ScreenOS to Junos commands

This should be useful if you are new to Junos but an old hand at ScreenOS.

What I have been up to: SRX performance is off the charts

Well, I kind of hate just putting up something about nothing, but for updates' sake: I have been stupid busy lately. I just got through testing an SRX3400 (which is the low-end midrange box; there are three other higher-performing boxes) for performance using a BreakingPoint Elite box. All I can say is wow, this product line is off the charts in terms of performance, mind-boggling connections per second. I have also been working on some new Junoscripts to display in the CLI a more concise summary of the policy hit counts, much like you would see in IOS. I have also been working on a UAC/NAC proof of concept using Juniper's UAC, SA 2500, EX 4200, an SSG5 and an Enterasys 2G4072-52.

Here is what I tested on the SRX and some perf numbers (Junos 9.5).

Perf numbers:

Ran an IMIX of TCP traffic, ramping up at 150K new connections per second to 1M concurrent sessions, 10Gbps throughput for 10 minutes. This was with full stateful firewall. The test was done using a BreakingPoint Elite with 2x10GE ports.

Also successfully ran 10Gbps UDP at 1400-byte packets and at 512-byte packets, no problem. 64-byte packets are a problem because there is a hard limit of 1M pps on each SPC.

Other SRX tests:

JSRP – sessions are replicated; as of 9.5 only link detection for failover, in 9.6 you can do track IP.

NSM management – everything we wanted to see was there

Traffic logs – you can log session init, session close, IDP deny and ACL deny; however, these must be sent out an IOC, not out the management port, because of the sheer volume of logs.

IDP – was able to block chat (Yahoo, Gmail chat, AOL IM).

Also working on some similar NS5K testing. I can post configs for any of this if anyone is interested.


Secure Junos template

At my last job I created a NIST secure checklist for our Cisco routers and applied it to each of them. I have been keeping my eye out for a Junos secure template and found one that seems reasonable. Tell me what you think.

Link …


Well, no posts for a couple of weeks; I just realized that today, have had no time. Currently I am working on a bunch of Junoscript scripts. That is the right way to express that, right? So these are my first scripts, and when I am done I plan on writing an intro to Junoscripting. Cool stuff, extremely powerful, easy to access and modify the router. If you are a programmer and familiar with Perl, then it will look inherently familiar, but with an XML tag twist, since all Junos data and configs are basically XML under the hood.

Juniper Junoscript docs

Link …

Configuring your Junos Olive for VGA output – quick'n'dirty

Getting tired of accessing your Olive through a serial connection? Configure it to run both serial and VGA output, so that you can interact via the standard VMware console.

Link …

Creating a J-series Junos or J-series Junos with Enhanced Services Olive – the easy way

Here is a way to create a J-series/J-series Enhanced Services Olive. This is a more straightforward way of creating an Olive.

Link …

Flavors of Olives

When someone refers to an Olive they are referring to Junos running on top of a FreeBSD install, whether on a PC or on a PC running virtualization software such as VMware or QEMU. An Olive has traditionally been based on M- and T-series software, which has some of its capabilities offloaded to other hardware, such as an Adaptive Services PIC, a Multiservices PIC or the forwarding ASICs. There are other lower-end routers where all processing is done on an i386 CPU; these are the J-series routers. You can have "Olives" of these as well. Juniper has recently released a new version of Junos for the J-series called Junos-ES (Enhanced Services), and in time all Junos will be Junos-ES. This adds the functionality of a flow- and zone-based firewall. This can also be put in VMware. My thinking is that you will have more functionality in the J-series Olives because more of the functionality is in software and does not require another piece of hardware, but I have yet to verify this.
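To make "flow- and zone-based firewall" concrete, and to show the traffic-logging point from the SRX post above (session-init/session-close logs that leave through a revenue interface rather than the management port), here is a minimal Junos-ES configuration in 9.5-era set syntax. This is an added example, not the author's or Juniper's own config; the interface names, addresses, zone names, policy names and the collector at 10.1.1.50 are assumptions for a two-interface lab box.

```junos
## Added example, not from the post. Minimal Junos-ES flow/zone firewall with
## stream-mode traffic logging. Interfaces, addresses and names are assumptions.

## Revenue (data-plane) interfaces
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 203.0.113.2/24

## Zones: the flow engine forwards only between interfaces that belong to zones,
## and the box accepts management traffic only if listed under host-inbound-traffic.
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services ping

## Per-zone address book entry referenced by the policy
set security zones security-zone trust address-book address inside-net 10.1.1.0/24

## Policy: permit outbound web from the inside net, log both ends of every session
set security policies from-zone trust to-zone untrust policy allow-web match source-address inside-net
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
set security policies from-zone trust to-zone untrust policy allow-web match application junos-https
set security policies from-zone trust to-zone untrust policy allow-web then permit
set security policies from-zone trust to-zone untrust policy allow-web then log session-init
set security policies from-zone trust to-zone untrust policy allow-web then log session-close

## Explicit, logged deny for everything else (the implicit default deny is silent)
set security policies from-zone trust to-zone untrust policy deny-rest match source-address any
set security policies from-zone trust to-zone untrust policy deny-rest match destination-address any
set security policies from-zone trust to-zone untrust policy deny-rest match application any
set security policies from-zone trust to-zone untrust policy deny-rest then deny
set security policies from-zone trust to-zone untrust policy deny-rest then log session-init

## Stream mode: session logs are emitted by the data plane straight out a revenue
## interface toward the collector, never through fxp0 / the routing engine.
## source-address must be an address on a revenue interface; the collector is assumed
## to sit in the trust zone.
set security log mode stream
set security log format sd-syslog
set security log source-address 10.1.1.1
set security log stream lab-collector host 10.1.1.50
```

Drop the `##` annotation lines before pasting with `load set terminal`, then `commit`. The alternative, `set security log mode event`, pushes every session log through the routing engine and out the management port, which is exactly the path the SRX post says cannot absorb the volume. Once traffic flows, `show security flow session` lists the sessions the zone policy created, and `show security zones` confirms which interfaces ended up in which zone.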


Good article on creating a Juniper Olive in Qemu

Here is some good documentation on creating a Juniper Olive in QEMU, as well as getting an Olive to talk to Dynamips.

Link …

Also some more good documentation on hooking up an Olive to Quagga (software that lets your *nix box run dynamic routing protocols using an IOS-like interface).

Link …

Configuring Basic RIP using a Juniper Olive (JUNOS) via CLI

This document describes how to set up a mock Juniper network running RIP in Junos using Olives.
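As an added example (not the linked document's own configuration), here is the set-syntax config for one of two Olives peering over RIPv2. It includes the two things people new to Junos RIP usually trip over: Junos advertises nothing, not even RIP-learned routes, until an export policy says so, and the protocol should carry MD5 authentication so a stray host on the lab segment cannot inject routes. The interface name em0 (a VMware Olive NIC), the addresses and the key are assumptions.

```junos
## Added example, not from the linked document. Olive r1; r2 differs only in the
## three address/host-name lines marked below. em0 and all addresses are assumed.
set system host-name r1
set interfaces em0 unit 0 family inet address 10.0.12.1/24
set interfaces lo0 unit 0 family inet address 192.168.1.1/32

## Export policy: Junos RIP sends no routes by default, so explicitly export the
## router's own directly connected prefixes and whatever it learned via RIP.
set policy-options policy-statement rip-export term direct from protocol direct
set policy-options policy-statement rip-export term direct then accept
set policy-options policy-statement rip-export term rip from protocol rip
set policy-options policy-statement rip-export term rip then accept

## RIPv2 with keyed MD5 authentication on every update (same key on r2)
set protocols rip authentication-type md5
set protocols rip authentication-key "lab-rip-key"
set protocols rip group olives export rip-export
set protocols rip group olives neighbor em0.0

## For r2, replace the three lines above with:
##   set system host-name r2
##   set interfaces em0 unit 0 family inet address 10.0.12.2/24
##   set interfaces lo0 unit 0 family inet address 192.168.2.2/32
```

Strip the `##` lines before `load set terminal` and `commit`. Verify with `show rip neighbor` (em0.0 should be up), `show route protocol rip` (r1 should learn 192.168.2.2/32 from r2, and vice versa) and `show rip statistics`, where a growing "bad authentication" counter means the keys do not match.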

Link …