Re: [j-nsp] Information for expected fragmentation behavior on IPsec tunnel

[Terry Jones]

The default is actually to clear the df-bit, which I have verified on the
srx, however, if this is case, then the traffic should be fragmenting when I
ping with large packets setting the df-bit. This setting should stay within
the encapsulated packet and then the outer ipsec packet is set to clear and
the packet should be fragmenting, which is it not.

I've opened a JTAC case, so we'll see what they say.

tjones@srx1-net04> show security ipsec security-associations index 131073
node0:
--
  ID: 131073 Virtual-system: root, VPN Name: Denver-CN
  Local Gateway: a.a.a.a, Remote Gateway: b.b.b.b
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
DF-bit: clear
Bind-interface: st0.3

Direction: inbound, SPI: 7075d78, AUX-SPI: 0
  , VPN Monitoring: UP
Hard lifetime: Expires in 3529 seconds
Lifesize Remaining:  Unlimited
Soft lifetime: Expires in 2973 seconds
Mode: Tunnel(10 10), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64

Direction: outbound, SPI: 2acb634b, AUX-SPI: 0
  , VPN Monitoring: UP
Hard lifetime: Expires in 3529 seconds
Lifesize Remaining:  Unlimited
Soft lifetime: Expires in 2973 seconds
Mode: Tunnel(10 10), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64

Thanks,
Terry 

-Original Message-
From: Wayne Tucker [mailto:wa...@tuckerlabs.com] 
Sent: Friday, August 10, 2012 1:59 PM
To: Terry Jones
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Information for expected fragmentation behavior on
IPsec tunnel

It should be dependent on the "df-bit" setting on the VPN.  I don't remember
which behavior is default, but setting it to "clear" may do what you want.

:w


On Fri, Aug 10, 2012 at 12:36 PM, Terry Jones 
wrote:
> Greetings All,
>
>
>
> Could someone please point me in the direction of some good 
> information for a current setup I have and would like to know what the
expected behavior is.
>
>
>
> I have a site-to-site VPN setup between two SRX's. I'm in a 
> development lab that has a static NAT out to the internet through the
corporate network.
> (The other lab I'm connecting to is not local). Our connection to the 
> corporate network is to an ASA that DOES NOT support jumbo frames. I 
> have jumbo frames configured on the st0 interface and all interfaces 
> all the way back to the hosts on my side of the network. Same goes for 
> the lab on the other side of the tunnel. So I have 9000 bytes 
> configured end-to-end, however the transport the tunnel is configured 
> across only supports std 1500 bytes frames.
>
>
>
> The developers are sending 2000+ bytes sized packets that have the DF 
> bit set (and it has to be as such for now).
>
>
>
> I am trying to determine the expected behavior. I've been told that 
> the IPsec tunnel will fragment the traffic b/c it will not copy the DF 
> bit from the original packet once it is encapsulated, however, I 
> cannot ping through the tunnel with large packet sizes and the DF bit 
> set. I've found a lot of information and have worked a lot with 
> fragmentation, but can't find anything on this exact type of scenario.
>
>
>
> Thanks in advance for any input or information.
>
>
>
> Sincerely,
>
> Terry
>
>
>
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net 
> https://puck.nether.net/mailman/listinfo/juniper-nsp

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] Information for expected fragmentation behavior on IPsec tunnel

[Wayne Tucker]

It should be dependent on the "df-bit" setting on the VPN.  I don't
remember which behavior is default, but setting it to "clear" may do
what you want.

:w


On Fri, Aug 10, 2012 at 12:36 PM, Terry Jones  wrote:
> Greetings All,
>
>
>
> Could someone please point me in the direction of some good information for
> a current setup I have and would like to know what the expected behavior is.
>
>
>
> I have a site-to-site VPN setup between two SRX's. I'm in a development lab
> that has a static NAT out to the internet through the corporate network.
> (The other lab I'm connecting to is not local). Our connection to the
> corporate network is to an ASA that DOES NOT support jumbo frames. I have
> jumbo frames configured on the st0 interface and all interfaces all the way
> back to the hosts on my side of the network. Same goes for the lab on the
> other side of the tunnel. So I have 9000 bytes configured end-to-end,
> however the transport the tunnel is configured across only supports std 1500
> bytes frames.
>
>
>
> The developers are sending 2000+ bytes sized packets that have the DF bit
> set (and it has to be as such for now).
>
>
>
> I am trying to determine the expected behavior. I've been told that the
> IPsec tunnel will fragment the traffic b/c it will not copy the DF bit from
> the original packet once it is encapsulated, however, I cannot ping through
> the tunnel with large packet sizes and the DF bit set. I've found a lot of
> information and have worked a lot with fragmentation, but can't find
> anything on this exact type of scenario.
>
>
>
> Thanks in advance for any input or information.
>
>
>
> Sincerely,
>
> Terry
>
>
>
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

[j-nsp] Information for expected fragmentation behavior on IPsec tunnel

[Terry Jones]

Greetings All,

 

Could someone please point me in the direction of some good information for
a current setup I have and would like to know what the expected behavior is.

 

I have a site-to-site VPN setup between two SRX's. I'm in a development lab
that has a static NAT out to the internet through the corporate network.
(The other lab I'm connecting to is not local). Our connection to the
corporate network is to an ASA that DOES NOT support jumbo frames. I have
jumbo frames configured on the st0 interface and all interfaces all the way
back to the hosts on my side of the network. Same goes for the lab on the
other side of the tunnel. So I have 9000 bytes configured end-to-end,
however the transport the tunnel is configured across only supports std 1500
bytes frames. 

 

The developers are sending 2000+ bytes sized packets that have the DF bit
set (and it has to be as such for now). 

 

I am trying to determine the expected behavior. I've been told that the
IPsec tunnel will fragment the traffic b/c it will not copy the DF bit from
the original packet once it is encapsulated, however, I cannot ping through
the tunnel with large packet sizes and the DF bit set. I've found a lot of
information and have worked a lot with fragmentation, but can't find
anything on this exact type of scenario.

 

Thanks in advance for any input or information.

 

Sincerely,

Terry

 

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] Selective packet mode & local traffic

[Phil Mayers]

Unless I'm missing a trick, apply-paths in a prefix list pulls the netmask in 
when applied to interface ips. This is ok for lo0 filters, but not those on 
transit interfaces.

Wayne Tucker  wrote:

>You can probably achieve that using apply-path.  This book has several
>good examples:
>
>http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/securing-routing-engine/
>

-- 
Sent from my mobile device, please excuse brevity and typos.

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] BAJUG2

[Doug Hanks]

Should be a good turn out.  For those of you interested and thinking about
scheduling some other business in Sunnyvale so that you can attend, we had
about 130 members for the first BAJUG meeting.

Thanks,
Doug


On 8/10/12 11:11 AM, "Stefan Fouant"  wrote:

>On 8/10/2012 2:00 PM, Doug Hanks wrote:
>> It's time for the Bay Area Juniper Users Group again.  October 16th
>>5.30pm.
>>
>> Sign up for free at http://bajug.eventbrite.com
>
>Kudos Doug, really good stuff... maybe I'll have to schedule some
>training related travel to Sunnyvale so I can attend.
>
>Thanks for setting this up.
>
>-- 
>Stefan Fouant
>JNCIE-SEC, JNCIE-SP, JNCIE-ENT, JNCI
>Technical Trainer, Juniper Networks
>
>Follow us on Twitter @JuniperEducate


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] BAJUG2

[Stefan Fouant]

On 8/10/2012 2:00 PM, Doug Hanks wrote:

It's time for the Bay Area Juniper Users Group again.  October 16th 5.30pm.

Sign up for free at http://bajug.eventbrite.com


Kudos Doug, really good stuff... maybe I'll have to schedule some 
training related travel to Sunnyvale so I can attend.


Thanks for setting this up.

--
Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ENT, JNCI
Technical Trainer, Juniper Networks

Follow us on Twitter @JuniperEducate
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

[j-nsp] BAJUG2

[Doug Hanks]

It's time for the Bay Area Juniper Users Group again.  October 16th 5.30pm.

Sign up for free at http://bajug.eventbrite.com


Thanks,
Doug


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] mpls node-protection: LSP down

[Mihai]

 I solved the problem by removing the no-cspf statement from 
label-switched-path configuration:


mumulox@mx5t> show route table inet.3 logical-system PE1 extensive

inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
192.168.1.2/32 (1 entry, 1 announced)
State: 
*RSVP   Preference: 7/1
Next hop type: Router, Next hop index: 1299
Address: 0x2b5a578
Next-hop reference count: 13
Next hop: 172.22.211.2 via ge-1/1/7.104 
weight0x8001,selected

Label-switched-path Bypass->172.22.210.2->172.22.201.2
Label operation: Push 301744, Push 301584(top)
Label TTL action: prop-ttl, prop-ttl(top)
State: 
Local AS: 65512
Age: 3:36:49Metric: 4
Task: RSVP
Announcement bits (1): 1-Resolve tree 1



mumulox@mx5t> show rsvp session logical-system PE1 bypass extensive
Ingress RSVP: 6 sessions

192.168.5.2
  From: 192.168.1.1, LSPstate: BackupActive, ActiveRoute: 0
  LSPname: Bypass->172.22.210.2->172.22.201.2
  LSPtype: Static Configured
  Suggested label received: -, Suggested label sent: -
  Recovery label received: -, Recovery label sent: 301584
  Resv style: 1 SE, Label in: -, Label out: 301584
  Time left:-, Since: Fri Aug 10 16:06:15 2012
  Tspec: rate 0bps size 0bps peak Infbps m 20 M 1500
  Port number: sender 1 receiver 52704 protocol 0
  Type: Bypass LSP
Number of data route tunnel through: 2
Number of RSVP session tunnel through: 1
  PATH rcvfrom: localclient
  Adspec: sent MTU 1500
  Path MTU: received 1500
  PATH sentto: 172.22.211.2 (ge-1/1/7.104) 331 pkts
  RESV rcvfrom: 172.22.211.2 (ge-1/1/7.104) 331 pkts
  Explct route: 172.22.211.2 172.22.203.2 172.22.205.1
  Record route:  172.22.211.2 172.22.203.2 172.22.205.1


On 08/10/2012 06:28 PM, Wayne Tucker wrote:

I've never tried to use node-protection in conjunction with a strict
path - but I suspect the two features are incompatible since the
protection path would disregard the strict path.

Try changing the path from strict to loose.  That allows some
flexibility (though I believe every node in the path must be used, so
it will fail if the node goes down).

If you don't need to use that path, remove the primary statement on
the lsp configuration.

If you do need to use the strict path, configure an alternate strict
path and add it as a secondary under the lsp.  If you don't want it to
fail back automatically then list both as secondary paths.

:w




On Fri, Aug 10, 2012 at 2:02 AM, Mihai Gabriel  wrote:

This is the topology:
http://img52.imageshack.us/img52/5512/avpn.png

Sorry

On Fri, Aug 10, 2012 at 11:57 AM, Mihai Gabrielwrote:


Hello,

  I am trying to test the node-protection feature in a lab using an MX5
router with logical-systems and I can't find the reason why is not
working.The topology I use is here:
http://imageshack.us/photo/my-images/849/avpn.png/
All routers are configured for mls,rsvp,ospf,link-protection, but when I
disable the interface between P1 and PE1, the LSP between PE1 and PE2 goes
down and stay that way:

Before disabling the interface:

mumulox@mx5t>  show mpls lsp logical-system PE1 extensive
Ingress LSP: 1 sessions

192.168.1.2
   From: 192.168.1.1, State: Up, ActiveRoute: 0, LSPname: pe1-to-pe2
   ActivePath: strict-path (primary)
   Node/Link protection desired
   LSPtype: Static Configured
   LoadBalance: Random
   Encoding type: Packet, Switching type: Packet, GPID: IPv4
   Revert timer: 1
  *Primary   strict-path  State: Up
 Priorities: 7 0
 OptimizeTimer: 1
 SmartOptimizeTimer: 2
 Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node
10=SoftPreempt 20=Node-ID):
   192.168.5.1(flag=0x29) 172.22.210.2(flag=9 Label=301600)
192.168.5.2(flag=0x29) 172.22.201.2(flag=9 Label=301472)
192.168.5.3(flag=0x21) 172.22.206.2(flag=1 Label=301200)
192.168.1.2(flag=0x20) 172.22.212.1(Label=3)

mumulox@mx5t>  show mpls path strict-path logical-system PE1
Path nameAddress strict/loose if-id
strict-path  172.22.210.2strict

mumulox@mx5t>  show rsvp session logical-system PE1
Ingress RSVP: 2 sessions
To  FromState   Rt Style Labelin Labelout LSPname
192.168.1.2 192.168.1.1 Up   0  1 SE   -   301600
pe1-to-pe2
192.168.5.2 192.168.1.1 Up   0  1 SE   -   301296
Bypass->172.22.210.2->172.22.201.2
Total 2 displayed, Up 2, Down 0

mumulox@mx5t>  show route table inet.3 logical-system PE1 192.168.1.2
extensive

inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
192.168.1.2/32 (1 entry, 1 announced)
 State:
 *RSVP   Preference: 7/1
 Next hop type: Router, Next hop index: 1048577
 Address: 0x2c74010
 Next-hop reference count: 7
 Next hop: 172.22.210.2 via ge-1/1/7.100 weight 0x1,

Re: [j-nsp] Static Route Names

[Ken Mix]

Annotate.

