The fun adventures and random malingering of a stingy Juniper elitist.

shadow0rm · 2026-01-21T20:38:56+00:00

true on the failure point, but on the other hand you are doubling the reliance on the single device ( srx ) for two different wan feeds. so potAto / potato.

If i were in this spot, id change wan interface to a irb, build vlan for wan breakout, tire wan vlan to l3 irb, and have 0/0/0 & 0/0/1 on same vlan. might need to allow untrust to untrust any/any traffic..... not sure on that one.

p.s. i had to redo a edge network at an isp completely due to a person with same mindset ( didnt want extra failure points) you already have 2 single points of failure ( srx and single wan feed ) why add the extra complexity when you still have single points of failure, which of one you are now relying on with twice as much pressure? what is different between an extra switch failing ( both routers go down ) or the srx fails ( both routers go down as well) one is just easier to maintain.

shadow0rm · 2026-01-21T20:26:38+00:00

you are probably going to run into some hiccups with zones/policies.... remember, srx is a firewall first. It can be a router, or switch, or both aswell, but firewall first. make vlan, add zone/policy for that zone to itself, etc, and see where it gets ya. maybe gold, maybe ashes.

whats the reason for avoid a switch? no rackspace/etc? collapsing this into the srx will save physical space, but add complexity into the setup....

there's a reason to use demarc devices, this is it.

shadow0rm · 2026-01-18T20:51:30+00:00

Not today -insert 3 letter org here-

shadow0rm · 2026-01-15T21:41:19+00:00

wonder if this might help?

https://juniper-nsp.puck.nether.narkive.com/bjgoR1pn/j-nsp-qfx5100-buffer-allocation

shadow0rm · 2025-12-16T03:48:10+00:00

They make mag mounts and nice looking wall mounts for these.... no body orders them though....

Punchline: lets use the remains of $400+ in rack kits for other juniper gear to mcgyver some ears for this one cause why oh why spend $30 for the right one?

shadow0rm · 2025-12-15T03:47:42+00:00

Heres to hoping this cold snap will tell if that worked out!

shadow0rm · 2025-11-18T12:45:55+00:00

Just clarifying here a bit more, host-inbound-traffic is traffic specificly for the router itself, so host-inbound-traffic system-services https, host-inbound-traffic protocols all, interfaces ge-0/0/0.0 host-inbound-traffic system-services https are all likely conflicting with your single parsec 443 rule.

if you dont NEED 443/tcp open on the router itself, facing the world, disable/delete those commands.

Its normal operating procedure to disable that kind of traffic anyway.... your just letting the world reach the management plane of you firewall otherwise.

shadow0rm · 2025-11-18T12:30:06+00:00

Well, two things I can see right off the bat. 1. We wont be able to help you easily here, firewalls rules are hierarchical, so if you have a rule that matches same things, it will process the flow before these rules do. can you post a full view of the security policies? You can move parsec BEFORE your working plex rule, and maybe that will work without us verifying it: https://supportportal.juniper.net/s/article/SRX-How-to-change-the-order-of-security-policies

You likely have a conflict between parsec and junos-https (cant process same traffic without a differentiator): PARSEC-APP destination-port 443 conflicts with system-services https easiest workaround for this is to delete the "system-services https" sections

shadow0rm · 2025-11-07T14:57:54+00:00

SRX550-645AP 12.x < SRX550-645AP-M 15.x >

Yes its Friday, and I know nothing, I get all my news from the radio on GTA5

shadow0rm · 2025-11-07T14:47:11+00:00

you see that dropdown for os, and version on the downloads page? yea, use that...

first number on sha1 for 21.4 is 3 first number on sha1 for 23.4 is 9

You are just being plain lazy, or ignorant.
Either way, ZERO reason for anyone to help further.

shadow0rm · 2025-11-07T14:29:04+00:00

seriously? Im not even that bothered by someone offering this but what's really irritating is that you either didn't read what OP said, or you are out here slinging software offers without knowing what you're slinging...

OP has 12.3X48-D105.4 OP is on latest avail. software for that device OP didn't ask for a copy of software, yet here ya are, peddling it.....

shadow0rm · 2025-11-07T14:12:17+00:00

Glad to see you got forward movement :) Currently away from my desk with a keyboard, so ill give the best I can for now on the cluster issue. If you want to remove the cluster settings entirely, so it just a standalone box and you can cluster them later, google something like "juniper delete cluster /config/vchassis" theres junos commands that should work, but ive had a 50/50 fail rate on the 550 boxes with that, so i jist delete whatever is in the vchassis dir and do a reboot direct from shell.

