Re: [j-nsp] what is different between bridge and ethernet-switching ?

2012-08-15 Thread Atif Saleem
Well, using the one word for both of them, bridging, sounds good, as it
actually is using a bridging protocol for learning, forwarding, flooding,
filtering, and aging, which is what is being done in the case of
ethernet-switching too. Whether bridging interfaces or VLANs :).

Atif Saleem

On Wed, Aug 15, 2012 at 10:38 AM, Xu Hu jstuxuhu0...@gmail.com wrote:
 Sounds like good news, let's wait for Juniper rocking.

 2012/8/15 Mike Devlin mikecdev...@gmail.com

 Juniper is moving to a single standard in a future release to remove this
 confusion (from what I have been told)

 It will be bridge across all platforms.




 On Mon, Aug 13, 2012 at 11:44 AM, Xu Hu jstuxuhu0...@gmail.com wrote:

 Bridge is used in routers, ethernet-switching is what it is called in switches.

 Thanks and regards,
 Xu Hu

 On 13 Aug, 2012, at 21:00, Stefan Fouant sfou...@shortestpathfirst.net
 wrote:

  There is no difference between the two.
 
  Sent from my HTC on the Now Network from Sprint!
 
  - Reply message -
  From: bruno.juniper bruno.juni...@gmail.com
  Date: Mon, Aug 13, 2012 4:01 am
  Subject: [j-nsp] what is different between bridge and ethernet-switching ?
  To: juniper-nsp juniper-nsp@puck.nether.net

  What is different between bridge and ethernet-switching? I am
  always confused. As I know, when I configure MX, we use bridge. When I
  configure EX, we use ethernet-switching.


  root@test# set interfaces fe-0/0/0 unit 0 family ?
  Possible completions:
  + apply-groups         Groups from which to inherit configuration data
  + apply-groups-except  Don't inherit configuration data from these groups
    bridge               Layer-2 bridging parameters
    ccc                  Circuit cross-connect parameters
    ethernet-switching   Ethernet switching parameters
    inet                 IPv4 parameters
    inet6                IPv6 protocol parameters
    iso                  OSI ISO protocol parameters
    mlfr-end-to-end      Multilink Frame Relay end-to-end protocol parameters
    mlfr-uni-nni         Multilink Frame Relay UNI NNI protoc
 
  --
  Best Regards,
  Bruno
  ___
  juniper-nsp mailing list juniper-nsp@puck.nether.net
  https://puck.nether.net/mailman/listinfo/juniper-nsp



-- 
Atif


Re: [j-nsp] Strange ARP issue on M7i

2012-08-15 Thread Saku Ytti
On (2012-08-14 13:09 -0700), Jonathan Lassoff wrote:
 
 Moral of the story, as I see it: avoid static routing.

This is a bit circular. The vendor had a software defect in ARP and you
consequently arrived at the conclusion that we should not use static routing,
but dynamic. However, our choice of configuration does not affect the quality
of the code as implemented by the vendor, so just as well we might have a BGP
defect doing something nasty, and someone might draw the conclusion 'avoid BGP
routing'.

Moral of the story is, avoid broken software, which is easier said than
done.

-- 
  ++ytti


Re: [j-nsp] Strange ARP issue on M7i

2012-08-15 Thread Jonathan Lassoff
On Wed, Aug 15, 2012 at 12:13 AM, Saku Ytti s...@ytti.fi wrote:
 On (2012-08-14 13:09 -0700), Jonathan Lassoff wrote:

 Moral of the story, as I see it: avoid static routing.

 This is bit circular. Vendor had software defect in ARP and you arrived to
 conclusion consequently we should not use static routing, but dynamic.
 However our choice of configuration does not affect quality of the code as
 implemented by vendor, so just as well we might have BGP defect doing
 something nasty, and someone might draw conclusion 'avoid bgp routing'.

 Moral of the story is, avoid broken software, which is easier said than
 done.

You make a very good point here.

My thing was more along the lines that routing (RIB) / next-hop path
information ought to be learned and/or monitored over protocols that
ride that same path, so that any path failures are detected and routed
around.


Re: [j-nsp] Strange ARP issue on M7i

2012-08-15 Thread Saku Ytti
On (2012-08-15 00:21 -0700), Jonathan Lassoff wrote:

 My thing was more along the lines that routing (RIB) / next-hop path
 information ought to be learned and/or monitored over protocols that
 ride that same path, so that any path failures are detected and routed
 around.

In a static route they are also; the ARP timeout in JunOS is 20min by default,
so it'll just take quite a long time to invalidate the static route (short of
bugs like the OP sees).

Cisco has 4h, which is absolutely ridiculous.

Linux uses 1min, which is better than the default BGP holdtime in Cisco or
Juniper. So a statically routed Linux would converge faster than a BGP routed
Juniper on the sudden disappearance of a peer.

Of course both the ARP timeout and the BGP holdtime are tunable, and either
BGP or static could run BFD.

-- 
  ++ytti


Re: [j-nsp] what is different between bridge and ethernet-switching ?

2012-08-15 Thread Ben Dale


 There is no difference between the two.
 

...Until you jump on an SRX branch where you use both for completely different
things (e.g. transparent mode) ; )

My (albeit limited) understanding is that bridging interfaces/bridge-domains 
aren't bound to a specific ingress VLAN tag, allowing you to bring diverse 
tagged interfaces together into the one broadcast domain easily, whereas 
ethernet-switching interfaces/VLANs strictly enforce a single ingress tag to a 
domain.

 
 - Reply message -
 From: bruno.juniper bruno.juni...@gmail.com
 Date: Mon, Aug 13, 2012 4:01 am
 Subject: [j-nsp] what is different between bridge and ethernet-switching ?
 To: juniper-nsp juniper-nsp@puck.nether.net

 What is different between bridge and ethernet-switching? I am
 always confused. As I know, when I configure MX, we use bridge. When I
 configure EX, we use ethernet-switching.


 root@test# set interfaces fe-0/0/0 unit 0 family ?
 Possible completions:
 + apply-groups         Groups from which to inherit configuration data
 + apply-groups-except  Don't inherit configuration data from these groups
   bridge               Layer-2 bridging parameters
   ccc                  Circuit cross-connect parameters
   ethernet-switching   Ethernet switching parameters
   inet                 IPv4 parameters
   inet6                IPv6 protocol parameters
   iso                  OSI ISO protocol parameters
   mlfr-end-to-end      Multilink Frame Relay end-to-end protocol parameters
   mlfr-uni-nni         Multilink Frame Relay UNI NNI protoc
 
 --
 Best Regards,
 Bruno
 
 



[j-nsp] SRX MPLS

2012-08-15 Thread Johan Borch
Hi,

I have a design question regarding MPLS.

I'm planning to create a MPLS rings with 4-8 SRX240 devices in packet mode
and the main purpose is L3VPN/VPLS

p1-p2-p3-p4-p5-p1 (p5 connects back to p1)

My budget is low for this and the srx240 is cheap, we will push max 1Gbps.

For example in some sites there will be two SRX and the plan is to use
these two as P/PE and use VRRP for customer equipment. At the same time
they will be P routers for other sites.

Example site:

P1P3-P4--P5
 \  /
(vrrp)
Customer equipment

Do I make any sense? Will this work? :)

Regards
Johan


Re: [j-nsp] SRX MPLS

2012-08-15 Thread Phil Mayers

On 15/08/12 15:29, Johan Borch wrote:

Hi,

I have a design question regarding MPLS.

I'm planning to create a MPLS rings with 4-8 SRX240 devices in packet mode
and the main purpose is L3VPN/VPLS

p1-p2-p3-p4-p5-p1 (p5 connects back to p1)

My budget is low for this and the srx240 is cheap, we will push max 1Gbps.


That should be ok. I've had hundreds of megabits of MPLS out of the SRX210.



For example in some sites there will be two SRX and the plan is to use
these two as P/PE and use VRRP for customer equipment. At the same time
they will be P routers for other sites.

Example site:

P1P3-P4--P5
  \  /
 (vrrp)
 Customer equipment

Do I make any sense? Will this work? :)


Should do. We use them in similar (but not identical) configurations.

I've never tested VRRP on them, however.


Re: [j-nsp] SRX MPLS

2012-08-15 Thread GIULIANO (WZTECH)

Phil,

Could you please share some Juniper links or configurations on how
to configure SRX boxes with MPLS in a RING topology ?


Are you using L3 MPLS VPN or L2 VPLS or EoMPLS ?

Is it possible to share some configurations or links ?

Thanks a lot,

Giuliano



On 15/08/12 15:29, Johan Borch wrote:

Hi,

I have a design question regarding MPLS.

I'm planning to create a MPLS rings with 4-8 SRX240 devices in packet
mode
and the main purpose is L3VPN/VPLS

p1-p2-p3-p4-p5-p1 (p5 connects back to p1)

My budget is low for this and the srx240 is cheap, we will push max
1Gbps.


That should be ok. I've had hundreds of megabits of MPLS out of the SRX210.



For example in some sites there will be two SRX and the plan is to use
these two as P/PE and use VRRP for customer equipment. At the same time
they will be P routers for other sites.

Example site:

P1P3-P4--P5
  \  /
 (vrrp)
 Customer equipment

Do I make any sense? Will this work? :)


Should do. We use them in similar (but not identical) configurations.

I've never tested VRRP on them, however.


Re: [j-nsp] SRX MPLS

2012-08-15 Thread Phil Mayers

On 15/08/12 16:50, GIULIANO (WZTECH) wrote:

Phil,

Could you please share some Juniper links or configurations on how
to configure SRX boxes with MPLS in a RING topology ?


Sure.

I'm assuming you have a basic Juniper layer3 provider core configured. 
In particular, you'll want an IGP (OSPF, IS-IS) and BGP configured, as 
well as basic addressing. In other words, something like this:


interfaces {
    ge-0/0/0 {
        description "faces other routers";
        mtu 2000;
        unit 0 {
            family inet {
                address 192.0.2.1/31;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 192.0.2.100/32;
            }
        }
    }
}
routing-options {
    router-id 192.0.2.100;
}

protocols {
    bgp {
        local-as 65000;
        group Core {
            type internal;
            family inet {
                any;
            }
            peer-as 65000;
            neighbor 192.0.2.101;
            neighbor ...;
            neighbor 192.0.2.102;
        }
    }
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/0.0 {
                interface-type p2p;
            }
            interface lo0.0 {
                passive;
            }
        }
    }
}

You then need to add MPLS:

interfaces {
    ge-0/0/0 {
        unit 0 {
            family mpls;
        }
    }
}
protocols {
    mpls {
        interface ge-0/0/0.0;
    }
    ldp {
        interface ge-0/0/0.0;
    }
    bgp {
        group Core {
            family inet-vpn {
                any;
            }
        }
    }
}

Finally, on the SRX you need to enable packet mode:

security {
    zones {
        security-zone zone_default {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                all;
            }
        }
    }
    forwarding-options {
        family {
            inet6 {
                mode packet-based;
            }
            mpls {
                mode packet-based;
            }
        }
    }
}

...and reboot. Once that's done, you can add a layer 3 VPN:

interfaces {
    ge-0/0/1 {
        vlan-tagging;
        unit 100 {
            vlan-id 100;
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-instances {
    PROD {
        instance-type vrf;
        interface ge-0/0/1.100;
        route-distinguisher 65000:1;
        vrf-target target:65000:1;
        vrf-table-label;
    }
}



Are you using L3 MPLS VPN or L2 VPLS or EoMPLS ?


We use L3VPN. I've tested EoMPLS, but I don't have a configuration to hand.

I haven't tested VPLS on the SRX.


[j-nsp] SRX as a server load balancer for service redundancy?

2012-08-15 Thread OBrien, Will
I'm wondering if I can do a simple server load balancer using a SRX.

Example:
Server A offers up service on port .

Server B has the same service.

If Server A goes offline, send traffic over to server B.
Resume when Server A becomes available again.



One thought is to use something like track-ip to push a static nat mapping 
around.
Ideally, I'd love to monitor the port.

Ideas or examples? This is really just for failover, rather than load balancing.


I suppose I could monitor the service from a control machine and have a script 
execute a configuration change if the service becomes unreachable.
I'd prefer it if the entire process were managed from the SRX.

(In this case it's a pair of clustered SRX 210s.)

Will
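
The control-machine approach described in this message, sketched as an added example (not part of the original post and not Juniper code): a TCP port probe feeds a fall/rise state machine that decides when traffic should move from Server A to Server B and back. The addresses, port 8080, the thresholds and the on_change hook that would carry out the configuration change are all assumptions.

```python
import socket

# Constructed values: the post gives neither addresses nor the service port.
SERVER_A = ("192.0.2.10", 8080)
SERVER_B = ("192.0.2.11", 8080)


def tcp_probe(addr, timeout=2.0):
    """Return True if a TCP connection to addr=(host, port) completes."""
    try:
        with socket.create_connection(addr, timeout=timeout):
            return True
    except OSError:
        return False


class FailoverMonitor:
    """Track the primary's health and pick the backend that should get traffic.

    fall: consecutive failed probes before failing over to the backup.
    rise: consecutive good probes before resuming on the primary.
    Requiring several results in a row keeps a single lost probe from
    flapping the configuration back and forth.
    """

    def __init__(self, primary, backup, fall=3, rise=2):
        self.primary, self.backup = primary, backup
        self.fall, self.rise = fall, rise
        self.active = primary
        self._fails = 0
        self._oks = 0

    def observe(self, primary_up):
        """Record one probe result; return the new backend on a change, else None."""
        if primary_up:
            self._oks, self._fails = self._oks + 1, 0
        else:
            self._fails, self._oks = self._fails + 1, 0

        if self.active == self.primary and self._fails >= self.fall:
            self.active = self.backup
        elif self.active == self.backup and self._oks >= self.rise:
            self.active = self.primary
        else:
            return None
        return self.active


def replay(monitor, results):
    """Feed recorded probe results; return [(index, new_backend), ...]."""
    changes = []
    for i, up in enumerate(results):
        new = monitor.observe(up)
        if new is not None:
            changes.append((i, new))
    return changes


def poll_once(monitor, probe=tcp_probe, on_change=None):
    """Probe the primary once and call on_change(backend) if traffic must move.

    on_change is a hypothetical hook: it is where the script would apply the
    configuration change (for example repointing a NAT mapping).
    """
    new = monitor.observe(probe(monitor.primary))
    if new is not None and on_change is not None:
        on_change(new)
    return new


if __name__ == "__main__":
    # Constructed probe history: a short blip, a real outage, then recovery.
    history = [True, False, False, True, False, False, False, True, True]
    for index, backend in replay(FailoverMonitor(SERVER_A, SERVER_B), history):
        print(f"probe {index}: send traffic to {backend[0]}:{backend[1]}")
```

The two-probe blip in the sample history never reaches the fall threshold, so only the three-probe outage moves traffic.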


Re: [j-nsp] SRX as a server load balancer for service redundancy?

2012-08-15 Thread Scott T. Cameron
The SRX isn't a loadbalancer.

Use something sensible like haproxy, nginx, etc.

Scott

On Wed, Aug 15, 2012 at 12:07 PM, OBrien, Will obri...@missouri.edu wrote:

 I'm wondering if I can do a simple server load balancer using a SRX.

 Example:
 Server A offers up service on port .

 Server B has the same service.

 If Server A goes offline, send traffic over to server B.
 Resume when Server A becomes available again.



 One thought is to use something like track-ip to push a static nat mapping
 around.
 Ideally, I'd love to monitor the port.

 Ideas or examples? This is really just for failover, rather than load
 balancing.


 I suppose I could monitor the service from a control machine and have a
 script execute a configuration change if the service becomes unreachable.
 I'd prefer it if the entire process were managed from the SRX.

 (In this case it's a pair of clustered SRX 210s.)

 Will


Re: [j-nsp] SRX as a server load balancer for service redundancy?

2012-08-15 Thread Nick Kritsky
Maybe d-nat pool is what you are looking for. I am not sure if there
is a health-check though - you may need to read documentation on that.

nick

On Wed, Aug 15, 2012 at 8:07 PM, OBrien, Will obri...@missouri.edu wrote:
 I'm wondering if I can do a simple server load balancer using a SRX.

 Example:
 Server A offers up service on port .

 Server B has the same service.

 If Server A goes offline, send traffic over to server B.
 Resume when Server A becomes available again.



 One thought is to use something like track-ip to push a static nat mapping 
 around.
 Ideally, I'd love to monitor the port.

 Ideas or examples? This is really just for failover, rather than load 
 balancing.


 I suppose I could monitor the service from a control machine and have a 
 script execute a configuration change if the service becomes unreachable.
 I'd prefer it if the entire process were managed from the SRX.

 (In this case it's a pair of clustered SRX 210s.)

 Will


Re: [j-nsp] SRX as a server load balancer for service redundancy?

2012-08-15 Thread joel jaeggli

On 8/15/12 9:34 AM, Scott T. Cameron wrote:

The SRX isn't a loadbalancer.

Use something sensible like haproxy, nginx, etc.

We do layer 3 ECMP in front of our load balancer tier and I imagine that
would be fairly straightforward to implement with an SRX. Each
destination to be load balanced to is available via several nexthops;
in this case the destinations are advertised using an eBGP session
originating from a private ASN.


This approach doesn't deal with application health checks or asymmetric
load balancing but you can take a destination out of the rotation by
withdrawing the routes, and if the BGP session drops that happens
automatically. L3+L4 hash per flow load balancing is stateless but
sticky. It can be implemented on more than one device.


I'm generally down on the idea of putting a stateful firewall in front 
of a service that accepts unsolicited incoming connections, it will tend 
to be the least scalable item in the path.




Scott

On Wed, Aug 15, 2012 at 12:07 PM, OBrien, Will obri...@missouri.edu wrote:


I'm wondering if I can do a simple server load balancer using a SRX.

Example:
Server A offers up service on port .

Server B has the same service.

If Server A goes offline, send traffic over to server B.
Resume when Server A becomes available again.



One thought is to use something like track-ip to push a static nat mapping
around.
Ideally, I'd love to monitor the port.

Ideas or examples? This is really just for failover, rather than load
balancing.


I suppose I could monitor the service from a control machine and have a
script execute a configuration change if the service becomes unreachable.
I'd prefer it if the entire process were managed from the SRX.

(In this case it's a pair of clustered SRX 210s.)

Will


Re: [j-nsp] SRX as a server load balancer for service redundancy?

2012-08-15 Thread Scott T. Cameron
On Wed, Aug 15, 2012 at 12:53 PM, joel jaeggli joe...@bogus.com wrote:

 On 8/15/12 9:34 AM, Scott T. Cameron wrote:

 The SRX isn't a loadbalancer.

 Use something sensible like haproxy, nginx, etc.

 We do layer 3 ecmp in front of our load balancer tier and I imagine that
 would be fairly straight forward to implement with an srx. each destination
 to be load balanced to  is available via several nexthops, in this case the
 destinations are advertised using a ebgp session originating from a private
 ASN.

 This approach doesn't deal with application health checks or asymmetric
 load balancing but you can take a destination out of the rotation by
 withdrawing the routes and if the bgp session drops that happens
 automatically. l3+l4 hash per flow load balancing is stateless but sticky.
 it can be implemented on more than one device.

 I'm generally down on the idea of putting a stateful firewall in front of
 a service that accepts unsolicited incoming connections, it will tend to be
 the least scalable item in the path.


You might consider using a DNS server that supports health checking to
support your objective.

gdnsd supports simple failovers, health checks, multiple or single A record
returns, and geo targeting.

Scott


Re: [j-nsp] Strange ARP issue on M7i

2012-08-15 Thread Markus

Hi JP and all,

thanks for all the replies. show policer shows:

ad...@ffm01.rt show policer
Policers:
Name                        Packets
__default_arp_policer__     1140304
__policer_tmpl__-term       0
__policer_tmpl__-fc0        0
__policer_tmpl__-fc0        0
__policer_tmpl__-fc1        0
__policer_tmpl__-fc0        0
__policer_tmpl__-fc1        0
__policer_tmpl__-fc2        0
__policer_tmpl__-fc0        0
__policer_tmpl__-fc1        0
__policer_tmpl__-fc2        0
__policer_tmpl__-fc3        0

What does that mean?

I don't seem to have anything configured related to that:

ad...@ffm01.rt show configuration | grep arp
 empty 

Thank you!
Markus


Am 14.08.2012 21:37, schrieb JP Senior:

Hi, Markus.
I have experienced issues in previous deployments that have involved built-in 
ARP policers.

Hit up 'show policer', and look for __default_arp_policer__.

JP Senior


-Original Message-
From: juniper-nsp-boun...@puck.nether.net 
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Markus
Sent: 14 August 2012 7:13 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Strange ARP issue on M7i

Hi all,

last night I encountered something weird (in my opinion). Not sure if Juniper 
related but maybe someone here has seen something like this?

I was experiencing a strange effect that several websites hosted on a Linux KVM VM didn't 
load properly. They would load but 90% of the time hang in some strange way, the browser 
displaying Waiting for www.sitename.com... after all the page has loaded, or 
even before anything of the page was displayed. A minute later it would work sometimes, 
but only for a short period of time. After eliminating all MySQL, Apache, KVM etc. as the 
source of the problem I logged into the M7i in front of that host and saw:

ad...@ffm01.rt show arp no-resolve |grep 195.100.100.7
00:25:90:38:66:c6 195.100.100.7    ge-0/0/0.0    none
00:25:90:38:66:c6 195.100.101.34   ge-0/0/0.0    none

With 195.100.100.7 being the KVM host. So I thought: why is 101.34 up?
It's an IP that wasn't in use for years. And in the Juniper config a whole /24 
was still getting routed to it. I thought, OK, the KVM host got hax0red or 
something and the intruder assigned 101.34, but couldn't find anything. 101.34
wasn't reachable from any machine in the same LAN and the MAC could not be seen 
either. No traffic to/from it on the Switch monitoring port either. All I saw 
was traffic (port scans I
think) to the /24 which ended up on the KVM host (195.100.100.7). That was an indicator 
that the KVM host was really also saying I have 195.100.101.34. Or the 
Juniper insisted that the IP is at that MAC. I suspect the latter. I shut down the KVM
host physically and cleared the ARP cache on the Juniper, 195.100.100.7 was gone, but 
195.100.101.34 was still there with the identical MAC, as before.
I then removed the static route entry for the /24 which was pointing to
195.100.101.34 and only then the arp entry for 195.100.101.34 disappeared!

Isn't that weird? Where did that arp entry come from and why was it saved on 
the Juniper for so long, and only got removed after I removed the static 
routing of that /24?

I'm running JUNOS 8.0R2.8. :)

This didn't eliminate the problem with the websites reachability, I think it is 
something local with my dialup connection as I see a lot of TCP retransmission 
errors when accessing all sites on any of the VMs hosted on that KVM host. 
Through an alternative dialup provider everything is fine. Other sites on other 
boxes in the same LAN work just fine though via the first provider. The problem 
comes and goes now.
Really puzzled!

Anyway, can't stop thinking about the ARP thing so I thought I would ask here! 
Thank you very much!

Regards
Markus




Re: [j-nsp] Strange ARP issue on M7i

2012-08-15 Thread apurva modh
It represents that the default ARP policer is dropping the ARP packets.
You don't need to apply this filter on any interface. It is applied on all
interfaces by default ... Default values of the ARP policer are fine-tuned
such that it does not interrupt the normal ARP mechanism .. the counter in the
show policer should not increment in ideal scenarios ... check whether there
is any machine spoofing/flooding ARP or not ...

btw, your Junos is very old .. try changing to a new Junos, there are many
improvements since then ...

On Wed, Aug 15, 2012 at 11:44 PM, Markus unive...@truemetal.org wrote:

 Hi JP and all,

 thanks for all the replies. show policer shows:

 ad...@ffm01.rt show policer
 Policers:
 Name                        Packets
 __default_arp_policer__     1140304
 __policer_tmpl__-term       0
 __policer_tmpl__-fc0        0
 __policer_tmpl__-fc0        0
 __policer_tmpl__-fc1        0
 __policer_tmpl__-fc0        0
 __policer_tmpl__-fc1        0
 __policer_tmpl__-fc2        0
 __policer_tmpl__-fc0        0
 __policer_tmpl__-fc1        0
 __policer_tmpl__-fc2        0
 __policer_tmpl__-fc3        0

 What does that mean?

 I don't seem to have anything configured related to that:

 ad...@ffm01.rt show configuration | grep arp
  empty 

 Thank you!
 Markus


 Am 14.08.2012 21:37, schrieb JP Senior:

 Hi, Markus.
 I have experienced issues in previous deployments that have involved
 built-in ARP policers.

 Hit up 'show policer', and look for __default_arp_policer__.

 JP Senior


 -Original Message-
 From: juniper-nsp-boun...@puck.nether.net
 [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Markus
 Sent: 14 August 2012 7:13 AM
 To: juniper-nsp@puck.nether.net
 Subject: [j-nsp] Strange ARP issue on M7i

 Hi all,

 last night I encountered something weird (in my opinion). Not sure if
 Juniper related but maybe someone here has seen something like this?

 I was experiencing a strange effect that several websites hosted on a
 Linux KVM VM didn't load properly. They would load but 90% of the time hang
 in some strange way, the browser displaying Waiting for
 www.sitename.com... after all the page has loaded, or even before anything
 of the page was displayed. A minute later it would work sometimes, but only
 for a short period of time. After eliminating all MySQL, Apache, KVM etc.
 as the source of the problem I logged into the M7i in front of that host
 and saw:

 ad...@ffm01.rt show arp no-resolve |grep 195.100.100.7
 00:25:90:38:66:c6 195.100.100.7    ge-0/0/0.0    none
 00:25:90:38:66:c6 195.100.101.34   ge-0/0/0.0    none

 With 195.100.100.7 being the KVM host. So I thought: why is 101.34 up?
 It's an IP that wasn't in use for years. And in the Juniper config a
 whole /24 was still getting routed to it. I thought, OK, the KVM host got
 hax0red or something and the intruder assigned 101.34, but couldnt find
 anything. 101.34 wasn't reachable from any machine in the same LAN and the
 MAC could not be seen either. No traffic to/from it on the Switch
 monitoring port either. All I saw was traffic (port scans I
 think) to the /24 which ended up on the KVM host (195.100.100.7). That
 was an indicator that the KVM host was really also saying I have
 195.100.101.34. Or the Juniper insisted that the IP is at that MAC. I
 suspect the latter. I shutdown the KVM host physically and cleared the ARP
 cache on the Juniper, 195.100.100.7 was gone, but 195.100.101.34 was still
 there with the identical MAC, as before.
 I then removed the static route entry for the /24 which was pointing to
 195.100.101.34 and only then the arp entry for 195.100.101.34 disappeared!

 Isn't that weird? Where did that arp entry come from and why was it saved
 on the Juniper for so long, and only got removed after I removed the static
 routing of that /24?

 I'm running JUNOS 8.0R2.8. :)

 This didn't eliminate the problem with the websites reachability, I think
 it is something local with my dialup connection as I see a lot of TCP
 retransmission errors when accessing all sites on any of the VMs hosted on
 that KVM host. Through an alternative dialup provider everything is fine.
 Other sites on other boxes in the same LAN work just fine though via the
 first provider. The problem comes and goes now.
 Really puzzled!

 Anyway, can't stop thinking about the ARP thing so I thought I would ask
 here! Thank you very much!

 Regards
 Markus
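
One way to start the check suggested in this reply, as an added example (not part of the thread): a parser for `show arp no-resolve` output that groups entries by MAC address and flags static-route next hops whose MAC also answers for another address, which is the pattern in the quoted output. The third ARP entry, the summary line and the 198.51.100.0/24 prefix are constructed; the thread does not give the routed /24.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the two entries quoted in the thread, one made-up
# neighbour as a negative case, and a summary line the parser must skip.
SAMPLE_ARP = """\
00:25:90:38:66:c6 195.100.100.7    ge-0/0/0.0    none
00:25:90:38:66:c6 195.100.101.34   ge-0/0/0.0    none
00:11:22:33:44:55 195.100.100.9    ge-0/0/0.0    none
Total entries: 3
"""

# Constructed: the thread names the next hop but not the /24 routed to it.
STATIC_NEXT_HOPS = {"198.51.100.0/24": "195.100.101.34"}

ARP_LINE = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<ifname>\S+)\s+(?P<flags>\S+)$",
    re.IGNORECASE,
)


def parse_arp(text):
    """Parse 'MAC IP interface flags' lines; skip anything that is not one."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m is None:
            continue
        try:
            ip = str(ipaddress.IPv4Address(m["ip"]))
        except ValueError:
            continue  # looks like an address but is not one, e.g. 999.1.1.1
        entries.append({"mac": m["mac"].lower(), "ip": ip,
                        "ifname": m["ifname"], "flags": m["flags"]})
    return entries


def macs_with_multiple_ips(entries):
    """Map (interface, MAC) -> sorted IP list for MACs holding more than one IP."""
    by_mac = defaultdict(set)
    for e in entries:
        by_mac[(e["ifname"], e["mac"])].add(e["ip"])
    return {
        key: sorted(ips, key=ipaddress.IPv4Address)
        for key, ips in by_mac.items()
        if len(ips) > 1
    }


def suspicious_next_hops(entries, static_next_hops):
    """Flag static-route next hops that have no ARP entry or share a MAC.

    One MAC answering for several addresses can be legitimate (interface
    aliases, proxy ARP), so each finding is a lead to investigate.
    """
    shared = macs_with_multiple_ips(entries)
    ip_to_key = {e["ip"]: (e["ifname"], e["mac"]) for e in entries}
    findings = []
    for prefix, next_hop in sorted(static_next_hops.items()):
        key = ip_to_key.get(next_hop)
        if key is None:
            findings.append((prefix, next_hop, "next hop has no ARP entry"))
        elif key in shared:
            others = [ip for ip in shared[key] if ip != next_hop]
            findings.append(
                (prefix, next_hop, f"shares MAC {key[1]} with {', '.join(others)}")
            )
    return findings


if __name__ == "__main__":
    for prefix, next_hop, reason in suspicious_next_hops(
        parse_arp(SAMPLE_ARP), STATIC_NEXT_HOPS
    ):
        print(f"{prefix} via {next_hop}: {reason}")
```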




[j-nsp] test

2012-08-15 Thread Mohammad Khalil
Test


Re: [j-nsp] SRX MPLS

2012-08-15 Thread Ihsan Junaidi Ibrahim
Johan,

You might want to know that VRRPv6 isn't supported on the branch SRX so if you 
need IPv6 resiliency, you're out of luck.

If you need both v4 and v6 node resiliency, the only way to do it now is 
clustering which is a whole different beast altogether.

On Aug 15, 2012, at 10:29 PM, Johan Borch wrote:

 Hi,
 
 I have a design question regarding MPLS.
 
 I'm planning to create a MPLS rings with 4-8 SRX240 devices in packet mode
 and the main purpose is L3VPN/VPLS
 
 p1-p2-p3-p4-p5-p1 (p5 connects back to p1)
 
 My budget is low for this and the srx240 is cheap, we will push max 1Gbps.
 
 For example in some sites there will be two SRX and the plan is to use
 these two as P/PE and use VRRP for customer equipment. At the same time
 they will be P routers for other sites.
 
 Example site:
 
 P1P3-P4--P5
 \  /
(vrrp)
Customer equipment
 
 Do I make any sense? Will this work? :)
 
 Regards
 Johan