Regards,

Ken

-Original Message-
From: juniper-nsp-boun...@puck.nether.net 
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of GIULIANO (WZTECH)
Sent: Friday, August 10, 2012 09:45
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Static Route Names

People,

Besides the use of groups feature on JUNOS, how can name a static route ?

IOS has an option 'name' for static routes ... how can we do the same 
thing in junos ?

Is it possible ?

There is some kind of description ?

Thanks a lot,

Giuliano
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] Static Route Names

[Stefan Fouant]

Annotate. It is your friend.

Sent from my HTC on the Now Network from Sprint!

- Reply message -
From: "GIULIANO (WZTECH)" 
Date: Fri, Aug 10, 2012 11:44 am
Subject: [j-nsp] Static Route Names
To: 

People,

Besides the use of groups feature on JUNOS, how can name a static route ?

IOS has an option 'name' for static routes ... how can we do the same 
thing in junos ?

Is it possible ?

There is some kind of description ?

Thanks a lot,

Giuliano
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] Selective packet mode & local traffic

[Clay Haynes]

On 8/10/12 11:33 AM, "Wayne Tucker"  wrote:

>You can probably achieve that using apply-path.  This book has several
>good examples:
>
>http://www.juniper.net/us/en/community/junos/training-certification/day-on
>e/fundamentals-series/securing-routing-engine/
>
>:w
>
>
>On Thu, Aug 9, 2012 at 7:37 AM, Mark Menzies  wrote:
>> Yup, we can do selective packet mode using firewall filters.
>>
>> Its normally applied in the input direction however, note, it needs to
>>be
>> on all interfaces where we will see packets that we dont want to send to
>> the flow module, ie the reply packets as well
>>
>> As for a script, sadly dont have one, however if you do get one, I would
>> like to have a copy.  :)
>>
>> On 9 August 2012 15:13, Phil Mayers  wrote:
>>
>>> All,
>>>
>>> On the J-series and branch SRX, if you want to use selective packet
>>>mode
>>> (because you want to do IPSec at the same time as MPLS, for example)
>>>then,
>>> as I understand it, you need to exclude traffic *to* the box itself
>>>from
>>> packet mode.
>>>
>>> Is this correct?
>>>
>>> Does anyone have a handy op-script that will build a prefix list of all
>>> local IPs, to help with automating this?
>>> __**_
>>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>>> 
>>>https://puck.nether.net/**mailman/listinfo/juniper-nsp>>er.net/mailman/listinfo/juniper-nsp>
>>>
>> ___
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>___
>juniper-nsp mailing list juniper-nsp@puck.nether.net
>https://puck.nether.net/mailman/listinfo/juniper-nsp


Try this and see if it works/is acceptable:

+  policy-options {
+  prefix-list interfaces {
+  apply-path "interfaces <*> unit <*> family inet address <*>";
+  }
+  }



Here's the output that you'll get (note that it will take the entire
subnet that the interface/unit is configured for):


chaynes@srx100-1# show | compare | display inheritance
[edit]
+  policy-options {
+  prefix-list interfaces {
  ##
  ## apply-path was expanded to:
  ## 172.16.1.0/24;
  ## 172.16.100.0/24;
  ## 10.0.0.0/24;
  ##
+  apply-path "interfaces <*> unit <*> family inet address <*>";
+  }
+  }





- Clay


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] Static Route Names

[Wayne Tucker]

It doesn't show up anywhere but the configuration, but what about annotate?

edit routing-options static
annotate route 10.0.0.0/8 "insert comment here"

:w



On Fri, Aug 10, 2012 at 8:44 AM, GIULIANO (WZTECH)
 wrote:
> People,
>
> Besides the use of groups feature on JUNOS, how can name a static route ?
>
> IOS has an option 'name' for static routes ... how can we do the same thing
> in junos ?
>
> Is it possible ?
>
> There is some kind of description ?
>
> Thanks a lot,
>
> Giuliano
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

[j-nsp] Static Route Names

[GIULIANO (WZTECH)]

People,

Besides the use of groups feature on JUNOS, how can name a static route ?

IOS has an option 'name' for static routes ... how can we do the same 
thing in junos ?


Is it possible ?

There is some kind of description ?

Thanks a lot,

Giuliano
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] Selective packet mode & local traffic

[Wayne Tucker]

You can probably achieve that using apply-path.  This book has several
good examples:

http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/securing-routing-engine/

:w


On Thu, Aug 9, 2012 at 7:37 AM, Mark Menzies  wrote:
> Yup, we can do selective packet mode using firewall filters.
>
> Its normally applied in the input direction however, note, it needs to be
> on all interfaces where we will see packets that we dont want to send to
> the flow module, ie the reply packets as well
>
> As for a script, sadly dont have one, however if you do get one, I would
> like to have a copy.  :)
>
> On 9 August 2012 15:13, Phil Mayers  wrote:
>
>> All,
>>
>> On the J-series and branch SRX, if you want to use selective packet mode
>> (because you want to do IPSec at the same time as MPLS, for example) then,
>> as I understand it, you need to exclude traffic *to* the box itself from
>> packet mode.
>>
>> Is this correct?
>>
>> Does anyone have a handy op-script that will build a prefix list of all
>> local IPs, to help with automating this?
>> __**_
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/**mailman/listinfo/juniper-nsp
>>
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] mpls node-protection: LSP down

[Wayne Tucker]

I've never tried to use node-protection in conjunction with a strict
path - but I suspect the two features are incompatible since the
protection path would disregard the strict path.

Try changing the path from strict to loose.  That allows some
flexibility (though I believe every node in the path must be used, so
it will fail if the node goes down).

If you don't need to use that path, remove the primary statement on
the lsp configuration.

If you do need to use the strict path, configure an alternate strict
path and add it as a secondary under the lsp.  If you don't want it to
fail back automatically then list both as secondary paths.

:w




On Fri, Aug 10, 2012 at 2:02 AM, Mihai Gabriel  wrote:
> This is the topology:
> http://img52.imageshack.us/img52/5512/avpn.png
>
> Sorry
>
> On Fri, Aug 10, 2012 at 11:57 AM, Mihai Gabriel wrote:
>
>> Hello,
>>
>>  I am trying to test the node-protection feature in a lab using an MX5
>> router with logical-systems and I can't find the reason why is not
>> working.The topology I use is here:
>> http://imageshack.us/photo/my-images/849/avpn.png/
>> All routers are configured for mls,rsvp,ospf,link-protection, but when I
>> disable the interface between P1 and PE1, the LSP between PE1 and PE2 goes
>> down and stay that way:
>>
>> Before disabling the interface:
>>
>> mumulox@mx5t> show mpls lsp logical-system PE1 extensive
>> Ingress LSP: 1 sessions
>>
>> 192.168.1.2
>>   From: 192.168.1.1, State: Up, ActiveRoute: 0, LSPname: pe1-to-pe2
>>   ActivePath: strict-path (primary)
>>   Node/Link protection desired
>>   LSPtype: Static Configured
>>   LoadBalance: Random
>>   Encoding type: Packet, Switching type: Packet, GPID: IPv4
>>   Revert timer: 1
>>  *Primary   strict-path  State: Up
>> Priorities: 7 0
>> OptimizeTimer: 1
>> SmartOptimizeTimer: 2
>> Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node
>> 10=SoftPreempt 20=Node-ID):
>>   192.168.5.1(flag=0x29) 172.22.210.2(flag=9 Label=301600)
>> 192.168.5.2(flag=0x29) 172.22.201.2(flag=9 Label=301472)
>> 192.168.5.3(flag=0x21) 172.22.206.2(flag=1 Label=301200)
>> 192.168.1.2(flag=0x20) 172.22.212.1(Label=3)
>>
>> mumulox@mx5t> show mpls path strict-path logical-system PE1
>> Path nameAddress strict/loose if-id
>> strict-path  172.22.210.2strict
>>
>> mumulox@mx5t> show rsvp session logical-system PE1
>> Ingress RSVP: 2 sessions
>> To  FromState   Rt Style Labelin Labelout LSPname
>> 192.168.1.2 192.168.1.1 Up   0  1 SE   -   301600
>> pe1-to-pe2
>> 192.168.5.2 192.168.1.1 Up   0  1 SE   -   301296
>> Bypass->172.22.210.2->172.22.201.2
>> Total 2 displayed, Up 2, Down 0
>>
>> mumulox@mx5t> show route table inet.3 logical-system PE1 192.168.1.2
>> extensive
>>
>> inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
>> 192.168.1.2/32 (1 entry, 1 announced)
>> State: 
>> *RSVP   Preference: 7/1
>> Next hop type: Router, Next hop index: 1048577
>> Address: 0x2c74010
>> Next-hop reference count: 7
>> Next hop: 172.22.210.2 via ge-1/1/7.100 weight 0x1,
>> selected
>> Label-switched-path pe1-to-pe2
>> Label operation: Push 301600
>> Label TTL action: prop-ttl
>> Next hop: 172.22.211.2 via ge-1/1/7.104 weight 0x8001
>> Label-switched-path Bypass->172.22.210.2->172.22.201.2
>> Label operation: Push 301472, Push 301296(top)
>> Label TTL action: prop-ttl, prop-ttl(top)
>> State: 
>> Local AS: 65512
>> Age: 4:33 Metric: 4
>> Task: RSVP
>> Announcement bits (1): 1-Resolve tree 1
>> AS path: I
>>
>> After disabling the interface:
>>
>> mumulox@mx5t> show mpls lsp extensive logical-system PE1
>> Ingress LSP: 1 sessions
>>
>> 192.168.1.2
>>   From: 192.168.1.1, State: Dn, ActiveRoute: 0, LSPname: pe1-to-pe2
>>   ActivePath: (none)
>>   Node/Link protection desired
>>   LSPtype: Static Configured
>>   LoadBalance: Random
>>   Encoding type: Packet, Switching type: Packet, GPID: IPv4
>>   Revert timer: 1
>>   Primary   strict-path  State: Dn
>> Priorities: 7 0
>> OptimizeTimer: 1
>> SmartOptimizeTimer: 2
>>199 Aug 10 12:04:44.607 Deselected as active
>>198 Aug 10 12:04:44.607 172.22.205.1: Non-RSVP capable router detected
>>197 Aug 10 12:04:44.607 Link-protection Down
>>196 Aug 10 12:04:44.606 Session preempted
>>195 Aug 10 12:04:44.504 172.22.210.1: Tunnel local repaired
>>194 Aug 10 12:04:44.504 172.22.210.1: Down
>>
>> "198 Aug 10 12:04:44.607 172.22.205.1: Non-RSVP capable router detected"
>> seems to be very clear,but it is not, because all routers are rsvp enabled
>>
>> mumulox@mx5t> show rsvp neighbor logical-system P2
>> RSVP neighbor: 3 learned
>>

Re: [j-nsp] VLAN into a VPLS instance

[Chris Kawchuk]

Use an LT to crones-connect the bridge-domain with the vlan access interfaces 
(which you do a push-vlan-tag on ingress), and stitch the LT into the VPLS 
instance.

I was going to say "sure, put the access ports into a VPLS and do a vlan-push 
on ingress; and a pop on egress" but yes, that raises an issue as it would pop 
ANY packet returning from the MPLS-universe trying to leave the VPLS (and not 
just the one with the specific vlan tag); so you'd end up with "leakage" from 
the cloud.

- CK.

On 10/08/2012, at 7:50 PM, William Jackson  wrote:

> Hello
> 
> I want to setup an MX with multiple access ports in VLAN, I then want to 
> bridge that vlan into a VPLS instance.
> 
> So all L2, no interface vlan.XX stuff, is this possible?
> 
> thanks
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

[j-nsp] VLAN into a VPLS instance

[William Jackson]

Hello

I want to setup an MX with multiple access ports in VLAN, I then want to bridge 
that vlan into a VPLS instance.

So all L2, no interface vlan.XX stuff, is this possible?

thanks
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] mpls node-protection: LSP down

[Mihai Gabriel]

This is the topology:
http://img52.imageshack.us/img52/5512/avpn.png

Sorry

On Fri, Aug 10, 2012 at 11:57 AM, Mihai Gabriel wrote:

> Hello,
>
>  I am trying to test the node-protection feature in a lab using an MX5
> router with logical-systems and I can't find the reason why is not
> working.The topology I use is here:
> http://imageshack.us/photo/my-images/849/avpn.png/
> All routers are configured for mls,rsvp,ospf,link-protection, but when I
> disable the interface between P1 and PE1, the LSP between PE1 and PE2 goes
> down and stay that way:
>
> Before disabling the interface:
>
> mumulox@mx5t> show mpls lsp logical-system PE1 extensive
> Ingress LSP: 1 sessions
>
> 192.168.1.2
>   From: 192.168.1.1, State: Up, ActiveRoute: 0, LSPname: pe1-to-pe2
>   ActivePath: strict-path (primary)
>   Node/Link protection desired
>   LSPtype: Static Configured
>   LoadBalance: Random
>   Encoding type: Packet, Switching type: Packet, GPID: IPv4
>   Revert timer: 1
>  *Primary   strict-path  State: Up
> Priorities: 7 0
> OptimizeTimer: 1
> SmartOptimizeTimer: 2
> Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node
> 10=SoftPreempt 20=Node-ID):
>   192.168.5.1(flag=0x29) 172.22.210.2(flag=9 Label=301600)
> 192.168.5.2(flag=0x29) 172.22.201.2(flag=9 Label=301472)
> 192.168.5.3(flag=0x21) 172.22.206.2(flag=1 Label=301200)
> 192.168.1.2(flag=0x20) 172.22.212.1(Label=3)
>
> mumulox@mx5t> show mpls path strict-path logical-system PE1
> Path nameAddress strict/loose if-id
> strict-path  172.22.210.2strict
>
> mumulox@mx5t> show rsvp session logical-system PE1
> Ingress RSVP: 2 sessions
> To  FromState   Rt Style Labelin Labelout LSPname
> 192.168.1.2 192.168.1.1 Up   0  1 SE   -   301600
> pe1-to-pe2
> 192.168.5.2 192.168.1.1 Up   0  1 SE   -   301296
> Bypass->172.22.210.2->172.22.201.2
> Total 2 displayed, Up 2, Down 0
>
> mumulox@mx5t> show route table inet.3 logical-system PE1 192.168.1.2
> extensive
>
> inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
> 192.168.1.2/32 (1 entry, 1 announced)
> State: 
> *RSVP   Preference: 7/1
> Next hop type: Router, Next hop index: 1048577
> Address: 0x2c74010
> Next-hop reference count: 7
> Next hop: 172.22.210.2 via ge-1/1/7.100 weight 0x1,
> selected
> Label-switched-path pe1-to-pe2
> Label operation: Push 301600
> Label TTL action: prop-ttl
> Next hop: 172.22.211.2 via ge-1/1/7.104 weight 0x8001
> Label-switched-path Bypass->172.22.210.2->172.22.201.2
> Label operation: Push 301472, Push 301296(top)
> Label TTL action: prop-ttl, prop-ttl(top)
> State: 
> Local AS: 65512
> Age: 4:33 Metric: 4
> Task: RSVP
> Announcement bits (1): 1-Resolve tree 1
> AS path: I
>
> After disabling the interface:
>
> mumulox@mx5t> show mpls lsp extensive logical-system PE1
> Ingress LSP: 1 sessions
>
> 192.168.1.2
>   From: 192.168.1.1, State: Dn, ActiveRoute: 0, LSPname: pe1-to-pe2
>   ActivePath: (none)
>   Node/Link protection desired
>   LSPtype: Static Configured
>   LoadBalance: Random
>   Encoding type: Packet, Switching type: Packet, GPID: IPv4
>   Revert timer: 1
>   Primary   strict-path  State: Dn
> Priorities: 7 0
> OptimizeTimer: 1
> SmartOptimizeTimer: 2
>199 Aug 10 12:04:44.607 Deselected as active
>198 Aug 10 12:04:44.607 172.22.205.1: Non-RSVP capable router detected
>197 Aug 10 12:04:44.607 Link-protection Down
>196 Aug 10 12:04:44.606 Session preempted
>195 Aug 10 12:04:44.504 172.22.210.1: Tunnel local repaired
>194 Aug 10 12:04:44.504 172.22.210.1: Down
>
> "198 Aug 10 12:04:44.607 172.22.205.1: Non-RSVP capable router detected"
> seems to be very clear,but it is not, because all routers are rsvp enabled
>
> mumulox@mx5t> show rsvp neighbor logical-system P2
> RSVP neighbor: 3 learned
> AddressIdle Up/Dn LastChange HelloInt HelloTx/Rx MsgRcvd
> 172.22.201.1  0 13/12  23:491 84288/84248 2908
> 172.22.206.2  0  1/0  2d 20:02:201 92707/92707 4944
> 172.22.205.2  0  1/0  2d 18:30:331 92114/92114 6789
>
> Any advice?
>
> Thanks
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

[j-nsp] mpls node-protection: LSP down

[Mihai Gabriel]

Hello,

 I am trying to test the node-protection feature in a lab using an MX5
router with logical-systems and I can't find the reason why is not
working.The topology I use is here:
http://imageshack.us/photo/my-images/849/avpn.png/
All routers are configured for mls,rsvp,ospf,link-protection, but when I
disable the interface between P1 and PE1, the LSP between PE1 and PE2 goes
down and stay that way:

Before disabling the interface:

mumulox@mx5t> show mpls lsp logical-system PE1 extensive
Ingress LSP: 1 sessions

192.168.1.2
  From: 192.168.1.1, State: Up, ActiveRoute: 0, LSPname: pe1-to-pe2
  ActivePath: strict-path (primary)
  Node/Link protection desired
  LSPtype: Static Configured
  LoadBalance: Random
  Encoding type: Packet, Switching type: Packet, GPID: IPv4
  Revert timer: 1
 *Primary   strict-path  State: Up
Priorities: 7 0
OptimizeTimer: 1
SmartOptimizeTimer: 2
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node
10=SoftPreempt 20=Node-ID):
  192.168.5.1(flag=0x29) 172.22.210.2(flag=9 Label=301600)
192.168.5.2(flag=0x29) 172.22.201.2(flag=9 Label=301472)
192.168.5.3(flag=0x21) 172.22.206.2(flag=1 Label=301200)
192.168.1.2(flag=0x20) 172.22.212.1(Label=3)

mumulox@mx5t> show mpls path strict-path logical-system PE1
Path nameAddress strict/loose if-id
strict-path  172.22.210.2strict

mumulox@mx5t> show rsvp session logical-system PE1
Ingress RSVP: 2 sessions
To  FromState   Rt Style Labelin Labelout LSPname
192.168.1.2 192.168.1.1 Up   0  1 SE   -   301600 pe1-to-pe2
192.168.5.2 192.168.1.1 Up   0  1 SE   -   301296
Bypass->172.22.210.2->172.22.201.2
Total 2 displayed, Up 2, Down 0

mumulox@mx5t> show route table inet.3 logical-system PE1 192.168.1.2
extensive

inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
192.168.1.2/32 (1 entry, 1 announced)
State: 
*RSVP   Preference: 7/1
Next hop type: Router, Next hop index: 1048577
Address: 0x2c74010
Next-hop reference count: 7
Next hop: 172.22.210.2 via ge-1/1/7.100 weight 0x1, selected
Label-switched-path pe1-to-pe2
Label operation: Push 301600
Label TTL action: prop-ttl
Next hop: 172.22.211.2 via ge-1/1/7.104 weight 0x8001
Label-switched-path Bypass->172.22.210.2->172.22.201.2
Label operation: Push 301472, Push 301296(top)
Label TTL action: prop-ttl, prop-ttl(top)
State: 
Local AS: 65512
Age: 4:33 Metric: 4
Task: RSVP
Announcement bits (1): 1-Resolve tree 1
AS path: I

After disabling the interface:

mumulox@mx5t> show mpls lsp extensive logical-system PE1
Ingress LSP: 1 sessions

192.168.1.2
  From: 192.168.1.1, State: Dn, ActiveRoute: 0, LSPname: pe1-to-pe2
  ActivePath: (none)
  Node/Link protection desired
  LSPtype: Static Configured
  LoadBalance: Random
  Encoding type: Packet, Switching type: Packet, GPID: IPv4
  Revert timer: 1
  Primary   strict-path  State: Dn
Priorities: 7 0
OptimizeTimer: 1
SmartOptimizeTimer: 2
   199 Aug 10 12:04:44.607 Deselected as active
   198 Aug 10 12:04:44.607 172.22.205.1: Non-RSVP capable router detected
   197 Aug 10 12:04:44.607 Link-protection Down
   196 Aug 10 12:04:44.606 Session preempted
   195 Aug 10 12:04:44.504 172.22.210.1: Tunnel local repaired
   194 Aug 10 12:04:44.504 172.22.210.1: Down

"198 Aug 10 12:04:44.607 172.22.205.1: Non-RSVP capable router detected"
seems to be very clear,but it is not, because all routers are rsvp enabled

mumulox@mx5t> show rsvp neighbor logical-system P2
RSVP neighbor: 3 learned
AddressIdle Up/Dn LastChange HelloInt HelloTx/Rx MsgRcvd
172.22.201.1  0 13/12  23:491 84288/84248 2908
172.22.206.2  0  1/0  2d 20:02:201 92707/92707 4944
172.22.205.2  0  1/0  2d 18:30:331 92114/92114 6789

Any advice?

Thanks
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp