Channel: All SRX Services Gateway posts

download limit policer issue


Hi

 

My internet bandwidth is 30 Mbps.

I have a policer configured to limit upload and download bandwidth to 2 Mbps for certain user groups.

My LAN is connected to ge-0/0/0 and WAN is connected to ge-0/0/2.

The following is my policer and filter configuration.

 

set policy-options prefix-list 2mb_group 192.168.1.211/32
set policy-options prefix-list 2mb_group 192.168.1.213/32
set policy-options prefix-list 2mb_group 192.168.1.218/32

 

set firewall policer limit_2mbps if-exceeding bandwidth-limit 2m
set firewall policer limit_2mbps if-exceeding burst-size-limit 62k
set firewall policer limit_2mbps then discard 

 

Filter for upload traffic

 

set firewall filter input-limit term 1 from source-prefix-list 2mb_group
set firewall filter input-limit term 1 then policer limit_2mbps
set firewall filter input-limit term 1 then accept
set firewall filter input-limit term last then accept

 

Filter for download traffic

 

set firewall filter output-limit term 1 from destination-prefix-list 2mb_group
set firewall filter output-limit term 1 then policer limit_2mbps
set firewall filter output-limit term 1 then accept
set firewall filter output-limit term last then accept

 

Upload Filter applied on Input direction in LAN interface

 

set interfaces ge-0/0/0 unit 0 description Local-LAN
set interfaces ge-0/0/0 unit 0 family inet filter input input-limit
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24

 

Download Filter applied on Input direction in WAN interface

 

set interfaces ge-0/0/2 unit 0 description "WAN"
set interfaces ge-0/0/2 unit 0 family inet filter input output-limit
set interfaces ge-0/0/2 unit 0 family inet address 111.139.102.80/30

 

I am able to succeed with the upload limit (nearing 2 Mbps) but could not control the download limit. I am getting the full bandwidth.

 

If I apply the download filter in the output direction on the LAN interface, then I get a very low download of less than 128 kbps.

 

Let me have your suggestions to fine-tune the errors.

 

Regards,

AN

 


Re: download limit policer issue


Based on your configuration, I assume you are using source NAT for the LAN traffic. In that case, you have to change the destination IP address in the download traffic filter to reflect the NATted IP. You may add the 'log' action to see if any matching traffic hits your filter (show firewall log).

Re: same (sticking ) ip assignment for user in dynamic vpn

Thanks Nellikka. I have already gone through that post, but the problem is that the client doesn't get the IP given in XAuth every time. The first time it gets the one bound by XAuth, but if it disconnects for a while and I reconnect it, it then gets another IP from the pool. Then I have to manually disconnect it again once or twice to get the same IP back.

SRX300 - 15.1X49D-90.7 Configuration


For my private office I needed to radically improve my security capabilities, hence the introduction of an SRX300.

 

I am trying to get basic functionality sorted before expanding my use of VPNs and introducing vSRX to my remote environments. As a non-Juniper non-network administrator person, my approach has been to try and get a basic configuration using J-Web, and then to modify that to achieve my goals - hence my switch to D-90.7, which is actually capable of generating a configuration through J-Web that is valid and accepted.

 

I have two main problems right now.

 

  • A device that expects encrypted multicast IPv4 packets, 802.1P priority 0 and 802.1Q VLAN ID tagged 101. The 802.1 related information is not being passed through the SRX300, although the Meraki switch (in default ex factory mode) does pass this information through when connected to the ISP supplied router, so I'm reasonably confident that the problem is SRX300 related, not switch related.
  • A number of devices that have ethernet connectivity, and need to be able to access the internet, that I perceive as "risky", in the way that virtually all IOT devices are risky. Mostly my secure devices communicate with them through non-ethernet interfaces (usually HDMI 2), although there are some grey areas (Sony AV equipment and Sony computers talk to each other in so many ways).

The SRX300 is in Ethernet switching mode. I have a default VLAN and irb configured.

 

Ideally, I would like to attach the multicast device to a separate port on the SRX, in a zone of its own, and not worry about it. I'm not sure how to set up a static route that would work, that passes through the 802.1 info unchanged from the remote site. So that everything else is isolated from it.

 

I'd like to put the questionably insecure devices into isolation, from which they can go out to the internet but not elsewhere, but I'd prefer to retain the present "casting" capability.

 

However, there are updates which are pushed to these devices, to add to the difficulties. I imagine I can whitelist who is doing the pushing.

 

I'd be extremely grateful for some pointers to help with making these configuration changes. What is obvious to networking engineers isn't always obvious to me.

 

Incidentally, anybody in Britain should be aware that Open Reach FTTC cabinets are now mostly capable of handling Baby Jumbo and Jumbo frames (<9000), although I haven't tried anything at the larger end of the scale.

 

PKI


Why is there a digest option in the command: request security pki generate-certificate-request <digest>?

My point is that the CA is the one who should make the digest and then sign it with its private key, so why do I specify the hash algorithm and make the digest?

Re: download limit policer issue


Hi,

 

Your assumption is right. Source NAT is enabled for Internet traffic. For one policer, we can use the WAN interface IP.

Let me have your suggestion in case multiple policers are involved.

 

Regards,

AN
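To make the reply above concrete, here is an added Python model of the two places the download filter was attached; it is illustration code, not Junos and not from the thread. It follows the reply's explanation: an input filter on the WAN interface is evaluated before the inbound packet is un-NATted, so it sees the WAN address as destination, while an output filter on the LAN interface runs after reverse NAT and sees the private address. The remote server address, the 12 Mb/s packet stream and the port-preserving NAT binding are constructed assumptions; the prefix list, WAN address, bandwidth-limit and burst-size-limit are the ones from the post.

```python
"""Where a stateless firewall filter sees the private address relative to source NAT.
Added model, not Junos code. Assumed behaviour (from the reply in the thread):
WAN-interface input filters run before reverse NAT, LAN-interface output filters after."""
import ipaddress
from dataclasses import dataclass

WAN_IP = "111.139.102.80"                      # ge-0/0/2 address from the post
REMOTE_SERVER = "203.0.113.5"                  # constructed (RFC 5737 documentation range)
TWO_MB_GROUP = [ipaddress.ip_network(p) for p in
                ("192.168.1.211/32", "192.168.1.213/32", "192.168.1.218/32")]
WAN_ONLY = [ipaddress.ip_network(WAN_IP + "/32")]   # the reply's suggested rewrite


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    length: int   # bytes on the wire


class SourceNat:
    """Interface-based source NAT; port preservation is a simplifying assumption."""
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.table = {}   # (remote ip, remote port, public port) -> private ip

    def outbound(self, pkt):
        self.table[(pkt.dst, pkt.dport, pkt.sport)] = pkt.src
        return Packet(self.public_ip, pkt.dst, pkt.sport, pkt.dport, pkt.length)

    def inbound(self, pkt):
        private = self.table[(pkt.src, pkt.sport, pkt.dport)]
        return Packet(pkt.src, private, pkt.sport, pkt.dport, pkt.length)


class Policer:
    """Single token bucket: 'if-exceeding bandwidth-limit / burst-size-limit then discard'."""
    def __init__(self, bandwidth_bps, burst_bytes):
        self.rate = bandwidth_bps / 8 / 1_000_000   # bytes per microsecond
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last_us = 0

    def offer(self, length, now_us):
        self.tokens = min(self.burst, self.tokens + (now_us - self.last_us) * self.rate)
        self.last_us = now_us
        if length <= self.tokens:
            self.tokens -= length
            return "accept"
        return "discard"   # bucket is not charged for a discarded packet


def in_prefix_list(addr, prefixes):
    a = ipaddress.ip_address(addr)
    return any(a in p for p in prefixes)


def download_filter(pkt, prefixes, policer, now_us):
    """term 1: from destination-prefix-list -> then policer, accept; term last: accept."""
    if in_prefix_list(pkt.dst, prefixes):
        return "matched", policer.offer(pkt.length, now_us)
    return "unmatched", "accept"


def simulate_download(attach_point, prefixes, packets=200, size=1500, interval_us=1000):
    """Replay a constructed 12 Mb/s download (1500 B every 1 ms) through the filter
    attached at 'wan-input' or 'lan-output'. Returns counts of filter outcomes."""
    nat = SourceNat(WAN_IP)
    # The 2mb_group host's outbound request creates the NAT binding first.
    nat.outbound(Packet("192.168.1.211", REMOTE_SERVER, 40000, 443, 60))
    policer = Policer(2_000_000, 62_000)          # bandwidth-limit 2m, burst-size-limit 62k
    counts = {"matched": 0, "accepted": 0, "discarded": 0}
    for i in range(packets):
        pkt = Packet(REMOTE_SERVER, WAN_IP, 443, 40000, size)   # as it arrives on ge-0/0/2
        if attach_point == "lan-output":
            pkt = nat.inbound(pkt)                              # reverse NAT already applied
        elif attach_point != "wan-input":
            raise ValueError(attach_point)
        hit, verdict = download_filter(pkt, prefixes, policer, i * interval_us)
        counts["matched"] += hit == "matched"
        counts["accepted" if verdict == "accept" else "discarded"] += 1
    return counts


if __name__ == "__main__":
    print("wan-input, private prefixes :", simulate_download("wan-input", TWO_MB_GROUP))
    print("lan-output, private prefixes:", simulate_download("lan-output", TWO_MB_GROUP))
    print("wan-input, WAN address      :", simulate_download("wan-input", WAN_ONLY))
```

Run as-is, the first line shows the post's original setup: the WAN-side input filter never matches the private prefixes, so every packet falls through to the accepting last term and the policer is never consulted. The same filter evaluated after reverse NAT, or rewritten to match the WAN address as the reply suggests, matches every packet and the policer starts discarding. It also answers the multiple-policer question: everything inbound shares the one WAN address, so only an attach point that sees post-NAT addresses (or distinct NAT pool addresses per group) can tell the groups apart.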

We are getting error at login time: /usr/libexec/ld-elf.so.1: Cannot open "/usr/lib/libjunoscript.so.1"


We are getting an error at login time: /usr/libexec/ld-elf.so.1: Cannot open "/usr/lib/libjunoscript.so.1"

I can't log in from the console either. What is the reason? Can anybody help me resolve the issue?

The platform is SRX1500.

Binding multicast mac address on SRX Chassis Cluster?


Hi all,

 

 

My physical topology is as below. My question: do all the devices in the path before the SRX5800 also need a static ARP entry configured, the same as in the SRX config below?

 

Porta-Web-Voice (virtual MAC 03:00:60:0d:f0:0d) ----> (Trunk) Cisco Switch ----> (Trunk) Cisco Switch --> (Trunk) Huawei Switch ---> (Trunk) SRX5800

 

 

set logical-systems LSYS-1 interfaces reth0 unit 79 family inet address 7.7.7.1/26 arp 7.7.7.10 multicast-mac 03:00:60:0d:f0:0d

 

Thanks and appreciate any feedback.

 

 


Re: We are getting error at login time: /usr/libexec/ld-elf.so.1: Cannot open "/usr/lib/libjunoscript.so.1"

What's the Junos version you are using? I remember seeing this issue on older 15.1 versions. I would suggest an upgrade if you are running something old.

Re: PKI


Hello,

 

I hope the following link is helpful.

 

The CA that issues a certificate uses a hash algorithm to generate a digest, and then “signs” the certificate by encrypting the digest with its private key. The result is a digital signature. The CA then makes the digitally signed certificate available for download to the person who requested it. Figure 1 illustrates this process.

The recipient of the certificate generates another digest by applying the same hash algorithm to the certificate file, then uses the CA's public key to decrypt the digital signature. By comparing the decrypted digest with the digest just generated, the recipient can confirm the integrity of the CA's signature and, by extension, the integrity of the accompanying certificate. Figure 1 illustrates this process.

 

https://www.juniper.net/documentation/en_US/junos12.1x47/topics/concept/certificate-digital-understanding.html

 

Regards,

 

Rushi

Re: SRX300 - 15.1X49D-90.7 Configuration


Hello,

 

A topology of your existing network and a network where you are using SRX would be of help.

Also, if you can explain the issue on the topology, it would be easier to visualize.

 

Regards,

 

Rushi

Create custom destination-port in firewall filter


I was wondering if it were possible to create a custom "destination-port" for use in the [firewall] filter

Then create a "protocol set"

 

I want it to be similar to the Cisco ASA ACL using custom objects and object groups. Can this only be done using security policies?

 

I know how to create custom applications for use in [security policies]

 

What I mean exactly, is there a way to add to the port list in the firewall filter statements?

@srx# set firewall filter allow_AD_445 term 1 from destination-port ?
Possible completions:
  <range>              Range of values
  [                    Open a set of values
  afs                  AFS
  bgp                  Border Gateway Protocol
  biff                 Biff/Comsat

Re: Create custom destination-port in firewall filter


Hello,

 

You can specify custom ports after 'set firewall filter allow_AD_445 term 1 from destination-port'.

Within '[ ]' you can configure multiple custom destination ports.

 

Regards,

 

Rushi

 

 

Re: SRX300 - 15.1X49D-90.7 Configuration


[Attached image: CASchematic.jpg]

 

The above cuts out much of the duplication of equipment.

 

The device labelled Playout Centre expects encrypted multicast IPv4 packets, 802.1P priority 0 and 802.1Q VLAN ID tagged 101.

 

The other two (Sony) devices which I would like to isolate are the device marked Audio Processing and the large 4K screen, which is running Android.

 

My intent is to introduce more fanless switches.

 

Azure, Sparta and Athens will eventually have vSRX devices.

 

Re: We are getting error at login time: /usr/libexec/ld-elf.so.1: Cannot open "/usr/lib/libjunoscript.so.1"


Hi Rsuraj

The Junos version is 15.1X49-D60.

Thanks.


Re: PKI


I was confused for a while because it was the generate-certificate-request command. So, if the hash algorithm option will be used for validation, by using it to create a digest from the received certificate and using the CA public key to decrypt the DS and comparing both hashes, it now makes sense.
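The digest argument has a narrower job than validating the certificate that comes back: a PKCS#10 request is itself signed by the requester with the private key whose public half it carries (proof of possession), and the digest names the hash used for that signature. The CA checks that signature, then hashes and signs the certificate it issues with a hash of its own choosing, which need not be the one in the request. The following added example, written with the Python `cryptography` package and not taken from the thread or from Junos, builds a request with one digest, has a toy CA issue from it with a different digest, and runs both integrity checks, including a deliberately corrupted request. The subject names and the one-year validity are assumptions.

```python
"""What the 'digest' of a certificate request actually selects. Added example using the
Python 'cryptography' package; not Junos code. The requester hashes and signs its own
PKCS#10 request (so it chooses that hash); the CA hashes and signs the certificate it
issues with a digest of its own."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

DIGESTS = {"sha256": hashes.SHA256, "sha384": hashes.SHA384, "sha512": hashes.SHA512}


def make_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def build_csr(key, digest="sha256", cn="srx.example.net"):   # cn is an assumed name
    """Counterpart of 'request security pki generate-certificate-request ... digest <digest>':
    the requester signs the request with its own private key using the chosen hash."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return x509.CertificateSigningRequestBuilder().subject_name(subject).sign(key, DIGESTS[digest]())


def csr_digest(csr):
    return csr.signature_hash_algorithm.name


def csr_proof_of_possession_ok(csr):
    """The CA's first check: was this request signed by the holder of the key it contains?"""
    return csr.is_signature_valid


def tamper_csr(csr):
    """Flip the last DER byte (tail of the signature BIT STRING) so the CSR parses but fails the check."""
    der = bytearray(csr.public_bytes(serialization.Encoding.DER))
    der[-1] ^= 0xFF
    return x509.load_der_x509_csr(bytes(der))


def issue_from_csr(csr, ca_key, ca_name, digest="sha384"):
    """The CA hashes and signs the certificate it builds with its own digest, independent of the CSR's."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(csr.subject)
            .issuer_name(ca_name)
            .public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=365))   # assumed validity
            .sign(ca_key, DIGESTS[digest]()))


def cert_signature_ok(cert, ca_public_key):
    """Recipient side: re-hash the TBSCertificate with the hash named in the certificate
    and check the CA's signature over it with the CA public key."""
    try:
        ca_public_key.verify(cert.signature, cert.tbs_certificate_bytes,
                             padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def run_demo(csr_digest_name="sha256", ca_digest_name="sha384"):
    requester_key = make_key()
    csr = build_csr(requester_key, csr_digest_name)
    ca_key = make_key()
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Lab CA")])  # assumed
    cert = issue_from_csr(csr, ca_key, ca_name, ca_digest_name)
    return {
        "csr_digest": csr_digest(csr),
        "csr_pop_ok": csr_proof_of_possession_ok(csr),
        "tampered_csr_pop_ok": csr_proof_of_possession_ok(tamper_csr(csr)),
        "cert_digest": cert.signature_hash_algorithm.name,
        "cert_sig_ok": cert_signature_ok(cert, ca_key.public_key()),
        "cert_sig_ok_wrong_ca": cert_signature_ok(cert, make_key().public_key()),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:22s} {v}")
```

The two digests are independent: the request carries sha256 because the requester chose it, the certificate carries sha384 because the CA did. The corrupted request still parses but fails proof of possession, which is the check a CA must run before it ever hashes anything, and the certificate only verifies against the key of the CA that actually signed it.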

Re: New SRX configuration and troubleshooting resources


This would be fine, were it kept up to date. If it isn't updated, it's misleading. For example, JDHCP is now flavour du jour, but not covered here. The DHCP Server document is dated 02 Feb 2014. The switching article makes no mention of the SRX300.

In fact as far as configuring a  SRX300 with a recent Junos release, this resource is misleading, frustrating, and wastes time.

 

It would be great if it was up to date, and had some recent configurations as examples. Otherwise . . 

Re: Create custom destination-port in firewall filter


Yes, you can specify a port number for the term

set firewall filter allow_AD_445 term 1 from destination-port 445

 

I want to know if you can make

 

AD = 445

This way it will describe more what the port does or create a grouping of ports

 

AD = 445

SMB = 139

 

AD_SMB = AD and SMB

 

set firewall filter allow_AD_445 term 1 from destination-port AD

set firewall filter allow_AD_445 term 1 from destination-port AD_SMB

 

to match what you can do with applications in the security policy:

application AD {
    protocol tcp;
    destination-port 445;
}
application SMB {
    protocol tcp;
    destination-port 139;
}
application-set AD_SMB {
    application AD;
    application SMB;
}
 

 

Fabric Monitoring


Is it safe to enable chassis cluster fabric monitoring on production firewalls with no impact to service?

PKI- validation


Would someone please explain this Note to me: why would the initial response be authenticated by the CA certificate?

[Attached image: Untitled.png]
