Hi! Experts
Just want to confirm if Juniper backup routing engine could authenticate
users from in-band interface like ge-0/0/0 to the AAA server?
If not, do we have a solution? The scenario is MX960 with dual RE and no
OOB network. But need to authenticate users login backup RE from AAA.
Thanks
:12 AM Chen Jiang wrote:
> Hi! Experts
>
> Sorry for disturbing, I want to confirm does SRX support SSH Inspection
> like Palo Alto or Fortigate firewall, I couldn't find any related topic in
> official documents, Thanks for your information.
>
> --
> BR!
Hi! Experts
Sorry for disturbing, I want to confirm does SRX support SSH Inspection like
Palo Alto or Fortigate firewall, I couldn't find any related topic in
official documents, Thanks for your information.
--
BR!
James Chen
___
juniper-nsp maili
Hi! Experts
Sorry for disturbing, Is there any method to configure SRX block http/https
file upload, Thanks for your help
--
BR!
James Chen
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/
Hi! Experts
We want to deploy global MAC address white list in access Layer 2 switches
due to end user compliance requirement, but cannot find an easy way.
Do you know where the old style configure knob "secure-access-port" go in
ELS?
set ethernet-switching-options secure-access-port interface al
Hi! Experts
Sorry for disturbing. From JUNOS document, it said the "advertise
direct-nexthop" knob could do:
advertise direct-nexthop
Enable the switch to send IP prefix information using an EVPN pure Type 5
route, which includes a router MAC extended community used to send the MAC
address of the
Hi! Experts
Sorry for disturbing, we want to use MX to connect the branch office
through Channelized OC3 port, but it seems all the old CHOC3 MIC is EOLed,
except the expensive MIC-3D-8CHOC3-4CHOC12.
We doubt is the MIC-3D-4COC3-1COC12-CE PIC supports native IP forwarding?
if yes, it could be a
Hi! Experts
Sorry for disturbing, I am curious why IRB interface in EVPN does not use
VGAs' Virtual MAC address (00:00:5e:00:01:01) to originate packets, but
instead uses the interface real MAC address to originate packets.
Are there any special thoughts behind this? It will cause BUM flooding
My testing was with VLAN bridge and L2Circuit.
>
> --Mark
>
> On Mon, 15 Nov 2021 at 15:14, Chen Jiang wrote:
> >
> >
> > HI! Mark
> >
> > Thanks for your help. Attached is my configuration file. FYI.
> >
> > BR!
> >
> > Chen Ji
HI! Mark
Thanks for your help. Attached is my configuration file. FYI.
BR!
Chen Jiang
On Mon, Nov 15, 2021 at 7:44 AM Mark Tees wrote:
> Hey,
>
> I have done some similar testing for L2.
>
> Are you able to send your example/test config in a text file or
> something
Hi! Experts
End user asked us to implement QinQ (translate inner tag and push outer
tag) in QFX5100, but from POC it did not work as expected, Could QFX work
as in the configuration below? Someone said QFX could only handle outer
tag. Thanks for your advice. *Requirement:*
QFX et-0/0/0/48 recei
Hi!
it's very clear now, thanks for your great help.
On Fri, Oct 22, 2021 at 3:58 PM Tobias Heister via juniper-nsp <
juniper-nsp@puck.nether.net> wrote:
> Hi,
>
> On 22.10.2021 08:42, Chen Jiang via juniper-nsp wrote:
> > I see there are 2 download links for vM
Hi! Experts
I see there are 2 download links for vMX, one is vMX, one is vMX
evaluation.
What's the difference between the two?
Thanks for your support.
--
BR!
James Chen
Hi! Experts
We want to Could we do it? In old Non-ELS switches only interfaces
configured this knob apply the security check, but when migrate to new ELS
switches we found the behaviour is changed.
