Re: [j-nsp] Mirroring packets in an LSP
Hi Joe,

I never tried this myself but it might work:

1/ buy a Y-splitter cable(s) and connect the attenuated end(s) to an unused router port(s).
2/ configure pop-all-labels on that port or ports:
   http://www.juniper.net/techpubs/en_US/junos9.6/information-products/topic-collections/config-guide-services/services-enabling-passive-flow-monitoring.html#id-11327781
3/ And from there you could port-mirror the traffic to another port with an analyser attached, or to a next-hop-group.

Rgds
Alex

----- Original Message -----
From: Joe Metzger metz...@es.net
To: juniper-nsp@puck.nether.net
Sent: Monday, November 02, 2009 7:29 PM
Subject: [j-nsp] Mirroring packets in an LSP

> Hi,
>
> Does anybody know of a way to mirror traffic traversing an LSP on a transit router? I am trying to characterize the changes in inter-packet gaps on TCP flows transiting LSPs across the network. I can tap the flows on the edge routers, but I want to look at them at a midpoint if possible.
>
> Joe Metzger metz...@es.net

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] destination nat, 8 rule limit
If I try to set up more than 8 rules per rule-set on our SRX240 boxes, Junos gets cranky. Here's the error I receive:

---
cho...@ss0101# commit check
[edit security nat destination rule-set mail]
  'rule'
    number of elements exceeds limit of 8
error: configuration check-out failed: (number of elements exceeds limit)
---

I can't break our rules out into different rule sets because it complains of context at that point (which I believe is tied to the destination address?):

---
cho...@ss0101# commit check
error: Destination NAT rule-set mail and test have same context.
[edit security nat destination]
  'rule-set test'
    Destination NAT rule-set(test) sanity check failed.
error: configuration check-out failed
---

All of our incoming addresses exist on the same subnet and the majority of our destination addresses are on the same subnet as well, so I clearly can't split up our rules to work around this issue if the context is based on either the incoming or destination addresses.

I've read a couple of threads concerning a similar issue and the fix was to upgrade to 9.6, which I did. The upgrade didn't appear to solve anything at all.

Does anyone know why this restriction is here other than just poor programming? How can I get past this limitation?

Thanks for your time!

-- 
C.M. Hobbs, http://altbit.org
Re: [j-nsp] destination nat, 8 rule limit
Upgrade to 9.6. You can have many more rules per rule-set...

From: Christopher M. Hobbs ch...@altbit.org
To: juniper-nsp@puck.nether.net
Sent: Tue, November 3, 2009 10:08:13 AM
Subject: [j-nsp] destination nat, 8 rule limit

> If I try to set up more than 8 rules per rule-set on our SRX240 boxes, Junos gets cranky. Here's the error I receive:
>
> ---
> cho...@ss0101# commit check
> [edit security nat destination rule-set mail]
>   'rule'
>     number of elements exceeds limit of 8
> error: configuration check-out failed: (number of elements exceeds limit)
> ---
> [...]
Re: [j-nsp] destination nat, 8 rule limit
On Tue, Nov 03, 2009 at 06:32:05PM -0700, Brandon Bennett wrote:
> > 08/17/09 05:21:01 I am not sure of the exact time, but I know that it should be in version 10 of Junos.
>
> Did they mention what it would be increased to?

IIRC 256 rules per one rule-set.

-- 
MINO-RIPE
Re: [j-nsp] destination nat, 8 rule limit
> 08/17/09 05:21:01 I am not sure of the exact time, but I know that it should be in version 10 of Junos.

Did they mention what it would be increased to?

-Brandon
Re: [j-nsp] destination nat, 8 rule limit
He said he did that already.. unfortunately I don't think the limits were upped for source/destination NAT rules; I think it is still 8 on 9.6R1.

On Tue, Nov 3, 2009 at 8:39 AM, Derick Winkworth dwinkwo...@att.net wrote:
> Upgrade to 9.6. You can have many more rules per rule-set...
>
> From: Christopher M. Hobbs ch...@altbit.org
> To: juniper-nsp@puck.nether.net
> Sent: Tue, November 3, 2009 10:08:13 AM
> Subject: [j-nsp] destination nat, 8 rule limit
>
> > If I try to set up more than 8 rules per rule-set on our SRX240 boxes, Junos gets cranky.
> > [...]
> > I've read a couple of threads concerning a similar issue and the fix was to upgrade to 9.6, which I did. The upgrade didn't appear to solve anything at all.
> > [...]
Re: [j-nsp] Mirroring packets in an LSP
Alex,

I have thought about physical taps but that is not practical in my environment.

--Joe

On Nov 3, 2009, at 5:44 AM, Alex wrote:
> Hi Joe,
>
> I never tried this myself but it might work:
>
> 1/ buy a Y-splitter cable(s) and connect the attenuated end(s) to an unused router port(s).
> 2/ configure pop-all-labels on that port or ports:
>    http://www.juniper.net/techpubs/en_US/junos9.6/information-products/topic-collections/config-guide-services/services-enabling-passive-flow-monitoring.html#id-11327781
> 3/ And from there you could port-mirror the traffic to another port with an analyser attached, or to a next-hop-group.
>
> Rgds
> Alex
>
> ----- Original Message -----
> From: Joe Metzger metz...@es.net
> To: juniper-nsp@puck.nether.net
> Sent: Monday, November 02, 2009 7:29 PM
> Subject: [j-nsp] Mirroring packets in an LSP
>
> > [...]

Joe Metzger metz...@es.net
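Joe's goal in this thread is to characterise how inter-packet gaps on TCP flows change between the edge and an LSP midpoint. Once mirrored captures exist at both points, the analysis itself is the easy part. The Python below is an added example, not code from the thread, from Juniper or from ESnet: it works on constructed packet records (timestamp in microseconds, 5-tuple, TCP sequence number) rather than a real capture, pairs packets between the two capture points by flow and TCP sequence number, compares gaps rather than absolute timestamps so that a constant clock offset between the two probes cancels out, and skips any pair where a packet was lost or not mirrored at the midpoint instead of guessing.

```python
"""Inter-packet gap (IPG) comparison between two capture points on TCP flows.

Given packet records mirrored at an ingress edge and at an LSP midpoint, pair
each packet by (flow, TCP sequence number) and report how much the gap between
consecutive packets changed in transit. Gaps are compared instead of raw
timestamps, so a constant clock offset between the two probes cancels out.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records, not a real capture:
# (timestamp_us, src, sport, dst, dport, tcp_seq). Addresses are RFC 5737 space.
EDGE = [
    (0,     "192.0.2.10", 40000, "198.51.100.20", 443, 1000),
    (10000, "192.0.2.10", 40000, "198.51.100.20", 443, 2448),
    (20000, "192.0.2.10", 40000, "198.51.100.20", 443, 3896),
    (30000, "192.0.2.10", 40000, "198.51.100.20", 443, 5344),
    (40000, "192.0.2.10", 40000, "198.51.100.20", 443, 6792),
    (100,   "192.0.2.11", 40001, "198.51.100.21", 80,  500),
    (5100,  "192.0.2.11", 40001, "198.51.100.21", 80,  1948),
    (10100, "192.0.2.11", 40001, "198.51.100.21", 80,  3396),
]
# Constructed midpoint view: the probe clock runs ahead of the edge clock, the
# first flow picks up queueing jitter and loses its last packet, the second
# flow is delayed by a constant amount and otherwise untouched.
MIDPOINT = [
    (5000,  "192.0.2.10", 40000, "198.51.100.20", 443, 1000),
    (15200, "192.0.2.10", 40000, "198.51.100.20", 443, 2448),
    (24800, "192.0.2.10", 40000, "198.51.100.20", 443, 3896),
    (35000, "192.0.2.10", 40000, "198.51.100.20", 443, 5344),
    (7000,  "192.0.2.11", 40001, "198.51.100.21", 80,  500),
    (12000, "192.0.2.11", 40001, "198.51.100.21", 80,  1948),
    (17000, "192.0.2.11", 40001, "198.51.100.21", 80,  3396),
]


def flow_key(rec):
    """Identify a unidirectional TCP flow by (src, sport, dst, dport)."""
    return rec[1:5]


def gap_changes(edge, midpoint):
    """Per flow, list (midpoint gap - edge gap) in microseconds for every
    consecutive pair of edge packets that was also seen at the midpoint.
    Pairs with a lost or unmirrored packet are skipped rather than guessed."""
    mid_ts = {(flow_key(r), r[5]): r[0] for r in midpoint}
    by_flow = defaultdict(list)
    for rec in sorted(edge, key=lambda r: r[0]):
        by_flow[flow_key(rec)].append(rec)
    changes = {}
    for flow, pkts in by_flow.items():
        deltas = []
        for a, b in zip(pkts, pkts[1:]):
            ta, tb = mid_ts.get((flow, a[5])), mid_ts.get((flow, b[5]))
            if ta is None or tb is None:
                continue  # one side of the pair never reached the midpoint probe
            deltas.append((tb - ta) - (b[0] - a[0]))
        changes[flow] = deltas
    return changes


def summarise(deltas):
    """Mean shift, jitter (population std dev) and worst-case change for one flow."""
    if not deltas:
        return {"pairs": 0}
    return {
        "pairs": len(deltas),
        "mean_change_us": mean(deltas),
        "jitter_us": pstdev(deltas),
        "max_abs_change_us": max(abs(d) for d in deltas),
    }


if __name__ == "__main__":
    for flow, deltas in gap_changes(EDGE, MIDPOINT).items():
        print(flow, summarise(deltas))
```

Because only gap differences are reported, the constructed 5 ms clock offset of the midpoint probe never shows up in the result; what remains for the first flow is the few hundred microseconds of jitter the midpoint introduced, and the second flow correctly reports no change. Real captures would need a 5-tuple plus sequence number that is unique within the capture window (retransmissions reuse sequence numbers and should be dropped or tagged before pairing).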
Re: [j-nsp] destination nat, 8 rule limit
On Tue, Nov 03, 2009 at 03:45:18PM -0600, Christopher M. Hobbs wrote:
> On Tue, Nov 03, 2009 at 08:39:02AM -0800, Derick Winkworth wrote:
> > Upgrade to 9.6. You can have many more rules per rule-set...
> > [...]
>
> I am running 9.6:

I have the same issue. Guys from JTAC told me to wait for version 10:

    08/17/09 05:21:01 I am not sure of the exact time, but I know that it should be in version 10 of Junos.

-- 
MINO-RIPE
Re: [j-nsp] Verifying NAT translation
hey try

    #show services stateful-firewall flows

cheers
Ivan

On Fri, Oct 23, 2009 at 8:04 PM, techt...@gmail.com wrote:
> Hi,
>
> I have configured an SRX machine with source NAT and destination NAT as follows:
>
>     set security nat source pool WAN_Address address x.x.x.x/32
>     set security nat source rule-set interface-nat from zone trust
>     set security nat source rule-set interface-nat to zone untrust
>     set security nat source rule-set interface-nat rule rule1 match source-address 10.0.0.0/24
>     set security nat source rule-set interface-nat rule rule1 match destination-address 0.0.0.0/0
>     set security nat source rule-set interface-nat rule rule1 then source-nat pool WAN_Address
>     set security nat destination pool Int_Servers address 10.0.0.4/32
>     set security nat destination rule-set rule1 from interface fe-0/0/2.0
>     set security nat destination rule-set rule1 rule NAT-to-Server match destination-address x.x.x.x/32
>     set security nat destination rule-set rule1 rule NAT-to-Server then destination-nat pool Int_Servers
>     set security nat proxy-arp interface fe-0/0/2.0 address x.x.x.x/32
>
> [x.x.x.x is my WAN IP address on fe-0/0/2]
>
> How can I verify that this config is working from within the SRX? While trying to ping some outside address with the source IP of my internal LAN interface (10.0.0.254), I'm not getting back any answer.
>
> Best Regards,
> MTC
Re: [j-nsp] destination nat, 8 rule limit
On Tue, Nov 03, 2009 at 08:39:02AM -0800, Derick Winkworth wrote:
> Upgrade to 9.6. You can have many more rules per rule-set...
>
> From: Christopher M. Hobbs ch...@altbit.org
> To: juniper-nsp@puck.nether.net
> Sent: Tue, November 3, 2009 10:08:13 AM
> Subject: [j-nsp] destination nat, 8 rule limit
>
> > If I try to set up more than 8 rules per rule-set on our SRX240 boxes, Junos gets cranky.
> > [...]
> > I've read a couple of threads concerning a similar issue and the fix was to upgrade to 9.6, which I did. The upgrade didn't appear to solve anything at all.
> > [...]

I am running 9.6:

    cho...@ss0101> show version
    Hostname: SS0101
    Model: srx240-hm
    JUNOS Software Release [9.6R2.11]

-- 
C.M. Hobbs, http://altbit.org
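Two practical checks come up across these SRX threads: the commit-time complaints about more than 8 rules in a destination NAT rule-set and about two rule-sets with the same context, and MTC's question of how to tell which NAT rule a packet actually hits. The Python below is an added example, not code from the thread or from Juniper. It parses Junos set-style security nat statements into rule-sets, lints them offline for the two conditions the commit check rejected, and looks up the rule a given packet would match. It models a rule-set's context as its from clause (plus to for source NAT); that modelling, the RFC 5737 addresses standing in for x.x.x.x, and the nine-rule OVERLIMIT_CONFIG are constructed for this example. The lookup returns the first match in configuration order and treats an empty match list as "any"; it does not model Junos precedence between rule-sets of different context types.

```python
"""Offline checks for Junos 'set security nat ...' statements.

  * lint(): flags rule-sets over the per-rule-set rule limit and rule-sets that
    share a context, the two conditions 'commit check' rejected in the thread;
  * match_rule(): reports which rule-set / rule / pool a packet would hit.
Context is modelled here as the rule-set's from (and, for source NAT, to)
clause; that is this example's assumption, not text from the thread.
"""
import ipaddress
from collections import defaultdict

RULE_LIMIT = 8  # per-rule-set limit quoted in the commit check error

# Constructed sample modelled on MTC's set commands; the WAN address x.x.x.x
# is replaced with RFC 5737 documentation space.
SAMPLE_CONFIG = """
set security nat source pool WAN_Address address 203.0.113.10/32
set security nat source rule-set interface-nat from zone trust
set security nat source rule-set interface-nat to zone untrust
set security nat source rule-set interface-nat rule rule1 match source-address 10.0.0.0/24
set security nat source rule-set interface-nat rule rule1 match destination-address 0.0.0.0/0
set security nat source rule-set interface-nat rule rule1 then source-nat pool WAN_Address
set security nat destination pool Int_Servers address 10.0.0.4/32
set security nat destination rule-set rule1 from interface fe-0/0/2.0
set security nat destination rule-set rule1 rule NAT-to-Server match destination-address 203.0.113.10/32
set security nat destination rule-set rule1 rule NAT-to-Server then destination-nat pool Int_Servers
"""

# Constructed: nine rules in rule-set 'mail' plus a rule-set 'test' with the
# same 'from' clause, reproducing both errors quoted in the thread.
OVERLIMIT_CONFIG = "\n".join(
    ["set security nat destination pool srv address 10.0.0.4/32",
     "set security nat destination rule-set mail from zone untrust"]
    + [f"set security nat destination rule-set mail rule r{i} match destination-address 203.0.113.{i}/32"
       for i in range(1, 10)]
    + [f"set security nat destination rule-set mail rule r{i} then destination-nat pool srv"
       for i in range(1, 10)]
    + ["set security nat destination rule-set test from zone untrust",
       "set security nat destination rule-set test rule r1 match destination-address 203.0.113.20/32",
       "set security nat destination rule-set test rule r1 then destination-nat pool srv"]
)


def parse_nat(config):
    """Build {'source'|'destination': {'pools': {...}, 'rule_sets': {...}}} from set statements."""
    nat = {k: {"pools": {}, "rule_sets": {}} for k in ("source", "destination")}
    for line in config.strip().splitlines():
        t = line.split()
        if len(t) < 8 or t[:3] != ["set", "security", "nat"] or t[3] not in nat:
            continue  # blank line or a statement this checker does not model (e.g. proxy-arp)
        section = nat[t[3]]
        if t[4] == "pool":                        # pool <name> address <prefix>
            section["pools"][t[5]] = ipaddress.ip_network(t[7])
        elif t[4] == "rule-set":
            rs = section["rule_sets"].setdefault(t[5], {"from": None, "to": None, "rules": {}})
            if t[6] in ("from", "to"):            # from|to zone|interface <name>
                rs[t[6]] = (t[7], t[8])
            elif t[6] == "rule":
                rule = rs["rules"].setdefault(
                    t[7], {"source-address": [], "destination-address": [], "pool": None})
                if t[8] == "match":               # match source-address|destination-address <prefix>
                    rule[t[9]].append(ipaddress.ip_network(t[10]))
                elif t[8] == "then":              # then source-nat|destination-nat pool <name>
                    rule["pool"] = t[11]
    return nat


def lint(nat, limit=RULE_LIMIT):
    """Return human-readable problems: oversized rule-sets and rule-sets sharing a context."""
    problems = []
    for kind, section in nat.items():
        by_context = defaultdict(list)
        for name, rs in section["rule_sets"].items():
            if len(rs["rules"]) > limit:
                problems.append(f"{kind} rule-set {name}: {len(rs['rules'])} rules exceeds limit of {limit}")
            by_context[(rs["from"], rs["to"])].append(name)
        for ctx, names in by_context.items():
            if len(names) > 1:
                problems.append(f"{kind} rule-sets {', '.join(sorted(names))} have same context {ctx}")
    return problems


def match_rule(section, from_ctx, to_ctx, src, dst):
    """First (rule-set, rule, pool prefix) whose context and address matches fit, else None.
    An empty match list is treated as 'any'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rs_name, rs in section["rule_sets"].items():
        if rs["from"] != from_ctx or (rs["to"] is not None and rs["to"] != to_ctx):
            continue
        for rule_name, rule in rs["rules"].items():
            if rule["source-address"] and not any(src in n for n in rule["source-address"]):
                continue
            if rule["destination-address"] and not any(dst in n for n in rule["destination-address"]):
                continue
            return rs_name, rule_name, section["pools"][rule["pool"]]
    return None


if __name__ == "__main__":
    nat = parse_nat(SAMPLE_CONFIG)
    print("lint:", lint(nat) or "clean")
    print(match_rule(nat["source"], ("zone", "trust"), ("zone", "untrust"), "10.0.0.254", "198.51.100.1"))
    print(match_rule(nat["destination"], ("interface", "fe-0/0/2.0"), None, "198.51.100.1", "203.0.113.10"))
    for p in lint(parse_nat(OVERLIMIT_CONFIG)):
        print("OVERLIMIT:", p)
```

Running the lint against the constructed OVERLIMIT_CONFIG reports both the nine-rule rule-set and the mail/test context clash before anything is pushed to the box, which is the point of running it offline; the lookup on MTC's configuration shows a trust-to-untrust packet from 10.0.0.254 landing on rule1 of interface-nat and an inbound packet on fe-0/0/2.0 for the WAN address being rewritten to 10.0.0.4.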