[j-nsp] SRX, UDP traffic, routing asymmetry

叶雨飞 sunyucong at gmail.com
Thu Dec 6 22:13:06 EST 2012 

downgrade to 9.3R4.4 then

On Thu, Dec 6, 2012 at 6:47 PM, Caillin Bathern <caillinb at commtelns.com> wrote:
> This just becomes long and painful when you want to run the box as an MPLS device primarily and as an IPSec/Crypto box for some traffic..
>
> -----Original Message-----
> From: 叶雨飞 [mailto:sunyucong at gmail.com]
> Sent: Friday, 7 December 2012 12:21 PM
> To: Caillin Bathern
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] SRX, UDP traffic, routing asymmetry
>
> you can run your main routing instance in flow mode , and apply filters to send those into other VRs (flow or not) for further processing.
>
> On Thu, Dec 6, 2012 at 4:45 PM, Caillin Bathern <caillinb at commtelns.com> wrote:
>> Sigh..  If only there was "selective flow mode" on the SRX/J...
>>
>> -----Original Message-----
>> From: juniper-nsp-bounces at puck.nether.net
>> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Per
>> Westerlund
>> Sent: Friday, 7 December 2012 4:24 AM
>> To: Phil Mayers; Dale Shaw
>> Cc: juniper-nsp at puck.nether.net
>> Subject: Re: [j-nsp] SRX, UDP traffic, routing asymmetry
>>
>> This is a flow mode configuration (Juniper calls it "router mode", not
>> "packet mode"), that emulates pure packet mode by allowing all packets
>> to start a flow, and having a default permit-all for all flows.
>>
>> The sole reason for having this is to enable flow-mode things like
>> IPsec and NAT at the same time as having almost the same behavior as
>> pure packet mode.
>>
>> I am working on another mail or two with examples of "selective packet
>> mode" that I believe might solve Dale's original problem (and perhaps
>> his quest for pure routing with IPsec).
>>
>> /Per
>>
>> 6 dec 2012 kl. 14:15 skrev Phil Mayers:
>>
>>> On 06/12/12 10:58, Per Westerlund wrote:
>>>> To follow up my own post (even more to follow), here is the config
>>>> you use on a J-series router to put it in router-mode. Nothing
>>>> magic,
>>
>>>> just some configuration. This will work with SRX as well, there is
>>>> nothing J-series specific in here. This config is found in
>>>> /etc/config/jsr-series-routermode-factory.conf, and the box I picked
>>>> it from was running Junos 10.2R4.8
>>>
>>> Is this *actually* in router mode, or is it just in a permit-all flow
>> mode?
>>>
>>> In particularly, you seem to be missing a "packet-mode" statement for
>>> IPv4 or MPLS (which also disables flow mode for IPv4)
>>>
>>> What does "show security flow status" say?
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>> --
>> Message  protected by MailGuard: e-mail anti-virus, anti-spam and
>> content filtering.http://www.mailguard.com.au/mg
>>
>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp

More information about the juniper-nsp mailing list