Re: [j-nsp] Strange Behavior
Adnan,

What version? Have a look at PR/229851

Thanks & Regards,
Tarique A. Nalkhande

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Adnan Mohsin
Sent: Monday, December 07, 2009 3:31 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Strange Behavior

Hi,

I observed strange behavior today with one of my Juniper routers. Whenever I do show | compare rollback on the Juniper router, I receive some unexpected output of commands on my TACACS# server and also in the messages file on the Juniper router. The output I receive on the TACACS server and in the messages file is related to authentication, i.e. OSPF authentication, root-authentication and users authentication. I observed this behavior for the first time. Can anybody tell me why I am getting this strange output in my logs? Did anybody else observe the same behavior before?

Following is an output from the TACACS# server.

Mon Dec 7 07:31:18 2009 cmd=show | compare rollback 0
Mon Dec 7 07:31:19 2009 xxx.xxx.xxx.xxx ttyp0 stop task_id=223 service=shell process*mgd[8696] cmd=set: [system root-authentication encrypted-password]
Mon Dec 7 07:31:19 2009 xxx.xxx.xxx.xxx ttyp0 stop task_id=224 service=shell process*mgd[8696] cmd=deactivate: [system root-authentication encrypted-password] ""
Mon Dec 7 07:31:19 2009 xxx.xxx.xxx.xxx ttyp0 stop task_id=225 service=shell process*mgd[8696] cmd=set: [system tacplus-server xx.xx.xx.xx secret]
Mon Dec 7 07:31:19 2009 xxx.xxx.xxx.xxx ttyp0 stop task_id=226 service=shell process*mgd[8696] cmd=deactivate: [system tacplus-server xx.xx.xx.xx secret] ""
Mon Dec 7 07:31:19 2009 xxx.xxx.xxx.xxx ttyp0 stop task_id=227 service=shell process*mgd[8696] cmd=set: [system accounting destination tacplus server xx.xx.xx.xx secret]
Mon Dec 7 07:31:19 2009 xxx.xxx.xxx.xxx ttyp0 stop task_id=228 service=shell process*mgd[8696] cmd=deactivate: [system accounting destination tacplus server xx.xx.xx.xx secret] ""
Mon Dec 7 07:31:19 2009 xxx.xxx.xxx.xxx ttyp0 stop task_id=233 service=shell process*mgd[8696] cmd=set: [system login user x authentication encrypted-password]
Mon Dec 7 07:31:19 2009 xxx.xxx.xxx.xxx ttyp0 stop task_id=234 service=shell process*mgd[8696] cmd=deactivate: [system login user x authentication encrypted-password] ""
Mon Dec 7 07:31:19 2009 xxx.xxx.xxx.xxx ttyp0 stop task_id=235 service=shell process*mgd[8696] cmd=set: [protocols ospf area xx.xx.xx.xx interface e1-0/0/2.0 authentication md5 100 key]
Mon Dec 7 07:31:19 2009 xxx.xxx.xxx.xxx ttyp0 stop task_id=236 service=shell process*mgd[8696] cmd=deactivate: [protocols ospf area xx.xx.xx.xx interface e1-0/0/2.0 authentication md5 100 key] ""

Router messages file output

Dec 7 14:44:09 mgd[9362]: %CHANGE-6-UI_CFG_AUDIT_SET_SECRET: User 'x' set: [system root-authentication encrypted-password]
Dec 7 14:44:09 mgd[9362]: %CHANGE-6-UI_CFG_AUDIT_OTHER: User 'xx' deactivate: [system root-authentication encrypted-password] ""
Dec 7 14:44:09 mgd[9362]: %CHANGE-6-UI_CFG_AUDIT_SET_SECRET: User 'xx' set: [system tacplus-server xx.xx.xx.xx secret]
Dec 7 14:44:09 mgd[9362]: %CHANGE-6-UI_CFG_AUDIT_OTHER: User 'xx' deactivate: [system tacplus-server xx.xx.xx.xx secret] ""
Dec 7 14:44:09 mgd[9362]: %CHANGE-6-UI_CFG_AUDIT_SET_SECRET: User 'xx' set: [system accounting destination tacplus server xx.xx.xx.xx secret]
Dec 7 14:44:09 mgd[9362]: %CHANGE-6-UI_CFG_AUDIT_OTHER: User 'xx' deactivate: [system accounting destination tacplus server xx.xx.xx.xx secret] ""
Dec 7 14:44:09 mgd[9362]: %CHANGE-6-UI_CFG_AUDIT_SET_SECRET: User 'xx' set: [system login user x authentication encrypted-password]
Dec 7 14:44:09 mgd[9362]: %CHANGE-6-UI_CFG_AUDIT_OTHER: User 'xx' deactivate: [system login user x authentication encrypted-password] ""
Dec 7 14:44:09 mgd[9362]: %CHANGE-6-UI_CFG_AUDIT_SET_SECRET: User 'xx' set: [protocols ospf area xx.xx.xx.xx interface e1-0/0/2.0 authentication md5 100 key]
Dec 7 14:44:09 mgd[9362]: %CHANGE-6-UI_CFG_AUDIT_OTHER: User 'xx' deactivate: [protocols ospf area xx.xx.xx.xx interface e1-0/0/2.0 authentication md5 100 key] ""

Any help would be really appreciated.

Thanks.
Adnan.

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
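A triage sketch for the audit entries quoted in the message above, added here as an example (it is not from the posts or from Juniper): it pairs each UI_CFG_AUDIT_SET_SECRET entry with a same-second deactivate of the same path by the same mgd process, and checks whether a UI_COMMIT from that process follows. The sample lines are constructed in the quoted format; user 'yy', pid 9400 and the verdict names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the router messages file quoted above.
# The last two lines (user 'yy', pid 9400) are invented to show a committed change.
SAMPLE = """\
Dec 7 14:44:09 mgd[9362]: %CHANGE-6-UI_CFG_AUDIT_SET_SECRET: User 'xx' set: [system root-authentication encrypted-password]
Dec 7 14:44:09 mgd[9362]: %CHANGE-6-UI_CFG_AUDIT_OTHER: User 'xx' deactivate: [system root-authentication encrypted-password] ""
Dec 7 14:44:09 mgd[9362]: %CHANGE-6-UI_CFG_AUDIT_SET_SECRET: User 'xx' set: [system tacplus-server xx.xx.xx.xx secret]
Dec 7 14:44:09 mgd[9362]: %CHANGE-6-UI_CFG_AUDIT_OTHER: User 'xx' deactivate: [system tacplus-server xx.xx.xx.xx secret] ""
Dec 7 15:02:41 mgd[9400]: %CHANGE-6-UI_CFG_AUDIT_SET_SECRET: User 'yy' set: [system login user ops authentication encrypted-password]
Dec 7 15:02:55 mgd[9400]: %INTERACT-5-UI_COMMIT: User 'yy' requested 'commit' operation (comment: none)
"""

# Timestamp, optional host tokens, mgd pid, event tag, user, remainder.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?:\S+\s+)*?mgd\[(?P<pid>\d+)\]:\s+"
    r"%\w+-\d-(?P<tag>UI_\w+):\s+User '(?P<user>[^']*)'\s+(?P<rest>.*)$"
)
# "set: [path]" or "deactivate: [path] """
AUDIT = re.compile(r"(?P<verb>\w+): \[(?P<path>[^\]]+)\]")


def triage(log_text):
    """Return one finding per secret-bearing 'set' event, with a verdict.

    paired-no-commit : set and deactivate of the same path in the same second,
                       with no commit from that mgd process (the pattern in the post)
    committed        : a commit from the same mgd process followed the event
    uncommitted      : neither of the above within the supplied log window
    """
    findings = []
    open_by_pid = defaultdict(list)  # findings not yet closed by a commit
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        pid, tag = m["pid"], m["tag"]
        if tag == "UI_COMMIT":
            # Everything this session touched so far went into the active config.
            for f in open_by_pid[pid]:
                f["verdict"] = "committed"
            open_by_pid[pid] = []
            continue
        a = AUDIT.match(m["rest"])
        if not a:
            continue
        if tag == "UI_CFG_AUDIT_SET_SECRET" and a["verb"] == "set":
            f = {"ts": m["ts"], "pid": pid, "user": m["user"],
                 "path": a["path"], "verdict": "uncommitted"}
            findings.append(f)
            open_by_pid[pid].append(f)
        elif a["verb"] == "deactivate":
            for f in open_by_pid[pid]:
                if (f["path"], f["ts"]) == (a["path"], m["ts"]) \
                        and f["verdict"] == "uncommitted":
                    f["verdict"] = "paired-no-commit"
    return findings


def needs_review(findings):
    """Findings that should be checked against change records."""
    return [f for f in findings if f["verdict"] != "paired-no-commit"]


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["ts"], f["pid"], f["user"], f["verdict"], f["path"])
```

The pairing is a heuristic for sorting entries, not a statement about what the referenced PR covers; entries it sets aside should still be confirmed against the router's commit history.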
Re: [j-nsp] LDP/MPLS is mandatory in the route-reflector bgp vpnv4uplink?
Ricardo,

I think that's expected simply because VPN-IPv4 Routes resolve in inet.3 (being MPLS based)

To support L3 VPNs, the Juniper Networks PE router uses several routing tables.

Inet.0 : The first routing table, inet.0 contains routes learned by the provider's IGP and by BGP. These routes include all destinations within the service provider's own network, including the PE and P routers etc.

Inet.3 : The second routing table, inet.3, contains all the routes that are reachable via MPLS LSPs that are learned from either RSVP or LDP. This table provides the connectivity for traffic sent between the PE routers by the CE routers.

Bgp.l3vpn.0 : The PE also maintains a routing table referred to as bgp.l3vpn.0. This table stores Layer 3 VPN routes learned from other PE routers. Routes learned from other PE routers are entered into this table when they are received. "The PE router resolves the next hop for these routes by executing a route lookup in the inet.3 table". This enables the PE router to determine the path to the PE advertising the Layer 3 VPN route.

So unless you have a route/next-hop in inet.3 (LDP/RSVP), these routes will not be installed & will remain hidden/discarded.

Though not sure on cisco's interop part of your query.

Hope it helps!

Thanks & Regards,
Tarique A. Nalkhande

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Ricardo Tavares
Sent: Wednesday, December 02, 2009 9:15 PM
To: Juniper-Nsp
Subject: [j-nsp] LDP/MPLS is mandatory in the route-reflector bgp vpnv4uplink?

Hi guys,

I did some tests using JunOS 9.4 acting as BGP reflector for vpnv4 address-family and found that when I disable LDP in the uplink to the MPLS core the routes sent by this reflector are discarded by the PEs (Cisco or Juniper) but the routes advertised by a Cisco router acting as vpnv4 reflector works fine without LDP.

Is this a normal behavior? If yes someone can explain the process? If yes maybe there is a knob to control this?

Best Regards,
Ricardo Tavares
Re: [j-nsp] IPSec config
A lot is available online, pls help yourself.

http://www.juniper.net/techpubs/software/junos/junos90/feature-guide/configuring-ipsec.html

Thanks & Regards,
Tarique A. Nalkhande

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of chandrasekaran iyer
Sent: Wednesday, December 02, 2009 11:02 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] IPSec config

Hi,

Can anyone send me the working configs of IPSec configuration.

(ASPIC)(ASPIC)
R1-R2

--
Thanks with regards
Shekar.B
--
Re: [j-nsp] Load Balancing in BGP...
Has been discussed before :
http://www.mail-archive.com/juniper-nsp@puck.nether.net/msg06616.html

The answer is Yes, you need to enable it.

Thanks & Regards,
Tarique A. Nalkhande

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Hoogen
Sent: Tuesday, November 24, 2009 4:06 PM
To: juniper-nsp@puck.nether.net; Juniper certification
Subject: [j-nsp] Load Balancing in BGP...

Hi All,

I have a question in BGP case study.. for JNCIP topology when we use multipath options in most case studies.. It does show two next-hops.. But I believe we still need load balance on the forwarding option so as to load balance traffic.. But most of the case studies do not include them as a part of the solutions. Is this overdoing the requirement, or am I missing something..

Any ideas would be great..

-Hoogen
Re: [j-nsp] PR Site URL
Check the below hierarchy:

Juniper.net>support>Junos Defect Search

PR/396291 :
https://www2.juniper.net/prsearch/viewmultiplepr.jsp?searchType=sPRNo&txtPrnumber=396291&sPRNoSearch=Search

Thanks & Regards,
Tarique A. Nalkhande

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Good One
Sent: Saturday, November 14, 2009 9:16 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] PR Site URL

Guys- where do you check juniper PRs like PR/396291 etc... Can anyone write me back with the URL pointing towards PR cases site.

Thanks
BR///
Andrew
Re: [j-nsp] PBR config help
Samit,

Have a look here, rib-groups is what you may need.

http://www.juniper.net/techpubs/software/junos/junos82/swconfig82-policy/html/firewall-config36.html

Hope it helps!

Thanks & Regards,
Tarique A. Nalkhande

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Samit
Sent: Saturday, November 14, 2009 9:01 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] PBR config help

Hi gurus,

I am looking for following cisco PBR example equivalent config for junos and work.

interface GigabitEthernet0/0
 description WAN1-primary
 ip address 192.168.1.1 255.255.255.0

interface GigabitEthernet0/1
 description WAN2-secondary
 ip address 192.168.2.1 255.255.255.0

interface GigabitEthernet0/2
 description To LAN
 ip address 192.168.0.1 255.255.255.192
 ip policy route-map via-wan2

ip access-list extended pbr-test
 permit ip 192.168.10.0 0.0.0.255 any

route-map via-wan2 permit 10
 match ip address pppoe
 set ip next-hop 192.168.2.1

ip route 0.0.0.0 0.0.0.0 192.168.1.2

All traffic with source Ip address 192.168.10.0/24 will go via 192.168.2.1 secondary link remaining traffic will go via default route 192.168.1.2 primary link .

I tried the following in junos but it is not working and all traffic just stuck, any tips would be appreciated..

[edit interfaces ge-0/0/0]
unit 0 {
    description "WAN1-primary";
    family inet {
        address 192.168.1.1/24;
    }
}

[edit interfaces ge-0/0/1]
unit 0 {
    description "WAN2-secondary";
    family inet {
        address 192.168.2.1/24;
    }
}

[edit interfaces ge-0/0/2]
unit 0 {
    description "LAN";
    family inet {
        filter {
            input via-WAN2;
        }
        address 192.168.0.1/24;
    }
}

[edit routing-options static]
route 0.0.0.0/0 next-hop 192.168.1.2;

[edit firewall filter via-WAN2]
term 1 {
    from {
        source-address {
            192.168.10.0/24;
        }
    }
    then {
        routing-instance pbr-test;
    }
}

[edit routing-instances]
pbr-test {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop 192.168.2.1;
                resolve;
            }
        }
    }
}

Regards,
Samit
Re: [j-nsp] BGP strange problem on M10i
Hi Ramesh,

Well, that should be your call. But till the time you make it & for time being with your current configuration, whenever you want to make any change to your import policy you can first deactivate NSR & then commit. NSR can be later reactivated.

Thanks & Regards,
Tarique A. Nalkhande

From: Ramesh Karki [mailto:rameshka...@gmail.com]
Sent: Saturday, November 14, 2009 5:34 PM
To: Nalkhande Tarique Abbas
Cc: Chris Adams; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] BGP strange problem on M10i

Hi,

Thanks for the response and for that Bug information. To achieve high availability we have configured Graceful Routing Engine Switchover with Non-Stop Routing (NSR). So, what do you like to suggest us ?, either change the configuration with Graceful Restart or upgrade the JunOS.

Your help will be appreciated.

Thank you
Ramesh

On Sat, Nov 14, 2009 at 1:07 AM, Nalkhande Tarique Abbas wrote:

If you have NSR configured, then have a look at PR/396291

Thanks & Regards,
Tarique A. Nalkhande

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Ramesh Karki
Sent: Friday, November 13, 2009 10:06 PM
To: Chris Adams; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] BGP strange problem on M10i

Hi,

The version we are using is JunOS 9.2R2.15

I also supposed that Junos do not require any kind of reset, but when I add any new prefixes (own by AS or its customers) on policy-statement to block incoming via upstream and commit, it does not take effect. But when I hard reset the peer then only it takes on effect.

Currently we peering with Tier One1 ISP with two location (Multi-homing to the single AS), and got a full BGP table from both side.

Thank you
Ramesh.

On Fri, Nov 13, 2009 at 8:04 PM, Chris Adams wrote:

> Once upon a time, Ramesh Karki said:
> > First, we had to hard reset the bgp peer whenever we change the policies
> > (inbound policy) that we had set. By just doing soft reset the router will
> > not take effect of that changed policies until we do hard reset.
>
> You shouldn't need to do any kind of reset; on JUNOS, policy changes are
> applied on commit (although it can take a few seconds to work through a
> full BGP table).
>
> You didn't mention what version of JUNOS you are running (always an
> important thing to include when discussing possible bugs).
>
> --
> Chris Adams
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.
Re: [j-nsp] BGP strange problem on M10i
If you have NSR configured, then have a look at PR/396291

Thanks & Regards,
Tarique A. Nalkhande

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Ramesh Karki
Sent: Friday, November 13, 2009 10:06 PM
To: Chris Adams; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] BGP strange problem on M10i

Hi,

The version we are using is JunOS 9.2R2.15

I also supposed that Junos do not require any kind of reset, but when I add any new prefixes (own by AS or its customers) on policy-statement to block incoming via upstream and commit, it does not take effect. But when I hard reset the peer then only it takes on effect.

Currently we peering with Tier One1 ISP with two location (Multi-homing to the single AS), and got a full BGP table from both side.

Thank you
Ramesh.

On Fri, Nov 13, 2009 at 8:04 PM, Chris Adams wrote:

> Once upon a time, Ramesh Karki said:
> > First, we had to hard reset the bgp peer whenever we change the policies
> > (inbound policy) that we had set. By just doing soft reset the router will
> > not take effect of that changed policies until we do hard reset.
>
> You shouldn't need to do any kind of reset; on JUNOS, policy changes are
> applied on commit (although it can take a few seconds to work through a
> full BGP table).
>
> You didn't mention what version of JUNOS you are running (always an
> important thing to include when discussing possible bugs).
>
> --
> Chris Adams
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.
Re: [j-nsp] BGP policy-options policy-statement
Hi Onam,

The default BGP export policy is to readvertise all learned BGP routes to all BGP speakers.

Thanks & Regards,
Tarique A. Nalkhande

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Onam Rubio
Sent: Wednesday, October 21, 2009 10:14 PM
To: Junper J-nsp
Subject: Re: [j-nsp] BGP policy-options policy-statement

Hello Tarique,

I have a new group of BGP, and I will provide internet to my peer, I thought that to send full routing (All routes that I learn from my upstream provider. IMHO) to my neighbor, I need a term Default then accept.

Best regards.

> Subject: RE: [j-nsp] BGP policy-options policy-statement
> Date: Wed, 21 Oct 2009 15:09:44 +0530
> From: ntari...@juniper.net
> To: onamru...@hotmail.com; evge...@ip.datagroup.ua; juniper-nsp@puck.nether.net
>
> >>> I have an issue, I reject my private prefix-list but my BGP policy keep
> sending my private prefix-list.
>
> set policy-options policy-statement OutBound-BGP-Routes-to- term No-Advertise from route-filter 10.0.0.0/8 orlonger reject
>
> -
>
> **I change the configuration and delete the term Default and my BGP
> policy stop sending the private prefix-list
>
> term Default {
>     then accept;
> }
>
> I am not at all sure about the intent of this term? What are we trying
> to achieve with this term ?
>
> Thanks & Regards,
> Tarique A. Nalkhande
>
> -----Original Message-----
> From: juniper-nsp-boun...@puck.nether.net
> [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Onam Rubio
> Sent: Wednesday, October 21, 2009 1:22 PM
> To: evgeniy; Junper J-nsp
> Subject: [j-nsp] BGP policy-options policy-statement
>
> Hi experts,
>
> I have an issue, I reject my private prefix-list but my BGP policy keep
> sending my private prefix-list.
>
> I made the following configuration.
>
> show configuration policy-options policy-statement OutBound-BGP-Routes-to-x
>
> term No-Advertise {
>     from {
>         prefix-list Bogus-Networks;
>     }
>     then reject;
> }
> term Default {
>     then accept;
> }
>
> o...@metis# show policy-options
> prefix-list Bogus-Networks {
>     10.0.0.0/8;
>     127.0.0.0/8;
>     172.16.0.0/12;
>     192.168.0.0/16;
>     224.0.0.0/3;
> }
>
> o...@metis# show protocols bgp group x
> type external;
> local-address x-x-x-x;
> import Inbound-bgp-PRONTO;
> family inet {
>     unicast;
> }
> export OutBound-BGP-Routes-to-x;
> peer-as 28088;
> neighbor x-x-x-x;
>
> [edit]
> o...@metis#
>
> **I change the configuration and delete the term Default and my BGP
> policy stop sending the private prefix-list
Re: [j-nsp] BGP policy-options policy-statement
>>> I have an issue, I reject my private prefix-list but my BGP policy keep sending my private prefix-list.

set policy-options policy-statement OutBound-BGP-Routes-to- term No-Advertise from route-filter 10.0.0.0/8 orlonger reject

-

**I change the configuration and delete the term Default and my BGP policy stop sending the private prefix-list

term Default {
    then accept;
}

I am not at all sure about the intent of this term? What are we trying to achieve with this term ?

Thanks & Regards,
Tarique A. Nalkhande

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Onam Rubio
Sent: Wednesday, October 21, 2009 1:22 PM
To: evgeniy; Junper J-nsp
Subject: [j-nsp] BGP policy-options policy-statement

Hi experts,

I have an issue, I reject my private prefix-list but my BGP policy keep sending my private prefix-list.

I made the following configuration.

show configuration policy-options policy-statement OutBound-BGP-Routes-to-x

term No-Advertise {
    from {
        prefix-list Bogus-Networks;
    }
    then reject;
}
term Default {
    then accept;
}

o...@metis# show policy-options
prefix-list Bogus-Networks {
    10.0.0.0/8;
    127.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
    224.0.0.0/3;
}

o...@metis# show protocols bgp group x
type external;
local-address x-x-x-x;
import Inbound-bgp-PRONTO;
family inet {
    unicast;
}
export OutBound-BGP-Routes-to-x;
peer-as 28088;
neighbor x-x-x-x;

[edit]
o...@metis#

**I change the configuration and delete the term Default and my BGP policy stop sending the private prefix-list
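The export policy from the thread above, modelled as an added example (it is not code from the posts or from Junos): a `from prefix-list` match is exact, so longer prefixes inside the listed networks fall through to term Default, while the `orlonger` match type shown in the reply rejects them. The sample routes and their protocols are constructed; when no term matches, the model applies the default BGP export behaviour described in the reply (BGP-learned routes only).

```python
import ipaddress

# Prefix list copied from the configuration quoted in the thread.
BOGUS_NETWORKS = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def exact(route):
    """'from prefix-list Bogus-Networks': only the listed prefix and length match."""
    return ipaddress.ip_network(route["prefix"]) in BOGUS_NETWORKS


def orlonger(route):
    """'orlonger' match type: the listed prefix and everything inside it match.

    The reply shows this for 10.0.0.0/8 only; applying it to every entry of the
    list is a generalization made for this example.
    """
    net = ipaddress.ip_network(route["prefix"])
    return any(net.subnet_of(b) for b in BOGUS_NETWORKS)


def always(route):
    """A term with no 'from' clause matches every route."""
    return True


def default_bgp_export(route):
    """No term matched: the default BGP export policy sends BGP-learned routes only."""
    return "accept" if route["protocol"] == "bgp" else "reject"


def evaluate(route, terms):
    """Return (term name, action); the first matching term decides."""
    for name, matches, action in terms:
        if matches(route):
            return name, action
    return "default-policy", default_bgp_export(route)


def advertised(routes, terms):
    """Prefixes the policy would send to the peer."""
    return [r["prefix"] for r in routes if evaluate(r, terms)[1] == "accept"]


def leaked(routes, terms):
    """Advertised prefixes that sit inside one of the bogus networks."""
    return [p for p in advertised(routes, terms) if orlonger({"prefix": p})]


# The three policy variants discussed in the thread.
AS_POSTED = [("No-Advertise", exact, "reject"), ("Default", always, "accept")]
WITHOUT_DEFAULT = [("No-Advertise", exact, "reject")]
WITH_ORLONGER = [("No-Advertise", orlonger, "reject"), ("Default", always, "accept")]

# Constructed routing-table sample; prefixes and protocols are assumptions.
ROUTES = [
    {"prefix": "10.0.0.0/8", "protocol": "static"},
    {"prefix": "10.20.30.0/24", "protocol": "static"},
    {"prefix": "192.168.5.0/24", "protocol": "direct"},
    {"prefix": "198.51.100.0/24", "protocol": "bgp"},
    {"prefix": "203.0.113.0/24", "protocol": "static"},
]

if __name__ == "__main__":
    for label, terms in (("as posted", AS_POSTED),
                         ("term Default deleted", WITHOUT_DEFAULT),
                         ("orlonger + Default", WITH_ORLONGER)):
        print(f"{label:22} advertised={advertised(ROUTES, terms)} "
              f"leaked={leaked(ROUTES, terms)}")
```

In the model, deleting term Default stops the leak only because the private routes are not BGP-learned, and it also stops every other non-BGP route from being exported.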
Re: [j-nsp] is it an attack or not?
Greetings Walaa,

These messages are normal. The user is authenticated and it is not an indication of a breach of the router's security.

Basically, JWeb logins appear as a JUNOScript client '(unauthenticated user)'. The JWeb client uses JUNOScript to log the username/password that was entered at the JWeb prompt. The username and password are authenticated thereafter.

Have a look here,
http://kb.juniper.net/index?page=content&id=KB12783

Thanks & Regards,
Tarique A. Nalkhande

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Walaa Abdel razzak
Sent: Monday, October 19, 2009 12:33 AM
To: Jared Mauch
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] is it an attack or not?

Hi

Actually, we had to deactivate the filter that was doing this for some time and during that time, we got the message in addition to the below messages

Oct 18 09:25:20 M320-01-re0 re1 mgd[33869]: %INTERACT-6-UI_JUNOSCRIPT_CMD: User 'root' used JUNOScript client to run command 'set-login-name login-name=Juniper123'
Oct 18 09:25:20 M320-01-re0 re1 mgd[33869]: %INTERACT-6-UI_JUNOSCRIPT_CMD: User 'Juniper123' used JUNOScript client to run command 'commit-configuration'
Oct 18 09:25:20 JED1-IGR-M320-01-re0 re1 mgd[33869]: %INTERACT-5-UI_COMMIT: User 'Juniper123' requested 'commit' operation (comment: none)

Best Regards,
Walaa Abdel Razzak

-----Original Message-----
From: Jared Mauch [mailto:ja...@puck.nether.net]
Sent: Sun 18/10/2009 21:08
To: Walaa Abdel razzak
Cc:
Subject: Re: [j-nsp] is it an attack or not?

Do you filter ssh connections to authorized ip ranges?

Jared Mauch

On Oct 18, 2009, at 1:57 PM, "Walaa Abdel razzak" wrote:

> Hi Experts
>
> I am getting this message on my router log, is it means an attack or
> something performed by router itself:
>
> Oct 18 09:25:16 M320-01-re0 re1 mgd[33869]: %INTERACT-6-UI_JUNOSCRIPT_CMD: User '(unauthenticated user)' used JUNOScript client to run command 'request-authentication user=root logname=root host=M320-01-re0 agent=mgd current-directory=/var/tmp pid=62180 ppid=1145'
>
> Best Regards,
> Walaa Abdel Razzak
Re: [j-nsp] group interface
Try fine tuning Configuration groups to accomplish similar task in Junos.

http://www.juniper.net/techpubs/software/junos/junos93/swconfig-cli/swconfig-cli.pdf

Thanks & Regards,
Tarique A. Nalkhande

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of techt...@gmail.com
Sent: Thursday, October 15, 2009 8:13 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] group interface

Hi,

Which Junos command is parallel to IOS "interface range"?

BR,
MTC
Re: [j-nsp] Layer 3 VPN Routing and Forwarding (VRF) Tables Issue
Hi Jimmy,

How about adding another term in your premium-export policy ..

term export-CT {
    from community csr-CT-vrf;
    then accept;
}

... before reject on both the sides.

Coming to your query on direct route in bgp.l3vpn table, do you mean this is a direct route from inet.0? Is this BGP peer not under any VRF & at a global level?

Thanks & Regards,
Tarique A. Nalkhande

-----Original Message-----
From: Jimmy Halim [mailto:ji...@pacnet.net]
Sent: Monday, October 05, 2009 2:52 PM
To: Nalkhande Tarique Abbas; juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] Layer 3 VPN Routing and Forwarding (VRF) Tables Issue

Hi Tarique,

Yes, I am leaking CT vrf routes into premium vrf on router A using the community.

policy-options policy-statement csr-rib-policy-from-CT-vrf-peer
term aloha {
    from {
        community csr-CT-vrf;
    }
    to rib vrf_premium.inet.0;
    then {
        accept;
    }
}

==

Export policy on router A:

routing-instances vrf_premium:
instance-type vrf;
route-distinguisher 1.1.1.1:9005;
vrf-export premium-export;
vrf-table-label;

policy-options policy-statement premium-export:
term add-premium {
    from protocol [ direct static bgp ];
    then {
        community add rt-premium;
        accept;
    }
}
then reject;

community rt-premium:
members target:10026:9005;

===

Import policy on router B:

routing-instances vrf_premium:
instance-type vrf;
route-distinguisher 2:2:2:2:9005;
vrf-import premium-import;
vrf-table-label;

policy-options policy-statement premium-import
term add-premium {
    from community rt-premium;
    then accept;
}
then reject;

community rt-premium:
members target:10026:9005

By the way, what do you think of the route table bgp.l3vpn.0? Is it correct to say that it shouldn't show the direct peering routes that is provisioned on the same PE?

route table bgp.l3vpn.0 61.217.192.0/18

bgp.l3vpn.0: 316803 destinations, 316803 routes (316803 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

122.122.122.1:9003:61.217.192.0/18
    *[BGP/170] 6w6d 21:34:02, MED 100, localpref 250, from 122.5.5.1
      AS path: 1334 I
      to 122.5.5.2 via so-1/2/0.0 -> Direct peering interface
    > to 122.5.5.3 via so-1/3/0.0 -> Direct peering interface

==

Cheers,
Jimmy

-----Original Message-----
From: Nalkhande Tarique Abbas [mailto:ntari...@juniper.net]
Sent: Monday, October 05, 2009 4:55 PM
To: Jimmy Halim; juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] Layer 3 VPN Routing and Forwarding (VRF) Tables Issue

--I have confirmed that in router A, all the routes that are learned via direct peering (CT vrf) are inside premium vrf route table.

--I can confirm that direct connected, static, and customer's BGP routes that are provisioned in router A under premium vrf are being seen under router B under premium vrf. So the issue is only on those routes that are learned via direct peering under CT vrf. Those routes are not advertised to router B premium vrf. Any clue?

So how do you leak CT vrf routes into premium vrf on router A, by means of community? These routes certainly won't fall under static, direct or customers bgp (of premium). With the available information, I would still doubt the export policy on router A & import on router B of premium vrf. Though having a look at outputs/config on both sides would help.

Thanks & Regards,
Tarique A. Nalkhande

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Jimmy Halim
Sent: Monday, October 05, 2009 2:03 PM
To: juniper-nsp@puck.nether.net
Cc: ji...@pacnet.net
Subject: [j-nsp] Layer 3 VPN Routing and Forwarding (VRF) Tables Issue

Hi guys,

I have a situation where the PE (router A) is not advertising the routes that they got from direct peering (for example under CT vrf) to other PE (router B) under different vrf (for example premium vrf).

I have confirmed that in router A, all the routes that are learned via direct peering (CT vrf) are inside premium vrf route table. It means the import policy is working. The strange thing, those routes are not being advertised to premium vrf in router B. I have confirmed there is no problem with export policy in router A and import policy in router B.

In router A, under route table bgp.l3vpn.0, I am seeing the route that is learned via direct peering interface. This shouldn't be the case right?

==

route table bgp.l3vpn.0 61.217.192.0/18

bgp.l3vpn.0: 316803 destinations, 316803 routes (316803 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

122.122.122.1:9003:61.217.192.0/18
    *[BGP/170] 6w6d 21:34:02, MED 100, localpref 250, from 12
Re: [j-nsp] Layer 3 VPN Routing and Forwarding (VRF) Tables Issue
--I have confirmed that in router A, all the routes that are learned via direct peering (CT vrf) are inside premium vrf route table.

--I can confirm that direct connected, static, and customer's BGP routes that are provisioned in router A under premium vrf are being seen under router B under premium vrf. So the issue is only on those routes that are learned via direct peering under CT vrf. Those routes are not advertised to router B premium vrf. Any clue?

So how do you leak CT vrf routes into premium vrf on router A, by means of community? These routes certainly won't fall under static, direct or customers bgp (of premium). With the available information, I would still doubt the export policy on router A & import on router B of premium vrf. Though having a look at outputs/config on both sides would help.

Thanks & Regards,
Tarique A. Nalkhande

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Jimmy Halim
Sent: Monday, October 05, 2009 2:03 PM
To: juniper-nsp@puck.nether.net
Cc: ji...@pacnet.net
Subject: [j-nsp] Layer 3 VPN Routing and Forwarding (VRF) Tables Issue

Hi guys,

I have a situation where the PE (router A) is not advertising the routes that they got from direct peering (for example under CT vrf) to other PE (router B) under different vrf (for example premium vrf).

I have confirmed that in router A, all the routes that are learned via direct peering (CT vrf) are inside premium vrf route table. It means the import policy is working. The strange thing, those routes are not being advertised to premium vrf in router B. I have confirmed there is no problem with export policy in router A and import policy in router B.

In router A, under route table bgp.l3vpn.0, I am seeing the route that is learned via direct peering interface. This shouldn't be the case right?

==

route table bgp.l3vpn.0 61.217.192.0/18

bgp.l3vpn.0: 316803 destinations, 316803 routes (316803 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

122.122.122.1:9003:61.217.192.0/18
    *[BGP/170] 6w6d 21:34:02, MED 100, localpref 250, from 122.5.5.1
      AS path: 1334 I
      to 122.5.5.2 via so-1/2/0.0 -> Direct peering interface
    > to 122.5.5.3 via so-1/3/0.0 -> Direct peering interface

==

I can confirm that direct connected, static, and customer's BGP routes that are provisioned in router A under premium vrf are being seen under router B under premium vrf. So the issue is only on those routes that are learned via direct peering under CT vrf. Those routes are not advertised to router B premium vrf. Any clue?

Cheers,
Jimmy
Re: [j-nsp] Netflow sampling broken in 9.6R1.13 ?
Alfred, Reply inline... Now Junos 9.6 note "## Warning: 'output' is deprecated" "output" was moved under family in 9.6 & hence the warning. If I activate the new syntax "forwarding-options sampling family inet ...". I get always an error: Config will commit if you remove family inet for input. So basically you just need to reshuffle it & should go through. A sample for you... edit forwarding-options sampling] r...@radium-re1-tarique# show input { rate 1023; run-length 0; } family inet { output { flow-server x.x.x.x { port 1; autonomous-system-type origin; local-dump; source-address y.y.y.y; version 5; } } } [edit forwarding-options sampling] r...@radium-re1-tarique# commit check configuration check succeeds Hope it helps! Thanks & Regards, Tarique A. Nalkhande -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Alfred Schweder Sent: Monday, September 14, 2009 9:45 PM To: juniper-nsp@puck.nether.net Cc: Alfred Schweder Subject: [j-nsp] Netflow sampling broken in 9.6R1.13 ? Hello Till 9.5R2.7 the following is working well: sampling { input ... output { aggregate-export-interval 90; flow-inactive-timeout 15; flow-active-timeout 60; file filename acct files 4 size 521000 world-readable stamp; flow-server 192.168.0.123 { port ; autonomous-system-type origin; aggregation { source-destination-prefix; } no-local-dump; source-address 192.168.0.49; version 8; } } } Now Junos 9.6 note "## Warning: 'output' is deprecated" and the collected data seems to be summariesed at network(?) boundaries. If I activate the new syntax "forwarding-options sampling family inet ..." I get allways an error: error: Check-out failed for Traffic sampling control process (/usr/sbin/sampled) without details error: configuration check-out failed Has somebody a hint ? 
Thanks and regards, ALF
Re: [j-nsp] RPM for performance monitoring?
I think the key differentiator here would be the RPM timestamps for which you have two versions viz RE based timestamps or Hardware timestamps.

The RE based version keeps timestamps in memory when packets are sent and received. This is not very accurate due to the delay added by PFE to RE transit and waiting for CPU time. The desired accuracy for ICMP Echo probes is on the order of that seen via the CLI 'ping' command.

On the other side MS-PIC based time stamps provide the best performance and accuracy since we have dedicated resources for time stamping.

Thanks & Regards,
Tarique A. Nalkhande

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Stefan Fouant
Sent: Monday, September 14, 2009 9:18 PM
To: Juniper List
Subject: [j-nsp] RPM for performance monitoring?

Folks,

I'm interested in gauging performance metrics between nodes (basically looking for minimum, maximum, and average latency) and was wondering if RPM might be a suitable utility for measuring such performance. Before I take an exhaustive look at this in the lab, I'd like to hear your experiences. Ideally, I'd like to push out an SNMP trap in the event the latency exceeds a certain threshold, but at a bare minimum I'll need to be able to look at this data in a historical context.

Any thoughts?

--
Stefan Fouant
Re: [j-nsp] BCP for RE protection
I think you are probably looking for BCP of the following aspects:

- Loopback filter for RE protection against surplus ICMP/ssh/ftp etc..
- Minimizing excessive logging/sampling on hard disk.
- Utilizing chassis redundancy options {like GRES, failover etc}

Am I correct in my understanding?

Thanks & Regards,
Tarique A. Nalkhande

Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of The Dark One
Sent: Tuesday, September 08, 2009 8:36 PM
To: Juniper Puck
Subject: [j-nsp] BCP for RE protection

Experts, are you aware of 'best common practice' for RE protection in an SP environment?

Thanks,
TheDarkOne

I'm on My World (Мой Мир) - http://my.mail.ru/list/thedarkone/
Re: [j-nsp] JNCIP Case Study - 1 Pg 42 - archive size and files
The default maximum file size depends on the platform type:

* 128 kilobytes (KB) for J-series Routers
* 1 (MB) for M-series, MX-series, and T-series routing platforms
* 10 MB for TX Matrix platforms

So based on the setup/platform this value should be defined or probably left to default.

Thanks & Regards,
Tarique A. Nalkhande

Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Hoogen
Sent: Monday, September 07, 2009 10:23 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] JNCIP Case Study - 1 Pg 42 - archive size and files

Modify the syslog parameters to log all interactive CLI commands to a file called rn-cli, where n is equal to the router number. Configure the CLI log to permit four archived copies that will be no larger than 128K, and ensure that CLI-related logging is also sent to 10.0.200.2, which is providing a remote syslog service. All other syslog parameters should be left at their default setting.

Book Solution

    syslog {
        user * {
            any emergency;
        }
        host 10.0.200.2 {
            interactive-commands any;
        }
        file messages {
            any notice;
            authorization info;
        }
        file r2-cli {
            interactive-commands any;
            archive files 4;
        }
    }

My concern is the file r2-cli.. wherein archive files 4 is given.. but the question says "permit four archived copies that will be no larger than 128K"

My Solution was

    syslog {
        user * {
            any emergency;
        }
        host 10.0.200.2 {
            interactive-commands any;
        }
        file messages {
            any notice;
            authorization info;
        }
        file r1-cli {
            interactive-commands any;
            archive size 128k files 4;
        }
    }

Any insight into this... Am I missing something..
Re: [j-nsp] Ethernet CCCC Outer Vlan removal
Pls have a look here,

http://www.juniper.net/techpubs/software/junos/junos90/swconfig-network-interfaces/stacking-and-rewriting-gigabit-ethernet-iq-vlan-tags.html#id-12141009

Hope it helps!

Thanks & Regards,
Tarique A. Nalkhande

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Simon Allard
Sent: Friday, August 28, 2009 5:59 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Ethernet Outer Vlan removal

I have an incoming Ethernet which is double 802.1q tagged. Ie outer vlan 2000 inter vlan 1000. Is there anyway I can remove the outervlan 2000 before placing it into a Ethernet-?

I have a MX960 with a 40-port Gigabit Ethernet R EQ card installed in it.

I have been reading this page on pop,push etc, but it seems to only have a place in incoming untagged frames.

http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-collections/config-guide-network-interfaces/interfaces-rewriting-vlan-tag-untagged-frames.html

Anyone got an idea how I can achieve this?

Cheers.
Simon Allard
Re: [j-nsp] Partition/Format new HD
Brendan,

Your new hdd doesn't look to be in good shape, how about a quick health check?

A smartd,

    r...@radium-re0-tarique% smartd -oX /dev/ad1
    Drive Command Successful, Extended Self test has begun
    Please wait 17 minutes for test to complete
    Use smartd -oA to abort test

Ensure alternate super block exists,

    r...@radium-re0-tarique% newfs -N /dev/ad1s1a
    r...@radium-re0-tarique% newfs -N /dev/ad1s1e

Perform filechecks,

    r...@radium-re0-tarique% fsck -f /dev/ad1s1a
    r...@radium-re0-tarique% fsck -f /dev/ad1s1e

{-f : Force fsck to check `clean' filesystems when preening}

If the above fails, we could preen.

    r...@radium-re0-tarique% fsck -p /dev/ad1s1a
    r...@radium-re0-tarique% fsck -p /dev/ad1s1e

-p : Preen filesystems

Some of the corrective actions which are not correctable under the -p option can result in some loss of data. The above checks will determine our next step.

Thanks & Regards,
Tarique A. Nalkhande

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella
Sent: Friday, August 21, 2009 10:03 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Partition/Format new HD

Hello,

I have been battling trying to replace a failed hard disk on my juniper m7i. I have finally got the disk to be recognized by the system. Now I need to put all the partitions back. The router successfully boots from the CF so I can run system commands.

I tried..

    r...@ibr1.pit> request system partition hard-disk
    mount: /dev/ad1s1e on /altconfig: incorrect super block
    ERROR: Can't access hard disk, aborting partition.

Am I missing a command first?

Thanks,
BRendan
Re: [j-nsp] M7i compact flash card
Basically, the CF cards for each of the packages have been exclusively qualified for each type of RE & hence the presence of different upgrade kits. For instance, If you look at the upgrade kits, you can use the kit CF-UPG2-1G-S for RE-400 and RE-850, which is for M7i and M10i. The CF card will be interchangeable on these two RE types. The kit CF-UPG3-1G-S is for RE-600 and RE-1600. These RE's are present on M5,M10,M20,M40,M40e,M160,T320,T640,TX,M320 respectively. So the CF cards are interchangeable amongst these routing platforms, provided the customer has the respective Routing engine models. And hence its recommended to use Juniper CF for above platforms. However for J-series, third party CFs are supported.. details below: http://www.juniper.net/techpubs/software/jseries/junos90/rn-jseries-90/s upported-third-party-hardware.html Hope it helps! Thanks & Regards, Tarique A. Nalkhande -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Jonathan Brashear Sent: Thursday, August 20, 2009 9:26 PM To: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] M7i compact flash card Sorry, I'll rephrase: Juniper doesn't support non-Juniper CFs *when it comes to tech support*. The system will recognize CFs from other sources though. I believe the serial comes up as NON-JNPR or somesuch when you look at the chassis hardware output. Network Engineer, JNCIS-M 214-981-1954 (office) 214-642-4075 (cell) jbrash...@hq.speakeasy.net http://www.speakeasy.net -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella Sent: Thursday, August 20, 2009 10:48 AM To: Jonathan Brashear; juniper-nsp@puck.nether.net Subject: Re: [j-nsp] M7i compact flash card I have successfully done this on RE-400s on M7i's. I used Sandisk 2GB Ultra II 15MB/s CFs. I believe the actual part number is SDCFH-002G-A11. 
On 8/20/09 10:31 AM, "Jonathan Brashear" http://www.speakeasy.net -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Cyn D. Sent: Thursday, August 20, 2009 8:12 AM To: juniper-nsp@puck.nether.net Subject: [j-nsp] M7i compact flash card Hi list, We are looking at adding a compact flash on our M7i boxes. If we don't order it from Juniper, could someone tell me which manufacture Juniper uses for CF? What's the R/W speed of the card or does it even matter? Any specification of the card is appreciated. Thanks. C. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Broken Per-Flow load sharing
Beginning with JUNOS Release 9.3, you can enable router-specific load balancing by configuring a unique, load balance hash value for each Packet Forwarding Engine slot. To configure per-prefix load balancing. include the load-balance statement at the [edit forwarding-options] hierarchy level: [edit forwarding-options] load-balance { indexed-next-hop; per-flow { hash-seed number; <--- } } To enable per-flow load balancing, you must include the hash-seed number statement. The range that you can configure is 0 through 65,535. 0 is the default value; Though if no hash seed is configured, the elected forwarding next hop should be the same as in previous releases. Hope it helps! Thanks & Regards, Tarique A. Nalkhande -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Serge Vautour Sent: Thursday, August 20, 2009 8:14 PM To: juniper-nsp@puck.nether.net Subject: [j-nsp] Broken Per-Flow load sharing Hello, We have several M320s & T640s in our network running 8.5R4.3. They are all configured for per-flow load sharing: RouterA> show configuration routing-options forwarding-table export perDestinationLoadBalance; RouterA> show configuration policy-options policy-statement perDestinationLoadBalance /* Policy exported against forwarding-table configuration to ensure per-flow-destination load balance */ then { load-balance per-packet; } The routers have 2x 10GEs via switches to reach Aggregation routers. OSPF sees 2 equal cost paths to the BGP next hops and splits the traffic across the links. This has been working fine for a few years (it worked on 8.2 as well). 
We recently upgraded to 9.3R2.8 and load sharing is no longer working: RouterA> show interfaces xe-1/0/0 detail | match "Output packets.*pps" Output packets: 61838797 pps Output packets:00 pps Output packets:525426 pps Output packets:192790 pps Output packets: 31340 pps Output packets:00 pps RouterA> show interfaces xe-2/0/0 detail | match "Output packets.*pps" Output packets: 285078265156 228705 pps Output packets:00 pps Output packets: 280511288646 221803 pps Output packets: 4118406919 6075 pps Output packets:442607080 894 pps Output packets:00 pps The first "Output" line is the 10GE aggregate. The other output lines are the VLANs on the 10GE. Note that the xe-1/0/0 interface has next to 0 pps on output!! We have upgraded two M320s and they are both showing the same problem. My guess is that the per-flow load balancing hash has changed in the newer release. The 9.3 manual talks about setting something like this: [edit forwarding-options hash-key] family inet { layer-3; layer-4; } But it's a bit unclear as to what happens if it isn't set. Can anyone confirm that this will restore per-flow load sharing? Any help would be appreciated. Thanks, Serge __ Looking for the perfect gift? Give the gift of Flickr! http://www.flickr.com/gift/ ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] M120 Boot Up Error
Abhijeet,

The error you observed is simply due to the fact that CF (ad0) is your primary boot device & your router has root (/) mounted on hard disk (ad2)

    r...@lab-re1% sysctl -a | grep bootdevs
    machdep.bootdevs: usb,compact-flash,disk,lan

You need to verify a couple of things before rectifying it..

If you see CF but it's missing from bootlist (use the above command to do so)
If so, you need to manually mount it back as below

    sysctl -w machdep.bootdevs=usb,compact-flash,disk,lan

If it's present in bootlist but corrupted skip the above & proceed with below

Now you can initiate a "request system snapshot"
Pls go through the below for more details..
http://www.juniper.net/techpubs/software/junos/junos90/swcmdref-basics-services/request-system-snapshot.html

Reboot RE for bootlist to be re-evaluated.

Hope it helps!

Thanks & Regards,
Tarique A. Nalkhande

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Abhi
Sent: Tuesday, August 18, 2009 8:09 PM
To: Juniper Puck
Subject: [j-nsp] M120 Boot Up Error

Hi

we have 2 M120 router each with 2 RE; all the 4 RE while booting initially are throwing the following messages.

    mountroot> panic: Root mount failed, startup aborted.
    db_log_stack_trace_cmd(c0d196c0) at 0
    panic(c0c62be0,c7734ca8,c0514dba,0,f3cd8d10) at 0
    vfs_mountroot(c7734ca8,c7735600,debdfb38,3c620096,9714cfea) at 0
    start_init(0,f3cd8d38) at 0
    fork_exit(c0514dba,0,f3cd8d38) at 0
    fork_trampoline() at 0
    --- trap 0x1, eip = 0, esp = 0xf3cd8d6c, ebp = 0 ---
    KDB: enter: panic
    [thread pid 1 tid 16 ]
    Stopped at kdb_enter+0x37: pushl $-0x1
    db>
    db>reset

after i get this message i type in "reset" then the RE reboots and this time it boots from image from Hard Disk and gives message

    JUNOS 8.5R1.13 built 2007-11-14 18:00:01 UTC
    ---
    --- NOTICE: System is running on alternate media device (/dev/ad2s1a).

one thing i have figured out is the image on flash has corrupted somehow for all the RE's. How do i correct this situation?

Thanks in Advance
Regards
Abhijeet.C
Re: [j-nsp] AS-path
AFAIK, NOT (!) operator isn't currently supported in AS-PATH Regex.

Moreso based on your requirement you should only block routes originating from AS100, I don't understand the need for regex to accept routes transiting AS100 (unless you explicitly block it elsewhere)?

The below should suffice your requirement,

    set policy-options as-path No100orig ".* 100"

Thanks & Regards,
Tarique A. Nalkhande

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Judah Scott
Sent: Thursday, August 13, 2009 1:26 AM
To: Fahad Khan
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] AS-path

Without testing It seems like:

    set as-path 100not1000orig ".* 100 .* (!1000)$"

should work.

Thanks,
J Scott

On Wed, Aug 12, 2009 at 11:24 AM, Fahad Khan wrote:
> Dear Folks,
>
> what should be the As-path reg expression for getting the routes transiting
> AS 100 and not originating from AS 100
> regards
>
> --
> Muhammad Fahad Khan
> IT Specialist
> Global Technology Services, IBM
> fa...@pk.ibm.com
> +92-321-2370510
> +92-301-8247638
> http://www.linkedin.com/in/muhammadfahadkhan
> http://fahad-internetworker.blogspot.com
Re: [j-nsp] tacplus on EX3200
Hey Bill,

Looks expected to me. Pls have a look at the following sequence of log message for a login failure in case if you don't have the user locally configured on the switch.

    *** /var/log/messages *** {truncated}
    Jun 7 14:06:34 LAB-RTR login: LOGIN_INVALID_LOCAL_USER: No entry in local password file for user joeuser
    Jun 7 14:06:43 LAB-RTR login: PAM option: conf=/var/etc/pam_tacplus.conf invalid
    Jun 7 14:06:43 LAB-RTR login: PAM option: template_user=remote invalid    <<--
    Jun 7 14:06:43 LAB-RTR login: LOGIN_PAM_NONLOCAL_USER: User joeuser authenticated but has no local login ID
    Jun 7 14:06:43 LAB-RTR login: LOGIN_FAILED: Login failed for user joeuser from host 10.20.1.251

So either you configure all local accounts on each device OR make use of available templates (remote or local). You may find the below handy..

http://www.juniper.net/techpubs/software/junos/junos82/swconfig82-system-basics/html/sys-mgmt-authentication7.html
http://www.juniper.net/techpubs/software/junos/junos82/swconfig82-system-basics/html/sys-mgmt-authentication3.html#1015967

And as it looks... authentication-order [ tacplus password ] .. that you are verifying the user's password against the local password database when access to the TACACS server fails, in that case you eventually need to configure users locally as well.

Hope it helps!

Thanks & Regards,
Tarique A. Nalkhande

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Bill Blackford
Sent: Monday, August 10, 2009 2:23 AM
To: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] tacplus on EX3200

So, I have it working now, but it doesn't seem that is a very elegant solution. I added an account to 'system login user' that corresponds to an account in AD. Seems that when the switch receives a login for a locally configured user, it then (based on my authentication-order) first checks to see if it's in tacacs. With the absence of a locally configured password, the switch then asks tacacs for a password. I was hoping I didn't have to define a bum load of local accounts on each device. I was hoping the switch could just pass the user to tacacs along with the password.

    authentication-order [ tacplus password ];
    tacplus-server {
        ip.ip.ip.ip {
            port 49;
            secret "; ## SECRET-DATA
            timeout 5;
            single-connection;
            source-address ip.ip.ip.ip;
    user joeuser {
        uid 2003;
        class super-user;
    }
    user janeuser {
        uid 2004;
        class super-user;

I could probably simplify the tacacs-server stanza, but this is a start.

Thank you to everyone who offered assistance on this issue.

-b

-Original Message-
From: Nalkhande Tarique Abbas [mailto:ntari...@juniper.net]
Sent: Sunday, August 09, 2009 10:01 AM
To: Bill Blackford; Walaa Abdel razzak
Cc: juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] tacplus on EX3200

Do you have a remote user configured? Pls try to add this ..

    system {
        login {
            user remote {
                full-name "All remote users";
                uid 2001;
                class super-user;
            }
        }
    }

Thanks & Regards,
Tarique A. Nalkhande

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Bill Blackford
Sent: Sunday, August 09, 2009 8:29 PM
To: Walaa Abdel razzak
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] tacplus on EX3200

    authentication-order [ tacplus password ];

-b

-Original Message-
From: Walaa Abdel razzak [mailto:wala...@bmc.com.sa]
Sent: Sunday, August 09, 2009 7:51 AM
To: Bill Blackford; juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] tacplus on EX3200

Hi

Did you check the authentication order on the router? Tacacs log on the server?

BR,
Walaa Abdel Razzak

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Bill Blackford
Sent: Sunday, August 09, 2009 5:23 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] tacplus on EX3200

I'm struggling with getting tacplus working on my EX's and was hoping someone on the list has successfully done this.

    tacplus-server {
        ###.###.###.### {
            port 49;
            secret ""; ## SECRET-DATA
Re: [j-nsp] tacplus on EX3200
Do you have a remote user configured? Pls try to add this ..

    system {
        login {
            user remote {
                full-name "All remote users";
                uid 2001;
                class super-user;
            }
        }
    }

Thanks & Regards,
Tarique A. Nalkhande

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Bill Blackford
Sent: Sunday, August 09, 2009 8:29 PM
To: Walaa Abdel razzak
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] tacplus on EX3200

    authentication-order [ tacplus password ];

-b

-Original Message-
From: Walaa Abdel razzak [mailto:wala...@bmc.com.sa]
Sent: Sunday, August 09, 2009 7:51 AM
To: Bill Blackford; juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] tacplus on EX3200

Hi

Did you check the authentication order on the router? Tacacs log on the server?

BR,
Walaa Abdel Razzak

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Bill Blackford
Sent: Sunday, August 09, 2009 5:23 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] tacplus on EX3200

I'm struggling with getting tacplus working on my EX's and was hoping someone on the list has successfully done this.

    tacplus-server {
        ###.###.###.### {
            port 49;
            secret ""; ## SECRET-DATA
            timeout 5;
            single-connection;
        }
    }

I currently have local accounts with two profiles. super-user and:

    class NOC {
        permissions [ view view-configuration ];

I would want to integrate these two profiles into tacacs as well, but for now I'd like to just get it to authenticate. Tacacs is doing passthough to AD and works fine with Cisco or extreme devices.

What am I missing?

Thanks

-b

--
Bill Blackford
Senior Network Engineer
Technology Systems Group
Northwest Regional ESD

my /home away from home
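The login-failure sequence quoted in the tacplus on EX3200 thread above can be triaged automatically. The following is an added example, not code from the thread or from Juniper: it separates failures where TACACS+ accepted the user but the device had no local or template account from failures with no accepted authentication. The function names and the two mallory lines are constructed, and it assumes a rejected login logs LOGIN_FAILED without a preceding LOGIN_PAM_NONLOCAL_USER.

```python
import re
from collections import defaultdict

# The first five lines are the /var/log/messages excerpt quoted in the thread.
# The last two are constructed for this example: a login that no
# authentication source accepted (192.0.2.77 is a documentation address).
SAMPLE_LOG = [
    "Jun 7 14:06:34 LAB-RTR login: LOGIN_INVALID_LOCAL_USER: No entry in local password file for user joeuser",
    "Jun 7 14:06:43 LAB-RTR login: PAM option: conf=/var/etc/pam_tacplus.conf invalid",
    "Jun 7 14:06:43 LAB-RTR login: PAM option: template_user=remote invalid",
    "Jun 7 14:06:43 LAB-RTR login: LOGIN_PAM_NONLOCAL_USER: User joeuser authenticated but has no local login ID",
    "Jun 7 14:06:43 LAB-RTR login: LOGIN_FAILED: Login failed for user joeuser from host 10.20.1.251",
    "Jun 7 14:09:02 LAB-RTR login: LOGIN_INVALID_LOCAL_USER: No entry in local password file for user mallory",
    "Jun 7 14:09:05 LAB-RTR login: LOGIN_FAILED: Login failed for user mallory from host 192.0.2.77",
]

LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(?P<router>\S+)\s+login:\s+(?P<body>.*)$"
)
PAM_OPT_RE = re.compile(r"^PAM option: (?P<opt>\S+) invalid")
NONLOCAL_RE = re.compile(
    r"^LOGIN_PAM_NONLOCAL_USER: User (?P<user>\S+) authenticated"
)
FAILED_RE = re.compile(
    r"^LOGIN_FAILED: Login failed for user (?P<user>\S+) from host (?P<src>\S+)"
)


def triage(lines):
    """Classify every LOGIN_FAILED by what preceded it on the same router.

    Returns (findings, pam_warnings). A finding's verdict is
    'no-local-account' when the user authenticated remotely first
    (a provisioning gap on the device), otherwise 'rejected'.
    """
    authenticated_no_local = set()      # (router, user) pairs awaiting a failure
    pam_warnings = defaultdict(list)    # router -> PAM options logged as invalid
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue                    # not a login: line, ignore
        router, body = m["router"], m["body"]

        opt = PAM_OPT_RE.match(body)
        if opt:
            pam_warnings[router].append(opt["opt"])
            continue

        accepted = NONLOCAL_RE.match(body)
        if accepted:
            authenticated_no_local.add((router, accepted["user"]))
            continue

        failed = FAILED_RE.match(body)
        if failed:
            key = (router, failed["user"])
            if key in authenticated_no_local:
                authenticated_no_local.discard(key)
                verdict = "no-local-account"
            else:
                verdict = "rejected"
            findings.append({
                "router": router,
                "user": failed["user"],
                "src": failed["src"],
                "verdict": verdict,
            })
    return findings, dict(pam_warnings)


def users_needing_account(findings):
    """Users the remote server accepted but the device could not map."""
    return sorted({f["user"] for f in findings
                   if f["verdict"] == "no-local-account"})


if __name__ == "__main__":
    results, warnings = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f['router']} {f['user']} from {f['src']}: {f['verdict']}")
    print("PAM options logged as invalid:", warnings)
```

A 'no-local-account' verdict points at device provisioning (a missing template or local user), while repeated 'rejected' verdicts from one source are the ones to watch as possible password guessing.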
Re: [j-nsp] Command to modify ADSPEC object default on PATH messages.
AFAIK, JUNOS uses the Adspec field for maximum transmission unit (MTU) negotiation.

So when an LSP is created across a set of links with different MTU sizes, the ingress router does not know what the smallest MTU is on the LSP path. By default, the maximum packet size for the LSP is based on the MTU for the outgoing interface for the LSP on the ingress router. If this MTU is larger than the MTU of one of the intermediate links, traffic might be dropped, because MPLS packets cannot be fragmented.

To prevent this type of packet loss in MPLS LSPs, you can configure MTU signaling in RSVP. Juniper supports the Integrated Services object for MTU signaling in RSVP. MTU signaling in RSVP is disabled by default.

To configure maximum transmission unit (MTU) signaling in RSVP, you need to configure MPLS to allow IP packets to be fragmented before they are encapsulated in MPLS. You also need to configure MTU signaling in RSVP.

To configure MTU signaling in RSVP, include the path-mtu statement:

    path-mtu {
        allow-fragmentation;
        rsvp {
            mtu-signaling;    <<--
        }
    }

    l...@ntarique# run show mpls lsp transit detail
    Transit LSP: 1 sessions

    192.168.255.1
      From: 192.168.255.7, LSPstate: Up, ActiveRoute: 1
      ... truncated...
      FastReroute desired
      PATH rcvfrom: 192.168.245.46 (so-0/2/1.0) 42 pkts
      Adspec: received MTU 1500 sent MTU 1500    <<<---

Thanks & Regards,
Tarique A. Nalkhande

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Thiago Drechsel
Sent: Friday, August 07, 2009 6:37 PM
To: Juniper List
Subject: [j-nsp] Command to modify ADSPEC object default on PATH messages.

Hi list.

Does anybody know what is the configuration needed to add "Guaranteed Service" parameters, on ADSPEC object (RSVP PATH messages)? By default, I see that JUNOS only sends "Default General Parameters" and "Controlled Load" within PATH

Thank you!

--
Thiago Drechsel
Re: [j-nsp] router protect policy
Bill,

Can you try removing the "except" knob.

    source-prefix-list {
        NMS-NETWORKS except;     <<<--

    source-prefix-list {
        BGP-NEIGHBORS except;    <<<--

Thanks & Regards,
Tarique A. Nalkhande

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Bill Blackford
Sent: Wednesday, August 05, 2009 9:24 PM
To: Chuck Anderson; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] router protect policy

9.3S1.6

-b

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Chuck Anderson
Sent: Wednesday, August 05, 2009 8:42 AM
To: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] router protect policy

On Wed, Aug 05, 2009 at 08:11:58AM -0700, Bill Blackford wrote:
> I'm trying to form a router protect policy on an EX3200 that is
> being used as a layer3 border device receiving default routes only
> (temporary until it's replaced by an M series). I was able to create
> a policy that works fine for EX series running layer2 only services.
> Are there any examples or templates to look at?

What version of JUNOS?

> ##
> ## Warning: configuration block ignored: unsupported platform (ex3200-24t)
> ##
> source-prefix-list {
>     NMS-NETWORKS;
> }

source-prefix-list works on my EX4200's running 9.5R2.7 here.
Re: [j-nsp] Stub Router in OSPF
The following is from RFC 2328, page 15.

"Interfaces to point-to-point networks need not be assigned IP addresses. When interface addresses are assigned, they are modelled as stub links, with each router advertising a stub connection to the other router's interface address. Optionally, an IP subnet can be assigned to the point-to-point network. In this case, both routers advertise a stub link to the IP subnet, instead of advertising each others' IP interface addresses."

Thanks & Regards,
Tarique A. Nalkhande

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Fahad Khan
Sent: Tuesday, August 04, 2009 12:24 PM
To: Nilesh Khambal
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Stub Router in OSPF

I have seen that all the networks that are directly connected between neighbours are there as stub lsa in database, why is that so??

R1 ---10.0.0.1/30---10.0.0.2/30---R2

R1 has 10.0.0.2 as stub lsa in its database, why??

regards,

On Tue, Aug 4, 2009 at 11:44 AM, Nilesh Khambal wrote:
> I think it is because no adjacencies are formed on the loopback
> interface.
>
> Thanks,
> Nilesh
>
> --
> Sent from my mobile handheld device
>
> On Aug 3, 2009, at 11:36 PM, "Fahad Khan" wrote:
>
> > Dear All,
> >
> > Why in Junos, a Loopback Network is always advertised as a stub
> > route/LSA
> > (even if it is associated in the OSPF instance)???
> >
> > Thanks in advance,
> > regards,
> > --
> > Muhammad Fahad Khan
> > IT Specialist
> > Global Technology Services, IBM
> > fa...@pk.ibm.com
> > +92-321-2370510
> > +92-301-8247638
> > http://www.linkedin.com/in/muhammadfahadkhan
> > http://fahad-internetworker.blogspot.com

--
Muhammad Fahad Khan
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
Re: [j-nsp] Zero counters for destination-class
What platform & Junos?

AFAIK, DCU filters won't work on output on T-series, M120, & M320 routing platforms b'cos the source class and destination classes are not carried across the platform fabric.

Thanks & Regards,
Tarique A. Nalkhande

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Alexander Shikoff
Sent: Wednesday, July 29, 2009 8:47 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Zero counters for destination-class

Hello,

I have a problem with configuring DCU for my customer's interface. We split all traffic from/to customer into two classes:

minot...@br1-gdr.ki> show configuration policy-options policy-statement Mark-FT
term World {
    from interface [ ge-0/0/0.403 ge-0/0/0.1252 ];
    then {
        destination-class to-World;
        source-class from-World;
        accept;
    }
}
term UA-IX {
    from interface [ ge-0/0/0.401 ge-0/0/0.1012 ];
    then {
        destination-class to-UAIX;
        source-class from-UAIX;
        accept;
    }
}
term default {
    then accept;
}

minot...@br1-gdr.ki> show configuration routing-options forwarding-table
export Mark-FT;

All prefixes in forwarding table are marked properly with classes:

minot...@br1-gdr.ki> show route 3.0.0.0/8 extensive | match class:
    Destination class: to-World
    Source class: from-World

On all interfaces faced to our upstreams accounting is configured as follows:

minot...@br1-gdr.ki> show configuration interfaces ge-0/0/0 unit 401 family inet accounting
source-class-usage {
    input;
    output;
}

On customer's interface accounting is configured as follows:

minot...@br1-gdr.ki> show configuration interfaces ge-0/0/0 unit 404 family inet accounting
source-class-usage {
    output;
}
destination-class-usage;

But counters for DCU on customer's interface are zeros:

minot...@br1-gdr.ki> show interfaces ge-0/0/0.404 statistics
  Logical interface ge-0/0/0.404 (Index 72) (SNMP ifIndex 208)
[...]
    Flags: No-Redirects, DCU, SCU-out
                                Packets                Bytes
    Destination class    (packet-per-second)    (bits-per-second)
              to-UAIX                     0                    0
                         (               0)    (              0)
             to-World                     0                    0
                         (               0)    (              0)
                                Packets                Bytes
    Source class         (packet-per-second)    (bits-per-second)
            from-UAIX                172488             22956232
                         (             102)    (         103505)
           from-World                559708            212043472
                         (             566)    (        2138642)
[...]

Any help will be appreciated! Thanks.

--
MINO-RIPE
Re: [j-nsp] J6350 auto reboot.
Hi Asif,

"Misc hardware failure"..That shouldn't be anything to worry!

Apart from that what Junos version? Anything that you feel triggers it? Can you share more details like the complete console output during the reboot.

Thanks & Regards,
Tarique A. Nalkhande

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Muhammad Asif Rao
Sent: Wednesday, July 22, 2009 1:48 PM
To: Juniper Puck
Subject: [j-nsp] J6350 auto reboot.

Hi List,

having problem with juniper box getting auto-reboot, logs mentioning misc hardware failure. I would appreciate if anyone could give exact insight to the problem. have logs for details

Jul 21 20:10:57 /kernel: WARNING: / was not properly dismounted
Jul 21 20:10:57 /kernel: Mounted junos package on /dev/vn0...
Jul 21 20:10:57 /kernel:
Jul 21 20:10:57 /kernel: Automatic reboot in progress...
Jul 21 20:10:57 /kernel: /dev/ad0s1a:
Jul 21 20:10:57 /kernel: 292 files, 46398 used, 171641 free
Jul 21 20:10:57 /kernel: (121 frags, 21440 blocks, 0.1% fragmentation)
Jul 21 20:10:57 /kernel: /dev/bo0s1e:
Jul 21 20:10:57 /kernel: 5 files, 17 used, 24374 free
Jul 21 20:10:57 /kernel: (14 frags, 3045 blocks, 0.1% fragmentation)
Jul 21 20:10:57 /kernel: Verified junos signed by PackageProduction_8_3_0
Jul 21 20:10:57 /kernel: Verified jboot signed by PackageProduction_8_3_0
Jul 21 20:10:57 /kernel: Warning: Block size and bytes per inode restrict cylinders per group to 22.
Jul 21 20:10:57 /kernel: Warning: Block size restricts cylinders per group to 23.
Jul 21 20:10:57 /kernel: Warning: Block size restricts cylinders per group to 26.
Jul 21 20:10:57 /kernel: Warning: Block size restricts cylinders per group to 27.
Jul 21 20:10:57 /kernel: Warning: Block size restricts cylinders per group to 26.
Jul 21 20:10:57 /kernel: Loading configuration ...
Jul 21 20:10:57 /kernel: mgd: commit complete
Jul 21 20:10:57 /kernel: Setting initial options:
Jul 21 20:10:57 /kernel: debugger_on_panic=NO
Jul 21 20:10:57 /kernel: debugger_on_break=NO
Jul 21 20:10:57 /kernel: .
Jul 21 20:10:57 /kernel: Doing initial network setup:
Jul 21 20:10:57 /kernel:
Jul 21 20:10:57 /kernel: keyadmin
Jul 21 20:10:57 /kernel: .
Jul 21 20:10:57 /kernel: Initial interface configuration:
Jul 21 20:10:57 /kernel: additional daemons:
Jul 21 20:10:57 /kernel: eventd
Jul 21 20:10:57 /kernel: .
*Jul 21 20:10:58 savecore: no core dump (no dumpdev)
Jul 21 20:10:58 /kernel: savecore: no core dump (no dumpdev)
Jul 21 20:10:58 savecore: Reboot reason(s): 0x10: misc hardware reason*
Jul 21 20:10:58 /kernel: savecore: Reboot reason(s): 0x10: misc hardware reason
Jul 21 20:10:58 /kernel: Additional routing options:
Jul 21 20:10:58 /kernel: ipsec kld
Jul 21 20:10:58 /kernel: rtl kld
Jul 21 20:10:58 /kernel: .
Jul 21 20:10:58 /kernel: Doing additional network setup:
Jul 21 20:10:58 /kernel: .
Jul 21 20:10:58 /kernel: Starting final network daemons:
Jul 21 20:10:58 /kernel: .
Jul 21 20:10:58 /kernel: setting ldconfig path: /usr/lib /opt/lib
Jul 21 20:10:58 /kernel: starting standard daemons:
Jul 21 20:10:58 /kernel: cron
Jul 21 20:10:58 /kernel: .
Jul 21 20:10:58 /kernel: Initial rc.i386 initialization:
Jul 21 20:10:58 /kernel: microcode kld
Jul 21 20:10:58 /kernel: Microcode: No microcode found (cpuid=f49, platform_id=0x10)

Thanks,
@$if
Re: [j-nsp] BGP session is not coming up
Hey Matthias,

Any filter on the interface? Config of interface pls?

As Truman also pointed out, can you pls share,

show log messages | match NOTIFICATION

This would help to identify the BGP Notification code/subcode.

Thanks & Regards,
Tarique A. Nalkhande

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Matthias Gelbhardt
Sent: Wednesday, July 22, 2009 12:47 PM
To: Muhammad Aamir
Cc: juniper-nsp
Subject: Re: [j-nsp] BGP session is not coming up

Hi!

After deleting the local-address (and testing with multihop) I get

Jul 22 09:13:41.322465 advertising receiving-speaker only capabilty to neighbor x.x.x.x (External AS xx)
Jul 22 09:13:41.323342 bgp_send: sending 59 bytes to x.x.x.x (External AS xx)
Jul 22 09:13:41.323954
Jul 22 09:13:41.323954 BGP SEND x.x.x.x+52277 -> x.x.x.x+179
Jul 22 09:13:41.325172 BGP SEND message type 1 (Open) length 59
Jul 22 09:13:41.327835
Jul 22 09:13:41.327835 BGP RECV x.x.x.x+179 -> x.x.x.x+52277
Jul 22 09:13:41.329110 BGP RECV message type 1 (Open) length 29
Jul 22 09:13:41.329866
Jul 22 09:13:41.329866 BGP RECV x.x.x.x+179 -> x.x.x.x+52277
Jul 22 09:13:41.331374 BGP RECV message type 3 (Notification) length 21

The strange thing: That has stopped working out of the blue. As this is a provider, we are unable to get the other side.

Matthias

On 22.07.2009 at 09:04, Muhammad Aamir wrote:

> Dear matthias,
>
> Have u tried this with "multihop", Because you have used local-address
> in your ebgp config. If local address is your loopback
> interface then you need to configure multihop. Also please share the
> remote end config as well if possible.
>
> Regards.
>
> Aamir
>
> On Wed, Jul 22, 2009 at 12:55 PM, Matthias Gelbhardt wrote:
> Hi!
>
> We have a problem with a BGP session. The session is not coming up,
> and I don't know why. It is an eBGP session:
>
> Log:
>
> Jul 22 08:30:08 muenster /kernel: tcp_auth_ok: Packet from x.x.x.x:179 missing MD5 digest
>
> tracelog:
>
> Jul 22 08:50:16.426122 bgp_connect_complete: error connecting to
> x.x.x.x (External AS x): Socket is not connected
>
> tcpdump;
>
> 08:49:07.632649 Out IP x.x.x.x.60582 > x.x.x.x.179: S
> 594093001:594093001(0) win 16384 0,nop,nop,timestamp[|tcp]>
>
> config:
>
> group external {
>     type external;
>     neighbor xx {
>         description uplink_;
>         local-address xx;
>         import import_bgp_;
>         inactive: authentication-key "$9$u-xxx"; ## SECRET-DATA
>         export [ export_prepend export_bgp_external ];
>         peer-as xx;
>     }
> }
>
> Any ideas?
>
> Leaving the MD5 does not work, I even have restarted the routing
> process with no luck.
>
> Matthias
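The kernel message quoted in this thread ("tcp_auth_ok: Packet from x.x.x.x:179 missing MD5 digest") is a useful signal to collect when a TCP-MD5 protected BGP session stops establishing. The Python below is an added example, not part of the thread: it scans syslog lines for that message and summarises it per router and peer. The sample lines are constructed (documentation addresses, the hostname from the post), and only the message wording is taken from the page.

```python
import ipaddress
import re
from collections import defaultdict

# Message wording as quoted in the thread. The optional space after the
# address colon tolerates the wrap seen in the archived mail ("x.x.x.x: 179").
PATTERN = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"/kernel:\s+tcp_auth_ok:\s+Packet from\s+"
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3}):\s?(?P<port>\d{1,5})\s+"
    r"missing MD5 digest\s*$"
)

# Constructed sample input (not from the original post).
SAMPLE_LOG = """\
Jul 22 08:30:08 muenster /kernel: tcp_auth_ok: Packet from 192.0.2.1:179 missing MD5 digest
Jul 22 08:30:40 muenster /kernel: tcp_auth_ok: Packet from 192.0.2.1: 179 missing MD5 digest
Jul 22 08:31:12 muenster /kernel: tcp_auth_ok: Packet from 192.0.2.1:179 missing MD5 digest
Jul 22 08:31:15 muenster /kernel: tcp_auth_ok: Packet from 198.51.100.7:51515 missing MD5 digest
Jul 22 08:31:20 muenster sshd[1234]: Accepted publickey for admin from 203.0.113.5 port 50000 ssh2
Jul 22 08:31:21 muenster /kernel: tcp_auth_ok: Packet from 999.1.1.1:179 missing MD5 digest
"""


def parse_line(line):
    """Return one event dict for a 'missing MD5 digest' line, else None."""
    m = PATTERN.match(line.strip())
    if not m:
        return None
    try:
        peer = ipaddress.ip_address(m.group("addr"))
    except ValueError:
        return None  # looks like the message but carries an invalid address
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "peer": str(peer),
        "port": int(m.group("port")),
    }


def summarize(lines, min_events=1):
    """Group events by (router, peer); keep pairs with at least min_events."""
    stats = defaultdict(
        lambda: {"count": 0, "first": None, "last": None, "ports": set()}
    )
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = stats[(ev["host"], ev["peer"])]
        s["count"] += 1
        s["first"] = s["first"] or ev["ts"]
        s["last"] = ev["ts"]
        # Source port 179 means the segment came from the peer's BGP listener,
        # which is the case shown in the thread.
        s["ports"].add(ev["port"])
    return {k: v for k, v in stats.items() if v["count"] >= min_events}


if __name__ == "__main__":
    for (host, peer), s in summarize(SAMPLE_LOG.splitlines()).items():
        print(host, peer, s["count"], s["first"], s["last"], sorted(s["ports"]))
```
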
Re: [j-nsp] vlan-id 0
Masood, Do you think its possible to configure anything other than unit 0 without vlan-tagging? I hope that answers your question. > ge-1/1/0.1 upup inet 1.1.1.0/31 <-- > ge-1/1/0.2 upup inet 2.2.2.0/31 <-- Thanks & Regards, Tarique A. Nalkhande -Original Message- From: mas...@nexlinx.net.pk [mailto:mas...@nexlinx.net.pk] Sent: Thursday, July 09, 2009 9:46 PM To: Nalkhande Tarique Abbas Cc: Bit Gossip; Juniper List Subject: Re: [j-nsp] vlan-id 0 Your configuration is missing "vlan-tagging" Is behaviour remains the same if you add "vlan-tagging" under interface configuration. Regards, Masood Blog: http://weblogs.com.pk/jahil/ > > Hi > > AFAIK, basically a unit 32767 is created implicitly when "vlan-tagging" > is enabled to pass untagged control traffic (like STP, LACP ... etc). > When a unit with vlan-id 0 is configured, this unit itself is used to > send the control traffic. So the unit 32767 then gets deleted. > > > > ge-1/1/0upup > ge-1/1/0.1 upup inet 1.1.1.0/31 > ge-1/1/0.2 upup inet 2.2.2.0/31 > ge-1/1/0.32767 upup > > r...@sulfur# show | compare > [edit interfaces ge-1/1/0] > +unit 0 { > +vlan-id 0; > +} > > l...@sulfur> show interfaces terse | match ge-1/1/0 > ge-1/1/0upup > ge-1/1/0.0 upup > ge-1/1/0.1 upup inet 1.1.1.0/31 > ge-1/1/0.2 upup inet 2.2.2.0/31 > > > > Thanks & Regards, > Tarique A. Nalkhande > > > -Original Message- > From: juniper-nsp-boun...@puck.nether.net > [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Bit Gossip > Sent: Thursday, July 09, 2009 6:13 PM > To: Juniper List > Subject: [j-nsp] vlan-id 0 > > Experts, > do you know what is the meaning of vlan-id 0? > According to: http://en.wikipedia.org/wiki/IEEE_802.1Q > "VLAN Identifier (VID): a 12-bit field specifying the VLAN to which the > frame belongs. 
A value of 0 means that the frame doesn't belong to any > VLAN; in this case the 802.1Q tag specifies only a priority and is > referred to as a priority tag" > > How would I match this Juniper config: > > show configuration interfaces ge-0/0/0 > vlan-tagging; > unit 0 { > vlan-id 0; > family inet { > address 1.1.1.1/30; > } > } > > on a cisco device on the other end of the cable where vlan starts from > 1? > > r2(config-subif)#encapsulation dot1Q ? > <1-4094> IEEE 802.1Q VLAN ID required > > Thanks, > bit > > ___ > juniper-nsp mailing list juniper-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/juniper-nsp > ___ > juniper-nsp mailing list juniper-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/juniper-nsp > ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] vlan-id 0
Hi AFAIK, basically a unit 32767 is created implicitly when "vlan-tagging" is enabled to pass untagged control traffic (like STP, LACP ... etc). When a unit with vlan-id 0 is configured, this unit itself is used to send the control traffic. So the unit 32767 then gets deleted. ge-1/1/0upup ge-1/1/0.1 upup inet 1.1.1.0/31 ge-1/1/0.2 upup inet 2.2.2.0/31 ge-1/1/0.32767 upup r...@sulfur# show | compare [edit interfaces ge-1/1/0] +unit 0 { +vlan-id 0; +} l...@sulfur> show interfaces terse | match ge-1/1/0 ge-1/1/0upup ge-1/1/0.0 upup ge-1/1/0.1 upup inet 1.1.1.0/31 ge-1/1/0.2 upup inet 2.2.2.0/31 Thanks & Regards, Tarique A. Nalkhande -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Bit Gossip Sent: Thursday, July 09, 2009 6:13 PM To: Juniper List Subject: [j-nsp] vlan-id 0 Experts, do you know what is the meaning of vlan-id 0? According to: http://en.wikipedia.org/wiki/IEEE_802.1Q "VLAN Identifier (VID): a 12-bit field specifying the VLAN to which the frame belongs. A value of 0 means that the frame doesn't belong to any VLAN; in this case the 802.1Q tag specifies only a priority and is referred to as a priority tag" How would I match this Juniper config: show configuration interfaces ge-0/0/0 vlan-tagging; unit 0 { vlan-id 0; family inet { address 1.1.1.1/30; } } on a cisco device on the other end of the cable where vlan starts from 1? r2(config-subif)#encapsulation dot1Q ? <1-4094> IEEE 802.1Q VLAN ID required Thanks, bit ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Sanitising m/t series routers?
Hi Andrew,

[edit]
load factory-default
commit

or

load override /packages/mnt/jbase/sbin/install/default-juniper.conf.

This will restore back the factory-default juniper configuration and will flush out the rest. Hope it helps.

[P.S: you may be required to add back root-authentication for successful commit]

Thanks & Regards,
Tarique A. Nalkhande

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Andrew Cheng
Sent: Tuesday, July 07, 2009 11:12 AM
To: juniper-nsp
Subject: [j-nsp] Sanitising m/t series routers?

Hi There

I have to sanitise a large number of routers (ie, remove all configs, logs.. everything), and was wondering if there was a magic way of doing it remotely?

There is the tedious way of going through and deleting /var/log, all configs.. etc etc, but surely there must be a better way?

Thanks,
Andrew
Re: [j-nsp] UK adsl config
Hey Nick,

AFAIK, the access-profile configuration should work if the client name matches the service provider BRAS hostname.

Try to use "passive" knob under ppp-options chap & also add local-name under it.

unit 0 {
    description "ADSL Backup";
    encapsulation atm-ppp-vc-mux;
    vci 38;
    ppp-options {
        chap {
            access-profile adsl-details;
            local-name <>    <<---
            passive;         <<---
        }

If that doesn't work, won't be a bad idea to try the other way round, i.e., using "passive" knob under the [ppp-options chap] and also "local-name " and "default-chap-secret ".

unit 0 {
    description "ADSL Backup";
    encapsulation atm-ppp-vc-mux;
    vci 38;
    ppp-options {
        chap {
            default-chap-secret ""$90BIRhr";## SECRET-DATA
            local-name <>;
            passive    <<--

Thanks & Regards,
Tarique A. N.

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Nick Ryce
Sent: Tuesday, June 30, 2009 6:19 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] UK adsl config

Hi Guys,

I am having difficulties getting an adsl pim module to work in a j2320 running 9.3R2.8 Enhanced services. SP is using ppoa with chap authentication and I have confirmed the adsl line is working by using a netgear adsl modem. We are seeing sync but cannot establish a PPP connection. Below is my config, any help much appreciated.

description "ADSL Connection";
mtu 1500;
encapsulation atm-pvc;
atm-options {
    vpi 0;
}
dsl-options {
    operating-mode auto;
}
unit 0 {
    description "ADSL Backup";
    encapsulation atm-ppp-vc-mux;
    vci 38;
    ppp-options {
        chap {
            access-profile adsl-details;
        }
    }
    keepalives interval 10 up-count 1 down-count 3;
    family inet {
        negotiate-address;
    }
}

Adsl-details have a client name and a chap secret which we have confirmed is correct.

Nick
Re: [j-nsp] Maximum no. of static arp entries in M7i
Samit

Something similar to limit source-mac should help...you can try to fine tune it further!

l...@m120# show interfaces ge-1/3/0
encapsulation flexible-ethernet-services;
gigether-options {    <===
    source-filtering;
}
}
vlan-id 1001;
encapsulation vlan-vpls
accept-source-mac {
    mac-address 00:17:9a:00:73:91;    <===

Thanks & Regards,
Tarique

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Samit
Sent: Friday, June 26, 2009 10:50 AM
To: Patrik Olsson
Cc: juniper-nsp
Subject: Re: [j-nsp] Maximum no. of static arp entries in M7i

In a static IP address allocation to the customers scenario, is there any other way other to discourage the users to abuse another subscribers IP or MAC address and access/abuse the internet in a L2 switched network (wire/wireless) where you do not have capabilities to control this from a switch port?

Currently am using linux router and doing IP+Mac filtering using iptables, and now wondering if I can replace it with Juniper M7i do the same but I believe it is not possible to run such filtering.

Samit

Patrik Olsson wrote:
> Out of sheer curiosity, why static arp:s?
>
> Patrik
>
>> Hi,
>>
>> Any idea how many no. of static arp entries M7i interfaces/junos will
>> accept and work?
>>
>> interfaces ge-1/3/0 {
>>     unit 0 {
>>         family inet {
>>             address 192.168.0.1/24 {
>>                 arp 192.168.0.2 mac 00:17:f2:cb:89:43;
>>             }
>>         }
>>     }
>> }
>>
>> Regards,
>> Samit
Re: [j-nsp] as-path filtering
Try this.. set policy-options as-path a ".*1234" set policy-options as-path b ".*5678" Thanks & Regards, Tarique A. Nalkhande -Original Message- From: Samit [mailto:janasa...@wlink.com.np] Sent: Monday, June 22, 2009 10:47 AM To: Nalkhande Tarique Abbas Cc: juniper-nsp Subject: Re: [j-nsp] as-path filtering Thanks Scott/Tarique, changed the rule as per your advice but for some reason it is not working...and could not figure out either. protocols { bgp { group "ebgp-test" { type external; import test-in; peer-as 200; neighbor 192.168.0.1 } } policy-options { policy-statement test-in { from as-path [a b]; then reject; } as-path a "_1234$"; as-path b "_5678$"; } } Still seeing routes originated from AS1234 and 5678 in the routing table. Regards, Samit Nalkhande Tarique Abbas wrote: > Pls make appropriate changes as below & it should work ! > > > lab# show | compare > [edit policy-options] > + policy-statement test { > + from as-path [ test test1 ]; > + then reject; > + } > [edit policy-options] > + as-path test "_1234$"; > + as-path test1 "_5678$"; > > > > Thanks & Regards, > Tarique A. Nalkhande > > > -Original Message- > From: juniper-nsp-boun...@puck.nether.net > [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Samit > Sent: Sunday, June 21, 2009 6:47 PM > To: juniper-nsp > Subject: [j-nsp] as-path filtering > > Hi, > > How to do this in junos? > > Cisco config example: > > ip as-path access-list 1 deny _1234$ > ip as-path access-list 1 deny _5678$ > ip as-path access-list 1 permit .* > > router bgp 100 > neighbor 192.168.0.1 remote-as 200 > neighbor 192.168.0.1 des ebgp-test > neighbor 192.168.0.1 filter-list 1 in > > Tried but not working.. 
> > protocols { > bgp { > group "ebgp-test" { > type external; > import test-in; > peer-as 200; > neighbor 192.168.0.1 { > } > } > policy-options { > policy-statement test-in { > term 1 { > from as-path-group test; > then reject; > } > term 2 { > then accept; > } > } > as-path-group test { > as-path a "_1234$"; > as-path b "_5678$"; > } > } > > > Regards, > Samit > > ___ > juniper-nsp mailing list juniper-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/juniper-nsp > > ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] as-path filtering
Pls make appropriate changes as below & it should work ! lab# show | compare [edit policy-options] + policy-statement test { + from as-path [ test test1 ]; + then reject; + } [edit policy-options] + as-path test "_1234$"; + as-path test1 "_5678$"; Thanks & Regards, Tarique A. Nalkhande -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Samit Sent: Sunday, June 21, 2009 6:47 PM To: juniper-nsp Subject: [j-nsp] as-path filtering Hi, How to do this in junos? Cisco config example: ip as-path access-list 1 deny _1234$ ip as-path access-list 1 deny _5678$ ip as-path access-list 1 permit .* router bgp 100 neighbor 192.168.0.1 remote-as 200 neighbor 192.168.0.1 des ebgp-test neighbor 192.168.0.1 filter-list 1 in Tried but not working.. protocols { bgp { group "ebgp-test" { type external; import test-in; peer-as 200; neighbor 192.168.0.1 { } } policy-options { policy-statement test-in { term 1 { from as-path-group test; then reject; } term 2 { then accept; } } as-path-group test { as-path a "_1234$"; as-path b "_5678$"; } } Regards, Samit ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Interpreting output of "show route route protocol bgpdetail"
Junaid,

It's the Preference2 value.

JUNOS stores the 1's complement of the LocalPref value in the Preference2 field. For example, if the LocalPref value for Route 1 is 100, the Preference2 value is -101. If the LocalPref value for Route 2 is 155, the Preference2 value is -156. Route 2 is preferred because it has a higher LocalPref value and simultaneously a lower Preference2 value.

Nothing to worry, it's just done to use a common comparison routine (since in every routing metric except for the BGP LocalPref attribute, a lesser value is preferred).

Hope it clarifies.

BR//
Tarique

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Junaid
Sent: Saturday, June 13, 2009 4:21 PM
To: Juniper-Nsp
Subject: [j-nsp] Interpreting output of "show route route protocol bgpdetail"

Hi,

there is something that's bothering me for quite a while; can anyone please explain what does "-101" signify in the following output in the "Preference" field:

# run show route protocol bgp detail

inet.0: 20 destinations, 20 routes (20 active, 0 holddown, 0 hidden)
192.168.20.0/24 (1 entry, 1 announced)
        *BGP    Preference: 170/-101
                Next hop type: Indirect
                Next-hop reference count: 3
                Source: 10.0.4.13
                Next hop type: Router, Next hop index: 131071
                Next hop: 10.0.4.6 via em3.12
                Next hop: 10.0.4.13 via em3.13, selected
                Protocol next hop: 10.0.4.2
                Indirect next hop: 8a2209c 131072
                State:
                Local AS: 65412 Peer AS: 65412
                Age: 3:48       Metric2: 10
                Task: BGP_65412.10.0.4.13+179
                Announcement bits (2): 0-KRT 5-Resolve tree 2
                AS path: I (Originator) Cluster list: 1.1.1.1
                AS path: Originator ID: 10.0.6.2
                Localpref: 100
                Router ID: 10.0.3.3

Thank you.

--
Regards,
Junaid
Re: [j-nsp] PPP Negotiation Issues
Hey Jason,

I don't see any LCP Conf-Ack for the LCP request sent by Adtran, & as you pointed the endpoint discriminator option block received from the peer are truncated with a LCP config-reject message.

So what Junos version router is loaded with? Check if you are hitting PR/97169 (available on website)

Thanks & Regards,
Tarique A. Nalkhande

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Jason Iannone
Sent: Friday, April 24, 2009 11:51 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] PPP Negotiation Issues

All,

I'm having trouble understanding a PPP Negotiation issue with a single T1 on a Multilink interface. The Juniper appears to be rejecting an LCP configuration option including a MAC address received from an Adtran. I haven't been able to find a reference in RFC 1661 indicating that "End-Disc" is a valid option. This is the second time we've seen this issue and I'm not sure if I'm digressing from the real issue or if I should continue to pursue this.

The following debugs were from the same ~20 second period. The Adtran never indicates that it has received an LCP message, while the Juniper both transmits and receives. In the interest of brevity, I have removed all but two cycles of configure reject messages from the Juniper monitor traffic interface detail output.

Adtran PPP debug:

2009.04.24 17:40:08 PPP.NEGOTIATION PPPtx[t1 1/1] LCP: Conf-Req ID=152 Len=23 MAGIC(027e2bf2) MRRU(1520) ED(3:00a0c84068c2)
2009.04.24 17:40:12 PPP.NEGOTIATION PPPtx[t1 1/1] LCP: Conf-Req ID=153 Len=23 MAGIC(027e2bf2) MRRU(1520) ED(3:00a0c84068c2)
2009.04.24 17:40:16 PPP.NEGOTIATION PPPtx[t1 1/1] LCP: Conf-Req ID=154 Len=23 MAGIC(027e2bf2) MRRU(1520) ED(3:00a0c84068c2)
2009.04.24 17:40:20 PPP.NEGOTIATION PPPtx[t1 1/1] LCP: Conf-Req ID=155 Len=23 MAGIC(027e2bf2) MRRU(1520) ED(3:00a0c84068c2)
2009.04.24 17:40:24 PPP.NEGOTIATION PPPtx[t1 1/1] LCP: Conf-Req ID=156 Len=23 MAGIC(027e2bf2) MRRU(1520) ED(3:00a0c84068c2)
2009.04.24 17:40:28 PPP.NEGOTIATION PPPtx[t1 1/1] LCP: Conf-Req ID=157 Len=23 MAGIC(027e2bf2) MRRU(1520) ED(3:00a0c84068c2)
2009.04.24 17:40:32 PPP.NEGOTIATION PPPtx[t1 1/1] LCP: Conf-Req ID=158 Len=23 MAGIC(7bb2b1cf) MRRU(1520) ED(3:00a0c84068c2)
2009.04.24 17:40:32 PPP.NEGOTIATION PPPtx[t1 1/1] LCP: Conf-Req ID=159 Len=23 MAGIC(7bb2b1cf) MRRU(1520) ED(3:00a0c84068c2)

---

Juniper debug:

17:40:08.685156  In LCP, Conf-Request (0x01), id 152, length 25
        encoded length 23 (=Option(s) length 19)
          Magic-Num Option (0x05), length 6: 0x027e2bf2
          MRRU Option (0x11), length 4: 1520
          End-Disc Option (0x13), length 9: MAC 00:a0:c8:40:68:c2
17:40:08.685294 Out LCP, Conf-Reject (0x04), id 152, length 15
        encoded length 13 (=Option(s) length 9)
          End-Disc Option (0x13), length 9: MAC 00:a0:c8:40:68:c2
17:40:11.382693 Out LCP, Conf-Request (0x01), id 53, length 27
        encoded length 25 (=Option(s) length 21)
          MRU Option (0x01), length 4: 1514
          Magic-Num Option (0x05), length 6: 0x49fc248a
          MRRU Option (0x11), length 4: 1504
          End-Disc Option (0x13), length 7: IPv4 64.129.252.137
17:40:12.684943  In LCP, Conf-Request (0x01), id 153, length 25
        encoded length 23 (=Option(s) length 19)
          Magic-Num Option (0x05), length 6: 0x027e2bf2
          MRRU Option (0x11), length 4: 1520
          End-Disc Option (0x13), length 9: MAC 00:a0:c8:40:68:c2
17:40:12.685070 Out LCP, Conf-Reject (0x04), id 153, length 15
        encoded length 13 (=Option(s) length 9)
          End-Disc Option (0x13), length 9: MAC 00:a0:c8:40:68:c2

Thanks for your time,
Jason
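The exchange in the debugs above can be reproduced byte for byte. The Python below is an added example, not part of the thread: it parses the Adtran Configure-Request (rebuilt here from the ID, Len, MAGIC, MRRU and ED values in the debug output, without the 2-byte PPP protocol field) and builds the Configure-Reject that RFC 1661 prescribes when only the End-Disc option is refused. MRRU (0x11) and Endpoint Discriminator (0x13) are the Multilink PPP options defined in RFC 1990; the function and constant names are this example's own.

```python
import ipaddress
import struct

LCP_OPTIONS = {1: "MRU", 3: "Auth-Protocol", 5: "Magic-Num",
               17: "MRRU", 18: "Short-Seq", 19: "End-Disc"}
# Endpoint Discriminator classes from RFC 1990.
ED_CLASSES = {0: "Null", 1: "Local", 2: "IPv4", 3: "MAC",
              4: "Magic-Block", 5: "PSN-Number"}

# Conf-Request id 152 rebuilt from the debug values in the thread:
# code 0x01, id 0x98, length 23, Magic 027e2bf2, MRRU 1520, ED class 3 MAC.
ADTRAN_CONF_REQ = bytes.fromhex("01980017" "0506027e2bf2" "110405f0"
                                "13090300a0c84068c2")


def parse_lcp(packet):
    """Split an LCP packet into code, identifier and (type, data) options."""
    if len(packet) < 4:
        raise ValueError("LCP header truncated")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad LCP length field")
    body, options, pos = packet[4:length], [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("option header truncated")
        otype, olen = body[pos], body[pos + 1]
        if olen < 2 or pos + olen > len(body):
            raise ValueError("bad length in option %d" % otype)
        options.append((otype, body[pos + 2:pos + olen]))
        pos += olen
    return {"code": code, "id": ident, "length": length, "options": options}


def describe_option(otype, data):
    """Render one option roughly the way the Juniper debug prints it."""
    name = LCP_OPTIONS.get(otype, "Unknown(%d)" % otype)
    if otype in (1, 17) and len(data) == 2:
        return "%s %d" % (name, struct.unpack("!H", data)[0])
    if otype == 5 and len(data) == 4:
        return "%s 0x%s" % (name, data.hex())
    if otype == 19 and data:
        cls, addr = data[0], data[1:]
        if cls == 3 and len(addr) == 6:
            value = ":".join("%02x" % b for b in addr)
        elif cls == 2 and len(addr) == 4:
            value = str(ipaddress.IPv4Address(addr))
        else:
            value = addr.hex()
        return "%s %s %s" % (name, ED_CLASSES.get(cls, "class %d" % cls), value)
    return "%s %s" % (name, data.hex())


def build_conf_reject(request, rejected_types):
    """Configure-Reject: same identifier, rejected options echoed unchanged."""
    req = parse_lcp(request)
    if req["code"] != 1:
        raise ValueError("not a Configure-Request")
    body = b"".join(bytes([t, len(d) + 2]) + d
                    for t, d in req["options"] if t in rejected_types)
    return struct.pack("!BBH", 4, req["id"], 4 + len(body)) + body


if __name__ == "__main__":
    req = parse_lcp(ADTRAN_CONF_REQ)
    print("Conf-Request id", req["id"], "length", req["length"])
    for otype, data in req["options"]:
        print("  ", describe_option(otype, data))
    print("Conf-Reject:", build_conf_reject(ADTRAN_CONF_REQ, {19}).hex())
```
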
Re: [j-nsp] hidden route
Try Removing as-override from R2.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Opala
Sent: Friday, November 07, 2008 3:30 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] hidden route

Hi gurus,

Imagine following topology:

P2(AS11)--R2(AS100)---R3(AS100)---P3(AS11)

In order to advertise route 199.199.0.0/16 (static, redistributed to BGP) from router P2 to P3 (and some routes from P3 to P2), as-override has been configured on both R2 and R3:

[EMAIL PROTECTED] show group p2
type external;
peer-as 11;
as-override;
neighbor 192.168.1.2;

[edit protocols bgp]
[EMAIL PROTECTED]

[EMAIL PROTECTED] show group p3
type external;
peer-as 11;
as-override;
neighbor 192.168.2.2;

{master}[edit protocols bgp]
[EMAIL PROTECTED]

Route 199.199.0.0/16 is present in P3 routing table:

[EMAIL PROTECTED]> show route protocol bgp terse 199.199/16

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

A Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
* 199.199.0.0/16     B 170        100            >192.168.2.1     100 100 I

Apparently the same route is advertised back, from R2 to P2 (it can be seen as a hidden route):

[EMAIL PROTECTED]> show route hidden extensive

inet.0: 8 destinations, 10 routes (8 active, 0 holddown, 1 hidden)
199.199.0.0/16 (2 entries, 1 announced)
TSI:
KRT in-kernel 199.199.0.0/16 -> {}
Page 0 idx 0 Type 1 val 89768b8
    Nexthop: Self
    AS path: [11] I
    Communities:
Path 199.199.0.0 Vector len 4. Val: 0
         BGP
                Next hop type: Router
                Next-hop reference count: 1
                Source: 192.168.1.1
                Next hop: 192.168.1.2 via ge-1/2/1.2, selected
                State:
                Inactive reason: Unusable path
                Local AS:11 Peer AS: 100
                Age: 13:52:22
                Task: BGP_100.192.168.1.1+60006
                AS path: 100 100 I
                Router ID: 10.0.1.2

[EMAIL PROTECTED]>

Do you have any explanation of hidden route in P2?

Thanks,
Tomasz
Re: [j-nsp] Routing question
With no dynamic routing involved. The election of path should be based on static entries for the concerned routes.

Thanks & Regards,
Tarique A. Nalkhande
Juniper Technical Assistance Center
888.314. JTAC (888.314.5822) Toll Free
408.745.9500 Domestic & International
Email : - [EMAIL PROTECTED]
Please CC: [EMAIL PROTECTED], with the case number in the subject line.
Working hours: Tuesday to Saturday ( 05:00 hrs to 13:00 hrs GMT )

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of sunnyday
Sent: Thursday, July 24, 2008 2:40 PM
To: 'Juniper-Nsp'
Subject: [j-nsp] Routing question

Hello, I'm going to ask a stupid question guys.

I have 2 paths to a route, one is fast Ethernet and one is serial, and no routing protocol is present. Which interface will be selected?