Re: [j-nsp] What exactly causes inconsistent RTT seen using ping utility in Junos?

2019-05-02 Thread Martin T
As I had access to a lab MX960, I made a similar packet capture as
described in my Apr 25 e-mail. The only difference is that I didn't
capture packets on the forwarding-plane Ethernet interface facing the
RE, but on the RE Ethernet interface facing the forwarding plane, i.e.
"start shell sh" in Junos and then "su" and "tcpdump -ttt -nei em0 'ip
proto 84 && src host 128.0.0.1 && ip[86:2] = 0x0800'" where em0
connects to the SCB integrated switch. As with vMX, the delay does not
come from the RE.

I also started the following two commands and let them collect ping
results and line-card CPU utilization overnight:

$ ssh -qT mx960 'ping 10.66.66.1 source 10.66.66.2' | \
> grep --line-buffered -oP '(?<=time=)[0-9.]+' | \
> while read -r rtt; do time=$(printf '%(%s)T'); \
>   printf '%s %s\n' "$time" "$rtt" >> MX960_ping_results; done

$ while true; do \
>   regex='([0-9]+)% \(1 second\), ([0-9]+)% \(5 second\)'; \
>   while read -r line; do \
>     if [[ $line =~ $regex ]]; then \
>       time=$(printf '%(%s)T'); \
>       printf '%s %s\n' "$time" "${BASH_REMATCH[1]}" >> LC_CPU_util_1s; \
>       printf '%s %s\n' "$time" "${BASH_REMATCH[2]}" >> LC_CPU_util_5s; \
>     fi; \
>   done < <(timeout 1 ssh -qT mx960 'request pfe execute target fpc3 command "show sched"'); \
> done

The first command logs ping ("ping 10.66.66.1 source 10.66.66.2"
command in Junos) results with Unix timestamps into a file. The file
content will be:

1556775780 0.586
1556775781 0.579
1556775782 0.607
/* output removed for brevity */

The second command logs the 1 second and 5 second LC CPU utilization
values from the PFE3 (egress interface for 10.66.66.1 is ge-3/3/9) CLI
"show sched" command into two files. This means that both the 1 second
and 5 second CPU utilization log files have similar content:

1556775780 9
1556775782 9
1556775783 9
/* output removed for brevity */

One 360-second-long period with three high-RTT cases can be seen
here: https://i.imgur.com/TZeIbDd.png The left-hand y-axis is RTT and
the right-hand y-axis is CPU utilization in percentages. Again, there
doesn't seem to be much correlation between line-card CPU utilization
and high RTT.

At this point I'm fairly sure that this occasional RTT is introduced
in the line-card and not in the RE, but I'm not convinced that it has
anything to do with the CPU utilization on the line-card running the
microkernel. However, I'm not sure if it is possible to debug this much
further without access to the microkernel source code and knowing the
forwarding plane internals. There is, for example, a possibility to
make a primitive packet capture inside the microkernel ("show pfe
host-outbound packets"), but it does not allow filtering and printing
of timestamps.

Again, please let me know if my explanations weren't clear or if there
are any additional ideas.


thanks,
Martin
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
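
The comparison of the two log files described in the message above can be done numerically instead of by eye. This is an added example, not part of the original e-mail; the function names and the sample values are this example's own, and only the "<unix_ts> <value>" file format comes from the message.

```python
"""Join the RTT log with the line-card CPU log and measure how related they are."""
import bisect
import math
import statistics

# Constructed samples in the "<unix_ts> <value>" format of MX960_ping_results
# and LC_CPU_util_1s; the values are illustrative, not measurements.
PING_LOG = """\
1556775780 0.586
1556775781 0.579
1556775782 0.607
1556775783 48.120
1556775784 0.593
1556775785 0.611
1556775786 0.580
1556775787 35.402
1556775788 0.602
"""
CPU_LOG = """\
1556775780 9
1556775782 9
1556775783 10
1556775784 9
1556775786 11
1556775787 9
1556775788 10
"""


def parse_log(text):
    """Return [(timestamp, value), ...] sorted by time; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            rows.append((int(parts[0]), float(parts[1])))
        except ValueError:
            continue
    return sorted(rows)


def align(ping, cpu, max_age=2):
    """Pair each RTT with the latest CPU sample at most max_age seconds old.

    The CPU poller skips seconds (780, 782, 783 in the message), so an exact
    timestamp join would silently drop RTT samples.
    """
    cpu_ts = [ts for ts, _ in cpu]
    pairs = []
    for ts, rtt in ping:
        i = bisect.bisect_right(cpu_ts, ts) - 1
        if i >= 0 and ts - cpu_ts[i] <= max_age:
            pairs.append((ts, rtt, cpu[i][1]))
    return pairs


def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 when either series is constant."""
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / math.sqrt(sxx * syy)


def high_rtt(pairs, factor=10.0):
    """Samples whose RTT exceeds factor times the median RTT."""
    limit = factor * statistics.median(rtt for _, rtt, _ in pairs)
    return [p for p in pairs if p[1] > limit]


def analyse(ping_text=PING_LOG, cpu_text=CPU_LOG):
    """Return (aligned samples, correlation coefficient, high-RTT samples)."""
    pairs = align(parse_log(ping_text), parse_log(cpu_text))
    r = pearson([rtt for _, rtt, _ in pairs], [cpu for _, _, cpu in pairs])
    return pairs, r, high_rtt(pairs)


if __name__ == "__main__":
    pairs, r, spikes = analyse()
    print(f"{len(pairs)} aligned samples, Pearson r = {r:.3f}")
    for ts, rtt, cpu in spikes:
        print(f"{ts}: RTT {rtt} ms while 1 s CPU was {cpu:.0f}%")
```

A coefficient near zero together with ordinary CPU values at the high-RTT timestamps is the numeric form of "not much correlation".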


Re: [j-nsp] What exactly causes inconsistent RTT seen using ping utility in Junos?

2019-04-25 Thread Martin T
Hi Saku,

> So 80% of time, work needed to compete for access to the CPU.

Yes. I hesitated because when I compare the ping results and vFP CPU
utilization plus microkernel threads CPU usage during the route churn
and without the route churn, then while CPU utilization clearly
increased, it did not *seem* to increase enough to explain such
drastic RTT fluctuation and even some packet loss. On the other hand,
I have absolutely no idea how the microkernel schedules its
processes/threads or how the virtualized forwarding plane distributes
those four CPU cores it has.
Graphical representation of the output of the "show linux cpu usage"
PFE CLI command can be seen here: https://i.imgur.com/f1vMAn4.png and
https://i.imgur.com/vm5nr2S.png. The first graph represents CPU core
utilization under normal conditions. The second graph represents CPU
core utilization during the route churn. Those four CPU cores are the
host machine CPU cores where QEMU virtualizes the forwarding plane.


> If I understood your explanation right (I may not have):

At this point, I was focusing on the ICMP "echo request" message only.
The network topology seen from Linux is the following:

vcp-vmx1[vcp-int-vmx1] <-> [2]br-int-vmx1[3] <->
[vfp-int-vmx1]vfp-vmx1[ge-0.0.9-vmx1]

vcp-vmx1 is the RE running Junos and vcp-int-vmx1 is the em1 interface
in Junos. br-int-vmx1 (Linux bridge) serves a similar purpose to the
integrated switch in the SCB seen with the "show chassis
ethernet-switch" command in Junos. vfp-int-vmx1 is the line-card
Ethernet interface used by the microkernel to communicate with the RE.
ge-0.0.9-vmx1 represents the ge-0/0/9 seen in Junos which is directly
connected to TAP device ge-0.0.9-vmx1:

martin@PC:~$ sudo ethtool -i ge-0.0.9-vmx1
driver: tun
version: 1.6
firmware-version:
expansion-rom-version:
bus-info: tap
supports-statistics: no
supports-test: no
supports-eeprom-access: no
supports-register-dump: no
supports-priv-flags: no
martin@PC:~$

So when I execute the "ping 10.55.55.1 source 10.55.55.2 count 1"
command in the RE, the ICMP "echo request" packet travels out from
the RE via the vcp-int-vmx1 interface, through the Linux bridge into
the line-card via vfp-int-vmx1 and then to ge-0.0.9-vmx1 in the host
machine which has 10.55.55.1 configured. I did the packet capture
simultaneously on the vfp-int-vmx1 and ge-0.0.9-vmx1 interfaces.


Martin


Re: [j-nsp] What exactly causes inconsistent RTT seen using ping utility in Junos?

2019-04-24 Thread Martin T
Hi,

I built a setup where vMX (local-as 64512) has the following 20 eBGP
neighbors over point-to-point connections:

AS64513: vmx1[ge-0/0/6.13] <-> [ge-0.0.6.13]PC
AS64514: vmx1[ge-0/0/6.14] <-> [ge-0.0.6.14]PC
AS64515: vmx1[ge-0/0/6.15] <-> [ge-0.0.6.15]PC
AS64516: vmx1[ge-0/0/6.16] <-> [ge-0.0.6.16]PC
AS64517: vmx1[ge-0/0/6.17] <-> [ge-0.0.6.17]PC
AS64518: vmx1[ge-0/0/6.18] <-> [ge-0.0.6.18]PC
AS64519: vmx1[ge-0/0/6.19] <-> [ge-0.0.6.19]PC
AS64520: vmx1[ge-0/0/6.20] <-> [ge-0.0.6.20]PC
AS64521: vmx1[ge-0/0/6.21] <-> [ge-0.0.6.21]PC
AS64522: vmx1[ge-0/0/6.22] <-> [ge-0.0.6.22]PC
AS64523: vmx1[ge-0/0/7.23] <-> [ge-0.0.7.23]PC
AS64524: vmx1[ge-0/0/7.24] <-> [ge-0.0.7.24]PC
AS64525: vmx1[ge-0/0/7.25] <-> [ge-0.0.7.25]PC
AS64526: vmx1[ge-0/0/7.26] <-> [ge-0.0.7.26]PC
AS64527: vmx1[ge-0/0/7.27] <-> [ge-0.0.7.27]PC
AS64528: vmx1[ge-0/0/7.28] <-> [ge-0.0.7.28]PC
AS64529: vmx1[ge-0/0/7.29] <-> [ge-0.0.7.29]PC
AS64530: vmx1[ge-0/0/7.30] <-> [ge-0.0.7.30]PC
AS64531: vmx1[ge-0/0/7.31] <-> [ge-0.0.7.31]PC
AS64532: vmx1[ge-0/0/7.32] <-> [ge-0.0.7.32]PC

vMX has an evaluation license installed in order to avoid the shallow
max prefix limitation. In the PC there is a BGP daemon (BIRD) running
in such a way that the first set of 4000 prefixes oscillates between
sessions with AS64513 and AS64523, i.e. between
vmx1[ge-0/0/6.13] <-> [ge-0.0.6.13]PC
and vmx1[ge-0/0/7.23] <-> [ge-0.0.7.23]PC connections. The second set of
4000 prefixes oscillates between vmx1[ge-0/0/6.14] <-> [ge-0.0.6.14]PC
and vmx1[ge-0/0/7.24] <-> [ge-0.0.7.24]PC connections. The third set of
4000 prefixes oscillates between vmx1[ge-0/0/6.15] <-> [ge-0.0.6.15]PC
and vmx1[ge-0/0/7.25] <-> [ge-0.0.7.25]PC connections, etc.
CPU usage of rpd fluctuates between 20% and 90% under such conditions.
Now when I execute the "ping 10.55.55.1 source 10.55.55.2 count 1000"
command, the summary of the results is the following:

--- 10.55.55.1 ping statistics ---
1000 packets transmitted, 992 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.189/19.572/315.915/36.297 ms

I also plotted the results: https://i.imgur.com/wWTgLfX.png As
expected, the RTT is very unstable and there is even some packet loss.
When I repeat the "ping 10.55.55.1 source 10.55.55.2 count 1000"
command without route churn, and thus the CPU usage of rpd is <0.5%,
then the summary of the results is much more stable:

--- 10.55.55.1 ping statistics ---
1000 packets transmitted, 1000 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.193/2.259/85.518/9.258 ms

Plotted results are here: https://i.imgur.com/bFM5zHj.png

This might give the impression that this delay is directly related to
the rpd process or CPU load caused by rpd, but this does not seem to be
true. vMX provides an excellent way to prove this as traffic between
vCP and vFP goes through the Linux bridge in the host machine and can
be captured. When I execute the "ping 10.55.55.1 source 10.55.55.2"
command and measure the delay between the ICMP "echo request" packets
on the forwarding-plane Ethernet interface facing the RE and ICMP "echo
request" packets on the server interface with the 10.55.55.1 address
configured, then the first packet capture does not detect the
occasional delay where the second packet capture in the server does.
For example, see the following five ping results from the Junos ping
utility:

64 bytes from 10.55.55.1: icmp_seq=1 ttl=64 time=0.459 ms
64 bytes from 10.55.55.1: icmp_seq=2 ttl=64 time=0.434 ms
64 bytes from 10.55.55.1: icmp_seq=3 ttl=64 time=51.631 ms
64 bytes from 10.55.55.1: icmp_seq=4 ttl=64 time=0.622 ms
64 bytes from 10.55.55.1: icmp_seq=5 ttl=64 time=0.294 ms

Delays measured on the forwarding-plane Ethernet port facing the RE are stable:

 00:00:01.008455 52:54:00:1c:7d:e6 > 52:54:00:17:a4:ae, ethertype IPv4
(0x0800), length 158: 128.0.0.1 > 128.0.0.16:  ip-proto-84 124
 00:00:01.001053 52:54:00:1c:7d:e6 > 52:54:00:17:a4:ae, ethertype IPv4
(0x0800), length 158: 128.0.0.1 > 128.0.0.16:  ip-proto-84 124
 00:00:01.006539 52:54:00:1c:7d:e6 > 52:54:00:17:a4:ae, ethertype IPv4
(0x0800), length 158: 128.0.0.1 > 128.0.0.16:  ip-proto-84 124
 00:00:01.000228 52:54:00:1c:7d:e6 > 52:54:00:17:a4:ae, ethertype IPv4
(0x0800), length 158: 128.0.0.1 > 128.0.0.16:  ip-proto-84 124
 00:00:01.004250 52:54:00:1c:7d:e6 > 52:54:00:17:a4:ae, ethertype IPv4
(0x0800), length 158: 128.0.0.1 > 128.0.0.16:  ip-proto-84 124

I captured those with the "tcpdump -ttt -nei vfp-int-vmx1 'ip proto 84
&& src host 128.0.0.1 && ip[80:2] = 0x0800'" command. IP protocol 84
used in the packet filter is the Juniper proprietary Trivial Tunneling
Protocol (TTP) used to encapsulate external control traffic between the
RE and the line-card microkernel. IPv4 address 128.0.0.1 is configured
on em1.0 in the RE. "ip[80:2] = 0x0800" matches the ICMP "echo request"
message ICMP header type and code bytes inside the TTP packet, i.e.
type needs to be 0x08 (Echo Request) and code needs to be 0x00.


However, same five packets captured on the ge-0.0.9-vmx1(this one has
the 10.55.55.1 configured) 

Re: [j-nsp] What exactly causes inconsistent RTT seen using ping utility in Junos?

2019-04-15 Thread Martin T
Hi Saku,

thanks for reply!

> > This is well-known behavior and documented in several KB articles.
> > However, what exactly causes this?
>
> I think just CPU doing something else before given time to do the ICMP
> packets. Like busy running some RPD task.

I also thought that it has something to do with control-plane
process/thread scheduling at first. However, I would expect the RTT of
ping to become even more inconsistent when less CPU-time is available
for sending the ICMP "echo request" messages, but this is not the
case. For example, if I pin the vCPU of virtual control plane to
physical CPU core 0:

$ sudo virsh vcpuinfo vcp-vmx1
VCPU:           0
CPU:            0
State:          running
CPU time:       142291.0s
CPU Affinity:   y---

$

..and at the same time run stress-ng on the core 0:

$ sudo taskset 0x0001 stress-ng --cpu 1 --timeout 600s

..and "while :; do /usr/bin/nice -n -20 sha256 /var/tmp/2GB &
/usr/bin/nice -n -20 sha256 /var/tmp/2GB & /usr/bin/nice -n -20 sha256
/var/tmp/2GB; done" on the RE, then it has no effect on RTT. Physical
core CPU utilization was ~100% and RE CPU utilization seen with "show
chassis routing-engine" was >80%:

1 min CPU utilization:
  User                      83 percent
  Background                 0 percent
  Kernel                    16 percent
  Interrupt                  1 percent
  Idle                       0 percent


In addition, the KB28157 says that "An ICMP ping shows intermittent
latency on a directly connected link with the default Junos Class of
Service (CoS) configuration" which gives an impression that there is a
non-default CoS configuration where there is steady latency.
This makes me think that this occasional abnormal latency is not
caused by the RE. However, I could easily be wrong.


> > Based on this information I changed the CoS configuration in two MX
> > series routers. First I tried with vMX(runs in performance mode) and
> > configured RE-sent ICMP "echo request" messages into forwarding-class
> > named "ef" and associated this class with low-latency queue:
>
> This won't do anything, this is only applicable for forwarding-plane
> traffic. For control-plane you want 'set class-of-service
> host-outbound-traffic forwarding-class ef'. However this won't do
> anything to give CPU scheduling priority on sending and receiving ICMP
> messages.

I classified control-plane ICMP traffic into "ef" forwarding-class
with multifield classifier on lo0. It has the same effect as
"host-outbound-traffic".


Martin


[j-nsp] What exactly causes inconsistent RTT seen using ping utility in Junos?

2019-04-14 Thread Martin T
Hi,

ping utility (or "icmp-ping" RPM probe without hardware-timestamp) in
Junos shows occasional high RTT even in case of pinging, for example,
directly connected devices in the LAN. Example:

64 bytes from 10.55.55.1: icmp_seq=40 ttl=64 time=0.441 ms
64 bytes from 10.55.55.1: icmp_seq=41 ttl=64 time=0.399 ms
64 bytes from 10.55.55.1: icmp_seq=42 ttl=64 time=67.192 ms
64 bytes from 10.55.55.1: icmp_seq=43 ttl=64 time=0.617 ms

This is well-known behavior and documented in several KB articles.
However, what exactly causes this?

KB11792 says that it is caused by an internal scheduler in the router
which gives lowest priority to ICMP ping packets. KB28157 gives an
impression that it has something to do with the default CoS
configuration. When I measure the deltas between ICMP "echo request"
messages seen by the server directly connected to the router, then
there is always a longer delay for the delayed ICMP "echo request"
message. For example, here is the packet capture with delays between
ICMP "echo request" messages for those four ping results shown above:

 00:00:01.000395 IP 10.55.55.2 > 10.55.55.1: ICMP echo request, id
59201, seq 40, length 64
 00:00:01.000218 IP 10.55.55.2 > 10.55.55.1: ICMP echo request, id
59201, seq 41, length 64
 00:00:01.024137 IP 10.55.55.2 > 10.55.55.1: ICMP echo request, id
59201, seq 42, length 64
 00:00:00.983721 IP 10.55.55.2 > 10.55.55.1: ICMP echo request, id
59201, seq 43, length 64

Packet 42 arrives later than normal (normal is ~1000ms) and thus the
next packet arrives earlier than normal. This means that (at least some
of) this occasional abnormal delay should be introduced when the ICMP
"echo request" is traveling out of the box.

Based on this information I changed the CoS configuration in two MX
series routers. First I tried with vMX(runs in performance mode) and
configured RE-sent ICMP "echo request" messages into forwarding-class
named "ef" and associated this class with low-latency queue:

root@vmx1> show configuration class-of-service
forwarding-classes {
    class ef queue-num 1 priority high policing-priority premium;
    class be queue-num 0 priority low policing-priority normal;
}
interfaces {
    ge-0/0/9 {
        scheduler-map test_schedmap;
    }
}
scheduler-maps {
    test_schedmap {
        forwarding-class be scheduler be_sched;
        forwarding-class ef scheduler ef_sched;
    }
}
schedulers {
    be_sched {
        priority low;
    }
    ef_sched {
        buffer-size percent 0;
        priority strict-high;
    }
}

root@vmx1>

I can confirm that ICMP "echo request" messages are put into queue
number 1 (associated with the "ef" forwarding-class) with the "show
interfaces queue ge-0/0/9 forwarding-class ef" command. However, it
made no difference compared to the default CoS configuration where
ICMP "echo request" messages sent by the RE are in the best-effort
class. When I try the same configuration on MX960, then again, there
is no difference compared to the default CoS configuration.

I also noticed that when I load the RE CPU, this does not have an
effect on ping RTT. However, for example, when I pin the vPFE vCPUs
to a specific CPU core and then additionally do something CPU-heavy on
that specific core, then it has a noticeable effect on the RTT of
RE-sent ICMP "echo request" messages.


Maybe someone (from Juniper) can shed some light on it. Please let me
know if anything was unclear.


thanks,
Martin
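
The reading of the "tcpdump -ttt" deltas in the message above can be automated as follows. This is an added example, not part of the original e-mail; it assumes, as the message does, that the ping utility sends on a fixed 1 s schedule, and the function names are this example's own.

```python
"""Estimate how late each echo request left the router from tcpdump -ttt deltas."""
import re

# The four capture lines and ping results quoted in the message above, with
# the e-mail line wraps undone.
CAPTURE = """\
 00:00:01.000395 IP 10.55.55.2 > 10.55.55.1: ICMP echo request, id 59201, seq 40, length 64
 00:00:01.000218 IP 10.55.55.2 > 10.55.55.1: ICMP echo request, id 59201, seq 41, length 64
 00:00:01.024137 IP 10.55.55.2 > 10.55.55.1: ICMP echo request, id 59201, seq 42, length 64
 00:00:00.983721 IP 10.55.55.2 > 10.55.55.1: ICMP echo request, id 59201, seq 43, length 64
"""
PING = """\
64 bytes from 10.55.55.1: icmp_seq=40 ttl=64 time=0.441 ms
64 bytes from 10.55.55.1: icmp_seq=41 ttl=64 time=0.399 ms
64 bytes from 10.55.55.1: icmp_seq=42 ttl=64 time=67.192 ms
64 bytes from 10.55.55.1: icmp_seq=43 ttl=64 time=0.617 ms
"""

DELTA_RE = re.compile(
    r"^\s*(\d+):(\d+):(\d+)\.(\d{6}) .*ICMP echo request, id \d+, seq (\d+),")
RTT_RE = re.compile(r"icmp_seq=(\d+) .*time=([0-9.]+) ms")


def deviations_us(capture, interval_us=1_000_000):
    """Map seq -> (inter-arrival delta - send interval) in microseconds.

    Integer microseconds are used so that no float rounding enters the result.
    """
    out = {}
    for line in capture.splitlines():
        m = DELTA_RE.match(line)
        if not m:
            continue
        h, mi, s, us, seq = (int(g) for g in m.groups())
        out[seq] = ((h * 60 + mi) * 60 + s) * 1_000_000 + us - interval_us
    return out


def rtts_ms(ping_output):
    """Map icmp_seq -> RTT in milliseconds as reported by the ping utility."""
    return {int(m.group(1)): float(m.group(2))
            for m in RTT_RE.finditer(ping_output)}


def late_requests(dev, threshold_us=5000):
    """Sequence numbers that arrived late while their successor arrived early.

    That pair is what a request held back inside the sender looks like when
    the sender itself keeps its schedule.
    """
    late = []
    for seq in sorted(dev):
        nxt = dev.get(seq + 1)
        if dev[seq] > threshold_us and nxt is not None and nxt < -threshold_us:
            late.append(seq)
    return late


def outbound_share(seq, dev, rtt):
    """Fraction of the reported RTT accounted for by the late request."""
    return (dev[seq] / 1000.0) / rtt[seq]


if __name__ == "__main__":
    dev, rtt = deviations_us(CAPTURE), rtts_ms(PING)
    for seq in sorted(dev):
        print(f"seq {seq}: arrival {dev[seq] / 1000:+8.3f} ms vs schedule, "
              f"RTT {rtt[seq]} ms")
    for seq in late_requests(dev):
        print(f"seq {seq}: {outbound_share(seq, dev, rtt):.0%} of the RTT "
              f"is visible as outbound delay")
```

For the capture in the message this marks seq 42 only, and shows that the late arrival of the request covers a part, not all, of the 67.192 ms.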


[j-nsp] understanding the "no-drift" option for generated events

2019-02-11 Thread Martin T
Hi,

according to Junos documentation, the "no-drift" option makes sure
that the delay caused in triggering an event does not propagate to the
triggering of the next event. Even without "no-drift", the time which
it takes the policy to complete does not affect the start-time of the
next policy. Under which circumstances does the "no-drift" option have
an effect? In addition, what does it do in Junos internally?


thanks,
Martin


Re: [j-nsp] Junos and single IPv6 link-local address per IFL

2019-01-25 Thread Martin T
Hi Charles,

> fe80:0001::::/64 is not valid as a link-local address and I've run 
> into vendors that have issues with such addresses.

Oh, ok. I understand now what you meant. Good to know.


Martin


Re: [j-nsp] Junos and single IPv6 link-local address per IFL

2019-01-24 Thread Martin T
Hi Charles,

> Link-Local addresses should be in fe80::/64, not fe80::/10.

As Eldon already mentioned, I actually used a /64 prefix in my
examples. However, any address from the address block fe80::/10 should
be fine. The point is that, for some reason, Junos allows having only
one link-local address per IFL.


Martin


[j-nsp] Junos and single IPv6 link-local address per IFL

2019-01-22 Thread Martin T
Hi,

looks like Junos allows to have only a single IPv6 link-local address.
For example, here I tested with Junos 18.2R1.9:

root@vmx1# show | compare
[edit interfaces ge-0/0/9 unit 0 family inet6]
address fe80::206:aff:fe0e:fffa/64 { ... }
+   address fe80:1::206:aff:fe0e:fffa/64;

[edit]
root@vmx1# commit check
[edit interfaces ge-0/0/9 unit 0 family inet6]
  'address fe80:1::206:aff:fe0e:fffa/64'
 Link Local address exists
error: configuration check-out failed

[edit]
root@vmx1#

..or:

root@vmx1# show | compare
[edit interfaces ge-0/0/9 unit 0 family inet6]
address fe80::206:aff:fe0e:fffa/64 { ... }
+   address fe80::206:aff:fe0e:fffb/64;

[edit]
root@vmx1# commit check
[edit interfaces ge-0/0/9 unit 0 family inet6]
  'address fe80::206:aff:fe0e:fffb/64'
 Link Local address exists
error: configuration check-out failed

[edit]
root@vmx1#

Just out of curiosity, why is there this limitation? For example,
FreeBSD 11, which Junos 18.2R1.9 is based on, does not have this
limitation:

root@FreeBSD-11:~ # ifconfig em0 inet6
em0: flags=8843 metric 0 mtu 1500
        options=209b
        inet6 fe80::fc69:d3ff:feec:7741%em0 prefixlen 64 scopeid 0x1
        inet6 fe80::fc69:d3ff:feec:7740%em0 prefixlen 64 scopeid 0x1
        nd6 options=21
root@FreeBSD-11:~ #


thanks,
Martin


[j-nsp] questions regarding port mirroring analyzer in MX series router

2019-01-03 Thread Martin T
Hi!

According to Juniper documentation, MX series routers support
analyzers ([edit forwarding-options analyzer]) since Junos OS Release
14.1 and one can mirror frames entering and exiting the port. However,
when I tested this with vMX running Junos 18.2R1.9, I encountered the
following problems/questions:

1) If the interface family is not bridge, then only the ingress
traffic is mirrored. Looks like this is the case with MX104 as well:
https://forums.juniper.net/t5/Routing/Analyzer-on-MX104/td-p/311718 In
short, am I correct that analyzer feature is dedicated to bridge
family only?

2) I built the following tiny test setup:
https://i.imgur.com/ToyY31e.png Ports ge-0.0.7-vmx1 and ge-0-0.6-vmx1
are in the same broadcast domain, but in different Linux network
namespaces in order to force the traffic through the vMX bridge. When
the analyzer configuration is inactive, I can ping 10.88.10.1 (src
address is 10.88.10.2) without any issues. However, when the analyzer
configuration is activated:

root@vmx1> show configuration forwarding-options analyzer
test {
    input {
        ingress {
            interface ge-0/0/6.0;
        }
        egress {
            interface ge-0/0/6.0;
        }
    }
    output {
        interface ge-0/0/8.0;
    }
}

root@vmx1> show forwarding-options analyzer
  Analyzer name: test
  Mirror rate  : 1
  Maximum packet length: 0
  State: up
  Ingress monitored interfaces : ge-0/0/6.0
  Egress monitored interfaces  : ge-0/0/6.0
  Output interface : ge-0/0/8.0

root@vmx1>

..and I make the packet capture on ge-0.0.7-vmx1 or
ge-0.0.8-vmx1 (analyzer outgoing port for mirrored packets), then the
vMX seems to remove the EtherType field (0x0800) and the first 16 bits
of the IPv4 header starting from the second packet:

# tcpdump -nei ge-0.0.8-vmx1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ge-0.0.8-vmx1, link-type EN10MB (Ethernet), capture size
262144 bytes
13:31:42.068347 fe:06:0a:0e:ff:f7 > fe:06:0a:0e:ff:f6, ethertype IPv4
(0x0800), length 98: 10.88.10.2 > 10.88.10.1: ICMP echo request, id
14334, seq 1, length 64
13:31:42.068460 fe:06:0a:0e:ff:f6 > fe:06:0a:0e:ff:f7, ethertype IPv4
(0x0800), length 98: 10.88.10.1 > 10.88.10.2: ICMP echo reply, id
14334, seq 1, length 64
13:31:43.068240 fe:06:0a:0e:ff:f7 > fe:06:0a:0e:ff:f6, ethertype IPv4
(0x0800), length 98: 10.88.10.2 > 10.88.10.1: ICMP echo request, id
14334, seq 2, length 64
13:31:43.068419 fe:06:0a:0e:ff:f6 > fe:06:0a:0e:ff:f7, 802.3, length
84: LLC, dsap Unknown (0x50) Group, ssap Unknown (0x76) Response, ctrl
0x: Information, send seq 0, rcv seq 0, Flags [Response], length
80
0x:  5177  4001 0080 0a58 0a01 0a58 0a02  Qw..@X...X..
0x0010:   dfd3 37fe 0002 9ff2 2d5c    7.-\
0x0020:  5b0a 0100   1011 1213 1415 1617  [...
0x0030:  1819 1a1b 1c1d 1e1f 2021 2223 2425 2627  .!"#$%&'
0x0040:  2829 2a2b 2c2d 2e2f 3031 3233 3435 3637  ()*+,-./01234567
13:31:44.068247 fe:06:0a:0e:ff:f7 > fe:06:0a:0e:ff:f6, ethertype IPv4
(0x0800), length 98: 10.88.10.2 > 10.88.10.1: ICMP echo request, id
14334, seq 3, length 64
13:31:44.068291 fe:06:0a:0e:ff:f6 > fe:06:0a:0e:ff:f7, 802.3, length
84: LLC, dsap Unknown (0x54) Individual, ssap Unknown (0x46) Command,
ctrl 0x: Information, send seq 0, rcv seq 0, Flags [Command],
length 80
0x:  5446  4001 fdb0 0a58 0a01 0a58 0a02  TF..@X...X..
0x0010:   dbd2 37fe 0003 a0f2 2d5c    7.-\
0x0020:  5e0a 0100   1011 1213 1415 1617  ^...
0x0030:  1819 1a1b 1c1d 1e1f 2021 2223 2425 2627  .!"#$%&'
0x0040:  2829 2a2b 2c2d 2e2f 3031 3233 3435 3637  ()*+,-./01234567
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
#

Output of the ping utility can be seen below:

$ ping -c10 10.88.10.1
PING 10.88.10.1 (10.88.10.1) 56(84) bytes of data.
64 bytes from 10.88.10.1: icmp_seq=1 ttl=64 time=0.167 ms

--- 10.88.10.1 ping statistics ---
10 packets transmitted, 1 received, 90% packet loss, time 8999ms
rtt min/avg/max/mdev = 0.167/0.167/0.167/0.000 ms
$

Has anyone seen this (bug) before? Once I commit the "delete
forwarding-options analyzer", then this odd behavior disappears.


3) If there is already a port-mirroring ([edit forwarding-options
port-mirroring]) available for MX series, then why introduce another
tool? Or does analyzer do something which port-mirroring doesn't?


thanks,
Martin
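
Why the damaged replies in the capture above are printed as "802.3 ... LLC" with odd DSAP/SSAP values, and a way to confirm the "EtherType plus first 16 bits missing" reading of such a frame. This is an added example, not part of the original e-mail; the frames are constructed, the function names are this example's own, and the repair step assumes the dropped bytes were 0x0800 followed by 0x4500.

```python
"""Why a frame that lost its EtherType decodes as 802.3/LLC, and how to confirm it."""
import struct


def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


# Constructed frame modelled on the echo reply in the capture above: the MAC
# addresses, IP ID 0x5177, TTL/protocol 0x4001, checksum 0x0080 and addresses
# are the values visible in the message; 0x4500, 0x0054, the zero flags word
# and the all-zero ICMP body are assumptions of this example.
DST, SRC = mac("fe:06:0a:0e:ff:f7"), mac("fe:06:0a:0e:ff:f6")
IP_HEADER = bytes.fromhex("45000054" "51770000" "40010080" "0a580a01" "0a580a02")
INTACT = DST + SRC + b"\x08\x00" + IP_HEADER + bytes(64)   # 98 bytes on the wire
DAMAGED = INTACT[:12] + INTACT[16:]                        # EtherType + 0x4500 gone

# Constructed control case: a genuine 802.3/LLC frame (spanning-tree style,
# DSAP/SSAP 0x42, control 0x03) that must not be "repaired".
BPDU = mac("01:80:c2:00:00:00") + SRC + b"\x00\x26" + b"\x42\x42\x03" + bytes(35)


def classify(frame):
    """Decode the two bytes after the MAC addresses the way a capture tool does.

    Values >= 0x0600 are an EtherType; values <= 1500 are an 802.3 length
    followed by an LLC header whose first two bytes are DSAP and SSAP.
    """
    if len(frame) < 16:
        raise ValueError("frame too short")
    value = struct.unpack("!H", frame[12:14])[0]
    if value >= 0x0600:
        return {"kind": "Ethernet II", "ethertype": value}
    if value > 1500:
        return {"kind": "invalid", "value": value}
    dsap, ssap = frame[14], frame[15]
    return {
        "kind": "802.3",
        "length": value,
        "dsap": dsap & 0xFE, "group": bool(dsap & 0x01),      # I/G bit
        "ssap": ssap & 0xFE, "response": bool(ssap & 0x01),   # C/R bit
    }


def ipv4_checksum_ok(header):
    """True when the one's-complement sum over the header folds to 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def try_repair(frame):
    """Re-insert 0x0800 0x4500 and accept the result only if it is valid IPv4.

    Returns the repaired frame, or None when the frame is not 802.3-looking
    or the hypothesis does not produce a consistent IPv4 header.
    """
    if classify(frame)["kind"] != "802.3":
        return None
    candidate = frame[:12] + b"\x08\x00\x45\x00" + frame[12:]
    header = candidate[14:34]
    if len(header) < 20:
        return None
    total_len = struct.unpack("!H", header[2:4])[0]
    if ipv4_checksum_ok(header) and total_len == len(candidate) - 14:
        return candidate
    return None


if __name__ == "__main__":
    for name, frame in (("intact", INTACT), ("damaged", DAMAGED), ("bpdu", BPDU)):
        print(name, classify(frame), "repairable:", try_repair(frame) is not None)
```

With the two bytes after the MAC addresses gone, the IPv4 total length (84) lands in the type/length position and the IP ID bytes are read as DSAP and SSAP, which is the "length 84 ... dsap 0x50 Group, ssap 0x76 Response" line in the capture.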


Re: [j-nsp] Configuration database stuck with mgd crashing

2018-12-19 Thread Martin T
On Mon, Sep 3, 2018 at 1:49 PM Luis Balbinot wrote:
>
> Mini heart attacks :-)
>
> Now seriously, I’ve seen none so far.
>
> On Mon, 3 Sep 2018 at 07:40 Sebastian Wiesinger wrote:
>
> > * Phil Shafer [2018-09-01 20:28]:
> > > "commit full" helps when daemons miss config changes (which they
> > > shouldn't) or if you just want to say "because I said so", but it
> > > needs a functioning database, provided by MGD.  In this case, MGD
> > > has corrupted the database (due to a software bug) and the assert
> > > means that it's unable to do anything useful with the database since
> > > it's corrupted and cannot be trusted.  "mgd -I" is the "nuke the
> > > entire site from orbit" option.  It rebuilds the schema and the
> > > database from scratch and reloads the entire contents.  It's the
> > > only way to be sure.
> >
> > What operational impact does mgd -I have?
> >
> > Regards
> >
> > Sebastian
> >
> > --
> > GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
> > 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE
> > SCYTHE.
> > -- Terry Pratchett, The Fifth Elephant

Hi,

I had the very same issue with SRX300 running Junos 15.1X49-D150.2.
"mgd -I" helped and I didn't notice any operational impact.


Martin


Re: [j-nsp] break statement in SLAX

2018-12-16 Thread Martin T
On Fri, Dec 14, 2018 at 9:41 PM Phil Shafer wrote:
>
> Martin T writes:
> >> Now I want to process only the first three integers which are less
> >> than 5. As I understand, for-each loop does not support breaking out
> >> from the loop so I did it like this:
>
> Yes, for-each lacks a break, but while can help.
>
> >In addition, it would require a protection against an endless loop
> >inside the while loop. Something like this:
> >
> >if ( $n > count($int_ns) ) {
> >set $m = 4;
> >}
>
> You can hang inside a while loop forever.  While that's not its
> goal, it's occasionally useful.
>
> Thanks,
>  Phil

Thanks Phil!


Martin


Re: [j-nsp] break statement in SLAX

2018-12-13 Thread Martin T
On Thu, Dec 13, 2018 at 7:15 PM Martin T wrote:
>
> Hi!
>
> I have an XML text node which contains random integers between 1 and 10
> and are separated by LF(0x0a). I convert this text node into a string
> and use jcs:break-lines() to put those numbers into a node-set. This
> means, that eventually I have an object like this:
>
> (sdb) print $int_ns
> [node-set] (10)
> 8
> 8
> 2
> 1
> 2
> 9
> 3
> 4
> 7
> 1
>
> (sdb)
>
>
> Now I want to process only the first three integers which are less
> than 5. As I understand, for-each loop does not support breaking out
> from the loop so I did it like this:
>
> $ cat read_part_of_node-set.slax
> version  1.2;
>
> main  {
>
>     var $int := {
>          8;
>          8;
>          2;
>          1;
>          2;
>          9;
>          3;
>          4;
>          7;
>          1;
>     }
>
>     var $int_ns := $int/*;
>
>     mvar $n;
>     set $n = 1;
>
>     mvar $m;
>     set $m = 1;
>
>     while ( $m < 4 ) {
>         if ( $int_ns[number($n)] < 5 )  {
>              $int_ns[number($n)];
>             set $m = $m + 1;
>         }
>         set $n = $n + 1;
>     }
> }
> $ slaxproc -g -E read_part_of_node-set.slax
> 
> 
>   2
>   1
>   2
> 
> $
>
> Just wondering, maybe there is a more elegant solution for this?
>
>
> thanks,
> Martin

In addition, it would require a protection against an endless loop
inside the while loop. Something like this:

if ( $n > count($int_ns) ) {
    set $m = 4;
}


Martin


[j-nsp] break statement in SLAX

2018-12-13 Thread Martin T
Hi!

I have an XML text node which contains random integers between 1 and 10
and are separated by LF(0x0a). I convert this text node into a string
and use jcs:break-lines() to put those numbers into a node-set. This
means, that eventually I have an object like this:

(sdb) print $int_ns
[node-set] (10)
8
8
2
1
2
9
3
4
7
1

(sdb)


Now I want to process only the first three integers which are less
than 5. As I understand, for-each loop does not support breaking out
from the loop so I did it like this:

$ cat read_part_of_node-set.slax
version  1.2;

main  {

    var $int := {
         8;
         8;
         2;
         1;
         2;
         9;
         3;
         4;
         7;
         1;
    }

    var $int_ns := $int/*;

    mvar $n;
    set $n = 1;

    mvar $m;
    set $m = 1;

    while ( $m < 4 ) {
        if ( $int_ns[number($n)] < 5 )  {
             $int_ns[number($n)];
            set $m = $m + 1;
        }
        set $n = $n + 1;
    }
}
$ slaxproc -g -E read_part_of_node-set.slax


  2
  1
  2

$

Just wondering, maybe there is a more elegant solution for this?


thanks,
Martin


Re: [j-nsp] high RTT on vMX(virtio mode) interfaces

2018-12-10 Thread Martin T
On Fri, Nov 2, 2018 at 6:15 PM Martin T wrote:
>
> Hi!
>
> I have a simple network topology where a tap interface named
> ge-0.0.1-vmx1 (generated by vMX orchestration scripts) is connected to
> virbr1 bridge port 1. This ge-0.0.1-vmx1 is mapped to ge-0/0/1
> interface in Junos and has IPv4 address 10.210.0.1/24 configured.
> virbr1 has 10.210.0.2/24 configured:
>
> $ ip a sh dev virbr1
> 24: virbr1:  mtu 1500 qdisc noqueue
> state UP group default
> link/ether fe:d6:c7:04:03:1b brd ff:ff:ff:ff:ff:ff
> inet 10.210.0.2/24 scope global virbr1
>valid_lft forever preferred_lft forever
> inet6 fe80::fc06:aff:fe0e:fff1/64 scope link
>valid_lft forever preferred_lft forever
> $
>
> When I ping the 10.210.0.2 from vMX, then the RTT is at least 20ms or
> higher. Example:
>
> root@vmx1> ping 10.210.0.2 source 10.210.0.1 count 100 rapid
> PING 10.210.0.2 (10.210.0.2): 56 data bytes
> 
> --- 10.210.0.2 ping statistics ---
> 100 packets transmitted, 100 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 22.045/33.365/73.901/6.391 ms
>
> root@vmx1>
>
> I don't observe such behavior when I use a physical NIC. fxp0 of vmx1
> is mapped to a physical NIC and 192.168.0.180 is a physical machine in
> my network:
>
> root@vmx1> show route 192.168.0.180 terse
>
> inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
> + = Active Route, - = Last Active, * = Both
>
> A V Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
> * ? 192.168.0.0/24     D   0                       >fxp0.0
>
> root@vmx1> ping 192.168.0.180 source 192.168.0.178 count 100 rapid
> PING 192.168.0.180 (192.168.0.180): 56 data bytes
> 
> --- 192.168.0.180 ping statistics ---
> 100 packets transmitted, 100 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.103/0.137/0.295/0.023 ms
>
> root@vmx1>
>
> Both VCP and VFP have the lowest niceness value, load of the host
> server is low, there is no netem configuration, which might affect the
> latency, etc.
>
> Is such latency expected when using virtio mode?
>
>
> thanks,
> Martin

If it helps someone, I do not observe the behavior described
above using vMX 18.2R1.9 on Ubuntu 16.04.5 LTS (Linux version
4.4.0-62-lowlatency) in performance mode:

root@vmx> show route 192.168.122.1 terse

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

A V Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
* ? 192.168.122.0/24   D   0                       >ge-0/0/0.0

root@vmx> ping 192.168.122.1 source 192.168.122.10 count 100 rapid
PING 192.168.122.1 (192.168.122.1): 56 data bytes

--- 192.168.122.1 ping statistics ---
100 packets transmitted, 100 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.140/0.243/1.395/0.183 ms

root@vmx>

Hardware is exactly the same and I'm using virtio NICs.


Martin
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] high RTT on vMX(virtio mode) interfaces

2018-11-02 Thread Martin T
Hi!

I have a simple network topology where tap interface named
ge-0.0.1-vmx1(generated by vMX orchestration scripts) is connected to
virbr1 bridge port 1. This ge-0.0.1-vmx1 is mapped to ge-0/0/1
interface in Junos and has IPv4 address 10.210.0.1/24 configured.
virbr1 has 10.210.0.2/24 configured:

$ ip a sh dev virbr1
24: virbr1:  mtu 1500 qdisc noqueue
state UP group default
link/ether fe:d6:c7:04:03:1b brd ff:ff:ff:ff:ff:ff
inet 10.210.0.2/24 scope global virbr1
   valid_lft forever preferred_lft forever
inet6 fe80::fc06:aff:fe0e:fff1/64 scope link
   valid_lft forever preferred_lft forever
$

When I ping the 10.210.0.2 from vMX, then the RTT is at least 20ms or
higher. Example:

root@vmx1> ping 10.210.0.2 source 10.210.0.1 count 100 rapid
PING 10.210.0.2 (10.210.0.2): 56 data bytes

--- 10.210.0.2 ping statistics ---
100 packets transmitted, 100 packets received, 0% packet loss
round-trip min/avg/max/stddev = 22.045/33.365/73.901/6.391 ms

root@vmx1>

I don't observe such behavior when I use a physical NIC. fxp0 of vmx1
is mapped to a physical NIC and 192.168.0.180 is a physical machine in
my network:

root@vmx1> show route 192.168.0.180 terse

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

A V DestinationP Prf   Metric 1   Metric 2  Next hopAS path
* ? 192.168.0.0/24 D   0   >fxp0.0

root@vmx1> ping 192.168.0.180 source 192.168.0.178 count 100 rapid
PING 192.168.0.180 (192.168.0.180): 56 data bytes

--- 192.168.0.180 ping statistics ---
100 packets transmitted, 100 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.103/0.137/0.295/0.023 ms

root@vmx1>

Both VCP and VFP have the lowest niceness value, load of the host
server is low, there is no netem configuration, which might affect the
latency, etc.

Is such latency expected when using virtio mode?


thanks,
Martin


Re: [j-nsp] How to trim the text node of a specific element node in SLAX node-set?

2018-11-02 Thread Martin T
On Thu, Oct 25, 2018 at 10:08 PM Phil Shafer  wrote:
>
> Martin T writes:
> >I need to trim the text node of a specific element node in SLAX. All
> >other elements should remain as in the original node-set. At the
> >moment, I do it like this:
>
> Use apply-templates and a distinct mode to traverse the entire
> hierarchy and apply rules to rebuild content, like:
>
> version 1.2;
>
> main  {
> var $alphabet :=  {
>  {
>  "bbb  ";
>  "ccc  ";
> }
>  {
>  "ddd  ";
>  "fff  ";
> }
> }
>
> var $new = {
> apply-templates $alphabet {
> mode "trim";
> }
> }
>
>  { copy-of $new; }
> }
>
> match text() {
> mode "trim";
>
> if (name(..) == "d") {
>  translate(., " ", "");
> } else {
> copy-of .;
> }
> }
>
> match @* | * | processing-instruction() | comment() {
> mode "trim";
>
> copy-node {
> apply-templates * |@* | text() | processing-instruction() | comment() 
> {
> mode "trim";
> }
> }
> }
>
> Thanks,
>  Phil

Thanks Phil! I wasn't aware of the mode statement. However, as I don't
see a performance benefit, the solution in my initial e-mail looks
a bit simpler.


Martin


[j-nsp] How to trim the text node of a specific element node in SLAX node-set?

2018-10-24 Thread Martin T
Hi!

I need to trim the text node of a specific element node in SLAX. All
other elements should remain as in the original node-set. At the
moment, I do it like this:

$ cat trim_node-set.slax
version  1.2;

main  {

  var $alphabet := {
 {
   {
 "bbb  ";
 "ccc  ";
  }
   {
 "ddd  ";
 "fff  ";
  }
}
  }

  var $alphabet_trimmed := {
 {
  for-each ( $alphabet/letters/consonants ) {
 {
  for-each ( * ) {
if ( name() == "d" ) {
   translate(.," ", "");
}
else {
  copy-of .;
}
  }
}
  }
}
  }

  copy-of $alphabet_trimmed;
}
$

As seen above, if element node is , then space characters are
removed. Output of this script can be seen below:

$ slaxproc -g -E trim_node-set.slax


  

  bbb  
  ccc  


  ddd
  fff  

  

$

Is there a more elegant way to do this? In addition, if I do the same
for rpc-reply, then for some reason, every element node gets the
'xmlns:junos="http://xml.juniper.net/junos/*/junos"' attribute node.
Just out of curiosity, why does this happen? As seen in the output
above, this does not happen in slaxproc, i.e ,  and  do not
get any attribute nodes added.


thanks,
Martin


Re: [j-nsp] set:difference() function in SLAX returns different results while input node-sets are the same

2018-09-21 Thread Martin T
Hi Phil,

> Two issues: first is that it is really comparing nodes not contents

Yes, that I understand. For example, here both element nodes contain
the same text node, but set:difference() still returns a node-set
99:

$ cat foo.slax
version  1.2;

var $v1 := {
 {
 "99";
}
 {
 "99";
}
}

var $v2 := $v1/*[1];

main  {
 {
copy-of set:difference($v1/*, $v2);
}
}
$ slaxproc -g -E foo.slax


  

  99

  

$


What I don't quite understand is why set:difference() considers $v1/*
and $v2/* to be different:

$ cat foo.slax
version  1.2;

var $v1 := {
 {
 "99";
}
 {
 "99";
}
}

var $v2 := {
 {
 "99";
}
 {
 "99";
}
}

main  {
 {
copy-of set:difference($v1/*, $v2/*);
}
}
$ slaxproc -g -E foo.slax


  

  99


  99

  

$

When I execute "print $v1/*" and "print $v2/*" in the debugger, then
the output is identical.


thanks,
Martin
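
The two cases in the message above, modelled in Python as an added example (not code from the thread): a set difference that compares node identity, which is what Phil describes, next to one that compares content. The <vlan> element name and all function names are constructed for the illustration.

```python
import xml.etree.ElementTree as ET


def build(values):
    """Constructed stand-in for a node-set literal: one <vlan> element per value."""
    root = ET.Element("vlans")
    for value in values:
        ET.SubElement(root, "vlan").text = value
    return list(root)


def canonical(node):
    """Canonical XML text of a node, used as its content fingerprint."""
    return ET.canonicalize(ET.tostring(node, encoding="unicode"), strip_text=True)


def difference_by_identity(a, b):
    """Nodes of a that are not the very same node object as any node of b."""
    return [n for n in a if not any(n is m for m in b)]


def difference_by_content(a, b):
    """Nodes of a whose canonical content does not occur anywhere in b."""
    seen = {canonical(m) for m in b}
    return [n for n in a if canonical(n) not in seen]


def thread_cases():
    """Count the nodes each kind of difference returns for both cases."""
    # Case 1: the second operand is the first node of the same tree ($v1/*[1]).
    v1 = build(["99", "99"])
    first_only = v1[:1]
    # Case 2: the second operand is a separately built tree with equal content.
    v2 = build(["99", "99"])
    return {
        "same_tree_identity": len(difference_by_identity(v1, first_only)),
        "same_tree_content": len(difference_by_content(v1, first_only)),
        "separate_trees_identity": len(difference_by_identity(v1, v2)),
        "separate_trees_content": len(difference_by_content(v1, v2)),
    }


if __name__ == "__main__":
    for name, count in thread_cases().items():
        print(name, count)
```

The identity-based counts (1 and 2) match the two slaxproc outputs in the message; a content-based comparison would return nothing in both cases.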


[j-nsp] set:difference() function in SLAX returns different results while input node-sets are the same

2018-09-07 Thread Martin T
Hi!

I encountered an interesting behavior where set:difference() function
does not work when node-set variable is manually defined like this:

var $vlan-range_ := {
 {
 "99";
}
 {
 "100";
}
 {
 "101";
}
 {
 "102";
}
}

However, the set:difference() function works fine if input node-sets
are for example from configuration as shown in "JUNOS AUTOMATION
REFERENCE FOR SLAX 1.0" on page 238. Here is a diff from debugger:
https://i.imgur.com/eygwaGQ.png I would expect both set:difference()
output node-sets to be equal.

What might cause such behavior?


thanks,
Martin


Re: [j-nsp] Is it possible to pass apostrophe character(ASCII dec code 39) as an argument value to SLAX script?

2018-07-17 Thread Martin T
On Fri, Jul 13, 2018 at 12:35 AM Phil Shafer  wrote:
>
> Martin T writes:
> >aren't you using grave accent("echo -e "\x60"") character? I was using
> >"echo -e "\x27"" character.
>
> Doh!  I read apostrophe (even named the script apos.slax) but my
> brain turned into backtick.
>
> Yes, this looks like a JUNOS bug:
>
> root@box> op apos char "'"
> ''':(null):(2) Invalid expression
> error: runtime error
> error: Evaluating user parameter char failed
>
> The underlying slax library handles it correctly:
>
> % slaxproc -E -n cs-examples/apos.slax -g -a char "'"
> 
> 
>   got: '
> 
>
> But it looks like this is explicitly handled in slaxproc.c:
>
> quote = strrchr(pvalue, '\"') ? '\'' : '\"';
> tvalue[0] = quote;
> memcpy(tvalue + 1, pvalue, plen);
> tvalue[plen + 1] = quote;
> tvalue[plen + 2] = '\0';
>
> This logic doesn't appear in the JUNOS driver (/usr/libexec/ui/cscript).
> I'll open a PR for this.
>
> There is a limitation in XSLT that one can't mix strings with both
> single and double quotes.  Strange but true.
>
> Thanks,
>  Phil

Thanks for confirming this! Just for information, another interesting
quirk I found is that in the case of non-interactive SSH mode, the ";"
character breaks the command on cli if it is preceded by escaped
double-quote character. I tested this with Net::OpenSSH, Net::SSH2 and
Net::SSH::Expect Perl modules, but one can demonstrate this easily
with OpenSSH client as well. For example:

$ ssh vmx1 'set cli directory "f\"oo;bar"'

error: Cannot set directory to 'f"oo'

error: unknown command: bar
$

In interactive mode, there is no such limitation:

martin@vmx1> set cli directory "f\"oo;bar"
error: Cannot set directory to 'f"oo;bar'

martin@vmx1>



Last problematic printable(dec 32 to dec 126) ASCII character, which I
found, was "\". It seems to work in a way that it escapes the
double-quote character('\"' becomes '"') and reports a syntax error if
"\" isn't followed by any other character.


The reason I found those Junos cli quirks is that I wrote a test
script(https://perldoc.perl.org/Test/More.html), which among other
things, generates a random string of characters from " "(dec 32) to
"~"(dec 126) which becomes an argument value for op script. So in
order to avoid any Junos cli errors, I'm doing following substitutions
to this randomly generated string before returning it to Perl
Net::SSH::Expect module:

# Replace one or more \ character(s) with single _ if the \
# character(s) is at the end of the string.
$str =~ s/\\+$/_/;
# Delete all the \ character(s) if they are preceding a " character.
$str =~ s/\\+"/"/g;
# Replace all ' characters with _.
$str =~ s/'/_/g;
# Escape the " character.
$str =~ s/"/\\"/g;

return $str;

I'm not saying, that this is perfect, but it is best I have managed to
come up with. I try to preserve the randomly generated string as much
as possible. As much as I have tested, it seems to work.


regards,
Martin
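
The four substitutions from the message above, ported to Python as an added example (not code from the thread) and fuzzed over the same printable ASCII range, with a separate check for the ";" quirk seen in non-interactive SSH mode. All function names are hypothetical, and the rule that a double quote must be preceded by exactly one backslash is an assumption drawn from the behaviour described in the message.

```python
import random
import re

# Printable ASCII from " " (dec 32) to "~" (dec 126), the range the test
# script in the message draws its random strings from.
PRINTABLE = "".join(chr(c) for c in range(32, 127))


def sanitize_cli_arg(s):
    """Python port of the four Perl substitutions, applied in the same order."""
    s = re.sub(r'\\+$', '_', s)   # trailing run of backslashes becomes one "_"
    s = re.sub(r'\\+"', '"', s)   # drop backslashes directly before a double quote
    s = s.replace("'", "_")       # apostrophe becomes "_"
    s = s.replace('"', '\\"')     # escape every double quote with one backslash
    return s


def cli_violations(arg):
    """List the quirks reported in the thread that arg would still trigger."""
    problems = []
    if "'" in arg:
        problems.append("apostrophe")
    if arg.endswith("\\"):
        problems.append("trailing backslash")
    # Assumption: a double quote is safe only behind exactly one backslash.
    if any(len(m.group(1)) != 1 for m in re.finditer(r'(\\*)"', arg)):
        problems.append("double quote not escaped exactly once")
    return problems


def semicolon_after_escaped_quote(arg):
    """True when a semicolon follows an escaped double quote.

    This is the pattern that split the command in non-interactive SSH mode.
    """
    pos = arg.find('\\"')
    return pos != -1 and ";" in arg[pos + 2:]


def fuzz(rounds=5000, seed=1):
    """Sanitize random printable strings and return the inputs that still fail."""
    rng = random.Random(seed)
    failures = []
    for _ in range(rounds):
        length = rng.randint(1, 40)
        raw = "".join(rng.choice(PRINTABLE) for _ in range(length))
        if cli_violations(sanitize_cli_arg(raw)):
            failures.append(raw)
    return failures


if __name__ == "__main__":
    sample = sanitize_cli_arg('f"oo;bar')   # constructed input from the thread
    print(sample, semicolon_after_escaped_quote(sample))
    print("inputs still failing after sanitizing:", fuzz())
```

The sanitizer leaves ";" untouched, so a caller that sends the value over non-interactive SSH can use semicolon_after_escaped_quote() to reject or regenerate such strings first.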


Re: [j-nsp] Is it possible to pass apostrophe character(ASCII dec code 39) as an argument value to SLAX script?

2018-07-12 Thread Martin T
On Thu, Jul 12, 2018 at 11:20 PM Phil Shafer  wrote:
>
> Martin T writes:
> >Is it possible to pass apostrophe character(ASCII dec code 39) as an
> >argument value to SLAX script? I have tried to escape it, but it does
> >not seem to work:
>
> Quote it:
>
> version 1.2;
>
> param $char = "-";
>
> main  {
>  "got: " _ $char;
> }
>
> root@box> op apos char "`"
> got: `
>
> root@box>
>
> Thanks,
>  Phil

Phil,

aren't you using grave accent("echo -e "\x60"") character? I was using
"echo -e "\x27"" character.


thanks,
Martin


[j-nsp] Is it possible to pass apostrophe character(ASCII dec code 39) as an argument value to SLAX script?

2018-07-12 Thread Martin T
Hi!

Is it possible to pass apostrophe character(ASCII dec code 39) as an
argument value to SLAX script? I have tried to escape it, but it does
not seem to work:

root@vmx1> op test chr '
''':(null):(2) Invalid expression
error: runtime error
error: Evaluating user parameter chr failed

root@vmx1> op test chr "'"
''':(null):(2) Invalid expression
error: runtime error
error: Evaluating user parameter chr failed

root@vmx1> op test chr \'
'\'':(null):(3) Invalid expression
error: runtime error
error: Evaluating user parameter chr failed

root@vmx1> op test chr '''
':(null):(2) Invalid expression
error: runtime error
error: Evaluating user parameter chr failed

root@vmx1>


Script named test is following:

root@vmx1> file show /var/db/scripts/op/test.slax
version 1.1;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

var $arguments = {
 {
 "chr";
}
}

param $chr;

match / {
 {
 "Character: " _ "'" _ $chr _ "'";
}
}

root@vmx1>

I guess it is not possible and one needs to use get-input() function?


thanks,
Martin


Re: [j-nsp] format of minimum and maximum value of math:random() in SLAX

2018-07-06 Thread Martin T
On Thu, Jul 5, 2018 at 11:37 PM Phil Shafer  wrote:
>
> Michael Loftis writes:
> >idk if there's a floor function but the general solution is floor(rand() *
> >16) when rand() produces values 0-1(exclusive) IE if random does not
> >generate 1.0 - dunno implementation details for slax
>
> Yes, XPath has a floor() function that can be used directly in SLAX.
>
> https://www.w3.org/TR/1999/REC-xpath-19991116/#section-Number-Functions
>
> So you'd say:
>
> var $res = floor(rand() * 16);
>
> Also see the "number" statement for additional number-formatting
> options:
>
> http://libslax.readthedocs.io/en/latest/content.html#the-number-statement
>
> Thanks,
>  Phil

Michael, Phil,

thanks! I didn't know about floor() function in XSLT/SLAX. However,
looks like in extremely rare cases math:random() can return 1 because
according to https://github.com/GNOME/libxslt/blob/master/libexslt/math.c#L465
random number calculation can be "(double)RAND_MAX /
(double)RAND_MAX". So final solution should be "floor(math:random() *
16) mod 16".


Martin
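
An added Python example (not code from the thread) that enumerates every outcome of the random-number calculation quoted above and counts how the results land in the range 0 to 15, with and without the trailing "mod 16", next to the two-digit substring approach from the original question. Assumptions: math:random() is modelled as k / RAND_MAX, RAND_MAX is 32767 so that all outcomes can be enumerated, the two extracted digits are uniform over 00 to 99, and all function names are hypothetical.

```python
import math
from collections import Counter

# Assumption: RAND_MAX = 32767, the smallest value ISO C allows, chosen so
# that every outcome can be enumerated. Real platforms often use a larger one.
RAND_MAX = 32767


def outcomes():
    """Model math:random() as k / RAND_MAX for k = 0..RAND_MAX, 1.0 included."""
    return (k / RAND_MAX for k in range(RAND_MAX + 1))


def floor16(r):
    """floor(math:random() * 16): yields 16 when r is exactly 1.0."""
    return math.floor(r * 16)


def floor16_mod(r):
    """floor(math:random() * 16) mod 16: folds the stray 16 back to 0."""
    return math.floor(r * 16) % 16


def histogram(mapper):
    """How many of the RAND_MAX + 1 outcomes map to each result."""
    return Counter(mapper(r) for r in outcomes())


def two_digit_mod16():
    """Two decimal digits (00..99) reduced mod 16, assuming uniform digits."""
    return Counter(d % 16 for d in range(100))


def spread(hist):
    """Difference between the most and least frequent result."""
    return max(hist.values()) - min(hist.values())


if __name__ == "__main__":
    plain = histogram(floor16)
    folded = histogram(floor16_mod)
    digits = two_digit_mod16()
    print("results without mod:", sorted(plain))
    print("folded counts for 0, 1, 15:", folded[0], folded[1], folded[15])
    print("two-digit counts for 0, 4:", digits[0], digits[4])
    print("spread folded / two-digit:", spread(folded), spread(digits))
```

Under these assumptions the folded form is off by at most two outcomes out of 32768, while the two-digit form gives the results 0 to 3 seven chances in a hundred and the results 4 to 15 only six.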


[j-nsp] format of minimum and maximum value of math:random() in SLAX

2018-07-05 Thread Martin T
Hi!

According to the documentation, math:random() function returns a
random number with a minimum value of 0 and a maximum value of 1.
Larger values than 0 and smaller values than 1 have a format similar
to 0.663341003779015. What is the format of minimum and maximum value?
Simply 0 and 1? 0.000 and 1.000? The reason I
ask is that I use "substring(math:random(), 3, 2) mod 16" for finding
random numbers between 0 and 15 and I need to apply a workaround if
format is not always x.xxx.


thanks,
Martin


Re: [j-nsp] terminate endless loop in SLAX

2018-06-26 Thread Martin T
On Tue, Jun 26, 2018 at 9:35 PM Phil Shafer  wrote:
>
> Martin T writes:
> >Thanks Phil! So in short, at the moment "terminate" statement inside
> >the while loop works in a way that when "terminate" statement is
> >executed, then immediately next iteration of while loop is started if
> >while expression returns true and this will loop infinitely? If this
> >while expression returns false, then terminate statement was the last
> >thing processed by the script and script exits. At least based on my
> >tests it seems to work like that.
>
> Yes, which does inspire a reasonable (if ugly) workaround:
>
> Bock % cat /tmp/foo.slax
> version 1.2;
>
> match / {
> mvar $working = true();
>
>  {
> while ($working) {
> set $working = false();
> terminate "doa";
> }
> }
> }
> Bock % slaxproc -E -g /tmp/foo.slax
> doa
> 
> 
> Bock %
>
> Hope this helps.
>
> Thanks,
>  Phil

Heh, I thought about exactly the same workaround. I have a script with
multiple custom functions and if the function needs to terminate, then
it returns a number and if it does not need to terminate, then it
returns a string. In main match template inside the "while ( $chars )"
loop I check this with:

set $x = example:foo($i);
if ( exsl:object-type($x) == "number" ) {
set $chars = "";
terminate "Terminated on iteration #" _ $x;
}

Other functions I return a string in case I want the main match
template to terminate and check this with something similar:

set $x = example:bar($i);
if ( exsl:object-type($x) == "string" ) {
set $chars = "";
terminate "Terminated";
}

While this is indeed hackish, then as much as I tested, it seems to work fine.


Martin


Re: [j-nsp] terminate endless loop in SLAX

2018-06-26 Thread Martin T
On Mon, Jun 25, 2018 at 7:32 PM Phil Shafer  wrote:
>
> Martin T writes:
> >Hi!
> >
> >Is there a way to terminate endless loop in SLAX? For example, if I
> >configure something as simple as that:
> >
> >match / {
> > {
> >while ( true() ) {
> >terminate;
> >}
>
> It's processing the terminate, but then it continues to "skip" over
> the rest of the entries, thinking that it's a set of nodes instead
> of a condition.  So it really, really, quickly loops forever.  Doh!
>
> I'll open a bug report and work on the fix.  There is no workaround.
> Apologies for the problem.
>
> Thanks,
>  Phil

Thanks Phil! So in short, at the moment "terminate" statement inside
the while loop works in a way that when "terminate" statement is
executed, then immediately next iteration of while loop is started if
while expression returns true and this will loop infinitely? If this
while expression returns false, then terminate statement was the last
thing processed by the script and script exits. At least based on my
tests it seems to work like that.


Martin


[j-nsp] terminate endless loop in SLAX

2018-06-25 Thread Martin T
Hi!

Is there a way to terminate endless loop in SLAX? For example, if I
configure something as simple as that:

match / {
 {
while ( true() ) {
terminate;
}
}
}

..then according to the debugger, the while loop does not seem to be
looping but simply hangs.


thanks,
Martin


Re: [j-nsp] negation operator in SLAX

2018-06-19 Thread Martin T
On Mon, Jun 18, 2018 at 9:40 PM Phil Shafer  wrote:
>
> Martin T writes:
> >Oh, yes. I forgot the not() function. I made a small comparison
> >between not(), jcs:empty() and ! using five data types in SLAX:
>
> "!" and "not" are identical.  The "!" is just syntactic sugar that
> turns "! x " into "not(x)", as you can see in the code:
>
> https://github.com/Juniper/libslax/blob/master/libslax/slaxparser-xp.y#L164
>
> >5) Empty RTF:
> >"not( $rtf )" returns false, which is an expected result because even
> >an empty RTF converts to true. "jcs:empty( $rtf )", to my surprise,
> >returns true. According to documentation, RTF is always considered to
> >not be empty. "! $rtf" returns false.
>
> RTFs are exactly the reason I made jcs:empty(), since it bugs me
> that boolean($rtf) is true.
>
>   http://juniper.github.io/libslax/slax-manual.html#slaxis-empty
>
> And "bugs" is too weak a word.  Imho, RTFs are the chief source of
> slax/xslt violations of the Principle of Least Astonishment.
>
> % cat /tmp/foo.slax
> version 1.2;
>
> var $a :=  {
>"b";
> }
>
> main  {
> var $x = { copy-of $a/z; }
> var $y = $a/z;
>
>  boolean($x);
>  boolean($y);
> }
> % slaxproc -g -E /tmp/foo.slax
> 
> 
>   true
>   false
> 
>
> See also the ":=" assignment operator, which helps avoid RTFs:
>
>   http://juniper.github.io/libslax/slax-manual.html#colon-equals
>
> Thanks,
>  Phil

Again, thank you for explaining this Phil!


Martin


Re: [j-nsp] negation operator in SLAX

2018-06-16 Thread Martin T
Hi!

> There is not() :

Oh, yes. I forgot the not() function. I made a small comparison
between not(), jcs:empty() and ! using five data types in SLAX:


1) False boolean value:
As expected "not( $boolean )" returns true. Also, the "jcs:empty(
$boolean )" returns true because jcs:empty() always considers boolean
data type to be empty. Also, the "! $boolean" returns true. So for
boolean data type everything works as expected.

2) Empty string:
As expected, "not( $string )" returns true. As string is blank, then
"jcs:empty( $string )" also returns true. So does "! $string".

3) Number 0:
Again, "not( $number )", "jcs:empty( $number )" and "! $number" all
return true as expected.

4) Empty node-set:
Again, "not( $node-set )", "jcs:empty( $node-set )" and "! $node-set"
return true.

5) Empty RTF:
"not( $rtf )" returns false, which is an expected result because even
an empty RTF converts to true. "jcs:empty( $rtf )", to my surprise,
returns true. According to documentation, RTF is always considered to
not be empty. "! $rtf" returns false.


So I guess it is safe to say, that "!" is the same as "not()" function?


thanks,
Martin
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] negation operator in SLAX

2018-06-14 Thread Martin T
Hi!

I have quite often used "!" negation operator familiar from other
languages. For example:

/* If string does not match the pattern, then terminate the script. */
if ( ! jcs:regex( $pattern, $string ) )  {
terminate 'Invalid input string!';
}

However, I have not found this method in the official SLAX
documentation or SLAX operators list. Based on my example above, the
suggested solution seems to be to check if jcs:regex returned an empty
node-set or not using jcs:empty:

if ( jcs:empty( jcs:regex( $pattern, $string ) ) ) {
terminate 'Invalid input string!';
}

Just out of curiosity, is there a difference between those two methods?


thanks,
Martin


Re: [j-nsp] How does internal communication between vMX virtual control plane and virtual forwarding plane work?

2018-06-06 Thread Martin T
On Wed, Jun 6, 2018 at 11:17 AM, James Bensley  wrote:
> On 4 June 2018 at 13:46, Martin T  wrote:
>> Hi!
>
> Hi!
>
>> When I deploy a vMX using orchestration scripts, then I end up with
>> following virtualized topology:
>>
>> https://i.imgur.com/bBTXGM0.png
>>
>> Now when I execute "file copy root@192.168.122.1:/tmp/1G_file
>> /dev/zero" in vMX, then I can see that traffic traverses
>> virbr0[ge-0.0.0-vmx1] <-> [ge-0/0/0]vcp-vmx1[em1] <->
>> [vcp-int-vmx1]br-int-vmx1[vfp-int-vmx1] <-> [int]vfp-vmx1. Am I
>> misunderstanding this? Or does it really work in a way that first the
>> VM running Junos receives the traffic, then forwards it to VM running
>> virtualized Trio and then the traffic is forwarded back to Junos VM?
>
> Have I missed something in relation to your topology/config; ge-0/0/0,
> is that meant to provide you with management access to the VCP or is
> it supposed to be a forwarding plane interface? If the latter,
> shouldn't it be connected to the VFP VM and not the VCP VM (assuming
> you are trying to access the control plane over an in-band/forwarding
> plane interface)?
>
> Cheers,
> James.


James,

> ge-0/0/0, is that meant to provide you with management access to the VCP or 
> is it supposed to be a forwarding plane interface?

Management access to the VCP(vcp-vmx1 on my drawing) is over fxp0.
ge-0/0/0 is a forwarding plane interface.


> shouldn't it be connected to the VFP VM and not the VCP VM

I don't know, but that's the way orchestration script deploys it.
Basically the only change I have done to the default vmx.conf YAML
file is removing entries for interfaces ge-0/0/1, ge-0/0/2 and
ge-0/0/3.


Martin


[j-nsp] How does internal communication between vMX virtual control plane and virtual forwarding plane work?

2018-06-04 Thread Martin T
Hi!

When I deploy a vMX using orchestration scripts, then I end up with
following virtualized topology:

https://i.imgur.com/bBTXGM0.png

Now when I execute "file copy root@192.168.122.1:/tmp/1G_file
/dev/zero" in vMX, then I can see that traffic traverses
virbr0[ge-0.0.0-vmx1] <-> [ge-0/0/0]vcp-vmx1[em1] <->
[vcp-int-vmx1]br-int-vmx1[vfp-int-vmx1] <-> [int]vfp-vmx1. Am I
misunderstanding this? Or does it really work in a way that first the
VM running Junos receives the traffic, then forwards it to VM running
virtualized Trio and then the traffic is forwarded back to Junos VM?


thanks,
Martin


[j-nsp] purpose of br-ext-nic and br-int-vmx1-nic interfaces in case of vMX 16.1R2.11

2018-06-04 Thread Martin T
Hi!

When I deploy a vMX named "vmx1" with vmx.sh orchestration script,
then it automatically creates tap devices "br-ext-nic" and
"br-int-vmx1-nic":

$ ip tuntap | grep -E "br-ext-nic|br-int-vmx1-nic"
br-ext-nic: tap UNKNOWN_FLAGS:800
br-int-vmx1-nic: tap UNKNOWN_FLAGS:800
$

"br-ext-nic" is one of the ports of "br-ext" switch and
"br-int-vmx1-nic" is one of the ports of "br-int-vmx1" switch.
However, both ports are down:

$ ip l sh dev br-ext-nic
6: br-ext-nic:  mtu 1500 qdisc pfifo_fast master
br-ext state DOWN mode DEFAULT group default qlen 500
link/ether 52:54:00:9f:a0:77 brd ff:ff:ff:ff:ff:ff
$
$ ip l sh dev br-int-vmx1-nic
8: br-int-vmx1-nic:  mtu 1500 qdisc pfifo_fast
master br-int-vmx1 state DOWN mode DEFAULT group default qlen 500
link/ether 52:54:00:8d:4c:71 brd ff:ff:ff:ff:ff:ff
$

What is the purpose of those two tap interfaces?


thanks,
Martin
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] repeat a character in SLAX certain number of times

2018-03-22 Thread Martin T
Hi!

Let's say I would like to print equals sign $x number of times. In
Python I could do this:

>>> x=5
>>> print("=" * x)
=====
>>>

..or for example, in Bash I could do "for i in $(seq $x); do echo -n
=; done; echo". What is the most elegant way to do this in SLAX? At
the moment I solved it with this:

var $sout = jcs:printf("%.*s", $separator,
"==" _
"==" _
"==" _
"==");

It works, because I know, that $separator is less than 168 characters
long, but maybe there is a better solution.


thanks,
Martin


[j-nsp] Does Junos cli support colors?

2018-03-15 Thread Martin T
Hi!

When I start an ash shell and use terminal escape codes, then string
"Hello" is printed in red as expected:

user@vMX> start shell sh
$ echo $TERM
screen
$ echo -e "\e[31mHello\e[0m"
Hello
$

Is it possible to print colors in Junos cli? My cli terminal type is
also "screen" according to "show cli" command. I tried with few
jcs:output functions like:

expr jcs:output("\\\e[31mHello\\\e[0m\s");
expr jcs:output("\e[31mHello\e[0m");

..and with  elements like:

 "\\\e[31mHello\\\e[0m";
 '"\\\e[31mHello\\\e[0m"';


I guess it is not possible to use colors in SLAX scripts?


thanks,
Martin


Re: [j-nsp] predicates in if statement expression in SLAX

2018-03-15 Thread Martin T
Phil,

thank you for confirming this!



Martin

On Wed, Mar 14, 2018 at 10:52 PM, Phil Shafer <p...@juniper.net> wrote:
> Martin T writes:
>>Is there a difference between following two if statement expressions:
>>if ($node-set/foo/bar == "klm") {
>>..and:
>>if ($node-set[foo/bar == "klm"]) {
>
> If there is, I'm missing it.
>
> The first expression selects a set of "bar" nodes and then returns
> true if any of them are "klm".  The second selects a set of first-level
> nodes under $node-set named "foo" with a "bar" child that equals
> "klm".  While the two expressions build different types (boolean
> .vs. node-set), the resulting booleans should be equivalent: either
> way the result will be false if $node-set contains no "foo" nodes
> which contain "bar" children that equal "klm".
>
> Thanks,
>  Phil


[j-nsp] predicates in if statement expression in SLAX

2018-03-14 Thread Martin T
Hi!

Is there a difference between following two if statement expressions:

if ($node-set/foo/bar == "klm") {
 "blah";
}

..and:

if ($node-set[foo/bar == "klm"]) {
 "blah";
}


Respective XSLT representations are:



..and:




As far as I can tell, those two expressions are identical.


thanks,
Martin
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Conditional statement in XPath predicates

2018-03-12 Thread Martin T
On Fri, Mar 9, 2018 at 8:39 PM, Phil Shafer  wrote:
> Jonathan Looney writes:
>>Actually, come to think of it, this (while untested) will probably work and
>>be much simpler:
>>
>>param $interface = "undef";
>>
>>for-each ($result/physical-interface[$interface == "undef" || name == 
>>$interface]) {
>
> Yup.  The ternary operator ("?:") turns into an , so it's
> not suitable for all expression locations.  SLAX is actually hiding quite
> a fair bit of XSLT plumbing behind "?:".
>
> % slaxproc --slax-to-xslt --partial --name -
> var $x = favorite-color ? "blue" : "green";
> ^D
> 
>   
> 
>   
> 
> 
>   
> 
>   
> 
> http://xml.libslax.org/slax; name="x" 
> select="slax:value($slax-ternary-1)"/>
>
> Thanks,
>  Phil


Jonathan,

this is really elegant solution! Thanks!


Martin


Re: [j-nsp] certain commands executed on CLI provide additional information over corresponding RPCs

2018-03-12 Thread Martin T
On Fri, Mar 9, 2018 at 8:32 PM, Phil Shafer <p...@juniper.net> wrote:
> Martin T writes:
>>However, the actual point of my question was, that where do "show ipv6
>>neighbors" and similar commands take the column names and the answer
>>seems to be, that this is hard-coded in the binary. For example
>>nd6info in case of "show ipv6 neighbors".
>
> No, this isn't true.  The CLI uses descriptions provided by the
> developer to turn XML into human-readable text.  Use "show ipv6
> neighbors | display xml" to see the raw XML.  The nd6info utility
> can generate its own text version, but the UI plumbing invokes it
> with the "-X" option to make XML content instead.  The two are
> likely similar, but the CLI doesn't use the text from nh6info.  The
> idea is to push all UI content into a single consistent code path.
>
> FYI: You might want to take a look at libxo which allows binaries
> to generate both XML and text (and HTML and JSON) from the same
> source code path.
>
> http://juniper.github.io/libxo/libxo-manual.html
>
> This is now part of FreeBSD, so one can say "df --libxo:XP" and get
> pretty-printed XML output on a stock BSD system.
>
> (And no, we haven't moved nd6info over to libxo yet, but we should.)
>
> Thanks,
>  Phil

Saku, Phil,

ok, I see. I didn't think of it from that angle. While for my specific
script it would be convenient to have this CLI meta-data in the
back-end data, then I guess it is indeed much better approach to keep
those two separate.


Phil,

ok. Thanks for this information! In addition, this libxo is a clever
approach. The reason I thought that column names are provided by the
nd6info binary is that it contains printf format string(%-28s %-18s
%-11s %-4u %-3s %-6s) and column descriptions:

$ strings nd6info | grep Linklayer
IPv6 Address Linklayer Address  State   Exp  Rtr
Secure Interface
$

In addition, I didn't know that cli invokes it with "-X" option.
Still, this makes one think where does cli take those column
descriptions? My guess is that it comes from libnd6info-render.so
library.


regards,
Martin
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] certain commands executed on CLI provide additional information over corresponding RPCs

2018-03-09 Thread Martin T
On Fri, Mar 9, 2018 at 2:25 PM, Saku Ytti <s...@ytti.fi> wrote:
> Ah.
>
> Your point is that the strings are different? CLI says 'Rtr' tag says
> 'isrouter'?
>
> I can't relate this being a problem, sorry. The data is there, you can
> classify and reprint it as you wish.
>
> On 9 March 2018 at 12:37, Martin T <m4rtn...@gmail.com> wrote:
>> On Thu, Mar 8, 2018 at 11:51 AM, Saku Ytti <s...@ytti.fi> wrote:
>>> Hey Phil,
>>>
>>> I'm hijacking this for a bit.
>>>
>>> You have | display json and xml, I assume json was relatively modest
>>> amount of work, as you have formal source of data, so someone only
>>> needed to write translator, without being aware of all context to
>>> support | display json, which also means, no one needs to do any work
>>> to get display xml or json to work on new command introduced?
>>>
>>> If this is remotely true, shouldn't it be equally possible to present
>>> all data over SNMP which is presentable as JSON and XML? There are
>>> bunch of gaps on relatively important stuff, which I'd love to see
>>> available in SNMP. This week particularly I was frustrated to find how
>>> 'show class-of-service fabric statistics' is not available over SNMP.
>>> Perhaps introduce some CLI-MIB where all json/xml supporting commands
>>> are generated in OIDs and command in CLI to ask OID for particular
>>> command?
>>>
>>>
>>>
>>>
>>> On 8 March 2018 at 07:26, Phil Shafer <p...@juniper.net> wrote:
>>>> Martin T writes:
>>>>>I have noticed that certain commands executed on CLI provide some
>>>>>additional information over corresponding RPCs. For example "show ipv6
>>>>>neighbors" or "show system storage" on CLI show column names while XML
>>>>>output does not contain this data. Why is that so?
>>>>
>>>> Both the CLI and RPC content contain the same information, but the
>>>> CLI takes the data supplied by the RPC and displays it using rules
>>>> specified by the developer.  These rules include column headers,
>>>> field titles, and other gritty little details.
>>>>
>>>> But these are "display" features.  The API is meant to allow access
>>>> to the data, and to make that data the same data used by the CLI,
>>>> so the API is complete, up-to-date, well-tested, and useful.
>>>>
>>>> If you want to use the API to get pure text data, we do have the
>>>> 'format="text"' attribute that can be put on an RPC.
>>>>
>>>> Thanks,
>>>>  Phil
>>>> ___
>>>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>>
>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>
>>>
>>>
>>> --
>>>   ++ytti
>>
>> Hi Saku,
>>
>>> I don't follow you, the 'column' names are not needed, as they are in the 
>>> tags?
>>
>> Column names are not in the tags. For example, consider a use-case
>> where you want to print the output of "show ipv6 neighbors" similarly
>> to table format of BSD column utility and you would like to use the
>> same column names as the output of "show ipv6 neighbors" CLI command.
>> One way to do this is to manually create a node-set variable for the
>> column names:
>>
>> "var $column_descr := {
>>{
>>  "IPv6 Address";
>>  "Linklayer Address";
>>  "State";
>>  "Exp";
>>  "Rtr";
>>  "Secure";
>>  "Interface";
>>   }
>> }
>>
>> ..and generate another node-set variable using
>> "get-ipv6-nd-information" RPC and finally use the union operator(|) to
>> find the longest row in each column and print the output accordingly.
>>
>>
>> Phil,
>>
>>> Both the CLI and RPC content contain the same information, but the
>>> CLI takes the data supplied by the RPC and displays it using rules
>>> specified by the developer.  These rules include column headers,
>>> field titles, and other gritty little details.
>>
>> Thanks! That's what I suspected. Looks like for example in case of
>> "show ipv6 neighbors", cli process calls nd6info binary which contains
>> the column names and statically set printf format string.
>>
>>
>> re

[j-nsp] Conditional statement in XPath predicates

2018-03-09 Thread Martin T
Hi,

let's say that I have a SLAX script which takes an argument named
"interface". This "interface" can be an IFD. Is it possible to create
an XPath statement for for-each loop, which runs for each interface if
the "interface" is not specified and only for this one specific IFD,
if "interface" is specified? My first idea was to do something like
this:

param $interface = "*";

for-each ($result/physical-interface[name == $interface]) {

}

This works only in case the "interface" argument is specified. When
the "interface" argument is not specified, then interfaces with the
literal name of * are searched and obviously, none are found. When I
define the "interface" parameter like this:

param $interface = *;

..then nothing is printed because $interface seems to be an empty
node-set. As a next step, I tried with conditional statement:

for-each ($result/physical-interface[name == (($interface) ? $interface : *)]) {

}

..or:

for-each ($result/physical-interface[name == (($interface != "") ? $interface : *)]) {

}

..but those do not work either. On the other hand, "[name == *]" works fine.

Am I doing it wrong or such statements are not supported?


thanks,
Martin


Re: [j-nsp] certain commands executed on CLI provide additional information over corresponding RPCs

2018-03-09 Thread Martin T
On Thu, Mar 8, 2018 at 11:51 AM, Saku Ytti <s...@ytti.fi> wrote:
> Hey Phil,
>
> I'm hijacking this for a bit.
>
> You have | display json and xml, I assume json was relatively modest
> amount of work, as you have formal source of data, so someone only
> needed to write translator, without being aware of all context to
> support | display json, which also means, no one needs to do any work
> to get display xml or json to work on new command introduced?
>
> If this is remotely true, shouldn't it be equally possible to present
> all data over SNMP which is presentable as JSON and XML? There are
> bunch of gaps on relatively important stuff, which I'd love to see
> available in SNMP. This week particularly I was frustrated to find how
> 'show class-of-service fabric statistics' is not available over SNMP.
> Perhaps introduce some CLI-MIB where all json/xml supporting commands
> are generated in OIDs and command in CLI to ask OID for particular
> command?
>
>
>
>
> On 8 March 2018 at 07:26, Phil Shafer <p...@juniper.net> wrote:
>> Martin T writes:
>>>I have noticed that certain commands executed on CLI provide some
>>>additional information over corresponding RPCs. For example "show ipv6
>>>neighbors" or "show system storage" on CLI show column names while XML
>>>output does not contain this data. Why is that so?
>>
>> Both the CLI and RPC content contain the same information, but the
>> CLI takes the data supplied by the RPC and displays it using rules
>> specified by the developer.  These rules include column headers,
>> field titles, and other gritty little details.
>>
>> But these are "display" features.  The API is meant to allow access
>> to the data, and to make that data the same data used by the CLI,
>> so the API is complete, up-to-date, well-tested, and useful.
>>
>> If you want to use the API to get pure text data, we do have the
>> 'format="text"' attribute that can be put on an RPC.
>>
>> Thanks,
>>  Phil
>> ___
>> juniper-nsp mailing list juniper-nsp@puck.nether.net

>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
>
> --
>   ++ytti

Hi Saku,

> I don't follow you, the 'column' names are not needed, as they are in the 
> tags?

Column names are not in the tags. For example, consider a use-case
where you want to print the output of "show ipv6 neighbors" similarly
to table format of BSD column utility and you would like to use the
same column names as the output of "show ipv6 neighbors" CLI command.
One way to do this is to manually create a node-set variable for the
column names:

"var $column_descr := {
   {
 "IPv6 Address";
 "Linklayer Address";
 "State";
 "Exp";
 "Rtr";
 "Secure";
 "Interface";
  }
}

..and generate another node-set variable using
"get-ipv6-nd-information" RPC and finally use the union operator(|) to
find the longest row in each column and print the output accordingly.


Phil,

> Both the CLI and RPC content contain the same information, but the
> CLI takes the data supplied by the RPC and displays it using rules
> specified by the developer.  These rules include column headers,
> field titles, and other gritty little details.

Thanks! That's what I suspected. Looks like for example in case of
"show ipv6 neighbors", cli process calls nd6info binary which contains
the column names and statically set printf format string.


regards,
Martin
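The use case described in this message (print the get-ipv6-nd-information reply as a table under the CLI's column names, sizing each column to its longest cell) can be sketched as follows. This is an added example, not code from the thread; the reply is constructed, and its element names and namespace are assumptions to be checked against the device's own XML output.

```python
import xml.etree.ElementTree as ET

# CLI column headings (taken from the thread) mapped to reply elements.
# The element names are assumptions; confirm them on the device.
COLUMNS = [
    ("IPv6 Address", "ipv6-nd-neighbor-address"),
    ("Linklayer Address", "ipv6-nd-neighbor-l2-address"),
    ("State", "ipv6-nd-state"),
    ("Exp", "ipv6-nd-expire"),
    ("Rtr", "ipv6-nd-isrouter"),
    ("Secure", "ipv6-nd-issecure"),
    ("Interface", "ipv6-nd-interface-name"),
]

# Constructed sample reply (documentation addresses, made-up namespace).
# The second entry deliberately lacks the "secure" element.
SAMPLE_REPLY = """\
<ipv6-nd-information xmlns="urn:example:constructed-namespace">
  <ipv6-nd-entry>
    <ipv6-nd-neighbor-address>2001:db8::1</ipv6-nd-neighbor-address>
    <ipv6-nd-neighbor-l2-address>00:00:5e:00:53:01</ipv6-nd-neighbor-l2-address>
    <ipv6-nd-state>reachable</ipv6-nd-state>
    <ipv6-nd-expire>12</ipv6-nd-expire>
    <ipv6-nd-isrouter>yes</ipv6-nd-isrouter>
    <ipv6-nd-issecure>no</ipv6-nd-issecure>
    <ipv6-nd-interface-name>ge-0/0/0.0</ipv6-nd-interface-name>
  </ipv6-nd-entry>
  <ipv6-nd-entry>
    <ipv6-nd-neighbor-address>fe80::200:5eff:fe00:5302</ipv6-nd-neighbor-address>
    <ipv6-nd-neighbor-l2-address>00:00:5e:00:53:02</ipv6-nd-neighbor-l2-address>
    <ipv6-nd-state>stale</ipv6-nd-state>
    <ipv6-nd-expire>1117</ipv6-nd-expire>
    <ipv6-nd-isrouter>no</ipv6-nd-isrouter>
    <ipv6-nd-interface-name>ge-0/0/1.0</ipv6-nd-interface-name>
  </ipv6-nd-entry>
</ipv6-nd-information>
"""


def local_name(tag):
    """Drop the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def rows_from_reply(xml_text):
    """Return one list of cell strings per neighbor entry, in COLUMNS order."""
    root = ET.fromstring(xml_text)
    rows = []
    for entry in root.iter():
        if local_name(entry.tag) != "ipv6-nd-entry":
            continue
        fields = {local_name(child.tag): (child.text or "").strip()
                  for child in entry}
        # A missing element becomes an empty cell instead of shifting columns.
        rows.append([fields.get(tag, "") for _, tag in COLUMNS])
    return rows


def render_table(rows, gap=2):
    """Left-align every column to the width of its longest cell or heading."""
    headers = [heading for heading, _ in COLUMNS]
    widths = [max(len(cell) for cell in column)
              for column in zip(headers, *rows)]
    lines = []
    for row in [headers] + rows:
        padded = (cell.ljust(width) for cell, width in zip(row, widths))
        lines.append((" " * gap).join(padded).rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(rows_from_reply(SAMPLE_REPLY)))
```

The heading list is display data kept on the client side, which matches the split described in the thread: the RPC supplies the values, the caller supplies the presentation.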


Re: [j-nsp] initialize multiple mutable variables in SLAX with the same value

2018-03-09 Thread Martin T
On Thu, Mar 8, 2018 at 7:47 AM, Phil Shafer <p...@juniper.net> wrote:
> Martin T writes:
>>I would like to initialize multiple mutable variables with the same
>>value. I could initialize variables one by one like this:
>
> There's no sort of run-time variable naming like this in SLAX.
> Variable names are just plain tokens (qnames).
>
> If your data is an array, consider using a single variable
> that contains a set of values, like:
>
> var $x := {
>  "one";
>  "two";
>  "three";
> }
>
> so $x[1] is "one" (position() is 1-origin).  This allows
> building data like:
>
> var $x := {
> for-each (some/other/thing) {
>  .;
> }
> }
>
> But this makes updating a single array member difficult.
>
> The root of this is that XSLT (and SLAX) use a very different
> programming model than traditional languages, one that lends itself
> to recursion and immutable variables.  In general, you are better
> off following that model.
>
> That said, sometimes it's easier to think of a problem in traditional
> patterns.  For more background on mutable variables into SLAX:
>
> http://juniper.github.io/libslax/slax-manual.html#mutable-variables-2
>
> Thanks,
>  Phil


Thank you for confirming this! In addition, the inner workings of
libslax mutable variables was an interesting read.


Martin


[j-nsp] initialize multiple mutable variables in SLAX with the same value

2018-03-06 Thread Martin T
Hi!

I would like to initialize multiple mutable variables with the same
value. I could initialize variables one by one like this:

mvar $c1 = 0;
mvar $c2 = 0;
mvar $c3 = 0;
mvar $c4 = 0;
mvar $c5 = 0;
mvar $c6 = 0;
mvar $c7 = 0;

However, is there a better way? My first idea was to use a loop.
Something like this:

for $i (1 ... 7) {
  mvar $c _ $i = 0;
}

..but as I expected, this does not work. For example in bash, I would do:

for i in {1..7}; do
  declare "c$i=0"
done

..or use an array like this: "for i in {1..7}; do c[i]=0; done".


thanks,
Martin


Re: [j-nsp] understaning the copy-node in SLAX

2018-02-12 Thread Martin T
On Mon, Feb 5, 2018 at 9:15 PM, Phil Shafer <p...@juniper.net> wrote:
> Martin T writes:
>>Thanks! And this technique is useful in case cli process expects an
>>element node(for example "interface-information") to have additional
>>attribute nodes(for example "junos:style="terse"")? Does it provide
>>any advantages over statically specifying the attribute node?
>
> No, there's really no advantage.  I almost didn't bother including
> it in the language; it's just there for completeness.  "element
> name()" gives identical functionality.
>
>>For
>>example, here I rewrote two named templates and a match template of an
>>op script example from "Automating Junos Administration" book:
>
> Can you give a page number?
>
>>template handle-logical-intf($family) {
>> {
>>for-each (*[name() != "address-family"]) {
>>copy-of .;
>>}
>>for-each (address-family[address-family-name=$family]) {
>>copy-of .;
>>}
>>}
>>}
>
> You might want:
>
>  {
> copy-of @*;
> for-each ...
>
> ... to copy the attributes off the current node.
>
> Using "copy-node" here gives you a means of avoiding hardcoding
> the name, but that's pretty unimportant for code like this where
> the functionality is so closely tied to the name.
>
> If the W3C had given copy-node a target xpath or an interesting
> default content template (like the identity template), then it would
> be more useful.  But it doesn't.
>
> Thanks,
>  Phil


Phil,

thanks for explaining this! The page number for this script, which I
mentioned, is 391.



Martin


Re: [j-nsp] understaning the copy-node in SLAX

2018-02-05 Thread Martin T
On Fri, Feb 2, 2018 at 10:05 PM, Phil Shafer <p...@juniper.net> wrote:
> Martin T writes:
>>When I run this with traceoptions enabled, then I can see that
>>"<abc a="12" b="34" c="56"/>" is present in the output document. I guess
>>that this inner for-each loop, based on my example, expands to this:
>>
>>copy-node {
>>attribute "a" {
>>expr 12;
>>}
>>attribute "b" {
>>expr 34;
>>}
>>attribute "c" {
>>expr 56;
>>}
>>}
>>
>>Now "copy-node" does its shallow copy and copies "abc" element node
>>and specified three attribute nodes to result tree. Am I correct?
>
> copy-node creates a node with the target (default .) name which you
> can then populate with contents:
>
> https://www.w3.org/TR/1999/REC-xslt-19991116#copying
>
> The xsl:copy element provides an easy way of copying the current
> node. Instantiating the xsl:copy element creates a copy of the
> current node. The namespace nodes of the current node are
> automatically copied as well, but the attributes and children
> of the node are not automatically copied. The content of the
> xsl:copy element is a template for the attributes and children
> of the created node; the content is instantiated only for nodes
> of types that can have attributes or children (i.e. root nodes
> and element nodes).
>
> It's rather like:
>
> element name() {
> ...
> }
>
>>In
>>addition, why does copy-node run only once despite the fact that it is
>>in the for-each loop? Is it because copy-node discards all the child
>>elements of its current node and thus there are no more element
>>nodes(, ,  based on my example) to loop through?
>
> It's simpler than that; it's copying the current node, so there's
> only one of them.  The nested "for-each" hits all the current node's
> attributes, so you end up with:
>
> % cat /tmp/foo.slax
> version 1.2;
>
> var $results := {
>  {
>  {
>  "foo";
> }
> }
> }
>
> main  {
> for-each ($results/abc) {
> copy-node {
> for-each (@*) {
> attribute name(.) {
> expr .;
> }
> }
> }
> }
> }
> % slaxproc -E -g /tmp/foo.slax
> 
> 
>   
> 
> Bock %
>
> Thanks,
>  Phil


Thanks! And this technique is useful in case cli process expects an
element node(for example "interface-information") to have additional
attribute nodes(for example "junos:style="terse"")? Does it provide
any advantages over statically specifying the attribute node? For
example, here I rewrote two named templates and a match template of an
op script example from "Automating Junos Administration" book:

template handle-logical-intf($family) {
 {
for-each (*[name() != "address-family"]) {
copy-of .;
}
for-each (address-family[address-family-name=$family]) {
copy-of .;
}
}
}

template handle-physical-intf($family) {
 {
for-each (*[name() != "logical-interface"]) {
copy-of .;
}
for-each (logical-interface[address-family[
address-family-name=$family]]) {
call handle-logical-intf($family=$family);
}
}
}

match / {
 {
var $con = jcs:open();
var $rpc-query = {
 {
;
}
}
var $results = jcs:execute($con, $rpc-query);
expr jcs:close($con);

if ($family) {
 {
for-each
($results/physical-interface[logical-interface/

address-family[address-family-name=$family]]) {
call
handle-physical-intf($family=$family);
}
}
}
else {
copy-of $results;
}
}
}

It behaves exactly the same as the one using the copy-node statements.


thanks,
Martin


Re: [j-nsp] understanding the root container element of node-set in SLAX

2018-02-05 Thread Martin T
On Fri, Feb 2, 2018 at 9:53 PM, Phil Shafer <p...@juniper.net> wrote:
> Martin T writes:
>>for-each ($results/abc) {
>> name(.);
>>}
>>
>>..then "abc" is printed while I would expect "klm". Is this RTF
>>container-element also named "abc"? However, for example,
>>"$results/abc/abc" does not match anything.
>
> "for-each" whiffles thru the list of elements that have the name
> "abc", so "name(.)" ("the name of the current context node") will
> always be "abc".  Since there are no "abc" elements under "abc",
> "abc/abc" won't match anything.
>
> I always tell folks to read Xpaths from the end element, so "a/b/c"
> means 'any element named "c" parented by any element named "b"
> parented by any element named "a" parented by the current context'.
> Or "d[x==1]/e[y==2]" is 'any element named "e" that has an "y"
> element that is equal to 2, which is parented by an element named
> "d" which have an element named "x" which is equal to 1'.
>
> Thanks,
>  Phil

Phil,

thanks for explaining this! However, let's say that I change the
$results variable to:

var $results = jcs:invoke();


When I print the $results variable in debugger, then I can see following:

(sdb) print $results
[node-set] (1)


Now when I set my for-each statement to "for-each
($results/software-information)", then nothing is printed while in the
case of "for-each ($results/abc)" the "abc" was printed. The reason
for this should be that the current context node in already
"software-information" and there are no "software-information"
elements under "software-information".

So am I correct that such manually set node-set variables add simply a
new (unnamed?) root element which needs to be taken into account when
creating XPath statements?


thanks,
Martin


[j-nsp] understaning the copy-node in SLAX

2018-02-02 Thread Martin T
Hi!

Let's say that I have the following node-set type variable and for-each loop:

var $results := {
 {
 {
 "foo";
 "bar";
}
}
}

for-each ($results/abc) {
copy-node {
for-each (@*) {
attribute name(.) {
expr .;
}
}
}
}

When I run this with traceoptions enabled, then I can see that
"<abc a="12" b="34" c="56"/>" is present in the output document. I guess
that this inner for-each loop, based on my example, expands to this:

copy-node {
attribute "a" {
expr 12;
}
attribute "b" {
expr 34;
}
attribute "c" {
expr 56;
}
}

Now "copy-node" does its shallow copy and copies "abc" element node
and specified three attribute nodes to result tree. Am I correct? In
addition, why does copy-node run only once despite the fact that it is
in the for-each loop? Is it because copy-node discards all the child
elements of its current node and thus there are no more element
nodes(, ,  based on my example) to loop through?


thanks,
Martin


[j-nsp] understanding the root container element of node-set in SLAX

2018-02-02 Thread Martin T
Hi!

Let's say that I define a simple node-set in op script:

var $results := {
 {
 {
 "foo";
}
}
}

When I print the $results variable in debugger, then I can see that
its type is "[node-set] (1) rtf-doc".:

(sdb) print $results
[node-set] (1) rtf-doc

  
foo
  

(sdb)

This should mean that node-set is encapsulated in RTF. I know that I
can access the node-set with $results/abc, but what is confusing for
me is that when I do:

for-each ($results/abc) {
 name(.);
}

..then "abc" is printed while I would expect "klm". Is this RTF
container-element also named "abc"? However, for example,
"$results/abc/abc" does not match anything.


thanks,
Martin


Re: [j-nsp] How is SLAX "version" statement internally used?

2018-02-02 Thread Martin T
On Thu, Feb 1, 2018 at 7:30 PM, Phil Shafer <p...@juniper.net> wrote:
> Martin T writes:
>>"version" statement in SLAX script is mandatory and argument for
>>version statement has to be either 1.0 or 1.1. Based on my testing,
>>1.2 works as well for example in Junos 16.1R2.11. However, is there
>>any difference between "version 1.0" and "version 1.1"? For example,
>>in Junos 16.1R2.11 one could define "version 1.0" and still use
>>functionality introduced in SLAX 1.1 like mutable variables or for
>>loops. How is "version" statement used by cscript/mgd?
>
> At this point, it's strictly informational.  I don't want to "break"
> a script because it uses a new feature, so I don't do enforcement.
> Mainly it's used for output during "slaxproc --write-version"
> processing, which can convert between versions.
>
> http://libslax.readthedocs.io/en/latest/distribution.html#slaxproc-the-slax-processor
>
> http://libslax.readthedocs.io/en/latest/notes.html#slax-version-information
>
> Thanks,
>  Phil

Understood. Thanks!


regards,
Martin


[j-nsp] How is SLAX "version" statement internally used?

2018-02-01 Thread Martin T
Hi!

"version" statement in SLAX script is mandatory and argument for
version statement has to be either 1.0 or 1.1. Based on my testing,
1.2 works as well for example in Junos 16.1R2.11. However, is there
any difference between "version 1.0" and "version 1.1"? For example,
in Junos 16.1R2.11 one could define "version 1.0" and still use
functionality introduced in SLAX 1.1 like mutable variables or for
loops. How is "version" statement used by cscript/mgd?


thanks,
Martin


[j-nsp] template similar to "jcs:load-configuration" in Junos versions prior to 9.3

2017-02-17 Thread Martin T
Hi,

is there a template similar to
"jcs:load-configuration"(http://www.juniper.net/documentation/en_US/junos/topics/reference/scripting/junos-script-automation-template-jcs-load-configuration.html)
in Junos versions prior to 9.3? Or how to commit configuration using
an op script in Junos versions prior to 9.3?


thanks,
Martin


[j-nsp] disaccord in output of "df" and "df " in Junos

2017-01-08 Thread Martin T
Hi,

when I execute "df" in SRX240H2(Junos 12.3X48-D30.7), then I can see
following mount-points:


$ df
Filesystem    512-blocks     Used   Avail Capacity  Mounted on
/dev/da0s2a      1264552   363576  799812    31%    /
devfs                  2        2       0   100%    /dev
/dev/md0           40024    12624   24200    34%    /junos
/cf/packages     1264552   363576  799812    31%    /junos/cf/packages
devfs                  2        2       0   100%    /junos/cf/dev
/dev/md1         1063984  1063984       0   100%    /junos
/cf                40024    12624   24200    34%    /junos/cf
devfs                  2        2       0   100%    /junos/dev/
/cf/packages     1264552   363576  799812    31%    /junos/cf/packages1
procfs                 8        8       0   100%    /proc
/dev/bo0s3e        94304      228   86532     0%    /config
/dev/bo0s3f      1264808   844256  319368    73%    /cf/var
/dev/md2          687744    46788  585940     7%    /mfs
/cf/var/jail     1264808   844256  319368    73%    /jail/var
/cf/var/log      1264808   844256  319368    73%    /jail/var/log
devfs                  2        2       0   100%    /jail/dev
/dev/md3          128728        8  118424     0%    /mfs/var/run/utm
/dev/md4            3768        8    3460     0%    /jail/mfs
$



As seen above, none of the mount-points matches /var/log. Now when I
execute "df /var/log", then I expect it to be on /(and thus on
/dev/da0s2a file-system), but for some odd reason it seems to be
associated with /cf/var(and thus on /dev/bo0s3f file-system):


$ df /var/log
Filesystem  512-blocks    Used   Avail Capacity  Mounted on
/dev/bo0s3f    1264808  844616  319008    73%    /cf/var
$


Or another example where output of "df" and "df " do not match:

$ df /usr
Filesystem  512-blocks     Used  Avail Capacity  Mounted on
/dev/md1       1063984  1063984      0   100%    /junos
$


What causes Junos(or underlying FreeBSD) to behave like that?


thanks,
Martin


[j-nsp] questions regarding Ethernet frame delay measurements

2016-12-05 Thread Martin T
Hi,

I have following questions regarding Ethernet frame delay measurements:

1) Why doesn't "monitor ethernet delay-measurement" support "rapid"
option? According to command reference for Junos 16.2 for MX
series(http://www.juniper.net/techpubs/en_US/junos/topics/reference/command-summary/monitor-ethernet-delay-measurement.html)
minimum "wait" interval is 1 second.

2) Is it possible to configure CFM two-way delay-measurements database
size in a way that "show oam ethernet connectivity-fault-management
delay-statistics maintenance-domain 
maintenance-association " command
displays for example 10 measurements instead of 100 and calculates
measurements summary("Average two-way delay", "Average two-way delay
variation") based on those 10 measurements? At the moment one can
specify "count", but summary is still calculated based on 100
measurement results. For example here I specify "count 5":

  Remote MAC address: 00:19:e2:b1:1d:c0
    Delay measurement statistics:
    Index  One-way delay  Two-way delay
              (usec)         (usec)
      1                       4920
      2                       4916
      3                       4914
      4                       4956
      5                       4919
    Average two-way delay          : 4888 usec
    Average two-way delay variation: 34 usec
    Best case two-way delay        : 3654 usec
    Worst case two-way delay       : 4956 usec

As seen above, "Average two-way delay" or "Average two-way delay
variation" are not calculated based on those 5 measurement results.


3) Is there a way to keep two-way delay-measurements running as a
daemon? As much as I searched, this can only be triggered with
"monitor ethernet delay-measurement" command.



thanks,
Martin


Re: [j-nsp] execute a command in SLAX script which does not have XML RPC equivalent available

2016-11-28 Thread Martin T
Phil,

>Looks like a bug to me.
Thank you for confirming this!

>Please have your AM PR it for us.
Done.


regards,
Martin

On Fri, Nov 25, 2016 at 7:55 PM, Phil Shafer <p...@juniper.net> wrote:
> Looks like a bug to me.  Please have your AM PR it for us.
>
> Thanks,
>  Phil
>
>
>
> Martin T writes:
>>Jonathan, Phil,
>>
>>thank you for replies!  RPC does what I desire
>>for example in Junos versions 13.3R4.6 and 13.3R9.13 but not in
>>14.1R7.4. In 14.1 release for example following code:
>>
>>  var $request_system_license_save_cmd =  {
>> "/tmp/key" ;
>>  }
>>  var $request_system_license_save_results = jcs:invoke(
>>$request_system_license_save_cmd );
>>
>>..creates a file /tmp/key with no content:
>>
>>-rw---  1 root  wheel  0 Nov 25 10:18 key
>>
>>
>>On the other hand, "request system license save /tmp/key" CLI command
>>writes the key into the file. According to "Junos OS 14.1 XML API
>>Operational Developer Reference" the "" is
>>supported on MX series. Is this a bug? Or am I doing something wrong?
>>
>>
>>thanks,
>>Martin
>>
>>On Wed, Aug 17, 2016 at 1:19 AM, Phil Shafer <p...@juniper.net> wrote:
>>> Martin T writes:
>>>>I have a SLAX script where I execute "request system license save
>>>>ftp://root:passwd@10.11.12.5" command.
>>>
>>> [Background: the UI comes in two pieces.  The CLI process handles
>>> terminal I/O, key-bindings, automore, file transfers, and not much
>>> else.  The real brain resides in MGD, which understands commands,
>>> RPCs, how to parse them and what to do with them.]
>>>
>>> The "request system license save" command uses both halves.  MGD
>>> asks CLI to do the transfer, and then MGD does the real work.
>>>
>>> SLAX scripts use the API directly, so it cannot perform the
>>> file-transfer.
>>>
>>> The fix is to pass a local file name to the "request system license
>>> save" command RPC and then do the transfer explicitly using the
>>>  RPC.
>>>
>>> Thanks,
>>>  Phil


Re: [j-nsp] execute a command in SLAX script which does not have XML RPC equivalent available

2016-11-25 Thread Martin T
Jonathan, Phil,

thank you for replies!  RPC does what I desire
for example in Junos versions 13.3R4.6 and 13.3R9.13 but not in
14.1R7.4. In 14.1 release for example following code:

  var $request_system_license_save_cmd =  {
 "/tmp/key" ;
  }
  var $request_system_license_save_results = jcs:invoke(
$request_system_license_save_cmd );

..creates a file /tmp/key with no content:

-rw---  1 root  wheel  0 Nov 25 10:18 key


On the other hand, "request system license save /tmp/key" CLI command
writes the key into the file. According to "Junos OS 14.1 XML API
Operational Developer Reference" the "" is
supported on MX series. Is this a bug? Or am I doing something wrong?


thanks,
Martin

On Wed, Aug 17, 2016 at 1:19 AM, Phil Shafer <p...@juniper.net> wrote:
> Martin T writes:
>>I have a SLAX script where I execute "request system license save
>>ftp://root:passwd@10.11.12.5" command.
>
> [Background: the UI comes in two pieces.  The CLI process handles
> terminal I/O, key-bindings, automore, file transfers, and not much
> else.  The real brain resides in MGD, which understands commands,
> RPCs, how to parse them and what to do with them.]
>
> The "request system license save" command uses both halves.  MGD
> asks CLI to do the transfer, and then MGD does the real work.
>
> SLAX scripts use the API directly, so it cannot perform the
> file-transfer.
>
> The fix is to pass a local file name to the "request system license
> save" command RPC and then do the transfer explicitly using the
>  RPC.
>
> Thanks,
>  Phil
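The command quoted above carries the FTP password inside the URL, and the UI_CMDLINE_READ_LINE and UI_JUNOSCRIPT_CMD syslog events quoted in this thread record the command line as issued, password included. The following added example (not code from the thread) flags such events and redacts the password before the lines are shared or forwarded; the log lines are constructed after the format shown in the thread, and the hostname r1 and the 192.0.2.10 server are made up.

```python
import re

# scheme://user:password@host ; "/" is excluded from the password so that
# "http://host:8080/a@b" is not mistaken for embedded credentials.
URL_CRED = re.compile(
    r"\b(?P<scheme>[a-z][a-z0-9+.-]*)://"
    r"(?P<user>[^\s:/@'\"]+):(?P<password>[^\s/@'\"]+)@"
    r"(?P<host>[^\s/;'\"]+)",
    re.IGNORECASE,
)

# The two Junos UI events that appear in the thread, with the login name.
EVENT = re.compile(
    r"\b(?P<event>UI_CMDLINE_READ_LINE|UI_JUNOSCRIPT_CMD): User '(?P<login>[^']+)'"
)

# Constructed sample lines (one syslog record per string).
SAMPLE_LOG = [
    "Jan  2 04:39:56 r1 file[5314]: UI_CMDLINE_READ_LINE: User 'root', "
    "command 'rpc command request system license save "
    "\"ftp://root:passwd@10.11.12.5\" '",
    "Jan  2 04:39:56 r1 file[5314]: UI_JUNOSCRIPT_CMD: User 'root' used "
    "JUNOScript client to run command 'request system license save "
    "ftp://root:passwd@10.11.12.5'",
    "Jan  2 04:40:10 r1 mgd[5320]: UI_CMDLINE_READ_LINE: User 'root', "
    "command 'show system license '",
    "Jan  2 04:41:02 r1 mgd[5320]: UI_CMDLINE_READ_LINE: User 'root', "
    "command 'file copy /tmp/key scp://backup@192.0.2.10:/keys/ '",
]


def find_exposed_credentials(lines):
    """Report every URL with an embedded password; the password itself is
    never copied into the finding."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        event = EVENT.search(line)
        for match in URL_CRED.finditer(line):
            findings.append({
                "line": lineno,
                "event": event.group("event") if event else None,
                "login": event.group("login") if event else None,
                "scheme": match.group("scheme").lower(),
                "url_user": match.group("user"),
                "host": match.group("host"),
            })
    return findings


def redact(line):
    """Replace the password part of any credential-bearing URL."""
    return URL_CRED.sub(
        lambda m: f"{m.group('scheme')}://{m.group('user')}:<redacted>@{m.group('host')}",
        line,
    )


if __name__ == "__main__":
    for finding in find_exposed_credentials(SAMPLE_LOG):
        print(finding)
    for line in SAMPLE_LOG:
        print(redact(line))
```

A password that has already reached syslog should be treated as exposed and rotated; redaction only limits further copies.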


Re: [j-nsp] MX 14.2R7 / PR1177571

2016-11-07 Thread Martin T
Theo,

did you manage to find a solution for this? We were able to replicate
this behavior in lab and even system reboot did not clear the alarm
message.


thanks,
Martin

On Wed, Oct 26, 2016 at 4:30 PM, Olivier Benghozi
 wrote:
> Here the alarm (detected on the re0 in older version) disappeared as soon as 
> re1 (in newer version) took mastership in the chassis (non-GRES switchover, 
> as specified in JunOS updating documents).
>
>> On 26 Oct 2016 at 15:19, Theo Voss wrote:
>>
>> Hi Santiago,
>>
>> did the alarm disappeared after the 2nd RE was detected with the same 
>> software or after a complete reboot?
>>
>> Best regards,
>> Theo
>>
>> From: santiago martinez
>> Date: Wednesday, 26 October 2016 at 15:15
>> To: Theo Voss
>> Cc: "juniper-nsp@puck.nether.net", Olivier Benghozi
>> Subject: Re: [j-nsp] MX 14.2R7 / PR1177571
>>
>> Hi there, yes we did hit the same PR.
>>
>> the alarm was raised during the upgrade and completely disappear after both 
>> RE. were running the same code version (14.2R6).
>>
>> Regards
>>
>> santiago
>>
>>
>> On 26 Oct 2016 12:00, "Theo Voss" wrote:
>> Hi Olivier,
>>
>> thanks for your reply. Yes, /var is correctly mounted.
>>
>> Best regards,
>> Theo
>>
>> -Original Message-
>> From: juniper-nsp on behalf of Olivier Benghozi
>> Date: Wednesday, 26 October 2016 at 10:59
>> To: "juniper-nsp@puck.nether.net"
>> Subject: Re: [j-nsp] MX 14.2R7 / PR1177571
>>
>> Yes but with 14.2R6 on re0 and 15.1R4 on re1 (so, during the update).
>>
>> Did you check that /var was properly mounted on re1? :)
>>
>> > On 26 Oct 2016 at 10:53, Theo Voss wrote:
>> >
>> > we've upgraded two of our MXs (MX960, 1800x4-32) to 14.2R7 and ran into 
>> > PR1177571 which should already be fixed in R7.
>> >
>> > router> show version invoke-on all-routing-engines | match boot
>> > JUNOS Base OS boot [14.2R7.5]
>> > JUNOS Base OS boot [14.2R7.5]
>> >
>> > router> show system alarms
>> > 1 alarms currently active
>> > Alarm time   Class  Description
>> > 2016-10-25 23:36:53 UTC  Major  Host 1 failed to mount /var off HDD, 
>> > emergency /var created
>> >
>> > Workaround according to Juniper: Upgrade backup RE to the same release 
>> > with master RE. << see "show version".
>> > Resolved In: 13.3R9-S4 13.3R10 14.1R8 >> 14.2R7 << 15.1R4 15.1R5 15.1F5-S3 
>> > 15.1F6-S1 16.1X70-D10 16.1R2 << see "show version".
>> >
>> > Has anybody encountered the same problem?
>>

[j-nsp] source of "/var/transfer/config/_juniper.conf.gz__" file

2016-10-03 Thread Martin T
Hi,

I had a weird behavior with one old Juniper router where
/config/juniper.conf.gz file was not updated during configuration
commit, but configuration archival
file(/var/transfer/config/_juniper.conf.gz__)
sent to remote server over scp included the latest changes. Is the
/var/transfer/config/_juniper.conf.gz__ file not
a copy of /config/juniper.conf.gz but instead for example a database
dump of /var/rundb/juniper.data?


thanks,
Martin


[j-nsp] execute a command in SLAX script which does not have XML RPC equivalent available

2016-08-16 Thread Martin T
Hi,

I have a SLAX script where I execute "request system license save
ftp://root:passwd@10.11.12.5" command. According to
UI_CMDLINE_READ_LINE and UI_JUNOSCRIPT_CMD log messages everything
seems to be fine:

Jan  2 04:39:56   file[5314]: UI_CMDLINE_READ_LINE: User 'root',
command 'rpc command request system license save
"ftp://root:passwd@10.11.12.5" '
Jan  2 04:39:56   file[5314]: UI_JUNOSCRIPT_CMD: User 'root' used
JUNOScript client to run command 'request system license save
filename=ftp://root:passwd@10.11.12.5'

However, FTP connection is not established. I am aware that this
command does not have XML RPC equivalent available. However, is there
some way to still use such commands in SLAX scripts?


thanks,
Martin


Re: [j-nsp] repartition HDD in RE-333-768

2016-07-15 Thread Martin T
Hi,

on a second thought, "request system partition hard-disk" and then
"request system reboot" seems to work as well in that case:

root@m5> request system partition hard-disk
WARNING: Could not read disklabel for s1.
WARNING: Default sizes will be used for hard disk partitions.

WARNING:   The hard disk is about to be partitioned.  The contents
/* output removed for brevity */


This did not work on my test box where MBR was wiped:

root@mx480> request system partition hard-disk
mount: /dev/ad1s1e : No such file or directory
ERROR: Can't access hard disk, aborting partition.

root@mx480>


With this method only one reload is required.


thanks,
Martin

On 7/15/16, Martin T <m4rtn...@gmail.com> wrote:
> Hi,
>
> I have a situation on a remote live router where /dev/ad0s1a
> partition(in FreeBSD terminology) on CF is larger than /dev/ad1s1a
> partition on HDD. In addition /dev/ad0s1e partition is larger than
> /dev/ad1s1e. This means that I'm not able to create a snapshot to
> alternative media. What I need to do is "request system snapshot
> partition", but this is not possible because /dev/ad1s1f is mounted on
> /var. I could unmount the /var, but then the mgd is killed which means
> that I can't execute "request system snapshot partition". Best method
> I could come up with is to change the value of kern.geom.debugflags
> temporarily from 0x0 to 0x10(sysctl kern.geom.debugflags=0x10) in
> order to allow writes to MBR, wipe the MBR(dd if=/dev/zero of=/dev/ad1
> bs=512 count=1) and then reload the router(reboot). During the boot it
> will mount emergency /var to memory file-system and one is able to
> execute "request system snapshot partition". Then again router needs
> to be reloaded so that /dev/ad1s1f is mounted under /var and swap
> space is used. This last step can be done using mount and swapon as
> well.
>
> However, is there some quicker or even non-service-affecting way to
> solve this problem?
>
>
> thanks,
> Martin
>


[j-nsp] repartition HDD in RE-333-768

2016-07-15 Thread Martin T
Hi,

I have a situation on a remote live router where /dev/ad0s1a
partition(in FreeBSD terminology) on CF is larger than /dev/ad1s1a
partition on HDD. In addition /dev/ad0s1e partition is larger than
/dev/ad1s1e. This means that I'm not able to create a snapshot to
alternative media. What I need to do is "request system snapshot
partition", but this is not possible because /dev/ad1s1f is mounted on
/var. I could unmount the /var, but then the mgd is killed which means
that I can't execute "request system snapshot partition". Best method
I could come up with is to change the value of kern.geom.debugflags
temporarily from 0x0 to 0x10(sysctl kern.geom.debugflags=0x10) in
order to allow writes to MBR, wipe the MBR(dd if=/dev/zero of=/dev/ad1
bs=512 count=1) and then reload the router(reboot). During the boot it
will mount emergency /var to memory file-system and one is able to
execute "request system snapshot partition". Then again router needs
to be reloaded so that /dev/ad1s1f is mounted under /var and swap
space is used. This last step can be done using mount and swapon as
well.

However, is there some quicker or even non-service-affecting way to
solve this problem?


thanks,
Martin


Re: [j-nsp] How to catch invalid value/option for a command in SLAX script?

2016-07-11 Thread Martin T
Thanks for the reply! Did I understand you correctly that "if(
$variable == "usb0\ninvalid value" ) {" is actually "if( string(
$variable ) == "usb0\ninvalid value" ) {" and the string() inserts a
newline at the beginning and in the end of the string? Based on the
debugger output it looks like so:

(sdb) p string( $variable )
[string] "
usb0
invalid value
"
(sdb) p string( $variable ) == "usb0\ninvalid value"
[boolean] false
(sdb) p string( $variable ) == "\nusb0\ninvalid value\n"
[boolean] true
(sdb)


thanks,
Martin


On Sat, Jul 9, 2016 at 8:27 PM, Phil Shafer <p...@juniper.net> wrote:
> Martin T writes:
>>I have a following simple SLAX script which executes "show system
>>snapshot media usb0" command in an environment where "usb0" option for
>>"show system snapshot" command is unavailable:
>
> I can't reproduce this on my test box ("command is not valid on the m7i"),
> but the best way to investigate this would be to use the debugger,
> stop on the "==" line, and print the contents of $variable.
>
> Reached breakpoint 2, at /tmp/foo.slax:21
> foo.slax:21: if( $variable == "usb0\ninvalid value" ) {
> (sdb) p $variable
> [node-set] (1)
> http://xml.juniper.net/xnm/1.1/xnm; 
> xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm;>
> 
> command is not valid on the m7i
> 
> 
>
> My guess is that the implicit string() call in the equals test is
> getting you.
>
> Consider using contains() instead of equals:
>
> (sdb) p string($variable) == "\n\ncommand is not valid on m7i\n\n"
> [boolean] false
>
> Thanks,
>  Phil
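The comparison discussed in this thread, modelled in Python as an added example (not code from the posts): XPath's string() concatenates every text node under a node, so the line breaks between child elements become part of the value that == compares. The reply XML and its child element names are constructed to reproduce the debugger output quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed replies (not captured from a router). The child element names are
# assumptions, chosen so the string-value matches the sdb output in the thread.
PRETTY_REPLY = (
    '<xnm:error xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">\n'
    "<token>usb0</token>\n"
    "<message>invalid value</message>\n"
    "</xnm:error>"
)
# Same elements with no whitespace between them.
COMPACT_REPLY = PRETTY_REPLY.replace("\n", "")


def string_value(node):
    """XPath 1.0 string-value of an element: all descendant text, in document order."""
    return "".join(node.itertext())


def node_set_equals(nodes, literal):
    """XPath 'node-set == string': true if any node's string-value equals the literal."""
    return any(string_value(n) == literal for n in nodes)


def contains(nodes, needle):
    """XPath contains(): a node-set argument is converted via string(), i.e. its first node."""
    return bool(nodes) and needle in string_value(nodes[0])


def normalize_space(text):
    """XPath normalize-space(): strip the ends, collapse whitespace runs to one space."""
    return " ".join(part for part in re.split(r"[ \t\r\n]+", text) if part)


def child_text(node, local_name):
    """Text of the first descendant with this local name, ignoring any namespace."""
    for elem in node.iter():
        if elem.tag.rsplit("}", 1)[-1] == local_name:
            return (elem.text or "").strip()
    return None


def compare_all(xml_text):
    """Run each comparison strategy against one reply and return the outcomes."""
    nodes = [ET.fromstring(xml_text)]
    return {
        "string_value": string_value(nodes[0]),
        "equals_bare": node_set_equals(nodes, "usb0\ninvalid value"),
        "equals_padded": node_set_equals(nodes, "\nusb0\ninvalid value\n"),
        "contains": contains(nodes, "invalid value"),
        "normalized": normalize_space(string_value(nodes[0])),
        "message": child_text(nodes[0], "message"),
    }


if __name__ == "__main__":
    for label, reply in (("pretty", PRETTY_REPLY), ("compact", COMPACT_REPLY)):
        print(label, compare_all(reply))
```

Exact equality depends on how the reply happens to be laid out, while the substring test and the lookup of a single child element give the same answer for both layouts.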


[j-nsp] How to catch invalid value/option for a command in SLAX script?

2016-07-08 Thread Martin T
Hi,

I have a following simple SLAX script which executes "show system
snapshot media usb0" command in an environment where "usb0" option for
"show system snapshot" command is unavailable:

root> file show /var/db/scripts/op/template_test.slax | no-more
version 1.1;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";


match / {
    <op-script-results> {

        /* RPC for "show system snapshot media usb0" */
        var $usb_snapshot_version_cmd = <get-snapshot-information> {
            <media> "usb0";
        }
        var $variable = jcs:invoke( $usb_snapshot_version_cmd );

        <output> $variable;
        <output> "usb0\ninvalid value";

        if( $variable == "usb0\ninvalid value" ) {
            <output> "match!";
        }

    }
}

root> op template_test | display xml
http://xml.juniper.net/junos/13.3R8/junos;>

usb0
invalid value


usb0
invalid value






root>


As seen above, "<output> $variable;" and "<output> "usb0\ninvalid
value"" provide identical output. Why doesn't "if( $variable ==
"usb0\ninvalid value" )" statement return true?


thanks,
Martin


Re: [j-nsp] Juniper vmx not able to find op and event script files

2016-05-24 Thread Martin T
Hi,

permissions were following:


root@vMX-A> file list detail /var/db/scripts/op/

/var/db/scripts/op/:
total blocks: 12
-rw-r--r--  1 root  wheel  286 May 19 13:37 test.slax
total files: 1

root@vMX-A>


regards,
Martin

On Tue, May 24, 2016 at 5:03 PM, serge vautour <sergervaut...@gmail.com> wrote:
> What are the file permissions? ls -laF in the /var/db/scripts/op/ folder.
>
> Serge
>
> On Thu, May 19, 2016 at 6:37 PM, Martin T <m4rtn...@gmail.com> wrote:
>>
>> Hi,
>>
>> thanks for reply! Actually I tried that already, but SLAX script file
>> was still not found:
>>
>> root@vMX-A> op ?
>> Possible completions:
>>   

Re: [j-nsp] Juniper vmx not able to find op and event script files

2016-05-20 Thread Martin T
Hi,

unfortunately this doesn't work either:

root@vMX-A> file list detail /var/db/scripts/op/abc.slax
-rw-r--r--  1 root  wheel  286 May 20 06:08 /var/db/scripts/op/abc.slax
total files: 1

root@vMX-A> show configuration system scripts op
file abc.slax {
    command cba;
}

root@vMX-A> op cba
error: invalid filename: /var/db/scripts/op/abc.slax

root@vMX-A>


Any other ideas?


thanks,
Martin

On Fri, May 20, 2016 at 9:06 AM, Alexander Marhold
<alexander.marh...@gmx.at> wrote:
> Hi !
>
> Maybe it is not a good idea to name a file equal to a possible command.
>
> Ever tried renaming the file to abc ?
> Second possibility is that in the config you define something like:
>
>  set system scripts op file policy-test.slax command tpol
>
> and then call it with op tpol ...
>
>
> regards
>
> alexander
>
> -Original Message-
> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of
> Martin T
> Sent: Thursday, 19 May 2016 23:38
> To: serge vautour
> Cc: juniper-nsp
> Subject: Re: [j-nsp] Juniper vmx not able to find op and event script files
>
> Hi,
>
> thanks for reply! Actually I tried that already, but SLAX script file was
> still not found:
>
> root@vMX-A> op ?
> Possible completions:
>   

Re: [j-nsp] Juniper vmx not able to find op and event script files

2016-05-19 Thread Martin T
Hi,

thanks for reply! Actually I tried that already, but SLAX script file
was still not found:

root@vMX-A> op ?
Possible completions:
  

[j-nsp] Juniper vmx not able to find op and event script files

2016-05-19 Thread Martin T
Hi,

I have a Juniper vmx router running Junos 14.1R1.10. For some reason
it does not find op and event scripts. For example:

root@vMX-A> file list detail /var/db/scripts/op/

/var/db/scripts/op/:
total blocks: 12
-rw-r--r--  1 root  wheel  286 May 19 13:37 test.slax
total files: 1

root@vMX-A> show configuration system scripts
op {
    file test.slax;
}

root@vMX-A> op test.slax detail
error: invalid filename: /var/db/scripts/op/test.slax

root@vMX-A>


..or in case of an event script:

[edit]
root@vMX-A# run file list detail /var/db/scripts/event/

/var/db/scripts/event/:
total blocks: 12
-rw-r--r--  1 root  wheel  286 May 19 13:25 test.slax
total files: 1

[edit]
root@vMX-A# run file show /var/db/scripts/event/test.slax
version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

match / {
{
   }
}

[edit]
root@vMX-A# show | compare
[edit]
+  event-options {
+  event-script {
+  file test.slax;
+  }
+  }

[edit]
root@vMX-A# commit check
error: invalid filename: /var/db/scripts/event//test.slax
error: Reading the configuration from event scripts failed
error: configuration check-out failed

[edit]
root@vMX-A#


I also tried to load scripts from flash("load-scripts-from-flash") and
stored the scripts in respective directory under /config, but this
didn't help.


Am I doing something wrong?


thanks,
Martin


[j-nsp] archived configuration file removed if transfer to remote host failed

2016-02-08 Thread Martin T
Hi,

I have a router(Juniper M10i, 12.3R6.6) with following simple
configuration archival setup:

configuration {
    transfer-on-commit;
    archive-sites {
        "scp://user@10.10.10.1:/home/user/conf" password "$9$ALhdbYIDk.PQwUQn/A1IolKvxd29Zjzl"; ## SECRET-DATA
    }
}


I accidentally removed the destination directory for
scp(/home/user/conf/) from 10.10.10.1 host and router obviously failed
to upload its configuration:

Feb  8 08:55:55.980 2016  router logger: %DAEMON-3: transfer-file
failed to transfer
/var/transfer/config/router_juniper.conf.gz_20160208_085553
Feb  8 09:05:52.425 2016  router logger: %DAEMON-3: transfer-file
failed to transfer
/var/transfer/config/router_juniper.conf.gz_20160208_085553
Feb  8 09:15:47.443 2016  router pfed: %USER-3: Error <256> uploading
file '/var/transfer/config/router_juniper.conf.gz_20160208_085553'


However, for some reason, router did not store the configuration
archival file in /var/transfer/config/ directory after the
unsuccessful scp attempts. Has anyone seen such behavior where
configuration archival file is removed after an unsuccessful upload?


thanks,
Martin


[j-nsp] understand the index in jcs:break-lines() function in SLAX

2016-01-14 Thread Martin T
Hi,

jcs:break-lines() function in SLAX allows one to break content into
multiple lines. For example here I break the output of "show chassis
mac-addresses" into lines:

version 1.0;

ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

match / {
    <op-script-results> {

        var $sh_mac_results = jcs:invoke( "get-chassis-mac-addresses" );
        var $line = jcs:break-lines( $sh_mac_results );
        <output> $line;

    }
}

However, script above returns an empty line. Now if I add for example
index "0" or "1" to "$line" variable, then nothing changes. If I add
index "2" (e.g. <output> $line[2];), then the first line of "show
chassis mac-addresses" command is printed:

root@M10i> op RE
MAC address information:

root@M10i>

How are those indexes numbered? Only thing that I can think of is that
those are indexed from zero and first line is "http://xml.juniper.net/junos/13.3R8/junos;>" which is not
printed, second line is "" which is also not printed and then
the third line would be "MAC address information:". However, I could
easily be wrong. Indexes in jcs:regex() are well documented and
logical, but I could not find any information regarding indexes for
jcs:break-lines() function..



thanks,
Martin


Re: [j-nsp] read CLI "banner" XML element value with SLAX script

2016-01-14 Thread Martin T
$junos-context variable works perfectly!


PS. Thanks for writing such book! I made a pre-order for printed version.


Martin

On 1/14/16, Phil Shafer <p...@juniper.net> wrote:
> Martin T writes:
>>Junos has "banner" XML element under "rpc-reply" and "cli" hierarchy:
>
> This is really only available between cli and mgd.  It's internal
> and we shouldn't display it at all during "display xml".  There's
> a PR to stop showing it.
>
> Like Jonathan said, the $junos-context is a better source.
>
> Thanks,
>  Phil
>


[j-nsp] sequential commands in SLAX

2016-01-14 Thread Martin T
Hi,

while I am aware of jcs:open() function, which allows one to execute
commands on other routing-engine, I was wondering if following logic
is also possible in SLAX:

$ cat login_to_other_re.slax
version 1.0;

ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
import "../import/junos.xsl";

match / {
    <op-script-results> {

        /* rlogin to second RE */
        var $cmd_login_other_re = <command> "request routing-engine login other-routing-engine";
        var $cmd_login_other_re_results = jcs:invoke( $cmd_login_other_re );

        /* print out the name of the second RE */
        <output> $junos-context//routing-engine-name;

        /* exit rlogin session */
        var $cmd_quit_other_re = <command> "quit";
        var $cmd_quit_other_re_results = jcs:invoke( $cmd_quit_other_re );

    }
}
$


Why doesn't such approach work?


thanks,
Martin


Re: [j-nsp] sequential commands in SLAX

2016-01-14 Thread Martin T
Wojciech,

I didn't know that, thanks! However, I also tried with jcs:open(),
jcs:execute() and jcs:close() but this didn't change anything:


$ cat login_to_other_re.slax
version 1.0;

ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
import "../import/junos.xsl";

match / {
    <op-script-results> {

        /* open local management session */
        var $connection = jcs:open();

        /* rlogin to second RE */
        var $cmd_login_other_re = <command> "request routing-engine login other-routing-engine";
        var $cmd_login_other_re_results = jcs:execute( $connection, $cmd_login_other_re );

        /* print out the name of the second RE */
        <output> $junos-context//routing-engine-name;

        /* exit rlogin session */
        var $cmd_quit_other_re = <command> "quit";
        var $cmd_quit_other_re_results = jcs:execute( $connection, $cmd_quit_other_re );

        /* close management session */
        expr jcs:close( $connection );

    }
}
$

thanks,
Martin

On 1/14/16, Wojciech Janiszewski <wojciech.janiszew...@gmail.com> wrote:
> Hi Martin,
>
> I believe that jcs:invoke() is just a shortcut for jcs:open(),
> jcs:execute() and jcs:close(), so you get a new connection each time you
> execute jcs:invoke().
>
> Regards,
> Wojciech
>
> 2016-01-14 10:23 GMT+01:00 Martin T <m4rtn...@gmail.com>:
>
>> Hi,
>>
>> while I am aware of jcs:open() function, which allows one to execute
>> commands on other routing-engine, I was wondering if following logic
>> is also possible in SLAX:
>>
>> $ cat login_to_other_re.slax
>> version 1.0;
>>
>> ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
>> import "../import/junos.xsl";
>>
>> match / {
>>     <op-script-results> {
>>
>>         /* rlogin to second RE */
>>         var $cmd_login_other_re = <command> "request routing-engine login other-routing-engine";
>>         var $cmd_login_other_re_results = jcs:invoke( $cmd_login_other_re );
>>
>>         /* print out the name of the second RE */
>>         <output> $junos-context//routing-engine-name;
>>
>>         /* exit rlogin session */
>>         var $cmd_quit_other_re = <command> "quit";
>>         var $cmd_quit_other_re_results = jcs:invoke( $cmd_quit_other_re );
>>
>>     }
>> }
>> $
>>
>>
>> Why doesn't such approach work?
>>
>>
>> thanks,
>> Martin


[j-nsp] read CLI "banner" XML element value with SLAX script

2016-01-13 Thread Martin T
Hi,

Junos has "banner" XML element under "rpc-reply" and "cli" hierarchy:


  

  


Is it somehow possible to read the value of "banner" element with SLAX
script? For example I have a router with dual routing-engines, i.e
"banner" element has either value of "{master}" or "{backup}":

{master}
root@M10i> show version brief | display xml | find cli

{master}



{master}
root@M10i>


Now if I try to print the value of "banner" element, then this does not work:


{master}
root@M10i> file show /var/db/scripts/op/show-banner.slax
version 1.0;

ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

match / {
    <op-script-results> {
        var $sh_ver_cmd = <command> "show version brief";
        var $sh_ver_cmd_out = jcs:invoke( $sh_ver_cmd );
        var $banner_var = $sh_ver_cmd_out//banner;
        <output> $banner_var;
    }
}

{master}
root@M10i> op show-banner


{master}
root@M10i>


Is there a way to process everything between 
elements? I'm afraid that my script processes data between
 and  elements.


thanks,
Martin


[j-nsp] How to understand DRAM field in "show chassis routing-engine" output?

2016-01-12 Thread Martin T
Hi,

on some Juniper platforms there is a separate value for DRAM size and
installed memory size in "show chassis routing-engine" output. For
example "show chassis routing-engine" output in M10i and MX960
routers:

root@M10i> show chassis routing-engine | match "DRAM"
DRAM  1536 MB (1536 MB installed)

root@M10i>

..or:

{master}
root@MX960> show chassis routing-engine | match "DRAM"
DRAM  3584 MB (4096 MB installed)
DRAM  3584 MB (3584 MB installed)

{master}
root@MX960>


Am I correct that DRAM size is the amount of memory which Junos is
able to allocate and installed memory size is the amount of physical
memory installed? If yes, then are there any other causes other than
32bit Junos when not all the installed memory can't be allocated?


thanks,
Martin


[j-nsp] understand "version" and "ns"(namespace) statements in SLAX scripts

2015-12-22 Thread Martin T
Hi,

if I look the SLAX script examples in Juniper web-site, then almost
all of those examples have "version" and multiple "ns" statements. For
example:

version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
ns ext = "http://xmlsoft.org/XSLT/namespace";


While I understand the idea of namespace in XML, then what is the
point of those statements in SLAX scripts? In addition, how does the
"version" statement work? Looks like this is (for some reason)
mandatory as let's say that I have a following very simple script:

$ cat hello_world.slax
version 1.0;

match / {
    <op-script-results> {
        <output> "Hello World!";
    }
}
$

..and I remove the "version 1.0;" line, then the script does not operate:

> op hello_world
error: /var/db/scripts/op/hello_world.slax:1: missing 'version'
statement; 'match' is not legal
error: /var/db/scripts/op/hello_world.slax: 1 error detected during parsing
error: error reading stylesheet: hello_world.slax

>



thanks,
Martin


Re: [j-nsp] NETCONF in Junos

2015-12-21 Thread Martin T
Thanks!


Martin

On 12/21/15, Matt Bernstein via juniper-nsp <juniper-nsp@puck.nether.net> wrote:
> On 21/12/2015 08:57, Martin T wrote:
>> Thanks! So as I understand, the general idea is that it doesn't matter
>> much for Junos if the command is executed in the CLI or from the
>> remote(management server) NETCONF manager, i.e. Junos is basically
>> built around the NETCONF? However, local calls(for example if one
>> executes "show version" in Junos CLI) do not travel internally over
>> SSH as remote calls would, do they?
> Yes. the Junos CLI can itself be considered a (really nice) NETCONF
> wrapper. It makes me idly wish other vendors' NETCONF implementations
> were good enough that the Junos CLI could be used on them!
>
> I doubt the CLI uses SSH internally, but I suppose it wouldn't really
> matter if it did.
>
> Matt


[j-nsp] NETCONF in Junos

2015-12-20 Thread Martin T
Hi,

if I execute for example "show version brief | display xml" command,
then the router returns:

http://xml.juniper.net/junos/12.3R6/junos;>

r1
m10i
m10i

junos
JUNOS Base OS boot [12.3R6.6]


/* additional data removed for brevity  */



{master}



Is it a reply to NETCONF  operation? Does this mean that each for
example "show" command in Junos is a communication (over TCP/IP)
between the NETCONF manager(sends the ) and agent(sends the
) in the same router?


thanks,
Martin


[j-nsp] per flow rate-limiting on Juniper equipment

2015-12-02 Thread Martin T
Hi,

which Juniper products support per flow rate-limiting? I mean similar
functionality to for example iptables "recent"
module(http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.html#ss3.16).
For example following iptables rules build dynamic source IP list if
new(not a reply traffic) UDP traffic with source port 53 enter the
interface eth0 and allow 4 packets within 10 seconds per IP address
through:

# iptables -t filter -L FORWARD -nv --line-numbers
Chain FORWARD (policy ACCEPT 9 packets, 1704 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       40  7200            udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spt:53 state NEW recent: SET name: DNS-traffic-sources side: source mask: 255.255.255.255
2       34  6120 DROP       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spt:53 state NEW recent: UPDATE seconds: 10 hit_count: 4 name: DNS-traffic-sources side: source mask: 255.255.255.255
#


Is there any Juniper equipment which is able to do this?


thanks,
Martin
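
A simplified model of the two "recent" rules in the listing above, added here as an example (not part of the original post), to show which packets of a given source reach the DROP rule. It assumes every packet is UDP with source port 53, arrives on eth0 and is in conntrack state NEW; the size of the per-address timestamp ring and the traffic are constructed for the illustration.

```python
from collections import defaultdict, deque

SECONDS = 10      # "recent: UPDATE seconds: 10"
HIT_COUNT = 4     # "hit_count: 4"
MAX_STAMPS = 20   # assumption: timestamps remembered per source address


class RecentList:
    """Per-source timestamp list, standing in for the DNS-traffic-sources list."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=MAX_STAMPS))

    def set(self, src, now):
        # Rule 1 (SET): always record the packet. The rule has no target,
        # so the packet continues to rule 2.
        self.stamps[src].append(now)

    def update(self, src, now):
        # Rule 2 (UPDATE seconds 10 hit_count 4): match when at least HIT_COUNT
        # timestamps lie inside the window; a match is itself recorded.
        in_window = [t for t in self.stamps[src] if now - t <= SECONDS]
        matched = len(in_window) >= HIT_COUNT
        if matched:
            self.stamps[src].append(now)
        return matched


def forward_chain(packets):
    """packets: (time_s, src_ip) tuples in time order. Returns (time_s, src_ip, verdict)."""
    table = RecentList()
    verdicts = []
    for now, src in packets:
        table.set(src, now)
        verdict = "DROP" if table.update(src, now) else "ACCEPT"  # chain policy is ACCEPT
        verdicts.append((now, src, verdict))
    return verdicts


def verdicts_for(verdicts, src):
    """Verdict sequence for one source address."""
    return [v for _, s, v in verdicts if s == src]


def constructed_traffic():
    """Constructed sample input using documentation addresses."""
    steady = [(t, "192.0.2.10") for t in range(30)]          # 1 packet/s for 30 s
    slow = [(t, "192.0.2.20") for t in range(0, 30, 5)]      # 1 packet every 5 s
    burst = [(0, "192.0.2.30")] * 6 + [(15, "192.0.2.30")]   # 6 at once, 1 after a pause
    return sorted(steady + slow + burst, key=lambda p: p[0])


if __name__ == "__main__":
    result = forward_chain(constructed_traffic())
    for src in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        seq = verdicts_for(result, src)
        print(src, "accepted", seq.count("ACCEPT"), "dropped", seq.count("DROP"))
```

In this model a matching UPDATE refreshes the source's entry, so a source that keeps sending stays in the DROP branch until it has been quiet long enough for fewer than four timestamps to remain inside the window.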


Re: [j-nsp] authentication failure in case of configuration archival over scp

2015-10-26 Thread Martin T
Stacy,

I configured SSH server(OpenSSH) to log both the user name and
password for all the successful and unsuccessful authorization
attempts and turned out, that Juniper router sends an empty string as
a password. I guess Junos uses FreeBSD scp utility for configuration
archival if following configuration is used:

configuration {
    transfer-on-commit;
    archive-sites {
        "scp://juniper@backupserver:/home/juniper/configbackups" password "$9$2joDkf5F9tOik0IhcMWGDjq5Q"; ## SECRET-DATA
    }
}


If yes, then Junos probably provides an empty password string to scp.
Underlying XML also holds the correct obfuscated password, i.e. as far
as I can tell, the password in configuration is correct. I also tried
with other passwords, but the router still sends an empty string. How
to troubleshoot this further? Has anyone seen such behavior(possibly a
bug) before?


thanks,
Martin

On Wed, Oct 21, 2015 at 7:39 PM, Stacy W. Smith <st...@acm.org> wrote:
>
>> On Oct 21, 2015, at 10:16 AM, Martin T <m4rtn...@gmail.com> wrote:
>>
>> SSH server log tells that "error: PAM: Authentication failure for juniper 
>> from r1".
>
>> What might cause this?
>
> Assuming the Junos version has not changed on the router, have there been any 
> changes to the SSH server, or the OS, on backupserver (potentially including 
> "security patches")?
>
> Assuming OpenSSH, you may want to "man sshd_config" and look into the various 
> Authentication settings as well as the UsePAM. I suspect some recent 
> upgrade may have changed the default value of some of these settings.
>
> I would normally suggest changing the client's config to interoperate with 
> the server, but since that's not easy to do on a Junos device, you might look 
> at changing the server config.
>
> --Stacy
>


[j-nsp] authentication failure in case of configuration archival over scp

2015-10-21 Thread Martin T
Hi,

I have a Juniper router(Junos 10.4R12.4) which should archive its
configuration over scp in case of commit:

configuration {
    transfer-on-commit;
    archive-sites {
        "scp://juniper@backupserver:/home/juniper/configbackups" password "$9$2joDkf5F9tOik0IhcMWGDjq5Q"; ## SECRET-DATA
    }
}

In addition, it has SSH server public-key under "ssh-known-hosts".
This setup worked fine for a while, but all of the sudden router is no
longer able to scp its configuration to server. Router simply logs
that "transfer-file failed to transfer" and SSH server log tells that
"error: PAM: Authentication failure for juniper from r1". If I execute
scp from shell("start shell sh"), then there are no problems:

$ scp /var/transfer/config/r1_juniper.conf.gz_20151021_135546 juniper@backupserver:/home/juniper/configbackups
Password:
r1_juniper.conf.gz_20151021_135546    100%   64KB  64.4KB/s   00:00
$


What might cause this?


thanks,
Martin


Re: [j-nsp] understand "request system software rollback" in Junos

2015-10-16 Thread Martin T
Markus,

I have jbundle packages present in /var/sw/pkg/ directory:

root> file list detail /var/sw/pkg/*jbundle*
-r-xr-xr-x  1 root  wheel  640238884 Oct 1  08:20
/var/sw/pkg/jbundle-13.2R8.2.tgz*
-rw-r--r--  1 root  wheel  735837145 Oct 1  16:12
/var/sw/pkg/jbundle-13.3R6.5.tgz
total files: 2

root>

Looks like those are installed during the system
installation/upgrade(both in case of installation media or jinstall
package).



Oliver,

if I check the release notes for versions 12.3, 13.2, 13.3 or 14.1
then they all say that one can not issue the "request system software
rollback" command to return to previously installed software.
According to Junos command reference, the behavior of "request system
software rollback" command changed in version 12.1. Since Junos 12.1
the "request system software rollback" restores the system to known
good state. What does this known good state mean?

In addition, I have one older router which had Junos 7.4R1.7
installed. I executed "request system snapshot" and then upgraded to
Junos 8.5R4.3 using a jinstall package. Once the router booted up with
the Junos 8.5R4.3 I executed "request system software rollback"
command, but this still does not seem to do anything:

root> show version brief
Model: m20
JUNOS Base OS boot [8.5R4.3]
JUNOS Base OS Software Suite [8.5R4.3]
JUNOS Kernel Software Suite [8.5R4.3]
JUNOS Crypto Software Suite [8.5R4.3]
JUNOS Packet Forwarding Engine Support (M/T Common) [8.5R4.3]
JUNOS Packet Forwarding Engine Support (M20/M40) [8.5R4.3]
JUNOS Online Documentation [8.5R4.3]
JUNOS Routing Software Suite [8.5R4.3]

root> file list detail /var/sw/pkg/

/var/sw/pkg/:
total 750828
-r-xr-xr-x  1 root  wheel   68303371 Oct 16 14:11 jbundle-7.4R1.7.tgz*
-rw-r--r--  1 root  wheel  155872954 Oct 16 14:38 jbundle-8.5R4.3.tgz
-rwxr-xr-x  1 root  wheel  160039672 Oct 16 14:28
jinstall-8.5R4.3-domestic-signed.tgz*
-rw-r--r--  1 root  wheel        122 Oct 16 14:38 rollback

root> request system software rollback

root>


Any comments?


thanks,
Martin

On 10/2/15, Olivier Benghozi <olivier.bengh...@wifirst.fr> wrote:
> http://www.juniper.net/techpubs/en_US/junos13.3/information-products/topic-collections/release-notes/13.3/topic-83364.html#rn-downgrade
>
> "To downgrade from Release 13.3 to another supported release, follow the
> procedure for upgrading, but replace the 13.3 jinstall package with one that
> corresponds to the appropriate release."
>
> and
>
> "Note: After you install a Junos OS Release 13.3 jinstall package, you
> cannot issue the request system software rollback command to return to the
> previously installed software. Instead you must issue the request system
> software add validate command and specify the jinstall package that
> corresponds to the previously installed software."
>
>
>> On 1 Oct 2015 at 22:57, Markus <unive...@truemetal.org> wrote:
>>
>> On 01.10.2015 at 18:25, Martin T wrote:
>>> When can one use "request system software rollback"?
>>
>> http://www.juniper.net/documentation/en_US/junos13.3/topics/reference/command-summary/request-system-software-rollback.html
>>
>> "A software rollback fails if any required package (or a jbundle package
>> containing the required package) cannot be found in /var/sw/pkg."
>
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] understand the DRAM usage on CFEB(FEB-M10i-M7i-S)

2015-10-02 Thread Martin T
This makes sense. Thanks!


regards,
Martin

On 10/1/15, Michael Loftis <mlof...@wgops.com> wrote:
> It's not quite the FIB, it's a representation of it (J-Tree) for
> lookups.  I don't recall much of the specifics past that on the
> FEB/CFEB of the M7i/M10i because there's the other memories involved
> too and I can't recall how they're used.  But yes the microkernel is
> given a digest of the FIB as a j-tree which it keeps a copy of.
>
> On Thu, Oct 1, 2015 at 5:51 AM, Martin T <m4rtn...@gmail.com> wrote:
>> One last question- am I correct that copy of FIB is kept on this
>> microkernel SDRAM? I mean there seems to be a clear correlation
>> between amount of routes in router and CFEB microkernel memory
>> utilization. The reason I assume this is because if I upgrade the
>> SDRAM SODIMM on CFEB(i.e. upgrade the memory for microkernel), then
>> total amount of "heap" memory on CFEB increases and if router has more
>> routes, then the usage of "heap" memory increases.
>>
>>
>> thanks,
>> Martin
>>
>> On 9/30/15, Martin T <m4rtn...@gmail.com> wrote:
>>> Ok, thanks! I had never seen a solution where parity information is
>>> stored in additional individual SDRAM chips. So in conclusion 128MiB
>>> of on-board SDRAM is used for packet memory, 64MiB of on-board SDRAM
>>> is used for packet memory parity information and replaceable DDR SDRAM
>>> SODIMM is used solely for the PFE microkernel.
>>>
>>>
>>> regards,
>>> Martin
>>>
>>> On 9/29/15, Michael Loftis <mlof...@wgops.com> wrote:
>>>> The "extra" SDRAM chips.  The packet memory has parity or ECC bits, I
>>>> actually do not recall for sure which, but the "extra" is for those
>>>> extra bits.
>>>>
>>>> On Tue, Sep 29, 2015 at 12:45 PM, Martin T <m4rtn...@gmail.com> wrote:
>>>>> What do you mean?
>>>>>
>>>>>
>>>>> thanks,
>>>>> Martin
>>>>>
>>>>> On Tue, Sep 29, 2015 at 8:45 PM, Michael Loftis <mlof...@wgops.com>
>>>>> wrote:
>>>>>> Parity/ECC.
>>>>>>
>>>>>> On Tue, Sep 29, 2015 at 7:32 AM, Martin T <m4rtn...@gmail.com> wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> according to Juniper M10i Compact Forwarding Engine
>>>>>>> Board(http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/concept/cfeb-m10i-description.html)
>>>>>>> documentation it has 128 MiB SDRAM for packet memory and 128 MiB
>>>>>>> SDRAM
>>>>>>> for the microkernel. If I visually inspect the CFEB, then it has
>>>>>>> twelve "MT 46V8M16" DDR SDRAM chips which means 12x 134217728 bits,
>>>>>>> i.e. 192MiB of on-board soldered DDR SDRAM. Questions:
>>>>>>>
>>>>>>> 1) Are four "MT 46V8M16" DDR SDRAM chips actually not in use? If
>>>>>>> they
>>>>>>> are in use, then what for?
>>>>>>>
>>>>>>> 2) Am I correct that on-board soldered DRAM is used for shared
>>>>>>> packet
>>>>>>> buffer and installable DDR SDRAM SODIMM is used for the microkernel?
>>>>>>>
>>>>>>>
>>>>>>> thanks,
>>>>>>> Martin
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> "Genius might be described as a supreme capacity for getting its
>>>>>> possessors
>>>>>> into trouble of all kinds."
>>>>>> -- Samuel Butler
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> "Genius might be described as a supreme capacity for getting its
>>>> possessors
>>>> into trouble of all kinds."
>>>> -- Samuel Butler
>>>>
>>>
>
>
>
> --
>
> "Genius might be described as a supreme capacity for getting its possessors
> into trouble of all kinds."
> -- Samuel Butler
>


Re: [j-nsp] HDD requirements for RE-333 and RE-600

2015-10-01 Thread Martin T
Hi,

looks like this is indeed a BIOS limitation of RE-333 and RE-600.
According to http://www.drivesolutions.com/info/aboutbios.shtml
document "if your drive is greater than 33.8 Gbytes, your system BIOS
may freeze or lockup at Power On Self Test (POST)". Probably the BIOS
on RE-333 and RE-600 simply does not support drives larger than
33.8GB(http://www.pcguide.com/ref/hdd/bios/sizeGB315-c.html).


regards,
Martin

On 9/30/15, Martin T <m4rtn...@gmail.com> wrote:
> On 9/30/15, Chris Cappuccio <ch...@nmedia.net> wrote:
>> Martin T [m4rtn...@gmail.com] wrote:
>>> Hi,
>>>
>>> while the original HDDs are in slave mode, I did try with cable-select
>>> and in master mode as well, but the RE did not boot with the Hitachi
>>> HTS541680J9AT00 HDD. I would expect to see at least the BIOS
>>> screen(http://s8.postimg.org/vuae8mx39/RE_600_BIOS_screen.jpg), but
>>> with Hitachi drive the RE does not seem to boot at all. That's the
>>> reason why I suspected the power consumption problem. However, any
>>> other ideas?
>>>
>>
>> Lots of drives are not compatible. Try another, but make sure you are
>> only changing one thing at a time. If you are putting in a different CF
>> card at the same time, you have no idea which change is incompatible
>> (perhaps both...)
>>
>
> I see. However, do you happen to know why certain drives are not
> compatible? I would expect to see at least the BIOS
> screen(http://s8.postimg.org/vuae8mx39/RE_600_BIOS_screen.jpg), but
> with Hitachi drive the RE does not seem to pass POST and boot at all.
>
>
> thanks,
> Martin
>


Re: [j-nsp] understand the DRAM usage on CFEB(FEB-M10i-M7i-S)

2015-10-01 Thread Martin T
One last question- am I correct that copy of FIB is kept on this
microkernel SDRAM? I mean there seems to be a clear correlation
between amount of routes in router and CFEB microkernel memory
utilization. The reason I assume this is because if I upgrade the
SDRAM SODIMM on CFEB(i.e. upgrade the memory for microkernel), then
total amount of "heap" memory on CFEB increases and if router has more
routes, then the usage of "heap" memory increases.


thanks,
Martin

On 9/30/15, Martin T <m4rtn...@gmail.com> wrote:
> Ok, thanks! I had never seen a solution where parity information is
> stored in additional individual SDRAM chips. So in conclusion 128MiB
> of on-board SDRAM is used for packet memory, 64MiB of on-board SDRAM
> is used for packet memory parity information and replaceable DDR SDRAM
> SODIMM is used solely for the PFE microkernel.
>
>
> regards,
> Martin
>
> On 9/29/15, Michael Loftis <mlof...@wgops.com> wrote:
>> The "extra" SDRAM chips.  The packet memory has parity or ECC bits, I
>> actually do not recall for sure which, but the "extra" is for those
>> extra bits.
>>
>> On Tue, Sep 29, 2015 at 12:45 PM, Martin T <m4rtn...@gmail.com> wrote:
>>> What do you mean?
>>>
>>>
>>> thanks,
>>> Martin
>>>
>>> On Tue, Sep 29, 2015 at 8:45 PM, Michael Loftis <mlof...@wgops.com>
>>> wrote:
>>>> Parity/ECC.
>>>>
>>>> On Tue, Sep 29, 2015 at 7:32 AM, Martin T <m4rtn...@gmail.com> wrote:
>>>>> Hi,
>>>>>
>>>>> according to Juniper M10i Compact Forwarding Engine
>>>>> Board(http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/concept/cfeb-m10i-description.html)
>>>>> documentation it has 128 MiB SDRAM for packet memory and 128 MiB SDRAM
>>>>> for the microkernel. If I visually inspect the CFEB, then it has
>>>>> twelve "MT 46V8M16" DDR SDRAM chips which means 12x 134217728 bits,
>>>>> i.e. 192MiB of on-board soldered DDR SDRAM. Questions:
>>>>>
>>>>> 1) Are four "MT 46V8M16" DDR SDRAM chips actually not in use? If they
>>>>> are in use, then what for?
>>>>>
>>>>> 2) Am I correct that on-board soldered DRAM is used for shared packet
>>>>> buffer and installable DDR SDRAM SODIMM is used for the microkernel?
>>>>>
>>>>>
>>>>> thanks,
>>>>> Martin
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> "Genius might be described as a supreme capacity for getting its
>>>> possessors
>>>> into trouble of all kinds."
>>>> -- Samuel Butler
>>
>>
>>
>> --
>>
>> "Genius might be described as a supreme capacity for getting its
>> possessors
>> into trouble of all kinds."
>> -- Samuel Butler
>>
>


[j-nsp] understand "request system software rollback" in Junos

2015-10-01 Thread Martin T
Hi,

I installed Junos 13.2R8.2 to M10i(RE-850), executed "request system
snapshot"(in other words copied / to /altroot on HDD and /config to
/altconfig on HDD) and installed Junos 13.3R6.5 with "request system
software add". This means that I have Junos 13.2R8.2 on HDD and Junos
13.3R6.5 on CF and I'm able to boot into both installations with
"request system reboot media". As I have old Junos installation on HDD
I thought that I'm able to roll back from Junos 13.3R6.5 to 13.2R8.2
with "request system software rollback", but this does seem to do
nothing:

root> request system software rollback

root>


When can one use "request system software rollback"?


thanks,
Martin


Re: [j-nsp] HDD requirements for RE-333 and RE-600

2015-09-30 Thread Martin T
On 9/30/15, Chris Cappuccio <ch...@nmedia.net> wrote:
> Martin T [m4rtn...@gmail.com] wrote:
>> Hi,
>>
>> while the original HDDs are in slave mode, I did try with cable-select
>> and in master mode as well, but the RE did not boot with the Hitachi
>> HTS541680J9AT00 HDD. I would expect to see at least the BIOS
>> screen(http://s8.postimg.org/vuae8mx39/RE_600_BIOS_screen.jpg), but
>> with Hitachi drive the RE does not seem to boot at all. That's the
>> reason why I suspected the power consumption problem. However, any
>> other ideas?
>>
>
> Lots of drives are not compatible. Try another, but make sure you are
> only changing one thing at a time. If you are putting in a different CF
> card at the same time, you have no idea which change is incompatible
> (perhaps both...)
>

I see. However, do you happen to know why certain drives are not
compatible? I would expect to see at least the BIOS
screen(http://s8.postimg.org/vuae8mx39/RE_600_BIOS_screen.jpg), but
with Hitachi drive the RE does not seem to pass POST and boot at all.


thanks,
Martin


Re: [j-nsp] understand the DRAM usage on CFEB(FEB-M10i-M7i-S)

2015-09-30 Thread Martin T
Ok, thanks! I had never seen a solution where parity information is
stored in additional individual SDRAM chips. So in conclusion 128MiB
of on-board SDRAM is used for packet memory, 64MiB of on-board SDRAM
is used for packet memory parity information and replaceable DDR SDRAM
SODIMM is used solely for the PFE microkernel.


regards,
Martin

On 9/29/15, Michael Loftis <mlof...@wgops.com> wrote:
> The "extra" SDRAM chips.  The packet memory has parity or ECC bits, I
> actually do not recall for sure which, but the "extra" is for those
> extra bits.
>
> On Tue, Sep 29, 2015 at 12:45 PM, Martin T <m4rtn...@gmail.com> wrote:
>> What do you mean?
>>
>>
>> thanks,
>> Martin
>>
>> On Tue, Sep 29, 2015 at 8:45 PM, Michael Loftis <mlof...@wgops.com>
>> wrote:
>>> Parity/ECC.
>>>
>>> On Tue, Sep 29, 2015 at 7:32 AM, Martin T <m4rtn...@gmail.com> wrote:
>>>> Hi,
>>>>
>>>> according to Juniper M10i Compact Forwarding Engine
>>>> Board(http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/concept/cfeb-m10i-description.html)
>>>> documentation it has 128 MiB SDRAM for packet memory and 128 MiB SDRAM
>>>> for the microkernel. If I visually inspect the CFEB, then it has
>>>> twelve "MT 46V8M16" DDR SDRAM chips which means 12x 134217728 bits,
>>>> i.e. 192MiB of on-board soldered DDR SDRAM. Questions:
>>>>
>>>> 1) Are four "MT 46V8M16" DDR SDRAM chips actually not in use? If they
>>>> are in use, then what for?
>>>>
>>>> 2) Am I correct that on-board soldered DRAM is used for shared packet
>>>> buffer and installable DDR SDRAM SODIMM is used for the microkernel?
>>>>
>>>>
>>>> thanks,
>>>> Martin
>>>
>>>
>>>
>>> --
>>>
>>> "Genius might be described as a supreme capacity for getting its
>>> possessors
>>> into trouble of all kinds."
>>> -- Samuel Butler
>
>
>
> --
>
> "Genius might be described as a supreme capacity for getting its possessors
> into trouble of all kinds."
> -- Samuel Butler
>


Re: [j-nsp] purpose of "commit check"?

2015-09-30 Thread Martin T
So in order to sum this up, "commit check" makes sense at least in
following cases:

1) confirm "commit confirmed" action. This does not waste a rollback.
2) test errors for configuration which will be saved and committed later
3) make intermediate syntax checks in case of large configurations in
order to make sure that configuration applied to candidate
configuration so far is fine
4) use "commit check" to trigger commit scripts



regards,
Martin


On Wed, Sep 30, 2015 at 6:49 PM, Alexander Arseniev
<arsen...@btinternet.com> wrote:
> Hello,
> To add to what's been already covered  - "commit check" runs the commit
> scripts as if it is an actual commit.
> And You can do pretty much everything with commit scripts, including logging
> to another node and comparing/changing the config there.
> One use case is to keep DetNAT pools & prefix-lists synced between 2 CGNAT
> nodes in case inter-node failover happens. So if You want to always make
> changes on 1 such node only, and never bother with manually checking config
> consistency, then use a commit script which logs in to a neighbor node and
> does comparison and maybe fixes some trivial discrepancies. In this case,
> You want to run "commit check" first, to get 2nd node changed, and then
> "commit comment" to get 1st node aligned with the 2nd.
> HTH
> Thanks
> Alex
>
> On 28/09/2015 22:24, Martin T wrote:
>
> Hi,
>
> when I commit the candidate configuration in Junos, I tend to execute
> "commit check" and if configuration check succeeds, then I execute
> "commit comment ". However, when I think about it, "commit
> (comment)" itself should perform those very same checks that "commit
> check" does. If yes, then what is the point of "commit check"? Only
> purpose I could see is to check the validity of the candidate
> configuration in the middle of the configuration process, i.e. to
> check if the changes made in candidate configuration so far are fine
> but the candidate configuration is not ready to be committed.
>
>
> thanks,
> Martin
>
>


Re: [j-nsp] purpose of "commit check"?

2015-09-30 Thread Martin T
Harald, Ryan:

Great tips, thanks!



Chuck,

< "commit comment" will log the comment even if the commit fails.
Doing "commit check" first allows you to avoid this extra comment in
the "show system commits" log.


A failed "commit comment" does not create an entry to "show system
commit" log at least in my Junos 12.3R6.6:


[edit]
root@M10i# run show system commit
rescue  2014-09-09 14:04:51 UTC by root via cli

[edit]
root@M10i# show interfaces ge-0/0/0 unit 0
vlan-id 0;
family inet {
filter {
input input-fw; ## reference 'input-fw' not found
}
}

[edit]
root@M10i# commit comment "ingress fw filter to ge-0/0/0.0"
[edit interfaces ge-0/0/0 unit 0 family inet]
  'filter'
Referenced filter 'input-fw' is not defined
error: configuration check-out failed

[edit]
root@M10i# run show system commit
rescue  2014-09-09 14:04:51 UTC by root via cli

[edit]
root@M10i#


However, failed "commit comment" does create a log entry to messages
file. Or does it depend on what exactly failed?



Phil,

< Doing a pre-check before a commit is mostly about working up the
confidence that you're not going to break something.

Yeah, but if one will "commit" the changes right after(i.e. no
additional changes to candidate configuration) "commit check", then
there isn't a difference.


regards,
Martin

On 9/29/15, Bryan Ashley <bash...@streamnetworksinc.com> wrote:
> Not sure if it's been mentioned or not but another good use of commit check
> is to confirm a commit confirmed. Typically people will issue a commit
> confirmed X to automatically rollback a change that didn't work. If the
> change did work many folks issue a commit to save the change and move
> forward. The problem with this is both your commit confirmed and subsequent
> commit burn rollbacks. A commit check will satisfy a commit confirmed
> without burning an additional rollback.
>
>
> On Tue, Sep 29, 2015 at 11:38 AM, Ryan Harden
> <harde...@uchicago.edu<mailto:harde...@uchicago.edu>> wrote:
>
>
> We regularly make large config changes, 'commit check' to confirm there
> aren't any syntax errors, then save the change as a patch to be applied
> during a maintenance window.
> This saves a ton of time during maint windows as we can do configs the day
> before and at least be sure there are no syntax errors in the patch. Maint
> windows simply become: load the patch, commit confirmed comment blah,
> verify, done.
>
> /Ryan
>
> Ryan Harden
> Research and Advanced Networking Architect
> University of Chicago - ASN160
> P: 773.834.5441
>
>> On Sep 28, 2015, at 4:24 PM, Martin T <m4rtn...@gmail.com> wrote:
>>
>> Hi,
>>
>> when I commit the candidate configuration in Junos, I tend to execute
>> "commit check" and if configuration check succeeds, then I execute
>> "commit comment ". However, when I think about it, "commit
>> (comment)" itself should perform those very same checks that "commit
>> check" does. If yes, then what is the point of "commit check"? Only
>> purpose I could see is to check the validity of the candidate
>> configuration in the middle of the configuration process, i.e. to
>> check if the changes made in candidate configuration so far are fine
>> but the candidate configuration is not ready to be committed.
>>
>>
>> thanks,
>> Martin
>
>


Re: [j-nsp] exception traffic types for Juniper routers

2015-09-30 Thread Martin T
David,

thanks for the "show pfe statistics exceptions" command! It seems to
be supported only on newer MX series routers(?). According to this
command packets with for example "ttl expired", "IP options", "tunnel
hdr needs reassembly", "IGMP snooping control packet", "PIM snooping
control packet", "MLD snooping control packet", "Tunnel keepalives"
etc are punted. What about ICMP traffic? How much does it depend on
platform which traffic is punted and which traffic is not?


Akash,

could you please show an example?


Brandon,

of course, sorry! So ASIC(probably platform dependent, but at least in
the past it was called "I/O manager ASIC") on PFE will look into
IP/IPv6 header and if destination IP/IPv6 address is configured to
router, then the packet is sent to RE. What about traffic destined to
router which does not have IP/IPv6 header? IS-IS traffic should be one
example.


regards,
Martin

On Tue, Sep 29, 2015 at 11:57 PM, Brandon Ross <br...@pobox.com> wrote:
> On Tue, 29 Sep 2015, Martin T wrote:
>
>> as I understand, there are several different exception traffic types:
>>
>> 1) unicast traffic addressed to router itself. For example telnet, SSH
>> or SNMP traffic. I guess it is technically correct to say that
>> "incoming frames which have one of the router interfaces MAC addresses
>> as a destination MAC address are exception traffic"?
>
>
> I certainly hope not, that would mean that every packet routed by the router
> would be punted to the processor.
>
> It would have to have an IP address that matches one of the addresses
> assigned to the router, not the MAC.
>
> --
> Brandon Ross  Yahoo & AIM:  BrandonNRoss
> +1-404-635-6667ICQ:  2269442
>  Skype:  brandonross
> Schedule a meeting:  http://www.doodle.com/bross


[j-nsp] understand the DRAM usage on CFEB(FEB-M10i-M7i-S)

2015-09-29 Thread Martin T
Hi,

according to Juniper M10i Compact Forwarding Engine
Board(http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/concept/cfeb-m10i-description.html)
documentation it has 128 MiB SDRAM for packet memory and 128 MiB SDRAM
for the microkernel. If I visually inspect the CFEB, then it has
twelve "MT 46V8M16" DDR SDRAM chips which means 12x 134217728 bits,
i.e. 192MiB of on-board soldered DDR SDRAM. Questions:

1) Are four "MT 46V8M16" DDR SDRAM chips actually not in use? If they
are in use, then what for?

2) Am I correct that on-board soldered DRAM is used for shared packet
buffer and installable DDR SDRAM SODIMM is used for the microkernel?


thanks,
Martin


[j-nsp] When did "compress-configuration-files" become default option in Junos?

2015-09-29 Thread Martin T
Hi,

in which Junos version did "compress-configuration-files" become the
default configuration option? AFAIK in older Junos versions the active
configuration was not compressed. At least in Junos 5.4 active
configuration file was not compressed:

user@router> file list /config
juniper.conf
juniper.conf.1.gz
juniper.conf.2.gz
juniper.conf.3.gz
user@router>

However, nowadays, "junos-defaults" configuration-group contains
"compress-configuration-files" under "system" configuration.


thanks,
Martin


[j-nsp] exception traffic types for Juniper routers

2015-09-29 Thread Martin T
Hi,

as I understand, there are several different exception traffic types:

1) unicast traffic addressed to router itself. For example telnet, SSH
or SNMP traffic. I guess it is technically correct to say that
"incoming frames which have one of the router interfaces MAC addresses
as a destination MAC address are exception traffic"?

2) IPv4 packets with options set. IPv6 packets with extension headers?

3) Packets requiring the generation of an ICMP error message. For
example if IPv4/IPv6 packet comes in with TTL/hop-limit 1, then router
has to send ICMP error message to destination.


Are there any other exception traffic types? When is broadcast and
multicast traffic handled as exception traffic?


thanks,
Martin


Re: [j-nsp] When did "compress-configuration-files" become default option in Junos?

2015-09-29 Thread Martin T
Thanks!


regards,
Martin

On Tue, Sep 29, 2015 at 8:40 PM, Pallavi Mahajan <pall...@juniper.net> wrote:
> btw: To override the default setting, include the
> "no-compression-configuration-files" statement at the [edit system]
> hierarchy level. When you enable this feature, the current operational
> configuration file is uncompressed.
>
>
> Thanks,
> Pallavi
>
> On 29/09/15 11:09 pm, "Pallavi Mahajan" <pall...@juniper.net> wrote:
>
>>I *think* this was in Junos 7.0
>>
>>Thanks,
>>Pallavi
>>
>>On 29/09/15 11:05 pm, "juniper-nsp on behalf of Martin T"
>><juniper-nsp-boun...@puck.nether.net on behalf of m4rtn...@gmail.com>
>>wrote:
>>
>>>Hi,
>>>
>>>in which Junos version did "compress-configuration-files" become the
>>>default configuration option? AFAIK in older Junos versions the active
>>>configuration was not compressed. At least in Junos 5.4 active
>>>configuration file was not compressed:
>>>
>>>user@router> file list /config
>>>juniper.conf
>>>juniper.conf.1.gz
>>>juniper.conf.2.gz
>>>juniper.conf.3.gz
>>>user@router>
>>>
>>>However, nowadays, "junos-defaults" configuration-group contains
>>>"compress-configuration-files" under "system" configuration.
>>>
>>>
>>>thanks,
>>>Martin
>>
>


Re: [j-nsp] understand the DRAM usage on CFEB(FEB-M10i-M7i-S)

2015-09-29 Thread Martin T
What do you mean?


thanks,
Martin

On Tue, Sep 29, 2015 at 8:45 PM, Michael Loftis <mlof...@wgops.com> wrote:
> Parity/ECC.
>
> On Tue, Sep 29, 2015 at 7:32 AM, Martin T <m4rtn...@gmail.com> wrote:
>> Hi,
>>
>> according to Juniper M10i Compact Forwarding Engine
>> Board(http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/concept/cfeb-m10i-description.html)
>> documentation it has 128 MiB SDRAM for packet memory and 128 MiB SDRAM
>> for the microkernel. If I visually inspect the CFEB, then it has
>> twelve "MT 46V8M16" DDR SDRAM chips which means 12x 134217728 bits,
>> i.e. 192MiB of on-board soldered DDR SDRAM. Questions:
>>
>> 1) Are four "MT 46V8M16" DDR SDRAM chips actually not in use? If they
>> are in use, then what for?
>>
>> 2) Am I correct that on-board soldered DRAM is used for shared packet
>> buffer and installable DDR SDRAM SODIMM is used for the microkernel?
>>
>>
>> thanks,
>> Martin
>
>
>
> --
>
> "Genius might be described as a supreme capacity for getting its possessors
> into trouble of all kinds."
> -- Samuel Butler


[j-nsp] purpose of "commit check"?

2015-09-28 Thread Martin T
Hi,

when I commit the candidate configuration in Junos, I tend to execute
"commit check" and if configuration check succeeds, then I execute
"commit comment ". However, when I think about it, "commit
(comment)" itself should perform those very same checks that "commit
check" does. If yes, then what is the point of "commit check"? Only
purpose I could see is to check the validity of the candidate
configuration in the middle of the configuration process, i.e. to
check if the changes made in candidate configuration so far are fine
but the candidate configuration is not ready to be committed.


thanks,
Martin


Re: [j-nsp] HDD requirements for RE-333 and RE-600

2015-09-25 Thread Martin T
Hi,

while the original HDDs are in slave mode, I did try with cable-select
and in master mode as well, but the RE did not boot with the Hitachi
HTS541680J9AT00 HDD. I would expect to see at least the BIOS
screen(http://s8.postimg.org/vuae8mx39/RE_600_BIOS_screen.jpg), but
with Hitachi drive the RE does not seem to boot at all. That's the
reason why I suspected the power consumption problem. However, any
other ideas?


regards,
Martin

On 9/25/15, Markus <unive...@truemetal.org> wrote:
> Hi,
>
> On 24.09.2015 at 18:53, Martin T wrote:
>> Now if I replace this HDD with Hitachi HTS541680J9AT00 80GB, 5400rpm
>> PATA HDD in slave mode, then both RE-333 and RE-600 even do not pass
>> the POST. RE does not seem to boot at all. According to specs, Hitachi
>
> I have only M7i's with RE-400 and RE-850 where I replaced the HDDs with
> SSDs, so I'm only guessing, it's a shot in the dark, but did you try
> cable-select instead of slave?
>
> If it doesn't change anything I would try a HDD (SSD) with the exact same
> size than the original.
>
> Regards
> Markus
>
>


Re: [j-nsp] Where to find install media for EOL hardware platforms and Junos releases?

2015-09-24 Thread Martin T
I got the install-media-7.4R1.7-domestic installation image from a
user in this mailing list and then upgraded to Junos 8.5R4.3 with
jinstall-8.5R4.3-domestic-signed install package.


thanks,
Martin

On 9/23/15, Martin T <m4rtn...@gmail.com> wrote:
> This did cross my mind, but those routers are in remote locations and
> this would require fairly long maintenance window. I hope that someone
> either has the install-media-8.5R4.3-domestic image or there is a way
> to build disk-image from jinstall-8.5R4.3-domestic-signed.tgz which I
> have. I guess an older install-image would work as well and then I
> could upgrade to 8.5R4.3 with jinstall-8.5R4.3-domestic-signed.tgz.
>
>
> Martin
>
> On 9/23/15, Dave Bell <m...@geordish.org> wrote:
>> Not the best solution, but have you thought about taking your live
>> routers down for maintenance, and dd'ing the contents of the CF onto
>> another card?
>>
>> Regards,
>> Dave
>>
>> On 23 September 2015 at 13:10, Martin T <m4rtn...@gmail.com> wrote:
>>> Or maybe someone has install-media-8.5R4.3-domestic image on some old
>>> tape-drive and is willing to share it? :)
>>>
>>>
>>> thanks,
>>> Martin
>>>
>>> On 9/21/15, Martin T <m4rtn...@gmail.com> wrote:
>>>> Hi,
>>>>
>>>> I have one RE-600-2048(256MB CF and 40GB HDD) and one RE-333-768(256MB
>>>> CF and 40GB HDD) routing engine. Both are with blank CF and HDD. I
>>>> would like to install Junos 8.5R4.3 on those routing engines and use
>>>> those as spares for some old routers with the same routing-engines and
>>>> software, but I can't find the install media for such legacy software
>>>> release. Oldest one available from Juniper web site for M series seems
>>>> to be 12.3R1.7(install-media-12.3R1.7-domestic), but I need
>>>> install-media-8.5R4.3-domestic. Is there a way to download EOL Junos
>>>> releases from Juniper web-site? Or is there a way to build
>>>> install-image from jinstall
>>>> tarball(jinstall-8.5R4.3-domestic-signed.tgz)?
>>>>
>>>>
>>>> thanks,
>>>> Martin
>>>>
>>
>


[j-nsp] HDD requirements for RE-333 and RE-600

2015-09-24 Thread Martin T
Hi,

I have a RE-333 and RE-600 both with Fujitsu MHT2030AT HDDs. It is a
30GB, 4200rpm PATA HDD in slave mode:

root> show system boot-messages | match ad1
ad1: 28615MB  at ata0-slave UDMA33

root>

Now if I replace this HDD with Hitachi HTS541680J9AT00 80GB, 5400rpm
PATA HDD in slave mode, then both RE-333 and RE-600 even do not pass
the POST. RE does not seem to boot at all. According to specs, Hitachi
drive requires 5.0W at startup(maximum peak) while Fujitsu requires
4.5W at startup. Is it possible that RE is not able to provide more
than 4.5W(900mA at 5V) to HDD? Or does BIOS of RE-333 and RE-600
accept only certain HDD models?


thanks,
Martin

