[j-nsp] L3VPN on J series enhance services
ade
ade at nec.co.id
Fri Oct 30 20:04:45 EDT 2009
Samin-san
Please configure the J-series like this; it should help.
PC-----J4350-----J2350------PC
L3VPN works well when you disable the security features in Junos Enhanced Services — in the configurations below every zone and policy permits all traffic, so the stateful firewall no longer filters anything.
ade
root# show | no-more
## Last changed: 2009-10-31 09:05:56 UTC
version 9.2R4.4;
system {
/* NOTE(review): the $1$ (md5crypt) password hashes in this listing were posted
   to a public mailing list; treat them as disclosed. */
root-authentication {
encrypted-password "$1$9aQTmFHm$lNkr4e5JOZC0TYiq.TUe/1"; ##
SECRET-DATA
}
login {
user lab {
uid 2001;
class super-user;
authentication {
encrypted-password "$1$2Ef07UvV$lITxZrsWXDDBZFgNISmAj0"; ##
SECRET-DATA
}
}
}
/* telnet and plain http web-management are enabled next to ssh; both carry
   credentials in cleartext. */
services {
ssh;
telnet;
web-management {
http {
interface [ ge-0/0/0.0 ge-2/0/0.0 ];
}
}
}
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
chassis {
fpc 2 {
pic 0 {
ethernet {
pic-mode enhanced-switching;
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0;
}
/* link-services bundle carrying inet + mpls over the two unframed E1s
   (e1-3/0/0 and e1-3/0/1 below). This is the core-facing interface. */
ls-0/0/0 {
unit 1 {
family inet {
address 192.168.1.1/30;
}
family mpls;
}
}
ge-0/0/1 {
unit 0;
}
ge-2/0/0 {
unit 0 {
family inet {
address 50.50.50.3/24;
}
}
}
ge-2/0/1 {
unit 0;
}
e1-3/0/0 {
e1-options {
framing unframed;
}
unit 0 {
family mlppp {
bundle ls-0/0/0.1;
}
}
}
e1-3/0/1 {
e1-options {
framing unframed;
}
unit 0 {
family mlppp {
bundle ls-0/0/0.1;
}
}
}
lo0 {
unit 0 {
family inet {
address 1.1.1.1/32;
}
}
}
}
routing-options {
autonomous-system 65000;
}
protocols {
mpls {
interface ls-0/0/0.1;
}
bgp {
group inte {
type internal;
local-address 1.1.1.1;
family inet-vpn {
unicast;
}
neighbor 1.1.1.2;
}
}
ospf {
area 0.0.0.0 {
interface ls-0/0/0.1;
interface lo0.0;
}
}
ldp {
interface ls-0/0/0.1;
}
}
/* This is the "security feature disabled" workaround from the post: the zone
   "default" below binds every interface and accepts all host-inbound traffic,
   every policy action is permit and default-policy is permit-all, so the
   stateful firewall enforces nothing and the box behaves as a plain router. */
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
queue-size 2000; ## Warning: 'queue-size' is deprecated
timeout 20;
}
land;
}
}
}
zones {
/* untrust and trust bind no interfaces here, so the untrust-screen and the
   trust/untrust policies appear to be unused — confirm. */
security-zone untrust {
screen untrust-screen;
}
security-zone trust {
tcp-rst;
}
/* Catches every interface, including ls-0/0/0.1 which carries OSPF/LDP/BGP,
   with all system-services and protocols open to the control plane. */
security-zone default {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
all;
}
}
}
policies {
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
/* NOTE(review): named default-deny, but the action below is permit. */
policy default-deny {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
/* Anything not matched by a policy above is still allowed. */
default-policy {
permit-all;
}
}
}
/* Customer VRF: ge-2/0/0.0 (50.50.50.3/24) is the PE-CE interface. */
routing-instances {
l3vpn {
instance-type vrf;
interface ge-2/0/0.0;
route-distinguisher 65000:1;
vrf-target target:65000:1;
vrf-table-label;
}
}
[edit]
root# run ping routing-instance l3vpn 192.168.0.100
PING 192.168.0.100 (192.168.0.100): 56 data bytes
64 bytes from 192.168.0.100: icmp_seq=0 ttl=127 time=4.164 ms
64 bytes from 192.168.0.100: icmp_seq=1 ttl=127 time=7.286 ms
64 bytes from 192.168.0.100: icmp_seq=2 ttl=127 time=6.287 ms
64 bytes from 192.168.0.100: icmp_seq=3 ttl=127 time=4.510 ms
^C
--- 192.168.0.100 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 4.164/5.562/7.286/1.281 ms
[edit]
root# run telnet 192.168.1.2
Trying 192.168.1.2...
Connected to 192.168.1.2.
Escape character is '^]'.
(ttyp0)
login: root
Password:
Login incorrect
login:
login: lab
Password:
No home directory.
Logging in with home = "/".
invalid user: getpwuid failsConnection closed by foreign host.
