Re: [j-nsp] Simple v4 vs v6 traffic measurement

2017-10-31 Thread Tim St. Pierre
Cool.  I made up the filters and counters, and I can see them with
"show firewall counter customer-v4-down filter res-out-4", for example.


Now I just need to install the firewall MIB for Cacti.

Thanks!


On 2017-10-31 04:50 PM, Saku Ytti wrote:

> Hey Tim,
>
> > Can anyone suggest a simple way to measure interface traffic by address
> > family?  Currently, I'm measuring interface traffic using SNMP queries and
> > just grabbing the in / out bit byte counters.
>
> One way would be to create firewall filter with counter for both AFIs.
> Filter counters are SNMP gettable.



-- 
Tim St. Pierre
System Operator
Communicate Freely
289-225-1220 x5101

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Simple v4 vs v6 traffic measurement

2017-10-31 Thread Daniel Verlouw
Tim,

On Tue, Oct 31, 2017 at 9:00 PM, Tim St. Pierre wrote:
> Can anyone suggest a simple way to measure interface traffic by address
> family?  Currently, I'm measuring interface traffic using SNMP queries and
> just grabbing the in / out bit byte counters.

check out 
https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/forwarding-class-accounting-edit-interfaces.html
(only on MX/MPC)
IIRC there's a separate MIB too.

  --Daniel.


Re: [j-nsp] MACsec over a service provider

2017-10-31 Thread Tim Jackson
I've done 1g MACSEC over l2circuit or ccc just fine.. You can even do stuff
like get an MX104 with a 20G MIC that supports MACSEC, loop a 1g port back
into itself, carry that EoMPLS over a GRE tunnel w/ inline frag/re-assembly
and do "encrypted" VPN using a pair of MX104s..

--
Tim

On Tue, Oct 31, 2017 at 3:49 PM, Chuck Anderson  wrote:

> My testing has revealed that it works, as long as the service provider
> (MX) is doing something like e-line/l2circuit/CCC rather than bridging.  I
> even got it to work with ethernet-ccc on the MX port facing the EX4300 and
> vlan-ccc on the MX port facing the core/WAN.
>
> However I've now run into an issue where I can only get a single MACsec
> connection working on the EX4300's.  As soon as I add a 2nd one, it fails
> to come up.  If I then reboot, neither one comes up.  If I deactivate the
> 2nd one, the 1st one comes up.
>
> On Tue, Oct 31, 2017 at 07:30:35PM +, Nick Cutting wrote:
> > I am also interested in this - my carriers keep saying "try it"
> >
> > I have the config now - still have not tested - but I'm moving many of
> my customer P2P links (hosted by carriers) to nexus switches that don't
> support macsec.
> >
> > Is anyone in the enterprise doing this over e-line services?
> >
> > -Original Message-
> > From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On
> Behalf Of Chuck Anderson
> > Sent: Friday, October 27, 2017 9:39 PM
> > To: juniper-nsp@puck.nether.net
> > Subject: Re: [j-nsp] MACsec over a service provider
> >
> > Destination MAC 01:80:c2:00:00:03, EtherType 0x888e (ieee8021x) is eaten
> by the PE router (MX480).  I'm not sure about the ASR9k at the other end of
> the production scenario--it may have the same trouble.
> >
> > My lab is like this, with the EX2200 substituting for the ASR9k.  The
> idea is to have MACsec between the EX4300s, with the middle being
> transparent to it.
> >
> > I got this working:
> >
> > EX4300---EX2200---EX4300
> >
> > For the EX2200, I had to configure layer2-protocol-tunneling to allow
> the EAPOL 802.1x through:
> >
> > vlans {
> >     MACSEC-TRANSPORT {
> >         vlan-id 10;
> >         ##
> >         ## Warning: requires 'dot1q-tunneling' license
> >         ##
> >         dot1q-tunneling {
> >             layer2-protocol-tunneling {
> >                 all;
> >             }
> >         }
> >     }
> > }
> >
> > MACsec comes up fine on both EX4300s and I can ping between them.
> >
> >
> > But this fails:
> >
> > EX4300---EX2200---MX480---EX4300
> >
> > I'm doing simple bridging through the MX, but the MX doesn't support the
> mac-rewrite needed (ieee8021x).  Anyone have any clever ideas to work
> around that limitation?
> >
> > On Fri, Oct 27, 2017 at 05:40:57PM +0300, Elijah Zhuravlev wrote:
> > > Hello
> > >
> > > Ethertypes 0x888e and 0x88e5 should be supported by the switching hw,
> > > no other special requirements.
> > > Btw keep in mind the MACsec overhead, +32.
> > >
> > > regards, Eli
> > >
> > > On Fri, 27 Oct 2017 10:23:01 -0400
> > > Chuck Anderson  wrote:
> > >
> > > > Has anyone been able to run MACsec over a service provider's
> > > > Ethernet Private Line (or even just a 802.1q vlan)?  I'm looking at
> > > > using 10gig ports on the EX4300 or the EX4600/QFX5100-24Q with the
> > > > MACsec uplink module.
>


Re: [j-nsp] Simple v4 vs v6 traffic measurement

2017-10-31 Thread Saku Ytti
Hey Tim,

> Can anyone suggest a simple way to measure interface traffic by address
> family?  Currently, I'm measuring interface traffic using SNMP queries and
> just grabbing the in / out bit byte counters.

One way would be to create firewall filter with counter for both AFIs.
Filter counters are SNMP gettable.

-- 
  ++ytti
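Saku's suggestion above, and the counters Tim reports polling in his follow-up, worked through as an added example. This configuration is mine, not something posted in the thread; the interface name and the filter and counter names are placeholders. Each address family gets its own filter with a single count-and-accept term, applied in both directions. The 'interface-specific' knob lets one filter serve every interface by suffixing the filter and counter names with the logical interface and direction (of the form COUNT-V4-ge-0/0/0.0-i and v4-ge-0/0/0.0-i; confirm the exact names with "show firewall"). The SNMP side is JUNIPER-FIREWALL-MIB: jnxFirewallCounterTable, indexed by filter name, counter name and counter type, with jnxFWCounterPacketCount and jnxFWCounterByteCount.

```junos
firewall {
    family inet {
        filter COUNT-V4 {
            interface-specific;      /* one filter, separate counters per interface and direction */
            term count-all {
                then {
                    count v4;        /* shows up as v4-<ifl>-i (input) or v4-<ifl>-o (output) */
                    accept;          /* required: a Junos filter ends in an implicit discard */
                }
            }
        }
    }
    family inet6 {
        filter COUNT-V6 {
            interface-specific;
            term count-all {
                then {
                    count v6;
                    accept;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {                       /* placeholder customer-facing port */
        unit 0 {
            family inet {
                filter {
                    input COUNT-V4;
                    output COUNT-V4;
                }
            }
            family inet6 {
                filter {
                    input COUNT-V6;
                    output COUNT-V6;
                }
            }
        }
    }
}
```

Two things a practitioner will want to check before committing this on a production edge. First, the accept is not optional: a filter whose only term counts without accepting blackholes the interface the moment it is applied. Second, only one filter per family and direction is applied to a unit, so if the port already carries an edge filter (anti-spoofing, RTBH, a customer ACL) do not overwrite it with COUNT-V4; either add "count" to the existing filter's terms or chain both with "filter input-list [ EXISTING-FILTER COUNT-V4 ]" and "output-list". Verify with "show firewall filter COUNT-V4-ge-0/0/0.0-i" and "show snmp mib walk jnxFirewallCounterTable" before pointing Cacti at it.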


Re: [j-nsp] MACsec over a service provider

2017-10-31 Thread Chuck Anderson
My testing has revealed that it works, as long as the service provider (MX) is 
doing something like e-line/l2circuit/CCC rather than bridging.  I even got it 
to work with ethernet-ccc on the MX port facing the EX4300 and vlan-ccc on the 
MX port facing the core/WAN.

However I've now run into an issue where I can only get a single MACsec 
connection working on the EX4300's.  As soon as I add a 2nd one, it fails to 
come up.  If I then reboot, neither one comes up.  If I deactivate the 2nd one, 
the 1st one comes up.

On Tue, Oct 31, 2017 at 07:30:35PM +, Nick Cutting wrote:
> I am also interested in this - my carriers keep saying "try it"
> 
> I have the config now - still have not tested - but I'm moving many of my 
> customer P2P links (hosted by carriers) to nexus switches that don't support 
> macsec.
> 
> Is anyone in the enterprise doing this over e-line services? 
> 
> -Original Message-
> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of 
> Chuck Anderson
> Sent: Friday, October 27, 2017 9:39 PM
> To: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] MACsec over a service provider
> 
> Destination MAC 01:80:c2:00:00:03, EtherType 0x888e (ieee8021x) is eaten by 
> the PE router (MX480).  I'm not sure about the ASR9k at the other end of the 
> production scenario--it may have the same trouble.
> 
> My lab is like this, with the EX2200 substituting for the ASR9k.  The idea is 
> to have MACsec between the EX4300s, with the middle being transparent to it.
> 
> I got this working:
> 
> EX4300---EX2200---EX4300
> 
> For the EX2200, I had to configure layer2-protocol-tunneling to allow the 
> EAPOL 802.1x through:
> 
> vlans {
>     MACSEC-TRANSPORT {
>         vlan-id 10;
>         ##
>         ## Warning: requires 'dot1q-tunneling' license
>         ##
>         dot1q-tunneling {
>             layer2-protocol-tunneling {
>                 all;
>             }
>         }
>     }
> }
> 
> MACsec comes up fine on both EX4300s and I can ping between them.
> 
> 
> But this fails:
> 
> EX4300---EX2200---MX480---EX4300
> 
> I'm doing simple bridging through the MX, but the MX doesn't support the 
> mac-rewrite needed (ieee8021x).  Anyone have any clever ideas to work around 
> that limitation?
> 
> On Fri, Oct 27, 2017 at 05:40:57PM +0300, Elijah Zhuravlev wrote:
> > Hello
> > 
> > Ethertypes 0x888e and 0x88e5 should be supported by the switching hw, 
> > no other special requirements.
> > Btw keep in mind the MACsec overhead, +32.
> > 
> > regards, Eli
> > 
> > On Fri, 27 Oct 2017 10:23:01 -0400
> > Chuck Anderson  wrote:
> > 
> > > Has anyone been able to run MACsec over a service provider's 
> > > Ethernet Private Line (or even just a 802.1q vlan)?  I'm looking at 
> > > using 10gig ports on the EX4300 or the EX4600/QFX5100-24Q with the 
> > > MACsec uplink module.
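An added example of the EX4300 side of the setup Chuck describes: a static-CAK connectivity association on each end of the provider circuit. This is my configuration, not one posted by anyone in the thread; the interface name and the CKN/CAK values are placeholders (generate the real CAK from a proper random source and use a distinct one per link). It also ties together the two wire-level facts the thread turns on. MKA runs over EAPOL (EtherType 0x888e) addressed to 01:80:C2:00:00:03, the Nearest non-TPMR Bridge group address, which a standards-conformant bridge must not forward; that is exactly why a bridged service on the MX eats it and why a port-based CCC/l2circuit service, or L2PT as on the EX2200, is needed. Once the session is up, data frames carry EtherType 0x88e5 with a SecTAG and a 16-byte ICV; with include-sci the SecTAG is 16 bytes, which is Eli's +32 (24 without the SCI), so the provider path MTU has to have that headroom.

```junos
security {
    macsec {
        connectivity-association CA-PROVIDER-WAN {
            security-mode static-cak;
            cipher-suite gcm-aes-128;      /* default, listed for clarity */
            include-sci;                   /* 16-byte SecTAG + 16-byte ICV = +32 bytes per frame */
            replay-protect {
                replay-window-size 0;      /* strict ordering; widen only if the carrier reorders */
            }
            pre-shared-key {
                /* placeholders: CKN up to 64 hex digits, CAK 32 hex digits for a 128-bit key */
                ckn 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef;
                cak 00112233445566778899aabbccddeeff;
            }
            mka {
                key-server-priority 1;     /* lower wins; give the far end a higher value, e.g. 10 */
                transmit-interval 2000;    /* MKA hello interval in milliseconds */
            }
        }
        interfaces {
            xe-0/2/0 {                     /* placeholder uplink toward the carrier */
                connectivity-association CA-PROVIDER-WAN;
            }
        }
    }
}
```

Apply the same CA on the far EX4300 with only the key-server-priority changed, then check "show security mka sessions" (the MKA peer must appear before anything is encrypted), "show security macsec connections" and "show security macsec statistics interface xe-0/2/0". If MKA never sees a peer, the EAPOL frames are being dropped in the middle; that is the symptom of the bridged MX case in the thread, not a key mismatch.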


[j-nsp] Simple v4 vs v6 traffic measurement

2017-10-31 Thread Tim St. Pierre

Hello,

Can anyone suggest a simple way to measure interface traffic by address 
family?  Currently, I'm measuring interface traffic using SNMP queries 
and just grabbing the in / out bit byte counters.


I would like to somehow measure the amount of IPv4 and IPv6 traffic 
separately, mostly to see how well our customer uptake is on the v6 side 
of things.  Without getting into traffic sampling (may try that another 
day), is there a simple way to set a counter by address family on an 
interface?


I'm mostly working with MX, but have one M10i in there too.

Thanks!

-Tim

-- 
Tim St. Pierre
System Operator
Communicate Freely
289-225-1220 x5101



[j-nsp] MPC5EQ Feedback?

2017-10-31 Thread Scott Harvanek
Hey folks,

We have some MX480s we need to add queuing capable 10G/40G ports to and it 
looks like MPC5EQ-40G10G is going to be our most cost effective solution.  Has 
anyone run into any limitations with these MPCs that aren’t clearly documented?

We intend to use them for L3/VLAN traffic w/ CoS/Shaping.  Currently we’re 
doing that on MPC2E NG Qs w/ 10XGE-SFPP MICs , any reason we couldn’t do the 
same on this along with the adding of the 40G ports? Any Layer3 limitations or 
the normal 2MM/6MM FIB/RIB?

Scott H

