Show Posts


Messages - screenie.

Pages: 1 [2] 3 4 5 6 7 ... 66
Switches / Re: EX4200 Virtual Chassis NIC teaming.
« on: April 13, 2011, 03:06:45 am »
LAG interfaces only work from 1 device (or VC in this case). If you want redundancy to two VCs you have to use STP (spanning tree) I'm afraid.

Routers / Re: I need to break (juniper router SSG520) necessary
« on: April 12, 2011, 04:51:01 pm »
Can you get the complete config (get conf) and save it? If so, reset the device to factory default (log in on the console with the device serial number as username and the same serial number as password). Restore the config and set a new admin password.

I assume the MPLS is on a separate interface. You can configure monitoring on the interfaces. This makes the interface go down when the MPLS fails, even if the ethernet link to your MPLS router stays up. Then you configure two static routes: the primary as always, the secondary with a higher preference number (> 20). This way the second link will only be active when the first one goes down.

Routers / Re: Multiple ISPs and VLANs
« on: April 12, 2011, 04:41:56 pm »
You could upgrade to 5.4 and use PBR or source based routing to override the destination routing. 5.4 is (from memory) the first version with policy based routing. For ECMP to work all internet interfaces must be in the same zone.

You should configure manager-ip on the interface. This address is used as source for tracking; even when the interface is down, tracking still works. So the interface comes back up when the destination is reachable again.

Switches / Re: MX-series TWAMP configuration
« on: March 23, 2011, 05:08:18 pm »
Does the service card show up in show chassis hardware?

SRX Platform and J-series / Re: HELP Error SRX210b 10.0.4
« on: March 13, 2011, 06:56:46 am »
You're mixing things up.

set interfaces interface-range uplink_trunk unit 0 family ethernet-switching vlan members vlan1006-trust
set interfaces interface-range uplink_trunk member ge-0/0/0

So ge-0/0/0 is by interface-range definition in L2 mode (family ethernet-switching). That's why you can't assign an IP address to it. Two ways to fix this:

Place ge-0/0/0 in family inet, or place a L3 interface in the vlan ge-0/0/0 is a member of to do the L3 stuff.

JunoSpace / Re: what exactly is JUNOS SPACE?
« on: March 09, 2011, 07:08:55 am »
Indeed, what?
Space is more than a replacement of NSM. It has tools to convert your logical view on networks (not devices) into configs. You add a bunch of, let's say, switches. Define a vlan end to end. Endpoints get access ports and on the switches in between the vlan is added to the trunk. Same with security policies etc. Lots of info on

NetScreen and SSG/ISG Series Firewalls / Re: JNCIS-FWV exam fees
« on: March 09, 2011, 04:40:34 am »
Look at the Prometric site for the fee!

You can take the specialist without taking associate first for ScreenOS. For the new JUNOS tracks you have to certify junos associate before getting certified on any specialist Junos certification.

Routers / Re: Confusion on Source-NAT with NS204
« on: March 05, 2011, 01:22:24 pm »
Interface based NAT only works when the ingress interface is in NAT mode AND:

1. In a single VR, from trust zone to untrust zone

2. In multiple VRs, from any VR to the untrust VR

Never mind: make all your interfaces ROUTED and NAT in your POLICIES.

Suggestions/Feedback / Re: Thank You (for reporting spam)
« on: March 04, 2011, 06:39:35 am »
I totally agree!

Did you look in the interface counters for faulty packets?
Did you run a debug session?
Anything to see in the policy logs?

Anything to get a clue?

Routers / Re: Telnet port 25 block NS50
« on: January 23, 2011, 03:47:20 pm »
When in doubt where the problem lies, there are two things you can do:

Enable logging at the beginning of a session on the inbound policy. Then look at the close reason for a session. That should make clear whether or not the session was allowed by the firewall. If it shows age-out, rst or something like that, it was allowed but closed afterwards.

If this doesn't help, use the real power tool: debug:

set a flow filter:

set ff dst-ip <outside address> dst-port 23

start the debug:

debug flow basic

Clear the debug output buffer:

clear db

Now try the telnet session.

Stop the debugging:

undebug all (or simply press the ESC button on the keyboard)

Read the output with:

get db stream

If it isn't clear: post the output, we're here to help you!
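As an added illustration of the close-reason check described above (not code from the original post): a small Python triage script over constructed traffic-log lines in the style of ScreenOS syslog output with policy logging at session start and close. It separates sessions the firewall denied from sessions it permitted and that were later closed by age-out or RST. The log lines, addresses and policy ids are constructed for this example, not captured from a device.

```python
import re
from collections import OrderedDict

# Constructed sample lines in the style of ScreenOS traffic-log syslog with policy
# logging at session start and close; all values are invented for this example.
SAMPLE_LOG = """\
system-notification-00257(traffic): start_time="2011-01-23 15:40:02" duration=0 policy_id=3 service=telnet proto=6 src zone=Trust dst zone=Untrust action=Permit sent=0 rcvd=0 src=10.0.0.5 dst=203.0.113.9 src_port=3456 dst_port=23 session_id=100 reason=Creation
system-notification-00257(traffic): start_time="2011-01-23 15:40:02" duration=61 policy_id=3 service=telnet proto=6 src zone=Trust dst zone=Untrust action=Permit sent=412 rcvd=988 src=10.0.0.5 dst=203.0.113.9 src_port=3456 dst_port=23 session_id=100 reason=Close - AGE OUT
system-notification-00257(traffic): start_time="2011-01-23 15:41:10" duration=0 policy_id=3 service=telnet proto=6 src zone=Trust dst zone=Untrust action=Permit sent=0 rcvd=0 src=10.0.0.5 dst=203.0.113.9 src_port=3457 dst_port=23 session_id=101 reason=Creation
system-notification-00257(traffic): start_time="2011-01-23 15:41:10" duration=2 policy_id=3 service=telnet proto=6 src zone=Trust dst zone=Untrust action=Permit sent=60 rcvd=40 src=10.0.0.5 dst=203.0.113.9 src_port=3457 dst_port=23 session_id=101 reason=Close - TCP RST
system-notification-00257(traffic): start_time="2011-01-23 15:42:33" duration=0 policy_id=7 service=smtp proto=6 src zone=Trust dst zone=Untrust action=Deny sent=0 rcvd=0 src=10.0.0.5 dst=203.0.113.9 src_port=3458 dst_port=25 session_id=0 reason=Traffic Denied
"""

# key=value pairs; a key may contain one space ("src zone"), a value may be quoted.
FIELD_RE = re.compile(r'(\w+(?: \w+)?)=("[^"]*"|\S+)')

def parse_traffic_line(line):
    """Split one traffic-log line into a dict. 'reason' is cut off first because
    its value contains spaces (e.g. 'Close - AGE OUT') and is always last."""
    head, _, reason = line.partition(" reason=")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(head)}
    fields["reason"] = reason.strip()
    return fields

def triage(log_text):
    """Map each session (or each denied flow) to a verdict. A Deny is a firewall
    block; a Permit that later shows a Close reason means the firewall let the
    session through and something else (timeout, RST) ended it."""
    verdicts = OrderedDict()
    for line in log_text.splitlines():
        if "(traffic)" not in line:
            continue
        f = parse_traffic_line(line)
        if f.get("action") != "Permit":
            key = "deny:%s:%s" % (f["src"], f["dst_port"])
            verdicts[key] = "blocked by policy %s" % f["policy_id"]
        elif f["reason"] == "Creation":
            verdicts[f["session_id"]] = "allowed by policy %s, open" % f["policy_id"]
        else:
            verdicts[f["session_id"]] = "allowed by policy %s, closed: %s" % (
                f["policy_id"], f["reason"])
    return verdicts

if __name__ == "__main__":
    for key, verdict in triage(SAMPLE_LOG).items():
        print(key, "->", verdict)
```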

SRX Platform and J-series / Re: Admin Recovery on (newer) SRX-210
« on: January 08, 2011, 08:12:48 am »
You're too early in the bootloader I think. This sounds like the BIOS boot. You need to interrupt the OS boot, second phase. Otherwise try pressing the reset button for 10 secs. But this might delete configs, so you might need an external config to restore.

Intra-zone policies are only useful when intra-zone block on this zone is in place! Check with get zone <name>: if block is set, you need them. Block is off by default in trust, on in every other zone. One tricky thing: setting any global policy overwrites the off setting. In other words, when configuring just one global policy you always need policies for intra-zone traffic.

NetScreen and SSG/ISG Series Firewalls / Re: NS-204 Streaming Video IPTV
« on: January 02, 2011, 12:08:33 pm »
QoS on the policies maybe?

No problem!

Try a security flow trace and look at what's going on!

set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter <filter-name> destination-prefix <dest-ip>
set security flow traceoptions file filename
generate traffic
run show log filename


That's an easy one. Since Squid is a proxy it sends out traffic with its own IP address. So this will work:

pol from trust to untrust <ip-squid> any HTTP+HTTPS permit
pol from trust to untrust any any HTTP+HTTPS reject log

Traffic from Squid will hit rule one, any other traffic rule two.
Of course this must come before a permit-all rule.

Fastest way: block http from every source except the Squid. Users have to use the proxy this way. Otherwise (didn't try) use policy based routing and route every http packet to the Squid, except those coming from there of course. Don't know if the Squid handles traffic sent to it this way ok. It's worth a try though.
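To show why the order of the two Squid policies and the permit-all rule matters, here is an added Python model of first-match policy lookup (example code, not from the original posts or from ScreenOS itself). The proxy address 192.0.2.10, the client 10.0.0.5 and the destination 198.51.100.7 are constructed values; zone names and services follow the post.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    """One firewall policy. The list is searched top down and the first
    match decides, so the position of a permit-all rule changes the result."""
    from_zone: str
    to_zone: str
    src: str             # "any", a single IP, or a CIDR prefix
    dst: str
    services: frozenset  # service names, or {"ANY"}
    action: str          # "permit" or "reject"

def _addr_match(rule, addr):
    if rule == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(rule, strict=False)

def lookup(policies, from_zone, to_zone, src, dst, service):
    """Return the first policy matching the flow, or None if nothing matches."""
    for p in policies:
        if (p.from_zone == from_zone and p.to_zone == to_zone
                and _addr_match(p.src, src) and _addr_match(p.dst, dst)
                and ("ANY" in p.services or service in p.services)):
            return p
    return None

def decide(policies, from_zone, to_zone, src, dst, service):
    """Action taken for a flow; no matching policy falls through to the implicit deny."""
    p = lookup(policies, from_zone, to_zone, src, dst, service)
    return p.action if p else "deny"

SQUID = "192.0.2.10"  # constructed proxy address
WEB = frozenset({"HTTP", "HTTPS"})
# Order from the post: proxy first, then reject+log everyone else, then permit all.
PROXY_ORDER = [
    Policy("trust", "untrust", SQUID, "any", WEB, "permit"),
    Policy("trust", "untrust", "any", "any", WEB, "reject"),
    Policy("trust", "untrust", "any", "any", frozenset({"ANY"}), "permit"),
]
# Same three policies with permit-all on top: the two web rules are never reached.
WRONG_ORDER = [PROXY_ORDER[2], PROXY_ORDER[0], PROXY_ORDER[1]]

if __name__ == "__main__":
    for src in (SQUID, "10.0.0.5"):
        print(src, "correct order:", decide(PROXY_ORDER, "trust", "untrust", src, "198.51.100.7", "HTTP"),
              "wrong order:", decide(WRONG_ORDER, "trust", "untrust", src, "198.51.100.7", "HTTP"))
```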
