[j-nsp] 2014-07 Security Bulletin: Junos: Denial of Service in TCP packet processing (CVE-2004-0230)
Hey Juniper, If you're going to send out a security update on what is literally now a 10 year old issue (god I feel old), you should at least wait until Throwback Thursday. :) 2014-07 Security Bulletin: Junos: Denial of Service in TCP packet processing (CVE-2004-0230) Junos now implements the TCP robustness improvements outlined in Section 4 of RFC 5961. Junos will send an ACK in response to any SYN or RST flag received, irrespective of the sequence number. The following software releases have been updated to resolve this specific issue: Junos OS 11.4R11, 12.1R10, 12.1X44-D35, 12.1X45-D25, 12.1X46-D20, 12.1X47-D10, 12.2R8, 12.3R6, 13.1R4, 13.2R4, 13.3R2, 14.1R1, and all subsequent releases (i.e. all releases built after 14.1R1). -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] proposed changes to clear bgp neighbor
On Wed, Feb 26, 2014 at 10:36:39AM -0500, Phil Shafer wrote: Juniper users, We've been asked to make a change the clear bgp neighbor command to make the neighbor or all argument mandatory. The root cause is the severe impact of clear bgp neighbor and the increasing accidental use of this command without a specific neighbor. In general, we avoid changing commands to add mandatory arguments, but my feeling is that the impact and severity of this specific command makes this an acceptable occasion for such a change. I'm looking for feedback about this change. My working assumption is that clear bgp neighbor is a sufficiently rare command and would not be used in automation/scripts, so the impact of making the neighbor/all argument mandatory would be minimal. Is this assumption accurate? Personally I'd support this, either through requiring an all, or adding a yes/no confirmation after executing the command (which sounds like it would solve the problem for those silly humans, without impacting the scripting interfaces as badly). This is a sufficiently rare command in a good way that you should really have some form of additional error check, just like delete from the top level of the config. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] NTP Reflection
Dear Juniper, Please tell me you didn't actually do this. Please tell me that I'm just missing something, and that you would never do something so insane. Did you guys REALLY ship code that automatically enables an NTP server that responds to the world, with no authentication or options to restrict access or commands, whenever someone configures the router to be an NTP client? Because that's sure what it looks like. The documentation on the subject is interesting too: http://www.juniper.net/techpubs/en_US/junos13.1/topics/task/configuration/network-time-protocol-time-server-time-services-configuring.html Configuring the Router or Switch to Operate in Client Mode: * Do something Configuring the Router or Switch to Operate in Server Mode: * Do the exact same thing Sigh... I'd be more disappointed, but hey it doesn't crash anything when someone uses your routers as an NTP reflection attack amplifier, so I suppose you can at least be proud of that. For anyone who doesn't know what I'm talking about, you might want to read: http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300 And then start making sure UDP/123 is blocked in your lo0 firewall filters. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] ddos-protection
Does anyone have any good documentation on exactly what types of packets match each of the ddos-protection protocols out there? For example, I was just helping someone who was getting a flood of sample:pfe hits on an MX, and I noticed the documentation says exactly nothing about it: http://www.juniper.net/techpubs/en_US/junos/topics/reference/command-summary/show-ddos-protocols.html sample - The following sample packet types are available: pfe - Packet Forwarding Engine packets. Now for this particular one it wasn't too hard to figure out that they meant excessive sampled packets being punted from the pfe to the RE, in this case from a firewall then log action. But, that's probably not even close to obvious to the vast majority of people, and there are a lot of other matches in here that aren't terribly self-explanitory either. It also seems like there should be some overview documentation explaining what the default rate-limits are for each type, but I'm not finding it. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] ISSU timeouts on MX upgrades due to large routing tables?
On Tue, May 21, 2013 at 09:01:57PM -0400, Clarke Morledge wrote: I was curious to know if anyone has run into any issues with large routing tables on an MX causing ISSU upgrades to fail? On several occasions, I have been able to successfully do an In-Software-Service-Upgrade (ISSU) in a lab environment but then it fails to work in production. I find it difficult to replicate the issue in a lab, since in production I am dealing with lots of routes as compared to a small lab. Does anyone have any experience when the backup RE gets its new software, then reboots, but since it takes a long time to populate the routing kernel database on the newly upgraded RE that it appears to timeout? I have seen behavior like this with upgrades moving from 10.x to a newer 10.y and from 10.x to 11.y. We had that issue for many years. There is a hard-coded timeout in the NSR process which is very easy to hit if you have a box with a large number of routes. We had a case open on it for about 1.5 years, but Juniper refused to actually fix it (it works fine in the lab), and eventually we just gave us and declared ISSU to be dead. There are way too many other bugs with it anyways, even turning on NSR caused nothing but problems. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Best route reflector platform
On Sun, Apr 21, 2013 at 02:47:58PM +0400, Pavel Lunin wrote: 2. Branch SRX do not support more than 2G of RAM. Moreover about 700M+ is preallocated for flow session table and it is not released even when you switch the box into packed mode (well, at least used to be last time I checked a year or so ago). Plus JUNOS itself. In practice you have just about ~700M of free control plane memory on SRX650. A decent amount of memory is required for RR purposes too. We're pretty much to the point that if its not running 64-bit JUNOS (which actualley only bumps the max rpd memory from 2GB to 3GB, so it's not that big an improvement :P) it either won't work at all, or won't survive for very long. And that's after taking a lot of steps to reduce core IBGP mesh route load. I haven't touched any of the virtual SRX stuff, does it run 64-bit JUNOS? In fairness I really don't think there is a big market for dedicated RR's, so I'm sure it isn't on the top of anyone's radar. That said, it is an absurdly easy problem to solve, with almost no work required (ship JUNOS on 1U PC and call it JCS100). So besides greatly pissing off many of its largest customers, they're leaving money on the floor and forcing people into other solutions with other vendors. I really can't imagine that the benefit of selling an extra MX240 chassis, even if sold at regular price, is worth the money being lost from everyone else. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Best route reflector platform
On Tue, Apr 16, 2013 at 09:26:29AM +1000, Craig Askings wrote: I'd love to see Juniper take the xre200, slap some extra ram into it and call it their route reflector platform. It would be a reasonable compromise between using generic compute and Juniper getting $$$ for selling you some tin. I begged them to do this right when that box first came out, but there were no takers. They cripple it in software so the XRE can't be made to run rpd stand-alone and act as a route reflector. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] interface-transmit-statistics
I was skimming through some release notes and noticed the following new feature, which was supposedly added in 12.3 and 11.4R3 (new features in an R3 release? *cough*): http://www.juniper.net/techpubs/en_US/junos12.3/topics/concept/interface-transmit-statistics-reporting-improvements-overview.html http://www.juniper.net/techpubs/en_US/junos/topics/reference/configuration-statement/interface-transmit-statistics-edit-interfaces.html The description on this is pretty vague, but it SOUNDS like this might compensate for the long-standing issue where the L2 overhead on packets don't get reported in the SNMP counters on Juniper hardware, in violation of the spec and opposition to how every other vendor does it. Actually it doesn't sound like this at all (did I mention this description is ridiculously vague and poorly written), but that's a pretty serious long-standing issue that I'd LOVE to see get addressed, and the only one I can think of related to transmit statistics, so I'm hopeful that this is what it fixes. If anybody has any further details, it'd be much appreciated. :) That said, what hardware is it actually supported on? The release notes just say MX, but when I try it on MPC-16XGE or MPC2 interfaces on a box running 11.4R6 it says: dcd[1550]: %DAEMON-3: Interface-Transmit-Statistics Knob not supported on this hardware. Will have no effect. And a more interesting question, would this also affect the packet counters reported to MPLS LSPs when doing auto-bandwidth calculations? This issue causes one of the biggest problems with auto-bandwidth on Juniper, the lack of L2 overhead in the counters makes it possible for high-pps traffic like a DoS attack to be completely invisible to RSVP, causing uncompensated for congestion. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] MQ-chip bandwidth drops
Does anybody know how an MX (Trio) hitting MQ-Chip memory bandwidth limitations will report the drops? I've got a couple of boxes reporting fabric drops in show pfe statistics traffic and show class-of-service fabric statistics (though of course the two numbers aren't even close to the same :P), but there aren't any corrosponding drops on the mqchip fi counters or show chassis fabric statistics, plus none of them are MX960 + 16-port MPC so they should be getting full fabric capacity anyways. Does an MQ drop count as a fabric drop maybe? -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Question about Routing Engine Redundancy on MX
On Wed, Jan 09, 2013 at 12:39:05PM -0600, Jose Sanchez wrote: Hello, Does anybody know if the RE Redundancy in Juniper MX Routers requires that both RE are the same hardware or it is enough that the REs has the same JUNOS Version? As long as they're reasonably similar it should work fine. For MX that pretty much means RE-2000 and RE-1300, you have no hope in hell of mismatching the new ones (RE-1800x2/4, which require 64-bit JUNOS) with the old ones. For some definition of work of course (for all of the active redundancy), where in my experience the answer is it doesn't. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Question about Routing Engine Redundancy on MX
On Wed, Jan 09, 2013 at 03:43:04PM -0500, Paul Stewart wrote: Thanks RAS.. that's interesting as we've never actually tried that... Have you tried this in a production environment or would you? Do we have any idea on whether or not JTAC would support this configuration officially? I realize these are loaded questions - just really curious on this topic as it opens up some new possibilities for us in some deployments... Our SE basically told us to run from this idea previously... The difference between an RE-2000 and an RE-1300 is pretty minimal. Yeah it's a slightly slower CPU, and maybe it has less RAM, but the architecture itself is still basically the same. If you configure NSR you'll be passing a lot of internal state in raw form back and forth, so you have no hope of making it work between completely different architectures like the REs which run JUNOS 64, but technically speaking there is nothing that would prevent something like RE-1300 and RE-2000 from talking and working. Personally I wouldn't run any of it in production, after having been bitten by way too many extremely severe bugs in NSR/GRES over the last many years. I've probably suffered 1000x more operational impact from NSR related bugs than I've EVER saved from NSR working correctly, and don't even get me started on the massive design flaws of GRES. At this point you're MUCH more likely to make your router work correctly if you turn on as few knobs as possible, and NSR is a pretty darn complex thing to actually make work correctly. Plus, I don't think I've actually had NSR work correctly in about 4-5 years now. There are hard-coded time-outs during the NSR sync process after the backup RE reboots, and if your network is big enough that you carry some decent number of BGP paths it will take so long to sync that this will time out and fail the entire process. I once had a case open about this issue, but after about 1.5 years of being unable to explain it to the idiot in JTAC I just gave up. I checked several years later, and it was still broken in exactly the same way, so I'm going to guess that no other large network dares to run NSR either. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] DDOS and MX-240's
On Mon, Jan 07, 2013 at 08:10:45PM -0800, Eric Cables wrote: It's interesting that Flowspec was one of the presentations at the Bay Area Juniper User's Group in October, and heavily used by CloudFlare. http://www.slideshare.net/junipernetworks/flowspec-bay-area-juniper-user-group-bajug I did warn Terry about this issue before he gave that presentation, but note that their performance requirements are MUCH lower than mine. The graphs in this presentation show 100-1000Mbps attacks and 45kpps attacks, which doesn't require much in the way of router resources. Line rate for a 10GE is 14.88Mpps, and when you suddenly can't do more than 4Mpps per port because of a couple dozen flowspec rules, I consider this a BIG problem. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] DDOS and MX-240's
On Mon, Jan 07, 2013 at 05:41:06AM +, Dobbins, Roland wrote: On Jan 6, 2013, at 11:14 PM, Richard Gross wrote: I am seeking advise. If you wanted to block 800K /32's from your inbound pipes, how would you do it? You don't need nor want to do this. Flowspec and S/RTBH are very useful tools for blocking, as Chris indicated, but nobody needs to block 800K /32s. http://mailman.nanog.org/pipermail/nanog/2011-January/030051.html Still has the same issue. Juniper has basically let Flowspec bit-rot into complete uselessness since Pedro left. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] VPLS issues
Does anybody have any experience with forced LSP path selection for VPLS
circuits? Long story short, when we fire up traffic on one particular
VPLS instance, we're seeing SOME of the traffic it's carrying being
blackholed. The pattern is one of certain IP or even TCP port pairs
being blocked, and it seems to rotate over time, which screams hashing
across multiple LSPs where one of them is doing something bad, and it
changes as the LSPs resignal over time to me. To try and lock this
down, I'm trying to force the VPLS traffic to route over a single LSP,
in the usual manner with a forwarding-table export policy, and a very
simple extended community regexp against the vrf-target community.
term VPLS {
from community MATCH_VPLS;
then {
install-nexthop lsp-regex .*-SILVER.*;
load-balance per-packet;
accept;
}
}
But it sure as hell doesn't look like it's narrowing the LSP selection:
ras@re0.router show route forwarding-table family vpls table blah
Routing table: blah.vpls
VPLS:
DestinationType RtRef Next hop Type Index NhRef Netif
...
00:xx:xx:xx:xx:xx/48 user 0 indr 1050634 5
idxd 3223 2
idx:1 xx.xx.142.132 Push 262153, Push 655412(top)
4543 1 xe-7/3/0.0
idx:1 xx.xx.142.62 Push 262153, Push 752660, Push
691439(top) 1315 1 xe-4/1/0.0
idx:2 xx.xx.142.132 Push 262153, Push 758372(top)
1923 1 xe-7/3/0.0
idx:2 xx.xx.142.62 Push 262153, Push 382341, Push
691439(top) 2541 1 xe-4/1/0.0
idx:3 xx.xx.142.132 Push 262153, Push 758372(top)
1923 1 xe-7/3/0.0
idx:3 xx.xx.142.62 Push 262153, Push 382341, Push
691439(top) 2541 1 xe-4/1/0.0
idx:4 xx.xx.142.30 Push 262153, Push 714676(top)
1500 1 xe-4/1/1.0
idx:4 xx.xx.142.62 Push 262153, Push 619458, Push
378636(top) 3864 1 xe-4/1/0.0
idx:xx xx.xx.142.82 Push 262153, Push 601828(top)
989 1 xe-5/0/0.0
idx:xx xx.xx.142.132 Push 262153, Push 684644(top)
3516 1 xe-7/3/0.0
idx:xx xx.xx.142.62 Push 262153, Push 528898, Push
760875(top) 4766 1 xe-4/1/0.0
idx:xx xx.xx.142.62 Push 262153, Push 792036, Push
691439(top) 3473 1 xe-4/1/0.0
Any ideas, about this or about troubleshooting the forwarding plane for
VPLS in general? Other than that VPLS just sucks... :)
--
Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] How reliable is EX multichassis? 3300 and 8200 switches
On Fri, Oct 26, 2012 at 07:44:27PM -0200, Giuliano Medalha wrote: Morgan, I really dont know why JUNIPER did this kind of crazy environment with EX8200. Considering the MX family (240, 480 and 960 with TRIO 3D) and the new MX-L I think you do not need the external routing engines for virtual chassis. An external routing engine is actually a really good idea, you should ask them to do it more, not less. There is absolutely no reason the RE needs to be in the chassis, all it does it drive up the cost and slow down upgrade cycles. When was the last time you saw a several year old off the shelf PC that cost $32k? In the EX's case, the EX8200 is vastly underprovisioned on the stock RE (one of the worst design decisions of all times), so it REALLY benefits from an external RE. I never actually tried it in production though, so no comments about the reliability (IMHO multi-chassis boxes are for people who can't figure out routing protocols, I'd personally rather have two independant control-planes instead). I'm still sad that I couldn't get Juniper to bless the XRE200 as an external route reflector, since it's an infinitely more useful form factor than a JCS, but alas lack of common sense knows no bounds. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Krt queue issues
On Mon, Oct 01, 2012 at 03:15:39PM +0300, Saku Ytti wrote: JunOS is exceedingly poorly performing platform in control-plane, especially with PPC control-plane. 200 neighbours on MX80 does not sound like a good idea right now. You probably should have gone with bigger MX where you'd get XEON. MX80 has faster CPU than RSP720, but RSP720 runs circles around MX80 :/ Indeed. For extra fun, try watching your show route forwarding-table summary after you reboot, and see how long it takes for your router to actually get a full table installed. The more BGP load you have on the device, the more you'll see that it totally stalls the installation of routes into the FIB. At this point I can't describe it as anything less than a major architectural flaw which Juniper is completely powerless to fix. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] mx-class units now advertisement management interface networks in BGP
On Thu, Sep 27, 2012 at 08:28:46PM -0400, Jeff Wheeler wrote: On Thu, Sep 27, 2012 at 1:49 PM, Jo Rhett jrh...@netconsonance.com wrote: I don't know when Juniper broke this Hey, Jo, I remember Junos working like this since forever. I'm 100% sure it has worked like this since way before MX80 existed. I dunno what he's complaining about, JTAC solved the issue in less than a year, so he's already ahead of the curve. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] route BGP stall bug
On Wed, Jul 18, 2012 at 12:03:39AM +0200, Tim Vollebregt wrote: Hi All, This morning during a maintenance I experienced the route stall bug Richard mentioned a few times already on j-nsp. Hardware kit: -MX480 with SCB (non-e) -2 x RE-S-1800x4 -4 x MPC 3D 16x 10GE Software version: 10.4R8.5 During this maintenance I was placing 2 new routing engines into the router, replacing the 'old' RE-S-2000. This router is pushing a lot of traffic and receiving 14 x full BGP tables from eBGP peers/1 RR session to it's 'mate'/several iBGP peers with partial tables Rest assured this issue is still alive and well in every piece of code I've ever looked at. I've basically just given up and accepted that Juniper can't actually handle a large number of routes, and nobody seems capable of fixing it. EX's are especially bad, I can't get a full fib installed from a reboot in anything less than an hour, even if I turn off most of the BGP sessions so it converges faster. Either stop carrying so many routes (14x full tables = you're screwed), or go buy a Cisco. :( -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Update on 10.4R9 stability for MX?
On Mon, May 21, 2012 at 03:43:33PM +0200, Mark Tinka wrote: On Thursday, May 10, 2012 01:59:55 AM Richard A Steenbergen There is a serious issue with MPLS RSVP auto-bandwidth in 10.4R9, which can cause the reservation calculations to be off by quite a bit. The least broken code we've found so far is 10.4S9, I'm surprised they haven't done an R10 yet. As far back as I can remember, Richard, you've pretty much had this particular issue with almost every major train Juniper have released :-). I wish it was a single issue, at least then I would have one definite thing to bitch about. It's more like a dozen different issues affecting the same subsystem, in a dozen different versions of code, over the last couple of years. You could say the same thing about SNMP, it's been broken about as many times over about as many different revisions (including recent ones :/). 10.4S9 does seem to have solved this latest issue, which was causing wildly inaccurate reservations. It's almost comical when RSVP tries to reserve a several petabit LSP (not much to do with recent JUNOS except laugh at this point, right? :P), but it's a lot less funny when nearly empty high-priority LSPs get mis-calculated to several gigabits and start causing incorrect preemptions... -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] JUNOS downloads
Has anybody else noticed that the old software download page isn't getting updated at the same time as the new one? For example, 11.4R3 came out 3 days ago, but it isn't listed on the old software page at all. The new and improved system also appears to require javascript to work properly, for example the proceed button at the bottom of the EULA acceptance is non-functional in lynx or elinks if you're trying to download your JUNOS images via a unix shell. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Update on 10.4R9 stability for MX?
On Wed, May 09, 2012 at 03:13:26PM -0400, Clarke Morledge wrote: It has been a couple of months since the JTAC recommended Junos software versions has been updated for the MX. As of February, the recommendation was to use 10.4R8.5 for the MX, except that there is an issue related to BFD configurations on the DPC line cards. Supposedly, the fix is in 10.4R9. In looking at the release notes, there are some issues that have been resolved in the 11.x series but nothing noted yet for any future 10.4.x releases. Perhaps there are future 10.4.x versions planned to carry forward these fixes? I am curious to know about anyone's experience with 10.4R9 over the past few months. I have DPC only currently; i.e. no MPC hardware -- and no MultiServices. There is a serious issue with MPLS RSVP auto-bandwidth in 10.4R9, which can cause the reservation calculations to be off by quite a bit. The least broken code we've found so far is 10.4S9, I'm surprised they haven't done an R10 yet. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Woot. Updated MX software recommendation
On Wed, Apr 11, 2012 at 01:19:01PM -0400, Chris Morrow wrote: counting is hard... let's go shopping?? wtf? Yeah, it's not like we need to bill customers with these routers or anything. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] JNCIP-SP latest dumps
On Fri, Mar 30, 2012 at 11:59:35PM +1100, Skeeve Stevens wrote: I would like to see exams include man pages, or at least an approved reference book that would let you look up obscure crap you almost never need to know off the top of your head. The labs actually do include full access to the documentation, since memorization of obscure commands isn't really the goal of the test. The prometric exams are a bit more limited of course, due to the shared testing environment, but they're a lot simpler too. FWIW I personally think the new -SP exams are complete and utter crap compared to the classic -M exams, or at least the JNCIP-SP that I took to renew my JNCIE was at any rate... They're far more Cisco-like these days, full of totally useless questions, poor grammar, and ambiguous or even flat out incorrect answers, so plan accordingly. :( Binary-Hex-Decimal math... bullshit, I can't believe we're not able to use even a calculator these days... even highschool exams allow calculators! I don't remember any of this on any Juniper exams I've ever taken, but if you can't do simple binary-hex-decimal math you have bigger problems. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] 100Base-LX10 and MX80
