[j-nsp] JunOS versions, MX and lots of policers
I'm currently policing two /16s of ip space with a pair of MX960s. It has My policer config was originally written for a M20. Here's an example of one of my policers: (real ips are used)

term 10.0.0.0 {
    from {
        address {
            10.0.0.0/26;
        }
    }
    then prefix-action 15MInbound;
}

prefix-action 15MOutbound {
    policer 15MPolicer;
    count;
    subnet-prefix-length 24;
    source-prefix-length 32;
}

and the policer it references:

if-exceeding {
    bandwidth-limit 15m;
    burst-size-limit 150;
}
then discard;

This behaves pretty well, but requires that the policer be applied on every /24 that I want. With two /16s and some /26s in there, this makes for a pretty long config.

I'm curious if anyone has examples of better configs than the JunOS docs. The policer we have now is very close to the examples online. I'd rather set some larger overall policers, then set exceptions for certain subnets - data center, etc. I'm pretty sure I'm only limited by the maximum number of policers that can be created per instance.

Next question: I have issues when changing policers with my current code - I have to disable them, change them, then re-enable them to make changes take effect. Anyone else seen this? Will force reload deal with this?

Finally, is anyone running version 10 code on their production MXs? How's it doing?

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] maximum number of rvi's on ex series?
On Fri, Feb 12, 2010 at 07:51:53AM -0800, Dan Farrell wrote:
> Are there any hard limits that anyone knows of? We use the 3200's
> and 4200's, and on the 4200's we're literally putting on hundreds of
> rvi's (eventually a couple thousand).

I've been told that the only limitation is the FIB size, or every VLAN (since the EX doesn't support multiple bridge domains).

In practice, if you're doing that, it implies you might have a large L2 config. We have hit a number of bugs related to the CPU time it takes to commit a large L2 config. Turns out that can spin enough to interfere with periodic packet processing.

So - it should absolutely work. You definitely want to be running 9.6R3 as it has a fix for a potentially serious scheduling bug related to large layer 2 configs. It's been decided that this fix will NOT be backported to 9.3.

Ross

--
Ross Vandegrift
r...@kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher."
    --Woody Guthrie
Re: [j-nsp] LAG Problem Cisco/Juniper
Hi Paul,

You may need to add the following to the main config stanza:

chassis {
    aggregated-devices {
        ethernet {
            device-count 1; /* Or as many groups as you need */
        }
    }
}

main config stanza:

vlans {
    SOME-VLAN {
        vlan-id 700;
        interface {
            ae0.0;
        }
    }
}

interfaces stanza:

ae0 {
    aggregated-ether-options {
        no-flow-control;
        minimum-links 1;
        link-speed 1g;
        lacp {
            active; /* I suggest active lacp discussions */
        }
    }
    unit 0 {
        family ethernet-switching {
            port-mode access;
        }
    }
}

- Chris.

On 2010-02-12, at 10:11 AM, Paul Stewart wrote:

> Hey folks.
>
> I'm cross posting this so apologies if you are on both lists.
>
> Trying to get a LAG group up between a Juniper EX4200 switch and a Cisco
> 7606 using a pair of GigE's - rush job etc.. can't get the group to come up
> and missing something obvious ;)
Re: [j-nsp] [c-nsp] LAG Problem Cisco/Juniper
I'm not an expert on this subject, but I do notice you don't have a 'chassis' stanza. Also, each physical interface should probably have the speed forced as well. The following works for my LAGs. Obviously, I'm using port-mode trunk on mine

chassis {
    aggregated-devices {
        ethernet {
            device-count 2;
        }
    }
}

ge-0/0/46 {
    ether-options {
        speed {
            1g;
        }
        802.3ad ae0;
    }
}

ge-0/0/47 {
    ether-options {
        speed {
            1g;
        }
        802.3ad ae0;
    }
}

ae0 {
    aggregated-ether-options {
        lacp {
            active;
        }
    }
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members all;
            }
            native-vlan-id 1;
        }
    }
}

-b

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Paul Stewart
Sent: Friday, February 12, 2010 9:12 AM
To: cisco-...@puck.nether.net
Cc: juniper-nsp@puck.nether.net
Subject: [c-nsp] LAG Problem Cisco/Juniper

Hey folks.

I'm cross posting this so apologies if you are on both lists.

Trying to get a LAG group up between a Juniper EX4200 switch and a Cisco 7606 using a pair of GigE's - rush job etc.. can't get the group to come up and missing something obvious ;)

Cisco:

interface GigabitEthernet3/25
 description --
 switchport
 switchport access vlan 56
 switchport mode access
 no cdp enable
 channel-protocol lacp
 channel-group 2 mode active

interface GigabitEthernet3/37
 description --
 switchport
 switchport access vlan 56
 switchport mode access
 no cdp enable
 channel-protocol lacp
 channel-group 2 mode active

interface Port-channel2
 description --
 switchport
 switchport access vlan 56
 switchport mode access
end

Juniper Side:

ge-0/0/35 {
    description x-1;
    ether-options {
        802.3ad ae0;
    }
}

ge-0/0/47 {
    description xx-2;
    ether-options {
        802.3ad ae0;
    }
}

ae0 {
    aggregated-ether-options {
        minimum-links 1;
        link-speed 1g;
        lacp {
            passive;
        }
    }
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members xx;
            }
        }
    }
}

___
cisco-nsp mailing list cisco-...@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [j-nsp] LAG Problem Cisco/Juniper
Do you need a device count configured on the EX like on M/T? For example:

set chassis aggregated-devices ethernet device-count 2

On Fri, Feb 12, 2010 at 6:11 PM, Paul Stewart wrote:

> Hey folks.
>
> I'm cross posting this so apologies if you are on both lists.
>
> Trying to get a LAG group up between a Juniper EX4200 switch and a Cisco
> 7606 using a pair of GigE's - rush job etc.. can't get the group to come up
> and missing something obvious ;)
>
> Cisco:
>
> interface GigabitEthernet3/25
>  description --
>  switchport
>  switchport access vlan 56
>  switchport mode access
>  no cdp enable
>  channel-protocol lacp
>  channel-group 2 mode active
>
> interface GigabitEthernet3/37
>  description --
>  switchport
>  switchport access vlan 56
>  switchport mode access
>  no cdp enable
>  channel-protocol lacp
>  channel-group 2 mode active
>
> interface Port-channel2
>  description --
>  switchport
>  switchport access vlan 56
>  switchport mode access
> end
>
> Juniper Side:
>
> ge-0/0/35 {
>     description x-1;
>     ether-options {
>         802.3ad ae0;
>     }
> }
>
> ge-0/0/47 {
>     description xx-2;
>     ether-options {
>         802.3ad ae0;
>     }
> }
>
> ae0 {
>     aggregated-ether-options {
>         minimum-links 1;
>         link-speed 1g;
>         lacp {
>             passive;
>         }
>     }
>     unit 0 {
>         family ethernet-switching {
>             port-mode access;
>             vlan {
>                 members xx;
>             }
>         }
>     }
> }

--
Phill Jolliffe
[j-nsp] LAG Problem Cisco/Juniper
Hey folks.

I'm cross posting this so apologies if you are on both lists.

Trying to get a LAG group up between a Juniper EX4200 switch and a Cisco 7606 using a pair of GigE's - rush job etc.. can't get the group to come up and missing something obvious ;)

Cisco:

interface GigabitEthernet3/25
 description --
 switchport
 switchport access vlan 56
 switchport mode access
 no cdp enable
 channel-protocol lacp
 channel-group 2 mode active

interface GigabitEthernet3/37
 description --
 switchport
 switchport access vlan 56
 switchport mode access
 no cdp enable
 channel-protocol lacp
 channel-group 2 mode active

interface Port-channel2
 description --
 switchport
 switchport access vlan 56
 switchport mode access
end

Juniper Side:

ge-0/0/35 {
    description x-1;
    ether-options {
        802.3ad ae0;
    }
}

ge-0/0/47 {
    description xx-2;
    ether-options {
        802.3ad ae0;
    }
}

ae0 {
    aggregated-ether-options {
        minimum-links 1;
        link-speed 1g;
        lacp {
            passive;
        }
    }
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members xx;
            }
        }
    }
}
Re: [j-nsp] Policer burst-size-limit, can someone please explain?
Thanks, I am still stumped on the effect (or seeming lack thereof) of burst-size-limit given the fact that the same amount of packets is always getting through the policer on a burst, despite changing this value.

-J Scott

On Fri, Feb 12, 2010 at 7:48 AM, Phill Jolliffe wrote:

> This link claims all L2 header is counted. But as best I remember frames
> FCS is stripped and regen'd by each PE.
>
> http://www.juniper.net/techpubs/software/junos/junos95/swconfig-vpns/id-11513841.html#id-11525104
>
> Not found a mention of IFG.
>
> On Thu, Feb 11, 2010 at 10:47 PM, Judah Scott wrote:
>
>> Is there a document that can explain the attached code block for us? In
>> case the screen shot isn't clear, I am basically just sending a single-shot
>> of traffic (the packets are sent over 1 second) with, or without, a baseline
>> constant traffic which is below the policed rate.
>>
>> Questions I have are:
>> Does "bandwidth-limit" include Inter-frame Gap? Does it include L2 header?
>> What does the "burst-size-limit" (MBS) actually do because looking at my
>> attached gif it doesn't seem to have any effect on bursts. No matter what I
>> set the MBS to I lose packets (not shown but the results are identical for
>> 100g MBS as the rest of the lines in the file).
>
> --
> Phill Jolliffe
[j-nsp] SMB bus collision
Hi there,

today I had the following messages on a M20 with RE-3.0 and JunOS 8.5S5

Feb 12 07:53:35 /kernel: SMB bus collision (bus_addr 0x21, index 0x1)
Feb 12 07:53:35 /kernel: SMB bus collision (bus_addr 0x21, index 0x1)
Feb 12 07:53:36 /kernel: SMB busy timeout
Feb 12 07:53:36 /kernel: Attempting SMB bus recovery
Feb 12 07:53:36 /kernel: SMB failed transaction (bus_addr 0x21, index 0x1)
Feb 12 07:53:36 /kernel: Successfully completed SMB read after bus recovery

I have no idea what is causing this error. Hardware? Software? Anything to worry?

Regards,
Joerg
[j-nsp] Juniper-Cisco interco issue with speed nonegotiate
Hi everyone,

Sorry if this is trivial for most of you but I'm a beginner with Juniper devices, so here is my issue:

I have to interconnect my router J4350 (9.1R1.8) with a Cisco 7600 (another ISP). The link between them is an optical fibre link (1000Base-SX). The Cisco interface is configured with nonegotiate speed and flow-control off. On my Juniper I can only set the speed to 1g, link-mode full-duplex and disable auto-negotiation.

The weird thing is that on the Cisco the port goes UP/UP but on my Juniper the port stays UP/DOWN. But if the Cisco port is configured in autonegotiation both ports go UP/UP. Unfortunately I have to find a way to configure the Juniper and leave the Cisco config in nonegotiate.

On the Cisco that I don't manage the configuration is

interface GigabitEthernet9/9
 ip address x.x.x.109 255.255.255.252
 no ip redirects
 no ip proxy-arp
 carrier-delay 2
 speed nonegotiate
 flowcontrol send off
 storm-control broadcast level 1.00
 no cdp enable
end

On the Juniper:

interfaces ge-1/0/4
speed 1g;
link-mode full-duplex;
gigether-options {
    no-auto-negotiation;
}
unit 0 {
    family inet {
        address x.x.x.110/30;
    }
}

Thanks for the help
[j-nsp] maximum number of rvi's on ex series?
Are there any hard limits that anyone knows of? We use the 3200's and 4200's, and on the 4200's we're literally putting on hundreds of rvi's (eventually a couple thousand).

Thanks,

Dan Farrell
Director of Network Operations
Applied Innovations Corp.
da...@appliedi.net
Re: [j-nsp] Policer burst-size-limit, can someone please explain?
This link claims all L2 header is counted. But as best I remember frames FCS is stripped and regen'd by each PE.

http://www.juniper.net/techpubs/software/junos/junos95/swconfig-vpns/id-11513841.html#id-11525104

Not found a mention of IFG.

On Thu, Feb 11, 2010 at 10:47 PM, Judah Scott wrote:

> Is there a document that can explain the attached code block for us? In
> case the screen shot isn't clear, I am basically just sending a single-shot
> of traffic (the packets are sent over 1 second) with, or without, a baseline
> constant traffic which is below the policed rate.
>
> Questions I have are:
> Does "bandwidth-limit" include Inter-frame Gap? Does it include L2 header?
> What does the "burst-size-limit" (MBS) actually do because looking at my
> attached gif it doesn't seem to have any effect on bursts. No matter what I
> set the MBS to I lose packets (not shown but the results are identical for
> 100g MBS as the rest of the lines in the file).

--
Phill Jolliffe
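Added example, not part of the thread: a textbook token-bucket model of a single-rate policer, with the fill rate standing in for bandwidth-limit and the bucket depth for burst-size-limit, run against a one-second single-shot burst like the one described in this thread. The 15 Mbps rate, packet size and packet count are constructed values, and the token-bucket behaviour is an assumption of the model, not a statement about any particular Junos release or hardware.

```python
"""Single-rate token bucket used as a model of a two-color policer.

Assumption (not taken from the thread): the policer behaves like a textbook
token bucket whose fill rate is bandwidth-limit and whose depth is
burst-size-limit. All traffic values below are constructed.
"""

US_PER_S = 1_000_000  # time is kept in integer microseconds to avoid float drift


class TokenBucketPolicer:
    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps = rate_bps                   # stands in for bandwidth-limit
        self.depth = burst_bytes * 8 * US_PER_S    # burst-size-limit, in bit-microseconds
        self.tokens = self.depth                   # idle policer: bucket starts full
        self.last_us = 0

    def offer(self, t_us, size_bytes):
        """Return True if the packet conforms (forwarded), False if discarded."""
        refill = (t_us - self.last_us) * self.rate_bps
        self.tokens = min(self.depth, self.tokens + refill)
        self.last_us = t_us
        cost = size_bytes * 8 * US_PER_S
        if cost <= self.tokens:
            self.tokens -= cost
            return True
        return False        # "then discard": a dropped packet consumes no tokens


def single_shot(rate_bps, burst_bytes, n_pkts, pkt_bytes, duration_us):
    """Send n_pkts evenly spaced over duration_us; return (forwarded, first_dropped_index)."""
    policer = TokenBucketPolicer(rate_bps, burst_bytes)
    forwarded, first_drop = 0, None
    for i in range(n_pkts):
        t_us = i * duration_us // n_pkts
        if policer.offer(t_us, pkt_bytes):
            forwarded += 1
        elif first_drop is None:
            first_drop = i
    return forwarded, first_drop


if __name__ == "__main__":
    # Constructed test: 2500 x 1500-byte packets in one second (30 Mbps offered)
    # against a 15 Mbps policer, repeated for several bucket depths.
    for burst in (1_500, 15_000, 150_000, 3_750_000):
        fwd, first = single_shot(15_000_000, burst, 2500, 1500, US_PER_S)
        print(f"burst-size {burst:>9} B: forwarded {fwd:4d}/2500, first drop at packet {first}")
```

In this model the rate fixes the bulk of what a one-second burst gets through (1250 of 2500 packets here), and the bucket depth only decides how many extra packets pass before the first drop. Nothing is dropped only once the depth covers the whole excess over the policed rate.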
[j-nsp] Diagnostic Optics MIB support
Hello,

I'm looking for JunOS MIBs giving access to diagnostic optics information, basically what you see issuing the CLI command

show interfaces diagnostics optics

Physical interface: so-0/0/0
    Laser bias current : 21.392 mA
    Laser output power : 0.2970 mW / -5.27 dBm
    Module temperature : 46 degrees C / 115 degrees F
    Module voltage : 3.2020 V
    Receiver signal average optical power : 0.0195 mW / -17.10 dBm
    Laser bias current high alarm : Off
    Laser bias current low alarm : Off
    Laser bias current high warning : Off
    Laser bias current low warning : Off
    Laser output power high alarm : Off
    Laser output power low alarm : Off
    Laser output power high warning : Off
    Laser output power low warning : Off
    Module temperature high alarm : Off
    Module temperature low alarm : Off
    Module temperature high warning : Off
    Module temperature low warning : Off
    Module voltage high alarm : Off
    Module voltage low alarm : Off
    Module voltage high warning : Off
    Module voltage low warning : Off
    Laser rx power high alarm : Off
    Laser rx power low alarm : Off
    Laser rx power high warning : Off
    Laser rx power low warning : Off
    Laser bias current high alarm threshold : 80.000 mA
    Laser bias current low alarm threshold : 2.000 mA
    Laser bias current high warning threshold : 70.000 mA
    Laser bias current low warning threshold : 4.000 mA
    Laser output power high alarm threshold : 1.2590 mW / 1.00 dBm
    Laser output power low alarm threshold : 0.0440 mW / -13.57 dBm
    Laser output power high warning threshold : 0.7940 mW / -1.00 dBm
    Laser output power low warning threshold : 0.0700 mW / -11.55 dBm
    Module temperature high alarm threshold : 110 degrees C / 230 degrees F
    Module temperature low alarm threshold : -40 degrees C / -40 degrees F
    Module temperature high warning threshold : 93 degrees C / 199 degrees F
    Module temperature low warning threshold : -30 degrees C / -22 degrees F
    Module voltage high alarm threshold : 3.900 V
    Module voltage low alarm threshold : 2.700 V
    Module voltage high warning threshold : 3.700 V
    Module voltage low warning threshold : 2.900 V
    Laser rx power high alarm threshold : 1.1748 mW / 0.70 dBm
    Laser rx power low alarm threshold : 0.0039 mW / -24.09 dBm
    Laser rx power high warning threshold : 0.7942 mW / -1.00 dBm
    Laser rx power low warning threshold : 0.0100 mW / -20.00 dBm

Does anybody know if the MIBs exist? I couldn't find anything on juniper tech docs.

Thanks,
Alessandro
Re: [j-nsp] ex-series and RSPAN ?
On Thu, Feb 11, 2010 at 09:18:48PM +0300, Cyrill Malevanov wrote:
> 9.5R3
>
> ethernet-switching-options {
>     analyzer sorm {
>         output {
>             interface {
>                 ge-2/0/7.0;
>             }
>         }
>     }
> }
>
> it works

You configured local span-port, and this works for me too. In my case, I'm trying to configure remote span, with output set to vlan:

s...@us-smf-csw02> show configuration ethernet-switching-options analyzer Analyzer2
loss-priority high;
input {
    ingress {
        interface ge-0/0/12.0;
        interface ge-0/0/13.0;
        interface ge-0/0/14.0;
        interface ge-0/0/16.0;
        interface ge-0/0/17.0;
        interface ge-0/0/19.0;
    }
}
output {
    vlan {
        Analyzer2;
    }
}

And it seems that my problem may be related to the fact that this vlan exits this switch and enters next one via aggregated ethernet:

s...@us-smf-csw02> show vlans Analyzer2 extensive
VLAN: Analyzer2, Created at: Fri Feb 12 02:46:45 2010
802.1Q Tag: 999, Internal index: 18, Admin State: Enabled, Origin: Static
Protocol: Port Mode
Number of interfaces: Tagged 1 (Active = 1), Untagged 0 (Active = 0)
      ae2.0*, tagged, trunk

Will check next week.
Re: [j-nsp] Route-leaking between a virtual-router instance and VRF instance
Hello Andy,

I think that exporting these prefixes leaked from virtual-router instance to VRFX instance to BGP does not accomplish the desired result because I want to convert those prefixes to MPBGP VPNV4 prefixes. I do not run any protocol in VRFX instance as the common situation in order to use vrf-export/import policies. The problem is that I have the prefixes leaked into VRFX seen as :

VRFX.inet.0: 29 destinations, 29 routes (29 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

5.5.5.5/32         *[OSPF/10] 00:36:40, metric 1
                    > to 150.1.25.5 via em2.0
10.210.192.0/20    *[OSPF/10] 00:36:40, metric 1
                    > to 150.1.25.5 via em2.0
10.210.192.5/32    *[OSPF/10] 00:36:40, metric 1
                    > to 150.1.25.5 via em2.0

but I can't export them as MPBGP VPNV4 prefixes. If I use the ospf-to-bgp export policy on BGP, I only export into BGP prefixes from inet.0 I think. I think that the ospf-to-bgp export policy will not accomplish the goal.

Thank you,
John

On Thu, Feb 11, 2010 at 10:42 PM, Andy Vance wrote:

> Ioan,
>
> I think the issue here is that the OSPF routes you have in that VRF are not
> being injected into BGP anywhere, even though we attempted to do that,
> possibly we're the area statement? I'm not running OSPF anywhere so
> my configs/experience don't help me answer that piece
>
> see
>
> http://www-jnet.juniper.net/techpubs/software/junos/junos92/swconfig-policy/example-redistributing-ospf-routes-into-bgp.html
>
> Since they aren't advertised, it makes me think that BGP doesn't know to
> advertise those routes.
>
> Cheers,
> Andy
>
> --
> *From:* Ioan Branet [mailto:ioan.bra...@gmail.com]
> *Sent:* Thursday, February 11, 2010 10:46 AM
> *To:* Andy Vance
> *Cc:* juniper-nsp@puck.nether.net
> *Subject:* Re: [j-nsp] Route-leaking between a virtual-router instance and
> VRF instance
>
> Hello Andy and thank you for your reply.
>
> I used the solution without
> vrf-import VRFX_IMPORT;
> vrf-export VRFX_EXPORT;
>
> but with the same result, the routes leaked from virtual-router instance to
> VRFX vrf instance do not propagate to other PE.
>
> I used also the same policies for export and import but I forgot to paste
> it in mail.
> Maybe the vrf-export won't work with those prefixes leaked from
> virtual-router instance, because if I add an interface to vrf instance VRFX
> and configure OSPF in VRF routing-instance, the prefixes are exported to
> other PE.
>
> Has anyone tried this kind of solution?
>
> Thank you,
> John
>
> On Thu, Feb 11, 2010 at 7:02 PM, Andy Vance wrote:
>
>> If I'm not mistaken,
>>
>> vrf-import VRFX_IMPORT;
>> vrf-export VRFX_EXPORT;
>> vrf-target {
>>     import target:1:1;
>>     export target:1:1;
>> }
>>
>> isn't going to accomplish what you're trying to do here. vrf-target
>> commands allow you to import/export routes without as many policy hooks but
>> used together like this, I believe vrf-import/vrf-export is overriding the
>> vrf-target commands. As well, I didn't see any policy-options config for the
>> VRFX_IMPORT or VRFX_EXPORT policy you're calling. I assume this policy config
>> would allow your routes to be exported:
>>
>> edit policy-options
>>
>> policy-statement VRFX_EXPORT {
>>     term out {
>>         from protocol ospf;
>>         then {
>>             community add VRFX;
>>             accept;
>>         }
>>     }
>>     term reject {
>>         then reject;
>>     }
>> }
>>
>> and this would allow your routes to be imported on R3
>>
>> policy-statement VRFX_IMPORT {
>>     term import {
>>         from {
>>             protocol bgp;
>>             community VRFX;
>>         }
>>         then accept;
>>     }
>>     term reject {
>>         then reject;
>>     }
>> }
>>
>> Cheers,
>> Andy Vance
>> Sr. Network Engineer
>> Speakeasy
>> Direct > 206.971.5144 * Fax > 206.728.1500
>> Email > ava...@hq.speakeasy.net * Web > www.speakeasy.net
>>
>> Voice * Data * Managed Services
>>
>> -----Original Message-----
>> From: juniper-nsp-boun...@puck.nether.net [mailto:
>> juniper-nsp-boun...@puck.nether.net] On Behalf Of Ioan Branet
>> Sent: Thursday, February 11, 2010 8:38 AM
>> To: juniper-nsp@puck.nether.net
>> Subject: [j-nsp] Route-leaking between a virtual-router instance and VRF
>> instance
>>
>> Hello Group,
>>
>> I have the following setup:
>>
>> R3(PE VRF X)R1---R2(PE VRF X)R5 (CE )
>>
>> On R2 on the interface connecting to R5 I have a virtual-router instance
>> and run OSPF with R5 in this instance and also a VRF X instance.
>>
>> I use rib-groups to leak the prefixes from virtual-router instance to VRF
>> X instance, but when I want to export these prefixes to R3 it seems that I
>> can't do that, nothing is exported.
>> I see the prefixes in VRFX.inet.0 from R5 but there are no VPNV4 prefixes
>> advertised to R3 PE.
>> Is there any possibility to make this leaki