Hi,
I am very proud to tell you all that I passed my JNCIE-SEC lab exam.
Later this week I will make a post on how I prepared myself for this exam.
GreetZ,
Frac
Wednesday, August 3, 2011
Monday, May 4, 2009
The Branch SRX
Juniper Networks has released the branch SRX firewalls/IDPs.
These SRX (210/240/650) scale from 750 Mbps to 8 Gbps of firewalling, 80 Mbps to 900 Mbps of IDP, 75 Mbps to 1.5 Gbps of VPN and 30 Mbps to 350 Mbps of antivirus.
These are impressive figures again. And that isn't the only nice thing: they also support switching PIMs, etc.
Read more about them here.
Wednesday, April 23, 2008
Proxy ARP
Hi all,
Proxy ARP is something that not everyone understands well. Some devices can do it, others cannot, and some do it automatically (sometimes), etc.
Here I will give a brief overview of how Juniper (ScreenOS) firewalls handle proxy ARP.
As most of you know, there are five ways to do NAT on a Juniper firewall:
MIP (Mapped IP): one to one (bidirectional)
DIP (Dynamic IP): many to one (unidirectional, source NAT)
VIP (Virtual IP): one to many (unidirectional, per service port)
Destination NAT (policy-based): one to one or one to many (unidirectional)
Source NAT (policy-based): many to one or one to one (unidirectional)
That is the overview of NAT. Now, for which of these NAT addresses will the firewall proxy-ARP?
Yes:
-MIP
-VIP
No:
-Policy-based destination NAT
So when you use policy-based destination NAT you will have a problem: the upstream router sends an ARP request for the NAT address and nobody answers it. There are two ways around this: place a static ARP entry for the NAT address (pointing at the firewall's interface MAC) on the upstream router, or, when the NAT address is not in the same network as the firewall interface, place a route for it on the upstream router pointing to the (cluster) IP of the Juniper firewall.
Sometimes this isn't an option, because the upstream router isn't managed by you. Then you need the firewall itself to proxy-ARP for these NAT addresses.
Well, there is a hidden command, "set arp nat-dst", which makes the firewall proxy-ARP for destination NAT addresses, but only in certain situations!
When will it do it and when not:
• The destination NAT policy must be configured with the same source and destination Layer 3 security zone. Traffic that matches the policy can then still be sent to any Layer 3 security zone.
• The device does not respond to an ARP request if the destination NAT IP is in the same incoming subnet as a secondary IP address.
• In an HA environment, the device only supports the destination NAT ARP capability when using NSRP Active/Passive on interfaces that reside in VSD ID 0.
• In ScreenOS 5.0r7 and below, the device does not respond to an ARP request for a destination NAT IP that is in the same subnet as the incoming interface of the destination NAT policy.
Hope this helps you all.
Labels:
ARP,
Dest-nat,
Juniper Networks,
NAT