Re: [j-nsp] Help with BGP as-path regex

2019-09-13 Thread Andy Litzinger
re AS path count, include the as-path-unique-count count (equal | orhigher | orlower) configuration statement at the [edit policy-options policy-statement policy_name from] hierarchy level. Thanks, Alex. On 13/09/2019 00:18, Andy Litzinger wrote:

[j-nsp] Help with BGP as-path regex

2019-09-12 Thread Andy Litzinger
Hi All, I thought this would be in a cookbook somewhere but I can't find it. Is there a way to write an as-path regex so it will match a provider's ASN (e.g. 1234) one or more times and then 1 or 2 more ASNs zero or more times? I'm hoping to be able to account for AS prepending. I'm an

[j-nsp] minimum permissions for napalm/pyez user

2019-03-15 Thread Andy Litzinger
Hello! We are attempting to use Napalm which I understand is using pyez/netconf over ssh under the hood. We can get things to work with a full admin level user, but we'd like to pare down the access to only what is required. Right now we are specifically hitting an issue where when we run

Re: [j-nsp] Firewall filter with apply-path

2015-07-27 Thread Andy Litzinger
Hi Ross, I essentially use the example straight from here: http://forums.juniper.net/t5/Day-One-Books/Day-One-Book-Securing-the-Routing-Engine-on-M-MX-and-T-Series/ba-p/92276 and they work great. HTH, -andy On 7/27/15, 2:45 PM, juniper-nsp on behalf of Ross Halliday

Re: [j-nsp] sip calls through srx fail after approx 15 min

2015-05-29 Thread Andy Litzinger
it go to 50m before we ended it). We'll continue to test and monitor and I'll report back here if we have issues. thanks to everyone for their help! -andy On Thu, May 28, 2015 at 12:10 PM, Andy Litzinger andy.litzinger.li...@gmail.com wrote: Hi Majdi, So are you saying that the sip alg can

Re: [j-nsp] sip calls through srx fail after approx 15 min

2015-05-28 Thread Andy Litzinger
/32; } } } thanks, -andy On Thu, May 28, 2015 at 11:41 AM, Majdi S. Abbas m...@latt.net wrote: On Thu, May 28, 2015 at 11:36:20AM -0700, Andy Litzinger wrote: We're configuring a new sip setup with a phone vendor. The provider pbx sits inside our network and makes connections

[j-nsp] sip calls through srx fail after approx 15 min

2015-05-28 Thread Andy Litzinger
Hi all, We're configuring a new sip setup with a phone vendor. The provider pbx sits inside our network and makes connections out through our SRX to the provider sip gateways. Calls are working, but seem to drop at or near the 15 minute mark. The provider is sure that it's a setting on the

Re: [j-nsp] MX80 JFlow Setup

2015-01-15 Thread Andy Litzinger
The flow configuration is working as posted; I was testing this in a legacy setup and forgot there was another firewall in the path between my mx80s and my flow collector. thanks all for the help! -andy On Thu, Jan 15, 2015 at 9:44 AM, Andy Litzinger andy.litzinger.li...@gmail.com wrote: Hi

Re: [j-nsp] MX80 JFlow Setup

2015-01-14 Thread Andy Litzinger
Levi, did you get this working? My MX80 appears to be collecting flows, but I don't see any output to my flow server. The server ip is reachable from my MX 80. # show chassis snip tfeb { slot 0 { sampling-instance tp-sampling-instance; } } # show forwarding-options sampling

Re: [j-nsp] MX80 JFlow Setup

2015-01-14 Thread Andy Litzinger
Yes I do. Sounds like I need to poke a hole? On Jan 14, 2015, at 6:14 PM, Eduardo Schoedler lis...@esds.com.br wrote: Do you have a firewall in your loopback? -- Eduardo Em quarta-feira, 14 de janeiro de 2015, Andy Litzinger andy.litzinger.li...@gmail.com escreveu: Levi, did

[j-nsp] controlling the source IP for the Dns Proxy feature

2014-10-15 Thread Andy Litzinger
Hello, is anyone out there using the dns-proxy feature for the branch SRX? Are there any clever tricks for specifying the source address the SRX uses to query name servers? It does not appear to be a config option. With the default config it appears to use the IP of the outbound interface. If

Re: [j-nsp] controlling the source IP for the Dns Proxy feature

2014-10-15 Thread Andy Litzinger
, Andy Litzinger andy.litzinger.li...@gmail.com wrote: Hello, is anyone out there using the dns-proxy feature for the branch SRX? Are there any clever tricks for specifying the source address the SRX uses to query name servers? It does not appear to be a config option. with the default

Re: [j-nsp] controlling the source IP for the Dns Proxy feature

2014-10-15 Thread Andy Litzinger
good material: http://forums.juniper.net/t5/SRX-Services-Gateway/SRX-multiple-proxy-ID-on-route-based-VPN-with-multiple-local/td-p/172002/page/2 Cheers, Ben On 16 Oct 2014, at 8:35 am, Andy Litzinger andy.litzin...@theplatform.com wrote: I'd happily use route-based vpns if they are supported

Re: [j-nsp] Drawbacks when using QFX5100 and EX4300 in mixed VCF mode

2014-08-21 Thread Andy Litzinger
+1 regarding input on VCF Does anyone have any practical experience with a VCF either mixed-mode or not? We're evaluating it as a replacement for legacy 6509s. Cisco is pitching a Nexus 6004 + FEX solution. regards, -andy On Tue, Aug 19, 2014 at 8:54 AM, Sebastian Wiesinger

[j-nsp] SRX Active/Passive cluster with redundant route based IPSec - connectivity to AWS VPC

2014-05-05 Thread Andy Litzinger
Hi All, Two related questions. I have a pair of SRX 3400s in an Active/Passive cluster. They rely on an external gateway for internet access (i.e. my ISPs don't terminate on the SRXs). I am setting up redundant tunnels to an AWS VPC. Amazon has an example for J-Series (

Re: [j-nsp] SRX Active/Passive cluster with redundant route based IPSec - connectivity to AWS VPC

2014-05-05 Thread Andy Litzinger
? thanks! -andy On Mon, May 5, 2014 at 3:30 PM, Morgan McLean wrx...@gmail.com wrote: Use your loopback and put that in a reth. Thanks, Morgan On Mon, May 5, 2014 at 3:23 PM, Andy Litzinger andy.litzinger.li...@gmail.com wrote: Hi All, Two related questions. I have a pair of SRX 3400s

Re: [j-nsp] SA SSL VPN vulnerable to Heartbleed?

2014-04-08 Thread Andy Litzinger
I opened a JTAC case for the same issue. JTAC said their security team is aware of the CVE and they are waiting for fix/recommendation. -andy On 4/8/14 2:51 PM, David B Funk dbf...@engineering.uiowa.edu wrote: We have a SA4500 SSL VPN box with the JTAC recommended 7.4R8.0 release. Testing by

Re: [j-nsp] SA SSL VPN vulnerable to Heartbleed?

2014-04-08 Thread Andy Litzinger
OpenSSL to 1.0.1g, and PR 981148 has been submitted for IVE OS to disable TLS heartbeat. SSL VPN (IVEOS) 7.3, 7.2, and 7.1 are not vulnerable On Apr 8, 2014, at 3:41 PM, Andy Litzinger andy.litzin...@theplatform.com wrote: I opened a JTAC case for the same issue. JTAC said their security

[j-nsp] Least impactful way to migrate from private ASN to public ASN

2014-03-28 Thread Andy Litzinger
We have two MX80 routers that currently each have an eBGP neighbor to the same upstream ISP and are iBGP neighbors. We are using the same internal ASN for both iBGP and eBGP. It's the autonomous-system number defined under routing-options. We're adding a second peer and have recently received

Re: [j-nsp] eBGP neighbor link failure detection

2014-03-14 Thread Andy Litzinger
(unless this is a peering router with dozens of peers and full routes on each) Hope you find root cause -- Payam Chychi Network Engineer / Security Specialist On Thursday, March 13, 2014 at 4:50 PM, Andy Litzinger wrote: Hi Chris, yes, I am taking full routes from this neighbor

Re: [j-nsp] eBGP neighbor link failure detection

2014-03-14 Thread Andy Litzinger
clear out the routes, and it was doing this despite the fact that it had never received a signal that the other side was doing a graceful restart. It seems unlikely that you'd be seeing the same type of problem, but the symptoms sound very similar. John On Thu, Mar 13, 2014 at 3:38 PM, Andy

Re: [j-nsp] eBGP neighbor link failure detection

2014-03-14 Thread Andy Litzinger
at BGP session initiation. is it fair to say that if you are directly connected to your neighbor and that interface goes down that the expected behavior of GR is it should abort and routes from that neighbor should immediately be removed? -andy On Fri, Mar 14, 2014 at 8:52 AM, Andy Litzinger

[j-nsp] eBGP neighbor link failure detection

2014-03-13 Thread Andy Litzinger
One of my providers (and eBGP neighbor) recently had a hardware failure which caused the port that connects our two routers to go down. My router did detect the link failure and BGP pretty much immediately transitioned to an Idle state. my side is a Juniper MX80 running 11.4, their side I

