Re: [j-nsp] Shaping per logical VLAN interface
I understand that shaping-rate refers to PIR and guaranteed-rate refers to CIR. Correct me if I'm wrong. Also, if your traffic is bursty in nature you may need to consider the burst-size in bytes what the telco is doing. Also, if you are using DPCs in MX you need to consider that they use the l3 frame data part (without L2 headers) for shaping. Whereas the latest MPC (trio chipset) uses whole L2 frame (including headers IFG etc). The latest being the actual traffic on the wire, would most probably used by Telco, if you are getting a sub-rate cct on a Gig link. You probably need to use the following command: set chassis fpc x pic x traffic-manager egress-shaping-overhead x Cheers From: Chris Kawchuk juniperd...@gmail.com To: Joao Kluck gkl...@gmail.com Cc: juniper-nsp@puck.nether.net Sent: Tuesday, March 20, 2012 12:11 AM Subject: Re: [j-nsp] Shaping per logical VLAN interface If the access is a full 1Gig (to the lease provider) and all you want to do is shape each VLAN to 100 Mbit, then do this: interfaces { ge-0/0/0 { per-unit-scheduler; unit 100 { vlan/customer specific stuff goes here } unit 200 { vlan/customer specific stuff goes here } } } class-of-service { interfaces { ge-0/0/0 { unit 100 { scheduler-map MyQoS; shaping-rate 100m; } unit 200 { scheduler-map MyQoS; shaping-rate 100m; } } } } If you want to also shape the entire Gig port to an arbitrary throughput (say 500m), then you need to do something like the following: interfaces { ge-0/0/0 { hierarchical-scheduler; } } class-of-service { interfaces { ge-0/0/0 { scheduler-map MyQoS; shaping-rate 500m; unit 100 { output-traffic-control-profile 100m-shaping; } unit 200 { output-traffic-control-profile 100m-shaping; } } } traffic-control-profiles { 100m-shaping { scheduler-map MyQoS; shaping-rate 100m; } } } Note: ... I'm writing this from memory/pseudo-code... so you may need to scrub this a bit. I think you need the Q version of the cards in order to do this per VLAN or hierarchical tho. The non-Q cards I believe are only per-port shapers (not capable of per-VLAN); but someone correct me if I'm wrong here... Hope this helps...! - CK. On 2012-03-20, at 10:37 AM, Joao Kluck wrote: Dear Community, We are analyzing a scenario where we have one MX in a Hub location connecting remote sites through a 3rd part leased line provider. The MX is connected to the 3rd part provider with 1Gbps physical interface with trunked VLAN logical interface. The E-lines leased lines connecting MX hub to the remote sites provide 100Mbps (CIR=PIR). There are 4 different class of service in the internal network and the aggregated traffic needs to be shaped at 100Mbps in MX egress interface per-destination (i.e VLAN) in order to conform the Leased line SLA provider. How it the simplest way to implement this? Do we need to implement a kind of HQoS (4x CoS per shaped-VLAN)? We intend to use non-Q/EQ MPC. Thanks. Rgs, GK ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] MLPPPoLNS on JUNOS possible?
Hello, Does anyone know if it is possible to run: MLPPPoLNS (multiple ppp sessions bundled as MLPPP inside a L2TP tunnel to a LAC) with per subscriber QoS on the Juniper MX series router? I know this is possible on JUNOSe hardware i.e. Juniper E series routers but I need it to run on JUNOS based architecture, MX etc. Any help | thoughts would be appreciated. Regards Liam ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] Enhanced cFEB - Throughput
Hi All, Can anyone help me with Enhanced CFEB throughput for M10i/M7i pls. Whats is the throughput per PIC slot? Also, simialr values for normal cFEBs would also be helpful. Thanks ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX interface-range and commit scripts
* Phil Shafer p...@juniper.net [2012-03-15 15:35]: Sebastian Wiesinger writes: is there any way for a commit script running on the EX series to get the configuration *after* interface-ranges are applied? Right now the interface-range ist not expanded and the individual interface configuration is not visible for the commit script. I can manually display it with the | display inheritance cli option but I found no way to do this in the commit script. I thought that interface ranges are somewhat similar to groups but that doesn't seem to be the case. The config that gets passed to a commit script should be post-inheritance, so interface ranges should be expanded. Do you have an example of it failing? Hi, sorry for the late reply. Yes I do have an example but as this is our live network I can't post the full config here. I did trace the commit script and in the trace log I see that the config for the interfaces is not expanded and the interface-range statements are still there. (I assume that the trace log would show the expanded config?). Here is an example from the trace file: ... interface-range nameCUST-DMZ-PORT/name member-range namege-0/0/0/name end-rangege-0/0/3/end-range /member-range descriptioncustomer DMZ/description unit name0/name family ethernet-switching port-modeaccess/port-mode vlan membersCUST-DMZ/members /vlan /ethernet-switching /family /unit /interface-range ... interface namege-0/0/0/name unit name0/name family ethernet-switching /ethernet-switching /family /unit /interface ... This is with EX4200 VC running 10.4R6.5. The commit script checks if every active interface has a description and currently it emits a warning for every interface, even if the description is set in the interface-range for that interface. Regards Sebastian -- GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE) 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE. -- Terry Pratchett, The Fifth Elephant ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] Destination NAT on SRX cluster
Hello Folks, I am configuring a cluster of SRX240s running 11.1R3.5 for destination NAT. Simply, a device in the DMZ zone on a private IP address listening on port 22 needs to be reachable from the untrust zone on port 22. destination { pool wilderness { address 172.16.253.10/32 port 22; } rule-set incoming-connections { from interface reth0.352; rule port-forward { match { destination-address 88.94.205.5/32; destination-port 22; } then { destination-nat pool wilderness; } } } } proxy-arp { interface reth0.352 { address { 88.94.205.5/32; } } } I think this looks OK, but when I commit I get this error: error: The number of destination NAT pools exceeds limit of 0 [edit security nat destination rule-set incoming-connections rule port-forward then destination-nat] 'pool' failed to get pool (wilderness) error: configuration check-out failed Does anybody know whats happening here? Thanks, Leigh Porter UK Broadband __ This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com __ ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] DSCP classifier on CCC interface
Did you try setting the 802.1p field and classifying based on that? I'm about to do this also, but since this is a layer 2 service then you are right, I don't think the IP header will be looked at. But I expect that it will look at 802.1p and use that for QoS classification. -- Leigh -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp- boun...@puck.nether.net] On Behalf Of Serge Vautour Sent: 19 March 2012 18:32 To: juniper-nsp@puck.nether.net Subject: [j-nsp] DSCP classifier on CCC interface Hello, Would anyone know if it's possible to apply a DSCP classifier on a CCC interface? Here's what I have: Interface: ge-1/2/1 { encapsulation ethernet-ccc; unit 0; } Routing-Instance: instance-type l2vpn; interface ge-1/2/1.0; vrf-target target:123:41; protocols { l2vpn { encapsulation-type ethernet; no-control-word; site Site1 { site-identifier 1; interface ge-1/2/1.0; } } } Class-of-Service interface: ge-1/2/1 { unit 0 { classifiers { dscp dscp-classifier; } } } Class-of-service classifier: dscp dscp-classifier { import default; forwarding-class expedited-forwarding { loss-priority low code-points [ 101000 101001 101010 101011 101100 101101 101110 10 ]; } } Note that the L2VPN is port based. Any valid ethernet frame will go through. To test this I generate a ping and set the ToS field to 101. The classifier above should drive this to the EF class but it isn't. I'm wondering if maybe you can't use a DSCP classifier on a non-IP interface? Anybody tried this before? I thought I'd try this mailing list before opening a case. Thanks, Serge ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp __ This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com __ __ This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com __ ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Destination NAT on SRX cluster
Hi Leigh, On 20/03/2012, at 10:53 PM, Leigh Porter wrote: error: The number of destination NAT pools exceeds limit of 0 [edit security nat destination rule-set incoming-connections rule port-forward then destination-nat] 'pool' failed to get pool (wilderness) error: configuration check-out failed It looks like a bug, but try changing the from interface reth0.352 to from zone zone of interface reth0.352 and see if the issue goes away. Failing that, upgrade to 11.1R6 and see if that fixes it. Ben ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] MX BRAS and event-script for DHCP
All, I am trying to wrap my head around SLAX and the ability to write some values to the utility mib as an event script. Since I am running pre 11.x, the DHCP MIB is not implemented. What I want to do is to put the values from MX480 show network-access aaa statistics address-assignment pool routing-instance MY-VRF MY-DHCP-POOL into jnxUtilMib - so I can create pretty graphs.. Now - there is no rpc equivalent to the command above: MX480 show network-access aaa statistics address-assignment pool routing-instance MY-VRF MY-DHCP-POOL | display xml rpc rpc-reply xmlns:junos=http://xml.juniper.net/junos/10.4S8/junos; message xml rpc equivalent of this command is not available. /message cli banner/banner /cli /rpc-reply Anyone did this already? /BT ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] DSCP classifier on CCC interface
Serge: What platform/line-card are you trying this on? This is possible in JUNOS 11.4 when using Trio/MPC line-cards on the MX. See 11.4 release notes: http://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/release-notes/11.4/index.html?topic-62949.html#jd0e3519 --Addy. On Mon, Mar 19, 2012 at 2:27 PM, Serge Vautour sergevaut...@yahoo.cawrote: Hello, Would anyone know if it's possible to apply a DSCP classifier on a CCC interface? Here's what I have: Interface: ge-1/2/1 { encapsulation ethernet-ccc; unit 0; } Routing-Instance: instance-type l2vpn; interface ge-1/2/1.0; vrf-target target:123:41; protocols { l2vpn { encapsulation-type ethernet; no-control-word; site Site1 { site-identifier 1; interface ge-1/2/1.0; } } } Class-of-Service interface: ge-1/2/1 { unit 0 { classifiers { dscp dscp-classifier; } } } Class-of-service classifier: dscp dscp-classifier { import default; forwarding-class expedited-forwarding { loss-priority low code-points [ 101000 101001 101010 101011 101100 101101 101110 10 ]; } } Note that the L2VPN is port based. Any valid ethernet frame will go through. To test this I generate a ping and set the ToS field to 101. The classifier above should drive this to the EF class but it isn't. I'm wondering if maybe you can't use a DSCP classifier on a non-IP interface? Anybody tried this before? I thought I'd try this mailing list before opening a case. Thanks, Serge ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] MX960 VC Code
I'm looking for the most stable code to run MX960's in a virtual-chassis. They'll be an MPLS (RSVP and LDP signaled) PE. I've narrowed it down to one of the latest 11.2 revs or 11.4R1.14. Any opinions out there? --- Ben Boyd b...@sinatranetwork.com http://about.me/benboyd ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] MX960 VC Code
Much of the L2 functionality (VPLS, etc.) came in 11.4 and was not available in 11.2. See the release notes. I'm looking for the most stable code to run MX960's in a virtual-chassis. They'll be an MPLS (RSVP and LDP signaled) PE. I've narrowed it down to one of the latest 11.2 revs or 11.4R1.14. Any opinions out there? ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] DSCP classifier on CCC interface
Hello, I was testing this on a DPC card in an MX960. That link helps. It's not the news I wanted to hear but it helps. Thanks, Serge From: Addy Mathur addy.mat...@gmail.com To: Serge Vautour se...@nbnet.nb.ca Cc: juniper-nsp@puck.nether.net juniper-nsp@puck.nether.net Sent: Tuesday, March 20, 2012 11:49:40 AM Subject: Re: [j-nsp] DSCP classifier on CCC interface Serge: What platform/line-card are you trying this on? This is possible in JUNOS 11.4 when using Trio/MPC line-cards on the MX. See 11.4 release notes: http://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/release-notes/11.4/index.html?topic-62949.html#jd0e3519 --Addy. On Mon, Mar 19, 2012 at 2:27 PM, Serge Vautour sergevaut...@yahoo.cawrote: Hello, Would anyone know if it's possible to apply a DSCP classifier on a CCC interface? Here's what I have: Interface: ge-1/2/1 { encapsulation ethernet-ccc; unit 0; } Routing-Instance: instance-type l2vpn; interface ge-1/2/1.0; vrf-target target:123:41; protocols { l2vpn { encapsulation-type ethernet; no-control-word; site Site1 { site-identifier 1; interface ge-1/2/1.0; } } } Class-of-Service interface: ge-1/2/1 { unit 0 { classifiers { dscp dscp-classifier; } } } Class-of-service classifier: dscp dscp-classifier { import default; forwarding-class expedited-forwarding { loss-priority low code-points [ 101000 101001 101010 101011 101100 101101 101110 10 ]; } } Note that the L2VPN is port based. Any valid ethernet frame will go through. To test this I generate a ping and set the ToS field to 101. The classifier above should drive this to the EF class but it isn't. I'm wondering if maybe you can't use a DSCP classifier on a non-IP interface? Anybody tried this before? I thought I'd try this mailing list before opening a case. Thanks, Serge ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] DSCP classifier on CCC interface
Therefore, you do not have to depend on the underlying Layer 2 QoS support. So it sounds as though is the layer 2 QoS field is there you can use that. -- Leigh -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp- boun...@puck.nether.net] On Behalf Of Addy Mathur Sent: 20 March 2012 14:58 To: Serge Vautour Cc: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] DSCP classifier on CCC interface Serge: What platform/line-card are you trying this on? This is possible in JUNOS 11.4 when using Trio/MPC line-cards on the MX. See 11.4 release notes: http://www.juniper.net/techpubs/en_US/junos11.4/information- products/topic-collections/release-notes/11.4/index.html?topic- 62949.html#jd0e3519 --Addy. On Mon, Mar 19, 2012 at 2:27 PM, Serge Vautour sergevaut...@yahoo.cawrote: Hello, Would anyone know if it's possible to apply a DSCP classifier on a CCC interface? Here's what I have: Interface: ge-1/2/1 { encapsulation ethernet-ccc; unit 0; } Routing-Instance: instance-type l2vpn; interface ge-1/2/1.0; vrf-target target:123:41; protocols { l2vpn { encapsulation-type ethernet; no-control-word; site Site1 { site-identifier 1; interface ge-1/2/1.0; } } } Class-of-Service interface: ge-1/2/1 { unit 0 { classifiers { dscp dscp-classifier; } } } Class-of-service classifier: dscp dscp-classifier { import default; forwarding-class expedited-forwarding { loss-priority low code-points [ 101000 101001 101010 101011 101100 101101 101110 10 ]; } } Note that the L2VPN is port based. Any valid ethernet frame will go through. To test this I generate a ping and set the ToS field to 101. The classifier above should drive this to the EF class but it isn't. I'm wondering if maybe you can't use a DSCP classifier on a non-IP interface? Anybody tried this before? I thought I'd try this mailing list before opening a case. Thanks, Serge ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp __ This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com __ __ This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com __ ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Destination NAT on SRX cluster
From: Ben Dale [mailto:bd...@comlinx.com.au] Hi Leigh, On 20/03/2012, at 10:53 PM, Leigh Porter wrote: error: The number of destination NAT pools exceeds limit of 0 [edit security nat destination rule-set incoming-connections rule port-forward then destination-nat] 'pool' failed to get pool (wilderness) error: configuration check-out failed It looks like a bug, but try changing the from interface reth0.352 to from zone zone of interface reth0.352 and see if the issue goes away. Failing that, upgrade to 11.1R6 and see if that fixes it. Yeah I thought bug too. I tried the from zone .. but it didn't fix it. I'm just about to try 11.blah Thanks, Leigh __ This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com __ ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Decode $9$ encrypted Junos secrets
Matt Hite writes: It's interesting to note just how many things are stored in $9$ encrypted format: RADIUS secrets, IS-IS authentication keys, BGP MD5 secrets, etc. It's really obfuscation, not encryption. These are values that have to be available in raw form to various software components. So we have this unreadable type that obfuscates the values so someone looking over your shoulder won't immediately know your secrets. In contrast, user passwords are encrypted in a one way method using the normal md5 hash marker ($1$). These cannot be reversed like the $9$ values. Thanks, Phil ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Destination NAT on SRX cluster
I'd agree it seems that you're running into a bug. Trying your config on my SRX I am able to commit through. Reth's tend to be different than a normal interface from a code standpoint, but nat isn't a limitation (thank god). If you're working in a lab, try to upgrade to my code version perhaps. If you're in prod, good luck..open up a jtac case and find out which release fixes it. Sorry Leigh, best of luck. [edit security nat] root@Lab-SRX240-11# commit check configuration check succeeds [edit security nat] root@Lab-SRX240-11# show | compare [edit security nat] + destination { + pool wilderness { + address 172.16.253.10/32 port 22; + } + rule-set incoming-connections { + from interface ge-0/0/0.0; + rule port-forard { + match { + destination-address 88.94.205.5/32; + destination-port 22; + } + then { + destination-nat pool wilderness; + } + } + } + } + proxy-arp { + interface ge-0/0/0.0 { + address { + 88.94.205.5/32; + } + } + } [edit security nat] root@Lab-SRX240-11# run show version Hostname: Lab-SRX240-11 Model: srx240h-poe JUNOS Software Release [11.4R1.6] Hope this helps, -Tim Eberhard On Tue, Mar 20, 2012 at 12:09 PM, Leigh Porter leigh.por...@ukbroadband.com wrote: From: Ben Dale [mailto:bd...@comlinx.com.au] Hi Leigh, On 20/03/2012, at 10:53 PM, Leigh Porter wrote: error: The number of destination NAT pools exceeds limit of 0 [edit security nat destination rule-set incoming-connections rule port-forward then destination-nat] 'pool' failed to get pool (wilderness) error: configuration check-out failed It looks like a bug, but try changing the from interface reth0.352 to from zone zone of interface reth0.352 and see if the issue goes away. Failing that, upgrade to 11.1R6 and see if that fixes it. Yeah I thought bug too. I tried the from zone .. but it didn't fix it. I'm just about to try 11.blah Thanks, Leigh __ This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com __ ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Decode $9$ encrypted Junos secrets
On Tue, Mar 20, 2012 at 10:54 AM, Phil Shafer p...@juniper.net wrote: Matt Hite writes: It's interesting to note just how many things are stored in $9$ encrypted format: RADIUS secrets, IS-IS authentication keys, BGP MD5 secrets, etc. It's really obfuscation, not encryption. These are values that have to be available in raw form to various software components. So we have this unreadable type that obfuscates the values so someone looking over your shoulder won't immediately know your secrets. In contrast, user passwords are encrypted in a one way method using the normal md5 hash marker ($1$). These cannot be reversed like the $9$ values. Absolutely. Your clarification is appreciated. -M ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] FW: OID for BGP inet/0 and inet6.0
I forgot to mention, this is for an M router From: Darren O'Connor Sent: 20 March 2012 22:05 To: juniper-nsp@puck.nether.net Subject: OID for BGP inet/0 and inet6.0 Hi all. Does anyone know the oid value to get the current inet.0 and inet6.0 BGP total values via SNMP? Thanks Darren O'Connor _ This e-mail and all attachments have been scanned by the hSo virus scanning service and no known viruses were detected. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] OID for BGP inet/0 and inet6.0
