Re: [j-nsp] BFD Session

2017-03-27 Thread Masood Ahmad Shah
If it's an intermittent issue with Ping reachability, then check out
interface errors as well. On top of that, find out if there are any memory
errors (where data gets buffered) in the Syslog, i.e. CRC failing.

On Mon, Mar 27, 2017 at 8:55 AM, Jeff Haas  wrote:

>
> > On Mar 5, 2017, at 3:05 AM, Mohammad Khalil  wrote:
> >
> > Hi all
> > I have a BFD session between two routers (which was working normally)
> > Currently, the session is down from one side and init from the other
> > side
> > The ISIS adjacency is up
> > What could be the issue?
>
> The other comments in the thread support the observation here: You seem to
> have some form of half-duplexing issue.   You just need to figure out which
> side of the communication is getting dropped.
>
> -- Jeff
>
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>


Re: [j-nsp] Measure transit traffic to specific destination

2017-01-22 Thread Masood Ahmad Shah
If you don't wanna pay then make use of a free collector (aka opensource)
i.e.
http://www.ntop.org/ (I have had and used this +1)

Or more here:
https://www.pcwdld.com/free-open-source-netflow-analyzers




On Sat, Dec 31, 2016 at 2:41 AM, Matthew Crocker 
wrote:

>
> I’m sending IPFIX flows to Scrutinizer and can generate the type of
> reports you are looking for.   ‘All bandwidth from X ASN’, etc.
>
> https://www.plixer.com/products/scrutinizer/
>
> On 12/30/16, 2:16 AM, "juniper-nsp on behalf of Santanu Mandal" <
> juniper-nsp-boun...@puck.nether.net on behalf of
> santanumandal2...@gmail.com> wrote:
>
> Dear all,
> I want to measure the traffic bandwidth consumed for a specific
> destination IP from my organization. Say, how much bandwidth is consumed
> for destination x.x.x.x out of the total bandwidth in my ISP link.
>
> I have configured S-flow, but there I can see the total amount of traffic
> transferred over a period of time. But my concern is the data transfer rate
> consumed for this destination, not the total amount of data.
>
> I would be grateful if you can suggest a tool for this purpose or how to
> approach achieving this.
>
> Thanking you in advance
>
>
> Santanu

Re: [j-nsp] how to get maximum interface unit value in JUNOS script

2016-06-25 Thread Masood Ahmad Shah
The maximum value is 4096 (0-4095), when you create more than 4095 logical
units with VLAN encapsulation, the message "limit of 4096 vlans/dlcis
exceeded"

Here is Juniper reference:
http://kb.juniper.net/InfoCenter/index?page=content=KB28265=search

P.S: It may vary from hardware to hardware but I would go with 4096

On Sat, Jun 25, 2016 at 1:02 PM, Chen Jiang  wrote:

> Hi! Experts
>
> Sorry for disturbing, I want to use JUNOS OP script to auto-generate new
> interface configuration, but I don't know how to get maximum interface unit
> value in current configuration, have you solved this before and could you
> share an example?
>
> Thanks for your great help!
>
> --
> BR!
>
>
>
> James Chen
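Added example, not part of the original thread: the question asks for the highest unit already configured, so this Python sketch reads `show configuration interfaces | display set` text and returns the highest unit in use and the next free one per interface. The sample lines are constructed, the function names are hypothetical, and the 4096-unit limit (0-4095) is the figure from the reply above, taken as an assumption.

```python
import re

# Assumption: units 0-4095 are usable, per the figure quoted in the reply above.
UNIT_LIMIT = 4096

# Matches "set interfaces <ifd> unit <n> ..." and nothing under "set groups ...".
SET_UNIT = re.compile(r"^set interfaces (\S+) unit (\d+)(?:\s|$)")

# Constructed sample of "display set" output (not taken from a real device).
SAMPLE = [
    "set interfaces ge-1/1/8 vlan-tagging",
    "set interfaces ge-1/1/8 unit 55 vlan-id 55",
    "set interfaces ge-1/1/8 unit 55 family inet unnumbered-address lo0.55",
    "set interfaces ge-1/1/8 unit 56 vlan-id 56",
    "set interfaces lo0 unit 55 family inet address 5.5.5.5/32 primary",
    "set groups lab interfaces ge-1/1/8 unit 900 vlan-id 900",
]


def units_in_use(set_lines):
    """Map each physical interface to the set of unit numbers configured on it."""
    used = {}
    for line in set_lines:
        match = SET_UNIT.match(line.strip())
        if match:
            used.setdefault(match.group(1), set()).add(int(match.group(2)))
    return used


def max_unit(set_lines, ifd):
    """Highest unit configured on ifd, or None when it has no units."""
    units = units_in_use(set_lines).get(ifd)
    return max(units) if units else None


def next_free_unit(set_lines, ifd, limit=UNIT_LIMIT):
    """Unit number to use for a new logical interface on ifd.

    Prefers max+1; when that would exceed the limit, falls back to the
    lowest unused number, and raises ValueError when every unit is taken.
    """
    units = units_in_use(set_lines).get(ifd, set())
    candidate = max(units) + 1 if units else 0
    if candidate < limit:
        return candidate
    for unit in range(limit):
        if unit not in units:
            return unit
    raise ValueError(f"{ifd}: all {limit} units are in use")


if __name__ == "__main__":
    for name in ("ge-1/1/8", "lo0", "xe-0/0/0"):
        print(name, max_unit(SAMPLE, name), next_free_unit(SAMPLE, name))
```
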


Re: [j-nsp] MPC4D-32*GE Major Alarms

2016-02-14 Thread Masood Ahmad Shah
Some of the alarms are transient (should generate Syslog trap though), and
they generate a Chassis alarm upon occurrence (i.e. PFE<>Fabric plane took
a hit of CRC errors and then got recovered through fabric healing).
Sometimes Chassis does not clear alarm when the transient state gets
cleared and that requires a reboot treatment to the RE (yeah, Routing
Engine :)

I think chassisd (a daemon) is not getting signaled from the relevant other
processes when the states get cleared.

On Sun, Feb 14, 2016 at 6:39 PM, Alex K.  wrote:

> Hello everyone,
>
> For some time now, one of my customers is getting "major alarms" from the
> MPC mentioned above on one of their MX960s.
>
> The issue is that nothing more than that message (+alarm) seems to be
> present. Nothing preceding that error, neither in "log messages" nor in
> "chassisd". There seems to be output rate drop, at the time of those
> incidents till the MPC gets restarted (by the appropriate network team) and
> then everything gets back to normal.
>
> It's worth mentioning that they have a second MX960 serving the other half
> of their end-users, but configured exactly the same - which never had that
> issue (therefore it's probably not traffic related).
>
> They are running 12.3R6.6. The linecard was already replaced. There
> seems to be no trace options available for monitoring MPCs and their
> internal status and Juniper web site lacks potential explanations and
> leads, therefore I'm addressing the community - any advice for getting to
> the bottom of this, will be welcomed! Additionally, any experience with
> troubleshooting similar hardware issues might be as helpful as any advice.
>
> Thank you.


Re: [j-nsp] MX960 with 3 RE's?

2016-01-12 Thread Masood Ahmad Shah
RE can only be installed into the SCBs labeled 0 and 1, third additional
multi-functioning slot labeled 2/6 supports either a SCB (NO RE) or FPC
(aka MPC,DPC). Something like
https://www.safaribooksonline.com/library/view/juniper-mx-series/9781449358143/httpatomoreillycomsourceoreillyimages1327907.png.jpg

Cheers,
Masood

On Wed, Jan 13, 2016 at 3:21 PM, Colton Conor 
wrote:

> Then how do they have 3 RE's listed and housed in the picture? Is the 3 RE
> in the 3 SCB just in there, but would not be powered on or usable?
>
> On Tue, Jan 12, 2016 at 2:49 PM, Mark Tinka  wrote:
>
> >
> >
> > On 12/Jan/16 22:40, Colton Conor wrote:
> >
> > > Is it possible to have 3 RE's in a MX960? For example:
> > >
> > > http://www.ebay.com/itm/Juniper-MX960PREMIUM-DC-ECM-4x-PWR-MX960-DC-3x-SCB-MX960-3x-RE-S-2000-4096-/271739188162?hash=item3f44eaf3c2:g:Z~IAAOSwnDZT8lpv
> > > shows 3 RE's installed?
> > >
> > > The documentation I have seen shows that a MX960 can have 3 SCB's, but it
> > > mentions only 2 REs?
> >
> > The MX960 supports 3x SCB's for the switch fabric.
> >
> > However, only 2x SCB's can house RE's.
> >
> > >
> > > How does the RE-S-2000-4096 compare to a RES-1800X4-16G?
> >
> > The latter is 64-bit, faster and supports more memory.
> >
> > > How does the regular SCB compare to the Enhanced SCB?
> >
> > Faster switch fabric.
> >
> > Mark.
> >


Re: [j-nsp] Gracefully delete MPLS RSVP LSP

2015-12-16 Thread Masood Ahmad Shah
Raising LSP metric sounds good to me

On Wed, Dec 16, 2015 at 10:00 PM, tim tiriche  wrote:

> Hello,
>
> I have 2 LSP to the same destination.
>
> 1st LSP name = R1-R2-a
> 2nd LSP name = R1-R2-b
>
> I have link protection enabled.
>
> I want to delete the 1st LSP and wanted to know what is a graceful way to
> do this?
>
> Is there a way to shift traffic from 1st LSP to 2nd LSP?  I don't have LSP
> metric and rely on IGP metrics.
>
> eg: changing priorities, or can I introduce LSP metrics temporarily to 65k?
>
> Sincerely,
> --Tim


Re: [j-nsp] purpose of "commit check"?

2015-09-28 Thread Masood Ahmad Shah
Hi - "commit check" is just there to verify the syntax and integrity of the
configuration, but does not activate it. Pretty self explanatory as you
already explained it :-)

On Tue, Sep 29, 2015 at 7:24 AM, Martin T  wrote:

> Hi,
>
> when I commit the candidate configuration in Junos, I tend to execute
> "commit check" and if configuration check succeeds, then I execute
> "commit comment ". However, when I think about it, "commit
> (comment)" itself should perform those very same checks that "commit
> check" does. If yes, then what is the point of "commit check"? Only
> purpose I could see is to check the validity of the candidate
> configuration in the middle of the configuration process, i.e. to
> check if the changes made in candidate configuration so far are fine
> but the candidate configuration is not ready to be committed.
>
>
> thanks,
> Martin


Re: [j-nsp] OS upgrade

2015-06-12 Thread Masood Ahmad Shah
Here you have the official answer, pretty self explanatory:
http://www.juniper.net/techpubs/en_US/junos13.1/information-products/topic-collections/release-notes/13.1/index.html?topic-78897.html
 On 10 Jun 2015 8:35 pm, james list jameslis...@gmail.com wrote:

 Hi
 My question is more related to the official path... not to the procedure...

 from 11.4 do I have to pass to 12.X to arrive to 13.3 or can I jump
 directly ?



 2015-06-10 12:27 GMT+02:00 Jared Mauch ja...@puck.nether.net:

 
   On Jun 10, 2015, at 5:59 AM, james list jameslis...@gmail.com wrote:
  
   Question: can I upgrade from junos 11.4 (EEOL) to 13.3 (EEOL) directly or
   is there any constraint?
 
 
  I’ve generally not had issues upgrading from one release to the next, but
  it’s always useful to have console handy and to just use the full jinstall
  package with no-verify, etc to avoid issues.
 
  Once again, test your console/OOB before the upgrade :)
 
  - Jared

Re: [j-nsp] Ingress QoS Marking Now Fully Supported on MX Routers - Junos 14.2R3.8 Release

2015-05-17 Thread Masood Ahmad Shah
On Mon, May 18, 2015 at 12:39 AM, Chuck Anderson c...@wpi.edu wrote:

 Scroll down to the 4th top-level bullet:

 Support for packet marking schemes on a per-customer basis (MX Series
 only)


[Masood] I would say that this is incorrect and misleading. It should be MX
Series Trio based only and not an MX that runs with DPC's etc.




 On Sun, May 17, 2015 at 09:23:37PM +1000, Masood Ahmad Shah wrote:
  Thanks for sharing, Mark!
  Are you sure that it supports all Trio-based cards and afterwards...
  Juniper documentation confirms it for the Type-5 FPC (T4K) only though.
 
  On Sun, May 17, 2015 at 7:02 AM, Mark Tinka mark.ti...@seacom.mu wrote:
 
   Hi all.
  
   Gosh, what a road this has been!
  
   Some of you may recall I started moaning and chasing Juniper about this
   way back in 2008. Well, finally, we have reached the promised land.
  
   Junos 14.2R3.8 for the MX was released last night. Prior to its release,
   we have been testing an engineering version of 14.2R1, where Juniper
   developed support for ingress marking/re-marking of QoS values on
   traffic entering an MX router.
  
   As you know, Juniper have traditionally done marking/re-marking on
   egress, which did not provide sufficient granularity for us, and I am
   sure several others on this list. With 14.2R3.8, Juniper now support
   ingress marking/re-marking of QoS values, negating the need for egress
   marking if what you're looking for is fine-grained marking/re-marking.
  
   Juniper are calling the feature Policy Map. I can get into more details
   of how this would work if anyone is interested, but below are some key
   features you might find useful:
  
   a) Policy Map is currently supported only on the MX routers.
   b) Requires a minimum of Trio-based line cards.
   c) First shipping in Junos 14.2R3.8.
   d) Supported for IPP, DSCP, MPLS EXP, 802.1p and 802.1ad.
   e) Supported for the inet, inet6, ccc, vpls, mpls and any address
   families.
   f) Application can be either via the [class-of-service] hierarchy or
   via a firewall filter.
   g) Supersedes traditional Junos CoS Rewrite actions.
  
   You can find some basic details on the feature here:
  
   http://www.juniper.net/techpubs/en_US/junos14.2/information-products/topic-collections/release-notes/14.2/topic-83366.html#jd0e3370
  
   It's been a long time coming.
  
   I'm very pleased to see this feature, and hope the rest of you find it
   as useful as we do.
  
   Mark.


Re: [j-nsp] Ingress QoS Marking Now Fully Supported on MX Routers - Junos 14.2R3.8 Release

2015-05-17 Thread Masood Ahmad Shah
Thanks for sharing, Mark!
Are you sure that it supports all Trio-based cards and afterwards...
Juniper documentation confirms it for the Type-5 FPC (T4K) only though.

On Sun, May 17, 2015 at 7:02 AM, Mark Tinka mark.ti...@seacom.mu wrote:

 Hi all.

 Gosh, what a road this has been!

 Some of you may recall I started moaning and chasing Juniper about this
 way back in 2008. Well, finally, we have reached the promised land.

 Junos 14.2R3.8 for the MX was released last night. Prior to its release,
 we have been testing an engineering version of 14.2R1, where Juniper
 developed support for ingress marking/re-marking of QoS values on
 traffic entering an MX router.

 As you know, Juniper have traditionally done marking/re-marking on
 egress, which did not provide sufficient granularity for us, and I am
 sure several others on this list. With 14.2R3.8, Juniper now support
 ingress marking/re-marking of QoS values, negating the need for egress
 marking if what you're looking for is fine-grained marking/re-marking.

 Juniper are calling the feature Policy Map. I can get into more details
 of how this would work if anyone is interested, but below are some key
 features you might find useful:

 a) Policy Map is currently supported only on the MX routers.
 b) Requires a minimum of Trio-based line cards.
 c) First shipping in Junos 14.2R3.8.
 d) Supported for IPP, DSCP, MPLS EXP, 802.1p and 802.1ad.
 e) Supported for the inet, inet6, ccc, vpls, mpls and any address
 families.
 f) Application can be either via the [class-of-service] hierarchy or
 via a firewall filter.
 g) Supersedes traditional Junos CoS Rewrite actions.

 You can find some basic details on the feature here:



 http://www.juniper.net/techpubs/en_US/junos14.2/information-products/topic-collections/release-notes/14.2/topic-83366.html#jd0e3370

 It's been a long time coming.

 I'm very pleased to see this feature, and hope the rest of you find it
 as useful as we do.

 Mark.


Re: [j-nsp] Distributed PPM and LACP always goes into Queue 3. host-outbound-traffic knob has no effect -- bug?

2015-05-16 Thread Masood Ahmad Shah
Yeah host-outbound-traffic should change the distributed protocol handler
sourced traffic, however a firewall filter that uses the forwarding-class
and dscp actions to specify the override values on loopback will only
affect the RE sourced traffic and not the distributed protocol handler
sourced. Highly likely a bug then.


On Sat, May 16, 2015 at 4:44 PM, Huan Pham drie.huanp...@gmail.com wrote:

 Thanks Masood,

 This seems to be version specific and it is a bug on 11.4R7.5 (on MX5 I
 tested to be specific)

 On 12.3R8.7 I do not encounter this problem. The queue that (one hop) BFD
 is put on can be changed with host-outbound-traffic command (but still
 cannot be changed with lo0 firewall outbound filter).

 Thanks again,

 Huan


 On 15 May 2015, at 11:48 am, Masood Ahmad Shah masoodn...@gmail.com
 wrote:

 AFAIK host-outbound configuration or lo0 output filter will NOT influence
 the PFE generated traffic. Only the output interface filter can match the
 PFE generated traffic.

 Cheers,
 Masood

 On Fri, May 15, 2015 at 10:22 AM, Huan Pham drie.huanp...@gmail.com
 wrote:

 Hi list,

 I've tested in the lab and confirm that distributed PPM (e.g. one hop BFD)
 and LACP on MX does not honour host-outbound-traffic class of service nor
 outbound RE-reclassification filter. This traffic always gets into queue 3.
 Depending on your design, this behaviour could be a problem, especially if
 your queue 3 is not designed for critical traffic.
 Is it a bug? Is there any way to move this control traffic to a different
 queue?

 Thanks very much in advance.

 Huan


Re: [j-nsp] Distributed PPM and LACP always goes into Queue 3. host-outbound-traffic knob has no effect -- bug?

2015-05-14 Thread Masood Ahmad Shah
AFAIK host-outbound configuration or lo0 output filter will NOT influence
the PFE generated traffic. Only the output interface filter can match the
PFE generated traffic.

Cheers,
Masood

On Fri, May 15, 2015 at 10:22 AM, Huan Pham drie.huanp...@gmail.com wrote:

 Hi list,

 I've tested in the lab and confirm that distributed PPM (e.g. one hop BFD)
 and LACP on MX does not honour host-outbound-traffic class of service nor
 outbound RE-reclassification filter. This traffic always gets into queue 3.
 Depending on your design, this behaviour could be a problem, especially if
 your queue 3 is not designed for critical traffic.
 Is it a bug? Is there any way to move this control traffic to a different
 queue?

 Thanks very much in advance.

 Huan


Re: [j-nsp] JNCIS-SP study materials?

2015-04-24 Thread Masood Ahmad Shah
I highly recommend Juniper day one books:
http://www.juniper.net/us/en/training/jnbooks/day-one/

In addition to that Network Mergers And Migrations book by Gonzalo and Jan

All the best!

Cheers,
Masood

On Thu, Apr 23, 2015 at 2:07 PM, Pyxis LX pyxi...@gmail.com wrote:

 Hi, all.

 I have just passed my JNCIS-SP certification, and am looking for
 up-to-date JNCIP-SP study materials.

 I knew there was an old study guide for JNCIP-M which does not cover a
 number of new topics.
 (And there are some behavior changes between the version in this guide
 and the current version, which is quite confusing in some cases.)

 I think that I should prepare both JNCIP-SP and JNCIE-SP at the same
 time since the current JNCIP-SP is essentially the written test of
 JNCIE-SP?

 If this is correct, which up-to-date study materials are
 recommended (including the lab workbooks)?

 Thanks!

 -Nat


Re: [j-nsp] iBGP and IPv6

2015-04-16 Thread Masood Ahmad Shah
Can you provide a show route hidden extensive through pastebin.com or
something like that... Your pasting is not easily readable and that makes
it hard to help..

Cheers,
Masood

On Thu, Apr 16, 2015 at 5:07 AM, Jonathan Call lordsit...@hotmail.com
wrote:

 I apologize. The email looked fine when I got it back from the list.

 OSPF/OSPF3 are the IGP. When I shut them off the BGP route for the
 loopback disappears. Limiting IBGP to only export directly connected routes
 would prevent this scenario from happening at all but it does not explain
 why router1 will mark the IPv4 loopback route it received as
 hidden/unusable but the IPv6 loopback route is not.

 Jonathan

 Subject: Re: [j-nsp] iBGP and IPv6
 To: lordsit...@hotmail.com; juniper-nsp@puck.nether.net
 From: mark.ti...@seacom.mu
 Date: Wed, 15 Apr 2015 20:38:18 +0200

 Your pasting is not formatting well. Makes it hard to help you.

 Mark.

 On 15/Apr/15 20:23, Jonathan Call wrote:

  OSPF/OSPFv3 are the IGP, which apparently are feeding back into IBGP:

  With OSPFv3 enabled:

  2001:db8:4000::1/128*[Direct/0] 1w0d 21:13:49
      via lo0.1
    [OSPF3/10] 1w0d 21:13:44, metric 0
      via lo0.1
    [BGP/170] 00:00:18, MED 1, localpref 100, from 2001:db8:4000::2
      AS path: I
      to fe80:db8:4000:1::3 via ge-0/0/8.0

  With OSPFv3 disabled:

  vr-1.inet6.0: 8 destinations, 9 routes (8 active, 0 holddown, 0 hidden)
  + = Active Route, - = Last Active, * = Both

  2001:db8:4000::1/128*[Direct/0] 1w0d 21:10:41
      via lo0.1
    [OSPF3/10] 1w0d 21:10:36, metric 0
      via lo0.1

  Limiting IBGP to only export directly connected routes would
  prevent this. It still does not explain why router1 will mark
  the IPv4 loopback route it received as hidden/unusable but the
  IPv6 loopback route is not.

  Jonathan

  Subject: Re: [j-nsp] iBGP and IPv6
  To: lordsit...@hotmail.com; juniper-nsp@puck.nether.net
  From: mark.ti...@seacom.mu
  Date: Wed, 15 Apr 2015 18:02:30 +0200

  On 15/Apr/15 17:43, Jonathan Call wrote:

   Correct.  The BGP route for the router's IPv4 loopback is marked as
   hidden/unusable. It does not show up in show route extensive output.

  Is this Loopback IPv4 address known by any other routing protocol, e.g.,
  an IGP?

  Mark.




Re: [j-nsp] ARP on unnumbered interfaces

2015-01-10 Thread Masood Ahmad Shah
AFAIK, router uses the preferred source address when it is configured for
an unnumbered Eth interface, for arp requests and replies. arp requests
need to match the preferred source address, which is by default primary
interfaces

lo0 {
    unit 55 {
        family inet {
            address 5.5.5.5/32 {    # That would be this in your case.
                primary;
            }
            address 10.10.10.1/24;
            address 20.20.20.1/24;
        }
    }
}

More here:
http://www.juniper.net/documentation/en_US/junos13.2/topics/usage-guidelines/interfaces-configuring-an-unnumbered-interface.html

Cheers,
Masood

On Sun, Jan 11, 2015 at 2:34 AM, Mihai mihaigabr...@gmail.com wrote:

 Hello,

  After the migration of a large network from a Cisco 7600 to a MX104 a lot
 of users started to have random problems with their connection.
 The setup is based on unnumbered interfaces and /32 static routes through
 IFLs.
 Basically, all clients with Cisco routers will have at some point a
 missing ARP entry for their default gateway because the MX is changing the
 ARP source address from the gw_addr to the primary address. On Cisco I see
 the well known 'wrong cable' error.
 Does anyone have a clue why is this happening beside a bug? I've made some
 tests on MX960,MX480 and MX5 and didn't see this behavior.
 This is a lab simulation:


 mx# show

 interfaces {
     ge-1/1/8 {
         unit 55 {
             vlan-id 55;
             proxy-arp unrestricted;
             family inet {
                 unnumbered-address lo0.55;
             }
         }
         unit 56 {
             vlan-id 56;
             proxy-arp unrestricted;
             family inet {
                 unnumbered-address lo0.55;
             }
         }
     }
     lo0 {
         unit 55 {
             family inet {
                 address 5.5.5.5/32 {
                     primary;
                 }
                 address 10.10.10.1/24;
                 address 20.20.20.1/24;
             }
         }
     }
 }
 routing-options {
     static {
         route 20.20.20.2/32 {
             qualified-next-hop ge-1/1/8.55;
         }
         route 10.10.10.2/32 {
             qualified-next-hop ge-1/1/8.56;
         }
     }
     router-id 5.5.5.5;
 }

 mx monitor traffic interface ge-1/1/8.55 detail no-resolve matching arp
 Address resolution is OFF.
 Listening on ge-1/1/8.55, capture size 1514 bytes

 17:28:11.105586 Out arp who-has 20.20.20.2 tell 20.20.20.1
 17:28:11.106100  In arp reply 20.20.20.2 is-at 00:1e:4a:fc:44:84
 17:29:20.504891 Out arp who-has 20.20.20.2 tell 20.20.20.1
 17:29:20.505375  In arp reply 20.20.20.2 is-at 00:1e:4a:fc:44:84
 17:30:30.104188 Out arp who-has 20.20.20.2 tell 20.20.20.1
 17:30:30.104632  In arp reply 20.20.20.2 is-at 00:1e:4a:fc:44:84

 .

 17:53:01.790690 Out arp who-has 20.20.20.2 tell 5.5.5.5
 17:54:05.690056 Out arp who-has 20.20.20.2 tell 5.5.5.5

 Thanks!
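Added example, not part of the original thread: a Python check that replays the ARP lines from the capture quoted above against the lo0.55 addresses from the lab configuration, and flags requests whose "tell" address is not the local address on the target's subnet or that never get a reply. Function and variable names are assumptions made for this illustration.

```python
import ipaddress
import re

# Addresses configured on lo0.55 in the lab configuration quoted in the thread.
LO0_ADDRESSES = ["5.5.5.5/32", "10.10.10.1/24", "20.20.20.1/24"]

# ARP lines from the "monitor traffic" output quoted in the thread.
CAPTURE = """\
17:28:11.105586 Out arp who-has 20.20.20.2 tell 20.20.20.1
17:28:11.106100  In arp reply 20.20.20.2 is-at 00:1e:4a:fc:44:84
17:29:20.504891 Out arp who-has 20.20.20.2 tell 20.20.20.1
17:29:20.505375  In arp reply 20.20.20.2 is-at 00:1e:4a:fc:44:84
17:30:30.104188 Out arp who-has 20.20.20.2 tell 20.20.20.1
17:30:30.104632  In arp reply 20.20.20.2 is-at 00:1e:4a:fc:44:84
17:53:01.790690 Out arp who-has 20.20.20.2 tell 5.5.5.5
17:54:05.690056 Out arp who-has 20.20.20.2 tell 5.5.5.5
"""

REQUEST = re.compile(r"^(\S+)\s+Out arp who-has (\S+) tell (\S+)$")
REPLY = re.compile(r"^(\S+)\s+In arp reply (\S+) is-at (\S+)$")


def expected_sender(target, interfaces):
    """Local address that shares a subnet with the target, or None."""
    for iface in interfaces:
        if target in iface.network:
            return iface.ip
    return None


def audit_arp(capture, addresses=LO0_ADDRESSES):
    """Return one record per outbound ARP request seen in the capture text."""
    interfaces = [ipaddress.ip_interface(a) for a in addresses]
    findings = []
    pending = {}  # target address -> latest request still waiting for a reply
    for raw in capture.splitlines():
        line = raw.strip()
        req = REQUEST.match(line)
        if req:
            target = ipaddress.ip_address(req.group(2))
            sender = ipaddress.ip_address(req.group(3))
            want = expected_sender(target, interfaces)
            finding = {
                "time": req.group(1),
                "target": str(target),
                "sender": str(sender),
                "expected": str(want) if want is not None else None,
                # A client on the target's subnet only trusts an on-link sender.
                "sender_ok": want is not None and sender == want,
                "answered": False,
            }
            findings.append(finding)
            pending[target] = finding
            continue
        rep = REPLY.match(line)
        if rep:
            waiting = pending.pop(ipaddress.ip_address(rep.group(2)), None)
            if waiting is not None:
                waiting["answered"] = True
    return findings


def suspicious(findings):
    """Requests sent from an off-subnet address or left unanswered."""
    return [f for f in findings if not f["sender_ok"] or not f["answered"]]


if __name__ == "__main__":
    for f in suspicious(audit_arp(CAPTURE)):
        print(f"{f['time']} who-has {f['target']}: sent from {f['sender']}, "
              f"expected {f['expected']}, answered={f['answered']}")
```
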


Re: [j-nsp] MX80 Sampling - High CPU

2015-01-06 Thread Masood Ahmad Shah
Jordan,

How does CPU utilization look during these 3 minutes (even a minute before
and after)?
How many routes (prefixes) do you have in the RIB (not just active, the total
number of prefixes that are being scanned to find out the best routes
adj-in-rib)?
With 14.1R3.5, did you use rpd-64bit or 32bit?

Cheers,
Masood

On Sun, Jan 4, 2015 at 9:30 AM, Jordan Whited jwhited0...@gmail.com wrote:

 I don't have any issues when sampling is disabled.

 No improvement from what I can tell between 12.3R8.7 and 14.1R3.5. Still
 seeing active-paths in the RIB advertised to other neighbors for upwards of
 3 minutes before they are installed in the FIB.

 On Sat, Dec 13, 2014 at 3:34 AM, MSusiva ssiva1...@gmail.com wrote:

  I assume, the 3mins result is with sampling?
  What is the result without sampling?
  Did you test in 14.1 with sampling?
 
  Thank You


Re: [j-nsp] MX480 SCB firmware issue

2015-01-01 Thread Masood Ahmad Shah
It could also be a hardware issue in either the referenced scb0 or back
connector. Have you tried the following:

Re-seat the scb in its slot, and then check for bent pins at this time (you
can use a flashlight)
Swap the scb0 with a spare (Or borrow one from another slot 1, 2)

Cheers,
Masood

On Tue, Dec 30, 2014 at 5:29 AM, Dave Peters - Terabit Systems 
d...@terabitsystems.com wrote:

 Thanks a lot for the information.

 It's definitely an SCBE (not a 2), but I tried upgrading to a 13 version
 just in case. Same FPGA revision error, and same firmware dead end.

 I appreciate the help. If anyone else has any pointers, let me know.

 -Original Message-
 From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf
 Of Tobias Heister
 Sent: Tuesday, December 23, 2014 2:54 PM
 To: juniper-nsp@puck.nether.net
 Subject: Re: [j-nsp] MX480 SCB firmware issue

 Hi,

 On 23.12.2014 at 23:23, Dave Peters - Terabit Systems wrote:
  1 alarm currently active
  Alarm time   Class  Description
  2014-12-23 21:50:13 UTC  Major  CB 0 FPGA Revision unsupported
 
  In looking over the Juniper documentation, there's a request system
 firmware command to update the SCB, but unfortunately, I'm not seeing that
 option (meaning request system ? doesn't reveal firmware as a
 possibility). I'm also not seeing any specific BIOS/firmware files in the
 download section of the Juniper MX Series portion of the Juniper website.

 It is a hidden command, so you have to manually complete it. After the
 firmware it starts to auto complete:

  request system firmware ?
  Possible completions:
downgrade
upgrade

  request system firmware upgrade ?
  Possible completions:
fpc  Upgrade FPC ROM monitor
pic  Upgrade PIC firmware
vcpu Upgrade VCPU ROM monitor

 The output above is from an MX240 with SCB.

 I have never seen that error showing up but from what I have seen on
 similar situations the firmware should be embedded in junos and the
 firmware upgrade should just work without additional files. But SCB seems
 not to be a valid upgrade target on MX:

  request system firmware upgrade scb
  error: command is not valid on the mx480

 tested on MX480 with SCBE

 Would you by any chance have bought SCBE2 (they would probably not been
 available in used condition) instead of SCB. Just asking because SCBE2 is
 supported starting from 13.something and does not work in 12.3

 --
 Kind Regards
 Tobias Heister


Re: [j-nsp] Moving routes between VRF and inet.0

2014-04-19 Thread Masood Ahmad Shah
Here is how I would do that:

1. Import the routes into inet.0 by rib-groups (that is what you have
already done, great)
2. Assuming PE-CE interface is 1.1.1.0/30 and working on the PE
3. Also I would not use “accept all” when doing import/export, so I created
a policy for that too.

routing-instances {
    floating {
        routing-options {
            interface-routes {
                ## required for inet.0 to reach out to the next-hop of BGP routes
                rib-group inet COPY_FLOAT_TO_GLOBAL;
            }
        }
        protocols {
            bgp {
                group CE {
                    family inet {
                        unicast {
                            rib-group COPY_FLOAT_TO_GLOBAL;
                        }
                    }
                    neighbor 1.1.1.1 {
                        peer-as ABCD;
                    }
                }
            }
        }
    }
}

policy-options {
    policy-statement pol-accept {
        term MY_ROUTES {
            from {
                route-filter xx.yy.220.61/32 exact;   # required prefix
                route-filter 1.1.1.0/30 exact;        # pe-ce bgp next-hop interface route
            }
            then accept;
        }
        term NO_LEAKS {
            then reject;
        }
    }
}

routing-options {
    rib-groups {
        COPY_FLOAT_TO_GLOBAL {
            import-rib [ floating.inet.0 inet.0 ];    # Primary table floating.inet.0
            import-policy pol-accept;
        }
    }
}


Cheers,
Masood


On Sat, Apr 19, 2014 at 6:01 PM, Tom Eichhorn t...@wirkbetrieb.net wrote:

 Dear all,

 I am currently fighting a bit with rib-groups, and I hope someone
 could point me in the right direction:

 What I have is:

 floating.inet.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
 + = Active Route, - = Last Active, * = Both

 xx.yy.220.61/32   *[BGP/170] 00:10:28, localpref 100, from xx.yy.221.101
   AS path: 64512 ?
  to xx.yy.221.102 via ge-0/0/0.0, Push 20

 I am getting a route from a contrail controller towards my router,
 this is so far working fine. But I need this route in the default table
 inet.0.

 So I tried with RIB-groups:

 teichhorn@firefly-contrail show configuration routing-options

 }
 rib-groups {
 COPY_FLOAT_TO_GLOBAL {
 import-rib [ floating.inet.0 inet.0 ];
 import-policy pol-accept;
 }
 }

 pol-accept simply accepts all - but the route is not being copied and I
 have no clue why - the rib group magic was always voodoo for me...

 Any idea or best practices to solve with another way?

 Thanks,
 Tom

Re: [j-nsp] Verifying Juniper ECMP

2014-04-19 Thread Masood Ahmad Shah
See inline, prefixed [Masood] ...


On Thu, Apr 17, 2014 at 1:09 AM, John Neiberger jneiber...@gmail.com wrote:

 Another question: if a link in a ECMP bundle goes down and then comes
 back up later, do things end up hashed and balanced the same way they were
 prior to the link going down, or is there some amount of randomness to it?


[Masood] You may not see traffic balanced instantly, because existing flows
will NOT move to the newly added member. Only new flows will get hashed
across the members and then the new member will have his fair share of good
luck :) However, the following things may happen and make load balancing
more fun:

1. incorrect load balancing by aggregate next hops
2. incorrect packet hash computation
3. insufficient variance in the packet flow
4. incorrect pattern selection

You may look for Adaptive Load Balancing, a Juniper method to balance
traffic across LAG members (that focuses more on the weights, the bandwidth
and packet stream of link) but that has its own pros and cons.


 If I check a certain flow and see that it is hashed to a particular link,
 is it a fair bet that it was hashed to that same link prior to the link
 going down?


[Masood] AFAIK, #Junos does not keep track of it and I wonder if any other
vendor would do that.



 Thanks,
 John


 On Tue, Apr 15, 2014 at 12:07 PM, John Neiberger jneiber...@gmail.com
 wrote:

  Holy cow. I never would have figured that one out, and the two Juniper
  engineers I asked had no idea how to do it. I appreciate the help!
 
  Thanks,
  John
 
 
  On Tue, Apr 15, 2014 at 3:50 AM, Olivier Benghozi 
  olivier.bengh...@wifirst.fr wrote:
 
  Hi John,
 
  as usual with Juniper it's ridiculously overcomplicated, David Roy wrote
  a fine article about that, at least for MX with DPC:
 
 
 http://www.junosandme.net/article-junos-load-balancing-part-3-troubleshooting-109382234.html
 
 
  Olivier
 
  On 15 Apr 2014, at 04:01, John Neiberger jneiber...@gmail.com wrote:
   I know that ECMP is, by default, based on a hash of source and destination
   IP address, and I know that we can see the available paths by doing show
   route forwarding-table destination prefix, but is there a way to
   determine which path a particular flow is using?
  
   For those of you familiar with Cisco, I'm looking for an equivalent to
   show cef exact-route.
 

Re: [j-nsp] WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS IMAGE

2014-03-21 Thread Masood Ahmad Shah
Perhaps the file system became corrupted, most likely due to a sudden power
loss, or ungraceful shutdown. I would not worry, as long as both of the
partitions are healthy, then no issue with running switch on either of
them.

Just make sure that both of the partitions are healthy, so that fail over
can be done when needed. The following URL will point you how to recover
from this sort of condition. Just start from Step-by-step recovery
procedure for this situation: http://goo.gl/BoUUlA

Cheers,
Masood

On Fri, Mar 21, 2014 at 5:23 PM, Victor Sudakov v...@mpeks.tomsk.su wrote:

 Colleagues,

 What could be the reason that an EX4200-24T occasionally boots from the
 secondary copy?

 If I request system reboot slice alternate media internal, it will
 boot from the Active Partition all right. This means the Active
 Partition is operational, isn't it?

 But sometimes, one day, the switch will eventually boot from the
 Backup Partition again.

 What gives?

 TIA for any ideas.

 --
 Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
 sip:suda...@sibptus.tomsk.ru


Re: [j-nsp] problem with ospf between linux/quagga and JunOS via GRE interface

2010-11-22 Thread Masood Ahmad Shah
Check the MTU


On 20-Nov-2010, at 3:53 PM, Sergey wrote:

 On Saturday 20 November 2010, you wrote:
 
 I attempted to remove point-to-point. No effect.:-(
 
 You possibly need it on the interface - but you ALSO need it under 
 protocols
 
 It has no effect. And I can not understand why I do not see any incoming
 OSPF traffic on the gr-1/2/0.2 from Linux side, but I see it if I change
 Linux box to Cisco.
 
 -- 
 Regards,
 Sergey




Re: [j-nsp] Recover/Reset Passwd on juniper netscreen

2009-10-24 Thread Masood Ahmad Shah
I would go with power-it; you cannot recover the password without resetting
the unit to factory defaults. On other devices of Juniper like routers there
are ways to do this but not on firewall devices.

As you do not have a copy of the current configuration, then I would say let
it run as long as it can without making any change and then reset and
reconfigure from scratch when you absolutely need to make a change.

Kind Regards,
Masood

-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of George
Sent: Saturday, October 24, 2009 1:09 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Recover/Reset Passwd on juniper netscreen

Hello 

How do I recover/reset the root password on juniper netscreen 5gt?

I need a step by step guide guaranteed of working since I don't want to
lose my configs.

Regards
George


Re: [j-nsp] tacplus on EX3200

2009-08-09 Thread Masood Ahmad Shah
JUNOS gives you very flexible AAA services. I would suggest you should not
use the remote user template on a live production box. Configuring a single remote
user template account requires that all users (once again keep in mind ALL
users) without individual configuration entries share the same class and
UID.

When you are using TACACS and telnet or TACACS and SSH together, you can
specify a different template user other than the remote user. I would
suggest you configure alternate template users and specify the
user-name parameter (Custom Attributes 'local-user-name=insert username
here') returned in the TACACS authentication response packet. You'll need to
configure a template account on the Juniper device which matches the
username you specify as the local-user-name in your TACACS+ server. This
template account should be bound to the class you want to assign these
users.

Find below a template for JUNOS and the TACACS server.
Here is JUNOS: Read the comments in braces

system {
    authentication-order [ tacplus password ]; (please authenticate me
        using tacplus server first)
    tacplus-server {
        x.x.x.y { (Your TACACS server address)
            secret blahblahblah; ## SECRET-DATA (TACACS secret key, it
                should be the same as the one you have configured on the server)
            timeout 5;
            source-address x.x.y.x; (your TACACS server must be
                reachable using this source address, and you should have an
                entry in the TACACS server for this particular source)
        }
    }
}

Here is TACACS:
If you don't wanna use remote user. Alternatively, you could just put the
following in your TACACS+ Configuration file on the TACACS Server, and bind
user with this particular server. You can use local-user-name attribute for
a specific user as well.

service = junos-exec {
    local-user-name = username-local-to-router
    allow-commands = allow-commands-regexp
    allow-configuration = allow-configuration-regexp
    deny-commands = deny-commands-regexp
    deny-configuration = deny-configuration-regexp
}

Regards,
Masood
Blog: http://weblogs.com.pk/jahil/


-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Nalkhande Tarique
Abbas
Sent: Sunday, August 09, 2009 6:01 PM
To: Bill Blackford; Walaa Abdel razzak
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] tacplus on EX3200


Do you have a remote user configured? Pls try to add this ..

system {
    login {
        user remote {
            full-name "All remote users";
            uid 2001;
            class super-user;
        }
    }
}


 
Thanks & Regards,
Tarique A. Nalkhande

-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Bill Blackford
Sent: Sunday, August 09, 2009 8:29 PM
To: Walaa Abdel razzak
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] tacplus on EX3200

authentication-order [ tacplus password ];

-b

-Original Message-
From: Walaa Abdel razzak [mailto:wala...@bmc.com.sa] 
Sent: Sunday, August 09, 2009 7:51 AM
To: Bill Blackford; juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] tacplus on EX3200

Hi 

Did you check the authentication order on the router? Tacacs log on the
server?


BR,
Walaa Abdel Razzak


-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Bill Blackford
Sent: Sunday, August 09, 2009 5:23 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] tacplus on EX3200

I'm struggling with getting tacplus working on my EX's and was hoping
someone on the list has successfully done this.

tacplus-server {
###.###.###.### {
port 49;
secret my secret; ## SECRET-DATA
timeout 5;
single-connection;
}
}



I currently have local accounts with two profiles.
super-user and:
class NOC {
permissions [ view view-configuration ];

I would want to integrate these two profiles into tacacs as well, but
for now I'd like to just get it to authenticate.

Tacacs is doing passthrough to AD and works fine with Cisco or extreme
devices.
What am I missing?

Thanks

-b

--
Bill Blackford 
Senior Network Engineer
Technology Systems Group   
Northwest Regional ESD 

my /home away from home
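
Added example (not part of the thread, and not Juniper or TACACS+ server code): a small Python check for the risk discussed in the tacplus thread above, where a shared "remote" template gives every TACACS+-authenticated user without a local-user-name the same class. The configuration text is constructed; the template name tac-noc and the 192.0.2.10 server address are assumptions.

```python
import re

# Constructed sample input (not taken from the thread's routers): the shared
# "remote" template next to a per-role template user. The name tac-noc is
# hypothetical; it is what the TACACS+ server would return as local-user-name.
SAMPLE_CONFIG = '''
system {
    authentication-order [ tacplus password ];
    tacplus-server {
        192.0.2.10 {
            secret "$9$constructed#placeholder"; ## SECRET-DATA
            timeout 5;
        }
    }
    login {
        class NOC {
            permissions [ view view-configuration ];
        }
        user remote {
            full-name "All remote users";
            uid 2001;
            class super-user;
        }
        user tac-noc {
            uid 2002;
            class NOC;
        }
    }
}
'''

# Quoted strings are matched before comments so a '#' inside a secret survives.
TOKEN = re.compile(
    r'"[^"]*"|#[^\n]*|/\*.*?\*/|\[[^\]]*\]|[{};]|[^\s{};]+', re.S)


def parse_junos(text):
    """Parse curly-brace Junos configuration text into nested dicts."""
    tokens = [t for t in TOKEN.findall(text) if not t.startswith(('#', '/*'))]
    pos = 0

    def block():
        nonlocal pos
        node, words = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == '{':        # "user remote {" opens a sub-stanza
                node[' '.join(words)] = block()
                words = []
            elif tok == ';':      # "class super-user;" is a leaf statement
                if words:
                    node[words[0]] = ' '.join(words[1:])
                words = []
            elif tok == '}':
                break
            else:
                words.append(tok)
        return node

    return block()


def audit_remote_login(text):
    """Return (users, findings) for the template accounts under system login."""
    system = parse_junos(text).get('system', {})
    login = system.get('login', {})
    order = re.findall(r'[\w-]+', system.get('authentication-order', ''))
    remote_auth = [m for m in order if m in ('tacplus', 'radius')]
    users = {k.split()[1]: v.get('class', '') for k, v in login.items()
             if k.startswith('user ') and isinstance(v, dict)}
    classes = {k.split()[1]: v.get('permissions', '') for k, v in login.items()
               if k.startswith('class ') and isinstance(v, dict)}
    findings = []
    if remote_auth and 'remote' in users:
        cls = users['remote']
        perms = re.findall(r'[\w-]+', classes.get(cls, ''))
        # super-user (alias superuser) and "permissions all" grant everything.
        full = cls in ('super-user', 'superuser') or 'all' in perms
        findings.append((
            'HIGH' if full else 'INFO',
            f"shared template 'remote' gives class {cls} to every "
            f"{'/'.join(remote_auth)} user without a local-user-name"))
    return users, findings


if __name__ == '__main__':
    users, findings = audit_remote_login(SAMPLE_CONFIG)
    for name, cls in users.items():
        print(f'template/local user {name}: class {cls}')
    for severity, message in findings:
        print(f'[{severity}] {message}')
```
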

Re: [j-nsp] BGP load-balancing

2009-03-24 Thread Masood Ahmad Shah
You don't need to configure per packet-load balance during the JNCIP-M lab.
All you have to do is multipath..

Regards,
Masood


-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Aamir Saleem
Sent: Tuesday, March 24, 2009 1:31 PM
To: Arda Balkanay
Cc: Juniper Puck
Subject: Re: [j-nsp] BGP load-balancing

This is what I am pointing to: by enabling per packet-load balance we are
able to load balance to RIP prefix. But in the JNCIP-M study guide book the author
didn't implement per-packet load balance in the case study solution. Only
multipath is enabled to load balance the RIP prefix. Is the statement given in
the case study of iBGP ambiguous or do we have to explicitly enable
per-packet load balance to achieve the case study requirement?

Regards.

Aamir


Re: [j-nsp] L2TPv3

2009-03-10 Thread Masood Ahmad Shah
Yea, Juniper M Series does not support L2TPv3 at this time, and there is no
roadmap for it anytime in the near future. You can use l2circuit over
GRE/IP-IP tunnel.

JUNOS now supports MPLS-in-GRE & MPLS-in-IP. You guys can now encapsulate the
MPLS label stack for a packet with an IP header, making it possible to
tunnel MPLS over networks that do not have MPLS enabled on their core
routers. The following URL will confirm this.

http://tinyurl.com/cb3dte

Regards,
Masood


-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Samit
Sent: Monday, March 09, 2009 3:32 PM
To: juniper-nsp
Subject: [j-nsp] L2TPv3

Hi,

I read some old post in this list regarding L2TPv3 not being supported
on M series, it is still not supported am I right?

Regards,
Samit



Re: [j-nsp] ispf support on Juniper routers

2009-03-05 Thread Masood Ahmad Shah
JUNOS software does not support ISPF but does perform partial route
calculations when the OSPF topology is stable and only routing information
changes, you can mix this process up even further with spf-options...I guess
you will have ispf (enable/disable) in same hierarchy :)

ja...@r1# top set protocols ospf spf-options ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  delay                Time to wait before running an SPF (50..8000 milliseconds)
  holddown             Time to hold down before running an SPF (2000..2 milliseconds)
  rapid-runs           Number of maximum rapid SPF runs before holddown (1..5)
{master}[edit]

Regards,
Masood



-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Stefan Fouant
Sent: Thursday, March 05, 2009 4:22 PM
To: Andrew Jimmy; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] ispf support on Juniper routers

Yes it does.  Jeff Doyle speaks of this in his book 'OSPF vs. IS-IS'.
I am mobile right now and don't have my book here for reference, but
IIRC Juniper supports incremental SPF runs when the additions to a
given node are stub networks only. Harry
Reynolds and many other knowledgeable folks are on this list - I'm
sure they will correct me if I am wrong.



On 3/5/09, Andrew Jimmy go...@live.com wrote:
 Does Juniper router support ispf feature so that router only recalculate a
 portion of the Shortest Path Tree when receive local link state
 advertisements



 Cisco

 router ospf 1

 ispf



-- 
Sent from Gmail for mobile | mobile.google.com

Stefan Fouant

Stay the patient course.
Of little worth is your ire.
The network is down.


Re: [j-nsp] bgp maxas-limit - JUNOS equivalent ???

2009-02-20 Thread Masood Ahmad Shah
I agreed with something Jared said. You never know whom you are going to
connect next to (Cisco :)). 

Save yourself n Save Others

Regards,
Masood


-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Jared Mauch
Sent: Friday, February 20, 2009 10:34 PM
To: Richard A Steenbergen
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] bgp maxas-limit - JUNOS equivalent ???


On Feb 20, 2009, at 12:13 PM, Richard A Steenbergen wrote:

 On Fri, Feb 20, 2009 at 02:21:24PM +0100, david@orange-ftgroup.com wrote:

 Hi,

 You can do it via a policy like this :

 Here MAX AS PATH equal to 20.

 Don't get too overzealous here. From my perspective I currently see over
 160 prefixes with as-path = 20, so blocking them would break legitimate
 announcements for no good reason. There was nothing out-of-spec or
 invalid about the  255 as-path, it was purely an implementation bug on
 vendor C's part.

I really feel the need to echo this, if you have a cisco device that
reset the bgp session as a result of this (technically) valid AS-PATH
you need to be careful to not suppress valid routes and isolate your
network from part of the world.  Perhaps you don't care, but having
seen people not update bogon prefix lists, I fear the same here if not
well maintained.  You really should manage your IOS code as necessary
and not add these config bits until you know when you're removing them.

- Jared


Re: [j-nsp] SNMP issue...

2009-02-20 Thread Masood Ahmad Shah
This is what it should be like r...@testcommunity

HTH

Regards,
Masood

-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Nilesh Khambal
Sent: Saturday, February 21, 2009 12:53 AM
To: Derick Winkworth
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] SNMP issue...

Are you querying like communityn...@instance-name. In your case it 
will be testcommun...@rdi. If not can you try that.

Thanks,
Nilesh.


Derick Winkworth wrote:
 #
 Feb 20 17:44:54 snmpd[4d88b0c2]

 Feb 20 17:44:54 snmpd[4d88b0c2]  Get-Next-Request
 Feb 20 17:44:54 snmpd[4d88b0c2]   Source:  10.254.0.33
 Feb 20 17:44:54 snmpd[4d88b0c2]   Destination: 10.254.23.2
 Feb 20 17:44:54 snmpd[4d88b0c2]   Version: SNMPv2
 Feb 20 17:44:54 snmpd[4d88b0c2]   Request_id:  0x4d88b0c2
 Feb 20 17:44:54 snmpd[4d88b0c2]   Community:   testcommunity
 Feb 20 17:44:54 snmpd[4d88b0c2]   Error:   status=0 / vb_index=0
 Feb 20 17:44:54 snmpd[4d88b0c2]OID  : mib_2
 Feb 20 17:44:54 snmpd[4d88b0c2]

 Feb 20 17:44:54 SNMPD_AUTH_FAILURE: nsa_initial_embedcomm: unauthorized SNMP community from 10.254.0.33 to unknown community name (testcommunity)
 ###
 
 
 
 and here is the config...
 
 
 
 [edit snmp]
 juni...@bd-bottom-m120# show
 
 community testcommunity {
     authorization read-only;
     routing-instance RDI;
 }
 routing-instance-access;
 traceoptions {
     file snmp;
     flag all;
 }
 
 
 The traffic is coming in on the RDI routing-instance, which is what we
want...
 
 Any ideas?  The community string is valid.

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
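
Added example (not from the thread): triage of SNMPD_AUTH_FAILURE lines like the one in the trace above, separating a poller that sent a community bound to a routing instance without the instance context from a source that tries several unknown communities. Only the first sample line follows the thread's log; the other lines, the 192.0.2.77 source and the threshold of three are constructed assumptions.

```python
import re
from collections import defaultdict

# Communities as configured in the thread's [edit snmp] stanza:
# community name -> routing instance it is bound to (None = not bound).
CONFIGURED = {"testcommunity": "RDI"}

# First line follows the thread's log; the remaining lines are constructed.
SAMPLE_LOG = """\
Feb 20 17:44:54 SNMPD_AUTH_FAILURE: nsa_initial_embedcomm: unauthorized SNMP community from 10.254.0.33 to unknown community name (testcommunity)
Feb 20 17:45:10 SNMPD_AUTH_FAILURE: nsa_initial_embedcomm: unauthorized SNMP community from 192.0.2.77 to unknown community name (public)
Feb 20 17:45:11 SNMPD_AUTH_FAILURE: nsa_initial_embedcomm: unauthorized SNMP community from 192.0.2.77 to unknown community name (private)
Feb 20 17:45:12 SNMPD_AUTH_FAILURE: nsa_initial_embedcomm: unauthorized SNMP community from 192.0.2.77 to unknown community name (monitor)
Feb 20 17:45:30 snmpd[4d88b0c2]   Community:   testcommunity
"""

FAILURE = re.compile(
    r"SNMPD_AUTH_FAILURE: \S+ unauthorized SNMP community "
    r"from (?P<src>\S+) to unknown community name \((?P<community>[^)]*)\)")


def triage(log_text, configured=CONFIGURED, guess_threshold=3):
    """Classify each source address seen in SNMPD_AUTH_FAILURE lines.

    missing-instance-context: the community exists but is bound to a routing
        instance, so the rejection points at the poller's query (heuristic).
    community-guessing: the source tried at least guess_threshold distinct
        communities that are not configured at all.
    unknown-community: anything else that was rejected.
    """
    per_source = defaultdict(lambda: {"bound": set(), "unknown": set()})
    for line in log_text.splitlines():
        match = FAILURE.search(line)
        if not match:
            continue  # trace detail lines and unrelated syslog are skipped
        kind = "bound" if configured.get(match["community"]) else "unknown"
        per_source[match["src"]][kind].add(match["community"])

    report = {}
    for src, seen in per_source.items():
        if len(seen["unknown"]) >= guess_threshold:
            report[src] = "community-guessing"
        elif seen["bound"]:
            report[src] = "missing-instance-context"
        else:
            report[src] = "unknown-community"
    return report


if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
```
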


Re: [j-nsp] snmp oid for polling DCU

2009-02-16 Thread Masood Ahmad Shah
This will take you on an SNMP journey.

ja...@r1# run show snmp mib walk 1

Regards,
Masood


-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of shariq qamar
Sent: Monday, February 16, 2009 6:46 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] snmp oid for polling DCU

Dear Techies,

I'm done with QPPB configuration on my Juniper M320 box junos 8.5R3.4
and successfully able to get counters for the destination class.
I want to see the plot of counters via SNMP server.

Will anybody explain to me how to get OID values in juniper?
What is the way to get the OID value for DCU so that we can poll the same via SNMP
server?


-- 
Regards,
Shariq Qamar,


Re: [j-nsp] SNMP interface index change after upgrade to 9.2

2009-02-13 Thread Masood Ahmad Shah
It's a simple UNIX file 'dcd.snmp_ix' (I believe Juniper guys don't change
format/syntax of the file with each upgrade.), if you back up
/var/db/dcd.snmp_ix while upgrading your JUNOS software and then later
restore it.

ja...@r1 file list /var/db/dcd.snmp_ix


Regards,
Masood


-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Patrik Olsson
Sent: Friday, February 13, 2009 5:19 PM
To: Chris Adams; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] SNMP interface index change after upgrade to 9.2

I use Cacti (it is free), have not seen this issue (yet). I think I will
poke around in it a bit, but I am with Chris and Tom in the spirit.

Cheers
Patrik




Re: [j-nsp] NSM

2009-02-11 Thread Masood Ahmad Shah
Check if you can find something similar while sitting at your J series :)

set system services outbound-ssh client nsm

Regards,
Masood


-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of SunnyDay
Sent: Wednesday, February 11, 2009 5:35 PM
To: Juniper-Nsp
Subject: [j-nsp] NSM

Hello
Any one knows how can i configure a j series router so i can import it to
Netscreen Security Manager? ( NSM )

Thank You


Re: [j-nsp] transfer between 2 ns2000's is slow

2009-02-11 Thread Masood Ahmad Shah
I would suggest check CRC and duplex mismatch twice :) if everything goes
fine then you better play with the following TCP tweaks..

flow no-tcp-seq-check
flow tcp-syn-check
flow tcp-syn-bit-check

Regards,
Masood


-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Leslie
Sent: Wednesday, February 11, 2009 1:44 AM
To: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] transfer between 2 ns2000's is slow

I got some good advice that my limits are suspiciously close to some tcp 
limits -- I have tried some tuning in my kernel but I am going to try 
hacking around a bit more and see if it helps with anything as well.

Leslie wrote:
 I'm having a strange problem that I haven't been able to fix after much 
 studying --
 
 Basically my setup is host 1 - fw1 - dedicated 1gige link (~25ms lag) - 
 router2 - fw2 - host 2
 
 I can blast udp across this pipe without a problem, but tcp traffic ch
 seems to be limited to about 3 mbyte/s -- I can make multiple sessions 
 that are all transferring at this speed, but no individual session will 
 go over that limit
 
 Another thing that makes me extremely suspicious is occasionally when I 
 start a transfer I'll see a brief cpu spike -- like shown below
 
  get perf cpu detail
 Average System Utilization: 21%
 Last 60 seconds:
 59: 37    58: 34    57: 38    56: 27    55: 39    54: 38
 53: 81**  52: 76**  51: 81**  50: 77**  49: 82**  48: 62*
 47: 36    46: 37    45: 35    44: 36    43: 36    42: 35
 41: 32    40: 37    39: 33    38: 37    37: 34    36: 39
 35: 33    34: 38    33: 33    32: 39    31: 33    30: 39
 29: 31    28: 40    27: 29    26: 42    25: 35    24: 41
 23: 35    22: 38    21: 31    20: 35    19: 32    18: 41
 17: 35    16: 38    15: 34    14: 39    13: 35    12: 40
 11: 33    10: 40     9: 32     8: 39     7: 45     6: 39
  5: 34     4: 40     3: 35     2: 42     1: 36     0: 39
 
 
 I've obviously spent hours and hours on the phone/email with tac without 
 much help.  Does anyone have any ideas of what could be doing this?  Any 
 troubleshooting tips?
 
 Thank you
 
 Leslie


Re: [j-nsp] E320 question

2009-02-07 Thread Masood Ahmad Shah
Yea sure, but you need to keep an eye on redundant RSP, LM and interface
related configuration .e.g. less or more number of physical interfaces, LM
or RSP.

Regards,
Masood
Blog: http://weblogs.com.pk/jahil/


-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of SunnyDay
Sent: Friday, February 06, 2009 4:51 PM
To: juniper-Nsp
Subject: [j-nsp] E320 question

hello

Will a cnf config file work from an E320 to E120 ?

Thanks


Re: [j-nsp] Installing backup default-route from upstream by BGP condition?

2009-02-07 Thread Masood Ahmad Shah
I have replied to a Juniper forum topic on same issue. Please find the link
below..

http://tinyurl.com/ba4r7p

Regards,
Masood


-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Markus
Sent: Sunday, February 08, 2009 3:03 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Installing backup default-route from upstream by BGP
condition?

Hi,

on a M7i with 8.0R2.8 I'm receiving a full BGP feed from my upstream,
and a single default-route through a second BGP session with the same
upstream (but to another of their routers) for backup purposes if the
first session should go down. Is there any way that allows to install
the default-route only when the full BGP feed session goes down? 

What I want to achieve is that traffic to destinations which don't exist
in the global routing table won't get sent out to the upstream at all.

Can anyone point me to the right direction? 

Thanks!
Markus
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] cisco equilent com in juniper : under bgp configuration mode

2009-02-04 Thread Masood Ahmad Shah
This has already been discussed on list... the following URL will take you
to the QPPB/DCU 

http://markmail.org/message/et4gc4ysscxio7ra


-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Mark Tinka
Sent: Wednesday, February 04, 2009 12:19 PM
To: juniper-nsp@puck.nether.net
Cc: shariq qamar
Subject: Re: [j-nsp] cisco equilent com in juniper : under bgp configuration
mode

On Wednesday 04 February 2009 03:07:44 pm shariq qamar
wrote:

 I'm using the table-map command in cisco routers.
 Can anyone tell me the equivalent of the table-map command in juniper
 configuration?

It looks like you're doing QPPB for Cisco.

We managed to test the same on JunOS using DCU.

Mark.



Re: [j-nsp] merging IPv6 and IPv4 route in same policy

2008-12-28 Thread Masood Ahmad Shah
The following configuration should work for IPv6/IPv4 in same policy. 

policy-statement O-R {
    term 1 {
        from {
            protocol ospf;
            route-filter fec0:0:0:4::/64 orlonger;
        }
        then accept;
    }

    term 2 {
        from {
            protocol ospf;
            route-filter 10.0.6.0/24 orlonger;
        }
        then accept;
    }
}


Regards,
Masood 

-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Ahmad Alhady
Sent: Sunday, December 28, 2008 9:52 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] merging IPv6 and IPv4 route in same policy

can we merge matching IPv6 and IPv4 routes in same config ???
for example 


policy-statement O-R {
    term 1 {
        from {
            protocol ospf;
            route-filter 10.0.6.0/24 orlonger;
            route-filter fec0:0:0:4::/64 orlonger;
        }
        then accept;
    }
}


he is giving me this message!

   Policy: invalid prefix fec0:0:0:4::/64 for family inet
error: configuration check-out failed



Ahmad



  


Re: [j-nsp] merging IPv6 and IPv4 route in same policy

2008-12-28 Thread Masood Ahmad Shah
What's wrong in using two terms :)

 

Regards,

Masood

 

From: Ahmad Alhady [mailto:ahmad.alh...@yahoo.com] 
Sent: Sunday, December 28, 2008 10:23 PM
To: Masood Ahmad Shah; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] merging IPv6 and IPv4 route in same policy

 

but in 2 different terms !!!

not in same term !?

I was asking about same term ?!

Thanks

 


From: Masood Ahmad Shah mas...@nexlinx.net.pk
To: Ahmad Alhady ahmad.alh...@yahoo.com; juniper-nsp@puck.nether.net
Sent: Sunday, December 28, 2008 8:14:11 PM
Subject: RE: [j-nsp] merging IPv6 and IPv4 route in same policy

The following configuration should work for IPv6/IPv4 in same policy. 

policy-statement O-R {
term 1 {
from {
protocol ospf;
route-filter fec0:0:0:4::/64 orlonger;
}
then accept;
}  

term 2 {
from {
protocol ospf;
route-filter 10.0.6.0/24 orlonger;
}
then accept;
}


Regards,
Masood 

-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Ahmad Alhady
Sent: Sunday, December 28, 2008 9:52 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] merging IPv6 and IPv4 route in same policy

can we merge matching IPv6 and IPv4 routes in same config ???
for example 


policy-statement O-R {
term 1 {
from {
protocol ospf;
route-filter 10.0.6.0/24 orlonger;
route-filter fec0:0:0:4::/64 orlonger;
}
then accept;
}  


he is giving me this message!

  Policy: invalid prefix fec0:0:0:4::/64 for family inet
error: configuration check-out failed



Ahmad



  


Re: [j-nsp] EX Series Experiences

2008-12-27 Thread Masood Ahmad Shah

http://weblogs.com.pk/jahil/archive/2008/12/26/juniper-switches.aspx


Regards,
Masood

-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella
Sent: Saturday, December 27, 2008 5:10 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] EX Series Experiences

All, 

I am looking to purchase a few Juniper EX switches, specifically 3200
series. I am interested in hearing how they are performing. And if they are
stable.

Regards,

Brendan Mannella


Re: [j-nsp] JR Global static route configuration

2008-11-21 Thread Masood Ahmad Shah
Two minor points: you can have multiple static routes for the same
destination address with the same preference (Juniper) / admin distance
(Cisco) and different interfaces for load balancing. The exception is the
default gateway 0.0.0.0 which can only occur once per admin distance but you
can use the interface method with different admin distance described above
to provide resilience for 0.0.0.0. These methods are used when you do not
want to use a routing protocol.

You can have multiple static routes for the same destination address with
different preference (Juniper) / admin distance (Cisco). In the Juniper world
Qualified Next Hops is the way to go. For example,

routing-options {
    static {
        route 1.1.1.1/32 {
            next-hop 2.2.2.2;
            qualified-next-hop 3.3.3.3 {
                preference 5;
            }
        }
    }
}

Regards,
Masood

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jose Madrid
Sent: Friday, November 21, 2008 7:07 PM
To: harish T
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] JR Global static route configuration

Yes, someone on here will correct me if I'm wrong, but I believe
qualified-next-hop is what you want.

http://www.juniper.net/techpubs/software/junos/junos73/swconfig73-routing/html/routing-summary51.html

On Fri, Nov 21, 2008 at 1:58 AM, harish T [EMAIL PROTECTED] wrote:
> Hi,
>
> Can we configure more than one instance of Global static route for a
> particular Destination address ?
>
> Static route 1:
> destination mask:255.255.255.252
> destination prefix:10.12.32.0
> next hop:156.65.21.2
>
>
> Static route 2:
> destination mask:255.255.255.252
> destination prefix:10.12.32.0
> next hop:100.200.333.1
>
> Is it possible to have more than one entry of static route for a
> particular network like above?
>
>
> --
> To accomplish great things, we must not only act, but also dream; not only
> plan, but also believe.
>
>
>
> With regards
> Harish.T




-- 
It has to start somewhere, it has to start sometime.  What better
place than here? What better time than now?
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] bgp as-path

2008-11-14 Thread Masood Ahmad Shah

neighbor remove-private-as

Removes private AS numbers in updates sent to external peers. Private AS
numbers are only in the range 64,512-65,535.


Regards,
Masood


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of SunnyDay
Sent: Friday, November 14, 2008 11:43 PM
To: Hyunseog Ryu
Cc: juniper-Nsp
Subject: Re: [j-nsp] bgp as-path

Yes, I know, but what if the AS-PATH contains both public and private?
What will happen then? I read that the OS will consider it a config error?


Hyunseog Ryu wrote:
> From bgp options, you can find 'remove-private-as' or something like
> that.
>
> Sent from my Windows Mobile® phone.
>
> -Original Message-
> From: SunnyDay [EMAIL PROTECTED]
> Sent: Friday, November 14, 2008 12:35 PM
> To: juniper-Nsp juniper-nsp@puck.nether.net
> Subject: [j-nsp] bgp as-path
>
>
> hello
> i want to know what will the behavior be if AS-PATH contains both public
> and private ASN
> and is possible to remove all private ??
> Thanks
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Metro Ethernet CPE

2008-10-29 Thread Masood Ahmad Shah
The PPPoE interface to the access concentrator can be a Fast Ethernet
interface on any Services Router, a Gigabit Ethernet interface on J4350 and
J6350 Services Routers, an ATM-over-ADSL or ATM-over-SHDSL interface on all
J-series Services Routers except the J2300, or an ATM-over-SHDSL interface
on a J2300 Services Router. The PPPoE configuration is the same for both
interfaces. The only difference is the encapsulation for the underlying
interface to the access concentrator:

If the interface is Ethernet, use a PPPoE encapsulation. 
If the interface is ATM-over-ADSL or ATM-over-SHDSL, use a PPPoE over ATM
encapsulation.

Regards,
Masood 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GIULIANO (UOL)
Sent: Wednesday, October 29, 2008 3:38 PM
To: FAHAD ALI KHAN
Cc: juniper-nsp
Subject: Re: [j-nsp] Metro Ethernet CPE

J-Series can help you.

J-2320, J2350, J4350, J-6350.

The whole family can help you with all features (I need to check PPPoE
support).

The differences are related to traffic processing and capacity.

Att,


> Guys...!
>
> We are looking for good range of CPE (routers) for Home users & SMBs...and
> wish if following features are supported.
>
>    - FastEthernet port for WAN & LAN
>    - 802.1Q Trunking support on both FEs
>    - IPv4 support (IPv6 is optional)
>    - PPPoE support on FastEthernet main/Sub-interface (didn't find it in
>      1800 ISR)
>    - Basic QoS feature set
>    - GRE/IPSEC support
>    - Static/RIP/OSPF/BGP support
>    - Network Management support - SNMP
>    - BFD or ELMI support
>    - DHCP client
>
>
> What will be the best suited & cost effective CPE for offering triple play
> services over Metro Ethernet Network.
>
> Input from Metro Ethernet Service provider will be highly appreciable.
>
>
> *Regards*
> *Fahad*
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] M-Series Authentication via Tacacs and authorization via local class

2008-10-11 Thread Masood Ahmad Shah
When you are using RADIUS or TACACS+ authentication, you can create single
accounts (for authorization purposes) that are shared by a set of users.

http://www.juniper.net/techpubs/software/junos/junos57/swconfig57-getting-started/html/sys-mgmt-authentication4.html#1039222

HTH

Regards,
Masood Ahmad Shah
BLOG: http://www.weblogs.com.pk/jahil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aamir Saleem
Sent: Friday, September 26, 2008 11:18 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] M-Series Authentication via Tacacs and authorization via
local class

Hello,

I want locally configured users to authenticate against the TACACS+
server first, with local authentication as second priority. Authorization of
commands must be permitted from the local account configured on the M-Series
routers. Does anybody have any idea how to accomplish this? I have the following
class and user configured on the M-Series for authorization purposes.


class superuser-local {
    idle-timeout 5;
    permissions all;
    deny-commands "(file delete)|(clear log)";
    deny-configuration "system login";
}

user noc {
    uid 2018;
    class superuser-local;
}


Authentication order

authentication-order [ tacplus password ];

Thanks
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] dhcp-relay on MX

2008-09-17 Thread Masood Ahmad Shah
What do you get when you do show helper statistics?
You can also use a packet capturing application like ethereal on the DHCP
server, just to check whether the packets are being forwarded to the DHCP
server or not.

If you need to, include the maximum-hop-count statement; the default value is
4 hops. To set the routing instance of the server to forward to, if different,
include the routing-instance statement.

Regards,
Masood

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marlon Duksa
Sent: Wednesday, September 17, 2008 11:01 PM
To: Nicolaj Kamensek
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] dhcp-relay on MX

Still no luck. This is what I have. Also there is no firewall in this
network.
forwarding-options {
    helpers {
        bootp {
            server 10.0.0.100;
            relay-agent-option;
        }
    }
}

interfaces {    /* client side */
    ge-0/0/0 {
        unit 0 {
            family inet {
                unnumbered-address lo0.0 preferred-source-address 1.1.1.1;
            }
        }
    }
}

On Wed, Sep 17, 2008 at 4:23 AM, Nicolaj Kamensek [EMAIL PROTECTED] wrote:

> Marlon Duksa wrote:
>
> > Hi
> > Does anyone know why DHCP discover packets are not relayed through an MX
> > from my client to an external DHCP server that resides on the same network
> > as one of the interfaces on MX (I can ping this DHCP server from the MX).
>
> Keep in mind that dhcp-relay is done via the routing-engine, so your RE
> firewall filter might be the reason. You need to allow dhcp/bootp packets
> there.
>
> Regards
>
> --
> Accelerated IT Services GmbH
> Schubertstrasse 10    D-67251 Freinsheim
> [EMAIL PROTECTED] http://www.accelerated.de/
> Phone: +49 69-25738580-3    Fax: +49 69-25738580-4
> HRB: 60665 - Amtsgericht Ludwigshafen    VAT ID: DE253684415
> Managing partners: Nicolaj Kamensek & Ole Krieger

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] OSPF inside VRF - Cisco Juniper Interoperability

2008-08-26 Thread Masood Ahmad Shah
If Cisco to Cisco works fine then the problem seems to be in interpreting the
domain ID. If the OSPF domain ID for the destination PE differs from the
originating PE, MP-BGP redistributes the route into OSPF as an OSPF type 5
external route. There is another way to preserve OSPF routes across the MPLS
VPN: the OSPF route type extended community attribute. You can try this too.

Regards,
Masood

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Junaid
Sent: Wednesday, August 27, 2008 12:44 AM
To: Juniper Puck
Subject: [j-nsp] OSPF inside VRF - Cisco Juniper Interoperability

Hi,

I am caught up in what seems to be a Juniper Cisco interoperability
issue. I am running OSPF with customer inside VRF. Topology is
something like the following:

CE1 ---[Area 0]--- PE1  P1 --- P2 --- PE2 ---[Area 6]--- CE2

The two P routers are acting as route reflectors.

CE1, CE2 and PE1 are Cisco devices while the rest are Juniper M-series
routers. The problem I am facing is that CE1 routes received at CE2
are Inter-area, which is what is required (no redistribution into OSPF
is done on CE1 and CE2). However, CE2 routes received by CE1 are Type
5 (E1). The documentation states that in order to preserve the route
types, domain IDs should be the same on both PE routers. I have set domain
ID to be 1.1.1.1:512, this was done on cisco via the command:
domain-id type 0105 value 010101010200 and on juniper as: domain-id
1.1.1.1:512 in the OSPF configuration inside the VRF. Also on Juniper
the domain-id was added into the ospf routes when redistributing them
into MBGP.

The problem seems to be with the Cisco PE1 router that can't seem to
interpret the route-type attribute generated by Juniper:

PE1#sh ip bgp vpnv4 all 10.254.20.254
BGP routing table entry for 1:103:10.254.20.254/32, version 550
Paths: (1 available, best #1, table VPN_OSPF)
  Not advertised to any peer
  Local
    PE2_Loopback_IP (metric 4) from P1_Loopback_IP (P1_Loopback_IP)
      Origin IGP, metric 2, localpref 100, valid, internal, best
      Extended Community: RT:1:103 OSPF DOMAIN ID:0x0105:0x010101010200 0x306:0:393472

10.254.20.254/32 is advertised by CE2 (assigned on one of its loopback
interfaces). Now the domain ID is fine but it seems that Cisco is
unable to interpret the route-type attribute. 393472 translates to
60100 where 6 is the area ID, 01 says that it is type 1 LSA and the
last two bytes are options and are not used in this case. Upon receiving
this route via MBGP, PE1 injects a type 5 LSA towards CE1 (confirmed
on CE1 by enabling debugging) where it should have injected
type 3:

OSPF: Ack Type 5, LSID 10.254.20.254, Adv rtr 10.254.1.1, age 5, seq 0x8001


If I replace the Juniper PE2 with a Cisco then PE1 seems to
interpret the route-type attribute correctly and injects a type 3 LSA
towards CE1, and CE1 receives the routes as inter-area:

PE1#sh ip bgp vpnv4 all 10.254.20.254
BGP routing table entry for 1:103:10.254.20.254/32, version 676
Paths: (1 available, best #1, table VPN_OSPF)
  Not advertised to any peer
  Local
    PE2_Loopback_IP (metric 2) from P1_Loopback_IP (P1_Loopback_IP)
      Origin incomplete, metric 2, localpref 100, valid, internal, best
      Extended Community: RT:1:103 OSPF DOMAIN ID:0x0005:0x010101010200 OSPF RT:0.0.0.6:2:0 OSPF ROUTER ID:10.254.2.1:512


Debug output:

OSPF: Ack Type 3, LSID 10.254.20.254, Adv rtr 10.254.1.1, age 1, seq 0x8001

Any idea what is causing this behavior? Any solution? Will appreciate any
help.

(The problem involves both Juniper and Cisco routers but I am posting
it here as I believe most guys here have worked on both
platforms.)


Regards,
Junaid
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
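
The community values printed in the PE1 outputs of this thread can be decoded mechanically; the following Python is an added example (not part of the original posts and not vendor code) that does so using the field layout from RFC 4577. The function names are invented here, and the input strings in the main block are the ones shown in the first PE1 output.

```python
import ipaddress
import struct

# BGP extended-community type codes that RFC 4577 assigns to OSPF-in-VPN
# attributes. 0x8000 and 0x8005 are the older encodings the RFC keeps for
# backward compatibility.
ROUTE_TYPE_CODES = {0x0306, 0x8000}
DOMAIN_ID_CODES = {0x0005, 0x0105, 0x0205, 0x8005}

# Meaning of the one-byte route-type field in the route-type community.
ROUTE_TYPES = {1: "intra-area", 2: "intra-area", 3: "inter-area",
               5: "external", 7: "NSSA"}


def from_opaque(text):
    """'type:hi16:lo32' (how PE1 printed the community it did not name,
    e.g. '0x306:0:393472') -> the 8 raw bytes."""
    type_code, hi16, lo32 = (int(part, 0) for part in text.split(":"))
    return struct.pack("!HHI", type_code, hi16, lo32)


def from_domain_id(text):
    """'type:value' as printed after 'OSPF DOMAIN ID:' -> the 8 raw bytes."""
    type_code, value = (int(part, 0) for part in text.split(":"))
    return struct.pack("!H", type_code) + value.to_bytes(6, "big")


def decode(raw):
    """Decode one 8-byte extended community into a dict."""
    if len(raw) != 8:
        raise ValueError("an extended community is exactly 8 bytes")
    (type_code,) = struct.unpack("!H", raw[:2])
    if type_code in ROUTE_TYPE_CODES:
        # 4-byte area number, 1-byte route type, 1-byte options.
        area, route_type, options = struct.unpack("!4sBB", raw[2:])
        return {
            "kind": "ospf-route-type",
            "type_code": type_code,
            "area": str(ipaddress.IPv4Address(area)),
            "route_type": route_type,
            "meaning": ROUTE_TYPES.get(route_type, "unknown"),
            # The low bit of options marks a type 2 external metric.
            "metric_type_2": bool(options & 0x01),
        }
    if type_code in DOMAIN_ID_CODES:
        result = {"kind": "ospf-domain-id", "type_code": type_code,
                  "value_hex": raw[2:].hex()}
        if type_code == 0x0105:
            # IPv4-address form: 4-byte address, then a 2-byte number.
            addr, number = struct.unpack("!4sH", raw[2:])
            result["domain_id"] = f"{ipaddress.IPv4Address(addr)}:{number}"
        return result
    return {"kind": "unknown", "type_code": type_code,
            "value_hex": raw[2:].hex()}


if __name__ == "__main__":
    # Strings copied from the first PE1 output (route learned from the
    # Juniper PE2).
    for label, raw in [
        ("route type", from_opaque("0x306:0:393472")),
        ("domain id", from_domain_id("0x0105:0x010101010200")),
    ]:
        print(label, raw.hex(), decode(raw))
```

For the values in the thread this yields area 0.0.0.6 with route type 1 under type code 0x0306, and domain ID 1.1.1.1:512 under type code 0x0105.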


Re: [j-nsp] Restricting RADIUS Routes for E120

2008-08-25 Thread Masood Ahmad Shah
Yea you can set the route preferences ( In Cisco world administrative
distance ). For this you need to find the route preference radius attribute
... here is the list of supported radius attributes...


http://www.juniper.net/techpubs/software/erx/erx50x/swconfig-broadband/html/radius-attributes.html



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Amr
Sent: Monday, August 25, 2008 11:21 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Restricting RADIUS Routes for E120

Dear All,
I have a problem in my E120 Router, where I have configured the
RADIUS Server to send to the Users on the E120 their IP Subnet so that the
IP subnets of the users will be Access-internal routes as below

E120#sh ip route 10.10.10.10
  Protocol/Route type codes:
  I1- ISIS level 1, I2- ISIS level2,
  I- route type intra, IA- route type inter, E- route type external,
  i- metric type internal, e- metric type external,
  P- periodic download, O- OSPF, E1- external type 1, E2- external type2,
  N1- NSSA external type1, N2- NSSA external type2
  L- MPLS label, V- VRF, *- via indirect next-hop
  Prefix/Length     Type        Next Hop   Dst/Met   Interface
------------------ ---------- ---------- --------- ------------------------------
10.10.10.10/32     *AccIntern  *0.0.0.0   2/0       GigabitEthernet3/0/0.505252.59


but by mistake someone configured the RADIUS to send the default route
(0.0.0.0.0/0) for a specific user, which affects the performance of the E120
router and modified the current default route learned by OSPF

So the question is:
Is it possible to restrict the routes that come from the RADIUS Server and
not accept them all (e.g. denying the default route from the RADIUS)?
or

Is it possible to modify the admin distance for the Access-internal routes
so that it will be higher than the dynamic default route configured on the
E120 router?

Appreciate your help

Thanks In Advance

Regards
Amr
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] LDP Session over GRE Tunnel

2008-08-25 Thread Masood Ahmad Shah
Two things can prevent LDP adjacencies: MTU, fragmentation or access list.
 
You need to check MTU size at both sides as you are using tunnel interfaces.
You may need to look at data fragmentation too, in both cases try adjusting
MTU size. 

Look into IGP prefix lists, distribute lists or access-list if you are
using...

Regards,
Masood
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Farhan Jaffer
Sent: Monday, August 25, 2008 7:06 PM
To: Juniper Puck
Subject: [j-nsp] LDP Session over GRE Tunnel

Hi,

I am testing connectivity over GRE tunnel, IBGP session is
established, LSP is also established, however LDP session is not going
to establish. Any idea?

FJ
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] LDP Session over GRE Tunnel

2008-08-25 Thread Masood Ahmad Shah
Yea you can have established LSP without LDP. Guess how :) 

What if you are running both LDP and RSVP... ;)



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Junaid
Sent: Monday, August 25, 2008 8:35 PM
To: Farhan Jaffer
Cc: Juniper Puck
Subject: Re: [j-nsp] LDP Session over GRE Tunnel

Hi,

Check the transport addresses used by LDP on both nodes. These
addresses should be reachable via IGP or static routes over the GRE.
It is surprising that LSP is established without LDP!


Regards,
Junaid


On Mon, Aug 25, 2008 at 8:05 PM, Farhan Jaffer [EMAIL PROTECTED] wrote:
> Hi,
>
> I am testing connectivity over GRE tunnel, IBGP session is
> established, LSP is also established, however LDP session is not going
> to establish. Any idea?
>
> FJ
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Strange RX issue w/ GE PIC

2008-08-25 Thread Masood Ahmad Shah
There can be multiple reasons for these input errors.

Policed Discards
Frames that the incoming packet match code discarded because they were not
recognized or of interest. Usually, this field reports protocols that the
JUNOS software does not handle, such as CDP. 

L3 incompletes
This counter is incremented when the incoming packet fails Layer 3 (usually
IPv4) sanity checks of the header. For example, a frame with less than 20
bytes of available IP header would be discarded and this counter would be
incremented. 

L2 mismatch timeouts
Count of malformed or short packets that cause the incoming packet handler
to discard the frame as unreadable. 

HS link CRC errors
Count of errors on the high-speed links between the ASICs responsible for
handling the router interfaces.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Van Tol
Sent: Monday, August 25, 2008 8:05 PM
To: 'juniper-nsp@puck.nether.net'
Subject: [j-nsp] Strange RX issue w/ GE PIC

Hi all,
I'm experiencing a strange RX issue on a link and I need some more ideas on
where to look.  Two routers, an M7i and M20, are connected back-to-back,
sort-of (there's optical gear between them, obviously), over a WDM link.
Ping tests work perfectly from one to the other, using various packet sizes.
When enabling traffic from the M7i to the M20 by lowering an OSPF metric,
the link works fine.  When enabling traffic in the opposite direction, M20
to M7i, I begin to get massive input errors on the M20 GE PIC.  I see no
errors at all on the M7i side, ever.  Errors only start to accrue when
traffic reaches a certain as-yet-undetermined level, when bi-directional
traffic is enabled.

Done so far:
 - Cleaned every connector in the path.
 - Replaced both patch cables at either end of the link.
 - Installed intermediary switch to rule out PIC/SFP problems.
 - Failed over to redundant light path to rule out primary path problems.

In what situation would one see input errors accrue on one side, but only
when bi-directional traffic is enabled?

Thanks,
evt
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] egress PE disappear explicit-null

2008-08-03 Thread Masood Ahmad Shah
I came up with an issue: the Juniper M Series router is unable to pop
explicit-null and decrease IP TTL at the same time, making the egress PE
disappear from traceroute when using core-hiding and explicit-null.

Is there any workaround?

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] PPPoE tunnel and Firewall

2008-07-24 Thread Masood Ahmad Shah
 

I’m really getting confused while adding a firewall for DSL subscribers. I
want to protect my PPPoE subscribers from malicious traffic. Adding a
firewall between DSLAMs and BRAS is kind of confusing for me. The final
topology is going to be like

CPE <-- DSLAM <---> Firewall <-- BRAS --- Internet

From CPE to BRAS is a PPPoE tunnel. The question: “Can a firewall protect PPPoE
customers from malicious traffic while sitting in transparent mode in front
of BRAS?” I wonder, firewall will skip the PPPoE tunnels traffic.

If yes, then how do you guys protect BRAS internal traffic from one
subscriber to another?

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Full routing table feed on M7i and M10i

2008-07-20 Thread Masood Ahmad Shah
The full BGP table of the internet is big. The BGP table is held in memory.
If you use 1GB of RAM or more, you can store 3 full BGP tables. M7i and M10i
both come with a fast CPU. You will not have to worry about processing, it's
Juniper :)

Regards,
Masood

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Samit
Sent: Sunday, July 20, 2008 1:00 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Full routing table feed on M7i and M10i

Hi list,

With RE-850 can juniper M7i or M10i can effectively handle 3+ full 
routing table feed from multiple upstreams?

Regards,
Samit

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] Track-IP functionality in Junos

2008-06-18 Thread Masood Ahmad Shah
I am looking for a track-ip functionality in Junos, which will be able to
retire a route based on IP reachability (ping or something like this)

Is this anything we can do?

Regards,
Masood Ahmad Shah


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] list admin garbage - unimportant you can delete me

2008-06-18 Thread Masood Ahmad Shah
Many thanks for running one of the leading mailing lists. Keep it up.. you
are great

Regards,
Masood Ahmad Shah
BLOG: http://www.weblogs.com.pk/jahil


-Original Message-
From: Jared Mauch [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 18, 2008 10:40 PM
To: Masood Ahmad Shah
Cc: 'Erik Erasmus'; juniper-nsp@puck.nether.net
Subject: list admin garbage - unimportant you can delete me

Just as a follow-up, there are over 2500 people on the list.

I wanted to thank everyone who helps make this forum what it is
in helping each other out.

- Jared

-- 
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] Is this true

2008-06-17 Thread Masood Ahmad Shah
http://www.cisco.com/en/US/products/hw/routers/ps133/prod_system_test_report0900aecd801b9424.html

:)


Regards,
Masood

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] Bridging two LAN over IP

2008-04-28 Thread Masood Ahmad Shah

How do you guys bridge two different networks (Ethernet LANs) over IP routed
networks in Juniper (JUNOS)? Or is there something like L2TPv3 pseudowires
in Juniper routers? If yes, which model supports it?

What if you want to forward broadcast traffic for a specific port between
two different networks? Like in Cisco

Cisco#ip forward-protocol udp ?
  0-65535  Port number

Juniper# I don't know :)

Regards,
Masood Ahmad Shah




___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp