Re: [j-nsp] Add vlan to multiple interfaces on EX series

2009-07-02 Thread Matt Stevens
Sigh...from everyone's answers it appears the short answer to this question
is no.

I guess I'll take this up with my account team.

Thanks everyone!
-- 
matt


On 7/2/09 12:25 PM, "Matt Stevens"  wrote:

> Is there an easy way to add a new VLAN to multiple interfaces on the EX
> series switches? I'd like to be able to use a port range for both adding
> vlans to trunk ports and putting access ports into a specific vlan.
> 
> Both seem to only allow actions to be performed on a single port at a time.


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] Add vlan to multiple interfaces on EX series

2009-07-02 Thread Matt Stevens
Is there an easy way to add a new VLAN to multiple interfaces on the EX
series switches? I'd like to be able to use a port range for both adding
vlans to trunk ports and putting access ports into a specific vlan.

Both seem to only allow actions to be performed on a single port at a time.
-- 
matt




Re: [j-nsp] Firewall filter on IPSec tunnel

2009-02-02 Thread Matt Stevens

Nilesh,

I actually tried it in both directions - neither seemed to work. JTAC 
keeps trying to steer me towards JunOS enhanced services.


I find it a little surprising that I can't filter traffic going over the 
tunnel. I imagine I could do GRE over IPSec - but that would require a 
pretty large change to our current IPSec mesh.

--
matt


Nilesh Khambal wrote:

Hi Matt,

Where did you apply the filter? sp- inside or sp-outside interface? What 
direction did you apply the filter?


For sp- interfaces always interpret the filter directions from PFE point 
of view and “not” from  service-pic point of view.


So what is “input” for service-pic on any interface is actually “output” 
for PFE on that interface and vice-versa.


Hope this helps.

Thanks,
Nilesh

On 1/28/09 10:44 AM, "Matt Stevens"  wrote:

That's in the services ipsec-vpn rule:

 rule ashburn2 {
 term one {
 from {
 ipsec-inside-interface sp-0/0/0.13;
 }
 then {
 remote-gateway 10.11.12.14;
 dynamic {
 ike-policy hq-ashburn2;
 ipsec-policy site-to-site;
 }
 clear-dont-fragment-bit;
 }
 }
 match-direction input;
 }

--
matt


Nan Li wrote:
>  Show me the "match-direction input"
>
>  -Original Message-
>  From: juniper-nsp-boun...@puck.nether.net
>  [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Matt Stevens
>  Sent: Wednesday, January 28, 2009 10:24 AM
>  To: Stefan Fouant
>  Cc: juniper-nsp@puck.nether.net
>  Subject: Re: [j-nsp] Firewall filter on IPSec tunnel
>
>  These are next-hop ipsec sets. For example:
>
>  service-set ashburn2 {
>   ipsec-vpn-options {
>   local-gateway 10.11.12.13;
>   }
>   ipsec-vpn-rules ashburn2;
>   next-hop-service {
>   inside-service-interface sp-0/0/0.13;
>   outside-service-interface sp-0/0/0.12;
>   }
>  }
>
>  local-gateway has been changed to protect the innocent...






Re: [j-nsp] Firewall filter on IPSec tunnel

2009-01-28 Thread Matt Stevens

That's in the services ipsec-vpn rule:

rule ashburn2 {
term one {
from {
ipsec-inside-interface sp-0/0/0.13;
}
then {
remote-gateway 10.11.12.14;
dynamic {
ike-policy hq-ashburn2;
ipsec-policy site-to-site;
}
clear-dont-fragment-bit;
}
}
match-direction input;
}

--
matt


Nan Li wrote:

Show me the "match-direction input"

-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Matt Stevens
Sent: Wednesday, January 28, 2009 10:24 AM
To: Stefan Fouant
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Firewall filter on IPSec tunnel

These are next-hop ipsec sets. For example:

service-set ashburn2 {
 ipsec-vpn-options {
 local-gateway 10.11.12.13;
 }
 ipsec-vpn-rules ashburn2;
 next-hop-service {
 inside-service-interface sp-0/0/0.13;
 outside-service-interface sp-0/0/0.12;
 }
}

local-gateway has been changed to protect the innocent...




Re: [j-nsp] Firewall filter on IPSec tunnel

2009-01-28 Thread Matt Stevens
I have no flows showing with stateful-firewall - although these tunnels 
are fine, and carrying traffic.

--
matt


Nan Li wrote:

Find all the flows, inbound or outbound, with the command:

show services stateful-firewall flows 


Using interface service, you need to manually allow inbound and outbound TCP
or UDP packets by firewall matching.

Make sure the packet flow is working on this interface; otherwise you
can enable "establish-tunnel immediately" on both sides.

Nan 


-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Matt Stevens
Sent: Wednesday, January 28, 2009 10:07 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Firewall filter on IPSec tunnel

Hello everyone.

I'm trying to apply a filter to traffic that's entering a router via an 
IPSec tunnel. It doesn't seem like applying the filter to the services 
interfaces has any effect. I've thought about using the from interface 
condition in the filter, but I have a fair number of IPSec interfaces to 
apply this against which makes for a lot of individual terms.


Any suggestions?



Re: [j-nsp] Firewall filter on IPSec tunnel

2009-01-28 Thread Matt Stevens

These are next-hop ipsec sets. For example:

service-set ashburn2 {
ipsec-vpn-options {
local-gateway 10.11.12.13;
}
ipsec-vpn-rules ashburn2;
next-hop-service {
inside-service-interface sp-0/0/0.13;
outside-service-interface sp-0/0/0.12;
}
}

local-gateway has been changed to protect the innocent...
--
matt


Stefan Fouant wrote:
On Wed, Jan 28, 2009 at 1:17 PM, Matt Stevens <m...@elevate.org> wrote:


Well, the fact that I'm terminating the tunnel helps. :-)

Basically, I want to apply an output filter on the tunnel interface
to filter packets leaving the tunnel towards a local subnet.
-- 
matt


 
What type of service set are you using?


--
Stefan



Re: [j-nsp] Firewall filter on IPSec tunnel

2009-01-28 Thread Matt Stevens

Well, the fact that I'm terminating the tunnel helps. :-)

Basically, I want to apply an output filter on the tunnel interface to 
filter packets leaving the tunnel towards a local subnet.

--
matt


Stefan Fouant wrote:
On Wed, Jan 28, 2009 at 1:06 PM, Matt Stevens <m...@elevate.org> wrote:


Hello everyone.

I'm trying to apply a filter to traffic that's entering a router via
an IPSec tunnel. It doesn't seem like applying the filter to the
services interfaces has any effect. I've thought about using the
from interface condition in the filter, but I have a fair number of
IPSec interfaces to apply this against which makes for a lot of
individual terms.

Any suggestions?
-- 
matt


 
And what kind of magic do you have that allows you to inspect traffic 
that is encrypted?  ;)
 
Stefan



[j-nsp] Firewall filter on IPSec tunnel

2009-01-28 Thread Matt Stevens

Hello everyone.

I'm trying to apply a filter to traffic that's entering a router via an 
IPSec tunnel. It doesn't seem like applying the filter to the services 
interfaces has any effect. I've thought about using the from interface 
condition in the filter, but I have a fair number of IPSec interfaces to 
apply this against which makes for a lot of individual terms.


Any suggestions?
--
matt


Re: [j-nsp] Application Definitions

2009-01-23 Thread Matt Stevens

Thanks Nilesh!
--
matt


Nilesh Khambal wrote:

From edit mode,

l...@sizzle-re0# show groups junos-defaults applications ?
Possible completions:
  <[Enter]>Execute this command

application  Define an application
application-set  Define an application set

+ apply-groups Groups from which to inherit configuration data
  |Pipe through a command
[edit]
l...@sizzle-re0# show groups junos-defaults applications

Thanks,
Nilesh


On 1/23/09 2:04 PM, "Matt Stevens"  wrote:


Does anyone know if there's a way to see the configuration for the
"default" applications that are defined in JunOS? Ie. all the junos-XXX
applications.

I can't seem to find a show command that enumerates what exactly they match.






[j-nsp] Application Definitions

2009-01-23 Thread Matt Stevens
Does anyone know if there's a way to see the configuration for the 
"default" applications that are defined in JunOS? Ie. all the junos-XXX 
applications.


I can't seem to find a show command that enumerates what exactly they match.
--
matt


[j-nsp] J-Series Compact Flash

2008-10-27 Thread Matt Stevens
Just wondering what everyone else is using for Compact Flash in the 
J-Series.


I've been using the SanDisk SDCFB-1024-A10 1GB cards that are on the 
Juniper compatibility list, but I've had at least two routers start 
complaining about corruption on the flash.


I have one that's currently inaccessible following a 'request system 
snapshot media usb as-primary partition' to an external reader. It's 
routing fine though - just no management. Waiting for a maintenance 
window to get rebooted...

--
matt


[j-nsp] Injecting a route into OSPF

2008-09-24 Thread Matt Stevens

Hi,

I have a /32 that I'd like to redistribute via OSPF, the /32 is part of 
a larger /24 that's directly connected to an interface of the router. I 
don't want to advertise the whole /24 for various reasons, just the 
route for the single host.


Right now I have a static route:

static {
route 1.2.3.4/32 {
next-hop 1.2.3.4;
no-install;
}
}

That's then matched in a policy-statement that I use for export in ospf:
term static {
from {
protocol static;
route-filter 1.2.3.4/32 exact;
}
then {
external {
type 1;
}
accept;
}
}

This seems a little awkward (/32 static with a next-hop of itself) - is 
there a cleaner way to do this?


Thanks for any tips!
--
matt


Re: [j-nsp] J-Series 1-port SFP ePIM

2008-03-21 Thread Matt Stevens
That's sort of my issue as well. We have a couple of these cards being 
used for telco connections in colos.

One seemed to work fine to a certain carrier, once we got them to enable 
autonegotiation on their end.

Now we're trying to bring up another link, with a different carrier, and 
running into all sorts of issues.

Having autonegotiation be my only option gives me very few tools to work 
with. I was hoping that if the 1-port SFP PIM allowed autonegotiation to 
be disabled I could at least use that for troubleshooting the issue.

The 6-port cards allow you to configure gigether-options 
no-auto-negotiation, they just log that they don't actually support it.
-- 
matt


Chris Adams wrote:
> Once upon a time, angel <[EMAIL PROTECTED]> said:
>> BTW - why you think it is an autonegotiation problem? What is the output 
>> of "show interfaces" command?
> 
> In my case, autonegotiation is a problem because I have to connect to
> telco-supplied metro-Ethernet boxes that the telco forces to a
> particular speed/duplex (and then disables autonegotiation on their
> end).  Yes, it sucks, but I can only connect to what they provide.


[j-nsp] J-Series 1-port SFP ePIM

2008-03-20 Thread Matt Stevens
Is there anyone out there that can verify whether or not the 1-port SFP 
ePIM for the J-Series supports manually configuring the speed/duplex 
(disabling autonegotiation)?

Apparently the 6-port uPIM does not support this, and we're running 
into issues getting an LX link up with a Cisco 6500. Possibly some 
autonegotiation problem?
-- 
matt


[j-nsp] Strange J-Series IPSec Issue

2008-01-29 Thread Matt Stevens
I'm trying to build a site-to-site IPSec tunnel with two J-4350's, but 
I'm running into a strange issue.

The tunnel appears to be up, the two routers see each other as neighbors 
in OSPF, I can even ping between the two routers.

In addition a host on one side can ping a host on the other side. The 
problem comes when I try to put "real" traffic over the link. Connecting 
to port 80 on a remote machine doesn't work. Packet captures show no 
traffic coming back from the remote side.

I'm sure I'm missing something simple - but I'm at a loss as to what it is.

If anyone has any suggestions, they'd be much appreciated.
-- 
matt


Here's my partial config:

root> show ospf neighbor
Address          Interface      State     ID               Pri  Dead
10.206.32.1      sp-0/0/0.11    Full      218.81.216.253   128    37

root> show route protocol ospf

inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.206.32.0/24 *[OSPF/10] 00:42:47, metric 2
 > via sp-0/0/0.11
10.206.32.1/32 *[OSPF/10] 04:24:03, metric 1
 > via sp-0/0/0.11
10.206.34.0/24 *[OSPF/10] 00:42:47, metric 2
 > via sp-0/0/0.11
10.206.35.0/24 *[OSPF/10] 00:42:47, metric 2
 > via sp-0/0/0.11
192.168.1.1/32  [OSPF/10] 05:05:46, metric 2
 > via sp-0/0/0.11
218.81.216.0/24*[OSPF/10] 00:42:47, metric 2
 > via sp-0/0/0.11
224.0.0.5/32   *[OSPF/10] 1w0d 01:42:30, metric 1
   MultiRecv

__juniper_private1__.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)

protocols {
 ospf {
 area 0.0.0.0 {
 interface sp-0/0/0.11;
 interface ge-0/0/0.0 {
 passive;
 }
 }
 }
}
services {
 service-set ipsec {
 next-hop-service {
 inside-service-interface sp-0/0/0.11;
 outside-service-interface sp-0/0/0.10;
 }
 ipsec-vpn-options {
 local-gateway 1.1.1.1;
 }
 ipsec-vpn-rules ipsec-out;
 }
 ipsec-vpn {
 rule ipsec-out {
 term 1 {
 then {
 remote-gateway 2.2.2.2;
 dynamic {
 ike-policy ike-policy-hq;
 ipsec-policy ipsec-policy-hq;
 }
 clear-dont-fragment-bit;
 tunnel-mtu 1440;
 }
 }
 match-direction input;
 }
 ipsec {
 proposal ipsec-proposal-hq {
 protocol esp;
 authentication-algorithm hmac-sha1-96;
 encryption-algorithm aes-192-cbc;
 lifetime-seconds 3600;
 }
 policy ipsec-policy-hq {
 proposals ipsec-proposal-hq;
 }
 }
 ike {
 proposal site-to-site {
 authentication-method pre-shared-keys;
 dh-group group2;
 authentication-algorithm sha1;
 encryption-algorithm aes-192-cbc;
 lifetime-seconds 86400;
 }
 policy ike-policy-hq {
 mode main;
 proposals site-to-site;
 pre-shared-key ascii-text "XXX"; ## SECRET-DATA
 }
 }
 establish-tunnels immediately;
 }
}
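The posted proposal is esp with aes-192-cbc and hmac-sha1-96, with tunnel-mtu 1440 and clear-dont-fragment-bit in the rule. As an added example that is not part of the post, the Python below computes the on-the-wire size of an inner packet after ESP tunnel-mode encapsulation under that proposal (overheads per RFC 4303 and RFC 3602), so a reader can check which inner sizes fit a 1500-byte outer path. It assumes a plain 20-byte outer IPv4 header and no NAT-T, neither of which the post states.

```python
# Added example (not from the mailing-list post): ESP tunnel-mode packet size
# for the posted proposal (esp, aes-192-cbc, hmac-sha1-96). Overheads follow
# RFC 4303 (ESP) and RFC 3602 (AES-CBC: 16-byte IV, 16-byte block).

IPV4_HEADER = 20       # outer IPv4 header added in tunnel mode (assumed: no options)
ESP_HEADER = 8         # SPI (4) + sequence number (4)
AES_CBC_IV = 16        # explicit IV for aes-*-cbc
AES_BLOCK = 16         # encrypted region is padded to a multiple of the block size
ESP_TRAILER = 2        # pad length (1) + next header (1), inside the padded region
HMAC_SHA1_96_ICV = 12  # truncated integrity check value
NAT_T_UDP = 8          # UDP header for NAT traversal (RFC 3948); not in the posted config


def esp_tunnel_size(inner_len: int, nat_t: bool = False) -> int:
    """Wire size of an inner IPv4 packet of inner_len bytes after ESP
    tunnel-mode encapsulation with aes-*-cbc + hmac-sha1-96."""
    if inner_len < 20:
        raise ValueError("inner packet shorter than an IPv4 header")
    # Padding brings (inner + trailer) up to the next multiple of the AES block.
    padded = -(-(inner_len + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK
    size = IPV4_HEADER + ESP_HEADER + AES_CBC_IV + padded + HMAC_SHA1_96_ICV
    if nat_t:
        size += NAT_T_UDP
    return size


def fits(tunnel_mtu: int, outer_mtu: int = 1500, nat_t: bool = False) -> bool:
    """True if a full-size inner packet at tunnel_mtu still fits outer_mtu once
    encapsulated. If it does not, the outer packet must be fragmented (with
    clear-dont-fragment-bit set, the inner DF bit no longer prevents that)."""
    return esp_tunnel_size(tunnel_mtu, nat_t) <= outer_mtu


def max_inner_for_mtu(outer_mtu: int = 1500, nat_t: bool = False) -> int:
    """Largest inner packet whose encapsulated form fits outer_mtu."""
    best = 0
    for n in range(20, outer_mtu + 1):
        if esp_tunnel_size(n, nat_t) <= outer_mtu:
            best = n
    return best


if __name__ == "__main__":
    for n in (1440, 1438, 1400):
        print(f"inner {n} -> outer {esp_tunnel_size(n)} fits 1500: {fits(n)}")
    print("largest inner packet for a 1500-byte outer path:", max_inner_for_mtu(1500))
```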


Re: [j-nsp] Static NAT

2007-11-02 Thread Matt Stevens
Thanks Jon!

I actually got it working another way. There's a new option in 8.4, 
nat-type. It's not documented anywhere that I can find, other than the 
release notes for 8.4. And it's only available for the J-Series

rule NAT {
 match-direction input;
 term static-matt {
 nat-type full-cone;

Now to figure out how I can map an external tcp port to a different 
internal tcp port so I can reuse an IP multiple times for different 
services.
-- 
matt


Jonathan Looney wrote:
> Matt,
> 
> Now that you've gotten this far, adding inbound static NAT is pretty simple. 
> :-)
> 
> Create a NAT pool with your internal address(es).
> 
> Add a new rule with a match-direction of "output".  In this rule, add
> a term with a "from" clause that matches packets with a destination
> address of your public address.  In the then clause, specify the NAT
> pool with your internal addresses (as a destination-pool) and a
> translation type of "destination static".
> 
> Here's an example which translates 172.17.39.18/32 (outside address)
> to 192.168.200.1/32 (inside address):
> services {
> nat {
> pool dest-pool {
> address 192.168.200.2/32;
> }
> rule dest-nat {
> match-direction output;
> term dest-nat {
> from {
> destination-address {
> 172.17.39.18/32;
> }
> }
> then {
> translated {
> destination-pool dest-pool;
> translation-type {
> destination static;
> }
> }
> }
> }
> }
> }
> }
> 
> Don't forget to match on applications in the rule, if necessary, to
> activate ALGs.
> 
> Now, you just add the new rule to the existing service-set and
> everything should work!
> 
> -Jon
> 
> 
> On 11/1/07, Matt Stevens <[EMAIL PROTECTED]> wrote:
>> I'm a recent Cisco convert - trying to wrap my head around the Juniper
>> way of dealing with NAT.
>>
>> I'm trying to get a setup working where I can allow inbound traffic
>> through the NAT to specific internal machines.
>>
>> Ideally I'd like to be able to map things at a port level - ie. port 80
>> on external address X goes to port Y on internal address Z.
>>
>> I have things working to the point where I can NAT a specific internal
>> address to a specific external address (see config at the end), with
>> everyone else using PAT on a different address. But I can't seem to
>> figure out how I allow inbound traffic through.
>>
>> This is on a J-4350, if that makes any difference...
>>
>> Any pointers in the right direction would be most appreciated!
>> --
>> matt
>>
>>
>> Here's my service nat config. I have the service-set for this applied on
>> the internal interface:
>>  rule NAT {
>>  match-direction input;
>>  term static-matt {
>>  from {
>>  source-address {
>>  192.168.1.238/32;
>>  }
>>  }
>>  then {
>>  translated {
>>  source-pool static-matt;
>>  translation-type {
>>  source static;
>>  }
>>  }
>>  }
>>  }
>>  term dynamic {
>>  then {
>>  translated {
>>  source-pool dynamic;
>>  translation-type {
>>  source dynamic;
>>  }
>>  }
>>  }
>>  }
>>  }
>> }


[j-nsp] Static NAT

2007-11-01 Thread Matt Stevens
I'm a recent Cisco convert - trying to wrap my head around the Juniper 
way of dealing with NAT.

I'm trying to get a setup working where I can allow inbound traffic 
through the NAT to specific internal machines.

Ideally I'd like to be able to map things at a port level - ie. port 80 
on external address X goes to port Y on internal address Z.

I have things working to the point where I can NAT a specific internal 
address to a specific external address (see config at the end), with 
everyone else using PAT on a different address. But I can't seem to 
figure out how I allow inbound traffic through.

This is on a J-4350, if that makes any difference...

Any pointers in the right direction would be most appreciated!
-- 
matt


Here's my service nat config. I have the service-set for this applied on 
the internal interface:
 rule NAT {
 match-direction input;
 term static-matt {
 from {
 source-address {
 192.168.1.238/32;
 }
 }
 then {
 translated {
 source-pool static-matt;
 translation-type {
 source static;
 }
 }
 }
 }
 term dynamic {
 then {
 translated {
 source-pool dynamic;
 translation-type {
 source dynamic;
 }
 }
 }
 }
 }
}


[j-nsp] J-Series RAM

2007-08-06 Thread Matt Stevens
I'm dipping my toes into the Juniper pond for the first time - after 
years of dealing with Cisco. I'm looking at using the J4350 as a border 
router for some machines we have colo'd.

From reading the archives it looks like the 4350's use pretty standard 
DRAM. But I can't find any mention of the exact type needed - either in 
the archives or on the wiki.

I'm imagining third-party RAM is much cheaper than Juniper's. Can anyone 
shed some light on the specifics? Also, how does third-party RAM affect 
service contracts - is there an "approved" third-party list?

Thanks.
-- 
matt