Blog Entry
What are the differences in packet processing between a VT interface and an LSI interface (vrf-table-label or no-tunnel-services)?

Answer: The LSI interface provides better packet processing performance than the VT interface, unless there are core-facing interface restrictions or loss of ingress forwarding functionality, because the frame is sent only once through the route lookup


Discussion Post
ipsec with selective packet services and flow mode master vr with router on a stick

Hi, I want to have this configuration with srx210. Please see attached diagram, also configuration. I also attached chassis cluster diagram, which is not important, I think. Just in case... I have a remote site. Its name is (branch-)pernik and a central site domino. Branch consists of chassis cluster...

3 attachments

Focus Search -

## Last changed: 2011-09-12 06:03:06 UTC
version 10.4R6.5;
system (
    host-name srx1;
    root-authentication ( encrypted-password xxxxxxxxxxx ## SECRET-DATA )
    name-server ( 208.67.222.222; 208.67.220.220; )
    services ( ssh; dhcp ( router ( 192.168.2.1; ) pool 192.168.2.0/24 ( address-range low 192.168.2.2 high 192.168.2.254; ) propagate-settings ge-0/0/0.0; ) )
    syslog ( archive size 100k files 3; user * ( any emergency; ) file messages ( any critical; authorization info; ) file interactive-commands ( interactive-commands error; ) )
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license ( autoupdate ( url https://ae1.juniper.net/junos/key_retrieval; ) )
)
interfaces (
    ge-0/0/0 ( unit 0 ( family inet ( filter ( input packet-mode; ) address 1.2.3.1/24; ) ) )
    lt-0/0/0 ( unit 0 ( description to master flow instance encapsulation ethernet; peer-unit 1; family inet ( filter ( input packet-mode; ) address 1.1.1.1/24; ) ) unit 1 ( description to packet VR encapsulation ethernet; peer-unit 0; family inet ( address 1.1.1.2/24; ) ) )
    ge-0/0/1 ( unit 0 ( family ethernet-switching ( vlan ( members vlan-trust; ) ) ) )
    fe-0/0/2 ( unit 0 ( family ethernet-switching ( vlan ( members vlan-trust; ) ) ) )
    fe-0/0/3 ( unit 0 ( family ethernet-switching ( vlan ( members vlan-trust; ) ) ) )
    fe-0/0/4 ( unit 0 ( family ethernet-switching ( vlan ( members vlan-trust; ) ) ) )
    fe-0/0/5 ( unit 0 ( family ethernet-switching ( vlan ( members vlan-trust; ) ) ) )
    fe-0/0/6 ( unit 0 ( family ethernet-switching ( vlan ( members vlan-trust; ) ) ) )
    fe-0/0/7 ( unit 0 ( family ethernet-switching ( vlan ( members vlan-trust; ) ) ) )
    st0 ( unit 0 ( family inet ( address 10.199.0.1/24; ) ) )
    vlan ( unit 0 ( family inet ( address 192.168.2.1/24; ) ) )
)
routing-options (
    static ( route 192.168.1.0/24 next-hop st0.0; inactive: route 0.0.0.0/0 next-hop 1.2.3.4; route 1.2.3.0/24 next-hop [ lt-0/0/1.0 1.1.1.1 ]; )
)
security (
    ike ( inactive: traceoptions ( file size 1m; flag policy-manager; flag ike; flag routing-socket; ) policy ike-policy-cfgr ( mode main; proposal-set standard; pre-shared-key ascii-text xxxxxxxx ## SECRET-DATA ) gateway ike-gate-cfgr ( ike-policy ike-policy-cfgr; address 1.2.3.4; external-interface lt-0/0/1; ) )
    ipsec ( traceoptions ( flag all; ) policy ipsec-policy-cfgr ( proposal-set standard; ) vpn ipsec-vpn-cfgr ( bind-interface st0.0; vpn-monitor ( optimized; ) ike ( gateway ike-gate-cfgr; ipsec-policy ipsec-policy-cfgr; ) ) )
    inactive: nat ( source ( rule-set korexadm-to-untrust ( from zone korexadm; to zone untrust; rule source-nat-rule ( match ( source-address 0.0.0.0/0; ) then ( source-nat ( interface; ) ) ) ) ) )
    screen ( ids-option untrust-screen ( icmp ( ping-death; ) ip ( source-route-option; tear-drop; ) tcp ( syn-flood ( alarm-threshold 1024; attack-threshold 200; source-threshold 1024; destination-threshold 2048; timeout 20; ) land; ) ) )
    zones (
        security-zone untrust ( screen untrust-screen; host-inbound-traffic ( system-services ( ike; ) ) interfaces ( ge-0/0/0.0 ( host-inbound-traffic ( system-services ( ike; ping; ) ) ) ) )
        security-zone vpn ( address-book ( address net-cfgr_192-168-1-0--24 192.168.1.0/24; ) interfaces ( st0.0; ) )
        security-zone korexadm ( address-book ( address net-cfgr_192-168-2-0--24 192.168.2.0/24; ) host-inbound-traffic ( system-services ( all; ) protocols ( all; ) ) interfaces ( vlan.0; ) )
        security-zone a ( interfaces ( lt-0/0/0.0 ( host-inbound-traffic ( system-services ( all; ) protocols ( all; ) ) ) ) )
        security-zone b ( interfaces ( lt-0/0/0.1 ( host-inbound-traffic ( system-services ( all; ) protocols ( all; ) ) ) ) )
    )
    policies (
        from-zone korexadm to-zone vpn ( policy korexadm-vpn-cfgr ( match ( source-address net-cfgr_192-168-2-0--24; destination-address net-cfgr_192-168-1-0--24; application any; ) then ( permit; ) ) )
        from-zone vpn to-zone korexadm ( policy vpn-korexadm-cfgr ( match ( source-address net-cfgr_192-168-1-0--24; destination-address net-cfgr_192-168-2-0--24; application any; ) then ( permit; ) ) )
        from-zone korexadm to-zone untrust ( policy trust-to-untrust ( match ( source-address any; destination-address any; application any; ) then ( permit; ) ) )
        from-zone a to-zone b ( policy accept ( match ( source-address any; destination-address any; application any; ) then ( permit; ) ) )
        from-zone b to-zone a ( policy accept ( match ( source-address any; destination-address any; application any; ) then ( permit; ) ) )
        from-zone a to-zone untrust ( policy accept ( match ( source-address any; destination-address any; application any; ) then ( permit; ) ) )
        from-zone untrust to-zone a ( policy accept ( match ( source-address any; destination-address any; application any; ) then ( permit; ) ) )
    )
    alg ( ftp disable; )
    flow ( tcp-mss ( ipsec-vpn ( mss 1350; ) ) )
)
firewall (
    family inet ( filter packet-mode ( term host-inbound ( from ( destination-address ( 10.2.1.1/32; ) ) then accept; ) term packet-mode-rest ( then ( packet-mode; accept; ) ) ) )
)
routing-instances (
    Packet-VR ( instance-type virtual-router; interface ge-0/0/0.0; interface lt-0/0/0.0; )
)
vlans (
    vlan-trust ( vlan-id 3; l3-interface vlan.0; )
)

## Last changed: 2011-09-12 11:04:43 UTC
version 10.4R6.5;
groups (
    node0 ( system ( host-name branch-pernik-0; ) interfaces ( fxp0 ( unit 0 ( family inet ( address 10.32.1.100/29; ) ) ) ) )
    node1 ( system ( host-name branch-pernik-1; ) interfaces ( fxp0 ( unit 0 ( family inet ( address 10.32.1.101/29; ) ) ) ) )
)
apply-groups $(node)
system (
    # root-authentication ( # encrypted-password xxxxxxx ## SECRET-DATA )
    name-server ( 208.67.222.222; 208.67.220.220; )
    services ( ssh; dhcp ( router ( 192.168.1.1; ) pool 192.168.1.0/24 ( address-range low 192.168.1.2 high 192.168.1.254; ) propagate-settings ge-0/0/0.0; ) )
    syslog ( archive size 100k files 3; user * ( any emergency; ) file messages ( any critical; authorization info; ) file interactive-commands ( interactive-commands error; ) )
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license ( autoupdate ( url https://ae1.juniper.net/junos/key_retrieval; ) )
)
chassis (
    cluster ( reth-count 2; redundancy-group 0 ( node 0 priority 100; node 1 priority 1; ) redundancy-group 1 ( node 0 priority 100; node 1 priority 1; interface-monitor ( ge-0/0/0 weight 255; ge-2/0/0 weight 255; fe-0/0/2 weight 255; fe-2/0/2 weight 255; ) ) )
)
interfaces (
    ge-0/0/0 ( gigether-options ( redundant-parent reth0; ) )
    fe-0/0/2 ( fastether-options ( redundant-parent reth1; ) )
    ge-2/0/0 ( gigether-options ( redundant-parent reth0; ) )
    fe-2/0/2 ( fastether-options ( redundant-parent reth1; ) )
    fab0 ( fabric-options ( member-interfaces ( fe-0/0/4; fe-0/0/5; ) ) )
    fab1 ( fabric-options ( member-interfaces ( fe-2/0/4; fe-2/0/5; ) ) )
    reth0 ( redundant-ether-options ( redundancy-group 1; ) unit 0 ( family inet ( address 192.168.1.1/24; ) ) )
    reth1 ( redundant-ether-options ( redundancy-group 1; ) unit 0 ( family inet ( address 1.2.3.4/24; ) ) )
    st0 ( unit 0 ( family inet ( address 10.199.0.2/24; ) ) )
)
routing-options (
    static ( route 192.168.2.0/24 next-hop st0.0; route 0.0.0.0/0 next-hop 1.2.3.1; route 1.1.1.0/24 next-hop 1.2.3.1; )
)
security (
    ike ( policy ike-policy-cfgr ( mode main; proposal-set standard; pre-shared-key ascii-text XXXXX; ## SECRET-DATA ) gateway ike-gate-cfgr ( ike-policy ike-policy-cfgr; address 1.1.1.2; external-interface reth1.0; ) )
    ipsec ( policy ipsec-policy-cfgr ( proposal-set standard; ) vpn ipsec-vpn-cfgr ( bind-interface st0.0; vpn-monitor ( optimized; ) ike ( gateway ike-gate-cfgr; ipsec-policy ipsec-policy-cfgr; ) ) )
    inactive: nat ( source ( rule-set kxpernik-to-untrust ( from zone kxpernik; to zone untrust; rule source-nat-rule ( match ( source-address 0.0.0.0/0; ) then ( source-nat ( interface; ) ) ) ) ) )
    screen ( ids-option untrust-screen ( icmp ( ping-death; ) ip ( source-route-option; tear-drop; ) tcp ( syn-flood ( alarm-threshold 1024; attack-threshold 200; source-threshold 1024; destination-threshold 2048; timeout 20; ) land; ) ) )
    zones (
        security-zone vpn ( address-book ( address net-cfgr_192-168-2-0--24 192.168.2.0/24; ) interfaces ( st0.0; ) )
        security-zone kxpernik ( address-book ( address net-cfgr_192-168-1-0--24 192.168.1.0/24; ) host-inbound-traffic ( system-services ( all; ) protocols ( all; ) ) interfaces ( reth0.0; ) )
        security-zone untrust ( screen untrust-screen; host-inbound-traffic ( system-services ( ike; ping; ) ) interfaces ( reth1.0; ) )
    )
    policies (
        from-zone kxpernik to-zone vpn ( policy kxpernik-vpn-cfgr ( match ( source-address net-cfgr_192-168-1-0--24; destination-address net-cfgr_192-168-2-0--24; application any; ) then ( permit; ) ) )
        from-zone vpn to-zone kxpernik ( policy vpn-kxpernik-cfgr ( match ( source-address net-cfgr_192-168-2-0--24; destination-address net-cfgr_192-168-1-0--24; application any; ) then ( permit; ) ) )
        from-zone kxpernik to-zone untrust ( policy kxpernik-to-untrust ( match ( source-address any; destination-address any; application any; ) then ( permit; ) ) )
    )
    alg ( ftp disable; )
    flow ( tcp-mss ( ipsec-vpn ( mss 1350; ) ) )
)