[j-nsp] recommendations / pointers, consulting eng needed

2020-09-09 Thread John Brown
Hi folks,  I'm looking for recommendations on a consulting engineer
that can help with a redesign of our BGP and OSPF network.  Service
Provider focused, lots of BGP peers, multiple sites spread across
several countries, IPv6 and IPv4, and merging several acquisitions
into a single unified network.
Network is mostly MX240/MX480s and QFX switches in the core.

Please reply off list so we don't kill SNR on the list.
I've got too much on my plate and need to hand over some of the packet
pushing design changes to someone else...

thank you

-- 
Respectfully,

John Brown, CISSP
Managing Member, CityLink Telecommunications NM, LLC
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] qfx5100 help with Q in Q

2020-08-19 Thread John Brown
Hi, I've been trying to get what I think should be a pretty simple config
working between two QFXs.
Switch A is running 18.1R3.3
Switch B is running 18.3R2.7
Both are qfx5100-48s-6q.

Switch A
Customer 1   xe-0/0/1
Customer 2   xe-0/0/2
Switch B
 Customer 1 xe-0/0/46
 Customer 2 xe-0/0/45

Switch A port xe-0/0/0 is connected to Switch B xe-0/0/47

I am trying to QinQ traffic between Switch A and B.
Customer 1 on Switch A wishes to send untagged traffic and maybe
tagged traffic in the future to its Customer 1 port on Switch B

Customer 2 on Switch A wishes to send untagged traffic and maybe
tagged traffic in the future to its Customer 2 port on Switch B

I've tried "All-in-one Bundling" and several other configs and have
looked at docs on Juniper site.
If anyone has a sample config that would be great.  Pointers appreciated.

Thank you

-- 
Respectfully,

John Brown, CISSP
Managing Member, CityLink Telecommunications NM, LLC


[j-nsp] 40Gig Ether for MX480

2019-07-18 Thread John Brown
Hi,
I have a client that is wanting a 40Gig ether handoff.  What would
folks recommend for an interface on a MX480 system?

The customer is also asking if we need to handle G.709 FEC

Thoughts and tips appreciated.

-- 
Respectfully,

John Brown, CISSP
Managing Member, CityLink Telecommunications NM, LLC


[j-nsp] JFlow / IPFIX / Mac Addresses, IX Fabrics

2017-12-29 Thread John Brown
Hello all you wonderful JUNOS geeks :)
Happy New Year!

Couple of quick questions:

Current platform
MX480
RE-1800x4
MPC3-3D
MPC2-3D
1Gig and 10Gig MIC's
SCBE

Wanting to get flow data for both IPv4 and IPv6. Seems I need IPFIX
for this

I'm also trying to get MAC addresses into my flows so that I can sort out
which peer at a shared IX fabric (Think Equinix IBX, or LINX) is sending me
packets of love.

I'm ingesting into ELK and similar OS tools.
Would like to do 1:1 for good resolution.
The data is for security, forensics, historical, troubleshooting, back
tracing DDOS, etc.

Any tips / suggestions / sample configs would be greatly appreciated.

Thanks..


Re: [j-nsp] mx480, netflow/version9 ipv6 help

2017-08-23 Thread John Brown
Not sure my flow collector (an ELK based config) will properly handle IP-FIX

On Wed, Aug 23, 2017 at 9:48 AM,   wrote:
>> Hi,  I'm trying to add IPv6 to my flow picture and I'm getting an
>> error from Junos.
>> Any help is much appreciated.  THANK YOU
>
> We are exporting IPv6 netflow info using IPfix - haven't tried v9.
> Seems to work for us. In your config, try replacing all "version9"
> occurrences with "version-ipfix".
>
> Steinar Haug, Nethelp consulting, sth...@nethelp.no


Re: [j-nsp] mx480, netflow/version9 ipv6 help

2017-08-23 Thread John Brown
yes, sorry I forgot to include that

fpc 1 {
    sampling-instance 1to1;
    inline-services {
        flow-table-size {
            ipv4-flow-table-size 5;
            ipv6-flow-table-size 5;
        }
    }
}
fpc 2 {
    sampling-instance 1to1;
    inline-services {
        flow-table-size {
            ipv4-flow-table-size 5;
            ipv6-flow-table-size 5;
        }
    }
}


On Wed, Aug 23, 2017 at 9:46 AM, Alvaro Pereira <start...@gmail.com> wrote:
> Hi John,
>
> Do you have the following configured on the fpc you have installed?
> ATTENTION! THIS WILL AUTOMATICALLY REBOOT THE FPC !!!
>
> https://www.juniper.net/documentation/en_US/junos12.3/topics/reference/configuration-statement/ipv6-flow-table-size.html
>
> Note: Any change in the configured size of the flow hash table sizes
> initiates an automatic reboot of the FPC.
>
> set chassis fpc 0 inline-services flow-table-size ipv4-flow-table-size 12
> set chassis fpc 0 inline-services flow-table-size ipv6-flow-table-size 3
>
> You might want to play with the numbers depending on your use case.
>
> Alvaro
>
> On Wed, Aug 23, 2017 at 7:17 AM, John Brown <j...@citylinkfiber.com> wrote:
>>
>> Hi,  I'm trying to add IPv6 to my flow picture and I'm getting an
>> error from Junos.
>> Any help is much appreciated.  THANK YOU
>>
>> Junos: 14.2R1.9
>>
>> Error from commit check
>>
>>  sampling inline configuration error
>> Can't configure inline output with V5, V8 and V9 collector
>> configured for family inet6
>>
>> Config snip
>>
>> family inet {
>>     output {
>>         flow-server 192.168.1.2 {
>>             port 2055;
>>             version9 {
>>                 template {
>>                     ipv4;
>>                 }
>>             }
>>         }
>>         inline-jflow {
>>             source-address 10.0.0.1;
>>         }
>>     }
>> }
>> family inet6 {
>>     output {
>>         flow-server 192.168.1.2 {
>>             port 2055;
>>             version9 {
>>                 template {
>>                     ipv6;
>>                 }
>>             }
>>         }
>>         inline-jflow {
>>             source-address 10.0.0.1;
>>         }
>>     }
>> }
>>
>> flow-monitoring {
>>     version9 {
>>         template ipv4 {
>>             ipv4-template;
>>         }
>>         template ipv6 {
>>             ipv6-template;
>>         }
>>     }
>> }


[j-nsp] mx480, netflow/version9 ipv6 help

2017-08-23 Thread John Brown
Hi,  I'm trying to add IPv6 to my flow picture and I'm getting an
error from Junos.
Any help is much appreciated.  THANK YOU

Junos: 14.2R1.9

Error from commit check

 sampling inline configuration error
Can't configure inline output with V5, V8 and V9 collector
configured for family inet6

Config snip

family inet {
    output {
        flow-server 192.168.1.2 {
            port 2055;
            version9 {
                template {
                    ipv4;
                }
            }
        }
        inline-jflow {
            source-address 10.0.0.1;
        }
    }
}
family inet6 {
    output {
        flow-server 192.168.1.2 {
            port 2055;
            version9 {
                template {
                    ipv6;
                }
            }
        }
        inline-jflow {
            source-address 10.0.0.1;
        }
    }
}

flow-monitoring {
    version9 {
        template ipv4 {
            ipv4-template;
        }
        template ipv6 {
            ipv6-template;
        }
    }
}


Re: [j-nsp] Zabbix

2017-08-19 Thread John Brown
We use a combo of LibreNMS and Zabbix
Both work quite well and solve slightly different needs.
If Zabbix had the more free form search that LibreNMS has, we would
probably just use zabbix

Monitoring, Juniper, UBNT, Tik, Cisco, Servers, various PtP licensed
wireless, adtran gpon and other devices.



On Sat, Aug 19, 2017 at 10:42 AM, Aaron Gould  wrote:
> Is it better than solarwinds ?  Asking since the ISP I work for relies 
> heavily on solarwinds.
>
> -Aaron
>
> -Original Message-
> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of 
> Paul Stewart
> Sent: Friday, August 18, 2017 5:15 AM
> To: Matthew Taylor
> Cc: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] Zabbix
>
> How do you like Zabbix and what else do you monitor with it?  We are in the midst
> of considering it (along with others) to replace Solarwinds….
>
> Thanks,
> Paul
>
>> On Aug 18, 2017, at 2:04 AM, Matthew Taylor  wrote:
>>
>> Hi,
>>
>> Heavily use Zabbix with Juniper EX/MX and SRX devices.
>>
>> Most of our templates are customised, although you can find a lot from 
>> Zabbix Share.
>>
>> https://share.zabbix.com/search?searchword=Juniper_cat=1
>>
>> Cheers,
>> Matt.
>>
>> On 18/8/17 15:25, jayshankar nair via juniper-nsp wrote:
>>> Hi, I am currently using Zabbix (www.zabbix.com) for monitoring of routers.
>>> Has anybody on this forum used Zabbix? In Zabbix there is a concept called
>>> template for integration of MIBs.
>>> Please advise.
>>>
>>> Thanks, Jayshankar

[j-nsp] help with new re-s-1800x4 and ssd

2017-04-22 Thread John Brown
Hi,
We have an existing MX480 running a re-s-1800x2 on a single SCBE.
I want to install a second SCBE and a re-s-1800x4 into the chassis.
The SSD drive I have for the new RE is blank.

So.

1. Can I mix RE's on the same chassis ? while maintaining production ?

2. How do I go about formatting and installing Junos on the new SSD in
the new re-1800 ??


thank you in advance


[j-nsp] MX series BGP config macros ?

2016-11-05 Thread John Brown
Hi,

I'm trying to build a BGP policy config that will advertise routes based on how
a subscriber tags a route towards us.

If they send a route with community 65010:XXX  with XXX = an ASN
then we will not announce it towards that ASN.

In a small configuration this is pretty easy to do, but I'm looking at
trying to see if there is a more elegant and scalable solution.

With hundreds of peers on a router, it doesn't make sense to have a bunch of
community members for each ASN

It would be nice to have code that did


protocol bgp
    group eBGP-Some-Peer
        peer-as 1234
        export [Dont-Export]


policy-statement Dont-Export
    term
        from
            protocol bgp
            community 65010:$PEERASN
        then
            reject



Where $PEERASN gets expanded to 1234 because of the BGP session
it is associated with.

Then I can just apply Dont-Export to multiple peers and not have to customize
it for each one



Hopefully this explains it well enough.

Thank you
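
One way to get the per-peer expansion asked about above is to generate the configuration offline rather than rely on a variable inside the policy. The following is an added example, not part of the original post and not a Junos feature: the community and policy names, the group names and the sample peers are hypothetical. It also handles the case where the peer ASN does not fit the 16-bit value half of a 65010:XXX standard community.

```python
MAX_2BYTE_ASN = 0xFFFF  # a standard community is two 16-bit halves


def dont_export_config(group, peer_as, tag_asn=65010):
    """Return Junos 'set' lines for one eBGP group (all names are illustrative)."""
    if not 0 < peer_as <= MAX_2BYTE_ASN:
        raise ValueError(
            f"AS{peer_as} does not fit the 16-bit value half of {tag_asn}:XXX")
    community = f"NO-EXPORT-TO-AS{peer_as}"
    policy = f"Dont-Export-AS{peer_as}"
    term = f"set policy-options policy-statement {policy} term tagged"
    return [
        f"set policy-options community {community} members {tag_asn}:{peer_as}",
        f"{term} from protocol bgp",
        f"{term} from community {community}",
        f"{term} then reject",
        f"set protocols bgp group {group} type external",
        f"set protocols bgp group {group} peer-as {peer_as}",
        f"set protocols bgp group {group} export {policy}",
    ]


def render(peers):
    """peers maps group name -> peer ASN. Returns (config lines, skipped groups)."""
    lines, skipped = [], []
    for group, peer_as in sorted(peers.items()):
        try:
            lines.extend(dont_export_config(group, peer_as))
        except ValueError as err:
            # Report the peer instead of emitting a community that cannot match
            skipped.append((group, str(err)))
    return lines, skipped


# Constructed sample peers; 4200000001 is a 4-byte private-use ASN
SAMPLE_PEERS = {
    "eBGP-Some-Peer": 1234,
    "eBGP-Other-Peer": 64500,
    "eBGP-Big-ASN": 4200000001,
}

if __name__ == "__main__":
    config, skipped = render(SAMPLE_PEERS)
    print("\n".join(config))
    for group, reason in skipped:
        print(f"# skipped {group}: {reason}")
```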


[j-nsp] MPC-3D-16XGE-SFP

2016-08-31 Thread John Brown
 Hi,

I've received some pretty good pricing on the MPC-3D-16XGE-SFP card,
and was wondering what the list.wisdom is ??

We are an ISP.  That will be the usage.
Some ports will have BGP, many will be static routed.

Will this run full line rate on all 16 ports ?
Can I run multiple ISP type clients on this card ?

What should I worry about ?

Going into a MX480 chassis with MPC2 and MPC3 cards existing.

Thanks


[j-nsp] question about S/RTBH on DPC / MX's

2015-02-11 Thread John Brown
Hi,

I've been doing some reading getting ready to implement S/RTBH using uRPF.

Basically if I have a route in the FIB whose next-hop is NULL0 then
uRPF Loose will discard the packet if that route is in the SOURCE addr
of the packet.

What I'm reading seems to indicate that this is available on a MPC but
not on a DPC

Is this correct ??

Are there any workarounds on the DPC ?

Thanks
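
The source-based RTBH behaviour described in the post above, as a platform-independent model. This is an added example, not part of the original post and not a statement about what MPC or DPC hardware does: the toy FIB, the next-hop labels and the documentation-range prefixes are constructed. It shows that in loose mode a default route lets every source pass unless a more specific discard route covers it.

```python
import ipaddress


class Fib:
    """Toy FIB: longest-prefix match over prefix -> next-hop entries."""

    def __init__(self):
        self.routes = {}

    def add(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, address):
        addr = ipaddress.ip_address(address)
        matches = [n for n in self.routes
                   if n.version == addr.version and addr in n]
        if not matches:
            return None
        best = max(matches, key=lambda n: n.prefixlen)
        return best, self.routes[best]


def urpf_loose(fib, source):
    """Loose-mode check: the best route to the source must exist and not be discard."""
    hit = fib.lookup(source)
    if hit is None:
        return "drop: no route to source"
    prefix, next_hop = hit
    if next_hop == "discard":
        return f"drop: source matches discard route {prefix}"
    return "forward"


def sample_fib():
    """Constructed routing state: defaults plus two triggered blackhole routes."""
    fib = Fib()
    fib.add("0.0.0.0/0", "upstream")
    fib.add("::/0", "upstream")
    fib.add("203.0.113.66/32", "discard")    # triggered for an abusive IPv4 source
    fib.add("2001:db8:bad::/48", "discard")  # triggered for an abusive IPv6 range
    return fib


if __name__ == "__main__":
    fib = sample_fib()
    for src in ("203.0.113.66", "203.0.113.67", "2001:db8:bad::1", "2001:db8::1"):
        print(src, "->", urpf_loose(fib, src))
```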


[j-nsp] inline / ipfix broken on MX ??

2015-01-29 Thread John Brown
Hi,

Our flow software vendor says that the Juniper MX has bugs with ipfix
based inline flows not honoring the flow-active and flow-inactive
timeout values, and that the MX can export flows that are up to 5 minutes
or longer after the fact.

I'm presently running 12.3R4.6

Thoughts ??


[j-nsp] MX series ntp clock issue ??

2015-01-26 Thread John Brown
Hi,
While trying to track down another issue I went to make sure that the MX
clock was correct.
I'm a bit confused by the results.

Current time via show system uptime does NOT match the clock via
show ntp status
And the reftime in show ntp status and clock from the same aren't the same ?

Thoughts, appreciated


jmbr...@cr01.abq show system uptime
Current time: 2015-01-26 08:21:59 MST
System booted: 2014-04-14 16:46:51 MDT (40w6d 16:35 ago)
Protocols started: 2014-04-14 16:48:12 MDT (40w6d 16:33 ago)
Last configured: 2015-01-26 08:14:40 MST (00:07:19 ago) by jmbrown
 8:21AM  up 286 days, 16:35, 1 user, load averages: 0.06, 0.06, 0.01

jmbr...@cr01.abq show ntp status
status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
version=ntpd 4.2.0-a Fri Sep 13 01:28:39 UTC 2013 (1),
processor=amd64, system=JUNOS12.3R4.6, leap=00, stratum=3,
precision=-21, rootdelay=67.766, rootdispersion=75.848, peer=3028,
refid=216.243.112.132,
reftime=d870d876.dd44b8d2  Mon, Jan 26 2015  8:15:02.864, poll=10,
clock=d870da19.ba096ea4  Mon, Jan 26 2015  8:22:01.726, state=4,
offset=4.583, frequency=16.045, jitter=1.354, stability=0.041
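
The two hexadecimal values in the output above are NTP timestamps (32-bit seconds since 1900 and a 32-bit fraction). In ntpd, reftime is when the local clock was last updated from its source and clock is the time at which the command ran. The following added example, which is not part of the original post, decodes the values copied from the post and compares them with the poll interval (2^poll seconds) and with the "Current time" line; the fixed MST offset of UTC-7 is an assumption taken from the zone shown in the output.

```python
import re
from datetime import datetime, timedelta, timezone

NTP_TO_UNIX = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
MST = timezone(timedelta(hours=-7), "MST")  # assumed fixed offset for this sample

# Lines copied from the post above (not constructed)
STATUS = """reftime=d870d876.dd44b8d2  Mon, Jan 26 2015  8:15:02.864, poll=10,
clock=d870da19.ba096ea4  Mon, Jan 26 2015  8:22:01.726, state=4,"""
UPTIME = "Current time: 2015-01-26 08:21:59 MST"


def ntp_hex_to_utc(stamp):
    """Decode an era-0 NTP timestamp 'ssssssss.ffffffff' (32.32 fixed point)."""
    sec_hex, frac_hex = stamp.split(".")
    whole = datetime.fromtimestamp(int(sec_hex, 16) - NTP_TO_UNIX, tz=timezone.utc)
    return whole + timedelta(seconds=int(frac_hex, 16) / 2**32)


def analyse(status=STATUS, uptime=UPTIME):
    """Return the decoded times and the gaps between them, in seconds."""
    stamps = dict(re.findall(r"\b(reftime|clock)=([0-9a-f]{8}\.[0-9a-f]{8})", status))
    poll = int(re.search(r"\bpoll=(\d+)", status).group(1))
    reftime = ntp_hex_to_utc(stamps["reftime"])
    clock = ntp_hex_to_utc(stamps["clock"])
    shown = re.search(r"Current time: (\S+ \S+) MST", uptime).group(1)
    current = datetime.strptime(shown, "%Y-%m-%d %H:%M:%S").replace(tzinfo=MST)
    return {
        "reftime_local": reftime.astimezone(MST).strftime("%H:%M:%S"),
        "clock_local": clock.astimezone(MST).strftime("%H:%M:%S"),
        # time since ntpd last updated the clock; expected to stay below the poll interval
        "since_last_update_s": round((clock - reftime).total_seconds(), 3),
        "poll_interval_s": 2 ** poll,
        # gap between the two commands' own readings of "now"
        "uptime_vs_clock_s": round((clock - current).total_seconds(), 3),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```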


Re: [j-nsp] Junos MX series and Andrisoft Flow tools

2015-01-26 Thread John Brown
Hi Raphael,   I'm curious as to why you are using software flow. I thought
the inline was better from a performance perspective on the router..

On Mon, Jan 26, 2015 at 6:45 AM, Raphael Mazelier <r...@futomaki.net> wrote:
> I'm testing wanguard with my mx.
> The product is interesting, not perfect, but interesting.
>
> I'm not using inline ipfix, but software flow with the below configuration:
>
> sampling {
>     input {
>         rate 1000;
>     }
>     family inet {
>         output {
>             flow-server 15.5.17.7 {
>                 port 5678;
>                 source-address 15.5.17.10;
>                 version 5;
>             }
>         }
>     }
> }
>
> with Flow protocol : Netflow v5,v7 or v9, IPFIX.
>
> The wanguard documentation specifies that if we are using juniper and ipfix,
> we have to choose Flow protocol IPFIX with flows Timeout.
>
> --
> Raphael Mazelier
> AS39605
>
> On 26/01/15 05:29, Jordan Whited wrote:
>>
>> If clocks are sync’d my best guess would be that your active and/or
>> inactive flow timeouts are longer than what is configured on the collector
>> and it doesn’t like that.
>>
>> Try making them match the collector and if that doesn’t work make the MX
>> timeouts slightly shorter.
>>
>> http://www.juniper.net/documentation/en_US/junos12.3/topics/task/configuration/services-ipfix-flow-template-flow-aggregation-configuring.html

Re: [j-nsp] Junos MX series and Andrisoft Flow tools

2015-01-25 Thread John Brown
Hi Paul,

Yes all devices sync to the same internal NTP servers and are set for
the same TZ.

On Sun, Jan 25, 2015 at 8:40 PM, Paul S. <cont...@winterei.se> wrote:
> Just as a thought, do both systems have time synchronized with something
> like ntp?
>
> I've found that it helps to use the same timezone on the system hosting
> WANGuard as well as the routers (You should technically be using UTC anyway)
>
> On 1/26/2015 06:34 AM, John Brown wrote:
>>
>> Hi,
>>
>> I'm looking for advice on configuring our MX480 (Junos 12.3R4.6) to
>> support IPFIX flows for Andrisoft's WanGuard flow based tools.  They only
>> have samples for M series and that C company.
>>
>> I'm getting some errors on the Andrisoft console that make me wonder if I
>> have things set right.
>>
>> The MX is feeding multiple 10Gig links and a pile of 1 Gig links, both
>> IPv4 and IPv6
>>
>> Many thanks for pointers and help
>>
>> here is the error I get on the Andrisoft console
>> Wrong flow timeout settings! Received flow from 391 seconds in the past!
>> 16 flows discarded

[j-nsp] Junos MX series and Andrisoft Flow tools

2015-01-25 Thread John Brown
Hi,

I'm looking for advice on configuring our MX480 (Junos 12.3R4.6) to support
IPFIX flows for Andrisoft's WanGuard flow based tools.  They only have
samples for M series and that C company.

I'm getting some errors on the Andrisoft console that make me wonder if I
have things set right.

The MX is feeding multiple 10Gig links and a pile of 1 Gig links, both IPv4
and IPv6

Many thanks for pointers and help

here is the error I get on the Andrisoft console
Wrong flow timeout settings! Received flow from 391 seconds in the past! 16
flows discarded
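
A collector-side view of the error quoted above, as an added example that is not part of the original post and is not WANGuard's own logic. It parses a constructed IPFIX message (RFC 7011 header, one template set, one data set) and flags records whose age at export exceeds the timeouts the collector expects. The template layout, the 60 s active and 30 s inactive timeouts and the sample flows are assumptions, as is the simplification that a promptly exported record started no more than the active timeout before export and ended no more than the inactive timeout before export.

```python
import struct

# IANA IPFIX element IDs: flowStartSeconds, flowEndSeconds, octetDeltaCount
FLOW_START, FLOW_END, OCTETS = 150, 151, 1


def build_message(export_time, flows):
    """Constructed exporter output: one template set (ID 2), one data set (ID 256)."""
    fields = [(FLOW_START, 4), (FLOW_END, 4), (OCTETS, 8)]
    tmpl = struct.pack("!HH", 256, len(fields))
    tmpl += b"".join(struct.pack("!HH", *f) for f in fields)
    data = b"".join(struct.pack("!IIQ", *f) for f in flows)
    body = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl
    body += struct.pack("!HH", 256, 4 + len(data)) + data
    return struct.pack("!HHIII", 10, 16 + len(body), export_time, 0, 1) + body


def parse_message(msg):
    """Return (export_time, records); fixed-length fields, one template per set."""
    version, length, export_time, _seq, _domain = struct.unpack_from("!HHIII", msg, 0)
    if version != 10 or length != len(msg):
        raise ValueError("not a complete IPFIX message")
    templates, records, off = {}, [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        pos, end = off + 4, off + set_len
        if set_id == 2:  # template set
            tid, count = struct.unpack_from("!HH", msg, pos)
            templates[tid] = [struct.unpack_from("!HH", msg, pos + 4 + 4 * i)
                              for i in range(count)]
        elif set_id in templates:  # data set for a known template
            rec_len = sum(size for _, size in templates[set_id])
            while rec_len and pos + rec_len <= end:
                rec = {}
                for ie, size in templates[set_id]:
                    rec[ie] = int.from_bytes(msg[pos:pos + size], "big")
                    pos += size
                records.append(rec)
        off = end
    return export_time, records


def late_records(msg, active_timeout, inactive_timeout):
    """List (seconds since start, seconds since end) for records exported too late."""
    export_time, records = parse_message(msg)
    ages = [(export_time - r[FLOW_START], export_time - r[FLOW_END]) for r in records]
    return [a for a in ages if a[0] > active_timeout or a[1] > inactive_timeout]


def sample_message():
    """Constructed sample: three flows sharing one arbitrary export time."""
    t = 1422240000
    return build_message(t, [(t - 391, t - 5, 1500), (t - 30, t - 2, 800),
                             (t - 50, t - 45, 64)])
```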