Channel: Routing topics

How to filter ssh access if device is default gateway in a routing instance


Hello all,

 

I need to filter SSH access from servers that I have in different routing instances (VRFs) when the device is the default gateway for them.

 

Is there any option to set the filter in the global configuration and apply it to all VRFs, or do I need to apply it in each VRF?

 

Thanks a lot

Fran
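One way to express this on an MX/EX-style Junos device, as an added example that is not part of the post (on an SRX the equivalent control is zone host-inbound-traffic plus a lo0 filter): a single loopback filter restricts SSH to a management prefix, is attached to lo0.0 for the global instance, and is attached to a dedicated lo0 unit for each VRF that owns one. The management prefix 192.0.2.0/24, the VRF name VRF-A and the lo0.1 unit are placeholders; the statement that the lo0.0 filter also covers instances without their own loopback unit is the documented Junos behaviour and should be verified on your release.

```junos
## Added example, not from the post. Placeholders: 192.0.2.0/24 (management hosts),
## VRF-A (a routing instance), lo0.1 (its loopback unit).
set policy-options prefix-list mgmt-hosts 192.0.2.0/24

## One filter that decides who may open SSH to the Routing Engine.
set firewall family inet filter protect-re term allow-ssh-mgmt from source-prefix-list mgmt-hosts
set firewall family inet filter protect-re term allow-ssh-mgmt from protocol tcp
set firewall family inet filter protect-re term allow-ssh-mgmt from destination-port ssh
set firewall family inet filter protect-re term allow-ssh-mgmt then accept

## Any other SSH attempt is dropped and logged so that probing is visible in syslog.
set firewall family inet filter protect-re term drop-other-ssh from protocol tcp
set firewall family inet filter protect-re term drop-other-ssh from destination-port ssh
set firewall family inet filter protect-re term drop-other-ssh then syslog
set firewall family inet filter protect-re term drop-other-ssh then discard

## Leave routing protocols and other host traffic as they were (tighten this in production).
set firewall family inet filter protect-re term allow-rest then accept

## Global instance: the lo0.0 filter also governs RE-bound traffic arriving from routing
## instances that have no loopback unit of their own.
set interfaces lo0 unit 0 family inet filter input protect-re

## Per VRF: once an instance owns a loopback unit, that unit's filter applies to traffic
## from that instance instead, so the same filter must be attached there as well.
set interfaces lo0 unit 1 family inet filter input protect-re
set routing-instances VRF-A interface lo0.1
```

After committing, check with "show firewall filter protect-re" that the drop-other-ssh counters move only for unexpected sources.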


Migrate vpn from Cisco ASA to SRX 100 Multiple VPN Tunnels 1 Static IP


I am brand new to Juniper (I’m trained in Cisco) and need some help with a scenario. I have an office that currently has a site-to-site vpn tunnel to Vendor 1 up on a Cisco ASA 5505.  Everything is working fine.  The office has since signed a contract with Vendor 2 which requires another site-to-site vpn tunnel to them.  Vendor 2 will only support Juniper and the office only has 1 static IP address available.  My goal is to use the SRX100 to establish both VPN tunnels to both Vendor 1 and Vendor 2. 

 

The topology would be as described in the picture.

 

[Image: TopForMsgBrd.JPG (topology diagram)]

Vendor 2 has sent the following configuration file to load on the srx100. I loaded it and it brings the vpn tunnel up fine and I can access all of the resources on Vendor 2’s network. 

 

set system services ftp

set system services ssh root-login deny

set system services ssh protocol-version v2

set system services dhcp router 192.168.10.1

set system services dhcp pool 192.168.10.0/24 address-range low 192.168.10.5

set system services dhcp pool 192.168.10.0/24 address-range high 192.168.10.100

set system services dhcp pool 192.168.10.0/24 propagate-settings vlan.192

set system services dhcp pool 192.168.10.0/24 default-lease-time 3600

set system services dhcp pool 192.168.10.0/24 name-server 65.232.95.14

set system services dhcp pool 192.168.10.0/24 name-server 210.62.219.218

set system syslog file traffic-log any any

set system syslog file traffic-log match RT_FLOW

set system ntp server 52.211.31.251

set interfaces fe-0/0/0 unit 0 family inet address 50.77.191.98/30

set interfaces fe-0/0/1 unit 0 family ethernet-switching

set interfaces fe-0/0/2 unit 0 family ethernet-switching

set interfaces fe-0/0/3 unit 0 family ethernet-switching

set interfaces fe-0/0/4 unit 0 family ethernet-switching

set interfaces fe-0/0/5 unit 0 family ethernet-switching

set interfaces fe-0/0/6 unit 0 family ethernet-switching

set interfaces fe-0/0/7 unit 0 family ethernet-switching

set interfaces st0 unit 0 family inet address 49.199.235.220/29

set interfaces vlan unit 192 family inet address 192.168.10.1/24

set routing-options static route 0.0.0.0/0 next-hop 50.77.191.97

set protocols ospf area 101.212.1.20 nssa

set protocols ospf area 101.212.1.20 interface st0.0

set security ike traceoptions file ikedebug.log

set security ike traceoptions flag all

set security ike policy ike-policy mode main

set security ike policy ike-policy proposal-set standard

set security ike policy ike-policy pre-shared-key ascii-text ############

set security ike gateway prgmy-gateway ike-policy ike-policy

set security ike gateway prgmy-gateway address 101.212.235.218

set security ike gateway prgmy-gateway external-interface fe-0/0/0.0

set security ipsec policy ipsec-policy proposal-set standard

set security ipsec vpn prgmy-vpn bind-interface st0.0

set security ipsec vpn prgmy-vpn ike gateway prgmy-gateway

set security ipsec vpn prgmy-vpn ike ipsec-policy ipsec-policy

set security ipsec vpn prgmy-vpn establish-tunnels immediately

set security nat source pool src-pool address 101.212.235.221/32

set security nat source rule-set outbound-internet from zone trust

set security nat source rule-set outbound-internet to zone untrust

set security nat source rule-set outbound-internet rule interface-nat match source-address 192.168.10.0/24

set security nat source rule-set outbound-internet rule interface-nat match destination-address 0.0.0.0/0

set security nat source rule-set outbound-internet rule interface-nat then source-nat interface

set security nat source rule-set outbound-prgmy from zone trust

set security nat source rule-set outbound-prgmy to zone vpn

set security nat source rule-set outbound-prgmy rule src-nat match source-address 192.168.10.0/24

set security nat source rule-set outbound-prgmy rule src-nat match destination-address 10.20.198.0/24

set security nat source rule-set outbound-prgmy rule src-nat match destination-address 10.221.140.0/24

set security nat source rule-set outbound-prgmy rule src-nat match destination-address 101.212.238.3/32

set security nat source rule-set outbound-prgmy rule src-nat then source-nat pool src-pool

set security nat destination pool printer1-nat address 192.168.10.233/32

set security nat destination pool printer2-nat address 192.168.10.234/32

set security nat destination pool printer3-nat address 192.168.10.235/32

set security nat destination rule-set corp-printing from zone vpn

set security nat destination rule-set corp-printing rule corp-printing-1 match source-address 10.20.192.0/24

set security nat destination rule-set corp-printing rule corp-printing-1 match destination-address 101.212.235.222/32

set security nat destination rule-set corp-printing rule corp-printing-1 then destination-nat pool printer1-nat

set security nat proxy-arp interface st0.0 address 101.212.235.221/32

set security nat proxy-arp interface st0.0 address 101.212.235.222/32

set security nat destination rule-set corp-printing from zone vpn

set security nat destination rule-set corp-printing rule corp-printing-2 match source-address 10.20.192.0/24

set security nat destination rule-set corp-printing rule corp-printing-2 match destination-address 101.212.235.223/32

set security nat destination rule-set corp-printing rule corp-printing-2 then destination-nat pool printer2-nat

set security nat proxy-arp interface st0.0 address 101.212.235.221/32

set security nat proxy-arp interface st0.0 address 101.212.235.223/32

set security nat destination rule-set corp-printing from zone vpn

set security nat destination rule-set corp-printing rule corp-printing-3 match source-address 10.20.192.0/24

set security nat destination rule-set corp-printing rule corp-printing-3 match destination-address 101.212.235.224/32

set security nat destination rule-set corp-printing rule corp-printing-3 then destination-nat pool printer3-nat

set security nat proxy-arp interface st0.0 address 101.212.235.221/32

set security nat proxy-arp interface st0.0 address 101.212.235.224/32

set security policies from-zone trust to-zone untrust policy allow-outbound match source-address lclBranch-subnet

set security policies from-zone trust to-zone untrust policy allow-outbound match destination-address any

set security policies from-zone trust to-zone untrust policy allow-outbound match application any

set security policies from-zone trust to-zone untrust policy allow-outbound then permit

set security policies from-zone trust to-zone untrust policy allow-outbound then log session-init

set security policies from-zone trust to-zone untrust policy allow-outbound then log session-close

set security policies from-zone trust to-zone vpn policy allow-prgmy-access match source-address lclBranch-subnet

set security policies from-zone trust to-zone vpn policy allow-prgmy-access match destination-address prgmy-grp

set security policies from-zone trust to-zone vpn policy allow-prgmy-access match application any

set security policies from-zone trust to-zone vpn policy allow-prgmy-access then permit

set security policies from-zone trust to-zone vpn policy allow-prgmy-access then log session-init

set security policies from-zone trust to-zone vpn policy allow-prgmy-access then log session-close

set security policies from-zone vpn to-zone trust policy allow-corp-lrs-inbound match source-address corp-lrs

set security policies from-zone vpn to-zone trust policy allow-corp-lrs-inbound match destination-address lclBranch-printers-grp

set security policies from-zone vpn to-zone trust policy allow-corp-lrs-inbound match application any

set security policies from-zone vpn to-zone trust policy allow-corp-lrs-inbound then permit

set security policies from-zone vpn to-zone trust policy allow-corp-lrs-inbound then log session-init

set security policies from-zone vpn to-zone trust policy allow-corp-lrs-inbound then log session-close

set security zones security-zone trust address-book address lclBranch-subnet 192.168.10.0/24

set security zones security-zone trust address-book address lclBranch-printer1 192.168.10.233/32

set security zones security-zone trust address-book address lclBranch-printer2 192.168.10.234/32

set security zones security-zone trust address-book address lclBranch-printer3 192.168.10.235/32

set security zones security-zone trust address-book address-set lclBranch-printers-grp address lclBranch-printer1

set security zones security-zone trust address-book address-set lclBranch-printers-grp address lclBranch-printer2

set security zones security-zone trust address-book address-set lclBranch-printers-grp address lclBranch-printer3

set security zones security-zone trust interfaces vlan.192 host-inbound-traffic system-services ping

set security zones security-zone trust interfaces vlan.192 host-inbound-traffic system-services traceroute

set security zones security-zone trust interfaces vlan.192 host-inbound-traffic system-services dhcp

set security zones security-zone trust interfaces vlan.192 host-inbound-traffic system-services ssh

set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp

set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike

set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ftp

set security zones security-zone vpn address-book address prgmy-corp 10.20.198.0/24

set security zones security-zone vpn address-book address prgmy-corp-dr 10.199.144.0/24

set security zones security-zone vpn address-book address prgmy-vApplications 101.212.238.3/32

set security zones security-zone vpn address-book address corp-lrs 10.20.192.0/24

set security zones security-zone vpn address-book address-set prgmy-grp address prgmy-corp

set security zones security-zone vpn address-book address-set prgmy-grp address prgmy-corp-dr

set security zones security-zone vpn address-book address-set prgmy-grp address prgmy-vApplications

set security zones security-zone vpn host-inbound-traffic system-services ping

set security zones security-zone vpn host-inbound-traffic system-services traceroute

set security zones security-zone vpn host-inbound-traffic protocols ospf

set security zones security-zone vpn interfaces st0.0

set vlans lclBranch-vlan vlan-id 192

set vlans lclBranch-vlan interface fe-0/0/1.0

set vlans lclBranch-vlan interface fe-0/0/2.0

set vlans lclBranch-vlan interface fe-0/0/3.0

set vlans lclBranch-vlan interface fe-0/0/4.0

set vlans lclBranch-vlan interface fe-0/0/5.0

set vlans lclBranch-vlan interface fe-0/0/6.0

set vlans lclBranch-vlan interface fe-0/0/7.0

set vlans lclBranch-vlan l3-interface vlan.192

 

 

The following is the current configuration on the ASA that worked fine.

 

interface vlan2

ip address 50.77.191.98 255.255.255.252

route outside 0.0.0.0 0.0.0.0 50.77.191.97

 

dhcpd dns 50.232.95.14

 

crypto ikev1 enable outside

 

object network Site-A-SN

subnet 192.168.10.0 255.255.255.0

exit

 

object network Site-B-SN

subnet 172.16.85.215 255.255.255.0

exit

 

access-list VPN-INTERESTING-TRAFFIC line 1 extended permit ip object Site-A-SN object Site-B-SN

 

nat (inside,outside) source static Site-A-SN Site-A-SN destination static Site-B-SN Site-B-SN no-proxy-arp route-lookup

 

tunnel-group 165.86.21.159 type ipsec-l2l

tunnel-group 165.86.21.159 ipsec-attributes

pre-shared-key ###############

isakmp keepalive threshold 10 retry 2

exit

 

crypto ikev1 policy 10

authentication pre-share

hash sha

group 2

lifetime 28800

exit

 

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

 

crypto map outside_map 1 match address VPN-INTERESTING-TRAFFIC

Crypto map outside_map 1 set security-association lifetime seconds 28800

crypto map outside_map 1 set peer 165.86.21.159

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

 

 

Using these parameters (from the ASA) I used the online Juniper SRX & J Series Site-to-Site VPN Configuration Generator tool to generate the following configs to set up the Vendor 1 VPN tunnel on the SRX. I chose policy-based VPN in the configuration tool because I only need to access 1 host on Vendor 1’s network. Before I load them I would like to ask you guys, the experts, if these configs should work and if I’m going down the right path. 

 

## Host-inbound services for each zone

set security zones security-zone untrust host-inbound-traffic system-services ike

 

## Address book entries for each zone

set security zones security-zone trust address-book address net-cfgr_192-168-10-0--24 192.168.10.0/24

set security zones security-zone untrust address-book address net-cfgr_172-16-75-215--24 172.16.75.215/24

 

## IKE policy

set security ike policy ike-policy-cfgr mode main

set security ike policy ike-policy-cfgr proposal-set standard

set security ike policy ike-policy-cfgr pre-shared-key ascii-text "ThisWouldBeTheKey"

 

## IKE gateway with peer IP address, IKE policy and outgoing interface

set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr

set security ike gateway ike-gate-cfgr address 165.86.21.159

set security ike gateway ike-gate-cfgr external-interface fe-0/0/0.0

 

## IPsec policy

set security ipsec policy ipsec-policy-cfgr proposal-set standard

 

## IPsec vpn

set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr

set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr

set security ipsec vpn ipsec-vpn-cfgr establish-tunnels immediately

 

## Security policies for tunnel traffic in outbound direction

set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr match source-address net-cfgr_192-168-10-0--24

set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr match destination-address net-cfgr_172-16-75-215--24

set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr match application any

set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr then permit tunnel ipsec-vpn ipsec-vpn-cfgr

set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr then permit tunnel pair-policy vpnpolicy-untrust-trust-cfgr

 

## Security policies for tunnel traffic in inbound direction

set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr match source-address net-cfgr_172-16-75-215--24

set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr match destination-address net-cfgr_192-168-10-0--24

set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr match application any

set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr then permit tunnel ipsec-vpn ipsec-vpn-cfgr

set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr then permit tunnel pair-policy vpnpolicy-trust-untrust-cfgr

## End - VPN Configuration Generator Output

 

 

Thanks in advance for any help with this issue.  Looking forward to learning and growing with Juniper!!
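As an added example (not the generator's output and not from the post), the ASA's phase 1 and phase 2 parameters written as explicit SRX proposals in place of the two "proposal-set standard" lines above, so that the SRX offers only what the ASA side is known to accept; the generator's policy, gateway and VPN names are kept so the security policies above still line up, and the pre-shared key is a placeholder. Two caveats a reviewer would raise: the ASA object Site-B-SN is 172.16.85.x while the generator output uses 172.16.75.215/24, which must agree before the proxy IDs will match; and 3DES/SHA-1/group 2 are kept only for parity with the existing ASA tunnel, since they are legacy algorithms that should be upgraded with Vendor 1 once the migration works.

```junos
## Added example, not the generator's output. Replaces the two "proposal-set standard"
## lines with proposals mirroring the ASA's "crypto ikev1 policy 10" and
## "transform-set ESP-3DES-SHA". The pre-shared key is a placeholder.

## Phase 1: pre-share / sha / group 2 / lifetime 28800, as configured on the ASA.
set security ike proposal ike-prop-vendor1 authentication-method pre-shared-keys
set security ike proposal ike-prop-vendor1 dh-group group2
set security ike proposal ike-prop-vendor1 authentication-algorithm sha1
set security ike proposal ike-prop-vendor1 encryption-algorithm 3des-cbc
set security ike proposal ike-prop-vendor1 lifetime-seconds 28800
set security ike policy ike-policy-cfgr mode main
set security ike policy ike-policy-cfgr proposals ike-prop-vendor1
set security ike policy ike-policy-cfgr pre-shared-key ascii-text "REPLACE-WITH-REAL-KEY"

## Gateway as in the generator output, plus dead-peer detection as the approximate
## counterpart of the ASA's "isakmp keepalive threshold 10 retry 2".
set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
set security ike gateway ike-gate-cfgr address 165.86.21.159
set security ike gateway ike-gate-cfgr external-interface fe-0/0/0.0
set security ike gateway ike-gate-cfgr dead-peer-detection interval 10 threshold 2

## Phase 2: esp-3des / esp-sha-hmac with SA lifetime 28800. No perfect-forward-secrecy
## statement, because the ASA crypto map sets no pfs; the standard proposal set would
## have proposed PFS group 2, which the ASA side is not configured for.
set security ipsec proposal ipsec-prop-vendor1 protocol esp
set security ipsec proposal ipsec-prop-vendor1 encryption-algorithm 3des-cbc
set security ipsec proposal ipsec-prop-vendor1 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop-vendor1 lifetime-seconds 28800
set security ipsec policy ipsec-policy-cfgr proposals ipsec-prop-vendor1
```

The IPsec VPN and policy statements from the generator output remain unchanged; "show security ike security-associations" and "show security ipsec security-associations" confirm that phase 1 and phase 2 came up with these proposals.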

 

 

L2circuit: Can ping PE2 from PE1, but not vice versa. Help please


Hi,

I am trying to configure an L2circuit between a QFX5100 and an MX480. I have done all the relevant config. But I can only ping PE2 from PE1, not vice versa. I am pasting my configs.

BGP VPN works between PE1 and PE2. But the L2circuit doesn't.

 

PE1(QFX):

{master:0}[edit interfaces xe-0/0/0]     ----CE access interface
root# show
encapsulation ethernet-ccc;
unit 0

 

mpls {
statistics {
interval 30;
}
no-cspf;
path loose;
interface lo0.0;
interface xe-0/0/2.0;
}

 

bgp {
t
family inet {
any;
}
family inet-vpn {
any;
}
local-as 100;

group QFX_MX480 {
type internal;
local-address 92.168.100.173;
family inet {
unicast;
}
family inet-vpn {
unicast;
}
neighbor 92.168.100.210;
}
}
ospf {
traffic-engineering;
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface xe-0/0/2.0 {
interface-type p2p;
}


}
ldp {
interface xe-0/0/2.0;
interface lo0.0;
}

 

l2circuit {
neighbor 92.168.100.210 {
interface xe-0/0/0.0 {
virtual-circuit-id 998;
}
}
}

 

I have the same mirror config on PE2

PE1 to PE2 ping

{master:0}
root> ping mpls l2circuit virtual-circuit 998 neighbor 92.168.100.210
!!!!!
--- lsping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss

 

But from PE2 to PE1

root@mx480-01-RE0> ... 998 neighbor 92.168.100.173
.....
--- lsping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

Please help me debug this.
Possible fabric hw fault detected


Hi!

 

I have MX240 with 2 RE-S-1800x4 running on 15.1R2.9 (because i want to use vxlan).

Also installed 2 MPC 3D 16x 10GE linecards.

1 full-view BGP session and 1GB transit traffic load.

 

In the messages log I see strange records:

Mar 11 11:16:41 cr3 fpc2 PFE 0: Possible fabric hw fault detected, total 88 times since up.
Mar 11 11:16:41 cr3 fpc2 PFE 0: exceeding aggr threshold 100, curr/last stats: pkt_crc 0/0, pkt_err 26825/26725, ptuse 0/0
Mar 11 11:17:42 cr3 fpc1 PFE 0: Possible fabric hw fault detected, total 63 times since up.
Mar 11 11:17:42 cr3 fpc1 PFE 0: exceeding aggr threshold 100, curr/last stats: pkt_crc 0/0, pkt_err 19118/19018, ptuse 0/0

 

This guide does not help: http://kb.juniper.net/InfoCenter/index?page=content&id=KB23173&actp=search

> show chassis fabric summary 
Plane State Uptime
0 Online 15 days, 20 hours, 31 minutes, 55 seconds
1 Online 15 days, 20 hours, 31 minutes, 53 seconds
2 Online 15 days, 20 hours, 31 minutes, 54 seconds
3 Online 15 days, 20 hours, 31 minutes, 52 seconds
4 Online 15 days, 21 hours, 27 minutes, 16 seconds
5 Online 15 days, 21 hours, 27 minutes, 14 seconds
6 Online 15 days, 21 hours, 27 minutes, 15 seconds
7 Online 15 days, 21 hours, 27 minutes, 14 seconds

 

And > request pfe execute command "show hsl2 statistics" target fpc1 # or fpc2 show no CRC errors.

 

Traffic shows no degradation either.

 

Has anyone seen messages like this? What can they mean?

Filter Based Forwarding on SRX


Hi, I've been at this for a few days now and I can't get to the bottom of it. I'm trying to configure filter based forwarding and redundancy on a srx210H cluster.

reth0 Lan

reth2 WAN Dedicated BW

reth3 WAN Shared BW

reth4 WAN Backup

What I'm trying to do is route traffic with destination ports 5060 8200 1853 49104-65534 3478 22 80 through reth2 and the rest through reth3. I managed to do this, but the problem is that if reth2 is down, traffic won't get redirected to reth3, being the next qualified hop. I tried setting it up with an RPM probe and IP monitoring but it didn't work.

reth4 needs to be the backup in case reth2 and reth3 are down. Anyone have any ideas?

 

Any info would be much appreciated. Please see my config below:

 

{primary:node0}
root@JN-FW-01> show configuration
## Last commit: 2016-03-11 17:59:43 GMT by root
version 12.1X46-D35.1;
groups {
node0 {
system {
host-name JN-FW-01;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 10.10.11.1/24;
}
}
}
}
}
node1 {
system {
host-name JN-FW-02;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 10.10.11.2/24;
}
}
}
}
}
}
apply-groups "${node}";
system {
time-zone Europe/London;
root-authentication {
}
name-server {
208.67.222.222;
208.67.220.220;
}
services {
ssh;
xnm-clear-text;
web-management {
https {
system-generated-certificate;
interface [ reth0.0 reth2.0 reth3.0 ];
}
}
dhcp {
maximum-lease-time 345600;
default-lease-time 259200;
name-server {
8.8.8.8;
8.8.4.4;
}
router {
10.20.0.254;
}
pool 10.20.0.0/24 {
address-range low 10.20.0.1 high 10.20.0.253;
maximum-lease-time 345600;
default-lease-time 259200;
name-server {
208.67.222.222;
208.67.220.220;
}
router {
10.20.0.254;
}
}
}
}
syslog {
archive size 100k files 3;
inactive: user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
server 94.228.40.3;
}
}
chassis {
cluster {
control-link-recovery;
reth-count 6;
redundancy-group 0 {
node 0 priority 100;
node 1 priority 1;
}
redundancy-group 1 {
node 0 priority 100;
node 1 priority 1;
interface-monitor {
ge-0/0/0 weight 255;
ge-2/0/0 weight 255;
ge-0/0/1 weight 255;
ge-2/0/1 weight 255;
fe-0/0/2 weight 255;
fe-2/0/2 weight 255;
fe-0/0/3 weight 255;
fe-2/0/3 weight 255;
fe-0/0/4 weight 255;
fe-2/0/4 weight 255;
}
}
}
}
interfaces {
ge-0/0/0 {
gigether-options {
redundant-parent reth0;
}
}
ge-0/0/1 {
gigether-options {
redundant-parent reth1;
}
}
fe-0/0/2 {
fastether-options {
redundant-parent reth2;
}
}
fe-0/0/3 {
fastether-options {
redundant-parent reth3;
}
}
fe-0/0/4 {
fastether-options {
redundant-parent reth4;
}
}
ge-2/0/0 {
gigether-options {
redundant-parent reth0;
}
}
ge-2/0/1 {
gigether-options {
redundant-parent reth1;
}
}
fe-2/0/2 {
fastether-options {
redundant-parent reth2;
}
}
fe-2/0/3 {
fastether-options {
redundant-parent reth3;
}
}
fe-2/0/4 {
fastether-options {
redundant-parent reth4;
}
}
fab0 {
fabric-options {
member-interfaces {
fe-0/0/5;
}
}
}
fab1 {
fabric-options {
member-interfaces {
fe-2/0/5;
}
}
}
reth0 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
description Lan;
family inet {
filter {
input Load-Balence;
}
address 10.20.0.254/24;
}
}
}
reth1 {
redundant-ether-options {
redundancy-group 1;
}
unit 0;
}
reth2 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
description Dedicated-BW;
family inet {
address 192.168.2.100/24;
}
}
}
reth3 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
description Shared-BW;
family inet {
address 172.16.0.100/16;
}
}
}
reth4 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
description Backup-WAN;
family inet {
address 192.168.1.100/24;
}
}
}
reth5 {
redundant-ether-options {
redundancy-group 1;
}
}
reth6 {
redundant-ether-options {
redundancy-group 1;
}
}
}
routing-options {
interface-routes {
rib-group inet import;
}
static {
route 0.0.0.0/0 next-hop [ 172.16.0.253 192.168.2.254 192.168.1.254 ];
}
rib-groups {
import {
import-rib [ inet.0 Dedicated.inet.0 Shared.inet.0 Backup.inet.0 ];
}
}
}
protocols {
stp;
}
security {
alg {
sip {
retain-hold-resource;
application-screen {
unknown-message {
permit-nat-applied;
permit-routed;
}
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set Outgoing {
from zone trust;
to zone untrust;
rule rule1 {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy Allow-Outbound-Traffic {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone trust {
policy Allow-Internal-Mgnt {
match {
source-address any;
destination-address any;
application junos-ssh;
}
then {
permit;
}
}
}
from-zone untrust to-zone junos-host {
policy management-3 {
match {
source-address any;
destination-address any;
application [ junos-https junos-ssh junos-ping junos-icmp-ping ];
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy management-4 {
match {
source-address any;
destination-address any;
application [ junos-ping junos-ssh junos-https ];
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
https;
ping;
ssh;
}
protocols {
all;
}
}
interfaces {
reth0.0 {
host-inbound-traffic {
system-services {
dhcp;
https;
ssh;
ping;
}
}
}
}
}
security-zone untrust {
screen untrust-screen;
host-inbound-traffic {
system-services {
https;
ssh;
ping;
}
protocols {
all;
}
}
interfaces {
reth2.0 {
host-inbound-traffic {
system-services {
ping;
ssh;
https;
}
}
}
reth3.0 {
host-inbound-traffic {
system-services {
ping;
ssh;
https;
}
}
}
reth4.0 {
host-inbound-traffic {
system-services {
ping;
ssh;
https;
}
}
}
}
}
security-zone junos-host;
}
}
firewall {
filter Load-Balence {
term mgmt {
from {
destination-address {
10.20.0.254/32;
172.16.0.100/32;
}
}
then accept;
}
term Dedicated-BW {
from {
destination-port [ 5060 8200 1853 49104-65534 3478 22 80 ];
}
then {
routing-instance Dedicated;
}
}
term Shared-BW {
then {
routing-instance Shared;
}
}
}
}
routing-instances {
Backup {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop 192.168.1.254;
}
}
}
Dedicated {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 {
next-hop 192.168.2.254;
qualified-next-hop 172.16.0.253 {
preference 100;
}
}
}
}
}
Shared {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 {
next-hop 172.16.0.253;
qualified-next-hop 192.168.2.254 {
preference 100;
}
}
}
}
}
}

 

Kind regards,

 

Adrian

 

 

Inter-Chassis High Availability for Stateful Firewall and CGNAT Using MS-MIC


Hello,

I am trying to implement interchassis HA for firewall and CGNAT in my network

I have an issue where I am using two MX480s, one in active (primary router) and the other in standby (secondary) and I want to implement a scenario where when I fail over from primary to secondary box  and no voice calls or packet drops are experienced 

I have configured my two boxes exactly as seen in the documentation here: http://www.juniper.net/techpubs/en_US/junos15.1/topics/example/nat-interchassis-ha-sfw-nat-msmic-msmpc.html

 

But I have two problems.

1. When I pass traffic through MX A, nothing is being replicated on MX B, as shown below:

MX A

xx@mx480a> show services nat mappings detail
Interface: ms-1/2/0, Service set: SS-2000

NAT pool: NAT-POOL-DATA-2000

Mapping : 192.168.100.11 --> XX.XXX.X17.84
Ports In Use : 14
Session Count : 14
Mapping State : Active

NAT pool: NAT-POOL-VOICE-2000

Mapping : 192.168.200.12 --> XX.XXX.X17.85
Ports In Use : 1
Session Count : 1
Mapping State : Active

 

MX B

xx@mx480b> show services nat mappings detail

 

2. The second problem is that my MS-MIC on MX A (which is the primary router) is in the backup role and the MS-MIC on MX B (which is the backup router) is in the active role. See below:

MX B

 

xx@mx480b> show services ha
Interface: ms-1/2/0
Inter-chassis: Role: active, Connection: Up, Synchronization: Hot
Peers: Local: 10.135.100.2 Port: 4001, Remote: 10.135.100.1 Port: 4001

 

MX A

 

xx@mx480a> show services ha
Interface: ms-1/2/0
Inter-chassis: Role: backup, Connection: Up, Synchronization: Hot
Peers: Local: 10.135.100.1 Port: 4001, Remote: 10.135.100.2 Port: 4001

 

Does anyone know how to rectify this and switch the priority?

 

Thanks

Uzo

MS-MIC-16G card is reloaded


Hello. 

From time to time the MS-MIC-16G card is reloaded on Juniper MX5-T (log is attached).

The router had been downgraded from Junos 14.2R4.9 to the recommended 13.3R8.7, but it didn't solve the problem.

Can somebody help to solve the problem?

 

Forwarding/Static Route between logical interfaces on one J-series router


Hi there,

 

Totally new to Juniper but have a J-Series on hand I can use for an overly simple task!

 

I currently am using a Linux/FreeBSD server as a gateway to route between two local networks.  The NICs are bridged and packets are forwarded between the interfaces. I'd like to utilize two interfaces on a J-series router to replace this. 

 

Local network 1                               J2350 - Router                                                             Local network 2

192.168.1.0/24 ---> ge-0/0/0.0 192.168.1.1 <----> ge-0/1/0/0.1 192.168.35.12 ---> (192.168.35.0/24 def.gw 192.168.35.1)

 

Is this possible to forward between interfaces as if they were two separate routers? I've tried setting up static routes between the two internal interfaces but haven't had any luck.

 

Thanks for the help!


Export Eval flag Explanation


Hello everyone,

What is meant by the Export Eval flag, which is seen in the output of "show bgp group detail"? (The output follows.)

 

user@host> show bgp group detail

Group Type: Internal    AS: 1                      Local AS: 1
  Name: ibgp            Index: 0                   Flags: <Export Eval>
  Holdtime: 0
  Total peers: 3        Established: 0
  22.0.0.2
  22.0.0.8
  22.0.0.5

PEM 0 not OK MX104


I have 4 new MX104 routers in the network and all of them generate the above alarm.

Has anyone ever encountered this same issue?

 

integrator@VP_mcRNC_MX-2> show log chassisd | last 50
Mar 18 17:12:09 CHASSISD_PEM_INPUT_BAD: status failure for power supply 0 (status bits: 0x6); check circuit breaker
Mar 18 17:12:14 CHASSISD_PEM_INPUT_BAD: status failure for power supply 0 (status bits: 0x6); check circuit breaker
Mar 18 17:13:14 send: red alarm clear, device PEM 0, reason PEM 0 Not OK
Mar 18 17:13:19 CHASSISD_SNMP_TRAP6: SNMP trap generated: Power Supply OK (jnxContentsContainerIndex 2, jnxContentsL1Index 1, jnxContentsL2Index 0, jnxContentsL3Index 0, jnxContentsDescr PEM 0, jnxOperatingState/Temp 2)
Mar 18 17:14:19 tray 0 fan 0 current speed 0x0 requested speed 0x4
Mar 18 17:24:19 tray 0 fan 0 current speed 0x4 requested speed 0x0
Mar 18 17:26:59 send: red alarm set, device PEM 0, reason PEM 0 Not OK
Mar 18 17:26:59 CHASSISD_PEM_INPUT_BAD: status failure for power supply 0 (status bits: 0x6); check circuit breaker
Mar 18 17:27:04 CHASSISD_PEM_INPUT_BAD: status failure for power supply 0 (status bits: 0x6); check circuit breaker
Mar 18 17:27:05 CHASSISD_SNMP_TRAP6: SNMP trap generated: Power Supply failed (jnxContentsContainerIndex 2, jnxContentsL1Index 1, jnxContentsL2Index 0, jnxContentsL3Index 0, jnxContentsDescr PEM 0, jnxOperatingState/Temp 6)
Mar 18 17:27:09 CHASSISD_PEM_INPUT_BAD: status failure for power supply 0 (status bits: 0x6); check circuit breaker
Mar 18 17:27:14 CHASSISD_PEM_INPUT_BAD: status failure for power supply 0 (status bits: 0x6); check circuit breaker
Mar 18 17:28:09 send: red alarm clear, device PEM 0, reason PEM 0 Not OK
Mar 18 17:28:20 CHASSISD_SNMP_TRAP6: SNMP trap generated: Power Supply OK (jnxContentsContainerIndex 2, jnxContentsL1Index 1, jnxContentsL2Index 0, jnxContentsL3Index 0, jnxContentsDescr PEM 0, jnxOperatingState/Temp 2)
Mar 18 17:31:59 send: red alarm set, device PEM 0, reason PEM 0 Not OK
Mar 18 17:31:59 CHASSISD_PEM_INPUT_BAD: status failure for power supply 0 (status bits: 0x6); check circuit breaker
Mar 18 17:32:04 CHASSISD_PEM_INPUT_BAD: status failure for power supply 0 (status bits: 0x6); check circuit breaker
Mar 18 17:32:05 CHASSISD_SNMP_TRAP6: SNMP trap generated: Power Supply failed (jnxContentsContainerIndex 2, jnxContentsL1Index 1, jnxContentsL2Index 0, jnxContentsL3Index 0, jnxContentsDescr PEM 0, jnxOperatingState/Temp 6)
Mar 18 17:32:09 CHASSISD_PEM_INPUT_BAD: status failure for power supply 0 (status bits: 0x6); check circuit breaker
Mar 18 17:32:14 CHASSISD_PEM_INPUT_BAD: status failure for power supply 0 (status bits: 0x6); check circuit breaker
Mar 18 17:33:14 send: red alarm clear, device PEM 0, reason PEM 0 Not OK
Mar 18 17:33:20 CHASSISD_SNMP_TRAP6: SNMP trap generated: Power Supply OK (jnxContentsContainerIndex 2, jnxContentsL1Index 1, jnxContentsL2Index 0, jnxContentsL3Index 0, jnxContentsDescr PEM 0, jnxOperatingState/Temp 2)
Mar 18 17:34:19 tray 0 fan 0 current speed 0x0 requested speed 0x4
Mar 18 17:44:19 tray 0 fan 0 current speed 0x4 requested speed 0x0
Mar 18 17:46:59 send: red alarm set, device PEM 0, reason PEM 0 Not OK
Mar 18 17:46:59 CHASSISD_PEM_INPUT_BAD: status failure for power supply 0 (status bits: 0x6); check circuit breaker
Mar 18 17:47:04 CHASSISD_PEM_INPUT_BAD: status failure for power supply 0 (status bits: 0x6); check circuit breaker
Mar 18 17:47:05 CHASSISD_SNMP_TRAP6: SNMP trap generated: Power Supply failed (jnxContentsContainerIndex 2, jnxContentsL1Index 1, jnxContentsL2Index 0, jnxContentsL3Index 0, jnxContentsDescr PEM 0, jnxOperatingState/Temp 6)
Mar 18 17:47:09 CHASSISD_PEM_INPUT_BAD: status failure for power supply 0 (status bits: 0x6); check circuit breaker
Mar 18 17:47:14 CHASSISD_PEM_INPUT_BAD: status failure for power supply 0 (status bits: 0x6); check circuit breaker
Mar 18 17:48:09 send: red alarm clear, device PEM 0, reason PEM 0 Not OK
Mar 18 17:48:20 CHASSISD_SNMP_TRAP6: SNMP trap generated: Power Supply OK (jnxContentsContainerIndex 2, jnxContentsL1Index 1, jnxContentsL2Index 0, jnxContentsL3Index 0, jnxContentsDescr PEM 0, jnxOperatingState/Temp 2)
Mar 18 17:52:04 send: red alarm set, device PEM 0, reason PEM 0 Not OK
Mar 18 17:52:04 CHASSISD_PEM_INPUT_BAD: status failure for power supply 0 (status bits: 0x6); check circuit breaker
Mar 18 17:52:05 CHASSISD_SNMP_TRAP6: SNMP trap generated: Power Supply failed (jnxContentsContainerIndex 2, jnxContentsL1Index 1, jnxContentsL2Index 0, jnxContentsL3Index 0, jnxContentsDescr PEM 0, jnxOperatingState/Temp 6)
Mar 18 17:52:09 CHASSISD_PEM_INPUT_BAD: status failure for power supply 0 (status bits: 0x6); check circuit breaker
Mar 18 17:52:14 CHASSISD_PEM_INPUT_BAD: status failure for power supply 0 (status bits: 0x6); check circuit breaker
Mar 18 17:52:19 CHASSISD_PEM_INPUT_BAD: status failure for power supply 0 (status bits: 0x6); check circuit breaker
Mar 18 17:53:19 send: red alarm clear, device PEM 0, reason PEM 0 Not OK
Mar 18 17:53:20 CHASSISD_SNMP_TRAP6: SNMP trap generated: Power Supply OK (jnxContentsContainerIndex 2, jnxContentsL1Index 1, jnxContentsL2Index 0, jnxContentsL3Index 0, jnxContentsDescr PEM 0, jnxOperatingState/Temp 2)
Mar 18 17:54:19 tray 0 fan 0 current speed 0x0 requested speed 0x4

 

Kind regards,

Kip.
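The chassisd excerpt above is easier to triage once the red-alarm set/clear pairs are correlated per power supply. The Python script below is an added example (not from the original post and not a Junos tool): it parses lines in that format, counts the CHASSISD_PEM_INPUT_BAD events, pairs each "red alarm set" with the following "clear" to measure the length of each outage, and flags a PEM that has flapped at least a configurable number of times. The sample lines are constructed from the excerpt; the three-flap threshold is an arbitrary choice.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample modelled on the chassisd excerpt above. The first 'clear'
# (17:28:09) has its matching 'set' before the start of the capture.
SAMPLE_LOG = """\
Mar 18 17:26:59 CHASSISD_PEM_INPUT_BAD: status failure for power supply 0 (status bits: 0x6); check circuit breaker
Mar 18 17:27:05 CHASSISD_SNMP_TRAP6: SNMP trap generated: Power Supply failed (jnxContentsContainerIndex 2, jnxContentsL1Index 1, jnxContentsL2Index 0, jnxContentsL3Index 0, jnxContentsDescr PEM 0, jnxOperatingState/Temp 6)
Mar 18 17:28:09 send: red alarm clear, device PEM 0, reason PEM 0 Not OK
Mar 18 17:28:20 CHASSISD_SNMP_TRAP6: SNMP trap generated: Power Supply OK (jnxContentsContainerIndex 2, jnxContentsL1Index 1, jnxContentsL2Index 0, jnxContentsL3Index 0, jnxContentsDescr PEM 0, jnxOperatingState/Temp 2)
Mar 18 17:31:59 send: red alarm set, device PEM 0, reason PEM 0 Not OK
Mar 18 17:31:59 CHASSISD_PEM_INPUT_BAD: status failure for power supply 0 (status bits: 0x6); check circuit breaker
Mar 18 17:33:14 send: red alarm clear, device PEM 0, reason PEM 0 Not OK
Mar 18 17:34:19 tray 0 fan 0 current speed 0x0 requested speed 0x4
Mar 18 17:46:59 send: red alarm set, device PEM 0, reason PEM 0 Not OK
Mar 18 17:46:59 CHASSISD_PEM_INPUT_BAD: status failure for power supply 0 (status bits: 0x6); check circuit breaker
Mar 18 17:48:09 send: red alarm clear, device PEM 0, reason PEM 0 Not OK
Mar 18 17:52:04 send: red alarm set, device PEM 0, reason PEM 0 Not OK
Mar 18 17:53:19 send: red alarm clear, device PEM 0, reason PEM 0 Not OK
"""

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
PATTERNS = [
    ("alarm", re.compile(TS + r" send: red alarm (?P<state>set|clear), device (?P<dev>PEM \d+)")),
    ("input_bad", re.compile(TS + r" CHASSISD_PEM_INPUT_BAD: status failure for power supply (?P<num>\d+) "
                             r"\(status bits: (?P<bits>0x[0-9a-fA-F]+)\)")),
    ("trap", re.compile(TS + r" CHASSISD_SNMP_TRAP6: SNMP trap generated: Power Supply (?P<state>failed|OK) "
                        r"\(.*?jnxContentsDescr (?P<dev>PEM \d+)")),
]


def parse_line(line):
    """Return (timestamp, event_kind, device) for a PEM-related line, else None."""
    for name, rx in PATTERNS:
        m = rx.match(line)
        if not m:
            continue
        # chassisd stamps carry no year; strptime defaults to 1900, which is
        # harmless for durations measured inside one capture.
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        if name == "alarm":
            return ts, "alarm_" + m.group("state"), m.group("dev")
        if name == "input_bad":
            return ts, "input_bad", "PEM " + m.group("num")
        return ts, "trap_" + m.group("state").lower(), m.group("dev")
    return None


def summarize(log_text, flap_threshold=3):
    """Per-PEM event counts, outage durations (set -> clear) and a flap flag."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, kind, dev = rec
            events.setdefault(dev, []).append((ts, kind))
    report = {}
    for dev, evs in events.items():
        evs.sort(key=lambda e: e[0])            # stable: same-second order is kept
        counts = Counter(kind for _, kind in evs)
        outages, open_since = [], None
        for ts, kind in evs:
            if kind == "alarm_set":
                open_since = ts
            elif kind == "alarm_clear" and open_since is not None:
                outages.append((ts - open_since).total_seconds())
                open_since = None               # a clear with no prior set is ignored
        report[dev] = {
            "input_bad": counts["input_bad"],
            "alarm_set": counts["alarm_set"],
            "alarm_clear": counts["alarm_clear"],
            "trap_failed": counts["trap_failed"],
            "trap_ok": counts["trap_ok"],
            "outage_seconds": outages,
            "flapping": counts["alarm_set"] >= flap_threshold,
            "still_failed": open_since is not None,
        }
    return report


if __name__ == "__main__":
    for dev, info in summarize(SAMPLE_LOG).items():
        print(dev, info)
```

A supply that alternates between set and clear every few minutes, as in the excerpt, shows up as three outages of roughly 70 to 75 seconds and a `flapping` flag, which is the pattern worth raising with the site before the second PEM is lost as well.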
 

show ospf route .. Route Type Network vs Router


Dears

Hope you are doing great.

 

Need your assistance please regarding the below command

 

R1> show ospf route router
Topology default Route Table:

Prefix        Path   Route    NH    Metric NextHop    Nexthop
              Type   Type     Type         Interface  Address/LSP
10.0.0.0/24   Intra  Router   IP    5100   ae10.0     1.1.1.1
11.0.0.0/24   Intra  AS BR    IP    5100   ae2.0      2.2.2.2
12.0.0.0/24   Intra  Network  IP    5101   ae3.0      3.3.3.3
13.0.0.0/32   Ext1   Network  IP    1050   ae4.0      4.4.4.4

 

Intra should be intra (level-1/level-2) LSA and Ext should be level-5 LSA

However, what do "Router" and "Network" mean? It can't be level-1 / level-2.

 

Thanks for your assistance

 

Best Regards

Sherif Ismail

show ospf route .. Route Type Network vs Router


Dears

Hope you are doing great.

 

Need your assistance please regarding the below command

 

R1> show ospf route router
Topology default Route Table:

Prefix        Path   Route    NH    Metric NextHop    Nexthop
              Type   Type     Type         Interface  Address/LSP
10.0.0.0/24   Intra  Router   IP    5100   ae10.0     1.1.1.1
11.0.0.0/24   Intra  AS BR    IP    5100   ae2.0      2.2.2.2
12.0.0.0/24   Intra  Network  IP    5101   ae3.0      3.3.3.3
13.0.0.0/32   Ext1   Network  IP    1050   ae4.0      4.4.4.4

 

Intra should be intra (level-1/level-2) LSA and Ext should be level-5 LSA

However, what do "Router" and "Network" mean? It can't be level-1 / level-2, as Ext1 is also shown with Network.

 

Many Thanks for your assistance

 

Best Regards

Sherif Ismail

Can the bandwidth command affect QoS?

Redistribution of static routes in VR configuration into OSPF


Hi,

 

my config looks like this:

set routing-instances VR_Office routing-options static route 10.14.0.0/16 next-hop 10.181.101.249

set routing-instances VR_Office routing-options static route 10.14.0.0/16 tag 513

set routing-instances VR_Office protocols ospf export export-static-tag-513

set policy-options policy-statement export-static-tag-513 term term-1 from protocol static

set policy-options policy-statement export-static-tag-513 term term-1 from tag 513

set policy-options policy-statement export-static-tag-513 term term-1 then accept

set policy-options policy-statement export-static-tag-513 then reject

 

I can see the static route in the respective routing table:

 

{master}
router> show route table VR_Office.inet.0 10.14.0.0/16 detail

VR_Office.inet.0: 3264 destinations, 3264 routes (3264 active, 0 holddown, 0 hidden)
10.14.0.0/16 (1 entry, 1 announced)
*Static Preference: 5
Next hop type: Router, Next hop index: 10384
Address: 0xaf7e234
Next-hop reference count: 7
Next hop: 10.181.101.249 via irb.101, selected
Session Id: 0x28
State: <Active Int Ext>
Age: 25:50
Validation State: unverified
Tag: 513
Task: RT
Announcement bits (3): 0-RT 2-KRT 3-Resolve tree 4
AS path: I
AS path: Recorded

{master}
router>

 

But it does not appear in the ospf database:

{master}
router> show ospf database instance VR_Office | grep 10.14.0.0

{master}
router>

 

What am I missing?

 

Thx,

Stefan
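A first check for a missing OSPF external is whether the export policy actually matches the route as shown in the routing table. The Python below is an added model of Junos term evaluation (not from the post and not Junos code): it transcribes the posted export-static-tag-513 policy literally, evaluates it against a route record constructed from the `show route ... detail` output above, and also implements route-filter matching with the longest-prefix rule Junos uses, which goes beyond the posted policy. The route dictionaries and the extra route-filter entries are constructed for the example.

```python
import ipaddress

# Transcription of the posted policy-statement. Junos ANDs the different
# 'from' conditions of one term and ORs multiple values of the same condition.
EXPORT_STATIC_TAG_513 = {
    "name": "export-static-tag-513",
    "terms": [
        {"name": "term-1",
         "from": {"protocol": {"static"}, "tag": {513}},
         "then": "accept"},
    ],
    "then": "reject",          # the unnamed final term: 'then reject'
}

# Route record constructed from the 'show route table VR_Office.inet.0 ... detail' output.
STATIC_10_14 = {"prefix": "10.14.0.0/16", "protocol": "static", "tag": 513}


def match_route_filter(entries, prefix):
    """Junos route-filter semantics: of all listed prefixes that contain the
    route, only the longest one is consulted, and its match type decides."""
    prefix = ipaddress.ip_network(prefix)
    best = None
    for net, kind in entries:
        net = ipaddress.ip_network(net)
        if net.version == prefix.version and prefix.subnet_of(net):
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, kind)
    if best is None:
        return False
    net, kind = best
    if kind == "exact":
        return net == prefix
    if kind == "orlonger":
        return True
    if kind == "longer":
        return prefix.prefixlen > net.prefixlen
    raise ValueError("unsupported match type: " + kind)


def term_matches(term, route):
    """All 'from' conditions of a term must hold for the term to match."""
    for cond, wanted in term.get("from", {}).items():
        if cond == "route-filter":
            if not match_route_filter(wanted, route["prefix"]):
                return False
        elif route.get(cond) not in wanted:
            return False
    return True


def evaluate_policy(policy, route):
    """Return (action, term_name). A matching term without a terminating action
    falls through to the next term, as in Junos; the policy-level 'then'
    applies when no term terminated (OSPF export rejects by default otherwise)."""
    for term in policy["terms"]:
        if term_matches(term, route) and term.get("then") in ("accept", "reject"):
            return term["then"], term["name"]
    return policy.get("then", "default"), None


if __name__ == "__main__":
    print(evaluate_policy(EXPORT_STATIC_TAG_513, STATIC_10_14))
    print(evaluate_policy(EXPORT_STATIC_TAG_513,
                          {"prefix": "10.15.0.0/16", "protocol": "static", "tag": None}))
```

For the posted route the policy returns accept from term-1, so the policy itself is not what keeps 10.14.0.0/16 out of the OSPF database; the remaining places to look are the OSPF instance itself (is it up with neighbours in VR_Office?) and whether the policy is applied under the instance's `protocols ospf export`. The route-filter helper is there because tag-based terms are often combined with `from route-filter`, and the longest-match rule regularly surprises people: a more specific `exact` entry shadows a broader `orlonger` one even when the broad one would have matched.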

Force traffic from Self to avoid routing table. SSG


Hi everyone,

 

Here is my situation, in short:

 

set route 0.0.0.0/0 interface ethernet0/0

 

set VPN1  outgoing-interface "ethernet0/0"    /same peer for both 

set VPN2  outgoing-interface "ethernet0/3"    /same peer for both 

 

VPN1 is up

VPN2 is down

 

VPN2 tries to establish the tunnel using the source address of eth0/3, but since it uses the routing table it tries to establish it via eth0/0 (debug flow confirmed it). Negotiation fails.

 

How do I force VPN2 to use eth0/3 as the outgoing interface? I put PBR and source routing in place but it still takes the default route.

 

 

Thank you for your help !

 

 


Source based default route


 

Server---->Ex4200--------->ISP1

                             |

                             ---------->ISP2

 

Can I do filter-based forwarding on the basis of BGP community?

 

I already do this with a prefix-list, but I can't find a way to do this with BGP.

 

set firewall family inet filter classify-customers term sp1-customers from ????????????
set firewall family inet filter classify-customers term sp1-customers then routing-instance sp1-route-table

 

set routing-instances sp1-route-table instance-type forwarding
set routing-instances sp1-route-table routing-options static route 0.0.0.0/0 qualified-next-hop ISP2

 

Default route is ISP1

set routing-options static route 0.0.0.0/0 next-hop ISP1

 

 

MX240 Enhanced MX SCB 2


We have a new MX240 with two routing engines. Each routing engine has a card (XGE) with two SFP ports. I think they are CB 0 and CB 1. We don't see those 4 interfaces when we issue "show interfaces". Can those interfaces be used for network connectivity (to other switches and/or routers)? Do they support 10G SFP? How do we enable them?

 

We issued the command "set system network-services enhanced-ip" but that didn't help.

 

 

show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                JN125ADCCAFC      MX240
Midplane         REV 04   750-047865   ACRF8986          Enhanced MX240 Backplane
FPM Board        REV 04   760-021392   ABDE4335          Front Panel Display
PEM 0            Rev 11   740-029970   QCS1544U1PE       PS 1.4-2.52kW; 90-264V AC in
PEM 1            Rev 11   740-029970   QCS1544U1LR       PS 1.4-2.52kW; 90-264V AC in
PEM 2            Rev 11   740-029970   QCS1544U1LT       PS 1.4-2.52kW; 90-264V AC in
PEM 3            Rev 11   740-029970   QCS1544U1PA       PS 1.4-2.52kW; 90-264V AC in
Routing Engine 0 REV 11   740-031116   9009256147        RE-S-1800x4
Routing Engine 1 REV 11   740-031116   9009255897        RE-S-1800x4
CB 0             REV 08   750-055976   CAFW7761          Enhanced MX SCB 2
CB 1             REV 08   750-055976   CAFR4747          Enhanced MX SCB 2
FPC 1            REV 11   750-054904   CAEL5200          MPC2E NG PQ & Flex Q
  CPU            REV 12   711-045719   CAEL4676          RMPC PMB
  MIC 0          REV 32   750-028392   CAGA4573          3D 20x 1GE(LAN) SFP
    PIC 0                 BUILTIN      BUILTIN           10x 1GE(LAN) SFP
    PIC 1                 BUILTIN      BUILTIN           10x 1GE(LAN) SFP
---(more)---                                        Fan Tray 0 

Error message after upgrade MX-5 to version 13.3R8.7


After upgrading to version 13.3R8.7, the following messages are flooding the message log:

 

Apr  2 02:12:14  mx-1 tfeb0 Reset media mux for mic slot 1
Apr  2 02:12:14  mx-1 tfeb0 PQ3_IIC(WR): no target ack on byte 0 (wait spins 3)
Apr  2 02:12:14  mx-1 tfeb0 PQ3_IIC(WR): I/O error (i2c_stat=0xa3, i2c_ctl[1]=0xb0, bus_addr=0x51)
Apr  2 02:12:14  mx-1 tfeb0 mic_sfp_pca9548_swtbl_clean: Reset MUX to SFP ports

 

Any ideas of what is causing the error?

Routing Issue


I have an EX3300 hanging off a FIOS router (192.168.1.0/24). I have the 192.168.1.0 network routable from my internal networks (10.10.10.0/24 & 10.10.110.0/24), as I have a port configured as an uplink (192.168.1.99) to the FIOS router for internet. I need to hang a port off the EX3300 on the FIOS network (192.168.1.121) so I can expose my NAS to my Samsung Smart TV. What do I need to do to get this to work?

 

I have configured port 11 with an IPv4 address (192.168.1.120) and set a static /32 route for the IP address, and also on the system I am testing with, to no avail. What am I missing?

Cisco reflexive access list


I'm trying to convert a Cisco configuration to a Juniper MX configuration. On the Cisco device there's a reflexive access list. Does anyone know the equivalent commands in Juniper?

 

ip access-list extended test123

permit x.x.x.x.

permit xx.x.x.x

permit x.x.x.x

Evaluate RefACL

 

 

ip access-list extended test456

permit x.x.x.x

permit x.x.x.x

permit 10.1.0.0 0.0.255.255 any reflect RefACL

 

Thanks for your help
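Before looking for an equivalent, it helps to be precise about what the posted pair of lists does: an outbound packet that hits `permit 10.1.0.0 0.0.255.255 any reflect RefACL` installs a temporary entry for the reversed 5-tuple, and `evaluate RefACL` in the inbound list permits only traffic that matches such an entry until it idles out. The Python below is an added model of exactly that behaviour (not from the post and not Cisco or Juniper code). The 10.1.0.0/16 inside range comes from the post; the two static inbound permits stand in for the masked `permit x.x.x.x` lines and are constructed from RFC 5737 documentation addresses, as are the test flows.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        """The 5-tuple a reply to this flow would carry."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class ReflexiveList:
    """Models Cisco 'reflect NAME' / 'evaluate NAME': a permitted outbound flow
    installs a temporary entry for its reverse 5-tuple, valid for `timeout`
    seconds of idle time and refreshed by matching traffic."""
    timeout: float = 300.0
    entries: dict = field(default_factory=dict)   # Flow -> expiry time

    def reflect(self, flow, now):
        self.entries[flow.reverse()] = now + self.timeout

    def evaluate(self, flow, now):
        expiry = self.entries.get(flow)
        if expiry is None:
            return False
        if now >= expiry:
            del self.entries[flow]                 # idle timeout reached
            return False
        self.entries[flow] = now + self.timeout    # refresh on use
        return True


INSIDE = ipaddress.ip_network("10.1.0.0/16")     # 'permit 10.1.0.0 0.0.255.255 any reflect RefACL'
# Constructed stand-ins for the masked 'permit x.x.x.x' statics in test123.
STATIC_INBOUND = [ipaddress.ip_network("192.0.2.10/32"),
                  ipaddress.ip_network("198.51.100.0/24")]


class ReflexiveFirewall:
    def __init__(self, timeout=300.0):
        self.ref_acl = ReflexiveList(timeout)

    def outbound(self, flow, now):
        """test456, applied outbound: inside sources are permitted and reflected."""
        if ipaddress.ip_address(flow.src) in INSIDE:
            self.ref_acl.reflect(flow, now)
            return "permit"
        return "deny"                              # Cisco implicit deny

    def inbound(self, flow, now):
        """test123, applied inbound: static permits first, then 'evaluate RefACL'."""
        src = ipaddress.ip_address(flow.src)
        if any(src in net for net in STATIC_INBOUND):
            return "permit"
        if self.ref_acl.evaluate(flow, now):
            return "permit"
        return "deny"


def demo():
    """Walk a constructed session through the two lists; times are seconds."""
    fw = ReflexiveFirewall(timeout=300.0)
    return [
        fw.inbound(Flow("tcp", "203.0.113.5", 4444, "10.1.2.3", 22), now=0),      # unsolicited: deny
        fw.outbound(Flow("tcp", "10.1.2.3", 51000, "203.0.113.5", 443), now=1),   # permit and reflect
        fw.inbound(Flow("tcp", "203.0.113.5", 443, "10.1.2.3", 51000), now=2),    # reply: permit
        fw.inbound(Flow("tcp", "203.0.113.5", 443, "10.1.2.3", 51001), now=2),    # other port: deny
        fw.inbound(Flow("tcp", "203.0.113.5", 443, "10.1.2.3", 51000), now=400),  # idled out: deny
        fw.inbound(Flow("tcp", "192.0.2.10", 40000, "10.1.2.3", 25), now=401),    # static permit
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The part to keep in mind when porting: this is per-flow state with an idle timer, which a stateless Junos `firewall filter` on the MX cannot express. A `from tcp-established` match term is only a stateless approximation (it admits any segment with ACK or RST set, regardless of whether the inside host opened the connection, and does nothing for UDP); preserving the actual reflexive semantics needs the services-based stateful firewall on the MX.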

 

 
