Re: [j-nsp] GRE tunnel on EX4500

2016-01-21 Thread Levi Pederson
Dave,

We also had an issue with a memory leak shutting down the Forwarding Engine
after about 3 months or so of constant use.  We were running about 8 gigs
at the time on the chassis.  I would also look to see if that issue has
been taken care of.  We were running the minimum to use the GRE which was
13.1 I believe at the time for our 4550.

Thank you,


*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
levipeder...@mankatonetworks.net


On Wed, Jan 20, 2016 at 6:11 PM, Tony Hawke  wrote:

> Dave,
>
> Unfortunately, it looks like GRE support didn't get implemented on the
> EX4500 until Junos 13.2X50-D15.
>
> http://pathfinder.juniper.net/ is a handy tool for finding out what will
> and won't work on a hardware platform/Junos version combination.
>
> In this case:
>
> http://pathfinder.juniper.net/feature-explorer/feature-info.html?fKey=4026&fn=IPv4+over+generic+routing+encapsulation+(GRE)+tunnels%E2%80%94encapsulation+support
>
> Cheers,
> Tony
>
>
>
> On 21 January 2016 at 10:51, Dave Peters - Terabit Systems <
> d...@terabitsystems.com> wrote:
>
> > Hey everyone--
> >
> > I'm trying to set up a GRE tunnel on an EX4500 running 12.3R9.4, and I'm
> > running into some basic trouble. This page does a pretty basic setup:
> >
> > http://www.juniper.net/documentation/en_US/junos15.1/topics/task/configuration/gre-tunnel-services-cli.html
> >
> > But when I start to issue this command :
> > #set chassis fpc 0 pic 0 tunnel-port port-number tunnel-services
> >
> > I don't get the "tunnel-port" option. It's not available, per the below:
> >
> > root# set chassis fpc 0 pic 0 ?
> > Possible completions:
> > + apply-groups         Groups from which to inherit configuration data
> > + apply-groups-except  Don't inherit configuration data from these groups
> >   no-multi-rate        Disable multi-rate mode
> > > q-pic-large-buffer   Run in large delay buffer mode
> > > sfpplus              Sfpplus configuration option
> > {master:0}[edit]
> > root# set chassis fpc 0 pic 0
> >
> > Clearly I'm doing something wrong. Can anyone point me in the right
> > direction? Google is failing me (or I'm failing Google, which is probably
> > closer to the truth).
> >
> > Thanks much.
> >
> > --Dave Peters
> > ___
> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] Quick SRX host-inbound Question

2015-11-17 Thread Levi Pederson
All,

I have a quick question on host-inbound-traffic system-services on an SRX
Platform using 12.1

I thought you could create your own "service" and apply ports to that
specifically

I'm running into an issue where I don't want to allow-all on the
host-inbound but I do need a fair amount of unlisted ports to still
maintain access.

Does anyone remember if this is possible?  Still sorting through
documentation to validate my memory.

Thank you,

*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
levipeder...@mankatonetworks.net


Re: [j-nsp] Breaking an EX cluster?

2015-08-17 Thread Levi Pederson
Scott,

Something else to consider.

In the configuration of the current 2 member VC

1. Do you have a static membership using the following?
   set virtual-chassis preprovisioned
   set virtual-chassis no-split-detection
   set virtual-chassis member 0 role routing-engine
   set virtual-chassis member 0 serial-number ##1
   set virtual-chassis member 1 role routing-engine
   set virtual-chassis member 1 serial-number ##2

2.  Do you have set virtual-chassis no-split-detection "recommended for
only 2 member VC's"

*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
levipeder...@mankatonetworks.net


On Mon, Aug 17, 2015 at 1:45 PM, Scott Granados 
wrote:

> Ah thanks for the link.
>
> I tried googling and didn’t find much so this will be helpful.
>
> Thank you
>
> > On Aug 17, 2015, at 2:39 PM, Kevin Wormington  wrote:
> >
> > I don't know if sub-versions would matter or not, IIRC my case was
> > something like 12.x and 13.x.  It's been a while, I may have also
> > followed the instructions from:
> >
> > http://forums.juniper.net/t5/Ethernet-Switching/Disable-Virtual-Chasis-on-EX4200/td-p/46663
> >
> > On 08/17/2015 01:32 PM, Scott Granados wrote:
> >> Ah very interesting.  I didn’t think of that.
> >>
> >> The switches all have whatever they were shipped and manufactured
> >> with.  13.2X51 but not sure if the sub version matches.  I will give
> >> that a look and match them up if they aren’t a matching set.
> >>
> >>> On Aug 17, 2015, at 2:29 PM, Kevin Wormington wrote:
> >>>
> >>> Are these units all running the same version of JunOS?  If the lab
> >>> units have a new version or vice-versa it could spell trouble.  I ran
> >>> into a similar issue with 4300's and zeroing them and upgrading JunOS
> >>> to the latest recommended version with no VCP modules/cables installed
> >>> and then forming the chassis one unit at a time did the trick.
> >>>
> >>> Kevin
> >>> On 08/17/2015 01:19 PM, Scott Granados wrote:
> >>>> So let me be a bit more clear.
> >>>>
> >>>> I have an existing lab chassis.  It’s just something we use to test
> >>>> on etc.  We received 2 more decommissioned 4300 members from the field
> >>>> to add to the stack.  Right now it’s a stack of 2 and I’d like to make
> >>>> this 4.  The existing 2 member chassis boots fine, all the VCP ports
> >>>> show adjacency and all is good in the hood.:)
> >>>> When I take the 3rd member whether I zeroize the new member to join
> >>>> it restarts but a link is never formed with the VCP ports.  I’m using
> >>>> the built in 40G ports and juniper cables that I obtained from Juniper
> >>>> for the backplane wiring on the stack.  No matter what I try I can’t
> >>>> get physical link between the two existing member chassis and one of
> >>>> my proposed repurposed members or member 3 in this case.  (line card
> >>>> role)
> >>>>
> >>>> I’m leaning towards hardware problem because I can’t get link no
> >>>> matter what I attach to the new switches VCP port but the two in the
> >>>> original functional chassis form adjacencies on all 4 cables.  So it’s
> >>>> adding the new to an existing that’s the problem.  Could be process
> >>>> and a very real possibility it’s the guy behind the keyboard writing
> >>>> this that’s the problem but not getting physical link was pointing me
> >>>> at hardware problems.  I just wanted to make sure I cleaned out the
> >>>> previous configs from the proposed new member well enough to not cause
> >>>> it to fail to join.
> >>>>
> >>>> Does that make a bit more sense?
> >>>>
> >>>> Thanks for your and everyone else's responses as well. It’s very much
> >>>> appreciated.
> >>>>
> >>>> Scott
> >>>>
> >>>>
> >>>> On Aug 17, 2015, at 1:59 PM, Levi Pederson <levipeder...@mankatonetworks.net<mailto:levipeder...@mankatonetworks.net>> wrote:
> >>>>
> >>>> Scott,
> >>>>
> >>>> I was under the assumption you wanted to zeroize and remove a unit
> >>>> from a Virtual Chassis.  Hence the use of system zeroize.
> >>>>
> >>>> If you wanted to completely erase and re-setup a new VC with old
> >>>> members of a previous that is a different story.
> >>>>
> >>>> I think your issue might be process related.
> >>>>
> >>>> I would erase and pre-setup (partially) the first switch in the
> >>>> NEW VC with no VC cables attached.
> >>>>
> >>>> Then connect the VC cables and power on the next member (previously
> >>>> zeroized).
> >>>>
> >

Re: [j-nsp] Breaking an EX cluster?

2015-08-17 Thread Levi Pederson
Scott,

I was under the assumption you wanted to zeroize and remove a unit from a
Virtual Chassis.  Hence the use of system zeroize.

If you wanted to completely erase and re-setup a new VC with old members of
a previous that is a different story.

I think your issue might be process related.

I would erase and pre-setup (partially) the first switch in the NEW VC
with no VC cables attached.

Then connect the VC cables and power on the next member (previously
zeroized).

That should bring up the VC between the two devices.

The other option would be to statically assign the VC nodes using the
serial numbers.

Thank you,




*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
levipeder...@mankatonetworks.net


On Mon, Aug 17, 2015 at 12:33 PM, Scott Granados 
wrote:

> Hi Ross, I had tried this but still no link.  I believe I have a hardware
> problem at work causing the vc ports not to link.  Zeroize seemed to do the
> trick but without connectivity I’m Dead in the water.  Time to RMA I think.
>
> Thanks
> Scott
>
> > On Aug 17, 2015, at 1:20 PM, Ross Halliday <ross.halli...@wtccommunications.ca> wrote:
> >
> > Since you want to nuke the config anyway, break the switch out of the
> > VC and use
> >
> >   request system zeroize
> >
> > You may want to assign the soon-to-be-former member an RE role, if it's
> > not an automatically elected cluster, just to make things a little
> > easier.
> >
> > Cheers
> > Ross
> >
> >
> > -Original Message-
> > From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Scott Granados
> > Sent: Thursday, August 13, 2015 9:23 PM
> > To: juniper-nsp
> > Subject: [j-nsp] Breaking an EX cluster?
> >
> > Hi,
> > Have some EX 4300s that I want to break apart and start like they were
> > factory new and reboot.  I know about the factory default button on the
> > front and the configuration option but no matter how I apply that I
> > still have the node boot thinking it’s a member of the previous chassis.
> > How do I delete its membership when it’s active / a stand alone node?
> >
> > Any pointers are most appreciated.
> >
> > Thank you
> > Scott

Re: [j-nsp] Proper Break of MPLS RSVP Ring

2015-07-21 Thread Levi Pederson
Chris,

I do understand.  My initial thoughts were all theoretical.  Helping me
understand RSVP and the MPLS more.  With some help I did discover I had a
typo between the links forcing them not to pull up any protocol even OSPF
(my internal MPLS routing).  So my entire config was right but I had that
one mistake.

Thank you all to those who provided their two cents and more.

Thank you,


*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
levipeder...@mankatonetworks.net


On Tue, Jul 21, 2015 at 5:44 PM, Chris Kawchuk 
wrote:

> Post relevant configs and an actual diagram (Visio -> PDF)
>
> Without this, anything we say is pure speculation -- and we end up playing
> '20 questions' with you. Getting an MPLS/RSVP/LDP/IGP/BGP/Mesh/TE network
> setup involves multiple steps and config-knobs being turned on and turned
> on correctly. Missing any one of them can result in undesirable behaviour.
>
> 1. RSVP priority/preference (?) has no bearing on forming an MPLS
> forwarding path adjacent between two LSRs.
>
> 2. There is no "break" in an MPLS network if it happens to be attached in
> a ring. This is not Spanning Tree. You have a fully routed network.
> Topology can be arbitrary.
>
> 3. How are you setting "broken RSVP down?" RSVP only goes "up" to a
> neighbour IF it actually has a reason to talk to its neighbour. If you do
> not book an RSVP LSP across the link (due to ERO or following the IGP to
> the egress point), the two LSR's never exchange RSVP packets, because they
> have no reason to do so. This is known and expected behaviour. This is not
> LDP, which is 'chatty' and tries to reach out and touch its neighbour and
> dynamically create FECs and transport label tables. RSVP only is invoked on
> an LSR-LSR link if an actual reservation needs to be made on that link.
>
> 4. What does your IGP suggest about the shortest path in the topology?
>
> 5. do you have family mpls enabled on all the relevant interfaces?
>
> 6. do you have all the relevant interfaces you want to run rsvp on,
> declared in protocols rsvp, and protocols mpls?
>
> etc.. ;)
>
> - Ck.
>
>
>
>
> On 22/07/2015, at 5:18 AM, Levi Pederson wrote:
>
> > All,
> >
> > Double Checked the Layer 2 ring today and it seems solid.
> >
> > Once again we have B and C co-located and A and D in remote locations
> > with a link between them.
> >
> > Currently there is no RSVP between C and D and this is making my ring go
> > right instead of left!
> >
> > I can Ping from D to C (its next hop on the ring) if I force it out the
> > MPLS interface.  However when I ping the LSP interfaces (loopbacks) it
> > takes the long way around.  Short is 10ms and the long goes up to almost
> > 26ms (pinging loops , again the long way around).  Current production
> > traffic backs this up.
> >
> > This leads me to believe there is not a Layer 2 issue but something more
> > enigmatic.
> >
> > Currently reading up on RSVP priority/preference but that seems like
> > taking a 2Ton Electromagnetic Sentient WreckingBall to hammer in a nail.
> >
> > Thank you,
>
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
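
The per-interface checks from the quoted reply (family mpls on each core interface, and each interface declared under protocols rsvp and protocols mpls, plus the OSPF IGP mentioned above) can be run mechanically over "set"-format configuration. The following is an added example, not part of the thread or anyone's actual configuration; the interface names, addresses and sample configs are constructed, and the link-subnet comparison is an assumption about the kind of typo that keeps every protocol on a link down.

```python
import ipaddress
import re

# Constructed "set"-format snippets for routers C and D on the ring; the
# interface names and addresses are assumptions, not taken from the thread.
CONFIG_C = """\
set interfaces xe-0/0/0 unit 0 family inet address 10.0.23.2/30
set interfaces xe-0/0/0 unit 0 family mpls
set interfaces xe-0/0/1 unit 0 family inet address 10.0.34.1/30
set interfaces xe-0/0/1 unit 0 family mpls
set protocols rsvp interface xe-0/0/0.0
set protocols rsvp interface xe-0/0/1.0
set protocols mpls interface xe-0/0/0.0
set protocols ospf area 0.0.0.0 interface xe-0/0/0.0
set protocols ospf area 0.0.0.0 interface xe-0/0/1.0
"""
CONFIG_D = """\
set interfaces xe-0/0/1 unit 0 family inet address 10.0.43.2/30
set interfaces xe-0/0/1 unit 0 family mpls
set protocols rsvp interface xe-0/0/1.0
set protocols mpls interface xe-0/0/1.0
set protocols ospf area 0.0.0.0 interface xe-0/0/1.0
"""

IFL_RE = re.compile(
    r"^set interfaces (\S+) unit (\d+) family (\S+)(?: address (\S+))?")
PROTO_RE = re.compile(
    r"^set protocols (rsvp|mpls|ospf) (?:area \S+ )?interface (\S+)")


def parse(config):
    """Return (families per logical interface, inet address per logical
    interface, logical interfaces listed under each protocol)."""
    families, addrs = {}, {}
    protos = {"rsvp": set(), "mpls": set(), "ospf": set()}
    for line in config.splitlines():
        line = line.strip()
        m = IFL_RE.match(line)
        if m:
            ifl = f"{m.group(1)}.{m.group(2)}"
            families.setdefault(ifl, set()).add(m.group(3))
            if m.group(3) == "inet" and m.group(4):
                addrs[ifl] = ipaddress.ip_interface(m.group(4))
            continue
        m = PROTO_RE.match(line)
        if m:
            name = m.group(2)
            # A bare physical name under a protocol means unit 0.
            if name != "all" and "." not in name:
                name += ".0"
            protos[m.group(1)].add(name)
    return families, addrs, protos


def audit_node(config, core_ifls):
    """List what each core-facing logical interface is missing."""
    families, _, protos = parse(config)
    findings = []
    for ifl in core_ifls:
        if "mpls" not in families.get(ifl, set()):
            findings.append(f"{ifl}: family mpls missing")
        for proto in ("rsvp", "mpls", "ospf"):
            if ifl not in protos[proto] and "all" not in protos[proto]:
                findings.append(f"{ifl}: not listed under protocols {proto}")
    return findings


def link_subnet_matches(cfg_a, ifl_a, cfg_b, ifl_b):
    """True when both ends of a link sit in the same subnet with
    different host addresses."""
    a = parse(cfg_a)[1].get(ifl_a)
    b = parse(cfg_b)[1].get(ifl_b)
    return (a is not None and b is not None
            and a.network == b.network and a.ip != b.ip)


if __name__ == "__main__":
    for name, cfg, ifls in (("C", CONFIG_C, ["xe-0/0/0.0", "xe-0/0/1.0"]),
                            ("D", CONFIG_D, ["xe-0/0/1.0"])):
        for finding in audit_node(cfg, ifls) or ["no findings"]:
            print(f"{name}: {finding}")
    ok = link_subnet_matches(CONFIG_C, "xe-0/0/1.0", CONFIG_D, "xe-0/0/1.0")
    print("C-D link addressing consistent:", ok)
```
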


Re: [j-nsp] Proper Break of MPLS RSVP Ring

2015-07-21 Thread Levi Pederson
All,

Double Checked the Layer 2 ring today and it seems solid.

Once again we have B and C co-located and A and D in remote locations with
a link between them.

Currently there is no RSVP between C and D and this is making my ring go
right instead of left!

I can Ping from D to C (its next hop on the ring) if I force it out the
MPLS interface.  However when I ping the LSP interfaces (loopbacks) it
takes the long way around.  Short is 10ms and the long goes up to almost
26ms (pinging loops , again the long way around).  Current production
traffic backs this up.

This leads me to believe there is not a Layer 2 issue but something more
enigmatic.

Currently reading up on RSVP priority/preference but that seems like taking
a 2Ton Electromagnetic Sentient WreckingBall to hammer in a nail.

Thank you,






*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
levipeder...@mankatonetworks.net


On Thu, Jul 16, 2015 at 2:58 PM, Ben Dale  wrote:

> Hi Levi,
>
> > On 17 Jul 2015, at 5:22 am, Levi Pederson <levipeder...@mankatonetworks.net> wrote:
> > This is displaying itself in my output by not having an RSVP Neighbor
> > (neighbor down hellos sent) between C&D (and therefore sending my traffic
> > inefficiently 3/4 way around the ring instead of the 1/4 hop it could.
> > Last bit of information is that D sees C as a neighbor but is down.  C
> > does not even see D as a neighbor at all.
>
> This sounds like an L2 issue, or perhaps a misconfiguration - all nodes
> should be RSVP neighbours in order to be able to signal LSPs across those
> interfaces.
>
> Check your protocols rsvp config for the logical interfaces between D.
>
> Use monitor traffic interface  on D to confirm that RSVP is
> being sent out of the box.
>
> Check any control-plane filtering/firewall filters you have configured on
> C (though it seems to be receiving just fine from B).
>
> > I'm wondering how RSVP breaks that link.  All the documentation I can
> > find are focused on LSP validation/creation and not on Link Breaks to
> > stop layer 2 loops (is my assumption).  If one of my intervening links
> > goes down I would like to correct it and then move the break to the
> > specified point.  But the RSVP documentation is rather...limited to only
> > LSPs if I am reading it correctly.
>
> RSVP won’t break the link to stop loops (the LSPs will carry service
> labels which may not even be L2 services), it will simply establish the LSP
> across the best/shortest path between endpoints (based on your TE
> settings), and if this becomes unavailable (and depending on your
> configuration) it will simply re-establish over any alternate path (which
> it sounds like is working well).
>
> Cheers,
>
> Ben
>
>

Re: [j-nsp] Proper Break of MPLS RSVP Ring

2015-07-16 Thread Levi Pederson
Ben,

Thank you for the thought out response.

I'll dive into the L2 side.

Thank you,


*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
levipeder...@mankatonetworks.net


On Thu, Jul 16, 2015 at 2:58 PM, Ben Dale  wrote:

> Hi Levi,
>
> > On 17 Jul 2015, at 5:22 am, Levi Pederson <levipeder...@mankatonetworks.net> wrote:
> > This is displaying itself in my output by not having an RSVP Neighbor
> > (neighbor down hellos sent) between C&D (and therefore sending my traffic
> > inefficiently 3/4 way around the ring instead of the 1/4 hop it could.
> > Last bit of information is that D sees C as a neighbor but is down.  C
> > does not even see D as a neighbor at all.
>
> This sounds like an L2 issue, or perhaps a misconfiguration - all nodes
> should be RSVP neighbours in order to be able to signal LSPs across those
> interfaces.
>
> Check your protocols rsvp config for the logical interfaces between D.
>
> Use monitor traffic interface  on D to confirm that RSVP is
> being sent out of the box.
>
> Check any control-plane filtering/firewall filters you have configured on
> C (though it seems to be receiving just fine from B).
>
> > I'm wondering how RSVP breaks that link.  All the documentation I can
> > find are focused on LSP validation/creation and not on Link Breaks to
> > stop layer 2 loops (is my assumption).  If one of my intervening links
> > goes down I would like to correct it and then move the break to the
> > specified point.  But the RSVP documentation is rather...limited to only
> > LSPs if I am reading it correctly.
>
> RSVP won’t break the link to stop loops (the LSPs will carry service
> labels which may not even be L2 services), it will simply establish the LSP
> across the best/shortest path between endpoints (based on your TE
> settings), and if this becomes unavailable (and depending on your
> configuration) it will simply re-establish over any alternate path (which
> it sounds like is working well).
>
> Cheers,
>
> Ben
>
>

[j-nsp] Proper Break of MPLS RSVP Ring

2015-07-16 Thread Levi Pederson
All,

I've been having a great time with all your help in creating an MPLS ring
and I've made tons of headway.

My issue now my ring is L2 broken using RSVP at an inconvenient point.

I am assuming this break is natural to the creation of an MPLS Ring.

Note the MPLS transport works.  Just taking a +15ms path.

However , I would like it broken at a point where two devices are
co-located.

Device A and B are co-located

Device C and D are geographically separated but have a link between them.

Currently I have the following RSVPs
A
   A-B
   A-D
B
   B-A
   B-C
C
   C-D (Broken rsvp down)
   C-B
D
   D-C (Broken rsvp down)
   D-A

Incidentally The C-D link was the last MPLS Core link I turned up.

This is displaying itself in my output by not having an RSVP Neighbor
(neighbor down hellos sent) between C&D (and therefore sending my traffic
inefficiently 3/4 way around the ring instead of the 1/4 hop it could.
Last bit of information is that D sees C as a neighbor but is down.  C does
not even see D as a neighbor at all.

I'm wondering how RSVP breaks that link.  All the documentation I can find
are focused on LSP validation/creation and not on Link Breaks to stop layer
2 loops (is my assumption).  If one of my intervening links goes down I
would like to correct it and then move the break to the specified point.
But the RSVP documentation is rather...limited to only LSPs if I am reading
it correctly.

Any and all assistance would be much appreciated.

Thank you



*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
levipeder...@mankatonetworks.net


Re: [j-nsp] Basic Implementation of VLAN/LogicalPort across MPLS

2015-07-08 Thread Levi Pederson
All,

And yes I'm using RSVP, LDP, and LLDP and LLDP-med

Thank you,


*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
levipeder...@mankatonetworks.net


On Wed, Jul 8, 2015 at 4:34 AM, Eric Van Tol  wrote:

> > interfaces {
> >     ae0 {
> >         aggregated-ether-options {
> >             lacp {
> >                 active;
> >             }
> >         }
> >         vlan-tagging;
> >         encapsulation flexible-ethernet-services;
> >         unit 10 {
> >             encapsulation vlan-ccc;
> >             vlan-id 10;
> >         }
> >         unit 20 {
> >             encapsulation vlan-ccc;
> >             vlan-id 20;
> >         }
> >     }
> > }
>
> Additionally, if you need to transport a single VLAN on one side to a full
> port on the other, you need to pop the VLAN on ingress (and push on egress)
> into (and out of) the tunnel:
>
> unit 10004 {
>     description "To Port-Based EoMPLS";
>     encapsulation vlan-ccc;
>     vlan-id 2123;
>     input-vlan-map pop;
>     output-vlan-map push;
>     family ccc;
> }


Re: [j-nsp] Basic Implementation of VLAN/LogicalPort across MPLS

2015-07-08 Thread Levi Pederson
All,

Thank you all for your help!  It's putting me on the right track!

One thing to note since I'm using EX4550's I do not have "Flexible Ethernet
Services"  Only vlan-ccc and ethernet-ccc

Thank you all for your help!

*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
levipeder...@mankatonetworks.net


On Wed, Jul 8, 2015 at 4:34 AM, Eric Van Tol  wrote:

> > interfaces {
> >     ae0 {
> >         aggregated-ether-options {
> >             lacp {
> >                 active;
> >             }
> >         }
> >         vlan-tagging;
> >         encapsulation flexible-ethernet-services;
> >         unit 10 {
> >             encapsulation vlan-ccc;
> >             vlan-id 10;
> >         }
> >         unit 20 {
> >             encapsulation vlan-ccc;
> >             vlan-id 20;
> >         }
> >     }
> > }
>
> Additionally, if you need to transport a single VLAN on one side to a full
> port on the other, you need to pop the VLAN on ingress (and push on egress)
> into (and out of) the tunnel:
>
> unit 10004 {
>     description "To Port-Based EoMPLS";
>     encapsulation vlan-ccc;
>     vlan-id 2123;
>     input-vlan-map pop;
>     output-vlan-map push;
>     family ccc;
> }


[j-nsp] Basic Implementation of VLAN/LogicalPort across MPLS

2015-07-07 Thread Levi Pederson
All,

I've setup an MPLS ring and with your help it's running beautifully. With
it I can easily make port congruence across the MPLS ring with few issues.
For example send a signal from one side of the MPLS ring to the other if
the signal lands on a port directly.  I.E a physical interface.

Where I'm having trouble now is landing or starting from a logical
interface such as a VLAN.

For example.

I'm receiving the signal onto a port on PE1 and I need to Add it to a Trunk
Port which is also an aggregate link (ae0 say VLAN 3999).  Each router
currently holds only 1 switched path to each other PE (3 LSPs per device)
 4 Devices total.

My thoughts were to use this

http://www.juniper.net/documentation/en_US/junos14.1/topics/task/configuration/mpls-l2-circuit-cli.html#jd0e171

That turned out to be incorrect or at least I did something that did not
agree with the system.

My l2circuit attempts seem to not pull up when attempted.

Any help or direction would be appreciated.  I'm not looking for massive
l2VPN or anything like that just the simpler l2circuit

I can provide a diagram and documents for those with a serious request to
help.

Thank you,

*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
levipeder...@mankatonetworks.net


[j-nsp] MPLS Endpoint Discussion

2015-07-02 Thread Levi Pederson
All,

I've created simpler MPLS ring between a total of 6 MPLS 4550s.  My
questions what IP do I use for the Label Switched Path Endpoints. I can't
seem to find a "best practice."

Specifically this code

Obfuscated as I'm a little too literal with my descriptions

set protocols mpls label-switched-path PE2-to-PE1 to 10.254.1.1
set protocols mpls label-switched-path PE2-to-PE3 to 10.254.1.6
set protocols mpls label-switched-path PE2-to-PE4 to 10.254.0.4


Do I use the /30 that exists between the Legs?

Or should I use the LoopBack0 ?

My thought would be Leg itself as it creates the path.  But some documents
state LoopBack.


Thank you,

*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
levipeder...@mankatonetworks.net


Re: [j-nsp] Buying a used Juniper

2015-05-05 Thread Levi Pederson
Colton,

When it comes to important gear, something that would require the muscle of
a MX480, I am hesitant to recommend used.  With all the hassles and hoops
and handstands that could possibly be required , might be easier to get
new.  Have you contacted your Sales Rep?  If not I can recommend a few.

Thank you,

*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
levipeder...@mankatonetworks.net


On Tue, May 5, 2015 at 11:47 AM, Colton Conor 
wrote:

> What are the limitations of buying a used Juniper MX router? I assume there
> will be no JTAC support, but what would it take to licenses a used router
> to get JTAC support? Does JTAC offer a one time support call fee for
> unlicensed routers?
>
> Assuming I already have access to all the latest releases of JUNOS, not
> sure the other reasons to pay for JTAC.
>
> The router in question would be a MX480. Used, we can get them for under
> 20K with redundant everything and 4 10G ports. New from Juniper I don't
> even want to know what these would cost.


Re: [j-nsp] Aggregate policer config

2015-04-08 Thread Levi Pederson
Peter,

Would an aggregate interface assist in this? If It can be done in your
logical scheme, the aggregate interface would provide a simple way to apply
the entire X bandwidth no matter the pipes up.

Thank you,


*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
levipeder...@mankatonetworks.net


On Wed, Apr 8, 2015 at 7:39 AM, Peter Ehiwe  wrote:

> have you considered writing an event script for this  ?
>
> On Tue, Apr 7, 2015 at 10:15 PM, Matthew Crocker
>  wrote:
> >
> > Hello,
> >
> >  A customer with two connections to my mx240.  I want to police their
> > total bandwidth to 800mbps. Right now I have a 800mbps policer but that
> > gives them 800mbps on each circuit.
> >
> > Customer Interface 1 is a VLAN on a 10G interface
> > Customer Interface 2 is a VLAN on a 1G interface
> >
> > Each interface has its own /30 IP subnet with a BGP session on each
> > customer IP
> >
> > Customer buys X bandwidth we want to give them X bandwidth over a pair
> > of circuits.  If one circuit goes down the policer needs to be set to the
> > X bandwidth they purchased.
> >
> > Thanks
> >
> > -Matt
> >
> > --
> > Matthew S. Crocker
> > President
> > Crocker Communications, Inc.
> > PO BOX 710
> > Greenfield, MA 01302-0710
> >
> > E: matt...@crocker.com
> > P: (413) 746-2760
> > F: (413) 746-3704
> > W: http://www.crocker.com
> >
> >
> >
> >


Re: [j-nsp] SRX VPN in Virtual Router

2015-03-30 Thread Levi Pederson
M,

I've landed a VPN on an SRX 240 cluster but I had to update the config to a
version of 12+ to use the LoopBack as a VPN end-point. believe it was 12.44
but I would check the information sheets on the OS versions.  Though I am
unsure of the support on the Virtual Side

Thank you,


*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
levipeder...@mankatonetworks.net


On Mon, Mar 30, 2015 at 9:03 AM, M Abdeljawad via juniper-nsp <
juniper-nsp@puck.nether.net> wrote:

> Hi All
> I have a question about SRX VPN support under virtual router; There are two
> WAN links and each link member in different Virtual Router (not inet0), and
> the VPN tunnels must be established from both virtual routers
>
> Per to my search I found two conflict results as below;
>
> Below KB link mention that it's supported, and the st0 interface and the IKE
> listener interface can be assigned to the custom virtual router.
>
> http://kb.juniper.net/InfoCenter/index?page=content&id=KB21487
>
> And below document link mention that the IKE listener must be member of
> inet.0 for the VPN to work.
>
> http://www.juniper.net/documentation/en_US/junos11.4/topics/concept/virtual-router-support-for-route-based-vpns.html
>
> What if I used Lo0 interface and assigned it to inet.0 and used it as the
> external VPN interface, is this valid solution?
>
> Regards
> Mahmoud


Re: [j-nsp] MPLS EX4550

2015-03-06 Thread Levi Pederson
Giuliano,

I thank you for the prompt reply.  I had originally thought that would
create a loop on the switch, but I believe you are right in that it will
just shunt the VLAN as anticipated.  However,  I was wondering if there was
a solution that can be accomplished without having to use a loop-cable?

Thank you,


*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
levipeder...@mankatonetworks.net


On Fri, Mar 6, 2015 at 2:57 PM, Giuliano (WZTECH) 
wrote:

> We have a situation here and we find a way ... We connect 2 interfaces in
> a optical cable loop ... One that came from a trunk interface ... Family
> ethernet-switching and other family mpls with L2-circuit to do a vlan
> traffic to enter in a mpls interface
>
> Sent from my iPhone
>
> > On Mar 6, 2015, at 17:51, Levi Pederson <levipeder...@mankatonetworks.net> wrote:
> >
> > All,
> >
> > I've got a simple MPLS setup with 4 EX4550's.
> >
> > They are currently in an incomplete ring but will soon have a full ring
> > situation.
> >
> > I've currently got 3 circuits on the transport working wonderfully.
> > However I'm trying to add another alas I'm a bit confused as how to
> > proceed.
> >
> > Previous other circuits were easier in the fact they were simply saying
> > the port on MPLS1-1 is equivalent to this port on MPLS 3-1.
> >
> > The new circuit is different in that I have to take a VLAN received on a
> > trunk port and send it through the MPLS network to 3-1 and then into a
> > vlan-tagged MX-10.
> >
> > I was wondering if anyone has attempted this and has any pointers.
> >
> > Thank you,
> >
> > *Levi Pederson*
> > Mankato Networks LLC
> > cell | 612.481.0769
> > work | 612.787.7392
> > levipeder...@mankatonetworks.net


[j-nsp] MPLS EX4550

2015-03-06 Thread Levi Pederson
All,

I've got a simple MPLS setup with 4 EX4550's.

They are currently in an incomplete ring but will soon have a full ring
situation.

I've currently got 3 circuits on the transport working wonderfully.
However, I'm trying to add another; alas, I'm a bit confused as to how to proceed.

Previous other circuits were easier in the fact they were simply saying the
port on MPLS1-1 is equivalent to this port on MPLS 3-1.

The new circuit is different in that I have to take a VLAN received on a
trunk port and send it through the MPLS network to 3-1 and then into a
vlan-tagged MX-10.

I was wondering if anyone has attempted this and has any pointers.

Thank you,

*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
levipeder...@mankatonetworks.net


[j-nsp] MX80-1 JFlow

2014-12-23 Thread Levi Pederson
All,

Sorry for the inconvenience.  There is a request to move to version9 under
Forwarding options and Services but as I implement I'm getting tons of
requests for config changes that do not make much sense.

Sending Errors Now

-mx80-1# commit check
[edit forwarding-options sampling instance calix family inet output]
  'flow-server'
Output 'interface' or 'inline Jflow' should be configured with
flow-server
[edit forwarding-options sampling instance calix family inet output
flow-server 199.71.143.217]
  'version9'
Service PIC or inline-jflow (j-series and SRX only) must be specified
for version9
error: configuration check-out failed: (statements constraint check failed)

Any help or direction pointing would be helpful.

Thank you,

*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
levipeder...@mankatonetworks.net


Re: [j-nsp] MX80 JFlow Setup

2014-12-23 Thread Levi Pederson
All,

Amazing, prompt and detailed responses.  I'll get to work on these right
away.

Thank you,


*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
levipeder...@mankatonetworks.net


On Tue, Dec 23, 2014 at 11:31 AM, Scott Granados 
wrote:

> Hi there, what you have will work well with a  few modifications.
>
> If you’re using inline sampling you might as well set the rate to 1, the
> sampling is happening at 1:1 regardless and all the rate adjusts in this
> config is the scaling factor.
> Your config also needs sample points so something like
>
> set interfaces xe-0/0/0.0 family inet sampling input
> place an input sampling statement on the interfaces that face your
> upstream and that face your inside network, do not sample on the output
> channel.
>
> You also don’t need to define everything on the template level
> you can just do services monitoring flow sampling template ipv4
> ipv4-template
>
> you can set your flow sizes on the forwarding options sampling instance
> input section and finally you want to define an ipv4 and ipv6 flow-table
> size on the tfeb.
>
> set chassis tfeb slot 0 sampling instance blah ipv4 and ipv6 table-size
>
> note that the tfeb will restart when configured  to reprogram with the new
> flow table size settings.
>
> Settings are 1-15 where the number is x*256K flows.  You can define ipv4
> only if you do not have any ipv6.
>
> Hope that helps.
>
>
> On Dec 23, 2014, at 12:16 PM, Levi Pederson <
> levipeder...@mankatonetworks.net> wrote:
>
> > All,
> >
> > Trying to get an MX80 to output Flow to an external collector.  I've been
> > reading several pieces of documentation and I keep getting differing
> views
> > and opinions on how this is supposed to be done.  I'm looking for the
> > simplest option right now and if I need to expand I can move to more
> > detailed processes after
> >
> > I'm currently using the following
> >
> > [edit chassis]
> > -   tfeb {
> > -   slot 0 {
> > -   sampling-instance calix;
> > -   }
> > -   }
> > [edit]
> > -  forwarding-options {
> > -  sampling {
> > -  instance {
> > -  calix {
> > -  input {
> > -  rate 50;
> > -  }
> > -  family inet {
> > -  output {
> > -  flow-server [ipaddress] {
> > -  port 2058;
> > -  version-ipfix {
> > -  template {
> > -  ipv4;s
> > -  }
> > -  }
> > -  }
> > -  inline-jflow {
> > -  source-address [ipaddress];
> > -  }
> > -  }
> > -  }
> > -  }
> > -  }
> > -  }
> > -  }
> > -  services {
> > -  flow-monitoring {
> > -  version-ipfix {
> > -  template ipv4 {
> > -  flow-active-timeout 60;
> > -  flow-inactive-timeout 70;
> > -  template-refresh-rate {
> > -  seconds 30;
> > -  }
> > -  option-refresh-rate {
> > -  seconds 30;
> > -  }
> > -  ipv4-template;
> > -  }
> > -  }
> > -  }
> > -  }
> >
> >
> > Edited for Anonymity.
> >
> > Thank you,
> > .
> > *Levi Pederson*
> > Mankato Networks LLC
> > cell | 612.481.0769
> > work | 612.787.7392
> > levipeder...@mankatonetworks.net

[j-nsp] MX80 JFlow Setup

2014-12-23 Thread Levi Pederson
All,

Trying to get an MX80 to output Flow to an external collector.  I've been
reading several pieces of documentation and I keep getting differing views
and opinions on how this is supposed to be done.  I'm looking for the
simplest option right now and if I need to expand I can move to more
detailed processes after

I'm currently using the following

[edit chassis]
-   tfeb {
-   slot 0 {
-   sampling-instance calix;
-   }
-   }
[edit]
-  forwarding-options {
-  sampling {
-  instance {
-  calix {
-  input {
-  rate 50;
-  }
-  family inet {
-  output {
-  flow-server [ipaddress] {
-  port 2058;
-  version-ipfix {
-  template {
-  ipv4;
-  }
-  }
-  }
-  inline-jflow {
-  source-address [ipaddress];
-  }
-  }
-  }
-  }
-  }
-  }
-  }
-  services {
-  flow-monitoring {
-  version-ipfix {
-  template ipv4 {
-  flow-active-timeout 60;
-  flow-inactive-timeout 70;
-  template-refresh-rate {
-  seconds 30;
-  }
-  option-refresh-rate {
-  seconds 30;
-  }
-  ipv4-template;
-  }
-  }
-  }
-  }
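Review bot: every statement in both the `[edit chassis]` and `[edit]` hunks carries a leading `-`, which in Junos compare output marks lines being removed, so as pasted this reads as the sampling setup being deleted rather than the configuration in use, and the flattened indentation makes the nesting under `flow-server` and `inline-jflow` hard to check. Posting the same statements as plain `show configuration` output, or piped through `| display set`, would remove that ambiguity. The visible lines also contain no interface-level `sampling input` statement, so it is worth confirming that one exists outside the pasted section.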


Edited for Anonymity.

Thank you,
.
*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
levipeder...@mankatonetworks.net


[j-nsp] SRX Layer 2 Bridge

2014-11-21 Thread Levi Pederson
All,

I'm in a bit of a quandary.  I need to land a vlan on a Tagged interface and
then have it processed by the l3 vlan interface.

I currently have 5 different tags landing on that interface and would like
to add another.

Has anyone accomplished this?  All the internet has given me is the use of
the "family bridge" and that is being rejected as there is an "inet"
statement (on another Logical interface) in existence.

Thank you,

*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
levipeder...@mankatonetworks.net


[j-nsp] Dual Dynamic VPNS

2014-07-11 Thread Levi Pederson
All,

Just a quick question.  I'm looking at creating a new Dynamic VPN into the
office here that allows internet throughput and other cool and sexy
options.  We however already have one setup.   We're using an SRX210 with
the basic license.  I'm wondering if I can create the test dynamic VPN
while the other is still in production.  I'm looking at the hierarchy, and
the commands required seem to overlap the current configuration.  Has
anyone tried this before?

Thank you,

*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
levipeder...@mankatonetworks.net


[j-nsp] Site to Site VPN issues with Cluster

2014-05-08 Thread Levi Pederson
Greetings,

I've created several VPNs with little or no trouble in the past.  Between
both Cisco and Juniper devices.  But I am a little stumped, as I cannot
connect a simple (Static IP) IPSec Tunnel between an SRX240 Cluster and a
single srx210.  I've checked the policies and the proposals and they are
spot on identical.  I've put the external interface on the cluster (lo0.0)
on the right external zone.  I'm also running OS 12.1.X44.D30 which
supports.  I've been reading several diatribes on how to place the loopback
into the redundancy and I have done that as well.  I'm still gathering the
configurations for perusal as they need to be secured.  First question
would be, does anything instantly pop out to anyone?  I'll have the configs
loaded as soon as I can.

Thank you,
*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
levipeder...@mankatonetworks.net