[j-nsp] Destination NAT - GRE
Does anyone know how to pass protocol 47 (GRE) through destination NAT in JunOS? This is on an SRX100 running 10.4R4.5 currently. There is no match condition in the policies to permit it to pass...

Thanks,
Paul

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] ECMP vs LAG and OAM vs BFD
FYI list, OAM LFM (802.3ah) appears to be supported in Junos 11.1 for Trio/MPC (I've yet to test this).

http://www.juniper.net/techpubs/en_US/junos11.1/information-products/topic-collections/release-notes/11.1/index.html?topic-53312.html#jd0e1736

On Sat, Jul 23, 2011 at 7:22 AM, Daniel Verlouw wrote:
> On Fri, Jul 22, 2011 at 22:14, Stefan Fouant wrote:
> > Regarding BFD's capabilities to determine member state of individual member
> > links, this is not currently supported by BFD. Take a look at IETF Draft
> > 'Bidirectional Forwarding Detection (BFD) for Interface' which was just
> > released a few weeks ago. It is designed to meet these requirements -
> > http://tools.ietf.org/html/draft-chen-bfd-interface-00
>
> IOS XR (at least on the ASR9k) supports BFD over individual member
> links. Saw it in the lab, seemed to work fine. Not sure if its
> implementation is based on this draft though, or if it's a proprietary
> one.
>
> --Daniel.
[j-nsp] MX NAT at outside interface...
Does anyone have examples of configuring NAT (NAPT) on the outside interface of an MX? I've got a working config with NAT applied to an inside interface, but I need to do it on my gateway interface...

Here's why. I want to police per user IP at ingress. Policing doesn't play nice with services NAT. I've had a ticket open with TAC for a while now and seen no traction on it. Applying both to the same interface causes strange behavior on the policer. So my solution is to police at ingress and NAT at egress.

I'm building a config now, but I wanted to see if anyone has done anything similar...
Re: [j-nsp] tag-protocol-id matching in vlan-tags
I wonder if you had the frame egress a trunk if you would see it dual tagged with 100/100, the expected outer-tag TPID, and the 0x8100 on the inner tag...

Derick Winkworth
CCIE #15672 (RS, SP), JNCIE-M #721
http://blinking-network.blogspot.com

--- On Thu, 7/28/11, David Ball wrote:

From: David Ball
Subject: Re: [j-nsp] tag-protocol-id matching in vlan-tags
To: "Addy Mathur"
Cc: "Juniper-Nsp"
Date: Thursday, July 28, 2011, 10:27 AM

Ah, so I'm potentially not crazy (at least not for this reason). See below, and thanks...

David

---
JUNOS 10.0R3.10 built 2010-04-16 07:14:00 UTC
{master}
me@router> show interfaces ge-1/1/0
Physical interface: ge-1/1/0, Enabled, Physical link is Up
  Interface index: 173, SNMP ifIndex: 250
  Link-level type: 52, MTU: 9192, Speed: 1000mbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled, Auto-negotiation: Disabled, Remote fault: Online, Speed-negotiation: Disabled, Auto-MDIX: Enabled
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x4000
  CoS queues     : 8 supported, 8 maximum usable queues
  Current address: 00:22:83:75:69:9c, Hardware address: 00:22:83:75:69:9c
  Last flapped   : 2011-07-26 15:43:39 MDT (1d 17:08 ago)
  Input rate     : 978417760 bps (96149 pps)
  Output rate    : 988075168 bps (96491 pps)
  Active alarms  : None
  Active defects : None

  Logical interface ge-1/1/0.100 (Index 113) (SNMP ifIndex 170)
    Description: 0x88A8 TPID test
    Flags: SNMP-Traps 0x4000 VLAN-Tag [ 0x88a8.100 ] In(pop) Out(push 0x88a8.100)
    Encapsulation: VLAN-CCC
    Input packets : 14161344641
    Output packets: 14161304171
    Protocol ccc, MTU: 9192

  Logical interface ge-1/1/0.32767 (Index 114) (SNMP ifIndex 171)
    Flags: SNMP-Traps 0x4004000 VLAN-Tag [ 0x.0 ] Encapsulation: ENET2
    Input packets : 0
    Output packets: 0
    Protocol multiservice, MTU: Unlimited
      Flags: None

{master}
me@router>

On 28 July 2011 04:54, Addy Mathur wrote:
> On Wednesday, July 27, 2011, David Ball wrote:
>> MX running 10.0 (DPCE-R-20GE-2XGE for int in question)
>>
>> Should I expect that a logical unit configured with 'vlan-tags outer
>> 0x88A8.100' would also permit frames using TPID 8100 and VLAN ID 100 ?
>> I kinda expected not (since it doesn't 'match'), yet if I change my
>> test set to send normal 0x8100.100 frames, they're still accepted by
>> the interface (config below) and stuffed into the associated VPN.
>>
>> [edit interfaces ge-1/1/0]
>> flexible-vlan-tagging;
>> encapsulation flexible-ethernet-services;
>> gig-ether-options {
>>     no-auto-negotiation;
>>     ethernet-switch-profile {
>>         tag-protocol-id 0x88A8;
>>     }
>> }
>> unit 100 {
>>     encapsulation vlan-ccc;
>>     vlan-tags outer 0x88A8.100;
>>     input-vlan-map pop;
>>     output-vlan-map push;
>> }
>>
>> Are my expectations that "specifying the TPID in the vlan-tags
>> statement would ONLY match frames with that TPID" wrong? Practice
>> would indicate that I'm wrong, but I guess I'm wondering if this is
>> expected behaviour.
>
> David: I don't believe your expectation is incorrect. Could you please post
> the exact JUNOS release (including minor version) and the output of "show
> interface ge-1/1/0"?
>
>> TIA,
>>
>> David
Re: [j-nsp] JUNOS 10.4R4.5 on an SRX650
Thanks for the heads up. I have run into issues with link-speed 10.4R1.9 and clustering on another set of 650s. Make sure both SRX and other end are set to auto or the SRX will just stop forwarding traffic out of the interface randomly and will not fail. Hope Juniper can get around link-speed with clusters soon.

Thanks!

From: Ralph Rye
To: Daniel M Daloia Jr; "juniper-nsp@puck.nether.net"
Sent: Thursday, July 28, 2011 5:03 PM
Subject: RE: [j-nsp] JUNOS 10.4R4.5 on an SRX650

The only issue I have come across is an unsupported command/feature causing the config not to load, and also preventing the startup of the management daemon. In the case I worked on it was the link-speed option tied to a RETH interface on a cluster. It doesn't appear to happen every time. I tried to reproduce on a SRX 210 cluster and I could get it to fail the same way.

If your SRXs come up and stay in a hold state and if the results of many operation commands result in "error: Could not connect to node0 : No route to host" type of error you are probably experiencing the issue.

JTAC fixed the issue pretty quickly by starting a shell and running the following commands:

% cd /var/run/db
% mgd -i

Which produced an error about link speed mismatch between the RETH and the GE interface. He then edited the configuration by deleting the option from the RETH interface and committed. After a reboot the SRX came back online and became a member of the cluster.

Ralph

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Daniel M Daloia Jr
Sent: Thursday, July 28, 2011 9:57 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] JUNOS 10.4R4.5 on an SRX650

Hey Folks,

Anyone using the current recommended release 10.4R4.5 on the SRX650 series? We have a pretty simple setup with clustering, IDP, BGP, OSPF. Just looking for any gotchas!

Thanks!
Re: [j-nsp] IPv6 Router Guard
I definitely want IPv6 but am researching how to implement RA guard on Juniper devices.

On Jul 29, 2011 9:19 AM, "Chuck Anderson" wrote:
> On Thu, Jul 28, 2011 at 09:40:21PM -0500, Chris Adams wrote:
>> Once upon a time, Chris Evans said:
>> > I'm trying to implement a firewall filter to implement IPv6 RA guard on an
>> > EX4200. I have the ACL written to block DHCP and icmp router-advertisements.
>> > However it appears that the EX4200 only supports IPv4 at this time for
>> > PACLs? I have applied the filter ingress to my interfaces and RA
>> > advertisements are still passing.
>> >
>> > This is on 11.1 code. Anyone else tried this??
>> >
>> > EX4200-1> show configuration firewall
>> > family ethernet-switching {
>> >     term RA-GUARD-ICMP-RA {
>> >         from {
>> >             protocol icmp;
>> >             icmp-type router-advertisement;
>>
>> You are filtering the (unused) IPv4 ICMP RAs, not IPv6 ICMPv6 RAs. You
>> can match protocol icmpv6, but I don't think there is a corresponding
>> icmpv6-type, so I don't think you can do this right now.
>
> Right. As a workaround if you don't want any IPv6 packets to pass at
> all, you can block by Ethertype:
>
> firewall {
>     family ethernet-switching {
>         filter DROP-IPv6 {
>             term DROP-IPv6 {
>                 from {
>                     ether-type 0x86dd;
>                 }
>                 then {
>                     discard;
>                     count DROP-IPv6;
>                 }
>             }
>             term ACCEPT {
>                 then accept;
>             }
>         }
>     }
> }
Re: [j-nsp] IPv6 Router Guard
On Thu, Jul 28, 2011 at 09:40:21PM -0500, Chris Adams wrote:
> Once upon a time, Chris Evans said:
> > I'm trying to implement a firewall filter to implement IPv6 RA guard on an
> > EX4200. I have the ACL written to block DHCP and icmp router-advertisements.
> > However it appears that the EX4200 only supports IPv4 at this time for
> > PACLs? I have applied the filter ingress to my interfaces and RA
> > advertisements are still passing.
> >
> > This is on 11.1 code. Anyone else tried this??
> >
> > EX4200-1> show configuration firewall
> > family ethernet-switching {
> >     term RA-GUARD-ICMP-RA {
> >         from {
> >             protocol icmp;
> >             icmp-type router-advertisement;
>
> You are filtering the (unused) IPv4 ICMP RAs, not IPv6 ICMPv6 RAs. You
> can match protocol icmpv6, but I don't think there is a corresponding
> icmpv6-type, so I don't think you can do this right now.

Right. As a workaround if you don't want any IPv6 packets to pass at all, you can block by Ethertype:

firewall {
    family ethernet-switching {
        filter DROP-IPv6 {
            term DROP-IPv6 {
                from {
                    ether-type 0x86dd;
                }
                then {
                    discard;
                    count DROP-IPv6;
                }
            }
            term ACCEPT {
                then accept;
            }
        }
    }
}
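As an added illustration (not code from this thread; the sample frames are constructed dummies), the Python below classifies Ethernet frames the way the three filter intents discussed above treat them: the original term only ever matches IPv4 ICMP type 9, the ether-type 0x86dd workaround discards every IPv6 frame, and a real RA guard would match only ICMPv6 type 134, tagged or not.

```python
# Added example, not from the thread: classify constructed frames the way the three filters would.
import struct

ETH_IPV4, ETH_IPV6, ETH_8021Q = 0x0800, 0x86DD, 0x8100

def parse(frame: bytes) -> dict:
    """Return ethertype, L4 protocol and ICMP type; pops one 802.1Q tag if present."""
    off = 12
    etype = struct.unpack_from("!H", frame, off)[0]
    if etype == ETH_8021Q:                      # skip a single VLAN tag
        off += 4
        etype = struct.unpack_from("!H", frame, off)[0]
    off += 2                                    # start of the L3 header
    info = {"etype": etype, "proto": None, "icmp_type": None}
    if etype == ETH_IPV4:
        ihl = (frame[off] & 0x0F) * 4
        info["proto"] = frame[off + 9]
        if info["proto"] == 1:                  # ICMP: type is the first byte
            info["icmp_type"] = frame[off + ihl]
    elif etype == ETH_IPV6:
        info["proto"] = frame[off + 6]          # Next Header
        if info["proto"] == 58:                 # ICMPv6 after the fixed 40-byte header
            info["icmp_type"] = frame[off + 40]
    return info

def original_term_drops(frame: bytes) -> bool:
    """'protocol icmp; icmp-type router-advertisement' means IPv4 ICMP type 9."""
    i = parse(frame)
    return i["etype"] == ETH_IPV4 and i["proto"] == 1 and i["icmp_type"] == 9

def ethertype_workaround_drops(frame: bytes) -> bool:
    """The DROP-IPv6 term: discard everything with ether-type 0x86dd."""
    return parse(frame)["etype"] == ETH_IPV6

def real_ra_guard_drops(frame: bytes) -> bool:
    """What RA guard should match: ICMPv6 Router Advertisement (type 134) only."""
    i = parse(frame)
    return i["etype"] == ETH_IPV6 and i["proto"] == 58 and i["icmp_type"] == 134

# Constructed sample frames; MACs, addresses and payloads are dummy values.
HDR = b"\x33\x33\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x01"  # dst MAC, src MAC
def ipv6_frame(next_header: int, payload: bytes, tag: bytes = b"") -> bytes:
    ip6 = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255)
    return HDR + tag + struct.pack("!H", ETH_IPV6) + ip6 + bytes(32) + payload
RA_V6 = ipv6_frame(58, bytes([134, 0, 0, 0]) + bytes(12))                  # ICMPv6 RA
TCP_V6 = ipv6_frame(6, bytes(20))                                          # ordinary IPv6/TCP
RA_V6_TAGGED = ipv6_frame(58, bytes([134]) + bytes(15), tag=struct.pack("!HH", ETH_8021Q, 100))
IPV4_HDR = bytes([0x45]) + bytes(8) + bytes([1]) + bytes(10)               # IHL=5, proto=ICMP
RA_V4 = HDR + struct.pack("!H", ETH_IPV4) + IPV4_HDR + bytes([9, 0, 0, 0])  # IPv4 ICMP RA (type 9)
```

Run it against RA_V6 and RA_V4 to see the mismatch: the original term drops only the IPv4 frame, while the ICMPv6 RA passes it untouched.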
Re: [j-nsp] snmp count for arp policer?
> -----Original Message-----
> From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Clarke Morledge
> Sent: Tuesday, July 12, 2011 11:07 AM
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] snmp count for arp policer?
>
> On an IP interface (on a router like the MX), you can configure filters to
> count different types of IP packets. But there does not appear to be a
> way to count ARP packets, since they do not have an IP header.
>
> I would like to be able to have some type of ARP packet counter per
> interface that I can query with SNMP, just like you would with the IP
> counters via filters that can be programmed into the router hardware.
>
> The closest thing I can find that might do it is using an ARP policer.
> Unfortunately, this will only catch packets that hit some limit on your
> policer. This is better than nothing, but not great. From the CLI, you
> can look at the number of hits on the __default_arp_policer__, which I
> assume will get superseded by any interface specific ARP policer. In this
> context, the "show policer" output via the CLI is helpful:

I have run into the same issue. I'm using an M7i and some Ethernet subinterfaces are hitting the default ARP policer. I configured a more sane policer and I'd like to track which interfaces this is happening on, but there doesn't seem to be a way to do it through SNMP.

-evt
Re: [j-nsp] IPv6 Router Guard
Yeah I think you are right. IPv6 isn't supported on Ethernet filters at this point.

On Jul 28, 2011 10:42 PM, "Chris Adams" wrote:
> Once upon a time, Chris Evans said:
>> I'm trying to implement a firewall filter to implement IPv6 RA guard on an
>> EX4200. I have the ACL written to block DHCP and icmp router-advertisements.
>> However it appears that the EX4200 only supports IPv4 at this time for
>> PACLs? I have applied the filter ingress to my interfaces and RA
>> advertisements are still passing.
>>
>> This is on 11.1 code. Anyone else tried this??
>>
>> EX4200-1> show configuration firewall
>> family ethernet-switching {
>>     term RA-GUARD-ICMP-RA {
>>         from {
>>             protocol icmp;
>>             icmp-type router-advertisement;
>
> You are filtering the (unused) IPv4 ICMP RAs, not IPv6 ICMPv6 RAs. You
> can match protocol icmpv6, but I don't think there is a corresponding
> icmpv6-type, so I don't think you can do this right now.
>
> --
> Chris Adams
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.