Re: [j-nsp] Junos 10.4R8 on MX (PR 701928)
Hi, On Tue, Jan 24, 2012 at 08:25, Daniel Roesen d...@cluenet.de wrote: Daniel (waiting for over a year now for a 10.4 without major bugs...) same here... Am I the only one who finds it extremely annoying and disturbing that critical bugs get *introduced* this far down into an E-EOL train!? And where's the technical bulletin that alerts all of us? Interesting that j-nsp is a better source of information than JTAC... BR, Daniel (2) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] packet based on jseries
pkc mls pkc_...@yahoo.fr wrote: Hi all, Could anyone indicate the latest junos version that supports packet based on J series ? (the last I can find is 9.6). Is there a reason why there was no recent junos that can run packet based ? thanks. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp You can force packet based on newer junos globally per address family, or selectively with an interface firewall filter. It works fine. Don't have a link right now but you should find it via Google. why the move to flow based, who knows. It has been discussed to death on the list. See the archives. -- Sent from my phone. Please excuse brevity and typos. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] Frame loss during Ethernet test
Dear all, One of our customer complaining a small amount of frame loss on their service. I see that lost packets when i compare input and output statistics on the interface. We are terminating service with ccc configuration. At remote end, we have a hardware loop and customer connects its tester to A-end sends traffic. When we run the test for 2-3 mins, we have no frame loss but at longer test we start to see 10-20 frame loss. Frames are lost when our PE puts sent test traffic into corrresponding LSP but there is no issue in our LSP. I do not know the exact principle of these testers but i checked all the possible reasons which may cause frame loss Delay, errors on the line, oversubscription, etc...None of them is an issue during test. Is there anybody who has such an experience with Ethernet testers? Thanks and regards, Gokhan ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] packet based on jseries
2012/1/23 pkc mls pkc_...@yahoo.fr Hi all, Could anyone indicate the latest junos version that supports packet based on J series ? (the last I can find is 9.6). Is there a reason why there was no recent junos that can run packet based ? thanks. Hi, You can activate packet based routing on recent Junos SRX/J-Series devices : http://juniper.cluepon.net/Enabling_packet_based_forwarding Pierre-Yves ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Junos 10.4R8 on MX (PR 701928)
We recently decided it's time to upgrade from 10.0R3.10 and kind of wondering now where to go as JTAC recommends 10.4R8 we've been running 10.0R3.10 on several boxes now for about 2 years and only recently got bitten by a bug (which we understand and know how to work around *now*). I gotta a feeling we're going to be sitting on 10.0R3.10 for a while longer ;) Paul -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Daniel Roesen Sent: Tuesday, January 24, 2012 2:25 AM To: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] Junos 10.4R8 on MX (PR 701928) On Mon, Jan 23, 2012 at 03:20:44PM +, OBrien, Will wrote: It's been recommended to go to r7.5 for now if I want to stick with 10.4. Thoughts? 10.4R6 showstopper: PR/676729 - occasional lock-up of traffic from/to controlplane (e.g. LACP) on 16x10GE MPC PFEs. (and a lot other serious problems) 10.4R7 showstopper: PR/695895 - AE loadbalancing broken after member link flap when using minimum-links feature So neither R7 nor R6 usable for us. Best regards, Daniel (waiting for over a year now for a 10.4 without major bugs...) -- CLUE-RIPE -- Jabber: d...@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0 ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] NSM API resources with SRX
Have a question about SPACE, Is it better to manage SRXes with space? Have not tried space yet. Last time we checked (May-June 2011) it was very very very raw. Too many bugs, too much of nonworking features etc. E. g. IPSec point-and-click configuration (which was the main goal of the project) just didn't work at all because the browser code was broken, some buttons which you needed to press, were randomly disabled.The idea of preprovisioned config, which can be stored on a usb flash together with a desired software image and plugged into an out-of-box remote SRX is also very cute, but it didn't work. Most of things we tested were related to Security and Campus designer modules (or however it's called, I forgot). And, of course. Don't even try to run in on a VM with less than 8 Gigs of RAM. No joke, this is a minimum requirement even if you only want to test it with two devices in a lab. Otherwise be ready to wait until it swaps everything. Java rules. But, I must say, the overall idea and many things looked cute. If they ever make it work, it'll become a lovely product :) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Frame loss during Ethernet test
On (2012-01-24 11:03 +0100), Gökhan Gümüş wrote: We are terminating service with ccc configuration. At remote end, we have a hardware loop and customer connects its tester to A-end sends traffic. When we run the test for 2-3 mins, we have no frame loss but at longer test we start to see 10-20 frame loss. Frames are lost when our PE puts sent test traffic into corrresponding LSP but there is no issue in our LSP. I guess this is ethernet over MPLS, point-to-point service then? You're not explicitly stating it though, but I'm working on that assumption. One possible cause for this is, that customer is doing wire-rate traffic and your access to customer is same capacity as your backbone. Backbone needs considerably more overhead (another set of MAC addresses, at least two labels) so wire rate at customer port would be excessive rate in core, if this is the case, you should see latency starting to increase linearly right from the start and then eventually when buffers are exhausted packet drops. -- ++ytti ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Frame loss during Ethernet test
This isn't running on an MPC carded MX running 10.2 code is it? There was a bug that bit us that had some random small bits of frame loss on CCC circuits on MX80 on 10.2.. I can't recall the bug ID, but it was fixed in 10.4R6.. If I remember right, check your logs and you'll see some parity errors scrolling through when there is frame loss. -- Tim On Tue, Jan 24, 2012 at 4:03 AM, Gökhan Gümüş ggu...@gmail.com wrote: Dear all, One of our customer complaining a small amount of frame loss on their service. I see that lost packets when i compare input and output statistics on the interface. We are terminating service with ccc configuration. At remote end, we have a hardware loop and customer connects its tester to A-end sends traffic. When we run the test for 2-3 mins, we have no frame loss but at longer test we start to see 10-20 frame loss. Frames are lost when our PE puts sent test traffic into corrresponding LSP but there is no issue in our LSP. I do not know the exact principle of these testers but i checked all the possible reasons which may cause frame loss Delay, errors on the line, oversubscription, etc...None of them is an issue during test. Is there anybody who has such an experience with Ethernet testers? Thanks and regards, Gokhan ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] JN0-522 (JNCIA-FWV)
Dear Gentlemen Recently I got a spot in a Company, but I have a deadline of 30 days to get the certification JN0-522(JNCIA-FWV) I would like to know what is the path and recomendations to achieve that goal. I'm already reading the books and documentations found in the Internet. Thanks very much. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] JN0-522 (JNCIA-FWV)
FastTrack on the Juniper site should help a lot... Paul -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Cláudio Duarte Sent: Tuesday, January 24, 2012 8:25 AM To: juniper-nsp@puck.nether.net Subject: [j-nsp] JN0-522 (JNCIA-FWV) Dear Gentlemen Recently I got a spot in a Company, but I have a deadline of 30 days to get the certification JN0-522(JNCIA-FWV) I would like to know what is the path and recomendations to achieve that goal. I'm already reading the books and documentations found in the Internet. Thanks very much. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] GRE packet fragmentation on j-series
Hi all I have some problem with gre tunnels. I need to fragment packages in tunnel. I run gre between two jseries (junos 10.4R6) and lunch MPLS on it. The problem looks like that packages with MTU above 1476 are not fragmented/reassembled and are dropped. interfaces gr-0/0/0 unit 10 { clear-dont-fragment-bit; description Tulne to r1-lab; tunnel { source 10.200.0.1; destination 10.200.0.2; allow-fragmentation; path-mtu-discovery; } family inet { mtu 1500; address 100.100.100.1/30; } family mpls { } } Have someone have similar problem ? is there a simple way to fix this ? Best Lukasz ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Junos 10.4R8 on MX (PR 701928)
