Re: [j-nsp] JunOS forwarding IPv6 packets with link-local source

Hi, On Thu, May 16, 2024 at 8:22 PM Antti Ristimäki via juniper-nsp wrote: > I thought this issue had been resolved already years ago, but I > noticed that JunOS still happily forwards IPv6 packets with link-local > source address towards remote destinations. This of course violates > RFC4291.

Re: [j-nsp] ACX5448 & ACX710 - Update!

Hi Mark, On Wed, Jul 29, 2020 at 4:24 PM Mark Tinka wrote: > I'm not sure I can be that patient, so I'm sniffing at Nokia's new > Metro-E product line. The problem is so far, as with Juniper and Cisco, > they've gone down the Broadcom route (some boxes shipping with Qumran, > others with Jericho

Re: [j-nsp] BPDUs over EVPN?

> Are there vendor implementations? Yes, am running in production on MX, ASR9K and NCS5500. Interops nicely too, for the most part. Believe Arista and others have working implementations too. -- Daniel. ___ juniper-nsp mailing list

Re: [j-nsp] BPDUs over EVPN?

Hi, On Fri, Oct 18, 2019 at 11:45 AM Gert Doering wrote: > If yes, is this something people do over EVPN? as an extension to 'plain' EVPN, yes. It's called EVPN-VPWS, RFC 8214. Basically EVPN without the MAC learning. -- Daniel. ___ juniper-nsp

Re: [j-nsp] prsearch missing in inaction

Hi, On Thu, May 9, 2019 at 1:54 PM Richard McGovern via juniper-nsp wrote: > Nathan, I am not sure what you want to hear, or what would make you > satisfied, but YES Juniper [IT?] did screw-up, and a restore from back-up > was/is not possible. So this situation is now being worked on,

Re: [j-nsp] Simple v4 vs v6 traffic measurement

Tim, On Tue, Oct 31, 2017 at 9:00 PM, Tim St. Pierre wrote: > Can anyone suggest a simple way to measure interface traffic by address > family? Currently, I'm measuring interface traffic using SNMP queries and > just grabbing the in / out bit byte counters. check

Re: [j-nsp] Junos CoS - ingress hierarchical policer

On Thu, May 18, 2017 at 12:44 PM, Saku Ytti wrote: > Why would you run policer, if shaper is available. on egress, agreed, but the OP mentioned he wants to do ingress policing. Not many platforms support ingress shaping afaik. --Daniel.

Re: [j-nsp] Juniper MPC-3D-16XGE-SFPP/SCBE2 incompatibility?

On Tue, Jan 10, 2017 at 7:45 PM, Brandon Ross wrote: > I have a colleague trying to use a MPC-3D-16XGE-SFPP with SCBE2s and getting > an "FPC misconfiguration" message in 'show chassis fpc' on an MX. It works > fine with SCBE, just not SCBE2, they tell me. > > Does anyone have

Re: [j-nsp] What version of Junos is best for bgp.

Hi, On Fri, Sep 16, 2016 at 11:38 AM, Mark Tinka wrote: > I'd suggest 14.2R7. It's been through the wash a few times and is > scent-free... One word of caution for 14.2R7: I have an open case where the box stops both logging & sending SNMP traps for link flaps. Issue

Re: [j-nsp] RVSP signaled L3VPN and RRs

On Thu, Aug 18, 2016 at 5:46 PM, raf wrote: > Hum my RRs do NHS, and I don't think I could easily change this. if your RRs do NHS for l3vpn routes, it will break the fowarding path; - in your scenario, your PEs don't have RSVP LSPs towards your RRs - and even if they would

Re: [j-nsp] RVSP signaled L3VPN and RRs

Hi, On Thu, Aug 18, 2016 at 5:13 PM, raf wrote: > I've changed resolution of bgp.inet.0 to inet.0 on RRs and PEs. you only need to do this on your RRs, not on your PEs. And make sure your RRs don't set NHS. --Daniel. ___

Re: [j-nsp] ACX50xx l2circuit counters

Hi Nathan, On Mon, Jun 20, 2016 at 6:03 AM, Nathan Ward wrote: > Does anyone have and tricks to make l2circuit counters work properly, or, is > this a lost cause? on ACX1k/2k/4k, you have to explicitly enable per unit statistics collection. We simply enable it on all

Re: [j-nsp] RE-S-X6-64G-BB

Hi, On Wed, May 25, 2016 at 7:06 PM, Saku Ytti wrote: > Longer time before it's end of support, better resell value on top of > normal better scale and convergence. definitely good and valid points, however are you willing to deploy (what I consider) bleeding-edge code in your

Re: [j-nsp] Full routes on MX5

Hi, On Tue, Apr 26, 2016 at 3:31 PM, Mark Tinka wrote: > That said, I think the MX104 feels even slower - I think having to > commit a configuration on multiple RE's just doubly slows things down. have you considered using the [system commit fast-synchronize] option?

Re: [j-nsp] ACX5048 - vlan-map conflict with routing-instance with vlan-id tags

Hi Aaron, On Thu, Apr 21, 2016 at 10:20 PM, Aaron wrote: > agould@eng-lab-5048-1# commit > [edit vlans vlan10] > 'interface ge-0/0/38.17' > l2ald ACX: On a bd, for each ifd only one ifl can be added > [edit vlans] > Failed to parse vlan hierarchy completely > error:

Re: [j-nsp] ACX5048 - vlan-map conflict with routing-instance with vlan-id tags

Hi Aaron, On Thu, Apr 21, 2016 at 7:48 PM, Aaron wrote: > [edit vlans vlan10 interface] > 'ge-0/0/38.17' > interface with input/output vlan-maps cannot be added to a > routing-instance with a vlan-id/vlan-tags configured > error: commit failed: (statements constraint

Re: [j-nsp] ACX5048 - vlan-map conflict with routing-instance with vlan-id tags

Hi Aaron, On Tue, Apr 19, 2016 at 10:43 PM, Aaron wrote: > Goal, to do tagging on ge-0/0/38 for 802.1q vlan tags of 10 and 17 and also, > put those tagged frames into the SAME vlan/bridge-domain so that they can > use the same ip subnet on the irb.10 interface that sits atop

Re: [j-nsp] access-internal routes

Hi, On Wed, Mar 30, 2016 at 10:41 PM, Aaron wrote: > what are these routes (access-internal) ? i'm seeing them actually being > sent over my MPLS L3VPN into my other pe's as /32 routes. very interesting. > and seemingly very inefficient and busy. not sure that I like the idea

Re: [j-nsp] ACX5048 - protect remote access (telnet, ssh, http, snmp)

Hi, On Fri, Apr 1, 2016 at 9:52 PM, Aaron wrote: > agould@eng-lab-acx5048-1# commit confirmed 1 [edit interfaces lo0 unit 0 > family inet] > 'filter' > Referenced filter 'local_acl' can not be used as default/physical > interface specific with lo0 not supported on ingress

Re: [j-nsp] Optimizing the FIB on MX

Hi, On Mon, Feb 22, 2016 at 6:53 PM, Saku Ytti wrote: > On pre-Trio it would disable egress filters, but on Trio it won't. yup, Trio always uses the egress proto family, whereas DPC would use the ingress (i.e. mpls) when vrf-table-label is used. One more reason to love Trio :-) >

Re: [j-nsp] ip(v6) options

Hi, On Thu, Jan 28, 2016 at 10:37 PM, Saku Ytti wrote: > Anyone remember from top of their head if or not Trio originally > punted transit IP packets with IP options through lo0 filter or not? http://kb.juniper.net/InfoCenter/index?page=content=KB30719=search just came online.

Re: [j-nsp] IPv4 Filter for ECN/CWR tcp bit (RFC3168)

Hi Jonas, On Fri, Nov 27, 2015 at 2:20 PM, Jonas Frey (Probe Networks) wrote: > Does anybody have any idea if its possible to filter for such traffic? have you looked at the firewall flexible match conditions? (avail in 14.2 for MX/MPC).

Re: [j-nsp] End of M-series hardware with BGP Fulltable

Hi, On Mon, Nov 17, 2014 at 9:24 PM, Joerg Staedele j...@tnib.de wrote: Currently i only know about a enhanced SSB for M20 which is available and has 16MB so this limit will not be reached in the near future but all other (older) models only have 8MB (fixed on the board, not replacable!) and

Re: [j-nsp] End of M-series hardware with BGP Fulltable

On Mon, Nov 17, 2014 at 9:41 PM, Daniel Verlouw dan...@shunoshu.net wrote: for the M7i and M10i there's the enhanced CFEB, basically (IIRC) a Trio-based/-like CFEB, along with plenty more memory. I-chip based that is... ___ juniper-nsp mailing list

Re: [j-nsp] ACX is just not there (was Re: EX4550 L2Circuit/VPN to MX80/lt Interface)

Hej Mark, On Thu, Nov 13, 2014 at 5:10 PM, Mark Tinka mark.ti...@seacom.mu wrote: I'd deploy vMX as a route reflector. I was actually evaluating vRR a few months ago, but it still had a long way to go, so went with Cisco's CSR1000v (which is, basically, IOS XE) instead. would you be able to

Re: [j-nsp] ACX is just not there (was Re: EX4550 L2Circuit/VPN to MX80/lt Interface)

Hi, For starters, at least when we evaluated it last year, there was no switching or IRB support. there is now, bridge-domains + IRB with L3VPN is what we use without a problem. We have a few hundred ACX deployed for our mobile backhaul and will ramp up that number over the next few months.

[j-nsp] bgp metric-out igp and CPU utilization

Hi list, before i open a tac case, wondering if anyone has seen something similar; when we enable 'metric-out igp offset delay-med-update' towards a full-table downstream bgp customer (exporting ~400k prefixes), CPU % of rpd process spikes through the roof (mostly in kqread state), overall RE

Re: [j-nsp] Update on 10.4R9 stability for MX?

Hi, On Thu, May 10, 2012 at 1:59 AM, Richard A Steenbergen r...@e-gerbil.net wrote: There is a serious issue with MPLS RSVP auto-bandwidth in 10.4R9, which can cause the reservation calculations to be off by quite a bit. The least broken code we've found so far is 10.4S9, I'm surprised they

Re: [j-nsp] Update on 10.4R9 stability for MX?

On Wed, May 9, 2012 at 9:13 PM, Clarke Morledge chm...@wm.edu wrote: I am curious to know about anyone's experience with 10.4R9 over the past few months.  I have DPC only currently; i.e. no MPC hardware -- and no MultiServices. I've been hit by: PR570168 - RE crash triggered by deletion and

Re: [j-nsp] 10.4R9 on MX stable?

Hi, On Fri, Feb 17, 2012 at 17:18, Paul Stewart p...@paulstewart.org wrote: Has anyone got 10.4R9 running on MX platform in production yet?  I'm looking for any feedback as JTAC is recommending we go to this release. hopefully I can share some results on Tuesday...looks fine in the lab so far,

Re: [j-nsp] Junos 10.4R8 on MX (PR 701928)

Hi, On Tue, Jan 24, 2012 at 08:25, Daniel Roesen d...@cluenet.de wrote: Daniel (waiting for over a year now for a 10.4 without major bugs...) same here... Am I the only one who finds it extremely annoying and disturbing that critical bugs get *introduced* this far down into an E-EOL train!?

Re: [j-nsp] In Search of the Optimal RE Protect Filter - A Journey

Hi guys, To revive this thread; does anyone know how to check what type of packets are being matched when using an family any input filter on lo0 ? You can't seem to use log as action and the from clause only allows some protocol independent matches; daniel@lab# set firewall family any filter

Re: [j-nsp] In Search of the Optimal RE Protect Filter - A Journey

On Fri, Aug 26, 2011 at 17:38, Clarke Morledge chm...@wm.edu wrote: I would love to be proven wrong on this, but I do not think you can use family any filters on the lo0 interface. well, it does commit on M and MX running 10.4; set firewall family any filter test term test then accept count

Re: [j-nsp] ECMP vs LAG and OAM vs BFD

On Fri, Jul 22, 2011 at 22:14, Stefan Fouant sfou...@shortestpathfirst.net wrote: Regarding BFD's capabilities to determine member state of individual member links, this is not currently supported by BFD.  Take a look at IETF Draft 'Bidirectional Forwarding Detection (BFD) for Interface' which

Re: [j-nsp] Back-reference in JunOS regular expressions

Hi, On Wed, Jul 13, 2011 at 15:18, Michael Hallgren m.hallg...@free.fr wrote: I can't find a firm statement in the JunOS documentation, and some tests makes me believe it's not implemented. Or am I mistaken with the syntax? (I can use back-reference in 'replace', etc, etc...) see

Re: [j-nsp] New J-net publications: Secure the routing engine and Useful tips/tricks

Hi, On Wed, Jun 22, 2011 at 02:01, Harry Reynolds ha...@juniper.net wrote: Hey all, Please pardon the wide distribution. I recall seeing postings on this list regarding current best practices for securing Juniper Networks Routing Engines via firewall filters. just briefly skimmed over it,

[j-nsp] RSVP automesh

Hi list, Has anyone played around with RSVP/MPLS automesh feature and can share some experiences and/or example configs? I believe it was introduced in 10.1, but can't find anything in the release notes and docs aren't very clear either;

Re: [j-nsp] Optimal BFD settings for BGP-signaled VPLS?

On Jan 17, 2011, at 11:50 PM, Keegan Holley wrote: Of course I can't find the link now, but just last night I read that prior to JunOS 9.4 echo mode required a command to be entered in order to move BFD to the forwarding plane. In or after 9.4 a new daemon was created to allow BFD to run in

Re: [j-nsp] Filtering the export of VRF routes with iBGP export filters....

On Tue, 2010-08-31 at 08:44 -0600, David Ball wrote: Thanks Krasimir. I'd run across that knob previously, but my understanding is that the functionality provided by vpn-apply-export is enabled when a router is configured as a route-reflector, which mine are already. Will give it a whirl

[j-nsp] AS-path regexp clue needed

Hi, can someone give me some clue on how to translate the following Cisco regexp to Junos ? ip as-path access-list 1 permit ^([0-9]+)(_\1)*$ (this uses pattern recall to match AS paths whose first AS number in the path is repeated zero or more times; basically to make sure certain customers

Re: [j-nsp] AS-path regexp clue needed

On Thu, 2010-07-29 at 14:45 +0200, KJ wrote: http://www.juniper.net/techpubs/software/junos/junos74/swconfig74-policy/html/policy-extend-match-config3.html I'm familiar with the manual, thank you. I'm not sure what operator you're specifically aiming at, but stuff like [1-65535]* doesn't work

Re: [j-nsp] Firewall Filters and BFD

On Jun 10, 2010, at 4:59 PM, Thomas Eichhorn wrote: Has somebody here an idea what to allow or maybe even a working configuration for this? this works for us (for both singlehop and multihop paths): term allow-bfd-control { from { source-prefix-list { insert prefix

Re: [j-nsp] vulnerability fix not available for 8.5 ?

On Fri, 2010-01-08 at 07:36 -0500, Eric Van Tol wrote: Wait, what? Can anyone confirm the removal of GE-SX-B drivers? 9.5R3.7 seems to work fine with a non-EFPC and PE-1GE-SX-B: FEB REV 10 710-002503 removedFEB-M5-S FPC 0 PIC 0 REV 02

Re: [j-nsp] show route advertising-protocol on IPv6 peers

On Wed, 2010-01-06 at 14:04 -0600, Richard A Steenbergen wrote: Yeah I've seen that behavior for years now, never got around to opening a case on it though. If you specify the table in your show route command (either inet.0 or inet6.0) it will return the results quickly, it's only slow if you

Re: [j-nsp] JUNOS vulnerability with malformed TCP packets

On Thu, 2010-01-07 at 08:04 -0500, Paul Stewart wrote: Anyone know why some issues identified as early as January 2009 are only being released now almost a year later? someone forgot to hit the 'send' button? ;) Interestingly enough, all of the PRs mentioned in these bulletins are not

Re: [j-nsp] show route advertising-protocol on IPv6 peers

On Wed, 2009-12-16 at 16:39 +0100, Daniel Verlouw wrote: It's most obvious with IPv6 neighbors receiving a full feed (+/- 2400 prefixes) from us, whereas the same command with an IPv4 neighbor receiving a full feed (300k prefixes) is almost instantaneous. funny enough, I just ran into the same

[j-nsp] show route advertising-protocol on IPv6 peers

Hi all, has anyone ever seen the behaviour below? I've been going back and forth with JTAC for months now without any result (which seems to be the norm nowadays...). We just upgraded a few M-series boxes from 9.3 to 9.5R3 and the issue still persists. It seems the issue was introduced in one of

Re: [j-nsp] Urgent downgrade pic

On Wed, 2009-11-11 at 15:19 +0530, chandrasekaran iyer wrote: Has anyone downgraded the PIC? how to do it? Which PICs are supported by 6.1 release. downgrade the PIC? What exactly do you want to achieve? And I'm more curious about why you would want to run JUNOS version that's EOLd over 5

Re: [j-nsp] ISIS Case Study in JNCIP..Summarization into Backbone

On Fri, 2009-09-18 at 01:16 -0700, Hoogen wrote: Now from my understanding of the question I need to deny the longer more specific routes... on R5 filter saying 172.16.40/29 longer the reject... yes it is quite common to suppress the more specifics. A more scalable approach would be to use the

Re: [j-nsp] MPLS VPN Load-balancing

Hi Harry, On Aug 12, 2009, at 6:50 PM, Harry Reynolds wrote: T-series platforms with e-fpcs and MX can hash on multiple MPLS labels while *also* hashing on L3 and l4. This seems to jive with the docs at:

Re: [j-nsp] JUNOS IS-IS QoS

On Fri, 2009-07-31 at 16:43 +0500, mas...@nexlinx.net.pk wrote: So does it mean that ISIS traffic is always treated as BE. Is there anything else that is hardcoded for ISIS QoS? IS-IS is mapped to the NC forwarding class (queue 3). Check

Re: [j-nsp] RPD soft assertion failed

On Wed, 2009-05-27 at 19:01 +0200, Daniel Verlouw wrote: JTAC has decoded the core dumps and on initial analysis it appears to match PR 448745 - RPD core at krt_inh_lock_internal. The PR doesn't mention 9.3 as affected though. I'll keep the list posted on any progress. JTAC is now

[j-nsp] RPD soft assertion failed

Hi, anyone else seeing messages similar to the following? We started seeing several of these after upgrading one of our M120s to 9.3R3.8 last night. May 27 10:28:05.806 2009 jun1.bit-1 rpd[1149]: % DAEMON-3-RPD_ASSERT_SOFT: Soft assertion failed rpd[1149]: file

Re: [j-nsp] RPD soft assertion failed

Hi Richard, On May 27, 2009, at 5:16 PM, Richard A Steenbergen wrote: I had a similar issue (well the exact same message, but I'm assuming different root causes) back in 8.2R2. It turned out to be PR99220, and was mostly cosmetic (minus the big scary log message that looked like a rpd core

Re: [j-nsp] RE : RPD soft assertion failed

Hi David, On May 27, 2009, at 9:18 PM, david@orange-ftgroup.com david@orange-ftgroup.com wrote: Do you have some configuration at this level edit protocols bgp path-selection ? no, it's empty. Did the RPD restart ? It seems that yes : %KERN-6: pid 12767 (rpd),uid 0: exited on

Re: [j-nsp] SNMP traps for exceeding policer configuration

On Feb 25, 2009, at 9:34 PM, Stefan Fouant wrote: I'd like to tragger some sort of alert when the traffic exceeds my policer configuration and packets start being discarded. I looked through JUNIPER-FIREWALL-MIB and didn't see anything along the lines of what I'm looking for. Anyone else

Re: [j-nsp] bgp maxas-limit - JUNOS equivalent ???

On Fri, 2009-02-20 at 12:00 +, Berislav Todorovic wrote: I'm wondering if there is a way to limit the AS path length in JUNOS. Yeah, bgp maxas-limit is available in JUNOSe, as well as in Cisco IOS, but I can't find any reference to it for JUNOS (M/MX/T Series). Any info will be greatly

Re: [j-nsp] bgp as-path

On Nov 14, 2008, at 8:38 PM, SunnyDay wrote: but what if i have 4509:65001:4356:65444 will it remove both private or only 65001 and when it checks the next (4356) stops and does not remove 65444 remove-private will only remove leading (left-hand) private ASNs, so in your example,

Re: [j-nsp] default TTE for entries in the ARP table/cache

On Jun 20, 2008, at 5:55 PM, Judd, Michael (Michael) wrote: What is Juniper's default TTE for entries in the ARP table/cache ? RTFM? http://www.juniper.net/techpubs/software/junos/junos85/swconfig85-system-basics/id-10920970.html --Daniel ___

Re: [j-nsp] ICMPv6 6PE network

On Jun 4, 2008, at 3:46 AM, snort bsd wrote: Any ideas? [EMAIL PROTECTED] set protocols mpls ? [...] ipv6-tunneling Allow MPLS LSPs to be used for tunneling IPv6 traffic ? -- Daniel Verlouw, Network Engineer BIT BV | [EMAIL PROTECTED] | +31 318 648688 DV244-RIPE | GPG: FAAF

Re: [j-nsp] Load Balancing IPv6 Traffic Flows

On May 20, 2008, at 9:57 PM, Stefan Fouant wrote: I'm wondering if anyone else has seen any similar problems and are there any gotchya's when configuring load-balancing for IPv6 traffic. you cannot match on family inet and inet6 in one term, 8.5 returns the following error: [edit

Re: [j-nsp] netscreen Vpn

On Wed, 2008-05-14 at 16:12 +0300, M.Mihailidis wrote: Anyone knows why is this?? on the general tab, change the mode-config method to push instead of the default pull. -Daniel. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net

Re: [j-nsp] forwarding-options hash-key family inet6

On Tue, 2008-03-25 at 05:11 -0500, Kevin Day wrote: It also seems to work okay, and do what was expected. Is anyone else using it without problem? layer-3 + layer-4 is the default hash setting for inet6. -- Daniel Verlouw, Network Engineer BIT BV | [EMAIL PROTECTED] | +31 318 648688