Re: [j-nsp] How to configure shaping or rate limit in EX4200
Below are details that talk about rate-limiting on RVI interfaces:

http://kb.juniper.net/index?page=contentid=KB14250cat=FIREWALLactp=LIST

This KB talks about port filters as well:

http://kb.juniper.net/index?page=contentid=KB10968cat=JUNOS_EXactp=LIST

Cheers,
Truman

On 15/07/2010, at 9:37 AM, luis barrios wrote:

> hello ..
> does anybody know how to configure shaping in one port of a juniper EX4200. I need to configure a shape or rate-limit in one physical port, but it's not exactly the same as in a juniper router.
> thanks ...
> luis

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] MS-DPC and netflow.
Hi guys,

I'm at a complete loss regarding this issue. And the documentation at J is a bad mess of RE based flow sampling, and M series stuff mixed with MX/MS-DPC stuff.

1. Do I need to prep the MS-DPC more than?:

    aggregated-devices {
        ethernet {
            device-count 1;
        }
    }
    fpc 1 {
        pic 0 {
            adaptive-services {
                service-package layer-3;
            }
        }
        pic 1 {
            adaptive-services {
                service-package layer-3;
            }
        }
    }
    network-services ip;

2. Anyone has a working configuration for netflow v9 on MX?

3. And what is the purpose of the source address statement under /forwarding-options/output/interface, where is this address used?

I'm running 10.1R1.8 and the suggested config in the docs for 10.1 gives me a deprecated warning.

Here is my config:

    forwarding-options {
        sampling {
            input {
                family inet {
                    rate 1;
                }
                family mpls {
                    rate 1;
                }
            }
            output { ## Warning: 'output' is deprecated
                flow-inactive-timeout 30;
                flow-active-timeout 60;
                flow-server 213.173.238.14 {
                    port 9990;
                    version9 {
                        template {
                            ip-template;
                        }
                    }
                }
                interface sp-1/0/0 {
                    source-address 1.1.1.1;
                }
            }
        }
    }

Kind regards,
Peter Krupl
Re: [j-nsp] MS-DPC and netflow.
Hi Peter,

this should be working

Thanks,
Luca.

    forwarding-options {
        sampling {
            input {
                rate 1;
                run-length 0;
            }
            family inet {
                output {
                    flow-server 1.1.1.66 {
                        port ;
                        autonomous-system-type origin;
                        no-local-dump;
                        version9 {
                            template {
                                PIPPO_V9;
                            }
                        }
                    }
                    flow-server 1.1.1.194 {
                        port ;
                        autonomous-system-type origin;
                        no-local-dump;
                        version9 {
                            template {
                                PIPPO_V9;
                            }
                        }
                    }
                    interface sp-2/0/0 {
                        source-address 1.1.1.1;
                    }
                }
            }
            family inet6 {
                output {
                    flow-server 1.1.1.66 {
                        port ;
                        autonomous-system-type origin;
                        no-local-dump;
                        version9 {
                            template {
                                PIPPO-INET6-V9;
                            }
                        }
                    }
                    flow-server 1.1.1.194 {
                        port ;
                        autonomous-system-type origin;
                        no-local-dump;
                        version9 {
                            template {
                                PIPPO-INET6-V9;
                            }
                        }
                    }
                    interface sp-2/0/0 {
                        source-address 1.1.1.1;
                    }
                }
            }
        }
    }
    services {
        flow-monitoring {
            version9 {
                template PIPPO_V9 {
                    ipv4-template;
                }
                template PIPPO-INET6-V9 {
                    ipv6-template;
                }
            }
        }
    }

On Thu, 2010-07-15 at 10:58 +0200, Peter Krupl wrote:

> Hi guys,
>
> I'm at a complete loss regarding this issue. And the documentation at J is a bad mess of RE based flow sampling, and M series stuff mixed with MX/MS-DPC stuff.
>
> 1. Do I need to prep the MS-DPC more than?:
>
>     aggregated-devices {
>         ethernet {
>             device-count 1;
>         }
>     }
>     fpc 1 {
>         pic 0 {
>             adaptive-services {
>                 service-package layer-3;
>             }
>         }
>         pic 1 {
>             adaptive-services {
>                 service-package layer-3;
>             }
>         }
>     }
>     network-services ip;
>
> 2. Anyone has a working configuration for netflow v9 on MX?
>
> 3. And what is the purpose of the source address statement under /forwarding-options/output/interface, where is this address used?
>
> I'm running 10.1R1.8 and the suggested config in the docs for 10.1 gives me a deprecated warning.
>
> Here is my config:
>
>     forwarding-options {
>         sampling {
>             input {
>                 family inet {
>                     rate 1;
>                 }
>                 family mpls {
>                     rate 1;
>                 }
>             }
>             output { ## Warning: 'output' is deprecated
>                 flow-inactive-timeout 30;
>                 flow-active-timeout 60;
>                 flow-server 213.173.238.14 {
>                     port 9990;
>                     version9 {
>                         template {
>                             ip-template;
>                         }
>                     }
>                 }
>                 interface sp-1/0/0 {
>                     source-address 1.1.1.1;
>                 }
>             }
>         }
>     }
>
> Kind regards,
> Peter Krupl
Re: [j-nsp] MS-DPC and netflow.
Peter, Luca,

I believe you need to be running 9.6 or later in order to use the config that Luca provided below. Prior to 9.6, you will only find 'input', 'output' and 'traceoptions' under forwarding-options { sampling { ... } }. After 9.6, you will find 'family inet' and 'family inet6' under that level -- but not in earlier releases. In either case, under output { ... }, older JUNOS seems to use 'cflowd' while newer JUNOS uses the 'flow-server' keyword.

The advantage is that after 9.6, you can output IPv4 and IPv6 flow data to the same collector IP address/port, e.g. apply multiple templates to a single collector. Before 9.6, you had to apply the IPv4 template to one cflowd IP, and the IPv6 (or MPLS) template to another cflowd IP.

Another cool thing you can do after 9.6 is per-FPC sampling instances. For example, you can do

    forwarding-options {
        sampling {
            instance {
                xyz {
                    input { ... }
                    family inet { ... }
                    family inet6 { ... }
                }
            }
        }
    }
    chassis {
        fpc X {
            sampling-instance xyz;
        }
    }

I haven't really seen a reason to use this type of config yet, but if you are somehow max'ing out the resources of a single MS-DPC, it looks like you could potentially use this syntax to dedicate one MS-DPC to one or more FPCs, another MS-DPC to another set of FPCs, etc.

For completeness, here is a working example from JUNOS 9.3. Just make sure you are doing sampling somewhere in your firewall filters (e.g. you might sample all inbound on every interface). You need to be careful not to sample the same flow twice (on each router) or else your flow records will show double packets/octets.
    interfaces {
        sp-1/0/0 {
            unit 0 {
                family inet;
                family inet6;
                family mpls;
            }
        }
    }
    forwarding-options {
        sampling {
            input {
                family inet {
                    rate 1;
                    run-length 0;
                    max-packets-per-second 65000;
                }
                family inet6 {
                    rate 1;
                    run-length 0;
                    max-packets-per-second 65000;
                }
            }
            output {
                cflowd 10.0.0.1 {
                    port ;
                    version9 {
                        template {
                            ipv4;
                        }
                    }
                    no-local-dump;
                    autonomous-system-type origin;
                }
                cflowd 10.0.0.2 {
                    port ;
                    version9 {
                        template {
                            ipv6;
                        }
                    }
                    no-local-dump;
                    autonomous-system-type origin;
                }
                flow-inactive-timeout 15;
                flow-active-timeout 60;
                interface sp-1/0/0 {
                    source-address [router loopback address];
                }
            }
        }
    }
    services {
        flow-monitoring {
            version9 {
                template ipv4 {
                    ipv4-template;
                }
                template mpls {
                    mpls-template;
                }
                template ipv6 {
                    ipv6-template;
                }
            }
        }
    }

Cheers,
-Chris

On Jul 15, 2010, at 10:18 AM, bit gossip wrote:

> Hi Peter,
>
> this should be working
>
> Thanks,
> Luca.
>
>     forwarding-options {
>         sampling {
>             input {
>                 rate 1;
>                 run-length 0;
>             }
>             family inet {
>                 output {
>                     flow-server 1.1.1.66 {
>                         port ;
>                         autonomous-system-type origin;
>                         no-local-dump;
>                         version9 {
>                             template {
>                                 PIPPO_V9;
>                             }
>                         }
>                     }
>                     flow-server 1.1.1.194 {
>                         port ;
>                         autonomous-system-type origin;
>                         no-local-dump;
>                         version9 {
>                             template {
>                                 PIPPO_V9;
>                             }
>                         }
>                     }
>                     interface sp-2/0/0 {
>                         source-address 1.1.1.1;
>                     }
>                 }
>             }
>             family inet6 {
>                 output {
>                     flow-server 1.1.1.66 {
>                         port ;
>                         autonomous-system-type origin;
>                         no-local-dump;
>                         version9 {
>                             template {
>                                 PIPPO-INET6-V9;
>                             }
>                         }
>                     }
>                     flow-server 1.1.1.194 {
>                         port ;
>                         autonomous-system-type origin;
>                         no-local-dump;
>                         version9 {
>                             template {
>                                 PIPPO-INET6-V9;
>                             }
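The firewall-filter side that the 9.3 example above depends on ("make sure you are doing sampling somewhere in your firewall filters"), shown as an added illustration that is not part of the original thread. The filter names and the interface ge-0/0/0 are assumptions; sampling is applied in the input direction only, so transit traffic is not sampled once on ingress and again on egress of the same router.

```junos
# Added example: filter names and ge-0/0/0 are assumptions, not from the thread.
firewall {
    family inet {
        filter SAMPLE-V4-IN {
            term sample-all {
                then {
                    # 'sample' hands the packet to forwarding-options sampling;
                    # 'accept' leaves forwarding behaviour unchanged.
                    sample;
                    accept;
                }
            }
        }
    }
    family inet6 {
        filter SAMPLE-V6-IN {
            term sample-all {
                then {
                    sample;
                    accept;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    # Input only: no matching output filter with 'sample',
                    # otherwise transit flows are counted twice.
                    input SAMPLE-V4-IN;
                }
            }
            family inet6 {
                filter {
                    input SAMPLE-V6-IN;
                }
            }
        }
    }
}
```

On an interface that already carries an input filter, add `sample` to the `then` clause of its existing terms instead of attaching a second filter.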
Re: [j-nsp] Juniper RANCID
your output is expected behavior. jlogin is just an expect script that logs into the devices.

if your configuration is complete (with cron job/etc) and you just want to test you can run the following

    /blah/blah/rancid/bin/rancid-run

to run rancid

-ck

On Thu, Jul 15, 2010 at 4:53 PM, Stefan Schlesinger s...@ono.at wrote:

> Hello Folks,
>
> I'm trying to get RANCID to work with jlogin on my SRX100. I configured my router.db and .cloginrc. The following command can login to the router, but it doesn't backup anything.
>
>     $ bin/jlogin -f .cloginrc 192.168.0.13
>
> I'm running rancid 2.3.3, and here are my configuration files:
>
> .cloginrc
>
>     add password 192.168.0.* pwdstring
>     add user 192.168.0.* rancid
>     add method 192.168.0.* {ssh}
>
> --
> var/noc/router.db:
>
>     192.168.0.13:juniper:up
>
> --
> The following happens when i run the command line from above:
>
>     $ bin/jlogin -f .cloginrc 192.168.0.13
>     spawn ssh -c 3des -x -l rancid 192.168.0.13
>     ran...@192.168.0.13's password:
>     --- JUNOS 10.1R3.7 built 2010-07-10 08:32:02 UTC
>     ran...@juniper-01
>     ran...@juniper-01
>
> Maybe someone on the list could provide me with some advice on how to get that working.
>
> Regards,
> Stefan.
>
> --
> Stefan Schlesinger // /// s...@ono.at
Re: [j-nsp] Juniper RANCID
Hi Stefan,

On Fri, Jul 16, 2010 at 9:53 AM, Stefan Schlesinger s...@ono.at wrote:

> I'm trying to get RANCID to work with jlogin on my SRX100.
> [...]
> The following happens when i run the command line from above:
>
>     $ bin/jlogin -f .cloginrc 192.168.0.13
>     spawn ssh -c 3des -x -l rancid 192.168.0.13
>     ran...@192.168.0.13's password:
>     --- JUNOS 10.1R3.7 built 2010-07-10 08:32:02 UTC
>     ran...@juniper-01

Looks like 'jlogin' is working just fine. 'jlogin' automates logins and (optionally) allows you to execute commands (using -c or -x). 'jrancid' does the work to collect and store command output in CVS, but typically it is not executed directly.

Have you run rancid-cvs and then rancid-run? Have you set up rancid.conf? Follow some of the links from:

http://www.shrubbery.net/rancid/#started

cheers,
Dale