Re: [j-nsp] BGP PIC for inet6

2017-11-21 Thread Jay Ford

Thanks for that.

By the way, this seems to work also, which is more consistent between IPv4 & 
IPv6:


   set routing-options rib inet.0 protect core
   set routing-options rib inet6.0 protect core


Jay Ford, Network Engineering, University of Iowa

On Tue, 21 Nov 2017, david@orange.com wrote:

For ipv6

set routing-options rib inet6.0 protect core

For ipv4

set routing-options protect core

David Roy
IP/MPLS NOC engineer - Orange France
Ph. : +33 2 99 28 57 66
Mob. : +33 6 85 52 22 13
SkypeID : davidroy.35
david@orange.com
 
JNCIE x3 (SP #703 ; ENT #305 ; SEC #144)


-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Jay 
Ford
Sent: Tuesday, 21 November 2017 22:07
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] BGP PIC for inet6

There is Juniper documentation acknowledging the use case of BGP PIC for inet & 
inet6 unicast, but I can't find a way to enable it for inet6 at Junos 16.2R2.8.  
Pointers to how to do so would be cool, but confirmation that it isn't supported 
(yet) would also be appreciated.


Jay Ford, Network Engineering, University of Iowa

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] BGP PIC for inet6

2017-11-21 Thread david.roy
Hello

For ipv6

set routing-options rib inet6.0 protect core

For ipv4 

set routing-options protect core



David Roy 
IP/MPLS NOC engineer - Orange France
Ph. : +33 2 99 28 57 66
Mob. : +33 6 85 52 22 13
SkypeID : davidroy.35
david@orange.com
 
JNCIE x3 (SP #703 ; ENT #305 ; SEC #144)


-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Jay 
Ford
Sent: Tuesday, 21 November 2017 22:07
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] BGP PIC for inet6

There is Juniper documentation acknowledging the use case of BGP PIC for inet & 
inet6 unicast, but I can't find a way to enable it for inet6 at Junos 16.2R2.8. 
 Pointers to how to do so would be cool, but confirmation that it isn't 
supported (yet) would also be appreciated.


Jay Ford, Network Engineering, University of Iowa 


[j-nsp] BGP PIC for inet6

2017-11-21 Thread Jay Ford
There is Juniper documentation acknowledging the use case of BGP PIC for inet 
& inet6 unicast, but I can't find a way to enable it for inet6 at Junos 
16.2R2.8.  Pointers to how to do so would be cool, but confirmation that it 
isn't supported (yet) would also be appreciated.



Jay Ford, Network Engineering, University of Iowa


Re: [j-nsp] EX3400 or EX4600, and HPE FlexFabric-20/40, QSFP+ DAC's

2017-11-21 Thread Chuck Anderson
On Tue, Nov 21, 2017 at 06:28:07AM -0800, Emille Blanc wrote:
> Hello folks,
> 
> Trudging through the woes that are cross-vendor compatibility issues, and 
> failing completely at getting a link between an EX3400 or EX4600, and an HPE 
> FlexFabric-20/40 F8 card in our c7000 enclosure using an HPE branded QSFP+ 
> 3mtr DAC.  That is to say, Juniper on one side, HPE on the other.
> As an added bonus, the HPE module seems to be allergic to Juniper's QSFP 
> completely.
> 
> After the inevitable "It's not us, it's them" back-and-forth between JTAC and 
> HPE Support, I'm looking for any success (or failure) stories from the 
> community.
> 
> We've been testing with a pair of HPE DACs, and they each work fine when we 
> loop it to two QSFP+ slots in the same chassis/module.
> 
> Has anyone been successful in making such a connection in the wild?

Buy cheap QSFP+ optics and use fiber?


Re: [j-nsp] EX3400 or EX4600, and HPE FlexFabric-20/40, QSFP+ DAC's

2017-11-21 Thread Emille Blanc
Hello folks,

Trudging through the woes that are cross-vendor compatibility issues, and 
failing completely at getting a link between an EX3400 or EX4600, and an HPE 
FlexFabric-20/40 F8 card in our c7000 enclosure using an HPE branded QSFP+ 3mtr 
DAC.  That is to say, Juniper on one side, HPE on the other.
As an added bonus, the HPE module seems to be allergic to Juniper's QSFP 
completely.

After the inevitable "It's not us, it's them" back-and-forth between JTAC and 
HPE Support, I'm looking for any success (or failure) stories from the 
community.

We've been testing with a pair of HPE DACs, and they each work fine when we 
loop it to two QSFP+ slots in the same chassis/module.

Has anyone been successful in making such a connection in the wild?

Thanks!


Re: [j-nsp] Syslog getting spammed by DDOS_PROTOCOL_VIOLATION_SET

2017-11-21 Thread Luis Balbinot
Sorry, I meant the opposite (i.e. the defaults are too high).

One that is especially high is the IGMP at 20k. Multicast loops on
large layer-2 fabrics (IXPs) will bring down first-gen Trios very
easily (can't say the same for the newer ones up to Eagle).

On Tue, Nov 21, 2017 at 10:19 AM, Saku Ytti wrote:
> On 21 November 2017 at 14:12, Luis Balbinot wrote:
>
>> The DDoS protection factory defaults are very low in some cases. The
>> Juniper MX Series book has a nice chapter on that.
>
> Do you have an example? Most of them are like 20kpps, which is more
> than you need to congest the built-in NPU=>PFE_CPU policer. I.e. they
> are massively too large out-of-the-box.
>
> I doubt anyone has configured them to sensible values, as it would be
> hundreds of lines of ddos-protection config, as you cannot set default
> values which apply to all of them and then more-specific ones to the
> ones you care. Correct configuration needs to manually configure each
> and every one, those which you don't need, as low as you want, like
> 10pps.
>
>
> --
>   ++ytti


Re: [j-nsp] Syslog getting spammed by DDOS_PROTOCOL_VIOLATION_SET

2017-11-21 Thread Saku Ytti
On 21 November 2017 at 14:12, Luis Balbinot wrote:

> The DDoS protection factory defaults are very low in some cases. The
> Juniper MX Series book has a nice chapter on that.

Do you have an example? Most of them are like 20kpps, which is more
than you need to congest the built-in NPU=>PFE_CPU policer. I.e. they
are massively too large out-of-the-box.

I doubt anyone has configured them to sensible values, as it would be
hundreds of lines of ddos-protection config, as you cannot set default
values which apply to all of them and then more-specific ones to the
ones you care. Correct configuration needs to manually configure each
and every one, those which you don't need, as low as you want, like
10pps.


-- 
  ++ytti


Re: [j-nsp] Syslog getting spammed by DDOS_PROTOCOL_VIOLATION_SET

2017-11-21 Thread Luis Balbinot
Most likely spoofed traffic or you don't have full tables or a default
route. A /18 will pull a lot of unwanted traffic.

The DDoS protection factory defaults are very low in some cases. The
Juniper MX Series book has a nice chapter on that.

On Tue, 21 Nov 2017 at 09:02 Karl Gerhard wrote:

> Hello
>
> our syslog is getting spammed with the following messages:
> jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Protocol
> resolve:ucast-v4 is violated at fpc 11 for 1389 times
> jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol
> resolve:ucast-v4 has returned to normal. Violated at fpc 11 for 1389 times
>
> What is puzzling is that there is barely any traffic going through that
> machine (like 5 MBit/s). It seems like those messages are being triggered
> by random noise from the internet just by announcing a single /18.
>
> Is that normal? Is there a way to gracefully handle those messages (i.e.
> save them into another file) without losing important information?
>
> Regards
> Karl


Re: [j-nsp] Syslog getting spammed by DDOS_PROTOCOL_VIOLATION_SET

2017-11-21 Thread Timur Maryin via juniper-nsp

Hi Karl,

DDOS subsystem applies only to the traffic destined to the host (router 
itself) and not transit traffic.


When you announce that /18, have you got all destinations of that /18 
reachable by the router? Have you got a default route?



The graceful way to handle those messages is to figure out what's causing 
them, I presume.


I'd start figuring out what's going on by answering the questions above 
and looking at the outputs below:


 show ddos-protection protocols resolve statistics brief
 show ddos-protection protocols violations


I'm sure if you google this topic you may find a lot of information as well.



On 21-Nov-17 12:01, Karl Gerhard wrote:

Hello

our syslog is getting spammed with the following messages:
jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Protocol resolve:ucast-v4 
is violated at fpc 11 for 1389 times
jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol 
resolve:ucast-v4 has returned to normal. Violated at fpc 11 for 1389 times

What is puzzling is that there is barely any traffic going through that machine 
(like 5 MBit/s). It seems like those messages are being triggered by random 
noise from the internet just by announcing a single /18.

Is that normal? Is there a way to gracefully handle those messages (i.e. save 
them into another file) without losing important information?

Regards
Karl



Re: [j-nsp] Syslog getting spammed by DDOS_PROTOCOL_VIOLATION_SET

2017-11-21 Thread Saku Ytti
Hey Karl,

Do you have large connected subnet, largely empty?

I believe 'resolve' is a packet needing ARP resolution. I.e. you got a
packet to subnet address 192.0.2.42, but it did not have a MAC address,
so it could not be forwarded, but had to be punted to software for ARP
resolution. Because it involves software it is rate-limited.

Be glad it exists; for the longest time resolve packets hit the DDoS
policer of their protocol, so if someone was hitting 192.0.2.42 with
BGP packets, it hit your BGP policer and would bring your core iBGP
down, and there was nothing you could do to protect from it (resolve
is not subject to lo0, for obvious reasons). 4Mbps was all it took.

On 21 November 2017 at 13:01, Karl Gerhard wrote:
> Hello
>
> our syslog is getting spammed with the following messages:
> jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Protocol 
> resolve:ucast-v4 is violated at fpc 11 for 1389 times
> jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol 
> resolve:ucast-v4 has returned to normal. Violated at fpc 11 for 1389 times
>
> What is puzzling is that there is barely any traffic going through that 
> machine (like 5 MBit/s). It seems like those messages are being triggered by 
> random noise from the internet just by announcing a single /18.
>
> Is that normal? Is there a way to gracefully handle those messages (i.e. save 
> them into another file) without losing important information?
>
> Regards
> Karl



-- 
  ++ytti
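One way to stop reading these jddosd lines by hand is to parse them and pair each SET with its CLEAR per (protocol, FPC), so you can see which policer is still violated and how the trailing count moves between events. This is an added example, not code from any poster in the thread; the sample log lines are constructed from the message format Karl quoted, and the timestamps and hostname in them are assumed.

```python
import re
from collections import defaultdict

# Matches the jddosd lines quoted in the thread, for both the SET and CLEAR form:
#   ... DDOS_PROTOCOL_VIOLATION_SET: Protocol resolve:ucast-v4 is violated at fpc 11 for 1389 times
#   ... DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol resolve:ucast-v4 has returned to normal. Violated at fpc 11 for 1389 times
DDOS_RE = re.compile(
    r"jddosd\[\d+\]: %DAEMON-\d-DDOS_PROTOCOL_VIOLATION_(?P<state>SET|CLEAR): "
    r"Protocol (?P<group>[\w-]+):(?P<ptype>[\w-]+) .*?fpc (?P<fpc>\d+) for (?P<count>\d+) times"
)

# Constructed sample syslog excerpt (hostname and timestamps are made up).
SAMPLE_LOG = [
    "Nov 21 12:00:01 rtr jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Protocol resolve:ucast-v4 is violated at fpc 11 for 1389 times",
    "Nov 21 12:00:09 rtr jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol resolve:ucast-v4 has returned to normal. Violated at fpc 11 for 1389 times",
    "Nov 21 12:00:20 rtr jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Protocol resolve:ucast-v4 is violated at fpc 11 for 1390 times",
    "Nov 21 12:00:25 rtr sshd[100]: unrelated line that must be ignored",
]


def parse_line(line):
    """Return a dict for a jddosd violation line, or None for anything else."""
    m = DDOS_RE.search(line)
    if not m:
        return None
    return {"state": m["state"], "protocol": f"{m['group']}:{m['ptype']}",
            "fpc": int(m["fpc"]), "count": int(m["count"])}


def summarize(lines):
    """Pair SET/CLEAR events per (protocol, fpc) and track the highest count seen."""
    summary = defaultdict(lambda: {"events": 0, "max_count": 0, "open": False})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = summary[(ev["protocol"], ev["fpc"])]
        if ev["state"] == "SET":
            s["events"] += 1          # one more violation episode started
            s["open"] = True          # policer currently exceeded
        else:
            s["open"] = False         # CLEAR: policer back under its limit
        s["max_count"] = max(s["max_count"], ev["count"])
    return dict(summary)


def still_violating(summary):
    """Keys whose last event was a SET with no matching CLEAR yet."""
    return sorted(k for k, s in summary.items() if s["open"])
```

Feed it a tailed syslog file and you get a per-policer view instead of a scrolling wall of SET/CLEAR pairs; a key that stays in `still_violating` is the one worth chasing with the `show ddos-protection` commands Timur listed.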


[j-nsp] Syslog getting spammed by DDOS_PROTOCOL_VIOLATION_SET

2017-11-21 Thread Karl Gerhard
Hello

our syslog is getting spammed with the following messages:
jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Protocol resolve:ucast-v4 
is violated at fpc 11 for 1389 times
jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol 
resolve:ucast-v4 has returned to normal. Violated at fpc 11 for 1389 times

What is puzzling is that there is barely any traffic going through that machine 
(like 5 MBit/s). It seems like those messages are being triggered by random 
noise from the internet just by announcing a single /18.

Is that normal? Is there a way to gracefully handle those messages (i.e. save 
them into another file) without losing important information?

Regards
Karl