[edit]
root# root
^
unknown command.
[edit]
root# run telnet 192.168.1.2
Trying 192.168.1.2...
Connected to 192.168.1.2.
Escape character is '^]'.
(ttyp0)
login: root
Password:
Login incorrect
login:
login:
login:
login:
login: as
Password:
Login incorrect
login:
[edit]
root#
[edit]
root#
[edit]
root#
[edit]
root#
[edit]
root# show
## Last changed: 2009-10-31 08:43:15 UTC
version 9.2R4.4;
system {
/* NOTE(review): the $1$ (md5crypt) password hashes in this listing were posted
   to a public mailing list; treat them as disclosed. */
root-authentication {
encrypted-password "$1$LDh/6jEb$e3xe2SE9P./z89p5hpmg/0"; ##
SECRET-DATA
}
login {
user lab {
uid 2000;
class super-user;
authentication {
encrypted-password "$1$gMVASxqR$nC7jqVtrE9OEUxFG/Nkgk."; ##
SECRET-DATA
}
}
}
/* telnet and plain http web-management are enabled next to ssh; both carry
   credentials in cleartext. */
services {
ssh;
telnet;
web-management {
http {
interface [ ge-0/0/0.0 ge-0/0/1.0 ];
}
}
}
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
chassis {
fpc 0 {
pic 0 {
ethernet {
pic-mode enhanced-switching;
}
}
}
}
interfaces {
ge-0/0/0 {
vlan-tagging;
unit 0 {
vlan-id 2;
family inet {
address 192.168.10.1/24;
}
}
unit 10 {
vlan-id 10;
family inet {
address 20.20.20.1/24;
}
}
unit 20 {
vlan-id 20;
family inet {
address 40.40.40.1/24;
}
}
}
/* link-services bundle carrying inet + mpls over the two unframed E1s
   (e1-4/0/0 and e1-4/0/1 below). This is the core-facing interface. */
ls-0/0/0 {
unit 1 {
family inet {
address 192.168.1.2/30;
}
family mpls;
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 192.168.0.10/24;
}
}
}
ge-0/0/2 {
unit 0;
}
e1-4/0/0 {
clocking external;
e1-options {
framing unframed;
}
unit 0 {
family mlppp {
bundle ls-0/0/0.1;
}
}
}
e1-4/0/1 {
clocking external;
e1-options {
framing unframed;
}
unit 0 {
family mlppp {
bundle ls-0/0/0.1;
}
}
}
lo0 {
unit 0 {
family inet {
address 1.1.1.2/32;
}
}
}
vlan {
unit 10 {
family inet {
address 10.10.10.250/24;
}
}
}
}
routing-options {
autonomous-system 65000;
}
protocols {
mpls {
interface ls-0/0/0.1;
}
bgp {
group intern {
type internal;
local-address 1.1.1.2;
family inet-vpn {
unicast;
}
neighbor 1.1.1.1;
}
}
ospf {
area 0.0.0.0 {
interface lo0.0;
interface ls-0/0/0.1;
}
}
ldp {
interface ls-0/0/0.1;
}
}
/* This is the "security feature disabled" workaround from the post: the zone
   "default" below binds every interface and accepts all host-inbound traffic,
   every policy action is permit and default-policy is permit-all, so the
   stateful firewall enforces nothing and the box behaves as a plain router. */
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
queue-size 2000; ## Warning: 'queue-size' is deprecated
timeout 20;
}
land;
}
}
}
zones {
/* trust is declared empty and untrust binds no interfaces, so the
   untrust-screen and the trust/untrust policies appear to be unused — confirm. */
security-zone trust;
security-zone untrust {
screen untrust-screen;
}
/* Catches every interface, including ls-0/0/0.1 which carries OSPF/LDP/BGP,
   with all system-services and protocols open to the control plane. */
security-zone default {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
all;
}
}
}
policies {
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
/* NOTE(review): named default-deny, but the action below is permit. */
policy default-deny {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
/* Anything not matched by a policy above is still allowed. */
default-policy {
permit-all;
}
}
}
/* Customer VRF with two CE-facing interfaces: vlan.10 (10.10.10.250/24, the
   L3 interface of vlan10 below) and ge-0/0/1.0 (192.168.0.10/24). */
routing-instances {
l3vpn {
instance-type vrf;
interface vlan.10;
interface ge-0/0/1.0;
route-distinguisher 65000:1;
vrf-target target:65000:1;
vrf-table-label;
}
}
vlans {
vlan10 {
vlan-id 10;
l3-interface vlan.10;
}
}
[edit]
root# run ping routing-instance l3vpn 50.50.50.4
PING 50.50.50.4 (50.50.50.4): 56 data bytes
64 bytes from 50.50.50.4: icmp_seq=0 ttl=127 time=6.066 ms
64 bytes from 50.50.50.4: icmp_seq=1 ttl=127 time=4.414 ms
64 bytes from 50.50.50.4: icmp_seq=2 ttl=127 time=4.150 ms
64 bytes from 50.50.50.4: icmp_seq=3 ttl=127 time=5.431 ms
^C
--- 50.50.50.4 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 4.150/5.015/6.066/0.773 ms
[edit]
----- Original Message -----
From: "amin amin" <amiensda at gmail.com>
To: <juniper-nsp at puck.nether.net>
Sent: Friday, October 30, 2009 6:09 PM
Subject: [j-nsp] L3VPN on J series enhance services
> Can L3VPN run on J-series Enhanced Services? I have configured it as shown
> below, but I can never reach the far end by ping in routing instance l3vpn.
> I can't put an interface that is a member of the VRF into the security zone
> trust interface list.
>
>
> interfaces {
> ge-0/0/0 {
> vlan-tagging;
> unit 0 {
> vlan-id 2;
> family inet {
> address 192.168.10.1/24;
> }
> }
> unit 10 {
> vlan-id 10;
> family inet {
> address 20.20.20.1/24;
> }
> }
> unit 20 {
> vlan-id 20;
> family inet {
> address 40.40.40.1/24;
> }
> }
> }
> ls-0/0/0 {
> unit 1 {
> family inet {
> address 192.168.1.2/30;
> }
> family mpls;
> }
> }
> ge-0/0/1 {
> unit 0 {
> family inet {
> address 192.168.0.10/24;
> }
> }
> }
> ge-0/0/2 {
> unit 0;
> }
> e1-4/0/0 {
> clocking external;
> e1-options {
> framing unframed;
> }
> unit 0 {
> family mlppp {
> bundle ls-0/0/0.1;
> }
> }
> }
> e1-4/0/1 {
> clocking external;
> e1-options {
> framing unframed;
> }
> unit 0 {
> family mlppp {
> bundle ls-0/0/0.1;
> }
> }
> }
> lo0 {
> unit 0 {
> family inet {
> address 1.1.1.2/32;
> }
> }
> }
> vlan {
> unit 10 {
> family inet {
> address 10.10.10.250/24;
> }
> }
> }
> }
> routing-options {
> autonomous-system 65000;
> }
> protocols {
> mpls {
> interface ls-0/0/0.1;
> }
> bgp {
> group intern {
> type internal;
> local-address 1.1.1.2;
> family inet-vpn {
> unicast;
> }
> neighbor 1.1.1.1;
> }
> }
> ospf {
> area 0.0.0.0 {
> interface lo0.0;
> interface ls-0/0/0.1;
> }
> }
> ldp {
> interface ls-0/0/0.1;
> }
> }
> security {
> screen {
> ids-option untrust-screen {
> icmp {
> ping-death;
> }
> ip {
> source-route-option;
> tear-drop;
> }
> tcp {
> syn-flood {
> alarm-threshold 1024;
> attack-threshold 200;
> source-threshold 1024;
> destination-threshold 2048;
> queue-size 2000; ## Warning: 'queue-size' is deprecated
> timeout 20;
> }
> land;
> }
> }
> }
> zones {
> security-zone trust {
> tcp-rst;
> interfaces {
> ls-0/0/0.1 {
> host-inbound-traffic {
> system-services {
> all;
> }
> protocols {
> all;
> }
> }
> }
> ge-0/0/0.0 {
> host-inbound-traffic {
> system-services {
> all;
> }
> protocols {
> all;
> }
> }
> }
> ge-0/0/0.10 {
> host-inbound-traffic {
> system-services {
> all;
> }
> protocols {
> all;
> }
> }
> }
> ge-0/0/0.20 {
> host-inbound-traffic {
> system-services {
> all;
> }
> protocols {
> all;
> }
> }
> }
> ge-0/0/2.0 {
> host-inbound-traffic {
> system-services {
> all;
> }
> protocols {
> all;
> }
> }
> }
> lo0.0 {
> host-inbound-traffic {
> system-services {
> all;
> }
> protocols {
> all;
> }
> }
> }
> }
> }
> security-zone untrust {
> screen untrust-screen;
> }
> }
> policies {
> from-zone trust to-zone trust {
> policy default-permit {
> match {
> source-address any;
> destination-address any;
> application any;
> }
> then {
> permit;
> }
> }
> }
> from-zone trust to-zone untrust {
> policy default-permit {
> match {
> source-address any;
> destination-address any;
> application any;
> }
> then {
> permit;
> }
> }
> }
> from-zone untrust to-zone trust {
> policy default-deny {
> match {
> source-address any;
> destination-address any;
> application any;
> }
> then {
> permit;
> }
> }
> }
> }
> }
> routing-instances {
> l3vpn {
> instance-type vrf;
> interface vlan.10;
> interface ge-0/0/1.0;
> route-distinguisher 65000:1;
> vrf-target target:65000:1;
> vrf-table-label;
> }
> }
> vlans {
> vlan10 {
> vlan-id 10;
> l3-interface vlan.10;
> }
> }
>
> Thanks for your help before
>
> ~Samin