Re: [j-nsp] eBGP neighbor link failure detection

2014-03-13 Thread Andy Litzinger
, 2014 at 3:54 PM, Chris Adams c...@cmadams.net wrote: Once upon a time, Andy Litzinger andy.litzinger.li...@gmail.com said: what surprised me is that it looks like routes toward that provider were not immediately removed from my routing table. Instead i see evidence of blackholing for almost

Re: [j-nsp] Multicast/Broadcast Packets going to EX CPU

2014-03-05 Thread Andy Litzinger
Chris, can you elaborate on why low TTL on multicast frames will cause high CPU? Sebastien, as Chris pointed out anything in the 224.0.0.0/24 will hit the CPU, but so will a few other ranges that fall into the Link-Local block. This is a good guide someone else on the list forwarded me a few

Re: [j-nsp] Procedure to add a NPC to SRX HA cluster

2013-11-18 Thread Andy Litzinger
Hi Muhammad, yes, JTAC agrees with you :). We installed the NPCs using the KB procedure today and had no issues. thanks! -andy From: Muhammad Atif Jauhar [mailto:atif.jau...@gmail.com] Sent: Saturday, November 16, 2013 10:54 AM To: Andy Litzinger Cc: juniper-nsp@puck.nether.net Subject: Re: [j

Re: [j-nsp] SRX fab links through EX VC- seeing enumerating MAC addresses

2013-11-18 Thread Andy Litzinger
an update- we finally moved our SRX fab links off of the EX switch and the CPU load on the EX did not change. -andy -Original Message- From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Andy Litzinger Sent: Saturday, October 05, 2013 7:51 AM To: Phil Fagan

[j-nsp] Procedure to add a NPC to SRX HA cluster

2013-11-12 Thread Andy Litzinger
can anyone recommend a procedure to add an NPC card to an SRX HA (active/standby) cluster? In this case it's a pair of SRX3400s, running 12.1X44-D10.4 I've only got two redundancy groups, RG0(control) and RG1(data). Currently the only NPC in each SRX is the integrated NPC-IOC 10GbE card in each

Re: [j-nsp] SRX1400 Forward Proxy

2013-10-16 Thread Andy Litzinger
If you want your browser to support a self-signed cert you probably need to import it into your OS's trusted certificate store. In some cases you might be able to import it into your browser's trusted CA store, but I think for a self-signed (vs local CA signed) will have to be imported into

Re: [j-nsp] SRX fab links through EX VC- seeing enumerating MAC addresses

2013-10-05 Thread Andy Litzinger
a strange one. I wonder if it would happen on a stand alone switch vs VC. Also is xe-2 your backup for the VC? Wonder if it's busy pushing tables to the backup. On Oct 4, 2013 5:50 PM, Andy Litzinger andy.litzin...@theplatform.com wrote: While I was logged

[j-nsp] SRX fab links through EX VC- seeing enumerating MAC addresses

2013-10-04 Thread Andy Litzinger
Hi, while troubleshooting high CPU on our EX mixed-mode VC (4200 and 4550) our JTAC engineer noticed that one pair of ports is making changes to the MAC learning table at an alarming rate. My SRX3400 fab links are connected to the ports in question (I'm waiting on parts to correct this and

Re: [j-nsp] SRX fab links through EX VC- seeing enumerating MAC addresses

2013-10-04 Thread Andy Litzinger
[mailto:philfa...@gmail.com] Sent: Friday, October 04, 2013 2:52 PM To: Andy Litzinger Cc: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] SRX fab links through EX VC- seeing enumerating MAC addresses Very little is said other than indeed using MAC addresses is how the cluster speaks via

[j-nsp] expected multicast forwarding behavior with igmp-snooping and local igmp querier

2013-09-17 Thread Andy Litzinger
Maybe this will simply turn out to be a gap in my understanding about multicast addressing, but my EX4550/4200 VC is not pruning multicast how I would expect. I have a vlan defined with an RVI. I have enabled igmp for that vlan interface. I have two hosts that are members of the same vlan

Re: [j-nsp] trouble setting up link agg between clustered SRX 550 and Cisco 6509

2013-08-19 Thread Andy Litzinger
things back online. Also, although I don't know how reproducible this is for others, it seems like I may have hit a bug somewhere. -andy -Original Message- From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Andy Litzinger Sent: Thursday, August 15, 2013 3

