set firewall family inet filter Access term AllowSSH from address X.X.X.X/16
If X.X.X.X/16 includes any interface address of this router, then this
filter is NOT going to stop attacks, no matter where applied.
You should be much more specific in writing the match conditions. Below
is an
addresses outside the
filter on mine.
Thanks.
On Thu, Feb 27, 2014 at 7:44 AM, Alex Arseniev
arsen...@btinternet.com wrote:
set firewall family inet filter Access term AllowSSH from address
X.X.X.X/16
If X.X.X.X/16 includes any interface address
Duplicate IP on this shared segment?
Just my guess...
HTH
Thanks
Alex
On 04/02/2014 14:38, Eric Van Tol wrote:
Hi all,
Two sets of routers in my network keep logging the following message:
rpd[1559]: RPD_RSVP_NBRDOWN: RSVP neighbor x.x.x.x down on interface ae0.1
nbr-type Direct, neighbor seq
You are monitoring ToS in ICMP ECHO REPLY, not request.
And that can be set/overridden anywhere by QoS policies, i.e.
- on Google DNS server 8.8.8.8 itself
- on any transit network
HTH
Thanks
Alex
On 22/01/2014 14:21, Arash Alizadeh wrote:
Hi,
I'm experiencing issues when initiating ToS ping
You should be able to do negative match on interface-group:
1/ mark all other interfaces with interface-group:
set interfaces xe-0/0/0.0 family inet filter group 100
2/ match on interface-group-except in lo0.0 FW filter
set firewall family inet filter RE-PROTECT term 1 from
.
I'll pull some info and post it back, maybe someone sees something I
don't.
Scott H.
On 12/17/13, 12:27 PM, Alex Arseniev wrote:
For the traffic to be encrypted, the BGP nexthop has to point into
the tunnel which means one of the below:
1/ BGP has to run inside the tunnel, or
2/ You have
anyone have any experience running BGP like
this on the m-series or does it just not work on next-hop-style?
Thanks,
-SH
On 11/12/13, 1:34 PM, Scott Harvanek wrote:
Yep excellent, I'll give it a whirl, thanks!
Scott H.
On 11/12/13, 1:24 PM, Alex Arseniev wrote:
So, if I understand Your
Yes
[edit]
aarseniev@m120# set services service-set SS1 ipsec-vpn-options
local-gateway ?
Possible completions:
address               Local gateway address
routing-instance Name of routing instance that hosts local
gateway = CHECK THIS OUT!!!
aarseniev@m120 show version
... the local gw in my case
is in the default instance and I want the service interface in another
so unless I'm mistaken it's in default by default and this fails?
Scott H.
On 11/12/13, 11:22 AM, Alex Arseniev wrote:
Yes
[edit]
aarseniev@m120# set services service-set SS1 ipsec-vpn-options
local
Hello,
Multiple routing-instances with next-table statics is a supported SRX
configuration, see
http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/nat-security-mutiple-isp-configuring.html
You can shortcut packets between RI with lt-* interfaces as well, but
lt-* interfaces are
routing instance-type virtual-switch (VS) + bridge-domain (BD) inside
that VS.
One limitation is that You cannot do VLAN manipulation in the middle
between l2circuit and BD whereas You can on a physical cable loop.
HTH
Thanks
Alex
On 14/10/2013 19:31, Michail Litvak wrote:
Hello,
I have
- Original Message -
From: Saku Ytti s...@ytti.fi
To: juniper-nsp@puck.nether.net
Everything works just fine. Only I find it really strange B-END cannot
push
arbitrary S-VLAN, considering A-END is going to change it anyhow. If it's
not
101, A-END will be down with 'vlan-mismatch'.
- Original Message -
From: david@orange.com
To: dim0sal dim0...@hotmail.com
Cc: juniper-nsp@puck.nether.net
Sent: Tuesday, July 16, 2013 8:49 PM
Subject: Re: [j-nsp] R: RE : multicast issue
If you can't start/stop manually mcast streams you will never have stable
counters and
Haven't You checked the manual?
http://www.juniper.net/techpubs/en_US/junos12.1/information-products/topic-collections/syslog-messages/jd0e61552.html#WEBFILTER_URL_PERMITTED
The checks can be embedded into if/for-each constructs, see example here
https://code.google.com/p/junoscriptorium/source/browse/trunk/library/public/op/display/op-show-lsp-interface/op-show-lsp-interface.slax
if ($ifdescrdb/logical-interface[name == $if]/description) {
The above
To export a summarized route, having at least 1 more-specific contributing
route is necessary and sufficient.
I.e. if You have 10.10.10.1/32 as Type-1 in OSPF area X, then creating a
Type-3 summary (to announce from area X to any other area including 0) is
easy:
set routing-instances RIX
- Original Message -
From: Phil Mayers p.may...@imperial.ac.uk
To: Wood, Peter (ISS) p.w...@lancaster.ac.uk
Cc: juniper-nsp@puck.nether.net
Sent: Friday, May 24, 2013 12:02 PM
Subject: Re: [j-nsp] SRX 3600 dropped packets - how to debug?
At the moment, the SRX is sitting in front
gARP is not reliable and Your NE devices' ARP cache still contains old MAC
from old default GW.
You have to revisit them one by one and clear their arp caches, or change
IRB MAC to that of old default GW' MAC.
HTH
Thanks
Alex
- Original Message -
From: Jason Fortier
Works fine for me in the lab on MX80+JUNOS 12.3 ( I use BGP-LU though, too
busy to change to regular inet unicast:-)
[edit logical-systems MX2-RR]
aarseniev@mx80# run show route logical-system MX2-RR protocol bgp extensive
inet.0: 29 destinations, 30 routes (27 active, 0 holddown, 2 hidden)
From: Saku Ytti s...@ytti.fi
And no, you would not use this FXP0 for SNMP or Netflow or whatnot.
--
++ytti
And why is that may I ask? Care to elaborate?
Just curious - maybe You don't know how to cook it properly :-)
I personally set up SNMPv1/v2/v3 over fxp0 enough times, including SNMPv3
From: Saku Ytti s...@ytti.fi
There is nothing stopping vendors from implementing netflow and SNMP in
HW,
allowing instant refresh of octet counters.
SNMPv3 would require encryption capabilities in HW making Your idea (a)
potentially too expensive and (b) prone to export restrictions==must
From: Saku Ytti s...@ytti.fi
To: juniper-nsp@puck.nether.net
Sent: Thursday, April 25, 2013 4:34 PM
HW port can easily go through RE if needed.
Unless there is single ASIC in the box, that would be statistical
multiplexing.
Unless You wish to maintain full potential perf.gain from
- Original Message -
From: Saku Ytti s...@ytti.fi
To: juniper-nsp@puck.nether.net
Yes it's not fate-sharing forwarding-plane, but it's fate-sharing the
whole
control-plane.
No, it is not.
fxp0 is fully functional on backup RE (including Telnet/SSH/SNMP) - and
backup RE by default
- Original Message -
From: Pavel Lunin plu...@senetsy.ru
To: juniper-nsp@puck.nether.net
Sent: Thursday, April 25, 2013 5:48 PM
Subject: Re: [j-nsp] SNMP on logical-system fxp0
25.04.2013 19:04, Alex Arseniev wrote:
Netflow does NOT require encryption as standard (SNMPv3 does
- Original Message -
From: Pavel Lunin
To: Alex Arseniev
Cc: juniper-nsp
Sent: Thursday, April 25, 2013 9:56 PM
Subject: Re: [j-nsp] SNMP on logical-system fxp0
In a big enough network — anything. Broken NMS (it turns out to happen more
often than I could think
Use TCP Optimizer to increase WSCALE/RWIN on Windows hosts to achieve better
TCP perf
http://www.speedguide.net/downloads.php
Thanks
Alex
- Original Message -
From: Saku Ytti s...@ytti.fi
To: juniper-nsp@puck.nether.net
Sent: Monday, April 08, 2013 8:13 AM
Subject: Re: [j-nsp] Speed
This part won't work:
execute-commands {
commands {
set interface ge-0/0/3 disable;
commit;
Same holds true for delete interface disable.
You will need a commit script.
HTH
Thanks
Alex
- Original Message -
From: Luca Salvatore
The OP has already tried it with the event-script but did not tell us :-)
http://forums.juniper.net/t5/Junos-Automation-Scripting/disable-interface-slax-script-not-running-not-configured/td-p/183237
I provided him with final hints and he should be able to use the script as
published - or maybe
2 things:
1/ add family ccc under ge-1/2/0.2
2/ add encapsulation ethernet under l2circuit neighbor config.
Default encaps when You use tagged units is ethernet-vlan and with
ethernet-vlan the L2circuit actually checks if VLAN ids are same on both
ends. With encapsulation ethernet this check is
If you don't need to run STP on these VLANs, why not use
QinQ/dot1q-tunneling?
http://kb.juniper.net/InfoCenter/index?page=content&id=KB21686&actp=RSS
Saves you
Thanks
Alex
- Original Message -
From: Luca Salvatore l...@ninefold.com
To: juniper-nsp@puck.nether.net
Sent: Sunday, March
ACX would do better, it uses same JUNOS build (for PowerPC) as MX80.
Thanks
Alex
- Original Message -
From: Morgan McLean wrx...@gmail.com
To: juniper-nsp@puck.nether.net
Sent: Friday, March 01, 2013 11:12 PM
Subject: [j-nsp] Lab gear to mimic MX80?
Hey everyone,
I'd like to pick
Looks like R2 has 2 equal-cost Ext routes, both with metric-type 2.
What happens if you redistribute on SW1 with metric-type 1?
Also, what do your link metrics look like? Are they BW-related or just 1 for
any link (LAG or single 1/10GE)?
Lastly, what happens if R1 has no-nssa-abr configured?
http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-41894.html
set security flow tcp-mss ipsec-vpn mss 1300
- should fix it.
Thanks
Alex
- Original Message -
From: Muhammad Atif Jauhar atif.jau...@gmail.com
To:
Probably not what you want to hear at the moment but it is working as
designed.
There is nothing in BGP RFCs which mandate that BGP-LU _must_ consult
LDP/RSVP/LFIB etc before announcing routes.
To force BGP-LU to consult LDP/RSVP and automatically advertise/withdraw
routes matching LSP
You can disable this process if you so desire:
aarseniev@dale show chassis hardware
Hardware inventory:
Item Version Part number Serial number Description
Chassis SRX210h-p-m
Routing Engine REV 30 750-024364
Jinstall validates both current _AND_ rescue config.
Check if you have rescue config set and if yes then overwrite it with
current config
request system config rescue save
HTH
Thanks
Alex
- Original Message -
From: Ali Sumsam ali+juniper...@eintellego.net
To:
Jinstall validates both current _AND_ rescue config.
Check if you have rescue config set and if yes then overwrite it with
current config
request system config rescue save
HTH
Thanks
Alex
- Original Message -
From: Ali Sumsam ali+juniper...@eintellego.net
To:
- Original Message -
From: sth...@nethelp.no
I can understand the choice of not including this functionality. Juniper
can avoid the well-known problem of pointing a default route at an
Ethernet interface, leading to an ARP for every new/unknown destination.
There is a recent post
You should have remote loopbacks also redistributed into LDP (if your
transport label is from LDP).
In JUNOS, this does not happen by default, you must have LDP egress-policy
for this to occur. By default, LDP announces only primary lo0.0 IP@.
Absent this, your L2circuits would show OL error
This is not enough.
You must have LDP egress-policy and include these loopbacks there too
https://www.juniper.net/techpubs/software/junos/junos93/swconfig-mpls-apps/configuring-the-ldp-egress-policy.html
HTH
Thanks
Alex
- Original Message -
From: Peter Nyamukusa
To: Alex Arseniev
Well, that's fairly straightforward - either (1) VRRP on master [J] stopped
sending or (2) CSCO switches stopped forwarding VRRP hellos, or (3) backup
[J] drops incoming VRRP hellos.
You can verify (1) by using monitor traffic interface blah no-resolve
size .
(2) could be verified with
You can limit flows per individual source IP (not NAT ports) using UTM
https://www.juniper.net/techpubs/en_US/junos12.1/topics/reference/configuration-statement/security-edit-limit.html
You'll need a UTM license.
And if you are doing NAT on branch SRX, UTM is supported only on high-memory
branch
The service-filter directs matching packets to a particular service-set.
So in a sense, service-filter is executed first because match happens on
ingress interface, and service-set execution happens inside AS|MS-PIC|DPC
when matching packets have entered the ingress interface+crossed the
Have you tried PM instances?
- Original Message -
From: Paul Vlaar p...@vlaar.net
To: Alex Arseniev alex.arsen...@gmail.com
Cc: juniper-nsp@puck.nether.net
Sent: Friday, October 19, 2012 9:49 AM
Subject: Re: [j-nsp] port mirror to multiple ports on MX80 in inet6
Alex,
On 19/10/12 7
Multicast loop/L2 loop in the network?
- Original Message -
From: Saba Sumsam saba+j...@eintellego.net
To: juniper-nsp@puck.nether.net
Sent: Thursday, October 18, 2012 5:18 AM
Subject: [j-nsp] SRX sending thousands of VRRP packets per second
Hi,
We have two SRX 100s configured for
You could do cascaded PM. In a nutshell:
1/ port-mirror original packet, send the original packet on its way
2/ send the COPY into a loop (cable loop or looped tunnel)
3/ take the looped COPY and mirror it once again, creating 2nd copy.
4/ send 1st copy and 2nd copy on their respective ways.
HTH
Hello there,
forwarding-options helpers bootp is not DHCP relay, it is a different
feature although they both use same socket.
To insert option 82, you need forwarding-option dhcp-relay feature which
requires a license.
BOOTP helper and dhcp-relay|dhcp-local-server cannot be configured together
What JUNOS version and linecard HW?
interface-mode trunk is supported on Trio starting from 11.1.
Thanks
Alex
- Original Message -
From: Mohammad Khalil eng.m...@gmail.com
To: juniper-nsp@puck.nether.net
Sent: Thursday, July 19, 2012 6:48 AM
Subject: [j-nsp] Fwd: mx480 to mx240 port
Hello there,
This might help
http://www.juniper.net/techpubs/en_US/junos12.1/topics/concept/source-class-usage-guidelines-solution.html
quote
A source or destination class is applied to a packet only once during the
routing table lookup. When a network prefix matches a class-usage policy,
SCU
CGN used to be known/also known as Large Scale NAT (LSN)
Compare this http://tools.ietf.org/html/draft-nishitani-cgn-01
and this http://tools.ietf.org/html/draft-ietf-behave-lsn-requirements-05
Same IETF draft, different versions.
- Original Message -
From: Xu Hu
v5: either RE-based or Service PIC|MSDPC-based
v8: either RE-based or Service PIC|MSDPC-based
v9: only Service PIC|MSDPC-based.
I repeat: v9 is _only_ Service PIC|MSDPC-based. No chance of v9 flow
sampling/exporting on Routing Engine.
HTH
Rgds
Alex
- Original Message -
From: Arun
show services accounting flow-detail
http://www.juniper.net/techpubs/en_US/junos11.4/topics/reference/command-summary/show-services-accounting-flow-detail.html
Please read carefully, especially the caveats.
HTH
Alex
- Original Message -
From: Michael Smith mksm...@mac.com
To:
You don't have to do that with lo0 interface routes in JUNOS.
Configure lo0.nonzero-unit-number with same IP, put it in Salt RI and it
will work.
HTH
Rgds
Alex
- Original Message -
From: Alexander Shikoff minot...@crete.org.ua
To: juniper-nsp@puck.nether.net
Sent: Sunday, March 25,
Did you check what MACs are used in 1st, 2nd and 3rd time? Specifically MAC
OUIs.
I suspect this is a side effect of having C-J in the same broadcast domain.
Basically, when J-interface ARPs for a connected host, _AND_ if C has a
specific route to that host/32, the C will answer with own MAC.
I
My understanding is that GRE fragmentation should occur if egress interface
MTU is GRE pkt size.
For GRE reassembly, you need IDP policy, this means high memory SRX model.
IDP license is not needed.
Rgds
Alex
- Original Message -
From: Lukasz Martyniak lmartyn...@man.szczecin.pl
To:
PPTP ALG is supported from JUNOS 11.2R1
GRE is not supported with nat source dynamic
HTH
Rgds
Alex
- Original Message -
From: Jo Rhett jrh...@netconsonance.com
To: juniper-nsp@puck.nether.net
Sent: Tuesday, January 17, 2012 3:19 AM
Subject: [j-nsp] PPTP VPN through NAT on M10i
I've
Answer 1:
edit
set system processes multicast-snooping disable
commit
HTH
Rgds
Alex
- Original Message -
From: pkc mls pkc_...@yahoo.fr
To: juniper-nsp@puck.nether.net
Sent: Thursday, December 22, 2011 8:27 AM
Subject: [j-nsp] Junos EX - mcsnoopd high cpu
Hi all,
I have an issue
Active Backbone Detection
http://www.juniper.net/techpubs/en_US/junos9.6/information-products/topic-collections/config-guide-routing/routing-configuring-ospf-areas.html
Active backbone detection enables transit through an area border router with
no active backbone connection.
HTH
Rgds
Alex
Florian,
Perhaps a silly question - are these interfaces on the same router?
If yes what you are trying to accomplish is possible with unnumbered
Ethernet interfaces and forwarding-table-filter to prevent hosts talking to
each other.
Start here