Hi All
First time setting up any Juniper devices so any glaringly obvious mistakes, please point them out!
The topology we are trying to set up is as follows:
A ------------B
\ /
\ /
\ /
C
In between all 3 sites is an externally managed MPLS - we just plug into a port on their Cisco router and point our traffic to their gateway (A=x.x.30.254, B=x.x.39.254, C=x.x.90.254)
Site A and B are configured by myself, site C by our Beijing counterparts.
The issues we are having:
If I have the servers at each site set to use the Juniper as their gateway (x.x.30.1, x.x.39.1), connectivity is lost - pings and traceroutes are perfect the whole time, but DFS replication fails at times, RDP sessions drop, and RDP connections sometimes even tell us the server at the other end isn't there.
If I change the servers to use the MPLS router as the gateway (.254), they all work seamlessly.
Site C does not have this issue. Their gateways are set to their Juniper and we never have issues connecting to them, so it's just my configuration.
I am at a loss as to what to try - we can't leave it as it is, as Destination NATing doesn't work if the gateway of the servers are set to something other than the juniper - and if the MPLS ever goes down we might be in for a world of pain.
Site B configuration below - any help would be appreciated as we are steaming towards go-live date and I am lost...
## Last changed: 2014-09-30 06:48:43 GMT+10
/* NOTE(review): 12.1X44 is an old release train; confirm it is still supported and carries current security fixes before go-live. */
version 12.1X44.3;
/* Management plane: local and RADIUS authentication, management services, logging, licensing and NTP. */
system {
    host-name CAB-F-01;
    time-zone GMT+10;
    /* The local password database is tried before RADIUS, so a local account with a known password is never checked against RADIUS. Reverse the order if RADIUS is meant to be authoritative. */
    authentication-order [ password radius ];
    root-authentication {
        /* $1$ is MD5-crypt, and this hash is now public through this post: rotate the root password. */
        encrypted-password "$1$KT7IAZ2z$YFB.3OgYtl71L7bfO3egF.";
    }
    name-server {
        /* The double dot looks like a paste artifact; confirm the real address (same form appears on the DHCP helper below). */
        X.X..39.5;
    }
    radius-server {
        X.X..30.5 {
            port 1812;
            /* $9$ strings are reversibly obfuscated, not hashed, so anyone holding this config text can recover the shared secret. Rotate it on the RADIUS server and here, and scrub it from future pastes. */
            secret "$9$Glj.f36CO1EP5n9A0hcYgoJHmQz69AuhSxdVYaJp0BErKbwgaZD69A01EeKVwY2GDQz6puO36Ih";
        }
    }
    radius-options {
        password-protocol mschap-v2;
    }
    login {
        user abadmin {
            uid 2000;
            class super-user;
            authentication {
                /* Same as root: MD5-crypt hash published with this post, rotate it. */
                encrypted-password "$1$wxvvjFWh$xsvW4yjj6d1uUTpT3z/oa/";
            }
        }
    }
    services {
        /* telnet, xnm-clear-text and http carry credentials in cleartext, and every LAN zone below admits system-services all, so they are reachable from any LAN host. Prefer ssh and https only. */
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            /* No interface restriction is given for http here, unlike https below. */
            http;
            https {
                system-generated-certificate;
                /* HTTPS management is bound to the vlan.39 routed interface only. */
                interface vlan.39;
            }
        }
    }
    syslog {
        /* Roughly 100 KB x 3 files of local retention; forward to a remote syslog host if logs need to survive. */
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            /* At error severity only failed commands are recorded; info (or any) keeps an audit trail of what operators actually ran. */
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        /* Single unauthenticated upstream; a second server gives resilience, and accurate time matters for the syslog and RADIUS records above. */
        server 129.250.35.250;
    }
}
/* Physical ports. Every LAN port, the "management" port (fe-0/0/7) and the MPLS uplink (ge-0/0/1) are L2 access ports in the single VLAN vlan39; vlan.39 is the only routed interface. */
interfaces {
    ge-0/0/0 {
        unit 0 {
            description "External Internet";
            family inet {
                /* DHCP client toward the ISP. NOTE(review): a DHCP-learned default route may coexist with the static 0.0.0.0/0 under routing-options -- confirm which one is active. */
                dhcp {
                    update-server;
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            description "MPLS connection to NDC and Beijing";
            /* The provider's MPLS router (x.x.39.254 per the post) is switched into the same VLAN and /24 as the servers instead of being routed through the SRX. Server -> SRX -> .254 traffic hairpins on vlan.39, while .254 -> server replies go straight to the server at L2, so the SRX most likely sees only one direction of each flow -- consistent with ping working but TCP sessions (RDP, DFS) failing. A routed uplink (family inet on this port in its own subnet, placed in the mpls zone) keeps the SRX in-line both ways. */
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan39;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            /* Trunk carrying every configured VLAN (currently only vlan39); also listed in zone cabtrust with dhcp host-inbound. */
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan39;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan39;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan39;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan39;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            /* Listed under zone mgmt, yet an L2 member of vlan39 like the other ports. NOTE(review): it shares vlan.39's subnet and routing, so it is not a separately routed management segment -- confirm the isolation that the mgmt zone is meant to provide. */
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan39;
                }
            }
        }
    }
    vlan {
        unit 39 {
            family inet {
                /* The only routed interface and the servers' default gateway (x.x.39.1 per the post). The double dot looks like a paste artifact. */
                address X.X..39.1/24;
            }
        }
    }
}
/* DHCP relay toward a server that sits in the same /24 as vlan.39. */
forwarding-options {
    helpers {
        bootp {
            relay-agent-option;
            description Caboolture;
            /* The double dot looks like a paste artifact -- confirm the address. */
            server X.X..39.5;
            maximum-hop-count 10;
            minimum-wait-time 300;
            client-response-ttl 20;
            interface {
                vlan.39 {
                    /* NOTE(review): no-listen on the only interface listed means the relay does not pick up requests here; clients in vlan39 reach the server by broadcast anyway, so confirm this stanza still does anything. */
                    no-listen;
                    broadcast;
                    description CAB1-DC-V01;
                    minimum-wait-time 400;
                    client-response-ttl 30;
                    dhcp-option82;
                }
            }
        }
    }
}
/* Static routing only. Every remote prefix is reached through the MPLS router at X.X.39.254, which lives on vlan.39 itself (see interfaces), so traffic from a vlan39 server to a remote site enters and leaves the SRX on the same interface and the reply never passes the SRX. The SRX may also emit ICMP redirects toward .254 in this situation, which would explain intermittent rather than total failure -- confirm with a packet capture. */
routing-options {
    static {
        /* Site A, per the post. */
        route X.X.30.0/24 next-hop X.X.39.254;
        route X.X.31.0/24 next-hop X.X.39.254;
        route X.X.109.0/24 next-hop X.X.39.254;
        route X.X.16.0/24 next-hop X.X.39.254;
        route X.X.12.0/24 next-hop X.X.39.254;
        /* Default toward the internet (next hop redacted). NOTE(review): ge-0/0/0 is a DHCP client, which may also learn a default route -- confirm the two do not conflict. */
        route 0.0.0.0/0 next-hop X.X.X.X;
        route X.X.1.0/24 next-hop X.X.39.254;
        /* Site C (Beijing), per the post. */
        route X.X.90.0/24 next-hop X.X.39.254;
        route X.X.32.0/24 next-hop X.X.39.254;
        route X.X.33.0/24 next-hop X.X.39.254;
        route X.X.34.0/24 next-hop X.X.39.254;
        route X.X.35.0/24 next-hop X.X.39.254;
        route X.X.36.0/24 next-hop X.X.39.254;
        route X.X.37.0/24 next-hop X.X.39.254;
        route X.X.38.0/24 next-hop X.X.39.254;
    }
}
/* Spanning tree is off on every switching port, including the members-all trunk on fe-0/0/2, so an accidental loop in vlan39 has no protection. */
protocols {
    stp {
        disable;
    }
}
/* Screens, source NAT, zone policies and zone membership. */
security {
    screen {
        /* Defined but not applied: no security-zone below carries a screen statement. Attach it with "screen untrust-screen;" under security-zone internet (and consider the same for the LAN-facing zones). */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set internal-to-internet {
                description "NAT anything from cabtrust zone to internet zone (LAN to Internet)";
                from zone cabtrust;
                to zone internet;
                rule internet-access {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            /* There is no from-zone mgmt to-zone internet policy below, so mgmt traffic is dropped by the global deny-all and this rule-set never sees a packet. Add the policy or remove the rule-set. */
            rule-set mgmt-to-internet {
                description "Allowing internet access from mgmt network to internet";
                from zone mgmt;
                to zone internet;
                rule mgmt-internet-access {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        /* All inter-site and internet traffic is permitted any/any with no logging; "then { permit; log { session-close; } }" would give session records for incident work. */
        from-zone cabtrust to-zone cabtrust {
            /* Because ge-0/0/1.0 is in zone cabtrust (see zones), this intra-zone policy is what actually carries server <-> MPLS traffic today. */
            policy cabtrust-to-cabtrust {
                description "inter-vlan trust";
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* The mpls zone has no interfaces, so this pair and mpls-to-mpls never match anything until the MPLS uplink is moved into that zone. */
        from-zone cabtrust to-zone mpls {
            policy cabtrust-to-mpls {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone mpls to-zone cabtrust {
            policy mpls-to-cabtrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone cabtrust to-zone internet {
            policy All_trust_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone mgmt to-zone cabtrust {
            policy mgmt-to-cabtrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone mpls to-zone mpls {
            policy mpls-to-mpls {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        global {
            /* Catch-all; anything not matched above (including the missing mgmt -> internet and internet -> cabtrust cases) ends here. */
            policy deny-all {
                description "Deny all requests that do not match a prior security zone rule";
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
    }
    zones {
        /* cabtrust, mpls and mgmt all admit system-services all / protocols all, which exposes every management service enabled under system services (telnet, http, xnm-clear-text included) to any host in those zones. Narrow to what is used, e.g. "system-services { ssh; https; dhcp; ping; }". */
        security-zone cabtrust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.39 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                fe-0/0/4.0;
                fe-0/0/5.0;
                fe-0/0/6.0;
                fe-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                        }
                    }
                }
                fe-0/0/3.0;
                /* The MPLS uplink sits in the server zone rather than in mpls; together with ge-0/0/1 being an L2 member of vlan39 this is the likely root of the one-directional flows described in the post. */
                ge-0/0/1.0;
            }
        }
        /* No interfaces are assigned here, so the mpls policies above are inert. */
        security-zone mpls {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
        /* No host-inbound-traffic (good) but also no screen applied -- see the screen stanza above. */
        security-zone internet {
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone mgmt {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                /* fe-0/0/7 is an L2 access port in vlan39 (see interfaces), so this zone has no subnet of its own. */
                fe-0/0/7.0;
            }
        }
    }
}
/* The single VLAN on the box; it carries the servers, the management port and the MPLS uplink, and is routed by vlan.39. */
vlans {
    vlan39 {
        vlan-id 39;
        l3-interface vlan.39;
    }
}