Re: [j-nsp] CGN ob MX5?

2012-04-16 Thread magno
Hi Pavel, some corrections inline.

Ciao
Magno

On Sat, Apr 14, 2012 at 2:09 PM, Pavel Lunin  wrote:

> Hi,
>
> Until Juniper realizes MS-MIC (I have no idea when it will happen) MX5–80
> boxes really support no NAT at all.
>
[MAGNO] Not dynamic NAT (or PBA), just static 1:1 NAT

>
> What they call Inline NAT on Trio (recently realized) is by now… umm… sort
> of a patch for a particular customer or something like. It only supports
> 1:1 bidirectional static mapping, which in no way has any relation to CGN.
> If you take the license price into account, you'll understand what my
> "umm…"  really means.
>
> AFAIK, the idea behind real inline NAT (not just static mapping) on Trio is
> using the embedded TCAM memory. Something like what NetScreen/ISG firewalls
> did. This approach processes first packets through the 'long cycle' in
> software and then offloads the session state to TCAM, through which the
> subsequent packets are switched.
>
[MAGNO] Not really. 1:1 static NAT is not using TCAM; basically it is a
very basic form of NAT which won't require the maintenance of any
connection table.
Handling a connection table to support dynamic forms of NAT is not suitable
for TRIO (or for any other forwarding ASIC), for both memory constraints and
processing time.

>
> Two challenges arise here:
>
> 1. The need for a flexible and powerful CPU for 'long cycle' processing.
> I'm afraid, the LU-chip inside Trio is not the best thing here.
> 2. TCAM update speed bottleneck.
>
[MAGNO] LU may even be able to do NAT, it is really very flexible indeed,
but it can't maintain any session / connection table, for sure not at
scale. MS-DPC has for instance 4 Gigabytes of RAM and a dedicated multicore
processor to do it. TCAM is not used in inline NAT.


> If you take a look at the new session per second rate of any TCAM-based
> flow-device, you'll see it's quite not much in the context of CGN.
>
> However, as of what I know, Juniper mobile team, which develops GGSN from
> MX, is going this way and they even have special MPCs with extended TCAM.
> In mobile world, though, where session lengths are usually longer on
> account of the lower access rates and, consequently, the new sps rates are
> also lower, theoretically, this can be a solution.
>
[MAGNO] The TCAM won't be enlarged on the new Enhanced MPCs, just a region
of LU memory will be doubled. TCAM is physically present inside MPCs but it
is not used by any software as of today. TCAMs are not the most suitable
solution to scale and maintain low power consumption, for instance.

> --
> Pavel
>  ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
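The point Magno makes above (static 1:1 NAT needs no connection table, dynamic NAT does) can be made concrete with a small model. The following Python is an added illustration written for this archive, not Juniper code and not a description of how Trio or MS-DPC actually implement anything; the prefixes, public address and port pool are constructed values. The static translator is a pure function of the address and two equally sized prefixes, so the reverse direction is the same function with the prefixes swapped; the dynamic NAPT class must allocate a public port and keep two table entries per flow, and return traffic is undeliverable without a lookup in that table.

```python
"""Stateless 1:1 static NAT versus stateful dynamic NAPT (toy model).

Added example for the thread above; not Juniper code. It shows why a
1:1 static mapping needs no connection table while dynamic (CGN-style)
NAT must keep per-flow state that grows with the number of sessions.
"""
import ipaddress


def static_nat(addr: str, from_net: str, to_net: str) -> str:
    """1:1 static NAT: rewrite the network bits, keep the host bits.

    Nothing is stored. The reverse translation is this same function
    with from_net and to_net swapped, which is all an inline,
    table-free implementation needs.
    """
    src = ipaddress.ip_network(from_net)
    dst = ipaddress.ip_network(to_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 mapping needs equally sized prefixes")
    ip = ipaddress.ip_address(addr)
    if ip not in src:
        raise ValueError(f"{addr} is outside {from_net}")
    host_bits = int(ip) - int(src.network_address)
    return str(dst.network_address + host_bits)


class DynamicNapt:
    """Many-to-one dynamic NAT with port translation (the CGN case).

    Each new flow consumes one public port and two table entries, and
    return traffic can only be delivered by looking the flow up. That
    table must sit in memory large enough for the session count and
    updatable at the new-session rate.
    """

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.forward = {}  # (inside_ip, inside_port) -> public_port
        self.reverse = {}  # public_port -> (inside_ip, inside_port)

    def outbound(self, inside_ip: str, inside_port: int):
        """Translate an outgoing flow, allocating a public port on first sight."""
        key = (inside_ip, inside_port)
        if key not in self.forward:
            if self.next_port > self.last_port:
                raise RuntimeError("public port pool exhausted")
            port = self.next_port
            self.next_port += 1
            self.forward[key] = port
            self.reverse[port] = key
        return self.public_ip, self.forward[key]

    def inbound(self, public_port: int):
        """Reverse translation needs the table; unknown ports get None (drop)."""
        return self.reverse.get(public_port)

    def session_count(self) -> int:
        return len(self.forward)


def state_needed(subscribers: int, flows_per_subscriber: int) -> dict:
    """Table entries each scheme needs for a constructed synthetic load."""
    napt = DynamicNapt("198.51.100.1")  # constructed public address
    for s in range(subscribers):
        inside_ip = str(ipaddress.ip_address("10.0.0.0") + s)
        for f in range(flows_per_subscriber):
            napt.outbound(inside_ip, 10000 + f)
    return {"static_1to1_entries": 0,
            "dynamic_napt_entries": napt.session_count()}


if __name__ == "__main__":
    print(static_nat("10.0.0.7", "10.0.0.0/24", "203.0.113.0/24"))
    print(state_needed(subscribers=100, flows_per_subscriber=50))
```

Scaling the arguments of state_needed to a realistic subscriber count is what turns the dynamic table into the memory and update-rate problem the thread is about; the static column stays at zero regardless.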


Re: [j-nsp] Problem with API connection and errors

2012-04-16 Thread Skeeve Stevens
Model: mx80
JUNOS Base OS boot [11.2R4.3]

It is indeed an MX80, but running 11.2R4.3

and I have more than just jl2tpd having issues.

Apr 11 18:34:50  HOST-PE01 init: can not access /usr/sbin/jl2tpd: No such
file or directory
Apr 11 18:34:50  HOST-PE01 init: can not access /usr/sbin/relayd: No such
file or directory
Apr 11 18:34:50  HOST-PE01 init: can not access /usr/sbin/jddosd: No such
file or directory

*Skeeve Stevens, CEO*
eintellego Pty Ltd
ske...@eintellego.net ; www.eintellego.net 

Phone: 1300 753 383 ; Fax: (+612) 8572 9954

Cell +61 (0)414 753 383 ; skype://skeeve

facebook.com/eintellego

twitter.com/networkceoau ; www.linkedin.com/in/skeeve

PO Box 7726, Baulkham Hills, NSW 1755 Australia

The Experts Who The Experts Call
Juniper - Cisco – Brocade - IBM



On Tue, Apr 17, 2012 at 03:17, Dan Young  wrote:

> On Mon, Apr 16, 2012 at 9:40 AM, Skeeve Stevens
>  wrote:
> >
> > Hey everyone.
> >
> > We're using the JUNOScript method to provision services on our MX80's.
> >
> > We have an issue where a bunch of processes seem to be having issues.
> >
> > Does anything below look familiar to anyone?
> >
> > I am concerned by the following mostly:
> >
> > init: ddos-service
> > the No such file or directory's
>
> The "No such file or directory" for jl2tpd and relayd sound like
> PR/581093 as noted in the 11.1r1-4 release notes.
>
> --
> Dan Young 
> Cascade Technology Alliance / MESD - Network Services
> 503-257-1562


[j-nsp] ERX: ICR with bulk interfaces

2012-04-16 Thread Martin Lorentz
Hi,

Has anyone ever tried using bulk configured interfaces with ICR (inter chassis
redundancy) in JunosE?

The bulk config and the ICR config bits alone seem to work, but once it's put
together, it breaks: the PPPoE session is terminated before it gets to
authenticate the user. 'show vlan subinterface' shows the dynamically created
interface on the router which is in ICR master state.

Here are the relevant bits from the config of one of the ERX:

profile "vlan-pppoe"
 vlan auto-configure pppoe
 svlan ethertype 8100
 vlan profile pppoe pppoeGoetel
! 
[...]
interface gigabitEthernet 1/1
 mtu 1522 
 encapsulation vlan
 auto-configure vlan
 vlan bulk-config "bulk-pppoe"
 profile vlan bulk-config "bulk-pppoe" "vlan-pppoe"
 vlan bulk-config "bulk-pppoe" vlan-range 80 89
! 
interface gigabitEthernet 1/1.23
 vlan id 23 icr-control-interface
 ip address 10.1.0.10 255.255.255.248
 ip vrrp 23 virtual-address 10.1.0.9
 no ip vrrp 23 preempt
 ip vrrp 23 priority 200
 ip vrrp 23 enable
 ip vrrp 23 icr-partition icrVlan
 ip vrrp 23 icr-partition group vlan
 ip vrrp 23 icr-partition vlan-range 80 89 advertise-mac control-interface
! 

This is an ERX-310 with JUNOSe 11.3.2. The other ERX in the ICR pair is 
configured accordingly. When I disable the dynamic interface creation on the 
backup router with "no auto-configure vlan", the PPPoE client connects just 
fine. On the other hand, if I get rid of the "vlan bulk-config" and statically 
configure the PPPoE VLAN interfaces, it also works as expected. What am I 
missing?

Regards,
Martin



Re: [j-nsp] Problem with API connection and errors

2012-04-16 Thread Dan Young
On Mon, Apr 16, 2012 at 9:40 AM, Skeeve Stevens
 wrote:
>
> Hey everyone.
>
> We're using the JUNOScript method to provision services on our MX80's.
>
> We have an issue where a bunch of processes seem to be having issues.
>
> Does anything below look familiar to anyone?
>
> I am concerned by the following mostly:
>
> init: ddos-service
> the No such file or directory's

The "No such file or directory" for jl2tpd and relayd sound like
PR/581093 as noted in the 11.1r1-4 release notes.

--
Dan Young 
Cascade Technology Alliance / MESD - Network Services
503-257-1562


[j-nsp] Problem with API connection and errors

2012-04-16 Thread Skeeve Stevens
Hey everyone.

We're using the JUNOScript method to provision services on our MX80's.

We have an issue where a bunch of processes seem to be having issues.

Does anything below look familiar to anyone?

I am concerned by the following mostly:

init: ddos-service
the No such file or directory's

After this started to occur, we've had problems (connection refused) for
the API.

...Skeeve

---

Apr 11 18:34:44  HOST-PE01 stunnel[53690]: stunnel 4.04 on
i386-unknown-freebsd4.2 FORK+LIBWRAP with OpenSSL 0.9.8r 8 Feb 2011
Apr 11 18:34:44  HOST-PE01 stunnel[53690]: stunnel connected from
x.y.z.162:11325
Apr 11 18:34:45  HOST-PE01 jade[53691]: JADE_AUTH_SUCCESS: Authentication
succeded for user 'USERNAME'
Apr 11 18:34:49  HOST-PE01 file[53691]: UI_COMMIT: User 'USERNAME'
requested 'commit' operation (comment: none)
Apr 11 18:34:50  HOST-PE01 init: can not access /usr/sbin/jl2tpd: No such
file or directory
Apr 11 18:34:50  HOST-PE01 init: ce-l2tp-service (PID 0) started
Apr 11 18:34:50  HOST-PE01 init: can not access /usr/sbin/relayd: No such
file or directory
Apr 11 18:34:50  HOST-PE01 init: relay-process (PID 0) started
Apr 11 18:34:50  HOST-PE01 init: can not access /usr/sbin/jddosd: No such
file or directory
Apr 11 18:34:50  HOST-PE01 init: ddos-service (PID 0) started
Apr 11 18:34:51  HOST-PE01 l2cp[53722]: Initializing PNAC state machines
Apr 11 18:34:51  HOST-PE01 l2cp[53722]: Initializing PNAC state machines
complete
Apr 11 18:34:51  HOST-PE01 l2cp[53722]: Initialized 802.1X module and state
machines
Apr 11 18:34:51  HOST-PE01 l2cp[53722]: Read acess profile () config
Apr 11 18:34:53  HOST-PE01 file[53691]: UI_COMMIT: User 'USERNAME'
requested 'commit' operation (comment: none)
Apr 11 18:34:54  HOST-PE01 init: can not access /usr/sbin/jl2tpd: No such
file or directory
Apr 11 18:34:54  HOST-PE01 init: ce-l2tp-service (PID 0) started
Apr 11 18:34:54  HOST-PE01 init: can not access /usr/sbin/relayd: No such
file or directory
Apr 11 18:34:54  HOST-PE01 init: relay-process (PID 0) started
Apr 11 18:34:54  HOST-PE01 init: can not access /usr/sbin/jddosd: No such
file or directory
Apr 11 18:34:54  HOST-PE01 init: ddos-service (PID 0) started
Apr 11 18:34:54  HOST-PE01 l2cp[53754]: Initializing PNAC state machines
Apr 11 18:34:54  HOST-PE01 l2cp[53754]: Initializing PNAC state machines
complete
Apr 11 18:34:54  HOST-PE01 l2cp[53754]: Initialized 802.1X module and state
machines
Apr 11 18:34:54  HOST-PE01 l2cp[53754]: Read acess profile () config
Apr 11 18:34:54  HOST-PE01 ffp[53756]: "dynamic-profiles": No change to
profiles
Apr 11 18:34:57  HOST-PE01 l2cp[1185]: Read acess profile () config
Apr 11 18:35:18  HOST-PE01 file[53691]: UI_COMMIT: User 'USERNAME'
requested 'commit' operation (comment: none)
Apr 11 18:35:20  HOST-PE01 l2cp[53794]: Initializing PNAC state machines
Apr 11 18:35:20  HOST-PE01 l2cp[53794]: Initializing PNAC state machines
complete
Apr 11 18:35:20  HOST-PE01 l2cp[53794]: Initialized 802.1X module and state
machines
Apr 11 18:35:20  HOST-PE01 l2cp[53794]: Read acess profile () config
Apr 11 18:35:22  HOST-PE01 file[53691]: UI_COMMIT: User 'USERNAME'
requested 'commit' operation (comment: none)
Apr 11 18:35:23  HOST-PE01 l2cp[53822]: Initializing PNAC state machines
Apr 11 18:35:23  HOST-PE01 l2cp[53822]: Initializing PNAC state machines
complete
Apr 11 18:35:23  HOST-PE01 l2cp[53822]: Initialized 802.1X module and state
machines
Apr 11 18:35:23  HOST-PE01 l2cp[53822]: Read acess profile () config
Apr 11 18:35:23  HOST-PE01 ffp[53824]: "dynamic-profiles": No change to
profiles
Apr 11 18:35:24  HOST-PE01 l2cp[1185]: Read acess profile () config
Apr 11 18:35:40  HOST-PE01 file[53691]: UI_COMMIT: User 'USERNAME'
requested 'commit' operation (comment: none)
Apr 11 18:35:41  HOST-PE01 init: can not access /usr/sbin/jl2tpd: No such
file or directory
Apr 11 18:35:41  HOST-PE01 init: ce-l2tp-service (PID 0) started
Apr 11 18:35:41  HOST-PE01 init: can not access /usr/sbin/relayd: No such
file or directory
Apr 11 18:35:41  HOST-PE01 init: relay-process (PID 0) started
Apr 11 18:35:41  HOST-PE01 init: can not access /usr/sbin/jddosd: No such
file or directory
Apr 11 18:35:41  HOST-PE01 init: ddos-service (PID 0) started
Apr 11 18:35:41  HOST-PE01 file[53691]: UI_CHILD_EXITED: Child exited: PID
53847, status 1, command '/sbin/dcd'
Apr 11 18:35:42  HOST-PE01 file[53691]: UI_CHILD_EXITED: Child exited: PID
53857, status 1, command '/usr/sbin/l2ald'
Apr 11 18:35:42  HOST-PE01 l2cp[53858]: Initializing PNAC state machines
Apr 11 18:35:42  HOST-PE01 l2cp[53858]: Initializing PNAC state machines
complete
Apr 11 18:35:42  HOST-PE01 l2cp[53858]: Initialized 802.1X module and state
machines
Apr 11 18:35:42  HOST-PE01 file[53691]: UI_CHILD_EXITED: Child exited: PID
53858, status 1, command '/usr/sbin/l2cpd'
Apr 11 18:35:43  HOST-PE01 stunnel[53690]: Connection closed: 4032 bytes
sent to SSL, 4336 bytes sent to socket

---

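A small triage script for the excerpt above, added here as an example and not part of the original post or of any Juniper tooling. It parses the Junos syslog lines, collects the binaries init reports as missing, counts UI_COMMIT events, and lists the UI child processes that exited with a non-zero status, which is the combination (daemons missing on every commit, then dcd/l2ald/l2cpd exiting 1 and the stunnel session closing) worth flagging before the API connection refusals. The sample lines are taken from the post's log with the mail-client line wraps rejoined; the hostname and username are the post's own placeholders.

```python
"""Triage helper for the Junos syslog excerpt above (added example).

Reports binaries init could not exec, commit count, and UI child
processes that exited non-zero. Not part of the original post.
"""
import re

# Generic Junos syslog shape: "Mon DD HH:MM:SS  host proc[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<proc>[\w-]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$"
)
MISSING_RE = re.compile(r"can not access (?P<path>\S+): No such file or directory")
CHILD_RE = re.compile(
    r"UI_CHILD_EXITED: Child exited: PID (?P<pid>\d+), status (?P<status>\d+), "
    r"command '(?P<cmd>[^']+)'"
)

# Constructed from the log in the post, with wrapped lines re-joined.
SAMPLE_LOG = """\
Apr 11 18:34:49  HOST-PE01 file[53691]: UI_COMMIT: User 'USERNAME' requested 'commit' operation (comment: none)
Apr 11 18:34:50  HOST-PE01 init: can not access /usr/sbin/jl2tpd: No such file or directory
Apr 11 18:34:50  HOST-PE01 init: ce-l2tp-service (PID 0) started
Apr 11 18:34:50  HOST-PE01 init: can not access /usr/sbin/relayd: No such file or directory
Apr 11 18:34:50  HOST-PE01 init: relay-process (PID 0) started
Apr 11 18:34:50  HOST-PE01 init: can not access /usr/sbin/jddosd: No such file or directory
Apr 11 18:34:50  HOST-PE01 init: ddos-service (PID 0) started
Apr 11 18:35:40  HOST-PE01 file[53691]: UI_COMMIT: User 'USERNAME' requested 'commit' operation (comment: none)
Apr 11 18:35:41  HOST-PE01 init: can not access /usr/sbin/jl2tpd: No such file or directory
Apr 11 18:35:41  HOST-PE01 file[53691]: UI_CHILD_EXITED: Child exited: PID 53847, status 1, command '/sbin/dcd'
Apr 11 18:35:42  HOST-PE01 file[53691]: UI_CHILD_EXITED: Child exited: PID 53857, status 1, command '/usr/sbin/l2ald'
Apr 11 18:35:42  HOST-PE01 file[53691]: UI_CHILD_EXITED: Child exited: PID 53858, status 1, command '/usr/sbin/l2cpd'
Apr 11 18:35:43  HOST-PE01 stunnel[53690]: Connection closed: 4032 bytes sent to SSL, 4336 bytes sent to socket
"""


def parse_line(line: str):
    """Split one syslog line into its fields, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Aggregate the three signals a troubleshooter wants from this log."""
    missing, failed, commits = set(), [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # continuation or unparseable line
        msg = rec["msg"]
        if rec["proc"] == "init" and (m := MISSING_RE.search(msg)):
            missing.add(m["path"])
        elif msg.startswith("UI_COMMIT:"):
            commits += 1
        elif (m := CHILD_RE.search(msg)):
            if int(m["status"]) != 0:
                failed.append((int(m["pid"]), int(m["status"]), m["cmd"]))
    return {"commits": commits,
            "missing_binaries": sorted(missing),
            "failed_children": failed}


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{k}: {v}")
```

Feeding the full messages file through summarize() (for example after "file show /var/log/messages") gives the same three lists for the real box; a missing-binary set that is non-empty on every commit is a package or image problem rather than a configuration one, which is the direction the reply in this thread points.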

Re: [j-nsp] Capturing/displaying contents of incoming packets

2012-04-16 Thread Kevin Cullimore

On 4/16/2012 4:35 AM, Phil Mayers wrote:

On 04/15/2012 09:01 AM, Daniel Roesen wrote:

On Fri, Apr 13, 2012 at 04:17:51PM +0100, Phil Mayers wrote:

On 13/04/12 16:11, Jose Madrid wrote:
Why not just use "monitor interface"?  I have used it in the past and it's a
tcpdump-like output.


That just shows control-plane packets.


And only those control-plane packets which go from/to the routing
engine. Packets handled by distributed PPM on the linecards won't show
up. E.g. BFD, LACP, ...


Interesting. I didn't know that (but then we don't have any
distributed Juniper kit at the mo). Useful to know, but not useful for
it to be that way ;o)

On at least some combinations of hardware/software you can disable PFE
PPM processing, which at least leaves you with some decent visibility
for intermediate-system to intermediate-system basic connectivity
troubleshooting.







[j-nsp] EX4200 Captive Portal

2012-04-16 Thread Manaf Al Oqlah
Hi, 

I have configured captive portal on an EX4200 switch and users are authenticated
using a RADIUS server. How can I specify speed for each user using RADIUS
attributes or any other way?

Regards.


Re: [j-nsp] Capturing/displaying contents of incoming packets

2012-04-16 Thread Phil Mayers

On 04/15/2012 09:01 AM, Daniel Roesen wrote:

On Fri, Apr 13, 2012 at 04:17:51PM +0100, Phil Mayers wrote:

On 13/04/12 16:11, Jose Madrid wrote:

Why not just use "monitor interface"?  I have used it in the past and it's a
tcpdump-like output.


That just shows control-plane packets.


And only those control-plane packets which go from/to the routing
engine. Packets handled by distributed PPM on the linecards won't show
up. E.g. BFD, LACP, ...


Interesting. I didn't know that (but then we don't have any distributed 
Juniper kit at the mo). Useful to know, but not useful for it to be that 
way ;o)
