Re: [j-nsp] GRE packet fragmentation on j-series

2012-01-31 Thread nebu thomas
Please refer to the app note below:

http://www.juniper.net/us/en/local/pdf/app-notes/3500192-en.pdf

See the section "MPLSoGRE with GRE Fragmentation and Reassembly".


From: Ben Dale 
To: Lukasz Martyniak  
Cc: "Juniper-Nsp (juniper-nsp@puck.nether.net)"  
Sent: Tuesday, January 31, 2012 5:28 AM
Subject: Re: [j-nsp] GRE packet fragmentation on j-series

Hi Lukasz,

J-Series only needs a license to download signature updates for IDP - in order 
to stop fragmentation, all you need to do is create a security policy that 
matches on GRE traffic "match application junos-gre" and then references the 
idp engine in the action "then permit application-services idp".  

This will force the IDP engine to re-assemble the GRE fragments for inspection 
(but not actually inspect them).  

Juniper had a really good document explaining this with examples for MPLSoGRE, 
but my google and KB-fu is failing.

Cheers,

Ben

On 26/01/2012, at 7:17 PM, Lukasz Martyniak wrote:

> Thanks for the quick response, I had hoped that this could be done in another 
> way. I think J-Series needs an extra license for IDP. 
> 
> On Jan 24, 2012, at 11:35 PM, Alex Arseniev wrote:
> 
>> My understanding is that GRE fragmentation should occur if egress interface 
>> MTU is < GRE pkt size.
>> For GRE reassembly, you need IDP policy, this means high memory SRX model. 
>> IDP license is not needed.
>> Rgds
>> Alex
>> 
>> - Original Message - From: "Lukasz Martyniak" 
>> 
>> To: 
>> Sent: Tuesday, January 24, 2012 2:04 PM
>> Subject: [j-nsp] GRE packet fragmentation on j-series
>> 
>> 
>>> Hi all
>>> 
>>> I have a problem with GRE tunnels. I need to fragment packets in the 
>>> tunnel. I run GRE between two J-Series (Junos 10.4R6) and launch MPLS on it. 
>>> The problem looks like this: packets with an MTU above 1476 are not 
>>> fragmented/reassembled and are dropped.
>>> 
>>> 
>>> interfaces gr-0/0/0
>>> unit 10 {
>>>     clear-dont-fragment-bit;
>>>     description "Tulne to r1-lab";
>>>     tunnel {
>>>         source 10.200.0.1;
>>>         destination 10.200.0.2;
>>>         allow-fragmentation;
>>>         path-mtu-discovery;
>>>     }
>>>     family inet {
>>>         mtu 1500;
>>>         address 100.100.100.1/30;
>>>     }
>>>     family mpls {
>>>     }
>>> }
>>> 
>>> Has anyone had a similar problem? Is there a simple way to fix this?
>>> 
>>> Best Lukasz
>>> ___
>>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>> 
> 
> 
> 





--Thanks


Re: [j-nsp] GRE packet fragmentation on j-series

2012-01-30 Thread Ben Dale
Hi Lukasz,

J-Series only needs a license to download signature updates for IDP - in order 
to stop fragmentation, all you need to do is create a security policy that 
matches on GRE traffic "match application junos-gre" and then references the 
idp engine in the action "then permit application-services idp".  

This will force the IDP engine to re-assemble the GRE fragments for inspection 
(but not actually inspect them).  

Juniper had a really good document explaining this with examples for MPLSoGRE, 
but my google and KB-fu is failing.

Cheers,

Ben

On 26/01/2012, at 7:17 PM, Lukasz Martyniak wrote:

> Thanks for the quick response, I had hoped that this could be done in another 
> way. I think J-Series needs an extra license for IDP. 
> 
> On Jan 24, 2012, at 11:35 PM, Alex Arseniev wrote:
> 
>> My understanding is that GRE fragmentation should occur if egress interface 
>> MTU is < GRE pkt size.
>> For GRE reassembly, you need IDP policy, this means high memory SRX model. 
>> IDP license is not needed.
>> Rgds
>> Alex
>> 
>> - Original Message - From: "Lukasz Martyniak" 
>> 
>> To: 
>> Sent: Tuesday, January 24, 2012 2:04 PM
>> Subject: [j-nsp] GRE packet fragmentation on j-series
>> 
>> 
>>> Hi all
>>> 
>>> I have a problem with GRE tunnels. I need to fragment packets in the 
>>> tunnel. I run GRE between two J-Series (Junos 10.4R6) and launch MPLS on it. 
>>> The problem looks like this: packets with an MTU above 1476 are not 
>>> fragmented/reassembled and are dropped.
>>> 
>>> 
>>> interfaces gr-0/0/0
>>> unit 10 {
>>>     clear-dont-fragment-bit;
>>>     description "Tulne to r1-lab";
>>>     tunnel {
>>>         source 10.200.0.1;
>>>         destination 10.200.0.2;
>>>         allow-fragmentation;
>>>         path-mtu-discovery;
>>>     }
>>>     family inet {
>>>         mtu 1500;
>>>         address 100.100.100.1/30;
>>>     }
>>>     family mpls {
>>>     }
>>> }
>>> 
>>> Has anyone had a similar problem? Is there a simple way to fix this?
>>> 
>>> Best Lukasz
>> 
> 
> 
> 


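The policy Ben describes, written out as set-style configuration. This is an added example for illustration, not configuration from the thread, from Juniper's app note, or from either poster's box. The zone names trust and untrust, the policy names gre-out and gre-in, the IDP policy name gre-reassembly-only, and the assumption that an IDP policy with no rules is enough to activate the engine are all mine; the zone pair has to be whichever one the GRE flow actually traverses on the device, which the thread does not give. The lines beginning with ## are explanatory comments, not part of the configuration.

```junos
## Added example (not from the thread): hand GRE to the IDP engine so the
## flow module reassembles GRE fragments, as Ben's reply describes.
##
## Assumptions (mine, not stated in the thread):
##   - zones "trust" and "untrust" exist and the GRE flow crosses that zone
##     pair on this box; substitute the pair your topology actually uses
##   - an IDP policy with no rules is enough to activate the engine; the
##     names gre-reassembly-only, gre-out and gre-in are placeholders

## IDP policy with no rulebase entries, made the active policy
set security idp idp-policy gre-reassembly-only
set security idp active-policy gre-reassembly-only

## Outbound direction: match GRE ("match application junos-gre") and permit
## through the IDP engine ("then permit application-services idp")
set security policies from-zone trust to-zone untrust policy gre-out match source-address any
set security policies from-zone trust to-zone untrust policy gre-out match destination-address any
set security policies from-zone trust to-zone untrust policy gre-out match application junos-gre
set security policies from-zone trust to-zone untrust policy gre-out then permit application-services idp

## Return direction, for sessions the GRE peer sets up first (a session
## created by gre-out already covers its own return traffic)
set security policies from-zone untrust to-zone trust policy gre-in match source-address any
set security policies from-zone untrust to-zone trust policy gre-in match destination-address any
set security policies from-zone untrust to-zone trust policy gre-in match application junos-gre
set security policies from-zone untrust to-zone trust policy gre-in then permit application-services idp
```

Security policies are evaluated in order and the first match wins, so `show security policies` should confirm that gre-out and gre-in sit above any broader permit that lacks `application-services idp`, otherwise GRE will match the broader policy and bypass reassembly. `show security idp status` shows whether the IDP engine is actually running with the active policy loaded.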


Re: [j-nsp] GRE packet fragmentation on j-series

2012-01-26 Thread Lukasz Martyniak
Thanks for the quick response, I had hoped that this could be done in another way. 
I think J-Series needs an extra license for IDP. 

On Jan 24, 2012, at 11:35 PM, Alex Arseniev wrote:

> My understanding is that GRE fragmentation should occur if egress interface 
> MTU is < GRE pkt size.
> For GRE reassembly, you need IDP policy, this means high memory SRX model. 
> IDP license is not needed.
> Rgds
> Alex
> 
> - Original Message - From: "Lukasz Martyniak" 
> 
> To: 
> Sent: Tuesday, January 24, 2012 2:04 PM
> Subject: [j-nsp] GRE packet fragmentation on j-series
> 
> 
>> Hi all
>> 
>> I have a problem with GRE tunnels. I need to fragment packets in the tunnel. 
>> I run GRE between two J-Series (Junos 10.4R6) and launch MPLS on it. The 
>> problem looks like this: packets with an MTU above 1476 are not 
>> fragmented/reassembled and are dropped.
>> 
>> 
>> interfaces gr-0/0/0
>> unit 10 {
>>     clear-dont-fragment-bit;
>>     description "Tulne to r1-lab";
>>     tunnel {
>>         source 10.200.0.1;
>>         destination 10.200.0.2;
>>         allow-fragmentation;
>>         path-mtu-discovery;
>>     }
>>     family inet {
>>         mtu 1500;
>>         address 100.100.100.1/30;
>>     }
>>     family mpls {
>>     }
>> }
>> 
>> Has anyone had a similar problem? Is there a simple way to fix this?
>> 
>> Best Lukasz
> 




Re: [j-nsp] GRE packet fragmentation on j-series

2012-01-24 Thread Alex Arseniev
My understanding is that GRE fragmentation should occur if egress interface 
MTU is < GRE pkt size.
For GRE reassembly, you need IDP policy, this means high memory SRX model. 
IDP license is not needed.

Rgds
Alex

- Original Message - 
From: "Lukasz Martyniak" 

To: 
Sent: Tuesday, January 24, 2012 2:04 PM
Subject: [j-nsp] GRE packet fragmentation on j-series



Hi all

I have a problem with GRE tunnels. I need to fragment packets in the 
tunnel. I run GRE between two J-Series (Junos 10.4R6) and launch MPLS on it. 
The problem looks like this: packets with an MTU above 1476 are not 
fragmented/reassembled and are dropped.


interfaces gr-0/0/0
unit 10 {
    clear-dont-fragment-bit;
    description "Tulne to r1-lab";
    tunnel {
        source 10.200.0.1;
        destination 10.200.0.2;
        allow-fragmentation;
        path-mtu-discovery;
    }
    family inet {
        mtu 1500;
        address 100.100.100.1/30;
    }
    family mpls {
    }
}

Has anyone had a similar problem? Is there a simple way to fix this?

Best Lukasz


