Re: [j-nsp] 10.3 on MX960 with MPC only?

2010-08-31 Thread Chris Evans
Crazy workaround but I didn't spend 500k on a box to do a hack job that a 3k
box does perfectly

:)
> You know, just as this thread popped up on this list, we were dealing with a
> multicast related issue... On an MX if you statically map a unicast IP address
> to a multicast mac address, you have to specify a single l2 interface to forward
> that traffic out of. It essentially defeats the whole purpose of creating the
> mapping in the first place.
>
> So I thought, what if we connect to ports on the same box together? This
> worked. Essentially you create a logical interface on one end of the cable and
> you move your layer 3 config to it for that particular VLAN, then the other end
> of the cable is just a trunk port.
>
> This might resolve your issue.
>
> From: Chris Evans 
> To: Derick Winkworth 
> Cc: juniper-nsp@puck.nether.net
> Sent: Tue, August 31, 2010 11:45:58 AM
> Subject: Re: [j-nsp] 10.3 on MX960 with MPC only?
>
>
> Agreed if they offering the mx as an Ethernet switch this should be
> supported. Nag your account team. I had them put in an enhancement request
> but who knows if they are listening.
>
>> "Its not supported" is the wrong phrase. "Its broken" is more appropriate.
>> Whatever design choices that were made in the past that led to this, as you
>> said, "mind-blowing" caveat, Juniper needs to go backwards and fix it.
>>
>> On Tue Aug 31st, 2010 8:01 AM CDT Chris Evans wrote:
>>
>>> Try configuring an irb, igmp, igmp-snooping and a trunk port on 10.x code.
>>> It will tell you its not supported. It's never been supported per JTAC.
>>> Also as per jtacs comment they put that statement in newer code as they
>>> didn't know it wasnt supported before. I asked jtac to update the
>>> documentation.
>>>> Is this in documentation somewhere? I just did a quick pass through the IGMP
>>>> snooping docs and I did not see it stated anywhere in there... maybe I missed
>>>> it.
>>>>
>>>> From: Derick Winkworth
>>>> To: Chris Evans ; Gavin Tweedie
>>>> Cc: juniper-nsp@puck.nether.net
>>>> Sent: Tue, August 31, 2010 7:13:37 AM
>>>> Subject: Re: [j-nsp] 10.3 on MX960 with MPC only?
>>>>
>>>> ###
>>>> I'm not even going to mention that
>>>>
>>>> IGMP-Snooping isn't support on trunk interfaces which blows my mind.
>>>>
>>>> wow!
>>>> ___
>>>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] Netflow / JFlow questions

2010-08-31 Thread Chris Evans
Have a few questions for some folks who have implemented JFlow.

I have a working jflow setup with basic ipv4 and ingress collection on an m7i
with a services pic and also on a MX platform with the MS-DPC blade.

#1 - Is egress netflow supported? It appears that only ingress is supported.
#2 - Why do all examples that I can find say to use a firewall filter to
sample traffic? I have successfully used the 'set interface xx-x/x/x unit xx
family inet sample' command. This appears to be the new way of doing it.
#3 - In my lab I have a MPLS VPN setup and am trying to netflow interfaces
within the VRF. As it appears the device can only do ingress netflow I also
need to sample the mpls interface. Does anyone have an example of how to
gather netflow stats from both the vrf and mpls pe <> p interfaces?


Thanks

Chris


Re: [j-nsp] 10.3 on MX960 with MPC only?

2010-08-31 Thread Derick Winkworth
You know, just as this thread popped up on this list, we were dealing with a
multicast related issue...  On an MX if you statically map a unicast IP address
to a multicast mac address, you have to specify a single l2 interface to forward
that traffic out of.  It essentially defeats the whole purpose of creating the
mapping in the first place.

So I thought, what if we connect two ports on the same box together?  This
worked.  Essentially you create a logical interface on one end of the cable and
you move your layer 3 config to it for that particular VLAN, then the other end
of the cable is just a trunk port.

This might resolve your issue.

From: Chris Evans 
To: Derick Winkworth 
Cc: juniper-nsp@puck.nether.net
Sent: Tue, August 31, 2010 11:45:58 AM
Subject: Re: [j-nsp] 10.3 on MX960 with MPC only?


Agreed if they offering the mx  as an Ethernet switch this should be 
supported.   Nag your account team.  I had them put in an enhancement request 
but who knows if they are listening.  

> "Its not supported" is the wrong phrase.  "Its broken" is more appropriate.  
>Whatever design choices that were made in the past that led to this, as you 
>said, "mind-blowing" caveat, Juniper needs to go backwards and fix it.
> 
> On Tue Aug 31st, 2010 8:01 AM CDT Chris Evans wrote:
> 
>>Try configuring an irb, igmp, igmp-snooping and a trunk port on 10.x code.
>>It will tell you its not supported.  It's never been supported per JTAC.
>>Also as per jtacs comment they put that statement in newer code as they
>>didn't know it wasnt supported before.  I asked jtac to update the
>>documentation.
>>> Is this in documentation somewhere? I just did a quick pass through the IGMP
>>> snooping docs and I did not see it stated anywhere in there... maybe I missed
>>> it.
>>>
>>> From: Derick Winkworth 
>>> To: Chris Evans ; Gavin Tweedie 
>>> Cc: juniper-nsp@puck.nether.net
>>> Sent: Tue, August 31, 2010 7:13:37 AM
>>> Subject: Re: [j-nsp] 10.3 on MX960 with MPC only?
>>>
>>> ###
>>> I'm not even going to mention that
>>>
>>> IGMP-Snooping isn't support on trunk interfaces which blows my mind.
>>> 
>>>
>>>
>>> wow!


Re: [j-nsp] Filtering the export of VRF routes with iBGP export filters....

2010-08-31 Thread David Ball
  Haven't tried them yet, no.  The application is a full routing table
inside a VRF, which is being exported to 'lesser' devices which can't handle
a full table.

David


On 31 August 2010 11:56, Keegan Holley  wrote:

> Have you tried any of the other suggestions?  I don't think I've ever had
> to export a group of routes and then filter then anyway.  Just out of
> curiosity where did this requirement come from?  Route reflection usually
> provides enough reduction in the routing table size.
>
>
>
> On Tue, Aug 31, 2010 at 10:44 AM, David Ball  wrote:
>
>> Thanks Krasimir.  I'd run across that knob previously, but my
>> understanding
>> is that the functionality provided by vpn-apply-export is enabled when a
>> router is configured as a route-reflector, which mine are already.  Will
>> give it a whirl anyways, though.
>>
>> David
>>
>>
>> On 31 August 2010 04:25, Krasimir Avramski  wrote:
>>
>> > You probably missing " vpn-apply-export" stanza in your bgp cluster
>> group.
>> >
>> > HTH
>> > Krasi
>> >
>> > On Mon, Aug 30, 2010 at 11:25 PM, David Ball 
>> wrote:
>> > >  Ts/MXs running 10.0.R3.10
>> > >
>> > > I don't have access to my actual configs, but think I can verbalize
>> > > anyways.
>> > >
>> > >  Does anyone know if it's possible to filter a given VRF route prior
>> to
>> > > export to an iBGP peer?  Naturally, the route itself includes an RD
>> and
>> > RT,
>> > > and I can't get my 'match' clauses to work.
>> > >
>> > >  I've been trying matching on things like community (ie. community
>> > SOMENAME
>> > > members target:###:###), on RIB (ie. rib bgp.l3vpn.0), and also using
>> a
>> > > route-filter (which I don't believe supports VRF routes), but with no
>> > > success.  For interest's sake, I'm running in 'route-reflector-ready'
>> > mode,
>> > > in that routes are being exported from bgp.l[2|3]vpn.0 rather than
>> from
>> > the
>> > > individual routing tables themselves, hence my trying to match on the
>> > > bgp.l3vpn.0 RIB instead of an individual VRF's RIB.
>> > >
>> > >  I was sure I saw a workaround listed here, but can't find it in the
>> > > archives for the life of me.
>> > >
>> > > David


[j-nsp] Help with DHCP relay issues on J2350 running 9.6 code

2010-08-31 Thread Will McLendon
Make sure you have DHCP as an allowed service on the reth interface in the Zone 
configuration:

set security zones security-zone  interfaces reth0.0 host-inbound-traffic system-services dhcp

I think that will do the trick.

good luck,

Will McLendon

On Aug 31, 2010, at 3:24 PM, juniper-nsp-requ...@puck.nether.net wrote:

> Help with DHCP relay issues on J2350 running 9.6 code
Hi,

I recently migrated from Cisco ASA firewall to Junos 9.6 on J2350 series but I 
cannot get DHCP relay to work with the DHCP clients sitting behind the 
firewall. My configs below:

set forwarding-options helpers bootp relay-agent-option
set forwarding-options helpers bootp interface reth0.0 server x.x.x.x
set forwarding-options helpers bootp interface reth0.0 server x.x.x.x

Any ideas?
Many thanks,
Regards,
Joe
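The check suggested in the reply above can be run against an exported `set`-format configuration. This is an added example, not code from the thread or from Juniper: the zone name `trust`, the server address and the sample lines are constructed, and it assumes that interface-level `host-inbound-traffic` replaces the zone-level list and that `system-services all` also admits DHCP.

```python
"""Audit Junos 'set' lines: is DHCP allowed as host-inbound traffic on every
interface that has a bootp helper (DHCP relay) configured?"""

# Constructed sample, not taken from the thread: the poster's helper lines with
# a documentation-range server address and a hypothetical zone named "trust".
SAMPLE_BROKEN = """\
set forwarding-options helpers bootp relay-agent-option
set forwarding-options helpers bootp interface reth0.0 server 192.0.2.10
set security zones security-zone trust interfaces reth0.0 host-inbound-traffic system-services ping
"""

# Same configuration plus the line suggested in the reply above.
SAMPLE_FIXED = SAMPLE_BROKEN + (
    "set security zones security-zone trust interfaces reth0.0 "
    "host-inbound-traffic system-services dhcp\n"
)

HELPER = ["set", "forwarding-options", "helpers", "bootp", "interface"]
ZONE = ["set", "security", "zones", "security-zone"]
HIT = ["host-inbound-traffic", "system-services"]


def parse(config):
    """Return (relay interfaces, interface->zone, zone services, interface services)."""
    relay_ifs, zone_of, zone_svcs, if_svcs = [], {}, {}, {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:5] == HELPER and len(tok) > 5:
            if tok[5] not in relay_ifs:
                relay_ifs.append(tok[5])
        elif tok[:4] == ZONE and len(tok) > 4:
            zone, rest = tok[4], tok[5:]
            table, key = zone_svcs, zone
            if rest[:1] == ["interfaces"] and len(rest) > 1:
                zone_of[rest[1]] = zone
                table, key, rest = if_svcs, rest[1], rest[2:]
            if rest[:2] == HIT and len(rest) > 2:
                # "<service> except" removes a service from an "all" grant.
                bucket = "deny" if rest[3:4] == ["except"] else "allow"
                entry = table.setdefault(key, {"allow": set(), "deny": set()})
                entry[bucket].add(rest[2])
    return relay_ifs, zone_of, zone_svcs, if_svcs


def audit(config):
    """Map each relay interface to 'ok', 'broad', 'missing' or 'no-zone'."""
    relay_ifs, zone_of, zone_svcs, if_svcs = parse(config)
    empty = {"allow": set(), "deny": set()}
    report = {}
    for ifname in relay_ifs:
        zone = zone_of.get(ifname)
        if zone is None:
            report[ifname] = "no-zone"      # interface not bound to any zone
            continue
        # Assumption: interface-level services replace the zone-level list.
        svcs = if_svcs.get(ifname) or zone_svcs.get(zone) or empty
        if "dhcp" in svcs["deny"]:
            report[ifname] = "missing"
        elif "all" in svcs["allow"]:
            report[ifname] = "broad"        # works, but opens every system service
        elif "dhcp" in svcs["allow"]:
            report[ifname] = "ok"
        else:
            report[ifname] = "missing"
    return report


if __name__ == "__main__":
    for name, cfg in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(name, audit(cfg))
```

A `broad` result means relay traffic is admitted only because every system service is open on that interface; listing `dhcp` explicitly keeps the firewall's own exposure narrower.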


Re: [j-nsp] Help with DHCP relay issues on J2350 running 9.6 code

2010-08-31 Thread Jeff Cadwallader
We also had the same issue with certain versions of code for the 2350. Currently
we are using 9.6R3. This was an undocumented feature I guess.

Jeff

On Aug 31, 2010 3:25 PM, "Baidoo, Joe"  wrote:
> Hi,
>
> I recently migrated from Cisco ASA firewall to Junos 9.6 on J2350 series
> but I cannot get DHCP relay to work with the DHCP clients sitting behind the
> firewall. My configs below:
>
> set forwarding-options helpers bootp relay-agent-option
> set forwarding-options helpers bootp interface reth0.0 server x.x.x.x
> set forwarding-options helpers bootp interface reth0.0 server x.x.x.x
>
> Any ideas?
> Many thanks,
> Regards,
> Joe


Re: [j-nsp] Stable Junos

2010-08-31 Thread Mark Tinka
On Wednesday, September 01, 2010 04:51:19 am Richard A 
Steenbergen wrote:

> It's like playing JUNOS Hero, you don't ever catch the
> dragon. :)

Nope, you never do :-).

> Personally I'd like them to support JUNOS images for a
> bit longer. By the time a particular branch is actually
> stable enough to use without major issues (R4) it's
> already EOL, which means they refuse to build fixes for
> any newly discovered bugs after that. Infact for the
> last several releases they've actually released R4
> *AFTER* the EOL date, so you're guaranteed that anything
> you find wrong in R4 will never get fixed. This forces
> you to chase the next newer version of code to fix those
> last few issues, where for every 1 thing they fix they
> break 2 new things, then rinse and repeat forever.

I was actually thinking about something like that. Perhaps 
it might not be such a bad idea to have additional releases 
of a particular code base, e.g., R5, R6, R7, etc., while 
development continues for newer releases (I know these are 
the so-called Service releases, but...).

In many cases, you have all the features you need for a 
particular release and just require only bug fixes to 
smoothen the code out.

> By the time 10.4 actually gets stable
> enough to use in widespread deploys, which is at least a
> year from today, where will be some other reason why
> we're forced into something newer. There always is. :)

And that is exactly my problem with JUNOS.

At the moment, bug fixes and new features are being coupled 
together (save for the Service releases et al). It would be 
nice if these two aspects would be sufficiently separated.

We all know R1 and R2 releases tend to be fairly high-risk, 
and that anything decent is R3 or later. It's simply 
terrible that we have to knowingly run buggy code just so we 
can fix a problem from a previous release or have that new 
feature that we can only get in a new release, and still be 
mindful of the fact that we might not be able to do anything 
serious about it for at least another 6 to 9 to 12 months or 
so, if we're lucky.

Mark.



Re: [j-nsp] Stable Junos

2010-08-31 Thread Richard A Steenbergen
On Wed, Sep 01, 2010 at 01:55:49AM +0800, Mark Tinka wrote:
> 
> I wish 10.5 were coming out tomorrow, but for now, 10.2R2.11 has been 
> behaving with the little we're doing. I'm tired of chasing JUNOS for 
> the past 2 years, so I wouldn't mind continuing with 10.2R2.11 until 
> 10.5R4 or 10.6R4 comes out (and works). Of course, that's hoping we 
> don't run into anything major with 10.2R2.11 :-\.

It's like playing JUNOS Hero, you don't ever catch the dragon. :)

Personally I'd like them to support JUNOS images for a bit longer. By 
the time a particular branch is actually stable enough to use without 
major issues (R4) it's already EOL, which means they refuse to build 
fixes for any newly discovered bugs after that. In fact for the last 
several releases they've actually released R4 *AFTER* the EOL date, so 
you're guaranteed that anything you find wrong in R4 will never get 
fixed. This forces you to chase the next newer version of code to fix 
those last few issues, where for every 1 thing they fix they break 2 new 
things, then rinse and repeat forever.

The extended support branches never quite seem to line up with anything 
we need either (I think they're picked solely based on what satisfies a 
few large accounts with some T1600s :P). For example, the extended 
support branches right now are 10.0 and 10.4. 10.0 is worthless to 
anyone who needs Trio card support, 10.1 reaches end of engineering 
in 2.5 months, this pretty much guarantees we'll be chasing 10.1, 10.2, 
10.3, etc, in the above cycle. By the time 10.4 actually gets stable 
enough to use in widespread deploys, which is at least a year from 
today, there will be some other reason why we're forced into something 
newer. There always is. :)

-- 
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)


Re: [j-nsp] Help with DHCP relay issues on J2350 running 9.6 code

2010-08-31 Thread Nathan Sipes
Make sure the security settings for the interfaces/zones are correct.

On Tue, Aug 31, 2010 at 11:38 AM, Baidoo, Joe wrote:

> Hi,
>
> I recently migrated from Cisco ASA firewall to Junos 9.6 on J2350 series
> but I cannot get DHCP relay to work with the DHCP clients sitting behind the
> firewall. My configs below:
>
> set forwarding-options helpers bootp relay-agent-option
> set forwarding-options helpers bootp interface reth0.0 server x.x.x.x
> set forwarding-options helpers bootp interface reth0.0 server x.x.x.x
>
> Any ideas?
> Many thanks,
> Regards,
> Joe


Re: [j-nsp] Stable Junos

2010-08-31 Thread Scott T. Cameron
On Tue, Aug 31, 2010 at 1:55 PM, Mark Tinka wrote:

> On Wednesday, September 01, 2010 12:06:26 am Richard A
> Steenbergen wrote:
>
> > ... but we're gonna be
> > forced into 10.2+ for MX to get full Trio support soon
> > anyways, so there isn't much benefit to hanging around
> > 10.0 even if it was stable.
>
> Same reason we're going to 10.2 - MX80 support as well as
> some new NG-MVPN stuff.
>
> I wish 10.5 were coming out tomorrow, but for now, 10.2R2.11
> has been behaving with the little we're doing. I'm tired of
> chasing JUNOS for the past 2 years, so I wouldn't mind
> continuing with 10.2R2.11 until 10.5R4 or 10.6R4 comes out
> (and works). Of course, that's hoping we don't run into
> anything major with 10.2R2.11 :-\.
>
>
On my SRX3400 boxes, I've got 10.2R2 humming along without issue for the
past couple of weeks.

Of course, I was cornered in to this upgrade after a
crash-failover-turned-ALG-blocking-DNS event to save my V6 support.

I'm about to flip the switch live on a pair of MX240s running 10.1R3.  They
run great with only traffic coming on on fxp0...

Scott


[j-nsp] Help with DHCP relay issues on J2350 running 9.6 code

2010-08-31 Thread Baidoo, Joe
Hi,

I recently migrated from Cisco ASA firewall to Junos 9.6 on J2350 series but I 
cannot get DHCP relay to work with the DHCP clients sitting behind the 
firewall. My configs below:

set forwarding-options helpers bootp relay-agent-option
set forwarding-options helpers bootp interface reth0.0 server x.x.x.x
set forwarding-options helpers bootp interface reth0.0 server x.x.x.x

Any ideas?
Many thanks,
Regards,
Joe


Re: [j-nsp] SRX5800 HA over 40 KM

2010-08-31 Thread Michael Damkot
I run A/A SRX 5000 series now, and I would advise against it. 

They aren't really designed for that, and the hello messages that would be 
required between chassis didn't play so well over MPLS when I tried it. 


On Aug 31, 2010, at 13:08 , Stefan Fouant wrote:

>> -Original Message-
>> From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-
>> boun...@puck.nether.net] On Behalf Of Fahad Khan
>> Sent: Tuesday, August 31, 2010 10:55 AM
>> To: juniper-nsp@puck.nether.net
>> Subject: [j-nsp] SRX5800 HA over 40 KM
>> 
>> Hi folks,
>> 
>> Can I place two SRX 5800 in separate DCs in HA and the distance in
>> between
>> these two Data centers is around 40 Km.
>> 
>> has any body experienced it??
> 
> It can be done under certain circumstances but it bears getting additional
> information before an answer can be given.
> 
> Are these for private services or publicly available services.  Are you
> planning on doing A/A or A/P and from a routing perspective how to you
> intend on failing respective flows from one data center to another, i.e.
> Anycast, etc...
> 
> Thanks,
> 
> Stefan Fouant, CISSP, JNCIEx2
> www.shortestpathfirst.net
> GPG Key ID: 0xB5E3803D
> 


Re: [j-nsp] Stable Junos

2010-08-31 Thread Mark Tinka
On Wednesday, September 01, 2010 12:06:26 am Richard A 
Steenbergen wrote:

> ... but we're gonna be
> forced into 10.2+ for MX to get full Trio support soon
> anyways, so there isn't much benefit to hanging around
> 10.0 even if it was stable.

Same reason we're going to 10.2 - MX80 support as well as 
some new NG-MVPN stuff.

I wish 10.5 were coming out tomorrow, but for now, 10.2R2.11 
has been behaving with the little we're doing. I'm tired of 
chasing JUNOS for the past 2 years, so I wouldn't mind 
continuing with 10.2R2.11 until 10.5R4 or 10.6R4 comes out 
(and works). Of course, that's hoping we don't run into 
anything major with 10.2R2.11 :-\.

Mark.



Re: [j-nsp] Filtering the export of VRF routes with iBGP export filters....

2010-08-31 Thread Keegan Holley
Have you tried any of the other suggestions?  I don't think I've ever had to
export a group of routes and then filter them anyway.  Just out of curiosity
where did this requirement come from?  Route reflection usually provides
enough reduction in the routing table size.


On Tue, Aug 31, 2010 at 10:44 AM, David Ball  wrote:

> Thanks Krasimir.  I'd run across that knob previously, but my understanding
> is that the functionality provided by vpn-apply-export is enabled when a
> router is configured as a route-reflector, which mine are already.  Will
> give it a whirl anyways, though.
>
> David
>
>
> On 31 August 2010 04:25, Krasimir Avramski  wrote:
>
> > You probably missing " vpn-apply-export" stanza in your bgp cluster
> group.
> >
> > HTH
> > Krasi
> >
> > On Mon, Aug 30, 2010 at 11:25 PM, David Ball 
> wrote:
> > >  Ts/MXs running 10.0.R3.10
> > >
> > > I don't have access to my actual configs, but think I can verbalize
> > > anyways.
> > >
> > >  Does anyone know if it's possible to filter a given VRF route prior to
> > > export to an iBGP peer?  Naturally, the route itself includes an RD and
> > RT,
> > > and I can't get my 'match' clauses to work.
> > >
> > >  I've been trying matching on things like community (ie. community
> > SOMENAME
> > > members target:###:###), on RIB (ie. rib bgp.l3vpn.0), and also using a
> > > route-filter (which I don't believe supports VRF routes), but with no
> > > success.  For interest's sake, I'm running in 'route-reflector-ready'
> > mode,
> > > in that routes are being exported from bgp.l[2|3]vpn.0 rather than from
> > the
> > > individual routing tables themselves, hence my trying to match on the
> > > bgp.l3vpn.0 RIB instead of an individual VRF's RIB.
> > >
> > >  I was sure I saw a workaround listed here, but can't find it in the
> > > archives for the life of me.
> > >
> > > David


Re: [j-nsp] SRX5800 HA over 40 KM

2010-08-31 Thread Fahad Khan
Especially for private services but can be for public services as well. I
want to keep them A/P.

Will Control and Fabric links work on this distance?

Actually we want geographical redundancy, so simply making all master
equipment in one DC and backup equipment in another DC (like master FW,
master EX8208 in one DC and respective backups are in another DC).

How do you comment on that?

regards,


Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Tue, Aug 31, 2010 at 10:08 PM, Stefan Fouant <
sfou...@shortestpathfirst.net> wrote:

> > -Original Message-
> > From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-
> > boun...@puck.nether.net] On Behalf Of Fahad Khan
> > Sent: Tuesday, August 31, 2010 10:55 AM
> > To: juniper-nsp@puck.nether.net
> > Subject: [j-nsp] SRX5800 HA over 40 KM
> >
> > Hi folks,
> >
> > Can I place two SRX 5800 in separate DCs in HA and the distance in
> > between
> > these two Data centers is around 40 Km.
> >
> > has any body experienced it??
>
> It can be done under certain circumstances but it bears getting additional
> information before an answer can be given.
>
> Are these for private services or publicly available services.  Are you
> planning on doing A/A or A/P and from a routing perspective how to you
> intend on failing respective flows from one data center to another, i.e.
> Anycast, etc...
>
> Thanks,
>
> Stefan Fouant, CISSP, JNCIEx2
> www.shortestpathfirst.net
> GPG Key ID: 0xB5E3803D
>
>


Re: [j-nsp] SRX5800 HA over 40 KM

2010-08-31 Thread Stefan Fouant
> -Original Message-
> From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-
> boun...@puck.nether.net] On Behalf Of Fahad Khan
> Sent: Tuesday, August 31, 2010 10:55 AM
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] SRX5800 HA over 40 KM
> 
> Hi folks,
> 
> Can I place two SRX 5800 in separate DCs in HA and the distance in
> between
> these two Data centers is around 40 Km.
> 
> has any body experienced it??

It can be done under certain circumstances but it bears getting additional
information before an answer can be given.

Are these for private services or publicly available services.  Are you
planning on doing A/A or A/P and from a routing perspective how to you
intend on failing respective flows from one data center to another, i.e.
Anycast, etc...

Thanks,

Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D



Re: [j-nsp] 10.3 on MX960 with MPC only?

2010-08-31 Thread Chris Evans
Agreed, if they are offering the mx as an Ethernet switch this should be
supported. Nag your account team. I had them put in an enhancement
request but who knows if they are listening.

> "Its not supported" is the wrong phrase. "Its broken" is more appropriate.
> Whatever design choices that were made in the past that led to this, as you
> said, "mind-blowing" caveat, Juniper needs to go backwards and fix it.
>
> On Tue Aug 31st, 2010 8:01 AM CDT Chris Evans wrote:
>
>>Try configuring an irb, igmp, igmp-snooping and a trunk port on 10.x code.
>>It will tell you its not supported. It's never been supported per JTAC.
>>Also as per jtacs comment they put that statement in newer code as they
>>didn't know it wasnt supported before. I asked jtac to update the
>>documentation.
>>> Is this in documentation somewhere? I just did a quick pass through the IGMP
>>> snooping docs and I did not see it stated anywhere in there... maybe I missed
>>> it.
>>>
>>> From: Derick Winkworth 
>>> To: Chris Evans ; Gavin Tweedie 
>>> Cc: juniper-nsp@puck.nether.net
>>> Sent: Tue, August 31, 2010 7:13:37 AM
>>> Subject: Re: [j-nsp] 10.3 on MX960 with MPC only?
>>>
>>> ###
>>> I'm not even going to mention that
>>>
>>> IGMP-Snooping isn't support on trunk interfaces which blows my mind.
>>> 
>>>
>>>
>>> wow!


Re: [j-nsp] 10.3 on MX960 with MPC only?

2010-08-31 Thread Derick Winkworth
"It's not supported" is the wrong phrase.  "It's broken" is more appropriate.  
Whatever design choices that were made in the past that led to this, as you 
said, "mind-blowing" caveat, Juniper needs to go backwards and fix it.

On Tue Aug 31st, 2010 8:01 AM CDT Chris Evans wrote:

>Try configuring an irb, igmp, igmp-snooping and a trunk port on 10.x code.
>It will tell you its not supported.  It's never been supported per JTAC.
>Also as per jtacs comment they put that statement in newer code as they
>didn't know it wasnt supported before.  I asked jtac to update the
>documentation.
>> Is this in documentation somewhere? I just did a quick pass through the IGMP
>> snooping docs and I did not see it stated anywhere in there... maybe I missed
>> it.
>>
>> From: Derick Winkworth 
>> To: Chris Evans ; Gavin Tweedie 
>> Cc: juniper-nsp@puck.nether.net
>> Sent: Tue, August 31, 2010 7:13:37 AM
>> Subject: Re: [j-nsp] 10.3 on MX960 with MPC only?
>>
>> ###
>> I'm not even going to mention that
>>
>> IGMP-Snooping isn't support on trunk interfaces which blows my mind.
>> 
>>
>>
>> wow!


Re: [j-nsp] Stable Junos

2010-08-31 Thread Richard A Steenbergen
On Tue, Aug 31, 2010 at 12:11:15AM -0700, Salik Mobin wrote:
> Dear Fellows,
> 
> Can anyone suggest a stable Junos from 10.x trail? 

You can't really make generalizations about JUNOS as a whole, it depends 
on which platform you're talking about... That said, at this exact 
moment we're actually having surprisingly good results (i.e. so far 
nothing major/new has blown up, and the number of serious outstanding 
bugs is lower than average) with 10.1S6 on both MX (not tested with Trio 
though) and EX8200. 10.0 is the only extended support release until 
10.4, so you might want to give it some consideration, but in our 
testing it still had a lot of serious issues leading all the way up to 
10.0R4. Our general theory is that we're going to stick with 10.1 for 
EX8200 for a while (trying to squeeze as many major fixes as possible 
for all the outstanding huge bugs into 10.1R4), but we're gonna be 
forced into 10.2+ for MX to get full Trio support soon anyways, so there 
isn't much benefit to hanging around 10.0 even if it was stable.

-- 
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)


[j-nsp] SRX5800 HA over 40 KM

2010-08-31 Thread Fahad Khan
Hi folks,

Can I place two SRX 5800 in separate DCs in HA and the distance in between
these two Data centers is around 40 Km.

Has anybody experienced it??

Thanks in adv

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


Re: [j-nsp] Filtering the export of VRF routes with iBGP export filters....

2010-08-31 Thread David Ball
Thanks Krasimir.  I'd run across that knob previously, but my understanding
is that the functionality provided by vpn-apply-export is enabled when a
router is configured as a route-reflector, which mine are already.  Will
give it a whirl anyways, though.

David


On 31 August 2010 04:25, Krasimir Avramski  wrote:

> You probably missing " vpn-apply-export" stanza in your bgp cluster group.
>
> HTH
> Krasi
>
> On Mon, Aug 30, 2010 at 11:25 PM, David Ball  wrote:
> >  Ts/MXs running 10.0.R3.10
> >
> > I don't have access to my actual configs, but think I can verbalize
> > anyways.
> >
> >  Does anyone know if it's possible to filter a given VRF route prior to
> > export to an iBGP peer?  Naturally, the route itself includes an RD and RT,
> > and I can't get my 'match' clauses to work.
> >
> >  I've been trying matching on things like community (ie. community SOMENAME
> > members target:###:###), on RIB (ie. rib bgp.l3vpn.0), and also using a
> > route-filter (which I don't believe supports VRF routes), but with no
> > success.  For interest's sake, I'm running in 'route-reflector-ready' mode,
> > in that routes are being exported from bgp.l[2|3]vpn.0 rather than from the
> > individual routing tables themselves, hence my trying to match on the
> > bgp.l3vpn.0 RIB instead of an individual VRF's RIB.
> >
> >  I was sure I saw a workaround listed here, but can't find it in the
> > archives for the life of me.
> >
> > David


Re: [j-nsp] Failed FPC

2010-08-31 Thread Jonas Frey
Hi,

Yes, you can do that; try offline/online for the FPC. It won't cause any
trouble; if you have bad luck it just won't work (if the card is faulty).
If it doesn't work I'd try to cycle it hardware-wise. If that doesn't help,
try changing the FPC. Even though Juniper sold these combined with the
SONET card, you can use a different FPC(-E) without problems (you can
remove the quad-wide SONET card).

IMO, rebooting won't help anything. Either it works via offline/online or
hardware-cycle of the card, or nothing will help at all (defect).

Regards,
Jonas


On Tue, 2010-08-31 at 05:11, Jose Madrid wrote:
> I have an m20 with a seemingly failed FPC.  A Sonet card seems to have
> just disappeared from the chassis, although still inserted.  Any
> chance I can get this back by issuing a "request chassis fpc online
> slot 2".  I was hoping to avoid rebooting this box to get this thing
> back into working shape.  I understand that it may be a hardware
> failure, but wanted to try and get it working again.  All comments
> welcome.
> 
> Currently shows:
> Slot 2   Offline
> 
> Used to show:
> Slot 2   Online   E-FPC
>   PIC 0  Online   1x OC-48 SONET, SMSR




Re: [j-nsp] 10.3 on MX960 with MPC only?

2010-08-31 Thread Chris Evans
Try configuring an irb, igmp, igmp-snooping and a trunk port on 10.x code.
It will tell you it's not supported.  It's never been supported per JTAC.
Also, as per JTAC's comment, they put that statement in newer code as they
didn't know it wasn't supported before.  I asked JTAC to update the
documentation.

> Is this in documentation somewhere? I just did a quick pass through the IGMP
> snooping docs and I did not see it stated anywhere in there... maybe I missed
> it.
>
> From: Derick Winkworth 
> To: Chris Evans ; Gavin Tweedie 
> Cc: juniper-nsp@puck.nether.net
> Sent: Tue, August 31, 2010 7:13:37 AM
> Subject: Re: [j-nsp] 10.3 on MX960 with MPC only?
>
> ###
> I'm not even going to mention that
>
> IGMP-Snooping isn't supported on trunk interfaces, which blows my mind.
> 
>
>
> wow!


Re: [j-nsp] 10.3 on MX960 with MPC only?

2010-08-31 Thread Derick Winkworth
Is this in documentation somewhere? I just did a quick pass through the IGMP 
snooping docs and I did not see it stated anywhere in there... maybe I missed 
it.  






From: Derick Winkworth 
To: Chris Evans ; Gavin Tweedie 
Cc: juniper-nsp@puck.nether.net
Sent: Tue, August 31, 2010 7:13:37 AM
Subject: Re: [j-nsp] 10.3 on MX960 with MPC only?

###
I'm not even going to mention that

IGMP-Snooping isn't supported on trunk interfaces, which blows my mind.



wow!


Re: [j-nsp] 10.3 on MX960 with MPC only?

2010-08-31 Thread Derick Winkworth
###
 I'm not even going to mention that

IGMP-Snooping isn't supported on trunk interfaces, which blows my mind.



wow!


[j-nsp] "Total packets" OID

2010-08-31 Thread david.roy
Hi all,

Is there a specific OID to get the "total input packets" of a specific
interface (that we show with the CLI command show interface xe-x/x/x ext)?
I saw the if-mib and the jnx-if-extension MIBs, but we have only separate counters
for unicast, broadcast and mcast in the if-mib and nothing in the jnx MIB (only
pps).

thanks,
regards



David Roy
Orange France - RBCI IP Technical Assistance Center
Tel.   +33(0)299876472
Mob. +33(0)685522213
Email. david@orange-ftgroup.com





Re: [j-nsp] Stable Junos

2010-08-31 Thread Tim Eberhard
It's always a wise choice to go with JTAC's recommended version of Junos for
your platform.



-Tim Eberhard

On Aug 31, 2010, at 2:11 AM, Salik Mobin  wrote:

> Dear Fellows,
> 
> Can anyone suggest a stable Junos from 10.x trail? 
> 
> TIA
> 
> 
> 
> 


Re: [j-nsp] Filtering the export of VRF routes with iBGP export filters....

2010-08-31 Thread Krasimir Avramski
You are probably missing the "vpn-apply-export" stanza in your bgp cluster group.

HTH
Krasi

On Mon, Aug 30, 2010 at 11:25 PM, David Ball  wrote:
>  Ts/MXs running 10.0.R3.10
>
> I don't have access to my actual configs, but think I can verbalize
> anyways.
>
>  Does anyone know if it's possible to filter a given VRF route prior to
> export to an iBGP peer?  Naturally, the route itself includes an RD and RT,
> and I can't get my 'match' clauses to work.
>
>  I've been trying matching on things like community (ie. community SOMENAME
> members target:###:###), on RIB (ie. rib bgp.l3vpn.0), and also using a
> route-filter (which I don't believe supports VRF routes), but with no
> success.  For interest's sake, I'm running in 'route-reflector-ready' mode,
> in that routes are being exported from bgp.l[2|3]vpn.0 rather than from the
> individual routing tables themselves, hence my trying to match on the
> bgp.l3vpn.0 RIB instead of an individual VRF's RIB.
>
>  I was sure I saw a workaround listed here, but can't find it in the
> archives for the life of me.
>
> David


[j-nsp] Stable Junos

2010-08-31 Thread Salik Mobin
Dear Fellows,

Can anyone suggest a stable Junos from 10.x trail? 

TIA


  
