Re: [j-nsp] SRX100 reset
On 02/09/2010, at 3:00 AM, Volker D. Pallas wrote: was something wrong with the VLAN/port-assignments (and maybe even zones) in the factory default config. This. The instructions say use fe-0/0/0 as trust and fe-0/0/1 as untrust, but they're the wrong way around. The DHCP you're seeing on fe-0/0/0 is the untrusted VLAN trying to find Internet access. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] SNMP polling issue MX
Hi All, We are facing issue in polling SNMP statistics on MX 960 sub-interfaces. JUNOS 10.2R1.8 is running on router. The sub-interfaces statistics are not getting polled on the Reporter software, where as the parent statistics are getting polled. The SNMP statistics can be seen on the router. The issue is with all types of interfaces AE, XE, GE. Nothing wrong seems with the configuration. Thanks Chintan ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SNMP polling issue MX
On Thu, Sep 02, 2010 at 12:56:21PM +0530, Chintan Pandya wrote: Hi All, We are facing issue in polling SNMP statistics on MX 960 sub-interfaces. JUNOS 10.2R1.8 is running on router. The sub-interfaces statistics are not getting polled on the Reporter software, where as the parent statistics are getting polled. The SNMP statistics can be seen on the router. The issue is with all types of interfaces AE, XE, GE. Nothing wrong seems with the configuration. Semi-known issue, see the discussion about bugs in 10.2 (in the Trio card thread) from a few days ago. We somehow stopped being able to replicate it, and it didn't seem like they had a PR on it back when we were looking, so please open a case on it. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SNMP polling issue MX
Hey thanks Richard, The case has been logged already. On Thu, Sep 2, 2010 at 2:24 PM, Richard A Steenbergen r...@e-gerbil.netwrote: On Thu, Sep 02, 2010 at 12:56:21PM +0530, Chintan Pandya wrote: Hi All, We are facing issue in polling SNMP statistics on MX 960 sub-interfaces. JUNOS 10.2R1.8 is running on router. The sub-interfaces statistics are not getting polled on the Reporter software, where as the parent statistics are getting polled. The SNMP statistics can be seen on the router. The issue is with all types of interfaces AE, XE, GE. Nothing wrong seems with the configuration. Semi-known issue, see the discussion about bugs in 10.2 (in the Trio card thread) from a few days ago. We somehow stopped being able to replicate it, and it didn't seem like they had a PR on it back when we were looking, so please open a case on it. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] Junos 8.5 to junos 9.5
Dear community I'm trying to load a* configuration file* from an old router with Junos 8.5 to a new Router with junos 9.5. can someone tell me if there is any reference that can help to check if there is any change on the commad between the two Junos versions !! Or if this is can be loaded directlly . Regards ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] MX NSR issue
As if I don't have enough bugs I'm finding in 10.0R3 code, I had a routing-engine failure last night..The box failed over, but in the process things are broken now.. Luckily this is my lab box. We'll see how long it takes ATAC to get me some answers.. #1 - I have two eBGP neighbors using BFD. One of the neighbors tripped, now BFD won't re-establish. BGP is up however. #2 - I'm using IRB interfaces on the MX platform. After the failover, traffic will not forward.. You can communicate RE to host, but HOST to HOST on the same box or externalHOST connectivity is broken. Adding to the list of IGMP-snooping is broken, jflow multicast reporting issues, etc.. I'm seriously second guessing this platform.. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] Inter-Area MPLS TE
Hi all, Sorry if this info is readily available, but I couldn't find it in the Juniper docs. Does JUNOS support inter-area MPLS traffic engineering for ISIS? I see that setting the 'expand-loose-hop' works for OSPF, but is it the same for ISIS, or does ISIS simply support this functionality naturally? Thanks, evt ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] JUNOS POLICER
People, We are trying to configure policers to logical interfaces created under IQ2E PIC. All policers are using firewall filters. One of them is a different situation ... we cannot rate all interface but only 3 IPs that pass thought the interface. But the policer is not worlink correctly: set firewall policer teste if-exceeding bandwidth limit 10m burst size 1000 set firewall policer teste then discar set firewall family inet filter policer term 10 from source-address 192.168.10.35/32 set firewall family inet filter policer term 10 then accept set firewall family inet filter policer term 10 then policer teste set firewall family inet filter policer term 20 from source-address 192.168.10.36/32 set firewall family inet filter policer term 20 then accept set firewall family inet filter policer term 20 then policer teste set firewall family inet filter policer term 30 from source-address 192.168.10.37/32 set firewall family inet filter policer term 30 then accept set firewall family inet filter policer term 30 then policer teste set firewall family inet filter policer term 40 then accept set interface ge-0/0/0 unit 100 vlan-id 100 family inet filter input policer The problem is ... the 3 chosen IPs are exceeding 10m. Sometimes 12, sometimes 18 Mbps. We need to use some special command for it ? Like - logical interface under policer ? What is the correct manner to use it ? Or we need to put it all in the same term ? Thanks a lot, Giuliano ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] JUNOS POLICER
You need to put it all in the same term. From: Giuliano Cardozo Medalha giulian...@uol.com.br To: juniper-nsp@puck.nether.net Sent: Thu, September 2, 2010 11:07:08 AM Subject: [j-nsp] JUNOS POLICER People, We are trying to configure policers to logical interfaces created under IQ2E PIC. All policers are using firewall filters. One of them is a different situation ... we cannot rate all interface but only 3 IPs that pass thought the interface. But the policer is not worlink correctly: set firewall policer teste if-exceeding bandwidth limit 10m burst size 1000 set firewall policer teste then discar set firewall family inet filter policer term 10 from source-address 192.168.10.35/32 set firewall family inet filter policer term 10 then accept set firewall family inet filter policer term 10 then policer teste set firewall family inet filter policer term 20 from source-address 192.168.10.36/32 set firewall family inet filter policer term 20 then accept set firewall family inet filter policer term 20 then policer teste set firewall family inet filter policer term 30 from source-address 192.168.10.37/32 set firewall family inet filter policer term 30 then accept set firewall family inet filter policer term 30 then policer teste set firewall family inet filter policer term 40 then accept set interface ge-0/0/0 unit 100 vlan-id 100 family inet filter input policer The problem is ... the 3 chosen IPs are exceeding 10m. Sometimes 12, sometimes 18 Mbps. We need to use some special command for it ? Like - logical interface under policer ? What is the correct manner to use it ? Or we need to put it all in the same term ? Thanks a lot, Giuliano ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] MX NSR issue
On Thu, Sep 02, 2010 at 09:15:18AM -0400, Chris Evans wrote: #2 - I'm using IRB interfaces on the MX platform. After the failover, traffic will not forward.. You can communicate RE to host, but HOST to HOST on the same box or externalHOST connectivity is broken. I've seen this behavior about a dozen times over the years, but always on production boxes where we don't have the luxury of leaving it in a broken state for Juniper to look at it. We've tried opening cases, but they never find anything after the fact, so they just give up and close the case. Try rebooting the backup RE and see if traffic starts forwarding while it is offline, then breaks again when it comes back up. If that works, try disabling GRES and see if that stops the blackholing. In my previous encounters with it, it will start blackholing again if you turn GRES back on afterwards, but will clear up if you reboot or non-GRES switchover to the other RE. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] JUNOS POLICER
The accept is what is allowing full bandwidth - you never hit the policer. firewall { family inet { filter policer { term 10 { from { source-address { 192.168.10.35/32; } then { policer teste; } } } } } On Thu, 02 Sep 2010 13:07:08 -0300, Giuliano Cardozo Medalha giulian...@uol.com.br wrote: People, We are trying to configure policers to logical interfaces created under IQ2E PIC. All policers are using firewall filters. One of them is a different situation ... we cannot rate all interface but only 3 IPs that pass thought the interface. But the policer is not worlink correctly: set firewall policer teste if-exceeding bandwidth limit 10m burst size 1000 set firewall policer teste then discar set firewall family inet filter policer term 10 from source-address 192.168.10.35/32 set firewall family inet filter policer term 10 then accept set firewall family inet filter policer term 10 then policer teste set firewall family inet filter policer term 20 from source-address 192.168.10.36/32 set firewall family inet filter policer term 20 then accept set firewall family inet filter policer term 20 then policer teste set firewall family inet filter policer term 30 from source-address 192.168.10.37/32 set firewall family inet filter policer term 30 then accept set firewall family inet filter policer term 30 then policer teste set firewall family inet filter policer term 40 then accept set interface ge-0/0/0 unit 100 vlan-id 100 family inet filter input policer The problem is ... the 3 chosen IPs are exceeding 10m. Sometimes 12, sometimes 18 Mbps. We need to use some special command for it ? Like - logical interface under policer ? What is the correct manner to use it ? Or we need to put it all in the same term ? Thanks a lot, Giuliano ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] MX NSR issue
My re totally failed. Luckily this is in my lab so we can hopefully get some info. I'm not rebooting it until I have an answer. On Thu, Sep 02, 2010 at 09:15:18AM -0400, Chris Evans wrote: #2 - I'm using IRB interfaces on the MX platform. After the failover, traffic will not forward.. You can communicate RE to host, but HOST to HOST on the same box or externalHOST connectivity is broken. I've seen this behavior about a dozen times over the years, but always on production boxes where we don't have the luxury of leaving it in a broken state for Juniper to look at it. We've tried opening cases, but they never find anything after the fact, so they just give up and close the case. Try rebooting the backup RE and see if traffic starts forwarding while it is offline, then breaks again when it comes back up. If that works, try disabling GRES and see if that stops the blackholing. In my previous encounters with it, it will start blackholing again if you turn GRES back on afterwards, but will clear up if you reboot or non-GRES switchover to the other RE. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] JUNOS POLICER
Derick, And about the following options: filter-specific logical-bandwidth-policer logical-interface-policer Can we to use them ? When you configure the filter-specific statement, a single policer set is created for the entire filter. All traffic matching the terms of the firewall filter with the action policer goes through that single policer. The default is a term-specific policer in which a single policer set is created for each term within the filter. All traffic matching the terms of the firewall filter with the action policer goes through the part of the policer that is specific to that term. Logical-interface-policer option is for use inside logical units (like vlan units) ? Thanks a lot, Giuliano You need to put it all in the same term. *From:* Giuliano Cardozo Medalha giulian...@uol.com.br *To:* juniper-nsp@puck.nether.net *Sent:* Thu, September 2, 2010 11:07:08 AM *Subject:* [j-nsp] JUNOS POLICER People, We are trying to configure policers to logical interfaces created under IQ2E PIC. All policers are using firewall filters. One of them is a different situation ... we cannot rate all interface but only 3 IPs that pass thought the interface. But the policer is not worlink correctly: set firewall policer teste if-exceeding bandwidth limit 10m burst size 1000 set firewall policer teste then discar set firewall family inet filter policer term 10 from source-address 192.168.10.35/32 set firewall family inet filter policer term 10 then accept set firewall family inet filter policer term 10 then policer teste set firewall family inet filter policer term 20 from source-address 192.168.10.36/32 set firewall family inet filter policer term 20 then accept set firewall family inet filter policer term 20 then policer teste set firewall family inet filter policer term 30 from source-address 192.168.10.37/32 set firewall family inet filter policer term 30 then accept set firewall family inet filter policer term 30 then policer teste set firewall family inet filter policer term 40 then accept set interface ge-0/0/0 unit 100 vlan-id 100 family inet filter input policer The problem is ... the 3 chosen IPs are exceeding 10m. Sometimes 12, sometimes 18 Mbps. We need to use some special command for it ? Like - logical interface under policer ? What is the correct manner to use it ? Or we need to put it all in the same term ? Thanks a lot, Giuliano ___ juniper-nsp mailing list juniper-nsp@puck.nether.net mailto:juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] Is the J-6350 in Chassis Cluster mode support Router Context (IPv4 Packet-based forwarding)
Hi all, The J-6350 in JUNOS 10.0R3.1 can disable the security context (flow-based forwarding) and use it as a Router Context (IPv4 Packet-based forwarding). I had tested this on a single J-6350 box. Did anyone tested to disable the security context and enable the router context in a chassis cluster configuration? If yes, could you share the experience with me? Thanks a lot! Is the following configuration works on the Chassis Cluster configuration? show configuration security forwarding-options family { inet6 { mode packet-based; } mpls { mode packet-based; } iso { mode packet-based; } } Thanks Harris ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Is the J-6350 in Chassis Cluster mode support Router Context (IPv4 Packet-based forwarding)
On Thu, Sep 2, 2010 at 9:21 PM, Harris Hui harris@hk1.ibm.com wrote: Hi all, The J-6350 in JUNOS 10.0R3.1 can disable the security context (flow-based forwarding) and use it as a Router Context (IPv4 Packet-based forwarding). I had tested this on a single J-6350 box. Did anyone tested to disable the security context and enable the router context in a chassis cluster configuration? If yes, could you share the experience with me? Thanks a lot! I would imagine that this can be done, but admittedly, I've never run router mode in a chassis cluster. Check out the factory-included /etc/config/jsr-series-routermode-factory.conf file. It sets some other things under security { } as well, like disabling TCP SYN and sequence checking. Cheers, jof ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp