Channel: MustBeGeek » Juniper

Configure Dual ISP Link Failover in Juniper SRX


The post Configure Dual ISP Link Failover in Juniper SRX appeared first on MustBeGeek.

If you have two ISPs, or two different links to the same destination, you can configure a floating static route. A floating static route lets the device fail over to the secondary link when the primary link fails. This is accomplished with the route preference and the qualified-next-hop feature of the JunOS operating system. To configure dual ISP link failover in a Juniper SRX you need two ISP links, but the technique is not limited to ISP links: it applies to any dual-link scenario in which both links reach the same destination network. SRX series, MX series and J series devices are the ones most commonly used in this type of scenario.


Our scenario is this: we have two ISPs, ISP A and ISP B. What we want to accomplish is that if the primary link to ISP A fails, traffic switches to the secondary link to ISP B. So, let's get started.


We need to configure the static routes under the [edit routing-options] hierarchy.

[edit routing-options]
user@SRX240# set static route 0.0.0.0/0 next-hop 1.1.1.1 preference 5

Next hop 1.1.1.1 is the primary next hop for the 0.0.0.0/0 destination (0.0.0.0/0 is the default route). Preference 5 is the default preference for static routes, so even if you leave "preference 5" out of this command it is applied automatically.

[edit routing-options]
user@SRX240# set static route 0.0.0.0/0 qualified-next-hop 2.2.2.1 preference 7

Now next hop 2.2.2.1 is the secondary next hop for 0.0.0.0/0, with a preference of 7. If the primary link goes down, this next hop becomes the gateway for the default route.

[edit routing-options]
user@SRX240# show
static {
    route 0.0.0.0/0 {
        next-hop 1.1.1.1;
        qualified-next-hop 2.2.2.1 {
            preference 7;
        }
        preference 5;
    }
}

In this way you can configure a floating static route on JunOS systems. Keep in mind that the switchover is driven by next-hop reachability: the primary next hop is withdrawn only when 1.1.1.1 becomes unreachable, typically because the interface toward ISP A goes down. If that link stays up but ISP A stops forwarding traffic, the default route keeps pointing at 1.1.1.1.



Load Balance Dual ISP Internet in Juniper SRX


The post Load Balance Dual ISP Internet in Juniper SRX appeared first on MustBeGeek.

There are two different methods for load balancing Internet traffic on Juniper SRX series devices: per-flow load balancing and filter-based forwarding. Both techniques can be applied to MX series routers as well. You can use either method to load balance dual ISP Internet on Juniper SRX, MX or J series devices. Here, I will load balance dual ISP Internet on a Juniper SRX using the per-flow method.


Our existing scenario is this: we have two ISPs and want to load balance the Internet traffic across them. Both Internet links are in the UNTRUST zone, whereas the internal network is in the TRUST zone. I have already configured the required security policies.


The first step is to define the routing policy. Configure the following policy under the [edit policy-options] hierarchy. Despite its name, the load-balance per-packet action on these platforms results in per-flow load balancing, not true per-packet spraying.

[edit policy-options]
root@SRX240# set policy-statement LOAD-BALANCE then load-balance per-packet
[edit policy-options]
root@SRX240# show
policy-statement LOAD-BALANCE {
    then {
        load-balance per-packet;
    }
}

The second step is to configure the routing options. Configure the following static routes under the [edit routing-options] hierarchy.

[edit routing-options]
root@SRX240# set static route 0.0.0.0/0 next-hop 1.1.1.1
[edit routing-options]
root@SRX240# set static route 0.0.0.0/0 next-hop 2.2.2.1

Now apply the routing policy LOAD-BALANCE to the forwarding table with the forwarding-table export statement.

[edit routing-options]
root@SRX240# set forwarding-table export LOAD-BALANCE

Type show command to view the configuration.

[edit routing-options]
root@SRX# show
static {
    route 0.0.0.0/0 next-hop [ 1.1.1.1 2.2.2.1 ];
}
forwarding-table {
    export LOAD-BALANCE;
}

You can now view the forwarding table to verify:

root@SRX> show route forwarding-table 

You will see two next hops (and their MAC addresses) listed for the default destination network.

By default JunOS hashes only the layer-3 IP addresses to select the next hop for a flow, but you can change this behaviour and include layer-4 information (the transport protocol and ports) as well. To do so, enter the following commands under the [edit forwarding-options] hierarchy.

[edit]
root@SRX# set forwarding-options hash-key family inet layer-3
[edit]
root@SRX# set forwarding-options hash-key family inet layer-4
[edit forwarding-options]
root@SRX# show
hash-key {
    family inet {
        layer-3;
        layer-4;
    }
}

You can now inspect the logs, or run tracert (traceroute) from a client PC, to confirm the load sharing. Testing from a single PC on the network is sufficient.
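To see why the layer-4 hash key matters when you test from a single PC, here is an added Python model of the next-hop selection; it is not code from the post, and toy_hash is a deterministic stand-in for the forwarding-plane hash, not JunOS's real algorithm.

```python
from collections import Counter

# Constructed model of the per-flow load balancing in the post: two equal-cost
# next hops (the ISP gateways of the static default route) and a hash key built
# from either layer-3 fields only or layer-3 plus layer-4 fields.
NEXT_HOPS = ["1.1.1.1", "2.2.2.1"]


def hash_key(src_ip, dst_ip, proto, src_port, dst_port, layer4=False):
    """Return the fields fed into the flow hash.

    With hash-key family inet layer-3 only the addresses are used; adding
    layer-4 mixes in the protocol and the transport ports (model assumption).
    """
    fields = [src_ip, dst_ip]
    if layer4:
        fields += [proto, str(src_port), str(dst_port)]
    return "|".join(fields)


def toy_hash(key):
    """Stand-in for the hardware hash: the sum of the key's bytes.

    This is NOT the real JunOS hash; it is only deterministic enough to show
    how the chosen key fields decide whether flows can spread at all.
    """
    return sum(key.encode("ascii"))


def pick_next_hop(src_ip, dst_ip, proto, src_port, dst_port, layer4=False):
    """Map one flow onto one of the equal-cost next hops."""
    key = hash_key(src_ip, dst_ip, proto, src_port, dst_port, layer4)
    return NEXT_HOPS[toy_hash(key) % len(NEXT_HOPS)]


def distribution(flows, layer4=False):
    """Count how many of the given flows land on each next hop."""
    counts = Counter({nh: 0 for nh in NEXT_HOPS})
    for flow in flows:
        counts[pick_next_hop(*flow, layer4=layer4)] += 1
    return dict(counts)


# Constructed sample: one client PC opening 20 TCP connections to one web
# server; the flows differ only in their ephemeral source port.
SINGLE_PC_FLOWS = [
    ("192.168.1.10", "203.0.113.5", "tcp", 40000 + i, 443) for i in range(20)
]

if __name__ == "__main__":
    # Layer-3 only: every flow has the same key, so one ISP link gets all of them.
    print("layer-3 key only :", distribution(SINGLE_PC_FLOWS, layer4=False))
    # Layer-3 + layer-4: the port differences let the flows spread over both links.
    print("layer-3 + layer-4:", distribution(SINGLE_PC_FLOWS, layer4=True))
```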


Configure Filter Based Load Balancing in Juniper SRX


The post Configure Filter Based Load Balancing in Juniper SRX appeared first on MustBeGeek.

There are various ways to configure load balancing on JunOS devices; filter-based forwarding and per-flow load balancing are the most popular. These types of load balancing can be configured on many Juniper devices, such as the MX, J and SRX series. Here, I will show the steps to configure filter-based load balancing on a Juniper SRX. In filter-based forwarding, two routing tables are configured. Each table has a different ISP as its primary gateway and the other ISP as its secondary gateway.


We want to balance the traffic from the internal networks to the Internet across both ISP links. First we create two routing tables, then the firewall filters, and finally a RIB group. I will show the configuration step by step. Our scenario is this: we have two ISP links and two internal networks. We want to route the 192.168.1.0/24 network via ISP A, with ISP B as the backup, and the 192.168.2.0/24 network via ISP B, with ISP A as its backup.


Step 1: Create Routing Tables

First, let's create the two routing tables. They are configured as forwarding routing instances under the [edit routing-instances] hierarchy; we will name them ISPA and ISPB.

[edit routing-instances]
root@SRX# set ISPA instance-type forwarding
[edit routing-instances]
root@SRX# set ISPA routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
[edit routing-instances]
root@SRX# set ISPA routing-options static route 0.0.0.0/0 qualified-next-hop 2.2.2.1 preference 7

Type show to view the configuration.

[edit routing-instances ISPA]
root@SRX# show
instance-type forwarding;
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop 1.1.1.1;
            qualified-next-hop 2.2.2.1 {
                preference 7;
            }
        }
    }
}

Now let’s configure ISPB routing instance.

[edit routing-instances]
root@SRX# set ISPB instance-type forwarding
[edit routing-instances]
root@SRX# set ISPB routing-options static route 0.0.0.0/0 next-hop 2.2.2.1
[edit routing-instances]
root@SRX# set ISPB routing-options static route 0.0.0.0/0 qualified-next-hop 1.1.1.1 preference 7

Type show to view the configuration.

[edit routing-instances ISPB]
root@SRX# show
instance-type forwarding;
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop 2.2.2.1;
            qualified-next-hop 1.1.1.1 {
                preference 7;
            }
        }
    }
}

Step 2: Create Firewall Filters

Now, let’s create firewall filters.

[edit firewall family inet]
root@SRX# set filter ISPA-FILTER term FOR-ISPA from source-address 192.168.1.0/24
[edit firewall family inet]
root@SRX# set filter ISPA-FILTER term FOR-ISPA then routing-instance ISPA
[edit firewall family inet]
root@SRX# set filter ISPB-FILTER term FOR-ISPB from source-address 192.168.2.0/24
[edit firewall family inet]
root@SRX# set filter ISPB-FILTER term FOR-ISPB then routing-instance ISPB

Type show to view the firewall filter.

[edit firewall family inet]
root@SRX# show
filter ISPA-FILTER {
    term FOR-ISPA {
        from {
            source-address {
                192.168.1.0/24;
            }
        }
        then {
            routing-instance ISPA;
        }
    }
}
filter ISPB-FILTER {
    term FOR-ISPB {
        from {
            source-address {
                192.168.2.0/24;
            }
        }
        then {
            routing-instance ISPB;
        }
    }
}

Now apply the filters as input filters on the internal interfaces, one per interface.

[edit interfaces]
root@SRX# set ge-0/0/2 unit 0 family inet filter input ISPA-FILTER
[edit interfaces]
root@SRX# set ge-0/0/3 unit 0 family inet filter input ISPB-FILTER
[edit interfaces]
root@SRX# show
ge-0/0/2 {
    unit 0 {
        family inet {
            filter {
                input ISPA-FILTER;
            }
            address 192.168.1.1/24;
        }
    }
}
ge-0/0/3 {
    unit 0 {
        family inet {
            filter {
                input ISPB-FILTER;
            }
            address 192.168.2.1/24;
        }
    }
}

Step 3: Create RIB Group

A RIB (Routing Information Base) group is used to share routes from the master routing table with other routing tables. For the inet family, the master routing table is inet.0. At this point the ISPA and ISPB tables only know the routes configured when the routing instances were created, i.e. the default route. We need to copy the routes from inet.0 into ISPA.inet.0 and ISPB.inet.0 for routing to work properly. RIB groups are configured under the [edit routing-options] hierarchy.

[edit routing-options]
root@SRX# set rib-groups LOAD-BALANCE-RIB import-rib inet.0
[edit routing-options]
root@SRX# set rib-groups LOAD-BALANCE-RIB import-rib ISPA.inet.0
[edit routing-options]
root@SRX# set rib-groups LOAD-BALANCE-RIB import-rib ISPB.inet.0
[edit routing-options]
root@SRX# show
rib-groups {
    LOAD-BALANCE-RIB {
        import-rib [ inet.0 ISPA.inet.0 ISPB.inet.0 ];
    }
}

You can verify the configuration by running traceroute from a client PC in each network. You can also check the routing tables; note that defining the RIB group does nothing on its own, it has to be applied (for example with interface-routes rib-group inet LOAD-BALANCE-RIB under routing-options) before the interface routes actually show up in the instance tables. To view a routing table, type

root@SRX> show route table ISPA.inet.0 

This is how you configure filter based load balancing.
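An added Python model (not code from the post) of the two mechanisms used here and in the dual ISP failover post above: route preference with a qualified-next-hop, and the firewall filter's choice of routing instance by source prefix. The addresses are the ones from the posts; the reachable set is an assumption standing in for "the link toward that next hop is up".

```python
import ipaddress

# Default preference of a static route in JunOS; a qualified-next-hop may carry its own.
STATIC_PREFERENCE = 5


def active_next_hop(next_hops, reachable):
    """Pick the next hop JunOS would install for a static route.

    next_hops: list of (address, preference). reachable: set of next-hop
    addresses whose directly connected link is up. The lowest preference among
    the reachable next hops wins; None means the route has no usable next hop.
    JunOS only withdraws a next hop when it becomes unreachable, so an upstream
    failure with the link still up is not modelled as a failure here either.
    """
    candidates = [(pref, nh) for nh, pref in next_hops if nh in reachable]
    return min(candidates)[1] if candidates else None


# Constructed model of the tables on the page. inet.0 is the master table from
# the failover post (primary via ISP A, floating next hop via ISP B);
# ISPA.inet.0 and ISPB.inet.0 are the routing instances from Step 1.
TABLES = {
    "inet.0": [("1.1.1.1", STATIC_PREFERENCE), ("2.2.2.1", 7)],
    "ISPA.inet.0": [("1.1.1.1", STATIC_PREFERENCE), ("2.2.2.1", 7)],
    "ISPB.inet.0": [("2.2.2.1", STATIC_PREFERENCE), ("1.1.1.1", 7)],
}

# Firewall filter terms from Step 2: a source prefix sends the packet to a
# routing instance; an unmatched packet stays in the master table.
FILTER_TERMS = [
    (ipaddress.ip_network("192.168.1.0/24"), "ISPA.inet.0"),
    (ipaddress.ip_network("192.168.2.0/24"), "ISPB.inet.0"),
]


def select_table(src_ip):
    """Filter-based forwarding: the first matching term chooses the table."""
    addr = ipaddress.ip_address(src_ip)
    for prefix, table in FILTER_TERMS:
        if addr in prefix:
            return table
    return "inet.0"


def forward(src_ip, reachable):
    """Return (table, next hop) used for an Internet-bound packet from src_ip."""
    table = select_table(src_ip)
    return table, active_next_hop(TABLES[table], reachable)


if __name__ == "__main__":
    both_up = {"1.1.1.1", "2.2.2.1"}
    for src in ("192.168.1.10", "192.168.2.10", "10.0.0.5"):
        print(src, "both links up ->", forward(src, both_up))
        print(src, "ISP A down    ->", forward(src, {"2.2.2.1"}))
```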


Install JunOS From Loader


Sometimes a Juniper device fails to boot JunOS properly, for instance because the image is corrupted, and you need to reinstall JunOS on the EX or SRX device from the loader prompt. It is always a good idea to have a USB snapshot of the JunOS device, but if you don't have a backup you have to reinstall JunOS from the loader prompt using USB media.


Step 1. Download the required JunOS image and copy it to a USB flash drive. If the USB drive is smaller than 2 GB, the file system must be FAT; if it is 4 GB or larger, use FAT32.

Step 2. Insert the flash drive into a USB port of the Juniper device.

Step 3. Then reboot the device. During the boot process, when the following message is displayed,

Press Space to abort autoboot

do nothing. A little while later you will see:

Hit [Enter] to boot immediately, or space bar for command prompt.

Now press the space bar. You will be in loader mode and the prompt should be loader>. If the prompt is > instead, type boot to get to the loader> prompt.

Step 4. After pressing the space bar you will see the loader prompt. Now type the following command:

loader> install file:///jinstall-ex-2200-11.4R11.4-domestic-signed.tgz

Wait a while; the installation file is copied to the device and the installation starts. The device reboots once the installation is complete.

Install JunOS From Loader is a post from: MustBeGeek

SRX 240 Error! Install Package Version 11.4R5 or Higher!


In this post, I am going to talk about an SRX 240 upgrade error. I was trying to upgrade an SRX 240 H2 from JunOS 11.4R7.5 to JunOS 11.4R11.4 and got an error saying: Please install a package with version 11.4R5 or higher.


Here is the log of the error:

[Screenshot of the error log from the original post; not reproduced here]

If you are facing a similar issue, don't worry, this is a known issue. The solution is to downgrade JunOS to 11.4R5 first and then upgrade to the required JunOS version. The problem is known on SRX 240 B2 and H2 models when upgrading or downgrading to 11.4R10 or a higher JunOS version from 11.4R7/R8/R9, 12.1R5/R6/R7 or 12.1X44-D10/D15/D20/D25. Visit this link for more information about the problem; you must have a Juniper account to log in to that page.

SRX 240 Error! Install Package Version 11.4R5 or Higher! is a post from: MustBeGeek

Configure SRX Mode to Packet Mode from Flow Mode


Branch series Juniper SRX devices can operate in two different modes, packet mode and flow mode. In flow mode, the SRX processes all traffic by tracking the state, or session, of the traffic. In packet mode, the SRX processes traffic like a traditional router, without tracking sessions. By default, JunOS on SRX devices works in flow mode, but if you want to operate the device as a plain router you can disable the security features such as IPsec, NAT and UTM. There are two ways to configure packet mode on branch series SRX devices. The first method shown in this post converts the device strictly to packet mode using the set security forwarding-options command, whereas the second method allows packet mode and flow mode to be used at the same time by means of firewall filters.


First Method

To view the current forwarding mode, type the show security flow status command in operational mode. On an unmodified device it reports flow-based forwarding: Inet forwarding mode: flow based.

We can change to packet mode with the set security forwarding-options family mpls mode packet-based command in configuration mode, as shown below. Don't forget to delete the security settings first.

[edit]
root@SRX240# delete security

This deletes the entire security configuration.

[edit]
root@SRX240# set security forwarding-options family mpls mode packet-based
[edit]
root@SRX240# commit
[edit]
root@SRX240# run request system reboot

After the commit you will get a warning saying that you must reboot the device for the change to take effect. After the reboot, issue the show security flow status command.

root@SRX240> show security flow status
  Flow forwarding mode:
    Inet forwarding mode: packet based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: packet based
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based

As you can see above, the Inet forwarding mode is packet based. In this way you can configure SRX mode to packet mode from flow mode.

Second Method

Packet mode can also be enabled using firewall filter. Using this technique, you can use both packet mode and flow mode based on various match criteria.

[edit]
root@SRX240# set firewall filter PACKET-MODE term 1 from source-address X.X.X.X/32
[edit]
root@SRX240# set firewall filter PACKET-MODE term 1 then packet-mode
[edit]
root@SRX240# set firewall filter PACKET-MODE term 2 then accept

Now apply the PACKET-MODE filter to the required interface in the inbound or outbound direction. Traffic from the particular source address X.X.X.X/32 will then be processed in packet mode by the SRX, while the rest is still processed in flow mode.

Configure SRX Mode to Packet Mode from Flow Mode is a post from: MustBeGeek

Configure Dynamic (Remote Access) VPN in Juniper SRX


Dynamic VPN, or Remote Access VPN, is a feature available on branch series SRX gateways. By default they come with two dynamic VPN licenses pre-installed, so only two remote users can use dynamic VPN at the same time; you can purchase additional licenses for more users. Dynamic VPN lets users on the Internet access the corporate LAN. The VPN client for the user's machine is downloaded from the SRX's web interface and installed automatically: when the user logs in to the SRX's dynamic VPN web page, the VPN session on the user's PC is initiated and the required client is downloaded without user interaction. You can also manually download and install JunOS Pulse, which is Juniper's VPN client application. In this post, I will show the steps to configure Dynamic (Remote Access) VPN in Juniper SRX.


To view the existing license information, type the show system license command. In its output the number of installed dynamic-vpn licenses is 2 and the expiry is permanent.

Our scenario for dynamic access VPN is as follows. The protected network is 10.0.0.0/24, and it contains an Active Directory domain controller. We want users to be able to reach this protected network from the Internet.


Step 1. Configure Dynamic VPN Users and IP Address Pool

set access profile Dynamic-XAuth client Jed firewall-user password P@ssw0rd
set access profile Dynamic-XAuth client Steve firewall-user password P@ssw0rd
set access profile Dynamic-XAuth address-assignment pool Dynamic-VPN-Pool
set access address-assignment pool Dynamic-VPN-Pool family inet network 192.168.1.0/24
set access address-assignment pool Dynamic-VPN-Pool family inet xauth-attributes primary-dns 10.0.0.10/32
set access firewall-authentication web-authentication default-profile Dynamic-XAuth

Step 2. Configure IPSec Phase 1

set security ike proposal Dynamic-VPN-P1-Proposal description “Dynamic P1 Proposal”
set security ike proposal Dynamic-VPN-P1-Proposal authentication-method pre-shared-keys
set security ike proposal Dynamic-VPN-P1-Proposal dh-group group2
set security ike proposal Dynamic-VPN-P1-Proposal authentication-algorithm sha1
set security ike proposal Dynamic-VPN-P1-Proposal encryption-algorithm 3des-cbc
set security ike proposal Dynamic-VPN-P1-Proposal lifetime-seconds 1200
set security ike policy Dynamic-VPN-P2-Policy mode aggressive
set security ike policy Dynamic-VPN-P2-Policy description “Dynamic P2 Policy”
set security ike policy Dynamic-VPN-P2-Policy proposals Dynamic-VPN-P1-Proposal
set security ike policy Dynamic-VPN-P2-Policy pre-shared-key ascii-text test@123
set security ike gateway Dynamic-VPN-P1-Gateway ike-policy Dynamic-VPN-P2-Policy
set security ike gateway Dynamic-VPN-P1-Gateway dynamic hostname mustbegeek.com
set security ike gateway Dynamic-VPN-P1-Gateway dynamic ike-user-type shared-ike-id
set security ike gateway Dynamic-VPN-P1-Gateway external-interface ge-0/0/0.0
set security ike gateway Dynamic-VPN-P1-Gateway xauth access-profile Dynamic-XAuth

Step 3. Configure IPSec Phase 2

set security ipsec proposal Dynamic-P2-Proposal description Dynamic-VPN-P2-Proposal
set security ipsec proposal Dynamic-P2-Proposal protocol esp
set security ipsec proposal Dynamic-P2-Proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal Dynamic-P2-Proposal encryption-algorithm aes-256-cbc
set security ipsec proposal Dynamic-P2-Proposal lifetime-seconds 3600
set security ipsec policy Dynamic-P2-Policy perfect-forward-secrecy keys group5
set security ipsec policy Dynamic-P2-Policy proposals Dynamic-P2-Proposal
set security ipsec vpn Dynamic-VPN ike gateway Dynamic-VPN-P1-Gateway
set security ipsec vpn Dynamic-VPN ike ipsec-policy Dynamic-P2-Policy
set security ipsec vpn Dynamic-VPN establish-tunnels immediately

Step 4. Configure Dynamic VPN Parameters

set security dynamic-vpn force-upgrade
set security dynamic-vpn access-profile Dynamic-XAuth
set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/24
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn Dynamic-VPN
set security dynamic-vpn clients all user Jed
set security dynamic-vpn clients all user Steve

Step 5. Configure Security Policy

set security policies from-zone untrust to-zone trust policy Dynamic-VPN match source-address any
set security policies from-zone untrust to-zone trust policy Dynamic-VPN match destination-address any
set security policies from-zone untrust to-zone trust policy Dynamic-VPN match application any
set security policies from-zone untrust to-zone trust policy Dynamic-VPN then permit tunnel ipsec-vpn Dynamic-VPN

Step 6. Verify the IPSec Connection

root@SRX240> show security dynamic-vpn users
root@SRX240> show security dynamic-vpn client version
root@SRX240> show security ike active-peer
root@SRX240> show security ike security-associations
root@SRX240> show security ipsec security-associations
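As an added check that is not part of the post, a small Python audit over the phase 1 and phase 2 set lines above flags the choices that are legacy by today's standards; the thresholds (AES, SHA-2, DH group 14 or higher, pre-shared keys of at least 20 characters, main mode) are my assumptions, not Juniper's, and the sample is just the post's own lines.

```python
import re

# Constructed sample: the IKE phase 1 and IPsec phase 2 lines from this post.
SAMPLE_CONFIG = """
set security ike proposal Dynamic-VPN-P1-Proposal authentication-method pre-shared-keys
set security ike proposal Dynamic-VPN-P1-Proposal dh-group group2
set security ike proposal Dynamic-VPN-P1-Proposal authentication-algorithm sha1
set security ike proposal Dynamic-VPN-P1-Proposal encryption-algorithm 3des-cbc
set security ike policy Dynamic-VPN-P2-Policy mode aggressive
set security ike policy Dynamic-VPN-P2-Policy pre-shared-key ascii-text test@123
set security ipsec proposal Dynamic-P2-Proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal Dynamic-P2-Proposal encryption-algorithm aes-256-cbc
set security ipsec policy Dynamic-P2-Policy perfect-forward-secrecy keys group5
"""

# Policy thresholds used by this checker (assumptions, see lead-in).
LEGACY_ENCRYPTION = {"des-cbc", "3des-cbc"}
LEGACY_INTEGRITY = {"md5", "sha1", "hmac-md5-96", "hmac-sha1-96"}
LEGACY_DH_GROUPS = {"group1", "group2", "group5"}
MIN_PSK_LENGTH = 20

# set security <ike|ipsec> <proposal|policy> <name> <keyword(s)> <value>
LINE_RE = re.compile(r"^set security (ike|ipsec) (proposal|policy) (\S+) (.+?) (\S+)$")


def audit_vpn_config(text):
    """Return a list of (object name, finding) for legacy choices in set-style config."""
    findings = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # descriptions, gateway and vpn lines are not audited here
        _family, _kind, name, key, value = m.groups()
        if key == "encryption-algorithm" and value in LEGACY_ENCRYPTION:
            findings.append((name, f"legacy encryption {value}"))
        elif key == "authentication-algorithm" and value in LEGACY_INTEGRITY:
            findings.append((name, f"legacy integrity algorithm {value}"))
        elif key in ("dh-group", "perfect-forward-secrecy keys") and value in LEGACY_DH_GROUPS:
            findings.append((name, f"weak DH {value}"))
        elif key == "mode" and value == "aggressive":
            # Aggressive mode sends the identity in the clear and gives the PSK less protection.
            findings.append((name, "aggressive mode; prefer main mode"))
        elif key == "pre-shared-key ascii-text" and len(value) < MIN_PSK_LENGTH:
            findings.append((name, f"pre-shared key shorter than {MIN_PSK_LENGTH} characters"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_vpn_config(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```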

You can download and install the JunOS Pulse client application on user PCs. JunOS Pulse is a VPN client from Juniper, and users out on the Internet use it to connect to the VPN. To set it up, click the Add (+) button, choose SRX under Type, type a name for the connection, then type the IP address or domain name of the SRX device and click the Add button.


After creating a new connection, click Connect button. The client will now attempt to connect.


Click Connect again on certificate warning. Now type username and password to connect to VPN.


In this way you can configure dynamic VPN in Juniper SRX and use JunOS Pulse to connect to VPN.


Configure Dynamic (Remote Access) VPN in Juniper SRX is a post from: MustBeGeek

Configure Logging in Juniper Firewall Filter


Logs are an important feature and very handy for troubleshooting or monitoring networks. You can configure firewall filters on many Juniper devices: the SRX, EX, MX, T and other series all support stateless firewall filters. Firewall filters are like access control lists (ACLs) in the Cisco world and are used to allow or reject packets based on various match conditions. You can apply a firewall filter to a port, a VLAN or a layer-3 interface. A firewall filter can have multiple terms, each defining specific match conditions and actions, and the terms are evaluated from top to bottom. In this post, I will show the steps to configure logging in a Juniper firewall filter.


Juniper firewall filters are made up of terms and match conditions. A filter can contain numerous terms, and a term can contain various match conditions and actions. An example filter is shown below. It has two terms, T1 and T2. T1 matches traffic from source address 192.168.1.1/32 to destination port 22 or 443 and has the action accept. T2 has the action reject. So only traffic from that source to destination port 22 or 443 is accepted on interface fe-0/0/2; all other traffic is rejected. Both terms also have the syslog action, which logs the packets matching the corresponding term.

[edit firewall]
root@SRX240# show
filter TEST {
    term T1 {
        from {
            source-address {
                192.168.1.1/32;
            }
            destination-port [ 22 443 ];
        }
        then {
            syslog;
            accept;
        }
    }
    term T2 {
        then {
            syslog;
            reject;
        }
    }
}

The filter is applied to the interface,

[edit interfaces fe-0/0/2]
root@SRX240# show
description "CONNECTED TO INTERNET";
unit 0 {
    family inet {
        filter {
            input TEST;
        }
        address 2.2.2.2/30;
    }
}

There are also other match conditions and actions. You can match traffic based on source and destination IP address, MAC address, port numbers, protocol numbers, DSCP value, 802.1Q tag, ICMP type and many others. Remember that Juniper firewall filters are stateless and unidirectional: they do not track the state of a connection, and they know nothing about return traffic, so you have the option to apply filters to both the inbound (input) and outbound (output) traffic of an interface. To permit or deny transit traffic, apply the filter to the transit interfaces. To permit or deny traffic destined for the Juniper device's routing engine, apply the filter to the loopback 0 interface; for example, to block SSH login attacks you can create and apply a firewall filter on the loopback interface.

To view the log of the firewall filter, create a custom syslog file for the firewall facility. Here is how:

[edit system syslog]
root@SRX240# set file FILTER firewall any

Now, to view the log of firewall filters, type

root@SRX240> show log FILTER

In this way you can configure firewall filter and monitor log in Juniper SRX device.
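As an added example (not from the post), a Python parser for the lines that land in the FILTER log, summarising which sources the reject term is hitting; the sample lines are constructed in the PFE_FW_SYSLOG_IP message style (interface, action letter, protocol, addresses, ports, packet count) and the exact field layout can differ by platform and release.

```python
import re
from collections import Counter

# Constructed sample of what "show log FILTER" might contain for the TEST filter:
# A = accept (term T1), R = reject (term T2). Not real captured output.
SAMPLE_LOG = """\
Jun 29 15:30:35  SRX240 fpc0 PFE_FW_SYSLOG_IP: FW: fe-0/0/2.0   A tcp 192.168.1.1 2.2.2.2    51000    22 (1 packets)
Jun 29 15:30:36  SRX240 fpc0 PFE_FW_SYSLOG_IP: FW: fe-0/0/2.0   R tcp 203.0.113.7 2.2.2.2    40001    23 (1 packets)
Jun 29 15:30:36  SRX240 fpc0 PFE_FW_SYSLOG_IP: FW: fe-0/0/2.0   R tcp 203.0.113.7 2.2.2.2    40002    3389 (1 packets)
Jun 29 15:30:37  SRX240 fpc0 PFE_FW_SYSLOG_IP: FW: fe-0/0/2.0   R tcp 203.0.113.7 2.2.2.2    40003    445 (3 packets)
Jun 29 15:30:38  SRX240 fpc0 PFE_FW_SYSLOG_IP: FW: fe-0/0/2.0   A tcp 192.168.1.1 2.2.2.2    51001    443 (1 packets)
Jun 29 15:30:39  SRX240 fpc0 PFE_FW_SYSLOG_IP: FW: fe-0/0/2.0   R udp 198.51.100.9 2.2.2.2    53000    161 (1 packets)
"""

LINE_RE = re.compile(
    r"FW: (?P<ifl>\S+)\s+(?P<action>[ADR]) (?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+)"
    r"\s+(?P<sport>\d+)\s+(?P<dport>\d+) \((?P<packets>\d+) packets\)"
)
ACTIONS = {"A": "accept", "D": "discard", "R": "reject"}


def parse_filter_log(text):
    """Return one dict per parsable line; lines in another format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["action"] = ACTIONS[rec["action"]]
        for field in ("sport", "dport", "packets"):
            rec[field] = int(rec[field])
        records.append(rec)
    return records


def rejected_by_source(records):
    """Packets hit by a reject or discard term, summed per source address."""
    counts = Counter()
    for r in records:
        if r["action"] != "accept":
            counts[r["src"]] += r["packets"]
    return dict(counts)


def noisy_sources(records, min_ports=3):
    """Sources rejected on at least min_ports distinct destination ports, the
    kind of probing the syslog action on term T2 is there to make visible."""
    ports = {}
    for r in records:
        if r["action"] != "accept":
            ports.setdefault(r["src"], set()).add(r["dport"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    recs = parse_filter_log(SAMPLE_LOG)
    print("rejected packets per source:", rejected_by_source(recs))
    print("sources probing 3+ ports   :", noisy_sources(recs))
```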

Configure Logging in Juniper Firewall Filter is a post from: MustBeGeek


Configure Private VLANs in Juniper Switch


It is often a requirement to split broadcast traffic or to restrict communication between hosts within the same VLAN. Private VLAN (PVLAN) is a switch feature that does exactly that. Private VLANs can be configured on all models of Juniper switches. In this post, I will show the steps to configure private VLANs in a Juniper switch.


Private VLANs in Juniper switch can have four types of switch ports.

  • Promiscuous Port – A trunk port on the switch that connects uplink to a router, firewall or servers. A promiscuous port can communicate with all other private VLAN ports within the private VLAN. The port is a member of the primary VLAN and must carry an 802.1Q tag. Trunk ports that are members of private VLANs are promiscuous ports.
  • Community Port – A port in a community VLAN. Hosts connected to ports in the same community VLAN can communicate with each other and with the promiscuous port of the same private VLAN. A community VLAN is a secondary VLAN, and its ports are also members of the primary VLAN.
  • Isolated Port – An isolated port cannot communicate with hosts on other isolated ports or on community ports within the same private VLAN. It can communicate only with the promiscuous port and with PVLAN trunk ports. If you only need isolated ports on a single switch, you do not need to create a VLAN for them. Juniper switches also have another flavour of isolated port, the inter-switch isolated VLAN, which is used to pass traffic from an isolated port on one switch to an isolated port on another switch across a PVLAN trunk. An inter-switch isolated VLAN must have a secondary VLAN ID associated with it.
  • PVLAN Trunk Port – The trunk port used to connect two or more switches when the PVLAN is configured on all of them. The trunk port is a member of all the private VLANs: the primary VLAN, the community VLANs and the inter-switch isolated VLAN. Trunk ports made members of private VLANs with the pvlan-trunk statement are PVLAN trunk ports.

Before creating private VLANs in a Juniper switch, check whether the JunOS version running on the switch supports the PVLAN feature. I am running JunOS 12.3R6.6 on an EX3300 switch. Here is our simple scenario:


We have a single switch connected to an SRX gateway. In addition, we have two community VLANs, COMM-SALES-10 and COMM-MARKETING-20, and one isolated VLAN with no VLAN ID, because this is a single-switch setup.

First, let's look at the configuration of the SRX. As the promiscuous trunk port (ge-0/0/0 of the switch) is connected to port ge-0/0/0 of the SRX, the SRX port needs to understand the tagged frames sent by the switch, so we configure VLAN tagging on the SRX port as follows:

[edit interfaces ge-0/0/0]
root@SRX# show
vlan-tagging;
unit 100 {
    vlan-id 100;
    family inet {
        address 192.168.10.1/24;
    }
}

Now, let’s configure the switch step by step.

Step 1. Configure primary VLAN name and VLAN-ID of 100.

{master:0}[edit]
root@EX3300# set vlans PVLAN vlan-id 100 no-local-switching

Step 2. Configure the promiscuous trunk port.

{master:0}[edit interfaces ge-0/0/0]
root@EX3300# set unit 0 family ethernet-switching port-mode trunk
{master:0}[edit interfaces ge-0/0/0]
root@EX3300# set unit 0 family ethernet-switching vlan members PVLAN

Step 3. Assign promiscuous trunk port in primary VLAN.

{master:0}[edit vlans]
root@EX3300# set PVLAN interface ge-0/0/0

Step 4. Configure Access Ports. All community ports and isolated ports must be in access port mode.

{master:0}[edit]
root# set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode access
{master:0}[edit]
root# set interfaces ge-0/0/4 unit 0 family ethernet-switching port-mode access
{master:0}[edit]
root# set interfaces ge-0/0/5 unit 0 family ethernet-switching port-mode access

Step 5. Configure Community VLANs and assign ports to the community PVLANs.

{master:0}[edit vlans]
root@EX3300# set COMM-SALES-10 vlan-id 10
{master:0}[edit vlans]
root@EX3300# set COMM-SALES-10 primary-vlan PVLAN
{master:0}[edit vlans]
root@EX3300# set COMM-SALES-10 interface ge-0/0/3
{master:0}[edit vlans]
root@EX3300# set COMM-MARKETING-20 vlan-id 20
{master:0}[edit vlans]
root@EX3300# set COMM-MARKETING-20 primary-vlan PVLAN
{master:0}[edit vlans]
root@EX3300# set COMM-MARKETING-20 interface ge-0/0/4

Step 6. Assign port to Isolated PVLAN.

{master:0}[edit vlans]
root@EX3300# set PVLAN interface ge-0/0/5.0

To verify the configuration you can use following commands,

root@EX3300> show vlans 
root@EX3300> show vlans pvlan extensive
root@EX3300> show vlans extensive

Here is the output of vlan configuration.

{master:0}[edit vlans]
root# show
COMM-MARKETING-20 {
    vlan-id 20;
    interface {
        ge-0/0/4.0;
    }
    primary-vlan PVLAN;
}
COMM-SALES-10 {
    vlan-id 10;
    interface {
        ge-0/0/3.0;
    }
    primary-vlan PVLAN;
}
PVLAN {
    vlan-id 100;
    interface {
        ge-0/0/0.0; //This is promiscuous port. See step 2 and 3 above. 
        ge-0/0/5.0; //This is ISOLATED port. See step 6 above. 
    }
    no-local-switching;
}

Here is the output of show vlan command.

{master:0}[edit vlans]
root# run show vlans
Name           Tag     Interfaces
COMM-MARKETING-20 20
                       ge-0/0/0.0*, ge-0/0/4.0
COMM-SALES-10  10
                       ge-0/0/0.0*, ge-0/0/3.0
PVLAN          100
                       ge-0/0/0.0*, ge-0/0/3.0, ge-0/0/4.0, ge-0/0/5.0
__pvlan_PVLAN_ge-0/0/5.0__
                       ge-0/0/0.0*, ge-0/0/5.0
default
                       ge-0/0/2.0*, ge-0/0/8.0

Here is the output of the show vlans PVLAN extensive command. You can see Isolated 1, Community 2.

root# run show vlans PVLAN extensive
VLAN: PVLAN, Created at: Sun Jun 29 15:30:35 2014
802.1Q Tag: 100, Internal index: 2, Admin State: Enabled, Origin: Static
Private VLAN Mode: Primary
Protocol: Port Mode, Mac aging time: 300 seconds
Number of interfaces: Tagged 1 (Active = 1), Untagged  3 (Active = 0)
      ge-0/0/0.0*, tagged, trunk
      ge-0/0/3.0, untagged, access
      ge-0/0/4.0, untagged, access
      ge-0/0/5.0, untagged, access
Secondary VLANs: Isolated 1, Community  2, Inter-switch-isolated  0
  Isolated VLANs :
      __pvlan_PVLAN_ge-0/0/5.0__
  Community VLANs :
      COMM-MARKETING-20
      COMM-SALES-10

In this way you can configure private VLANs in Juniper switch.
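An added Python model (not code from the post) of which PVLAN ports can exchange frames, using the port roles from this scenario plus two hypothetical extra ports, ge-0/0/6.0 (a second isolated port) and ge-0/0/7.0 (a second port in COMM-SALES-10), so that the isolated-to-isolated and same-community cases are visible too.

```python
# Constructed model of the port roles in the EX3300 scenario above.
# Each entry is (role, community name); the name is only used for community ports.
PORTS = {
    "ge-0/0/0.0": ("promiscuous", None),            # trunk uplink to the SRX
    "ge-0/0/3.0": ("community", "COMM-SALES-10"),
    "ge-0/0/4.0": ("community", "COMM-MARKETING-20"),
    "ge-0/0/5.0": ("isolated", None),
    "ge-0/0/6.0": ("isolated", None),                # hypothetical second isolated port
    "ge-0/0/7.0": ("community", "COMM-SALES-10"),    # hypothetical second sales port
}

# Roles that reach every port of the primary VLAN.
OPEN_ROLES = {"promiscuous", "pvlan-trunk"}


def can_communicate(a, b, ports=PORTS):
    """Layer-2 reachability between two ports of the same primary PVLAN."""
    if a == b:
        return True
    role_a, group_a = ports[a]
    role_b, group_b = ports[b]
    # Promiscuous and PVLAN trunk ports talk to every port in the primary VLAN.
    if role_a in OPEN_ROLES or role_b in OPEN_ROLES:
        return True
    # Two community ports talk only if they are in the same community VLAN.
    if role_a == "community" and role_b == "community":
        return group_a == group_b
    # Any other pair involves an isolated port and is blocked.
    return False


def reachability_matrix(ports=PORTS):
    """Full port-to-port matrix, useful to eyeball a PVLAN design before committing it."""
    names = sorted(ports)
    return {a: {b: can_communicate(a, b, ports) for b in names} for a in names}


def peers_of(port, ports=PORTS):
    """Other ports that can exchange frames with the given port."""
    return sorted(p for p in ports if p != port and can_communicate(port, p, ports))


if __name__ == "__main__":
    for name in sorted(PORTS):
        print(f"{name} ({PORTS[name][0]}) can reach: {peers_of(name)}")
```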

Configure Private VLANs in Juniper Switch is a post from: MustBeGeek

Block TOR Application in Juniper SRX


The TOR application lets users browse any site while bypassing the firewall, so all the policies and rules configured on the SRX are in vain if users on the network are using TOR in their browsers. Juniper SRX cannot block the TOR application directly, but there is a workaround that blocks it to some extent. The steps shown here are not a permanent fix, because the IP addresses used by the TOR network change dynamically.


The only way I know to block TOR on a Juniper SRX is to block all the IP addresses used by the TOR network. The site www.dan.me.uk publishes a list of all the IP addresses used by TOR, thanks to dan.me.uk.

You can view the list of all the IPs used by TOR there. There can be about 6000 IP addresses, which is quite a lot.

The trick is to put all of these IPs into the SRX and block them with a firewall filter. With 6K addresses, how do you get them into a firewall filter quickly? Again, the trick is to use the Notepad++ application.

Step 1. Copy all the IP addresses from the list and paste them into Notepad++.

Step 2. Now insert ";" after each IP address. You can do so with the Replace tool in Notepad++: search for "\r" and replace it with ";". Don't forget to choose the Extended option under Search Mode in the same dialog.


Step 3. Now login to SRX and create a firewall filter. Before creating a firewall filter we have to create prefix-list under [edit policy-options] hierarchy.

{primary:node0}[edit policy-options prefix-list TOR-ADDRESS-LIST]
root@SRX# load merge terminal relative
[Type ^D at a new line to end input]

{primary:node0}[edit policy-options]
root@SRX# show
prefix-list TOR-ADDRESS-LIST {
    2.1.254.209/32;
    2.4.148.58/32;
    2.25.26.77/32;
    .
    .
    .
    .
    2.33.88.122/32;
}

Step 4. Now configure the firewall filter. You can also configure logging in SRX to view the logs later.

{primary:node0}[edit firewall filter BLOCK-TOR]
root@SRX# show
term TOR-LIST {
    from {
        source-prefix-list {
            TOR-ADDRESS-LIST;
        }
    }
    then {
        syslog;
        discard;
    }
}
term ALLOW-REST {
    then accept;
}

Step 5. Now apply the filter in Internet facing interface in inbound direction as shown below.

{primary:node0}[edit interfaces reth1]
root@SRX# show
description ****CONNECTED-TO-ISP1***;
redundant-ether-options {
    redundancy-group 1;
}
unit 0 {
    family inet {
        filter {
            input BLOCK-TOR;
        }
        address 100.10.10.2/30;
    }
}

In this way you can block TOR browsers used by your internal users to bypass the firewall.
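Instead of the Notepad++ replace in Step 2, here is an added Python script (not from the post) that turns the pasted list into the prefix-list block for load merge terminal relative, validating each entry and dropping blanks, duplicates and anything that is not an IPv4 address (the filter is family inet); RAW_LIST is a constructed sample, not the real dan.me.uk output.

```python
import ipaddress

# Constructed sample of the raw list as pasted from the browser: one address per
# line, with the kind of noise a copy-paste brings (blank line, duplicate,
# a non-address token, an IPv6 entry the inet filter could not use).
RAW_LIST = """\
2.1.254.209
2.4.148.58

2.25.26.77
2.4.148.58
not-an-address
2001:db8::1
2.33.88.122
"""


def parse_addresses(text):
    """Return (sorted unique IPv4 prefixes, rejected tokens) from a pasted list.

    A bare address becomes a /32 network; an explicit prefix such as 2.25.26.0/24
    is kept as-is. Rejected tokens are returned so they can be reviewed rather
    than silently dropped.
    """
    good, bad = set(), []
    for token in text.split():
        try:
            net = ipaddress.ip_network(token, strict=True)
        except ValueError:
            bad.append(token)
            continue
        if net.version != 4:
            bad.append(token)
            continue
        good.add(net)
    return sorted(good, key=lambda n: int(n.network_address)), bad


def render_prefix_list(name, prefixes):
    """Emit the block that the post pastes at [edit policy-options] with
    'load merge terminal relative': one entry per line, terminated by ';'."""
    lines = [f"prefix-list {name} {{"]
    lines += [f"    {prefix};" for prefix in prefixes]
    lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    prefixes, rejected = parse_addresses(RAW_LIST)
    print(render_prefix_list("TOR-ADDRESS-LIST", prefixes))
    print("rejected:", rejected)
```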


Block TOR Application in Juniper SRX is a post from: MustBeGeek