Channel: All Routing posts

Throughput Issue in MX960 During NATing

Hello,

I have configured DNAT. When I send traffic in half-duplex I get a throughput of approx. 90% for 10G traffic.

But in duplex mode I get a throughput of 40% (i.e. 4 Gbps of output) on 10G.

Why is this?

Can anyone please explain the reason for this?

Thanks


Re: Throughput Issue in MX960 During NATing

I am using an ms-dpc interface (i.e. a service interface).

On the service interface I am getting 10 Gbps of traffic on input as well as output.

But on the LAN side I am getting 4 Gbps of output.

Re: Throughput Issue in MX960 During NATing

Hello there,

tridandi wrote:

> On the service interface I am getting 10 Gbps of traffic on input as well as output.
>
> But on the LAN side I am getting 4 Gbps of output.

Simultaneously? Or are these different tests? What is the JUNOS version?

What traffic generator do You use? iPerf? IXIA? Spirent?

Is it stateful TCP? Or is it UDP? Unidirectional or bidirectional?

What is the MTU on both sides of the DUT? Do You observe fragmentation?

Please provide as much information as possible and do not forget the configs & topology diagram.

HTH

Thx

Alex

Re: ISP Transit Customer Routing

Many of the customers have their own public subnets and peer with Awesome-Net via BGP. They fit into categories CUST3 and CUST4.

Awesome-Net provides IPs within its own BGP AS to its other customers. Those all fit into the category CUST1.

Re: EVPN: No /32 route for existing MAC address

Thanks for the input bhaskerp.

user@CORE01> show arp no-resolve vpn HOSTING-VRF
MAC Address            Address          Interface                Flags
00:0c:29:df:c6:f1      x.x.x..82      irb.833 [ae6.833]       none

It is there and can be cleared with:

clear arp vpn HOSTING-VRF hostname x.x.x.82

It is repopulated right away after a ping from the host, but it still does not show up in the routing table as a /32:

user@CORE01> show route table HOSTING-VRF x.x.x.82

HOSTING-VRF.inet.0: 23 destinations, 24 routes (23 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

x.x.x.80/28 *[Direct/0] 5w1d 00:09:08
> via irb.833

At this moment I am unable to create a support case because of a political issue with a 3rd-party supplier.

I am planning to upgrade the firmware on our MX960 and EX9200s. This takes some time unfortunately because they are in production.

eBGP Configuration between two SRX 210

Hello all,

I recently acquired a couple of SRX210s to expand my knowledge of routing. I've been trying to set up eBGP between the two, exporting local routes. I configured ge-0/0/1 on both sides as 10.0.0.1/24 and 10.0.0.2/24. The local AS for one is 10 and for the other 20. I created and applied export and import policies. I wonder, is the SRX being a firewall part of it? Is traffic being blocked? I don't seem to even be getting layer 2:

Physical interface: ge-0/0/1, Enabled, Physical link is Up
  Interface index: 135, SNMP ifIndex: 509
  Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps,
  BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
  Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Current address: 78:19:f7:aa:5b:01, Hardware address: 78:19:f7:aa:5b:01
  Last flapped   : 2017-01-27 21:03:45 UTC (00:14:25 ago)
  Input rate     : 0 bps (0 pps)
  Output rate    : 0 bps (0 pps)
  Active alarms  : None
  Active defects : None
  Interface transmit statistics: Disabled

  Logical interface ge-0/0/1.0 (Index 70) (SNMP ifIndex 516) 
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Input packets : 1 
    Output packets: 78
    Security: Zone: Null
    Protocol inet, MTU: 1500            
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 10.0.0/24, Local: 10.0.0.2, Broadcast: 10.0.0.255

Here is my config on one router:

## Last changed: 2017-01-27 21:01:54 UTC
version 11.4R5.5;
system {
    host-name SR210Bottom;
    root-authentication {
        encrypted-password "$1$P1EoZ8l8$kDeaHpuxfNAhza8Z.5jsz/"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
            }
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0;
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.0.0.2/24;
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    router-id 10.0.0.2;
}
protocols {
    bgp {
        group external {
            type external;
            local-address 10.0.0.2;
            import bgp-import-all;
            export bgp-export-all;
            peer-as 10;
            local-as 20;
            neighbor 10.0.0.1;
        }
    }
    stp;
}
policy-options {
    policy-statement bgp-export-all {
        term first {
            from protocol [ bgp local ];
            then accept;
        }
    }
    policy-statement bgp-import-all {
        term first {
            from protocol [ bgp local ];
            then accept;
        }
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}

Any ideas?

Re: eBGP Configuration between two SRX 210

I'd suggest you look at a sample config.

You didn't put ge-0/0/1.0 into a zone, and that zone will need to have host-inbound-traffic protocols bgp added.

You still have all the default config on there too, which I'd recommend you delete.

If you're new to Junos and want to mess with routing you may want to consider disabling flow processing altogether to have them act like routers.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB30461

Also, you can verify layer 2 with ">show arp"
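To make the missing piece concrete, here is an added fragment (not from the reply or the poster's own config) that puts ge-0/0/1.0 into a zone and lets the SRX accept the BGP session on it; the zone name bgp-peer is an assumption, and the same stanza is needed on the other SRX210:

```junos
/* Added example: the zone name bgp-peer is assumed, not from the thread. */
security {
    zones {
        security-zone bgp-peer {
            host-inbound-traffic {
                system-services {
                    ping;       /* lets you test reachability to the 10.0.0.0/24 peer */
                }
                protocols {
                    bgp;        /* without this the SRX drops inbound TCP/179 to its own address */
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
}
```

host-inbound-traffic only governs packets destined to the SRX itself, so no from-zone/to-zone policy is needed for the session; after commit, `show bgp summary` should show the neighbor leaving Active/Connect once both sides are configured alike.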


Re: ISP Transit Customer Routing

I just realized my answer might not have been detailed enough.

I am uploading a PDF network map at its most basic level.

In this PDF example, customers 1 through 3 are all PI. They have their own BGP AS and assigned subnets that are independent of Awesome-Net and its upstream providers.

Any customers that would be off of R1 in the PDF all use IPs assigned and provided by Awesome-Net. Those IPs are independent of Provider1 and Provider2 (ISP1 and ISP2 in the PDF). They are owned by Awesome-Net and are part of its BGP AS.

Does this tell you what you need to know?

Re: ISP Transit Customer Routing

Hello there,

One way to accomplish this is to use MPLS L3VPN (a.k.a. VRFs) with targeted route leaking.

Rough algorithm:

0/ it would help a lot if Your Provider1 sends 0/1 & 128/1 instead of 0/0

1/ create 4 VRFs as below:

1a/ CUST1-VRF is the "primary" for CUST1 and holds all its routes. CUST2,3,4 routes are leaked into CUST1-VRF as well.

CUST1-VRF is also primary for ISP1 and receives 0/1 & 128/1 from ISP1. CUST1-VRF has a static 0/0 route with "next-table CUST2-VRF.inet.0" configured.

1b/ CUST2-VRF is the "primary" for CUST2 and holds all its routes. CUST1,3,4 routes are leaked into CUST2-VRF as well.

CUST2-VRF is also primary for ISP2 and receives the full table.

1c/ CUST3-VRF is the "primary" for CUST3 and holds all its routes. CUST1,2,4 routes are leaked into CUST3-VRF as well.

ISP1 and ISP2 routes are leaked into CUST3-VRF from CUST1-VRF & CUST2-VRF.

1d/ CUST4-VRF is the "primary" for CUST4 and holds all its routes. CUST1,2,3 routes are leaked into CUST4-VRF as well.

ISP2 routes are leaked into CUST4-VRF.

2/ the leaking between VRFs is done on a local PE by means of RIB-groups (if BGP) + auto-export (if direct/static) and on a remote PE by means of crafted VRF import policies.

The advantages:

a/ You can enforce almost any business rule this way

b/ with MPLS as transport, You can have a multiservice network from Day 1 and gradually add E-LINE, E-LAN (VPLS), etc. on the fly

Disadvantages:

i) in certain cases, when CUST2,3,4-VRFs are on the same PE, that PE has to hold up to 3 copies of the full table, one copy in each VRF. This consumes memory but with modern Routing Engines it is not that critical.

ii) If You are not familiar with MPLS and L3VPNs, then Your learning curve would look like a Delta-4 rocket launch :-D

HTH

Thx

Alex
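As an added illustration of steps 1a, 1c and 2 above (this is not Alex's configuration), a Junos fragment for one PE carrying CUST1-VRF and CUST3-VRF, with the rib-group, the next-table fallback and the vrf-import policies a remote PE would use; AS numbers, route targets, RDs, interfaces and peer addresses are placeholders:

```junos
/* Added example, not from the thread. AS numbers, route targets, RDs,
   interfaces and peer addresses are placeholders. */
routing-options {
    rib-groups {
        /* local-PE leak of ISP1's BGP routes: CUST1-VRF is primary, copy goes to CUST3-VRF */
        ISP1-TO-CUST3 {
            import-rib [ CUST1-VRF.inet.0 CUST3-VRF.inet.0 ];
        }
    }
}
routing-instances {
    CUST1-VRF {
        instance-type vrf;
        interface ge-0/0/1.0;                 /* toward ISP1 (assumed) */
        route-distinguisher 65000:1;
        vrf-import CUST1-VRF-IMPORT;
        vrf-export CUST1-VRF-EXPORT;
        vrf-table-label;
        routing-options {
            auto-export;                      /* leaks direct/static between local VRFs via vrf-import/vrf-export */
            static {
                /* 0/1 and 128/1 from ISP1 are more specific and win; if ISP1 withdraws them
                   the lookup falls through to ISP2's full table in CUST2-VRF. Keep this
                   one-directional: CUST2-VRF must not carry a next-table route back here. */
                route 0.0.0.0/0 next-table CUST2-VRF.inet.0;
            }
        }
        protocols {
            bgp {
                group ISP1 {
                    type external;
                    peer-as 64501;
                    neighbor 192.0.2.1;
                    family inet {
                        unicast {
                            rib-group ISP1-TO-CUST3;
                        }
                    }
                }
            }
        }
    }
    CUST3-VRF {
        instance-type vrf;
        interface ge-0/0/3.0;                 /* toward CUST3 (assumed) */
        route-distinguisher 65000:3;
        vrf-import CUST3-VRF-IMPORT;
        vrf-export CUST3-VRF-EXPORT;
        vrf-table-label;
        routing-options {
            auto-export;
        }
    }
}
policy-options {
    community CUST1-RT members target:65000:1;
    community CUST2-RT members target:65000:2;
    community CUST3-RT members target:65000:3;
    community CUST4-RT members target:65000:4;
    policy-statement CUST1-VRF-EXPORT {
        term tag { then { community add CUST1-RT; accept; } }
    }
    policy-statement CUST3-VRF-EXPORT {
        term tag { then { community add CUST3-RT; accept; } }
    }
    /* step 1a: CUST1-VRF takes its own routes plus CUST2,3,4 */
    policy-statement CUST1-VRF-IMPORT {
        term customers {
            from community [ CUST1-RT CUST2-RT CUST3-RT CUST4-RT ];
            then accept;
        }
        term other { then reject; }
    }
    /* step 2, "crafted" import on a remote PE: CUST3-VRF takes every customer's routes;
       the ISP1/ISP2 routes arrive with them because CUST1-VRF and CUST2-VRF export
       everything they hold tagged CUST1-RT / CUST2-RT. */
    policy-statement CUST3-VRF-IMPORT {
        term customers {
            from community [ CUST1-RT CUST2-RT CUST3-RT CUST4-RT ];
            then accept;
        }
        term other { then reject; }
    }
}
```

CUST4-VRF (step 1d) must not receive ISP1 routes, so its import policy cannot simply accept CUST1-RT; tagging the ISP routes with a separate community on export and excluding it there is the usual way to enforce that rule.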

Re: SRX as BGP Edge (packet mode)

For your partial route table you can also ask your upstream carriers to send you a partial table directly. As carriers, most maintain a community-tagged list of directly attached routes which we can send to customers.

Re: Monitoring Radio between OSPF sites.

I assume you have changed all the loopbacks now to /32 and all the route address overlaps have now been removed from the network.

Do a traceroute from your management station and see where the path to the final mgmt address dies.

Then on this router we want to check the active route table for the address we cannot reach and see what it has.

We can also trace the route learning from the mgmt device side up to where the laptop gets plugged in. Is the mgmt address learned at each router hop along the path?

Likewise we need to verify that the return route for the laptop is learned at each router hop down to the final mgmt device.

Routing for Dual ISP failover

Hello Everyone,

I'm working on an issue I'm trying to lab out before moving to production.

My edge configuration will be changing from a single SRX with dual MX-5 routers running IBGP to moving one MX-5 to another location on the LAN and attaching a 2nd SRX to it.

For both OneNet and Cox, I'm receiving full and default routes over EBGP. The default route from BGP is being redistributed into OSPF.

The current IBGP setup is for the BGP Annex router to favor the OneNet connection in both directions.

The BGP DLM router has local preference set to 80 and prepends the AS multiple times.

Here is the diagram for the lab:

[Attachment: Diagram.JPG]

The first problem I had with the setup was keeping the IBGP neighbors up. I accomplished this by creating an IPsec VPN tunnel in the untrust zone between the two SRXs. This brought up the neighbors and routing worked fine. Another problem was introduced once I attempted to see what failover was like.

I went to the BGP Annex router and disabled the interface going to the OneNet ISP to try failover. The IBGP neighbor stayed up, but my internal LAN was still saying to go to the BGP Annex router to exit the LAN. This is causing a routing loop at the Annex SRX that feeds into the core.

Please let me know what your suggestions are.

I'm attaching the configurations for reference and the diagram for better viewing.

BGP Annex

system {
    host-name BGP_Annex;
    root-authentication {
        encrypted-password "$1$urv2wMd4$6v7797nFw6JyLXfVp1l9W/"; ## SECRET-DATA
    }
    services {
        ssh;
        web-management {
            http {
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        description "To SRX";
        unit 0 {
            family inet {
                address 206.202.209.10/30;
            }
        }
    }
    inactive: ge-0/0/2 {
        description "To DLM MX-5";
        unit 0 {
            family inet {
                address 206.202.209.5/30;
            }
        }
    }
    ge-0/0/3 {
        description "To OneNet - eBGP";
        disable;
        unit 0 {
            family inet {
                address 164.58.18.50/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 206.202.209.1/32;
            }
        }
    }
}
routing-options {
    aggregate {
        route 206.202.208.0/23 policy AGGREGATE-ROUTE;
    }
    router-id 206.202.209.1;
    autonomous-system 393936;
}
protocols {
    bgp {
        group IBGP_TO_MX5_DLM {
            type internal;
            local-address 206.202.209.1;
            family inet {
                unicast;
            }
            export NEXT_HOP_SELF;
            neighbor 206.202.209.2;
        }
        group EBGP_TO_ONENET {
            type external;
            local-address 164.58.18.50;
            import OneNet_IMPORT;
            family inet {
                unicast;
            }
            export TC_EXPORT;
            peer-as 5078;
            neighbor 164.58.18.49;
        }
    }
    ospf {
        export EXPORT_DEFAULT;
        import OSPF_IMPORT_DENY;
        area 0.0.0.0 {
            interface lo0.0 {
                passive;
            }
            interface ge-0/0/0.0;
            interface ge-0/0/2.0;
        }
    }
}
policy-options {
    policy-statement AGGREGATE-ROUTE {
        term 1 {
            from {
                protocol [ ospf direct ];
                route-filter 206.202.208.0/23 orlonger;
            }
            then accept;
        }
    }
    policy-statement EXPORT_DEFAULT {
        term 1 {
            from {
                protocol bgp;
                route-filter 0.0.0.0/0 exact;
            }
            then accept;
        }
        term 2 {
            then reject;
        }
    }
    policy-statement NEXT_HOP_SELF {
        term 1 {
            from protocol bgp;
            then {
                next-hop self;
                accept;
            }
        }
        term 2 {
            then reject;
        }
    }
    policy-statement OSPF_IMPORT_DENY {
        term 1 {
            from {
                protocol ospf;
                route-filter 0.0.0.0/0 exact;
            }
            then reject;
        }
        term 2 {
            then accept;
        }
    }
    policy-statement OneNet_IMPORT {
        term 1 {
            then accept;
        }
    }
    policy-statement TC_EXPORT {
        term 1 {
            from {
                protocol aggregate;
                route-filter 206.202.208.0/23 exact;
            }
            then accept;
        }
        term 2 {
            then reject;
        }
    }
}
security {
    forwarding-options {
        family {
            mpls {
                mode packet-based;
            }
        }
    }
}
BGP DLM

system {
    host-name BGP_DLM;
    root-authentication {
        encrypted-password "$1$65/av4Pt$bPYWzZytH/L3Gp4laDPqj1"; ## SECRET-DATA
    }
    services {
        ssh;
        web-management {
            http {
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 174.79.213.99/29;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 206.202.209.14/30;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 206.202.209.6/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 206.202.209.2/32;
            }
        }
    }
}
routing-options {
    aggregate {
        route 206.202.208.0/23 policy AGGREGATE-ROUTE;
    }
    router-id 206.202.209.2;
    autonomous-system 393936;
}
protocols {
    bgp {
        group IBGP_TO_MX5_ANNEX {
            type internal;
            local-address 206.202.209.2;
            family inet {
                unicast;
            }
            export NEXT_HOP_SELF;
            neighbor 206.202.209.1;
        }
        group EBGP_TO_COX {
            type external;
            import COX_IMPORT;
            family inet {
                unicast;
            }
            export TC_EXPORT;
            peer-as 22773;
            neighbor 174.79.213.97;
        }
    }
    ospf {
        export EXPORT_DEFAULT;
        import OSPF_IMPORT_DENY;
        area 0.0.0.0 {
            interface lo0.0 {
                passive;
            }
            interface ge-0/0/1.0 {
                metric 1000;
            }
            interface ge-0/0/2.0;
        }
    }
}
policy-options {
    policy-statement AGGREGATE-ROUTE {
        term 1 {
            from {
                protocol [ ospf direct ];
                route-filter 206.202.208.0/23 orlonger;
            }
            then accept;
        }
    }
    policy-statement COX_IMPORT {
        term 1 {
            then {
                local-preference 80;
                accept;
            }
        }
    }
    policy-statement EXPORT_DEFAULT {
        term 1 {
            from {
                protocol bgp;
                route-filter 0.0.0.0/0 exact;
            }
            then accept;
        }
        term 2 {
            then reject;
        }
    }
    policy-statement NEXT_HOP_SELF {
        term 1 {
            from protocol bgp;
            then {
                next-hop self;
                accept;
            }
        }
        term 2 {
            then reject;
        }
    }
    policy-statement OSPF_IMPORT_DENY {
        term 1 {
            from {
                protocol ospf;
                route-filter 0.0.0.0/0 exact;
            }
            then reject;
        }
        term 2 {
            then accept;
        }
    }
    policy-statement TC_EXPORT {
        term 1 {
            from {
                protocol aggregate;
                route-filter 206.202.208.0/23 exact;
            }
            then {
                as-path-prepend "393936 393936 393936";
                accept;
            }
        }
        term 2 {
            then reject;
        }
    }
}
security {
    forwarding-options {
        family {
            mpls {
                mode packet-based;
            }
        }
    }
}
Annex SRX

system {
    host-name Annex_SRX;
    root-authentication {
        encrypted-password "$1$miMmo00A$bJhfzOQI94q/IEKrN3hIS."; ## SECRET-DATA
    }
    services {
        ssh;
        web-management {
            http {
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.201.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 206.202.209.9/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 206.202.208.1/32;
            }
        }
    }
    st0 {
        unit 0 {
            family inet {
                address 206.202.209.17/30;
            }
        }
    }
}
routing-options {
    static {
        route 206.202.209.2/32 next-hop st0.0;
        route 206.202.209.14/32 next-hop st0.0;
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface lo0.0 {
                passive;
            }
            interface ge-0/0/0.0;
            interface ge-0/0/1.0;
            interface st0.0 {
                metric 100;
            }
        }
    }
}
security {
    ike {
        proposal Phase1-IKE {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 86400;
        }
        policy iBGP_VPN {
            mode main;
            proposals Phase1-IKE;
            pre-shared-key ascii-text "$9$ZAUi.f5zAt0WLi.mPn6hSr"; ## SECRET-DATA
        }
        gateway iBGP_VPN {
            ike-policy iBGP_VPN;
            address 192.168.180.1;
            no-nat-traversal;
            external-interface ge-0/0/0;
        }
    }
    ipsec {
        proposal Phase2-IPSec {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 600;
        }
        policy iBGP_VPN {
            proposals Phase2-IPSec;
        }
        vpn iBGP_VPN {
            bind-interface st0.0;
            ike {
                gateway iBGP_VPN;
                no-anti-replay;
                ipsec-policy iBGP_VPN;
            }
            establish-tunnels immediately;
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule trust-to-untrust {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set trust-to-dmz {
                from zone trust;
                to zone trust;
                rule trust-to-dmz-NAT {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 206.202.208.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy Any-Any {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone trust {
            policy Any-Any {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone untrust {
            policy iBGP {
                match {
                    source-address Annex_MX-5;
                    destination-address DLM_MX-5;
                    application junos-bgp;
                }
                then {
                    permit;
                }
            }
            policy iBGP_VPN {
                match {
                    source-address iBGP_VPN;
                    destination-address iBGP_VPN;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            address-book {
                address OneNet_MX-5 206.202.209.10/32;
                address OneNet_MX-5_Loopback 206.202.209.1/32;
                address DLM_MX-5_To_SRX 206.202.209.14/32;
                address DLM_MX-5_Loopback 206.202.209.2/32;
                address iBGP_VPN 206.202.209.16/30;
                address-set Annex_MX-5 {
                    address OneNet_MX-5;
                    address OneNet_MX-5_Loopback;
                }
                address-set DLM_MX-5 {
                    address DLM_MX-5_To_SRX;
                    address DLM_MX-5_Loopback;
                }
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        protocols {
                            ospf;
                        }
                    }
                }
                st0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                        }
                        protocols {
                            bgp;
                            ospf;
                        }
                    }
                }
            }
        }
        security-zone dmz {
            interfaces {
                lo0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                        protocols {
                            ospf;
                        }
                    }
                }
            }
        }
        security-zone trust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}
DLM SRX

system {
    host-name DLM_SRX;
    root-authentication {
        encrypted-password "$1$miMmo00A$bJhfzOQI94q/IEKrN3hIS."; ## SECRET-DATA
    }
    services {
        ssh;
        web-management {
            http {
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.180.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 206.202.209.13/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 206.202.210.1/32;
            }
        }
    }
    st0 {
        unit 0 {
            family inet {
                address 206.202.209.18/30;
            }
        }
    }
}
routing-options {
    static {
        route 206.202.209.1/32 next-hop st0.0;
        route 206.202.209.10/32 next-hop st0.0;
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface lo0.0 {
                passive;
            }
            interface ge-0/0/0.0;
            interface ge-0/0/1.0 {
                metric 1000;
            }
            interface st0.0 {
                metric 100;
            }
        }
    }
}
security {
    ike {
        proposal Phase1-IKE {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 86400;
        }
        policy iBGP_VPN {
            mode main;
            proposals Phase1-IKE;
            pre-shared-key ascii-text "$9$.PT3/9tRESVwT3n60OM8X"; ## SECRET-DATA
        }
        gateway iBGP_VPN {
            ike-policy iBGP_VPN;
            address 192.168.201.1;
            no-nat-traversal;
            external-interface ge-0/0/0;
        }
    }
    ipsec {
        proposal Phase2-IPSec {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 600;
        }
        policy iBGP_VPN {
            proposals Phase2-IPSec;
        }
        vpn iBGP_VPN {
            bind-interface st0.0;
            ike {
                gateway iBGP_VPN;
                no-anti-replay;
                ipsec-policy iBGP_VPN;
            }
            establish-tunnels immediately;
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule trust-to-untrust {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set trust-to-dmz {
                from zone trust;
                to zone trust;
                rule trust-to-dmz-NAT {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 206.202.210.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy Any-Any {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone trust {
            policy Any-Any {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone untrust {
            policy iBGP {
                match {
                    source-address [ DLM_MX-5_IPs Annex_MX-5 iBGP_VPN ];
                    destination-address [ DLM_MX-5_IPs Annex_MX-5 iBGP_VPN ];
                    application [ junos-icmp-all junos-bgp ];
                }
                then {
                    permit;
                }
            }
            policy iBGP_VPN {
                match {
                    source-address iBGP_VPN;
                    destination-address iBGP_VPN;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            address-book {
                address DLM_MX-5 206.202.209.14/32;
                address DLM_MX-5_Loopback 206.202.209.2/32;
                address Annex_MX-5_To_SRX 206.202.209.10/32;
                address Annex_MX-5_Loopback 206.202.209.1/32;
                address iBGP_VPN 206.202.209.16/30;
                address-set DLM_MX-5_IPs {
                    address DLM_MX-5;
                    address DLM_MX-5_Loopback;
                }
                address-set Annex_MX-5 {
                    address Annex_MX-5_To_SRX;
                    address Annex_MX-5_Loopback;
                }
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        protocols {
                            ospf;
                        }
                    }
                }
                st0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                        }
                        protocols {
                            bgp;
                            ospf;
                        }
                    }
                }
            }
        }
        security-zone dmz {
            interfaces {
                lo0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                        protocols {
                            ospf;
                        }
                    }
                }
            }
        }
        security-zone trust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}
Thanks!
Re: Routing for Dual ISP failover


Hello,

You need to export 0/0 into OSPF _ONLY_ if it is coming from EBGP.

The OSPF export policy should look like:
    policy-statement EXPORT_DEFAULT {
        term 1 {
            from {
                protocol bgp;
                route-type external; ## add this line
                route-filter 0.0.0.0/0 exact;
            }

HTH

Thx

Alex

Re: Routing for Dual ISP failover


Hi Alex,

Thanks for the suggestion on the additional entry for the OSPF default.

It worked right away.

I did have a question though.

Obviously this is a lab situation, but convergence time for failover takes about 90 packets (3 minutes).

Should I expect the same in production?

What might I do to reduce the convergence time?

Thanks!

Kevin


Re: Throughput Issue in MX960 During NATing


(Attached image: topology.jpg)

Configuration On R1

  • set interfaces xe-9/1/3 unit 0 description "LAN FOR NAT of interface xe-9/1/2"
  • set interfaces ge-9/1/3 unit 0 family inet address 198.168.91.1/24
  • set interfaces ge-9/1/2 description "10g WAN for 10g LAN xe-9/1/3 R1"
  • set interfaces ge-9/1/2 unit 0 family inet service input service-set svc-set1
  • set interfaces ge-9/1/2 unit 0 family inet service output service-set svc-set1
  • set interfaces ge-9/1/2 unit 0 family inet address 10.20.41.1/24
  • set interfaces sp-8/0/0 unit 0 family inet
  • set services nat pool pool1 address 198.168.91.100/32
  • set services nat rule nat-rule1 match-direction input
  • set services nat rule nat-rule1 term 1 from destination-address 10.20.41.1/32
  • set services nat rule nat-rule1 term 1 from destination-port range low 800
  • set services nat rule nat-rule1 term 1 from destination-port range high 5000
  • set services nat rule nat-rule1 term 1 then port-forwarding-mappings map1
  • set services nat rule nat-rule1 term 1 then translated destination-pool pool1
  • set services nat rule nat-rule1 term 1 then translated translation-type dnat-44
  • set services nat rule nat-rule1 term 2 then no-translation
  • set services nat port-forwarding map1 destined-port 900 translated-port 6000
  • set services nat port-forwarding map1 destined-port 1000 translated-port 6500
  • set services service-set svc-set1 nat-rules nat-rule1
  • set services service-set svc-set1 interface-service service-interface sp-8/0/0
  • set routing-options static route 198.168.81.0/24 next-hop 10.20.41.2
  • set routing-options static route 172.16.2.0/24 next-hop 10.20.41.2
Configuration On R2

  • set interfaces xe-9/1/2 description "1g wan for 1g LAN ge-0/2/8 R2"
  • set interfaces xe-9/1/2 unit 0 family inet service input service-set svc-set2
  • set interfaces xe-9/1/2 unit 0 family inet service output service-set svc-set2
  • set interfaces xe-9/1/2 unit 0 family inet address 10.20.41.2/24
  • set interfaces xe-9/1/3 unit 0 description " LAN FOR NAT OF INTERFACE ge-0/2/9"
  • set interfaces xe-9/1/3 unit 0 family inet address 198.168.81.1/24
  • set interfaces sp-8/0/0 unit 0 family inet
  • set services nat pool pool1 address 198.168.81.100/32
  • set services nat rule nat-rule2 match-direction input
  • set services nat rule nat-rule2 term 1 from destination-address 10.20.41.2/32
  • set services nat rule nat-rule2 term 1 from destination-port range low 500
  • set services nat rule nat-rule2 term 1 from destination-port range high 5000
  • set services nat rule nat-rule2 term 1 then port-forwarding-mappings map1
  • set services nat rule nat-rule2 term 1 then translated destination-pool pool1
  • set services nat rule nat-rule2 term 1 then translated translation-type dnat-44
  • set services nat rule nat-rule2 term 2 then no-translation
  • set services nat port-forwarding map1 destined-port 1000 translated-port 7000
  • set services nat port-forwarding map1 destined-port 2000 translated-port 6500
  • set services service-set svc-set2 nat-rules nat-rule2
  • set services service-set svc-set2 interface-service service-interface sp-8/0/0
  • set routing-options static route 198.168.91.0/24 next-hop 10.20.41.1
  • set routing-options static route 172.16.1.0/24 next-hop 10.20.41.1

(Attached images: Screenshot from 2017-01-27 145606.jpg, Screenshot from 2017-01-27 145632.jpg, sp interface.jpg)

How to access ns5gt juniper firewall externally


I have an internal LAN network set up and connected to a Cyberoam firewall CR300i. I want to configure another firewall, a Juniper NS5GT, so that I can access it from outside using an external public IP. The external IP given is 210.212.161.99 (untrust zone) and the internal LAN IP that is mapped to it is 172.16.40.200 (trust zone). Kindly help with the configuration.

Re: Throughput Issue in MX960 During NATing


Hello there,

Thanks for posting the configs, topology and printouts.

From what I see You are having a cosmetic/display issue here.

First things first - MS-DPC NPU t'put is around 10Gbps where 10Gbps is a sum of inside->outside (or PRIVATE->PUBLIC) and outside->inside (or PUBLIC->PRIVATE) bps. 

I will explain this further.

"monitor interface sp-8/0/0" printouts show You the sum of:

- client->server (c2s) traffic ENTERING sp-8/0/0 private side + server->client (s2c) traffic ENTERING sp-8/0/0 public side, roughly 10Gbps on L3.

- client->server (c2s) traffic LEAVING sp-8/0/0 public side + server->client (s2c) traffic LEAVING sp-8/0/0 private side, roughly 10Gbps on L3.

So far so good.

The "monitor interface xe-9/1/3" printouts show You:

- c2s traffic in one direction

- s2c traffic in the other direction, and

- bps at L2, not L3 as SP interface shows.

Now, let's see how much traffic You are offering to NPU.

xe-9/1/3 input is 9Gbps.

xe-9/1/2 input is 6Gbps.

Summing it up, You are offering 15Gbps of traffic at L2 to NPU while it is able to process only 10Gbps at L3.

Your average packet size is ~1282 Bytes from sp-8/0/0 stats, therefore 15Gbps of L2 translates to 15 * (1282/1296) = 14.8Gbps of L3. Still above 10Gbps, and I reckon You are losing ~4.8Gbps inside NPU.

I hope this makes sense. 

Please post "show services service-set statistics packet-drops" printout to see the reason. I reckon Your NPU CPU is at nearly 100%.
HTH

Thx

Alex
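The L2-to-L3 budget Alex walks through, as an added example that is not part of the thread (not Juniper's code either). It assumes an untagged 14-byte Ethernet header (the 1282 -> 1296 relation in the post) and a 10 Gbps L3 NPU ceiling summed over both directions; the proportional-drop rule used to predict the LAN-side output is my assumption, and the function generalises the post's arithmetic to any number of directions.

```python
"""NPU offered-load check for the MS-DPC NAT case above (added example, not thread code).
Assumptions: L2 bytes = L3 bytes + 14 (untagged Ethernet, no FCS), the 1282 -> 1296
relation used in the post; the NPU forwards 10 Gbps at L3 as the SUM of both
directions; when overloaded it drops both directions proportionally (my assumption,
used only to predict what the LAN port would then show)."""
from dataclasses import dataclass

ETH_HEADER_BYTES = 14  # assumption: untagged Ethernet header, FCS not counted


@dataclass
class Direction:
    name: str       # which port/direction the input rate was read from
    l2_gbps: float  # input rate as "monitor interface" shows it on the LAN/WAN port


def l2_to_l3(l2_gbps, avg_l3_bytes, overhead=ETH_HEADER_BYTES):
    """Scale a port-level (L2) rate to the L3 rate the service PIC accounts for."""
    return l2_gbps * avg_l3_bytes / (avg_l3_bytes + overhead)


def l3_to_l2(l3_gbps, avg_l3_bytes, overhead=ETH_HEADER_BYTES):
    """Inverse of l2_to_l3, to compare NPU output back with port counters."""
    return l3_gbps * (avg_l3_bytes + overhead) / avg_l3_bytes


def npu_budget(directions, avg_l3_bytes, npu_capacity_gbps=10.0):
    """Return (offered_l3_gbps, loss_l3_gbps, predicted_l2_out_by_direction).
    The sp interface counts c2s + s2c on both input and output, so capacity is
    compared with the sum over directions, never with a single one."""
    offered = [l2_to_l3(d.l2_gbps, avg_l3_bytes) for d in directions]
    total = sum(offered)
    loss = max(0.0, total - npu_capacity_gbps)
    keep = min(1.0, npu_capacity_gbps / total) if total else 1.0  # proportional drop
    out = {d.name: l3_to_l2(o * keep, avg_l3_bytes) for d, o in zip(directions, offered)}
    return total, loss, out


def thread_example():
    # Constructed from the post's figures: 9 Gbps in on xe-9/1/3, 6 Gbps in on
    # xe-9/1/2, average L3 packet of 1282 bytes from the sp-8/0/0 counters.
    dirs = [Direction("c2s in on xe-9/1/3", 9.0), Direction("s2c in on xe-9/1/2", 6.0)]
    return npu_budget(dirs, avg_l3_bytes=1282)


if __name__ == "__main__":
    total, loss, out = thread_example()
    print(f"offered {total:.1f} Gbps L3, NPU loss {loss:.1f} Gbps, "
          f"LAN-side output ~{out['s2c in on xe-9/1/2']:.1f} Gbps")
```

Under the proportional-drop assumption the surviving s2c share comes out at about 4 Gbps on the LAN port, which is the figure the original poster reported.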
Re: Routing for Dual ISP failover


Hello,


kroach2911 wrote:

Hi Alex,

Obviously this is a lab situation, but convergence time for failover takes about 90 packets (3 minutes).


I reckon this is with "interface disable" method and that did not bring Your SRX' eBGP interface down for whatever reason.

Can You re-test with cable pull instead?

If You are still worried that Your eBGP session might silently fail and Your convergence has to rely on BGP holdtime, then consider adding RPM or BFD to SRX eBGP interface to speed up the process.

HTH

Thx

Alex

How to access ns5gt juniper firewall externally

Moved to ScreenOS Firewalls Forum