Re: [j-nsp] MX5 firewall filter behaviour

2012-07-23 Thread Michael Phung
Harry,

You were correct. It was indeed a blocked DNS request.

I have opened up the DNS port and there are no more delays.

Thanks for the help!

Michael

On Fri, Jul 20, 2012 at 11:52 AM, Harry Reynolds  wrote:
> Perhaps a reverse dns lookup that fails, thereby delaying prompt?  Maybe add 
> a dns term to see if that helps. The DNS query likely goes off subnet.
>
> HTHs
>
>
> Regards
>
>
>
> -Original Message-
> From: juniper-nsp-boun...@puck.nether.net 
> [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Michael Phung
> Sent: Friday, July 20, 2012 11:36 AM
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] MX5 firewall filter behaviour
>
> Hey Guys,
>
> Got a weird scenario which has me baffled,
>
> I have an MX5 with several irbs. These irbs are protected with filters to permit 
> only specific IPs through to manage the servers within. For the most part the 
> filters are doing their job, but there is a behaviour where, when the filters 
> are put in place, SSH'ing from within the subnet gives a long 30-45 sec 
> pause before the password prompt comes up, whereas when I remove the filter, the 
> password prompt comes up instantly. Since all the servers are on the same 
> subnet, why would making changes to the gateway affect this connectivity? It 
> shouldn't even hit the router. Am I missing something?
>
> Below are the configs;
>
> unit 300 {
>     description "management network";
>     family inet {
>         filter {
>             output mgmt-in;
>         }
>         address 10.1.1.2/28 {
>             vrrp-group 0 {
>                 virtual-address 10.1.1.1;
>                 accept-data;
>             }
>         }
>     }
> }
>
>
> filter mgmt-in {
>     term tcp-established {
>         from {
>             protocol tcp;
>             tcp-established;
>         }
>         then accept;
>     }
>     term full-access {
>         from {
>             source-address {
>                 192.168.1.50/32;
>             }
>         }
>         then accept;
>     }
>     term reject-all {
>         then {
>             reject;
>         }
>     }
> }
>
>
> Looking to see if anyone has any suggestions.
>
> Thanks,
> Michael
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net 
> https://puck.nether.net/mailman/listinfo/juniper-nsp

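The DNS term Harry suggested, written out as an added example of the corrected filter; it is not the list poster's actual change. The off-subnet resolver address 192.0.2.53 is assumed. The mgmt-in filter is applied as an output filter on irb.300, so the resolver's UDP replies to the management hosts are what the original reject-all term was silently dropping (the resolver's TCP replies already match tcp-established). The last term now also logs so a future drop shows up in "show firewall log" rather than only as a slow prompt.

```junos
filter mgmt-in {
    term tcp-established {
        from {
            protocol tcp;
            tcp-established;
        }
        then accept;
    }
    /* Replies from the off-subnet resolver back to the management hosts.
       192.0.2.53 is an assumed resolver address; substitute the real one. */
    term dns-replies {
        from {
            source-address {
                192.0.2.53/32;
            }
            protocol udp;
            source-port 53;
        }
        then accept;
    }
    term full-access {
        from {
            source-address {
                192.168.1.50/32;
            }
        }
        then accept;
    }
    /* Log what the final term drops so the next silent timeout is visible
       in "show firewall log" instead of only as a delayed prompt. */
    term reject-all {
        then {
            log;
            reject;
        }
    }
}
```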


[j-nsp] MX5 firewall filter behaviour

2012-07-20 Thread Michael Phung
Hey Guys,

Got a weird scenario which has me baffled,

I have an MX5 with several irbs. These irbs are protected with filters to
permit only specific IPs through to manage the servers within. For the
most part the filters are doing their job, but there is a behaviour
where, when the filters are put in place, SSH'ing from within the
subnet gives a long 30-45 sec pause before the password prompt
comes up, whereas when I remove the filter, the password prompt comes up
instantly. Since all the servers are on the same subnet, why would
making changes to the gateway affect this connectivity? It shouldn't
even hit the router. Am I missing something?

Below are the configs;

unit 300 {
    description "management network";
    family inet {
        filter {
            output mgmt-in;
        }
        address 10.1.1.2/28 {
            vrrp-group 0 {
                virtual-address 10.1.1.1;
                accept-data;
            }
        }
    }
}


filter mgmt-in {
    term tcp-established {
        from {
            protocol tcp;
            tcp-established;
        }
        then accept;
    }
    term full-access {
        from {
            source-address {
                192.168.1.50/32;
            }
        }
        then accept;
    }
    term reject-all {
        then {
            reject;
        }
    }
}


Looking to see if anyone has any suggestions.

Thanks,
Michael


Re: [j-nsp] VPLS configuration

2012-01-18 Thread Michael Phung
So I have tried the following with no success;

chrismas {
    instance-type vpls;
    interface irb.800; ## 'irb.800' is not defined
    route-distinguisher x.x.x.x:1;
    vrf-target target:1000:10;
    protocols {
        vpls {
            site-range 10;
            no-tunnel-services;
            site A {
                site-identifier 1;
                interface irb.800;
            }
        }
    }
}

Config still does not check out as I get the following error;

Error in parsing routing instances: IRB interfaces need to be
configured using 'routing-interface' command

I know what I am doing wrong, however I'm not sure how to get it
right. I know I'm referencing an IRB here, but the VLAN I'm trunking up
to the PE router is purely L2 and not tied to any IRB. I want to
bridge this L2 VLAN on the other PE router.

So, would this work instead?

xe-4/1/0 {
    description "link to SW";
    flexible-vlan-tagging;
    mtu 1622;
    encapsulation flexible-ethernet-services;
    unit 0 {
        family bridge {
            interface-mode trunk;
            vlan-id-list [ 1000 936 232 ];
        }
    }
}
 }

chrismas {
    instance-type virtual-switch;
    interface xe-4/1/0.0;
    route-distinguisher x.x.x.x:1;
    vrf-target target:X:10;
    protocols {
        vpls {
            site-range 10;
            no-tunnel-services;
            site A {
                site-identifier 1;
            }
        }
    }
    bridge-domains {
        vpls-test {
            vlan-id 232;
        }
    }
}

However, when I commit check this I get an error message;

STP for interface xe-4/1/0.0 must be configured within the virtual
switch chrismas

Doing a "set chrismas protocols rstp interface xe-4/1/0" yields the
following error;

interface xe-4/1/0'
L2CPD : xSTP is already enabled on interface xe-4/1/0 in another
routing instance "master"

Obviously due to the existing rstp protocol running on that interface.

Can anyone help?

Thanks,

Michael


On Tue, Jan 17, 2012 at 10:01 AM, Michael Phung  wrote:
> Hello Everyone,
>
> We're looking to deploy VPLS and L3VPN services on our network and I'm
> looking for some help on creating these instances across our network.
> So far we are focused on providing VPLS first. I've looked through a
> lot of the examples available online from Juniper and also some past
> j-nsp threads, but nothing resembles what we have in place on our MX
> routers. Mostly because we are using bridge family on the links
> facing our customer switch fabric. I'm hoping someone can help me out
> on creating a VPLS instance that spans multiple PE routers. Day one
> we'll be looking to do just a point-point VPLS and have it scale to
> point-multipoint in the future.
>
>
> Here is the topology;
>
> We are using IS-IS/LDP and have enabled l2vpn signalling on our BGP.
>
> C= Customer
> SW= Switch
>
> C---SW---PE-A---P---PE-B---SW---C
>
>
> PE-A router (PE-B is pretty much a mirror config)
>
> interfaces {
>    xe-4/0/0 {
>        apply-groups flows;
>        description "link to P router";
>        mtu 1614;
>        unit 0 {
>            family inet {
>                address X.X.X.X/30;
>            }
>            family iso;
>            family mpls;
>        }
>    }
>    xe-4/1/0 {
>        description "link to SW";
>        flexible-vlan-tagging;
>        mtu 1622;
>        encapsulation flexible-ethernet-services;
>        unit 0 {
>            family bridge {
>                interface-mode trunk;
>                vlan-id-list [ 1000 936 232 ];
>            }
>        }
>    }
> }
> protocols {
>    mpls {
>        interface xe-4/0/0.0;
>    }
>    bgp {
>        graceful-restart;
>        group ibgp-mesh {
>            type internal;
>            neighbor X.X.X.X {
>                description "*P router";
>                family inet {
>                    unicast;
>                }
>                family inet-vpn {
>                    unicast;
>                }
>                family l2vpn {
>                    signaling;
>                }
>            }
>            neighbor X.X.X.X {
>                description "PE-B";
>                family inet {
>                    unicast;
>                }
>                family inet-vpn {
>                    unicast;
>                }
>                family l2vpn {
>                    signaling;
>                }
>            }
>        }
>    }
>    isis {
>        traffic-engineering ignore-lsp-metrics;
>        level 1 disable;
>        level 2 wide-metrics-only;
>        interface xe-4/0/0.0 {
>            apply-groups 

[j-nsp] VPLS configuration

2012-01-17 Thread Michael Phung
Hello Everyone,

We're looking to deploy VPLS and L3VPN services on our network and I'm
looking for some help on creating these instances across our network.
So far we are focused on providing VPLS first. I've looked through a
lot of the examples available online from Juniper and also some past
j-nsp threads, but nothing resembles what we have in place on our MX
routers. Mostly because we are using bridge family on the links
facing our customer switch fabric. I'm hoping someone can help me out
on creating a VPLS instance that spans multiple PE routers. Day one
we'll be looking to do just a point-point VPLS and have it scale to
point-multipoint in the future.


Here is the topology;

We are using IS-IS/LDP and have enabled l2vpn signalling on our BGP.

C= Customer
SW= Switch

C---SW---PE-A---P---PE-B---SW---C


PE-A router (PE-B is pretty much a mirror config)

interfaces {
    xe-4/0/0 {
        apply-groups flows;
        description "link to P router";
        mtu 1614;
        unit 0 {
            family inet {
                address X.X.X.X/30;
            }
            family iso;
            family mpls;
        }
    }
    xe-4/1/0 {
        description "link to SW";
        flexible-vlan-tagging;
        mtu 1622;
        encapsulation flexible-ethernet-services;
        unit 0 {
            family bridge {
                interface-mode trunk;
                vlan-id-list [ 1000 936 232 ];
            }
        }
    }
}
protocols {
    mpls {
        interface xe-4/0/0.0;
    }
    bgp {
        graceful-restart;
        group ibgp-mesh {
            type internal;
            neighbor X.X.X.X {
                description "*P router";
                family inet {
                    unicast;
                }
                family inet-vpn {
                    unicast;
                }
                family l2vpn {
                    signaling;
                }
            }
            neighbor X.X.X.X {
                description "PE-B";
                family inet {
                    unicast;
                }
                family inet-vpn {
                    unicast;
                }
                family l2vpn {
                    signaling;
                }
            }
        }
    }
    isis {
        traffic-engineering ignore-lsp-metrics;
        level 1 disable;
        level 2 wide-metrics-only;
        interface xe-4/0/0.0 {
            apply-groups [ bfd-isis-default isis-node-protection ];
            ldp-synchronization;
            point-to-point;
            level 2 {
                metric 10;
            }
        }
        interface lo0.0 {
            passive;
        }
    }
    ldp {
        track-igp-metric;
        interface xe-4/0/0.0;
        interface lo0.0;
        session-protection;
    }
}
bridge-domains {
    vlan1000-mgmt {
        vlan-id 1000;
        routing-interface irb.1000;
    }
    vlan936-customer {
        vlan-id 936;
        routing-interface irb.936;
    }
    vlan232-L2-customer {
        vlan-id 232;
    }
}

What I'm trying to achieve is to create a VPLS instance that spans
across both PE routers where the servers on the VLAN on either end are
seen on the same Layer 2 segment.

In most examples, the trunk interface is configured as individual
units for each VLAN, whereas we have created a bridge family with
VLAN members.

What I was thinking was the following, but since this is purely just
Layer 2, I do not have an irb defined for the VLAN.

PE-A
routing-instances {
    chrismas {
        instance-type vpls;
        interface irb.232;
        route-distinguisher X.X.X.X:100;
        vrf-target target:1:1;
        protocols {
            vpls {
                site-range 10;
                site PE-A {
                    site-identifier 1;
                }
            }
        }
    }
}

PE-B
routing-instances {
    chrismas {
        instance-type vpls;
        interface irb.232;
        route-distinguisher Y.Y.Y.Y:100;
        vrf-target target:1:1;
        protocols {
            vpls {
                site-range 10;
                site PE-B {
                    site-identifier 2;
                }
            }
        }
    }
}

Any help would be greatly appreciated, and please excuse my ignorance.
New with MPLS and still learning.

Thanks,
Michael



Re: [j-nsp] MPC-3D-16XGE-SFPP on MX960

2010-05-04 Thread Michael Phung
Ahh now that makes sense. Yes the other card is a DPC card.

In order to correct this, I'll have to migrate our connections to the MPC
card. Do you know if a reload is required or can I just pull the DPCs
and online the MPC?

Thanks,

Michael

On Tue, May 4, 2010 at 2:46 AM, Richard A Steenbergen  wrote:
> On Tue, May 04, 2010 at 02:25:16AM -0400, Michael Phung wrote:
>> Hey Guys,
>>
>> We just tried installing an MPC-3D-16XGE-SFPP on an MX960 running
>> 10.0R2.10 in slot 0 and got an error "FPC 0 misconfigured". After this
>> message, any attempt to "online" the FPC just fails with the same
>> message again. The output of "show chassis fpc" shows the following;
>>
>>                      Temp  CPU Utilization (%)   Memory    Utilization (%)
>> Slot State            (C)  Total  Interrupt      DRAM (MB) Heap     Buffer
>>   0  Offline         ---FPC misconfiguration---
>>   1  Online            28     12          0       1024       23         33
>>
>>
>> Anyone else encounter this problem before? This is occurring on 2
>> separate cards on different routers, so I don't think the cards are
>> faulty.
>
> Is the other card in the chassis a trio card as well? You can't mix trio
> and non-trio cards until 10.2, and you can't run the MPC/MIC cards until
> 10.1.
>
> --
> Richard A Steenbergen        http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
>



[j-nsp] MPC-3D-16XGE-SFPP on MX960

2010-05-03 Thread Michael Phung
Hey Guys,

We just tried installing an MPC-3D-16XGE-SFPP on an MX960 running
10.0R2.10 in slot 0 and got an error "FPC 0 misconfigured". After this
message, any attempt to "online" the FPC just fails with the same
message again. The output of "show chassis fpc" shows the following;

                     Temp  CPU Utilization (%)   Memory    Utilization (%)
Slot State            (C)  Total  Interrupt      DRAM (MB) Heap     Buffer
  0  Offline         ---FPC misconfiguration---
  1  Online            28     12          0       1024       23         33


Anyone else encounter this problem before? This is occurring on 2
separate cards on different routers, so I don't think the cards are
faulty.

Any help would be greatly appreciated!

Thanks,

Michael


Re: [j-nsp] Trunking routed vlan interfaces on a Juniper mx960

2009-08-21 Thread Michael Phung
This is some great information!

This is one of the only things I dislike about Junipers; there are so
many ways to do one thing... In the long run I suppose it's better
that way. I'm going to read up on the different options here and see
what is the right fit for our design based on the two examples shown
here.

I noticed that Brian's example includes the STP configuration
via VSTP. Is this still required but just not included in the initial
config sample by James? I just want to make sure I have this crystal
clear in my head before diving into the documentation.

Thanks for all the help guys!!

Michael

*off to read more JUNOS*

On Fri, Aug 21, 2009 at 3:09 PM, Nilesh Khambal wrote:
> Hi Brian,
>
> Your way of configuring trunks and access ports is what I call the old style 
> of configuration, before the introduction of the "interface-mode trunk" and 
> "interface-mode access" knobs in JUNOS. The old style was a bit painful to use 
> when you had to configure multiple vlans on a trunk interface. With the new style, 
> you don't need to configure trunk interfaces with multiple logical units and 
> assign each unit to its corresponding bridge-domain. The interface-mode knob is 
> more user-friendly in that, when you configure it in access or trunk mode 
> with either vlan-id or vlan-id-list respectively, the interface is 
> automatically associated with the corresponding bridge-domain.
>
> Again, it all depends on user convenience.  You should be able to mix 
> old-style configuration with new-style configuration, especially in cases 
> where vlan id normalization is needed.
>
> Thanks,
> Nilesh.
>
>
> On 8/21/09 12:47 PM, "Brian Fitzgerald"  wrote:
>
> Hello Michael
>
> An alternate is to use the flexible-services that the MX has available -
> leaves you able to use other vlans on the ports for direct routed use,
> logical routers, QinQ tagging, VPLS, etc.
>
> HSRP is Cisco specific - the equivalent with everyone else is VRRP -
> which most Cisco gear also supports
>
> The VSTP spanning tree protocol used on the MX (essentially PVST+) is
> something I tinkered with, but we never implemented, so double-check my
> syntax.  As well, it does limit you to using the same vlan tags and a
> matching "normalizing" bridge group tag on all interfaces that are part
> of the bridge group - a fixed requirement on TCAM based Cisco gear, but
> NOT on the MX (which allows you to bridge together dissimilar tags on
> each interface that are part of a bridge group, if you aren't using
> VSTP)
>
> Example:
>
>
> interfaces {
>    ge-2/0/0 {
>        flexible-vlan-tagging;
>        encapsulation flexible-ethernet-services;
>        unit 200 {
>            encapsulation vlan-bridge;
>            vlan-id 200;
>        }
>    }
>    ge-2/1/0 {
>        flexible-vlan-tagging;
>        encapsulation flexible-ethernet-services;
>        unit 200 {
>            encapsulation vlan-bridge;
>            vlan-id 200;
>        }
>    }
>    irb {
>        unit 200 {
>            family inet {
>                address 10.10.10.2/26;
>                vrrp-group 1 {
>                    virtual-address 10.10.10.1;
>                    priority 10;
>                }
>            }
>        }
>    }
> }
> protocols {
>    vstp {
>        vlan 200 {
>             interface ge-2/0/0.200;
>             interface ge-2/1/0.200;
>        }
>    }
> }
>
> bridge-domains {
>    vlan200 {
>        domain-type bridge;
>        vlan-id 200;
>        interface ge-2/0/0.200;
>        interface ge-2/1/0.200;
>        routing-interface irb.200;
>    }
> }
>
> -Original Message-
> From: juniper-nsp-boun...@puck.nether.net
> [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Michael Phung
> Sent: Friday, August 21, 2009 9:24 AM
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] Trunking routed vlan interfaces on a Juniper mx960
>
> Hello everyone,
>
> I just got my hands on a Juniper mx router and I'm starting the
> initial config in preparation to convert from Cisco. As I configure
> the interfaces, I can't seem to figure out how to create a routed vlan
> interface and have the ability to trunk it down multiple physical
> interfaces. I've looked on the web but was unable to find
> anything that directly describes what I'm trying to achieve.
>
> Below is a sample config from a Cisco;
>
> !
> spanning-tree mode pvst
> spanning-tree vlan 200 priority 8192
> !
> interface GigabitEthernet2/1
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 200
>  switchport mode trunk
>  switchport 

[j-nsp] Trunking routed vlan interfaces on a Juniper mx960

2009-08-21 Thread Michael Phung
Hello everyone,

I just got my hands on a Juniper mx router and I'm starting the
initial config in preparation to convert from Cisco. As I configure
the interfaces, I can't seem to figure out how to create a routed vlan
interface and have the ability to trunk it down multiple physical
interfaces. I've looked on the web but was unable to find
anything that directly describes what I'm trying to achieve.

Below is a sample config from a Cisco;

!
spanning-tree mode pvst
spanning-tree vlan 200 priority 8192
!
interface GigabitEthernet2/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 200
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet2/10
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 200
 switchport mode trunk
 switchport nonegotiate
!
interface Vlan200
 ip address 10.10.10.2 255.255.255.192
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby ip 10.10.10.1
!

Can this be done on an MX router? If so, can a sample config be provided?

Any help would be much appreciated.

Michael


[j-nsp] Missing SNMP trapping

2009-02-12 Thread Michael Phung
Hello,

Has anyone here had problems setting up their Juniper M120 router to
report proper SNMP traps, specifically relating to routing protocols?
We're looking to receive SNMP trap notifications on BGP session
up/down states, and OSPF up/down states. We have set up the router
with the full complement of categories but up to this point only
receive PIC power on/off state traps and SONET related traps.

We have the following configured;

snmp {
    community 123456;
    trap-options {
        source-address x.x.x.x;
    }
    trap-group SNMPc {
        version v2;
        categories {
            authentication;
            chassis;
            link;
            remote-operations;
            routing;
            startup;
            rmon-alarm;
            vrrp-events;
            configuration;
            services;
            sonet-alarms;
        }
        targets {
            x.x.x.x;
        }
    }
}


Thanks,
Michael