Re: [j-nsp] BGP EVPN, VXLAN and ECMP

2018-03-28 Thread Nikolas Geyer
A quick word of caution, if you use third party optics be very careful moving 
to Junos 17. We have found a bunch of ours unusable in Junos 17 and while our 
account team has been fantastic in trying to find out what’s changed in the 
code the official response has been “non Juniper optic, go away” and we 
literally run hundreds if not thousands of the QFX5ks which has put us in a 
difficult position.

That said, I was recently doing QFX5100 testing of VXLAN on various trains from 
Junos 14 through Junos 16 (17 bombed out due to above mentioned optic issue) 
and can't recall a problem with ECMP. I’ll pull the configs in the morning and 
send them through off list.

As someone else has mentioned are you sure you have per-packet load balancing 
policy exported in forwarding-options for all protocols?

Sent from my iPhone

> On 28 Mar 2018, at 3:45 pm, Nitzan Tzelniker  
> wrote:
> 
> Not sure I understand you but both can run 17.3R2 (just time of
> installation )
> 
> 
>> On Wed, Mar 28, 2018 at 10:16 PM Vincent Bernat  wrote:
>> 
>> ❦ 28 mars 2018 19:06 GMT, Nitzan Tzelniker  :
>> 
>>> The 5100 run 15.1X53-D63 and the 5110 17.3R2
>> 
>> Do you mean the other way around? No 15.1X53 for the 5100.
>> --
>> Use statement labels that mean something.
>>- The Elements of Programming Style (Kernighan & Plauger)
>> 
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Ansible juniper_junos -add license module?

2018-03-28 Thread Nitzan Tzelniker
Thanks All,

This RPC command works for me via Ansible.
I used the Ansible lookup module to take the license content from a file with
the hostname as filename, but more advanced use should be to take it
directly from Juniper bulk activation Excel based on the serial number.

Nitzan


On Wed, Mar 28, 2018 at 8:09 PM Stacy W. Smith  wrote:

>
> On Mar 28, 2018, at 9:24 AM, Sander Steffann  wrote:
> >
> > I tried that, and got an error message back saying that the license-add
> > command is only supported on cli and not over RPC :'(
>
> 
>
> —Stacy
>


Re: [j-nsp] BGP EVPN, VXLAN and ECMP

2018-03-28 Thread Nitzan Tzelniker
Not sure I understand you but both can run 17.3R2 (just time of
installation )


On Wed, Mar 28, 2018 at 10:16 PM Vincent Bernat  wrote:

>  ❦ 28 mars 2018 19:06 GMT, Nitzan Tzelniker  :
>
> > The 5100 run 15.1X53-D63 and the 5110 17.3R2
>
> Do you mean the other way around? No 15.1X53 for the 5100.
> --
> Use statement labels that mean something.
> - The Elements of Programming Style (Kernighan & Plauger)
>


Re: [j-nsp] BGP EVPN, VXLAN and ECMP

2018-03-28 Thread Vincent Bernat
 ❦ 28 mars 2018 19:06 GMT, Nitzan Tzelniker  :

> The 5100 run 15.1X53-D63 and the 5110 17.3R2

Do you mean the other way around? No 15.1X53 for the 5100.
-- 
Use statement labels that mean something.
- The Elements of Programming Style (Kernighan & Plauger)


Re: [j-nsp] BGP EVPN, VXLAN and ECMP

2018-03-28 Thread Vincent Bernat
Thanks!

I'll try with 15.1X53 too.
-- 
For courage mounteth with occasion.
-- William Shakespeare, "King John"

 ――― Original Message ―――
 From: Nitzan Tzelniker 
 Sent: 28 mars 2018 19:06 GMT
 Subject: Re: [j-nsp] BGP EVPN, VXLAN and ECMP
 To: ber...@luffy.cx
 Cc: juniper-nsp@puck.nether.net

> Yes I have two routes in vxlan.inet.0
>
> nitzan@qfx5100> show route 10.111.44.222
>
> inet.0: 111 destinations, 111 routes (111 active, 0 holddown, 0 hidden)
> + = Active Route, - = Last Active, * = Both
>
> 10.111.44.222/32*[OSPF/10] 1w5d 21:39:34, metric 4
> > to 10.111.33.99 via et-0/0/48.0
>   to 10.111.33.100 via et-0/0/49.0
>
> :vxlan.inet.0: 77 destinations, 77 routes (77 active, 0 holddown, 0 hidden)
> + = Active Route, - = Last Active, * = Both
>
> 10.111.44.222/32*[Static/1] 1w1d 01:48:50, metric2 4
> > to 10.111.33.99 via et-0/0/48.0
>   to 10.111.33.100 via et-0/0/49.0
>
>
> The 5100 run 15.1X53-D63 and the 5110 17.3R2
>
> Nitzan
>
>
> On Wed, Mar 28, 2018 at 9:54 PM Vincent Bernat  wrote:
>
>> Hey!
>>
>> Which version of JunOS are you running? I am on 17.4R1. I see that
>> 18.1R1 was just released, I may try it tomorrow. Do you also have
>> a :vxlan.inet.0 table and does it show two paths too?
>>
>> In my configuration, I have:
>>
>> set routing-options forwarding-table export loadbalance
>> set policy-options policy-statement loadbalance then load-balance
>> per-packet
>> set protocols bgp group v4-UNDERLAY multipath
>> set protocols bgp group v4-EVPN multipath
>>
>> The PDF document is helpful. It says:
>>
>> > The QFX5100/QFX5110 can only install VTEP next hops in the PFE; it
>> > cannot install ESI next hops. This means that, for any given overlay
>> > destination, only one remote VTEP can be selected. To send traffic to
>> > the selected VTEP, traffic can be load balanced at the underlay layer
>> > through the two spine nodes.
>>
>> I need to do more tests, as the other provided commands may hint this is
>> just a display issue.
>> --
>> The lunatic, the lover, and the poet,
>> Are of imagination all compact...
>> -- Wm. Shakespeare, "A Midsummer Night's Dream"
>>
>>  ――― Original Message ―――
>>  From: Nitzan Tzelniker 
>>  Sent: 28 mars 2018 18:36 GMT
>>  Subject: Re: [j-nsp] BGP EVPN, VXLAN and ECMP
>>  To: ber...@luffy.cx
>>  Cc: juniper-nsp@puck.nether.net
>>
>> > Hi,
>> >
>> > Just check with 5110 and 5100 and on both I see two next hops
>> > but I am using OSPF for the underlay
>> > I think that you have multipath under BGP from the fact that we see two
>> > paths under inet.0 but do you have forwarding-table policy with
>> > "load-balance per-packet" ?
>> >
>> > BTW take a look here
>> >
>> https://www.juniper.net/documentation/en_US/release-independent/solutions/information-products/pathway-pages/lb-evpn-vxlan-tn.pdf
>> >
>> >
>> > Thanks
>> >
>> > Nitzan
>> >
>> >
>> > On Wed, Mar 28, 2018 at 5:27 PM Vincent Bernat  wrote:
>> >
>> >> Hey!
>> >>
>> >> I am trying to setup a Juniper QFX5100 as a VTEP with a very classic
>> >> setup. Everything works as expected, but the setup is only using one
>> >> possible path from the underlay network.
>> >>
>> >> I have the route to the other VTEP like this:
>> >>
>> >> # run show route 10.16.39.3
>> >>
>> >> inet.0: 240 destinations, 1808 routes (240 active, 0 holddown, 0 hidden)
>> >> + = Active Route, - = Last Active, * = Both
>> >>
>> >> 10.16.39.3/32  *[BGP/140] 00:38:24, localpref 500, from 10.64.0.5
>> >>   AS path: I, validation-state: unverified
>> >>   to 10.64.0.23 via xe-0/0/46.181
>> >> > to 10.64.128.23 via xe-0/0/47.183
>> >> [BGP/140] 00:38:24, localpref 500, from 10.64.128.6
>> >>   AS path: I, validation-state: unverified
>> >> > to 10.64.128.23 via xe-0/0/47.183
>> >> [BGP/140] 00:38:24, localpref 500, from 10.64.0.3
>> >>   AS path: I, validation-state: unverified
>> >> > to 10.64.0.23 via xe-0/0/46.181
>> >>
>> >> :vxlan.inet.0: 17 destinations, 21 routes (17 active, 0 holddown, 0
>> hidden)
>> >> + = Active Route, - = Last Active, * = Both
>> >>
>> >> 10.16.39.3/32  *[Static/1] 00:31:10, metric2 0
>> >> > to 10.64.128.23 via xe-0/0/47.183
>> >>
>> >> So, from an IP point of view, I have two available routes to the other
>> >> VTEP. In the :vxlan.inet.0 table, only one route is kept. I suppose the
>> >> problem is at this point.
>> >>
>> >> Looking at the forwarding table, I have only one indirect next-hop too:
>> >>
>> >> # show route forwarding-table family ethernet-switching bridge-domain
>> >> vlan-client1-543 extensive
>> >>Routing table: default-switch.bridge [Index 4]
>> >>Bridging 

Re: [j-nsp] BGP EVPN, VXLAN and ECMP

2018-03-28 Thread Nitzan Tzelniker
Yes I have two routes in vxlan.inet.0

nitzan@qfx5100> show route 10.111.44.222

inet.0: 111 destinations, 111 routes (111 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.111.44.222/32   *[OSPF/10] 1w5d 21:39:34, metric 4
                    > to 10.111.33.99 via et-0/0/48.0
                      to 10.111.33.100 via et-0/0/49.0

:vxlan.inet.0: 77 destinations, 77 routes (77 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.111.44.222/32   *[Static/1] 1w1d 01:48:50, metric2 4
                    > to 10.111.33.99 via et-0/0/48.0
                      to 10.111.33.100 via et-0/0/49.0


The 5100 run 15.1X53-D63 and the 5110 17.3R2

Nitzan


On Wed, Mar 28, 2018 at 9:54 PM Vincent Bernat  wrote:

> Hey!
>
> Which version of JunOS are you running? I am on 17.4R1. I see that
> 18.1R1 was just released, I may try it tomorrow. Do you also have
> a :vxlan.inet.0 table and does it show two paths too?
>
> In my configuration, I have:
>
> set routing-options forwarding-table export loadbalance
> set policy-options policy-statement loadbalance then load-balance
> per-packet
> set protocols bgp group v4-UNDERLAY multipath
> set protocols bgp group v4-EVPN multipath
>
> The PDF document is helpful. It says:
>
> > The QFX5100/QFX5110 can only install VTEP next hops in the PFE; it
> > cannot install ESI next hops. This means that, for any given overlay
> > destination, only one remote VTEP can be selected. To send traffic to
> > the selected VTEP, traffic can be load balanced at the underlay layer
> > through the two spine nodes.
>
> I need to do more tests, as the other provided commands may hint this is
> just a display issue.
> --
> The lunatic, the lover, and the poet,
> Are of imagination all compact...
> -- Wm. Shakespeare, "A Midsummer Night's Dream"
>
>  ――― Original Message ―――
>  From: Nitzan Tzelniker 
>  Sent: 28 mars 2018 18:36 GMT
>  Subject: Re: [j-nsp] BGP EVPN, VXLAN and ECMP
>  To: ber...@luffy.cx
>  Cc: juniper-nsp@puck.nether.net
>
> > Hi,
> >
> > Just check with 5110 and 5100 and on both I see two next hops
> > but I am using OSPF for the underlay
> > I think that you have multipath under BGP from the fact that we see two
> > paths under inet.0 but do you have forwarding-table policy with
> > "load-balance per-packet" ?
> >
> > BTW take a look here
> >
> https://www.juniper.net/documentation/en_US/release-independent/solutions/information-products/pathway-pages/lb-evpn-vxlan-tn.pdf
> >
> >
> > Thanks
> >
> > Nitzan
> >
> >
> > On Wed, Mar 28, 2018 at 5:27 PM Vincent Bernat  wrote:
> >
> >> Hey!
> >>
> >> I am trying to setup a Juniper QFX5100 as a VTEP with a very classic
> >> setup. Everything works as expected, but the setup is only using one
> >> possible path from the underlay network.
> >>
> >> I have the route to the other VTEP like this:
> >>
> >> # run show route 10.16.39.3
> >>
> >> inet.0: 240 destinations, 1808 routes (240 active, 0 holddown, 0 hidden)
> >> + = Active Route, - = Last Active, * = Both
> >>
> >> 10.16.39.3/32  *[BGP/140] 00:38:24, localpref 500, from 10.64.0.5
> >>   AS path: I, validation-state: unverified
> >>   to 10.64.0.23 via xe-0/0/46.181
> >> > to 10.64.128.23 via xe-0/0/47.183
> >> [BGP/140] 00:38:24, localpref 500, from 10.64.128.6
> >>   AS path: I, validation-state: unverified
> >> > to 10.64.128.23 via xe-0/0/47.183
> >> [BGP/140] 00:38:24, localpref 500, from 10.64.0.3
> >>   AS path: I, validation-state: unverified
> >> > to 10.64.0.23 via xe-0/0/46.181
> >>
> >> :vxlan.inet.0: 17 destinations, 21 routes (17 active, 0 holddown, 0
> hidden)
> >> + = Active Route, - = Last Active, * = Both
> >>
> >> 10.16.39.3/32  *[Static/1] 00:31:10, metric2 0
> >> > to 10.64.128.23 via xe-0/0/47.183
> >>
> >> So, from an IP point of view, I have two available routes to the other
> >> VTEP. In the :vxlan.inet.0 table, only one route is kept. I suppose the
> >> problem is at this point.
> >>
> >> Looking at the forwarding table, I have only one indirect next-hop too:
> >>
> >> # show route forwarding-table family ethernet-switching bridge-domain
> >> vlan-client1-543 extensive
> >>Routing table: default-switch.bridge [Index 4]
> >>Bridging domain: vlan-client1-543.bridge [Index 3]
> >>VPLS:
> >>Enabled protocols: Bridging, ACKed by all peers,
> >>
> >> [...]
> >>Destination:  0a:e3:40:00:00:d9/48
> >>  Learn VLAN: 0Route type: user
> >>  Route reference: 0   Route interface-index: 575
> >>  Multicast RPF nh index: 0
> >>  P2mpidx: 0
> >>  IFL generation: 142  Epoch: 0
> >>  Sequence Number: 0   Learn Mask:
> >> 

Re: [j-nsp] BGP EVPN, VXLAN and ECMP

2018-03-28 Thread Vincent Bernat
Hey!

Which version of JunOS are you running? I am on 17.4R1. I see that
18.1R1 was just released, I may try it tomorrow. Do you also have
a :vxlan.inet.0 table and does it show two paths too?

In my configuration, I have:

set routing-options forwarding-table export loadbalance
set policy-options policy-statement loadbalance then load-balance per-packet
set protocols bgp group v4-UNDERLAY multipath
set protocols bgp group v4-EVPN multipath

The PDF document is helpful. It says:

> The QFX5100/QFX5110 can only install VTEP next hops in the PFE; it
> cannot install ESI next hops. This means that, for any given overlay
> destination, only one remote VTEP can be selected. To send traffic to
> the selected VTEP, traffic can be load balanced at the underlay layer
> through the two spine nodes.

I need to do more tests, as the other provided commands may hint this is
just a display issue.
-- 
The lunatic, the lover, and the poet,
Are of imagination all compact...
-- Wm. Shakespeare, "A Midsummer Night's Dream"

 ――― Original Message ―――
 From: Nitzan Tzelniker 
 Sent: 28 mars 2018 18:36 GMT
 Subject: Re: [j-nsp] BGP EVPN, VXLAN and ECMP
 To: ber...@luffy.cx
 Cc: juniper-nsp@puck.nether.net

> Hi,
>
> Just check with 5110 and 5100 and on both I see two next hops
> but I am using OSPF for the underlay
> I think that you have multipath under BGP from the fact that we see two
> paths under inet.0 but do you have forwarding-table policy with
> "load-balance per-packet" ?
>
> BTW take a look here
> https://www.juniper.net/documentation/en_US/release-independent/solutions/information-products/pathway-pages/lb-evpn-vxlan-tn.pdf
>
>
> Thanks
>
> Nitzan
>
>
> On Wed, Mar 28, 2018 at 5:27 PM Vincent Bernat  wrote:
>
>> Hey!
>>
>> I am trying to setup a Juniper QFX5100 as a VTEP with a very classic
>> setup. Everything works as expected, but the setup is only using one
>> possible path from the underlay network.
>>
>> I have the route to the other VTEP like this:
>>
>> # run show route 10.16.39.3
>>
>> inet.0: 240 destinations, 1808 routes (240 active, 0 holddown, 0 hidden)
>> + = Active Route, - = Last Active, * = Both
>>
>> 10.16.39.3/32  *[BGP/140] 00:38:24, localpref 500, from 10.64.0.5
>>   AS path: I, validation-state: unverified
>>   to 10.64.0.23 via xe-0/0/46.181
>> > to 10.64.128.23 via xe-0/0/47.183
>> [BGP/140] 00:38:24, localpref 500, from 10.64.128.6
>>   AS path: I, validation-state: unverified
>> > to 10.64.128.23 via xe-0/0/47.183
>> [BGP/140] 00:38:24, localpref 500, from 10.64.0.3
>>   AS path: I, validation-state: unverified
>> > to 10.64.0.23 via xe-0/0/46.181
>>
>> :vxlan.inet.0: 17 destinations, 21 routes (17 active, 0 holddown, 0 hidden)
>> + = Active Route, - = Last Active, * = Both
>>
>> 10.16.39.3/32  *[Static/1] 00:31:10, metric2 0
>> > to 10.64.128.23 via xe-0/0/47.183
>>
>> So, from an IP point of view, I have two available routes to the other
>> VTEP. In the :vxlan.inet.0 table, only one route is kept. I suppose the
>> problem is at this point.
>>
>> Looking at the forwarding table, I have only one indirect next-hop too:
>>
>> # show route forwarding-table family ethernet-switching bridge-domain
>> vlan-client1-543 extensive
>>Routing table: default-switch.bridge [Index 4]
>>Bridging domain: vlan-client1-543.bridge [Index 3]
>>VPLS:
>>Enabled protocols: Bridging, ACKed by all peers,
>>
>> [...]
>>Destination:  0a:e3:40:00:00:d9/48
>>  Learn VLAN: 0Route type: user
>>  Route reference: 0   Route interface-index: 575
>>  Multicast RPF nh index: 0
>>  P2mpidx: 0
>>  IFL generation: 142  Epoch: 0
>>  Sequence Number: 0   Learn Mask:
>> 0x4000
>>  L2 Flags: control_dyn
>>  Flags: sent to PFE
>>  Next-hop type: composite Index: 2045 Reference: 6
>>  Next-hop type: indirect  Index: 131317   Reference: 3
>>  Nexthop: 10.64.128.23
>>  Next-hop type: unicast   Index: 1928 Reference: 4
>>  Next-hop interface: xe-0/0/47.183
>>
>> So, how to ensure the two possible next-hops are copied to the
>> ":vxlan.inet.0" table?
>> --
>> Make input easy to prepare and output self-explanatory.
>> - The Elements of Programming Style (Kernighan & Plauger)


Re: [j-nsp] BGP EVPN, VXLAN and ECMP

2018-03-28 Thread Nitzan Tzelniker
Hi,

Just check with 5110 and 5100 and on both I see two next hops
but I am using OSPF for the underlay
I think that you have multipath under BGP from the fact that we see two
paths under inet.0 but do you have forwarding-table policy with
"load-balance per-packet" ?

BTW take a look here
https://www.juniper.net/documentation/en_US/release-independent/solutions/information-products/pathway-pages/lb-evpn-vxlan-tn.pdf


Thanks

Nitzan


On Wed, Mar 28, 2018 at 5:27 PM Vincent Bernat  wrote:

> Hey!
>
> I am trying to setup a Juniper QFX5100 as a VTEP with a very classic
> setup. Everything works as expected, but the setup is only using one
> possible path from the underlay network.
>
> I have the route to the other VTEP like this:
>
> # run show route 10.16.39.3
>
> inet.0: 240 destinations, 1808 routes (240 active, 0 holddown, 0 hidden)
> + = Active Route, - = Last Active, * = Both
>
> 10.16.39.3/32  *[BGP/140] 00:38:24, localpref 500, from 10.64.0.5
>   AS path: I, validation-state: unverified
>   to 10.64.0.23 via xe-0/0/46.181
> > to 10.64.128.23 via xe-0/0/47.183
> [BGP/140] 00:38:24, localpref 500, from 10.64.128.6
>   AS path: I, validation-state: unverified
> > to 10.64.128.23 via xe-0/0/47.183
> [BGP/140] 00:38:24, localpref 500, from 10.64.0.3
>   AS path: I, validation-state: unverified
> > to 10.64.0.23 via xe-0/0/46.181
>
> :vxlan.inet.0: 17 destinations, 21 routes (17 active, 0 holddown, 0 hidden)
> + = Active Route, - = Last Active, * = Both
>
> 10.16.39.3/32  *[Static/1] 00:31:10, metric2 0
> > to 10.64.128.23 via xe-0/0/47.183
>
> So, from an IP point of view, I have two available routes to the other
> VTEP. In the :vxlan.inet.0 table, only one route is kept. I suppose the
> problem is at this point.
>
> Looking at the forwarding table, I have only one indirect next-hop too:
>
> # show route forwarding-table family ethernet-switching bridge-domain
> vlan-client1-543 extensive
>Routing table: default-switch.bridge [Index 4]
>Bridging domain: vlan-client1-543.bridge [Index 3]
>VPLS:
>Enabled protocols: Bridging, ACKed by all peers,
>
> [...]
>Destination:  0a:e3:40:00:00:d9/48
>  Learn VLAN: 0Route type: user
>  Route reference: 0   Route interface-index: 575
>  Multicast RPF nh index: 0
>  P2mpidx: 0
>  IFL generation: 142  Epoch: 0
>  Sequence Number: 0   Learn Mask:
> 0x4000
>  L2 Flags: control_dyn
>  Flags: sent to PFE
>  Next-hop type: composite Index: 2045 Reference: 6
>  Next-hop type: indirect  Index: 131317   Reference: 3
>  Nexthop: 10.64.128.23
>  Next-hop type: unicast   Index: 1928 Reference: 4
>  Next-hop interface: xe-0/0/47.183
>
> So, how to ensure the two possible next-hops are copied to the
> ":vxlan.inet.0" table?
> --
> Make input easy to prepare and output self-explanatory.
> - The Elements of Programming Style (Kernighan & Plauger)


Re: [j-nsp] Ansible juniper_junos -add license module?

2018-03-28 Thread Stacy W. Smith

On Mar 28, 2018, at 9:24 AM, Sander Steffann  wrote:
> 
> I tried that, and got an error message back saying that the license-add 
> command is only supported on cli and not over RPC :'(



—Stacy



Re: [j-nsp] Ansible juniper_junos -add license module?

2018-03-28 Thread Stacy W. Smith
Thanks Phil! 
I knew there was an RPC for this, but hadn’t had the chance to figure it out.

Adam,
Given the info from Phil, you can use a playbook similar to this:

---
- name: 'Add a license to a Junos device'
  hosts: junos-all
  connection: local
  gather_facts: no
  roles:
    - Juniper.junos

  tasks:
    - name: 'Add a license'
      juniper_junos_rpc:
        rpc: 'request-license-add'
        kwarg:
          # placeholder: replace with the license key string
          key_data: '<license key data>'

Alternatively, you can load the license from a file or URL with:

---
- name: 'Add a license to a Junos device'
  hosts: junos-all
  connection: local
  gather_facts: no
  roles:
    - Juniper.junos

  tasks:
    - name: 'Add a license'
      juniper_junos_rpc:
        rpc: 'request-license-add'
        kwarg:
          # placeholder: replace with the file path or URL of the license file
          source: '<URL of source license key file>'

You can also refer to the documentation here: 
http://junos-ansible-modules.readthedocs.io/en/2.0.2/juniper_junos_rpc.html 


> On Mar 28, 2018, at 3:28 AM, adamv0...@netconsultings.com wrote:
>  I could not find any juniper_junos module for amnesiac mode. (all the modules
> kind of assume working ssh and netconf).


The modules do have limited support for initial device configuration if you 
have a direct serial connection from the Ansible control machine to the Juniper 
device’s serial console or if you have the serial console connected to a 
terminal server which is reachable via an unauthenticated Telnet port. (If the 
console server is only reachable over SSH or adds additional authentication, 
that’s not currently supported.)

Performing NETCONF operations over the serial console is sometimes problematic 
because the NETCONF gets interspersed with any console logging. There’s not 
currently a way to disable this, so the best bet is to simply repeat any failed 
NETCONF operations over the serial console.

—Stacy



> On Mar 28, 2018, at 8:45 AM, Phil Shafer  wrote:
> 
> adamv0...@netconsultings.com writes:
>> The problem is I need to hit enter after the license is passed and then also
>> ^D (ctrl+D) at the end and I'm not sure how would I go about doing that in
>> junos_command. 
> 
> Not sure why these aren't documented but the functionality is there.
> Here's the JUNOS DDL (think "YANG"):
> 
>command add-license {
>help "Add license keys from file, local or from server";
>action acceptable mgd mgd_is_product_licensed;
>action execute mgd mgd_add_license_mgd;
>xml-name request-license-add;
>odl-tag add-license-results;
>argument source {
>help "URL of source license key file";
>type string;
>}
>argument key-data {
>help "License key data";
>type string;
>}
>}
>command save-license {
>help "Save license keys to file, local or to server";
>action acceptable mgd mgd_is_product_licensed;
>xml-name request-license-save;
>odl-tag none;
>action execute mgd mgd_save_license_mgd;
>argument destination {
>help "URL of destination license key file";
>type string;
>}
>}
> 
> The "xml-name" statement gives the name of the RPC used to access
> this command, which means the <request-license-add> RPC adds a
> license from either a <source> URL or a <key-data> string, and the
> <request-license-save> exports license data to a <destination> URL.
> 
> In SLAX, that looks something like:
> 
>     var $rpc = <request-license-add> {
>         <key-data> $my-data;
>     }
> 
> Thanks,
> Phil


Re: [j-nsp] cdn.juniper.net slow?

2018-03-28 Thread Jared Mauch
Are you having performance issues with other Akamai sites or just with this one?

Can you reply to me off list with the following data:

host whomi.akamai.net (or what IP address this resolves to?)

- Jared

> On Mar 28, 2018, at 12:15 PM, Franz Georg Köhler  wrote:
> 
> Is cdn.juniper.net always slow? It only delivers between 500 and 1000 kilobit
> per second to me while the traceroute looks fine and I am used to much faster
> downloads from Akamai:
> 
> $ wget "https://cdn.juniper.net/software/junos/18.1R1.9/junos-install-mx-x86-64-18.1R1.9.tgz[...]"
> --2018-03-28 17:30:14--  https://cdn.juniper.net/software/junos/18.1R1.9/junos-install-mx-x86-64-18.1R1.9.tgz[...]
> Auflösen des Hostnamen »cdn.juniper.net (cdn.juniper.net)«... 23.37.55.189
> Verbindungsaufbau zu cdn.juniper.net (cdn.juniper.net)|23.37.55.189|:443... verbunden.
> HTTP-Anforderung gesendet, warte auf Antwort... 200 OK
> Länge: 2726046587 (2,5G) [application/octet-stream]
> In »»junos-install-mx-x86-64-18.1R1.9.tgz[...]«« speichern.
> 
> junos-install-mx-x86-64-18.1R1.9.tgz?SM_US 100%[>]   2,54G   933KB/s   in 39m 37s
> 
> 2018-03-28 18:09:51 (1,09 MB/s) - »»junos-install-mx-x86-64-18.1R1.9.tgz[...]«« gespeichert [2726046587/2726046587]
> 
> 
> $ mtr -r -w 23.37.55.189
> Start: Wed Mar 28 18:13:48 2018
> HOST: hermes                                                Loss%   Snt   Last   Avg  Best  Wrst StDev
>   1.|-- gw-corpserv.dabuk47DB.frankfurt.de.velia.net         0.0%    10   59.7   7.9   1.3  59.7  18.2
>   2.|-- gauss.router.frankfurt.de.velia.net                  0.0%    10    0.3   0.3   0.3   0.3   0.0
>   3.|-- ae4.cr-antares.fra10.core.heg.com                    0.0%    10    0.5   0.4   0.3   0.9   0.0
>   4.|-- ae2.cr-polaris.fra1.core.heg.com                     0.0%    10    0.4   1.4   0.4   9.9   3.0
>   5.|-- ???                                                 100.0    10    0.0   0.0   0.0   0.0   0.0
>   6.|-- a23-37-55-189.deploy.static.akamaitechnologies.com   0.0%    10    0.8   0.8   0.8   0.9   0.0
> 


Re: [j-nsp] Ansible juniper_junos -add license module?

2018-03-28 Thread Sander Steffann
Hi,

> The "xml-name" statement gives the name of the RPC used to access
> this command, which means the <request-license-add> RPC adds a
> license from either a <source> URL or a <key-data> string, and the
> <request-license-save> exports license data to a <destination> URL.

I tried that, and got an error message back saying that the license-add command 
is only supported on cli and not over RPC :'(

Cheers,
Sander



[j-nsp] cdn.juniper.net slow?

2018-03-28 Thread Franz Georg Köhler
Is cdn.juniper.net always slow? It only delivers between 500 and 1000 kilobit
per second to me while the traceroute looks fine and I am used to much faster
downloads from Akamai:

$ wget "https://cdn.juniper.net/software/junos/18.1R1.9/junos-install-mx-x86-64-18.1R1.9.tgz[...]"
--2018-03-28 17:30:14--  https://cdn.juniper.net/software/junos/18.1R1.9/junos-install-mx-x86-64-18.1R1.9.tgz[...]
Auflösen des Hostnamen »cdn.juniper.net (cdn.juniper.net)«... 23.37.55.189
Verbindungsaufbau zu cdn.juniper.net (cdn.juniper.net)|23.37.55.189|:443... verbunden.
HTTP-Anforderung gesendet, warte auf Antwort... 200 OK
Länge: 2726046587 (2,5G) [application/octet-stream]
In »»junos-install-mx-x86-64-18.1R1.9.tgz[...]«« speichern.

junos-install-mx-x86-64-18.1R1.9.tgz?SM_US 100%[>]   2,54G   933KB/s   in 39m 37s

2018-03-28 18:09:51 (1,09 MB/s) - »»junos-install-mx-x86-64-18.1R1.9.tgz[...]«« gespeichert [2726046587/2726046587]


$ mtr -r -w 23.37.55.189
Start: Wed Mar 28 18:13:48 2018
HOST: hermes                                                Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- gw-corpserv.dabuk47DB.frankfurt.de.velia.net         0.0%    10   59.7   7.9   1.3  59.7  18.2
  2.|-- gauss.router.frankfurt.de.velia.net                  0.0%    10    0.3   0.3   0.3   0.3   0.0
  3.|-- ae4.cr-antares.fra10.core.heg.com                    0.0%    10    0.5   0.4   0.3   0.9   0.0
  4.|-- ae2.cr-polaris.fra1.core.heg.com                     0.0%    10    0.4   1.4   0.4   9.9   3.0
  5.|-- ???                                                 100.0    10    0.0   0.0   0.0   0.0   0.0
  6.|-- a23-37-55-189.deploy.static.akamaitechnologies.com   0.0%    10    0.8   0.8   0.8   0.9   0.0




Re: [j-nsp] Ansible juniper_junos -add license module?

2018-03-28 Thread Phil Shafer
adamv0...@netconsultings.com writes:
>The problem is I need to hit enter after the license is passed and then also
>^D (ctrl+D) at the end and I'm not sure how would I go about doing that in
>junos_command. 

Not sure why these aren't documented but the functionality is there.
Here's the JUNOS DDL (think "YANG"):

    command add-license {
        help "Add license keys from file, local or from server";
        action acceptable mgd mgd_is_product_licensed;
        action execute mgd mgd_add_license_mgd;
        xml-name request-license-add;
        odl-tag add-license-results;
        argument source {
            help "URL of source license key file";
            type string;
        }
        argument key-data {
            help "License key data";
            type string;
        }
    }
    command save-license {
        help "Save license keys to file, local or to server";
        action acceptable mgd mgd_is_product_licensed;
        xml-name request-license-save;
        odl-tag none;
        action execute mgd mgd_save_license_mgd;
        argument destination {
            help "URL of destination license key file";
            type string;
        }
    }

The "xml-name" statement gives the name of the RPC used to access
this command, which means the <request-license-add> RPC adds a
license from either a <source> URL or a <key-data> string, and the
<request-license-save> exports license data to a <destination> URL.

In SLAX, that looks something like:

    var $rpc = <request-license-add> {
        <key-data> $my-data;
    }

Thanks,
 Phil


Re: [j-nsp] maximum-prefixes not enforced on option B gateways

2018-03-28 Thread James Bensley
On 28 March 2018 at 11:55, Pierre Emeriaud  wrote:
> Gents,
>
> I just noticed an issue on a couple of option B gateways in our
> network. The max-prefix within routing-instances is not enforced. It's
> although taken into account.
>
> This is on M120 running 12.3R6-S3 (yes I know, ancient. No, can't upgrade).

Do you have any other Junos versions that exhibit the same behavior?
Specifically do you see this on any newer Junos versions you maybe
running?

Cheers,
James.


Re: [j-nsp] maximum-prefixes not enforced on option B gateways

2018-03-28 Thread Pierre Emeriaud
>> Could you try 'maximum-paths' instead? Just as additional datapoint.

Unfortunately, after enabling the maximum-paths 2000 and disabling /
re-enabling the RI, it made no difference:

Mar 28 15:34:38  router rpd[1598]: RPD_RT_PATH_LIMIT_REACHED: Number of paths (3580) in table CUST-VRF-FOO.inet.0 still exceeds or equals configured maximum (2000)

still a weird issue, but no customer impact, so I don't really mind
about it. I was just curious.


[j-nsp] BGP EVPN, VXLAN and ECMP

2018-03-28 Thread Vincent Bernat
Hey!

I am trying to setup a Juniper QFX5100 as a VTEP with a very classic
setup. Everything works as expected, but the setup is only using one
possible path from the underlay network.

I have the route to the other VTEP like this:

# run show route 10.16.39.3

inet.0: 240 destinations, 1808 routes (240 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.16.39.3/32      *[BGP/140] 00:38:24, localpref 500, from 10.64.0.5
                      AS path: I, validation-state: unverified
                      to 10.64.0.23 via xe-0/0/46.181
                    > to 10.64.128.23 via xe-0/0/47.183
                    [BGP/140] 00:38:24, localpref 500, from 10.64.128.6
                      AS path: I, validation-state: unverified
                    > to 10.64.128.23 via xe-0/0/47.183
                    [BGP/140] 00:38:24, localpref 500, from 10.64.0.3
                      AS path: I, validation-state: unverified
                    > to 10.64.0.23 via xe-0/0/46.181

:vxlan.inet.0: 17 destinations, 21 routes (17 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.16.39.3/32      *[Static/1] 00:31:10, metric2 0
                    > to 10.64.128.23 via xe-0/0/47.183

So, from an IP point of view, I have two available routes to the other
VTEP. In the :vxlan.inet.0 table, only one route is kept. I suppose the
problem is at this point.

Looking at the forwarding table, I have only one indirect next-hop too:

# show route forwarding-table family ethernet-switching bridge-domain vlan-client1-543 extensive
   Routing table: default-switch.bridge [Index 4]
   Bridging domain: vlan-client1-543.bridge [Index 3]
   VPLS:
   Enabled protocols: Bridging, ACKed by all peers,

[...]
   Destination:  0a:e3:40:00:00:d9/48
     Learn VLAN: 0                   Route type: user
     Route reference: 0              Route interface-index: 575
     Multicast RPF nh index: 0
     P2mpidx: 0
     IFL generation: 142             Epoch: 0
     Sequence Number: 0              Learn Mask: 0x4000
     L2 Flags: control_dyn
     Flags: sent to PFE
     Next-hop type: composite        Index: 2045     Reference: 6
     Next-hop type: indirect         Index: 131317   Reference: 3
     Nexthop: 10.64.128.23
     Next-hop type: unicast          Index: 1928     Reference: 4
     Next-hop interface: xe-0/0/47.183

So, how to ensure the two possible next-hops are copied to the
":vxlan.inet.0" table?
-- 
Make input easy to prepare and output self-explanatory.
- The Elements of Programming Style (Kernighan & Plauger)


Re: [j-nsp] maximum-prefixes not enforced on option B gateways

2018-03-28 Thread Pierre Emeriaud
2018-03-28 13:47 GMT+02:00 Saku Ytti :
> Hey,
>
>> This is on M120 running 12.3R6-S3 (yes I know, ancient. No, can't upgrade).
>
> Then I recommend 'set system no-bugs'.

Error. Command not found. Please insert coin to conti^wupgrade.
:)

>> Anyone aware of a PR on this? Is this a known limitation?
>
> There are some PRs related to ways routes appear on RIB and that not
> all of these ways honour maximum-prefixes. One I found is PR1157842,
> but it's not really exact match to yours, provided your config is
> realistic and not cherry-picked example of what you believe is
> relevant to the problem.

Indeed, not exactly my issue, but that proves that max-prefix is not
always enforced.

> Could you try 'maximum-paths' instead? Just as additional datapoint.

Thanks, I'll try and report back.


Re: [j-nsp] maximum-prefixes not enforced on option B gateways

2018-03-28 Thread Saku Ytti
Hey,

> This is on M120 running 12.3R6-S3 (yes I know, ancient. No, can't upgrade).

Then I recommend 'set system no-bugs'.

> CUST-VRF-FOO.inet.0: 2594 destinations, 3572 routes (2594 active, 0
> holddown, 0 hidden)
> Limit/Threshold: 2000/1600 destinations
>  BGP:   3572 routes,   2594 active
>
>
> Mar 28 09:03:45  router rpd[1598]: RPD_RT_PREFIX_LIMIT_REACHED: Number
> of prefixes (2593) in table CUST-VRF-FOO.inet.0 still exceeds or
> equals configured maximum (2000)

> Anyone aware of a PR on this? Is this a known limitation?

There are some PRs related to ways routes appear on RIB and that not
all of these ways honour maximum-prefixes. One I found is PR1157842,
but it's not really exact match to yours, provided your config is
realistic and not cherry-picked example of what you believe is
relevant to the problem.
Could you try 'maximum-paths' instead? Just as additional datapoint.

-- 
  ++ytti


[j-nsp] maximum-prefixes not enforced on option B gateways

2018-03-28 Thread Pierre Emeriaud
Gents,

I just noticed an issue on a couple of option B gateways in our
network. The max-prefix within routing-instances is not enforced. It's
although taken into account.

This is on M120 running 12.3R6-S3 (yes I know, ancient. No, can't upgrade).

me@router> show configuration routing-instances CUST-VRF-FOO
instance-type vrf;
interface sp-2/2/0.1451;
route-distinguisher 64544:123456;
vrf-import [ CUST-POL-IN-FOO GEN-POL-BOTH-REJECT ];
vrf-export [ CUST-POL-OUT-FOO GEN-POL-BOTH-ACCEPT ];
vrf-table-label;
routing-options {
maximum-prefixes 2000 threshold 80;
auto-export;
}

me@router> show route summary table CUST-VRF-FOO
Autonomous system number: 64544

CUST-VRF-FOO.inet.0: 2594 destinations, 3572 routes (2594 active, 0
holddown, 0 hidden)
Limit/Threshold: 2000/1600 destinations
 BGP:   3572 routes,   2594 active


Mar 28 09:03:45  router rpd[1598]: RPD_RT_PREFIX_LIMIT_REACHED: Number
of prefixes (2593) in table CUST-VRF-FOO.inet.0 still exceeds or
equals configured maximum (2000)

CUST-VRF-FOO is not the only routing-instance affected, I have plenty
of them. I don't even have 1 holddown route on these boxen.

Anyone aware of a PR on this? Is this a known limitation?

thanks
---
pierre
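A check for the condition reported in this post, as an added example that is not part of the original message: it reads `show route summary` output and rpd syslog text and reports which routing tables sit at or above their configured limit. The sample input is constructed, modelled on the lines quoted in the post (CUST-VRF-BAR is invented for contrast), and the function names are hypothetical.

```python
import re

# Constructed sample input, modelled on the CLI output and syslog line quoted
# in this thread; CUST-VRF-BAR is a made-up second instance for contrast.
SUMMARY = """\
CUST-VRF-FOO.inet.0: 2594 destinations, 3572 routes (2594 active, 0
holddown, 0 hidden)
Limit/Threshold: 2000/1600 destinations

CUST-VRF-BAR.inet.0: 1700 destinations, 1900 routes (1700 active, 0
holddown, 0 hidden)
Limit/Threshold: 2000/1600 destinations
"""
SYSLOG = """\
Mar 28 09:03:45  router rpd[1598]: RPD_RT_PREFIX_LIMIT_REACHED: Number
of prefixes (2593) in table CUST-VRF-FOO.inet.0 still exceeds or
equals configured maximum (2000)
"""

TABLE_RE = re.compile(r"^(\S+): (\d+) destinations, \d+ routes")
LIMIT_RE = re.compile(r"^Limit/Threshold: (\d+)/(\d+) destinations")
LOG_RE = re.compile(
    r"RPD_RT_(PREFIX|PATH)_LIMIT_REACHED: Number of (?:prefixes|paths) "
    r"\((\d+)\) in table (\S+) still exceeds or equals configured maximum \((\d+)\)")

def table_status(summary):
    """Map table name -> (destinations, limit, threshold) for limited tables."""
    status, current = {}, None
    for line in summary.splitlines():
        line = line.strip()
        m = TABLE_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
        elif current and (m := LIMIT_RE.match(line)):
            status[current[0]] = (current[1], int(m.group(1)), int(m.group(2)))
    return status

def limit_events(syslog):
    """Return (kind, table, count, maximum) per limit-reached message."""
    text = " ".join(syslog.split())  # undo mail/terminal line wrapping
    return [(m.group(1).lower(), m.group(3), int(m.group(2)), int(m.group(4)))
            for m in LOG_RE.finditer(text)]

def classify(summary):
    """Label each limited table: 'over-limit', 'above-threshold' or 'ok'."""
    return {t: "over-limit" if d >= lim else "above-threshold" if d >= thr else "ok"
            for t, (d, lim, thr) in table_status(summary).items()}
```

A table that `classify` marks `over-limit` while `limit_events` keeps returning entries for it matches the symptom in the post: the limit is evaluated and logged, but routes above it are still installed.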


Re: [j-nsp] Ansible juniper_junos -add license module?

2018-03-28 Thread adamv0025
The problem is I need to hit enter after the license is passed and then also
^D (ctrl+D) at the end and I'm not sure how I would go about doing that in
junos_command.

So I tried to do it with the "shell:" basically creating expect script -that
adds the license but I can't successfully exit. 
-it just hangs there even though I send commands to exit the router and I
even use "exit 0" at the end. 

So I ended up calling a python script :)
-adjusted a script I'm using to paste base staging config -as once again I
could not find any juniper_junos module for amnesiac mode. (all the modules
kind of assume working ssh and netconf).

Thanks folks for all the suggestions,

adam 

netconsultings.com
::carrier-class solutions for the telecommunications industry::

> -Original Message-
> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf
> Of Nitzan Tzelniker
> Sent: Wednesday, March 28, 2018 12:57 AM
> To: j...@unistra.fr
> Cc: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] Ansible juniper_junos -add license module?
> 
> I don't think rpc will be good option as the command "request system license
> add " does not have rpc. Maybe junos_command will do it but I am not sure
>
> user@switch> request system license add  jj | display xml rpc
> <rpc-reply xmlns:junos="http://xml.juniper.net/junos/17.3R2/junos">
> 
> xml rpc equivalent of this command is not available.
> 
> 
> {master:0}
> 
> 
> 
> Nitzan
> 
> 
> On Mon, Mar 26, 2018 at 2:51 PM Jean Benoit  wrote:
> 
> > On Sun, Mar 25, 2018 at 03:59:14PM +0100, adamv0...@netconsultings.com wrote:
> > > [...]
> > > If not how can I send ^D (ctrl+D a.k.a end of file) in expect script
> > > please?
> >
> >
> > # ASCII 4: EOT (end of transmission)
> > set ctrlD \004
> >
> > send $ctrlD
> >
> > --
> > Jean