Re: [j-nsp] Layer 2 port mirroring on MX960

2013-01-09 Thread Terry Jones
Thank you much Siva,

That does explain the missing bridge option. A lot of the documentation I
looked at included the bridge option in the 'forwarding-options
port-mirroring' section, but I am using the vpls option with no success.

I didn't post the mirror interface information as I had nothing configured
under it. After my email, I configured it under 'family bridge
interface-type access' and added the same vlan-id as the monitor port and I
started seeing traffic. However, I'm not sure that this traffic is being
forwarded traffic from the firewall filter, but rather traffic on the vlan
as if the interface is in promiscuous mode. Makes me concerned as it doesn't
seem that I'm seeing all the packets. Also, from the examples and
documentation I've read, it doesn't show configuring the mirror port as
such.

Terry

From:  Sivasankar Subbiah 
Date:  Wednesday, January 9, 2013 3:18 PM
To:  Terry Jones 
Cc:  
Subject:  Re: [j-nsp] Layer 2 port mirroring on MX960

Hi,

as per the Juniper documentation,

Note: Under the [edit forwarding-options port-mirroring instance
pm-instance-name] hierarchy level, the protocol family statement family
bridge is an alias for family vpls. The CLI displays Layer 2 port-mirroring
configurations as family vpls, even for Layer 2 port-mirroring configured as
family bridge.


Cheers
Siva

On 9 January 2013 22:44, Terry Jones  wrote:
> Greetings All,
> 
> I am trying to get a port mirror working with no success. I want to
> port-mirror ge-1/0/0 interfaces that is interface-type access.
> 
> When I configure the forwarding-options, there is no longer a bridge
> option... only ccc, inet and vpls. Even though not showing, when I configure
> 'forwarding-options port-mirroring instance wireshark9 family bridge', it
> takes it, but changes it to 'forwarding-options port-mirroring instance
> wireshark9 family vpls'.
> 
> The port-mirror output shows down on the output, but I do see the counters
> increment.
> 
> Any thoughts, ideas or tips would be appreciated.
> 
> tjo...@crsw01.cn.sb2# show forwarding-options port-mirroring instance wireshark9 | display set
> set forwarding-options port-mirroring instance wireshark9 input rate 1
> set forwarding-options port-mirroring instance wireshark9 family vpls output interface xe-5/2/1.0
> set forwarding-options port-mirroring instance wireshark9 family vpls output no-filter-check
> 
> tjo...@crsw01.cn.sb2# show interfaces ge-1/0/0 | display set
> set interfaces ge-1/0/0 unit 0 family bridge filter input wireshark9
> set interfaces ge-1/0/0 unit 0 family bridge filter output wireshark9
> set interfaces ge-1/0/0 unit 0 family bridge interface-mode access
> set interfaces ge-1/0/0 unit 0 family bridge vlan-id 802
> 
> tjo...@crsw01.cn.sb2# show firewall family bridge filter wireshark9 | display set
> set firewall family bridge filter wireshark9 term 1 then count wireshark9
> set firewall family bridge filter wireshark9 term 1 then accept
> set firewall family bridge filter wireshark9 term 1 then port-mirror-instance wireshark9
> 
> tjo...@crsw01.cn.sb2# run show forwarding-options port-mirroring wireshark9
> Instance Name: wireshark9
>   Instance Id: 11
>   Input parameters:
>     Rate                  : 1
>     Run-length            : 0
>     Maximum-packet-length : 0
>   Output parameters:
>     Family    State    Destination    Next-hop
>     vpls      down     xe-5/2/1.0
> 
> tjo...@crsw01.cn.sb2# run show firewall counter wireshark9 filter wireshark9
> 
> Filter: wireshark9
> Counters:
> Name          Bytes    Packets
> wireshark9    80634        744
> 
> Thanks,
> 
> Terry
> 
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp





[j-nsp] OSPF import policy

2013-01-09 Thread Luca Salvatore
Hi All,
I'm trying to filter some inter-area OSPF routes from being installed into the 
route table on a few routers.

I seem to remember that in Junos it isn't possible to filter inter-area routes 
with an import policy - only externals.
However I do also remember a rumour that this feature would be available at 
some point

Is this still the case?  I'm thinking it isn't possible, since I can't get it 
to work :(
Running Junos 11.5r5

Thanks
Luca




Re: [j-nsp] Layer 2 port mirroring on MX960

2013-01-09 Thread Sivasankar Subbiah
Hi,

as per the Juniper documentation,

*Note:* Under the [edit forwarding-options port-mirroring instance
*pm-instance-name*] hierarchy level, the protocol family statement family
bridge is an alias for family vpls. The CLI displays Layer 2 port-mirroring
configurations as family vpls, even for Layer 2 port-mirroring configured
as family bridge.


Cheers
Siva

On 9 January 2013 22:44, Terry Jones  wrote:

> Greetings All,
>
> I am trying to get a port mirror working with no success. I want to
> port-mirror ge-1/0/0 interfaces that is interface-type access.
>
> When I configure the forwarding-options, there is no longer a bridge
> option... only ccc, inet and vpls. Even though not showing, when I configure
> 'forwarding-options port-mirroring instance wireshark9 family bridge', it
> takes it, but changes it to 'forwarding-options port-mirroring instance
> wireshark9 family vpls'.
>
> The port-mirror output shows down on the output, but I do see the counters
> increment.
>
> Any thoughts, ideas or tips would be appreciated.
>
> tjo...@crsw01.cn.sb2# show forwarding-options port-mirroring instance wireshark9 | display set
> set forwarding-options port-mirroring instance wireshark9 input rate 1
> set forwarding-options port-mirroring instance wireshark9 family vpls output interface xe-5/2/1.0
> set forwarding-options port-mirroring instance wireshark9 family vpls output no-filter-check
>
> tjo...@crsw01.cn.sb2# show interfaces ge-1/0/0 | display set
> set interfaces ge-1/0/0 unit 0 family bridge filter input wireshark9
> set interfaces ge-1/0/0 unit 0 family bridge filter output wireshark9
> set interfaces ge-1/0/0 unit 0 family bridge interface-mode access
> set interfaces ge-1/0/0 unit 0 family bridge vlan-id 802
>
> tjo...@crsw01.cn.sb2# show firewall family bridge filter wireshark9 | display set
> set firewall family bridge filter wireshark9 term 1 then count wireshark9
> set firewall family bridge filter wireshark9 term 1 then accept
> set firewall family bridge filter wireshark9 term 1 then port-mirror-instance wireshark9
>
> tjo...@crsw01.cn.sb2# run show forwarding-options port-mirroring wireshark9
> Instance Name: wireshark9
>   Instance Id: 11
>   Input parameters:
>     Rate                  : 1
>     Run-length            : 0
>     Maximum-packet-length : 0
>   Output parameters:
>     Family    State    Destination    Next-hop
>     vpls      down     xe-5/2/1.0
>
> tjo...@crsw01.cn.sb2# run show firewall counter wireshark9 filter wireshark9
>
> Filter: wireshark9
> Counters:
> Name          Bytes    Packets
> wireshark9    80634        744
>
> Thanks,
>
> Terry


[j-nsp] Layer 2 port mirroring on MX960

2013-01-09 Thread Terry Jones
Greetings All,

I am trying to get a port mirror working with no success. I want to
port-mirror ge-1/0/0 interfaces that is interface-type access.

When I configure the forwarding-options, there is no longer a bridge
option... only ccc, inet and vpls. Even though not showing, when I configure
'forwarding-options port-mirroring instance wireshark9 family bridge', it
takes it, but changes it to 'forwarding-options port-mirroring instance
wireshark9 family vpls'.

The port-mirror output shows down on the output, but I do see the counters
increment.

Any thoughts, ideas or tips would be appreciated.

tjo...@crsw01.cn.sb2# show forwarding-options port-mirroring instance wireshark9 | display set
set forwarding-options port-mirroring instance wireshark9 input rate 1
set forwarding-options port-mirroring instance wireshark9 family vpls output interface xe-5/2/1.0
set forwarding-options port-mirroring instance wireshark9 family vpls output no-filter-check

tjo...@crsw01.cn.sb2# show interfaces ge-1/0/0 | display set
set interfaces ge-1/0/0 unit 0 family bridge filter input wireshark9
set interfaces ge-1/0/0 unit 0 family bridge filter output wireshark9
set interfaces ge-1/0/0 unit 0 family bridge interface-mode access
set interfaces ge-1/0/0 unit 0 family bridge vlan-id 802

tjo...@crsw01.cn.sb2# show firewall family bridge filter wireshark9 | display set
set firewall family bridge filter wireshark9 term 1 then count wireshark9
set firewall family bridge filter wireshark9 term 1 then accept
set firewall family bridge filter wireshark9 term 1 then port-mirror-instance wireshark9

tjo...@crsw01.cn.sb2# run show forwarding-options port-mirroring wireshark9
Instance Name: wireshark9
  Instance Id: 11
  Input parameters:
    Rate                  : 1
    Run-length            : 0
    Maximum-packet-length : 0
  Output parameters:
    Family    State    Destination    Next-hop
    vpls      down     xe-5/2/1.0

tjo...@crsw01.cn.sb2# run show firewall counter wireshark9 filter wireshark9

Filter: wireshark9
Counters:
Name          Bytes    Packets
wireshark9    80634        744

Thanks,

Terry 
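
An added example, not part of the original thread or of any Juniper tooling: a Python lint over the `display set` lines above that reports the two states this thread describes, a mirror destination with no `family bridge` configuration (this post) and a destination that is a member of the monitored VLAN (the follow-up). The follow-up's set lines, the finding names and the functions `parse` and `lint` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed input: the `display set` lines from the original post, re-joined.
ORIGINAL = """\
set forwarding-options port-mirroring instance wireshark9 input rate 1
set forwarding-options port-mirroring instance wireshark9 family vpls output interface xe-5/2/1.0
set forwarding-options port-mirroring instance wireshark9 family vpls output no-filter-check
set interfaces ge-1/0/0 unit 0 family bridge filter input wireshark9
set interfaces ge-1/0/0 unit 0 family bridge filter output wireshark9
set interfaces ge-1/0/0 unit 0 family bridge interface-mode access
set interfaces ge-1/0/0 unit 0 family bridge vlan-id 802
set firewall family bridge filter wireshark9 term 1 then count wireshark9
set firewall family bridge filter wireshark9 term 1 then accept
set firewall family bridge filter wireshark9 term 1 then port-mirror-instance wireshark9
"""
# Assumption: the follow-up's change written as set lines (the thread does not show them).
FOLLOW_UP = """\
set interfaces xe-5/2/1 unit 0 family bridge interface-mode access
set interfaces xe-5/2/1 unit 0 family bridge vlan-id 802
"""
PM = r"set forwarding-options port-mirroring instance (\S+)"
RULES = {
    # 'family bridge' is an alias at this level; the CLI stores it as 'family vpls'.
    "out": re.compile(PM + r" family (?:vpls|bridge) output interface (\S+)"),
    "inst": re.compile(PM),
    "applied": re.compile(r"set interfaces (\S+) unit (\d+) family bridge filter (?:input|output) (\S+)"),
    "attr": re.compile(r"set interfaces (\S+) unit (\d+) family bridge (interface-mode|vlan-id) (\S+)"),
    "mirror": re.compile(r"set firewall family bridge filter (\S+) term \S+ then port-mirror-instance (\S+)"),
}

def parse(text):
    cfg = {"inst": {}, "applied": defaultdict(set), "attr": defaultdict(dict), "mirror": set()}
    for raw in text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace from pasted output
        kind, m = next(((k, r.match(line)) for k, r in RULES.items() if r.match(line)), (None, None))
        if kind == "out":
            cfg["inst"][m[1]] = m[2]                      # instance -> mirror destination
        elif kind == "inst":
            cfg["inst"].setdefault(m[1], None)            # instance seen, no output yet
        elif kind == "applied":
            cfg["applied"][m[3]].add(f"{m[1]}.{m[2]}")    # filter -> monitored units
        elif kind == "attr":
            cfg["attr"][f"{m[1]}.{m[2]}"][m[3]] = m[4]    # unit -> bridge attributes
        elif kind == "mirror":
            cfg["mirror"].add((m[1], m[2]))               # (filter, instance)
    return cfg

def lint(text):
    cfg, findings = parse(text), []
    for flt, inst in sorted(cfg["mirror"]):
        dest = cfg["inst"].get(inst)
        if inst not in cfg["inst"]:
            findings.append(("undefined-instance", inst))
        elif dest is None:
            findings.append(("no-l2-output", inst))
        elif dest not in cfg["attr"]:
            # State in the original post: nothing configured on the mirror port.
            findings.append(("dest-unconfigured", dest))
        else:
            vlan = cfg["attr"][dest].get("vlan-id")
            for src in sorted(cfg["applied"][flt]):
                # After the follow-up: mirror port sits in the monitored VLAN (Terry's concern).
                if vlan and cfg["attr"].get(src, {}).get("vlan-id") == vlan:
                    findings.append(("dest-in-monitored-vlan", f"{dest} {src} vlan {vlan}"))
    return findings

if __name__ == "__main__":
    print(lint(ORIGINAL), lint(ORIGINAL + FOLLOW_UP))
```

A `dest-in-monitored-vlan` finding does not say the mirror is broken; it marks a capture port whose traffic cannot be attributed to the filter alone, which matters when the capture is used as evidence of what crossed ge-1/0/0.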

 



Re: [j-nsp] QOS Design

2013-01-09 Thread Cameron Ferdinands
I'd also recommend the great Junos Day One books on QoS:

http://www.juniper.net/au/en/community/junos/training-certification/day-one/fundamentals-series/deploying-basic-qos/
http://www.juniper.net/au/en/community/junos/training-certification/day-one/fundamentals-series/junos-qos/

The Junos QoS for IOS Engineers book is a great reference if you have
experience in IOS.

On Tue, Jan 8, 2013 at 3:25 AM, Doug Hanks  wrote:

>
> Thank you,


Re: [j-nsp] Question about Routing Engine Redundancy on MX

2013-01-09 Thread Richard A Steenbergen
On Wed, Jan 09, 2013 at 03:43:04PM -0500, Paul Stewart wrote:
> Thanks RAS.. that's interesting as we've never actually tried that...
> 
> Have you tried this in a production environment or would you?  Do we 
> have any idea on whether or not JTAC would support this configuration 
> officially?
> 
> I realize these are loaded questions - just really curious on this 
> topic as it opens up some "new possibilities" for us in some 
> deployments...  Our SE basically told us to "run" from this idea 
> previously...

The difference between an RE-2000 and an RE-1300 is pretty minimal. Yeah 
it's a slightly slower CPU, and maybe it has less RAM, but the 
architecture itself is still basically the same. If you configure NSR 
you'll be passing a lot of internal state in raw form back and forth, so 
you have no hope of making it work between completely different 
architectures like the REs which run JUNOS 64, but technically speaking 
there is nothing that would prevent something like RE-1300 and RE-2000 
from talking and working.

Personally I wouldn't run any of it in production, after having been 
bitten by way too many extremely severe bugs in NSR/GRES over the last 
many years. I've probably suffered 1000x more operational impact from 
NSR related bugs than I've EVER saved from NSR working correctly, and 
don't even get me started on the massive design flaws of GRES. At this 
point you're MUCH more likely to make your router work correctly if you 
turn on as few knobs as possible, and NSR is a pretty darn complex thing 
to actually make work correctly.

Plus, I don't think I've actually had NSR work correctly in about 4-5 
years now. There are hard-coded time-outs during the NSR sync process 
after the backup RE reboots, and if your network is big enough that you 
carry some decent number of BGP paths it will take so long to sync that 
this will time out and fail the entire process. I once had a case open 
about this issue, but after about 1.5 years of being unable to explain 
it to the idiot in JTAC I just gave up. I checked several years later, 
and it was still broken in exactly the same way, so I'm going to guess 
that no other large network dares to run NSR either. :)

-- 
Richard A Steenbergen    http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)



Re: [j-nsp] Question about Routing Engine Redundancy on MX

2013-01-09 Thread Paul Stewart
Thanks RAS.. that's interesting as we've never actually tried that...

Have you tried this in a production environment or would you?  Do we have
any idea on whether or not JTAC would support this configuration officially?

I realize these are loaded questions - just really curious on this topic as
it opens up some "new possibilities" for us in some deployments...  Our SE
basically told us to "run" from this idea previously...

Cheers ;)

Paul


-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Richard A
Steenbergen
Sent: January-09-13 2:56 PM
To: Jose Sanchez
Cc: juniper-nsp
Subject: Re: [j-nsp] Question about Routing Engine Redundancy on MX

On Wed, Jan 09, 2013 at 12:39:05PM -0600, Jose Sanchez wrote:
> Hello,
> 
> Does anybody know if the RE Redundancy in Juniper MX Routers requires 
> that both RE are the same hardware or it is enough that the REs has 
> the same JUNOS Version?

As long as they're reasonably similar it should work fine. For MX that
pretty much means RE-2000 and RE-1300, you have no hope in hell of
mismatching the new ones (RE-1800x2/4, which require 64-bit JUNOS) with the
old ones. For some definition of work of course (for all of the active
redundancy), where in my experience the answer is "it doesn't". 
:)

-- 
Richard A Steenbergen    http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)


Re: [j-nsp] Question about Routing Engine Redundancy on MX

2013-01-09 Thread Richard A Steenbergen
On Wed, Jan 09, 2013 at 12:39:05PM -0600, Jose Sanchez wrote:
> Hello,
> 
> Does anybody know if the RE Redundancy in Juniper MX Routers requires that
> both RE are the same hardware or it is enough that the REs has the same
> JUNOS Version?

As long as they're reasonably similar it should work fine. For MX that 
pretty much means RE-2000 and RE-1300, you have no hope in hell of 
mismatching the new ones (RE-1800x2/4, which require 64-bit JUNOS) with 
the old ones. For some definition of work of course (for all of the 
active redundancy), where in my experience the answer is "it doesn't". 
:)

-- 
Richard A Steenbergen    http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)


Re: [j-nsp] Question about Routing Engine Redundancy on MX

2013-01-09 Thread Harry Reynolds
My .02.

I too cannot find documentation that mandates the same RE hardware or Junos SW
for all HA features. The 12.2 HA guide does mandate the same version for NSR,
and by extension ISSU. (page 80):

http://www.juniper.net/techpubs/en_US/junos12.2/information-products/topic-collections/config-guide-high-availability/config-guide-high-availability.pdf

IMO, GRES/NSR/ISSU is complex enough. Generally speaking you are only adding 
potential for "less than desirable" outcomes if you attempt to deploy such 
features with mismatched RE hardware or Junos versions. It would be safe to say 
that testing HA features with all possible mismatches of RE HW and SW is not 
done routinely; it may work, or may not, and you may well be the first to know, 
being the first to ever try some specific test with some specific set of 
mismatched HW or SW.

As with all things in life, to some degree success or failure is a matter of
how significant the mismatch is. Junos 7.0 on master and 12.2 on BU as opposed
to 12.1R1 vs. 12.1R2; here the latter will likely do OK... Same with RE
hardware. If the master RE is significantly faster or has significantly more
memory than the BU, you may hit timing issues with kernel or NSR
synchronization, or, may find that post NSR things go poorly as the new master
RE struggles to keep up now that it has to run the show. If you expect the BU
RE to take over with no hit, it's quite reasonable to mandate that it at least
have the same capabilities as the master.

In the end it's a complex interaction of how significant the mismatch is,
whether it affects some key feature that is in use, and the degree to which the
test box is scaled; in the end it's intractable to try and predict all the
possible permutations.

As a final anecdote, I would never open a PR for a HA feature where the DUT had
any such mismatch (unless it was a specific feature that mandated the
disparity), as the first thing the engineer will ask is for me to try and repro
with matched settings.

HTHs

Regards







-Original Message-
From: juniper-nsp-boun...@puck.nether.net 
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Paul Stewart
Sent: Wednesday, January 09, 2013 10:52 AM
To: 'Jose Sanchez'
Cc: 'juniper-nsp'
Subject: Re: [j-nsp] Question about Routing Engine Redundancy on MX

Nothing that I have handy - sorry. we asked this question a few times to our
Juniper SE and were told that (so presumed it to be factual)

:)

From: Jose Sanchez [mailto:jasjuni...@gmail.com]
Sent: January-09-13 1:49 PM
To: Paul Stewart
Cc: juniper-nsp
Subject: Re: [j-nsp] Question about Routing Engine Redundancy on MX

Thank you,

Any link to the documentation that require this?

Thanks again

Jose

On Wed, Jan 9, 2013 at 12:43 PM, Paul Stewart  wrote:

Both same hardware


-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Jose Sanchez
Sent: January-09-13 1:39 PM
To: juniper-nsp
Subject: [j-nsp] Question about Routing Engine Redundancy on MX

Hello,

Does anybody know if the RE Redundancy in Juniper MX Routers requires that both 
RE are the same hardware or it is enough that the REs has the same JUNOS 
Version?

Thanks

Jose



Re: [j-nsp] Question about Routing Engine Redundancy on MX

2013-01-09 Thread Paul Stewart
Nothing that I have handy - sorry. we asked this question a few times to our
Juniper SE and were told that (so presumed it to be factual)

:)

From: Jose Sanchez [mailto:jasjuni...@gmail.com]
Sent: January-09-13 1:49 PM
To: Paul Stewart
Cc: juniper-nsp
Subject: Re: [j-nsp] Question about Routing Engine Redundancy on MX

Thank you,

Any link to the documentation that require this?

Thanks again

Jose

On Wed, Jan 9, 2013 at 12:43 PM, Paul Stewart  wrote:

Both same hardware


-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Jose Sanchez
Sent: January-09-13 1:39 PM
To: juniper-nsp
Subject: [j-nsp] Question about Routing Engine Redundancy on MX

Hello,

Does anybody know if the RE Redundancy in Juniper MX Routers requires that
both RE are the same hardware or it is enough that the REs has the same
JUNOS Version?

Thanks

Jose



Re: [j-nsp] Question about Routing Engine Redundancy on MX

2013-01-09 Thread Jose Sanchez
Thank you,

Any link to the documentation that require this?

Thanks again

Jose



On Wed, Jan 9, 2013 at 12:43 PM, Paul Stewart  wrote:

> Both same hardware
>
> -Original Message-
> From: juniper-nsp-boun...@puck.nether.net
> [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Jose Sanchez
> Sent: January-09-13 1:39 PM
> To: juniper-nsp
> Subject: [j-nsp] Question about Routing Engine Redundancy on MX
>
> Hello,
>
> Does anybody know if the RE Redundancy in Juniper MX Routers requires that
> both RE are the same hardware or it is enough that the REs has the same
> JUNOS Version?
>
> Thanks
>
> Jose


Re: [j-nsp] Question about Routing Engine Redundancy on MX

2013-01-09 Thread Paul Stewart
Both same hardware

-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Jose Sanchez
Sent: January-09-13 1:39 PM
To: juniper-nsp
Subject: [j-nsp] Question about Routing Engine Redundancy on MX

Hello,

Does anybody know if the RE Redundancy in Juniper MX Routers requires that
both RE are the same hardware or it is enough that the REs has the same
JUNOS Version?

Thanks

Jose


[j-nsp] Question about Routing Engine Redundancy on MX

2013-01-09 Thread Jose Sanchez
Hello,

Does anybody know if the RE Redundancy in Juniper MX Routers requires that
both RE are the same hardware or it is enough that the REs has the same
JUNOS Version?

Thanks

Jose