Re: [j-nsp] [c-nsp] Broadband Model suggestion?

On Wednesday, July 18, 2012 10:17:15 AM Miquel van Smoorenburg wrote:
> Disadvantage of both PPPoE and VLAN-per-customer: no effective multicast (unless you run that in a separate second shared-VLAN).

In our consideration, Multicast would have been a separate shared VLAN, as it then allows you to run PPPoE for Unicast access on a separate set of core infrastructure if it were really necessary, against the same last mile.

But even if Multicast and DHCP Unicast were running on the same edge router, I'd likely still separate both traffic types into different VLANs.

Mark.

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] DHCP option 82 under forwarding-options helpers bootp configuration

Hi,

JUNOS (10.4R9.2 on an M10i) supports DHCP relay agent information option configuration under "forwarding-options helpers bootp". However, despite the configuration, DHCP messages received by the DHCP server do not have option 82 present. For example, I made such a configuration:

root@labM10i> show configuration forwarding-options helpers bootp
dhcp-option82 {
    circuit-id {
        use-vlan-id;
    }
    remote-id {
        use-string test;
    }
    vendor-id {
        test;
    }
}
description "helpers bootp test";
server 10.10.10.1;
interface {
    ge-1/2/0.5;
}

root@labM10i>

..and executed dhclient in a broadcast domain associated with interface ge-1/2/0.5. Packet capture results on the 10.10.10.1 DHCP server can be seen here: http://cloudshark.org/captures/e963f493caf8

As you can see, there is no option 82 added. Is it possible to add DHCP option 82 to messages forwarded to the DHCP server under the "forwarding-options helpers bootp" configuration? Or is this possible only with dhcp-relay? The latter would make more sense, as this option should be strictly a DHCP option (http://tools.ietf.org/html/rfc3046), not a BOOTP option?

regards,
martin
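The check Martin did by hand in the capture, written out as an added example (not part of the thread): parse the options area of a DHCP message and decode option 82 (RFC 3046 Relay Agent Information) with its circuit-id and remote-id sub-options, so a relay that claims to insert the option can be verified from a packet payload. The two DHCPDISCOVER messages are constructed here, not taken from the capture, and the VLAN 5 / "test" values only mirror the use-vlan-id and use-string settings above.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # start of the DHCP options area (RFC 2131)
OPT_RELAY_AGENT = 82                 # Relay Agent Information (RFC 3046)
SUBOPT_NAMES = {1: "circuit-id", 2: "remote-id"}


def parse_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} for a DHCP message (BOOTP header + options)."""
    # The fixed BOOTP header is 236 bytes, followed by the 4-byte magic cookie.
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad option, no length byte
            i += 1
            continue
        if code == 255:        # end option
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def option82(payload: bytes):
    """Decode option 82 sub-options into a dict, or return None if the option is absent."""
    raw = parse_options(payload).get(OPT_RELAY_AGENT)
    if raw is None:
        return None
    subs, i = {}, 0
    while i + 2 <= len(raw):
        code, length = raw[i], raw[i + 1]
        subs[SUBOPT_NAMES.get(code, code)] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def build_discover(with_option82: bool) -> bytes:
    """Constructed DHCPDISCOVER (not a real capture): minimal BOOTP header plus options."""
    hdr = struct.pack("!BBBB", 1, 1, 6, 0) + bytes(232)   # op=BOOTREQUEST, htype=Ethernet
    opts = b"\x35\x01\x01"                                  # option 53, message type DISCOVER
    if with_option82:
        circuit = b"\x01\x02" + struct.pack("!H", 5)        # sub-option 1: VLAN 5 (use-vlan-id)
        remote = b"\x02\x04" + b"test"                      # sub-option 2: the string "test"
        body = circuit + remote
        opts += bytes([OPT_RELAY_AGENT, len(body)]) + body
    return hdr + MAGIC_COOKIE + opts + b"\xff"
```

To run it over a real capture, feed the UDP payload of each relayed packet to option82(); None for every packet is the symptom described above.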
Re: [j-nsp] Tacacs on Junos

Hi Tom

Thanks for the reply. I was expecting that adding a user and password on the tacacs server and adding server related parameters on the device would be enough, such as on Cisco? Why should I configure a user on the router itself?!

BR,
Mohammad

On Sun, Sep 16, 2012 at 6:02 PM, Tom Storey t...@snnap.net wrote:
> FWIW here is my TACACs and related config. You need a little bit more than just the tacplus-server stanza itself, e.g. the remote user.
>
> system {
>     authentication-order [ tacplus password ];
>     tacplus-server {
>         172.25.150.26 {
>             secret ...; ## SECRET-DATA
>             timeout 5;
>             source-address 172.25.150.1;
>         }
>     }
>     accounting {
>         events [ login change-log interactive-commands ];
>         destination {
>             tacplus;
>         }
>     }
>     login {
>         class rescue {
>             idle-timeout 30;
>             permissions all;
>         }
>         user remote {
>             full-name "Remote user template";
>             uid 2002;
>             class rescue;
>         }
>         user rescue {
>             full-name "Rescue account";
>             uid 2000;
>             class rescue;
>             authentication {
>                 encrypted-password ""; ## SECRET-DATA
>             }
>         }
>     }
> }
>
> Something like the rescue user is probably also a good idea; if your TACACs server is ever unreachable you will want a back door to log in with.
>
> Tom
>
> On 16 September 2012 15:38, Tom Storey t...@snnap.net wrote:
>> When you set the password on the Juniper, did you by any chance enclose the password text in quotes (""), e.g. password ""? If you did, the "" is encoded as part of the password, rather than suggesting everything inside quotes is the password like it does with other things (like interface descriptions).
>>
>> I hit that little doozy when I was configuring TACACs for the first time, so thought I'd throw it out there.
>>
>> Tom
>>
>> On 16 September 2012 14:49, Mohammad Khalil eng.m...@gmail.com wrote:
>>> Hi all
>>>
>>> I have an mx240, I want to configure tacacs authentication:
>>>
>>> set system authentication-order tacplus
>>> set system tacplus-server x.x.x.x port 49 single-connection secret juniper source-address y.y.y.y
>>>
>>> Of course the server is reachable from the device. I see in the log messages:
>>>
>>> Failed password for mkhalil from 109.107.128.104 port 43262 ssh2
>>>
>>> Is there anything missing?
>>>
>>> BR,
>>> Mohammad
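Tom's reply names the pieces a Junos box needs before TACACS+ logins work: a password fallback in authentication-order, a local template user for remote logins, and a rescue account with a stored password. As an added example (not from the thread), this script parses a Junos-style brace stanza and reports which of those pieces are missing; the sample config is constructed to mirror the shape of Tom's, and the template user name "remote" is assumed from his config, not required by Junos.

```python
import re
# Constructed sample (not Tom's exact text) with the shape of the config in the thread.
SAMPLE_CONFIG = """
system {
    authentication-order [ tacplus password ];
    tacplus-server { 172.25.150.26 { secret "x"; timeout 5; } }
    login {
        class rescue { idle-timeout 30; permissions all; }
        user remote { full-name "Remote user template"; uid 2002; class rescue; }
        user rescue { uid 2000; class rescue; authentication { encrypted-password "x"; } }
    }
}
"""

def parse_stanza(text: str) -> dict:
    """Parse Junos brace syntax into nested dicts; leaf statements map to their value."""
    tokens = re.findall(r'"[^"]*"|\{|\}|;|[^\s{};]+', text)
    root, stack, words = {}, [], []
    node = root
    for tok in tokens:
        if tok == "{":                       # open a child block keyed by the words before it
            stack.append(node)
            node = node.setdefault(" ".join(words), {})
            words = []
        elif tok == "}":
            node = stack.pop()
        elif tok == ";":                     # leaf statement: first word is the key
            node[words[0]] = " ".join(words[1:]).strip('"') if len(words) > 1 else True
            words = []
        else:
            words.append(tok)
    return root

def check_tacacs_login(text: str, template_user: str = "remote") -> list:
    """Return findings; an empty list means the three pieces are all present."""
    system = parse_stanza(text).get("system", {})
    login = system.get("login", {})
    order = system.get("authentication-order", "")
    findings = []
    if "password" not in order:
        findings.append("no local password fallback in authentication-order")
    template = login.get(f"user {template_user}")
    if not template or f"class {template.get('class', '')}" not in login:
        findings.append(f"template user '{template_user}' missing or its class is undefined")
    local = [u for u, v in login.items() if u.startswith("user ")
             and isinstance(v, dict) and "encrypted-password" in v.get("authentication", {})]
    if not local:
        findings.append("no local user with a stored password for when TACACS+ is unreachable")
    return findings
```

Run check_tacacs_login() on the output of "show configuration system" to see which of the three pieces a box is missing.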
Re: [j-nsp] Tacacs on Junos

On 17 September 2012 15:04, Mohammad Khalil eng.m...@gmail.com wrote:
> I was expecting that adding a user and password on the tacacs server and adding server related parameters on the device would be enough, such as on Cisco? Why should I configure a user on the router itself?!

The users aren't users as such, they are more privilege classes. We for instance configure a 'noc' user, which contains all the permissions our NOC would require when logging into a device. All users that then log in are given the permissions of this 'noc' user.

The following URL should help you with the full configuration: http://kb.juniper.net/InfoCenter/index?page=content&id=KB17269

Regards,
-- Dave
Re: [j-nsp] Tacacs on Junos

I totally read this as tacos on Junos and got excited for a moment :(
Re: [j-nsp] DHCP option 82 under forwarding-options helpers bootp configuration

Hello there,

forwarding-options helpers bootp is not DHCP relay; it is a different feature, although they both use the same socket. To insert option 82, you need the forwarding-options dhcp-relay feature, which requires a license. BOOTP helper and dhcp-relay|dhcp-local-server cannot be configured together (see above). dhcp-relay and dhcp-local-server can be configured together in different VRs/VRFs.

Thanks
Alex

- Original Message -
From: Martin T m4rtn...@gmail.com
To: juniper-nsp@puck.nether.net
Sent: Monday, September 17, 2012 1:15 PM
Subject: [j-nsp] DHCP option 82 under forwarding-options helpers bootp configuration
[j-nsp] Security Survey: Please Participate

Arbor Networks would like to invite you to participate in our annual Infrastructure Security Survey - a survey of service providers, enterprises, government agencies, universities and other network operators around the world. The purpose of the survey is to gauge and report on general security issues, practices, procedures and observations from the industry. All data gathered from the survey will be compiled in the aggregate and published as Arbor's 8th annual infrastructure security report and accompanying presentations. Individual responses are treated anonymously and no respondent names will appear in the report or presentations.

As a reference, you may access a copy of our 7th annual report here: http://pages.arbornetworks.com/rs/arbor/images/WISR2011_EN.pdf

To participate in this year's survey, please click on the following link: http://www.arbornetworks.com/survey/ISR2012

You will be directed to a secure (SSL) connection to begin. The survey should take 30 minutes or less to complete. Survey completion by September 28, 2012 would be greatly appreciated.

Thank you very much for your consideration. Please feel free to contact me at cmora...@arbor.net should you have any questions on the survey or Arbor Networks.

Regards,
Carlos E. Morales
Vice President Systems Engineering and Sales Operations
Re: [j-nsp] DHCP option 82 under forwarding-options helpers bootp configuration

Alex,

I understand this the same way, but for some reason there are dhcp-option82 configuration options under helpers bootp. Looks like at least on some platforms (EX series switches) those configuration options really do behave as DHCP option 82 settings under dhcp-relay: http://www.juniper.net/techpubs/en_US/junos9.3/topics/example/port-security-dhcp-option82-with-switch-as-relay-agent.html

regards,
martin

2012/9/17 Alex Arseniev alex.arsen...@gmail.com:
> Hello there,
>
> forwarding-options helpers bootp is not DHCP relay; it is a different feature, although they both use the same socket. To insert option 82, you need the forwarding-options dhcp-relay feature, which requires a license. BOOTP helper and dhcp-relay|dhcp-local-server cannot be configured together (see above). dhcp-relay and dhcp-local-server can be configured together in different VRs/VRFs.
>
> Thanks
> Alex
>
> - Original Message -
> From: Martin T m4rtn...@gmail.com
> To: juniper-nsp@puck.nether.net
> Sent: Monday, September 17, 2012 1:15 PM
> Subject: [j-nsp] DHCP option 82 under forwarding-options helpers bootp configuration
Re: [j-nsp] MX Design

For what it's worth, we've been harassing pretty much everyone we talk to with a juniper.net email address about SPB. I suspect the biggest limitation is that nowhere in any EX or MX docs is there mention of support for 802.1ah mac-in-mac, which is pretty necessary for SPB. That said, the one time we got an answer we were told that Juniper was going to take a wait and see approach, so there's at least a chance that if enough customers make enough noise, they might start seriously working on it.

I, for one, have a dream where spanning tree, in all its incarnations, is reduced to little more than a scary story told by crusty old admins to interns and PFYs by the light of storage array lights. "Hey Mr. NetAdmin, tell us the story of CareGroup again!"

Frank Sweetser fs at wpi.edu      | For every problem, there is a solution that
Manager of Network Operations     | is simple, elegant, and wrong.
Worcester Polytechnic Institute   | - HL Mencken

On 9/17/2012 5:34 PM, Clarke Morledge wrote:
> Johan,
>
> Regarding your question about whether or not to run MSTP up to a pair of MX distribution routers from downstream EX's, I wrestled with this for a while several years ago. I had a devil of a time trying to get Link Aggregation (LAG) to work even between two MX routers reliably without introducing other issues in the pre-10.4 days, so I gave up on it. The idea of Multi-Chassis LAG active/active does sound inviting, but I guess I am a bit shy still about LAG in general introducing weirdness and bugs.
>
> I really would like to see Juniper embrace IEEE 802.1aq Shortest Path Bridging or the IETF RBridges, but with the current emphasis on QFabric I am not holding my breath. At this point, waiting for BGP MPLS Based MAC VPN is a more realistic down-the-road type of thing from Juniper.
>
> In the meantime, we opted to bring MSTP up into the MX routers and make one of the MX routers the root and the other a backup root. We lose use of one of the links, but at least it has been very stable over the past few years, and I stay away from proprietary solutions.
>
> Clarke Morledge
> College of William and Mary
> Information Technology - Network Engineering
> Jones Hall (Room 18)
> Williamsburg VA 23187
Re: [j-nsp] MX Design

On 18/09/2012, at 11:56 AM, Frank Sweetser f...@wpi.edu wrote:
> For what it's worth, we've been harassing pretty much everyone we talk to with a juniper.net email address about SPB. I suspect the biggest limitation is that nowhere in any EX or MX docs is there mention of support for 802.1ah mac-in-mac, which is pretty necessary for SPB.

MX has had support for PBB (and thus 802.1ah) since 10.0: http://www.juniper.net/techpubs/en_US/junos10.0/topics/example/pbb-eline-elan-mx-series-configuring.html

I too would like to see SPB get some support in Junos, or alternatively, JunosSDK getting some support for layer 2 protocols, so someone else can have a crack at implementing it.

The pendulum of hype in the data centre appears to be swinging away from distributed control-plane and toward centralised everything (QFabric, Virtual-Chassis, SDN etc). Maybe there is still hope for the metro?

Ben