Re: [j-nsp] Filter on lo0, MX80

2012-01-30 Thread Per Granath
 I'm trying a basic filter to deny traffic to lo0.
 SSH, OSPF and ICMP are allowed.
 
 It doesn't work, it allows all traffic.
 
 The same filter works on a ge-interface.
 
 ge-1/0/0 {
     unit 0 {
         family inet {
             filter {
                 input admin-access;
             }
             address 10.1.1.1/29;
         }
     }
 }
 lo0 {
     unit 0 {
         family inet {
             filter {
                 input admin-access;
             }
             address 10.2.1.1/32;
         }
     }
 }
 
 firewall {
     family inet {
         filter admin-access {
             term ssh-access {
                 from {
                     address {
                         10.1.2.0/24;
                     }
                 }
                 then accept;
             }

You only need it applied on the lo0 interface.
For ssh, change address to source-address, since just address means either
source or destination.
Also, add protocol ssh to that from statement.

Cheers.

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] Join my network on LinkedIn

2012-01-30 Thread Maurice Gil Cruz via LinkedIn
LinkedIn

Maurice Gil Cruz has requested to add you as a contact on LinkedIn:

--

I would like to add you to my professional network on LinkedIn.

Accept invitation from Maurice Gil Cruz
http://www.linkedin.com/e/u96119-gy18slbe-16/XqZSB0oknt5cTYQCxwU5LkoQzUifoQRJSaUSlk19WH/blk/I2023366468_3/1BpC5vrmRLoRZcjkkZt5YCpnlOt3RApnhMpmdzgmhxrSNBszYPnPwSd3oScPcOc399bSFdjjhmhScPbPkNcPgMej0TcPkLrCBxbOYWrSlI/EML_comm_afe/?hs=falsetok=2nVruPO9WyJ541

View invitation from Maurice Gil Cruz
http://www.linkedin.com/e/u96119-gy18slbe-16/XqZSB0oknt5cTYQCxwU5LkoQzUifoQRJSaUSlk19WH/blk/I2023366468_3/3dve3oQdzoPcP8McAALqnpPbOYWrSlI/svi/?hs=falsetok=1Fo3SzJvOyJ541

--

Why might it be a good idea to connect with Maurice Gil Cruz?

Maurice Gil Cruz's contacts could be useful to you:

After accepting Maurice Gil Cruz's invitation, review Maurice Gil Cruz's
contacts to see who else you know and who you would like to be introduced to.
Building contacts can create future opportunities.

-- 
(c) 2012, LinkedIn Corporation
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

[j-nsp] Recommended Releases now posted for MX, M, T, QFX

2012-01-30 Thread Chris Kawchuk
Just noticed this today - Seems JNPR has filled out the recommended release 
JunOS matrix for all the products now (incl M, T, MX, QFX)

http://kb.juniper.net/InfoCenter/index?page=contentid=KB21476

- Chris.
... Riding the 10.4 MX Release Train. Next Stop, R9.
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Recommended Releases now posted for MX, M, T, QFX

2012-01-30 Thread Paul Stewart
Hey Chris yeah, that just showed up about 2 weeks ago (at least that's
when I noticed it).

Since JTAC isn't supposed to provide you with recommended releases on
M/T/MX, at least this KB is a reference point... also nice to see them
update the MX recommended release ;)

Paul

-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Chris Kawchuk
Sent: Monday, January 30, 2012 3:54 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Recommended Releases now posted for MX, M, T, QFX

Just noticed this today - Seems JNPR has filled out the recommended release
JunOS matrix for all the products now (incl M, T, MX, QFX)

http://kb.juniper.net/InfoCenter/index?page=contentid=KB21476

- Chris.
... Riding the 10.4 MX Release Train. Next Stop, R9.
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Recommended Releases now posted for MX, M, T, QFX

2012-01-30 Thread Derick Winkworth
10.4R9?  This makes me very happy...  I thought they were going to stop at R8.  
I think they really need/want a golden release for the MX and R8 was supposed 
to be it.

R9 will be good... we hope.
 
Derick Winkworth 
CCIE #15672 (RS, SP), JNCIE-M #721 
http://packetpushers.net/author/dwinkworth/



 From: Paul Stewart p...@paulstewart.org
To: juniper-nsp@puck.nether.net 
Sent: Monday, January 30, 2012 5:12 AM
Subject: Re: [j-nsp] Recommended Releases now posted for MX, M, T, QFX
 
Hey Chris yeah, that just showed up about 2 weeks ago (at least that's
when I noticed it).

Since JTAC isn't supposed to provide you with recommended releases on
M/T/MX, at least this KB is a reference point... also nice to see them
update the MX recommended release ;)

Paul

-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Chris Kawchuk
Sent: Monday, January 30, 2012 3:54 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Recommended Releases now posted for MX, M, T, QFX

Just noticed this today - Seems JNPR has filled out the recommended release
JunOS matrix for all the products now (incl M, T, MX, QFX)

http://kb.juniper.net/InfoCenter/index?page=contentid=KB21476

- Chris.
... Riding the 10.4 MX Release Train. Next Stop, R9.
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Filter on lo0, MX80

2012-01-30 Thread Jonas Björklund


On Mon, 30 Jan 2012, Stacy W. Smith wrote:



On Jan 30, 2012, at 1:05 AM, Per Granath wrote:


I'm trying a basic filter to deny traffic to lo0.
SSH, OSPF and ICMP are allowed.

It doesn't work, it allows all traffic.

The same filter works on a ge-interface.

ge-1/0/0 {
    unit 0 {
        family inet {
            filter {
                input admin-access;
            }
            address 10.1.1.1/29;
        }
    }
}
lo0 {
    unit 0 {
        family inet {
            filter {
                input admin-access;
            }
            address 10.2.1.1/32;
        }
    }
}

firewall {
    family inet {
        filter admin-access {
            term ssh-access {
                from {
                    address {
                        10.1.2.0/24;
                    }
                }
                then accept;
            }


You only need it applied on the lo0 interface.
For ssh, change address to source-address, since just address means either
source or destination.
Also, add protocol ssh to that from statement.


There's no protocol ssh. You want protocol tcp and destination-port ssh:

[edit firewall family inet filter admin-access]
user@host# show
term ssh-access {
    from {
        source-address {
            10.1.2.0/24;
        }
        protocol tcp;
        destination-port ssh;
    }
    then accept;
}


Thanks! source-address solved the problem.

/Jonas
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
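As an added example, not the poster's configuration or anything else from this thread, here is the shape of the complete lo0 filter the thread is converging on: the ssh term as Stacy wrote it (source-address, protocol tcp, destination-port ssh), accept terms for the OSPF and ICMP traffic the original post says should be allowed, and an explicit final term that counts, logs and discards everything else. The prefixes 10.1.2.0/24 and 10.2.1.1/32 are the ones from the quoted config; the term names ospf, icmp and deny-rest and the counter name denied are my own choices.

```junos
/* Added example. Match on source-address: a plain "address" match would also
   accept packets merely destined to 10.1.2.0/24, which is not what we want. */
firewall {
    family inet {
        filter admin-access {
            term ssh-access {
                from {
                    source-address {
                        10.1.2.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* OSPF is its own IP protocol (89), so match on protocol, not on a port. */
            term ospf {
                from {
                    protocol ospf;
                }
                then accept;
            }
            term icmp {
                from {
                    protocol icmp;
                }
                then accept;
            }
            /* A Junos filter already discards unmatched packets implicitly;
               this explicit term only adds a counter and log entries so that
               the drops are visible. "denied" is an assumed counter name. */
            term deny-rest {
                then {
                    count denied;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input admin-access;
                }
                address 10.2.1.1/32;
            }
        }
    }
}
```

An lo0 input filter sees every packet addressed to the Routing Engine, so anything without an accept term here (BGP, SNMP, NTP, DNS replies to the box, and so on) ends up in deny-rest; commit it with `commit confirmed` when working over the same SSH session it protects, and afterwards `show firewall filter admin-access` shows the denied counter and `show firewall log` the logged drops.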


Re: [j-nsp] Junos 10.4R8 on MX (PR 701928)

2012-01-30 Thread Jim Boyle
Hi Daniel, just an update on this. The PR now has a workaround outlined and it
can be implemented via a script.

You mentioned our beta PR search, and we will be launching that officially
this week at http://prsearch.juniper.net. For this PR, customers with a valid
support contract can access the information at
http://prsearch.juniper.net/PR701928.
It is even possible to subscribe to the PR for any updates.


Thanks,

Jim Boyle
Customer Support
Juniper Networks


-Original Message-
From: juniper-nsp-boun...@puck.nether.net 
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Daniel Hilj
Sent: Monday, January 23, 2012 10:21 AM
To: bas
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Junos 10.4R8 on MX (PR 701928)

Hi,

This is what you see if you use their beta PR search engine.



JUNOS Problem Report

Number  PR701928
Title   MPC may restart with backtrace in ia_wpkt_next() routine
Release Note
Introduced in Junos software version 10.4R8, a DPC may restart unexpectedly 
with the following error messages:
 [Oct 25 04:21:08.749 LOG: Err] ia_wpkt_next : pkt_ring[937] has a packet 
0x421fea20


SeverityCritical
Status  Closed
Last Modified   2012-01-23 06:40:04 PST
Affected-Releases   10.4R8
Resolved In
Product MX-series
Functional Area software
Problem
This is a critical defect which effects only DPC, and not MPC.
Customers with DPC is discourage using Junos 10.4R8, 10.4S8(A), and 10.4S8(B).






On 23 Jan 2012 at 16:16, bas kilo...@gmail.com wrote:

Hi,

On Mon, Jan 23, 2012 at 3:57 PM, Daniel Hilj
daniel.h...@ipnett.se wrote:

This is a critical defect which effects only DPC, and not MPC.
Customers with DPC is discourage using Junos 10.4R8, 10.4S8(A), and
10.4S8(B).

Strange, I see:

---
SYNOPSISMPC may restart with backtrace in ia_wpkt_next() routine
RELEASE NOTEIntroduced in Junos software version 10.4R8, a DPC may
restart unexpectedly [snip]
---

So the Synopsis mentions MPC..

Bas

-- This e-mail has been checked for virus by IPnett's Security solution --




___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Filter on lo0, MX80

2012-01-30 Thread Pajlatek
Hello Jonas,
You should use the new template for securing your router; use this
book.
http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/securing-routing-engine/

Also, when you finish, always check all connections to the RE with this
command:
show system connections

This should get you going and securing the router.

As for getting your security to the max, use the newest edition
http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/hardening-junos-devices-checklist/


Peter Okupski
www.widzew.net


-- 
Best regards,
 Pajlatek  mailto:pajla...@widzew.net

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Recommended Releases now posted for MX, M, T, QFX

2012-01-30 Thread Chris Cappuccio
that only took...about 5 years ? sweet, juniperdude.

Chris Kawchuk [juniperd...@gmail.com] wrote:
 Just noticed this today - Seems JNPR has filled out the recommended release 
 JunOS matrix for all the products now (incl M, T, MX, QFX)
 
 http://kb.juniper.net/InfoCenter/index?page=contentid=KB21476
 
 - Chris.
 ... Riding the 10.4 MX Release Train. Next Stop, R9.
 ___
 juniper-nsp mailing list juniper-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/juniper-nsp

-- 
The language of the totalist environment is characterized by the 
thought-terminating cliche. The most far-reaching and complex of human problems 
are compressed into brief, highly reductive, definitive-sounding phrases, 
easily memorized and easily expressed. These become the start and finish of any 
ideological analysis. - Robert Jay Lifton
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] GRE packet fragmentation on j-series

2012-01-30 Thread Ben Dale
Hi Lukasz,

J-Series only needs a license to download signature updates for IDP - in order 
to stop fragmentation, all you need to do is create a security policy that 
matches on GRE traffic match application junos-gre and then references the 
idp engine in the action then permit application-services idp.  

This will force the IDP engine to re-assemble the GRE fragments for inspection 
(but not actually inspect them).  

Juniper had a really good document explaining this with examples for MPLSoGRE, 
but my google and KB-fu is failing.

Cheers,

Ben

On 26/01/2012, at 7:17 PM, Lukasz Martyniak wrote:

 Thanks for the quick response, I had hoped that this could be done in another 
 way. I think J-Series needs an extra license for IDP. 
 
 On Jan 24, 2012, at 11:35 PM, Alex Arseniev wrote:
 
 My understanding is that GRE fragmentation should occur if egress interface 
 MTU is < GRE pkt size.
 For GRE reassembly, you need IDP policy, this means high memory SRX model. 
 IDP license is not needed.
 Rgds
 Alex
 
 - Original Message - From: Lukasz Martyniak 
 lmartyn...@man.szczecin.pl
 To: juniper-nsp@puck.nether.net
 Sent: Tuesday, January 24, 2012 2:04 PM
 Subject: [j-nsp] GRE packet fragmentation on j-series
 
 
 Hi all
 
 I have some problem with GRE tunnels. I need to fragment packets in the 
 tunnel. I run GRE between two J-Series (Junos 10.4R6) and launch MPLS on it. 
 The problem looks like this: packets with MTU above 1476 are not 
 fragmented/reassembled and are dropped.
 
 
 interfaces gr-0/0/0
 unit 10 {
     clear-dont-fragment-bit;
     description "Tunnel to r1-lab";
     tunnel {
         source 10.200.0.1;
         destination 10.200.0.2;
         allow-fragmentation;
         path-mtu-discovery;
     }
     family inet {
         mtu 1500;
         address 100.100.100.1/30;
     }
     family mpls {
     }
 }
 
 Has anyone had a similar problem? Is there a simple way to fix this?
 
 Best Lukasz
 ___
 juniper-nsp mailing list juniper-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/juniper-nsp
 
 
 
 ___
 juniper-nsp mailing list juniper-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/juniper-nsp
 


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
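As an added example, not Ben's, Alex's or Lukasz's configuration, here is a flow-mode security policy in the shape Ben describes: it matches application junos-gre and permits with application-services idp, together with a minimal IDP policy set active so that the IDP engine exists to reassemble the GRE fragments. The zone names trust and untrust, the policy name gre-idp and the IDP policy name gre-reassembly are placeholders I chose; the single rulebase-ips rule with no-action is my assumption of the smallest IDP policy that will commit, not something the thread specifies, and the thread's point that this reassembles without actually inspecting is what that no-action rule reflects.

```junos
/* Added example. Zone names and policy names are placeholders. */
security {
    idp {
        /* Assumed minimal policy: one rule that matches every session and
           takes no action. Its only job is to make the IDP engine active so
           the permit below has an engine to hand the GRE fragments to. */
        idp-policy gre-reassembly {
            rulebase-ips {
                rule match-all {
                    match {
                        application default;
                    }
                    then {
                        action {
                            no-action;
                        }
                    }
                }
            }
        }
        active-policy gre-reassembly;
    }
    policies {
        /* Replace trust/untrust with the zones the GRE packets actually cross. */
        from-zone trust to-zone untrust {
            policy gre-idp {
                match {
                    source-address any;
                    destination-address any;
                    application junos-gre;
                }
                then {
                    permit {
                        /* Sending the session through IDP is what forces
                           reassembly of the fragmented GRE packets. */
                        application-services {
                            idp;
                        }
                    }
                }
            }
        }
    }
}
```

Alex's caveat upthread still applies: IDP only runs on the higher-memory models, and as Ben says the signature-update license is only needed for updates, not for using the engine this way. After committing, `show security flow session application gre` lists the GRE sessions the policy is catching, and `show security idp status` confirms the engine is up.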