[AusNOG] AWS Direct Connect & Juniper

Geordie Guy elomis at gmail.com
Fri Jan 23 16:26:22 EST 2015


Just to confirm, you can see traffic coming from AWS but not going back? Or
is it the other way around?  Are you connecting to a VPC or using public
IPs for Internet facing resources like S3?  Also, if you're using it for
public accessibility over the DxC, are you using your own assigned IPs or
are you part of the beta program where AWS assign you a /31 in 54.239.0.0?

On Fri, Jan 23, 2015 at 3:49 PM, Andrew Cowan <andycowan at gmail.com> wrote:

> Hi Chris,
>
> Thanks for your suggestion.  I checked the firewall and got the output
> below, I think this just means the firewall is disabled, so no problem
> there.
>
> > show configuration firewall
> filter filter-jflow {
>     term 1 {
>         then {
>             sample;
>             accept;
>         }
>     }
> }
>
> > show configuration firewall family inet
>
> {primary:node0}
>
> I did find a problem with the VLANing, the router was sending tagged
> traffic to a switch with the VLAN on the default.  I can now ping the
> remote router (your suggestion for the routing instance was useful), last
> thing I’m looking at now is BGP.
>
> Cheers,
>
> ANDY COWAN
>
> +61 430 034 642
>
> From: Chris Kawchuk <juniperdude at gmail.com>
> Date: Friday, 23 January 2015 9:58 am
> To: Andrew Cowan <andycowan at gmail.com>
> Cc: Skeeve Stevens <skeeve+ausnog at theispguy.com>, "ausnog at lists.ausnog.net"
> <ausnog at lists.ausnog.net>
> Subject: Re: [AusNOG] AWS Direct Connect & Juniper
>
> Check for a firewall filter on the egress of the interface, or a firewall
> filter applied to lo0.0 that's denying it/dropping it. (firewall family
> inet, interface unit x family inet filter input/output <x>, etc.)
>
> If the interface is in a VR, you'll need to ping <1.1.1.1>
> routing-instance <your-VR>; likewise if in a VR, your BGP configuration
> needs to be in the [routing-instance <vrf> protocols bgp ] stanza.
>
> JunOS "show arp" is always your friend, to see if you can at least L2-ARP
> for an address on that network. Posting relevant configlets/stanzas may
> also help.
>
> - Ck.
>
> On 23/01/2015, at 9:24 AM, Andrew Cowan <andycowan at gmail.com> wrote:
>
>
> Layer 2 is up, we have done some port mirroring and can see the TCP SYN
> packets coming in on port 179, but the router isn’t sending anything back.
> It may be routing rather than BGP because we can’t ping either.
>
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
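Chris's suggestion to look for a firewall filter on the interface or on lo0.0 can be turned into a mechanical check. The script below is an added example written for this thread, not code from the list, from Juniper or from AWS. It parses curly-brace `show configuration` output into a tree, finds every filter applied as `family inet filter input|output` on an interface unit, and lists the terms whose action is `discard` or `reject` together with their `from` match conditions. The sample configuration is constructed: it contains the `filter-jflow` stanza as pasted in the thread (its only actions are `sample` and `accept`, so it is never reported) and a hypothetical `protect-re` filter on lo0.0 whose term discards tcp/179, which is what a BGP SYN arriving with no reply looks like when a filter, rather than routing, is the cause. The interface names and filter names other than `filter-jflow` are assumptions.

```python
"""List Junos firewall filter terms that can drop packets on each interface unit.
Added example for this thread; not code from the list, Juniper or AWS."""

BLOCKING = {"discard", "reject"}  # term actions that drop; accept/sample do not

# Constructed sample: filter-jflow from the thread + hypothetical protect-re on lo0.0
SAMPLE_CONFIG = """
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                    output filter-jflow;
                }
            }
        }
    }
}
firewall {
    filter filter-jflow {
        term 1 {
            then {
                sample;
                accept;
            }
        }
    }
    family inet {
        filter protect-re {
            term deny-bgp {
                from {
                    protocol tcp;
                    destination-port 179;
                }
                then discard;
            }
        }
    }
}
"""

def parse_junos(text):
    """Curly-brace config -> tree of (statement, children); leaves carry []."""
    root = ("root", [])
    stack = [root]
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.endswith("{"):                         # open a stanza
            stack[-1][1].append((line[:-1].strip(), []))
            stack.append(stack[-1][1][-1])
        elif line == "}" and len(stack) > 1:           # close it
            stack.pop()
        elif line == "}":
            raise ValueError("unbalanced '}'")
        else:                                          # leaf statement
            stack[-1][1].append((line.rstrip(";"), []))
    if len(stack) != 1:
        raise ValueError("unclosed '{'")
    return root

def child(node, name):
    """Direct child whose statement text is exactly `name`; empty node if absent."""
    return next((n for n in node[1] if n[0] == name), (name, []))

def collect_filters(root):
    """Filters sit under 'firewall' (legacy) or under 'firewall family inet'."""
    fw = child(root, "firewall")
    return {n[0].split(None, 1)[1]: n for scope in (fw, child(fw, "family inet"))
            for n in scope[1] if n[0].startswith("filter ")}

def term_summary(term):
    """(term name, 'from' conditions, 'then' actions); handles then { } and then x;."""
    conds, actions = [], []
    for n in term[1]:
        if n[0] == "from":
            conds = [c[0] for c in n[1]]
        elif n[0] == "then":
            actions = [a[0] for a in n[1]]
        elif n[0].startswith("then "):
            actions = n[0].split()[1:]
    return term[0].split(None, 1)[1], conds, actions

def applied_filters(root):
    """(ifd.unit, direction, filter) for each 'family inet filter input|output'."""
    out = []
    for ifd in child(root, "interfaces")[1]:
        for unit in (u for u in ifd[1] if u[0].startswith("unit ")):
            for s in child(child(unit, "family inet"), "filter")[1]:
                parts = s[0].split()
                if len(parts) == 2 and parts[0] in ("input", "output"):
                    out.append((f"{ifd[0]}.{unit[0].split()[1]}", parts[0], parts[1]))
    return out

def blocking_terms(text):
    """Discard/reject terms of every applied filter; [] means no filter can drop."""
    root = parse_junos(text)
    filters = collect_filters(root)
    found = []
    for iface, direction, fname in applied_filters(root):
        for t in (n for n in filters.get(fname, ("", []))[1] if n[0].startswith("term ")):
            name, conds, actions = term_summary(t)
            if BLOCKING & set(actions):
                found.append((iface, direction, fname, name, conds or ["<any>"]))
    return found
```

Feed it the full `show configuration` text rather than just the `firewall` stanza, since both `interfaces` and `firewall` are needed to see where a filter is applied. It only reads `family inet` filters and it does not evaluate terms in order, so a reported term may be unreachable if an earlier term already accepts the traffic; it tells you where to look, not whether the packet is actually dropped.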