Re: [j-nsp] SRX cluster and VC Lags

2013-11-07 Thread Per Granath
The EX4550 supports up to 8 interfaces in each LAG, while you have 12.
http://www.juniper.net/techpubs/en_US/junos/topics/concept/interfaces-lag-overview.html

However, that's not an issue there: on the SRX side you should have one RETH 
with all 12 interfaces, while on the EX-VC you should have two separate AE 
interfaces, with 6 physical interfaces in each.

A couple of good examples...
http://juniperguru.wordpress.com/2013/08/04/srx-chassis-cluster-with-redundant-lacp-lag-trunk/
http://cooperlees.com/blog/?p=401

The hashing for load balancing is not configurable on the EX.
For IPv4 it is based on source/destination IP and port.
http://kb.juniper.net/InfoCenter/index?page=contentid=KB22943 (probably needs 
an account to be viewed).


-Original Message-
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of 
Fahad Khan
Sent: Thursday, November 07, 2013 7:05 AM
To: Mike Devlin
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] SRX cluster and VC Lags

Since your primary SRX firewall will be connecting with the switch through
6 interfaces, the load balancing will be done over this aggregate interface, 
perhaps at per-packet level by default. The other 6 interfaces of the other 
(secondary) firewall will be disabled in your A/P design.

Muhammad Fahad Khan
JNCIE-M # 756
Lead Network and Security Consultant - IBM
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Thu, Nov 7, 2013 at 3:17 AM, Mike Devlin mikecdev...@gmail.com wrote:

 Is the load distribution going to be in some fashion even on 12 
 interfaces?  Or even 6?  Cisco, I know, has funky load-balancing across 
 aggregated links if it's not 2, 4 or 8 interfaces.  Is Juniper's 
 load-balancing going to be any different/better?


 On Wed, Nov 6, 2013 at 4:19 AM, Fahad Khan fahad.k...@gmail.com wrote:

 Yeah, you can do so. You don't need any explicit configuration on the 
 SRX side, while you would need to enable LACP at switch port level.

 All the 6 interfaces per firewall will participate in one reth interface, 
 and then you can enable vlan-tagging to provision inter-VLAN routing. 
 You will have interfaces like (e.g.) reth1.100, reth1.110, 
 reth1.120 as per your VLAN configuration.

 Muhammad Fahad Khan
 JNCIE-M # 756
 Lead Network and Security Consultant - IBM
 +92-301-8247638
 Skype: fahad-ibm
 http://pk.linkedin.com/in/muhammadfahadkhan


 On Mon, Oct 28, 2013 at 2:28 AM, Mohammed Shafi msh...@abc.com.qa
 wrote:

  Dear experts, I have a query regarding a LAG between an SRX (650) cluster 
  and an EX-4550 virtual chassis. I have 6 physical links from each VC member 
  towards each node in the SRX cluster. I have multiple VLANs in the EX switch 
  and am planning to host the L3 interfaces in the SRX cluster. Now the 
  question is: can I build a LAG between EX and SRX with a SINGLE reth 
  interface, say reth 1, and associate all physical interfaces from the EX 
  switch (6 interfaces, 12 in total) and enable vlan tagging under reth 1 with 
  unit interfaces for the L3 interfaces?
 
  Is there any limitation for reth interfaces such that they can only 
  have a pair of physical interfaces from each node?
 
  Sent from my iPad
  ___
  juniper-nsp mailing list juniper-nsp@puck.nether.net 
  https://puck.nether.net/mailman/listinfo/juniper-nsp
 
 ___
 juniper-nsp mailing list juniper-nsp@puck.nether.net 
 https://puck.nether.net/mailman/listinfo/juniper-nsp



___
juniper-nsp mailing list juniper-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/juniper-nsp

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
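As an added example (not from the thread or from the linked posts), the layout Per describes: one reth on the SRX650 cluster with six member ports per node, and two separate LACP bundles on the EX4550 VC, one per VC member. Slot numbers, port names, VLAN IDs, zone names and addresses are assumptions.

```junos
## ---- SRX650 chassis cluster: shared configuration, pushed to both nodes ----
## One data-plane redundancy group; node0 is preferred so its six links are active.
set chassis cluster reth-count 2
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

## node0: six ports of an assumed 16-port GPIM in slot 2 become members of reth1
set interfaces ge-2/0/0 gigether-options redundant-parent reth1
set interfaces ge-2/0/1 gigether-options redundant-parent reth1
set interfaces ge-2/0/2 gigether-options redundant-parent reth1
set interfaces ge-2/0/3 gigether-options redundant-parent reth1
set interfaces ge-2/0/4 gigether-options redundant-parent reth1
set interfaces ge-2/0/5 gigether-options redundant-parent reth1
## node1: the same slot, numbered +9 on an SRX650 cluster, hence ge-11/0/x
set interfaces ge-11/0/0 gigether-options redundant-parent reth1
set interfaces ge-11/0/1 gigether-options redundant-parent reth1
set interfaces ge-11/0/2 gigether-options redundant-parent reth1
set interfaces ge-11/0/3 gigether-options redundant-parent reth1
set interfaces ge-11/0/4 gigether-options redundant-parent reth1
set interfaces ge-11/0/5 gigether-options redundant-parent reth1

## reth1 speaks LACP. Each node negotiates its own bundle with the switch,
## which is why the EX side needs two AE interfaces rather than one 12-port LAG.
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options lacp active
set interfaces reth1 redundant-ether-options lacp periodic fast
set interfaces reth1 vlan-tagging
set interfaces reth1 unit 100 vlan-id 100
set interfaces reth1 unit 100 family inet address 10.100.0.1/24
set interfaces reth1 unit 110 vlan-id 110
set interfaces reth1 unit 110 family inet address 10.110.0.1/24
## each L3 unit must belong to a zone before any security policy can match it
set security zones security-zone trust interfaces reth1.100
set security zones security-zone trust interfaces reth1.110

## ---- EX4550 virtual chassis ----
set chassis aggregated-devices ethernet device-count 2
## ae0: six ports on VC member 0, cabled to SRX node0
set interfaces xe-0/0/0 ether-options 802.3ad ae0
set interfaces xe-0/0/1 ether-options 802.3ad ae0
set interfaces xe-0/0/2 ether-options 802.3ad ae0
set interfaces xe-0/0/3 ether-options 802.3ad ae0
set interfaces xe-0/0/4 ether-options 802.3ad ae0
set interfaces xe-0/0/5 ether-options 802.3ad ae0
## ae1: six ports on VC member 1, cabled to SRX node1
set interfaces xe-1/0/0 ether-options 802.3ad ae1
set interfaces xe-1/0/1 ether-options 802.3ad ae1
set interfaces xe-1/0/2 ether-options 802.3ad ae1
set interfaces xe-1/0/3 ether-options 802.3ad ae1
set interfaces xe-1/0/4 ether-options 802.3ad ae1
set interfaces xe-1/0/5 ether-options 802.3ad ae1

## both bundles run LACP and trunk the same VLANs; the AE toward the backup
## node carries no traffic until a redundancy-group failover
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic fast
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members [ v100 v110 ]
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic fast
set interfaces ae1 unit 0 family ethernet-switching port-mode trunk
set interfaces ae1 unit 0 family ethernet-switching vlan members [ v100 v110 ]
set vlans v100 vlan-id 100
set vlans v110 vlan-id 110
```

Each AE stays within the 8-member limit Per points out, and `show lacp interfaces` on the EX should show only the bundle facing the active node collecting and distributing.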


[j-nsp] AFL license for EX8200 VirtualChassis

2013-11-07 Thread Robert Hass
Hi
I'm planning to buy AFL licenses for my 2xEX8200 + 2xXRE200
(VirtualChassis) setup.

Do you need to buy:

2 x EX-XRE200-AFL
2 x EX8208-AFL

or, as I'm running the setup with XRE/VirtualChassis, is it enough to buy just:

2 x EX-XRE200-AFL

?

Rob


Re: [j-nsp] AFL license for EX8200 VirtualChassis

2013-11-07 Thread Per Granath
For any virtual chassis only two licenses are required - for the master and 
backup RE.

For the EX82-VC that is the two XREs.

http://www.juniper.net/techpubs/en_US/junos/topics/concept/ex-series-software-licenses-overview.html


-Original Message-
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of 
Robert Hass
Sent: Thursday, November 07, 2013 11:08 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] AFL license for EX8200 VirtualChassis

Hi
I'm planning to buy AFL licenses for my 2xEX8200 + 2xXRE200
(VirtualChassis) setup.

Do you need to buy :

2 x EX-XRE200-AFL
2 x EX8208-AFL

or just is enough as I'm running setup with XRE/VirtualChassis

2 x EX-XRE200-AFL

?

Rob
___
juniper-nsp mailing list juniper-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/juniper-nsp



[j-nsp] J-series, hoping packets between routing-instances

2013-11-07 Thread Mike Williams
Hi all,

I might have painted myself into a corner here, so I'm here looking for 
options from people far cleverer than I.

Firstly, a bit of history.

We're using J6350s, and SRX650s, as security devices on a stick.
Our Ms and MXs punt packets into a routing instance on the security devices 
with firewall filters. Those routing instances purposely only use the most 
basic of static routes possible (10/8, 192.168/16, etc), so we can be certain 
what zones packets pass through so the policies match.

That all works fine.


We're also centralising our inter-site IPSec onto the Js and SRXs, but need 
OSPF there, so have a second routing-instance and a partial mesh of routed 
tunnels between them.
Still, all good.
Offices and what-not have tunnels tied directly to the IPSec routing-instances 
and OSPF metrics keep traffic flows sane.
All hunky dory.



Now the problem.

I need to take traffic from servers behind an M/MX, have it policy'd by the 
security routing instance, then encrypted by the IPSec routing-instance.
If I punt traffic into security, let it come back to the router, then punt 
it back into ipsec, everything works as expected.
However, each packet has to pass across the M/MX-J/SRX link 4 times: in, out, 
in, out. Shake it all about.

Obviously this would be better if we could shortcut the M/MX step in the 
middle and move packets from security to ipsec, and ipsec to security 
directly.

As security doesn't run OSPF/BGP/ISIS/etc, adding a static route next-table 
ipsec.inet.0 is fine.
ipsec *does* run OSPF though, so I need to do FBF to override that. I've 
tried a 'then routing-instance security' filter applied on output on the 
interface facing the M/MX, but my traffic gets lost somewhere. Security 
policies from 'input-ipsec-zone' to 'output-security-zone' were added.


I'm wondering if 'moving' packets from routing-instance to routing-instance on 
a flow-mode device simply screws up security policies, as one of the input or 
output interfaces doesn't exist in the routing-instance.
So I figured *routing* packets from routing-instance to routing-instance would 
be better. Time for some logical tunnels! J-series devices don't support 
logical tunnels though.

Argh!

-- 
Mike Williams


[j-nsp] QinQ on MX5

2013-11-07 Thread Massimo Ravizza
Hi,
I need to connect an interface of an EX2200 with an MX5. On this interface
I do QinQ:

set interfaces ge-0/1/1 unit 0 family ethernet-switching port-mode trunk
-- interface to MX
set interfaces vlan unit 2 family inet address X.X.X.X
set vlans svlan1 vlan-id 3001
set vlans svlan1 interface ge-0/1/1.0
set vlans svlan1 dot1q-tunneling customer-vlans 2
set vlans svlan1 dot1q-tunneling customer-vlans 10
set vlans svlan1 dot1q-tunneling customer-vlans 20
set vlans vlan2 description Management
set vlans vlan2 vlan-id 2
set vlans vlan2 l3-interface vlan.2

On the MX side, this kind of configuration is not possible. I tried to use
vlan-map, but the MX doesn't like it:



[edit interfaces]
+   ge-1/1/5 {
+   vlan-tagging;
+   mtu 9192;
+   encapsulation flexible-ethernet-services;
+   unit 2 {
+   description MANAGEMENT;
+   vlan-id 2;
+   input-vlan-map pop;
+   output-vlan-map {
+   push;
+   tag-protocol-id 0x8100;
+   vlan-id 3001;
+   }
+   family inet {
+   mtu 1500;
+   address X.X.X.X;
+   }
+   }
+   unit 401 {
+   description VLAN DATI;
+   vlan-id 401;
+   input-vlan-map pop;
+   output-vlan-map {
+   push;
+   tag-protocol-id 0x8100;
+   vlan-id 3002;
+   }
+   family inet {
+   mtu 1500;
+   address X.X.X.X;
+   }
+   family mpls;
+   }
+   unit 402 {
+   description VLAN INTERNET;
+   vlan-id 402;
+   input-vlan-map pop;
+   output-vlan-map {
+   push;
+   tag-protocol-id 0x8100;
+   vlan-id 3002;
+   }
+   family inet {
+   mtu 1500;
+   address X.X.X.X;
+   }
+   family mpls;
+   }
+   }
+   vlan {
+   unit 2 {
+   family inet {
+   address X.X.X.X;
+   }
+   }
+   }

[edit]
# commit check
[edit interfaces ge-1/1/5]
  'unit 2'
vlan map ge-1/1/5: input-vlan-map or output-vlan-map can only be
specified in vlan-ccc, extended-vlan-ccc, vlan-vpls or extended-vlan-vpls
encapsulations
error: configuration check-out failed

Do you have any suggestions?
Thanks


[j-nsp] MX80 / 3D MIC buffers/queues

2013-11-07 Thread Scott Harvanek
Does anyone know if there is a way to see how much buffer 
space/queue space is being used for shaping policies on the MX80 / 
MIC-3D-20SFP?  I can see queue status but I'm more interested in how 
much memory is being consumed for shaping.


We apply some shaping policies per unit on interfaces and we have _a 
lot_ of them. I'm wondering if there is any sort of limit on how many 
interfaces can be shaped reliably, or how we can check buckets/buffers 
per physical port to ensure we are not overflowing / losing the shaping 
ability.


Hopefully that question makes sense, thanks.

--
Scott H.



Re: [j-nsp] QinQ on MX5

2013-11-07 Thread Per Granath
Not clear what you want to do, although it looks like family inet..., but 
would this work?

# show interfaces ge-1/1/0
flexible-vlan-tagging;
encapsulation flexible-ethernet-services;
unit 2 {
vlan-tags outer 3001 inner 2;
family inet {
address 1.1.1.1/31;
}
}


-Original Message-
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of 
Massimo Ravizza
Sent: Thursday, November 07, 2013 4:51 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] QinQ on MX5

Hi,
I need to connect an interface of an EX2200 with an MX5. On this interface I do 
QinQ:

set interfaces ge-0/1/1 unit 0 family ethernet-switching port-mode trunk
-- interface to MX
set interfaces vlan unit 2 family inet address X.X.X.X set vlans svlan1 vlan-id 
3001 set vlans svlan1 interface ge-0/1/1.0 set vlans svlan1 dot1q-tunneling 
customer-vlans 2 set vlans svlan1 dot1q-tunneling customer-vlans 10 set vlans 
svlan1 dot1q-tunneling customer-vlans 20 set vlans vlan2 description Management 
set vlans vlan2 vlan-id 2 set vlans vlan2 l3-interface vlan.2

On MX side, this kind of configuration is not possible. I tried to use 
vlan-map, but MX doen't like it:



[edit interfaces]
+   ge-1/1/5 {
+   vlan-tagging;
+   mtu 9192;
+   encapsulation flexible-ethernet-services;
+   unit 2 {
+   description MANAGEMENT;
+   vlan-id 2;
+   input-vlan-map pop;
+   output-vlan-map {
+   push;
+   tag-protocol-id 0x8100;
+   vlan-id 3001;
+   }
+   family inet {
+   mtu 1500;
+   address X.X.X.X;
+   }
+   }
+   unit 401 {
+   description VLAN DATI;
+   vlan-id 401;
+   input-vlan-map pop;
+   output-vlan-map {
+   push;
+   tag-protocol-id 0x8100;
+   vlan-id 3002;
+   }
+   family inet {
+   mtu 1500;
+   address X.X.X.X;
+   }
+   family mpls;
+   }
+   unit 402 {
+   description VLAN INTERNET;
+   vlan-id 402;
+   input-vlan-map pop;
+   output-vlan-map {
+   push;
+   tag-protocol-id 0x8100;
+   vlan-id 3002;
+   }
+   family inet {
+   mtu 1500;
+   address X.X.X.X;
+   }
+   family mpls;
+   }
+   }
+   vlan {
+   unit 2 {
+   family inet {
+   address X.X.X.X;
+   }
+   }
+   }

[edit]
# commit check
[edit interfaces ge-1/1/5]
  'unit 2'
vlan map ge-1/1/5: input-vlan-map or output-vlan-map can only be specified 
in vlan-ccc, extended-vlan-ccc, vlan-vpls or extended-vlan-vpls encapsulations
error: configuration check-out failed

Do you have some suggestion?
Thanks
___
juniper-nsp mailing list juniper-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/juniper-nsp

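As an added example extending Per's snippet (not from the thread), the MX5 side for all three customer VLANs that the EX2200 tunnels into S-VLAN 3001; ge-1/1/5 is the port from the original post, the unit numbers and addresses are assumed.

```junos
## MX5 side of the EX2200 Q-in-Q trunk. Each tunnelled customer VLAN is one
## unit that matches both tags directly, so no input/output-vlan-map (the
## statement the commit check rejected) is needed, and the
## flexible-ethernet-services encapsulation can stay.
set interfaces ge-1/1/5 flexible-vlan-tagging
set interfaces ge-1/1/5 encapsulation flexible-ethernet-services
set interfaces ge-1/1/5 mtu 9192
## S-VLAN 3001 / C-VLAN 2: management, the peer of vlan.2 on the EX side.
## The outer TPID defaults to 0x8100 on both boxes, matching the
## tag-protocol-id the rejected configuration pushed explicitly.
set interfaces ge-1/1/5 unit 2 description MANAGEMENT
set interfaces ge-1/1/5 unit 2 vlan-tags outer 3001 inner 2
set interfaces ge-1/1/5 unit 2 family inet address 192.0.2.1/31
## S-VLAN 3001 / C-VLAN 10 and 20: the other two customer VLANs the EX tunnels
set interfaces ge-1/1/5 unit 10 vlan-tags outer 3001 inner 10
set interfaces ge-1/1/5 unit 10 family inet address 192.0.2.3/31
set interfaces ge-1/1/5 unit 20 vlan-tags outer 3001 inner 20
set interfaces ge-1/1/5 unit 20 family inet address 192.0.2.5/31
```

A `commit check` with these units should pass where the vlan-map version failed, and `show interfaces ge-1/1/5.2` should list the two tags on the unit.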


Re: [j-nsp] QinQ on MX5

2013-11-07 Thread Massimo Ravizza
At the moment I can't test it. Tomorrow I will let you know. Thanks to all
for the suggestion of the vlan-tags solution.


2013/11/7 Per Granath per.gran...@gcc.com.cy

 Not clear what you want to do, although it looks like family inet...,
 but would this work?

 # show interfaces ge-1/1/0
 flexible-vlan-tagging;
 encapsulation flexible-ethernet-services;
 unit 2 {
 vlan-tags outer 3001 inner 2;
 family inet {
 address 1.1.1.1/31;
 }
 }


 -Original Message-
 From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf
 Of Massimo Ravizza
 Sent: Thursday, November 07, 2013 4:51 PM
 To: juniper-nsp@puck.nether.net
 Subject: [j-nsp] QinQ on MX5

 Hi,
 I need to connect an interface of an EX2200 with an MX5. On this interface
 I do QinQ:

 set interfaces ge-0/1/1 unit 0 family ethernet-switching port-mode trunk
 -- interface to MX
 set interfaces vlan unit 2 family inet address X.X.X.X set vlans svlan1
 vlan-id 3001 set vlans svlan1 interface ge-0/1/1.0 set vlans svlan1
 dot1q-tunneling customer-vlans 2 set vlans svlan1 dot1q-tunneling
 customer-vlans 10 set vlans svlan1 dot1q-tunneling customer-vlans 20 set
 vlans vlan2 description Management set vlans vlan2 vlan-id 2 set vlans
 vlan2 l3-interface vlan.2

 On MX side, this kind of configuration is not possible. I tried to use
 vlan-map, but MX doen't like it:



 [edit interfaces]
 +   ge-1/1/5 {
 +   vlan-tagging;
 +   mtu 9192;
 +   encapsulation flexible-ethernet-services;
 +   unit 2 {
 +   description MANAGEMENT;
 +   vlan-id 2;
 +   input-vlan-map pop;
 +   output-vlan-map {
 +   push;
 +   tag-protocol-id 0x8100;
 +   vlan-id 3001;
 +   }
 +   family inet {
 +   mtu 1500;
 +   address X.X.X.X;
 +   }
 +   }
 +   unit 401 {
 +   description VLAN DATI;
 +   vlan-id 401;
 +   input-vlan-map pop;
 +   output-vlan-map {
 +   push;
 +   tag-protocol-id 0x8100;
 +   vlan-id 3002;
 +   }
 +   family inet {
 +   mtu 1500;
 +   address X.X.X.X;
 +   }
 +   family mpls;
 +   }
 +   unit 402 {
 +   description VLAN INTERNET;
 +   vlan-id 402;
 +   input-vlan-map pop;
 +   output-vlan-map {
 +   push;
 +   tag-protocol-id 0x8100;
 +   vlan-id 3002;
 +   }
 +   family inet {
 +   mtu 1500;
 +   address X.X.X.X;
 +   }
 +   family mpls;
 +   }
 +   }
 +   vlan {
 +   unit 2 {
 +   family inet {
 +   address X.X.X.X;
 +   }
 +   }
 +   }

 [edit]
 # commit check
 [edit interfaces ge-1/1/5]
   'unit 2'
 vlan map ge-1/1/5: input-vlan-map or output-vlan-map can only be
 specified in vlan-ccc, extended-vlan-ccc, vlan-vpls or extended-vlan-vpls
 encapsulations
 error: configuration check-out failed

 Do you have some suggestion?
 Thanks
 ___
 juniper-nsp mailing list juniper-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/juniper-nsp



Re: [j-nsp] MX80 / 3D MIC buffers/queues

2013-11-07 Thread Scott Harvanek

Thanks!

So here's what I got. Does this mean I'm not even at 1% utilization, 
even with 1866 buffers?


##

request pfe execute command "show qxchip 0 memory" target tfeb0
SENT: Ukern command: show qxchip 0 memory
GOT:
GOT: QX Linkram : 0
GOT:    Total buffers in use: 5  (0%)
GOT:       Bank 0 in use: 1  (0%)
GOT:       Bank 1 in use: 4  (0%)
GOT:    Use meter regions:
GOT:      region  up-threshold  down-threshold
GOT:      ------  ------------  --------------
GOT:           0           68%              0%  <--- current region
GOT:           1           87%             65%
GOT:           2           93%             83%
GOT:           3          100%             89%
GOT: QX Linkram : 1
GOT:    Total buffers in use: 1866  (0%)
GOT:       Bank 0 in use: 977  (0%)
GOT:       Bank 1 in use: 889  (0%)
GOT:    Use meter regions:
GOT:      region  up-threshold  down-threshold
GOT:      ------  ------------  --------------
GOT:           0           68%              0%  <--- current region
GOT:           1           87%             65%
GOT:           2           93%             83%
GOT:           3          100%             89%
LOCAL: End of file

##

Scott H.

On 11/7/13, 10:15 AM, Nikita Shirokov wrote:
In Trio the qxchip is responsible for H-QoS. You can check its memory 
utilization through this command:


hostname> request pfe execute command "show qxchip 0 memory" target tfeb0
SENT: Ukern command: show qxchip 0 memory
GOT:
GOT: QX Linkram : 0
GOT:    Total buffers in use: 6  (0%)
GOT:       Bank 0 in use: 3  (0%)
GOT:       Bank 1 in use: 3  (0%)
GOT:    Use meter regions:
GOT:      region  up-threshold  down-threshold
GOT:      ------  ------------  --------------
GOT:           0           68%              0%  <--- current region
GOT:           1           87%             65%
GOT:           2           93%             83%
GOT:           3          100%             89%
GOT: QX Linkram : 1
GOT:    Total buffers in use: 6  (0%)
GOT:       Bank 0 in use: 3  (0%)
GOT:       Bank 1 in use: 3  (0%)
GOT:    Use meter regions:
GOT:      region  up-threshold  down-threshold
GOT:      ------  ------------  --------------
GOT:           0           68%              0%  <--- current region
GOT:           1           87%             65%
GOT:           2           93%             83%
GOT:           3          100%             89%
LOCAL: End of file



2013/11/7 Scott Harvanek scott.harva...@login.com 


Does anyone know if there is there a way to see how much buffer
space/queue space is being used for shaping policies on the MX80 /
MIC-3D-20SFP?  I can see queue status but I'm more interested in
how much memory is being consumed for shaping.

We apply some shaping policies per unit on interfaces and we have
_a lot_ of them, I'm wondering if there is any sort of limit of
how many interfaces can be shaped reliably or how we can check
buckets/buffers per physical port to ensure we are not overflowing
/ losing the shaping ability.

Hopefully that question makes sense, thanks.

-- 
Scott H.


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp






Re: [j-nsp] MX80 / 3D MIC buffers/queues

2013-11-07 Thread Nikita Shirokov
This output shows you how many queues have been consumed (and the maximum
amount of queues). Actual packet buffering happens on the mqchip. I
don't remember the command which shows you how many packet buffers have
been consumed. Will try to find it.


2013/11/7 Scott Harvanek scott.harva...@login.com

  Thanks!

 So here's what I got, does this mean I'm not even to 1 % utilization even
 with 1866 buffers?

 ##


 request pfe execute command show qxchip 0 memory target tfeb0
 SENT: Ukern command: show qxchip 0 memory
 GOT:
 GOT: QX Linkram : 0
 GOT:Total buffers in use: 5  (0%)
 GOT: Bank 0 in use: 1  (0%)
 GOT: Bank 1 in use: 4  (0%)
 GOT:Use meter regions:
 GOT:  region up-threshold  down-threshold
 GOT:  --   --
 GOT:068%   0%--- current
 region
 GOT:187%  65%
 GOT:293%  83%
 GOT:3100%  89%
 GOT: QX Linkram : 1
 GOT:Total buffers in use: 1866  (0%)
 GOT: Bank 0 in use: 977  (0%)
 GOT: Bank 1 in use: 889  (0%)

 GOT:Use meter regions:
 GOT:  region up-threshold  down-threshold
 GOT:  --   --
 GOT:068%   0%--- current
 region
 GOT:187%  65%
 GOT:293%  83%
 GOT:3100%  89%
 LOCAL: End of file

 ##

 Scott H.

 On 11/7/13, 10:15 AM, Nikita Shirokov wrote:

 in trio qxchip is responsible for H-QOS. you can check it's memory
 utilization thru this command:

 hostnamerequest pfe execute command show qxchip 0 memory target tfeb0
 SENT: Ukern command: show qxchip 0 memory
 GOT:
 GOT: QX Linkram : 0
 GOT:Total buffers in use: 6  (0%)
 GOT: Bank 0 in use: 3  (0%)
 GOT: Bank 1 in use: 3  (0%)
 GOT:Use meter regions:
 GOT:  region up-threshold  down-threshold
 GOT:  --   --
 GOT:068%   0%--- current
 region
 GOT:187%  65%
 GOT:293%  83%
 GOT:3100%  89%
 GOT: QX Linkram : 1
 GOT:Total buffers in use: 6  (0%)
 GOT: Bank 0 in use: 3  (0%)
 GOT: Bank 1 in use: 3  (0%)
 GOT:Use meter regions:
 GOT:  region up-threshold  down-threshold
 GOT:  --   --
 GOT:068%   0%--- current
 region
 GOT:187%  65%
 GOT:293%  83%
 GOT:3100%  89%
 LOCAL: End of file



 2013/11/7 Scott Harvanek scott.harva...@login.com

 Does anyone know if there is there a way to see how much buffer
 space/queue space is being used for shaping policies on the MX80 /
 MIC-3D-20SFP?  I can see queue status but I'm more interested in how much
 memory is being consumed for shaping.

 We apply some shaping policies per unit on interfaces and we have _a lot_
 of them, I'm wondering if there is any sort of limit of how many interfaces
 can be shaped reliably or how we can check buckets/buffers per physical
 port to ensure we are not overflowing / losing the shaping ability.

 Hopefully that question makes sense, thanks.

 --
 Scott H.

 ___
 juniper-nsp mailing list juniper-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/juniper-nsp






Re: [j-nsp] J-series, hoping packets between routing-instances

2013-11-07 Thread Alex Arseniev

Hello,
Multiple routing-instances with next-table statics is a supported SRX 
configuration, see
http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/nat-security-mutiple-isp-configuring.html 

You can shortcut packets between RIs with lt-* interfaces as well, but 
lt-* interfaces are not supported in an SRX cluster.

HTH
Thanks
Alex

On 07/11/2013 14:37, Mike Williams wrote:

Hi all,

I might have painted myself into a corner here, so I'm here looking for
options from people far cleverer than I.

Firstly, a bit of history.

We're using J6350s, and SRX650s, as security devices on a stick.
Our Ms and MXs punt packets into a routing instance on the security devices
with firewall filters. Those routing instances purposely only use the most
basic of static routes possible (10/8, 192.168/16, etc), so we can be certain
what zones packets pass through so the policies match.

That all works fine.


We're also centralising our inter-site IPSec onto the Js and SRXs, but need
OSPF there, so have a second routing-instance and a partial mesh of routed
tunnels between them.
Still, all good.
Offices and what-not have tunnels tied directly to the IPSec routing-instances
and OSPF metrics keep traffic flows sane.
All hunky dory.



Now the problem.

I need to take traffic from servers behind an M/MX have it policy'd by the
security routing instance, then encrypted by the IPSec routing-instance.
If I punt traffic into security, let it come back to the router, then punt
it back into ipsec, everything works as expected.
However each packet has to pass across the M/MX-J/SRX link 4 times, in out,
in out. Shake it all about.

Obviously this would be better if we could shortcut the M/MX step in the
middle and move packets from security to ipsec, and ipsec to security
directly.

As security doesn't run OSPF/BGP/ISIS/etc adding a static route next-table
ipsec.inet.0 is fine.
ipsec *does* run OSPF though, so I need to do FBF to override that. I've
tried a then routing-instance security filter applied on output on the
interface facing the M/MX, but my traffic get lost somewhere. Security
policies from 'input-ipsec-zone' to 'output-security-zone' were added.


I'm wondering if 'moving' packets from routing-instance to routing-instance on
a flow-mode device simply screws up security policies. As one of the input or
output interface don't exist in the routing-instance.
So I figured *routing* packets from routing-instance to routing-instance would
be better. Time for some logical tunnels! J-series devices don't support
logical tunnels though.

Argh!





Re: [j-nsp] MX80 / 3D MIC buffers/queues

2013-11-07 Thread Nikita Shirokov
In Trio the qxchip is responsible for H-QoS. You can check its memory
utilization through this command:

hostname> request pfe execute command "show qxchip 0 memory" target tfeb0
SENT: Ukern command: show qxchip 0 memory
GOT:
GOT: QX Linkram : 0
GOT:    Total buffers in use: 6  (0%)
GOT:       Bank 0 in use: 3  (0%)
GOT:       Bank 1 in use: 3  (0%)
GOT:    Use meter regions:
GOT:      region  up-threshold  down-threshold
GOT:      ------  ------------  --------------
GOT:           0           68%              0%  <--- current region
GOT:           1           87%             65%
GOT:           2           93%             83%
GOT:           3          100%             89%
GOT: QX Linkram : 1
GOT:    Total buffers in use: 6  (0%)
GOT:       Bank 0 in use: 3  (0%)
GOT:       Bank 1 in use: 3  (0%)
GOT:    Use meter regions:
GOT:      region  up-threshold  down-threshold
GOT:      ------  ------------  --------------
GOT:           0           68%              0%  <--- current region
GOT:           1           87%             65%
GOT:           2           93%             83%
GOT:           3          100%             89%
LOCAL: End of file



2013/11/7 Scott Harvanek scott.harva...@login.com

 Does anyone know if there is there a way to see how much buffer
 space/queue space is being used for shaping policies on the MX80 /
 MIC-3D-20SFP?  I can see queue status but I'm more interested in how much
 memory is being consumed for shaping.

 We apply some shaping policies per unit on interfaces and we have _a lot_
 of them, I'm wondering if there is any sort of limit of how many interfaces
 can be shaped reliably or how we can check buckets/buffers per physical
 port to ensure we are not overflowing / losing the shaping ability.

 Hopefully that question makes sense, thanks.

 --
 Scott H.

 ___
 juniper-nsp mailing list juniper-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/juniper-nsp



Re: [j-nsp] J-series, hoping packets between routing-instances

2013-11-07 Thread Ben Dale
Hi Mike,

First.. Yikes!

Second - yes, this is possible.  It is perfectly legal to use FBF to bounce 
across routing instances and still match security policy - just ensure your 
security policy matches the source and destination zones for the *ultimate* 
destination of the flow; whether it exists in the instance the 
traffic ends up in is ignored by the flow engine.

On 8 Nov 2013, at 12:37 am, Mike Williams mike.willi...@comodo.com wrote:

 Hi all,
 
 I might have painted myself into a corner here, so I'm here looking for 
 options from people far cleverer than I.
 
 Firstly, a bit of history.
 
 We're using J6350s, and SRX650s, as security devices on a stick.
 Our Ms and MXs punt packets into a routing instance on the security devices 
 with firewall filters. Those routing instances purposely only use the most 
 basic of static routes possible (10/8, 192.168/16, etc), so we can be certain 
 what zones packets pass through so the policies match.
 
 That all works fine.
 
 
 We're also centralising our inter-site IPSec onto the Js and SRXs, but need 
 OSPF there, so have a second routing-instance and a partial mesh of routed 
 tunnels between them.
 Still, all good.
 Offices and what-not have tunnels tied directly to the IPSec 
 routing-instances 
 and OSPF metrics keep traffic flows sane.
 All hunky dory.
 
 
 
 Now the problem.
 
 I need to take traffic from servers behind an M/MX have it policy'd by the 
 security routing instance, then encrypted by the IPSec routing-instance.
 If I punt traffic into security, let it come back to the router, then punt 
 it back into ipsec, everything works as expected.
 However each packet has to pass across the M/MX-J/SRX link 4 times, in out, 
 in out. Shake it all about.
 
 Obviously this would be better if we could shortcut the M/MX step in the 
 middle and move packets from security to ipsec, and ipsec to security 
 directly.
 
 As security doesn't run OSPF/BGP/ISIS/etc adding a static route next-table 
 ipsec.inet.0 is fine.
 ipsec *does* run OSPF though, so I need to do FBF to override that. I've 
 tried a then routing-instance security filter applied on output on the 
 interface facing the M/MX, but my traffic get lost somewhere. Security 
 policies from 'input-ipsec-zone' to 'output-security-zone' were added.
 
 
 I'm wondering if 'moving' packets from routing-instance to routing-instance 
 on 
 a flow-mode device simply screws up security policies. As one of the input or 
 output interface don't exist in the routing-instance.
 So I figured *routing* packets from routing-instance to routing-instance 
 would 
 be better. Time for some logical tunnels! J-series devices don't support 
 logical tunnels though.
 
 Argh!
 
 -- 
 Mike Williams
 ___
 juniper-nsp mailing list juniper-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/juniper-nsp
 


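An added sketch (not Mike's, Alex's or Ben's configuration) of the shortcut the thread converges on: a next-table static from the security instance into ipsec.inet.0 as Alex confirms is supported, an input filter on the tunnel interface that hands returning traffic to the security table, and policies written for the zones the flow actually enters and leaves, as Ben describes. The filter sits on the input of st0.1 because the routing-instance action of filter-based forwarding only takes effect on ingress; an output filter on the M/MX-facing interface, as tried above, never redirects. Instance names come from the thread; interfaces, zones, prefixes, the VPN binding of st0.1 and the OSPF setup are assumed.

```junos
## ---- routing instances: "security" (coarse statics only) and "ipsec" (OSPF) ----
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 10 vlan-id 10
set interfaces ge-0/0/1 unit 10 family inet address 10.255.0.2/30
set routing-instances security instance-type virtual-router
set routing-instances security interface ge-0/0/1.10
## the basic statics the thread describes, plus a hand-off of the remote-site
## range into the ipsec table: no routing protocol is needed in "security"
set routing-instances security routing-options static route 10.0.0.0/8 next-hop 10.255.0.1
set routing-instances security routing-options static route 172.16.0.0/12 next-table ipsec.inet.0

set interfaces st0 unit 1 family inet address 172.31.255.1/30
set routing-instances ipsec instance-type virtual-router
set routing-instances ipsec interface st0.1
set routing-instances ipsec protocols ospf area 0.0.0.0 interface st0.1

## ---- return path: "ipsec" learns the server range via OSPF, so a static
## cannot override it; FBF sends tunnel ingress for that range to the
## security table instead. Input filter: FBF does not act on output. ----
set firewall family inet filter TUNNEL-TO-SECURITY term servers from destination-address 10.0.0.0/8
set firewall family inet filter TUNNEL-TO-SECURITY term servers then routing-instance security
set firewall family inet filter TUNNEL-TO-SECURITY term rest then accept
set interfaces st0 unit 1 family inet filter input TUNNEL-TO-SECURITY

## ---- zones and policy: the flow engine matches the zone of the interface
## the session enters and the zone of the interface it finally leaves,
## whichever instance owns each of them ----
set security zones security-zone servers interfaces ge-0/0/1.10
set security zones security-zone vpn interfaces st0.1
set security address-book global address SERVERS 10.0.0.0/8
set security address-book global address SITES 172.16.0.0/12
## servers -> security (policy) -> next-table ipsec -> st0.1
set security policies from-zone servers to-zone vpn policy to-sites match source-address SERVERS
set security policies from-zone servers to-zone vpn policy to-sites match destination-address SITES
set security policies from-zone servers to-zone vpn policy to-sites match application any
set security policies from-zone servers to-zone vpn policy to-sites then permit
## st0.1 -> FBF into security -> ge-0/0/1.10 toward the M/MX
set security policies from-zone vpn to-zone servers policy from-sites match source-address SITES
set security policies from-zone vpn to-zone servers policy from-sites match destination-address SERVERS
set security policies from-zone vpn to-zone servers policy from-sites match application any
set security policies from-zone vpn to-zone servers policy from-sites then permit
```

If sessions still vanish, `show security flow session` on the SRX shows the zones a session was actually placed in, which is the first thing to compare against the policy pair above.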


[j-nsp] 100% CPU HIT on EX4200

2013-11-07 Thread Samol
Hi All,

The CPU on an EX4200 runs up to 100% for a period of time and I have not yet found
what caused this. Based on your experiences, what are the things that can
cause this and what are the commands to check this?

Thanks,
Sam


Re: [j-nsp] 100% CPU HIT on EX4200

2013-11-07 Thread Graham Brown
Hi Sam,

'show chassis routing-engine' and 'show system processes extensive' are two
commands to start with, when investigating this issue.

The second command will show you what process is consuming resources etc.

HTH,
Graham


On 8 November 2013 13:51, Samol molas...@gmail.com wrote:

 Hi All,

 CPU on EX4200 run up to 100% for a period of time and I have not yet found
 what caused this. Based on your experiences, what are the things that can
 cause this and what are the commands to check this ?

 Thanks,
 Sam
 ___
 juniper-nsp mailing list juniper-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/juniper-nsp




-- 
Graham Brown
Twitter - @mountainrescuer https://twitter.com/#!/mountainrescuer
LinkedIn http://www.linkedin.com/in/grahamcbrown


Re: [j-nsp] AFL license for EX8200 VirtualChassis

2013-11-07 Thread Giuliano Medalha
Robert,

We had a bad experience buying only EX-XRE200-AFL.

After the installation and after a commit ... the system continued to
ask for the EX8208 licenses, showing warning messages at the console.

We bought the licenses and we needed to install them by hand using the shell ...

The JUNOS version was 12.3R3.

We recommend that you buy them, to be free of log messages at every commit.

But remember that you will need to create the correct files by hand
and install them using vi from the shell only.

If you need more information I can help.

Att,

Giuliano
Giuliano Cardozo Medalha
Systems Engineer
+55 (17) 3011-3811
+55 (17) 8112-5394
JUNIPER J-PARTNER ELITE
giuli...@wztech.com.br
http://www.wztech.com.br/






On Thu, Nov 7, 2013 at 7:08 AM, Robert Hass robh...@gmail.com wrote:
 Hi
 I'm planning to buy AFL licenses for my 2xEX8200 + 2xXRE200
 (VirtualChassis) setup.

 Do you need to buy :

 2 x EX-XRE200-AFL
 2 x EX8208-AFL

 or just is enough as I'm running setup with XRE/VirtualChassis

 2 x EX-XRE200-AFL

 ?

 Rob

Re: [j-nsp] 100% CPU HIT on EX4200

2013-11-07 Thread Ben Dale
You might want to share your Junos version too.

Since it's an EX, follow up Graham's suggestions with:

show log messages (filtered down to times during the event)
show spanning-tree bridge (check Time since last topology change / number of
changes; this is usually a culprit in pegging the CPU)


On 8 Nov 2013, at 10:57 am, Graham Brown juniper-...@grahambrown.info wrote:

 Hi Sam,
 
 'show chassis routing-engine' and 'show system processes extensive' are two
 commands to start with, when investigating this issue.
 
 The second command will show you what process is consuming resources etc.
 
 HTH,
 Graham
 
 
 On 8 November 2013 13:51, Samol molas...@gmail.com wrote:
 
 Hi All,
 
 CPU on EX4200 run up to 100% for a period of time and I have not yet found
 what caused this. Based on your experiences, what are the things that can
 cause this and what are the commands to check this ?
 
 Thanks,
 Sam
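As an added example (not from the thread, Juniper, or any poster), the Python below applies the two checks Graham and Ben suggest to constructed sample output of 'show chassis routing-engine' and of 'show spanning-tree bridge' sampled about a minute apart, flagging a pegged RE CPU and a climbing topology-change counter; the field layout of both commands is assumed from typical Junos output and the thresholds are illustrative.

```python
import re
# Constructed sample of 'show chassis routing-engine' output (not from a real EX4200)
RE_OUTPUT = """Routing Engine status:
  Slot 0:
    CPU utilization:
      User                         87 percent
      Background                    0 percent
      Kernel                       11 percent
      Interrupt                     2 percent
      Idle                          0 percent
"""

# Constructed samples of 'show spanning-tree bridge', taken about a minute apart
STP_T0 = """STP bridge parameters
Context ID                          : 0
  Root ID                           : 32768.00:11:22:33:44:55
  Number of topology changes        : 212
  Time since last topology change   : 3 seconds
"""
STP_T1 = STP_T0.replace(": 212", ": 271")

def cpu_idle_percent(text):
    # Idle CPU percentage of the RE, or None if the line is missing
    m = re.search(r"^\s*Idle\s+(\d+)\s+percent", text, re.M)
    return int(m.group(1)) if m else None

def topology_changes(text):
    # Spanning-tree topology-change counter, or None if absent
    m = re.search(r"Number of topology changes\s*:\s*(\d+)", text)
    return int(m.group(1)) if m else None

def cpu_pegged(text, idle_threshold=10):
    # The RE is effectively saturated when idle drops below the threshold
    idle = cpu_idle_percent(text)
    return idle is not None and idle < idle_threshold

def stp_churn(before, after, max_delta=5):
    # Counter growing by more than max_delta between samples means STP churn
    b, a = topology_changes(before), topology_changes(after)
    return b is not None and a is not None and (a - b) > max_delta

def diagnose(re_text, stp_before, stp_after):
    # Map each positive check to the follow-up command suggested in the thread
    findings = []
    if cpu_pegged(re_text):
        findings.append("RE idle %d%%: run 'show system processes extensive'" % cpu_idle_percent(re_text))
    if stp_churn(stp_before, stp_after):
        findings.append("topology changes %d -> %d: check 'show log messages'" % (topology_changes(stp_before), topology_changes(stp_after)))
    return findings
```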


Re: [j-nsp] AFL license for EX8200 VirtualChassis

2013-11-07 Thread Robert Hass
Any response to your problem from a Juniper SE or JTAC?
It would be good if they confirm that both licenses are required; then we
will just order them.

Rob



[j-nsp] EX8200 EoS / EoL ?

2013-11-07 Thread Robert Hass
Hi
As I would like to buy a bunch of EX8200 + XRE, I have a question: will the EX8200
go EoS or EoL in the near term, as it looks like the EX9200 is a good successor
of this platform?

Can anyone comment whether it is still a good choice to go for the EX8200, or
is it better to spend a few more $$$ on the EX9200?

Rob


Re: [j-nsp] EX8200 EoS / EoL ?

2013-11-07 Thread Giuliano Medalha
Much better to spend more $$$ on the 9200, because it scales to 40G and
100G and because it uses a kind of TRIO ASIC (other name and limited
FIB/RIB only) ... and it is prepared for SDN ... integrated with the QFX5100
... and so on ...
Giuliano Cardozo Medalha
Systems Engineer
+55 (17) 3011-3811
+55 (17) 8112-5394
JUNIPER J-PARTNER ELITE
giuli...@wztech.com.br
http://www.wztech.com.br/

