Re: [j-nsp] bgp to ospf

2011-06-16 Thread Richard Zheng
On Thu, Jun 16, 2011 at 7:55 AM, Jeff Wheeler  wrote:

> On Thu, Jun 16, 2011 at 12:48 PM, Payam Chychi  wrote:
> > Were you able to figure this out?
>
> As I mentioned, take my post with a grain of salt.  I may be incorrect here
> about the actual functioning, as I have never, ever had reason to utilize
> this in a practical network.  But if you do some reading, the intended
> purpose of Fwd Adr is expressed above.  The original poster should not be
> using it for what he wants to do (I don't think it will work), and should
> instead utilize BGP or change his topology.
>
>
I came to the same conclusion. I figured that OSPF can only set the forward
address under very strict conditions. Using another router's IP is not
supported by most implementations; I am not sure whether it is supported by
the RFC, though.

My summary is posted here,
http://mailman.nanog.org/pipermail/nanog/2011-June/037479.html.

I did come across another interesting issue when implementing IBGP between
RTR A and RTR B. RTR A sent the customer route to border router B, then B
redistributed from IBGP to OSPF. In the whole AS, the route bounced in
and out of the routing table every few seconds.

JUNOS uses different administrative distances from Cisco. In JUNOS, OSPF is
150 and BGP is 170. When the route is learned from EBGP, it is 170 and is sent
to IBGP, then redistributed to OSPF. Then the route is propagated through
OSPF to RTR A; the same route from OSPF has a distance of 150, so it overrides
the EBGP route, which is then withdrawn via IBGP to RTR B. RTR B stops
redistribution from IBGP to OSPF. Once it disappears from OSPF, the EBGP
route comes back. It goes through the same cycle again.

The solution I can think of is to change the administrative distance of BGP
to a lower number, say 120, so the OSPF route won't take over in the routing
table. Should be OK, but I'm not quite sure.

Richard
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
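
The flap cycle described in the message above can be reproduced with a small state model. This is an added example, not part of the original post: the one-propagation-step-per-tick timing and the function names are assumptions, and the preference values are the ones quoted in the message.

```python
# Simplified model (added example): RTR A learns the customer prefix via EBGP,
# advertises it to RTR B over IBGP only while the BGP route is A's active
# route, and RTR B redistributes the IBGP route into OSPF as an external.
OSPF_EXTERNAL_PREF = 150   # preference quoted in the post for the OSPF route


def simulate(bgp_pref, ticks=12):
    """Return RTR A's active protocol for the prefix at each tick.

    Each tick models one propagation step; the lower preference wins on RTR A.
    """
    ibgp_at_b = False      # B currently holds the IBGP route from A
    ospf_at_a = False      # A currently holds B's OSPF external route
    history = []
    for _ in range(ticks):
        # RTR A: the EBGP route is always present; the OSPF external route
        # exists only while B is exporting it.
        candidates = {"bgp": bgp_pref}
        if ospf_at_a:
            candidates["ospf"] = OSPF_EXTERNAL_PREF
        active = min(candidates, key=candidates.get)
        history.append(active)
        # Next tick's state is derived from this tick's state.
        next_ospf_at_a = ibgp_at_b          # B exports to OSPF while it holds the IBGP route
        next_ibgp_at_b = (active == "bgp")  # A advertises over IBGP only an active BGP route
        ospf_at_a, ibgp_at_b = next_ospf_at_a, next_ibgp_at_b
    return history


def flaps(history):
    """Count how many times the active protocol on RTR A changes."""
    return sum(1 for prev, cur in zip(history, history[1:]) if prev != cur)


if __name__ == "__main__":
    for pref in (170, 120):
        h = simulate(pref)
        print(f"BGP preference {pref}: {flaps(h)} flaps -> {' '.join(h)}")
```

In this model the route on RTR A alternates between BGP and OSPF when BGP is at 170, and stays on BGP when BGP is at 120.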


Re: [j-nsp] MX loopback filter and monitor traffic

2011-06-16 Thread Stefan Fouant
Hi Clarke,

One thing you forgot to mention is whether your re-protect filter is actually 
discarding the traffic or not. However, assuming that you are discarding, the 
reason you are not seeing the traffic via the monitor command is that the 
traffic destined to the RE is not actually being filtered on the RE itself but 
is actually being filtered at the PFE. When you commit the config, the compiled 
filter is pushed down to the microkernel on the PFE so anything destined to the 
RE can be filtered via forwarding plane hardware. You can see counters because 
those are actually gathered at the PFE and then the statistics are sent to the RE.

Hope this makes sense. Sorry for the top post, I am on my Android.

Stefan Fouant
GPG Key ID: 0xB4C956EC

Sent from my HTC EVO.

- Reply message -
From: "Clarke Morledge" 
Date: Thu, Jun 16, 2011 10:53 am
Subject: [j-nsp] MX loopback filter and monitor traffic
To: 

I have a question about how the "monitor traffic" capability works on the 
loopback interface, particularly with respect to a filter.

If I write a filter, such as under a "firewall family inet filter 
re-protect" stanza, and apply it to the loopback address, unit 0:

set interfaces lo0 unit 0 family inet filter input re-protect

I can see traffic hitting the filter, if I have any counters configured in 
the filter.   I can see that the traffic coming into the filter is getting 
to the RE via any IRBs or other layer 3 interfaces that are terminated on 
the MX.   I can do a "monitor traffic"  on any of these layer 3 interfaces 
on the input side and see the relevant traffic (to and/or from the RE).

However, if I do a "monitor traffic" on the loopback interface itself, I 
see nothing:

MX> monitor traffic interface lo0.0 no-resolve
no-domain-names
verbose output suppressed, use  or  for full protocol
decode
Address resolution is OFF.
Listening on lo0.0, capture size 96 bytes

^C
0 packets received by filter
0 packets dropped by kernel


If all of the traffic that comes into the router to the RE via these 
exposed Layer3 interfaces eventually makes its way to the RE via the 
loopback address, at unit 0, why is it that the "monitor traffic" command 
does not show me anything? Why is the loopback interface so "special"?


Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187


Re: [j-nsp] bgp to ospf

2011-06-16 Thread Jeff Wheeler
On Thu, Jun 16, 2011 at 12:48 PM, Payam Chychi  wrote:
> Were you able to figure this out?

I don't have lab gear to test this correctly, so please take my post with a
grain of salt.  Please excuse the use of gmail "Rich Text" to get a
fixed-width typeface in my composer:

  /\
  ||
ASBR1ABR5---ASBR3

ABR5 redistributes 192.0.2.0/24 into iBGP, but not into OSPF.
ASBR3 redistributes same /24 from BGP into OSPF as an E2 with "set next-hop"
to ABR5 loopback in the routing policy.
ASBR1 learns the E2 route and its RIB (and FIB) show a next-hop directly to
ABR5

However, in ASBR1 "show ospf database external" CLI output, the Fwd Adr is
0, not the ABR5 next-hop.

I am really not surprised by this, because the purpose of OSPF Forwarding
Address is, as expressly documented in relevant RFCs, for situations where
several routers are using a multi-access or broadcast media (frame-relay,
Ethernet, etc.) to reach an external neighbor, yet not all of these routers
have routing protocol sessions to same neighbor.  For example:

   AS16631
  |
  ==
||
  ASBR1ASBR2
||
   AR3  AR4

In this stick-figure, === might be Ethernet, ATM, Frame, smoke signals,
whatever.  What matters is you will have eBGP from ASBR1 to the external
neighbor AS16631, but not to ASBR2.  However, if you want ASBR2 to be
capable of routing traffic directly to AS16631 without sending it through
ASBR1, you can use OSPF External routes with Fwd Adr set to the next-hop
address of AS16631 (imagine that ASBR2 just doesn't have the capability of
speaking BGP.)

In fact, on Cisco IOS, the router will not let you accidentally send Fwd Adr
if you send these External routes also to AR3.  It will omit Fwd Adr and so
AR3 will utilize ASBR1 to reach the neighbor.  So Fwd Adr is only set on
LSAs flooded to the === interface.  Further, I do not believe ASBR2 would
preserve Fwd Adr when sending LSA to AR4.

As I mentioned, take my post with a grain of salt.  I may be incorrect here
about the actual functioning, as I have never, ever had reason to utilize
this in a practical network.  But if you do some reading, the intended
purpose of Fwd Adr is expressed above.  The original poster should not be
using it for what he wants to do (I don't think it will work), and should
instead utilize BGP or change his topology.

-- 
Jeff S Wheeler 
Sr Network Operator  /  Innovative Network Concepts


Re: [j-nsp] Memory for M20 SSB-E

2011-06-16 Thread Chris Cappuccio
http://juniper.cluepon.net/Unofficial_hardware_upgrades

-> 2x 
http://www.oempcworld.com/Merchant2/merchant.mvc?Screen=PROD&Product_Code=64M-EDO-DIMM-ECC

Juan C. Crespo R. [jcre...@ifxnw.com.ve] wrote:
> Guys
> 
> Does any of you know where I can find the modules for one
> Juniper M20 SSB-E? I've tried a lot on eBay & Google with no
> useful results :(
> 
> Thanks

-- 
the preceding comment is my own and in no way reflects the opinion of the Joint 
Chiefs of Staff


Re: [j-nsp] bgp to ospf

2011-06-16 Thread Payam Chychi

Hey Richard,

Were you able to figure this out?

cheers
Payam

Joseph Soricelli wrote:

What do you get from "show route f.j.h.i"?

-joe

Joseph Soricelli
JNCIE #14/ CCIE #4803
703-980-3999
j...@proteus.net 
Twitter - @proteusnetworks



On Jun 13, 2011, at 6:44 PM, Richard Zheng wrote:




On Mon, Jun 13, 2011 at 7:50 AM, Payam Chychi > wrote:


Hey Richard,

The then next-hop x.x.x.x should work as long as the next-hop is
valid 'in the routing table'.

mind showing your config?

Thanks
Payam


Customer router C sends route x.y.z.0/24 to router A. It connects 
with Router B with a /30, which is our IP block and part of OSPF. 
Router A and B talk OSPF. The issue seems to be that redistribution from 
EBGP to OSPF can't set the forward address for external routes.


On router A:

protocols {
    bgp {
        /* EBGP multihop session to customer router C */
        group cust-C {
            type external;
            multihop {
                ttl 3;
            }
            local-address a.b.c.d;
            import cust-C-in;
            export send-default-only;
            peer-as x;
            neighbor f.j.h.i {
                remove-private;
            }
        }
    }
    ospf {
        /* redistribute the customer BGP route into OSPF */
        export bgp-to-ospf;
    }
}

policy-options {
    policy-statement bgp-to-ospf {
        term hds {
            from {
                protocol bgp;
                route-filter x.y.z.0/24 exact;
            }
            then accept;
        }
        term reject-others {
            then reject;
        }
    }
    policy-statement cust-C-in {
        term set-attr {
            from {
                protocol bgp;
                route-filter x.y.z.0/24 exact;
            }
            then {
                local-preference 200;
                community add all;
                accept;
            }
        }
        term reject-others {
            then reject;
        }
    }
}









Re: [j-nsp] MX loopback filter and monitor traffic

2011-06-16 Thread Jeff Wheeler
On Thu, Jun 16, 2011 at 10:53 AM, Clarke Morledge  wrote:
> However, if I do a "monitor traffic" on the loopback interface itself, I see
> nothing:

I like to think of "monitor traffic" as something which is nice when
it works the way I hope it will, but isn't something to really get
concerned about when it doesn't behave as expected.  If you really
need detailed information to debug a problem, mirroring traffic to an
interface (or a GRE tunnel, etc.) and doing packet capture on a PC is
more reliable than betting on the output of "monitor traffic."

-- 
Jeff S Wheeler 
Sr Network Operator  /  Innovative Network Concepts



[j-nsp] MX loopback filter and monitor traffic

2011-06-16 Thread Clarke Morledge
I have a question about how the "monitor traffic" capability works on the 
loopback interface, particularly with respect to a filter.


If I write a filter, such as under a "firewall family inet filter 
re-protect" stanza, and apply it to the loopback address, unit 0:


set interfaces lo0 unit 0 family inet filter input re-protect

I can see traffic hitting the filter, if I have any counters configured in 
the filter.   I can see that the traffic coming into the filter is getting 
to the RE via any IRBs or other layer 3 interfaces that are terminated on 
the MX.   I can do a "monitor traffic"  on any of these layer 3 interfaces 
on the input side and see the relevant traffic (to and/or from the RE).


However, if I do a "monitor traffic" on the loopback interface itself, I 
see nothing:


MX> monitor traffic interface lo0.0 no-resolve
no-domain-names
verbose output suppressed, use  or  for full protocol
decode
Address resolution is OFF.
Listening on lo0.0, capture size 96 bytes

^C
0 packets received by filter
0 packets dropped by kernel


If all of the traffic that comes into the router to the RE via these 
exposed Layer3 interfaces eventually makes its way to the RE via the 
loopback address, at unit 0, why is it that the "monitor traffic" command 
does not show me anything? Why is the loopback interface so "special"?



Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187


[j-nsp] Memory for M20 SSB-E

2011-06-16 Thread Juan C. Crespo R.

Guys

Does any of you know where I can find the modules for one Juniper 
M20 SSB-E? I've tried a lot on eBay & Google with no useful results :(


Thanks


Re: [j-nsp] difference between "halt" and "power-off"

2011-06-16 Thread Sebastian Wiesinger
* Martin T  [2011-06-15 00:30]:
> What is the difference between "request system halt" and "request
> system power-off" under JUNOS? Is there a possibility to completely
> turn off the router remotely(for example in case of Cisco it's
> impossible)?

On MX "power-off" turns off the RE(s) but leaves the chassis powered.
"halt" does the same but you can reboot the RE(s) via console.

Regards

Sebastian

-- 
New GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
Old GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant