Juniper QFX5100 VLAN flood input filter doesn't work
Hello, list (again), I've been trying to use VLAN BUM traffic filter on QFX5100. The configuration on the test VLAN was quite trivial: Model: qfx5100-48s-6q Junos: 17.2R2.8 # show vlans Testvlan vlan-id 4030; forwarding-options { filter { input Testvlan-ingress; } flood { input Testvlan-flood; } } I connected two linux hosts to the test VLAN: # show interfaces ge-0/0/42 unit 0 { family ethernet-switching { vlan { members Testvlan; } } } # show interfaces ge-0/0/43 unit 0 { family ethernet-switching { vlan { members Testvlan; } } } The firewall filter wwas quite simple: # show firewall family ethernet-switching filter Testvlan-ingress term accept { then accept; } The flood input filter I was trying to use. According to the documentation, only Broadcast, Unknown unicast and Multicast (BUM) traffic goes here. The regular unicast traffic should be left intact by it. # show firewall family ethernet-switching filter Testvlan-flood term allow_arp { from { ether-type arp; } then accept; } term allow_ipv6_ns { from { destination-mac-address { 33:33:ff:00:00:00/24; } ether-type 0x86dd; } then accept; } term discard_all { then discard; } I started hosts to ping (and snif) each other.. And I saw only ARP requests/responses. "show ethernet-switching table" displayed that both hosts MAC were successfully learned, thus traffic between them should be considered as regular unicast. However, the last term in Testvlan-flood filter was blocking it. If I replace it with "accept" - traffic begins to flow. Are any Juniper QFX gurus here? I would really appreciate some advice.
Re: Network nerd poker night 11/8 in Seattle
Doesn't anybody play real poker any more? You know, 5 card draw, 7 card stud. Oh for a good game of high-stakes 7 card high-low stud. Miles Fidelman Original message From: Gordon Cook Date: 11/7/17 2:08 PM (GMT-07:00) To: Avi Freedman Cc: "nanog@nanog.org list" Subject: Re: Network nerd poker night 11/8 in Seattle Hi Avi long time no talk regards Gordon > On Nov 7, 2017, at 3:22 PM, Avi Freedman wrote: > > > If there are any network+poker nerds in the Seattle area tomorrow, we have 5 > seats left at a network nerd poker night I'm hosting tomorrow night. > > Attendees are from cloud, content provider, hosting, infra services, travel, > and SaaS analytics industries. > > We'll have food, drinks, a training session, and will be running ~3 > single-table No Limit Texas Hold'em tournaments. > > If there's time/interest afterwards I may also initiate anyone interested > into the wonders of Pot Limit Omaha. > > Prizes will be Bose head sets, to avoid corporate gift issues with playing > for or awarding $. > > It's at the W Hotel in Bellevue, at 6pm tomorrow night. > > The focus is poker, socializing, and free-form network tech, business, and > policy nerd discussions. Travel and gadget geeking allowed as well. Kentik > is sponsoring the space, tables, and professional dealers, and we'll have a < > 5 minute sponsor presentation. > > RSVP / info @ > https://www.greenvelope.com/viewer/?ActivityCode=.public:ab155c3532ca4bd5ad563ff222b6a338393435313037#details > > If it overflows we'll cut off RSVPs at the URL and/or let people know by > email. > > We're also going to organize to do another in Seattle in Feb and larger ones > in NY and the Bay area in Q1, so if you have interest or ideas for format or > quick content topics we could cover, please let me know. One thing we're > considering is adding a table for heads-up battles - participants to decide > if they want to add peering as part of the stakes. > > Thanks, > > Avi >
Re: Juniper MX80 strange dst MAC address behavior
Last time I was able to smell broken memory was during the "core" days when a lead shorted. - Alain Hebertaheb...@pubnix.net PubNIX Inc. 50 boul. St-Charles P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 Tel: 514-990-5911 http://www.pubnix.netFax: 514-990-9443 On 11/07/17 16:07, Job Snijders wrote: This smells like broken memory. I recommend to open a TAC/JTAC case. Kind regards, Job
Re: Network nerd poker night 11/8 in Seattle
Hi Avi long time no talk regards Gordon > On Nov 7, 2017, at 3:22 PM, Avi Freedman wrote: > > > If there are any network+poker nerds in the Seattle area tomorrow, we have 5 > seats left at a network nerd poker night I'm hosting tomorrow night. > > Attendees are from cloud, content provider, hosting, infra services, travel, > and SaaS analytics industries. > > We'll have food, drinks, a training session, and will be running ~3 > single-table No Limit Texas Hold'em tournaments. > > If there's time/interest afterwards I may also initiate anyone interested > into the wonders of Pot Limit Omaha. > > Prizes will be Bose head sets, to avoid corporate gift issues with playing > for or awarding $. > > It's at the W Hotel in Bellevue, at 6pm tomorrow night. > > The focus is poker, socializing, and free-form network tech, business, and > policy nerd discussions. Travel and gadget geeking allowed as well. Kentik > is sponsoring the space, tables, and professional dealers, and we'll have a < > 5 minute sponsor presentation. > > RSVP / info @ > https://www.greenvelope.com/viewer/?ActivityCode=.public:ab155c3532ca4bd5ad563ff222b6a338393435313037#details > > If it overflows we'll cut off RSVPs at the URL and/or let people know by > email. > > We're also going to organize to do another in Seattle in Feb and larger ones > in NY and the Bay area in Q1, so if you have interest or ideas for format or > quick content topics we could cover, please let me know. One thing we're > considering is adding a table for heads-up battles - participants to decide > if they want to add peering as part of the stakes. > > Thanks, > > Avi >
Re: Juniper MX80 strange dst MAC address behavior
This smells like broken memory. I recommend to open a TAC/JTAC case. Kind regards, Job
Juniper MX80 strange dst MAC address behavior
Today I was investigating strange unknown unicast traffic in LAN of IX which I operate. It was about 200 kbps of constant unknown unicast load. Unknown unicast is a rare ocasion in IX LAN as participants MAC addresses are almost persistent. I added a server in the vlan and started sniffing: all the unicast was coming from one participant MAC. One of the frames: XX:XX:XX:XX:ee:98 > 5e:5c:ab:31:c0:cb, ethertype IPv4 (0x0800), length 1434: XX.XX.16.30.80 > XX.XX.76.137.41934: Flags [.], seq 1619512599:1619513967, ack 3595347045, win 235, options [nop,nop,TS val 3650267181 ecr 1841068329], length 1368: HTTP Okay, destination MAC 5e:5c:ab:31:c0:cb isn't really in switches FDB table. I looked up the routing table and figured out that router announcing the bestpath for XX.XX.76.137 has MAC 5e:5e:ab:31:c0:cb. So customers sent a frame to: 5e:*5c*:ab:31:c0:cb The right address should be : 5e:*5e*:ab:31:c0:cb I tried next packet in dump, the same story: customer sends to: *90*:c6:9a:*e5*:2f:c1 right mac is : *b0*:c6:9a:*e4*:2f:c1 I converted differencing bytes to binary representation: 90: 1001 b0: 1011 e5: 11100101 e4: 11100100 I guess all the unknown unicast frames MAC addresses were having the same slightly difference from the right ones. So the router in general works fine (it has several gigabits of traffic in the IX) but sometimes it changes one or two bits in frame's destination MAC address. My guess it is caused by a large ARP table on customer's router. The router may have some tricky lookup algorithm preceding constant calculating speed over accuracy. I called their NOC, they said it is Juniper MX80 and also confirmed that it has more than 4k ARPs. Have anybody encountered with that kind of issue?
Network nerd poker night 11/8 in Seattle
If there are any network+poker nerds in the Seattle area tomorrow, we have 5 seats left at a network nerd poker night I'm hosting tomorrow night. Attendees are from cloud, content provider, hosting, infra services, travel, and SaaS analytics industries. We'll have food, drinks, a training session, and will be running ~3 single-table No Limit Texas Hold'em tournaments. If there's time/interest afterwards I may also initiate anyone interested into the wonders of Pot Limit Omaha. Prizes will be Bose head sets, to avoid corporate gift issues with playing for or awarding $. It's at the W Hotel in Bellevue, at 6pm tomorrow night. The focus is poker, socializing, and free-form network tech, business, and policy nerd discussions. Travel and gadget geeking allowed as well. Kentik is sponsoring the space, tables, and professional dealers, and we'll have a < 5 minute sponsor presentation. RSVP / info @ https://www.greenvelope.com/viewer/?ActivityCode=.public:ab155c3532ca4bd5ad563ff222b6a338393435313037#details If it overflows we'll cut off RSVPs at the URL and/or let people know by email. We're also going to organize to do another in Seattle in Feb and larger ones in NY and the Bay area in Q1, so if you have interest or ideas for format or quick content topics we could cover, please let me know. One thing we're considering is adding a table for heads-up battles - participants to decide if they want to add peering as part of the stakes. Thanks, Avi
Re: GO DADDY Person?
> > Is there a GoDaddy person on this list? > > There is a domain that has been created that is 100% a bot and need to flag > it immediately. Ilissa, may we share this directly with our GoDaddy contact, including your contact information? Anne Anne P. Mitchell, Attorney at Law Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law) Legislative Consultant CEO/President, Institute for Social Internet Public Policy Legal Counsel: The CyberGreen Institute Member, Cal. Bar Cyberspace Law Committee Member, Colorado Cyber Committee Member, Elevations Credit Union Member Council Member, Board of Directors, Asilomar Microcomputer Workshop Ret. Professor of Law, Lincoln Law School of San Jose Ret. Chair, Asilomar Microcomputer Workshop
Re: media are reporting "major Internet outage"
Yah as mentioned by others, lots of chatter on the outages list. In short, starting at 17:47 utc level3 started leaking a whole bunch of more specifics, mainly for various comcast ASns but also others like for example AS10481 (Argentina) Many of these more specific announcements for large network such as comcast were picked up by other large network such at Tata, NTT, Liberty Global (UPC) and as a result caused a major traffic shift, resulting in a choke point somewhere along the way. One an example is the prefix 98.242.128.0/17 which is normally not visible, only as the larger block 98.192.0.0/10 (AS7922). Yesterday it was visible as 98.242.128.0/17 originated via another comcast AS (20214), with transit via level3. Good replay and visual of the timeline here: https://stat.ripe.net/widget/bgplay#w.resource=98.242.128.0%2F17 Cheers Andree My secret spy satellite informs me that Miles Fidelman wrote On 2017-11-06, 6:45 PM: > Folks, > > It seems like various media outlets are reporting a "major Internet > outage" - some going so far as to call it an "attack." > > A few headlines that crossed Facebook today: > > "Major internet outage hits the U.S." (Mashable via AOL News) > > "Widespread Comcast internet outage across U.S. includes Massachusetts > customers" (WHDH, Channel 7 News, Boston) > > A couple of more detailed sources reported that issues at L3 were > effecting Comcast, specifically. > > Kind of interesting that there's been no mention here on nanog, nor have > I personally noticed any issues (as a user or a hosting provider). > > Tempest in a teapot? > > Miles Fidelman >
someone from easydns here? dns3.easydns.org. 2620:49:3::10 unreachable from AS8560 and 6939
Hi, can someone operating easydns nameserver check whether 2620:49:3::10 is answering? I create a atlas measurement https://atlas.ripe.net/measurements/10137819 and I can see that some AS still can reach 2620:49:3::10 but many many timeouts. For me, it stops working after 2a00:dd80:9:3::2 (AS42210) Cheers Thomas
Need a contact at GoDaddy NOC
Hi. Could anyone from GoDaddy NOC, please, get in touch with me off list? One of our IP addresses is being blocked from accessing an address hosting some websites at Godaddy. Even GoDaddy's support and SSO sites are blocked. Using a different IP address for outbound Source NAT makes things work. But we would like to figure out what caused blocking in the first place to make sure we stop it happening in the future. Thank you.
GO DADDY Person?
Is there a GoDaddy person on this list? There is a domain that has been created that is 100% a bot and need to flag it immediately. Already contacted GoDaddy directly but it is still active. Please contact me off list Thanks!
RE: media are reporting "major Internet outage"
I wonder if that was the cause of the snapchat outage yesterday or if the snapchat outage was altogether separate from what y'all are talking about. ? -Aaron