<bb0x> hi guys
<bb0x> once I've done the commit, do I need anything else to make sure that configuration is saved and in case of reboot the SRX will boot the correct configuration?
<bb0x> similar to wr mem on cisco switches?
<daemonkeeper> Unlike Cisco switches, Junos is sane, so no.
<Gollee> commit also saves the config so it will still apply on startup
<bb0x> daemonkeeper, Gollee thanks
<bb0x> do you know why I'm not able to ssh or telnet directly from juniper to other hosts in a zone?
<Gollee> you need to enable ssh forwarding or w/e it's called
<bb0x> I have permit any any from trust to that zone and also from that zone to trust
<bb0x> hmm. how to enable it?
<daemonkeeper> Gollee: eh. what?
<daemonkeeper> bb0x: Traffic leaving the RE is allowed by default. Check your back routes, maybe you don't use the source address you think you'd be using.
<Gollee> no wait
<Gollee> urgh, I'm wrong
<bb0x> I have on reth2 interface and I want to connect to which is another device and it's not working, I only can ping that
<bb0x> I've set up the source address when running telnet
<bb0x> and still not working
<Gollee> set system services ssh tcp-forwarding
<Gollee> I think that's what he's talking about
<Gollee> or no
<daemonkeeper> Forget whatever Gollee is saying, bb0x.
<Gollee> maybe that's like port-forwarding using SSH
<Gollee> damn it, yeah
<bb0x> so, I'm on the juniper node and I want to ssh to another device in the network connected to reth2
<bb0x> I can ping that device but I cannot ssh or telnet to it
<daemonkeeper> If you can ping it, check the firewall on .4.10
<bb0x> there is no firewall on 4.10
<daemonkeeper> ssh from one window, and do show security flow session destination-address in another
<bb0x> ok, give me 2 mins
<bb0x> Session ID: 359022, Policy name: self-traffic-policy/1, State: Active, Timeout: 6, Valid
<bb0x>  In: -->;tcp, If: .local..0, Pkts: 2, Bytes: 96
<bb0x>  Out: -->;tcp, If: reth2.0, Pkts: 3, Bytes: 180
<bb0x> Total sessions: 1
<bb0x> self-traffic-policy/1? what is this?
<daemonkeeper> What I said, the implicit allow-all policy for traffic initiated by the RE
<daemonkeeper> But yeah, you see, the flow is valid. So from an SRX's point of view, the traffic is accepted.
<bb0x> the strange thing is that in the console telnet still says trying
<bb0x> so I cannot connect
<bb0x> should I allow traffic from untrust to that zone too?
<daemonkeeper> Does not matter. Policies are bidirectional. By allowing it in one direction, reply packets associated with that connection are allowed.
<bb0x> guys any idea what I should try?
<AlexeyX> Can't connect from Juniper to another system by ssh?
<bb0x> AlexeyX, yes, that's my issue
<bb0x> I can ping, but ssh/telnet not working
<AlexeyX> do you have some firewall filters?
<bb0x> AlexeyX, I have this: Filter: pm-copp-in
<bb0x> Name Bytes Packets
<bb0x> copp-important-copp-important-dns 0
<bb0x> copp-important-copp-important-ntp 0
<bb0x> copp-important-copp-important-snmp 0
<bb0x> copp-important-copp-important-ssh 0
<bb0x> copp-normal-copp-normal-icmp 0
<bb0x> AlexeyX, that was the trick, I had to update the prefix-list for ssh with nodes from that network
<AlexeyX> It was a firewall filter :)
<daemonkeeper> If you need a firewall filter on a policy-driven SRX you are doing something wrong.
<Llama052> Anyone have any experience/issues with VRFs on the EX4300 platform?
<ishmauro> There's no MPLS on EX4300
<daemonkeeper> And VRFs have to do with MPLS because .... ?
<ishmauro> llama052, do you mean instance-type vrf or instance-type virtual-router? when I read vrf, I think MPLS
<daemonkeeper> VPLS/L3-VPN VRFs are very special use cases for VRFs.
<ishmauro> Agreed, but when you configure "vrf" on a junos box, it's for MPLS.
<ishmauro> llama052, I've had more experience with virtual routers on ex4200 than on ex4300 but I've used both a fair amount to simulate customer connections in lab networks. what are you trying to do?
<Llama052> just seeing some interesting layer2-3 issues
<Llama052> layer 2 is solid but having some spotty layer 3 connectivity issues
<Llama052> Odd activity
<ishmauro> are you exchanging routes between VRs?
<kinivarpa> Hello, is it possible to find a freelancer here?
<kinivarpa> I need a freelancer who can convert a Brocade BigIron RX configuration to juniper mx and add a few additional features
<bb0x> daemonkeeper, maybe, I didn't set this up, this is how I found it... I'm not a network expert, I have some basic network concepts and I'm new with SRX
<bb0x> can I set up a native vlan on a reth interface?
<bb0x> is this supported in a cluster configuration?
<daemonkeeper> Cluster reths can be L3 only.
<bb0x> so I can set up vlan-tagging ... then define units for each vlan number
<bb0x> so no native vlan? it's strange it offers the option
<bb0x> native-vlan-id Virtual LAN identifier for untagged frames (0..4094)
<bb0x> are fxp0 and fxp1 normal management interfaces or are they used for clustering?
<Llama052> I don't think this would cause issues, but would MTU interface mismatches on LACP links cause issues?
<Llama052> for instance if link MTUs were set a bit differently
<Llama052> in a LACP lag
<Llama052> blegh been up all night
<bb0x> daemonkeeper, according to juniper it looks like native vlan is supported on srx starting with 12.1x44D10
<kevins> fucking native vlan
<kevins> people need to stop using that shit
<bb0x> I'm running 12.1x44D35 I think
<bb0x> kevins, :)
<kevins> I disable vlan 1 on every fucking box I get
<bb0x> I have vlan1 disabled too, but the network was somehow flat
<bb0x> no vlans, only a single vlan (not 1) and I'm trying to implement vlans now
<kevins> bb0x, I thought you were guiding daemonkeeper on how to use native vlan :)
<daemonkeeper> surely not.
<bb0x> so, I still have a few hosts in that vlan and that's why I've asked about native vlan
<bb0x> kevins, :) I'm a newbie :)
<kevins> Ahhh - we have a bunch of old cisco shit here - where between VTP and Native VLAN I want to gouge my eyes out every time I configure something there
<bb0x> ty guys, I have to leave now. I'll be here later to ask "stupid" questions
<ishmauro> VTP: the gift that keeps giving
<kevins> ishmauro, Yea....I could shoot someone for using VTP
<ioudas^work> If I had a reth0 for my internet and I wanted to add just an internet server to that group. Say I had 10 addresses and I wanna pick one in the middle. What's the best way to configure an srx for this?
<nemith> what group do you mean? Are you talking about NAT?
<kevins> ioudas^work, Proxy-Arp is needed
<kevins> unless you assign the IP to the interface as a secondary or something
<kevins> the best way - is the way that makes the most sense in your specific environment