ELS switches configuration:
lab# show vlans
vlan100 {
vlan-id 100;
l3-inter
Hi! Experts
I need some 10GE LR optics and found 2 options in Juniper : SFPP-10GE-LR-IT
and SFPP-10GE-LR.
From Juniper Hardware Compatibility Tool I can't find a difference
except SFPP-10GE-LR-IT has a widely operating temperature range
and SFPP-10GE-LR-IT price is lower. So it seems SFPP-10GE-
Hi! Experts
Sorry for disturbing, I want to confirm will SRX550M antivirus engine works
offline? it seems SRX550M only have sophos antivirus engine presently and I
found some words in Juniper KB:
"Sophos antivirus uses a small set of data files that need to be updated
periodically. These data fil
Hi! Experts
Sorry for disturbing, I am curious why local learned ARP in EVPN also has
"permanent remote" flags? if it is learned from remote VTEP then makes
sense, cause it is learned from BGP. but why local learned ARP also has
these flags.
lab@qfx5110> show arp no-resolve
MAC Address Addr
verything,
> and you will progress down to less helpful tie breakers like router id.
>
> Regards,
> Dave
>
> On Sun, 2 Aug 2020 at 11:58, Chen Jiang wrote:
>
>> Hi! Michael
>>
>> Thanks for your clarification.
>>
>> Sure, it will let LDP use IGP
configuration knob to let LDP use IGP metric?
BR!
Chen Jiang
On Sun, Aug 2, 2020 at 6:32 PM Michael Hallgren wrote:
> Hi James,
>
> From memory, Junos assigns metric 1 by default to "LDP routes", not IGP
> metric, unless you push this button.
>
> Cheers,
> mh
> --
Hi! Experts
Sorry for disturbing, I am curious about track-igp-metric knob under LDP,
is there any scenarios it will be useful? I think ldp is just a label
distribution protocol, the forwarding path always follows the IGP shortest
path, is there any benefit for using track-igp-metric?
Thanks for
Hi!
QFX10008 w/ JUNOS 15.1X53 and 18.4R2.3
Thanks!
On Fri, Feb 21, 2020 at 4:53 PM Timur Maryin wrote:
> What is exact model you have?
> And junos version?
>
>
> On 20-Feb-20 13:43, Chen Jiang wrote:
> > Hi! Experts
> >
> > Sorry for disturbing, we found the
Hi! Saku
I have tried you advice but there is no "output-traffic-control-profile"
under "class-of-service interfaces et-x/x/x" in QFX10K. different from
other Juniper gears, QFX COS configuration is very weird.
BR!
Chen Jiang
On Thu, Feb 20, 2020 at 10:03 PM Saku Ytti
Hi! Chris
Yes, all my business traffic is BE, but there is also BGP in NC queue, I am
afraid only shaping BE traffic to maximum link capacity will starve NC queue
and cause BGP broken.
Thanks for your help.
BR!
Chen Jiang
On Fri, Feb 21, 2020 at 7:03 AM Chris Kawchuk wrote:
> Assuming
Hi! Experts
Sorry for disturbing, we found the "set class-of-service interfaces xxx
shaping-rate" is missing in QFX platform, is there any other method could
do port shaping ?
Thanks for your help.
--
BR!
James Chen
Thanks, I found solution is configured enhanced-ip mode in
networks-services.
On Sun, Feb 2, 2020 at 9:51 AM Chen Jiang wrote:
> Hi! Experts
>
> Sorry for disturbing, I want to do some hands-on on SR and use vMX for
> lab, but seems it is not supported.
>
> Do you experience a
Hi! Experts
Sorry for disturbing, I want to do some hands-on on SR and use vMX for lab,
but seems it is not supported.
Do you have experience and could shed some light on this?
lab@vmx# set protocols source-packet-routing srgb?
No valid completions
[edit]
lab@vmx# run show version
Hostname: mx1
Mode
Hi! Experts
Sorry for disturbing, I want to use EVPN to transport range of customer
vlan traffic, but failed for my POC test (EVPN is OK for other vlan but
failed for vlan-tunnel ), do you have experience and could shed some light
on this? Thanks for your support.
Below is my vlan tunnel related
> internet with a looped macsec GigE port to get encrypted traffic with full
> MTU. You could add VXLAN to that and get what you want kinda. MX GRE inline
> frag/reassembly works well.
>
>
>
> On Sat, Jun 1, 2019, 7:44 AM Chen Jiang wrote:
>
>> Hi! Experts
>>
>
Hi! Experts
Sorry for disturbing, we know that EVPN/VXLAN cannot fragment packets, but
we want to use IPsec/Internet as backup EVPN/VXLAN path, is there any
workaround to forwarding such packets in EVPN/VXLAN over IPsec over
Internet?
Thanks in advance.
--
BR!
James Chen
_
Hi! Experts
Sorry for disturbing, I am building a EVPN/VXLAN test bed but found there
is no vxlan option under QFX5100-24Q-2P's vlans hierarchy:
lab@qfx5k-4# set vlans test ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except
Hi! Experts
Sorry for disturbing, I want to use QFX5100-24Q to test VXLAN but there is
no vxlan option under vlan configuration, for other model like QFX5100-48S
it's OK. is it means QFX5100-24Q does not support vxlan? I cannot find any
document mention it.
Do you have some experience on this? Th
Hi! Experts
Sorry for disturbing, we have a customer asked if JUNOS system file could
be replaced by backdoor program and did JUNOS has build-in function to
protect system from this kind of invade? I couldn't find such kind of
information in documents. could you pls shed some light on this?
Thank
Hi! Experts
Sorry for disturbing, I have noticed JUNOS will re-establish BGP neighbour
relationship when configuring "advertise-inactive" under a neighbour. But
from the packets captured from neighbour peer there is nothing changed when
negotiated BGP relationship.
I doubt is this a must behaviou
Hi! Experts
Sorry for disturbing, we are using QFX5100 virtual-chassis for
distributing storage traffic, the average traffic volume is 2-3 Gbps but
there is burst traffic will exceed the interface bandwidth (we see there
are tailed drop counter keep increasing in best-effort queue), so we want
to
Hi! Experts
Sorry for disturbing, I have a question but couldn't find the answer, could
you pls shed some light on this?
From the documents we know that Juniper firewall filter has 3 termination
actions: accept, discard, and reject.
but when we configured mirror and sample action, if we didn't
Hi! Experts
Sorry for disturbing, I want to use JUNOS OP script to auto-generate new
interface configuration, but I don't know how to get maximum interface unit
value in current configuration, do you have solved this before and could
share an example?
Thanks for your great help!
--
BR!
The only difference between "3" and non-"3" model is the enhanced midplane
to support new 500G line card. The old non-"3" chassis midplane could
support about 300Gbps bandwidth per slot.
And because this is only a midplane connector enhancement, so the base3
chassis is compatible with all old lin
Hi! Experts
Sorry for disturbing, I have a scenario that router r1 need define a static
route next hop point to r2 (and this route need bfd for monitoring next-hop
liveness), but r2's revert route will go through another interface to r1.
Does JUNOS support this scenario? how do I configure r2's b
Hi! Experts
Sorry for disturbing, I want to separate logical-systems syslog file from
main system, and I have done below configuration per online JUNOS documents:
james@mx80# show logical-systems r1 system syslog
file r1-messages {
any any;
}
file cli {
interactive-commands any;
}
From B
Hi! Phil, Diogo
Thanks for your detailed explanation and yes, it works as you described.
BR!
Chen Jiang
On Wed, Dec 30, 2015 at 1:15 AM, Phil Shafer wrote:
> Diogo Montagner writes:
> >Try this:
> > _ $users _ $meter;
>
> Yes, "_" is a valid character to ha
Hi! Experts
Sorry for disturbing, I use 2 user input params: $users and $meter to
generate firewall filter name, but JUNOS has given an error:
...
var $arguments = {
{
"users";
"Required: to which users to put the bandwidth policer";
}
{
"src-add";
"Required: which
Hi! Phil
Yes, this is exactly what I needed and it works as you described, Thanks
for the great help!
BR!
James
On Fri, Dec 18, 2015 at 2:17 PM, Phil Shafer wrote:
> Chen Jiang writes:
> >I have a requirement from end user that want to automate firewall filter
> >configur
cember 2015 at 14:27, Chen Jiang wrote:
> > Hi! Jordan
> >
> > End user's MX has a firewall filter named metro-access has many terms in
> > it, just like below:
> >
> > lab@mx#show firewall family inet filter metro-access
> >
> > term inside-te
n/en_US/junos12.3/topics/example/junos-script-automation-op-script-changing-configuration.html
>
> How complex are the rules that need to be generated? Could you provide
> some examples? Feel free to ping me off list if necessary.
>
> -JH
>
> > On Dec 17, 2015, at 2:35 AM, Chen Jiang w
Hi! Experts
I have a requirement from end user that want to automate firewall filter
configuration procedure, that means they want to use OP script to generate
a customized firewall filter term and added it before the last "deny all"
term.
I have searched official documents but couldn't find help
Is this feature(GRE Keepalive) only supported in MPC in MX?
On Mon, Sep 28, 2015 at 2:30 PM, Alireza Soltanian
wrote:
> Hi everybody
>
>
>
> A couple of days ago, I sent an email about GRE Keepalive on M10/M20.
>
> I did some more tests on this case. I am using PE-Tunnel on M10/M20. Tunnel
> can
RE-2000 could support about 10M route in RIB.
RE-2000 is X86 based RE and MX80/MX104 is PPC based RE.
From raw evaluation, in JUNOS PPC RE is about 1/3 performance vs. X86 RE
for same frequency,
On Wed, Oct 14, 2015 at 9:16 PM, Colton Conor
wrote:
> How many full routes can two RE-S-2000-4096
Thanks Phil and sorry for my mistake, I should use "interface" instead of
"interfaces", it works now.
On Wed, Apr 22, 2015 at 3:08 AM, Phil Shafer wrote:
> Chen Jiang writes:
> >change-configuration {
> >retry count 3
i
>
> On 21/04/15 9:10 pm, "Chen Jiang" wrote:
>
> >Hi! Experts
> >
> >I tried to use event-options to change the JUNOS configuration but there
> >is
> >some issue, are you experience the same issue and could shed some light on
> >this.
Hi! Experts
I tried to use event-options to change the JUNOS configuration but there is
some issue, are you experience the same issue and could shed some light on
this.
Thanks for your help!
lab@r1# show event-options
generate-event {
Configure-Ot-Change time-of-day "21:44:00 +0800";
}
polic
Hi!
SRX is the 2nd pure-software forwarding equipment from Juniper (the 1st is J
series routers), it just use multi-core CPU does all the forwarding and
security things in software. But in recent releases(maybe from JUNOS 10.4)
there is a new feature called "service-offload" that could use NPC in
1Gbps per PIC in cFEB-E vs 800Mbps per PIC in old cFEB
On Tue, Mar 20, 2012 at 6:44 PM, Shiva S Shankar wrote:
> Hi All, Can anyone help me with Enhanced CFEB throughput for M10i/M7i pls.
> What is the throughput per PIC slot? Also, similar values for normal cFEBs
> would also be helpful. Thanks
this scenario?
Thanks for all the help!
BR!
James Chen
On Mon, Mar 19, 2012 at 11:22 AM, Chen Jiang wrote:
>
> HI!
>
> Is there any experience in JUNOS 10.4R
> --
> BR!
>
>
>
>James Chen
>
--
BR!
James Chen
__
HI!
Is there any experience in JUNOS 10.4R
--
BR!
James Chen
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Hi! Tim
Thanks for this great tool, is it work for all JUNOS version? AFAIK SRX
session table is changing several times.
On Sat, Oct 15, 2011 at 3:50 AM, Tim Eberhard wrote:
> All,
>
> After finally finding some free time (a new job or two, and a new kid)
> I was able to at least sit down and h
> Thanks!
> Morgan
>
>
> On Tue, Sep 27, 2011 at 7:01 AM, Chen Jiang wrote:
>
>> No, Ethernet Switching is not supported either in standalone or in cluster
>> in SRX HE, which include SRX1K/3K/5K.
>>
>> On Wed, Sep 21, 2011 at 4:21 AM, Morgan McLean wrote:
No, Ethernet Switching is not supported either in standalone or in cluster
in SRX HE, which include SRX1K/3K/5K.
On Wed, Sep 21, 2011 at 4:21 AM, Morgan McLean wrote:
> Hi,
>
> Does anybody know if ethernet switching across a chassis cluster on an
> SRX3600 (with swfab interface etc) is supporte
you can use routing-instance to achieve ECMP/NAT in SRX.
On Sun, Aug 28, 2011 at 1:22 AM, Daniel Daloia wrote:
> If that's true then that's horrible news. The data sheet for the SRX branch
> series lines says that it can do ECMP, but says nothing about mixing it with
> advanced services. This see
You can put two or more logical interface from one routing-instance just into
one security zone and control the flow traffic through security policy such
as "set security policy from-zone vr1 to-zone vr1 ... ".
The security zone concept is just for management purpose and has nothing to
do with the
hi!
I have done some test in POC lab for PPPoE in M120, it works for IQ2E PIC.
On Sun, Jun 5, 2011 at 11:15 PM, Mauritz Lewies wrote:
> Hi There
>
> Has anyone been able to terminate PPPoE sessions on :
> 1. a M120 router
> 2. In a logical system on a M120
>
> JTAC is not really forthcoming with
MX80-48T doesn't support scheduling hierarchy compared with MX80, except
that, all the same. I don't think you need scheduling hierarchy in your
scenario.
On Mon, May 16, 2011 at 8:34 AM, Doug Hanks wrote:
> Seconded. The MX80-48T is all line-rate. It uses ASICs/hardware on the
> forwarding pl
It's 10.4r3.4 or 10.4r4 which will be released in May.
On Wed, Apr 20, 2011 at 9:56 PM, Dale Shaw wrote:
> Hi all,
>
> I know there have been some pretty ugly bugs on srx5k with multiple
> SPCs in some early JUNOS 10.0 releases (and earlier). We're running
> 10.0R4 on a bunch of 5800s but while w
You can use shaping in outbound direction.
set class-of-service interfaces ge-0/0/0 shaping-rate 20m
On Thu, Apr 21, 2011 at 4:09 PM, Ala' Amira wrote:
> Good morning all,
>
>
>
> Am trying to add bandwidth limitation on EX3200 on port or vlan using
> firewall policer and it is working as input fi
It's a by design behavior. When control link or fabric link disconnected,
the current RG0 master node will remain in master status but the current
RG0 backup node will disable itself to avoid split-brain issue, "Disable"
means the node will offline all SPC/NPC and Line Card. And only reboot the
wh
Yes, it will come out in EX in 11.1 in Mar.
On Wed, Mar 16, 2011 at 12:16 AM, Richard A Steenbergen
wrote:
> On Tue, Mar 15, 2011 at 12:25:59PM +0100, Tore Anderson wrote:
> > Hi,
> >
> > I'm wondering if it possible to configure something equivalent to the
> > EX2500's Uplink Failure Detection
you could try this knob: "set routing-options ppm no-delegate-processing"
On Wed, Dec 1, 2010 at 4:05 AM, Payam Chychi wrote:
> Hi,
>
> I was wondering if anyone else has had issues with M based routers and PPM,
> if so, any advice would be greatly appreciated.
>
> Here is my situation:
> - I ha
SRX only support inter-chassis HA presently, not intra-chassis HA. So from
HA point of view, SRX3K and SRX5K is same.
On Tue, Nov 16, 2010 at 6:32 AM, Giuliano Cardozo Medalha <
giulian...@uol.com.br> wrote:
> People,
>
> Hi,
>
> We are looking for a JUNIPER Solution for High End Firewalls.
>
> W
You cannot put fxp0 into VRF but could put it into a logical system. And
logical system also have a separate routing table other than inet.0.
On Thu, Jul 8, 2010 at 3:16 AM, Jim Devane wrote:
> Hello,
>
> I need some ideas/help on a scenario I am sure comes up a lot but having
> problems with.
a...@pk.ibm.com
> +92-321-2370510
> +92-301-8247638
> Skype: fahad-ibm
> http://www.linkedin.com/in/muhammadfahadkhan
>
>
>
> On Thu, Jun 3, 2010 at 6:03 PM, Chen Jiang wrote:
>
>> I have tested it and it works.
>>
>>
>> On Tue, Jun 1, 2010 at
k.ibm.com
> +92-321-2370510
> +92-301-8247638
> Skype: fahad-ibm
> http://www.linkedin.com/in/muhammadfahadkhan
>
>
>
> On Sat, May 29, 2010 at 10:16 AM, Chen Jiang wrote:
>
>> NSR works but will not be officially supported by JNPR any more.
>>
>> On W
no, only MX family support virtual switch.
On Fri, May 28, 2010 at 10:35 PM, Jay Hanke wrote:
> What equipment at the low end supports a virtual switch with a bridge
> domains? Does the J-series?
>
>
>
> Thanks,
>
>
>
> Jay
>
>
>
>
>
> ___
> juniper-ns
15M in RIB and 1M in FIB.
On Fri, May 28, 2010 at 11:32 AM, matthew zeier wrote:
> Juniper's site doesn't go into enough details on number of full BGP peers
> an MX240 can handle or total FIB or RIB routes.
>
> Anyone have any guidance from real field use?
>
> Want to make sure buying an MX240
NSR works but will not be officially supported by JNPR any more.
On Wed, May 26, 2010 at 8:52 PM, Fahad Khan wrote:
> Dear Folks,
>
> Has any one used Netscreen Remote Client for dialup VPN with SRX device?? I
> have seen in release notes of 10.1 that SRX does not support NSR.
>
> But in securit
Some feature 10.1 support but 9.6 not supported:
1. LAG
2. LAG in JSRP
3. Many ALG (9.6 only support FTP/TFTP)
4.Static/Source NAT rule number limit (9.6 only support 8 rules per
rule-set)
On Sat, May 15, 2010 at 10:56 PM, Fahad Khan wrote:
> Dear Folks,
>
> Is there any difference when configur
Per Juniper's tradition, datasheet numbers just means tested by QA but not
the system limitation.
JUNOS in control panel doesn't pre-define any limitation for routing
capacity, it just depending on the memory capacity.
On Fri, Apr 23, 2010 at 5:33 AM, Richard A Steenbergen
w
hi!
This is an example for L3 mirror:
1.Define Port-Mirror Properties
.
forwarding-options {
port-mirroring {
input {
rate 1;
}
family inet {
output {
interface ge-2/0/3.0 { #define output
interface
I have heard that NX2K couldn't do local switching and all frames must goes
to NX5K for L2 switching. If the uplink NX5K fail, it will take some time to
recovery to another uplink NX5K. And NX5K doesn't support L3 routing, L3
routing is depend on NX7K..
On Thu, Feb 25, 2010 at 6:35 PM, Muhammad Ati