Hi all. Does anyone know the oid value to get the current inet.0 and inet6.0 BGP total values via SNMP? Thanks Darren O'Connor _ This e-mail and all attachments have been scanned by the hSo virus scanning service and no known viruses were detected. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] Rack mounting a EX4200-48PX, concerned about weight
I've got a couple of new EX4200-48PX with dual 930W power supply which have just arrived and I'm quite concerned about the weight of the units in relation to the rack ears. It is the same ears for the EX4200/3200 family. Has anyone racked these before, if so how much sag do you get and do you suggest a shelve underneath? I've seen what a Cisco2811 does and how much it sags and this will be a lot worse. Thanks James ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Rack mounting a EX4200-48PX, concerned about weight
Yeah I had a thought about that, however they are quite pricey Thanks anyway -Original Message- From: Patrick Dickey [mailto:patrick.dic...@virtualarmor.com] Sent: Wednesday, 21 March 2012 11:26 a.m. To: James Baker; juniper-nsp@puck.nether.net Subject: RE: [j-nsp] Rack mounting a EX4200-48PX, concerned about weight James- I would suggest using the 4 post rack mounts for the EX4200. Juniper has them on the price list. They do sag a little too much for my taste as well, and with the bigger PSUs... yikes! I've seen them after a year on a 2 post stock mount and they were fine physically, though. HTH Patrick -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of James Baker Sent: Tuesday, March 20, 2012 4:20 PM To: juniper-nsp@puck.nether.net Subject: [j-nsp] Rack mounting a EX4200-48PX, concerned about weight I've got a couple of new EX4200-48PX with dual 930W power supply which have just arrived and I'm quite concerned about the weight of the units in relation to the rack ears. It is the same ears for the EX4200/3200 family. Has anyone racked these before, if so how much sag do you get and do you suggest a shelve underneath? I've seen what a Cisco2811 does and how much it sags and this will be a lot worse. Thanks James ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Rack mounting a EX4200-48PX, concerned about weight
I've got a number of customers with 10 of these on top of each other with the dual 930W PSUs - after 18 months they do have a slight dip in them, but nothing too serious. If you want a cost-effective fix though, get the 4-post rail kit, but only for the bottom switch (provided the switches are directly stacked on top of each other). That way it can take the load of the remaining switches. Ben On 21/03/2012, at 8:38 AM, James Baker wrote: Yeah I had a thought about that, however they are quite pricey Thanks anyway -Original Message- From: Patrick Dickey [mailto:patrick.dic...@virtualarmor.com] Sent: Wednesday, 21 March 2012 11:26 a.m. To: James Baker; juniper-nsp@puck.nether.net Subject: RE: [j-nsp] Rack mounting a EX4200-48PX, concerned about weight James- I would suggest using the 4 post rack mounts for the EX4200. Juniper has them on the price list. They do sag a little too much for my taste as well, and with the bigger PSUs... yikes! I've seen them after a year on a 2 post stock mount and they were fine physically, though. HTH Patrick -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of James Baker Sent: Tuesday, March 20, 2012 4:20 PM To: juniper-nsp@puck.nether.net Subject: [j-nsp] Rack mounting a EX4200-48PX, concerned about weight I've got a couple of new EX4200-48PX with dual 930W power supply which have just arrived and I'm quite concerned about the weight of the units in relation to the rack ears. It is the same ears for the EX4200/3200 family. Has anyone racked these before, if so how much sag do you get and do you suggest a shelve underneath? I've seen what a Cisco2811 does and how much it sags and this will be a lot worse. Thanks James ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Rack mounting a EX4200-48PX, concerned about weight
I have a number of the EX4200-48P switches with dual 930w PS racked and have had no problems. They sag some but not as much as I have seen with other equipment. If you are leaving space between them, you could use a 1u blanking plate on the back of a 2 post for support. The metal kind anyway. The plastic ones won't be much help. I'd worry if I was in a seismically active area. From: Brian Dantzig Senior Network Engineer Medline Industries, Inc. phone: 847.837.2795 bdant...@medline.com -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of James Baker Sent: Tuesday, March 20, 2012 5:20 PM To: juniper-nsp@puck.nether.net Subject: [j-nsp] Rack mounting a EX4200-48PX, concerned about weight I've got a couple of new EX4200-48PX with dual 930W power supply which have just arrived and I'm quite concerned about the weight of the units in relation to the rack ears. It is the same ears for the EX4200/3200 family. Has anyone racked these before, if so how much sag do you get and do you suggest a shelve underneath? I've seen what a Cisco2811 does and how much it sags and this will be a lot worse. Thanks James ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Decode $9$ encrypted Junos secrets
For one-way hash: http://www.openwall.com/john/ Matt Hite [li...@beatmixed.com] wrote: On Tue, Mar 20, 2012 at 10:54 AM, Phil Shafer p...@juniper.net wrote: Matt Hite writes: It's interesting to note just how many things are stored in $9$ encrypted format: RADIUS secrets, IS-IS authentication keys, BGP MD5 secrets, etc. It's really obfuscation, not encryption. ?These are values that have to be available in raw form to various software components. So we have this unreadable type that obfuscates the values so someone looking over your shoulder won't immediately know your secrets. In contrast, user passwords are encrypted in a one way method using the normal md5 hash marker ($1$). ? These cannot be reversed like the $9$ values. Absolutely. Your clarification is appreciated. -M ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp -- The language of the totalist environment is characterized by the thought-terminating cliche. The most far-reaching and complex of human problems are compressed into brief, highly reductive, definitive-sounding phrases, easily memorized and easily expressed. These become the start and finish of any ideological analysis. - Robert Jay Lifton ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Rack mounting a EX4200-48PX, concerned about weight
I actually mounted one of these in an older cabinet where the cage nuts were not the tightest fit, but (and I do not advocate this) taking a laptop bag strap along the back of the chassis and up to points on the back of the cabinet to act as a sling to help hold up the back. Four post rails would probably be the best solution. -b On Tue, Mar 20, 2012 at 3:19 PM, James Baker ja...@jgbaker.co.nz wrote: I've got a couple of new EX4200-48PX with dual 930W power supply which have just arrived and I'm quite concerned about the weight of the units in relation to the rack ears. It is the same ears for the EX4200/3200 family. Has anyone racked these before, if so how much sag do you get and do you suggest a shelve underneath? I've seen what a Cisco2811 does and how much it sags and this will be a lot worse. Thanks James ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp -- Bill Blackford Network Engineer Logged into reality and abusing my sudo privileges. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Supported REs for M7i
Phil Mayers [p.may...@imperial.ac.uk] wrote: I really just want an RE which can be put on support. RE-400-256 doesn't cut it, RE-850 can still, but can't be bought new, so is of less use. Which leaves the new (and by the sound of it, prohibitively expensive) RE-1800. What's the big deal here? Buy some RE-850s, refurb the flash and hard disk, re-install OS, done. So what if you can't buy it new? If you can't justify the RE-1800, you only have one option. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Rack mounting a EX4200-48PX, concerned about weight
James, I rack mounted 6 EX4200s w/ dual ps in a VC config with just the ears. They do sag. about half inch. Those ears and screws are strong! Just a preference thing, they are still standing 3 years later. Mike Azevedo On 3/20/2012 5:38 PM, James Baker wrote: Yeah I had a thought about that, however they are quite pricey Thanks anyway -Original Message- From: Patrick Dickey [mailto:patrick.dic...@virtualarmor.com] Sent: Wednesday, 21 March 2012 11:26 a.m. To: James Baker; juniper-nsp@puck.nether.net Subject: RE: [j-nsp] Rack mounting a EX4200-48PX, concerned about weight James- I would suggest using the 4 post rack mounts for the EX4200. Juniper has them on the price list. They do sag a little too much for my taste as well, and with the bigger PSUs... yikes! I've seen them after a year on a 2 post stock mount and they were fine physically, though. HTH Patrick -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of James Baker Sent: Tuesday, March 20, 2012 4:20 PM To: juniper-nsp@puck.nether.net Subject: [j-nsp] Rack mounting a EX4200-48PX, concerned about weight I've got a couple of new EX4200-48PX with dual 930W power supply which have just arrived and I'm quite concerned about the weight of the units in relation to the rack ears. It is the same ears for the EX4200/3200 family. Has anyone racked these before, if so how much sag do you get and do you suggest a shelve underneath? I've seen what a Cisco2811 does and how much it sags and this will be a lot worse. Thanks James ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] DSCP classifier on CCC interface
pbit based classifiers work fine, I've used them before. The problem is the traffic will be untagged and therefore I wanted to use DSCP/ToS. I found a similar reference in the 11.2 release notes for DPC cards. It's not ideal but at least I know why it doesn't work. Thanks -Serge From: Leigh Porter leigh.por...@ukbroadband.com To: Addy Mathur addy.mat...@gmail.com; Serge Vautour se...@nbnet.nb.ca Cc: juniper-nsp@puck.nether.net juniper-nsp@puck.nether.net Sent: Tuesday, March 20, 2012 1:59:41 PM Subject: RE: [j-nsp] DSCP classifier on CCC interface Therefore, you do not have to depend on the underlying Layer 2 QoS support. So it sounds as though is the layer 2 QoS field is there you can use that. -- Leigh -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp- boun...@puck.nether.net] On Behalf Of Addy Mathur Sent: 20 March 2012 14:58 To: Serge Vautour Cc: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] DSCP classifier on CCC interface Serge: What platform/line-card are you trying this on? This is possible in JUNOS 11.4 when using Trio/MPC line-cards on the MX. See 11.4 release notes: http://www.juniper.net/techpubs/en_US/junos11.4/information- products/topic-collections/release-notes/11.4/index.html?topic- 62949.html#jd0e3519 --Addy. On Mon, Mar 19, 2012 at 2:27 PM, Serge Vautour sergevaut...@yahoo.cawrote: Hello, Would anyone know if it's possible to apply a DSCP classifier on a CCC interface? Here's what I have: Interface: ge-1/2/1 { encapsulation ethernet-ccc; unit 0; } Routing-Instance: instance-type l2vpn; interface ge-1/2/1.0; vrf-target target:123:41; protocols { l2vpn { encapsulation-type ethernet; no-control-word; site Site1 { site-identifier 1; interface ge-1/2/1.0; } } } Class-of-Service interface: ge-1/2/1 { unit 0 { classifiers { dscp dscp-classifier; } } } Class-of-service classifier: dscp dscp-classifier { import default; forwarding-class expedited-forwarding { loss-priority low code-points [ 101000 101001 101010 101011 101100 101101 101110 10 ]; } } Note that the L2VPN is port based. Any valid ethernet frame will go through. To test this I generate a ping and set the ToS field to 101. The classifier above should drive this to the EF class but it isn't. I'm wondering if maybe you can't use a DSCP classifier on a non-IP interface? Anybody tried this before? I thought I'd try this mailing list before opening a case. Thanks, Serge ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp __ This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com __ __ This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com __ ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Enhanced cFEB - Throughput
1Gbps per PIC in cFEB-E vs 800Mbps per PIC in old cFEB On Tue, Mar 20, 2012 at 6:44 PM, Shiva S Shankar sshankar...@yahoo.comwrote: Hi All, Can anyone help me with Enhanced CFEB throughput for M10i/M7i pls. Whats is the throughput per PIC slot? Also, simialr values for normal cFEBs would also be helpful. Thanks ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp -- BR! James Chen ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] IPFIX Egress Flow not working - MX80
Hi NSP, I have got a couple of MX80 router running Junos 11.2 IPFIX (inline jflow) configured for both input and output flow sampling. One router is exporting both input and output flows correctly to flow collector but the other router is not exporting output flows only input flows. The configuration of both routers are identical. What would be the issue in the second router which is not exporting output flows? Any bugs discovered so far? How does the licensing model works for IPFIX - is it honor based licensing where the feature is disabled automatically after 30 days unless it is purchased? thanks in advance Arun ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp