Monday 22 July 2013

Junos OS Release Changes for 2013-2014

Juniper is adjusting the Junos OS release schedule for 2013 and 2014 to better align our software development to new Juniper products for the cloud, data center and mobile markets. Below are the specifics:
  • Junos OS 13.2 will ship in August 2013.
  • Junos OS 13.3 moves to 1Q 2014 and remains an Extended End-of-Life (EEOL) release.
  • Junos OS 14.1 will ship 1H 2014.
  • Junos OS 14.2 will ship in 2H 2014.
  • Junos OS 14.3 feature content will be delivered in 2015.
[Figure: Release Changes, Old and New Plan]
Junos OS SRX Series News
  • Junos OS 12.1R7, scheduled for release July 25, 2013, will be the final 12.1R release for SRX Series platforms.
  • 11.4 EEOL will continue to support SRX Series platforms.
  • Junos OS 12.1X44 will deliver new features for the SRX Series platforms.

Thursday 18 July 2013

Junos : SRX Traffic Shaping

Let us assume you want to limit traffic coming from the subnet 10.132.245.0/24 to 50 Mbps on the outgoing interface ge-0/0/0.

Here is how you do it.

Note: the parts that matter here are the 'ddn' forwarding class (queue 4) and the 'ddn-scheduler'; the rest of the class-of-service configuration is the surrounding scheduler map that the new queue is added to.

Configuration:

class-of-service {
    forwarding-classes {
        queue 0 best-effort;
        queue 1 real-time;
        queue 2 burst-hi;
        queue 3 network-control;
        queue 4 ddn;
    }
    interfaces {
        ge-0/0/0 {
            unit * {
                scheduler-map cos-map;
                shaping-rate 1g;
            }
        }
    }
    scheduler-maps {
        cos-map {
            forwarding-class real-time scheduler rt-scheduler;
            forwarding-class burst-hi scheduler bh-scheduler;
            forwarding-class best-effort scheduler be-scheduler;
            forwarding-class network-control scheduler nc-scheduler;
            forwarding-class ddn scheduler ddn-scheduler;
        }
    }
    schedulers {
        nc-scheduler {
            transmit-rate 70k;
            buffer-size percent 5;
            priority high;
        }
        rt-scheduler {
            transmit-rate 50k;
            buffer-size percent 1;
            priority high;
        }
        bh-scheduler {
            transmit-rate 100k;
            buffer-size percent 10;
            priority medium-high;
        }
        be-scheduler {
            transmit-rate remainder;
            buffer-size remainder;
            priority low;
        }
        ddn-scheduler {
            transmit-rate 50m exact;    ## the "exact" keyword is what solved the issue
            buffer-size percent 40;
            priority low;
        }
    }
}

firewall {
    family inet {
        filter ddn-traffic {
            term 1 {
                from {
                    source-address {
                        10.132.245.0/24;
                    }
                }
                then {
                    forwarding-class ddn;
                    accept;
                }
            }
            term default {
                then {
                    forwarding-class best-effort;
                    accept;
                }
            }
        }
    }
}

Procedure:
  1. Create a separate forwarding class for the traffic to be limited; here that is the ddn class on queue 4.

  2. Create a scheduler for that class; here that is ddn-scheduler.

  3. Set the scheduler's transmit-rate to the limit you want and add the exact keyword, so that the rate is a cap and not just a guaranteed minimum.

  4. Create a scheduler-map that attaches ddn-scheduler to the ddn class, and bind the map (together with the shaping-rate) to the outgoing interface, here ge-0/0/0.

  5. Define a firewall filter that places the traffic you want limited into the ddn class. The filter has no effect until it is applied as an input filter (family inet filter input ddn-traffic) on the interface where that traffic enters the SRX; the configuration above does not show that step.

  6. Without the exact keyword, transmit-rate is only the queue's guaranteed share: the ddn queue gets its 50 Mbps and then borrows whatever bandwidth the other classes leave idle. With exact, the queue is capped at 50 Mbps even when the rest of the link is empty.
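The whole procedure in set form, as an added example that is not from the original post. It adds the two things the post leaves out, applying the classifier on the ingress interface and a counter to prove the filter matches, plus the operational commands to check the result. Assumed (not in the post): the traffic from 10.132.245.0/24 enters the SRX on ge-0/0/1, and the counter name ddn-matched.

```junos
## Added example; not from the original post. Assumed: ingress interface ge-0/0/1,
## counter name ddn-matched. Everything else follows the post's configuration.

## 1. Forwarding classes (queue 4 is the new ddn class)
set class-of-service forwarding-classes queue 0 best-effort
set class-of-service forwarding-classes queue 1 real-time
set class-of-service forwarding-classes queue 2 burst-hi
set class-of-service forwarding-classes queue 3 network-control
set class-of-service forwarding-classes queue 4 ddn

## 2. Schedulers. Without "exact", transmit-rate is a guaranteed share that may
##    borrow idle bandwidth; with "exact" it is a hard cap.
set class-of-service schedulers nc-scheduler transmit-rate 70k
set class-of-service schedulers nc-scheduler buffer-size percent 5
set class-of-service schedulers nc-scheduler priority high
set class-of-service schedulers rt-scheduler transmit-rate 50k
set class-of-service schedulers rt-scheduler buffer-size percent 1
set class-of-service schedulers rt-scheduler priority high
set class-of-service schedulers bh-scheduler transmit-rate 100k
set class-of-service schedulers bh-scheduler buffer-size percent 10
set class-of-service schedulers bh-scheduler priority medium-high
set class-of-service schedulers be-scheduler transmit-rate remainder
set class-of-service schedulers be-scheduler buffer-size remainder
set class-of-service schedulers be-scheduler priority low
set class-of-service schedulers ddn-scheduler transmit-rate 50m exact
set class-of-service schedulers ddn-scheduler buffer-size percent 40
set class-of-service schedulers ddn-scheduler priority low

## 3. Scheduler map, bound to the egress interface together with the port shaping rate
set class-of-service scheduler-maps cos-map forwarding-class real-time scheduler rt-scheduler
set class-of-service scheduler-maps cos-map forwarding-class burst-hi scheduler bh-scheduler
set class-of-service scheduler-maps cos-map forwarding-class best-effort scheduler be-scheduler
set class-of-service scheduler-maps cos-map forwarding-class network-control scheduler nc-scheduler
set class-of-service scheduler-maps cos-map forwarding-class ddn scheduler ddn-scheduler
set class-of-service interfaces ge-0/0/0 unit * scheduler-map cos-map
set class-of-service interfaces ge-0/0/0 unit * shaping-rate 1g

## 4. Classifier: the subnet goes to the ddn class (and is counted), all else to best-effort
set firewall family inet filter ddn-traffic term 1 from source-address 10.132.245.0/24
set firewall family inet filter ddn-traffic term 1 then forwarding-class ddn
set firewall family inet filter ddn-traffic term 1 then count ddn-matched
set firewall family inet filter ddn-traffic term 1 then accept
set firewall family inet filter ddn-traffic term default then forwarding-class best-effort
set firewall family inet filter ddn-traffic term default then accept

## 5. Apply the filter where the traffic ENTERS the SRX. A filter that is only
##    defined classifies nothing. (ge-0/0/1 is the assumed ingress interface.)
set interfaces ge-0/0/1 unit 0 family inet filter input ddn-traffic

## Commit with an automatic rollback in case the change cuts you off, then confirm it
commit confirmed 5
commit

## 6. Verify (operational commands, run from configuration mode with "run")
run show class-of-service interface ge-0/0/0
run show firewall filter ddn-traffic
run show interfaces queue ge-0/0/0 forwarding-class ddn
```

The ddn-matched counter and the ddn queue's transmitted counters should climb together while hosts in 10.132.245.0/24 send traffic out of ge-0/0/0. If ddn-matched stays at zero, the filter is on the wrong interface or the wrong direction; if the queue's tail-drop counter rises under sustained load from the subnet, that is the cap doing its job.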

Tuesday 9 July 2013

Junos : VRRP

For Ethernet, Fast Ethernet, Gigabit Ethernet, 10-Gigabit Ethernet, and logical interfaces, you can configure the Virtual Router Redundancy Protocol (VRRP) or VRRP for IPv6. VRRP enables hosts on a LAN to make use of redundant routing platforms on that LAN without requiring more than the static configuration of a single default route on the hosts. 

The VRRP routing platforms share the IP address corresponding to the default route configured on the hosts. At any time, one of the VRRP routing platforms is the master (active) and the others are backups. If the master fails, one of the backup routers or switches becomes the new master router, providing a virtual default routing platform and enabling traffic on the LAN to be routed without relying on a single routing platform. Using VRRP, a backup router can take over a failed default router within a few seconds. This is done with minimum VRRP traffic and without any interaction with the hosts.


Routers or switches running VRRP dynamically elect master and backup routers. You can also force the assignment of master and backup routers using priorities from 1 through 255, with 255 being the highest priority. In VRRP operation, the master router sends advertisements to the backup routers at regular intervals; the default interval is 1 second. If a backup router does not receive an advertisement for a set period, the backup router with the next highest priority takes over as master and begins forwarding packets.


Configure one master (Router A) and one backup (Router B) routing platform. In this example the address in the virtual-address statement (192.168.1.15) differs from the interface addresses in the address statements, so neither router owns the virtual IP and the master is chosen by priority: 254 on Router A beats 200 on Router B. Note that authentication-type simple carries the key in cleartext in every advertisement, so anyone on the segment can read it; Junos also supports authentication-type md5 for IPv4 VRRP, and VRRP for IPv6 has no authentication at all, so the LAN segment itself has to be trusted.
On Router A
[edit interfaces]
ge-0/0/0 {
    unit 0 {
        family inet {
            address 192.168.1.20/24 {
                vrrp-group 27 {
                    virtual-address 192.168.1.15;
                    priority 254;
                    authentication-type simple;
                    authentication-key booJUM;
                }
            }
        }
    }
}
On Router B
[edit interfaces]
ge-4/2/0 {
    unit 0 {
        family inet {
            address 192.168.1.24/24 {
                vrrp-group 27 {
                    virtual-address 192.168.1.15;
                    priority 200;
                    authentication-type simple;
                    authentication-key booJUM;
                }
            }
        }
    }
}
Configuring One Router to Be the Master Virtual Router for the Group
When you configure several VRRP groups on one interface, you can make the router the owner of one of them by using the interface's own address as that group's virtual address: group 2 below uses 192.168.1.20, the interface address itself. The owner must (and only the owner may) use priority 255. Groups 10 and 1 use separate virtual addresses and ordinary priorities.
[edit interfaces]
ge-0/0/0 {
    unit 0 {
        family inet {
            address 192.168.1.20/24 {
                vrrp-group 2 {
                    virtual-address 192.168.1.20;
                    priority 255;
                    advertise-interval 3;
                    preempt;
                }
                vrrp-group 10 {
                    virtual-address 192.168.1.55;
                    priority 201;
                    advertise-interval 3;
                }
                vrrp-group 1 {
                    virtual-address 192.168.1.54;
                    priority 22;
                    advertise-interval 4;
                }
            }
        }
    }
}
Configuring VRRP and MAC Source Address Filtering
The virtual MAC address of an IPv4 VRRP group is 00:00:5e:00:01:XX, where XX is the group number in hexadecimal; the last byte 0a below is group 10. If MAC source-address filtering is enabled on the interface, that virtual MAC must be in the filter list, otherwise advertisements from the peer router, which are sourced from the virtual MAC, are dropped and the election breaks.
[edit interfaces]
ge-5/2/0 {
    gigether-options {
        source-filtering;
        source-address-filter {
            00:00:5e:00:01:0a;    ## virtual MAC address of group 10
        }
    }
    unit 0 {
        family inet {
            address 192.168.1.10/24 {
                vrrp-group 10 {    ## VRRP group number
                    virtual-address 192.168.1.10;
                    priority 255;
                    preempt;
                }
            }
        }
    }
}
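Router A and Router B from the first example in set form, as an added example that is not part of the original post. It swaps the cleartext simple authentication for md5 and adds the commands to verify the election and to watch the advertisements on the wire. Assumed (not in the post): the key value Sup3rS3cret, which is a placeholder; interfaces, addresses, group number and priorities are the post's.

```junos
## Added example; not from the original post. Assumed: the md5 key "Sup3rS3cret".
## Interfaces, addresses, group number and priorities are the post's.

## Router A: preferred master. 254 is the highest priority a router that does not own
## the virtual address may use (255 is reserved for the owner).
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.20/24 vrrp-group 27 virtual-address 192.168.1.15
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.20/24 vrrp-group 27 priority 254
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.20/24 vrrp-group 27 preempt
## md5 instead of simple: "simple" carries the key in cleartext in every advertisement
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.20/24 vrrp-group 27 authentication-type md5
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.20/24 vrrp-group 27 authentication-key "Sup3rS3cret"
commit

## Router B: backup. Same virtual address, same group, same key, lower priority.
set interfaces ge-4/2/0 unit 0 family inet address 192.168.1.24/24 vrrp-group 27 virtual-address 192.168.1.15
set interfaces ge-4/2/0 unit 0 family inet address 192.168.1.24/24 vrrp-group 27 priority 200
set interfaces ge-4/2/0 unit 0 family inet address 192.168.1.24/24 vrrp-group 27 preempt
set interfaces ge-4/2/0 unit 0 family inet address 192.168.1.24/24 vrrp-group 27 authentication-type md5
set interfaces ge-4/2/0 unit 0 family inet address 192.168.1.24/24 vrrp-group 27 authentication-key "Sup3rS3cret"
commit

## Verify on either router (operational mode): Router A should show "master",
## Router B "backup", both with virtual MAC 00:00:5e:00:01:1b (0x1b = group 27)
show vrrp summary
show vrrp detail

## Watch the advertisements themselves (VRRP is IP protocol 112). With
## authentication-type simple the key would be readable in this capture.
monitor traffic interface ge-0/0/0 matching "ip proto 112" no-resolve size 1500 print-ascii
```

Both routers must agree on the group number, virtual address, authentication type and key, or each will ignore the other's advertisements and both will believe they are master. Junos stores the key hashed ($9$...) in the configuration, so the plaintext is only ever visible on the wire with simple authentication, which is the reason for md5 here.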

Thursday 4 July 2013

Junos : How to configure Integrated Web Filtering

Step-by-Step Procedure

To configure integrated Web filtering:
  1. Create custom objects and create the URL pattern list.
     [edit security utm]
     user@host# set custom-objects url-pattern urllist3 value [http://www.juniper.net 1.2.3.4]
  2. Configure the custom URL category list custom object using the URL pattern list.
     [edit security utm]
     user@host# set custom-objects custom-url-category custurl3 value urllist3
  3. Create a list of untrusted sites.
     [edit security utm]
     user@host# set custom-objects url-pattern urllistblack value [http://www.untrusted.com 13.13.13.13]
  4. Configure the custom URL category list custom object using the URL pattern list of untrusted sites.
     [edit security utm]
     user@host# set custom-objects custom-url-category custblacklist value urllistblack
  5. Create a list of trusted sites.
     [edit security utm]
     user@host# set custom-objects url-pattern urllistwhite value [http://www.trusted.com 7.7.7.7]
  6. Configure the custom URL category list custom object using the URL pattern list of trusted sites.
     [edit security utm]
     user@host# set custom-objects custom-url-category custwhitelist value urllistwhite

Configuring Integrated Web Filtering UTM Policies

CLI Quick Configuration

To quickly configure this section of the example, copy the following command, paste it into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the command into the CLI at the [edit] hierarchy level.
set security utm utm-policy utmp5 web-filtering http-profile surfprofile1

Step-by-Step Procedure

To configure a UTM policy:
  1. Create the UTM policy referencing a profile.
     [edit]
     user@host# set security utm utm-policy utmp5 web-filtering http-profile surfprofile1

Results

From configuration mode, confirm your configuration by entering the show security utm utm-policy command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security utm utm-policy
...
utm-policy utmp5 {
    content-filtering {
        http-profile contentfilter1;
    }
    web-filtering {
        http-profile surfprofile1;
    }
}
The content-filtering line is not produced by the steps above; it only appears if a content-filtering profile has also been configured on utmp5. If you are done configuring the device, enter commit from configuration mode.
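The steps above define the custom URL categories and a UTM policy that points at surfprofile1, but they never define that profile and never attach the UTM policy to a security policy, and no HTTP is inspected until both are done. The following, as an added example that is not part of the original page, fills in those two pieces with a fail-closed profile. Assumed (not in the page): the zone names trust and untrust, the security policy name web-out, and the block message text; category, list and profile names are the page's.

```junos
## Added example; not from the original page. Assumed: zones trust/untrust, security
## policy name web-out, block message text. Category and profile names are the page's.

## 1. Integrated (on-box) web filtering, with the custom lists as global allow/deny lists.
##    The whitelist is consulted first, then the blacklist, then category lookup.
set security utm feature-profile web-filtering type surf-control-integrated
set security utm feature-profile web-filtering url-whitelist custwhitelist
set security utm feature-profile web-filtering url-blacklist custblacklist

## 2. The profile the UTM policy references. Fail closed: anything that is not
##    explicitly permitted, and any lookup failure, is blocked rather than let through.
set security utm feature-profile web-filtering surf-control-integrated profile surfprofile1 category custurl3 action log-and-permit
set security utm feature-profile web-filtering surf-control-integrated profile surfprofile1 default block
set security utm feature-profile web-filtering surf-control-integrated profile surfprofile1 custom-block-message "Blocked by web filtering policy"
set security utm feature-profile web-filtering surf-control-integrated profile surfprofile1 fallback-settings default block
set security utm feature-profile web-filtering surf-control-integrated profile surfprofile1 fallback-settings server-connectivity block
set security utm feature-profile web-filtering surf-control-integrated profile surfprofile1 fallback-settings timeout block
set security utm feature-profile web-filtering surf-control-integrated profile surfprofile1 fallback-settings too-many-requests block

## 3. The UTM policy from the page, and the security policy that actually invokes it
set security utm utm-policy utmp5 web-filtering http-profile surfprofile1
set security policies from-zone trust to-zone untrust policy web-out match source-address any
set security policies from-zone trust to-zone untrust policy web-out match destination-address any
set security policies from-zone trust to-zone untrust policy web-out match application junos-http
set security policies from-zone trust to-zone untrust policy web-out then permit application-services utm-policy utmp5
commit

## 4. Verify (operational mode)
show security utm web-filtering status
show security utm web-filtering statistics
```

The fallback-settings are the security decision in this profile: with every fallback set to block, losing the category server means users lose web access until it is back, whereas log-and-permit as the fallback keeps the web working but lets unrated traffic through while the lookup is failing. Pick one deliberately; the default of permitting on failure is fail-open.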
