Re: [j-nsp] ex4500 best-effort drops nowhere near congested

2013-05-02 Thread Michael Loftis
I was finally able to get this explained via a third party who designs these things ... Basically in S&F you have an input and output queue, per port. When port 1 sends to port 2 frames are moved from 1's input queue to 2's output queue. If 2's out queue fills, it blocks back into 1's input queue

Re: [j-nsp] ex4500 best-effort drops nowhere near congested

2013-05-02 Thread joel jaeggli
On 5/2/13 1:24 PM, Benny Amorsen wrote: joel jaeggli writes: There's literally no options in between. so a 1/10Gb/s TOR like the force10 s60 might have 2GB of shared packet buffer, while an like an arista 7050s-64 would have 9MB for all the ports, assuming you run it as all 10Gb/s rather than

Re: [j-nsp] ex4500 best-effort drops nowhere near congested

2013-05-02 Thread Michael Loftis
On Thursday, May 2, 2013, Benny Amorsen wrote: > joel jaeggli > writes: > > > There's literally no options in between. so a 1/10Gb/s TOR like the > > force10 s60 might have 2GB of shared packet buffer, while an like an > > arista 7050s-64 would have 9MB for all the ports, assuming you run it > > a

Re: [j-nsp] ex4500 best-effort drops nowhere near congested

2013-05-02 Thread Benny Amorsen
joel jaeggli writes: > There's literally no options in between. so a 1/10Gb/s TOR like the > force10 s60 might have 2GB of shared packet buffer, while an like an > arista 7050s-64 would have 9MB for all the ports, assuming you run it > as all 10Gb/s rather than 100/1000/1/4 mixes of ports

Re: [j-nsp] ex4500 best-effort drops nowhere near congested

2013-05-02 Thread joel jaeggli
On 5/2/13 10:27 AM, Jeff Wheeler wrote: On Wed, May 1, 2013 at 8:27 PM, ryanL wrote: i'm guessing this is a buffer thing, but i can't explain why it only happens on my 1ge ports and not when i punt the traffic over an 10ge Yes, it is a buffer thing. A 10GE interface is basically never going t

Re: [j-nsp] ex4500 best-effort drops nowhere near congested

2013-05-02 Thread Jeff Wheeler
On Wed, May 1, 2013 at 8:27 PM, ryanL wrote: > i'm guessing this is a buffer thing, but i can't explain why it only > happens on my 1ge ports and not when i punt the traffic over an 10ge Yes, it is a buffer thing. A 10GE interface is basically never going to not have time to transmit frames unle

Re: [j-nsp] Are we under some weird SPAM attack?

2013-05-02 Thread Mark Tinka
On Thursday, May 02, 2013 01:16:27 PM Jared Mauch wrote: > Yes, everything is now unstuck now. Some lists had > messages going back to at least 2008 come 'unstuck' when > I poked at mailman yesterday. At one point there were > at least 40k outbound messages waiting to be delivered. Two themes

Re: [j-nsp] IP address

2013-05-02 Thread harbor235
Is this a test? Usable IPs are .0 and .1, no broadcast and no net address Mike On Wed, May 18, 2011 at 10:58 AM, Murphy, Jay, DOH wrote: > 10.8.0.1/31 What are the useable IPs. What is the broadcast and network > address in this subnetwork? > > Thanks. > > Danie

Re: [j-nsp] Juniper SRX 3400 Clustering

2013-05-02 Thread Mark Menzies
The CRM module is just to allow you to have 2 control links. All it is is a long-winded way of giving the control plane another interface. We would use these for resiliency and redundancy on the control plane. We already have this resiliency in the data plane cos we have more than one member interfa

Re: [j-nsp] sflow on switch

2013-05-02 Thread Luca Salvatore
Shouldn't be a problem. Depending on the version of Junos make sure you don't have any port mirroring configured, there is a bug where, when sflow and port mirroring are configured, it will crash the switch. Fixed in recent versions though. From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.n

Re: [j-nsp] Inserting security policies on SRX

2013-05-02 Thread James S. Smith
Is something funny going on with the mailing list? I sent this original email 2 years ago. Also saw a bunch of other emails get sent out that people had sent from 2009 and 2010 From: Michael Loftis [mailto:mlof...@wgops.com] Sent: May-01-13 10:28 AM To: James S. Smith Cc: juniper-nsp@puck.net

Re: [j-nsp] SSG20 & PBR to Web Proxy

2013-05-02 Thread Payam Chychi
From past experience DNAT with transparent proxy will not work very nicely, if at all. You want to route through the proxy and not forward the connections to the proxy. If your proxy is squid or nix based you can do some packet magic but if you don't have access to the os layer (as it be the ca

Re: [j-nsp] Inserting security policies on SRX

2013-05-02 Thread Michael Loftis
I've found the "insert" and similar commands often get confused as to what you mean and where unless you move into the hierarchy closest to where you're working first by doing "edit security policies from-zone it_staff to-zone untrust" then doing your insert X before Y statement from that part of t

Re: [j-nsp] SRX - Static Routing Out Same Interface

2013-05-02 Thread Michael Loftis
You'll need a "hairpin" rule eg: set security policies from-zone trust to-zone trust policy hairpin match source-address any set security policies from-zone trust to-zone trust policy hairpin match destination-address any set security policies from-zone trust to-zone trust policy hairpin match app

Re: [j-nsp] Juniper SRX 3400 Clustering

2013-05-02 Thread ashish verma
It is needed to have dual control links. On Wed, May 11, 2011 at 9:17 PM, Altaf Ahmad wrote: > Hi Experts, > > I did configure the clustering of SRX 3400 chassis without installing > SRX3K-CRM Module and it went successful. Could anyone please let tell me > that then what is the p

Re: [j-nsp] IP address

2013-05-02 Thread Aaron Dewell
There are two usable IPs and no broadcast or network address. One device can have .0 and the other one .1. On May 1, 2013 8:56 AM, "Murphy, Jay, DOH" wrote: > 10.8.0.1/31 What are the useable IPs. What is the broadcast and network > address in this subnetwork? > > Thanks. > >

Re: [j-nsp] TFTP Server on SRX100

2013-05-02 Thread Mark Menzies
TFTP is supported but deprecated as it says. I wouldn't necessarily use this regularly in production as it's hidden for a reason :) On 22 October 2010 13:23, Bruce Buchanan wrote: > Hi Everyone, > > Does anyone know if the SRX100 can act as a local TFTP Server? > >

Re: [j-nsp] Aggregate interface AE issue

2013-05-02 Thread Jonathan Lassoff
What is the media management interface of which you speak? Do you mean a Layer 3 / IP interface on the router itself? I ask because you mention a "management VLAN" as being part of the trunk. It's not clear what's breaking here for you. Cheers, jof On Thu, Apr 26, 2012 at 2:56 AM, Ala' Amira w

Re: [j-nsp] SRX - Static Routing Out Same Interface

2013-05-02 Thread Jed Laundry
Apologies, my mail client was showing the date it received this, not when it was originally posted. Thanks, Jed. Sent from a small screen. On 2/05/2013 6:40 AM, "Jed Laundry" wrote: > Hi, > > Have you defined a security policy from and to the zone of the interface? > (Or is it running in packe

Re: [j-nsp] Inserting security policies on SRX

2013-05-02 Thread Aaron Dewell
Insert doesn't create it, it re-orders existing policies. IMHO it's confusingly named. So you create the policy using set (which puts it at the end) then you use insert to re-order it in the position you want. On May 1, 2013 8:32 AM, "James S. Smith" wrote: > I have an SRX240 running 11.1R2.3, a

Re: [j-nsp] Inserting security policies on SRX

2013-05-02 Thread OBrien, Will
Did you edit the new policy and set anything in it first? Will O'Brien On May 1, 2013, at 8:48 AM, "James S. Smith" wrote: I have an SRX240 running 11.1R2.3, and occasionally I have to add new policies. The obvious choice would seem to be use the insert command b

Re: [j-nsp] SRX - Static Routing Out Same Interface

2013-05-02 Thread Jed Laundry
Hi, Have you defined a security policy from and to the zone of the interface? (Or is it running in packet mode?) Which JunOS? Thanks, Jed Sent from a small screen. On 2/05/2013 2:31 AM, "Bruce Buchanan" wrote: > Hi List – > > Can anyone give any suggestion/guidance on the foll

Re: [j-nsp] SRX - Static Routing Out Same Interface

2013-05-02 Thread Aaron Dewell
That seems like it should work. Note that you'd need a policy in place from/to the same zone to allow this traffic. Even intrazone traffic is denied by default on an srx. I suspect that might be the issue here. On May 1, 2013 8:49 AM, "Bruce Buchanan" wrote: > Hi List – > > Can a

Re: [j-nsp] IP address

2013-05-02 Thread Harold 'Buz' Dale
There is no network address and subnet. There are only two addresses available: 10.8.0.0 and 10.8.0.1. The /31 is actually a relatively new construct to conserve address space for point to point links. Luck, Buz From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Murphy

Re: [j-nsp] srx240 VPN Question

2013-05-02 Thread Tim Eberhard
There are two possible ways of doing this (to me). 1) Stand up two VPN tunnels and just have one down at all times. You would use your existing configuration (assuming it's main mode) and just change the source IP where you expect the VPN initiator to come from. 2) Change your existing ma

Re: [j-nsp] IP address

2013-05-02 Thread Sivasankar Subbiah
If you take 10.8.0.0/31 then usable IP addresses are 10.8.0.0 and 10.8.0.1 (p-2-p). No broadcast address for this particular /31 subnets. It is a kind of pure point to point subnet. Regards Siva On 18 May 2011 15:58, Murphy, Jay, DOH wrote: > 10.8.0.1/31 What are the useable IPs. What is the

Re: [j-nsp] Are we under some weird SPAM attack?

2013-05-02 Thread Jared Mauch
On May 2, 2013, at 2:42 AM, Mark Tinka wrote: > My suspicion is the mailing list "held" them (may be > something to do with the fact that they all "seem" to be > HTML-based e-mail), and maybe they're all now being released > for one reason or another. > > As a friend of mine would say, "conj

Re: [j-nsp] SSG20 & PBR to Web Proxy

2013-05-02 Thread Andrew Miehs
Does the ssg20 do destination NAT? That is the feature you are after - alternatively wccp Btw - I wouldn't recommend transparent https. Sent from a mobile device On 01/05/2012, at 14:08, "Josh Farrelly" wrote: > Hi guys. > > We have a customer who’d like to implement a transparent web

Re: [j-nsp] 1000BaseT SFP

2013-05-02 Thread Magnus Bergroth
The 40x1GE MX card does only support 1G, the MPC and the 2x10GE + 20x1GE supports 10/100/1000. < Keith > 16 May 2011 19:32 > > Trying to connect GE copper SFP on MX to a 100meg port on a cisco > switch, 3560 actually. > > ge-0/0/2 { > description "<< Test Link >>"; > e

[j-nsp] Old Messages, etc

2013-05-02 Thread Jared Mauch
There were a few older messages that became unstuck from the system today. This has hammered the list machine in some weird ways and highlighted to me some changes I likely need to make to improve performance and scale in the future. Apologies for the problems and if your message was one that

[j-nsp] ex4500 best-effort drops nowhere near congested

2013-05-02 Thread ryanL
hi list. i'm guessing this is a buffer thing, but i can't explain why it only happens on my 1ge ports and not when i punt the traffic over an 10ge port. i have two 1ge in an ae bundle. both of them basically look like this: Statistics last cleared: 2013-05-02 00:16:50 UTC (00:02:02 ago) Traf

Re: [j-nsp] JNCIS

2013-05-02 Thread Mark Menzies
ER certs are expired, it was for the old Enterprise Routing. ER is now replaced with the ENT track for Enterprise routing and switching, the SEC track deals with SRX On 27 January 2010 11:58, Scott Morris wrote: > E is for the BRAS systems (ERX) > M is for the SP systems (M7i, M10i, M320

Re: [j-nsp] Are we under some weird SPAM attack?

2013-05-02 Thread Mark Tinka
On Thursday, May 02, 2013 08:36:59 AM Bruce Morgan wrote: > Maybe legit but messages going back to 2010 > > Only three more years to go…. > > Only adding to the spam and unsubscribing rsn. My suspicion is the mailing list "held" them (may be something to do with the fact that they all "see

Re: [j-nsp] Aggregate interface AE issue

2013-05-02 Thread Ben Dale
Hi Ala', I think what you are trying to do isn't going to work - when you bring up the aggregated ethernet interfaces between the two MXs, your media converters/management units will no longer be visible. Picture the AE as a tunnel between the two MXs (even though frames aren't actually tunnelled

Re: [j-nsp] Automated software upgrade on massive EX4200 deployment method advice

2013-05-02 Thread Job Snijders
Hi Jerry, On Jun 22, 2011, at 11:07 PM, Jerry Jaquith wrote: > I’m tasked with upgrading about 600 EX4200 switches to the latest recommended > OS. My first thought is to begin writing perl scripts, but wonder if anyone > has already been down this road and can offer some help? These are fres

Re: [j-nsp] SRX3600 weirdness

2013-05-02 Thread Eugeniu Patrascu
First option would be to check to see if the IMAP client is using the IMAP IDLE command. If so, you might want to disable this option. Or configure the SRX to never time out these connections (not sure if possible). Second option would be a check to see what screening options you have from untrust (

Re: [j-nsp] 1000BaseT SFP

2013-05-02 Thread Bill Blackford
Is it a tri-rate SFP? On May 1, 2013 7:29 PM, "Keith" wrote: > > Trying to connect GE copper SFP on MX to a 100meg port on a cisco switch, > 3560 actually. > > ge-0/0/2 { > description "<< Test Link >>"; > enable; > speed 100m; > link-mode full-duplex; >

Re: [j-nsp] Are we under some weird SPAM attack?

2013-05-02 Thread Bruce Morgan
Maybe legit but messages going back to 2010 Only three more years to go…. Only adding to the spam and unsubscribing rsn. Bruce On 2/05/13 2:32 PM, "Mark Tinka" wrote: >On Thursday, May 02, 2013 05:40:28 AM Michael Loftis wrote: > >> And answered my own ? by reading the rest of my inbox.