Re: [j-nsp] BGP import policy not refreshing properly
Hi Truman,
*tbo...@manhattan> show configuration policy-options policy-statement
set-med
term 1 {**
from metric 0;
then {
metric 3;
**?++ACCEPT++?**
}
}
*
* term local_pref {**
then {
local-preference 110;
accept;
}
}
*
* term default {
then reject;
}
*
---
Yev.
2009/7/15 Truman Boyes
> Hi,
>
> I ran a quick test with 9.2R2.15 between two BGP peers and I see BGP metric
> (MED) changes take effect immediately.
>
> tbo...@brooklyn> show configuration protocols bgp
> group test {
>type internal;
>local-address 50.50.50.1;
>family inet {
>unicast;
>}
>family inet-vpn {
>unicast;
>}
>export static-export;
>ipsec-sa bgp-secure;
>multipath;
>neighbor 50.50.50.254;
> }
>
> tbo...@manhattan> show configuration protocols bgp
> group test {
>type internal;
>local-address 50.50.50.254;
>import set-med;
>family inet {
>unicast;
>}
>family inet-vpn {
>unicast;
>}
>ipsec-sa bgp-secure;
>neighbor 50.50.50.1;
> }
>
> tbo...@manhattan> show configuration policy-options policy-statement
> set-med
> term 1 {
>from metric 0;
>then {
>metric 3;
>}
> }
> term local_pref {
>then {
>local-preference 110;
>accept;
>}
> }
> term default {
>then reject;
> }
>
>
> Now I will start with no import policy on manhattan.
>
> Sending 3 routes I see this:
>
> tbo...@manhattan# run show route protocol bgp
>
> inet.0: 10 destinations, 13 routes (10 active, 0 holddown, 0 hidden)
> + = Active Route, - = Last Active, * = Both
>
> 60.60.60.1/32 [BGP/170] 00:17:08, MED 100, localpref 100
> AS path: I
>> to 50.50.50.1 via em0.0
> 60.60.60.2/32 [BGP/170] 00:17:07, MED 0, localpref 100
> AS path: I
>> to 50.50.50.1 via em0.0
> 60.60.60.3/32 [BGP/170] 00:00:06, MED 300, localpref 100
> AS path: I
>> to 50.50.50.1 via em0.0
>
> So now we want to turn on the import policy on manhattan, commit and see
> what happens.
>
> tbo...@manhattan# run show route protocol bgp
>
> inet.0: 10 destinations, 13 routes (10 active, 0 holddown, 0 hidden)
> + = Active Route, - = Last Active, * = Both
>
> 60.60.60.1/32 [BGP/170] 00:18:58, MED 100, localpref 110
> AS path: I
>> to 50.50.50.1 via em0.0
> 60.60.60.2/32 [BGP/170] 00:18:57, MED 3, localpref 110
> AS path: I
>> to 50.50.50.1 via em0.0
> 60.60.60.3/32 [BGP/170] 00:01:56, MED 300, localpref 110
> AS path: I
>> to 50.50.50.1 via em0.0
>
>
> This worked instantly without needing to clear the BGP session.
>
> If you turn on traceoptions on BGP you should see something like this ..
> which shows the new policy being evaluated and then route attributes
> changed:
>
> Jul 14 17:23:55.050048 peer 50.50.50.1 (test): Need to reevaluate import
> policy
> Jul 14 17:23:55.052131 task_timer_uset: timer BGP RT Background_BGP Route
> statistics timer set to interval 30 at 17:24:25
> Jul 14 17:23:55.052141 bgp_rt_update_med_igp_init: Deleting MED IGP update
> timer
> Jul 14 17:23:55.052147 group group test type Internal: export eval flag set
> (vpn nlri)
> Jul 14 17:23:55.052151 50.50.50.1 (Internal AS 1): import eval flag set
> (config change)
> Jul 14 17:23:55.052472 init bgp commit sync
>
> Jul 14 17:23:55.052495 bgp_rib_notify: freddy.inet.0 Add - exists
> Jul 14 17:23:55.052531 task_job_create_background: create prio 5 job BGP
> reconfig for task BGP.0.0.0.0+179
> Jul 14 17:23:55.061915 background dispatch running job BGP reconfig for
> task BGP.0.0.0.0+179
> Jul 14 17:23:55.062080 CHANGE 60.60.60.1/32 gw 50.50.50.1 BGP
> pref 170/-111 metric 100/0 as 1
> Jul 14 17:23:55.062106 CHANGE 60.60.60.2/32 gw 50.50.50.1 BGP
> pref 170/-111 metric 3/0 as 1
> Jul 14 17:23:55.062177 CHANGE 60.60.60.3/32 gw 50.50.50.1 BGP
> pref 170/-111 metric 300/0 as 1
>
> Not sure why it was necessary to hard clear the BGP session; does the
> upstream peer support BGP refresh?
>
>
> Kind regards,
> Truman Boyes
>
>
>
>
>
>
>
>
>
>
>
>
> On 13/07/2009, at 6:35 PM, Will Orton wrote:
>
> I have 2 POPs each with a connection to a common upstream. The upstream
>> is sending me MEDs, but lots of routes have (missing or 0) MEDs and I
>> want to reset those to a fixed value so I can tweak them later.
>>
>> So I have an import policy on each BGP session like so:
>>
>> term setall-meds {
>> from metric 0;
>> then {
>> metric 3;
>> }
>> }
>> term def {
>> then {
>> local-preference 110;
>> accept;
>> }
>> }
>> term rej {
>> then reject;
>> }
>>
>>
>> I apply this on both routers and get, for example:
>>
>> At POP A (M10i 9.3R1.7):
>> A DestinationP Prf Metric 1
Re: [j-nsp] bgp multipath confusion
r...@crs1.sc1> show isis route
IS-IS routing table Current version: L1: 0 L2: 599
IPv4/IPv6 Routes
Prefix L Version Metric Type InterfaceVia
10.0.0.4/30 2 599 20 int ge-1/0/1.0 edge2.xxx
ge-0/0/0.0 edge2.xxx
ge-0/0/1.0 edge1.xxx
ge-1/0/0.0 edge1.xxx
10.0.0.13/322 599 10 int ge-1/0/0.0 edge1.xxx
ge-0/0/1.0 edge1.xxx
10.0.0.14/322 599 10 int ge-0/0/0.0 edge2.xxx
ge-1/0/1.0 edge2.xxx
Yes, standard inet.0 routes.
On Jul 15, 2009, at 8:49 PM, Truman Boyes wrote:
The route reflectors are sending the "best" routes. Are there
different IGP costs between the 4 links? The routes will need to be
equal to have them all installed as equal. There is an option for
VPN routes to ignore the IGP metrics, but I assume these are
standard inet.0 routes.
Truman
On 15/07/2009, at 8:22 PM, Cord MacLeod wrote:
I guess I don't fully understand how this is supposed to work. I
have an ex4200 device with 4 links, 2 to each m7. Both m7s are
acting as route reflectors and advertising default to the ex4200.
The loopbacks are advertised with ISIS. However when I check BGP's
summery and my routing table, it seems multipath isn't working.
Any thoughts?
ex4200:
r...@crs1.xxx# show
type internal;
local-address 10.0.0.31;
export next-hop-self;
multipath;
neighbor 10.0.0.13 {
description "iBGP to edge1";
peer-as 64554;
}
neighbor 10.0.0.14 {
description "iBGP to edge2";
peer-as 64554;
Table Tot Paths Act Paths SuppressedHistory Damp
StatePending
inet.0 2 1 0 0
0 0
Peer AS InPkt OutPktOutQ Flaps
Last Up/Dwn State|#Active/Received/Accepted/Damped...
10.0.0.13 64554 30 28 0
3 12:03 0/1/1/0 0/0/0/0
10.0.0.14 64554 58 57 0
3 12:03 1/1/1/0 0/0/0/0
0.0.0.0/0 *[BGP/170] 00:12:36, MED 0, localpref 100, from
10.0.0.14
AS path: 3561 I
> to 10.0.0.69 via ge-0/0/1.0
to 10.0.0.49 via ge-1/0/0.0
[BGP/170] 00:12:36, MED 0, localpref 100, from
10.0.0.13
AS path: 3561 I
> to 10.0.0.69 via ge-0/0/1.0
to 10.0.0.49 via ge-1/0/0.0
.49 and .69 are both /30 link addresses on 10.0.0.13. So the 2
links in place on .14 aren't showing up.
Interface System L StateHold (secs) SNPA
ge-0/0/0.0edge2.xxx 2 Up 23
0:1f:12:d2:d0:db
ge-0/0/1.0edge1.xxx 2 Up 24
0:1f:12:d3:60:2
ge-1/0/0.0edge1.xxx 2 Up 25
0:1f:12:d3:60:db
ge-1/0/1.0edge2.xxx 2 Up 19
0:1f:12:d2:d0:2
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] bgp multipath confusion
The route reflectors are sending the "best" routes. Are there
different IGP costs between the 4 links? The routes will need to be
equal to have them all installed as equal. There is an option for VPN
routes to ignore the IGP metrics, but I assume these are standard inet.
0 routes.
Truman
On 15/07/2009, at 8:22 PM, Cord MacLeod wrote:
I guess I don't fully understand how this is supposed to work. I
have an ex4200 device with 4 links, 2 to each m7. Both m7s are
acting as route reflectors and advertising default to the ex4200.
The loopbacks are advertised with ISIS. However when I check BGP's
summery and my routing table, it seems multipath isn't working. Any
thoughts?
ex4200:
r...@crs1.sc1# show
type internal;
local-address 10.0.0.31;
export next-hop-self;
multipath;
neighbor 10.0.0.13 {
description "iBGP to edge1";
peer-as 64554;
}
neighbor 10.0.0.14 {
description "iBGP to edge2";
peer-as 64554;
Table Tot Paths Act Paths SuppressedHistory Damp
StatePending
inet.0 2 1 0 0
0 0
Peer AS InPkt OutPktOutQ Flaps
Last Up/Dwn State|#Active/Received/Accepted/Damped...
10.0.0.13 64554 30 28 0 3
12:03 0/1/1/0 0/0/0/0
10.0.0.14 64554 58 57 0 3
12:03 1/1/1/0 0/0/0/0
0.0.0.0/0 *[BGP/170] 00:12:36, MED 0, localpref 100, from
10.0.0.14
AS path: 3561 I
> to 10.0.0.69 via ge-0/0/1.0
to 10.0.0.49 via ge-1/0/0.0
[BGP/170] 00:12:36, MED 0, localpref 100, from
10.0.0.13
AS path: 3561 I
> to 10.0.0.69 via ge-0/0/1.0
to 10.0.0.49 via ge-1/0/0.0
.49 and .69 are both /30 link addresses on 10.0.0.13. So the 2
links in place on .14 aren't showing up.
Interface System L StateHold (secs) SNPA
ge-0/0/0.0edge2.xxx 2 Up 23
0:1f:12:d2:d0:db
ge-0/0/1.0edge1.xxx 2 Up 24
0:1f:12:d3:60:2
ge-1/0/0.0edge1.xxx 2 Up 25
0:1f:12:d3:60:db
ge-1/0/1.0edge2.xxx 2 Up 19
0:1f:12:d2:d0:2
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] bgp multipath confusion
I guess I don't fully understand how this is supposed to work. I have
an ex4200 device with 4 links, 2 to each m7. Both m7s are acting as
route reflectors and advertising default to the ex4200. The loopbacks
are advertised with ISIS. However when I check BGP's summery and my
routing table, it seems multipath isn't working. Any thoughts?
ex4200:
r...@crs1.sc1# show
type internal;
local-address 10.0.0.31;
export next-hop-self;
multipath;
neighbor 10.0.0.13 {
description "iBGP to edge1";
peer-as 64554;
}
neighbor 10.0.0.14 {
description "iBGP to edge2";
peer-as 64554;
Table Tot Paths Act Paths SuppressedHistory Damp
StatePending
inet.0 2 1 0 0
0 0
Peer AS InPkt OutPktOutQ Flaps Last
Up/Dwn State|#Active/Received/Accepted/Damped...
10.0.0.13 64554 30 28 0 3
12:03 0/1/1/0 0/0/0/0
10.0.0.14 64554 58 57 0 3
12:03 1/1/1/0 0/0/0/0
0.0.0.0/0 *[BGP/170] 00:12:36, MED 0, localpref 100, from
10.0.0.14
AS path: 3561 I
> to 10.0.0.69 via ge-0/0/1.0
to 10.0.0.49 via ge-1/0/0.0
[BGP/170] 00:12:36, MED 0, localpref 100, from
10.0.0.13
AS path: 3561 I
> to 10.0.0.69 via ge-0/0/1.0
to 10.0.0.49 via ge-1/0/0.0
.49 and .69 are both /30 link addresses on 10.0.0.13. So the 2 links
in place on .14 aren't showing up.
Interface System L StateHold (secs) SNPA
ge-0/0/0.0edge2.xxx 2 Up 23 0:1f:
12:d2:d0:db
ge-0/0/1.0edge1.xxx 2 Up 24 0:1f:
12:d3:60:2
ge-1/0/0.0edge1.xxx 2 Up 25 0:1f:
12:d3:60:db
ge-1/0/1.0edge2.xxx 2 Up 19 0:1f:
12:d2:d0:2
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] M7i and IEEE 802.1ag OAM Connectivity-Fault Management
>From another thread: 802.3ah is supported on all M-series. You're right about the platforms not supporting distributed ppmd. 802.1ag cannot be supported on ABC. The i-chip CFEB upgrade to m7i/m10i will support 802.1ag. Ananth -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Thiago Drechsel Sent: Wednesday, July 15, 2009 2:06 PM To: Juniper List Subject: [j-nsp] M7i and IEEE 802.1ag OAM Connectivity-Fault Management Hi. Does anybody know if M7i supports 802.1ag OAM?? I've gone through documentation and could not find clear information... Running JUNOS 9.0. Thanks in advance!! Thiago ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] M7i and IEEE 802.1ag OAM Connectivity-Fault Management
Hi. Does anybody know if M7i supports 802.1ag OAM?? I've gone through documentation and could not find clear information... Running JUNOS 9.0. Thanks in advance!! Thiago ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] ADSL PIM on J2350 uses >85% memory
Yeah it seems OK with 1GB in the box. How do they manage to make use so much RAM? My Linux box with 8 DSL ports does very well on 512MB :) -- Leigh Manu Chao wrote: sorry to tell you need a memory upgrade (512 is the minimum no?) On Wed, Jul 15, 2009 at 12:38 PM, Leigh Porter wrote: Hey folks, I have a J2350 running various versions of 9.x, when I put a ADSL2+ PIM into the chassis, the memory utilisation jumps to 85% from 0% with no ADSL PIM. With a simple config this jumps to 95% or so. When up the config to the desired 4 ADSl PIMs, the Gig-E interfaces sometimes vanish and usually I only see 3 DSL PIMs, even though a 'sh chassis hardware' declares they are all there. All the memory seems to be eaten up by fwdd. The box has 512Mb of RAM, more then enough for 4 DSL ports and a few routes. What's happening here? Is 9.x broken? Thanks, Leigh Porter UK Broadband ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] ADSL PIM on J2350 uses >85% memory
sorry to tell you need a memory upgrade (512 is the minimum no?) On Wed, Jul 15, 2009 at 12:38 PM, Leigh Porter wrote: > Hey folks, > > I have a J2350 running various versions of 9.x, when I put a ADSL2+ PIM > into the chassis, the memory utilisation jumps to 85% from 0% with no ADSL > PIM. With a simple config this jumps to 95% or so. When up the config to the > desired 4 ADSl PIMs, the Gig-E interfaces sometimes vanish and usually I > only see 3 DSL PIMs, even though a 'sh chassis hardware' declares they are > all there. All the memory seems to be eaten up by fwdd. > > The box has 512Mb of RAM, more then enough for 4 DSL ports and a few > routes. > > What's happening here? Is 9.x broken? > > > Thanks, > Leigh Porter > UK Broadband > > ___ > juniper-nsp mailing list juniper-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/juniper-nsp > ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] BGP import policy not refreshing properly
Hi,
I ran a quick test with 9.2R2.15 between two BGP peers and I see BGP
metric (MED) changes take effect immediately.
tbo...@brooklyn> show configuration protocols bgp
group test {
type internal;
local-address 50.50.50.1;
family inet {
unicast;
}
family inet-vpn {
unicast;
}
export static-export;
ipsec-sa bgp-secure;
multipath;
neighbor 50.50.50.254;
}
tbo...@manhattan> show configuration protocols bgp
group test {
type internal;
local-address 50.50.50.254;
import set-med;
family inet {
unicast;
}
family inet-vpn {
unicast;
}
ipsec-sa bgp-secure;
neighbor 50.50.50.1;
}
tbo...@manhattan> show configuration policy-options policy-statement
set-med
term 1 {
from metric 0;
then {
metric 3;
}
}
term local_pref {
then {
local-preference 110;
accept;
}
}
term default {
then reject;
}
Now I will start with no import policy on manhattan.
Sending 3 routes I see this:
tbo...@manhattan# run show route protocol bgp
inet.0: 10 destinations, 13 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
60.60.60.1/32 [BGP/170] 00:17:08, MED 100, localpref 100
AS path: I
> to 50.50.50.1 via em0.0
60.60.60.2/32 [BGP/170] 00:17:07, MED 0, localpref 100
AS path: I
> to 50.50.50.1 via em0.0
60.60.60.3/32 [BGP/170] 00:00:06, MED 300, localpref 100
AS path: I
> to 50.50.50.1 via em0.0
So now we want to turn on the import policy on manhattan, commit and
see what happens.
tbo...@manhattan# run show route protocol bgp
inet.0: 10 destinations, 13 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
60.60.60.1/32 [BGP/170] 00:18:58, MED 100, localpref 110
AS path: I
> to 50.50.50.1 via em0.0
60.60.60.2/32 [BGP/170] 00:18:57, MED 3, localpref 110
AS path: I
> to 50.50.50.1 via em0.0
60.60.60.3/32 [BGP/170] 00:01:56, MED 300, localpref 110
AS path: I
> to 50.50.50.1 via em0.0
This worked instantly without needing to clear the BGP session.
If you turn on traceoptions on BGP you should see something like
this .. which shows the new policy being evaluated and then route
attributes changed:
Jul 14 17:23:55.050048 peer 50.50.50.1 (test): Need to reevaluate
import policy
Jul 14 17:23:55.052131 task_timer_uset: timer BGP RT Background_BGP
Route statistics timer set to interval 30 at 17:24:25
Jul 14 17:23:55.052141 bgp_rt_update_med_igp_init: Deleting MED IGP
update timer
Jul 14 17:23:55.052147 group group test type Internal: export eval
flag set (vpn nlri)
Jul 14 17:23:55.052151 50.50.50.1 (Internal AS 1): import eval flag
set (config change)
Jul 14 17:23:55.052472 init bgp commit sync
Jul 14 17:23:55.052495 bgp_rib_notify: freddy.inet.0 Add - exists
Jul 14 17:23:55.052531 task_job_create_background: create prio 5 job
BGP reconfig for task BGP.0.0.0.0+179
Jul 14 17:23:55.061915 background dispatch running job BGP reconfig
for task BGP.0.0.0.0+179
Jul 14 17:23:55.062080 CHANGE 60.60.60.1/32 gw 50.50.50.1
BGP pref 170/-111 metric 100/0 as 1
Jul 14 17:23:55.062106 CHANGE 60.60.60.2/32 gw 50.50.50.1
BGP pref 170/-111 metric 3/0 as 1
Jul 14 17:23:55.062177 CHANGE 60.60.60.3/32 gw 50.50.50.1
BGP pref 170/-111 metric 300/0 as 1
Not sure why it was necessary to hard clear the BGP session; does the
upstream peer support BGP refresh?
Kind regards,
Truman Boyes
On 13/07/2009, at 6:35 PM, Will Orton wrote:
I have 2 POPs each with a connection to a common upstream. The
upstream
is sending me MEDs, but lots of routes have (missing or 0) MEDs and I
want to reset those to a fixed value so I can tweak them later.
So I have an import policy on each BGP session like so:
term setall-meds {
from metric 0;
then {
metric 3;
}
}
term def {
then {
local-preference 110;
accept;
}
}
term rej {
then reject;
}
I apply this on both routers and get, for example:
At POP A (M10i 9.3R1.7):
A DestinationP Prf Metric 1 Metric 2 Next hopAS
path
* 64.152.0.0/13 B 170110 0 >(TO POP B)
3356 I
B 170110 3 >(UPSTREAM AT A)
3356 I
At POP B (M10 9.3R3.8):
A DestinationP Prf Metric 1 Metric 2 Next hopAS
path
* 64.152.0.0/13 B 170110 0 >(UPSTREAM AT B)
3356 I
So the M10 at POP B doesn't appear to be applying the import policy
and
setting the MED to 3. POP A as a result picks the route through B.
(Yes, I waited more than the 15 minutes for POP B's CPU to go b
[j-nsp] ADSL PIM on J2350 uses >85% memory
Hey folks, I have a J2350 running various versions of 9.x, when I put a ADSL2+ PIM into the chassis, the memory utilisation jumps to 85% from 0% with no ADSL PIM. With a simple config this jumps to 95% or so. When up the config to the desired 4 ADSl PIMs, the Gig-E interfaces sometimes vanish and usually I only see 3 DSL PIMs, even though a 'sh chassis hardware' declares they are all there. All the memory seems to be eaten up by fwdd. The box has 512Mb of RAM, more then enough for 4 DSL ports and a few routes. What's happening here? Is 9.x broken? Thanks, Leigh Porter UK Broadband ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] How to upgrade junos 5.0.0r8.1
The bin file is within the ZIP. You will load the bin to the firewall. I would highly recommend against using anything but juniper.net to download your netscreen software. Never ever get your images from any where but directly from Juniper. The firewall images could contain back doors, root kits or other such harmful things when using an external source such as gegereka. -Tim Eberhard On Wed, Jul 15, 2009 at 3:48 AM, George wrote: > Hello again. > > Just to confirm the steps if they are correct: > 1. download the firmware I want to upgrade to ie 5.2.0r2.0 (Do i get the > zip file or the bin, or is the bin file contained in the zip file) > 2. From the Juniper GUI browse and load the Image to be upgraded. > 3. Once loaded reboot the juniper for the changes to take effect. > > Problem here again, I have been re-tryin to download the zip file from > www.gegereka.com even after getting the access code, what and where is the > easiet URL to download the update? > > Regards > George > > > > On Wed, 2009-07-15 at 09:29 +0300, George wrote: > > Thanks Guys, atleast that gives a success rate guarantee of around 90%, > better than some of those Vaccine drugs in the market. > > Cheerz > > On Mon, 2009-07-13 at 15:42 -0500, Tim Eberhard wrote: > > You configuration will remain after the upgrade/reboot. > > Downgrading is the same process as upgrading as long as you're going from > say 5.2 to 5.0. Just load the 5.0 image and reboot. The 5.0 image is blown > away when you load the newer screenOS. > > Good luck, > -Tim Eberhard > > On Mon, Jul 13, 2009 at 11:04 AM, George wrote: > > Thanks Guys, > > Sure I had planned to upgrade to above 5.2 , are these firmwares available > for download? > > So the next question is really about the configs, Once a reboot is done all > the previous setting take in effect, is that so? And for a rollback the do I > just scroll for the image? > > Regards > George > > > > > On Mon, 2009-07-13 at 17:39 +0300, Humair Ali wrote: > > Hi Georges > > Tim is absolutely correct, and since you are using the 2 netscreens as a > standalone, you are bound to have downtime. > > One other , I believe (needs to verify) you can't go straight from 5.0 to > 6.x, you need to upgrade through an intermediary such as 5.4 then upgrade > 6.x so that is added downtime since again code needs to be reloaded after > upgrade to 5.4 and then to 6.0 > > HTH > > > > 2009/7/13 Tim Eberhard > > George, > > It's not possible to preform any kind of hitless upgrade.. > > The Netscreen must reboot once the new code is loaded. So you must factor > in > the time it will take for the firewall to reload in addition to the hit it > will take when the wall comes back online and the traffic starts to flood > back. Depending on the size of your network/amount of VPN tunnels it could > take a couple of minutes for everything to ramp back up. > > Downgrading code is possible depending what code version you're going to. > It > can be a bit problematic if say you go to 6.X code from 5.0 but if you had > planned on going from 5.0 to 5.4 going back shouldn't be much of a problem. > > Good luck, > > -Tim Eberhard > > > > On Mon, Jul 13, 2009 at 7:12 AM, George wrote: > > > Sorry guys, > > > > The two firewalls are in completely two different networks and in no way > > work together. The reason I mentioned the two is because I tried the > > same VPN on the other Firewall with a higher firmware and it worked > > within minutes of set-up. So i really want to upgrade this firewall. > > > > Thanks > > George > > > > On Mon, 2009-07-13 at 17:17 +0500, mas...@nexlinx.net.pk wrote: > > > > > Are you using both of the firewalls as n active/active or > active/passive; > > > if yes thn you can try upgrading one of them while the other will take > > > care of your production services. > > > > > > Regards, > > > Masood > > > > > > > Hi there, > > > > > > > > I have two juniper netscreens one is Firmware 5.0.0r8.1 . Now I have > > > > encountered a problem when setting up a VPN on this one due to > firmware > > > > version thus I need to upgrade it. > > > > > > > > The question is how do I upgrade this firmware, challenge being that > it > > > > is running live services and if the upgrade fails how do I roll-back. > > > > Guess the thing is I have to be 100% sure the upgrade will not affect > > > > anything. > > > > > > > > Cheers. > > > > George > > > > ___ > > > > juniper-nsp mailing list juniper-nsp@puck.nether.net > > > > https://puck.nether.net/mailman/listinfo/juniper-nsp > > > > > > > > > > > > ___ > > juniper-nsp mailing list juniper-nsp@puck.nether.net > > https://puck.nether.net/mailman/listinfo/juniper-nsp > > > ___ > juniper-nsp mailing list juniper-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/juniper-nsp > > > > > ___ juniper-nsp mailing list jun
Re: [j-nsp] How to upgrade junos 5.0.0r8.1
Hello again. Just to confirm the steps if they are correct: 1. download the firmware I want to upgrade to ie 5.2.0r2.0 (Do i get the zip file or the bin, or is the bin file contained in the zip file) 2. From the Juniper GUI browse and load the Image to be upgraded. 3. Once loaded reboot the juniper for the changes to take effect. Problem here again, I have been re-tryin to download the zip file from www.gegereka.com even after getting the access code, what and where is the easiet URL to download the update? Regards George On Wed, 2009-07-15 at 09:29 +0300, George wrote: > Thanks Guys, atleast that gives a success rate guarantee of around > 90%, better than some of those Vaccine drugs in the market. > > Cheerz > > On Mon, 2009-07-13 at 15:42 -0500, Tim Eberhard wrote: > > > You configuration will remain after the upgrade/reboot. > > > > Downgrading is the same process as upgrading as long as you're going > > from say 5.2 to 5.0. Just load the 5.0 image and reboot. The 5.0 > > image is blown away when you load the newer screenOS. > > > > Good luck, > > -Tim Eberhard > > > > On Mon, Jul 13, 2009 at 11:04 AM, George > > wrote: > > > > Thanks Guys, > > > > Sure I had planned to upgrade to above 5.2 , are these > > firmwares available for download? > > > > So the next question is really about the configs, Once a > > reboot is done all the previous setting take in effect, is > > that so? And for a rollback the do I just scroll for the > > image? > > > > Regards > > George > > > > > > > > > > On Mon, 2009-07-13 at 17:39 +0300, Humair Ali wrote: > > > > > Hi Georges > > > > > > Tim is absolutely correct, and since you are using the 2 > > > netscreens as a standalone, you are bound to have > > > downtime. > > > > > > One other , I believe (needs to verify) you can't go > > > straight from 5.0 to 6.x, you need to upgrade through an > > > intermediary such as 5.4 then upgrade 6.x so that is added > > > downtime since again code needs to be reloaded after > > > upgrade to 5.4 and then to 6.0 > > > > > > HTH > > > > > > > > > > > > 2009/7/13 Tim Eberhard > > > > > > George, > > > > > > It's not possible to preform any kind of hitless > > > upgrade.. > > > > > > The Netscreen must reboot once the new code is > > > loaded. So you must factor in > > > the time it will take for the firewall to reload > > > in addition to the hit it > > > will take when the wall comes back online and the > > > traffic starts to flood > > > back. Depending on the size of your network/amount > > > of VPN tunnels it could > > > take a couple of minutes for everything to ramp > > > back up. > > > > > > Downgrading code is possible depending what code > > > version you're going to. It > > > can be a bit problematic if say you go to 6.X code > > > from 5.0 but if you had > > > planned on going from 5.0 to 5.4 going back > > > shouldn't be much of a problem. > > > > > > Good luck, > > > > > > -Tim Eberhard > > > > > > > > > > > > On Mon, Jul 13, 2009 at 7:12 AM, George > > > wrote: > > > > > > > Sorry guys, > > > > > > > > The two firewalls are in completely two > > > different networks and in no way > > > > work together. The reason I mentioned the two is > > > because I tried the > > > > same VPN on the other Firewall with a higher > > > firmware and it worked > > > > within minutes of set-up. So i really want to > > > upgrade this firewall. > > > > > > > > Thanks > > > > George > > > > > > > > On Mon, 2009-07-13 at 17:17 +0500, > > > mas...@nexlinx.net.pk wrote: > > > > > > > > > Are you using both of the firewalls as n > > > active/active or active/passive; > > > > > if yes thn you can try upgrading one of them > > > while the other will take > > > > > care of your production services. > > > > > > > > > > Regards, > > > > >