Re: [j-nsp] trouble setting up link agg between clustered SRX 550 and Cisco 6509

2013-08-16 Thread Andy Litzinger
To: Andy Litzinger Cc: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] trouble setting up link agg between clustered SRX 550 and Cisco 6509 The components of the SRX RETH-interfaces are not all active at the same time, this is a fail-over construct. One active link at the time. You should

Re: [j-nsp] trouble setting up link agg between clustered SRX 550 and Cisco 6509

2013-08-16 Thread Andy Litzinger
-group-configuring-cli.html -andy -Original Message- From: Per Westerlund [mailto:p...@westerlund.se] Sent: Friday, August 16, 2013 3:07 PM To: Andy Litzinger Cc: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] trouble setting up link agg between clustered SRX 550 and Cisco 6509

[j-nsp] trouble setting up link agg between clustered SRX 550 and Cisco 6509

2013-08-15 Thread Andy Litzinger
Has anyone had any difficulty creating a port channel between an SRX cluster (in this case, SRX 550s) and Cisco switches (in this case 6509s, non-VSS)? When I tried to bring up a second link in the link agg group the cisco side put it in state I which means: standalone. It also logged this

Re: [j-nsp] Firewall filter -EX4500

2013-07-09 Thread Andy Litzinger
I think your source ip range netmask should be /0, not /32. I.e.: 0.0.0.0/0 On Jul 9, 2013, at 6:19 AM, Brijesh Patel brju.pa...@gmail.com wrote: Hi All, EX4500 firewall filter configuration : Connectivity : F5 Load balancer - Ex4500 -- Internet I want to

Re: [j-nsp] Share static routes between routing-instances on EX series

2013-06-20 Thread Andy Litzinger
it? -andy -Original Message- From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Andy Litzinger Sent: Tuesday, June 18, 2013 4:29 PM To: juniper-nsp@puck.nether.net Subject: [j-nsp] Share static routes between routing-instances on EX series I have a network

[j-nsp] Share static routes between routing-instances on EX series

2013-06-18 Thread Andy Litzinger
I have a network that contains two distinct groups of servers. Group1 with subnets A,B Group2 with subnets C,D Both groups use RVIs on a core VC (mix of EX4550s and 4200s) as their default route. There are two different paths out of the network. I'd like Group1 to take path1 and Group2 to

[j-nsp] experience using 10G DAC (twinax) cables between EX and multi-vendor

2013-05-15 Thread Andy Litzinger
Has anyone used a 10G DAC/Twinax cable between an EX4550 and other vendor gear? Did you use Juniper DAC cables or the other vendor cables? In particular I'm planning on linking a Cisco UCS Fabric Interconnect and also an F5 BigIP 4200v to a VC of EX4550s. Would you recommend it or should I

[j-nsp] QFX vs EX4550 as collapsed core

2013-04-25 Thread Andy Litzinger
Hi, we're deploying to a new environment where there will be about 500 virtual servers hosted completely on Cisco UCS. The Core would mostly be hosting uplinks to the UCS Fabric Interconnects (End Host Mode), inter-vlan routing and links to service appliances (FW/LB) and the Internet edge

[j-nsp] SRX upgrade procedure -ready for enterprise?

2013-03-08 Thread Andy Litzinger
We're evaluating SRX clusters as replacements for our aging ASAs FO pairs in various places in our network including the Datacenter Edge. I was reading the upgrade procedure KB: http://kb.juniper.net/InfoCenter/index?page=content&id=KB17947 and started to have some heart palpitations. It

Re: [j-nsp] SRX upgrade procedure -ready for enterprise?

2013-03-08 Thread Andy Litzinger
...@gmail.com] Sent: Friday, March 08, 2013 10:11 AM To: Andy Litzinger Cc: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] SRX upgrade procedure -ready for enterprise? I would never, ever follow that KB. It's just asking for a major outage.. With that said, you have two options. 1) ISSU and 2

Re: [j-nsp] SRX upgrade procedure -ready for enterprise?

2013-03-08 Thread Andy Litzinger
ICU sounds interesting. Any idea why it's not supported on the 550? or is that just documentation lag? -Original Message- From: Clay Haynes [mailto:chay...@centracomm.net] Sent: Friday, March 08, 2013 3:08 PM To: Andy Litzinger; juniper-nsp@puck.nether.net Subject: Re: [j-nsp] SRX

[j-nsp] SRX AV cloud vs on-device

2013-03-01 Thread Andy Litzinger
Hi all, we're looking at an SRX 550 and have been posed with the choice between using the cloud based anti-virus or the on-device. Are there any compelling reasons to pick one over the other? thanks! -andy