[j-nsp] juniper-nsp Digest, Vol 126, Issue 41

Walter Vander Elst wvanderelst at juniper.net
Mon May 6 13:02:22 EDT 2013


No idea... I think there was some fiddling going on there back then. Maybe Raf knows more?

/W

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of juniper-nsp-request at puck.nether.net
Sent: Monday, May 06, 2013 6:00 PM
To: juniper-nsp at puck.nether.net
Subject: juniper-nsp Digest, Vol 126, Issue 41

Today's Topics:

   1. Re: Maximum IPsec (st0) tunnels for SRX-series (Dale Shaw)
   2. Anyone who use inetzero JNCIE-ENT workbook?
      (bruno)
   3. auto-negotiation on 1000BASE-X ports (Martin T)
   4. Re: auto-negotiation on 1000BASE-X ports (Olivier Benghozi)
   5. SRX 240 Site to Site Vpn Question (Nc Aji)


----------------------------------------------------------------------

Message: 1
Date: Mon, 6 May 2013 11:11:18 +1000
From: Dale Shaw <dale.shaw+j-nsp at gmail.com>
To: Ben Dale <bdale at comlinx.com.au>
Cc: "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net>
Subject: Re: [j-nsp] Maximum IPsec (st0) tunnels for SRX-series
Message-ID:
	<CAG_V284TSyrDyiNNUaj3FtHUqXLaWgiB6GCyX-gmoQ=L3t2t+Q at mail.gmail.com>
Content-Type: text/plain; charset=windows-1252

Hi Ben,

On Mon, May 6, 2013 at 10:33 AM, Ben Dale <bdale at comlinx.com.au> wrote:
> As long as your tunnels don't breach the IPSEC Throughput numbers, you should be right?.
>
> I have a few SRX240s out there with upwards of 500 tunnels on them, some dynamic routing (3 core sites only), and they're sitting at around 50% CPU.  They're all running DPD with intervals of 10 and 3 (which I think is as low as you can go).

That's a good point. I'll want to run OSPF over all tunnels, so it's
not just IPsec/IKE that'll be wanting control plane resources.

The biggest branch SRX I've currently got with the most tunnels is a
pair of SRX650s with 40 tunnels each (all w/OSPF p2p adjacencies,
albeit with default timers). Control plane CPU sits steady at 20% all
day. An SRX240 with only 12 tunnels sits at 40% but I recall this
being "normal" due to some strange control plane utilisation metric
due to the way flowd works on these boxes.

Cheers,
Dale



------------------------------

Message: 2
Date: Mon, 6 May 2013 15:41:05 +0800
From: "bruno" <bruno.juniper at gmail.com>
To: "juniper-nsp" <juniper-nsp at puck.nether.net>
Subject: [j-nsp] Anyone who use inetzero JNCIE-ENT workbook?
Message-ID: <tencent_6F612CF43E4FA03D25FD307B at qq.com>
Content-Type: text/plain;	charset="gb18030"

Hi All,


Is there anyone who uses the Inetzero JNCIE-ENT workbook? Is it good enough? Last year, I bought the Proteus JNCIE-SP for my JNCIE-SP preparation. I don't think it's good; it's not a complete lab, so this time I don't want to choose Proteus again.


------------------
Best Regards,
Bruno

------------------------------

Message: 3
Date: Mon, 6 May 2013 13:07:49 +0300
From: Martin T <m4rtntns at gmail.com>
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] auto-negotiation on 1000BASE-X ports
Message-ID:
	<CAJx5YvENCV8Ss8Z=oKpjFYd=Y6i8P1Sn8Q8Oc+iF7WprbG2B9Q at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hi,

Juniper routers support enabling (this is the default setting) and
disabling auto-negotiation on both 1000BASE-T (copper) and
1000BASE-X (optical) interfaces. Auto-negotiation on copper ports makes
sense because copper ports (for example on tri-rate DPCs on the MX960)
support 10BASE-T and 100BASE-TX modes besides 1000BASE-T, 1000BASE-T
supports both full- and half-duplex modes according to IEEE 802.3z, and
the master/slave relationship between two ports needs to be determined for
negotiating the clock settings. However, what is negotiated between
two directly connected 1000BASE-X ports when auto-negotiation is
enabled on both ports? I mean, optical transceivers rated to 1Gbps do
not support backward compatibility with lower speeds, and are there
optical transceivers out there that support half-duplex mode (it's
supported according to IEEE 802.3 22.2.4.4.2)? In a nutshell, why is
auto-negotiation needed on 1000BASE-X ports?


regards,
Martin


------------------------------

Message: 4
Date: Mon, 6 May 2013 13:18:00 +0200
From: Olivier Benghozi <olivier.benghozi at wifirst.fr>
To: Martin T <m4rtntns at gmail.com>, juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] auto-negotiation on 1000BASE-X ports
Message-ID: <62CF9698-4528-4BF2-AB5A-985CB4A30E02 at wifirst.fr>
Content-Type: text/plain;	charset=us-ascii

1000Base-X can negotiate flow control.

But an interesting part of autoneg is Remote Fault Notification: one of the fibers in your two-fiber link breaks, and the link becomes unidirectional; the side that sees its receiving fiber down sends a frame to notify the other side (which didn't see anything special) that the link is down (so this side will also show the link as "down", even though it receives a proper signal).
Without this, when a single fiber breaks, to detect the problem (more slowly) and prevent unidirectional GE links, you have to rely on protocols running at a higher level: specialized ones (Cisco's UDLD, OAM), routing protocols, or LACP (which can be used on a single link for this purpose, as described in http://kb.juniper.net/InfoCenter/index?page=content&id=KB13314).

This also exists in 10GE links as Link Fault Signaling.


regards,
Olivier


> supported according to IEEE 802.3 22.2.4.4.2)? In a nutshell, why is
> auto-negotiation needed on 1000BASE-X ports?
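
The two things the reply above says 1000BASE-X auto-negotiation carries, flow control and remote fault, shown as a decoder for the 16-bit base page. This is an added example, not part of the original post; the bit positions and encodings are taken from IEEE 802.3 Clause 37 rather than from the thread, and the sample words are constructed.

```python
from dataclasses import dataclass
from typing import Tuple

# (RF1, RF2) = bits 12 and 13 of the base page (IEEE 802.3 Clause 37; not from the thread)
REMOTE_FAULT = {
    (0, 0): "no error, link OK",
    (0, 1): "offline",
    (1, 0): "link failure",
    (1, 1): "auto-negotiation error",
}

@dataclass(frozen=True)
class BasePage:
    full_duplex: bool
    half_duplex: bool
    pause: bool        # PS1: symmetric PAUSE
    asm_dir: bool      # PS2: asymmetric PAUSE direction
    remote_fault: str
    ack: bool
    next_page: bool

def decode_base_page(word: int) -> BasePage:
    """Split a 16-bit 1000BASE-X config word into its advertised abilities."""
    if not 0 <= word <= 0xFFFF:
        raise ValueError("config word is 16 bits")
    bit = lambda n: (word >> n) & 1
    return BasePage(
        full_duplex=bool(bit(5)), half_duplex=bool(bit(6)),
        pause=bool(bit(7)), asm_dir=bool(bit(8)),
        remote_fault=REMOTE_FAULT[(bit(12), bit(13))],
        ack=bool(bit(14)), next_page=bool(bit(15)),
    )

def resolve_pause(local: BasePage, partner: BasePage) -> Tuple[bool, bool]:
    """Return (send_pause, honor_pause) for the local port after negotiation."""
    if local.pause and partner.pause:
        return (True, True)                 # symmetric flow control
    if local.asm_dir and partner.asm_dir:
        if local.pause:                     # local 1,1 / partner 0,1
            return (False, True)
        if partner.pause:                   # local 0,1 / partner 1,1
            return (True, False)
    return (False, False)

def link_usable(partner: BasePage) -> bool:
    """A port that still receives light must go down if the partner reports a fault."""
    return partner.remote_fault == "no error, link OK"

HEALTHY = 0x41A0     # constructed: ACK, PS2, PS1, FD
FIBER_CUT = 0x11A0   # constructed: same abilities, RF1 set by the side that lost receive
```
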



------------------------------

Message: 5
Date: Mon, 6 May 2013 16:18:30 +0300
From: Nc Aji <aji14730 at gmail.com>
To: "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net>
Subject: [j-nsp] SRX 240 Site to Site Vpn Question
Message-ID:
	<CADxh52GRwjuHjodOXR1WZ4Xoh2FE4kV48HczwVeP+9owYH_4ng at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

I have a small customer requiring a VPN between two of its sites. One site
is so remote that we have only a 3G internet connection available. The other
site, which is considered to be the main site, has internet over an
ADSL link. In essence both sides are getting dynamic IP addresses; can I
have a site-to-site VPN in this situation?

Does the SRX support a DynDNS feature? Can I use it for establishing a
site-to-site VPN?

If not, what other option can I suggest to the customer?

Regards,
Aji N C


------------------------------

End of juniper-nsp Digest, Vol 126, Issue 41
********************************************