[j-nsp] IOS to JUNOS VRF
Jonathan Looney
jonlooney at gmail.com
Thu May 8 10:23:33 EDT 2008
PS: If you happen to be running JUNOS software with enhanced services
(which is an option on the J-series), I *think* this configuration will
work. Note that this configuration doesn't use virtual routers. You *can*
use virtual routers in JUNOS software with enhanced services; I just don't
think it's necessary in this case. (Again, this is not tested and comes with
no guarantees, etc.):

interfaces {
    ge-0/0/0 {
        description "Trunk Giga";
        vlan-tagging;
        speed 100m;
        link-mode full-duplex;
        gigether-options {
            no-auto-negotiation;
        }
        unit 20 {
            vlan-id 20;
            family inet {
                address 192.168.20.134/24;
            }
        }
        unit 400 {
            vlan-id 400;
            family inet {
                address 172.26.0.6/28;
            }
        }
    }
    ge-0/0/1 {
        description Internet;
        speed 100m;
        link-mode full-duplex;
        gigether-options {
            no-auto-negotiation;
        }
        unit 0 {
            family inet {
                address 201.201.45.240/26;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 201.201.45.243;
        route 10.0.0.0/8 next-hop 172.26.0.1;
    }
}
security {
    nat {
        interface ge-0/0/1.0 {
            source-nat {
                pool POOL-02 {
                    address {
                        201.34.34.1;
                    }
                }
            }
        }
    }
    zones {
        security-zone inside {
            address-book {
                address ten-slash-eight 10.0.0.0/8;
            }
            interfaces {
                ge-0/0/0.20;
                ge-0/0/0.400;
            }
        }
        security-zone outside {
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
    policies {
        from-zone inside to-zone outside {
            policy permit-all {
                match {
                    source-address ten-slash-eight;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        source-nat {
                            pool POOL-02;
                        }
                    }
                }
            }
        }
    }
}

On Thu, May 8, 2008 at 10:11 AM, Jonathan Looney <jonlooney at gmail.com>
wrote:
> Assuming you are running traditional JUNOS, here is a translation (not
> tested, no guarantees, etc.):
>
> interfaces {
>     ge-0/0/0 {
>         description "Trunk Giga";
>         vlan-tagging;
>         speed 100m;
>         link-mode full-duplex;
>         gigether-options {
>             no-auto-negotiation;
>         }
>         unit 20 {
>             vlan-id 20;
>             family inet {
>                 address 192.168.20.134/24;
>             }
>         }
>         unit 400 {
>             vlan-id 400;
>             family inet {
>                 address 172.26.0.6/28;
>             }
>         }
>     }
>     sp-0/0/0 {
>         unit 0 {
>             family inet;
>         }
>         unit 1 {
>             family inet;
>             service-domain inside;
>         }
>         unit 2 {
>             family inet;
>             service-domain outside;
>         }
>     }
>     ge-0/0/1 {
>         description Internet;
>         speed 100m;
>         link-mode full-duplex;
>         gigether-options {
>             no-auto-negotiation;
>         }
>         unit 0 {
>             family inet {
>                 address 201.201.45.240/26;
>             }
>         }
>     }
> }
> routing-options {
>     static {
>         route 0.0.0.0/0 next-hop 201.201.45.243;
>     }
> }
> routing-instances {
>     VRF01 {
>         instance-type virtual-router;
>         interface ge-0/0/0.20;
>         interface ge-0/0/0.400;
>         interface sp-0/0/0.1;
>         routing-options {
>             static {
>                 route 0.0.0.0/0 next-hop sp-0/0/0.1;
>                 route 10.0.0.0/8 next-hop 172.26.0.1;
>             }
>         }
>     }
> }
> services {
>     nat {
>         pool POOL-02 {
>             address 201.34.34.1/32;
>             port automatic;
>         }
>         rule VRF-TO-INTERNET {
>             match-direction input;
>             term ALGs {
>                 from {
>                     source-address {
>                         10.0.0.0/8;
>                     }
>                     application-sets junos-algs-outbound;
>                 }
>                 then {
>                     translated {
>                         source-pool POOL-02;
>                         translation-type {
>                             source dynamic;
>                         }
>                     }
>                 }
>             }
>             term translate-all {
>                 from {
>                     source-address {
>                         10.0.0.0/8;
>                     }
>                 }
>                 then {
>                     translated {
>                         source-pool POOL-02;
>                         translation-type {
>                             source dynamic;
>                         }
>                     }
>                 }
>             }
>         }
>     }
>     service-set NH-VRF01 {
>         nat-rules VRF-TO-INTERNET;
>         next-hop-service {
>             inside-service-interface sp-0/0/0.1;
>             outside-service-interface sp-0/0/0.2;
>         }
>     }
> }
>
>
>
> Hope that helps!
>
> -Jon
>
>
>
> On Thu, May 8, 2008 at 9:58 AM, GIULIANO (UOL) <giulianocm at uol.com.br>
> wrote:
>
>> Alexander,
>>
>> It is a J-2350 2GM RAM, 1 GB CF and JUNOS 9.1R1.8.
>>
>> Thanks,
>>
>> Att,
>>
>>
>> > Hi Giuliano,
>> >
>> > Is that M- or J- series?
>> > Because on M-series you would need AS, or AS-II or similar PIC
>> > installed for this one to implement:
>> > ip nat inside source list 1 pool POOL-02 vrf VRF01 overload
>> >
>> > -Alexander
>> >
>> >
>> > On 5/5/08, GIULIANO (UOL) <giulianocm at uol.com.br> wrote:
>> >> People,
>> >>
>> >> I need to convert the following script in a CISCO router with IOS 12.4
>> >> to JUNOS 9.1.
>> >>
>> >> The VRF only uses Static Routes. Can someone help me do that?
>> >>
>> >>
>> >> Thanks a lot,
>> >>
>> >> Giuliano
>> >>
>> >>
>> >>
>> >> !
>> >> !
>> >> !
>> >> ip vrf VRF01
>> >>  rd 34567:400
>> >> !
>> >> !
>> >> !
>> >> interface GigabitEthernet0/0
>> >>  description Trunk Giga
>> >>  no ip address
>> >>  duplex full
>> >>  speed 100
>> >>  media-type rj45
>> >> !
>> >> !
>> >> !
>> >> interface GigabitEthernet0/0.20
>> >>  encapsulation dot1Q 20
>> >>  ip vrf forwarding VRF01
>> >>  ip address 192.168.20.134 255.255.255.0
>> >> !
>> >> !
>> >> !
>> >> interface GigabitEthernet0/0.400
>> >>  encapsulation dot1Q 400
>> >>  ip vrf forwarding VRF01
>> >>  ip address 172.26.0.6 255.255.255.240
>> >>  ip nat inside
>> >> !
>> >> !
>> >> !
>> >> interface GigabitEthernet0/1
>> >>  description Internet
>> >>  ip address 201.201.45.240 255.255.255.192
>> >>  ip nat outside
>> >>  duplex full
>> >>  speed 100
>> >>  media-type rj45
>> >> !
>> >> !
>> >> !
>> >> ip classless
>> >> ip route 0.0.0.0 0.0.0.0 201.201.45.253
>> >> ip route vrf VRF01 0.0.0.0 0.0.0.0 201.201.45.253 global
>> >> ip route vrf VRF01 10.0.0.0 255.0.0.0 172.26.0.1
>> >> !
>> >> !
>> >> access-list 1 permit 10.0.0.0 0.255.255.255
>> >> !
>> >> !
>> >> ip nat pool POOL-01 201.201.78.20 201.201.78.20 prefix-length 24
>> >> ip nat pool POOL-02 201.34.34.1 201.34.34.1 prefix-length 24
>> >> ip nat pool FTC1 196.196.96.21 196.196.96.21 prefix-length 24
>> >> ip nat pool FTC2 198.196.78.22 198.196.78.22 prefix-length 24
>> >> !
>> >> !
>> >> ip nat inside source list 1 pool POOL-02 vrf VRF01 overload
>> >> _______________________________________________
>> >> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
>> >>
>
>
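
The following is an added example, not part of the original thread or of any poster's configuration: a Python check that the static routes in a JUNOS translation carry the same next hops as the IOS source. The route lines are copied from the messages above; the function names are illustrative, and the parser assumes the simple "route PREFIX next-hop ADDRESS;" form used in this thread.

```python
import ipaddress
import re

# Route lines copied from the thread: the IOS source and the static
# routes of the JUNOS enhanced-services translation (no virtual router,
# so global and VRF01 routes land in one table).
IOS_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 201.201.45.253
ip route vrf VRF01 0.0.0.0 0.0.0.0 201.201.45.253 global
ip route vrf VRF01 10.0.0.0 255.0.0.0 172.26.0.1
"""
JUNOS_CONFIG = """\
routing-options {
    static {
        route 0.0.0.0/0 next-hop 201.201.45.243;
        route 10.0.0.0/8 next-hop 172.26.0.1;
    }
}
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
IOS_ROUTE = re.compile(rf"^ip route(?: vrf \S+)? {IPV4} {IPV4} {IPV4}", re.M)
JUNOS_ROUTE = re.compile(rf"\broute (\S+) next-hop {IPV4};")


def _table(entries):
    """Build {network: set(next hops)} from (network string, hop) pairs."""
    table = {}
    for net, hop in entries:
        key = ipaddress.ip_network(net)  # raises on host bits or bad masks
        table.setdefault(key, set()).add(str(ipaddress.ip_address(hop)))
    return table


def ios_routes(text):
    """Parse IOS 'ip route' lines, global and VRF alike."""
    return _table((f"{p}/{m}", h) for p, m, h in IOS_ROUTE.findall(text))


def junos_routes(text):
    """Parse JUNOS static 'route ... next-hop ...;' statements."""
    return _table(JUNOS_ROUTE.findall(text))


def diff_routes(ios, junos):
    """Return (network, ios_hops, junos_hops) for every disagreement."""
    nets = sorted(set(ios) | set(junos))
    return [(str(n), sorted(ios.get(n, ())), sorted(junos.get(n, ())))
            for n in nets if ios.get(n, set()) != junos.get(n, set())]


if __name__ == "__main__":
    for row in diff_routes(ios_routes(IOS_CONFIG), junos_routes(JUNOS_CONFIG)):
        print("MISMATCH %s: IOS %s, JUNOS %s" % row)
```

On these excerpts the check reports one difference: the default route points at 201.201.45.253 in the IOS configuration and at 201.201.45.243 in the translation, while the 10.0.0.0/8 route matches.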