Solved

Juniper EX4500

Posted on 2014-12-08
8
331 Views
Last Modified: 2014-12-09
We want to activate the uRPF check on our EX4500, but


root@gate.spdnet.net#  set interfaces ae0 unit 0 family inet rpf-check
root@gate.spdnet.net# commit confirmed 1
[edit protocols]
  'bgp'
    warning: requires 'bgp' license
[edit interfaces ae0 unit 0]
  'family'
    When ethernet-switching family is configured on an interface, no other family type can be configured on the same interface.
error: configuration check-out failed




We get that error. How should we overcome this issue?


## Last changed: 2014-12-08 17:41:57 UTC
version 12.3R8.7;
system {
    host-name gate.spdnet.net;
    root-authentication {

    }
    services {
        ssh {
            protocol-version v2;
        }
        telnet;
        netconf {
            ssh;
        }
        web-management {
            http;
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
chassis {
    aggregated-devices {
        ethernet {
            device-count 3;
        }
    }
}
interfaces {
    xe-0/0/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    xe-0/0/1 {
        ether-options {
            802.3ad ae0;
        }
    }
    xe-0/0/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/8 {
        ether-options {
            802.3ad ae1;
        }
    }
    xe-0/0/8 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/9 {
        ether-options {
            802.3ad ae1;
        }
    }
    xe-0/0/9 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/10 {
        ether-options {
            802.3ad ae2;
        }
    }
    xe-0/0/10 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/11 {
        ether-options {
            802.3ad ae2;
        }
    }
    xe-0/0/11 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/12 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/13 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/14 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/15 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/16 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/17 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/18 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/19 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/20 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/21 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/22 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/23 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/24 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/25 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/26 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/27 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/28 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/29 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/30 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/31 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/32 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/33 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/34 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/35 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/36 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/37 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/38 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/39 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ae0 {
        description xxxxxx;
        aggregated-ether-options {
            minimum-links 1;
            lacp {
                active;
                periodic fast;
            }
        }
        unit 0 {
            family inet {
                rpf-check;
            }
            family ethernet-switching;
        }
    }
    ae1 {
        description "Netscaler UPlink";
        aggregated-ether-options {
            lacp {
                active;
                periodic fast;
            }
        }
        unit 0 {
            family inet {
                address 10.98.37.33/30;
            }
        }
    }
    ae2 {
        description "Netscaler Downlink";
        aggregated-ether-options {
            lacp {
                active;
                periodic fast;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    me0 {
        unit 0 {
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 10.32.35.14/30;
            }
        }
        unit 1 {
            family inet {
                filter {
                    input only-spd-network;
                }
  
            }
        }
    }
}
snmp {
    location izmir;
    contact "xxxx";
    community xxxx{
        authorization read-only;
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.32.35.13;
       
    }
    autonomous-system 57844;
}
protocols {
    bgp {
        group xxxxxx{
            type external;
            description xxxxxxx;
            local-address 10.32.35.14;
            import SPD-IN;
            export SPD-OUT;
            peer-as 43391;
            neighbor 10.32.35.13;
        }
    }
    igmp-snooping {
        vlan all;
    }
    rstp;
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
    sflow {
        polling-interval 10;
        sample-rate 500;
        source-ip 185.9.157.1;
        collector 185.9.157.19;
        interfaces xe-0/0/0.0;
        interfaces xe-0/0/1.0;
    }
}
policy-options {
    prefix-list SPD-PREFIX-LIST {
        185.9.157.0/24;
    }
    policy-statement SPD-IN {
        term 1 {
            then accept;
        }
    }
    policy-statement SPD-OUT {
        term 1 {
            from {
                prefix-list SPD-PREFIX-LIST;
            }
            then {
                community + Firewall;
                accept;
            }
        }
        term 500 {
            then reject;
        }
    }
    community Firewall members [ 9121:444 43391:111 ];
}
firewall {
    family inet {
        filter only-spd-network {
            term 1 {
                from {
                    source-address {

                    }
                }
                then accept;
            }
            term 500 {
                then {
                    reject;
                }
            }
        }
    }
}
ethernet-switching-options {
    voip;
    storm-control {
        interface all;
    }
}
vlans {
    xxxxxx{
        vlan-id 51;
        interface {
            ae0.0;
        }
        l3-interface vlan.0;
    }
    default {
        l3-interface vlan.1;
    }
}


0
Question by:Cahit Eyigunlu
8 Comments
 
LVL 17

Expert Comment

by:pergr
ID: 40488249
First of all, you cannot have both inet and ethernet-switching on ae0:

ae0 {
        unit 0 {
            family inet {
                rpf-check;
            }
            family ethernet-switching;
        }
    }



You need to configure rpf on some 'routed' interface, like ae1.0 or vlan.0.

The other error message, about the license, is for your BGP configuration under [protocols bgp].
You need to buy and install an AFL (advanced feature license) in order to run BGP on the EX4500.
0
 

Author Comment

by:Cahit Eyigunlu
ID: 40488560
OK, then how should I add rpf-check to vlan 0?
0
 
LVL 17

Expert Comment

by:pergr
ID: 40488638
set interfaces vlan unit 0 family inet rpf-check
0

 

Author Comment

by:Cahit Eyigunlu
ID: 40488773
I could not understand that;
does RPF-Check block spoofed output from our network? Or does it check for incoming spoofed calls from the internet?
0
 
LVL 17

Expert Comment

by:pergr
ID: 40488806
The RPF check is done when the packet enters the EX.

If applied to vlan.0, then for a packet to enter the EX, the source address of the packet needs to be in a route that points out of vlan.0.
0
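Putting pergr's two answers together (move rpf-check off ae0 onto the routed vlan.0, and keep in mind that the check runs when the packet enters the switch), the fragment below is an added configuration example; it is not from the thread and not from Juniper's documentation. The filter name rpf-fail-log and the counter name rpf-fail are constructed, the fail-filter option under rpf-check is assumed to be accepted by this Junos release (check with `?` at that hierarchy level), and the site prefix 185.9.157.0/24 is assumed to be reachable through some interface other than vlan.0.

```junos
interfaces {
    ae0 {
        unit 0 {
            /* Layer 2 only: the inet family and its rpf-check are removed, as pergr noted */
            family ethernet-switching;
        }
    }
    vlan {
        unit 0 {
            family inet {
                /* strict uRPF on the upstream-facing SVI (10.32.35.14/30);
                   packets failing the check are handed to rpf-fail-log */
                rpf-check {
                    fail-filter rpf-fail-log;
                }
                address 10.32.35.14/30;
            }
        }
    }
}
firewall {
    family inet {
        /* constructed fail-filter: count and log the failures, then discard them */
        filter rpf-fail-log {
            term log-and-drop {
                then {
                    count rpf-fail;
                    log;
                    discard;
                }
            }
        }
    }
}
```

With the posted routing table (only a default route whose next hop 10.32.35.13 sits on vlan.0), strict mode on vlan.0 passes any internet source and drops only packets arriving from the upstream that claim a source whose best route points somewhere else, for instance the site's own 185.9.157.0/24; that is the out-to-in case the author asks about. Catching an internal host that spoofs an outside address is the mirror image and needs the same rpf-check statement on the interface facing the internal hosts (vlan.1 in the posted config, judging by its only-spd-network input filter). Commit with `commit confirmed` as the question already does, then watch `show firewall filter rpf-fail-log` and `show firewall log` for drops; if fail-filter is not accepted on this platform, remove it and the failing packets are still discarded, just not counted.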
 

Author Comment

by:Cahit Eyigunlu
ID: 40488817
We are looking for a solution whose direction is from out to in.

• Control plane denial-of-service (DoS) protection

That sentence made us search about the topic in
http://www.juniper.net/us/en/local/pdf/datasheets/1000322-en.pdf


Are we mistaken about something?
0
 
LVL 17

Accepted Solution

by:
pergr earned 500 total points
ID: 40488889
The 'control plane DoS protection' is for protecting the control plane (CPU) on the EX itself from DoS attacks.

It is not directly related to RPF.

It is more related to RFC6192.
https://tools.ietf.org/html/rfc6192

A full description of how that can be configured is here:
http://www.juniper.net/us/en/training/jnbooks/day-one/fundamentals-series/securing-routing-engine/

Some shorter introductions:
http://www.dummies.com/how-to/content/how-to-protect-the-junos-routing-engine.html
http://showroute.net/juniper-ex-switch-arp-issues-with-re-filters/
0
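An added example of the RFC 6192 style routing-engine protection filter that the links in the accepted answer describe; it is not pergr's configuration and not taken from Juniper's documentation. The filter name protect-re, the policer re-icmp, the counter re-denied and the prefix list MGMT-HOSTS (192.0.2.0/24, a constructed placeholder for the management network) are assumptions, lo0 unit 0 is assumed to be present, and the BGP peer 10.32.35.13, SSH, NETCONF and SNMP come from the posted configuration.

```junos
policy-options {
    /* constructed placeholder: replace with the real management subnet(s) */
    prefix-list MGMT-HOSTS {
        192.0.2.0/24;
    }
}
firewall {
    /* rate-limit ICMP towards the RE instead of dropping it outright */
    policer re-icmp {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            /* BGP only from the configured peer */
            term bgp-peer {
                from {
                    source-address {
                        10.32.35.13/32;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* SSH (22) and NETCONF over SSH (830) only from management hosts */
            term mgmt-ssh {
                from {
                    source-prefix-list {
                        MGMT-HOSTS;
                    }
                    protocol tcp;
                    destination-port [ 22 830 ];
                }
                then accept;
            }
            /* SNMP polling only from management hosts */
            term mgmt-snmp {
                from {
                    source-prefix-list {
                        MGMT-HOSTS;
                    }
                    protocol udp;
                    destination-port snmp;
                }
                then accept;
            }
            term icmp-limited {
                from {
                    protocol icmp;
                }
                then {
                    policer re-icmp;
                    accept;
                }
            }
            /* everything else aimed at the RE is counted, logged and dropped */
            term default-deny {
                then {
                    count re-denied;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

A filter on lo0.0 applies to traffic destined for the routing engine itself, which is what the 'control plane DoS protection' line in the datasheet is about; it is independent of the rpf-check on the transit interfaces. The terms above deliberately do not allow telnet or plain http, both of which the posted config enables under system services, so either add terms for them or, better, disable those plaintext services before applying the filter. Apply it with `commit confirmed` so a mistake that cuts off management access rolls back on its own, and verify with `show firewall filter protect-re` that the default-deny counter is only collecting traffic you expected to drop.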
 

Author Closing Comment

by:Cahit Eyigunlu
ID: 40490262
You are king :)
0
