Re: [j-nsp] GRE packet fragmentation on j-series
Please refer to the app note below, http://www.juniper.net/us/en/local/pdf/app-notes/3500192-en.pdf, see the section "MPLSoGRE with GRE Fragmentation and Reassembly".

--Thanks

From: Ben Dale
To: Lukasz Martyniak
Cc: "Juniper-Nsp (juniper-nsp@puck.nether.net)"
Sent: Tuesday, January 31, 2012 5:28 AM
Subject: Re: [j-nsp] GRE packet fragmentation on j-series

Hi Lukasz,

J-Series only needs a license to download signature updates for IDP - in order to stop fragmentation, all you need to do is create a security policy that matches on GRE traffic "match application junos-gre" and then references the IDP engine in the action "then permit application-services idp". This will force the IDP engine to re-assemble the GRE fragments for inspection (but not actually inspect them).

Juniper had a really good document explaining this with examples for MPLSoGRE, but my Google and KB-fu are failing.

Cheers,

Ben

On 26/01/2012, at 7:17 PM, Lukasz Martyniak wrote:

> Thanks for the quick response, I had hoped that this could be done in another
> way. I think J-Series needs an extra license for IDP.
>
> On Jan 24, 2012, at 11:35 PM, Alex Arseniev wrote:
>
>> My understanding is that GRE fragmentation should occur if egress interface
>> MTU is < GRE pkt size.
>> For GRE reassembly, you need IDP policy, this means high memory SRX model.
>> IDP license is not needed.
>> Rgds
>> Alex
>>
>> ----- Original Message ----- From: "Lukasz Martyniak"
>> To:
>> Sent: Tuesday, January 24, 2012 2:04 PM
>> Subject: [j-nsp] GRE packet fragmentation on j-series
>>
>>> Hi all
>>>
>>> I have some problem with GRE tunnels. I need to fragment packets in the
>>> tunnel. I run GRE between two J-Series (Junos 10.4R6) and launch MPLS on it.
>>> The problem looks like that: packets with MTU above 1476 are not
>>> fragmented/reassembled and are dropped.
>>>
>>> interfaces gr-0/0/0
>>> unit 10 {
>>>     clear-dont-fragment-bit;
>>>     description "Tulne to r1-lab";
>>>     tunnel {
>>>         source 10.200.0.1;
>>>         destination 10.200.0.2;
>>>         allow-fragmentation;
>>>         path-mtu-discovery;
>>>     }
>>>     family inet {
>>>         mtu 1500;
>>>         address 100.100.100.1/30;
>>>     }
>>>     family mpls {
>>>     }
>>> }
>>>
>>> Has anyone had a similar problem? Is there a simple way to fix this?
>>>
>>> Best
>>> Lukasz
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
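As an added illustration of the policy Ben describes (this is not configuration from the thread or from Juniper's app note), here is a Junos security policy that matches GRE with the predefined junos-gre application and hands the permitted flow to the IDP engine, which is what makes the flow module reassemble the tunnel fragments. The zone names "trust" and "untrust", the policy name "gre-reassemble" and the any/any addressing are assumptions for the example; as Alex points out, an IDP policy must also exist and be active on the box (set with "security idp active-policy <policy-name>", where the policy name is yours), and the memory requirement he mentions still applies.

```junos
security {
    policies {
        /* zone names are assumptions for this example */
        from-zone trust to-zone untrust {
            /* policy name is an assumption for this example */
            policy gre-reassemble {
                match {
                    source-address any;
                    destination-address any;
                    /* predefined application: IP protocol 47 (GRE) */
                    application junos-gre;
                }
                then {
                    permit {
                        /* send the session through the IDP engine;
                           this is what triggers fragment reassembly */
                        application-services {
                            idp;
                        }
                    }
                }
            }
        }
    }
}
```

After commit, "show security policies detail" should list the IDP application service on the policy, and "show security idp status" confirms the engine is running with an active policy. Tighten the any/any match to the tunnel endpoints in production so only the GRE sessions you intend are steered through IDP.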
Re: [j-nsp] GRE packet fragmentation on j-series
Hi Lukasz,

J-Series only needs a license to download signature updates for IDP - in order to stop fragmentation, all you need to do is create a security policy that matches on GRE traffic "match application junos-gre" and then references the IDP engine in the action "then permit application-services idp". This will force the IDP engine to re-assemble the GRE fragments for inspection (but not actually inspect them).

Juniper had a really good document explaining this with examples for MPLSoGRE, but my Google and KB-fu are failing.

Cheers,

Ben
Re: [j-nsp] GRE packet fragmentation on j-series
Thanks for the quick response, I had hoped that this could be done in another way. I think J-Series needs an extra license for IDP.
Re: [j-nsp] GRE packet fragmentation on j-series
My understanding is that GRE fragmentation should occur if egress interface MTU is < GRE pkt size.
For GRE reassembly, you need IDP policy, this means high memory SRX model.
IDP license is not needed.
Rgds
Alex