Re: [j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?

2024-05-03 Thread Michael Hare via juniper-nsp
Martin- Yes, we use the source-prefix-list autogenerated with external scripting based on config parsing of eBGP peers with ttl 255 set. Below is what our BGP RE rules look like on a PE; it probably has its own problems deserving feedback. I show v4 but we have corresponding for v6. You
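The approach the reply describes (a lo0 filter whose BGP terms accept only known peers, with eBGP additionally required to arrive with TTL 255, i.e. GTSM) can be sketched as Junos config. This is an added example, not the poster's production filter: the prefix-list names, the addresses in them, and the filter and counter names are all assumptions made here for illustration.

```junos
/* Added example, not the poster's production RE filter.  Prefix-list names,
   addresses and the filter/counter names are assumptions for illustration. */
policy-options {
    prefix-list ebgp-peers-v4 {
        /* constructed sample entries; in practice generated from the
           configured eBGP neighbors (the poster scripts this from config) */
        192.0.2.1/32;
        198.51.100.9/32;
    }
    prefix-list ibgp-peers-v4 {
        /* loopback block used for iBGP sessions (assumed) */
        203.0.113.0/24;
    }
}
firewall {
    family inet {
        filter protect-re-v4 {
            /* eBGP: peer must be on the directly connected link and must
               send TTL 255, so a spoofed packet from further away cannot
               arrive with that TTL (GTSM).  Requires "ttl 255" on the
               peers' side too, otherwise their real sessions are dropped. */
            term bgp-ebgp-gtsm {
                from {
                    source-prefix-list {
                        ebgp-peers-v4;
                    }
                    protocol tcp;
                    ttl 255;
                    port bgp;
                }
                then accept;
            }
            /* iBGP: loopback-to-loopback, multi-hop, so no TTL check here */
            term bgp-ibgp {
                from {
                    source-prefix-list {
                        ibgp-peers-v4;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* any other traffic to or from port 179 is not a configured peer */
            term bgp-deny {
                from {
                    protocol tcp;
                    port bgp;
                }
                then {
                    count bgp-unknown-source;
                    log;
                    discard;
                }
            }
            /* terms for the remaining control-plane protocols follow */
        }
    }
}
```

Two practitioner notes. `port bgp` matches either source or destination port 179, so the terms cover the session regardless of which side opened it. If you would rather not script the prefix lists, Junos can derive them from the BGP configuration with `apply-path "protocols bgp group <ebgp-*> neighbor <*>"`, but that only separates eBGP from iBGP peers if your group names already encode that distinction, and it will not help for eBGP multihop peers, which need their own term without the `ttl 255` match.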

Re: [j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?

2024-04-28 Thread Michael Hare via juniper-nsp
Martin, Saku is illuminating how difficult it can be to effectively protect the control plane. If I were to post our production RE filter I would likely be humbled with what I've overlooked as well. Thanks for sharing for commentary and discussion. Saku's comment about using router-ipv4

Re: [j-nsp] L3VPNs and on-prem DDoS scrubbing architecture

2024-04-04 Thread Michael Hare via juniper-nsp
L3VPNs and on-prem DDoS scrubbing architecture > > On Tue, Apr 02, 2024 at 07:43:01PM +0300, Alexandre Snarskii via juniper- > nsp wrote: > > On Tue, Apr 02, 2024 at 03:25:21PM +, Michael Hare via juniper-nsp > wrote: > > > > Hi! > > > > Workaround tha

Re: [j-nsp] L3VPNs and on-prem DDoS scrubbing architecture

2024-04-03 Thread Michael Hare via juniper-nsp
Saku, Mark- Thanks for the responses. Unless I'm mistaken, short of specifying a selective import policy, I think I'm already doing what Saku suggests, see relevant config snippet below. Our clean VRF is L3VPN-4205. But after I saw the lack of mac based next hops I started searching to see

Re: [j-nsp] (No subject)

2024-04-02 Thread Michael Hare via juniper-nsp
] On Apr 2, 2024, at 10:25, Michael Hare via juniper-nsp <mailto:juniper-nsp@puck.nether.net> wrote: Hi there, We're a US research and education ISP and we've been tasked with coming up with an architecture to allow on premise DDoS scrubbing with an appliance. As a first pass I've c

[j-nsp] L3VPNs and on-prem DDoS scrubbing architecture

2024-04-02 Thread Michael Hare via juniper-nsp
Hi there, We're a US research and education ISP and we've been tasked with coming up with an architecture to allow on premise DDoS scrubbing with an appliance. As a first pass I've created a cleanL3VPN routing-instance to function as a clean VRF that uses rib-groups to mirror the relevant

Re: [j-nsp] Juniper publishes Release notes as pdf

2024-03-18 Thread Michael Hare via juniper-nsp
TLDR: Juniper: please keep the PDFs. I like control-F. I may need a lesson in remedial use of browsers, but I find the PDFs useful and I don't print them. Do people really have the time to navigate/click on all of these hyperlinks, or am I missing an obvious way to control-F the entire

Re: [j-nsp] Difference in "MX204" and "MX204-HW-BASE"?

2024-01-11 Thread Michael Hare via juniper-nsp
Richard just reports the news, and at risk of keeping this thread alive, I thought I'd give our real world experiences. I've upgraded both newer "licensed based" mx204s and perpetual pre-sku-change mx204s to 22.4. I can attest regardless I had no problems with BGP or anything else. All of

Re: [j-nsp] RSVP hidden routes in inet.0

2023-12-11 Thread Michael Hare via juniper-nsp
Hi Misak, I think what you're seeing is normal for protection LSPs, "dirty hack on the control plane side", but I'm looking forward to being humbled on this list that my conclusion is incorrect. We use "ldp interface link-protection dynamic-rsvp-lsp" and for all my bypass LSPs, 'show route

Re: [j-nsp] Hardware configuration for cRPD as RR

2023-12-07 Thread Michael Hare via juniper-nsp
I recognize Saku's recommendation of rib sharding is a practical one at 20M routes, I'm curious if anyone is willing to admit to using it in production and on what version of JunOS. I admit to not having played with this in the lab yet, we are much smaller [3.5M RIB] worst case at this point.

Re: [j-nsp] MX304 - Edge Router

2023-10-25 Thread Michael Hare via juniper-nsp
Richard- Sorry if this is off topic, but what's the use case for Base license on an MX? Is it just to align the name of the licensing with EX and the ilk? Are there significant customers using hardware as whitebox? We've been Juniper customer since the m40 days and always routed with them.

Re: [j-nsp] MX304 - Edge Router

2023-10-25 Thread Michael Hare via juniper-nsp
Re: "In your specific case, the ports never worked, you had to procure a license, and the license never dies." Here's a cool story. At some point I migrated the perpetual 10G FPC2 SFP+ port license on our MX104s from the "request system license add" mantra to "set system license" so it was

Re: [j-nsp] Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP peering Sessions?

2023-09-27 Thread Michael Hare via juniper-nsp
FWIW, I deployed it for iBGP on MX gear in 20.4 with no concerns for an ASN I manage. No issues in our lab with a mix of 20.4, 21.2 and 22.4, all classic JunOS. I haven't tried it in any other scenario. -Michael > -Original Message- > From: juniper-nsp On Behalf Of Barry > Greene via

[j-nsp] experiences with MX ipfix active and inactive flow timeouts at 15s or lower?

2022-10-28 Thread Michael Hare via juniper-nsp
Anyone running with less than 30s ipfix active and inactive flow timeouts willing to share positive or negative experiences? Our target platform is mx10003. We've been running active 60 inactive 30 for quite some time and are looking to move closer to the known configuration floor of 10 for

Re: [j-nsp] port-mirror with source inside routing-instance type vrf

2022-10-18 Thread Michael Hare via juniper-nsp
to all who chimed in, -Michael > -Original Message- > From: juniper-nsp On Behalf Of > Michael Hare via juniper-nsp > Sent: Tuesday, October 11, 2022 11:04 AM > To: Chuck Anderson ; juniper-nsp@puck.nether.net > Subject: Re: [j-nsp] port-mirror with source inside routing-

Re: [j-nsp] MX204 FPC won't start after upgrade.

2022-10-16 Thread Michael Hare via juniper-nsp
Matt, Are you hitting https://prsearch.juniper.net/problemreport/PR1629943 ? -Michael > -Original Message- > From: juniper-nsp On Behalf Of > Matthew Crocker via juniper-nsp > Sent: Sunday, October 16, 2022 4:39 PM > To: juniper-nsp@puck.nether.net > Subject: [j-nsp] MX204 FPC won't

Re: [j-nsp] port-mirror with source inside routing-instance type vrf

2022-10-11 Thread Michael Hare via juniper-nsp
n; > address 10.235.43.0/31 { > arp 10.235.43.1 mac 02:02:02:02:02:02; > } > } > } > } > } > > On Tue, Oct 11, 2022 at 02:37:47PM +, Michael Hare via juniper-nsp > wrote: > > show i

[j-nsp] port-mirror with source inside routing-instance type vrf

2022-10-11 Thread Michael Hare via juniper-nsp
Hello, Cluebats appreciated, I can contact JTAC on this but am trying to avoid the timesink of opening a case. Topic is filter based port mirroring for family inet with the wrinkle being that I'm trying to mirror traffic from inside "instance-type vrf". I've done this countless times before

Re: [j-nsp] bgp graceful-shutdown receiver

2022-05-07 Thread Michael Hare via juniper-nsp
ent: Friday, May 6, 2022 7:49 AM > To: juniper-nsp@puck.nether.net > Subject: Re: [j-nsp] bgp graceful-shutdown receiver > > > > On 4/18/22 17:24, Michael Hare via juniper-nsp wrote: > > Hello, > > > > Is anyone using "bgp graceful-shutdown receiver" success

[j-nsp] bgp graceful-shutdown receiver

2022-04-18 Thread Michael Hare via juniper-nsp
Hello, Is anyone using "bgp graceful-shutdown receiver" successfully out-of-the-box for eBGP peers without modifying their import policies to account for 65535:0? For example our production AS peers with lab AS over eBGP. Import policy on the production side sets local
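The interaction the question is about is term ordering: an import policy that sets local-preference will override whatever a GRACEFUL_SHUTDOWN (65535:0, RFC 8326) handling step set earlier. The explicit way to make this work is to put the graceful-shutdown term after the term that assigns the normal local-preference, so the value 0 is the one that survives. This is an added example, not the poster's policy; the policy, group, community names, peer AS and neighbor address are assumptions.

```junos
/* Added example, not the poster's configuration.  Names, peer-as and the
   neighbor address are assumptions for illustration. */
policy-options {
    community GRACEFUL_SHUTDOWN members 65535:0;
    policy-statement ebgp-lab-import {
        /* normal preference for this peer; no accept here, so evaluation
           continues into the following terms */
        term set-lp {
            then local-preference 200;
        }
        /* deliberately placed AFTER set-lp: a drained path gets 0 and the
           earlier assignment cannot win it back */
        term graceful-shutdown {
            from community GRACEFUL_SHUTDOWN;
            then local-preference 0;
        }
        term accept-all {
            then accept;
        }
    }
}
protocols {
    bgp {
        group ebgp-lab {
            type external;
            peer-as 65001;
            neighbor 192.0.2.2 {
                import ebgp-lab-import;
            }
        }
    }
}
```

To verify on the receiving side, have the lab peer announce a prefix with 65535:0 attached and check `show route receive-protocol bgp 192.0.2.2 detail` for the community, then `show route <prefix> extensive` for `Localpref: 0`. The same two commands are the check for the `graceful-shutdown receiver` knob the question asks about: if `Localpref` still shows your policy's value, the import policy is overriding the drained preference and needs a term like the one above.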

Re: [j-nsp] MX204 port 1G

2020-10-09 Thread Michael Hare via juniper-nsp
Just chiming in to agree with Tobias. Speed 1g definitely needed. Recently migrated from an mx104 to an mx204 with remote end being a different AS. Mx204 end was link up but remote end was not. In our case the diff in 'show int $x' output implied that the mx104's

Re: [j-nsp] BGP output queue priorities between RIBs/NLRIs

2020-07-28 Thread Michael Hare via juniper-nsp
I'm quite interested in this topic as I am in the same boat. I have problems similar to Rob in 18.3R3. We do have jtac support but I haven't contacted them; a time/priority issue so far. - "show bgp output-scheduler" is empty without top-level "protocols bgp

Re: [j-nsp] DDOS_PROTOCOL_VIOLATION on DHCP - and it's not configured?

2020-05-06 Thread Michael Hare via juniper-nsp
If you are absolutely certain you are not providing DHCP you could always set the punt rate to 1 and disable logging. Beware, this can be an awfully sharp sword. Ask me how I know! system { ddos-protection { protocols {

Re: [j-nsp] Trouble with 100G link MX204 <-> Dell S4100F-ON

2020-03-13 Thread Michael Hare via juniper-nsp
We haven't had 1G fiber problems yet, 18.3R3. I've had intermittent success with SFP-T at 1G, but they are third party pluggables. It sounds like you don't have a PR? But in case you do, I'm sure many (including our network) would benefit. -Michael > -Original

Re: [j-nsp] [EXT] firewall filter misses connected interface addresses

2019-12-10 Thread Michael Hare via juniper-nsp
Charles- This may be off mark but have you tried removing and re-adding the filter to your lo0.0 or doing a commit full? I have seen apply-groups inheritance issues in 16.1 that match the sort of issues you are having. I have experienced them both in BGP and firewall

Re: [j-nsp] Suggestions for Edge/Peering Router..

2019-09-23 Thread Michael Hare via juniper-nsp
Nikolas, I have been running into "committed config doesn't match operational reality" issues with JunOS since at least 16.1. I've seen this under protocol bgp, firewall filters, etc. My issues appear to be apply-group related. Are your affected BGP policies achieved via

Re: [j-nsp] EVPN - BGP attribute propagation on MXes

2019-07-05 Thread Michael Hare via juniper-nsp
Hello Guillermo- I had a somewhat similar issue. For me I was trying to add a normal bgp community in vrf-export to an E-VPN instance. This config caused RPD core dumps in 18.2 although it worked as I had hoped in 16.1. JTAC reported at the time: "... using vrf-export in EVPN instance with

Re: [j-nsp] RSVP-TE broken between pre and post 16.1 code?

2019-06-28 Thread Michael Hare via juniper-nsp
Adam- Have you accounted for this behavioral change? https://kb.juniper.net/InfoCenter/index?page=content=KB32883=print=LIST==currentpaging -Michael > -Original Message- > From: juniper-nsp On Behalf Of > adamv0...@netconsultings.com > Sent: Friday, June 28, 2019 9:16 AM > To:

Re: [j-nsp] Hyper Mode on MX

2019-03-10 Thread Michael Hare via juniper-nsp
backwards and a calculated risk to take. I disallow ICMP redirects via firewall filter. I'm academically curious why this is a requirement (allow icmp redirects to be sent) of hyper-mode. -Michael > -Original Message- > From: juniper-nsp On Behalf Of > Michael Hare via juniper-n

Re: [j-nsp] Hyper Mode on MX

2019-03-09 Thread Michael Hare via juniper-nsp
Saku/Franz- I admit I didn't know what vlan padding was going into enabling hyper mode (or frankly even this conversation) and made an educated guess at relative safety at the time based on lab work (simplified production test) and a slow production roll out. In case of the hyper mode

Re: [j-nsp] Hyper Mode on MX

2019-03-08 Thread Michael Hare via juniper-nsp
Franz- I have successfully used hyper mode on MPC4E in M2K for a few years with few regrets. I chose to do this as I didn't have the equipment to do line rate testing and I do a significant amount of counters on untrusted ports. As others have suggested, you need to know feature