I did this once on an SRX240, and (as someone mentioned earlier) the fact
that the SRX only sees the packets in one direction will mean that TCP
sessions establish and work for a little while, but as soon as the flow
record on the SRX expires, it will stop passing the traffic mid-stream.
I ended u
Thanks very much we had no policy between private and private ;)
Appreciate everyone's replies... take care..
Paul
-Original Message-
From: Ben Dale [mailto:bd...@comlinx.com.au]
Sent: Wednesday, November 03, 2010 4:31 PM
To: Paul Stewart
Cc: juniper-nsp@puck.nether.net
Subject: R
Hi Giuliano,
I haven't really tried such things myself for ages but AFAIK it's not even
possible with IDP since at least Skype goes into encrypted mode when it
detects itself blocked and simulates something https quite well. Please
correct me, if someone knows I'm not right. In this case some too
As others have mentioned, on the Cisco side you can use ip tcp adjust-mss 1436.
On the Juniper side, I'm not sure how widely the reassemble-packets knob is
supported across platforms, but the alternative is:
set security flow all-tcp mss 1436
The only downside is that this will adjust MSS on al
Hi Paul,
Router-on-a-stick with SRX will break unless you have the following:
set security policies from-zone Private to-zone Private policy 1ARM match source-address n192.168.20.0/24
set security policies from-zone Private to-zone Private policy 1ARM match destination-address n172.30.200.0/24
set
Dear community member,
We are producing a rotator with 02 MX480-logical systems (LS1 and LS2) and
routing-instance-virtual routers (ls1 and ls2), I need to set up
collection JFLOW (sampling).
logical-systems {
LS1 {
interfaces {
ge-0/0/0 {
unit 0 {
On Wed, Nov 03, 2010 at 11:34:59PM +0500, Good One wrote:
>
> Thanks for the useful information, Richard. Well, a DPC has a 1G ram
> inside and if each PFE has a complete copy of the routing table (even
> the best route) and you are receiving a full feed of internet and a
> thousands of your own
Thanks for the useful information, Richard.
Well, a DPC has a 1G ram inside and if each PFE has a complete copy of the
routing table (even the best route) and you are receiving a full feed of
internet and a thousands of your own routes, then all the 4 PFEs should occupy
the 1G RAM (I assume all
Does an SRX get confused when you have asymmetric routing like
that on a single zone? Does it confuse the stream processing?
The SRX will only ever see the one way traffic from the host
on your local network to the remote network. The return traffic
(I assume) will go straight from the VPN gateway
Is this an encrypted GRE tunnel over the internet?
The "recommended" MTU is 1400 bytes on both ends. Use the
clear-dont-fragment-bit knob on the juniper side, and do "ip tcp mss-adjust
1360" on the Cisco side. Also on the Cisco side, ingress interfaces should
have a route-map applied to clear
That's going to be required too, I forgot about that
On Nov 3, 2010, at 14:07 , OBrien, Will wrote:
> Do you have an intrazone policy? Trust to trust, allow all for example.
>
> Sent from my iPad
>
> On Nov 3, 2010, at 1:04 PM, "Paul Stewart" wrote:
>
>> Thanks... yeah, pretty much.
>>
>>
Do you have an intrazone policy? Trust to trust, allow all for example.
Sent from my iPad
On Nov 3, 2010, at 1:04 PM, "Paul Stewart" wrote:
> Thanks... yeah, pretty much.
>
> We installed the static route and were unable to reach anything on the
> 172.30.200.0/24 network from a machine in the
Well you're right that one of the old school fundamental rules of IP Packet
forwarding does not allow a packet to exit the same interface it entered on...
I think you can use Policy based Routing in JUNOS to engage that functionality,
but A) it's been so long I forget how to do it off the top of
Thanks... yeah, pretty much.
We installed the static route and were unable to reach anything on the
172.30.200.0/24 network from a machine in the 192.168.20.0/24 subnet. On
that actual machine (Windows 7) we installed a route in Windows and were
able to communicate no problem (bypassing the route
Paul-
Just to make sure I'm tracking correctly, you've tried installing a static
route and it didn't work?
On Nov 3, 2010, at 11:48 , Paul Stewart wrote:
> Hi there.
>
>
>
> Can anyone give any suggestion/guidance on the following.
>
>
>
> I'm trying to do a static route *out* the same
Hi Nilesh,
Sorry for not putting the release, I am working with JunOS 10.0R4.7 and the
chassis is a MX960.
I was thinking the same about the bridge-id I noted it but I wasn't sure if
it was possible to implement on logical-system with the same system MAC.
Do you know if there are any limit with pr
On Wed, Nov 03, 2010 at 02:00:11PM +0500, Good One wrote:
>
> We started using MX-480 and I came to know that each DPC has four
> PFEs. Now a question comes to mind that how the chemistry of routing
> updates in between PFEs and RE(kernel) is being done. If kernel routes
> are being exported to
Hi there.
Can anyone give any suggestion/guidance on the following.
I'm trying to do a static route *out* the same interface that the traffic
came *in* on. This is on an SRX-240
Here are the details:
"Private": 192.168.20.0/24
"Public": 216.168.x.x/32
Static route: 172.30.200.0/2
People,
Does anyone know how to block ultrasurf and skype applications using
only an SSG140 box with DI license?
Or is it only possible to block it using SRX650 with IDP license?
Is it possible to configure?
Where can I find the detailed signatures of both these applications?
Thanks a lo
I recently had a similar issue between a Juniper and a Cisco router,
I resolved some of those symptoms by adjusting the tcp maximum segment
size. You may have to play with this setting until it yields the best
result. I use the "ip tcp adjust-mss 1300" and applied it to the
interfaces used. Thi
People,
Does anyone know how to block ultrasurf and skype applications using
only an SSG140 box with DI license?
Is it possible to configure?
Where can I find the detailed signatures of both these applications?
Thanks a lot,
Giuliano
Hi Giuliano,
We have configured that like:
CISCO:
interface Tunnel0
ip address 172.20.1.1 255.255.255.252
keepalive 10 3
tunnel source FastEthernet0/0
tunnel destination 192.168.1.2
tunnel path-mtu-discovery ---IMPORTANT
interface FastEthernet0/1
description LAN INTE
Generally, this issue is related to MTU and fragmentation. If you have a
problem with loading web-pages and slow tcp response, you better try
adjusting tcp-mss settings on your cisco router. You can use the following
command under tunnel interface, most of the time it works for me :)
interface tun
People,
We are trying to close a GRE tunnel between juniper and Cisco routers
without success.
We have tried a lot of MTU configurations but the traffic is suffering a
lot ... sometimes slow, sometimes do not open some pages.
Have you ever configured something like this before ?
Any tip ou
Hi,
How much air the PSU fan moves has absolutely no impact on switch
cooling, it's only cooling the PSU (at least on 3200, haven't pulled a
4200 apart yet). Also take into account that the fan assembly is moving
a larger volume at a lower speed, so a measurement with a piece of paper
wouldn't ne
I have it deployed in "enterprise-style" deployment (dual-stack for
the office users), on a SRX240-H cluster running 10.2R3. It works just
as expected so far.
On Tue, Nov 2, 2010 at 21:39, Paul Stewart wrote:
> Hmmm.. interesting - I thought I had reviewed 10.2 for this support... will
> dig dee
Interesting/ disappointing to read that the top end SRXs don't support MPLS as
it is clearly the intention to deploy MPLS to the edge with the smaller SRXs.
So what is Juniper's solution for concentration points in the network e.g. head
offices etc?
Do the large SRXs have no support for "Family
Hi Bill,
We have around 80 EX-3200 (24 port RJ-45, with SFP module) and 30
EX-4200 (24 port SFP, with XFP module) in production. They're all
located at telco pops, an environment with cooling, but not from the
floor and also quite densely populated locations. Not ideal
environment, so to say.
I'v
We started using MX-480 and I came to know that each DPC has four PFEs. Now a
question comes to mind that how the chemistry of routing updates in between
PFEs and RE(kernel) is being done. If kernel routes are being exported to PFEs,
does it mean that each PFE contains a full routing table?
MSTP does work, well at least when I tried it on 10.3
On Wed, Nov 3, 2010 at 3:38 AM, Nilesh Khambal wrote:
> David,
>
> I don't think you can run RSTP in logical routers. As you can see from your
> outputs below, RSTP instances in all the LRs are using same system MAC. You
> can probably try MST
30 matches