Re: [j-nsp] event-options to modify configuration
Chen Jiang writes:
> change-configuration {
>     retry count 3 interval 1;
>     commands {
>         set interface ge-1/0/0 description test;

Try changing "interface" to "interfaces" in this line. The commands need to be explicit/exact.

Thanks,
 Phil

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] DHCPv6 routing instance to reach server, or fooling flow sessions with firewall filters
Hey all,

Got a problem here I'm hoping someone can help with.

Client - M-series (relay) - (VLAN 2920) J-series (VLAN 100) - Server
Server - (VLAN 100) J-series (VLAN 2980)

inet6.0 on the M knows to reach the DHCPv6 server via VLAN 2920, the J-series dutifully forwards the packets to the server and receives the response. However, as the relayed request comes from the IP on the Client side of the M, the J-series wants to route the answer via VLAN 2980 (because it has a /56 route that way for all the client networks).

If I add a /128 static route to the M via 2920, DHCPv6 works as expected. That's not going to scale for even half a dozen networks, let alone 10s or more.

The M has a routing instance (type forwarding) that would use VLAN 2980 to reach the Server, but I haven't found a knob to make the dhcp-relay use a routing instance to reach the server.

I've tried making a routing instance on the J-series (type virtual-router) with a default route via VLAN 2920, and using a firewall filter to put DHCPv6 packets into it.

term dhcpv6 {
    from {
        source-address {
            ::/0;
        }
        next-header udp;
        source-port [ 547 546 ];
    }
    then {
        count stateless-dhcpv6;
        log;
        routing-instance stateless;
    }
}

Seems the flow lookup doesn't respect that.

Does anyone have any ideas?

Thanks

--
Mike Williams
Re: [j-nsp] VRF route leaking on EX4550
On 20/04/15 17:27, Raphael Mazelier wrote:
> In my opinion rib-groups have a more complex syntax than auto-export, which seems natural to me. Anyway, with the help of this documentation and the templating feature of Junos, I'll be able to make a relatively clear configuration.

Me again. I'm facing a problem when mixing rib-groups export and vrf import/export.

When exporting routes from A to vrf X with rib-groups, these routes are candidates to be re-exported in MP-BGP VPN X, which is not what I want (it results in a routing loop).

My current solution is to tag the exported routes via the rib-groups import policy, and to explicitly exclude these routes in the vrf-export policy. I'm not very happy with that.

I wonder if someone has already faced this problem, and has a better/alternative option.

Regards,

--
Raphael Mazelier
[j-nsp] event-options to modify configuration
Hi! Experts

I tried to use event-options to change the JUNOS configuration but there is some issue; have you experienced the same issue and could you shed some light on this? Thanks for your help!

lab@r1# show event-options
generate-event {
    Configure-Ot-Change time-of-day 21:44:00 +0800;
}
policy cfg-change {
    events Configure-Ot-Change;
    then {
        change-configuration {
            retry count 3 interval 1;
            commands {
                set interface ge-1/0/0 description test;
            }
            user-name lab;
            commit-options {
                log it works;
            }
        }
    }
}

lab@r1# show system login
user lab {
    class super-user;
    authentication {
        encrypted-password $1$bCUr1ywM$IsPhjvdT88q/EGwtPD1UX1; ## SECRET-DATA
    }
}

lab@r1# run show log messages | match 21:44
Apr 7 21:44:02  r1 eventd: EVENTD_CONFIG_CHANGE_FAILED: Configuration change failed: rpc to management daemon failed while executing policy cfg-change with user lab privileges

--
BR!

James Chen
[j-nsp] How to enable bfd echo mode
Hi Experts,

Can you please help me to enable echo mode of the BFD protocol. The BFD session which I try to make is between a Juniper router and an Alcatel OmniSwitch (which supports only BFD echo mode for static routes).

The software version of the Juniper router is 12.3R2-S2.

Thank you for your help

Regards
Re: [j-nsp] event-options to modify configuration
Yes, I have tried the same manual configuration through the lab user and it works fine.

On Wed, Apr 22, 2015 at 12:43 AM, Pallavi Mahajan <pall...@juniper.net> wrote:
> Have you tried checking if the user ‘lab’ can invoke the ‘set interface’ config knob from the CLI?
>
> Thanks,
> Pallavi
>
> On 21/04/15 9:10 pm, Chen Jiang <iloveb...@gmail.com> wrote:
>> Hi! Experts
>>
>> I tried to use event-options to change the JUNOS configuration but there is some issue; have you experienced the same issue and could you shed some light on this? Thanks for your help!
>>
>> lab@r1# show event-options
>> generate-event {
>>     Configure-Ot-Change time-of-day 21:44:00 +0800;
>> }
>> policy cfg-change {
>>     events Configure-Ot-Change;
>>     then {
>>         change-configuration {
>>             retry count 3 interval 1;
>>             commands {
>>                 set interface ge-1/0/0 description test;
>>             }
>>             user-name lab;
>>             commit-options {
>>                 log it works;
>>             }
>>         }
>>     }
>> }
>>
>> lab@r1# show system login
>> user lab {
>>     class super-user;
>>     authentication {
>>         encrypted-password $1$bCUr1ywM$IsPhjvdT88q/EGwtPD1UX1; ## SECRET-DATA
>>     }
>> }
>>
>> lab@r1# run show log messages | match 21:44
>> Apr 7 21:44:02  r1 eventd: EVENTD_CONFIG_CHANGE_FAILED: Configuration change failed: rpc to management daemon failed while executing policy cfg-change with user lab privileges
>>
>> --
>> BR!
>>
>> James Chen

--
BR!

James Chen
Re: [j-nsp] event-options to modify configuration
Thanks Phil and sorry for my mistake, I should use interface instead of interfaces, it works now.

On Wed, Apr 22, 2015 at 3:08 AM, Phil Shafer <p...@juniper.net> wrote:
> Chen Jiang writes:
>> change-configuration {
>>     retry count 3 interval 1;
>>     commands {
>>         set interface ge-1/0/0 description test;
>
> Try changing "interface" to "interfaces" in this line. The commands need to be explicit/exact.
>
> Thanks,
>  Phil

--
BR!

James Chen
Re: [j-nsp] SRX3600 Problem
hi cahit

have you enabled any screens on the interface under attack?

regards
farrukh

On Tue, Apr 21, 2015 at 7:22 PM, Cahit Eyigünlü <cahit.eyigu...@spd.net.tr> wrote:
> We are getting a spoofed IP SYN attack. When the attack starts and goes over 100K pps our SRX3600 was losing the connection. And we check the status of the device over the serial connection. But we could not determine why it has dropped the connection.
>
> Should somebody help us to overcome this issue?
>
> r...@srx3600.spd.net.tr> show security flow cp-session summary
>   Valid sessions: 141
>   Pending sessions: 621628
>   Invalidated sessions: 517864
>   Sessions in other states: 1
>   Total sessions: 1139634
>   Maximum sessions: 2359296
>
> r...@srx3600.spd.net.tr> show security monitoring fpc 12
> FPC 12
>   PIC 0
>     CPU utilization          :   44 %
>     Memory utilization       :   67 %
>     Current flow session     : 147286
>     Current flow session IPv4: 147286
>     Current flow session IPv6:      0
>     Max flow session         : 524288
>     Current CP session       : 1074031
>     Current CP session IPv4  : 1074031
>     Current CP session IPv6  :       0
>     Max CP session           : 2359296
>     Total Session Creation Per Second (for last 96 seconds on average): 13
>     IPv4  Session Creation Per Second (for last 96 seconds on average): 13
>     IPv6  Session Creation Per Second (for last 96 seconds on average):  0
>
> r...@srx3600.spd.net.tr> show chassis routing-engine
> Routing Engine status:
>   Slot 0:
>     Current state                 Master
>     Election priority             Master (default)
>     DRAM                      1023 MB
>     Memory utilization          44 percent
>     CPU utilization:
>       User                       0 percent
>       Background                 0 percent
>       Kernel                     5 percent
>       Interrupt                  0 percent
>       Idle                      95 percent
>     Model                          RE-PPC-1200-A
>     Start time                     2015-04-15 02:06:10 UTC
>     Uptime                         4 days, 15 hours, 16 minutes, 29 seconds
>     Last reboot reason             Router rebooted after a normal shutdown.
>     Load averages:                 1 minute   5 minute  15 minute
>                                        0.14       0.07       0.11
>
> r...@srx3600.spd.net.tr> show security monitoring performance spu fpc 12 pic 0
> Last 60 seconds:
>    0:  39    1:  45    2:  44    3:  40    4:  44    5:  40    6:  38    7:  46    8:  45    9:  39
>   10:  44   11:  39   12:  38   13:  45   14:  38   15:  45   16:  44   17:  39   18:  44   19:  39
>   20:  44   21:  40   22:  44   23:  39   24:  38   25:  45   26:  44   27:  40   28:  44   29:  40
>   30:  45   31:  40   32:  45   33:  41   34:  45   35:  39   36:  45   37:  39   38:  45   39:  39
>   40:  44   41:  39   42:  44   43:  39   44:  44   45:  39   46:  46   47:  39   48:  45   49:  39
>   50:  44   51:  39   52:  45   53:  39   54:  44   55:  39   56:  44   57:  39   58:  44   59:  39
>
> r...@srx3600.spd.net.tr> show security monitoring performance session fpc 12 pic 0
> Last 60 seconds:
>    0: 127861    1: 146887    2: 130877    3: 147286    4: 134179
>    5: 145303    6: 133196    7: 144339    8: 132233    9: 143981
>   10: 130861   11: 143042   12: 131280   13: 142719   14: 130623
>   15: 142493   16: 132094   17: 143124   18: 132726   19: 143938
>   20: 133022   21: 143349   22: 133100   23: 143469   24: 134321
>   25: 143694   26: 137340   27: 145672   28: 141399   29: 145458
>   30: 145697   31: 146920   32: 144260   33: 145259   34: 141360
>   35: 142157   36: 137389   37: 140399   38: 136483   39: 139640
>   40: 136597   41: 139363   42: 139707   43: 143110   44: 140994
>   45: 143038   46: 139781   47: 141751   48: 136746   49: 139456
>   50: 137395   51: 139898   52: 137503   53: 140300   54: 136762
>   55: 139315   56: 136245   57: 138951   58: 136685   59: 139288
>
> r...@srx3600.spd.net.tr> show chassis hardware
> Hardware inventory:
> Item             Version  Part number  Serial number  Description
> Chassis                                               SRX 3600
> Midplane         REV 07   710-020310                  SRX 3600 Midplane
> PEM 0            rev 08   740-027644                  AC Power Supply
> PEM 1            rev 08   740-027644                  AC Power Supply
> CB 0             REV 14   750-021914                  SRX3k RE-12-10
>   Routing Engine BUILTIN  BUILTIN                     Routing Engine
>   CPP            BUILTIN  BUILTIN                     Central PFE Processor
>   Mezz           REV 08   710-021035                  SRX HD Mezzanine Card
> FPC 0            REV 16   750-021882                  SRX3k SFB 12GE
>   PIC 0          BUILTIN  BUILTIN                     8x 1GE-TX 4x 1GE-SFP
> FPC 1            REV 20   750-020321                  SRX3k 2x10GE XFP
>   PIC 0          BUILTIN  BUILTIN                     2x 10GE-XFP
>     Xcvr 0                NON-JNPR                    XFP-10G-SR
>     Xcvr 1                NON-JNPR
Re: [j-nsp] QFX5100 issues with IPv6 hashing
Doing more testing I am seeing bad hashing with UDPv6 traffic; TCPv6 traffic looks OK. Maybe it is just that the UDP header is not parsed correctly.

On 4/21/15 09:34, Anton Yurchenko wrote:
> Hi,
>
> I am using the -P option for iperf, it does vary source port; dst port is the same though. Normally (and with v4 traffic) it results in good hashing behavior.
>
> Thanks,
>
> On 4/18/15 07:21, Michael Loftis wrote:
>> On Friday, April 17, 2015, Anton Yurchenko <ayurche...@gmail.com> wrote:
>>> Hi All,
>>>
>>> I am seeing issues with QFX5100, hashing of IPv6 traffic over ECMP paths is very bad. In my case I have an ECMP over 3x40Gig links, and sending 180x10Mbit UDPv6 flows over them. First 40G gets ~300mbit, second ~600 and third ~900. IPv4 hashing is fine, ~5% variance in traffic levels.
>>>
>>> I have enabled hashing on L3/L4 and layer2-payload but to no avail. It seems that protocol/ports are not taken into account at all. If I start traffic from just one IP with 30 flows, they will all end up on a single link.
>>
>> You say 30 flows but are they differing at all? Even for v6 it looks at Source IP, Dest IP, Proto, Source port, Dest port. If your traffic generator doesn't vary the source port then each flow will look identical to the hash algo.
>>
>>> Seeing this on 13.2X51-D35.3 and 14.1X53-D25.2 releases.
>>>
>>> Here is my hashing config:
>>>
>>> load-balance {
>>>     indexed-load-balance;
>>> }
>>> hash-key {
>>>     family inet {
>>>         layer-3;
>>>         layer-4;
>>>     }
>>> }
>>> enhanced-hash-key {
>>>     hash-mode {
>>>         layer2-payload;
>>>     }
>>> }
>>>
>>> Wondering if anybody has seen something similar or has seen it working properly.
>>>
>>> Thanks!
>>
>> --
>> Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler
Re: [j-nsp] QFX5100 issues with IPv6 hashing
Hi,

Under that inet6 stanza you can only turn off certain fields to be used for hashing. I tried playing with them with no visible effect. Asking on this list because I almost feel this kind of issue would not go unnoticed for so long, and that maybe my test setup is wrong.

Thanks for your reply!

On 4/18/15 02:58, Karsten Thomann wrote:
> Hi,
>
> not tested, but have you tried to configure under enhanced-hash-key the inet6 hashing like documented here?
> http://www.juniper.net/documentation/en_US/junos13.2/topics/reference/configuration-statement/enhanced-hash-key-edit-forwarding-options-ex-series.html
>
> Kind regards
> Karsten
>
> On Friday, 17 April 2015, 17:26:10, Anton Yurchenko wrote:
>> Hi All,
>>
>> I am seeing issues with QFX5100, hashing of IPv6 traffic over ECMP paths is very bad. In my case I have an ECMP over 3x40Gig links, and sending 180x10Mbit UDPv6 flows over them. First 40G gets ~300mbit, second ~600 and third ~900. IPv4 hashing is fine, ~5% variance in traffic levels.
>>
>> I have enabled hashing on L3/L4 and layer2-payload but to no avail. It seems that protocol/ports are not taken into account at all. If I start traffic from just one IP with 30 flows, they will all end up on a single link.
>>
>> Seeing this on 13.2X51-D35.3 and 14.1X53-D25.2 releases.
>>
>> Here is my hashing config:
>>
>> load-balance {
>>     indexed-load-balance;
>> }
>> hash-key {
>>     family inet {
>>         layer-3;
>>         layer-4;
>>     }
>> }
>> enhanced-hash-key {
>>     hash-mode {
>>         layer2-payload;
>>     }
>> }
>>
>> Wondering if anybody has seen something similar or has seen it working properly.
>>
>> Thanks!
[j-nsp] SRX3600 Problem
We are getting a spoofed IP SYN attack. When the attack starts and goes over 100K pps our SRX3600 was losing the connection. And we check the status of the device over the serial connection. But we could not determine why it has dropped the connection.

Should somebody help us to overcome this issue?

r...@srx3600.spd.net.tr> show security flow cp-session summary
  Valid sessions: 141
  Pending sessions: 621628
  Invalidated sessions: 517864
  Sessions in other states: 1
  Total sessions: 1139634
  Maximum sessions: 2359296

r...@srx3600.spd.net.tr> show security monitoring fpc 12
FPC 12
  PIC 0
    CPU utilization          :   44 %
    Memory utilization       :   67 %
    Current flow session     : 147286
    Current flow session IPv4: 147286
    Current flow session IPv6:      0
    Max flow session         : 524288
    Current CP session       : 1074031
    Current CP session IPv4  : 1074031
    Current CP session IPv6  :       0
    Max CP session           : 2359296
    Total Session Creation Per Second (for last 96 seconds on average): 13
    IPv4  Session Creation Per Second (for last 96 seconds on average): 13
    IPv6  Session Creation Per Second (for last 96 seconds on average):  0

r...@srx3600.spd.net.tr> show chassis routing-engine
Routing Engine status:
  Slot 0:
    Current state                 Master
    Election priority             Master (default)
    DRAM                      1023 MB
    Memory utilization          44 percent
    CPU utilization:
      User                       0 percent
      Background                 0 percent
      Kernel                     5 percent
      Interrupt                  0 percent
      Idle                      95 percent
    Model                          RE-PPC-1200-A
    Start time                     2015-04-15 02:06:10 UTC
    Uptime                         4 days, 15 hours, 16 minutes, 29 seconds
    Last reboot reason             Router rebooted after a normal shutdown.
    Load averages:                 1 minute   5 minute  15 minute
                                       0.14       0.07       0.11

r...@srx3600.spd.net.tr> show security monitoring performance spu fpc 12 pic 0
Last 60 seconds:
   0:  39    1:  45    2:  44    3:  40    4:  44    5:  40    6:  38    7:  46    8:  45    9:  39
  10:  44   11:  39   12:  38   13:  45   14:  38   15:  45   16:  44   17:  39   18:  44   19:  39
  20:  44   21:  40   22:  44   23:  39   24:  38   25:  45   26:  44   27:  40   28:  44   29:  40
  30:  45   31:  40   32:  45   33:  41   34:  45   35:  39   36:  45   37:  39   38:  45   39:  39
  40:  44   41:  39   42:  44   43:  39   44:  44   45:  39   46:  46   47:  39   48:  45   49:  39
  50:  44   51:  39   52:  45   53:  39   54:  44   55:  39   56:  44   57:  39   58:  44   59:  39

r...@srx3600.spd.net.tr> show security monitoring performance session fpc 12 pic 0
Last 60 seconds:
   0: 127861    1: 146887    2: 130877    3: 147286    4: 134179
   5: 145303    6: 133196    7: 144339    8: 132233    9: 143981
  10: 130861   11: 143042   12: 131280   13: 142719   14: 130623
  15: 142493   16: 132094   17: 143124   18: 132726   19: 143938
  20: 133022   21: 143349   22: 133100   23: 143469   24: 134321
  25: 143694   26: 137340   27: 145672   28: 141399   29: 145458
  30: 145697   31: 146920   32: 144260   33: 145259   34: 141360
  35: 142157   36: 137389   37: 140399   38: 136483   39: 139640
  40: 136597   41: 139363   42: 139707   43: 143110   44: 140994
  45: 143038   46: 139781   47: 141751   48: 136746   49: 139456
  50: 137395   51: 139898   52: 137503   53: 140300   54: 136762
  55: 139315   56: 136245   57: 138951   58: 136685   59: 139288

r...@srx3600.spd.net.tr> show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number  Description
Chassis                                               SRX 3600
Midplane         REV 07   710-020310                  SRX 3600 Midplane
PEM 0            rev 08   740-027644                  AC Power Supply
PEM 1            rev 08   740-027644                  AC Power Supply
CB 0             REV 14   750-021914                  SRX3k RE-12-10
  Routing Engine BUILTIN  BUILTIN                     Routing Engine
  CPP            BUILTIN  BUILTIN                     Central PFE Processor
  Mezz           REV 08   710-021035                  SRX HD Mezzanine Card
FPC 0            REV 16   750-021882                  SRX3k SFB 12GE
  PIC 0          BUILTIN  BUILTIN                     8x 1GE-TX 4x 1GE-SFP
FPC 1            REV 20   750-020321                  SRX3k 2x10GE XFP
  PIC 0          BUILTIN  BUILTIN                     2x 10GE-XFP
    Xcvr 0                NON-JNPR                    XFP-10G-SR
    Xcvr 1                NON-JNPR                    XFP-10G-SR
FPC 4            REV 14   750-020321                  SRX3k 2x10GE XFP
  PIC 0          BUILTIN  BUILTIN                     2x 10GE-XFP
    Xcvr 0                NON-JNPR                    XFP-10G-SR
    Xcvr 1
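A triage helper for the session figures posted in this message, added here as an example; it is not Juniper code and not part of the original post. It parses the text of "show security flow cp-session summary" and "show security monitoring fpc" (the sample output below copies the numbers from the post) and flags the pattern a spoofed-source SYN flood leaves in the central-point session table: almost no valid sessions, pending and invalidated counts that dominate the total, and a CP table filling up while the per-SPU flow table stays comparatively small. The thresholds are assumptions chosen for the example, not Juniper guidance.

```python
"""Flag SYN-flood symptoms in SRX session counters (added example, not Juniper code)."""
import re

# Sample output, copied from the figures posted in the thread.
CP_SUMMARY = """\
Valid sessions: 141
Pending sessions: 621628
Invalidated sessions: 517864
Sessions in other states: 1
Total sessions: 1139634
Maximum sessions: 2359296
"""

FPC_MONITOR = """\
FPC 12
  PIC 0
    CPU utilization          :   44 %
    Memory utilization       :   67 %
    Current flow session     : 147286
    Max flow session         : 524288
    Current CP session       : 1074031
    Max CP session           : 2359296
"""

# Thresholds are assumptions for this example; tune them against a baseline
# captured while the box is healthy.
PENDING_TO_VALID_RATIO = 10.0   # pending sessions per valid session
CP_TABLE_FILL = 0.40            # fraction of the CP session table in use
VALID_SHARE = 0.05              # valid sessions as a share of all CP sessions
CP_TO_FLOW_RATIO = 3            # CP sessions per established flow session

# Matches "Label : 123" lines; lines whose label contains "(" are skipped.
_LINE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(?P<val>\d+)", re.M)


def parse_counters(text):
    """Return {label: int} for every 'Label : number' line of a Junos show output."""
    return {m.group("key").strip(): int(m.group("val")) for m in _LINE.finditer(text)}


def assess(cp_summary, fpc_monitor):
    """Return a list of findings; an empty list means the counters look healthy."""
    cp = parse_counters(cp_summary)
    fpc = parse_counters(fpc_monitor)
    findings = []

    valid = cp["Valid sessions"]
    pending = cp["Pending sessions"]
    total = cp["Total sessions"]
    if pending > PENDING_TO_VALID_RATIO * max(valid, 1):
        findings.append(f"pending sessions ({pending}) dwarf valid sessions ({valid}): "
                        "half-open connections are piling up")
    if total and valid / total < VALID_SHARE:
        findings.append(f"only {valid / total:.2%} of CP sessions are valid")

    fill = fpc["Current CP session"] / fpc["Max CP session"]
    if fill > CP_TABLE_FILL:
        findings.append(f"CP session table is {fill:.0%} full")
    # On a healthy box CP and flow session counts are in the same ballpark; a
    # large gap means most CP entries never became established flows.
    if fpc["Current CP session"] > CP_TO_FLOW_RATIO * fpc["Current flow session"]:
        findings.append("CP sessions exceed established flow sessions several times over")
    return findings


if __name__ == "__main__":
    for line in assess(CP_SUMMARY, FPC_MONITOR):
        print("finding:", line)
```

Run against the figures from the post, it raises all four findings, which is the same picture Farrukh's question about screens is aimed at: the central point is holding on to hundreds of thousands of half-open entries that the SPUs never see as completed flows.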
Re: [j-nsp] QFX5100 issues with IPv6 hashing
Hi,

I am using the -P option for iperf, it does vary source port; dst port is the same though. Normally (and with v4 traffic) it results in good hashing behavior.

Thanks,

On 4/18/15 07:21, Michael Loftis wrote:
> On Friday, April 17, 2015, Anton Yurchenko <ayurche...@gmail.com> wrote:
>> Hi All,
>>
>> I am seeing issues with QFX5100, hashing of IPv6 traffic over ECMP paths is very bad. In my case I have an ECMP over 3x40Gig links, and sending 180x10Mbit UDPv6 flows over them. First 40G gets ~300mbit, second ~600 and third ~900. IPv4 hashing is fine, ~5% variance in traffic levels.
>>
>> I have enabled hashing on L3/L4 and layer2-payload but to no avail. It seems that protocol/ports are not taken into account at all. If I start traffic from just one IP with 30 flows, they will all end up on a single link.
>
> You say 30 flows but are they differing at all? Even for v6 it looks at Source IP, Dest IP, Proto, Source port, Dest port. If your traffic generator doesn't vary the source port then each flow will look identical to the hash algo.
>
>> Seeing this on 13.2X51-D35.3 and 14.1X53-D25.2 releases.
>>
>> Here is my hashing config:
>>
>> load-balance {
>>     indexed-load-balance;
>> }
>> hash-key {
>>     family inet {
>>         layer-3;
>>         layer-4;
>>     }
>> }
>> enhanced-hash-key {
>>     hash-mode {
>>         layer2-payload;
>>     }
>> }
>>
>> Wondering if anybody has seen something similar or has seen it working properly.
>>
>> Thanks!
>
> --
> Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler
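Michael's point in the quoted reply, that flows whose 5-tuple does not differ all hash to the same ECMP member, can be checked on the generator side before blaming the switch. The following is an added example, not Juniper code and not the QFX5100's real hash (the truncated SHA-256 used here is an assumption chosen so the demo is deterministic); it models a three-member ECMP group like the 3x40G one in the thread, reports which 5-tuple fields actually vary across a set of flows, and shows that constant tuples collapse onto one link while flows with distinct source ports spread out.

```python
"""Why identical 5-tuples land on one ECMP link (added example, not Juniper code)."""
import hashlib
from collections import Counter

NUM_LINKS = 3  # matches the 3x40G ECMP group discussed in the thread
FIELDS = ("src", "dst", "proto", "sport", "dport")


def ecmp_member(src, dst, proto, sport, dport, num_links=NUM_LINKS):
    """Map a 5-tuple to a link index with a stable hash (SHA-256 is an assumption)."""
    key = f"{src}|{dst}|{proto}|{sport}|{dport}".encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % num_links


def distribute(flows, num_links=NUM_LINKS):
    """Return Counter {link_index: number_of_flows} for an iterable of 5-tuples."""
    return Counter(ecmp_member(*f, num_links=num_links) for f in flows)


def varying_fields(flows):
    """Return the set of 5-tuple field names that take more than one value.

    If this comes back empty, every flow looks identical to any hash that is
    fed only these fields, and a single link is the expected outcome.
    """
    columns = zip(*flows)
    return {name for name, col in zip(FIELDS, columns) if len(set(col)) > 1}


# Constructed flow sets from one IPv6 host to one server, UDP (proto 17).
def constant_port_flows(n, src="2001:db8::1", dst="2001:db8:1::1",
                        sport=5001, dport=5001):
    """n 'flows' that do not differ in any hashed field."""
    return [(src, dst, 17, sport, dport) for _ in range(n)]


def varied_port_flows(n, src="2001:db8::1", dst="2001:db8:1::1", dport=5001):
    """n flows with distinct ephemeral source ports, as iperf -P produces."""
    return [(src, dst, 17, 40000 + i, dport) for i in range(n)]


if __name__ == "__main__":
    for label, flows in (("constant", constant_port_flows(30)),
                         ("varied sport", varied_port_flows(30))):
        print(label, "varying fields:", sorted(varying_fields(flows)),
              "per-link:", dict(distribute(flows)))
```

The useful check is varying_fields(): run it over the tuples the generator is actually sending (from a capture, say) and the answer tells you whether an uneven spread is a hashing defect or a test that never gave the hash anything to work with.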
Re: [j-nsp] event-options to modify configuration
Have you tried checking if the user ‘lab’ can invoke the ‘set interface’ config knob from the CLI?

Thanks,
Pallavi

On 21/04/15 9:10 pm, Chen Jiang <iloveb...@gmail.com> wrote:
> Hi! Experts
>
> I tried to use event-options to change the JUNOS configuration but there is some issue; have you experienced the same issue and could you shed some light on this? Thanks for your help!
>
> lab@r1# show event-options
> generate-event {
>     Configure-Ot-Change time-of-day 21:44:00 +0800;
> }
> policy cfg-change {
>     events Configure-Ot-Change;
>     then {
>         change-configuration {
>             retry count 3 interval 1;
>             commands {
>                 set interface ge-1/0/0 description test;
>             }
>             user-name lab;
>             commit-options {
>                 log it works;
>             }
>         }
>     }
> }
>
> lab@r1# show system login
> user lab {
>     class super-user;
>     authentication {
>         encrypted-password $1$bCUr1ywM$IsPhjvdT88q/EGwtPD1UX1; ## SECRET-DATA
>     }
> }
>
> lab@r1# run show log messages | match 21:44
> Apr 7 21:44:02  r1 eventd: EVENTD_CONFIG_CHANGE_FAILED: Configuration change failed: rpc to management daemon failed while executing policy cfg-change with user lab privileges
>
> --
> BR!
>
> James Chen