[j-nsp] test - please ignore
armwrestling procmailrc... sorry for the noise -- Pierfrancesco Caci p...@caci.it ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] RSVP automesh
Hi list, Has anyone played around with RSVP/MPLS automesh feature and can share some experiences and/or example configs? I believe it was introduced in 10.1, but can't find anything in the release notes and docs aren't very clear either; http://www.juniper.net/techpubs/en_US/junos10.1/topics/task/configuration/rsvp-automatic-mesh.html Regards, --Daniel. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] ISIS between ERX 1440 and MX960
Hi all, I'm trying to establish an ISIS L2 adjacency between an ERX (Junose is new for me) and 1 MX without success : I double checked the mtu, subnet, Area (not checked for L2), authentication key (I tried simple and MD5 types) The problem seems to be at the ERX side. Indeed, the MX receives well the IIH of the ERX and put its state to Init, then it sends an IIH to the ERX. At the ERX level, IIH is discarded (at the Interface level : Input Discard counter). I don't understand why. I guess there is a MTU issue with the hello padding process but I'm not sure. Config at the MX side --- ge-2/2/2.0 { family iso; faimly inet address 10.1.1.1/30 } lo0 { family iso address 49.0001.xxx } protocol isis { level 2 { authentication-key sdjskdjskd; authentication-type md5; } interface ge-2/2/2.0 { level 1 disable; level 2 { hello-authetication-key FOO; hello-authetication-type md5; } } Config at the ERX side : router isis 1234 is-type level-2-only net 49.0001.xxx domain-message-digest-key 1 hmac-md5 FOO passive-interface loopback50 int gi 12/0 ip router isis 1234 isis circuit-type level-2-only isis message-digest-key 1 hmac-md5 FOO level-2 I tried to monitor ISIS packet at the MX side. I noticed that the PDU length of the MX IIH is equal to 1492 and the ERX one is equal to 1497. Moreover, the protocol capabilities of the MX are IPv4 and IPv6 and for the ERX that are CLNP and IPv4. Any help would be most welcome. thanks Regards, David IMPORTANT.Les informations contenues dans ce message electronique y compris les fichiers attaches sont strictement confidentielles et peuvent etre protegees par la loi. Ce message electronique est destine exclusivement au(x) destinataire(s) mentionne(s) ci-dessus. Si vous avez recu ce message par erreur ou s il ne vous est pas destine, veuillez immediatement le signaler a l expediteur et effacer ce message et tous les fichiers eventuellement attaches. Toute lecture, exploitation ou transmission des informations contenues dans ce message est interdite. Tout message electronique est susceptible d alteration. A ce titre, le Groupe France Telecom decline toute responsabilite notamment s il a ete altere, deforme ou falsifie. De meme, il appartient au destinataire de s assurer de l absence de tout virus. IMPORTANT.This e-mail message and any attachments are strictly confidential and may be protected by law. This message is intended only for the named recipient(s) above. If you have received this message in error, or are not the named recipient(s), please immediately notify the sender and delete this e-mail message. Any unauthorized view, usage or disclosure ofthis message is prohibited. Since e-mail messages may not be reliable, France Telecom Group shall not be liable for any message if modified, changed or falsified. Additionally the recipient should ensure they are actually virus free. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] netflow sampling problem in 10.2
Hi Chris, On 19.5.2011, at 16:30, Chris Tracy wrote: Hi Matjaž, Are you doing RE-based sampling, or using an MS-DPC? Can you post a sanitized version of your config? It is RE-based. We don't have a $MS-DPC :-( The config is very simple and it worked for us in 9.6. In firewall filters we use terms like that: term Sample { then { count cntrS_Sample; sample; next term; } } (all these filters are ingress/input) ...and we sample with: [ forwarding-options sampling ] input { rate 256; run-length 0; max-packets-per-second 8000; } family inet { output { flow-active-timeout 300; flow-server *** { port ***; autonomous-system-type peer; no-local-dump; source-address x.y.z.w; version 5; } } } You might want to look at some of the previous posts to the list on this topic, such as: https://puck.nether.net/pipermail/juniper-nsp/2010-July/017293.html This thread was specific to NetFlow v9 using an MS-DPC though... -Chris Kind regards, Matjaž ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] netflow sampling problem in 10.2
Hi Matjaž, Comments in-line below. It is RE-based. We don't have a $MS-DPC :-( The config is very simple and it worked for us in 9.6. In firewall filters we use terms like that: term Sample { then { count cntrS_Sample; sample; next term; } } (all these filters are ingress/input) ...and we sample with: [ forwarding-options sampling ] input { rate 256; run-length 0; max-packets-per-second 8000; There is a hard limit of 7000, you'll never get more than that with RE-based sampling. I'd recommend lowering this, but this likely has nothing to do with your problem. family inet { output { flow-active-timeout 300; flow-server *** { port ***; autonomous-system-type peer; no-local-dump; source-address x.y.z.w; version 5; } } I'd try changing this to: [ remove family inet {...}, put directly under sampling { ... } ] output { cflowd x.x.x.x { /* instead of flow-server... */ ...same... } } Please let the list know if this helps! Cheers, -Chris -- Chris Tracy ctr...@es.net Energy Sciences Network (ESnet) Lawrence Berkeley National Laboratory ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Ex4200 Routing Engine
Actually. Sorry to reply to my own thread. I see why.. root@agg1.pit1 show system processes extensive last pid: 92762; load averages: 1.35, 1.23, 1.18 up 639+13:13:05 14:15:21 106 processes: 7 running, 80 sleeping, 19 waiting Mem: 104M Active, 101M Inact, 56M Wired, 97M Cache, 110M Buf, 626M Free Swap: PID USERNAME THR PRI NICE SIZERES STATETIME WCPU COMMAND 46466 nobody 1 1320 8176K 5864K RUN8986.9 85.50% httpd 614 root1 1240 13236K 4352K RUN1536.8 6.64% chassism 722 root1 80 79912K 18092K nanslp 625.2H 1.37% pfem 615 root2 44 -52 62672K 5596K select 266.9H 0.05% sfid 11 root1 171 52 0K16K RUN2342.0 0.00% idle 13 root1 -20 -139 0K16K RUN 87.7H 0.00% swi7: clock 12 root1 -40 -159 0K16K WAIT32.3H 0.00% swi2: net 29 root1 -52 -171 0K16K WAIT29.9H 0.00% irq43: i2c0 i2c1 745 root1 40 8852K 6996K kqread 22.8H 0.00% eswd 737 root1 960 4916K 1992K RUN 22.7H 0.00% ppmd 616 root1 4 -20 7236K 5392K kqread 19.8H 0.00% vccpd 744 root1 40 7340K 5668K kqread 409:57 0.00% lldpd 747 root1 40 5452K 3832K kqread 385:21 0.00% mcsnoopd 28 root1 -52 -171 0K16K WAIT 342:59 0.00% irq2: mpfe1 I don't even use the web server, anyone know how to disable it? I would assume this will fix it? -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella Sent: Thursday, May 19, 2011 2:17 PM To: juniper-nsp@puck.nether.net Subject: [j-nsp] Ex4200 Routing Engine All, I have a pair of 4200's in a VC config. Just happened to look at the show chassis routing-engine command the other day and saw... root@agg1.pit1 show chassis routing-engine Routing Engine status: Slot 0: Current state Master Temperature 36 degrees C / 96 degrees F DRAM 1024 MB Memory utilization 19 percent CPU utilization: User 11 percent Kernel88 percent Interrupt 1 percent Idle 0 percent Model EX4200-24T, 8 POE Serial ID BM0208388984 Start time 2009-08-18 01:02:43 EDT Uptime 639 days, 13 hours, 10 minutes, 15 seconds Load averages: 1 minute 5 minute 15 minute 1.13 1.17 1.16 Routing Engine status: Slot 1: Current state Backup Temperature 29 degrees C / 84 degrees F DRAM 1024 MB Memory utilization 14 percent CPU utilization: User 8 percent Kernel 4 percent Interrupt 0 percent Idle 88 percent Model EX4200-24T, 8 POE Serial ID BM0208417115 Start time 2009-08-18 01:02:43 EDT Uptime 639 days, 13 hours, 10 minutes, 15 seconds Load averages: 1 minute 5 minute 15 minute 0.06 0.09 0.07 These are still running 9.3R4.4, is there some commands I could use to see why the kernel is at 88%? Thanks, Brendan ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] ISIS between ERX 1440 and MX960
Hi Payam, I'm trying with ERX not EX. Thanks David -Message d'origine- De : Payam Chychi [mailto:pchy...@gmail.com] Envoyé : jeudi 19 mai 2011 19:46 À : ROY David DTF/DERX Cc : juniper-nsp@puck.nether.net Objet : Re: [j-nsp] ISIS between ERX 1440 and MX960 Hey David, by default on the ex's igmp snooping is active. disable this on the vlan being used for carry the isis traffic and it will build nei adj cheers Payam david@orange-ftgroup.com wrote: Hi all, I'm trying to establish an ISIS L2 adjacency between an ERX (Junose is new for me) and 1 MX without success : I double checked the mtu, subnet, Area (not checked for L2), authentication key (I tried simple and MD5 types) The problem seems to be at the ERX side. Indeed, the MX receives well the IIH of the ERX and put its state to Init, then it sends an IIH to the ERX. At the ERX level, IIH is discarded (at the Interface level : Input Discard counter). I don't understand why. I guess there is a MTU issue with the hello padding process but I'm not sure. Config at the MX side --- ge-2/2/2.0 { family iso; faimly inet address 10.1.1.1/30 } lo0 { family iso address 49.0001.xxx } protocol isis { level 2 { authentication-key sdjskdjskd; authentication-type md5; } interface ge-2/2/2.0 { level 1 disable; level 2 { hello-authetication-key FOO; hello-authetication-type md5; } } Config at the ERX side : router isis 1234 is-type level-2-only net 49.0001.xxx domain-message-digest-key 1 hmac-md5 FOO passive-interface loopback50 int gi 12/0 ip router isis 1234 isis circuit-type level-2-only isis message-digest-key 1 hmac-md5 FOO level-2 I tried to monitor ISIS packet at the MX side. I noticed that the PDU length of the MX IIH is equal to 1492 and the ERX one is equal to 1497. Moreover, the protocol capabilities of the MX are IPv4 and IPv6 and for the ERX that are CLNP and IPv4. Any help would be most welcome. thanks Regards, David IMPORTANT.Les informations contenues dans ce message electronique y compris les fichiers attaches sont strictement confidentielles et peuvent etre protegees par la loi. Ce message electronique est destine exclusivement au(x) destinataire(s) mentionne(s) ci-dessus. Si vous avez recu ce message par erreur ou s il ne vous est pas destine, veuillez immediatement le signaler a l expediteur et effacer ce message et tous les fichiers eventuellement attaches. Toute lecture, exploitation ou transmission des informations contenues dans ce message est interdite. Tout message electronique est susceptible d alteration. A ce titre, le Groupe France Telecom decline toute responsabilite notamment s il a ete altere, deforme ou falsifie. De meme, il appartient au destinataire de s assurer de l absence de tout virus. IMPORTANT.This e-mail message and any attachments are strictly confidential and may be protected by law. This message is intended only for the named recipient(s) above. If you have received this message in error, or are not the named recipient(s), please immediately notify the sender and delete this e-mail message. Any unauthorized view, usage or disclosure ofthis message is prohibited. Since e-mail messages may not be reliable, France Telecom Group shall not be liable for any message if modified, changed or falsified. Additionally the recipient should ensure they are actually virus free. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp IMPORTANT.Les informations contenues dans ce message electronique y compris les fichiers attaches sont strictement confidentielles et peuvent etre protegees par la loi. Ce message electronique est destine exclusivement au(x) destinataire(s) mentionne(s) ci-dessus. Si vous avez recu ce message par erreur ou s il ne vous est pas destine, veuillez immediatement le signaler a l expediteur et effacer ce message et tous les fichiers eventuellement attaches. Toute lecture, exploitation ou transmission des informations contenues dans ce message est interdite. Tout message electronique est susceptible d alteration. A ce titre, le Groupe France Telecom decline toute responsabilite notamment s il a ete altere, deforme ou falsifie. De meme, il appartient au destinataire de s assurer de l absence de tout virus. IMPORTANT.This e-mail message and any attachments are strictly confidential and may be protected by law. This message is intended only for the named recipient(s) above. If you have received this message in error, or are not the named recipient(s), please immediately notify the sender
Re: [j-nsp] Ex4200 Routing Engine
I did set system processes web-management disable but based on the amount of time the process has been running, it seems like just a stuck process.. Does anyone know if it safe to just kill the process id? From: Kevin Shymkiw [mailto:kshym...@gmail.com] Sent: Thursday, May 19, 2011 2:25 PM To: Brendan Mannella Subject: Re: [j-nsp] Ex4200 Routing Engine Brendan, Should be able to kill HTTP Access with something like delete system services http HTH Kevin On Thu, May 19, 2011 at 2:20 PM, Brendan Mannella bmanne...@teraswitch.commailto:bmanne...@teraswitch.com wrote: Actually. Sorry to reply to my own thread. I see why.. root@agg1.pit1 show system processes extensive last pid: 92762; load averages: 1.35, 1.23, 1.18 up 639+13:13:05 14:15:21 106 processes: 7 running, 80 sleeping, 19 waiting Mem: 104M Active, 101M Inact, 56M Wired, 97M Cache, 110M Buf, 626M Free Swap: PID USERNAME THR PRI NICE SIZERES STATETIME WCPU COMMAND 46466 nobody 1 1320 8176K 5864K RUN8986.9 85.50% httpd 614 root1 1240 13236K 4352K RUN1536.8 6.64% chassism 722 root1 80 79912K 18092K nanslp 625.2H 1.37% pfem 615 root2 44 -52 62672K 5596K select 266.9H 0.05% sfid 11 root1 171 52 0K16K RUN2342.0 0.00% idle 13 root1 -20 -139 0K16K RUN 87.7H 0.00% swi7: clock 12 root1 -40 -159 0K16K WAIT32.3H 0.00% swi2: net 29 root1 -52 -171 0K16K WAIT29.9H 0.00% irq43: i2c0 i2c1 745 root1 40 8852K 6996K kqread 22.8H 0.00% eswd 737 root1 960 4916K 1992K RUN 22.7H 0.00% ppmd 616 root1 4 -20 7236K 5392K kqread 19.8H 0.00% vccpd 744 root1 40 7340K 5668K kqread 409:57 0.00% lldpd 747 root1 40 5452K 3832K kqread 385:21 0.00% mcsnoopd 28 root1 -52 -171 0K16K WAIT 342:59 0.00% irq2: mpfe1 I don't even use the web server, anyone know how to disable it? I would assume this will fix it? -Original Message- From: juniper-nsp-boun...@puck.nether.netmailto:juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.netmailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella Sent: Thursday, May 19, 2011 2:17 PM To: juniper-nsp@puck.nether.netmailto:juniper-nsp@puck.nether.net Subject: [j-nsp] Ex4200 Routing Engine All, I have a pair of 4200's in a VC config. Just happened to look at the show chassis routing-engine command the other day and saw... root@agg1.pit1 show chassis routing-engine Routing Engine status: Slot 0: Current state Master Temperature 36 degrees C / 96 degrees F DRAM 1024 MB Memory utilization 19 percent CPU utilization: User 11 percent Kernel88 percent Interrupt 1 percent Idle 0 percent Model EX4200-24T, 8 POE Serial ID BM0208388984 Start time 2009-08-18 01:02:43 EDT Uptime 639 days, 13 hours, 10 minutes, 15 seconds Load averages: 1 minute 5 minute 15 minute 1.13 1.17 1.16 Routing Engine status: Slot 1: Current state Backup Temperature 29 degrees C / 84 degrees F DRAM 1024 MB Memory utilization 14 percent CPU utilization: User 8 percent Kernel 4 percent Interrupt 0 percent Idle 88 percent Model EX4200-24T, 8 POE Serial ID BM0208417115 Start time 2009-08-18 01:02:43 EDT Uptime 639 days, 13 hours, 10 minutes, 15 seconds Load averages: 1 minute 5 minute 15 minute 0.06 0.09 0.07 These are still running 9.3R4.4, is there some commands I could use to see why the kernel is at 88%? Thanks, Brendan ___ juniper-nsp mailing list juniper-nsp@puck.nether.netmailto:juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.netmailto:juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Ex4200 Routing Engine
Someone may correct me here but if http isn't enabled under System -- Services then I believe it doesn't run at all Logged into a EX4200-VC running 10.0S12 and don't see it running at all ... load is average for it... paul@dis1.xx show system processes extensive last pid: 39531; load averages: 0.03, 0.05, 0.02 up 106+10:49:25 14:33:58 109 processes: 6 running, 84 sleeping, 19 waiting Mem: 169M Active, 19M Inact, 90M Wired, 59M Cache, 110M Buf, 646M Free Swap: PID USERNAME THR PRI NICE SIZERES STATETIME WCPU COMMAND 11 root1 171 52 0K16K RUN2261.3 92.33% idle 849 root1 80 81544K 26468K nanslp 113.8H 1.42% pfem 845 root1 -90 13928K 4420K i2c_wt 59.7H 0.00% chassism 847 root2 8 -88 63780K 7216K nanslp 56.1H 0.00% sfid 12 root1 -20 -139 0K16K RUN834:48 0.00% swi7: clock 861 root1 40 33972K 11440K kqread 660:05 0.00% rpd 870 root1 960 5788K 2720K RUN429:44 0.00% ppmd 14 root1 -40 -159 0K16K WAIT 331:34 0.00% swi2: net paul@dis1.x show system processes extensive | match httpd {master:0} Cheers, Paul -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella Sent: Thursday, May 19, 2011 2:20 PM To: Brendan Mannella; juniper-nsp@puck.nether.net Subject: Re: [j-nsp] Ex4200 Routing Engine Actually. Sorry to reply to my own thread. I see why.. root@agg1.pit1 show system processes extensive last pid: 92762; load averages: 1.35, 1.23, 1.18 up 639+13:13:05 14:15:21 106 processes: 7 running, 80 sleeping, 19 waiting Mem: 104M Active, 101M Inact, 56M Wired, 97M Cache, 110M Buf, 626M Free Swap: PID USERNAME THR PRI NICE SIZERES STATETIME WCPU COMMAND 46466 nobody 1 1320 8176K 5864K RUN8986.9 85.50% httpd 614 root1 1240 13236K 4352K RUN1536.8 6.64% chassism 722 root1 80 79912K 18092K nanslp 625.2H 1.37% pfem 615 root2 44 -52 62672K 5596K select 266.9H 0.05% sfid 11 root1 171 52 0K16K RUN2342.0 0.00% idle 13 root1 -20 -139 0K16K RUN 87.7H 0.00% swi7: clock 12 root1 -40 -159 0K16K WAIT32.3H 0.00% swi2: net 29 root1 -52 -171 0K16K WAIT29.9H 0.00% irq43: i2c0 i2c1 745 root1 40 8852K 6996K kqread 22.8H 0.00% eswd 737 root1 960 4916K 1992K RUN 22.7H 0.00% ppmd 616 root1 4 -20 7236K 5392K kqread 19.8H 0.00% vccpd 744 root1 40 7340K 5668K kqread 409:57 0.00% lldpd 747 root1 40 5452K 3832K kqread 385:21 0.00% mcsnoopd 28 root1 -52 -171 0K16K WAIT 342:59 0.00% irq2: mpfe1 I don't even use the web server, anyone know how to disable it? I would assume this will fix it? -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella Sent: Thursday, May 19, 2011 2:17 PM To: juniper-nsp@puck.nether.net Subject: [j-nsp] Ex4200 Routing Engine All, I have a pair of 4200's in a VC config. Just happened to look at the show chassis routing-engine command the other day and saw... root@agg1.pit1 show chassis routing-engine Routing Engine status: Slot 0: Current state Master Temperature 36 degrees C / 96 degrees F DRAM 1024 MB Memory utilization 19 percent CPU utilization: User 11 percent Kernel88 percent Interrupt 1 percent Idle 0 percent Model EX4200-24T, 8 POE Serial ID BM0208388984 Start time 2009-08-18 01:02:43 EDT Uptime 639 days, 13 hours, 10 minutes, 15 seconds Load averages: 1 minute 5 minute 15 minute 1.13 1.17 1.16 Routing Engine status: Slot 1: Current state Backup Temperature 29 degrees C / 84 degrees F DRAM 1024 MB Memory utilization 14 percent CPU utilization: User 8 percent Kernel 4 percent Interrupt 0 percent Idle 88 percent Model EX4200-24T, 8 POE Serial ID BM0208417115 Start time 2009-08-18 01:02:43 EDT Uptime 639 days, 13 hours, 10 minutes, 15 seconds Load averages: 1 minute 5 minute 15 minute 0.06 0.09 0.07 These are still
Re: [j-nsp] ISIS between ERX 1440 and MX960
hi david, 1. is the erx interface configured with an ip-address? http://www.juniper.net/techpubs/software/erx/junose72/swconfig-ip-ipv6-igp/html/isis-config6.html#89040 says erx should have atleast one ip-addres/router-id configured. 2. if yes, then pls try if adjusting hello-padding attributes on both ends. it does look like mtu and padding issue. perhaps try adaptive/strict padding on junos side to see if there are mtu issues. kaliraj On Thu, May 19, 2011 at 10:24 AM, david@orange-ftgroup.com wrote: Hi all, I'm trying to establish an ISIS L2 adjacency between an ERX (Junose is new for me) and 1 MX without success : I double checked the mtu, subnet, Area (not checked for L2), authentication key (I tried simple and MD5 types) The problem seems to be at the ERX side. Indeed, the MX receives well the IIH of the ERX and put its state to Init, then it sends an IIH to the ERX. At the ERX level, IIH is discarded (at the Interface level : Input Discard counter). I don't understand why. I guess there is a MTU issue with the hello padding process but I'm not sure. Config at the MX side --- ge-2/2/2.0 { family iso; faimly inet address 10.1.1.1/30 } lo0 { family iso address 49.0001.xxx } protocol isis { level 2 { authentication-key sdjskdjskd; authentication-type md5; } interface ge-2/2/2.0 { level 1 disable; level 2 { hello-authetication-key FOO; hello-authetication-type md5; } } Config at the ERX side : router isis 1234 is-type level-2-only net 49.0001.xxx domain-message-digest-key 1 hmac-md5 FOO passive-interface loopback50 int gi 12/0 ip router isis 1234 isis circuit-type level-2-only isis message-digest-key 1 hmac-md5 FOO level-2 I tried to monitor ISIS packet at the MX side. I noticed that the PDU length of the MX IIH is equal to 1492 and the ERX one is equal to 1497. Moreover, the protocol capabilities of the MX are IPv4 and IPv6 and for the ERX that are CLNP and IPv4. Any help would be most welcome. thanks Regards, David IMPORTANT.Les informations contenues dans ce message electronique y compris les fichiers attaches sont strictement confidentielles et peuvent etre protegees par la loi. Ce message electronique est destine exclusivement au(x) destinataire(s) mentionne(s) ci-dessus. Si vous avez recu ce message par erreur ou s il ne vous est pas destine, veuillez immediatement le signaler a l expediteur et effacer ce message et tous les fichiers eventuellement attaches. Toute lecture, exploitation ou transmission des informations contenues dans ce message est interdite. Tout message electronique est susceptible d alteration. A ce titre, le Groupe France Telecom decline toute responsabilite notamment s il a ete altere, deforme ou falsifie. De meme, il appartient au destinataire de s assurer de l absence de tout virus. IMPORTANT.This e-mail message and any attachments are strictly confidential and may be protected by law. This message is intended only for the named recipient(s) above. If you have received this message in error, or are not the named recipient(s), please immediately notify the sender and delete this e-mail message. Any unauthorized view, usage or disclosure ofthis message is prohibited. Since e-mail messages may not be reliable, France Telecom Group shall not be liable for any message if modified, changed or falsified. Additionally the recipient should ensure they are actually virus free. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] ISIS between ERX 1440 and MX960
Hi Thanks 1. yes 2. I tried but without success. I believe that the ISO MTU is less than the padded hello of the MX. I will try to set mtu of the gi 12/0 of the ERX to 1518 : I will update you if it works Regards David David Roy Orange - IP Domestic Backbone - TAC Tel. +33(0)299876472 Mob. +33(0)685522213 Email. david@orange-ftgroup.com JNCIE-M/T #703 ; JNCIS-ENT -Message d'origine- De : Kaliraj [mailto:kalir...@gmail.com] Envoyé : jeudi 19 mai 2011 20:37 À : ROY David DTF/DERX Cc : juniper-nsp@puck.nether.net Objet : Re: [j-nsp] ISIS between ERX 1440 and MX960 hi david, 1. is the erx interface configured with an ip-address? http://www.juniper.net/techpubs/software/erx/junose72/swconfig-ip-ipv6-igp/html/isis-config6.html#89040 says erx should have atleast one ip-addres/router-id configured. 2. if yes, then pls try if adjusting hello-padding attributes on both ends. it does look like mtu and padding issue. perhaps try adaptive/strict padding on junos side to see if there are mtu issues. kaliraj On Thu, May 19, 2011 at 10:24 AM, david@orange-ftgroup.com wrote: Hi all, I'm trying to establish an ISIS L2 adjacency between an ERX (Junose is new for me) and 1 MX without success : I double checked the mtu, subnet, Area (not checked for L2), authentication key (I tried simple and MD5 types) The problem seems to be at the ERX side. Indeed, the MX receives well the IIH of the ERX and put its state to Init, then it sends an IIH to the ERX. At the ERX level, IIH is discarded (at the Interface level : Input Discard counter). I don't understand why. I guess there is a MTU issue with the hello padding process but I'm not sure. Config at the MX side --- ge-2/2/2.0 { family iso; faimly inet address 10.1.1.1/30 } lo0 { family iso address 49.0001.xxx } protocol isis { level 2 { authentication-key sdjskdjskd; authentication-type md5; } interface ge-2/2/2.0 { level 1 disable; level 2 { hello-authetication-key FOO; hello-authetication-type md5; } } Config at the ERX side : router isis 1234 is-type level-2-only net 49.0001.xxx domain-message-digest-key 1 hmac-md5 FOO passive-interface loopback50 int gi 12/0 ip router isis 1234 isis circuit-type level-2-only isis message-digest-key 1 hmac-md5 FOO level-2 I tried to monitor ISIS packet at the MX side. I noticed that the PDU length of the MX IIH is equal to 1492 and the ERX one is equal to 1497. Moreover, the protocol capabilities of the MX are IPv4 and IPv6 and for the ERX that are CLNP and IPv4. Any help would be most welcome. thanks Regards, David IMPORTANT.Les informations contenues dans ce message electronique y compris les fichiers attaches sont strictement confidentielles et peuvent etre protegees par la loi. Ce message electronique est destine exclusivement au(x) destinataire(s) mentionne(s) ci-dessus. Si vous avez recu ce message par erreur ou s il ne vous est pas destine, veuillez immediatement le signaler a l expediteur et effacer ce message et tous les fichiers eventuellement attaches. Toute lecture, exploitation ou transmission des informations contenues dans ce message est interdite. Tout message electronique est susceptible d alteration. A ce titre, le Groupe France Telecom decline toute responsabilite notamment s il a ete altere, deforme ou falsifie. De meme, il appartient au destinataire de s assurer de l absence de tout virus. IMPORTANT.This e-mail message and any attachments are strictly confidential and may be protected by law. This message is intended only for the named recipient(s) above. If you have received this message in error, or are not the named recipient(s), please immediately notify the sender and delete this e-mail message. Any unauthorized view, usage or disclosure ofthis message is prohibited. Since e-mail messages may not be reliable, France Telecom Group shall not be liable for any message if modified, changed or falsified. Additionally the recipient should ensure they are actually virus free. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp IMPORTANT.Les informations contenues dans ce message electronique y compris les fichiers attaches sont strictement confidentielles et peuvent etre protegees par la loi. Ce message electronique est destine exclusivement au(x) destinataire(s) mentionne(s) ci-dessus. Si vous avez recu ce message par erreur ou s il ne vous est pas destine, veuillez immediatement le signaler a l expediteur et effacer ce message et tous les fichiers eventuellement attaches. Toute
Re: [j-nsp] Ex4200 Routing Engine
My config shows.. services { ssh { connection-limit 10; rate-limit 10; } And processes { web-management disable; I assume 8986.9 is the number of hours the process has been running. Can I drop to the cli and kill the process id without breaking anything. root@agg1:RE:0% ps -aux | grep httpd nobody 46466 87.5 0.6 8176 5864 ?? R 2Feb10 539252:22.28 /packages/mnt/jcrypto-ex/usr/sbin/httpd -N root 93359 0.0 0.1 2040 816 p0 R+3:01PM 0:00.01 grep httpd -Original Message- From: Paul Stewart [mailto:p...@paulstewart.org] Sent: Thursday, May 19, 2011 2:35 PM To: Brendan Mannella; juniper-nsp@puck.nether.net Subject: RE: [j-nsp] Ex4200 Routing Engine Someone may correct me here but if http isn't enabled under System -- Services then I believe it doesn't run at all Logged into a EX4200-VC running 10.0S12 and don't see it running at all ... load is average for it... paul@dis1.xx show system processes extensive last pid: 39531; load averages: 0.03, 0.05, 0.02 up 106+10:49:25 14:33:58 109 processes: 6 running, 84 sleeping, 19 waiting Mem: 169M Active, 19M Inact, 90M Wired, 59M Cache, 110M Buf, 646M Free Swap: PID USERNAME THR PRI NICE SIZERES STATETIME WCPU COMMAND 11 root1 171 52 0K16K RUN2261.3 92.33% idle 849 root1 80 81544K 26468K nanslp 113.8H 1.42% pfem 845 root1 -90 13928K 4420K i2c_wt 59.7H 0.00% chassism 847 root2 8 -88 63780K 7216K nanslp 56.1H 0.00% sfid 12 root1 -20 -139 0K16K RUN834:48 0.00% swi7: clock 861 root1 40 33972K 11440K kqread 660:05 0.00% rpd 870 root1 960 5788K 2720K RUN429:44 0.00% ppmd 14 root1 -40 -159 0K16K WAIT 331:34 0.00% swi2: net paul@dis1.x show system processes extensive | match httpd {master:0} Cheers, Paul -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella Sent: Thursday, May 19, 2011 2:20 PM To: Brendan Mannella; juniper-nsp@puck.nether.net Subject: Re: [j-nsp] Ex4200 Routing Engine Actually. Sorry to reply to my own thread. I see why.. root@agg1.pit1 show system processes extensive last pid: 92762; load averages: 1.35, 1.23, 1.18 up 639+13:13:05 14:15:21 106 processes: 7 running, 80 sleeping, 19 waiting Mem: 104M Active, 101M Inact, 56M Wired, 97M Cache, 110M Buf, 626M Free Swap: PID USERNAME THR PRI NICE SIZERES STATETIME WCPU COMMAND 46466 nobody 1 1320 8176K 5864K RUN8986.9 85.50% httpd 614 root1 1240 13236K 4352K RUN1536.8 6.64% chassism 722 root1 80 79912K 18092K nanslp 625.2H 1.37% pfem 615 root2 44 -52 62672K 5596K select 266.9H 0.05% sfid 11 root1 171 52 0K16K RUN2342.0 0.00% idle 13 root1 -20 -139 0K16K RUN 87.7H 0.00% swi7: clock 12 root1 -40 -159 0K16K WAIT32.3H 0.00% swi2: net 29 root1 -52 -171 0K16K WAIT29.9H 0.00% irq43: i2c0 i2c1 745 root1 40 8852K 6996K kqread 22.8H 0.00% eswd 737 root1 960 4916K 1992K RUN 22.7H 0.00% ppmd 616 root1 4 -20 7236K 5392K kqread 19.8H 0.00% vccpd 744 root1 40 7340K 5668K kqread 409:57 0.00% lldpd 747 root1 40 5452K 3832K kqread 385:21 0.00% mcsnoopd 28 root1 -52 -171 0K16K WAIT 342:59 0.00% irq2: mpfe1 I don't even use the web server, anyone know how to disable it? I would assume this will fix it? -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella Sent: Thursday, May 19, 2011 2:17 PM To: juniper-nsp@puck.nether.net Subject: [j-nsp] Ex4200 Routing Engine All, I have a pair of 4200's in a VC config. Just happened to look at the show chassis routing-engine command the other day and saw... root@agg1.pit1 show chassis routing-engine Routing Engine status: Slot 0: Current state Master Temperature 36 degrees C / 96 degrees F DRAM 1024 MB Memory utilization 19 percent CPU utilization: User 11 percent Kernel88 percent Interrupt 1 percent Idle 0 percent Model EX4200-24T, 8 POE Serial ID BM0208388984 Start time 2009-08-18 01:02:43 EDT Uptime 639 days, 13 hours, 10 minutes, 15 seconds Load averages: 1 minute 5 minute 15 minute 1.13 1.17 1.16 Routing Engine status: Slot 1: Current state
Re: [j-nsp] SUSPECT : Re: ISIS between ERX 1440 and MX960
Sniffing the ISIS packets should give some more clues. Le 19/05/2011 20:37, Kaliraj a écrit : hi david, 1. is the erx interface configured with an ip-address? http://www.juniper.net/techpubs/software/erx/junose72/swconfig-ip-ipv6-igp/html/isis-config6.html#89040 says erx should have atleast one ip-addres/router-id configured. 2. if yes, then pls try if adjusting hello-padding attributes on both ends. it does look like mtu and padding issue. perhaps try adaptive/strict padding on junos side to see if there are mtu issues. kaliraj On Thu, May 19, 2011 at 10:24 AM,david@orange-ftgroup.com wrote: Hi all, I'm trying to establish an ISIS L2 adjacency between an ERX (Junose is new for me) and 1 MX without success : I double checked the mtu, subnet, Area (not checked for L2), authentication key (I tried simple and MD5 types) The problem seems to be at the ERX side. Indeed, the MX receives well the IIH of the ERX and put its state to Init, then it sends an IIH to the ERX. At the ERX level, IIH is discarded (at the Interface level : Input Discard counter). I don't understand why. I guess there is a MTU issue with the hello padding process but I'm not sure. Config at the MX side --- ge-2/2/2.0 { family iso; faimly inet address 10.1.1.1/30 } lo0 { family iso address 49.0001.xxx } protocol isis { level 2 { authentication-key sdjskdjskd; authentication-type md5; } interface ge-2/2/2.0 { level 1 disable; level 2 { hello-authetication-key FOO; hello-authetication-type md5; } } Config at the ERX side : router isis 1234 is-type level-2-only net 49.0001.xxx domain-message-digest-key 1 hmac-md5 FOO passive-interface loopback50 int gi 12/0 ip router isis 1234 isis circuit-type level-2-only isis message-digest-key 1 hmac-md5 FOO level-2 I tried to monitor ISIS packet at the MX side. I noticed that the PDU length of the MX IIH is equal to 1492 and the ERX one is equal to 1497. Moreover, the protocol capabilities of the MX are IPv4 and IPv6 and for the ERX that are CLNP and IPv4. Any help would be most welcome. thanks Regards, David IMPORTANT.Les informations contenues dans ce message electronique y compris les fichiers attaches sont strictement confidentielles et peuvent etre protegees par la loi. Ce message electronique est destine exclusivement au(x) destinataire(s) mentionne(s) ci-dessus. Si vous avez recu ce message par erreur ou s il ne vous est pas destine, veuillez immediatement le signaler a l expediteur et effacer ce message et tous les fichiers eventuellement attaches. Toute lecture, exploitation ou transmission des informations contenues dans ce message est interdite. Tout message electronique est susceptible d alteration. A ce titre, le Groupe France Telecom decline toute responsabilite notamment s il a ete altere, deforme ou falsifie. De meme, il appartient au destinataire de s assurer de l absence de tout virus. IMPORTANT.This e-mail message and any attachments are strictly confidential and may be protected by law. This message is intended only for the named recipient(s) above. If you have received this message in error, or are not the named recipient(s), please immediately notify the sender and delete this e-mail message. Any unauthorized view, usage or disclosure ofthis message is prohibited. Since e-mail messages may not be reliable, France Telecom Group shall not be liable for any message if modified, changed or falsified. Additionally the recipient should ensure they are actually virus free. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] netflow sampling problem in 10.2
Hi Chris, On 19.5.2011, at 20:11, Chris Tracy wrote: Hi Matjaž, Comments in-line below. ... family inet { output { flow-active-timeout 300; flow-server *** { port ***; autonomous-system-type peer; no-local-dump; source-address x.y.z.w; version 5; } } I'd try changing this to: [ remove family inet {...}, put directly under sampling { ... } ] output { cflowd x.x.x.x { /* instead of flow-server... */ ...same... } } Thank you for the hint, but this is the old style from pre-IPv6 era ;-) I thought the cflowd ... has been forgotten by now. Please let the list know if this helps! Cheers, -Chris -- Chris Tracy ctr...@es.net Energy Sciences Network (ESnet) Lawrence Berkeley National Laboratory Cheers, Matjaž ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] ISIS between ERX 1440 and MX960
2. I tried but without success. I believe that the ISO MTU is less than the padded hello of the MX. I will try to set mtu of the gi 12/0 of the ERX to 1518 : I will update you if it works We have IS-IS running between MX and ERX with no problem. Use 4 byte more for the ERX MTU than the MX MTU on the physical interfaces, and you should be all set. Example of working config below, lightly anonymized. Steinar Haug, Nethelp consulting, sth...@nethelp.no -- interface gigabitEthernet 2/0 mtu 4488 ip address a.b.2.202 255.255.255.252 ip router isis isis network point-to-point isis circuit-type level-2-only interface loopback 0 ip address a.b.0.75 255.255.255.255 ip router isis isis circuit-type level-2-only router isis is-type level-2-only net 47.0001...0075.00 metric-style wide level-2 interfaces { ge-0/0/3 { mtu 4484; unit 0 { family inet { address a.b.2.201/30; } family iso; } } lo0 { unit 0 { family inet { address a.b.0.78/32; } family iso { address 47.0001...0078.00; } } } } protocols { isis { level 2 wide-metrics-only; level 1 disable; interface ge-0/0/3.0 { point-to-point; } interface lo0.0 { level 2 passive; } } } ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] netflow sampling problem in 10.2
I'd try changing this to: [ remove family inet {...}, put directly under sampling { ... } ] Thank you for the hint, but this is the old style from pre-IPv6 era ;-) I thought the cflowd ... has been forgotten by now. Not like it will matter anyways with v5 RE-based sampling. :-) I just went through some of my notes. 9.6 introduced a whole bunch of changes with the way sampling is configured, especially with v9 using an MS-DPC. I had forgotten about the change from cflowd to flow-server. You are not seeing ## Warning: 'output' is deprecated when you show the config, are you? -Chris -- Chris Tracy ctr...@es.net Energy Sciences Network (ESnet) Lawrence Berkeley National Laboratory ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] netflow sampling problem in 10.2
On 19.5.2011, at 21:45, Chris Tracy wrote: I'd try changing this to: [ remove family inet {...}, put directly under sampling { ... } ] Thank you for the hint, but this is the old style from pre-IPv6 era ;-) I thought the cflowd ... has been forgotten by now. Not like it will matter anyways with v5 RE-based sampling. :-) Yes, you're right :-) But it is more clear that way. Unfortunately, I can not configure family inet6 output ... version 9... in a similar manner. I just went through some of my notes. 9.6 introduced a whole bunch of changes with the way sampling is configured, especially with v9 using an MS-DPC. I had forgotten about the change from cflowd to flow-server. You are not seeing ## Warning: 'output' is deprecated when you show the config, are you? No, not now with the flow-server style ;-). I still remember the diff: + version 9.6R3.8; - output { + output { ## Warning: 'output' is deprecated - cflowd x.y.z.w { + flow-server x.y.z.w { ...when we moved to 9.6 more than a year ago. Families were introduced even before that. -Chris -- Chris Tracy ctr...@es.net Energy Sciences Network (ESnet) Lawrence Berkeley National Laboratory Regards, Matjaž ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] netflow sampling problem in 10.2
You are not seeing ## Warning: 'output' is deprecated when you show the config, are you? No, not now with the flow-server style ;-). I still remember the diff: + version 9.6R3.8; - output { + output { ## Warning: 'output' is deprecated - cflowd x.y.z.w { + flow-server x.y.z.w { Hmm. What do you get if you run show sample summary or show sample [association | instance] after connecting to your FPC (start shell pfe network fpcX) ? -Chris -- Chris Tracy ctr...@es.net Energy Sciences Network (ESnet) Lawrence Berkeley National Laboratory ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] JUNOS major releases - differences between revisions
Hi, On Thu, May 19, 2011 at 10:49:27AM +1000, Dale Shaw wrote: Q: Is there a way to determine what has changed between two revisions of a major JUNOS release? For argument's sake, how do I find out precisely what changed between 10.4R3 and 10.4R4? Recent official Juniper answer: buy professional services to get the bugfix list. And they really mean it. No kiddin'. Best regards, Daniel -- CLUE-RIPE -- Jabber: d...@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0 ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] netflow sampling problem in 10.2
On 19.5.2011, at 22:52, Chris Tracy wrote: What do you get if you run show sample summary or show sample [association | instance] after connecting to your FPC (start shell pfe network fpcX) ? Total samples accepted: 606849979 Samples accepted: 1048 Total samples accepted: 606926864 Samples accepted: 2333 Samples dropped: 0 Total samples accepted: 606950396 Samples accepted: 2191 So clearly it _is_ sampling. If you are really sure that flow packets are not being exported, they could be getting dropped in a number of different places. Thank you, Chris. Strange, I will have another - closer - look into that. The only other places I know to check are: 'show ichip 0 r counters' (look for HNP discards incrementing) 'show ttp statistics' (look for queue drops) 'netstat -p tudp' on the RE (look for dropped due to full socket buffers) -Chris -- Chris Tracy ctr...@es.net Energy Sciences Network (ESnet) Lawrence Berkeley National Laboratory Cheers, Matjaž ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp