Re: [j-nsp] About Juniper Control Plan Policy (CoPP)
This should walk you through most of your questions:

http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/securing-routing-engine/

Doug

On 8/22/12 8:35 PM, Md. Jahangir Hossain jrjahan...@yahoo.com wrote:
> Dear all friends,
>
> Wishing you are all fine. I am quite new to the Juniper OS platform. I need some information about Juniper Control Plane Policy (CoPP). I read RFC 6192 on protecting the router control plane, which is:
>
> http://tools.ietf.org/html/rfc6192#appendix-A.2
>
> After reading RFC 6192 I have a small query. On a Cisco router we put the input policy on the control plane, like this:
>
>     control-plane
>      service-policy input COPP
>
> But on a Juniper router we put the input policy on the loopback interface according to this RFC. Here it is:
>
>     interfaces {
>         lo0 {
>             unit 0 {
>                 family inet {
>                     filter input protect-router-control-plane;
>                 }
>             }
>         }
>     }
>
> My question is: how does the Juniper router's loopback interface control the whole router control plane? Or do I need to put this input filter policy individually on the different interfaces, like this:
>
>     interfaces {
>         em0 {
>             unit 0 {
>                 family inet {
>                     filter input protect-router-control-plane;
>                 }
>             }
>         }
>         em1 {
>             unit 0 {
>                 family inet {
>                     filter input protect-router-control-plane;
>                 }
>             }
>         }
>     }
>
> It would be nice if anyone could please confirm this configuration for me.
>
> Thanks
> Jahangir Hossain

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX4200 Virtual chassis ??
* Rachid DHOU

> We have two EX4200 switches, mainly used for L2 functionalities. We want to add two new EX4200 switches and we want to connect them with the old switches. I have two possibilities:
>
> * Either interconnect them and control everything with STP,
> * or use Virtual Chassis.
>
> Please advise, what is the best way? Did you try Virtual Chassis in EX? Do you have other options?

We have several VCs from both EX4200s and EX4500s (no mixed VCs though), and disregarding some troubles with the former when the EX product line was brand spanking new several years ago, they've been rock solid and I wouldn't hesitate to recommend it over a traditional approach with STP. You'll get one management interface, and you can build a loop-free redundant network without STP wasting your bandwidth on blocked ports.

The core switch in one of our data centres is a two-node EX4500 VC with LAGs to each downstream switch/device and upstream routers. The LAGs have at least one member from each physical node in the VC, so it's all fully redundant and I'm very happy with the setup.

The largest downside with it is that upgrading JUNOS, you will have a 30-60 sec downtime on the LACP and OSPF adjacencies, due to the fact that a VC will not form if the member nodes have different JUNOS versions. So after first having upgraded the line-card node, when rebooting the routing-engine node, the upgraded line-card must start everything from scratch when assuming the routing-engine role.

This is about to improve though, as I hear JUNOS 12.1 has gained support for NSSU. Haven't tried it myself though, so I don't know if it's mature enough to be trusted quite yet. (Interested in hearing about any experiences though.)

BTW: Make sure to enable no-split-detection in your VC, or your two EX4200s will be mutually dependent and you'll have no HA.

Best regards,
--
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com
Re: [j-nsp] SRX MPLS
I saw the following exceptions for SRX-series:

  VPLS multihoming, which allows connecting a CE device to multiple PE routers to provide redundant connectivity, is not supported on J Series or SRX Series devices

I'm going to have two SRX's on each site and using vrrp between them, will I hit this exception then?

Regards
Johan

On Wed, Aug 15, 2012 at 5:11 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 15/08/12 15:29, Johan Borch wrote:
> > Hi,
> >
> > I have a design question regarding MPLS. I'm planning to create a MPLS rings with 4-8 SRX240 devices in packet mode and the main purpose is L3VPN/VPLS
> >
> > p1-p2-p3-p4-p5-p1 (p5 connects back to p1)
> >
> > My budget is low for this and the srx240 is cheap, we will push max 1Gbps.
>
> That should be ok. I've had hundreds of megabits of MPLS out of the SRX210.
>
> > For example in some sites there will be two SRX and the plan is to use these two as P/PE and use VRRP for customer equipment. At the same time they will be P routers for other sites.
> >
> > Example site:
> >
> > P1P3-P4--P5
> > \ /
> > (vrrp)
> > Customer equipment
> >
> > Do I make any sense? Will this work? :)
>
> Should do. We use them in similar (but not identical) configurations. I've never tested VRRP on them, however.
Re: [j-nsp] SRX MPLS
Err VPLS Implies Layer 2 only. Where is the VRRP running in-between?

Are you doing vlan-id inside the VPLS instance for normalization, then binding an irb.x into it? I don't think that works in SRX/J either. (l3 within VPLS).

- CK.

On 2012-08-23, at 6:39 PM, Johan Borch wrote:
> VPLS multihoming, which allows connecting a CE device to multiple PE routers to provide redundant connectivity, is not supported on J Series or SRX Series devices
>
> I'm going to have two SRX's on each site and using vrrp between them, will I hit this exception then?
Re: [j-nsp] SRX MPLS
You're right of course :) My question was more how the VPLS multihoming will affect this setup.

Regards
Johan

On Thu, Aug 23, 2012 at 11:21 AM, Chris Kawchuk juniperd...@gmail.com wrote:
> Err VPLS Implies Layer 2 only. Where is the VRRP running in-between?
>
> Are you doing vlan-id inside the VPLS instance for normalization, then binding an irb.x into it? I don't think that works in SRX/J either. (l3 within VPLS).
>
> - CK.
>
> On 2012-08-23, at 6:39 PM, Johan Borch wrote:
> > VPLS multihoming, which allows connecting a CE device to multiple PE routers to provide redundant connectivity, is not supported on J Series or SRX Series devices
> >
> > I'm going to have two SRX's on each site and using vrrp between them, will I hit this exception then?
Re: [j-nsp] About Juniper Control Plan Policy (CoPP)
Thanks Doug for your information.

----- Original Message -----
From: Doug Hanks dha...@juniper.net
To: Md. Jahangir Hossain jrjahan...@yahoo.com; juniper-nsp@puck.nether.net juniper-nsp@puck.nether.net
Cc:
Sent: Thursday, August 23, 2012 12:02 PM
Subject: Re: [j-nsp] About Juniper Control Plan Policy (CoPP)

This should walk you through most of your questions:

http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/securing-routing-engine/

Doug

On 8/22/12 8:35 PM, Md. Jahangir Hossain jrjahan...@yahoo.com wrote:
> Dear all friends,
>
> Wishing you are all fine. I am quite new to the Juniper OS platform. I need some information about Juniper Control Plane Policy (CoPP). I read RFC 6192 on protecting the router control plane, which is:
>
> http://tools.ietf.org/html/rfc6192#appendix-A.2
>
> After reading RFC 6192 I have a small query. On a Cisco router we put the input policy on the control plane, like this:
>
>     control-plane
>      service-policy input COPP
>
> But on a Juniper router we put the input policy on the loopback interface according to this RFC. Here it is:
>
>     interfaces {
>         lo0 {
>             unit 0 {
>                 family inet {
>                     filter input protect-router-control-plane;
>                 }
>             }
>         }
>     }
>
> My question is: how does the Juniper router's loopback interface control the whole router control plane? Or do I need to put this input filter policy individually on the different interfaces, like this:
>
>     interfaces {
>         em0 {
>             unit 0 {
>                 family inet {
>                     filter input protect-router-control-plane;
>                 }
>             }
>         }
>         em1 {
>             unit 0 {
>                 family inet {
>                     filter input protect-router-control-plane;
>                 }
>             }
>         }
>     }
>
> It would be nice if anyone could please confirm this configuration for me.
>
> Thanks
> Jahangir Hossain
Re: [j-nsp] About Juniper Control Plan Policy (CoPP)
Thanks Apurva for your information.

From: apurva modh modh.apu...@gmail.com
To: Md. Jahangir Hossain jrjahan...@yahoo.com
Cc: juniper-nsp@puck.nether.net juniper-nsp@puck.nether.net
Sent: Thursday, August 23, 2012 11:08 AM
Subject: Re: [j-nsp] About Juniper Control Plan Policy (CoPP)

All the Routing Engine bound traffic into Juniper is handled through the loopback interface. So if you apply the input direction filter on the loopback interface, it would simulate the exact behavior of the control plane filter of Cisco. You don't need to apply the protect routing-engine filter to physical interfaces.

Hope this solves your query.

Regards,

On Thu, Aug 23, 2012 at 9:05 AM, Md. Jahangir Hossain jrjahan...@yahoo.com wrote:
> Dear all friends,
>
> Wishing you are all fine. I am quite new to the Juniper OS platform. I need some information about Juniper Control Plane Policy (CoPP). I read RFC 6192 on protecting the router control plane, which is:
>
> http://tools.ietf.org/html/rfc6192#appendix-A.2
>
> After reading RFC 6192 I have a small query. On a Cisco router we put the input policy on the control plane, like this:
>
>     control-plane
>      service-policy input COPP
>
> But on a Juniper router we put the input policy on the loopback interface according to this RFC. Here it is:
>
>     interfaces {
>         lo0 {
>             unit 0 {
>                 family inet {
>                     filter input protect-router-control-plane;
>                 }
>             }
>         }
>     }
>
> My question is: how does the Juniper router's loopback interface control the whole router control plane? Or do I need to put this input filter policy individually on the different interfaces, like this:
>
>     interfaces {
>         em0 {
>             unit 0 {
>                 family inet {
>                     filter input protect-router-control-plane;
>                 }
>             }
>         }
>         em1 {
>             unit 0 {
>                 family inet {
>                     filter input protect-router-control-plane;
>                 }
>             }
>         }
>     }
>
> It would be nice if anyone could please confirm this configuration for me.
>
> Thanks
> Jahangir Hossain
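The placement described in the reply quoted above can be checked mechanically. The following is an added example, not part of the thread and not Juniper code: a small Python audit that parses curly-brace Junos configuration and reports which units carry an inet input filter, so a missing lo0 filter or a per-interface placement stands out. The sample configurations are constructed; the parser ignores comments and `input-list`, and accepts both the nested `filter { input NAME; }` form and the one-line form quoted in the thread.

```python
import re

def parse_junos(text):
    """Parse curly-brace Junos configuration into nested dicts (leaf -> None)."""
    stack, words = [{}], []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text):
        if tok == "{":
            key = " ".join(words)
            node = stack[-1][key] = stack[-1].get(key) or {}
            stack.append(node)
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif tok == ";":
            stack[-1][" ".join(words)] = None
        else:
            words.append(tok)
            continue
        words = []
    if len(stack) != 1:
        raise ValueError("unclosed '{' (truncated configuration?)")
    return stack[0]

def input_filters(text, family="inet"):
    """Map 'interface.unit' to the input filter names set for that family."""
    found = {}
    for ifname, body in (parse_junos(text).get("interfaces") or {}).items():
        for key, unit in (body or {}).items():
            if not key.startswith("unit ") or unit is None:
                continue
            fam = unit.get("family " + family) or {}
            names = [k.split()[2] for k in fam if k.startswith("filter input ")]  # one-line form
            nested = fam.get("filter") or {}  # nested form: filter { input NAME; }
            names += [k.split()[1] for k in nested if k.startswith("input ")]
            found[f"{ifname}.{key.split()[1]}"] = names
    return found

def audit(text):
    """Report the filters on lo0 and any other unit with its own input filter."""
    found = input_filters(text)
    lo0 = sorted({n for u, ns in found.items() if u.startswith("lo0.") for n in ns})
    other = sorted(u for u, ns in found.items() if ns and not u.startswith("lo0."))
    return {"lo0_filters": lo0, "other_units_with_input_filter": other}

# Constructed samples modelled on the two placements asked about in the thread.
ON_LOOPBACK = """interfaces {
    lo0 { unit 0 { family inet { filter { input protect-router-control-plane; } } } }
    em0 { unit 0 { family inet { address 198.51.100.1/24; } } }
}"""
PER_INTERFACE = """interfaces {
    em0 { unit 0 { family inet { filter input protect-router-control-plane; } } }
    em1 { unit 0 { family inet { filter input protect-router-control-plane; } } }
}"""
```

An empty `lo0_filters` list together with a non-empty `other_units_with_input_filter` list is the per-interface placement the original question asked about; a fragment with missing closing braces raises `ValueError` instead of being silently half-parsed.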
[j-nsp] Arbor peak flow sp and TMS
Hi expert,

Does Juniper have an equivalent product?

With regards,
Wan T
- Via Aiped
[j-nsp] MX960 AC power strip
Hi

I need advice if someone is having an MX960 up on AC power. Usually high capacity (32A) power bars (PDU) come with C13 or C19 outlets while Juniper has no provision for such power cords.

If European power cords are ordered with MX960, the CEE7/7 plug can be connected to Schuko outlets. But there is no Schuko PDU that supports more than 16A. One can easily exceed 16A if two power supplies are connected on same PDU.

Can anyone recommend some alternative or if anyone faced similar situation?
Re: [j-nsp] MX960 AC power strip
I double checked the hardware guide to ensure, and they're not fixed cable:

http://www.juniper.net/shared/img/products/mx-series/mx960/mx960-rear-high.jpg

(If you're using the high-cap supplies there's a second input on the PSU's themselves)

So just 8x C18-19 cables would be fine.

On 23/08/12 23:59, JA wrote:
> Hi
>
> I need advice if someone is having an MX960 up on AC power. Usually high capacity (32A) power bars (PDU) come with C13 or C19 outlets while Juniper has no provision for such power cords.
>
> If European power cords are ordered with MX960, the CEE7/7 plug can be connected to Schuko outlets. But there is no Schuko PDU that supports more than 16A. One can easily exceed 16A if two power supplies are connected on same PDU.
>
> Can anyone recommend some alternative or if anyone faced similar situation?

--
Julien Goodwin
Studio442
Blue Sky Solutioneering
Re: [j-nsp] MX960 AC power strip
We run 208v to ours, which reduces the amp load. Then we use 1u rackable tripplite PDUs on 30a circuits with C13s and C19s and C19-C20 cables.

Will

On Aug 23, 2012, at 8:59 AM, JA wrote:
> Hi
>
> I need advice if someone is having an MX960 up on AC power. Usually high capacity (32A) power bars (PDU) come with C13 or C19 outlets while Juniper has no provision for such power cords.
>
> If European power cords are ordered with MX960, the CEE7/7 plug can be connected to Schuko outlets. But there is no Schuko PDU that supports more than 16A. One can easily exceed 16A if two power supplies are connected on same PDU.
>
> Can anyone recommend some alternative or if anyone faced similar situation?
Re: [j-nsp] MX960 AC power strip
You can easily get 30A PDUs with L6-20Rs which is what Juniper recommends for the MX960... e.g.

http://www.apc.com/products/resource/include/techspec_index.cfm?base_sku=AP7893

Geist, ServerTech, etc. all also make many many options.

-Scott H.
-Login Inc.

On 08/23/2012 07:59 AM, JA wrote:
> Hi
>
> I need advice if someone is having an MX960 up on AC power. Usually high capacity (32A) power bars (PDU) come with C13 or C19 outlets while Juniper has no provision for such power cords.
>
> If European power cords are ordered with MX960, the CEE7/7 plug can be connected to Schuko outlets. But there is no Schuko PDU that supports more than 16A. One can easily exceed 16A if two power supplies are connected on same PDU.
>
> Can anyone recommend some alternative or if anyone faced similar situation?
Re: [j-nsp] MX960 AC power strip
On 8/23/12 6:59 AM, JA wrote:
> Hi
>
> I need advice if someone is having an MX960 up on AC power. Usually high capacity (32A) power bars (PDU) come with C13 or C19 outlets while Juniper has no provision for such power cords.

we use c19-c20 cables. we have a standard supplier for those so I don't believe we're using a juniper p/n

the device (well the whole rack) is fed off two PDUs with a 30a 3 phase service for each

> If European power cords are ordered with MX960, the CEE7/7 plug can be connected to Schuko outlets. But there is no Schuko PDU that supports more than 16A. One can easily exceed 16A if two power supplies are connected on same PDU.
>
> Can anyone recommend some alternative or if anyone faced similar situation?
Re: [j-nsp] MX960 AC power strip
Just FYI: The Juniper SKU for the MX c19/c20 power cord is CBL-MX-PWR-C19-C20 if anyone needed it.

Patrick

From: joel jaeggli joe...@bogus.com
To: JA mjaferab...@gmail.com
Cc: juniper-nsp@puck.nether.net
Sent: Thursday, August 23, 2012 9:08 AM
Subject: Re: [j-nsp] MX960 AC power strip

On 8/23/12 6:59 AM, JA wrote:
> Hi
>
> I need advice if someone is having an MX960 up on AC power. Usually high capacity (32A) power bars (PDU) come with C13 or C19 outlets while Juniper has no provision for such power cords.

we use c19-c20 cables. we have a standard supplier for those so I don't believe we're using a juniper p/n

the device (well the whole rack) is fed off two PDUs with a 30a 3 phase service for each

> If European power cords are ordered with MX960, the CEE7/7 plug can be connected to Schuko outlets. But there is no Schuko PDU that supports more than 16A. One can easily exceed 16A if two power supplies are connected on same PDU.
>
> Can anyone recommend some alternative or if anyone faced similar situation?
Re: [j-nsp] SRX MPLS
Shouldn't affect it in the classical BGP active/backup sense; only 1 'vrf' is active in a multi-homing BGP setup. However, since the SRX/J doesn't do that, both will end up being active - You'll need a way to suppress one of them from getting any traffic. Perhaps think about using an EX4200 underneath using an RTG to each SRX at layer 2 to prevent the loop.

Should have zero effect on vrrp/layer-3 stuff.

- CK.

On 23/08/2012, at 7:47 PM, Johan Borch johan.bo...@gmail.com wrote:
> You're right of course :) My question was more how the VPLS multihoming will affect this setup.
>
> Regards
> Johan
>
> On Thu, Aug 23, 2012 at 11:21 AM, Chris Kawchuk juniperd...@gmail.com wrote:
> > Err VPLS Implies Layer 2 only. Where is the VRRP running in-between?
> >
> > Are you doing vlan-id inside the VPLS instance for normalization, then binding an irb.x into it? I don't think that works in SRX/J either. (l3 within VPLS).
> >
> > - CK.
> >
> > On 2012-08-23, at 6:39 PM, Johan Borch wrote:
> > > VPLS multihoming, which allows connecting a CE device to multiple PE routers to provide redundant connectivity, is not supported on J Series or SRX Series devices
> > >
> > > I'm going to have two SRX's on each site and using vrrp between them, will I hit this exception then?