Channel: All Routing posts

Re: Juniper MX-series equivalent Cisco route-map




I think I found the answer to my question:
https://www.juniper.net/documentation/en_US/junos/topics/concept/policy-bgp-communities-extended-communities-match-conditions-overview.html

namely:
You can configure BGP large community at the [edit policy-options community community-name members] and [edit routing-options static route ip-address community] hierarchy levels. The BGP large community attributes format has four fields: large:global administrator:assigned number:assigned number.

I did so:

static {
    route X.X.X.X/20 {
        discard;
        community [ YYYYY:0 YYYYY:10 YYYYY:100 YYYYY:150 ];
    }
    route Z.Z.Z.Z/22 {
        discard;
        community [ YYYYY:0 YYYYY:10 YYYYY:100 YYYYY:150 ];
    }
}




Re: EVPN-VXLAN : Cannot get DHCP ip when DHCP server in other DC?


Hi all,

 

Below is the flow session on the firewall. The security policy zone-to-zone is permit all.

 

 


{primary:node0}[edit]
root@SRX-Lab01# ...session destination-prefix 192.168.201.10
node0:
--------------------------------------------------------------------------

Session ID: 7697, Policy name: DC2-Tenant3-Tenant4/12, State: Active, Timeout: 56, Valid
In: 192.168.221.2/67 --> 192.168.201.10/67;udp, Conn Tag: 0x0, If: reth1.993, Pkts: 12, Bytes: 4188,
Out: 192.168.201.10/67 --> 192.168.221.2/67;udp, Conn Tag: 0x0, If: reth1.991, Pkts: 0, Bytes: 0,
Total sessions: 1
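
A small parser for the flow session output in the post above, flagging sessions where the firewall counted packets on the In wing and none on the Out (reply) wing, as in session 7697. This is an added example, not part of the original post; the function names are illustrative and the regexes assume the line layout shown above.

```python
import re

# Sample copied from the flow session output in the post above.
SAMPLE = """\
Session ID: 7697, Policy name: DC2-Tenant3-Tenant4/12, State: Active, Timeout: 56, Valid
In: 192.168.221.2/67 --> 192.168.201.10/67;udp, Conn Tag: 0x0, If: reth1.993, Pkts: 12, Bytes: 4188,
Out: 192.168.201.10/67 --> 192.168.221.2/67;udp, Conn Tag: 0x0, If: reth1.991, Pkts: 0, Bytes: 0,
Total sessions: 1
"""

HEADER = re.compile(r"Session ID: (\d+), Policy name: ([^,]+),")
WING = re.compile(
    r"(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+),.*?"
    r"If: (\S+), Pkts: (\d+), Bytes: (\d+)"
)


def parse_sessions(text):
    """Return one dict per session with its In and Out wings."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        head = HEADER.match(line)
        if head:
            sessions.append({"id": int(head.group(1)),
                             "policy": head.group(2), "wings": {}})
            continue
        wing = WING.match(line)
        if wing and sessions:
            name, src, sport, dst, dport, proto, ifname, pkts, size = wing.groups()
            sessions[-1]["wings"][name] = {
                "src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
                "proto": proto, "if": ifname,
                "pkts": int(pkts), "bytes": int(size),
            }
    return sessions


def one_way_sessions(sessions):
    """Sessions whose In wing carried packets while the Out wing counted none."""
    flagged = []
    for s in sessions:
        w_in, w_out = s["wings"].get("In"), s["wings"].get("Out")
        if w_in and w_out and w_in["pkts"] > 0 and w_out["pkts"] == 0:
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    for s in one_way_sessions(parse_sessions(SAMPLE)):
        w = s["wings"]
        print(f"session {s['id']} ({s['policy']}): {w['In']['pkts']} pkts in on "
              f"{w['In']['if']}, 0 pkts back on {w['Out']['if']}")
```
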

Re: NAT Problem on MX480 MS-DPC


Fixed.

The problem is that PPPoE and NAT (on MS-DPC) work only on 13.3.
Maybe another solution can be found, but I managed to start it in this way.

 

Thanks,

Configuring the VLAN-Aware Centrally-Routed Bridging Overlay with Virtual Switches on a Spine Device?


Hi all,

 

I'm reading the URL below and have some questions:

https://www.juniper.net/documentation/en_US/release-independent/solutions/topics/task/configuration/centrally-routed-overlay-cloud-dc-configuring.html#vlan-aware-cro-virtual-switch

 

Under the title "Configuring the VLAN-Aware Centrally-Routed Bridging Overlay with Virtual Switches on a Spine Device", may I know why we need to put "vlan-id none"? Is it supposed to need a vlan-id value? Or is it by design that there is no need to assign a VLAN when choosing the "virtual switch" method? I would appreciate someone's feedback.

 

set routing-instances VS1 vlans VNI_90000 vlan-id none
set routing-instances VS1 vlans VNI_90000 l3-interface irb.900
set routing-instances VS1 vlans VNI_90000 vxlan vni 90000
set routing-instances VS1 vlans VNI_100000 vlan-id none
set routing-instances VS1 vlans VNI_100000 l3-interface irb.1000
set routing-instances VS1 vlans VNI_100000 vxlan vni 100000

Re: Configuring the VLAN-Aware Centrally-Routed Bridging Overlay with Virtual Switches on a Spine Device?


Hi

 

I believe vlan-id none is used for the VLAN translation in the newer 17.3 and later for VLAN-aware services. You can get more information in the link below.

 

https://www.juniper.net/documentation/en_US/junos/topics/example/evpn-based-services.html

 

Starting with Junos OS Release 17.3R1, VLAN-based service with VID translation as described in RFC 7432 is supported. This means that Junos supports VID translation and the customer can have a different VID for each VLAN. As described in the RFC, the VID translation must be performed at the egress PE device while the MPLS encapsulated frames should also retain the originating VID. Figure 2 illustrates a topology where CE devices use different CE-VIDs for single VLAN-based EVI.

Figure 2: Multiple VIDs with VLAN Translation

For more information on configuring VLAN-based service, see Configuring EVPN with VLAN-Based Service.

The following is a sample configuration for a single VLAN-based EVI. The same VID is used on all the PE devices, so VLAN translation is not required. In this example, the VLAN-id=none statement is included to remove the originating VID and to set the Ethernet tag ID to zero in the MPLS frame.

 

Hope this helps

Re: determining Layer 3 functionalities


The command 

show route

 

will display all routes from all protocols in all routing tables on the device, and each route will show which protocol the route was learned from.

 

Routing instances and vrf all create a separate routing table and each will be displayed separately with the name of the instance or vrf.

 

ospf and ebgp


Hi all,

In terms of OSPF and eBGP, they are peering to different ISP(s). Each protocol has two links as primary and backup (standby). The question is how can we make the eBGP links primary and the OSPF links secondary? I know the default eBGP preference is 170, which is higher than OSPF, which is 10.

Is this a good idea, what do you think? Any best practice for this situation?

 

Th

Ar.


PTX10003 as LSR


Hello,

 

I would like to know if I can use a PTX10003-80C-DC router with STD license as an LSR router.
Can that license do CCC, MPLS RSVP, and LDP?

 

Thank you,

 

Javier Rodriguez.

Re: PTX10003 as LSR


Hi, from this doc, for rsvp and Layer 2 circuit you need "Advanced 2 Features License"

packet loss


Hi all,

I have a lab for practising routing protocols... One of the resources I have read says "....because your case is suspecting saturation and packet loss on the public peer's network interface facing.... ". I know what packet loss is and can also guess the meaning of saturation etc.... But I would like to ask what "saturation" exactly means. Can anyone explain and give some examples from real-world cases?

 

Th

A

Re: packet loss


Hi Arix, 

 

I would think that the context of this is regarding the saturation and packet loss on the interface. It probably means the interface is running around its capacity and hence may see packet loss. For example, if an interface is 10Gig and you can see traffic around 9 Gig or so on that interface, then it would mean it is almost saturated and may result in packet loss in case the traffic increases.

 

Hope this helps.

Re: ospf and ebgp


I don't think I understand your topology and question.  Clearly you are not connecting OSPF to an ISP.  How are the links set up with the two ISP eBGP sessions, and where are the OSPF internal links that cause the undesired route path?

 

Also, what type of route table are you receiving from your ISP: full, partial (how many) or just default route?

 

If you are trying to load balance both ISP and get full or very large partial tables you typically do not want to push these into ospf for efficiency reasons but just use the default to get the internet traffic up to the routers that hold the large tables making the ISP choice. 

 

But this won't matter if your ISPs are setup as a simple primary and failover where default and failover is all you need to accomplish.

 

Once your topology and routing goals are understood, we can discuss the appropriate methods to make sure outbound internet traffic routes per your goals.

 

Re: ospf and ebgp


Hi Arix,

 

You can use the route preference option to have one route as the primary and the other as a back-up.

 

However, it will be great if you can clarify the need to peer with one ISP over OSPF?

 

-Vishal

PS: Please accept my response as solution if it answers your query, kudos are appreciated too!


Re: dns lookup traffic


Hello Arix,

 

Is this question regarding SRX, EX or MX-Series platform? 

 

If this relies on SRX:

 

Please consider that Junos OS denies IP fragments on a security zone and blocks all IP packet fragments that are received at interfaces bound to that zone.
So basically the SRX is responding against an IP fragment packet that reaches to the reth0.0 interface, in case you are receiving these packets in this interface there is no way to control since this is ISP traffic.
 
Configuration Example:
# show security screen
ids-option untrust-screen {
    icmp {
        large;
        ping-death;
    }
    ip {
        bad-option;
        record-route-option;
        timestamp-option;
        security-option;
        stream-option;
        spoofing;
        source-route-option;
        loose-source-route-option;
        strict-source-route-option;
        unknown-protocol;
        block-frag;
        tear-drop;
    }
}

Example Output
Screen statistics:
IDS attack type                              Statistics
    IP block fragment                          580620
 
 
Reference:
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-introduction-to-adp.html

 

Best Regards,

Allan Quiros

Re: Changing next-hops of aggregated routes, when importing from one routing-instance to another


Hello Nellikka,

 

Thanks for answering my question. I will try using generate route in the lab; however, I doubt that it may help. As a matter of fact, those next-hops to /32 prefixes are not the same, as I have several bgp-sessions and a corresponding number of next-hops. So, if I use generate route to /24, it'd choose just one of those next-hops as primary next-hop to the whole /24 prefix. This may lead to incorrect traffic forwarding. That's why I need to change the next-hop to "next-table" instead of a particular IP. Thus, when we receive a packet on an interface associated with routing-instance B, which has its IP destination within one of those /32 prefixes, the router would look for its next-hop in table A.inet.0. Meanwhile, in table B.inet.0 we'd have just one route X.X.X.0/24 (with next-hop in table A.inet.0).

 

Is it possible at all?

 

Regards,

Tima K

Re: dns lookup traffic


If you have both ISPs in the same zone, then the policy that allows the DNS request will still match and permit the traffic even if the request egresses on ISP 1 and returns on ISP 2.

 

Top 10 talk


Hi all,

When utilization occurs, with other vendors people often get the top 10 IP (source & destination) talkers on a specific interface, network or device....

How can we do this on devices running JUNOS?

Any ideas or examples?

 

Thanks

A. 
