Re: [j-nsp] dynamic-db for prefix-list filter on ex3200, ex2200

2015-10-26 Thread Nitzan Tzelniker
If you are doing destination-based filtering (as I see in the example) and it's
OK to block it from all interfaces, you can just use routing to discard.
If you don't want to commit, just do it from an external server with ExaBGP.


Nitzan


On Mon, Oct 26, 2015 at 8:33 PM, Dan Farrell  wrote:

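
Nitzan's alternative above (discard routing fed from an external ExaBGP server, instead of a dynamic-db prefix-list in a filter), as an added example; this is not code from the thread or from the ExaBGP project. It assumes a switch that can speak BGP (Dan notes the EX2200-C refuses BGP configuration), a static discard route for next-hop 192.0.2.1 on the switch, an import policy from the ExaBGP peer that accepts only /32 routes carrying community 65000:666, and ExaBGP running this script as an API process that reads /etc/exabgp/badips.txt; the addresses, community value and path are assumptions. The script announces and withdraws only the difference between the installed and desired sets, so editing the list never needs a commit on the switch, and it refuses anything wider than a /32 so one mistyped line cannot blackhole a whole network. The trade-off is the one Nitzan states: this blocks the destination on the whole box, not per interface as Dan's filter would.

```python
"""Push destination blackhole routes to a BGP-speaking switch via ExaBGP.

Added example (not from the thread or the ExaBGP project). Assumed setup:
  - the switch has `static route 192.0.2.1/32 discard` and imports only /32s
    tagged 65000:666 from the ExaBGP peer (assumed values)
  - ExaBGP runs this file as an API process and reads commands on our stdout
  - the blocklist lives in /etc/exabgp/badips.txt, one prefix per line
"""
import ipaddress
import sys
import time

BLACKHOLE_NEXTHOP = "192.0.2.1"    # assumed: resolves to the discard route on the switch
BLACKHOLE_COMMUNITY = "65000:666"  # assumed: what the switch's import policy matches on

# Constructed sample blocklist: the three hosts from Dan's dynamic-db prefix-list,
# plus lines the parser must reject (a comment, a /24, a prefix with host bits
# set, and junk).
SAMPLE_BLOCKLIST = """\
# badips - destinations to blackhole
192.168.75.35/32
192.168.75.100/32
192.168.100.251        # no mask means /32
192.168.75.0/24        # rejected: wider than a host route
10.0.0.1/24            # rejected: host bits set
not-an-address         # rejected: junk
"""


def parse_blocklist(text):
    """Return the set of IPv4 host routes (as 'a.b.c.d/32') found in `text`.

    Anything that is not a clean /32 is dropped: one mistyped mask in a
    blocklist must not blackhole a whole network."""
    wanted = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            continue
        if net.version == 4 and net.prefixlen == 32:
            wanted.add(str(net))
    return wanted


def plan(current, desired):
    """Diff the routes ExaBGP already announces against the desired set."""
    key = ipaddress.ip_network
    return sorted(desired - current, key=key), sorted(current - desired, key=key)


def render(verb, prefix):
    """One line of the ExaBGP text API ('announce route ...' / 'withdraw route ...')."""
    cmd = f"{verb} route {prefix} next-hop {BLACKHOLE_NEXTHOP}"
    if verb == "announce":
        cmd += f" community [{BLACKHOLE_COMMUNITY}]"
    return cmd


def sync(text, current):
    """Commands that move the announced set `current` to the list in `text`.

    Returns (commands, new_current). Only the delta is sent, so editing the
    file never touches routes that are unchanged."""
    desired = parse_blocklist(text)
    add, drop = plan(current, desired)
    cmds = [render("announce", p) for p in add] + [render("withdraw", p) for p in drop]
    return cmds, desired


def main(path="/etc/exabgp/badips.txt", interval=10):
    current = set()
    while True:
        try:
            with open(path) as fh:
                text = fh.read()
        except OSError as exc:
            # Keep what is announced rather than withdrawing everything because
            # the file was briefly unreadable.
            print(f"blocklist unreadable, keeping {len(current)} routes: {exc}",
                  file=sys.stderr)
        else:
            cmds, current = sync(text, current)
            for cmd in cmds:
                sys.stdout.write(cmd + "\n")
            sys.stdout.flush()   # ExaBGP reads our stdout; unflushed means not announced
        time.sleep(interval)


if __name__ == "__main__":
    main(*sys.argv[1:2])
```

Wire it up as an ExaBGP `process` that runs `python3` on this file and attach that process to the neighbor facing the switch. On the Junos side, keep the blast radius of a compromised ExaBGP host small: match the blackhole community and a `prefix-length-range /32-/32` route-filter in the import policy, reject everything else from that peer, and set `maximum-prefixes` on the session.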

Re: [j-nsp] Cisco ME3600 migration to something with more 10 gig ports

2015-10-26 Thread Aaron
Thanks again for all your insights and feedback.  I've tried to bring your
comments all together here below...

I'm revisiting this thread please since I am still looking to replace my
Cisco Me3600's in my distribution layer of my network.  They only have (2)
10 gig ports and I need more 10 gig.  I want all mpls l2vpn/l3vpn
capabilities that I at least have on my current ME3600's.

I would like to add that (6) ports 10 gig may not be enough for us to scale
to the future.  We would like more than 6.  If I LAG (2) 10's to my OLT/FTTH
Chassis and go east and west with 20 gig each direction, then I've used up
all (6) 10 gig's.  I think this rules out the ASR920's.  

--
About the Juniper ACX5000...

Mark mentioned - "Juniper's ACX5000 units are multi-rate systems. Only
problem is there are Broadcom chipsets in there. Okay for most applications,
but you may hit fundamental issues that software can't rectify. That is why
we dropped our consideration for them.".. " The ACX5000 was a reasonable
attempt, but that Broadcom chipset is a liability. As always, Juniper
continue to drop the ball on this"

James mentioned - " Yep, I mean it's a QFX 5100.  Cisco ASR 9xx are
certainly better suited IMO for edge applications."
--
About the Juniper EX4550...

Mark mentioned - " The EX4550 falls very short of that re: full IP/MPLS
capabilities."
Raphael mentioned - "If l3vpn is your case you can consider ex4550 (with
caution). I use them as PE with some kind of success. But... there is some
limitations you should be aware of :  
- the cpu is slow, even the snmp process can kill the control plane if there
is too much polling
- mpls : l2circuit is working, but not l2vpn, nor vpls. l3vpn is working but
the number of routing instances is limited (around 40 if I remember
correctly). And the big one: no local leaking between routing instances. Very
annoying.
- snmp counters on sub-interfaces (but there are workarounds)
--
About the Juniper QFX5100...

Richard mentioned - " My experience with that platform and 14.1 has been
very unpleasant.  13.2 does not support MPLS PE."
--
About the Cisco ASR903...

I'm interested in this.  What do y'all think about this?  It seems that this
is a scalable box with its dual power, dual cpu, 6 slot with various
Ethernet card options.  I wonder what a starter box would cost (chassis, one
cpu, one power supply, one (8) port 10 gig module) ?



Any other comparable products out there y'all know of?

Aaron

-Original Message-
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of
Raphael Mazelier
Sent: Tuesday, July 14, 2015 12:45 PM
To: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Cisco ME3600 migration to something with more 10 gig
ports



On 14/07/15 15:45, Phil Mayers wrote:

>
> L3VPN was our use-case; it may or may not do L2VPN, we don't have much 
> use for it locally.
>

If l3vpn is your case you can consider the ex4550 (with caution).
I use them as PE with some kind of success. But... there are some limitations
you should be aware of:

- the cpu is slow, even the snmp process can kill the control plane if there
is too much polling
- mpls: l2circuit is working, but not l2vpn, nor vpls. l3vpn is working but
the number of routing instances is limited (around 40 if I remember
correctly). And the big one: no local leaking between routing instances.
Very annoying.
- snmp counters on sub-interfaces (but there are workarounds)

Regards,

--
Raphael Mazelier

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] authentication failure in case of configuration archival over scp

2015-10-26 Thread Martin T
Stacy,

I configured the SSH server (OpenSSH) to log both the user name and
password for all successful and unsuccessful authorization attempts,
and it turned out that the Juniper router sends an empty string as
the password. I guess Junos uses the FreeBSD scp utility for configuration
archival if the following configuration is used:

configuration {
    transfer-on-commit;
    archive-sites {
        "scp://juniper@backupserver:/home/juniper/configbackups" password "$9$2joDkf5F9tOik0IhcMWGDjq5Q"; ## SECRET-DATA
    }
}


If yes, then Junos probably provides an empty password string to scp.
The underlying XML also holds the correct obfuscated password, i.e. as far
as I can tell, the password in the configuration is correct. I also tried
with other passwords, but the router still sends an empty string. How
can I troubleshoot this further? Has anyone seen such behavior (possibly a
bug) before?


thanks,
Martin

On Wed, Oct 21, 2015 at 7:39 PM, Stacy W. Smith  wrote:
>
>> On Oct 21, 2015, at 10:16 AM, Martin T  wrote:
>>
>> SSH server log tells that "error: PAM: Authentication failure for juniper 
>> from r1".
>
>> What might cause this?
>
> Assuming the Junos version has not changed on the router, have there been any 
> changes to the SSH server, or the OS, on backupserver (potentially including 
> "security patches")?
>
> Assuming OpenSSH, you may want to "man sshd_config" and look into the various 
> Authentication settings as well as the UsePAM. I suspect some recent 
> upgrade may have changed the default value of some of these settings.
>
> I would normally suggest changing the client's config to interoperate with 
> the server, but since that's not easy to do on a Junos device, you might look 
> at changing the server config.
>
> --Stacy
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
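
One point worth making about the archival config posted above, as an added example that is not code from the thread: the `$9$...` string after `password` is Junos obfuscation, not a hash. The `## SECRET-DATA` marker only governs display; anyone who can read a config backup (which is exactly what transfer-on-commit ships to the scp server) can recover the scp password, so the archive account should be a dedicated, write-only one and the backup store treated as sensitive. The reimplementation below follows the publicly documented `$9$` scheme as used by public decoders such as junosdecode; the plaintext and salt in the usage are constructed for the example. It does not apply to the `$1$`/`$5$`/`$6$` strings Junos stores for login passwords, which are real hashes.

```python
"""Junos $9$ secret-data obfuscation (reversible), as seen in archival configs.

Added example, not code from the thread. Reimplements the publicly documented
$9$ scheme (the one public decoders such as junosdecode use): each plaintext
byte is split into mixed-radix digits, and each digit is stored as the
distance to the next character in a 65-character alphabet. No key is
involved, so the config itself is enough to recover the password.
"""
import random

MAGIC = "$9$"
# The alphabet in its four families. A character's family decides how many
# throwaway random characters follow it when it is used as the salt.
FAMILY = ["QzF3n6/9CAtpu0O", "B1IREhcSyrleKvMW8LXx",
          "7N-dVbwsY2g4oaJZGUDj", "iHkq.mPf5T"]
EXTRA = {c: 3 - i for i, fam in enumerate(FAMILY) for c in fam}
ALPHABET = "".join(FAMILY)
INDEX = {c: i for i, c in enumerate(ALPHABET)}
# Radices for splitting one byte into digits, selected by plaintext position mod 7.
ENCODING = [[1, 4, 32], [1, 16, 32], [1, 8, 32], [1, 64], [1, 32],
            [1, 4, 16, 128], [1, 32, 64]]


def _gap(prev, cur):
    """Digit encoded by stepping from `prev` to `cur` in the alphabet."""
    return (INDEX[cur] - INDEX[prev]) % len(ALPHABET) - 1


def decode(crypt):
    """Recover the plaintext of a `$9$...` string."""
    if not crypt.startswith(MAGIC):
        raise ValueError("not a $9$ string")
    body = crypt[len(MAGIC):]
    salt, body = body[0], body[1:]
    body = body[EXTRA[salt]:]            # drop the random filler after the salt
    prev, out = salt, ""
    while body:
        radices = ENCODING[len(out) % len(ENCODING)]
        nibble, body = body[:len(radices)], body[len(radices):]
        if len(nibble) != len(radices):
            raise ValueError("truncated $9$ string")
        digits = []
        for c in nibble:
            digits.append(_gap(prev, c))
            prev = c
        out += chr(sum(d * r for d, r in zip(digits, radices)) % 256)
    return out


def encode(plain, salt=None, rng=random):
    """Produce a `$9$...` string for `plain` (what Junos does at commit time)."""
    salt = salt or rng.choice(ALPHABET)
    crypt = MAGIC + salt + "".join(rng.choice(ALPHABET) for _ in range(EXTRA[salt]))
    prev = salt
    for pos, ch in enumerate(plain):
        value = ord(ch)
        if value > 255:
            raise ValueError("only single-byte characters are supported")
        radices = ENCODING[pos % len(ENCODING)]
        digits = []
        for r in reversed(radices):       # extract most significant digit first...
            digits.insert(0, value // r)  # ...but store least significant first
            value %= r
        for d in digits:
            prev = ALPHABET[(INDEX[prev] + d + 1) % len(ALPHABET)]
            crypt += prev
    return crypt


if __name__ == "__main__":
    # Constructed secret; the salt is fixed so the output is reproducible.
    obf = encode("scp-backup-pw", salt="Q")
    print(obf, "->", decode(obf))
```

`encode()` exists only so the example is self-checking; the point for a defender is `decode()`: it needs nothing but the string, which is why `show configuration` output and archived configs deserve the same handling as the credentials inside them.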


Re: [j-nsp] dynamic-db for prefix-list filter on ex3200, ex2200

2015-10-26 Thread Adam Vitkovsky
Hi Dan,

I found this:
"BGP is the only protocol to which you can apply routing policies that 
reference policies and policy objects configured in the dynamic database"
http://www.juniper.net/documentation/en_US/junos12.3/topics/usage-guidelines/policy-configuring-dynamic-routing-policies.html

adam

Adam Vitkovsky
IP Engineer

T:  0333 006 5936
E:  adam.vitkov...@gamma.co.uk
W:  www.gamma.co.uk




[j-nsp] dynamic-db for prefix-list filter on ex3200, ex2200

2015-10-26 Thread Dan Farrell
Howdy List,

I can't seem to get a dynamic-db prefix-list to work correctly on either an 
ex3200 or ex2200 on JUNOS 12.3 and 12.10.
I'm starting to suspect it simply won't work on these models (or maybe on 
EX-series at all, or maybe only on routing policies).

Using a dynamic-db prefix-list in a filter leads to NO packets passing on the 
interface it is instantiated on. (tested on l2 and l3 interface filtering).

It seems to be a simple implementation (create the same prefix-list name in the 
normal configuration as the dynamic-db prefix list and tag it 'dynamic-db', 
then use in a filter), so I'm currently not suspecting myself as the culprit.


Combining manual prefixes with the dynamic-db in one prefix-list results in 
only the manual prefixes being honored, while the dynamic-db ones are still 
ignored (same as above).


Thanks list!


Also, here's my configuration's relevant parts:

DYNAMIC CONFIGURATION:

policy-options {
    prefix-list badips {
        192.168.75.35/32;
        192.168.75.100/32;
        192.168.100.251/32;
    }
}


STATIC CONFIGURATION:
==
policy-options {
    prefix-list badips {
        dynamic-db;
        1.1.1.1/32;
    }
}

firewall {
    family inet {
        filter blocktest {
            term block-dy {
                from {
                    destination-prefix-list {
                        badips;
                    }
                }
                then {
                    discard;
                }
            }
            term allow-all-else {
                then accept;
            }
        }
    }
}

interfaces {
    vlan {
        unit 33 {
            family inet {
                filter {
                    input blocktest;
                }
                address 192.168.78.1/24;
            }
        }
    }
}

vlans {
    noc24-test {
        vlan-id 33;
        interface {
            ge-0/0/3.0;
        }
        l3-interface vlan.33;
    }
}



Dan Farrell
Applied Innovations Corp.
d...@appliedi.net
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] dynamic-db for prefix-list filter on ex3200, ex2200

2015-10-26 Thread Dan Farrell
Hi Nitzan,

Thanks for your reply; I think you're right. To further add info and split the
documentation and feature-set hairs:

- At least from 9.5 this is stated to be usable by EX series.

- BUT! All docs that reference dynamic-db do so with routing policies,
and show support for only M, MX, and T.

- JUNOS-on-EX does not error out on the configuration (as it would,
for example, when configuring BGP on an EX2200-C).

The use-case is loading large numbers of prefixes for filtering purposes
without having to churn the unit with a typical commit operation and its
associated churn. I'd hate to have to migrate to MX because EX can't/won't do
it.

Cheers!

Dan



___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] dynamic-db for prefix-list filter on ex3200, ex2200

2015-10-26 Thread Nitzan Tzelniker
Dan,

AFAIK dynamic-db is for routing policy only;
it does not work for firewall filters.

Nitzan


On Mon, Oct 26, 2015 at 7:29 PM, Dan Farrell  wrote:

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp