Hi,
I was wondering if anyone else has had issues with M based routers and
PPM, if so, any advice would be greatly appreciated.
Here is my situation:
- I have a m120 router that is now running BFD and IS-IS on a few links
and OSPF on a few other links (no problem here)
- when I take a backup
Hey Juan,
It depends on if you are wanting to pass multiple vlans to the switch or
have it as a flat vlan. If you need more than 1 vlan then yes, the
switch must be setup as a trunk port but if you only need 1 vlan then
you can setup the switch as an access port.
On the ssg500 you define a p
is there a chance to use policy-statements here to accomplish this?
say for example:
from {
protocol ospf route-type internal ...
}
then {
reject;
}
?
-Payam
Phill Jolliffe wrote:
Only external LSA can be prevented from entering the RIB via ospf import policy.
On Thu, Dec 2, 2010 at
Must you use private vlans or can you merge say 10:1 ratio?
Sent from my BlackBerry device on the Rogers Wireless Network
-Original Message-
From: Andrew Jones
Sender: juniper-nsp-boun...@puck.nether.net
Date: Tue, 08 Mar 2011 13:22:50
To: Juniper nsp
Subject: [j-nsp] Router with lots o
Hey,
Are you dropping the fragmented pkts on the end dst?
What mtu value are you using on your egress inet interface and LAN
interface? Remember that gre has 24byte overhead so your LAN side
needs to always be $x - 24 so if using 1508 on ur .inet facing
interface then your LAN facing max mtu valu
Hey David,
by default on the ex's igmp snooping is active.
disable this on the vlan being used to carry the isis traffic and it
will build nei adj
cheers
Payam
david@orange-ftgroup.com wrote:
Hi all,
I'm trying to establish an ISIS L2 adjacency between an ERX (Junose is new for
me
Hey,
Have you tried setting each side up as a point-to-point network? It's
done under protocol isis
Try that and see if it works. If so, ur dst mac on one side is getting
filtered (by the device itself or perhaps your provider)
On 5/20/11, david@orange-ftgroup.com wrote:
> Hi,
>
> I don't
correction:
point-to-point is configured under the interface on the erx
" interface blah/0
isis network point-to-point "
-Payam
Payam Chychi wrote:
Hey,
Have you tried setting each side up as a point-to-point network? It's
done under protocol isis
Try that and see if it works.
that the simple
authentication doesn't work correctly. Maybe the hash-key is not compatible when
you use the simple authentication.
Now we are using md5 as authentication-type and point-to-point configuration
between equipments ERX, T1600, GSR and CRS.
BR,
---
David
On Fri, May 20, 2011 at 10
Hey Richard,
The then next-hop x.x.x.x should work as long as the next-hop is valid
'in the routing table'.
mind showing your config?
Thanks
Payam
Richard Zheng wrote:
Hi Joseph,
rtr C belongs to the customer. It only talks bgp with rtr A.
The issue is that redistribution from bgp to os
2011, at 6:44 PM, Richard Zheng wrote:
On Mon, Jun 13, 2011 at 7:50 AM, Payam Chychi <pchy...@gmail.com> wrote:
Hey Richard,
The then next-hop x.x.x.x should work as long as the next-hop is
valid 'in the routing table'.
mind showing your config?
T
Had the same problem a few months ago prepping my bkbn for a higher
mtu support and noticed one bgp peer flapping, it was the same issue
as described by others, mtu mismatch.
I'm assuming that the initial bgp buildup happens ok due to the
bgp-pkt-size < supported mtu then once the update pkts get
hey John,
i believe juniper filters out macs when igmp snooping is enabled on the vlan,
normally this would be fine however i think their filters are also capturing
legitimate mac add/ranges
why do you need igmp snooping on ur phone vlan? if possible separate ur voice
vlan from data and disab
On 12-01-24 03:14 PM, Sebastian Wiesinger wrote:
* Chris Kawchuk [2012-01-25 00:10]:
Heh, then it's a different problem altogether. =)
In your VPLS config, do you have any "vlan-id" settings set in the
routing-instance? It's a long shot, else I have no idea why she
ain't passing traffic...
I
hey everyone,
I was wondering if anyone knew of a way to collect payload data from the
Network Connect functionality of the Juniper SSL VPN.
The logs clearly show URL requests if the user utilizes the web based
login but does not show any information for network connect based
connections, othe
Eugeniu,
That helps greatly, thank you very much.
kind regards,
Payam
Sent from my iPhone
On 2012-06-06, at 4:26 AM, Eugeniu Patrascu wrote:
> Eugeniu
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/
Doesn't sound like you have done any research at all... Google.com and search
"juniper snmp arp oid"
--
Payam Chychi
Network Engineer / Security Specialist
On Sunday, 10 March, 2013 at 12:57 PM, Abdullah Al Faruque Mullick wrote:
> Dear All
>
> I would like to know h
port, negotiation settings or more
importantly another sfp brand or type on the juniper side, juniper is picky
with the brands of sfp used, specially copper
--
Payam Chychi
Network Engineer / Security Specialist
On Wednesday, 13 March, 2013 at 3:40 PM, snort bsd wrote:
> hi all:
>
> i hav
changes... Or at least do
"commit confirm 60" which will revert your changes after 60 seconds in case you
blow up your network and lose access.
Cheers,
--
Payam Chychi
Network Engineer / Security Specialist
On Saturday, 23 March, 2013 at 4:26 PM, Jeff Wheeler wrote:
> On Sa
:
"Set routing-options static route x.x.x.x/32 discard" ... Something like this
All you're doing is dropping traffic for x.x.x.x/x at your edge, most cases it's a
/32 nullroute.
Google is your friend :)
Cheers,
--
Payam Chychi
Network Engineer / Security Specialist
On Sunday, 24 March,
case with most commercial
proxies) you'll hit challenges.
All depends on your application requirements and design i suppose
--
Payam Chychi
Network Engineer / Security Specialist
On Wednesday, 1 May, 2013 at 6:34 PM, Andrew Miehs wrote:
> Does the ssg20 do destination NAT? That is
I 2nd this, check your mtu settings end to end, keep in mind the differences
between cisco and juniper when it comes to calculating lowest required mtu
value
Mismatch mtu tends to have some very odd behaviour on protocols
--
Payam Chychi
Network Engineer / Security Specialist
On
Hey,
Why not prepend the routes out of ur gigE? That way it becomes the backup link
and u can turn down bgp anytime you want on the gigE without impact
--
Payam Chychi
Network Engineer / Security Specialist
On Thursday, 18 July, 2013 at 4:10 PM, Keith wrote:
> We recently just turned
Many ways to skin a cat... personally i would use local pref for outbound and
as-prepend on the inbound and you're golden
--
Payam Chychi
Network Engineer / Security Specialist
On Thursday, 18 July, 2013 at 4:45 PM, Tim Vollebregt wrote:
> Hi Keith,
>
> Yes, this sounds good. But to
You should always match mtu if you want to avoid having problems down
the line, specially with protocols such as ospf and bgp
On 2013-07-26 7:33 AM, OBrien, Will wrote:
You have to match them appropriately. Take a look at my nexus-srx example.
On Jul 26, 2013, at 9:30 AM, Mark Tinka wrote
so your valid path was actually invalid?
On 2013-08-06 6:43 PM, 徐见 wrote:
> Thx for your attention, I have found out the reason, it’s ospf issue,
> because ospf generate two next-hop for NET A on node 2.
>
>
>
> From: Muhammad Atif Jauhar [mailto:atif.jau...@gmail.com]
> Sent: August 5, 2013 21:36
>
use a separate range and keep your network clean
On 2013-08-14 8:37 AM, Eric Van Tol wrote:
Hi all,
We've had MPLS running on our network for years using JUNOS and until only very
recently, we haven't had to deal with any of our Cisco equipment needing MPLS.
That changed when we started purch
Unless I'm mistaken... That's a safety which detects a loop and rejects the
prefix
Allowas-in as well as as-override will get you around it but don't mod unless
you know how it's going to affect ur network
--
Payam Chychi
Network Engineer / Security Specialist
On Tuesday, 10 September, 2013
Is the dst ip pingable from the fw? I thought the system auto monitors to see if
the dnat dst responds to icmp packets and if not, will not work
?
--
Payam Chychi
Network Engineer / Security Specialist
On Thursday, November 28, 2013 at 3:08 AM, Mohammad Khalil wrote:
> Ok I have chan
a 3mim
wait for route withdraw (unless this is a peering router with dozens of peers
and full routes on each)
Hope you find root cause
--
Payam Chychi
Network Engineer / Security Specialist
On Thursday, March 13, 2014 at 4:50 PM, Andy Litzinger wrote:
> Hi Chris,
> yes, i am takin
It's gonna be ugly, the units capable for vpn? If so, i think that might be your
best bet
--
Payam Chychi
Network Engineer / Security Specialist
On Wednesday, March 12, 2014 at 5:04 AM, Skeeve Stevens wrote:
> Hi all,
>
> I have an SRX at a customer which has an Avaya voip system. W
same here, ALG is the devil =)
I think your best solution is gonna be placing this inside your DMZ,
aside that ... a proxy method like the one already recommended with the
sip trunk
interested in seeing how you figure this out, it will be good KB
Cheers
Payam
On 2014-03-13, 5:57 PM, Andrew Jo
Hi Mohammad,
- Any route-maps preventing the prefix from being installed?
- How are you learning 1.1.1.1?
Payam
On 2014-04-28, 2:13 PM, Mohammad Salbad wrote:
Dear Experts
we have an MX router connected to a service provider network which provides
us with OSPF
L3VPN connectivity with re
Hi Johan,
What type of hardware are we talking here? Also, what's your end goal? Can't
really say which is better without knowing what you need at the end of the day
--
Payam Chychi
Network Engineer / Security Specialist
On Monday, September 1, 2014 at 11:53 AM, Johan Borch wrote:
>
I'd also keep with L3/BGP over L2 or even L3/OSPF for DC. For ENT, you can
get away with L2 if you need and want to stay away from more advanced
L3VPN/XVLAN
Really depends on what you are trying to do... however, most cases L3/BGP
will be a great start point and a friend =)
On Mon, Jun 25, 2018 at 9
Not sure if I agree with this, this (ospf) certainly would not scale in my
network. the point being, different use cases, different environments.
Always design your network to allow for forward progression else you will
be wasting more time and dealing with more problems
On Mon, Jun 25, 2018 at 11
That's correct. You could also monitor on the switch port side of things with
snmp
If you're going to pay, inmon is a great application.
--
Payam Chychi
Network Engineer / Security Specialist
On Thursday, September 25, 2014 at 7:23 PM, Paul S. wrote:
> I'm not 100% sure of thi
Hi Johan,
This sounds like a network issue, i'm actually dealing with the same
thing with one of my off-net providers.
Latency does of course play a factor however, latency has a
bidirectional influence and not asymmetric (as in 200ms rtr both ways).
No reason as to why you should be getting
Hi Johan,
This sounds like a network issue, I'm actually dealing with the same
thing with one of my mpls providers.
Latency does of course play a factor however, latency is a bidirectional
influence and not asymmetric. No reason as to why you should be getting
400 one way and 60 the other.
On
with 20ms RTT, a
receiver using a 1 MB receive window might see between 300-400 Mbps,
whereas a receiver stuck with a 64 KB receive window on the same link
might see only 20 Mbps. It's pretty common, especially if one side is
an older OS.
John
On Fri, Nov 21, 2014 at 10:46 AM, Pa
On 2015-05-08, 5:01 PM, Mark Tinka wrote:
On 8/May/15 22:40, Saku Ytti wrote:
I'm not entirely sure what is the scenario. Is the scenario one where you have
PE and CE, where PE may become isolated and if such, it should not inject
default to CE?
I've seen use-cases for this where customers ar
Asr1000 line are solid if needed for nat
--
Payam Chychi
Solution Architect
On Monday, November 30, 2015 at 5:57 AM, Saku Ytti wrote:
> On 30 November 2015 at 15:39, Adam Vitkovsky
> wrote:
>
> Hey Adam,
>
> > I think this can be alleviated with BGP provider edge
--
Payam Chychi
Solution Architect
On Sunday, December 20, 2015 at 10:11 AM, Per Westerlund wrote:
> Like most manufacturers the performances quoted by Juniper are under ideal
> (or even better) conditions. The only way to be sure is to test with a
> representative load.
>
> In
Hi Mike,
Here is what i got so far, from the testing i had done in the past using
the SRX240H, no issues with 800Mbps and 90K pps... also, no issues with
300 Mbps and 150K pps.
I am Not running it in Packet mode since i have no need to do so.
I am not doing any IDS/Anti-Virus/IPSEC.
As of la
On 2015-12-31, 9:08 AM, Eric Van Tol wrote:
I’ve looked at this and there’s nothing in the console port config at all. I’ve
tried disabling and re-enabling the console port in the config, as well as
rebooting the switch to see if there was some “negotiation” going on. I’m able
to connect to th
On Thursday, February 4, 2016 at 5:24 AM, Adam Vitkovsky wrote:
> Hi Tim,
> > Of tim tiriche
> > Sent: Wednesday, February 03, 2016 4:55 PM
> >
> > Hi,
> >
> > I have a silly question.
> >
> > If i have 10G interface with an inbound ACL to drop UDP/80
> >
> > Now, if i have 30G of incomi
What Paul said, make sure you have proper mac add being propagated at the port
level.
On Mar 19, 2016, 5:25 PM -0700, Paul Abbott, wrote:
> Hi Serge,
>
> Have you verified the mac address from the VFP’s configuration with the MAC
> address of the interface in question from the Junos CLI? I’ve
What gear do you currently have? What do your filtering rules look like? You
don't need to buy new gear if you're filtering much of the bad traffic at the
edge using simple ACLs
On Apr 14, 2016, 2:39 PM -0700, Dovid Bender, wrote:
> Why not use an external service to scrub your traffic?
>
> Reg
g solution that you can
employ
when under attack. It's likely a lot easier for you to administrate
too.
Regards,
Dave
On 14 April 2016 at 22:57, Payam Chychi <pchy...@gmail.com> wrote:
> What gear do you currently have? What do your filtering rules
c will be dropped
> > > before it even hits you. The damage is already done. The only way
> > > around
> > > this is bigger links, which can be costly and you're not even
> > > guaranteed to
> > > have links big enough to cope with an attack.
> > >
All you need is a BGP session with your provider.
you discuss and agree to a predetermined set of bgp strings to assign to
the route. the route then gets advertized to your provider say and due
to the community attached, the route will auto-update its next-hop to
192.168.0.1 (or whatever ip th
A lot can be done using dscp/qos + PBR + BGP and a decent mitigation
segment (PCRE/suricata/bro ids)
On 2016-04-19, 4:52 AM, Dave Bell wrote:
You use destination black holing. Sacrifice the connectivity to one
customer to save the rest.
On 16 April 2016 at 17:25, Satish Patel wrote:
We ar
Check your load balancing hash, normally this is by default set to hash
based on layer3/4 dst info, this means that if you are sending all traffic
from one src to the same dst ip/port, it will only hash and bind to one
interface.
On Wednesday, 17 August 2016, Jeffrey Nikoletich wrote:
> Hello,
crazy questions... why?
normally it's Cisco to Juniper specially when it comes to the
vpn/firewall/security devices
On 10/12/16 12:04 PM, Nik Geyer wrote:
https://fwmig.cisco.com/
-Original Message-
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of
Mohammad
Check interface stats and look for duplex, run a rapid burst of pings with
small and large payloads (2 tests) also is this a service provider link or
a link you control both ends?
If the latter applies, might be worth looking at the optics and physical
wire... else call your provider and ask for i
On Mon, Jan 29, 2018 at 10:31 PM sameer mughal
wrote:
> Thanks for the reply.
> Can you please help me how can I check and correct this ?
>
On Tue, Jan 30, 2018 at 9:29 AM Alexander Arseniev
wrote:
> Hello,
>
> BGP KA size is 19 bytes without authentication, circa 39 with. Plus IP
> overhead, plus Ethernet OVH - still below 100 B.
>
> SRX reth default MTU is 1500B.
>
> Are You sure that checking & setting MTU helps to fix BGP holdtim
>
> On Wed, Jan 31, 2018 at 1:42 AM, Payam Chychi wrote:
58 matches