Solved

Juniper EX4500

Posted on 2014-12-08
Last Modified: 2014-12-09
We want to activate the URPF check on our EX4500, but


root@gate.spdnet.net#  set interfaces ae0 unit 0 family inet rpf-check
root@gate.spdnet.net# commit confirmed 1
[edit protocols]
  'bgp'
    warning: requires 'bgp' license
[edit interfaces ae0 unit 0]
  'family'
    When ethernet-switching family is configured on an interface, no other family type can be configured on the same interface.
error: configuration check-out failed




We get that error. How should we overcome this issue?


## Last changed: 2014-12-08 17:41:57 UTC
version 12.3R8.7;
system {
    host-name gate.spdnet.net;
    root-authentication {


    }
    services {
        ssh {
            protocol-version v2;
        }
        telnet;
        netconf {
            ssh;
        }
        web-management {
            http;
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
chassis {
    aggregated-devices {
        ethernet {
            device-count 3;
        }
    }
}
interfaces {
    xe-0/0/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    xe-0/0/1 {
        ether-options {
            802.3ad ae0;
        }
    }
    xe-0/0/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/8 {
        ether-options {
            802.3ad ae1;
        }
    }
    xe-0/0/8 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/9 {
        ether-options {
            802.3ad ae1;
        }
    }
    xe-0/0/9 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/10 {
        ether-options {
            802.3ad ae2;
        }
    }
    xe-0/0/10 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/11 {
        ether-options {
            802.3ad ae2;
        }
    }
    xe-0/0/11 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/12 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/13 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/14 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/15 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/16 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/17 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/18 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/19 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/20 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/21 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/22 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/23 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/24 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/25 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/26 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/27 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/28 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/29 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/30 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/31 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/32 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/33 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/34 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/35 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/36 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/37 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/38 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/39 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ae0 {
        description xxxxxx;
        aggregated-ether-options {
            minimum-links 1;
            lacp {
                active;
                periodic fast;
            }
        }
        unit 0 {
            family inet {
                rpf-check;
            }
            family ethernet-switching;
        }
    }
    ae1 {
        description "Netscaler UPlink";
        aggregated-ether-options {
            lacp {
                active;
                periodic fast;
            }
        }
        unit 0 {
            family inet {
                address 10.98.37.33/30;
            }
        }
    }
    ae2 {
        description "Netscaler Downlink";
        aggregated-ether-options {
            lacp {
                active;
                periodic fast;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    me0 {
        unit 0 {
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 10.32.35.14/30;
            }
        }
        unit 1 {
            family inet {
                filter {
                    input only-spd-network;
                }
  









            }
        }
    }
}
snmp {
    location izmir;
    contact "xxxx";
    community xxxx{
        authorization read-only;
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.32.35.13;
       





    }
    autonomous-system 57844;
}
protocols {
    bgp {
        group xxxxxx{
            type external;
            description xxxxxxx;
            local-address 10.32.35.14;
            import SPD-IN;
            export SPD-OUT;
            peer-as 43391;
            neighbor 10.32.35.13;
        }
    }
    igmp-snooping {
        vlan all;
    }
    rstp;
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
    sflow {
        polling-interval 10;
        sample-rate 500;
        source-ip 185.9.157.1;
        collector 185.9.157.19;
        interfaces xe-0/0/0.0;
        interfaces xe-0/0/1.0;
    }
}
policy-options {
    prefix-list SPD-PREFIX-LIST {
        185.9.157.0/24;
    }
    policy-statement SPD-IN {
        term 1 {
            then accept;
        }
    }
    policy-statement SPD-OUT {
        term 1 {
            from {
                prefix-list SPD-PREFIX-LIST;
            }
            then {
                community + Firewall;
                accept;
            }
        }
        term 500 {
            then reject;
        }
    }
    community Firewall members [ 9121:444 43391:111 ];
}
firewall {
    family inet {
        filter only-spd-network {
            term 1 {
                from {
                    source-address {














                    }
                }
                then accept;
            }
            term 500 {
                then {
                    reject;
                }
            }
        }
    }
}
ethernet-switching-options {
    voip;
    storm-control {
        interface all;
    }
}
vlans {
    xxxxxx{
        vlan-id 51;
        interface {
            ae0.0;
        }
        l3-interface vlan.0;
    }
    default {
        l3-interface vlan.1;
    }
}

Question by:Cahit Eyigunlu
8 Comments
 
LVL 17

Expert Comment

by:pergr
ID: 40488249
First of all, you cannot have both inet and ethernet-switching on ae0:

ae0 {
        unit 0 {
            family inet {
                rpf-check;
            }
            family ethernet-switching;
        }
    }



You need to configure rpf on some 'routed' interface, like ae1.0 or vlan.0.

The other error message, about the license, is for your BGP configuration under [protocols bgp].
You need to buy and install an AFL (advanced feature license) in order to run BGP on the EX4500.
0
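A pre-commit check for the conflict described in the comment above, as an added example (not code from the thread or from Juniper). It assumes the one-statement-per-line layout that "show configuration" prints; the function names are hypothetical.

```python
# Constructed sample: ae0 and vlan stanzas trimmed from the configuration posted above.
SAMPLE = """
interfaces {
    ae0 {
        unit 0 {
            family inet {
                rpf-check;
            }
            family ethernet-switching;
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 10.32.35.14/30;
            }
        }
    }
}
"""

def unit_families(config):
    """Walk the brace hierarchy; return {'ifname.unit': [families]}."""
    stack, found = [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "}":
            if stack:
                stack.pop()
            continue
        name = line.rstrip("{;").strip()
        if (name.startswith("family ") and len(stack) == 3
                and stack[0] == "interfaces" and stack[2].startswith("unit ")):
            unit = f"{stack[1]}.{stack[2].split()[1]}"
            found.setdefault(unit, []).append(name.split()[1])
        if line.endswith("{"):
            stack.append(name)
    return found

def family_conflicts(config):
    """Units mixing ethernet-switching with another family (the commit error above)."""
    return {u: f for u, f in unit_families(config).items()
            if "ethernet-switching" in f and len(set(f)) > 1}

def routed_units(config):
    """Units with family inet and no ethernet-switching: routed candidates for rpf-check."""
    return sorted(u for u, f in unit_families(config).items()
                  if "inet" in f and "ethernet-switching" not in f)
```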
 

Author Comment

by:Cahit Eyigunlu
ID: 40488560
OK, then how should I add rpf-check to vlan 0?
0
 
LVL 17

Expert Comment

by:pergr
ID: 40488638
set interfaces vlan unit 0 family inet rpf-check
0

 

Author Comment

by:Cahit Eyigunlu
ID: 40488773
I could not understand that;
does RPF-check block the spoofed output from our network, or does it check for incoming spoofed calls from the internet?
0
 
LVL 17

Expert Comment

by:pergr
ID: 40488806
The RPF check is done when the packet enters the EX.

If applied to vlan.0, then for a packet to enter the EX, the source address of the packet needs to be in a route that points out of vlan.0.
0
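The ingress check described in the comment above, modelled as an added example (not code from the thread or from Juniper). It assumes a strict-mode check against the best route only; the routing table and packets are constructed from the addresses in the posted configuration, and the function names are hypothetical.

```python
import ipaddress

# Constructed routing table built from addresses in the posted configuration:
# vlan.0 = 10.32.35.14/30, ae1.0 = 10.98.37.33/30, static default via 10.32.35.13.
ROUTES = [
    ("0.0.0.0/0", "vlan.0"),
    ("10.32.35.12/30", "vlan.0"),
    ("10.98.37.32/30", "ae1.0"),
]

def best_route_interface(address, routes=ROUTES):
    """Longest-prefix match: interface the best route to `address` points out of."""
    addr = ipaddress.ip_address(address)
    matches = [(net, ifc) for net, ifc in
               ((ipaddress.ip_network(p), i) for p, i in routes) if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def strict_rpf_accepts(source, ingress, rpf_interfaces, routes=ROUTES):
    """Assumed strict-mode model: accept only if the best route back to the
    source points out of the interface the packet arrived on."""
    if ingress not in rpf_interfaces:
        return True  # rpf-check not configured here, nothing is verified
    return best_route_interface(source, routes) == ingress

# Constructed packets: (source address, ingress interface).
PACKETS = [
    ("203.0.113.7", "vlan.0"),   # Internet source arriving from upstream
    ("10.98.37.34", "vlan.0"),   # source routed via ae1.0, arriving from upstream
    ("10.98.37.34", "ae1.0"),    # same source on its own interface
    ("203.0.113.7", "ae1.0"),    # foreign source arriving from ae1.0
]

def verdicts(rpf_interfaces, packets=PACKETS):
    """Return 'accept'/'drop' per packet for a given set of rpf-check interfaces."""
    return ["accept" if strict_rpf_accepts(s, i, rpf_interfaces) else "drop"
            for s, i in packets]

if __name__ == "__main__":
    for ifaces in ({"vlan.0"}, {"ae1.0"}, {"vlan.0", "ae1.0"}):
        print(sorted(ifaces), verdicts(ifaces))
```

In this model, because the default route points out of vlan.0, the check on vlan.0 accepts any Internet source and drops only sources whose more specific route points out of another interface.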
 

Author Comment

by:Cahit Eyigunlu
ID: 40488817
We are looking for a solution whose direction is from out to in.

• Control plane denial-of-service (DoS) protection

That sentence made us search about the topic on
http://www.juniper.net/us/en/local/pdf/datasheets/1000322-en.pdf


Do we mistake something?
0
 
LVL 17

Accepted Solution

by:
pergr earned 2000 total points
ID: 40488889
The 'control plane dos protection' is for protecting the control plane (CPU) on the EX itself from DOS attacks.

It is not directly related to RPF.

It is more related to RFC6192.
https://tools.ietf.org/html/rfc6192

A full description of how that can be configured is here:
http://www.juniper.net/us/en/training/jnbooks/day-one/fundamentals-series/securing-routing-engine/

Some shorter introductions:
http://www.dummies.com/how-to/content/how-to-protect-the-junos-routing-engine.html
http://showroute.net/juniper-ex-switch-arp-issues-with-re-filters/
0
 

Author Closing Comment

by:Cahit Eyigunlu
ID: 40490262
You are king :)
0


Question has a verified solution.
