Re: [j-nsp] How to configure shaping or rate limit in EX4200

2010-07-15 Thread Truman Boyes

Below are details that talk about rate-limiting on RVI interfaces: 
http://kb.juniper.net/index?page=content&id=KB14250&cat=FIREWALL&actp=LIST

This KB talks about port filters as well:
http://kb.juniper.net/index?page=content&id=KB10968&cat=JUNOS_EX&actp=LIST

Cheers,
Truman
On 15/07/2010, at 9:37 AM, luis barrios wrote:

 Hello,
 Does anybody know how to configure shaping on one port of a Juniper EX4200?
 I need to configure a shaper or rate-limit on one physical port, but it's not
 exactly the same as on a Juniper router.
 
 
 Thanks,
 Luis
 ___
 juniper-nsp mailing list juniper-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/juniper-nsp
 




[j-nsp] MS-DPC and netflow.

2010-07-15 Thread Peter Krupl
Hi guys,

I'm at a complete loss regarding this issue, and the documentation at J is
a bad mess of RE-based flow sampling and M-series stuff mixed with
MX/MS-DPC stuff.

1. Do I need to prep the MS-DPC more than this?
chassis {
    aggregated-devices {
        ethernet {
            device-count 1;
        }
    }
    fpc 1 {
        pic 0 {
            adaptive-services {
                service-package layer-3;
            }
        }
        pic 1 {
            adaptive-services {
                service-package layer-3;
            }
        }
    }
    network-services ip;
}

2. Does anyone have a working configuration for NetFlow v9 on MX?

3. And what is the purpose of the source-address statement under
forwarding-options/output/interface? Where is this address used?

I'm running 10.1R1.8, and the suggested config in the docs for 10.1 gives me a
deprecated warning.

Here is my config:

forwarding-options {
    sampling {
        input {
            family inet {
                rate 1;
            }
            family mpls {
                rate 1;
            }
        }
        output { ## Warning: 'output' is deprecated
            flow-inactive-timeout 30;
            flow-active-timeout 60;
            flow-server 213.173.238.14 {
                port 9990;
                version9 {
                    template {
                        ip-template;
                    }
                }
            }
            interface sp-1/0/0 {
                source-address 1.1.1.1;
            }
        }
    }
}

Kind regards,
Peter Krupl



Re: [j-nsp] MS-DPC and netflow.

2010-07-15 Thread bit gossip
Hi Peter,
This should be working.
Thanks,
Luca.

forwarding-options {
    sampling {
        input {
            rate 1;
            run-length 0;
        }
        family inet {
            output {
                flow-server 1.1.1.66 {
                    port ;
                    autonomous-system-type origin;
                    no-local-dump;
                    version9 {
                        template {
                            PIPPO_V9;
                        }
                    }
                }
                flow-server 1.1.1.194 {
                    port ;
                    autonomous-system-type origin;
                    no-local-dump;
                    version9 {
                        template {
                            PIPPO_V9;
                        }
                    }
                }
                interface sp-2/0/0 {
                    source-address 1.1.1.1;
                }
            }
        }
        family inet6 {
            output {
                flow-server 1.1.1.66 {
                    port ;
                    autonomous-system-type origin;
                    no-local-dump;
                    version9 {
                        template {
                            PIPPO-INET6-V9;
                        }
                    }
                }
                flow-server 1.1.1.194 {
                    port ;
                    autonomous-system-type origin;
                    no-local-dump;
                    version9 {
                        template {
                            PIPPO-INET6-V9;
                        }
                    }
                }
                interface sp-2/0/0 {
                    source-address 1.1.1.1;
                }
            }
        }
    }
}
services {
    flow-monitoring {
        version9 {
            template PIPPO_V9 {
                ipv4-template;
            }
            template PIPPO-INET6-V9 {
                ipv6-template;
            }
        }
    }
}





Re: [j-nsp] MS-DPC and netflow.

2010-07-15 Thread Chris Tracy
Peter, Luca,

I believe you need to be running 9.6 or later in order to use the config that 
Luca provided below.

Prior to 9.6, you will only find 'input', 'output' and 'traceoptions' under 
forwarding-options { sampling { ... } }.  After 9.6, you will find 'family 
inet' and 'family inet6' under that level -- but not in earlier releases.  In 
either case, under output { ... }, older JUNOS seems to use 'cflowd' while 
newer JUNOS uses the 'flow-server' keyword.

The advantage is that after 9.6, you can output IPv4 and IPv6 flow data to the 
same collector IP address/port.  e.g. apply multiple templates to a single 
collector.  Before 9.6, you had to apply the IPv4 template to one cflowd IP, 
and the IPv6 (or MPLS) template to another cflowd IP.

Another cool thing you can do after 9.6 is per-FPC sampling instances.  For 
example, you can do

forwarding-options {
    sampling {
        instance {
            xyz {
                input { ... }
                family inet { ... }
                family inet6 { ... }
            }
        }
    }
}
chassis {
    fpc X {
        sampling-instance xyz;
    }
}

I haven't really seen a reason to use this type of config yet, but if you are 
somehow maxing out the resources of a single MS-DPC, it looks like you could 
potentially use this syntax to dedicate one MS-DPC to one or more FPCs, another 
MS-DPC to another set of FPCs, etc.

For completeness, here is a working example from JUNOS 9.3.  Just make sure you 
are doing sampling somewhere in your firewall filters (e.g. you might sample 
all inbound on every interface).  You need to be careful not to sample the same 
flow twice (on each router) or else your flow records will show double 
packets/octets.

interfaces {
    sp-1/0/0 {
        unit 0 {
            family inet;
            family inet6;
            family mpls;
        }
    }
}
forwarding-options {
    sampling {
        input {
            family inet {
                rate 1;
                run-length 0;
                max-packets-per-second 65000;
            }
            family inet6 {
                rate 1;
                run-length 0;
                max-packets-per-second 65000;
            }
        }
        output {
            cflowd 10.0.0.1 {
                port ;
                version9 {
                    template {
                        ipv4;
                    }
                }
                no-local-dump;
                autonomous-system-type origin;
            }
            cflowd 10.0.0.2 {
                port ;
                version9 {
                    template {
                        ipv6;
                    }
                }
                no-local-dump;
                autonomous-system-type origin;
            }
            flow-inactive-timeout 15;
            flow-active-timeout 60;
            interface sp-1/0/0 {
                source-address [router loopback address];
            }
        }
    }
}
services {
    flow-monitoring {
        version9 {
            template ipv4 {
                ipv4-template;
            }
            template mpls {
                mpls-template;
            }
            template ipv6 {
                ipv6-template;
            }
        }
    }
}

Cheers,
-Chris



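Both Luca's and Chris's configurations export NetFlow version 9 with an ipv4-template to a flow-server/cflowd collector, and the deprecated-syntax and same-collector questions in this thread come down to what those export datagrams look like on the wire. The following is an added example, not code from the thread or from Juniper: a small collector-side v9 decoder in Python, with an exporter stub that builds the template and data flowsets so the exchange can be seen end to end offline. The RFC 3954 field type numbers are my assumption about what an ipv4-template with autonomous-system-type origin carries (Junos may export more fields), and the flows use constructed RFC 5737 documentation addresses. The decoder keys its template cache by the exporter's source ID, which is the per-exporter state a collector needs once more than one sampling instance or MS-DPC exports to the same collector address and port, and it refuses to decode data records whose template has not arrived yet rather than guessing the layout.

```python
"""Collector-side NetFlow v9 decoder plus an exporter stub that builds the
datagrams a sampling exporter would send. Added example, not code from the
thread or from Juniper; RFC 3954 field types approximate what an ipv4-template
with autonomous-system-type origin carries, and all flows are constructed."""
import socket
import struct

FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port",
               8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr",
               16: "src_as", 17: "dst_as"}          # RFC 3954 field type numbers
HEADER = struct.Struct("!HHIIII")   # version, count, sysuptime, unix_secs, seq, source_id
FLOWSET = struct.Struct("!HH")      # flowset_id, length (length includes these 4 bytes)


def parse_v9(packet, templates):
    """Decode one datagram. ``templates`` maps (source_id, template_id) to a field
    list and is updated in place: v9 is stateful, so data records whose template
    has not been seen yet are counted as dropped, never guessed at.
    Returns (sequence_number, flows, dropped_flowsets)."""
    version, _count, _uptime, _secs, seq, source_id = HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError("not NetFlow v9: version %d" % version)
    flows, dropped, off = [], 0, HEADER.size
    while off + FLOWSET.size <= len(packet):
        fs_id, fs_len = FLOWSET.unpack_from(packet, off)
        if fs_len < FLOWSET.size or off + fs_len > len(packet):
            raise ValueError("flowset length %d out of bounds" % fs_len)
        body = packet[off + FLOWSET.size:off + fs_len]
        if fs_id == 0:                                  # template flowset
            _parse_templates(body, source_id, templates)
        elif fs_id >= 256:                              # data flowset
            fields = templates.get((source_id, fs_id))
            if fields is None:
                dropped += 1
            else:
                flows.extend(_parse_records(body, fields))
        off += fs_len          # fs_id 1 (options template) and 2..255 (reserved) skipped
    return seq, flows, dropped


def _parse_templates(body, source_id, templates):
    off = 0
    while off + 4 <= len(body):
        tid, nfields = FLOWSET.unpack_from(body, off)
        off += 4
        if tid < 256 or nfields == 0:                   # zero padding, not a template
            break
        if off + 4 * nfields > len(body):
            raise ValueError("truncated template %d" % tid)
        templates[(source_id, tid)] = [FLOWSET.unpack_from(body, off + 4 * i)
                                       for i in range(nfields)]
        off += 4 * nfields


def _parse_records(body, fields):
    rec_len = sum(length for _, length in fields)
    records, off = [], 0
    while rec_len and off + rec_len <= len(body):       # trailing < rec_len is padding
        rec = {}
        for ftype, length in fields:
            raw, off = body[off:off + length], off + length
            name = FIELD_NAMES.get(ftype, "field_%d" % ftype)
            rec[name] = (socket.inet_ntoa(raw) if ftype in (8, 12) and length == 4
                         else int.from_bytes(raw, "big"))
        records.append(rec)
    return records


# Exporter side. Template 256: src/dst IPv4, ports, proto, bytes, pkts, src/dst AS.
TEMPLATE_ID, TEMPLATE_FIELDS = 256, [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4), (16, 4), (17, 4)]


def _flowset(fs_id, body):
    body += b"\x00" * ((-len(body)) % 4)                # pad to a 32-bit boundary
    return FLOWSET.pack(fs_id, FLOWSET.size + len(body)) + body


def build_template_packet(seq, source_id=0):
    body = FLOWSET.pack(TEMPLATE_ID, len(TEMPLATE_FIELDS))
    body += b"".join(FLOWSET.pack(t, l) for t, l in TEMPLATE_FIELDS)
    return HEADER.pack(9, 1, 0, 0, seq, source_id) + _flowset(0, body)


def build_data_packet(seq, flows, source_id=0):
    body = b""
    for f in flows:
        body += socket.inet_aton(f["ipv4_src_addr"]) + socket.inet_aton(f["ipv4_dst_addr"])
        body += struct.pack("!HHB", f["l4_src_port"], f["l4_dst_port"], f["protocol"])
        body += struct.pack("!IIII", f["in_bytes"], f["in_pkts"], f["src_as"], f["dst_as"])
    return HEADER.pack(9, len(flows), 0, 0, seq, source_id) + _flowset(TEMPLATE_ID, body)


SAMPLE_FLOWS = [  # constructed sample (RFC 5737 documentation ranges), not captured traffic
    dict(ipv4_src_addr="192.0.2.10", ipv4_dst_addr="198.51.100.20", l4_src_port=51234,
         l4_dst_port=443, protocol=6, in_bytes=15200, in_pkts=40, src_as=64496, dst_as=64497),
    dict(ipv4_src_addr="198.51.100.20", ipv4_dst_addr="192.0.2.10", l4_src_port=443,
         l4_dst_port=51234, protocol=6, in_bytes=1500000, in_pkts=1100, src_as=64497, dst_as=64496),
]


def demo():
    """Data before its template is undecodable; after the template it decodes to SAMPLE_FLOWS."""
    templates = {}
    _, flows, dropped = parse_v9(build_data_packet(1, SAMPLE_FLOWS), templates)
    assert flows == [] and dropped == 1
    parse_v9(build_template_packet(2), templates)
    _, flows, dropped = parse_v9(build_data_packet(3, SAMPLE_FLOWS), templates)
    assert dropped == 0
    return flows
```

Two things this shows that the configs alone do not: a collector sees nothing usable until the exporter's periodic template refresh arrives, so an empty collector right after a commit is not by itself a sign that sampling is broken; and templates are scoped per exporter source ID, so the post-9.6 arrangement of sending IPv4 and IPv6 templates to the same collector address and port only works because the collector keeps them apart by that key. The source-address under output/interface in these configs is the address the export datagrams are sent from, so any collector ACL keyed on exporter address has to match that address rather than the loopback or the sp- interface unless that is what was configured.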
Re: [j-nsp] Juniper RANCID

2010-07-15 Thread ck
Your output is expected behavior. jlogin is just an expect script that logs
into the devices.

If your configuration is complete (with cron job, etc.) and you just want to
test, you can run /blah/blah/rancid/bin/rancid-run to run rancid.

-ck



On Thu, Jul 15, 2010 at 4:53 PM, Stefan Schlesinger s...@ono.at wrote:

 Hello Folks,

 I'm trying to get RANCID to work with jlogin on my SRX100. I
 configured my router.db and .cloginrc. The following command
 can log in to the router, but it doesn't back up anything.

$ bin/jlogin -f .cloginrc 192.168.0.13


 I'm running rancid 2.3.3, and here are my configuration files:

 .cloginrc
add password 192.168.0.* pwdstring
add user 192.168.0.* rancid
add method   192.168.0.* {ssh}
 --

 var/noc/router.db:
192.168.0.13:juniper:up
 --

 The following happens when I run the command line from above:


 $ bin/jlogin -f .cloginrc 192.168.0.13
spawn ssh -c 3des -x -l rancid 192.168.0.13
ran...@192.168.0.13's password:
--- JUNOS 10.1R3.7 built 2010-07-10 08:32:02 UTC
ran...@juniper-01

ran...@juniper-01



 Maybe someone on the list could provide me with some advice on how
 to get that working.

 Regards, Stefan.

 --
 Stefan Schlesinger // ///
 s...@ono.at



Re: [j-nsp] Juniper RANCID

2010-07-15 Thread Dale Shaw
Hi Stefan,

On Fri, Jul 16, 2010 at 9:53 AM, Stefan Schlesinger s...@ono.at wrote:

 I'm trying to get RANCID to work with jlogin on my SRX100. [...]

 The following happens when i run the command line from above:

 $ bin/jlogin -f .cloginrc 192.168.0.13
        spawn ssh -c 3des -x -l rancid 192.168.0.13
        ran...@192.168.0.13's password:
        --- JUNOS 10.1R3.7 built 2010-07-10 08:32:02 UTC
        ran...@juniper-01

Looks like 'jlogin' is working just fine. 'jlogin' automates logins
and (optionally) allows you to execute commands (using -c or -x).
'jrancid' does the work to collect and store command output in CVS,
but typically it is not executed directly.

Have you run rancid-cvs and then rancid-run? Have you set up rancid.conf?

Follow some of the links from: http://www.shrubbery.net/rancid/#started

cheers,
Dale
