juniperdudedoes anyone know if configuring an IGP (ISIS/OSPF) with LFA paths, differ if using link-protection vs node-link-protection? or does node-link-protection only apply to MPLS (bypass LSP)
jfin mpls world is node-link-degradation i belive
jfand yes, node-link-protection tries to protect on the node (avoid select an LFA with nodes in common) and then, tries to maximize the coverage by trying to find LFA avoiding links in common
jfI think in mpls world the concept is the same, (applied to bypass LSP), however the node-link-protection is called node-link-degradation
t0kenACTION learned the important difference about creating community lists vs regex today
t0kenmembers [ target:64512:58453, 65083:64512 ];
t0kenmembers [ target:64512:58453 65083:64512 ];
t0kenthat's 2 very different meanings
t0kenis it bad to start drinking this early on a monday morning? it is not
tyorkIt's almost scotch:15
Roland-hi, still finding my way in junos, I need to add google dns servers to address book, is the approach to create two address sets and add it to the zone address book ? from the web I cannot see how to add two ips
AlexeyXHello! I'm adding like that - set address google-dns-srv-1, set address google-dns-srv-2, set address-set google-dns address google-dns-srv-1, set address-set google-dns address google-dns-srv-2
Roland-alright works for me
Roland-is that about right?
voipworking on my jncis-sec
voipI like the idea behind application-set's
Roland-anyone setup vpn ? I am enabling port 443 https for dynamic vpn, but that enables the web management as well thich I don't want to
Roland-documentation says to enable web management, which is kind of an issue, I mean whoever needs to vpn can do web management as well ?
Roland-I know it's a different user etc but
WintereiseWhy don't you uhh try turning web management off
Roland-if I do that, no access for users on https /dynamic-vpn
jfits possible to prepend an external ASN inbound (i know its not recomended, but..) ?
jf(to influencce outbound)
jiannoneset policy-options policy-statement bla term bla then as-path-expand las-as count bla
jfyes, would that work in applied as import from eBGP peer group ?
Xipher < yep
jfand i mean not prepend my own AS (as it will be blocked due to loop prevention), but prepend an external ASN
Xipherit will add the AS as your importing the route from a peer
Xipherwhen you set that in the import policy for said peer
jfyep, nice
jfi was wondering if junos does some sanity check for this case (if you prepend an external ASN)
Roland-any idea where I can get a price for an utm licence for juniper srx100h ?
Roland-ah lol
Roland-500 eur
Roland-for an srx100
Roland-SRX1XX-IDP-5 1.2k
kevinsRoland-, UTM on an SRX100 will be death to that poor box
Roland-I imagine so
Roland-I will dump it soon for an srx220
Roland-just got a very good deal for brand new srx110h for 130 EUR
Roland-enough for me to play with
kevinsJust download the 30 day trial licenses then
kevinsif this isn't for production
kevinsif you just want to play with it
kevinsrequest system license update trial
Roland-will do
Roland-but I was curious about the prices as well
Roland-but huh...
kevinsWell your SKU is a 5 year SKU
Roland-1k licence for an 500$ device which won't handle anyway...
kevinsThere are 1,3, and 5 year SKU's for the UTM shit
kevinsI mean it can handle it......but your throughput will go down to under 30Mbps
kevinsSRX100 is a shit box anyways
kevinsNo gig ports = fixed MTU of 1500
ishmauroagonizingly slow to commit anything
kevinsNot as slow as a PAN box
kevinsI use SRX100's for lab shit.
Roland-yes it's quite slow
kevinsjust need to work within their limits
Roland-cli is acceptable
Roland-but web... if needed
kevinsCLI is the only way to manage it
kevinsJWEB is garbage
Roland-true, is there a way to entirely disable it?
Roland-i mean nu just leave it unconfigured
ishmauroleave http and https unconfigured under system services…or don't allow in your lo0 firewall filter
Roland-srx240 seems also nice
Roland-from which series I can find an asic or something?
Roland-loks like 100 is doing everything in software
Roland-expected on the entry
ishmauroanything with 4 digits has packet forwarding engine…so 1400, 3400/3600, 5400/5600/5800, and now 1500
Roland-ah, so even 240 is doing sw
kevinsRoland-, Nothing in the SRX branch line is done in ASIC
kevinsAnd I wouldn't buy any more of the SRX2xx
Roland-why is that ?
