


  • 1.  SRX: both flow and packet mode

    Posted 08-18-2010 07:17

    Hello, forum.

     

    Is there any way to enable both flow and packet mode?

    I am looking for any suggestion on how to configure MPLS/L3VPN on the SRX and enable flow services for traffic destined for the VRF.


    #selective.packetmode


  • 2.  RE: SRX: both flow and packet mode

    Posted 08-31-2010 14:05

    AFAIK you configure devices to direct traffic to use packet-based forwarding on the internal LAN and then direct the same traffic to use flow-based forwarding as it transits to the Internet.

    Please find the sample configs below.

    http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-admin-guide/config-selective-stateless-chap.html



  • 3.  RE: SRX: both flow and packet mode
    Best Answer

    Posted 09-06-2010 05:46

    My solution follows below.

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    mtu 1500;
                    address 192.168.100.1/30;
                }
                family mpls {
                    filter {
                        input mpls;
                    }
                }
            }                               
        }
        lt-0/0/0 {
            unit 1 {
                description "Tunnel Interface bound to Packet VRF";
                encapsulation frame-relay;
                dlci 30;
                peer-unit 2;
                family inet {
                    filter {
                        input packet-mode;
                    }
                }
            }
            unit 2 {
                encapsulation frame-relay;
                dlci 30;
                peer-unit 1;
                family inet;
            }
        }
        fe-0/0/2 {
            unit 0 {
                family inet {
                    address 10.15.14.1/24;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 1.1.1.2/32;
                }
            }
            unit 1 {
                family inet {
                    address 10.15.16.1/32;
                }
            }
        }
    }

     

    protocols {
        mpls {
            interface ge-0/0/0.0;
            interface lo0.0;
        }
        bgp {
            local-address 1.1.1.2;
            group ELTEL {
                type internal;
                family inet {
                    labeled-unicast;
                }
                family inet-vpn {           
                    unicast;
                }
                export iBGP-export;
                neighbor 1.1.1.1 {
                    description RemotePE;
                }
            }
        }
        ospf {
            reference-bandwidth 40k;
            area 0.0.0.1 {
                stub;
                interface ge-0/0/0.0;
                interface lo0.0 {
                    passive;
                }
            }
        }
        ldp {
            import LDP_exchange;
            export LDP_exchange;
            egress-policy LDP_originate;
            transport-address 1.1.1.2;
            interface ge-0/0/0.0;
            interface lo0.0;
        }
    }
    
    [ Policies are obvious and omitted here. ]
    
    security {
        zones {
            security-zone untrust {
                address-book {
                    address MPLS-LO 1.1.1.2/32;
                }
                host-inbound-traffic {
                    system-services {
                        telnet;
                    }
                    protocols {
                        ospf;
                        ldp;
                        bgp;
                    }
                }
                interfaces {                
                    ge-0/0/0.0;
                    lo0.0;
                }
            }
            security-zone trust-flow {
                host-inbound-traffic {
                    system-services {
                        telnet;
                        ping;
                    }
                }
                interfaces {
                    fe-0/0/2.0;
                }
            }
            security-zone untrust-flow {
                interfaces {
                    lt-0/0/0.2;
                }
            }
            security-zone untrust-pctks {
                interfaces {
                    lt-0/0/0.1;
                    lo0.1;
                }
            }
        }
        policies {
            from-zone untrust to-zone untrust {
                policy LDP {
                    match {
                        source-address any;
                        destination-address MPLS-LO;
                        application [ junos-ldp-tcp junos-ldp-udp ];
                    }
                    then {
                        permit;
                    }
                }
                policy BGP {
                    match {
                        source-address any-ipv4;
                        destination-address MPLS-LO;
                        application junos-bgp;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust-flow to-zone untrust-flow {
                policy permit-all {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {                  
                        permit;
                    }
                }
            }
            default-policy {
                deny-all;
            }
        }
        flow {
            tcp-mss {
                all-tcp {
                    mss 1400;
                }
            }
        }
    }
    firewall {
        family inet {
            filter packet-mode {
                interface-specific;
                term main {
                    then {
                        count pctks;
                        packet-mode;
                        accept;
                    }
                }
            }
        }
        family mpls {
            filter mpls {
                term main {
                    then {
                        count mpls;
                        packet-mode;
                        accept;
                    }
                }
            }
        }
    }
    routing-instances {
        TEST {
            instance-type vrf;
            interface lt-0/0/0.1;
            interface lo0.1;
            route-distinguisher 65535:111;
            vrf-import vrf_TEST_in;
            vrf-export vrf_TEST_out;
            routing-options {
                static {                    
                    route 10.15.14.0/24 next-hop lt-0/0/0.1;
                }
            }
        }
        TEST-VR {
            instance-type virtual-router;
            interface lt-0/0/0.2;
            interface fe-0/0/2.0;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop lt-0/0/0.2;
                }
            }
        }
    }

    The solution is in applying the appropriate filters to the ge-0/0/0 and lt-0/0/0 interfaces. It works well with Junos 10.3. I found the hint about the filters in a presentation from Juniper describing how flow mode works on the branch SRX series.


    #SRX
    #MPLS
    #flow
    #Mode
    #L3VPN
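
As an added check (this is not code from the thread or from Juniper), the following Python parses a constructed, condensed version of the configuration above and reports, per interface unit and family, whether traffic is handed to packet mode (an input filter whose term carries the packet-mode action) or stays in flow mode, which is what you want to verify before trusting that the VRF-bound traffic is really being inspected. It assumes only the filter and interface names shown in the thread.

```python
import re

# Constructed sample condensed from the configuration posted in this thread (not the full config).
SAMPLE = """interfaces {
    ge-0/0/0 { unit 0 { family inet { address 192.168.100.1/30; } family mpls { filter { input mpls; } } } }
    lt-0/0/0 { unit 1 { peer-unit 2; family inet { filter { input packet-mode; } } } unit 2 { peer-unit 1; family inet; } }
    fe-0/0/2 { unit 0 { family inet { address 10.15.14.1/24; } } }
}
firewall {
    family inet { filter packet-mode { term main { then { packet-mode; accept; } } } }
    family mpls { filter mpls { term main { then { count mpls; packet-mode; accept; } } } }
}"""

def parse_junos(text):
    """Parse Junos curly-brace syntax into nested dicts; leaf statements map to None."""
    stack, head, cur = [], "", {}
    for tok in re.split(r"([{};])", text):
        if tok == "{":                       # open a child block under the pending header
            cur[head] = {}
            stack.append(cur)
            cur = cur[head]
        elif tok == ";":                     # leaf statement, e.g. "input packet-mode"
            cur[head] = None
        elif tok == "}":
            cur = stack.pop()
        else:
            head = " ".join(tok.split())     # header text with whitespace normalised
    return cur                               # braces are balanced, so this is the root again

def packet_mode_filters(cfg):
    """Names of firewall filters (any family) that have a term with the packet-mode action."""
    names = set()
    for fam in cfg.get("firewall", {}).values():             # "family inet" / "family mpls"
        for key, flt in fam.items():
            if key.startswith("filter ") and any(
                    t.startswith("term ") and "packet-mode" in (b.get("then") or {}) for t, b in flt.items()):
                names.add(key.split()[1])
    return names

def forwarding_modes(cfg):
    """Map '<unit>/<family>' to 'packet' or 'flow' by resolving each family's input filter."""
    pm, modes = packet_mode_filters(cfg), {}
    for ifname, ifbody in cfg.get("interfaces", {}).items():
        for unit, ubody in ifbody.items():
            for fam, fbody in (ubody.items() if unit.startswith("unit ") else ()):
                if fam.startswith("family "):                 # skip peer-unit, description, ...
                    inputs = {s.split()[1] for s in ((fbody or {}).get("filter") or {}) if s.startswith("input ")}
                    key = f"{ifname}.{unit.split()[1]}/{fam.split()[1]}"
                    modes[key] = "packet" if inputs & pm else "flow"
    return modes
```

Run `forwarding_modes(parse_junos(SAMPLE))` against a full `show configuration` dump to confirm that only lt-0/0/0.1 and the MPLS family of ge-0/0/0.0 bypass flow processing, while lt-0/0/0.2 and the LAN side remain in flow mode.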


  • 4.  RE: SRX: both flow and packet mode

    Posted 08-12-2013 04:19
    Thanks for the share!


  • 5.  RE: SRX: both flow and packet mode

    Posted 08-20-2013 03:17

    Thanks so much for sharing. I will read it more carefully.