[j-nsp] MPC4E-32XGE firmware

2016-03-01 Thread Jonas Frey (Probe Networks)
Hello,

I am getting the following notice in the logs:

Mar  1 13:58:07   fpc0 CMIC(0/3): VSC8248 cmic-vsc8248-0/0/7 is running
out-of-date firmware version 2.52 (0x234).  Please upgrade firmware to
version 2.53 (0x235) or later.

Does anyone know how to update these?

-Jonas




signature.asc
Description: This is a digitally signed message part
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] IPv4 Filter for ECN/CWR tcp bit (RFC3168)

2015-11-28 Thread Jonas Frey (Probe Networks)
Hi Daniel,

thanks for this hint, I'll give it a try!
(However, I would be pleased if Juniper could just update the tcp-options
stanza to include ECN/CWR).

Br,
Jonas


On Friday, 27.11.2015, at 18:48 +0100, Daniel Verlouw wrote:
> Hi Jonas,
> 
> On Fri, Nov 27, 2015 at 2:20 PM, Jonas Frey (Probe Networks)
> <j...@probe-networks.de> wrote:
> > Does anybody have any idea if its possible to filter for such traffic?
> 
> have you looked at the firewall flexible match conditions? (avail in
> 14.2 for MX/MPC).
> 
> https://www.juniper.net/techpubs/en_US/junos14.2/topics/concept/firewall-filter-flexible-match-conditions-overview.html
> 
> BR, Daniel



[j-nsp] IPv4 Filter for ECN/CWR tcp bit (RFC3168)

2015-11-27 Thread Jonas Frey (Probe Networks)
Hello,

I am trying to filter IPv4 traffic based on the tcp-options; in detail, I
am looking to filter for traffic with options CWR and ECN set (RFC3168).

It seems this is not possible on current MX gear running 14.2.
From the docs, Juniper only lists 6 of the current 8 tcp-options
available to filter for:

http://www.juniper.net/documentation/en_US/junos14.2/topics/reference/general/firewall-filter-service-match-conditions.html

If a hex value including the ECN or CWR options is specified, the commit will fail
with a dfw bitfield error.

Does anybody have any idea if it's possible to filter for such traffic?
It seems even with MS-MIC this is not possible.

I am asking since we are seeing new types of DDoS attacks using SYN
traffic with ECN and CWR bit set (however with a non-zero ACK window).

Br,
Jonas
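
An added example, not part of the original posts and not Junos code: the ECE and CWR bits discussed in this thread sit in byte 13 of the TCP header, which is where a byte-offset style match has to look. The sketch parses constructed IPv4/TCP packets and separates an RFC 3168 ECN-setup SYN from a SYN that also carries a non-zero acknowledgment number; reading the post's "non-zero ACK window" as the acknowledgment-number field is an assumption, and all function names are illustrative.

```python
import socket
import struct
from collections import Counter
from typing import Iterable, Optional, Tuple

# TCP flag bits as they sit in byte 13 of the TCP header (RFC 793, RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
FLAGS_OFFSET = 13                # byte offset from the start of the TCP header
ECN_SYN_MASK = SYN | ECE | CWR   # 0xC2


def parse_ipv4_tcp(packet: bytes) -> Optional[Tuple[int, int]]:
    """Return (flags, ack_number) for an IPv4/TCP packet, or None if unusable."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IP header length; options shift the TCP header
    if ihl < 20 or packet[9] != socket.IPPROTO_TCP:
        return None
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if frag_offset or len(packet) < ihl + 20:
        return None                       # later fragments carry no TCP header
    tcp = packet[ihl:ihl + 20]
    ack_number = struct.unpack("!I", tcp[8:12])[0]
    return tcp[FLAGS_OFFSET], ack_number


def classify(packet: bytes) -> str:
    """Label a packet by its SYN/ECN flag combination."""
    parsed = parse_ipv4_tcp(packet)
    if parsed is None:
        return "not-ipv4-tcp"
    flags, ack_number = parsed
    if flags & (SYN | ACK | RST | FIN) != SYN:
        return "other"                    # not an initial SYN
    if flags & ECN_SYN_MASK != ECN_SYN_MASK:
        return "plain-syn"
    # Assumption: "non-zero ACK window" in the post means a non-zero
    # acknowledgment number on a segment whose ACK flag is clear.
    # A normal ECN-setup SYN (RFC 3168) carries an acknowledgment number of 0.
    return "ecn-syn-nonzero-ack" if ack_number else "ecn-setup-syn"


def summarize(packets: Iterable[bytes]) -> Counter:
    """Count packets per label, e.g. to compare against a baseline."""
    return Counter(classify(p) for p in packets)


def build_packet(flags: int, ack_number: int = 0) -> bytes:
    """Constructed sample: minimal IPv4 + TCP headers, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.20"))
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, ack_number,
                      (5 << 12) | flags, 8192, 0, 0)
    return ip + tcp


# Constructed traffic sample (documentation address ranges, not real captures).
SAMPLES = [
    build_packet(SYN),
    build_packet(SYN | ECE | CWR),
    build_packet(SYN | ECE | CWR, ack_number=0x1234),
    build_packet(SYN | ACK | ECE),
]

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLES).items()):
        print(f"{label:22s} {count}")
```

A filter that matches only on the 0xC2 flag pattern also catches legitimate ECN-negotiating clients, which is why the sketch keeps the two SYN cases apart.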




Re: [j-nsp] Junos 12.3 more strict about 3rd party optics?

2014-06-24 Thread Jonas Frey (Probe Networks)
Most 3rd party vendors lock down the A0 part of the SFP+, so you can't
change values there. Try asking your vendor if they can provide A0
unlocked SFP+...usually they will be a bit more expensive. If they don't
want to offer them just choose another supplier...there are plenty.
Having an SFP+ EEPROM writer can be very handy, in case you are having
problems with vendor XY locking down their routers/switches etc.
And don't go with pay as you write SFP EEPROM writers which are tied to
certain companies.


On Tuesday, 24.06.2014, at 09:17 -0400, Chuck Anderson wrote:
> On Wed, Jun 11, 2014 at 03:49:16PM +0100, Phil Mayers wrote:
> > On 11/06/14 15:01, Chuck Anderson wrote:
> >
> > > Jun 10 11:40:54  ex4200 chassism[1293]: XCVR: Unit 0, SFP+ of type 0
> > > EEPROM is Mis Programmed!!
> >
> > Yeah, this was the one that caught my eye. I wonder if it's choking
> > on unknown values in the EEPROM.
>
> After much investigation, and thanks to Juniper not locking down
> access to the internal debugging tools on JUNOS, I was able to
> determine that bytes 3-10 of the SFP ID EEPROM of optic I'm using are
> coded as all 0's.  My reading of the SFF-8472 MSA says that this is
> invalid:
>
> Transceiver Compliance Codes [Address A0h, Bytes 3-10]
>
> The following bit significant indicators define the electronic or
> optical interfaces that are supported by the transceiver. At least one
> bit shall be set in this field.
>
> The top half of byte 3 is defined as follows, and I would expect any
> MSA Ethernet optic to have at least one of these bits set, even
> CWDM/DWDM optics:
>
> Byte  Bit  Description
> 3     7    10G Base-ER
> 3     6    10G Base-LRM
> 3     5    10G Base-LR
> 3     4    10G Base-SR
>
> My optic vendor doesn't agree and says that those bits only refer to
> grey optics--standard wavelengths 850nm or 1310nm, and says that it
> is VALID to have no bits set at all in bytes 3-10.  I'm guessing that
> the SFP driver in EX4200 doesn't like this, but the one in MX doesn't
> care.
>
> I tried changing the values using xcvrpeek and xcvrpoke (and
> i2cpeek/i2cpoke).  Reads work fine, writes fail with -EIO in dmesg
> and the values don't change when read back.  I guess the optic is
> locked from writing changes to the EEPROM without some sort of OEM
> password or something.
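
An added example (not code from the thread or from Junos): a check of the A0h fields discussed above on a raw EEPROM dump, reporting whether any bit is set in bytes 3-10 and which of the four byte-3 10G codes quoted in the message are present. The CC_BASE check code at byte 63 comes from SFF-8472 rather than from the thread, the function names are illustrative, and the dumps are constructed.

```python
from typing import Dict, List

# Upper half of byte 3 on the A0h page, as listed in the quoted message.
BYTE3_10G_BITS = {7: "10G Base-ER", 6: "10G Base-LRM",
                  5: "10G Base-LR", 4: "10G Base-SR"}
COMPLIANCE = slice(3, 11)   # A0h bytes 3-10, transceiver compliance codes
CC_BASE = 63                # check code over bytes 0-62 (SFF-8472, not from the thread)


def decode_byte3(value: int) -> List[str]:
    """Names of the 10G Ethernet compliance bits set in byte 3."""
    return [name for bit, name in sorted(BYTE3_10G_BITS.items(), reverse=True)
            if value & (1 << bit)]


def audit_a0(a0: bytes) -> Dict[str, object]:
    """Summarise the compliance-code field and base checksum of an A0h dump."""
    if len(a0) <= CC_BASE:
        raise ValueError("need at least the first 64 bytes of the A0h page")
    codes = a0[COMPLIANCE]
    return {
        "compliance_hex": codes.hex(),
        # The MSA text quoted above: "At least one bit shall be set in this field."
        "any_compliance_bit": any(codes),
        "ten_gig_ethernet": decode_byte3(codes[0]),
        # A module whose bytes 0-62 were edited without recomputing byte 63
        # fails this check, which some hosts treat as a misprogrammed EEPROM.
        "cc_base_ok": (sum(a0[:CC_BASE]) & 0xFF) == a0[CC_BASE],
    }


def make_sample(byte3: int) -> bytes:
    """Constructed 96-byte A0h image: identifier 0x03 (SFP/SFP+), given byte 3."""
    image = bytearray(96)
    image[0] = 0x03
    image[3] = byte3
    image[CC_BASE] = sum(image[:CC_BASE]) & 0xFF
    return bytes(image)


def make_stale_checksum_sample() -> bytes:
    """Constructed image where byte 3 was changed but byte 63 was not updated."""
    image = bytearray(make_sample(0x00))
    image[3] = 0x10
    return bytes(image)


if __name__ == "__main__":
    for label, image in (("all-zero codes", make_sample(0x00)),
                         ("10G Base-LR", make_sample(0x20)),
                         ("stale checksum", make_stale_checksum_sample())):
        print(label, audit_a0(image))
```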

Re: [j-nsp] MX Series BASE to PREMIUM3

2014-05-20 Thread Jonas Frey (Probe Networks)
Dave,

as far as I know, starting from PREMIUM2 the chassis also comes with the
high capacity fan module.


On Tuesday, 20.05.2014, at 16:32 +, Dave Peters - Terabit Systems wrote:
> Hi all--
>
> I think I've got this nailed down, but I wanted to make sure I know the
> differences among the Brocade MX Series routers, and Juniper holds on to this
> like it's a matter of national security. The parts for the 480 and the 960
> seem to be the same. What I've been able to put together (part numbers
> abbreviated):
>
> BASE
> One SCB
> One RE-S-1300
> Two 1200W PEMs
>
> PREMIUM
> 2 X SCB
> 2 X RE-S-2000
> 4 x 1200W PEM
>
> PREMIUM2
> 2 x SCBE
> 2 x RE-S-1800x-8G
> 2 x 2500W PEM
>
> PREMIUM3
> 2 x SCBE2
> 2 x RE-S-1800x-16G
> 4 x 2500W PEM
>
> Is this correct? Anyone have any experience buying these? Can anyone confirm
> the parts in the bundles?
>
> Thanks for any and all help.
>
> --Dave Peters
 

[j-nsp] EX4200 stuck in U-boot

2014-05-14 Thread Jonas Frey (Probe Networks)
Hello,

I am having problems with an EX4200 which is stuck in U-boot.

Before I can break the U-boot sequence it just hangs at:

U-Boot 1.1.6 (Feb  6 2008 - 11:27:42)

Board: EX4200-48POE 2.17
EPLD:  Version 6.0 (0x85)
DRAM:  Initializing (1024 MB)
FLASH: 8 MB
USB:   scanning bus for devices... 2 USB Device(s) found
   scanning bus for storage devices... 1 Storage Device(s) found

On the front panel LCD it reads: POST Eth pass..

Anyone have any idea how to fix this?

BR,
Jonas



Re: [j-nsp] proposed changes to clear bgp neighbor

2014-02-26 Thread Jonas Frey (Probe Networks)
+1 for the all requirement

On Wednesday, 26.02.2014, at 10:36 -0500, Phil Shafer wrote:
> Juniper users,
>
> We've been asked to make a change to the clear bgp neighbor command
> to make the neighbor or all argument mandatory.  The root cause
> is the severe impact of clear bgp neighbor and the increasing
> accidental use of this command without a specific neighbor.
>
> In general, we avoid changing commands to add mandatory arguments,
> but my feeling is that the impact and severity of this specific
> command makes this an acceptable occasion for such a change.
>
> I'm looking for feedback about this change.  My working assumption
> is that clear bgp neighbor is a sufficiently rare command and
> would not be used in automation/scripts, so the impact of making
> the neighbor/all argument mandatory would be minimal.  Is this
> assumption accurate?
>
> Thanks,
>  Phil
>
> [I've set reply-to to myself to avoid impacting the list]
 

Re: [j-nsp] ex switch VCP cabel

2014-02-10 Thread Jonas Frey (Probe Networks)
Hi,

it is one indeed. If you look closer at those shipped from Juniper you
can see it's a normal SFF-8088. I doubt they have modified/coded anything
to prevent the use of other brands.


On Monday, 10.02.2014, at 09:44 -0800, Yucong Sun wrote:
> Hi,
>
> VCP cable for EX switch looks a lot like a plain SFF-8088 cable, can
> someone confirm?  SFF-8088 cable is sold $10 on ebay, while the VCP
> cable is at least $100...
>
> Cheers.

Re: [j-nsp] ex switch VCP cabel

2014-02-10 Thread Jonas Frey (Probe Networks)
Hi,

sorry, I mixed this up with a different vendor.
The VC cable on the EX series is an external pci-e x8 cable.
See: http://juniper.cluepon.net/index.php/EX4200


On Monday, 10.02.2014, at 09:44 -0800, Yucong Sun wrote:
> Hi,
>
> VCP cable for EX switch looks a lot like a plain SFF-8088 cable, can
> someone confirm?  SFF-8088 cable is sold $10 on ebay, while the VCP
> cable is at least $100...
>
> Cheers.

Re: [j-nsp] Procedure for upgrade routing engines.

2014-01-08 Thread Jonas Frey (Probe Networks)
RE-S-1800 is running JunOS 64, so this will *not* work.

Mixing routing engines isn't recommended/supported officially by Juniper
either, but works to some degree (RE1300/RE2000 32bit).



On Wednesday, 08.01.2014, at 19:43 +0800, Xuhu wrote:
> OS version will be the same or not, official document didn't mention must be
> same hardware, but so must be the same.
>
> Br,
>
> On 8 Jan, 2014, at 5:16 pm, Misak Khachatryan m.khachatr...@gnc.am wrote:
>
> > Hello,
> >
> > Does anybody know the right procedure to upgrade routing engines on working
> > router?
> >
> > We have MX480 with two RE-S-1300, now ordered two RE-S-1800. Is it possible
> > to replace them while router working, i. e. replace one engine, sync config,
> > perform switchover, replace second engine?
> >
> > AS REs are very different I doubt it's possible, but better to ask.
 



Re: [j-nsp] smartctl for junos

2014-01-07 Thread Jonas Frey (Probe Networks)
Hi,

unfortunately there is none. You have to remove the disk/SSD and install
it in a regular system to read its SMART data. You can't do this from
JunOS, as you can't execute unsigned binaries.



On Tuesday, 07.01.2014, at 15:20 -0800, snort bsd wrote:
> hi all:
>
> there is smartd running on junos, but i am not able to find smartctl
> utility for smartd.
>
> thanks

Re: [j-nsp] EX4550 true power consumption

2013-10-24 Thread Jonas Frey (Probe Networks)
Michael,

I understand that it depends on the config. But why is it so hard to
give some figures? E.g. base xx Watts, each optic xx Watts, VC module xx
Watts and so on. Even Cisco does this (for example Nexus 3k).
Right now it appears (with the only 650W power supply figure) as if the
EX4550 is a power hog (compared to similar units like the above
mentioned Nexus 3k).

-J


On Thursday, 24.10.2013, at 08:28 -0700, Michael Loftis wrote:
> The correct answer is it depends on configuration and traffic. Loaded
> with LR SFP+s, vc modules, and pushing a significant amount of traffic
> it will easily be 400W or more. Around 100W for a base, idle unit with
> a few optics sounds right. Each optic module draws several watts
> depending on the type.
>
> On Oct 23, 2013 10:25 AM, Jonas Frey (Probe Networks)
> j...@probe-networks.de wrote:
> > Hello,
> >
> > does anybody have real world power consumption specs of the EX4550?
> > (EX4550-32F-AFI)
> > Juniper has no word about this anywhere in the documentation. There are
> > only statements about the power supply itself (650W capacity) and less
> > than five watts per 10GB fiber interface.
> > I've been able to find various values on non-juniper related sites which
> > range from 175W to 345W.
> >
> > Best regards,
> > Jonas
 

[j-nsp] EX4550 true power consumption

2013-10-23 Thread Jonas Frey (Probe Networks)
Hello,

Does anybody have real world power consumption specs of the EX4550?
(EX4550-32F-AFI)
Juniper has no word about this anywhere in the documentation. There are
only statements about the power supply itself (650W capacity) and less
than five watts per 10GB fiber interface.
I've been able to find various values on non-juniper related sites which
range from 175W to 345W.

Best regards,
Jonas



[j-nsp] IDP series SSL decryption

2013-07-24 Thread Jonas Frey (Probe Networks)
Hello,

I wonder if the IDP series (75, 250 etc) are able to decrypt SSL
sessions using keys transparently to check for IPS.
According to
http://www.juniper.net/techpubs/en_US/idp5.0/topics/task/configuration/intrusion-detection-prevention-ssl-decryption-enabling.html
this should be possible.

I wonder if this is really transparent in terms of certificate errors
showing up on the client's browser visiting a site behind the IDP.
(Internet - IDP - SSL Server)
Does the IDP in this mode mangle the SSL packets in any way?

If anyone has a setup like the above and can confirm that it works I'd
like to hear about it.


-Jonas





Re: [j-nsp] replacing M5 RE-3.0 hard drive

2013-07-17 Thread Jonas Frey (Probe Networks)
Yes, just make sure to use a 2,5 drive. 
SSD is fine, too.

http://juniper.cluepon.net/index.php/Replacing_the_harddisk_with_solid_state_flash


On Wednesday, 17.07.2013, at 09:42 -1000, Antonio Querubin wrote:
> I have a Juniper M5 whose hard drive just failed.  The drive appears to be
> a Fujitsu MHT2030AT.  Can I just simply swap in a new hard drive and
> partition it?  Has anyone tried replacing it with a solid state equivalent
> and if so, what did you use?
>
> Antonio Querubin
> e-mail:  t...@lavanauts.org
> xmpp:  antonioqueru...@gmail.com

[j-nsp] SNMP ifIndex 0 on MX after ISSU

2013-03-08 Thread Jonas Frey (Probe Networks)
Hello,

did anyone ever notice problems with wrong/changed SNMP ifIndex settings
after ISSU?
We ISSU upgraded an MX from 10.4R9.2 to 11.4R7.5 and after this some of
the ifIndex changed. When doing the ISSU it brought down FPC-1 (which is
an MPC Type 2). Maybe that's why the ifIndex were changed.
(We are running mixed DPCE and MPC)
Anyway, now I do have the problem that some of the interfaces no
longer have an SNMP ifIndex at all:

user@router show interfaces ge-1/0/2.1 
  Logical interface ge-1/0/2.1 (Index 333) (SNMP ifIndex 0)
Description: C28711
Flags: SNMP-Traps VLAN-Tag [ 0x8100.141 ]  Encapsulation: ENET2
Input packets : 6785935 
Output packets: 4257005
Protocol inet, MTU: 1500
  Flags: No-Redirects, Sendbcast-pkt-to-re
[...]
(this is an interface on the MPC card)

I saw some posts about this happening on EX but none on MX.

How do I get the ifIndex right? The workaround for EX doesn't help as
there is no such process to restart on MX series.

Best regards,
Jonas






Re: [j-nsp] SNMP ifIndex 0 on MX after ISSU

2013-03-08 Thread Jonas Frey (Probe Networks)
Hi,

btw, I already tried restart mib-process and restart snmp, neither of them
was of any help.
Also I can actually see the ifIndex in /var/db/dcd.snmp_ix (which is 560
for this interface) but while trying to read via SNMP it always returns
0 despite carrying traffic.



On Friday, 08.03.2013, at 17:42 +0100, Tobias Heister wrote:
> Hi,
>
> On 08.03.2013 16:33, Jonas Frey (Probe Networks) wrote:
> > did anyone ever notice problems with wrong/changed SNMP ifIndex settings
> > after ISSU?
> > We ISSU upgraded a MX from 10.4R9.2 to 11.4R7.5 and after this some of
> > the ifIndex changed.
>
> We had that a couple of time with the MX series (with and without ISSU), the
> last time it happened from 9.6RX to 10.4RX on a couple of systems.
> We will soon go from 10.4RX to 11.4RX so i am expecting it to happen again.
>
> > How do i get the ifIndex right? The workaround for EX doesnt help as
> > there is no such process to restart on MX series.
>
> I am not aware of a way to fix that. We usually have to fix it in our NMS,
> which is really annoying every time it happens.
>
> regards
> Tobias

Re: [j-nsp] Difference between RE models.

2012-12-07 Thread Jonas Frey (Probe Networks)
Sunil,

those are ordering codes from Juniper. The hardware is exactly the same
so you can mix them.

RE-400-768-BB = Base bundle (included in chassis order)
RE-400-768-R = Redundant module (can be ordered same time with chassis)
RE-400-768-S = Spare (to be ordered later to upgrade to redundancy)

-J

On Friday, 07.12.2012, at 01:51 -0800, Sunil Mayenkar wrote:
> Hello,
>
> I want to know the difference between RE-400-768-S and RE-400-768-R.
>
> What does the memory Spare and memory Redundant mean in the RE models.
> Are there any concerns if both are used together in a chassis?
>
> Thanks in advance,
>
> Sunil

Re: [j-nsp] Sources for SFP+ optics

2012-02-23 Thread Jonas Frey (Probe Networks)
The best thing nowadays is to get an EEPROM programmer and do all this
stuff yourself, this is what we do.
This way you are flexible with 3rd party optics. You just buy a bunch of
XFPs/SFP/SFP-P's with generic firmware and identifiers and program the
rest yourself for whatever device you are running which has
vendor-locking.

No reason to have exactly the same xFP hardware several times in stock
just to have it work with different devices.

Don't get me wrong, if I want something to be 100% officially supported
(or the project requires it) we buy the optics from the vendor.

But I don't see any reason to pay $1500 each time for a 10G SFP+ LR optic
when I can buy this from one of the larger SFP vendors for less than
$80.

-Jonas


On Thursday, 23.02.2012, at 08:27 -0800, Bill Blackford wrote:
> heh,
>
> ok, I shouldn't post something I'm clearly not prepared to provide
> empirical data for. This is what I've heard and I've certainly
> experienced results that support this notion.
>
> :)
>
> -b
>
>
> On Thu, Feb 23, 2012 at 8:16 AM, Saku Ytti s...@ytti.fi wrote:
> > On (2012-02-23 06:38 -0800), Bill Blackford wrote:
> >
> > > Several manufacturers, like Finisar, MRV, etc. send the units that
> > > test well to Juniper, Cisco, etc. The ones that don't pass well, go to
> > > third-parties. Also, if they are surplus and used, they could be
> > > dirty.
> >
> > {{Citation needed}}
> >
> > --
> >  ++ytti

Re: [j-nsp] SCB-E

2012-02-15 Thread Jonas Frey (Probe Networks)
PR718485:
Workaround:
Disable the then log or then syslog in firewall configuration.


On Wednesday, 15.02.2012, at 12:28 +0100, Per Randrup Nielsen wrote:
> PR718485



Re: [j-nsp] Does MS-PIC (Type2 MultiServices 400) work in MX-FPC2?

2012-01-25 Thread Jonas Frey (Probe Networks)
Chuck,

it's not listed on the supported PICs. There are only SONET PICs listed
(not even ethernet ones) so I guess it will very likely not work. I
guess your only option is to go with the MS-DPC.


On Tuesday, 24.01.2012, at 17:47 -0500, Chuck Anderson wrote:
> Is it possible to reuse a Type2 MS-PIC in an MX-FPC2?  Or is upgrading
> to the MS-DPC the only option?  This would be used for stateful
> firewall and perhaps some NAT.
>
> Thanks.

Re: [j-nsp] HDD Write Error

2012-01-16 Thread Jonas Frey (Probe Networks)
> for PC address 0x804cc83: PDE
> = 0x2e7df067, PTE = 2e7a3425
> Dumping 16 bytes starting at PC address
> 0x804cc83:
> 8b 14 90 89 95 a4 fd ff ff 41 89 8d 60 fd
> ff ff
> ...
> .
> ...
> ..
>
> Somebody had this problem ?
>
> Best Regards
>
> Isidoro
>
> On 18/11/2011 15:17, Juniper GOWEX wrote:
> > Dear Jonas,
> >
> > Two weeks ago we replaced the HDD
> > ( http://juniper.cluepon.net/Replacing_the_harddisk_with_solid_state_flash ).
> > We bought an identical HDD ( P/N MHT2030AT ) and copy the
> > data 1:1 ( using the windows software EASEUS Todo Backup
> > Free 3.0 ),
> > The cloning process took 35 min approximately.
> > After the restart the error disappeared.
> > Thank you very much for your help
> >
> > Isidoro
> >
> > On 22/09/2011 2:52, Jonas Frey (Probe Networks) wrote:
> > > Dear Isidoro,
> > >
> > > you can't copy the data 1:1, at least not without a lot of work.
> > > The best thing would be if you reinstall JunOS via an install media
> > > (pcmcia/cf card) once you replaced the hard disk.
> > > It's very easy to replace the hard disk on either RE2/3/4/5...it's
> > > normally only secured by 4 screens on the RE.
> > > Make sure to save your config files (JunOS config, SSH keys, other data
> > > like home directories, logs etc) before you replace the HDD if
> > > necessary.
> > >
> > > Best regards,
> > > Jonas
> > >
> > > On Wednesday, 21.09.2011, at 17:18 +0200, Isidoro Cristobal wrote:
> > > > Hi,
> > > >
> > > > First of all thank you very much for your quick response .
> > > >
> > > > How to save the data to the new hard disk? Do you know a procedure for
> > > > replacing hard disk ?
> > > >
> > > > Best Regards,
> > > >
> > > > Isidoro
> > > >
> > > > On 20/09/2011 17:29, Jonas Frey (Probe Networks) wrote:
> > > > > Hi,
> > > > >
> > > > > you are correct, the disk exceeded the maximum write errors permitted by
> > > > > the SMART value and thus is marked as bad. Prepare for a complete
> > > > > failure of the drive soon (1-30 days likely).
> > > > > May be the right time to upgrade the harddisk to a SSD.
> > > > > http://juniper.cluepon.net/Replacing_the_harddisk_with_solid_state_flash
> > > > >
> > > > > Best regards,
> > > > > Jonas
> > > > >
> > > > > On Tuesday, 20.09.2011, at 17:09 +0200, Juniper GOWEX wrote:
> > > > > > Hi all,
> > > > > >
> > > > > > From yesterday at the log of my M20 are the following message :
> > > > > >
> > > > > >  smartd[2595]:  Device: /dev/ad1a, Failed attribute: (200)Write
> > > > > >  Error Rate
> > > > > >
> > > > > > It's informative, but i think that there is a problem with my HDD ( I
> > > > > > still have to run the smartd commands ) .
> > > > > >
> > > > > > Somebody had this problem ?
> > > > > >
> > > > > > Best Regards
> > > > > >
> > > > > > Isidoro
  

Re: [j-nsp] Difference MX DPC-R / DPCE-R

2011-12-12 Thread Jonas Frey (Probe Networks)
Keegan,

all of the DPC- cards have been EOL for a long time (05/31/2009).
Some of the DPCE- cards are also EOL already. For details here is a list
(public):
http://www.juniper.net/support/eol/mseries_hw.html

Of course Juniper wants to move customers to MPC hardware so more and
more of the remaining DPCE- cards will go EOL soon.

You probably also mixed up DPC-S and DPCE-X, which is the layer2 card.

Best regards,
Jonas


On Monday, 12.12.2011, at 11:42 -0500, Keegan Holley wrote:
> You can find the details on the juniper website.  Off the top of my head I
> know there are fewer queues and you can't do layer-2 and layer-3 services
> on the same blade.  There's a DPC-S that is layer 2 only.  In general you
> should consider the non-e legacy.  I believe they might even be end of life
> by now.  The DPC-E's are eventually going to be superseded by the MPC
> because of the trio chipsets, but there will be several years before they
> are dropped, if ever.
>
> 2011/12/12 Nicolaj Kamensek n...@accelerated.de
>
> > Hello list,
> >
> > can anyone name the major differences between those modules? DPC are
> > becoming available in the used market for small money and I am wondering if
> > a DPC non-E is good enough for a classical access router environment with
> > 30.000+ ARP entries and a growing number of IPv6 neighbours but nothing
> > fancy overall.
> > Since it's hard to find any facts about this:
> >
> > - does it matter memory-wise if the requirements above are applied to just
> > one routed port or to multiple switched/routed ports?
> > - do bundled links still double the amount of memory required?
> >
> >
> > Thanks!

Re: [j-nsp] MX5-T-DC vs MX80-5G-DC-B

2011-11-19 Thread Jonas Frey (Probe Networks)
Hello,


> Hi all,
>
> these codes are basically the same, both are MX80 based devices with a
> MIC 1x20GE (all mics are commercially called 3D, no difference here)
> already installed in one of the two available slots. On MX5 (and in the
> commercial bundle MX80-5) the 20x1G MIC is the only card available to
> connect the MX to the network, as the on board 10GE ports are software
> restricted and not configurable.

That is not true. The ports are configurable and usable. But you need a
license to be allowed to use them. The license is just paperwork and you
don't need to activate it somewhere. However this policy will change in
the future, all MX5/10/40 bundles and line cards are EEPROM coded and a
later JunOS will activate these limitations (ask your channel partner
about this...).

>
> So, the two differences are:
>
> 1) the MX5 is a chassis which is physically grey and you can read MX5 on
> the front panel, whereas MX80-5-DC-B is a commercial bundle based on a MX80
> chassis; the commercial bundle was needed to have a faster go to market
> time schedule, that's it; of course, MX5 chassis (and MX10  MX40) are
> exactly an MX80, just the color and the label on the front panel change;
> 2) the T versions (all the T versions, MX5, 10,40 and also MX80-T)
> supports Sync-E according with G.8261 / G.8262 standards;

No, we have multiple MX5/MX10 boxes and none of them have any visual
difference to a real MX80. If they changed this in the last 2 months,
then this must be new.

>
> 1) is just commercial, whereas 2) is a technical difference.
>
> Both models are field upgradable to MX10, MX40 and MX80 using the same
> licensing scheme. If you need MX5 now, my advice is to go with the bundle
> as the real MX5 will ship end of this year (11.2R4/11.4R1 time frame).
> Hope this helps!
>
> Magno.
>
> On Fri, Nov 18, 2011 at 10:12 PM, Paul Stewart p...@paulstewart.org wrote:
>
> > There are bundles and then there are base units.  The bundles typically
> > include the MIC-3D-20GE-SFP - there were no MIC's that I'm aware of that
> > weren't 3D ... definitely not on the MX80 platform.  Yes, MX5 is
> > modular
> > it's physically the same as an MX80 box, just with software based
> > restrictions in place (which unless it's changed are honor system based
> > still) as noted by 4x10G fixed ports and 1x front empty MIC slot
> > restricted .. restricted = not usable without software upgrade.
> >
> > Paul
> >
> >
> > -Original Message-
> > From: juniper-nsp-boun...@puck.nether.net
> > [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Kevin Wormington
> > Sent: Friday, November 18, 2011 3:22 PM
> > To: sth...@nethelp.no
> > Cc: juniper-nsp@puck.nether.net
> > Subject: Re: [j-nsp] MX5-T-DC vs MX80-5G-DC-B
> >
> > I agree the specs look to be the same, the only difference I can see is the
> > MX5 says it includes a MIC-3D-20GE-SFP and the MX80 a 20x1G MIC.
> > Did they make a MIC that wasn't 3D?
> >
> > I'm pretty sure the MX5 is modular as well since it has the open MIC slot
> > that you can get an upgrade license to be able to use.
> >
> > On 11/18/2011 01:37 PM, sth...@nethelp.no wrote:
> > > The T version is copper only. The DC version is modular.
> > >
> > > Certain about this? In my price list (from August), these bundles are
> > > listed with exactly the same price.
> > >
> > > MX80-5G-DC-B:
> > > MX80 Promotional 5G Bundle, Includes MX80 Modular DC, spare DC Power
> > > supply, 20x1G MIC including L3-ADV license, Queuing, Inline Jflow,
> > > Junos WW. (4x10G fixed ports and 1x front empty MIC slot restricted)
> > >
> > >
> > > MX5-T-DC:
> > > MX5 DC chassis with timing support - includes dual power supplies,
> > > MIC-3D-20GE-SFP, Junos, S-MX80-ADV-R, S-MX80-Q  S-ACCT-JFLOW-IN-5G
> > > licenses. Power-supply cable to be ordered separately
> > >
> > > Sure looks to me like the specifications are the same too.
> > >
> > > Steinar Haug, Nethelp consulting, sth...@nethelp.no
> > >
> > >
> > > On Nov 18, 2011, at 11:06 AM, Kevin Wormington wrote:
> > >
> > > I'm looking at the above two MX bundles and other than timing support on
> > > the MX5 they seem to have the same specs.  Is there something that I'm
> > > missing?  Does anyone on the list know why one might want the MX80-5G-DC-B
> > > vs the MX5-T-DC?
> > >
> > > Thanks
   Kevin



Re: [j-nsp] MX5-T-DC vs MX80-5G-DC-B

2011-11-19 Thread Jonas Frey (Probe Networks)
Hi Nico,

which JunOS are you running? 10.4R7.5 here.

Maybe they changed it on later MX5/10/40 bundles or it's now being
enforced on newer JunOS versions (just as I said)...

Best regards,
Jonas


On Saturday, 19.11.2011 at 18:46 +0100, Nicolaj Kamensek wrote:
 On 19.11.2011 17:52, Jonas Frey (Probe Networks) wrote:
 
 Hello,
 
  That is not true. The ports are configurable and usable. But you need a
  license to be allowed to use them. The license is just paperwork and you
  don't need to activate it somewhere. However this policy will change in
  the future, all MX5/10/40 bundles and line cards are EEPROM coded and a
  later JunOS will activate these limitations (ask your channel partner
  about this...).
 
 I beg to differ: I currently have a MX80-5G bundle in the lab which does 
 show the interfaces in the 'show chassis hardware' statement but does 
 not allow the link to come up. Furthermore, the MIC-3D-20GE-SFP will not 
 come online in the 2nd MIC slot as well. The system is about 8 weeks old.
 
 Regards,
 Nico



Re: [j-nsp] HDD Write Error

2011-11-18 Thread Jonas Frey (Probe Networks)
Dear Isidoro,

glad it worked for you that way.

Please keep in mind that the Fujitsu MHT2030AT are long time end-of-life
and the disk you purchased was likely used already. Also the -AT Fujitsu
drives are not rated for 24x7 operation thus are a potential problem.
Only the -AS series are classified for enhanced 24x7 operation.
Anyway... if I was about to replace an HDD on a routing engine I would
only use an SSD nowadays.

Best regards,
Jonas Frey


On Friday, 18.11.2011 at 15:17 +0100, Juniper GOWEX wrote:
 Dear Jonas,
 
 Two weeks ago we replaced the HDD
 ( http://juniper.cluepon.net/Replacing_the_harddisk_with_solid_state_flash ).
 We bought an identical HDD ( P/N MHT2030AT ) and copied the data
 1:1 ( using the Windows software EASEUS Todo Backup Free 3.0 ).
 The cloning process took approximately 35 min.
 After the restart the error disappeared.
 Thank you very much for your help
 
 Isidoro
 
 On 22/09/2011 2:52, Jonas Frey (Probe Networks) wrote:
  Dear Isidoro,
  
  you can't copy the data 1:1... at least not without a lot of work.
  The best thing would be if you reinstall JunOS via an install media
  (pcmcia/cf card) once you replaced the hard disk.
  It's very easy to replace the hard disk on either RE2/3/4/5... it's
  normally only secured by 4 screws on the RE.
  Make sure to save your config files (JunOS config, SSH keys, other data
  like home directories, logs etc) before you replace the HDD if
  necessary.
  
  Best regards,
  Jonas
  
  On Wednesday, 21.09.2011 at 17:18 +0200, Isidoro Cristobal wrote:
   Hi,
   
   First of all thank you very much for your quick response .
   
   How to save the data to the new hard disk? Do you know a procedure for 
   replacing hard disk ?
   
   Best Regards,
   
   Isidoro
   
   
   
   On 20/09/2011 17:29, Jonas Frey (Probe Networks) wrote:
Hi,

you are correct, the disk exceeded the maximum write errors permitted by
the SMART value and thus is marked as bad. Prepare for a complete
failure of the drive soon (1-30 days likely).
May be the right time to upgrade the harddisk to a SSD.
http://juniper.cluepon.net/Replacing_the_harddisk_with_solid_state_flash

Best regards,
Jonas



On Tuesday, 20.09.2011 at 17:09 +0200, Juniper GOWEX wrote:
 Hi all,
 
   From yesterday at the log of my M20 are the following message :
 
  smartd[2595]:  Device: /dev/ad1a, Failed attribute: 
 (200)Write
  Error Rate
 
 It's informative, but I think that there is a problem with my HDD ( I
 still have to run the smartd commands ).
 
 Somebody had this problem ?
 
 
 Best Regards
 
 Isidoro
 
 

Re: [j-nsp] 'Juniper BGP issues causing locallized Internet Problems, (Mon, Nov 7th)?

2011-11-07 Thread Jonas Frey (Probe Networks)
Well... basically yes. The issue (PSN-2011-08-327) has been known since August.
I guess the fact that Juniper has listed the issue as "the
probability of exploiting this defect is extremely low" has led many
networks to not implement an immediate fix for this from a security
perspective.
As you know, maintenance usually causes service impact for customers and
(if possible) most networks like to avoid unnecessary downtime.
Additionally, a lot of folks like to test new software in a lab
environment first, so a simple update to a new JunOS version can
sometimes be quite complex and cost-intensive.

-Jonas



On Monday, 07.11.2011 at 22:46 -0600, Jack Bates wrote:
 On 11/7/2011 8:28 PM, Chris Adams wrote:
  Once upon a time, Jack Bates <jba...@brightok.net> said:
  More importantly, if it was the issue dated in August, how in the heck
  do I get on a list which tells me such a critical bug exists?
  If you have a Juniper support account, go to www.juniper.net/alerts,
  scroll to the bottom, and click on Modify Your Alert Preferences.
 
 
 Thanks. So I'm guessing anyone affected by it shouldn't have been 
 (given I'd think large networks would have been notified and have valid 
 support contracts).
 
 
 Jack

Re: [j-nsp] HDD Write Error

2011-10-19 Thread Jonas Frey (Probe Networks)
Hello,

haven't you changed the HDD yet? Like to live dangerously eh? :-)

This is very likely related because those error messages cause writes
to the HDD... and if your HDD is dead/has bad sectors that will cause
trouble.

Good luck,
Jonas

On Wednesday, 19.10.2011 at 16:19 +0200, Juniper GOWEX wrote:
 Hi all,
 
 Twenty days later, the error reappeared. The error appears in the log 
 always after a RPD_SCHED_SLIP: 5 sec scheduler slip, user: 0 sec 0 
 usec, system: 4 sec, 228450 usec messages:
 
 
 /
 Oct 13 23:16:35.278 2011   LEV[2625]: RPD_SCHED_SLIP: 5 sec
 scheduler slip, user: 0 sec 0 usec, system: 4 sec, 228450 usec
 Oct 13 23:17:35.862 2011   LEV[2625]: RPD_SCHED_SLIP: 4 sec
 scheduler slip, user: 0 sec 0 usec, system: 3 sec, 804772 usec
 Oct 13 23:20:07.655 2011   LEV[2625]: RPD_SCHED_SLIP: 4 sec
 scheduler slip, user: 0 sec 0 usec, system: 3 sec, 750490 usec
 Oct 13 23:27:43.598 2011   LEV[2625]: RPD_SCHED_SLIP: 4 sec
 scheduler slip, user: 0 sec 0 usec, system: 3 sec, 78894 usec
 Oct 13 23:28:14.755 2011   LEV[2625]: RPD_SCHED_SLIP: 5 sec
 scheduler slip, user: 0 sec 0 usec, system: 3 sec, 903324 usec
 Oct 13 23:29:16.124 2011   LEV[2625]: RPD_SCHED_SLIP: 5 sec
 scheduler slip, user: 0 sec 0 usec, system: 4 sec, 166013 usec
 Oct 13 23:31:18.118 2011   LEV[2625]: RPD_SCHED_SLIP: 5 sec
 scheduler slip, user: 0 sec 0 usec, system: 3 sec, 598753 usec
 Oct 13 23:35:46.293 2011   ssb NH: resolutions from iif 82 throttled
 Oct 13 23:38:25.256 2011   LEV[2625]: RPD_SCHED_SLIP: 4 sec
 scheduler slip, user: 0 sec 0 usec, system: 3 sec, 762067 usec
 Oct 13 23:38:55.759 2011   LEV[2625]: RPD_SCHED_SLIP: 5 sec
 scheduler slip, user: 0 sec 0 usec, system: 4 sec, 171438 usec
 Oct 13 23:41:01.342 2011  ssb NH: resolutions from iif 88 throttled
 Oct 13 23:42:16.283 2011  ssb NH: resolutions from iif 93 throttled
 Oct 13 23:46:05.391 2011  smartd[2595]:  Device: /dev/ad1a,
 Failed attribute: (200)Write Error Rate
 /
 
 Could this be related?
 
 Best Regards
 
 Isidoro
 
 
 
 On 22/09/2011 8:05, Josh Farrelly wrote:
  Could you put them both in a Linux box and just 'dd if' them?
 
  -Original Message-
  From: juniper-nsp-boun...@puck.nether.net 
  [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Jonas Frey (Probe 
  Networks)
  Sent: Thursday, 22 September 2011 12:52
  To: Isidoro Cristobal
  Cc: juniper-nsp@puck.nether.net
  Subject: Re: [j-nsp] HDD Write Error
 
  Dear Isidoro,
 
  you can't copy the data 1:1... at least not without a lot of work.
  The best thing would be if you reinstall JunOS via an install media 
  (pcmcia/cf card) once you replaced the hard disk.
  It's very easy to replace the hard disk on either RE2/3/4/5... it's normally 
  only secured by 4 screws on the RE.
  Make sure to save your config files (JunOS config, SSH keys, other data 
  like home directories, logs etc) before you replace the HDD if necessary.
 
  Best regards,
  Jonas
 
  On Wednesday, 21.09.2011 at 17:18 +0200, Isidoro Cristobal wrote:
  Hi,
 
  First of all thank you very much for your quick response .
 
  How to save the data to the new hard disk? Do you know a procedure for
  replacing hard disk ?
 
  Best Regards,
 
  Isidoro
 
 
 
  On 20/09/2011 17:29, Jonas Frey (Probe Networks) wrote:
  Hi,
 
  you are correct, the disk exceeded the maximum write errors
  permitted by the SMART value and thus is marked as bad. Prepare for
  a complete failure of the drive soon (1-30 days likely).
  May be the right time to upgrade the harddisk to a SSD.
  http://juniper.cluepon.net/Replacing_the_harddisk_with_solid_state_flash
 
  Best regards,
  Jonas
 
 
 
  On Tuesday, 20.09.2011 at 17:09 +0200, Juniper GOWEX wrote:
  Hi all,
 
 From yesterday at the log of my M20 are the following message :
 
smartd[2595]:  Device: /dev/ad1a, Failed attribute: (200)Write
Error Rate
 
  It's informative, but I think that there is a problem with my HDD (
  I still have to run the smartd commands ).
 
  Somebody had this problem ?
 
 
  Best Regards
 
  Isidoro
 
 

Re: [j-nsp] HDD Write Error

2011-10-19 Thread Jonas Frey (Probe Networks)
Hello,

yes that will work. You need to check the interface config of course
(because you have less interfaces).

The M20 will install the correct PFE module when it loads (it will spit
out an error saying it's running the incorrect PFE module for this
architecture). So booting will take a minute longer than usual but that's
it.

Jonas

On Wednesday, 19.10.2011 at 20:14 +0100, juni...@iber-x.com wrote:
 Hi experts,
 
 Thanks for your replies and advices. 
 
 Just a quick question, as we have an old M5 and M10, we were wondering
 if we could replace directly the HDD from one of these two routers to
 our M20. Is it that possible? any experience doing that? If both of
 them have the same JUNOS installed, and then copy the current
 configuration..  thoughts?
 
 Many thanks,
 
 
 On 19/10/2011 16:56, Jonas Frey (Probe Networks) wrote:
  Hello,
  
  haven't you changed the HDD yet? Like to live dangerously eh? :-)
  
  This is very likely related because those error messages cause writes
  to the HDD... and if your HDD is dead/has bad sectors that will cause
  trouble.
  
  Good luck,
  Jonas
  
  On Wednesday, 19.10.2011 at 16:19 +0200, Juniper GOWEX wrote:
   Hi all,
   
   Twenty days later, the error reappeared. The error appears in the log 
   always after a RPD_SCHED_SLIP: 5 sec scheduler slip, user: 0 sec 0 
   usec, system: 4 sec, 228450 usec messages:
   
   
   /
   Oct 13 23:16:35.278 2011   LEV[2625]: RPD_SCHED_SLIP: 5 sec
   scheduler slip, user: 0 sec 0 usec, system: 4 sec, 228450 usec
   Oct 13 23:17:35.862 2011   LEV[2625]: RPD_SCHED_SLIP: 4 sec
   scheduler slip, user: 0 sec 0 usec, system: 3 sec, 804772 usec
   Oct 13 23:20:07.655 2011   LEV[2625]: RPD_SCHED_SLIP: 4 sec
   scheduler slip, user: 0 sec 0 usec, system: 3 sec, 750490 usec
   Oct 13 23:27:43.598 2011   LEV[2625]: RPD_SCHED_SLIP: 4 sec
   scheduler slip, user: 0 sec 0 usec, system: 3 sec, 78894 usec
   Oct 13 23:28:14.755 2011   LEV[2625]: RPD_SCHED_SLIP: 5 sec
   scheduler slip, user: 0 sec 0 usec, system: 3 sec, 903324 usec
   Oct 13 23:29:16.124 2011   LEV[2625]: RPD_SCHED_SLIP: 5 sec
   scheduler slip, user: 0 sec 0 usec, system: 4 sec, 166013 usec
   Oct 13 23:31:18.118 2011   LEV[2625]: RPD_SCHED_SLIP: 5 sec
   scheduler slip, user: 0 sec 0 usec, system: 3 sec, 598753 usec
   Oct 13 23:35:46.293 2011   ssb NH: resolutions from iif 82 
   throttled
   Oct 13 23:38:25.256 2011   LEV[2625]: RPD_SCHED_SLIP: 4 sec
   scheduler slip, user: 0 sec 0 usec, system: 3 sec, 762067 usec
   Oct 13 23:38:55.759 2011   LEV[2625]: RPD_SCHED_SLIP: 5 sec
   scheduler slip, user: 0 sec 0 usec, system: 4 sec, 171438 usec
   Oct 13 23:41:01.342 2011  ssb NH: resolutions from iif 88 
   throttled
   Oct 13 23:42:16.283 2011  ssb NH: resolutions from iif 93 
   throttled
   Oct 13 23:46:05.391 2011  smartd[2595]:  Device: /dev/ad1a,
   Failed attribute: (200)Write Error Rate
   /
   
   Could this be related?
   
   Best Regards
   
   Isidoro
   
   
   
   On 22/09/2011 8:05, Josh Farrelly wrote:
Could you put them both in a Linux box and just 'dd if' them?

-Original Message-
From: juniper-nsp-boun...@puck.nether.net 
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Jonas Frey 
(Probe Networks)
Sent: Thursday, 22 September 2011 12:52
To: Isidoro Cristobal
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] HDD Write Error

Dear Isidoro,

you can't copy the data 1:1... at least not without a lot of work.
The best thing would be if you reinstall JunOS via an install media 
(pcmcia/cf card) once you replaced the hard disk.
It's very easy to replace the hard disk on either RE2/3/4/5... it's 
normally only secured by 4 screws on the RE.
Make sure to save your config files (JunOS config, SSH keys, other data 
like home directories, logs etc) before you replace the HDD if 
necessary.

Best regards,
Jonas

On Wednesday, 21.09.2011 at 17:18 +0200, Isidoro Cristobal wrote:
 Hi,
 
 First of all thank you very much for your quick response .
 
 How to save the data to the new hard disk? Do you know a procedure for
 replacing hard disk ?
 
 Best Regards,
 
 Isidoro
 
 
 
 On 20/09/2011 17:29, Jonas Frey (Probe Networks) wrote:
  Hi,
  
  you are correct, the disk exceeded the maximum write errors
  permitted by the SMART value and thus is marked as bad. Prepare for
  a complete failure of the drive soon (1-30 days likely).
  May be the right time to upgrade the harddisk to a SSD.
  http://juniper.cluepon.net/Replacing_the_harddisk_with_solid_state_flash
  
  Best regards,
  Jonas
  
  
  
  Am Dienstag, den 20.09.2011

Re: [j-nsp] MX: bridge-domains and l2circuit

2011-10-13 Thread Jonas Frey (Probe Networks)
Hello Ivan,

as Humair already pointed out you need to have encapsulation vlan-bridge
and vlan-ccc on one of each of the lt- interfaces.

Best regards,
Jonas

On Thursday, 13.10.2011 at 22:20 +0300, Ivan Ivanov wrote:
 Hello Jonas,
 
 
 Could you share with us working configuration? Because when I try to
 stitch both units of lt- interface I got error 'encapsulation
 mismatch'.
 
 
 Thanks!
 
 On Thu, Aug 18, 2011 at 21:26, Jonas Frey (Probe Networks)
 j...@probe-networks.de wrote:
 Thanks to all who replied, I got this working the way Chris described
 (via lt tunnels).
 
 I also tried the new iw0 interfaces as per Juniper documentation but it
 didn't work. Bridge-domains won't let me add an iw0.x interface to the
 bridge and I was unable to find any more information on how to correctly
 configure this (probably because it's pretty new).
 
 Best regards,
 Jonas
 
 On Thursday, 18.08.2011 at 07:37 -0500, OBrien, Will wrote:
 
  To implement tagged interfaces with bridge domains, I use irb interfaces.
  This is directly from my production box with a little scrubbing.
 
  xe-0/0/0 {
      description "blah uplink";
      per-unit-scheduler;
      flexible-vlan-tagging;
      encapsulation flexible-ethernet-services;
      unit 200 {
          encapsulation vlan-bridge;
          vlan-id 200;
      }
      unit 201 {
          encapsulation vlan-bridge;
          vlan-id 201;
      }
  }
 
  irb {
      unit 200 {
          family inet {
              inactive: filter {
                  input I2Inbound;
                  output I2Outbound;
              }
              service {
                  input {
                      service-set i2-napt service-filter i2-nat-in;
                  }
                  output {
                      service-set i2-napt service-filter i2-nat-out;
                  }
              }
              address x.x.x.x/30;
          }
      }
      unit 201 {
          family inet {
              filter {
                  input PolicerIn;
                  output PolicerOut;
              }
              service {
                  input {
                      service-set i1-napt service-filter i1-nat-in;
                  }
                  output {
                      service-set i1-napt service-filter i1-nat-out;
                  }
              }
              address x.x.x.x/30;
          }
      }
  }
 
  show configuration bridge-domains
 
  vlan-200 {
      domain-type bridge;
      vlan-id 200;
      interface xe-0/0/0.200;
      routing-interface irb.200;
  }
  vlan-201 {
      domain-type bridge;
      vlan-id 201;
      interface xe-0/0/0.201;
      routing-interface irb.201;
  }
 
 
 
  On Aug 18, 2011, at 1:54 AM, Chris Kawchuk wrote:
 
   Ahh, slightly different issue then.
  
   First off, once you use that flexible-ethernet-services, you should be
   declaring each vlan separately and manually add them into the
   bridge-domain config (i.e. bridge-domain VLAN20 interface xe-1/0/0.x).
   Anyways, that's not what we're attempting to do here. =)
  
   What you're looking for is to stitch an l2circuit into a bridge-domain
   (not pick off a VLAN off an interface and turn that into a CCC/L2circuit
   - different solution). Perhaps a logical-tunnel here may help. (i.e.
   lt-x/x/x.x interface). I have stitched l2circuits/ccc's into VPLS
   domains before; I assume the same theory holds true.
  
   Have a look at using the tunnel-services on your MX DPC card. Apologies
   in advance as I'm writing this in pseudo-code from memory (i.e.
   un-tested, more of a general idea as to a direction to explore):
  
   chassis {
       fpc 1 {
           pic 3 {
               tunnel-services {
                   bandwidth 1g;
               }
           }
       }
   }
  
   interfaces {
       lt-1/3/10 {
           unit 1 {
               encapsulation vlan-ccc;
               peer-unit 2;
           }
           unit 2

Re: [j-nsp] JUNOS and 128.0.0.0 martian (JFYI)

2011-10-10 Thread Jonas Frey (Probe Networks)
To whomever opened a PR about this:

It has been posted on the amsix mailing list that juniper also needs to
change internal addressing because of the issue with 128.0.0.0/16 as
addresses of this space are used internally within JunOS (see below).
Please add this to the PR so it gets fixed.


re0 show interfaces em1 terse
Interface               Admin Link Proto    Local                 Remote
em1                     up    up
em1.0                   up    up   inet     10.0.0.1/8
                                            10.0.0.4/8
                                            128.0.0.1/2   --
                                            128.0.0.4/2   --

MX96-01_re0 show interfaces em0 terse
Interface               Admin Link Proto    Local                 Remote
em0                     up    up
em0.0                   up    up   inet     10.0.0.1/8
                                            10.0.0.4/8
                                            128.0.0.1/2   --
                                            128.0.0.4/2   --

re0 show route 128.0.0.0/2 table __juniper_private1__.inet.0
__juniper_private1__.inet.0: 6 destinations, 10 routes (4 active, 0 holddown, 2 hidden)
+ = Active Route, - = Last Active, * = Both

128.0.0.0/2        *[Direct/0] 31w6d 05:05:46
                      via em0.0
                    [Direct/0] 31w6d 05:05:46
                      via em0.0
                    [Direct/0] 31w6d 05:05:46
                      via em1.0
                    [Direct/0] 31w6d 05:05:46
                      via em1.0


On Monday, 10.10.2011 at 16:26 +0200, Daniel Roesen wrote:
 On Mon, Oct 10, 2011 at 03:23:48PM +0200, Sebastian Wiesinger wrote:
   Recently RIPE NCC started to allocate addresses from 128/8 to end
   users, example:
   
   https://apps.db.ripe.net/whois/lookup/ripe/inetnum/128.0.0.0-128.0.7.255.html
   
   Junos software (up to and including 11.1) blocks those addresses by default:
  
  If you have a case open with JTAC tell them to remove 191.255.0.0/16
  as well. That block is no longer reserved.
 
 Same goes for 223.255.255.0/24
 
 Reference: RFC5735
 
 Best regards,
 Daniel
 


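Added example, not part of the original thread: a small offline audit of the point made above, checking which interface subnets and which martian-filter entries overlap the blocks the thread names as no longer reserved (128.0.0.0/16, 191.255.0.0/16, 223.255.255.0/24). The sample CLI text and the martian list are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress
import re

# Blocks named in the thread as no longer reserved (RFC 5735).
DERESERVED = [ipaddress.ip_network(p) for p in
              ("128.0.0.0/16", "191.255.0.0/16", "223.255.255.0/24")]

# Constructed sample, modelled on the em1 output quoted in the message above.
SAMPLE_TERSE = """\
Interface               Admin Link Proto    Local                 Remote
em1                     up    up
em1.0                   up    up   inet     10.0.0.1/8
                                            10.0.0.4/8
                                            128.0.0.1/2
                                            128.0.0.4/2
"""

# Constructed martian list for illustration; not a dump of any Junos default.
SAMPLE_MARTIANS = ["0.0.0.0/8", "127.0.0.0/8", "128.0.0.0/16",
                   "191.255.0.0/16", "223.255.255.0/24", "240.0.0.0/4"]

ADDR_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})(?!\d)")


def parse_terse(text):
    """Return (logical_interface, IPv4Interface) pairs from 'terse' output."""
    pairs, current = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = line.split()[0]      # a new interface row starts here
        for match in ADDR_RE.findall(line):
            try:
                pairs.append((current, ipaddress.ip_interface(match)))
            except ValueError:
                continue                   # not a valid IPv4 address/prefix
    return pairs


def interface_conflicts(text):
    """Interface subnets that overlap space now handed out to end users."""
    hits = []
    for ifname, iface in parse_terse(text):
        for block in DERESERVED:
            if iface.network.overlaps(block):
                hits.append((ifname, str(iface), str(block)))
    return hits


def stale_martians(prefixes):
    """Filter entries that would still drop routes inside de-reserved space."""
    stale = []
    for prefix in prefixes:
        net = ipaddress.ip_network(prefix, strict=False)
        if any(net.overlaps(block) for block in DERESERVED):
            stale.append(str(net))
    return stale


if __name__ == "__main__":
    for ifname, addr, block in interface_conflicts(SAMPLE_TERSE):
        print(f"{ifname}: {addr} overlaps {block}")
    print("stale martian entries:", stale_martians(SAMPLE_MARTIANS))
```

Because the internal addresses carry a /2 mask, each one overlaps both 128.0.0.0/16 and 191.255.0.0/16, which is why the sample reports four conflicts for two addresses.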

Re: [j-nsp] M10i JUNOS Upgrade

2011-09-29 Thread Jonas Frey (Probe Networks)
I think it should be possible to upgrade to 10.x without CF. The M7i
initially came without CF.
If the box is not in production you could just try updating it.
Otherwise just buy a Sandisk 1/2GB CF on ebay for cheap money.

If you have redundant routing engines you need to upgrade both separately.
This means first upgrade RE0 with the install media and then RE1 (by
putting the install-media into RE1 and connecting the console cable to
RE1).

-Jonas

On Wednesday, 28.09.2011 at 23:24 +0300, Jake Jake wrote:
 I do have 2 spare 256MB drams which would meet the requirement. But in
 most of the documentation in Juniper they mention a mandatory
 requirement of 1G compact flash. But currently I don't have a compact
 flash on the router. I can see only ad1s1 . I guess this is the hard
 disk on the router.  Will upgrade be still possible without the
 compact flash.
  
 Further if a install media is used , how would it work with redundant
 routing engine upgrades. 
  
 Cheers
 
 
 On Wed, Sep 28, 2011 at 11:12 PM, Jonas Frey (Probe Networks)
 j...@probe-networks.de wrote:
 Jake,
 
 as far as I know you need more than 512MB dram to go past JunOS 10.x.
 (I know there was a limitation but I don't recall where in detail).
 Anyway, with less than 768MB RAM you are asking for trouble with any
 modern JunOS.
 Best would be to upgrade your RE-5 to 768 MB which is the max.
 
 The RE-5 only comes with 256MB sticks, so you would only need to buy 1
 more. This will be fine if you buy them from Juniper ($$$).
 If you are going the 3rd party route then it'll be better to buy 3x256MB
 sticks since otherwise the chip types won't match which could lead to
 problems. The cost for these is probably just a few dollars...
 
 512MB sticks only work on the RE-5+ aka RE-850.
 
 As for the upgrade: Get yourself an install media (or create one) and
 save yourself the trouble of going via various intermediate versions
 (also this would be a lot faster).
 
 -Jonas
 
 
 On Wednesday, 28.09.2011 at 21:43 +0300, Jake Jake wrote:
  Hi all,
 
  I am looking at upgrading the JUNOS on our M10i router. Current JUNOS
  platform is 6.3R1.3 . The router has redundant routing Engine  RE-5.0 with
  512MB DRAM . Also there is no compact flash on board only *ad1s1*. Can any
  one suggest on if I can upgrade the router to 11.1R5.4 with the current
  hardware specification .  Please advise on if a direct upgrade can be done
  as well from 6.3 to 11.1.
 
  Plus as I understand M10i has 3 DRAM slots. Is there any way of knowing the
  combination of RAM used ..i.e 256+256MB or a single 512MB RAM.
 
  Cheers

Re: [j-nsp] M10i JUNOS Upgrade

2011-09-28 Thread Jonas Frey (Probe Networks)
Jake,

as far as I know you need more than 512MB dram to go past JunOS 10.x.
(I know there was a limitation but I don't recall where in detail).
Anyway, with less than 768MB RAM you are asking for trouble with any
modern JunOS.
Best would be to upgrade your RE-5 to 768 MB which is the max.

The RE-5 only comes with 256MB sticks, so you would only need to buy 1
more. This will be fine if you buy them from Juniper ($$$).
If you are going the 3rd party route then it'll be better to buy 3x256MB
sticks since otherwise the chip types won't match which could lead to
problems. The cost for these is probably just a few dollars...

512MB sticks only work on the RE-5+ aka RE-850.

As for the upgrade: Get yourself an install media (or create one) and
save yourself the trouble of going via various intermediate versions
(also this would be a lot faster).

-Jonas


On Wednesday, 28.09.2011 at 15:27 -0400, James Jones wrote:
 Just a tip I have found it always easier to backup everything and use the
 jinstall file.
 
 
 
 
 
 On Wed, Sep 28, 2011 at 3:06 PM, Jeff Wheeler j...@inconcepts.biz wrote:
 
  On Wed, Sep 28, 2011 at 2:43 PM, Jake Jake 2012j...@gmail.com wrote:
   I am looking at upgrading the JUNOS on our M10i router. Current JUNOS
   platform is 6.3R1.3 . The router has redundant routing Engine  RE-5.0 with
   512MB DRAM . Also there is no compact flash on board only *ad1s1*. Can any
   one suggest on if I can upgrade the router to 11.1R5.4 with the current
   hardware specification .  Please advise on if a direct upgrade can be done
   as well from 6.3 to 11.1.
 
  If you have DFZ routes you should upgrade the RAM to 768MB, or
  alternatively, replace the router or buy more modern routing engines.
  There is a big jump in memory usage in 8.x and if you have only 512MB
  and are carrying Internet BGP routes, you will be using the swap and
  the RE will perform badly.
 
  No, you cannot do a direct upgrade from 6.3 to 11.1.  You'll be going
  through quite a few intermediate software versions to do that.  It
  will be easier to simply reinstall Junos from an 11.1 install-media
  disk and then load your configuration.
 
   Plus as I understand M10i has 3 DRAM slots. Is there any way of knowing the
   combination of RAM used ..i.e 256+256MB or a single 512MB RAM.
 
  I don't think the RE-5.0 will recognize more than 256MB per slot.
 
  --
  Jeff S Wheeler j...@inconcepts.biz
  Sr Network Operator  /  Innovative Network Concepts
 

Re: [j-nsp] HDD Write Error

2011-09-21 Thread Jonas Frey (Probe Networks)
Dear Isidoro,

you can't copy the data 1:1... at least not without a lot of work.
The best thing would be if you reinstall JunOS via an install media
(pcmcia/cf card) once you replaced the hard disk.
It's very easy to replace the hard disk on either RE2/3/4/5... it's
normally only secured by 4 screws on the RE.
Make sure to save your config files (JunOS config, SSH keys, other data
like home directories, logs etc) before you replace the HDD if
necessary.

Best regards,
Jonas

On Wednesday, 21.09.2011 at 17:18 +0200, Isidoro Cristobal wrote:
 Hi,
 
 First of all thank you very much for your quick response .
 
 How to save the data to the new hard disk? Do you know a procedure for 
 replacing hard disk ?
 
 Best Regards,
 
 Isidoro
 
 
 
 On 20/09/2011 17:29, Jonas Frey (Probe Networks) wrote:
  Hi,
 
  you are correct, the disk exceeded the maximum write errors permitted by
  the SMART value and thus is marked as bad. Prepare for a complete
  failure of the drive soon (1-30 days likely).
  May be the right time to upgrade the harddisk to a SSD.
  http://juniper.cluepon.net/Replacing_the_harddisk_with_solid_state_flash
 
  Best regards,
  Jonas
 
 
 
  On Tuesday, 20.09.2011 at 17:09 +0200, Juniper GOWEX wrote:
  Hi all,
 
From yesterday at the log of my M20 are the following message :
 
   smartd[2595]:  Device: /dev/ad1a, Failed attribute: (200)Write
   Error Rate
 
  It's informative, but I think that there is a problem with my HDD ( I
  still have to run the smartd commands ).
 
  Somebody had this problem ?
 
 
  Best Regards
 
  Isidoro
 
 

Re: [j-nsp] HDD Write Error

2011-09-20 Thread Jonas Frey (Probe Networks)
Hi,

you are correct, the disk exceeded the maximum write errors permitted by
the SMART value and thus is marked as bad. Prepare for a complete
failure of the drive soon (1-30 days likely).
May be the right time to upgrade the harddisk to a SSD.
http://juniper.cluepon.net/Replacing_the_harddisk_with_solid_state_flash

Best regards,
Jonas



On Tuesday, 20.09.2011 at 17:09 +0200, Juniper GOWEX wrote:
 Hi all,
 
  From yesterday at the log of my M20 are the following message :
 
 smartd[2595]:  Device: /dev/ad1a, Failed attribute: (200)Write
 Error Rate
 
 It's informative, but I think that there is a problem with my HDD ( I 
 still have to run the smartd commands ).
 
 Somebody had this problem ?
 
 
 Best Regards
 
 Isidoro
 
 

Re: [j-nsp] 1GE CWDM/DWDM Optics???

2011-09-09 Thread Jonas Frey (Probe Networks)
Hello,

I can confirm that several CWDM SFPs from different vendors work fine
with the MX-series. They will show up as unknown vendor as it's been said
already... unless you reprogram these to return Juniper part numbers
(if you've got a SFP eeprom programmer).

-
Jonas

On Friday, 09.09.2011 at 14:30 +1000, Ben Dale wrote:
 I just dropped some MRV CWDM optics (SFP-GDCWZX-xx-R) into an MX80 and they 
 work fine.
 
 They show up as unknown vendor: 
 
 comlinx@bras1-bne# run show chassis hardware 
 
   Xcvr 0 0NON-JNPR 1JJ680083602548   SFP-SX
   Xcvr 9  NON-JNPR A28T000100SFP-LH
   Xcvr 0 0NON-JNPR 1JJ680083602518   SFP-SX
   Xcvr 9  NON-JNPR A28T000101SFP-LH
 
 But you can see more detail in the pic information:
 
 comlinx@bras1-bne# run show chassis pic pic-slot 1 fpc-slot 1
 
 PIC port information:
   FiberXcvr vendor
   Port  Cable typetype  Xcvr vendorpart number   
 Wavelength
   0 GIGE 1000SX   MMFIBERXON INC.  FTM-8012C-SLG 850 nm  
   9 GIGE 1000LH   SMMRV COMM, INC. SFP-GDCWZX-51 1511 nm 
 
 
 The MX also picks up the digital diagnostics fine with:
 
 comlinx@bras1-bne# run show interfaces diagnostics optics ge-1/0/9  
 Physical interface: ge-1/0/9
 Laser bias current:  5.230 mA
 Laser output power:  1.0920 mW / 0.38 dBm
 Module temperature:  26 degrees C / 78 degrees F
 Module voltage:  2.2910 V
 Receiver signal average optical power :  0.1801 mW / -7.44 dBm
 Laser bias current high alarm :  Off
 Laser bias current low alarm  :  Off
 Laser bias current high warning   :  Off
 Laser bias current low warning:  Off
 Laser output power high alarm :  Off
 Laser output power low alarm  :  Off
 Laser output power high warning   :  Off
 Laser output power low warning:  Off
 Module temperature high alarm :  Off
 Module temperature low alarm  :  Off
 Module temperature high warning   :  Off
 Module temperature low warning:  Off
 Module voltage high alarm :  Off
 Module voltage low alarm  :  Off
 Module voltage high warning   :  Off
 Module voltage low warning:  Off
 Laser rx power high alarm :  Off
 Laser rx power low alarm  :  Off
 Laser rx power high warning   :  Off
 Laser rx power low warning:  On
 Laser bias current high alarm threshold   :  110.000 mA
 Laser bias current low alarm threshold:  4.248 mA
 Laser bias current high warning threshold :  100.000 mA
 Laser bias current low warning threshold  :  4.500 mA
 Laser output power high alarm threshold   :  5.0110 mW / 7.00 dBm
 Laser output power low alarm threshold:  0.6310 mW / -2.00 dBm
 Laser output power high warning threshold :  3.9800 mW / 6.00 dBm
 Laser output power low warning threshold  :  0.7940 mW / -1.00 dBm
 Module temperature high alarm threshold   :  83 degrees C / 181 degrees F
 Module temperature low alarm threshold:  -13 degrees C / 9 degrees F
 Module temperature high warning threshold :  78 degrees C / 172 degrees F
 Module temperature low warning threshold  :  -8 degrees C / 18 degrees F
 Module voltage high alarm threshold   :  3.800 V
 Module voltage low alarm threshold:  2.800 V
 Module voltage high warning threshold :  3.500 V
 Module voltage low warning threshold  :  3.100 V
 Laser rx power high alarm threshold   :  3403.8995 mW / 35.32 dBm
 Laser rx power low alarm threshold:  3735.2205 mW / 35.72 dBm
 Laser rx power high warning threshold :  3751.1625 mW / 35.74 dBm
 Laser rx power low warning threshold  :  413.2390 mW / 26.16 dBm
 
 
 
 Cheers,
 
 Ben
 
 On 09/09/2011, at 1:19 PM, Juno Guy wrote:
 
  Anyone know of any 1GE (not 10GE) CWDM/DWDM optics that work with MX
  series?
  
  thx
  
  -Juno

Re: [j-nsp] [m10i] PIC-FPC throughput

2011-08-30 Thread Jonas Frey (Probe Networks)
The 3.2 Gbps limitation depends on the CFEB you have.

The CFEB-E bumps this up to full line rate on all ports (4 Gbps per
FPC).

M7i 8.4Gbps half-duplex CFEB / 10Gbps half-duplex CFEB-E
(this is because of the integrated GE/2FE Ports)

M10i 12.8Gbps half-duplex legacy CFEB, 3.2Gbps per FPC
 16Gbps half-duplex CFEB-E, 4Gbps per FPC


Anyway you always have only 1 Gbps per PIC towards the backplane
regardless of how many GE ports that PIC actually has.

Jonas

On Tuesday, 30.08.2011, at 02:00 +0400, Nick Kritsky wrote:
 Hi all,
 
 From the Juniper documentation I know that there is a throughput limitation
 of 3.2 Gbps per FPC on m10i routers. Does it mean that there is 800Mbps
 limitation on each PIC inserted in PIC slot on given FPC? Or is it an
 aggregate limitation. To give you the real life example - should I be
 worried if total usage on 4 interfaces of ge-0/0/* wants to go over 1G, if
 the total usage of ge-0/*/* is still below 2G. If that matters, the PIC in
 question is IQ2.
 
 any help is very good.
 thanks
 Nick Kritsky

Re: [j-nsp] RE-600 SOLID STATE DRIVE NOT RECOGNIZED

2011-08-26 Thread Jonas Frey (Probe Networks)
In general every SSD (MLC/SLC) should work. Just need to make sure that
you either get a PATA or SATA one (depending on your type of RE) and
that it's 2,5 form factor.

If it doesn't work, it's in 99% of all cases the jumper for
master/slave/cable select.
Just try a different setting... you can't damage anything... either it
works or not.

Jonas

On Friday, 26.08.2011, at 01:39 -0400, Jeff Wheeler wrote:
 On Thu, Aug 25, 2011 at 3:00 PM, Mario Andres Rueda Jaimes
 maeve2...@gmail.com wrote:
  I'm trying to install a 8GB SSD in a RE-600 with compact flash of 2G but
 
  Anybody has performed this before or has suggestions ?
 
 We use this model drive, a 16GB with old-style parallel IDE connector:
 http://www.amazon.com/gp/product/B000T9S52W/ref=oss_product
 



Re: [j-nsp] 32-Bit JunOS on the 64-Bit Routing Engines

2011-08-25 Thread Jonas Frey (Probe Networks)
That's not completely accurate, for example the Intel Atom D525 does run
64bit code.


 There are plenty of machines that do. Virtually every Intel system since
 the Pentium Pro (except the Atom) has the hardware if not the BIOS
 support for doing so; that's not germane to the question of whether it's
 feasible/useful in an embedded system. In particular, in a system (like
 for example a firewall) where kernel data structures may represent the
 overwhelming source of memory utilization, the PAE performance hit may
 trivially overwhelm the value of any memory that can otherwise be freed
 up for userspace.
 
 64bitness has been the preferred approach for Intel based servers since
 about 2003, but the embedded lifecycle runs on its own timeline.



[j-nsp] MX: bridge-domains and l2circuit

2011-08-18 Thread Jonas Frey (Probe Networks)
Hello all,

I am trying to build an l2circuit on an MX. The problem is that the VLAN
that needs to be included in the l2circuit comes via xe-1/0/0, which is
configured in bridge mode:

unit 0 {
    family bridge {
        interface-mode trunk;
        vlan-id-list [ 20 30 40 ];
    }
}

I need to build this l2circuit with VLAN 20.

However, when configuring the l2circuit I do not have an interface to use,
as the bridge doesn't create any subinterface for the VLAN.

neighbor xxx {
    interface ??? {
        virtual-circuit-id 20;
    }
}

I can't configure any subinterface on xe-1/0/0 (like unit 1) because
bridge mode prohibits that.

How can I get this to work?

Best regards,
Jonas



Re: [j-nsp] MX: bridge-domains and l2circuit

2011-08-18 Thread Jonas Frey (Probe Networks)
Hi Chris,

that does not work...

edge# show interfaces xe-1/0/0
vlan-tagging;
encapsulation flexible-ethernet-services;
unit 0 {
    family bridge {
        interface-mode trunk;
        vlan-id-list [ 20 30 40 ];
    }
}
unit 1 {
    encapsulation vlan-ccc;
    vlan-id 20;
}

If I do a commit now, it fails as VLAN 20 is already used for the
bridge on unit 0. If I remove VLAN 20 from unit 0, then the VLAN is
no longer a member of the bridge (show bridge domain). But I need it to be
a member of that bridge since that VLAN goes out on other ports to local
switches.


edge# show bridge-domains testbridge
domain-type bridge;
vlan-id 20;

What I need to do is to get VLAN 20 working locally on the bridge
(various ports) as well as getting it connected to a somewhat pseudo
interface to attach it as an l2circuit.

-- 
Best regards,
Jonas Frey




On Thursday, 18.08.2011, at 16:22 +1000, Chris Kawchuk wrote:
 You'll need to declare your xe- port with flexible-ethernet-services, so you 
 can do per-unit encapsulations.
 
 interfaces {
 xe-1/0/0 {
 vlan-tagging;
 encapsulation flexible-ethernet-services;
 unit 20 {
 encapsulation vlan-ccc;
 vlan-id 20;
 }
 unit 100 {
 encapsulation vlan-bridge;
 vlan-id 100;
 }
 }
 }
 
 neighbor xxx {
interface xe-1/0/0.20 {
virtual-circuit-id 20;
...
...
 }
 }
 
 
 
 On 2011-08-18, at 4:03 PM, Jonas Frey (Probe Networks) wrote:
 
  Hello all,
  
  i am trying to build a l2circuit on a MX. The problem is that the vlan
  that needs to be included in the l2circuit comes via xe-1/0/0 which is
  configured in bridge mode:
  unit 0 {
 family bridge {
 interface-mode trunk;
 vlan-id-list [ 20 30 40 ];
 }
  
  I need to build this l2circuit with vlan 20.
  
  However when configuring the l2circuit i do not have a interface to use
  as the bridge doesnt create any subinterface for the vlan.
  
  neighbor xxx {
 interface ??? {
 virtual-circuit-id 20;
  
  
  I cant configure any subinterface on xe-1/0/0 (like unit 1) because
  bridge mode prohibits that. 
  
  How can i get this to work?
  
  Best regards,
  Jonas

Re: [j-nsp] MX: bridge-domains and l2circuit

2011-08-18 Thread Jonas Frey (Probe Networks)
Thanks to all who replied, I got this working the way Chris described
(via lt tunnels).

I also tried the new iw0 interfaces as per Juniper documentation but it
didn't work. Bridge-domains won't let me add an iw0.x interface to the
bridge and I was unable to find any more information on how to correctly
configure this (probably because it's pretty new).

Best regards,
Jonas 

On Thursday, 18.08.2011, at 07:37 -0500, OBrien, Will wrote:
 To implement tagged interfaces with bridge domains, I use irb interfaces. 
 This is directly from my production box with a little scrubbing.
 
 xe-0/0/0 {
 description blah uplink;
 per-unit-scheduler;
 flexible-vlan-tagging;
 encapsulation flexible-ethernet-services;
 unit 200 {
 encapsulation vlan-bridge;
 vlan-id 200;
 }
 unit 201 {
 encapsulation vlan-bridge;
 vlan-id 201;
 }
 }
 
 irb {
 unit 200 {
 family inet {
 inactive: filter {
 input I2Inbound;
 output I2Outbound;
 }
 service {
 input {
 service-set i2-napt service-filter i2-nat-in;
 }
 output {
 service-set i2-napt service-filter i2-nat-out;
 }
 }
 address x.x.x.x/30;
 }
 }
 unit 201 {
 family inet {
 filter {
 input PolicerIn;
 output PolicerOut;
 }
 service {
 input {
 service-set i1-napt service-filter i1-nat-in;
 }
 output {
 service-set i1-napt service-filter i1-nat-out;
 }
 }
 address x.x.x.x/30;
 }
 }
 }
 
 show configuration bridge-domains 
 
 vlan-200 {
 domain-type bridge;
 vlan-id 200;
 interface xe-0/0/0.200;
 routing-interface irb.200;
 }
 vlan-201 {
 domain-type bridge;
 vlan-id 201;
 interface xe-0/0/0.201;
 routing-interface irb.201;
 }
 
 
 
 On Aug 18, 2011, at 1:54 AM, Chris Kawchuk wrote:
 
  Ahh, slightly different issue then.
  
  First off, once you use that flexible-ethernet-services, you should be 
  declaring each vlan separately and manually add them into the bridge-domain 
  config (i.e. bridge-domain VLAN20 interface xe-1/0/0.x). Anyways, that's 
  not what we're attempting to do here. =)
  
  What you're looking for is to stitch an l2circuit into a bridge-domain (not 
  pick off a VLAN off an interface and turn that into a CCC/L2circuit - 
  different solution). Perhaps a logical-tunnel here may help. (i.e. 
  lt-x/x/x.x interface). I have stitched l2circuits/ccc's into VPLS domains 
  before; I assume the same theory holds true.
  
  Have a look at using the tunnel-services on your MX DPC card. Apologies in 
  advance as I'm writing this in pseudo-code from memory (i.e. un-tested, 
  more of a general idea as to a direction to explore):
  
  chassis {
 fpc 1 {
 pic 3 {
 tunnel-services {
 bandwidth 1g;
 }
 }
 }
  }
  
  interfaces {
 lt-1/3/10 {
 unit 1 {
 encapsulation vlan-ccc;
 peer-unit 2;
 }
 unit 2 {
 encapsulation vlan-bridge;
 peer-unit 1;
 }
  }
  
  bridge-domains {
 VL20 {
 domain-type bridge;
 vlan-id 20;
 interface lt-1/3/10.2;
 .other access interfaces go here;
 }
  }
  
  neighbor xxx {
   interface lt-1/3/10.1 {
   virtual-circuit-id 20;
   ...
   ...
}
  }
  
  - Chris.
  
  
  On 2011-08-18, at 4:37 PM, Jonas Frey (Probe Networks) wrote:
  
  Hi Chris,
  
  that does not work...
  
  edge# show interfaces xe-1/0/0 
  vlan-tagging;
  encapsulation flexible-ethernet-services;
  unit 0 {
family bridge {
interface-mode trunk;
vlan-id-list [ 20 30 40 ];
}
  }
  unit 1 {
encapsulation vlan-ccc;
vlan-id 20;
  }
  
  If i do commit now, this fails as the vlan 20 is already used for the
  bridge on unit 0. If i remove the vlan 20 from unit 0 then the vlan is
  no longer member of the bridge (show bridge domain). But i need it to be
  member of that bridge since that vlan goes out on other ports to local
  switches.
  
  
  edge# show bridge-domains testbridge  
  domain-type bridge;
  vlan-id 20;
  
  What i need to do is to get the VLAN 20 working locally on the bridge
  (various ports) as well as getting it connected to a somewhat pseudo
  interface to attached it as a l2circuit.
  
  -- 
  Best regards,
  Jonas Frey
  
  

[j-nsp] Juniper blanks/covers

2011-08-18 Thread Jonas Frey (Probe Networks)
Hello all,

I am looking for 2x PWR-BLANK-M10i-M7i (power blank for M7i/M10i), maybe
someone has these unused on his desk. Just wanted to ask before spending
$65/ea for a small piece of metal.
I am also looking for rackmounts for the M10i... as per the global price list
this part is not listed... and I wonder how to get them.

I do have a couple of blanks here, so if anyone needs any of the
following, shoot me a mail; I am willing to give them away.

FPC-BLANK-T320
DPC-SCB-BLANK (MX DPC/SCB blank)
RE-BLANK-M20
PWR-BLANK-M10-M5
SSB-BLANK-M20
FPC-BLANK (M20)
PE-BLANK (M7/M10i pic blank)

Best regards,
Jonas



Re: [j-nsp] Arbor Peakflow with MX960

2011-08-18 Thread Jonas Frey (Probe Networks)
Whoops,
forgot something. Input also changed and should now be:


sampling {
    input {
        rate 100;
    }
}

(no longer using family...)


On Friday, 19.08.2011, at 00:51 +0200, Jonas Frey (Probe Networks) wrote:
 Matt,
 
 yes the config changed in JunOS 10.x.
 
 See below:
 
 --- OLD ---
 sampling {
 input {
 family inet {
 rate 100;
 }
 }
 output { 
 flow-server A.B.C.D {
 port 2055;
 version 5;
 }
 }
 
 --- NEW ---
 
 sampling {
 input {
 family inet {
 rate 100;
 }
 }
   family inet {
 output {
 flow-server A.B.C.D {
 port 2055;
 version 5;
 }
 }
 }
 
 
 They changed the family thing, you now have to define the type of
 address family you want to sample (this way you can also separate v4/v6
 sampling).
 
 
 
 Best regards,
 Jonas
 
 
 On Thursday, 18.08.2011, at 15:33 -0700, Matt Hite wrote:
  Thanks to Jeff Richmond and Jonas Frey who were kind enough to provide
  guidance both on and off-list.
  
  This is what I ended up with:
  
  [edit interfaces xe-0/0/0 unit 0 family inet filter]
  +   input-list [ sample-cflow accept-da accept-bgp accept-icmp
  discard-all ];
  [edit forwarding-options]
  +   sampling {
  +   input {
  +   family inet {
  +   rate 500;
  +   run-length 0;
  +   max-packets-per-second 65535;
  +   }
  +   }
  +   output {
  +   flow-server 172.20.1.80 {
  +   port 5000;
  +   version 5;
  +   }
  +   }
  +   }
  [edit firewall]
  +family inet {
  +filter sample-cflow {
  +term 1 {
  +then sample;
  +}
  +}
  +}
  
  What is interesting is that the config parser tells me the output
  stanza is deprecated.
  
  input {
  family inet {
  rate 500;
  run-length 0;
  max-packets-per-second 65535;
  }
  }
  output { ## Warning: 'output' is deprecated
  flow-server 172.20.1.80 {
  port 5000;
  version 5;
  }
  }
  
  Anyone know the new, non-deprecated way?
  
  -M
  
  On Thu, Aug 18, 2011 at 12:43 PM, Matt Hite li...@beatmixed.com wrote:
   Hello --
  
   I've recently deployed some MX960 (Treo) and now need to get their
   flow data in Arbor Peakflow SP. Unfortunately the instructions in the
   Arbor manual appear to be very long in the tooth and a bit confusing.
   Specifically, the integration directions are for a JunOS version
   5.5B1.3 on a Juniper M5 Router. Now I'm sure there is carry over that
   is relevant still, I just want to make sure I'm going down the right
   path. Apologies for the rudimentary questions here. My previous
   experience was sflow only...
  
   They mention using set forwarding-options family inet filter input
   filter name as the easiest way to apply a filter to all packets
   received by the system.
  
   They then suggest a filter like this:
  
   admin@m5# set firewall filter cflowd term sampled_packets from
   source-address 0.0.0.0/0
   admin@m5# set firewall filter cflowd term sampled_packets then accept
   admin@m5# set firewall filter cflowd term other then accept
  
   To make things a bit confusing, they also say to enable it on an 
   interface:
  
   set interfaces e3/4/1 unit 0 family inet filter input cflowd
  
   I'm guessing you would do it on the interface or do it globally with
   the set forwarding-options family inet filter input filter name
   command? Confused a bit by this...
  
   Also, since I have other filters on the input side of my interfaces, I
   presume I'd remove that last term other from their example. Although
   I'm a bit concerned that dropping that on the input filter for the
   interface will act as a terminating action in the evaluation of
   packets flowing through the interface, and it won't continue on with
   my other terms.
  
   I also see some mention in the Juniper CLI manual about how to do it
   if you have a Monitoring Services PIC:
  
   http://jnpr.net/techpubs/software/junos/junos90/swconfig-policy/configuring-flow-monitoring.html
  
   Also, Arbor provides some instructions on configuring version 9 cflow,
   too, although I don't think that's actually what I need to do.
  
   Does anyone have a similar setup who might be willing to help me out
   with an annotated example? It would be very much appreciated.
  
   Thanks,
  
   -M
  

Re: [j-nsp] Arbor Peakflow with MX960

2011-08-18 Thread Jonas Frey (Probe Networks)
Yes, basically switched the definitions. But it makes more sense... don't
need to specify the input family as you already do that by applying the
filter on the interface you want to sample, which then carries
v4/v6/whatever.

So it's only needed for output, as you can then split your flows to
various capture devices (i.e. if you have one for v4 and one for v6).

Best Regards,
Jonas

On Thursday, 18.08.2011, at 16:08 -0700, Matt Hite wrote:
 Bizarre. So you define the family type you want to sample by
 specifying it as the family type on the output stanza? (Seems
 backwards?)
 
 On Thu, Aug 18, 2011 at 3:51 PM, Jonas Frey (Probe Networks)
 j...@probe-networks.de wrote:
  Matt,
 
  yes the config changed in JunOS 10.x.
 
  See below:
 
  --- OLD ---
  sampling {
 input {
 family inet {
 rate 100;
 }
 }
 output {
 flow-server A.B.C.D {
 port 2055;
 version 5;
 }
 }
 
  --- NEW ---
 
  sampling {
 input {
 family inet {
 rate 100;
 }
 }
   family inet {
 output {
 flow-server A.B.C.D {
 port 2055;
 version 5;
 }
 }
  }
 
 
  They changed the family thing, you now have to define the type of
  address family you want to sample (this way you can also separate v4/v6
  sampling).
 
 
 
  Best regards,
  Jonas
 
 
  On Thursday, 18.08.2011, at 15:33 -0700, Matt Hite wrote:
  Thanks to Jeff Richmond and Jonas Frey who were kind enough to provide
  guidance both on and off-list.
 
  This is what I ended up with:
 
  [edit interfaces xe-0/0/0 unit 0 family inet filter]
  +   input-list [ sample-cflow accept-da accept-bgp accept-icmp
  discard-all ];
  [edit forwarding-options]
  +   sampling {
  +   input {
  +   family inet {
  +   rate 500;
  +   run-length 0;
  +   max-packets-per-second 65535;
  +   }
  +   }
  +   output {
  +   flow-server 172.20.1.80 {
  +   port 5000;
  +   version 5;
  +   }
  +   }
  +   }
  [edit firewall]
  +family inet {
  +filter sample-cflow {
  +term 1 {
  +then sample;
  +}
  +}
  +}
 
  What is interesting is that the config parser tells me the output
  stanza is deprecated.
 
  input {
  family inet {
  rate 500;
  run-length 0;
  max-packets-per-second 65535;
  }
  }
  output { ## Warning: 'output' is deprecated
  flow-server 172.20.1.80 {
  port 5000;
  version 5;
  }
  }
 
  Anyone know the new, non-deprecated way?
 
  -M
 
  On Thu, Aug 18, 2011 at 12:43 PM, Matt Hite li...@beatmixed.com wrote:
   Hello --
  
   I've recently deployed some MX960 (Treo) and now need to get their
   flow data in Arbor Peakflow SP. Unfortunately the instructions in the
   Arbor manual appear to be very long in the tooth and a bit confusing.
   Specifically, the integration directions are for a JunOS version
   5.5B1.3 on a Juniper M5 Router. Now I'm sure there is carry over that
   is relevant still, I just want to make sure I'm going down the right
   path. Apologies for the rudimentary questions here. My previous
   experience was sflow only...
  
   They mention using set forwarding-options family inet filter input
   filter name as the easiest way to apply a filter to all packets
   received by the system.
  
   They then suggest a filter like this:
  
   admin@m5# set firewall filter cflowd term sampled_packets from
   source-address 0.0.0.0/0
   admin@m5# set firewall filter cflowd term sampled_packets then accept
   admin@m5# set firewall filter cflowd term other then accept
  
   To make things a bit confusing, they also say to enable it on an 
   interface:
  
   set interfaces e3/4/1 unit 0 family inet filter input cflowd
  
   I'm guessing you would do it on the interface or do it globally with
   the set forwarding-options family inet filter input filter name
   command? Confused a bit by this...
  
   Also, since I have other filters on the input side of my interfaces, I
   presume I'd remove that last term other from their example. Although
   I'm a bit concerned that dropping that on the input filter for the
   interface will act as a terminating action in the evaluation of
   packets flowing through the interface, and it won't continue on with
   my other terms.
  
   I also see some mention in the Juniper CLI manual about how to do it
   if you have a Monitoring Services PIC:
  
   http://jnpr.net/techpubs/software/junos/junos90/swconfig-policy/configuring-flow-monitoring.html
  
   Also, Arbor provides some instructions on configuring version 9 cflow,
   too, although I don't think that's actually what I need to do.
  
   Does anyone have a similar setup who might be willing to help me out
   with an annotated example? It would be very much appreciated

Re: [j-nsp] M20 SSB E Memory seller required

2011-08-10 Thread Jonas Frey (Probe Networks)
You will need the 128MB DRAM upgrade if you have lots of routes as well
as a couple of thousand ARP entries. This will fill the memory on the
SSB-E very fast and once you hit the 64MB limit the router will do weird
things (e.g. several IP addresses no longer reachable, routes not being
installed etc). Some time ago I had posted regarding this on the
list... if you are interested just search the archive.
We do still run some M20s and we upgraded all of them to 128MB (except
those running SSB-E-16 of course). However their days are counted.


Best regards,
Jonas


On Wednesday, 10.08.2011, at 11:03 -0700, Chris Cappuccio wrote:
 You can upgrade SSB-E to 128MB with 
 http://www.oempcworld.com/Merchant2/merchant.mvc?Screen=PRODProduct_Code=64M-EDO-DIMM-ECC
  (as per juniper.cluepon.net)
 
 The SSB-E-16 has 256MB of RAM by default...
 
 I'm not sure if upgrading the DRAM does anything useful or not as Juniper 
 never intended for the SSB-E to have anything other than 64MB DRAM.
 
 The 8MB of SRAM on the SSB-E limits it to 550k active routes (l3, l2) so the 
 SSB-E-16 may be a more useful upgrade than 128MB of DRAM.
 
 (Of course if I installed an M20 with an SSB-E, i'd put 128MB of DRAM in it 
 just on principle)
 
 Martin T [m4rtn...@gmail.com] wrote:
  I have one M20 SSB-E(710-001951) which uses SMS SM57208809WDTX6 64MB
  SDRAM DIMM. It uses Samsung K4E6408120-TL50 memory chips. Maybe this
  information helps if you should accidentally find a SM57208809WDTX6
  from second-hand market.
  
  
  regards,
  martin
  
  
  2011/8/10 Juan C. Crespo R. jcre...@ifxnw.com.ve:
   Guys
  
   Could anyone of you suggest to me where I can find memory modules for
   SSB-E?
  
   Thanks
  
   JC
  

[j-nsp] Juniper MX SCBE-MX-R

2011-08-10 Thread Jonas Frey (Probe Networks)
Hello,

I see that there now is a new enhanced SCB for MX series which is
SCBE-MX-R. However I haven't been able to find any information on this
regarding enhancements/features. Does anyone have any details?

Best regards,
Jonas



Re: [j-nsp] RE-850 memory/ram refurb

2011-05-04 Thread Jonas Frey (Probe Networks)
I am pretty sure that it's PC133/ECC SD-RAM but you can just grab the
part number off the memory that's installed and look it up. Most likely
it's SMART memory (which is hard to find and also very expensive). Normal
PC133/ECC SD-RAM is fine and works great on RE3/5.

I don't see any reason why you would replace the harddisk with another
harddisk. Just go for an SSD and you'll most likely never ever have to
worry about it again. See:
http://juniper.cluepon.net/Replacing_the_harddisk_with_solid_state_flash

Jonas


On Tuesday, 03.05.2011, at 13:23 -0700, Will Orton wrote:
 I have several RE-850-1536's that are starting to show ECC errors and HD 
 failures. I replaced the 
 CF cards a couple years ago but I suppose it's time for more parts to die 
 now. (These are 
 gray-market/non-support contracted).
 
 For the drives I'm guessing Hitachi HTE541040G9AT00  might be a good fit:
 http://www.hitachigst.com/tech/techlib.nsf/techdocs/58B76A9EC8766D3B86256F0900747A03/$file/E5K100_DS.pdf
 
 The drives I seem to be pulling out of the RE's are Hitachi HTS, not the 
 enhanced availability 
 version, though I have no idea if they're the original Juniper supplied or if 
 the previous owner 
 messed with them too.
 
 The memory is proving to be a little harder to find. Are they just regular 
 PC133/ECC/CL3, maybe 
 similar to what works in RE-3.0? Seems that info on this particular RE is hard 
 to find, maybe not 
 enough of them have started dying yet... 
 
 -Will

Re: [j-nsp] mitigating dos attack on Juniper M10i

2011-04-05 Thread Jonas Frey (Probe Networks)
Hello,

the question is: What do you want to do?

a) Filter the attacked IP (your IP) by your ISP in terms of blackhole
community. Does your ISP offer this?
If they do, you need to announce this single IP address (/32) to them with
their community set.

b) You can filter the attack on the interfaces it's coming in on, but the
traffic will still enter your interface and you might get charged for
it.

c) You can just route the IP being attacked to discard, which is useful
if you have multiple interfaces where the attack is incoming.

Regards,
Jonas Frey


On Tuesday, 05.04.2011, at 13:00 +, kwarteng wrote:
 Hello all,
 
 I am having a dos attack from one of my Transit providers.
 I already have a bogon filter on the router.
 I have also tried a blackhole with a bgp community.
 The attack still seem to be on.
 
 My config below:
 
 
 protocols {
 bgp {
 group  {
 type external;
 remove-private;
 peer-as xxx;
 neighbor a.b.c.d {
 description eBGP with xxx;
 import block_dos_attack;
 export [ prefixes_out block_dos_attack ];
 }
 }
 
 
 policy-statement block_dos_attack {
 term dos_community {
 from community dos_origin;
 then {
 community set dos_origin;
 accept;
 }
 }
 term default {
 then accept;
 }
 }
 
 
 
 community dos_origin members 64999:0;
 }
 
 
 ===
 ===
 
 firewall {
 filter BLOCK-FROM-INTERNET {
 term block-bogon-prefix {
 from {
 source-address {
 0.0.0.0/8;
 10.0.0.0/8;
 127.0.0.0/8;
 169.254.0.0/16;
 128.0.0.0/24;
 172.16.0.0/12;
 191.255.0.0/16;
 192.0.0.0/24;
 192.0.2.0/24;
 192.168.0.0/16;
 223.255.255.0/24;
 224.0.0.0/4;
 240.0.0.0/5;
 248.0.0.0/5;
 255.255.255.255/32;
 }
 }
 then {
 count bogon-prefix;
 log;
 discard;
 }
 }
 term block-anti-spoofing {
 from {
 source-address {
 a.b.0.0/19;
 }
 }
 then {
 log;
 discard;
 }
 }
 term block-spam-to-mail {
 from {
 source-address {
 96.230.130.132/32;
 83.243.37.42/32;
 70.154.241.84/32;
 194.9.124.125/32;
 82.128.87.27/32;
 41.26.120.244/32;
 64.184.250.236/32;
 75.127.159.98/32;
 }
 destination-address {
 a.b.0.d/32;
 }
 }
 then {
 count block-spam;
 log;
 syslog;
 discard;
 }
 }
 term DEFAULT {
 then accept;
 }
 }
 
 
 
 Any help please
 
 Emmanuel
 
 
 
 
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
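
Options a) and c) from the reply above, written out as one Junos configuration. This is an added example, not configuration posted in the thread: 192.0.2.10 stands in for the attacked address, the group name transit and the policy name blackhole_out are hypothetical, and 64999:0 is the community value from the quoted config, to be replaced by whatever blackhole community the ISP documents.

```junos
routing-options {
    static {
        /* Option c): anything destined to the victim /32 that still
           reaches this router, on any interface, is dropped here. */
        route 192.0.2.10/32 {
            discard;
            /* Tag the route so the export policy below can select it.
               64999:0 is the value from the quoted config (assumption:
               the ISP's real blackhole community will differ). */
            community 64999:0;
        }
    }
}
policy-options {
    community dos_origin members 64999:0;
    policy-statement blackhole_out {
        /* Option a): announce only tagged static host routes, so an
           untagged static or a shorter prefix can never be blackholed
           by accident. */
        term victim_host_routes {
            from {
                protocol static;
                community dos_origin;
                route-filter 0.0.0.0/0 prefix-length-range /32-/32;
            }
            then accept;
        }
        /* No catch-all term: routes that do not match fall through to
           the next policy in the export chain (prefixes_out). */
    }
}
protocols {
    bgp {
        /* "transit" is a hypothetical group name; a.b.c.d is the
           thread's own placeholder for the ISP neighbor. */
        group transit {
            neighbor a.b.c.d {
                /* blackhole_out goes first so the /32 is accepted before
                   prefixes_out can reject it as too specific. */
                export [ blackhole_out prefixes_out ];
            }
        }
    }
}
```

After commit, `show route advertising-protocol bgp a.b.c.d 192.0.2.10/32 detail` should list the /32 with the community attached. The ISP drops the traffic only if it accepts /32 announcements carrying that community from this session.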

Re: [j-nsp] mitigating dos attack on Juniper M10i

2011-04-05 Thread Jonas Frey (Probe Networks)
You don't really need netflow to find the host attacking if it's a simple
attack.

Do this:

jonas@ffm3-edge# show firewall filter attack
term attack {
    then {
        log;
        accept;
    }
}


and then apply to your interface:

unit 0 {
    family inet {
        filter {
            input attack;
        }
    }
}

then you can view the current flows by using:

run show firewall log

If you have other filters, make sure you do not have an accept all
with them, otherwise the attack filter will never see any packets.

Regards,
Jonas





On Tuesday, 05.04.2011, at 21:32 +, kwarteng wrote:
 Hello all,
 
 I have set up a Net flow analyzer to be able to identify the IP being
 attacked or the attacking IP.
 I however don't seem to have it populated. Even the file on juniper box
 doesn't show anything
 What am I doing wrong please?
 
 
 ===
 run show log /var/tmp/ddos-debug.log
 # Apr  5 16:57:04
 #Time  Dest  Src   Dest  Src   Proto  TOS  Pkt  Intf  IP    TCP
 #      addr  addr  port  port              len  num   frag  flags
 
 ===
 
 CONFIG
 ===
 
 show forwarding-options
 sampling {
 input {
 rate 100;
 }
 output { ## Warning: 'output' is deprecated
 file filename ddos-debug.log;
 flow-server a.b.c.d {
 port 9996;
 }
 }
 }
 
 
 show firewall filter all
 term all {
 then {
 sample;
 accept;
 }
 }
 
 
 
 show interfaces so-0/1/0
 keepalives interval 10;
 clocking external;
 encapsulation cisco-hdlc;
 framing {
 sdh;
 }
 sonet-options {
 fcs 32;
 }
 unit 0 {
 family inet {
 accounting {
 source-class-usage {
 input;
 output;
 }
 destination-class-usage;
 }
 rpf-check;
 filter {
 input-list [ SAMPLER BLOCK-FROM-INTERNET all ];
 output all;
 }
 sampling {
 input;
 }
 address e.f.g.h/30;
 }
 }
 
 
 
 
 
 -Original Message-
 From: OBrien, Will [mailto:obri...@missouri.edu] 
 Sent: Tuesday, April 05, 2011 2:24 PM
 To: kwarteng
 Cc: Jonas Frey (Probe Networks); juniper-nsp@puck.nether.net
 Subject: Re: [j-nsp] mitigating dos attack on Juniper M10i
 
 It depends on just how bad the attack is.
 If you can't identify the major sources with something like netflow/cflow,
 you might be able to identify the target. I suggest popping the policer on
 your customers one by one and take note of whose inbound traffic spikes the
 most.
 
 Alternatively, if it's saturating your link, you could temporarily stop
 advertising routes on a per customer basis and look for a significant drop
 in inbound traffic. (This assumes that they have significantly different
 netblocks)
 
 Unfortunately, a well planned ddos attack can often target multiple end
 users, making it more difficult to nail down. 
 On Apr 5, 2011, at 9:07 AM, kwarteng wrote:
 
  Hello,
  
  The issue is the incoming traffic on my interface has all of a sudden
 increased by about 100M.
  
  Input rate : 117310032 bps (11356 pps)
   Output rate: 2590056 bps (1863 pps)
  
  I cannot source this huge traffic from anywhere on my network.
  I can't figure out my customers IPs which originate this traffic because
 the traffic gets cut off on my policy enforcer.
  My Transit provider says I can implement this community 64999:0 on my
 prefixes to help mitigate this DOS.
  
  I do not want the traffic to enter my interface at all but dropped at my
 Transit providers end.
  
  So far I have not been able to figure out which IP in my network is being
 attacked. I tried the accounting, but the show commands to go through.
  
  I just want to stop this DOS attack so that my uplink can be used by my
 customers.
  
  Any help please
  
  Emmanuel
  
  
  
  -Original Message-
  From: Jonas Frey (Probe Networks) [mailto:j...@probe-networks.de] 
  Sent: Tuesday, April 05, 2011 1:36 PM
  To: kwarteng
  Cc: juniper-nsp@puck.nether.net
  Subject: Re: [j-nsp] mitigating dos attack on Juniper M10i
  
  Hello,
  
  the question is: What do you want to do?
  
  a) Filter the attacked IP (your IP) by your ISP in terms of blackhole
 community. Does your ISP offer this?
  If they do you need to announce them this single IP address (/32) with
 their community set.
  
  b) You can filter the attack on the interfaces it's coming in but the
 traffic will still enter your interface and you might get charged for it.
  
  c) You can just route the IP being attacked to discard which is useful
 if you have multiple interfaces where the attack is incoming.
  
  Regards,
  Jonas Frey
  
  
  On Tuesday, 05.04.2011, at 13:00 +, kwarteng wrote:
  Hello all,
  
  I am having a dos attack from one of my Transit providers.
  I already have a bogon filter on the router.
  I have also tried a blackhole with a bgp community.
  The attack still seem
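
Added example (not part of the thread): one way to turn the `run show firewall log` output suggested above into a ranking of destinations and sources, so the attacked IP stands out. The sample lines are constructed, the addresses are documentation ranges, and the seven-column layout (Time, Filter, Action, Interface, Protocol, Src Addr, Dest Addr) is assumed to be the brief log format.

```python
import ipaddress
import re
from collections import Counter, namedtuple

# Constructed sample in the brief `show firewall log` column layout.
# Addresses are RFC 5737 documentation ranges, not values from the thread.
SAMPLE_LOG = """\
Log :
Time      Filter    Action Interface     Protocol Src Addr         Dest Addr
13:58:01  pfe       A      so-0/1/0.0    UDP      198.51.100.7     192.0.2.10
13:58:01  pfe       A      so-0/1/0.0    UDP      198.51.100.7     192.0.2.10
13:58:01  pfe       A      so-0/1/0.0    UDP      203.0.113.45     192.0.2.10
13:58:01  pfe       A      so-0/1/0.0    TCP      203.0.113.9      192.0.2.20
13:58:02  pfe       A      so-0/1/0.0    UDP      198.51.100.7     192.0.2.10
13:58:02  pfe       A      so-0/1/0.0    UDP      203.0.113.45     192.0.2.10
13:58:02  pfe       A      so-0/1/0.0    ICMP     203.0.113.80     192.0.2.30
13:58:02  pfe       A      so-0/1/0.0    UDP      198.51.100.23    192.0.2.10
13:58:03  pfe       A      so-0/1/0.0    UDP      198.51.100.7
"""

Entry = namedtuple("Entry", "time filter action interface protocol src dst")
TIME_RE = re.compile(r"^\d{2}:\d{2}:\d{2}$")


def is_ip(text):
    """True if text parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_firewall_log(text):
    """Return one Entry per well-formed log row; headers and cut-off rows are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or not TIME_RE.match(fields[0]):
            continue
        if not (is_ip(fields[5]) and is_ip(fields[6])):
            continue
        entries.append(Entry(*fields))
    return entries


def top_talkers(entries, n=3):
    """Count logged packets per destination, per source and per flow."""
    return {
        "destinations": Counter(e.dst for e in entries).most_common(n),
        "sources": Counter(e.src for e in entries).most_common(n),
        "flows": Counter((e.protocol, e.src, e.dst) for e in entries).most_common(n),
    }


def likely_target(entries, min_share=0.5):
    """Return (dst, share) if one destination receives at least min_share of
    the logged packets, else None (the attack is spread over several hosts)."""
    if not entries:
        return None
    dst, hits = Counter(e.dst for e in entries).most_common(1)[0]
    share = hits / len(entries)
    return (dst, share) if share >= min_share else None


if __name__ == "__main__":
    rows = parse_firewall_log(SAMPLE_LOG)
    print("parsed rows:", len(rows))
    for name, ranking in top_talkers(rows).items():
        print(name, ranking)
    print("likely target:", likely_target(rows))
```

The counts are logged packets, not bytes, so they rank hosts rather than measure bandwidth.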

Re: [j-nsp] re-600 RAM

2011-03-25 Thread Jonas Frey (Probe Networks)
Chris,

http://juniper.cluepon.net/Route_Engine_DRAM_Compatibility

RE-3 aka RE-600

It's SD-RAM, PC100 or PC133 (will run as PC100), ECC.

Registered ram will not work. Also you need to get low profile ram
otherwise it won't fit. 

Regards,
Jonas


On Thursday, 24.03.2011, at 16:14 -0700, Chris Cappuccio wrote:
 What kind of RAM does the RE-600 take?
 
 I assume DDR PC100 ECC or PC133 ECC? Registered or unregistered?
 



Re: [j-nsp] P-1GE -B ethernet

2011-03-17 Thread Jonas Frey (Probe Networks)
They are necessary for termination of (vlan)-ccc circuits. 
So if you just want to have mpls between two routers the non-B is fine.
It's just needed for ccc termination on endpoints.


Regards,
Jonas

On Thursday, 17.03.2011, at 08:43 -0700, Chris Cappuccio wrote:
 P-1GE-xx-B are necessary for ethernet-ccc services... I have a few -B and 
 many non -B.  So
 
 Are the -B cards important for the connections _between_ MPLS capable 
 routers, or on endpoints facing connections facilitated through ccc, or 
 _both_ ?
 



Re: [j-nsp] M20 / RE2 Full table

2011-03-02 Thread Jonas Frey (Probe Networks)
Patrik,

it's possible and works well. If you only have 1 full bgp feed i wouldn't
worry. If you have multiple the best thing is to upgrade to RE3.
Also keep in mind that you can easily max out the SSB-E if you haven't
upgraded it to 128MB or 256MB (SSB-E-16).

This is from a RE2/768:

Groups: 11 Peers: 320 Down peers: 3
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0           1252284     342914          0          0          0          0
inet6.0             9648       3385          0          0          0          0

Temperature                 27 degrees C / 80 degrees F
CPU temperature             30 degrees C / 86 degrees F
DRAM                        768 MB
Memory utilization          91 percent
CPU utilization:
  User                       0 percent
  Background                 0 percent
  Kernel                     7 percent
  Interrupt                  3 percent
  Idle                      89 percent
Model                       RE-2.0
Serial ID                   e2078c0e9c01
Start time                  2009-07-15 07:45:14 CEST
Uptime                      595 days, 3 hours, 59 minutes, 46 seconds

(yes i know it needs updating/upgrading...but it works well)

Regards,
Jonas



On Tuesday, 01.03.2011, at 11:30 -0500, Dan Spataro wrote:
 I know of one doing this.  I would not recommend it in a production 
 environment.
 
 
 DRAM   768 MB
 Memory utilization  95 percent
 CPU utilization:
 User   2 percent
 Background 2 percent
 Kernel 5 percent
 Interrupt  0 percent
 Idle  91 percent
 Model  RE-2.0
 
 
 
 
 -Original Message-
 From: juniper-nsp-boun...@puck.nether.net 
 [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Patrik Lagerman
 Sent: Tuesday, March 01, 2011 5:47 AM
 To: juniper-nsp@puck.nether.net
 Subject: [j-nsp] M20 / RE2 Full table
 
 Can I run a full BGP table on the M20 with a RE2 with 768MB memory?
 
 Full IPv4 and IPv6 table.
 
 /Patrik
 
 ___
 juniper-nsp mailing list juniper-nsp@puck.nether.net 
 https://puck.nether.net/mailman/listinfo/juniper-nsp
 
 ___
 juniper-nsp mailing list juniper-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/juniper-nsp



Re: [j-nsp] general guidelines for installing JUNOS to RE, where HDD and CF are blank

2011-02-20 Thread Jonas Frey (Probe Networks)
Martin,

yes, that's the ones we use. We also tested the 2GB version, works fine.

Regards,
Jonas


On Sunday, 20.02.2011, at 23:44 +0200, Martin T wrote:
 Pekka,
 by Extreme model did you mean this one: http://mcaf.ee/7f49a ?
 
 Jonas,
 did I understand correctly, that SDCFB-512-A10(http://mcaf.ee/9f345)
 and SDCFB-1024-A10(http://mcaf.ee/b2d7a) are both tested and suitable
 for JUNOS installation from CF using install image method? Any other
 CF cards, which are confirmed to work?
 
 regards,
 martin
 
 2011/2/14 Martin T m4rtn...@gmail.com:
  Ok, so for example those two should work for sure:
  SDCFB-512-A10(http://www.amazon.com/SanDisk-CompactFlash-SDCFB-512-A10-Retail-Package/dp/B6B9QF)
  and 
  SDCFB-1024-A10(http://www.amazon.com/SanDisk-SDCFB-1024-A10-Type-Retail-Package/dp/B6AE3K)?
  Any other CF cards, which are confirmed to work? The one I tried(with
  no luck so far), 1GB SiliconDrive CF(SiliconSystems, Inc. Now owned
  by Western Digital) SSD-C01G-3596, looks like this:
  http://img23.imageshack.us/img23/8923/jsdd.jpg
 
 
  regards,
  martin
 
  2011/2/11 Jonas Frey (Probe Networks) j...@probe-networks.de:
  Ohh...well there are so many models and part numbers of these i guess it's
  hard to test all of them. Maybe we should write down working part numbers
  on the cluepon wiki. The blue SanDisk ones are at least the same as
  juniper used time ago. After that they switched to simple tech and
  probably others (at least on T320/T640 RE-1600/RE-2000).
 
 
  On Friday, 11.02.2011, at 12:14 +0200, Pekka Savola wrote:
  On Fri, 11 Feb 2011, Jonas Frey (Probe Networks) wrote:
   I doubt the PCMCIA Adapter is the problem. I guess it's the CF... maybe
   it's too new. I know about several newer CF cards not working in RE2/3.
   Try to get a regular SanDisk 1GB+ CF. (not the Ultra/Extreme models).
   This should work.
 
  Thanks for providing the soapbox ;-).  Extreme model worked for us on
  RE3.0 fine, except that its performance is too good.  Juniper RE CPU
  gets overloaded when writing an image on it and it drops BGP sessions
  etc. This is not a bug according to JTAC. Be aware if you ever need to
  do CF flashing on live equipment :P
 
 
 



Re: [j-nsp] RE-333 upgrade

2011-02-14 Thread Jonas Frey (Probe Networks)
Hi,

RE-333 max is 768 MB. Yes it will be enough for a v4+v6 feed.
You should also consider upgrading your SBC memory. See
http://juniper.cluepon.net for unofficial upgrades.
Latest JunOS that will work is 9.2 due to non FPC-E.
You also need 1G CF for that within your RE-333 to work.

There once was a RE-600 for the M40 which is part number RE-M40-600-2048
but these are very hard to find. 

Regards,
Jonas

On Monday, 14.02.2011, at 15:47 -0600, Max Pierson wrote:
 Hi List,
 
 
 I have an old M40 (non-E) that I would like to upgrade as much as possible.
 I have RE-333's currently. Question is how much memory can this guy hold and
 will that be enough to take a full v4 + v6 table?? Also, what is the last
 version of Junos that can run on this kit after I max out the memory and CF
 on it?? And lastly, is the RE-333 the best that can go in this chassis??
 
 Looked on cluepon, but didn't find the answers, so sorry if this has been
 hashed 1000 times already. Might as well make it 1001 :)
 
 TIA,
 M
 ___
 juniper-nsp mailing list juniper-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/juniper-nsp



Re: [j-nsp] general guidelines for installing JUNOS to RE, where HDD and CF are blank

2011-02-11 Thread Jonas Frey (Probe Networks)
I doubt the PCMCIA Adapter is the problem. I guess it's the CF... maybe
it's too new. I know about several newer CF cards not working in RE2/3.
Try to get a regular SanDisk 1GB+ CF. (not the Ultra/Extreme models).
This should work.

Regards,
Jonas

On Friday, 11.02.2011, at 08:43 +, Martin T wrote:
 SSD-C01G-3596.



Re: [j-nsp] general guidelines for installing JUNOS to RE, where HDD and CF are blank

2011-02-11 Thread Jonas Frey (Probe Networks)
Ohh...well there are so many models and part numbers of these i guess it's
hard to test all of them. Maybe we should write down working part numbers
on the cluepon wiki. The blue SanDisk ones are at least the same as
juniper used time ago. After that they switched to simple tech and
probably others (at least on T320/T640 RE-1600/RE-2000).


On Friday, 11.02.2011, at 12:14 +0200, Pekka Savola wrote:
 On Fri, 11 Feb 2011, Jonas Frey (Probe Networks) wrote:
  I doubt the PCMCIA Adapter is the problem. I guess it's the CF... maybe
  it's too new. I know about several newer CF cards not working in RE2/3.
  Try to get a regular SanDisk 1GB+ CF. (not the Ultra/Extreme models).
  This should work.
 
 Thanks for providing the soapbox ;-).  Extreme model worked for us on 
 RE3.0 fine, except that its performance is too good.  Juniper RE CPU 
 gets overloaded when writing an image on it and it drops BGP sessions 
 etc. This is not a bug according to JTAC. Be aware if you ever need to 
 do CF flashing on live equipment :P
 



Re: [j-nsp] general guidelines for installing JUNOS to RE, where HDD and CF are blank

2011-02-10 Thread Jonas Frey (Probe Networks)
Martin,

yes that's the correct way to do it. Only the pc-card slot is able to
fully partition both CF and HDD using an install-media image and get you
a fresh and blank JunOS installed.
It will install on both CF and HDD and thus you will have a redundant
setup (when either CF or HDD fails). 

Regards,
Jonas


On Thursday, 10.02.2011, at 02:52 +0200, Martin T wrote:
 Chris, Alex:
 
 so one needs to download install-media-*, dd(1) this image(as I
 understand, it contains MBR and file-system with installation files)
 to CF and finally insert the CF to PC Card adapter in order to
 insert it into PC Card slot of RE-850? This will make default setup,
 where JUNOS is installed to CF(ad0), but /var is mounted to HDD(ad1)?
 In addition, how to make a redundant setup, where RE is able to boot
 from HDD and be fully functional if CF fails(I have CF as first boot
 device and HDD second one)?
 
 regards,
 martin
 
 2011/2/9 Ryu, Alex alex@windstream.com:
  You just need to copy installation media image to PCMCIA media, and use it 
  for installation.
  It will automatically format/partition/install JUNOS into RE during the 
  boot.
 
  Alex
 
 
  =
  Alex Ryu(Formerly known as Hyunseog Ryu)
  Engineer III / Data Engineering
  Windstream Communications
  (Formerly KDL, Inc. / Norlight, Inc.)
  13935 Bishops Drive
  Brookfield, WI 53005
  U.S.A.
  Email) alex@windstream.com  or alex@kdlinc.com
  Phone) +1-262-792-4993
  Fax) +1-812-206-4682
  =
 
  -Original Message-
  From: juniper-nsp-boun...@puck.nether.net 
  [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Martin T
  Sent: Wednesday, February 09, 2011 1:00 PM
  To: juniper-nsp@puck.nether.net
  Subject: [j-nsp] general guidelines for installing JUNOS to RE, where HDD 
  and CF are blank
 
  I have a RE-850 with Compact Flash and PATA 2.5 form factor HDD installed. 
  However, both of these are zero-filled. What are the general guidelines to 
  get JUNOS running on this RE?
 
  Boot order in BIOS is following:
 
  PCMCIA ATA Flash Card
  Compact Flash
  Primary IDE Hard Disk
  Ethernet
 
  As I have no PCMCIA ATA Flash Card in RE, I think it's smart to start 
  with CF. Are the required steps something like this:
 
  1) insert compact flash card(1GB) to laptop using CF-to-PC-Card adapter
 
  2) create MBR partition table like this(CF card is associated with 
  /dev/sdb):
 
  printf "0,1024,a5,*\n0,0\n0,0\n0,0\n;\n" | sfdisk -uM /dev/sdb
 
  ..it will make a partition in 1024MB size with system ID a5(FreeBSD) and 
  make it bootable. Other three primary partitions are not used. In other 
  words output should be something like this:
 
Device Boot  Start End  Blocks   Id  System
  /dev/sdb1   *   12030 1023088+  a5  FreeBSD
 
  3) make filesystem to this /dev/sdb1 partition using ufsutils mkfs.ufs 
  utility:
 
  mkfs.ufs -O 1 /dev/sdb1
 
  ..however, I'm very unsure, should I enable journaling, is volume name 
  needed or any other more advanced filesystem options(?)
 
  4) as I understand, now I need to install FreeBSD in order to install 
  jinstall-.tgz bundle using pkg_add later. How to accomplish FreeBSD 
  installation in such conditions? Which version should I install? Or are 
  there any other possibilities to get JUNOS running on CF?
 
 
  regards,
  martin

Re: [j-nsp] Creating L2tp/ADSL over M10i

2011-02-01 Thread Jonas Frey (Probe Networks)
Hi,

good luck trying this. When i did this once it was a horrible mess. The
l2tp implementation is quite broken. The accounting is just not working
correctly and so on...
Stay with cisco...that'll save you a lot of time.
Maybe the MX will have better l2tp support... sometime.

Regards,
Jonas


On Tuesday, 01.02.2011, at 05:52 +0200, mohammed edrees wrote:
 Hi Expertise
  
 
   I'm going to move ADSL customers from cisco to Juniper M10i router and 
 let is working as LNS, I’m installing (Multiservice 100) to support the 
 tunneling and PPP sessions over it.
  
 I created the configurations and need any one made this service before to 
 review it.
 
 ___ juniper-nsp mailing list 
 juniper-nsp@puck.nether.net 
 https://puck.nether.net/mailman/listinfo/juniper-nsp



Re: [j-nsp] M20 SSB slot 0 failures

2011-01-18 Thread Jonas Frey (Probe Networks)
Hi Chris,

i haven't seen an error like this where the same SSB works fine in slot 1
but not slot 0.

But my guess is that slot 0 gives back the true status of the card and
the test report from slot 1 is inaccurate.

We have seen memory failures of SSB-E(-16) boards a couple of times
while running in production. It appears the memory of the boards wears
over time and then starts spitting out errors. This works for some time
since it's ECC memory but all things come to an end.
Just go and grab new memory and try again. It's easy to replace and
replacement memory (tho unofficial) is pretty cheap.
See 
http://juniper.cluepon.net/Unofficial_hardware_upgrades

Regards,
Jonas

 
 Hi,
 
 I have four M20 chassis with continuous slot 0 SSB failures. 
 
 These are from two completely different vendors..
 
 I would think, oh, a bad chassis, but I am getting this same result with a 
 variety of chassis and SSB cards.  I do have chassis that don't display this 
 failure, with the same SSB cards.  This is what leads me to believe that I am 
 hitting a rash of bad crap.
 
 The failure is as follows.  Any SSB tests out fine in slot 1.  But in slot 0, 
 the same SSBs fail.  Slot 0 often Fails over to slot 1 in operation if both 
 SSBs are populated in these chassis.
 
 Is this some kind of known problem?  Or am I just the most unlucky person in 
 the Juniper M20 world?
 
 Success in slot 1
 -
 
 SSB1( vty)# bringup chassis slot-state 1 diag
 Slot 1 state changed from 'on-line' to 'diagnostics'
 
 SSB1( vty)# diagnostic set mode manufacturing
 
 SSB1( vty)# diag clear log
 
 SSB1( vty)# diag bchip 1 sdram
 [Waiting for completion, a:abort, p:pause]
 B SDRAM (Slot 1) test
 phase 1, pass 1, B SDRAM (Slot 1) test: Address Test
 phase 2, pass 1, B SDRAM (Slot 1) test: Pattern Test
 phase 3, pass 1, B SDRAM (Slot 1) test: Walking 0 Test
 phase 4, pass 1, B SDRAM (Slot 1) test: Walking 1 Test
 phase 5, pass 1, B SDRAM (Slot 1) test: Mem Clear Test
 B SDRAM (Slot 1) test completed, 1 pass,  0 errors
 
 
 SSB1( vty)# diag bchip 1 sdram
 [Waiting for completion, a:abort, p:pause]
 B SDRAM (Slot 1) test
 phase 1, pass 1, B SDRAM (Slot 1) test: Address Test
 phase 2, pass 1, B SDRAM (Slot 1) test: Pattern Test
 phase 3, pass 1, B SDRAM (Slot 1) test: Walking 0 Test
 phase 4, pass 1, B SDRAM (Slot 1) test: Walking 1 Test
 phase 5, pass 1, B SDRAM (Slot 1) test: Mem Clear Test
 B SDRAM (Slot 1) test completed, 1 pass,  0 errors
 
 
 Fail in slot 0
 --
 
 SSB0( vty)# bringup chassis slot-state 0 diag
 Slot 0 state changed from 'diagnostics' to 'diagnostics'
 
 SSB0( vty)# diagnostic set mode manufacturing
 
 SSB0( vty)# diag clear log
 
 SSB0( vty)# diag bchip 0 sdram 
 [Waiting for completion, a:abort, p:pause]
 B SDRAM (Slot 0) test
 phase 1, pass 1, B SDRAM (Slot 0) test: Address Test
 
 *** Fatal error during B SDRAM (Slot 0) test, pass 1,
 Data did not compare, Slot 0 (NIC0 B chip SDRAM banks ref. des. U?)
 
 
 B SDRAM (Slot 0) test completed, 1 pass,  1 error
 
 [Jan  5 21:34:17.356 LOG: Err] Data Error: Bank 0 (global cell 0x3e52): 
 Expected 0x5280001f, Observed 0x200200
 
 ___
 juniper-nsp mailing list juniper-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/juniper-nsp



Re: [j-nsp] P-1GE -B

2010-12-28 Thread Jonas Frey (Probe Networks)
Not really. Both can do MPLS but only -B is capable of CCC VLANs
(513-1024) for MPLS.

Regards,
Jonas



On Monday, 27.12.2010, at 16:10 -0800, Chris Cappuccio wrote:
 Someone refresh my memory...is the -B variant the only one that is MPLS 
 capable?  What is the difference between P-1GE-LX and P-1GE-LX-B ??
 



Re: [j-nsp] m10 Hard Disk Crashed

2010-10-21 Thread Jonas Frey (Probe Networks)
See cluepon:

http://juniper.cluepon.net/index.php/Replacing_the_harddisk_with_solid_state_flash

On Wednesday, 20.10.2010, at 17:19 -0400, Fernando Atilano wrote:
 Anybody that can provide as to how to replace a m10 hard disk? one of them 
 failed.
 
 any feedback is greatly appreciated.
 
 Fernando Atilano| Transtelco| Networking  Support
 MX 52.656.257.1114
 US1.915.217.2286
 
 ___
 juniper-nsp mailing list juniper-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/juniper-nsp



Re: [j-nsp] m10 Hard Disk Crashed

2010-10-21 Thread Jonas Frey (Probe Networks)
See:

http://www.mail-archive.com/juniper-nsp@puck.nether.net/msg06658.html

request system partition hard-disk
request system snapshot partition
request system snapshot



On Thursday, 21.10.2010, at 20:16 -0200, Giuliano Cardozo Medalha wrote:
 What are the commands you need to use to upgrade the hard disk ?
 
 Something like:
 
 request system snapshot media ... ?
 
 Anyone knows how to do that ?
 
 Thanks a lot,
 
 
  Thank you Jonas !!
 
  Fernando Atilano| Transtelco| Networking  Support
  MX 52.656.257.1114
  US1.915.217.2286
 
  On Oct 21, 2010, at 3:59 PM, Jonas Frey (Probe 
  Networks)j...@probe-networks.de
  wrote:
 
  See cluepon:
 
  http://juniper.cluepon.net/index.php/Replacing_the_harddisk_with_solid_state_flash
 
  On Wednesday, 20.10.2010, at 17:19 -0400, Fernando Atilano wrote:
  Anybody that can provide as to how to replace a m10 hard disk? one
  of them failed.
 
  any feedback is greatly appreciated.
 
  Fernando Atilano| Transtelco| Networking  Support
  MX 52.656.257.1114
  US1.915.217.2286
 
  ___
  juniper-nsp mailing list juniper-nsp@puck.nether.net
  https://puck.nether.net/mailman/listinfo/juniper-nsp
  ___
  juniper-nsp mailing list juniper-nsp@puck.nether.net
  https://puck.nether.net/mailman/listinfo/juniper-nsp
 
 
 ___
 juniper-nsp mailing list juniper-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/juniper-nsp



Re: [j-nsp] BGP Blackhole communities

2010-10-20 Thread Jonas Frey (Probe Networks)
Hi,

It's easy:

- you need multihop on internal bgp sessions
- configure dsc:
unit 0 {
    family inet {
        address 10.10.20.1/32 {
            destination 10.10.20.2;
        }
    }
}

Add policy for blackhole filter:

# show policy-options policy-statement blackholefilter 
term black {
    from {
        protocol bgp;
        community blackhole;
    }
    then {
        next-hop 10.10.20.2;
    }
}



- use this policy as import on internal bgp sessions (to propagate in
your network and block traffic directly on each node)

- add policy to your bgp customer as import policy:

term 2 {
    from {
        protocol bgp;
        community blackhole;
    }
    then {
        community add no-export;
        next-hop 10.10.20.2;
        accept;
    }
}


- define community blackhole:

# show policy-options community blackhole 
members yourAS:;


You may need/want to tweak this to suit your needs. The above example
will allow everything up to /32 in size (usually what your customer will
want).

Regards,
Jonas



On Wednesday, 20.10.2010, at 12:46 +0100, Nick Ryce wrote:
 Hi Guys,
 
 I am starting to play with BGP and have set up some communities to separate 
 customer, peer and transit routes.  I am trying to figure out how to allow 
 customers to send me a blackhole community number and then blackhole this.  
 Does anyone have any examples?  I have set up most of my communities 
 following http://puck.nether.net/bgp/juniper-config.html but still cannot 
 find any work examples of a blackhole community and how, when a customer adds 
 this to a prefix, I can discard/nullroute this.
 
 Any help much appreciated
 
 
 Nick
 
 
 
 ___
 juniper-nsp mailing list juniper-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/juniper-nsp
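
Added example (not part of the thread, not Juniper code): a small model of the customer import decision described above, where a route carrying the blackhole community gets next-hop 10.10.20.2 and no-export. It goes beyond "term 2" as posted by also checking that the prefix lies inside the customer's own address space before honouring the request. The community value 64500:666, the customer prefix, the /24 limit for untagged routes and all sample announcements are constructed assumptions.

```python
import ipaddress

BLACKHOLE = "64500:666"          # constructed placeholder; the post elides the value ("yourAS:")
NO_EXPORT = "no-export"
DISCARD_NEXT_HOP = "10.10.20.2"  # dsc destination address used in the post

# Constructed customer data (RFC 5737 documentation space).
CUSTOMER_PREFIXES = ["192.0.2.0/24"]
ANNOUNCEMENTS = [
    ("192.0.2.0/24", [], "198.51.100.1"),             # ordinary route
    ("192.0.2.10/32", [BLACKHOLE], "198.51.100.1"),   # valid blackhole request
    ("203.0.113.5/32", [BLACKHOLE], "198.51.100.1"),  # someone else's address
    ("192.0.2.10/32", [], "198.51.100.1"),            # /32 without the community
    ("192.0.2.10/24", [BLACKHOLE], "198.51.100.1"),   # host bits set: malformed
]


def evaluate_customer_route(prefix, communities, next_hop, customer_prefixes,
                            max_normal_len=24):
    """Decide what to do with one route received from a customer.

    Returns (action, next_hop, communities, reason). max_normal_len is an
    assumed limit for routes without the blackhole community; tagged routes
    are allowed up to /32, as the post notes.
    """
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return ("reject", None, [], "malformed prefix")

    allowed = [ipaddress.ip_network(p) for p in customer_prefixes]
    owned = any(net.version == a.version and net.subnet_of(a) for a in allowed)
    if not owned:
        return ("reject", None, [], "outside customer address space")

    if BLACKHOLE in communities:
        tagged = list(communities)
        if NO_EXPORT not in tagged:
            tagged.append(NO_EXPORT)   # keep the blackhole route inside our AS
        return ("accept", DISCARD_NEXT_HOP, tagged, "blackhole request")

    if net.prefixlen > max_normal_len:
        return ("reject", None, [], "too specific without blackhole community")
    return ("accept", next_hop, list(communities), "normal route")


def apply_policy(announcements, customer_prefixes):
    """Evaluate a batch of (prefix, communities, next_hop) announcements."""
    return [evaluate_customer_route(p, c, nh, customer_prefixes)
            for p, c, nh in announcements]


if __name__ == "__main__":
    for ann, result in zip(ANNOUNCEMENTS, apply_policy(ANNOUNCEMENTS, CUSTOMER_PREFIXES)):
        print(ann[0], ann[1], "->", result)
```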



Re: [j-nsp] Upgrade without PCMCIA card?

2007-12-20 Thread Jonas Frey (Probe Networks)
Hello,

speaking of CF upgrades...anyone here did any yet?
Wondering how much cf memory the RE(2|3) can handle.

Regards,
Jonas

On Thu, December 20, 2007 00:53, Richard A Steenbergen wrote:
 On Wed, Dec 19, 2007 at 06:09:28PM -0400, chiel wrote:

 Hi all,


 I want to upgrade a M5 from 6.2R2.4 to 8.5R1.14. But I don't have a
 PCMCIA card, see below:


 root request system software add non-validate reboot
 /var/tmp/jinstall-8.5R1.14-export-signed.tgz
 Installing package '/var/tmp/jinstall-8.5R1.14-export-signed.tgz' ...
 Verified MD5 checksum of jinstall-8.5R1.14-export.tgz
 Adding jinstall...


 WARNING: This installation will not succeed.
 WARNING: The boot device is less than 256M.
 WARNING: A hardware upgrade is required.


 JUNOS 8.5 and beyond will no longer fit on compact flash less than 256MB
 (some mysterious 40MB addition to the jpfe-common image which I haven't
 bothered to track down yet), which means no stock M5 RE will ever support
 it.

 You could upgrade your CF (unsupported but doable, not recommended for
 novices). but if you're like every other M5 user who upgraded to 8.x last
 week you'll probably end up blowing out with FEB DRAM as soon as you do
 anyways. You could of course also upgrade this (also unsupported :P), but
  if any of this is confusing the correct answer is to downgrade code or
 upgrade platform. :)

 --
 Richard A Steenbergen [EMAIL PROTECTED]   http://www.e-gerbil.net/ras
  GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1
 2CBC)
 ___
 juniper-nsp mailing list juniper-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/juniper-nsp



