[j-nsp] output-list for ex4200
Hi,

I'm currently running an ex4200 with 10.0S12. I have tried to chain 2 output filters together on an RVI. The command completes successfully and a 'commit check' does not throw up any errors. When I look at the config the below appears:-

    show interfaces vlan unit 965
    ##
    ## inactive: interfaces vlan unit 965
    ##
    description DaDa-colocated-server;
    proxy-arp;
    family inet {
        filter {
            ##
            ## Warning: statement ignored: unsupported platform (ex4200-48t)
            ##
            output-list [ ACL_Template VLAN965 ];

Any ideas if this is supported in 10.4 as we have a standard ACL we use on most customer vlans and then a customer specific vlan?

Nick

--
Nick Ryce
Network Engineer
Lumison
t: 0845 1199 900
d: +44 131 514 4049

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] msdpc example configs...
Hi,

Well for the netflow part I have done the following for 10.2R1.8 on a MX240 with MS-DPC:

    root@PE1-HOR> show configuration chassis fpc 1
    pic 0 {
        adaptive-services {
            service-package layer-3;
        }
    }

    root@PE1-HOR> show configuration forwarding-options
    sampling {
        sample-once;
        input {
            rate 1;
            run-length 1;
        }
        family inet {
            output {
                flow-server x.x.x.249 {
                    port ;
                    autonomous-system-type origin;
                    no-local-dump;
                    source-address x.x.x.193;
                    version9 {
                        template {
                            ipv4;
                        }
                    }
                }
                interface sp-1/0/0 {
                    source-address x.x.x.193;
                }
            }
        }
    }

    root@PE1-HOR> show configuration interfaces xe-0/0/0.0
    family inet {
        filter {
            input spoof-in;
        }
        sampling {
            input;
            output;
        }
        address x.x.x.x.2/30;
    }
    family inet6 {
        address y::y/126;
    }

The x.x.x.193 address is the same as on lo0.0.

The MS-DPC is currently processing about 1Gb/s of flows, and has about 7% CPU load. I'm only sampling IPv4 from a single vrf.

Kind regards,
Peter Krupl
Siminn Danmark A/S

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of OBrien, Will
Sent: 26. April, 2011 20:34
To: J NSP
Subject: [j-nsp] msdpc example configs...

I'm working on building a configuration to support MS-DPCs for netflow (easy) and nat (less easy) using a virtual routing instance to apply nat to specific source networks.

Does anyone on the list have some configurations that they can share, using the MS-DPC on a MX? I'd like to see some production quality uses to compare with what we generate internally and with what juniper provides.

Thanks!

Will O'Brien
University of Missouri, DoIT DNPS
Network Systems Analyst - Redacted
obri...@missouri.edu
Re: [j-nsp] output-list for ex4200
On Wed, Apr 27, 2011 at 12:24:25PM +0100, Nick Ryce wrote:
> Any ideas if this is supported in 10.4 as we have a standard ACL we use
> on most customer vlans and then a customer specific vlan?

Nah, filter chains are definitely not supported on EX, and I'm not aware of any near term plans to add it.

Even on the major platforms, filter chains aren't exactly a completely well-thought-out solution. Doing the next term operation that you need to force packets to be evaluated all the way through the chain actually consumes lookup capacity inside the firewall processing, and it is surprisingly easy to exhaust this capacity. For example, something on the order of a dozen filter terms in a chain, doing relatively simple matching, is enough to exhaust the capacity of an I-Chip on an MX DPC. When this happens, you'll suddenly discover that your ports are no longer capable of doing line rate packets/sec, and there will be no indications of the drops short of poking around in the show ichip commands on the PFE. Needless to say, this can make for a really bad day.

We use a commit script to automatically build unique per-interface firewall filters out of individual filter config components. It's not pretty, but unfortunately this is really the only practical way to get the kind of config reuse you're looking for, not to mention the only way to actually protect the control plane on the EX. :)

--
Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
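
The approach named in the reply above, building one filter per interface from reusable components instead of chaining filters, sketched as an added example. It is not the poster's commit script and runs off-box in Python; the term contents, the filter naming scheme and the function names are assumptions, and only the component names ACL_Template and VLAN965 come from the thread.

```python
# Added example: flatten ordered filter components into one per-interface filter.
# Component names come from the thread; every term inside them is constructed.
COMPONENTS = {
    "ACL_Template": [
        ("block-smtp", ["protocol tcp", "destination-port 25"], "discard"),
        ("allow-icmp", ["protocol icmp"], "accept"),
    ],
    "VLAN965": [
        ("allow-web", ["protocol tcp", "destination-port [ 80 443 ]"], "accept"),
        ("default", [], "discard"),  # no match conditions: matches every packet
    ],
}
TERMINATING = {"accept", "discard", "reject"}


def flatten(filter_name, order, components=COMPONENTS, family="inet"):
    """Return 'set' commands for a single filter holding all terms in order."""
    base = f"set firewall family {family} filter {filter_name}"
    lines, catch_all = [], None
    for comp in order:
        if comp not in components:
            raise KeyError(f"unknown filter component: {comp}")
        for term, matches, action in components[comp]:
            if catch_all:
                # Anything after an unconditional terminating term never runs.
                raise ValueError(f"{comp}/{term} is unreachable after {catch_all}")
            name = f"{comp}-{term}"  # prefix keeps term names unique per component
            lines += [f"{base} term {name} from {m}" for m in matches]
            lines.append(f"{base} term {name} then {action}")
            if not matches and action in TERMINATING:
                catch_all = name
    return lines


def build(unit, order, direction="output"):
    """Filter definition plus the statement binding it to the RVI unit."""
    name = f"vlan{unit}-{direction}"
    attach = f"set interfaces vlan unit {unit} family inet filter {direction} {name}"
    return flatten(name, order) + [attach]


if __name__ == "__main__":
    print("\n".join(build(965, ["ACL_Template", "VLAN965"])))
```

Listing the customer component before the template raises an error here, because its unconditional discard term would hide every template term placed after it.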
Re: [j-nsp] juniper-nsp Digest, Vol 101, Issue 46
Hi,

can I block (drop) router advertisement (RA) only on specific ports in EX2400 (EX2200) configuration. The problem is in security, because when any station (PC, notebook) connected to LAN starts its own (but not official!!!) RA, I think that this unofficial RA will pass through the switch. RA is using icmpv6 port 134. For example some PCs with Windows OS should generate own unofficial RA. Maybe I can use a firewall filter, but this will generate higher CPU load :-(. Is it possible to use another specific conf. command? Did anyone solve this type of problem in the past?

Thanks
Martin Papik

On 27.4.2011 18:00, juniper-nsp-requ...@puck.nether.net wrote:
> Today's Topics:
>
>    1. msdpc example configs... (OBrien, Will)
>    2. Re: Fan issues with EX4200 unit (Chris Cappuccio)
>    3. hello (kevin.cow...@bt.com)
>    4. output-list for ex4200 (Nick Ryce)
>    5. Re: msdpc example configs... (Peter Krupl)
>    6. Re: output-list for ex4200 (Richard A Steenbergen)
>
> --
>
> Message: 1
> Date: Tue, 26 Apr 2011 13:34:14 -0500
> From: OBrien, Will <obri...@missouri.edu>
> To: J NSP <juniper-nsp@puck.nether.net>
> Subject: [j-nsp] msdpc example configs...
> Message-ID: <c359ea1e-377d-4570-9dd6-03d66471f...@missouri.edu>
> Content-Type: text/plain; charset=us-ascii
>
> I'm working on building a configuration to support MS-DPCs for netflow
> (easy) and nat (less easy) using a virtual routing instance to apply nat
> to specific source networks.
>
> Does anyone on the list have some configurations that they can share,
> using the MS-DPC on a MX? I'd like to see some production quality uses to
> compare with what we generate internally and with what juniper provides.
>
> Thanks!
>
> Will O'Brien
> University of Missouri, DoIT DNPS
> Network Systems Analyst - Redacted
> obri...@missouri.edu
>
> --
>
> Message: 2
> Date: Tue, 26 Apr 2011 13:20:09 -0700
> From: Chris Cappuccio <ch...@nmedia.net>
> To: Dave Peters <d...@terabitsystems.com>
> Cc: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] Fan issues with EX4200 unit
> Message-ID: <20110426202009.gg3...@ref.nmedia.net>
> Content-Type: text/plain; charset=us-ascii
>
> call juniper's quality control department!
>
> Dave Peters [d...@terabitsystems.com] wrote:
> > Hey everybody--
> >
> > I've got an EX4200 that won't recognize that one of its fans is
> > spinning. The same fan works fine in another unit. In addition, a
> > working replacement fan has the exact same issue (shown below). It's
> > out of warranty, but I thought maybe someone might have seen this
> > before, and could offer a fix. Thanks much.
> >
> > Here's the chassis alarm:
> >
> >     root> show chassis alarms
> >     2 alarms currently active
> >     Alarm time               Class  Description
> >     2010-11-24 09:33:47 UTC  Major  FPC 0 Fan 1 not spinning
> >
> >     {master:0}
> >
> > Appreciate any and all help.
> >
> > --
> > Dave Peters
> > Technical Director
> > Terabit Systems
> > 2565 3rd Street #218
> > San Francisco, CA 94107