Juniper JUNOS 10.1 - S REV 4 Скачать руководство пользователя | Manualshive

Страница: 138 / 205

background image

Intrusion Detection and Prevention (IDP)

■

On SRX3400, SRX3600, SRX5600, and SRX5800 devices, application-level
distributed denial-of-service (application-level DDoS) detection does not work if
two rules with different application-level DDoS applications process traffic going
to a single destination application server. When setting up application-level DDoS
rules, make sure you do not configure rulebase-ddos rules that have two different
application-ddos objects while the traffic destined to one application server can
process more than one rule. Essentially, for each protected application server,
you have to configure the (application-level DDoS rules so that traffic destined
for one protected server only processes one application-level DDoS rule.

NOTE:

Application-level DDoS rules are terminal, which means that once traffic is

processed by one rule, it will not be processed by other rules.

The following configuration options can be committed, but they will not work
properly:

Application Server

application-ddos

service

destination-ip

destination-zone

source-zone

1.1.1.1:80

http-appddos1

http

any

dst-1

source–zone-1

1.1.1.1:80

http-appddos2

http

any

dst-1

source-zone-2

■

On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the application-level
denial-of-service (application-level DDoS) rulebase (rulebase-ddos) does not
support port mapping. If you configure an application other than default, and if
the application is from either predefined JUNOS Software applications or a custom
application that maps an application service to a nonstandard port,
application-level DDoS detection will not work.

When you configure the application setting as

default

, IDP uses application

identification to detect applications running on standard and nonstandard ports,
hence the application-level DDoS detection would work properly.

■

On SRX210, SRX240, and SRX650 devices, the maximum number of IDP sessions
supported is 16,000.

■

On SRX Series devices, all IDP policy templates are supported except All Attacks.
There is a 100-MB policy size limit for integrated mode and a 150-MB policy size
limit for dedicated mode, and the current IDP policy templates supported are
dynamic, based on the attack signatures being added. Therefore, be aware that
supported templates might eventually grow past the policy-size limit.

On SRX Series devices, the following IDP policies are supported:

■

DMZ_Services

■

DNS_Service

■

File_Server

138

■

Known Limitations in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

JUNOS 10.1 Software Release Notes

«
...
136
137
138
139
140
...
»

Содержание JUNOS 10.1 - S REV 4

Страница 1: ...e notes on the Juniper Networks JUNOS Software Documentation Web page which is located at http www juniper net techpubs software junos Contents JUNOS Software Release Notes for Juniper Networks M Seri...

Страница 2: ...Procedure for Upgrading to Release 10 1 98 Upgrading a Router with Redundant Routing Engines 101 Upgrading Juniper Routers Running Draft Rosen Multicast VPN to JUNOS Release 10 1 101 Upgrading the So...

Страница 3: ...in JUNOS Release 10 1 for SRX Series Services Gateways and J Series Services Routers 162 Errata and Changes in Documentation for JUNOS Release 10 1 for SRX Series Services Gateways and J Series Servic...

Страница 4: ...89 Changes in Default Behavior and Syntax in JUNOS Release 10 1 for EX Series Switches 189 Layer 2 and Layer 3 Protocols 190 Infrastructure 190 User Interface and Configuration 190 Limitations in JUNO...

Страница 5: ...Upgrading from JUNOS Release 9 3R1 to Release 10 1 for EX Series Switches 200 Upgrading from JUNOS Release 9 2 to Release 10 1 for EX Series Switches 201 Downgrading from JUNOS Release 10 1 to Releas...

Страница 6: ...ntrol packets Protocols such as telnet FTP and SSH that are mapped to queue 0 are classified as best effort No configuration is necessary but the queue assignments can be altered with a multifield cla...

Страница 7: ...nfigure scheduler node scaling include the maximum hierarchy levels statement at the edit interfaces xe fpc pic port hierarchical scheduler hierarchy level The only supported value is 2 Class of Servi...

Страница 8: ...s SA MAC learning MAC accounting and MAC policing Stacked virtual LAN VLAN tag and VLAN rewrite functionalities Network Interfaces Class of Service PIC Guide Intelligent oversubscription services MX S...

Страница 9: ...are supported on the 16 port 10 Gigabit Ethernet MPC with SFP Accepts traffic destined for GRE tunnels or DVMRP IP in IP tunnels JUNOS Release 10 0R2 Bidirectional Forwarding Detection BFD protocol J...

Страница 10: ...R2 Layer 2 frame filtering JUNOS Release 10 0R2 IEEE 802 3ad link aggregation JUNOS Release 10 0R2 Link Aggregation Control Protocol LACP JUNOS Release 10 0R2 Local loopback JUNOS Release 10 0R2 MAC l...

Страница 11: ...service VPLS JUNOS Release 10 0R2 Virtual private network VPN JUNOS Release 10 0R2 Virtual Router Redundancy Protocol VRRP for IPv4 JUNOS Release 10 0R2 To support these features some modifications ha...

Страница 12: ...ure which transparently applies scaling to oversubscribed queues Class of Service High Availability Enhancements to unified ISSU support on PICs T Series JUNOS Release 10 1 extends unified ISSU suppor...

Страница 13: ...Layer 2 feature parity includes Layer 2 bridging VPLS forwarding MAC address learning aging and MAC address limit Mesh group support Implicit VLAN mapping Integrated routing and bridging IRB Multicas...

Страница 14: ...unnel only statement at the chassis fpc number pic number hierarchy level You can use the show interfaces queue gr fpc pic port command to display statistics for the specified tunnel Network Interface...

Страница 15: ...RE so that reassembly of the packets is possible after fragmentation The previous CLI constraint check that requires you to configure either the clear dont fragment bit statement or a tunnel key with...

Страница 16: ...ration limits are changed to match the augmented capabilities of IQE PICs All functionality available on the 4 port Channelized OC12 IQ Type 2 PIC is supported by this PIC Network Interfaces Enhanced...

Страница 17: ...0 PICs Adds support for stateful firewall rule sets in Dynamic Application Awareness for JUNOS Software service chains New application level gateways ALGs are available for FTP junos ftp TFTP junos tf...

Страница 18: ...JUNOS XML API and Scripting 18 New Features in JUNOS Release 10 1 for M Series MX Series and T Series Routers JUNOS 10 1 Software Release Notes...

Страница 19: ...essage clear vrrp clear vrrp information clear_vrrp_information vrrp message clear vrrp interface clear vrrp interface statistics clear_vrrp_interface_statistics NONE request system scripts refresh fr...

Страница 20: ...information get_idp_policy_template_information idp detail status information show security idp status detail get idp detail status information get_idp_detail_status_information service nat mapping in...

Страница 21: ...statement at the edit protocols mpls static label switched path static lsp name hierarchy level You must also configure either the pop or the swap statement at the edit protocols mpls static label swi...

Страница 22: ...s command and the monitor static lsp lsp name command The show mpls static lsp statistics command includes the following options ingress transit bypass and name static lsp name This command displays t...

Страница 23: ...enter the media release statement at the edit services border signaling gateway gateway name sip new call usage policy policy name term term name then media policy hierarchy level Multiplay Solutions...

Страница 24: ...are sent on the same multiaccess network This improves scalability and efficiency by reducing the number of identical messages sent to the same router This feature is useful when there are a large nu...

Страница 25: ...wait before processing the messages The next hop hold time statement can be configured at the edit routing instances routing instance name hierarchy level The hold time can be configured from 1 to 100...

Страница 26: ...l on all PE routers participating in the MVPN Include the family inet mvpn statement and family inet6 mvpn statement at the edit routing instances routing instance name vrf advertise selective hierarc...

Страница 27: ...shared between IPv4 and IPv6 For example you can install 3000 IPv4 filters or 3000 IPv6 filters or a combination of both that totals 3000 You cannot install 3000 IPv4 filters and 3000 IPv6 filters No...

Страница 28: ...999 15 999 Dynamic PPPoE interfaces per chassis 4000 Dynamic PPPoE interfaces per IQ2 IQ2E PIC 32 000 32 000 Dynamic PPPoE interfaces per Trio MPC MIC 15 999 15 999 15 999 Static interfaces per chassi...

Страница 29: ...bles you to configure CoS for dynamic PPPoE subscriber interfaces on Trio MPC MIC interfaces available on MX Series routers and the Intelligent Queuing 2 IQ2 PIC on M120 and M320 Series routers In ear...

Страница 30: ...ng new predefined variables have been added to implement IPv6 addressing for subscriber services Definition Dynamic Profile Variable Route prefix of an IPv6 access route junos framed route ipv6 addres...

Страница 31: ...e router uses the information configured in the dynamic profile to determine the properties of the dynamic PPPoE logical interface The use of dynamically created PPPoE interfaces gives you the flexibi...

Страница 32: ...nterface unit predefined dynamic variable instead of the actual logical unit number for the unit statement and the junos underlying interface predefined dynamic variable instead of the actual name of...

Страница 33: ...ess Support for PPPoE Layer 3 wholesale configuration in a subscriber access network Enables you to configure PPPoE Layer 3 wholesaling within a subscriber access network Wholesale access is the proce...

Страница 34: ...ofiles profile name interfaces pp0 unit junos interface unit family inet hierarchy level To view the logical system and routing instance for each subscriber use the show subscriber operational command...

Страница 35: ...over the Trio MPC MIC interfaces on MX Series routers To apply input and output filters for logical interfaces include the input input filter name and output output filter name statements To apply the...

Страница 36: ...profiles profile name interfaces demux0 unit unit number demux options hierarchy level When configuring dynamic VLAN demux interfaces specify the VLAN ID variable junos vlan id for the vlan id stateme...

Страница 37: ...ypes of attack WEBFILTER Describes messages with the WEBFILTER prefix They are generated by the Web filtering process webfilter which allows you to manage Internet usage by preventing access to inappr...

Страница 38: ...more flexibility to load balance the traffic over as many as 64 LSPs To configure the maximum limit for ECMP next hops include the maximum ecmp next hops statement at the edit chassis hierarchy level...

Страница 39: ...limit of 32 or 64 ECMP next hops is applicable To view the details of the ECMP next hops issue the show route command The show route summary command also shows the current configuration for the maximu...

Страница 40: ...rewrite rules with a subscriber interface in a dynamic profile You must statically configure the classifiers and rewrite rules at the static edit class of service hierarchy level To associate a classi...

Страница 41: ...fetime managed configuration max advertisement interval min advertisement interval no managed configuration no other stateful configuration other stateful configuration prefix reachable time and retra...

Страница 42: ...learn configuration statement at the edit interfaces interface name unit interface unit number family inet and edit interfaces interface name unit interface unit number family inet6 hierarchy levels T...

Страница 43: ...n the Packet Forwarding Engine configuration category host user show interfaces extensive ge 7 1 3 Packet Forwarding Engine configuration Destination slot 7 CoS information Direction Output CoS transm...

Страница 44: ...ed number of configuration statements To configure an interface range group include the interface range statement and substatements at the edit interfaces hierarchy level To view an interface range gr...

Страница 45: ...tes 45 seconds 4 Empty use show chassis fabric fpcs to determine which PFEs have destination errors However for JUNOS Release 9 3 and 9 5 the command only displays the message destination errors or no...

Страница 46: ...MPLS statistics file you can view the statistics using SNMP instead This change helps to reduce disk space usage on the routing engine especially on routers on which numerous LSPs have been configure...

Страница 47: ...vpls and bridge now support the interface set match condition for firewall filters To configure include the interface set interface set name statement at the edit firewall family bridge filter filter...

Страница 48: ...application identification counter to view the APPID counters for the specified interface System Basics and Services Command Reference Session offloading on Multiservices PICs To enable session offloa...

Страница 49: ...rfaces Permanent limitation for session timeout on APPID If session timeout is configured for an APPID application a session for that application will be cleared once the session timeout expires Once...

Страница 50: ...00 New call usage policies per BSG 500 New transaction policies per BSG 10 Policies per service point 100 Service points per BSG 20 Terms per policy 10 000 Terms per BSG 4 Total of AND and OR operator...

Страница 51: ...ration options or statements within the last level in the hierarchy is not supported For example in the following sample configuration hierarchy annotation is supported up to the level 1 parent hierar...

Страница 52: ...terface to pop the service VLAN ID on input and push the service VLAN ID on output and in this way limit the impact of doubly tagged frames on scaling MX Series Layer 2 Configuration Layer 2 5 VPNs su...

Страница 53: ...following hierarchy levels edit logical systems logical system name routing instances routing instance name protocols vpls mesh group mesh group name edit routing instances routing instance name prot...

Страница 54: ...and Downgrade Instructions for JUNOS Release 10 1 for M Series MX Series and T Series Routers on page 98 Issues in JUNOS Release 10 1 for M Series MX Series and T Series Routers The current software r...

Страница 55: ...Laser rx power low alarm field even if the transceiver is a type such as XENPAK that does not support this alarm PR 103444 On the M120 router hot swapping the fan tray might cause the Check CB alarm t...

Страница 56: ...g is not supported on the PIC PR 482199 With JUNOS Releases 10 0 and 10 1 Trio DPCs do not support more than 31 remote PEs in a VPLS instance Also they do not support more than 31 AE bridging logical...

Страница 57: ...arly ge 1 3 0 and ge 9 3 0 are the same slot PIC port but from different LCCs Actor Partner ge 0 3 0 ge 1 3 0 ge 8 3 0 ge 9 3 0 On MX960 routers duplicate LACP port numbers will result in aggregate bu...

Страница 58: ...SCU name with an integer for example 100 and use this source class as a firewall filter match condition the class identifier might be misinterpreted as an integer which might cause the filter to disr...

Страница 59: ...nother FPC that has more memory or After the ISSU is complete reboot only the FPC3 or Enhanced FPC3 PR 282146 For Routing Engines rated at 850 MHz which appear as RE 850 in the output of the show chas...

Страница 60: ...ider edge interface in the other VRF the Internet Control Message Protocol reply returns the source interface IP of the provider edge that is connected directly instead of the interface IP of the othe...

Страница 61: ...classes FECs with an ingress counter set to zero send rnhstats GET error ENOENT Item not found PR 67647 If ICMP tunneling is enabled on the router and you configure a new logical system that does not...

Страница 62: ...PIC redundancy and a switchover to the backup Routing Engine occurs the redundant services interface rsp always activates the primary services interface sp even if the secondary interface was active b...

Страница 63: ...turned PR 471677 The destination and destination profile options for address and unnumbered address within the family inet and inet6 are allowed to be specified within a dynamic profile but are not su...

Страница 64: ...nt and date and time pages PR 433353 Selecting the monitor port for any port in the Chassis Viewer page displays the common Port Monitoring page instead of the corresponding Monitoring page of the sel...

Страница 65: ...vel if a nonstop active routing switchover occurs after the configuration for routing instances changes in certain ways the BGP sessions between PE and CE routers might not be established after the sw...

Страница 66: ...E tunnel with clear dont fragment bit enabled Additionally on an Enhanced FPC or M120 FEB the packet is also likely to be dropped if it is classified to a packet loss priority PLP other than low PR 51...

Страница 67: ...essage upon commit once network service is configured under the chassis stanza WARNING network services flag has been changed please reboot system PR 505690 This issue has been resolved The Routing En...

Страница 68: ...of two Ethernet connections to another Routing Engine is not present the mastership is not switched PR 521833 This issue has been resolved When multiple routed IPsec tunnels are configured and the tun...

Страница 69: ...e performing a periodic auto bandwidth adjustment at the adjust interval This prevents periodic auto bandwidth adjustment from adjusting to a lower bandwidth when the traffic rate drops PR 528619 This...

Страница 70: ...of an aggregate interface packet loss may occur after adding removing or changing the service configuration on the egress side of the aggregate interface As a workaround deactivate and activate the ou...

Страница 71: ...when it receives a robust count value of 0 It uses the default value 2 instead of the configured value PR 520252 This issue has been resolved The new NSR master may not send the OSPF hello messages im...

Страница 72: ...ivileges will sometimes have their access restricted to view permission only when they log in through TACACS PR 388053 This issue has been resolved If the time zone is set to Europe Berlin the command...

Страница 73: ...uld cause an incorrect firewall filter evaluation PR 493356 This issue has been resolved When the MS PIC used for an RLSQ interface resides on an E3 FPC M320 traffic might stop flowing across the RLSQ...

Страница 74: ...pplied PR 486424 This issue has been resolved The DPC remains in the ready state and the demux0 interface remains in a down state after a chassisd restart without graceful Routing Engine switchover GR...

Страница 75: ...when a Trio based MPC or MX80 boots There is no workaround PR 505490 This issue has been resolved Under certain circumstances the E3 IQ PIC might report bogus CCV CES and CSES alarms PR 505921 This i...

Страница 76: ...When an RSVP LSP is configured with the no install to address option and is not associated with CCC connection flaps the routing protocol process will crash when the LSP comes up again To avoid the pr...

Страница 77: ...sh upon receiving certain corrupted IPv6 packets PR 458361 This issue has been resolved When an aggregated SONET with a Cisco High Level Data Link Control HDLC encapsulation is configured a member lin...

Страница 78: ...DP entry is overwritten upon receiving NA from a connected device PR 499418 This issue has been resolved The static NDP entry remains permanent if the refcount is more than 1 even after deleting the s...

Страница 79: ...he configuration includes a large number of routing instances This is caused by the routing protocol process on the backup Routing Engine leaking file descriptors during commit synchronization To reco...

Страница 80: ...as been resolved When using a NAT DCE RPC ALG on a services PIC the PIC might crash while processing the binding request PR 510997 This issue has been resolved Route changes might not be updated in th...

Страница 81: ...ubscribers under heavy login and logout conditions when the 802 1 classifiers are in use PR 470513 This issue has been resolved On a shared scheduler configuration with CoS configured the rate limit f...

Страница 82: ...configuring a three color policer a dfwc core file is generated PR 509742 This issue has been resolved High Availability On an ISSU upgrade from JUNOS Release 9 3 to any of the current higher release...

Страница 83: ...e one or more of the aggregate child links This can happen after an FPC reboot If the aggregate member links are located on the same FPC this problem is not triggered To recover from this condition de...

Страница 84: ...ides in the link discovery mode as active PR 490886 This issue has been resolved On the IEEE 802 1ag CFM when the loss threshold is configured to 256 it displays a 0 PR 491422 This issue has been reso...

Страница 85: ...e incorrectly dropped with the diagnostic L4 length too short 501526 This issue has been resolved The configured TTL set for GRE traffic is set properly for locally generated Routing Engine packets bu...

Страница 86: ...1 0x08 group 0xe device 0x54 This is a cosmetic issue and has no impact on the router PR 500824 This issue has been resolved Network Management Under certain SNMP conditions the following log message...

Страница 87: ...een resolved The NGEN MVPN multicast traffic might be dropped at the ingress router if a point to multipoint LSP reoptimization is performed PR 491533 This issue has been resolved A rare condition bet...

Страница 88: ...se 9 3 to Release 9 5 the timestamps in the log files show the UTC time instead of the local time corresponding to the specified time zone PR 469175 This issue has been resolved On T640 and TX Series...

Страница 89: ...e other FPC types in the same system are not affected PR 499233 This issue has been resolved When a next hop chain has multiple types of next hop dependencies including indirect next hop aggregate nex...

Страница 90: ...and rejects the next hop add This problem persists until the multicast snooping process is restarted PR 467347 This issue has been resolved If a router modifies the next hop protocol to self for examp...

Страница 91: ...around convert the interface to a regular numbered interface on both sides PR 493206 This issue has been resolved In a NSR configuration the backup Routing Engine can lose the connection to the active...

Страница 92: ...unction process LPDFD on the master Routing Engine s restart local policy decision function PR 495363 This issue has been resolved Configuring different autonomous system types origin and peer toward...

Страница 93: ...he entries PR 438164 This issue has been resolved In an MLAN scenario where two PEs are connected to the multicast receiver when the PE acting as the designated router DR has a link failure on the MLA...

Страница 94: ...igh Availability TX Matrix Plus routers and T1600 routers that are configured as part of a routing matrix do not currently support nonstop active routing High Availability Integrated Multi Services Ga...

Страница 95: ...s Management The Subscriber Access Configuration Guide contains the following dynamic variable errors The Configuring a Dynamic Profile for Client Access topic erroneously uses the junos underlying in...

Страница 96: ...the subscriber VLANs are the same for both ANCP and multicast Subscriber Access The Guidelines for Configuring Dynamic CoS for Subscriber Access topic in the Subscriber Access Configuration Guide erro...

Страница 97: ...Setup and Maintenance Using the Label Distribution Protocol LDP The JUNOS Software does not support Section 5 3 The Generalized PWid FEC Element RFC 4448 Encapsulation Methods for Transport of Ethern...

Страница 98: ...ngrading the JUNOS Software always use the jinstall package Use other packages such as the jbundle package only when so instructed by a Juniper Networks support representative For information about th...

Страница 99: ...n is retained but the contents of log files might be erased Stored files on the routing platform such as configuration templates and shell scripts the only exceptions are the juniper conf and ssh file...

Страница 100: ...g the console because in band connections are lost during the upgrade process Customers in the United States and Canada use the following command user host request system software add validate reboot...

Страница 101: ...ws 1 Disable graceful Routing Engine switchover GRES on the master Routing Engine and save the configuration change to both Routing Engines 2 Install the new JUNOS Software release on the backup Routi...

Страница 102: ...re the new feature until all the PE routers in the network have been upgraded to JUNOS Release 10 1 2 After you have upgraded all routers configure each router s main instance loopback address as the...

Страница 103: ...00 routers LCC are all re1 or are all re0 All master Routing Engines in all routers run the same version of software This is necessary for the routing matrix to operate All master and backup Routing E...

Страница 104: ...abled For additional information about using unified in service software upgrade see the Junos High Availability Configuration Guide Upgrading from JUNOS Release 9 2 or Earlier on a Router Enabled for...

Страница 105: ...ctions appropriate for the router type You can either use the standard procedure with reboot or use ISSU 3 After the router reboots and is running the upgraded JUNOS Software enter configuration mode...

Страница 106: ...ries and T Series Routers on page 42 Issues in JUNOS Release 10 1 for M Series MX Series and T Series Routers on page 54 Errata and Changes in Documentation for JUNOS Software Release 10 1 for M Serie...

Страница 107: ...teways and J Series Services Routers on page 123 Known Limitations in JUNOS Release 10 1 for SRX Series Services Gateways and J Series Services Routers on page 132 Issues in JUNOS Release 10 1 for SRX...

Страница 108: ...existence of compression pointer loops and drop the traffic if one exists Note that the DNS ALG can translate the first 32 A records in a single DNS reply A records after the first 32 will not be hand...

Страница 109: ...port address negotiation mechanism of the Sun RPC and to ensure program number based security policy enforcement You can define a security policy to permit or deny all RPC requests or to permit or den...

Страница 110: ...Release 10 1 Junos OS Security Configuration Guide Redundancy group IP address monitoring through a secondary interface This feature is supported on SRX3400 SRX3600 SRX5600 and SRX5800 devices In JUNO...

Страница 111: ...media policy statement in the edit services converged services hierarchy level set services convergence service service class name dscp bitmap set services convergence service service class media pol...

Страница 112: ...to provide high bandwidth applications Triple Play services such as high speed Internet access telephone services like voice over IP VoIP high definition TV HDTV and interactive gaming services over...

Страница 113: ...icate how much data the device can forward The device can then use the information provided in the PPPoE messages to dynamically adjust the interface speed of the PPP links Use the radio router statem...

Страница 114: ...wnstream direction the extra 802 1Q tag is removed There are three ways to map C VLANs to an S VLAN All in one bundling Use the dot1q tunneling statement at the edit vlans hierarchy to map without spe...

Страница 115: ...Management TLVs let the device ports advertise the power level and power priority needed For example the device can compare the power needed by an IP telephone running on a PoE interface with availab...

Страница 116: ...th threat prevention support This feature is supported on SRX3400 SRX3600 SRX5600 and SRX5800 devices With the increased use of application protocol encapsulation the need arises to support the identi...

Страница 117: ...constitutes a backup copy of U boot in addition to the active copy from which the system generally boots up Table 4 on page 117 provides details of BIOS components supported for different platforms T...

Страница 118: ...OS BIOS Software Suite 10 2B3 NOTE Installing the jloader srxsme package puts the necessary images under directory boot 2 Verifying that images for upgrade are installed The show system firmware comma...

Страница 119: ...0 RE FPGA 11 12 3 0 OK NOTE The device must be rebooted for the upgraded active BIOS to take effect Backup BIOS 1 Initiate the upgrade using the request system firmware upgade re bios backup command r...

Страница 120: ...total numbers of source NAT rules There is no limitation on the number of rules that you can configure in a source NAT rule set as long as the maximum number of source NAT rules allowed on the device...

Страница 121: ...th 80 threshold 5 NOTE The resource component variables attribute has been deprecated but has an alias to the radio router variable to minimize impact on existing routers that might have been configur...

Страница 122: ...s data between the wired and the wireless network Multiple access points form a part of a bigger wireless network and can be clustered together The access point cluster is a dynamic configuration awar...

Страница 123: ...he SRX210 Services Gateway Hardware Guide For more information on configuring the 3G interface see the JUNOS Software Interfaces and Routing Configuration Guide Related Topics Known Limitations in JUN...

Страница 124: ...ps has been removed Instead a configurable hold down interval timer for all redundancy groups has been instituted See the Configuring a Dampening Time Between Back to Back Redundancy Group Failovers s...

Страница 125: ...tmd command after making a configuration change to the MPIM ports On SRX210 devices with Integrated Convergence Services registrations do not work when PCS is configured and removed thorough the CLI T...

Страница 126: ...le root partitioning user host show system storage partitions Boot Media internal da0 Partitions Information Partition Size Mountpoint s1a 898M s1e 24M config s1f 61M var show system storage partition...

Страница 127: ...ically selected Example 2 user host set wlan access point ap6 radio 2 radio options channel number 1 Channel 1 2 Channel 2 3 Channel 3 4 Channel 4 5 Channel 5 6 Channel 6 7 Channel 7 8 Channel 8 9 Cha...

Страница 128: ...security ipsec proposal proposal name hierarchy level has been changed from 28 800 seconds to 3600 seconds Flow and Processing On SRX Series devices the factory default for the maximum number of backu...

Страница 129: ...le running commands in IDP ensure that you provide the service field values for custom attack definitions in lowercase In the following example the protocol service field value udp is specified in low...

Страница 130: ...g the UTC time zone use the set system time zone utc and set security log utc timestamp CLI statements Configuring the External CompactFlash card on SRX650 Services Gateways The SRX650 Services Gatewa...

Страница 131: ...password and the password entered is stored in encrypted form NOTE Without wlan config option enabled the AX411 Access Points will be managed with the default password Changing the wlan admin authenti...

Страница 132: ...t Protocol MLPPP Multilink Frame Relay MLFR and Compressed Real Time Transport Protocol CRTP gr 0 0 0 Generic routing encapsulation GRE and tunneling ip 0 0 0 IP over IP IP IP encapsulation pd 0 0 0 p...

Страница 133: ...g is not permitted on redundant Ethernet interface LAGs or on child interfaces of redundant Ethernet interface LAGs In service software upgrade ISSU does not support version downgrading That is ISSU d...

Страница 134: ...thout a prompt Flow and Processing Maximum concurrent SSH Telnet and Web sessions On SRX210 SRX240 and SRX650 devices the maximum number of concurrent sessions is as follows SRX650 SRX240 SRX210 Sessi...

Страница 135: ...er Packet loss priority as action of a policer Packet loss priority as action of a three color policer On SRX3400 SRX3600 SRX5600 and SRX5800 devices the following features are not supported by a fire...

Страница 136: ...the RJ 45 medium is active and an SFP link is brought up the interface will transition to the SFP medium and this transition could also take a few seconds On SRX Series and J Series devices the user...

Страница 137: ...e apply groups group family inet6 set protocols pim disable apply groups except group family inet6 set protocols pim disable export export join policy family inet6 set protocols pim disable dr electio...

Страница 138: ...zone 2 On SRX3400 SRX3600 SRX5600 and SRX5800 devices the application level denial of service application level DDoS rulebase rulebase ddos does not support port mapping If you configure an applicati...

Страница 139: ...chronization of the time binding state that is not currently supported On SRX100 SRX210 SRX240 and SRX650 devices maximum supported entries in ACS table for is 100 000 entries However since the user l...

Страница 140: ...sets and up to 256 rules per rule set can be configured on a device For destination NAT up to 32 rule sets and up to 8 rules per rule set can be configured on a device For source NAT the following ar...

Страница 141: ...run UTM VPNs On SRX3400 SRX3600 SRX5600 and SRX5800 devices the IPsec NAT T tunnels scaling and sustaining issues are as follows For a given private IP address the NAT device should translate both 500...

Страница 142: ...security alg sip counters command while doing a bulk call generation it might bring down the SPU with a flowd core file error PR 292956 On SRX210 devices the SCCP call cannot be set up after disablin...

Страница 143: ...mand on the secondary Routing Engine does not display the same details as that of the primary Routing Engine PR 237982 On J4350 Services Routers because the clear security alg sip call command trigger...

Страница 144: ...On an SRX210 device in a chassis cluster the fabric monitoring option is enabled by default This can cause one of the nodes to move to a disabled state You can disable fabric monitoring by using the...

Страница 145: ...tting full PR 454926 On SRX3400 SRX3600 SRX5600 and SRX5800 devices in a chassis cluster the ping operation to the redundant Ethernet interface reth fails when the cluster ID changes PR 458729 On SRX1...

Страница 146: ...might degrade CoS performance with smaller sized 500 bytes or less packets PR 73054 On J Series devices with a CoS configuration when you try to delete all the flow sessions using the clear security...

Страница 147: ...ets are Layer 2 terminating packets PR 252957 On SRX Series devices the show security flow session command currently does not display aggregate session information Instead it displays sessions on a pe...

Страница 148: ...affic PR 434508 On SRX5800 devices when there are nonexistent PICs in the network processing bundle the traffic is sent out to the PICs and is lost PR 434976 The SRX5600 and SRX5800 devices create mor...

Страница 149: ...0 SRX5600 and SRX5800 devices during end to end debugging with the jexec event packet summary trace messages have unknown IP addresses in the packet summary field PR 463534 On SRX3400 SRX3600 SRX5600...

Страница 150: ...evice does not have an ARP entry for an IP address it drops the first packet from itself to that IP address PR 233867 On J Series devices when you press the F10 key to save and exit from BIOS configur...

Страница 151: ...r survivable call server SRX Series SCS statistics PR 456454 When T1 lines for stations or trunks are configured you might hear a momentary burst of noise on the phone PR 467334 You must restart the f...

Страница 152: ...interfaces at 5 0 0 unit 0 shaping cbr 62400 ATM COS set class of service interfaces at 5 0 0 unit 0 scheduler map sche_map IP COS set class of service interfaces at 5 0 0 unit 0 shaping rate 62400 AD...

Страница 153: ...ion traffic testing with ALU 7302 DSLAM There is no impact on traffic except for the packet loss after long duration traffic testing which is also seen in the vendor CPE PR 467912 On SRX210 devices wi...

Страница 154: ...ed before the new policy becomes effective During the update IDP will not inspect the traffic that is passing through the device for attacks As a result there is no IDP policy enforcement PR 392421 On...

Страница 155: ...etting as default IDP uses application identification to detect applications running on standard and nonstandard ports hence the application level DDoS detection works properly PR 472522 J Flow SRX340...

Страница 156: ...use it was not functioning properly PR 422898 On SRX210 SRX240 J2350 J4350 and J6350 devices when J Web users select the tabs on the bottom left menu the corresponding screen is not displayed fully so...

Страница 157: ...if you have not made any changes PR 495603 Management and Administration On SRX3400 SRX3600 SRX5600 and SRX5800 devices the queue statistics are not correct after deletion and re creation of a logica...

Страница 158: ...event logs is incorrect for JUNOS Release 10 1 Because of a bug the log output shows both source and destination IP from the client server instead of only the IP address with NAT The output incorrect...

Страница 159: ...AX411 Access Points As a result the Ax411 Access Points retain the factory default configuration PR 476850 Security On SRX3400 SRX3600 SRX5600 and SRX5800 devices the egress filter based forwarding FB...

Страница 160: ...Mail retrieval is slow and the EICAR test file is not detected PR 424797 On SRX650 devices operating under stress conditions the UTM subsystem file partition might fill up faster than UTM can process...

Страница 161: ...aler interface on either the dial in or dial out interface goes down because no keepalive packets are exchanged As a workaround increase the ATS0 value to 4 or greater PR 492970 On SRX210 High Memory...

Страница 162: ...policies match the address any instead of specific addresses and all cross zone traffic policies are pointing to the single site to site VPN tunnel As a workaround configure address books in differen...

Страница 163: ...t loss occurred because of oversubscription and you had to reboot the SRX5800 device PR 433209 This issue has been resolved Hardware On SRX650 devices the 16 port Gigabit Ethernet switch GPIM was inco...

Страница 164: ...in the VDSL driver PR 505347 This issue has been resolved J Web On SRX Series devices in J Web when Troubleshoot was clicked twice the left side menu items and page content disappeared PR 459936 This...

Страница 165: ...based NAT configurations NAT configurations are now rule based The JUNOS Software Security Configuration Guide incorrectly states that ALGs are not supported in transparent mode on SRX3400 SRX3600 SR...

Страница 166: ...and SRX5800 devices edit security flow aging early ageout edit security flow aging high watermark edit security flow aging low watermark The Understanding Selective Stateless Packet Based Services sec...

Страница 167: ...x as disabled in factory default settings The J Web screenshot should indicate the Enable DHCP on ge 0 0 0 0 check box as enabled in factory default settings The show chassis environment cb 0 command...

Страница 168: ...SRX240 devices only the ge 0 0 0 port supports TFTP in uboot and on the SRX650 device all front end ports support TFTP in uboot Step 2 of the Installing JUNOS Software Using TFTPBOOT instructions shou...

Страница 169: ...curity TLS option for the SIP protocol transport is not supported in JUNOS Release 10 1 However it is documented in the Integrated Convergence Services entries of the JUNOS Software CLI Reference The...

Страница 170: ...from future intrusions while permitting legitimate traffic You can configure one of the following IP action options in application level DDoS ip block ip close and ip notify The exclude context values...

Страница 171: ...4 13 37 16 UTC 17 13 45 ago Packets second 0 Peak 0 2010 02 05 06 49 51 UTC KBits second 0 Peak 0 2010 02 05 06 49 51 UTC Latency microseconds min 0 max 0 avg 0 Packet Statistics ICMP 0 TCP 0 UDP 0 Ot...

Страница 172: ...ribe how to configure screen options using the set security screen screen name CLI statements Instead you should use the set security screen ids option screen name CLI statements All screen configurat...

Страница 173: ...and heat dissipation capacity of each PIM and troubleshooting procedures see the J Series Services Routers Hardware Guide Supported Third Party Hardware for J Series Services Routers The following th...

Страница 174: ...nd DRAM Requirements Maximum DRAM Supported Minimum DRAM Required Minimum CompactFlash Card Required Model 1 GB 512 MB 512 MB J2320 1 GB 512 MB 512 MB J2350 2 GB 512 MB 512 MB J4350 2 GB 1 GB 512 MB J...

Страница 175: ...d the system will be able to boot from the backup JUNOS Software image located in the other root partition and remain fully functional SRX Series devices that ship with JUNOS Release 10 1 are formatte...

Страница 176: ...other root partition are erased The contents of the other root partition will not be valid unless the installation is completed successfully With the dual root partitioning scheme after a new JUNOS S...

Страница 177: ...ot desired use the conventional CLI and J Web installation methods as described in the Junos OS Administration Guide for Security Devices Upgrading to JUNOS Release 10 1 with Dual Root Partitioning To...

Страница 178: ...set the following variables ipaddr loader set ipaddr IP address of the device netmask loader set netmask netmask gatewayip loader set gatewayip gateway IP address serverip loader set severip TFTP ser...

Страница 179: ...me 2 After the device reboots with JUNOS Release 10 1 upgrade the boot loader to version 1 5 See Upgrading the Boot Loader on page 179 3 Reinstall the 10 1 image from JUNOS CLI using the request syste...

Страница 180: ...om the boot loader using a TFTP server 1 Upload the JUNOS Software image to a TFTP server 2 Stop the device at the loader prompt and set the following variables ipaddr loader set ipaddr IP address of...

Страница 181: ...tition option This will copy the image to the device then reboot the device for installation The device will boot up with the 9 6 image installed with the single root partitioning scheme NOTE This pro...

Страница 182: ...or rescue configuration The snapshot feature is modified to support dual root partitioning The options as primary swap size config size root size var size and data size are not supported on SRX Series...

Страница 183: ...ioned before the software is installed When the partition option is used the format and install process is scheduled to run on the next reboot Therefore it is recommended that this option be used toge...

