Re: [j-nsp] GRE packet fragmentation on j-series
Pls refer the below appnote http://www.juniper.net/us/en/local/pdf/app-notes/3500192-en.pdf see the section From: Ben Dale bd...@comlinx.com.au To: Lukasz Martyniak lmartyn...@man.szczecin.pl Cc: Juniper-Nsp (juniper-nsp@puck.nether.net) juniper-nsp@puck.nether.net Sent: Tuesday, January 31, 2012 5:28 AM Subject: Re: [j-nsp] GRE packet fragmentation on j-series Hi Lukasz, J-Series only needs a license to download signature updates for IDP - in order to stop fragmentation, all you need to do is create a security policy that matches on GRE traffic match application junos-gre and then references the idp engine in the action then permit application-services idp. This will force the IDP engine to re-assemble the GRE fragments for inspection (but not actually inspect them). Juniper had a really good document explaining this with examples for MPLSoGRE, but my google and KB-fu is failing. Cheers, Ben On 26/01/2012, at 7:17 PM, Lukasz Martyniak wrote: Thanks for quick response, i had a hoped that this could be done in other whey. I think jseries need extra license for IDP. On Jan 24, 2012, at 11:35 PM, Alex Arseniev wrote: My understanding is that GRE fragmentation should occur if egress interface MTU is GRE pkt size. For GRE reassembly, you need IDP policy, this means high memory SRX model. IDP license is not needed. Rgds Alex - Original Message - From: Lukasz Martyniak lmartyn...@man.szczecin.pl To: juniper-nsp@puck.nether.net Sent: Tuesday, January 24, 2012 2:04 PM Subject: [j-nsp] GRE packet fragmentation on j-series Hi all I have some problem with gre tunnels. I need to fragment packages in tunnel. I run gre between two jseries (junos 10.4R6) and lunch MPLS on it. The problem looks like that packages with MTU above 1476 are not fragmented/reassembled and are dropped. interfaces gr-0/0/0 unit 10 { clear-dont-fragment-bit; description Tulne to r1-lab; tunnel { source 10.200.0.1; destination 10.200.0.2; allow-fragmentation; path-mtu-discovery; } family inet { mtu 1500; address 100.100.100.1/30; } family mpls { } } Have someone have similar problem ? is there a simple way to fix this ? Best Lukasz ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp MPLSoGRE with GRE Fragmentation and Reassembly --Thanks ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] GRE packet fragmentation on j-series
Hi Lukasz, J-Series only needs a license to download signature updates for IDP - in order to stop fragmentation, all you need to do is create a security policy that matches on GRE traffic match application junos-gre and then references the idp engine in the action then permit application-services idp. This will force the IDP engine to re-assemble the GRE fragments for inspection (but not actually inspect them). Juniper had a really good document explaining this with examples for MPLSoGRE, but my google and KB-fu is failing. Cheers, Ben On 26/01/2012, at 7:17 PM, Lukasz Martyniak wrote: Thanks for quick response, i had a hoped that this could be done in other whey. I think jseries need extra license for IDP. On Jan 24, 2012, at 11:35 PM, Alex Arseniev wrote: My understanding is that GRE fragmentation should occur if egress interface MTU is GRE pkt size. For GRE reassembly, you need IDP policy, this means high memory SRX model. IDP license is not needed. Rgds Alex - Original Message - From: Lukasz Martyniak lmartyn...@man.szczecin.pl To: juniper-nsp@puck.nether.net Sent: Tuesday, January 24, 2012 2:04 PM Subject: [j-nsp] GRE packet fragmentation on j-series Hi all I have some problem with gre tunnels. I need to fragment packages in tunnel. I run gre between two jseries (junos 10.4R6) and lunch MPLS on it. The problem looks like that packages with MTU above 1476 are not fragmented/reassembled and are dropped. interfaces gr-0/0/0 unit 10 { clear-dont-fragment-bit; description Tulne to r1-lab; tunnel { source 10.200.0.1; destination 10.200.0.2; allow-fragmentation; path-mtu-discovery; } family inet { mtu 1500; address 100.100.100.1/30; } family mpls { } } Have someone have similar problem ? is there a simple way to fix this ? Best Lukasz ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] GRE packet fragmentation on j-series
Thanks for quick response, i had a hoped that this could be done in other whey. I think jseries need extra license for IDP. On Jan 24, 2012, at 11:35 PM, Alex Arseniev wrote: My understanding is that GRE fragmentation should occur if egress interface MTU is GRE pkt size. For GRE reassembly, you need IDP policy, this means high memory SRX model. IDP license is not needed. Rgds Alex - Original Message - From: Lukasz Martyniak lmartyn...@man.szczecin.pl To: juniper-nsp@puck.nether.net Sent: Tuesday, January 24, 2012 2:04 PM Subject: [j-nsp] GRE packet fragmentation on j-series Hi all I have some problem with gre tunnels. I need to fragment packages in tunnel. I run gre between two jseries (junos 10.4R6) and lunch MPLS on it. The problem looks like that packages with MTU above 1476 are not fragmented/reassembled and are dropped. interfaces gr-0/0/0 unit 10 { clear-dont-fragment-bit; description Tulne to r1-lab; tunnel { source 10.200.0.1; destination 10.200.0.2; allow-fragmentation; path-mtu-discovery; } family inet { mtu 1500; address 100.100.100.1/30; } family mpls { } } Have someone have similar problem ? is there a simple way to fix this ? Best Lukasz ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] GRE packet fragmentation on j-series
Hi all I have some problem with gre tunnels. I need to fragment packages in tunnel. I run gre between two jseries (junos 10.4R6) and lunch MPLS on it. The problem looks like that packages with MTU above 1476 are not fragmented/reassembled and are dropped. interfaces gr-0/0/0 unit 10 { clear-dont-fragment-bit; description Tulne to r1-lab; tunnel { source 10.200.0.1; destination 10.200.0.2; allow-fragmentation; path-mtu-discovery; } family inet { mtu 1500; address 100.100.100.1/30; } family mpls { } } Have someone have similar problem ? is there a simple way to fix this ? Best Lukasz ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] GRE packet fragmentation on j-series
My understanding is that GRE fragmentation should occur if egress interface MTU is GRE pkt size. For GRE reassembly, you need IDP policy, this means high memory SRX model. IDP license is not needed. Rgds Alex - Original Message - From: Lukasz Martyniak lmartyn...@man.szczecin.pl To: juniper-nsp@puck.nether.net Sent: Tuesday, January 24, 2012 2:04 PM Subject: [j-nsp] GRE packet fragmentation on j-series Hi all I have some problem with gre tunnels. I need to fragment packages in tunnel. I run gre between two jseries (junos 10.4R6) and lunch MPLS on it. The problem looks like that packages with MTU above 1476 are not fragmented/reassembled and are dropped. interfaces gr-0/0/0 unit 10 { clear-dont-fragment-bit; description Tulne to r1-lab; tunnel { source 10.200.0.1; destination 10.200.0.2; allow-fragmentation; path-mtu-discovery; } family inet { mtu 1500; address 100.100.100.1/30; } family mpls { } } Have someone have similar problem ? is there a simple way to fix this ? Best Lukasz ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp