[j-nsp] access-internal routes

2016-04-01 Thread Aaron
a 10.101.12.245 (nexthop in vrf default), 00:08:42 Aaron ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] access-internal routes

2016-04-01 Thread Aaron
Thanks Daniel, I recall that's what another guy suggested... he gave me like 20 lines of junos code... then I found that one-line that did the trick. Aaron -Original Message- From: dverl...@gmail.com [mailto:dverl...@gmail.com] On Behalf Of Daniel Verlouw Sent: Friday, April 1, 2016 3

Re: [j-nsp] ACX5048 - protect remote access (telnet, ssh, http, snmp)

2016-04-01 Thread Aaron
Thanks Daniel, this is encouraging... I wonder if I can get the specifics on when that will be available Aaron -Original Message- From: dverl...@gmail.com [mailto:dverl...@gmail.com] On Behalf Of Daniel Verlouw Sent: Friday, April 1, 2016 3:03 PM To: Aaron <aar...@gvtc.com&

Re: [j-nsp] ACX5048 - protect remote access (telnet, ssh, http, snmp)

2016-04-01 Thread Aaron
interface access-classes or acl's attached to snmp process, etc... I'll get over it, just wanted to vent :| I really wish I could find an elegant/simple way to protect system processes (snmp, http, ssh, etc) Thanks y'all Aaron -Original Message- From: Eduardo Schoedler [mailto:lis

Re: [j-nsp] access-internal routes

2016-04-01 Thread Aaron
researched and came across the dhcp-relay thing. If you can give me a helpers bootp config to work in my routing-instance then I might do it. Would like to know the compelling reason to go with bootp or dhcp relay... Thanks again gents Aaron -Original Message- From: juniper-nsp

Re: [j-nsp] ACX5048 - protect remote access (telnet, ssh, http, snmp)

2016-04-01 Thread Aaron
Thanks Wayne, I tried it and get this error... agould@eng-lab-acx5048-1# commit confirmed 1 [edit interfaces lo0 unit 0 family inet] 'filter' Referenced filter 'local_acl' can not be used as default/physical interface specific with lo0 not supported on ingress loopback interface error:

[j-nsp] access-internal routes

2016-04-01 Thread Aaron
what are these routes (access-internal) ? i'm seeing them actually being sent over my MPLS L3VPN into my other pe's as /32 routes. very interesting. and seemingly very inefficient and busy. not sure that I like the idea of host routes for 10's of thousands of hosts being injected into my mpls

[j-nsp] ACX5048 - protect remote access (telnet, ssh, http, snmp)

2016-04-01 Thread Aaron
I need to only allow 172.17.0.0/16 to be able to remotely access the ACX5048 for snmp, telnet, ssh, http(s) services. How would I do this? Aaron

Re: [j-nsp] nat - non-inline - service card ms-mic-16G in mx104

2016-03-08 Thread Aaron
flows is what I needed to use to see flows. Aaron From: Alexander Arseniev [mailto:arsen...@btinternet.com] Sent: Tuesday, March 8, 2016 10:36 AM To: Aaron <aar...@gvtc.com>; juniper-nsp@puck.nether.net Subject: Re: [j-nsp] nat - non-inline - service card ms-mic-16G in mx104 Hello,

[j-nsp] nat - non-inline - service card ms-mic-16G in mx104

2016-03-08 Thread Aaron
Anybody know what I'm doing wrong ? I can't seem to get nat to work. I'm trying to do v4 to v4 with port translation (NAPT-44) using NON-inline nat. so I'm using an MX104 with a MS-MIC-16G FPC 1 BUILTIN BUILTIN MPC BUILTIN MIC 0 REV 17

Re: [j-nsp] Segment Routing ( SPRING )

2016-03-04 Thread Aaron
I don't have answers for you Clarke, hopefully others out there will... But, I do have a question... Does SPRING require an IGP ? And if so, is ISIS the only IGP that SPRING will/can use? Aaron -Original Message- From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf

Re: [j-nsp] Segment Routing ( SPRING )

2016-03-04 Thread Aaron
Oh man, watch out... now I got your number ! ...just kidding, sort of... lol Thanks David, et al, it's great to be a part of a knowledgeable and well-connected community as this Aaron -Original Message- From: david@orange.com [mailto:david@orange.com] Sent: Friday, March 4

Re: [j-nsp] Segment Routing ( SPRING )

2016-03-04 Thread Aaron
Thanks David, I should've read this email before asking my previous question. I just got this book yesterday. Page 92 says SPRING is aka SR. Thanks Also I see in preface page xxii that one of the four key contributors to this book was a guy named David Roy... is this you? :) Aaron

Re: [j-nsp] Segment Routing ( SPRING )

2016-03-04 Thread Aaron
These topics are new to me... I understand that SR is Segment Routing and SPRING is Source Packet Routing in Networking... so I want to know is "SR" and "SPRING" the exact same thing ? or are there some differences in SR and SPRING ? Aaron -Original Message---

Re: [j-nsp] A conceptual advice on QoS is needed

2016-03-02 Thread Aaron
Right, very good Saku, thanks. Interestingly, one of my dsl bb customers may be very offended to find out that I consider their neighbors voice traffic to be more important than their dsl bb traffic :| perhaps that's what you meant about being careful with how I market it. Aaron

Re: [j-nsp] A conceptual advice on QoS is needed

2016-03-02 Thread Aaron
et through during attacks... right ? 2 - if you have links that are regularly experiencing congestion, I mean like daily/nightly and sustained congestion for an hour or more, then is qos really the "fix" for that ? sounds like that's a bandwidth issue. Aaron -Original Message---

Re: [j-nsp] Juniper ACX

2016-02-23 Thread Aaron
and it looked good. I tested L2VPN VPLS BGP Auto Discovered w/BGP Sig and /LDP Sig and both were functional. Aaron -Original Message- From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Mark Tinka Sent: Monday, February 22, 2016 12:31 AM To: Saku Ytti <s...@ytti

Re: [j-nsp] Enable EVPN on existing mpls l3vpn network

2016-02-19 Thread Aaron
... No outage on pe. Love it Aaron -Original Message- From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of tim tiriche Sent: Thursday, February 18, 2016 12:44 PM To: juniper-nsp@puck.nether.net Subject: [j-nsp] Enable EVPN on existing mpls l3vpn network Hello, I have

[j-nsp] understanding interface encapsulation, family ... and more

2016-02-04 Thread Aaron
derlying interface-specific options > tcc Translational cross-connect parameters > vpls Virtual private LAN service parameters [edit] Thanks, Aaron

Re: [j-nsp] Acx5048 vpls vlan-id

2016-02-04 Thread Aaron
29 2016 1 10.101.12.248 rmt Up Feb 5 05:59:29 2016 1 10.101.12.250 rmt Up Feb 5 05:59:29 2016 1 10.101.12.251 rmt Up Feb 5 05:59:29 2016 1 Aaron -Original Message- From: juniper-nsp [mail

Re: [j-nsp] juniper hack news

2015-12-26 Thread Aaron Dewell
While that may be completely correct (while not completely provable, it is entirely reasonable to assume it), the immediate question was whether this particular vulnerability affected JunOS also, or only ScreenOS. The answer to that more narrow question is that it only affects ScreenOS. I

[j-nsp] juniper hack news

2015-12-21 Thread Aaron
il.gvtc.net/owa/redir.aspx?C=7312c58d24cd4b6a8f8f85b851bb6702; URL=http%3a%2f%2fthehackernews.com%2f2015%2f12%2fhacking-juniper-firewall-security.html> Aaron

Re: [j-nsp] Collapsed MPLS CE/PE/P configuration

2015-12-21 Thread Aaron
: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Aaron Sent: Monday, December 21, 2015 11:04 AM To: 'Matthew Crocker'; 'jnsp list' Subject: Re: [j-nsp] Collapsed MPLS CE/PE/P configuration Maybe this will help... this makes L3VPN work for me on a PE... set interfaces ge-0/0/47

Re: [j-nsp] Collapsed MPLS CE/PE/P configuration

2015-12-21 Thread Aaron
-target import target:1:1 set routing-instances one vrf-target export target:1:1 set routing-instances one vrf-table-label Aaron -Original Message- From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Matthew Crocker Sent: Monday, December 21, 2015 9:42 AM To: jnsp

Re: [j-nsp] MAC filter on EX switches

2015-12-09 Thread Aaron
check succeeds commit complete {master:0}[edit] Aaron -Original Message- From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Muhammad Atif Jauhar Sent: Wednesday, December 09, 2015 9:55 AM To: Tim St. Pierre Cc: Juniper List Subject: Re: [j-nsp] MAC filter on EX

Re: [j-nsp] MAC filter on EX switches

2015-12-09 Thread Aaron
I’m not sure what you mean Eduardo. I just typed that mac address into the firewall filter as a test. I did not test this to see if it would really stop traffic. Aaron From: Eduardo Schoedler [mailto:lis...@esds.com.br] Sent: Wednesday, December 09, 2015 1:47 PM To: Aaron Cc

Re: [j-nsp] Juniper and Cisco - BGP MPLS L2VPN VPLS interoperability

2015-12-05 Thread Aaron
unknown MTU 1500 1500 Aaron

Re: [j-nsp] Juniper and Cisco - BGP MPLS L2VPN VPLS interoperability

2015-12-04 Thread Aaron
d PW: neighbor 10.101.12.250, PW ID 10100, state is up ( established ) MTU 1500 1500 Aaron

Re: [j-nsp] Juniper and Cisco - BGP MPLS L2VPN VPLS interoperability

2015-12-02 Thread Aaron
nbr global 10.101.0.254 Active open failed - open timer running u all All possible debugging has been turned off Aaron

Re: [j-nsp] Juniper and Cisco - BGP MPLS L2VPN VPLS interoperability

2015-12-02 Thread Aaron
All possible debugging has been turned off Aaron

Re: [j-nsp] Juniper and Cisco - BGP MPLS L2VPN VPLS interoperability

2015-11-24 Thread Aaron
. http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/command/irg-cr-book/bgp-a1.html#wp1306388590 Aaron -Original Message- From: Adam Vitkovsky [mailto:adam.vitkov...@gamma.co.uk] Sent: Tuesday, November 24, 2015 4:43 AM To: Aaron; juniper-nsp@puck.nether.net; arsen

Re: [j-nsp] Juniper and Cisco - BGP MPLS L2VPN VPLS interoperability

2015-11-23 Thread Aaron
re and all is well. Aaron p.s. besides, bringing up l2vpn AF on the 5048 and 104 , as I understand it, SHOULD NOT, cause any other PE's to renegotiate capabilities and AF's on their bgp neighbor sessions with the RR. -Original Message- From: Adam Vitkovsky [mailto:adam.vitkov...@gamma.co

Re: [j-nsp] Juniper and Cisco - BGP MPLS L2VPN VPLS interoperability

2015-11-23 Thread Aaron
Thanks Dale, RR’s are (2) cisco asr9000’s (one is a 9006 and the other is a 9010), configured in a RR cluster. Both run IOS XR 4.1.2 Aaron From: dale.s...@gmail.com [mailto:dale.s...@gmail.com] On Behalf Of Dale Shaw Sent: Monday, November 23, 2015 4:47 PM To: Aaron Cc: Adam Vitkovsky

Re: [j-nsp] Juniper and Cisco - BGP MPLS L2VPN VPLS interoperability

2015-11-23 Thread Aaron
exchange issue, but now I'm wondering if it's NLRI related. Thanks group, Aaron -Original Message- From: Adam Vitkovsky [mailto:adam.vitkov...@gamma.co.uk] Sent: Monday, November 23, 2015 5:55 PM To: Aaron; juniper-nsp@puck.nether.net; arsen...@btinternet.com Subject: RE: [j-nsp

Re: [j-nsp] Juniper and Cisco - BGP MPLS L2VPN VPLS interoperability

2015-11-23 Thread Aaron
the juniper's signaling lsp's with each other... I wonder if that caused problems with the other PE's in my network. Aaron -Original Message- From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Aaron Sent: Monday, November 23, 2015 9:50 PM To: 'Adam Vitkovsky

[j-nsp] Juniper and Cisco - BGP MPLS L2VPN VPLS interoperability

2015-11-20 Thread Aaron
Notifications and drop their MP-BGP neighbor sessions to the Route Reflector core and purge all their vpnv4, vpnv6 and l2vpn topology tables ! Bad customer impact. lots of trouble. "Rollback 1" on ACX and MX and all is well Anyway have trouble in this area ? Aaron P.S. fo

Re: [j-nsp] Limit on interfaces in bundle

2015-10-29 Thread Aaron Dewell
It's code version dependent. It was raised recently, so if you still see 16 you need to upgrade. On Oct 29, 2015 5:01 AM, "Cydon Satyr" wrote: > Hello experts, > > Could somebody confirm if 16 is the max number of physical interfaces one > can have in a LAG on MX? What

[j-nsp] EX4550 - MPLS L3VPN - vrf forwarding without bgp license ?

