Saturday, 22 September 2012
Junos : SRX Series Hardware EOS Dates & Milestones
The following SRX Series product(s) have all been announced as End of Life (EOL). The End of Support (EOS) milestone dates for the five (5) year support model are published below.

Product | EOL Announce Date | Last Order Date | Last Date to Convert Warranty | Same Day Support Discontinued | Next Day Support Discontinued | End of Support
---|---|---|---|---|---|---
SRX-MP-1SFP | 02/15/12 | 08/31/12 | 08/31/13 | 08/31/14 | 08/31/16 | 08/31/17
JX-SFP SKUs | 11/15/11 | 02/28/12 | 02/28/13 | 02/28/14 | 02/28/16 | 02/28/17
SRX210B, SRX210H, SRX210H-POE | 11/15/11 | 08/31/12 | 08/31/13 | 08/31/14 | 08/31/16 | 08/31/17
EXPCD-3G-CDMA-V | 11/15/11 | 02/28/12 | 02/28/13 | 02/28/13 | 02/28/14 | 02/28/14
EXPCD-3G-CDMA-S | 11/15/11 | 10/31/11 | 10/31/12 | 10/31/12 | 10/31/13 | 10/31/13
SRX210H-P-MGW, SRX220H-P-MGW, SRX240H-P-MGW, SRX-MP-VA04, SRX-MP-VA04, SRX-MP-VA22 | 01/24/11 | 01/24/11 | 01/24/11 | 01/24/11 | 01/24/11 | 01/24/1
Tuesday, 18 September 2012
Junos: automatic rollback How To
From your telnet session on JUNOS, delete the telnet statement under the system services level and commit in a way that, if you lose your connection to JUNOS, the configuration is automatically rolled back after 1 minute.
Exit both configuration and operational modes to go back to JUNOS. Try to telnet again to 192.168.1.2; this should not work. Wait about 2 minutes (take a coffee break) and try again. This time it should work as your previous commit should have been rolled back.
Solution
[edit]
junuser@JUNOS2# delete system services telnet

[edit]
junuser@JUNOS2# commit confirmed 1
commit confirmed will be automatically rolled back in 1 minutes unless confirmed
commit complete

# commit confirmed will be rolled back in 1 minute
[edit]
junuser@JUNOS2# exit
Exiting configuration mode

# commit confirmed will be rolled back in 1 minute
junuser@JUNOS2> exit
Sunday, 16 September 2012
Junos : Source NAT HOWTO
How to access internal resources using the external static NAT address
Internal (trust) zone clients accessing internal resources using the external interface (untrust) static NAT address.
Topology
The 192.168.1.1 address is translated to 100.100.100.101/24 (static NAT).
In this example, the internal client (192.168.1.2) will access the internal web server using the external IP address (100.100.100.101).
This is commonly used in scenarios where DNS resolves the web server name to its public IP.
Solution:
Configuration steps:
Configure static NAT for the internal web server.
The static NAT configured on the SRX for an internal web server should be mapped in both directions (internal interface as well as external interface).
root@juniper# show security
nat {
    static {
        rule-set Staticnat {
            from routing-instance default;
            rule Internal_Webserver {
                match {
                    destination-address 100.100.100.101/32;
                }
                then {
                    static-nat prefix 192.168.1.1/32;
                }
            }
        }
    }
}
Configure source NAT for the internal IP.
Source NAT should be configured on the device so that packets with the internal client as source and the internal web server as destination are translated to a dummy IP that does not exist on the internal network. This ensures that the return packets are routed via the firewall rather than delivered directly on the internal subnet.
root@juniper# show security
nat {
    source {
        pool Dummypool {
            address {
                192.168.100.1/32;
            }
        }
        rule-set Snat {
            from zone trust;
            to zone trust;
            rule InternalNat {
                match {
                    source-address 192.168.1.2/32;
                    destination-address 192.168.1.1/32;
                }
                then {
                    source-nat {
                        pool {
                            Dummypool;
                        }
                    }
                }
            }
        }
    }
}
Configure proxy ARP (optional).
If the static NAT IP and the firewall's external interface IP are in the same subnet, enable proxy ARP on the external interface.
root@juniper# show security
nat {
    proxy-arp {
        interface ge-0/0/1.0 {
            address {
                100.100.100.101/32;
            }
        }
    }
}
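As an added walk-through (illustration code written for this page, not SRX code or the author's), the following Python model applies the static NAT and source NAT rules above to a client request and to the server's reply, with and without the trust-to-trust source NAT rule, to show why the reply has to come back through the firewall. The addresses are the ones from the configuration; the packet model and helper names are constructed.

```python
"""Hairpin NAT walk-through built on the example configuration above.

Illustration only (not SRX code): applies the two NAT rules to a request from
the internal client to the public address and to the server's reply, with and
without the trust-to-trust source NAT rule.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Addresses from the configuration in the post.
CLIENT = "192.168.1.2"        # internal client
SERVER = "192.168.1.1"        # internal web server (static NAT target)
PUBLIC = "100.100.100.101"    # static NAT address on the untrust side
DUMMY = "192.168.100.1"       # pool "Dummypool", deliberately off the internal subnet
INTERNAL_SUBNET = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def firewall_forward(pkt: Packet, source_nat: bool) -> Packet:
    """Client-to-server direction as the SRX translates it."""
    # Static NAT rule Internal_Webserver: destination 100.100.100.101 -> 192.168.1.1.
    if pkt.dst == PUBLIC:
        pkt = replace(pkt, dst=SERVER)
    # Source NAT rule InternalNat (from zone trust to zone trust):
    # source 192.168.1.2 to destination 192.168.1.1 is rewritten to Dummypool.
    if source_nat and pkt.src == CLIENT and pkt.dst == SERVER:
        pkt = replace(pkt, src=DUMMY)
    return pkt


def firewall_reverse(pkt: Packet) -> Packet:
    """Server-to-client direction: the session's translations are undone."""
    if pkt.dst == DUMMY:
        pkt = replace(pkt, dst=CLIENT)
    if pkt.src == SERVER:
        pkt = replace(pkt, src=PUBLIC)
    return pkt


def server_reply_path(reply: Packet) -> str:
    """An on-link destination is delivered directly; anything else goes to the
    default gateway, which is the firewall."""
    return "direct" if ip_address(reply.dst) in INTERNAL_SUBNET else "firewall"


def hairpin(source_nat: bool) -> dict:
    """Run one request/reply exchange and report what the client ends up seeing."""
    request = Packet(CLIENT, PUBLIC)              # DNS gave the client the public address
    at_server = firewall_forward(request, source_nat)
    reply = Packet(src=at_server.dst, dst=at_server.src)   # server answers whoever it saw
    path = server_reply_path(reply)
    seen_by_client = firewall_reverse(reply) if path == "firewall" else reply
    # The client's stack only matches the reply to its session if it comes from
    # the address it sent to (100.100.100.101); a reply from 192.168.1.1 is dropped.
    session_matches = (seen_by_client.src == request.dst
                       and seen_by_client.dst == request.src)
    return {"reply_path": path, "client_sees_src": seen_by_client.src,
            "session_matches": session_matches}


if __name__ == "__main__":
    for flag in (False, True):
        print("with source NAT" if flag else "without source NAT", hairpin(flag))
```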
Tuesday, 11 September 2012
Junos : Basic configuration
1. Set the host name
# set system host-name <name>
2. Set the system domain name
# set system domain-name <example.com>
3. Configure the management port for remote support
# set interfaces fxp0 unit 0 family inet address <192.168.1.1>
** The management port depends on the platform. Run show interfaces terse to identify the interface name. **
# set routing-options static route 0.0.0.0/0 next-hop <x.x.x.x> (default gateway)
4. Configure the name server (DNS)
# set system name-server <dns ip>
5. Configure the root password
# set system root-authentication plain-text-password
** WITHOUT A ROOT AUTHENTICATION PASSWORD, THE COMMIT WILL FAIL. **
6. Configure the NTP server
# set system ntp server <8.8.8.8>
7. Configure the system time zone
# set system time-zone <time-zone>
8. Configure SSH
# set system services ssh
# set interfaces lo0 unit 0 family inet address <x.x.x.x>
9. Create a user
# set system login user <example> class super-user
# set system login user <example> authentication plain-text-password
** ALWAYS RUN SHOW | COMPARE TO DOUBLE-CHECK THE CONFIGURATION BEFORE YOU COMMIT **
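As an added illustration (written for this page; not Junos code or anything from this blog), the following Python model reproduces the two behaviours relied on by the "automatic rollback" post above and by the root-password warning in this post: a commit without system root-authentication is refused, and a commit confirmed that is never confirmed rolls back on its own. The statement names are the Junos ones from the posts; the class, the clock and the password hash value are constructed.

```python
"""Model of the Junos candidate/active configuration and 'commit confirmed'.

Illustration only (not Junos code): a commit without 'system root-authentication'
is refused, and a 'commit confirmed <minutes>' that is never confirmed rolls back.
"""
from __future__ import annotations

import copy
import shlex


class CommitError(Exception):
    """Raised when the candidate configuration fails the commit check."""


class JunosConfigModel:
    """Configuration as a nested dict keyed by the tokens of a 'set' statement."""

    def __init__(self) -> None:
        self.active: dict = {}            # committed configuration
        self.candidate: dict = {}         # working copy edited with set/delete
        self.rollback: list[dict] = []    # earlier active configs, index 0 = most recent
        self.confirm_deadline: int | None = None  # minute at which an unconfirmed commit rolls back

    # -- configuration mode editing ------------------------------------------
    def set(self, statement: str) -> None:
        node = self.candidate
        for tok in shlex.split(statement):
            node = node.setdefault(tok, {})

    def delete(self, statement: str) -> bool:
        toks = shlex.split(statement)
        node = self.candidate
        for tok in toks[:-1]:
            node = node.get(tok)
            if node is None:
                return False
        return node.pop(toks[-1], None) is not None

    def has(self, statement: str, active: bool = True) -> bool:
        node = self.active if active else self.candidate
        for tok in shlex.split(statement):
            if tok not in node:
                return False
            node = node[tok]
        return True

    # -- commit ----------------------------------------------------------------
    def commit(self, now: int, confirmed: int | None = None) -> str:
        """'commit' (confirmed=None) or 'commit confirmed <minutes>' at minute 'now'."""
        # Junos refuses to commit without a root password (the warning in this post).
        if not self.has("system root-authentication", active=False):
            raise CommitError("Missing mandatory statement: system root-authentication")
        if confirmed is None:
            self.confirm_deadline = None      # a plain commit confirms a pending one
        self.rollback.insert(0, copy.deepcopy(self.active))
        self.active = copy.deepcopy(self.candidate)
        if confirmed is not None:
            self.confirm_deadline = now + confirmed
            return (f"commit confirmed will be automatically rolled back in "
                    f"{confirmed} minutes unless confirmed")
        return "commit complete"

    def tick(self, now: int) -> bool:
        """Advance the clock to minute 'now'; returns True if a rollback happened."""
        if self.confirm_deadline is None or now < self.confirm_deadline:
            return False
        self.confirm_deadline = None
        previous = self.rollback[0]               # the config before the confirmed commit
        self.rollback.insert(0, self.active)      # the rollback itself is a commit too
        self.active = copy.deepcopy(previous)
        self.candidate = copy.deepcopy(self.active)
        return True


def telnet_rollback_demo() -> dict:
    """The 'automatic rollback' post's scenario replayed on the model."""
    dev = JunosConfigModel()
    for stmt in ("system host-name JUNOS2",
                 "system root-authentication encrypted-password PLACEHOLDER_HASH",  # constructed
                 "system services ssh",
                 "system services telnet"):
        dev.set(stmt)
    dev.commit(now=0)                               # baseline: telnet is enabled
    dev.delete("system services telnet")
    dev.commit(now=0, confirmed=1)                  # the operator's telnet session drops here
    telnet_after_commit = dev.has("system services telnet")
    rolled_back = dev.tick(now=2)                   # two minutes later, nobody confirmed
    return {"telnet_after_commit": telnet_after_commit,        # False
            "rolled_back": rolled_back,                        # True
            "telnet_after_rollback": dev.has("system services telnet")}  # True


def missing_root_password_demo() -> bool:
    """The basic-configuration warning: a commit without root-authentication fails."""
    dev = JunosConfigModel()
    dev.set("system host-name srx")
    try:
        dev.commit(now=0)
    except CommitError:
        return True
    return False
```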
Friday, 7 September 2012
Junos: Known Limitations in Junos OS Release 12.1 for Branch SRX Series Services Gateways
ADSL Mini-PIM
- SRX Series - ADSL Mini-PIM - It takes more than 5 minutes for the ATM interface to show up when the CPE is configured in ANSI-DMT mode and the CO is configured in auto mode. This occurs only with the ALU 7300 DSLAM, due to a limitation in the current firmware version running on the ADSL Mini-PIM.
AppSecure
- Junos OS application identification—When you create custom application or nested application signatures for Junos OS application identification, the order value must be unique among all predefined and custom application signatures. The order value determines the application matching priority of the application signature.
The order value is set with the set services application-identification application application-name signature order command. You can also view all signature order values by entering the show services application-identification | display set | match order command. You will need to change the order number of the custom signature if it conflicts with another application signature.
- J-Web pages for AppSecure are preliminary.
- Custom application signatures and custom nested application signatures are not currently supported by J-Web.
- When ALG is enabled, AppID includes the ALG result to identify the application of the control sessions. AppFW permits ALG data sessions whenever control sessions are permitted. If the control session is denied, there will be no data sessions. When ALG is disabled, AppID relies on its signatures to identify the application of the control and data sessions. If a signature match is not found, the application is considered unknown. AppFW handles them based on the AppID result.
AX411 Access Points
- On SRX210, SRX240, and SRX650 devices, up to four access points (maximum) can be configured and managed.
- On all branch SRX Series devices, managing AX411 WLAN Access Points through a Layer 3 Aggregated Ethernet (ae) interface is not supported.
Chassis Cluster
- SRX100, SRX210, SRX240, and SRX650 devices have the following chassis cluster limitations:
- Virtual Router Redundancy Protocol (VRRP) is not supported.
- In-service software upgrade (ISSU) is not supported.
- The 3G dialer interface is not supported.
- On SRX Series device failover, access points on the Layer 2 switch reboot and all wireless clients lose connectivity for 4 to 6 minutes.
- On very-high-bit-rate digital subscriber line (VDSL) mini-PIM, chassis cluster is not supported for VDSL mode.
- Queuing on the aggregated Ethernet (ae) interface is not supported.
- Group VPN is not supported.
- Sampling features like J-Flow, packet capture, and port mirroring on the reth interface are not supported.
- Switching is not supported in chassis cluster mode for SRX100 and SRX210.
- The Chassis Cluster MIB is not supported.
- Any packet-based services like MPLS and CLNS are not supported.
- lsq-0/0/0—Link services Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Compressed Real-Time Transport Protocol (CRTP) are not supported.
- lt-0/0/0—CoS for real-time performance monitoring (RPM) is not supported.
- PP0: PPPoE, PPPoEoA is not supported.
- Packet-based forwarding for MPLS and International Organization for Standardization (ISO) protocol families is not supported.
- Layer 2 Ethernet switching: The factory default configuration for SRX100 and SRX210 devices automatically enables Layer 2 Ethernet switching. Because Layer 2 Ethernet switching is not supported in chassis cluster mode, for these devices, if you use the factory default configuration, you must delete the Ethernet switching configuration before you enable chassis clustering.
Caution: Enabling chassis clustering while Ethernet switching is enabled is not a supported configuration and might result in undesirable behavior from the devices, leading to possible network instability.
The default configuration for other SRX Series devices and all J Series devices does not automatically enable Ethernet switching. However, if you have enabled Ethernet switching, be sure to disable it before enabling clustering on these devices too.
- On all branch SRX Series devices, only redundant Ethernet interfaces (reth) are supported for IKE external interface configuration in IPsec VPN. Other interface types can be configured, but IPsec VPN might not work.
Command-Line Interface (CLI)
- On all branch SRX and all J Series devices, the clear services flow command is not supported.
- On SRX210 and SRX240 devices, J-Web crashes if more than nine users log in to the device by using the CLI. The number of users allowed to access the device is limited as follows:
- For SRX210 devices: four CLI users and three J-Web users
- For SRX240 devices: six CLI users and five J-Web users
- On J6350 devices, there is a difference between the power ratings provided in the user documentation (J Series Services Routers Hardware Guide and PIM, uPIM, and ePIM Power and Thermal Calculator) and the power ratings displayed by the CLI (by a unit of 1). The cause of this issue is a round-off error: the CLI display rounds the value down to the lower integer, whereas the user documentation rounds the value up to the higher integer. As a workaround, follow the user documentation for accurate ratings.
DOCSIS Mini-PIM
- On SRX210 devices, the DOCSIS Mini-PIM delivers speeds up to a maximum of 100 Mbps throughput in each direction.
Dynamic Host Configuration Protocol (DHCP)
- On all branch SRX Series and J Series devices, DHCPv6 client authentication is not supported.
Dynamic VPN
SRX100, SRX210, and SRX240 devices have the following limitations:
- The IKE configuration for the Junos Pulse client does not support the hexadecimal preshared key.
- The Junos Pulse client IPsec does not support the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol with NULL authentication.
- When you log in through the Web browser (instead of logging in through the Junos Pulse client) and a new client is available, you are prompted for a client upgrade even if the force-upgrade option is configured. Conversely, if you log in using the Junos Pulse client with the force-upgrade option configured, the client upgrade occurs automatically (without a prompt).
- On all branch SRX Series devices, DH-group 14 is not supported for dynamic VPN.
- On all branch SRX Series devices, when you download the Pulse client using the Mozilla browser, the “Launching the VPN Client” page is displayed when Junos Pulse is still downloading. However, when you download the Pulse client using Internet Explorer, “Launching the VPN Client” page is displayed after Junos Pulse has been downloaded and installed.
Flow and Processing
- On all branch SRX Series and J Series devices, a mismatch between the Firewall Counter Packet and Byte Statistics values, and between the Interface Packet and Byte Statistics values, might occur when the rate of traffic increases above certain rates of traffic.
- On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, due to a limit on the number of large packet buffers, Routing Engine based sampling might run out of buffers for packet sizes greater than or equal to 1500 bytes and hence those packets will not be sampled. You could run out of buffers when the rate of the traffic stream is high.
- On SRX100 and SRX240 devices, the data file transfer rate above 20 megabits per second is reduced by 60 percent with the introduction of the Junos Pulse 1.0 client, as compared to the Acadia client that was used before Junos OS Release 11.1.
- On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the default authentication table capacity is 10,000; the administrator can increase the capacity to a maximum of 15,000.
- On all branch SRX Series and J Series devices, when devices are operating in flow mode, the Routing Engine side cannot detect the path maximum transmission unit (PMTU) of an IPv6 multicast address (with a large size packet).
- On all branch SRX Series devices, you cannot configure route policies and route patterns in the same dial plan.
- On all branch SRX Series devices, you can configure no more than four members in a station group. Station groups are used for hunt groups and ring groups.
- On all J Series devices, even when forwarding options are set to drop packets for the ISO protocol family, the device forms End System-to-Intermediate System (ES-IS) adjacencies and transmits packets because ES-IS packets are Layer 2 terminating packets.
- On all branch SRX Series and J Series devices, high CPU utilization triggered for reasons such as CPU intensive commands and SNMP walks causes the Bidirectional Forwarding Detection protocol (BFD) to flap while processing large BGP updates.
- On SRX210, SRX240, and J Series devices, broadcast TFTP is not supported when flow is enabled on the device.
- Maximum concurrent SSH, Telnet, and Web sessions: On SRX210, SRX240, and SRX650 devices, the maximum number of concurrent sessions is as follows:

Sessions | SRX210 | SRX240 | SRX650
---|---|---|---
ssh | 3 | 5 | 5
telnet | 3 | 5 | 5
Web | 3 | 5 | 5

Note: These defaults are provided for performance reasons.
- On SRX210 and SRX240 devices, for optimized efficiency, we recommend that you limit use of the CLI and J-Web to the numbers of sessions listed in the following table:

Device | CLI | J-Web | Console
---|---|---|---
SRX210 | 3 | 3 | 1
SRX240 | 5 | 5 | 1
- On SRX100 devices, Layer 3 control protocols (OSPF, using multicast destination MAC address) on the VLAN Layer 3 interface work only with access switch ports.
Group VPN Interoperability with Cisco’s GET VPN for Juniper Networks Security Devices that Support Group VPN
Cisco’s implementation of the Group Domain of Interpretation (GDOI) is called Group Encryption Transport (GET) VPN. While group VPN in Junos OS and Cisco's GET VPN are both based on RFC 3547, The Group Domain of Interpretation, there are some implementation differences that you need to be aware of when deploying GDOI in a networking environment that includes both Juniper Networks security devices and Cisco routers. This topic discusses important items to note when using Cisco routers with GET VPN and Juniper Networks security devices with group VPN.
Cisco GET VPN members and Juniper group VPN members can interoperate as long as the server role is played by a Cisco GET VPN server, Juniper Networks security devices are group members, and the following caveats are observed:
- The group VPN in Release 12.1 of Junos OS has been tested with Cisco GET VPN servers running Version 12.4(22)T and Version 12.4(24)T.
- To avoid traffic disruption, do not enable rekey on a Cisco server when the VPN group includes a Juniper Networks security device. The Cisco GET VPN server implements a proprietary ACK for unicast rekey messages. If a group member does not respond to the unicast rekey messages, the group member is removed from the group and is not able to receive rekeys. An out-of-date key causes the remote peer to treat IPsec packets as bad security parameter indexes (SPIs). The Juniper Networks security device can recover from this situation by reregistering with the server to download the new key.
- Antireplay must be disabled on the Cisco server when a VPN group of more than two members includes a Juniper Networks security device. The Cisco server supports time-based antireplay by default. A Juniper Networks security device will not interoperate with a Cisco group member if time-based antireplay is used because the timestamp in the IPsec packet is proprietary. Juniper Networks security devices are not able to synchronize time with the Cisco GET VPN server and Cisco GET VPN members because the sync payload is also proprietary. Counter-based antireplay can be enabled if there are only two group members.
- According to Cisco documentation, the Cisco GET VPN server triggers rekeys 90 seconds before a key expires, and the Cisco GET VPN member triggers rekeys 60 seconds before a key expires. When interacting with a Cisco GET VPN server, a Juniper Networks security device member needs to match Cisco behavior.
- A Cisco GET VPN member accepts all keys downloaded from the GET VPN server. Policies associated with the keys are dynamically installed. A policy does not have to be configured on a Cisco GET VPN member locally, but a deny policy can optionally be configured to prevent certain traffic from passing through the security policies set by the server. For example, the server can set a policy to have traffic between subnet A and subnet B be encrypted by key 1. The member can set a deny policy to allow OSPF traffic between subnet A and subnet B not to be encrypted by key 1. However, the member cannot set a permit policy to allow more traffic to be protected by the key. The centralized security policy configuration does not apply to the Juniper Networks security device.
- On a Juniper Networks security device, the ipsec-group-vpn configuration statement in the permit tunnel rule in a scope policy references the group VPN. This allows multiple policies referencing a VPN to share an SA. This configuration is required to interoperate with Cisco GET VPN servers.
- Logical key hierarchy (LKH), a method for adding and removing group members, is not supported with group VPN on Juniper Networks security devices.
- GET VPN members can be configured for cooperative key servers (COOP KSs), an ordered list of servers with which the member can register or reregister. Multiple group servers cannot be configured on group VPN members.
Hardware
This section covers filter and policing limitations.
- On SRX650 devices, the T1/E1 GPIMs (2-port or 4-port version) do not work in Junos OS Release 9.6R1. This issue is resolved in Junos OS Release 9.6R2 and later releases, but if you roll back to the 9.6R1 image, this issue is still seen.
Interfaces and Routing
- On SRX650 devices, you can only create a maximum of 63 physical interface devices with 1GB RAM capacity. Therefore, we recommend that you use only seven octal serial cards to create physical interface devices. To optimally use the 8xoctal serial cards, and to create 64 physical interface devices, you require an SRX-650 device with 2 GB RAM capacity.
- On SRX100 and J Series devices, dynamic VLAN assignments and guest VLANs are not supported.
- On SRX650 devices, Ethernet switching is not supported on Gigabit Ethernet interfaces (ge-0/0/0 through ge-0/0/3 ports).
- On SRX210, SRX220, SRX240, and SRX650 devices, logs cannot be sent to NSM when logging is configured in stream mode. Logs cannot be sent because the security log does not support configuring the source IP address for the fxp0 interface, and the security log destination in stream mode cannot be routed through the fxp0 interface. This means that you cannot configure the security log server in the same subnet as the fxp0 interface and route to the log server through the fxp0 interface.
- On all branch SRX Series devices, the number of child interfaces per node is restricted to 4 on the reth interface and the number of child interfaces per reth interface is restricted to 8.
- On SRX240 High Memory devices, traffic might stop between the SRX240 device and the Cisco switch due to link mode mismatch. We recommend setting autonegotiation parameters on both ends to the same value.
- On SRX100 devices, the link goes down when you upgrade FPGA on 1xGE SFP. As a workaround, run the restart fpc command and restart the FPC.
- On SRX210 devices with VDSL2, ATM CoS VBR-related functionality cannot be tested.
- On SRX210 devices, Internet Group Management Protocol version 2 (IGMPv2) JOINS messages are dropped on an integrated routing and bridging (IRB) interface. As a workaround, enable IGMP snooping to use IGMP over IRB interfaces.
- On all J Series devices, the DS3 interface does not have an option to configure multilink-frame-relay-uni-nni (MFR).
- On SRX210, SRX220, and SRX240 devices, every time the VDSL2 PIM is restarted in the asymmetric digital subscriber line (ADSL) mode, the first packet passing through the PIM is dropped.
- On SRX240 Low Memory devices and SRX240 High Memory devices, the RPM server operation does not work when the probe is configured with the option destination-interface.
- On all J Series devices, Link Layer Discovery Protocol (LLDP) is not supported on routed ports.
- In J Series xDSL PIMs, mapping between IP CoS and ATM CoS is not supported. If the user configures IP CoS in conjunction with ATM CoS, the logical interface level shaper matching the ATM CoS rate must be configured to avoid congestion drops in segmentation and reassembly (SAR).
Example:
set interfaces at-5/0/0 unit 0 vci 1.110
set interfaces at-5/0/0 unit 0 shaping cbr 62400                           (ATM CoS)
set class-of-service interfaces at-5/0/0 unit 0 scheduler-map sche_map     (IP CoS)
set class-of-service interfaces at-5/0/0 unit 0 shaping-rate 62400         (add IFL shaper)
- On SRX210, SRX220, and SRX240 devices, 1-port Gigabit Ethernet SFP mini-PIM does not support switching in Junos OS Release 12.1.
- On SRX650 devices, MAC pause frame and frame check sequence (FCS) error frame counters are not supported for the interfaces ge-0/0/0 through ge-0/0/3.
- On SRX240 and SRX650 devices, the VLAN range from 3967 to 4094 falls under the reserved VLAN address range, and the user is not allowed any configured VLANs from this range.
- On SRX650 devices, the last four ports of a 24-Gigabit Ethernet switch GPIM can be used either as RJ-45 or SFP ports. If both are present and providing power, the SFP media is preferred. If the SFP media is removed or the link is brought down, then the interface will switch to the RJ-45 medium. This can take up to 15 seconds, during which the LED for the RJ-45 port might go on and off intermittently. Similarly, when the RJ-45 medium is active and a small form-factor pluggable transceiver (SFP) link is brought up, the interface will transition to the SFP medium, and this transition could also take a few seconds.
- On SRX210 devices, the USB modem interface can handle bidirectional traffic of up to 19 Kbps. On oversubscription of this amount (that is, bidirectional traffic of 20 Kbps or above), keepalives do not get exchanged, and the interface goes down.
- On SRX100, SRX210, SRX240, and SRX650 devices, on the Layer 3 ae interface, the following features are not supported:
- Encapsulations (such as CCC, VLAN CCC, VPLS, and PPPOE) on Layer 3 ae interfaces
- J-Web
- Layer 3 ae for 10-Gigabit Ethernet
- On SRX100 devices, the multicast data traffic is not supported on IRB interfaces.
- On SRX240 High Memory devices, when the system login deny-sources statement is used to restrict access, it blocks the remote copy (rcp) between nodes that is used to copy the configuration during the commit routine. Use a firewall filter on the lo0.0 interface to restrict Routing Engine access instead. However, if you choose to use the system login deny-sources statement, check the private addresses that were automatically configured on lo0.x and sp-0/0/0.x and exclude them from the denied list.
- On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, LLDP is not supported on VLAN-tagged routed interfaces.
Internet Key Exchange Version 2 (IKEv2)
On all branch SRX Series devices, IKEv2 does not include support for:
- Policy-based tunnels
- Dial-up tunnels
- Network Address Translation-Traversal (NAT-T)
- VPN monitoring
- Next-Hop Tunnel Binding (NHTB) for st0—Reusing the same tunnel interface for multiple tunnels
- Extensible Authentication Protocol (EAP)
- IPv6
- Multiple child SAs for the same traffic selectors for each QoS value
- Proposal enhancement features
- Reuse of Diffie-Hellman (DH) exponentials
- Configuration payloads
- IP Payload Compression Protocol (IPComp)
- Dynamic Endpoint (DEP)
Internet Protocol Security (IPsec)
- On all branch SRX Series devices, when you enable VPN, overlapping of the IP addresses across virtual routers is supported with following limitations:
- An IKE external interface address cannot overlap with any other virtual router.
- An internal/trust interface address can overlap across virtual routers.
- An st0 interface address cannot overlap in route-based VPN in point-to-multipoint tunnels such as NHTB.
- An st0 interface address can overlap in route-based VPN in point-to-point tunnels.
Intrusion Detection and Prevention (IDP)
- On all branch SRX Series devices, from Junos OS Release 11.2 and later, the IDP security package is based on the Berkeley database. Hence, when the Junos OS image is upgraded from Junos OS Release 11.1 or earlier to Junos OS 11.2 or later, a migration of IDP security package files needs to be performed. This is done automatically on upgrade when the IDP daemon comes up. Similarly, when the image is downgraded, a migration (secDb install) is automatically performed when the IDP daemon comes up, and previously installed database files get deleted.
However, migration depends on the XML files for the installed database being present on the device. For a first-time installation, full update files are required. If the last update on the device was an incremental update, migration might fail. In that case, you have to manually download and install the IDP security package using the download or install CLI command before using the IDP configuration with predefined attacks or groups.
As a workaround, use the following CLI commands to manually download the individual components of the security package from the Juniper Security Engineering portal and install the full update:
- request security idp security-package download full-update
- request security idp security-package install
- On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the request services application-identification uninstall command will uninstall all predefined signatures.
- On all branch SRX Series devices, IDP does not allow header checks for nonpacket contexts.
- On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the maximum supported number of entries in the ASC table is 100,000. However, because the user-land buffer has a fixed size of 1 MB, it displays a maximum of 38,837 cache entries.
- The maximum number of IDP sessions supported is 16,384 on SRX210 devices, 32,768 on SRX240 devices, and 131,072 on SRX650 devices.
- On all branch SRX Series devices, all IDP policy templates are supported except All Attacks. There is a 100-MB policy size limit for integrated mode and a 150-MB policy size limit for dedicated mode. The current IDP policy templates supported are dynamic, based on the attack signatures being added. Therefore, be aware that supported templates might eventually grow past the policy-size limit.
On all branch SRX Series devices, the following IDP policies are supported:
- DMZ_Services
- DNS_Service
- File_Server
- Getting_Started
- IDP_Default
- Recommended
- Web_Server
- On all branch SRX Series devices, IDP deployed in both active/active and active/passive chassis clusters has the following limitations:
- No inspection of sessions that fail over or fail back.
- The IP action table is not synchronized across nodes.
- The Routing Engine on the secondary node might not be able to reach networks that are reachable only through a Packet Forwarding Engine.
- The SSL session ID cache is not synchronized across nodes. If an SSL session reuses a session ID and it happens to be processed on a node other than the one on which the session ID is cached, the SSL session cannot be decrypted and will be bypassed for IDP inspection.
- On all branch SRX Series devices, IDP deployed in active/active chassis clusters has a limitation that for time-binding scope source traffic, if attacks from a source (with more than one destination) have active sessions distributed across nodes, then the attack might not be detected because time-binding counting has a local-node-only view. Detecting this sort of attack requires an RTO synchronization of the time-binding state that is not currently supported.
Note: On SRX100 devices, IDP high availability (HA) is supported in active/backup mode.
- On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the IDP policies for each user logical system are compiled together and stored on the data plane memory. To estimate adequate data plane memory for a configuration, consider these two factors:
- IDP policies applied to each user logical system are considered unique instances because the ID and zones for each user logical system are different. Estimates need to take into account the combined memory requirements for all user logical systems.
- As the application database increases, compiled policies will require more memory. Memory usage should be kept below the available data plane memory to allow for database increases.
IPv6 IPsec
The IPv6 IPsec implementation has the following limitations:
- IPv6 routers do not perform fragmentation. IPv6 hosts should either perform path maximum transmission unit (PMTU) discovery or send packets smaller than the IPv6 minimum MTU size of 1280 bytes.
- Because IPv6 addresses are 128 bits long compared to IPv4 addresses, which are 32 bits long, IPv6 IPsec packet processing requires more resources. Therefore, a small performance degradation is observed.
- IPv6 uses more memory to set up the IPsec tunnel. Therefore, the IPsec IPv4 tunnel scalability numbers might drop.
- The addition of IPv6 capability might cause a drop in the IPsec IPv4-in-IPv4 tunnel throughput performance.
- The IPv6 IPsec VPN does not support the following functions:
- 4in6 and 6in4 policy-based site-to-site VPN, IKE
- 4in6 and 6in4 route-based site-to-site VPN, IKE
- 4in6 and 6in4 policy-based site-to-site VPN, Manual Key
- 4in6 and 6in4 route-based site-to-site VPN, Manual Key
- 4in4, 6in6, 4in6, and 6in4 policy-based dial-up VPN, IKE
- 4in4, 6in6, 4in6, and 6in4 policy-based dial-up VPN, Manual Key
- Remote Access—XAuth, config mode, and shared IKE identity with mandatory XAuth
- IKE authentication—public key infrastructure/digital signature algorithm (PKI/DSA)
- IKE peer type—Dynamic IP
- Chassis cluster for basic VPN features
- IKE authentication—PKI/RSA
- Network Address Translation-Traversal (NAT-T)
- VPN monitoring
- Hub-and-spoke VPNs
- Next Hop Tunnel Binding Table (NHTB)
- Dead Peer Detection (DPD)
- Simple Network Management Protocol (SNMP) for IPsec VPN MIBs
- Chassis cluster for advanced VPN features
- IPv6 link-local address
Layer 2 Transparent Mode
- DHCP server propagation is not supported in Layer 2 transparent mode.
IPv6 Support
- NSM—Consult the Network and Security Manager (NSM) release notes for version compatibility, required schema updates, platform limitations, and other specific details regarding NSM support for IPv6 addressing on SRX Series and J Series devices.
J-Web
- SRX Series and J Series browser compatibility
- To access the J-Web interface, your management device requires the following software:
- Supported browsers—Microsoft Internet Explorer version 7.0 or Mozilla Firefox version 3.0
- Language support—English-version browsers
- Supported OS—Microsoft Windows XP Service Pack 3
- If the device is running the worldwide version of the Junos OS and you are using the Microsoft Internet Explorer Web browser, you must disable the Use SSL 3.0 option in the Web browser to access the device.
- To use the Chassis View, a recent version of Adobe Flash that supports ActionScript and AJAX (Version 9) must be installed. Also note that the Chassis View is displayed by default on the Dashboard page. You can enable or disable it using options in the Dashboard Preference dialog box, but clearing cookies in Internet Explorer also causes the Chassis View to be displayed.
- On all branch SRX Series devices, in the J-Web interface, there is no support for changing the T1 interface to an E1 interface or vice versa. As a workaround, use the CLI to convert from T1 to E1 and vice versa.
- On all branch SRX Series and J Series devices, users cannot differentiate between Active and Inactive configurations on the System Identity, Management Access, User Management, and Date & Time pages.
- On SRX210 devices, there is no maximum length when the user commits the hostname in CLI mode; however, only 58 characters, maximum, are displayed in the J-Web System Identification panel.
- On all J Series devices, some J-Web pages for new features (for example, the Quick Configuration page for the switching features on J Series devices) display content in one or more modal pop-up windows. In the modal pop-up windows, you can interact only with the content in the window and not with the rest of the J-Web page. As a result, online Help is not available when modal pop-up windows are displayed. You can access the online Help for a feature only by clicking the Help button on a J-Web page.
- On all branch SRX Series devices, you cannot use J-Web to configure a VLAN interface for an IKE gateway. VLAN interfaces are not currently supported for use as IKE external interfaces.
Network Address Translation (NAT)
- Maximum capacities for source pools and IP addresses have been extended on SRX650 devices, as follows:

Devices | Source NAT Pools | PAT Maximum Address Capacity | PAT Port Number | Source NAT Rules Number |
---|---|---|---|---|
SRX650 | 1024 | 1024 | 64M | 1024 |
- Increasing the capacity of source NAT pools consumes memory needed for port allocation. When source NAT pool and IP address limits are reached, port ranges should be reassigned. That is, the number of ports for each IP address should be decreased when the number of IP addresses and source NAT pools is increased. This ensures NAT does not consume too much memory. Use the port-range statement in configuration mode in the CLI to assign a new port range or the pool-default-port-range statement to override the specified default.
- Configuring port overloading should also be done carefully when source NAT pools are increased.
- For a source pool with port address translation (PAT) in range (64,510 through 65,533), two ports are allocated at one time for RTP/RTCP applications, such as SIP, H.323, and RTSP. In these scenarios, each IP address supports PAT, occupying 2048 ports (64,512 through 65,535) for Application Layer Gateway (ALG) module use.
- NAT rule capacity change—To support the use of large-scale NAT (LSN) at the edge of the carrier network, the device-wide NAT rule capacity has been changed.
Table: Number of Rules on SRX Series and J Series Devices

NAT Rule Type | SRX100 | SRX210 | SRX240 | SRX650 | J Series |
---|---|---|---|---|---|
Source NAT rule | 512 | 512 | 1024 | 1024 | 512 |
Destination NAT rule | 512 | 512 | 1024 | 1024 | 512 |
Static NAT rule | 512 | 512 | 1024 | 6144 | 512 |

The restriction on the number of rules per rule set has been increased so that there is only a device-wide limitation on how many rules a device can support. This restriction is provided to help you better plan and configure the NAT rules for the device.
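The source NAT items above give a planning rule rather than a formula: as pools and addresses grow, the per-address port range (and any port overloading) must shrink so the device-wide PAT port budget is not exhausted, and each PAT address also gives up 2048 ports (64,512 through 65,535) to the ALG module. The following Python is an added example, not Juniper code or anything from the release notes: it checks a planned set of pools against the SRX650 figures in the table above and computes the largest per-address range that still fits. The `SourcePool` representation, the `overload_factor` field and the limits dictionary are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Device-wide capacities for the SRX650, taken from the table above.
SRX650_LIMITS: Dict[str, int] = {
    "source_pools": 1024,
    "pat_addresses": 1024,
    "pat_ports": 64 * 1024 * 1024,  # "64M": 1024 addresses x 65,536 ports
}

# Ports reserved on every PAT address for ALG (RTP/RTCP) use, as stated above.
ALG_RESERVED_LOW, ALG_RESERVED_HIGH = 64512, 65535


@dataclass
class SourcePool:
    """A planned source NAT pool (representation assumed for this example)."""
    name: str
    addresses: int            # number of IP addresses in the pool
    port_low: int             # low end of the per-address PAT port range
    port_high: int            # high end of the per-address PAT port range
    overload_factor: int = 1  # port overloading multiplier; 1 = no overloading (assumption)

    def allocated_ports(self) -> int:
        """Ports this pool takes from the device-wide PAT port budget."""
        size = self.port_high - self.port_low + 1
        return self.addresses * size * self.overload_factor

    def overlaps_alg_range(self) -> bool:
        """True if the configured range collides with the ALG-reserved ports."""
        return self.port_low <= ALG_RESERVED_HIGH and self.port_high >= ALG_RESERVED_LOW


def check_pools(pools: List[SourcePool],
                limits: Dict[str, int] = SRX650_LIMITS) -> List[str]:
    """Return human-readable findings; an empty list means the plan fits."""
    findings: List[str] = []
    if len(pools) > limits["source_pools"]:
        findings.append(f"{len(pools)} source pools exceed the device limit "
                        f"of {limits['source_pools']}")
    total_addresses = sum(p.addresses for p in pools)
    if total_addresses > limits["pat_addresses"]:
        findings.append(f"{total_addresses} PAT addresses exceed the device "
                        f"limit of {limits['pat_addresses']}")
    total_ports = 0
    for p in pools:
        if not (1 <= p.port_low <= p.port_high <= 65535):
            findings.append(f"{p.name}: invalid port range {p.port_low}-{p.port_high}")
            continue
        if p.overlaps_alg_range():
            findings.append(f"{p.name}: port range overlaps the ALG-reserved ports "
                            f"{ALG_RESERVED_LOW}-{ALG_RESERVED_HIGH}")
        total_ports += p.allocated_ports()
    if total_ports > limits["pat_ports"]:
        findings.append(f"{total_ports} allocated ports exceed the PAT port budget "
                        f"of {limits['pat_ports']}; shrink port-range or overloading")
    return findings


def max_ports_per_address(total_addresses: int, overload_factor: int = 1,
                          limits: Dict[str, int] = SRX650_LIMITS) -> int:
    """Largest per-address port-range size that keeps the whole plan within
    the PAT port budget and below the ALG-reserved range (place the range so
    that it ends at or before port 64511)."""
    if total_addresses <= 0 or overload_factor <= 0:
        raise ValueError("address count and overload factor must be positive")
    share = limits["pat_ports"] // (total_addresses * overload_factor)
    return min(share, ALG_RESERVED_LOW - 1)


if __name__ == "__main__":
    # Constructed plan: a full-size pool with port overloading turned on.
    plan = [SourcePool("branch-users", 1024, 1024, 64511, overload_factor=2)]
    for finding in check_pools(plan) or ["plan fits the SRX650 limits"]:
        print(finding)
    print("ports per address that would fit:", max_ports_per_address(1024, 2))
```

The budget in the table is exactly 1024 addresses times 65,536 ports, so a plan without overloading cannot exceed it without first exceeding the address limit; the check becomes useful once overloading multiplies the per-address allocation, which is the case the notes warn about.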
Power over Ethernet (PoE)
- On SRX210-PoE devices, SDK packages might not work.
Security
- J Series devices do not support the authentication order password radius or password ldap in the edit access profile profile-name authentication-order command. Instead, use order radius password or ldap password.
- On all branch SRX Series and J Series devices, the limitation on the number of addresses in an address-set has been increased. The number of addresses in an address-set now depends on the device and is equal to the number of addresses supported by the policy.
Table 7: Number of Addresses in an address-set on SRX Series and J Series Devices

Device | address-set |
---|---|
Default | 1024 |
SRX100 High Memory | 1024 |
SRX100 Low Memory | 512 |
SRX210 High Memory | 1024 |
SRX210 Low Memory | 512 |
SRX240 High Memory | 1024 |
SRX240 Low Memory | 512 |
SRX650 | 1024 |
J Series | 1024 |
Simple Network Management Protocol (SNMP)
- On all J Series devices, the SNMP NAT-related MIB is not supported in Junos OS Release 12.1.
Switching
- Layer 2 transparent mode support—On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the following features are not supported for Layer 2 transparent mode:
- Gratuitous Address Resolution Protocol (GARP) on the Layer 2 interface
- Spanning Tree Protocol (STP)
- IP address monitoring on any interface
- Transit traffic through integrated routing and bridging (IRB)
- IRB interface in a routing instance
- Chassis clustering
- IRB interface handling of Layer 3 traffic
Note: The IRB interface is a pseudointerface and does not belong to the reth interface and redundancy group.
- On SRX100, SRX210, SRX240, and SRX650 devices, Change of Authorization is not supported with 802.1x.
- On SRX100, SRX210, SRX240, and SRX650 devices, on the routed VLAN interface, the following features are not supported:
- IPv6 (family inet6)
- ISIS (family ISO)
- Class of service
- Encapsulations (Ether circuit cross-connect [CCC], VLAN CCC, VPLS, PPPoE, and so on) on VLAN interfaces
- CLNS
- Protocol Independent Multicast (PIM)
- Distance Vector Multicast Routing Protocol (DVMRP)
- VLAN interface MAC change
- Gratuitous Address Resolution Protocol (ARP)
- Change VLAN-Id for VLAN interface
USB
- On SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650 devices, frequent plug and play of USB keys is not supported. You must wait for the device node creation before removing the USB key.
Upgrade and Downgrade
- On all J Series devices, the Junos OS upgrade might fail due to insufficient disk space if the CompactFlash is smaller than 1-GB in size. We recommend using a 1-GB CompactFlash for Junos OS Release 10.0 and later.
- On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, when you connect a client running Junos Pulse 1.0 to an SRX Series device that is running a later version of Junos Pulse, the client will not be upgraded automatically to the later version. You must uninstall Junos Pulse 1.0 from the client and then download the later version of Junos Pulse from the SRX Series device.
Virtual Private Networks (VPNs)
- On SRX100, SRX210, SRX240, and SRX650 devices, while configuring dynamic VPN using the Junos Pulse client, when you select the authentication-algorithm as sha-256 in the IKE proposal, the IPsec session might not get established.
Unsupported CLI for Branch SRX Series Services Gateways
Accounting-Options Hierarchy
- On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the accounting, source-class, and destination-class statements in the [accounting-options] hierarchy level are not supported.
AX411 Access Point Hierarchy
- On SRX100 devices, there are CLI commands for wireless LAN configurations related to the AX411 Access Point. However, at this time, the SRX100 devices do not support the AX411 Access Point.
Chassis Hierarchy
- On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following chassis hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set chassis craft-lockout
set chassis routing-engine on-disk-failure
Class-of-Service Hierarchy
- On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following class-of-service hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set class-of-service classifiers ieee-802.1ad
set class-of-service interfaces interface-name unit 0 adaptive-shaper
Ethernet-Switching Hierarchy
- On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following Ethernet-switching hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set ethernet-switching-options bpdu-block disable-timeout
set ethernet-switching-options bpdu-block interface
set ethernet-switching-options mac-notification
set ethernet-switching-options voip interface access-ports
set ethernet-switching-options voip interface ge-0/0/0.0 forwarding-class
Firewall Hierarchy
- On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following Firewall hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set firewall family vpls filter
set firewall family mpls dialer-filter d1 term
Aggregated Interface CLI
- The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
request lacp link-switchover ae0
set interfaces ae0 aggregated-ether-options lacp link-protection
set interfaces ae0 aggregated-ether-options link-protection
ATM Interface CLI
- The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces at-1/0/0 container-options
set interfaces at-1/0/0 atm-options ilmi
set interfaces at-1/0/0 atm-options linear-red-profiles
set interfaces at-1/0/0 atm-options no-payload-scrambler
set interfaces at-1/0/0 atm-options payload-scrambler
set interfaces at-1/0/0 atm-options plp-to-clp
set interfaces at-1/0/0 atm-options scheduler-maps
set interfaces at-1/0/0 unit 0 atm-l2circuit-mode
set interfaces at-1/0/0 unit 0 atm-scheduler-map
set interfaces at-1/0/0 unit 0 cell-bundle-size
set interfaces at-1/0/0 unit 0 compression-device
set interfaces at-1/0/0 unit 0 epd-threshold
set interfaces at-1/0/0 unit 0 inverse-arp
set interfaces at-1/0/0 unit 0 layer2-policer
set interfaces at-1/0/0 unit 0 multicast-vci
set interfaces at-1/0/0 unit 0 multipoint
set interfaces at-1/0/0 unit 0 plp-to-clp
set interfaces at-1/0/0 unit 0 point-to-point
set interfaces at-1/0/0 unit 0 radio-router
set interfaces at-1/0/0 unit 0 transmit-weight
set interfaces at-1/0/0 unit 0 trunk-bandwidth
Ethernet Interfaces
- The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces ge-0/0/1 gigether-options ignore-l3-incompletes
set interfaces ge-0/0/1 gigether-options mpls
set interfaces ge-0/0/0 stacked-vlan-tagging
set interfaces ge-0/0/0 native-vlan-id
set interfaces ge-0/0/0 radio-router
set interfaces ge-0/0/0 unit 0 interface-shared-with
set interfaces ge-0/0/0 unit 0 input-vlan-map
set interfaces ge-0/0/0 unit 0 output-vlan-map
set interfaces ge-0/0/0 unit 0 layer2-policer
set interfaces ge-0/0/0 unit 0 accept-source-mac
set interfaces fe-0/0/2 fastether-options source-address-filter
set interfaces fe-0/0/2 fastether-options source-filtering
set interfaces ge-0/0/1 passive-monitor-mode
GRE Interface CLI
- The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces gr-0/0/0 unit 0 ppp-options
set interfaces gr-0/0/0 unit 0 layer2-policer
IP Interface CLI
- The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces ip-0/0/0 unit 0 layer2-policer
set interfaces ip-0/0/0 unit 0 ppp-options
set interfaces ip-0/0/0 unit 0 radio-router
LSQ Interface CLI
- The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces lsq-0/0/0 unit 0 layer2-policer
set interfaces lsq-0/0/0 unit 0 family ccc
set interfaces lsq-0/0/0 unit 0 family tcc
set interfaces lsq-0/0/0 unit 0 family vpls
set interfaces lsq-0/0/0 unit 0 multipoint
set interfaces lsq-0/0/0 unit 0 point-to-point
set interfaces lsq-0/0/0 unit 0 radio-router
PT Interface CLI
- The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces pt-1/0/0 gratuitous-arp-reply
set interfaces pt-1/0/0 link-mode
set interfaces pt-1/0/0 no-gratuitous-arp-reply
set interfaces pt-1/0/0 no-gratuitous-arp-request
set interfaces pt-1/0/0 vlan-tagging
set interfaces pt-1/0/0 unit 0 radio-router
set interfaces pt-1/0/0 unit 0 vlan-id
T1 Interface CLI
- The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces t1-1/0/0 receive-bucket
set interfaces t1-1/0/0 transmit-bucket
set interfaces t1-1/0/0 encapsulation ether-vpls-ppp
set interfaces t1-1/0/0 encapsulation extended-frame-relay
set interfaces t1-1/0/0 encapsulation extended-frame-relay-tcc
set interfaces t1-1/0/0 encapsulation frame-relay-port-ccc
set interfaces t1-1/0/0 encapsulation satop
set interfaces t1-1/0/0 unit 0 encapsulation ether-vpls-fr
set interfaces t1-1/0/0 unit 0 encapsulation frame-relay-ppp
set interfaces t1-1/0/0 unit 0 layer2-policer
set interfaces t1-1/0/0 unit 0 radio-router
set interfaces t1-1/0/0 unit 0 family inet dhcp
set interfaces t1-1/0/0 unit 0 inverse-arp
set interfaces t1-1/0/0 unit 0 multicast-dlci
VLAN Interface CLI
- The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces vlan unit 0 family tcc
set interfaces vlan unit 0 family vpls
set interfaces vlan unit 0 accounting-profile
set interfaces vlan unit 0 layer2-policer
set interfaces vlan unit 0 ppp-options
set interfaces vlan unit 0 radio-router
Protocols Hierarchy
- On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the following CLI commands are not supported. However, if you enter these commands in the CLI editor, they will appear to succeed and will not display an error message.
set protocols bfd no-issu-timer-negotiation
set protocols bgp idle-after-switch-over
set protocols l2iw
set protocols bgp family inet flow
set protocols bgp family inet-vpn flow
set protocols igmp-snooping vlan all proxy
Routing Hierarchy
- On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following routing hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set routing-instances <instance_name> services
set routing-instances <instance_name> multicast-snooping-options
set routing-instances <instance_name> protocols amt
set routing-options bmp
set routing-options flow
Services Hierarchy
- On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following services hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set services service-interface-pools
SNMP Hierarchy
- On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following SNMP hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set snmp community <community_name> logical-system
set snmp logical-system-trap-filter
set snmp trap-options logical-system
set snmp trap-group d1 logical-system
System Hierarchy
- On all SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the following system hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set system diag-port-authentication
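Every section above makes the same point: these statements commit cleanly on a branch SRX, so nothing in the CLI tells an operator that the intended control (a BPDU block, a policer, a source-address filter) is not actually in effect. The practical defence is to audit the set-format configuration offline. The following Python is an added example, not Juniper code: it scans `set` statements against a subset of the unsupported statements listed on this page, with `*` standing for one arbitrary token (interface name, unit number, instance name). The `radio-router` and `layer2-policer` patterns generalize over the interface types the page lists them for, and the sample configuration is constructed for the demonstration.

```python
from typing import List, Tuple

# Prefix patterns built from the unsupported statements listed on this page.
# A statement matches when the pattern lines up with its leading tokens;
# '*' matches exactly one token. Subset only; extend from the lists above.
UNSUPPORTED_PATTERNS = [
    "chassis craft-lockout",
    "chassis routing-engine on-disk-failure",
    "class-of-service classifiers ieee-802.1ad",
    "class-of-service interfaces * unit * adaptive-shaper",
    "ethernet-switching-options bpdu-block disable-timeout",
    "ethernet-switching-options mac-notification",
    "firewall family vpls filter",
    "interfaces * gigether-options ignore-l3-incompletes",
    "interfaces * fastether-options source-address-filter",
    "interfaces * unit * layer2-policer",   # listed for at-, ge-, gr-, ip-, lsq-, t1-, vlan
    "interfaces * unit * radio-router",     # listed for at-, ip-, lsq-, pt-, t1-, vlan
    "protocols bfd no-issu-timer-negotiation",
    "protocols bgp idle-after-switch-over",
    "protocols l2iw",
    "routing-instances * services",
    "routing-options bmp",
    "routing-options flow",
    "snmp logical-system-trap-filter",
    "system diag-port-authentication",
]

Finding = Tuple[int, str, str]  # (line number, statement, matched pattern)


def matches(tokens: List[str], pattern: str) -> bool:
    """True if the pattern tokens are a prefix of the statement tokens."""
    pat = pattern.split()
    if len(tokens) < len(pat):
        return False
    return all(p == "*" or p == t for p, t in zip(pat, tokens))


def audit_config(lines) -> List[Finding]:
    """Return every 'set' statement that matches an unsupported pattern."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        tokens = line.split()
        if tokens[0] != "set":
            continue                      # only 'set' creates configuration
        statement = tokens[1:]
        for pattern in UNSUPPORTED_PATTERNS:
            if matches(statement, pattern):
                findings.append((lineno, line, pattern))
                break                     # one report per statement is enough
    return findings


# Constructed sample configuration (not from any real device).
SAMPLE_CONFIG = """\
set system host-name branch-srx
set chassis craft-lockout
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/1 unit 0 layer2-policer input-policer p1
set interfaces ge-0/0/1 gigether-options ignore-l3-incompletes
set routing-options static route 0.0.0.0/0 next-hop 192.0.2.254
set routing-options bmp station-address 198.51.100.5
set snmp community public authorization read-only
set protocols bgp idle-after-switch-over forever
"""

if __name__ == "__main__":
    for lineno, statement, pattern in audit_config(SAMPLE_CONFIG.splitlines()):
        print(f"line {lineno}: '{statement}' is silently unsupported ({pattern})")
```

Feed it the output of `show configuration | display set` saved to a file; any hit means the device accepted a statement whose effect the platform does not deliver, which is worth treating like a misconfiguration rather than a cosmetic leftover.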