Hi Paul,
Thanks - it's looking like 1800 seconds
p...@dis2.millbrook1> show security flow session destination-prefix
216.168.xxx.xxx
Session ID: 434890, Policy name: Linux-to-Internet/8, Timeout: 1800
In: 216.168.xx.xxx/37820 --> 216.168.xxx.xxx/9103;tcp, If: vlan.11
Out: 216.168.x
Hi Richard,
> * Supposedly there is some capability to do local switching on the Trio
> PFE, but I've been told that support is extremely limited, and even
> doing something like configuring egress filters defeats the local
> switching and forces everything through the fabric.
>
Sounds as inter
Thanks, Richard.
2010/8/29 Richard A Steenbergen
>
> * Each Trio PFE is composed of the following ASICs:
>
> - MQ: Handles the packet memory, talks to the chassis fabric and the
>WAN ports, handles port-based QoS, punts first part of the packet
>to the LU chip for routing lookups.
> -
> > > * The Trio PFE is good for around 55Mpps of lookups, give or take,
> > > depending on the exact operations being performed.
> >
> > 55, not 65? Anyway, this is what I can't understand (maybe because of
> > my not-native English). When you say 'give or take', you mean it can
> > only do 55/65
/T # 834
> IT Specialist
> Global Technology Services, IBM
> fa...@pk.ibm.com
> +92-301-8247638
> Skype: fahad-ibm
> http://pk.linkedin.com/in/muhammadfahadkhan
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puc
Hi Guliano,
Yes, this is correct that EX3200/4200 do not support policers for outbound
direction. Not absolutely but almost sure this is a hardware limitation and
nobody is going to change this.
What you can do is either to reconfigure the architecture so that you will
use input policers (e. g. w
Hi Bikash,
I addition to everything, you also have to keep in mind that SRX is a
stateful device and performs a reverse route lookup when establishing a new
session. Unfortunately you can't enable something like "use the iface and
mac address from where the packet came" for traffic in backward dir
> Does anyone know if the switch ports on the SRX models (not the highend for
> datacenter) have similar functionality to the EX switches when it comes to
> integrating with Juniper's UAC product?
>
>
No, it doesn't.
http://www.juniper.net/techpubs/software/junos-security/junos-security10.3/junos-
Hi,
Anyone here uses dynamic-db? Works? or as always? :)
--
Regards,
Pavel
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
2010/10/27 Tom Devries
> Indeed, the only issue I see with policy based vpn's is the number of vpn
> policies required for the amount of networks that have to be encrypted. As
> someone pointed out on another list, the C device should support null proxy
> ids if you first deny all other networks
Richard,
I knew you should tried it :) Thank you.
More and more signs that there is no many implementations but a lot of
skepticism around it.
2010/10/28 Richard A Steenbergen
> On Wed, Oct 27, 2010 at 11:25:27PM +0400, Pavel Lunin wrote:
> > Hi,
> >
> > Anyone here uses
Hi Giuliano,
I haven't really tried such things myselft for ages but AFAIK it's not even
possible with IDP since at least skype goes into encrypted mode when it
detect itself blocked and simulates something https quite well. Please
correct me, if someone knows I'm not right. In this case some too
Hi all,
Unlike other platforms, the MX architecture if very flexible in how it
> uses its memory. For example, when a Cisco SUP720-3BXl says "1 million
> IPv4 routes", this means precisely 1 million, because they have exactly
> 72MB of TCAM and each IPv4 route takes a 72-bit entry, so they can fit
Hi all,
I am trying to establish a Martini tunnel through a core-facing MPLS
interface, which is placed into an instance (virtual router). Has anyone
tried this?
Everything (IGP, LDP, MPLS) is running in the instance but l2circuit is
configured in the master since there is no way to do so in an i
> I remember doing a single line in screenos unless my recollection is off.
>
> On the Cisco ASA/PIX, it's a single line 'static (inside,outside)
> ' statement.
> Is there an equivalently efficient method on the SRX?
>
> Thank you in advance for any input.
>
>
Arp-proxy is needed to attract tr
>
> This is a pretty common error when you are bringing pre-configured devices
> together in a chassis cluster.
>
+1
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
> set interfaces fab1 fabric-options member-interfaces ge-5/0/2
>
>
In case of SRX650 this should be ge-0/0/2 and ge-9
My 2 cents.
2011/3/8 Ben Dale
>
> Yes this can be done - control link traffic on the branch SRXs is actually
> sent 802.1Q tagged in VLAN 4094, so you'll need to make the interface you
> plug into the control link a trunk on your EX.
>
>
As I've mentioned a couple of days ago in some of the nei
My question with that setup is: how many VRRP instances can I have on an
> SRX?
>
VRRP does not scale well on any platform because of the protocol limitation
and due to CPU-intensive hellos. Max number of groups is 256. Although
theoretically this limit is a concern only in case of a single broadc
On 09.03.2011 21:47, Stefan Fouant wrote:
What Ben is saying is that you it is simply not necessary to configure the
AE interface when doing this on a Clustered device. Basically, when you are
doing clustering, you simply add multiple ports from the same node to a RETH
interface and this bond
>
> While testing the failover in SRX650 cluster. I have removed the control
> link between the primary and secondary. The secondary node went to
> ineligible mode. The secondry FW is still accessible through OoB
> interface. When I returned back the control link I couldn't reach the FW
> through O
2011/3/23 Chen Jiang
> It's a by design behavior. When control link or fabric link disconnected,
> the current RG0 master node will remain in master status but the current
> RG0 backup node will disable itself to avoid split-brain issue, "Disable"
> means the node will offline all SPC/NPC and Li
No need to install in on M10i just because it has a 1-core 32-bit CPU and
less (much less :) than 4GB of RAM which you can address (the only advantage
of 64-bit JUNOS by now) with x64. So even if you'd managed to push it into
RE-850, it wouldn've given you anything.
2011/3/23 Martin T
> Has any
>Seems like filters+policers allows you to specify bandwidth-limit
> and burst-size..
>
> I.e. if you had a pool of 10 mbps.. you could carve it into individual
> customer chunks at their... But no way to allow the customer to burst above
> that bandwidth-limit to some specified higher BW,
Each customer is on a separate non-overlapping subnet, but
> NOT on a different VLAN generally.. So filtering at the subnet level is
> easy.. does this change your response at all?
>
>
>
>
> No, not too much. Even worse :) Though, if so, you can try to implement
this on EX using an
Hi all,
Anyone here uses policers on LAGs with member interfaces, bound to
different PFE? MX Trio in my case, but same for i-chip would also be
interesting.
There is some rumor that in such a case policer rate is individually
applied several times to each of the member interfaces meaning ac
> PS: those observations were done on older M320 and I-chip based
> MX-series. Do not have Trio-based devices, so may be I'm wrong here.
> Still do not believe that intrachip communications were introduced
> to aid exact policing anyway.
>
Thanks. Actually I figured out myself with help from the l
Is anyone running MS products through SRX firewalls? How are you getting
RPC to work? According to engineering, the ScreenOS "ms-rpc-any" isn't
included in JUNOS, although, I do see the ALG catching the info based
off of endpoint mapper sessions.
[….]
Supposedly, according to JTAC, there are
> "Hi, when this bgp neighbor flaps it sometimes doesn't syslog the
> event correctly, and instead records garbage messages."
>
> "The bgp neighbor is flapping, that is why you are logging the
> neighbor down, can I close this case?"
>
>
Oh-yah! )
Are your sure it wasn an ATAC guy really, no
> I am in process of procuring new hardware and I've got a question. If you
> were to go for MX480 would you order it with MPCs or DPCs. Also if your
> network were to have MX80s as well which are Trio based would that
> influence
> the decision on choosing either MPCs or DPCs for the MX480s?
>
>
I
Ups. First accidentally unicasted this to RAS yesterday night. Sorry,
Richard.
Yep. Also discovered this just today, trying to download Junos to a remote
machine with links (another text-based browser :).
Was really surprised seeing the 180 megs tgz opened as text. But I was
surprised even more
2011/9/17 Chris Evans
> Juniper devices have out of band ethernet ports, but have the HUGE HUGE
> downfall of being in the main routing table conflicting with every other
> route.
>
BTW, can anyone give a good real-world example of a _routed_ OOB management
network usage?
As far as I understan
> As far as I understand the whole concept of OOB MGT IP interface
Sorry, really meant dedicated physical interfaces, of course.
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
> I see two ways one can go about this. Either programmatically tunnel into
> an OOB L2 segment via a "bastion" host in an on-demand fashion, or point
> some routes (dynamically, or otherwise) into your internal network for
> management use.
>
> The risk of pointing routes into your internal networ
> how about like management networks on ss7 deployments?
>
Not sure I correctly understand how the analogy from IP world should look
like. I can imagine a network of, say, access devices whether L2 or L3, for
which OOB mgt is really needed. But I don't know much people who use
dedicated mgt port
Is it always necessary to take in a full table? Why or why not? In light
of the Saudi Telekom fiasco I'm curious what others thing. This question is
understandably subjective. We have datacenters with no more than three
upstreams. We would obviously have to have a few copies of the table fo
> Indeed, when I check the session table on the SRX. I do get an entry for
> the
> BGP session, but it dissapears after only a few seconds. That seems wrong
> to
> me.
>
You mean a firewall session in "show security flow session"? If so, let me
express my doubts, an MTU related issue could make it
Would it no be advisae to either teace it or a tcpdump from the OS you can
> see what packets are being sent and received on the interface?
Generally yes, but. Though this doesn't seem to be the case for Jeroen since
he uses eBGP with direct interface address peering, you must keep in mind
that
> might not be enough business to justify it anyways), label switching is
> so easy from a hardware perspective that it's not even funny. Everyone
> and their mother is busy churning out Broadcom Trident+ based 64x10G 1U
> boxes right now (see: Juniper QFX, etc), and at a price of a couple
> hundre
Another example is LB. To make it smooth, LSR must get quite deep bits from
MPLS payload and process NH table accordingly.
In order to do things like facility protection or Option C Inter-AS VPN/VPLS
> (sometimes it's not bad to stick it right to the core, say, in case of a
> merge), LSR must be
> I think decent core routers do this today. We've had good
> luck load sharing MPLS traffic on LDP labels alone on
> various Cisco and Juniper kit, provided the IGP cost is the
> same.
>
This is where the number of labels comes into play. If we talk about LSR for
not that huge IPS (having not tha
This is where the number of labels comes into play. If we
talk about LSR for not that huge IPS (having not that
much of core LSPs), I'm afraid, this can require to get
back to the old good conception of FEC per prefix :)
When we were small and using Cisco 7200's as BGP-free core
routers, we wer
While those links discuss how the box performs load sharing,
it isn't actually configurable at all,
This is exactly what I tried to point out when Richard proposed to use
Broadcom Trident+ as an LSR PFE. EX3200 uses, AFAIR, Marvell something,
but I don't believe Trident+ much differs in this.
I meant that in order to do LB on labels alone (to have
enough of hash-keys for micro-flows), you need a large
enough set of labels in the core and more or less
uniformly distributed traffic over these labels. If you
have, say, 10 PoPs and 90 core tunnels, it's very
probable that 20% of them car
BTW, this is why I'm quite sceptically looking at the Juniper's
marketing of Express Chip simplicity and corresponded benefits. Lower
number of transistors in the crystal, greater MTBF, blah-blah.
Because of the mentioned features, which I don't really believe Juniper
could easily throw ou
> Yes you need to look into the packet a little bit to hash well, but this
> isn't a difficult operation either (compared to holding a full table and
> doing longest prefix lookups at any rate).
As far as I understand, it's not really correct to compare difficulty of
these two operations, since t
> Since many of these devices have IPv6 routing capability (with a
> limited FIB size) it is certain that they can look far enough into the
> packet to see as many labels as any reasonable design will require.
>
I'm not sure this is a correct comparison. See my reply to RAS.
I share your skeptica
>
> Hashing ALU's life is not a peace of cake either.
>
OMG. Piece :) I'll never get on with English spelling.
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
> existing commodity chips which CAN do IP and some pretty deep hashing
> already,
This is where my doubts start :) You've mentioned QFX — is there any
evidence they are much smarter in hashing than EX?
Personally my take is that PTX missed the mark as far as interesting
> target customer size g
TBH, I haven't checked the pricing but I'd expect Brocade MLX
MLX(e) is an edge device and is much like MX in most things. It's cheaper
but at a cost of some features lack and few caveats. Although it's a good
product, it's not a label-oriented LSR anyway.
>
> Do you realize that the source and destination IP address, TCP ports,
> MAC addresses, and so on, are all larger than 20 bits? If the thing
> can figure out how to hash on those parameters, it could also figure
> out how to hash on labels.
:) If it were so easy, the next thread on EX LB woul
Robert, is there any non-production implementation of simple-va, which we
could play with?
The main concern here is, of course, whether a router will
be infinitely installing/withdrawing tons of FIB entries because of
'natural' prefix flaps, how much black-hole/loop this will create in
practice, a
> The router with simple-va functionality enabled will not install nor
> withdraw even single additional route on top of what it would do when
> simple-va feature is not enabled. So it is guaranteed to be no less then
> today.
>
OK, OK, I've read the draft quite some time ago, and I also liked it
The removal of a large aggregate (say 4/8) and the subsequent required
addition of all of the subnets under 4/8 could certainly be
'interesting' to observe.
Interesting as well is that 4/8's origin doesn't have to be the flapper,
just your network (or an intermediate) changing attributes (or exi
BTW, (although it's an offtopic quite a bit) let me ask if there is anyone
here who ever deployed/mantined LDP VPLS + external BGP autodiscovery in
real life for more or less large-scale network? How was it? Any gotchas
worth to be aware of?
12.11.2011 6:47 пользователь "David Ball" написал:
> W
> That is not true. The ports are configurable and usable. But you need a
> license to be allowed to use them. The license is just paperwork and you
> dont need to activate it somewhere. However this policy will change in
> the future, all MX5/10/40 bundles and line cards are EEPROM coded and a
> l
Sorry, missed this reply because of the new year holidays.
BTW, never could understand people running L2 on srx650 coupled with a normal
switch. Especially in srx-cluster + ex-vc. What for?
Why not? If you have more devices that need access to specific vlan zones on
the SRX, and you're low
This seems to be a horrible complexe topic, with
much sensible information behind - the exact algorithm
seems to be much of a secret.
[…]
Am I completely wrong and there is much more magic
behind? Has somebody here an deep insight and might
share it with us?
It depends on a platform. For M/M
> It depends on a platform. For M/MX/T the hashing algorithm is considered
> > to be a kind of business secret (said to be patented, etc). For EX it's
>
> Just to make an important point, it's either a secret *or* it's
> patented, part of the point of a patent is that you publish your
> invention i
> In my experience, I have used a looback interface address of the SRX as
> the destination of the GRE tunnel on both sides then just send the /32
> route of the loopback at the other end to the st0.0 address.
>
One important thing here. When you use loopback for IPSecs, GRE, iBGP or
any other sor
This works for a few hours approximately and then no traffic will pass.
>
As a quick test try to decrease the SA timelive (both phase 1 and 2) to
possible configurable minimum. If the freezing time changes (AFIAR it's
rekeyed each half-life period), you'll have a way to go further. Also check
if
Only thing I can say is SRX managed with NSM (manually) is a total mess,
much like any other JUNOS device.
To be honest, I don't see much reason to automate SRX management via NSM
except some specific cases of existing NSM infrastructure already automated
for hundreds of ScreenOS/IDP and a couple
23.01.2012 18:42, Dan Chevrie wrote:
thanks alot Pavel.
if possible, please share some example scripts which can be utilize to
push SRX configuration etc.?
Let me give you these links instead :)
http://www.juniper.net/support/products/netconf/11.4/#doc
http://www.juniper.net/us/en/communit
>
> Have a question about SPACE, Is it better to manage SRXes with space? Have
> not tried space yet.
>
Last time we checked (May-June 2011) it was very very very raw. Too many
bugs, too much of nonworking features etc.
E. g. IPSec point-and-click configuration (which was the main goal of the
proj
> Why not FRR everything? The control plane hit is negligable even if
> your internet users wouldn't notice, care about, or even understand
> the improvements.
>
FRRed traffic can follow very fancy routes eating bandwidth on the way. FRR
for high loads is like sending trucks from a speedway to a n
> why would FRR LSP's take a route different than what the IGP would
> converge to.
Because FRR uses a path from a different entry (PLP) to probably a
different exit (say, next-next-hop). When normal LSP (either SPF or CSPF
calculated) is a path from head-end to tail-end. Whether this happens oft
> > Because FRR uses a path from a different entry (PLP) to probably a
> different
>
Ups, I meant PLR, of course.
> > exit (say, next-next-hop). When normal LSP (either SPF or CSPF
> calculated)
> > is a path from head-end to tail-end. Whether this happens often or rare,
> the
> > need to care
We are getting "SSH_Brute_Force" alerts quite often from our Intrusion
> prevention systems (IPS) - ISS GX.
>
> [...]
> What could be best practices to handle these alerts ? i.e.
>
Configure rate-limits to ssh. E. g. n attempts per something from a single
IP. JUNOS has such an option under ssh s
4/6/2012 г. 3:08 Tim Hogard wrote:
i.e. going from port 22 to 10022 means the attacker needs to scan first
> and that makes that job 10^4 times harder.
