Re: [j-nsp] port mirror to multiple ports on MX80 in inet6

2012-10-19 Thread Paul Vlaar
Alex,

On 19/10/12 7:33 AM, Alex Arseniev wrote:
> You could do cascaded PM. In a nutshell:
> 1/ port-mirror original packet, send the original packet on its way
> 2/ send the COPY into a loop (cable loop or looped tunnel)
> 3/ take the looped COPY and mirror it once again, creating 2nd copy.
> 4/ send 1st copy and 2nd copy on their respective ways.

The problem I see there is how do you configure the [ port-mirroring
family inet6 ] section with a different output interface on the second
run once you hit the port-mirror statement in the firewall rule.

forwarding-options {
    port-mirroring {
        family inet6 {
            output {
                interface ge-1/3/2.0 {
                    next-hop fdb5:1281:f3cf:c7c4::2;
                }
                no-filter-check;
            }
        }
    }
}

Can you perhaps send me some example config on how to do this?

What strikes me is that the lack of next-hop-groups for inet6 feels like
a software limitation.

   ~paul




___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] port mirror to multiple ports on MX80 in inet6

2012-10-19 Thread Alex Arseniev

Have you tried PM instances?

----- Original Message -----
From: Paul Vlaar p...@vlaar.net

To: Alex Arseniev alex.arsen...@gmail.com
Cc: juniper-nsp@puck.nether.net
Sent: Friday, October 19, 2012 9:49 AM
Subject: Re: [j-nsp] port mirror to multiple ports on MX80 in inet6



Alex,

On 19/10/12 7:33 AM, Alex Arseniev wrote:

You could do cascaded PM. In a nutshell:
1/ port-mirror original packet, send the original packet on its way
2/ send the COPY into a loop (cable loop or looped tunnel)
3/ take the looped COPY and mirror it once again, creating 2nd copy.
4/ send 1st copy and 2nd copy on their respective ways.


The problem I see there is how do you configure the [ port-mirroring
family inet6 ] section with a different output interface on the second
run once you hit the port-mirror statement in the firewall rule.

forwarding-options {
    port-mirroring {
        family inet6 {
            output {
                interface ge-1/3/2.0 {
                    next-hop fdb5:1281:f3cf:c7c4::2;
                }
                no-filter-check;
            }
        }
    }
}

Can you perhaps send me some example config on how to do this?

What strikes me is that the lack of next-hop-groups for inet6 feels like
a software limitation.

  ~paul








[j-nsp] EX and SRX code selection

2012-10-19 Thread Mike Devlin
Hey Guys,

I'm wondering what code recommendation the list would make for the following
platforms:

EX2200-C-PWR
SRX210BE

I am currently running 10.4R9.2 on the SRX, as this was the code previously
certified by my former employer for SRX3600 and SRX5800 deployments in our
infrastructure.  EX was never evaluated before I was laid off, so I'm simply
running whatever it was shipped with (11.4 something).

Although this is simply a home setup, I am looking to run code that has
been through a testing team and had a proper bug scrub wherever possible.

I appreciate the feedback.

Thanks,

Mike


[j-nsp] IPv6 Packet too big !

2012-10-19 Thread david.roy
Hi all,

Does anybody know which source IPv6 address is used by a Juniper router to send
back an ICMPv6 Packet Too Big? If I configure the default address selection
feature and have an IPv6 address on my loopback, does it use this address or
still use the IPv6 interface address?

thanks
David





Re: [j-nsp] EX and SRX code selection

2012-10-19 Thread Marco Nesler
http://kb.juniper.net/InfoCenter/index?page=content&id=KB21476&actp=RSS


Re: [j-nsp] EX and SRX code selection

2012-10-19 Thread Mike Devlin
Thanks Marco

On Fri, Oct 19, 2012 at 11:28 AM, Marco Nesler sat...@gmail.com wrote:

> http://kb.juniper.net/InfoCenter/index?page=content&id=KB21476&actp=RSS




Re: [j-nsp] port mirror to multiple ports on MX80 in inet6

2012-10-19 Thread Chuck Anderson
What I do is plug the monitor (output) port into a switch with a
separate monitoring VLAN and then set the destination MAC address to
an unknown one like 02:02:02:02:02:02--the switch will forward all the
unknown traffic to all ports in the monitoring VLAN.  Works great with
an EX4200 (on which I'm also using other ports for normal traffic):

MX> show configuration forwarding-options port-mirroring
input {
    rate 1;
    run-length 0;
}
family inet {
    output {
        interface ge-0/1/2.0 {
            next-hop 192.0.2.2;
        }
    }
}
family inet6 {
    output {
        interface ge-0/1/2.0 {
            next-hop 2001:0db8::2;
        }
    }
}

MX> show configuration interfaces ge-0/1/2
unit 0 {
    family inet {
        no-redirects;
        no-neighbor-learn;
        address 192.0.2.1/30 {
            arp 192.0.2.2 mac 02:02:02:02:02:02;
        }
    }
    family inet6 {
        no-neighbor-learn;
        address 2001:0db8::1/126 {
            ndp 2001:0db8::2 mac 02:02:02:02:02:02;
        }
    }
}

EX> show configuration vlans MIRROR
vlan-id 2;

EX> show configuration interfaces ge-0/0/0
description mirror from mx ge-0/1/2;
unit 0 {
    family ethernet-switching {
        vlan {
            members 2;
        }
    }
}

EX> show configuration interfaces ge-0/0/1
description mirror to destination1;
unit 0 {
    family ethernet-switching {
        vlan {
            members 2;
        }
    }
}

EX> show configuration interfaces ge-0/0/2
description mirror to destination2;
unit 0 {
    family ethernet-switching {
        vlan {
            members 2;
        }
    }
}



On Fri, Oct 19, 2012 at 12:45:40AM +0200, Paul Vlaar wrote:
> Hi, I've currently successfully gotten port mirroring setup to more than
> one port, using the following config:
>
> port-mirroring {
>     family inet {
>         output {
>             next-hop-group default-collect;
>         }
>     }
>
> next-hop-group default-collect {
>     group-type inet;
>     interface ge-1/3/2.0 {
>         next-hop 192.168.10.2;
>     }
>     interface ge-1/3/5.0 {
>         next-hop 192.168.20.2;
>     }
> }
>
> router> show configuration interfaces ge-1/3/2
> unit 0 {
>     family inet {
>         address 192.168.10.1/30 {
>             arp 192.168.10.2 mac 00:1b:21:86:a2:92;
>         }
>     }
>     family inet6 {
>         address fdb5:1281:f3cf:c7c4::1/64 {
>             ndp fdb5:1281:f3cf:c7c4::2 mac 00:1b:21:86:a2:92;
>         }
>     }
> }
>
> router> show configuration interfaces ge-1/3/5
> unit 0 {
>     family inet {
>         address 192.168.20.1/30 {
>             arp 192.168.20.2 mac 00:1b:21:86:a3:9a;
>         }
>     }
>     family inet6 {
>         address fd3d:122a:8541:ecb5::1/64 {
>             ndp fd3d:122a:8541:ecb5::2 mac 00:1b:21:86:a2:93;
>         }
>     }
> }
>
> This works very nicely, I see traffic at both measurement hosts. I would
> like to do the same for IPv6, but there's no next-hop-group setting
> available:
>
> [edit forwarding-options port-mirroring family inet6 output]
> router# set ?
> Possible completions:
> + apply-groups         Groups from which to inherit configuration data
> + apply-groups-except  Don't inherit configuration data from these groups
> > interface            Interfaces through which to send sampled traffic
>   no-filter-check      Do not check for filters on port-mirroring interface
> [edit forwarding-options port-mirroring family inet6 output]
>
> This limitation is actually mentioned in the documentation, here:
>
> http://www.juniper.net/techpubs/en_US/junos12.2/topics/usage-guidelines/services-configuring-port-mirroring.html
>
> Port mirroring supports up to 16 next hops, but there is no next-hop
> group support for inet6.
>
> However I was wondering perhaps someone knows if there's a trick to this
> using filter based forwarding? I can't really figure out how from the
> examples given.
>
> This is an MX80 on JunOS 11.2R3.3
>
> Thanks!
>
>   ~paul
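
The flooding behaviour that the monitoring-VLAN setup in the message above relies on, as an added example that is not part of any post in this thread: a toy learning switch showing the mirror fan-out and the failure mode to guard against, where a host in the monitoring VLAN sources a frame from the mirror MAC. The class, function names and the MX source MAC are constructed for illustration; the port names, VLAN ID and mirror MAC follow the configuration in the message.

```python
"""Toy model of a learning Ethernet switch (added example, constructed data)."""
from collections import defaultdict

MIRROR_MAC = "02:02:02:02:02:02"   # static arp/ndp target used in the post
MX_MAC = "00:00:5e:00:53:01"       # constructed source MAC (documentation range)


class LearningSwitch:
    def __init__(self, vlan_ports):
        # vlan_ports: {vlan_id: iterable of member port names}
        self.vlan_ports = {v: set(p) for v, p in vlan_ports.items()}
        self.fdb = defaultdict(dict)          # vlan -> {mac: port}

    def receive(self, vlan, in_port, src, dst):
        """Learn src on in_port, then return the sorted egress port list."""
        if in_port not in self.vlan_ports.get(vlan, ()):
            return []                         # ingress port not in VLAN: drop
        self.fdb[vlan][src] = in_port         # source-address learning
        out = self.fdb[vlan].get(dst)
        if out is None:                       # unknown destination: flood VLAN
            return sorted(self.vlan_ports[vlan] - {in_port})
        return [] if out == in_port else [out]


def mirror_fanout(switch, vlan=2, mx_port="ge-0/0/0"):
    """Ports that receive one mirrored frame sent by the MX."""
    return switch.receive(vlan, mx_port, MX_MAC, MIRROR_MAC)


def demo():
    sw = LearningSwitch({2: ["ge-0/0/0", "ge-0/0/1", "ge-0/0/2"]})
    before = mirror_fanout(sw)                # mirror MAC never learned: flood
    # Failure mode: a collector transmits a frame sourced from the mirror MAC,
    # so the switch learns it on that one port.
    sw.receive(2, "ge-0/0/1", MIRROR_MAC, "ff:ff:ff:ff:ff:ff")
    after = mirror_fanout(sw)                 # now forwarded to one port only
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("fan-out while MAC is unknown:", before)
    print("fan-out after MAC is learned:", after)
```

Keeping the collectors receive-only on the mirror VLAN, and never assigning 02:02:02:02:02:02 to a real interface, keeps the switch from learning the address and silently cutting a collector off from the mirrored traffic.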


[j-nsp] Half Duplex VRF

2012-10-19 Thread Mohammad Khalil
Does Juniper support half-duplex VRF?

Thanks

BR,
Mohammad


Re: [j-nsp] Half Duplex VRF

2012-10-19 Thread Mohammad Khalil
Please check the link for more clarification
http://www.cisco.com/en/US/docs/ios/ios_xe/mpls/configuration/guide/mp_vpn_half_dup_vrf_xe.pdf


BR,
Mohammad

On Sat, Oct 20, 2012 at 1:52 AM, Daniel Hilj daniel.h...@ipnett.se wrote:

> What do you mean by that??
>
> //Daniel
>
>
> On 20 Oct 2012 at 00:34, Mohammad Khalil eng.m...@gmail.com wrote:
>
> > Does Juniper support half-duplex VRF?
> >
> > Thanks
> >
> > BR,
> > Mohammad




Re: [j-nsp] Half Duplex VRF

2012-10-19 Thread Daniel Hilj
What do you mean by that??

//Daniel


On 20 Oct 2012 at 00:34, Mohammad Khalil eng.m...@gmail.com wrote:

> Does Juniper support half-duplex VRF?
>
> Thanks
>
> BR,
> Mohammad




Re: [j-nsp] Half Duplex VRF

2012-10-19 Thread Chris Cappuccio
Daniel Hilj [daniel.h...@ipnett.se] wrote:
> What do you mean by that??

He means that the concept is applicable on any implementation. It's not a
special feature that has to be designed in. The Cisco configuration should be
trivial to translate to Junos.


[j-nsp] Switch EX4200 doing broadcast for all ports from multicast traffic

2012-10-19 Thread Giuliano Medalha
People,

We have 4 x EX4200 (4200-24F and EX4200-48T) running 12.1R3.5 code
connected using Virtual Chassis configuration.

The configuration is very simple with 2 vlans.  VLAN - LAN vlan id 10.

The problem is related to traffic monitor software (wireshark for instance).

When we connect wireshark on any port of the switch we can see every
connection on the network ... not only broadcast and multicast traffic.

It's like the switch port is a Hub port ... or the ASIC is mirroring all
vlan traffic to all ports.

basically RTSP traffic and unicast traffic ... 80, 22, 25, etc ...

The network is very full and the devices are all down ...

Has anyone seen this kind of problem before?

Is it any kind of bug?

Does Virtual Chassis require any special software?

Thanks a lot,

Giuliano