Re: [j-nsp] Best way to detect abnormal traffic without enabling security?
Netflow/jflow should be useful to you.
http://kb.juniper.net/InfoCenter/index?page=contentid=KB12512

Have a look at some free collectors that will analyze the output, or consider Juniper STRM if you are running firewalling on the box too.

> I am currently using a pair of J2350 exporting about 200+ /32 BGP routes to my peer, and I've been hit by DDOS several times. The hardest part for me is to figure out which IP was getting the DDOS and deactivate that route, which will de-announce that route to my peer. However I have no established method right now to figure out which IP is getting DDOSed, so I am hoping somebody can pass along some sampling or dump method to quickly identify the troublesome dst IP.

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Best way to detect abnormal traffic without enabling security?
But jflow is not going to work in packet mode, right?

On Tue, Apr 3, 2012 at 12:15 AM, Per Granath per.gran...@gcc.com.cy wrote:
> Netflow/jflow should be useful to you.
> http://kb.juniper.net/InfoCenter/index?page=contentid=KB12512
>
> Have a look at some free collectors that will analyze the output, or consider Juniper STRM if you are running firewalling on the box too.
> [...]
Re: [j-nsp] Best way to detect abnormal traffic without enabling security?
I do not see why it would not work in packet mode. It works on the routing platforms (MX, etc) that do not support flow mode.

> But jflow is not going to work in packet mode, right?
>
> On Tue, Apr 3, 2012 at 12:15 AM, Per Granath per.gran...@gcc.com.cy wrote:
>> Netflow/jflow should be useful to you.
>> [...]
Re: [j-nsp] Best way to detect abnormal traffic without enabling security?
On Tue, Apr 3, 2012 at 12:20 AM, Yucong Sun (叶雨飞) sunyuc...@gmail.com wrote:
> But jflow is not going to work in packet mode, right?

Netflow-like reporting is probably the right way to detect these types of anomalies in a scalable manner. However, I can't speak to the performance of it on J-series. I'm guessing that since the state is probably handled in-memory and with a CPU on that platform (J-series), exporting flows will just become another DOS vector.

If you're looking to try and narrow down where the bulk of your traffic is going in a more stateless manner, consider looking at "monitor interface traffic" and looking for abnormally high numbers, or set up a firewall filter that counts term hits. Then, monitor the counters for the filter and see which terms are getting hit the most.

Alternatively, tap all of your traffic (if it's a J-series, I can't imagine it's more than 1 - 2 Gbps) and analyze it on another PC. If you have some upstream or downstream managed switches, this could be possible. Using tshark on the command line, I would run something like:

    tshark -ni eth0 -z ip_hosts,tree

to get a breakdown from a live capture as to which IPs are talking the most.

Cheers,
jof
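As an added example (not from the thread or any poster), here is the "which /32 is absorbing the traffic" step done over sampled flow records in Python, the kind of rows a jflow/NetFlow collector hands you. The records, the 1:1000 sampling rate and the 60 s export interval are constructed assumptions; the three-condition rule in suspected_targets is there so a busy but healthy server is not mistaken for the victim.

```python
from collections import defaultdict
import ipaddress
import statistics

# Constructed sample of (dst_ip, packets, bytes) rows for one export interval,
# shaped like what a jflow/NetFlow collector gives you. Addresses are RFC 5737
# documentation space; 203.0.113.10 plays the attacked host.
SAMPLE_RECORDS = [
    ("203.0.113.10", 4_800, 240_000),
    ("203.0.113.10", 5_100, 255_000),
    ("203.0.113.11", 120, 96_000),
    ("203.0.113.12", 300, 250_000),
    ("203.0.113.13", 90, 70_000),
    ("203.0.113.14", 210, 180_000),
    ("203.0.113.15", 45, 32_000),
]
SAMPLING_RATE = 1000   # assumed 1:1000 packet sampling on the exporter
INTERVAL_S = 60        # assumed export interval in seconds


def aggregate_by_dst(records):
    """Sum sampled packets and bytes per destination /32; skip malformed rows."""
    totals = defaultdict(lambda: [0, 0])
    for dst, pkts, byts in records:
        try:
            key = str(ipaddress.ip_address(dst))
        except ValueError:
            continue  # a bad exporter row must not poison the ranking
        totals[key][0] += pkts
        totals[key][1] += byts
    return {k: tuple(v) for k, v in totals.items()}


def rank_destinations(records, sampling_rate=SAMPLING_RATE, interval_s=INTERVAL_S):
    """Return [(dst, estimated_pps, share_of_sampled_packets)], busiest first."""
    totals = aggregate_by_dst(records)
    all_pkts = sum(p for p, _ in totals.values())
    ranked = []
    for dst, (pkts, _) in totals.items():
        est_pps = pkts * sampling_rate / interval_s
        share = pkts / all_pkts if all_pkts else 0.0
        ranked.append((dst, est_pps, share))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


def suspected_targets(records, pps_floor=50_000, dominance=0.5, median_factor=20):
    """Destinations that look like they are absorbing an attack.

    All three conditions must hold: estimated pps above an absolute floor,
    at least `dominance` of all sampled packets, and `median_factor` times
    the median destination's pps. Evenly spread traffic never trips this.
    """
    ranked = rank_destinations(records)
    if not ranked:
        return []
    median_pps = statistics.median(r[1] for r in ranked)
    return [
        (dst, est_pps, share)
        for dst, est_pps, share in ranked
        if est_pps >= pps_floor
        and share >= dominance
        and est_pps >= median_factor * median_pps
    ]


def withdraw_candidates(records):
    """/32 prefixes whose announcement the operator would consider pulling."""
    return [f"{dst}/32" for dst, _, _ in suspected_targets(records)]


if __name__ == "__main__":
    for dst, pps, share in rank_destinations(SAMPLE_RECORDS)[:5]:
        print(f"{dst:16} ~{pps:>10,.0f} pps  {share:6.1%}")
    print("withdraw candidates:", withdraw_candidates(SAMPLE_RECORDS))
```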
Re: [j-nsp] SRX recommended software
On 02/04/2012 22:24, Jeff Rooney wrote:
> I have a few SRX650's that are running 10.4R9.2 per the Juniper recommended release page
> http://kb.juniper.net/InfoCenter/index?page=contentid=KB21476

We are running a bunch of SRX650's on 11.1R3.5. This has thus far proven to be the most stable, and was at the time of install the recommended version by our Juniper SE.

--Lee
Re: [j-nsp] rt_pfe_veto Messages
Hi Arun,

We are experiencing the same issue after a link flap on an MX480 with DPCs. The link is carrying a v4 and v6 BGP session...

    Mar 31 19:31:38 fra1.re0 mib2d[1554]: SNMP_TRAP_LINK_DOWN: ifIndex 533, ifAdminStatus up(1), ifOperStatus down(2), ifName xe-5/3/0
    Mar 31 19:31:38 fra1.re0 rpd[1528]: bgp_ifachange_group:6485: NOTIFICATION sent to X.X.X.X (External AS 3549): code 6 (Cease) subcode 6 (Other Configuration Change), Reason: Interface change for the peer-group
    Mar 31 19:31:38 fra1.re0 rpd[1528]: bgp_ifachange_group:6485: NOTIFICATION sent to X:X:X:X::X (External AS 3549): code 6 (Cease) subcode 6 (Other Configuration Change), Reason: Interface change for the peer-group
    Mar 31 19:32:46 fra1.re0 /kernel: rt_pfe_veto: Too many delayed route/nexthop unrefs. Op 2, rtsm_id 5, msg type 2
    Mar 31 19:32:46 fra1.re0 /kernel: rt_pfe_veto: Possible slowest client is xdpc5. States processed - 184893013. States to be processed - 406929
    Mar 31 19:32:47 fra1.re0 rpd[1528]: RPD_KRT_Q_RETRIES: Route Update: No buffer space available
    Mar 31 19:32:51 fra1.re0 /kernel: rt_pfe_veto: Too many delayed route/nexthop unrefs. Op 2, rtsm_id 5, msg type 2
    Mar 31 19:32:51 fra1.re0 /kernel: rt_pfe_veto: Possible slowest client is xdpc5. States processed - 184914342. States to be processed - 385976
    Mar 31 19:32:56 fra1.re0 /kernel: rt_pfe_veto: Too many delayed route/nexthop unrefs. Op 2, rtsm_id 5, msg type 2
    Mar 31 19:32:56 fra1.re0 /kernel: rt_pfe_veto: Possible slowest client is xdpc5. States processed - 185300602. States to be processed - 2
    Mar 31 19:38:55 fra1.re0 rpd[1528]: bgp_pp_recv:3184: NOTIFICATION sent to X:X:X:X::X (External AS 3549): code 6 (Cease) subcode 7 (Connection collision resolution), Reason: dropping X:X:X:X::X (External AS 3549), connection collision prefers 2001:450:2008:1020::1+49876 (proto)

Regards,
Tobias

On 04/02/2012 05:10 PM, Arun Gandhi wrote:
> Hi Joerg,
>
> Please open a customer case.
>
> Thanks,
> Arun
>
> -----Original Message-----
> From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Joerg Staedele
> Sent: Monday, April 02, 2012 8:07 AM
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] rt_pfe_veto Messages
>
> Hi there,
>
> I have an M20 (RE-3.0) running 10.4R9 and the log is showing strange entries. I already had a look at the Juniper PR database but found nothing and have no idea if this indicates a problem or maybe is just a cosmetic problem?
>
>     rt_pfe_veto: Too many delayed route/nexthop unrefs. Op 2, rtsm_id 5, msg type 2
>     rt_pfe_veto: Possible slowest client is scb0. States processed - 21534136. States to be processed - 19306
>     rt_pfe_veto: Possible second slowest client is fpc400. States processed - 21541745. States to be processed - 11697
>     rt_pfe_veto: Too many delayed route/nexthop unrefs. Op 2, rtsm_id 5, msg type 2
>     rt_pfe_veto: Possible slowest client is scb0. States processed - 21556281. States to be processed - 18353
>     rt_pfe_veto: Possible second slowest client is fpc400. States processed - 21559490. States to be processed - 15144
>     rt_pfe_veto: Too many delayed route/nexthop unrefs. Op 2, rtsm_id 5, msg type 2
>     rt_pfe_veto: Too many delayed route/nexthop unrefs. Op 2, rtsm_id 5, msg type 2
>     rt_pfe_veto: Possible slowest client is scb0. States processed - 21577997. States to be processed - 22403
>     rt_pfe_veto: Possible second slowest client is fpc400. States processed - 21594125. States to be processed - 6275
>     rt_pfe_veto: Too many delayed route/nexthop unrefs. Op 2, rtsm_id 5, msg type 2
>     rt_pfe_veto: Possible slowest client is scb0. States processed - 21605471. States to be processed - 16070
>     rt_pfe_veto: Possible second slowest client is fpc400. States processed - 21606742. States to be processed - 14799
>     rt_pfe_veto: Too many delayed route/nexthop unrefs. Op 2, rtsm_id 5, msg type 2
>     rt_pfe_veto: Possible slowest client is scb0. States processed - 21624374. States to be processed - 19126
>     rt_pfe_veto: Possible second slowest client is fpc400. States processed - 21627352. States to be processed - 16148
>     rt_pfe_veto: Too many delayed route/nexthop unrefs. Op 2, rtsm_id 5, msg type 2
>     rt_pfe_veto: Possible slowest client is scb0. States processed - 21627451. States to be processed - 16063
>     rt_pfe_veto: Possible second slowest client is fpc400. States processed - 21643501. States to be processed - 13
>     rt_pfe_veto: Too many delayed route/nexthop unrefs. Op 2, rtsm_id 5, msg type 2
>     rt_pfe_veto: Possible slowest client is scb0. States processed - 21647439. States to be processed - 16134
>     rt_pfe_veto: Possible second slowest client is fpc400. States processed - 21663566. States to be processed - 7
>     rt_pfe_veto: Too many delayed route/nexthop unrefs. Op 2, rtsm_id 5, msg type 2
>     rt_pfe_veto: Possible slowest client is fpc400. States processed - 21665421. States to be processed - 19005
>     rt_pfe_veto: Possible second slowest client is fpc401. States processed - 21665421. States to be
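An added example, not from the thread: a Python parser for the rt_pfe_veto lines above that tracks the "States to be processed" backlog per PFE client and says whether it is draining (the post-flap churn Tobias shows, 406929 down to 2), growing, or stalled with the processed counter no longer advancing. The sample input is the MX480 lines quoted above; the verdict thresholds are this example's own.

```python
import re
from collections import defaultdict

# Kernel lines of the form seen in the thread:
#   rt_pfe_veto: Possible [second] slowest client is <client>.
#       States processed - N. States to be processed - M
VETO_CLIENT_RE = re.compile(
    r"rt_pfe_veto: Possible (?:second )?slowest client is (?P<client>\S+)\. "
    r"States processed - (?P<processed>\d+)\. States to be processed - (?P<pending>\d+)"
)
VETO_DELAY_RE = re.compile(r"rt_pfe_veto: Too many delayed route/nexthop unrefs")

# Sample input: the MX480 lines quoted above (backlog 406929 -> 385976 -> 2).
SAMPLE_LOG = """\
Mar 31 19:32:46 fra1.re0 /kernel: rt_pfe_veto: Too many delayed route/nexthop unrefs. Op 2, rtsm_id 5, msg type 2
Mar 31 19:32:46 fra1.re0 /kernel: rt_pfe_veto: Possible slowest client is xdpc5. States processed - 184893013. States to be processed - 406929
Mar 31 19:32:47 fra1.re0 rpd[1528]: RPD_KRT_Q_RETRIES: Route Update: No buffer space available
Mar 31 19:32:51 fra1.re0 /kernel: rt_pfe_veto: Too many delayed route/nexthop unrefs. Op 2, rtsm_id 5, msg type 2
Mar 31 19:32:51 fra1.re0 /kernel: rt_pfe_veto: Possible slowest client is xdpc5. States processed - 184914342. States to be processed - 385976
Mar 31 19:32:56 fra1.re0 /kernel: rt_pfe_veto: Too many delayed route/nexthop unrefs. Op 2, rtsm_id 5, msg type 2
Mar 31 19:32:56 fra1.re0 /kernel: rt_pfe_veto: Possible slowest client is xdpc5. States processed - 185300602. States to be processed - 2
"""


def parse_veto_log(text):
    """Return ([(client, processed, pending), ...], veto_events, krt_retries)."""
    samples, veto_events, krt_retries = [], 0, 0
    for line in text.splitlines():
        if VETO_DELAY_RE.search(line):
            veto_events += 1
        elif "RPD_KRT_Q_RETRIES" in line:
            krt_retries += 1  # rpd could not queue a route update to the kernel
        m = VETO_CLIENT_RE.search(line)
        if m:
            samples.append((m["client"], int(m["processed"]), int(m["pending"])))
    return samples, veto_events, krt_retries


def backlog_verdict(samples):
    """Per client, compare the first and last sample of the PFE state backlog.

    'draining' is the post-flap convergence churn the thread describes;
    'stalled' (processed counter not advancing while work is still pending)
    is the case worth raising with JTAC.
    """
    per_client = defaultdict(list)
    for client, processed, pending in samples:
        per_client[client].append((processed, pending))
    verdicts = {}
    for client, points in per_client.items():
        if len(points) < 2:
            verdicts[client] = "insufficient-data"
            continue
        (p_first, b_first), (p_last, b_last) = points[0], points[-1]
        if p_last == p_first and b_last > 0:
            verdicts[client] = "stalled"
        elif b_last < b_first:
            verdicts[client] = "draining"
        elif b_last > b_first:
            verdicts[client] = "growing"
        else:
            verdicts[client] = "flat"
    return verdicts


def assess(text):
    """One-shot summary suitable for a syslog-triggered check."""
    samples, veto_events, krt_retries = parse_veto_log(text)
    return {
        "verdicts": backlog_verdict(samples),
        "veto_events": veto_events,
        "krt_retries": krt_retries,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```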
[j-nsp] SNMP OID for sessions number
Hello List,

what is the right SNMP oid/MIB variable for monitoring of sessions number on J/SRX box?

    minotaur@BACKUP# run show security flow session summary
    node0:
    --
    Unicast-sessions: 253200
    Multicast-sessions: 0
    Failed-sessions: 382648369
    Sessions-in-use: 261820
      Valid sessions: 252169
      Pending sessions: 0
      Invalidated sessions: 8611
      Sessions in other states: 0
    Maximum-sessions: 262144

    node1:
    --
    Unicast-sessions: 26153
    Multicast-sessions: 0
    Failed-sessions: 60631844
    Sessions-in-use: 39200
      Valid sessions: 28975
      Pending sessions: 0
      Invalidated sessions: 12233
      Sessions in other states: 0
    Maximum-sessions: 262144

I want to get all these numbers via SNMP.

Thanks in advance!

-- 
MINO-RIPE
[j-nsp] Cluster with two J6350: session overflow
Hello List,

I have a strange problem with a cluster of two J6350. When there is an incoming TCP connection to any service behind the cluster, two sessions are created: one (Active) on the primary node and a second (Backup) on the secondary node:

    {primary:node1}[edit]
    minotaur@BACKUP# run show security flow session source-prefix 109.68.46.146 destination-prefix 194.247.174.36
    node0:
    --
    Session ID: 43853, Policy name: default-policy/2, State: Backup, Timeout: 1816, Valid
      In: 109.68.46.146/58423 --> 194.247.174.36/80;tcp, If: reth0.501, Pkts: 0, Bytes: 0
      Out: 194.247.174.36/80 --> 109.68.46.146/58423;tcp, If: reth0.609, Pkts: 0, Bytes: 0
    Total sessions: 1

    node1:
    --
    Session ID: 63289, Policy name: default-policy/2, State: Active, Timeout: 116, Valid
      In: 109.68.46.146/58423 --> 194.247.174.36/80;tcp, If: reth0.501, Pkts: 2, Bytes: 112
      Out: 194.247.174.36/80 --> 109.68.46.146/58423;tcp, If: reth0.609, Pkts: 1, Bytes: 60
    Total sessions: 1

When the TCP connection is closed, the session on the primary node is removed, but the one on the secondary node remains:

    {primary:node1}[edit]
    minotaur@BACKUP# run show security flow session source-prefix 109.68.46.146 destination-prefix 194.247.174.36
    node0:
    --
    Session ID: 43853, Policy name: default-policy/2, State: Backup, Timeout: 36, Valid
      In: 109.68.46.146/58423 --> 194.247.174.36/80;tcp, If: reth0.501, Pkts: 0, Bytes: 0
      Out: 194.247.174.36/80 --> 109.68.46.146/58423;tcp, If: reth0.609, Pkts: 0, Bytes: 0
    Total sessions: 1

    node1:
    --
    Total sessions: 0

Thus with a high number of incoming connections I quickly get a session table overflow on the secondary node:

    {primary:node1}[edit]
    minotaur@BACKUP# run show security flow session summary
    node0:
    --
    Unicast-sessions: 246572
    Multicast-sessions: 0
    Failed-sessions: 384359280
    Sessions-in-use: 255049
      Valid sessions: 249838
      Pending sessions: 0
      Invalidated sessions: 10560
      Sessions in other states: 0
    Maximum-sessions: 262144

    node1:
    --
    Unicast-sessions: 80512
    Multicast-sessions: 0
    Failed-sessions: 60631844
    Sessions-in-use: 91853
      Valid sessions: 76154
      Pending sessions: 0
      Invalidated sessions: 9677
      Sessions in other states: 0
    Maximum-sessions: 262144

Is there a way to change the configuration in order to remove Backup sessions together with Active ones?

Thanks in advance!

-- 
MINO-RIPE
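Added example (not from the thread): a Python check that parses the `show security flow session summary` output above per node, reads the primary from the `{primary:node1}` prompt, and raises two findings that together describe the symptom in this post, a node close to Maximum-sessions and a backup node holding far more sessions than the primary. The sample figures are the ones quoted in the post; the 85% and 1.10x thresholds are this example's assumptions.

```python
import re

# Sample input: the `show security flow session summary` figures quoted above
# (node1 was primary per the {primary:node1} prompt). The dashed separator is
# shortened; the parser ignores it anyway.
SAMPLE_SUMMARY = """\
node0:
--------------------------------------------------------------------------
Unicast-sessions: 246572
Multicast-sessions: 0
Failed-sessions: 384359280
Sessions-in-use: 255049
  Valid sessions: 249838
  Pending sessions: 0
  Invalidated sessions: 10560
  Sessions in other states: 0
Maximum-sessions: 262144

node1:
--------------------------------------------------------------------------
Unicast-sessions: 80512
Multicast-sessions: 0
Failed-sessions: 60631844
Sessions-in-use: 91853
  Valid sessions: 76154
  Pending sessions: 0
  Invalidated sessions: 9677
  Sessions in other states: 0
Maximum-sessions: 262144
"""

NODE_RE = re.compile(r"^(node\d+):\s*$")
COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s+(\d+)\s*$")
PROMPT_RE = re.compile(r"\{primary:(node\d+)\}")


def primary_from_prompt(prompt):
    """'{primary:node1}[edit]' -> 'node1' (None if not a cluster prompt)."""
    m = PROMPT_RE.search(prompt)
    return m.group(1) if m else None


def parse_session_summary(text):
    """Return {node: {counter: int}}; separator and blank lines are skipped."""
    nodes, current = {}, None
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:
            current = m.group(1)
            nodes[current] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            nodes[current][m.group(1).strip()] = int(m.group(2))
    return nodes


def node_utilization(counters):
    """Fraction of the session table in use on one node."""
    return counters["Sessions-in-use"] / counters["Maximum-sessions"]


def stale_backup_estimate(nodes, primary):
    """Rough count of backup entries not torn down with their active twin:
    how far each backup node's in-use count exceeds the primary's."""
    ref = nodes[primary]["Sessions-in-use"]
    return sum(max(0, c["Sessions-in-use"] - ref)
               for n, c in nodes.items() if n != primary)


def cluster_findings(nodes, primary, warn_at=0.85, backup_slack=1.10):
    """Alerts: a node near its table limit, or a backup node holding far more
    sessions than the primary (backup sessions are not being removed)."""
    findings = []
    for name, c in nodes.items():
        util = node_utilization(c)
        if util >= warn_at:
            findings.append(f"{name}: session table {util:.0%} full "
                            f"({c['Sessions-in-use']}/{c['Maximum-sessions']})")
    ref = nodes[primary]["Sessions-in-use"]
    for name, c in nodes.items():
        if name != primary and c["Sessions-in-use"] > backup_slack * ref:
            findings.append(f"{name}: backup holds {c['Sessions-in-use']} sessions vs "
                            f"{ref} on primary {primary}; backup entries are not "
                            f"being removed with the active ones")
    return findings


if __name__ == "__main__":
    summary = parse_session_summary(SAMPLE_SUMMARY)
    for line in cluster_findings(summary, primary_from_prompt("{primary:node1}[edit]")):
        print(line)
```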
[j-nsp] l2vpn tagged PE port to untagged PE port
Hi folks. Have built an l2vpn session but ran into an issue. One side of the session is handed off on a trunked port:

    [edit interfaces ge-1/3/9]
    flexible-vlan-tagging;
    speed 100m;
    encapsulation flexible-ethernet-services;
    unit 444 {
        description "OTA Testing";
        encapsulation vlan-ccc;
        vlan-id 444;
    }

The routing instance looks like this:

    [edit routing-instances OTA-Testing]
    instance-type l2vpn;
    interface ge-1/3/9.444;
    route-distinguisher xx.xx.xxx.71:444;
    vrf-target target:11666:9444;
    protocols {
        l2vpn {
            encapsulation-type ethernet-vlan;
            interface ge-1/3/9.444;
            site dis1.millbrook1 {
                site-identifier 71;
                interface ge-1/3/9.444 {
                    remote-site-id 59;
                }
            }
        }
    }

The other end though has an untagged port (straight Ethernet). I cannot figure out how to hand this off and keep getting an encapsulation mismatch on the l2vpn session?

    {master}[edit interfaces ge-2/1/3]
    speed 100m;
    link-mode full-duplex;
    encapsulation ethernet-ccc;
    unit 0;

Routing instance:

    {master}[edit routing-instances OTA_Testing]
    instance-type l2vpn;
    interface ge-2/1/3.0;
    route-distinguisher xx.xx.xxx.xx:444;
    vrf-target target:11666:9444;
    protocols {
        l2vpn {
            encapsulation-type ethernet;
            interface ge-2/1/3.0;
            site core1.toronto1 {
                site-identifier 59;
                interface ge-2/1/3.0 {
                    remote-site-id 71;
                }
            }
        }
    }

I contacted JTAC and they suggested a VLAN map to pop and push. This didn't work. I previously had this labbed up and can't find my notes ;)

    Layer-2 VPN connections:

    Instance: OTA_Testing
      Local site: core1.toronto1 (59)
        connection-site           Type  St     Time last up          # Up trans
        71                        rmt   EM

Any thoughts on how I can fix this?

Appreciate it,
Paul
Re: [j-nsp] SNMP OID for sessions number
SRX240 (non-cluster):
    Current flows: .1.3.6.1.4.1.2636.3.39.1.12.1.1.1.6
    Max flows:     .1.3.6.1.4.1.2636.3.39.1.12.1.1.1.7

On my SRX3400 cluster:
    Current: .1.3.6.1.4.1.2636.3.39.1.12.1.1.1.6
    Max:     .1.3.6.1.4.1.2636.3.39.1.12.1.1.1.7

SRX5600 cluster:
    Current: .1.3.6.1.4.1.2636.3.39.1.12.1.1.1.8
    Max:     .1.3.6.1.4.1.2636.3.39.1.12.1.1.1.9

On Tue, Apr 3, 2012 at 8:43 AM, Alexander Shikoff minot...@crete.org.ua wrote:
> Hello List,
>
> what is the right SNMP oid/MIB variable for monitoring of sessions number on J/SRX box?
> [...]
> I want to get all these numbers via SNMP.
Re: [j-nsp] SNMP OID for sessions number
On Tue, Apr 03, 2012 at 09:28:04AM -0400, Scott T. Cameron wrote:
> SRX240 (non-cluster):
>     Current flows: .1.3.6.1.4.1.2636.3.39.1.12.1.1.1.6
>     Max flows:     .1.3.6.1.4.1.2636.3.39.1.12.1.1.1.7
>
> On my SRX3400 cluster:
>     Current: .1.3.6.1.4.1.2636.3.39.1.12.1.1.1.6
>     Max:     .1.3.6.1.4.1.2636.3.39.1.12.1.1.1.7
>
> SRX5600 cluster:
>     Current: .1.3.6.1.4.1.2636.3.39.1.12.1.1.1.8
>     Max:     .1.3.6.1.4.1.2636.3.39.1.12.1.1.1.9

What JunOS version are you using? On my cluster of two J6350 with 10.2R3.10 all OIDs are zero:

    # snmpwalk -v2c -c public x.x.x.x .1.3.6.1.4.1.2636.3.39.1.12
    JUNIPER-JS-SMI::jnxJsSecurity.12.1.1.1.2.0 = Gauge32: 0
    JUNIPER-JS-SMI::jnxJsSecurity.12.1.1.1.2.14 = Gauge32: 0
    JUNIPER-JS-SMI::jnxJsSecurity.12.1.1.1.3.0 = Gauge32: 0
    JUNIPER-JS-SMI::jnxJsSecurity.12.1.1.1.3.14 = Gauge32: 0
    JUNIPER-JS-SMI::jnxJsSecurity.12.1.1.1.4.0 = Gauge32: 0
    JUNIPER-JS-SMI::jnxJsSecurity.12.1.1.1.4.14 = Gauge32: 0
    JUNIPER-JS-SMI::jnxJsSecurity.12.1.1.1.5.0 = Gauge32: 0
    JUNIPER-JS-SMI::jnxJsSecurity.12.1.1.1.5.14 = Gauge32: 0
    JUNIPER-JS-SMI::jnxJsSecurity.12.1.1.1.6.0 = Gauge32: 0
    JUNIPER-JS-SMI::jnxJsSecurity.12.1.1.1.6.14 = Gauge32: 0
    JUNIPER-JS-SMI::jnxJsSecurity.12.1.1.1.7.0 = Gauge32: 0
    JUNIPER-JS-SMI::jnxJsSecurity.12.1.1.1.7.14 = Gauge32: 0
    JUNIPER-JS-SMI::jnxJsSecurity.12.1.1.1.8.0 = Gauge32: 0
    JUNIPER-JS-SMI::jnxJsSecurity.12.1.1.1.8.14 = Gauge32: 0
    JUNIPER-JS-SMI::jnxJsSecurity.12.1.1.1.9.0 = Gauge32: 0
    JUNIPER-JS-SMI::jnxJsSecurity.12.1.1.1.9.14 = Gauge32: 0
    JUNIPER-JS-SMI::jnxJsSecurity.12.1.1.1.10.0 = Gauge32: 0
    JUNIPER-JS-SMI::jnxJsSecurity.12.1.1.1.10.14 = Gauge32: 1
    JUNIPER-JS-SMI::jnxJsSecurity.12.1.1.1.11.0 = STRING: node0
    JUNIPER-JS-SMI::jnxJsSecurity.12.1.1.1.11.14 = STRING: node1
    JUNIPER-JS-SMI::jnxJsSecurity.12.1.2.0 = Gauge32: 0
    JUNIPER-JS-SMI::jnxJsSecurity.12.1.3.0 = Gauge32: 0

-- 
MINO-RIPE
Re: [j-nsp] SNMP OID for sessions number
In response to:

> what is the right SNMP oid/MIB variable for monitoring of sessions number on J/SRX box?

Try this: jnxJsSPUMonitoringCurrentFlowSession which is available in the mib-jnx-js-spu-monitoring MIB.

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
[j-nsp] Regular maintenance advice
Hey all,

I am designing a document for low level technicians to regularly (depending on sensitivity of the device) log in to the Juniper router or switch to look around and make sure that things are 'ok'.

I am seeking comments on anything else that would be useful for a technician to look at that would catch their eye that something is potentially wrong.

So far I have:

---
RJ01 – Router
Description: Standard Juniper Router or Switch

1. Show log messages
   a. Look at last few days for anything suspicious
      i. Interfaces flapping
2. Show interfaces terse
   a. Anything down that shouldn't be?
3. Show chassis alarm
   a. Look for any alarm information
4. Show system snapshot
   a. If older than 1 week then 'Request system snapshot'
5. Show system uptime
   a. As expected?
6. Show system storage
   a. Confirm / (root) disk space is not getting full.
---

Skeeve Stevens, CEO
eintellego Pty Ltd
ske...@eintellego.net ; www.eintellego.net
Phone: 1300 753 383 ; Fax: (+612) 8572 9954
Cell +61 (0)414 753 383 ; skype://skeeve
facebook.com/eintellego
twitter.com/networkceoau ; www.linkedin.com/in/skeeve
PO Box 7726, Baulkham Hills, NSW 1755 Australia
The Experts Who The Experts Call
Juniper - Cisco – Brocade - IBM
Re: [j-nsp] Regular maintenance advice
On 04/04/12 00:28, Skeeve Stevens wrote:
> 1. Show log messages
>    a. Look at last few days for anything suspicious
>       i. Interfaces flapping

"show int | match flap" is your friend. Also chassisd.

> 2. Show interfaces terse
>    a. Anything down that shouldn't be?

Also anything *up* that shouldn't be. If you can be strict about it you can say anything but up/up and down/down are problems.

> 3. Show chassis alarm
>    a. Look for any alarm information

If you have any EX (at least, can't remember for SRX/J, not for M/...) also add: show system alarms (It's sad how few people know about this)

> 4. Show system snapshot
>    a. If older than 1 week then 'Request system snapshot'

er, why? Do a snapshot on OS upgrade, shouldn't be needed after that.

Verifying commit sync is default is also good.

> 5. Show system uptime
>    a. As expected?
> 6. Show system storage
>    a. Confirm / (root) disk space is not getting full.
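An added example, not from the thread: checklist item 2 and Julien's strict rule turned into a Python audit of `show interfaces terse` output. Only up/up and down/down count as healthy, up/up only for interfaces in an assumed per-device inventory of ports that should be in service, and an inventory port that is down or absent is flagged too. The terse output and the EXPECTED_UP inventory are constructed.

```python
import re

# Constructed `show interfaces terse` output (not from the thread; RFC 5737
# addresses). ge-0/0/1 is admin up / link down, and ge-0/0/3 is up/up without
# being in the expected-up inventory.
SAMPLE_TERSE = """\
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.0.2.1/30
ge-0/0/1                up    down
ge-0/0/1.0              up    down inet     192.0.2.5/30
ge-0/0/2                down  down
ge-0/0/3                up    up
lo0                     up    up
lo0.0                   up    up   inet     192.0.2.254         --> 0/0
"""

TERSE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<admin>up|down)\s+(?P<link>up|down)\b")

# Assumed per-device inventory of interfaces that are supposed to be in service.
EXPECTED_UP = {"ge-0/0/0", "ge-0/0/1", "ge-0/0/2", "lo0"}


def parse_terse(text):
    """(interface, admin, link) for each data row; the header never matches."""
    return [
        (m["name"], m["admin"], m["link"])
        for m in (TERSE_RE.match(line) for line in text.splitlines())
        if m
    ]


def audit_interfaces(text, expected_up):
    """Findings under the strict rule: only up/up and down/down are healthy,
    up/up only for inventory interfaces, and an inventory interface that is
    down or missing from the output is a problem as well."""
    findings, seen = [], set()
    for name, admin, link in parse_terse(text):
        physical = name.split(".")[0]
        is_unit = "." in name
        seen.add(physical)
        state = f"{admin}/{link}"
        if state not in ("up/up", "down/down"):
            findings.append((name, state, "admin/link mismatch"))
        elif is_unit:
            continue  # judge expectations on the physical port, not each unit
        elif physical in expected_up and state != "up/up":
            findings.append((name, state, "expected up"))
        elif physical not in expected_up and state == "up/up":
            findings.append((name, state, "up but not in inventory"))
    for name in sorted(expected_up - seen):
        findings.append((name, "absent", "inventory interface missing from output"))
    return findings


if __name__ == "__main__":
    for name, state, why in audit_interfaces(SAMPLE_TERSE, EXPECTED_UP):
        print(f"{name:14} {state:10} {why}")
```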
Re: [j-nsp] l2vpn tagged PE port to untagged PE port
Simply applying an 'input-vlan-map pop' and 'output-vlan-map push' on the trunked port (ge-1/3/9) didn't do the job? I used to have to do that all the time and don't recall encountering problems. The routing-instance encapsulation will need to be 'ethernet' on both sides once you do that.

David

On 3 April 2012 09:23, Paul Stewart p...@paulstewart.org wrote:
> Hi folks. Have built an l2vpn session but ran into an issue. One side of the session is handed off on a trunked port:
> [...]
> The other end though has an untagged port (straight Ethernet). I cannot figure out how to hand this off and keep getting an encapsulation mismatch on the l2vpn session?
> [...]
> I contacted JTAC and they suggested a VLAN map to pop and push. This didn't work.
> [...]
Re: [j-nsp] SNMP OID for sessions number
On Tue, Apr 03, 2012 at 09:56:46AM -0400, Clarke Morledge wrote:
> In response to:
>> what is the right SNMP oid/MIB variable for monitoring of sessions number on J/SRX box?
>
> Try this: jnxJsSPUMonitoringCurrentFlowSession which is available in the mib-jnx-js-spu-monitoring MIB.

Values are zero:

    JUNIPER-SRX5000-SPU-MONITORING-MIB::jnxJsSPUMonitoringCurrentFlowSession.0 = Gauge32: 0
    JUNIPER-SRX5000-SPU-MONITORING-MIB::jnxJsSPUMonitoringCurrentFlowSession.14 = Gauge32: 0

I guess this variable is not fully supported on J-series... :(

-- 
MINO-RIPE
Re: [j-nsp] Regular maintenance advice
Excellent Julian.

btw. Doing the show system snapshot on an EX4200 stack just showed me:

    user@host> show system snapshot
    error: external media missing or invalid

I'm guessing a USB key should be installed by default for this? Or you think a switch may not need it?

Skeeve Stevens, CEO
eintellego Pty Ltd

On Wed, Apr 4, 2012 at 00:41, Julien Goodwin jgood...@studio442.com.au wrote:
> [...]
Re: [j-nsp] Regular maintenance advice
If you're running the 10.4 variant that has the dual boot partitions, no USB key is needed. Just change your command to:

    show system snapshot media internal

~Adam

On Tue, Apr 3, 2012 at 10:59 AM, Skeeve Stevens skeeve+juniper...@eintellego.net wrote:
> Excellent Julian.
>
> btw. Doing the show system snapshot on an EX4200 stack just showed me:
>
>     user@host> show system snapshot
>     error: external media missing or invalid
>
> I'm guessing a USB key should be installed by default for this? Or you think a switch may not need it?
> [...]
Re: [j-nsp] l2vpn tagged PE port to untagged PE port
Thanks David. I went back and checked. Ummm. Had the VLAN maps on the opposite side (geesh!)

Appreciate the second set of eyes.. ;)

Paul

From: David Ball [mailto:davidtb...@gmail.com]
Sent: April-03-12 10:45 AM
To: Paul Stewart
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] l2vpn tagged PE port to untagged PE port

> Simply applying an 'input-vlan-map pop' and 'output-vlan-map push' on the trunked port (ge-1/3/9) didn't do the job? I used to have to do that all the time and don't recall encountering problems. The routing-instance encapsulation will need to be 'ethernet' on both sides once you do that.
>
> David
>
> On 3 April 2012 09:23, Paul Stewart p...@paulstewart.org wrote:
>> [...]
Re: [j-nsp] l2vpn tagged PE port to untagged PE port
For what it's worth, that may have eventually worked as well. You'd need to reverse your maps a bit by doing a 'push' on input and a 'pop' on output (at the untagged side), and in that case both RI encapsulations would need to be ethernet-vlan. Accomplishes the same thing, but perhaps a little less intuitive.

David

On 3 April 2012 11:27, Paul Stewart p...@paulstewart.org wrote:
> Thanks David… I went back and checked… ummm… had the VLAN maps on the opposite side (geesh!)
>
> Appreciate the second set of eyes…. ;)
>
> Paul
> [...]
Re: [j-nsp] Regular maintenance advice
Hi Skeeve,

I think forwarding messages to a syslog server will avoid the routine of logging on to the device. rsyslog or syslog-ng with a web interface and MySQL backend will allow your support to search for the desired messages using the web UI.

For uptime and disk usage, I think that SNMP is the best way.

On Apr 3, 2012 6:44 PM, Julien Goodwin jgood...@studio442.com.au wrote:
> On 04/04/12 00:28, Skeeve Stevens wrote:
>> 1. Show log messages
>>    a. Look at last few days for anything suspicious
>>       i. Interfaces flapping
>
> show int | match flap is your friend. Also chassisd
>
>> 2. Show interfaces terse
>>    a. Anything down that shouldn’t be?
>
> Also anything *up* that shouldn't be. If you can be strict about it you can say anything but up/up and down/down are problems.
>
>> 3. Show chassis alarm
>>    a. Look for any alarm information
>
> If you have any EX (at least, can't remember for SRX/J, not for M/...) also add: show system alarms
>
> (It's sad how few people know about this)
>
>> 4. Show system snapshot
>>    a. If older than 1 week then – ‘Request system snapshot’
>
> er, why? Do a snapshot on OS upgrade, shouldn't be needed after that.
>
> Verifying commit sync is default is also good.
>
>> 5. Show system uptime
>>    a. As expected?
>> 6. Show system storage
>>    a. Confirm / (root) disk space is not getting full.
Re: [j-nsp] SRX recommended software
I have a pair of 650's clustered running 11.4R1.6. In 11.4, the cluster can support GRE interfaces - which I needed. No issues with stability here.

-HTH

-----Original Message-----
From: Lee Hetherington [mailto:li...@kerfuffle.net]
Sent: Tuesday, April 03, 2012 3:54 AM
To: Jeff Rooney
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] SRX recommended software

> On 02/04/2012 22:24, Jeff Rooney wrote:
>> I have a few SRX650's that are running 10.4R9.2 per the Juniper recommended release page http://kb.juniper.net/InfoCenter/index?page=contentid=KB21476
>
> We are running a bunch of SRX650's on 11.1R3.5. This has thus far proven to be the most stable, and was at the time of install the recommended version by our Juniper SE.
>
> --Lee
Re: [j-nsp] Regular maintenance advice
On 3 April 2012 15:41, Julien Goodwin jgood...@studio442.com.au wrote:
> If you can be strict about it you can say anything but up/up and down/down are problems.

What about SONET/SDH interfaces that display down/up? The interface can be admin down, but if it's still receiving a SONET/SDH signal from the other side then line proto will be up - nothing necessarily wrong with that. :-)

In reply to Skeeve's original email, is there any reason you couldn't script something like this? At least give a device a once over and produce a summary report of problems for this device, after which the tech can then target only devices that have issues that need attention. Otherwise you find yourself wasting time looking at a bunch of boxes that don't need to be looked at when you could be doing something more productive.

Or better yet, syslog and SNMP trap collectors and some scripts that produce a dashboard highlighting any issues detected. :-)

Scripts, scripts, scripts everywhere. :-)
Re: [j-nsp] Regular maintenance advice
Skeeve,

Try this one. This should provide info about current code on both partitions on EX series.

    show system snapshot media internal
    Information for snapshot on       internal (/dev/da0s1a) (backup)
    Creation date:                    Mar 20 15:39:34 2012
    JUNOS version on snapshot:
      jbase  : 11.2R1.2
      jcrypto-ex: 11.2R1.2
      jdocs-ex: 11.2R1.2
      jkernel-ex: 11.2R1.2
      jroute-ex: 11.2R1.2
      jswitch-ex: 11.2R1.2
      jweb-ex: 11.2R1.2
    Information for snapshot on       internal (/dev/da0s2a) (primary)
    Creation date:                    Mar 20 18:08:56 2012
    JUNOS version on snapshot:
      jbase  : 11.4R1.6
      jcrypto-ex: 11.4R1.6
      jdocs-ex: 11.4R1.6
      jkernel-ex: 11.4R1.6
      jroute-ex: 11.4R1.6
      jswitch-ex: 11.4R1.6
      jweb-ex: 11.4R1.6

2012/4/3 Skeeve Stevens skeeve+juniper...@eintellego.net:
> Excellent Julien.
>
> btw. Doing the show system snapshot on an EX4200 stack just showed me:
>
>     user@host> show system snapshot
>     error: external media missing or invalid
>
> I'm guessing a USB key should be installed by default for this? or you think a switch may not need it?
>
> *Skeeve Stevens, CEO*
> eintellego Pty Ltd
> ske...@eintellego.net ; www.eintellego.net http://www.eintellego.net.au
> Phone: 1300 753 383 ; Fax: (+612) 8572 9954
> Cell +61 (0)414 753 383 ; skype://skeeve
> facebook.com/eintellego twitter.com/networkceoau ; www.linkedin.com/in/skeeve
> PO Box 7726, Baulkham Hills, NSW 1755 Australia
> The Experts Who The Experts Call
> Juniper - Cisco – Brocade - IBM
>
> On Wed, Apr 4, 2012 at 00:41, Julien Goodwin jgood...@studio442.com.au wrote:
>>> 4. Show system snapshot
>>>    a. If older than 1 week then – ‘Request system snapshot’
>>
>> er, why? Do a snapshot on OS upgrade, shouldn't be needed after that.

--
Piotr Szlenk
e-mail: piotr.szl...@gmail.com | mobile: +48793717288
Re: [j-nsp] Regular maintenance advice
I'm really looking for something more interactive when it's needed.

On Wed, Apr 4, 2012 at 02:18, Morgan Mclean wrx...@gmail.com wrote:
> Why don't you poll all of this via snmp?
>
> Sent from my iPhone
>
> On Apr 3, 2012, at 9:06 AM, Phil Shafer p...@juniper.net wrote:
>> Skeeve Stevens writes:
>>> I am designing a document for low level technicians to regularly (depending on sensitivity of the device) login to the Juniper router/or switch to look around and make sure that things are 'ok'.
>>
>> How much of this is generic (or can be made generic) enough to cook into an op script? Checks like "indicate system uptime of less than one week" and "indicate if /, /config, or /tmp is more than 90% full" are trivial, and interface flapping is simple enough, but "show suspicious log messages" are more human detectable than scriptable. I'd be happy enough to do the script work if we can come up with a reasonable set of system health diagnostic checks.
>>
>> Okay, I worked up a bit of a template for it. See attached.
>>
>> Thanks,
>> Phil
>>
>> version 1.0;
>>
>> ns junos = "http://xml.juniper.net/junos/*/junos";
>> ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
>> ns jcs extension = "http://xml.juniper.net/junos/commit-scripts/1.0";
>> ns dyn extension = "http://exslt.org/dynamic";
>>
>> import "../import/junos.xsl";
>>
>> /* Flag uptime below one week and filesystems above this used-percent */
>> param $uptime = 60 * 60 * 24 * 7;
>> param $filesystem-threshold = 80;
>>
>> var $fsnames := {
>>     <fs> "/";
>>     <fs> "/tmp";
>>     <fs> "/config";
>> }
>>
>> /* Each check names an RPC to run and one or more XPath tests; a test
>>  * that evaluates true against the RPC reply is reported as an error. */
>> var $checks := {
>>     <check> {
>>         <name> "System Uptime";
>>         <rpc> {
>>             <get-system-uptime-information>;
>>         }
>>         <test> "uptime-information/up-time/@junos:seconds < $uptime";
>>     }
>>     <check> {
>>         <name> "Filesystem Space";
>>         <rpc> {
>>             <get-system-storage>;
>>         }
>>         for-each ($fsnames/fs) {
>>             <test message=. _ " is full"> "filesystem[mounted-on = '" _ . _ "'][number(used-percent) > $filesystem-threshold]";
>>         }
>>     }
>> }
>>
>> match / {
>>     <op-script-results> {
>>         var $conn = jcs:open();
>>         for-each ($checks/check) {
>>             expr jcs:output("Checking ", name);
>>             var $check = .;
>>             expr jcs:output("[rpc ", local-name(rpc/node()), "]");
>>             var $res = jcs:execute($conn, rpc);
>>             if ($res/..//xnm:error) {
>>                 expr jcs:output("error from rpc: ", $res/..//xnm:error);
>>             } else {
>>                 for-each (test) {
>>                     var $test = .;
>>                     /* evaluate the test expression in the context of the reply */
>>                     for-each ($res) {
>>                         var $p = dyn:evaluate($test);
>>                         if (boolean($p)) {
>>                             var $msg = jcs:first-of($test/@message, "failed condition");
>>                             expr jcs:output("error from test: ", $msg);
>>                         } else {
>>                             expr jcs:output("[passed]");
>>                         }
>>                     }
>>                 }
>>             }
>>         }
>>         expr jcs:close($conn);
>>     }
>> }
Re: [j-nsp] Regular maintenance advice
Phil, Great help!

On Wed, Apr 4, 2012 at 02:06, Phil Shafer p...@juniper.net wrote:
> Okay, I worked up a bit of a template for it. See attached.
[j-nsp] Identifying an MX80-10
Hey all,

Is there any way to identify an MX80-10 (or -5, 40) from the CLI as opposed to real MX10s (5, 40)? I just wanted to confirm whether there was any difference and whether this unit is really an MX80 for all intents and purposes (2nd MIC, 10 ports, throughput).
Re: [j-nsp] JunOS 10.4R8.5 on MX5? Am I forced to run 11.4+?
2012/3/22 Timh Bergström timh.bergst...@videoplaza.com:
> I recently bought a MX5-T (Instead of the MX80-5G) and I'm running 10.4R8.5 on my other MX80s and would naturally like to run the same codebase on all my MX-series hardware. However when I try to install the 10.4R8.5 release on the MX5-T it says that the platform is not supported, I thought the MX5/10/40 was the same hardware as the MX80 (it surely looks the same, side-by-side)?

I just got an MX80 that won't boot 10.4 software. Like you, I did not want to upgrade to newer software yet, as my existing MX80s are all running 10.4R4.5 and we are satisfied with it.

FYI my Midplane is REV 09, PEMs REV 04, QXM REV 06. All part numbers are identical to my existing MX80 routers in this network; the only difference is the hardware revision numbers, and the fact that this device doesn't seem to want to run 10.4.

I guess I won't plan on deploying any new MX80s until I have time to test 11.2 or newer.

--
Jeff S Wheeler j...@inconcepts.biz
Sr Network Operator / Innovative Network Concepts
Re: [j-nsp] Regular maintenance advice
Thanks for that Piotr.

What are the current thoughts/best practices on the snapshot? Like your mis-match below, I have some switches which are the same. Should they be running a current snapshot if possible (maybe except while upgrading or becoming stable)?

On Wed, Apr 4, 2012 at 04:57, Piotr Szlenk piotr.szl...@gmail.com wrote:
> Skeeve,
>
> Try this one. This should provide info about current code on both partitions on EX series.
>
>     show system snapshot media internal
[j-nsp] EX4200 VC Pity Me
Hi all--

Trying to test a VC with two EX4200s running 10.4R9.2. Very simple. I just can't get the backup (or line card) chassis to pass traffic. Pinging the gateway out of the routing engine or master works fine. Trying to ping through the backup/line card gives me nothing. The VC is recognized (per the below). Something simple I'm doing wrong, I know.

Here's some output (and thanks for any help you might provide):

    root> show virtual-chassis
    Preprovisioned Virtual Chassis
    Virtual Chassis ID: a8ab.cf0b.66d6
                                                Mastership           Neighbor List
    Member ID  Status   Serial No     Model       priority  Role      ID  Interface
    0 (FPC 0)  Prsnt    BP0209472119  ex4200-48t     129    Master*    1  vcp-0
                                                                       1  vcp-1
    1 (FPC 1)  Prsnt    FV0211137957  ex4200-48t       0    Linecard   0  vcp-0
                                                                       0  vcp-1

    root> show virtual-chassis vc-port member 0
    fpc0:
    --------------------------------------------------------------------------
    Interface   Type        Trunk  Status   Speed    Neighbor
    or                       ID             (mbps)   ID  Interface
    PIC / Port
    vcp-0       Dedicated     1    Up       32000    1   vcp-0
    vcp-1       Dedicated     2    Up       32000    1   vcp-1

    {master:0}
    root> show virtual-chassis vc-port member 1
    fpc1:
    --------------------------------------------------------------------------
    Interface   Type        Trunk  Status   Speed    Neighbor
    or                       ID             (mbps)   ID  Interface
    PIC / Port
    vcp-0       Dedicated     1    Up       32000    0   vcp-0
    vcp-1       Dedicated     2    Up       32000    0   vcp-1

    {master:0}
    root> show configuration
    ## Last commit: 2012-02-02 09:38:58 UTC by root
    version 10.4R9.2;
    system {
        root-authentication {
            encrypted-password "bJ/GddyoJuiU2"; ## SECRET-DATA
        }
        services {
            web-management {
                http;
            }
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching;
    *!truncated!*
        vlan {
            unit 0 {
                family inet {
                    address 192.168.10.188/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 192.168.10.77;
        }
    }
    protocols {
        igmp-snooping {
            vlan all;
        }
        lldp {
            interface all;
        }
        lldp-med {
            interface all;
        }
    }
    ethernet-switching-options {
        storm-control {
            interface all;
        }
    }
    vlans {
        default {
            l3-interface vlan.0;
        }
    }
    poe {
        interface all;
    }
    virtual-chassis {
        preprovisioned;
        no-split-detection;
        member 1 {
            role line-card;
            serial-number FV0211137957;
        }
        member 0 {
            role routing-engine;
            serial-number BP0209472119;
        }
    }
Re: [j-nsp] EX4200 VC Pity Me
I could be completely wrong, but shouldn't the second 4200 be the backup RE and not forced to be a line card? Could have something to do with it.

On Apr 3, 2012, at 8:24 PM, Dave Peters d...@terabitsystems.com wrote:
> Hi all--
>
> Trying to test a VC with two EX4200s running 10.4R9.2. Very simple. I just can't get the backup (or line card) chassis to pass traffic.
Re: [j-nsp] EX4200 VC Pity Me
Hi Dave,

When you form a VC, the configuration for the second member's interfaces doesn't always get generated - make sure you have "set interfaces ge-1/0/0 unit 0 family ethernet-switching" (or whatever port you are testing from) configured.

Cheers,
Ben

On 04/04/2012, at 9:46 AM, Dave Peters wrote:
> Hi all--
>
> Trying to test a VC with two EX4200s running 10.4R9.2. Very simple. I just can't get the backup (or line card) chassis to pass traffic.
Re: [j-nsp] EX4200 VC Pity Me
Two things:

1. The configuration for interfaces on your member 1 switch has been truncated. Just make sure the config is actually there and similar to the ports you were using to plug in for testing (i.e. that they are in the same vlan, etc.). Do you learn mac addresses on member 1 when the pings don't work? Is spanning tree blocking at all?

2. Not sure what the recommendation of the day is on the 2-member VC, but you don't need the no-split-detection if you're explicitly forcing the 2nd unit into a purely line card role; no-split-detection is worthwhile in a 2-unit only config where either member may become master.

HTH
Paul Z

On Apr 3, 2012, at 17:27, Brendan Mannella wrote:
> I could be completely wrong, but shouldn't the second 4200 be the backup RE and not forced to be a line card? Could have something to do with it.
>
> On Apr 3, 2012, at 8:24 PM, Dave Peters d...@terabitsystems.com wrote:
>> Hi all--
>>
>> Trying to test a VC with two EX4200s running 10.4R9.2. Very simple. I just can't get the backup (or line card) chassis to pass traffic.
Re: [j-nsp] Regular maintenance advice
On Wed, Apr 04, 2012 at 09:27:29AM +1000, Skeeve Stevens wrote:
> On Wed, Apr 4, 2012 at 04:57, Piotr Szlenk piotr.szl...@gmail.com wrote:
>> Try this one. This should provide info about current code on both partitions on EX series.
>>
>>     show system snapshot media internal
>
> Thanks for that Piotr.
>
> What are the current thoughts/best practices on the snapshot? Like your mis-match below, I have some switches which are the same.

You need to manually synchronize the software versions from primary to backup slices on all VC members one at a time after doing a software upgrade (and verifying you are happy with the new software). Otherwise, if there is a failure/corruption of the primary flash, it will boot into the backup slice running the old version.

> Should they be running a current snapshot if possible (maybe except while upgrading or becoming stable)?

It is only necessary after a change in software version or after flash corruption such as if the switch is power cycled without being shutdown properly (substitute alternate w/1 or 2 as necessary for repair):

    ex-switch> request system snapshot media internal slice alternate member N

Another useful command to see what partitions are currently being used for what purposes:

    ex-switch> show system storage partitions
    fpc0:
    --------------------------------------------------------------------------
    Boot Media: internal (da0)
    Active Partition: da0s2a
    Backup Partition: da0s1a
    Currently booted from: active (da0s2a)

    Partitions information:
      Partition  Size   Mountpoint
      s1a        184M   altroot
      s2a        184M   /
      s3d        369M   /var/tmp
      s3e        123M   /var
      s4d        62M    /config
      s4e               unused (backup config)
Re: [j-nsp] Regular maintenance advice
Gordon, Thanks. I already have a different profile for the BGP devices with all of that.

...Skeeve

On Wed, Apr 4, 2012 at 09:15, Gordon Smith gor...@gswsystems.com wrote:
> Most of this you can automate on your monitoring boxes. e.g. use rancid to generate an email on config changes; interfaces flapping, chassis alarms will generate SNMP alerts.
>
> You only need to snapshot when upgrading code. Definitely make that part of the upgrade procedure, and let rancid keep track of the config.
>
> Another thing to look at would be BGP peers - number of routes, uptimes, etc. Low uptimes on a peer can indicate a problem at the far end that the cust isn't aware of.
>
> Cheers,
> Gordon
>
> On Wed, 4 Apr 2012 00:28:09 +1000, Skeeve Stevens wrote:
>> Hey all,
>>
>> I am designing a document for low level technicians to regularly (depending on sensitivity of the device) login to the Juniper router/or switch to look around and make sure that things are 'ok'.
>>
>> I am seeking comments of anything else that would be useful for a technician to look at that would catch their eye that something is potentially wrong.
>>
>> So far I have:
>>
>> ---
>> RJ01 – Router
>> Description: Standard Juniper Router or Switch
>>
>> 1. Show log messages
>>    a. Look at last few days for anything suspicious
>>       i. Interfaces flapping
>> 2. Show interfaces terse
>>    a. Anything down that shouldn’t be?
>> 3. Show chassis alarm
>>    a. Look for any alarm information
>> 4. Show system snapshot
>>    a. If older than 1 week then – ‘Request system snapshot’
>> 5. Show system uptime
>>    a. As expected?
>> 6. Show system storage
>>    a. Confirm / (root) disk space is not getting full.
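The off-box version of this checklist that Lee and Gordon suggest, as an added example that is not code from the thread, from Juniper, or from Phil's op script: it applies Julien's "anything but up/up or down/down is a problem" rule with Lee's SONET/SDH down/up caveat, plus Phil's filesystem and uptime thresholds, to captured CLI text. The column layouts of the three samples are assumed from typical Junos output and the sample lines themselves are constructed, not taken from a real device.

```python
"""Offline health check over captured Junos CLI output (constructed samples)."""
import re
from datetime import timedelta

# Constructed sample of 'show interfaces terse' (physical interfaces only).
SHOW_INTERFACES_TERSE = """\
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/1                up    down
ge-0/0/2                down  down
so-1/0/0                down  up
"""

# Constructed sample of 'show system storage'.
SHOW_SYSTEM_STORAGE = """\
Filesystem              Size       Used      Avail  Capacity   Mounted on
/dev/da0s2a             184M       160M        24M       87%  /
devfs                   1.0K       1.0K         0B      100%  /dev
/dev/da0s3e             123M        10M       103M        9%  /var
/dev/da0s4d              62M       2.0M        55M        4%  /config
"""

# Constructed sample of 'show system uptime'; only the 'System booted' line is parsed.
SHOW_SYSTEM_UPTIME = """\
Current time: 2012-04-04 09:27:29 UTC
System booted: 2012-04-02 18:10:00 UTC (1d 15:17 ago)
"""

FILESYSTEM_THRESHOLD = 80                   # same role as $filesystem-threshold in the op script
MIN_UPTIME = timedelta(days=7)              # same role as $uptime in the op script
CHECKED_MOUNTS = ("/", "/tmp", "/config")   # same set as the op script's $fsnames


def check_interfaces(text):
    """Return (errors, warnings) for the physical interfaces listed in `text`."""
    errors, warnings = [], []
    for line in text.splitlines()[1:]:          # skip the column header
        parts = line.split()
        if len(parts) < 3:
            continue
        name, admin, link = parts[:3]
        if admin == link:                        # up/up or down/down: nothing to report
            continue
        if name.startswith("so-") and admin == "down" and link == "up":
            # Lee's case: admin down but still receiving a SONET/SDH signal.
            warnings.append(f"{name} down/up: admin down but SONET/SDH signal present")
        else:
            errors.append(f"{name} {admin}/{link}")
    return errors, warnings


def check_storage(text, threshold=FILESYSTEM_THRESHOLD, mounts=CHECKED_MOUNTS):
    """Return [(mountpoint, used_percent)] for checked mounts above `threshold`."""
    row = re.compile(r"\S+\s+\S+\s+\S+\s+\S+\s+(\d+)%\s+(\S+)$")
    full = []
    for line in text.splitlines()[1:]:
        m = row.match(line.strip())
        if m and m.group(2) in mounts and int(m.group(1)) > threshold:
            full.append((m.group(2), int(m.group(1))))
    return full


def check_uptime(text, minimum=MIN_UPTIME):
    """Return (uptime, ok): uptime parsed from the '(... ago)' tail of the
    'System booted' line; ok is False when the box rebooted within `minimum`."""
    m = re.search(r"System booted:.*\((?:(\d+)w)?(?:(\d+)d)?\s*(\d+):(\d+) ago\)", text)
    if not m:
        raise ValueError("no 'System booted' line found")
    weeks, days, hours, minutes = (int(g or 0) for g in m.groups())
    uptime = timedelta(weeks=weeks, days=days, hours=hours, minutes=minutes)
    return uptime, uptime >= minimum


def run_checks(terse=SHOW_INTERFACES_TERSE, storage=SHOW_SYSTEM_STORAGE,
               uptime=SHOW_SYSTEM_UPTIME):
    """Run every check and return the report lines a technician would read."""
    report = []
    errors, warnings = check_interfaces(terse)
    report += [f"ERROR interface {e}" for e in errors]
    report += [f"WARN  interface {w}" for w in warnings]
    report += [f"ERROR {mp} is {pct}% full (threshold {FILESYSTEM_THRESHOLD}%)"
               for mp, pct in check_storage(storage)]
    up, ok = check_uptime(uptime)
    if not ok:
        report.append(f"ERROR uptime only {up}; rebooted within the last {MIN_UPTIME.days} days")
    return report


if __name__ == "__main__":
    for line in run_checks():
        print(line)
```

Feed it the saved output of the three commands from each device and only the boxes that produce report lines need a human's attention.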