[j-nsp] test - please ignore
armwrestling procmailrc... sorry for the noise -- Pierfrancesco Caci p...@caci.it ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] RSVP automesh
Hi list, Has anyone played around with RSVP/MPLS automesh feature and can share some experiences and/or example configs? I believe it was introduced in 10.1, but can't find anything in the release notes and docs aren't very clear either; http://www.juniper.net/techpubs/en_US/junos10.1/topics/task/configuration/rsvp-automatic-mesh.html Regards, --Daniel. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] ISIS between ERX 1440 and MX960
Hi all,
I'm trying to establish an ISIS L2 adjacency between an ERX (Junose is new for
me) and 1 MX without success : I double checked the mtu, subnet, Area (not
checked for L2), authentication key (I tried simple and MD5 types)
The problem seems to be at the ERX side. Indeed, the MX receives well the IIH
of the ERX and put its state to Init, then it sends an IIH to the ERX. At the
ERX level, IIH is discarded (at the Interface level : Input Discard counter). I
don't understand why. I guess there is a MTU issue with the hello padding
process but I'm not sure.
Config at the MX side
---
ge-2/2/2.0
{
family iso;
faimly inet address 10.1.1.1/30
}
lo0
{
family iso address 49.0001.xxx
}
protocol isis
{
level 2 {
authentication-key sdjskdjskd;
authentication-type md5;
}
interface ge-2/2/2.0 {
level 1 disable;
level 2 {
hello-authetication-key FOO;
hello-authetication-type md5;
}
}
Config at the ERX side :
router isis 1234
is-type level-2-only
net 49.0001.xxx
domain-message-digest-key 1 hmac-md5 FOO
passive-interface loopback50
int gi 12/0
ip router isis 1234
isis circuit-type level-2-only
isis message-digest-key 1 hmac-md5 FOO level-2
I tried to monitor ISIS packet at the MX side. I noticed that the PDU length of
the MX IIH is equal to 1492 and the ERX one is equal to 1497. Moreover, the
protocol capabilities of the MX are IPv4 and IPv6 and for the ERX that are CLNP
and IPv4.
Any help would be most welcome.
thanks
Regards,
David
IMPORTANT.Les informations contenues dans ce message electronique y compris les
fichiers attaches sont strictement confidentielles
et peuvent etre protegees par la loi.
Ce message electronique est destine exclusivement au(x) destinataire(s)
mentionne(s) ci-dessus.
Si vous avez recu ce message par erreur ou s il ne vous est pas destine,
veuillez immediatement le signaler a l expediteur et effacer ce message
et tous les fichiers eventuellement attaches.
Toute lecture, exploitation ou transmission des informations contenues dans ce
message est interdite.
Tout message electronique est susceptible d alteration.
A ce titre, le Groupe France Telecom decline toute responsabilite notamment s
il a ete altere, deforme ou falsifie.
De meme, il appartient au destinataire de s assurer de l absence de tout virus.
IMPORTANT.This e-mail message and any attachments are strictly confidential and
may be protected by law. This message is
intended only for the named recipient(s) above.
If you have received this message in error, or are not the named recipient(s),
please immediately notify the sender and delete this e-mail message.
Any unauthorized view, usage or disclosure ofthis message is prohibited.
Since e-mail messages may not be reliable, France Telecom Group shall not be
liable for any message if modified, changed or falsified.
Additionally the recipient should ensure they are actually virus free.
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] netflow sampling problem in 10.2
Hi Chris,
On 19.5.2011, at 16:30, Chris Tracy wrote:
Hi Matjaž,
Are you doing RE-based sampling, or using an MS-DPC? Can you post a
sanitized version of your config?
It is RE-based. We don't have a $MS-DPC :-(
The config is very simple and it worked for us in 9.6. In firewall filters we
use terms like that:
term Sample {
then {
count cntrS_Sample;
sample;
next term;
}
}
(all these filters are ingress/input)
...and we sample with:
[ forwarding-options sampling ]
input {
rate 256;
run-length 0;
max-packets-per-second 8000;
}
family inet {
output {
flow-active-timeout 300;
flow-server *** {
port ***;
autonomous-system-type peer;
no-local-dump;
source-address x.y.z.w;
version 5;
}
}
}
You might want to look at some of the previous posts to the list on this
topic, such as:
https://puck.nether.net/pipermail/juniper-nsp/2010-July/017293.html
This thread was specific to NetFlow v9 using an MS-DPC though...
-Chris
Kind regards,
Matjaž
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] netflow sampling problem in 10.2
Hi Matjaž,
Comments in-line below.
It is RE-based. We don't have a $MS-DPC :-(
The config is very simple and it worked for us in 9.6. In firewall filters we
use terms like that:
term Sample {
then {
count cntrS_Sample;
sample;
next term;
}
}
(all these filters are ingress/input)
...and we sample with:
[ forwarding-options sampling ]
input {
rate 256;
run-length 0;
max-packets-per-second 8000;
There is a hard limit of 7000, you'll never get more than that with RE-based
sampling. I'd recommend lowering this, but this likely has nothing to do with
your problem.
family inet {
output {
flow-active-timeout 300;
flow-server *** {
port ***;
autonomous-system-type peer;
no-local-dump;
source-address x.y.z.w;
version 5;
}
}
I'd try changing this to:
[ remove family inet {...}, put directly under sampling { ... } ]
output {
cflowd x.x.x.x { /* instead of flow-server... */
...same...
}
}
Please let the list know if this helps!
Cheers,
-Chris
--
Chris Tracy ctr...@es.net
Energy Sciences Network (ESnet)
Lawrence Berkeley National Laboratory
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Ex4200 Routing Engine
Actually. Sorry to reply to my own thread. I see why.. root@agg1.pit1 show system processes extensive last pid: 92762; load averages: 1.35, 1.23, 1.18 up 639+13:13:05 14:15:21 106 processes: 7 running, 80 sleeping, 19 waiting Mem: 104M Active, 101M Inact, 56M Wired, 97M Cache, 110M Buf, 626M Free Swap: PID USERNAME THR PRI NICE SIZERES STATETIME WCPU COMMAND 46466 nobody 1 1320 8176K 5864K RUN8986.9 85.50% httpd 614 root1 1240 13236K 4352K RUN1536.8 6.64% chassism 722 root1 80 79912K 18092K nanslp 625.2H 1.37% pfem 615 root2 44 -52 62672K 5596K select 266.9H 0.05% sfid 11 root1 171 52 0K16K RUN2342.0 0.00% idle 13 root1 -20 -139 0K16K RUN 87.7H 0.00% swi7: clock 12 root1 -40 -159 0K16K WAIT32.3H 0.00% swi2: net 29 root1 -52 -171 0K16K WAIT29.9H 0.00% irq43: i2c0 i2c1 745 root1 40 8852K 6996K kqread 22.8H 0.00% eswd 737 root1 960 4916K 1992K RUN 22.7H 0.00% ppmd 616 root1 4 -20 7236K 5392K kqread 19.8H 0.00% vccpd 744 root1 40 7340K 5668K kqread 409:57 0.00% lldpd 747 root1 40 5452K 3832K kqread 385:21 0.00% mcsnoopd 28 root1 -52 -171 0K16K WAIT 342:59 0.00% irq2: mpfe1 I don't even use the web server, anyone know how to disable it? I would assume this will fix it? -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella Sent: Thursday, May 19, 2011 2:17 PM To: juniper-nsp@puck.nether.net Subject: [j-nsp] Ex4200 Routing Engine All, I have a pair of 4200's in a VC config. Just happened to look at the show chassis routing-engine command the other day and saw... root@agg1.pit1 show chassis routing-engine Routing Engine status: Slot 0: Current state Master Temperature 36 degrees C / 96 degrees F DRAM 1024 MB Memory utilization 19 percent CPU utilization: User 11 percent Kernel88 percent Interrupt 1 percent Idle 0 percent Model EX4200-24T, 8 POE Serial ID BM0208388984 Start time 2009-08-18 01:02:43 EDT Uptime 639 days, 13 hours, 10 minutes, 15 seconds Load averages: 1 minute 5 minute 15 minute 1.13 1.17 1.16 Routing Engine status: Slot 1: Current state Backup Temperature 29 degrees C / 84 degrees F DRAM 1024 MB Memory utilization 14 percent CPU utilization: User 8 percent Kernel 4 percent Interrupt 0 percent Idle 88 percent Model EX4200-24T, 8 POE Serial ID BM0208417115 Start time 2009-08-18 01:02:43 EDT Uptime 639 days, 13 hours, 10 minutes, 15 seconds Load averages: 1 minute 5 minute 15 minute 0.06 0.09 0.07 These are still running 9.3R4.4, is there some commands I could use to see why the kernel is at 88%? Thanks, Brendan ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] ISIS between ERX 1440 and MX960
Hi Payam,
I'm trying with ERX not EX.
Thanks
David
-Message d'origine-
De : Payam Chychi [mailto:pchy...@gmail.com]
Envoyé : jeudi 19 mai 2011 19:46
À : ROY David DTF/DERX
Cc : juniper-nsp@puck.nether.net
Objet : Re: [j-nsp] ISIS between ERX 1440 and MX960
Hey David,
by default on the ex's igmp snooping is active.
disable this on the vlan being used for carry the isis traffic and it will
build nei adj
cheers
Payam
david@orange-ftgroup.com wrote:
Hi all,
I'm trying to establish an ISIS L2 adjacency between an ERX (Junose is
new for me) and 1 MX without success : I double checked the mtu,
subnet, Area (not checked for L2), authentication key (I tried simple
and MD5 types)
The problem seems to be at the ERX side. Indeed, the MX receives well the IIH
of the ERX and put its state to Init, then it sends an IIH to the ERX. At the
ERX level, IIH is discarded (at the Interface level : Input Discard counter).
I don't understand why. I guess there is a MTU issue with the hello padding
process but I'm not sure.
Config at the MX side
---
ge-2/2/2.0
{
family iso;
faimly inet address 10.1.1.1/30
}
lo0
{
family iso address 49.0001.xxx
}
protocol isis
{
level 2 {
authentication-key sdjskdjskd;
authentication-type md5;
}
interface ge-2/2/2.0 {
level 1 disable;
level 2 {
hello-authetication-key FOO;
hello-authetication-type md5;
}
}
Config at the ERX side :
router isis 1234
is-type level-2-only
net 49.0001.xxx
domain-message-digest-key 1 hmac-md5 FOO passive-interface loopback50
int gi 12/0
ip router isis 1234
isis circuit-type level-2-only
isis message-digest-key 1 hmac-md5 FOO level-2
I tried to monitor ISIS packet at the MX side. I noticed that the PDU length
of the MX IIH is equal to 1492 and the ERX one is equal to 1497. Moreover,
the protocol capabilities of the MX are IPv4 and IPv6 and for the ERX that
are CLNP and IPv4.
Any help would be most welcome.
thanks
Regards,
David
IMPORTANT.Les informations contenues dans ce message electronique y compris
les fichiers attaches sont strictement confidentielles
et peuvent etre protegees par la loi.
Ce message electronique est destine exclusivement au(x) destinataire(s)
mentionne(s) ci-dessus.
Si vous avez recu ce message par erreur ou s il ne vous est pas destine,
veuillez immediatement le signaler a l expediteur et effacer ce message
et tous les fichiers eventuellement attaches.
Toute lecture, exploitation ou transmission des informations contenues dans
ce message est interdite.
Tout message electronique est susceptible d alteration.
A ce titre, le Groupe France Telecom decline toute responsabilite notamment s
il a ete altere, deforme ou falsifie.
De meme, il appartient au destinataire de s assurer de l absence de tout
virus.
IMPORTANT.This e-mail message and any attachments are strictly confidential
and may be protected by law. This message is
intended only for the named recipient(s) above.
If you have received this message in error, or are not the named
recipient(s), please immediately notify the sender and delete this e-mail
message.
Any unauthorized view, usage or disclosure ofthis message is prohibited.
Since e-mail messages may not be reliable, France Telecom Group shall not be
liable for any message if modified, changed or falsified.
Additionally the recipient should ensure they are actually virus free.
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
IMPORTANT.Les informations contenues dans ce message electronique y compris les
fichiers attaches sont strictement confidentielles
et peuvent etre protegees par la loi.
Ce message electronique est destine exclusivement au(x) destinataire(s)
mentionne(s) ci-dessus.
Si vous avez recu ce message par erreur ou s il ne vous est pas destine,
veuillez immediatement le signaler a l expediteur et effacer ce message
et tous les fichiers eventuellement attaches.
Toute lecture, exploitation ou transmission des informations contenues dans ce
message est interdite.
Tout message electronique est susceptible d alteration.
A ce titre, le Groupe France Telecom decline toute responsabilite notamment s
il a ete altere, deforme ou falsifie.
De meme, il appartient au destinataire de s assurer de l absence de tout virus.
IMPORTANT.This e-mail message and any attachments are strictly confidential and
may be protected by law. This message is
intended only for the named recipient(s) above.
If you have received this message in error, or are not the named recipient(s),
please immediately notify the sender
Re: [j-nsp] Ex4200 Routing Engine
I did set system processes web-management disable but based on the amount of time the process has been running, it seems like just a stuck process.. Does anyone know if it safe to just kill the process id? From: Kevin Shymkiw [mailto:kshym...@gmail.com] Sent: Thursday, May 19, 2011 2:25 PM To: Brendan Mannella Subject: Re: [j-nsp] Ex4200 Routing Engine Brendan, Should be able to kill HTTP Access with something like delete system services http HTH Kevin On Thu, May 19, 2011 at 2:20 PM, Brendan Mannella bmanne...@teraswitch.commailto:bmanne...@teraswitch.com wrote: Actually. Sorry to reply to my own thread. I see why.. root@agg1.pit1 show system processes extensive last pid: 92762; load averages: 1.35, 1.23, 1.18 up 639+13:13:05 14:15:21 106 processes: 7 running, 80 sleeping, 19 waiting Mem: 104M Active, 101M Inact, 56M Wired, 97M Cache, 110M Buf, 626M Free Swap: PID USERNAME THR PRI NICE SIZERES STATETIME WCPU COMMAND 46466 nobody 1 1320 8176K 5864K RUN8986.9 85.50% httpd 614 root1 1240 13236K 4352K RUN1536.8 6.64% chassism 722 root1 80 79912K 18092K nanslp 625.2H 1.37% pfem 615 root2 44 -52 62672K 5596K select 266.9H 0.05% sfid 11 root1 171 52 0K16K RUN2342.0 0.00% idle 13 root1 -20 -139 0K16K RUN 87.7H 0.00% swi7: clock 12 root1 -40 -159 0K16K WAIT32.3H 0.00% swi2: net 29 root1 -52 -171 0K16K WAIT29.9H 0.00% irq43: i2c0 i2c1 745 root1 40 8852K 6996K kqread 22.8H 0.00% eswd 737 root1 960 4916K 1992K RUN 22.7H 0.00% ppmd 616 root1 4 -20 7236K 5392K kqread 19.8H 0.00% vccpd 744 root1 40 7340K 5668K kqread 409:57 0.00% lldpd 747 root1 40 5452K 3832K kqread 385:21 0.00% mcsnoopd 28 root1 -52 -171 0K16K WAIT 342:59 0.00% irq2: mpfe1 I don't even use the web server, anyone know how to disable it? I would assume this will fix it? -Original Message- From: juniper-nsp-boun...@puck.nether.netmailto:juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.netmailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella Sent: Thursday, May 19, 2011 2:17 PM To: juniper-nsp@puck.nether.netmailto:juniper-nsp@puck.nether.net Subject: [j-nsp] Ex4200 Routing Engine All, I have a pair of 4200's in a VC config. Just happened to look at the show chassis routing-engine command the other day and saw... root@agg1.pit1 show chassis routing-engine Routing Engine status: Slot 0: Current state Master Temperature 36 degrees C / 96 degrees F DRAM 1024 MB Memory utilization 19 percent CPU utilization: User 11 percent Kernel88 percent Interrupt 1 percent Idle 0 percent Model EX4200-24T, 8 POE Serial ID BM0208388984 Start time 2009-08-18 01:02:43 EDT Uptime 639 days, 13 hours, 10 minutes, 15 seconds Load averages: 1 minute 5 minute 15 minute 1.13 1.17 1.16 Routing Engine status: Slot 1: Current state Backup Temperature 29 degrees C / 84 degrees F DRAM 1024 MB Memory utilization 14 percent CPU utilization: User 8 percent Kernel 4 percent Interrupt 0 percent Idle 88 percent Model EX4200-24T, 8 POE Serial ID BM0208417115 Start time 2009-08-18 01:02:43 EDT Uptime 639 days, 13 hours, 10 minutes, 15 seconds Load averages: 1 minute 5 minute 15 minute 0.06 0.09 0.07 These are still running 9.3R4.4, is there some commands I could use to see why the kernel is at 88%? Thanks, Brendan ___ juniper-nsp mailing list juniper-nsp@puck.nether.netmailto:juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.netmailto:juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Ex4200 Routing Engine
Someone may correct me here but if http isn't enabled under System --
Services then I believe it doesn't run at all
Logged into a EX4200-VC running 10.0S12 and don't see it running at all ...
load is average for it...
paul@dis1.xx show system processes extensive
last pid: 39531; load averages: 0.03, 0.05, 0.02 up 106+10:49:25
14:33:58
109 processes: 6 running, 84 sleeping, 19 waiting
Mem: 169M Active, 19M Inact, 90M Wired, 59M Cache, 110M Buf, 646M Free
Swap:
PID USERNAME THR PRI NICE SIZERES STATETIME WCPU COMMAND
11 root1 171 52 0K16K RUN2261.3 92.33% idle
849 root1 80 81544K 26468K nanslp 113.8H 1.42% pfem
845 root1 -90 13928K 4420K i2c_wt 59.7H 0.00% chassism
847 root2 8 -88 63780K 7216K nanslp 56.1H 0.00% sfid
12 root1 -20 -139 0K16K RUN834:48 0.00% swi7: clock
861 root1 40 33972K 11440K kqread 660:05 0.00% rpd
870 root1 960 5788K 2720K RUN429:44 0.00% ppmd
14 root1 -40 -159 0K16K WAIT 331:34 0.00% swi2: net
paul@dis1.x show system processes extensive | match httpd
{master:0}
Cheers,
Paul
-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella
Sent: Thursday, May 19, 2011 2:20 PM
To: Brendan Mannella; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Ex4200 Routing Engine
Actually. Sorry to reply to my own thread.
I see why..
root@agg1.pit1 show system processes extensive
last pid: 92762; load averages: 1.35, 1.23, 1.18 up 639+13:13:05
14:15:21
106 processes: 7 running, 80 sleeping, 19 waiting
Mem: 104M Active, 101M Inact, 56M Wired, 97M Cache, 110M Buf, 626M Free
Swap:
PID USERNAME THR PRI NICE SIZERES STATETIME WCPU COMMAND
46466 nobody 1 1320 8176K 5864K RUN8986.9 85.50% httpd
614 root1 1240 13236K 4352K RUN1536.8 6.64% chassism
722 root1 80 79912K 18092K nanslp 625.2H 1.37% pfem
615 root2 44 -52 62672K 5596K select 266.9H 0.05% sfid
11 root1 171 52 0K16K RUN2342.0 0.00% idle
13 root1 -20 -139 0K16K RUN 87.7H 0.00% swi7: clock
12 root1 -40 -159 0K16K WAIT32.3H 0.00% swi2: net
29 root1 -52 -171 0K16K WAIT29.9H 0.00% irq43: i2c0
i2c1
745 root1 40 8852K 6996K kqread 22.8H 0.00% eswd
737 root1 960 4916K 1992K RUN 22.7H 0.00% ppmd
616 root1 4 -20 7236K 5392K kqread 19.8H 0.00% vccpd
744 root1 40 7340K 5668K kqread 409:57 0.00% lldpd
747 root1 40 5452K 3832K kqread 385:21 0.00% mcsnoopd
28 root1 -52 -171 0K16K WAIT 342:59 0.00% irq2: mpfe1
I don't even use the web server, anyone know how to disable it? I would
assume this will fix it?
-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella
Sent: Thursday, May 19, 2011 2:17 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Ex4200 Routing Engine
All,
I have a pair of 4200's in a VC config. Just happened to look at the show
chassis routing-engine command the other day and saw...
root@agg1.pit1 show chassis routing-engine
Routing Engine status:
Slot 0:
Current state Master
Temperature 36 degrees C / 96 degrees F
DRAM 1024 MB
Memory utilization 19 percent
CPU utilization:
User 11 percent
Kernel88 percent
Interrupt 1 percent
Idle 0 percent
Model EX4200-24T, 8 POE
Serial ID BM0208388984
Start time 2009-08-18 01:02:43 EDT
Uptime 639 days, 13 hours, 10 minutes, 15
seconds
Load averages: 1 minute 5 minute 15 minute
1.13 1.17 1.16
Routing Engine status:
Slot 1:
Current state Backup
Temperature 29 degrees C / 84 degrees F
DRAM 1024 MB
Memory utilization 14 percent
CPU utilization:
User 8 percent
Kernel 4 percent
Interrupt 0 percent
Idle 88 percent
Model EX4200-24T, 8 POE
Serial ID BM0208417115
Start time 2009-08-18 01:02:43 EDT
Uptime 639 days, 13 hours, 10 minutes, 15
seconds
Load averages: 1 minute 5 minute 15 minute
0.06 0.09 0.07
These are still
Re: [j-nsp] ISIS between ERX 1440 and MX960
hi david,
1. is the erx interface configured with an ip-address?
http://www.juniper.net/techpubs/software/erx/junose72/swconfig-ip-ipv6-igp/html/isis-config6.html#89040
says erx should have atleast one ip-addres/router-id configured.
2. if yes, then pls try if adjusting hello-padding attributes on both
ends. it does look like mtu and padding issue. perhaps try
adaptive/strict padding on junos side to see if there are mtu issues.
kaliraj
On Thu, May 19, 2011 at 10:24 AM, david@orange-ftgroup.com wrote:
Hi all,
I'm trying to establish an ISIS L2 adjacency between an ERX (Junose is new
for me) and 1 MX without success : I double checked the mtu, subnet, Area
(not checked for L2), authentication key (I tried simple and MD5 types)
The problem seems to be at the ERX side. Indeed, the MX receives well the IIH
of the ERX and put its state to Init, then it sends an IIH to the ERX. At the
ERX level, IIH is discarded (at the Interface level : Input Discard counter).
I don't understand why. I guess there is a MTU issue with the hello padding
process but I'm not sure.
Config at the MX side
---
ge-2/2/2.0
{
family iso;
faimly inet address 10.1.1.1/30
}
lo0
{
family iso address 49.0001.xxx
}
protocol isis
{
level 2 {
authentication-key sdjskdjskd;
authentication-type md5;
}
interface ge-2/2/2.0 {
level 1 disable;
level 2 {
hello-authetication-key FOO;
hello-authetication-type md5;
}
}
Config at the ERX side :
router isis 1234
is-type level-2-only
net 49.0001.xxx
domain-message-digest-key 1 hmac-md5 FOO
passive-interface loopback50
int gi 12/0
ip router isis 1234
isis circuit-type level-2-only
isis message-digest-key 1 hmac-md5 FOO level-2
I tried to monitor ISIS packet at the MX side. I noticed that the PDU length
of the MX IIH is equal to 1492 and the ERX one is equal to 1497. Moreover,
the protocol capabilities of the MX are IPv4 and IPv6 and for the ERX that
are CLNP and IPv4.
Any help would be most welcome.
thanks
Regards,
David
IMPORTANT.Les informations contenues dans ce message electronique y compris
les fichiers attaches sont strictement confidentielles
et peuvent etre protegees par la loi.
Ce message electronique est destine exclusivement au(x) destinataire(s)
mentionne(s) ci-dessus.
Si vous avez recu ce message par erreur ou s il ne vous est pas destine,
veuillez immediatement le signaler a l expediteur et effacer ce message
et tous les fichiers eventuellement attaches.
Toute lecture, exploitation ou transmission des informations contenues dans
ce message est interdite.
Tout message electronique est susceptible d alteration.
A ce titre, le Groupe France Telecom decline toute responsabilite notamment s
il a ete altere, deforme ou falsifie.
De meme, il appartient au destinataire de s assurer de l absence de tout
virus.
IMPORTANT.This e-mail message and any attachments are strictly confidential
and may be protected by law. This message is
intended only for the named recipient(s) above.
If you have received this message in error, or are not the named
recipient(s), please immediately notify the sender and delete this e-mail
message.
Any unauthorized view, usage or disclosure ofthis message is prohibited.
Since e-mail messages may not be reliable, France Telecom Group shall not be
liable for any message if modified, changed or falsified.
Additionally the recipient should ensure they are actually virus free.
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] ISIS between ERX 1440 and MX960
Hi
Thanks
1. yes
2. I tried but without success. I believe that the ISO MTU is less than the
padded hello of the MX. I will try to set mtu of the gi 12/0 of the ERX to 1518
: I will update you if it works
Regards
David
David Roy
Orange - IP Domestic Backbone - TAC
Tel. +33(0)299876472
Mob. +33(0)685522213
Email. david@orange-ftgroup.com
JNCIE-M/T #703 ; JNCIS-ENT
-Message d'origine-
De : Kaliraj [mailto:kalir...@gmail.com]
Envoyé : jeudi 19 mai 2011 20:37
À : ROY David DTF/DERX
Cc : juniper-nsp@puck.nether.net
Objet : Re: [j-nsp] ISIS between ERX 1440 and MX960
hi david,
1. is the erx interface configured with an ip-address?
http://www.juniper.net/techpubs/software/erx/junose72/swconfig-ip-ipv6-igp/html/isis-config6.html#89040
says erx should have atleast one ip-addres/router-id configured.
2. if yes, then pls try if adjusting hello-padding attributes on both ends. it
does look like mtu and padding issue. perhaps try adaptive/strict padding on
junos side to see if there are mtu issues.
kaliraj
On Thu, May 19, 2011 at 10:24 AM, david@orange-ftgroup.com wrote:
Hi all,
I'm trying to establish an ISIS L2 adjacency between an ERX (Junose is
new for me) and 1 MX without success : I double checked the mtu,
subnet, Area (not checked for L2), authentication key (I tried simple
and MD5 types)
The problem seems to be at the ERX side. Indeed, the MX receives well the IIH
of the ERX and put its state to Init, then it sends an IIH to the ERX. At the
ERX level, IIH is discarded (at the Interface level : Input Discard counter).
I don't understand why. I guess there is a MTU issue with the hello padding
process but I'm not sure.
Config at the MX side
---
ge-2/2/2.0
{
family iso;
faimly inet address 10.1.1.1/30
}
lo0
{
family iso address 49.0001.xxx
}
protocol isis
{
level 2 {
authentication-key sdjskdjskd;
authentication-type md5;
}
interface ge-2/2/2.0 {
level 1 disable;
level 2 {
hello-authetication-key FOO;
hello-authetication-type md5;
}
}
Config at the ERX side :
router isis 1234
is-type level-2-only
net 49.0001.xxx
domain-message-digest-key 1 hmac-md5 FOO passive-interface loopback50
int gi 12/0
ip router isis 1234
isis circuit-type level-2-only
isis message-digest-key 1 hmac-md5 FOO level-2
I tried to monitor ISIS packet at the MX side. I noticed that the PDU length
of the MX IIH is equal to 1492 and the ERX one is equal to 1497. Moreover,
the protocol capabilities of the MX are IPv4 and IPv6 and for the ERX that
are CLNP and IPv4.
Any help would be most welcome.
thanks
Regards,
David
IMPORTANT.Les informations contenues dans ce message electronique y compris
les fichiers attaches sont strictement confidentielles
et peuvent etre protegees par la loi.
Ce message electronique est destine exclusivement au(x) destinataire(s)
mentionne(s) ci-dessus.
Si vous avez recu ce message par erreur ou s il ne vous est pas destine,
veuillez immediatement le signaler a l expediteur et effacer ce message
et tous les fichiers eventuellement attaches.
Toute lecture, exploitation ou transmission des informations contenues dans
ce message est interdite.
Tout message electronique est susceptible d alteration.
A ce titre, le Groupe France Telecom decline toute responsabilite notamment s
il a ete altere, deforme ou falsifie.
De meme, il appartient au destinataire de s assurer de l absence de tout
virus.
IMPORTANT.This e-mail message and any attachments are strictly confidential
and may be protected by law. This message is
intended only for the named recipient(s) above.
If you have received this message in error, or are not the named
recipient(s), please immediately notify the sender and delete this e-mail
message.
Any unauthorized view, usage or disclosure ofthis message is prohibited.
Since e-mail messages may not be reliable, France Telecom Group shall not be
liable for any message if modified, changed or falsified.
Additionally the recipient should ensure they are actually virus free.
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
IMPORTANT.Les informations contenues dans ce message electronique y compris les
fichiers attaches sont strictement confidentielles
et peuvent etre protegees par la loi.
Ce message electronique est destine exclusivement au(x) destinataire(s)
mentionne(s) ci-dessus.
Si vous avez recu ce message par erreur ou s il ne vous est pas destine,
veuillez immediatement le signaler a l expediteur et effacer ce message
et tous les fichiers eventuellement attaches.
Toute
Re: [j-nsp] Ex4200 Routing Engine
My config shows..
services {
ssh {
connection-limit 10;
rate-limit 10;
}
And
processes {
web-management disable;
I assume 8986.9 is the number of hours the process has been running. Can I drop
to the cli and kill the process id without breaking anything.
root@agg1:RE:0% ps -aux | grep httpd
nobody 46466 87.5 0.6 8176 5864 ?? R 2Feb10 539252:22.28
/packages/mnt/jcrypto-ex/usr/sbin/httpd -N
root 93359 0.0 0.1 2040 816 p0 R+3:01PM 0:00.01 grep httpd
-Original Message-
From: Paul Stewart [mailto:p...@paulstewart.org]
Sent: Thursday, May 19, 2011 2:35 PM
To: Brendan Mannella; juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] Ex4200 Routing Engine
Someone may correct me here but if http isn't enabled under System --
Services then I believe it doesn't run at all
Logged into a EX4200-VC running 10.0S12 and don't see it running at all ...
load is average for it...
paul@dis1.xx show system processes extensive
last pid: 39531; load averages: 0.03, 0.05, 0.02 up 106+10:49:25
14:33:58
109 processes: 6 running, 84 sleeping, 19 waiting
Mem: 169M Active, 19M Inact, 90M Wired, 59M Cache, 110M Buf, 646M Free
Swap:
PID USERNAME THR PRI NICE SIZERES STATETIME WCPU COMMAND
11 root1 171 52 0K16K RUN2261.3 92.33% idle
849 root1 80 81544K 26468K nanslp 113.8H 1.42% pfem
845 root1 -90 13928K 4420K i2c_wt 59.7H 0.00% chassism
847 root2 8 -88 63780K 7216K nanslp 56.1H 0.00% sfid
12 root1 -20 -139 0K16K RUN834:48 0.00% swi7: clock
861 root1 40 33972K 11440K kqread 660:05 0.00% rpd
870 root1 960 5788K 2720K RUN429:44 0.00% ppmd
14 root1 -40 -159 0K16K WAIT 331:34 0.00% swi2: net
paul@dis1.x show system processes extensive | match httpd
{master:0}
Cheers,
Paul
-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella
Sent: Thursday, May 19, 2011 2:20 PM
To: Brendan Mannella; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Ex4200 Routing Engine
Actually. Sorry to reply to my own thread.
I see why..
root@agg1.pit1 show system processes extensive
last pid: 92762; load averages: 1.35, 1.23, 1.18 up 639+13:13:05
14:15:21
106 processes: 7 running, 80 sleeping, 19 waiting
Mem: 104M Active, 101M Inact, 56M Wired, 97M Cache, 110M Buf, 626M Free
Swap:
PID USERNAME THR PRI NICE SIZERES STATETIME WCPU COMMAND
46466 nobody 1 1320 8176K 5864K RUN8986.9 85.50% httpd
614 root1 1240 13236K 4352K RUN1536.8 6.64% chassism
722 root1 80 79912K 18092K nanslp 625.2H 1.37% pfem
615 root2 44 -52 62672K 5596K select 266.9H 0.05% sfid
11 root1 171 52 0K16K RUN2342.0 0.00% idle
13 root1 -20 -139 0K16K RUN 87.7H 0.00% swi7: clock
12 root1 -40 -159 0K16K WAIT32.3H 0.00% swi2: net
29 root1 -52 -171 0K16K WAIT29.9H 0.00% irq43: i2c0
i2c1
745 root1 40 8852K 6996K kqread 22.8H 0.00% eswd
737 root1 960 4916K 1992K RUN 22.7H 0.00% ppmd
616 root1 4 -20 7236K 5392K kqread 19.8H 0.00% vccpd
744 root1 40 7340K 5668K kqread 409:57 0.00% lldpd
747 root1 40 5452K 3832K kqread 385:21 0.00% mcsnoopd
28 root1 -52 -171 0K16K WAIT 342:59 0.00% irq2: mpfe1
I don't even use the web server, anyone know how to disable it? I would
assume this will fix it?
-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella
Sent: Thursday, May 19, 2011 2:17 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Ex4200 Routing Engine
All,
I have a pair of 4200's in a VC config. Just happened to look at the show
chassis routing-engine command the other day and saw...
root@agg1.pit1 show chassis routing-engine
Routing Engine status:
Slot 0:
Current state Master
Temperature 36 degrees C / 96 degrees F
DRAM 1024 MB
Memory utilization 19 percent
CPU utilization:
User 11 percent
Kernel88 percent
Interrupt 1 percent
Idle 0 percent
Model EX4200-24T, 8 POE
Serial ID BM0208388984
Start time 2009-08-18 01:02:43 EDT
Uptime 639 days, 13 hours, 10 minutes, 15
seconds
Load averages: 1 minute 5 minute 15 minute
1.13 1.17 1.16
Routing Engine status:
Slot 1:
Current state
Re: [j-nsp] SUSPECT : Re: ISIS between ERX 1440 and MX960
Sniffing the ISIS packets should give some more clues.
Le 19/05/2011 20:37, Kaliraj a écrit :
hi david,
1. is the erx interface configured with an ip-address?
http://www.juniper.net/techpubs/software/erx/junose72/swconfig-ip-ipv6-igp/html/isis-config6.html#89040
says erx should have atleast one ip-addres/router-id configured.
2. if yes, then pls try if adjusting hello-padding attributes on both
ends. it does look like mtu and padding issue. perhaps try
adaptive/strict padding on junos side to see if there are mtu issues.
kaliraj
On Thu, May 19, 2011 at 10:24 AM,david@orange-ftgroup.com wrote:
Hi all,
I'm trying to establish an ISIS L2 adjacency between an ERX (Junose is new for
me) and 1 MX without success : I double checked the mtu, subnet, Area (not
checked for L2), authentication key (I tried simple and MD5 types)
The problem seems to be at the ERX side. Indeed, the MX receives well the IIH
of the ERX and put its state to Init, then it sends an IIH to the ERX. At the
ERX level, IIH is discarded (at the Interface level : Input Discard counter). I
don't understand why. I guess there is a MTU issue with the hello padding
process but I'm not sure.
Config at the MX side
---
ge-2/2/2.0
{
family iso;
faimly inet address 10.1.1.1/30
}
lo0
{
family iso address 49.0001.xxx
}
protocol isis
{
level 2 {
authentication-key sdjskdjskd;
authentication-type md5;
}
interface ge-2/2/2.0 {
level 1 disable;
level 2 {
hello-authetication-key FOO;
hello-authetication-type md5;
}
}
Config at the ERX side :
router isis 1234
is-type level-2-only
net 49.0001.xxx
domain-message-digest-key 1 hmac-md5 FOO
passive-interface loopback50
int gi 12/0
ip router isis 1234
isis circuit-type level-2-only
isis message-digest-key 1 hmac-md5 FOO level-2
I tried to monitor ISIS packet at the MX side. I noticed that the PDU length of
the MX IIH is equal to 1492 and the ERX one is equal to 1497. Moreover, the
protocol capabilities of the MX are IPv4 and IPv6 and for the ERX that are CLNP
and IPv4.
Any help would be most welcome.
thanks
Regards,
David
IMPORTANT.Les informations contenues dans ce message electronique y compris les
fichiers attaches sont strictement confidentielles
et peuvent etre protegees par la loi.
Ce message electronique est destine exclusivement au(x) destinataire(s)
mentionne(s) ci-dessus.
Si vous avez recu ce message par erreur ou s il ne vous est pas destine,
veuillez immediatement le signaler a l expediteur et effacer ce message
et tous les fichiers eventuellement attaches.
Toute lecture, exploitation ou transmission des informations contenues dans ce
message est interdite.
Tout message electronique est susceptible d alteration.
A ce titre, le Groupe France Telecom decline toute responsabilite notamment s
il a ete altere, deforme ou falsifie.
De meme, il appartient au destinataire de s assurer de l absence de tout virus.
IMPORTANT.This e-mail message and any attachments are strictly confidential and
may be protected by law. This message is
intended only for the named recipient(s) above.
If you have received this message in error, or are not the named recipient(s),
please immediately notify the sender and delete this e-mail message.
Any unauthorized view, usage or disclosure ofthis message is prohibited.
Since e-mail messages may not be reliable, France Telecom Group shall not be
liable for any message if modified, changed or falsified.
Additionally the recipient should ensure they are actually virus free.
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] netflow sampling problem in 10.2
Hi Chris,
On 19.5.2011, at 20:11, Chris Tracy wrote:
Hi Matjaž,
Comments in-line below.
...
family inet {
output {
flow-active-timeout 300;
flow-server *** {
port ***;
autonomous-system-type peer;
no-local-dump;
source-address x.y.z.w;
version 5;
}
}
I'd try changing this to:
[ remove family inet {...}, put directly under sampling { ... } ]
output {
cflowd x.x.x.x { /* instead of flow-server... */
...same...
}
}
Thank you for the hint,
but this is the old style from pre-IPv6 era ;-) I thought the cflowd ... has
been forgotten by now.
Please let the list know if this helps!
Cheers,
-Chris
--
Chris Tracy ctr...@es.net
Energy Sciences Network (ESnet)
Lawrence Berkeley National Laboratory
Cheers,
Matjaž
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] ISIS between ERX 1440 and MX960
2. I tried but without success. I believe that the ISO MTU is less than the
padded hello of the MX. I will try to set mtu of the gi 12/0 of the ERX to
1518 : I will update you if it works
We have IS-IS running between MX and ERX with no problem. Use 4 byte
more for the ERX MTU than the MX MTU on the physical interfaces, and
you should be all set.
Example of working config below, lightly anonymized.
Steinar Haug, Nethelp consulting, sth...@nethelp.no
--
interface gigabitEthernet 2/0
mtu 4488
ip address a.b.2.202 255.255.255.252
ip router isis
isis network point-to-point
isis circuit-type level-2-only
interface loopback 0
ip address a.b.0.75 255.255.255.255
ip router isis
isis circuit-type level-2-only
router isis
is-type level-2-only
net 47.0001...0075.00
metric-style wide level-2
interfaces {
ge-0/0/3 {
mtu 4484;
unit 0 {
family inet {
address a.b.2.201/30;
}
family iso;
}
}
lo0 {
unit 0 {
family inet {
address a.b.0.78/32;
}
family iso {
address 47.0001...0078.00;
}
}
}
}
protocols {
isis {
level 2 wide-metrics-only;
level 1 disable;
interface ge-0/0/3.0 {
point-to-point;
}
interface lo0.0 {
level 2 passive;
}
}
}
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] netflow sampling problem in 10.2
I'd try changing this to:
[ remove family inet {...}, put directly under sampling { ... } ]
Thank you for the hint,
but this is the old style from pre-IPv6 era ;-) I thought the cflowd ...
has been forgotten by now.
Not like it will matter anyways with v5 RE-based sampling. :-)
I just went through some of my notes. 9.6 introduced a whole bunch of changes
with the way sampling is configured, especially with v9 using an MS-DPC. I had
forgotten about the change from cflowd to flow-server.
You are not seeing ## Warning: 'output' is deprecated when you show the
config, are you?
-Chris
--
Chris Tracy ctr...@es.net
Energy Sciences Network (ESnet)
Lawrence Berkeley National Laboratory
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] netflow sampling problem in 10.2
On 19.5.2011, at 21:45, Chris Tracy wrote:
I'd try changing this to:
[ remove family inet {...}, put directly under sampling { ... } ]
Thank you for the hint,
but this is the old style from pre-IPv6 era ;-) I thought the cflowd ...
has been forgotten by now.
Not like it will matter anyways with v5 RE-based sampling. :-)
Yes, you're right :-) But it is more clear that way. Unfortunately, I can not
configure family inet6 output ... version 9... in a similar manner.
I just went through some of my notes. 9.6 introduced a whole bunch of
changes with the way sampling is configured, especially with v9 using an
MS-DPC. I had forgotten about the change from cflowd to flow-server.
You are not seeing ## Warning: 'output' is deprecated when you show the
config, are you?
No, not now with the flow-server style ;-). I still remember the diff:
+ version 9.6R3.8;
- output {
+ output { ## Warning: 'output' is deprecated
- cflowd x.y.z.w {
+ flow-server x.y.z.w {
...when we moved to 9.6 more than a year ago. Families were introduced even
before that.
-Chris
--
Chris Tracy ctr...@es.net
Energy Sciences Network (ESnet)
Lawrence Berkeley National Laboratory
Regards,
Matjaž
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] netflow sampling problem in 10.2
You are not seeing ## Warning: 'output' is deprecated when you show the
config, are you?
No, not now with the flow-server style ;-). I still remember the diff:
+ version 9.6R3.8;
- output {
+ output { ## Warning: 'output' is deprecated
- cflowd x.y.z.w {
+ flow-server x.y.z.w {
Hmm.
What do you get if you run show sample summary or show sample [association |
instance] after connecting to your FPC (start shell pfe network fpcX) ?
-Chris
--
Chris Tracy ctr...@es.net
Energy Sciences Network (ESnet)
Lawrence Berkeley National Laboratory
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] JUNOS major releases - differences between revisions
Hi, On Thu, May 19, 2011 at 10:49:27AM +1000, Dale Shaw wrote: Q: Is there a way to determine what has changed between two revisions of a major JUNOS release? For argument's sake, how do I find out precisely what changed between 10.4R3 and 10.4R4? Recent official Juniper answer: buy professional services to get the bugfix list. And they really mean it. No kiddin'. Best regards, Daniel -- CLUE-RIPE -- Jabber: d...@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0 ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] netflow sampling problem in 10.2
On 19.5.2011, at 22:52, Chris Tracy wrote: What do you get if you run show sample summary or show sample [association | instance] after connecting to your FPC (start shell pfe network fpcX) ? Total samples accepted: 606849979 Samples accepted: 1048 Total samples accepted: 606926864 Samples accepted: 2333 Samples dropped: 0 Total samples accepted: 606950396 Samples accepted: 2191 So clearly it _is_ sampling. If you are really sure that flow packets are not being exported, they could be getting dropped in a number of different places. Thank you, Chris. Strange, I will have another - closer - look into that. The only other places I know to check are: 'show ichip 0 r counters' (look for HNP discards incrementing) 'show ttp statistics' (look for queue drops) 'netstat -p tudp' on the RE (look for dropped due to full socket buffers) -Chris -- Chris Tracy ctr...@es.net Energy Sciences Network (ESnet) Lawrence Berkeley National Laboratory Cheers, Matjaž ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
