Re: [j-nsp] can i get junos file from device

2017-06-28 Thread Olivier Benghozi
It validates the checksums, then stores an installer locally (with the content 
of the tgz) that will be started at next boot, which will install the OS and 
store the stuff (mainly to /packages/). On some platforms the new OS is 
installed to the alternate boot partition (on EX platforms for example), which 
will be the active one at next boot.

Usually you use the command with the no-copy option to avoid getting/keeping a 
useless additional local copy of the tgz archive itself (in /var/tmp/ I guess).

> On 28 June 2017 at 19:21, Aaron Gould wrote:
> 
> Thanks Tomasz, well, sort of, I’m wondering if there is a way to upgrade 
> Junos from a box that is running the desired version? So I was wondering 
> how the following command runs and does the Juniper device store that ENTIRE 
> file somewhere? If so, then I could copy it off and use it. I was asking 
> if, when I do the following command, does that Juniper device store the whole 
> file somewhere, or not?
> 
> request system software add validate force-host 
> ftp://172.17.143.125/jinstall-acx5k-15.1X54-D61.6-domestic-signed.tgz
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

[j-nsp] IPSec on Logical System

2017-06-28 Thread Network Geek
I have a user Logical System DATALSYS on my SRX where all my production data
is flowing, with reth10.X as my exit interfaces to each of the partners. All
of these units of reth10 belong to the PARTNER zone.

On my master Logical System resides fxp0 only, no existing Virtual Router,
no Zone.

Now I have a new partner Y who requires an IPSec to connect to us.
IPSec mandates to configure phase1 and phase2 on the master LS and also
mandates the external interface to be in the master LS.

I hence configured reth10.Y on the master LS, and likewise the IKE and the
IPSec, both in the master LS, and bound it to st0.Y, which on the other hand
is in the DATALS LS.

My questions are:
1. Is it ok to have interface units on a user LS and another or some
units of the same physical/reth10 interface sitting on the master LS?

2. Is it required to assign the unit Y (reth10.Y) to a security zone?

3. Can I put my st0.Y interface into the PARTNER zone of DATALS? Or is it
the practice to create another zone dedicated to the IPSec tunnels?

4. Since all my partners' flows are on DATALS, with the external interface
of partner Y sitting in Master LS, do I need to interconnect DATALS to
Master using vpls?

Thanks


Re: [j-nsp] can i get junos file from device

2017-06-28 Thread Aaron Gould
Nothing there…

{master:0}
agould@eng-lab-5048-2> file ls /var/sw/pkg/

/var/sw/pkg/:

{master:0}
agould@eng-lab-5048-2> file ls /var/sw/pkg/?
Possible completions:
  <[Enter]>Execute this command
 Path to list
{master:0}
agould@eng-lab-5048-2> file ls /var/sw/pkg/

/var/sw/pkg/:

{master:0}
agould@eng-lab-5048-2> start shell
% bash
bash: Command not found.
%
% ls -la /var/sw/pkg/
total 8
drwxr-xr-x  2 root  wheel  512 Jun  6  2016 .
drwxr-xr-x  3 root  wheel  512 Jun  6  2016 ..
%

-Aaron Gould


Re: [j-nsp] can i get junos file from device

2017-06-28 Thread Alexander Arseniev

Hello,

Have a look into /var/sw/pkg:

file list detail /var/sw/pkg

HTH
Thx
Alex

On 28/06/2017 18:21, Aaron Gould wrote:

Thanks Tomasz, well, sort of, I’m wondering if there is a way to upgrade Junos 
from a box that is running the desired version? So I was wondering how the 
following command runs and does the Juniper device store that ENTIRE file 
somewhere? If so, then I could copy it off and use it. I was asking if, when 
I do the following command, does that Juniper device store the whole file 
somewhere, or not?

request system software add validate force-host 
ftp://172.17.143.125/jinstall-acx5k-15.1X54-D61.6-domestic-signed.tgz

-Aaron Gould


Re: [j-nsp] can i get junos file from device

2017-06-28 Thread Aaron Gould
Thanks Tomasz, well, sort of, I’m wondering if there is a way to upgrade Junos 
from a box that is running the desired version? So I was wondering how the 
following command runs and does the Juniper device store that ENTIRE file 
somewhere? If so, then I could copy it off and use it. I was asking if, when 
I do the following command, does that Juniper device store the whole file 
somewhere, or not?

request system software add validate force-host 
ftp://172.17.143.125/jinstall-acx5k-15.1X54-D61.6-domestic-signed.tgz

-Aaron Gould


Re: [j-nsp] can i get junos file from device

2017-06-28 Thread Tomasz Mikołajek
Hello. You want to update Junos?

On Wed., 28.06.2017 at 17:33 Aaron Gould wrote:

> request system software add validate force-host
> ftp://172.17.143.125/jinstall-acx5k-15.1X54-D61.6-domestic-signed.tgz
>
>
>
> …after issuing that command, does that *entire* file exist on that device
> that it is sent to? …or is the file unpacked and loaded and done away with
> during the install process?
>
>
>
> - Aaron Gould
>

[j-nsp] can i get junos file from device

2017-06-28 Thread Aaron Gould
request system software add validate force-host
ftp://172.17.143.125/jinstall-acx5k-15.1X54-D61.6-domestic-signed.tgz

 

…after issuing that command, does that *entire* file exist on that device
that it is sent to? …or is the file unpacked and loaded and done away with
during the install process?

- Aaron Gould



Re: [j-nsp] cheapest juniper router capable of lsys

2017-06-28 Thread Chris Burton
I will take a look.  I have tested on a number of different versions, 
but nothing as new as 4.11, only been tracking the shipped kernel with 
Ubuntu 14.04 and 16.04, in the 3.1 and 4.4 versions respectively, but 
pulling from upstream and compiling from source instead of Ubuntu src 
packages.


-C


On 06/28/2017 12:09 AM, Vincent Bernat wrote:

  ❦ 27 June 2017 23:26 -0700, Chris Burton:


Interesting, in the kernel versions I tested I was not able to get it
to work by just passing in the runtime changes to
/sys/class/net//bridge/group_fwd_mask, I actually had to make
changes to virtual bridge header file and recompile the kernel as
there are/were safeguards in place to prevent someone from just making
the runtime changes, which makes sense because this is a potentially
dangerous change.  Recompiling is not a big deal, but would be
interested to know which kernel versions you were able to get that to
work with just runtime changes as that would save some time.

The different cases are handled here:
http://elixir.free-electrons.com/linux/v4.11.5/source/net/bridge/br_input.c#L275

fwd_mask_required is not tunable by the user. Unless you are using
VLAN-aware bridges _and_ QinQ, its value is 0. group_fwd_mask is the
live value you put in sysfs, so it should work. There is a safeguard
mechanism to deny acceptance of 01-80-C2-00-00-[00,0B,0C,0D,0F] when
setting the group_fwd_mask value.

I didn't test recently, but I have used this mechanism in the past for
LLDP. Which kernel are you using?



Re: [j-nsp] cheapest juniper router capable of lsys

2017-06-28 Thread Vincent Bernat
 ❦ 27 June 2017 23:26 -0700, Chris Burton:

> Interesting, in the kernel versions I tested I was not able to get it
> to work by just passing in the runtime changes to
> /sys/class/net//bridge/group_fwd_mask, I actually had to make
> changes to virtual bridge header file and recompile the kernel as
> there are/were safeguards in place to prevent someone from just making
> the runtime changes, which makes sense because this is a potentially
> dangerous change.  Recompiling is not a big deal, but would be
> interested to know which kernel versions you were able to get that to
> work with just runtime changes as that would save some time.

The different cases are handled here:
http://elixir.free-electrons.com/linux/v4.11.5/source/net/bridge/br_input.c#L275

fwd_mask_required is not tunable by the user. Unless you are using
VLAN-aware bridges _and_ QinQ, its value is 0. group_fwd_mask is the
live value you put in sysfs, so it should work. There is a safeguard
mechanism to deny acceptance of 01-80-C2-00-00-[00,0B,0C,0D,0F] when
setting the group_fwd_mask value.

I didn't test recently, but I have used this mechanism in the past for
LLDP. Which kernel are you using?
-- 
10.0 times 0.1 is hardly ever 1.0.
- The Elements of Programming Style (Kernighan & Plauger)

Re: [j-nsp] cheapest juniper router capable of lsys

2017-06-28 Thread Chris Burton
Interesting, in the kernel versions I tested I was not able to get it to 
work by just passing in the runtime changes to 
/sys/class/net//bridge/group_fwd_mask, I actually had to make 
changes to virtual bridge header file and recompile the kernel as there 
are/were safeguards in place to prevent someone from just making the 
runtime changes, which makes sense because this is a potentially 
dangerous change.  Recompiling is not a big deal, but would be 
interested to know which kernel versions you were able to get that to 
work with just runtime changes as that would save some time.


Cheers,

-C


On 06/27/2017 11:05 PM, Vincent Bernat wrote:

  ❦ 27 June 2017 22:40 -0700, Chris Burton:


Also, if you use KVM and linux bridge you can bypass the issues with
the bridges not forwarding LLDP and LACP traffic, but you have to be
willing to dive into modifying certain parts of the virtual bridge
network drivers and compile your own custom kernel, as by standards
bridges are not supposed to forward the traffic related to LACP and
LLDP.  I have also heard that this can be bypassed by using Open
vSwitch, but I have not tested that.  The only items I have not yet
been able to get working are related to Ethernet OAM, but so far
everything else I have tested has worked either directly or with some
modification.

On Linux, you can tell the bridge to let LLDP and LACP traffic without
recompiling. This is done by altering the value of
/sys/class/net/brXX/bridge/group_fwd_mask. To let LLDP pass, you need to
put 0x4000 in it. For LACP, this is 0x4. So 0x4004 should let both of
them pass the bridge.



Re: [j-nsp] cheapest juniper router capable of lsys

2017-06-28 Thread Vincent Bernat
 ❦ 27 June 2017 22:40 -0700, Chris Burton:

> Also, if you use KVM and linux bridge you can bypass the issues with
> the bridges not forwarding LLDP and LACP traffic, but you have to be
> willing to dive into modifying certain parts of the virtual bridge
> network drivers and compile your own custom kernel, as by standards
> bridges are not supposed to forward the traffic related to LACP and
> LLDP.  I have also heard that this can be bypassed by using Open
> vSwitch, but I have not tested that.  The only items I have not yet
> been able to get working are related to Ethernet OAM, but so far
> everything else I have tested has worked either directly or with some
> modification.

On Linux, you can tell the bridge to let LLDP and LACP traffic without
recompiling. This is done by altering the value of
/sys/class/net/brXX/bridge/group_fwd_mask. To let LLDP pass, you need to
put 0x4000 in it. For LACP, this is 0x4. So 0x4004 should let both of
them pass the bridge.
-- 
Don't stop at one bug.
- The Elements of Programming Style (Kernighan & Plauger)
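The group_fwd_mask mechanism Vincent describes above (0x4000 for LLDP, 0x4 for LACP, 0x4004 for both) together with the guarded addresses 01-80-C2-00-00-[00,0B,0C,0D,0F] he mentions in his earlier reply, as an added shell example that is not from the thread: it derives the mask from the last octet of each 01-80-C2-00-00-XX address you want forwarded, refuses the five octets the thread names as guarded (treated here as a deny list by assumption; the kernel's own check remains the authority), and writes the result to sysfs. The helper names and the bridge name br0 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: compute a Linux bridge group_fwd_mask
# from 01-80-C2-00-00-XX group addresses and write it to sysfs.

# Last octets the thread says the kernel guards: 00, 0B, 0C, 0D, 0F.
# Assumption: handled here as a hard deny list before touching sysfs.
DENIED_MASK=$(( (1 << 0x00) | (1 << 0x0b) | (1 << 0x0c) | (1 << 0x0d) | (1 << 0x0f) ))

# group_fwd_mask_for XX [XX...]: each XX is the last octet (hex) of
# 01-80-C2-00-00-XX, e.g. 0e for LLDP, 02 for LACP. Prints the mask as
# 0x... and returns 1 if any requested address is in the deny list.
group_fwd_mask_for() {
    mask=0
    for octet in "$@"; do
        bit=$(( 1 << 0x$octet ))          # bit N of the mask = address XX=N
        if [ $(( bit & DENIED_MASK )) -ne 0 ]; then
            echo "refusing 01-80-C2-00-00-$octet: guarded group address" >&2
            return 1
        fi
        mask=$(( mask | bit ))
    done
    printf '0x%x\n' "$mask"
}

# set_group_fwd_mask BRIDGE XX [XX...]: compute the mask and write it to
# /sys/class/net/BRIDGE/bridge/group_fwd_mask (needs root, bridge must exist).
set_group_fwd_mask() {
    br=$1; shift
    mask=$(group_fwd_mask_for "$@") || return 1
    printf '%s\n' "$mask" > "/sys/class/net/$br/bridge/group_fwd_mask"
}

# Typical call from the thread's scenario (assumed bridge name br0):
#   set_group_fwd_mask br0 0e 02      # LLDP + LACP -> 0x4004
```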