Looks like an error i D50, on D70 i cannot input a vlan with a vlan-id above 3967:
jh@fw# run show version Hostname: fw Model: srx300 Junos: 15.1X49-D70.3 JUNOS Software Release [15.1X49-D70.3] [edit] jh@fw# set vlans guest2 vlan-id 3999 error: Value 3999 is not within range (1..3967)
[edit]
jh@fw#
Weird linitation. Is there a special need to use vlan ID in the range above those specified or was this just for testing scenario?
Layer3Man - would you mind sharing your config? I've been fighting with a similar setup for ages.
Thanks,
Chuck
Hi lyndidon,
Well, You never guess the end-customer needs .. 
And yes, it only happens in D50 , in D60 and D70 I can't .. looks like a bug in D50
Hi,
LLDP and LLDP-MED for SRX300, SRX320, SRX340, SRX345, SRX550M and SRX1500 devices—Starting with Junos OS Release 15.1X49-D60, Link Layer Discovery Protocol (LLDP) and LLDP-Media Endpoint Discovery (MFD) are supported on Layer 3 interfaces for SRX300, SRX320, SRX340, SRX345, SRX550M and SRX1500 devices.
Note: On SRX300, SRX320, SRX340, and SRX345 devices, on VLAN-tagged routed interfaces, LLDP is still not supported.
You can also refer the below release note of Junos15.1x49-D70:
Regards,
Shubhankar Kaushish
------------------------------------------------------------------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.
Hi,
A static NAT is bi directional..
However, if you want to use different IP addresses for source and destination Nats to the same internal server, the you will have to implement separate source and destination NATs.
Please provide more details on what is the requirement.
Regards,
Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.
Hi Guys
I hope this is the right place for this message.
I would need your help if possible with a weird situation that I have. Due to a relocation of some devices I would need to swap node 0 with node 1 software, on a 3600 chassis cluster. Actually the explanation is that we need to mode some devices that are playing the active role to another location but we need to reassign the primary roles to the ones that are secondary now. Off course we could do a physical swap but fir the moment is not accepted by our management. Now I tried to find something on the knowledge base but ..no luck for the moment. So anybody did this?Procedure available?
Thanks in advance for your help!!!
Regards !
Marius
Hi all
Hopefully someone can help here. Like many here it seems, I don't have the greatest of experiance with these devices, but having a good understanding of port forwarding over the years I cannot fathom what's gone wrong with my fairly simple requirements.
All the forwards that I have pointing to our SBS server on 10.1.1.100 are working great, but using the same structure to try and point / redirect ports to other systems just doesn't work, even though "show security nat destination rule *******" shows "Successful sessions", I'm not getting any successful connections.
My requirements are to have all the usual Windows SBS ports + RDP forwarded to 10.1.1.100 <this bit works great>
with port 33899 translated to 10.1.1.101:3389 <can't get this working>
and ports 5060 UDP, 50443 TCP translated to 10.1.1.220:5060 (for sip) & 10.1.1.220:443 (for remote login access for our sip provider) repectively <can't get this working>
like I said this doesn't sound complicated and why it's not working has me tearing out my hair!
I've obscured public IP and use/pass's in below. The Trust zone isn't really used for anything but my own "at box" management access, the csam zone is one of our building tenents who handle their own internal networking, so it's everything to the xic 10.1.1.0/24 network unless pointing to 10.1.1.100/32 that just doesn't seem to want to work!
if anyone can spot where I'm going wrong some tips would be greatly appreciated!
version 15.1X49-D60.7;
system {
host-name SRX320;
backup-router *.*.131.197;
time-zone Europe/London;
root-authentication {
encrypted-password "***";
}
name-server {
8.8.8.8;
8.8.4.4;
}
login {
user **** {
uid 2000;
class super-user;
authentication {
encrypted-password "***";
}
}
user **** {
uid 2001;
class super-user;
authentication {
encrypted-password "***";
}
}
}
services {
ssh;
telnet;
xnm-clear-text;
netconf {
ssh;
}
dhcp-local-server {
group jdhcp-group {
interface irb.0;
}
}
web-management {
http;
https {
system-generated-certificate;
interface [ ge-0/0/2.0 ge-0/0/5.0 irb.0 ];
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any notice;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
max-configurations-on-flash 15;
max-configuration-rollbacks 15;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
server 64.99.80.121 prefer;
}
}
security {
address-book {
global {
address network_trust 192.168.1.0/24;
address network_xic 10.1.1.0/24;
address xic_sbs 10.1.1.100/32;
address xic_sw 10.1.1.101/32;
address xic_sip 10.1.1.220/32;
address csam *.*.138.218/32;
}
}
alg {
sip disable;
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set csam {
from zone untrust;
to zone untrust;
rule no_nat {
match {
source-address *.*.138.218/30;
}
then {
source-nat {
off;
}
}
}
}
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule trust-to-untrust-access {
match {
source-address 192.168.1.0/24;
source-address-name [ network_trust network_xic ];
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
rule-set xic-to-untrust {
from zone xic;
to zone untrust;
rule xic-to-untrust-access {
match {
source-address 10.1.1.0/24;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
pool xic-sbs-rdp {
address 10.1.1.100/32 port 3389;
}
pool xic-sw-rdp {
address 10.1.1.101/32 port 3389;
}
pool xic-sbs-smtp {
address 10.1.1.100/32 port 25;
}
pool xic-sbs-http {
address 10.1.1.100/32 port 80;
}
pool xic-sbs-https {
address 10.1.1.100/32 port 443;
}
pool xic-sbs-https-rwa {
address 10.1.1.100/32 port 987;
}
pool xic-sip-ctl {
address 10.1.1.220/32 port 5060;
}
pool xic-sip-al-remote {
address 10.1.1.220/32 port 443;
}
rule-set all-to-xic-services {
from zone [ csam junos-host trust untrust xic ];
rule xic-sbs-smtp {
match {
source-address 0.0.0.0/0;
destination-address *.*.131.198/32;
destination-port {
25;
}
protocol tcp;
}
then {
destination-nat {
pool {
xic-sbs-smtp;
}
}
}
}
rule xic-sbs-http {
match {
source-address 0.0.0.0/0;
destination-address *.*.131.198/32;
destination-port {
80;
}
protocol tcp;
}
then {
destination-nat {
pool {
xic-sbs-http;
}
}
}
}
rule xic-sbs-https {
match {
source-address 0.0.0.0/0;
destination-address *.*.131.198/32;
destination-port {
443;
}
protocol tcp;
}
then {
destination-nat {
pool {
xic-sbs-https;
}
}
}
}
rule xic-sbs-https-rwa {
match {
source-address 0.0.0.0/0;
destination-address *.*.131.198/32;
destination-port {
987;
}
protocol tcp;
}
then {
destination-nat {
pool {
xic-sbs-https-rwa;
}
}
}
}
rule xic-sbs-rdp {
match {
source-address 0.0.0.0/0;
destination-address *.*.131.198/32;
destination-port {
3389;
}
protocol tcp;
}
then {
destination-nat {
pool {
xic-sbs-rdp;
}
}
}
}
rule xic-sw-rdp {
match {
source-address 0.0.0.0/0;
destination-address *.*.131.198/32;
destination-port {
33899;
}
protocol tcp;
}
then {
destination-nat {
pool {
xic-sw-rdp;
}
}
}
}
rule xic-sip-ctl {
match {
source-address 0.0.0.0/0;
destination-address *.*.131.198/32;
destination-port {
5060;
}
protocol [ tcp udp ];
}
then {
destination-nat {
pool {
xic-sip-ctl;
}
}
}
}
rule xic-sip-al-remote {
match {
source-address 0.0.0.0/0;
destination-address *.*.131.198/32;
destination-port {
50443;
}
protocol [ tcp udp ];
}
then {
destination-nat {
pool {
xic-sip-al-remote;
}
}
}
}
}
}
}
policies {
from-zone trust to-zone trust {
policy trust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone xic to-zone xic {
policy xic-to-xic {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone xic to-zone untrust {
policy xic-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone xic to-zone trust {
policy xic-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone xic {
policy trust-to-xic {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone xic {
policy xic-sip {
match {
source-address any;
destination-address any;
application [ junos-https junos-sip sip-support ];
}
then {
permit;
}
}
policy rdp-from-untrust {
match {
source-address any;
destination-address any;
application [ MS-RDP MS-RDP-ALT ];
}
then {
permit;
}
}
policy xic-sbs {
match {
source-address any;
destination-address any;
application [ junos-ftp junos-http junos-http-ext junos-https junos-icmp-all junos-imap junos-imaps junos-mail junos-ping junos-smtp https-rwa ];
}
then {
permit;
}
}
}
from-zone csam to-zone untrust {
policy csam-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone csam {
policy untrust-to-csam {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
irb.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
ping;
dhcp;
tftp;
}
}
}
}
}
security-zone xic {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/2.0 {
host-inbound-traffic {
system-services {
ping;
ssh;
http;
https;
}
}
}
}
}
security-zone csam {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/5.0;
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address *.*.131.198/30;
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/2 {
unit 0 {
family inet {
address 10.1.1.1/24;
}
}
}
ge-0/0/5 {
unit 0 {
family inet {
address *.*.138.217/30;
}
}
}
irb {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
lo0 {
unit 0 {
family inet {
address 127.0.0.1/24;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop *.*.131.197;
}
}
protocols {
l2-learning {
global-mode switching;
}
}
access {
address-assignment {
pool junosDHCPPool {
family inet {
network 192.168.1.0/24;
range junosRange {
low 192.168.1.2;
high 192.168.1.254;
}
dhcp-attributes {
router {
192.168.1.1;
}
propagate-settings ge-0/0/0.0;
}
}
}
}
}
applications {
application MS-RDP {
protocol tcp;
destination-port 3389;
}
application MS-RDP-ALT {
protocol tcp;
destination-port 33899;
}
application https-rwa {
protocol tcp;
destination-port 987;
}
application sip-support {
protocol tcp;
destination-port 50443;
}
}
vlans {
vlan-trust {
vlan-id 5;
l3-interface irb.0;
}
}
Dec 26 15:14:39 15:14:29.088434:CID-01:FPC-01
IC-00:THREAD_ID-23:RT: packet dropped, denied by policy
Dec 26 15:14:39 15:14:29.088440:CID-01:FPC-01IC-00:THREAD_ID-23:RT: packet dropped, policy deny.
Dec 26 15:14:39 15:14:29.088983:CID-01:FPC-01IC-00:THREAD_ID-23:RT: packet dropped, denied by policy
Dec 26 15:14:39 15:14:29.088994:CID-01:FPC-01IC-00:THREAD_ID-23:RT: packet dropped, policy deny.
Dec 26 15:14:39 15:14:29.110225:CID-01:FPC-01IC-00:THREAD_ID-23:RT: packet dropped, denied by policy
Dec 26 15:14:39 15:14:29.110236:CID-01:FPC-01IC-00:THREAD_ID-23:RT: packet dropped, policy deny.
Dec 26 15:14:39 15:14:29.134102:CID-01:FPC-01IC-00:THREAD_ID-23:RT: packet dropped, denied by policy
Dec 26 15:14:39 15:14:29.134114:CID-01:FPC-01IC-00:THREAD_ID-23:RT: packet dropped, policy deny.
Dec 26 15:14:39 15:14:29.155196:CID-01:FPC-01IC-00:THREAD_ID-23:RT: packet dropped, denied by policy
Dec 26 15:14:39 15:14:29.155203:CID-01:FPC-01IC-00:THREAD_ID-23:RT: packet dropped, policy deny.
Dec 26 15:14:39 15:14:29.181002:CID-01:FPC-01IC-00:THREAD_ID-23:RT: packet dropped, denied by policy
Dec 26 15:14:39 15:14:29.181011:CID-01:FPC-01IC-00:THREAD_ID-23:RT: packet dropped, policy deny.
Dec 26 15:14:39 15:14:29.212745:CID-01:FPC-01IC-00:THREAD_ID-23:RT: packet dropped, denied by policy
can you share "show log 001_check| no-more" output?
HI Marius,
I hope this answers your question.
Regards,
Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.
Haha! Oh yes. That is a significant issue though. Because in some networks, they use specific vlad ids to cary specific traffic and they use high numbers like 4000 etc and that would be a major issue. I wonder what would happen if one were to upgrade from a previous version that supported it?
edited...
So I realised the limitation in the number of vlans supported depending on the model series 3xx
1,000 1,000 2,000 3,000
So I think the bug may lie in the actual value that can be entered. The vlan ID is 12 bit field hence 4096 so I would think when the commit check is done, it should be checking the total number counted and the actual value entered. I think the code should be looking at if total count of vlans is =/< (1,000 1,000 2,000 3,000) and value is =/>1 but not >4096 then config success else fail.
My guess is that the limitation on SRX300 and SRX320 versus SRX340 and SRX345 is primarily found in the fact that they have different switching asics. SRX340 and SRX345 should (to my knowledge) share the same switch asic but guessing that SRX340 is limited to 2000 vlans due to CPU-limitations.
But agreed, missing vlans above >3967 is quite a funny design decission.
When it does not jump out, the quickest way to figure it out is to turn on debugging/traceoptions and you can use some packet filters to narrow down what is collected. When you run show security flow session, that will show you the input and output intercases so you cna quickly see if your return trafic is being generated and sent to right interface.
Hi all,
There are some IP-List with thousands of small subnet i wish to block on all subnet to accessing my gateway to the internet.
What i want is that, i dont want to see all those subnets in the config otherwise it would be a needle haystack.
I know that the blocking should be done in the zones/policy or with filter drop on the interfaces. But these will appear in the config.
I want to know if its possible to block all the ip-addresses in a text file?
thank you!!!
TSB16954 has just come out and im trying to run the tool to check if i need to proceed with a JTAC call and i am getting the following errors:
% ./tool_occam_32 -r
./tool_occam_32: Authentication error. % ./tool_main_32 -r ./tool_main_32: Authentication error.
Does anyone know what the error means by this? I am running it in a root shell, and root is the only account on this box currently, so i dunno how to run this at a higher privledge if required.
Hi,
Can you please clarify few things:
1. What Junos code you are running?
2. What it the CF model - you can get it in "show chassis hardware detail"
3. Have you done singing on the tool file?
sh manifest.loader
4. If you are using a 64 bit JUNOS image, you can use following:
./tool_main_64 -r
If this post was helpful, please mark this post as an "Accepted Solution".
Kudos are always appreciated!
Thanks
Hi, guys,
I am tasked to build an edge service pop for our business, I am struggling to decide which platform to use, Cisco ASR 1K or Juniper data center SRX (SRX-5400 or lower model), here are essential requirements:
1. Full routing protocol support (BGP primarily)
2. 10+ Gbps zone based stateful firewalling throughput
3. up to 10Gbps IPsec (AES256 encryption) throughput
4. Flexible NAT configuration (static NAT, PAT, double NAT etc with policies)
5. At least 2x10GE interfaces
6. Hardware redundancy, which means I may need two boxes -- ideally I want a single control plane, proprietary clustering is acceptable
7. most importantly, automation, which means to us for now is NETCONF, device configuration will be dynamically changing by Ansible during normal operation
Juniper SRX-5400 clustering totally meets my requirements, I think ASR 1K can also meet those requirements too but I am not sure about clustering part, the only problem with SRX-5400 clustering? COST.
Would ASR-1000 series have much lower pricing tag compared to SRX-5400 with similar configuration?
Hi,
I would expect ASR1000 with the mentioned requirements to be lower priced than a SRX5400.
May I suggest for you to look at the newly released SRX4200 platform which should cover all of your requirements, except that IPsec VPN performance is listed as 9,6 Gbps, where you require 10 Gbps.
This platform is way better priced for your use case.
On the positive side you are also left only utilizing 1 RU instead of 5 RU and way lower power usage.
I can help you with this trick. I would say there are options to hide the part of configuration when running the command "show configuration". This can be achieved with a config knob “apply-flags omit” tried with MX box.
This will actually omit the hierarchy you want to omit and not seen with show configuration. In your case it would be the firewall or policy [specific to your interest].
Simple Example:
I would like to hide this part of the config under chassis hierarchy:
root# show chassis
aggregated-devices {
ethernet {
device-count 2;
}
}
fpc 0 {
pic 0 {
interface-type ge;
number-of-ports 2;
}
lite-mode;
}
[edit]
root#
Configuration Steps:
[edit]
root# set chassis apply-flags omit
[edit]
root# commit and-quit
commit complete
Exiting configuration mode
root>
Now we cannot see the content of chassis hierarchy with "show configuration",
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
archive size 10m files 10;
}
file interactive-commands {
interactive-commands any;
}
}
}
chassis { /* OMITTED */ }; <<<<<<<
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 55.55.55.2/30;
}
}
}
}
To display configuration statements (including those marked as hidden by the apply-flags omit configuration statement).
root> show configuration | display omit
<snipped>
chassis {
apply-flags omit;
aggregated-devices {
ethernet {
device-count 2;
}
}
fpc 0 {
pic 0 {
interface-type ge;
number-of-ports 2;
}
lite-mode;
}
}
<snipped>
However you can see the configuration with polling the exact hierarchy as below and it will be seen,
root> show configuration chassis
apply-flags omit;
aggregated-devices {
ethernet {
device-count 2;
}
}
fpc 0 {
pic 0 {
interface-type ge;
number-of-ports 2;
}
lite-mode;
}
root>
Hopefully it meets your requirement!
