What errors do you get when you attempt to browse a website? Be specific. Share a screenshot if necessary. Check DNS, other AV, and network connectivity: can you ping the site by IP/DNS, try accessing it by IP, etc. It would seem to me like the Websense does not have Internet access. Or it may be the zone-related security policies. Which zone is the Websense in? Do you have a policy (generic) that allows bi-directional communication between the client PC and the Websense zone?
Re: Source Based - Routing
The error is "Page cannot be displayed".
I tried to trace from the PC to google.com but it didn't get past the first hop.
The Websense has Internet connectivity since I'm able to ping and trace from the device.
The Websense is located under my Server Zone and has a bidirectional policy:
From the PC to the Websense
From the Websense to the PC
Subscriber Management with DHCP Relay not working inside Routing-Instance!
Hi All
I am trying to configure Subscriber Management on Juniper MX with DHCP Relay inside a routing instance, but it's not working for my setup.
Below is the configuration of the interface, dynamic profile and DHCP relay which I am using.
I am unable to see any DHCP Discover packets at all with this config. ge-1/0/7.0 is the interface connected to the DHCP server.
xxxx@MX80# show interfaces ge-1/1/9
flexible-vlan-tagging;
auto-configure {
    vlan-ranges {
        dynamic-profile VLAN-PROF-Test-RI {
            accept any;
            ranges {
                any;
            }
        }
    }
    remove-when-no-subscribers;
}
[edit]
xxxx@MX80# show dynamic-profiles VLAN-PROF-Test-RI
routing-instances {
    "$junos-routing-instance" {
        interface "$junos-interface-name";
    }
}
interfaces {
    "$junos-interface-ifd-name" {
        unit "$junos-interface-unit" {
            proxy-arp;
            vlan-id "$junos-vlan-id";
            family inet {
                mac-validate strict;
                unnumbered-address "$junos-loopback-interface" preferred-source-address "$junos-preferred-source-address";
            }
        }
    }
}
xxxx@MX80# show interfaces lo0.2
family inet {
    address 192.168.1.1/32;
}
xxxx@MX80# show routing-instances VRF-Internet
instance-type vrf;
access-profile DHCP;
interface lt-0/0/0.701;
interface ge-1/0/7.0;
interface lo0.2;
interface ps119.0;
route-distinguisher 65001:1;
vrf-import Internet-import;
vrf-export Internet-export;
vrf-table-label;
routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.16.1.1;
        route 10.61.20.12/32 next-hop 172.16.1.1;
    }
}
forwarding-options {
    dhcp-relay {
        server-group {
            Retailer1 {
                172.16.1.1;
            }
        }
        group Retailer3 {
            active-server-group Retailer1;
            authentication {
                username-include {
                    mac-address;
                }
            }
            interface ge-1/1/9.0;
        }
    }
}
protocols {
    ospf {
        export Export_All_OSPF_VRF;
        area 0.0.0.7 {
            interface lt-0/0/0.701;
        }
    }
}
[edit]
xxxx@MX80#
xxxx@MX80# show access profile DHCP
authentication-order none;
[edit]
xxxx@MX80#
x.x.x.@MX80# show interfaces ge-1/0/7
unit 0 {
    family inet {
        address 172.16.1.2/30;
    }
}
[edit]
x.x.x@MX80#
Re: Source Based - Routing
>show route table <routing-instance.inet.0>
>ping google.com routing-instance
>ping pc routing-instance
Can you show the relevant snippet of the security configuration? Sanitize it as best as you can.
Re: Source Based - Routing
Double check the rib group and the interface routes. These are symptoms that the main routing table routes are not visible to the forwarding routing instance.
Forwarding table policy not working on MX
I am trying to forward traffic down a secondary LSP based on community. This works well in one direction but not the other.
On the side that works, the route is imported into a VRF with the community attached. A policy is applied to the forwarding table under 'edit routing-options forwarding-table export' matching against the community and sending the traffic down the statically configured LSP.
On the side that does not work, the route is imported and the community is added as part of the VRF import policy. When applying a similar policy on this router the route is not matched. It appears that the policy is using the route in bgp.l3vpn.0 before the community is attached to the route, rather than the one in the vrf1.inet.0 table.
I thought that maybe this is happening because I am applying the policy within the master routing instance, but I am unable to apply the policy within the VRF, i.e. 'edit routing-instance vrf1 routing-options forwarding-table', as the export command is not available despite the below link saying it is.
I am not sure this is going to resolve the issue anyway.
I am running 13.3R9.13 on MX480.
Any help greatly appreciated.
L2VPN in OR state.
Hi Experts,
I'm trying to establish an l2vpn connection using BGP signalling and the l2vpn is stuck in OR state. Can you please let me know what I'm doing wrong in the configuration part?
root@PE1# run show l2vpn connections
Layer-2 VPN connections:
Legend for connection status (St)
EI -- encapsulation invalid       NC -- interface encapsulation not CCC/TCC/VPLS
EM -- encapsulation mismatch      WE -- interface and instance encaps not same
VC-Dn -- Virtual circuit down     NP -- interface hardware not present
CM -- control-word mismatch       -> -- only outbound connection is up
CN -- circuit not provisioned     <- -- only inbound connection is up
OR -- out of range                Up -- operational
OL -- no outgoing label           Dn -- down
LD -- local site signaled down    CF -- call admission control failure
RD -- remote site signaled down   SC -- local and remote site ID collision
LN -- local site not designated   LM -- local site ID not minimum designated
RN -- remote site not designated  RM -- remote site ID not minimum designated
XX -- unknown connection status   IL -- no incoming label
MM -- MTU mismatch                MI -- Mesh-Group ID not available
BK -- Backup connection           ST -- Standby connection
PF -- Profile parse failure       PB -- Profile busy
RS -- remote site standby         SN -- Static Neighbor
LB -- Local site not best-site    RB -- Remote site not best-site
VM -- VLAN ID mismatch
Legend for interface status
Up -- operational
Dn -- down
Instance: L2VPN
  Local site: CUST-5 (5)
    connection-site           Type  St     Time last up          # Up trans
    6                         rmt   OR
root@PE2# run show l2vpn connections
Layer-2 VPN connections:
Legend for connection status (St)
EI -- encapsulation invalid       NC -- interface encapsulation not CCC/TCC/VPLS
EM -- encapsulation mismatch      WE -- interface and instance encaps not same
VC-Dn -- Virtual circuit down     NP -- interface hardware not present
CM -- control-word mismatch       -> -- only outbound connection is up
CN -- circuit not provisioned     <- -- only inbound connection is up
OR -- out of range                Up -- operational
OL -- no outgoing label           Dn -- down
LD -- local site signaled down    CF -- call admission control failure
RD -- remote site signaled down   SC -- local and remote site ID collision
LN -- local site not designated   LM -- local site ID not minimum designated
RN -- remote site not designated  RM -- remote site ID not minimum designated
XX -- unknown connection status   IL -- no incoming label
MM -- MTU mismatch                MI -- Mesh-Group ID not available
BK -- Backup connection           ST -- Standby connection
PF -- Profile parse failure       PB -- Profile busy
RS -- remote site standby         SN -- Static Neighbor
LB -- Local site not best-site    RB -- Remote site not best-site
VM -- VLAN ID mismatch
Legend for interface status
Up -- operational
Dn -- down
Instance: L2VPN
  Local site: CUST-6 (6)
    connection-site           Type  St     Time last up          # Up trans
    5                         rmt   OR
PE1 Config
root@PE1# edit routing-instances L2VPN
[edit routing-instances L2VPN]
root@PE1# show
instance-type l2vpn;
interface ge-0/0/1.12;
route-distinguisher 11.11.11.11:1;
vrf-target target:200:300;
protocols {
    l2vpn {
        encapsulation-type ethernet-vlan;
        site CUST-5 {
            site-identifier 5;
            interface ge-0/0/1.12;
        }
    }
}
PE2 config
[edit routing-instances L2VPN]
root@PE2# show
instance-type l2vpn;
interface ge-0/0/3.12;
route-distinguisher 22.22.22.22:1;
vrf-target target:200:300;
protocols {
    l2vpn {
        encapsulation-type ethernet-vlan;
        site CUST-6 {
            site-identifier 6;
            interface ge-0/0/3.12;
        }
    }
}
CE5 config
root@CE5# run show configuration interfaces
ge-0/0/1 {
    flexible-vlan-tagging;
    encapsulation flexible-ethernet-services;
    unit 12 {
        vlan-id 12;
        family inet {
            address 12.12.12.5/24;
        }
    }
    unit 660 {
        vlan-id 660;
        family inet {
            address 192.168.1.5/24;
        }
    }
}
lo0 {
    unit 0 {
        family inet {
            address 5.5.5.5/32;
        }
    }
}
CE6 Config
root@CE6# run show configuration interfaces
ge-0/0/1 {
    flexible-vlan-tagging;
    encapsulation flexible-ethernet-services;
    unit 12 {
        vlan-id 12;
        family inet {
            address 12.12.12.6/24;
        }
    }
    unit 660 {
        vlan-id 660;
        family inet {
            address 192.168.1.6/24;
        }
    }
}
lo0 {
    unit 0 {
        family inet {
            address 6.6.6.6/32;
        }
    }
}
Any suggestion would be highly appreciated.
Thanks,
Jay
Re: Source Based - Routing
This is my rib group. I do not see anything wrong.
routing-options {
    interface-routes {
        rib-group inet Content_Filter;
    }
    static {
        route 0.0.0.0/0 next-hop 10.154.0.74;
    }
    rib-groups {
        Content_Filter {
            import-rib [ inet.0 Content_Filter_Instance.inet.0 ];
        }
    }
}
What I did differently is that I applied it to the VLAN instead of to the interface:
unit 125 {
    vlan-id 125;
    family inet {
        filter {
            input Content_Filter;
        }
        address 10.154.25.1/24;
    }
}
And this is the interface:
interfaces {
    reth0.125 {
        host-inbound-traffic {
            system-services {
                bootp;
            }
        }
    }
}
Re: L2VPN in OR state.
Try setting remote-site-id.
Netflow data under UDP Flooding Attack
Hi,
I have an M320 router and configured netflow to export the flow data for troubleshooting.
I just found that, during a UDP flooding attack, the incoming traffic from the ISP GE interface reached the limit (1000Mbps). But the volume of flow data decreased a lot during the incident.
From the flow data, the attack was sending a lot of fragmented packets from different Internet source IPs to a single IP. The fragmented packets have no SRC-Port / DST-Port information.
Here is my netflow configuration in forwarding-options. Do you have any idea why the netflow data decreased a lot during the attack?
sampling {
    input {
        rate 500;
    }
    family inet {
        output {
            file filename netflow-log files 10 size 5m;
            flow-server AA.BB.CC.134 {
                port 2055;
                version 5;
            }
            flow-server AA.BB.CC.15 {
                port 9800;
                version 5;
            }
        }
    }
}
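Added example (editor's code, not from the post): a parser for the NetFlow v5 datagrams the flow-server lines above receive, with a check that groups port-less UDP flows by destination so a fragment flood to a single host stands out even at 1:500 sampling. The datagram is constructed here; the assumption that the exporter puts the sampling rate into the v5 header's sampling-interval field is the editor's.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

HDR = struct.Struct("!HHIIIIBBH")             # NetFlow v5 header: 24 bytes
REC = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # NetFlow v5 flow record: 48 bytes

def parse_v5(datagram):
    """Return (sampling interval, list of flow dicts) for one v5 export packet."""
    ver, count, _, _, _, _, _, _, samp = HDR.unpack_from(datagram, 0)
    if ver != 5:
        raise ValueError("not NetFlow v5")
    interval = samp & 0x3FFF   # low 14 bits carry the 1:N packet sampling rate (assumed filled)
    flows = []
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        flows.append({"src": IPv4Address(f[0]), "dst": IPv4Address(f[1]),
                      "pkts": f[5], "sport": f[9], "dport": f[10], "proto": f[13]})
    return interval, flows

def fragment_flood_targets(flows, interval, min_sources=3):
    """Group UDP flows that carry no L4 ports (the way the fragments in the post
    show up) by destination and report hosts hit from many sources, with the
    sampled packet count scaled back up by the sampling interval."""
    by_dst = defaultdict(lambda: [set(), 0])
    for f in flows:
        if f["proto"] == 17 and f["sport"] == 0 and f["dport"] == 0:
            by_dst[f["dst"]][0].add(f["src"])
            by_dst[f["dst"]][1] += f["pkts"] * interval
    return {str(d): (len(srcs), pkts) for d, (srcs, pkts) in by_dst.items()
            if len(srcs) >= min_sources}

def record(src, dst, pkts, sport, dport, proto):
    """Build one v5 record for the constructed sample (counters mostly zeroed)."""
    return REC.pack(int(IPv4Address(src)), int(IPv4Address(dst)), 0, 1, 2,
                    pkts, pkts * 1400, 0, 0, sport, dport, 0, 0, proto, 0,
                    0, 0, 24, 24, 0)

# Constructed export datagram: rate 500 as in the config above, one ordinary
# HTTPS flow and four port-less UDP flows from different sources to one host.
SAMPLE = HDR.pack(5, 5, 0, 0, 0, 0, 0, 0, 500) + b"".join([
    record("198.51.100.7", "203.0.113.10", 3, 51234, 443, 6),
    record("192.0.2.1", "203.0.113.10", 12, 0, 0, 17),
    record("192.0.2.2", "203.0.113.10", 9, 0, 0, 17),
    record("192.0.2.3", "203.0.113.10", 20, 0, 0, 17),
    record("192.0.2.4", "203.0.113.10", 7, 0, 0, 17),
])
```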
Re: Source Based - Routing
Is the websense server able to forward all traffic from these hosts or can it only handle the http and https traffic?
This filter is sending all traffic from the host to the web sense filter. I suspect you want to add the port restrictions so that only web browsing traffic is forwarded?
family inet {
    filter Content_Filter {
        term 0 {
            from {
                source-address {
                    10.154.25.0/24;
                }
                protocol tcp;
                destination-port [ 80 443 ];
            }
            then {
                routing-instance Content_Filter_Instance;
            }
        }
        term 1 {
            then accept;
        }
    }
}
Re: L2VPN in OR state.
Thanks!! It worked :-)
root@PE1# run show l2vpn connections
Layer-2 VPN connections:
Legend for connection status (St)
EI -- encapsulation invalid       NC -- interface encapsulation not CCC/TCC/VPLS
EM -- encapsulation mismatch      WE -- interface and instance encaps not same
VC-Dn -- Virtual circuit down     NP -- interface hardware not present
CM -- control-word mismatch       -> -- only outbound connection is up
CN -- circuit not provisioned     <- -- only inbound connection is up
OR -- out of range                Up -- operational
OL -- no outgoing label           Dn -- down
LD -- local site signaled down    CF -- call admission control failure
RD -- remote site signaled down   SC -- local and remote site ID collision
LN -- local site not designated   LM -- local site ID not minimum designated
RN -- remote site not designated  RM -- remote site ID not minimum designated
XX -- unknown connection status   IL -- no incoming label
MM -- MTU mismatch                MI -- Mesh-Group ID not available
BK -- Backup connection           ST -- Standby connection
PF -- Profile parse failure       PB -- Profile busy
RS -- remote site standby         SN -- Static Neighbor
LB -- Local site not best-site    RB -- Remote site not best-site
VM -- VLAN ID mismatch
Legend for interface status
Up -- operational
Dn -- down
Instance: L2VPN
  Local site: CUST-5 (5)
    connection-site           Type  St     Time last up          # Up trans
    6                         rmt   Up     Nov 25 08:10:05 2016           1
      Remote PE: 22.22.22.22, Negotiated control-word: Yes (Null)
      Incoming label: 800005, Outgoing label: 800002
      Local interface: ge-0/0/1.12, Status: Up, Encapsulation: VLAN
Re: Source Based - Routing
Can you share the result of this:
>show route table <routing-instance.inet.0>
>ping google.com routing-instance
>ping pc routing-instance
IS-IS route tagging
I have a question, as I am not able to find any documentation anywhere so far for what I'm looking for.
But my question is: I thought if you turned off traffic engineering on your IS-IS protocol, it would not tag any routes getting advertised out?
So I have a lo0 interface with an IPv4 and v6 address on it. When I have the policy applied and traffic engineering enabled on the connecting router P1, I see the appropriate tag coming in for the loopback IPs, i.e.
root@P1# show protocols isis
export tag-lo0;
interface ge-0/0/1.0;
interface ge-0/0/2.0;
interface ge-0/0/3.0;
interface ge-0/0/4.0;
interface ge-0/0/5.0;
interface lo0.0 {
    passive;
}
[edit]
root@P1# show policy-options policy-statement tag-lo0
from interface lo0.0;
then {
    tag 200;
    accept;
}
root@PE12# run show route protocol isis | match tag
1.1.1.1/32 [IS-IS/15] 03:53:00, metric 10, tag 200
2001:db8::/128 *[IS-IS/15] 03:53:00, metric 10, tag 200
Now, if I just disable traffic engineering on the IS-IS protocol, I still see a tag for the IPv6 route but not the IPv4.
root@PE12# run show route protocol isis | match tag
2001:db8::/128 *[IS-IS/15] 04:00:59, metric 10, tag 200
If I remove the policy from P1, it will not tag the IPv6 route. I was just wondering, is this normal for the basic policy I have, or does it appear to be a bug?
Re: IS-IS route tagging
When ISIS Traffic Engineering is disabled, TLVs 22, 134, and 135 are suppressed from being sent.
Tags for IPv4 routes are in TLV 135 (sub-TLV 1).
For IPv6 routes the tags are in TLV 236. They are still present when you disable TE.
In all cases, check the ISIS DB with 'show isis database extensive' and you will see what information is being flooded.
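An added editor's example, not from the thread, that encodes and decodes the administrative-tag sub-TLV in both places the reply names, TLV 135 (RFC 5305) and TLV 236 (RFC 5308), using the 1.1.1.1/32 and 2001:db8::/128 prefixes and tag 200 from the question; the byte layouts follow those RFCs and RFC 5130, which is what 'show isis database extensive' is decoding.

```python
import struct
from ipaddress import ip_address, ip_network

ADMIN_TAG = 1  # sub-TLV 1, the 32-bit administrative tag (RFC 5130); same code in 135 and 236

def _tag_subtlvs(tags):
    """Sub-TLV block: one total-length byte, then type/length/value triples."""
    body = b"".join(struct.pack("!BBI", ADMIN_TAG, 4, t) for t in tags)
    return bytes([len(body)]) + body

def encode_tlv135(prefix, metric, tags=()):
    """Extended IP Reachability (RFC 5305): 4-byte metric, then a control byte
    holding the prefix length in its low 6 bits and bit 6 = sub-TLVs present."""
    net = ip_network(prefix)
    body = struct.pack("!IB", metric, net.prefixlen | (0x40 if tags else 0))
    body += net.network_address.packed[:(net.prefixlen + 7) // 8]
    if tags:
        body += _tag_subtlvs(tags)
    return struct.pack("!BB", 135, len(body)) + body

def encode_tlv236(prefix, metric, tags=()):
    """IPv6 Reachability (RFC 5308): 4-byte metric, a flags byte (bit 5 =
    sub-TLVs present), then a separate prefix-length byte and the prefix."""
    net = ip_network(prefix)
    body = struct.pack("!IBB", metric, 0x20 if tags else 0, net.prefixlen)
    body += net.network_address.packed[:(net.prefixlen + 7) // 8]
    if tags:
        body += _tag_subtlvs(tags)
    return struct.pack("!BB", 236, len(body)) + body

def decode_reachability(tlv):
    """Decode one TLV 135 or 236 entry into (type, prefix, metric, [tags])."""
    ttype, body = tlv[0], tlv[2:2 + tlv[1]]
    metric = struct.unpack("!I", body[:4])[0]
    if ttype == 135:
        plen, has_sub, pos, alen = body[4] & 0x3F, bool(body[4] & 0x40), 5, 4
    elif ttype == 236:
        plen, has_sub, pos, alen = body[5], bool(body[4] & 0x20), 6, 16
    else:
        raise ValueError("not a reachability TLV")
    nbytes = (plen + 7) // 8
    addr = ip_address(body[pos:pos + nbytes] + b"\0" * (alen - nbytes))
    pos, tags = pos + nbytes, []
    if has_sub:                                   # walk the sub-TLV list
        end, pos = pos + 1 + body[pos], pos + 1
        while pos < end:
            stype, slen = body[pos], body[pos + 1]
            if stype == ADMIN_TAG:                # may carry several 4-byte tags
                tags += [struct.unpack("!I", body[pos + 2 + i:pos + 6 + i])[0]
                         for i in range(0, slen, 4)]
            pos += 2 + slen
    return ttype, f"{addr}/{plen}", metric, tags
```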
Re: IS-IS route tagging
Thanks, that clears it up for me.
I thought disabling traffic engineering turned off all tagging.
Re: Source Based - Routing
That is correct. So, the code you posted, do I add that to the VLAN or to the virtual interface?
Re: Source Based - Routing
These are the results:
show route table <routing-instance.inet.0>:
Content_Filter_Instance.inet.0: 39 destinations, 39 routes (39 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 1w2d 17:05:09
> to 10.154.2.19 via reth0.120
10.54.107.0/24 *[Direct/0] 1w2d 17:05:09
> via reth0.107
10.54.107.1/32 *[Local/0] 1w2d 17:05:09
Local via reth0.107
10.54.195.0/24 *[Direct/0] 1w2d 17:05:09
> via reth0.195
10.54.195.1/32 *[Local/0] 1w2d 17:05:09
Local via reth0.195
10.154.0.72/29 *[Direct/0] 1w2d 17:05:09
> via reth1.0
10.154.0.73/32 *[Local/0] 1w2d 17:05:09
Local via reth1.0
10.154.0.80/29 *[Direct/0] 1w2d 17:05:09
> via reth2.0
10.154.0.81/32 *[Local/0] 1w2d 17:05:09
Local via reth2.0
10.154.2.0/26 *[Direct/0] 1w2d 17:05:09
> via reth0.120
10.154.2.1/32 *[Local/0] 1w2d 17:05:09
Local via reth0.120
10.154.2.64/26 *[Direct/0] 1w2d 17:05:09
> via reth0.121
10.154.2.65/32 *[Local/0] 1w2d 17:05:09
Local via reth0.121
10.154.10.0/24 *[Direct/0] 1w2d 17:05:09
> via reth0.10
10.154.10.1/32 *[Local/0] 1w2d 17:05:09
Local via reth0.10
10.154.11.0/24 *[Direct/0] 1w2d 17:05:09
> via reth0.11
10.154.11.1/32 *[Local/0] 1w2d 17:05:09
Local via reth0.11
10.154.18.0/24 *[Direct/0] 1w2d 17:05:09
> via reth0.118
10.154.18.1/32 *[Local/0] 1w2d 17:05:09
Local via reth0.118
10.154.20.0/24 *[Direct/0] 1w2d 17:05:09
> via reth0.132
10.154.20.1/32 *[Local/0] 1w2d 17:05:09
Local via reth0.132
10.154.24.0/24 *[Direct/0] 1w2d 17:05:09
> via reth0.124
10.154.24.1/32 *[Local/0] 1w2d 17:05:09
Local via reth0.124
10.154.25.0/24 *[Direct/0] 1w2d 17:05:09
> via reth0.125
10.154.25.1/32 *[Local/0] 1w2d 17:05:09
Local via reth0.125
10.154.26.0/25 *[Direct/0] 1w2d 17:05:09
> via reth0.23
10.154.26.1/32 *[Local/0] 1w2d 17:05:09
Local via reth0.23
10.154.26.128/25 *[Direct/0] 1w2d 17:05:09
> via reth0.123
10.154.26.129/32 *[Local/0] 1w2d 17:05:09
Local via reth0.123
10.154.27.0/24 *[Direct/0] 1w2d 17:05:09
> via reth0.133
10.154.27.1/32 *[Local/0] 1w2d 17:05:09
Local via reth0.133
10.154.28.0/24 *[Direct/0] 1w2d 17:05:09
> via reth0.128
10.154.28.1/32 *[Local/0] 1w2d 17:05:09
Local via reth0.128
10.154.29.0/24 *[Direct/0] 1w2d 17:05:09
> via reth0.129
10.154.29.1/32 *[Local/0] 1w2d 17:05:09
Local via reth0.129
10.154.30.0/25 *[Direct/0] 1w2d 17:05:09
> via reth0.126
10.154.30.1/32 *[Local/0] 1w2d 17:05:09
Local via reth0.126
10.154.30.128/25 *[Direct/0] 1w2d 17:05:09
> via reth0.116
10.154.30.129/32 *[Local/0] 1w2d 17:05:09
Local via reth0.116
ping google.com routing-instance:
...nce Content_Filter_Instance no-resolve
ping: cannot resolve google.com: Host name lookup failure
Also tried with google.com IP address:
ping 216.58.192.78 routing-instance Content_Filter_I
PING 216.58.192.78 (216.58.192.78): 56 data bytes
ping: sendto: Can't assign requested address
ping: sendto: Can't assign requested address
ping: sendto: Can't assign requested address
ping: sendto: Can't assign requested address
ping pc routing-instance:
ping 10.154.25.21 interface Content_Filter_Instance
error: syntax error: Content_Filter_Instance.inet.0
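An added example from the editor, not from any post in the thread: a small parser for the 'show route table' output posted above with a longest-prefix lookup, so the three legs of the filter-based-forwarding path (the PC subnet, the Websense next-hop 10.154.0.74, and an Internet address) can be checked against what the instance actually holds, which is the "rib group and interface routes" check suggested earlier. The embedded table is an excerpt of the output above; 216.58.192.78 is the Google address the poster pinged.

```python
import re
from ipaddress import ip_address, ip_network

# Excerpt of the Content_Filter_Instance.inet.0 output posted above: just the
# entries needed for the PC subnet, the filter box's subnet and the default.
ROUTE_OUTPUT = """\
0.0.0.0/0 *[Static/5] 1w2d 17:05:09
> to 10.154.2.19 via reth0.120
10.154.0.72/29 *[Direct/0] 1w2d 17:05:09
> via reth1.0
10.154.0.73/32 *[Local/0] 1w2d 17:05:09
Local via reth1.0
10.154.25.0/24 *[Direct/0] 1w2d 17:05:09
> via reth0.125
10.154.25.1/32 *[Local/0] 1w2d 17:05:09
Local via reth0.125
"""

PREFIX_RE = re.compile(r"^(\S+/\d+)\s+\*\[(\w+)/(\d+)\]")
NEXTHOP_RE = re.compile(r"^(?:>|Local)?\s*(?:to\s+(\S+)\s+)?via\s+(\S+)")

def parse_route_table(text):
    """Turn 'show route table' text into (network, protocol, next_hop, iface)
    tuples; next_hop is None for Direct/Local routes, which only name an iface."""
    routes, current = [], None
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            current = (ip_network(m.group(1)), m.group(2))
            continue
        m = NEXTHOP_RE.match(line)
        if m and current:
            routes.append((current[0], current[1], m.group(1), m.group(2)))
            current = None
    return routes

def resolve(routes, dst):
    """Longest-prefix match for dst; returns (prefix, protocol, next_hop, iface)."""
    addr, best = ip_address(dst), None
    for net, proto, nh, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, proto, nh, iface)
    return None if best is None else (str(best[0]), best[1], best[2], best[3])

def check_fbf_path(routes, pc, filter_box, internet_host):
    """Resolve each leg of the filtered path inside the instance. A Direct hit
    for the PC and filter-box subnets means the rib-group did import the
    interface routes; a miss is the symptom the earlier reply describes."""
    return {name: resolve(routes, ip) for name, ip in
            (("pc", pc), ("filter", filter_box), ("internet", internet_host))}
```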
Rib-groups with aggregate routes
I notice that there is no rib-group option under aggregate. Why is this? I notice one of the previous posts talks about using 'instance-import', but this only appears not to work from one VRF to another. The only other option I can think of is to use static routes with discard, but these do not benefit from contributing routes. Anyone understand why this option is not available and have any suggestions better than using statics?
I am implementing on MX480, 13.3R9.13.
Thanks
L2VPN Remote site id inheritance
I was wondering if someone could clear this up for me. I think I have it down but am not sure.
Given the below code
root@CE10# show routing-instances
vpn-a {
    instance-type l2vpn;
    interface ge-0/0/7.550;
    interface ge-0/0/7.551;
    interface ge-0/0/7.552;
    vrf-import import-vpn-a;
    vrf-export export-vpn-a;
    vrf-target target:65000:500;
    protocols {
        l2vpn {
            encapsulation-type ethernet-vlan;
            site ce10 {
                site-identifier 1;
                interface ge-0/0/7.550;
                interface ge-0/0/7.551;
                interface ge-0/0/7.552;
            }
        }
    }
}
The remote site ids that these interfaces should inherit should go
interface ge-0/0/7.550; => RSI = 2
interface ge-0/0/7.551; => RSI = 3
interface ge-0/0/7.552; => RSI = 4
correct?
But, if I assign a site id of something else like
protocols {
    l2vpn {
        encapsulation-type ethernet-vlan;
        site ce10 {
            site-identifier 2;
            interface ge-0/0/7.550;
            interface ge-0/0/7.551;
            interface ge-0/0/7.552;
        }
    }
}
Should the inherited remote site ids be something like
interface ge-0/0/7.550; => RSI = 1
interface ge-0/0/7.551; => RSI = 4
interface ge-0/0/7.552; => RSI = 5
According to the page in the study guide I am going by (attached to the post), it said (if I am reading this right) that it should number the interfaces in order of 1+1 etc., unless it hits an interface number that overlaps with the configured site id, then it would go (site-identifier + 2).
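An added example (editor's code, not from either L2VPN thread above) that works out inherited remote site IDs for a site stanza and checks whether a remote site falls inside that range, which is what the OR ("out of range") state in the earlier thread came down to. The skip-the-local-site rule is Juniper's documented default for interfaces without remote-site-id, not stated on this page; the PE1_FIXED stanza is constructed, since the corrected config was not posted.

```python
import re

def inherited_remote_site_ids(site_id, interfaces, explicit=None):
    """Assign remote site IDs to a site's interfaces in configuration order,
    counting up from 1 and skipping the local site-identifier (Juniper's
    documented default, assumed here). Interfaces with an explicit
    remote-site-id keep it."""
    explicit = explicit or {}
    rsi, next_id = {}, 1
    for ifname in interfaces:
        if ifname in explicit:
            rsi[ifname] = explicit[ifname]
            continue
        if next_id == site_id:        # an interface never points at its own site
            next_id += 1
        rsi[ifname] = next_id
        next_id += 1
    return rsi

def parse_site(config):
    """Read site-identifier, interface order and any remote-site-id out of a
    'site <name> { ... }' stanza in flattened or indented Junos text."""
    body = re.search(r"\bsite\s+\S+\s*\{(.*)", config, re.S).group(1)
    site_id = int(re.search(r"site-identifier\s+(\d+)", body).group(1))
    interfaces, explicit = [], {}
    for m in re.finditer(r"interface\s+(\S+?)(?:;|\s*\{\s*remote-site-id\s+(\d+);\s*\})", body):
        interfaces.append(m.group(1))
        if m.group(2):
            explicit[m.group(1)] = int(m.group(2))
    return site_id, interfaces, explicit

def remote_in_range(config, remote_site_id):
    """True when some local interface maps to the remote site ID. When none
    does, the far end has nothing to bind to: the situation the OR thread
    above hit with sites 5 and 6 until remote-site-id was configured."""
    site_id, interfaces, explicit = parse_site(config)
    return remote_site_id in inherited_remote_site_ids(site_id, interfaces, explicit).values()

# Site stanzas quoted from the threads above (PE1 as posted, and the ce10
# stanza with site-identifier 1 or 2); PE1_FIXED is constructed by the editor.
PE1_AS_POSTED = "site CUST-5 { site-identifier 5; interface ge-0/0/1.12; }"
PE1_FIXED = "site CUST-5 { site-identifier 5; interface ge-0/0/1.12 { remote-site-id 6; } }"
CE10 = ("site ce10 { site-identifier %d; interface ge-0/0/7.550; "
        "interface ge-0/0/7.551; interface ge-0/0/7.552; }")
```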