Re: [j-nsp] 100Base-LX10 and MX80
On Sun, Mar 04, 2012 at 11:10:54PM -0600, Richard A Steenbergen wrote:
> My personal recollection is that MX back in the DPC days only supported 1000.

Depends. Some DPCs were multirate (e.g. the 2x10GE + 20x1GE combos).

> I could probably go dust off some documentation on the internals of the MX80 and tell you whether the PHY for the modular version supports 10/100/1000 for the SFPs or not

The 20x1GE MICs do support multirate, definitely with the original Juniper Methode Elec. OEM SFPs. Works in MX80 as well as MPC2 and is supported.

Caveat: you have to explicitly configure "speed auto" on the interface, otherwise it WILL do autoneg, but only advertise 1000Mbps capability. And to configure "speed auto", you'll also have to explicitly configure "gigether-options auto-negotiation" even though the interface already does autoneg by default, otherwise your commit will be blocked. I was utterly unsuccessful explaining the bogosity of that to JTAC, trying hard for weeks. "It's working as coded, so it's fine." No, it's not. I gave up eventually after being persistent enough to at least add some hints into the reference docs.

    lab@lab-MX80-01> show interfaces ge-1/2/7 | match link
    Physical interface: ge-1/2/7, Enabled, Physical link is Up
      Link-level type: Ethernet, MTU: 1514, Speed: 100mbps, BPDU Error: None, MAC-REWRITE Error: None,

    lab@lab-MX80-01> show configuration interfaces ge-1/2/7
    speed auto;
    gigether-options {
        auto-negotiation;
    }

    lab@lab-MX80-01> show chassis hardware
    ...
    MIC 1            REV 23   750-028392   xx3D              20x 1GE(LAN) SFP
      Xcvr 7         REV 02   740-013111   xxx               SFP-T
    ...

    lab@lab-MX80-01> show chassis pic fpc-slot 1 pic-slot 2
    ...
                             Fiber                      Xcvr vendor
    Port  Cable type         type   Xcvr vendor         part number        Wavelength
    ...
    7     GIGE 1000T         n/a    Methode Elec.       SP7041-M1-JN       n/a
    ...

Best regards,
Daniel

-- 
CLUE-RIPE -- Jabber: d...@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] Help with vpn srx - asa
Hi,

I have some problems configuring a VPN between an SRX and a Cisco ASA. This is my configuration:

    ike {
        proposal trans-vpn {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 86400;
        }
        policy ike_pol_vpn2remote {
            mode main;
            proposals trans-vpn;
            pre-shared-key ascii-text 1234567899; ## SECRET-DATA
        }
        gateway gw_vpn2remote {
            ike-policy ike_pol_vpn2remote;
            address X.Y.W.Z;
            local-identity inet A.B.C.D;
            external-interface fe-0/0/7.0;
            version v1-only;
        }
    }
    ipsec {
        policy ipsec_pol_vpn2remote {
            proposal-set compatible;
        }
        vpn vpn2remote {
            bind-interface st0.0;
            ike {
                gateway gw_vpn2remote;
                ipsec-policy ipsec_pol_vpn2remote;
            }
            establish-tunnels immediately;
        }
    }

On the ASA side the remote IT tech said that the configuration is the same: encryption, hash, lifetime, group, etc.

In /var/log/kmd I found:

    Mar 5 12:51:27 IKEv1 Error : Timeout
    Mar 5 12:52:06 IKEv1 Error : No proposal chosen
    Mar 5 12:52:27 IKEv1 Error : Timeout
    Mar 5 12:52:41 IKEv1 Error : No proposal chosen
    Mar 5 12:53:13 IKEv1 Error : No proposal chosen
    Mar 5 12:53:27 IKEv1 Error : Timeout
    Mar 5 12:53:47 IKEv1 Error : No proposal chosen
    Mar 5 12:54:27 IKEv1 Error : Timeout
    Mar 5 12:54:30 IKEv1 Error : No proposal chosen
    Mar 5 12:55:08 IKEv1 Error : No proposal chosen

Any hints?

Regards
Marco

-- 
bizza
Re: [j-nsp] Help with vpn srx - asa
Hi Marco,

I see that you are using a custom proposal in phase 1 but using "compatible" in phase 2; that could be the problem. You need to define an exact proposal in phase 2 as well. Could you confirm whether the proposal mismatch is in phase 1 (IKE) or phase 2 (IPsec), to be more specific?

regards,
Asad

On Mon, Mar 5, 2012 at 4:57 PM, bizza biz...@gmail.com wrote:
> Hi,
>
> I have some problems configuring a VPN between an SRX and a Cisco ASA. This is my configuration:
>
>     ike {
>         proposal trans-vpn {
>             authentication-method pre-shared-keys;
>             dh-group group5;
>             authentication-algorithm sha-256;
>             encryption-algorithm aes-256-cbc;
>             lifetime-seconds 86400;
>         }
>         policy ike_pol_vpn2remote {
>             mode main;
>             proposals trans-vpn;
>             pre-shared-key ascii-text 1234567899; ## SECRET-DATA
>         }
>         gateway gw_vpn2remote {
>             ike-policy ike_pol_vpn2remote;
>             address X.Y.W.Z;
>             local-identity inet A.B.C.D;
>             external-interface fe-0/0/7.0;
>             version v1-only;
>         }
>     }
>     ipsec {
>         policy ipsec_pol_vpn2remote {
>             proposal-set compatible;
>         }
>         vpn vpn2remote {
>             bind-interface st0.0;
>             ike {
>                 gateway gw_vpn2remote;
>                 ipsec-policy ipsec_pol_vpn2remote;
>             }
>             establish-tunnels immediately;
>         }
>     }
>
> On the ASA side the remote IT tech said that the configuration is the same: encryption, hash, lifetime, group, etc.
>
> In /var/log/kmd I found:
>
>     Mar 5 12:51:27 IKEv1 Error : Timeout
>     Mar 5 12:52:06 IKEv1 Error : No proposal chosen
>     Mar 5 12:52:27 IKEv1 Error : Timeout
>     Mar 5 12:52:41 IKEv1 Error : No proposal chosen
>     Mar 5 12:53:13 IKEv1 Error : No proposal chosen
>     Mar 5 12:53:27 IKEv1 Error : Timeout
>     Mar 5 12:53:47 IKEv1 Error : No proposal chosen
>     Mar 5 12:54:27 IKEv1 Error : Timeout
>     Mar 5 12:54:30 IKEv1 Error : No proposal chosen
>     Mar 5 12:55:08 IKEv1 Error : No proposal chosen
>
> Any hints?
>
> Regards
> Marco
>
> -- 
> bizza
Re: [j-nsp] Help with vpn srx - asa
On Mon, Mar 5, 2012 at 1:28 PM, Asad Raza asadgard...@gmail.com wrote:
> Hi Marco,
>
> I see that you are using a custom proposal in phase 1 but using "compatible" in phase 2; that could be the problem. You need to define an exact proposal in phase 2 as well. Could you confirm whether the proposal mismatch is in phase 1 (IKE) or phase 2 (IPsec), to be more specific?

I've just changed my configuration as follows:

    security {
        ike {
            proposal ike-p1 {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm aes-128-cbc;
                lifetime-seconds 86400;
            }
            policy ike_pol_lan2remote {
                mode main;
                proposals ike-p1;
                pre-shared-key ascii-text blablabla; ## SECRET-DATA
            }
            gateway gw_lan2remote {
                ike-policy ike_pol_lan2remote;
                address x.y.w.z;
                external-interface fe-0/0/7.0;
                version v1-only;
            }
        }
        ipsec {
            proposal ipsec-p2 {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm aes-128-cbc;
                lifetime-seconds 86400;
                lifetime-kilobytes 1048576;
            }
            policy ipsec_pol_lan2remote {
                proposals ipsec-p2;
            }
            vpn lan2remote {
                bind-interface st0.0;
                ike {
                    gateway gw_lan2remote;
                    ipsec-policy ipsec_pol_lan2remote;
                }
                establish-tunnels immediately;
            }
        }
    }

And I'm waiting for the people on the other side to change the ASA configuration, which will be something like this:

    crypto isakmp policy 5
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ipsec transform-set ipsec-p2 esp-aes esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 1048576
    crypto map foo 5 match address MYACL
    crypto map foo 5 set pfs
    crypto map foo 5 set peer x.y.w.z
    crypto map foo 5 set transform-set ipsec-p2
    crypto map foo interface outside

Do you think this will be enough?

Regards
Marco

-- 
bizza
Re: [j-nsp] Help with vpn srx - asa
On 05/03/2012, at 9:57 PM, bizza wrote:
>     gateway gw_vpn2remote {
>         ike-policy ike_pol_vpn2remote;
>         address X.Y.W.Z;
>         local-identity inet A.B.C.D;
>         external-interface fe-0/0/7.0;
>         version v1-only;
>     }

In your IKE gateway configuration above, you have configured the local-identity - this particular knob is only used for authentication when you are using aggressive mode (which you are not). I suspect what you really wanted to configure was the proxy-id, which ASAs tend to be VERY picky about. You'll need:

    set security ipsec vpn vpn2remote ike proxy-identity local A.B.C.D/E
    set security ipsec vpn vpn2remote ike proxy-identity remote F.G.H.I/J
    set security ipsec vpn vpn2remote ike proxy-identity service any

where F.G.H.I/J is the subnet on the remote side.

Ben
Re: [j-nsp] Help with vpn srx - asa
The ASAs are usually quite picky about Proxy-ID, and since you haven't specified one, the SRX will use any, any, any (all 0). That kind of Proxy-ID (or lack of one) usually works well when you are using a route-based setup. The ASA on the other hand (almost) always uses policy-based VPN, where you have to specify source and destination networks.

I don't think this is your problem yet, since the phase 1 handshake doesn't work. I would say: remove the local-identity from the gateway definition. This can mess things up. It is normally enough that the remote end can see your external interface source address.

/Per

5 mar 2012 kl. 12:57 skrev bizza:
> Hi,
>
> I have some problems configuring a VPN between an SRX and a Cisco ASA. This is my configuration:
>
>     ike {
>         proposal trans-vpn {
>             authentication-method pre-shared-keys;
>             dh-group group5;
>             authentication-algorithm sha-256;
>             encryption-algorithm aes-256-cbc;
>             lifetime-seconds 86400;
>         }
>         policy ike_pol_vpn2remote {
>             mode main;
>             proposals trans-vpn;
>             pre-shared-key ascii-text 1234567899; ## SECRET-DATA
>         }
>         gateway gw_vpn2remote {
>             ike-policy ike_pol_vpn2remote;
>             address X.Y.W.Z;
>             local-identity inet A.B.C.D;
>             external-interface fe-0/0/7.0;
>             version v1-only;
>         }
>     }
>     ipsec {
>         policy ipsec_pol_vpn2remote {
>             proposal-set compatible;
>         }
>         vpn vpn2remote {
>             bind-interface st0.0;
>             ike {
>                 gateway gw_vpn2remote;
>                 ipsec-policy ipsec_pol_vpn2remote;
>             }
>             establish-tunnels immediately;
>         }
>     }
>
> On the ASA side the remote IT tech said that the configuration is the same: encryption, hash, lifetime, group, etc.
>
> In /var/log/kmd I found:
>
>     Mar 5 12:51:27 IKEv1 Error : Timeout
>     Mar 5 12:52:06 IKEv1 Error : No proposal chosen
>     Mar 5 12:52:27 IKEv1 Error : Timeout
>     Mar 5 12:52:41 IKEv1 Error : No proposal chosen
>     Mar 5 12:53:13 IKEv1 Error : No proposal chosen
>     Mar 5 12:53:27 IKEv1 Error : Timeout
>     Mar 5 12:53:47 IKEv1 Error : No proposal chosen
>     Mar 5 12:54:27 IKEv1 Error : Timeout
>     Mar 5 12:54:30 IKEv1 Error : No proposal chosen
>     Mar 5 12:55:08 IKEv1 Error : No proposal chosen
>
> Any hints?
>
> Regards
> Marco
>
> -- 
> bizza
Re: [j-nsp] Help with vpn srx - asa
If that is the actual config off the ASA, then another thing that may be affecting connectivity:

    crypto map foo 5 match address MYACL
    crypto map foo 5 set pfs
    crypto map foo 5 set peer x.y.w.z
    crypto map foo 5 set transform-set ipsec-p2
    crypto map foo interface outside

you have PFS turned on - either turn it off on the ASA, or configure it on the SRX:

    set security ipsec policy ipsec_pol_lan2remote perfect-forward-secrecy keys group2

Ben
Re: [j-nsp] Help with vpn srx - asa
On Mon, Mar 5, 2012 at 2:55 PM, Ben Dale bd...@comlinx.com.au wrote:
> If that is the actual config off the ASA, then another thing that may be affecting connectivity:
>
>     crypto map foo 5 match address MYACL
>     crypto map foo 5 set pfs
>     crypto map foo 5 set peer x.y.w.z
>     crypto map foo 5 set transform-set ipsec-p2
>     crypto map foo interface outside
>
> you have PFS turned on - either turn it off on the ASA, or configure it on the SRX:
>
>     set security ipsec policy ipsec_pol_lan2remote perfect-forward-secrecy keys group2

Thank you Ben. I'm still waiting for the people on the other side to change the ASA configuration, but now I suppose that all will work fine.

regards
Marco

-- 
bizza
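A small pre-flight checker, added here as an example and not from any post in the thread, that puts the SRX and ASA parameters discussed above side by side and reports which phase would produce "No proposal chosen": the "compatible" proposal set in Marco's first config (Asad's point), the ASA's "set pfs" (Ben's point) and the default any/any proxy-ID (Ben's and Per's point). It assumes the expansion of the Junos predefined proposal sets and the ASA keyword mapping as given in the vendor documentation, an ASA default PFS group of group2 for a bare "set pfs", and uses constructed documentation-range networks for the proxy-IDs; lifetimes are not compared.

```python
"""Side-by-side IKEv1 phase-1 / phase-2 / proxy-ID check for an SRX <-> ASA tunnel.

Added example; parameter names follow the thread, networks are constructed."""

# Junos predefined IPsec proposal sets expanded to (encryption, authentication, pfs-group),
# as documented for 'proposal-set basic|compatible|standard' (all ESP).
JUNOS_PROPOSAL_SETS = {
    "basic": [("des-cbc", "hmac-sha1-96", None), ("des-cbc", "hmac-md5-96", None)],
    "compatible": [("3des-cbc", "hmac-sha1-96", None), ("3des-cbc", "hmac-md5-96", None),
                   ("des-cbc", "hmac-sha1-96", None), ("des-cbc", "hmac-md5-96", None)],
    "standard": [("3des-cbc", "hmac-sha1-96", "group2"), ("aes-128-cbc", "hmac-sha1-96", "group2")],
}

# ASA keywords mapped onto the Junos names used above.
ASA_ISAKMP_ENC = {"des": "des-cbc", "3des": "3des-cbc", "aes": "aes-128-cbc",
                  "aes-192": "aes-192-cbc", "aes-256": "aes-256-cbc"}
ASA_ISAKMP_HASH = {"md5": "md5", "sha": "sha1"}
ASA_ESP_ENC = {"esp-des": "des-cbc", "esp-3des": "3des-cbc", "esp-aes": "aes-128-cbc",
               "esp-aes-192": "aes-192-cbc", "esp-aes-256": "aes-256-cbc"}
ASA_ESP_AUTH = {"esp-md5-hmac": "hmac-md5-96", "esp-sha-hmac": "hmac-sha1-96"}


def srx_side(ike_proposal, ipsec_proposals=(), proposal_set=None, pfs=None,
             proxy_local="0.0.0.0/0", proxy_remote="0.0.0.0/0"):
    """Normalise the SRX VPN: phase-1 tuple (enc, auth, dh-group), phase-2 list of
    (enc, auth, pfs-group) and the proxy-IDs (0.0.0.0/0 when none is configured)."""
    p2 = JUNOS_PROPOSAL_SETS[proposal_set] if proposal_set else list(ipsec_proposals)
    if pfs:  # 'perfect-forward-secrecy keys groupN' on the policy applies to every proposal
        p2 = [(enc, auth, pfs) for enc, auth, _ in p2]
    return {"ike": ike_proposal, "ipsec": p2, "proxy": (proxy_local, proxy_remote)}


def asa_side(encryption, hash_, group, transform_set, pfs=None,
             acl_src="0.0.0.0/0", acl_dst="0.0.0.0/0"):
    """Normalise the ASA crypto config: isakmp policy, transform-set, crypto-map PFS and
    the crypto ACL (source = network behind the ASA, destination = network behind the SRX)."""
    esp_enc, esp_auth = transform_set
    pfs_group = None if pfs is None else ("group2" if pfs == "default" else pfs)
    return {"ike": (ASA_ISAKMP_ENC[encryption], ASA_ISAKMP_HASH[hash_], f"group{group}"),
            "ipsec": (ASA_ESP_ENC[esp_enc], ASA_ESP_AUTH[esp_auth], pfs_group),
            "proxy": (acl_dst, acl_src)}  # seen from the SRX: local = ACL destination


def check(srx, asa):
    """Return the list of mismatches; an empty list means both phases and proxy-IDs line up."""
    findings = []
    if asa["ike"] != srx["ike"]:
        findings.append(f"phase 1: ASA isakmp policy {asa['ike']} vs SRX proposal {srx['ike']}")
    if asa["ipsec"] not in srx["ipsec"]:
        findings.append(f"phase 2: ASA transform {asa['ipsec']} not in SRX proposals {srx['ipsec']}")
    if asa["proxy"] != srx["proxy"]:
        findings.append(f"proxy-id: SRX sends {srx['proxy']}, ASA crypto ACL expects {asa['proxy']}")
    return findings


# The ASA configuration typed later in the thread, with constructed crypto-ACL networks.
ASA = asa_side("aes", "sha", 2, ("esp-aes", "esp-sha-hmac"), pfs="default",
               acl_src="198.51.100.0/24", acl_dst="192.0.2.0/24")
# Marco's first config: custom phase 1, 'proposal-set compatible' (3DES/DES only, no PFS).
ORIGINAL = srx_side(("aes-256-cbc", "sha-256", "group5"), proposal_set="compatible")
# Marco's revised config: explicit ipsec-p2 proposal, still no PFS and no proxy-identity.
REVISED = srx_side(("aes-128-cbc", "sha1", "group2"), [("aes-128-cbc", "hmac-sha1-96", None)])
# Revised config plus Ben's two suggestions: PFS group2 and explicit proxy-identity.
FIXED = srx_side(("aes-128-cbc", "sha1", "group2"), [("aes-128-cbc", "hmac-sha1-96", None)],
                 pfs="group2", proxy_local="192.0.2.0/24", proxy_remote="198.51.100.0/24")

if __name__ == "__main__":
    for name, srx in (("original", ORIGINAL), ("revised", REVISED), ("fixed", FIXED)):
        print(name, check(srx, ASA) or "OK")
```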
Re: [j-nsp] Firewall filter using a prefix-list, not updating
On Sun, 4 Mar 2012, Richard A Steenbergen wrote:
> Depends on your definition of normal. I run into firewall bugs like this all the time these days (probably on my 6th one in the last 2 years). When in doubt, remove the filter and re-apply, this causes a data structure rebuild on the hw and makes the badness go away. And just consider yourself lucky that it doesn't cause the FPCs to crash when you reorder firewall terms like on EX8200 running 11.1R5. :)

The only obnoxious firewall filter issue I've run into lately is that inet6 firewall filters in Junos 10.3 don't support protocol as one of their allowable match criteria. Makes it tough to write ingress and egress filters for catching some of the 'low hanging fruit' nonsense. I have a case open with JTAC, but I haven't gotten a good answer yet if that's a feature, a bug, or something that's just missing from the v6 capabilities in that release. I didn't see anything that looked like a good match in a cursory review of the bug list. I have a router in my lab running 10.4, so I'll check if the same situation exists there.

jms
Re: [j-nsp] Firewall filter using a prefix-list, not updating
Perhaps I'm wrong, but I think you're looking for next-header for your protocol match.

    term T1 {
        from {
            next-header tcp;
            destination-port ssh;
        }
        then {
            count T1;
            accept;
        }
    }

~Adam

On Mon, Mar 5, 2012 at 9:44 AM, Justin M. Streiner strei...@cluebyfour.org wrote:
> On Sun, 4 Mar 2012, Richard A Steenbergen wrote:
>> Depends on your definition of normal. I run into firewall bugs like this all the time these days (probably on my 6th one in the last 2 years). When in doubt, remove the filter and re-apply, this causes a data structure rebuild on the hw and makes the badness go away. And just consider yourself lucky that it doesn't cause the FPCs to crash when you reorder firewall terms like on EX8200 running 11.1R5. :)
>
> The only obnoxious firewall filter issue I've run into lately is that inet6 firewall filters in Junos 10.3 don't support protocol as one of their allowable match criteria. Makes it tough to write ingress and egress filters for catching some of the 'low hanging fruit' nonsense. I have a case open with JTAC, but I haven't gotten a good answer yet if that's a feature, a bug, or something that's just missing from the v6 capabilities in that release. I didn't see anything that looked like a good match in a cursory review of the bug list. I have a router in my lab running 10.4, so I'll check if the same situation exists there.
>
> jms
Re: [j-nsp] Firewall filter using a prefix-list, not updating
On (2012-03-05 10:13 -0500), Adam Leff wrote:
>             next-header tcp;
>             destination-port ssh;

Bear in mind that you cannot use these in 'deny' context for security purposes, as bypassing them is as trivial as adding an extension header between TCP and IPv6.

So maybe you're stopping your DSL users from spamming by allowing TCP/25 to your SMTPd and then denying other TCP/25 then allowing the rest. This should not be done in JunOS in IPv6, as it can be easily bypassed. Or any other situation where you deny something and permit the rest later.

Trio at least could do this correctly, and find TCP headers after extension headers, and in fact it does, but there just isn't a CLI way to build firewall matches like that today.

-- 
  ++ytti
Re: [j-nsp] Firewall filter using a prefix-list, not updating
On Mon, 5 Mar 2012, Saku Ytti wrote:
> So maybe you're stopping your DSL users from spamming by allowing TCP/25 to your SMTPd and then denying other TCP/25 then allowing the rest. This should not be done in JunOS in IPv6, as it can be easily bypassed. Or any other situation where you deny something and permit the rest later.

At this point I'm inclined to say -1 for Juniper. I don't have any Trio at my border at this point.

With this in mind, do you have any recommendations for deploying a sane IPv6 ingress/egress filter policy on Juniper gear?

jms
Re: [j-nsp] Firewall filter using a prefix-list, not updating
On (2012-03-05 10:47 -0500), Justin M. Streiner wrote:
> With this in mind, do you have any recommendations for deploying a sane IPv6 ingress/egress filter policy on Juniper gear?

Try to make IPv6 rules where the ultimate address-matching rule is deny. So if you are doing iACL, allow UDP high ports, ICMP, whatnot, then deny protocol-agnostically everything to your infrastructure. Then an attacker can only bypass the permit statement, but will hit the protocol-agnostic deny statement.

Other than that, ask JNPR to implement 'match tcp' like IPv4, not just 'next-protocol', which is needed also, of course. I'm pretty sure DPCE could do this also, at least EZchip could, but I don't expect it ever to be supported in DPCE. I'm confident it'll be supported some day in Trio, while I have no information from JNPR on the matter.

-- 
  ++ytti
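A byte-level model of the two filter designs discussed in this sub-thread, added here as an example and not from any post on the list. It walks an IPv6 header chain the way a chain-aware filter would, then evaluates a deny-then-accept filter keyed on next-header/port (which, as Saku describes for the Junos of this era, only sees the fixed header's Next Header field) against the permit-then-protocol-agnostic-deny iACL he recommends. Packets, the 2001:db8:ffff::/48 infrastructure prefix and the source addresses are constructed for the example.

```python
"""Model of 'next-header' deny vs protocol-agnostic deny on IPv6 header chains.

Added example; packets and the infrastructure prefix are constructed."""
import ipaddress
import struct

HOPOPT, TCP, UDP, ROUTING, ICMPV6, DSTOPTS = 0, 6, 17, 43, 58, 60
# Extension headers sharing the layout Next Header, Hdr Ext Len (8-octet units, not
# counting the first 8 octets), data.  Fragment/AH/ESP are left out of this model.
EXT_WITH_LEN = {HOPOPT, ROUTING, DSTOPTS}
INFRA = ipaddress.ip_network("2001:db8:ffff::/48")  # constructed infrastructure prefix
INFRA_HOST = "2001:db8:ffff::1"


def build(src, dst, chain, upper):
    """IPv6 fixed header + 8-octet Hop-by-Hop/Destination Options headers + upper header.
    chain lists header protocol numbers in order, ending with the upper-layer protocol,
    e.g. [TCP] or [HOPOPT, TCP]."""
    body = b""
    for ext, following in zip(chain, chain[1:]):
        assert ext in (HOPOPT, DSTOPTS)
        # Next Header = header after this one, Hdr Ext Len = 0, one 4-byte PadN option.
        body += struct.pack("!BB", following, 0) + b"\x01\x04" + b"\x00" * 4
    body += upper
    fixed = struct.pack("!IHBB", 6 << 28, len(body), chain[0], 64)
    return fixed + ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + body


def tcp(dport):
    # Minimal 20-byte TCP header: sport 40000, SYN, data offset 5, checksum left zero.
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def udp(dport):
    return struct.pack("!HHHH", 40000, dport, 8, 0)


def parse(pkt):
    """Walk the header chain; 'first_nh' is what a fixed-header-only match sees,
    'ulp' is the real upper-layer protocol behind any extension headers."""
    _, _, nh, _ = struct.unpack("!IHBB", pkt[:8])
    src, dst = ipaddress.ip_address(pkt[8:24]), ipaddress.ip_address(pkt[24:40])
    first_nh, off = nh, 40
    while nh in EXT_WITH_LEN:
        nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    dport = struct.unpack("!H", pkt[off + 2:off + 4])[0] if nh in (TCP, UDP) else None
    return {"src": src, "dst": dst, "first_nh": first_nh, "ulp": nh, "dport": dport}


def fixed_header_view(p):
    """What a 'next-header'/'destination-port' match evaluates: the fixed header's Next
    Header field, and a port only when that field itself says TCP or UDP."""
    return p["first_nh"], (p["dport"] if p["first_nh"] in (TCP, UDP) else None)


def deny_then_accept(p):
    """The design the thread warns against: deny SMTP to infrastructure by
    next-header/port, then accept everything else."""
    proto, dport = fixed_header_view(p)
    if proto == TCP and dport == 25 and p["dst"] in INFRA:
        return "discard"
    return "accept"


def iacl_permit_then_deny(p):
    """Saku's recommendation: permit what infrastructure must receive, then end with a
    protocol-agnostic deny on the infrastructure prefix.  Evading a permit term only
    lands the packet in the final deny."""
    if p["dst"] not in INFRA:
        return "accept"  # transit traffic is not the iACL's business
    proto, dport = fixed_header_view(p)
    if proto == UDP and dport is not None and dport >= 1024:
        return "accept"  # e.g. traceroute probes to high UDP ports
    if proto == ICMPV6:
        return "accept"
    return "discard"  # address-only match, independent of the header chain


SAMPLES = {  # constructed test traffic, documentation-range addresses
    "tcp25_plain": build("2001:db8:1::10", INFRA_HOST, [TCP], tcp(25)),
    "tcp25_behind_hbh": build("2001:db8:1::10", INFRA_HOST, [HOPOPT, TCP], tcp(25)),
    "tcp25_behind_two_ext": build("2001:db8:1::10", INFRA_HOST, [HOPOPT, DSTOPTS, TCP], tcp(25)),
    "udp_high_to_infra": build("2001:db8:1::10", INFRA_HOST, [UDP], udp(33434)),
    "tcp25_transit": build("2001:db8:1::10", "2001:db8:2::25", [TCP], tcp(25)),
}


def evaluate():
    """Return {sample: (deny-then-accept verdict, permit-then-deny verdict)}."""
    return {name: (deny_then_accept(parse(pkt)), iacl_permit_then_deny(parse(pkt)))
            for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, iacl) in evaluate().items():
        print(f"{name:22s} deny-then-accept={naive:8s} permit-then-deny={iacl}")
```

The two packets carrying TCP/25 behind extension headers pass the deny-then-accept filter and are discarded by the iACL, while the plain UDP probe and the transit packet pass both.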
[j-nsp] M20: Adding a second RE
Hello,

We purchased a second RE600 (we had only one RE600). Does anyone know a procedure for adding a second RE? The new RE has the same version and configuration as the RE installed. Do you have any recommendations for changes to make in the configuration beforehand?

PS: Junos 7.3R1.4

Thanks
Isidoro
Re: [j-nsp] Firewall filter using a prefix-list, not updating
Hi all,

Thanks for the advice and information. Very much appreciated. I'll forward on to the JTAC and see where I get.

All the best,
David

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of juniper-nsp-requ...@puck.nether.net
Sent: 05 March 2012 12:53
To: juniper-nsp@puck.nether.net
Subject: juniper-nsp Digest, Vol 112, Issue 7

Today's Topics:

   1. Juniper Training as per of degree or online with a training partner !! (Harri Makela)
   2. Re: Juniper Training as per of degree or online with a training partner !! (Jose Madrid)
   3. Re: 100Base-LX10 and MX80 (Richard A Steenbergen)
   4. Re: Firewall filter using a prefix-list, not updating (Richard A Steenbergen)
   5. Re: 100Base-LX10 and MX80 (Daniel Roesen)
   6. Help with vpn srx - asa (bizza)
   7. Re: Help with vpn srx - asa (Asad Raza)
   8. Re: Help with vpn srx - asa (Ben Dale)

Message: 1
Date: Sun, 4 Mar 2012 15:18:29 -0800 (PST)
From: Harri Makela harri_mak...@yahoo.com
Subject: [j-nsp] Juniper Training as per of degree or online with a training partner !!

Hi Guys

Do you know any university/college offering Juniper certifications as part of their degree program? OR any company offering online Juniper training?

Thanks
HM

Message: 2
Date: Mon, 5 Mar 2012 00:02:59 -0500
From: Jose Madrid jmadr...@gmail.com
Subject: Re: [j-nsp] Juniper Training as per of degree or online with a training partner !!

The biggest name that comes to mind is Proteus Networks, which is owned by Joe Sorricelli. Not sure if they have online training, but check them out.

On Sun, Mar 4, 2012 at 6:18 PM, Harri Makela harri_mak...@yahoo.com wrote:
> Hi Guys
>
> Do you know any university/college offering Juniper certifications as part of their degree program? OR any company offering online Juniper training?
>
> Thanks
> HM

-- 
It has to start somewhere, it has to start sometime. What better place than here? What better time than now?

Message: 3
Date: Sun, 4 Mar 2012 23:10:54 -0600
From: Richard A Steenbergen r...@e-gerbil.net
To: Łukasz Dudziński luk...@dudzinscy.org
Subject: Re: [j-nsp] 100Base-LX10 and MX80

On Wed, Feb 29, 2012 at 02:35:09PM +0100, Łukasz Dudziński wrote:
> I did it already. The topic you have mentioned does not cover the essence of my question. I've asked for that specific SFP (100Base-LX10), not for using third party optics at all. The problem is that I don't know if it is possible to use 100Base-LX10 optics in MX80, because Juniper documentation does not mention 100Base-LX10 SFP. There is a note regarding 100Base-FX (FE on MMF), but no 100Base-LX10 (FE on SMF).

Generally speaking, the answer is: unless the pluggable requires some special handling from the router above and beyond what is considered 'normal' relative to the other pluggables, it WILL work regardless of whether or not it is officially supported. So far the only two examples I've found of the above are copper vs fiber (copper sometimes requires special handling to do things like detect link state properly), and 100 vs 1000. The LX10 part is irrelevant; if it was a 1000BASE optic you could throw in 1km or 100km and the router wouldn't know the difference, but you're on shaky ground with the 100 support. You also run into questions about whether 100 is even supported at all, since there are different ways to implement the PHY, one with 10/100/1000 support, and another with 1000-only. My personal recollection is that MX back in the DPC days only supported 1000. I could probably go dust off some
Re: [j-nsp] Dual Stack Aggregate Policing via Firewall Filter
Hi Stefan:

Thanks again for your input. It looks like it won't take this command either on the SRX... See below when configuring the physical-interface-policer:

    juniper@SRX210-1-ipv6# edit firewall policer cos1_drop_80_out_small

    [edit firewall policer cos1_drop_80_out_small]
    juniper@SRX210-1-ipv6# show
    filter-specific;
    ##
    ## Warning: statement ignored: unsupported platform (srx210he)
    ##
    physical-interface-policer;
    if-exceeding {
        bandwidth-limit 800k;
        burst-size-limit 100k;
    }
    then discard;

We are running Junos 10.4R9.5 as well.

Thanks,
Devin

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Devin Kennedy
Sent: Friday, March 02, 2012 1:17 PM
To: 'Stefan Fouant'; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Dual Stack Aggregate Policing via Firewall Filter

Thanks Stefan! I'll try that out and see if that will work for us.

-----Original Message-----
From: Stefan Fouant [mailto:sfou...@shortestpathfirst.net]
Sent: Friday, March 02, 2012 12:55 PM
To: 'Devin Kennedy'; juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] Dual Stack Aggregate Policing via Firewall Filter

Hi Devin,

Have you tried using a Physical Interface Policer? A Physical Interface Policer will allow you to apply your policers across different terms in different firewall filters that are applied to different protocol families on a single physical interface, and then it will merge all the filters which call that policer on the same physical interface. The cool thing is you can use this across different logical interfaces that might even be in different routing instances!

Try something along the following:

    [edit firewall]
    policer cos1_drop_8000K_out_medium {
        physical-interface-policer;           <-- This is required
        if-exceeding {
            bandwidth-limit 8m;
            burst-size-limit 1m;
        }
        then discard;
    }
    family inet {
        filter filter-ipv4 {
            physical-interface-filter;        <-- This is required
            term 1 {
                from {
                    protocol tcp;
                    port 80;
                }
                then {
                    policer cos1_drop_8000K_out_medium;
                    accept;
                }
            }
        }
    }
    family inet6 {
        filter filter-ipv6 {
            physical-interface-filter;        <-- This is required
            term 1 {
                from {
                    next-header tcp;          /* inet6 filters match on next-header, not protocol */
                    port 80;
                }
                then {
                    policer cos1_drop_8000K_out_medium;
                    accept;
                }
            }
        }
    }

HTHs.

Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ER, JNCI
Technical Trainer, Juniper Networks

-----Original Message-----
From: Devin Kennedy [mailto:devinkennedy...@hotmail.com]
Sent: Thursday, March 01, 2012 9:08 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Dual Stack Aggregate Policing via Firewall Filter

Hello:

We are currently testing dual stack CoS on the Juniper platform and we're not seeing any way to aggregate the policing applied to IPv4 and IPv6. We want to allocate a customer a specific amount of bandwidth, say 10m (including both IPv4 and IPv6 traffic in any proportional amount), and have the traffic policed to 10m regardless of the amount of IPv4 or IPv6 traffic.

I see there is an option to use a logical-interface-policer at the unit level:

    firewall {
        policer 10M-policing {
            logical-interface-policer;
            if-exceeding {
                bandwidth-limit 10m;
                burst-size-limit 100k;
            }
            then discard;
        }
    }
    interfaces {
        fe-2/0/3 {
            vlan-tagging;
            unit 200 {
                vlan-id 200;
                policer {
                    input 10M-policing;
                    output 10M-policing;
                }
            }
        }
    }

However, we are policing differently for each CoS queue, so we need to call policers via MF and BA filters. The problem is that there has to be a different filter for each family (inet and inet6), so the two are not able to use an aggregate amount. So if we apply the same 10m policer to each family it won't aggregate and instead applies an instance of the policer for each family (so a total of 20m).

Does anyone know if it's possible to configure an aggregate policer across two different firewall filters? Below is an example of what we are currently doing:

    ge-0/0/1 {
        per-unit-scheduler;
        vlan-tagging;
        speed 100m;
        link-mode full-duplex;
        gigether-options {
            no-auto-negotiation;
        }
        unit 2001 {
            vlan-id 2001;
            family inet {
                filter {
                    output cos_filter;
                }
                address x.x.x.x/30;
            }
            family inet6 {
                filter {
                    output cos_filter-v6;
                }
                address x::x/64;
            }
        }
    }

The cos_filter then calls BA and MF filters such as:

    [edit]
    juniper@SRX210-2-IPV6# show firewall
[j-nsp] SRX240 - ready for prime time?
Over the past few years the general feeling I've gotten reading j-nsp and elsewhere was to stay away from the SRX line until the code matured. We've got an upcoming project that I'm considering using a SRX 240 for. Has the code matured to the point that it can be considered a stable platform for security (just basic firewall, 1:1 NATs, maybe a few VPNs), high availability, and some very basic layer 3 routing services?

TIA.

--Mike
Re: [j-nsp] SRX240 - ready for prime time?
Yes. I've got several deployed in those roles.

Will O'Brien

On Mar 5, 2012, at 5:28 PM, TCIS List Acct lista...@tulsaconnect.com wrote:
> Over the past few years the general feeling I've gotten reading j-nsp and elsewhere was to stay away from the SRX line until the code matured. We've got an upcoming project that I'm considering using a SRX 240 for. Has the code matured to the point that it can be considered a stable platform for security (just basic firewall, 1:1 NATs, maybe a few VPNs), high availability, and some very basic layer 3 routing services?
>
> TIA.
>
> --Mike
Re: [j-nsp] SRX240 - ready for prime time?
On Mon, Mar 5, 2012 at 3:28 PM, TCIS List Acct lista...@tulsaconnect.com wrote:
> Over the past few years the general feeling I've gotten reading j-nsp and elsewhere was to stay away from the SRX line until the code matured. We've got an upcoming project that I'm considering using a SRX 240 for. Has the code matured to the point that it can be considered a stable platform for security (just basic firewall, 1:1 NATs, maybe a few VPNs), high availability, and some very basic layer 3 routing services?
>
> TIA.
>
> --Mike

I have many SRXs, from 100's, to 1400's, and things in between. There are still some gotchas, but I would say they are very mature. On my branch units, I run 10.4R6.5, and on the highend units I run 11.1R3.5.

Have not had any stability issues; they are quick, a pleasure to configure, and reliable. I wouldn't go back to ASAs ever at this point either.

-- 
Brent Jones
br...@brentrjones.com
Re: [j-nsp] SRX240 - ready for prime time?
Having dealt with the SRX through some very trying times (from early alpha boxes running on SSG) to current 11.x code I have to say the SRX has come a long long way. The 9.x code train and even well into 10.x saw some pretty big bugs with HA, VPN and other critical features. I have to say 10.4 and the 11.x code train have been pretty stable in whatever environment I've thrown them in. I tend to use the SRX's for their core functions (e.g. NAT, security policies, VPN's, etc) and stay away from IDP/UTM but from what I've seen they've been in good shape.

I would encourage you to check out the 240. It's an amazing firewall for the price. Stick to 10.4 or something in the 11.x code and you'll be fine. I think you'll be shocked how stable and bug free it is after hearing all the bad items on this list.

Good luck, hope this helps.

-Tim Eberhard

On Mon, Mar 5, 2012 at 5:28 PM, TCIS List Acct lista...@tulsaconnect.com wrote:
> Over the past few years the general feeling I've gotten reading j-nsp and elsewhere was to stay away from the SRX line until the code matured. We've got an upcoming project that I'm considering using a SRX 240 for. Has the code matured to the point that it can be considered a stable platform for security (just basic firewall, 1:1 NATs, maybe a few VPNs), high availability, and some very basic layer 3 routing services?
>
> TIA.
>
> --Mike
Re: [j-nsp] SRX240 - ready for prime time?
Thanks for all of the responses. A few more questions:

- Can the L2 switch feature on the SRX240 be used when I have a pair of appliances in HA mode? The docs seem to be conflicting on this -- it appears that it may be supported in 11.x?

- Can the SRX be used as a multi-tenant firewall to provide distinct L3 public IP subnets on VLAN interfaces, with their own set of unique firewall rules, and the possibility of overlapping Untrust IP networks (e.g. multiple customers have 192.168.1.0/24), AND the ability to terminate IPSEC VPN tunnels on these VLAN interfaces? (I'm looking for something to provide multi-tenant firewall services to a small Cloud hosting infrastructure)

On 3/5/2012 5:43 PM, Tim Eberhard wrote:
> I would encourage you to check out the 240. It's an amazing firewall for the price. Stick to 10.4 or something in the 11.x code and you'll be fine. I think you'll be shocked how stable and bug free it is after hearing all the bad items on this list.
>
> Good luck, hope this helps.
>
> -Tim Eberhard

--Mike
[j-nsp] SRX gui
Just curious about your experiences with the SRX J-Web GUI. We have been testing the SRX-210 for a couple of years and have noticed that the GUI is very slow to load and configure compared to an SSG5. We're running the SRX at OS 11.4R1.6; the SSG5 at 6.2.0r5.

Is it just the GUI on the SRX 210 that is slow? Does it run faster on the bigger hardware? We've tried it with IE8, IE9, and Firefox. Is there a specific browser or applet we need in order for it to run fast? If there is something that we need to do in order to make it run faster, please let me know.

Thanks!
-David Klein
Re: [j-nsp] SRX gui
On Mon, Mar 5, 2012 at 4:58 PM, David Klein davidkl...@dhk.com wrote:
> Just curious about your experiences with the SRX J-Web GUI. We have been testing the SRX-210 for a couple of years and have noticed that the GUI is very slow to load and configure compared to an SSG5. We're running the SRX at OS 11.4R1.6; the SSG5 at 6.2.0r5.
>
> Is it just the GUI on the SRX 210 that is slow? Does it run faster on the bigger hardware? We've tried it with IE8, IE9, and Firefox. Is there a specific browser or applet we need in order for it to run fast? If there is something that we need to do in order to make it run faster, please let me know.
>
> Thanks!
> -David Klein

The GUI across all Juniper products is generally pretty slow; I don't think it is a primary function that they spend a lot of resources on to make it even usable half the time. Luckily, the CLI is fully functional :)

-- 
Brent Jones
br...@brentrjones.com
Re: [j-nsp] SRX gui
Hi David, about your question on bigger ones: I recently used J-Web on SRX 3k and it is slow... I can't compare J-Web performance between branch and DC series. Never used J-Web on branch..

On Mar 6, 2012 5:53 AM, David Klein davidkl...@dhk.com wrote:
> Just curious about your experiences with the SRX J-Web GUI. We have been testing the SRX-210 for a couple of years and have noticed that the GUI is very slow to load and configure compared to an SSG5. We're running the SRX at OS 11.4R1.6; the SSG5 at 6.2.0r5.
>
> Is it just the GUI on the SRX 210 that is slow? Does it run faster on the bigger hardware? We've tried it with IE8, IE9, and Firefox. Is there a specific browser or applet we need in order for it to run fast? If there is something that we need to do in order to make it run faster, please let me know.
>
> Thanks!
> -David Klein
Re: [j-nsp] SRX gui
CLI was a nightmare on ScreenOS, so at the time I used the web interface, which was OK in terms of reactivity. Since we switched to Junos (first with Junos with Enhanced Services) we went to the CLI (like we do for all our routers) because:

- the GUI is very slow (on all systems I tested so far: J2320, J4350, SRX-210, SRX-240)
- the CLI is really functional and helps get things done very quickly.

It seems to be better with their central management tool.

Regards,
Pierre-Yves Maunier

On 6 March 2012 01:58, David Klein davidkl...@dhk.com wrote:
> Just curious about your experiences with the SRX J-Web GUI. We have been testing the SRX-210 for a couple of years and have noticed that the GUI is very slow to load and configure compared to an SSG5. We're running the SRX at OS 11.4R1.6; the SSG5 at 6.2.0r5.
>
> Is it just the GUI on the SRX 210 that is slow? Does it run faster on the bigger hardware? We've tried it with IE8, IE9, and Firefox. Is there a specific browser or applet we need in order for it to run fast? If there is something that we need to do in order to make it run faster, please let me know.
>
> Thanks!
> -David Klein
Re: [j-nsp] SRX gui
> I can't compare J-Web performance between branch and DC series. Never used J-Web on branch..

It's just as slow.

- CK.