Re: [j-nsp] ng-mvpn problem
Hello,

You are always right :)
Everything works as expected now.

Thanks,
Mihai

On Wed, Oct 23, 2013 at 2:04 AM, Antonio Sanchez-Monge <amo...@juniper.net> wrote:
> Agreed, that should do the trick too :)
>
> On 10/23/13 1:01 AM, Stacy W. Smith <st...@acm.org> wrote:
>> Agreed. The lt-1/1/10.770 interface which is in VRF mvpn on logical-system x must have PIM enabled (or multicast forwarding enabled). If running PIM, it must be the DR.
>>
>> I wasn't suggesting disabling PIM on the lt-1/1/10.770 interface which is in VRF mvpn on logical-system x, just disabling PIM on the remote end of the a-x link (in logical-system a).
>>
>> --Stacy
>>
>> On Oct 22, 2013, at 4:49 PM, Antonio Sanchez-Monge <amo...@juniper.net> wrote:
>>> You need PIM in the interface towards the source IMHO
>>>
>>> On 10/23/13 12:47 AM, Stacy W. Smith <st...@acm.org> wrote:
>>>> Yes, that would also work, but since logical-system a is really just emulating a multicast source, there's really no need for it to run PIM. A typical multicast source would not be running PIM.
>>>>
>>>> --Stacy
>>>>
>>>> On Oct 22, 2013, at 4:44 PM, Antonio Sanchez-Monge <amo...@juniper.net> wrote:
>>>>> Solution would be setting a higher PIM priority in lt-1/1/10.770, so that it becomes the DR.
>>>>>
>>>>> On 10/23/13 12:40 AM, Antonio Sanchez-Monge <amo...@juniper.net> wrote:
>>>>>> That's a brilliant analysis Stacy, I think you nailed it (awaiting Mihai's confirmation).
>>>>>>
>>>>>> On 10/22/13 11:59 PM, Stacy W. Smith <st...@acm.org> wrote:
>>>>>>> On Oct 22, 2013, at 2:44 PM, Mihai <mihaigabr...@gmail.com> wrote:
>>>>>>>> Removing PIM from lt-1/1/10.770 is not a solution because the PE will not learn about the source and the multicast group.
>>>>>>>
>>>>>>> Actually, removing lt-1/1/10.770 from PIM would allow the source and multicast group to be learned, and fix the problem (as long as multicast routing was still enabled on the lt-1/1/10.770 interface).
>>>>>>>
>>>>>>> The problem is that there's a PIM neighbor relationship between a and x. Because of your IP addressing, a is the DR for the a-x LAN.
>>>>>>>
>>>>>>> Because you are injecting traffic with ping and bypass-routing interface lt-1/1/10.771, logical-system a is NOT the first-hop router. It's simply acting as a multicast source that's pumping traffic with destination IP 225.10.10.10 out the lt-1/1/10.771 interface. Logical-system x instance mvpn receives this traffic on lt-1/1/10.770 and does not forward it because it is not the DR. Therefore, the logical-system x instance mvpn doesn't learn about the active (S,G).
>>>>>>>
>>>>>>> Another way to solve this problem is disabling PIM on logical-system a. This will make lt-1/1/10.770 on logical-system x instance mvpn the DR, and cause it to learn about the active S,G (and therefore generate the NG-MVPN Type 5 route).
>>>>>>>
>>>>>>> I have mocked up your configuration in the lab and confirmed that removing PIM from logical-system a fixes the issue.
>>>>>>>
>>>>>>> --Stacy

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
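The DR election that Stacy's analysis turns on, as an added example that is not part of the thread: it models the a-x LAN with the RFC 4601 rule (highest DR priority wins, ties go to the highest address) and checks, for each of the three fixes discussed, whether the mvpn instance on x ends up as DR and so learns the (S,G). Interface names come from the thread; the addresses and priorities are constructed, with a given the higher address so that it wins the tie-break as described.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address

# Interface names are from the thread; addresses and priorities are constructed
# for this example ("a" is given the higher address so it wins the tie-break,
# matching "because of your IP addressing, a is the DR").
@dataclass(frozen=True)
class PimRouter:
    name: str
    interface: str
    address: IPv4Address
    dr_priority: int = 1      # PIM Hello DR Priority option, default 1
    pim_enabled: bool = True  # False: box only sources traffic, sends no Hellos


def elect_dr(lan: list[PimRouter]) -> str | None:
    """RFC 4601 section 4.3.2: highest DR priority wins, ties broken by the
    highest IP address. Routers not running PIM send no Hellos and are never
    candidates. (Simplification: every candidate advertises a priority.)"""
    candidates = [r for r in lan if r.pim_enabled]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.dr_priority, int(r.address))).name


def pe_learns_sg(lan: list[PimRouter], pe: str) -> bool:
    """Only the DR on the source LAN acts on the traffic and learns the active
    (S,G); a non-DR drops it, so the PE never originates the Type 5 route."""
    return elect_dr(lan) == pe


# Scenario 1: as originally configured, a runs PIM and holds the higher address.
a = PimRouter("a", "lt-1/1/10.771", IPv4Address("10.0.0.2"))
x = PimRouter("x", "lt-1/1/10.770", IPv4Address("10.0.0.1"))
BROKEN = [a, x]

# Scenario 2 (Antonio): raise the DR priority on lt-1/1/10.770.
x_high_prio = PimRouter("x", "lt-1/1/10.770", IPv4Address("10.0.0.1"), dr_priority=10)
FIXED_BY_PRIORITY = [a, x_high_prio]

# Scenario 3 (Stacy): stop running PIM on logical-system a altogether.
a_no_pim = PimRouter("a", "lt-1/1/10.771", IPv4Address("10.0.0.2"), pim_enabled=False)
FIXED_BY_NO_PIM = [a_no_pim, x]

if __name__ == "__main__":
    for label, lan in [("broken", BROKEN), ("priority", FIXED_BY_PRIORITY),
                       ("no-pim", FIXED_BY_NO_PIM)]:
        print(f"{label:9s} DR={elect_dr(lan)}  x learns (S,G)={pe_learns_sg(lan, 'x')}")
```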
[j-nsp] Internet access SRX
Hi all

I have SRX and I have configured NAT on it with internet access with no issues.

My question is: when you ping from the SRX itself using source {LAN} there is no response, even though there is internet access from the LAN clients. In Cisco there is response when you ping from the router or the firewall itself?

BR,
Re: [j-nsp] ng-mvpn problem
Brilliant!

I think the reason why it worked with rpt-spt, even for non-DR, is that the upstream PE was receiving a type 6 route, so that triggered the signaling without the need of a pre-existing type 5 route.

From: Mihai Gabriel <mihaigabr...@gmail.com>
Date: Wednesday, October 23, 2013 8:49 AM
To: Antonio Sanchez Monge <amo...@juniper.net>
Cc: Stacy W. Smith <st...@acm.org>, juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] ng-mvpn problem

> Hello,
>
> You are always right :)
> Everything works as expected now.
>
> Thanks,
> Mihai
>
> On Wed, Oct 23, 2013 at 2:04 AM, Antonio Sanchez-Monge <amo...@juniper.net> wrote:
>> Agreed, that should do the trick too :)
>>
>> On 10/23/13 1:01 AM, Stacy W. Smith <st...@acm.org> wrote:
>>> Agreed. The lt-1/1/10.770 interface which is in VRF mvpn on logical-system x must have PIM enabled (or multicast forwarding enabled). If running PIM, it must be the DR.
>>>
>>> I wasn't suggesting disabling PIM on the lt-1/1/10.770 interface which is in VRF mvpn on logical-system x, just disabling PIM on the remote end of the a-x link (in logical-system a).
>>>
>>> --Stacy
>>>
>>> On Oct 22, 2013, at 4:49 PM, Antonio Sanchez-Monge <amo...@juniper.net> wrote:
>>>> You need PIM in the interface towards the source IMHO
>>>>
>>>> On 10/23/13 12:47 AM, Stacy W. Smith <st...@acm.org> wrote:
>>>>> Yes, that would also work, but since logical-system a is really just emulating a multicast source, there's really no need for it to run PIM. A typical multicast source would not be running PIM.
>>>>>
>>>>> --Stacy
>>>>>
>>>>> On Oct 22, 2013, at 4:44 PM, Antonio Sanchez-Monge <amo...@juniper.net> wrote:
>>>>>> Solution would be setting a higher PIM priority in lt-1/1/10.770, so that it becomes the DR.
>>>>>>
>>>>>> On 10/23/13 12:40 AM, Antonio Sanchez-Monge <amo...@juniper.net> wrote:
>>>>>>> That's a brilliant analysis Stacy, I think you nailed it (awaiting Mihai's confirmation).
>>>>>>>
>>>>>>> On 10/22/13 11:59 PM, Stacy W. Smith <st...@acm.org> wrote:
>>>>>>>> On Oct 22, 2013, at 2:44 PM, Mihai <mihaigabr...@gmail.com> wrote:
>>>>>>>>> Removing PIM from lt-1/1/10.770 is not a solution because the PE will not learn about the source and the multicast group.
>>>>>>>>
>>>>>>>> Actually, removing lt-1/1/10.770 from PIM would allow the source and multicast group to be learned, and fix the problem (as long as multicast routing was still enabled on the lt-1/1/10.770 interface).
>>>>>>>>
>>>>>>>> The problem is that there's a PIM neighbor relationship between a and x. Because of your IP addressing, a is the DR for the a-x LAN.
>>>>>>>>
>>>>>>>> Because you are injecting traffic with ping and bypass-routing interface lt-1/1/10.771, logical-system a is NOT the first-hop router. It's simply acting as a multicast source that's pumping traffic with destination IP 225.10.10.10 out the lt-1/1/10.771 interface. Logical-system x instance mvpn receives this traffic on lt-1/1/10.770 and does not forward it because it is not the DR. Therefore, the logical-system x instance mvpn doesn't learn about the active (S,G).
>>>>>>>>
>>>>>>>> Another way to solve this problem is disabling PIM on logical-system a. This will make lt-1/1/10.770 on logical-system x instance mvpn the DR, and cause it to learn about the active S,G (and therefore generate the NG-MVPN Type 5 route).
>>>>>>>>
>>>>>>>> I have mocked up your configuration in the lab and confirmed that removing PIM from logical-system a fixes the issue.
>>>>>>>>
>>>>>>>> --Stacy
Re: [j-nsp] Internet access SRX
Check your nat rules to make sure that this self initiated traffic is being NATted. If you have a restrictive nat rule then the traffic from the firewall may not match the nat rules.

Also check the flows for the pings to see if nat is taking place:

show security flow session protocol icmp

On 23 October 2013 08:34, Mohammad Khalil <eng.m...@gmail.com> wrote:
> Hi all
>
> I have SRX and I have configured NAT on it with internet access with no issues.
>
> My question is: when you ping from the SRX itself using source {LAN} there is no response, even though there is internet access from the LAN clients. In Cisco there is response when you ping from the router or the firewall itself?
>
> BR,
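One way to do the flow check suggested above offline, as an added example that is not part of the thread: a small parser over the In/Out wings of "show security flow session protocol icmp" output that flags SRX-sourced sessions which left without source NAT. The sample output is constructed in the shape of branch-SRX session output (not captured from the poster's box), and it assumes that self-initiated sessions show the pseudo-interface .local..0 on the In wing.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of "show security flow session protocol icmp"
# output; not captured from the poster's box. Session 4120 is a LAN client's
# ping (source-NATted to 203.0.113.5), session 4121 is a ping sourced by the
# SRX itself (assumed to show the pseudo-interface .local..0 on the In wing).
SAMPLE = """\
Session ID: 4120, Policy name: trust-to-untrust/4, Timeout: 2, Valid
  In: 192.168.1.50/1 --> 8.8.8.8/1;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84
  Out: 8.8.8.8/1 --> 203.0.113.5/1;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84
Session ID: 4121, Policy name: self-traffic-policy/1, Timeout: 2, Valid
  In: 192.168.1.1/1 --> 8.8.8.8/1;icmp, If: .local..0, Pkts: 1, Bytes: 84
  Out: 8.8.8.8/1 --> 192.168.1.1/1;icmp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
"""

HDR = re.compile(r"^Session ID: (\d+), Policy name: (\S+),")
WING = re.compile(r"^\s*(In|Out): (\S+?)/\d+ --> (\S+?)/\d+;\w+, If: (\S+),")


@dataclass
class Session:
    sid: int
    policy: str
    in_src: str = ""   # original source address (In wing)
    in_if: str = ""    # ingress interface of the In wing
    out_dst: str = ""  # where replies are addressed (Out wing)

    @property
    def self_initiated(self) -> bool:
        return self.in_if == ".local..0"

    @property
    def source_natted(self) -> bool:
        # Source NAT happened iff replies go to something other than the
        # original inside source address.
        return bool(self.out_dst) and self.out_dst != self.in_src


def parse_sessions(text: str) -> list[Session]:
    sessions: list[Session] = []
    for line in text.splitlines():
        if m := HDR.match(line):
            sessions.append(Session(int(m.group(1)), m.group(2)))
        elif (m := WING.match(line)) and sessions:
            wing, src, dst, ifname = m.groups()
            if wing == "In":
                sessions[-1].in_src, sessions[-1].in_if = src, ifname
            else:
                sessions[-1].out_dst = dst
    return sessions


def unnatted_self_traffic(text: str) -> list[int]:
    """Session IDs of SRX-sourced flows that left without source NAT."""
    return [s.sid for s in parse_sessions(text)
            if s.self_initiated and not s.source_natted]
```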
Re: [j-nsp] Internet access SRX
The normal NAT handling only works with transit traffic, not self-sourced traffic. With newer Junos, you can set up NAT rules using the zone junos-host to get the wanted behaviour.

/Per

On 23 Oct 2013 at 09:34, Mohammad Khalil <eng.m...@gmail.com> wrote:
> Hi all
>
> I have SRX and I have configured NAT on it with internet access with no issues.
>
> My question is: when you ping from the SRX itself using source {LAN} there is no response, even though there is internet access from the LAN clients. In Cisco there is response when you ping from the router or the firewall itself?
>
> BR,
Re: [j-nsp] Internet access SRX
junos-host appears first in version 11.4.

/Per

On 23 Oct 2013 at 10:54, Mohammad Khalil <eng.m...@gmail.com> wrote:
> I am having JUNOS Software Release [10.4R6.5]. I think the feature you are talking about is not available yet, right?
>
> No, I do not have any policies or restrictions; all is allowed.
>
> BR,
> Mohammad
>
> On Wed, Oct 23, 2013 at 10:56 AM, Per Westerlund <p...@westerlund.se> wrote:
>> The normal NAT handling only works with transit traffic, not self-sourced traffic. With newer Junos, you can set up NAT rules using the zone junos-host to get the wanted behaviour.
>>
>> /Per
>>
>> On 23 Oct 2013 at 09:34, Mohammad Khalil <eng.m...@gmail.com> wrote:
>>> Hi all
>>>
>>> I have SRX and I have configured NAT on it with internet access with no issues.
>>>
>>> My question is: when you ping from the SRX itself using source {LAN} there is no response, even though there is internet access from the LAN clients. In Cisco there is response when you ping from the router or the firewall itself?
>>>
>>> BR,
Re: [j-nsp] Internet access SRX
Thanks very much

BR,
Mohammad

On Wed, Oct 23, 2013 at 12:40 PM, Per Westerlund <p...@westerlund.se> wrote:
> junos-host appears first in version 11.4.
>
> /Per
>
> On 23 Oct 2013 at 10:54, Mohammad Khalil <eng.m...@gmail.com> wrote:
>> I am having JUNOS Software Release [10.4R6.5]. I think the feature you are talking about is not available yet, right?
>>
>> No, I do not have any policies or restrictions; all is allowed.
>>
>> BR,
>> Mohammad
>>
>> On Wed, Oct 23, 2013 at 10:56 AM, Per Westerlund <p...@westerlund.se> wrote:
>>> The normal NAT handling only works with transit traffic, not self-sourced traffic. With newer Junos, you can set up NAT rules using the zone junos-host to get the wanted behaviour.
>>>
>>> /Per
>>>
>>> On 23 Oct 2013 at 09:34, Mohammad Khalil <eng.m...@gmail.com> wrote:
>>>> Hi all
>>>>
>>>> I have SRX and I have configured NAT on it with internet access with no issues.
>>>>
>>>> My question is: when you ping from the SRX itself using source {LAN} there is no response, even though there is internet access from the LAN clients. In Cisco there is response when you ping from the router or the firewall itself?
>>>>
>>>> BR,
Re: [j-nsp] Internet access SRX
I am having JUNOS Software Release [10.4R6.5]. I think the feature you are talking about is not available yet, right?

No, I do not have any policies or restrictions; all is allowed.

BR,
Mohammad

On Wed, Oct 23, 2013 at 10:56 AM, Per Westerlund <p...@westerlund.se> wrote:
> The normal NAT handling only works with transit traffic, not self-sourced traffic. With newer Junos, you can set up NAT rules using the zone junos-host to get the wanted behaviour.
>
> /Per
>
> On 23 Oct 2013 at 09:34, Mohammad Khalil <eng.m...@gmail.com> wrote:
>> Hi all
>>
>> I have SRX and I have configured NAT on it with internet access with no issues.
>>
>> My question is: when you ping from the SRX itself using source {LAN} there is no response, even though there is internet access from the LAN clients. In Cisco there is response when you ping from the router or the firewall itself?
>>
>> BR,
[j-nsp] srx cluster - port channel - cisco switches - esx devices - 12.1x45-d15.5 some virtual machines can't be reached
Hi all,

I'm running a cluster of SRX 240 connected to a pair of Cisco 2960 switches with a port channel. ESXi servers are also connected to the same stack of Cisco switches.

VLAN 1000 with IP 192.168.100.0 is used for out-of-band management and reachability. I'm using a dedicated virtual router to route the traffic from this VLAN to other VLANs.

Some virtual machines can be reached but some others can't.

I upgraded today to 12.1X45-D15.5, as I require VPN termination on the loopback interface, and I suspect this release to have introduced weirdness into the configuration.

Does anyone using a pair of SRX devices with release 12.1X45-D15.5 have some issues with this kind of configuration? Are there any specific configurations to be used on the port channels connected to the SRX on the Cisco stack?

Best regards.
Re: [j-nsp] srx cluster - port channel - cisco switches - esx devices - 12.1x45-d15.5 some virtual machines can't be reached
Are the Ciscos configured with a distributed port-channel as well? (On a rethx from the SRX, I'm assuming.)

On 13-10-23 11:12 AM, pkc_mls wrote:
> Hi all,
>
> I'm running a cluster of SRX 240 connected to a pair of Cisco 2960 switches with a port channel. ESXi servers are also connected to the same stack of Cisco switches.
>
> VLAN 1000 with IP 192.168.100.0 is used for out-of-band management and reachability. I'm using a dedicated virtual router to route the traffic from this VLAN to other VLANs.
>
> Some virtual machines can be reached but some others can't.
>
> I upgraded today to 12.1X45-D15.5, as I require VPN termination on the loopback interface, and I suspect this release to have introduced weirdness into the configuration.
>
> Does anyone using a pair of SRX devices with release 12.1X45-D15.5 have some issues with this kind of configuration? Are there any specific configurations to be used on the port channels connected to the SRX on the Cisco stack?
>
> Best regards.
Re: [j-nsp] srx cluster - port channel - cisco switches - esx devices - 12.1x45-d15.5 some virtual machines can't be reached
On 23/10/2013 17:15, Gabriel Blanchard wrote:
> Are the Ciscos configured with a distributed port-channel as well? (On a rethx from the SRX, I'm assuming.)

Hi,

Can you please indicate what a distributed port channel is? This is a stack of 2960 devices.
Re: [j-nsp] srx cluster - port channel - cisco switches - esx devices - 12.1x45-d15.5 some virtual machines can't be reached
On 13-10-23 11:59 AM, pkc_mls wrote:
> On 23/10/2013 17:15, Gabriel Blanchard wrote:
>> Are the Ciscos configured with a distributed port-channel as well? (On a rethx from the SRX, I'm assuming.)
>
> Hi,
>
> Can you please indicate what a distributed port channel is? This is a stack of 2960 devices.

If they are stacked then it's not what you are using. I should have just called it vPC, which is Cisco speak for it.
[j-nsp] EX4550 true power consumption
Hello,

does anybody have real world power consumption specs of the EX4550? (EX4550-32F-AFI)

Juniper has no word about this anywhere in the documentation. There are only statements about the power supply itself (650W capacity) and less than five watts per 10GB fiber interface.

I've been able to find various values on non-Juniper related sites which range from 175W to 345W.

Best regards,
Jonas
Re: [j-nsp] srx cluster - port channel - cisco switches - esx devices - 12.1x45-d15.5 some virtual machines can't be reached
On 24 Oct 2013, at 1:12 am, pkc_mls <pkc_...@yahoo.fr> wrote:
> Hi all,
>
> I'm running a cluster of SRX 240 connected to a pair of Cisco 2960 switches with a port channel. ESXi servers are also connected to the same stack of Cisco switches.
>
> VLAN 1000 with IP 192.168.100.0 is used for out-of-band management and reachability. I'm using a dedicated virtual router to route the traffic from this VLAN to other VLANs.
>
> Some virtual machines can be reached but some others can't.
>
> I upgraded today to 12.1X45-D15.5, as I require VPN termination on the loopback interface, and I suspect this release to have introduced weirdness into the configuration.
>
> Does anyone using a pair of SRX devices with release 12.1X45-D15.5 have some issues with this kind of configuration? Are there any specific configurations to be used on the port channels connected to the SRX on the Cisco stack?
>
> Best regards.

Can you confirm that you have two active port-channels configured on the Cisco side, one into each SRX?
[j-nsp] MX-MPC2-3D layer 3 license required
Is the layer 3 license required or is it an honour system?

Thanks