Geen idee... volgens mij is daar wat gefoefeld toenertijd. Mss weet Raf meer ?
/W -----Original Message----- From: juniper-nsp [mailto:[email protected]] On Behalf Of [email protected] Sent: Monday, May 06, 2013 6:00 PM To: [email protected] Subject: juniper-nsp Digest, Vol 126, Issue 41 Send juniper-nsp mailing list submissions to [email protected] To subscribe or unsubscribe via the World Wide Web, visit https://puck.nether.net/mailman/listinfo/juniper-nsp or, via email, send a message with subject or body 'help' to [email protected] You can reach the person managing the list at [email protected] When replying, please edit your Subject line so it is more specific than "Re: Contents of juniper-nsp digest..." Today's Topics: 1. Re: Maximum IPsec (st0) tunnels for SRX-series (Dale Shaw) 2. Anyone who use inetzero JNCIE-ENT workbook? (=?gb18030?B?YnJ1bm8=?=) 3. auto-negotiation on 1000BASE-X ports (Martin T) 4. Re: auto-negotiation on 1000BASE-X ports (Olivier Benghozi) 5. SRX 240 Site to Site Vpn Question (Nc Aji) ---------------------------------------------------------------------- Message: 1 Date: Mon, 6 May 2013 11:11:18 +1000 From: Dale Shaw <[email protected]> To: Ben Dale <[email protected]> Cc: "[email protected]" <[email protected]> Subject: Re: [j-nsp] Maximum IPsec (st0) tunnels for SRX-series Message-ID: <CAG_V284TSyrDyiNNUaj3FtHUqXLaWgiB6GCyX-gmoQ=l3t2...@mail.gmail.com> Content-Type: text/plain; charset=windows-1252 Hi Ben, On Mon, May 6, 2013 at 10:33 AM, Ben Dale <[email protected]> wrote: > As long as your tunnels don't breach the IPSEC Throughput numbers, you should > be right?. > > I have a few SRX240s out there with upwards of 500 tunnels on them, some > dynamic routing (3 core sites only), and they're sitting at around 50% CPU. > They're all running DPD with intervals of 10 and 3 (which I think is as low > as you can go). That's a good point. I'll want to run OSPF over all tunnels, so it's not just IPsec/IKE that'll be wanting control plane resources. The biggest branch SRX I've currently got with the most tunnels is a pair of SRX650s with 40 tunnels each (all w/OSPF p2p adjacencies, albeit with default timers). Control plane CPU sits steady at 20% all day. An SRX240 with only 12 tunnels sits at 40% but I recall this being "normal" due to some strange control plane utilisation metric due to the way flowd works on these boxes. Cheers, Dale ------------------------------ Message: 2 Date: Mon, 6 May 2013 15:41:05 +0800 From: "=?gb18030?B?YnJ1bm8=?=" <[email protected]> To: "=?gb18030?B?anVuaXBlci1uc3A=?=" <[email protected]> Subject: [j-nsp] Anyone who use inetzero JNCIE-ENT workbook? Message-ID: <[email protected]> Content-Type: text/plain; charset="gb18030" Hi All, Is there anyone who use Inetzero JNCIE-ENT workbook. Is it good enough. Last year, I buy proteus JNCIE-SP for my JNCIE-SP preparation.I don't think it's good. not a complete lab .so this time i don't want to choose proteus again. ------------------ Best Regards, Bruno ------------------------------ Message: 3 Date: Mon, 6 May 2013 13:07:49 +0300 From: Martin T <[email protected]> To: [email protected] Subject: [j-nsp] auto-negotiation on 1000BASE-X ports Message-ID: <CAJx5YvENCV8Ss8Z=oKpjFYd=y6i8p1sn8q8oc+if7wprbg2...@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1 Hi, Juniper routers support enabling(this is the default setting) and disabling auto-negotiation both on 1000BASE-T(copper) and 1000BASE-X(optical) interfaces. Auto-negotiation on copper ports makes sense because copper ports(for example on tri-rate DPC's on MX960) support 10BASE-T and 100BASE-TX modes besides 1000BASE-T, 1000BASE-T supports both full- and half-duplex modes according to IEEE 802.3z and master/slave relationship between two ports needs to be determined for negotiating the clock settings. However, what is negotiated between two directly connected 1000BASE-X ports when auto-negotiation is enabled on both ports? I mean optical transceivers rated to 1Gbps do not support backward compatibility to lower speeds and are there optical transceivers out there that support half-duplex mode(it's supported according to IEEE 802.3 22.2.4.4.2)? In a nutshell, why is auto-negotiation needed on 1000BASE-X ports? regards, Martin ------------------------------ Message: 4 Date: Mon, 6 May 2013 13:18:00 +0200 From: Olivier Benghozi <[email protected]> To: Martin T <[email protected]>, [email protected] Subject: Re: [j-nsp] auto-negotiation on 1000BASE-X ports Message-ID: <[email protected]> Content-Type: text/plain; charset=us-ascii 1000Base-X can negotiate flow control. But, an interesting part of autoneg is Remote Fault Notification: one of the fibers in your 2 fibers link breaks, and the link becomes unidirectional; the side that sees its receiving fiber down sends a frame to notify the other side (which didn't see anything special) that the link is down (so this side will also show the link as "down", whereas it receives proper signal). Without this, when a single fiber breaks, to detect (slower) the problem and prevent unidirectional GE links, you have to rely on protocols running at a higher level: specialized ones (Cisco's UDLD, OAM), on routing protocols, or on LACP (which can be used on a single link for this purpose, as would describe http://kb.juniper.net/InfoCenter/index?page=content&id=KB13314). This also exists in 10GE links as Link Fault Signaling. regards, Olivier > supported according to IEEE 802.3 22.2.4.4.2)? In a nutshell, why is > auto-negotiation needed on 1000BASE-X ports? ------------------------------ Message: 5 Date: Mon, 6 May 2013 16:18:30 +0300 From: Nc Aji <[email protected]> To: "[email protected]" <[email protected]> Subject: [j-nsp] SRX 240 Site to Site Vpn Question Message-ID: <cadxh52grwjuhjodoxr1wz4xoh2fe4kv48hczwvep+9owyh_...@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1 I have a small customer requiring a VPN between two of the sites, One site is so remote where in we have only 3g internet connection available. other site which is considered to be the main site is having internet over an ADSL link . In essence both sides are getting dynamic IP address , can i have a site to site vpn in this situation ? Does SRX support dyndns feature ? can I use it for establishing site to site vpn ? if not what is the other option to suggest to customer ? Regards, Aji N C ------------------------------ Subject: Digest Footer _______________________________________________ juniper-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/juniper-nsp ------------------------------ End of juniper-nsp Digest, Vol 126, Issue 41 ******************************************** _______________________________________________ juniper-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/juniper-nsp
