Re: [j-nsp] SRX sending thousands of VRRP packets per second

2012-10-18 Thread Alex Arseniev

Multicast loop/L2 loop in the network?

- Original Message -
From: Saba Sumsam saba+j...@eintellego.net
To: juniper-nsp@puck.nether.net
Sent: Thursday, October 18, 2012 5:18 AM
Subject: [j-nsp] SRX sending thousands of VRRP packets per second

Hi,
We have two SRX 100s configured for VRRP, where SRX-A is the primary and
SRX-B is the backup. I have noticed a great deal of VRRP packets being sent
out - I have a capture of 50k packets being sent out in the first 7 seconds
I monitored. The packets being sent out on SRX-B are fewer than on SRX-A
but still a lot more than what would be expected. Both devices are
configured with the default VRRP advertisement interval of 1 sec.

Any thoughts on why I would be seeing so much traffic?

Regards,
Saba
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
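
An added example, not part of the original thread or written by either poster: one way to test the loop hypothesis against a capture is to compare each sender's VRRP advertisement count with what its advertised interval allows, and to count distinct IPv4 Identification values. The record layout, the `tolerance` factor and the assumption that the sender changes the IPv4 ID on every packet are choices of this example; the addresses and packets are constructed.

```python
from collections import defaultdict

def parse_vrrp_v2(payload: bytes):
    """Fixed VRRPv2 header (RFC 3768); None unless it is an advertisement."""
    if len(payload) < 8 or payload[0] != 0x21:   # version 2, type 1
        return None
    return {"vrid": payload[1], "priority": payload[2], "adver_int": payload[5]}

def analyze(records, tolerance=3.0):
    """records: (timestamp, src_ip, ipv4_id, vrrp_payload) tuples from a capture.
    Returns {(src_ip, vrid): {...}} with a verdict per sender."""
    groups = defaultdict(list)
    for ts, src, ip_id, payload in records:
        hdr = parse_vrrp_v2(payload)
        if hdr:
            groups[(src, hdr["vrid"])].append((ts, ip_id, hdr["adver_int"]))
    report = {}
    for key, pkts in groups.items():
        times = [p[0] for p in pkts]
        interval = pkts[0][2] or 1                     # advertised interval, seconds
        expected = (max(times) - min(times)) / interval + 1
        unique_ids = len({p[1] for p in pkts})
        if len(pkts) <= expected * tolerance:
            verdict = "normal"
        elif unique_ids <= expected * tolerance:
            verdict = "replicated-frames"    # few distinct packets seen many times
        else:
            verdict = "sender-flooding"      # the source itself emits this many
        report[key] = {"packets": len(pkts), "unique_ip_ids": unique_ids,
                       "verdict": verdict}
    return report

def constructed_capture():
    """Constructed sample, not data from the thread: three senders over ~7 s."""
    def advert(vrid):  # checksum left as zero; it is not validated here
        return bytes([0x21, vrid, 100, 1, 0, 1, 0, 0, 192, 0, 2, 1])
    recs = []
    for sec in range(7):
        recs.append((float(sec), "192.0.2.2", 500 + sec, advert(20)))   # healthy sender
        for copy in range(50):                                          # same frame x50
            recs.append((sec + copy * 0.001, "192.0.2.3", 100 + sec, advert(10)))
        for n in range(100):                                            # 100 distinct/s
            recs.append((sec + n * 0.01, "192.0.2.4", sec * 100 + n, advert(30)))
    return recs

if __name__ == "__main__":
    for sender, stats in sorted(analyze(constructed_capture()).items()):
        print(sender, stats)
```

A "replicated-frames" verdict is consistent with frames circulating in a Layer 2 loop; "sender-flooding" points back at the device generating the advertisements.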





[j-nsp] port mirror to multiple ports on MX80 in inet6

2012-10-18 Thread Paul Vlaar
Hi, I've currently successfully gotten port mirroring set up to more than
one port, using the following config:

port-mirroring {
    family inet {
        output {
            next-hop-group default-collect;
        }
    }
}

next-hop-group default-collect {
    group-type inet;
    interface ge-1/3/2.0 {
        next-hop 192.168.10.2;
    }
    interface ge-1/3/5.0 {
        next-hop 192.168.20.2;
    }
}

router> show configuration interfaces ge-1/3/2
unit 0 {
    family inet {
        address 192.168.10.1/30 {
            arp 192.168.10.2 mac 00:1b:21:86:a2:92;
        }
    }
    family inet6 {
        address fdb5:1281:f3cf:c7c4::1/64 {
            ndp fdb5:1281:f3cf:c7c4::2 mac 00:1b:21:86:a2:92;
        }
    }
}

router> show configuration interfaces ge-1/3/5
unit 0 {
    family inet {
        address 192.168.20.1/30 {
            arp 192.168.20.2 mac 00:1b:21:86:a3:9a;
        }
    }
    family inet6 {
        address fd3d:122a:8541:ecb5::1/64 {
            ndp fd3d:122a:8541:ecb5::2 mac 00:1b:21:86:a2:93;
        }
    }
}

This works very nicely, I see traffic at both measurement hosts. I would
like to do the same for IPv6, but there's no next-hop-group setting
available:

[edit forwarding-options port-mirroring family inet6 output]
router# set ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  interface            Interfaces through which to send sampled traffic
  no-filter-check      Do not check for filters on port-mirroring interface
[edit forwarding-options port-mirroring family inet6 output]

This limitation is actually mentioned in the documentation, here:

http://www.juniper.net/techpubs/en_US/junos12.2/topics/usage-guidelines/services-configuring-port-mirroring.html

Port mirroring supports up to 16 next hops, but there is no next-hop
group support for inet6.

However, I was wondering whether perhaps someone knows if there's a trick
to this using filter-based forwarding? I can't really figure out how from
the examples given.

This is an MX80 on JunOS 11.2R3.3

Thanks!

~paul



Re: [j-nsp] port mirror to multiple ports on MX80 in inet6

2012-10-18 Thread Alex Arseniev

You could do cascaded PM. In a nutshell:
1/ port-mirror original packet, send the original packet on its way
2/ send the COPY into a loop (cable loop or looped tunnel)
3/ take the looped COPY and mirror it once again, creating 2nd copy.
4/ send 1st copy and 2nd copy on their respective ways.
HTH
Rgds
Alex


- Original Message -
From: Paul Vlaar p...@vlaar.net
To: juniper-nsp@puck.nether.net
Sent: Thursday, October 18, 2012 11:45 PM
Subject: [j-nsp] port mirror to multiple ports on MX80 in inet6

Hi, I've currently successfully gotten port mirroring set up to more than
one port, using the following config:

port-mirroring {
    family inet {
        output {
            next-hop-group default-collect;
        }
    }
}

next-hop-group default-collect {
    group-type inet;
    interface ge-1/3/2.0 {
        next-hop 192.168.10.2;
    }
    interface ge-1/3/5.0 {
        next-hop 192.168.20.2;
    }
}

router> show configuration interfaces ge-1/3/2
unit 0 {
    family inet {
        address 192.168.10.1/30 {
            arp 192.168.10.2 mac 00:1b:21:86:a2:92;
        }
    }
    family inet6 {
        address fdb5:1281:f3cf:c7c4::1/64 {
            ndp fdb5:1281:f3cf:c7c4::2 mac 00:1b:21:86:a2:92;
        }
    }
}

router> show configuration interfaces ge-1/3/5
unit 0 {
    family inet {
        address 192.168.20.1/30 {
            arp 192.168.20.2 mac 00:1b:21:86:a3:9a;
        }
    }
    family inet6 {
        address fd3d:122a:8541:ecb5::1/64 {
            ndp fd3d:122a:8541:ecb5::2 mac 00:1b:21:86:a2:93;
        }
    }
}

This works very nicely, I see traffic at both measurement hosts. I would
like to do the same for IPv6, but there's no next-hop-group setting
available:

[edit forwarding-options port-mirroring family inet6 output]
router# set ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  interface            Interfaces through which to send sampled traffic
  no-filter-check      Do not check for filters on port-mirroring interface
[edit forwarding-options port-mirroring family inet6 output]

This limitation is actually mentioned in the documentation, here:

http://www.juniper.net/techpubs/en_US/junos12.2/topics/usage-guidelines/services-configuring-port-mirroring.html

Port mirroring supports up to 16 next hops, but there is no next-hop
group support for inet6.

However, I was wondering whether perhaps someone knows if there's a trick
to this using filter-based forwarding? I can't really figure out how from
the examples given.

This is an MX80 on JunOS 11.2R3.3

Thanks!

~paul