Based off this site, there is suppose to be a way to test SNMP traps:
http://juniper.cluepon.net/index.php/ER_SNMP_trap_testing
However, on my 4200EX, no such command is available via the CLI:
m...@myrouter> test snmp
^
syntax error, expecting .
I'm trying to
Of course five minutes after sending that I found the right way to do it:
request snmp spoof-trap
Jonathan
From: lordsit...@hotmail.com
To: juniper-nsp@puck.nether.net
Subject: Testing SNMP traps
Date: Mon, 16 Aug 2010 10:09:57 -0600
Based off this site, there is suppose to be a way to
Pick your favorite SNMP monitoring tool and have it use this OID:
1.3.6.1.2.1.15.3.1.2 (bgpPeerState)
http://www.mibdepot.com/cgi-bin/getmib3.cgi?win=mib_a&i=1657&n=BGP4-MIB&r=inreach&f=rfc1657.mib&v=v1&t=tab&o=bgpPeerState
It presents each peer as an extension of the OID. So if you just wan
The 'show virtual-chassis' output on an EX4500 shows the following columns:
> show virtual-chassis
Virtual Chassis ID: 0fff.78ff.dbffVirtual Chassis Mode: Enabled
Mstr Mixed Neighbor ListMember ID Status
Serial NoModel prio Role
If I run 'show snmp mib walk jnxOperatingTemp' on an ex4200-24t I get valid
(i.e. non-zero) temperature readings for the FPCs and Routing Engines in it. If
I run the same command on an ex4500-40f all of the entries return a
non-operational status (i.e. zero). All of them are running 11.4R1.6.
Has anyone encountered an issue where an etherchannel interface appears to be
only using a portion of its available bandwidth?
I have a very straightforward LACP enabled etherchannel interface:
chassis {
aggregated-devices {
ethernet {
device-count 4;
}
y
> ##
> source-address;
> }
> }
>
> http://juniper.cluepon.net/index.php/Load_Balancing
>
>
>
> -- Kevin
>
>
> On Apr 24, 2009, at 3:20 PM, Jonathan Call wrote:
>
> >
> > Has anyone encountered an issue where an
I don't know if this will help because it has to deal with gigabit Ethernet
interfaces but...
If you set a Cisco device to use frame size of MTU 9000 it does not count the
18 bytes for TCP headers. However, Juniper does count the 18 bytes when you set
the MTU. So if the Cisco interface is set
System: mx960
OS: 9.6R1.13
I am using Torrus (http://www.torrus.org) to collect and graph data on a new
mx960 pair that we just put into place. Since I started collecting data the
following message has started to appear in the logs of both:
Nov 17 16:25:15 my.router snmpd[1816]: SNMP_SUBAGENT
My company is also using 8.5S4 for our M20s.
Jonathan
> From: ava...@hq.speakeasy.net
> To: jmadr...@gmail.com; juniper-nsp@puck.nether.net
> Date: Wed, 21 Jul 2010 08:12:26 -0700
> Subject: Re: [j-nsp] M20 JunOS Recommendation
>
> We currently have all of our M20's on 8.5S4 and have had no iss
Both an MX80 and an EX4200 have the following ntp related filtering in place on
their loopback interface:
term ntp {from {protocol udp;source-port ntp;
destination-port ntp;}then accept;}
...
term deny-any {then discard;}
It is not a great filter, but it doe
Use the inner-vlan-id-list option:
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/vlan-translation-vlan-id-list-l2.html
Jonathan
From: juniper-nsp on behalf of Vincent
Bernat
Sent: Thursday, May 17, 2018 3:17 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp]
I have a NetApp using iSCSI sitting on an EX4550. The iSCSI port on the EX4500
is dropping packets on a regular basis, but its queue length is always zero:
Queue counters: Queued packets Transmitted packets Dropped packets
0 best-effort0 1518576563
Two strikes against it:
MTU 9014
Ethernet flow control disabled
I'll look into the shared-buffer setting.
Jonathan
From: Alexandre Guimaraes
Sent: Friday, June 8, 2018 4:21 AM
To: Mark Tinka
Cc: Simone Spinelli; Jonathan Call; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] iSCSI on E
Anyone have experience with hold timers?
For the first time in my experience I have a carrier asking me to implement 3
second hold timers on their interface to deal with their link constantly
flapping. They're citing this document as proof that it needs to be done:
https://www.juniper.net/docu
Is there a good online resource for IPv6 firewall policy/hardening for MX
series routers?
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
I've run into a corner case with a peering exchange that has me a little
stumped for a solution that doesn't require redesigning the whole thing:
Two MX80 routers participate in the same peering exchange. (A Primary and
Secondary) Each has an interface configured in the same IP network within th
I recently set up a very basic WLC and a few APs using the web interfaces. For
my first SSID I enabled 802.1x PEAP/MSCHAPv2 authentication and pointed it to
an existing RADIUS server but users cannot connect to the SSID. The RADIUS
server says authentication is succeeding but the WLC gives the f
After spending a while picking at this: there was a group attribute called
"Service-Type" applied to a group that everyone belonged to. After I removed
it, everyone was able to connect successfully.
> From: lordsit...@hotmail.com
> To: juniper-nsp@puck.nether.net
> Date: Wed, 29 Oct 2014 13:
I have a very basic configuration but can't get link between a Cisco 3560 and
the SRX 240h:
ge-0/0/0 {description "port 21 on 3560 switch";gigether-options {
redundant-parent reth1;}}...reth1 {redundant-ether-options {
redundancy-group 1;}unit 0 {fa
I've seen plenty of examples of a static NAT where the SRX has a public IP
range on the untrusted interface. I have not found a good one for when the SRX
has an IP range routed to it.
SRX Public IP: 4.5.6.60/30Routed IP range (via the public interface)
4.5.32.16/28Trusted zone: 192.168.2.1/26
sh
com
CC: juniper-nsp@puck.nether.net
We use routed ranges to NAT a few hosts. The key for us was configuring
proxy-arp on the untrust interface for the IPs.
On Wed, Feb 4, 2015 at 11:24 AM, Jonathan Call wrote:
I've seen plenty of examples of a static NAT where the SRX has a public IP
ra
ne
> untrust;rule {match {destination-address destination>;destination-port ;}then {
> static-nat {prefix {;
> mapped-port ;}}}}
On Wed, Feb 4, 2015 at 1:08 PM, Jonathan Call wrot
es from-zone untrust to-zone trust policy
> {
match {source-address ;
destination-address ;application [ ];}then {permit;}}
If you want to make the NAT work for any outside source, you could just set
source-address to any.
On Wed, Feb 4, 2015
Shut off defective member and remove itWith the replacement still powered off
connect one VCP port to the VC stackPower on the replacement and confirm it is
showing up properlyCable the other VCP into the VS stack
A more detailed explanation is given here:
http://www.juniper.net/techpubs/en_US/ju
sting.
On Apr 7, 2015, at 12:45 PM, Jonathan Call wrote:
Shut off defective member and remove it
With the replacement still powered off connect one VCP port to the VC stack
Power on the replacement and confirm it is showing up properly
Cable the other VCP into the VS stack
A more det
My IPv6 BGP experience is a bit lacking. What would be an appropriate IPv6
policy-statement to only install a default route. Is it something as basic as
this?
policy-statement myisp-in {term bgp-nets {from {
route-filter beef:f00f:baaa::/48 exact;}then rej
So I have a lab with two routers exchanging iBGP between them. They have both
IPv4 and IPv6 addresses configured on the loopback. There aren't any export or
import policies defined between the two. When I examine the routes for the
local loopback interface on router1 I see the following:
router1
g nexthops: 1
Nexthop: fe80:db8:4000:1::3 via ge-0/0/8.0
Jonathan> Subject: Re: [j-nsp] iBGP and IPv6
> To: lordsit...@hotmail.com; juniper-nsp@puck.nether.net
> From: mark.ti...@seacom.mu
> Date: Wed, 15 Apr 2015 07:45:00 +0200
>
>
>
> On 14/Apr/15 19:37, Jonathan Call wr
015 23:47:04 +0900
> From: cont...@winterei.se
> To: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] iBGP and IPv6
>
> Perhaps use a pastebin?
>
> On 4/15/2015 午後 11:24, Jonathan Call wrote:
> > Here is the output of 'show route extensive'. Hopefully it
puck.nether.net
From: mark.ti...@seacom.mu
Date: Wed, 15 Apr 2015 17:06:08 +0200
On 15/Apr/15 16:24, Jonathan Call
wrote:
Here is the output of 'show route extensive'.
Hopefully it shows up formatted properly this time.
it
received as hidden/unusable but the IPv6 loopback route is not.
Jonathan
Subject: Re: [j-nsp] iBGP and IPv6
To: lordsit...@hotmail.com; juniper-nsp@puck.nether.net
From: mark.ti...@seacom.mu
Date: Wed, 15 Apr 2015 18:02:30 +0200
On 15/Apr/15 17:43, Jonathan C
Your pasting is not formatting
well. Makes it hard to help you.
Mark.
On 15/Apr/15 20:23, Jonathan Call
wrote:
OSPF/OSPFv3 are the IGP, which apparently are
feeding back into IBGP:
With OSPFv3 enabled
This is a good starting point:
https://tools.ietf.org/html/rfc6192> Date: Sat, 25 Apr 2015 22:36:47 +0200
> From: cydonsa...@gmail.com
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] IPv6 RE protection
>
> Hello,
> Currently we don't use any IPv6 RE protect filters on our routers (6PE only
>
I have two APs connected to the same EX4200. Both are controlled by the same
(and only) WLC. When a client enables WIFI near the first AP that person is
able to access the Internet. When the same client enables WIFI under the second
AP they cannot connect to the Internet. The port configuration
to view the buffer, and "clear trace all" to
> disable the debugging when you're done.
>
> http://kb.juniper.net/InfoCenter/index?page=content&id=KB20351
>
> Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
> Manager of Network Operation
I have an SRX250 (SRX A) and an SRX240h2 (SRX B) connected via a PSK IPSec
tunnel. They both have multiple IPSec tunnels configured to other SRX devices
on our network. Recently the tunnel between the two stopped passing traffic.
Both IKE and IPSec security association were UP on both sides. (s
I found this in the traceoptions I collected from SRX A:
http://pastebin.com/Kk0gSzaD
So the tunnel is there, but its not there. That explains the lack of ESP
packets on that side.
Jonathan
From: Stefan Fouant
Sent: Tuesday, November 17, 2015 8:08 PM
To: Jonathan Call
Cc: juniper-nsp
gain.
Jonathan
From: juniper-nsp on behalf of Jonathan
Call
Sent: Wednesday, November 18, 2015 9:19 AM
To: Stefan Fouant
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Trouble with just one IPSec tunnel among many
I found this in the traceoptions I collected from SRX A:
http
Comcast uses stateful DHCPv6 where it delegates a Identity Association (the
/128 for your external interface) and a Prefix Delegation which can be used on
your internal network. Comcast will allocate a PD of up to a /60 which could
give you up to 16 /64 site level aggregation (SLAs).
Right now
I have a Gigabit Ethernet port on an EX4200 that is performing very poorly. It
maxes out at about 120Mbps under heavy load. During that heavy load I see MAC
pause frame values increasing as well as dropped packets in the queue counters.
All of this points to the server being the culprit. Howeve
perly. For some reason my
Macbook does not seems to copy and paste well in Hotmail.
From: dale.s...@gmail.com on behalf of Dale Shaw
Sent: Wednesday, August 3, 2016 12:53 AM
To: Jonathan Call
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] 100mbps bandwidth on a logical interface
Hi Jonat
I've set up four QFX devices in a lab. Two QFX5100-24Q as the spine members and
two QFX-5100-48T as the leaf nodes. I connected two 40GbE links from each spine
to each leaf member. According to the documentation the VCPs are supposed to
figure out a LAG on their own. I can't tell for certain if
I have four QFX set up in a lab to do some Virtual Chassis testing. The two REs
are QFX5100-24Q and the two linecards are QFX5100-48T
virtual-chassis {
preprovisioned;
member 0 {
role routing-engine;
serial-number TB3714010XXX;
}
member 1 {
role routing-eng
Ps on the 24Q blink according
to traffic levels.
Jonathan
From: juniper-nsp on behalf of Jonathan
Call
Sent: Wednesday, January 11, 2017 2:41 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Oddness in a QFX VCP trunk
I have four QFX set up in a lab to do some Virtual Chassis testing
I followed the instructions listed here to create and start a capture for a
single destination IP address on an SRX5400 in a lab:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB21563
I can see a flow for the IP when I run a "show security flow session
destination-prefix 172.16.x.x
I am looking for a drop-in solution for our EX4200 and EX4300 equipment that
will give us more 10GbE at the access layer but doesn't require me to overhaul
all of the remaining infrastructure. The QFX5100-48T seems ideal except for its
lack of 10GbE optics. I am looking at combining a QFX-QSFP
I installed multiple QSFP+-40G-SR4 modules into a QFX5100-24Q. Port 5 changed
to "break out" mode (i.e. xe-0/0/5:0, 1, 2, 3 instead of et-0/0/5) I tried
swapping out QSFP modules and the problem persisted with just that port. I had
to manually disable auto negotiation (set chassis fpc 0 pic 0 p
Is there any reason a /31 address would not work on a SRX tunnel interface
(i.e. st0.1)
The VPN is up, ping is allowed and both sides show outbound traffic but neither
sides shows any inbound traffic.
Jonathan
___
juniper-nsp mailing list juniper-ns
Typically when I build virtual chassis I set up the recommended "ring" topology
and give path an equal amount of bandwidth. Would there be any technical
problems if I give one of the virtual chassis links more bandwidth than the
others?
The Virtual Chassis Feature Guide for the QFX Series does
be a
scenario where one 24q would see a better topology to the other 24q by going
through the 48t. The extra bandwidth would be set up between the two 24q.
Jonathan
From: Chris Kawchuk
Sent: Thursday, October 26, 2017 3:16 PM
To: Jonathan Call; junipe
Juniper has instructions on how to disable auto-channelization on the QFX
series, but there doesn't appear to be a way to force (or even encourage)
channelization. I have a qfx5100-48t with a QSFP-40G-SR in port 48 and a
MTP-4xLC breakout cable connected to a couple of servers. The qfx5100-48t j
Sent: Thursday, February 8, 2018 1:29 PM
To: Jonathan Call
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Channelizing a 40GbE port
On Feb 8, 2018, at 10:46 AM, Jonathan Call wrote:
>
> Juniper has instructions on how to disable auto-channelization on the QFX
> series, but ther
.
Jonathan
From: juniper-nsp on behalf of Jonathan
Call
Sent: Thursday, February 8, 2018 2:28 PM
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Channelizing a 40GbE port
I thought that only controlled the overall speed of the port. But apparently it
I don't remember if this is in 15 code but what about authentication order?
set system authentication-order [ radius password ]
Jonathan
From: juniper-nsp on behalf of Chris Boyd
Sent: Friday, February 16, 2018 9:44 AM
To: juniper-nsp@puck.nether.net
Subject:
55 matches
Mail list logo