Re: [j-nsp] flexible ethernet services change

2009-06-26 Thread Felix Schüren

Jay,

Jay Hanke wrote:

> Is it service affecting to change the physical interface encapsulation on a
> mx router to flexible Ethernet services?

Yes. The existing logical interfaces will flap and will take at least a
few seconds to come up again (we observed 5 to 20 seconds between newer
MXes and older M320s when enabling flexible-ethernet-services).


Kind regards,

Felix


--
Felix Schüren
Head of NOC

--
Host Europe GmbH - http://www.hosteurope.de
Welserstraße 14 - D-51149 Köln - Germany
Phone: (0800) 4 67 83 87 - Fax: (01805) 66 32 33
HRB 28495 Amtsgericht Köln - UST ID DE187370678
Managing Directors:
Uwe Braun - Alex Collins - Mark Joseph - Patrick Pulvermüller
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

[j-nsp] flexible ethernet services change

2009-06-26 Thread Jay Hanke
Is it service affecting to change the physical interface encapsulation on a
mx router to flexible Ethernet services?

jay



Re: [j-nsp] Failed to find the resolving address node

2009-06-26 Thread Cord MacLeod

Yes. This is addressed in JUNOS Problem Report Number 412240.

JTAC claims this is harmless and "will be fixed in a future release."


On Jun 26, 2009, at 12:02 PM, Brendan Mannella wrote:

> Does anyone know what this means? I have these all through my message logs
> on a 4200 VC.
>
> Jun 26 14:58:19  core1.pit1 fpc0 Failed to find the resolving address node
> Jun 26 14:58:23  core1.pit1 fpc1 Failed to find the resolving address node
> Jun 26 14:58:25  core1.pit1 fpc0 Failed to find the resolving address node
> Jun 26 14:58:27  core1.pit1 fpc1 Failed to find the resolving address node






[j-nsp] Failed to find the resolving address node

2009-06-26 Thread Brendan Mannella
Does anyone know what this means? I have these all through my message logs
on a 4200 VC.

Jun 26 14:58:19  core1.pit1 fpc0 Failed to find the resolving address node
Jun 26 14:58:23  core1.pit1 fpc1 Failed to find the resolving address node
Jun 26 14:58:25  core1.pit1 fpc0 Failed to find the resolving address node
Jun 26 14:58:27  core1.pit1 fpc1 Failed to find the resolving address node



Re: [j-nsp] Bulk updates to Netscreen 5400

2009-06-26 Thread Sidney Boumendil
On Fri, Jun 26, 2009 at 5:02 PM, Ross Vandegrift  wrote:

> On Fri, Jun 26, 2009 at 12:52:49PM +0100, Phil Mayers wrote:
> > However - I have it on good authority that NSM merely uses a hidden CLI
> > command to start & commit bulk updates "all at once", a bit like SQL
>

You can view the raw config file by issuing a "get config datafile". I guess
NSM is pushing such a file through the SSP connection established with the
firewall. Don't know if you could do this manually.

If you have a heavily loaded cluster, I recommend pushing policy changes to
the backup unit of your cluster. By enabling NSRP config sync, changes will
be replicated to the master.

HTH

Sidney


Re: [j-nsp] Bulk updates to Netscreen 5400

2009-06-26 Thread Ross Vandegrift
On Fri, Jun 26, 2009 at 04:05:28PM +0100, Phil Mayers wrote:
> That seems to be it; ScreenOS throws me back out with a "NSM only!"
> error though, so I suspect you need to be a specially-provisioned NSM
> user for this :o(

NSM traffic comes in over a special port with a special set of config
to support it:

set nsmgmt init id 
set nsmgmt server primary  port 7800
set nsmgmt bulkcli reboot-timeout 60
set nsmgmt hb-interval 20
set nsmgmt hb-threshold 5
set nsmgmt enable

You might be able to cheat by making the obvious changes :)

Ross

-- 
Ross Vandegrift
r...@kallisti.us

"If the fight gets hot, the songs get hotter.  If the going gets tough,
the songs get tougher."
--Woody Guthrie


Re: [j-nsp] Bulk updates to Netscreen 5400

2009-06-26 Thread Phil Mayers

Ross Vandegrift wrote:

> On Fri, Jun 26, 2009 at 12:52:49PM +0100, Phil Mayers wrote:
>> However - I have it on good authority that NSM merely uses a hidden CLI
>> command to start & commit bulk updates "all at once", a bit like SQL
>>
>> e.g.
>>
>> set mode bulk
>> set address Trust ...
>> ...100 more lines
>> set mode bulk-commit
>>
>> ...or something like that. Does anyone know what those magic commands
>> are, if they really exist? Are there any caveats to using them?
>
> I don't know the total sequence of commands, as I've never actually
> done this, but I think you're looking for "exec config lock ..."



That seems to be it; ScreenOS throws me back out with a "NSM only!"
error though, so I suspect you need to be a specially-provisioned NSM
user for this :o(



Re: [j-nsp] Bulk updates to Netscreen 5400

2009-06-26 Thread Ross Vandegrift
On Fri, Jun 26, 2009 at 12:52:49PM +0100, Phil Mayers wrote:
> However - I have it on good authority that NSM merely uses a hidden CLI  
> command to start & commit bulk updates "all at once", a bit like SQL
>
> e.g.
>
> set mode bulk
> set address Trust ...
> ...100 more lines
> set mode bulk-commit
>
> ...or something like that. Does anyone know what those magic commands  
> are, if they really exist? Are there any caveats to using them?

I don't know the total sequence of commands, as I've never actually
done this, but I think you're looking for "exec config lock ..."

-- 
Ross Vandegrift
r...@kallisti.us

"If the fight gets hot, the songs get hotter.  If the going gets tough,
the songs get tougher."
--Woody Guthrie


Re: [j-nsp] Bulk updates to Netscreen 5400

2009-06-26 Thread Phil Mayers

Phil Mayers wrote:

> Tim Eberhard wrote:
>
>> I would not suggest playing with that fire...
>>
>> My personal suggestion to make "bulk" updates or update many
>> configuration items at once would be to create the list of changes to a
>> file and then tftp merge it into the configuration.
>>
>> It will go very fast and you can tell if anything errored out instantly.
>>
>> Merging part 1000 lines via tftp takes just 10-15 seconds.
>
> Hmm. Interesting. I'll give that a go.


Sadly, that doesn't seem to help. The firewall still stops responding to 
pings, SNMP monitoring, other CLI sessions and so forth, even for small 
updates. Thanks for the suggestion though.



Re: [j-nsp] Bulk updates to Netscreen 5400

2009-06-26 Thread Phil Mayers

Tim Eberhard wrote:

> I would not suggest playing with that fire...
>
> My personal suggestion to make "bulk" updates or update many
> configuration items at once would be to create the list of changes to a
> file and then tftp merge it into the configuration.
>
> It will go very fast and you can tell if anything errored out instantly.
>
> Merging part 1000 lines via tftp takes just 10-15 seconds.


Hmm. Interesting. I'll give that a go.


Re: [j-nsp] Bulk updates to Netscreen 5400

2009-06-26 Thread Tim Eberhard
I would not suggest playing with that fire...

My personal suggestion to make "bulk" updates or update many configuration
items at once would be to create the list of changes to a file and then tftp
merge it into the configuration.

It will go very fast and you can tell if anything errored out instantly.

Merging part 1000 lines via tftp takes just 10-15 seconds.

Good luck,
-Tim Eberhard

On Fri, Jun 26, 2009 at 6:52 AM, Phil Mayers wrote:

> All,
>
> We have a (quite busy) netscreen 5400, which we occasionally need to make
> big policy updates to. It goes very slow if we paste in changes via the CLI,
> and we're not inclined to buy Netscreen Security Manager (or whatever it's
> called these days) because our reseller stiffed us on a promised upgrade,
> and the demo we had was anyway pretty underwhelming.
>
> However - I have it on good authority that NSM merely uses a hidden CLI
> command to start & commit bulk updates "all at once", a bit like SQL
>
> e.g.
>
> set mode bulk
> set address Trust ...
> ...100 more lines
> set mode bulk-commit
>
> ...or something like that. Does anyone know what those magic commands are,
> if they really exist? Are there any caveats to using them?


[j-nsp] Bulk updates to Netscreen 5400

2009-06-26 Thread Phil Mayers

All,

We have a (quite busy) netscreen 5400, which we occasionally need to 
make big policy updates to. It goes very slow if we paste in changes via 
the CLI, and we're not inclined to buy Netscreen Security Manager (or 
whatever it's called these days) because our reseller stiffed us on a 
promised upgrade, and the demo we had was anyway pretty underwhelming.


However - I have it on good authority that NSM merely uses a hidden CLI 
command to start & commit bulk updates "all at once", a bit like SQL


e.g.

set mode bulk
set address Trust ...
...100 more lines
set mode bulk-commit

...or something like that. Does anyone know what those magic commands 
are, if they really exist? Are there any caveats to using them?



Re: [j-nsp] Maximum no. of static arp entries in M7i

2009-06-26 Thread Patrik Olsson
Hello,

Too bad!
With IQ2 PIC and possibly ISE features on an I chip upgraded M series
you probably could have fixed it without static ARPs.

Cheers
Patrik


Samit wrote:
> Hi Tarique,
> 
> Thanks, but I am not running mpls/vpls nor do I have a IQ pic.
> 
> Regards,
> Samit
> 
> 
> Nalkhande Tarique Abbas wrote:
>> Samit
>>
>> Something similar to limit source-mac should help...you can try to fine
>> tune it further!
>>
>>
>> l...@m120# show interfaces ge-1/3/0
>> encapsulation flexible-ethernet-services;
>> gigether-options {   <===
>>     source-filtering;
>>     ...
>> }
>> ...
>>     vlan-id 1001;
>>     encapsulation vlan-vpls;
>>     accept-source-mac {
>>         mac-address 00:17:9a:00:73:91; <===
>>     }
>> ...
>>
>> Thanks & Regards,
>> Tarique 
>>
>> -Original Message-
>> From: juniper-nsp-boun...@puck.nether.net
>> [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Samit
>> Sent: Friday, June 26, 2009 10:50 AM
>> To: Patrik Olsson
>> Cc: juniper-nsp
>> Subject: Re: [j-nsp] Maximum no. of static arp entries in M7i
>>
>> In a static IP address allocation to customers scenario, is there
>> any other way to discourage the users from abusing another subscriber's
>> IP or MAC address and accessing/abusing the internet in a L2 switched network
>> (wired/wireless) where you do not have the capability to control this from
>> a switch port?
>>
>> Currently I am using a linux router and doing IP+MAC filtering using
>> iptables, and now wondering if I can replace it with a Juniper M7i to do the
>> same, but I believe it is not possible to run such filtering.
>>
>> Samit
>>
>> Patrik Olsson wrote:
>>> Out of sheer curiosity, why static ARPs?
>>>
>>> Patrik
>>>
>>>> Hi,
>>>>
>>>> Any idea how many static arp entries M7i interfaces/junos will
>>>> accept and work?
>>>>
>>>> interfaces ge-1/3/0 {
>>>>     unit 0 {
>>>>         family inet {
>>>>             address 192.168.0.1/24 {
>>>>                 arp 192.168.0.2 mac 00:17:f2:cb:89:43;
>>>>             }
>>>>         }
>>>>     }
>>>> }
>>>>
>>>> Regards,
>>>> Samit
>>
>>


-- 

//Patrik

Webkom
http://www.webkom.se

+46 (0)709 35 22 99
+46 (0)8 559 26 488




Re: [j-nsp] Maximum no. of static arp entries in M7i

2009-06-26 Thread Samit
Hi Tarique,

Thanks, but I am not running mpls/vpls nor do I have an IQ PIC.

Regards,
Samit


Nalkhande Tarique Abbas wrote:
> Samit
> 
> Something similar to limit source-mac should help...you can try to fine
> tune it further!
> 
> 
> l...@m120# show interfaces ge-1/3/0
> encapsulation flexible-ethernet-services;
> gigether-options {   <===
>     source-filtering;
>     ...
> }
> ...
>     vlan-id 1001;
>     encapsulation vlan-vpls;
>     accept-source-mac {
>         mac-address 00:17:9a:00:73:91; <===
>     }
> ...
>
> Thanks & Regards,
> Tarique 
> 
> -Original Message-
> From: juniper-nsp-boun...@puck.nether.net
> [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Samit
> Sent: Friday, June 26, 2009 10:50 AM
> To: Patrik Olsson
> Cc: juniper-nsp
> Subject: Re: [j-nsp] Maximum no. of static arp entries in M7i
> 
> In a static IP address allocation to customers scenario, is there
> any other way to discourage the users from abusing another subscriber's
> IP or MAC address and accessing/abusing the internet in a L2 switched network
> (wired/wireless) where you do not have the capability to control this from
> a switch port?
>
> Currently I am using a linux router and doing IP+MAC filtering using
> iptables, and now wondering if I can replace it with a Juniper M7i to do the
> same, but I believe it is not possible to run such filtering.
> 
> Samit
> 
> Patrik Olsson wrote:
>> Out of sheer curiosity, why static ARPs?
>>
>> Patrik
>>
>>> Hi,
>>>
>>> Any idea how many static arp entries M7i interfaces/junos will
>>> accept and work?
>>>
>>> interfaces ge-1/3/0 {
>>>     unit 0 {
>>>         family inet {
>>>             address 192.168.0.1/24 {
>>>                 arp 192.168.0.2 mac 00:17:f2:cb:89:43;
>>>             }
>>>         }
>>>     }
>>> }
>>>
>>> Regards,
>>> Samit
>>
> 
> 


Re: [j-nsp] Maximum no. of static arp entries in M7i

2009-06-26 Thread Nalkhande Tarique Abbas
Samit

Something similar to limit source-mac should help...you can try to fine
tune it further!


l...@m120# show interfaces ge-1/3/0
encapsulation flexible-ethernet-services;
gigether-options {   <===
    source-filtering;
    ...
}
...
    vlan-id 1001;
    encapsulation vlan-vpls;
    accept-source-mac {
        mac-address 00:17:9a:00:73:91; <===
    }
...

Thanks & Regards,
Tarique 

-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Samit
Sent: Friday, June 26, 2009 10:50 AM
To: Patrik Olsson
Cc: juniper-nsp
Subject: Re: [j-nsp] Maximum no. of static arp entries in M7i

In a static IP address allocation to customers scenario, is there
any other way to discourage the users from abusing another subscriber's
IP or MAC address and accessing/abusing the internet in a L2 switched network
(wired/wireless) where you do not have the capability to control this from
a switch port?

Currently I am using a linux router and doing IP+MAC filtering using
iptables, and now wondering if I can replace it with a Juniper M7i to do the
same, but I believe it is not possible to run such filtering.

Samit

Patrik Olsson wrote:
> Out of sheer curiosity, why static ARPs?
> 
> Patrik
> 
>> Hi,
>>
>> Any idea how many static arp entries M7i interfaces/junos will
>> accept and work?
>>
>> interfaces ge-1/3/0 {
>>     unit 0 {
>>         family inet {
>>             address 192.168.0.1/24 {
>>                 arp 192.168.0.2 mac 00:17:f2:cb:89:43;
>>             }
>>         }
>>     }
>> }
>>
>> Regards,
>> Samit
> 
> 
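One way to keep the IP-to-MAC bindings this thread is about in a single table and generate both enforcement forms from it (the iptables IP+MAC filtering Samit runs on his Linux router, and the Junos static ARP stanza he quoted), as an added example that is not code from any poster. The gateway prefix 192.168.0.1/24, interface ge-1/3/0 and the MAC addresses are taken from the thread; the Linux interface eth1 and the subscriber table are constructed.

```python
"""IP<->MAC binding generator: iptables rules for a Linux router and Junos
static ARP for the access interface, from one subscriber table (added example;
gateway, interfaces and subscriber entries below are constructed)."""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed subscriber table: (assigned IP, subscriber NIC MAC).
SUBSCRIBERS = [("192.168.0.2", "00:17:f2:cb:89:43"),
               ("192.168.0.3", "00:17:9A:00:73:91")]

def validate_bindings(bindings, gateway):
    """Normalize (ip, mac) pairs and reject anything that would weaken the
    bindings: hosts outside the gateway prefix, the gateway address itself,
    malformed MACs, or an IP or MAC bound twice."""
    gw = ipaddress.ip_interface(gateway)
    seen_ip, seen_mac, out = set(), set(), []
    for ip, mac in bindings:
        addr, mac = ipaddress.ip_address(ip), mac.lower()
        if addr not in gw.network or addr == gw.ip:
            raise ValueError(f"{ip} is not a host address in {gw.network}")
        if not MAC_RE.match(mac):
            raise ValueError(f"malformed MAC {mac!r} for {ip}")
        if addr in seen_ip or mac in seen_mac:
            raise ValueError(f"duplicate binding for {ip} / {mac}")
        seen_ip.add(addr)
        seen_mac.add(mac)
        out.append((str(addr), mac))
    return out

def iptables_rules(bindings, in_if):
    """FORWARD rules: a source IP is accepted only from its bound MAC on in_if;
    the final rule drops everything else entering on in_if, which also catches
    spoofed addresses from outside the subnet (-m mac is valid in FORWARD)."""
    rules = [f"iptables -A FORWARD -i {in_if} -s {ip} -m mac --mac-source {mac} -j ACCEPT"
             for ip, mac in bindings]
    rules.append(f"iptables -A FORWARD -i {in_if} -j DROP")
    return rules

def junos_static_arp(bindings, interface, unit, gateway):
    """Junos set-commands equivalent to the 'address ... { arp ... mac ...; }'
    stanza quoted in the thread; the subnet comes from the gateway prefix."""
    base = f"set interfaces {interface} unit {unit} family inet address {gateway}"
    return [f"{base} arp {ip} mac {mac}" for ip, mac in bindings]

if __name__ == "__main__":
    checked = validate_bindings(SUBSCRIBERS, "192.168.0.1/24")
    print("\n".join(iptables_rules(checked, "eth1")))
    print("\n".join(junos_static_arp(checked, "ge-1/3/0", 0, "192.168.0.1/24")))
```

Static ARP only pins the router's own view of which MAC an IP resolves to for traffic it sends toward the subnet; it does not filter what a host sources, which is why the iptables rules remain the enforcement point in this setup.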