Re: [j-nsp] Help: Learning routes from same ASN, cisco vs juniper

2013-09-11 Thread Payam Chychi
Unless I'm mistaken... That's a safety which detects a loop and rejects the 
prefix.

Allowas-in as well as as-override will get you around it, but don't mod unless 
you know how it's going to affect your network.


-- 
Payam Chychi
Network Engineer / Security Specialist


On Tuesday, 10 September, 2013 at 10:28 AM, OBrien, Will wrote:

> I've found an interesting issue and I wanted to get some thoughts before 
> talking to JTAC about it.
> 
> 
> I have a few MX480s. In the past, I've advertised a dedicated /24 from my 
> lab to my providers upstream.
> That /24 was never learned by my primary MX.
> 
> The issue comes down to either the MX or the Cisco filtering routes that are 
> from the same ASN. It's been a couple of years since I ran across this and I 
> can't remember who was at fault.
> 
> 
> This behavior is biting me with regard to my DR site.
> 
> 
> At my DR, I have a SRX with say ASN 1234. It's advertising a /24.
> 
> At my primary site, I also use ASN1234. I do not receive the /24 via BGP.
> 
> So, either the Cisco (7600 I think) isn't advertising the route to me because 
> it's from my ASN - OR - The MX is filtering it because it's from my ASN and 
> coming in on a eBGP link.
> 
> 
> If it's the MX, I'm certain I can write an import filter, but I'm having an 
> issue hunting down syntax on that.
> If it's the Cisco, then I can yell at the provider to have them open a TAC 
> case. 
> 
> 
> 
> Like I said, I ran across this a few years ago, but can't remember who was at 
> fault. I could build a multi-hop neighbor relationship to get around this, 
> but surely there's a simpler solution...
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 
> 




Re: [j-nsp] Help: Learning routes from same ASN, cisco vs juniper

2013-09-11 Thread OBrien, Will
I was too busy yesterday working on this to say thanks.

The loops threshold was exactly what I needed although my upstream was ALSO 
filtering.
I have to admit that it did take me a few minutes to realize that the loops 
limit also applies to external routes learned by an iBGP neighbor!

The internal neighbor adds an additional AS hop to it, so I had to raise my 
threshold one more than I initially assessed.



Thanks again all.


On Sep 10, 2013, at 12:46 PM, Andrew Tutten wrote:

I believe the command you're looking for is:

set routing-options autonomous-system loops <#>

where # is the acceptable number of times your AS# shows up in an eBGP as-path


On Tue, Sep 10, 2013 at 12:28 PM, OBrien, Will <obri...@missouri.edu> wrote:
I've found an interesting issue and I wanted to get some thoughts before 
talking to JTAC about it.


I have a few MX480s.  In the past, I've advertised a dedicated /24 from my 
lab to my providers upstream.
That /24 was never learned by my primary MX.

The issue comes down to either the MX or the Cisco filtering routes that are 
from the same ASN.  It's been a couple of years since I ran across this and I 
can't remember who was at fault.


This behavior is biting me with regard to my DR site.


At my DR, I have a SRX with say ASN 1234. It's advertising a /24.

At my primary site, I also use ASN1234. I do not receive the /24 via BGP.

So, either the Cisco (7600 I think) isn't advertising the route to me because 
it's from my ASN - OR - The MX is filtering it because it's from my ASN and 
coming in on a eBGP link.


If it's the MX, I'm certain I can write an import filter, but I'm having an 
issue hunting down syntax on that.
If it's the Cisco, then I can yell at the provider to have them open a TAC case.



Like I said, I ran across this a few years ago, but can't remember who was at 
fault. I could build a multi-hop neighbor relationship to get around this, but 
surely there's a simpler solution...



--
Andrew Tutten
Senior Network Engineer
API Digital Communications Group
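
The AS-path loop check this thread is about, as an added example that is not part of the original posts. It follows the documented Junos meaning of `autonomous-system loops N` (a route is hidden once the local AS is detected N or more times), models what a provider-side as-override does to the path, and adds a hypothetical import policy that only tolerates the local AS for prefixes expected from the other site. ASN 1234 is the one used in the thread; provider ASNs 64500 and 64501 and both prefixes are constructed.

```python
# Added illustration: AS-path loop check at the primary site (not Junos code).
# ASNs 64500/64501 and the prefixes below are constructed sample values.
import ipaddress

LOCAL_AS = 1234  # the "say ASN 1234" used at both sites in the thread


def own_as_count(as_path, local_as=LOCAL_AS):
    """Number of times the local AS appears in a received AS_PATH."""
    return sum(1 for asn in as_path if asn == local_as)


def passes_loop_check(as_path, loops=1, local_as=LOCAL_AS):
    """'autonomous-system loops N': the route is hidden once the local AS is
    detected N or more times, so the default (1) tolerates no occurrence."""
    return own_as_count(as_path, local_as) < loops


def as_override(as_path, provider_as, customer_as=LOCAL_AS):
    """Provider-side as-override: each customer AS in the path is replaced by
    the provider's AS before the route is advertised back to the customer."""
    return [provider_as if asn == customer_as else asn for asn in as_path]


def accept(prefix, as_path, loops, expected_prefixes):
    """Hypothetical import policy: a path that contains our own AS is accepted
    only when the prefix is one we expect from the other site."""
    if not passes_loop_check(as_path, loops):
        return False
    if own_as_count(as_path) == 0:
        return True
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(ipaddress.ip_network(p)) for p in expected_prefixes)


DR_PREFIX = "192.0.2.0/24"            # constructed: the DR site's /24
FROM_DR = [64500, 1234]               # provider AS, then the DR site
LOOPED = [64500, 1234, 64501, 1234]   # constructed path that really looped

if __name__ == "__main__":
    for loops in (1, 2, 3):
        print(loops, passes_loop_check(FROM_DR, loops),
              passes_loop_check(LOOPED, loops))
    print(as_override(FROM_DR, 64500))
```

Raising `loops` admits every path with that many occurrences of the local AS, not only the DR route, which is why the sketch pairs it with a prefix restriction.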


Re: [j-nsp] virtual router on mx

2013-09-11 Thread Piotr


Problem solved, problem with L2,

thanks for help


On 2013-09-11 11:25, Antonio Sanchez-Monge wrote:

Hi Piotr,

What ping options are you using? You also need to specify the
routing-instance option. The interface option only changes the source
address, see chapter two of this PDF:

http://www.juniper.net/us/en/community/junos/training-certification/day-one/networking-technologies-series/a-packet-walkthrough/

Thanks!

Antonio Sánchez-Monge
Juniper Networks







On 9/10/13 9:13 PM, "Piotr"  wrote:


Hello,

On my MX240 (11.4R5.5) I am trying to make a virtual router with an additional BGP
session to my ISP. The main BGP session in the main routing table goes via
ae0.74; the extra session in VR blackhole should go via ae0.77. The problem is
that there is no communication with the peer in this virtual router. When I
ping the remote site from the interface in VR blackhole I see these packets on
the interface in the main router. I don't know why Junos transmits packets via
the main routing table?

Appreciate the help
many thanks
Peter


below config and some output


p2p addresses:
me: 10.10.7.154/30
remote: 10.10.7.153/30


# show interfaces ae0.74
description main_interface;
vlan-id 74;
family inet {
    address 10.10.7.130/30;
}


# show interfaces ae0.77
description vr-blackholing;
vlan-id 77;
family inet {
    address 10.10.7.154/30;
}


# show routing-instances blackhole
instance-type virtual-router;
interface ae0.77;
routing-options {
    static {
        route 10.10.0.243/32 next-hop 10.10.7.153;
    }
    autonomous-system 138;
}
protocols {
    bgp {
        group blackhole {
            type external;
            multihop;
            local-address 10.10.7.154;
            import blackhole-in;
            export blackhole-out;
            peer-as 123;
            neighbor 10.10.0.243;
        }
    }
}


# run show route 10.10.7.153
inet.0: 466059 destinations, 1693894 routes (466053 active, 6 holddown, 2 hidden)

10.10.0.0/16 *[BGP/170] 1w5d 12:40:05, MED 0, localpref 1141, from 10.10.0.243
   AS path: 123 I
 > to 10.10.7.129 via ae0.74

blackhole.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.10.7.152/30   *[Direct/0] 00:47:23
 > via ae0.77














Re: [j-nsp] TCN guard on Juniper EX

2013-09-11 Thread Mark Tees
http://forums.juniper.net/t5/Ethernet-Switching/spanning-tree-bpdufilter/td-p/113048

http://en.wikipedia.org/wiki/Multicast_address#Ethernet

Looks like someone else with the same issue. Careful taking your layer 2
domains too far :D

Mark


On Wed, Sep 11, 2013 at 8:18 PM, Dennis Hagens  wrote:

> Hi All,
>
> Is there some way to filter out STP TCN BPDU's on a Juniper EX series
> switch?
>
> We have some old Netgears in our office environment (yes, I need to get
> rid of those) which send TCN's on edge port flaps.
> This causes a lot of reconvergence / mac table flushes on our datacenter
> switches, which are connected via layer 2 with the office. We currently
> hooked up an HP switch with TCN  guard to mitigate this, but this
> introduces a SPOF.
>
> Any ideas?
>
> Thanks,
>
> Dennis Hagens
>



-- 
Regards,

Mark L. Tees


Re: [j-nsp] TCN guard on Juniper EX

2013-09-11 Thread Dennis Hagens
Hi Ben,

We currently implement root-protect already. This indeed does not filter TCN's.
These Netgears can't even do MSTP or RSTP... as I said, really need to get rid 
of them :-). The closest thing I found just now is "fast link" which I assume 
is somewhat like Cisco PortFast.
I need to validate in a test environment if that stops the switches from 
sending TCN's...

Dennis

From: Ben Dale [bd...@comlinx.com.au]
Sent: Wednesday, September 11, 2013 1:45 PM
To: Dennis Hagens
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] TCN guard on Juniper EX

Hi Dennis,

The closest thing Junos has at the moment is root-guard, which would stop your 
Netgears assuming root for the topology, but AFAIK TCNs would still be accepted 
and acted upon.

Are your Netgear boxes manageable?  You can't force ports into edge mode to 
stop this?

On 11/09/2013, at 8:18 PM, Dennis Hagens  wrote:

> Hi All,
>
> Is there some way to filter out STP TCN BPDU's on a Juniper EX series switch?
>
> We have some old Netgears in our office environment (yes, I need to get rid 
> of those) which send TCN's on edge port flaps.
> This causes a lot of reconvergence / mac table flushes on our datacenter 
> switches, which are connected via layer 2 with the office. We currently 
> hooked up an HP switch with TCN  guard to mitigate this, but this introduces 
> a SPOF.
>
> Any ideas?
>
> Thanks,
>
> Dennis Hagens
>




Re: [j-nsp] TCN guard on Juniper EX

2013-09-11 Thread Ben Dale
Hi Dennis,

The closest thing Junos has at the moment is root-guard, which would stop your 
Netgears assuming root for the topology, but AFAIK TCNs would still be accepted 
and acted upon.

Are your Netgear boxes manageable?  You can't force ports into edge mode to 
stop this?

On 11/09/2013, at 8:18 PM, Dennis Hagens  wrote:

> Hi All,
> 
> Is there some way to filter out STP TCN BPDU's on a Juniper EX series switch?
> 
> We have some old Netgears in our office environment (yes, I need to get rid 
> of those) which send TCN's on edge port flaps.
> This causes a lot of reconvergence / mac table flushes on our datacenter 
> switches, which are connected via layer 2 with the office. We currently 
> hooked up an HP switch with TCN  guard to mitigate this, but this introduces 
> a SPOF.
> 
> Any ideas?
> 
> Thanks,
> 
> Dennis Hagens
> 




[j-nsp] TCN guard on Juniper EX

2013-09-11 Thread Dennis Hagens
Hi All,

Is there some way to filter out STP TCN BPDU's on a Juniper EX series switch?

We have some old Netgears in our office environment (yes, I need to get rid of 
those) which send TCN's on edge port flaps.
This causes a lot of reconvergence / mac table flushes on our datacenter 
switches, which are connected via layer 2 with the office. We currently hooked 
up an HP switch with TCN  guard to mitigate this, but this introduces a SPOF.

Any ideas?

Thanks,

Dennis Hagens


Re: [j-nsp] virtual router on mx

2013-09-11 Thread Antonio Sanchez-Monge
Hi Piotr,

What ping options are you using? You also need to specify the
routing-instance option. The interface option only changes the source
address, see chapter two of this PDF:

http://www.juniper.net/us/en/community/junos/training-certification/day-one/networking-technologies-series/a-packet-walkthrough/

Thanks!

Antonio Sánchez-Monge
Juniper Networks







On 9/10/13 9:13 PM, "Piotr"  wrote:

>Hello,
>
>On my MX240 (11.4R5.5) I am trying to make a virtual router with an additional BGP
>session to my ISP. The main BGP session in the main routing table goes via
>ae0.74; the extra session in VR blackhole should go via ae0.77. The problem is
>that there is no communication with the peer in this virtual router. When I
>ping the remote site from the interface in VR blackhole I see these packets on
>the interface in the main router. I don't know why Junos transmits packets via
>the main routing table?
>
>Appreciate the help
>many thanks
>Peter
>
>
>below config and some output
>
>
>p2p addresses:
>me: 10.10.7.154/30
>remote: 10.10.7.153/30
>
>
># show interfaces ae0.74
>description main_interface;
>vlan-id 74;
>family inet {
>    address 10.10.7.130/30;
>}
>
>
># show interfaces ae0.77
>description vr-blackholing;
>vlan-id 77;
>family inet {
>    address 10.10.7.154/30;
>}
>
>
># show routing-instances blackhole
>instance-type virtual-router;
>interface ae0.77;
>routing-options {
>    static {
>        route 10.10.0.243/32 next-hop 10.10.7.153;
>    }
>    autonomous-system 138;
>}
>protocols {
>    bgp {
>        group blackhole {
>            type external;
>            multihop;
>            local-address 10.10.7.154;
>            import blackhole-in;
>            export blackhole-out;
>            peer-as 123;
>            neighbor 10.10.0.243;
>        }
>    }
>}
>
>
># run show route 10.10.7.153
>inet.0: 466059 destinations, 1693894 routes (466053 active, 6 holddown, 2 hidden)
>
>10.10.0.0/16 *[BGP/170] 1w5d 12:40:05, MED 0, localpref 1141, from 10.10.0.243
>   AS path: 123 I
> > to 10.10.7.129 via ae0.74
>
>blackhole.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
>+ = Active Route, - = Last Active, * = Both
>
>10.10.7.152/30   *[Direct/0] 00:47:23
> > via ae0.77
>
>
>
>
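
The point made in the reply above, that the routing-instance option selects the table while the interface option only sets the source address, as an added example that is not part of the original posts. It is a simplified model of per-table longest-prefix lookup, not Junos code; the routes and addresses are copied from the quoted output, and the egress interface of the static route is inferred from its next hop.

```python
# Added illustration of per-table lookup; a simplified model, not Junos code.
import ipaddress

# Routes copied from the post. The static route's egress (ae0.77) is inferred
# from its next hop 10.10.7.153 sitting on the ae0.77 subnet.
TABLES = {
    "inet.0": [("10.10.0.0/16", "ae0.74")],
    "blackhole.inet.0": [
        ("10.10.7.152/30", "ae0.77"),
        ("10.10.0.243/32", "ae0.77"),
    ],
}
IFACE_ADDR = {"ae0.74": "10.10.7.130", "ae0.77": "10.10.7.154"}


def lookup(table, dst):
    """Longest-prefix match inside one table; None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def ping(dst, routing_instance=None, interface=None):
    """Return (egress interface, source address) for a locally generated ping.

    The table is chosen by routing_instance alone; interface only picks the
    source address, as the reply above describes."""
    table = f"{routing_instance}.inet.0" if routing_instance else "inet.0"
    egress = lookup(table, dst)
    source = IFACE_ADDR.get(interface or egress)
    return egress, source


def leaks_to_main(dst, instance, interface):
    """True when pinging with only the interface option leaves by a different
    interface than a lookup inside the intended instance would choose."""
    wanted, _ = ping(dst, routing_instance=instance)
    actual, _ = ping(dst, interface=interface)
    return wanted != actual


if __name__ == "__main__":
    print(ping("10.10.7.153", interface="ae0.77"))
    print(ping("10.10.7.153", routing_instance="blackhole"))
```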


Re: [j-nsp] M5 or M10 AC power supplies

2013-09-11 Thread Darren O'Connor
I have one spare, working, AC PSU for an old M10. I am however located in the 
UK. 

Thanks
Darren
http://www.mellowd.co.uk/ccie



> Date: Tue, 10 Sep 2013 17:16:41 -0400
> From: c...@wpi.edu
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] M5 or M10 AC power supplies
> 
> I have an old M10 (not M10i) with DC power supplies.  Does anyone have
> any AC power supplies they'd be willing to part with or trade for the
> 2 DC ones I have?  This is just for playing around in the home lab...
> 
> Alternatively, does anyone know of a cheap way to get enough DC power
> for these in a lab that doesn't have DC power?  Each power supply
> needs 14A at 48V, about 700W.
> 
> This needs to be really cheap or free, because otherwise I'm just
> going to trash the whole router.
> 
> Thanks,
> Chuck
  