>
It's just like if an MX router doing lookups in 400-entries table had 1000
times more performance than this same router looking against the fu
Phil Mayers wrote:
On 04/10/2012 06:17 AM, Doug Hanks wrote:
>
>> In the context of packet-mode, the family mpls is analogous to inet. This
>> is correct.
>>
>>
> Not sure I understand this.
>
> "analogous" implies what, here? That enabling packet-mode for MPLS
> implicitly enables it for IPv4?
>
4/10/2012 Doug Hanks wrote:
>
> I suggest that the OP use "set vlan " instead of "set bridge-domain
> " Also use "set interfaces vlan" instead of "set interfaces irb"
>
> I'm not even sure why the SRX accepted this configuration.
>
>
The MX-style L2 commands are supported on SRX (branch as well a
10.04.2012 20:13, Michael Still wrote:
> OP wanted to use the IRB ints as next hop for their respective
> networks. This is apparently not supported on the SRX platform in
> transparent mode:
Yeah, I mentioned this as well. In my post I just wanted to explain why
these (MX-style L2) commands were
Hi,
Until Juniper realizes MS-MIC (I have no idea when it will happen) MX5–80
boxes really supports no NAT at all.
What they call Inline NAT on Trio (recently realized) is by now… umm… sort
of a patch for a particular customer or something like. It only supports
1:1 bidirectional static mapping,
SunnyDay wrote:
Hello
im trying to create a dls sub interface and i get this message any clues?
SSG140-> set interface adsl2/0.1 pvc 8 36 zone Untrust
Zone Untrust traffic shaping has been enabled! Disable traffic shaping
before binding.
It's silly but it is. ScreenOS doesn't allow to add subi
Hi!
Mark Tinka wrote:
They've actually switched to RLDRAM (32MB of it, to be
exact).
Do you have any information regarding the number of active routes it is
able to store?
--
Kind regards,
Pavel
___
juniper-nsp mailing list juniper-nsp@puck.nethe
Hi all,
Does anyone know what letter 'E' means in DPC codes? Is there any
technical difference between DPCE-R-2XGE-XFP and DPC-R-4XGE-XFP other
than just number of ports?
--
Kind regards,
Pavel
___
juniper-nsp mailing list juniper-nsp@puck.nether.ne
ook, burst size is *"the number of bytes that can
exceed the bandwidth constraints"*. However it doesn't mean it's how many
bytes you can transfer in addition to the the bandwidth (at least because
there is no definition of the period of time). Burst-size is not a speed of
tra
P. S.
BS is needed because dealing with policing (not shaping), the router has no
buffer where to put a packet in for awaiting. It is also not able to drop a
part of a packet -- either transmit or drop a whole one. Well, imagine a
situation when you need to transmit just one packet per hour, but a
Hi Jason,
Unfortunately the information you provided is not really helpful :)
All the cases with unexpected packet dropping are usually tied with
wrong policy, zones or routing.
So you should consider those things as well as provide them here to be
more informative.
But I believe, instead o
Hi,
I didn't checked myself whether Juniper realized port-range feature (I have
no access to the lab due to the weekend came up) , but I remember they
promised to do so in 'future release' some half a year ago. So if they
didn't yet it might be a conscious move, though hard to guess why.
But firs
2009/9/24 Chris Kawchuk
Yep. 30 ACL's with no issues (assuming straightforward things). Full BGP
> Tables, OSPF area 0.0.0.0 inside, QoS, IPSEC.
I'd warn you guys of running peers with full BGP on J series with 1 Gig of
RAM. It was not a problem till 9.4. But since 9.4 JUNOS for J-series is flo
Hi 陈江,
You're right, this should be almost always done if you run several external
peers with fullview, but this code only switches the box into router
context. It doesn't make fwdd to free the memory. The router I used to show
the fwdd memory consumption is also given this piece of config.
I hea
input.
>
> Based on factsheets the J series outperform BGP capabilities of the SRX
> series. The only out that outperform in SRX is the 650 which looks like a
> real good deal (thanks for pointing it out to me!).
>
> Nice weekend.
>
> - Gregory
>
> 2009/9/26 Pavel Lunin plu..
Hi Paul,
L3 switching is done in hardware (EX-PFE) so it is said to be wire-rate as
well as L2. Firewall filters are also hardware based so they don't degrade
performance in some reasonable amount (several thousand filter terms, I
guess).
However you should consider the FIB constrains for EX3200/
2009/10/9 Pavel Lunin
if you have 2 x 3200-24T priced $3k each, and you want to connect them with
> a single 10Gig link, I have to buy 2 uplink modules (2x$2k) and 2 XFP/SFP+,
You have to buy them, not me :))
___
juniper-nsp mailing list juniper-
Hi experts,
Does anyone have any real world experience with J-series running a few
hundred policiers? I mean few hundred 1-per-IFL policier instances, not
a few hundred policier stanzas in config.
All the documentation I was able to find, says J-series supports up to
50 policiers per box. H
Hi experts,
Could I ask someone to help me to get a piece of simple statistics. I'd
like to know ratio of numbers of TCP sessions closed normally and aged
out in some way in real-world Internet traffic.
A simple way to know this is to place a filter like the following to
catch the packets
Hi Phil,
2010/2/27 Phil Shafer
>
> Be aware that "tcp-flags" looks at the bits at a fixed offset in
> the packet without checking to see that the packet is TCP.
[…]
> The fix is to add at the top of your filter:
>
>term accept-non-tcp {
>from {
>protocol-except tcp;
>
Hi Ibariouen,
Enough in this case can mean different things. Enough for what?
Usually not enough means that each external IP ‘generate’ too many
simultaneous and new (per second) sessions. This can trigger an attack
defence mechanisms on popular sites, etc.
But ‘too many’ is also quite not clear
2010/3/22 Richard A Steenbergen
> But what happens when you do:
>
> interface xe-1/0/0 {
>vlan-tagging;
>unit 101 {
>vlan-id 101;
>family inet {
>address 1.2.3.4/24;
>}
>}
> }
>
> interface xe-2/0/0 {
>vlan-tagging;
>unit 101 {
>vlan
Hi Hoogen,
I think this is just another story.
SRX should have also had some more storage capacity to store IDP base and
all the same things as Richard wrote about. But session logging can cause
another problem — increased process switching or something like (if we talk
about Branch SRX), because
Hi Richard,
My guess is that it is done to catch traffic destined to control plane.
I can not imagine a convincing enough example right now but I can tell I
bumped a few times into a situation when in case of an iface done, some sort
of a session to the router (no matter why it is no destined to
Hi experts,
Can anyone actually explain what for those /32 routes are intended at all?
Even if the iface is up. Ain't they to attract traffic addressed to control
plane?
My way of thinking is that they are alive at link down time for the same
reason as they exist when the link is up.
I haven't b
Hi Eric,
SSG should be available for another couple of years. Juniper likes to say
ScreenOS's roadmap is full of things do be done till the end of the next
year.
However I wouldn't say SSG has so much better featureset.
In routing SRX is far far beyond. You can even have packet-mode instances
wi
Hi,
Mainly I agree that ScreenOS is more predictable and less buggy than JUNOS
Voyager. Although I remember the times of 5.1-5.3 when loads of new features
were added and we ran into issues each new release. Specially when ISG had
just been released.
But from the features point of view, I really
2010/5/10 Scott T. Cameron
> On Mon, May 10, 2010 at 3:25 AM, Pavel Lunin wrote:
>
> > Moreover SRX3/5k is quite a different story. ScreenOS products anyway can
> > not compete against them.
> >
>
> Are you speaking from experience?
Yeah. All ScreenOS produc
Hi Fahad,
Chen gave a very good answer.
Though It also depends on which platform you talk of. E. g. SRX3400 could
not support more than 1M sessions until 10.0. Also some overall JUNOS things
were added in 10.0 like interface ranges.
There is a very good paper which answers your question, called
Hi Paul,
l also have two cases open with similar questions.
First it is nowhere written which fields are taken on EX to calculate the
hash for per flow. JTAC seems to not know though sent me very detailed
explanation of how per-flow balancing is done for LAGs. Seems like ECMP uses
the same fields
Hi all,
The issue is not that memory is being pre-allocated to the forwarding / flow
process.
This is expected and required to function.
The issue is that when things switched to flow support the memory usage went
*way* up, and
even when you convert to packet mode it is not reduced.
It is
On 21.07.2010 22:34, Christopher E. Brown wrote:
That is exactly our use, up to a couple hundred megs of IP services on
one, a couple hundred of L3 MPLS on another, and L2-circuit/vpls on a third.
Alaska has many small remote locations. For larger areas, M and MX
platforms are better, and can
On 22.07.2010 14:33, Alexandre Snarskii wrote:
we also bump into the requirements of cheap devices running everything
including L3VPN/VPLS for a few hundred megs. I would suggest to use
SRX240H in packet mode and don't even think about full BGP (they can't)
You can try the same trick as w
1 - 100 of 243 matches
Mail list logo