Re: [j-nsp] BFD Session
If it's an intermittent issue with Ping reachability, then check out interface errors as well. On top of that find out if there are any memory errors (where data gets buffered) in the Syslog i.e. CRC failing..

On Mon, Mar 27, 2017 at 8:55 AM, Jeff Haas wrote:

> > On Mar 5, 2017, at 3:05 AM, Mohammad Khalil wrote:
> >
> > Hi all
> > I have a BFD session between two routers (which was working normally)
> > Currently, the session is down from one side and init from the other side
> > The ISIS adjacency is up
> > What could be the issue?
>
> The other comments in the thread support the observation here: You seem to have some form of half-duplexing issue. You just need to figure out which side of the communication is getting dropped.
>
> -- Jeff

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Measure transit traffic to specific destination
If you don't wanna pay then make use of a free collector (aka opensource) i.e. http://www.ntop.org/ (i have had and used this +1)

Or more here: https://www.pcwdld.com/free-open-source-netflow-analyzers

On Sat, Dec 31, 2016 at 2:41 AM, Matthew Crocker wrote:

> I’m sending IPFIX flows to Scrutinizer and can generate the type of reports you are looking for. ‘All bandwidth from X ASN’, etc.
>
> https://www.plixer.com/products/scrutinizer/
>
> On 12/30/16, 2:16 AM, "juniper-nsp on behalf of Santanu Mandal" <juniper-nsp-boun...@puck.nether.net on behalf of santanumandal2...@gmail.com> wrote:
>
> > Dear all,
> > I want to measure traffic bandwidth consuming for a specific destination IP from My Organization. Say how much bandwidth is consumed for destination x.x.x.x out of total bandwidth in my ISP link.
> >
> > I have configured S-flow, but there I can see total amount of traffic transferred over a period of time. But My concern is, data transfer rate consumed for this destination, not total amount of data.
> >
> > It would be grateful if you can suggest a tool for this purpose or how to approach to achieve this.
> >
> > Thanking you in advance
> >
> > Santanu
Re: [j-nsp] how to get maximum interface unit value in JUNOS script
The maximum value is 4096 (0-4095), when you create more than 4095 logical units with VLAN encapsulation, the message "limit of 4096 vlans/dlcis exceeded"

Here is Juniper reference: http://kb.juniper.net/InfoCenter/index?page=content=KB28265=search

P.S: It may vary hardware to hardware but I would go with 4096

On Sat, Jun 25, 2016 at 1:02 PM, Chen Jiang wrote:

> Hi! Experts
>
> Sorry for disturbing, I want to use JUNOS OP script to auto-generate new interface configuration, but I don't know how to get maximum interface unit value in current configuration, have you solved this before and could share an example?
>
> Thanks for your great help!
>
> --
> BR!
>
> James Chen
Re: [j-nsp] MPC4D-32*GE Major Alarms
Some of the alarms are transient (should generate Syslog trap though), and they generate a Chassis alarm upon occurrence (i.e. PFE<>Fabric plane took a hit of CRC errors and then got recovered through fabric healing). Sometimes Chassis does not clear alarm when the transient state gets cleared and that requires a reboot treatment to the RE (yeah Routing engine :)

I think chassisd (a daemon) is not getting signaled from the relevant other processes when the states get cleared.

On Sun, Feb 14, 2016 at 6:39 PM, Alex K. wrote:

> Hello everyone,
>
> For some time now, one of my customers is getting "major alarms" from the MPC mentioned above on one of their MX960s.
>
> The issue is that nothing more than that message (+alarm) seems to be present. Nothing preceding that error, neither in "log messages" nor in "chassisd". There seems to be output rate drop, at the time of those incidents till the MPC gets restarted (by the appropriate network team) and then everything gets back to normal.
>
> It's worth mentioning that they have a second MX960 serving the other half of their end-users, but configured exactly the same - which never had that issue (therefore it's probably not traffic related).
>
> They are running 12.3R6.6. The linecard was already replaced. There seems to be no trace options available for monitoring MPCs and their internal status and Juniper web site lacks potential explanations and leads, therefore I'm addressing the community - any advice for getting to the bottom of this, will be welcomed! Additionally, any experience with troubleshooting similar hardware issues might be as helpful as any advice.
>
> Thank you.
Re: [j-nsp] MX960 with 3 RE's?
RE can only be installed into the SCBs labeled 0 and 1, third additional multi-functioning slot labeled 2/6 supports either a SCB (NO RE) or FPC (aka MPC,DPC).

Something like https://www.safaribooksonline.com/library/view/juniper-mx-series/9781449358143/httpatomoreillycomsourceoreillyimages1327907.png.jpg

Cheers,
Masood

On Wed, Jan 13, 2016 at 3:21 PM, Colton Conor wrote:

> Then how do they have 3 RE's listed and house in the picture? Is the 3 RE in the 3 SBC just in there, but would not be powered on or usable?
>
> On Tue, Jan 12, 2016 at 2:49 PM, Mark Tinka wrote:
>
> > On 12/Jan/16 22:40, Colton Conor wrote:
> >
> > > Is it possible to have 3 RE's in a MX960? For example:
> > >
> > > http://www.ebay.com/itm/Juniper-MX960PREMIUM-DC-ECM-4x-PWR-MX960-DC-3x-SCB-MX960-3x-RE-S-2000-4096-/271739188162?hash=item3f44eaf3c2:g:Z~IAAOSwnDZT8lpv
> > > shows 3s RE's installed?
> > >
> > > The documentation I have seen shows that a MX960 can have 3 SCB's, but it mentions only 2 REs?
> >
> > The MX960 supports 3x SCB's for the switch fabric.
> >
> > However, only 2x SCB's can house RE's.
> >
> > > How does the RE-S-2000-4096 compare to a RES-1800X4-16G?
> >
> > The latter is 64-bit, faster and supports more memory.
> >
> > > How does a the regular SCB compared to the Enhanced SCB?
> >
> > Faster switch fabric.
> >
> > Mark.
Re: [j-nsp] Gracefully delete MPLS RSVP LSP
Raising LSP metric sounds good to me

On Wed, Dec 16, 2015 at 10:00 PM, tim tiriche wrote:

> Hello,
>
> i have 2 LSP to the same destination.
>
> 1st LSP name = R1-R2-a
> 2nd LSP name = R1-R2-b
>
> I have link protection enabled.
>
> i want to delete the 1st LSP and wanted to know what is a graceful way to do this?
>
> Is there a way to shift traffic from 1st LSP to 2nd LSP? I don't have LSP metric and rely on IGP metrics.
>
> eg: changing priorities, or can i introduce LSP metrics temporarily to 65k?
>
> Sincerely,
> --Tim
Re: [j-nsp] purpose of "commit check"?
Hi - "commit check" is just there to verify the syntax and integrity of the configuration, but does not activate it. Pretty self explanatory as you already explained it :-)

On Tue, Sep 29, 2015 at 7:24 AM, Martin T wrote:

> Hi,
>
> when I commit the candidate configuration in Junos, I tend to execute "commit check" and if configuration check succeeds, then I execute "commit comment ". However, when I think about it, "commit (comment)" itself should perform those very same checks that "commit check" does. If yes, then what is the point of "commit check"? Only purpose I could see is to check the validity of the candidate configuration in the middle of the configuration process, i.e. to check if the changes made in candidate configuration so far are fine but the candidate configuration is not ready to be committed.
>
> thanks,
> Martin
Re: [j-nsp] OS upgrade
Here you have the official answer, pretty self explanatory: http://www.juniper.net/techpubs/en_US/junos13.1/information-products/topic-collections/release-notes/13.1/index.html?topic-78897.html

On 10 Jun 2015 8:35 pm, james list jameslis...@gmail.com wrote:

Hi

My question is more related to the official path... not to the procedure... from 11.4 do I have to pass to 12.X to arrive to 13.3 or can I jump directly?

2015-06-10 12:27 GMT+02:00 Jared Mauch ja...@puck.nether.net:

On Jun 10, 2015, at 5:59 AM, james list jameslis...@gmail.com wrote:

Question: can I upgrade from junos 11.4 (EEOL) to 13.3 (EEOL) directly or is there any constraint?

I’ve generally not had issues upgrading from one release to the next, but it’s always useful to have console handy and to just use the full jinstall package with no-verify, etc to avoid issues.

Once again, test your console/OOB before the upgrade :)

- Jared
Re: [j-nsp] Ingress QoS Marking Now Fully Supported on MX Routers - Junos 14.2R3.8 Release
On Mon, May 18, 2015 at 12:39 AM, Chuck Anderson c...@wpi.edu wrote:

Scroll down to the 4th top-level bullet:

Support for packet marking schemes on a per-customer basis (MX Series only)

[Masood] I would say that this is incorrect and misleading. It should be MX Series Trio based only and not an MX that runs with DPC's etc.

On Sun, May 17, 2015 at 09:23:37PM +1000, Masood Ahmad Shah wrote:

Thanks for sharing, Mark! Are you sure that it supports all Trio-based cards and afterwards... Juniper documentation confirm it for the Type-5 FPC (T4K) only though.

On Sun, May 17, 2015 at 7:02 AM, Mark Tinka mark.ti...@seacom.mu wrote:

Hi all.

Gosh, what a road this has been! Some of you may recall I started moaning and chasing Juniper about this way back in 2008. Well, finally, we have reached the promised land.

Junos 14.2R3.8 for the MX was released last night. Prior to its release, we have been testing an engineering version of 14.2R1, where Juniper developed support for ingress marking/re-marking of QoS values on traffic entering an MX router.

As you know, Juniper have traditionally done marking/re-marking on egress, which did not provide sufficient granularity for us, and I am sure several others on this list.

With 14.2R3.8, Juniper now support ingress marking/re-marking of QoS values, negating the need for egress marking if what you're looking for is fine-grained marking/re-marking. Juniper are calling the feature Policy Map.

I can get into more details of how this would work if anyone is interested, but below are some key features you might find useful:

a) Policy Map is currently supported only on the MX routers.
b) Requires a minimum of Trio-based line cards.
c) First shipping in Junos 14.2R3.8.
d) Supported for IPP, DSCP, MPLS EXP, 802.1p and 802.1ad.
e) Supported for the inet, inet6, ccc, vpls, mpls and any address families.
f) Application can be either via the [class-of-service] hierarchy or via a firewall filter.
g) Supersedes traditional Junos CoS Rewrite actions.

You can find some basic details on the feature here: http://www.juniper.net/techpubs/en_US/junos14.2/information-products/topic-collections/release-notes/14.2/topic-83366.html#jd0e3370

It's been a long time coming. I'm very pleased to see this feature, and hope the rest of you find it as useful as we do.

Mark.
Re: [j-nsp] Ingress QoS Marking Now Fully Supported on MX Routers - Junos 14.2R3.8 Release
Thanks for sharing, Mark! Are you sure that it supports all Trio-based cards and afterwards... Juniper documentation confirm it for the Type-5 FPC (T4K) only though.

On Sun, May 17, 2015 at 7:02 AM, Mark Tinka mark.ti...@seacom.mu wrote:

Hi all.

Gosh, what a road this has been! Some of you may recall I started moaning and chasing Juniper about this way back in 2008. Well, finally, we have reached the promised land.

Junos 14.2R3.8 for the MX was released last night. Prior to its release, we have been testing an engineering version of 14.2R1, where Juniper developed support for ingress marking/re-marking of QoS values on traffic entering an MX router.

As you know, Juniper have traditionally done marking/re-marking on egress, which did not provide sufficient granularity for us, and I am sure several others on this list.

With 14.2R3.8, Juniper now support ingress marking/re-marking of QoS values, negating the need for egress marking if what you're looking for is fine-grained marking/re-marking. Juniper are calling the feature Policy Map.

I can get into more details of how this would work if anyone is interested, but below are some key features you might find useful:

a) Policy Map is currently supported only on the MX routers.
b) Requires a minimum of Trio-based line cards.
c) First shipping in Junos 14.2R3.8.
d) Supported for IPP, DSCP, MPLS EXP, 802.1p and 802.1ad.
e) Supported for the inet, inet6, ccc, vpls, mpls and any address families.
f) Application can be either via the [class-of-service] hierarchy or via a firewall filter.
g) Supersedes traditional Junos CoS Rewrite actions.

You can find some basic details on the feature here: http://www.juniper.net/techpubs/en_US/junos14.2/information-products/topic-collections/release-notes/14.2/topic-83366.html#jd0e3370

It's been a long time coming. I'm very pleased to see this feature, and hope the rest of you find it as useful as we do.

Mark.
Re: [j-nsp] Distributed PPM and LACP always goes into Queue 3. host-outbound-traffic knob has no effect -- bug?
Yeah host-outbound-traffic should change the distributed protocol handler sourced traffic, however a firewall filter that uses the forwarding-class and dscp actions to specify the override values on loopback will only affect the RE sourced traffic and not the distributed protocol handler sourced. Highly likely a bug then.

On Sat, May 16, 2015 at 4:44 PM, Huan Pham drie.huanp...@gmail.com wrote:

Thanks Masood,

This seems to be version specific and it is a bug on 11.4R7.5 (on MX5 I tested to be specific)

On 12.3R8.7 I do not encounter this problem. The queue that (one hop) BFD is put on can be changed with host-outbound-traffic command (but still cannot be changed with lo0 firewall outbound filter).

Thanks again,
Huan

On 15 May 2015, at 11:48 am, Masood Ahmad Shah masoodn...@gmail.com wrote:

AFAIK host-outbound configuration or lo0 output filter will NOT influence the PFE generated traffic. Only the output interface filter can match the PFE generated traffic.

Cheers,
Masood

On Fri, May 15, 2015 at 10:22 AM, Huan Pham drie.huanp...@gmail.com wrote:

Hi list,

I've tested in the lab and confirm that distributed PPM (e.g. one hop BFD) and LACP on MX does not honour host-outbound-traffic class of service nor outbound RE-reclassification filter. This traffic always gets into queue 3.

Depending on your design, this behaviour could be a problem, especially if your queue 3 is not designed for critical traffic.

Is it a bug? Is there any way to move this control traffic to a different queue?

Thanks very much in advance.
Huan
Re: [j-nsp] Distributed PPM and LACP always goes into Queue 3. host-outbound-traffic knob has no effect -- bug?
AFAIK host-outbound configuration or lo0 output filter will NOT influence the PFE generated traffic. Only the output interface filter can match the PFE generated traffic.

Cheers,
Masood

On Fri, May 15, 2015 at 10:22 AM, Huan Pham drie.huanp...@gmail.com wrote:

Hi list,

I've tested in the lab and confirm that distributed PPM (e.g. one hop BFD) and LACP on MX does not honour host-outbound-traffic class of service nor outbound RE-reclassification filter. This traffic always gets into queue 3.

Depending on your design, this behaviour could be a problem, especially if your queue 3 is not designed for critical traffic.

Is it a bug? Is there any way to move this control traffic to a different queue?

Thanks very much in advance.
Huan
Re: [j-nsp] JNCIS-SP study materials?
I highly recommend Juniper day one books: http://www.juniper.net/us/en/training/jnbooks/day-one/

In addition to that Network Mergers And Migrations book by Gonzalo and Jan

All the best!

Cheers,
Masood

On Thu, Apr 23, 2015 at 2:07 PM, Pyxis LX pyxi...@gmail.com wrote:

Hi, all.

I have just passed my JNCIS-SP certification, and am looking for up-to-date JNCIP-SP study materials. I knew there was an old study guide for JNCIP-M which does not cover a number of new topics. (And there are some behavior changes between the version in this guide and the current version, which is quite confusing in some cases.)

I think that I should prepare both JNCIP-SP JNCIE-SP at the same time since the current JNCIP-SP is essentially the written test of JNCIE-SP? If this is correct, which up-to-date study materials are recommended (including the lab workbooks)?

Thanks!
-Nat
Re: [j-nsp] iBGP and IPv6
Can you provide a show route hidden extensive through pastebin.com or something like that... Your pasting is not easily readable and that makes it hard to help..

Cheers,
Masood

On Thu, Apr 16, 2015 at 5:07 AM, Jonathan Call lordsit...@hotmail.com wrote:

I apologize. The email looked fine when I got it back from the list.

OSPF/OSPF3 are the IGP. When I shut them off the BGP route for the loopback disappears. Limiting IBGP to only export directly connected routes would prevent this scenario from happening at all but it does not explain why router1 will mark the IPv4 loopback route it received as hidden/unusable but the IPv6 loopback route is not.

Jonathan

Subject: Re: [j-nsp] iBGP and IPv6
To: lordsit...@hotmail.com; juniper-nsp@puck.nether.net
From: mark.ti...@seacom.mu
Date: Wed, 15 Apr 2015 20:38:18 +0200

Your pasting is not formatting well. Makes it hard to help you.

Mark.

On 15/Apr/15 20:23, Jonathan Call wrote:

OSPF/OSPFv3 are the IGP, which apparently are feeding back into IBGP:

With OSPFv3 enabled:

    2001:db8:4000::1/128*[Direct/0] 1w0d 21:13:49
          via lo0.1
        [OSPF3/10] 1w0d 21:13:44, metric 0
          via lo0.1
        [BGP/170] 00:00:18, MED 1, localpref 100, from 2001:db8:4000::2
          AS path: I
          to fe80:db8:4000:1::3 via ge-0/0/8.0

With OSPFv3 disabled:

    vr-1.inet6.0: 8 destinations, 9 routes (8 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    2001:db8:4000::1/128*[Direct/0] 1w0d 21:10:41
          via lo0.1
        [OSPF3/10] 1w0d 21:10:36, metric 0
          via lo0.1

Limiting IBGP to only export directly connected routes would prevent this. It still does not explain why router1 will mark the IPv4 loopback route it received as hidden/unusable but the IPv6 loopback route is not.

Jonathan

Subject: Re: [j-nsp] iBGP and IPv6
To: lordsit...@hotmail.com; juniper-nsp@puck.nether.net
From: mark.ti...@seacom.mu
Date: Wed, 15 Apr 2015 18:02:30 +0200

On 15/Apr/15 17:43, Jonathan Call wrote:

Correct. The BGP route for the router's IPv4 loopback is marked as hidden/unusable. It does not show up in show route extensive output.

Is this Loopback IPv4 address known by any other routing protocol, e.g., an IGP?

Mark.
Re: [j-nsp] ARP on unnumbered interfaces
AFAIK, router uses the preferred source address when it is configured for an unnumbered Eth interface, for arp requests and replies. arp requests need to match the preferred source address, which is by default primary

    interfaces lo0 {
        unit 55 {
            family inet {
                address 5.5.5.5/32 {    # That would be this in your case.
                    primary;
                }
                address 10.10.10.1/24;
                address 20.20.20.1/24;
            }
        }
    }

More here: http://www.juniper.net/documentation/en_US/junos13.2/topics/usage-guidelines/interfaces-configuring-an-unnumbered-interface.html

Cheers,
Masood

On Sun, Jan 11, 2015 at 2:34 AM, Mihai mihaigabr...@gmail.com wrote:

Hello,

After the migration of a large network from a Cisco 7600 to a MX104 a lot of users started to have random problems with their connection. The setup is based on unnumbered interfaces and /32 static routes through IFLs. Basically, all clients with Cisco routers will have at some point a missing ARP entry for their default gateway because the MX is changing the ARP source address from the gw_addr to the primary address. On Cisco i see the well known 'wrong cable' error.

Does anyone have a clue why is this happening beside a bug? I've made some tests on MX960, MX480 and MX5 and didn't see this behavior.

This is a lab simulation:

    mx# show
    interfaces {
        ge-1/1/8 {
            unit 55 {
                vlan-id 55;
                proxy-arp unrestricted;
                family inet {
                    unnumbered-address lo0.55;
                }
            }
            unit 56 {
                vlan-id 56;
                proxy-arp unrestricted;
                family inet {
                    unnumbered-address lo0.55;
                }
            }
        }
        lo0 {
            unit 55 {
                family inet {
                    address 5.5.5.5/32 {
                        primary;
                    }
                    address 10.10.10.1/24;
                    address 20.20.20.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 20.20.20.2/32 {
                qualified-next-hop ge-1/1/8.55;
            }
            route 10.10.10.2/32 {
                qualified-next-hop ge-1/1/8.56;
            }
        }
        router-id 5.5.5.5;
    }

    mx> monitor traffic interface ge-1/1/8.55 detail no-resolve matching arp
    Address resolution is OFF.
    Listening on ge-1/1/8.55, capture size 1514 bytes

    17:28:11.105586 Out arp who-has 20.20.20.2 tell 20.20.20.1
    17:28:11.106100 In arp reply 20.20.20.2 is-at 00:1e:4a:fc:44:84
    17:29:20.504891 Out arp who-has 20.20.20.2 tell 20.20.20.1
    17:29:20.505375 In arp reply 20.20.20.2 is-at 00:1e:4a:fc:44:84
    17:30:30.104188 Out arp who-has 20.20.20.2 tell 20.20.20.1
    17:30:30.104632 In arp reply 20.20.20.2 is-at 00:1e:4a:fc:44:84
    .
    17:53:01.790690 Out arp who-has 20.20.20.2 tell 5.5.5.5
    17:54:05.690056 Out arp who-has 20.20.20.2 tell 5.5.5.5

Thanks!
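
One way to spot the behavior in the capture above automatically, as an added example that is not part of the original thread: it parses the "monitor traffic" lines from the post and flags ARP requests whose sender address does not share a subnet with the target and which got no reply. The function names and the one-second reply window are assumptions; the subnets are the /24s configured on lo0.55 in the post.

```python
import ipaddress
import re
from collections import defaultdict

# Capture lines as posted in the thread (the elided "." line is left out).
CAPTURE = """\
17:28:11.105586 Out arp who-has 20.20.20.2 tell 20.20.20.1
17:28:11.106100 In arp reply 20.20.20.2 is-at 00:1e:4a:fc:44:84
17:29:20.504891 Out arp who-has 20.20.20.2 tell 20.20.20.1
17:29:20.505375 In arp reply 20.20.20.2 is-at 00:1e:4a:fc:44:84
17:30:30.104188 Out arp who-has 20.20.20.2 tell 20.20.20.1
17:30:30.104632 In arp reply 20.20.20.2 is-at 00:1e:4a:fc:44:84
17:53:01.790690 Out arp who-has 20.20.20.2 tell 5.5.5.5
17:54:05.690056 Out arp who-has 20.20.20.2 tell 5.5.5.5
"""

# One pattern for both line kinds: outgoing request or incoming reply.
LINE = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+)\s+(In|Out)\s+arp\s+"
    r"(?:who-has (\S+) tell (\S+)|reply (\S+) is-at (\S+))$"
)


def analyse(capture, client_subnets, reply_window=1.0):
    """Count ARP requests and replies per (target, sender) pair.

    on_link is True when target and sender fall inside the same configured
    subnet, which is what a client expects from its gateway's ARP request.
    Timestamps are assumed not to wrap past midnight.
    """
    nets = [ipaddress.ip_network(n) for n in client_subnets]
    stats = defaultdict(lambda: {"requests": 0, "answered": 0, "on_link": False})
    pending = {}  # target -> (request time, stats key) awaiting a reply
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner lines, elisions, non-ARP traffic
        hh, mm, ss, direction, target, sender, replier, _mac = m.groups()
        now = int(hh) * 3600 + int(mm) * 60 + float(ss)
        if target and direction == "Out":
            key = (target, sender)
            stats[key]["requests"] += 1
            stats[key]["on_link"] = any(
                ipaddress.ip_address(target) in n
                and ipaddress.ip_address(sender) in n
                for n in nets
            )
            pending[target] = (now, key)
        elif replier and direction == "In" and replier in pending:
            asked, key = pending.pop(replier)
            if 0 <= now - asked <= reply_window:
                stats[key]["answered"] += 1
    return dict(stats)


def suspicious(stats):
    """Pairs where the sender is off-link and at least one request went unanswered."""
    return sorted(
        key for key, v in stats.items()
        if not v["on_link"] and v["answered"] < v["requests"]
    )


if __name__ == "__main__":
    result = analyse(CAPTURE, ["10.10.10.0/24", "20.20.20.0/24"])
    for (target, sender), v in result.items():
        print(target, "asked by", sender, v)
    print("suspicious:", suspicious(result))
```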
Re: [j-nsp] MX80 Sampling - High CPU
Jordan,

How does CPU utilization look during these 3 minutes (even a minute before and after)? How many routes (prefixes) do you have in the RIB (not just active, the total number of prefixes that are being scanned to find out the best routes adj-in-rib)?

With 14.1R3.5, did you use rpd-64bit or 32bit?

Cheers,
Masood

On Sun, Jan 4, 2015 at 9:30 AM, Jordan Whited jwhited0...@gmail.com wrote:

I don't have any issues when sampling is disabled. No improvement from what I can tell between 12.3R8.7 and 14.1R3.5. Still seeing active-paths in the RIB advertised to other neighbors for upwards of 3 minutes before they are installed in the FIB.

On Sat, Dec 13, 2014 at 3:34 AM, MSusiva ssiva1...@gmail.com wrote:

I assume, the 3mins result is with sampling? What is the result without sampling? Did you test in 14.1 with sampling?

Thank You
Re: [j-nsp] MX480 SCB firmware issue
It could also be a hardware issue in either the referenced scb0 or back connector. Have you tried the following:

- Re-seat the scb in its slot, and then check for bent pins at this time (you can use a flashlight)
- Swap the scb0 with a spare (Or borrow one from another slot 1, 2)

Cheers,
Masood

On Tue, Dec 30, 2014 at 5:29 AM, Dave Peters - Terabit Systems d...@terabitsystems.com wrote:

Thanks a lot for the information. It's definitely an SCBE (not a 2), but I tried upgrading to a 13 version just in case. Same FPGA revision error, and same firmware dead end. I appreciate the help. If anyone else has any pointers, let me know.

-Original Message-
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Tobias Heister
Sent: Tuesday, December 23, 2014 2:54 PM
To: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] MX480 SCB firmware issue

Hi,

On 23.12.2014 at 23:23, Dave Peters - Terabit Systems wrote:

    1 alarm currently active
    Alarm time               Class  Description
    2014-12-23 21:50:13 UTC  Major  CB 0 FPGA Revision unsupported

In looking over the Juniper documentation, there's a request system firmware command to update the SCB, but unfortunately, I'm not seeing that option (meaning request system ? doesn't reveal firmware as a possibility). I'm also not seeing any specific BIOS/firmware files in the download section of the Juniper MX Series portion of the Juniper website.

It is a hidden command, so you have to manually complete it. After the firmware it starts to auto complete:

    request system firmware ?
    Possible completions:
      downgrade
      upgrade

    request system firmware upgrade ?
    Possible completions:
      fpc                  Upgrade FPC ROM monitor
      pic                  Upgrade PIC firmware
      vcpu                 Upgrade VCPU ROM monitor

The output above is from an MX240 with SCB. I have never seen that error showing up but from what i have seen on similar situations the firmware should be embedded in junos and the firmware upgrade should just work without additional files. But SCB seems not to be a valid upgrade target on MX:

    request system firmware upgrade scb
    error: command is not valid on the mx480

tested on MX480 with SCBE

Would you by any chance have bought SCBE2 (they would probably not been available in used condition) instead of SCB. Just asking because SCBE2 is supported starting from 13.something and does not work in 12.3

--
Kind Regards
Tobias Heister
Re: [j-nsp] Moving routes between VRF and inet.0
Here is how I would do that:

1. Import the routes into inet.0 by rib-groups (that is what you have already done, great)
2. Assuming PE-CE interface is 1.1.1.0/30 and working on the PE
3. Also I would not use “accept all” when doing import/export, so I created a policy for that too.

    routing-instances floating {
        routing-options {
            interface-routes {
                rib-group inet COPY_FLOAT_TO_GLOBAL;    ## required for inet.0 to reach out to the next-hop of BGP routes
            }
        }
        protocols {
            bgp {
                group CE {
                    family inet {
                        unicast {
                            rib-group COPY_FLOAT_TO_GLOBAL;
                        }
                    }
                    neighbor 1.1.1.1 {
                        peer-as ABCD;
                    }
                }
            }
        }
    }

    policy-options policy-statement pol-accept {
        term MY_ROUTES {
            from {
                route-filter xx.yy.220.61/32 exact;    # required prefix
                route-filter 1.1.1.0/30 exact;         # pe-ce bgp next-hop interface route
            }
            then accept;
        }
        term NO_LEAKS {
            then reject;
        }
    }

    routing-options rib-groups {
        COPY_FLOAT_TO_GLOBAL {
            import-rib [ floating.inet.0 inet.0 ];    # Primary table floating.inet.0
            import-policy pol-accept;
        }
    }

Cheers,
Masood

On Sat, Apr 19, 2014 at 6:01 PM, Tom Eichhorn t...@wirkbetrieb.net wrote:

Dear all,

I am currently fighting a bit with rib-groups, and I hope someone could point me in the right direction:

What I have is:

    floating.inet.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    xx.yy.220.61/32 *[BGP/170] 00:10:28, localpref 100, from xx.yy.221.101
          AS path: 64512 ?
          to xx.yy.221.102 via ge-0/0/0.0, Push 20

I am getting a route from a contrail controller towards my router, this is so far working fine.

But I need this route in the default table inet.0. So I tried with RIB-groups:

    teichhorn@firefly-contrail> show configuration routing-options
    }
    rib-groups {
        COPY_FLOAT_TO_GLOBAL {
            import-rib [ floating.inet.0 inet.0 ];
            import-policy pol-accept;
        }
    }

pol-accept simply accepts all - but the route is not being copied and I have no clue why - the rib group magic was always voodoo for me...

Any idea or best practices to solve with another way?

Thanks,
Tom
Re: [j-nsp] Verifying Juniper ECMP
See inline, prefixed [Masood] ...

On Thu, Apr 17, 2014 at 1:09 AM, John Neiberger jneiber...@gmail.com wrote:

Another question: if a link in a ECMP bundle goes down and then comes back up later, do things end up hashed and balanced the same way they were prior to the link going down, or is there some amount of randomness to it?

[Masood] You may not see traffic balanced instantly, because existing flow will NOT move to the newly added member. Only new flows will get hashed across the members and then new member will have his fair share of good luck :) However, the following things may happen and make load balancing more fun:

1. incorrect load balancing by aggregate next hops
2. incorrect packet hash computation
3. insufficient variance in the packet flow
4. incorrect pattern selection

You may look for Adaptive Load Balancing, a Juniper method to balance traffic across LAG members (that focus more on the weights, the bandwidth and packet stream of link) but that has its own pros and cons.

If I check a certain flow and see that it is hashed to a particular link, is it a fair bet that it was hashed to that same link prior to the link going down?

[Masood] AFAIK, #Junos does not keep track of it and I wonder if any other vendor would do that.

Thanks,
John

On Tue, Apr 15, 2014 at 12:07 PM, John Neiberger jneiber...@gmail.com wrote:

Holy cow. I never would have figured that one out, and the two Juniper engineers I asked had no idea how to do it. I appreciate the help!

Thanks,
John

On Tue, Apr 15, 2014 at 3:50 AM, Olivier Benghozi olivier.bengh...@wifirst.fr wrote:

Hi John,

as usual with Juniper it's ridiculously overcomplicated, David Roy wrote a fine article about that, at least for MX with DPC: http://www.junosandme.net/article-junos-load-balancing-part-3-troubleshooting-109382234.html

Olivier

On 15 Apr 2014 at 04:01, John Neiberger jneiber...@gmail.com wrote:

I know that ECMP is, by default, based on a hash of source and destination IP address, and I know that we can see the available paths by doing show route forwarding-table destination prefix, but is there a way to determine which path a particular flow is using? For those of you familiar with Cisco, I'm looking for an equivalent to show cef exact-route.
Re: [j-nsp] WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS IMAGE
Perhaps the file system became corrupted, most likely due to a sudden power loss or ungraceful shutdown. I would not worry: as long as both of the partitions are healthy, there is no issue with running the switch on either of them. Just make sure that both of the partitions are healthy, so that failover can be done when needed. The following URL will show you how to recover from this sort of condition. Just start from "Step-by-step recovery procedure for this situation": http://goo.gl/BoUUlA

Cheers, Masood

On Fri, Mar 21, 2014 at 5:23 PM, Victor Sudakov v...@mpeks.tomsk.su wrote:

Colleagues,

What could be the reason that an EX4200-24T occasionally boots from the secondary copy? If I request system reboot slice alternate media internal, it will boot from the Active Partition all right. This means the Active Partition is operational, isn't it? But sometimes, one day, the switch will eventually boot from the Backup Partition again. What gives?

TIA for any ideas.

-- Victor Sudakov, VAS4-RIPE, VAS47-RIPN sip:suda...@sibptus.tomsk.ru
Re: [j-nsp] problem with ospf between linux/quagga and JunOS via GRE interface
Check the MTU.

On 20-Nov-2010, at 3:53 PM, Sergey wrote:

On Saturday 20 November 2010, you wrote:

I attempted to remove point-to-point. No effect. :-(

You possibly need it on the interface - but you ALSO need it under protocols

It has no effect. And I cannot understand why I do not see any incoming OSPF traffic on the gr-1/2/0.2 from the Linux side, but I see it if I change the Linux box to Cisco.

-- Regards, Sergey
Re: [j-nsp] Recover/Reset Passwd on juniper netscreen
I would go with power-it; you cannot recover the password without resetting the unit to factory defaults. On other devices of Juniper like routers there are ways to do this, but not on firewall devices. As you do not have a copy of the current configuration, I would say let it run as long as it can without making any change, and then reset and reconfigure from scratch when you absolutely need to make a change.

Kind Regards, Masood

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of George
Sent: Saturday, October 24, 2009 1:09 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Recover/Reset Passwd on juniper netscreen

Hello

How do I recover/reset the root password on a Juniper NetScreen 5GT? I need a step-by-step guide guaranteed to work, since I don't want to lose my configs.

Regards George
Re: [j-nsp] tacplus on EX3200
JUNOS gives you very flexible AAA services. I would suggest you should not use the remote user template on a live production box. Configuring a single remote user template account requires that all users (once again, keep in mind ALL users) without individual configuration entries share the same class and UID. When you are using TACACS and telnet or TACACS and SSH together, you can specify a different template user other than the remote user.

I would suggest you better configure alternate template users and specify the user-name parameter (Custom Attributes 'local-user-name=insert username here') returned in the TACACS authentication response packet. You'll need to configure a template account on the Juniper device which matches the username you specify as the local-user-name in your TACACS+ server. This template account should be bound to the class you want to assign these users.

Find below a template for JUNOS and the TACACS server.

Here is JUNOS (read the comments):

    system {
        /* Please authenticate me using the tacplus server first */
        authentication-order [ tacplus password ];
        tacplus-server {
            /* Your TACACS server address */
            x.x.x.y {
                /* TACACS secret key; it should be the same as the one configured on the server */
                secret blahblahblah; ## SECRET-DATA
                timeout 5;
                /* Your TACACS server must be reachable using this source address,
                   and you should have an entry in the TACACS server for this particular source */
                source-address x.x.y.x;
            }
        }
    }

Here is TACACS: if you don't want to use the remote user, you could alternatively just put the following in your TACACS+ configuration file on the TACACS server, and bind the user with this particular server. You can use the local-user-name attribute for a specific user as well.

    service = junos-exec {
        local-user-name = username-local-to-router
        allow-commands = allow-commands-regexp
        allow-configuration = allow-configuration-regexp
        deny-commands = deny-commands-regexp
        deny-configuration = deny-configuration-regexp
    }

Regards, Masood
Blog: http://weblogs.com.pk/jahil/

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Nalkhande Tarique Abbas
Sent: Sunday, August 09, 2009 6:01 PM
To: Bill Blackford; Walaa Abdel razzak
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] tacplus on EX3200

Do you have a remote user configured? Please try to add this:

    system {
        login {
            user remote {
                full-name "All remote users";
                uid 2001;
                class super-user;
            }
        }
    }

Thanks Regards, Tarique A. Nalkhande

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Bill Blackford
Sent: Sunday, August 09, 2009 8:29 PM
To: Walaa Abdel razzak
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] tacplus on EX3200

    authentication-order [ tacplus password ];

-b

-Original Message-
From: Walaa Abdel razzak [mailto:wala...@bmc.com.sa]
Sent: Sunday, August 09, 2009 7:51 AM
To: Bill Blackford; juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] tacplus on EX3200

Hi

Did you check the authentication order on the router? Tacacs log on the server?

BR, Walaa Abdel Razzak

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Bill Blackford
Sent: Sunday, August 09, 2009 5:23 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] tacplus on EX3200

I'm struggling with getting tacplus working on my EX's and was hoping someone on the list has successfully done this.

    tacplus-server {
        ###.###.###.### {
            port 49;
            secret "my secret"; ## SECRET-DATA
            timeout 5;
            single-connection;
        }
    }

I currently have local accounts with two profiles: super-user and:

    class NOC {
        permissions [ view view-configuration ];
    }

I would want to integrate these two profiles into tacacs as well, but for now I'd like to just get it to authenticate. Tacacs is doing passthrough to AD and works fine with Cisco or Extreme devices. What am I missing?

Thanks -b

-- Bill Blackford Senior Network Engineer Technology Systems Group Northwest Regional ESD my /home away from home
Re: [j-nsp] BGP load-balancing
You don't need to configure per-packet load balance during the JNCIP-M lab. All you have to do is multipath.

Regards, Masood

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Aamir Saleem
Sent: Tuesday, March 24, 2009 1:31 PM
To: Arda Balkanay
Cc: Juniper Puck
Subject: Re: [j-nsp] BGP load-balancing

This is what I am pointing to: by enabling per-packet load balance we are able to load balance to the RIP prefix. But in the JNCIP-M study guide book the author didn't implement per-packet load balance in the case study solution; only multipath is enabled to load balance the RIP prefix. Is the statement given in the case study of iBGP ambiguous, or do we have to explicitly enable per-packet load balance to achieve the case study requirement?

Regards. Aamir
Re: [j-nsp] L2TPv3
Yea, Juniper M Series does not support L2TPv3 at this time, and there is no roadmap for it anytime in the near future. You can use l2circuit over a GRE/IP-IP tunnel. JUNOS now supports MPLS-in-GRE and MPLS-in-IP. You guys can now encapsulate the MPLS label stack for a packet with an IP header, making it possible to tunnel MPLS over networks that do not have MPLS enabled on their core routers. The following URL will confirm this: http://tinyurl.com/cb3dte

Regards, Masood

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Samit
Sent: Monday, March 09, 2009 3:32 PM
To: juniper-nsp
Subject: [j-nsp] L2TPv3

Hi,

I read some old posts in this list regarding L2TPv3 not being supported on M series. It is still not supported, am I right?

Regards, Samit
Re: [j-nsp] ispf support on Juniper routers
JUNOS software does not support ISPF but does perform partial route calculations when the OSPF topology is stable and only routing information changes. You can mix this process up even further with spf-options... I guess you will have ispf (enable/disable) in the same hierarchy :)

    ja...@r1# top set protocols ospf spf-options ?
    Possible completions:
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
      delay                Time to wait before running an SPF (50..8000 milliseconds)
      holddown             Time to hold down before running an SPF (2000..2 milliseconds)
      rapid-runs           Number of maximum rapid SPF runs before holddown (1..5)
    {master}[edit]

Regards, Masood

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Stefan Fouant
Sent: Thursday, March 05, 2009 4:22 PM
To: Andrew Jimmy; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] ispf support on Juniper routers

Yes it does. Jeff Doyle speaks of this in his book 'OSPF vs. IS-IS'. I am mobile right now and don't have my book here for reference, but IIRC Juniper supports incremental SPF runs when the additions to a given node are stub networks only. Harry Reynolds and many other knowledgeable folks are on this list - I'm sure they will correct me if I am wrong.

On 3/5/09, Andrew Jimmy go...@live.com wrote:

Does the Juniper router support the ispf feature, so that the router only recalculates a portion of the Shortest Path Tree when it receives local link state advertisements?

Cisco:

    router ospf 1
     ispf

-- Stefan Fouant
Stay the patient course. Of little worth is your ire. The network is down.
Re: [j-nsp] bgp maxas-limit - JUNOS equivalent ???
I agreed with something Jared said. You never know whom you are going to connect next to (Cisco :)). Save yourself n Save Others

Regards, Masood

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Jared Mauch
Sent: Friday, February 20, 2009 10:34 PM
To: Richard A Steenbergen
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] bgp maxas-limit - JUNOS equivalent ???

On Feb 20, 2009, at 12:13 PM, Richard A Steenbergen wrote:

On Fri, Feb 20, 2009 at 02:21:24PM +0100, david@orange-ftgroup.com wrote:

Hi, You can do it via a policy like this : Here MAX AS PATH equal to 20.

Don't get too overzealous here. From my perspective I currently see over 160 prefixes with as-path = 20, so blocking them would break legitimate announcements for no good reason. There was nothing out-of-spec or invalid about the 255 as-path, it was purely an implementation bug on vendor C's part.

I really feel the need to echo this: if you have a Cisco device that reset the BGP session as a result of this (technically) valid AS-PATH, you need to be careful to not suppress valid routes and isolate your network from part of the world. Perhaps you don't care, but having seen people not update bogon prefix lists, I fear the same here if not well maintained. You really should manage your IOS code as necessary and not add these config bits until you know when you're removing them.

- Jared
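The caution in this thread, that an AS-path length limit can drop legitimate announcements, can be checked before such a filter is deployed. The following is an added example, not code from any poster: it assumes the filter rejects paths strictly longer than the limit, and the routes are constructed samples using documentation prefixes and ASNs; the function names are hypothetical.

```python
import re

# An AS_SET is written in braces and counts as a single hop in path length.
AS_SET = re.compile(r"\{[^}]*\}")


def as_path_length(as_path):
    """Path length as BGP counts it: every AS in a sequence counts once per
    occurrence (prepends included); a whole AS_SET counts as one."""
    sets = AS_SET.findall(as_path)
    sequence = AS_SET.sub(" ", as_path).split()
    return len(sequence) + len(sets)


def distinct_asns(as_path):
    """Number of different ASNs in the path. A long path with few distinct
    ASNs is prepending, not a routing anomaly."""
    return len(set(re.findall(r"\d+", as_path)))


def audit_limit(routes, limit):
    """Return the routes that a 'reject AS paths longer than limit' policy
    would drop, with enough detail to judge whether each is legitimate."""
    dropped = []
    for prefix, path in routes:
        length = as_path_length(path)
        if length > limit:
            dropped.append(
                {"prefix": prefix, "length": length, "distinct": distinct_asns(path)}
            )
    return dropped


def lowest_safe_limit(routes):
    """Smallest limit that drops nothing currently in the table."""
    return max(as_path_length(path) for _, path in routes)


# Constructed sample table (documentation prefixes, documentation ASNs 64496-64511).
SAMPLE_ROUTES = [
    ("192.0.2.0/24", "64496 64497 64498"),
    # Heavy prepending: 22 hops but only 2 distinct ASNs.
    ("198.51.100.0/24", "64496 " + " ".join(["64499"] * 21)),
    # AS_SET at the end counts as one hop.
    ("203.0.113.0/24", "64496 64497 {64500 64501}"),
    # 16 distinct ASNs plus 5 prepends of the origin: 21 hops.
    ("2001:db8::/32", " ".join(str(a) for a in range(64496, 64512)) + " 64511" * 5),
]

if __name__ == "__main__":
    for hit in audit_limit(SAMPLE_ROUTES, 20):
        print(hit)
    print("lowest limit that drops nothing:", lowest_safe_limit(SAMPLE_ROUTES))
```

Run against a real table export, the list of dropped prefixes is what to review before committing a limit, and again whenever the limit is revisited.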
Re: [j-nsp] SNMP issue...
This is what it should be like r...@testcommunity

HTH

Regards, Masood

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Nilesh Khambal
Sent: Saturday, February 21, 2009 12:53 AM
To: Derick Winkworth
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] SNMP issue...

Are you querying like communityn...@instance-name? In your case it will be testcommun...@rdi. If not, can you try that.

Thanks, Nilesh.

Derick Winkworth wrote:

    #
    Feb 20 17:44:54 snmpd[4d88b0c2]
    Feb 20 17:44:54 snmpd[4d88b0c2] Get-Next-Request
    Feb 20 17:44:54 snmpd[4d88b0c2] Source: 10.254.0.33
    Feb 20 17:44:54 snmpd[4d88b0c2] Destination: 10.254.23.2
    Feb 20 17:44:54 snmpd[4d88b0c2] Version: SNMPv2
    Feb 20 17:44:54 snmpd[4d88b0c2] Request_id: 0x4d88b0c2
    Feb 20 17:44:54 snmpd[4d88b0c2] Community: testcommunity
    Feb 20 17:44:54 snmpd[4d88b0c2] Error: status=0 / vb_index=0
    Feb 20 17:44:54 snmpd[4d88b0c2] OID : mib_2
    Feb 20 17:44:54 snmpd[4d88b0c2]
    Feb 20 17:44:54 SNMPD_AUTH_FAILURE: nsa_initial_embedcomm: unauthorized SNMP community from 10.254.0.33 to unknown community name (testcommunity)
    ###

and here is the config...

    [edit snmp]
    juni...@bd-bottom-m120# show
    community testcommunity {
        authorization read-only;
        routing-instance RDI;
    }
    routing-instance-access;
    traceoptions {
        file snmp;
        flag all;
    }

The traffic is coming in on the RDI routing-instance, which is what we want... Any ideas? The community string is valid.
Re: [j-nsp] snmp oid for polling DCU
This will take you on an SNMP journey.

    ja...@r1# run show snmp mib walk 1

Regards, Masood

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of shariq qamar
Sent: Monday, February 16, 2009 6:46 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] snmp oid for polling DCU

Dear Techies,

I'm done with the QPPB configuration on my Juniper M320 box (JUNOS 8.5R3.4) and am successfully able to get counters for the destination class. I want to see the plot of the counters via an SNMP server. Will anybody explain to me how to get OID values in Juniper? What is the way to get the OID values for DCU so that we can poll the same via the SNMP server?

-- Regards, Shariq Qamar
Re: [j-nsp] SNMP interface index change after upgrade to 9.2
It's a simple UNIX file 'dcd.snmp_ix' (I believe Juniper guys don't change the format/syntax of the file with each upgrade), if you back up /var/db/dcd.snmp_ix while upgrading your JUNOS software and then later restore it.

    ja...@r1 file list /var/db/dcd.snmp_ix

Regards, Masood

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Patrik Olsson
Sent: Friday, February 13, 2009 5:19 PM
To: Chris Adams; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] SNMP interface index change after upgrade to 9.2

I use Cacti (it is free), have not seen this issue (yet). I think I will poke around in it a bit, but I am with Chris and Tom in the spirit.

Cheers Patrik
Re: [j-nsp] NSM
Check if you can find something similar while sitting at your J series :)

    set system services outbound-ssh client nsm

Regards, Masood

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of SunnyDay
Sent: Wednesday, February 11, 2009 5:35 PM
To: Juniper-Nsp
Subject: [j-nsp] NSM

Hello

Anyone know how I can configure a J series router so I can import it to Netscreen Security Manager (NSM)?

Thank You
Re: [j-nsp] transfer between 2 ns2000's is slow
I would suggest check CRC and duplex mismatch twice :) If everything goes fine then you better play with the following TCP tweaks:

    flow no-tcp-seq-check
    flow tcp-syn-check
    flow tcp-syn-bit-check

Regards, Masood

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Leslie
Sent: Wednesday, February 11, 2009 1:44 AM
To: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] transfer between 2 ns2000's is slow

I got some good advice that my limits are suspiciously close to some tcp limits -- I have tried some tuning in my kernel but I am going to try hacking around a bit more and see if it helps with anything as well.

Leslie wrote:

I'm having a strange problem that I haven't been able to fix after much studying -- Basically my setup is

    host 1 - fw1 - dedicated 1gige link (~25ms lag) - router2 - fw2 - host 2

I can blast udp across this pipe without a problem, but tcp traffic ch seems to be limited to about 3 mbyte/s -- I can make multiple sessions that are all transferring at this speed, but no individual session will go over that limit.

Another thing that makes me extremely suspicious is occasionally when I start a transfer I'll see a brief cpu spike -- like shown below

    get perf cpu detail
    Average System Utilization: 21%
    Last 60 seconds:
    59: 37    58: 34    57: 38    56: 27    55: 39    54: 38
    53: 81**  52: 76**  51: 81**  50: 77**  49: 82**  48: 62*
    47: 36    46: 37    45: 35    44: 36    43: 36    42: 35
    41: 32    40: 37    39: 33    38: 37    37: 34    36: 39
    35: 33    34: 38    33: 33    32: 39    31: 33    30: 39
    29: 31    28: 40    27: 29    26: 42    25: 35    24: 41
    23: 35    22: 38    21: 31    20: 35    19: 32    18: 41
    17: 35    16: 38    15: 34    14: 39    13: 35    12: 40
    11: 33    10: 40     9: 32     8: 39     7: 45     6: 39
     5: 34     4: 40     3: 35     2: 42     1: 36     0: 39

I've obviously spent hours and hours on the phone/email with tac without much help. Does anyone have any ideas of what could be doing this? Any troubleshooting tips?

Thank you Leslie
Re: [j-nsp] E320 question
Yea sure, but you need to keep an eye on redundant RSP, LM and interface related configuration, e.g. less or more number of physical interfaces, LM or RSP.

Regards, Masood
Blog: http://weblogs.com.pk/jahil/

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of SunnyDay
Sent: Friday, February 06, 2009 4:51 PM
To: juniper-Nsp
Subject: [j-nsp] E320 question

hello

Will a cnf config file work from an E320 to E120?

Thanks
Re: [j-nsp] Installing backup default-route from upstream by BGP condition?
I have replied to a Juniper forum topic on the same issue. Please find the link below: http://tinyurl.com/ba4r7p

Regards, Masood

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Markus
Sent: Sunday, February 08, 2009 3:03 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Installing backup default-route from upstream by BGP condition?

Hi,

on a M7i with 8.0R2.8 I'm receiving a full BGP feed from my upstream, and a single default-route through a second BGP session with the same upstream (but to another of their routers) for backup purposes if the first session should go down. Is there any way that allows to install the default-route only when the full BGP feed session goes down? What I want to achieve is that traffic to destinations which don't exist in the global routing table won't get sent out to the upstream at all. Can anyone point me to the right direction?

Thanks! Markus
Re: [j-nsp] cisco equilent com in juniper : under bgp configuration mode
This has already been discussed on list... the following URL will take you to the QPPB/DCU: http://markmail.org/message/et4gc4ysscxio7ra

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Mark Tinka
Sent: Wednesday, February 04, 2009 12:19 PM
To: juniper-nsp@puck.nether.net
Cc: shariq qamar
Subject: Re: [j-nsp] cisco equilent com in juniper : under bgp configuration mode

On Wednesday 04 February 2009 03:07:44 pm shariq qamar wrote:

I'm using the table map command in Cisco routers. Can anyone tell me the equivalent of the table-map command in Juniper configuration?

It looks like you're doing QPPB for Cisco. We managed to test the same on JunOS using DCU.

Mark.
Re: [j-nsp] merging IPv6 and IPv4 route in same policy
The following configuration should work for IPv6/IPv4 in the same policy.

    policy-statement O-R {
        term 1 {
            from {
                protocol ospf;
                route-filter fec0:0:0:4::/64 orlonger;
            }
            then accept;
        }
        term 2 {
            from {
                protocol ospf;
                route-filter 10.0.6.0/24 orlonger;
            }
            then accept;
        }
    }

Regards, Masood

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Ahmad Alhady
Sent: Sunday, December 28, 2008 9:52 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] merging IPv6 and IPv4 route in same policy

Can we merge matching IPv6 and IPv4 routes in the same config? For example:

    policy-statement O-R {
        term 1 {
            from {
                protocol ospf;
                route-filter 10.0.6.0/24 orlonger;
                route-filter fec0:0:0:4::/64 orlonger;
            }
            then accept;
        }
    }

It is giving me this message!

    Policy: invalid prefix fec0:0:0:4::/64 for family inet
    error: configuration check-out failed

Ahmad
Re: [j-nsp] merging IPv6 and IPv4 route in same policy
What's wrong in using two terms :)

Regards, Masood

From: Ahmad Alhady [mailto:ahmad.alh...@yahoo.com]
Sent: Sunday, December 28, 2008 10:23 PM
To: Masood Ahmad Shah; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] merging IPv6 and IPv4 route in same policy

But in 2 different terms, not in the same term? I was asking about the same term.

Thanks

From: Masood Ahmad Shah mas...@nexlinx.net.pk
To: Ahmad Alhady ahmad.alh...@yahoo.com; juniper-nsp@puck.nether.net
Sent: Sunday, December 28, 2008 8:14:11 PM
Subject: RE: [j-nsp] merging IPv6 and IPv4 route in same policy

The following configuration should work for IPv6/IPv4 in the same policy.

    policy-statement O-R {
        term 1 {
            from {
                protocol ospf;
                route-filter fec0:0:0:4::/64 orlonger;
            }
            then accept;
        }
        term 2 {
            from {
                protocol ospf;
                route-filter 10.0.6.0/24 orlonger;
            }
            then accept;
        }
    }

Regards, Masood

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Ahmad Alhady
Sent: Sunday, December 28, 2008 9:52 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] merging IPv6 and IPv4 route in same policy

Can we merge matching IPv6 and IPv4 routes in the same config? For example:

    policy-statement O-R {
        term 1 {
            from {
                protocol ospf;
                route-filter 10.0.6.0/24 orlonger;
                route-filter fec0:0:0:4::/64 orlonger;
            }
            then accept;
        }
    }

It is giving me this message!

    Policy: invalid prefix fec0:0:0:4::/64 for family inet
    error: configuration check-out failed

Ahmad
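The two messages above turn on one point: a term whose route-filters span both address families fails the commit check, while one term per family is the layout the reply proposes. The following is an added example, not code from either poster, that flags mixed-family terms in policy text and renders the per-family layout from a flat prefix list; the function names and the generated term names are hypothetical.

```python
import ipaddress
import re

# Junos address-family names keyed by IP version.
FAMILY = {4: "inet", 6: "inet6"}

# Matches either the start of a term or a route-filter prefix; it works on
# flattened single-line text as well as on indented configuration.
TOKEN = re.compile(r"\bterm\s+(\S+)\s*\{|\broute-filter\s+(\S+)")


def mixed_family_terms(policy_text):
    """Return the names of terms whose route-filters mix IPv4 and IPv6."""
    families = {}
    current = None
    for match in TOKEN.finditer(policy_text):
        if match.group(1):
            current = match.group(1)
            families[current] = set()
        elif current is not None:
            net = ipaddress.ip_network(match.group(2), strict=False)
            families[current].add(FAMILY[net.version])
    return sorted(term for term, seen in families.items() if len(seen) > 1)


def group_by_family(route_filters):
    """Validate (prefix, match_type) pairs and bucket them by family.

    strict=True raises ValueError for a malformed prefix or one with host
    bits set, so a typo fails here rather than at commit time.
    """
    groups = {}
    for prefix, match_type in route_filters:
        net = ipaddress.ip_network(prefix, strict=True)
        groups.setdefault(FAMILY[net.version], []).append((str(net), match_type))
    return groups


def render_policy(name, protocol, route_filters):
    """Render a policy-statement with one term per address family."""
    groups = group_by_family(route_filters)
    out = [f"policy-statement {name} {{"]
    for family in ("inet", "inet6"):
        if family not in groups:
            continue
        out.append(f"    term {protocol}-{family} {{")
        out.append("        from {")
        out.append(f"            protocol {protocol};")
        for prefix, match_type in groups[family]:
            out.append(f"            route-filter {prefix} {match_type};")
        out.append("        }")
        out.append("        then accept;")
        out.append("    }")
    out.append("}")
    return "\n".join(out)


# The policy from the question, flattened as it appears in the thread.
QUESTION_POLICY = (
    "policy-statement O-R { term 1 { from { protocol ospf; "
    "route-filter 10.0.6.0/24 orlonger; "
    "route-filter fec0:0:0:4::/64 orlonger; } then accept; } }"
)
FILTERS = [("10.0.6.0/24", "orlonger"), ("fec0:0:0:4::/64", "orlonger")]

if __name__ == "__main__":
    print("mixed-family terms:", mixed_family_terms(QUESTION_POLICY))
    print(render_policy("O-R", "ospf", FILTERS))
```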
Re: [j-nsp] EX Series Experiences
http://weblogs.com.pk/jahil/archive/2008/12/26/juniper-switches.aspx

Regards, Masood

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella
Sent: Saturday, December 27, 2008 5:10 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] EX Series Experiences

All,

I am looking to purchase a few Juniper EX switches, specifically 3200 series. I am interested in hearing how they are performing, and if they are stable.

Regards, Brendan Mannella
Re: [j-nsp] JR Global static route configuration
Two minor points: you can have multiple static routes for the same destination address with the same preference (Juniper) / admin distance (Cisco) and different interfaces for load balancing. The exception is the default gateway 0.0.0.0, which can only occur once per admin distance, but you can use the interface method with different admin distances described above to provide resilience for 0.0.0.0. These methods are used when you do not want to use a routing protocol.

You can have multiple static routes for the same destination address with different preference (Juniper) / admin distance (Cisco). In the Juniper world, Qualified Next Hops is the way to go. For example:

    routing-options {
        static {
            route 1.1.1.1/32 {
                next-hop 2.2.2.2;
                qualified-next-hop 3.3.3.3 {
                    preference 5;
                }
            }
        }
    }

Regards, Masood

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jose Madrid
Sent: Friday, November 21, 2008 7:07 PM
To: harish T
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] JR Global static route configuration

Yes, someone on here will correct me if I'm wrong, but I believe qualified-next-hop is what you want. http://www.juniper.net/techpubs/software/junos/junos73/swconfig73-routing/html/routing-summary51.html

On Fri, Nov 21, 2008 at 1:58 AM, harish T [EMAIL PROTECTED] wrote:

Hi,

Can we configure more than one instance of Global static route for a particular destination address?

    Static route 1:
    destination mask: 255.255.255.252
    destination prefix: 10.12.32.0
    next hop: 156.65.21.2

    Static route 2:
    destination mask: 255.255.255.252
    destination prefix: 10.12.32.0
    next hop: 100.200.333.1

Is it possible to have more than one entry of static route for a particular network like above?

-- To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
With regards Harish.T

-- It has to start somewhere, it has to start sometime. What better place than here? What better time than now?
Re: [j-nsp] bgp as-path
neighbor remove-private-as

Removes private AS numbers in updates sent to external peers. Private AS numbers are only in the range 64,512-65,535.

Regards, Masood

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SunnyDay
Sent: Friday, November 14, 2008 11:43 PM
To: Hyunseog Ryu
Cc: juniper-Nsp
Subject: Re: [j-nsp] bgp as-path

Yes I know, but what if the AS-PATH contains both public and private? What will happen then? I read that the OS will consider it a config error?

Hyunseog Ryu wrote:

From bgp options, you can find 'remove-private-as' or something like that.

Sent from my Windows Mobile® phone.

-Original Message-
From: SunnyDay [EMAIL PROTECTED]
Sent: Friday, November 14, 2008 12:35 PM
To: juniper-Nsp juniper-nsp@puck.nether.net
Subject: [j-nsp] bgp as-path

hello

I want to know what the behavior will be if the AS-PATH contains both public and private ASNs, and is it possible to remove all private ones?

Thanks
Re: [j-nsp] Metro Ethernet CPE
The PPPoE interface to the access concentrator can be a Fast Ethernet interface on any Services Router, a Gigabit Ethernet interface on J4350 and J6350 Services Routers, an ATM-over-ADSL or ATM-over-SHDSL interface on all J-series Services Routers except the J2300, or an ATM-over-SHDSL interface on a J2300 Services Router. The PPPoE configuration is the same for both interfaces. The only difference is the encapsulation for the underlying interface to the access concentrator:

If the interface is Ethernet, use a PPPoE encapsulation.
If the interface is ATM-over-ADSL or ATM-over-SHDSL, use a PPPoE over ATM encapsulation.

Regards, Masood

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GIULIANO (UOL)
Sent: Wednesday, October 29, 2008 3:38 PM
To: FAHAD ALI KHAN
Cc: juniper-nsp
Subject: Re: [j-nsp] Metro Ethernet CPE

J-Series can help you. J-2320, J2350, J4350, J-6350. The whole family can help you with all features (I need to check PPPoE support). The differences are related to traffic processing and capacity.

Att,

Guys...! We are looking for a good range of CPE (routers) for Home users SMBs... and wish if the following features are supported.

- FastEthernet port for WAN LAN
- 802.1Q Trunking support on both FEs
- IPv4 support (IPv6 is optional)
- PPPoE support on FastEthernet main/Sub-interface (didn't find it in 1800 ISR)
- Basic QoS feature set
- GRE/IPSEC support
- Static/RIP/OSPF/BGP support
- Network Management support - SNMP
- BFD or ELMI support
- DHCP client

What will be the best suited cost effective CPE for offering triple play services over a Metro Ethernet Network? Input from Metro Ethernet Service providers will be highly appreciable.

Regards
Fahad
Re: [j-nsp] M-Series Authentication via Tacacs and authorization via local class
When you are using RADIUS or TACACS+ authentication, you can create single accounts (for authorization purposes) that are shared by a set of users.

http://www.juniper.net/techpubs/software/junos/junos57/swconfig57-getting-started/html/sys-mgmt-authentication4.html#1039222

HTH

Regards,
Masood Ahmad Shah
BLOG: http://www.weblogs.com.pk/jahil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aamir Saleem
Sent: Friday, September 26, 2008 11:18 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] M-Series Authentication via Tacacs and authorization via local class

Hello,

I want locally configured users to authenticate from the TACACS+ server first, with local authentication as second priority. Authorization of commands must be permitted from the local account configured on the M-Series routers. Does anybody have any idea how to accomplish this?

I have the following class and user configured on the M-Series for authorization purposes.

    class superuser-local {
        idle-timeout 5;
        permissions all;
        deny-commands "(file delete)|(clear log)";
        deny-configuration "system login";
    }
    user noc {
        uid 2018;
        class superuser-local;
    }

Authentication order

    authentication-order [ tacplus password ];

Thanks
Re: [j-nsp] dhcp-relay on MX
What do you get when you do show helper statistics?

You can also use a packet capturing application like Ethereal on the DHCP server, just to check whether the packets are being forwarded to the DHCP server or not.

If you need to, include the maximum-hop-count statement; the default value is 4 hops.

To set the routing instance of the server to forward to, if different, include the routing-instance statement.

Regards,
Masood

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marlon Duksa
Sent: Wednesday, September 17, 2008 11:01 PM
To: Nicolaj Kamensek
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] dhcp-relay on MX

Still no luck. This is what I have. Also, there is no firewall in this network.

    forwarding-options {
        helpers {
            bootp {
                server 10.0.0.100;
                relay-agent-option;
            }
        }
    }
    interfaces {
        # client side
        ge-0/0/0 {
            unit 0 {
                family inet {
                    unnumbered-address lo0.0 preferred-source-address 1.1.1.1;
                }
            }
        }
    }

On Wed, Sep 17, 2008 at 4:23 AM, Nicolaj Kamensek [EMAIL PROTECTED] wrote:

Marlon Duksa wrote:

Hi
Does anyone know why DHCP discover packets are not relayed through an MX from my client to an external DHCP server that resides on the same network as one of the interfaces on the MX (I can ping this DHCP server from the MX).

Keep in mind that dhcp-relay is done via the routing-engine, so your RE firewall filter might be the reason. You need to allow dhcp/bootp packets there.

Regards

--
Accelerated IT Services GmbH
Schubertstrasse 10
D-67251 Freinsheim
[EMAIL PROTECTED]
http://www.accelerated.de/
Phone: +49 69-25738580-3
Fax: +49 69-25738580-4
HRB: 60665 - Amtsgericht Ludwigshafen
VAT ID: DE253684415
Managing partners: Nicolaj Kamensek, Ole Krieger
Re: [j-nsp] OSPF inside VRF - Cisco Juniper Interoperability
If Cisco to Cisco works fine, then the problem seems to be in interpreting the domain ID. If the OSPF domain ID for the destination PE differs from the originating PE, MP-BGP redistributes the route into OSPF as an OSPF type 5 external route.

There is another way to preserve OSPF routes across the MPLS VPN: the OSPF route type extended community attribute. You can try this too.

Regards,
Masood

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Junaid
Sent: Wednesday, August 27, 2008 12:44 AM
To: Juniper Puck
Subject: [j-nsp] OSPF inside VRF - Cisco Juniper Interoperability

Hi,

I am caught up in what seems to be a Juniper Cisco interoperability issue. I am running OSPF with the customer inside a VRF. The topology is something like the following:

    CE1 ---[Area 0]--- PE1 P1 --- P2 --- PE2 ---[Area 6]--- CE2

The two P routers are acting as route reflectors. CE1, CE2 and PE1 are Cisco devices while the rest are Juniper M-series routers.

The problem I am facing is that CE1 routes received at CE2 are inter-area, which is what is required (no redistribution into OSPF is done on CE1 and CE2). However, CE2 routes received by CE1 are Type 5 (E1). The documentation states that in order to preserve the route types, domain IDs should be the same on both PE routers. I have set the domain ID to be 1.1.1.1:512. This was done on Cisco via the command:

    domain-id type 0105 value 010101010200

and on Juniper as:

    domain-id 1.1.1.1:512

in the OSPF configuration inside the VRF. Also, on Juniper the domain-id was added into the OSPF routes when redistributing them into MBGP.
The problem seems to be with the Cisco PE1 router, which can't seem to interpret the route-type attribute generated by Juniper:

    PE1#sh ip bgp vpnv4 all 10.254.20.254
    BGP routing table entry for 1:103:10.254.20.254/32, version 550
    Paths: (1 available, best #1, table VPN_OSPF)
      Not advertised to any peer
      Local
        PE2_Loopback_IP (metric 4) from P1_Loopback_IP (P1_Loopback_IP)
          Origin IGP, metric 2, localpref 100, valid, internal, best
          Extended Community: RT:1:103 OSPF DOMAIN ID:0x0105:0x010101010200
            0x306:0:393472

10.254.20.254/32 is advertised by CE2 (assigned on one of its loopback interfaces). Now the domain ID is fine, but it seems that Cisco is unable to interpret the route-type attribute. 393472 translates to 60100, where 6 is the area ID, 01 says that it is a type 1 LSA, and the last two bytes are options, which are not used in this case. Upon receiving this route via MBGP, PE1 injects a type 5 LSA towards CE1 (confirmed on CE1 by enabling debugging) where it should have injected type 3:

    OSPF: Ack Type 5, LSID 10.254.20.254, Adv rtr 10.254.1.1, age 5, seq 0x8001

If I replace the Juniper PE2 with a Cisco, then PE1 seems to interpret the route-type attribute correctly and injects a type 3 LSA towards CE1, and CE1 receives the routes as inter-area:

    PE1#sh ip bgp vpnv4 all 10.254.20.254
    BGP routing table entry for 1:103:10.254.20.254/32, version 676
    Paths: (1 available, best #1, table VPN_OSPF)
      Not advertised to any peer
      Local
        PE2_Loopback_IP (metric 2) from P1_Loopback_IP (P1_Loopback_IP)
          Origin incomplete, metric 2, localpref 100, valid, internal, best
          Extended Community: RT:1:103 OSPF DOMAIN ID:0x0005:0x010101010200
            OSPF RT:0.0.0.6:2:0 OSPF ROUTER ID:10.254.2.1:512

Debug output:

    OSPF: Ack Type 3, LSID 10.254.20.254, Adv rtr 10.254.1.1, age 1, seq 0x8001

Any idea what is causing this behavior? Any solution? Will appreciate any help.

(The problem involves both Juniper and Cisco routers, but I am posting it here as I believe most guys here have worked on both platforms.)
Regards,
Junaid
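Added example (not part of the thread and not vendor code): the decoding Junaid walks through for 0x306:0:393472, written out in Python against the OSPF Route Type extended community layout of RFC 4577 (2-byte type, 4-byte area, 1-byte route type, 1-byte options). The function names, and the reading of the generic rendering as type:2-byte field:4-byte field, are assumptions of this example.

```python
import ipaddress
import struct

# Type codes RFC 4577 (section 4.2.6) assigns to the OSPF Route Type community.
ROUTE_TYPE_CODES = (0x0306, 0x8000)

# Route-type byte values defined by RFC 4577.
ROUTE_TYPES = {
    1: "intra-area (from a type 1 LSA)",
    2: "intra-area (from a type 2 LSA)",
    3: "inter-area (summary)",
    5: "external",
    7: "NSSA",
}


def pack_generic(text):
    """Pack a 'type:admin:value' rendering into the 8 wire bytes.

    Assumption: the middle field is 2 bytes and the last field 4 bytes,
    matching how PE1 printed the community in the thread.
    """
    type_code, admin, value = (int(part, 0) for part in text.split(":"))
    return struct.pack("!HHI", type_code, admin, value)


def encode_route_type(area, route_type, options=0, type_code=0x0306):
    """Build the community: type, 4-byte area, route type, options."""
    area_number = int(ipaddress.IPv4Address(area))
    return struct.pack("!HIBB", type_code, area_number, route_type, options)


def decode_route_type(raw):
    """Decode 8 raw bytes; ValueError if not an OSPF Route Type community."""
    if len(raw) != 8:
        raise ValueError("an extended community is exactly 8 bytes")
    type_code, area, route_type, options = struct.unpack("!HIBB", raw)
    if type_code not in ROUTE_TYPE_CODES:
        raise ValueError(f"type 0x{type_code:04x} is not OSPF Route Type")
    if route_type not in ROUTE_TYPES:
        raise ValueError(f"undefined route type {route_type}")
    return {
        "type_code": type_code,
        "area": str(ipaddress.IPv4Address(area)),
        "route_type": route_type,
        "meaning": ROUTE_TYPES[route_type],
        # Low options bit marks a type 2 external metric (external routes).
        "external_metric_type_2": bool(options & 0x01),
    }


if __name__ == "__main__":
    # Value quoted in the thread for the Juniper-originated route.
    juniper = pack_generic("0x306:0:393472")
    print(juniper.hex(), decode_route_type(juniper))
    # Fields of "OSPF RT:0.0.0.6:2:0"; the type code is not shown in the
    # thread, so 0x8000 here is an assumption to exercise the second code.
    other = encode_route_type("0.0.0.6", 2, 0, type_code=0x8000)
    print(other.hex(), decode_route_type(other))
```

The first value decodes to area 0.0.0.6, route type 1, options 0, which is the reading given in the post.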
Re: [j-nsp] Restricting RADIUS Routes for E120
Yea, you can set the route preferences (in the Cisco world, administrative distance). For this you need to find the route preference RADIUS attribute... here is the list of supported RADIUS attributes...

http://www.juniper.net/techpubs/software/erx/erx50x/swconfig-broadband/html/radius-attributes.html

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amr
Sent: Monday, August 25, 2008 11:21 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Restricting RADIUS Routes for E120

Dear All,

I have a problem on my E120 router, where I have configured the RADIUS server to send the users on the E120 their IP subnet, so that the IP subnets of the users will be Access-internal routes as below:

    E120#sh ip route 10.10.10.10
    Protocol/Route type codes:
      I1- ISIS level 1, I2- ISIS level2,
      I- route type intra, IA- route type inter, E- route type external,
      i- metric type internal, e- metric type external,
      P- periodic download, O- OSPF, E1- external type 1, E2- external type2,
      N1- NSSA external type1, N2- NSSA external type2
      L- MPLS label, V- VRF, *- via indirect next-hop

    Prefix/Length    Type        Next Hop   Dst/Met  Interface
    ---------------  ----------  ---------  -------  ------------------------------
    10.10.10.10/32   *AccIntern  *0.0.0.0   2/0      GigabitEthernet3/0/0.505252.59

But by mistake someone configured the RADIUS to send the default route (0.0.0.0/0) for a specific user, which affects the performance of the E120 router and modified the current default route learned by OSPF.

So the question is: is it possible to restrict the routes that come from the RADIUS server and not accept them all (e.g. denying the default route from the RADIUS)?

Or is it possible to modify the admin distance for the Access-internal routes so that it will be higher than the dynamic default route configured on the E120 router?

Appreciate your help.

Thanks in advance

Regards
Amr
Re: [j-nsp] LDP Session over GRE Tunnel
Two things can prevent LDP adjacencies: MTU, fragmentation or access list.

You need to check the MTU size at both sides as you are using tunnel interfaces. You may need to look at data fragmentation too; in both cases try adjusting the MTU size.

Look into IGP prefix lists, distribute lists or access-lists if you are using them...

Regards,
Masood

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Farhan Jaffer
Sent: Monday, August 25, 2008 7:06 PM
To: Juniper Puck
Subject: [j-nsp] LDP Session over GRE Tunnel

Hi,

I am testing connectivity over a GRE tunnel. The IBGP session is established, the LSP is also established, however the LDP session is not going to establish.

Any idea?

FJ
Re: [j-nsp] LDP Session over GRE Tunnel
Yea you can have established LSP without LDP. Guess how :)

What if you are running both LDP and RSVP... ;)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Junaid
Sent: Monday, August 25, 2008 8:35 PM
To: Farhan Jaffer
Cc: Juniper Puck
Subject: Re: [j-nsp] LDP Session over GRE Tunnel

Hi,

Check the transport addresses used by LDP on both nodes. These addresses should be reachable via IGP or static routes over the GRE.

It is surprising that LSP is established without LDP!

Regards,
Junaid

On Mon, Aug 25, 2008 at 8:05 PM, Farhan Jaffer [EMAIL PROTECTED] wrote:

Hi,

I am testing connectivity over GRE tunnel, IBGP session is established, LSP is also established, however LDP session is not going to establish.

Any idea?

FJ
Re: [j-nsp] Strange RX issue w/ GE PIC
There can be multiple reasons for these input errors.

- Policed Discards: Frames that the incoming packet match code discarded because they were not recognized or of interest. Usually, this field reports protocols that the JUNOS software does not handle, such as CDP.
- L3 incompletes: This counter is incremented when the incoming packet fails Layer 3 (usually IPv4) sanity checks of the header. For example, a frame with less than 20 bytes of available IP header would be discarded and this counter would be incremented.
- L2 mismatch timeouts: Count of malformed or short packets that cause the incoming packet handler to discard the frame as unreadable.
- HS link CRC errors: Count of errors on the high-speed links between the ASICs responsible for handling the router interfaces.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Van Tol
Sent: Monday, August 25, 2008 8:05 PM
To: 'juniper-nsp@puck.nether.net'
Subject: [j-nsp] Strange RX issue w/ GE PIC

Hi all,

I'm experiencing a strange RX issue on a link and I need some more ideas on where to look. Two routers, an M7i and M20, are connected back-to-back, sort-of (there's optical gear between them, obviously), over a WDM link. Ping tests work perfectly from one to the other, using various packet sizes. When enabling traffic from the M7i to the M20 by lowering an OSPF metric, the link works fine. When enabling traffic in the opposite direction, M20 to M7i, I begin to get massive input errors on the M20 GE PIC. I see no errors at all on the M7i side, ever. Errors only start to accrue when traffic reaches a certain as-yet-undetermined level, when bi-directional traffic is enabled.

Done so far:

- Cleaned every connector in the path.
- Replaced both patch cables at either end of the link.
- Installed intermediary switch to rule out PIC/SFP problems.
- Failed over to redundant light path to rule out primary path problems.

In what situation would one see input errors accrue on one side, but only when bi-directional traffic is enabled?

Thanks,
evt
[j-nsp] egress PE disappear explicit-null
I came up with an issue: the Juniper M Series router is unable to pop explicit-null and decrease the IP TTL at the same time, making the egress PE disappear from traceroute when using core-hiding and explicit-null. Is there any workaround?
[j-nsp] PPPoE tunnel and Firewall
I'm really getting confused while adding a firewall for DSL subscribers. I want to protect my PPPoE subscribers from malicious traffic. Adding a firewall between the DSLAMs and the BRAS is kind of confusing for me.

The final topology is going to be like:

    CPE <-- DSLAM <---> Firewall <-- BRAS --- Internet

From CPE to BRAS is a PPPoE tunnel.

The question: can a firewall protect PPPoE customers from malicious traffic while sitting in transparent mode in front of the BRAS? I wonder whether the firewall will skip the PPPoE tunnel traffic. If yes, then how do you guys protect BRAS internal traffic from one subscriber to another?
Re: [j-nsp] Full routing table feed on M7i and M10i
The full BGP table of the internet is big. The BGP table is held in memory. If you use 1GB of RAM or more, you can store 3 full BGP tables. M7i and M10i both come with a fast CPU. You will not have to worry about processing, it's Juniper :)

Regards,
Masood

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Samit
Sent: Sunday, July 20, 2008 1:00 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Full routing table feed on M7i and M10i

Hi list,

With RE-850, can the Juniper M7i or M10i effectively handle 3+ full routing table feeds from multiple upstreams?

Regards,
Samit
[j-nsp] Track-IP functionality in Junos
I am looking for a track-ip functionality in Junos, which will be able to retire a route based on IP reachability (ping or something like this). Is this anything we can do?

Regards,
Masood Ahmad Shah
Re: [j-nsp] list admin garbage - unimportant you can delete me
Many thanks for running one of the leading mailing lists. Keep it up.. you are great

Regards,
Masood Ahmad Shah
BLOG: http://www.weblogs.com.pk/jahil

-----Original Message-----
From: Jared Mauch [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 18, 2008 10:40 PM
To: Masood Ahmad Shah
Cc: 'Erik Erasmus'; juniper-nsp@puck.nether.net
Subject: list admin garbage - unimportant you can delete me

Just as a follow-up, there are over 2500 people on the list. I wanted to thank everyone who helps make this forum what it is in helping each other out.

- Jared

--
Jared Mauch | pgp key available via finger from [EMAIL PROTECTED]
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
[j-nsp] Is this true
http://www.cisco.com/en/US/products/hw/routers/ps133/prod_system_test_report0900aecd801b9424.html

:)

Regards,
Masood
[j-nsp] Bridging two LAN over IP
How do you guys bridge two different networks (Ethernet LANs) over IP routed networks in Juniper (JUNOS)? Or is there something like L2TPv3 pseudowires in Juniper routers? If yes, which model supports it?

What if you want to forward broadcast traffic for a specific port between two different networks? Like in Cisco:

    Cisco#ip forward-protocol udp ?
      0-65535  Port number

    Juniper# I don't know :)

Regards,
Masood Ahmad Shah