Juniper policy translation for CISCO XR

andreherminio
Level 1

Hello

We are performing a migration of CEs from a Juniper router to a Cisco ASR9006 router. On the Juniper router there is a policy applied on a GRE tunnel interface. The policy was translated to IOS XR, but after migrating the GRE tunnel to IOS XR the policy is not being marked. Below are the policy settings configured on the Juniper router and the translation to IOS XR.

===========================================================================================
===========================================================================================

Config Juniper

unit 510 {
    description "TN510 - RT01TP153 - Acesso VPN Internet";
    tunnel {
        source 10.251.38.177;
        destination 189.125.34.126;
        allow-fragmentation;
        routing-instance {
            destination pb-dados;
        }
    }
    family inet {
        mtu 1414;
        filter {
            output Limita_TP153;
        }
        sampling {
            input;
            output;
        }
        address 10.251.32.85/30;
    }
}

filter Limita_TP153 {
    term Limita_SCCM {
        from {
            protocol tcp;
            source-port 2383;
        }
        then {
            policer Limita_10Mbps;
            count matches;
            log;
        }
    }
    term Internet {
        from {
            source-port [ 8080 804 ];
        }
        then policer 15Megabits;
    }
    inactive: term Limita_CIFS {
        from {
            protocol tcp;
            source-port 445;
        }
        then policer Limita_25Mbps;
    }
    term Limita_AntiVirus {
        from {
            protocol tcp;
            source-port [ 8014 2967 7070 ];
        }
        then {
            policer Limita_20Mbps;
            count matches;
            log;
        }
    }
    term Final {
        then accept;
    }
}

===========================================================================================
===========================================================================================

Config CISCO XR

interface tunnel-ip108
 description Tunnel 108 - RT01TP153 - Acesso VPN Internet
 vrf pb-dados
 ipv4 address 10.251.32.85 255.255.255.252
 mtu 1414
 shutdown
 service-policy output Limita_TP153_POLICY
 tunnel source 10.251.38.177
 tunnel vrf pb-dados
 tunnel destination 189.125.34.126
!
!
ipv4 access-list Limita_TP153_ACL
 10 permit tcp any any eq 2383
 20 permit tcp any any eq 8080
 30 permit tcp any any eq 445
 40 permit tcp any any eq 8014
 50 permit tcp any any eq 2967
 60 permit tcp any any eq 7070
!
!
policy-map Limita_TP153_POLICY
 class Limita_TP153_CLASS
  police rate 20000000 bps burst 35000 bytes
   exceed-action drop
!
!
class-map match-all Limita_TP153_CLASS
 match access-group ipv4 Limita_TP153_ACL
 end-class-map
!
!

===========================================================================================
===========================================================================================

2 Replies

Hello,

If I understand correctly you need to match the source port with your access-list.

Please change the access-list configuration like this:

ipv4 access-list Limita_TP153_ACL
10 permit tcp any eq 2383 any 
20 permit tcp any eq 8080 any 
30 permit tcp any eq 445 any 
40 permit tcp any eq 8014 any 
50 permit tcp any eq 2967 any 
60 permit tcp any eq 7070 any 
!

Thanks!!!
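
The source-versus-destination port placement discussed in this thread, as an added example that is not part of the original posts: a Python check that extracts the `source-port` values from the active Junos filter terms and compares them with the ports an IOS XR ACL matches on each side. The sample configs are condensed from the thread, the function names are hypothetical, and the parser assumes numeric ports matched with `eq` only.

```python
import re
# Constructed input, condensed from the configurations quoted in this thread.
JUNOS = """
term Limita_SCCM { from { protocol tcp; source-port 2383; } }
term Internet { from { source-port [ 8080 804 ]; } }
inactive: term Limita_CIFS { from { protocol tcp; source-port 445; } }
"""
XR_ORIGINAL = """
10 permit tcp any any eq 2383
20 permit tcp any any eq 8080
30 permit tcp any any eq 445
"""
XR_REPLY = """
10 permit tcp any eq 2383 any
20 permit tcp any eq 8080 any
30 permit tcp any eq 445 any
"""

def junos_source_ports(text):
    """Source ports matched by active terms; 'inactive:' terms are skipped."""
    ports, active = set(), True
    for line in text.splitlines():
        term = re.match(r"\s*(inactive:\s*)?term\s+\S+", line)
        active = (term.group(1) is None) if term else active
        m = re.search(r"source-port\s+\[?([\d\s]+)\]?\s*;", line)
        if m and active:
            ports.update(int(p) for p in m.group(1).split())
    return ports

def _skip_addr(tok, i):  # 'any' or 'A/len' is one token; 'host A' or 'A wildcard' is two
    return i + 1 if i < len(tok) and (tok[i] == "any" or "/" in tok[i]) else i + 2

def xr_ports(text):
    """(source_ports, destination_ports) matched with 'eq' on permit lines."""
    src, dst = set(), set()
    for tok in map(str.split, text.splitlines()):
        if len(tok) < 5 or tok[1] != "permit" or tok[2] not in ("tcp", "udp"):
            continue
        i = 3
        for ports in (src, dst):              # source address first, then destination
            i = _skip_addr(tok, i)
            if tok[i:i + 1] == ["eq"]:        # 'eq <port>' directly after that address
                ports.add(int(tok[i + 1]))
                i += 2
    return src, dst

def compare(junos, xr):
    want, (src, dst) = junos_source_ports(junos), xr_ports(xr)
    return {"missing": want - src, "extra": src - want, "on_destination": want & dst}
```

On this sample, `compare(JUNOS, XR_ORIGINAL)` lists 2383 and 8080 under `on_destination`, while `compare(JUNOS, XR_REPLY)` reports 804 as missing and 445 as extra, because 804 appears only in the Junos `Internet` term and 445 belongs to a term marked `inactive:`.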