I have just learned that routing instances are now supported on Juniper EX2200 series switches from Junos 12.3R1 onwards. It is a very handy feature and is analogous to Cisco's VRF-Lite.
Wednesday, September 4, 2013
Tuesday, September 3, 2013
VPN between Fortigate and VMware vShield Edge
Here is the step-by-step configuration of a VPN between a Fortigate and vShield Edge.
Fortigate configuration
Create addresses on the Fortigate
Juniper EX Series Switches - Policing / Ratelimiting traffic
If you come from the Cisco world and have just been asked to rate-limit traffic on Juniper EX series switches, this is how you do it.
First configure a policer under the [edit firewall] hierarchy. bandwidth-limit is in bits per second (10485760 is 10 Mbit/s) and burst-size-limit is in bytes; traffic that exceeds the bucket is discarded:
    policer TEST-POLICER {
        if-exceeding {
            bandwidth-limit 10485760;
            burst-size-limit 1966080;
        }
        then discard;
    }
Then configure a firewall filter, the EX equivalent of a Cisco ACL, and reference the policer from a term. The filter lives under [edit firewall family ethernet-switching] because it is going to be applied to a Layer 2 port:
    family ethernet-switching {
        filter TEST-POLICE {
            term 1 {
                from {
                    source-address {
                        0.0.0.0/0;
                    }
                    destination-address {
                        0.0.0.0/0;
                    }
                }
                then policer TEST-POLICER;
            }
        }
    }
A filter can have multiple terms and each term can reference a different policer; a term whose only action is a policer still accepts the traffic that conforms. The filter above matches everything, so it polices all traffic on the port. If your terms are specific and you only want to restrict a few hosts or networks, remember that a Junos filter ends with an implicit discard: anything no term matches is dropped. To avoid that, add a final term "default" with no from clause, which matches everything else, and let it accept (a term with no then clause at all also accepts), so the rest of the traffic passes unpoliced:
    term default {
        then accept;
    }
Now apply the filter as an input filter on the interface. (To police on an RVI instead, define the filter under family inet and apply it under the vlan unit's family inet, since the RVI is a routed interface.)
    show interfaces ge-0/0/42
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members 422;
            }
            filter {
                input TEST-POLICE;
            }
        }
    }
Please note that you cannot apply a filter with a policer in the output direction on these EX switches; the commit will fail with an error. To limit traffic leaving a port, create a shaper under class-of-service and apply it to the interface (shaping-rate is in bits per second):
    show class-of-service
    interfaces {
        ge-0/0/42 {
            shaping-rate 10485760;
        }
    }
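As an added example (not part of the original post), here is the whole procedure in set-command form, extended to police only one subnet while counting what it matched and accepting everything else. The subnet 10.20.30.0/24, the names LIMIT-10M, POLICE-GUESTS and guest-matched, and the port ge-0/0/10 are assumed for illustration.

```junos
# Policer: bandwidth-limit in bits per second (10 Mbit/s), burst-size-limit in bytes
set firewall policer LIMIT-10M if-exceeding bandwidth-limit 10485760
set firewall policer LIMIT-10M if-exceeding burst-size-limit 1966080
set firewall policer LIMIT-10M then discard

# Filter: only the assumed guest subnet is policed; the term also counts what it matched
set firewall family ethernet-switching filter POLICE-GUESTS term guest-subnet from source-address 10.20.30.0/24
set firewall family ethernet-switching filter POLICE-GUESTS term guest-subnet then policer LIMIT-10M
set firewall family ethernet-switching filter POLICE-GUESTS term guest-subnet then count guest-matched

# Final term: explicit accept, otherwise the filter's implicit discard drops all other traffic
set firewall family ethernet-switching filter POLICE-GUESTS term everything-else then accept

# Apply in the input direction on the access port (assumed ge-0/0/10), then commit
set interfaces ge-0/0/10 unit 0 family ethernet-switching filter input POLICE-GUESTS
commit

# Verify from configuration mode: counter and policer packet/byte counts for the filter
run show firewall filter POLICE-GUESTS
```

After some traffic has passed, the counter line shows how much of the subnet's traffic hit the term and the policer line shows how much of it was discarded for exceeding the rate; if the second number is zero the rate was never reached, and if the counter itself stays at zero the match conditions or the port are wrong.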
Have Fun..!!
Fortigate VPN Debug log filter for IKE
While debugging a VPN on a Fortigate you also see IKE logs from every other active VPN. If the firewall runs in an MSP environment with multiple hosted customers, each with their own VPNs, the output quickly becomes unreadable.
Use the filters below to narrow the IKE debug on Fortigates to the tunnel you care about:
    diag vpn ike log-filter ?
    clear        erase the current filter
    dst-addr4    the IPv4 destination address range to filter by
    dst-addr6    the IPv6 destination address range to filter by
    dst-port     the destination port range to filter by
    interface    interface that IKE connection is negotiated over
    list         display the current filter
    name         the phase1 name to filter by
    negate       negate the specified filter parameter
    src-addr4    the IPv4 source address range to filter by
    src-addr6    the IPv6 source address range to filter by
    src-port     the source port range to filter by
    vd           index of virtual domain. -1 matches all
Once the filter is in place, run the IKE debug with the command below. Nothing is printed until debug output is switched on with diagnose debug enable, and it should be switched off again with diagnose debug disable when you are done, otherwise the debug keeps running on the firewall.
    diag debug application ike -3
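A complete debugging session, as an added example that is not part of the original post: the phase1 name CUST-A-HQ and the peer address 203.0.113.10 are assumed for illustration.

```fortios
# Scope the IKE debug to one tunnel: the assumed phase1 CUST-A-HQ and peer 203.0.113.10
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter name CUST-A-HQ
diagnose vpn ike log-filter dst-addr4 203.0.113.10
diagnose vpn ike log-filter list

# Timestamp each line, select the IKE debug (all levels), then switch output on
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable

# Tear down the existing phase1 so the negotiation appears in the output
diagnose vpn ike gateway clear name CUST-A-HQ

# When finished: stop the debug, reset all debug settings and drop the filter
diagnose debug disable
diagnose debug reset
diagnose vpn ike log-filter clear
```

On a firewall with multiple VDOMs, add the vd filter with the index of the customer's VDOM so that a phase1 with the same name in another VDOM is not matched. Recent FortiOS releases spell the filter command diagnose vpn ike log filter (with a space instead of the hyphen); the options are the same.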