Re: [j-nsp] EX Feedback
As for the EX4200, is anyone able to configure a firewall filter that matches the TCP established flag? We are using an EX4200 with JUNOS 9.3R2.8 but are not able to do this matching. It is quite a pain for us that we cannot compose the filter the way we need.

thanks,
-- Michel~

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] MX960 SCB Alarm
Experts,

Could you please help me with this issue? We have an MX960. We were testing the CB redundancy by removing the master CB and watching the transition of mastership to the backup one. The transition happened, but with the following alarm:

    show chassis alarms
    2 alarms currently active
    Alarm time               Class  Description
    2009-07-28 02:45:51 UTC  Minor  Check CB 1 Fabric Chip 0
    2009-07-28 02:45:51 UTC  Minor  Backup RE Active

I need to know the meaning of the "CB 1 Fabric Chip 0" alarm, whether it is harmful or not, and how to resolve it. The alarm still exists even if I put the master RE back and switch over. The alarm disappears when I shut down the box and bring it up again.

BR,
Walaa Abdel Razzak
[j-nsp] Problem with firewall m-series
Hi,

I just started with an M10 and am setting up some firewall rules. I know that default deny and permitting each individual service seems the best way to go. But my problem is the following filter:

    term 1 {
        from {
            destination-address {
                192.168.100.0/23;
            }
            protocol-except tcp;
            destination-port-except 8935;
        }
        then {
            discard;
        }
    }
    term 2 {
        then accept;
    }

On this link I want only TCP traffic on port 8935 allowed to subnet 192.168.100.0/23. On all other subnets, any traffic should be allowed. It seems that UDP traffic on port 8935 to subnet 192.168.100.0/23 is allowed when this filter is applied. Could anybody tell me the right syntax for:

- traffic to 192.168.100.0/23: only TCP on port 8935 allowed;
- everything else for this destination is discarded;
- everything else on this link is allowed.

I am applying the filter on the downlink interface as output.

Thanks,
Tom
Re: [j-nsp] Problem with firewall m-series
Hi Tom,

Try this:

    term 1 {
        from {
            destination-address {
                192.168.100.0/23;
            }
            protocol tcp;
            destination-port 8935;
        }
        then {
            count good-traffic-to-192-168-100-0-23;
            accept;
        }
    }
    term 2 {
        from {
            destination-address {
                192.168.100.0/23;
            }
        }
        then {
            count bad-packet-going-to-192-168-100-0-23;
            log;
            reject;
        }
    }
    term 3 {
        then {
            accept;
        }
    }

First, match the traffic you want to allow and let it through. Then match any other traffic going to that subnet and reject it. Thirdly, allow all other traffic. The terms are evaluated in order.

- Chris.

On 28-Jul-09, at 7:40 AM, Tom Mayer wrote:
> [quoted text: Tom's original message, see above]
Re: [j-nsp] Problem with firewall m-series
Hi Tom,

Sometimes having double negatives in firewall terms is hard to read, but I understand what you are trying to do with the except matches. Here is a simple way to do it with 3 terms:

    [edit firewall family inet filter tdb-foo]
    l...@malaka# show
    term 1 {
        from {
            /* match on destination-address, as in Tom's requirement (the post as sent had source-address) */
            destination-address {
                192.168.100.0/23;
            }
            protocol tcp;
            destination-port 8935;
        }
        then accept;
    }
    term 2 {
        from {
            destination-address {
                192.168.100.0/23;
            }
        }
        then {
            discard;
        }
    }
    term 3 {
        then accept;
    }

On 28/07/2009, at 9:40 AM, Tom Mayer wrote:
> [quoted text: Tom's original message, see above]
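Both replies above rest on the same Junos stateless-filter semantics: every condition inside a term's from clause must hold for the term to match (the conditions are ANDed), terms are evaluated top to bottom, the first matching term's action wins, and a packet that matches no term hits the implicit final discard. Tom's double-except term therefore discards only packets that are both non-TCP and not to port 8935, which is why UDP/8935 (and, in fact, any TCP port) slips through to term 2. The Python model below is an added example, not Junos code and not something posted in the thread. It transcribes Tom's filter and the allow / deny-the-rest / allow-everything-else shape from the two replies, then runs constructed packets through both. The packet records, the helper names and the subset of match conditions modelled are assumptions made for illustration; real Junos filters support many more matches than these.

```python
import ipaddress

# Added model (not Junos code) of how a Junos stateless firewall filter is
# evaluated: terms in order, every condition in a term's "from" clause must
# hold (they are ANDed), the first matching term's action wins, and a packet
# matching no term is discarded by the implicit final term.
# Only the match conditions used in the thread are modelled, and only for
# TCP/UDP packets; prefix lists, port ranges and TCP-flag matches are omitted.


def term_matches(term, pkt):
    """Return True when every condition in the term's from-clause holds."""
    cond = term.get("from", {})
    if "destination-address" in cond:
        net = ipaddress.ip_network(cond["destination-address"])
        if ipaddress.ip_address(pkt["dst"]) not in net:
            return False
    if "protocol" in cond and pkt["proto"] != cond["protocol"]:
        return False
    if "protocol-except" in cond and pkt["proto"] == cond["protocol-except"]:
        return False
    if "destination-port" in cond and pkt["dport"] != cond["destination-port"]:
        return False
    if ("destination-port-except" in cond
            and pkt["dport"] == cond["destination-port-except"]):
        return False
    return True


def evaluate(terms, pkt):
    """First-match evaluation; returns (term name, action)."""
    for name, term in terms:
        if term_matches(term, pkt):
            return name, term["then"]
    return "implicit", "discard"   # Junos' implicit final discard term


def pkt(proto, dst, dport):
    """Constructed packet record used as sample input (assumption)."""
    return {"proto": proto, "dst": dst, "dport": dport}


LINK_SUBNET = "192.168.100.0/23"

# Tom's original filter, transcribed from his post.
TOM_FILTER = [
    ("1", {"from": {"destination-address": LINK_SUBNET,
                    "protocol-except": "tcp",
                    "destination-port-except": 8935},
           "then": "discard"}),
    ("2", {"from": {}, "then": "accept"}),
]

# The allow / deny-rest / allow-everything-else shape from the replies
# (using reject for term 2, as in Chris's version).
FIXED_FILTER = [
    ("1", {"from": {"destination-address": LINK_SUBNET,
                    "protocol": "tcp",
                    "destination-port": 8935},
           "then": "accept"}),
    ("2", {"from": {"destination-address": LINK_SUBNET}, "then": "reject"}),
    ("3", {"from": {}, "then": "accept"}),
]


def compare(packet):
    """Action taken on the packet by Tom's filter and by the fixed filter."""
    return evaluate(TOM_FILTER, packet)[1], evaluate(FIXED_FILTER, packet)[1]


if __name__ == "__main__":
    samples = [
        pkt("udp", "192.168.100.5", 8935),   # Tom's complaint: UDP/8935 gets in
        pkt("tcp", "192.168.100.5", 22),     # also gets in: it is TCP
        pkt("udp", "192.168.100.5", 53),     # the only kind term 1 discards
        pkt("tcp", "192.168.100.5", 8935),   # the traffic that should be allowed
        pkt("udp", "10.0.0.1", 53),          # other destinations: always allowed
    ]
    for p in samples:
        print(p, "tom=%s fixed=%s" % compare(p))
```

Running it shows that Tom's term 1 only ever fires for packets that are simultaneously non-TCP and not to port 8935, so both UDP/8935 and every TCP port reach his accept-all term 2. Note that the two replies differ in term 2's action: reject returns an ICMP unreachable to the sender, discard drops silently, and Tom's stated requirement was discard.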
[j-nsp] anyone need M40E PICs/FPCs?
(I'm not sure if this is considered appropriate on this list or not, apologies if not, but I figured more-or-less free gear would be more-or-less OK ;-)

I've got a pair of non-EP FPC1, along with assorted 1-port old-school GigE (1 SX, 1 LX, 1 LX-B, 1 LH), 1 4xOC3-IR and 1 tunnel card from an M40e lying around that I'd like out of the lab. Anyone need gear for theirs? They have no resale value at this point, so you can have them for shipping cost just so I don't have to move them at the end of the year. But I need to know ASAP if you're interested, because the chassis are being picked up tomorrow, and if no one wants the cards they're simply going out with those to get them out of my hair.

I've also got four PB-1OC48-SON-SMSR and a pair of non-EP FPC2 that need to leave if anyone has a use for them. I assume these still have at least a modicum of value and usefulness, so make a lowball offer and they're yours. I want 'em gone!

-dd
Re: [j-nsp] MX960 SCB Alarm
On Tue, Jul 28, 2009 at 03:10:28PM +0300, Walaa Abdel razzak wrote:
> show chassis alarms
> 2 alarms currently active
> Alarm time               Class  Description
> 2009-07-28 02:45:51 UTC  Minor  Check CB 1 Fabric Chip 0
> 2009-07-28 02:45:51 UTC  Minor  Backup RE Active
>
> I need to know the meaning of the CB 1 Fabric Chip 0 alarm and if it's harmful or not and how to resolve.

Check your logs - there should be some reasons given for the alarm. We recently saw this and the box had logged a series of CRC errors from that chip. JTAC issued an RMA.

It seems there's an extremely rare software issue that can sometimes log CRC errors on the MX SCB, but that in the vast majority of cases, it just means that the board is flaky.

Ross

--
Ross Vandegrift
r...@kallisti.us

If the fight gets hot, the songs get hotter.
If the going gets tough, the songs get tougher.
--Woody Guthrie
[j-nsp] MX960 SCB Alarm
Hi,

I have experienced your issue before. I guess you might be hitting this PR:

    NUMBER               408359
    SEVERITY             minor
    PRIORITY             medium
    CATEGORY             sw
    STATE                closed
    SYNOPSIS             MX SCB may fail to online at boot up sequence
    RELEASE              8.5R3.4; 9.3R1.7; 9.3R2.3; 9.3-20081208
    COMMITTED-IN RELEASE 8.5R5; 9.3R3; 9.4R2
    ARRIVAL DATE         2008-12-10 06:05:52
    LAST MODIFIED        2009-05-08 14:45:20
    CLOSE DATE           2009-03-03 20:38:48
    RELEASE NOTE         When you configure graceful Routing Engine switchover (GRES) on MX-series routers, the Switch Interface Board (SIB) might not initialize if you reboot both Routing Engines simultaneously or reboot a router with only one Routing Engine installed.

This describes the boot sequence of each RE.

kazuhiro