Internet routing table and damping on JunOS

To get an idea about the current number of Internet routes, for both IPv4 and IPv6:

moghaddas@USA> show route summary | match "inet|bgp"  
 
inet.0: 560133 destinations, 1663174 routes (558798 active, 0 holddown, 1525 hidden)
                 BGP: 1663124 routes, 558752 active
 
inet6.0: 24047 destinations, 47458 routes (23459 active, 0 holddown, 851 hidden)
                 BGP:  47444 routes,  23447 active

Now imagine the effect of route flaps in a Service Provider environment with many eBGP neighbours: every flap is re-advertised to every peer and recomputed in every routing table that hears it, and the outcome is instability and customer dissatisfaction.

The first solution to avoid such situations is BGP Route Flap Damping (RFC 2439): a prefix that keeps flapping accumulates a penalty and is suppressed until that penalty has decayed below a reuse threshold.
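As an added example (not the post's own configuration), the following enables damping on a JunOS router only for the external peer group, with an import policy that damps more-specific prefixes harder and exempts the operator's own prefixes. The group, policy and profile names, the neighbor, the peer AS and the prefix list are placeholders.

```junos
/* Added example, not from the post. Group, policy and profile names, the
   neighbor, the peer AS and the prefix list are placeholders. */
policy-options {
    /* JunOS defaults: half-life 15, reuse 750, suppress 3000, max-suppress 60.
       Suppress is raised to 6000 here, the conservative direction RIPE-580
       recommends; the more specific the prefix, the harsher the profile. */
    damping DAMP-LONG {
        half-life 30;
        reuse 1000;
        suppress 6000;
        max-suppress 60;
    }
    damping DAMP-MEDIUM {
        half-life 15;
        reuse 1500;
        suppress 6000;
        max-suppress 45;
    }
    damping DAMP-SHORT {
        half-life 10;
        reuse 2000;
        suppress 6000;
        max-suppress 30;
    }
    damping DAMP-NONE {
        disable;
    }
    prefix-list OUR-PREFIXES {
        192.0.2.0/24;
        198.51.100.0/24;
    }
    policy-statement BGP-DAMPING {
        /* Never damp your own or your customers' prefixes. "next policy"
           stops evaluation here so a later term cannot override the profile. */
        term OURS {
            from {
                prefix-list-filter OUR-PREFIXES orlonger;
            }
            then {
                damping DAMP-NONE;
                next policy;
            }
        }
        /* A damping action is not a flow-control action, so these terms only
           tag the route with a profile; the default BGP import action (accept)
           still applies. For inet6 add the same terms with ::/0 route-filters. */
        term LONG {
            from {
                route-filter 0.0.0.0/0 prefix-length-range /0-/21;
            }
            then damping DAMP-LONG;
        }
        term MEDIUM {
            from {
                route-filter 0.0.0.0/0 prefix-length-range /22-/23;
            }
            then damping DAMP-MEDIUM;
        }
        term SHORT {
            from {
                route-filter 0.0.0.0/0 prefix-length-range /24-/32;
            }
            then damping DAMP-SHORT;
        }
    }
}
protocols {
    bgp {
        group EBGP-TRANSIT {
            type external;
            /* Damping only on external peers; iBGP routes are left alone.
               Without the import policy every route in the group would be
               damped with the default profile. */
            damping;
            import BGP-DAMPING;
            neighbor 203.0.113.1 {
                peer-as 64496;
            }
        }
    }
}
/* Verify after commit (operational mode):
   show policy damping             - parameters of each profile
   show route damping suppressed   - prefixes currently withheld from the RIB
   show route damping history      - prefixes carrying a penalty but still in use
   clear bgp damping               - reset penalties, all or per prefix */
```

Suppressed prefixes show up as hidden routes, so a jump in the "hidden" column of show route summary after enabling damping is expected; check show route damping suppressed before assuming a policy or next-hop problem.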


Aggregated Ethernet not showing up in JunOS!

If you have configured an aggregated Ethernet (ae) interface on your Juniper device and it does not show up in show interfaces or show lacp interfaces, check the chassis aggregated-devices configuration first:

moghaddas@ex4500> show configuration chassis aggregated-devices ethernet
device-count 9;

The device-count statement tells the chassis how many aeN interfaces to create (here ae0 through ae8). If it is missing, or lower than the index of the ae interface you configured, the bundle is never instantiated and does not appear, even though its configuration commits without error.
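As an added example (not the post's configuration), here is the full picture for one LACP bundle on a non-ELS EX such as the EX4500, with the device-count that makes ae0 exist. Interface names, the VLAN and the description are placeholders.

```junos
/* Added example, not the post's config. Interface names, the VLAN and the
   description are placeholders; syntax is for a non-ELS EX such as the EX4500. */
chassis {
    aggregated-devices {
        ethernet {
            /* Creates ae0 through ae8. An ae9 would never be instantiated,
               even though its configuration commits without error. */
            device-count 9;
        }
    }
}
interfaces {
    /* Member links carry only the 802.3ad statement, no unit or family
       of their own; speed and duplex of all members must match. */
    xe-0/0/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    xe-0/0/1 {
        ether-options {
            802.3ad ae0;
        }
    }
    ae0 {
        description "uplink to core";
        aggregated-ether-options {
            /* At least one side must be active for LACP to negotiate. */
            lacp {
                active;
                periodic fast;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members SERVERS;
                }
            }
        }
    }
}
/* Verify after commit (operational mode):
   show interfaces ae0 terse
   show lacp interfaces ae0
   show configuration chassis aggregated-devices */
```

If show lacp interfaces ae0 lists the members but the bundle stays down, the usual cause is the far end not speaking LACP at all; the device-count problem is different in that the ae interface is absent from every show command.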

Renaming security policies on JunOS

Be careful when renaming a security policy on JunOS: the commit tears down the sessions currently matched by that policy.

What JunOS does behind the scenes is to remove the policy under its old name and add one under the new name, so the existing sessions lose the policy they were installed against and are closed.

I also tried adding a new policy, inserting it before the old one, committing, then removing the old one and committing again. But again there was an interruption, which logically makes sense.

Test environment: JunOS 12.1X44-D35.5 on an SRX240H

UPDATE:
I tried on a vSRX (Firefly Perimeter) with JunOS 12.1X47-D20.7 and faced no drop!


HowTo : Logging to terminal on JunOS

In Cisco IOS, with logging configured, log messages are shown on the console by default, and on a vty session after terminal monitor.

It is almost the same with JunOS. Configure your syslog parameters so that messages are written to a file, then enter monitor start LOG_FILENAME in operational mode; new lines of that file are echoed to your terminal until you enter monitor stop.
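As an added example (not the post's configuration), the following syslog setup writes the usual messages file, a command audit trail and the security facility to separate files, and the comment at the end shows the monitor commands used to follow them live. File names and archive sizes are placeholders.

```junos
/* Added example, not the post's config. File names and sizes are placeholders. */
system {
    syslog {
        /* Default file: everything at notice and above, plus all
           authorization (login, sudo-style) events at info. */
        file messages {
            any notice;
            authorization info;
        }
        /* Audit trail of every command typed in the CLI. */
        file interactive-commands {
            interactive-commands any;
        }
        /* Security facility in its own, rotated file. */
        file security-events {
            security any;
            archive size 1m files 10;
        }
        /* Emergencies still reach every logged-in user's terminal. */
        user * {
            any emergency;
        }
    }
}
/* Operational mode, per terminal session:
   monitor start messages                             - echo new lines to this terminal
   monitor start messages | match "LOGIN_FAILED|UI_COMMIT"
                                                      - only lines matching a pattern
   monitor list                                       - files this session is following
   monitor stop                                       - stop all monitors
   Press Esc-q to pause and resume the output while the monitor keeps running. */
```

Unlike terminal monitor on IOS, monitor start is tied to one file and one session, so a second administrator logged in at the same time sees nothing unless they start their own monitor.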


How-To: Destination NAT in JunOS

You are asked to publish a local web site on an external network such as the Internet, and you have to do it securely using the SRX firewall at your office.

The procedure is pretty straightforward.

  1. Local host's zone (local IP): show route and show interfaces
  2. Find out which external (global) IP address the destination NAT should apply to
  3. External access zone (global IP): show route and show interfaces
  4. OPTIONAL: Create "security address-book global" entries for the source and destination addresses
  5. If you are port-forwarding: create an "application" for the local host's real protocol and port
  6. Define a "security policy" from the EXTERNAL zone to the LOCAL zone, matching the source (external hosts), destination (the local host, i.e. the address after translation, because the SRX applies destination NAT before the policy lookup) and application (the local host's protocol/port), and set the action to permit
  7. Create a "NAT destination pool" for the local IP and, if port-forwarding, add the service's real port
  8. Define a "security nat destination rule-set" with from zone EXTERNAL and a rule matching the source (external hosts), the destination address (the global IP, as the packet arrives) and destination-port (the published port), and set "destination-nat pool" to the pool created in the previous step

Below you will find a sample snippet of the configuration:
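As an added example, not the post's own snippet, the following configuration walks through all eight steps for an internal web server listening on tcp/8080 that is published as port 443 on a public address. All addresses, zone and interface names and object names are placeholders. The two points the list above turns on are visible in it: the NAT rule matches the public address and port as the packet arrives, while the security policy matches the translated local address and real port.

```junos
/* Added example, not the post's snippet. Publishes an internal web server
   (10.10.10.80, zone LOCAL, listening on tcp/8080) as 203.0.113.80:443 in
   zone EXTERNAL. All addresses, zones, interfaces and object names are
   placeholders. */
security {
    address-book {
        global {
            address WEB-LOCAL 10.10.10.80/32;
            /* Only known client networks; widen deliberately, not with "any". */
            address PARTNER-NET 198.51.100.0/24;
        }
    }
    nat {
        destination {
            /* Pool: the real host and its real port. */
            pool WEB-POOL {
                address 10.10.10.80/32 port 8080;
            }
            /* The rule matches the packet as it ARRIVES: public IP and port. */
            rule-set DNAT-FROM-EXTERNAL {
                from zone EXTERNAL;
                rule WEB {
                    match {
                        source-address 198.51.100.0/24;
                        destination-address 203.0.113.80/32;
                        destination-port 443;
                    }
                    then {
                        destination-nat pool WEB-POOL;
                    }
                }
            }
        }
        /* Required when the public address is not the interface's own address,
           otherwise nothing answers ARP for it on the external segment. */
        proxy-arp {
            interface ge-0/0/0.0 {
                address 203.0.113.80/32;
            }
        }
    }
    policies {
        /* Destination NAT runs before the policy lookup, so the policy sees
           the translated destination (10.10.10.80) and the real port (8080). */
        from-zone EXTERNAL to-zone LOCAL {
            policy ALLOW-WEB {
                match {
                    source-address PARTNER-NET;
                    destination-address WEB-LOCAL;
                    application WEB-8080;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
}
applications {
    /* Custom application because the real port is not a predefined one. */
    application WEB-8080 {
        protocol tcp;
        destination-port 8080;
    }
}
/* Verify after commit (operational mode):
   show security nat destination rule all
   show security nat destination pool all
   show security flow session destination-prefix 10.10.10.80
   show security policies hit-count */
```

Destination NAT leaves the source address untouched, so the web server sees the real client addresses and its replies must route back through the SRX for the session to be untranslated. If the server's default gateway is not the SRX, the flow session is created but the client never gets an answer.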
