Re: [j-nsp] dynamic-db for prefix-list filter on ex3200, ex2200

2015-10-27 Thread Dan Farrell
Thank-you very much. 

Dan

From: Adam Vitkovsky 
Sent: Monday, October 26, 2015 6:06 PM
To: Dan Farrell; Nitzan Tzelniker
Cc: juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] dynamic-db for prefix-list filter on ex3200, ex2200

Hi Dan,

I found this:
"BGP is the only protocol to which you can apply routing policies that 
reference policies and policy objects configured in the dynamic database"
http://www.juniper.net/documentation/en_US/junos12.3/topics/usage-guidelines/policy-configuring-dynamic-routing-policies.html

adam

Adam Vitkovsky
IP Engineer

T:  0333 006 5936
E:  adam.vitkov...@gamma.co.uk
W:  www.gamma.co.uk


-----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf
> Of Dan Farrell
> Sent: Monday, October 26, 2015 6:34 PM
> To: Nitzan Tzelniker
> Cc: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] dynamic-db for prefix-list filter on ex3200, ex2200
>
> Hi Nitzan,
>
> Thanks for your reply- I think you're right. To further add info and split the
> documentation and feature-set hairs-
>
>
>
> -  At least from 9.5 this is stated to be usable by EX series.
>
> -  BUT! All docs that reference dynamic-db do so with routing policies,
> and show support for only M, MX, and T.
>
> -  JUNOS-on-EX does not error out on the configuration (as it would, for
> example, when configuring BGP on an EX2200-C).
>
> The use-case is loading large numbers of prefixes for filtering purposes
> without having to churn the unit with a typical commit operation and its
> associated churn. I'd hate to have to migrate to MX because EX can't/won't
> do it.
>
> Cheers!
>
> Dan
>
> From: Nitzan Tzelniker [mailto:nitzan.tzelni...@gmail.com]
> Sent: Monday, October 26, 2015 2:19 PM
> To: Dan Farrell 
> Cc: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] dynamic-db for prefix-list filter on ex3200, ex2200
>
> Dan,
>
> AFAIK dynamic-db is for routing policy only; it does not work for firewall
> filters
>
> Nitzan
>
>
> On Mon, Oct 26, 2015 at 7:29 PM, Dan Farrell wrote:
> Howdy List,
>
> I can't seem to get a dynamic-db prefix-list to work correctly on either an
> ex3200 or ex2200 on JUNOS 12.3 and 12.10.
> I'm starting to suspect it simply won't work on these models (or maybe on
> EX-series at all, or maybe only on routing policies).
>
> Using a dynamic-db prefix-list in a filter leads to NO packets passing on the
> interface it is instantiated on. (tested on l2 and l3 interface filtering).
>
> It seems to be a simple implementation (create the same prefix-list name in
> the normal configuration as the dynamic-db prefix list and tag it
> 'dynamic-db', then use in a filter), so I'm currently not suspecting myself
> as the culprit.
>
>
> Combining manual prefixes with the dynamic-db in one prefix-list results in
> only the manual prefixes being honored, while the dynamic-db ones are still
> ignored (same as above).
>
>
> Thanks list!
>
>
> Also, here's my configuration's relevant parts:
>
> DYNAMIC CONFIGURATION:
>
>   policy-options {
>       prefix-list badips {
>           192.168.75.35/32;
>           192.168.75.100/32;
>           192.168.100.251/32;
>       }
>   }
>
>
>
>
> STATIC CONFIGURATION:
> ==
>   policy-options {
>   prefix-list badips {
>   dynamic-db;
>
> 

Re: [j-nsp] authentication failure in case of configuration archival over scp

2015-10-27 Thread Michael Loftis
keyboard-interactive vs. password authentication.  They may "feel" the
same but they're not.  I'd check which is going on, and maybe try
configuring the server for the other.

On Mon, Oct 26, 2015 at 4:12 PM, Martin T  wrote:
> Stacy,
>
> I configured the SSH server (OpenSSH) to log both the user name and
> password for all the successful and unsuccessful authorization
> attempts, and it turned out that the Juniper router sends an empty string as
> a password. I guess Junos uses the FreeBSD scp utility for configuration
> archival if the following configuration is used:
>
> configuration {
>     transfer-on-commit;
>     archive-sites {
>         "scp://juniper@backupserver:/home/juniper/configbackups" password "$9$2joDkf5F9tOik0IhcMWGDjq5Q"; ## SECRET-DATA
>     }
> }
>
>
> If yes, then Junos probably provides an empty password string to scp.
> The underlying XML also holds the correct obfuscated password, i.e. as far
> as I can tell, the password in the configuration is correct. I also tried
> with other passwords, but the router still sends an empty string. How
> to troubleshoot this further? Has anyone seen such behavior (possibly a
> bug) before?
>
>
> thanks,
> Martin
>
> On Wed, Oct 21, 2015 at 7:39 PM, Stacy W. Smith  wrote:
>>
>>> On Oct 21, 2015, at 10:16 AM, Martin T  wrote:
>>>
>>> SSH server log tells that "error: PAM: Authentication failure for juniper from r1".
>>
>>> What might cause this?
>>
>> Assuming the Junos version has not changed on the router, have there been 
>> any changes to the SSH server, or the OS, on backupserver (potentially 
>> including "security patches")?
>>
>> Assuming OpenSSH, you may want to "man sshd_config" and look into the 
>> various Authentication settings as well as the UsePAM. I suspect 
>> some recent upgrade may have changed the default value of some of these 
>> settings.
>>
>> I would normally suggest changing the client's config to interoperate with 
>> the server, but since that's not easy to do on a Junos device, you might 
>> look at changing the server config.
>>
>> --Stacy
>>
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp



-- 

"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler
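
One way to check from the server side which method the router is actually attempting, as the reply above suggests. This is an added example, not part of the thread: the log lines are constructed, the helper names are hypothetical, and treating a bare "error: PAM:" line as keyboard-interactive is an assumption about how OpenSSH logs its PAM conversation.

```python
import re

# Constructed sample sshd log lines; only the "error: PAM:" text mirrors the
# message quoted in the thread. Hosts, PIDs and timestamps are made up.
SAMPLE_LOG = """\
Oct 26 16:01:02 backupserver sshd[2101]: error: PAM: Authentication failure for juniper from r1
Oct 26 16:01:02 backupserver sshd[2101]: Failed keyboard-interactive/pam for juniper from 192.0.2.10 port 50122 ssh2
Oct 26 16:05:40 backupserver sshd[2140]: Failed password for juniper from 192.0.2.10 port 50188 ssh2
Oct 26 16:09:13 backupserver sshd[2177]: Accepted password for admin from 192.0.2.20 port 40022 ssh2
Oct 26 16:09:50 backupserver sshd[2190]: Accepted publickey for admin from 192.0.2.20 port 40030 ssh2
"""

# sshd_config keywords that enable each method on the server.
SERVER_KNOB = {
    "password": "PasswordAuthentication",
    "keyboard-interactive/pam":
        "KbdInteractiveAuthentication (older: ChallengeResponseAuthentication) + UsePAM",
}

RESULT_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user |illegal user )?(?P<user>\S+) from (?P<host>\S+)")
PAM_ERR_RE = re.compile(
    r"sshd\[\d+\]: error: PAM: (?P<msg>.+?) for "
    r"(?:invalid user |illegal user )?(?P<user>\S+) from (?P<host>\S+)")


def classify(line):
    """Return (user, method, result) for an sshd auth line, else None."""
    m = RESULT_RE.search(line)
    if m:
        return m["user"], m["method"], m["result"].lower()
    m = PAM_ERR_RE.search(line)
    if m:
        # Assumption: this error form comes from the keyboard-interactive
        # PAM conversation, not from the plain "password" method.
        return m["user"], "keyboard-interactive/pam", "failed"
    return None


def methods_seen(log_text, user):
    """Sorted, de-duplicated (method, result) pairs logged for one user."""
    hits = (classify(line) for line in log_text.splitlines())
    return sorted({(h[1], h[2]) for h in hits if h and h[0] == user})


if __name__ == "__main__":
    for method, result in methods_seen(SAMPLE_LOG, "juniper"):
        print(f"{method:26} {result:9} -> {SERVER_KNOB.get(method, 'n/a')}")
```

If only keyboard-interactive failures show up for the archival account, the other method to try on the server is the one listed under `password` in `SERVER_KNOB`, and vice versa.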


Re: [j-nsp] Why doesn't memory utilization in "show chassis routing-engine" count in "Inactive" and "Buffers" memory?

2015-10-27 Thread Krasimir Avramski
Hi,

It used to be calculated like (Total - Free - Inactive - Cached)/Total, but
changed somewhere in 7.x.

From the book: "Dirty pages need to be paged out, but flushing a page is
extremely expensive compared to freeing a clean page. Thus, dirty pages are
given extra time on the inactive queue by cycling them through the queue
twice before being flushed. They cycle through the list once more while being
cleaned. This extra time on the inactive queue will reduce unnecessary I/O
caused by prematurely paging out an active page."

So, dirty pages are slowly "cleaned" and moved from inactive to cache (for
the next cycle of the pageout process, which runs when the system is under
memory pressure or when the queues are out of balance) and cache pages are
freed to maintain a minimum number of free pages - consequently Inact
memory is not so easily accessible by the kernel.

Regards,
Krasi

On 9 October 2015 at 15:57, Martin T  wrote:

> Hi,
>
> according to "The Design and Implementation of the FreeBSD Operating
> System" (https://books.google.ee/books?id=KfCuBAAAQBAJ=PA290=PA290)
> kernel divides used memory into five lists: Active, Inactive, Wired,
> Cache and Free. In addition, some memory is used for disk caching.
> Utilization of those lists can be seen with "top" or "show system
> processes extensive" commands. For example:
>
> Mem: 130M Active, 42M Inact, 51M Wired, 14M Cache, 34M Buf, 764K Free
> Swap: 512M Total, 512M Free
>
>
> So actually *used* memory is Wired and Active and if those two pools
> need additional amount of memory then this is taken from Inactive,
> Cached, Buffers or Free pools. This makes me wonder why "show chassis
> routing-engine" command calculates memory according to the following
> formula (at least on M and MX series):
>
> Memory utilization % = (Total - Free - Cached)/Total
>
> In other words, it doesn't count in Inactive and Buffers lists as free
> memory while actually those should be available for Active and Wired
> immediately if needed. This makes one believe that memory utilization
> on his RE is always very high.
>
>
> Why doesn't memory utilization in "show chassis routing-engine" count
> in Inactive and Buffers memory?
>
>
>
> thanks,
> Martin