2015-10-28 Thread Aaron
table is being learned. BUT NO TRAFFIC SEEMS TO BE FORWARDED. EX4550 running JUNOS 12.2R1.9 If the problem is understood to be regarding the bgp license, then just let me know and I'll troubleshoot elsewhere. thanks Aaron

Re: [j-nsp] Cisco ME3600 migration to something with more 10 gig ports

2015-10-26 Thread Aaron
? Any other comparable products out there y'all know of? Aaron -Original Message- From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Raphael Mazelier Sent: Tuesday, July 14, 2015 12:45 PM To: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] Cisco ME3600 migration to some

Re: [j-nsp] nat / cg nat / vrf aware nat (pe nat)

2015-09-30 Thread Aaron
Thanks, yes, I would be wanting NAPT (I believe this is NAT Overload/PAT) yes I would want this for the public IP address savings that it achieves. If I do NAPT, why would I want MS-DPC over MS-PIC or vice versa? Aaron -Original Message- From: juniper-nsp [mailto:juniper-nsp

[j-nsp] nat / cg nat / vrf aware nat (pe nat)

2015-09-29 Thread Aaron
? Or do most Juniper SP devices support this ? Do only certain products support sp/cg nat ? Aaron

Re: [j-nsp] purpose of "commit check"?

2015-09-28 Thread Aaron Dewell
Yes, the commit will fail if commit check would have also failed. I tend to use commit check as a check on myself when I’ve done a big cut-and-paste, or when creating a bunch of objects. The time to fail of commit check is less than commit if there are discrepancies. On Sep 28, 2015, at

Re: [j-nsp] Disable telnet/ssh access from virtual routers

2015-07-15 Thread Aaron Dewell
Apply a filter on lo0.0 which denies traffic from anything but your management IPs. Or, put a filter on the VR interface denying all traffic destined to that IP itself. On Jul 15, 2015, at 10:11 AM, Victor Sudakov v...@mpeks.tomsk.su wrote: Colleagues, I have customers' networks

Re: [j-nsp] Cisco ME3600 migration to something with more 10 gigports

2015-07-14 Thread Aaron
Thanks everyone for your input. Does the mx80 support all the mpls L3vpn and L2vpn things I mentioned ? Aaron From: Mark Tinka [mailto:mark.ti...@seacom.mu] Sent: Tuesday, July 14, 2015 7:41 AM To: Phil Bedard; Ivan Ivanov; Aaron Cc: Juniper List Subject: Re: [j-nsp] Cisco

[j-nsp] Cisco ME3600 migration to something with more 10 gig ports

2015-07-13 Thread Aaron
Cisco ASR920's for (4) 10 gig ports and several (1) gig ports. Would this be good ? What are some comparable Juniper products that would fit here ? Is Juniper better in that area ? Aaron

Re: [j-nsp] Buying a used Juniper

2015-05-05 Thread Aaron Dewell
I looked into this once. Support involves a one-time purchase of a contract, back-dated to when it was last under contract. Depending on how long ago that was, it may be prohibitive as well. On May 5, 2015, at 11:00 AM, Raphael Mazelier r...@futomaki.net wrote: Le 05/05/15 18:47, Colton

Re: [j-nsp] Buying a used Juniper

2015-05-05 Thread Aaron Dewell
Ask your local reseller for a quote. On May 5, 2015, at 2:13 PM, Colton Conor colton.co...@gmail.com wrote: Damien, Thanks for the links. From the website: Juniper Networks, Inc. requires an inspection or a reinstatement fee for all products that were not originally purchased, by the then

[j-nsp] junos cli prompt

2015-04-15 Thread Aaron
Is there a way to not show the username in the prompt ? Is there a way to make set cli commands persist across reboots ? Aaron

[j-nsp] ddos rtbh service

2015-04-07 Thread Aaron
I usually ask of them.. TWC seemed a little harder for me to get through the layers of the company in order to finally talk to the right person..) Aaron

Re: [j-nsp] ddos rtbh service

2015-04-07 Thread Aaron
...@puck.nether.net] On Behalf Of Colin Baker Sent: Tuesday, April 07, 2015 9:28 AM To: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] ddos rtbh service On 2015-04-07 08:31, Aaron wrote: Now, I'm getting a third internet connection with ATT. how do they do it ? Any insight into how you all use ATT

Re: [j-nsp] non-split tunneling to SRX dynamic vpn with Pulse Secure client?

2015-03-23 Thread Aaron Dewell
Have you tried 0/1 and 128/1 instead of 0/0? That’s also required for backup-router destination as well, so might solve this problem too. On Mar 23, 2015, at 7:33 PM, Nick Schmalenberger n...@schmalenberger.us wrote: On Thu, Mar 05, 2015 at 06:29:30PM -0800, Nick Schmalenberger wrote: I need

Re: [j-nsp] how to see users

2015-03-16 Thread Aaron
Thanks everyone. Very helpful Aaron -Original Message- From: Tore Anderson [mailto:t...@fud.no] Sent: Friday, March 13, 2015 5:46 AM To: Aaron Cc: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] how to see users * Aaron aar...@gvtc.com I have a user a I've config'd. I see that I

[j-nsp] how to see users

2015-03-12 Thread Aaron
I have a user a I've config'd. I see that I can view it within the config. Also, I see that I can see users actively logged in. But how do I show users that are configured without viewing it in the config file? Aaron root@j1# show system login user a { uid 2000

Re: [j-nsp] QFX5100 3rd party optic/DAC

2014-09-29 Thread Aaron Dewell
What version of code? D10 (frs) had some issues with some cables which is resolved in more current versions. Also if this is 5100 to 4300 make sure you have auto negotiation turned off on the 4300 (but that would probably fail with a juniper branded dac as well so unlikely to be the issue). On

Re: [j-nsp] Site to Site VPN issues with Cluster

2014-05-08 Thread Aaron Dewell
90% sure it's nested tunnels (GRE over IPSec). You cannot do them in a cluster. If you can get the Cisco side to remove the GRE layer and route directly over the secure tunnel (have not tried it so I don't know if they can or not), then it will work (using st0 on the SRX). If you can't, your

Re: [j-nsp] SRX Active/Passive cluster with redundant route based IPSec - connectivity to AWS VPC

2014-05-05 Thread Aaron Dewell
I have terminated IPSec tunnels on reth interfaces entirely successfully. I would think that would work fine in your setup as well. It wasn't amazon, but it was to other remote SRXs. The ISP in question did terminate on both cluster members (two drops). That was on a branch SRX. On the

Re: [j-nsp] WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS IMAGE

2014-03-24 Thread Aaron Dewell
fsck is run automatically every boot. If the automatic fsck fails, it throws it to the backup partition. So yes, you are correct, but the situation observed is when that system fails. On Mar 24, 2014, at 11:04 PM, Victor Sudakov wrote: Dear Masood, Thanks for the link to the KB article.

Re: [j-nsp] IBGP via EBGP Default

2014-03-17 Thread Aaron Dewell
The route is known via some source, and therefore the destination is reachable. I've never known the source of the route to matter for the peer address on any platform. If you want it to go down, you can try the ttl knob to force it down if it's taking a longer path. On Mar 17, 2014, at

Re: [j-nsp] Configuring in-band management over trunk interfaces in EX2200

2014-03-03 Thread Aaron Dewell
I can verify that if a VLAN is both named as a member and as a native-vlan-id, then it will accept traffic both tagged and untagged on that port for that VLAN. However, traffic will only be sent tagged. That can break some things (for example APs) which might work during boot but the loaded

Re: [j-nsp] VLAN's on EX4300 with 13.2X50-D15.3

2014-02-19 Thread Aaron Dewell
I don't know if I'd call them issues. Just ELS introduces different configuration hierarchies that is the way things will be in the future. The functionality is still there even if the config bits change some. The main advantage of the 4300 vs. 4200 is 4x10G uplinks instead of 2, and 40G

Re: [j-nsp] VLAN's on EX4300 with 13.2X50-D15.3

2014-02-18 Thread Aaron Dewell
It's a name change. vlan is now irb. It depends on platform, but the newer ones use irb instead of vlan. So it doesn't work with vlan.103 because the vlan interface physically does not exist. But you can configure nonexistent interfaces in JunOS. On Feb 18, 2014, at 9:44 PM, Janusz Wełna

Re: [j-nsp] OSPF neig / SRX cluster / LACP

2014-01-15 Thread Aaron Dewell
Depending on how you have your redundancy groups set up, only the active links will be active at any given time. That means that the mxs won't see two links active, they will see one each. So you should have two adjacencies on the srx and one on each mx in this scenario. Lacp would only be

Re: [j-nsp] OSPF neig / SRX cluster / LACP

2014-01-15 Thread Aaron Dewell
reth interfaces are for failover not for bundle. You can use two LAGs within a reth interface (multiple interface on a single node in a LAG) but not across both. It's up (probably) because you aren't running LACP. If you turn on LACP, then various links will be down. I'm going to guess

Re: [j-nsp] Juniper MX5 Advice

2013-11-25 Thread Aaron Dewell
That's a pretty normal configuration so I wouldn't expect any issues. Load balancing over both connections is another story entirely and doesn't matter the exact platform. You can find a large volume of books/websites/opinions on BGP load balancing out there. It's not exactly a trivial

Re: [j-nsp] community set vs community add

2013-10-31 Thread Aaron Dewell
Depends if there are other communities attached besides vpls-z. The first example would retain all of those. If that's the only community on the route, then, in that case, they are the same. On Oct 31, 2013, at 1:53 PM, Mihai wrote: Aren't these 2 policies the same thing?

[j-nsp] Static NAT and VPN tunnels

2013-07-24 Thread Aaron Dewell
the Internet zone, so I'm betting the flows wouldn't match. It also seems like an extreme hack. Removing the static NAT would be awesome, but there are unknown things using it, so it's not so easy as that. Anyone have other suggestions? Thanks! Aaron

Re: [j-nsp] BGP Multipath

2013-07-23 Thread Aaron Dewell
It depends how careful you want to be about it. Multipath and adding the peer as you've described will get you half traffic on each immediately which is fine assuming the circuit is good, etc. If it were me, I'd probably bring up the new one with a different policy (same group, policy under the

Re: [j-nsp] j2320 auto power-on

2013-07-10 Thread Aaron Dewell
Mine do it automatically. I've never set anything to make them do that. On Jul 10, 2013, at 9:08 AM, Mark Felder wrote: Is there some way to make a j2320 auto power on when power is restored? I can't seem to successfully find this on Google

Re: [j-nsp] Can I do dumb Q-in-Q switching on Juniper MX?

2013-07-01 Thread Aaron Dewell
the same CVLAN id. However, if you use a single SVLAN per customer, then there's no issue. I'd say it's easier to do this using CCC but YMMV. Aaron On Jul 1, 2013, at 4:11 AM, Sebastian Wiesinger wrote: Hello, I need to do a sort of dumb Q-in-Q on a MX box. What I want from the MX is: Take

Re: [j-nsp] 3G/4G on SRX

2013-05-02 Thread Aaron Dewell
. Note that neither of those experiences are with prepaid or m2m. I imagine it would be the same until you ran out of credit. Aaron On May 1, 2013 10:33 PM, Jeff Rooney jtroo...@nexdlevel.com wrote: Does anyone have any experience using a prepaid or month to month 3G/4G connection on a branch SRX

Re: [j-nsp] SRX - Static Routing Out Same Interface

2013-05-02 Thread Aaron Dewell
That seems like it should work. Note that you'd need a policy in place from/to the same zone to allow this traffic. Even intrazone traffic is denied by default on an srx. I suspect that might be the issue here. On May 1, 2013 8:49 AM, Bruce Buchanan bbuch...@nexicomgroup.net wrote: Hi List

Re: [j-nsp] Inserting security policies on SRX

2013-05-02 Thread Aaron Dewell
Insert doesn't create it, it re-orders existing policies. IMHO it's confusingly named. So you create the policy using set (which puts it at the end) then you use insert to re-order it in the position you want. On May 1, 2013 8:32 AM, James S. Smith jsm...@windmobile.ca wrote: I have an SRX240

Re: [j-nsp] srx240 VPN Question

2013-05-01 Thread Aaron Dewell
-identity command is not there in earlier versions. Aaron On May 11, 2011, at 8:53 AM, Pappas, AJ wrote: I have a srx240. I have someone who has a vpn with us who wants to change from a static IP address on an ipsec tunnel to a FQDN. Is there any documentation on how to do

Re: [j-nsp] ike túnnel termination on 5800s

2013-04-03 Thread Aaron Dewell
physical outbound interface (or reth). Aaron On Apr 3, 2013, at 2:12 PM, OBrien, Will wrote: Hey guys, I'm building a new cluster of SRX 5800s and prepping to move several VPN tunnels to it. All of them are ike/ipsec. I built a test site on a SRX210 and configured a tunnel between it and my

Re: [j-nsp] Clustering J-series across a switch

2013-04-02 Thread Aaron Dewell
IIRC, it's possible but not recommended due to the reliability issue of the switch in between. In your situation, I'd probably give it a shot. Definitely use different VLANs for control and fabric. Aaron On Apr 2, 2013, at 10:47 AM, Mike Williams wrote: Hey all, So I've been reading

Re: [j-nsp] Help needed with IPSEC VPN on J-Series

2013-03-20 Thread Aaron Dewell
You'll also need a policy which allows traffic from trust to trust, i.e.: set security policies from-zone trust to-zone trust match source-address any set security policies from-zone trust to-zone trust match destination-address any set security policies from-zone trust to-zone trust match

[j-nsp] SRX with CX111 int to vlan

2013-03-12 Thread Aaron Dewell
, that's why. Anyway, you get the idea. vlan.3900 will be in a zone, but my immediate concern is no longer getting a DHCP address from the CX111 (this time on vlan.10 instead of ge-0/0/0.0). Does anyone see anything quick that I did wrong here? Thanks! Aaron

Re: [j-nsp] SRX with CX111 int to vlan

2013-03-12 Thread Aaron Dewell
On Mar 12, 2013, at 7:44 PM, Aaron Dewell wrote: Quick question for you all (I'm sure I'm doing something dumb here). I had this working config: […] That was working. Now I want to be able to get to the CX111's management VLAN, so I changed it to this: […] And yes, I just

Re: [j-nsp] SRX upgrade procedure -ready for enterprise?

2013-03-08 Thread Aaron Dewell
Not that I've had to do it - but I'd probably break the cluster to do the upgrade and run on one during the procedure. On Mar 8, 2013, at 10:50 AM, Andy Litzinger wrote: We're evaluating SRX clusters as replacements for our aging ASAs FO pairs in various places in our network including the

Re: [j-nsp] SRX upgrade procedure -ready for enterprise?

2013-03-08 Thread Aaron Dewell
I tried ISSU twice, both times on 3 MX routers during a single maintenance window, going from 10.x to 11.x. It failed spectacularly on the second router, requiring manual recovery via the console (mastership was not assumed by the backup before the primary rebooted), so I completely gave up

[j-nsp] VirtualBox arp problem

2013-02-11 Thread Aaron Dewell
ping. I have assigned IP addresses to all devices temporarily to facilitate testing, the ultimate goal is L2 across to the VMs. The problem appears to be ARP replies not reaching the VM. If anyone has any ideas, I'd definitely appreciate it! Thanks! Aaron IP addresses are: Cluster

Re: [j-nsp] Weird ARP issue

2013-01-30 Thread Aaron Dewell
Sounds like a Xen bridge issue, but I have no definitive experience or reason other than that's the only thing in the path which might block it. Strange that it would pass an arp for a ping but not for SSH. Should be the same arp off the switch either way. On Jan 30, 2013, at 5:41 PM, Luca

Re: [j-nsp] Splitting Dot1q VLAN across Logical Systems

2013-01-24 Thread Aaron Dewell
Not true. Logical interfaces are allocated to logical systems, not physical interfaces. No problem with what you're doing. On Jan 24, 2013 4:28 AM, Skeeve Stevens skeeve+juniper...@eintellego.net wrote: Hey all, I want to build this scenario. 2 * MX80, with a trunk between then. On the

Re: [j-nsp] SRX and not working VRRP

2013-01-08 Thread Aaron Dewell
is that the protocol has to be enabled in the zone/interface. Aaron On Jan 8, 2013, at 5:16 PM, Robert Hass wrote: On Wed, Jan 9, 2013 at 12:40 AM, Chuck Anderson c...@wpi.edu wrote: set vrrp-group 0 accept-data Thanks a lot !. It helped. I used VRRP earlier on MX where this is not necessary to make VRRP

[j-nsp] SRX-SRX IPSec multipoint with dynamic endpoints fails with new IP

2012-12-17 Thread Aaron Dewell
a difference. Thanks for any insight! Aaron ike { policy remotes { mode aggressive; proposal-set standard; pre-shared-key ascii-text bla; } gateway SITEX { ike-policy remotes; dynamic inet WAN-SITEX-IP; local-identity inet WAN-LOCAL-IP

Re: [j-nsp] DHCP interface as next hop

2012-11-29 Thread Aaron Dewell
On Nov 29, 2012, at 12:53 AM, Tore Anderson wrote: * Aaron Dewell I haven't found an answer to this question (except for Cisco options which doesn't help me). I want to configure a static route to a DHCP interface on an SRX240. Here's the scenario: ge-0/0/0 connected to CX111 (4G modem

[j-nsp] DHCP interface as next hop

2012-11-28 Thread Aaron Dewell
because it's not a point to point interface. I cannot set an IP address as the next-hop because I don't know when it will change. Any ideas on how to address that? Thanks! Aaron

[j-nsp] OSPF next hop

2012-07-24 Thread Aaron Dewell
look the same (except R8 which is it's buddy and directly connected). Any ideas on what else to look at? The OSPF database looks reasonable. Our other shared segments act normal. All routers are on 11.4R2. Thanks! Aaron

Re: [j-nsp] OSPF next hop

2012-07-24 Thread Aaron Dewell
On Jul 24, 2012, at 4:56 AM, Wayne Tucker wrote: On Mon, Jul 23, 2012 at 11:02 PM, Aaron Dewell aaron.dew...@gmail.com wrote: I ran into an odd behavior here tonight, I'm hoping someone has some ideas. We have 8 routers on a broadcast OSPF segment. All are advertising their loopback

Re: [j-nsp] OSPF next hop

2012-07-24 Thread Aaron Dewell
On Jul 24, 2012, at 2:04 PM, Wayne Tucker wrote: On Tue, Jul 24, 2012 at 12:36 PM, Aaron Dewell aaron.dew...@gmail.com wrote: Yes, Type Transit (2). However, the Network LSA only includes 3 attached routers (should be 6 currently). There are two Network LSAs in R7. One has the interface

[j-nsp] Split VRF traffic

2012-07-02 Thread Aaron Dewell
define static routes for this and move on, but the challenge that I've not come up with an answer for yet is that the routes to be split are within the VRF, yet the next-hop is in inet.0. Any ideas? Thanks for your input! Aaron

[j-nsp] Branch SRX and satellite

2012-05-28 Thread Aaron Dewell
thing to be the problem. Has anyone had any issues with an SRX connected to a satellite modem before? Any suggestions would be greatly appreciated! Thanks! Aaron

Re: [j-nsp] Branch SRX and satellite

2012-05-28 Thread Aaron Dewell
table and forwarding table, so I assume that means that (eventually) the DHCP transaction is complete. Just no pings or anything after that. Aaron On May 28, 2012, at 4:49 PM, Tim Eberhard wrote: What you're most likely running into is the DHCP ttl limitation. While it's not often

Re: [j-nsp] problems with srx240

2012-05-04 Thread Aaron Dewell
I have observed this on both an srx240 and srx210h. Jtac advised turning off utm and idp (on 210), yet those were enabled before with no issues. The 240 was fresh out of the box getting initial config (IP, Nat, zones, policies, I.e. nothing amazing). I'll be waiting to see the answers too! On May

Re: [j-nsp] VPLS Frustrations (Juniper - Cisco)

2012-03-27 Thread Aaron Dewell
might solve the problem as well. CCC is the old-school Juniper way of doing this pre-l2circuit/l2vpn/vpls. Aaron On Mar 27, 2012, at 8:57 AM, Humair Ali wrote: Hi Ben not sure if you raised it before, but if you are looking at QinQ, and point-to-point is a viable solution, you should

Re: [j-nsp] ISIS Authentication Problems

2012-03-07 Thread Aaron Dewell
Have you tried knobs such as: loose-authentication-check level X no-csnp-authentication level X no-psnp-authentication The second two sound like what you might be looking for. I have no CRS thus no further ideas... Aaron On Mar 7, 2012, at 7:53 PM, John Neiberger wrote: I'm pretty new

Re: [j-nsp] Ex Series VC with *both* high-speed backbone *and* link-aggregation

2012-01-03 Thread Aaron Dewell
I haven't tried it, but all the docs I read on it suggested that configured VC ports acted as more ports, not replacements. On our EXs, the normal VC ports are still available even though we use two 10g for VC. However, we aren't using them so i can't confirm... But pretty sure it should work. On

Re: [j-nsp] How does multihop eBGP work?

2011-06-24 Thread Aaron Dewell
Sure. Everything is actually routed hop-by-hop. As you've observed, that's a serious obstacle to multihop eBGP. Most uses I've seen involve crossing a non-BGP router to a customer, and redistributing whatever the customer advertises into their IGP. Klunky for sure, but it does work. Aaron

[j-nsp] M7i/M10i - 8.5R4.3 - cfeb RDP: Keepalive timeout for rdp.(scb:39937)

2009-10-09 Thread Gibson, Aaron F
We have been losing CFEBs like a plague all with the above error (or similar) in the logs. No one at Juniper seems to know what RDP is (nearly 30 JTAC tickets opened in the last few months) does anyone on this list have any insight? Aaron

Re: [j-nsp] M7i/M10i - 8.5R4.3 - cfeb RDP: Keepalive timeout for rdp.(scb:39937)

2009-10-09 Thread Gibson, Aaron F
Nilesh- Per subject line the FEB/CFEB failures have been predominantly on 8.5R4.3. Thank you for the below information. I will forward this on to our NOC and have them begin uploading that data to the currently open cases. Thanks Aaron -Original Message- From: Nilesh Khambal
