Re: [j-nsp] remove-private for iBGP session

2015-09-28 Thread Cydon Satyr 
Version 11.4R7.5 and 12.3R6.6.
Configuration in lab is minimal - just peer IP, type internal,
local-address, and remove-private toward RR. Simple eBGP session toward
other end.

Thanks!

BR
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

[j-nsp] vSRX on KVM

2015-09-28 Thread Yuriy B. Borysov 
Hello!

Does someone use vSRX on the KVM in lab or in production?

Could you show example of XML config from working instance?

I'm trying to install according to this manual:

https://www.juniper.net/techpubs/en_US/vsrx15.1x49/topics/task/multi-task/security-vsrx-with-kvm-installing.html

but the system does not see any ge-* interface.

Thanks!


-- 
WBR, Yuriy B. Borysov
YOKO-UANIC | YOKO-RIPE  
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] vSRX on KVM

2015-09-28 Thread Maxwell Cole 
Hello,

How are you passing in the interfaces? A bridge or PCI-Passthrough? 

From my testing with the vSRX it won’t recognize any ge- interfaces unless you 
pass at least 3 interfaces in. This is true on both KVM and ESXi, which makes 
me think that they silently (Or at least quietly) abort adding interfaces 
unless it has the required minimum of 3. I have also noticed that it helps to 
pass in all 3 interfaces in the same “model” type regardless of the source 
driver or interface. Also note that after you start up the VM it can take 2-3 
minutes after the control plane becomes accessible before the ge- interfaces 
get added. 

Here is the relevant config I have working. I’ve had the most success passing 
them in as e1000. The first network “default” is just a simple 1g bridge 
interface and the other two are Intel SR-IVO passthrough networks. I was able 
to get it up and running just by creating a bridge and adding them to it via 
[].


   
  
  
  


  
  
  


  
  
  


#virsh net-dumpxml pnetwork

  pnetwork
  [snip]
  

















  


Hope that helps,

Cheers,

> On Sep 28, 2015, at 12:51 PM, Yuriy B. Borysov  
> wrote:
> 
> Hello!
> 
> Does someone use vSRX on the KVM in lab or in production?
> 
> Could you show example of XML config from working instance?
> 
> I'm trying to install according to this manual:
> 
> https://www.juniper.net/techpubs/en_US/vsrx15.1x49/topics/task/multi-task/security-vsrx-with-kvm-installing.html
> 
> but the system does not see any ge-* interface.
> 
> Thanks!
> 
> 
> -- 
> WBR, Yuriy B. Borysov
> YOKO-UANIC | YOKO-RIPE
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

[j-nsp] vme.0 IPV6 management IP on QFX5100

2015-09-28 Thread Franz Georg Köhler 

Hello,


I'm trying to set up IPV6 management IP on QFX 5100 VCF.
IPV6 is not reachable from the outside, while IPV4 works.
The switch can ping itsself but does not see any IPV6 neighbors.

Any idea what goes wrong here?

> show configuration interfaces vme
unit 0 {
family inet {
address x.x.x.22/30;
}
family inet6 {
address x:x:x:x::46/64 {
primary;
preferred;
}
}
}
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

[j-nsp] No IFL found...

2015-09-28 Thread Alireza Soltanian 
Hi everybody

 

A couple of days ago, I sent an email about GRE Keepalive on M10/M20.

I did some more tests on this case. I am using PE-Tunnel on M10/M20. Tunnel
can be configured and works fine but when I try to configure GRE Keepalive
via oam and check the statistics about it I received an error about IFL not
found.

I don't have this issue on M320 with PC-Tunnel.

IS anybody here familiar with this issue?

 

Thank you

Alireza

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] EX4300 and full-duplex-only

2015-09-28 Thread Phil Mayers 

On 28/09/15 11:52, Jackson, William wrote:

The ex3300 does not have this limitation.



FWIW, Juniper have come back and said this is a firmware limitation in 
the PHY. Apparently it's some sort of feature conflict or code space 
issue w.r.t. MACSEC, and there is some vague possibility of a release 
with an either/or MACSEC/half-duplex in the future.


:o/

Agree the 3300 has no such limitation.
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] EX4300 and full-duplex-only

2015-09-28 Thread Jackson, William 
The ex3300 does not have this limitation.


William Jackson

Gibtelecom 
Email: william.jack...@gibtele.com 

-Original Message-
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of 
Frank Sweetser
Sent: 23 September 2015 18:05
To: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] EX4300 and full-duplex-only

On 09/23/2015 09:47 AM, Phil Mayers wrote:
> If you mean "why it's only duplex limitations", I'm guessing the 
> device is missing the collision-detect/retransmit hardware for cost 
> reasons. 10/half is pretty rare these days and, in theory, they're 
> pitched as a datacentre device (though we have an IBM tape library which is 
> 10/half on it's management port).

When I first saw the details about the EX4300, my initial reaction was that it 
was built as a low cost 1Gb dongle for QFabric.

> You can force the link up by disabling autoneg, but that comes up 
> duplex-mismatched - 10/full at the EX end, 10/half at the device end.
>
> All very disappointing; we did not think to specify "must comply with 
> IEEE 802.3" in the RFP :o/


Even putting it in wouldn't have helped unless you verified it yourself anyway
- they list 802.3 support on page 19 of the data sheet:

http://www.juniper.net/assets/us/en/local/pdf/datasheets/1000467-en.pdf

That said, does anyone know if the EX3300 switches suffer from this same design 
decision?

-- 
Frank Sweetser fs at wpi.edu|  For every problem, there is a solution that
Manager of Network Operations   |  is simple, elegant, and wrong.
Worcester Polytechnic Institute |   - HL Mencken
___
juniper-nsp mailing list juniper-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] purpose of "commit check"?

2015-09-28 Thread Brad Fleming 
I use it to make sure another admin hasn’t made changes overtop of mine. Also, 
I believe commit check can help in situations where you are using “edit 
private”.


> On Sep 28, 2015, at 4:24 PM, Martin T  wrote:
> 
> Hi,
> 
> when I commit the candidate configuration in Junos, I tend to execute
> "commit check" and if configuration check succeeds, then I execute
> "commit comment ". However, when I think about it, "commit
> (comment)" itself should perform those very same checks that "commit
> check" does. If yes, then what is the point of "commit check"? Only
> purpose I could see is to check the validity of the candidate
> configuration in the middle of the configuration process, i.e. to
> check if the changes made in candidate configuration so far are fine
> but the candidate configuration is not ready to be committed.
> 
> 
> thanks,
> Martin
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] purpose of "commit check"?

2015-09-28 Thread Harald F. Karlsen 



On 28.09.2015 23:24, Martin T wrote:

Hi,

when I commit the candidate configuration in Junos, I tend to execute
"commit check" and if configuration check succeeds, then I execute
"commit comment ". However, when I think about it, "commit
(comment)" itself should perform those very same checks that "commit
check" does. If yes, then what is the point of "commit check"? Only
purpose I could see is to check the validity of the candidate
configuration in the middle of the configuration process, i.e. to
check if the changes made in candidate configuration so far are fine
but the candidate configuration is not ready to be committed.



You can use "commit check" to confirm a "commit confirmed" action. That 
way you don't create a new configuration file in your rollback log every 
time you cancel a pending rollback.


--
Harald
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

[j-nsp] purpose of "commit check"?

2015-09-28 Thread Martin T 
Hi,

when I commit the candidate configuration in Junos, I tend to execute
"commit check" and if configuration check succeeds, then I execute
"commit comment ". However, when I think about it, "commit
(comment)" itself should perform those very same checks that "commit
check" does. If yes, then what is the point of "commit check"? Only
purpose I could see is to check the validity of the candidate
configuration in the middle of the configuration process, i.e. to
check if the changes made in candidate configuration so far are fine
but the candidate configuration is not ready to be committed.


thanks,
Martin
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] purpose of "commit check"?

2015-09-28 Thread Masood Ahmad Shah 
Hi - "commit check" is just there to verify the syntax and integrity of the
configuration, but do not activate it. Pretty self explanatory as you
already explained it :-)

On Tue, Sep 29, 2015 at 7:24 AM, Martin T  wrote:

> Hi,
>
> when I commit the candidate configuration in Junos, I tend to execute
> "commit check" and if configuration check succeeds, then I execute
> "commit comment ". However, when I think about it, "commit
> (comment)" itself should perform those very same checks that "commit
> check" does. If yes, then what is the point of "commit check"? Only
> purpose I could see is to check the validity of the candidate
> configuration in the middle of the configuration process, i.e. to
> check if the changes made in candidate configuration so far are fine
> but the candidate configuration is not ready to be committed.
>
>
> thanks,
> Martin
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] purpose of "commit check"?

2015-09-28 Thread Aaron Dewell 

Yes, the commit will fail if commit check would have also failed.  I tend to 
use commit check as a check on myself when I’ve done a big cut-and-paste, or 
when creating a bunch of objects.  The time to fail of commit check is less 
than commit if there are discrepancies.  

On Sep 28, 2015, at 3:32 PM, Brad Fleming  wrote:
> I use it to make sure another admin hasn’t made changes overtop of mine. 
> Also, I believe commit check can help in situations where you are using “edit 
> private”.
> 
> 
>> On Sep 28, 2015, at 4:24 PM, Martin T  wrote:
>> 
>> Hi,
>> 
>> when I commit the candidate configuration in Junos, I tend to execute
>> "commit check" and if configuration check succeeds, then I execute
>> "commit comment ". However, when I think about it, "commit
>> (comment)" itself should perform those very same checks that "commit
>> check" does. If yes, then what is the point of "commit check"? Only
>> purpose I could see is to check the validity of the candidate
>> configuration in the middle of the configuration process, i.e. to
>> check if the changes made in candidate configuration so far are fine
>> but the candidate configuration is not ready to be committed.
>> 
>> 
>> thanks,
>> Martin
>> ___
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] purpose of "commit check"?

2015-09-28 Thread Graham Brown 
I echo what Harald mentions, I also follow with 'commit check' after using
'commit confirmed <> comment <> | display detail | no-more'

The | display detail is very handy when dealing with SRX with huge
configurations or in clusters that can take a worrying amount of time to
complete (especially at 03:00).

HTH,
Graham

Graham Brown
Twitter - @mountainrescuer 
LinkedIn 

On 29 September 2015 at 10:37, Harald F. Karlsen  wrote:

>
>
> On 28.09.2015 23:24, Martin T wrote:
>
>> Hi,
>>
>> when I commit the candidate configuration in Junos, I tend to execute
>> "commit check" and if configuration check succeeds, then I execute
>> "commit comment ". However, when I think about it, "commit
>> (comment)" itself should perform those very same checks that "commit
>> check" does. If yes, then what is the point of "commit check"? Only
>> purpose I could see is to check the validity of the candidate
>> configuration in the middle of the configuration process, i.e. to
>> check if the changes made in candidate configuration so far are fine
>> but the candidate configuration is not ready to be committed.
>>
>>
> You can use "commit check" to confirm a "commit confirmed" action. That
> way you don't create a new configuration file in your rollback log every
> time you cancel a pending rollback.
>
> --
> Harald
>
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp