[j-nsp] protecting E-series

Christopher Young cyoung at juniper.net
Mon Nov 10 12:24:32 EST 2008


Amos,

Take a look at DoS Protection in JUNOSe. It is designed to provide
control-traffic rate limits (routing protocols, DHCP, PPPoE, ARP, OAM,
etc.) and a per-subscriber-interface suspicious control flow detection
system. Any flow exceeding a configurable rate can be shut down by the
system, preventing resources from being consumed by these malicious
flows. Events are reported in the CLI and via logging to alert
administrators.

In addition, you can apply ingress IP policy on subscriber- and
core-facing interfaces to prevent access to specific transit
networks/resources, as well as secondary-input policies for specific
filtering of traffic destined to the router itself.

Thanks,

Christopher Young
Systems Engineer
Juniper Networks 
JNCIP-E #9
JNCIS-M
cell: (978) 973-0574
office: (443) 552-7722
fax: (443) 451-1841
cyoung at juniper.net
 

 
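Since the thread shows no configuration, here is an added illustration of the two mechanisms described above. It is my own Python model, not Christopher's text and not JUNOSe syntax: per-(interface, protocol) control-traffic rate limits with shutdown of a flow that keeps exceeding its rate (the suspicious-control-flow idea), and a default-deny policy for packets addressed to the router itself (the secondary-input / lo0-filter / CoPP role). Router addresses, peer and management prefixes, interface names, rate values, the shutdown thresholds and the sample packets are all constructed for the example.

```python
# Added illustration, not JUNOSe code: per-interface control-traffic rate
# limiting with suspicious-flow shutdown, plus a default-deny policy for
# packets addressed to the router itself. All names and numbers are assumptions.
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ingress: str     # interface the packet arrived on
    src: str         # source IP ("" for link-layer protocols such as ARP)
    dst: str         # destination IP ("" for link-layer protocols)
    proto: str       # "tcp", "udp", "icmp", "ospf", "arp", "dhcp", ...
    dport: int = 0   # destination port, 0 if not applicable
    ts: float = 0.0  # arrival time in seconds

ROUTER_ADDRS = {"192.0.2.1", "198.51.100.1"}  # constructed router addresses
LINK_CONTROL = {"arp", "dhcp"}                 # always terminate on the router

# Policy for traffic destined to the router (the lo0-filter / CoPP role):
# (name, protocol, destination port or 0 for any, allowed source prefix).
# First match wins; anything unmatched is dropped. Prefixes are constructed.
POLICY = [
    ("bgp-peers", "tcp", 179, ipaddress.ip_network("198.51.100.0/24")),
    ("ssh-mgmt",  "tcp",  22, ipaddress.ip_network("203.0.113.0/28")),
    ("ospf-core", "ospf",  0, ipaddress.ip_network("198.51.100.0/24")),
    ("icmp-any",  "icmp",  0, ipaddress.ip_network("0.0.0.0/0")),
]

# Control-traffic rate limits per (interface, protocol) in packets/second,
# and the suspicious-flow thresholds. Illustrative values.
RATE_LIMITS = {"arp": 5, "dhcp": 5, "icmp": 10}
SUSPEND_AFTER = 10      # consecutive over-rate packets before shutdown
SUSPEND_SECONDS = 60.0  # how long a shut-down flow stays blocked

class TokenBucket:
    """Packets-per-second limiter; burst equals the rate."""
    def __init__(self, rate):
        self.rate = float(rate)
        self.tokens = float(rate)
        self.last = 0.0

    def allow(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.rate, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True

class ControlPlaneGuard:
    def __init__(self):
        self.buckets = {}                   # (ingress, proto) -> TokenBucket
        self.violations = defaultdict(int)  # consecutive over-rate packets
        self.suspended = {}                 # flow -> time until it is released
        self.events = []                    # what the CLI / syslog would show

    def match_policy(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        for name, proto, dport, prefix in POLICY:
            if pkt.proto == proto and dport in (0, pkt.dport) and src in prefix:
                return name
        return None

    def handle(self, pkt):
        """Return the action taken for one packet."""
        if pkt.proto not in LINK_CONTROL and pkt.dst not in ROUTER_ADDRS:
            return "forward"  # transit traffic never reaches the control plane
        flow = (pkt.ingress, pkt.proto)
        until = self.suspended.get(flow)
        if until is not None:           # flow shut down earlier
            if pkt.ts < until:
                return "drop-suspended"
            del self.suspended[flow]
            self.violations[flow] = 0
            self.events.append(f"{pkt.ts:.1f} {pkt.ingress} {pkt.proto}: flow released")
        if pkt.proto in RATE_LIMITS:    # per-interface control-traffic rate limit
            bucket = self.buckets.setdefault(flow, TokenBucket(RATE_LIMITS[pkt.proto]))
            if not bucket.allow(pkt.ts):
                self.violations[flow] += 1
                if self.violations[flow] >= SUSPEND_AFTER:
                    self.suspended[flow] = pkt.ts + SUSPEND_SECONDS
                    self.events.append(f"{pkt.ts:.1f} {pkt.ingress} {pkt.proto}: "
                                       f"suspicious control flow, shut down {SUSPEND_SECONDS:.0f}s")
                return "drop-rate"
            self.violations[flow] = 0
        if pkt.proto in LINK_CONTROL:
            return f"accept:{pkt.proto}"
        rule = self.match_policy(pkt)   # everything else must match the policy
        if rule is None:
            self.events.append(f"{pkt.ts:.1f} {pkt.ingress}: dropped {pkt.proto}/{pkt.dport} "
                               f"from {pkt.src} (no policy match)")
            return "drop-policy"
        return f"accept:{rule}"

if __name__ == "__main__":  # constructed sample: ARP storm on one subscriber interface
    guard = ControlPlaneGuard()
    for _ in range(20):
        guard.handle(Packet("ge-1/0/0.101", "", "", "arp", 0, 1.0))
    print("\n".join(guard.events))
```

Two points worth noticing when you map this onto a real box: the rate limit is keyed per subscriber interface, so a storm on one PPPoE/DHCP session does not consume the budget of its neighbours, and the policy only ever sees packets the router would terminate, so it cannot accidentally filter transit traffic the way a badly scoped ingress policy can.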
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
juniper-nsp-request at puck.nether.net
Sent: Monday, November 10, 2008 11:51 AM
To: juniper-nsp at puck.nether.net
Subject: juniper-nsp Digest, Vol 72, Issue 14

Send juniper-nsp mailing list submissions to
	juniper-nsp at puck.nether.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://puck.nether.net/mailman/listinfo/juniper-nsp
or, via email, send a message with subject or body 'help' to
	juniper-nsp-request at puck.nether.net

You can reach the person managing the list at
	juniper-nsp-owner at puck.nether.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of juniper-nsp digest..."


Today's Topics:

   1. Re: Why should I *not* buy an MX? (Phil Bedard)
   2. Screenos interface (SunnyDay)
   3. protecting E-series (Amos Rosenboim)
   4. Policy routing (Bit Gossip)
   5. Re: Screenos interface (GIULIANO (UOL))
   6. Re: Policy routing (Benny Sumitro)
   7. Re: Policy routing (raymondh (NSP))
   8. Re: any way to backup files as cisco (raymondh (NSP))
   9. Re: Screenos interface (Tim Eberhard)
  10. Re: Using TACACS to prevent deactivate/activate statements?
      (German Martinez)


----------------------------------------------------------------------

Message: 1
Date: Sun, 9 Nov 2008 12:18:19 -0500
From: Phil Bedard <philxor at gmail.com>
Subject: Re: [j-nsp] Why should I *not* buy an MX?
To: nachocheeze at gmail.com
Cc: Juniper-NSP <juniper-nsp at puck.nether.net>
Message-ID: <FC662A08-6CEE-4349-BA34-7D6B54BBE925 at gmail.com>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes

The only things I don't like as much about the MX are the various
flavors of DPCs they offer depending on what your application might be
(queueing options), having to keep track of limitations on certain
cards (like Cisco), and licensing of certain features.  We've been
testing the MX960 and have them deployed in a few sites today, and
they are as solid as the M/T series.  We've tested pretty much
everything you've listed there with the box in both a core/agg role
and found no real flaws that weren't software related, meaning they
affected the M/T as well.

It's a great platform.  It still doesn't compete with the 7600 on  
price for most of the market, considering there are tons of people out  
there that don't need the more expensive ESxx 7600 cards, but for  
those that are looking at 7600 w/ES20/ES40 vs. MX series, I'd take the  
MX.

Phil


On Nov 7, 2008, at 10:57 AM, nachocheeze at gmail.com wrote:

> We've been using Juniper M/T series in service provider scenarios for
> a couple of years now, and really like them.  As part of an equipment
> life cycle refresh, we're considering replacing our core (campus
> enterprise) network with something in the MX series; a la this post:
>
> http://marc.info/?l=juniper-nsp&m=122008030004203&w=1
>
> We are very "glass is half empty" on our evals; while it seems most
> are pretty happy with the MX boxen, I'm trying to find something
> show-stopper that would make us go with another product.  We're
> wanting basically a campus Ethernet version of an M/T box and all that
> that implies (besides just shoveling packets at a non-blocking line
> rate, we'd like full MPLS and RSVP/TE support, L2/L3 VPN, multicast,
> IPv6, lawful intercept, etc), so I'm curious if anyone's demo'ed an MX
> box as a campus core router and tested everything but the kitchen sink
> and found something that Juniper says "works great", but in actual
> practice just isn't quite there yet.
>
> Basically, can someone give me reasons apart from "we don't need SONET
> or any other WAN interfaces, and it's cheaper per port", why should we
> NOT choose an MX box?  Are there any gotchas waiting in the wings for
> someone who's used to the full flavored goodness that is the M/T
> series?
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp



------------------------------

Message: 2
Date: Mon, 10 Nov 2008 11:31:47 +0200
From: SunnyDay <cscosunny at gmail.com>
Subject: [j-nsp] Screenos interface
To: Juniper-Nsp <juniper-nsp at puck.nether.net>
Message-ID: <4917FF83.5040205 at gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hello, is it possible to shut down an interface in ScreenOS?
I have seen the "exec interface" command but nothing comes out.
Thank you.


------------------------------

Message: 3
Date: Mon, 10 Nov 2008 09:44:38 +0200
From: Amos Rosenboim <amos at oasis-tech.net>
Subject: [j-nsp] protecting E-series
To: juniper-nsp at puck.nether.net
Cc: Eliran Hasid <eliran.hasid at pccwglobal.com>, yossi
	<yossi.s at oasis-tech.net>
Message-ID: <9EB38D64-43DE-4573-A47B-27E275BA0076 at oasis-tech.net>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

Hello List,

I'm looking for the JunosE equivalent of lo0 filters in Junos or  
Cisco control plane policing.
Any reference will be welcome.

Regards

Amos



------------------------------

Message: 4
Date: Mon, 10 Nov 2008 10:59:26 +0100
From: Bit Gossip <bit.gossip at chello.nl>
Subject: [j-nsp] Policy routing
To: juniper-nsp <juniper-nsp at puck.nether.net>
Message-ID: <1226311166.6140.3.camel at nlws481253>
Content-Type: text/plain

Experts,
can you provide an example on how to configure in Junos something like:
- packet enters from interface X please route according to routing table
Y; otherwise normal routing.
Thanks,
Luca.



------------------------------

Message: 5
Date: Mon, 10 Nov 2008 08:23:23 -0200
From: "GIULIANO (UOL)" <giulianocm at uol.com.br>
Subject: Re: [j-nsp] Screenos interface
To: SunnyDay <cscosunny at gmail.com>
Cc: Juniper-Nsp <juniper-nsp at puck.nether.net>
Message-ID: <49180B9B.9050709 at uol.com.br>
Content-Type: text/plain; charset=ISO-8859-1

For ethernet interfaces:

set interface eth0/0 phy link-down


> Hello, is it possible to shut down an interface in ScreenOS?
> I have seen the "exec interface" command but nothing comes out.
> Thank you.



------------------------------

Message: 6
Date: Mon, 10 Nov 2008 17:26:49 +0700
From: "Benny Sumitro" <benny.sumitro at gmail.com>
Subject: Re: [j-nsp] Policy routing
To: "Bit Gossip" <bit.gossip at chello.nl>
Cc: juniper-nsp <juniper-nsp at puck.nether.net>
Message-ID:
	<f5f9934c0811100226p20a3a216habe17f4bf06c186d at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hello,

What you are looking for is filter-based forwarding, which is explained
in the techpubs:

http://www.juniper.net/techpubs/software/junos/junos91/swconfig-policy/configuring-filter-based-forwarding.html#id-10876979

Regards,
Benny

On Mon, Nov 10, 2008 at 4:59 PM, Bit Gossip <bit.gossip at chello.nl>
wrote:

> Experts,
> can you provide an example on how to configure in Junos something like:
> - packet enters from interface X please route according to routing table
> Y; otherwise normal routing.
> Thanks,
> Luca.
>


------------------------------

Message: 7
Date: Mon, 10 Nov 2008 19:25:44 +0800
From: "raymondh (NSP)" <raymondh.nsp at gmail.com>
Subject: Re: [j-nsp] Policy routing
To: Bit Gossip <bit.gossip at chello.nl>
Cc: juniper-nsp <juniper-nsp at puck.nether.net>
Message-ID: <347D4090-0E80-4144-85FB-D882FF224386 at gmail.com>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes

What you need is the JUNOS version of PBR, known as FBF.

https://www.juniper.net/techpubs/software/junos/junos92/swconfig-policy/configuring-filter-based-forwarding.html

On Nov 10, 2008, at 5:59 PM, Bit Gossip wrote:

> Experts,
> can you provide an example on how to configure in Junos something  
> like:
> - packet enters from interface X please route according to routing  
> table
> Y; otherwise normal routing.
> Thanks,
> Luca.
>



------------------------------

Message: 8
Date: Mon, 10 Nov 2008 19:27:29 +0800
From: "raymondh (NSP)" <raymondh.nsp at gmail.com>
Subject: Re: [j-nsp] any way to backup files as cisco
To: Erdem Sener <erdems at gmail.com>
Cc: Tore Anderson <tore at linpro.no>, juniper-nsp at puck.nether.net
Message-ID: <30BA2D72-B6C3-4EA8-9AC0-645262D035EB at gmail.com>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes

By default JUNOS keeps backups of the configs inside the chassis,
reachable via rollback; for viewing and comparison use diff or compare.
Secondly, for backup to external sources, you can use rancid, which
supports JUNOS syntax, or you can write a shell script to fetch it via
SCP.

On Nov 9, 2008, at 11:32 AM, Erdem Sener wrote:

> Hi,
>
> TFTP is not supported in JUNOS; supported copy methods are ftp, http,
> scp, or the 'file' knob, which stores a copy of the file locally.
>
> If you like, you can also automate this task (or tie it to each commit).
> You might want to use the URL below as a starting point:
>
> http://www.juniper.net/techpubs/software/junos/junos91/swconfig-system-basics/configuring-a-router-to-transfer-its-configuration-to-an-archivesite.html#id-10981417
>
> Cheers,
> Erdem
>
> On Sun, Nov 9, 2008 at 2:04 AM, Tore Anderson <tore at linpro.no> wrote:
>> * chloe K
>>
>>>  I am wondering whether there is any backup process in Juniper
>>>
>>>  like in Cisco:
>>>
>>>  copy running-config tftp
>>
>> Not sure about tftp, but you can use scp to get hold of the config  
>> file:
>>
>> scp router:/config/juniper.conf.gz /backup-dir/
>>
>> Or use scp from the router itself:
>>
>> file copy /config/juniper.conf.gz backup-host:
>>
>> You'll probably also be able to use plain FTP to the router to grab  
>> the
>> file.
>>
>> Regards,
>> --
>> Tore Anderson



------------------------------

Message: 9
Date: Mon, 10 Nov 2008 09:00:51 -0600
From: "Tim Eberhard" <xmin0s at gmail.com>
Subject: Re: [j-nsp] Screenos interface
To: giulianocm at uol.com.br
Cc: Juniper-Nsp <juniper-nsp at puck.nether.net>
Message-ID:
	<2c52b84e0811100700s47e6a0ddj3396bdeffa831a75 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Just as important..

To do a no shut on that port..

unset interface eth0/0 phy link-down



On Mon, Nov 10, 2008 at 4:23 AM, GIULIANO (UOL)
<giulianocm at uol.com.br>wrote:

> For ethernet interfaces:
>
> set interface eth0/0 phy link-down
>
>
> > Hello, is it possible to shut down an interface in ScreenOS?
> > I have seen the "exec interface" command but nothing comes out.
> > Thank you.


------------------------------

Message: 10
Date: Mon, 10 Nov 2008 11:04:54 -0500
From: German Martinez <gmartine at ajax.opentransit.net>
Subject: Re: [j-nsp] Using TACACS to prevent deactivate/activate
	statements?
To: Brian Pavane <jnsp at brianpavane.org>
Cc: Juniper-Nsp <juniper-nsp at puck.nether.net>
Message-ID: <20081110160454.GA22241 at ajax.opentransit.net>
Content-Type: text/plain; charset="us-ascii"

On Tue Apr 22, 2008, Brian Pavane wrote:

Hello Brian,
Did you have any luck with this task? Anything that you are willing
to share is really welcome.

Thanks
German

> I am currently working on a security profile that requires me to
> prohibit certain deactivate/activate commands from being issued by a
> certain class of users.  I am looking to add this to my current TACACS
> configuration (tac_plus), however I have been unable as of yet to get
> the router to properly authorize these commands.
>
> From what I can tell, these need to be placed in the "deny-commands"
> section rather than the "deny-configuration" section of TACACS... but I
> may be wrong (I've tried both).
>
> Has anyone done this in the past?  If so, could you share this portion
> of your tacacs.conf?
> 
> Thank you.
> 
> -Brian

------------------------------

_______________________________________________
juniper-nsp mailing list
juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

End of juniper-nsp Digest, Vol 72, Issue 14
*******************************************

