Channel: All Routing posts

Re: Routed VPLS in Juniper


Re: support of Inline Active flow monitoring on MS-MIC with Junos 14.2 and Junos traffic vision V9 only


Hi vvadivel,

Thanks for clarifying the difference between Inline active flow and active flow. 

One more question:

1. Once we implement inline active flow monitoring, which is in the PFE of the FPC, why do we use MS-MPC or MS-MIC for collecting the flows? The link below clearly mentions that using inline active flow monitoring will save you from using services cards.

 

https://www.juniper.net/documentation/en_US/junos/topics/concept/inline-sampling-overview.html

2. If a person wants to use MS-MPC/MS-MIC only for collecting flows, not for NATting or some other services, is it advisable to use MS-MPC/MS-MIC, or is the best option to use inline active flow monitoring using the PFE on the FPC?

3. Is it possible to configure active flow monitoring using MS-MIC-16G with Junos 14.2 with flow version 5 and flow version 8?

 

Looking forward to your kind reply. Thanks

Regards

Badar

 

Re: support of Inline Active flow monitoring on MS-MIC with Junos 14.2 and Junos traffic vision V9 only


badar28 wrote:

 

1. Once we implement inline active flow monitoring, which is in the PFE of the FPC, why do we use MS-MPC or MS-MIC for collecting the flows? The link below clearly mentions that using inline active flow monitoring will save you from using services cards.

 

https://www.juniper.net/documentation/en_US/junos/topics/concept/inline-sampling-overview.html

 

Ans. It depends on your requirement. Inline jflow can support a maximum of ~4 million flows, whereas MS-MPC can support up to ~30m.

 

2. If a person wants to use MS-MPC/MS-MIC only for collecting flows, not for NATting or some other services, is it advisable to use MS-MPC/MS-MIC, or is the best option to use inline active flow monitoring using the PFE on the FPC?

Ans. Again, it depends on the requirement. If you have a huge amount of traffic to sample, then it's good to use a service PIC.

 

3. Is it possible to configure active flow monitoring using MS-MIC-16G with Junos 14.2 with flow version 5 and flow version 8?

 

 Ans. Yes.

 

HTH

 

Re: ISIS Export Policies (Policy-Options)


Hi Rahul,

 

As always, your help is brilliant.....

 

There is a problem with the configuration supplied, or there is on my system anyway..... where you have said to set the NDRA, as follows:

 

set protocols router-advertisement interface $junos-interface-name prefix $junos-ipv6-ndra-prefix

 

It does not like this command because after the "prefix" command it is expecting an actual prefix or host name, so the error I get is as follows:

 

[edit protocols router-advertisement interface "$junos-interface-name"]
Clive@HEX-LNS-02# set prefix ?
Possible completions:
  <prefix>             Prefix to be advertised
[edit protocols router-advertisement interface "$junos-interface-name"]
Clive@HEX-LNS-02# set prefix $junos-ipv6-ndra-prefix
                             ^
invalid ip address or hostname: $junos-ipv6-ndra-prefix at '$junos-ipv6-ndra-prefix'

 

Is there a way around this issue please Rahul?

 

Also, is this a config for a statically assigned IPv6 address please?

 

Thanks

Re: ISIS Export Policies (Policy-Options)


Hi,

 

It should be configured under the dynamic-profile, not under the global protocols stanza, as shown below. You need to configure RA, else the subscriber will not come up.

 

LNS# show dynamic-profiles dyn-lns-profile | no-more
interfaces {
    "$junos-interface-ifd-name" {
        unit "$junos-interface-unit" {
            dial-options {
                l2tp-interface-id l2tp-encapsulation;
            }
            family inet {
                unnumbered-address "$junos-loopback-interface";
            }
            family inet6 {
                unnumbered-address "$junos-loopback-interface";
            }
        }
    }
}
protocols {
    router-advertisement {
        interface "$junos-interface-name" {
            prefix $junos-ipv6-ndra-prefix;
        }
    }
}

 

Regards,

Rahul

Re: ISIS Export Policies (Policy-Options)


Hi Rahul,

 

Many apologies. My error completely in mis-reading what you had written. I have now completed that configuration and will do some tests....

 

I think as we are supplying the customer with a CPE that is pre-configured.... as I mentioned, the interface facing us as an ISP will be IPv6 only. The interface that faces the customer will be IPv4 and IPv6..... so the test I need to complete is to ensure that an IPv6 only address can connect with an IPv4 only address on the other side of our ISP network.

 

I have dual stack IP's assigned to all the interfaces across the network, so I am hoping this will work.

I think we will also have to test the AAA server and its ability to deal with the IPv6 addressing, so I will be looking at the "framed-ipv6-prefix" attribute.... will update on here later...

 

Thank you

Re: ISIS Export Policies (Policy-Options)


Hi,

 

Just FYI.....

 

framed-ipv6-route is supported from 16.1. I would prefer latest 16.1R5 or 16.1R6

 

You also need to tune dynamic-profile configuration and add rib for IPv6

 

LNS# show dynamic-profiles
lns-client-profile {
    routing-instances {
        "$junos-routing-instance" {
            interface "$junos-interface-name";
            routing-options {
                rib "$junos-ipv6-rib" {
                    access {
                        route $junos-framed-route-ipv6-address-prefix {
                            qualified-next-hop "$junos-interface-name";
                            metric "$junos-framed-route-ipv6-cost";
                            preference "$junos-framed-route-ipv6-distance";
                            tag "$junos-framed-route-ipv6-tag";
                        }
                    }
                    access-internal {
                        route $junos-subscriber-ipv6-address {
                            qualified-next-hop "$junos-interface-name";
                        }
                    }
                }
                access {
                    route $junos-framed-route-ip-address-prefix {
                        qualified-next-hop "$junos-interface-name";
                        metric "$junos-framed-route-cost";
                        preference "$junos-framed-route-distance";
                    }
                }
                access-internal {
                    route $junos-subscriber-ip-address {
                        qualified-next-hop "$junos-interface-name";
                    }
                }
            }
        }
    }

 

Please read below KB in case of any queries.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB31778

 

Regards,

Rahul N

Re: ISIS Export Policies (Policy-Options)


Hi Rahul,

 

I have completed the configuration as you stated but still have no IPv6 connectivity, no tunnels, no authentication and no address assigned when looking at the PPP client.

 

I may be making an error on the client itself, but Cisco is not really telling me what should be configured on the PPP client. My configuration is as follows:

 

PPP Client: (Cisco 2691 (as IPv6 was required))

interface Serial0/0
 ip address negotiated
 encapsulation ppp
 clock rate 2000000
 ppp pap sent-username testuser@network.com password 0 testing123

 

Maybe NDRA needs configuring on there somewhere. This configuration works fine with IPv4 and an address is allocated when I complete the "show ip int brief" command. Obviously with IPv6 it is "show ipv6 int brief"......

 

LAC Config: (Cisco 2691):

vpdn enable
!
vpdn-group TESTNETWORK
 request-dialin
  protocol l2tp
  domain network.com
 initiate-to ip 195.80.0.29
 local name 21HEX
 l2tp tunnel password 7 071B245F5A001702464058

 

interface FastEthernet0/0
 ip address 195.80.0.30 255.255.255.252
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 encapsulation ppp
 serial restart-delay 0
 ppp authentication pap callin

 

And the Juniper LNS configuration:

Clive@HEX-LNS-02# show dynamic-profiles dyn-hex-lns-profile
routing-instances {
    "$junos-routing-instance" {
        interface "$junos-interface-name";
        routing-options {
            access {
                route $junos-framed-route-ip-address-prefix {
                    next-hop "$junos-framed-route-nexthop";
                    metric "$junos-framed-route-cost";
                    preference "$junos-framed-route-distance";
                }
            }
            access-internal {
                route $junos-subscriber-ip-address {
                    qualified-next-hop "$junos-interface-name";
                }
            }
        }
    }
}
interfaces {
    "$junos-interface-ifd-name" {
        unit "$junos-interface-unit" {
            dial-options {
                l2tp-interface-id l2tp-encapsulation;
                dedicated;
            }
            no-traps;
            family inet {
                unnumbered-address "$junos-loopback-interface";
            }
            family inet6 {
                unnumbered-address "$junos-loopback-interface";
            }
        }
    }
}
protocols {
    router-advertisement {
        interface "$junos-interface-name" {
            prefix $junos-ipv6-ndra-prefix;
        }
    }
}

services {
        ssh;
        subscriber-management {
            enable;

chassis {
    aggregated-devices {
        ethernet {
            device-count 2;
        }
    }
    fpc 1 {
        pic 2 {
            tunnel-services {
                bandwidth 1g;
            }
            inline-services {
                bandwidth 1g;
            }
            max-queues-per-interface 8;
        }
    }
    network-services enhanced-ip;

services {
    l2tp {
        tunnel-group LAC {
            l2tp-access-profile l2tp-profile;
            aaa-access-profile aaa-profile;
            local-gateway {
                address 195.80.0.29;
            }
            service-device-pool lns;
            dynamic-profile dyn-hex-lns-profile;
        }
        traceoptions {
            file ninel2tp size 100m;
            level all;
            flag all;
        }
    }
    service-device-pools {
        pool lns {
            interface si-1/2/0;

interfaces {
    ge-1/2/0 {
        gigether-options {
            802.3ad ae0;
        }
    }
    si-1/2/0 {
        hierarchical-scheduler maximum-hierarchy-levels 2;
        encapsulation generic-services;
        unit 0 {
            family inet;
            family inet6;

lo0 {
        unit 0 {
            family inet {
                address 195.80.0.253/32;
            }
            family iso {
                address 49.0001.2a05.0008.000e.00;
            }
            family inet6 {
                address 2a05:d840:0100:ffff:ffff:ffff:0000:0049/128;

access {
    group-profile l2tp-group-profile {
        ppp {
            idle-timeout 200;
            ppp-options {
                pap;
                mtu 1430;
            }
            keepalive 30;
            primary-dns 8.8.8.8;
            secondary-dns 8.8.4.4;
        }
    }
    profile l2tp-profile {
        client 21HEX {
            l2tp {
                maximum-sessions-per-tunnel 4000;
                interface-id l2tp-encapsulation;
                shared-secret "$9$uQmC0EyMWxdwgX7gJUH5T9Ap0RhylK8xN"; ## SECRET-DATA
            }
            user-group-profile l2tp-group-profile;
        }
    }
    profile aaa-profile {
        authentication-order radius;
        radius {
            authentication-server 172.16.16.36;
        }
        radius-server {
            172.16.16.36 secret "$9$NS-YoDjqfQnk.nCpBSy8X7-s2oJGiqm"; ## SECRET-DATA
        }
    }
    address-assignment {
        neighbor-discovery-router-advertisement POOL;
        pool POOL {
            family inet6 {
                prefix 2a05:d840:0100::/48;
                range lns {
                    low 2a05:d840:0100:ffff:ffff:ffff:0000:0001/48;
                    high 2a05:d840:0100:ffff:ffff:ffff:0000:0050/48;

 

Again, apologies for asking the questions, but I just cannot seem to get this working and feel that this may be down to the client now.... with the NDRA access?

 

Thanks very much Rahul

 

Clive

 

 

 


Re: ISIS Export Policies (Policy-Options)


Hi Clive,

 

I am not familiar with Cisco client configuration. Maybe you can try adding the knobs below and check once.

 

ipv6 address FE80::10 link-local
ipv6 address autoconfig default
ipv6 enable

 

Regards,

Rahul N

Re: as-path length unique ASN count

Re: ISIS Export Policies (Policy-Options)


Hi Rahul

 

Something is not right from the Cisco end, I think.

 

Let me show you how everything is connected (I am using certain things because of interface speeds):

 

Cisco 2691 (PPP Client) --> Cisco 2691 (LAC) --> Cisco 3750 (Because of required gig connectivity) -->MX240 (LNS)

 

So, when running wireshark tracing on the 3750 while IPv4 was used, I could see all the different packets traversing the links including the AAA Access-Accept.... This was good

 

Now I have changed it to IPv6 and monitoring the same port, all I see are the ping packets I am testing with and the odd CDP and that is it.... there is absolutely nothing coming across from the PPP Client or the LAC...... very strange...... I can see that there may be an issue with regards to IP, but if it is in a tunnel there should be no issue.... but the Client or the LAC is not, or does not appear to be, forwarding anything to the LNS.

Re: MX irb and SRX reth Issue


Hi,

I have my reth-count set and the minimum links set, reth2 interface is still down.

 

See the rest of my configuration:

 

MX

chassis {
    redundancy {
        routing-engine 0 master;
        routing-engine 1 backup;
        graceful-switchover;
    }
    aggregated-devices {
        ethernet {
            device-count 2;
        }
    }
    network-services enhanced-ip;
}
interfaces {
    ge-0/0/0 {
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/1/0 {
        encapsulation ethernet-bridge;
        unit 0 {
            family bridge;
        }
    }
    ge-1/0/1 {
        encapsulation ethernet-bridge;
        unit 0 {
            family bridge;
        }
    }
    ae0 {
        aggregated-ether-options {
            minimum-links 1;
        }
        unit 0 {
            family inet {
                address 169.254.254.6/30;
            }
        }
    }
    irb {
        mtu 1500;
        unit 0 {
            family inet {
                address 10.38.38.1/24;
            }
        }
    }
}
forwarding-options {
    sampling {
        input {
            rate 1024;
        }
        family inet {
            output {
                flow-server 10.3.8.7 {
                    port 2055;
                    source-address 10.1.3.1;
                    version 5;
                }
            }
        }
    }
}
routing-options {
    nonstop-routing;
    autonomous-system 40692;
}
bridge-domains {
    srx345 {
        domain-type bridge;
        vlan-id 100;
        interface ge-0/1/0.0;
        interface ge-1/0/1.0;
        routing-interface irb.0;
        bridge-options {
            interface ge-1/0/1.0;
        }
    }
}

SRX:

chassis {
    cluster {
        reth-count 5;
        redundancy-group 0 {
            node 0 priority 100;
            node 1 priority 1;
        }
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 1;
        }
        redundancy-group 2 {
            node 0 priority 100;
            node 1 priority 1;
        }
        redundancy-group 3 {
            node 0 priority 100;
            node 1 priority 1;
            interface-monitor {
                ge-0/0/5 weight 255;
                ge-5/0/5 weight 255;
            }
        }
    }
}
interfaces {
    ge-1/0/0 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-5/0/2;
            }
        }
    }
    lo0 {
        unit 1 {
            family inet {
                address 172.16.0.65/32;
            }
        }
    }
    reth2 {
        redundant-ether-options {
            redundancy-group 2;
            minimum-links 1;
        }
        unit 0 {
            family inet {
                address 10.38.38.65/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop 96.120.27.5;
            preference 1;
        }
    }
    router-id 172.16.0.65;
}
    policies {
        from-zone trust to-zone trust {
            policy any {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy trust-to-internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            idp;
                            utm-policy junos-av-policy;
                        }
                    }
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth2.0;
            }
        }

Thomas

Re: MX irb and SRX reth Issue


How many member interfaces are in the reth?

Can you use one interface from each node (even if the one from the other node is in a down state)?

Re: ISIS Export Policies (Policy-Options)


Hi Rahul,

 

Okay. An update.... I removed the IPv6 configuration and got IPv4 working again. I then re-configured IPv6 as you have mentioned and well, typically, it started working, kind of...

 

So, where am I now.... I am in the situation where the PPP Client Serial interface goes UP and then DOWN and then UP and then DOWN..... I think I know what this is given my experience a few days ago from IPv4 and that is authentication. 

 

Okay, I configured IPv6 on the SRX to RADIUS interface and also to the CORE interface. I have also configured an IPv6 address on the second RADIUS ethernet card. I have set, in RIB 6.0, the static route to the RADIUS and injected into IS-IS.

 

The ipv6 routes are advertised correctly by IS-IS throughout the network, however, although I can ping the SRX interface that faces the RADIUS, which is on the same network, I cannot ping the RADIUS. I believe this is because of, maybe, some policies stopping it, even though this is basic permit any any any at the moment.... any special IPv6 requirements on an SRX?

 

Thanks

 

Clive

Re: MX irb and SRX reth Issue


Only have one interface in the reth. 

 

My lab resources are limited (I only have one PIM) so I can't configure it for another node. I can move the PIM to the other node.


Re: support of Inline Active flow monitoring on MS-MIC with Junos 14.2 and Junos traffic vision V9 only


Hi Kingsman,

It is really helpful, and thanks for your response.

One more thing: can I have some Juniper documentation or some sample configurations which support the text below, which was actually question 3 from my last post and to which you replied YES?

"Active flow monitoring using MS-MIC-16G with Junos 14.2 with flow version 5 and flow version 8"

Last question: can we configure active flow monitoring using MS-MIC with Junos 14.2?

I will really appreciate your response. Thanks

Regards

Badar

Re: support of Inline Active flow monitoring on MS-MIC with Junos 14.2 and Junos traffic vision V9 only


Hi Badar,

 

Last question: can we configure active flow monitoring using MS-MIC with Junos 14.2?

Yes, we can configure the flow monitoring on 14.2 with ms-mic.

 

Thanks,
Vadivelan V

Re: ISIS Export Policies (Policy-Options)


Hi Clive,

 

Regarding the PPP client going up and down: how will authentication play a role here when the same is working fine for IPv4? Did you try setting authentication to none and check?

 

set access profile NONE authentication-order none

set access-profile NONE

 

For IPv6 routing, do you have a return route from the RADIUS, i.e. any default IPv6 route pointing to eth2?

Does tcpdump on eth2 show the ICMP packets reaching the RADIUS?

 

Regards,

Rahul

Re: ISIS Export Policies (Policy-Options)


Hi Rahul,

 

I shall try it with none, but it's weird.

 

From the LNS, I can ping the SRX interface that faces the RADIUS. It is on the same /48 prefix that the RADIUS interface is on. I cannot ping the RADIUS interface.

 

If I ping directly from the SRX, with no source, I can ping the RADIUS interface. If I use the source address of xe-0/0/16 (address where packets are arriving and exiting through the core) it does not ping. To check the gateway, I can ping from the RADIUS to the SRX interface.

 

The LNS is the furthest away from the RADIUS box and this is the resultant route:

 

2a05:d840:50::/48  *[IS-IS/15] 00:12:17, metric 30
                    > to fe80::4e16:fcff:fe20:7c0 via ae0.0

 

Results of ping to SRX Interface and RADIUS Interface:

 

SRX:

Clive@HEX-LNS-02# run ping inet6 2a05:d840:0050:ffff:ffff:ffff:0000:0003
PING6(56=40+8+8 bytes) 2a05:d840:8:ffff:ffff:ffff:0:e --> 2a05:d840:50:ffff:ffff:ffff:0:3
16 bytes from 2a05:d840:50:ffff:ffff:ffff:0:3, icmp_seq=0 hlim=63 time=416.218 ms
16 bytes from 2a05:d840:50:ffff:ffff:ffff:0:3, icmp_seq=1 hlim=63 time=0.794 ms
16 bytes from 2a05:d840:50:ffff:ffff:ffff:0:3, icmp_seq=2 hlim=63 time=0.787 ms
16 bytes from 2a05:d840:50:ffff:ffff:ffff:0:3, icmp_seq=3 hlim=63 time=0.751 ms
16 bytes from 2a05:d840:50:ffff:ffff:ffff:0:3, icmp_seq=4 hlim=63 time=0.740 ms
16 bytes from 2a05:d840:50:ffff:ffff:ffff:0:3, icmp_seq=5 hlim=63 time=5.873 ms

 

RADIUS:

Clive@HEX-LNS-02# run ping inet6 2a05:d840:0050:ffff:ffff:ffff:0000:0002
PING6(56=40+8+8 bytes) 2a05:d840:8:ffff:ffff:ffff:0:e --> 2a05:d840:50:ffff:ffff:ffff:0:2
^C
--- 2a05:d840:0050:ffff:ffff:ffff:0000:0002 ping6 statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

 

From SRX to RADIUS:

Clive@HEX-SRX-02# run ping inet6 2a05:d840:0050:ffff:ffff:ffff:0000:0002
PING6(56=40+8+8 bytes) 2a05:d840:50:ffff:ffff:ffff:0:3 --> 2a05:d840:50:ffff:ffff:ffff:0:2
16 bytes from 2a05:d840:50:ffff:ffff:ffff:0:2, icmp_seq=0 hlim=64 time=0.869 ms
16 bytes from 2a05:d840:50:ffff:ffff:ffff:0:2, icmp_seq=1 hlim=64 time=0.639 ms
16 bytes from 2a05:d840:50:ffff:ffff:ffff:0:2, icmp_seq=2 hlim=64 time=0.745 ms

 

As you can see, that is strange..... what's even more weird is the routing. Look at the routes from the LNS to the SRX and the RADIUS (should take the same hops):

 

To RADIUS interface:

Clive@HEX-SRX-02# run traceroute 2a05:d840:0050:ffff:ffff:ffff:0000:0002
traceroute6 to 2a05:d840:0050:ffff:ffff:ffff:0000:0002 (2a05:d840:50:ffff:ffff:ffff:0:2) from 2a05:d840:8:ffff:ffff:ffff:0:e, 64 hops max, 12 byte packets
 1  2a05:d840:8:ffff:ffff:ffff:0:10 (2a05:d840:8:ffff:ffff:ffff:0:10)  0.787 ms  0.546 ms  0.554 ms
 2  2a05:d840:40:ffff:ffff:ffff:0:1 (2a05:d840:40:ffff:ffff:ffff:0:1)  0.535 ms  0.500 ms  0.468 ms
 3  * * *

 

And to the SRX interface:

Clive@HEX-LNS-02# run traceroute 2a05:d840:0050:ffff:ffff:ffff:0000:0003
traceroute6 to 2a05:d840:0050:ffff:ffff:ffff:0000:0003 (2a05:d840:50:ffff:ffff:ffff:0:3) from 2a05:d840:8:ffff:ffff:ffff:0:e, 64 hops max, 12 byte packets
 1  2a05:d840:8:ffff:ffff:ffff:0:10 (2a05:d840:8:ffff:ffff:ffff:0:10)  0.905 ms  0.554 ms  0.549 ms
 2  2a05:d840:50:ffff:ffff:ffff:0:3 (2a05:d840:50:ffff:ffff:ffff:0:3)  1.039 ms  0.904 ms  0.849 ms

 

I'll do some more investigating and will let you know.


Thanks Rahul

 

Clive
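
Rahul's return-route question can be tested against the ping results above. The following is an added example, not code from any poster: it models the RADIUS host's routing table and shows which echo sources it could answer. The /48 prefix length on em2 and both routing tables are assumptions, since the thread never shows the RADIUS host's configuration; the xe-0/0/16 address is the one that appears as hop 2 in the traceroute.

```python
import ipaddress

# Constructed model of the RADIUS host's em2 interface. The address is the one
# pinged in the thread; the /48 length and the routing tables are assumptions.
RADIUS_EM2 = "2a05:d840:50:ffff:ffff:ffff:0:2/48"
SRX_GE002 = "2a05:d840:50:ffff:ffff:ffff:0:3"  # SRX ge-0/0/2, same segment

# Echo-request source addresses used in the thread's ping tests.
PING_SOURCES = {
    "LNS": "2a05:d840:8:ffff:ffff:ffff:0:e",
    "SRX ge-0/0/2": "2a05:d840:50:ffff:ffff:ffff:0:3",
    "SRX xe-0/0/16": "2a05:d840:40:ffff:ffff:ffff:0:1",
}


def host_routes(interface_cidr, default_gateway=None):
    """Build a host routing table: the connected prefix plus an optional default."""
    iface = ipaddress.ip_interface(interface_cidr)
    routes = [(iface.network, None)]  # None means on-link, no gateway needed
    if default_gateway is not None:
        routes.append((ipaddress.ip_network("::/0"), default_gateway))
    return routes


def return_path(routes, echo_source):
    """Longest-prefix match for the echo reply, whose destination is the ping source."""
    dst = ipaddress.ip_address(echo_source)
    matches = [(net, gw) for net, gw in routes
               if net.version == dst.version and dst in net]
    if not matches:
        return "no route"
    _, gw = max(matches, key=lambda m: m[0].prefixlen)
    return "on-link" if gw is None else f"via {gw}"


def predict(routes):
    """Map each ping source in the thread to the path its reply would take."""
    return {name: return_path(routes, src) for name, src in PING_SOURCES.items()}


if __name__ == "__main__":
    cases = (("connected /48 only", None), ("default route via SRX", SRX_GE002))
    for label, gateway in cases:
        print(label)
        for name, path in predict(host_routes(RADIUS_EM2, gateway)).items():
            print(f"  reply to {name:<14} -> {path}")
```

With only the connected /48, the model reproduces the pattern reported in the thread: a reply is possible to the on-segment SRX address and to neither of the off-segment sources.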

Re: ISIS Export Policies (Policy-Options)


Hi Rahul,

 

Apologies for questions.... I am missing something somewhere and cannot see the wood for the trees:

 

MX240(LNS) (int ae0) --> (int ae0) MX240(CORE) (xe-1/2/9) --> (int xe-0/0/16) SRX1500 (Int ge-0/0/2) --> (int em2) RADIUS

 

On the LNS, I can see the route for the IPv6 network at the RADIUS in IS-IS as expected. On the SRX I have set up a static route in inet6.0 RIB and am redistributing into IS-IS. 

 

From the LNS I can ping the SRX Interface ge-0/0/2, which is on the same network as int em2 on the RADIUS and, as mentioned, the network is advertised on the SRX and the next-hop is the ge-0/0/2 interface.

I cannot ping the em2 interface from the LNS.

 

I have enabled IPv6 flow-based mode on the SRX and therefore the SRX should be forwarding packets. I will try and set up a different system off the ge-0/0/2 port and see if the RADIUS is causing the issue, but for now, here is the SRX basic config. Please can you let me know if there is something obvious that is wrong.

 

Thanks Rahul

 

Clive

 

SRX Config:

Clive@HEX-SRX-02# run show configuration | display set
set version 15.1X49-D110.4
set system host-name HEX-SRX-02
set system time-zone GMT
set system root-authentication encrypted-password "$5$qLsCZZS8$z.eXq.iH9bq7jaEylLsrM4uvwzoqWhsnroIjEZNWs6C"
set system name-server 208.67.222.222
set system name-server 208.67.222.220
set system login user Clive uid 2000
set system login user Clive class super-user
set system login user Clive authentication encrypted-password "$5$h/zFGlrV$dCjgDP2H9Y.ATAsS8TL9syhNNZKiygL0JdU8vIDVWsD"
set system login user Jim uid 2002
set system login user Jim class super-user
set system login user Jim authentication encrypted-password "$5$.KlIEL5y$uXd.LxHmgsJnTfMGXXRsvw2w9JrNLMaLlJq.VZ/e2v2"
set system login user Lee uid 2004
set system login user Lee class super-user
set system login user Lee authentication encrypted-password "$5$/aIRta9Q$tj4CeZBzHmEcRPWBw7brNlSE.rwI953jZjWQrtS3jH/"
set system login user Oliver uid 2001
set system login user Oliver class super-user
set system login user Oliver authentication encrypted-password "$5$.1Lb5XCf$.xjkLRhzVXSXtnLsITPB9w.uDNy0why7SKCOnWW/M52"
set system login user Stephen uid 2003
set system login user Stephen class super-user
set system login user Stephen authentication encrypted-password "$5$BXCsVaI6$90FkTRFCJVHnF9u005UL61lU3UBBe2NjNDawHzjgZn7"
set system services ssh
set system services xnm-clear-text
set system services dhcp-local-server group jdhcp-group interface ge-0/0/1.0
set system services web-management http interface fxp0.0
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system max-configurations-on-flash 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security forwarding-options family inet6 mode flow-based
set security forwarding-options family iso mode packet-based
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services traceroute
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone trust interfaces ge-0/0/3.0
set security zones security-zone trust interfaces xe-0/0/16.0
set security zones security-zone trust interfaces xe-0/0/17.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
set interfaces ge-0/0/0 enable
set interfaces ge-0/0/0 unit 0 family inet dhcp-client
set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
set interfaces ge-0/0/2 unit 0 family inet address 172.16.16.40/24
set interfaces ge-0/0/2 unit 0 family iso
set interfaces ge-0/0/2 unit 0 family inet6 address 2a05:d840:0050:ffff:ffff:ffff:0000:0003/48
set interfaces ge-0/0/3 unit 0 family inet address 192.168.4.1/24
set interfaces xe-0/0/16 unit 0 family inet address 195.80.0.33/30
set interfaces xe-0/0/16 unit 0 family iso
set interfaces xe-0/0/16 unit 0 family inet6 address 2a05:d840:0040:ffff:ffff:ffff:0000:0001/48
set interfaces xe-0/0/17 unit 0 family inet address 192.168.5.1/24
set interfaces fxp0 unit 0 family inet address 185.89.120.11/24
set interfaces lo0 unit 0 family inet address 195.80.0.250/32
set interfaces lo0 unit 0 family iso address 49.0001.1958.0001.2500.00
set routing-options rib inet6.0 static route 2a05:d840:50::/48 next-hop 2a05:d840:0050:ffff:ffff:ffff:0000:0003
set routing-options static route 172.16.16.0/24 next-hop 172.16.16.40
set protocols isis traceoptions file isisdebug
set protocols isis traceoptions flag hello detail
set protocols isis export export_statics
set protocols isis level 1 authentication-key "$9$3zJMnA0B1hrK8Rh2aUH5TRhSylM"
set protocols isis level 1 authentication-type md5
set protocols isis level 2 authentication-key "$9$XNrxVYg4ZjkPaZA0IcvMaZUDi."
set protocols isis level 2 authentication-type md5
set protocols isis interface ge-0/0/2.0
set protocols isis interface xe-0/0/16.0
set protocols isis interface lo0.0 passive
set policy-options policy-statement export_statics term 1 from protocol static
set policy-options policy-statement export_statics term 1 then accept
set access address-assignment pool junosDHCPPool family inet network 192.168.2.0/24
set access address-assignment pool junosDHCPPool family inet range junosRange low 192.168.2.2
set access address-assignment pool junosDHCPPool family inet range junosRange high 192.168.2.254

 