Just to be a little bit more specific... All of the following are I-chip based, and are affected by this issue: DPC ADPC MS-DPC MX-DPC The MPC is not I-chip based and is not affected. The PR synopsis has been updated. Again, sorry for any confusion that this has caused. -Original Message- From: Paul Goyette Sent: Monday, January 23, 2012 7:58 AM To: 'Daniel Hilj'; bas Cc: juniper-nsp@puck.nether.net Subject: RE: [j-nsp] Junos 10.4R8 on MX (PR 701928) I have confirmed that this affects only DPC, and the PR Synopsis has been updated accordingly. Sorry for the confusion. -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp- boun...@puck.nether.net] On Behalf Of Daniel Hilj Sent: Monday, January 23, 2012 7:21 AM To: bas Cc: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] Junos 10.4R8 on MX (PR 701928) Hi, This is what you see if you use their beta PR search engine. JUNOS Problem Report Number PR701928 Title MPC may restart with backtrace in ia_wpkt_next() routine Release Note Introduced in Junos software version 10.4R8, a DPC may restart unexpectedly with the following error messages: [Oct 25 04:21:08.749 LOG: Err] ia_wpkt_next : pkt_ring[937] has a packet 0x421fea20 SeverityCritical Status Closed Last Modified 2012-01-23 06:40:04 PST Affected-Releases 10.4R8 Resolved In Product MX-series Functional Area software Problem This is a critical defect which effects only DPC, and not MPC. Customers with DPC is discourage using Junos 10.4R8, 10.4S8(A), and 10.4S8(B). 23 jan 2012 kl. 16:16 skrev bas kilo...@gmail.commailto:kilo...@gmail.com: Hi, On Mon, Jan 23, 2012 at 3:57 PM, Daniel Hilj daniel.h...@ipnett.semailto:daniel.h...@ipnett.se wrote: This is a critical defect which effects only DPC, and not MPC. Customers with DPC is discourage using Junos 10.4R8, 10.4S8(A), and 10.4S8(B). Strange, I see: --- SYNOPSISMPC may restart with backtrace in ia_wpkt_next() routine RELEASE NOTEIntroduced in Junos software version 10.4R8, a DPC may restart unexpectedly [snip] --- So the Synopsis mentions MPC.. Bas -- This e-mail has been checked for virus by IPnett's Security solution -- -- This e-mail has been checked for virus by IPnett's Security solution -- ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Junos 10.4R8 on MX (PR 701928)
* Daniel Verlouw dan...@shunoshu.net [2012-01-24 10:13]: Hi, On Tue, Jan 24, 2012 at 08:25, Daniel Roesen d...@cluenet.de wrote: Daniel (waiting for over a year now for a 10.4 without major bugs...) same here... Am I the only one who finds it extremely annoying and disturbing that critical bugs get *introduced* this far down into an E-EOL train!? And where's the technical bulletin that alerts all of us? Interesting that j-nsp is a better source of information than JTAC... Hi, we're told that beginning with 11.4 the release process was changed to better prevent these things. At the moment we're testing 11.2 because we need MC-LAG and other features which are more mature in 11.2 as they are in 10.4. That will force us to change to 11.4 in the near future as 11.2 support will end in August. Regards Sebastian -- GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE) 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE. -- Terry Pratchett, The Fifth Elephant ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] QinQ between Cisco/Juniper with layer2-tunneling and VPLS
Hi, has anyone working QinQ between Cisco and Juniper running over VPLS and with working layer2-tunneling? We have a setup like this: EX4200 -- QinQ -- MX === VPLS === MX -- QinQ -- Cisco We see that on both ends of the QinQ tunnel CTP/STP/LLDP Pakets are encapsulated but on the other side nothing gets decapsulated. Regards sebastian -- GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE) 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE. -- Terry Pratchett, The Fifth Elephant ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] QinQ between Cisco/Juniper with layer2-tunneling and VPLS
1. EX4200 - I assume this following: ethernet-switching-options { dot1q-tunneling { ether-type 0x8100; } } vlans { My-QinQ-VLAN { vlan-id 1000; dot1q-tunneling { layer2-protocol-tunneling { all; } } } } 2. Note that the EX4200's re-write the MAC Address when using QinQ (i.e. STP MAC 01:80:c2:00:00:00 becomes PVST+ MAC 01:00:0c:cc:cc:cd, for example). Ensure you are un-translating the MAC address at the far end MX or at the Cisco; else you end up with a regular RSTP Packet with the wrong Destination MAC Address. 3. Alternatively, POP the outer Tag on Ingress at the MX; and do the MAC destination re-write there (i.e. change it back to normal) before shoving it into the VPLS. - Chris. On 2012-01-25, at 8:23 AM, Sebastian Wiesinger wrote: Hi, has anyone working QinQ between Cisco and Juniper running over VPLS and with working layer2-tunneling? We have a setup like this: EX4200 -- QinQ -- MX === VPLS === MX -- QinQ -- Cisco We see that on both ends of the QinQ tunnel CTP/STP/LLDP Pakets are encapsulated but on the other side nothing gets decapsulated. Regards sebastian -- GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE) 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE. -- Terry Pratchett, The Fifth Elephant ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] QinQ between Cisco/Juniper with layer2-tunneling and VPLS
* Chris Kawchuk juniperd...@gmail.com [2012-01-24 22:54]: 2. Note that the EX4200's re-write the MAC Address when using QinQ (i.e. STP MAC 01:80:c2:00:00:00 becomes PVST+ MAC 01:00:0c:cc:cc:cd, for example). Ensure you are un-translating the MAC address at the far end MX or at the Cisco; else you end up with a regular RSTP Packet with the wrong Destination MAC Address. Hi, the Cisco should be decapsulating it (layer2-tunneling is active on both ends) but it seems no packets are arriving to be decapsulated. Regards, Sebastian -- GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE) 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE. -- Terry Pratchett, The Fifth Elephant ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] GRE packet fragmentation on j-series
My understanding is that GRE fragmentation should occur if egress interface MTU is GRE pkt size. For GRE reassembly, you need IDP policy, this means high memory SRX model. IDP license is not needed. Rgds Alex - Original Message - From: Lukasz Martyniak lmartyn...@man.szczecin.pl To: juniper-nsp@puck.nether.net Sent: Tuesday, January 24, 2012 2:04 PM Subject: [j-nsp] GRE packet fragmentation on j-series Hi all I have some problem with gre tunnels. I need to fragment packages in tunnel. I run gre between two jseries (junos 10.4R6) and lunch MPLS on it. The problem looks like that packages with MTU above 1476 are not fragmented/reassembled and are dropped. interfaces gr-0/0/0 unit 10 { clear-dont-fragment-bit; description Tulne to r1-lab; tunnel { source 10.200.0.1; destination 10.200.0.2; allow-fragmentation; path-mtu-discovery; } family inet { mtu 1500; address 100.100.100.1/30; } family mpls { } } Have someone have similar problem ? is there a simple way to fix this ? Best Lukasz ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] Does MS-PIC (Type2 MultiServices 400) work in MX-FPC2?
Is it possible to reuse a Type2 MS-PIC in an MX-FPC2? Or is upgrading to the MS-DPC the only option? This would be used for stateful firewall and perhaps some NAT. Thanks. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] QinQ between Cisco/Juniper with layer2-tunneling and VPLS
* Chris Kawchuk juniperd...@gmail.com [2012-01-25 00:10]: Heh, then it's a different problem altogether. =) In your VPLS config, do you have any vlan-id settings set in the routing-instance? It's a long shot, else I have no idea why she ain't passing traffic... I have vlan-id all set in the instance and use outer-tag/inner-tag configuration on the interface unit. It's passing traffic just not the tunnel'd stuff. Regards Sebastian -- GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE) 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE. -- Terry Pratchett, The Fifth Elephant ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] QinQ between Cisco/Juniper with layer2-tunneling and VPLS
On 12-01-24 03:14 PM, Sebastian Wiesinger wrote: * Chris Kawchukjuniperd...@gmail.com [2012-01-25 00:10]: Heh, then it's a different problem altogether. =) In your VPLS config, do you have any vlan-id settings set in the routing-instance? It's a long shot, else I have no idea why she ain't passing traffic... I have vlan-id all set in the instance and use outer-tag/inner-tag configuration on the interface unit. It's passing traffic just not the tunnel'd stuff. Regards Sebastian hey Sebastian, when doing a cisco to juniper youll have to (i could be wrong here... ) manually add pop/push for input/output vlan maps on the juniper side under the unit example: input-vlan-map pop; output-vlan-map push; also on the cisco side make sure you are ignoring encapsulation mismatch and mtu mismatch example: ignore-encapsulation-mismatch; ignore-mtu-mismatch; hope this helps -Payam ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp