Re: [j-nsp] CGNat PBA - MX104 w/MS-MIC

2016-04-25 Thread Mark Tinka


On 25/Apr/16 23:10, Aaron wrote:

> You guys are awesome. PBA is working !  thanks a bunch. I upgraded to
> 14.2.R2 like you suggested and it's good now.

Quite a number of bugs in 14.2R2.

Would rather deploy 14.2R6, which is out now.

Mark.
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] MX80 base model

2016-04-25 Thread James Troutman
A Google search for "juniper MX used" and some phone calls to some of the 
vendors in the top 10 would be a good place to start, if you are not going to 
buy from an authorized reseller. 

> On Apr 25, 2016, at 9:13 PM, Satish Patel  wrote:
> 
> How much it cost to activate 10G ports on MX104?
> 
>> On Mon, Apr 25, 2016 at 8:27 PM, Josh Baird  wrote:
>> The bundle that I purchased included S-MX104-ADV-R2, so no extra licensing
>> for BGP or additional routes was necessary.
>> 
>> Josh
>> 
>>> On Mon, Apr 25, 2016 at 8:03 PM, Mat Perkins  wrote:
>>> 
>>> Well, if you are happy running it against the licencing terms you don't.
>>> If you want to run over 20k routes? They want you to buy the full layer3
>>> license, and under the light one. So it will work, but don't expect support
>>> on it.
>>> 
>>> Mat
>>> 
>>>> On Mon, Apr 25, 2016 at 6:01 PM, Josh Baird  wrote:
>>>> 
>>>> No 10G interfaces are unlocked on the base MX104-MX5 bundle.  This
>>>> requires additional licensing.
>>>> 
>>>> You don't need additional licensing for BGP.
>>>> 
>>>> On Mon, Apr 25, 2016 at 7:39 PM, Satish Patel wrote:
>>>> 
>>>>> I check price on Internet it cost around $44k
>>>>> 
>>>>> Now I need to check how many ports are open and how many locked in base
>>>>> model because I don't want to pay money because our requirement is just
>>>>> 10g link with BGP support.
>>>>> 
>>>>> --
>>>>> Sent from my iPhone
>>>>> 
>>>>>> On Apr 25, 2016, at 7:35 PM, Chris Kawchuk wrote:
>>>>>> 
>>>>>> No.
>>>>>> 
>>>>>> 
>>>>>>> On 26 Apr 2016, at 9:34 am, Satish Patel wrote:
>>>>>>> 
>>>>>>> Also do I need to pay to run BGP?


Re: [j-nsp] MX80 base model

2016-04-25 Thread Josh Baird
You should really talk to your Juniper partner or sales rep.

On Mon, Apr 25, 2016 at 9:13 PM, Satish Patel  wrote:

> How much it cost to activate 10G ports on MX104?
>
> On Mon, Apr 25, 2016 at 8:27 PM, Josh Baird  wrote:
> > The bundle that I purchased included S-MX104-ADV-R2, so no extra
> licensing
> > for BGP or additional routes was necessary.
> >
> > Josh
> >
> > On Mon, Apr 25, 2016 at 8:03 PM, Mat Perkins  wrote:
> >>
> >> Well, if you are happy running it against the licencing terms you don't.
> >> If you want to run over 20k routes? They want you to buy the full layer3
> >> license, and under the light one. So it will work, but don't expect
> support
> >> on it.
> >>
> >> Mat
> >>
> >> On Mon, Apr 25, 2016 at 6:01 PM, Josh Baird 
> wrote:
> >>>
> >>> No 10G interfaces are unlocked on the base MX104-MX5 bundle.  This
> >>> requires
> >>> additional licensing.
> >>>
> >>> You don't need additional licensing for BGP.
> >>>
> >>> On Mon, Apr 25, 2016 at 7:39 PM, Satish Patel 
> >>> wrote:
> >>>
> >>> > I check price on Internet it cost around $44k
> >>> >
> >>> > Now I need to check how many ports are open and how many locked in
> base
> >>> > model because I don't want to pay money because our requirement is
> just
> >>> > 10g
> >>> > link with BGP support.
> >>> >
> >>> > --
> >>> > Sent from my iPhone
> >>> >
> >>> > > On Apr 25, 2016, at 7:35 PM, Chris Kawchuk 
> >>> > wrote:
> >>> > >
> >>> > > No.
> >>> > >
> >>> > >
> >>> > >> On 26 Apr 2016, at 9:34 am, Satish Patel 
> >>> > >> wrote:
> >>> > >>
> >>> > >> Also do I need to pay to run BGP?
> >>> > >


Re: [j-nsp] MX80 base model

2016-04-25 Thread Satish Patel
How much does it cost to activate 10G ports on MX104?

On Mon, Apr 25, 2016 at 8:27 PM, Josh Baird  wrote:
> The bundle that I purchased included S-MX104-ADV-R2, so no extra licensing
> for BGP or additional routes was necessary.
>
> Josh
>
> On Mon, Apr 25, 2016 at 8:03 PM, Mat Perkins  wrote:
>>
>> Well, if you are happy running it against the licencing terms you don't.
>> If you want to run over 20k routes? They want you to buy the full layer3
>> license, and under the light one. So it will work, but don't expect support
>> on it.
>>
>> Mat
>>
>> On Mon, Apr 25, 2016 at 6:01 PM, Josh Baird  wrote:
>>>
>>> No 10G interfaces are unlocked on the base MX104-MX5 bundle.  This
>>> requires
>>> additional licensing.
>>>
>>> You don't need additional licensing for BGP.
>>>
>>> On Mon, Apr 25, 2016 at 7:39 PM, Satish Patel 
>>> wrote:
>>>
>>> > I check price on Internet it cost around $44k
>>> >
>>> > Now I need to check how many ports are open and how many locked in base
>>> > model because I don't want to pay money because our requirement is just
>>> > 10g
>>> > link with BGP support.
>>> >
>>> > --
>>> > Sent from my iPhone
>>> >
>>> > > On Apr 25, 2016, at 7:35 PM, Chris Kawchuk 
>>> > wrote:
>>> > >
>>> > > No.
>>> > >
>>> > >
>>> > >> On 26 Apr 2016, at 9:34 am, Satish Patel 
>>> > >> wrote:
>>> > >>
>>> > >> Also do I need to pay to run BGP?
>>> > >


Re: [j-nsp] MX80 base model

2016-04-25 Thread Mat Perkins
Well, if you are happy running it against the licencing terms you don't. If
you want to run over 20k routes? They want you to buy the full layer3
license, and under the light one. So it will work, but don't expect support
on it.

Mat

On Mon, Apr 25, 2016 at 6:01 PM, Josh Baird  wrote:

> No 10G interfaces are unlocked on the base MX104-MX5 bundle.  This requires
> additional licensing.
>
> You don't need additional licensing for BGP.
>
> On Mon, Apr 25, 2016 at 7:39 PM, Satish Patel 
> wrote:
>
> > I check price on Internet it cost around $44k
> >
> > Now I need to check how many ports are open and how many locked in base
> > model because I don't want to pay money because our requirement is just
> 10g
> > link with BGP support.
> >
> > --
> > Sent from my iPhone
> >
> > > On Apr 25, 2016, at 7:35 PM, Chris Kawchuk 
> > wrote:
> > >
> > > No.
> > >
> > >
> > >> On 26 Apr 2016, at 9:34 am, Satish Patel 
> wrote:
> > >>
> > >> Also do I need to pay to run BGP?
> > >


Re: [j-nsp] MX80 base model

2016-04-25 Thread Josh Baird
No 10G interfaces are unlocked on the base MX104-MX5 bundle.  This requires
additional licensing.

You don't need additional licensing for BGP.

On Mon, Apr 25, 2016 at 7:39 PM, Satish Patel  wrote:

> I check price on Internet it cost around $44k
>
> Now I need to check how many ports are open and how many locked in base
> model because I don't want to pay money because our requirement is just 10g
> link with BGP support.
>
> --
> Sent from my iPhone
>
> > On Apr 25, 2016, at 7:35 PM, Chris Kawchuk 
> wrote:
> >
> > No.
> >
> >
> >> On 26 Apr 2016, at 9:34 am, Satish Patel  wrote:
> >>
> >> Also do I need to pay to run BGP?
> >


Re: [j-nsp] MX80 base model

2016-04-25 Thread Satish Patel
I checked the price on the Internet; it costs around $44k.

Now I need to check how many ports are open and how many are locked in the base
model, because I don't want to pay money, because our requirement is just a 10G
link with BGP support.

--
Sent from my iPhone

> On Apr 25, 2016, at 7:35 PM, Chris Kawchuk  wrote:
> 
> No.
> 
> 
>> On 26 Apr 2016, at 9:34 am, Satish Patel  wrote:
>> 
>> Also do I need to pay to run BGP?
> 


Re: [j-nsp] MX80 base model

2016-04-25 Thread Chris Kawchuk
No.


On 26 Apr 2016, at 9:34 am, Satish Patel  wrote:

> Also do I need to pay to run BGP?



Re: [j-nsp] MX80 base model

2016-04-25 Thread Satish Patel
Does the MX104 base model have its 10G ports locked? Also, do I need to pay to run BGP?



--
Sent from my iPhone

> On Apr 25, 2016, at 6:41 PM, Colton Conor  wrote:
> 
> Go with a MX104 not a MX80. New a MX104 is less expensive than a MX80. 
> 
>> On Mon, Apr 25, 2016 at 5:36 PM, Doug McIntyre  wrote:
>> On Mon, Apr 25, 2016 at 06:20:45PM -0400, Satish Patel wrote:
>> > I talked to one of vendor he gave me following price for MX80. Does
>> > MX80 base model support 20G throughput? or do i need to buy license to
>> > use more 20G?
>> 
>> The MX80 allows 40Gbps throughput (or 80Gbps in Marketing speak).
>> 
>> > in around $17k price. i will get following. Does 4x10GE fix port are
>> > locked or i need to unlock them?
>> 
>> The MX80 come with all ports licensed. You are confusing the MX20/MX40
>> with the MX80, which are the port license restricted models, that are
>> usually more expensive than the base MX80 to start with.
>> 


Re: [j-nsp] MX80 base model

2016-04-25 Thread Colton Conor
Go with an MX104, not an MX80. New, an MX104 is less expensive than an MX80.

On Mon, Apr 25, 2016 at 5:36 PM, Doug McIntyre  wrote:

> On Mon, Apr 25, 2016 at 06:20:45PM -0400, Satish Patel wrote:
> > I talked to one of vendor he gave me following price for MX80. Does
> > MX80 base model support 20G throughput? or do i need to buy license to
> > use more 20G?
>
> The MX80 allows 40Gbps throughput (or 80Gbps in Marketing speak).
>
> > in around $17k price. i will get following. Does 4x10GE fix port are
> > locked or i need to unlock them?
>
> The MX80 come with all ports licensed. You are confusing the MX20/MX40
> with the MX80, which are the port license restricted models, that are
> usually more expensive than the base MX80 to start with.
>


Re: [j-nsp] MX80 base model

2016-04-25 Thread Doug McIntyre
On Mon, Apr 25, 2016 at 06:20:45PM -0400, Satish Patel wrote:
> I talked to one of vendor he gave me following price for MX80. Does
> MX80 base model support 20G throughput? or do i need to buy license to
> use more 20G?

The MX80 allows 40Gbps throughput (or 80Gbps in Marketing speak). 

> in around $17k price. i will get following. Does 4x10GE fix port are
> locked or i need to unlock them?

The MX80 comes with all ports licensed. You are confusing the MX20/MX40
with the MX80, which are the port license restricted models, that are
usually more expensive than the base MX80 to start with.



[j-nsp] MX80 base model

2016-04-25 Thread Satish Patel
I talked to one of the vendors and he gave me the following price for the MX80.
Does the MX80 base model support 20G throughput, or do I need to buy a license
to use more than 20G?

For around $17k I will get the following. Are the 4x10GE fixed ports
locked, or do I need to unlock them?

MX80 Chassis with 2 MIC slot
4x10GE fixed port
MIC 3D-20GE-SFP, 20x10/100/1000MIC


Re: [j-nsp] CGNat PBA - MX104 w/MS-MIC

2016-04-25 Thread Aaron
You guys are awesome. PBA is working! Thanks a bunch. I upgraded to
14.2.R2 like you suggested and it's good now.

BTW, PBA allocations on the non-power-of-two seem to work fine.  I went with
1000.

After I enabled PBA I still saw a bunch of session open logs, then I figured
I probably needed to turn that off, so now it only shows the NAT PORT BLOCK
ALLOC msg. Cool.

gvtceng@eng-lab-mx104-cgn# run show version | grep JunOS
Junos: 14.2R2.8

gvtceng@eng-lab-mx104-cgn#

[edit]
gvtceng@eng-lab-mx104-cgn# set services nat pool nat1 port secured-port-block-allocation block-size 1000

[edit]
gvtceng@eng-lab-mx104-cgn# delete services service-set cgn-sset syslog host 172.22.14.247 class session-logs

[edit]
gvtceng@eng-lab-mx104-cgn# commit
commit complete

[edit]


seen in syslog server...

2016-04-25 15:55:22 Daemon.Info 10.101.12.243   2016-04-25 20:55:21: {cgn-sset}[jservices-nat]: JSERVICES_NAT_PORT_BLOCK_ALLOC: 10.144.0.105 -> 1.2.3.128:32024-33023 0x571e843a
2016-04-25 15:57:16 Daemon.Info 10.101.12.243   2016-04-25 20:57:15: {cgn-sset}[jservices-nat]: JSERVICES_NAT_PORT_BLOCK_ALLOC: 10.144.0.102 -> 1.2.3.129:32024-33023 0x571e84ac
2016-04-25 15:57:23 Daemon.Info 10.101.12.243   2016-04-25 20:57:23: {cgn-sset}[jservices-nat]: JSERVICES_NAT_PORT_BLOCK_ALLOC: 10.144.0.105 -> 1.2.3.130:32024-33023 0x571e84b3
2016-04-25 15:57:36 Daemon.Info 10.101.12.243   2016-04-25 20:57:35: {cgn-sset}[jservices-nat]: JSERVICES_NAT_PORT_BLOCK_ALLOC: 10.144.0.180 -> 1.2.3.131:32024-33023 0x571e84bf

- Aaron
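
How the block-allocation records above answer an abuse report that names a public IP, port and time, as an added example (not part of the original post and not Juniper tooling). It assumes the device-side timestamp inside each message is the reference clock and, since the post shows no release records, takes the most recent allocation at or before the queried time as the holder; all function names are hypothetical.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address

# The first four records are the lines from the post, unwrapped. The last two
# are constructed for this example: a later re-allocation of the same block to
# a different subscriber, and a truncated record that must be skipped.
SAMPLE_LOG = """\
2016-04-25 15:55:22 Daemon.Info 10.101.12.243   2016-04-25 20:55:21: {cgn-sset}[jservices-nat]: JSERVICES_NAT_PORT_BLOCK_ALLOC: 10.144.0.105 -> 1.2.3.128:32024-33023 0x571e843a
2016-04-25 15:57:16 Daemon.Info 10.101.12.243   2016-04-25 20:57:15: {cgn-sset}[jservices-nat]: JSERVICES_NAT_PORT_BLOCK_ALLOC: 10.144.0.102 -> 1.2.3.129:32024-33023 0x571e84ac
2016-04-25 15:57:23 Daemon.Info 10.101.12.243   2016-04-25 20:57:23: {cgn-sset}[jservices-nat]: JSERVICES_NAT_PORT_BLOCK_ALLOC: 10.144.0.105 -> 1.2.3.130:32024-33023 0x571e84b3
2016-04-25 15:57:36 Daemon.Info 10.101.12.243   2016-04-25 20:57:35: {cgn-sset}[jservices-nat]: JSERVICES_NAT_PORT_BLOCK_ALLOC: 10.144.0.180 -> 1.2.3.131:32024-33023 0x571e84bf
2016-04-25 17:10:05 Daemon.Info 10.101.12.243   2016-04-25 22:10:04: {cgn-sset}[jservices-nat]: JSERVICES_NAT_PORT_BLOCK_ALLOC: 10.144.0.77 -> 1.2.3.128:32024-33023
2016-04-25 17:11:00 Daemon.Info 10.101.12.243   2016-04-25 22:11:00: {cgn-sset}[jservices-nat]: JSERVICES_NAT_PORT_BLOCK_ALLOC: 10.144.0.9 -> 1.2.3.1
"""

# Matches the device timestamp (the one followed by ": {service-set}"), the
# private address, and the public address with its port block. The trailing
# hex field is optional and kept out of the lookup.
ALLOC_RE = re.compile(
    r"(?P<dev_ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): "
    r"\{(?P<sset>[^}]+)\}\[jservices-nat\]: JSERVICES_NAT_PORT_BLOCK_ALLOC: "
    r"(?P<priv>\S+) -> (?P<pub>[\d.]+):(?P<lo>\d+)-(?P<hi>\d+)"
)


@dataclass(frozen=True)
class Allocation:
    when: datetime
    service_set: str
    private_ip: str
    public_ip: str
    port_lo: int
    port_hi: int


def parse_allocations(text):
    """Return the valid allocation records in text, oldest first."""
    allocs = []
    for line in text.splitlines():
        m = ALLOC_RE.search(line)
        if not m:
            continue  # other message types, or a truncated record
        lo, hi = int(m["lo"]), int(m["hi"])
        if not (0 < lo <= hi <= 65535):
            continue
        try:
            ip_address(m["priv"])
            ip_address(m["pub"])
        except ValueError:
            continue
        when = datetime.strptime(m["dev_ts"], "%Y-%m-%d %H:%M:%S")
        allocs.append(Allocation(when, m["sset"], m["priv"], m["pub"], lo, hi))
    allocs.sort(key=lambda a: a.when)
    return allocs


def subscriber_for(allocs, public_ip, port, when):
    """Latest allocation at or before `when` covering public_ip:port, or None."""
    holder = None
    for a in allocs:  # sorted oldest first
        if a.when > when:
            break
        if a.public_ip == public_ip and a.port_lo <= port <= a.port_hi:
            holder = a
    return holder


if __name__ == "__main__":
    records = parse_allocations(SAMPLE_LOG)
    for ts in (datetime(2016, 4, 25, 21, 0), datetime(2016, 4, 25, 23, 0)):
        print(ts, subscriber_for(records, "1.2.3.128", 32500, ts))
```

The same public IP and port resolve to different subscribers at different times, so the retained logs and the timestamp in the report have to be in the same time reference.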





Re: [j-nsp] ASR 1001 throughput question

2016-04-25 Thread Satish Patel
That would be great! If it is for egress, I will check with Cisco for sure.

On Mon, Apr 25, 2016 at 5:05 PM, Duane Grant  wrote:
> Hi Satish,
>
> I think that the throughput license for the asr1000 is for egress traffic,
> so if you're receiving 7 gb of traffic and you're dropping 5g and
> transmitting 2g out the other side, i think you'll be fine.   you should
> check with your cisco se to make sure though.
>
>
>
>
> On Mon, Apr 25, 2016 at 4:54 PM, Satish Patel  wrote:
>>
>> We are planning to buy Cisco ASR 1001 but base model comes with 2.5G
>> throughput. Here is my requirement and question.
>>
>> Basically we have 10G link and legit traffic is 1G around but most of
>> time we get DDoS attack and because of that we upgrade link to 10G. so
>> let say we get 5G attack on link and we use ACL to drop all packet on
>> router interface in that case does 2.5G ASR limit will cause any
>> issue?
>>
>> I am just trying to understand what is 2.5G throughput limit on Cisco ASR
>> 1001


Re: [j-nsp] IP Rate Limit

2016-04-25 Thread Eduardo Schoedler
Hi Cahit,

Only bandwidth, using prefix-action: http://goo.gl/SdcxHf


Regards,

2016-04-25 17:48 GMT-03:00 Cahit Eyigünlü :
> Hello friends ;
>
>
> Is there any body know a way to apply rate limit for /32  ip on source for 
> bandwidth and pps ? We have /20 subnets and we do not want to let an ip send 
> 50K + pps if there is no exception but how should i write a generalized rule ?
>
> Cahit Eyigünlü
> SPDNet Telekomünikasyon A.S.
> +908508409773
> 75. Yl Mahallesi 5301 Sk No:24/A - MANSA 45100



-- 
Eduardo Schoedler

Re: [j-nsp] ASR 1001 throughput question

2016-04-25 Thread Jeff Fry
You may want to try your question on the Cisco NSP mailing list. 



Sent from my iPad

> On Apr 25, 2016, at 16:54, Satish Patel  wrote:
> 
> We are planning to buy Cisco ASR 1001 but base model comes with 2.5G
> throughput. Here is my requirement and question.
> 
> Basically we have 10G link and legit traffic is 1G around but most of
> time we get DDoS attack and because of that we upgrade link to 10G. so
> let say we get 5G attack on link and we use ACL to drop all packet on
> router interface in that case does 2.5G ASR limit will cause any
> issue?
> 
> I am just trying to understand what is 2.5G throughput limit on Cisco ASR 1001


[j-nsp] IP Rate Limit

2016-04-25 Thread Cahit Eyigünlü
Hello friends,

Does anybody know a way to apply a rate limit per /32 source IP for
bandwidth and pps? We have /20 subnets and we do not want to let an IP send
50K+ pps if there is no exception, but how should I write a generalized rule?

Cahit Eyigünlü
SPDNet Telekomünikasyon A.S.
+908508409773
75. Yl Mahallesi 5301 Sk No:24/A - MANSA 45100

[j-nsp] ASR 1001 throughput question

2016-04-25 Thread Satish Patel
We are planning to buy a Cisco ASR 1001, but the base model comes with 2.5G
throughput. Here is my requirement and question.

Basically we have a 10G link and legit traffic is around 1G, but most of
the time we get DDoS attacks, and because of that we upgrade the link to 10G.
So let's say we get a 5G attack on the link and we use an ACL to drop all
packets on the router interface; in that case, will the 2.5G ASR limit cause
any issue?

I am just trying to understand what the 2.5G throughput limit on the Cisco ASR 1001 is.


[j-nsp] Stop IP Fragmentation attack

2016-04-25 Thread Satish Patel
In our network we are getting an IP fragmentation attack, so the attack uses
the NTP or Chargen technique and sends very large packets on the network, which
is filling my network TRUNKs.

How do I stop an IP fragmentation attack on a Cisco edge router? I heard an
ACL can do that, but I don't know what kind of technique it uses to stop
fragmentation.

Is the following list enough to stop a UDP-style attack? Just trying to
understand what the best practices are to handle that attack.

deny udp any any fragments
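
What the `fragments` entry in the question matches, as an added example that is not part of the original post: on Cisco IOS an ACL entry with the `fragments` keyword applies only to non-initial fragments, that is, packets whose IPv4 fragment offset is greater than zero. The headers below are constructed with documentation addresses, and the function names are hypothetical.

```python
import struct

UDP, TCP = 17, 6
MF = 0x2000           # "more fragments" flag in the flags/offset field
OFFSET_MASK = 0x1FFF  # fragment offset, counted in 8-byte units
IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header


def ipv4_header(proto, frag_offset, more_fragments, payload_len,
                src=b"\xc0\x00\x02\x0a", dst=b"\xc6\x33\x64\x14"):
    """Build a constructed 20-byte IPv4 header (checksum left at 0)."""
    flags_frag = (MF if more_fragments else 0) | (frag_offset & OFFSET_MASK)
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0x1234,
                       flags_frag, 64, proto, 0, src, dst)


def parse(header):
    """Return (protocol, fragment offset, MF flag) from an IPv4 header."""
    if len(header) < 20:
        raise ValueError("short IPv4 header")
    fields = struct.unpack(IPV4_FMT, header[:20])
    ver_ihl, flags_frag, proto = fields[0], fields[4], fields[6]
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5:
        raise ValueError("not an IPv4 header")
    return proto, flags_frag & OFFSET_MASK, bool(flags_frag & MF)


def fragment_kind(header):
    """Classify a packet as unfragmented, initial or non-initial fragment."""
    _, offset, more = parse(header)
    if offset:
        return "non-initial"
    return "initial" if more else "unfragmented"


def hit_by_deny_udp_fragments(header):
    """Model of `deny udp any any fragments`: UDP and fragment offset > 0."""
    proto, offset, _ = parse(header)
    return proto == UDP and offset != 0


# Constructed traffic: one small UDP packet, one 4000-byte UDP payload split
# for a 1500-byte MTU (1480 bytes = 185 offset units per fragment), and one
# TCP fragment for contrast.
PACKETS = [
    ("small UDP, unfragmented", ipv4_header(UDP, 0, False, 76)),
    ("large UDP, fragment 1", ipv4_header(UDP, 0, True, 1480)),
    ("large UDP, fragment 2", ipv4_header(UDP, 185, True, 1480)),
    ("large UDP, fragment 3", ipv4_header(UDP, 370, False, 1040)),
    ("TCP, later fragment", ipv4_header(TCP, 185, False, 100)),
]


def evaluate():
    """Return (name, fragment kind, dropped-by-entry) for each sample packet."""
    return [(name, fragment_kind(h), hit_by_deny_udp_fragments(h))
            for name, h in PACKETS]


if __name__ == "__main__":
    for name, kind, dropped in evaluate():
        print(f"{name:26} {kind:13} {'deny' if dropped else 'falls through'}")
```

The first fragment carries the UDP header and has offset zero, so this entry does not match it; it is evaluated by the remaining ACL entries like any unfragmented UDP packet.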


Re: [j-nsp] ACX5048 - vlan-map conflict with routing-instance with vlan-id tags?

2016-04-25 Thread Aaron
Thanks Eric/Khairul, 

Right...

so, set bridge-domains isn't allowed in acx5048... it's set vlans.

so if i replace 1/1/1 with a valid interface on my acx5048 0/0/38

set interfaces ge-0/0/38 unit 281 encapsulation vlan-bridge
set interfaces ge-0/0/38 unit 281 vlan-id 281
set interfaces ge-0/0/38 unit 282 encapsulation vlan-bridge
set interfaces ge-0/0/38 unit 282 vlan-id 282

set vlans vlan10 interface ge-0/0/38.281
set vlans vlan10 interface ge-0/0/38.282

set vlans vlan10 domain-type bridge

agould@eng-lab-5048-1# show | compare
[edit interfaces ge-0/0/38]
+unit 281 {
+encapsulation vlan-bridge;
+vlan-id 281;
+}
+unit 282 {
+encapsulation vlan-bridge;
+vlan-id 282;
+}
[edit vlans vlan10]
 interface ae6.10 { ... }
+interface ge-0/0/38.281;
+interface ge-0/0/38.282;
[edit vlans vlan10]
+   domain-type bridge;

{master:0}[edit]
agould@eng-lab-5048-1# commit
[edit vlans vlan10]
  'interface ge-0/0/38.282'
l2ald ACX: On a bd, for each ifd only one ifl can be added
[edit vlans]
  Failed to parse vlan hierarchy completely
error: configuration check-out failed

{master:0}[edit]
agould@eng-lab-5048-1# rollback
load complete

{master:0}[edit]
agould@eng-lab-5048-1#


- Aaron




Re: [j-nsp] ACX5048 - vlan-map conflict with routing-instance with vlan-id tags?

2016-04-25 Thread Eric Van Tol
> Can't actually picture what you are really trying to achieve here with an
> irb and multiple vlan tags, but did you try configuring `vlan-id-list` under
> the logical unit? That or vlan-id-range might be useful.
> 
> If what i just said was totally irrelevant to you, please elaborate the
> picture and the problem you are facing :p
> 

I suspect what he is asking for is a valid configuration on the ACX that is 
similar to what you can do on the MX - he has customers on different VLANs that 
he wants to put into the same broadcast domain:

MX Config:
set interfaces ge-1/1/1 unit 281 encapsulation vlan-bridge
set interfaces ge-1/1/1 unit 281 vlan-id 281
set interfaces ge-1/1/1 unit 282 encapsulation vlan-bridge
set interfaces ge-1/1/1 unit 282 vlan-id 282
set interfaces irb unit 128 family inet address 192.168.254.1/24
set bridge-domains shared-bd description "Shared Bridge Domain"
set bridge-domains shared-bd domain-type bridge
set bridge-domains shared-bd vlan-id 128
set bridge-domains shared-bd interface ge-1/1/1.281
set bridge-domains shared-bd interface ge-1/1/1.282

Not sure if it's the same on ACX, or even if it's possible, but the above 
configuration works on the MX for aggregating mismatched VLANs into one bridge 
domain.

-evt


Re: [j-nsp] JUNOS precision-timers for BGP

2016-04-25 Thread Olivier Benghozi
This knob has been in all our confs for years (from 12.3 to 14.2).
At least it doesn't seem to do anything bad.

> On 25 Apr 2016, at 17:16, Adam Chappell  wrote:
> 
> Does anyone have positive or negative experience with this feature in 14.1
> please?
> 
> Currently in a situation troubleshooting consequences of high CPU usage
> with a number of aggravating factors. Most sensitive to the scarcity of CPU
> resources however is a number of BGP sessions with aggressive timers.
> 
> Quite often a commit operation seems to make rpd block sufficiently enough
> (or indeed it's already starved out by other processes) to neglect
> keepalives for these unforgiving BGP sessions and we end up losing them.
> 
> Juniper have recommended to us consideration of "precision-timers", a
> global BGP knob which, if I understand it well, offloads all of the crucial
> BGP session management functionality to a different rpd thread in order to
> leave the main thread able to handle config requests etc. - not too
> dissimilar to the session management separation in openbgpd etc.
> 
> The Juniper documentation says this feature is recommended for low hold
> timers, and from what we can ascertain rpd is able to transition to
> off-thread session management without a down/up which is pretty neat.
> 
> I'm aware of PR1044141 which apparently causes pain when used in
> conjunction with traceoptions, but I'm keen to understand if others have
> operational experience.
> 
> We're also making inroads to lower CPU demands through the use of
> distributed PPM etc., but the regular pattern I tend to see there is that
> this doesn't fly once the PPM'd protocol has a security knob added, eg.
> adding authentication to BFD, VRRP etc.
> 
> -- Adam.

[j-nsp] JUNOS precision-timers for BGP

2016-04-25 Thread Adam Chappell
Does anyone have positive or negative experience with this feature in 14.1
please?

Currently in a situation troubleshooting consequences of high CPU usage
with a number of aggravating factors. Most sensitive to the scarcity of CPU
resources however is a number of BGP sessions with aggressive timers.

Quite often a commit operation seems to make rpd block sufficiently enough
(or indeed it's already starved out by other processes) to neglect
keepalives for these unforgiving BGP sessions and we end up losing them.

Juniper have recommended to us consideration of "precision-timers", a
global BGP knob which, if I understand it well, offloads all of the crucial
BGP session management functionality to a different rpd thread in order to
leave the main thread able to handle config requests etc. - not too
dissimilar to the session management separation in openbgpd etc.

The Juniper documentation says this feature is recommended for low hold
timers, and from what we can ascertain rpd is able to transition to
off-thread session management without a down/up which is pretty neat.

I'm aware of PR1044141 which apparently causes pain when used in
conjunction with traceoptions, but I'm keen to understand if others have
operational experience.

We're also making inroads to lower CPU demands through the use of
distributed PPM etc., but the regular pattern I tend to see there is that
this doesn't fly once the PPM'd protocol has a security knob added, eg.
adding authentication to BFD, VRRP etc.

-- Adam.


Re: [j-nsp] CGNat PBA - MX104 w/MS-MIC

2016-04-25 Thread Aaron
Thanks, I tried 1024 and 256 block size and still get the same error.

I have Junos: 13.3R6.5

What is a stable/good version that I should upgrade to in order to get PBA
support? 14.2R2? Or something else?

agould@eng-lab-mx104-cgn# set services nat pool nat1 port secured-port-block-allocation block-size 1024

[edit]
agould@eng-lab-mx104-cgn# commit
error: ms-interface does not support PBA and Deterministic NAT configuration for pool nat1
error: configuration check-out failed

[edit]
agould@eng-lab-mx104-cgn# rollback
load complete

[edit]
agould@eng-lab-mx104-cgn# set services nat pool nat1 port secured-port-block-allocation block-size 256

[edit]
agould@eng-lab-mx104-cgn# commit
error: ms-interface does not support PBA and Deterministic NAT configuration for pool nat1
error: configuration check-out failed

[edit]
agould@eng-lab-mx104-cgn# rollback
load complete

[edit]
agould@eng-lab-mx104-cgn# run show version
Hostname: eng-lab-mx104-cgn
Model: mx104
Junos: 13.3R6.5

- Aaron



Re: [j-nsp] CGNat PBA - MX104 w/MS-MIC

2016-04-25 Thread Alexander Arseniev

Hello,
What is the JUNOS version?
PBA on MS-MIC and MS-MPC is supported from 14.2R2 if memory serves but 
recommended is 14.1R5-S1 and newer.

And DetNAT on MS-MIC (and MS-MPC) is a roadmap item.
HTH
Thx
Alex

On 23/04/2016 01:27, Aaron wrote:

> I'm trying to enable port block allocation (pba) for lessening the tons of
> translation logs I'm seeing in my syslog server.
>
> I'm getting an error, shown below.  Anyone know how to enable PBA ?  I'm
> using an MX104 with MS_MIC-16G.
>
> agould@eng-lab-mx104-cgn# set services nat pool nat1 port secured-port-block-allocation block-size 1000
>
> [edit]
> agould@eng-lab-mx104-cgn# commit
> error: ms-interface does not support PBA and Deterministic NAT configuration for pool nat1
> error: configuration check-out failed
>
> [edit]
> agould@eng-lab-mx104-cgn#
