Re: [j-nsp] can i get junos file from device
It validates the checksums, then stores an installer locally (with the content of the tgz) that will be started at next boot, which will install the OS and store the stuff (mainly to /packages/). On some platforms the new OS is installed to the alternate boot partition (on EX platforms, for example), which will be the active one at next boot.

Usually you use the command with the no-copy option to avoid getting/keeping a useless additional local copy of the tgz archive itself (in /var/tmp/ I guess).

> On 28 June 2017 at 19:21, Aaron Gould wrote:
>
> Thanks Thomasz, well, sort of, I’m wondering if there is a way to upgrade
> Junos from a box that is running the desired version? So I was wondering
> how the following command runs and does the juniper device store that ENTIRE
> file somewhere? if so, then I could copy it off and use it. I was asking
> if when I do the following command, does that juniper device store the whole
> file somewhere, or not?
>
> request system software add validate force-host
> ftp://172.17.143.125/jinstall-acx5k-15.1X54-D61.6-domestic-signed.tgz

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] IPSec on Logical System
I have user Logical System DATALSYS on my SRX where all my production data is flowing with reth10.X as my exit interfaces to each of the partners. All of these units of reth10 belong to PARTNER zone. On my master Logical System resides fxp0 only, no existing Virtual Router, no Zone.

Now I have a new partner Y who requires an IPSec to connect to us. IPSec mandates to configure phase1 and phase2 on the master LS and also mandates the external interface to be in the master LS. I hence then configured reth10.Y on the Master LS, same for the IKE and the IPSec, both in the master LS, and bound it to st0.Y, which is on the other hand in DATALS LS.

My questions are:

1. Is it ok to have interface units on user LS and another or some units of the same physical/reth10 interface sitting on the master LS?
2. Is it required to assign the unit Y (reth10.Y) to a security zone?
3. Can I put my st0.Y Interface into PARTNER zone of DATALS? Or is it practice to create another zone dedicated for the IPSec tunnels?
4. Since all my partners' flows are on DATALS, with the external interface of partner Y sitting in Master LS, do I need to interconnect DATALS to Master using vpls?

Thanks
Re: [j-nsp] can i get junos file from device
Nothing there…

{master:0}
agould@eng-lab-5048-2> file ls /var/sw/pkg/

/var/sw/pkg/:

{master:0}
agould@eng-lab-5048-2> file ls /var/sw/pkg/?
Possible completions:
  <[Enter]>            Execute this command
  Path to list

{master:0}
agould@eng-lab-5048-2> file ls /var/sw/pkg/

/var/sw/pkg/:

{master:0}
agould@eng-lab-5048-2> start shell
% bash
bash: Command not found.
%
% ls -la /var/sw/pkg/
total 8
drwxr-xr-x  2 root  wheel  512 Jun  6  2016 .
drwxr-xr-x  3 root  wheel  512 Jun  6  2016 ..
%

-Aaron Gould
Re: [j-nsp] can i get junos file from device
Hello,

Have a look into /var/sw/pkg:

file list detail /var/sw/pkg

HTH
Thx
Alex

On 28/06/2017 18:21, Aaron Gould wrote:
> Thanks Thomasz, well, sort of, I’m wondering if there is a way to upgrade
> Junos from a box that is running the desired version? So I was wondering
> how the following command runs and does the juniper device store that ENTIRE
> file somewhere? if so, then I could copy it off and use it. I was asking
> if when I do the following command, does that juniper device store the whole
> file somewhere, or not?
>
> request system software add validate force-host
> ftp://172.17.143.125/jinstall-acx5k-15.1X54-D61.6-domestic-signed.tgz
>
> -Aaron Gould
Re: [j-nsp] can i get junos file from device
Thanks Thomasz, well, sort of, I’m wondering if there is a way to upgrade Junos from a box that is running the desired version? So I was wondering how the following command runs and does the juniper device store that ENTIRE file somewhere? if so, then I could copy it off and use it. I was asking if when I do the following command, does that juniper device store the whole file somewhere, or not?

request system software add validate force-host ftp://172.17.143.125/jinstall-acx5k-15.1X54-D61.6-domestic-signed.tgz

-Aaron Gould
Re: [j-nsp] can i get junos file from device
Hello. You want to update Junos?

On Wed, 28.06.2017 at 17:33 Aaron Gould wrote:

> request system software add validate force-host
> ftp://172.17.143.125/jinstall-acx5k-15.1X54-D61.6-domestic-signed.tgz
>
> After issuing that command, does that *entire* file exist on that device
> that it is sent to? Or is the file unpacked and loaded and done away with
> during the install process?
>
> - Aaron Gould
[j-nsp] can i get junos file from device
request system software add validate force-host ftp://172.17.143.125/jinstall-acx5k-15.1X54-D61.6-domestic-signed.tgz

After issuing that command, does that *entire* file exist on that device that it is sent to? Or is the file unpacked and loaded and done away with during the install process?

- Aaron Gould
Re: [j-nsp] cheapest juniper router capable of lsys
I will take a look. I have tested on a number of different versions, but nothing as new as 4.11, only been tracking the shipped kernel with Ubuntu 14.04 and 16.04, in the 3.1 and 4.4 versions respectively, but pulling from upstream and compiling from source instead of Ubuntu src packages.

-C

On 06/28/2017 12:09 AM, Vincent Bernat wrote:
> ❦ 27 June 2017 23:26 -0700, Chris Burton:
>
>> Interesting, in the kernel versions I tested I was not able to get it
>> to work by just passing in the runtime changes to
>> /sys/class/net//bridge/group_fwd_mask, I actually had to make
>> changes to virtual bridge header file and recompile the kernel as
>> there are/were safeguards in place to prevent someone from just making
>> the runtime changes, which makes sense because this is a potentially
>> dangerous change. Recompiling is not a big deal, but would be
>> interested to know which kernel versions you were able to get that to
>> work with just runtime changes as that would save some time.
>
> The different cases are handled here:
> http://elixir.free-electrons.com/linux/v4.11.5/source/net/bridge/br_input.c#L275
>
> fwd_mask_required is not tunable by the user. Unless you are using
> VLAN-aware bridges _and_ QinQ, its value is 0. group_fwd_mask is the
> live value you put in sysfs, so it should work. There is a safeguard
> mechanism to deny acceptance of 01-80-C2-00-00-[00,0B,0C,0D,0F] when
> setting the group_fwd_mask value.
>
> I didn't test recently, but I have used this mechanism in the past for
> LLDP. Which kernel are you using?
Re: [j-nsp] cheapest juniper router capable of lsys
❦ 27 June 2017 23:26 -0700, Chris Burton:

> Interesting, in the kernel versions I tested I was not able to get it
> to work by just passing in the runtime changes to
> /sys/class/net//bridge/group_fwd_mask, I actually had to make
> changes to virtual bridge header file and recompile the kernel as
> there are/were safeguards in place to prevent someone from just making
> the runtime changes, which makes sense because this is a potentially
> dangerous change. Recompiling is not a big deal, but would be
> interested to know which kernel versions you were able to get that to
> work with just runtime changes as that would save some time.

The different cases are handled here:
http://elixir.free-electrons.com/linux/v4.11.5/source/net/bridge/br_input.c#L275

fwd_mask_required is not tunable by the user. Unless you are using VLAN-aware bridges _and_ QinQ, its value is 0. group_fwd_mask is the live value you put in sysfs, so it should work. There is a safeguard mechanism to deny acceptance of 01-80-C2-00-00-[00,0B,0C,0D,0F] when setting the group_fwd_mask value.

I didn't test recently, but I have used this mechanism in the past for LLDP. Which kernel are you using?

--
10.0 times 0.1 is hardly ever 1.0.
- The Elements of Programming Style (Kernighan & Plauger)
Re: [j-nsp] cheapest juniper router capable of lsys
Interesting, in the kernel versions I tested I was not able to get it to work by just passing in the runtime changes to /sys/class/net//bridge/group_fwd_mask, I actually had to make changes to virtual bridge header file and recompile the kernel as there are/were safeguards in place to prevent someone from just making the runtime changes, which makes sense because this is a potentially dangerous change. Recompiling is not a big deal, but would be interested to know which kernel versions you were able to get that to work with just runtime changes as that would save some time.

Cheers,

-C

On 06/27/2017 11:05 PM, Vincent Bernat wrote:
> ❦ 27 June 2017 22:40 -0700, Chris Burton:
>
>> Also, if you use KVM and linux bridge you can bypass the issues with
>> the bridges not forwarding LLDP and LACP traffic, but you have to be
>> willing to dive into modifying certain parts of the virtual bridge
>> network drivers and compile your own custom kernel, as by standards
>> bridges are not supposed to forward the traffic related to LACP and
>> LLDP. I have also heard that this can be bypassed by using Open
>> vSwitch, but I have not tested that. The only items I have not yet
>> been able to get working are related to Ethernet OAM, but so far
>> everything else I have tested has worked either directly or with some
>> modification.
>
> On Linux, you can tell the bridge to let LLDP and LACP traffic pass
> without recompiling. This is done by altering the value of
> /sys/class/net/brXX/bridge/group_fwd_mask. To let LLDP pass, you need to
> put 0x4000 in it. For LACP, this is 0x4. So 0x4004 should let both of
> them pass the bridge.
Re: [j-nsp] cheapest juniper router capable of lsys
❦ 27 June 2017 22:40 -0700, Chris Burton:

> Also, if you use KVM and linux bridge you can bypass the issues with
> the bridges not forwarding LLDP and LACP traffic, but you have to be
> willing to dive into modifying certain parts of the virtual bridge
> network drivers and compile your own custom kernel, as by standards
> bridges are not supposed to forward the traffic related to LACP and
> LLDP. I have also heard that this can be bypassed by using Open
> vSwitch, but I have not tested that. The only items I have not yet
> been able to get working are related to Ethernet OAM, but so far
> everything else I have tested has worked either directly or with some
> modification.

On Linux, you can tell the bridge to let LLDP and LACP traffic pass without recompiling. This is done by altering the value of /sys/class/net/brXX/bridge/group_fwd_mask. To let LLDP pass, you need to put 0x4000 in it. For LACP, this is 0x4. So 0x4004 should let both of them pass the bridge.

--
Don't stop at one bug.
- The Elements of Programming Style (Kernighan & Plauger)
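
The mask values quoted in this thread follow one rule: bit N of group_fwd_mask covers frames sent to the reserved address 01-80-C2-00-00-0N. The script below is an added example, not code from any poster; it builds a mask from address octets, decodes a mask back into the addresses it forwards, and lists bridges whose mask is non-zero so a host can be reviewed for forwarded link-local control traffic. The function names and the ROOT parameter are assumptions made for illustration, and the protocol labels come from the IEEE 802.1D reserved address table.

```shell
#!/bin/sh
# Added example (not from the thread): bit N of group_fwd_mask controls
# forwarding of frames sent to the reserved address 01-80-C2-00-00-0N.

# mask_for OCTET...: build a mask from last octets in hex (0E = LLDP, 02 = LACP).
mask_for() {
    m=0
    for octet in "$@"; do
        m=$(( $m | (1 << 0x$octet) ))
    done
    printf '0x%x\n' "$m"
}

# decode_mask MASK: print one line per reserved address the mask forwards.
decode_mask() {
    mask=$(( $1 ))
    bit=0
    while [ "$bit" -le 15 ]; do
        if [ $(( $mask & (1 << $bit) )) -ne 0 ]; then
            case $bit in
                0)  name="Bridge Group Address (STP)" ;;
                1)  name="802.3 MAC Control (pause)" ;;
                2)  name="802.3 Link Aggregation (LACP)" ;;
                3)  name="802.1X PAE" ;;
                14) name="802.1AB LLDP" ;;
                *)  name="reserved" ;;
            esac
            printf '01-80-C2-00-00-%02X %s\n' "$bit" "$name"
        fi
        bit=$(( $bit + 1 ))
    done
}

# audit_bridges [ROOT]: report every bridge under ROOT with a non-zero mask.
# ROOT defaults to /sys/class/net; the parameter is an assumption of this
# example so that a constructed directory tree can stand in for sysfs.
audit_bridges() {
    root=${1:-/sys/class/net}
    for f in "$root"/*/bridge/group_fwd_mask; do
        [ -r "$f" ] || continue
        val=$(cat "$f")
        [ $(( $val )) -ne 0 ] || continue
        br=${f#"$root"/}
        printf '%s group_fwd_mask=%s\n' "${br%%/*}" "$val"
        decode_mask "$val" | sed 's/^/  /'
    done
}

audit_bridges   # prints nothing when no bridge has a non-zero mask
```
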