[j-nsp] SRX, UDP traffic, routing asymmetry
Caillin Bathern
caillinb at commtelns.com
Thu Dec 6 19:45:46 EST 2012
Sigh.. If only there was "selective flow mode" on the SRX/J...
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Per Westerlund
Sent: Friday, 7 December 2012 4:24 AM
To: Phil Mayers; Dale Shaw
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] SRX, UDP traffic, routing asymmetry
This is a flow mode configuration (Juniper calls it "router mode", not
"packet mode"), that emulates pure packet mode by allowing all packets
to start a flow, and having a default permit-all for all flows.
The sole reason for having this is to enable flow-mode things like IPsec
and NAT at the same time as having almost the same behavior as pure
packet mode.
I am working on another mail or two with examples of "selective packet
mode" that I believe might solve Dale's original problem (and perhaps
his quest for pure routing with IPsec).
/Per
6 dec 2012 kl. 14:15 skrev Phil Mayers:
> On 06/12/12 10:58, Per Westerlund wrote:
>> To follow up my own post (even more to follow), here is the config
>> you use on a J-series router to put it in router-mode. Nothing magic,
>> just some configuration. This will work with SRX as well, there is
>> nothing J-series specific in here. This config is found in
>> /etc/config/jsr-series-routermode-factory.conf, and the box I picked
>> it from was running Junos 10.2R4.8
>
> Is this *actually* in router mode, or is it just in a permit-all flow
mode?
>
> In particularly, you seem to be missing a "packet-mode" statement for
> IPv4 or MPLS (which also disables flow mode for IPv4)
>
> What does "show security flow status" say?
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
--
Message protected by MailGuard: e-mail anti-virus, anti-spam and
content filtering.http://www.mailguard.com.au/mg
More information about the juniper-nsp
mailing list