Re: [j-nsp] QFX10002 Inline Flow
> +-1c.1-[18-1d]00.0 Juniper Networks Device 0077
> +-1c.2-[1e-23]--+-00.0 Broadcom Corporation Device b041
> |               \-00.1 Broadcom Corporation Device b041
> +-1c.3-[24-29]00.0 Xilinx Corporation Device 0505
> +-1d.0 Intel Corporation DH89xxCC USB2 Enhanced Host Controller #1
> +-1f.0 Intel Corporation DH89xxCC LPC Controller
> +-1f.2 Intel Corporation DH89xxCC 4 Port SATA AHCI Controller
> +-1f.3 Intel Corporation DH89xxCC SMBus Controller
> \-1f.7 Intel Corporation DH89xxCC Watchdog Timer
>
> --
> From: juniper-nsp on behalf of Nikolas Geyer
> Sent: Thursday, December 3, 2020 5:18:04 AM
> To: Brendan Mannella; juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] QFX10002 Inline Flow
>
> What version did you upgrade from? Check out
> https://lkhill.com/juniper-qfx10k-ipfix/ as there were some things
> changed in Junos 17 that resulted in broken IPFIX.
>
> Sent from my iPhone
>
> On Dec 1, 2020, at 9:51 PM, Brendan Mannella wrote:
>
> Curious if anyone else has completely broken Inline flow on QFX10002 in any
> of the recent recommended versions. It was running fine with the current
> configuration, then we upgraded two different sets and both ended up with
> broken flow.
>
> We are running --- JUNOS 19.1R3-S3.2 Kernel 64-bit and --- JUNOS 20.2R2.11
> Kernel 64-bit
>
> Is anyone else seeing this?

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] QFX10002 Inline Flow
Curious if anyone else has completely broken Inline flow on QFX10002 in any of the recent recommended versions. It was running fine with the current configuration, then we upgraded two different sets and both ended up with broken flow.

We are running:
--- JUNOS 19.1R3-S3.2 Kernel 64-bit
--- JUNOS 20.2R2.11 Kernel 64-bit

Is anyone else seeing this?
Re: [j-nsp] Sflow QFX 10008 and/or 5200
We just upgraded our QFX10k2 to the latest recommended 19.1R3 and it completely broke Inline IPFIX. It no longer exports any flow.

On Sun, Oct 18, 2020 at 7:05 PM H I Baysal wrote:
> Hi Everybody,
>
> I have a question and an observation for which I would like to ask
> feedback from the community.
>
> In my experience, a QFX10008 with Junos 17.4R3.16 is not sending Layer 2
> information and AS information in S-Flow packets,
> I tested it with a same device but on version 15.1X53 and I _do_ see Layer
> 2 information and AS information.
>
> Has anybody encountered this as well, I have searched the archive but
> couldn't find anything about this.
> And does anybody use sflow with Junos version 18.x, and do you collect ASN
> and Layer 2 information?
>
> Thank you!
>
> Kind Regards,
>
> Halil Baysal

--
Brendan Mannella
CEO, TeraSwitch Inc.
Main/Support - 1.412.945.7045
Direct - 1.412.945.7049
Bare-Metal Servers . Colocation . Cloud . Connectivity
Re: [j-nsp] Any red flags on this MX240 configuration...
We have MPC-3D-16XGE-SFPP and SCBE working in production. Haven't noticed any issues.

On Wed, Feb 26, 2020 at 9:04 AM Benjamin Collet wrote:
> Hi Alain,
>
> On Wed, Feb 26, 2020 at 08:46:42AM -0500, Alain Hebert wrote:
> > Beside the RE-S-2000-4096-S being EOL. My experience with 16.2 was
> > pretty solid.
> >
> > We're planning to have 3 Full Routes BGP and the MPLS alphabet soup,
> > yadi yada.
> >
> > We don't want 2 RE since we'll use 2 MX240 and there is no point to go
> > for ISSU since the RE is EOL.
> >
> > 1x CHAS-BP-MX240-S
> > 1x FFANTRAY-MX240-HC
> > 1x RE-S-2000-4096-S
> > 1x SCBE-MX-S
> > 2x PWR-MX480-1200-AC
> > 1x MPC-3D-16XGE-SFPP
>
> I am not sure the MPC-3D-16XGE-SFPP can work with a SCBE-MX-S, it seems
> you need at least a SCBE2 (same goes if you plan to insert a MPC7):
>
> https://www.juniper.net/documentation/en_US/release-independent/junos/topics/concept/enhanced-mx-scb-description-mx960.html
>
> Cheers,
> Ben
> --
> Benjamin Collet

--
Brendan Mannella
CEO, TeraSwitch Inc.
Main/Support - 1.412.945.7045
Direct - 1.412.945.7049
Bare-Metal Servers . Colocation . Cloud . Connectivity
[j-nsp] QFX5100 NAT
Trying to do NAT on a QFX5100 and cannot find where it's configured. Googling around I see it's supported but none of the configuration examples work for it.
Re: [j-nsp] QFX5100 ACLs
+ Programmed: YES
+ Total TCAM entries available: 1788
+ Total TCAM entries installed : 516

Brendan Mannella
TeraSwitch Inc.
Main - 1.412.945.7045
Direct - 1.412.945.7049
eFax - 1.412.945.7049
Colocation . Cloud . Connectivity

On Mon, Dec 4, 2017 at 11:57 AM, Saku Ytti <s...@ytti.fi> wrote:
> Hey Brendan,
>
> This is news to me, but plausible. Can you do this for me
>
> start shell pfe network fpc0
> show filter
>
> show filter hw show_term_info
>
> Compare how many TCAM entries are needed, and how many are available.
>
> Also if you can take a risk of reloading the FPC run:
> show filter hw show_terms_brcm
>
> This may crash your PFE, if you actually did not have all of the
> entries programmed in HW.
>
> commit will succeed if you build filter which will not fit in HW,
> there should be syslog entry, but no complain during commit. You will
> end up having no filter or some mangled version of it. So it's just
> alternative theory on why you may be accepting something you thought
> you aren't.
>
> On 4 December 2017 at 18:02, Brendan Mannella <bmanne...@teraswitch.com> wrote:
> > Hello,
> >
> > So I have been testing QFX5100 product for use as a core L3 switch/router
> > with BGP/OSPF. I have my standard RE filter blocking various things
> > including BGP from any unknown peer. I started to receive errors in my logs
> > showing BGP packets getting through from hosts that weren't allowed. After
> > digging around I found that Juniper apparently has built in ACL to allow
> > BGP, which bypasses my ACLs, probably for VCF or something.. Is there any
> > way to disable this behavior or does anyone have any other suggestions?
> >
> > root@XXX% cprod -A fpc0 -c "show filter hw dynamic 47 show_terms"
> >
> > Filter name : dyn-bgp-pkts
> > Filter enum : 47
> > Filter location : IFP
> > List of tcam entries : [(total entries: 2)
> > Entry: 37
> >   - Unit 0
> >   - Entry Priority 0x7FFC
> >   - Matches:
> >       PBMP 0x0001fffc
> >       PBMP xe
> >       L4 SRC Port 0x00B3 mask 0x
> >       IP Protocol 0x0006 mask 0x00FF
> >       L3DestHostHit 1 1
> >   - Actions:
> >       ChangeCpuQ
> >       ColorIndependent param1: 1, param2: 0
> >       CosQCpuNew cosq: 30
> >       Implicit Counter
> > Entry: 38
> >   - Unit 0
> >   - Entry Priority 0x7FFC
> >   - Matches:
> >       PBMP 0x0001fffc
> >       PBMP xe
> >       L4 DST Port 0x00B3 mask 0x
> >       IP Protocol 0x0006 mask 0x00FF
> >       L3DestHostHit 1 1
> >   - Actions:
> >       ChangeCpuQ
> >       ColorIndependent param1: 1, param2: 0
> >       CosQCpuNew cosq: 30
> >       Implicit Counter
> > ]
>
> --
> ++ytti
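As an added example (not code from this thread or from Juniper), a small Python parser for the two PFE outputs quoted above: it reads the TCAM totals from the `show filter hw show_term_info`-style summary to compute headroom, and walks a `show filter hw ... show_terms` dump to list which entries punt matching packets to the CPU, so that dynamic filters such as `dyn-bgp-pkts` can be audited against the RE filter you believe is in force. The sample inputs are constructed from the thread's output; the L4 port mask value 0xFFFF is an assumption (the copy in the thread is truncated), "available" is assumed to mean slice capacity, and the 80% warning threshold is a hypothetical choice.

```python
import re

# Constructed samples modelled on the two PFE outputs quoted in this thread.
# The port mask 0xFFFF is an assumption: the copy in the thread is truncated.
TCAM_SUMMARY = """\
+ Programmed: YES
+ Total TCAM entries available: 1788
+ Total TCAM entries installed : 516
"""

SHOW_TERMS = """\
Filter name : dyn-bgp-pkts
Filter enum : 47
Filter location : IFP
List of tcam entries : [(total entries: 2)
Entry: 37
- Entry Priority 0x7FFC
- Matches:
PBMP 0x0001fffc
L4 SRC Port 0x00B3 mask 0xFFFF
IP Protocol 0x0006 mask 0x00FF
L3DestHostHit 1 1
- Actions:
ChangeCpuQ
ColorIndependent param1: 1, param2: 0
CosQCpuNew cosq: 30
Entry: 38
- Entry Priority 0x7FFC
- Matches:
PBMP 0x0001fffc
L4 DST Port 0x00B3 mask 0xFFFF
IP Protocol 0x0006 mask 0x00FF
L3DestHostHit 1 1
- Actions:
ChangeCpuQ
CosQCpuNew cosq: 30
]
"""


def parse_tcam_summary(text):
    """Return {'programmed': bool, 'available': int, 'installed': int}."""
    out = {}
    for line in text.splitlines():
        line = line.lstrip("+ ").strip()
        if line.startswith("Programmed"):
            out["programmed"] = line.split(":", 1)[1].strip().upper() == "YES"
        m = re.match(r"Total TCAM entries (available|installed)\s*:\s*(\d+)", line)
        if m:
            out[m.group(1)] = int(m.group(2))
    return out


def tcam_headroom(summary, warn_ratio=0.8):
    """Fill ratio, treating 'available' as slice capacity (assumption). A filter
    that overflows hardware still commits cleanly, so this and the Programmed
    flag are the early signals to watch."""
    ratio = summary["installed"] / summary["available"]
    return {"fill_ratio": round(ratio, 3),
            "warn": ratio >= warn_ratio or not summary.get("programmed", False)}


def parse_show_terms(text):
    """'show filter hw ... show_terms' dump -> header fields plus one dict per entry."""
    filt, entry, section = {"entries": []}, None, None
    for line in (l.strip() for l in text.splitlines()):
        hdr = re.match(r"Filter (name|enum|location)\s*:\s*(\S+)", line)
        new = re.match(r"Entry:\s*(\d+)", line)
        if hdr:
            filt[hdr.group(1)] = int(hdr.group(2)) if hdr.group(1) == "enum" else hdr.group(2)
        elif new:
            entry = {"id": int(new.group(1)), "priority": None, "matches": [], "actions": []}
            filt["entries"].append(entry)
            section = None
        elif entry is None or not line or line == "]":
            continue                                  # preamble, blank, closing bracket
        elif line.startswith("- Entry Priority"):
            entry["priority"] = int(line.split()[-1], 16)
        elif line.startswith("- Matches"):
            section = "matches"
        elif line.startswith("- Actions"):
            section = "actions"
        elif line.startswith("- "):
            section = None                            # e.g. "- Unit 0"
        elif section:
            entry[section].append(line)
    return filt


_FIELD = re.compile(r"(L4 (?:SRC|DST) Port|IP Protocol)\s+0x([0-9A-Fa-f]+)\s+mask")


def cpu_punt_entries(filt):
    """Entries whose actions send matching packets to the CPU queue (ChangeCpuQ /
    CosQCpuNew); these terms apply regardless of the RE firewall filter."""
    found = []
    for e in filt["entries"]:
        queues = [int(a.split(":")[1]) for a in e["actions"] if a.startswith("CosQCpuNew")]
        if not queues and not any(a.startswith("ChangeCpuQ") for a in e["actions"]):
            continue
        rec = {"entry": e["id"], "cpu_queue": queues[0] if queues else None,
               "ip_protocol": None, "port_field": None, "port": None}
        for m in filter(None, map(_FIELD.match, e["matches"])):
            if m.group(1) == "IP Protocol":
                rec["ip_protocol"] = int(m.group(2), 16)
            else:
                rec["port_field"], rec["port"] = m.group(1), int(m.group(2), 16)
        found.append(rec)
    return found
```

Running `cpu_punt_entries(parse_show_terms(SHOW_TERMS))` on the sample decodes both entries as IP protocol 6 on port 179 (BGP), one keyed on the source port and one on the destination port, each steered to CPU queue 30; that is the concrete list to reconcile with the intended RE filter, while `tcam_headroom` gives the fill ratio to track across commits.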
Re: [j-nsp] FPC Error Debug
Perfect. Thank you. I will try the reboot first.

Brendan Mannella
TeraSwitch Inc.
Main - 1.412.945.7045
Direct - 1.412.945.7049
eFax - 1.412.945.7049
Colocation . Cloud . Connectivity

On Wed, Nov 9, 2016 at 11:13 AM, <david@orange.com> wrote:
>
> Hello
> Usually it means either :
>
> - transient HW error (Parity error - a reboot can fix it)
> - HW failure of LUCHIP memory >> RMA
>
> David Roy
> IP/MPLS NOC engineer - Orange France
> Ph. : +33 2 99 28 57 66
> Mob. : +33 6 85 52 22 13
> SkypeID : davidroy.35
> david@orange.com
>
> JNCIE x3 (SP #703 ; ENT #305 ; SEC #144)
>
> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella
> Sent: Wednesday, 9 November 2016 16:39
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] FPC Error Debug
>
> Does anyone have any insight into what these errors mean?
>
> Nov 9 09:34:52 re0.edge2 fpc1 LUCHIP(3) PPE_9 Errors lmem data error 0x0743
> Nov 9 09:34:52 re0.edge2 fpc1 PPE PPE HW Fault Trap: Count 12, PC bf, 0x00bf: init_context_lmem
> Nov 9 09:34:54 re0.edge2 fpc1 LUCHIP(3) PPE_9 Errors lmem data error 0x0743
> Nov 9 09:34:54 re0.edge2 fpc1 PPE PPE HW Fault Trap: Count 20, PC bf, 0x00bf: init_context_lmem
> Nov 9 09:34:58 re0.edge2 fpc1 LUCHIP(3) PPE_9 Errors lmem data error 0x0743
> Nov 9 09:34:58 re0.edge2 fpc1 PPE PPE HW Fault Trap: Count 26, PC bf, 0x00bf: init_context_lmem
> Nov 9 09:35:02 re0.edge2 fpc1 LUCHIP(3) PPE_9 Errors lmem data error 0x0743
> Nov 9 09:35:02 re0.edge2 fpc1 PPE PPE HW Fault Trap: Count 31, PC bf, 0x00bf: init_context_lmem
> Nov 9 09:35:06 re0.edge2 fpc1 LUCHIP(3) PPE_9 Errors lmem data error 0x0743
> Nov 9 09:35:06 re0.edge2 fpc1 PPE PPE HW Fault Trap: Count 34, PC bf, 0x00bf: init_context_lmem
> Nov 9 09:35:10 re0.edge2 fpc1 LUCHIP(3) PPE_9 Errors lmem data error 0x0743
> Nov 9 09:35:10 re0.edge2 fpc1 PPE PPE HW Fault Trap: Count 38, PC bf, 0x00bf: init_context_lmem
> Nov 9 09:35:14 re0.edge2 fpc1 LUCHIP(3) PPE_9 Errors lmem data error 0x0743
> Nov 9 09:35:14 re0.edge2 fpc1 PPE PPE HW Fault Trap: Count 42, PC bf, 0x00bf: init_context_lmem
> Nov 9 09:35:22 re0.edge2 fpc1 LMEM errors require LUCHIP(3) PPE 9 Zone 14 disable.
> Nov 9 09:35:32 re0.edge2 fpc1 LUCHIP(3):LMEM errors require LUCHIP(3) PPE 9 Zone 14 disable.
> Nov 9 09:35:32 re0.edge2 fpc1 TNPC CM received unknown trigger (type Queue, id 1)
> Nov 9 09:35:32 re0.edge2 alarmd[3048]: Alarm set: FPC color=RED, class=CHASSIS, reason=FPC 1 Major Errors
> Nov 9 09:35:32 re0.edge2 craftd[1632]: Major alarm set, FPC 1 Major Errors
[j-nsp] FPC Error Debug
Does anyone have any insight into what these errors mean?

Nov 9 09:34:52 re0.edge2 fpc1 LUCHIP(3) PPE_9 Errors lmem data error 0x0743
Nov 9 09:34:52 re0.edge2 fpc1 PPE PPE HW Fault Trap: Count 12, PC bf, 0x00bf: init_context_lmem
Nov 9 09:34:54 re0.edge2 fpc1 LUCHIP(3) PPE_9 Errors lmem data error 0x0743
Nov 9 09:34:54 re0.edge2 fpc1 PPE PPE HW Fault Trap: Count 20, PC bf, 0x00bf: init_context_lmem
Nov 9 09:34:58 re0.edge2 fpc1 LUCHIP(3) PPE_9 Errors lmem data error 0x0743
Nov 9 09:34:58 re0.edge2 fpc1 PPE PPE HW Fault Trap: Count 26, PC bf, 0x00bf: init_context_lmem
Nov 9 09:35:02 re0.edge2 fpc1 LUCHIP(3) PPE_9 Errors lmem data error 0x0743
Nov 9 09:35:02 re0.edge2 fpc1 PPE PPE HW Fault Trap: Count 31, PC bf, 0x00bf: init_context_lmem
Nov 9 09:35:06 re0.edge2 fpc1 LUCHIP(3) PPE_9 Errors lmem data error 0x0743
Nov 9 09:35:06 re0.edge2 fpc1 PPE PPE HW Fault Trap: Count 34, PC bf, 0x00bf: init_context_lmem
Nov 9 09:35:10 re0.edge2 fpc1 LUCHIP(3) PPE_9 Errors lmem data error 0x0743
Nov 9 09:35:10 re0.edge2 fpc1 PPE PPE HW Fault Trap: Count 38, PC bf, 0x00bf: init_context_lmem
Nov 9 09:35:14 re0.edge2 fpc1 LUCHIP(3) PPE_9 Errors lmem data error 0x0743
Nov 9 09:35:14 re0.edge2 fpc1 PPE PPE HW Fault Trap: Count 42, PC bf, 0x00bf: init_context_lmem
Nov 9 09:35:22 re0.edge2 fpc1 LMEM errors require LUCHIP(3) PPE 9 Zone 14 disable.
Nov 9 09:35:32 re0.edge2 fpc1 LUCHIP(3):LMEM errors require LUCHIP(3) PPE 9 Zone 14 disable.
Nov 9 09:35:32 re0.edge2 fpc1 TNPC CM received unknown trigger (type Queue, id 1)
Nov 9 09:35:32 re0.edge2 alarmd[3048]: Alarm set: FPC color=RED, class=CHASSIS, reason=FPC 1 Major Errors
Nov 9 09:35:32 re0.edge2 craftd[1632]: Major alarm set, FPC 1 Major Errors
[j-nsp] JUNOS Upgrade
Hello,

So I am running a MX with 11.2 and have finally been able to schedule a long overdue software upgrade. Issue is the oldest still available on Juniper's site is 12.3. I understand the recommended upgrade paths would prefer I go to 11.4 first, then 12.3 then to 13.3 which is where I would like to end up.

My question is, can I go from 11.2 to 12.3 or even direct to 13.3 without breaking anything? What are my risks? Configuration and features are very basic.

Thanks in advance.
Re: [j-nsp] JUNOS Upgrade
Thanks for the help. Yes I believe those are both EEOL releases so that is supported. I was just hoping to save a few reloads of the router. In addition I can't find 11.4 on Juniper's site anymore.

Brendan Mannella
TeraSwitch Inc.
Main - 1.412.945.7045
Direct - 1.412.945.7049
eFax - 1.412.945.7049
Colocation . Cloud . Connectivity

On Sat, Jan 2, 2016 at 3:35 PM, Dan White <dwh...@olp.net> wrote:
> We upgraded an MX480, with a subscriber management license, a few months
> ago 11.4X27.42 to 12.3R10.2 without any issues.
>
> The 'Upgrade and Downgrade Support Policy for Junos OS Releases' section
> discusses what's supported, and it's not clear without further research if
> a 11.2 to 12.3 upgrade would be supported. TAC would be your best resource
> to find out.
>
> My guess is your primary risk would be the inability to perform a
> downgrade, or configuration after upgrade not being correct, but that's
> speculation.
>
> On 01/02/16 15:17 -0500, Brendan Mannella wrote:
> > Hello,
> >
> > So I am running a MX with 11.2 and have finally been able to schedule a
> > long overdue software upgrade. Issue is the oldest still available on
> > Juniper's site is 12.3. I understand the recommended upgrade paths would
> > prefer I go to 11.4 first, then 12.3 then to 13.3 which is where I would
> > like to end up.
> >
> > My question is, can I go from 11.2 to 12.3 or even direct to 13.3 without
> > breaking anything? What are my risks? Configuration and features are very
> > basic.
>
> --
> Dan White
[j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
Just wondering if anyone has ever seen these DDOS messages before and what I should be looking at to resolve.

Dec 10 11:10:24 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 931 times, from 2014-12-10 11:05:23 EST to 2014-12-10 11:05:23 EST
Dec 10 11:23:44 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 932 times, started at 2014-12-10 11:23:43 EST
Dec 10 11:28:49 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 932 times, from 2014-12-10 11:23:43 EST to 2014-12-10 11:23:43 EST
Dec 10 12:50:55 re0.edge2 xntpd[2681]: kernel time sync enabled 6001
Dec 10 13:08:00 re0.edge2 xntpd[2681]: kernel time sync enabled 2001
Dec 10 15:01:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 933 times, started at 2014-12-10 15:01:33 EST
Dec 10 15:06:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 933 times, from 2014-12-10 15:01:33 EST to 2014-12-10 15:01:33 EST
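As an added example (not code from this post or from Juniper), a Python summariser for the jddosd messages above: it pairs each DDOS_PROTOCOL_VIOLATION_SET with the CLEAR that carries the same violation counter, skips lines from other daemons (the xntpd entries), and reports per protocol group and FPC how many episodes were seen and how long the longest lasted. The sample log is constructed from the lines in this post; the year is assumed to be 2014 because the syslog timestamp carries none.

```python
import re
from datetime import datetime

# Constructed sample built from the jddosd/xntpd lines quoted in this post.
LOG = """\
Dec 10 11:10:24 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 931 times, from 2014-12-10 11:05:23 EST to 2014-12-10 11:05:23 EST
Dec 10 11:23:44 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 932 times, started at 2014-12-10 11:23:43 EST
Dec 10 11:28:49 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 932 times, from 2014-12-10 11:23:43 EST to 2014-12-10 11:23:43 EST
Dec 10 12:50:55 re0.edge2 xntpd[2681]: kernel time sync enabled 6001
Dec 10 15:01:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 933 times, started at 2014-12-10 15:01:33 EST
Dec 10 15:06:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 933 times, from 2014-12-10 15:01:33 EST to 2014-12-10 15:01:33 EST
"""

_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) jddosd\[\d+\]: "
    r"DDOS_PROTOCOL_VIOLATION_(?P<kind>SET|CLEAR): Protocol (?P<proto>\S+) "
    r".*?at fpc (?P<fpc>\d+) for (?P<count>\d+) times"
)


def parse_jddosd(text, year=2014):
    """Extract SET/CLEAR events. The year is an assumption (BSD syslog stamps
    carry none); lines from other daemons are skipped."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        events.append({
            "time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "kind": m["kind"], "proto": m["proto"],
            "fpc": int(m["fpc"]), "count": int(m["count"]),
        })
    return events


def violation_episodes(events):
    """Pair each SET with the CLEAR carrying the same violation counter for the
    same (protocol, fpc). A CLEAR whose SET lies outside the excerpt is kept
    with duration None rather than silently dropped."""
    open_sets, episodes = {}, []
    for ev in events:
        key = (ev["proto"], ev["fpc"], ev["count"])
        if ev["kind"] == "SET":
            open_sets[key] = ev["time"]
            continue
        start = open_sets.pop(key, None)
        episodes.append({
            "proto": ev["proto"], "fpc": ev["fpc"], "count": ev["count"],
            "cleared": ev["time"],
            "duration_s": None if start is None else int((ev["time"] - start).total_seconds()),
        })
    return episodes


def summarize(episodes):
    """Per (protocol, fpc): number of episodes and the longest measured duration."""
    out = {}
    for ep in episodes:
        s = out.setdefault((ep["proto"], ep["fpc"]), {"episodes": 0, "max_duration_s": 0})
        s["episodes"] += 1
        if ep["duration_s"] is not None:
            s["max_duration_s"] = max(s["max_duration_s"], ep["duration_s"])
    return out


if __name__ == "__main__":
    for key, stats in summarize(violation_episodes(parse_jddosd(LOG))).items():
        print(key, stats)
```

The "for N times" counter (931, 932, 933 here) increments per episode, which is why the pairing keys on it: back-to-back episodes for the same protocol group are never merged. On the sample the two complete episodes last 305 and 300 seconds between the SET and CLEAR syslog stamps, so the summary shows three episodes on fpc 1 with a maximum of 305 seconds, and the orphaned first CLEAR is still counted.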
Re: [j-nsp] MX80 Sampling - High CPU
We have a mx240 with inline flow enable, we were getting frequent cpu spikes, we installed 12.3R8 yesterday and the spikes are resolved.

On Wednesday, October 1, 2014, Sebastian Wiesinger <juniper-...@ml.karotte.org> wrote:
> * Graham Brown <juniper-...@grahambrown.info> [2014-09-23 22:33]:
> > 12.3R8 and 13.3R4 are due out anytime now with the fixes in place. I
> > think there are many people waiting for these two releases...
>
> So, 12.3R8 is out. Any practical experiences if inline jflow / sampling
> is faster now?
>
> Regards
>
> Sebastian
>
> --
> GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
> 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
> -- Terry Pratchett, The Fifth Elephant

--
Brendan Mannella
bmanne...@teraswitch.com
TeraSwitch Inc.
Direct - 1.412.297.0225
Mobile - 1.412.592.7848
Fax - 412.202.7094
Cloud . Colocation . Connectivity
Re: [j-nsp] QFX5100 3rd party optic/DAC
We have 15m Mellanox QSFP DAC working fine.

On Monday, September 29, 2014, Darren O'Connor <darre...@outlook.com> wrote:
> Anyone having any luck with this? I've got a few QSFP DACs that work
> perfectly fine on a 4300 stack, but the QFX5100 refuses to work with them.
> Work fine with a Juniper branded DAC.

--
Brendan Mannella
bmanne...@teraswitch.com
TeraSwitch Inc.
Direct - 1.412.297.0225
Mobile - 1.412.592.7848
Fax - 412.202.7094
Cloud . Colocation . Connectivity
Re: [j-nsp] EX4200 VC Pity Me
I could be completely wrong, but shouldn't the second 4200 be the backup RE and not forced to be a line card? Could have something to do with it.

On Apr 3, 2012, at 8:24 PM, Dave Peters <d...@terabitsystems.com> wrote:

Hi all--

Trying to test a VC with two EX4200s running 10.4R9.2. Very simple. I just can't get the backup (or line card) chassis to pass traffic. Pinging the gateway out of the routing engine or master works fine. Trying to ping through the backup/line card gives me nothing. The VC is recognized (per the below). Something simple I'm doing wrong, I know. Here's some output (and thanks for any help you might provide):

root> show virtual-chassis
Preprovisioned Virtual Chassis
Virtual Chassis ID: a8ab.cf0b.66d6
                                          Mastership           Neighbor List
Member ID  Status  Serial No     Model       priority  Role     ID  Interface
0 (FPC 0)  Prsnt   BP0209472119  ex4200-48t     129    Master*   1  vcp-0
                                                                  1  vcp-1
1 (FPC 1)  Prsnt   FV0211137957  ex4200-48t       0    Linecard  0  vcp-0
                                                                  0  vcp-1

root> show virtual-chassis vc-port member 0
fpc0:
--------------------------------------------------------------------------
Interface   Type       Trunk  Status  Speed   Neighbor
or                     ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated    1    Up      32000    1  vcp-0
vcp-1       Dedicated    2    Up      32000    1  vcp-1

{master:0}
root> show virtual-chassis vc-port member 1
fpc1:
--------------------------------------------------------------------------
Interface   Type       Trunk  Status  Speed   Neighbor
or                     ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated    1    Up      32000    0  vcp-0
vcp-1       Dedicated    2    Up      32000    0  vcp-1

{master:0}
root> show configuration
## Last commit: 2012-02-02 09:38:58 UTC by root
version 10.4R9.2;
system {
    root-authentication {
        encrypted-password bJ/GddyoJuiU2; ## SECRET-DATA
    }
    services {
        web-management {
            http;
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching;
*!truncated!*
    vlan {
        unit 0 {
            family inet {
                address 192.168.10.188/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.10.77;
    }
}
protocols {
    igmp-snooping {
        vlan all;
    }
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}
ethernet-switching-options {
    storm-control {
        interface all;
    }
}
vlans {
    default {
        l3-interface vlan.0;
    }
}
poe {
    interface all;
}
virtual-chassis {
    preprovisioned;
    no-split-detection;
    member 1 {
        role line-card;
        serial-number FV0211137957;
    }
    member 0 {
        role routing-engine;
        serial-number BP0209472119;
    }
}
[j-nsp] RPF-Check
Hello Everyone,

I have a question regarding RPF-Check. I currently have an edge router with two transits, getting full routes from both. Asymmetric routing. We have RPF-Check enabled on both the transit interfaces. We also have unicast reverse path feasible-paths enabled.

I am currently troubleshooting an issue where a customer cannot reach my network and believe it's failing an RPF-Check. Transit A is advertising the customer /20 to me, and a return path is in my routing table. Transit B I am not receiving a route, customer's provider has no export on the route. Customer's traffic comes in on transit B and my traffic back to them takes Transit A, as that's the only route back.

My questions are.. Is there a way to get more detail with regard to the number of packets being discarded? Maybe even what source address? Also do you think I am better off running in loose mode instead?

Thanks in advance
Brendan
[j-nsp] Junos 11.2R4.3 on MX
Just wondering if anyone has been brave enough to run Junos 11.2R4.3 yet on an MX960? We are currently on the latest 10.4, but would really like to upgrade to get "trunk style" config on Trio line cards. I also noticed during a previous ISSU that the Trio based line cards aren't compatible yet with ISSU and had to be rebooted during a software upgrade. This feature is also available in 11.2. Our configuration is pretty basic, Layer2, BGP, OSPF, nothing fancy. Any info would be appreciated.

Thanks,
Brendan
[j-nsp] VLAN / IRB config on MX Trio
Hi,

Does anyone know what the latest stable build of JUNOS is that supports the new style vlan trunk config on an MX platform with all trio based cards? I have an MX running 10.4R8.5 and can't seem to get my irb / vlan trunk config working, then I found the below link.

www.mail-archive.com/juniper-nsp@puck.nether.net/msg11424.html

My fear is if I reconfig to the old style, eventually when code catches up, I will then have to reconfigure everything to the new style. Any help is appreciated.
Re: [j-nsp] MX Firewall Capabilities
Nice, and if I decided I want stateful firewalling and IPS, I see I can use the DPC card... Are there any pros/cons to this vs just buying a separate SRX?

-----Original Message-----
From: OBrien, Will [mailto:obri...@missouri.edu]
Sent: Tuesday, July 12, 2011 1:04 PM
To: sth...@nethelp.no
Cc: Brendan Mannella; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] MX Firewall Capabilities

Yup. That is correct. Border filters are no problem without the ms-dpc.

Sent from my iPad

On Jul 12, 2011, at 12:56 PM, sth...@nethelp.no wrote:

> > Just wondering what the firewalling capabilities are with the MX series
> > vs the SRX. We just would like to have basic firewall (block all
> > incoming ports, allow specifics). Would we need the MS-DPC to achieve
> > this? The new router will be are trio cards.
>
> As long as you don't need *state* tracking but simply basic filtering on
> ports, IP addresses etc your standard MX cards work just fine - no need
> for MS-DPC.
>
> Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: [j-nsp] MX Firewall Capabilities
Thanks for the info. I think I will be better off just buying some SRX instead of trying to use the DPC.

Brendan Mannella
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Mobile: 412.592.7848
Efax: 412.202.7094

On Jul 12, 2011, at 11:12 PM, Mark Tinka <mti...@globaltransit.net> wrote:

> On Wednesday, July 13, 2011 01:19:02 AM Brendan Mannella wrote:
>
> > Nice, and if I decided I want stateful firewalling and IPS, I see I can
> > use the DPC card...
>
> Note that there have been a number of reports where DPC's and MPC's don't
> play nice in the same chassis in certain versions of code. You would do
> well to test your scenario before you buy.
>
> Also, some features that are required specifically when you have an MPC
> will cause the router NOT to boot the DPC if it's installed alongside the
> Trio.
>
> Some of this information isn't public yet, so talking to your SE about
> this would be recommended before you buy.
>
> Cheers,
>
> Mark.
Re: [j-nsp] Ex4200 Routing Engine
Actually. Sorry to reply to my own thread. I see why..

root@agg1.pit1> show system processes extensive
last pid: 92762;  load averages:  1.35,  1.23,  1.18  up 639+13:13:05  14:15:21
106 processes: 7 running, 80 sleeping, 19 waiting
Mem: 104M Active, 101M Inact, 56M Wired, 97M Cache, 110M Buf, 626M Free
Swap:

  PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
46466 nobody      1 132    0  8176K  5864K RUN    8986.9 85.50% httpd
  614 root        1 124    0 13236K  4352K RUN    1536.8  6.64% chassism
  722 root        1   8    0 79912K 18092K nanslp 625.2H  1.37% pfem
  615 root        2  44  -52 62672K  5596K select 266.9H  0.05% sfid
   11 root        1 171   52     0K    16K RUN    2342.0  0.00% idle
   13 root        1 -20 -139     0K    16K RUN     87.7H  0.00% swi7: clock
   12 root        1 -40 -159     0K    16K WAIT    32.3H  0.00% swi2: net
   29 root        1 -52 -171     0K    16K WAIT    29.9H  0.00% irq43: i2c0 i2c1
  745 root        1   4    0  8852K  6996K kqread  22.8H  0.00% eswd
  737 root        1  96    0  4916K  1992K RUN     22.7H  0.00% ppmd
  616 root        1   4  -20  7236K  5392K kqread  19.8H  0.00% vccpd
  744 root        1   4    0  7340K  5668K kqread 409:57  0.00% lldpd
  747 root        1   4    0  5452K  3832K kqread 385:21  0.00% mcsnoopd
   28 root        1 -52 -171     0K    16K WAIT   342:59  0.00% irq2: mpfe1

I don't even use the web server, anyone know how to disable it? I would assume this will fix it?

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella
Sent: Thursday, May 19, 2011 2:17 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Ex4200 Routing Engine

All,

I have a pair of 4200's in a VC config. Just happened to look at the show chassis routing-engine command the other day and saw...

root@agg1.pit1> show chassis routing-engine
Routing Engine status:
  Slot 0:
    Current state                  Master
    Temperature                 36 degrees C / 96 degrees F
    DRAM                      1024 MB
    Memory utilization          19 percent
    CPU utilization:
      User                      11 percent
      Kernel                    88 percent
      Interrupt                  1 percent
      Idle                       0 percent
    Model                          EX4200-24T, 8 POE
    Serial ID                      BM0208388984
    Start time                     2009-08-18 01:02:43 EDT
    Uptime                         639 days, 13 hours, 10 minutes, 15 seconds
    Load averages:                 1 minute   5 minute  15 minute
                                       1.13       1.17       1.16
Routing Engine status:
  Slot 1:
    Current state                  Backup
    Temperature                 29 degrees C / 84 degrees F
    DRAM                      1024 MB
    Memory utilization          14 percent
    CPU utilization:
      User                       8 percent
      Kernel                     4 percent
      Interrupt                  0 percent
      Idle                      88 percent
    Model                          EX4200-24T, 8 POE
    Serial ID                      BM0208417115
    Start time                     2009-08-18 01:02:43 EDT
    Uptime                         639 days, 13 hours, 10 minutes, 15 seconds
    Load averages:                 1 minute   5 minute  15 minute
                                       0.06       0.09       0.07

These are still running 9.3R4.4, is there some commands I could use to see why the kernel is at 88%?

Thanks,
Brendan
Re: [j-nsp] Ex4200 Routing Engine
I did set system processes web-management disable but based on the amount of time the process has been running, it seems like just a stuck process.. Does anyone know if it's safe to just kill the process id?

From: Kevin Shymkiw [mailto:kshym...@gmail.com]
Sent: Thursday, May 19, 2011 2:25 PM
To: Brendan Mannella
Subject: Re: [j-nsp] Ex4200 Routing Engine

Brendan,

Should be able to kill HTTP Access with something like

delete system services http

HTH
Kevin

On Thu, May 19, 2011 at 2:20 PM, Brendan Mannella <bmanne...@teraswitch.com> wrote:
Actually. Sorry to reply to my own thread. I see why..
Re: [j-nsp] Ex4200 Routing Engine
My config shows..

services {
    ssh {
        connection-limit 10;
        rate-limit 10;
    }

And

processes {
    web-management disable;

I assume 8986.9 is the number of hours the process has been running. Can I drop to the cli and kill the process id without breaking anything?

root@agg1:RE:0% ps -aux | grep httpd
nobody 46466 87.5  0.6  8176  5864  ??  R    2Feb10 539252:22.28 /packages/mnt/jcrypto-ex/usr/sbin/httpd -N
root   93359  0.0  0.1  2040   816  p0  R+   3:01PM      0:00.01 grep httpd

-----Original Message-----
From: Paul Stewart [mailto:p...@paulstewart.org]
Sent: Thursday, May 19, 2011 2:35 PM
To: Brendan Mannella; juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] Ex4200 Routing Engine

Someone may correct me here but if http isn't enabled under System -- Services then I believe it doesn't run at all.

Logged into a EX4200-VC running 10.0S12 and don't see it running at all ... load is average for it...

paul@dis1.xx show system processes extensive
last pid: 39531;  load averages: 0.03, 0.05, 0.02  up 106+10:49:25  14:33:58
109 processes: 6 running, 84 sleeping, 19 waiting
Mem: 169M Active, 19M Inact, 90M Wired, 59M Cache, 110M Buf, 646M Free
Swap:

  PID USERNAME THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
   11 root       1 171   52     0K    16K RUN    2261.3 92.33% idle
  849 root       1   8    0 81544K 26468K nanslp 113.8H  1.42% pfem
  845 root       1  -9    0 13928K  4420K i2c_wt  59.7H  0.00% chassism
  847 root       2   8  -88 63780K  7216K nanslp  56.1H  0.00% sfid
   12 root       1 -20 -139     0K    16K RUN    834:48  0.00% swi7: clock
  861 root       1   4    0 33972K 11440K kqread 660:05  0.00% rpd
  870 root       1  96    0  5788K  2720K RUN    429:44  0.00% ppmd
   14 root       1 -40 -159     0K    16K WAIT   331:34  0.00% swi2: net

paul@dis1.x show system processes extensive | match httpd
{master:0}

Cheers,
Paul

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella
Sent: Thursday, May 19, 2011 2:20 PM
To: Brendan Mannella; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Ex4200 Routing Engine

Actually. Sorry to reply to my own thread. I see why..

root@agg1.pit1 show system processes extensive
last pid: 92762;  load averages: 1.35, 1.23, 1.18  up 639+13:13:05  14:15:21
106 processes: 7 running, 80 sleeping, 19 waiting
Mem: 104M Active, 101M Inact, 56M Wired, 97M Cache, 110M Buf, 626M Free
Swap:

  PID USERNAME THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
46466 nobody     1 132    0  8176K  5864K RUN    8986.9 85.50% httpd
  614 root       1 124    0 13236K  4352K RUN    1536.8  6.64% chassism
  722 root       1   8    0 79912K 18092K nanslp 625.2H  1.37% pfem
  615 root       2  44  -52 62672K  5596K select 266.9H  0.05% sfid
   11 root       1 171   52     0K    16K RUN    2342.0  0.00% idle
   13 root       1 -20 -139     0K    16K RUN     87.7H  0.00% swi7: clock
   12 root       1 -40 -159     0K    16K WAIT    32.3H  0.00% swi2: net
   29 root       1 -52 -171     0K    16K WAIT    29.9H  0.00% irq43: i2c0 i2c1
  745 root       1   4    0  8852K  6996K kqread  22.8H  0.00% eswd
  737 root       1  96    0  4916K  1992K RUN     22.7H  0.00% ppmd
  616 root       1   4  -20  7236K  5392K kqread  19.8H  0.00% vccpd
  744 root       1   4    0  7340K  5668K kqread 409:57  0.00% lldpd
  747 root       1   4    0  5452K  3832K kqread 385:21  0.00% mcsnoopd
   28 root       1 -52 -171     0K    16K WAIT   342:59  0.00% irq2: mpfe1

I don't even use the web server, anyone know how to disable it? I would assume this will fix it?

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella
Sent: Thursday, May 19, 2011 2:17 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Ex4200 Routing Engine

All,

I have a pair of 4200's in a VC config. Just happened to look at the show chassis routing-engine command the other day and saw...

root@agg1.pit1 show chassis routing-engine
Routing Engine status:
  Slot 0:
    Current state                  Master
    Temperature                    36 degrees C / 96 degrees F
    DRAM                           1024 MB
    Memory utilization             19 percent
    CPU utilization:
      User                         11 percent
      Kernel                       88 percent
      Interrupt                     1 percent
      Idle                          0 percent
    Model                          EX4200-24T, 8 POE
    Serial ID                      BM0208388984
    Start time                     2009-08-18 01:02:43 EDT
    Uptime                         639 days, 13 hours, 10 minutes, 15 seconds
    Load averages:                 1 minute   5 minute  15 minute
                                       1.13       1.17       1.16
Routing Engine status:
  Slot 1:
    Current state
Re: [j-nsp] EX4200 ARP Issue
Checking the Juniper site, I don't see the S releases. The recommended software version doc shows the following now.

EX2200  JUNOS 10.1R3.7  Standard  24 Sept 2010
EX3200  JUNOS 10.0R4.7  Standard  24 Sept 2010
EX4200  JUNOS 10.0R4.7  Standard  24 Sept 2010
EX4500  JUNOS 10.2R1    Standard  31 Aug 2010
EX8200  JUNOS 10.0R4.7  Standard  24 Sept 2010

----- Original Message -----
From: Richard A Steenbergen r...@e-gerbil.net
To: Brendan Mannella bmanne...@teraswitch.com
Cc: juniper-nsp@puck.nether.net
Sent: Tuesday, September 28, 2010 1:39:45 AM
Subject: Re: [j-nsp] EX4200 ARP Issue

On Mon, Sep 27, 2010 at 11:31:50AM -0400, Brendan Mannella wrote:

I am running 9.3R4.4. Has anyone seen this, or have any ideas?

You might want to upgrade to something a little more modern. Basically the baby EX's spent the first year+ of their lives barely qualified to work as a doorstop or a support for whatever was rackmounted above them. The early software was so unusable that I still routinely have trouble getting it to pass packets well enough to upgrade off the code that it shipped with. Personally I recommend 10.1S6 (have a lot of experience with it at any rate, 10.1S8 will hopefully fix a lot of my other outstanding issues :P).

--
Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
[j-nsp] EX4200 Error Log
Has anyone ever seen this in the message logs? Seems to be the exact same time my network started to flap.

Sep 27 11:53:47 core1.pit1 fpc0 Resolve request came for an address matching on Wrong nh nh:1890, type:Unicast...?
Sep 27 11:53:47 core1.pit1 fpc0 Resolve request came for an address matching on Wrong nh nh:1888, type:Unicast...?
Sep 27 11:53:47 core1.pit1 fpc0 Resolve request came for an address matching on Wrong nh nh:1890, type:Unicast...?
Sep 27 11:53:47 core1.pit1 last message repeated 2 times
Sep 27 11:53:47 core1.pit1 fpc0 Resolve request came for an address matching on Wrong nh nh:1456, type:Unicast...?
Sep 27 11:53:47 core1.pit1 fpc0 Resolve request came for an address matching on Wrong nh nh:1890, type:Unicast...?
Sep 27 11:53:47 core1.pit1 fpc1 Resolve request came for an address matching on Wrong nh nh:1462, type:Unicast...?
Sep 27 11:53:47 core1.pit1 fpc0 Resolve request came for an address matching on Wrong nh nh:1457, type:Unicast...?
Sep 27 11:53:47 core1.pit1 fpc0 Resolve request came for an address matching on Wrong nh nh:1457, type:Unicast...?
Sep 27 11:53:47 core1.pit1 fpc0 Resolve request came for an address matching on Wrong nh nh:1458, type:Unicast...?
Sep 27 11:53:47 core1.pit1 fpc0 Resolve request came for an address matching on Wrong nh nh:1459, type:Unicast...?
Sep 27 11:53:47 core1.pit1 fpc0 Resolve request came for an address matching on Wrong nh nh:1462, type:Unicast...?
Sep 27 11:53:47 core1.pit1 fpc0 Resolve request came for an address matching on Wrong nh nh:1458, type:Unicast...?
Sep 27 11:53:47 core1.pit1 fpc0 Resolve request came for an address matching on Wrong nh nh:1462, type:Unicast...?
Sep 27 11:53:47 core1.pit1 last message repeated 3 times
Sep 27 11:53:47 core1.pit1 fpc0 Resolve request came for an address matching on Wrong nh nh:1489, type:Hold...?
Sep 27 11:53:47 core1.pit1 fpc0 Resolve request came for an address matching on Wrong nh nh:1582, type:Hold...?
Sep 27 11:53:47 core1.pit1 fpc1 Resolve request came for an address matching on Wrong nh nh:1615, type:Unicast...?
Sep 27 11:53:47 core1.pit1 fpc0 Resolve request came for an address matching on Wrong nh nh:1620, type:Unicast...?
Sep 27 11:53:47 core1.pit1 fpc0 Resolve request came for an address matching on Wrong nh nh:1635, type:Unicast...?
Sep 27 11:53:48 core1.pit1 fpc1 Resolve request came for an address matching on Wrong nh nh:1661, type:Unicast...?
Sep 27 11:53:48 core1.pit1 fpc0 Resolve request came for an address matching on Wrong nh nh:1661, type:Unicast...?
Sep 27 11:53:48 core1.pit1 fpc0 Resolve request came for an address matching on Wrong nh nh:1667, type:Hold...?
Sep 27 11:53:48 core1.pit1 last message repeated 2 times
Sep 27 11:53:48 core1.pit1 fpc0 Resolve request came for an address matching on Wrong nh nh:1666, type:Unicast...?
Sep 27 11:53:48 core1.pit1 fpc0 Resolve request came for an address matching on Wrong nh nh:1667, type:Hold...?
Sep 27 11:53:48 core1.pit1 snmpd[729]: SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community from 24.3.51.125 to unknown community name (public)
Sep 27 11:53:52 core1.pit1 last message repeated 2 times
Sep 27 11:53:54 core1.pit1 snmpd[729]: SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community from 24.3.51.125 to unknown community name (public)
Sep 27 11:53:56 core1.pit1 fpc0 Resolve request came for an address matching on Wrong nh nh:1726, type:Unicast...?
Sep 27 11:54:28 core1.pit1 alarmd[727]: Alarm cleared: License color=YELLOW, class=CHASSIS, reason=BGP Routing Protocol usage requires a license
Sep 27 11:54:28 core1.pit1 alarmd[727]: Alarm set: License color=YELLOW, class=CHASSIS, reason=BGP Routing Protocol usage requires a license
Sep 27 11:54:28 core1.pit1 alarmd[727]: LICENSE_EXPIRED: License for feature bgp(47) expired
Sep 27 11:55:28 core1.pit1 alarmd[727]: Alarm cleared: License color=YELLOW, class=CHASSIS, reason=BGP Routing Protocol usage requires a license
Sep 27 11:55:28 core1.pit1 alarmd[727]: Alarm set: License color=YELLOW, class=CHASSIS, reason=BGP Routing Protocol usage requires a license
Sep 27 11:55:28 core1.pit1 alarmd[727]: LICENSE_EXPIRED: License for feature bgp(47) expired

Brendan Mannella
President and CEO
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Toll-Free: 866.583.6338
Mobile: 412-592-7848
Efax: 412.202.7094
[j-nsp] EX4200 ARP Issue
Just wondering if anyone else has experienced anything like this before on the EX4200 platform. This morning users started complaining that their IPs were flapping, they would work for 5 minutes then stop working for 5 minutes. What seemed to fix this issue was clearing the ARP table. This switch has all customer vlans and routes customer subnets. Another thing I noticed was...

00:06:5b:f1:f0:72 public ip here vlan.13 none
00:06:5b:f1:f0:72 public ip here vlan.13 none
00:06:5b:f1:f0:72 public ip here vlan.13 none
00:06:5b:f1:f0:72 public ip here vlan.13 none
00:06:5b:f1:f0:72 public ip here vlan.13 none
00:06:5b:f1:f0:71 public ip here vlan.13 none
00:06:5b:f1:f0:72 public ip here vlan.13 none
00:06:5b:f1:f0:71 public ip here vlan.13 none

One customer has a firewall, and its outside interface has all the above ips assigned to it. Its outside interface has the :71 mac address. For some reason :72 is showing up and that is the firewall's inside interface. During this time, the ips attached to the :71 interface were working, the :72 were not. When I cleared the ARP, all ips had :71 again.

I am running 9.3R4.4. Has anyone seen this, or have any ideas?
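A check for the symptom described in this post, added here as an example and not part of the thread: it parses 'show arp' lines in the shape shown above and reports addresses that resolve to a MAC other than the expected one, or whose MAC changes between two snapshots (before and after 'clear arp'). The two snapshots, the 192.0.2.0/24 placeholder addresses standing in for the redacted public IPs, and the expected-MAC map are constructed.

```python
"""Added example (not from the thread): spot ARP entries that resolve to the
wrong MAC, the symptom described above, from 'show arp' output.

Assumptions: lines look like '<mac> <address> <interface> <flags>' as in the
post; the 192.0.2.0/24 addresses are placeholders for the redacted public IPs;
the expected MAC per address comes from the operator (here the firewall's
outside-interface MAC ending in :71)."""
import re
from collections import defaultdict

ARP_LINE = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<iface>\S+)\s+(?P<flags>\S+)\s*$",
    re.IGNORECASE,
)


def parse_arp(text):
    """Map address -> (mac, interface); header and total lines do not match."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries[m["ip"]] = (m["mac"].lower(), m["iface"])
    return entries


def unexpected_macs(snapshot, expected):
    """Addresses whose entry does not carry the MAC the operator expects."""
    return {
        ip: mac
        for ip, (mac, _iface) in parse_arp(snapshot).items()
        if ip in expected and mac != expected[ip].lower()
    }


def mac_changes(snapshots):
    """Addresses whose MAC changed between successive snapshots, with the
    sequence of MACs seen; a flip-flop shows up as a list of two or more."""
    seen = defaultdict(list)
    for snap in snapshots:
        for ip, (mac, _iface) in parse_arp(snap).items():
            if not seen[ip] or seen[ip][-1] != mac:
                seen[ip].append(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


OUTSIDE = "00:06:5b:f1:f0:71"   # firewall outside interface, as in the post
INSIDE = "00:06:5b:f1:f0:72"    # firewall inside interface

# Constructed snapshots in the pattern of the post: five :72 entries, then :71,
# :72, :71 while the problem is present; all :71 after 'clear arp'.
ADDRS = [f"192.0.2.{n}" for n in range(10, 18)]
_DURING = [INSIDE] * 5 + [OUTSIDE, INSIDE, OUTSIDE]
HEADER = "MAC Address       Address         Interface   Flags\n"
SNAP_DURING = HEADER + "".join(
    f"{mac} {ip} vlan.13 none\n" for mac, ip in zip(_DURING, ADDRS))
SNAP_AFTER_CLEAR = HEADER + "".join(
    f"{OUTSIDE} {ip} vlan.13 none\n" for ip in ADDRS) + "Total entries: 8\n"
EXPECTED = {ip: OUTSIDE for ip in ADDRS}

if __name__ == "__main__":
    for ip, mac in sorted(unexpected_macs(SNAP_DURING, EXPECTED).items()):
        print(f"{ip} answered by {mac}, expected {EXPECTED[ip]}")
    print(mac_changes([SNAP_DURING, SNAP_AFTER_CLEAR]))
```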
[j-nsp] Single Fiber SM SFP
Does anyone know a company that makes a SFP that works with Juniper EX switches for use with a single strand of single mode fiber? Cisco has the following..

1000BASE-BX10-D and 1000BASE-BX10-U SFP for Single-Fiber Bidirectional Applications

The 1000BASE-BX-D and 1000BASE-BX-U SFPs, compatible with the IEEE 802.3ah 1000BASE-BX10-D and 1000BASE-BX10-U standards, operate on a single strand of standard SMF. A 1000BASE-BX10-D device is always connected to a 1000BASE-BX10-U device with a single strand of standard SMF with an operating transmission range up to 10 km.

The communication over a single strand of fiber is achieved by separating the transmission wavelength of the two devices as depicted in Figure 3: 1000BASE-BX10-D transmits a 1490-nm channel and receives a 1310-nm signal, whereas 1000BASE-BX10-U transmits at a 1310-nm wavelength and receives a 1490-nm signal. Note in Figure 3 the presence of a wavelength-division multiplexing (WDM) splitter integrated into the SFP to split the 1310-nm and 1490-nm light paths.

Thanks in Advance
Brendan
Re: [j-nsp] Single Fiber SM SFP
Wow, they have added some SFPs, there weren't nearly that many options last I checked. Sorry about that.

----- Original Message -----
From: Malte von dem Hagen m...@hosteurope.de
To: Brendan Mannella bmanne...@teraswitch.com
Cc: juniper-nsp juniper-nsp@puck.nether.net
Sent: Friday, August 6, 2010 10:15:26 AM
Subject: Re: [j-nsp] Single Fiber SM SFP

Hi,

On 06.08.10 14:56, Brendan Mannella wrote:

Does anyone know a company that makes a SFP that works with Juniper EX switches for use with a single strand of single mode fiber? Cisco has the following..

what about http://www.juniper.net/us/en/products-services/switching/ex-series/ex3200/#ordering (scroll down)?

.m

--
Malte von dem Hagen
Team Lead Network Engineering Operation
Technical Department
---
Host Europe GmbH - http://www.hosteurope.de
Welserstraße 14 - 51149 Köln - Germany
Phone: 0800 467 8387 - Fax: +49 180 5 66 3233 (*)
HRB 28495 Cologne District Court - VAT ID: DE187370678
Managing Directors: Uwe Braun - Alex Collins - Mark Joseph - Patrick Pulvermüller
(*) 0.14 EUR/min from the German landline network; at most 0.42 EUR/min from German mobile networks
Re: [j-nsp] SRX Config Question
I double checked I do have from zone untrust. I will try updating the address book and remove the periods.

Brendan Mannella
President and CEO
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Toll-Free: 866.583.6338
Mobile: 412-592-7848
Efax: 412.202.7094

----- Original Message -----
From: ben b benboyd.li...@gmail.com
To: Brendan Mannella bmanne...@teraswitch.com
Cc: Scott T. Cameron routeh...@gmail.com, juniper-nsp juniper-nsp@puck.nether.net
Sent: Monday, June 21, 2010 4:19:32 PM
Subject: Re: [j-nsp] SRX Config Question

the rule-set won't be natting, it'll be whatever rule-set rule 214 exists in

-Ben

On Mon, Jun 21, 2010 at 3:13 PM, Brendan Mannella bmanne...@teraswitch.com wrote:

I have to double check but I might have missed set security nat static rule-set natting from zone untrust... I will double check and update the list.

----- Original Message -----
From: ben b benboyd.li...@gmail.com
To: Brendan Mannella bmanne...@teraswitch.com
Cc: Scott T. Cameron routeh...@gmail.com, juniper-nsp juniper-nsp@puck.nether.net
Sent: Monday, June 21, 2010 4:10:43 PM
Subject: Re: [j-nsp] SRX Config Question

I noticed you didn't include all of the nat config. Make sure you have the from-zone configured for the static nat rule-set... ex.

set security nat static rule-set natting from zone untrust
set security nat static rule-set natting rule 214 match destination-address 111.111.111.214/32
set security nat static rule-set natting rule 214 then static-nat prefix 192.168.1.214/32

I've also noticed strange things when using . inside of an address-book address. I use _ instead.

-Ben

On Mon, Jun 21, 2010 at 2:57 PM, ben b benboyd.li...@gmail.com wrote:

The system does default deny if you haven't specified a default policy action.

set security policies default-policy permit-all

As far as the policy is concerned, the policy is applied AFTER destination nat is performed and BEFORE source nat is performed.

What is the output of 'show security policies' or 'show security policies from-zone untrust to-zone trust'?

-Ben

On Mon, Jun 21, 2010 at 1:18 PM, Brendan Mannella bmanne...@teraswitch.com wrote:

Nope, I actually don't see any deny statements at all. Does the system just deny everything that's not defined as allowed? Any other thing I should look at?

Brendan Mannella
President and CEO
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Toll-Free: 866.583.6338
Mobile: 412-592-7848
Efax: 412.202.7094

----- Original Message -----
From: Scott T. Cameron routeh...@gmail.com
To: juniper-nsp juniper-nsp@puck.nether.net
Sent: Monday, June 21, 2010 1:35:06 PM
Subject: Re: [j-nsp] SRX Config Question

Your rules actually seem fine at a glance. Are those the only rules in your system? No deny that might otherwise be blocking the traffic? I also migrated from ScreenOS and ditched all the old catch-all denies that I had at the bottom of zone policies because they don't work the same way in JunOS land.

You're right, you run the policies against the post-translated address, not the pre-translated. The NAT is separate entirely from policies.

scott

On Mon, Jun 21, 2010 at 12:54 PM, Brendan Mannella bmanne...@teraswitch.com wrote:

Yes that makes sense. And the policy pre srx was like this. But I am almost positive I read somewhere the srx was different in that the policy is looked at post NAT and so the private ip should be used. I will give that a shot though.

Brendan Mannella
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Mobile: 412.592.7848
Efax: 412.202.7094

On Jun 21, 2010, at 12:50 PM, Stefan Fouant sfou...@shortestpathfirst.net wrote:

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella
Sent: Monday, June 21, 2010 11:20 AM
To: juniper-nsp
Subject: [j-nsp] SRX Config Question

So main issue is the firewall does not seem to allow any incoming traffic on the ports I opened below on the policies. Anyone have any ideas what I am missing?

Hi Brendan,

How are things?

I could be wrong, but I believe the issue is with the untrust-to-trust policy where you are matching on destination-address 192.168.1.214:

from-zone untrust to-zone trust {
    policy 240-51 {
        match {
            source
Re: [j-nsp] SRX Config Question
Ok, I updated the address book from . to _

Below is the output of the commands, I haven't had a chance to retest with the updated address book to see if that does it, I will let you know. The NAT and policies look ok..

r...@srx210 show security nat static rule all
Total static-nat rules: 58
Static NAT rule: 51              Rule-set: static
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : untrust
  Destination addresses      : 111.111.111.214 (external public ip)
  Host addresses             : 192.168.1.214
  Netmask                    : 255.255.255.255
  Host routing-instance      : N/A
  Translation hits           : 0

r...@srx210 show security policies detail
Default policy: deny-all
Policy: trust-to-untrust, action-type: permit, State: enabled, Index: 4
  Sequence number: 1
  From zone: trust, To zone: untrust
  Source addresses:
    any: 0.0.0.0/0
  Destination addresses:
    any: 0.0.0.0/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
Policy: 240-214, action-type: permit, State: enabled, Index: 5
  Sequence number: 1
  From zone: untrust, To zone: trust
  Source addresses:
    any: 0.0.0.0/0
  Destination addresses:
    192_168_1_214: 192.168.1.214/32
  Application: rdp
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [3389-3389]
  Application: junos-dns-udp
    IP protocol: udp, ALG: dns, Inactivity timeout: 60
      Source port range: [0-0]
      Destination port range: [53-53]
  Application: junos-ftp
    IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [21-21]
  Application: junos-http
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [80-80]
  Application: junos-https
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [443-443]
  Application: junos-ms-sql
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [1433-1433]
  Session log: at-create, at-close

----- Original Message -----
From: ben b benboyd.li...@gmail.com
To: Brendan Mannella bmanne...@teraswitch.com
Cc: Scott T. Cameron routeh...@gmail.com, juniper-nsp juniper-nsp@puck.nether.net
Sent: Tuesday, June 22, 2010 1:32:52 PM
Subject: Re: [j-nsp] SRX Config Question

If the results of the show security policies detail operational command show the policies in the right order and allowing the right ports and show security nat static rule 214 looks like it's natting correctly, and removing the periods doesn't fix it, the only thing I can think of is that 192.168.1.214 isn't reachable from the SRX and the SRX is dropping the traffic. I typically start with an any any any permit to verify ping/trace through the SRX, then replace that with a narrowed down policy

On Tue, Jun 22, 2010 at 12:06 PM, Brendan Mannella bmanne...@teraswitch.com wrote:

I double checked I do have from zone untrust. I will try updating the address book and remove the periods.

Brendan Mannella
President and CEO
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Toll-Free: 866.583.6338
Mobile: 412-592-7848
Efax: 412.202.7094
Re: [j-nsp] SRX Config Question
Yes that makes sense. And the policy pre srx was like this. But I am almost positive I read somewhere the srx was different in that the policy is looked at post NAT and so the private ip should be used. I will give that a shot though.

Brendan Mannella
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Mobile: 412.592.7848
Efax: 412.202.7094

On Jun 21, 2010, at 12:50 PM, Stefan Fouant sfou...@shortestpathfirst.net wrote:

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella
Sent: Monday, June 21, 2010 11:20 AM
To: juniper-nsp
Subject: [j-nsp] SRX Config Question

So main issue is the firewall does not seem to allow any incoming traffic on the ports I opened below on the policies. Anyone have any ideas what I am missing?

Hi Brendan,

How are things?

I could be wrong, but I believe the issue is with the untrust-to-trust policy where you are matching on destination-address 192.168.1.214:

from-zone untrust to-zone trust {
    policy 240-51 {
        match {
            source-address any;
            destination-address 192.168.1.214;
            application [ rdp junos-dns-udp junos-ftp junos-http junos-https junos-ms-sql ];
        }

I believe in order for this to work you are going to need to make the destination-address 111.111.111.214. This will cause it to vector off into the NAT policy which will translate from 111.111.111.214 to 192.168.1.214. I think you might also need to use an address book entry whereby you put the pre-natted address (111.111.111.214) into your trust zone as well.

Feel free to contact me offline if you'd like additional assistance.

HTHs.

Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D
Re: [j-nsp] SRX Config Question
Nope, I actually don't see any deny statements at all. Does the system just deny everything that's not defined as allowed? Any other thing I should look at?

Brendan Mannella
President and CEO
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Toll-Free: 866.583.6338
Mobile: 412-592-7848
Efax: 412.202.7094

----- Original Message -----
From: Scott T. Cameron routeh...@gmail.com
To: juniper-nsp juniper-nsp@puck.nether.net
Sent: Monday, June 21, 2010 1:35:06 PM
Subject: Re: [j-nsp] SRX Config Question

Your rules actually seem fine at a glance. Are those the only rules in your system? No deny that might otherwise be blocking the traffic? I also migrated from ScreenOS and ditched all the old catch-all denies that I had at the bottom of zone policies because they don't work the same way in JunOS land.

You're right, you run the policies against the post-translated address, not the pre-translated. The NAT is separate entirely from policies.

scott

On Mon, Jun 21, 2010 at 12:54 PM, Brendan Mannella bmanne...@teraswitch.com wrote:

Yes that makes sense. And the policy pre srx was like this. But I am almost positive I read somewhere the srx was different in that the policy is looked at post NAT and so the private ip should be used. I will give that a shot though.

Brendan Mannella
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Mobile: 412.592.7848
Efax: 412.202.7094

On Jun 21, 2010, at 12:50 PM, Stefan Fouant sfou...@shortestpathfirst.net wrote:

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella
Sent: Monday, June 21, 2010 11:20 AM
To: juniper-nsp
Subject: [j-nsp] SRX Config Question

So main issue is the firewall does not seem to allow any incoming traffic on the ports I opened below on the policies. Anyone have any ideas what I am missing?

Hi Brendan,

How are things?

I could be wrong, but I believe the issue is with the untrust-to-trust policy where you are matching on destination-address 192.168.1.214:

from-zone untrust to-zone trust {
    policy 240-51 {
        match {
            source-address any;
            destination-address 192.168.1.214;
            application [ rdp junos-dns-udp junos-ftp junos-http junos-https junos-ms-sql ];
        }

I believe in order for this to work you are going to need to make the destination-address 111.111.111.214. This will cause it to vector off into the NAT policy which will translate from 111.111.111.214 to 192.168.1.214. I think you might also need to use an address book entry whereby you put the pre-natted address (111.111.111.214) into your trust zone as well.

Feel free to contact me offline if you'd like additional assistance.

HTHs.

Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D
Re: [j-nsp] SRX Config Question
I have to double check but I might have missed set security nat static rule-set natting from zone untrust... I will double check and update the list.

----- Original Message -----
From: ben b benboyd.li...@gmail.com
To: Brendan Mannella bmanne...@teraswitch.com
Cc: Scott T. Cameron routeh...@gmail.com, juniper-nsp juniper-nsp@puck.nether.net
Sent: Monday, June 21, 2010 4:10:43 PM
Subject: Re: [j-nsp] SRX Config Question

I noticed you didn't include all of the nat config. Make sure you have the from-zone configured for the static nat rule-set... ex.

set security nat static rule-set natting from zone untrust
set security nat static rule-set natting rule 214 match destination-address 111.111.111.214/32
set security nat static rule-set natting rule 214 then static-nat prefix 192.168.1.214/32

I've also noticed strange things when using . inside of an address-book address. I use _ instead.

-Ben

On Mon, Jun 21, 2010 at 2:57 PM, ben b benboyd.li...@gmail.com wrote:

The system does default deny if you haven't specified a default policy action.

set security policies default-policy permit-all

As far as the policy is concerned, the policy is applied AFTER destination nat is performed and BEFORE source nat is performed.

What is the output of 'show security policies' or 'show security policies from-zone untrust to-zone trust'?

-Ben

On Mon, Jun 21, 2010 at 1:18 PM, Brendan Mannella bmanne...@teraswitch.com wrote:

Nope, I actually don't see any deny statements at all. Does the system just deny everything that's not defined as allowed? Any other thing I should look at?

Brendan Mannella
President and CEO
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Toll-Free: 866.583.6338
Mobile: 412-592-7848
Efax: 412.202.7094

----- Original Message -----
From: Scott T. Cameron routeh...@gmail.com
To: juniper-nsp juniper-nsp@puck.nether.net
Sent: Monday, June 21, 2010 1:35:06 PM
Subject: Re: [j-nsp] SRX Config Question

Your rules actually seem fine at a glance. Are those the only rules in your system? No deny that might otherwise be blocking the traffic? I also migrated from ScreenOS and ditched all the old catch-all denies that I had at the bottom of zone policies because they don't work the same way in JunOS land.

You're right, you run the policies against the post-translated address, not the pre-translated. The NAT is separate entirely from policies.

scott

On Mon, Jun 21, 2010 at 12:54 PM, Brendan Mannella bmanne...@teraswitch.com wrote:

Yes that makes sense. And the policy pre srx was like this. But I am almost positive I read somewhere the srx was different in that the policy is looked at post NAT and so the private ip should be used. I will give that a shot though.

Brendan Mannella
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Mobile: 412.592.7848
Efax: 412.202.7094

On Jun 21, 2010, at 12:50 PM, Stefan Fouant sfou...@shortestpathfirst.net wrote:

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella
Sent: Monday, June 21, 2010 11:20 AM
To: juniper-nsp
Subject: [j-nsp] SRX Config Question

So main issue is the firewall does not seem to allow any incoming traffic on the ports I opened below on the policies. Anyone have any ideas what I am missing?

Hi Brendan,

How are things?

I could be wrong, but I believe the issue is with the untrust-to-trust policy where you are matching on destination-address 192.168.1.214:

from-zone untrust to-zone trust {
    policy 240-51 {
        match {
            source-address any;
            destination-address 192.168.1.214;
            application [ rdp junos-dns-udp junos-ftp junos-http junos-https junos-ms-sql ];
        }

I believe in order for this to work you are going to need to make the destination-address 111.111.111.214. This will cause it to vector off into the NAT policy which will translate from 111.111.111.214 to 192.168.1.214. I think you might also need to use an address book entry whereby you put the pre-natted address (111.111.111.214) into your trust zone as well.

Feel free to contact me offline if you'd like additional assistance.

HTHs.

Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D
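Scott and Ben above describe the SRX first-packet path as static/destination NAT first, then the policy lookup on the translated address, then source NAT. The model below is an added example, not code from the thread or from Juniper: it encodes that order so the effect of the details discussed (the rule-set's "from zone" statement, and which address the untrust-to-trust policy names) can be checked against the thread's 111.111.111.214 / 192.168.1.214 pair. The zone prefixes, the 203.0.113.7 client, and the rule and policy objects are constructed.

```python
"""Added example (not from the thread or Juniper): a model of the SRX
first-packet path in the order the thread states, static (destination) NAT,
route lookup, policy lookup on the translated address, then source NAT.

Assumptions: trust is 192.168.1.0/24 and everything else is reached via
untrust; application port numbers are the ones listed in the thread's
'show security policies detail' output; 203.0.113.7 is a constructed client."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

APPLICATIONS = {
    "rdp": ("tcp", 3389), "junos-dns-udp": ("udp", 53), "junos-ftp": ("tcp", 21),
    "junos-http": ("tcp", 80), "junos-https": ("tcp", 443), "junos-ms-sql": ("tcp", 1433),
}
ZONES = {"trust": ip_network("192.168.1.0/24"), "untrust": ip_network("0.0.0.0/0")}


@dataclass(frozen=True)
class StaticNatRule:
    """One rule under 'security nat static rule-set <name>'. from_zone None
    models a rule-set whose 'from zone' statement is missing."""
    from_zone: Optional[str]
    match_dst: str
    static_prefix: str


@dataclass(frozen=True)
class Policy:
    name: str
    from_zone: str
    to_zone: str
    source: str
    destination: str
    applications: tuple
    action: str  # "permit" or "deny"


@dataclass(frozen=True)
class Packet:
    in_zone: str
    src: str
    dst: str
    proto: str
    dport: int


def zone_for(addr: str) -> str:
    """Route-lookup stand-in: the longest matching zone prefix wins."""
    ip = ip_address(addr)
    name, _net = max(((n, z) for n, z in ZONES.items() if ip in z),
                     key=lambda item: item[1].prefixlen)
    return name


def static_nat(pkt: Packet, rules) -> str:
    """Step 1: static NAT, matched only on the rule-set's ingress zone."""
    for r in rules:
        if r.from_zone == pkt.in_zone and ip_address(pkt.dst) in ip_network(r.match_dst):
            return str(ip_network(r.static_prefix).network_address)
    return pkt.dst


def first_packet(pkt: Packet, nat_rules, policies, default_policy="deny-all"):
    """Return (action, destination after NAT). The policy is evaluated on the
    post-NAT destination, so a policy naming the public address never matches."""
    dst = static_nat(pkt, nat_rules)
    to_zone = zone_for(dst)                       # step 2: route lookup
    for p in policies:                            # step 3: ordered policy lookup
        if p.from_zone != pkt.in_zone or p.to_zone != to_zone:
            continue
        if ip_address(pkt.src) not in ip_network(p.source):
            continue
        if ip_address(dst) not in ip_network(p.destination):
            continue
        if (pkt.proto, pkt.dport) not in {APPLICATIONS[a] for a in p.applications}:
            continue
        return p.action, dst
    return ("permit" if default_policy == "permit-all" else "deny"), dst


# Configuration variants discussed in the thread.
APPS = ("rdp", "junos-dns-udp", "junos-ftp", "junos-http", "junos-https", "junos-ms-sql")
NAT_OK = [StaticNatRule("untrust", "111.111.111.214/32", "192.168.1.214/32")]
NAT_NO_FROM_ZONE = [StaticNatRule(None, "111.111.111.214/32", "192.168.1.214/32")]
POLICY_PRIVATE = [Policy("240-214", "untrust", "trust", "0.0.0.0/0",
                         "192.168.1.214/32", APPS, "permit")]
POLICY_PUBLIC = [Policy("240-214", "untrust", "trust", "0.0.0.0/0",
                        "111.111.111.214/32", APPS, "permit")]
INBOUND_RDP = Packet("untrust", "203.0.113.7", "111.111.111.214", "tcp", 3389)

if __name__ == "__main__":
    print(first_packet(INBOUND_RDP, NAT_OK, POLICY_PRIVATE))           # permit
    print(first_packet(INBOUND_RDP, NAT_OK, POLICY_PUBLIC))            # deny: policy sees 192.168.1.214
    print(first_packet(INBOUND_RDP, NAT_NO_FROM_ZONE, POLICY_PRIVATE)) # deny: never translated
```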
Re: [j-nsp] Need suggestions..
What version of code are you using? I have two m7i's, each taking one full table. One runs 8.5 and the other 9.3 and there is a VERY big difference in memory usage.

Brendan Mannella, CEO
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Mobile: 412.592.7848
Efax: 412.202.7094

On Feb 4, 2010, at 11:43 AM, TCIS List Acct lista...@tulsaconnect.com wrote:

We have 4 M7i's with RE-400's and 768M RAM and have never had a problem with taking full routes (we are at 55% memory usage right now). With all of the comments on this topic, should we be worried? Our units push ~200Mbit traffic, so they are nowhere near capacity CPU wise.

I can confirm your worry about the RE-850. We had one box with a full Internet table (~310K prefixes) *and* a reasonable number of L3VPNs with a total of ~160K prefixes, *and* a high number of interfaces. This box needed enough RE memory that we started seeing swap usage. Not good. Now the box has a reduced Internet table, and is happy.

Steinar Haug, Nethelp consulting, sth...@nethelp.no

--
Mike Bacher / lista...@tulsaconnect.com
TCIS - TulsaConnect Internet Services
http://www.tulsaconnect.com
Re: [j-nsp] LH SFP
Thanks for the info. So the ZX will have no issue working in Juniper PICs?

On 2/3/10 12:50 PM, Richard A Steenbergen r...@e-gerbil.net wrote:

> On Wed, Feb 03, 2010 at 12:35:40PM -0500, Brendan Mannella wrote:
>> Does anyone know where to source LH SFP optics for Juniper PICs, looking for non-Juniper? I checked Fluxlight but they only have LX. I need to shoot the light 26 miles, and LX only seems to be able to do 10km.
>
> What Juniper calls LH is what the rest of the (Cisco following) world calls ZX. What Cisco calls LH is actually an alias for LX, more or less. The original LX spec was only for 2km, so when a 10km version of the same optic came along Cisco called it LH. Eventually everyone standardized on the 10km version to the point that nobody even remembers the 2km version any more, and now Cisco calls it LX/LH and everyone else just calls it LX.
>
> Just search for ZX SFP, you'll find an infinite supply of them for cheap.
> http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItemitem=120522439087
>
> Or you could pay a few bucks more and get a 100km budget version of the same thing, etc.
[j-nsp] JUNOS
Because of the recent code issues with JUNOS we are upgrading all our router code. What is the latest stable release recommended at this point for the M-Series? I see 9.5 is at R3.7 and 9.4 is at R4.5. Also we have some routers still running 8.5R4.3 and was wondering if we need to upgrade in order or can we jump directly to 9.4 or 9.5.

Thanks,
Brendan
[j-nsp] EX3200/EX4200 Rate-Limit
Upgrading to 9.3R4.4 seems to have broken my rate-limiting. The switch is being used to aggregate colo customers, and I need to be able to create rate-limits for different speeds and apply them to different physical ports. Can anyone provide an example config for this? I had..

    firewall {
        policer 10m {
            ##
            ## Warning: statement ignored: unsupported platform (ex3200-48t)
            ##
            filter-specific;
            if-exceeding {
                bandwidth-limit 10m;
                burst-size-limit 100k;
            }
            then discard;
        }
        family ethernet-switching {
            filter rate-limit-10m {
                term 1 {
                    then policer 10m;

Thanks,
Brendan Mannella
[j-nsp] Juniper Ex8200
Experts,

I was wondering if anyone had any good or bad experiences with the EX8200 platform. Specifically how well it works as a core/agg box running BGP/OSPF. This box would aggregate all customer L2 switches with .1q trunks to it. It would route all customer VLANs and act as the default gateway for customers. I would expect it to run OSPF and IBGP with my two M7i border routers. The big question is will it hold a full table? I see it can do 512k routes. I know the MX could do it, but it's out of budget range at this time. Any information/experiences would be helpful.

Regards,
Brendan Mannella
[j-nsp] Juniper Traffic Monitoring
I was wondering what the list recommends for traffic monitoring as far as software and which method is the most popular. I have a project to gain some much needed visibility into my network. All devices are Juniper. I know there are multiple options available such as NetFlow, sFlow, and port mirroring, but what do most people use and what are the pros and cons? Also I was wondering what software is most popular. I have seen some options like NTOP, Scrutinizer, etc. Any insight would be appreciated. Thanks in advance.

Brendan Mannella
Re: [j-nsp] cannot see hard disk
The command he is referring to is...

From shell, as root, check the boot devices:

    sysctl -a | grep bootdevs

(You will most likely see this)

    machdep.bootdevs: pcmcia-flash,compact-flash,lan

(at prompt, copy and paste this to put the HD back in the boot order)

    sysctl -w machdep.bootdevs=pcmcia-flash,compact-flash,disk,lan

Repeat 'sysctl -a | grep bootdevs' to ensure that it was changed.

If it happens again, there is most likely something wrong with the hard disk, which seems to be common on the M7i; then your options are to RMA the RE if you have support, and if not you can replace it with an SSD drive.

Hope this helps.

Brendan Mannella

----- Original Message -----
From: Jonathan Looney jonloo...@gmail.com
To: Shankar shanka...@gmail.com
Cc: juniper-nsp@puck.nether.net
Sent: Thursday, September 24, 2009 11:31:26 AM GMT -05:00 US/Canada Eastern
Subject: Re: [j-nsp] cannot see hard disk

> If your system booted without the hard disk, it is likely the hard disk was removed from the boot order. If the hard disk was removed from the boot order, it won't show up in show chassis hardware details (at least in my experience). It probably won't even show up in the boot messages. However, that does not mean that the hard disk is permanently destroyed, defective, etc.; rather, it just means that the system detected an error (whether transient or fatal) and stopped using it (including removing it from the boot order).
>
> I believe there is at least one way to re-add it to the boot order; however, it involves dropping down to the shell (and, therefore, is not supported without JTAC blessing). You should probably contact the JTAC for help.
>
> -Jon
>
> On Thu, Sep 24, 2009 at 10:53 AM, Shankar shanka...@gmail.com wrote:
>> can you check if you have hard-disk using the following commands:
>>
>>     show chassis hardware details
>>     show system boot-messages
>>
>> if not, you should have seen some hardware errors or logs relating to hard-disk.. if yes, replace the RE...
>>
>> cheers
>>
>> On Thu, Sep 24, 2009 at 12:20 PM, Erol KAHRAMAN erol.kahra...@gmail.com wrote:
>>> Hi all,
>>>
>>> I have m7i box. It restarted today and hard disk went off. I cannot see it in my storage devices.
>>>
>>>     Router1> show system storage
>>>     Filesystem   Size  Used  Avail  Capacity  Mounted on
>>>     /dev/ad0s1a  217M   61M   139M       30%  /
>>>     devfs         16K   16K     0B      100%  /dev/
>>>     /dev/vn0      16M   16M     0B      100%  /packages/mnt/jbase
>>>     /dev/vn1      65M   65M     0B      100%  /packages/mnt/jkernel-8.4R1.13
>>>     /dev/vn2     8.5M  8.5M     0B      100%  /packages/mnt/jpfe-M7i-8.4R1.13
>>>     /dev/vn3     2.6M  2.6M     0B      100%  /packages/mnt/jdocs-8.4R1.13
>>>     /dev/vn4      22M   22M     0B      100%  /packages/mnt/jroute-8.4R1.13
>>>     /dev/vn5     8.0M  8.0M     0B      100%  /packages/mnt/jcrypto-8.4R1.13
>>>     /dev/vn6      14M   14M     0B      100%  /packages/mnt/jpfe-common-8.4R1.13
>>>     mfs:136       62M  1.0K    57M        0%  /tmp
>>>     mfs:150       62M   16M    41M       28%  /mfs
>>>     /dev/ad0s1e   24M   18K    22M        0%  /config
>>>     procfs       4.0K  4.0K     0B      100%  /proc
>>>
>>> How can I get it back? Any idea?
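A small helper for the boot-order step in Brendan's reply above, added here as an example and not code from the thread or from Juniper. It takes the "machdep.bootdevs:" line exactly as "sysctl -a | grep bootdevs" prints it, puts "disk" back in front of the "lan" network-boot fallback, and prints the "sysctl -w" line to paste, so the corrected list is derived from what the box reports rather than retyped. It assumes the FreeBSD-style sysctl on the RE shell (the "machdep.bootdevs=<list>" form with -w), uses a constructed sample line, and never changes anything itself: you run the printed command as root, and, as Jon notes above, that shell step is outside what JTAC supports.

```shell
#!/bin/sh
# Added example for this page, not code from the thread or from Juniper.
# Assumes the Junos RE shell exposes the FreeBSD-style sysctl knob
# "machdep.bootdevs" and accepts "sysctl -w machdep.bootdevs=<list>".
# Nothing here changes the box: the functions only compute and print
# the command, which you paste at the root shell yourself.

# Strip the "machdep.bootdevs: " prefix from a "sysctl -a | grep bootdevs" line.
bootdevs_value() {
    printf '%s\n' "$1" | sed 's/^machdep\.bootdevs:[[:space:]]*//'
}

# Insert "disk" just before "lan" (the network-boot fallback) so the hard
# disk is tried after the flash devices and before netboot. If "disk" is
# already present the list is returned unchanged; if there is no "lan"
# entry "disk" is appended at the end.
fix_bootdevs() {
    out=""
    seen_disk=0
    for dev in $(printf '%s\n' "$1" | tr ',' ' '); do
        if [ "$dev" = lan ] && [ "$seen_disk" -eq 0 ]; then
            out="${out}disk,"
            seen_disk=1
        fi
        if [ "$dev" = disk ]; then
            seen_disk=1
        fi
        out="${out}${dev},"
    done
    if [ "$seen_disk" -eq 0 ]; then
        out="${out}disk,"
    fi
    printf '%s\n' "${out%,}"
}

# Print the sysctl -w command to run, or a comment when nothing is needed.
bootdevs_fix_cmd() {
    cur=$(bootdevs_value "$1")
    new=$(fix_bootdevs "$cur")
    if [ "$cur" = "$new" ]; then
        printf '# disk already in boot order: %s\n' "$cur"
    else
        printf 'sysctl -w machdep.bootdevs=%s\n' "$new"
    fi
}

# Constructed sample line, matching what the post says you will most likely see.
SAMPLE_BOOTDEVS='machdep.bootdevs: pcmcia-flash,compact-flash,lan'
bootdevs_fix_cmd "$SAMPLE_BOOTDEVS"
```

Run it with the real line pasted in place of the sample; it is idempotent, so a second pass after the fix prints a comment instead of another sysctl -w. Re-check with "sysctl -a | grep bootdevs" afterwards as the post says, and treat a disk that drops out of the boot order again as a hardware problem rather than something to keep scripting around.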
Re: [j-nsp] cannot see hard disk
If not you could also replace the hard disk with another one or even a new SSD drive. I just went through this if you need assistance.

Brendan

----- Original Message -----
From: Shankar shanka...@gmail.com
To: erol kahraman erol.kahra...@gmail.com
Cc: juniper-nsp@puck.nether.net
Sent: Thursday, September 24, 2009 10:53:48 AM GMT -05:00 US/Canada Eastern
Subject: Re: [j-nsp] cannot see hard disk

> can you check if you have hard-disk using the following commands:
>
>     show chassis hardware details
>     show system boot-messages
>
> if not, you should have seen some hardware errors or logs relating to hard-disk.. if yes, replace the RE...
>
> cheers
>
> On Thu, Sep 24, 2009 at 12:20 PM, Erol KAHRAMAN erol.kahra...@gmail.com wrote:
>> Hi all,
>>
>> I have m7i box. It restarted today and hard disk went off. I cannot see it in my storage devices.
>>
>>     Router1> show system storage
>>     Filesystem   Size  Used  Avail  Capacity  Mounted on
>>     /dev/ad0s1a  217M   61M   139M       30%  /
>>     devfs         16K   16K     0B      100%  /dev/
>>     /dev/vn0      16M   16M     0B      100%  /packages/mnt/jbase
>>     /dev/vn1      65M   65M     0B      100%  /packages/mnt/jkernel-8.4R1.13
>>     /dev/vn2     8.5M  8.5M     0B      100%  /packages/mnt/jpfe-M7i-8.4R1.13
>>     /dev/vn3     2.6M  2.6M     0B      100%  /packages/mnt/jdocs-8.4R1.13
>>     /dev/vn4      22M   22M     0B      100%  /packages/mnt/jroute-8.4R1.13
>>     /dev/vn5     8.0M  8.0M     0B      100%  /packages/mnt/jcrypto-8.4R1.13
>>     /dev/vn6      14M   14M     0B      100%  /packages/mnt/jpfe-common-8.4R1.13
>>     mfs:136       62M  1.0K    57M        0%  /tmp
>>     mfs:150       62M   16M    41M       28%  /mfs
>>     /dev/ad0s1e   24M   18K    22M        0%  /config
>>     procfs       4.0K  4.0K     0B      100%  /proc
>>
>> How can I get it back? Any idea?
Re: [j-nsp] LX SFP Question
Set no negotiate on the interface. This is most likely the problem.

Brendan Mannella

On Sep 24, 2009, at 5:35 PM, Paul Stewart p...@paulstewart.org wrote:

> Hi folks...
>
> Does anyone know the tolerance of the LH SFP's from Juniper? We are trying to get an EX3200 switch configured and ready for production - have a case open at JTAC but haven't been able to resolve. In fairness to the JTAC engineer, I haven't had a lot of time to troubleshoot except for performing a software upgrade which has been completed (9.4).
>
> The link is up/up from the EX3200 to a Cisco 6500 but the distance at the moment (while testing) is literally 15' or so. In the Cisco world we have no problem on such short distances but wondering if something is different or causing a problem for the Juniper. We see up/up and at one point were seeing a MAC address but unable to access the Management VLAN on the switch (only VLAN configured at the moment). Since the software upgrade we cannot see a MAC address even, which has me wondering about the connection running too hot.
>
> JTAC verified that the configuration is correct - Cisco TAC has verified that the IOS configuration is correct.
>
> Many thanks,
> Paul
Re: [j-nsp] EX4200
I was running 9.5R1.8, all I did was add a vlan member to the physical port that's tagged to the M7i and traffic stopped on that interface.

Sent from my iPhone

On Aug 27, 2009, at 1:30 PM, Ross Vandegrift r...@kallisti.us wrote:

> On Mon, Aug 17, 2009 at 02:18:16PM -0400, Brendan Mannella wrote:
>> I was wondering if anyone has ever seen an EX4200 drop OSPF/BGP session when adding a vlan member to an interface?
>>
>>     ge-0/1/2 {
>>         description ge-1-3-0.m7i.pit2;
>>         unit 0 {
>>             family ethernet-switching {
>>                 port-mode trunk;
>>                 vlan {
>>                     members [ v101 v501 v510 505 ];
>>
>> This link connects to a gig interface on a m7i, which I have not configured the additional vlans on yet. Though 101, 501, 510, and 505 are configured on there. All I did was add vlan members 513, 514, 515 and committed it and that brought down all connections that pass through the 4200 interface ge-0/1/2 to the m7i.
>
> Brendan,
>
> Could you comment a bit more on your config with this issue? I just attempted to replicate it on a 9.5R2 lab box and was unable. I tested with OSPF running on an RVI with two upstream routers. Changing trunks unrelated to OSPF didn't flap. Neither did changing trunks carrying the VLAN for my RVI.
>
> I just want to make sure I'm 100% avoiding this potential issue.
>
> --
> Ross Vandegrift
> r...@kallisti.us
>
> If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher.
> --Woody Guthrie
[j-nsp] Partition/Format new HD
Hello,

I have been battling trying to replace a failed hard disk on my Juniper M7i. I have finally got the disk to be recognized by the system. Now I need to put all the partitions back. The router successfully boots from the CF so I can run system commands. I tried..

    r...@ibr1.pit> request system partition hard-disk
    mount: /dev/ad1s1e on /altconfig: incorrect super block
    ERROR: Can't access hard disk, aborting partition.

Am I missing a command first?

Thanks,
Brendan
Re: [j-nsp] Partition/Format new HD
I am actually ok now, thanks to Kevin Oberman from Energy Sciences Network (ESnet). I am working on documenting the events to post to the list, as I am sure this will happen to someone else. And surprisingly I could not find one place for the answer.

On 8/21/09 2:13 PM, Nalkhande Tarique Abbas ntari...@juniper.net wrote:

> Brendan,
>
> Your new hdd doesn't look to be in good shape, how about a quick health check?
>
> A smartd,
>
>     r...@radium-re0-tarique% smartd -oX /dev/ad1
>     Drive Command Successful, Extended Self test has begun
>     Please wait 17 minutes for test to complete
>     Use smartd -oA to abort test
>
> Ensure alternate super block exists,
>
>     r...@radium-re0-tarique% newfs -N /dev/ad1s1a
>     r...@radium-re0-tarique% newfs -N /dev/ad1s1e
>
> Perform filechecks, run these several times
>
>     r...@radium-re0-tarique% fsck -f /dev/ad1s1a
>     r...@radium-re0-tarique% fsck -f /dev/ad1s1e
>
> {-f : Force fsck to check `clean' filesystems when preening}
>
> If the above fails, we could preen.
>
>     r...@radium-re0-tarique% fsck -p /dev/ad1s1a
>     r...@radium-re0-tarique% fsck -p /dev/ad1s1e
>
> -p : Preen filesystems. Some of the corrective actions which are not correctable under the -p option can result in some loss of data.
>
> The above checks will determine our next step.
>
> Thanks
> Regards,
> Tarique A. Nalkhande
>
> -----Original Message-----
> From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella
> Sent: Friday, August 21, 2009 10:03 PM
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] Partition/Format new HD
>
>> Hello,
>>
>> I have been battling trying to replace a failed hard disk on my Juniper M7i. I have finally got the disk to be recognized by the system. Now I need to put all the partitions back. The router successfully boots from the CF so I can run system commands. I tried..
>>
>>     r...@ibr1.pit> request system partition hard-disk
>>     mount: /dev/ad1s1e on /altconfig: incorrect super block
>>     ERROR: Can't access hard disk, aborting partition.
>>
>> Am I missing a command first?
>>
>> Thanks,
>> Brendan
Re: [j-nsp] Partition/Format new HD
Yes, but that command did not work for me until I did request system snapshot partition first. Then I did request system partition hard-disk.

Initially I replaced the bad disk with a brand new SSD out of the box, booted and ran request system partition hard-disk and I got the following error..

    r...@ibr1.pit> request system partition hard-disk
    mount: /dev/ad1s1e on /altconfig: incorrect super block
    ERROR: Can't access hard disk, aborting partition.

Not until I ran request system snapshot partition first did it work.

On 8/21/09 1:53 PM, Kevin Oberman ober...@es.net wrote:

>> Date: Fri, 21 Aug 2009 09:56:45 -0700
>> From: Kevin Oberman ober...@es.net
>> Sender: juniper-nsp-boun...@puck.nether.net
>>
>>> Date: Fri, 21 Aug 2009 12:32:30 -0400
>>> From: Brendan Mannella bmanne...@teraswitch.com
>>> Sender: juniper-nsp-boun...@puck.nether.net
>>>
>>> Hello,
>>>
>>> I have been battling trying to replace a failed hard disk on my Juniper M7i. I have finally got the disk to be recognized by the system. Now I need to put all the partitions back. The router successfully boots from the CF so I can run system commands. I tried..
>>>
>>>     r...@ibr1.pit> request system partition hard-disk
>>>     mount: /dev/ad1s1e on /altconfig: incorrect super block
>>>     ERROR: Can't access hard disk, aborting partition.
>>>
>>> Am I missing a command first?
>>
>> request system snapshot partition
>>
>> but, if the disk is already partitioned for Windows, you should first start shell and
>>
>>     dd if=/dev/zero of=/dev/adq bs=512 count=1024
>>
>> This assumes the hard disk is ad1. You can confirm this with 'tail /var/run/dmesg' after starting shell or 'file show /var/run/dmesg' in the CLI.
>
> Replying to myself to correct my mistakes:
>
> The command to wipe the partition table on a disk set up for Windows should have read:
>
>     dd if=/dev/zero of=/dev/ad1 bs=512 count=1024
>
> Lazy finger!
>
> More importantly, once that is done 'request system partition hard-disk' is the correct way to partition the hard drive. The snapshot command will only create the partitions needed to snapshot the flash and not 'b' (swap) or 'f' (var) which don't exist on the CF.
>
> Sorry for posting the bogus information.
Re: [j-nsp] EX4200
I have just gone to 9.3R4.4 and it fixed most issues. Seems very stable so far.

Sent from my iPhone

On Aug 20, 2009, at 4:42 AM, Michael Schedrin msched...@gmail.com wrote:

> I saw ospf drop when adding vlan to interface. 9.5R2.7
> I've seen lots of other bugs on ex switches, this one is not the worst :(
>
> 2009/8/17 Brendan Mannella bmanne...@teraswitch.com
>> I was wondering if anyone has ever seen an EX4200 drop OSPF/BGP session when adding a vlan member to an interface?
>>
>>     ge-0/1/2 {
>>         description ge-1-3-0.m7i.pit2;
>>         unit 0 {
>>             family ethernet-switching {
>>                 port-mode trunk;
>>                 vlan {
>>                     members [ v101 v501 v510 505 ];
>>
>> This link connects to a gig interface on a m7i, which I have not configured the additional vlans on yet. Though 101, 501, 510, and 505 are configured on there. All I did was add vlan members 513, 514, 515 and committed it and that brought down all connections that pass through the 4200 interface ge-0/1/2 to the m7i.
>>
>> Any ideas?
>>
>> Thanks,
>> Brendan
>
> --
> Best regards,
> Mikhail Shchedrin
> Head of Department TP2
> SkyNet Telecom
> http://sknt.ru
> tel. +7 911 934-79-83
Re: [j-nsp] M7i compact flash card
I have successfully done this on RE-400s on M7i's. I used Sandisk 2GB Ultra II 15MB/s CFs. I believe the actual part number is SDCFH-002G-A11.

On 8/20/09 10:31 AM, Jonathan Brashear jonathan.brash...@hq.speakeasy.net wrote:

> With the caveat that Juniper doesn't support CFs you buy elsewhere, I believe the 'Juniper' CFs are re-branded Sandisk CFs.
>
> Network Engineer, JNCIS-M
> 214-981-1954 (office)
> 214-642-4075 (cell)
> jbrash...@hq.speakeasy.net
> http://www.speakeasy.net
>
> -----Original Message-----
> From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Cyn D.
> Sent: Thursday, August 20, 2009 8:12 AM
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] M7i compact flash card
>
>> Hi list,
>>
>> We are looking at adding a compact flash on our M7i boxes. If we don't order it from Juniper, could someone tell me which manufacturer Juniper uses for CF? What's the R/W speed of the card or does it even matter? Any specification of the card is appreciated. Thanks.
>>
>> C.
Re: [j-nsp] M7i Hard Disk Replacement
So I have settled on replacing the hard drive with an SSD. But I have two more questions.

1) I see on the cluepon link that they are using an 8GB drive. RE-400 comes with a 20 gig drive. Will an 8GB be fine, or should I get something of similar size to the factory size?

2) I did have a CF card in the router, is it normal/default behavior for it to reboot the router upon disk failure?

Brendan

On 8/14/09 12:50 PM, Jonas Frey j...@probe-networks.de wrote:

> I recommend using SSD's, see:
> http://juniper.cluepon.net/index.php/Replacing_the_harddisk_with_solid_state_flash
>
> Regards,
> Jonas
>
>>> Hello,
>>> I was wondering if anyone has successfully replaced a hard disk on an M7i RE-5.0. If so with what model disk, and once installed what is the procedure to get the disk back to working/formatted condition.
>>
>> No magic involved. Just replace it with a disk of the same or greater capacity. Be sure it's one rated for continuous operation, not a standard laptop drive. (This will make the drive a lot more expensive!) Then just request system snapshot partition for format, partition, load the drive. Make sure the jumper on the drive is set to slave mode.
>>
>> - Kevin
Re: [j-nsp] EX3200 Interface Strangeness
What happens if a 10G card is installed? Do you lose the last two ports? And is this behavior the same on the 4200?

On 8/17/09 10:41 AM, Bill Blackford bblackf...@nwresd.k12.or.us wrote:

> That makes sense. I'm not at all happy with it, but it makes sense. I am using ge-0/1/0 which must correspond to ge-0/0/20.
>
> Thanks.
> -b
>
> -----Original Message-----
> From: Mike Mainer [mailto:mmai...@tekinside.com]
> Sent: Monday, August 17, 2009 7:39 AM
> To: Bill Blackford
> Subject: Re: [j-nsp] EX3200 Interface Strangeness
>
>> The 3200 is set up so that if an uplink Mod is installed you lose the last X ports. Example: you have a 24x10/100/1000 with 4x1GigE card. If/when ports are active on this 4x1GigE card, ports 20-23 become INACTIVE. They are mutually exclusive.
>>
>> -Mike Mainer
>>
>> Bill Blackford wrote:
>>> I'm experiencing a weird issue with an interface that seems to have vanished. (see below 1.) I also have a general question on how the EX platform indexes interfaces. (see below 2.)
>>>
>>> =====
>>> 1. Vanishing Interface
>>>
>>> I have several ex3200's in production and noticed that ge-0/0/20 shows up in the config, but doesn't appear to exist.
>>>
>>>     bblackf...@wsc-sw-ex3200-1> show chassis hardware
>>>     Hardware inventory:
>>>     Item             Version  Part number  Serial number  Description
>>>     Chassis                                BH0208188142   EX3200-24T
>>>     FPC 0            REV 07   750-021261   BH0208188142   EX3200-24T, 8 POE
>>>       CPU                     BUILTIN      BUILTIN        FPC CPU
>>>       PIC 0                   BUILTIN      BUILTIN        24x 10/100/1000 Base-T
>>>       PIC 1          REV 04   711-021270   AR0209216364   4x GE SFP
>>>         Xcvr 0                NON-JNPR     FFX20H700284   SFP-SX
>>>     Power Supply 0   REV 02   740-020957   AT0508119769   PS 320W AC
>>>     Fan Tray                                              Fan Tray
>>>
>>>     bblackf...@wsc-sw-ex3200-1> show version
>>>     Hostname: wsc-sw-ex3200-1
>>>     Model: ex3200-24t
>>>     JUNOS Base OS boot [9.5R2.7]
>>>
>>>     bblackf...@wsc-sw-ex3200-1> show chassis fpc pic-status
>>>     Slot 0   Online   EX3200-24T, 8 POE
>>>       PIC 0  Online   24x 10/100/1000 Base-T
>>>       PIC 1  Online   4x GE SFP
>>>
>>> Now,
>>>
>>>     bblackf...@wsc-sw-ex3200-1> show configuration interfaces ge-0/0/20
>>>     unit 0 {
>>>         family ethernet-switching {
>>>             vlan {
>>>                 members VOIP;
>>>             }
>>>         }
>>>     }
>>>
>>>     bblackf...@wsc-sw-ex3200-1> show interfaces ge-0/0/20
>>>     error: device ge-0/0/20 not found
>>>
>>> snmpwalk from a host:
>>>
>>>     ifDescr.148 = STRING: ge-0/0/18
>>>     ifDescr.149 = STRING: ge-0/0/18.0
>>>     ifDescr.150 = STRING: ge-0/0/19
>>>     ifDescr.151 = STRING: ge-0/0/19.0
>>>     == 152 and 153 are missing
>>>     ifDescr.154 = STRING: ge-0/0/21
>>>     ifDescr.155 = STRING: ge-0/0/21.0
>>>     ifDescr.156 = STRING: ge-0/0/22
>>>     ifDescr.157 = STRING: ge-0/0/22.0
>>>     ifDescr.158 = STRING: ge-0/0/1.0
>>>     ifDescr.159 = STRING: ge-0/0/23
>>>     ifDescr.160 = STRING: ge-0/0/0
>>>     ifDescr.161 = STRING: ge-0/0/0.0
>>>     ifDescr.162 = STRING: ge-0/0/1
>>>     ifDescr.163 = STRING: vlan
>>>     ifDescr.164 = STRING: vlan.0
>>>     ifDescr.165 = STRING: vlan.1
>>>     ifDescr.166 = STRING: ge-0/1/0
>>>     ifDescr.167 = STRING: ge-0/1/0.0
>>>     ifDescr.170 = STRING: ge-0/0/23.0
>>>
>>> =====
>>> 2. Indexing question
>>>
>>> During the gathering of data for issue 1 above, I ran some walks against other ex3200's I have and noticed that the indexing is not consistent.
>>>
>>> Here's another ex3200 running the same code rev as above:
>>>
>>>     ifDescr.148 = STRING: ge-0/0/18
>>>     ifDescr.149 = STRING: ge-0/0/18.0
>>>     ifDescr.150 = STRING: ge-0/0/19
>>>     ifDescr.151 = STRING: ge-0/0/19.0
>>>     ifDescr.152 = STRING: ge-0/0/20
>>>     ifDescr.153 = STRING: ge-0/0/20.0
>>>     ifDescr.154 = STRING: ge-0/0/21
>>>     ifDescr.155 = STRING: ge-0/0/21.0
>>>     ifDescr.156 = STRING: ge-0/0/22
>>>     ifDescr.157 = STRING: ge-0/0/22.0
>>>     ifDescr.158 = STRING: ge-0/0/23
>>>     ifDescr.159 = STRING: ge-0/0/23.0
>>>     ifDescr.160 = STRING: vlan
>>>     ifDescr.163 = STRING: ge-0/0/0
>>>     ifDescr.164 = STRING: ge-0/0/0.0
>>>     ifDescr.165 = STRING: ge-0/0/1
>>>     ifDescr.166 = STRING: ge-0/0/11.69
>>>     ifDescr.167 = STRING: ge-0/0/11.70
>>>     ifDescr.168 = STRING: ge-0/0/1.0
>>>
>>> There seems to be no correlation between the ifDescr seq numbers and the interface names. Now, the switch above has a 4x GE SFP PIC and the one below does not, but I find it strange that interfaces show up all over the place as if they were dynamically populated into a table.
>>>
>>> =====
>>>
>>> Sorry for the length of this post. Thank you for any input.
>>>
>>> -b
>>>
>>> --
>>> Bill Blackford
>>> Senior Network Engineer
>>> Technology Systems Group
>>> Northwest Regional ESD
>>> my /home away from home
[j-nsp] EX4200
I was wondering if anyone has ever seen an EX4200 drop OSPF/BGP session when adding a vlan member to an interface?

    ge-0/1/2 {
        description ge-1-3-0.m7i.pit2;
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ v101 v501 v510 505 ];

This link connects to a gig interface on a m7i, which I have not configured the additional vlans on yet. Though 101, 501, 510, and 505 are configured on there. All I did was add vlan members 513, 514, 515 and committed it and that brought down all connections that pass through the 4200 interface ge-0/1/2 to the m7i.

Any ideas?

Thanks,
Brendan
Re: [j-nsp] EX4200
Also forgot to mention, I am running 9.5R1.8.

On 8/17/09 2:18 PM, Brendan Mannella bmanne...@teraswitch.com wrote:

> I was wondering if anyone has ever seen an EX4200 drop OSPF/BGP session when adding a vlan member to an interface?
>
>     ge-0/1/2 {
>         description ge-1-3-0.m7i.pit2;
>         unit 0 {
>             family ethernet-switching {
>                 port-mode trunk;
>                 vlan {
>                     members [ v101 v501 v510 505 ];
>
> This link connects to a gig interface on a m7i, which I have not configured the additional vlans on yet. Though 101, 501, 510, and 505 are configured on there. All I did was add vlan members 513, 514, 515 and committed it and that brought down all connections that pass through the 4200 interface ge-0/1/2 to the m7i.
>
> Any ideas?
>
> Thanks,
> Brendan
[j-nsp] Hardware issue with M7i
All,

My Juniper M7i suddenly rebooted today. The logs show the following. Can someone tell me what exactly failed. It appears the onboard hard disk was the issue, but I just wanted to verify.

    Aug 12 10:08:11 ibr1.pit /kernel: ata0: resetting devices ..
    Aug 12 10:08:11 ibr1.pit /kernel: ad1: timeout sending command=ca s=18 e=03
    Aug 12 10:08:11 ibr1.pit /kernel: ad1: error executing command - resetting
    Aug 12 10:08:11 ibr1.pit /kernel: ata0: resetting devices ..
    Aug 12 10:08:11 ibr1.pit /kernel: ad1: timeout sending command=ca s=28 e=03
    Aug 12 10:08:11 ibr1.pit /kernel: ad1: error executing command - resetting
    Aug 12 10:08:11 ibr1.pit /kernel: ata0: resetting devices ..
    Aug 12 10:08:11 ibr1.pit /kernel: ad1: timeout sending command=ca s=09 e=09
    Aug 12 10:08:11 ibr1.pit /kernel: ad1: error executing command - resetting
    Aug 12 10:08:11 ibr1.pit /kernel: ata0: resetting devices ..
    Aug 12 10:08:11 ibr1.pit /kernel: ad1: timeout sending command=ca s=1a e=09
    Aug 12 10:08:11 ibr1.pit /kernel: ad1: error executing command - resetting
    Aug 12 10:08:11 ibr1.pit /kernel: ata0: resetting devices ..
    Aug 12 10:08:11 ibr1.pit /kernel: ad1: timeout sending command=ca s=2a e=09
    Aug 12 10:08:11 ibr1.pit /kernel: ad1: error executing command - resetting
    Aug 12 10:08:11 ibr1.pit /kernel: ata0: resetting devices ..
    Aug 12 10:08:11 ibr1.pit /kernel: ad1: timeout sending command=ca s=0b e=0b
    Aug 12 10:08:11 ibr1.pit /kernel: ad1: error executing command - resetting
    Aug 12 10:08:11 ibr1.pit /kernel: ata0: resetting devices ..
    Aug 12 10:08:11 ibr1.pit /kernel: ad1: timeout sending command=ca s=1d e=1d
    Aug 12 10:08:11 ibr1.pit /kernel: ad1: error executing command - resetting
    Aug 12 10:08:11 ibr1.pit /kernel: ata0: resetting devices ..
    Aug 12 10:08:11 ibr1.pit /kernel: ad1: timeout sending command=ca s=2c e=1d
    Aug 12 10:08:11 ibr1.pit /kernel: ad1: error executing command - resetting
    Aug 12 10:08:11 ibr1.pit /kernel: ata0: resetting devices ..
    Aug 12 10:08:11 ibr1.pit /kernel: ad1: timeout sending command=ca s=0d e=0d
    Aug 12 10:08:11 ibr1.pit /kernel: ad1: error executing command - resetting
    Aug 12 10:08:11 ibr1.pit /kernel: ata0: resetting devices ..
    Aug 12 10:08:11 ibr1.pit /kernel: ad1: timeout sending command=ca s=1f e=1f
    Aug 12 10:08:11 ibr1.pit /kernel: ad1: error executing command - resetting
    Aug 12 10:08:11 ibr1.pit /kernel: ata0: resetting devices ..
    Aug 12 10:08:11 ibr1.pit /kernel: ad1: timeout sending command=ca s=00 e=1f
    Aug 12 10:08:11 ibr1.pit /kernel: ad1: error executing command - resetting
    Aug 12 10:08:11 ibr1.pit /kernel: ata0: resetting devices ..
    Aug 12 10:08:11 ibr1.pit /kernel: ad1: timeout sending command=ca s=0f e=0f
    Aug 12 10:08:11 ibr1.pit /kernel: ad1: error executing command - resetting
    Aug 12 10:08:11 ibr1.pit /kernel: ata0: resetting devices ..
    Aug 12 10:08:11 ibr1.pit /kernel: ad1: timeout sending command=ca s=20 e=0f
    Aug 12 10:08:11 ibr1.pit /kernel: ad1: error executing command - resetting
    Aug 12 10:08:11 ibr1.pit /kernel: ata0: resetting devices ..
    Aug 12 10:08:11 ibr1.pit /kernel: ad1: timeout sending command=ca s=01 e=01
    Aug 12 10:08:11 ibr1.pit /kernel: ad1: error executing command - resetting
    Aug 12 10:08:11 ibr1.pit /kernel: ata0: resetting devices ..
    Aug 12 10:08:11 ibr1.pit rpd[3126]: RPD_TRACE_FAILED: bgp_keepalive_timeout: peer 204.16.241.252 (Internal AS 20326) last checked 18 last recv'd 17 last sent 17 last keepalive 29 RPD_TRACE_FAILED: Unable to write to trace file /var/log/bgp
    Aug 12 10:08:11 ibr1.pit cfeb CM: ALARM SET: (Major) RE chassis socket closed abruptly
    Aug 12 10:08:11 ibr1.pit cfeb PFEMAN: Master socket closed
    Aug 12 10:08:11 ibr1.pit cfeb CM: Routing engine CM reconnection succeeded after 3 tries
    Aug 12 10:08:11 ibr1.pit rpd[3126]: bgp_hold_timeout: NOTIFICATION sent to 208.4.47.65 (External AS 1239): code 4 (Hold Timer Expired Error), Reason: holdtime expired for 208.4.47.65 (External AS 1239), socket buffer sndcc: 19 rcvcc: 1623 TCP state: 4, snd_una: 2628552212 snd_nxt: 2628552231 snd_wnd: 32350 rcv_nxt: 2226880899 rcv_adv: 2226895660, hold timer 0
    Aug 12 10:08:11 ibr1.pit rpd[3126]: RPD_BGP_NEIGHBOR_UPDOWN: bgp_event: peer 208.4.47.65 (External AS 1239) old state Established event HoldTime new state Idle
    Aug 12 10:08:11 ibr1.pit rpd[3126]: RPD_SCHED_SLIP: 75 sec scheduler slip, user: 0 sec 0 usec, system: 0 sec, 2769 usec
    Aug 12 10:08:11 ibr1.pit rpd[3126]: RPD_PPM_WRITE_ERROR: ppm_send: write error on pipe to ppmd (Broken pipe)
    Aug 12 10:08:11 ibr1.pit cfeb CM: ALARM CLEAR: RE chassis socket closed abruptly
    Aug 12 10:08:11 ibr1.pit /kernel: pfe_listener_disconnect: conn dropped: listener idx=0, tnpaddr=0x2, reason: socket error
    Aug 12 10:08:11 ibr1.pit craftd[3121]: Minor alarm set, Host 0 hard-disk drive error
    Aug 12 10:08:11 ibr1.pit alarmd[3120]: Alarm set: RE color=YELLOW, class=CHASSIS, reason=Host 0 hard-disk drive error
    Aug
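As an added example (not part of Brendan's post and not Juniper tooling), an awk pass that reads RE syslog lines like the ones above and separates the disk symptoms (ad1 timeouts and resets, the "Host 0 hard-disk drive error" alarm) from the routing symptoms that follow them (rpd unable to write its trace file under /var, the 75 s scheduler slip, the BGP hold timer expiry). The sample log is constructed from the excerpt above. The reading that the disk stall comes first and the BGP drop is downstream of it is my interpretation of that ordering in the log, not a statement from the thread; the verdict function only fires on the disk signature, so a routing-only outage is not mislabelled as a disk fault.

```shell
#!/bin/sh
# Added example for this page, not from the post or from Juniper. A syslog
# triage pass for the RE: counts the ATA symptoms on ad1, notes the chassis
# hard-disk alarm, and counts the routing-side events that follow them.
# Reads log lines on stdin; on a real box you would feed it
# /var/log/messages instead of the constructed sample below.

disk_failure_summary() {
    awk '
        /ad1: timeout sending command/             { timeouts++ }
        /ad1: error executing command - resetting/ { resets++ }
        /hard-disk drive error/                    { alarm = "yes" }
        /RPD_TRACE_FAILED/                         { trace_fail++ }
        /RPD_SCHED_SLIP/                           { slips++ }
        /RPD_BGP_NEIGHBOR_UPDOWN/ && /new state Idle/ { bgp_idle++ }
        END {
            printf "ad1_timeouts=%d ad1_resets=%d disk_alarm=%s trace_write_fail=%d sched_slips=%d bgp_idle=%d\n",
                   timeouts, resets, (alarm ? alarm : "no"), trace_fail, slips, bgp_idle
        }'
}

# Exit 0 when the log carries the signature of a failing RE hard disk:
# repeated ad1 timeouts plus the chassis alarm. BGP drops alone do not
# qualify, so a routing-only event is not mistaken for a disk fault.
disk_failed() {
    disk_failure_summary | awk '
        { for (i = 1; i <= NF; i++) { split($i, kv, "="); v[kv[1]] = kv[2] } }
        END { exit !(v["ad1_timeouts"] + 0 >= 2 && v["disk_alarm"] == "yes") }'
}

# Constructed sample, trimmed from the excerpt in the post above.
SAMPLE_LOG=$(cat <<'EOF'
Aug 12 10:08:11 ibr1.pit /kernel: ad1: timeout sending command=ca s=18 e=03
Aug 12 10:08:11 ibr1.pit /kernel: ad1: error executing command - resetting
Aug 12 10:08:11 ibr1.pit /kernel: ata0: resetting devices ..
Aug 12 10:08:11 ibr1.pit /kernel: ad1: timeout sending command=ca s=28 e=03
Aug 12 10:08:11 ibr1.pit /kernel: ad1: error executing command - resetting
Aug 12 10:08:11 ibr1.pit /kernel: ata0: resetting devices ..
Aug 12 10:08:11 ibr1.pit /kernel: ad1: timeout sending command=ca s=09 e=09
Aug 12 10:08:11 ibr1.pit /kernel: ad1: error executing command - resetting
Aug 12 10:08:11 ibr1.pit /kernel: ata0: resetting devices ..
Aug 12 10:08:11 ibr1.pit rpd[3126]: RPD_TRACE_FAILED: Unable to write to trace file /var/log/bgp
Aug 12 10:08:11 ibr1.pit cfeb CM: ALARM SET: (Major) RE chassis socket closed abruptly
Aug 12 10:08:11 ibr1.pit rpd[3126]: bgp_hold_timeout: NOTIFICATION sent to 208.4.47.65 (External AS 1239): code 4 (Hold Timer Expired Error)
Aug 12 10:08:11 ibr1.pit rpd[3126]: RPD_BGP_NEIGHBOR_UPDOWN: bgp_event: peer 208.4.47.65 (External AS 1239) old state Established event HoldTime new state Idle
Aug 12 10:08:11 ibr1.pit rpd[3126]: RPD_SCHED_SLIP: 75 sec scheduler slip, user: 0 sec 0 usec, system: 0 sec, 2769 usec
Aug 12 10:08:11 ibr1.pit craftd[3121]: Minor alarm set, Host 0 hard-disk drive error
Aug 12 10:08:11 ibr1.pit alarmd[3120]: Alarm set: RE color=YELLOW, class=CHASSIS, reason=Host 0 hard-disk drive error
EOF
)

printf '%s\n' "$SAMPLE_LOG" | disk_failure_summary
if printf '%s\n' "$SAMPLE_LOG" | disk_failed; then
    echo "verdict: RE hard disk (ad1) failing; routing events follow the disk stall"
else
    echo "verdict: no disk-failure signature in this log"
fi
```

On the sample the summary comes out as ad1_timeouts=3 ad1_resets=3 disk_alarm=yes trace_write_fail=1 sched_slips=1 bgp_idle=1. The trace_write_fail counter is the piece worth watching: rpd logging to /var/log on a disk that is timing out is how a storage fault turns into a control-plane stall, which is why the BGP peers expire at the same timestamp as the ATA resets.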
[j-nsp] M7i Hard Disk Replacement
Hello,

I was wondering if anyone has successfully replaced a hard disk on an M7i RE-5.0. If so with what model disk, and once installed what is the procedure to get the disk back to working/formatted condition.

Thanks,
Brendan
[j-nsp] Failed to find the resolving address node
Does anyone know what this means? I have these all through my message logs on a 4200 VC.

Jun 26 14:58:19 core1.pit1 fpc0 Failed to find the resolving address node
Jun 26 14:58:23 core1.pit1 fpc1 Failed to find the resolving address node
Jun 26 14:58:25 core1.pit1 fpc0 Failed to find the resolving address node
Jun 26 14:58:27 core1.pit1 fpc1 Failed to find the resolving address node
Re: [j-nsp] JUNOS
ibr1.ash> show route all
inet.0: 283638 destinations, 486468 routes (283619 active, 18 holddown, 2 hidden)

ibr1.ash> show chassis routing-engine
Routing Engine status:
    Temperature                 30 degrees C / 86 degrees F
    CPU temperature             28 degrees C / 82 degrees F
    DRAM                        768 MB
    Memory utilization          89 percent
    CPU utilization:
      User                       0 percent
      Background                 0 percent
      Kernel                     2 percent
      Interrupt                  0 percent
      Idle                      97 percent
    Model                       RE-5.0
    Serial ID
    Start time                  2008-11-23 14:53:50 EST
    Uptime                      211 days, 19 hours, 23 minutes, 19 seconds
    Load averages:              1 minute   5 minute  15 minute
                                    0.05       0.10       0.04

I have a 2gig flash card installed, so that is no issue. I am just trying to figure out if it's a software issue/bug causing this or it's just the number of routes I have.

Brendan Mannella
President and CEO
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Toll-Free: 866.583.6338
Mobile: 412-592-7848
Efax: 412.202.7094

----- Original Message -----
From: Sean Clarke s...@clarke-3.demon.nl
To: Brendan Mannella bmanne...@teraswitch.com
Sent: Tuesday, June 23, 2009 10:58:24 AM GMT -05:00 US/Canada Eastern
Subject: Re: [j-nsp] JUNOS

Hi Brendan

How many routes etc do you have? The memory sounds a bit high utilised to me, if it stays at 91%.

There are many bug fixes from 9.1 to 9.5, of course, if you have a 1G flash card (or no flash card) then you can upgrade anyway ... the memory should not max out. Typically the RE should be about 5% utilised, if the routes are stable

cheers

On 6/23/09 11:45 AM, Brendan Mannella wrote:
> Hello, I have two M7i routers with RE-400-768s. One is running 9.1R1.8 and the other 8.3R4.3. They each have one transit link landed on them and very little IBGP/OSPF. The router with 9.1 on it has 91% memory usage while the 8.3 has 59%. Now I know the more recent code probably has more features and so forth. But I am worried that maybe that version of code has a memory leak or related issue. Does anyone know of any outstanding issues with 9.1R1.8?
>
> The router came with this version of code on it and I don't like the fact that it's R1.8 but I am worried about upgrading to a more stable release as I don't want the memory maxed out. Any suggestions? What is the most stable code at this point for this platform?
>
> Thanks in Advance.
> Brendan
Re: [j-nsp] JUNOS
Ok here's what I got..

@ibr1.ash> show system processes brief
last pid: 40751;  load averages:  0.00,  0.00,  0.00  up 211+21:54:08    13:47:28
112 processes: 3 running, 92 sleeping, 17 waiting
Mem: 405M Active, 136M Inact, 112M Wired, 57M Cache, 69M Buf, 32M Free
Swap: 1536M Total, 1536M Free

so I guess I am not in all that bad of shape.. Can someone recommend the most stable version of Junos for the M series?

Brendan Mannella
President and CEO
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Toll-Free: 866.583.6338
Mobile: 412-592-7848
Efax: 412.202.7094

----- Original Message -----
From: martin mogensen martin.mogen...@bt.com
To: bmanne...@teraswitch.com
Cc: juniper-nsp@puck.nether.net, s...@clarke-3.demon.nl
Sent: Tuesday, June 23, 2009 11:49:56 AM GMT -05:00 US/Canada Eastern
Subject: RE: [j-nsp] JUNOS

Brendan

You can try:

show system processes brief

to see how much memory is marked as inactive. The percentage calculation considers inactive memory as used memory which strictly speaking is correct (this is managed by the FreeBSD that JUNOS runs on top of). However, inactive memory will be freed up automatically by the router if needed. This way the percentage value can look bad even though the router still has plenty of inactive memory left it can free up as needed.

If the inactive memory is indeed high and you want to monitor the percentage, you can launch a memory intensive task, ie compression/decompression of large files, which will free up inactive memory so the calculation will become more representative. Naturally you should only do this if there is indeed a large amount of inactive memory - you should not risk running out of memory.

Cheers
Martin

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella
Sent: Tuesday, June 23, 2009 16:58
To: Sean Clarke
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] JUNOS

> ibr1.ash> show route all
> inet.0: 283638 destinations, 486468 routes (283619 active, 18 holddown, 2 hidden)
>
> ibr1.ash> show chassis routing-engine
> Routing Engine status:
>     Temperature                 30 degrees C / 86 degrees F
>     CPU temperature             28 degrees C / 82 degrees F
>     DRAM                        768 MB
>     Memory utilization          89 percent
>     CPU utilization:
>       User                       0 percent
>       Background                 0 percent
>       Kernel                     2 percent
>       Interrupt                  0 percent
>       Idle                      97 percent
>     Model                       RE-5.0
>     Serial ID
>     Start time                  2008-11-23 14:53:50 EST
>     Uptime                      211 days, 19 hours, 23 minutes, 19 seconds
>     Load averages:              1 minute   5 minute  15 minute
>                                     0.05       0.10       0.04
>
> I have a 2gig flash card installed, so that is no issue. I am just trying to figure out if it's a software issue/bug causing this or it's just the number of routes I have.
>
> Brendan Mannella
> President and CEO
> TeraSwitch Networks Inc.
> Office: 412.224.4333 x303
> Toll-Free: 866.583.6338
> Mobile: 412-592-7848
> Efax: 412.202.7094
>
> ----- Original Message -----
> From: Sean Clarke s...@clarke-3.demon.nl
> To: Brendan Mannella bmanne...@teraswitch.com
> Sent: Tuesday, June 23, 2009 10:58:24 AM GMT -05:00 US/Canada Eastern
> Subject: Re: [j-nsp] JUNOS
>
> Hi Brendan
>
> How many routes etc do you have? The memory sounds a bit high utilised to me, if it stays at 91%.
>
> There are many bug fixes from 9.1 to 9.5, of course, if you have a 1G flash card (or no flash card) then you can upgrade anyway ... the memory should not max out. Typically the RE should be about 5% utilised, if the routes are stable
>
> cheers
>
> On 6/23/09 11:45 AM, Brendan Mannella wrote:
>> Hello, I have two M7i routers with RE-400-768s. One is running 9.1R1.8 and the other 8.3R4.3. They each have one transit link landed on them and very little IBGP/OSPF. The router with 9.1 on it has 91% memory usage while the 8.3 has 59%.
>>
>> Now I know the more recent code probably has more features and so forth. But I am worried that maybe that version of code has a memory leak or related issue. Does anyone know of any outstanding issues with 9.1R1.8? The router came with this version of code on it and I don't like the fact that it's R1.8 but I am worried about upgrading to a more stable release as I don't want the memory maxed out. Any suggestions? What is the most stable code at this point for this platform?
>>
>> Thanks in Advance.
>> Brendan
Re: [j-nsp] EX4200 and speed/duplex
Does anyone know the ETA for the next release?

Sent from my iPhone

On Jun 9, 2009, at 9:35 AM, Nitzan Tzelniker nitzan.tzelni...@gmail.com wrote:

> Hi
> I have a case about this issue. It should be fixed in the next versions 9.3R4, 9.4R3, 9.5R2
> Nitzan
>
> On Tue, Jun 9, 2009 at 15:48, Bjørn Tore b...@paulen.net wrote:
>> We are trying out some EX 4200 switches running 9.5R1.8. Anyone managed to actually lock the port to 1000Fdx? Seems that this is a feature yet to be implemented. Auto/auto works fine. If I do
>>
>> ether-options {
>>     no-auto-negotiation;
>>     no-flow-control;
>>     link-mode full-duplex;
>>     speed {
>>         1g;
>>     }
>> }
>>
>> I get link one way (on the other non-Juniper switch) because it will link on incoming light. The EX does not. Anyone tried this?
>>
>> Bjørn Tore
Re: [j-nsp] Juniper EX AE Bundle with LACP active
Felix,

When you say disabled LACP does that mean make both sides passive? Or one side active and the other side passive? I tried searching the docs, but all I got out of it was that if both sides are set to passive the link will not automatically come up. What exactly does that mean? And how would I bring it up.

Thanks,
Brendan

----- Original Message -----
From: Felix Schueren felix.schue...@hosteurope.de
To: Brendan Mannella bmanne...@teraswitch.com
Cc: juniper-nsp@puck.nether.net
Sent: Wednesday, May 27, 2009 4:26:40 AM GMT -05:00 US/Canada Eastern
Subject: Re: [j-nsp] Juniper EX AE Bundle with LACP active

Brendan,

> just wondering if anyone else has experienced any issues with EX switches and ae bundles.

yes, we have.

> I have a 3200 with ports 0 and 1 in an ae bundle (ae0) with lacp active. Those uplink to a 4200 VC and land on port 0 on each switch. Again with lacp active. For no reason the bundle has been flapping at random, a few times per day. The physical interfaces never flap, just the bundle.

exactly the same as we saw.

> All switches are running 9.5R1.8

we saw that with 9.1, 9.2 at least, not sure if we saw it in 9.3 - JTAC suggested that we disable LACP (which we did), no more flapping since then. We never got a root cause for this, I suspect it's the same thing that keeps BFD falling over every once in a while (and thus the internal link between RE and PFE).

Kind regards,
Felix

--
Felix Schüren
Head of NOC
--
Host Europe GmbH - http://www.hosteurope.de
Welserstraße 14 - D-51149 Köln - Germany
Telefon: (0800) 4 67 83 87 - Telefax: (01805) 66 32 33
HRB 28495 Amtsgericht Köln - UST ID DE187370678
Geschäftsführer: Uwe Braun - Alex Collins - Mark Joseph - Patrick Pulvermüller
[j-nsp] Juniper EX AE Bundle with LACP active
All, just wondering if anyone else has experienced any issues with EX switches and ae bundles. I have a 3200 with ports 0 and 1 in an ae bundle (ae0) with lacp active. Those uplink to a 4200 VC and land on port 0 on each switch. Again with lacp active. For no reason the bundle has been flapping at random, a few times per day. The physical interfaces never flap, just the bundle. All switches are running 9.5R1.8.

I have already opened a case with Juniper, but while waiting I just wanted to check with everyone else.

Thanks,
Brendan Mannella
Re: [j-nsp] Juniper EX AE Bundle with LACP active
I am the only person with access to the switches, and I have not committed any new config in days.

On 5/26/09 3:36 PM, Ross Vandegrift r...@kallisti.us wrote:

> On Tue, May 26, 2009 at 02:18:25PM -0400, Brendan Mannella wrote:
>> just wondering if anyone else has experienced any issues with EX switches and ae bundles.
>
> Very much so.
>
>> For no reason the bundle has been flapping at random, a few times per day. The physical interfaces never flap, just the bundle.
>
> Can you find any relation to config commits? I once saw a VC develop a problem where any commits caused aggregated ethernet devices to flap, though the individual member interfaces did not flap. I was able to resolve this issue by changing the LACP mode fast and then back to default. My feeling is that restarting lacp should've fixed it as well, but that's not the tact that JTAC wants to take on the issue.
>
>> All switches are running 9.5R1.8
>
> Everyone that I've talked to inside Juniper has suggested JUNOS 9.3R3 as the suggested version for all of my deployments, but all of my EX boxes are 4200 virtual chassis.
>
> --
> Ross Vandegrift r...@kallisti.us
> If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher. --Woody Guthrie
[j-nsp] SSH Filter
All, I know this has been covered a million times, but I just wanted to check with the list to see if this is the best/recommended way to restrict ssh access to an EX switch. I did google this, but noticed people doing it different ways.

set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.1/32
set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.2/32
set firewall family inet filter RE_FILTER term SSH from protocol tcp
set firewall family inet filter RE_FILTER term SSH from destination-port 22
set firewall family inet filter RE_FILTER term SSH then accept
set firewall family inet filter RE_FILTER term SSH_BLOCK from protocol tcp
set firewall family inet filter RE_FILTER term SSH_BLOCK from destination-port 22
set firewall family inet filter RE_FILTER term SSH_BLOCK then discard
set firewall family inet filter RE_FILTER term everything-else then accept
set interfaces lo0 unit 0 family inet filter input RE_FILTER

Please Advise.

Thanks,
Brendan Mannella
Re: [j-nsp] SSH Filter
True, I have seen those. I understand I would need to think of everything needed. So even OSPF, BGP, basically any protocol I would use. But I don't need to worry about traffic transiting the switch such as customer services, like http, ftp, etc. Correct?

Thanks,
Brendan

----- Original Message -----
From: Stefan Fouant sfou...@gmail.com
To: Brendan Mannella bmanne...@teraswitch.com, juniper-nsp juniper-nsp@puck.nether.net
Sent: Friday, May 22, 2009 10:57:42 AM GMT -05:00 US/Canada Eastern
Subject: Re: [j-nsp] SSH Filter

That filter would certainly do what you want but I would strongly advise against using an accept-all term as your last term. If you truly want to take a hardened control plane security posture, why not allow that which is specifically required and drop the rest? Team Cymru has some good control plane filter templates available on their website.

Regards,

On 5/22/09, Brendan Mannella bmanne...@teraswitch.com wrote:
> All, I know this has been covered a million times, but I just wanted to check with the list to see if this is the best/recommended way to restrict ssh access to an EX switch. I did google this, but noticed people doing it different ways.
>
> set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.1/32
> set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.2/32
> set firewall family inet filter RE_FILTER term SSH from protocol tcp
> set firewall family inet filter RE_FILTER term SSH from destination-port 22
> set firewall family inet filter RE_FILTER term SSH then accept
> set firewall family inet filter RE_FILTER term SSH_BLOCK from protocol tcp
> set firewall family inet filter RE_FILTER term SSH_BLOCK from destination-port 22
> set firewall family inet filter RE_FILTER term SSH_BLOCK then discard
> set firewall family inet filter RE_FILTER term everything-else then accept
> set interfaces lo0 unit 0 family inet filter input RE_FILTER
>
> Please Advise.
>
> Thanks,
> Brendan Mannella

--
Sent from Gmail for mobile | mobile.google.com

Stefan Fouant
Stay the patient course. Of little worth is your ire. The network is down.
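A default-deny version of the loopback filter along the lines Stefan describes, written as an added example for this thread rather than taken from any post in it. The management hosts, the BGP neighbor addresses, the policer size and the counter name are constructed stand-ins; every term except the last keeps the original filter's style of explicit matches.

```junos
## Added example, not from the thread. Addresses below are placeholders:
## 10.0.0.1/32 and 10.0.0.2/32 stand in for the management hosts,
## 192.0.2.1/32 and 192.0.2.5/32 for the BGP neighbors.

## SSH only from the management hosts
set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.1/32
set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.2/32
set firewall family inet filter RE_FILTER term SSH from protocol tcp
set firewall family inet filter RE_FILTER term SSH from destination-port ssh
set firewall family inet filter RE_FILTER term SSH then accept

## BGP from the configured neighbors only; "port" matches source or
## destination port, so sessions initiated by either side pass
set firewall family inet filter RE_FILTER term BGP from source-address 192.0.2.1/32
set firewall family inet filter RE_FILTER term BGP from source-address 192.0.2.5/32
set firewall family inet filter RE_FILTER term BGP from protocol tcp
set firewall family inet filter RE_FILTER term BGP from port bgp
set firewall family inet filter RE_FILTER term BGP then accept

## OSPF (IP protocol 89: hellos to 224.0.0.5/6 and unicast exchanges)
set firewall family inet filter RE_FILTER term OSPF from protocol ospf
set firewall family inet filter RE_FILTER term OSPF then accept

## ICMP is allowed but rate-limited so it cannot swamp the RE
set firewall policer ICMP-1M if-exceeding bandwidth-limit 1m
set firewall policer ICMP-1M if-exceeding burst-size-limit 15k
set firewall policer ICMP-1M then discard
set firewall family inet filter RE_FILTER term ICMP from protocol icmp
set firewall family inet filter RE_FILTER term ICMP then policer ICMP-1M
set firewall family inet filter RE_FILTER term ICMP then accept

## Everything else to the RE is counted, logged and dropped.
## This replaces the original "everything-else then accept" term.
set firewall family inet filter RE_FILTER term DEFAULT-DENY then count re-denied
set firewall family inet filter RE_FILTER term DEFAULT-DENY then log
set firewall family inet filter RE_FILTER term DEFAULT-DENY then discard

set interfaces lo0 unit 0 family inet filter input RE_FILTER
```

Anything else the switch itself talks (NTP, DNS, SNMP, RADIUS/TACACS, and so on) needs its own term ahead of DEFAULT-DENY, while traffic merely switched through the box is not subject to the lo0 filter at all; use `commit confirmed` when applying it so a mistake in the SSH term does not lock you out, and watch `show firewall filter RE_FILTER` for what the deny counter is catching.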
[j-nsp] Ex Series Bandwidth Policer
Hi, I was wondering what the best way to limit bandwidth per customer port on an EX3200 would be. Let's say I have customer A on port 3 and customer B on port 4 and would like to give each one 10 mbits per sec up and down. Something like this...

ge-0/0/3 {
    description "Customer A";
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members 43;
            }
        }
    }
}
ge-0/0/4 {
    description "Customer B";
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members 44;
            }
        }
    }
}
firewall {
    policer 10m {
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 100k;
        }
        then discard;
    }
}

Then I would just apply the 10m policer to both interfaces for both input and output? Any clarification on this would be helpful.

Thanks,
Brendan
Re: [j-nsp] Ex Series Bandwidth Policer
Here is what I came up with, but it didn't seem to work. I just want to rate-limit ALL traffic to 10 meg, so I assume using the source address of 0.0.0.0/0 is correct. I had this interface pegged at 100 meg, and when I committed the filter it didn't seem to reduce the traffic. Any ideas?

ge-0/0/4 {
    description "Customer A";
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members 38;
            }
            filter {
                input rate-limit-10m;
            }
        }
    }
}
firewall {
    policer 10m {
        filter-specific;
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 100k;
        }
        then discard;
    }
    family ethernet-switching {
        filter rate-limit-10m {
            interface-specific;
            term 1 {
                from {
                    source-address {
                        0.0.0.0/0;
                    }
                }
                then policer 10m;
            }
        }
    }
}

r...@switch> show firewall filter rate-limit-10m-ge-0/0/4.0-i
Filter: rate-limit-10m-ge-0/0/4.0-i
Policers:
Name                                                Packets
10m                                                 2012276

----- Original Message -----
From: mas...@nexlinx.net.pk
To: Brendan manne...@nexlinx.net.pk, juniper-nsp@puck.nether.net
Sent: Tuesday, May 19, 2009 6:02:57 PM GMT -05:00 US/Canada Eastern
Subject: Re: [j-nsp] Ex Series Bandwidth Policer

The way you have done it, bandwidth will be shared among multiple interfaces. Adding the filter-specific knob to the policer will make them unique. Further, use the interface-specific command in the firewall filter. In this case you can use the same filter on multiple interfaces without having shared bandwidth.

firewall {
    policer 10m {
        filter-specific;        <-- this will make all policers unique.
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 100k;
        }
        then discard;
    }
}

Create a filter instead of applying the policer directly on an interface and use filter-specific under [edit firewall family family-name filter filter-name]

Regards,
Masood
Blog: http://weblogs.com.pk/jahil/

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella
Sent: Tuesday, May 19, 2009 7:36 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Ex Series Bandwidth Policer

> Hi, I was wondering what the best way to limit bandwidth per customer port on an EX3200 would be. Let's say I have customer A on port 3 and customer B on port 4 and would like to give each one 10 mbits per sec up and down. Something like this...
>
> ge-0/0/3 {
>     description "Customer A";
>     unit 0 {
>         family ethernet-switching {
>             port-mode access;
>             vlan {
>                 members 43;
>             }
>         }
>     }
> }
> ge-0/0/4 {
>     description "Customer B";
>     unit 0 {
>         family ethernet-switching {
>             port-mode access;
>             vlan {
>                 members 44;
>             }
>         }
>     }
> }
> firewall {
>     policer 10m {
>         if-exceeding {
>             bandwidth-limit 10m;
>             burst-size-limit 100k;
>         }
>         then discard;
>     }
> }
>
> Then I would just apply the 10m policer to both interfaces for both input and output? Any clarification on this would be helpful.
>
> Thanks,
> Brendan
[j-nsp] Traffic Information
Wondering what the best/preferred method of capturing network traffic for analysis is: using a mirrored port, or actually sending the flows directly to a collector. Looking for pros and cons of each approach. Also if you can give me some examples of what's used as a collector. I have been looking at ntop on the open source side and inmon traffic sentinel on the commercial side.

Brendan
[j-nsp] EX Series Experiences
All, I am looking to purchase a few Juniper EX switches, specifically 3200 series. I am interested in hearing how they are performing. And if they are stable. Regards, Brendan Mannella ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] Redistribute Connected
Hello, I am working with two M7is running EBGP with a transit on each, and IBGP between the two routers. When I create a new sub interface with an IP and vlan on one router the route is not being advertised to the other router via IBGP. I assume I need some policy for that. Can anyone shed any light on how to do this?

Thanks,
Brendan
Re: [j-nsp] Redistribute Connected
I already advertise my entire /21 to eBGP transits. I am just trying to make the two routers aware of which has a specific subnet.

Brendan Mannella
President and CEO
TeraSwitch Networks Inc.
Ph: 412-387-3543
Mobile: 412-592-7848
Efax: 412-202-7094

----- Original Message -----
From: le van cuong [EMAIL PROTECTED]
To: Brendan Mannella [EMAIL PROTECTED]
Cc: juniper-nsp@puck.nether.net
Sent: Monday, November 24, 2008 8:57:08 PM GMT -05:00 US/Canada Eastern
Subject: Re: [j-nsp] Redistribute Connected

Hi Brendan,

I think you need to create a policy with a match term for direct and then export it to IBGP and also EBGP if needed. BGP itself will not redistribute other protocols to its neighbors.

ex:

policy-options {
    policy-statement dr-bgp {
        term 1 {
            from {
                protocol direct;
                route-filter x.x.x./y exact;
            }
            then accept;
        }
    }
}

Regards
Good Luck,
Cuong,

On Tue, Nov 25, 2008 at 8:25 AM, Brendan Mannella [EMAIL PROTECTED] wrote:
> Hello, I am working with two M7is running EBGP with a transit on each, and IBGP between the two routers. When I create a new sub interface with an IP and vlan on one router the route is not being advertised to the other router via IBGP. I assume I need some policy for that. Can anyone shed any light on how to do this?
>
> Thanks,
> Brendan
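Cuong's policy with the two missing pieces filled in, as an added example that is not from the thread: the route-filter scopes the match to the poster's own address block (192.0.2.0/24 below is a constructed stand-in for the real /21, and the group name IBGP is assumed), and the policy is applied as an export on the IBGP group only, so the new sub-interface's subnet reaches the other M7i without being pushed to the transit sessions.

```junos
## Added example, not from the thread. 192.0.2.0/24 stands in for the
## poster's real /21; the BGP group name IBGP is assumed.

## Accept direct (connected) routes, but only those inside our own block
set policy-options policy-statement DIRECT-TO-IBGP term CUSTOMER-SUBNETS from protocol direct
set policy-options policy-statement DIRECT-TO-IBGP term CUSTOMER-SUBNETS from route-filter 192.0.2.0/24 orlonger
set policy-options policy-statement DIRECT-TO-IBGP term CUSTOMER-SUBNETS then accept

## The transit and inter-router point-to-point links are direct routes too;
## reject them explicitly so they never leak into BGP
set policy-options policy-statement DIRECT-TO-IBGP term OTHER-DIRECT from protocol direct
set policy-options policy-statement DIRECT-TO-IBGP term OTHER-DIRECT then reject

## Export on the IBGP group only. Routes that match neither term (BGP-learned
## routes) fall through to the default BGP export policy and are still sent.
set protocols bgp group IBGP export DIRECT-TO-IBGP
```

After the commit, `show route advertising-protocol bgp <ibgp-peer-address>` on the router owning the subnet should list it, and `show route receive-protocol bgp <peer>` on the other M7i should show it arriving with the first router's loopback as next hop (assuming the usual next-hop-self or a resolvable interface address).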
[j-nsp] Routing Issue
Hello, This is more of a general routing question/issue, but hopefully someone can help. This week I have been seeing weird issues where customers are unable to get to some servers on the internet and it seems that this happens when the route goes through Savvis. For instance. A customer server on my network running a traceroute to mail.tecumsehherald.com gets the following...

orange:~$ traceroute mail.tecumsehherald.com
traceroute to mail.tecumsehherald.com (64.14.74.42)
 1  204.16.245.97 (204.16.245.97)  0.580 ms  0.800 ms  1.020 ms
 2  204.16.241.225 (204.16.241.225)  0.496 ms  0.478 ms  0.699 ms
 3  64.209.102.233 (64.209.102.233)  7.177 ms  7.420 ms  7.417 ms
 4  te1-3-10g.ar2.DCA3.gblx.net (67.17.108.145)  7.630 ms  7.870 ms  8.105 ms
 5  * * *
 6  * * *

Now if I go to Global Crossing's looking glass and run a trace from their DC router to the same host, it makes it.

 1  64.214.14.161 (64.214.14.161)  0.457 ms  0.429 ms
 2  te7-1-10G.ar2.DCA3.gblx.net (67.17.109.34)  1.401 ms  1.658 ms
 3  savvis-1.ar2.DCA3.gblx.net (64.212.107.26)  1.567 ms  1.339 ms
 4  ber1-tenge-2-1.virginiaequinix.savvis.net (204.70.193.6)  1.586 ms  1.511 ms
 5  cr1-tengig0-7-2-0.washington.savvis.net (204.70.197.242)  2.367 ms  2.547 ms
 6  cr1-pos-0-0-0-0.boston.savvis.net (204.70.193.177)  15.163 ms  15.836 ms
 7  hr1-pos-1-0-0.Waltham2bo2.savvis.net (208.172.51.66)  11.702 ms  11.780 ms
 8  csr1-ve242.Waltham1bo1.savvis.net (64.14.70.19)  12.202 ms  11.728 ms
 9  64.14.67.130 (64.14.67.130)  11.570 ms  11.592 ms
10  ns2.s426.sureserver.com (64.14.74.42)  11.811 ms  11.927 ms

With all of my issues this week, the common thing seems to be Savvis. But why would it not work just for my network. It's almost like Savvis is blackholing traffic from my network, but if I run a traceroute to savvis.net, it goes through. So it only appears to be certain hosts.

traceroute to www.savvis.net (216.91.182.78), 30 hops max, 40 byte packets
 1  204.16.240.57 (204.16.240.57)  0.538 ms  0.737 ms  0.977 ms
 2  204.16.241.225 (204.16.241.225)  0.385 ms  0.438 ms  0.482 ms
 3  64.209.102.233 (64.209.102.233)  7.957 ms  7.910 ms  7.865 ms
 4  te2-1-10G.ar2.DCA3.gblx.net (67.17.105.133)  7.668 ms  7.112 ms  8.335 ms
 5  savvis-1.ar2.DCA3.gblx.net (64.212.107.26)  6.769 ms  6.753 ms  6.695 ms
 6  er2-tengig2-1.virginiaequinix.savvis.net (204.70.193.102)  6.934 ms  6.891 ms  6.836 ms
 7  cr2-tengig0-7-3-0.washington.savvis.net (204.70.197.246)  14.571 ms  14.661 ms  14.622 ms
 8  cr1-tengig-0-0-5-0.chicago.savvis.net (204.70.195.113)  40.376 ms  40.124 ms  40.660 ms
 9  ber1-tengig-9-0-0.Chicago.savvis.net (204.70.195.114)  32.512 ms  32.612 ms  32.488 ms
10  acr1-ge-1-1-0.chicago.savvis.net (204.70.204.206)  32.922 ms  32.904 ms  32.971 ms
11  scr1-stls6.sec.savvis.net (208.172.1.138)  38.814 ms  38.895 ms  38.838 ms
12  64.241.46.5 (64.241.46.5)  38.637 ms  38.584 ms  38.785 ms

Does anyone have any ideas?

Brendan
Re: [j-nsp] Routing Issue
Yes in RADB. Brendan Mannella President and CEO TeraSwitch Networks Inc. Ph: 412-387-3543 Mobile: 412-592-7848 Efax: 412-202-7094 - Original Message - From: Mark Tinka [EMAIL PROTECTED] To: juniper-nsp@puck.nether.net Cc: Brendan Mannella [EMAIL PROTECTED] Sent: Saturday, July 19, 2008 10:35:14 PM GMT -05:00 US/Canada Eastern Subject: Re: [j-nsp] Routing Issue On Sunday 20 July 2008 08:45:09 Brendan Mannella wrote: Does anyone have any ideas? Could be a filtering issue within Savvis. Just to make sure, do you have prefixes installed in one of the known RIR's route registries (assuming Savvis use those to build filters), e.g., RIPE, RADB, e.t.c.? Cheers, Mark. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] NTP Update
Hello, I am trying to use the command "set date ntp" on my M7i to update the clock, but no matter what time server I try I get the below errors... Does anyone have any ideas?

[EMAIL PROTECTED]> set date ntp time-a.nist.gov
25 Jun 09:12:54 ntpdate[7535]: no server suitable for synchronization found
user@router> set date ntp time-b.nist.gov
25 Jun 09:13:09 ntpdate[7547]: no server suitable for synchronization found
user@router> set date ntp north-america.pool.ntp.org
25 Jun 09:16:14 ntpdate[7559]: no server suitable for synchronization found
user@router> set date ntp otc1.psu.edu
25 Jun 09:19:46 ntpdate[7571]: no server suitable for synchronization found
user@router> set date ntp clock.nyc.he.net
25 Jun 09:20:24 ntpdate[7583]: no server suitable for synchronization found

And in the messages log...

Jun 25 09:13:09 xntpd[4271]: ntpd 4.2.0-a Fri Apr 25 07:34:52 UTC 2008 (1)
Jun 25 09:13:09 mgd[7499]: UI_CHILD_EXITED: Child exited: PID 7540, status 1, command '/usr/libexec/ui/ntp-date'
Jun 25 09:16:14 xntpd[4271]: ntpd exiting on signal 1
Jun 25 09:16:14 xntpd[4271]: ntpd 4.2.0-a Fri Apr 25 07:34:52 UTC 2008 (1)
Jun 25 09:16:14 mgd[7499]: UI_CHILD_EXITED: Child exited: PID 7552, status 1, command '/usr/libexec/ui/ntp-date'
Jun 25 09:19:46 xntpd[4271]: ntpd exiting on signal 1
Jun 25 09:19:46 xntpd[4271]: ntpd 4.2.0-a Fri Apr 25 07:34:52 UTC 2008 (1)
Jun 25 09:19:46 mgd[7499]: UI_CHILD_EXITED: Child exited: PID 7564, status 1, command '/usr/libexec/ui/ntp-date'
Jun 25 09:20:24 xntpd[4271]: ntpd exiting on signal 1
Jun 25 09:20:24 xntpd[4271]: ntpd 4.2.0-a Fri Apr 25 07:34:52 UTC 2008 (1)
Jun 25 09:20:24 mgd[7499]: UI_CHILD_EXITED: Child exited: PID 7576, status 1, command '/usr/libexec/ui/ntp-date'
[j-nsp] Interface Errors
Hello, I have an M7i with a FE-4FE-TX, and I am seeing collisions on the interfaces. I am using two ports of the four, and both are showing the errors. I am also seeing some FIFO errors. Are these signs of a faulty PIC or should I not be concerned? Thoughts? Thanks in Advance.

Physical interface: fe-0/3/0, Enabled, Physical link is Up
  Interface index: 128, SNMP ifIndex: 59, Generation: 129
  Link-level type: Ethernet, MTU: 1514, Speed: 100mbps, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x4000
  CoS queues     : 4 supported, 4 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: 00:12:1e:c3:04:5d, Hardware address: 00:12:1e:c3:04:5d
  Last flapped   : 2008-06-03 04:13:38 EDT (09:01:49 ago)
  Statistics last cleared: 2008-06-03 12:11:32 EDT (01:03:55 ago)
  Traffic statistics:
   Input  bytes  :            930986300              1274864 bps
   Output bytes  :           1534120873              4255680 bps
   Input  packets:              3435984                  911 pps
   Output packets:              2193180                  620 pps
  IPv6 transit statistics:
   Input  bytes  :                    0
   Output bytes  :                    0
   Input  packets:                    0
   Output packets:                    0
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 1917, L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 0, Errors: 0, Drops: 0, Collisions: 138037, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
  Egress queues: 4 supported, 4 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort            2190776              2190776                    0
    1 expedited-fo                 0                    0                    0
    2 assured-forw                 0                    0                    0
    3 network-cont              2412                 2412                    0
  Active alarms  : None
  Active defects : None
  MAC statistics:                      Receive         Transmit
    Total octets                    1001868802       1514245506
    Total packets                      3438593          2192123
    Unicast packets                    3436675          2192082
    Broadcast packets                        0                3
    Multicast packets                     1918                0
    CRC/Align errors                         0                0
    FIFO errors                              0              212
    MAC control frames                       0                0
    MAC pause frames                         0                0
    Oversized frames                         0
    Jabber frames                            0
    Fragment frames                          0
    VLAN tagged frames                       0
    Code violations                          0
  Filter statistics:
    Input packet count                 3438592
    Input packet rejects                     0
    Input DA rejects                      1918
    Input SA rejects                         0
    Output packet count                              2193599
    Output packet pad count                                0
    Output packet error count                              0
    CAM destination filters: 1, CAM source filters: 0
  Autonegotiation information:
    Negotiation status: Complete
    Link partner: Link mode: Half-duplex, Flow control: None, Remote fault: OK
  Packet Forwarding Engine configuration:
    Destination slot: 0
  Direction : Output
    CoS transmit queue               Bandwidth               Buffer Priority   Limit
                              %            bps     %           usec
    0 best-effort            95         9500    95              0      low    none
    3 network-control         5          500     5              0      low    none

  Logical interface fe-0/3/0.0 (Index 66) (SNMP ifIndex 63) (Generation 132)
    Flags: SNMP-Traps Encapsulation: ENET2
    Traffic statistics:
     Input  bytes  :            930986300
     Output bytes  :           1534120873
     Input  packets:              3435984
     Output packets:              2193180
    IPv6 transit statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
    Local statistics:
     Input  bytes  :                   26
     Output bytes  :                56401
     Input  packets:                  816
     Output packets:                  732
    Transit statistics:
     Input  bytes  :