Juniper’s ‘Translator in the Cloud’

Interesting and simple description of how Juniper implement a translator to enable their website for IPv6 users. What’s also interesting is that they don’t make mention of what the ‘translator’ actually is… If it were a Junos device, I’m sure they’d have made a meal of it, but I am assuming it is an F5 or an A10 box.

Juniper SRX 11.1 – SSL VPN termination

Just seen in the release notes for Junos 11.1 for branch SRX that it will terminate SSL VPNs from Pulse clients.  Now that’s a nice thing – but calls into question why I bought my Juniper SA.  I think the SA will do some degree of network access control (NAC) for me on the corporate wired LAN as well, but perhaps I can make do with the SRX for remote access.

The thing to watch out for is that you need to have a licence for remote access on the SRX to terminate Pulse clients there. It is billed as ‘dynamic VPN’ licences, but will apparently work for Pulse clients too.  If you’ve bought licences for SSL VPNs on your SA, you won’t be able to terminate these on your SRX unless you get different licences.

I need to try this out a bit further (when time allows) and report back, I think…

More new Juniper stuff. Big stuff.

Bloody hell – Juniper are on fire at the moment.  First we get the new QFX switches supporting more 10G and FCoE in a single rack U than you can shake a stick at, and now we get the ‘converged supercore’, in the form of the PTX5000 and PTX9000.

Jesus, these things are big… Read the rest of this entry »

Junos logical systems, and logical system users

Logical systems on Junos are quite easy to configure. Their purpose is to partition the system up into completely separate routers, each running its own routing daemon (rpd). The systems don’t talk to each other at all – you connect them together using physical or vlan-tagged virtual interfaces if they need to communicate.

Unless I’m mistaken, the ability to create a user with control over a single logical system is not covered by the manual. I thought I’d write it up here, just in case it is of any use to anyone.
Read the rest of this entry »

Unified Threat Management (UTM) on Junos is BAD

I probably shouldn’t say this, but UTM on Junos with their new SRX devices.. (ahem).. is not very good… Juniper support is excellent, and the base features of the device are good, but there are a few caveats:

1. Don’t do too much logging
2. Especially, don’t log too much to the device’s filesystem
3. Don’t implement large whitelists/blacklists (particularly with wildcard filtering on URLs)

Juniper’s support on this product is (as usual) excellent, and far surpasses any other manufacturer’s level of help. However, there are some bits of code in this box that haven’t undergone the level of testing you might expect.
Junos 10.0R3 is therefore what we should all be waiting for – available in April. It includes almost 300 fixes (just fixes – no new features), and they have re-worked how the do Q&A on the entire product line.

If you’re struggling with an SRX right now, I’d be really interested to hear from you. In the meantime, let’s hope that release R3 is going to alleviate some of our pain..

USB modems on Juniper J-series

Just seen something on the j-nsp list about using Multitech USB modems on the USB port of J-series routers, so I thought I’d post a link here for my future reference.

Juniper J-series upgrade to 8.4R2.3

We’ve just been in the lab trying to get a router upgraded from 8.2 to the latest 8.4R2.3, and have been having some issues…  Read the rest of this entry »

Undocumented (and broken) DXOS command

While trying to do an upgrade on a DX, I found a command that is not referenced in the command ref, or when you use the “?” at the CLI. Read the rest of this entry »

Upgrade of Juniper DX3200 to 5.2.4

Here’s what to do to get a DX application acceleration engine upgraded. Note that you will need serial access to the device in the later stages of this procedure: Read the rest of this entry »

Exclusive configuration in IOS and JunOS

Juniper certainly seem to lead Cisco in certain areas sometimes.

If there’s a chance that more than one person can be changing a router’s configuration at the same time, you can get yourself into trouble. Read the rest of this entry »