[j-nsp] mx304 alarm seen after junos upgrade

2024-02-29 Thread Aaron Gould via juniper-nsp

Anyone ever seen this alarm on an MX304 following a Junos upgrade?

I went from ...

22.2R3-S1.9 - initially had this
22.4R2-S2.6 - upgrade
23.2R1-S2.5 - final

now with 23.2R1-S2.5, i have an issue with more than one, 100g interfaces 
being able to operate.  I have a 100g on et-0/0/4 and another one on 
et-0/0/12... BUT, they won't both function at the same time.  4 works, 
12 doesn't... reboot mx304, 4 doesn't work, but 12 does. Very weird.


root@304-1> show system alarms
6 alarms currently active
Alarm time               Class  Description
2024-02-29 06:00:25 CST  Minor  200 ADVANCE Bandwidth (in gbps)s(315) require a license
2024-02-29 06:00:25 CST  Minor  OSPF protocol(282) usage requires a license
2024-02-29 06:00:25 CST  Minor  LDP Protocol(257) usage requires a license
2024-02-28 09:35:10 CST  Minor *FPC 0 firmware outdated*
2024-02-28 09:29:45 CST  Major  Host 0 fxp0 : Ethernet Link Down
2024-02-28 09:28:15 CST  Major  Management Ethernet Links Down


root@304-1> show chassis alarms
3 alarms currently active
Alarm time               Class  Description
2024-02-28 09:35:10 CST  Minor *FPC 0 firmware outdated*
2024-02-28 09:29:45 CST  Major  Host 0 fxp0 : Ethernet Link Down
2024-02-28 09:28:15 CST  Major  Management Ethernet Links Down


--
-Aaron
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] igmp snooping layer 2 querier breaks ospf in other devices

2024-02-15 Thread Aaron Gould via juniper-nsp
At this point I opted for a different design.  I no longer have the 
mcast clients gathered into a vlan, which requires igmp snooping.  I 
changed the mcast client ports to be L3.  I just assign a /30 to each 
mcast client interface on the ACX5048. This way there is no need for 
igmp snooping.  A bit more up-front administration of ip subnets, but 
it's ok, and it's RFC 1918 so I have plenty.


JTAC didn't find anything in the rsi and logs to be able to determine a 
problem, and also told me my Junos is EoL... of course it is. I'll be 
upgrading soon right around the time I implement IPv6.  lol


thanks y'all

-Aaron



Re: [j-nsp] igmp snooping layer 2 querier breaks ospf in other devices

2024-02-02 Thread Aaron Gould via juniper-nsp
thanks for this... i think i misunderstood the use of l2-querier from a 
previous project i worked on, and put it here where i really didn't need 
it.  moving forward i will only use igmp snooping in the vlan, and not 
the l2-querier option.  but with all that said, i still don't understand 
why ospf inside an l2circuit is affected by my pim/igmp configs ... 
furthermore, why it breaks in the field and works in the lab



-Aaron


On 2/2/2024 10:32 AM, Crist Clark wrote:
I thought this was asked, but don’t recall an answer, what’s the point 
of turning on a querier if the switch is already a PIM router? You 
don’t need an IGMP snooping querier if it’s a multicast router.



On Fri, Feb 2, 2024 at 8:21 AM Aaron Gould via juniper-nsp wrote:


I tried to recreate the scenario in my lab with no success

21.2R3-S4.8 - in lab - problem not seen
20.2R3-S7.3 - in lab - problem not seen
19.2R3-S6.1 - in lab - problem not seen
18.3R3-S6.1 - in lab - problem not seen
17.4R2-S11  - in lab - problem not seen

17.4R2-S11  - in field - problem seen


again, the problem is, when i enabled this command...

set protocols igmp-snooping vlan vlan100 l2-querier source-address 10.100.4.1

...a customer riding an l2circuit on ge-0/0/2 report to me that their
multicast stops working... ospf goes down and stays in INIT...

when i remove all pim and igmp, then there OSPF neighbors up and
stabilizes

i just don't know how running igmp inside vlan 100 with ports
ge-0/0/4,
5 and 6 would have anything to do with an l2circuit on ge-0/0/2


-Aaron



--
-Aaron


Re: [j-nsp] igmp snooping layer 2 querier breaks ospf in other devices

2024-02-02 Thread Aaron Gould via juniper-nsp
Thanks Aditya, here's my re-creation of this scenario in my lab... but 
it works with the pim/igmp config that i have, and the ospf neighboring 
over the l2circuit continues to work.  isn't ospf 224 packets "hidden" 
inside encapsulation over l2circuit?  how would pfe in 5048 use 224 
routes seen in inet.0 and inet.1 for l2circuits?



-Aaron


me@lab-5048-2> show route 224/8


inet.0: 846 destinations, 847 routes (846 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

224.0.0.2/32   *[PIM/0] 16:56:50
  MultiRecv
    [LDP/9] 16:56:47, metric 1
  MultiRecv
224.0.0.5/32   *[OSPF/10] 16:56:52, metric 1
  MultiRecv
224.0.0.13/32  *[PIM/0] 16:56:50
  MultiRecv
224.0.0.22/32  *[IGMP/0] 16:55:29
  MultiRecv

inet.1: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

224.0.0.0/24   *[Multicast/180] 16:56:46
  MultiDiscard

me@lab-5048-2> show route table l2circuit.0

l2circuit.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

...

10.123.12.240:NoCtrlWord:5:2056:Local/96
   *[L2CKT/7] 16:55:35, metric2 2
    > to 10.123.14.9 via xe-0/0/0.0, Push 64741

10.123.12.240:NoCtrlWord:5:2056:Remote/96
   *[LDP/9] 16:55:35
  Discard







On 2/2/2024 10:25 AM, Aditya Mahale wrote:
When you enabled pim multicast routes are added to the pfe, this is 
mostly breaking ospf over l2 ckt because these packets are mostly now 
matching the default 224 routes added to pfe . Without having any show 
commands or rtsockmon it’s difficult to debug anything


-Aditya
Google

On Fri, Feb 2, 2024 at 8:21 AM Aaron Gould via juniper-nsp wrote:


I tried to recreate the scenario in my lab with no success

21.2R3-S4.8 - in lab - problem not seen
20.2R3-S7.3 - in lab - problem not seen
19.2R3-S6.1 - in lab - problem not seen
18.3R3-S6.1 - in lab - problem not seen
17.4R2-S11  - in lab - problem not seen

17.4R2-S11  - in field - problem seen


again, the problem is, when i enabled this command...

set protocols igmp-snooping vlan vlan100 l2-querier source-address 10.100.4.1

...a customer riding an l2circuit on ge-0/0/2 report to me that their
multicast stops working... ospf goes down and stays in INIT...

when i remove all pim and igmp, then there OSPF neighbors up and
stabilizes

i just don't know how running igmp inside vlan 100 with ports
ge-0/0/4,
5 and 6 would have anything to do with an l2circuit on ge-0/0/2


-Aaron



--
-Aaron


Re: [j-nsp] igmp snooping layer 2 querier breaks ospf in other devices

2024-02-02 Thread Aaron Gould via juniper-nsp

I tried to recreate the scenario in my lab with no success

21.2R3-S4.8 - in lab - problem not seen
20.2R3-S7.3 - in lab - problem not seen
19.2R3-S6.1 - in lab - problem not seen
18.3R3-S6.1 - in lab - problem not seen
17.4R2-S11  - in lab - problem not seen

17.4R2-S11  - in field - problem seen


again, the problem is, when i enabled this command...

set protocols igmp-snooping vlan vlan100 l2-querier source-address 10.100.4.1


...a customer riding an l2circuit on ge-0/0/2 report to me that their 
multicast stops working... ospf goes down and stays in INIT...


when i remove all pim and igmp, then their OSPF neighbors up and stabilizes

i just don't know how running igmp inside vlan 100 with ports ge-0/0/4, 
5 and 6 would have anything to do with an l2circuit on ge-0/0/2



-Aaron



Re: [j-nsp] igmp snooping layer 2 querier breaks ospf in other devices

2024-02-01 Thread Aaron Gould via juniper-nsp

thanks and yes, working on it

i've done my best to recreate this scenario in my lab...

21.2R3-S4.8 - in lab - problem not seen
20.2R3-S7.3 - in lab - downgraded an hour ago - problem not seen
19.2R3-S6.1 - in lab - downgrading now... will let you know... if good, 
will continue

18.3R3-S6.1 - will move to this if problem not seen in 19.2
17.4R2-S11  - will move to this if problem not seen in 18.3...this 17.4 
is what is in the field



-Aaron


On 2/1/2024 3:15 PM, Karsten Thomann wrote:

Hi Aaron,

as you're using a 3,5 years old junos, is it possible to upgrade and check if
the problem is fixed in a newer version?
The latest is from March 2022, but I would still expect some bug fixing.
Maybe there is something wrong in the programming of the hardware...

Kind regards
Karsten

On Thursday, 1 February 2024, 19:41:12 CET, Aaron Gould via juniper-nsp wrote:

does this help?

ACX5048
- port ge-0/0/4 - vlan 100 - multicast listener/client
- port ge-0/0/5 - vlan 100 - multicast listener/client
- port ge-0/0/6 - vlan 100 - multicast listener/client
- irb.100 routes that vlan - runs pim/igmp/igmp-snooping l2-querier
- xe-0/0/0 - an uplink port running pim to route ssm multicast joins to
the multicast sender
- port ge-0/0/2 is mapped to an l2circuit over mpls to some remote location
--- i don't see ge-0/0/2 related at all to the vlan 100 where i run
multicast

-Aaron

On 2/1/2024 8:19 AM, Andrey Kostin wrote:

Hi Aaron,

It's not clear from your explanation where l2circuits with ospf are
connected and how they are related to this irb/vlan.
Do you really need a querier in this case? IIRC, querier is needed
when only hosts are present on LAN and a switch has to send igmp
queries. In your case, you have a router with irb interface that
should work as igmp querier by default. Not sure if it helps though.

Kind regards,
Andrey

Aaron Gould via juniper-nsp wrote on 2024-01-31 14:54:

I'm having an issue where igmp snooping layer 2 querier breaks ospf in
other devices which are in l2circuits

Has anyone ever come across this issue, and have a work-around for it?

I have the following configured and devices in vlan 100 can join
multicast just fine.  But there are other unrelated l2circuits that
carry traffic for devices in other vlans and inside this l2circuit is
ospf hellos that seem to be getting broken by this configuration

set interfaces irb unit 100 family inet address 10.100.4.1/27
set protocols ospf area 0.0.0.1 interface irb.100 passive
set protocols igmp interface irb.100 version 3
set protocols pim interface irb.100
set protocols igmp-snooping vlan vlan100 l2-querier source-address 10.100.4.1

Model: acx5048
Junos: 17.4R2-S11





--
-Aaron



Re: [j-nsp] igmp snooping layer 2 querier breaks ospf in other devices

2024-02-01 Thread Aaron Gould via juniper-nsp

does this help?

ACX5048
- port ge-0/0/4 - vlan 100 - multicast listener/client
- port ge-0/0/5 - vlan 100 - multicast listener/client
- port ge-0/0/6 - vlan 100 - multicast listener/client
- irb.100 routes that vlan - runs pim/igmp/igmp-snooping l2-querier
- xe-0/0/0 - an uplink port running pim to route ssm multicast joins to 
the multicast sender

- port ge-0/0/2 is mapped to an l2circuit over mpls to some remote location
--- i don't see ge-0/0/2 related at all to the vlan 100 where i run 
multicast


-Aaron

On 2/1/2024 8:19 AM, Andrey Kostin wrote:

Hi Aaron,

It's not clear from your explanation where l2circuits with ospf are 
connected and how they are related to this irb/vlan.
Do you really need a querier in this case? IIRC, querier is needed 
when only hosts are present on LAN and a switch has to send igmp 
queries. In your case, you have a router with irb interface that 
should work as igmp querier by default. Not sure if it helps though.


Kind regards,
Andrey

Aaron Gould via juniper-nsp wrote on 2024-01-31 14:54:


I'm having an issue where igmp snooping layer 2 querier breaks ospf in
other devices which are in l2circuits

Has anyone ever come across this issue, and have a work-around for it?

I have the following configured and devices in vlan 100 can join
multicast just fine.  But there are other unrelated l2circuits that
carry traffic for devices in other vlans and inside this l2circuit is
ospf hellos that seem to be getting broken by this configuration

set interfaces irb unit 100 family inet address 10.100.4.1/27
set protocols ospf area 0.0.0.1 interface irb.100 passive
set protocols igmp interface irb.100 version 3
set protocols pim interface irb.100
set protocols igmp-snooping vlan vlan100 l2-querier source-address 10.100.4.1


Model: acx5048
Junos: 17.4R2-S11



--
-Aaron



[j-nsp] igmp snooping layer 2 querier breaks ospf in other devices

2024-01-31 Thread Aaron Gould via juniper-nsp

I'm having an issue where igmp snooping layer 2 querier breaks ospf in other 
devices which are in l2circuits

Has anyone ever come across this issue, and have a work-around for it?

I have the following configured and devices in vlan 100 can join multicast just 
fine.  But there are other unrelated l2circuits that carry traffic for devices 
in other vlans and inside this l2circuit is ospf hellos that seem to be getting 
broken by this configuration

set interfaces irb unit 100 family inet address 10.100.4.1/27
set protocols ospf area 0.0.0.1 interface irb.100 passive
set protocols igmp interface irb.100 version 3
set protocols pim interface irb.100
set protocols igmp-snooping vlan vlan100 l2-querier source-address 10.100.4.1

Model: acx5048
Junos: 17.4R2-S11



--
-Aaron



Re: [j-nsp] Thanks for all the fish

2024-01-10 Thread Aaron Gould via juniper-nsp

https://newsroom.juniper.net/news/news-details/2024/HPE-to-Acquire-Juniper-Networks-to-Accelerate-AI-Driven-Innovation/

an MX with an HP label on it will seem so weird


On 1/9/2024 2:55 AM, Saku Ytti via juniper-nsp wrote:

What do we think of HPE acquiring JNPR?


I guess it was given that something's gotta give, JNPR has lost to
dollar as an investment for more than 2 decades, which is not
sustainable in the way we model our economy.

Out of all possible outcomes:
- JNPR suddenly starts to grow (how?)
- JNPR defaults
- JNPR gets acquired

It's not the worst outcome, and from who acquires them, HPE isn't the
worst option, nor the best. I guess the best option would have been,
several large telcos buying it through a co-owned sister company, who
then are less interested in profits, and more interested in having a
device that works for them. Worst would probably have been Cisco,
Nokia, Huawei.

I think the main concern is that SP business is kinda shitty business,
long sales times, low sales volumes, high requirements. But that's
also the side of JNPR that has USP.

What is the future of NPU (Trio) and Pipeline (Paradise/Triton), why
would I, as HP exec, keep them alive? I need JNPR to put QFX in my DC
RFPs, I don't really care about SP markets, and I can realise some
savings by axing chip design and support. I think Trio is the best NPU
on the market, and I think we may have a real risk losing it, and no
mechanism that would guarantee new players surfacing to replace it.

I do wish that JNPR had been more serious about how unsustainable it
is to lose to the dollar, and had tried more to capture markets. I
always suggested why not try Trio-PCI in newegg. Long tail is long,
maybe if you could buy it for 2-3k, there would be a new market of
Linux PCI users who want wire rate programmable features for multiple
ports? Maybe ESXi server integration for various pre-VPC protection
features at wire-rate? I think there might be a lot of potential in
NPU-PCI, perhaps even FAB-PCI, to have more ports than single NPU-PCI.


--
-Aaron



Re: [j-nsp] MX304 - Edge Router

2023-10-26 Thread Aaron Gould via juniper-nsp
After tshooting with JTAC yesterday, they've determined the built-in FPC 
to be a problem.  They are doing RMA.


Strange that when the 60-day trial license expired, I decided to reboot 
to see what would happen.  I rebooted "request system reboot 
both-routing-engines" and that's when the router never worked after 
that.  Strange that this would "fry" the FPC.  Maybe there was already 
something wrong with it... I don't know. Perhaps I'll try to reproduce 
it after the new chassis comes back.


-Aaron

I wonder if the "request vmhost reboot routing-engine both" would've 
done anything differently





Re: [j-nsp] MX304 - Edge Router

2023-10-25 Thread Aaron Gould via juniper-nsp

22.2R3.15

On 10/25/2023 7:50 AM, Richard McGovern wrote:


Aaron, what version of Junos are you using on your MX304? This should 
NOT happen and if it did/is, then I suggest you open a Case with JTAC. 
Minimally your account team should be able to get you a temp license 
to work-around this until resolved.





Re: [j-nsp] MX304 - Edge Router

2023-10-24 Thread Aaron Gould via juniper-nsp
My MX304 trial license expired last night, after rebooting the MX304, 
various protocols no longer work.  This seems more than just 
honor-based... ospf, ldp, etc, no longer function.  This is new to me; 
that Juniper is making protocols and technologies tied to license.  I 
need to understand more about this, as I'm considering buying MX304's.


-Aaron

On 10/24/2023 4:18 AM, Karl Gerhard via juniper-nsp wrote:

On 18/10/2023 18:55, Tom Beecher via juniper-nsp wrote:

Juniper licensing is honor based. Won't impact functionality, will
just grump at you on commits.




Re: [j-nsp] MX304 - Edge Router

2023-10-19 Thread Aaron Gould via juniper-nsp

my tab and spacebar auto-complete is working...22.2R3.15

{master}
me@mx304> show system information
Model: mx304
Family: junos
Junos: 22.2R3.15
Hostname: mx304



On 10/18/2023 11:11 PM, Mark Tinka via juniper-nsp wrote:



On 10/18/23 19:05, Chris Wopat via juniper-nsp wrote:


Only complaint is Junos related, with auto tab complete problems as
extensively discussed in a different thread.


I have an update on that...

Our request was granted, and Juniper are initially targeting to fix 
this in Junos 24.1. However, there are ongoing discussions to 
introduce this into 23.3R2.


So we may soon see the back of this.

Mark.


--
-Aaron



Re: [j-nsp] Telemetry in the ACX7100-48L

2023-07-13 Thread Aaron Gould via juniper-nsp
I'm starting to wonder if this has something to do with different 
telemetry models/methodologies.  Forgive me as I forget the correct 
terminology, but, I think the MX960 sending native telem models, seems 
to be always-on... and I'm wondering if the ACX7100 is more based on the 
grpc subscription model, whereas the collector needs to subscribe to the 
agent/sensor running on the ACX7100, then the telemetry data is 
streamed, and possibly in openconfig format.






[j-nsp] Telemetry in the ACX7100-48L

2023-07-13 Thread Aaron Gould via juniper-nsp
Anyone done telemetry in the ACX7100-48L?  Before I start talking about 
the ACX7100, I'll say that I do have MX960's successfully sending 
telemetry data to this collector, and it automatically displays in the 
web gui front-end.  (I actually use chronograf instead of grafana)


Now, the ACX7100... I've tried various things... I can only get this 
sensor resource string to produce any sort of telemetry data.


I see the data arriving at my telemetry collector machine (TIG stack), 
but not showing up on the web interface (chronograf)


...config on ACX7100-48L

set services analytics streaming-server my-grafana-srvr-netmon08 remote-address 172.122.14.159
set services analytics streaming-server my-grafana-srvr-netmon08 remote-port 5
set services analytics export-profile my-exprt-prfl local-address 10.11.12.237
set services analytics export-profile my-exprt-prfl local-port 12237
set services analytics export-profile my-exprt-prfl reporting-rate 1
set services analytics export-profile my-exprt-prfl format gpb
set services analytics export-profile my-exprt-prfl transport udp
set services analytics sensor my-sensor-23 server-name my-grafana-srvr-netmon08
set services analytics sensor my-sensor-23 export-name my-exprt-prfl
set services analytics sensor my-sensor-23 resource /lacp/interfaces/interface/members/member/state/counters/lacp-in-pkts



...seen on my telem collector

ngrep host 10.11.12.237

U 10.11.12.237:12237 -> 172.122.14.159:5 #218
  ..eng-lab-7100-2.."..my-sensor-23:/lacp/interfaces/inte
  rface/members/member/state/counters/lacp-in-pkts/:/lacp/int
  erfaces/interface/members/member/state/counters/lacp-in-pkt
  s/:re0/lacpd($0.18.@...2..+..(..%...ae100.e
  t-0/0/49..w

I'm wondering if this has something to do with maybe my MX960's sending 
native/vendor-specific Juniper telemetry data, but the ACX7100 may not 
be... like I think it's OpenConfig version of telem data.  And so maybe 
my collector isn't displaying it and maybe there are more than one 
issue I'm having, unsure.


I've tried these other formats and i didn't see any data arrive at the 
collector at all...



me@acx7100# set services analytics export-profile my-exprt-prfl format ?
Possible completions:
  gpb  Use gpb format
  gpb-gnmi Use gnmi format for gpb messages
  gpb-sdm  Use gpb self-describing-message format
  json-gnmi    Use gnmi format for json messages
[edit]

i've tried remote-port 50020, and nothing...


--
-Aaron
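
Added example (not part of the original post, and not Juniper's or the collector's code): a schema-less walk of the protobuf wire format that can be pointed at the UDP payload a collector receives from a "format gpb" export, to see which field numbers and nested messages the datagram carries before deciding which decoder the collector needs. The sample datagram, its field numbers and the helper names are constructed for illustration and are not the Junos schema.

```python
"""Schema-less walk of the protobuf wire format for one telemetry datagram."""
WIRE_VARINT, WIRE_I64, WIRE_LEN, WIRE_I32 = 0, 1, 2, 5
MAX_DEPTH = 8  # stop recursing on hostile or accidental deep nesting

def read_varint(buf, pos):
    """Decode a base-128 varint at pos; return (value, next_pos)."""
    value = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")

def parse_fields(buf):
    """Return [(field_number, wire_type, value)]; ValueError if not protobuf."""
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        number, wtype = key >> 3, key & 7
        if number == 0:
            raise ValueError("field number 0 is not valid")
        if wtype == WIRE_VARINT:
            value, pos = read_varint(buf, pos)
        elif wtype in (WIRE_I64, WIRE_I32, WIRE_LEN):
            if wtype == WIRE_LEN:
                size, pos = read_varint(buf, pos)
            else:
                size = 8 if wtype == WIRE_I64 else 4
            if pos + size > len(buf):
                raise ValueError(f"field {number} runs past end of datagram")
            value, pos = buf[pos:pos + size], pos + size
        else:
            raise ValueError(f"unsupported wire type {wtype}")
        fields.append((number, wtype, value))
    return fields

def as_text(raw):
    """Return raw as str if it is non-empty printable UTF-8, else None."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text and text.isprintable() else None

def describe(buf, depth=0):
    """Render fields as indented lines, guessing string vs nested message."""
    pad, lines = "  " * depth, []
    for number, wtype, value in parse_fields(buf):
        label, nested = f"{pad}{number}: ", None
        if wtype == WIRE_VARINT:
            lines.append(f"{label}varint {value}")
        elif wtype != WIRE_LEN:
            lines.append(f"{label}fixed{len(value) * 8} {value.hex()}")
        elif as_text(value) is not None:
            lines.append(f"{label}string {as_text(value)!r}")
        else:
            try:
                nested = describe(value, depth + 1) if depth < MAX_DEPTH else None
            except ValueError:
                pass  # not a nested message: fall back to a hex dump
            lines.append(label + ("message" if nested else f"bytes {value.hex()}"))
            lines.extend(nested or [])
    return lines

def enc_varint(n):
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)

def enc_field(number, value):
    """Encode an int as a varint field, str/bytes as a length-delimited one."""
    if isinstance(value, int):
        return enc_varint(number << 3 | WIRE_VARINT) + enc_varint(value)
    raw = value.encode() if isinstance(value, str) else value
    return enc_varint(number << 3 | WIRE_LEN) + enc_varint(len(raw)) + raw

# Constructed sample datagram. Field numbers and nesting are arbitrary and are
# NOT the Junos schema; only the hostname and sensor path come from the post.
SAMPLE = (
    enc_field(1, "eng-lab-7100-2")
    + enc_field(2, "my-sensor-23:/lacp/interfaces/interface/members/member"
                   "/state/counters/lacp-in-pkts/")
    + enc_field(3, 218)
    + enc_field(16, enc_field(1, 42) + enc_field(2, "ae100"))
)

if __name__ == "__main__":
    print("\n".join(describe(SAMPLE)))
```

On a collector, pass describe() the bytes returned by socket.recvfrom() on the export's UDP port; a ValueError means the payload is not plain protobuf at the top level.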



Re: [j-nsp] ACX7100-48L

2023-06-12 Thread Aaron Gould via juniper-nsp

I might be hitting PR1664302

keep in mind, I have another 7100 racked right beside this one with no 
problems


me@lab-7100-2> show log messages | grep "cooling|shutdown"
...
Jun  8 20:23:23  eng-lab-7100-2 hwdre: HWD_COOLING_FIRE_SHUTDOWN_INIT: Cooling zone fire action initiated !!
Jun  8 20:23:23  eng-lab-7100-2 hwdre: HWD_COOLING_FIRE_SHUTDOWN_SENSOR: Sensor /Chassis[0]/Fpc[0] Sensor J2 Max Reading crossed fire threshold temp value 136, driving chassis to shutdown


but i just now had someone pull the power cords since i couldn't console 
in... so I don't know if this reboot reason is from the power cord pull 
or the previous high temp shutdown PR condition


me@lab-7100-2> show chassis routing-engine | grep reboot
    Last reboot reason power cycle

interestingly, the PR is said to be fixed in 22.2R2-EVO, wouldn't that 
follow that it should be fixed in my version? 22.2R3.13-EVO


me@lab-7100-2> show version
...
Junos: 22.2R3.13-EVO


-Aaron


On 6/7/2023 2:29 PM, Roger Wiklund wrote:

Hi

Some generic pointers here:
Checklist for Collecting Crash Data - TechLibrary - Juniper Networks 
<https://www.juniper.net/documentation/en_US/junos/topics/task/troubleshooting/crash-data-collection-checklist.html>


show chassis routing-engine
What does "last reboot reason say"?

I would upgrade to 22.2R3, it's working fine for us so far.

Regards
Roger



On Wed, Jun 7, 2023 at 9:18 PM Aaron Gould via juniper-nsp wrote:


I had a ACX7100-48L suddenly go down in my lab.  Is there a way to
find
the cause of it going down?

agould@eng-lab-7100-2> show system information
Model: ACX7100-48L
Family: junos
Junos: 22.2R1.12-EVO
Hostname: eng-lab-7100-2

agould@eng-lab-7100-2> show system core-dumps
re0:
--

agould@eng-lab-7100-2> file ls /var/crash
/var/crash: No such file or directory

agould@eng-lab-7100-2>



-- 
-Aaron




--
-Aaron


Re: [j-nsp] ACX7100-48L

2023-06-07 Thread Aaron Gould via juniper-nsp
darn, i should've checked that before upgrading/rebooting to 22.2R3, 10 
mins ago


-Aaron

On 6/7/2023 2:29 PM, Roger Wiklund wrote:

Hi

Some generic pointers here:
Checklist for Collecting Crash Data - TechLibrary - Juniper Networks 
<https://www.juniper.net/documentation/en_US/junos/topics/task/troubleshooting/crash-data-collection-checklist.html>


show chassis routing-engine
What does "last reboot reason say"?

I would upgrade to 22.2R3, it's working fine for us so far.

Regards
Roger



On Wed, Jun 7, 2023 at 9:18 PM Aaron Gould via juniper-nsp wrote:


I had a ACX7100-48L suddenly go down in my lab.  Is there a way to
find
the cause of it going down?

agould@eng-lab-7100-2> show system information
Model: ACX7100-48L
Family: junos
Junos: 22.2R1.12-EVO
Hostname: eng-lab-7100-2

agould@eng-lab-7100-2> show system core-dumps
re0:
--

agould@eng-lab-7100-2> file ls /var/crash
/var/crash: No such file or directory

agould@eng-lab-7100-2>



-- 
-Aaron




--
-Aaron


[j-nsp] ACX7100-48L

2023-06-07 Thread Aaron Gould via juniper-nsp
I had a ACX7100-48L suddenly go down in my lab.  Is there a way to find 
the cause of it going down?


agould@eng-lab-7100-2> show system information
Model: ACX7100-48L
Family: junos
Junos: 22.2R1.12-EVO
Hostname: eng-lab-7100-2

agould@eng-lab-7100-2> show system core-dumps
re0:
--

agould@eng-lab-7100-2> file ls /var/crash
/var/crash: No such file or directory

agould@eng-lab-7100-2>



--
-Aaron



[j-nsp] NXTWORK 2023 - United States

2023-04-11 Thread Aaron Gould via juniper-nsp

Does anyone know when and where the Juniper NXTWORK conference is this year?

--
-Aaron



Re: [j-nsp] juniper.net down?

2022-10-18 Thread Aaron via juniper-nsp
Thanks, Looks good now.

https://www.isitdownrightnow.com/juniper.net.html

shows it was down 8 minutes ago for everyone

-Aaron

From: Liam Farr  
Sent: Tuesday, October 18, 2022 1:21 PM
To: aar...@gvtc.com
Cc: juniper-nsp 
Subject: Re: [j-nsp] juniper.net down?

Loading fine from NZ, as is https://iam-signin.juniper.net & https://webdownload.juniper.net/

Being served off Akamai, so maybe a localised Akamai issue to you.

On Wed, 19 Oct 2022 at 07:13, Aaron via juniper-nsp <juniper-nsp@puck.nether.net> wrote:

juniper.net down?

Aaron

aar...@gvtc.com

-- 
Kind Regards

Liam Farr

Maxum Data
+64-9-950-5302



[j-nsp] juniper.net down?

2022-10-18 Thread Aaron via juniper-nsp
juniper.net down?

Aaron

aar...@gvtc.com



[j-nsp] Juniper CoS - Classifiers specifically

2022-03-15 Thread Aaron via juniper-nsp
Just looking to bounce this off anyone in the know.

As I learn more about Juniper CoS in Junos, it appears to me that a Juniper
device comes by default acting as a Behavior Aggregate classifier on each
interface that has an ip address enabled.  I'm saying this since I have IP's
on 3 interfaces, and I'm seeing Junos assign a default classifier to each of
those logical units.

I'm saying BA since I understand a BA classifier is one assigned using
class-of-service classifier like I see here. and not the other type MFC
(multi-field classifier) which uses a firewall filter

I'm wondering if the BA classifier stops working once an MFC is applied.  It
sure seems to in testing.  I feel like I've seen a diagram at some point or
document stating that MFC comes before BA in the CoS process chain. but I'm
not sure.  If anyone has that link/doc please send it.  I'd like to know for
sure.

Oh, btw, where in the world is all this default CoS stuff derived from?  I'd
like to think it's in a file somewhere that I can see in shell perhaps.  But
maybe not.  Maybe it's actually compiled into the Junos operating systems
itself.  Or is there a way to see "show configuration" with a special option
that shows automatic/default stuff like all this CoS info?

The available default classifiers.

root@srx-1> show class-of-service classifier | grep classifier
Classifier: dscp-default, Code point type: dscp, Index: 7
Classifier: dscp-ipv6-default, Code point type: dscp-ipv6, Index: 8
Classifier: dscp-ipv6-compatibility, Code point type: dscp-ipv6, Index: 9
Classifier: exp-default, Code point type: exp, Index: 10
Classifier: ieee8021p-default, Code point type: ieee-802.1, Index: 11
Classifier: ipprec-default, Code point type: inet-precedence, Index: 12
Classifier: ipprec-compatibility, Code point type: inet-precedence, Index: 13
Classifier: ieee8021ad-default, Code point type: ieee-802.1ad, Index: 41

The ipprec-compatibility classifier I find assigned to enabled interfaces.

root@srx-1> show class-of-service interface | grep "object|classifier|logical"
  Logical interface: ge-0/0/0.0, Index: 74
    Object        Name                    Type    Index
    Classifier    ipprec-compatibility    ip      13

  Logical interface: ge-0/0/1.0, Index: 75
    Object        Name                    Type    Index
    Classifier    ipprec-compatibility    ip      13

  Logical interface: irb.0, Index: 73
    Object        Name                    Type    Index
    Classifier    ipprec-compatibility    ip      13

Details of the classifier I see assigned to my enabled interfaces.

root@srx-1> show class-of-service classifier name ipprec-compatibility
Classifier: ipprec-compatibility, Code point type: inet-precedence, Index: 13
  Code point    Forwarding class    Loss priority
  000           best-effort         low
  001           best-effort         high
  010           best-effort         low
  011           best-effort         high
  100           best-effort         low
  101           best-effort         high
  110           network-control     low
  111           network-control     high

(no user defined cos config is present)

root@srx-1> show configuration class-of-service | display set

root@srx-1>

Aaron

aar...@gvtc.com



[j-nsp] vQFX cpu cores and ram

2021-06-22 Thread aaron--- via juniper-nsp
Hi All,

If you have experience running vQFXs, what are you setting for cpu cores and 
ram?

I'm using eve-ng to get around group_fwd_mask issues[1] such that I can have 
lacp and lldp working right out of the box.

The defaults on the github page do not seem enough, as if I set those values, I 
can't even get lacp bundles to come up, once I bump the resources, the bundles 
come up.

I've asked my SE, but I would like to know what the community has set in their 
environments?

Thanks,
Aaron
1. 
https://interestingtraffic.nl/2017/11/21/an-oddly-specific-post-about-group_fwd_mask/


Re: [j-nsp] MX routers and DAC cables?

2020-06-12 Thread aaron--- via juniper-nsp
Seconding Eric's point, depending on the version of Junos and transceiver, fec 
will be auto-configured, can be turned off, but depending on the transceiver, 
for example CWDM4, fec must be enabled on both sides to get link-up.

Along with disabling auto-negotiation on one side or both can sometimes help.

Just make sure to wait 1min after committing as changes to take effect can be 
delayed.

-Aaron

Jun 12, 2020, 13:55 by e...@telic.us:

> That's what I was going to chime in on.  Behaviour differences between
> software versions have done different defaults. 
>
> ekrichbaum@atl-bdr1> show interfaces et-0/0/1 | grep FEC 
>  Active defects : None
>  Ethernet FEC Mode  :   NONE
>
> eric@cht-bdr2> show interfaces et-0/0/1 | grep FEC 
>  Active defects : None
>  Ethernet FEC Mode  :  FEC91
>
> These are 204s with a difference in default from 17.4 to 18.2 somewhere.
> Manually setting FEC on both ends seems to correct and bring up the links.
>
>
> -Original Message-
> From: juniper-nsp  On Behalf Of Tobias
> Heister
> Sent: Friday, June 12, 2020 2:03 PM
> To: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] MX routers and DAC cables?
>
> Hi,
>
> On 12.06.2020 20:39, Chris Adams wrote:
>
>> Is anybody using DAC cables on MX routers?  We have a customer with an
>> MX10003 connected to EX4600 switches with 40G DAC cables (Juniper 
>> parts, not third-party).  Upon upgrading the router JUNOS to 
>> 18.2R3-S3, none of the interfaces with a DAC cable would come up on the
>> router end.
>>
>> JTAC's response was that no DAC cables are supported on any MX routers.
>>
>> That seems a little odd to me... I thought DAC cables are a part of 
>> the various specs, so saying they're not supported is saying those 
>> aren't actually Ethernet ports to me.
>>
>
> DAC and AOC are transceivers, and officially only a specific set of
> transceivers are supported per platform.
>
> For MX10003 you can check here: 
> https://apps.juniper.net/hct/product/#prd=MX10003
>
> There are 40GE AOC supported for that box, but not 40GE DAC. For 100GE DAC
> are actually supported in later Junos version.
>
> That being said typically DAC worked in MX for 10G and even 40G on most
> boxes, but on MX10003 we had a lot of problems with 40G DACs and eventually
> replaced most/all of them with optical transceivers.
>
> Even on 100GE you might need to set the FEC config depending on what and
> where you connect the other DAC end.
>
> While 10G mostly worked everywhere we had a fair share of trouble on 40 and
> 100GE on various vendors and platforms.
>
> --
> regards
> Tobias


Re: [j-nsp] PIM Join Load Balancing

2020-05-13 Thread Aaron Gould
This ?

[edit protocols pim ]

user@host# set interface all mode sparse version 2

user@host# set join-load-balance


https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/mcast-pim-join-load-balance.html





-Original Message-
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of
craig washington
Sent: Wednesday, May 13, 2020 5:07 PM
To: Juniper List
Subject: [j-nsp] PIM Join Load Balancing

Has anyone tried running or are running PIM Join load balancing.
Most of the documentation I have read doesn't suggest it works for plain
multicast?


Thanks



Re: [j-nsp] Juniper Case Management down

2020-05-02 Thread Aaron Dewell


There should have been a banner up for the last few weeks detailing changes 
that were going to happen May 2 to My Juniper. There may have also been an 
email but I don't recall that myself.
http://casemanager.juniper.net is the place to go for your case management 
needs now.
On May 2 2020, at 11:46 am, Clinton Work  wrote:
> Was there any notification about the Juniper case manager going down for 
> scheduled maintenance? The site has been down since last night and we had to 
> get temp case # created via the phone.
>
> https://my.juniper.net/#dashboard/overview
> --
> Clinton Work
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>



Re: [j-nsp] Junos Telemetry Interface

2020-04-20 Thread Aaron Gould
Here's my lab MX960

Mine is currently set at 1 second

set services analytics export-profile my-exprt-prfl reporting-rate 1

I tried decimals and zero to see what would happen, seems that 1 is the
lowest.


{master}[edit]
agould@lab-960# set services analytics export-profile my-exprt-prfl reporting-rate
Possible completions:
   Telemetry interval in seconds (0..3600 seconds)

{master}[edit]
agould@lab-960# set services analytics export-profile my-exprt-prfl reporting-rate .1
^
Invalid numeric value: '.1' at '.1'


{master}[edit]
agould@lab-960# set services analytics export-profile my-exprt-prfl reporting-rate .9
^
Invalid numeric value: '.9' at '.9'


{master}[edit]
agould@lab-960# set services analytics export-profile my-exprt-prfl reporting-rate 0

{master}[edit]
agould@lab-960# show | compare
[edit services analytics export-profile my-exprt-prfl]
-reporting-rate 1;
+reporting-rate 0;


{master}[edit]
agould@lab-960# commit check
re0:
[edit services analytics]
  'sensor my-sensor-14'
reporting-rate of 0 not supported for PFE sensor
error: configuration check-out failed


-Aaron




Re: [j-nsp] Junos Telemetry Interface

2020-04-12 Thread Aaron Gould
You’re welcome Colton.  I understand there are 2 different ways to do telemetry 
on Juniper.  One called Native and the other called gRPC/openconfig.  I’ve done 
the Native form.  I think the native form is a configured form where by which 
the network device constantly streams the sensor objects… and conversely, the 
gRPC form is subscription based where the management app/computer, subscribes 
to the network device to receive telem data objects.

 

I understand the native form to be executed in hardware near the monitored 
object….and because of this, highly scalable. And the grpc/openconfig form 
runs on re cpu.

 

I don’t think we’ve gotten native telemetry to work on ACX.  But I have it 
running on MX960’s.

 

I understand the grpc/openconfig method requires you to download some 
code/software to the network device.

 

Collector I use is the OpenNTI project.  Grafana (web ui) (or a less known 
Chronograf, which I actually use and like), InfluxDB (TSDB), fluentd, and other 
components.  I must credit Dave, my coworker and resident Linux genius in 
assisting me with the server side collector setup.  Some helpful/related links 
below….

 

 

https://puck.nether.net/pipermail/juniper-nsp/2018-October/036602.html

 

 

https://openeye.blog/2017/06/26/using-opennti-as-a-collector-for-streaming-telemetry-from-juniper-devices-part-1/

 

 

https://www.juniper.net/documentation/en_US/junos/topics/concept/junos-telemetry-interface-oveview.html

look under “telemetry sensors and data models”

 

 

https://community.grafana.com/t/how-to-send-juniper-router-telemetry-to-grafana/11071/9

 

 

-Aaron

 

 

From: Colton Conor [mailto:colton.co...@gmail.com] 
Sent: Saturday, April 11, 2020 9:05 AM
To: Aaron Gould
Cc: Juniper List
Subject: Re: [j-nsp] Junos Telemetry Interface

 

Aaron,

 

Thanks, this is indeed helpful. What collector are you using to store and view 
this telemetry data? Also, have you had any luck with getting JTI to work on 
your ACX gear? The only JTI feature I see for the ACX line according to the 
feature explorer is: 
https://apps.juniper.net/feature-explorer/feature-info.html?fKey=8978=Specify%20Routing%20Instance%20for%20JTI 
I am not sure if that means it fully supports JTI or not. 

 

 


Re: [j-nsp] Junos Telemetry Interface

2020-04-10 Thread Aaron Gould
Not sure if this is what you are looking for, but here are some of the
sensor agents that I enabled on my MX routers

Maybe it's the linecard or interface specific ones that give me the bits in
bits out utilization graphs.

set services analytics sensor my-sensor-14 server-name my-grafana-srvr
set services analytics sensor my-sensor-14 export-name my-exprt-prfl
set services analytics sensor my-sensor-14 resource /junos/system/linecard/interface/
set services analytics sensor my-sensor-1 server-name my-grafana-srvr
set services analytics sensor my-sensor-1 export-name my-exprt-prfl
set services analytics sensor my-sensor-1 resource /junos/system/linecard/packet/usage/
set services analytics sensor my-sensor-2 server-name my-grafana-srvr
set services analytics sensor my-sensor-2 export-name my-exprt-prfl
set services analytics sensor my-sensor-2 resource /junos/system/linecard/cpu/memory/
set services analytics sensor my-sensor-12 server-name my-grafana-srvr
set services analytics sensor my-sensor-12 export-name my-exprt-prfl
set services analytics sensor my-sensor-12 resource /junos/system/linecard/fabric/
set services analytics sensor my-sensor-15 server-name my-grafana-srvr
set services analytics sensor my-sensor-15 export-name my-exprt-prfl
set services analytics sensor my-sensor-15 resource /junos/system/linecard/interface/logical/usage/
set services analytics sensor my-sensor-17 server-name my-grafana-srvr
set services analytics sensor my-sensor-17 export-name my-exprt-prfl
set services analytics sensor my-sensor-17 resource /junos/system/linecard/npu/memory/
set services analytics sensor my-sensor-18 server-name my-grafana-srvr
set services analytics sensor my-sensor-18 export-name my-exprt-prfl
set services analytics sensor my-sensor-18 resource /junos/system/linecard/npu/utilization/
set services analytics sensor my-sensor-19 server-name my-grafana-srvr
set services analytics sensor my-sensor-19 export-name my-exprt-prfl
set services analytics sensor my-sensor-19 resource /junos/system/linecard/optics/
set services analytics sensor my-sensor-21 server-name my-grafana-srvr
set services analytics sensor my-sensor-21 export-name my-exprt-prfl
set services analytics sensor my-sensor-21 resource /junos/system/linecard/services/inline-jflow/
set services analytics sensor my-sensor-13 server-name my-grafana-srvr
set services analytics sensor my-sensor-13 export-name my-exprt-prfl
set services analytics sensor my-sensor-13 resource /junos/system/linecard/firewall/

-Aaron

-Original Message-
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of
Colton Conor
Sent: Thursday, April 9, 2020 3:25 PM
To: Juniper List
Subject: [j-nsp] Junos Telemetry Interface

Instead of monitoring Juniper equipment by SNMP with 5 minute polling we
would like to use streaming telemetry to monitor the devices in real-time.
This requires the Junos Telemetry Interface.

Looking in the Juniper Feature Explorer, Junos Telemetry Interface is not a
feature, but rather a whole category in the feature explorer, with multiple
features under it. What feature am I looking for to be able to monitor the
interfaces in real-time, and see how much bandwidth flows across them
similar to SNMP?

The ACX platforms only support the Specify Routing Instance for JTI
feature?


Re: [j-nsp] Trouble with 100G link MX204 <-> Dell S4100F-ON

2020-03-19 Thread Aaron Gould
On the topic of FEC mode... thought I'd share something I found a while back 
when testing the ACX5448 with an MX960

The ACX5448 40 gig interface defaulted to FEC74... the MX960 40 gig interface 
on an MPC7E-MRATE module default to FEC "NONE"

40 gig link would not come up

agould@lab-960> show system information
Model: mx960
Family: junos
Junos: 17.4R2-S1.2
Hostname: lab-960

agould@eng-lab-5448> show system information
Model: acx5448
Family: junos
Junos: 18.3-20180825.3
Hostname: eng-lab-5448

After reconfig of FEC mode on ACX5448 to NONE, interface came up and we passed 
ping tests...

agould@eng-lab-5448> show interfaces et-0/1/0 | grep "fec mode"
  Ethernet FEC Mode  :   NONE

agould@lab-960> show interfaces et-0/1/0 | grep "fec mode"
  Ethernet FEC Mode  :   NONE


[edit]
root@eng-lab-5448# set interfaces et-0/1/0 gigether-options fec ?
Possible completions:
  fec74                FEC74 enabled
  fec91                IEEE 802.3bj Clause 91, Reed-Solomon FEC (RS-FEC)
  none                 FEC disabled


-Aaron




Re: [j-nsp] MX960 vs MX10K

2020-03-09 Thread Aaron Gould
Just fyi, I'm running evpn-mpls between a couple dc's and ms-mpc-128g for my  
cable modem communities all in the same mx960 chassis's... been good so far.

-Aaron




Re: [j-nsp] MX960 vs MX10K

2020-03-09 Thread Aaron Gould
In my case, 960 has a lot of slots, and I use slot 0 and slot 11 for
MPC-7E-MRATE to light up 100 gig east/west ring and 40 gig south to ACX
subrings, so I have plenty of slot space for my MS-MPC-128G nat module... If
I place it somewhere else, then I gotta cross the network to some extent to
get to it... also, my dual 100 gig inet connections are on a couple of those
960's where I colo the mpc-128g card, yeah, it's all right there.  Not the
case for dsl nat, that's across the network in a couple mx104's, but dsl
doesn't have near the speeds that my ftth and cm subs have.

-Aaron

-Original Message-
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of
Chris Kawchuk
Sent: Wednesday, March 4, 2020 9:33 PM
To: Tom Beecher
Cc: juniper-nsp
Subject: Re: [j-nsp] MX960 vs MX10K

Just to chime in --- for scale-out, wouldn't you be better offloading those
MS-MPC functions to another box? (i.e. VM/Dedicated Appliance/etc..?).

You burn slots for the MSMPC plus you burn the backplane crossing twice; so
it's at worst a neutral proposition to externalise it and add low-cost
non-HQoS ports to feed it.

or is it the case of limited space/power/RUs/want-it-all-in-one-box? and
yes, MS-MPC won't scale to Nx100G of workload.

- CK.



> On 5 Mar 2020, at 1:36 am, Tom Beecher  wrote:
> 
> It really depends on what you're going to be doing, but I still have quite a
> few MX960s out there running pretty significant workloads without issues.
> 
> I would suspect you hit the limits of the MS-MPCs way before the limits of
> the chassis.
> 
> On Wed, Mar 4, 2020 at 6:56 AM Ibariouen Khalid wrote:
> 
>> dear Juniper community
>> 
>> is there any limitation of using MX960 as DC-GW compared to MX10K ?
>> 
>> juniper always recommends to use MX10K , but in my case i need MS-MPC which
>> is not supported on MX10K and i want to know if i will have some limitation
>> on MX960.
>> 
>> Thanks


Re: [j-nsp] Juniper support offline?

2020-01-27 Thread aaron
Hi,

>Prsearch disappeared what, Jan 2019.. this year will it be case management and 
>download access we lose for almost a year?

FYI, PR search came back a long time ago sometime late 2019.

-Aaron


Jan 26, 2020, 08:30 by c...@ip4.de:

> Everything works here again - without resetting.
> Looks like it’s recovering
>
>
>
> Sent from my iPhone
>
>> On 26.01.2020 at 17:08, Ross Halliday wrote:
>>
>> Seems to be back albeit a bit rocky - I could not get in with my previous 
>> password and had to reset. SRM and Downloads appear to be functioning
>>
>> Ross
>>
>>
>> -Original Message-
>> From: juniper-nsp  On Behalf Of Thomas 
>> Scott
>> Sent: January 26, 2020 6:14 AM
>> To: Nathan Ward 
>> Cc: Juniper NSP 
>> Subject: Re: [j-nsp] Juniper support offline?
>>
>> Just got off the phone with JTAC and was informed the website was down for
>> "maintenance". We managed to open a case last night, but were unable to
>> this morning... I'm hoping that the "issue" doesn't last too long..
>>
>> Phone number I called was 1-888-314-5822.
>>
>> - Thomas Scott | mr.thomas.sc...@gmail.com  
>>
>>
>>>>> On Sun, Jan 26, 2020 at 5:28 AM Nathan Ward  wrote:
>>>>>
>>> Hi,
>>> The published number on the Juniper website - 0080025864737 doesn’t work,
>>> and the +1888 US number went to Juniper, but to voicemail.
>>> I’ve called the number Liam has posted here (same as above but with +
>>> rather than 00), which worked - the agent had told me that there was
>>> maintenance yesterday and now there is no way to get copies of images
>>> apparently, even JTAC.
>>> I was told that there is no ETA for login being restored. All they can do
>>> is open a case so I get notified if and when it’s fixed. (Yeah, the agent
>>> really said “if and when”).
>>> Prsearch disappeared what, Jan 2019.. this year will it be case management
>>> and download access we lose for almost a year?
>>> On the off chance someone has them and is able to share, I need packages
>>> for 18.2R3-S1 for MX204 (so, VMHost), and 18.4R2-S2 for QFX5120.
>>> Those are the JTAC recommended versions, so I imagine they’ll be knocking
>>> about on plenty of hard drives..
>>> Luckily, checksums are still visible on the public site :-)
>>>
>>>>> On 26/01/2020, at 8:22 PM, Liam Farr  wrote:
>>>>>
>>>> I just messaged some local at Juniper NZ and they advised that
>>>>
>>> +80025864737 is working for support.
>>>
>>>> Seems to work from my 2D mobile here too.
>>>> Cheers
>>>> Liam
>>>> On Sun, 26 Jan 2020 at 8:16 PM, Nathan Ward >>>
>>> <mailto:juniper-...@daork.net>> wrote:
>>>
>>>> Hi,
>>>> Looks to me and colleagues of mine like Juniper support is offline.
>>>> Last night, I was able to log in but trying to download an image got to
>>>>
>>> some stage of the redirect process and hung, then a please try again later
>>> message. It persisted for the next few hours of me trying every now and
>>> then.
>>>
>>>> Today, I can’t log in at all - Invalid user/password.
>>>> Password reset process works, but, still doesn’t let me in. Different
>>>>
>>> browsers, cleared cache, all the usual “is it on at the wall sir” debugging.
>>>
>>>> Hearing the same story for others.
>>>> I’ve called both the NZ 00800 (international 800) and the US +1888
>>>>
>>> number. The former says “call cannot be completed”. The US number says
>>> “high volume of calls please leave a message”.
>>>
>>>> We’re in New Zealand - unsure if that’s relevant.
>>>> Are others having these same issues?
>>>> Any insight in to what’s going on?
>>>> It’s a long weekend here, so the local sales/SE/etc. folks I usually
>>>>
>>> deal with are likely not anywhere near their phones.
>>>
>>>> --
>>>> Nathan Ward
>>>> ___
>>>> juniper-nsp mailing list juniper-nsp@puck.nether.net >>>
>>> juniper-nsp@puck.nether.net>
>>>
>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp <
>>>>
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp>
>>>
>>>> --
>>>> Kind Regards
>>>> Liam Farr
>>>> Maxum Data
>>>> +64-9-950-5302
>>>>


[j-nsp] rest api - limit ip sources

2020-01-22 Thread Aaron Gould
Anyone know how to limit ip addresses *in subnet notation* that are able to
communicate with the rest api ?

 

 

rest api allowed-source - how to use subnet notation

 

 

{master:0}[edit]
agould@eng-lab-5048-2# set system services rest control allowed-sources "123.123.0.64/26"
^
invalid input at '/26' in ip address '123.123.0.64/26' at '123.123.0.64/26'

{master:0}[edit]
agould@eng-lab-5048-2# set system services rest control allowed-sources [123.123.0.64 /26]
error: invalid ip address or hostname: /26: /26

{master:0}[edit]
agould@eng-lab-5048-2# set system services rest control allowed-sources [123.123.0.64/26]
error: invalid input at '/26' in ip address '123.123.0.64/26': 123.123.0.64/26

*** this works, but it's only one IP address, and I need to allow many more.

{master:0}[edit]
agould@eng-lab-5048-2# set system services rest control allowed-sources 123.123.0.80

{master:0}[edit]

 

 

 

-Aaron
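
The post above shows the CLI accepting a bare address and rejecting every /26 form. As an added example (not part of the original post and not Juniper's code), this Python script expands CIDR blocks into one command per address and diffs the result against what is already configured. It assumes the statement takes individual addresses as a list; `MAX_ADDRESSES` and the sample input are constructed here.

```python
"""Expand CIDR blocks into one Junos allowed-sources command per address.

Added example, not from the original post. Assumptions: the statement takes
individual addresses and repeated `set` commands add to its list.
"""
import ipaddress

# Statement path copied from the commands in the post.
PATH = "system services rest control allowed-sources"

# Hypothetical cap (not a Junos limit) so a mistyped short prefix such as /8
# cannot generate millions of configuration lines.
MAX_ADDRESSES = 1024


def _order(addr):
    """Sort key that keeps IPv4 and IPv6 addresses comparable."""
    return (addr.version, int(addr))


def expand_sources(entries, hosts_only=False, max_addresses=MAX_ADDRESSES):
    """Return the sorted, de-duplicated addresses covered by `entries`.

    `entries` may mix single addresses and CIDR blocks. With hosts_only=True
    the network (and IPv4 broadcast) address of each block is left out.
    """
    addresses = set()
    for entry in entries:
        # strict=True rejects a block with host bits set (123.123.0.80/26),
        # which is usually a typo rather than the intended allow-list.
        net = ipaddress.ip_network(entry.strip(), strict=True)
        if net.num_addresses > max_addresses:
            raise ValueError(f"{net} covers {net.num_addresses} addresses, "
                             f"cap is {max_addresses}")
        if hosts_only and net.num_addresses > 2:
            addresses.update(net.hosts())
        else:
            addresses.update(net)
        if len(addresses) > max_addresses:
            raise ValueError(f"more than {max_addresses} addresses in total")
    return sorted(addresses, key=_order)


def junos_commands(entries, hosts_only=False, max_addresses=MAX_ADDRESSES):
    """One `set` line per allowed address."""
    return [f"set {PATH} {addr}"
            for addr in expand_sources(entries, hosts_only, max_addresses)]


def configured_sources(display_set_lines):
    """Addresses already present in `... | display set` style lines."""
    prefix = f"set {PATH} "
    found = set()
    for line in display_set_lines:
        line = line.strip()
        if line.startswith(prefix):
            found.add(ipaddress.ip_address(line[len(prefix):].strip()))
    return found


def plan_changes(display_set_lines, entries, hosts_only=False):
    """Return (to_add, to_delete) so the list matches `entries` exactly.

    Entries that are configured but no longer wanted come back as `delete`
    lines, which makes stale allow-list addresses visible for review.
    """
    wanted = set(expand_sources(entries, hosts_only))
    current = configured_sources(display_set_lines)
    to_add = [f"set {PATH} {a}" for a in sorted(wanted - current, key=_order)]
    to_delete = [f"delete {PATH} {a}"
                 for a in sorted(current - wanted, key=_order)]
    return to_add, to_delete


if __name__ == "__main__":
    # Constructed sample: the address the post configured plus a stale one.
    current = [
        f"set {PATH} 123.123.0.80",
        f"set {PATH} 10.9.9.9",
    ]
    add, delete = plan_changes(current, ["123.123.0.64/26"])
    print("\n".join(delete + add))
```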



Re: [j-nsp] ACX5448 & ACX710

2020-01-21 Thread Aaron Gould
I've had an ACX5448 in my lab on loaner for over a year.  I need to refresh
myself on how well it performed.  I have the little-brother ACX5048,
probably 50 of them all over my network doing quite well.  Pretty sure those
are not Trio based.

Never heard of the ACX710, but see it in slide 22 here ...
https://senetsy.ru/upload/juniper-summit-2019/5G-ready_Transport_Networks_Evgenii_Bugakov_Juniper.pdf
ACX710 and ACX753.  I'm curious about interfaces and modules and
capabilities of both of them.

-Aaron




Re: [j-nsp] [EXT] Re: MX204 MACsec

2019-11-27 Thread Aaron Gould
[edit]
me@site2-204-3# show | compare
[edit]
+  security {
+  macsec {
+  connectivity-association my-ca1 {
+  security-mode static-cak;
+  mka {
+  transmit-interval 6000;
+  key-server-priority 0;
+  }
+  replay-protect {
+  replay-window-size 5;
+  }
+  offset 30;
+  pre-shared-key {
+  ckn (i removed);
+  cak "(i removed)"; ## SECRET-DATA
+  }
+  exclude-protocol lldp;
+  }
+  interfaces {
+  xe-0/1/0 {
+  connectivity-association my-ca1;
+  }
+  }
+  }
+  }
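
Review bot: `offset 30` under connectivity-association my-ca1 leaves the first 30 octets of each frame's payload unencrypted (still integrity-protected), so IPv4 headers on xe-0/1/0 stay readable on the wire; unless something in the path has to read them, use `offset 0`. `exclude-protocol lldp` also sends LLDP outside MACsec, so neighbour details on this link are neither encrypted nor authenticated; keep it only if the far end requires it.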

[edit]
me@site2-204-3# commit check
configuration check succeeds

[edit]
me@site2-204-3# show security
macsec {
    connectivity-association my-ca1 {
        security-mode static-cak;
        mka {
            transmit-interval 6000;
            key-server-priority 0;
        }
        replay-protect {
            replay-window-size 5;
        }
        offset 30;
        pre-shared-key {
            ckn (i removed);
            cak "(i removed)"; ## SECRET-DATA
        }
        exclude-protocol lldp;
    }
    interfaces {
        xe-0/1/0 {
            connectivity-association my-ca1;
        }
    }
}

[edit]
me@site2-204-3#



- Aaron



Re: [j-nsp] [EXT] Re: MX204 MACsec

2019-11-27 Thread Aaron Gould
Before or after I do that config test ?  Asking since I didn't commit that
as it's on a MX204 in a far-away place during a thanksgiving week
network-change moratorium, I'm treading on thin ice.  LOL

-Aaron




Re: [j-nsp] MX204 MACsec

2019-11-27 Thread Aaron Gould
Not knowing much about this, but going from this site's guidance ( I stopped 
halfway down the page ) , 
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/macsec-configuring-mx-series.html

...i did the following... 

[edit]
me@site2-204-3# show | compare
[edit]
+  security {
+  macsec {
+  connectivity-association my-ca1 {
+  security-mode static-cak;
+  mka {
+  transmit-interval 6000;
+  key-server-priority 0;
+  }
+  replay-protect {
+  replay-window-size 5;
+  }
+  offset 30;
+  pre-shared-key {
+  ckn 
37c9c2c45ddd012aa5bc8ef284aa23ff6729ee2e4acb66e91fe34ba2cd9fe311;
+  cak 
"$9$9Zp0tBIhSrlM8n/0IhcleaZGD.P5T36/tPfIESr8LVwY4UjfTzn9AF3A0BIrlaZGjmfFn/CA0JGjqP5F3evM8X-oJGDHqLx";
 ## SECRET-DATA
+  }
+  exclude-protocol lldp;
+  }
+  interfaces {
+  xe-0/1/0 {
+  connectivity-association my-ca1;
+  }
+  }
+  }
+  }
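
Review bot: the `ckn` and `cak` lines under pre-shared-key are posted in full. The `$9$` form is a reversible obfuscation rather than a one-way hash, so both values should be treated as disclosed and replaced with freshly generated ones before this connectivity association is committed on any device.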

[edit]
me@site2-204-3# commit check
configuration check succeeds

[edit]
me@site2-204-3#



- Aaron



Re: [j-nsp] MX204 MACsec

2019-11-27 Thread Aaron Gould
I don't know much about this, but, for what it's worth, I do see this on one
of my MX204's...

me@site2-204-3# set security macsec connectivity-association test ?
Possible completions:
  <[Enter]>             Execute this command
+ apply-groups          Groups from which to inherit configuration data
+ apply-groups-except   Don't inherit configuration data from these groups
  cipher-suite          Cipher suite to be used for encryption
> exclude-protocol      Configure protocols to exclude from MAC Security
  include-sci           Include secure channel identifier in MAC Security PDU
> mka                   Configure MAC Security Key Agreement protocol properties
  no-encryption         Disable encryption
  offset                Confidentiality offset
> pre-shared-key        Configure pre-shared connectivity association key
  pre-shared-key-chain  Pre-shared key chain name for connectivity association
> replay-protect        Configure replay protection
> secure-channel        Configure secure channel properties
  security-mode         Connectivity association mode
  |                     Pipe through a command

[edit]
me@site2-204-3# exit
Exiting configuration mode

me@site2-204-3> show system information
Model: mx204
Family: junos
Junos: 18.4R1-S3.1
Hostname: site2-204-3

me@site2-204-3>


-Aaron



Re: [j-nsp] Managing MX480 fxp0

2019-11-25 Thread Aaron Gould
Thanks, but I just moved the fxp0 ip address to a revenue interface to get the 
pfe forwarding I needed.

-Aaron



Re: [j-nsp] Managing MX480 fxp0

2019-11-22 Thread Aaron Gould
Thanks

 

-Aaron



Re: [j-nsp] Managing MX480 fxp0

2019-11-22 Thread Aaron Gould
Thanks again (Chris) for solving my vpls/irb/tagging combination problem
yesterday. we can bridge successfully now. 

 

Taking this one step further, we now are trying to route via fxp0 and
*through* it to the irb.100 interface and are unable to.

 

Is it possible to route traffic *through* an fxp0 interface ? (MX204)

 

I'm asking since it seems that someone mentioned that it is in fact possible
with some sort of static routes.  but I'm unsure what they meant exactly.

 

If it's definitely not possible to transit an fxp0 interface, I just need to
know that, and I will seek solutions using a revenue interface instead.

 

Resurrecting an old thread(s)..

https://www.mail-archive.com/juniper-nsp@puck.nether.net/msg09809.html   

https://puck.nether.net/pipermail/juniper-nsp/2010-August/017545.html 

 

subnet A --- fxp0/mx204/irb.100 --- subnet B

 

<---is bi-dir comms possible?-->

 

 

-Aaron



Re: [j-nsp] trying to add double tagged interface and getting errors

2019-11-21 Thread Aaron Gould
Very nice, the config works now! (I had to add vpls encap to the subints of
course)

And I see the interface shows pop-pop push-push still

Thanks!

set routing-instances 100 interface xe-0/1/1.300
set routing-instances 100 interface xe-0/1/1.312
delete interfaces xe-0/1/1 unit 300 input-vlan-map pop-pop
delete interfaces xe-0/1/1 unit 300 output-vlan-map push-push
delete interfaces xe-0/1/1 unit 312 input-vlan-map pop-pop
delete interfaces xe-0/1/1 unit 312 output-vlan-map push-push
set interfaces xe-0/1/1 unit 300 encapsulation vlan-vpls
set interfaces xe-0/1/1 unit 312 encapsulation vlan-vpls

me@204-1> show interfaces xe-0/1/1.300
  Logical interface xe-0/1/1.300 (Index 336) (SNMP ifIndex 534)
    Flags: Up SNMP-Traps 0x4000 VLAN-Tag [ 0x8100.300 0x8100.100 ]
    In(pop-pop) Out(push-push 0x8100.300 0x8100.100)  Encapsulation: VLAN-VPLS
    Input packets : 0
    Output packets: 0
    Protocol vpls, MTU: 9216

me@204-1> show interfaces xe-0/1/1.312
  Logical interface xe-0/1/1.312 (Index 341) (SNMP ifIndex 535)
    Flags: Up SNMP-Traps 0x4000 VLAN-Tag [ 0x8100.312 0x8100.100 ]
    In(pop-pop) Out(push-push 0x8100.312 0x8100.100)  Encapsulation: VLAN-VPLS
    Input packets : 0
    Output packets: 0
    Protocol vpls, MTU: 9216

- Aaron

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] trying to add double tagged interface and getting errors

2019-11-21 Thread Aaron Gould
How would I accomplish this ?  It's working fine, but when I try to add a
double tagged interface into the existing vpls bridging environment, I get
the following error.

me@ 204-1> show configuration routing-instances 100 | display set
set routing-instances 100 instance-type vpls
set routing-instances 100 vlan-id none
set routing-instances 100 interface xe-0/1/4.100
set routing-instances 100 routing-interface irb.100
set routing-instances 100 protocols vpls no-tunnel-services
set routing-instances 100 protocols vpls vpls-id 1
set routing-instances 100 protocols vpls mtu 1500
set routing-instances 100 protocols vpls neighbor 10.102.255.7

me@ 204-1> show configuration interfaces xe-0/1/1 | display set
set interfaces xe-0/1/1 flexible-vlan-tagging
set interfaces xe-0/1/1 mtu 9216
set interfaces xe-0/1/1 encapsulation flexible-ethernet-services
set interfaces xe-0/1/1 unit 300 vlan-tags outer 300
set interfaces xe-0/1/1 unit 300 vlan-tags inner 100
set interfaces xe-0/1/1 unit 300 input-vlan-map pop-pop
set interfaces xe-0/1/1 unit 300 output-vlan-map push-push

me@204-1# set routing-instances 100 interface xe-0/1/1.300

[edit]
me@ 204-1# commit check
[edit routing-instances 100 interface]
  'xe-0/1/1.300'
    interface with input/output vlan-maps cannot be added to a
    routing-instance with a vlan-id/vlan-tags configured
error: configuration check-out failed: (statements constraint check failed)


-Aaron

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] MX204 vs. MX240??

2019-11-10 Thread Aaron Gould
We deployed the MX204 in pairs in 2 new markets that we entered into
recently... Houston and Dallas... the MX204 presents itself as a small and
relatively inexpensive box, but with nice port and feature versatility with its
MX capabilities.

We decided to roll them out with (2) 100g, (2) 40g, (4) 10g and (4) 1g...and
link them together with a 100g DAC cable

Btw, the MX204 defaults as an all-10gig interface box.. in its default
state...

[edit]
root# run show interfaces terse | grep "^et|^xe|^ge"
xe-0/0/0:0              up    down
xe-0/0/0:1              up    down
xe-0/0/0:2              up    down
xe-0/0/0:3              up    down
xe-0/0/1:0              up    down
xe-0/0/1:1              up    down
xe-0/0/1:2              up    down
xe-0/0/1:3              up    down
xe-0/0/2:0              up    down
xe-0/0/2:1              up    down
xe-0/0/2:2              up    down
xe-0/0/2:3              up    down
xe-0/0/3:0              up    down
xe-0/0/3:1              up    down
xe-0/0/3:2              up    down
xe-0/0/3:3              up    down
xe-0/1/0                up    down
xe-0/1/1                up    down
xe-0/1/2                up    down
xe-0/1/3                up    down
xe-0/1/4                up    down
xe-0/1/5                up    down
xe-0/1/6                up    down
xe-0/1/7                up    down

[edit]
root# run show interfaces terse | grep "^et|^xe|^ge" | count
Count: 24 lines


so to achieve port speed that you want, this is what we did.


set chassis fpc 0 pic 0 port 0 speed 100g
set chassis fpc 0 pic 0 port 1 speed 100g
set chassis fpc 0 pic 0 port 2 speed 40g
set chassis fpc 0 pic 0 port 3 speed 40g

set chassis fpc 0 pic 1 port 0 speed 10g
set chassis fpc 0 pic 1 port 1 speed 10g
set chassis fpc 0 pic 1 port 2 speed 10g
set chassis fpc 0 pic 1 port 3 speed 10g
set chassis fpc 0 pic 1 port 4 speed 10g
set chassis fpc 0 pic 1 port 5 speed 10g
set chassis fpc 0 pic 1 port 6 speed 10g
set chassis fpc 0 pic 1 port 7 speed 10g

Verify. after.


root> show interfaces terse | grep "^et|^xe|^ge" | count
Count: 12 lines

root> show interfaces terse | grep "^et|^xe|^ge"
et-0/0/0                up    down
et-0/0/1                up    down
et-0/0/2                up    down
et-0/0/3                up    down
xe-0/1/0                up    down
xe-0/1/1                up    down
xe-0/1/2                up    down
xe-0/1/3                up    down
xe-0/1/4                up    down
xe-0/1/5                up    down
xe-0/1/6                up    down
xe-0/1/7                up    down

...then to get the (4) 1g that we wanted...

set interfaces xe-0/1/4 gigether-options speed 1g
set interfaces xe-0/1/5 gigether-options speed 1g
set interfaces xe-0/1/6 gigether-options speed 1g
set interfaces xe-0/1/7 gigether-options speed 1g


- Aaron

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] VLAN sub-interfaces in VRR em0?

2019-11-04 Thread Aaron Gould
My situation might be different than yours, but, I'm using vlan tags in
junos vMX on eve-ng... (17.4R1.16)


root@sabn-960-e> show interfaces ae161.0
  Logical interface ae161.0 (Index 344) (SNMP ifIndex 546)
    Flags: Up SNMP-Traps 0x20004000 VLAN-Tag [ 0x8100.10 ]  Encapsulation: VLAN-Bridge
    Statistics        Packets        pps         Bytes          bps
Bundle:
Input :   6278792  0 5253885840
Output:   5878898  0 497667878  256
Adaptive Statistics:
Adaptive Adjusts:  0
Adaptive Scans  :  0
Adaptive Updates:  0
Protocol bridge, MTU: 1522


root@sabn-960-e> show configuration interfaces ae161.0 | display set
set interfaces ae161 unit 0 encapsulation vlan-bridge
set interfaces ae161 unit 0 vlan-id 10


root@sabn-960-e> show arp interface irb.10 no-resolve
MAC Address   Address Interface Flags
02:05:86:71:20:00 172.223.10.30   irb.10 [.local..8]   permanent remote
02:05:86:71:3e:00 172.223.10.31   irb.10 [ae161.0] permanent remote
Total entries: 2


root@sabn-960-e> show configuration interfaces irb.10 | display set
set interfaces irb unit 10 family inet address 172.223.10.1/24
set interfaces irb unit 10 mac 00:00:00:00:00:0a

root@sabn-960-e> ping 172.223.10.31
PING 172.223.10.31 (172.223.10.31): 56 data bytes
64 bytes from 172.223.10.31: icmp_seq=0 ttl=64 time=106.272 ms
64 bytes from 172.223.10.31: icmp_seq=1 ttl=64 time=144.518 ms
64 bytes from 172.223.10.31: icmp_seq=2 ttl=64 time=180.567 ms
^C
--- 172.223.10.31 ping statistics ---
4 packets transmitted, 3 packets received, 25% packet loss
round-trip min/avg/max/stddev = 106.272/143.786/180.567/30.335 ms


- Aaron

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] JunOS on EX4550?

2019-10-17 Thread Aaron Gould
On my EX4550, I recall going from 12 to 15 to get some mpls function.  But I 
also recall having issues with mpls services and then later removing those mpls 
services.

-Aaron

-Original Message-
From: Richard McGovern [mailto:rmcgov...@juniper.net] 
Sent: Thursday, October 17, 2019 5:27 AM
To: Josh Baird
Cc: Juniper List
Subject: Re: [j-nsp] JunOS on EX4550?

In my view best stability, used by most people (all of my customers are on 12.3 
only), and no feature set differences. When 15.1 came out initially there were 
some concerns, so IMHO most just stayed on 12.3 once it was announced to have 
continued support.

Just my 2 cents worth.

Sent from my iPhone

On Oct 17, 2019, at 12:01 AM, Josh Baird  wrote:


Thanks, Richard.  Any particular reason why I would be better off using 12.3R12?

On Wed, Oct 16, 2019 at 5:53 PM Richard McGovern <rmcgov...@juniper.net> wrote:
No.  For legacy EX switches, for which EX4500/EX4550 fall into, 15.1 is last 
release.  At the same time, I think you might have best results using 
12.3R12-S[latest] instead.  Both 12.3 and 15.1 will be maintained for life of 
legacy EX switches.

HTH, Rich

Richard McGovern
Sr Sales Engineer, Juniper Networks
978-618-3342

I’d rather be lucky than good, as I know I am not good
I don’t make the news, I just report it


On 10/16/19, 1:50 PM, "Josh Baird" <joshba...@gmail.com> wrote:

Is it possible (and recommended) to run anything newer than 15.1 on EX4550
(which is what the JTAC-recommended version currently is).




___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Junos Telemetry Interface (JTI)

2019-10-16 Thread Aaron Gould
Response to old thread and referencing my new thread…

“[j-nsp] telemetry analytics - mx960 - npu packet rate concerns”

My JTI/OpenNTI system seems to be continuing to run nicely.  I use it when I
really need to know some details.

In the new thread I mentioned above, I was curious about my CGNat MS-MPC-128G
resource utilization and started digging around in those sensor agents and
their data I’ve been receiving in my telem station.

I’ll copy and paste from that other thread for convenience.

Using my JTI/Chronograf/Grafana web interface I'm trying to understand some of
the telemetry analytics data I'm seeing coming from what appears to be the
sensor resource of my MX960 corresponding to
/junos/system/linecard/npu/utilization/ .. The field seen on chronograf that
I'm watching is "npu_util_stats.packets.rate"

When using the Chronograf data explorer and picking one MX960 and a certain
_seq number (0-14 , I don't know what these are) I'm seeing some significant
drops in the graph during peak time (approx. 7 - 10 p.m.) watching
"npu_util_stats.packets.rate" with mean function (as opposed to median, count,
min, max, etc, etc).  In other words, the graph shows a typical ramp-up
approaching peak times, and ramp-down during the late night hours..

But about a week ago, I started seeing dramatic drops/sags in the graph during
those 7-10 p.m. hours.

I'd like to try to figure out what those drops are related to. I'm wondering if
this is the MS-MPC-128G npu's in-use for my cgnat.. I've been loading it up
quite a bit lately with thousands more subscribers behind it, and am trying to
watch how it scales. and if I have any reason for concerns regarding resource
load, etc.

If you unicast email me, I’ll send you screen shots of my telem graphs that are
giving me concern and the sensor agent strings that I’m looking at.

Thanks y’all

- Aaron

From: Colton Conor [mailto:colton.co...@gmail.com] 
Sent: Monday, November 12, 2018 6:47 AM
To: Aaron
Cc: beec...@beecher.cc; Juniper List; james.burn...@geant.org
Subject: Re: [j-nsp] Junos Telemetry Interface (JTI)

 

Guys,

I wanted to follow up and see how things are going with JTI?

Also, it has been brought to my attention that OpenNMS supports JTI. I was not
aware of that, so I figured I would share with others:
https://docs.opennms.org/opennms/branches/develop/guide-admin/guide-admin.html#ga-telemetryd

On Thu, Oct 11, 2018 at 12:24 PM Aaron1  wrote:

Yes Niall, lets stay in touch.

Thanks Tom, I’ll have to look at Panoptes

Aaron

> On Oct 11, 2018, at 8:18 AM, Tom Beecher  wrote:
> 
> Related, my company open sourced a tool we've been working on for network 
> telemetry at NANOG in Vancouver. I'm 95% sure that a JTI receiver is 
> functional on our internal builds, but they're still working on a few things 
> with streaming receivers generally, so it's not yet in the public repo. May 
> be something that can meet your needs at some point if you wanted to keep an 
> eye on it. 
> 
> https://github.com/yahoo/panoptes
> 
>> On Thu, Oct 11, 2018 at 9:02 AM Niall Donaghy  
>> wrote:
>> Fantastic news Aaron!
>> 
>> That tallies with our experience of deploying the 'bundle' version of 
>> OpenNTI 
>> for Junos ST.
>> 
>> We look forward to your shared experiences as you kick the tyres and - 
>> hopefully - incorporate this into your NMS/procedures. :)
>> 
>> Many thanks,
>> Niall
>> 
>> 
>> -Original Message-
>> From: Aaron Gould [mailto:aar...@gvtc.com]
>> Sent: 11 October 2018 13:59
>> To: juniper-nsp@puck.nether.net
>> Cc: James Burnett ; Niall Donaghy 
>> ; 'Colton Conor' 
>> Subject: RE: [j-nsp] Junos Telemetry Interface (JTI)
>> 
>> Wanted to circle back with y'all... I finally got this working...thanks to 
>> techmocha10 (see below) and my linux coworker genius (Dave),
>> 
>> I'll just copy/paste a post I just made...
>> 
>> https://forums.juniper.net/t5/vMX/Telemetry-data-is-not-streaming-from-Juniper-vMX-17-4R1-16/m-p/375996#M923
>> 
>> 
>> I got telemetry streaming working using this site ... I have a couple 
>> MX960's 
>> streaming telemetry to the suite of software provided in this Open-NTI 
>> project 
>> spoken of on this techmocha blog site.  I think my previous problems were 
>> related to conflicting installs as myself and my coworker had loaded 
>> individual items and then the open-nti suite (which i understand is a docker 
>> container with all the items like grafana, fluentd, chronograf, influxdb, 
>> etc) anyway, we started with a fresh install Ubuntu virtual machine and 
>> *only* loaded Open-NTI and it works.
>> 
>> 
>> I do not know or under

[j-nsp] telemetry analytics - mx960 - npu packet rate concerns

2019-10-08 Thread Aaron Gould
Using my JTI/Chronograf/Grafana web interface I'm trying to understand some
of the telemetry analytics data I'm seeing coming from what appears to be
the sensor resource of my MX960 corresponding to
/junos/system/linecard/npu/utilization/ .. The field seen on chronograf that
I'm watching is "npu_util_stats.packets.rate"

When using the Chronograf data explorer and picking one MX960 and a certain
_seq number (0-14 , I don't know what these are) I'm seeing some significant
drops in the graph during peak time (approx. 7 - 10 p.m.) watching
"npu_util_stats.packets.rate" with mean function (as opposed to median,
count, min, max, etc, etc).  In other words, the graph shows a typical
ramp-up approaching peak times, and ramp-down during the late night hours..
But about a week ago, I started seeing dramatic drops/sags in the graph
during those 7-10 p.m. hours.

I'd like to try to figure out what those drops are related to. I'm wondering
if this is the MS-MPC-128G npu's in-use for my cgnat.. I've been loading it
up quite a bit lately with thousands more subscribers behind it, and am
trying to watch how it scales. and if I have any reason for concerns
regarding resource load, etc.

(should I post this to NANOG also?)

-Aaron

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] PFE forwarding bug - PR1380183

2019-08-21 Thread Aaron Gould
nn_num 3
Aug 15 13:50:54  my-mx-960 fpc11 mqss_stream_phy_stream_out_wanio_cr_flush:
Starting traffic flush using WANIO core flush for PHY stream failed - status
29, stream_num 1095, chmac_speed 0, pr_stream 33
Aug 15 13:50:54  my-mx-960 fpc11 mqss_stream_out_disable_wanio_ea: Starting
traffic flush for PHY stream using WANIO core failed - status 29, stream_num
1095
Aug 15 13:50:54  my-mx-960 fpc11 mqss_stream_out_disable_wanio: Performing
egress PHY stream disable operations for WANIO failed - status 29,
stream_num 1095
Aug 15 13:50:54  my-mx-960 fpc11 mqss_stream_out_disable: Performing egress
PHY stream disable operations for WANIO failed - status 29, stream_num 1095
Aug 15 13:50:54  my-mx-960 fpc11 mqss_ifd_link_up_down_handler: Disabling
PHY stream for egress side failed - status 29, instance 0, phy_stream 1095
Aug 15 13:50:54  my-mx-960 fpc11 pfe_ifd_link_updown: Handling IFD link DOWN
failed - status 29, ifd xe-11/0/0:3


-Aaron


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] PFE forwarding bug - PR1380183

2019-08-20 Thread Aaron Gould
Thanks Rich, similar to the guidance from my Juniper account SE.  ...also 
17.4R3 is being released in September but I understand that once you jump R 
releases, you get into new features with potential for new bugs correct ?  In 
other words, am I correct that the next S (service) release is the safest and 
least changes as possible to the existing train of code you are currently 
running ?

(I just read this as a refresher for my understanding)
https://forums.juniper.net/t5/Junos/Current-JUNOS-Release-numbers-explained/td-p/58396


-Aaron


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] PFE forwarding bug - PR1380183

2019-08-19 Thread Aaron Gould
I hit PR1380183 last week on an MX960.

https://prsearch.juniper.net/InfoCenter/index?page=prcontent=PR1380183

I currently run 17.4R2-S1.2 on all my MX960's.

The PR mentions a fix in 5 different versions of Junos.

Should I stick with the current train I'm in ?

Resolved In
Release      junos
18.4R1       x
18.4R2       x
17.4R3       x
19.1R1       x
17.4R2-S2    x

...17.4R2-S2 is closest to what I'm currently using.

- Aaron

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] non-split tunneling to SRX dynamic vpn with Pulse Secure client?

2019-08-13 Thread Aaron Gould
Old thread (2015)...

Is there still a problem with MacOS using Pulse Secure to connect with SRX
Dynamic/Remote Access VPN ?  Anyone know how to make it work ?

I do have Windows 10 working fine... but not MacOS Apple laptop.

Using SRX300 15.1X49-D150.2 and Pulse client from Juniper's website
5.1R5.1

ps-pulse-win-5.1r5.1-b61437-64bitinstaller.msi - windows 10 working
ps-pulse-mac-5.1r5.1-b61437-installer.dmg - macos not working


-Aaron

-Original Message-
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of
Aaron Dewell
Sent: Monday, March 23, 2015 7:39 PM
To: Nick Schmalenberger
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] non-split tunneling to SRX dynamic vpn with Pulse
Secure client?


Have you tried 0/1 and 128/1 instead of 0/0?

That's also required for backup-router destination as well, so might solve
this problem too.

On Mar 23, 2015, at 7:33 PM, Nick Schmalenberger 
wrote:
> On Thu, Mar 05, 2015 at 06:29:30PM -0800, Nick Schmalenberger wrote:
>> I need to have my vpn clients default route go over their tunnel
>> to my SRX. Putting 0.0.0.0/0 as the remote-protected-resource
>> works for Windows clients 5.1r1.1-b52267, but with Mac Pulse
>> Secure is never able to setup a tunnel and connect. 
>> 
>> If I put some more specific routes, such as private addresses I
>> use internally and certain public addresses, as
>> remote-protected-resources, the Mac client (5.1r1.1-b52267 again)
>> is able to connect fine and reach all those networks/hosts with
>> the vpn assigned address, or NAT out of the same SRX in the case
>> of the public destinations (what I mostly want to do).
>> 
>> Does anyone else have that problem? Is there a known bug with the
>> Mac client? I made a support case with JTAC, and they agreed it
>> was a bug but said I need to call back and make a new case for
>> the Pulse Secure Client instead of SRX.
>> 
>> Another issue I had, was how to route the vpn clients assigned
>> private addresses, and give the route to OSPF. I made an
>> aggregate route for them, but it seemed like they weren't
>> contributing to bring it up, so I made a reject route for one of
>> the addresses in the network but not the pool. It worked, but the
>> clients couldn't connect to the srx itself. Any other
>> suggestions? A better action than reject for that? Thanks!
>> -Nick Schmalenberger
>> 
>> P.S. this post was very helpful in figuring it all out:
>> http://rtoodtoo.net/2013/10/01/jncie-sec-dynamic-vpn/
> 
> Juniper finally told me they reproduced this problem with the Mac
> client, but also that the configuration did NOT work with
> Windows! They then told me, the configuration is not supported at
> all, but I should try some other vpn client such as VPN Tracker,
> which I'm planning to do. It would then not use dynamic-vpn at
> all, but could still use the same xauth access-profile.
> 
> Meanwhile, I have also setup a site-to-site tunnel for some of
> the same usage, and it allows clients to use the remote SRX's dns
> proxy where dynamic-vpn clients could not (at least the way I
> managed to get it to work). So this will have some advantages as
> well. Thanks for the helpful suggestions!
> -Nick
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] SRX dynamic vpn with Pulse Secure client - MacOS Apple laptop not working

2019-08-13 Thread Aaron Gould
Is there still a problem with MacOS using Pulse Secure to connect with SRX
Dynamic/Remote Access VPN ?  Anyone know how to make it work ?

I do have Windows 10 working fine... but not MacOS Apple laptop.

Using SRX300 15.1X49-D150.2 and Pulse client from Juniper's website
5.1R5.1

ps-pulse-win-5.1r5.1-b61437-64bitinstaller.msi - windows 10 working
ps-pulse-mac-5.1r5.1-b61437-installer.dmg - macos not working

I tried the 0/0 cut in half suggestion someone made, didn't seem to help
Apple/Mac, but Windows still works.

set security dynamic-vpn clients all remote-protected-resources 0.0.0.0/1
set security dynamic-vpn clients all remote-protected-resources 128.0.0.0/1

-Aaron

Old thread (2015)... [j-nsp] non-split tunneling to SRX dynamic vpn with
Pulse Secure client?

https://puck.nether.net/pipermail/juniper-nsp/2015-March/030059.html

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] 40Gig Ether for MX480

2019-07-19 Thread Aaron Gould
My ISP network is core/agg mpls rings of MX960's and ACX5048's... 960's
connect 40 gig to 5048's using the MPC7E-MRATE in the MX960.

Seems good to me so far

Also use MX960 40 gig on MPC7E-MRATE to DC/CDN deployments of QFX5120's
(pure Ethernet tagging).

-Aaron


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] srx ipsec tunnel over mpls l3vpn

2019-07-16 Thread Aaron Gould
Yes Hugo, I can pass non-ipsec encrypted traffic via the MPLS L3VPN inside
the SRX... isn't that what the IKE Phase 1 and IKE Phase 2 success is
proving ?  

-Aaron


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] srx ipsec tunnel over mpls l3vpn

2019-07-12 Thread Aaron Gould
Craig, how did you do the LT config to "cycle" traffic back through ?  You
have a link/kb on how-to ?  Actually I'm wondering if there's a more elegant
way than LT's (no offense since we all love accomplishing things and making
stuff work, but it seems that LT's and furthermore, physical cables looped
from port to port on the front of the device, are usually ways to do things
that we can't figure out in software)  :|

Hugo, The other end is an MX104 with services card for ipsec capability
(MS-MIC-16G)

I haven't yet put any customer edge interfaces behind the SRX or MX, but I
will do that this morning. I simply wanted to put a subnet on the secure
tunnel interfaces and ping from st0.0 to ms-0/0/0.1 first, but I can do the
further edge config also.

-Aaron

-Original Message-
From: Hugo Slabbert [mailto:h...@slabnet.com] 
Sent: Friday, July 12, 2019 1:26 AM
To: Aaron Gould
Cc: 'Emille Blanc'; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] srx ipsec tunnel over mpls l3vpn

Is the other end of this also an SRX configured in a similar way, or
something else?  This seems to contradict basically any Juniper docs on SRX
around MPLS traffic re: flow/packet mode.  Specifically given that it's
showing "drop" for MPLS traffic, I would be confused about how it's passing
MPLS-encap'd traffic.

Can you pass other non-IPSEC IPv4 traffic from the SRX (or behind it) across
the l3vpn to validate bidirectional traffic passing?

-- 
Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E   | also on Signal

On Thu 2019-Jul-11 15:34:26 -0500, Aaron Gould  wrote:

>
>Thanks Emille, Ummm, I may be misunderstanding you , but I don't think 
>I have changed from SRX flow-mode default.  But I do have ldp neighbor 
>up and mpls forwarding is occurring via mpls l3vpn vrf .  and I do 
>believe the ike phase 1 and phase 2 is working over this mpls l3vpn within
>the srx
>but I just don't seem to be able to ping from one side of the st0 
>tunnel interface to the other.
>
>See...
>
>root@demo-srx300> show security flow status
>  Flow forwarding mode:
>Inet forwarding mode: flow based
>Inet6 forwarding mode: drop
>MPLS forwarding mode: drop
>ISO forwarding mode: drop
>Enhanced route scaling mode: Disabled
>  Flow trace status
>Flow tracing status: off
>  Flow session distribution
>Distribution mode: RR-based
>GTP-U distribution: Disabled
>  Flow ipsec performance acceleration: off
>  Flow packet ordering
>Ordering mode: Hardware
>
>
>root@demo-srx300> show route table mpls.0
>
>mpls.0: 524 destinations, 524 routes (524 active, 0 holddown, 0 hidden)
>+ = Active Route, - = Last Active, * = Both
>
>0  *[MPLS/0] 04:51:07, metric 1
>  Receive
>1  *[MPLS/0] 04:51:07, metric 1
>  Receive
>2  *[MPLS/0] 04:51:07, metric 1
>  Receive
>13 *[MPLS/0] 04:51:07, metric 1
>  Receive
>16 *[VPN/0] 04:51:07
>  to table one.inet.0, Pop
>345552 *[LDP/9] 04:43:04, metric 3, tag 0
>> to 10.101.14.197 via ge-0/0/0.0, Swap 16507
>345568 *[LDP/9] 04:43:04, metric 4, tag 0
>> to 10.101.14.197 via ge-0/0/0.0, Swap 16508
>345584 *[LDP/9] 04:43:04, metric 2, tag 0
>> to 10.101.14.197 via ge-0/0/0.0, Swap 16512
>345600 *[LDP/9] 04:43:04, metric 3, tag 0
>> to 10.101.14.197 via ge-0/0/0.0, Swap 16513
>345616 *[LDP/9] 04:43:04, metric 3, tag 0
>> to 10.101.14.197 via ge-0/0/0.0, Swap 16516
>345632 *[LDP/9] 04:43:04, metric 4, tag 0
>> to 10.101.14.197 via ge-0/0/0.0, Swap 16517
>345648 *[LDP/9] 04:43:04, metric 3, tag 0
>> to 10.101.14.197 via ge-0/0/0.0, Swap 16518
>
>root@demo-srx300> show route table mpls.0 terse
>
>mpls.0: 524 destinations, 524 routes (524 active, 0 holddown, 0 hidden)
>+ = Active Route, - = Last Active, * = Both
>
>A V Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
>* ? 0  M   0  1 Receive
>* ? 1  M   0  1 Receive
>* ? 2  M   0  1 Receive
>* ? 13 M   0  1 Receive
>* ? 16 V   0Table
>* ? 345552 L   9  3>10.101.14.197
>* ? 345568 L   9  4>10.101.14.197
>* ? 345584 L   9  2>10.101.14.197
>* ? 345600   

Re: [j-nsp] srx ipsec tunnel over mpls l3vpn

2019-07-11 Thread Aaron Gould


Thanks Emille, Ummm, I may be misunderstanding you , but I don't think I
have changed from SRX flow-mode default.  But I do have ldp neighbor up and
mpls forwarding is occurring via mpls l3vpn vrf .  and I do believe the
ike phase 1 and phase 2 is working over this mpls l3vpn within the srx
but I just don't seem to be able to ping from one side of the st0 tunnel
interface to the other.

See...

root@demo-srx300> show security flow status
  Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: drop
MPLS forwarding mode: drop
ISO forwarding mode: drop
Enhanced route scaling mode: Disabled
  Flow trace status
Flow tracing status: off
  Flow session distribution
Distribution mode: RR-based
GTP-U distribution: Disabled
  Flow ipsec performance acceleration: off
  Flow packet ordering
Ordering mode: Hardware


root@demo-srx300> show route table mpls.0

mpls.0: 524 destinations, 524 routes (524 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0  *[MPLS/0] 04:51:07, metric 1
  Receive
1  *[MPLS/0] 04:51:07, metric 1
  Receive
2  *[MPLS/0] 04:51:07, metric 1
  Receive
13 *[MPLS/0] 04:51:07, metric 1
  Receive
16 *[VPN/0] 04:51:07
  to table one.inet.0, Pop
345552 *[LDP/9] 04:43:04, metric 3, tag 0
> to 10.101.14.197 via ge-0/0/0.0, Swap 16507
345568 *[LDP/9] 04:43:04, metric 4, tag 0
> to 10.101.14.197 via ge-0/0/0.0, Swap 16508
345584 *[LDP/9] 04:43:04, metric 2, tag 0
> to 10.101.14.197 via ge-0/0/0.0, Swap 16512
345600 *[LDP/9] 04:43:04, metric 3, tag 0
> to 10.101.14.197 via ge-0/0/0.0, Swap 16513
345616 *[LDP/9] 04:43:04, metric 3, tag 0
> to 10.101.14.197 via ge-0/0/0.0, Swap 16516
345632 *[LDP/9] 04:43:04, metric 4, tag 0
> to 10.101.14.197 via ge-0/0/0.0, Swap 16517
345648 *[LDP/9] 04:43:04, metric 3, tag 0
> to 10.101.14.197 via ge-0/0/0.0, Swap 16518

root@demo-srx300> show route table mpls.0 terse

mpls.0: 524 destinations, 524 routes (524 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

A V Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
* ? 0  M   0  1 Receive
* ? 1  M   0  1 Receive
* ? 2  M   0  1 Receive
* ? 13 M   0  1 Receive
* ? 16 V   0Table
* ? 345552 L   9  3>10.101.14.197
* ? 345568 L   9  4>10.101.14.197
* ? 345584 L   9  2>10.101.14.197
* ? 345600 L   9  3>10.101.14.197
* ? 345616 L   9  3>10.101.14.197
* ? 345632 L   9  4>10.101.14.197
* ? 345648 L   9  3>10.101.14.197
* ? 345664 L   9  7>10.101.14.197
* ? 345680 L   9  6>10.101.14.197
* ? 345696 L   9  7>10.101.14.197
* ? 345712 L   9  7>10.101.14.197
* ? 345728 L   9  6>10.101.14.197
* ? 345744 L   9  7>10.101.14.197

root@demo-srx300> show route table mpls.0 terse | count
Count: 528 lines

root@demo-srx300> show ldp neighbor
Address            Interface          Label space ID         Hold time
10.101.14.197      ge-0/0/0.0         10.101.0.254:0           10

root@demo-srx300>



-Original Message-
From: Emille Blanc [mailto:emi...@abccommunications.com] 
Sent: Thursday, July 11, 2019 3:04 PM
To: Aaron Gould; juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] srx ipsec tunnel over mpls l3vpn

Based on what you described, it sounds like you already got your MPLS/LDP
running in a packet-mode routing-instance, as otherwise MPLS is dropped on
an SRX in flow mode.

No obvious ideas with the output provided otherwise.
Do the flows in your IPSEC instance get created?

-Original Message-
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of
Aaron Gould
Sent: Thursday, July 11, 2019 12:27 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] srx ipsec tunnel over mpls l3vpn

Anyone ever done it ?  To be clear, I have mpls/ldp/ospf/bgp enabled the SRX
such that I have an l3vpn functional into the SRX.

 

I have a lo0.99 interface as the external interface used for ike/ipsec.
Seems that I'm pretty close to g

[j-nsp] srx ipsec tunnel over mpls l3vpn

2019-07-11 Thread Aaron Gould
Anyone ever done it ?  To be clear, I have mpls/ldp/ospf/bgp enabled on the SRX
such that I have an l3vpn functional into the SRX.

I have a lo0.99 interface as the external interface used for ike/ipsec.
Seems that I'm pretty close to getting this done, as I have ike phase 1 up
and ike phase 2 up, but only seeing encrypted packets as I try to ping
between the st0.0 interface and the ms-0/0/0.1 inside interface on the other
side (mx104 with ms-mic-16g)

Let me know what I'm missing.

I'm seeing drops in these two show outputs. which seems to coincide with a
100-packet ping test...

root@demo-srx300> show security flow statistics
    Current sessions: 9
    Packets forwarded: 417926
    Packets dropped: 15604
    Fragment packets: 0
    Pre fragments generated: 0
    Post fragments generated: 0

root@demo-srx300> show security flow status
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
    Enhanced route scaling mode: Disabled
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
    GTP-U distribution: Disabled
  Flow ipsec performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware

root@demo-srx300> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:           252264
  Decrypted bytes:                0
  Encrypted packets:           1618
  Decrypted packets:              0
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

root@demo-srx300> show security flow statistics | grep rop
    Packets dropped: 15650

root@demo-srx300> ping 10.102.199.66 routing-instance one rapid interval .1 count 100
PING 10.102.199.66 (10.102.199.66): 56 data bytes

--- 10.102.199.66 ping statistics ---
100 packets transmitted, 0 packets received, 100% packet loss

root@demo-srx300> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:           267864
  Decrypted bytes:                0
  Encrypted packets:           1718
  Decrypted packets:              0
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

root@demo-srx300> show security flow statistics | grep rop
    Packets dropped: 15755

-Aaron

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
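
The before/after counter comparison in the post above can be scripted. The following is an added example, not part of the original message or of any Juniper tooling: it diffs two snapshots of the ESP and flow-drop counters (values copied from the post, layout normalised) and lists the per-family forwarding modes from the `show security flow status` output. The function names, the `render` helper and the verdict labels are assumptions made for this example.

```python
import re

_COUNTER = re.compile(r"([A-Za-z][A-Za-z ]*?):\s*(\d+)")
_FWD_MODE = re.compile(r"^\s*(\w+) forwarding mode:\s*(\S.*)$")

ERROR_COUNTERS = (
    "ah authentication failures", "replay errors",
    "esp authentication failures", "esp decryption failures",
    "bad headers", "bad trailers",
)


def render(enc_bytes, enc_pkts, dropped, dec_bytes=0, dec_pkts=0, esp_auth_fail=0):
    """Build snapshot text shaped like the two show commands (layout normalised)."""
    return (
        "ESP Statistics:\n"
        f"  Encrypted bytes: {enc_bytes}\n"
        f"  Decrypted bytes: {dec_bytes}\n"
        f"  Encrypted packets: {enc_pkts}\n"
        f"  Decrypted packets: {dec_pkts}\n"
        "Errors:\n"
        "  AH authentication failures: 0, Replay errors: 0\n"
        f"  ESP authentication failures: {esp_auth_fail}, ESP decryption failures: 0\n"
        "  Bad headers: 0, Bad trailers: 0\n"
        f"Packets dropped: {dropped}\n"
    )


# Counter values copied from the post: before and after the 100-packet ping.
BEFORE = render(252264, 1618, 15650)
AFTER = render(267864, 1718, 15755)

# Copied from the 'show security flow status' output in the post.
FLOW_STATUS = """\
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
"""


def parse_counters(text):
    """Return {'counter name': int} for every 'name: N' pair, several per line allowed."""
    counters = {}
    for line in text.splitlines():
        for name, value in _COUNTER.findall(line):
            counters[name.strip().lower()] = int(value)
    return counters


def forwarding_modes(text):
    """Return {'inet': 'flow based', 'mpls': 'drop', ...} from flow status output."""
    modes = {}
    for line in text.splitlines():
        match = _FWD_MODE.match(line)
        if match:
            modes[match.group(1).lower()] = match.group(2).strip()
    return modes


def compare(before_text, after_text):
    """Diff two snapshots and classify which direction of the tunnel moved."""
    before, after = parse_counters(before_text), parse_counters(after_text)

    def delta(name):
        if name not in before or name not in after:
            raise ValueError(f"counter {name!r} missing from a snapshot")
        diff = after[name] - before[name]
        if diff < 0:
            raise ValueError(f"counter {name!r} went backwards (cleared or rebooted?)")
        return diff

    enc, dec = delta("encrypted packets"), delta("decrypted packets")
    errors = sum(delta(name) for name in ERROR_COUNTERS)
    if enc == 0:
        verdict = "not-encrypting"      # test traffic never reached the SA
    elif dec > 0:
        verdict = "bidirectional"
    elif errors > 0:
        verdict = "inbound-rejected"    # ESP arrived but failed a check
    else:
        verdict = "outbound-only"       # nothing decrypted, nothing rejected
    return {
        "encrypted_packets": enc,
        "decrypted_packets": dec,
        "esp_errors": errors,
        "flow_drops": delta("packets dropped"),
        "bytes_per_encrypted_packet": delta("encrypted bytes") / enc if enc else None,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(compare(BEFORE, AFTER))
    print(forwarding_modes(FLOW_STATUS))
```

For real use, paste the output of both show commands into one text blob per snapshot; the parser ignores lines that are not `name: number` pairs.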


Re: [j-nsp] IPv6 firewall policy for MX

2019-06-28 Thread Aaron Gould
2nd edition page 332 "IPv6 RE Protection Filter"

-Aaron


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] good study guide/material for jncis - SP/P

2019-06-12 Thread Aaron Gould
Hey check it out... I just heard that Cisco is opening up recert with 
continuing education to associate, specialist and professional levels... on 
2/24/2020

https://www.cisco.com/c/en/us/training-events/training-certifications/recertification-policy.html

-Aaron

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of 
Aaron Gould
Sent: Friday, May 17, 2019 11:03 AM
To: 'Dave Bell'
Cc: 'Juniper List'; 'mcbob 58'
Subject: Re: [j-nsp] good study guide/material for jncis - SP/P

Not the same.

Seems that Cisco only offers continuing education as a recertification for CCIE 
level

"Eligibility - The Continuing Education Program will be available only for 
candidates with *Expert-level* certifications in Active or Suspend status as 
defined on the How to Recertify website."

Juniper does it for course attendance to recertify certs at any level !

“Taking any higher-level course will recertify the corresponding certification 
listed as well as all lower-level certifications within the same track”

Am I missing something ?

-Aaron

From: Dave Bell [mailto:m...@geordish.org] 
Sent: Thursday, May 16, 2019 1:28 PM
To: Aaron Gould
Cc: Hitesh Kumar; mcbob 58; Juniper List
Subject: Re: [j-nsp] good study guide/material for jncis - SP/P

Yes:

https://learningnetwork.cisco.com/community/certifications/cisco-continuing-education-program

On Thu, 16 May 2019 at 17:10, Aaron Gould wrote:

Does Cisco have recertification through continuing education (attend a class
and recert!) like Juniper does ?

https://www.juniper.net/us/en/training/certification/recertification/

touché   :)

-Aaron

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of
Hitesh Kumar
Sent: Thursday, May 16, 2019 1:04 AM
To: mcbob 58
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] good study guide/material for jncis - SP/P

I am not taking Cisco's side, but that is why Cisco is best.

Look at devnet!!

Br
Hitesh

On Thu, 16 May 2019, 03:13 mcbob 58, wrote:

> Aaron , Alexander
>
>
> Thanks for responding. I contacted Juniper to see if there are many
> differences with the 2013 version.
>  I am now doubting whether I should buy the books. There are 3 books and
> they cost $ 400 each on the Juniper site. Shame there are no fast tracks
> anymore. I am now learning with genius and the old material
>
> Br mc bob
>
> 
> From: Aaron Gould 
> Sent: Wednesday, May 15, 2019 5:04 PM
> To: 'mcbob 58'; juniper-nsp@puck.nether.net
> Subject: RE: [j-nsp] good study guide/material for jncis - SP/P
>
> Btw, I just heard back from Juniper (certificat...@juniper.net) that the
> fast track study guides are no longer available.
>
> - Aaron
>
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] evpn with vrf

2019-06-11 Thread Aaron Gould
By the looks of it, seems so.

EVPN Interworking with IPVPN

 draft-rabadan-sajassi-bess-evpn-ipvpn-interworking-02

Abstract

   EVPN is used as a unified control plane for tenant network intra and
   inter-subnet forwarding. When a tenant network spans not only EVPN
   domains but also domains where IPVPN provides inter-subnet
   forwarding, there is a need to specify the interworking aspects
   between both EVPN and IPVPN domains, so that the end to end tenant
   connectivity can be accomplished. This document specifies how EVPN
   should interwork with VPN-IPv4/VPN-IPv6 and IPv4/IPv6 BGP families
   for inter-subnet forwarding.

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] evpn with vrf (change to evpn inside inet.0 and igp advertise evpn /32's)

2019-06-10 Thread Aaron Gould
I think I got it.  This works to get evpn host routes into ospf.  Is there a
better way ?

set policy-options policy-statement my-ospf-export-policy term 1 from protocol evpn
set policy-options policy-statement my-ospf-export-policy term 1 then accept
set protocols ospf export my-ospf-export-policy

-Aaron


After putting the above evpn ospf export on an evpn pe, I see this on a
non-evpn ospf router across the network...

root@blvr-witness> show route table inet.0 172.223.10.0/24

inet.0: 39 destinations, 39 routes (39 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.223.10.0/24    *[OSPF/10] 00:54:18, metric 4
                    > to 10.103.130.245 via ge-0/0/9.0
172.223.10.10/32   *[OSPF/150] 00:02:54, metric 0, tag 0
                    > to 10.103.130.245 via ge-0/0/9.0
172.223.10.11/32   *[OSPF/150] 00:01:57, metric 0, tag 0
                    > to 10.103.130.245 via ge-0/0/9.0
172.223.10.20/32   *[OSPF/150] 00:02:54, metric 0, tag 0
                    > to 10.103.130.245 via ge-0/0/9.0
172.223.10.21/32   *[OSPF/150] 00:01:57, metric 0, tag 0
                    > to 10.103.130.245 via ge-0/0/9.0


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] evpn with vrf (change to evpn inside inet.0 and igp advertise evpn /32's)

2019-06-10 Thread Aaron Gould
Oh dang, hang on... I just removed irb.0 from vrf and allowed it to sit in
inet.0 global table... and I DO see the evpn routes in inet.0 now...

So I think my question is actually this...  when I have evpn with irb inside
vrf, MP-iBGP advertises all those evpn /32's to the other remote pe's in
that vrf.  Great.  But with evpn irb inside inet.0 , how do I get something
like ospf to do the same ?  how do I get ospf to advertise all those evpn
/32 host routes ?

I would think this is what I would need in order to have the efficient
routing to the evpn hosts in a certain data center that spreads across many
dc's is, I would need the igp to advertise those evpn /32's throughout
the domain.


root@stlr-960-e> show route table inet.0 172.223.10.0/24

inet.0: 42 destinations, 43 routes (42 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.223.10.0/24    *[Direct/0] 00:01:34
                    > via irb.0
                    [Direct/0] 00:01:34
                    > via irb.0
172.223.10.1/32    *[Local/0] 00:01:34
                      Local via irb.0
172.223.10.5/32    *[Local/0] 00:01:34
                      Local via irb.0
172.223.10.10/32   *[EVPN/7] 00:01:21
                    > via irb.0
172.223.10.11/32   *[EVPN/7] 00:00:59
                    > to 10.103.129.14 via ae0.0, Push 301728, Push 299840(top)
172.223.10.20/32   *[EVPN/7] 00:01:09
                    > via irb.0
172.223.10.21/32   *[EVPN/7] 00:00:17
                    > to 10.103.129.14 via ae0.0, Push 301728, Push 299840(top)


-Aaron

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] evpn with vrf

2019-06-10 Thread Aaron Gould
Seems that I get an auto-export from evpn-learned destinations auto exported
as /32's into the vrf that the IRB is attached to.

Is this possible with inet.0 global route table?

In other words, in a vrf table I see evpn-learned routes listed like this...

172.223.10.10/32   *[EVPN/7] 00:00:03
> via irb.0

... how would I get this same behavior if the irb.0 interface was in inet.0
routing domain and not vrf ?

-Aaron





Details.


root@stlr-960-e> show evpn database
Instance: 10
VLAN  DomainId  MAC address        Active source   Timestamp        IP address
10              00:00:00:00:00:01  irb.0           Jun 10 15:13:59  172.223.10.1
                                                                    172.223.10.5
10              00:50:79:66:68:21  ae141.0         Jun 10 15:12:06
10              00:50:79:66:68:23  ae141.0         Jun 10 15:10:53
10              02:05:86:71:f1:02  10.103.128.9    Jun 10 14:10:25

root@stlr-960-e> show route table one.inet.0

one.inet.0: 3 destinations, 4 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.223.10.0/24    *[Direct/0] 00:00:38
                    > via irb.0
                    [Direct/0] 00:00:38
                    > via irb.0
172.223.10.1/32    *[Local/0] 00:00:38
                      Local via irb.0
172.223.10.5/32    *[Local/0] 00:00:38
                      Local via irb.0

root@stlr-960-e> ping 172.223.10.10 routing-instance one
PING 172.223.10.10 (172.223.10.10): 56 data bytes
64 bytes from 172.223.10.10: icmp_seq=0 ttl=64 time=391.814 ms
64 bytes from 172.223.10.10: icmp_seq=1 ttl=64 time=118.886 ms
^C
--- 172.223.10.10 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 118.886/255.350/391.814/136.464 ms

root@stlr-960-e> show route table one.inet.0

one.inet.0: 4 destinations, 5 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.223.10.0/24    *[Direct/0] 00:00:58
                    > via irb.0
                    [Direct/0] 00:00:58
                    > via irb.0
172.223.10.1/32    *[Local/0] 00:00:58
                      Local via irb.0
172.223.10.5/32    *[Local/0] 00:00:58
                      Local via irb.0
172.223.10.10/32   *[EVPN/7] 00:00:03
                    > via irb.0

root@stlr-960-e>

root@stlr-960-e> ping 172.223.10.20 routing-instance one
PING 172.223.10.20 (172.223.10.20): 56 data bytes
64 bytes from 172.223.10.20: icmp_seq=0 ttl=64 time=437.254 ms
64 bytes from 172.223.10.20: icmp_seq=1 ttl=64 time=161.525 ms
^C
--- 172.223.10.20 ping statistics ---
3 packets transmitted, 2 packets received, 33% packet loss
round-trip min/avg/max/stddev = 161.525/299.389/437.254/137.865 ms

root@stlr-960-e> show route table one.inet.0

one.inet.0: 5 destinations, 6 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.223.10.0/24    *[Direct/0] 00:01:11
                    > via irb.0
                    [Direct/0] 00:01:11
                    > via irb.0
172.223.10.1/32    *[Local/0] 00:01:11
                      Local via irb.0
172.223.10.5/32    *[Local/0] 00:01:11
                      Local via irb.0
172.223.10.10/32   *[EVPN/7] 00:00:16
                    > via irb.0
172.223.10.20/32   *[EVPN/7] 00:00:03
                    > via irb.0

root@stlr-960-e>


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Junos 18.X on QFX5100

2019-05-28 Thread Aaron Gould
Looks like that PR applies to all platforms...not just qfx. Correct?

Product J Series, M Series, T Series, MX-series, EX Series, SRX Series, 
Customer Care, QFX Series, NFX Series, PTX Series, ACX Series

-Aaron


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] 4x1G QSFP?

2019-05-23 Thread Aaron Gould
I think the definition of SFP+ is 1g or 10g whichever you insert

-Aaron


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] 4x1G QSFP?

2019-05-23 Thread Aaron Gould
https://apps.juniper.net/home/#MX204/Hardware+Compatibility 

maybe it's one of those listed as QSFP+ to SFP+

- Aaron



___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] good study guide/material for jncis - SP/P

2019-05-20 Thread Aaron Gould
I just remembered another really cool thing about Juniper certification, that I 
don't think exists with Cisco... 

Remote online cert exams !

https://home.pearsonvue.com/junipernetworks/op

love it

-Aaron


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] good study guide/material for jncis - SP/P

2019-05-17 Thread Aaron Gould
Not the same.

Seems that Cisco only offers continuing education as a recertification for CCIE 
level

"Eligibility - The Continuing Education Program will be available only for 
candidates with *Expert-level* certifications in Active or Suspend status as 
defined on the How to Recertify website."

Juniper does it for course attendance to recertify certs at any level !

“Taking any higher-level course will recertify the corresponding certification 
listed as well as all lower-level certifications within the same track”

Am I missing something ?

-Aaron

From: Dave Bell [mailto:m...@geordish.org] 
Sent: Thursday, May 16, 2019 1:28 PM
To: Aaron Gould
Cc: Hitesh Kumar; mcbob 58; Juniper List
Subject: Re: [j-nsp] good study guide/material for jncis - SP/P

Yes:

https://learningnetwork.cisco.com/community/certifications/cisco-continuing-education-program

On Thu, 16 May 2019 at 17:10, Aaron Gould wrote:

Does Cisco have recertification through continuing education (attend a class
and recert!) like Juniper does ?

https://www.juniper.net/us/en/training/certification/recertification/

touché   :)

-Aaron

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of
Hitesh Kumar
Sent: Thursday, May 16, 2019 1:04 AM
To: mcbob 58
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] good study guide/material for jncis - SP/P

I am not taking Cisco's side, but that is why Cisco is best.

Look at devnet!!

Br
Hitesh

On Thu, 16 May 2019, 03:13 mcbob 58, wrote:

> Aaron , Alexander
>
>
> Thanks for responding. I contacted Juniper to see if there are many
> differences with the 2013 version.
>  I am now doubting whether I should buy the books. There are 3 books and
> they cost $ 400 each on the Juniper site. Shame there are no fast tracks
> anymore. I am now learning with genius and the old material
>
> Br mc bob
>
> 
> From: Aaron Gould 
> Sent: Wednesday, May 15, 2019 5:04 PM
> To: 'mcbob 58'; juniper-nsp@puck.nether.net
> Subject: RE: [j-nsp] good study guide/material for jncis - SP/P
>
> Btw, I just heard back from Juniper (certificat...@juniper.net) that the
> fast track study guides are no longer available.
>
> - Aaron
>
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] good study guide/material for jncis - SP/P

2019-05-16 Thread Aaron Gould
Eh...not to diminish your concern too much...and not to pound on my earlier
point too much either, but spanning tree, isis, ospf, bgp, etc. How
often are those changing?  Like I said, I used 2013 material and took
2017 test and passed.
https://www.juniper.net/uk/en/training/certification/resources/jncissp/

- Protocol-Independent Routing
- Open Shortest Path First (OSPF)
- Intermediate System to Intermediate System (IS-IS)
- Border Gateway Protocol (BGP)
- Layer 2 Bridging and VLANs
- Spanning-Tree Protocols
- Multiprotocol Label Switching (MPLS)
- IPv6
- Tunnels
- High Availability


-Aaron


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] good study guide/material for jncis - SP/P

2019-05-16 Thread Aaron Gould
Does Cisco have recertification through continuing education (attend a class
and recert!) like Juniper does ?

https://www.juniper.net/us/en/training/certification/recertification/

touché   :)


-Aaron




-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of
Hitesh Kumar
Sent: Thursday, May 16, 2019 1:04 AM
To: mcbob 58
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] good study guide/material for jncis - SP/P

I am not taking Cisco's side, but that is why Cisco is best.

Look at devnet!!

Br
Hitesh

On Thu, 16 May 2019, 03:13 mcbob 58, wrote:

> Aaron , Alexander
>
>
> Thanks for responding. I contacted Juniper to see if there are many
> differences with the 2013 version.
>  I am now doubting whether I should buy the books. There are 3 books and
> they cost $ 400 each on the Juniper site. Shame there are no fast tracks
> anymore. I am now learning with genius and the old material
>
> Br mc bob
>
> ____
> From: Aaron Gould 
> Sent: Wednesday, May 15, 2019 5:04 PM
> To: 'mcbob 58'; juniper-nsp@puck.nether.net
> Subject: RE: [j-nsp] good study guide/material for jncis - SP/P
>
> Btw, I just heard back from Juniper (certificat...@juniper.net) that the
> fast track study guides are no longer available.
>
> - Aaron
>
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] good study guide/material for jncis - SP/P

2019-05-15 Thread Aaron Gould
Btw, I just heard back from Juniper (certificat...@juniper.net) that the
fast track study guides are no longer available.

- Aaron


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] good study guide/material for jncis - SP/P

2019-05-14 Thread Aaron Gould
I took JNCIS-SP exam in 2017.  I self-studied with the 3-part 2013 files
and they were a good source of info.  However, I also work as a full-time
ip/mpls engineer for an ISP and also accessed any and all forms of info
needed to follow the blueprint topics juniper mentions on their website.
I used MPLS in SDN era, MX book, etc.  Oh, also I used GNS3 (free), and now,
EVE-NG (community free) for virtual labs for olives/vMX (60 day trial).

Have fun, and wish you the best on your journey.


-Aaron


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] LACP is not running between two VMX

2019-04-24 Thread Aaron Gould
Sorry I don't have mc-lag configs for vMX, but I did do mc-lag on vQFX...

Here is some quick outputs from my eve-ng lab...

I have mc-lag between (2) vQFX devices... and actually, the lag client side
is one vMX node...

Here's one side of the mc-lag pair... I grabbed some commands that I recall
being important to make this work... forgive me, it's been a while... lemme
know if you need anything else from this...

{master:0}
root@stlr-qfx-01> show configuration interfaces ae1 | display set
set interfaces ae1 mtu 9216
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp system-id 00:01:02:03:04:05
set interfaces ae1 aggregated-ether-options lacp admin-key 3
set interfaces ae1 aggregated-ether-options mc-ae mc-ae-id 3
set interfaces ae1 aggregated-ether-options mc-ae redundancy-group 1
set interfaces ae1 aggregated-ether-options mc-ae chassis-id 0
set interfaces ae1 aggregated-ether-options mc-ae mode active-active
set interfaces ae1 aggregated-ether-options mc-ae status-control active
set interfaces ae1 aggregated-ether-options mc-ae init-delay-time 240
set interfaces ae1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae1 unit 0 family ethernet-switching vlan members ten

set multi-chassis multi-chassis-protection 1.1.1.15 interface ae0

set protocols iccp local-ip-addr 1.1.1.5
set protocols iccp peer 1.1.1.15 session-establishment-hold-time 50
set protocols iccp peer 1.1.1.15 redundancy-group-id-list 1
set protocols iccp peer 1.1.1.15 backup-liveness-detection backup-peer-ip 10.207.64.233
set protocols iccp peer 1.1.1.15 liveness-detection minimum-receive-interval 60
set protocols iccp peer 1.1.1.15 liveness-detection transmit-interval minimum-interval 60
set protocols rstp bpdu-block-on-edge
set switch-options service-id 1


{master:0}
root@stlr-qfx-01> show interfaces mc-ae
 Member Link  : ae1
 Current State Machine's State: mcae active state
 Local Status : active
 Local State  : up
 Peer Status  : active
 Peer State   : up
 Logical Interface: ae1.0
 Topology Type: bridge
 Local State  : up
 Peer State   : up
 Peer Ip/MCP/State: 1.1.1.15 ae0.0 up

{master:0}
root@stlr-qfx-01> show iccp

Redundancy Group Information for peer 1.1.1.15
  TCP Connection   : Established
  Liveliness Detection : Up
  Backup liveness peer status: Up
  Redundancy Group ID  Status
1   Up

Client Application: lacpd
  Redundancy Group IDs Joined: 1

Client Application: MCSNOOPD
  Redundancy Group IDs Joined: None

Client Application: l2ald_iccpd_client
  Redundancy Group IDs Joined: 1

{master:0}
root@stlr-qfx-01>


-Aaron


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] fusion QFX5120 and MX204

2019-04-12 Thread Aaron Gould
Trying to do fusion from MX204 (AD) to QFX5120-48Y-8C (SD). but getting this
message..  "Satellite image not available"

Is a QFX5120-48Y-8C capable of being a satellite device in fusion ?  On
juniper.net I see lots of satellite images for qfx5100, ex4300, ex2300,
qfx5110, .but nothing for QFX5120

agould@lab-mx204> show chassis satellite detail
Satellite Alias: _sd141
FPC Slot: 141
Operational State: Standalone
Product Model: QFX5120-48Y-8C
Serial number: 123456789012
Device Reachability: None
Mode change state: Mode change not initiated. Satellite image not available (model QFX5120-48Y-8C)
System id: b0:33:44:33:22:11
Software package version: 18.3R1.11
Cascade interfaces:
Interface Name: et-0/0/3 State: present
Uplink Interface: et-141/0/55
Last transition: 3w2d 05:22:43
Adjacency down count: 0
Rx Packet: 34 Last received packet: 00:00:06

-Aaron

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Fusion using vMX and vQFX

2019-04-12 Thread Aaron Gould
Ok thanks

...was purely a training/familiarization question as an attempt to spin-up some 
fusion in my eve-ng lab

I'll resort to my hardware, which is limited, but good gear... mx960, mx204, 
qfx5120 of which I only have 1-each in my lab... but it's good nonetheless

Thanks
-Aaron

-----Original Message-----
From: Tobias Heister [mailto:li...@tobias-heister.de] 
Sent: Friday, April 12, 2019 9:24 AM
To: Aaron Gould; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Fusion using vMX and vQFX

Hi,

On 12.04.2019 15:34, Aaron Gould wrote:
> Can I do Fusion using vMX and vQFX ?  Will it work?

Leaving aside the use case and what you would actually want/could to do with it 
this will not work.
vQFX is basically QFX10k and QFX10k can not be used as Sat in any Fusion 
deployment (it can be AD in DC flavor).

So even if Fusion would be supported and/or work on vMX (which i doubt) there 
would be no virtual SAT to connect.
Also of course you would need a License for the AD in Fusion PE (which uses MX 
as AD) in order to use it.

Even MX150 (which is vMX on NFX Appliance) is not supported as AD for fusion.

-- 
regards
Tobias

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] Fusion using vMX and vQFX

2019-04-12 Thread Aaron Gould
Can I do Fusion using vMX and vQFX ?  Will it work?

-Aaron

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] JunOS 16.2R2.8 High CPU caused by python

2019-03-27 Thread Aaron Gould
(from jason ... "Is there a function to kill (and/or restart) the process in
this type of scenario? ")

Yes, there is.

For instance, I had an issue with leaking ip helper (dhcp relay) in Junos
ACX5048, that was immediately relieved with a restart of that process... 


agould@ 5048> show chassis routing-engine | grep memory | refresh 1
Memory utilization  83 percent
---(refreshed at 2018-11-30 13:33:26 CST)---
Memory utilization  83 percent
...
---(refreshed at 2018-11-30 13:33:44 CST)---
Memory utilization  96 percent
---(refreshed at 2018-11-30 13:33:45 CST)---
Memory utilization  96 percent

agould@ 5048> restart dhcp-service gracefully
Junos Dynamic Host Configuration Protocol process started, pid 37106
.
.
.
---(refreshed at 2018-11-30 13:34:02 CST)---
Memory utilization  59 percent
---(refreshed at 2018-11-30 13:34:03 CST)---
Memory utilization  59 percent

15.1X54-D61.6 - leaking jdhcpd
17.3R3.10 - permanently fixed


- Aaron

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Mirroring IPv6 neighbor advertisements

2019-03-25 Thread Aaron Gould
Thanks Jason, that question was for Crist Clark since he mentioned logging.

-Aaron


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Mirroring IPv6 neighbor advertisements

2019-03-25 Thread Aaron Gould
Can you log DHCPv6 PD (Prefix Delegation) also ?

-Aaron


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Silly command?

2019-03-19 Thread Aaron Gould
Thanks Eric, 

What is "100G FS DAC" ?

Why were you using 4300/5100 with MX204 ?  is that for port expansion made
possible with fusion or vc or vcf ?

Also, you didn't set pic 0 port 3 speed ?

BTW, you doing any qinq tagging?   ...also, subinterface (unit level)
policing ?  If not, I'm about to test that as a must-have for where I intend
on deploying, to which I'll let you know findings.


-Aaron



___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Silly command?

2019-03-18 Thread Aaron Gould
How did you like the MX204 ?  How much testing did you do?

I have one now, just received it on Friday, and I have it in the lab.

I'm currently just testing a few things...

ospf
mpls
ldp
vrf
bridge-domain
multiple different vlan tags on same physical interface with different tags
on different units (subinterfaces)

all seems good at this point

The interfaces were interesting trying to get those up...

I had to set chassis fpc speed for all of them pic 0 and pic 1 to get a 40
gig interface on pic 0 to work (bounce pic's... request chassis fpc pic etc
offline... then online)


-Aaron


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] jaa-nat cgnat license

2019-03-12 Thread Aaron Gould
To circle back, my vendor team has confirmed that this is purely an
honor-based license.  .no need to input anything into cli.

-Aaron

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Old JunOS upgrade path

2019-03-08 Thread Aaron Gould
Lately, we have been upgrading lots of our ACX5048's from 15.1X54 (D51 and
D61) to 17.3R3.10

-Aaron


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] jaa-nat cgnat license

2019-03-05 Thread Aaron Gould
Has anyone had to scale up their cgnat yet ? .to the extent that you had to
purchase and install additional throughput licenses for your cgnat ?  I'm
running MX960 with MS-MPC-128G and I plan on moving lots of my customers
behind it so I'm purchasing more JAA-NAT-10

I'd like to hear from someone who actually installed the JAA-NAT-x
(1,10,100) cgnat license and exactly how they did it.  cli commands please
with show output before and after would be nice.

-Aaron

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] cgnat ams0 vrf-aware flow data export help

2019-02-14 Thread Aaron Gould
Need assistance with exporting flow data for inside interface of cgnat ams0
aggregated multiservice interface

I have MX960 with MS-MPC-128G doing cgnat using AMS0 (aggregated
multiservice of underlying mams interfaces) using next-hop-style vrf-aware
cgnat.

I need the cgnat inside domain interface (ams0.551) to be configured to
export flow data (jflow, sflow, ipfix, whichever version i can use) to a
flow collector server, this is important so we can have flow data of
(pre-nat) private ip traffic.

Anyone know how ?

-Aaron

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] multi services cards - MX

2019-02-07 Thread Aaron Gould
Circling back on some older threads... I'm doing this because I've been
growing my cgnat environments and needing to remind myself of somethings,
etc...

Regarding MS-MPC-128G being used for napt-44 (nat overload ipv4 savings)
what do you all know about throughput ?

I understand that it may not be an exact number... but is there a general
nat/napt-44 throughput number associated with the ms-mpc-128g ?

I've seen numbers ranging from ~7.5 gbps per npu so ~30 gbps total (x4 with
4 npu's per ms-mpc) ... to other numbers like 150 or 160 gbps in a certain
slide/document speaking of scp chipset sx or fx... 

...i may have misread somethings, but let me know what y'all know about the
capabilities of the ms-mpc-128g inside an MX960 as it pertains to napt-44

-Aaron



-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of
harbor235
Sent: Saturday, March 18, 2017 12:24 PM
To: Juniper List
Subject: [j-nsp] multi services cards - MX

My google-fu is preventing me from finding performance data on the various
MS-MPC linecards for the MX router series. I am looking for IPSEC
capabilities e.g. max tunnels, max bandwidth per tunnel, etc ... Different
versions of the ms-mpc support different performance and tunnel sizes?

Can anyone point me to a good reference url?


Mike
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] MX960 power supply stopped during ISSU

2019-01-30 Thread Aaron Gould
Thanks Tim, unsure what you mean by  "do you have enough power supplies
to maintain N+1  at full tilt?"  

Thanks Jerry, ISSU upgrade went fine this time.  I've done 3 so far...
-1st MX960 ISSU upgrade in lab-960 was fine
-2nd MX960 ISSU upgrade had a glitch, I don't recall why, but it caused me
to have to do a stand-alone RE upgrade to the old master/new bu re... but I
got through it and all is well. (as you may know, stand-alone upgrade caused
me to have to remove, gres, nsr, nsb...re-enabled it afterwards)
-3rd MX960 ISSU, the one this thread is about, went good.  ...except 2
issues, that did *not* hinder the issu from completing successfully, so just
want to be clear on that.
--- Issue 1 was the power supply I found down afterwards.  But now I'm
learning from you all and JTAC that the ISSU had nothing to do with this
PEM0 going offline and it was purely coincidental that it went offline
during the ISSU.  I asked the JTAC to tell me why the power supply went
offline.  Waiting on that answer.  He did say that there are normal
procedures for a power supply going offline to simply reseat it.  if it
comes back up, great.  If not, rma.  In my case, we did not reseat, but
instead, removed it, put in a known-good one, and took that removed bad one
to the lab, where it has been functioning fine since yesterday... to which
the jtac is calling it good.
--- Issue 2 was , during the issu upgrade process, there is a config check
apparently (details shown below... see starting at "Validating against
/config/juniper.conf.gz") well, strangely it found an entry for
"ether-options" and aborted the ISSU.  This was weird, that et (40 gig)
interface et-11/1/1 was alive and well config'd like that, and passing
traffic in a functional lag bundle ae43... I removed the ether-options
command, before committing, tried to put it back and it would *not* let me...
weird.  Then I looked on other et-x/x/x interfaces in other ae's like ae40,
ae41, etc... and those were all config'd with gigether-options... so I
likewise config'd et-11/1/1 with gigether-options, committed, restarted ISSU,
and all is well.

- Aaron

Details of the 3rd MX960 upgrade 2nd issue... but was easily overcome and
restarted issu and completed successfully.
.
Mounting junos-daemons-mx-x86-64-20181003.235426_builder_junos_174_r2_s1
Verified jsdn-x86-32-17.4R2-S1 signed by PackageProductionEc_2018 method
ECDSA256+SHA256
Mounting jsdn-x86-32-17.4R2-S1.2
Verified jsd-x86-32-17.4R2-S1 signed by PackageProductionEc_2018 method
ECDSA256+SHA256
Mounting jsd-x86-32-17.4R2-S1.2-jet-1
Verified jpfe-common-x86-32-20181003 signed by PackageProductionEc_2018
method ECDSA256+SHA256
Mounting jpfe-common-x86-32-20181003.235426_builder_junos_174_r2_s1
Verified jfirmware-x86-32-17.4R2-S1 signed by PackageProductionEc_2018
method ECDSA256+SHA256
Mounting jfirmware-x86-32-17.4R2-S1.2
Verified jdocs-x86-32-20181003 signed by PackageProductionEc_2018 method
ECDSA256+SHA256
Mounting jdocs-x86-32-20181003.235426_builder_junos_174_r2_s1
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
/config/juniper.conf:390:(21) syntax error at 'ether-options'
  [edit interfaces et-11/1/1]
'ether-options {'
  syntax error
/config/juniper.conf:392:(9) error recovery ignores input until this point
at '}'
  [edit interfaces et-11/1/1]
'}'
  error recovery ignores input until this point
mgd: warning: (#2)Db open failed...
Validation failed
ERROR:  Failed to add
/var/tmp/junos-vmhost-install-mx-x86-64-17.4R2-S1.2.tgz
da0 at vtscsi0 bus 0 scbus2 target 0 lun 0
da0:  detached
(da0:vtscsi0:0:0:0): Periph destroyed
error: ISSU Aborted!
[Jan 29 00:04:28]:ISSU: Error
Chassis ISSU Aborted
[Jan 29 00:04:28]:ISSU: IDLE
warning: Host software installation has failed.
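
An added example, not part of the original post and not Juniper tooling: a small Python audit of an install log in the format quoted above, which flags any package mounted without a preceding "Verified ... signed by" line and extracts each config syntax error with its [edit] hierarchy. The function name, the sample log (constructed, with mail-wrapped lines re-joined) and the name-matching rule are assumptions.

```python
import re

# Constructed sample in the format of the install log quoted above, with
# mail-wrapped lines re-joined. The "Verified" line for jdocs is left out on
# purpose so the unverified-mount check has something to report.
SAMPLE_LOG = """\
Verified jsd-x86-32-17.4R2-S1 signed by PackageProductionEc_2018 method ECDSA256+SHA256
Mounting jsd-x86-32-17.4R2-S1.2-jet-1
Verified jfirmware-x86-32-17.4R2-S1 signed by PackageProductionEc_2018 method ECDSA256+SHA256
Mounting jfirmware-x86-32-17.4R2-S1.2
Mounting jdocs-x86-32-20181003.235426_builder_junos_174_r2_s1
Validating against /config/juniper.conf.gz
/config/juniper.conf:390:(21) syntax error at 'ether-options'
  [edit interfaces et-11/1/1]
'ether-options {'
  syntax error
/config/juniper.conf:392:(9) error recovery ignores input until this point at '}'
  [edit interfaces et-11/1/1]
'}'
  error recovery ignores input until this point
Validation failed
error: ISSU Aborted!
"""

VERIFIED = re.compile(r"^Verified (\S+) signed by (\S+) method (\S+)$")
MOUNTING = re.compile(r"^Mounting (\S+)$")
SYNTAX = re.compile(r"^(\S+):(\d+):\((\d+)\) syntax error at '(.+)'$")
EDIT = re.compile(r"^\s*\[edit (.+)\]$")


def audit_install_log(text):
    """Summarise signature coverage and config validation errors in an install log."""
    verified = {}       # package name -> (signer, method)
    unverified = []     # packages mounted with no matching "Verified" line
    config_errors = []
    aborted = False
    for line in text.splitlines():
        if m := VERIFIED.match(line):
            verified[m.group(1)] = (m.group(2), m.group(3))
        elif m := MOUNTING.match(line):
            pkg = m.group(1)
            # Assumption inferred from the quoted lines: the mounted name is
            # the verified name followed by a ".<build>" suffix.
            if not any(pkg == v or pkg.startswith(v + ".") for v in verified):
                unverified.append(pkg)
        elif m := SYNTAX.match(line):
            config_errors.append({
                "file": m.group(1),
                "line": int(m.group(2)),
                "pos": int(m.group(3)),  # parenthesised number; meaning not stated on the page
                "token": m.group(4),
                "hierarchy": None,
            })
        elif (m := EDIT.match(line)) and config_errors and config_errors[-1]["hierarchy"] is None:
            config_errors[-1]["hierarchy"] = m.group(1)
        elif line.startswith("Validation failed") or "ISSU Aborted" in line:
            aborted = True
    return {
        "signers": {signer for signer, _ in verified.values()},
        "unverified": unverified,
        "config_errors": config_errors,
        "aborted": aborted,
    }


if __name__ == "__main__":
    for key, value in audit_install_log(SAMPLE_LOG).items():
        print(key, "=", value)
```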




Re: [j-nsp] MIC3-3D-1X100GE-CXP ports won't light up.

2019-01-30 Thread Aaron Gould
Not sure if this is the problem... maybe it's the laser thing Jerry
mentioned, ... but maybe you need to online the mic ?  I think I had to do
this with new mpc's I put in my mx960's but unsure if it's required at the
mic level for newly inserted mics...

Request chassis pic online or something like that

-Aaron




[j-nsp] MX960 power supply stopped during ISSU

2019-01-29 Thread Aaron Gould
Last night I had a successful ISSU upgrade. BUT. "show chassis alarm" showed
me that PEM0 power supply had issues.  Searching logs didn't turn up any
previous issues so I think that this happened during the ISSU process.
Anyway ever seen something like that before?  I would've thought that a
software upgrade wouldn't do much with power, but I'm wondering now.

17.4R1-S2.2 - old
17.4R2-S1.2 - new

agould@blvr-960> show chassis alarms
3 alarms currently active
Alarm time               Class  Description
2019-01-29 00:33:12 CST  Major  PEM 0 Input Failure
2019-01-29 00:33:12 CST  Major  PEM 0 Not OK
2019-01-29 00:32:27 CST  Minor  Backup RE Active

...this morning CO Tech went on site and said power feeds to PEM0 were fine,
and no tripped fuses or anything.  "show chassis power" showed 2 feeds
expected and connected, and good power but not putting anything out.

He removed the bad PEM0 and put it into lab MX960, and it works!

Some messages seen were... I wonder what "bump volt" means ?  ...wondering if
that is an action to actually hit the voltage of each PEM, and if so, wonder
if that would've tripped on offline.

Jan 29 00:32:20  hwdb: entry for cbd 2988 at slot 2 inserted
Jan 29 00:32:20  acb_add: CB 2, initializing SGLS SGLINk type 2 Local ACB type 4
Jan 29 00:32:20  acb_sglink_init: GE 8374 PHY PMC ctrl 2 : 0xa300 at slot 2
Jan 29 00:32:20  acb_sglink_init: GE 8374 PHY PMC ctrl 2: set TXCLK4 at slot 2
Jan 29 00:32:20  acb_sglink_init: GE 8354 PHY Auto Neg Status 2: 0x2a for slot 2
Jan 29 00:32:20  acb_sglink_init: GE 8354 PHY is byte aligned for slot 2
Jan 29 00:32:21  acb_sglink_init: GE 8374 PHY Auto Neg Status 2: 0xa0 at slot 2
Jan 29 00:32:21  acb_sglink_init: GE 8374 PHY is byte aligned at slot 2
Jan 29 00:32:21  acb_sglink_init: CB slot 2 SGLS version 0
Jan 29 00:32:21  acb_sglink_init: CB slot 2 SGLS type 2, acb type 4
Jan 29 00:32:21  acb_add: CB 2, initializing PCIe hub
Jan 29 00:32:21  acb_add: setting CB 2 cache type and i2c 0xbac
Jan 29 00:32:21  ch_probe_frus: Routing Engine 1 added
Jan 29 00:32:21  reading RE 1 initial state
Jan 29 00:32:21  reading host processor dimms
Jan 29 00:32:22  hwdb: entry for re 3087 at slot 1 inserted
Jan 29 00:32:22  ch_probe_frus: PEM 0 added
Jan 29 00:32:22  reading PEM 0 initial state
Jan 29 00:32:22  Bump volt: reset structure for pem 0 during add
Jan 29 00:32:22  ch_probe_frus: PEM 1 added
Jan 29 00:32:22  reading PEM 1 initial state
Jan 29 00:32:22  Bump volt: reset structure for pem 1 during add
Jan 29 00:32:22  ch_probe_frus: PEM 2 added
Jan 29 00:32:22  reading PEM 2 initial state
Jan 29 00:32:22  Bump volt: reset structure for pem 2 during add
Jan 29 00:32:22  ch_probe_frus: PEM 3 added
Jan 29 00:32:22  reading PEM 3 initial state
Jan 29 00:32:22  Bump volt: reset structure for pem 3 during add
Jan 29 00:32:22  ch_probe_frus: FPM 0 added
Jan 29 00:32:22  reading FPM 0 initial state
Jan 29 00:32:22  check_and_carp_on_i2cs_version I2CS version=0x29

Jan 29 00:33:12  blvr-960 alarmd[16028]: Alarm set: Pwr supply color=RED, class=CHASSIS, reason=PEM 0 Not OK
Jan 29 00:33:12  blvr-960 craftd[13352]:  Major alarm set, PEM 0 Not OK
Jan 29 00:33:12  blvr-960 chassisd[13337]: CHASSISD_PEM_INPUT_BAD: status failure for power supply 0 (status bits: 0x2); check circuit breaker
Jan 29 00:33:12  blvr-960 alarmd[16028]: Alarm set: Pwr supply color=RED, class=CHASSIS, reason=PEM 0 Input Failure
Jan 29 00:33:12  blvr-960 craftd[13352]:  Major alarm set, PEM 0 Input Failure
Jan 29 00:33:12  blvr-960 chassisd[13337]: CHASSISD_PEM_INPUT_BAD: Input failure for power supply 0 (status bits: 0x2); check circuit breaker
Jan 29 00:33:17  blvr-960 chassisd[13337]: CHASSISD_PEM_INPUT_BAD: status failure for power supply 0 (status bits: 0x2); check circuit breaker

Jan 29 00:33:12  send: red alarm set, device PEM 0, reason PEM 0 Not OK
Jan 29 00:33:12 CHASSISD_PEM_INPUT_BAD: status failure for power supply 0 (status bits: 0x2); check circuit breaker
Jan 29 00:33:12  send: red alarm set, device PEM 0, reason PEM 0 Input Failure
Jan 29 00:33:12 CHASSISD_PEM_INPUT_BAD: Input failure for power supply 0 (status bits: 0x2); check circuit breaker

-Aaron

 



[j-nsp] MX960 differing RE REVs is this ok

2019-01-23 Thread Aaron Gould
Does ISSU require same *Rev* of RE ?

...and is there any reason why I would NOT want to run different Rev of RE
in my MX960 ?

Is it ok to run different rev of RE ?  I have REV 17 as RE0 and REV 15 as
RE1.  Is this ok?

root> show chassis hardware models | grep Routing
Routing Engine 0 REV 17   750-054758   (removed)  RE-S-X6-64G-S
Routing Engine 1 REV 15   750-054758   (removed)  RE-S-X6-64G-S

-Aaron



[j-nsp] evpn with vrf

2019-01-15 Thread Aaron Gould
I wanted to share some thoughts and new experiences with you all,

I've been learning evpn in the lab in preparation for using it to connect a
couple data centers.  I think this would be known as evpn-mpls (and not
evpn-vxlan, as I've heard "evpn-vxlan" mentioned in the same breath over and
over and over again in videos, conferences, etc. I began thinking evpn
didn't exist apart from the acronym "vxlan" but I'm pretty sure I understand
that vxlan is only one of a few different data planes that evpn can make use
of.. mpls, pbb, vxlan)

I think the evpn flavor I'm working with is known as "vlan-aware bundle
service" where you use routing-instance instance-type virtual-switch with
subordinate bridge-domains. I've also followed a book I was reading and added
a routing-instance instance-type vrf with the irb inside both routing
instances (this irb seems to be an integral part of the "glue" that
integrates these two instances together)

On the PE-CE edge interface, where mac addresses are traditionally learned,
I'm blown away at how evpn-learned mac addresses are automatically copied
into the vrf routing table as /32's and then of course once there, auto
exported using basic vrf route-targets. then the remote vrf-only pe's have a
/32 absolute way back to the host at the exact dc evpn pe where it was
advertised.

...I've read something about this a few times, but to see how it works is
eye-opening.

I have more to learn I'm sure.  If you have anything to add, I'm all ears
..or, eyes, you know : )

-Aaron



Re: [j-nsp] inline-jflow monitoring

2019-01-02 Thread Aaron Gould
I recently did this on operational/live MX960's on my 100 gig mpls ring with
no problem.  ...no service impact, no card reboots.

set chassis fpc 0 inline-services flow-table-size ipv4-flow-table-size 4

I run...

agould@960> show system information
Model: mx960
Family: junos
Junos: 17.4R1-S2.2
Hostname: 960

{master}
agould@960> show chassis hardware models | grep "fpc|engine"
Routing Engine 0 REV 15   750-054758   (removed)  RE-S-X6-64G-S
Routing Engine 1 REV 15   750-054758   (removed)  RE-S-X6-64G-S
FPC 0            REV 43   750-056519   (removed)  MPC7E-MRATE
FPC 11           REV 43   750-056519   (removed)  MPC7E-MRATE

Yeah, prior to this, you see lots of creation failures...

{master}[edit]
agould@ 960# run show services accounting errors inline-jflow fpc-slot 0 |
grep creation
Flow Creation Failures: 1589981308
IPv4 Flow Creation Failures: 1582829194
IPv6 Flow Creation Failures: 7152114

During change, if you look closely, you will see PFE-0 and PFE-1
"reconfiguring" then "steady"

And flow count will change from 1024 to whatever you change it to

show services accounting status inline-jflow fpc-slot 0

these are my notes when I did this a few months ago...

...these numbers didn't look right at first considering they say that the
unit is a multiplier for 256K base number i set v4 to 4 and v6 to 1...
so i thought the number would simply be...

256k * 4 ... (but "k" = 1024) so... (256 * 1024 = 262,144) 262,144 * 4 =
1,048,576

but new ipv4 flow limit is  1,466,368 so 1,466,368 - 1,048,576 =
417,792  

...what is this strange extra 417,792 ?  interestingly if you divide it by
1024 you get... 408

417,792 / 1024 = 408

and i know i used a 4 for ipv4 multiplier...so i assume 408 / 4 = 102

so let's check ipv6... 

256 * 1024 = 262,144

ipv6 flow limit is now 366,592

366,592 - 262,144 = 104,448

104,448 / 1024 = 102

there's our nice little 102 again :)



- Aaron




Re: [j-nsp] EX4650 or QFX5120 Use Case

2018-12-26 Thread Aaron Gould
I have (9) qfx5120-48y-8c

{master:0}
root> show system information
Model: qfx5120-48y-8c
Family: junos-qfx
Junos: 18.3R1.11

I plan to deploy them fairly simply at this point

I plan to have (4) in each of my (2) DC's

DC1
(2) QFX5120's for Services vlans/evpns
(2) QFX5120's for SAN/iscsi type vlans/evpns

DC2
(2) QFX5120's for Services vlans/evpns
(2) QFX5120's for SAN/iscsi type vlans/evpns

Lab Spare
(1) QFX5120 for testing

...so that's the (9) QFX5120's...

...so pretty much each QFX5120 I plan to uplink like this...
(1) QFX5120 dual connected 40 gig lacp (80 gig ae) to (2) separate
MPC7E-MRATE linecards in (1) MX960, 
...so there won't be 960 redundancy, but there will be power zone and
linecard redundancy

*** To be clear, I intend on the EVPN logic/config be on the MX960 only, and
not on the QFX5120 at this point
*** I intend on the QFX5120 to be an Ethernet switch with lots of 10/25 gig
interfaces, and dual 40 gig uplinks
*** I don't intend on mpls forwarding nor routing to occur in the QFX5120
*** I don't intend on VC'ing the (2) QFX5120's sitting side by side

...could this change?...perhaps, but this is where I'm at, at this point

The servers and vm's in the DC will dual connect (2) 25 gig to different
QFX5120's

If the MX960 is spine...
If the QFX5120 is leaf...
...I've seen/read/heard that you typically don't interconnect the leafs...
so I don't intend on interconnecting the leafs (QFX5120) together, but
rather bridge via the MX960 BUT, I'm going to test an interconnect
east/west between (2) QFX5120's at a DC to see if I like it or in case we
have a necessity, I'll be ready... also, I'd imagine the active/active
m-home'd CE-to-PE EVPN as predicated on the dual CE (in this case dual qfx)
being interconnected, so I'll give it a whirl...

My EVE-NG lab has this pretty much already built out... examples of vMX and
vQFX are shown below... I think the newest vQFX junos is 18.1 so it's as
close as I could get to 18.3 which shipped on my qfx's

{master:0}
root@sabn-qfx-01> show system information
Model: vqfx-1
Family: junos-qfx
Junos: 18.1R1.9
Hostname: sabn-qfx-01

root@sabn-960> show system information
Model: vmx
Family: junos
Junos: 18.2R1.9
Hostname: sabn-960

I will have more to share as I deploy/test/turn-up after the new year...

- Aaron




[j-nsp] qfx5120-48y-8c - jtac recommeded junos version

2018-12-21 Thread Aaron Gould
I got my QFX-5120's in a couple days ago. running 18.3R1.11

I don't see a JTAC Recommendation for 5120

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21476

{master:0}
root> show system information
Model: qfx5120-48y-8c
Family: junos-qfx
Junos: 18.3R1.11

- Aaron



Re: [j-nsp] ftp.juniper.net

2018-12-19 Thread Aaron Dewell

Definitely.  You can file a report with the “feedback” button on that page and 
it will get updated.

> On Dec 19, 2018, at 10:16 AM, Niall Donaghy  wrote:
> 
> Thanks Saku and Aaron.
> 
> My point is KB15585 should be retired if FTP is no longer supported. =)
> 
> -Original Message-
> From: Aaron Gould [mailto:aar...@gvtc.com] 
> Sent: 19 December 2018 16:41
> To: 'Saku Ytti' ; Niall Donaghy 
> Cc: aaron.dew...@gmail.com; 'Juniper List' 
> Subject: RE: [j-nsp] ftp.juniper.net
> 
> Yep works, thanks (Niall, use sftp.juniper.net not ftp.juniper.net)
> 
> C:\Users\aaron>sftp anonym...@sftp.juniper.net Password authentication
> Password:
> Connected to anonym...@sftp.juniper.net.
> sftp> pwd
> Remote working directory: /pub/incoming
> 
> - Aaron
> 
> 



Re: [j-nsp] MPC7E-MRATE - won't come online (enhanced-ip done)

2018-12-19 Thread Aaron Gould
Thanks Jeff, perhaps AC Highcap ship with different default dip setting than
do the DC Highcap... I can tell you this all 6 of my MX960's with DC
highcap pem's came with dip set to 0 (1700w)...

Ok so today I did this in my lab-960...

Had someone flip the dip to 1 (4100w) on all 4 PEM's, works nice, I didn't
drop any pings to linecards in both zones...didn't see any issues on ssh or
console...

then I had him slot my MPC7E-MRATE, guess what, stayed in Present mode (show
chassis fpc).

I learned that I must online a newly installed module in order for it to
come online.

request chassis fpc slot 1 online

so thinking back to last year when I originally turned up these
960's... reason I didn't have to online the MPC7E's in slot 0 and 11 is
because when the 960 originally shipped to me with those MPC7E's in it and I
powered the 960 on with the MPC7E's in it and I understand that when an
entire system boots up, it boots up all the modules too (no user
intervention needed per module)... someone can correct me if I misspeak...
(I will caveat that with this, truly, when my 960 shipped and I booted it,
the MPC7E's actually didn't power at all (show chassis fpc...shows " ---FPC
misconfiguration---" ... I had to first take the system out of its default
setting (show chassis network-services IP) with (set chassis
network-services enhanced-ip) then reboot (request system reboot
both-routing-engines) then after reboot I saw the MPC7E's booting 

-Aaron




Re: [j-nsp] ftp.juniper.net

2018-12-19 Thread Aaron Gould
Yep works, thanks (Niall, use sftp.juniper.net not ftp.juniper.net)

C:\Users\aaron>sftp anonym...@sftp.juniper.net
Password authentication
Password:
Connected to anonym...@sftp.juniper.net.
sftp> pwd
Remote working directory: /pub/incoming

- Aaron




Re: [j-nsp] ftp.juniper.net

2018-12-19 Thread Aaron Dewell

I thought it was pending shutdown in favor of sftp.  But I haven’t been paying 
that much attention.

> On Dec 19, 2018, at 8:44 AM, Aaron Gould  wrote:
> 
> Does juniper's ftp.juniper.net still work ?
> 
> 
> 
> I haven't been able to use it in a few weeks.
> 
> 
> 
> -Aaron
> 
