Re: [j-nsp] 'Juniper BGP issues causing locallized Internet Problems, (Mon, Nov 7th)?

* David Ball: > Right, because upon the release of any new PSNs, immediate > network-wide code upgrades are completed. Seems to work fine with a $200 laptop running Windows. 8-) -- Florian Weimer BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstra

Re: [j-nsp] Juniper SRX and ssh freeze

s that they do not keep firewall state alive. -- Florian Weimer BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99 ___ juniper-nsp mailin

Re: [j-nsp] DOS Attack

18.742f.b380 with rate 241 pps Have you checked that you haven't got a routing loop or something like that? (And which platform is that, BTW?) If this isn't the case, you need to figure out who's got the 0018.742f.b380 MAC address and ask them to stop sending those packets. -- Flor

Re: [j-nsp] J series users bitten by the massive memory useincrease with flow mode add, please file jtac cases.

ll couldn't forward our tiny amount of traffic we deal with. -- Florian Weimer BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99 __

Re: [j-nsp] J series users bitten by the massive memory useincrease with flow mode add, please file jtac cases.

isting TCP sessions involving the device are severed when rerouting event occurs because their flow implementation is interface-sensitive. -- Florian Weimer BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Kar

Re: [j-nsp] Clarification of EOL policies

* Richard A. Steenbergen: > On Mon, May 10, 2010 at 08:51:05AM +0000, Florian Weimer wrote: >> I'm a bit puzzled by the EOL policies. According to >> <http://www.juniper.net/support/eol/junos.html>, JUNOS 8.5 has its >> first transition event on 2010-11-16 (whatev

[j-nsp] Clarification of EOL policies

to that of JUNOS 10.1 (with an event on 2010-11-15). However, self-service downloads for JUNOS 8.5 have not been updated for years, despite intermediate security updates. The situation for JUNOS 9.3 appears to be similar. Does anybody know what's going on here? -- Florian Weimer

Re: [j-nsp] J2320 as BGP router

d. It seems that this is (a) un(der)documented and (b) results in strange stability issues. The box turns unresponsive during commits and eventually hangs (with just one BGP feed and 1 GB RAM). -- Florian Weimer BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100

Re: [j-nsp] J2320 as BGP router

es? As far as I can tell, everything you need to run a regular BGP router is there, even without the advanced BGP license. It's likely that you don't have to pay the additional licensing fee. -- Florian Weimer BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße

Re: [j-nsp] J2320 as BGP router

). Does it still make sense to use them for new deployments as ordinary routers? -- Florian Weimer BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-7

Re: [j-nsp] JUNOS vulnerability with malformed TCP packets

* Barry Greene: > The information is in the security advisory. Are the PSNs the security advisory you are referring to? I didn't see a security advisory as such, and I'm wondering if I'm missing anything. -- Florian Weimer BFK edv-consulting GmbH

Re: [j-nsp] ASR1002 Comparitive

n't it? In most scenarios, it's also fairly easy to restrict its impact to a single customer. Curiously, that's a point where flow-based fowarding is superior to stateless forwarding. -- Florian Weimer BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraß

Re: [j-nsp] ASR1002 Comparitive

ow. We saw that as well, but when we got rid of stateful filters, things improved. What worries me a bit is that there is no configurable limit for the maximum flow count on J-series devices, so I wonder if a high rate of flow creation would cause the sampled process to use up all available mem

Re: [j-nsp] J-series stateful firewall / NAT architecture

* Amos Rosenboim: > > Regarding the number of boxes, you can consolidate the 4 switches to > just two by using vlans. Huh? You either lose redundancy, or you heavily rely on VLAN separation on those switches. Neither seems to be a good idea. -- Florian Weimer

Re: [j-nsp] J-series stateful firewall / NAT architecture

our case, the overload was even triggered by non-malicious traffic. 8-/ We're currently migrating to stateless filters and hope that this problem does not occur. If it does, we'll move the filtering to a separate box, this time using Netfilter. -- Florian Weimer<

Re: [j-nsp] Cisco to Juniper Question

* Scott Morris: > What about a /31? I didn't test that. I was a bit in a hurry to get something working after discovering that the unnumbered interfaces were a dead end. -- Florian Weimer<[EMAIL PROTECTED]> BFK edv-consulting GmbH http://www.bfk.de/ Kr

Re: [j-nsp] Cisco to Juniper Question

ddress space. Right now, we need at least a /30 per host, wasting at least three publicly routed IP addresses. This is a bit excessive. (No, private VLANs aren't a solution for us because they do not provide the kind of isolation we require.) -- Florian Weimer<[EMAIL PRO

Re: [j-nsp] Cisco to Juniper Question

where it is kept. Large prefixes may create problems, but this is similar to what happens with a large directly connected subnet.) -- Florian Weimer<[EMAIL PROTECTED]> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Kar

Re: [j-nsp] Fwd: Point-to-point Ethernet interfaces

ered interfaces are the way to go. Thanks. -- Florian Weimer<[EMAIL PROTECTED]> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99 ___

[j-nsp] Point-to-point Ethernet interfaces

w that the desired setup isn't strictly allowed by the standards, but it works quite well with various systems, and the address space savings are quite nice. -- Florian Weimer<[EMAIL PROTECTED]> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100