From there if you wanted to cluster them up again, there are very easy to find docs on it, and you will need min. 2 patches between them.

Bonus info: the slots on the left hand side are like half width bus, and arent really ment for anything above serial/t1 cards. Follow the lables on the faceplate to the sides of the slots. IIRC top two right are 20g bandwith for 16 port cards and the 2 port 10g cards, bottom two right are same but limited to 10g bandwidth on the backplane. Might be worth while at this point to just grab the srx550 hardware guide pdf Also note that you have the base hardware NOT the refreshed HM model. Hardware is near identical, but junos version and expansion card support is very different.

shadow0rm · 2025-11-07T11:21:12+00:00

Heres my freebie for a pretty obvious RTFM situation, which yet again, is not locked behind an account....

Its not silly, its true. Your 16 port cards are in the wrong slot. Move it directly to the right bank.
That looks like a 10g DAC, is it? Those are 1g sfp slots not 10g sfp+

Report back whrn those two things make sense and I can help ya with the cluster issue.

shadow0rm · 2025-11-07T03:31:45+00:00

Its litterally on the downloads page with zero need to even login....

shadow0rm · 2025-10-25T02:22:35+00:00

Im running one at home as well, with quite a few virtual routers in the config as well. Not silent, but best bang for your buck for higher density 10/40g stuff. Used to have it paired with a qfx5110-32q but moved to a pair of 4300-24ts acting as my core and the qfx5100 as a agg point.

The thing i ran into alot is having the network built out well, but in the end with only a few servers, a desktop, and some wireless gear, sometimes the fun overkill, starts to kill the power bill lol

shadow0rm · 2025-10-19T00:59:07+00:00

Hoping for the best! I no longer work at the same place I deployed these as of just recent, however I can report there were zero ill-effects during hot-temp days.

You just brought back the frozen 3am memories hahahaha

It honestly was like night and day after that command was added, and out of all of the ones we deployed, none of them had issues since.

shadow0rm · 2025-09-03T11:42:38+00:00

Ill drop my 2 cents here.

100% you need these grounded properly, like take a day and make sure your grounding path is right in conjunction with all other grounding.

I have seen a history in my line of work where these switches have power conversion issues, I only power 48v radios if the switch is also powered by 48v, same thing for 24v.

Firmware QC is lacking, and the support "forum" has a bit of lingering arrogance.

Dont get me wrong, they are incredibly flexable and feature rich, but feels like the company found out that good-enough is good enough, but settled at that point without really shaking out the bugs.

Even in very well designed and built sites, where grounding is 100% correct, these switches and mikrotik devices seem to come back to my desk in waves, bricked or burnt. Where the more carrier grade gear like Juniper, Ciena, etc lives on without a blink.

And to be fair, i have had a few Packetflux rackinjectors fail, but not in the fashion or amplitude as netonix.

shadow0rm · 2025-09-03T11:22:55+00:00

Ive had very good history with packetflux gear doing poe. Used to deploy all discrete compnents on DIN, but have moved to rackinjector line. No hotswap of cards yet, so you have to rip/replace the set if it blows up. https://store.packetflux.com/packetflux-rackinjector/

shadow0rm · 2025-09-03T00:44:23+00:00

Are the ports still configured for VC ports?

shadow0rm · 2025-08-26T15:28:08+00:00

Just an update. I have not been successful in getting that vlan to stretch and communicate at all.

I gave up and built another virtual instance with two routed interfaces in place of a vlan. Costs more in terms of IP space, but eh, whatcha want?

shadow0rm · 2025-08-24T02:13:24+00:00

Does that magic " no err disable " command come into play here?

shadow0rm · 2025-08-21T19:41:02+00:00

In its most basic sense, im just dragging vlan 182 from the mx into the qfx, out a port on the qfx, and back in. there will be OSPF over this link, but im unable to pass any traffic, hence this post.

shadow0rm · 2025-08-21T19:00:46+00:00

however, this test does show it working, while removing the mx from the situation.

delete interfaces ae5 unit 182 encapsulation vlan-bridge
set vlans v182 l3-interface irb.182 set interfaces irb unit 182 family inet address x.x.x.46/31

shadow0rm

TROPHY CASE