kevinsWith the 3XX coming out this quarter
kevins1xx and 2xx going away
Roland-I understand but budget is an issue as well
kevinsNewer boxes will be cheaper than older boxes
kevinsunless you buy grey market
Roland-I can put my hands on an SRX220H with ~5-600 eur
kevinsThat will be the same price for the SRX3xx
kevinsThat's how Juniper prices
kevinsjack up the old
kevinsprice the new the same as what the old used to be
kevinsget people to buy the new
Roland-I do like what I see on srx320
kevinsIt will be 2 SKU's now
kevins1 for the hardware and 1 for the perpetual software
Roland-SRX300 is what I will need
kevinsThere just isn't much point in buying the SRX2xx series at this point
kevinswell when the SRX3xx comes out
kevinsI think SRX2xx will be EOS this year
Roland-well I will be waiting then
Roland-if prices for SRX300 are below 600eur I would go for it
Roland-otherwise I am looking into asas
kevinsSRX100H2 is EOL 5/1/2016
kevinsAll the SRX's that aren't going forward are EOL 5/1/16
kevins100H2,210HE2, 210HE2-POE, 240H2, 240H2-DC, 240H2-POE, 650 all those go EOL in a month essentiall
Roland-but SRX300 will be released... /
kevinsIt is on the Feb/March pricelist
kevinsso it should be shipping here soon
Roland-did you see the price for 300 ? :P
jryburnJust as a comparison... the current SRX100H2 list price in $845. The SRX300 + JSB software is $995 list.
jryburnAll the new SRXs (and switches for that matter) have a separate hardware and software SKU to purchase. Part of the new "disaggregation of Junos" strategy.
jryburnIf you buy the subscription software, service is included. If you buy the perpetual software, service is an additional SKU.
jryburnSo if you go perpetual, you have 4 SKUs to purchase. 1x hardware, 1x hardware service, 1x software, 1x software service.
Roland-I will have to go for the cheapest option
Roland-SRX100H2 eol in a month scares me
Roland-no os updates, nothing?
jryburnIt is end of sale in a month.... not end of support
jryburnThanks ishmauro... I was just going to look for that link.
jryburnI agree with kevins though. For the minor difference in list price, why not go with the 300? You get a lot more for the money.
ishmauroyou're welcome jryburn
jryburnHonestly if you try hard enough, you could probably get a reseller to price match and give you a 300 at the same price they are selling you the 100 today.
Roland-I doubt it, I bought it off ebay
Roland-but still, 6-700 eur is managable for me
Roland-because that is the price for the asa 5506-x
Roland-I am willing to go with junos if the price is close
jryburnWell it may be a while before you can find an SRX300 on ebay since they are just shipping from Juniper this month but it might be worth contacting a few resellers to get a quote and compare.
jryburnWhat I listed above is list price and as we all know, firewalls are like cars.... no one pays list price
Roland-I will ask around in Uk
Roland-plenty of resellers there
jryburnBTW: Another option might be the vSRX. You can get a free trial license to play around with it for 60 days.
Roland-already have vsrx
Roland-playing with it
Roland-I test stuff there
Roland-it's quite expensive and still needs a server somewhere
Roland-and for some reasons, it sucks
Roland-I mean, I have 4ms with the gateway
jryburnIt should be about the same price/performance as the physical SRX but yes you have to buy the server for it.
Roland-64 bytes from icmp_seq=10 ttl=64 time=4.58 ms
jryburnAll the new SRX300 and 1500 series are essentially running the vSRX on x86 appliances.
Roland-and varies
Roland-also, ads 25% latency to NAT
Roland-simple nat, nothign fancy
Roland-even moved the machine to a badass server with 10G and 10core e5s
jryburnWhat kind of resources are you assigning to the vSRX VM? vCPUs? Cores? etc.
Roland-2 cpus, 4gb of ram
Roland-it's a single host, empty network
Roland-my initial tests are these, 4 ms added to nat, and 4 ms to the vsrx itself
Roland-I mean it did go to full gigabit nat
Roland-but latency
jryburnSomething seems off there... I did a SFW/NAT test with 10G of traffic... average latency was .08ms
Roland-which version of vsrx?
Roland-15 ?
jryburnYeah... 15.1X49-D30
Roland-ok, did not try 15 yet
jryburnWhat version are you running?
Roland-JUNOS Software Release [12.1X47-D20.7]
Roland-I am updating now
Roland-mirror is slow
jryburnThat will likely make a big different... 12.1 is considered vSRX 1.0 which uses the old FreeBSD kernel and cannot take advantage of virtio, sr-iov, dpdk, etc. improvements.
Roland-ah on which platform did it work for you?
Roland-I am using esxi
Roland-did not try in kvm tbh
jryburnvSRX2.0 (15.1 based) uses a linux kernel and can take advantage of a lot of the newer high performance virtualization technologies.
jryburnI was using kvm on Ubuntu
Roland-might be it
Roland-but still running on esxi
Roland-I have the config ready
Roland-I am hoping I can use the same config
jryburnBetween 12.1 and 15.1 you mena?
jryburnThere will be some differences but the basic stuff should be the same.
jryburnMost of the performance numbers are better on esxi than on kvm anyway
Roland-could be, deployng now
Roland-ah wind river linux
jryburnGoing to see a lot of Wind River Linux.... all of Juniper's products are moving to that host OS with a KVM hypervisor and Junos running inside of that.
jryburnProbably should say "most" instead of "all"... I'm sure there are exceptions somewhere. :)
Roland-takes quite long to boot
Roland-at least initial
Roland-very very very slow on esxi
Roland-took me 5 mins
Roland-to log in
Roland-on a r10 enterprise ssd
Roland-what a poor choice of OS, freebsd
jryburnIn the mid-90s when Junos was first being written, writing a network OS on top of FreeBSD was pretty innovative.
Roland-vsrx 15 takes forever to boot...
Roland-like 5mins
inireidk, freebsd is pretty awesome for some things. like, say, sendfile
inirebut as a virtualization environment it is hit or miss
Roland-this 5min boot time is killing me
Roland-because I am doing some metrics here
Roland-and I guess I need another instance to pay because better have two when one goes reboot for some reasons like updates
nemithRoland-: real hardware takes a lot longer to initalize chips
Roland-same latency issues with 15.1
nemithgenerally the OS booting hasn't been a metric for network devices to follow
nemithand only up until recently linux would have been just as slow with a SysV style init
Roland-Ok, quick one, always when I log in I do: set cli idle-timeout 60 and set cli screen-length 0
Roland-can i set this up system wide?
Roland-I also have for srx100: JTAC Recommended release for this product is: 12.1X46-D40.2
Roland-but 12.1X46-D45 is available
Roland-does this mean that 12.1X46-D45 is not stable enough ?
Roland-I thought it's like cisco M T trains etc
Roland-because I don't get it
kevinsIt is a guideline
kevinsThese versions are selected using input from Juniper Engineering, customers, and analysis of field usage data.
kevinsYou will never see JTAC suggest a day one release...unless it is the release needed to run the platform
kevinsThey likely suggest D40 - because it has most features people are looking for in SRX, and the lowest volume of bugs/issues/tickets against it
Roland-I understand, makes sense
kevinsOr D45 is too new, and there isn't enough data behind it yet
Roland-Perfect thanks
kevinsYea - it is only 1 month old
kevinsD40 is at least 6 months old
kevinsYou should be a bad ass and run X48 though :)
kevinsand then let me know how it goes
kevinsoh shit - you can't run X47 or X48
kevinsbecause you only have a 100h....
kevins1GB memory version
Roland-I did install the 12.1X46-D45
Roland-worked fine, apart from some errors at boot but those seem normal
kevinsYea - you won't be able to go X47 or X48 though on that box
kevinssince it is the 100H, and not the 100H2
nemithyou can hack it in
kevinsWould you honestly want to though? You wouldn't be able to use the UTM and shit
Roland-supposed I do have h2
nemiththe box checking is done in shell scripts
Roland-where are the downloads for h2 ?
kevinsThere is no specific one for H2
nemithsame code, just there are shell scripts to check the eeproms
Roland-I can see x45 max tere
kevinsmodels. Just a note on the side of the download page
kevinsJ Series devices and the 512MB or 1GB memory versions of the SRX100 and SRX200 devices are unsupported for use on Junos OS 12.1X47 and higher versions.
kevinslike nemith said though. You could make it run
Roland-dows it worth it?
kevinsI don't think so
Roland-I mean, is there any extra feature?
kevinsOf course there are extra features
kevinsthere are new features in every release
Roland-this is a small firewall that provides out of band interface for a rack (idracs) and that is pretty much it traffic is very very low
kevinsI wouldn't waste my time on taking it to X47 or X48 then
Roland-yeah, not a huge production system
Roland-barely ever accesed
nemithsrx is already super tight on memory
nemithou will probably run into issues on a 1G box
Roland-I was willing to purchase an srx220
Roland-but I will hold off to see what srx300 has to give
futurellamaHey folks, I'm looking for some help configuring an srx220h, for voip in our small office. willing to pay for help.
futurellamaIt's nothing advanced, it's just getting the srx to be compliant to our hosted voip server's qos and port access needs
futurellamaor if you have any recommendations where I could go to for some hands on help with our Juniper config that would be fantastic
kevinsfuturellama, Whats going on? And what do you need?
kevinsI have hundreds of SRX's deployed with Hosted PBX solutions
kevinsin fact that is how we installed a bunch of ours
futurellamakevins, I'm early into my networking learning journey coming from a more general office management and working on small business networking, CLI and more enterprise terminology is something I'm still getting used to. I get the concepts but implementing is something I've been struggling with. I've been 8 hours and then spending another 8 hours at the office reading networking material for the last 3 weeks and I'm starting to just w
kevinsfuturellama, Okay. Is this hosted PBX service? Or is there a PBX on Prem?
kevinswith a SIP Trunk to a provider
futurellamahosted pbx, RingCentral
kevinsJust turn off your SIP ALG.
futurellamaAlready done
kevinsThen you should be set
kevinsthe QoS will get scrubbed when you hit your ISP
kevinssince you are buying Internet
kevinsSo if you want to set it on your LAN, you can, but it seems over kill
kevinsfor SMB
futurellamaI was hoping to reserve some bandwidth so that our other computers don't kill the quality. i can tell as soon as i initiate a high bandwidth transfer things go bad quickly
futurellamaalso none of the users at this location can transfer calls, it goes straight to silence and we get an error on the phones
kevinsWell you can sure.....
futurellamaat the other locations everything works fine
kevinsSo you can send your traffic to your ISP in an order....but the return from the ISP->You will be all screwed up
futurellamafair enough
kevinsSo your users on the LAN would hear shitty quality
kevinsbut the user on PSTN would hear just fine
kevinsYou can't correct that
kevinsno QOS in the world will correct that
kevinsunless your provider is providing a QoS enabled transport
futurellamaunless we have a SLA with our ISP?
kevinsThis is our major selling point against Ring Cetral, FWIW
futurellamawhich we don't have at this time, it's all just best effort
kevinsSo Ring Central -> You is always Best Effort - and you can't fix it
kevinsYou -> Ring Central you can get traffic to leave your SRX first, but once it hits the ISP it is mixed in with the rest
futurellamai can manage the office bandwidth other ways from the workstations themselves limiting transfer software etc, but my primary concern is the dropped transfer problem we are having
futurellamaalso i can call our isp and see what they want for qos on their side
kevinsHave you opened a ticket with RC to see why transfers are dropping?
futurellamawe pay a bunch for fiber already
kevinsfuturellama, So you can't QoS a Internet Pipe :)
futurellamayes, they want me to implement port triggering
kevinsBecause not all carriers will honor other carriers markings for QoS
kevinsInternet is sold as best effort
nemithport triggering?
kevinsSo while your ISP could get it to say Level3, Level3 wouldn't honor it
kevinsI assume he means port forarding
futurellamathey say triggering
kevinsthe only other 'trigger' method I know of would be to have the ALG on
kevinswhich creates a NAT pinhole
kevinsYea the ALG always fucked with our shit. So I advised on turning it off
nemithi've had good luck with the sip alg once you turn off some of it;s more stricter aspects
futurellamayeah sip alg is definitely off
kevinsA failed transfer isn't a call quality/qos issues
kevins*issue, IMO
kevinsunless they are tryign to say - your dropping the SIP Signaling Packets
futurellamai agree
kevinsfuturellama, What model phones? Cisco SPA or Polycom VVX?
futurellamakevins, polycom vvx
kevinsMaybe the user is screwing up the transfer? Are they trying to do a blind transfer or attended transfer?
futurellamawe are using the call parks, it works fine transferring from desk phones, but when outside callers call in and we want to park or transfer the call it goes to silence and looses the call
kevinsWe don't see a whole lot of people using call park these days
futurellamaWe recently switched from an old NEC pbx and our users are used to using the call parks
futurellamaand working from our other offices the parks work fine
futurellamait's just the one on the juniper that's giving us issues
futurellamain the meantime i could just run the phones on a basic adsl line on a separate router
kevinsWhat makes you think it is the SRX?
kevinsOr let me phrase it this way - how could you deduce that it was the SRX that was the issue?
javelinisn't it always the srx?
kevinsIt is
kevinsbut I want to know what in this case makes it the SRX and nothing else
futurellamaI haven't found 100% for sure that it is, but the issue does not occur on our other offices that run the same everything except for the router/firewall. In this case it could either be the ISP or the SRX no?
futurellamai could tell more confidently by moving some of the phones over to a our failover isp and testing, and then testing with a different router/firewall on the phones separate from the workstations
futurellamaI'll know more for sure when i get into the office tomorrow. I haven't been there yet since our DIDs ported over
kenlumboalways blame the firewall
kenlumbooh, futurellama is no longer here.... we do the same setup, SRX, VVX phones...
E1ephantACTION hugs his srxes
cactoid15.1X49-D40, for SRX, has dropped
cactoidvSRX finally supports ADVPN
javelinwhere is remote access?
javelinwhere is jet
javelinwhere is my 345s!
javelinwhere is my nsx integration!
cactoidtwo of those things you can have soon enough :-D
javelini've heard soon :)
KillsudoIs that NSX support only for managed-ovsdb?