Страница 184: ...Control Board SCB The second Routing Engine must be running JUNOS Release 10 1 or later Because you cannot run the CLI or enter configuration mode on the second Routing Engine you cannot upgrade the J...

Страница 185: ...ster Routing Engine RE0 to the second Routing Engine RE1 if you do not already have a connection 9 Reboot the second Routing Engine RE1 Use the following command reboot When the following system outpu...

Страница 186: ...umentation for JUNOS Release 10 1 for EX Series Switches on page 199 Upgrade and Downgrade Issues for JUNOS Release 10 1 for EX Series Switches on page 200 New Features in JUNOS Release 10 1 for EX Se...

Страница 187: ...e card in EX8200 switches now supports one new optical transceiver EX SFP 10GE ER 10GBase ER 40 km Access Control and Port Security Captive portal authentication Captive portal authentication allows y...

Страница 188: ...st reverse path forwarding RPF is available on EX8200 switches The unicast RPF feature can be enabled on specific interfaces on EX8200 switches and supports ECMP traffic Layer 2 and Layer 3 Protocols...

Страница 189: ...ions using the interface match condition You can configure an ingress or egress firewall filter with an aggregated Ethernet interface as a match condition and apply the firewall filter to ports VLANs...

Страница 190: ...he 100Base ZX interface If you enable PIM on all interfaces using the interface all command it is not enabled on the me0 and vme interfaces by default Therefore you do not need to explicitly disable P...

Страница 191: ...OS Release 9 2 or Release 9 3 for EX Series switches and then attempt to upgrade to a later release or a later version of Release 9 3 than the one that is currently installed the switch might display...

Страница 192: ...X Series switches do not support queued packet counters Therefore the queued packet counter in the output of the show interfaces interface name extensive command always displays a count of 0 and is ne...

Страница 193: ...utstanding Issues in JUNOS Release 10 1 for EX Series Switches The following are outstanding issues in JUNOS Release 10 1R3 for EX Series switches The identifier following the description is the track...

Страница 194: ...rwarded to other interfaces in the same VLAN PR 456700 The jnxFirewallMIB might not be populated in a firewall filter configuration As a workaround set up the following configuration to skip the firew...

Страница 195: ...r Routing Route Information changing the Route Table to query other routes refreshes the page but does not return to page 1 For example if you run the query from page 3 and the new query returns very...

Страница 196: ...might be found in the Ethernet switching process eswd after you delete VLANs or deactivate the Multiple VLAN Registration Protocol MVRP PR 471647 This issue has been resolved On an EX2200 switch when...

Страница 197: ...0 switch when you add a syslog action modifier to the firewall filter the forwarding pfem process might create a core file when the filter binding is changed from an egress VLAN to an ingress VLAN PR...

Страница 198: ...the NAND flash is not responding Workaround Power cycle the switch PR 482026 This issue has been resolved If you attempt to set the time zone to Europe Berlin on a switch with dual Routing Engines the...

Страница 199: ...on page you might not be able to delete a configured next hop address because the Delete button is disabled PR 476572 This issue has been resolved In the J Web interface the OSPF Monitoring page might...

Страница 200: ...upgrade to JUNOS Release 9 4R2 or later or downgrade to JUNOS Release 9 3R1 or earlier the switch will display configuration errors on booting up after the upgrade or downgrade As a workaround delete...

Страница 201: ...multicast MAC addresses are not supported in a static MAC configuration If they exist and you try to commit the configuration the commit will fail Support for static MAC bypass in single or single se...

Страница 202: ...v before upgrading from Release 9 2 to Release 9 3 or later If the switch does not have a config license directory create the config license_priv directory manually before you upgrade If you do not re...

Страница 203: ...ical bookstores and book outlets around the world The current list can be viewed at http www juniper net books Documentation Feedback We encourage you to provide feedback comments and suggestions so t...

Страница 204: ...itlement by product serial number use our Serial Number Entitlement SNE Tool located at https tools juniper net SerialNumberEntitlementSearch Opening a Case with JTAC You can open a case with JTAC on...

Страница 205: ...emarks service marks registered trademarks or registered service marks are the property of their respective owners Juniper Networks assumes no responsibility for any inaccuracies in this document Juni...

Отзывы:

Нет отзывов

Похожие инструкции для JUNOS 10.1 - S REV 4

PowerShot SX1 IS

Бренд: Canon Страницы: 48

Бренд: Canon Страницы: 2

Linear-Phase MultiBand Software Audio Processor

Бренд: Waves Страницы: 27

3C19250 - USB Ethernet Network Interface...

Бренд: 3Com Страницы: 16

Earthmate GPS BT-20

Бренд: DeLorme Страницы: 9

Unified Messenger

Бренд: Avaya Страницы: 35

Auto Configuration Server Vantage Access

Бренд: ZyXEL Communications Страницы: 113

Бренд: Avision Страницы: 47

Бренд: A&D Страницы: 36

15606-011408-9300 - MAP R6.3 UPG

Бренд: Autodesk Страницы: 208

Data Migration Service

Бренд: Qlogic Страницы: 162

Phone Link Handbook

Бренд: Palm Страницы: 22

Бренд: Qualcomm Страницы: 192

FLEX BUILDER-USING FLEX BUILDER

Бренд: MACROMEDIA Страницы: 158

Бренд: YOKOGAWA Страницы: 29

Бренд: Fellowes Страницы: 170

ForeSight 6300 NMS

Бренд: Patton electronics Страницы: 156

Loran TD Position

Бренд: Garmin Страницы: 11

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды