ip-stories.com

    Archive for the 'policy' Category


    [Juniper] Route Map Sequences - Term Policy-Statement Insert Command

    Posted by a. Rahman Isnaini r. Sutan on 19th August 2008

    =======================
    Juniper Config Manager [Here..]
    =======================


    1. Create the new term
    (192.168.104.0/24 is to be advertised with a prepended AS path):

    term network-24 {
        from {
            prefix-list NETWORK-24;
        }
        then {
            as-path-prepend "5656 5656 5656 5656";
            accept;
        }
    }

    After adding the new term at [edit policy-options policy-statement <name>] (UPSTREAM-EXPORT here), the configuration looks like this; note that the new term is appended after term 8, which rejects everything, so it is never reached:

    You@JunOS# show
    term 1 {
        from as-path MY-AS;
        then accept;
    }
    term 2 {
        from as-path [ CUST-M CUST-N CUST-O ];
        then accept;
    }
    term 3 {
        from {
            prefix-list NETWORK-22;
        }
        then accept;
    }
    term 5 {
        from {
            prefix-list CUST-B;
        }
        then accept;
    }
    term 6 {
        from as-path CUST-A;
        then {
            as-path-prepend "525 525 525";
            accept;
        }
    }
    term 8 {
        then reject;
    }
    term network-24 {
        from {
            prefix-list NETWORK-24;
        }
        then {
            as-path-prepend "5656 5656 5656 5656";
            accept;
        }
    }

    [edit policy-options policy-statement UPSTREAM-EXPORT]


    2. Insert the new term that has just been created before term 1, so it is evaluated first:

    You@JunOS# insert term network-24 before term 1
    [edit policy-options policy-statement UPSTREAM-EXPORT]

    You@JunOS# show
    term network-24 {
        from {
            prefix-list NETWORK-24;
        }
        then {
            as-path-prepend "5656 5656 5656 5656";
            accept;
        }
    }
    term 1 {
        from as-path MY-AS;
        then accept;
    }
    term 2 {
        from as-path [ CUST-M CUST-N CUST-O ];
        then accept;
    }
    term 3 {
        from {
            prefix-list NETWORK-22;
        }
        then accept;
    }
    term 5 {
        from {
            prefix-list CUST-B;
        }
        then accept;
    }
    term 6 {
        from as-path CUST-A;
        then {
            as-path-prepend "525 525 525";
            accept;
        }
    }
    term 8 {
        then reject;
    }

    [edit policy-options policy-statement UPSTREAM-EXPORT]
    You@JunOS# commit
    commit complete

    [edit policy-options policy-statement UPSTREAM-EXPORT]
    You@JunOS# run show route advertising-protocol bgp 172.16.17.1

    192.168.104.0/24   Self     5656 5656 5656 5656 I

    a. rahman isnaini rangkayo sutan
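The term-order effect behind the insert command, as an added Python model (this is not Junos code and not from the post): terms are walked top-down, the first matching accept or reject ends evaluation, and a prefix-list in `from` matches the prefix exactly. The prefix-list names, the term names and the 5656 prepend come from the post; the as-path regexes, the CUST-B prefix, the default for a fall-through and the locally originated test route are assumptions.

```python
import ipaddress
import re

# Added model of the UPSTREAM-EXPORT policy-statement shown in the post.
# A policy is an ordered list of (name, match, actions). Named as-path
# regexes and the CUST-B prefix are constructed stand-ins.
PREFIX_LISTS = {
    "NETWORK-22": {"192.168.100.0/22"},
    "NETWORK-24": {"192.168.104.0/24"},
    "CUST-B": {"10.20.0.0/16"},  # constructed
}
AS_PATHS = {  # constructed stand-ins for the post's named as-path regexes
    "MY-AS": r"^65001$", "CUST-A": r"^64501$",
    "CUST-M": r"^65002$", "CUST-N": r"^65003$", "CUST-O": r"^65004$",
}

UPSTREAM_EXPORT = [  # order as shown right after the new term was created
    ("1", {"as-path": ["MY-AS"]}, ["accept"]),
    ("2", {"as-path": ["CUST-M", "CUST-N", "CUST-O"]}, ["accept"]),
    ("3", {"prefix-list": "NETWORK-22"}, ["accept"]),
    ("5", {"prefix-list": "CUST-B"}, ["accept"]),
    ("6", {"as-path": ["CUST-A"]}, ["as-path-prepend 525 525 525", "accept"]),
    ("8", {}, ["reject"]),
    ("network-24", {"prefix-list": "NETWORK-24"},
     ["as-path-prepend 5656 5656 5656 5656", "accept"]),
]

def term_matches(match, route):
    """All 'from' conditions must hold; a prefix-list matches the prefix exactly."""
    if "prefix-list" in match:
        if str(ipaddress.ip_network(route["prefix"])) not in PREFIX_LISTS[match["prefix-list"]]:
            return False
    if "as-path" in match:  # several as-path names: any one of them may match
        path = " ".join(str(asn) for asn in route["as_path"])
        if not any(re.search(AS_PATHS[n], path) for n in match["as-path"]):
            return False
    return True

def evaluate(policy, route):
    """Walk terms top-down; the first matching accept/reject ends evaluation."""
    path = list(route["as_path"])
    for _name, match, actions in policy:
        if not term_matches(match, route):
            continue
        for action in actions:
            if action.startswith("as-path-prepend "):
                path = [int(a) for a in action.split()[1:]] + path
            elif action == "accept":
                return "accept", path
            elif action == "reject":
                return "reject", None
    return "reject", None  # assumption: a fall-through is treated as not exported

def insert_before(policy, name, before):
    """Model of the CLI's 'insert term <name> before term <before>'."""
    moved = next(t for t in policy if t[0] == name)
    rest = [t for t in policy if t[0] != name]
    idx = next(i for i, t in enumerate(rest) if t[0] == before)
    return rest[:idx] + [moved] + rest[idx:]

ROUTE = {"prefix": "192.168.104.0/24", "as_path": []}  # constructed: locally originated
```

Before the insert the route falls through to term 8 and is rejected; after `insert_before(UPSTREAM_EXPORT, "network-24", "1")` it is accepted with the four 5656 prepends, matching the advertised path in the post.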

    Posted in BGP, Juniper, policy | No Comments »

    [Juniper] Warning: ‘policer’ is deprecated

    Posted by a. Rahman Isnaini r. Sutan on 14th August 2008


    Though the CLI doesn't show the policer command under the filter hierarchy,
    I am still forcing it to be set to make sure everything works.
    Unfortunately I got this error:

    filter CUST-A {
        policer SHAPE-CUSTOMER-A {    ## Warning: 'policer' is deprecated
            if-exceeding {
                bandwidth-limit 3m;
                burst-size-limit 256k;
            }
            then discard;
        }
        term CUST-A-TRAFFIC {
            then {
                policer SHAPE-CUSTOMER-A;    ## 'SHAPE-CUSTOMER-A' is not defined
                count CUST-A-TRAFFIC;
            }
        }
    }

    Why?
    In newer Juniper OS versions (the commands above were valid for 5.0), the policer has to be defined under firewall,
    at the same level as filter. Reconfigure your policer under firewall and it should work.
    a. rahman isnaini r.sutan

    Posted in Juniper, policy | No Comments »

    [Juniper] Step By Step Juniper OS / JunOS Policy Based Routing [PBR]

    Posted by a. Rahman Isnaini r. Sutan on 13th August 2008


    For some reason you need to configure PBR on your Juniper.
    Here is a step-by-step guide to configuring this policy, the equivalent of a route-map on a Cisco router.

    The scenario:

    a. Redirect 192.168.100.0/24 to Provider B, whose IP address is 192.168.224.2
    b. The rest of the outgoing traffic stays on Provider A
    c. 192.168.100.0/24 is located behind interface fe-0/2/2 (routed statically via 192.168.5.2, for example,
       or directly connected via an alias / secondary IP).

    The config looks like this:

    interfaces {
        fe-0/2/2 {
            description LAN;
            unit 0 {
                family inet {
                    filter {
                        input ROUTE-MAP-NET-100-0;
                    }
                    address 192.168.5.1/29;
                }
            }
        }
    }

    routing-options {
        interface-routes {
            rib-group inet all-ribs;
        }
        rib-groups {
            all-ribs {
                import-rib [ inet.0 REDIRECT-100-0.inet.0 ];
            }
        }
    }

    firewall {
        family inet {
            filter ROUTE-MAP-NET-100-0 {
                term 1 {
                    from {
                        source-address {
                            192.168.100.0/24;
                        }
                    }
                    then routing-instance REDIRECT-100-0;
                }
                term 2 {
                    then accept;
                }
            }
        }
    }

    routing-instances {
        REDIRECT-100-0 {
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 192.168.224.2;
                }
            }
        }
    }

    The steps:

    you@JunOS# (at the [edit] prompt)
    you@JunOS# set routing-instances REDIRECT-100-0 instance-type forwarding
    you@JunOS# set routing-instances REDIRECT-100-0 routing-options static route 0.0.0.0/0 next-hop 192.168.224.2
    you@JunOS# commit

    you@JunOS# set routing-options interface-routes rib-group inet all-ribs  (all-ribs is just a name)
    you@JunOS# set routing-options rib-groups all-ribs import-rib [ inet.0 REDIRECT-100-0.inet.0 ]
    (make sure REDIRECT-100-0 matches the name of your routing instance, otherwise it won't work)
    you@JunOS# commit

    you@JunOS# set firewall family inet filter ROUTE-MAP-NET-100-0 term 1 from source-address 192.168.100.0/24
    you@JunOS# set firewall family inet filter ROUTE-MAP-NET-100-0 term 1 then routing-instance REDIRECT-100-0
    you@JunOS# set firewall family inet filter ROUTE-MAP-NET-100-0 term 2 then accept
    you@JunOS# commit

    you@JunOS# set interfaces fe-0/2/2 unit 0 family inet filter input ROUTE-MAP-NET-100-0
    you@JunOS# commit

    a. rahman isnaini r.sutan
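Why the rib-group step matters, as an added Python model of the filter-based forwarding set-up above (this is not Junos code and not from the post): the firewall filter picks the routing table, a longest-prefix lookup in that table picks the next hop, and the next hop is only usable if the same table holds a directly connected route covering it. The LAN address, the redirected /24, the static route via 192.168.5.2 and the Provider B next hop 192.168.224.2 are from the post; the two uplink subnets and the Provider A default are constructed.

```python
import ipaddress

# Added model of the post's filter-based forwarding: two routing tables,
# inet.0 and REDIRECT-100-0.inet.0, and the effect of importing the
# interface (direct) routes into both with 'rib-group inet all-ribs'.
# Without that import the instance cannot resolve 192.168.224.2 at all.

INTERFACE_ROUTES = {  # direct routes; the LAN is from the post, the uplinks are constructed
    "192.168.5.0/29": "direct fe-0/2/2",
    "192.168.223.0/30": "direct fe-0/2/0",  # towards Provider A (constructed)
    "192.168.224.0/30": "direct fe-0/2/1",  # towards Provider B (constructed)
}
REDIRECT_NET = ipaddress.ip_network("192.168.100.0/24")

def build_ribs(rib_group):
    """inet.0 and REDIRECT-100-0.inet.0 as the post's configuration populates them."""
    inet0 = dict(INTERFACE_ROUTES)
    inet0["192.168.100.0/24"] = "192.168.5.2"  # the post's static route to the LAN
    inet0["0.0.0.0/0"] = "192.168.223.2"       # constructed default via Provider A
    redirect = {"0.0.0.0/0": "192.168.224.2"}  # the instance's static default (post)
    if rib_group:  # effect of 'interface-routes rib-group inet all-ribs'
        redirect.update(INTERFACE_ROUTES)
    return {"inet.0": inet0, "REDIRECT-100-0.inet.0": redirect}

def lookup(rib, address):
    """Longest-prefix match; returns (network, next_hop) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, nh in rib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def resolve(rib, next_hop):
    """A next-hop IP is usable only if the same table holds a direct route covering it."""
    if next_hop.startswith("direct "):
        return next_hop
    hit = lookup(rib, next_hop)
    return next_hop if hit and hit[1].startswith("direct ") else None

def select_table(src):
    """Filter ROUTE-MAP-NET-100-0: term 1 redirects the /24, term 2 accepts the rest."""
    return "REDIRECT-100-0.inet.0" if ipaddress.ip_address(src) in REDIRECT_NET else "inet.0"

def forward(src, dst, rib_group=True):
    """Return (table consulted, resolved next hop or None) for a packet src -> dst."""
    ribs = build_ribs(rib_group)
    table = select_table(src)
    hit = lookup(ribs[table], dst)
    return table, (resolve(ribs[table], hit[1]) if hit else None)

if __name__ == "__main__":
    print(forward("192.168.100.10", "203.0.113.1"))         # via Provider B
    print(forward("192.168.5.5", "203.0.113.1"))            # via Provider A
    print(forward("192.168.100.10", "203.0.113.1", False))  # next hop unresolvable
```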

    Posted in Juniper, policy | 5 Comments »

    [IPv6] IPv6 Access List -ACL- Securing Your LAN

    Posted by a. Rahman Isnaini r. Sutan on 18th July 2008

    interface GigabitEthernet0/3.100
     description IPV6-SECURED-LAN
     encapsulation dot1Q 100
     ipv6 address 2404:170:253::1/120
     ipv6 enable
     ipv6 traffic-filter SECURED-LAN out

    ipv6 access-list SECURED-LAN
     remark FILTER-SECURE-IPV6-LAN
     sequence 110 permit tcp any host 2404:170:253::29 eq 8000 log
     sequence 111 permit tcp any host 2404:170:253::26 eq www
     sequence 122 permit tcp any any eq 2525
     sequence 150 deny tcp any any range ftp-data telnet
     sequence 151 deny tcp any any range 135 139
     sequence 152 deny tcp any any range 161 162
     sequence 153 deny tcp any any eq 6029
     sequence 154 deny tcp any any range 67 68
     sequence 155 deny tcp any any eq gopher
     sequence 156 deny tcp any any eq finger
     sequence 157 deny tcp any any eq www log
     sequence 158 deny tcp any any eq 87
     sequence 159 deny tcp any any eq sunrpc
     sequence 160 deny tcp any any eq irc
     sequence 161 deny tcp any any eq 372
     sequence 162 deny tcp any any eq exec
     sequence 163 deny tcp any any range login klogin
     sequence 164 deny tcp any any eq cmd
     sequence 165 deny tcp any any eq nntp
     sequence 166 deny tcp any any eq uucp
     sequence 167 deny tcp any any eq lpd
     sequence 168 deny tcp any any eq 37
     sequence 169 deny tcp any any eq 445
     sequence 170 deny tcp any eq 445 any
     sequence 171 deny tcp any any eq 450
     sequence 172 deny tcp any any eq 1434
     sequence 173 deny tcp any eq 1434 any
     sequence 174 deny tcp any any eq 1524
     sequence 175 deny tcp any any eq 2000
     sequence 176 deny tcp any any range 2041 2049
     sequence 177 deny udp any any range 135 netbios-ss
     sequence 178 deny udp any any range snmp snmptrap
     sequence 179 permit udp any any eq tftp
     sequence 180 deny udp any any eq 1434
     sequence 181 deny udp any eq 1434 any
     sequence 182 deny udp any any eq time
     sequence 183 deny udp any any eq tacacs
     sequence 184 deny udp any any eq bootps
     sequence 185 deny udp any any eq bootpc
     sequence 186 deny udp any any eq sunrpc
     sequence 187 deny udp any any eq 144
     sequence 188 deny udp any any eq who
     sequence 189 deny udp any any eq 515
     sequence 190 deny udp any any eq rip
     sequence 191 deny udp any any eq 27444
     sequence 192 deny udp any any eq 31335
     sequence 199 permit ipv6 any 2404:170:253::/120
     sequence 500 deny ipv6 any any log

    a. rahman isnaini r.sutan

    Posted in Cisco, IPv6, policy, security, vlan | No Comments »

    Using Cisco NBAR for blocking PORN or XXX or Specific URL string

    Posted by a. Rahman Isnaini r. Sutan on 6th June 2008

    Tired & want to block all "things related" to the "picture below" from being accessed from your LAN / save your "soap" from being used by a single man [not married yet]?

    Steps to configure Cisco IP NBAR with regular expressions [old file]:

    1. Configure Class Map to match any string in URL

    class-map match-any ADULT-URL
    match protocol http url “*porn*”
    match protocol http url “*porn”
    match protocol http url “porn*”
    match protocol http url “*xxx*”
    match protocol http url “xxx*”
    match protocol http url “*xxx”

    what ever specific string in URL you want to be blocked, put it on the list (3 raws with different place of “*” to match exactly”

    2. Configure a policy map to mark this ADULT traffic (DSCP x)

    policy-map FILTER-ADULT
     class ADULT-URL
      set ip dscp 5

    3. Create an access list that matches the marked traffic (DSCP 5); the policy route-map will send it to Null0.

    access-list 150 permit ip any any dscp 5
    access-list 150 deny ip any any

    4. Configure a route-map that sends the traffic to Null0

    route-map DENY-ADULT permit 10
     match ip address 150
     set interface Null0

    5. Apply the service policy and the policy route-map to the LAN interface where access to these sites is to be restricted

    int f0/0.6
     desc LAN-ADULT-SITE-RESTRICTED
     ip policy route-map DENY-ADULT
     service-policy input FILTER-ADULT

    More patterns:

    class-map match-any BLOCK-URL
     match protocol http url "*lapotuak*"
     match protocol http url "*adadeh-ffi*"
     match protocol http url "*faithfreedom*"
     match protocol http url "*lapo*tuak*"
     match protocol http url "*komiknabimuhammad*"
     match protocol http url "*komikmuhammad*"
     match protocol http url "*komik*muhammad*"
     match protocol http url "*Azl.jpg*"
     match protocol http host "*faithfreedom*"
     match protocol http url "*AlAzl2.jpg*"
     match protocol http url "*AlAzl3.jpg*"
     match protocol http url "*Draw Mohammed*"
     match protocol http url "*Draw*Mohammed*"

    In Mikrotik :

    iptables -A FORWARD -m string --string "komikmuhammad" --algo bm --to 65535 -j DROP
    iptables -A FORWARD -m string --string "komiknabimuhammad" --algo bm --to 65535 -j DROP
    iptables -A FORWARD -m string --string "Draw-Mohammed" --algo bm --to 65535 -j DROP
    iptables -A FORWARD -m string --string "faithfreedom" --algo bm --to 65535 -j DROP
    iptables -A FORWARD -m string --string "Draw Mohammed" --algo bm --to 65535 -j DROP

    by: Cak Jami

    a. rahman isnaini r.sutan
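How the three-pattern habit from step 1 behaves, as an added Python model (not IOS code and not from the post): NBAR's `match protocol http url` patterns use `*` as a wildcard for any run of characters, and with `match-any` the first criterion that matches a URL is the one that counts it. The keyword and URLs below are constructed placeholders; the per-pattern hit counters mirror what `show policy-map interface` reports, and, assuming evaluation stops at the first matching criterion, the result agrees with the counters in the later NBAR posts on this page, where only the `*fitna*` row accumulates hits.

```python
import re

# Added model of NBAR-style URL patterns in a match-any class-map (not IOS).
# '*' matches any run of characters; everything else is literal, so a '.'
# in a host name is escaped rather than treated as a regex metacharacter.

def nbar_glob_to_regex(pattern):
    """Translate an NBAR-style URL pattern ('*' only) into an anchored regex."""
    return "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"

class ClassMap:
    """match-any class-map: the first criterion that matches counts the hit."""
    def __init__(self, name, patterns):
        self.name = name
        self.rules = [(p, re.compile(nbar_glob_to_regex(p))) for p in patterns]
        self.hits = {p: 0 for p in patterns}  # per-criterion counters

    def classify(self, url):
        for pattern, rx in self.rules:
            if rx.search(url):
                self.hits[pattern] += 1
                return pattern
        return None  # falls through to class-default

def run(patterns, urls):
    """Classify each URL; return (per-pattern counters, pattern hit per URL)."""
    cm = ClassMap("BLOCK-KEYWORD", patterns)
    return cm.hits, [cm.classify(u) for u in urls]

# Constructed URL paths; note that real URL paths start with '/', so a
# pattern without a leading '*' can only match a path that begins with it.
URLS = ["/keyword/index.html", "/gallery/keyword", "keyword/start", "/news/today"]

if __name__ == "__main__":
    print(run(["*keyword*", "keyword*", "*keyword"], URLS))  # only '*keyword*' counts
    print(run(["keyword*", "*keyword", "*keyword*"], URLS))  # same URLs, hits spread out
```

With `*keyword*` listed first it absorbs every hit, so the two other rows only ever show counts if they are listed before it; they add no URLs that `*keyword*` does not already match.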

    Posted in Cisco, policy, security | 12 Comments »

    [Juniper] Simple Basic BGP Configuration Juniper OS [Step by Step]

    Posted by a. Rahman Isnaini r. Sutan on 14th May 2008


    Juniper OS [JUNOS] has a completely different configuration model from Cisco IOS.
    A basic and simple BGP config is shown below.
    The scheme is:

    - You are connected to two peers
    - Your AS number is 8888
    - You are peering with PEER-1, AS 9999
    - You are peering with PEER-2, AS 10000
    - You are advertising the first longer prefix (/24) to PEER-1
    - You are advertising the second longer prefix (/24) to PEER-2
    - You are advertising the supernet aggregate (/23) to both PEER-1 and PEER-2
    - Why? For redundancy

    +++++++++++++++++++++++++++++++++++++++++++++++++
    1. Configure the IP addresses for the BGP peerings (PEER-1 & PEER-2), for example
    +++++++++++++++++++++++++++++++++++++++++++++++++

    interfaces {
        fe-0/2/0 {
            description PEER-1;
            speed 100m;
            link-mode full-duplex;
            unit 0 {
                family inet {
                    address 88.88.88.89/30;
                }
            }
        }
        fe-0/2/1 {
            description PEER-2;
            speed 100m;
            link-mode full-duplex;
            unit 0 {
                family inet {
                    address 88.88.88.99/30;
                }
            }
        }
    }

    The commands are (you can either step into the hierarchy level by level or set the full path directly):

    admin@JUNOS> edit
    Entering configuration mode

    [edit]
    admin@JUNOS# edit interfaces fe-0/2/0

    [edit interfaces fe-0/2/0]
    admin@JUNOS# set description PEER-1
    admin@JUNOS# set speed 100m
    admin@JUNOS# set link-mode full-duplex
    admin@JUNOS# set unit 0 family inet address 88.88.88.89/30

    admin@JUNOS# top edit interfaces fe-0/2/1

    [edit interfaces fe-0/2/1]
    admin@JUNOS# set description PEER-2
    admin@JUNOS# set speed 100m
    admin@JUNOS# set link-mode full-duplex
    admin@JUNOS# set unit 0 family inet address 88.88.88.99/30
    admin@JUNOS# commit

    ++++++++++++++++++++++++++++
    2. Configure the AS number under routing-options
    ++++++++++++++++++++++++++++

    routing-options {
        autonomous-system 8888;
    }

    The command is:

    admin@JUNOS> edit
    Entering configuration mode

    [edit]
    admin@JUNOS# set routing-options autonomous-system 8888

    ++++++++++++
    3. Configure BGP
    ++++++++++++

    protocols {
        bgp {
            group PEER-1 {
                type external;
                description "***PEER-1***";
                damping;
                import PEER-IMPORT;
                export PEER1-EXPORT;
                peer-as 9999;
                neighbor 88.88.88.90;
            }
            group PEER-2 {
                type external;
                description "***PEER-2***";
                damping;
                import PEER-IMPORT;
                export PEER2-EXPORT;
                peer-as 10000;
                neighbor 88.88.88.100;
            }
        }
    }

    The commands are (one set per statement; a description containing * must be quoted):

    admin@JUNOS> edit
    Entering configuration mode

    [edit]
    admin@JUNOS# set protocols bgp group PEER-1 type external
    admin@JUNOS# set protocols bgp group PEER-1 description "***PEER-1***"
    admin@JUNOS# set protocols bgp group PEER-1 import PEER-IMPORT
    admin@JUNOS# set protocols bgp group PEER-1 export PEER1-EXPORT
    admin@JUNOS# set protocols bgp group PEER-1 peer-as 9999
    admin@JUNOS# set protocols bgp group PEER-1 neighbor 88.88.88.90
    admin@JUNOS# set protocols bgp group PEER-2 type external
    admin@JUNOS# set protocols bgp group PEER-2 description "***PEER-2***"
    admin@JUNOS# set protocols bgp group PEER-2 import PEER-IMPORT
    admin@JUNOS# set protocols bgp group PEER-2 export PEER2-EXPORT
    admin@JUNOS# set protocols bgp group PEER-2 peer-as 10000
    admin@JUNOS# set protocols bgp group PEER-2 neighbor 88.88.88.100
    admin@JUNOS# commit

    ++++++++++++++++++++++++++++++++++++
    4. Configure the BGP policy (the equivalent of a route-map & AS-path access-list in Cisco :)
    ++++++++++++++++++++++++++++++++++++

    policy-options {
        prefix-list PEER-1 {
            88.88.86.0/24;
        }
        prefix-list PEER-2 {
            88.88.87.0/24;
        }
        prefix-list PEER-12 {
            88.88.86.0/23;
        }

    The command should be :

    admin@JUNOS>edit
    Entering configuration mode

    [edit]
    admin@JUNOS# set policy-options prefix-list PEER-1 88.88.86.0/24
    admin@JUNOS# set policy-options prefix-list PEER-2 88.88.87.0/24
    admin@JUNOS# set policy-options prefix-list PEER-12 88.88.86.0/23

        policy-statement PEER-IMPORT {
            term 1 {
                from as-path ALL;
                then accept;
            }
        }

    admin@JUNOS#set policy-options policy-statement PEER-IMPORT term 1 from as-path ALL
    admin@JUNOS#set policy-options policy-statement PEER-IMPORT term 1 then accept

        policy-statement PEER1-EXPORT {
            term 1 {
                from {
                    prefix-list PEER-1;
                }
                then accept;
            }
            term 2 {
                from {
                    prefix-list PEER-12;
                }
                then accept;
            }
            term 3 {
                then reject;
            }
        }

    admin@JUNOS#set policy-options policy-statement PEER1-EXPORT term 1 from prefix-list PEER-1
    admin@JUNOS#set policy-options policy-statement PEER1-EXPORT term 1 then accept
    admin@JUNOS#set policy-options policy-statement PEER1-EXPORT term 2 from prefix-list PEER-12
    admin@JUNOS#set policy-options policy-statement PEER1-EXPORT term 2 then accept
    admin@JUNOS#set policy-options policy-statement PEER1-EXPORT term 3 then reject

        policy-statement PEER2-EXPORT {
            term 1 {
                from {
                    prefix-list PEER-2;
                }
                then accept;
            }
            term 2 {
                from {
                    prefix-list PEER-12;
                }
                then accept;
            }
            term 3 {
                then reject;
            }
        }

    admin@JUNOS# set policy-options policy-statement PEER2-EXPORT term 1 from prefix-list PEER-2
    admin@JUNOS# set policy-options policy-statement PEER2-EXPORT term 1 then accept
    admin@JUNOS# set policy-options policy-statement PEER2-EXPORT term 2 from prefix-list PEER-12
    admin@JUNOS# set policy-options policy-statement PEER2-EXPORT term 2 then accept
    admin@JUNOS# set policy-options policy-statement PEER2-EXPORT term 3 then reject

        as-path ALL ".*";
    }

    admin@JUNOS# set policy-options as-path ALL ".*"
    admin@JUNOS# commit

    a. rahman isnaini r.sutan

    Posted in BGP, Juniper, policy | 8 Comments »

    Spam / Junk SMS XL Bebas

    Posted by a. Rahman Isnaini r. Sutan on 2nd May 2008

    Like everyone who receives unwanted information from their mobile operator (which counts as SPAM/JUNK) and rejects this type of promotion, so do I.

    XL Bebas, as we know one of the prepaid cards from XL, sometimes sends unwanted information, and this has been discussed among bloggers. Pak Hasnul said that only a few customers complained about this spam; I believe I am among them :)
    My perspective: yes, 818 or another information center can send the 'general' SMS. But please send only the 'selected' ones, not promos. Selected means useful, helpful, urgent.

    The positive side is still the low-cost tariff (thanks to XL), and many other operators claim similarly low-cost calls/SMS against "zero, zero, zero, ... dot one" Rupiah. And of course it is much better than what we used for many decades, called "SLJJ"...

    Other things to be concerned about? Here they are:

    - Network often busy (oversubscriber / BTS / Backhaul congested)
    - Urgent Call Only
    - Noise Talk & Low Quality
    - Voice Compression
    - Redirect to VoIP Network (with QoS)

    a. rahman isnaini r.sutan
    (0817 xx88xxx)

    Posted in Mobile, policy, wireless | No Comments »

    Different IOS version, NBAR does not work :) though it does match!

    Posted by a. Rahman Isnaini r. Sutan on 8th April 2008

    Even though the config is correct and it shows matches, it turns out that without a Technology (T) train IOS version the regex policy filter does not work; NBAR does not let it through :) and you have to follow the guidance of Mbah Kung Chamber's primbon.. Oh yes, if any friends have converted this to JunOS or Mikrotik Mangle and IP Firewall... please share..

    c7200-is-mz.123-12.bin

    Service-policy input: FILTER-FITNA

      Class-map: URL-FITNA (match-any)
        68 packets, 66099 bytes
        5 minute offered rate 0 bps, drop rate 0 bps
        Match: protocol http url "fitna*"
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: protocol http url "*fitna*"
          68 packets, 66099 bytes
          5 minute rate 0 bps
        Match: protocol http url "*fitna"
          0 packets, 0 bytes
          5 minute rate 0 bps

    c3660-is-mz.122-2.T.bin

    Service-policy input: FILTER-FITNA

      Class-map: URL-FITNA (match-any)
        234 packets, 132795 bytes
        5 minute offered rate 0 bps, drop rate 0 bps
        Match: protocol http url "*fitna*"
          94 packets, 49737 bytes
          5 minute rate 0 bps
        Match: protocol http url "*fitna"
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: protocol http url "fitna*"
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: protocol http url "*spysurfing.com*"
          140 packets, 83058 bytes
          5 minute rate 0 bps
        Match: protocol http url "spysurfing.com*"
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: protocol http url "*spysurfing.com"
          0 packets, 0 bytes
          5 minute rate 0 bps
        QoS Set
          ip dscp 5
            Packets marked 234

    Anwar, ... same as at Jt Padang ... it has only been applied on one of the gateways so far :) the upper one has to be upgraded :))

    Wassalam,

    a. rahman isnaini r.sutan

    Posted in Cisco, government, policy, security | 1 Comment »

    Cisco NBAR ACL to Match FITNA URL STRING

    Posted by a. Rahman Isnaini r. Sutan on 8th April 2008

    sh policy-map interface f0/0.6
     FastEthernet0/0.6

      Service-policy input: FILTER-FITNA

        Class-map: URL-FITNA (match-any)
          234 packets, 132795 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol http url "*fitna*"
            94 packets, 49737 bytes
            5 minute rate 0 bps
          Match: protocol http url "*fitna"
            0 packets, 0 bytes
            5 minute rate 0 bps
          Match: protocol http url "fitna*"
            0 packets, 0 bytes
            5 minute rate 0 bps
          Match: protocol http url "*spysurfing.com*"
            140 packets, 83058 bytes
            5 minute rate 0 bps
          Match: protocol http url "spysurfing.com*"
            0 packets, 0 bytes
            5 minute rate 0 bps
          Match: protocol http url "*spysurfing.com"
            0 packets, 0 bytes
            5 minute rate 0 bps
          QoS Set
            ip dscp 5
              Packets marked 234

        Class-map: class-default (match-any)
          6129 packets, 802498 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

    sh access-lists 150
    Extended IP access list 150
        permit ip any any dscp 5 (234 matches)
        deny ip any any (5782 matches)

    Wassalaam,

    a. rahman isnaini r.sutan

    Posted in Cisco, government, policy, security, social | No Comments »