Juniper EX4500

we want to activate the URPF check on our EX4500  but


root@gate.spdnet.net#  set interfaces ae0 unit 0 family inet rpf-check
root@gate.spdnet.net# commit confirmed 1
[edit protocols]
  'bgp'
    warning: requires 'bgp' license
[edit interfaces ae0 unit 0]
  'family'
    When ethernet-switching family is configured on an interface, no other famil                                                                                                                                y type can be configured on the same interface.
error: configuration check-out failed

Open in new window



we get that error how should we overcome this issue


## Last changed: 2014-12-08 17:41:57 UTC
version 12.3R8.7;
system {
    host-name gate.spdnet.net;
    root-authentication {


    }
    services {
        ssh {
            protocol-version v2;
        }
        telnet;
        netconf {
            ssh;
        }
        web-management {
            http;
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
chassis {
    aggregated-devices {
        ethernet {
            device-count 3;
        }
    }
}
interfaces {
    xe-0/0/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    xe-0/0/1 {
        ether-options {
            802.3ad ae0;
        }
    }
    xe-0/0/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/8 {
        ether-options {
            802.3ad ae1;
        }
    }
    xe-0/0/8 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/9 {
        ether-options {
            802.3ad ae1;
        }
    }
    xe-0/0/9 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/10 {
        ether-options {
            802.3ad ae2;
        }
    }
    xe-0/0/10 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/11 {
        ether-options {
            802.3ad ae2;
        }
    }
    xe-0/0/11 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/12 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/13 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/14 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/15 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/16 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/17 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/18 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/19 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/20 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/21 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/22 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/23 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/24 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/25 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/26 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/27 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/28 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/29 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/30 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/31 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/32 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/33 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/34 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/35 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/36 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/37 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/38 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/39 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ae0 {
        description xxxxxx;
        aggregated-ether-options {
            minimum-links 1;
            lacp {
                active;
                periodic fast;
            }
        }
        unit 0 {
            family inet {
                rpf-check;
            }
            family ethernet-switching;
        }
    }
    ae1 {
        description "Netscaler UPlink";
        aggregated-ether-options {
            lacp {
                active;
                periodic fast;
            }
        }
        unit 0 {
            family inet {
                address 10.98.37.33/30;
            }
        }
    }
    ae2 {
        description "Netscaler Downlink";
        aggregated-ether-options {
            lacp {
                active;
                periodic fast;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    me0 {
        unit 0 {
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 10.32.35.14/30;
            }
        }
        unit 1 {
            family inet {
                filter {
                    input only-spd-network;
                }
  









            }
        }
    }
}
snmp {
    location izmir;
    contact "xxxx";
    community xxxx{
        authorization read-only;
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.32.35.13;
       





    }
    autonomous-system 57844;
}
protocols {
    bgp {
        group xxxxxx{
            type external;
            description xxxxxxx;
            local-address 10.32.35.14;
            import SPD-IN;
            export SPD-OUT;
            peer-as 43391;
            neighbor 10.32.35.13;
        }
    }
    igmp-snooping {
        vlan all;
    }
    rstp;
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
    sflow {
        polling-interval 10;
        sample-rate 500;
        source-ip 185.9.157.1;
        collector 185.9.157.19;
        interfaces xe-0/0/0.0;
        interfaces xe-0/0/1.0;
    }
}
policy-options {
    prefix-list SPD-PREFIX-LIST {
        185.9.157.0/24;
    }
    policy-statement SPD-IN {
        term 1 {
            then accept;
        }
    }
    policy-statement SPD-OUT {
        term 1 {
            from {
                prefix-list SPD-PREFIX-LIST;
            }
            then {
                community + Firewall;
                accept;
            }
        }
        term 500 {
            then reject;
        }
    }
    community Firewall members [ 9121:444 43391:111 ];
}
firewall {
    family inet {
        filter only-spd-network {
            term 1 {
                from {
                    source-address {














                    }
                }
                then accept;
            }
            term 500 {
                then {
                    reject;
                }
            }
        }
    }
}
ethernet-switching-options {
    voip;
    storm-control {
        interface all;
    }
}
vlans {
    xxxxxx{
        vlan-id 51;
        interface {
            ae0.0;
        }
        l3-interface vlan.0;
    }
    default {
        l3-interface vlan.1;
    }
}

Open in new window

FireBallITAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

pergrCommented:
First of all, you can not have both inet and ethernet switching on ae0

ae0 {
        unit 0 {
            family inet {
                rpf-check;
            }
            family ethernet-switching;
        }
    }

Open in new window


You need to configure rpf on some 'routed' interface, like ae1.0 or vlan.0.

The other error message about license, is for your BGP configuration under [protocols bgp].
You need to buy and install an AFL (advanced feature license) in order to run BGP on the EX4500.
0
FireBallITAuthor Commented:
ok then how should i add rpf-check to vlan 0
0
pergrCommented:
set interfaces vlan unit 0 family inet rpf-check
0
Powerful Yet Easy-to-Use Network Monitoring

Identify excessive bandwidth utilization or unexpected application traffic with SolarWinds Bandwidth Analyzer Pack.

FireBallITAuthor Commented:
I could not understand that ;
does RPF-Check  block the spoof output from our network ? or does it check for incomming spoof calls from the internet.
0
pergrCommented:
The RPF check is done when the packet enters the EX.

If applied to vlan.0, then for a packet to enter the EX, the source address of the packet needs to be in a router that points out of vlan.0
0
FireBallITAuthor Commented:
we are looking for a solution which's directon from out to in

• Control plane denial-of-service (DoS) protection

that centences made let us search about the topic on
http://www.juniper.net/us/en/local/pdf/datasheets/1000322-en.pdf


do we mistake sth. ?
0
pergrCommented:
The 'control plane dos protection' is for protecting the control plane (CPU) on the EX itself from DOS attacks.

It is not directly related to RPF.

It is more related to RFC6192.
https://tools.ietf.org/html/rfc6192

A full description of how that can be configured is here:
http://www.juniper.net/us/en/training/jnbooks/day-one/fundamentals-series/securing-routing-engine/

Some shorter introductions:
http://www.dummies.com/how-to/content/how-to-protect-the-junos-routing-engine.html
http://showroute.net/juniper-ex-switch-arp-issues-with-re-filters/
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
FireBallITAuthor Commented:
You are king :)
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.