Re: [j-nsp] Advertise inactive route EBGP session

2016-12-01 Thread David Lockuan
Hi Mileto,

Maybe you need to change the default preference of the static route to a
higher value (such as 180 or 200); with this, the BGP route will be preferred
over the static route.

Best regards,

---
David


On Wed, Nov 30, 2016 at 4:46 PM, Mileto Tales wrote:

> Hello,
>
>
> I'm not having success to advertise the best BGP inactive route to my eBGP
> peer. My scenario is very simple. I have configured one static route "set
> routing-options static route 192.168.0.0/24 next-hop 10.0.1.1" and I'm
> receiving this same route by eBGP.
>
>
>
> 192.168.0.0/24 (2 entries, 1 announced)
> *Static Preference: 5
> Next hop type: Router, Next hop index: 596
> Address: 0x3e5e47c
> Next-hop reference count: 14
> Next hop: 10.0.1.1 via xe-1/3/0.0, selected
> Session Id: 0x2f5a
> State: 
> Local AS: 100
> Age: 32:19
> Validation State: unverified
> Task: RT
> Announcement bits (3): 0-KRT 7-BGP_RT_Background 8-Resolve
> tree 2
> Communities: 6:6
>  BGPPreference: 170/-301
> Next hop type: Router, Next hop index: 596
> Address: 0x3e5e47c
> Next-hop reference count: 14
> Source: 10.0.1.1
> Next hop: 10.0.1.1 via xe-1/3/0.0, selected
> Session Id: 0x2f5a
> State: 
> Inactive reason: Route Preference
> Local AS: 100 Peer AS: 200
> Age: 1d 20:50:59
> Validation State: unverified
> Task: BGP_200.10.0.1.1+39577
> Announcement bits (1): 7-BGP_RT_Background
> AS path: 200 200 I
> Communities: 1:1
> Accepted
> Localpref: 300
> Router ID: 200.200.200.200
>
>
> I want to keep the static route configured in the router and advertise the BGP
> learned route to other eBGP peers. In my understanding the
> advertise-inactive configuration inside the BGP group was supposed to work
> in this scenario. I added this configuration, cleared the BGP session and I'm
> still having problems advertising the inactive route.
>
>
> Another test that I did: I created a policy matching on routes that are in
> inactive state and tried to export them. If I remove the static route then
> the BGP is advertised (best route)
>
>
> Anyone have this configuration working?
>
>
>
> MT
>
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>


Re: [j-nsp] how to disconnect/kill tcp session from juniper router

2016-11-24 Thread David Lockuan
Hi Aaron,

When a telnet session is established, the process is not a telnetd daemon
after the process passes to the cli process. You should filter with the grep
command, looking for "cli". Check my example:

***
tecnologia@MX240-2_LAB-RE0> show system users
12:28PM  up 93 days,  1:45, 6 users, load averages: 0.16, 0.08, 0.02
USER TTY  FROM  LOGIN@  IDLE WHAT
tecnologia d0 -            07Nov16 16days -cli (cli)
tecnologia p1 10.10.0.240  Wed04PM 19:26 -cli (cli)
tecnologia p5 10.10.90.2   26Oct16 28days -cli (cli)
tecnologia pj 10.10.90.2   12:28PM - -cli (cli)
tecnologia qi 10.10.0.240  26Oct16 28days telnet
tecnologia qn 10.10.0.240  26Oct16 28days -cli (cli)

{master}
tecnologia@MX240-2_LAB-RE0> start shell
%
% ps -aux | grep cli
tecnologia 90751  0.0  0.7 30400 24536  d0  S+    7Nov16   0:04.78 -cli (cli)
tecnologia 67215  0.0  0.7 30384 24336  p1  S+    4:47PM   0:00.34 -cli (cli)
tecnologia 86298  0.0  0.7 30400 24468  p5  S+   26Oct16   0:06.88 -cli (cli)
tecnologia 83579  0.0  0.7 30376 24312  pj  S    12:28PM   0:00.09 -cli (cli)
tecnologia 83599  0.0  0.0  2024   864  pj  R+   12:29PM   0:00.00 grep cli
tecnologia 86010  0.0  0.7 30412 24424  qi  I+   26Oct16   0:00.24 -cli (cli)
tecnologia 86670  0.0  0.7 30408 24488  qn  S+   26Oct16   0:06.95 -cli (cli)
% exit
exit
***

If the session doesn't appear with the CLI command "show system users", the
process is probably hung in the shell.

I hope this helps you.

Regards,

---
David


On Thu, Nov 24, 2016 at 11:37 AM, Hugo Slabbert  wrote:

> Always a good reference:
>
> http://www.team-cymru.org/templates.html
> http://www.cymru.com/gillsr/documents/junos-template.pdf
>
> --
> Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
> pgp key: B178313E   | also on Signal
>
>
> On Thu 2016-Nov-24 11:07:45 +, Alexander Arseniev <
> arsen...@btinternet.com> wrote:
>
> Hello,
>>
>> Someone is brute-forcing Your router password, and that is very common
>> nowadays. Good loopback filter would prevent this.
>>
>> In addition:
>>
>> 1/ You can only do "request system logout" for sessions that passed
>> authentication+login+got TTY assigned. If You see "unsuccessful login" it
>> means this session did not get past authentication. Unauthenticated sessions
>> got disconnected after 3 wrong password attempts, or 120 secs if there is
>> no data flowing (from memory)
>>
>> 2/ Best practice is not to allow telnet at all. Use SSH instead. To
>> disable telnet, make sure You do NOT have the "telnet" line under "[system
>> services]" stanza.
>>
>> 3/ Also, You should be using:
>>
>> 3a/ loopback filter allowing SSH from trusted source IPs only. If You
>> manage router via internet, and must keep remote access to it open to
>> ANYONE that's not a good practice at all.
>>
>> 3b/ SSH public key authentication instead of password
>>
>> 3c/ backoff timer to fire after 3-5 unsuccessful login tries
>>
>> 3d/ inactivity timer to close hanging SSH sessions - to make sure You are
>> not locked out of the router access because all TTYs are taken.
>>
>> Thanks
>>
>> Alex
>>
>>
>> On 21/11/2016 21:29, Aaron wrote:
>>
>>> I have an unauthorized telnet session attached to my router but it does not
>>> show up under "show system users" and they have not successfully logged so
>>> it doesn't seem that I can do the "request system logout.." thing
>>>
>>>
>>> I do however see unsuccessful login attempts in syslog
>>>
>>>
>>> How do I kill/disconnect this tcp session ?
>>>
>>>
>>> me@j1> show system connections | grep ".23 "
>>>
>>> tcp4   0  0  109.109.109.109.23  181.181.181.181.55436  ESTABLISHED
>>> tcp4   0  0  *.23    *.*  LISTEN
>>> tcp4   0  0  *.6023  *.*  LISTEN
>>> tcp4   0  0  *.6023  *.*  LISTEN
>>> udp4   0  0  128.0.0.1.123  *.*
>>> udp4   0  0  *.123   *.*
>>> udp4   0  0  *.6123  *.*
>>> udp4   0  0  *.6123  *.*
>>>
>>>
>>>
>>> {master:0}
>>>
>>> me@j1> show system processes | grep "PID|telnet"
>>>
>>>   PID  TT  STAT  TIME COMMAND
>>>
>>> 70193  ??  Is 0:00.00 telnetd
>>>
>>>
>>>
>>> {master:0}
>>>
>>> me@j1> start shell
>>>
>>> % ps -awwux | grep telnet
>>>
>>> root   70193  0.0  0.1  2128  1396  ??  Is1:34PM   0:00.00 telnetd
>>>
>>> remote 70971  0.0  0.0   480   296  p5  R+3:19PM   0:00.00 grep
>>> telnet
>>>
>>> %
>>>
>>>
>>> - Aaron
>>>
>>> 
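
The situation in this thread (an established telnet connection that never appears in "show system users" because it has not passed authentication) can be checked for by correlating the two outputs. The following is an added example, not code from any of the posters; the sample text is constructed with documentation addresses, and it assumes the FROM column of "show system users" shows the client IP address.

```python
from collections import Counter

MGMT_PORTS = {22: "ssh", 23: "telnet"}

# Constructed sample in the BSD netstat layout of "show system connections"
# (documentation addresses, not the hosts from the thread).
CONNECTIONS = """\
tcp4   0  0  192.0.2.1.23    198.51.100.7.55436   ESTABLISHED
tcp4   0  0  192.0.2.1.22    10.10.0.240.51514    ESTABLISHED
tcp4   0  0  192.0.2.1.23    10.10.0.240.51720    ESTABLISHED
tcp4   0  0  192.0.2.1.23    10.10.90.2.40112     ESTABLISHED
tcp4   0  0  192.0.2.1.179   192.0.2.2.61001      ESTABLISHED
tcp4   0  0  *.23            *.*                  LISTEN
udp4   0  0  *.123           *.*
"""

# Constructed sample in the layout of "show system users".
USERS = """\
12:28PM  up 93 days,  1:45, 3 users, load averages: 0.16, 0.08, 0.02
USER     TTY      FROM             LOGIN@  IDLE WHAT
tecnologia d0     -                07Nov16 16days -cli (cli)
tecnologia p1     10.10.0.240      Wed04PM 19:26 -cli (cli)
tecnologia p5     10.10.90.2       26Oct16 28days -cli (cli)
"""


def split_endpoint(endpoint):
    """Split BSD-style 'address.port' into (address, port); port is None for '*'."""
    addr, _, port = endpoint.rpartition(".")
    return addr, int(port) if port.isdigit() else None


def established_mgmt(conn_text):
    """Return (service, remote_ip, remote_port) for ESTABLISHED TCP sessions
    whose local port is a management port."""
    sessions = []
    for line in conn_text.splitlines():
        f = line.split()
        if len(f) != 6 or not f[0].startswith("tcp") or f[5] != "ESTABLISHED":
            continue
        _, lport = split_endpoint(f[3])
        raddr, rport = split_endpoint(f[4])
        if lport in MGMT_PORTS:
            sessions.append((MGMT_PORTS[lport], raddr, rport))
    return sessions


def logged_in_counts(users_text):
    """Count logged-in sessions per source address (console logins show '-')."""
    counts = Counter()
    in_table = False
    for line in users_text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "USER":          # header row; data rows follow
            in_table = True
            continue
        if in_table and len(f) >= 3 and f[2] != "-":
            counts[f[2]] += 1
    return counts


def unaccounted_sessions(conn_text, users_text):
    """Management connections in excess of the logged-in users from the same
    source: candidates for sessions still sitting at the login prompt.
    Matching is by count per source IP, so when one host has both kinds of
    session, which of its connections is flagged is arbitrary."""
    remaining = logged_in_counts(users_text)
    flagged = []
    for service, raddr, rport in established_mgmt(conn_text):
        if remaining[raddr] > 0:
            remaining[raddr] -= 1
        else:
            flagged.append((service, raddr, rport))
    return flagged


if __name__ == "__main__":
    for service, raddr, rport in unaccounted_sessions(CONNECTIONS, USERS):
        print(f"{service} session from {raddr}:{rport} has no logged-in user")
```

A single snapshot also catches legitimate logins that are still in progress, so a source is only interesting when it stays flagged across repeated samples.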

Re: [j-nsp] MX 14.2R7 / PR1177571

2016-11-08 Thread David Lockuan
Hi all,

I have the same issue, but only on the RE-2000; on the RE-18000-x4 this alarm
didn't appear.

I found PR1207864, which says that this issue is a false positive.

I reviewed these alarms on the RE-2000, and I noted that the
partition (ad2) was mounted correctly. I think that the SW is looking for
partition /dev/ad1 when the system is mounted as partition /dev/ad2.

I hope this helps you.

BR,

---
David


On Tue, Nov 8, 2016 at 6:56 AM, Theo Voss  wrote:

> Hi Santi,
>
> upgrade from 14.2R6.5 to R7.5, also on two different RE types (1800x4,
> 2000).
>
> Best regards,
> Theo
>
> From: santiago martinez
> Date: Monday, 7 November 2016 at 15:02
> To: Theo Voss, Martin T
> Cc: "juniper-nsp@puck.nether.net"
> Subject: Re: [j-nsp] MX 14.2R7 / PR1177571
>
> Hi Theo and Martin,
> That's weird, was it a direct upgrade or did you have an interim release?
> We hit the PR several times but it always cleared without any issues.
> The only diff I can see is that we used 14.2r6s2.2.
>
> Cheers.
> Santi
>
>
> On Mon, 7 Nov 2016 at 13:22, Theo Voss ( l...@theo-voss.de>>) wrote:
> Hi Martin,
>
> same issue here, and I know a third provider with the same problem. We've
> stopped upgrading until 14.2R8 will be released.
>
> Best regards,
> Theo
>
> -Original Message-
> From: Martin T >
> Date: Monday, 7 November 2016 at 14:19
> To: Theo Voss >
> Cc: "juniper-nsp@puck.nether.net" <
> juniper-nsp@puck.nether.net>
> Subject: Re: [j-nsp] MX 14.2R7 / PR1177571
>
> Theo,
>
> did you manage to find a solution for this? We were able to replicate
> this behavior in lab and even system reboot did not clear the alarm
> message.
>
>
> thanks,
> Martin
>
> On Wed, Oct 26, 2016 at 4:30 PM, Olivier Benghozi
> > wrote:
> > Here the alarm (detected on the re0 in older version) disappeared as
> soon as re1 (in newer version) took mastership in the chassis (non-GRES
> switchover, as specified in JunOS updating documents).
> >
> >> On 26 Oct 2016 at 15:19, Theo Voss  @theo-voss.de>> wrote:
> >>
> >> Hi Santiago,
> >>
> >> did the alarm disappear after the 2nd RE was detected with the same
> software or after a complete reboot?
> >>
> >> Best regards,
> >> Theo
> >>
> >> From: santiago martinez >
> >> Date: Wednesday, 26 October 2016 at 15:15
> >> To: Theo Voss >
> >> Cc: "juniper-nsp@puck.nether.net" <
> juniper-nsp@puck.nether.net>, Olivier
> Benghozi >
> >> Subject: Re: [j-nsp] MX 14.2R7 / PR1177571
> >>
> >> Hi there, yes we did hit the same PR.
> >>
> >> the alarm was raised during the upgrade and completely disappeared after
> both REs were running the same code version (14.2R6).
> >>
> >> Regards
> >>
> >> santiago
> >>
> >>
> >> On 26 Oct 2016 12:00, "Theo Voss"  @theo-voss.de> >>
> wrote:
> >> Hi Olivier,
> >>
> >> thanks for your reply. Yes, /var is correctly mounted.
> >>
> >> Best regards,
> >> Theo
> >>
> >> -Original Message-
> >> From: juniper-nsp   puck.nether.net>> on behalf
> of Olivier Benghozi  wifirst.fr>  bengh...@wifirst.fr>>>
> >> Date: Wednesday, 26 October 2016 at 10:59
> >> To: "juniper-nsp@puck.nether.net
> >"
>   juniper-nsp@puck.nether.net>>
> >> Subject: Re: [j-nsp] MX 14.2R7 / PR1177571
> >>
> >> Yes but with 14.2R6 on re0 and 15.1R4 on re1 (so, during the update).
> >>
> >> Did you check that /var was properly mounted on re1? :)
> >>
> >> > On 26 Oct 2016 at 10:53, Theo Voss  @theo-voss.de> >> wrote:
> >> >
> >> > we've upgraded two of our MXs (MX960, 1800x4-32) to 14.2R7 and ran
> into PR1177571 which should already be fixed in R7.
> >> >
> >> > router> show version invoke-on all-routing-engines | match boot
> >> > JUNOS Base OS boot [14.2R7.5]
> >> > JUNOS Base OS boot [14.2R7.5]
> >> >
> >> > router> show 

Re: [j-nsp] CGNat PBA - MX104 w/MS-MIC

2016-04-24 Thread David Lockuan
Hi Aaron,

I think that the error message is because of the block-size of PBA.

According to the best practice, the block-size should be a power of 2 (check the
link
http://www.juniper.net/techpubs/en_US/junos14.1/topics/concept/nat-best-practices.html#jd0e110
).

Read the best practice and try again.

Best regards,

David.

On Friday, April 22, 2016, Aaron  wrote:

> Ugh, I hate when it clumps it all together like that... here it is again,
> hopefully that's better...
>
>
> agould@eng-lab-mx104-cgn> show configuration services service-set
> cgn-sset |
> display set
>
> set services service-set cgn-sset syslog host 172.22.14.247 services any
>
> set services service-set cgn-sset syslog host 172.22.14.247
> facility-override daemon
>
> set services service-set cgn-sset syslog host 172.22.14.247 class
> session-logs open
>
> set services service-set cgn-sset syslog host 172.22.14.247 class nat-logs
>
> set services service-set cgn-sset syslog host 172.22.14.247 source-address
> 10.101.12.243
>
> set services service-set cgn-sset nat-rules rule1
>
> set services service-set cgn-sset next-hop-service inside-service-interface
> ms-1/0/0.1
>
> set services service-set cgn-sset next-hop-service
> outside-service-interface
> ms-1/0/0.2
>
>
> agould@eng-lab-mx104-cgn> show configuration services nat | display set
>
> set services nat pool nat1 address-range low 1.2.3.128 high 1.2.3.255
>
> set services nat pool nat1 port automatic
>
> set services nat rule rule1 match-direction input
>
> set services nat rule rule1 term other1 from source-address 10.144.0.0/24
>
> set services nat rule rule1 term other1 then translated source-pool nat1
>
> set services nat rule rule1 term other1 then translated translation-type
> napt-44
>
> - Aaron
>
>
>
>


-- 

---
David Lockuán
JNCIA-E
JNCIS-E
JNCIA-Junos
JNCIS-SP
JNCIP-SP

[j-nsp] Junos PyEz on Solaris 10.

2016-03-23 Thread David Lockuan
Hi all,

I am testing Junos automation with PyEZ. I have installed it on Ubuntu
and it works fine.

But my customer has a desktop PC with Solaris 10 and they want to test this
Junos Python library on their PC.

I reviewed the documentation about this, but it doesn't show
anything about installing on Solaris, so I would like to know if somebody
has tested it on Solaris.

Thanks in advance for your comments.

---
David.


Re: [j-nsp] Question about 100 Gbps MPC4E

2015-01-30 Thread David Lockuan
Hi Giuliano,

If you read the documentation, the SA-Multicast option is for
interoperability between MPC4E and PIC 100G FPC4 (Juniper devices). This
is because the PIC 100G for FPC4 has 2 PFEs of 50 Gbps.

If you are going to connect MX and ASR at 100G, you need to use the
vlan-steering configuration, which is for interoperability between different
vendors.

Br,

---
David


On Fri, Jan 30, 2015 at 4:16 AM, Damian Holdcroft 
damian.holdcr...@gmail.com wrote:

 I believe that configuration option is only required when connecting to
 100GE cards in type-4 FPCs in T-series. You shouldn't need it to connect to
 an ASR9K.

 Cheers,
 Damian


Re: [j-nsp] MX80 port-mirror config

2014-05-31 Thread David Lockuan
Hi Matthew,

You are using port-mirror for layer 3 traffic (in your filter you are using
family inet). If you want to mirror layer 2 traffic, you need to
use a bridge-domain and put the filter in family bridge.

At the following link, you can check the different types of layer 2 mirroring.

http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/layer-2-services-port-mirroring-application.html

I hope this helps you.

Best regards,

---
David


On Sat, May 31, 2014 at 11:15 AM, Matthew Crocker matt...@corp.crocker.com
wrote:



 Hello,

  I’m trying to setup a port-mirror to see the traffic in/out on a XE
 interface of my MX80.  The port-mirror is working but it is only showing
 layer 3, not layer 2 data. I would like to be able to see the VLAN  MAC
 addresses used in the original packets.  Right now the Ethernet frame info
 is Juniper - Wireshark

 Anyone know what I can do to make this show all the data?

 interface ge-1/3/3 {
     description "Wireshark port-mirror destination";
     enable;
     mtu 9192;
     unit 0 {
         family inet {
             address 192.168.10.10/24;
         }
     }
 }

 interfaces xe-0/0/2 {
     enable;
     flexible-vlan-tagging;
     mtu 9192;
     unit 1155 {
         vlan-id 1155;
         family inet {
             filter {
                 input port-mirror;
                 output port-mirror;
             }
             address A.B.C.D/25;
         }
     }
 }

 port-mirroring {
     input {
         rate 1;
         maximum-packet-length 9216;
     }
     family inet {
         output {
             interface ge-1/3/3.0 {
                 next-hop 192.168.10.2;   — IP of linux machine running tcpdump/wireshark
             }
         }
     }
 }

 firewall {
     family inet {
         filter port-mirror {
             term pcap {
                 then {
                     port-mirror;
                     accept;
                 }
             }
         }
     }
 }



 --
 Matthew S. Crocker
 President
 Crocker Communications, Inc.
 PO BOX 710
 Greenfield, MA 01302-0710

 E: matt...@crocker.com
 P: (413) 746-2760
 F: (413) 746-3704
 W: http://www.crocker.com






Re: [j-nsp] 6pe between Cisco and Juniper

2012-09-03 Thread David Lockuan
Hi Mihai,

I think that your scheme is a topology of IPv6 over an IPv4 cloud. If you
want to test 6PE in this scenario, you need to configure some steps:

1.- Configure family inet6 on the CE-facing and core interfaces.
2.- Configure on protocols mpls: ipv6-tunneling
3.- Configure on protocols bgp: capability labeled-unicast explicit-null on
inet6.

I used this link as reference:

http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/fg-ipv6-islands-to-ipv4-mpls-tc/fg-ipv6-islands-to-ipv4-mpls-tc.pdf

I hope this can help you.

BR

---
David



On Mon, Sep 3, 2012 at 10:30 AM, Mihai Gabriel mihaigabr...@gmail.com wrote:

 I thought so, but Juniper doesn't let me:

 juniper# commit check
 re0:
 [edit protocols]
   'bgp'
 Error in neighbor 10.10.10.20 of group test:
 peer cannot have both inet6 unicast and inet6 labeled-unicast nlri



 On Mon, Sep 3, 2012 at 6:22 PM, Colby Barth cba...@juniper.net wrote:

  Mihai-
 
  Based on the error message:
 
  peer: inet-unicast inet6-unicast inet6-labeled-unicast(273) us:
  inet-unicast inet6-labeled-unicast(257)
 
  You need to enable the unicast address family under ipv6
 
  set protocols bgp group test family inet6 unicast
 
  -cb
 
  On Sep 3, 2012, at 11:04 AM, Mihai Gabriel wrote:
 
   Hello,
   Did any of you manage to  configure a bgp session between Cisco and
  Juniper
   using family inet6 labeled-unicast on Juniper? I am trying to configure
  6PE
   but the bgp session does not come up because Juniper does not send
   ipv6-unicast capability to Cisco
  
   Juniper config:
  
   group test {
       type internal;
       local-address 10.10.10.10;
       import pol-reject-any;
       family inet {
           unicast;
       }
       family inet6 {
           labeled-unicast {
               explicit-null;
           }
       }
       export pol-reject-any;
       neighbor 10.10.10.20;
   }
  
   Cisco config:
  
   neighbor test peer-group
   neighbor test remote-as 65500
   neighbor test update-group loopback0
  
   address-family ipv4
   neighbor test send-community
   neighbor test send-label
   neighbor 10.10.10.10 activate
  
   address-family ipv6
   neighbor test send-community
   neighbor test send-label
   neighbor 10.10.10.10 activate
  
  
   and the error:
  
   Sep  3 17:33:31  juniper rpd[2115]: bgp_process_caps: mismatch NLRI
 with
   10.10.10.20 (Internal AS 65500):
   peer: inet-unicast inet6-unicast inet6-labeled-unicast(273) us:
   inet-unicast inet6-labeled-unicast(257)
  
   Any advice?


Re: [j-nsp] dual stack bandwidth limitation on E-series

2012-06-22 Thread David Lockuan
Hi Roman,

About your question, the LM10 for E320 and E120 doesn't support, for the
moment, external-parent group; this feature should be in release
14.1.x of JunosE.

In my case, we are using a QoS profile to limit the downstream traffic, and
the upstream limit will be done in the DSLAM.

Hope I have helped you.

---
David


On Fri, Jun 22, 2012 at 2:55 PM, Roman A. Nozdrin drr...@ya.ru wrote:

 Hello All,

 I'm trying to introduce commercial IPv6 services for pppoe customers in my
 network. I realized that I don't know how to put an aggregated limitation
 on both (ipv4/v6) downstreams. I've tried compound shared shaping and
 external parent group policing. Both features don't work the way I want.
 I'll appreciate any ideas how to put aggregated shaper or policer using
 E-120 with LM-10 cards.

 Roman


Re: [j-nsp] bgp ipv6 route problem

2012-03-19 Thread David Lockuan
Hi bruno,

I am working with Junos 10.4R9.2 and I have both schemes, 6PE and 6VPE. I read
the comments and I think that you need to configure the command
ipv6-tunneling inside protocols mpls. This command permits installing
the IPv6 routes and forwarding the IPv6 traffic.

Best regards,

---
David



On Sat, Mar 17, 2012 at 8:07 AM, bruno bruno.juni...@gmail.com wrote:

 I am using 10.4R9.2. It did change it to :: when I advertise the bgp
 route as next-hop. When I add an ipv6 route on the interface,
 the router receives the route from the peer and does not ignore it any more. BUT is this
 the right way to do it? Any other solution? Any advice is welcome.
 lab@test# run show version
 Hostname: test
 Model: olive
 JUNOS Base OS boot [10.4R9.2]
 JUNOS Base OS Software Suite [10.4R9.2]
 JUNOS Kernel Software Suite [10.4R9.2]
 JUNOS Crypto Software Suite [10.4R9.2]
 JUNOS Packet Forwarding Engine Support (M/T Common) [10.4R9.2]
 JUNOS Packet Forwarding Engine Support (M20/M40) [10.4R9.2]








 -- Original --
 From:  Per Granathper.gran...@gcc.com.cy;
 Date:  Sat, Mar 17, 2012 02:42 PM
 To:  brunobruno.juni...@gmail.com;
 Cc:  Kazmierczak, Tomasz (NSN - US/Irving)tomasz.kazmierc...@nsn.com;
 juniper-nspjuniper-nsp@puck.nether.net;
 Subject:  Re: [j-nsp] bgp ipv6 route problem


 Are you sure you are not running Junos 11.x ?

 I said before it was in 10.4 that mapped addresses changed from :: to
 ::: but it was probably from 11.1. Been some time since I looked into
 it.

 Have a look at the Day One book Advanced IPv6 Configuration for an example
 with :::.


Re: [j-nsp] Decode $9$ encrypted Junos secrets

2012-03-19 Thread David Lockuan
Thanks Matt,

This is a good tool.

Best regards,

---
David


On Mon, Mar 19, 2012 at 4:23 PM, Matt Hite li...@beatmixed.com wrote:

 Greetings,

 Threw this together a few days ago to recover $9$ encrypted Junos
 passwords (RADIUS secrets, BGP MD5's, etc.).

 It is ported from this Perl library:


 http://cpansearch.perl.org/src/KBRINT/Crypt-Juniper-0.02/lib/Crypt/Juniper.pm

 to a Python 2.7 script:

 https://github.com/mhite/junosdecode

 Remember to escape your $'s on the CLI when launching the script:

 $ ./junosdecode.py \$9\$U-iqf36A1cSTzRSreXxDik.Tzn/CuBI
 junos password decrypter
 python version by matt hite
 original perl version by kevin brintnall

 encrypted version: $9$U-iqf36A1cSTzRSreXxDik.Tzn/CuBI
 decrypted version: juiper123

 Thanks,

 -M


[j-nsp] Monitoring interface 100G by MRTG

2011-10-12 Thread David Lockuan
Hi guys,

We have new 100G interfaces in a T1600 and the question came up:
what is the best way to monitor the 100G interface? The first option
is to monitor both et- interfaces and the second option is to monitor only
the LAG interface.

Could someone recommend which option is best?

Best regards,

---
David


[j-nsp] Bad time and date on firewall log.

2011-06-08 Thread David Lockuan
Hi guys,

I was testing the firewall filter on an MX960 with release 10.4R1.9 and I
noticed that the time and date of the firewall logs were wrong. I did an
upgrade to release 10.4R4.5 and the issue continues.

*
{master}
test@MX960-LAB-RE0 show version
Hostname: MX960-LAB-RE0
Model: mx960
JUNOS Base OS boot [10.4R4.5]
JUNOS Base OS Software Suite [10.4R4.5]
JUNOS Kernel Software Suite [10.4R4.5]
JUNOS Crypto Software Suite [10.4R4.5]
JUNOS Packet Forwarding Engine Support (M/T Common) [10.4R4.5]
JUNOS Packet Forwarding Engine Support (MX Common) [10.4R4.5]
JUNOS Online Documentation [10.4R4.5]
JUNOS Voice Services Container package [10.4R4.5]
JUNOS Border Gateway Function package [10.4R4.5]
JUNOS Services AACL Container package [10.4R4.5]
JUNOS Services LL-PDF Container package [10.4R4.5]
JUNOS Services PTSP Container package [10.4R4.5]
JUNOS Services Stateful Firewall [10.4R4.5]
JUNOS Services NAT [10.4R4.5]
JUNOS Services Application Level Gateways [10.4R4.5]
JUNOS Services Captive Portal and Content Delivery Container package
[10.4R4.5]
JUNOS Services RPM [10.4R4.5]
JUNOS AppId Services [10.4R4.5]
JUNOS IDP Services [10.4R4.5]
JUNOS Runtime Software Suite [10.4R4.5]
JUNOS Routing Software Suite [10.4R4.5]

{master}
nsn@MX960-LAB-RE0 show firewall log detail
Time of Log: 1969-12-31 19:19:47 PET, Filter: pfe, Filter action: accept,
Name of interface: ge-7/0/4.2040
Name of protocol: RSVP, Packet Length: 140, Source address: 10.113.0.18,
Destination address: 10.113.0.17
Time of Log: 1969-12-31 19:19:46 PET, Filter: pfe, Filter action: accept,
Name of interface: ge-7/0/4.2000
Name of protocol: RSVP, Packet Length: 52, Source address: 10.113.0.2,
Destination address: 10.113.0.1
Time of Log: 1969-12-31 19:19:46 PET, Filter: pfe, Filter action: accept,
Name of interface: ge-7/0/4.2040
Name of protocol: RSVP, Packet Length: 52, Source address: 10.113.0.18,
Destination address: 10.113.0.17
Time of Log: 1969-12-31 19:19:42 PET, Filter: pfe, Filter action: accept,
Name of interface: ge-7/0/4.2000
Name of protocol: RSVP, Packet Length: 148, Source address: 10.113.0.2,
Destination address: 10.113.0.1
Time of Log: 1969-12-31 19:19:37 PET, Filter: pfe, Filter action: accept,
Name of interface: ge-7/0/4.2000
Name of protocol: RSVP, Packet Length: 52, Source address: 10.113.0.2,
Destination address: 10.113.0.1
Time of Log: 1969-12-31 19:19:37 PET, Filter: pfe, Filter action: accept,
Name of interface: ge-7/0/4.2040
Name of protocol: RSVP, Packet Length: 52, Source address: 10.113.0.18,
Destination address: 10.113.0.17
Time of Log: 1969-12-31 19:19:28 PET, Filter: pfe, Filter action: accept,
Name of interface: ge-7/0/4.2000
Name of protocol: RSVP, Packet Length: 52, Source address: 10.113.0.2,
Destination address: 10.113.0.1
Time of Log: 1969-12-31 19:19:28 PET, Filter: pfe, Filter action: accept,
Name of interface: ge-7/0/4.2040
Name of protocol: RSVP, Packet Length: 52, Source address: 10.113.0.18,
Destination address: 10.113.0.17

{master}
test@MX960-LAB-RE0 show configuration logical-systems was firewall
filter test_arfc {
term 1 {
then {
log;
accept;
}
}
}

{master}
test@MX960-LAB-RE0 show system uptime
Current time: 2011-06-08 12:50:53 PET
System booted: 2011-06-08 12:25:55 PET (00:24:58 ago)
Protocols started: 2011-06-08 12:26:56 PET (00:23:57 ago)
Last configured: 2011-06-08 12:18:26 PET (00:32:27 ago) by root
12:50PM  up 25 mins, 1 user, load averages: 0.02, 0.02, 0.05

*

Has anyone had a similar problem?

Thanks in advance,

---
David


Re: [j-nsp] RE : Bad time and date on firewall log.

2011-06-08 Thread David Lockuan
Hi David,

Here is the output of the command request pfe execute...

*
{master}
test@MX960-LAB-RE0 request pfe execute command show sntp target fpc7
SENT: Ukern command: show sntp
GOT:
GOT: SNTP status:
GOT:  current time:  Jan  1 02:54:24.583
GOT:  last SNTP update time: (null)
GOT:  seconds since last update: 10464
GOT:  last update interval:  64.000 seconds
GOT:
GOT:  last time offset:  0us
GOT:  last frequency offset: 0.000 PPM
GOT:  last RTT delay:0us
GOT:  Good SNTP updates: 0
GOT:  Bad SNTP updates:  0
GOT:  Number of overflows:   0
LOCAL: End of file

{master}
test@MX960-LAB-RE0 request pfe execute command show sntp target fpc0
SENT: Ukern command: show sntp
GOT:
GOT: SNTP status:
GOT:  current time:  Jan  1 02:54:41.158
GOT:  last SNTP update time: (null)
GOT:  seconds since last update: 10481
GOT:  last update interval:  64.000 seconds
GOT:
GOT:  last time offset:  0us
GOT:  last frequency offset: 0.000 PPM
GOT:  last RTT delay:0us
GOT:  Good SNTP updates: 0
GOT:  Bad SNTP updates:  0
GOT:  Number of overflows:   0
LOCAL: End of file

{master}
test@MX960-LAB-RE0
*

I note that the date is different from the system uptime. Do you know how we
can change the date and time of the PFE?

thanks for all,

BR,

---
David

On Wed, Jun 8, 2011 at 2:19 PM, david@orange-ftgroup.com wrote:

 Hi,

 Did you try to check the time at PFE level :

 request pfe execute command show sntp target fpcX

 Regards,
 David
 
 From: juniper-nsp-boun...@puck.nether.net [
 juniper-nsp-boun...@puck.nether.net] on behalf of David Lockuan [
 dlock...@gmail.com]
 Sent: Wednesday, 8 June 2011 19:52
 To: juniper-nsp@puck.nether.net
 Subject: [j-nsp] Bad time and date on firewall log.

 Hi guys,

 I was testing the firewall filter on an MX960 with release 10.4R1.9 and I
 noticed that the time and date of the firewall logs were wrong. I did an
 upgrade to release 10.4R4.5 and the issue continues.


 *
 {master}
 test@MX960-LAB-RE0 show version
 Hostname: MX960-LAB-RE0
 Model: mx960
 JUNOS Base OS boot [10.4R4.5]
 JUNOS Base OS Software Suite [10.4R4.5]
 JUNOS Kernel Software Suite [10.4R4.5]
 JUNOS Crypto Software Suite [10.4R4.5]
 JUNOS Packet Forwarding Engine Support (M/T Common) [10.4R4.5]
 JUNOS Packet Forwarding Engine Support (MX Common) [10.4R4.5]
 JUNOS Online Documentation [10.4R4.5]
 JUNOS Voice Services Container package [10.4R4.5]
 JUNOS Border Gateway Function package [10.4R4.5]
 JUNOS Services AACL Container package [10.4R4.5]
 JUNOS Services LL-PDF Container package [10.4R4.5]
 JUNOS Services PTSP Container package [10.4R4.5]
 JUNOS Services Stateful Firewall [10.4R4.5]
 JUNOS Services NAT [10.4R4.5]
 JUNOS Services Application Level Gateways [10.4R4.5]
 JUNOS Services Captive Portal and Content Delivery Container package
 [10.4R4.5]
 JUNOS Services RPM [10.4R4.5]
 JUNOS AppId Services [10.4R4.5]
 JUNOS IDP Services [10.4R4.5]
 JUNOS Runtime Software Suite [10.4R4.5]
 JUNOS Routing Software Suite [10.4R4.5]

 {master}
 nsn@MX960-LAB-RE0 show firewall log detail
 Time of Log: 1969-12-31 19:19:47 PET, Filter: pfe, Filter action: accept,
 Name of interface: ge-7/0/4.2040
 Name of protocol: RSVP, Packet Length: 140, Source address: 10.113.0.18,
 Destination address: 10.113.0.17
 Time of Log: 1969-12-31 19:19:46 PET, Filter: pfe, Filter action: accept,
 Name of interface: ge-7/0/4.2000
 Name of protocol: RSVP, Packet Length: 52, Source address: 10.113.0.2,
 Destination address: 10.113.0.1
 Time of Log: 1969-12-31 19:19:46 PET, Filter: pfe, Filter action: accept,
 Name of interface: ge-7/0/4.2040
 Name of protocol: RSVP, Packet Length: 52, Source address: 10.113.0.18,
 Destination address: 10.113.0.17
 Time of Log: 1969-12-31 19:19:42 PET, Filter: pfe, Filter action: accept,
 Name of interface: ge-7/0/4.2000
 Name of protocol: RSVP, Packet Length: 148, Source address: 10.113.0.2,
 Destination address: 10.113.0.1
 Time of Log: 1969-12-31 19:19:37 PET, Filter: pfe, Filter action: accept,
 Name of interface: ge-7/0/4.2000
 Name of protocol: RSVP, Packet Length: 52, Source address: 10.113.0.2,
 Destination address: 10.113.0.1
 Time of Log: 1969-12-31 19:19:37 PET, Filter: pfe, Filter action: accept,
 Name of interface: ge-7/0/4.2040
 Name of protocol: RSVP, Packet Length: 52, Source address: 10.113.0.18,
 Destination address: 10.113.0.17
 Time of Log: 1969-12-31 19:19:28 PET, Filter: pfe, Filter action: accept,
 Name of interface: ge-7/0/4.2000
 Name of protocol: RSVP, Packet Length: 52, Source address: 10.113.0.2,
 Destination address: 10.113.0.1
 Time of Log: 1969-12-31 19:19:28 PET, Filter: pfe, Filter action

Re: [j-nsp] RE : RE : RE : Bad time and date on firewall log.

2011-06-08 Thread David Lockuan
Thanks David,

I tested it and it's working correctly. In my case, it wasn't necessary to
configure the loopback address on the interface lo0, maybe because I am using
logical-systems, but I will take your recommendation into account.

Best regards,

---
David Lockuán
JNCIA-E
JNCIS-E
JNCIA-M
JNCIS-M


On Wed, Jun 8, 2011 at 4:19 PM, david@orange-ftgroup.com wrote:

 Oops, I forgot: set interface lo0 unit 0 family inet address 127.0.0.1

 
 From: juniper-nsp-boun...@puck.nether.net [juniper-nsp-boun...@puck.nether.net]
 on behalf of david@orange-ftgroup.com [david@orange-ftgroup.com]
 Sent: Wednesday, June 8, 2011 23:01
 To: David Lockuan
 Cc: juniper-nsp@puck.nether.net
 Subject: [j-nsp] RE : RE :  Bad time and date on firewall log.

 yep ! So I guess you don't use NTP.

 Try this :

 edit ex
  set system ntp boot-server 127.0.0.1
  set system ntp server 127.0.0.1
 commit sync and-quit

 And check RE system uptime and sntp at PFE level

 I believe it works but I don't know if it's supported by Juniper ;-)

 Regards,
 David


 
 From: David Lockuan [dlock...@gmail.com]
 Sent: Wednesday, June 8, 2011 22:26
 To: ROY David DTF/DERX
 Cc: juniper-nsp@puck.nether.net
 Subject: Re: RE : [j-nsp] Bad time and date on firewall log.

 Hi David,

 Here the output of the command request pfe execute...


 *
 {master}
 test@MX960-LAB-RE0 request pfe execute command show sntp target fpc7
 SENT: Ukern command: show sntp
 GOT:
 GOT: SNTP status:
 GOT:  current time:  Jan  1 02:54:24.583
 GOT:  last SNTP update time: (null)
 GOT:  seconds since last update: 10464
 GOT:  last update interval:  64.000 seconds
 GOT:
 GOT:  last time offset:  0us
 GOT:  last frequency offset: 0.000 PPM
 GOT:  last RTT delay:0us
 GOT:  Good SNTP updates: 0
 GOT:  Bad SNTP updates:  0
 GOT:  Number of overflows:   0
 LOCAL: End of file

 {master}
 test@MX960-LAB-RE0 request pfe execute command show sntp target fpc0
 SENT: Ukern command: show sntp
 GOT:
 GOT: SNTP status:
 GOT:  current time:  Jan  1 02:54:41.158
 GOT:  last SNTP update time: (null)
 GOT:  seconds since last update: 10481
 GOT:  last update interval:  64.000 seconds
 GOT:
 GOT:  last time offset:  0us
 GOT:  last frequency offset: 0.000 PPM
 GOT:  last RTT delay:0us
 GOT:  Good SNTP updates: 0
 GOT:  Bad SNTP updates:  0
 GOT:  Number of overflows:   0
 LOCAL: End of file

 {master}
 test@MX960-LAB-RE0

 *

 I note that the date is different from the system uptime. Do you know how
 we can change the date and time of the PFE?

 thanks for all,

 BR,

 ---
 David

 On Wed, Jun 8, 2011 at 2:19 PM, david@orange-ftgroup.com wrote:
 Hi,

 Did you try to check the time at PFE level :

 request pfe execute command show sntp target fpcX

 Regards,
 David
 
 From: juniper-nsp-boun...@puck.nether.net [juniper-nsp-boun...@puck.nether.net]
 on behalf of David Lockuan [dlock...@gmail.com]
 Sent: Wednesday, June 8, 2011 19:52
 To: juniper-nsp@puck.nether.net
 Subject: [j-nsp] Bad time and date on firewall log.

 Hi guys,

 I was testing the firewall filter on an MX960 with release 10.4R1.9 and I
 noted that the time and date of the firewall logs were wrong. I am doing an
 upgrade to release 10.4R4.5 and the issue continues.


 *
 {master}
 test@MX960-LAB-RE0 show version
 Hostname: MX960-LAB-RE0
 Model: mx960
 JUNOS Base OS boot [10.4R4.5]
 JUNOS Base OS Software Suite [10.4R4.5]
 JUNOS Kernel Software Suite [10.4R4.5]
 JUNOS Crypto Software Suite [10.4R4.5]
 JUNOS Packet Forwarding Engine Support (M/T Common) [10.4R4.5]
 JUNOS Packet Forwarding Engine Support (MX Common) [10.4R4.5]
 JUNOS Online Documentation [10.4R4.5]
 JUNOS Voice Services Container package [10.4R4.5]
 JUNOS Border Gateway Function package [10.4R4.5]
 JUNOS Services AACL Container package [10.4R4.5]
 JUNOS Services LL-PDF Container package [10.4R4.5]
 JUNOS Services PTSP Container package [10.4R4.5]
 JUNOS Services Stateful Firewall [10.4R4.5]
 JUNOS Services NAT [10.4R4.5]
 JUNOS Services Application Level Gateways [10.4R4.5]
 JUNOS Services Captive Portal and Content Delivery Container package
 [10.4R4.5]
 JUNOS Services RPM [10.4R4.5]
 JUNOS AppId Services [10.4R4.5]
 JUNOS IDP Services [10.4R4.5]
 JUNOS Runtime Software Suite [10.4R4.5]
 JUNOS Routing Software Suite [10.4R4.5]

 {master}
 nsn@MX960-LAB-RE0 show firewall log
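
The symptom in this thread (firewall log records stamped 1969-12-31 while the PFE reports no SNTP updates) can be checked mechanically before such logs are used as evidence. The Python below is an added example, not code from the thread or from Juniper; it parses the two outputs quoted in the thread. The sample text is constructed in the shape of those outputs, and the third log record, the PET-to-UTC-5 mapping and the year-2000 sanity floor are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: only the zone abbreviations needed here are mapped (PET is UTC-5).
TZ_OFFSETS = {"PET": timedelta(hours=-5), "UTC": timedelta(0)}
# Assumption: a record stamped before this date means the clock was never set.
SANITY_FLOOR = datetime(2000, 1, 1, tzinfo=timezone.utc)

LABELS = ["Time of Log", "Filter action", "Filter", "Name of interface",
          "Name of protocol", "Packet Length", "Source address",
          "Destination address"]
ALT = "|".join(LABELS)
# One "label: value" pair; the value ends at the next known label or at the end.
FIELD_RE = re.compile(rf"({ALT}):\s*(.*?)\s*,?\s*(?=(?:{ALT}):|$)")

# Constructed sample: two records shaped like the thread's output, plus one
# constructed record with a plausible timestamp for contrast.
FIREWALL_LOG = """\
Time of Log: 1969-12-31 19:19:47 PET, Filter: pfe, Filter action: accept,
Name of interface: ge-7/0/4.2040
Name of protocol: RSVP, Packet Length: 140, Source address: 10.113.0.18,
Destination address: 10.113.0.17
Time of Log: 1969-12-31 19:19:46 PET, Filter: pfe, Filter action: accept,
Name of interface: ge-7/0/4.2000
Name of protocol: RSVP, Packet Length: 52, Source address: 10.113.0.2,
Destination address: 10.113.0.1
Time of Log: 2011-06-08 17:30:02 PET, Filter: pfe, Filter action: accept,
Name of interface: ge-7/0/4.2000
Name of protocol: RSVP, Packet Length: 52, Source address: 10.113.0.2,
Destination address: 10.113.0.1
"""

# Constructed sample shaped like the "show sntp" PFE output in the thread.
SNTP_OUTPUT = """\
SENT: Ukern command: show sntp
GOT:
GOT: SNTP status:
GOT:  current time:  Jan  1 02:54:24.583
GOT:  last SNTP update time: (null)
GOT:  seconds since last update: 10464
GOT:  Good SNTP updates: 0
GOT:  Bad SNTP updates:  0
LOCAL: End of file
"""


def parse_firewall_log(text):
    """Split wrapped 'show firewall log detail' text into one dict per record."""
    flat = " ".join(text.split())          # undo the line wrapping
    records = []
    for chunk in re.split(r"(?=Time of Log:)", flat):
        fields = dict(FIELD_RE.findall(chunk.strip()))
        if "Time of Log" in fields:
            records.append(fields)
    return records


def to_utc(stamp):
    """Convert 'YYYY-MM-DD HH:MM:SS ZONE' to an aware UTC datetime."""
    text, zone = stamp.rsplit(" ", 1)
    if zone not in TZ_OFFSETS:
        raise ValueError(f"unmapped time zone abbreviation: {zone}")
    naive = datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone(TZ_OFFSETS[zone])).astimezone(timezone.utc)


def suspect_records(records):
    """Records whose timestamp predates the sanity floor (clock never set)."""
    return [r for r in records if to_utc(r["Time of Log"]) < SANITY_FLOOR]


def parse_sntp(text):
    """Collect the 'GOT:  key: value' lines of the PFE SNTP status."""
    status = {}
    for line in text.splitlines():
        m = re.match(r"GOT:\s+([^:]+):\s*(.*)$", line.strip())
        if m:
            status[m.group(1).strip()] = m.group(2).strip()
    return status


def pfe_clock_findings(status):
    """Report whether the PFE clock was ever synced and whether it is simply
    counting up from zero (the output prints no year, so 'Jan 1' is read as
    the start of the epoch; that reading is an inference)."""
    never_synced = (status.get("Good SNTP updates") == "0"
                    and status.get("last SNTP update time") == "(null)")
    m = re.fullmatch(r"Jan\s+1\s+(\d+):(\d+):(\d+)(?:\.\d+)?",
                     status.get("current time", ""))
    since = status.get("seconds since last update", "")
    counting_from_zero = False
    if m and since.isdigit():
        h, mi, s = map(int, m.groups())
        counting_from_zero = abs(h * 3600 + mi * 60 + s - int(since)) <= 1
    return {"never_synced": never_synced, "counting_from_zero": counting_from_zero}


if __name__ == "__main__":
    recs = parse_firewall_log(FIREWALL_LOG)
    for r in suspect_records(recs):
        print("untrusted timestamp:", r["Time of Log"], "->", to_utc(r["Time of Log"]))
    print(pfe_clock_findings(parse_sntp(SNTP_OUTPUT)))
```

Records flagged this way still show which filter matched and on which interface, but their timestamps cannot be correlated with other logs until the PFE clock is synchronized.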

Re: [j-nsp] ISIS between ERX 1440 and MX960

2011-05-20 Thread David Lockuan
Hi David,

Could you try to set the authentication to md5? I say this because when I
was doing interoperability between JunOS and IOS, I noted that the simple
authentication doesn't work correctly. Maybe the hash-key is not compatible
when you use the simple authentication.

Now we are using md5 as authentication-type and point-to-point configuration
between ERX, T1600, GSR and CRS equipment.

BR,

---
David


On Fri, May 20, 2011 at 10:47 AM, Payam Chychi pchy...@gmail.com wrote:

 correction:
 point-to-point is configured under the interface on the erx

  interface blah/0

 isis network point-to-point 


 -Payam


 Payam Chychi wrote:

 Hey,

 Have you tried setting each side up as a point-to-point network? It's
 done under protocol isis

 Try that and see if it works. If so, ur dst mac on one side is getting
 filtered (by the device itself or perhaps your  provider)


 On 5/20/11, david@orange-ftgroup.com david@orange-ftgroup.com
 wrote:


 Hi,

 I don't know how to go on with the ERX. I tried many things without
 success.
 More traces below. Thanks for your help : May be a bug ?!?

 Regards,
 David


 ERX :
 ###

 interface loopback 50
  ip address x.x.x.x 255.255.255.255
  no ip redirects
 !
 interface gigabitEthernet 12/0
  mtu 4488
  ip address y.y.y.1 255.255.255.252
  no ip redirects
  ip router isis 31337
  isis circuit-type level-2-only
  isis authentication-key level-2 foo123
 !
 router isis 31337
  is-type level-2-only
  passive-interface loopback50
  net 49.0001....00
  domain-authentication psnp
  domain-authentication csnp
  domain-message-digest-key 1 hmac-md5 foo123
  metric-style wide
 !


 MX :
 ###

 ge-2/2/2 {
     mtu 4484;
     unit 0 {
         family inet {
             address y.y.y.2/30;
         }
         family iso;
     }
 }

 isis {
     level 2 {
         authentication-key ; ## SECRET-DATA = foo123
         authentication-type md5;
         wide-metrics-only;
     }
     interface ge-2/2/2.0 {
         level 1 disable;
         level 2 {
             hello-authentication-key $9$fQ39yrv8xdBIs4aJDjCtpBhS; ## SECRET-DATA = foo123
             hello-authentication-type simple;
         }
     }
 }


 Trace on MX :
 ##

 show interfaces ge-2/2/2
 Physical interface: ge-2/2/2, Enabled, Physical link is Up
  Interface index: 251, SNMP ifIndex: 556
  Description: Connection To LNS
  Link-level type: Ethernet, MTU: 4484, Speed: 1000mbps, BPDU Error: None,
 MAC-REWRITE Error: None, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled, Auto-negotiation:
 Enabled, Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x4000
  Link flags : None
  CoS queues : 8 supported, 8 maximum usable queues
  Schedulers : 0
  Current address: 84:18:88:e8:c9:9e, Hardware address: 84:18:88:e8:c9:9e
  Last flapped   : 2011-05-20 11:54:46 EEST (01:08:11 ago)
  Input rate : 6144 bps (8 pps)
  Output rate: 0 bps (0 pps)
  Active alarms  : None
  Active defects : None

  Logical interface ge-2/2/2.0 (Index 75) (SNMP ifIndex 656)
Flags: SNMP-Traps 0x400 Encapsulation: ENET2
Input packets : 27981
Output packets: 600
Protocol inet, MTU: 4470
  Flags: Sendbcast-pkt-to-re
  Addresses, Flags: Is-Preferred Is-Primary
Destination: x.x.x.x/30, Local: x.x.x.x, Broadcast: x.x.x.x
Protocol iso, MTU: 4467
 ISO MTU
Protocol multiservice, MTU: Unlimited


 monitor traffic interface ge-2/2/2.0 layer2-headers no-resolve size 4488
 verbose output suppressed, use detail or extensive for full protocol
 decode
 Address resolution is OFF.
 Listening on ge-2/2/2.0, capture size 4488 bytes

 TO ERX :

 13:04:34.156857 Out 84:18:88:e8:c9:9e  1:80:c2:0:0:15, 802.3, length
 1509:
 LLC, dsap OSI (0xfe) Individual, ssap OSI (0xfe) Command, ctrl 0x03: OSI
 NLPID IS-IS (0x83): L2 Lan IIH, src-id 2131.3905.5002, lan-id
 2131.3905.5002.00, prio 64, length 1492   PDU length including hello
 padding of the MX

 FROM ERX :

 13:04:35.450255  In 0:90:1a:41:fa:f5  1:80:c2:0:0:15, 802.3, length
 1514:
 LLC, dsap OSI (0xfe) Individual, ssap OSI (0xfe) Command, ctrl 0x03: OSI
 NLPID IS-IS (0x83): L2 Lan IIH, src-id 1921.6801.6029, lan-id
 1921.6801.6029.01, prio 64, length 1497   PDU length including hello
 padding of the ERX



 Trace on ERX :
 ##



 sho int gi 12/0
 GigabitEthernet12/0 is Up, Administrative status is Up
  Hardware is PMC 3386, address is 0090.1a41.faf5
  Primary MAU is 1000BASE-LX 10km, secondary MAU is 1000BASE-LX 10km
  MTU: Operational 4488, Administrative 4488
  MTU seems good
  Duplex Mode: Operational Full Duplex, Administrative Auto Negotiate
  Speed: Operational 1000 Mbps, Administrative Auto Negotiate
  Debounce: State is Disabled
  Link: Operational Primary Link Selected,
Administrative Link Selected Automatically
  Link Failover Timeout: Operational 727 ms, Administrative default
  Primary link selected 258 times, Secondary link selected 252 times
  

Re: [j-nsp] MX-series Redundant RE - Unable to mask fxp0 down alarm

2011-05-05 Thread David Lockuan
Hi Chris,

I have an MX960 with Junos 10.4R1.9 and I have the same problem; I had to do
a restart of the chassis-control process and the alarms were cleared.

I hope this helps you.

---
David

On Mon, May 2, 2011 at 1:03 AM, Brent Jones br...@servuhome.net wrote:

 On Sun, May 1, 2011 at 6:00 PM, Chris Kawchuk juniperd...@gmail.com
 wrote:
  Heh. Good question! I just had to double check:
 
  show config system
 commit synchronize;
 
  Thats in there.. OK let's try it manually.
 
  ckawchuk@jmx480# commit synchronize and-quit
  re0:
  configuration check succeeds
  re1:
  commit complete
  re0:
  commit complete
  Exiting configuration mode
 
  {master}
  ckawchuk@jmx480 show chassis alarms
  1 alarms currently active
  Alarm time   Class  Description
  2011-04-07 11:19:35 EST  Major  Host 1 fxp0 : Ethernet Link Down
 
  Yeah... alarm still there. No worries - it's just an annoyance more than
 anything.
 
  - Chris.
 
 
  On 2011-05-02, at 10:52 AM, OBrien, Will wrote:
 
  Silly question... You did use commit sync, correct?
 
  Will O'Brien
 
  On May 1, 2011, at 7:51 PM, Chris Kawchuk juniperd...@gmail.com
 wrote:
 
  Hi Paul..!
 
  Yeah - I tried that as well initially with no luck (and just tried
 again just now...)
 
  me@wowter show configuration chassis
  alarm {
   management-ethernet {
   link-down ignore;
   }
  }
 
  user@wowter show chassis alarms
  1 alarms currently active
  Alarm time   Class  Description
  2011-04-07 11:19:35 EST  Major  Host 1 fxp0 : Ethernet Link Down
 
  ... Which now definitely leads me to suspect it's a bug in this
 release; as you don't seem have this issue in 10.0 =)
 
  Thanks! I'll ignore it for now, and see what happens when we do our
 10.4 upgrade soon.
 
  - Chris.
 
 
 
  On 2011-05-02, at 10:42 AM, Paul Stewart wrote:
 
  Hey Chris...
 
  On MX480's running 10.0R3.10 we just have it setup as:
 
  paul@core2.toronto1 show chassis alarms
  No alarms currently active
 
  paul@core2.toronto1 show configuration chassis alarm
  management-ethernet {
  link-down ignore;
  }
 
  Thanks,
 
  Paul
 
 
  ___
  juniper-nsp mailing list juniper-nsp@puck.nether.net
  https://puck.nether.net/mailman/listinfo/juniper-nsp
 
 
 

 On EX switches, I've had the alarm get stuck. I had to restart
 chassis-control and it went away

 --
 Brent Jones
 br...@servuhome.net




Re: [j-nsp] Multiple LAG Groups / Common Layer3 Routing

2011-04-05 Thread David Lockuan
Hi Paul,

Yes, you need to create a bridge domain with the respective VLAN or VLANs.
Then you insert the aeX into the bridge domain.

If you need to apply routing on this bridge, you need to create an irb
interface and configure the routing-interface in the bridge.

Best regards,



On Tue, Apr 5, 2011 at 8:34 AM, Paul Stewart p...@paulstewart.org wrote:

 Hi folks..

 Not sure if my subject line reads correctly or not.  MX platform running
 10.0R3.10

 I have eight physical interfaces and want 4 LAG groups (2 interfaces X 4 LAG
 groups) - LACP Passive mode.

 All 4 LAG groups must belong to the same layer3 network.

 I have tried to create AE interfaces with family bridge however it rejects
 this but I know this should be something with bridge domains?

 Thanks,

 Paul





-- 
David


Re: [j-nsp] 64-bit Junos Install Media

2011-03-23 Thread David Lockuan
Hi Martin,

From today's price list, I have been reviewing and there are only 64-bit REs
for the T1600 and T640. These are the RE models:

  RE-DUO-C1800-8G-BB  Routing engine with dual core 1800MHz processor, SSD
                      and 8GB memory, Base Bundle (T1600, T640)
  RE-DUO-C1800-8G-R   Routing engine with dual core 1800MHz processor, SSD
                      and 8GB memory, Redundant (T1600, T640)

Both REs need JunOS 9.6 or higher.

Best regards,



On Wed, Mar 23, 2011 at 6:50 AM, Martin T m4rtn...@gmail.com wrote:

 Has anyone tried to install for example
 install-media64-10.4R3.4-export? I tried to install this on
 M10i(RE-850, Intel Pentium III i686) with not much luck as I ended up
 in debugging subshell:

 ERROR: Package jbundle is not compatible - amd64 vs {i386}
 ERROR: jbundle-10.4R3.4-export fails requirements check
 Running pre-install for jbundle-10.4R3.4-export...
 ERROR: Package jbundle is not compatible - amd64 vs {i386}
 ERROR: jbundle-10.4R3.4-export fails pre-install
 ERROR: addpackage: error during pkg_add
 /var/tmp/jbundle64-10.4R3.4-export.tgz
 You are now in a debugging subshell (you may not see a prompt)...

 It was rather expected as PIII should have no 64bit support.

 Which platforms support 64bit JUNOS? Has anyone successfully installed
 64bit JUNOS?


 regards,
 martin




-- 
David


Re: [j-nsp] l3vpn help needed

2011-03-11 Thread David Lockuan
Hi Vlad,

Maybe you need to review this link:

http://puck.nether.net/pipermail/juniper-nsp/2010-October/018150.html

There we are talking about the use of vrf-table-label.

Best regards,

David.

On Fri, Mar 11, 2011 at 8:01 PM, b...@paulen.net b...@paulen.net wrote:

 Hi,

 I was thinking pinging the remote if with source address local if.

 /bt

 - Reply message -
 From: Vlad Ion vlad.th...@gmail.com
 To: Bjørn Tore b...@paulen.net
 Cc: juniper-nsp@puck.nether.net
 Subject: [j-nsp] l3vpn help needed
 Date: Fri, March 11, 2011 19:47
 hi Bjørn,

 If I ping 10.10.1.254 (local vrrp interface or 10.10.1.253 local physical
 interface)... I get 100% success rate.

 Br,
 Vlad

 On Fri, Mar 11, 2011 at 3:56 PM, Bjørn Tore b...@paulen.net wrote:


 On 11.03.2011 12:45, Vlad Ion wrote:


 ping routing-instance vpn-a 10.10.2.254

 PING 10.10.2.254 (10.10.2.254): 56 data bytes

 ^C

 --- 10.10.2.254 ping statistics ---

 6 packets transmitted, 0 packets received, 100% packet loss



 What happens if you specify your local interface-address as source address?



 --

 Bjørn Tore Paulen

 Holsjordet 45

 Tlf 95981603






Re: [j-nsp] Juniper QoS Using AS Match

2011-01-31 Thread David Lockuan
Hello Friend,

I agree with Chris, in any network environment that you have and are using
the QPPB of Cisco. For interoperability with Juniper equipment, you need to
use the SCU/DCU configuration from JunOS; they are arrays of policies
where you can select some BGP parameters and apply them to a specific
traffic class or CoS queue.

I'm attaching some examples that you can look at to try to replicate your
QPPB policies.

And this link is about SCU/DCU:
http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-collections/config-guide-network-mgm/source-class-usage-options-junos-nm.html

Best regards,

David.


On Mon, Jan 31, 2011 at 1:38 PM, Walaa Abdel razzak wala...@bmc.com.sa wrote:

 No, it's hybrid.

 -Original Message-
 From: Amos Rosenboim [mailto:a...@oasis-tech.net]
 Sent: Monday, January 31, 2011 9:05 PM
 To: Walaa Abdel razzak
 Cc: juniper-nsp@puck.nether.net
 Subject: Re: [j-nsp] Juniper QoS Using AS Match

 If the network is Juniper end to end you can evaluate flow spec.

 Regards,

 Amos

 Sent from my iPhone

 On 31 Jan 2011, at 19:17, Walaa Abdel razzak wala...@bmc.com.sa
 wrote:

  Hi Experts
 
 
 
  I need to implement a QoS based on AS number match. I couldn't match on
  subnets as it's not fixed range. I need something like QPPB in Cisco,
  Any Ideas?
 
 
 



[j-nsp] OAM CFM over logical-systems.

2010-12-13 Thread David Lockuan
Hi all,

I am testing OAM CFM with MX960 and JunOS version 10.0R4.7, but when I tried
to configure over logical-system, I don't have the option of oam in the
hierarchy level of protocols:

***
{master}[edit logical-systems TEST-TMARC]
n...@mx960-lab-re0#

{master}[edit logical-systems TEST-TMARC]
n...@mx960-lab-re0# set protocols oam
 ^
syntax error.
n...@mx960-lab-re0# set protocols ?
Possible completions:
  ancp                  Access Node Control Protocol options
+ apply-groups          Groups from which to inherit configuration data
+ apply-groups-except   Don't inherit configuration data from these groups
  bgp                   BGP options
  connections           Circuit cross-connect configuration
  dvmrp                 DVMRP options
  igmp                  IGMP options
  ilmi                  Interim Local Management Interface Protocol configuration
  isis                  IS-IS options
  l2circuit             Configuration for Layer 2 circuits over MPLS
  l2iw                  Configuration for Layer 2 interworking
  lacp                  Link Aggregation Control Protocol configuration
  ldp                   LDP options
  link-management       LMP options
  mld                   MLD options
  mpls                  Multiprotocol Label Switching options
  msdp                  MSDP configuration
  mstp                  Multiple Spanning Tree Protocol options
  ospf                  OSPF configuration
  ospf3                 OSPFv3 configuration
  pgm                   PGM options
  pim                   PIM configuration
  ppp                   Configure PPP process
  ppp-service           Configure PPP service
  rip                   RIP options
  ripng                 RIPng options
  router-advertisement  IPv6 router advertisement options
  router-discovery      ICMP router discovery options
  rstp                  Rapid Spanning Tree Protocol options
  rsvp                  RSVP options
  sap                   Session Advertisement Protocol options
  vrrp                  VRRP options
  vstp                  VLAN Spanning Tree Protocol options
{master}[edit logical-systems TEST-TMARC]
n...@mx960-lab-re0# set protocols
***

Does anybody know if it is possible to do this configuration on a logical-system?

Thanks in advance,

BR

-- 
David


Re: [j-nsp] Files tcpdump of Junos on Wireshark.

2010-12-01 Thread David Lockuan
Thanks for all the tips, I will test in my lab.

Afterwards I will let you know.

Best regards,


On Wed, Dec 1, 2010 at 1:08 PM, Phill Jolliffe phill.jolli...@gmail.com wrote:

 l2-header option during capture?

 I know without real L2 headers are eaten by L chip/B chip/I chips
 Lchip logic block.

 Maybe adding the switch helps?

 On Wed, Dec 1, 2010 at 2:47 AM, David Lockuan dlock...@gmail.com wrote:
  Hi guys,
 
  I was testing the hidden command of JunOS,  monitor traffic write-file
  name_files interface xx-X/X/X. In theory, this files is with format
  tcpdump but when I try to see with Wireshark, it don't show me on detail
 of
  the packet.
 
  I see that the wireshark detect a protocol juniper, I don't know how to
  decode this part or maybe I need a particular library to wireshark.
 
  Has someone used this command??
 
  Thanks for all.
 
  Best regards,
 
  --
  David.
 



 --
 Phill Jolliffe




-- 
David


[j-nsp] Files tcpdump of Junos on Wireshark.

2010-11-30 Thread David Lockuan
Hi guys,

I was testing the hidden command of JunOS,  monitor traffic write-file
name_files interface xx-X/X/X. In theory, this file is in tcpdump format,
but when I try to view it with Wireshark, it doesn't show me the detail of
the packet.

I see that Wireshark detects a Juniper protocol; I don't know how to
decode this part, or maybe I need a particular library for Wireshark.

Has someone used this command??

Thanks for all.

Best regards,

-- 
David.


Re: [j-nsp] RSTP over logical-system.

2010-11-03 Thread David Lockuan
Hi Nilesh,

Sorry for not giving the release; I am working with JunOS 10.0R4.7 and the
chassis is an MX960.

I was thinking the same about the bridge-id; I noted it but I wasn't sure if
it was possible to implement on logical-systems with the same system MAC.

Do you know if there are any limits with Layer 2 protocols and
logical-systems?

I will try with MSTP and I will report the results of my tests.

Best regards,


On Tue, Nov 2, 2010 at 9:38 PM, Nilesh Khambal nkham...@juniper.net wrote:

 David,

 I don't think you can run RSTP in logical routers. As you can see from your
 outputs below, RSTP instances in all the LRs are using same system MAC. You
 can probably try MSTP but don't think RSTP will work in LRs.

 BTW, what JUNOS version is this?

 Thanks,
 Nilesh.

  n...@mx960-lab-re0 ...ge logical-system SW1 routing-instance 11
  STP bridge parameters
  Routing instance name   : SW1/11
  Context ID  : 1
  Enabled protocol: STP
Root ID   : 0.80:71:1f:8c:7f:d0
Hello time: 2 seconds
Maximum age   : 20 seconds
Forward delay : 15 seconds
Message age   : 0
Number of topology changes: 2
Time since last topology change   : 388 seconds
Local parameters
  Bridge ID   : 0.80:71:1f:8c:7f:d0 
  Extended system ID  : 0
 
  {master}
  n...@mx960-lab-re0 ...tree bridge logical-system SW2 routing-instance 12
  STP bridge parameters
  Routing instance name   : SW2/12
  Context ID  : 2
  Enabled protocol: STP
Root ID   : 8192.80:71:1f:8c:7f:d0
Hello time: 2 seconds
Maximum age   : 20 seconds
Forward delay : 15 seconds
Message age   : 0
Number of topology changes: 1
Time since last topology change   : 396 seconds
Local parameters
  Bridge ID   : 8192.80:71:1f:8c:7f:d0  
  Extended system ID  : 0



 On 11/2/10 7:08 PM, David Lockuan dlock...@gmail.com wrote:

  Hi guys,
 
  I'm testing the rstp protocol over logical-systems, but when I set the
  priority on one interface for it to work as root, it does not change the
  status in the rstp protocol and the other interface doesn't change to
  Blocking. They always stay in Forwarding state.
 
  The topology that I am using is the following:
 
  SW1 (logical)---ge-3/0/2---physical loop---ge-3/0/3--SW2 (logical)
  SW1 (logical)---ge-3/0/4---physical loop---ge-3/0/5--SW2 (logical)
 
  I want to put the interface ge-3/0/2 as root interface.
 
  These are configuration of both logical-systems:
 

 **
 *
  {master}
  n...@mx960-lab-re0 show configuration interfaces
  ge-3/0/2 {
  encapsulation ethernet-bridge;
  }
  ge-3/0/3 {
  encapsulation ethernet-bridge;
  }
  ge-3/0/4 {
  encapsulation ethernet-bridge;
  }
  ge-3/0/5 {
  encapsulation ethernet-bridge;
  }
 
  {master}
  n...@mx960-lab-re0 show configuration logical-systems SW1
  interfaces {
  ge-3/0/2 {
  unit 0 {
  family bridge;
  }
  }
  ge-3/0/4 {
  unit 0 {
  family bridge;
  }
  }
  }
  routing-instances {
  11 {
  instance-type virtual-switch;
  protocols {
  rstp {
  bridge-priority 0;
  interface ge-3/0/2 {
  priority 0;
  mode point-to-point;
  }
  interface ge-3/0/4 {
  mode point-to-point;
  }
  force-version stp;
  }
  }
  bridge-domains {
  br1 {
  interface ge-3/0/2.0;
  interface ge-3/0/4.0;
  }
  }
  }
  }
 
  {master}
  n...@mx960-lab-re0 show configuration logical-systems SW2
  interfaces {
  ge-3/0/3 {
  unit 0 {
  family bridge;
  }
  }
  ge-3/0/5 {
  unit 0 {
  family bridge;
  }
  }
  }
  routing-instances {
  12 {
  instance-type virtual-switch;
  protocols {
  rstp {
  bridge-priority 8k;
  interface ge-3/0/3 {
  mode point-to-point;
  }
  interface ge-3/0/5 {
  mode point-to-point;
  }
  force-version stp;
  }
  }
  bridge-domains {
  br1 {
  interface ge-3/0/3.0;
  interface ge-3/0/5.0

[j-nsp] RSTP over logical-system.

2010-11-02 Thread David Lockuan
Hi guys,

I'm testing the rstp protocol over logical-systems, but when I set the
priority on one interface for it to work as root, it does not change the
status in the rstp protocol and the other interface doesn't change to
Blocking. They always stay in Forwarding state.

The topology that I am using is the following:

SW1 (logical)---ge-3/0/2---physical loop---ge-3/0/3--SW2 (logical)
SW1 (logical)---ge-3/0/4---physical loop---ge-3/0/5--SW2 (logical)

I want to put the interface ge-3/0/2 as root interface.

These are configuration of both logical-systems:
***
{master}
n...@mx960-lab-re0 show configuration interfaces
ge-3/0/2 {
encapsulation ethernet-bridge;
}
ge-3/0/3 {
encapsulation ethernet-bridge;
}
ge-3/0/4 {
encapsulation ethernet-bridge;
}
ge-3/0/5 {
encapsulation ethernet-bridge;
}

{master}
n...@mx960-lab-re0 show configuration logical-systems SW1
interfaces {
ge-3/0/2 {
unit 0 {
family bridge;
}
}
ge-3/0/4 {
unit 0 {
family bridge;
}
}
}
routing-instances {
11 {
instance-type virtual-switch;
protocols {
rstp {
bridge-priority 0;
interface ge-3/0/2 {
priority 0;
mode point-to-point;
}
interface ge-3/0/4 {
mode point-to-point;
}
force-version stp;
}
}
bridge-domains {
br1 {
interface ge-3/0/2.0;
interface ge-3/0/4.0;
}
}
}
}

{master}
n...@mx960-lab-re0 show configuration logical-systems SW2
interfaces {
ge-3/0/3 {
unit 0 {
family bridge;
}
}
ge-3/0/5 {
unit 0 {
family bridge;
}
}
}
routing-instances {
12 {
instance-type virtual-switch;
protocols {
rstp {
bridge-priority 8k;
interface ge-3/0/3 {
mode point-to-point;
}
interface ge-3/0/5 {
mode point-to-point;
}
force-version stp;
}
}
bridge-domains {
br1 {
interface ge-3/0/3.0;
interface ge-3/0/5.0;
}
}
}
}

{master}
n...@mx960-lab-re0
***

The output of the show spanning-tree commands:

***
{master}
n...@mx960-lab-re0 ...e interface logical-system SW1 routing-instance 11

Spanning tree interface parameters for instance 0

Interface    Port ID    Designated    Designated           Port    State  Role
                        port ID       bridge ID            Cost
ge-3/0/2     0:123      0:123         0.80711f8c7fd0       2       FWD    DESG
ge-3/0/4     128:125    128:125       0.80711f8c7fd0       2       FWD    DESG

{master}
n...@mx960-lab-re0 ...e interface logical-system SW2 routing-instance 12

Spanning tree interface parameters for instance 0

Interface    Port ID    Designated    Designated           Port    State  Role
                        port ID       bridge ID            Cost
ge-3/0/3     128:124    128:124       8192.80711f8c7fd0    2       FWD    DESG
ge-3/0/5     128:126    128:126       8192.80711f8c7fd0    2       FWD    DESG

{master}
n...@mx960-lab-re0 show spanning-tree bridge logical-system SW1
Spanning-tree is not enabled in layer2-control instance SW1/default.

{master}
n...@mx960-lab-re0 ...ge logical-system SW1 routing-instance 11
STP bridge parameters
Routing instance name   : SW1/11
Context ID  : 1
Enabled protocol: STP
  Root ID   : 0.80:71:1f:8c:7f:d0
  Hello time: 2 seconds
  Maximum age   : 20 seconds
  Forward delay : 15 seconds
  Message age   : 0
  Number of topology changes: 2
  Time since last topology change   : 388 seconds
  Local parameters
Bridge ID   : 0.80:71:1f:8c:7f:d0
Extended system ID  : 0

{master}
n...@mx960-lab-re0 ...tree bridge logical-system SW2 routing-instance 12
STP bridge parameters
Routing instance name   : SW2/12
Context ID  : 2
Enabled protocol: STP
  Root ID   : 8192.80:71:1f:8c:7f:d0
  Hello time: 2 seconds
  Maximum age   : 20 seconds
  Forward delay : 15 seconds
  Message age   : 0
  Number of topology changes: 1
  Time since last topology 

Re: [j-nsp] Problem of Forwarding on VPN using vrf-table-label.

2010-10-16 Thread David Lockuan
Hi Cristian,

That is correct, I had 2 PEs with 2 VPNs. Sorry I didn't send the
configuration of both PEs. I am now sending you both
configurations.

I noted that when I used the command vrf-table-label, the next-hop
after the label lookup is to the next-table of the VPN, and when I didn't
use it the next-hop is the IP address or interface facing the CE
router. Another thing that I noted is that the vpn-label on both PEs is the
same for each VPN, and when I don't use the command the vpn-label is
different for each VPN.

I am sending the output of my review. In this case I put the command only
into VPN-A, and VPN-B is without the command.

***
{master}
n...@mx960-lab-re0 ...cal-systems PE1 routing-instances | display set
set logical-systems PE1 routing-instances VPN-A instance-type vrf
set logical-systems PE1 routing-instances VPN-A interface ge-3/0/0.2400
set logical-systems PE1 routing-instances VPN-A route-distinguisher 100:10
set logical-systems PE1 routing-instances VPN-A vrf-import VPN-A-import
set logical-systems PE1 routing-instances VPN-A vrf-export VPN-A-export
set logical-systems PE1 routing-instances VPN-A vrf-target target:100:10
set logical-systems PE1 routing-instances VPN-A vrf-table-label
set logical-systems PE1 routing-instances VPN-A routing-options static route 172.20.0.0/24 next-hop 10.10.5.2
set logical-systems PE1 routing-instances VPN-B instance-type vrf
set logical-systems PE1 routing-instances VPN-B interface ge-3/0/0.2402
set logical-systems PE1 routing-instances VPN-B route-distinguisher 100:20
set logical-systems PE1 routing-instances VPN-B vrf-import VPN-B-import
set logical-systems PE1 routing-instances VPN-B vrf-export VPN-B-export
set logical-systems PE1 routing-instances VPN-B vrf-target target:100:20
set logical-systems PE1 routing-instances VPN-B routing-options static route 192.168.0.0/24 next-hop 10.10.5.6

{master}
n...@mx960-lab-re0 ...ogical-systems PE2 routing-instances | display set
set logical-systems PE2 routing-instances VPN-A instance-type vrf
set logical-systems PE2 routing-instances VPN-A interface ge-3/0/0.2602
set logical-systems PE2 routing-instances VPN-A route-distinguisher 100:10
set logical-systems PE2 routing-instances VPN-A vrf-import VPN-A-import
set logical-systems PE2 routing-instances VPN-A vrf-export VPN-A-export
set logical-systems PE2 routing-instances VPN-A vrf-target target:100:10
set logical-systems PE2 routing-instances VPN-A vrf-table-label
set logical-systems PE2 routing-instances VPN-A routing-options static route 172.20.1.0/24 next-hop 10.10.6.6
set logical-systems PE2 routing-instances VPN-B instance-type vrf
set logical-systems PE2 routing-instances VPN-B interface ge-3/0/0.2600
set logical-systems PE2 routing-instances VPN-B route-distinguisher 100:20
set logical-systems PE2 routing-instances VPN-B vrf-import VPN-B-import
set logical-systems PE2 routing-instances VPN-B vrf-export VPN-B-export
set logical-systems PE2 routing-instances VPN-B vrf-target target:100:20
set logical-systems PE2 routing-instances VPN-B routing-options static route 192.168.1.0/24 next-hop 10.10.6.2

{master}
n...@mx960-lab-re0 ...te table VPN-A.inet.0 logical-system PE1 detail

VPN-A.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
10.10.5.0/30 (1 entry, 1 announced)
*Direct Preference: 0
Next hop type: Interface
Next-hop reference count: 1
Next hop: via ge-3/0/0.2400, selected
State: Active Int
Age: 2d 16:06:32
Task: IF
Announcement bits (1): 2-BGP RT Background
AS path: I

10.10.5.1/32 (1 entry, 0 announced)
*Local  Preference: 0
Next hop type: Local
Next-hop reference count: 8
Interface: ge-3/0/0.2400
State: Active NoReadvrt Int
Age: 2d 16:06:32
Task: IF
AS path: I

10.10.6.4/30 (1 entry, 1 announced)
*BGP    Preference: 170/-101
Route Distinguisher: 100:10
Next hop type: Indirect
Next-hop reference count: 6
Source: 1.1.1.12
Next hop type: Router, Next hop index: 1048587
Next hop: 10.10.2.1 via ge-3/0/1.2000, selected
Label operation: Push 16, Push 299952(top)
Next hop: 10.10.2.5 via ge-3/0/1.2002
Label operation: Push 16, Push 299968(top)
Protocol next hop: 1.1.1.12
Push 16
Indirect next hop: 8ea0240 1048589
State: Secondary Active Int Ext
Local AS:   100 Peer AS:   100
Age: 3:07   Metric2: 1
Task: BGP_100.1.1.1.12+61440
Announcement bits (1): 1-KRT
AS path: I
Communities: target:100:10

[j-nsp] Problem of Forwarding on VPN using vrf-table-label.

2010-10-14 Thread David Lockuan
Hi guys,

I have been doing a lab with an MX960 running release 10.0R3.10. I set up a
topology with logical-systems. In theory it is all working, because I can see
the VRF routes in table bgp.l3vpn.0, but the forwarding between the CEs
is not working. This is the configuration of the routing-instances of the PE:

**
set logical-systems PE1 routing-instances VPN-A instance-type vrf
set logical-systems PE1 routing-instances VPN-A interface ge-3/0/0.2400
set logical-systems PE1 routing-instances VPN-A route-distinguisher 100:10
set logical-systems PE1 routing-instances VPN-A vrf-import VPN-A-import
set logical-systems PE1 routing-instances VPN-A vrf-export VPN-A-export
set logical-systems PE1 routing-instances VPN-A vrf-table-label
set logical-systems PE1 routing-instances VPN-A vrf-target target:100:10
set logical-systems PE1 routing-instances VPN-A routing-options static route 172.20.0.0/24 next-hop 10.10.5.2
set logical-systems PE1 routing-instances VPN-B instance-type vrf
set logical-systems PE1 routing-instances VPN-B interface ge-3/0/0.2402
set logical-systems PE1 routing-instances VPN-B route-distinguisher 100:20
set logical-systems PE1 routing-instances VPN-B vrf-import VPN-B-import
set logical-systems PE1 routing-instances VPN-B vrf-export VPN-B-export
set logical-systems PE1 routing-instances VPN-A vrf-table-label
set logical-systems PE1 routing-instances VPN-B vrf-target target:100:20
set logical-systems PE1 routing-instances VPN-B routing-options static route 192.168.0.0/24 next-hop 10.10.5.6
**
But when I unset the vrf-table-label command, the forwarding between the
CEs works correctly.

Does anyone know when it is necessary to use the vrf-table-label command? The
only difference that I found was in the VPN label. When the command
vrf-table-label is set, the VPN label is 16 or in the range of 16 - 1023.
And when the command is not set, the VPN label is 30 or in the range of
10 - 1048075.

Thanks in advance,

Best regards,

-- 
David.
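An added example, not part of the original post: a small Python audit of `display set` output that rejoins mail-wrapped statements and reports, per routing instance, whether vrf-table-label is present and which statements occur more than once. The sample is an excerpt of the PE1 statements pasted above; the function names `unwrap` and `audit` are assumptions made for this illustration.

```python
import re
from collections import Counter

# Excerpt of the PE1 statements pasted in the post, mail line wraps included.
SAMPLE = """\
set logical-systems PE1 routing-instances VPN-A instance-type vrf
set logical-systems PE1 routing-instances VPN-A vrf-table-label
set logical-systems PE1 routing-instances VPN-A routing-options static route
172.20.0.0/24 next-hop 10.10.5.2
set logical-systems PE1 routing-instances VPN-B instance-type vrf
set logical-systems PE1 routing-instances VPN-A vrf-table-label
set logical-systems PE1 routing-instances VPN-B routing-options static route
192.168.0.0/24 next-hop 10.10.5.6
"""

STMT = re.compile(r"^set logical-systems (\S+) routing-instances (\S+) (.+)$")

def unwrap(text):
    """Rejoin wrapped statements: a line not starting with 'set ' continues the previous one."""
    stmts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("set ") or not stmts:
            stmts.append(line)
        else:
            stmts[-1] += " " + line
    return stmts

def audit(text):
    """Map (logical-system, instance) to its vrf-table-label state and repeated statements."""
    seen = Counter()
    report = {}
    for stmt in unwrap(text):
        m = STMT.match(stmt)
        if not m:
            continue  # prompt lines, separators, other hierarchy levels
        lsys, inst, rest = m.groups()
        entry = report.setdefault((lsys, inst), {"vrf_table_label": False, "duplicates": []})
        seen[stmt] += 1
        if seen[stmt] == 2:  # record a repeated statement once
            entry["duplicates"].append(rest)
        if rest == "vrf-table-label":
            entry["vrf_table_label"] = True
    return report

if __name__ == "__main__":
    for (lsys, inst), info in sorted(audit(SAMPLE).items()):
        print(lsys, inst, info)
```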