
What is the best practice for interface monitoring on a chassis cluster using LACP?


Hi All,

 

 

In a chassis cluster active/passive setup, what are the best practices for interface monitoring if I'm using LACP? For example, I have a 3G interface and the minimum link must be 3G. Do I have to put reth0 or the physical interface under interface monitoring?

 

 

Thanks, and I'd appreciate any feedback.


IKE phase 1


2 - If I specify the loopback IP of the tunnel peer as the gateway address in IKE phase 1, does that mean the peer must specify lo0 as its gateway external interface?

Configuration Destination NAT with 2 ISP


Hello, I have the following scenario:


Juniper SRX110
I have 2 internet links with fixed ip ISP1 189.x.x.x and ISP2 187.x.x.x
2 different subnets (Data1) 192.168.1.x (Data2) 192.168.2.x
The Data1 network is required to exit through ISP1 and Data2 through ISP2.

The problem is that destination NAT for "HTTPS (443)" does not work once I set up the rib-group; everything else works correctly.
Any solution for this?


My configuration is as follows:


## Last changed: 2017-03-15 16:51:50 GMT
version 12.1X44-D35.5;
/* NOTE(review): the opening "system {" line seems to be missing from this paste; the lone "}" just before "interfaces {" has no visible opener */
services {
/* telnet is a clear-text management protocol; ssh and https below already cover the same need */
ssh;
telnet;
web-management {
https {
/* J-Web on a non-default port; the host-inbound-traffic settings in the zones section decide which interfaces expose it */
port 9443;
system-generated-certificate;
}
session {
idle-timeout 60;
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
/* Public addresses are partially masked ("x") by the author. fe-0/0/0 faces ISP1 (189.x), fe-0/0/7 faces ISP2 (187.x); fe-0/0/1 and fe-0/0/2 are the Data1 and Data2 LANs */
fe-0/0/0 {
unit 0 {
family inet {
address 189.x.x.170/28;
}
}
}
fe-0/0/1 {
unit 0 {
family inet {
address 192.168.1.252/24;
}
}
}
fe-0/0/2 {
unit 0 {
family inet {
address 192.168.2.252/24;
}
}
}
fe-0/0/7 {
unit 0 {
family inet {
address 187.x.x.194/28;
}
}
}
}
routing-options {
/* Global (inet.0) default route with two next-hops plus a qualified next-hop toward ISP2; the two virtual-routers below each carry their own default route */
static {
route 0.0.0.0/0 {
next-hop [ 189.x.x.169 187.x.x.193 ];
qualified-next-hop 187.x.x.193;
}
}
rib-groups {
/* Shares interface routes between the two virtual-routers; inet.0 is not a member, so pools that use "routing-instance default" do not benefit from it */
ISP1-ISP2 {
import-rib [ ISP1.inet.0 ISP2.inet.0 ];
}
}
}
protocols {
/* Spanning tree is enabled globally; no interface-level STP settings are shown */
stp;
}
security {
screen {
/* NOTE(review): this screen profile is defined but no "screen untrust-screen" statement appears under any security-zone below, so it is not applied to either Internet-facing zone */
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
/* Interface-based source NAT, one rule-set per LAN/ISP pair. The REDVERACRUZ->INTERNET2 and REDVERACRUZ2->Internet policies below are permitted but have no matching source NAT rule-set */
rule-set nsw_srcnat {
from zone REDVERACRUZ;
to zone Internet;
rule nsw-src-interface {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
rule-set ISP2 {
from zone REDVERACRUZ2;
to zone INTERNET2;
rule ISP2 {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
/* NOTE(review): pools with "routing-instance default" perform the post-NAT route lookup in inet.0, while fe-0/0/1.0 (192.168.1.0/24) belongs to routing-instance ISP1. HTTPS shares this setting with MAIL and EXCHANGE, so confirm which table holds the route to 192.168.1.38 -- TODO */
pool Barracuda {
/* Same target as pool MAIL (192.168.1.20 port 25); Barracuda is not referenced by any rule below */
routing-instance {
default;
}
address 192.168.1.20/32 port 25;
}
pool HTTP80 {
description "HTTP(80)";
address 192.168.1.3/32 port 80;
}
pool Cliente_Citrix {
address 192.168.1.3/32 port 1494;
}
pool ODRSAAM {
address 192.168.1.30/32 port 8900;
}
pool SMTP-OUT {
/* Same target as pool SMTP587 (192.168.1.20 port 587) */
address 192.168.1.20/32 port 587;
}
pool HTTP8080 {
description "HTTP(8080)  ";
address 192.168.1.30/32 port 8080;
}
pool WebInsyc {
routing-instance {
default;
}
address 192.168.1.29/32 port 442;
}
pool Insync_srv {
address 192.168.1.21/32 port 6065;
}
pool MAIL {
description "MAIL(25) ";
routing-instance {
default;
}
address 192.168.1.20/32 port 25;
}
pool POP3 {
description "POP3(110)";
address 192.168.1.20/32 port 110;
}
pool Escritorio_Remoto {
/* RDP published directly to the Internet; consider exposing it only through the VPN or restricting the source addresses in the rule that uses it */
address 192.168.1.29/32 port 3389;
}
pool IMAP-SECUR {
/* Same target as pool EXCHANGEIMAPSSL (192.168.1.20 port 993) */
address 192.168.1.20/32 port 993;
}
pool HTTPS {
description "HTTPS(443)";
routing-instance {
default;
}
address 192.168.1.38/32 port 443;
}
pool EXCHANGE {
description "MAIL(4443)";
routing-instance {
default;
}
address 192.168.1.20/32 port 4443;
}
pool EXCHANGEIMAP {
description "EXCHANGEIMAP(143)";
address 192.168.1.20/32 port 143;
}
pool EXCHANGEIMAPSSL {
description "EXCHANGEIMAPSSL(993)";
routing-instance {
default;
}
address 192.168.1.20/32 port 993;
}
pool SMTP587 {
description "SMTP(587)";
address 192.168.1.20/32 port 587;
}
pool FTP21 {
description "Srvcitrix FTP";
routing-instance {
default;
}
address 192.168.1.3/32 port 21;
}
rule-set VIPs {
/* Only traffic arriving from zone Internet (ISP1) is destination-NATed; nothing is published via INTERNET2 */
/* Rules are evaluated in order: Rule_ExchangeIMAPSSL (port 993) is shadowed by Rule_IMAP-Secure, and Rule_SMTP587 (port 587) by Rule_SMTP_OUT, since each pair matches the same address and port */
/* The "189.x..x.170" spelling in later rules is the author's redaction of the same public address */
description "Regla para Vips";
from zone Internet;
rule Rule_IMAP-Secure {
description "IMAP-SECURE 993";
match {
destination-address 189.x.x.170/32;
destination-port 993;
}
then {
destination-nat pool IMAP-SECUR;
}
}
rule Rule_ODRSAAM {
match {
destination-address 189.x.x.170/32;
destination-port 8900;
}
then {
destination-nat pool ODRSAAM;
}
}
rule Rule_SMTP_OUT {
match {
destination-address 189.x.x.170/32;
destination-port 587;
}
then {
destination-nat pool SMTP-OUT;
}
}
rule Rule_HTTP_8080 {
description "HTTP(8080)";
match {
destination-address 189.x..x.170/32;
destination-port 8080;
}
then {
destination-nat pool HTTP8080;
}
}
rule Rule_WebInsync {
match {
destination-address 189.x..x.170/32;
destination-port 442;
}
then {
destination-nat pool WebInsyc;
}
}
rule Rule_Insync {
description "Insync(srv)";
match {
destination-address 189.x..x.170/32;
destination-port 6065;
}
then {
destination-nat pool Insync_srv;
}
}
rule Rule_Mail {
description "MAIL(25)";
match {
destination-address 189.x..x.170/32;
destination-port 25;
}
then {
destination-nat pool MAIL;
}
}
rule Rule_POP3 {
description "POP3(110)";
match {
destination-address 189.x..x.170/32;
destination-port 110;
}
then {
destination-nat pool POP3;
}
}
rule Rule_HTTP {
description "HTTP(80)";
match {
destination-address 189.x..x.170/32;
destination-port 80;
}
then {
destination-nat pool HTTP80;
}
}
rule Rule_Citrix {
description "Cleinte Citrix";
match {
destination-address 189.x..x.170/32;
destination-port 1494;
}
then {
destination-nat pool Cliente_Citrix;
}
}
rule Rule_Esc_Remoto {
description "Escritorio Remoto";
match {
destination-address 189.x..x.170/32;
destination-port 3389;
}
then {
destination-nat pool Escritorio_Remoto;
}
}
rule Rule_HTTPS {
/* The rule the author reports as broken; it is structurally identical to the working ones, so the difference is presumably in the pool's routing-instance lookup or the policy below, not the match */
description "HTTPS(443)";
match {
destination-address 189.x..x.170/32;
destination-port 443;
}
then {
destination-nat pool HTTPS;
}
}
rule Rule_Exchange {
match {
destination-address 189.x..x.170/32;
destination-port 4443;
}
then {
destination-nat pool EXCHANGE;
}
}
rule Rule_ExchangeIMAP {
match {
destination-address 189.x..x.170/32;
destination-port 143;
}
then {
destination-nat pool EXCHANGEIMAP;
}
}
rule Rule_ExchangeIMAPSSL {
/* Never reached: Rule_IMAP-Secure above already matches port 993 on this address */
match {
destination-address 189.x..x.170/32;
destination-port 993;
}
then {
destination-nat pool EXCHANGEIMAPSSL;
}
}
rule Rule_SMTP587 {
/* Never reached: Rule_SMTP_OUT above already matches port 587 on this address */
match {
destination-address 189.x..x.170/32;
destination-port 587;
}
then {
destination-nat pool SMTP587;
}
}
rule Rule_FTP {
description "FTP Srvcitrix";
match {
destination-address 189.x..x.170/32;
destination-port 21;
}
then {
destination-nat pool FTP21;
}
}
}
}
}
policies {
/* Every policy below is any/any/any permit. The Internet -> REDVERACRUZ policy should be limited to the applications actually published by the destination NAT rules, and ideally logged (session-init / session-close) */
from-zone REDVERACRUZ to-zone Internet {
policy AccesoInternet {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone Internet to-zone REDVERACRUZ {
policy AccesoInternet {
match {
source-address any;
/* NOTE(review): 192.168.1.29 (pools WebInsyc, Escritorio_Remoto) and 192.168.1.21 (pool Insync_srv) are NAT targets but are absent from this list, so those flows are presumably denied after translation -- confirm */
destination-address [ Server_192.168.1.20 Server_192.168.1.30 Server_192.168.1.10 Server_192.168.1.38 Server_192.168.1.3 ];
application any;
}
then {
permit;
}
}
}
from-zone REDVERACRUZ2 to-zone INTERNET2 {
policy REDVER2 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone REDVERACRUZ to-zone REDVERACRUZ2 {
policy RED_LOCAL {
description "COMUNICACION AMBAS REDES";
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone REDVERACRUZ2 to-zone REDVERACRUZ {
policy RED_LOCAL2 {
description "COMUNICACION AMBAS REDES";
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone REDVERACRUZ to-zone INTERNET2 {
/* Permitted, but no source NAT rule-set covers REDVERACRUZ -> INTERNET2 (see nat source above) */
policy AccesoInt2 {
description "Acceso red 1 a internet de Telmex";
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone REDVERACRUZ2 to-zone Internet {
/* Permitted, but no source NAT rule-set covers REDVERACRUZ2 -> Internet (see nat source above) */
policy REDVER1 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone REDVERACRUZ {
address-book {
address LptGama 192.168.1.5/32;
address Server_192.168.1.20 192.168.1.20/32;
address Server_192.168.1.30 192.168.1.30/32;
address Server_192.168.1.21 192.168.1.21/32;
address Server_192.168.1.3 192.168.1.3/32;
address Server_192.168.1.7 192.168.1.7/32;
address Server_192.168.1.10 192.168.1.10/32;
address Server_192.168.1.29 192.168.1.29/32;
address Server_192.168.1.38 192.168.1.38/32;
}
interfaces {
fe-0/0/1.0 {
host-inbound-traffic {
system-services {
/* http and telnet expose clear-text management on the LAN; ssh and https already cover it */
ping;
https;
http;
ssh;
telnet;
}
}
}
}
}
security-zone Internet {
description METROCARRIER;
interfaces {
fe-0/0/0.0 {
host-inbound-traffic {
system-services {
/* https and ssh here make J-Web (port 9443) and SSH reachable from the ISP1 side; restrict the sources or remove them if remote management is not required */
ping;
https;
ssh;
}
}
}
}
}
security-zone REDVERACRUZ2 {
interfaces {
fe-0/0/2.0;
}
}
security-zone INTERNET2 {
description TELMEX;
interfaces {
fe-0/0/7.0 {
host-inbound-traffic {
system-services {
/* J-Web (https) is reachable from the ISP2 side as well */
https;
ping;
}
}
}
}
}
}
}
routing-instances {
/* One virtual-router per ISP; each holds its LAN and uplink interfaces and its own default route */
ISP1 {
instance-type virtual-router;
interface fe-0/0/0.0;
interface fe-0/0/1.0;
routing-options {
interface-routes {
rib-group inet ISP1-ISP2;
}
static {
route 0.0.0.0/0 next-hop 189.x.x.169;
}
}
}
ISP2 {
instance-type virtual-router;
interface fe-0/0/2.0;
interface fe-0/0/7.0;
routing-options {
interface-routes {
/* NOTE(review): the rib-group lists ISP1.inet.0 first; Junos expects the applying instance's own table to be the first import-rib, so check the leaked routes with "show route table ISP2.inet.0" -- confirm */
rib-group inet ISP1-ISP2;
}
static {
route 0.0.0.0/0 next-hop 187.x.x.193;
}
}
}
}


Regards!
Miguel Rodriguez


Firewall Filter Issues - Allow DHCP but block RFC1918 SRX100


Hi All,

 

I want to segregate VLAN 90 from the rest of my network so it can't access any private addresses except one, 192.168.45.1. This VLAN will be used for payments, so it needs to be PCI compliant, and that address is the payment server.

 

I also want to run a DHCP server so that handheld payment devices can be assigned addresses dynamically.

 

With the config I've applied (pasted below), DHCP works fine; however, I'm able to ping other private subnets at other sites when I source traffic from the gateway:

 

 

E.g. I'm able to get a response from 192.168.46.254, 10.128.22.254, etc. when sourcing from 10.128.92.254.

 

Here is my relevant config:

 

# VLAN 90 (payment segment): stateless filters on the L3 unit. DHCP (UDP 67/68) is accepted first, then a single permitted host, then any other RFC1918 destination/source is discarded; everything else (Internet) is accepted.
set interfaces fe-0/0/0 vlan-tagging
# NOTE(review): vlan-tagging is enabled on fe-0/0/0, but the tagged unit 90 below sits on fe-0/0/1, which would need vlan-tagging as well (unless this is a paste typo) -- confirm
set interfaces fe-0/0/1 unit 90 vlan-id 90
# These filters only see packets that enter or leave through unit 90. Traffic the SRX itself sources from 10.128.92.254 toward another site leaves via the interface that routes there, so the filters are presumably not consulted in that test; test from a host on VLAN 90 instead -- TODO confirm
set interfaces fe-0/0/1 unit 90 family inet filter input REJECT_RFC1918_IN
set interfaces fe-0/0/1 unit 90 family inet filter output REJECT_RFC1918_OUT
set interfaces fe-0/0/1 unit 90 family inet address 10.128.92.254/24

set policy-options prefix-list RFC_1918 10.0.0.0/8
set policy-options prefix-list RFC_1918 172.16.0.0/12
set policy-options prefix-list RFC_1918 192.168.0.0/16

# "from port 67/68" matches either source or destination port, so any UDP packet carrying 67 or 68 on either side is accepted before the RFC1918 deny term; matching destination-port only (and the DHCP server/relay addresses) narrows this
set firewall family inet filter REJECT_RFC1918_IN term allow-UDP from protocol udp
set firewall family inet filter REJECT_RFC1918_IN term allow-UDP from port 67
set firewall family inet filter REJECT_RFC1918_IN term allow-UDP from port 68
set firewall family inet filter REJECT_RFC1918_IN term allow-UDP then accept
# Only the payment server is reachable inside RFC1918 space
set firewall family inet filter REJECT_RFC1918_IN term allow-specific from destination-address 192.168.45.1/32
set firewall family inet filter REJECT_RFC1918_IN term allow-specific then accept
# Terms run in order; this deny is silent (discard) -- add "then log" or a counter if the PCI audit needs evidence of blocked attempts
set firewall family inet filter REJECT_RFC1918_IN term deny from destination-prefix-list RFC_1918
set firewall family inet filter REJECT_RFC1918_IN term deny then discard
set firewall family inet filter REJECT_RFC1918_IN term allow then accept
# Mirror of the input filter for the return direction, keyed on source instead of destination. Zone security policy (stateful, logged) is the usual place to enforce this segmentation on SRX; it is not shown here
set firewall family inet filter REJECT_RFC1918_OUT term allow-UDP from protocol udp
set firewall family inet filter REJECT_RFC1918_OUT term allow-UDP from port 67
set firewall family inet filter REJECT_RFC1918_OUT term allow-UDP from port 68
set firewall family inet filter REJECT_RFC1918_OUT term allow-UDP then accept
set firewall family inet filter REJECT_RFC1918_OUT term allow-specific from source-address 192.168.45.1/32
set firewall family inet filter REJECT_RFC1918_OUT term allow-specific then accept
set firewall family inet filter REJECT_RFC1918_OUT term deny from source-prefix-list RFC_1918
set firewall family inet filter REJECT_RFC1918_OUT term deny then discard
set firewall family inet filter REJECT_RFC1918_OUT term allow then accept

 

Please kindly advise if I've done the firewall filter wrong.

 

Thanks a bunch!

SRX320 MTTR value


Hi,

 

Can someone please provide the SRX320 mean time to recovery/resolution/repair (MTTR) value?

 

Thank You..

PEM 1 absent MX240


Hi guys,

 

I have one MX240 router. When viewing "show chassis alarms", the router shows a minor alarm: PEM 1 absent.

 

What may be the cause, and how can I rectify it? Please suggest a solution.

 

 

 

Thank you,

Andriy

SRX650 site to site vpn issue


About an hour ago, all of our site-to-site VPN tunnels went down at the same time on our SRX650, and they stay down. I'm not an expert on SRX. When I run "show log kmd-logs", I see the error message "IKE Phase-1 Failure: Invalid cookie recvd". How do I fix this issue? Any ideas?

SRX320 Issue Connecting to AWS Direct Connect VLAN Tagging


I have an issue connecting to the AWS Direct Connect VIF.

 

I have downloaded and configured the configuration settings provided by Amazon to connect, but the VIF still remains in the down state.

 

Would anyone be able to guide me in configuring the device?

 

When I check "show bgp summary", all I get is state Active with the Amazon peer IP.


address persistent


Address persistent allows the device to assign the same address from the source pool to a specific host for multiple concurrent sessions.

The question here: for how long does address persistent maintain the address for the host?

NAT Limits on SRX (preferrably 300 series)


Hi everyone,

 

Very easy question for everyone who has an SRX, preferably 300 series.

 

We are considering buying an SRX 340. I have tested vSRX, and after configuring a couple of source NAT pools I received the following error:

error: nat-pat-address quota exceeded (usage 26108 > max 768)

 

The Limits in the datasheets of SRX state the following for SRX 340:

 https://www.juniper.net/assets/fr/fr/local/pdf/datasheets/1000550-en.pdf

NAT rules: 2000

 

Limits for some older SRX:

https://kb.juniper.net/InfoCenter/index?page=content&id=kb14149

 

So I am wondering what "NAT rule" means in this sense. Does it mean:

A. 2000 NAT rules allow NAT'ing 2000 IPs (like dynamic NAT entries). So the limit is 2000 IPs, and one /20 pool brings the hardware to its limit.

B. 2000 NAT rules means I can have 2000 NAT rules in the configuration, such as:

 

2000 x
# Template for one of the 2000 repetitions (X = instance number): a /24 source pool plus a rule-set/rule pair that sends all trust->untrust traffic through it. The statements are written relative to [edit security nat source] and were collapsed onto one line in the post.
[edit security nat source] pool mytestpoolX address 10.XX.XX.0/24 set rule-set rsX from zone trust set rule-set rsX to zone untrust set rule-set rsX rule rX match source-address 0.0.0.0/0 set rule-set rsX rule rX match destination-address 0.0.0.0/0 set rule-set rsX rule rX then source-nat mytestpoolX

To test this on an SRX300 or bigger hardware one could simply do:

# Four /16 source pools (65,536 addresses each) with no rules referencing them; "commit check" validates the candidate config without applying it, so this probes whether the per-platform pool address limit (the "nat-pat-address quota" from the vSRX error above) trips at commit time -- presumably, verify on the target box
set security nat source pool mytestpool01 address 10.101.0.0/16
set security nat source pool mytestpool02 address 10.102.0.0/16
set security nat source pool mytestpool03 address 10.103.0.0/16
set security nat source pool mytestpool04 address 10.104.0.0/16
commit check

Can anyone check this for me ?

 

Thank you

Nooto

SRX Chassis-Cluster and dns-proxy


Hi guys,

 

Is it still the case that dns-proxy and chassis cluster do not work hand in hand, or am I missing something else?

 

I configured the following on a SRX340-Cluster:

 

# DNS proxy bound to four reth0 units on an SRX340 cluster, forwarding every domain to two upstream resolvers
set system services dns dns-proxy interface reth0.11
# NOTE(review): the author reports only reth0.11 reaching "listen" state; each unit's zone also needs "host-inbound-traffic system-services dns" for the proxy to accept queries there -- not shown, confirm for .12/.13/.14
set system services dns dns-proxy interface reth0.12
set system services dns dns-proxy interface reth0.13
set system services dns dns-proxy interface reth0.14
set system services dns dns-proxy default-domain * forwarders 193.101.111.10
set system services dns dns-proxy default-domain * forwarders 193.101.111.20

 

 

but only reth0.11 is added in the "listen" state — the others are ignored. Any ideas? Am I missing something?

 

 

2xVPN and policy routing


VPN.png

Goal: every computer from Site A connects to the single computer C5 (10.10.20.2) through VPN2 and to the others through VPN1. Every computer from Site B except C5 connects to Site A through VPN1.

Site A:
    static route 10.10.20.0/24 next hop 192.168.36.2
    static route 10.10.20.2/32 next-hop 192.168.36.6

Site B:
Model: srx210he
JUNOS Software Release [12.1X46-D60.4]

    inet.0:
        static route 10.10.10.0/24 next-hop 192.168.36.1
        10.10.10.0/10      *[Static/5] 11w3d 22:35:41
                    > to 192.168.36.1 via st0.0

    vpn2.inet.0:
        static route 10.10.10.0/24 next-hop 192.168.36.5
        10.10.10.0/10      *[Static/5] 2d 22:27:47
                    > to 192.168.36.5 via st0.1

vpn2: instance-type forwarding

Both st0.0 and st0.1 are in the same security zone. Nothing is logged as dropped through zone policy.
# Filter-based forwarding: traffic sourced from C5 is handed to the vpn2 forwarding instance (whose only route, 10.10.10.0/24 via st0.1, is shown above); everything else follows inet.0
firewall family inet filter RoutingVPNalt term VPN_ALT from source-address 10.10.20.2/32
firewall family inet filter RoutingVPNalt term VPN_ALT then routing-instance vpn2
firewall family inet filter RoutingVPNalt term Last_Term then accept

# Applied as input on the LAN unit; this is the direction that matters for C5's outbound packets
interfaces vlan unit 360 family inet filter input RoutingVPNalt

# NOTE(review): the reverse path (10.10.10.x -> 10.10.20.2 arriving on st0.1) is not affected by this filter; if st0.1 does its ingress lookup in vpn2.inet.0, that table has no route to 10.10.20.0/24 (only the 10.10.10.0/24 static is shown), which would match the trace stopping at 192.168.36.6 -- check "show route table vpn2.inet.0 10.10.20.2"
interfaces vlan unit 360 family inet filter output RoutingVPNalt

After committing that filter, I can connect from 10.10.20.2 to any 10.10.10.0/24 host, but I can't connect from any 10.10.10.0/24 host to 10.10.20.2. The trace stops at 192.168.36.6.

If I add any address to the master [inet.0] routing table on R2, e.g. 10.10.10.2 with next-hop 192.168.36.5, then it works: I can ping from 10.10.10.2 to 10.10.20.2.

Are there any problems with VPN and policy routing working together, and are there any workarounds?

All traffic logging on SRX3600


Hi all,

 

Please advise how to log all traffic information (source and destination IP addresses, ports, packets, bytes, date, time) passing through the SRX3600.

If I configure J-Flow with a sampling rate of 1, it will be CPU intensive and slow down performance.

Are there other ways ?

 

Thanks

  

Some IP's route through tunnel other's Don't


I have an existing VPN which traffic passes through just fine.

I need to add a few more IPs that are on the same remote subnet to route through this tunnel.

While I can ping the original 10.16.199.49/32, I cannot ping a newly added IP, 10.16.199.82/32.

 

I did add the new routes directly into the config via J-Web, if that makes a difference.

 

Here's what I did;

 

Added the static routes pointing to the correct interface and they all show up in "show route" and look good.

Next, I added the new IPs to the correct zone policies. Committed all, but still can't ping the new IPs.

Basically did what I did for the original IP's that do ping.

 

I keep thinking I'm missing a step, but for the life of me I don't see what it could be.

 

I am using a simple static NAT rule, but that shouldn't be the issue, and as I said the original IPs connect through just fine.

 

route 10.16.199.53/32 next-hop st0.2; current and pings through
route 10.16.199.51/32 next-hop st0.2; current and pings through
route 10.16.199.49/32 next-hop st0.2; current and pings through
route 10.16.199.39/32 next-hop st0.2; current and pings through
route 10.16.199.181/32 next-hop st0.2; current and pings through
route 10.16.199.82/32 next-hop st0.2; new and doesn't ping
route 10.16.199.204/32 next-hop st0.2; new and doesn't ping
route 10.16.199.205/32 next-hop st0.2; new and doesn't ping
route 10.16.199.92/32 next-hop st0.2; new and doesn't ping
route 10.16.199.93/32 next-hop st0.2; new and doesn't ping

 

Policy

 

/* Outbound policy toward the remote subnet; the paste ends before the closing braces of "then" and "policy" */
policy policy_out_remote {
match {
source-address INT;
/* NOTE(review): the five new entries (10_16_199_92 ... 10_16_199_205) lack the "addr_" prefix used by the working ones -- confirm each name resolves to the intended /32 in the address book ("show security policies detail") rather than to a different or empty object */
destination-address [ addr_10_16_199_53 addr_10_16_199_51 addr_10_16_199_49 addr_10_16_199_39 vpn addr_10_16_199_181 addr_10_16_199_82 10_16_199_92 10_16_199_93 10_16_199_204 10_16_199_205 ];
/* Any application is permitted; narrowing this to the services actually needed would reduce exposure across the tunnel */
application any;
}
then {
permit;

 

Same for policy_in

 

Thanks in advance

IKE gateway configuration lookup failed during negotiation


Hi, I am following exactly the steps to configure a redundant IKE gateway:

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB29211

 

When I deactivate the active gateway, the SRX-300 running 15.1 code fails to negotiate IKE with the standby IKE gateway.

 

kmd[5592]: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local:1.1.1.2/500, Remote: 3.3.3.1/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

 

There is zero information about "IKE gateway configuration lookup failed during negotiation". If I remove the primary IKE gateway, the IPsec negotiation succeeds without problem, so there is no issue with the configuration itself. What could be the problem?

 


ERROR: No valid DIMMs detected on any DDR interface


Hello everyone

I have an SRX240, and when I turn it on I get the following message repeatedly, with the equipment restarting and showing the same message.

 

          U-Boot 1.1.6-JNPR-2.6 (Build time: Aug  8 2013 - 20:07:50)

          ERROR: No valid DIMMs detected on any DDR interface.!!!
          Measured DDR clock 0.00 MHz
          SRX_240H2 board revision major:2, minor:10, serial #: ACLM5636
          OCTEON CN5230R-SCP pass 2.0, Core clock: 600 MHz, DDR clock: 0 MHz (0 Mhz data rate)
           hanging, init func: 8
          ### ERROR ### Please RESET the board ###

 

         U-Boot 1.1.6-JNPR-2.6 (Build time: Aug  8 2013 - 20:07:50)

         ERROR: No valid DIMMs detected on any DDR interface.!!!
         Measured DDR clock 0.00 MHz
         SRX_240H2 board revision major:2, minor:10, serial #: ACLM5636
         OCTEON CN5230R-SCP pass 2.0, Core clock: 600 MHz, DDR clock: 0 MHz (0 Mhz data rate)
         hanging, init func: 8
         ### ERROR ### Please RESET the board ###


I do not have the equipment under warranty. After checking whether it has a memory module inside, I found that the slot is empty.
Does anyone know how I could fix it? Does it need a memory module?
Thank you very much in advance.

Regards

SRX300 - Unusable browsing performance


Hi

I have just acquired a SRX300 for my home office.

 

I am not a network engineer, or a systems administrator, if I scan a generated configuration, the errors don't leap out at me.

 

I do not have my licence details, yet (it seems that the goose-boy hasn't been out to pluck a quill from which the keeper of the pen-knife can fashion a nib to hand to the clerk of chancery that then issues the parchment upon which is scribed the required information), so I have no idea what is going on in my device as far as AV/anti-malware etc are concerned, and cannot upgrade software and firmware.

 

I have had great difficulty creating a configuration (through J-Web) that is usable. Some of the time the generated configuration was not committed.

 

In order to eliminate as much noise as possible from what was occurring, I decided to set up an internet zone, an internal zone, and two other zones for later testing. For the purposes of testing I configured the communication between the Internal Zone and the Internet Zone to allow everything through in both directions, and enabled - ping, dhcp, http, https, ssh and telnet, I even disabled httpsEverywhere.

 

This morning, after resetting the SRX I built a configuration that was initially rejected when I tried to commit it, but I resubmitted it, without change, and it was accepted. For about 40 minutes, everything appeared to work; briefly, even the link between Outlook and the remote Exchange server was functioning. I could synch files with my remote OneDrive. But gradually, everything became so slow it became unusable.

 

I did check that ping performance was acceptable, both from a connected workstation, and from the SRX300 itself, even when browsing was not possible. I gracefully rebooted the SRX and the workstation but to no avail. I did notice that some websites loaded before I finished a mug of coffee, but the spinner on the tab usually continued spinning. Meraki, strangely, loaded comparatively quickly, Juniper did not.

 

I connect to a FTTC VDSL2 service from BT (Infinity 2) 80/20. I use a Vigor 130 modem configured for PPPoE in Bridging mode (suggested by Draytek for BT connections with multicast). I am uncertain as to what the MTU should be as far as the SRX is concerned, I leave it at 1492, for now.

 

The browsing performance and the inability to connect to the Exchange server mean that the SRX is not currently usable. Unfortunately, I do not have the knowledge to put my finger on the problem, although I have bought what feels like half the Morgan Library and a new packet of highlighters. Any suggestions welcome. I have a copy of the configuration if required.

 

The above is the long version of HELP ;-((

Default 2 AX411APs lost after Junos installation


hi , 

This happened after a software failure; we couldn't reinstall Junos using either the loader or U-Boot. The only method that fixed the issue was creating a USB snapshot from another SRX 210.
This SRX 210 came with a 2-AP license; the APs vanished after this accident.
How can I re-download these licences?

Thanks 

MLPPP configuration


Hello Experts,

 

Two E1 links for connecting the DR. The SRX is on the edge, in HA, connecting the DC infrastructure and the DR through E1.

I have an E1 interface on each SRX in the HA pair. Is it possible to bundle both E1 links, terminated on the two SRXs in HA, for load sharing and failover? Is it possible with MLPPP configuration on SRX?

 

Hope for some expert solutions.

 

Thank You.

 

What should I do to use the same VLAN by two or more VRF?


The following config can be used to assign multiple IP addresses to the same VLAN.

vlans {
    /* VLAN 100 is the shared customer VLAN; its single L3 interface is vlan.100 */
    Vlan100 {
        vlan-id 100;
        l3-interface vlan.100;
    }
}
interfaces {
    /* Trunk toward the per-customer VLANs 10 and 20 */
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ 10 20 ];
                }
            }
        }
    }
    /* Trunk carrying the shared VLAN 100 */
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members 100;
                }
            }
        }
    }
    vlan {
        unit 10 {
            family inet {
                address 172.16.10.1/24;
            }
        }
        unit 20 {
            family inet {
                address 172.16.20.1/24;
            }
        }
        /* Three addresses on one logical interface; they all belong to the same unit, so they cannot be split between routing instances (a logical interface is a member of exactly one instance) */
        unit 100 {
            family inet {
                address 192.168.0.1/24;
                address 192.168.0.2/24;
                address 192.168.0.3/24;
            }
        }
    }
}

However, assigning one of those IPs to each VRF results in an error.

routing-instances {
    VR01 {
        description Customer01;
        instance-type virtual-router;
        interface vlan.10;
        interface vlan.100;
    }
    VR02 {
        description Customer02;
        instance-type virtual-router;
        interface vlan.20;
        /* Rejected at commit (see the error below): vlan.100 is already owned by VR01. Sharing the VLAN across both customers presumably needs a distinct logical interface per instance, or the inter-VR reachability handled by route leaking/rib-groups instead -- confirm against the platform's docs */
        interface vlan.100;
    }
}

[edit routing-instances VR02 interface]
  'vlan.100'
    RT Instance: Interface vlan.100 already configured under instance VR01

What should I do to use the same VLAN by two or more VRF?
