[j-nsp] GRE packet fragmentation on j-series
nebu thomas
nebuvthomas at yahoo.com
Tue Jan 31 05:16:04 EST 2012
Please refer to the app note below:
http://www.juniper.net/us/en/local/pdf/app-notes/3500192-en.pdf
see the section
________________________________
From: Ben Dale <bdale at comlinx.com.au>
To: Lukasz Martyniak <lmartyniak at man.szczecin.pl>
Cc: "Juniper-Nsp (juniper-nsp at puck.nether.net)" <juniper-nsp at puck.nether.net>
Sent: Tuesday, January 31, 2012 5:28 AM
Subject: Re: [j-nsp] GRE packet fragmentation on j-series
Hi Lukasz,
J-Series only needs a license to download signature updates for IDP - in order to stop fragmentation, all you need to do is create a security policy that matches on GRE traffic "match application junos-gre" and then references the idp engine in the action "then permit application-services idp".
This will force the IDP engine to re-assemble the GRE fragments for inspection (but not actually inspect them).
Juniper had a really good document explaining this with examples for MPLSoGRE, but my Google and KB-fu is failing.
Cheers,
Ben
On 26/01/2012, at 7:17 PM, Lukasz Martyniak wrote:
> Thanks for the quick response. I had hoped that this could be done in another way. I think J-Series needs an extra license for IDP.
>
> On Jan 24, 2012, at 11:35 PM, Alex Arseniev wrote:
>
>> My understanding is that GRE fragmentation should occur if egress interface MTU is < GRE pkt size.
>> For GRE reassembly, you need an IDP policy; this means a high-memory SRX model. An IDP license is not needed.
>> Rgds
>> Alex
>>
>> ----- Original Message -----
>> From: "Lukasz Martyniak" <lmartyniak at man.szczecin.pl>
>> To: <juniper-nsp at puck.nether.net>
>> Sent: Tuesday, January 24, 2012 2:04 PM
>> Subject: [j-nsp] GRE packet fragmentation on j-series
>>
>>
>>> Hi all
>>>
>>> I have a problem with GRE tunnels. I need to fragment packets in the tunnel. I run GRE between two J-Series (Junos 10.4R6) and launch MPLS on it. The problem is that packets with MTU above 1476 are not fragmented/reassembled and are dropped.
>>>
>>>
>>> interfaces {
>>>     gr-0/0/0 {
>>>         unit 10 {
>>>             clear-dont-fragment-bit;
>>>             description "Tulne to r1-lab";
>>>             tunnel {
>>>                 source 10.200.0.1;
>>>                 destination 10.200.0.2;
>>>                 allow-fragmentation;
>>>                 path-mtu-discovery;
>>>             }
>>>             family inet {
>>>                 mtu 1500;
>>>                 address 100.100.100.1/30;
>>>             }
>>>             family mpls {
>>>             }
>>>         }
>>>     }
>>> }
>>>
>>> Has anyone had a similar problem? Is there a simple way to fix this?
>>>
>>> Best Lukasz
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
MPLSoGRE with GRE Fragmentation and Reassembly
--Thanks