Maxim, 2016-07-13 10:17:32

Where is the error in this Juniper SRX PPPoE config?

It is not possible to set up a PPPoE connection on the Juniper SRX100: only the provider's gateway can be pinged, while others like 8.8.8.8 can't.
I don't understand what's wrong.
Config:

interfaces {
    fe-0/0/0 {                          
        description "To RosTelecom MPLS net (zone mpls)";
        unit 0 {
            family inet {
                address 172.16.2.188/29;
                address 172.16.2.185/29;
                address 172.16.2.187/29;
            }
        }
    }
    fe-0/0/1 {
        description "To LAN with internet access (zone inet)";
        unit 0 {
            family inet {
                address 192.168.1.252/24;
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family inet {
                address 10.14.2.2/24;
            }
        }                               
    }
    fe-0/0/3 {
        unit 0 {
            family inet {
                address 10.214.2.1/28;
                address 10.214.2.3/28;
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family inet {
                address 10.214.2.136/25;
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            encapsulation ppp-over-ether;
        }
    }
    pp0 {
        unit 0 {                        
            ppp-options {
                chap {
                    default-chap-secret "#######"; ## SECRET-DATA
                    local-name *******;
                    passive;
                }
            }
            pppoe-options {
                underlying-interface fe-0/0/7.0;
                idle-timeout 0;
                auto-reconnect 5;
                client;
            }
            family inet {
                mtu 1492;
                negotiate-address;
            }
        }
    }
}
routing-options {
    static {
        route 172.16.0.0/16 next-hop 172.16.2.190;
        route 10.0.0.0/8 next-hop 172.16.2.190;
        route 0.0.0.0/0 next-hop pp0.0;
    }
}
security {
    nat {
        source {
            rule-set NAT-INET-TO-UNTRUST {
                from zone inet;
                to zone untrust;
                rule PAT-INTERFACE {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }                       
            }
        }
        static {
            rule-set mpls-out {
                from zone mpls;
                rule mpls-out-rule {
                    match {
                        destination-address 172.16.2.187/32;
                    }
                    then {
                        static-nat prefix 10.214.2.4/32;
                    }
                }
            }
        }
    }
    policies {
        from-zone inet to-zone untrust {
            policy inet-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;    
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone mpls {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/0.0;
            }                           
        }
        security-zone inet {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/1.0;
            }
        }
        security-zone terminals {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }                           
            interfaces {
                fe-0/0/3.0;
                fe-0/0/2.0;
                fe-0/0/4.0;
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/7.0;
                pp0.0;
            }
        }
    }
}

I don't see anything wrong at first glance.
The difficulty is that MPLS is configured on it.
I will be very grateful for your help.

2 answer(s)
Maxim, 2016-08-12
@maxpointn2point

The problem was solved. The problem was on the provider's side.

Yaroslav, 2016-08-04
@yaror

The config seems to be incomplete: there is neither BGP nor VRF.
It would also be interesting to see how you got security policy and MPLS to work together: on SRX, security policy works only in flow mode, and MPLS works in packet mode.
You can switch the SRX to packet mode entirely, and then it will turn into a shrunken M-series box, and the security branch will not even commit.
Or you can enable packet mode selectively in a packet filter on an interface or in a routing instance.
How are you doing?
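
The two options described in the answer above, written out as Junos configuration. This is an added example, not part of the original thread or the poster's config; the filter and term names are hypothetical, and fe-0/0/0 is the MPLS-facing interface from the question.

```junos
/* Option 1: whole device in packet mode. Flow services stop, so the
   zones, policies and NAT under security { } have to be removed first
   (the answer notes the commit fails otherwise). */
security {
    forwarding-options {
        family {
            mpls {
                mode packet-based;
            }
        }
    }
}

/* Option 2: selective packet mode. Only traffic matched by the filter
   skips the flow module; all other interfaces keep zones, policies
   and NAT. */
firewall {
    family inet {
        filter PACKET-MODE-MPLS {        /* hypothetical filter name */
            term bypass-flow {           /* hypothetical term name */
                then {
                    packet-mode;
                    accept;
                }
            }
        }
    }
}
interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input PACKET-MODE-MPLS;
                }
            }
        }
    }
}
```

Traffic handled in packet mode is not seen by flow-based services, so with Option 2 the zone policy and the static NAT rule-set mpls-out from the question would no longer apply to packets arriving on fe-0/0/0. Any access control for that interface then has to be expressed as stateless filter terms.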
