[j-nsp] Fw: L3VPN on J series enhance services
ade
ade at nec.co.id
Fri Oct 30 20:09:33 EDT 2009
> Samin-san
>
> Please configure the J-series like this; it should help.
> PC-----J4350-----J2350------PC
>
> L3VPN works when you disable the security features in JUNOS Enhanced
> Services; in the configuration below this amounts to placing all interfaces in a
> zone whose host-inbound-traffic allows everything and setting the security
> default-policy to permit-all, i.e. the flow module no longer filters anything.
>
> ade
>
>
> root# show | no-more
> ## Last changed: 2009-10-31 09:05:56 UTC
> version 9.2R4.4;
> system {
> root-authentication {
> encrypted-password "$1$9aQTmFHm$lNkr4e5JOZC0TYiq.TUe/1"; ##
> SECRET-DATA
> }
> login {
> user lab {
> uid 2001;
> class super-user;
> authentication {
> encrypted-password "$1$2Ef07UvV$lITxZrsWXDDBZFgNISmAj0"; ##
> SECRET-DATA
> }
> }
> }
> services {
> ssh;
> telnet;
> web-management {
> http {
> interface [ ge-0/0/0.0 ge-2/0/0.0 ];
> }
> }
> }
> syslog {
> user * {
> any emergency;
> }
> file messages {
> any any;
> authorization info;
> }
> file interactive-commands {
> interactive-commands any;
> }
> }
> license {
> autoupdate {
> url https://ae1.juniper.net/junos/key_retrieval;
> }
> }
> }
> chassis {
> fpc 2 {
> pic 0 {
> ethernet {
> pic-mode enhanced-switching;
> }
> }
> }
> }
> interfaces {
> ge-0/0/0 {
> unit 0;
> }
> ls-0/0/0 {
> unit 1 {
> family inet {
> address 192.168.1.1/30;
> }
> family mpls;
> }
> }
> ge-0/0/1 {
> unit 0;
> }
> ge-2/0/0 {
> unit 0 {
> family inet {
> address 50.50.50.3/24;
> }
> }
> }
> ge-2/0/1 {
> unit 0;
> }
> e1-3/0/0 {
> e1-options {
> framing unframed;
> }
> unit 0 {
> family mlppp {
> bundle ls-0/0/0.1;
> }
> }
> }
> e1-3/0/1 {
> e1-options {
> framing unframed;
> }
> unit 0 {
> family mlppp {
> bundle ls-0/0/0.1;
> }
> }
> }
> lo0 {
> unit 0 {
> family inet {
> address 1.1.1.1/32;
> }
> }
> }
> }
> routing-options {
> autonomous-system 65000;
> }
> protocols {
> mpls {
> interface ls-0/0/0.1;
> }
> bgp {
> group inte {
> type internal;
> local-address 1.1.1.1;
> family inet-vpn {
> unicast;
> }
> neighbor 1.1.1.2;
> }
> }
> ospf {
> area 0.0.0.0 {
> interface ls-0/0/0.1;
> interface lo0.0;
> }
> }
> ldp {
> interface ls-0/0/0.1;
> }
> }
> security {
> screen {
> ids-option untrust-screen {
> icmp {
> ping-death;
> }
> ip {
> source-route-option;
> tear-drop;
> }
> tcp {
> syn-flood {
> alarm-threshold 1024;
> attack-threshold 200;
> source-threshold 1024;
> destination-threshold 2048;
> queue-size 2000; ## Warning: 'queue-size' is deprecated
> timeout 20;
> }
> land;
> }
> }
> }
> zones {
> security-zone untrust {
> screen untrust-screen;
> }
> security-zone trust {
> tcp-rst;
> }
> security-zone default {
> host-inbound-traffic {
> system-services {
> all;
> }
> protocols {
> all;
> }
> }
> interfaces {
> all;
> }
> }
> }
> policies {
> from-zone trust to-zone trust {
> policy default-permit {
> match {
> source-address any;
> destination-address any;
> application any;
> }
> then {
> permit;
> }
> }
> }
> from-zone trust to-zone untrust {
> policy default-permit {
> match {
> source-address any;
> destination-address any;
> application any;
> }
> then {
> permit;
> }
> }
> }
> from-zone untrust to-zone trust {
> policy default-deny {
> match {
> source-address any;
> destination-address any;
> application any;
> }
> then {
> permit;
> }
> }
> }
> default-policy {
> permit-all;
> }
> }
> }
> routing-instances {
> l3vpn {
> instance-type vrf;
> interface ge-2/0/0.0;
> route-distinguisher 65000:1;
> vrf-target target:65000:1;
> vrf-table-label;
> }
> }
>
> [edit]
> root# run ping routing-instance l3vpn 192.168.0.100
> PING 192.168.0.100 (192.168.0.100): 56 data bytes
> 64 bytes from 192.168.0.100: icmp_seq=0 ttl=127 time=4.164 ms
> 64 bytes from 192.168.0.100: icmp_seq=1 ttl=127 time=7.286 ms
> 64 bytes from 192.168.0.100: icmp_seq=2 ttl=127 time=6.287 ms
> 64 bytes from 192.168.0.100: icmp_seq=3 ttl=127 time=4.510 ms
> ^C
> --- 192.168.0.100 ping statistics ---
> 4 packets transmitted, 4 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 4.164/5.562/7.286/1.281 ms
>
> [edit]
> root# run telnet 192.168.1.2
> Trying 192.168.1.2...
> Connected to 192.168.1.2.
> Escape character is '^]'.
>
> (ttyp0)
>
> login: root
> Password:
> Login incorrect
> login:
> login: lab
> Password:
> No home directory.
> Logging in with home = "/".
>
> invalid user: getpwuid failsConnection closed by foreign host.
>
> [edit]
> root# root
> ^
> unknown command.
>
> [edit]
> root# run telnet 192.168.1.2
> Trying 192.168.1.2...
> Connected to 192.168.1.2.
> Escape character is '^]'.
>
> (ttyp0)
>
> login: root
> Password:
> Login incorrect
> login:
> login:
> login:
> login:
> login: as
> Password:
> Login incorrect
> login:
>
> [edit]
> root#
>
> [edit]
> root#
>
> [edit]
> root#
>
> [edit]
> root#
>
> [edit]
> root# show
> ## Last changed: 2009-10-31 08:43:15 UTC
> version 9.2R4.4;
> system {
> root-authentication {
> encrypted-password "$1$LDh/6jEb$e3xe2SE9P./z89p5hpmg/0"; ##
> SECRET-DATA
> }
> login {
> user lab {
> uid 2000;
> class super-user;
> authentication {
> encrypted-password "$1$gMVASxqR$nC7jqVtrE9OEUxFG/Nkgk."; ##
> SECRET-DATA
> }
> }
> }
> services {
> ssh;
> telnet;
> web-management {
> http {
> interface [ ge-0/0/0.0 ge-0/0/1.0 ];
> }
> }
> }
> syslog {
> user * {
> any emergency;
> }
> file messages {
> any any;
> authorization info;
> }
> file interactive-commands {
> interactive-commands any;
> }
> }
> license {
> autoupdate {
> url https://ae1.juniper.net/junos/key_retrieval;
> }
> }
> }
> chassis {
> fpc 0 {
> pic 0 {
> ethernet {
> pic-mode enhanced-switching;
> }
> }
> }
> }
> interfaces {
> ge-0/0/0 {
> vlan-tagging;
> unit 0 {
> vlan-id 2;
> family inet {
> address 192.168.10.1/24;
> }
> }
> unit 10 {
> vlan-id 10;
> family inet {
> address 20.20.20.1/24;
> }
> }
> unit 20 {
> vlan-id 20;
> family inet {
> address 40.40.40.1/24;
> }
> }
> }
> ls-0/0/0 {
> unit 1 {
> family inet {
> address 192.168.1.2/30;
> }
> family mpls;
> }
> }
> ge-0/0/1 {
> unit 0 {
> family inet {
> address 192.168.0.10/24;
> }
> }
> }
> ge-0/0/2 {
> unit 0;
> }
> e1-4/0/0 {
> clocking external;
> e1-options {
> framing unframed;
> }
> unit 0 {
> family mlppp {
> bundle ls-0/0/0.1;
> }
> }
> }
> e1-4/0/1 {
> clocking external;
> e1-options {
> framing unframed;
> }
> unit 0 {
> family mlppp {
> bundle ls-0/0/0.1;
> }
> }
> }
> lo0 {
> unit 0 {
> family inet {
> address 1.1.1.2/32;
> }
> }
> }
> vlan {
> unit 10 {
> family inet {
> address 10.10.10.250/24;
> }
> }
> }
> }
> routing-options {
> autonomous-system 65000;
> }
> protocols {
> mpls {
> interface ls-0/0/0.1;
> }
> bgp {
> group intern {
> type internal;
> local-address 1.1.1.2;
> family inet-vpn {
> unicast;
> }
> neighbor 1.1.1.1;
> }
> }
> ospf {
> area 0.0.0.0 {
> interface lo0.0;
> interface ls-0/0/0.1;
> }
> }
> ldp {
> interface ls-0/0/0.1;
> }
> }
> security {
> screen {
> ids-option untrust-screen {
> icmp {
> ping-death;
> }
> ip {
> source-route-option;
> tear-drop;
> }
> tcp {
> syn-flood {
> alarm-threshold 1024;
> attack-threshold 200;
> source-threshold 1024;
> destination-threshold 2048;
> queue-size 2000; ## Warning: 'queue-size' is deprecated
> timeout 20;
> }
> land;
> }
> }
> }
> zones {
> security-zone trust;
> security-zone untrust {
> screen untrust-screen;
> }
> security-zone default {
> host-inbound-traffic {
> system-services {
> all;
> }
> protocols {
> all;
> }
> }
> interfaces {
> all;
> }
> }
> }
> policies {
> from-zone trust to-zone trust {
> policy default-permit {
> match {
> source-address any;
> destination-address any;
> application any;
> }
> then {
> permit;
> }
> }
> }
> from-zone trust to-zone untrust {
> policy default-permit {
> match {
> source-address any;
> destination-address any;
> application any;
> }
> then {
> permit;
> }
> }
> }
> from-zone untrust to-zone trust {
> policy default-deny {
> match {
> source-address any;
> destination-address any;
> application any;
> }
> then {
> permit;
> }
> }
> }
> default-policy {
> permit-all;
> }
> }
> }
> routing-instances {
> l3vpn {
> instance-type vrf;
> interface vlan.10;
> interface ge-0/0/1.0;
> route-distinguisher 65000:1;
> vrf-target target:65000:1;
> vrf-table-label;
> }
> }
> vlans {
> vlan10 {
> vlan-id 10;
> l3-interface vlan.10;
> }
> }
>
> [edit]
> root# run ping routing-instance l3vpn 50.50.50.4
> PING 50.50.50.4 (50.50.50.4): 56 data bytes
> 64 bytes from 50.50.50.4: icmp_seq=0 ttl=127 time=6.066 ms
> 64 bytes from 50.50.50.4: icmp_seq=1 ttl=127 time=4.414 ms
> 64 bytes from 50.50.50.4: icmp_seq=2 ttl=127 time=4.150 ms
> 64 bytes from 50.50.50.4: icmp_seq=3 ttl=127 time=5.431 ms
> ^C
> --- 50.50.50.4 ping statistics ---
> 4 packets transmitted, 4 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 4.150/5.015/6.066/0.773 ms
>
> [edit]
>
>
>
>
>
>
>
>
>
>
>
> ----- Original Message -----
> From: "amin amin" <amiensda at gmail.com>
> To: <juniper-nsp at puck.nether.net>
> Sent: Friday, October 30, 2009 6:09 PM
> Subject: [j-nsp] L3VPN on J series enhance services
>
>
>> Can L3VPN run on J-series Enhanced Services? I have configured it as shown
>> below, but I can never reach the other end by ping within routing instance l3vpn.
>> I can't add an interface that is a member of the VRF to the interfaces of
>> security zone trust.
>>
>>
>> interfaces {
>> ge-0/0/0 {
>> vlan-tagging;
>> unit 0 {
>> vlan-id 2;
>> family inet {
>> address 192.168.10.1/24;
>> }
>> }
>> unit 10 {
>> vlan-id 10;
>> family inet {
>> address 20.20.20.1/24;
>> }
>> }
>> unit 20 {
>> vlan-id 20;
>> family inet {
>> address 40.40.40.1/24;
>> }
>> }
>> }
>> ls-0/0/0 {
>> unit 1 {
>> family inet {
>> address 192.168.1.2/30;
>> }
>> family mpls;
>> }
>> }
>> ge-0/0/1 {
>> unit 0 {
>> family inet {
>> address 192.168.0.10/24;
>> }
>> }
>> }
>> ge-0/0/2 {
>> unit 0;
>> }
>> e1-4/0/0 {
>> clocking external;
>> e1-options {
>> framing unframed;
>> }
>> unit 0 {
>> family mlppp {
>> bundle ls-0/0/0.1;
>> }
>> }
>> }
>> e1-4/0/1 {
>> clocking external;
>> e1-options {
>> framing unframed;
>> }
>> unit 0 {
>> family mlppp {
>> bundle ls-0/0/0.1;
>> }
>> }
>> }
>> lo0 {
>> unit 0 {
>> family inet {
>> address 1.1.1.2/32;
>> }
>> }
>> }
>> vlan {
>> unit 10 {
>> family inet {
>> address 10.10.10.250/24;
>> }
>> }
>> }
>> }
>> routing-options {
>> autonomous-system 65000;
>> }
>> protocols {
>> mpls {
>> interface ls-0/0/0.1;
>> }
>> bgp {
>> group intern {
>> type internal;
>> local-address 1.1.1.2;
>> family inet-vpn {
>> unicast;
>> }
>> neighbor 1.1.1.1;
>> }
>> }
>> ospf {
>> area 0.0.0.0 {
>> interface lo0.0;
>> interface ls-0/0/0.1;
>> }
>> }
>> ldp {
>> interface ls-0/0/0.1;
>> }
>> }
>> security {
>> screen {
>> ids-option untrust-screen {
>> icmp {
>> ping-death;
>> }
>> ip {
>> source-route-option;
>> tear-drop;
>> }
>> tcp {
>> syn-flood {
>> alarm-threshold 1024;
>> attack-threshold 200;
>> source-threshold 1024;
>> destination-threshold 2048;
>> queue-size 2000; ## Warning: 'queue-size' is
>> deprecated
>> timeout 20;
>> }
>> land;
>> }
>> }
>> }
>> zones {
>> security-zone trust {
>> tcp-rst;
>> interfaces {
>> ls-0/0/0.1 {
>> host-inbound-traffic {
>> system-services {
>> all;
>> }
>> protocols {
>> all;
>> }
>> }
>> }
>> ge-0/0/0.0 {
>> host-inbound-traffic {
>> system-services {
>> all;
>> }
>> protocols {
>> all;
>> }
>> }
>> }
>> ge-0/0/0.10 {
>> host-inbound-traffic {
>> system-services {
>> all;
>> }
>> protocols {
>> all;
>> }
>> }
>> }
>> ge-0/0/0.20 {
>> host-inbound-traffic {
>> system-services {
>> all;
>> }
>> protocols {
>> all;
>> }
>> }
>> }
>> ge-0/0/2.0 {
>> host-inbound-traffic {
>> system-services {
>> all;
>> }
>> protocols {
>> all;
>> }
>> }
>> }
>> lo0.0 {
>> host-inbound-traffic {
>> system-services {
>> all;
>> }
>> protocols {
>> all;
>> }
>> }
>> }
>> }
>> }
>> security-zone untrust {
>> screen untrust-screen;
>> }
>> }
>> policies {
>> from-zone trust to-zone trust {
>> policy default-permit {
>> match {
>> source-address any;
>> destination-address any;
>> application any;
>> }
>> then {
>> permit;
>> }
>> }
>> }
>> from-zone trust to-zone untrust {
>> policy default-permit {
>> match {
>> source-address any;
>> destination-address any;
>> application any;
>> }
>> then {
>> permit;
>> }
>> }
>> }
>> from-zone untrust to-zone trust {
>> policy default-deny {
>> match {
>> source-address any;
>> destination-address any;
>> application any;
>> }
>> then {
>> permit;
>> }
>> }
>> }
>> }
>> }
>> routing-instances {
>> l3vpn {
>> instance-type vrf;
>> interface vlan.10;
>> interface ge-0/0/1.0;
>> route-distinguisher 65000:1;
>> vrf-target target:65000:1;
>> vrf-table-label;
>> }
>> }
>> vlans {
>> vlan10 {
>> vlan-id 10;
>> l3-interface vlan.10;
>> }
>> }
>>
>> Thanks for your help before
>>
>> ~Samin
>