Channel: All Routing posts

Re: J2320 - V12.4 BGP And Firewall Setup

Hi,

 

Ok, so BGP has come up and I'm seeing active routes in the table, but I cannot get any traffic to pass through the router itself, e.g. ping, or see any devices at either end. At the moment I have set all zones to all with all services to allow, apart from the default global which is set to deny.

 

Config:

 

## Last commit: 2017-09-05 13:23:52 UTC by root
version 12.1X44-D40.2;
system {
    host-name DC-MPLS-01;
    root-authentication {
        encrypted-password
    }
    name-server {
        192.168.50.80;
        192.168.50.81;
        192.168.50.89;
    }
    login {
        user administrator {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password
            }
        }
    }
    services {
        ssh;
        telnet;
        web-management {
            http;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            description "LAN HQ";
            family inet {
                address 192.168.50.4/22;
            }
        }
    }
    ge-0/0/2 {
        description "WAN MPLS";
        unit 0 {
            family inet {
                address 172.0.0.6/30;
            }
        }
    }
    ge-0/0/3 {
        description "UNUSED LAN";
        unit 0 {
            family inet {
                address 10.1.1.1/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 172.0.0.6/32;
            }
        }
    }
}
snmp {
    community public {
        authorization read-only;
    }
}
routing-options {
    static {
        route 172.0.0.0/30 next-hop 172.0.0.5;
    }
    router-id 172.0.0.6;
    autonomous-system 65000;
}
protocols {
    bgp {
        group MPLS {
            type external;
            description "BT MPLS PEER";
            export export-LAN;
            peer-as 2856;
            neighbor 172.0.0.5 {
                local-address 172.0.0.6;
                hold-time 90;
            }
        }
    }
}
policy-options {
    policy-statement export-LAN {
        from {
            protocol [ direct local ];
            interface ge-0/0/0.0;
        }
        then accept;
    }
    policy-statement jweb-policy-default-route {
        from {
            route-filter 0.0.0.0/0 exact;
        }
        then accept;
    }
    policy-statement jweb-policy-direct {
        from {
            protocol direct;
            interface ge-0/0/2.0;
        }
        then accept;
    }
    policy-statement jweb-policy-rip {
        from protocol rip;
        then accept;
    }
}
security {
    address-book {
        Test {
            description test;
            address 1.1.1.1 {
                description test;
                1.1.1.1/32;
            }
            attach {
                zone UnTrust;
            }
        }
    }
    policies {
        from-zone Trust to-zone UnTrust {
            policy Trust-Untrust {
                description Trust-Untrust;
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    count;
                }
            }
        }
        from-zone UnTrust to-zone Trust {
            policy Untrust-Trust {
                description Untrust-Trust;
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    count;
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
    zones {
        security-zone Trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                lo0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone UnTrust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}

 

Cheers,

 


Re: Two Networks Config

I'm in /var/db/

 

 root@sw1:RE:0% cd /var/db/
root@sw1:RE:0% ls -la
total 40
drwxr-xr-x 5 root wheel 512 Sep 5 02:00 .
drwxr-xr-x 31 root wheel 512 Nov 15 2011 ..
drwxr-xr-x 5 root wheel 512 Nov 15 2011 certs
-rw-r--r-- 1 root wheel 95 Sep 5 02:00 commits
lrwxr-xr-x 1 root wheel 17 Jan 1 2005 config -> /config/db/config
lrwxr-xr-x 1 root wheel 22 Sep 4 21:50 dcd.snmp_ix -> /config/db/dcd.snmp_ix
drwx------ 2 root wheel 512 Sep 4 21:50 dhcp_snoop
-rw-rw-r-- 1 root ext 6588 Sep 5 02:00 feature.db
drwxr-xr-x 2 root wheel 512 Sep 4 21:50 persistent_mac
lrwxr-xr-x 1 root wheel 18 Sep 4 21:50 scripts -> /config/db/scripts
lrwxr-xr-x 1 root wheel 25 Sep 4 21:50 snmp_engine.db -> /config/db/snmp_engine.db
root@sw1:RE:0%

Re: J2320 - V12.4 BGP And Firewall Setup

The two things to check then are to confirm that sessions are being accepted and created for your traffic. Set up the ping and then use:

 

show security flow session source-prefix 1.1.1.1 destination-prefix 2.2.2.2

 

This should show the accepted sessions with NAT and packet counts. If there are no sessions you will need to enable trace options to find out why.

 

Second thing to confirm is that the remote side has the return route for the traffic and that they have policies to accept the traffic as well.

Re: MX480 IP SLA ??

Hmmm... surprisingly, I can't find the simple IP SLA feature on the MX series. Is there any roadmap for the MX to support a similar IP SLA feature?

Support for 1Gbps SFP in MIC3-3D-10XGE-SFPP?

Does anyone know if the MIC3-3D-10XGE-SFPP card supports 1Gbps SFPs?

I know there is the MIC-3D-20GE-SFP for that, but since we are migrating from 1Gbps to 10Gbps I'd like the MIC to support both speeds.

Re: Support for 1Gbps SFP in MIC3-3D-10XGE-SFPP?

MIC3-3D-10XGE-SFPP is 10G / SFP+ only.

Re: J2320 - V12.4 BGP And Firewall Setup

Hi,

 

Still not having much luck... I have set up a pair of J2320s running V12 firmware, configured BGP between them (to simulate the MPLS provider's end) and I can see those routes replicating between the routers. On the head office end I can see and connect to all devices on the remote end, but not the other way round, e.g. communicating with the head office end from the remote network. When running a trace I get as far as the external interface on the head office end's router but no further. Machines in the head office end have a static route pointing back at the branch router.

 

Sorry it's quite vague, let me know if you need any other info.

 

Cheers,

 

Re: Support for 1Gbps SFP in MIC3-3D-10XGE-SFPP?

Hi,

 

This MIC has 10 Gig ports only and 1G SFPs cannot be used.

You can follow the link below for more detail about this MIC.

 

10-Gigabit Ethernet MIC with SFP+ (10 Ports)

 

[KUDOS PLEASE! If you think I earned it!

If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]

 

 


Re: Duplicate Frame route issue in 16.1R4 for BNG

Functionality is broken in the next-generation subscriber management release.

Please note this will be available in later releases. 

Re: Two Networks Config

Hey,

 

Can you try deleting the existing config directory in /var/db and recreate and check if it works?

 

root@:RE:0%
root@:RE:0% rm config/
rm: config/: is a directory
root@:RE:0% rm -r config/
root@:RE:0% ls -l
total 168
drwxr-xr-x  5 root      wheel       512 Dec 31  2016 certs
drwxr-xr-x  2 root      wheel       512 Dec 31  2016 commit-queue
lrwxr-xr-x  1 root      wheel        18 Jan  1  2010 commits -> /config/db/commits
lrwxr-xr-x  1 root      wheel        22 Dec 31  2016 dcd.snmp_ix -> /config/db/dcd.snmp_ix
-rw-r--r--  1 root      wheel     13399 Jun 11 05:53 dcd.snmp_ix.slave
drwx------  2 root      wheel       512 Dec 31  2016 dhcp_snoop
drwxr-xr-x  2 root      wheel       512 Dec 31  2016 download-manager
drwx------  2 operator  operator    512 Dec 31  2016 entropy
drwxrwxr-x  2 ext       ext         512 Dec 31  2016 ext
-rw-r--r--  1 root      wheel     16384 Aug  7 12:43 ext_id_map.db
-rw-rw-r--  1 root      ext       14105 Aug 30 19:44 feature.db
drwxr-xr-x  2 root      wheel       512 Dec 31  2016 fsad
drwxr-xr-x  2 root      wheel       512 Dec 31  2016 gtpcd
drwxr-xr-x  2 root      wheel       512 Dec 31  2016 help
drwxr-xr-x  2 root      wheel       512 Apr  1 18:27 leases
-rw-------  1 root      wheel     12082 Sep  2 11:35 login-attempts
drwxr-xr-x  2 root      wheel       512 Dec 31  2016 persistent_mac
drwxr-xr-x  7 root      wheel       512 Jan  1  2010 scripts
-rw-r--r--  1 root      wheel        35 Aug  7 12:41 shutdown_info
lrwxr-xr-x  1 root      wheel        25 Dec 31  2016 snmp_engine.db -> /config/db/snmp_engine.db
drwxr-xr-x  2 root      wheel       512 Dec 31  2016 zoneinfo
root@:RE:0% cli
{master:0}
root> edit
Entering configuration mode

{master:0}[edit]
root# commit
configuration check succeeds
error: error copying files (/config/juniper.conf.3.gz->/var/db/config/juniper.conf.4.gz): No such file or directory
error: rotation of old files failed

{master:0}[edit]
root# run start shell
root@:RE:0% pwd
/var/db
root@:RE:0% mkdir config
root@:RE:0% ls -l
total 172
drwxr-xr-x  5 root      wheel       512 Dec 31  2016 certs
drwxr-xr-x  2 root      wheel       512 Dec 31  2016 commit-queue
lrwxr-xr-x  1 root      wheel        18 Jan  1  2010 commits -> /config/db/commits
drwxr-xr-x  2 root      wheel       512 Sep  2 11:36 config
lrwxr-xr-x  1 root      wheel        22 Dec 31  2016 dcd.snmp_ix -> /config/db/dcd.snmp_ix
-rw-r--r--  1 root      wheel     13399 Jun 11 05:53 dcd.snmp_ix.slave
drwx------  2 root      wheel       512 Dec 31  2016 dhcp_snoop
drwxr-xr-x  2 root      wheel       512 Dec 31  2016 download-manager
drwx------  2 operator  operator    512 Dec 31  2016 entropy
drwxrwxr-x  2 ext       ext         512 Dec 31  2016 ext
-rw-r--r--  1 root      wheel     16384 Aug  7 12:43 ext_id_map.db
-rw-rw-r--  1 root      ext       14105 Sep  2 11:36 feature.db
drwxr-xr-x  2 root      wheel       512 Dec 31  2016 fsad
drwxr-xr-x  2 root      wheel       512 Dec 31  2016 gtpcd
drwxr-xr-x  2 root      wheel       512 Dec 31  2016 help
drwxr-xr-x  2 root      wheel       512 Apr  1 18:27 leases
-rw-------  1 root      wheel     12082 Sep  2 11:35 login-attempts
drwxr-xr-x  2 root      wheel       512 Dec 31  2016 persistent_mac
drwxr-xr-x  7 root      wheel       512 Jan  1  2010 scripts
-rw-r--r--  1 root      wheel        35 Aug  7 12:41 shutdown_info
lrwxr-xr-x  1 root      wheel        25 Dec 31  2016 snmp_engine.db -> /config/db/snmp_engine.db
drwxr-xr-x  2 root      wheel       512 Dec 31  2016 zoneinfo
root@:RE:0% cli
e{master:0}
root> edit
Entering configuration mode
Users currently editing the configuration:
  root terminal u0 (pid 54744) on since 2017-09-02 11:36:02 UTC
      {master:0}[edit]

{master:0}[edit]
root# commit
configuration check succeeds
commit complete

{master:0}[edit]
root#

Re: J2320 - V12.4 BGP And Firewall Setup

Security policies that permit the traffic are needed in the direction of the initiator (from-zone) of the traffic to the destination (to-zone).

 

set security policies from-zone NAME to-zone NAME

 

Both SRX need to have a policy that permits the traffic.

 

So in your case one of the two SRX does not have a policy from the hub zone to the spoke zone for the traffic to be permitted. You can confirm the existence of the sessions with the show security flow command.

 

If the session is not being created you can use trace options to get the details on why.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=kb16110
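
Added example (not part of the original posts, and not Juniper code): a small Python audit of a brace-format Junos config that lists zone pairs with no permit policy, which is the situation described in the reply above, and also flags permit policies that match any/any/any, as in the config posted earlier in the thread. The sample config and the `parse` and `audit` helpers are constructed for this illustration.

```python
import re

# Constructed sample (not from the thread): only Trust -> UnTrust has a permit policy.
SAMPLE = """
security {
    policies {
        from-zone Trust to-zone UnTrust {
            policy Trust-Untrust {
                match { source-address any; destination-address any; application any; }
                then { permit; count; }
            }
        }
        default-policy { deny-all; }
    }
    zones {
        security-zone Trust { interfaces { ge-0/0/0.0; } }
        security-zone UnTrust { interfaces { ge-0/0/2.0; } }
    }
}
"""
ANY = {"source-address any", "destination-address any", "application any"}

def parse(text):
    """Brace-style config -> nested dicts; leaf statements map to None."""
    stack, words = [{}], []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text):
        if tok == "{":
            stack.append(stack[-1].setdefault(" ".join(words), {}))
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            stack[-1][" ".join(words)] = None
        words = [] if tok in ("{", "}", ";") else words + [tok]
    return stack[0]

def audit(cfg):
    """Return (zone pairs lacking a permit policy, permit policies matching any/any/any)."""
    sec = cfg.get("security", {})
    zones = [k.split()[1] for k in sec.get("zones", {}) if k.startswith("security-zone ")]
    permitted, wide_open = set(), []
    for ctx, policies in sec.get("policies", {}).items():
        m = re.fullmatch(r"from-zone (\S+) to-zone (\S+)", ctx)
        for name, body in (policies.items() if m else ()):  # skips default-policy
            if name.startswith("policy ") and "permit" in body.get("then", {}):
                permitted.add(m.groups())
                if ANY <= set(body.get("match", {})):
                    wide_open.append(name.split()[1])
    missing = [(a, b) for a in zones for b in zones if a != b and (a, b) not in permitted]
    return missing, wide_open
```

`audit(parse(SAMPLE))` reports the UnTrust to Trust direction as uncovered: with the deny-all default, new sessions cannot be initiated that way, while reply packets of an already permitted session are unaffected.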

L2_BRIDGE family extension message

MX480 with 15.1F7

I'm migrating irb interfaces from one OSPF routing-instance to another. This only changes the interface unit from ae5.3 to ae5.128. I keep getting this error for every irb (one for each RE)

 

fpc0 ifl 429 does not have L2_BRIDGE family extension

fpc1 ifl 429 does not have L2_BRIDGE family extension

 

ae5 {
    vlan-tagging;
    encapsulation flexible-ethernet-services;
    aggregated-ether-options {
        minimum-links 1;
        link-speed 10g;
        lacp {
            active;
            periodic fast;
        }
    }
    unit 3 {
        vlan-id 3;
        family inet {
            address 192.168.90.3/30;
        }
    }
}

 

I can't find any reference to this error anywhere. Doesn't appear to affect traffic that I can tell.

Some enlightenment would be appreciated.

 

thanks

Brian Nelson

Re: L2_BRIDGE family extension message

Hi,

 

Can you please share the below:

 

>show interface ae5.3

Need Help : OSPFv3 issue on Juniper MP-BGP --> OSPF

I am currently using OSPFv3 between the CE and PE in the following scenario. The PEs are Juniper and the CEs are another vendor (Cisco). I have enabled the address families/realms for both IPv4 and IPv6 between the CEs and the PEs. OSPF is established and I can see the OSPFv3 routes from the local CE on the local PE, which are advertised through MP-BGP to the remote PE. In other words, I can see all OSPFv3 routes in the VPNv4 table. However, remote routes that are imported into the local PE (VRF) are not advertised into OSPFv3. I have configured export/import policy for OSPF to export the BGP routes from the VRF to OSPF and also for loop prevention using tagging, but it seems that's not working as I can't see any remote routes in the local CPEs. I checked the OSPFv3 database (and also in realm IPv4-Unicast), and no remote route is installed. With OSPFv2, everything works perfectly with the exact same configurations w.r.t. MPLS VPN.

 

Any idea what's going on please? Any help will be appreciated.

 

Thanks.

Scenario:

|CE-1| --- |PE-1| ---- |PE-2| --- |CE-2|

100Mb SFP on ACX5048

Hi,

 

I know that this can support 1Gb SFPs, but has anyone managed to test whether you can use a copper SFP and connect a device at 100Mb?

Will the ACX5048 support 100Mb F/D speeds using a 1Gb copper SFP?

 

Thanks in advance,

Matt


Re: 100Mb SFP on ACX5048

Hi, mskipsey!

 

I don't personally have the ACX 5048 but reviewing the ACX 5000 series documentation it does not appear so. Here are the relevant portions of the document.

 

 

All 48 of these ports can be used for SFP+ transceivers or SFP+ direct attach copper (DAC) cables. You can use 1-Gigabit Ethernet SFP, 10-Gigabit Ethernet SFP+ transceivers and SFP+ direct attach copper cables in any access port.

Source - Port Panel of an ACX5048 Router

 

 

And on the Interface Specifications for SFP, SFP+, and QSFP+ Transceivers for an ACX5000 Router page you can see for the Gigabit transceivers only the 1000Mbps rate is supported.

 

I hope this helps.

Re: 100Mb SFP on ACX5048

I can confirm that 100 Mbps optics are not supported on ACX5048. With Junos 17.3R1 the smaller platforms now support 100 Mbps, but it's a bit strange that it wasn't a focus for ACX5000.

 

Hardware

  • Support for 100 MB Optics (ACX500, ACX1000, ACX1100, ACX2100, ACX2200, ACX4000)—Starting in Junos OS Release 17.3R1, ACX Series Universal Access Routers (ACX500, ACX1000, ACX1100, ACX2100, ACX2200, ACX4000) support 100 MB Ethernet optics.

    [See Hardware Compatibility Tool]

Ref: http://www.juniper.net/documentation/en_US/junos/information-products/topic-collections/release-notes/17.3/topic-120780.html#rn-junos-acx-new-and-changed-features

Re: 100Mb SFP on ACX5048

Interesting find, as that does appear to confirm that the other ACX platforms now do support 100Mb optics, but not the 5000 series.

 

https://www.juniper.net/documentation/en_US/junos/information-products/topic-collections/release-notes/17.3/topic-120780.html#rn-junos-acx-new-and-changed-features

Support for 100 MB Optics (ACX500, ACX1000, ACX1100, ACX2100, ACX2200, ACX4000)—Starting in Junos OS Release 17.3R1, ACX Series Universal Access Routers (ACX500, ACX1000, ACX1100, ACX2100, ACX2200, ACX4000) support 100 MB Ethernet optics.

 

Bummer.

 

Some of our services are handed off to us on 100Mb copper.

 

I guess we'll have to put an intermediary EX switch between the ACX5048 and the network provider's NTE.

Re: L2_BRIDGE family extension message

OK. What are you looking for?

 

> show interfaces ae5.3 detail
Logical interface ae5.3 (Index 461) (SNMP ifIndex 693) (Generation 401)
Description: intgway routes
Flags: Up SNMP-Traps 0x4000 VLAN-Tag [ 0x8100.3 ] Encapsulation: ENET2
Statistics Packets pps Bytes bps
Bundle:
Input : 33558427684 5438 30774541755941 51084040
Output: 29291232686 2418 26574548241450 9201736
Adaptive Statistics:
Adaptive Adjusts: 0
Adaptive Scans : 0
Adaptive Updates: 0
Link:
xe-1/0/5.3
Input : 15953103400 1551 14291791879561 11402088
Output: 14466878214 1183 13131121762743 3981744
xe-0/0/5.3
Input : 17605324284 3887 16482749876380 39681952
Output: 14824354473 1235 13443426478753 5219992


Aggregate member links: 2

Marker Statistics: Marker Rx Resp Tx Unknown Rx Illegal Rx
xe-1/0/5.3 0 0 0 0
xe-0/0/5.3 0 0 0 0
Protocol inet, MTU: 1500, Generation: 595, Route table: 15
Flags: Sendbcast-pkt-to-re
Input Filters: ae5.3-i
Addresses, Flags: Is-Preferred Is-Primary
Destination: 172.24.90.12/30, Local: 172.24.90.14, Broadcast: 172.24.90.15, Generation: 517
Protocol multiservice, MTU: Unlimited, Generation: 596, Route table: 15
Policer: Input: __default_arp_policer__

Re: Need Help : OSPFv3 issue on Juniper MP-BGP --> OSPF

Hi,

 

Can you please share the export/import policy which you are using to advertise BGP routes to OSPFv3 here?

 

Thanks
