Hi all,
Does anyone know what letter 'E' means in DPC codes? Is there any
technical difference between DPCE-R-2XGE-XFP and DPC-R-4XGE-XFP other
than just number of ports?
--
Kind regards,
Pavel
___
juniper-nsp mailing list
it doesn't mean it's how many
bytes you can transfer in addition to the the bandwidth (at least because
there is no definition of the period of time). Burst-size is not a speed of
transmission, but a size of data burst that can be transmitted with no
dropping.
--
Kind regards,
Pavel Lunin,
Senetsy
P. S.
BS is needed because dealing with policing (not shaping), the router has no
buffer where to put a packet in for awaiting. It is also not able to drop a
part of a packet -- either transmit or drop a whole one. Well, imagine a
situation when you need to transmit just one packet per hour, but
Hi Jason,
Unfortunately the information you provided is not really helpful :)
All the cases with unexpected packet dropping are usually tied with
wrong policy, zones or routing.
So you should consider those things as well as provide them here to be
more informative.
But I believe, instead
Hi,
I didn't checked myself whether Juniper realized port-range feature (I have
no access to the lab due to the weekend came up) , but I remember they
promised to do so in 'future release' some half a year ago. So if they
didn't yet it might be a conscious move, though hard to guess why.
But
2009/9/24 Chris Kawchuk juniperd...@gmail.com
Yep. 30 ACL's with no issues (assuming straightforward things). Full BGP
Tables, OSPF area 0.0.0.0 inside, QoS, IPSEC.
I'd warn you guys of running peers with full BGP on J series with 1 Gig of
RAM. It was not a problem till 9.4. But since 9.4
Hi 陈江,
You're right, this should be almost always done if you run several external
peers with fullview, but this code only switches the box into router
context. It doesn't make fwdd to free the memory. The router I used to show
the fwdd memory consumption is also given this piece of config.
I
input.
Based on factsheets the J series outperform BGP capabilities of the SRX
series. The only out that outperform in SRX is the 650 which looks like a
real good deal (thanks for pointing it out to me!).
Nice weekend.
- Gregory
2009/9/26 Pavel Lunin plu...@senetsy.ru
I'd warn you guys
Hi Paul,
L3 switching is done in hardware (EX-PFE) so it is said to be wire-rate as
well as L2. Firewall filters are also hardware based so they don't degrade
performance in some reasonable amount (several thousand filter terms, I
guess).
However you should consider the FIB constrains for
Hi experts,
Does anyone have any real world experience with J-series running a few
hundred policiers? I mean few hundred 1-per-IFL policier instances, not
a few hundred policier stanzas in config.
All the documentation I was able to find, says J-series supports up to
50 policiers per box.
Hi Ibariouen,
Enough in this case can mean different things. Enough for what?
Usually not enough means that each external IP ‘generate’ too many
simultaneous and new (per second) sessions. This can trigger an attack
defence mechanisms on popular sites, etc.
But ‘too many’ is also quite not
2010/3/22 Richard A Steenbergen r...@e-gerbil.net
But what happens when you do:
interface xe-1/0/0 {
vlan-tagging;
unit 101 {
vlan-id 101;
family inet {
address 1.2.3.4/24;
}
}
}
interface xe-2/0/0 {
vlan-tagging;
unit 101 {
Hi Hoogen,
I think this is just another story.
SRX should have also had some more storage capacity to store IDP base and
all the same things as Richard wrote about. But session logging can cause
another problem — increased process switching or something like (if we talk
about Branch SRX),
Hi Richard,
My guess is that it is done to catch traffic destined to control plane.
I can not imagine a convincing enough example right now but I can tell I
bumped a few times into a situation when in case of an iface done, some sort
of a session to the router (no matter why it is no destined to
Hi experts,
Can anyone actually explain what for those /32 routes are intended at all?
Even if the iface is up. Ain't they to attract traffic addressed to control
plane?
My way of thinking is that they are alive at link down time for the same
reason as they exist when the link is up.
I haven't
Hi Eric,
SSG should be available for another couple of years. Juniper likes to say
ScreenOS's roadmap is full of things do be done till the end of the next
year.
However I wouldn't say SSG has so much better featureset.
In routing SRX is far far beyond. You can even have packet-mode instances
Hi,
Mainly I agree that ScreenOS is more predictable and less buggy than JUNOS
Voyager. Although I remember the times of 5.1-5.3 when loads of new features
were added and we ran into issues each new release. Specially when ISG had
just been released.
But from the features point of view, I really
2010/5/10 Scott T. Cameron routeh...@gmail.com
On Mon, May 10, 2010 at 3:25 AM, Pavel Lunin plu...@senetsy.ru wrote:
Moreover SRX3/5k is quite a different story. ScreenOS products anyway can
not compete against them.
Are you speaking from experience?
Yeah. All ScreenOS products have
Hi Fahad,
Chen gave a very good answer.
Though It also depends on which platform you talk of. E. g. SRX3400 could
not support more than 1M sessions until 10.0. Also some overall JUNOS things
were added in 10.0 like interface ranges.
There is a very good paper which answers your question, called
Hi Paul,
l also have two cases open with similar questions.
First it is nowhere written which fields are taken on EX to calculate the
hash for per flow. JTAC seems to not know though sent me very detailed
explanation of how per-flow balancing is done for LAGs. Seems like ECMP uses
the same
Hi all,
The issue is not that memory is being pre-allocated to the forwarding / flow
process.
This is expected and required to function.
The issue is that when things switched to flow support the memory usage went
*way* up, and
even when you convert to packet mode it is not reduced.
It
On 21.07.2010 22:34, Christopher E. Brown wrote:
That is exactly our use, up to a couple hundred megs of IP services on
one, a couple hundred of L3 MPLS on another, and L2-circuit/vpls on a third.
Alaska has many small remote locations. For larger areas, M and MX
platforms are better, and
On 22.07.2010 14:33, Alexandre Snarskii wrote:
we also bump into the requirements of cheap devices running everything
including L3VPN/VPLS for a few hundred megs. I would suggest to use
SRX240H in packet mode and don't even think about full BGP (they can't)
You can try the same trick as
Hi Heath,
I share your emotions, bloody capitalists are a burden to working-class
(joke). But the problem is that there are not so many exceptions. If you
know some, please let me know :)
Another problem is that customers are also not ideal. Many of them very
often want to run something
Example: you run routed metro (or datacenter) ethernet ring, with less
than 12k entries in FIB. One of your customers wants to turn BGP on his
link. There are lots of choices on how to do that:
[...]
But that is one of cases when having full-view in your edge switch RIB
and redistributed to
IIRC, it's quite possible to use closest MX-series router to mix
draft-kompella pseudowire from EX-series into VPLS domain (it was
discussed in this list not so long time ago).
Not sure about L3VPN though.
BTW. Kompella? Didn't you mean CCC? EX only support single label MPLS.
3. The issues raised below (I didn't realize this myself ) about sessions
destined to the router still being processed as flow mode, which can tear
down TCP sessions under certain circumstances.
Does anyone have a proof link for this? I've just checked a J series running
10.0R2 packet-mode
Hi Chris,
The entire SRX product line (branch and high-end) covers the performance
spectrum across M and MX series but were created specifically as
purpose-built security devices and therefore should be implemented as such.
Let me clarify the claim a little bit. The problem is that by the
Richard,
I agree with the idea that Juniper made a one-way decision and the customers
who used packet J series were cheated. At least they feel they are cheated.
And when Juniper announced packet JUNOS deprecation, it was obvious the
customers will feel cheated, despite the fact Juniper actually
I'm a firm believer of MPLS in the Access.
... yes, this is way off-topic now :-).
Mark, how about to open a new thread on this?
Actually, who is not a fan of MPLS access? But the question is how actually
to build it and will it be competitive. Lots of people here in Russia
(being fans
network design :) Upto 1Gbps performance (has anyone
tested how 300k prefixes in FIB affect forwarding
performance of J?) and things like this — you really
need it?
Route reflector.
Didn't you tested J4350/4350 or SRX650 with 2 Gigs of RAM and filters
which block full table from RIB-FIB
Florian,
We tried to enable MPLS (which is not really advertised as a way to
disable flow-based processing, BTW),
You are not right. It is well documented:
Although there has been no mention of constrained shortest paths or
back door routes I feel the thread is straying into rock ground ;-)
Exactly! Much more interesting than if you just vowed to be unfaithful
to Juniper with Cisco :)
___
juniper-nsp
So what to do?
1) Wait for Cisco with their ME 3600X and hope they cost less than half
an MX80, or hope that Juniper brings out an enhanced EX-4200?
Don't believe the latest is possible. IMHO EX needs just completely another
PFE in order to support 2-label operations.
2) Keep both a
I'm wondering if the EX-series external
RE might be viable as a standalone RR, since it would have to be priced
at least somewhat reasonably to serve in the function they're marketing
it for. The hardware specs are certainly not terrible.
There is another possible caveat. This thing most
Phil, thanks for your input. Very interesting.
There are vendors who are shipping boxes today with 24x1GE and 2x10GE
uplink, wire-rate, which
can do VPLS and P2P Ethernet/CES, but no L3VPN.
Doesn't this vendor ship another similar box which has 512k FIB and can also
do L3VPN? :)
One
10.0R1 has a bug in RTSP ALG causing fwdd dumping and all SPC restart. Fixed
in 10.0R2. I have not that much experience with large SRXs but what I say is
10.0R2 working quite stable in production for a couple of months quite
highly loaded.The config was rather straightforward though: src and dst
Would a SRX650 in packet mode work though? It's relatively attractive
price-wise and 7Gbps is certainly a good start. Tempting, at least if I
can somehow forget the scary stories about SRX on this mailing list.
7 Gbps is a number in marketeers' heads. 2.5Gigs actually for IMIX.
EX3200 is
I think the biggest problem with this approach, is the limit of 24K
MAC addresses across the entire VC. This is a problem we'll be running
into in the not so distant future - I don't know if CCCs are the right
(only?) solution to this.
Right. This scheme has quite appreciable scaling
Smaller ones as cheap access devices with or without (or even together
with) MPLS—maybe. Check the latest thread on J-series. Just couple of
days ago someone has given a good brief of how they use SRX100 in access
with MPLS.
Full BGP, wire-rate—just forget. You can do full BGP on SRX650
Hi Richard,
* Supposedly there is some capability to do local switching on the Trio
PFE, but I've been told that support is extremely limited, and even
doing something like configuring egress filters defeats the local
switching and forces everything through the fabric.
Sounds as
Thanks, Richard.
2010/8/29 Richard A Steenbergen r...@e-gerbil.net
* Each Trio PFE is composed of the following ASICs:
- MQ: Handles the packet memory, talks to the chassis fabric and the
WAN ports, handles port-based QoS, punts first part of the packet
to the LU chip for routing
://pk.linkedin.com/in/muhammadfahadkhan
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
--
Отправлено с моего мобильного устройства
Pavel Lunin
Senetsy,
Moscow
+7 495 983-05-90, ext. 109
http
Hi Guliano,
Yes, this is correct that EX3200/4200 do not support policers for outbound
direction. Not absolutely but almost sure this is a hardware limitation and
nobody is going to change this.
What you can do is either to reconfigure the architecture so that you will
use input policers (e. g.
Hi Bikash,
I addition to everything, you also have to keep in mind that SRX is a
stateful device and performs a reverse route lookup when establishing a new
session. Unfortunately you can't enable something like use the iface and
mac address from where the packet came for traffic in backward
Does anyone know if the switch ports on the SRX models (not the highend for
datacenter) have similar functionality to the EX switches when it comes to
integrating with Juniper's UAC product?
No, it doesn't.
2010/10/27 Tom Devries tom.devr...@rci.rogers.com
Indeed, the only issue I see with policy based vpn's is the number of vpn
policies required for the amount of networks that have to be encrypted. As
someone pointed out on another list, the C device should support null proxy
ids if you first
Richard,
I knew you should tried it :) Thank you.
More and more signs that there is no many implementations but a lot of
skepticism around it.
2010/10/28 Richard A Steenbergen r...@e-gerbil.net
On Wed, Oct 27, 2010 at 11:25:27PM +0400, Pavel Lunin wrote:
Hi,
Anyone here uses dynamic-db
Hi Giuliano,
I haven't really tried such things myselft for ages but AFAIK it's not even
possible with IDP since at least skype goes into encrypted mode when it
detect itself blocked and simulates something https quite well. Please
correct me, if someone knows I'm not right. In this case some too
Hi all,
I am trying to establish a Martini tunnel through a core-facing MPLS
interface, which is placed into an instance (virtual router). Has anyone
tried this?
Everything (IGP, LDP, MPLS) is running in the instance but l2circuit is
configured in the master since there is no way to do so in an
I remember doing a single line in screenos unless my recollection is off.
On the Cisco ASA/PIX, it's a single line 'static (inside,outside)
' statement.
Is there an equivalently efficient method on the SRX?
Thank you in advance for any input.
Arp-proxy is needed to attract traffic
This is a pretty common error when you are bringing pre-configured devices
together in a chassis cluster.
+1
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-5/0/2
In case of SRX650 this should be ge-0/0/2 and ge-9/0/2
My question with that setup is: how many VRRP instances can I have on an
SRX?
VRRP does not scale well on any platform because of the protocol limitation
and due to CPU-intensive hellos. Max number of groups is 256. Although
theoretically this limit is a concern only in case of a single
On 09.03.2011 21:47, Stefan Fouant wrote:
What Ben is saying is that you it is simply not necessary to configure the
AE interface when doing this on a Clustered device. Basically, when you are
doing clustering, you simply add multiple ports from the same node to a RETH
interface and this
While testing the failover in SRX650 cluster. I have removed the control
link between the primary and secondary. The secondary node went to
ineligible mode. The secondry FW is still accessible through OoB
interface. When I returned back the control link I couldn't reach the FW
through OoB
2011/3/23 Chen Jiang iloveb...@gmail.com
It's a by design behavior. When control link or fabric link disconnected,
the current RG0 master node will remain in master status but the current
RG0 backup node will disable itself to avoid split-brain issue, Disable
means the node will offline all
No need to install in on M10i just because it has a 1-core 32-bit CPU and
less (much less :) than 4GB of RAM which you can address (the only advantage
of 64-bit JUNOS by now) with x64. So even if you'd managed to push it into
RE-850, it wouldn've given you anything.
2011/3/23 Martin T
Seems like filters+policers allows you to specify bandwidth-limit
and burst-size..
I.e. if you had a pool of 10 mbps.. you could carve it into individual
customer chunks at their... But no way to allow the customer to burst above
that bandwidth-limit to some specified higher BW, only
Each customer is on a separate non-overlapping subnet, but
NOT on a different VLAN generally.. So filtering at the subnet level is
easy.. does this change your response at all?
No, not too much. Even worse :) Though, if so, you can try to implement
this on EX using an
Hi all,
Anyone here uses policers on LAGs with member interfaces, bound to
different PFE? MX Trio in my case, but same for i-chip would also be
interesting.
There is some rumor that in such a case policer rate is individually
applied several times to each of the member interfaces meaning
PS: those observations were done on older M320 and I-chip based
MX-series. Do not have Trio-based devices, so may be I'm wrong here.
Still do not believe that intrachip communications were introduced
to aid exact policing anyway.
Thanks. Actually I figured out myself with help from the local
Is anyone running MS products through SRX firewalls? How are you getting
RPC to work? According to engineering, the ScreenOS ms-rpc-any isn't
included in JUNOS, although, I do see the ALG catching the info based
off of endpoint mapper sessions.
[….]
Supposedly, according to JTAC, there are
Me Hi, when this bgp neighbor flaps it sometimes doesn't syslog the
event correctly, and instead records garbage messages.
ATAC The bgp neighbor is flapping, that is why you are logging the
neighbor down, can I close this case?
Oh-yah! )
Are your sure it wasn an ATAC guy really, not
I am in process of procuring new hardware and I've got a question. If you
were to go for MX480 would you order it with MPCs or DPCs. Also if your
network were to have MX80s as well which are Trio based would that
influence
the decision on choosing either MPCs or DPCs for the MX480s?
I'd say
Ups. First accidentally unicasted this to RAS yesterday night. Sorry,
Richard.
Yep. Also discovered this just today, trying to download Junos to a remote
machine with links (another text-based browser :).
Was really surprised seeing the 180 megs tgz opened as text. But I was
surprised even more
2011/9/17 Chris Evans chrisccnpsp...@gmail.com
Juniper devices have out of band ethernet ports, but have the HUGE HUGE
downfall of being in the main routing table conflicting with every other
route.
BTW, can anyone give a good real-world example of a _routed_ OOB management
network usage?
As far as I understand the whole concept of OOB MGT IP interface
Sorry, really meant dedicated physical interfaces, of course.
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
I see two ways one can go about this. Either programmatically tunnel into
an OOB L2 segment via a bastion host in an on-demand fashion, or point
some routes (dynamically, or otherwise) into your internal network for
management use.
The risk of pointing routes into your internal network, IMO,
how about like management networks on ss7 deployments?
Not sure I correctly understand how the analogy from IP world should look
like. I can imagine a network of, say, access devices whether L2 or L3, for
which OOB mgt is really needed. But I don't know much people who use
dedicated mgt ports
Is it always necessary to take in a full table? Why or why not? In light
of the Saudi Telekom fiasco I'm curious what others thing. This question is
understandably subjective. We have datacenters with no more than three
upstreams. We would obviously have to have a few copies of the table
Indeed, when I check the session table on the SRX. I do get an entry for
the
BGP session, but it dissapears after only a few seconds. That seems wrong
to
me.
You mean a firewall session in show security flow session? If so, let me
express my doubts, an MTU related issue could make it close
Would it no be advisae to either teace it or a tcpdump from the OS you can
see what packets are being sent and received on the interface?
Generally yes, but. Though this doesn't seem to be the case for Jeroen since
he uses eBGP with direct interface address peering, you must keep in mind
that
Another example is LB. To make it smooth, LSR must get quite deep bits from
MPLS payload and process NH table accordingly.
In order to do things like facility protection or Option C Inter-AS VPN/VPLS
(sometimes it's not bad to stick it right to the core, say, in case of a
merge), LSR must be
I think decent core routers do this today. We've had good
luck load sharing MPLS traffic on LDP labels alone on
various Cisco and Juniper kit, provided the IGP cost is the
same.
This is where the number of labels comes into play. If we talk about LSR for
not that huge IPS (having not that
This is where the number of labels comes into play. If we
talk about LSR for not that huge IPS (having not that
much of core LSPs), I'm afraid, this can require to get
back to the old good conception of FEC per prefix :)
When we were small and using Cisco 7200's as BGP-free core
routers, we
While those links discuss how the box performs load sharing,
it isn't actually configurable at all,
This is exactly what I tried to point out when Richard proposed to use
Broadcom Trident+ as an LSR PFE. EX3200 uses, AFAIR, Marvell something,
but I don't believe Trident+ much differs in this.
I meant that in order to do LB on labels alone (to have
enough of hash-keys for micro-flows), you need a large
enough set of labels in the core and more or less
uniformly distributed traffic over these labels. If you
have, say, 10 PoPs and 90 core tunnels, it's very
probable that 20% of them
BTW, this is why I'm quite sceptically looking at the Juniper's
marketing of Express Chip simplicity and corresponded benefits. Lower
number of transistors in the crystal, greater MTBF, blah-blah.
Because of the mentioned features, which I don't really believe Juniper
could easily throw
Yes you need to look into the packet a little bit to hash well, but this
isn't a difficult operation either (compared to holding a full table and
doing longest prefix lookups at any rate).
As far as I understand, it's not really correct to compare difficulty of
these two operations, since
Since many of these devices have IPv6 routing capability (with a
limited FIB size) it is certain that they can look far enough into the
packet to see as many labels as any reasonable design will require.
I'm not sure this is a correct comparison. See my reply to RAS.
I share your skeptical
Hashing ALU's life is not a peace of cake either.
OMG. Piece :) I'll never get on with English spelling.
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
existing commodity chips which CAN do IP and some pretty deep hashing
already,
This is where my doubts start :) You've mentioned QFX — is there any
evidence they are much smarter in hashing than EX?
Personally my take is that PTX missed the mark as far as interesting
target customer size
TBH, I haven't checked the pricing but I'd expect Brocade MLX
MLX(e) is an edge device and is much like MX in most things. It's cheaper
but at a cost of some features lack and few caveats. Although it's a good
product, it's not a label-oriented LSR anyway.
Do you realize that the source and destination IP address, TCP ports,
MAC addresses, and so on, are all larger than 20 bits? If the thing
can figure out how to hash on those parameters, it could also figure
out how to hash on labels.
:) If it were so easy, the next thread on EX LB wouldn't
Robert, is there any non-production implementation of simple-va, which we
could play with?
The main concern here is, of course, whether a router will
be infinitely installing/withdrawing tons of FIB entries because of
'natural' prefix flaps, how much black-hole/loop this will create in
practice,
The router with simple-va functionality enabled will not install nor
withdraw even single additional route on top of what it would do when
simple-va feature is not enabled. So it is guaranteed to be no less then
today.
OK, OK, I've read the draft quite some time ago, and I also liked it :)
The removal of a large aggregate (say 4/8) and the subsequent required
addition of all of the subnets under 4/8 could certainly be
'interesting' to observe.
Interesting as well is that 4/8's origin doesn't have to be the flapper,
just your network (or an intermediate) changing attributes (or
BTW, (although it's an offtopic quite a bit) let me ask if there is anyone
here who ever deployed/mantined LDP VPLS + external BGP autodiscovery in
real life for more or less large-scale network? How was it? Any gotchas
worth to be aware of?
12.11.2011 6:47 пользователь David Ball
That is not true. The ports are configurable and usable. But you need a
license to be allowed to use them. The license is just paperwork and you
dont need to activate it somewhere. However this policy will change in
the future, all MX5/10/40 bundles and line cards are EEPROM coded and a
later
Sorry, missed this reply because of the new year holidays.
BTW, never could understand people running L2 on srx650 coupled with a normal
switch. Especially in srx-cluster + ex-vc. What for?
Why not? If you have more devices that need access to specific vlan zones on
the SRX, and you're
This seems to be a horrible complexe topic, with
much sensible information behind - the exact algorithm
seems to be much of a secret.
[…]
Am I completely wrong and there is much more magic
behind? Has somebody here an deep insight and might
share it with us?
It depends on a platform. For
It depends on a platform. For M/MX/T the hashing algorithm is considered
to be a kind of business secret (said to be patented, etc). For EX it's
Just to make an important point, it's either a secret *or* it's
patented, part of the point of a patent is that you publish your
invention in a
In my experience, I have used a looback interface address of the SRX as
the destination of the GRE tunnel on both sides then just send the /32
route of the loopback at the other end to the st0.0 address.
One important thing here. When you use loopback for IPSecs, GRE, iBGP or
any other sort
This works for a few hours approximately and then no traffic will pass.
As a quick test try to decrease the SA timelive (both phase 1 and 2) to
possible configurable minimum. If the freezing time changes (AFIAR it's
rekeyed each half-life period), you'll have a way to go further. Also check
if
23.01.2012 18:42, Dan Chevrie wrote:
thanks alot Pavel.
if possible, please share some example scripts which can be utilize to
push SRX configuration etc.?
Let me give you these links instead :)
http://www.juniper.net/support/products/netconf/11.4/#doc
Have a question about SPACE, Is it better to manage SRXes with space? Have
not tried space yet.
Last time we checked (May-June 2011) it was very very very raw. Too many
bugs, too much of nonworking features etc.
E. g. IPSec point-and-click configuration (which was the main goal of the
Why not FRR everything? The control plane hit is negligable even if
your internet users wouldn't notice, care about, or even understand
the improvements.
FRRed traffic can follow very fancy routes eating bandwidth on the way. FRR
for high loads is like sending trucks from a speedway to a
why would FRR LSP's take a route different than what the IGP would
converge to.
Because FRR uses a path from a different entry (PLP) to probably a
different exit (say, next-next-hop). When normal LSP (either SPF or CSPF
calculated) is a path from head-end to tail-end. Whether this happens
Because FRR uses a path from a different entry (PLP) to probably a
different
Ups, I meant PLR, of course.
exit (say, next-next-hop). When normal LSP (either SPF or CSPF
calculated)
is a path from head-end to tail-end. Whether this happens often or rare,
the
need to care how your
We are getting SSH_Brute_Force alerts quite often from our Intrusion
prevention systems (IPS) - ISS GX.
[...]
What could be best practices to handle these alerts ? i.e.
Configure rate-limits to ssh. E. g. n attempts per something from a single
IP. JUNOS has such an option under ssh stanza.
1 - 100 of 224 matches
Mail list logo