Re: [j-nsp] EX 8200 deployment
On Wed, Mar 24, 2010 at 10:45:07PM -0700, Hoogen wrote:
> I think flash isn't going to be considered... It has finite erase/write cycles.. yeah but 8200 could have had more storage..

Erm... what do you think it uses currently, a 2GB hard drive? :)

--
Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX 8200 deployment
Flash gets a bad rap. I think most people have heard of supposed horror stories or they see the cycle limit and get wary. But I'm wondering... has anyone on this list actually had a personal flash horror story? I don't have one of my own, and I'm swimming in network devices (some quite old) that use them.

Dan Farrell
Applied Innovations Corp.
da...@appliedi.net

> On Wed, Mar 24, 2010 at 10:45:07PM -0700, Hoogen wrote:
>> I think flash isn't going to be considered... It has finite erase/write cycles.. yeah but 8200 could have had more storage..
>
> Erm... what do you think it uses currently, a 2GB hard drive? :)
Re: [j-nsp] EX 8200 deployment
Excerpts from Dan Farrell's message of Thu Mar 25 09:13:59 -0700 2010:
> Flash gets a bad rap. I think most people have heard of supposed horror stories or they see the cycle limit and get wary. But I'm wondering... has anyone on this list actually had a personal flash horror story? I don't have one of my own, and I'm swimming in network devices (some quite old) that use them.

I've definitely observed older multi-layer flash chips wearing out, but every modern (in the last several years) flash device I've run across implements some sort of damaged-cell management on the chip's controller. If you're careful about how you access the device (mounting filesystems with no atime, no heavy logging, etc.), I'm convinced that modern flash works just fine in an embedded application like this.

That being said, I think Richard is right regarding adding expandable flash. Flash is so cheap and constantly developing, it seems like a no-brainer to just eat the cost of adding a small controller-on-a-chip, some discrete components, and a CF slot to future-proof the storage.

In looking at the EX platforms though, this doesn't seem in line with Juniper's design goals (not that I actually know what they planned). It seems like most of the hardware ('cept the EX-8200) comes in a fixed configuration -- stuff that's just supposed to work, and not to worry the manuf. with compatibility concerns.

If you're feeling gutsy and want to void any warranties, you might try de-soldering and replacing the internal flash :)

Cheers,
jof
[j-nsp] LLDP between cisco and juniper
I have enabled LLDP between several MX240s (JUNOS 9.6R1.13 with DPCE-R-20GE-2XGE) and several Cisco 6506s. LLDP works fine in both directions for anything connected by a 10G interface. None of the MX240s sees the Cisco LLDP neighbor connected by a 1GE interface. However, the Ciscos see the MX240s. All I see are errors as below. Has anyone else had this problem?

    m...@mx240> show lldp statistics
    Interface  Received  Unknown TLVs  With Errors  Discarded TLVs  Transmitted  Untransmitted
    ge-2/0/0   0         0             43589        43589           43375        0
    ge-2/1/0   0         0             45611        45611           45386        0
    xe-2/2/0   43898     0             0            0               43900        572
    xe-2/3/0   45611     0             0            0               45386        0

Thanks,
Phil
Re: [j-nsp] LLDP between cisco and juniper
I've tested this with a 3750 in my lab connected to an MX480 and an EX4200. From what I remember it functions both ways. I used GigE. I will verify and get back to you. I am testing 9.6R3.8 on both Junipers and 12.2(50)SE3 on the 3750.

Im

--Original Message--
From: Philip Palanchi
Sender: juniper-nsp-boun...@puck.nether.net
To: juniper-nsp
Subject: [j-nsp] LLDP between cisco and juniper
Sent: Mar 25, 2010 12:50 PM

> I have enabled LLDP between several MX240s (JUNOS 9.6R1.13 with DPCE-R-20GE-2XGE) and several Cisco 6506s. LLDP works fine in both directions for anything connected by a 10G interface. None of the MX240s sees the Cisco LLDP neighbor connected by a 1GE interface. However, the Ciscos see the MX240s. All I see are errors as below. Has anyone else had this problem?
>
>     m...@mx240> show lldp statistics
>     Interface  Received  Unknown TLVs  With Errors  Discarded TLVs  Transmitted  Untransmitted
>     ge-2/0/0   0         0             43589        43589           43375        0
>     ge-2/1/0   0         0             45611        45611           45386        0
>     xe-2/2/0   43898     0             0            0               43900        572
>     xe-2/3/0   45611     0             0            0               45386        0
>
> Thanks,
> Phil

Sent via BlackBerry by ATT
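A parser for the `show lldp statistics` output Phil posted, added here as an example (not code from the thread or from Juniper): it turns the table into per-interface counters and flags interfaces whose inbound LLDPDUs are all counted as errors while nothing is received, which is the pattern on the two GE ports above. The sample text is constructed from the figures in the post.

```python
# Constructed sample of `show lldp statistics` output, using the four
# interfaces and counters quoted in the thread.
SAMPLE_LLDP_STATS = """\
Interface  Received  Unknown TLVs  With Errors  Discarded TLVs  Transmitted  Untransmitted
ge-2/0/0   0         0             43589        43589           43375        0
ge-2/1/0   0         0             45611        45611           45386        0
xe-2/2/0   43898     0             0            0               43900        572
xe-2/3/0   45611     0             0            0               45386        0
"""

# Column order of the table, after the interface name.
COLUMNS = ("received", "unknown_tlvs", "with_errors",
           "discarded_tlvs", "transmitted", "untransmitted")


def parse_lldp_statistics(text: str) -> dict:
    """Map interface name -> dict of the six counters.

    Header, blank and otherwise non-numeric lines are skipped, so the
    function can be fed the raw CLI output including the prompt line.
    """
    stats = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or not parts[1].isdigit():
            continue  # header row, prompt, or something that is not a data row
        stats[parts[0]] = dict(zip(COLUMNS, (int(p) for p in parts[1:])))
    return stats


def lldp_findings(stats: dict) -> dict:
    """Return interface -> list of reasons a neighbor could be missing.

    An interface that rejects every inbound LLDPDU as an error while its
    received counter stays at zero will never populate the neighbor table,
    even though the far side keeps transmitting (and sees us).
    """
    findings = {}
    for ifname, c in stats.items():
        reasons = []
        if c["with_errors"] and not c["received"]:
            reasons.append("all inbound LLDPDUs rejected as errors, none accepted")
        if c["discarded_tlvs"]:
            reasons.append(f"{c['discarded_tlvs']} TLVs discarded")
        if reasons:
            findings[ifname] = reasons
    return findings
```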
Re: [j-nsp] EX 8200 deployment
On 10-03-25 9:51 AM, Jonathan Lassoff j...@thejof.com wrote:
> Excerpts from Dan Farrell's message of Thu Mar 25 09:13:59 -0700 2010:
>> Flash gets a bad rap. I think most people have heard of supposed horror stories or they see the cycle limit and get wary. But I'm wondering... has anyone on this list actually had a personal flash horror story? I don't have one of my own, and I'm swimming in network devices (some quite old) that use them.
>
> ...
>
> In looking at the EX platforms though, this doesn't seem in line with Juniper's design goals (not that I actually know what they planned). It seems like most of the hardware ('cept the EX-8200) comes in a fixed configuration -- stuff that's just supposed to work, and not to worry the manuf. with compatibility concerns.

They do allow the mounting of a USB flash device. Of course, the usual admonishment about using Juniper USB devices applies, but you can mount a FAT32-formatted USB key:

* Enter the shell as root:

      u...@switch> start shell user root
      Password:
      r...@switch%

* Mount the USB device on /mnt:

      r...@switch% mount_msdosfs /dev/da1s1 /mnt

* Check the contents of the USB disk:

      r...@switch% ls /mnt
      juniper.conf.1.gz  juniper.conf.3.gz  rescue.conf.gz
      juniper.conf.2.gz  juniper.conf.gz

* Unmount the USB disk and then pull it out:

      u...@switch% umount /mnt

http://kb.juniper.net/KB12880
http://kb.juniper.net/KB12022

USB keys are cheap too - cheap enough to replace as part of yearly maintenance. As usual, YMMV - some USB keys are better than others, and I haven't tried any larger than 4G.

> If you're feeling gutsy and want to void any warranties, you might try de-soldering and replacing the internal flash :)

Heh. Sounds like fun - maybe with a unit once it gets older/off warranty/maintenance.

Take care
Brian Fitzgerald
Re: [j-nsp] EX Switches - Internet Exchange Points
Excerpts from Paul Stewart's message of Thu Mar 25 12:13:31 -0700 2010:
> I'm looking for feedback from folks on the list who are service providers and connect to peering exchange points (i.e. PAIX, Equinix, LINX etc). I'm looking for recommended configuration for layer 2 connectivity via an EX switch towards one of these exchange points - we have been doing it in Cisco so long that I'm missing some obvious config in the Junipers we just moved to ;)

AMS-IX has a nice guide and some useful suggestions over here: http://www.ams-ix.net/config-guide/#10

> The problem I'm facing is we're tripping the port security on the exchange switch:
>
>     Mar 24 15:36:52.773 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000b.45b6.f500 on port FastEthernet0/1.
>
> It is obviously seeing several MAC addresses and doesn't like this. So I'm trying to adapt a best practice here based on what other folks have encountered along the way, as we're trying our best to learn Juniper better ;)

Doh! If your platform supports it, implement a packet filter that blocks all traffic except for the single MAC that you think should be on that port.

Maybe IGMP is leaking out? Also, depending on your platform, tcpdump (probably not much help on an L2 switch configuration) or a passive tap could provide some indication as to what traffic is causing port security to trip on the far side.

Is 00:0b:45:b6:f5:00 the Ethernet MAC you expect to be seeing?

Cheers,
jof
Re: [j-nsp] EX Switches - Internet Exchange Points
Excerpts from Paul Stewart's message of Thu Mar 25 13:09:51 -0700 2010:
> Thanks very much for the reply... The AMS-IX guide I've been through, but their Juniper section isn't nearly as detailed as the Cisco side... good guide for sure. ;)
>
> The MAC shown in my example below is actually the correct MAC for the layer 3 facing interface ... so you're suggesting to create a filter to only allow that MAC to be 'sent out' to the peering switch? We never had to do this in the Cisco world using the configurations I sent in my original post, hence some of my confusion...

Indeed, Cisco is a big global player in the switching market, so many guides and much experience are with Cisco gear.

There's probably some other protocol running that's causing frames from other source MACs to be sent out of your port facing the peering switch, either from your Juniper or your Cisco interface. Maybe implement port security on your downstream interfaces that are on your peering VLAN/bridge. If you can track down that protocol and disable it on the interface in question, all the better.

I was suggesting an L2 filter since, if it's supported, it should give you the effect you want for the least amount of effort (no packet tracing, taps, etc.), but it comes at the cost of having to go back and change the filter if you want to change routers.

Cheers,
jof
Re: [j-nsp] EX Switches - Internet Exchange Points
Excerpts from Paul Stewart's message of Thu Mar 25 13:09:51 -0700 2010:
> Thanks very much for the reply... The AMS-IX guide I've been through, but their Juniper section isn't nearly as detailed as the Cisco side... good guide for sure. ;)
>
> The MAC shown in my example below is actually the correct MAC for the layer 3 facing interface ... so you're suggesting to create a filter to only allow that MAC to be 'sent out' to the peering switch? We never had to do this in the Cisco world using the configurations I sent in my original post, hence some of my confusion...

Ok, I checked this out on a spare EX-3200. Maybe some configuration like:

    firewall {
        family ethernet-switching {
            filter XXX-IX_Peering_Filter {
                term expected_mac_address {
                    from {
                        source-mac-address {
                            00:0b:45:b6:f5:00;
                        }
                    }
                    then accept;
                }
                term block {
                    then discard;
                }
            }
        }
    }
    interfaces {
        ge-x/x/x {
            unit 0 {
                family ethernet-switching {
                    filter {
                        output XXX-IX_Peering_Filter;
                    }
                }
            }
        }
    }

would accomplish what you want.

Cheers,
jof
Re: [j-nsp] EX Switches - Internet Exchange Points
Thanks again - we have some EX4200s in our lab currently so will test this out... again, appreciate the fast response times..;)

Paul

-----Original Message-----
From: Jonathan Lassoff [mailto:j...@thejof.com]
Sent: Thursday, March 25, 2010 4:39 PM
To: Paul Stewart
Cc: jnsp
Subject: RE: [j-nsp] EX Switches - Internet Exchange Points

> Excerpts from Paul Stewart's message of Thu Mar 25 13:09:51 -0700 2010:
>> Thanks very much for the reply... The AMS-IX guide I've been through, but their Juniper section isn't nearly as detailed as the Cisco side... good guide for sure. ;)
>>
>> The MAC shown in my example below is actually the correct MAC for the layer 3 facing interface ... so you're suggesting to create a filter to only allow that MAC to be 'sent out' to the peering switch? We never had to do this in the Cisco world using the configurations I sent in my original post, hence some of my confusion...
>
> Ok, I checked this out on a spare EX-3200. Maybe some configuration like:
>
>     firewall {
>         family ethernet-switching {
>             filter XXX-IX_Peering_Filter {
>                 term expected_mac_address {
>                     from {
>                         source-mac-address {
>                             00:0b:45:b6:f5:00;
>                         }
>                     }
>                     then accept;
>                 }
>                 term block {
>                     then discard;
>                 }
>             }
>         }
>     }
>     interfaces {
>         ge-x/x/x {
>             unit 0 {
>                 family ethernet-switching {
>                     filter {
>                         output XXX-IX_Peering_Filter;
>                     }
>                 }
>             }
>         }
>     }
>
> would accomplish what you want.
>
> Cheers,
> jof
Re: [j-nsp] EX 8200 deployment
Didn't word it right.. I meant shouldn't... I was taking an example from the SRX, where customers choose to log “session-init” and “session-close”; it could generate a high rate of IO activity to /var/log/rtlogd. Though it's not a problem logging all these, on a compact flash with a life cycle of about 100k it might become an issue very soon. Do note that this may affect only event-mode logs, not stream mode.

-Hoogen

On Wed, Mar 24, 2010 at 11:54 PM, Richard A Steenbergen r...@e-gerbil.net wrote:
> On Wed, Mar 24, 2010 at 10:45:07PM -0700, Hoogen wrote:
>> I think flash isn't going to be considered... It has finite erase/write cycles.. yeah but 8200 could have had more storage..
>
> Erm... what do you think it uses currently, a 2GB hard drive? :)
>
> --
> Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: [j-nsp] EX 8200 deployment
On Thu, Mar 25, 2010 at 09:13:59AM -0700, Dan Farrell wrote:
> Flash gets a bad rap. I think most people have heard of supposed horror stories or they see the cycle limit and get wary. But I'm wondering... has anyone on this list actually had a personal flash horror story? I don't have one of my own, and I'm swimming in network devices (some quite old) that use them.

I've seen dozens of old RE-2.0s with CFs that have died over time, but I'm 99% certain there was no effort made to do wear leveling or bad block detection and avoidance on those things. :) The irony is that they were really put in as backup because nobody trusted spinning media in a router, go figure.

--
Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: [j-nsp] EX 8200 deployment
On Thu, Mar 25, 2010 at 09:51:20AM -0700, Jonathan Lassoff wrote:
> In looking at the EX platforms though, this doesn't seem in line with Juniper's design goals (not that I actually know what they planned). It seems like most of the hardware ('cept the EX-8200) comes in a fixed configuration -- stuff that's just supposed to work, and not to worry the manuf. with compatibility concerns.
>
> If you're feeling gutsy and want to void any warranties, you might try de-soldering and replacing the internal flash :)

8200 is fixed configuration too.

    da0 at umass-sim0 bus 0 target 0 lun 0
    da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
    da0: 40.000MB/s transfers
    da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)

Same device as on EX3200/4200, just bigger. Looks to be an embedded USB-Flash controller with non-modular flash.

http://www.st.com/stonline/books/pdf/docs/12029.pdf

I've taken a soldering iron to many a router and switch in my day to correct design flaws, but I don't think that will work out here. Those 5mm USB flash units stuffed into the USB port on the front seem to be the best option for making something that at least won't get bumped or stolen in the datacenter, but I can't find them shipping yet either.

http://www.engadget.com/2009/06/24/buffalos-16gb-5mm-usb-thumbkey-its-really-small/

Then again, I have some promotional Cisco USB drives that might look good sticking out of the box like a giant wart too. :)

--
Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: [j-nsp] EX Switches - Internet Exchange Points
On Thu, Mar 25, 2010 at 03:13:31PM -0400, Paul Stewart wrote:
> The problem I'm facing is we're tripping the port security on the exchange switch:
>
>     Mar 24 15:36:52.773 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000b.45b6.f500 on port FastEthernet0/1.
>
> It is obviously seeing several MAC addresses and doesn't like this. So I'm trying to adapt a best practice here based on what other folks have encountered along the way, as we're trying our best to learn Juniper better ;)

The MAC address vendor database says 000b45 is Cisco, so either you have a misconfiguration or your Juniper is leaking something it shouldn't be, but at least it isn't generating something on its own. I'd recommend you track down that MAC address on your network and figure out how it is getting to the exchange, since if the Juniper is leaking things outside of its configured vlan it is a Big Problem (tm) which needs to be fixed.

--
Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
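The checks discussed in this sub-thread, as an added example (not code from the thread, from Cisco or from Juniper): it parses Cisco PORT_SECURITY violation lines like the one Paul quoted, normalizes the dotted MAC to the colon form used in jof's filter, extracts the OUI Richard looked up, and reports any MAC that tripped port security but is not on the per-port allowlist of expected router MACs. The sample syslog lines, the allowlist and the second MAC are constructed.

```python
import re

# Constructed sample syslog (Cisco IOS port-security format); the first line
# mirrors the one quoted in the thread, the second MAC is made up.
SAMPLE_SYSLOG = """\
Mar 24 15:36:52.773 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000b.45b6.f500 on port FastEthernet0/1.
Mar 24 15:37:10.101 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/1.
Mar 24 15:37:11.500 EDT: %SYS-5-CONFIG_I: Configured from console by admin
"""

# Per-port allowlist (constructed): the single router MAC that should ever be
# seen behind the exchange-facing port; the MAC itself is the one in the thread.
EXPECTED = {"FastEthernet0/1": {"00:0b:45:b6:f5:00"}}

VIOLATION_RE = re.compile(
    r"PSECURE_VIOLATION: .*caused by MAC address "
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
    r" on port (?P<port>\S+?)\.?\s*$"
)


def normalize_mac(mac: str) -> str:
    """Accept Cisco dotted, colon or hyphen notation; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui(mac: str) -> str:
    """First three octets, in the six-hex-digit form used for vendor lookups (000b45)."""
    return normalize_mac(mac).replace(":", "")[:6]


def parse_violations(text: str) -> list:
    """Return [(port, normalized_mac)] for every PSECURE_VIOLATION line, in order."""
    found = []
    for line in text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            found.append((m.group("port"), normalize_mac(m.group("mac"))))
    return found


def audit(text: str, expected: dict = EXPECTED) -> dict:
    """Map port -> sorted MACs that tripped port security but are not on its allowlist.

    A MAC that is on the allowlist is still a violation from the exchange
    switch's point of view (it was the second address learned), so the
    interesting output is the set of addresses that should never have left
    the port at all; those are the ones to hunt down or filter.
    """
    unexpected = {}
    for port, mac in parse_violations(text):
        if mac not in expected.get(port, set()):
            unexpected.setdefault(port, set()).add(mac)
    return {port: sorted(macs) for port, macs in unexpected.items()}
```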
Re: [j-nsp] EX Switches - Internet Exchange Points
Excerpts from Richard A Steenbergen's message of Thu Mar 25 16:52:15 -0700 2010:
> On Thu, Mar 25, 2010 at 03:13:31PM -0400, Paul Stewart wrote:
>> The problem I'm facing is we're tripping the port security on the exchange switch:
>>
>>     Mar 24 15:36:52.773 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000b.45b6.f500 on port FastEthernet0/1.
>>
>> It is obviously seeing several MAC addresses and doesn't like this. So I'm trying to adapt a best practice here based on what other folks have encountered along the way, as we're trying our best to learn Juniper better ;)
>
> The MAC address vendor database says 000b45 is Cisco, so either you have a misconfiguration or your Juniper is leaking something it shouldn't be, but at least it isn't generating something on its own. I'd recommend you track down that MAC address on your network and figure out how it is getting to the exchange, since if the Juniper is leaking things outside of its configured vlan it is a Big Problem (tm) which needs to be fixed.

From the original post, it sounds like Paul was using a Cisco as the router and just using his EX switch as an L2 device to connect the two, in which case the Cisco OUI seems expected.

--j
Re: [j-nsp] EX Switches - Internet Exchange Points
Thanks Richard... The MAC filtering idea proposed earlier by another friendly person was quite helpful and solved the issue. That Cisco MAC is actually what we wanted to see; however, other MACs were showing up from the intermediary switches along the path (Cisco 7600 - EX4200 - EX4200 - EX4200 in this particular case).

Solved now thankfully - we like to be friendly to our peers at exchange points and I was getting worried ;)

Take care,
Paul

-----Original Message-----
From: Richard A Steenbergen [mailto:r...@e-gerbil.net]
Sent: March-25-10 7:52 PM
To: Paul Stewart
Cc: 'jnsp'
Subject: Re: [j-nsp] EX Switches - Internet Exchange Points

> On Thu, Mar 25, 2010 at 03:13:31PM -0400, Paul Stewart wrote:
>> The problem I'm facing is we're tripping the port security on the exchange switch:
>>
>>     Mar 24 15:36:52.773 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000b.45b6.f500 on port FastEthernet0/1.
>>
>> It is obviously seeing several MAC addresses and doesn't like this. So I'm trying to adapt a best practice here based on what other folks have encountered along the way, as we're trying our best to learn Juniper better ;)
>
> The MAC address vendor database says 000b45 is Cisco, so either you have a misconfiguration or your Juniper is leaking something it shouldn't be, but at least it isn't generating something on its own. I'd recommend you track down that MAC address on your network and figure out how it is getting to the exchange, since if the Juniper is leaking things outside of its configured vlan it is a Big Problem (tm) which needs to be fixed.
>
> --
> Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: [j-nsp] EX Switches - Internet Exchange Points
On Thu, Mar 25, 2010 at 08:01:36PM -0400, Paul Stewart wrote:
> Thanks Richard... The MAC filtering idea proposed earlier by another friendly person was quite helpful and solved the issue. That Cisco MAC is actually what we wanted to see; however, other MACs were showing up from the intermediary switches along the path (Cisco 7600 - EX4200 - EX4200 - EX4200 in this particular case).
>
> Solved now thankfully - we like to be friendly to our peers at exchange points and I was getting worried ;)

What were the other MACs that you didn't want leaked? The MAC filter is a fine workaround, but if your EX's are leaking things they shouldn't be I'd like to see that get addressed too. :)

--
Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)