On Wed, Feb 29, 2012 at 02:35:09PM +0100, ??ukasz Dudzi??ski wrote: I did it already. The topic you have mentioned does not cover the essence of my question. I've asked for that specific SFP (100Base-LX10), not for using third party optics at all. The problem is that I don't know if it is possible to use 100Base-LX10 optics in MX80, because Juniper documentation does not mention about 100Base-LX10 SFP. There is a note regarding 100Base-FX (FE on MMF), but no 100Base-LX10 (FE on SMF). Generally speaking, the answer is unless the pluggable requires some special handling from the router above and beyond what is considered 'normal' relative to the other pluggables, it WILL work regardless of whether or not it is officially supported. So far the only two examples I've found of the above are copper vs fiber (copper sometimes requires special handling to do things like detect link state properly), and 100 vs 1000. The LX10 part is irrelevent, if it was a 1000BASE optic you could throw in 1km or 100km and the router wouldn't know the difference, but you're on shaky ground with the 100 support. You also run into questions about whether 100 is even supported at all, since there are different ways to implement the PHY, one with 10/100/1000 support, and another with 1000-only. My personal recollection is that MX back in the DPC days only supported 1000. I could probably go dust off some documentation on the internals of the MX80 and tell you whether the PHY for the modular version supports 10/100/1000 for the SFPs or not (its a slightly different hw layout for modular vs non-modular, obviously the non-modular does because its 10/100/1000 copper), but its late and lets be honest I really don't care that much. :) I'm sure someone else will do it now that I've taunted them though (I can think of at least 5 or 6 usual suspects who probably know this off the top of their head :P), so just consider the above as generic advice for when this question comes up again in the future. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Firewall filter using a prefix-list, not updating
On Sun, Mar 04, 2012 at 04:45:04PM -, David Gee wrote: If I create a relatively simple filter such as the one below, and attach it as an output filter on a vlan interface, it works as per the prefix-list it references. However, if I update the prefix-list, like add an additional /32, the firewall filter does not permit it. If I remove and re-apply the filter, it has no effect on the new addition to the prefix-list (even though the prefix shows up in the prefix-list). To force the new prefix to become active, I have had to re-apply the firewall filter statement that references the prefix-list (i.e. delete it, and re-apply it). Is this normal? Depends on your definition of normal. I run into firewall bugs like this all the time these days (probably on my 6th one in the last 2 years). When in doubt, remove the filter and re-apply, this causes a data structure rebuild on the hw and makes the badness go away. And just consider yourself lucky that it doesn't cause the FPCs to crash when you reorder firewall terms like on EX8200 running 11.1R5. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Sources for SFP+ optics
On Fri, Feb 24, 2012 at 12:06:03AM +0200, Saku Ytti wrote: On (2012-02-23 16:53 -0500), Brandon Ross wrote: I have no idea how they do it, but I can tell you for certain that I've been able to source DWDM optics for my clients within a week every single time. And yes, I'm referring to specific colors. Sure you can source them, by querying multiple sources. But no one carries stock of everything, you simply cannot offload them at profit then, unless your customers are ready to pay high premium. Good/cheap DWDM optics are, generally speaking, in universally short supply. Production has barely been staying ahead of demand for quite some time now, hence the 7-8 week lead times from manufacturers. Agreed, you might get lucky and find someone who happens to have the color and optic type you're looking for on occasion, but there is nobody who is in a position to maintain an inventory of everything and still sell them at close to wholesale prices. There just isn't any money in it, which is why everyone who cares self-spares (often with the help of tuneables as universal donors) . -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SCB-E
On Wed, Feb 08, 2012 at 07:44:10AM +0100, Daniel Roesen wrote: So as far as things stand, SCB-E not deployable before mid 2012 earliest if (and that's a big if when looking at 10.4 experience) 11.4R3 is going to be usable. Given the state of the code and the lack of faith/experience in 11.4 (i.e. I don't know any sane companies with an interesting network running 11.4 right now, and thus I have zero faith that it has been well tested), maybe the correct answer is to backport some kind of SCB-E support to the 10.4 train. Then again, considering that they are STILL introducing new showstopper bugs in a bugfix-only code train even at 10.4R8, maybe this is a bad idea. I really don't know what else to say about this issue, other than: *SIGH* -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] QFX3500 optics lock?
On Fri, Jan 06, 2012 at 09:34:35PM -0500, Chuck Anderson wrote: Like I said, that is nuts. I will NEVER buy the QFX then as long as this vendor arrogance exists. And don't give me this but we haven't tested it with every possible SFP+ vendor so we can't allow you to use any vendor crap. FWIW they've actually had serious problems interoperating correctly with copper SFPs from other vendors, on EX and MX. There are still unsolved issues with ports showing link state up despite nothing being plugged in. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] QFX3500 optics lock?
On Sat, Jan 07, 2012 at 11:45:40AM +, Phil Mayers wrote: Oh for the love of... In terms of practical what now ideas, have you tried to source a Juniper compatible SFP+ i.e. someone has blown the string into the EEPROM? Or maybe investigate FlexOptix' flexBox? FWIW eoptolink's stock SFP+'s seem to not set off the NON-JNPR flag in EX without any additional hackery required, though I have no clue at all if they'd work properly in a QFX. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] QFX3500 optics lock?
On Sun, Jan 08, 2012 at 02:27:44PM +1100, Julien Goodwin wrote: Nobody is asking Juniper to *support* third party optics, they never have before. All we want is, that like all other Juniper products to date (that I'm aware of) that third party optics work, and have feature parity. Be careful what you ask for... We've seen many issues with the support for third party optics, for example we still have ongoing issues with Cisco copper SFPs which show link up despite nothing being plugged in when used in an MX80... It's not as bad as a blatant lock, but if they don't have to support it they don't need to fix it either. :) The better way to say it is, we aren't going to call you and make you fix it if it's just one broken optic doing something bad, but we still expect you to make every reasonable effort to make your product work correctly with other standards compliant components. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] QFX3500 optics lock?
On Sun, Jan 08, 2012 at 12:11:19PM +, Phil Mayers wrote: However - crappy though they were, imagine my irritation when, even with service unsupported-transceiver, a duplicate SFP serial number caused err-disable on BOTH ports, and requires BOTH transceivers to be removed. It's not obvious to me that this is a reasonable response; the 1st transceiver was in, and forwarding packets. Why disable it? What possible value does that add? Actually, this one I get... They're trying to detect and block a counterfeit product that says Cisco on it, and which as you said, was introduced into the supply chain without your knowledge that it was an inferior fake (and maybe even without your VARs knowledge too). This is COMPLETELY different from artificially disabling a third party's product. Of course, if they weren't so busy trying to do the later there wouldn't be nearly as much demand for people doing the former, but they're still probably justified in blocking the duplicate serial #'s of Cisco products. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] QFX3500 optics lock?
On Mon, Jan 09, 2012 at 11:37:03PM +, Phil Mayers wrote: I am not trying to compare this to vendor locking. They are indeed completely different, and I merely cite it as illustration of one other position on the spectrum of transceiver permissiveness. I will grant that denying the new optic is understandable. But shutting down an existing link is deeply unhelpful (as well as TOTALLY NON-OBVIOUS to the person inserting the optics). For starters - what if the existing link is a Genuine Cisco(tm) SFP? Then the forged SFP not only doesn't work (fine) but stops a valid SFP from working (not fine). Unlikely I will admit, but not impossible. I will also add that I have no evidence this duplicate checking is limited to transceivers matching CISCO* in the EEPROM; for all I know, it does it for any transceiver... In theory the way it's supposed to work is that a cryptographically verifiable code based on the serial number (probably some sort of hash, but no clue what they actually use) is written to the EEPROM. That way, Cisco can give the actual manufacturers a list of SN's and codes equal to the number of units they're purchasing, to prevent the classic counterfeiting problem of the factory in China running during the day for the customer and at night for themselves. But even without defeating the hash, they can always just clone the serial number from a known good one... Of course in theory there should never be two identical serial numbers, so when they do show up in the same chassis you should be guaranteed that they're both counterfeit. Of course, I'm sure mistakes do happen from time to time, and you could make the argument that it's bad to affect production customer traffic if the customer didn't know, but there is at least some logic behind it. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Junos 11.2R4.3 on MX
On Sat, Dec 24, 2011 at 09:27:55PM +0800, Mark Tinka wrote: On Friday, December 23, 2011 07:51:45 PM Sebastian Wiesinger wrote: Oh and to fix it you have to reset the VPLS BGP sessions. Changing the config back does not help. That's a nasty bug. So, just another day using JUNOS then? :) It would almost be funny, if it wasn't so tragic. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] DA rejects
On Sat, Dec 17, 2011 at 08:11:39AM -0500, Paul Stewart wrote: It has magically started working again for the customer, which is quite strange. Again, very confident this is a CPE issue but wanted to ensure I understood how JunOS will look at ARP output like above (make sure there is no confusion) :) Erm, did you move the customer to a new endpoint on your side? If so, you were probably receiving DA Rejects because they had your old router MAC address stuck in their arp cache, and it magically fixed itself when their ARP cache timed out and it re-learned the gateway mac. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] DA rejects
On Thu, Dec 15, 2011 at 02:11:18PM -0500, randy.tay...@bell.ca wrote: I have seen this before facing Cisco device running CDP. Maybe you have something that is running on your box that it does not understand. DA Rejects are when your router receive receives a packet that is destined for a MAC address that isn't it... This is normal/expected behavior in small doses, since even on a switched network the unknown unicast flooding stage of MAC learning will result in a few packets being sent to ports that weren't actually the correct destinations. If the router was an ordinary host these would be the type of packets you would need to turn on promiscuous mode to see. This is not to be confused with L3 Incompletes, which is what you're probably thinking about re: CDP. This simply means a packet without a L3 header that the router doesn't know what to do with (since the Juniper device doesn't speak CDP), and thus discards. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Difference MX DPC-R / DPCE-R
On Mon, Dec 12, 2011 at 05:05:20PM +0100, Nicolaj Kamensek wrote: Hello list, can anyone name the major differences between those modules? DPC are becoming available in the used market for small money and I am wondering if a DPC non-E is good enough for a classical access router environment with 30.000+ ARP entries and a growing number of IPv6 neighbours but nothing fancy overall. Since it's hard to find any facts about this: - does it matter memory-wise if the requirements above are applied to just one routed port or to multiple switched/routed ports? - do bundled links still double the amount of memory required? Well since nobody has answered this one correctly I guess I'll do it... The only difference between DPC and DPCE is the size of the microcode on the EZChip ASIC used for L2 framing (1.5KB vs 6KB instruction space). Almost no features require the larger microcode space, so you should be pretty safe... When the DPCs first came out, almost nothing used the EZChips at all, and even over the last couple years the only thing I've seen that doesn't like running on the Rev A's is PBB (Provider Backbone Bridging). Maybe you can get someone from Juniper to provide a more extensive list, but it's pretty safe to assume that nothing about the config you mentioned above will be impacted by DPC non-E's at all. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] traffic drops to 8 Gb/s when a firewall filter is applied
On Fri, Dec 09, 2011 at 01:19:54PM -0500, Keegan Holley wrote: Yea but it should have enough silicon to do simple policing in hardware unless you have every single other feature on the box enabled. If a policer with no queueing, and no marking etc, caused throughput to decrease by 20% across the board I'd inquire about their return policy. Hopefully, it's the policer config. Most of my 10G interfaces do not require policers, but I've got 1G interfaces with hundreds of logicals each with a unique policer. Unfortunately not... There are all kinds of ways to make I-chip cards not deliever line rate performance even with relatively simple firewall rules, and it's very poorly logged when this does happen. Admittedly I've never seen a simple then accept push it over the edge, but maybe it was RIGHT on the edge before... Try looking for some discards, such as WAN_DROP_CNTR, on the *INGRESS* interface (i.e. not the one where you added the egress filter). For xe-x/y/0 do: start shell pfe network fpcx show ichip y iif stat example: Traffic stats: Counter NameTotal Rate Peak Rate -- -- -- GFAB_BCNTR 4229125816477883 949530 1276098290 KA_PCNTR0 0 0 KA_BCNTR0 0 0 Discard counters: Counter NameTotal Rate Peak Rate -- -- -- WAN_DROP_CNTR 298 0 82 FAB_DROP_CNTR 1511 0419 KA_DROP_CNTR0 0 0 HOST_DROP_CNTR0 0 0 -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Resource Temporarily Unavailable - Juniper MX
On Mon, Dec 05, 2011 at 07:48:22AM -0500, Paul Stewart wrote: Can anyone shed some light on these log messages? Nov 30 04:48:21 core2.toronto1 rpd[1359]: bgp_send: sending 19 bytes to xx.xxx.52.50 (External AS x) blocked (no spooling requested): Resource temporarily unavailable grep Resource temporar /usr/include/errno.h #define EAGAIN 35 /* Resource temporarily unavailable */ man 2 send ... [EAGAIN] The socket is marked non-blocking and the requested operation would block. It's just a socket message saying it can't write the data it wants to write into that particular TCP session... This COULD potentially indicate a problem, such as congestion or errors, but it can also just be a quick dump of data filling up the socket buffer before the other side can read it. 99% odds are this is cosmetic. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Summarize Global Table
On Tue, Oct 25, 2011 at 06:45:27PM +0100, Phil Mayers wrote: This (aggregate routes on next-hop) comes up now and again, and the idea seems to be controversial for some people. Various criticisms are cited - unpredictability (a single route change could result in a large jump in FIB use), performance implications, and fairly limited improvement (the thread cited below reckons 30% mean, 10% worst case, 45% best case, depending on connectivity topology) Foundry did dynamic FIB aggregation using a covering default route to remove more specifics 10-some years ago, back when they had routers with only enough CAM for 8k or 16k FIB entries (ye olde Ironcore days). It actually worked pretty darn well, and the improvement IS significant in my experience (anyone who claims otherwise is full of shit or not being realistic in their modeling). It's also pretty straightforward to implement, I could prototype the code for it in a few minutes. The only REAL objections seem to be: a) The benefits are very non-deterministic, and customers may/will be confused if they make one covering route change and it causes thousands of FIB entries to be created or destroyed as a result. Nobody likes confusing customers more than is necessary, especially when your support organization is as disasterously broken as JTAC. b) It's not entirely impossible that doing this won't cause breakage in some unanticipated way. For example, say someone rapidly flaps a covering route, which causes a lot of FIB churn. There are a lot of potential implementations for performance, interaction with the krt, etc. Somebody has to actually take the time to model and test this to make sure it doesn't cause something to break/crash/blackhole/etc in practice. I'm personally not sure it would actually be any worse than the hour+ times to install a full FIB that some of these boxes are suffering from already, but I can understand why nobody is particularly eager to jump in and own this issue if they don't have to do so. c) Vendors would much rather sell you new cards wih more FIB capacity than find a way to implement a free solution in software (big shocker, I know). :) Of course given the EX8200 situation, where they've knowingly sold a bunch of cards that can't possibly do what they claimed they could do, maybe a horde of pissed off customers will motivate some renewed interest in providing some software assistance. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] TCAM full on EX8200?
On Sun, Oct 23, 2011 at 01:20:28PM +0400, Pavel Lunin wrote: TBH, I haven't checked the pricing but I'd expect Brocade MLX MLX(e) is an edge device and is much like MX in most things. It's cheaper but at a cost of some features lack and few caveats. Although it's a good product, it's not a label-oriented LSR anyway. The hardware functionality for label switching in MLX/XMR seems to be fine (as far as I can tell), it's only the software that is still a giant mess. To be honestly they seem to be ok for very simple stuff like pseudowires, but last I looked things like rsvp-te were still a complete and total mess. Global Crossing recently tried to roll out XMRs as pure LSR supercore boxes alongside existing T640s, and a whole bunch of blackholing and pissed off customers later they seem to have abandoned that project and moved the boxes to L3 edge router roles. As I said, I have yet to find ANY vendor other than Cisco/Juniper who ACTUALLY understand MPLS well. And even those guys I wonder about sometimes. :) On Sun, Oct 23, 2011 at 12:24:05PM +0300, Tarko Tikan wrote: Same way MX is not ment to be used as LSR, yet everyone does that. That's because we're not stupid (well, some of us aren't at any rate), and we know the difference between what the box is promoted for in marketing vs what it can actually do. :) Foundry on the other hand doesn't appear to have any serious MPLS users at all (beyond relatively simple pseudowire/vpls, nothing I would classify as serious at any rate). -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] TCAM full on EX8200?
On Sat, Oct 22, 2011 at 08:19:33PM +0400, Pavel Lunin wrote: As far as I understand, it's not really correct to compare difficulty of these two operations, since they are performed by two different units inside the chip. While label lookup instead of full IP table can dramatically simplify the lookup unit's life, the unit, which inspects packets and extracts bits from them, must be still quite complex even for label-only router. Hashing ALU's life is not a peace of cake either. Say, EX series PFE use only 6-bit seeds to construct hash on them. In case you want to push a whole 20-bit label to the hash seed, I'm afraid, you'll need more bits in ALU registers, more cycles or something else. Well, nobody said it was EASY, just EASIER. :) The point is, just by going from full tables to not-full-tables you can start taking advantage of existing commodity chips which CAN do IP and some pretty deep hashing already, and move from thousands of dollars per 10GE and 80-120G/slot (MX/ASR-style) down into hundreds of dollars per 10GE and 480-640G/slot. Personally my take is that PTX missed the mark as far as interesting target customer size goes. There are still a *LOT* of places where you could very easily replace a $1mil core T/CRS box at $retardecarrier with a $10-20k 1-2U box that does 64x10GE, or 40GE, etc. But obviously Juniper doesn't want to canibalize from their own T (or at worst MX) market, which is why only made the PTX product that they did (pick between massive or super-$%^ing massive, and at only ~MX-style port prices). Eventually someone will come along and realize that there is an untapped market here, and then the promise of cheap label switching routers will be fulfilled. IMHO the reasons this hasn't happened yet are a) only Cisco/Juniper *REALLY* have a good handle on the software side of MPLS, and b) not enough non-carriers are currently running (or even currently able to conceptualize running) label-only cores. Of course the large carriers with the most to gain also tend to be the least innovative and the most unwilling to consider cost when designing their architecture, until they go bankrupt of course. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] TCAM full on EX8200?
On Sat, Oct 15, 2011 at 11:04:37AM +0100, Phil Mayers wrote: ...whereas because ACLs are variable length, determined by customers and possibly large, performance of a RAM-based ACL algorithm is hard to predict, and people want predictable performance, and usually line-rate performance. Just wait until you figure out that it's possible to get significantly less than line-rate performance out of an I-chip with just a dozen relatively simple firewall terms. :( Hehe. Tag switching will make core routers really cheap, you'll have a few really big PE routers only. Wasn't that the line we were sold with TDP? And they totally could be too, if anyone bothered to actually make them. You don't even need to spin custom ASICs (one could argue that their might not be enough business to justify it anyways), label switching is so easy from a hardware perspective that it's not even funny. Everyone and their mother is busy churning out Broadcom Trident+ based 64x10G 1U boxes right now (see: Juniper QFX, etc), and at a price of a couple hundred bucks a 10G even on the high end. Why aren't these boxes making great LSRs? The problem is, the software side of MPLS (i.e. all of the associated protocols surrounding it) is so complicated, only Cisco and Juniper have figured out how to actually implement it correctly (and that is only because they wrote most of it :P). All the hardware in the world doesn't help you if you don't have the right software, and C/J shockingly don't want to make a $10k box that obsoletes the need for a $1mil T-series. This is why OpenFlow has them all running scared. :) The PTX is the first thing to actually attempt to be a label switching router only, but even that one is a) still vaporware, and b) designed to be sold to only a handful of super large carriers, and still at fairly premium prices. All they're trying to do is keep the T-series business unit from losing money to the MX-series business unit (since the MX is just as capable of doing everything T does w/MPLS as a core router, but at 1/4 the price), they aren't ACTUALLY trying to make a cheaper LSR. :) If more people used MPLS, and if some competetive vendor could figure out how to write all the protocols for it to run on a small/cheap box, the core router market could get REALLY interesting. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] TCAM full on EX8200?
On Sat, Oct 15, 2011 at 02:56:01PM -0400, Jeff Wheeler wrote: Most customers find that their Juniper boxes still operate at wire rate even when they load up some ugly filters. On some boxes in some cases, however, that is not true. But to generalize, M/MX does everything with RAM, provides the operator with more flexibility, but also gives him a little more rope with which to hang himself. It turns out that on I-chip, a dozen or so relatively simple filter terms are enough to exceed maximum number of accesses that give you line rate performance. It's especially bad if you try to use filter chains, since there is no next filter command, and the next term command (which is REQUIRED in every term in order to keep processing things further into the chain) is relatively expensive (4 lookups each, and you only get ~28 for line rate performance). Having flowspec routes is another good way to make it angry, since they get evaluated on every ingress interface. Even worse, when you DO exceed your lookup capacity, the only symptom will be silent packet drops, with nothing logged on any interface counter outside of show ichip commands in the pfe shell. We had to kill our filter chains and use commit script built non-chain filters to implement chain-like logic (i.e. re-use of common filter config components), it was the only way to do it without killing the box. I doubt Juniper has ignored the possibility of grafting some CAM onto their router boxes for certain operations, but when you already have the ALU+RAM method RD'd and you can simply scale it up a little bit, this is probably more sensible than adding a power-hungry CAM and all the guts necessary to interface to it, and then do more RD to have the control-plane figure out how to take advantage of it, and *then* still live with the fact that Juniper firewall filters *still* give you the flexibility to make that operation not perform at wire rate also. They actually did put TCAM onto the modular MPCs (i.e. MPC1 and MPC2, but not the 16x10GE MPC, and also I'd like to take this opportunity to offer an extreme DIAF to whoever butchered the use of the word modular on these products!) for exactly this reason. But I've been told there are no immediate plans to actually add any support for it in software, if ever. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] TCAM full on EX8200?
On Sun, Oct 16, 2011 at 12:56:41PM +1100, Julien Goodwin wrote: What's needed is for an OEM to build a generic router chassis that has separate control plane, power, and forwarding modules that can be swapped as needed. Potentially ATCA might be a good platform for this This is already being worked on through something called OpenFlow, which aims to provide an open API to programming the hardware so that anyone can come along and write their own software for it. The chip makers are already able to produce massively high performance hardware for cheap, but none of them can figure out how to write the software for it to save their lives. This is why vendors are so scared of OpenFlow, if someone else can come along and write a good OS/BGP/etc for someone else's hardware they're in for a world of hurt. At this point vendors like Cisco and Juniper aren't actually hardware companies, they're software companies. In many ways their hardware is inferior to the absurdly cheap and high performance chips being produced by folks like Broadcom (with the caveat that many times those chips have design flaws caused by lack of practical experience, see: nearly everyting wrong with the EX, for example :P), but the software is what keeps people buying the hardware. Of course the traditional router vendors are also realizing that they won't be able to compete on price given the massive volumes that third party ASIC makers are doing, so they've already started building systems around those chips. The Cisco ASR is EZChip, the Juniper EX is Marvell, the Juniper QFX and a dozen other similar products are Broadcom, etc. But ultimately, it still comes down to software. The exact same Broadcom reference design box can be sold by Dell for $1k or by Force10 for $15k, and the difference is the software. :) There are other potential solutions, for example: http://www.nanog.org/meetings/nanog50/presentations/Monday/NANOG50.Talk17.swhyte_Opensource_LSR_Presentation.pdf Yup, this is an example of software using OpenFlow. I do object to the still vaporware, not due to ship until the end of the year is closer. The main threat to the T-series is that 10ge slowly removing the need for Sonet/SDH, and if all you need is 10g LAN-PHY the MX with the 16-port MIC does it nicely. It's been talked about for a while, but I'll believe it when I actually see it. :) PTX is also priced very similarly to MX hardware, so while it may indeed be cheaper than T, that doesn't really mean much (except for which Juniper business unit gets the revenue :P). It's not anything revolutionary, that one is still waiting to happen. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] TCAM full on EX8200?
On Thu, Oct 13, 2011 at 02:19:40PM +0200, Michele Bergonzoni wrote: Il 13/10/2011 13.31, Chen Jiang ha scritto: AFAIK, The EX8200 use SRAM for FIB and TCAM for ACL, that's not like EX2200/3200/4200 that use TCAM for all FIB and ACL. You could vty to line card and try this knob and see what happened: PFEM2(vty)# show shim route lpm-dmm-stats Not sure to understand how something can switch data at that speed using SRAM as a FIB, but it's consistent with my TCAM appearing almost empty. Anyway, here's the output: PFEM2(vty)# show shim route lpm-dmm-stats IPV4 - ShadowIdx: 0Partition: 0 numOfUsedBlocks : 2077numOfAllocatedBytes : 48216 numOfFreeBytes : 2046640 numOfPickAllocatedBytes : 48380 numOfPickAllBlocks : 2370 ShadowIdx: 0Partition: 1 numOfUsedBlocks : 320 numOfAllocatedBytes : 667884 numOfFreeBytes : 1427132 numOfPickAllocatedBytes : 672216 numOfPickAllBlocks : 448 ShadowIdx: 0Partition: 2 numOfUsedBlocks : 17569 numOfAllocatedBytes : 2083064 numOfFreeBytes : 11952 numOfPickAllocatedBytes : 2083816 numOfPickAllBlocks : 22343 EX8200 uses SRAM for forwarding lookups, and TCAM for firewall filtering. SRAM is perfectly capable of doing lookups at these speeds, and infact is a lot more flexible than TCAM, whereas TCAM is actually much better suited for doing high speed packet filtering. At any rate, your problem is in partion 2. See how you have 2MB allocated and only 11k free, while in partition 0 it is almost completely unused, and in partition 1 only 667k out of 2MB is used? One of your SRAM partitions is full, and thus you can't add more routes to the FIB. Determining exactly how this happened, and how far you need to plant your foot up Juniper's ass to get it fixed, is best left as an excercise for the reader. All I will say is that they are now selling -ES (enhanced scale) linecards for EX8200 which have more SRAM capacity. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] download.juniper.net mime types
On Tue, Aug 30, 2011 at 01:52:45PM -0500, Richard A Steenbergen wrote: Dear Juniper, You guys broke your mime types again, at least for all the 10.4S6.6 service release URLs. :) Sigh... I know nobody wants to bother trying to be standards compliant or testing things on any platform other than IE these days, but I really can't believe nobody cares about not serving up your .tgz junos downloads with Content-Type: plain/html... Does nobody else notice that it's now an epic pain in the ass to download code with something like lynx? -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Securing management access to Juniper gear
On Fri, Sep 02, 2011 at 02:37:11PM -0400, Mark Kamichoff wrote: I'm not an EX guru, but I believe the same concepts can be applied. With the caveats that: 1) lo0 filters *WILL* (quite incorrectly) match data plane exception packets that get punted to the RE for further processing as well, such as TTL expiring traceroute packets routing THROUGH the box. Mostly this issue applies to EX, which seems to punt a whole bunch of everything to the RE rather than deal with it on the FPC CPU like traditional Juniper hardware, but the same thing actually still happens with TTL expiring packets being popped out of an LSP on MX Trio hardware too. You need to make exceptions for this in your lo0 filter, or else you'll find your control plane filters matching more than just control plane packets, breaking traceroute/etc, and generally pissing everyone off. I believe there was also a related ongoing issue on EX where an lo0 filter with an explicit deny of all traffic at the end would actually match ARP traffic too, so you should probably be careful with those as well. :) 2) EX lo0 filters don't actually work correctly for DoS prevention, they get applied *AFTER* the packets have already destroyed the RE, and thus are completely ineffective at defending the boxes from attack. The only way to correctly block control plane traffic on EX is with ingress filters on real intefaces (or RVIs). -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] JUNOS 10.4S6 for EX8200 - PR/676826
On Wed, Aug 31, 2011 at 08:59:26PM +0800, Mark Tinka wrote: 10.4R4.5 today on our EX3200's/4200's. We were forced (kicking and screaming) into 11.1S2 on our EX8200s for some feature support that just wasn't available any other way, but all things considered the code has actually been pretty darn good (as far as EX code goes). Put it this way, I was expecting a LOT worse. Yes you can still royally screw up the fib if you insert cards while it's converging, or make it take an hour to update the fib by looking at it funny, but things have actually been relatively stable and light on the other major issues (crashing, blackholing, etc). Chalk one up to the new development process I guess, though personally I'm still pretty darn annoyed at the whole hour to update the fib thing. :) SRX, you might as well run whatever came on it, because it won't work anyway. The ALGs don't work, at times proxy arp doesn't work, your logs will be full of interesting (and scary) error messages, bugs that were supposed to have been fixed aren't, licensed features (like dynamic-vpn) don't work at ALL, etc. None here, but the constant pain about them on the list is glaring. I have an SRX210 in my basement doing my home routing, and it is the only free device I've ever been given that I would seriously consider returning and asking for my money back. Broken doesn't even begin to describe it, my condolences to anyone who actually needs to run these things in production. M/T series probably have the most flexibility as they have been around long enough not to push people towards 10.4/11.[12] -- people can just select the appropriate SR. Agree - we have far fewer issues with these as they're older and most of the new junk going into Junos today isn't to do with them save for a couple of features (which are sometimes hardware dependent) and general bug fixes. We've hit some silly bugs on the M-/T-series lately, but nothing near as bad as the MX. We've been running 10.4 on MX ever since R4, with a healthy mix of I-chip and Trio boxes (not combined though), and the code has actually been pretty solid. Yes there are some outstanding issues somewhere between annoying and obnoxious but you can work around it that still aren't fixed until R7, but in the grand scheme of things it all mostly works. Then again, after the debacle that was 10.2 I'm excited when the things don't randomly shoot flaming packets out of their ass, so maybe it's just a case of lowered expectations. :) Can't blame you. If you're new to Juniper, just coming from Cisco, feelings might be familiar. If you started with Juniper back in the days of Junos 5, 6, 7 and 8.4, as they say, Those were the days. About as good as Cisco is where I'd put things today on the code reliability scale. Not to say that I'm happy with that state of affairs, but as Homer would say, urge to kill... fading :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] JUNOS 10.4S6 for EX8200 - PR/676826
On Thu, Sep 01, 2011 at 11:48:36AM -0400, Paul Stewart wrote: Actually I'm curious as well - RAS is not typically wrong though about this kind of stuff ;) We have numerous SRX deployed for firewall and router functionality - some are running Dynamic VPN (which yes, we've had issues with - definitely it's not perfect). We've been bitten by some surprises as well ... so I'm not disagreeing, just saying that we're pretty used to these issues we've encountered and don't deploy if we know they will come up. Typically, we use them as site to site VPN boxes along with firewalling. I have an SRX210 at my home as well - run the full UTM suite on it and had no real issues (granted it's a home environment to be fair). RAS, can you share a few highlights of broken? Just doing simple routing and IPSec tunnels, and we're talking every random little thing you can possibly imagine, across about a dozen different versions of code and a lot of time hoping it would get better. I still have to reboot the thing once every few weeks just to keep the packets forwarding. The most insane thing I saw was when trying to use BGP to originate a /24 over my IPSec tunnels, you couldn't keep the sessions up for more than ~24 hours without restarting rpd. I've had to disable just about every feature to keep things even mostly working, for example the last time I tried to configure IPv6 on a gre tunnel it would sometimes randomly not configure ANY IPs on the interface when it would boot. You could show int terse gr-#/#/# and they just wouldn't be there, no matter what the config was, etc. I'd have more reliable internet at home if I had a Linksys. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] download.juniper.net mime types
Dear Juniper, You guys broke your mime types again, at least for all the 10.4S6.6 service release URLs. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] JUNOS 10.4S6 for EX8200 - PR/676826
On Wed, Aug 31, 2011 at 07:42:21AM +1000, Dale Shaw wrote: Hi all, So, --sigh--, it looks like there are still severe bugs being discovered in JUNOS 10.4: http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2011-08-348actionBtn=Search Does anyone know more about PR/676826 and what the various conditions that trigger it might be? Anyone know when the defect was introduced? I've opened a JTAC case in an attempt to find out more because we've just embarked on an upgrade to 10.4R6; if the bug can/will bite us I need to decide whether to stick with 10.4R6, go to 10.4S6, or wait for 10.4R7. We hit this bug on several MX devices running junos 64 at the 49 day mark. 10.4R7 isn't due until October, so if you're running the new REs you probably want to go with S6.6 for the fix. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] CWDM SFP+ 10gigE
On Tue, Aug 30, 2011 at 06:31:04PM -0400, Chuck Anderson wrote: Has anyone tried third-party CWDM SFP+ 10gigE transceivers in MX Trio or EX4500? A quick Google search turns up many vendors I haven't heard of: We're running many of the 40km DWDM SFP+ in EX8200 quite successfully, can't speak to the other platforms. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Juniper MX SCBE-MX-R
On Thu, Aug 11, 2011 at 07:33:20AM -0400, Chuck Anderson wrote: I'd rather they slip and put out well tested, stable code than to just release what they have on a specific time schedule. Don't worry, they can still find a way to fail at both. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Any takers on 10.4R5.5 yet ?
On Mon, Jun 27, 2011 at 11:05:48AM -0600, David Ball wrote: I know it's unreasonable to have people continually posting to the list asking about which code is best, but I know many were waiting for a stable 10.4 revision (due in part to its' EEOL nature) but last I heard, 10.4R2 (or was it R3) wasn't ready for primetime. Didn't find much in the archives about 10.4R4. 10.4R4 has been the least problematic code on MX (either trio or ichip, but not mixed) that we've seen in a very long time, probably at least 1.5 years. There were a handful of mostly minor issues in it, but in theory they've been fixed in 10.4R5 (though we have only a couple of routers running R5 so far, so we don't have a massive experience base yet). As always it varies by your feature set, but for a v4/v6/mpls/bgp heavy core router things are finally starting to look up. About damn time too. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Understanding versioning of service and regular releases
On Fri, Jun 03, 2011 at 11:58:00AM +0200, Tore Anderson wrote: On 2011-05-27, JUNOS 11.1S2 was released for the EX. So this release is a couple of weeks newer than JUNOS 11.1R2.3. However, https://www.juniper.net/customers/csc/software/junos_software_versions.jsp says 11.1R2.3 is the recommended version for the EX 4500 in VC configurations. Let me throw out some warnings about 11.1S2 for EX real quick. First off, when you upgrade a backup RE (we saw this on EX8200 but it might apply to VC's too) and are running some older code on the master (we saw this on several dfiff versions of 10.1, 10.2, and 10.3), there is a ~15% chance that when the backup RE comes online is will cause the router to completely stop forwarding traffic. This isn't a case of the backup stealing control of the pfe, and it doesn't leave anything in the logs, it just silently disrupts the master RE so it can't reach anything, and stays that way until you restart the router or switch over to the 11.1 RE. We've seen this happen several times now on several different routers, no GRES or anything like that, and there is no PR yet. Also, they've done something to royally hose the sync process between master and backup RE on this code. When running 11.1S2 on the backup, and any of a dozen different versions of 10.1, 10.2, or 10.3 (haven't tested 10.4, doesn't seem to happen when both REs are running 11.1S2), a commit sync will always fail. This wouldn't be so bad, except that on EX (at least on EX8200) you CAN'T disable commit sync, even if you don't specify it it always does it. This means that you will never be able to commit with the backup RE online, and the only workaround seems to be to reboot the backup RE before you commit on the master so that it sees it offline and successfully ignores it. Again no PR on this yet. No experience with it on 3200/4200/4500/VCs yet, but based on our experience w/EX8200 so far this code should come with a warning label, may be hazardous to your health. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] MX80 Opinions
On Fri, Jun 03, 2011 at 08:31:51AM -0700, Serge Vautour wrote: Hello, Would it be possible for you to share what code version you recommend for Trio? We've had a few MX80s in Prod with 10.2S6 for a while now. We need to add MPC cards to our MX960s and are struggling what version to go with. Continue with 10.2 or move to 10.4? We're also planning on adding alot more MX80s. As of right now we're doing 10.4R4 on new deployments/upgrades of MX80 and MPC, and it's working reasonably well. It's not perfect of course, we have a few fixes already in the queue for 10.4R5 and just found a new rpd coredump the other day, but it's a hell of a lot better than any previous 10.4 builds, and now seems to be the right time to pick up the EEoL release. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] MX80 Opinions
On Sat, Jun 04, 2011 at 12:04:09AM +0800, Mark Tinka wrote: One thing to think seriously about is whether you're going to run your MX's with a mixture of DPC's and MPC's. Depending on which features you need to turn on, you may not be able to boot DPC cards if you have MPC's installed as well. I'd seriously suggest checking with your SE before turning up any features if you're going to mix DPC's and MPC's, or if certain features for the MPC's seem kinky. We've had too much pain for some items. Agreed 100%, plus getting line-rate out of a mixed DPC/MPC environment is a real bitch for a number of reasons, so you'll be MUCH better off if you convert a whole chassis at a time. Though I will say that 10.4R4 didn't give us ANY grief when doing mixed DPC/MPC during the actual conversion maintenance, which is a first for the dozen or so places where we've done this already. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SSH/Telnet session hanging
On Thu, Jun 02, 2011 at 05:44:38AM -0700, Serge Vautour wrote: Hello, I'm confused by your statement that BGP is limited to 4096. I have BGP peers up with 8192: From RFC4271: 4. Message Formats This section describes message formats used by BGP. BGP messages are sent over TCP connections. A message is processed only after it is entirely received. The maximum message size is 4096 octets. All implementations are required to support this maximum message size. The smallest message that may be sent consists of a BGP header without a data portion (19 octets). I suppose JUNOS lets it use an MSS of Nx4096 that will fit in the PMTU. Then again, there was a long standing bug that shows 2x whatever the actual MSS was on show system connections output too, so who knows. :) But under protocols bgp neighbor x.x.x.x tcp-mss the maximum value you can specify if you aren't doing automatic PMTUD is 4096, go figure. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] MX80 Opinions
On Thu, Jun 02, 2011 at 04:26:54PM -0700, Doug Hanks wrote: Daniel, I have nothing but good things to say about the MX80. I have almost nothing but good things to say, now that 90-95% of the cripling Trio-specific bugs have been worked out of the current code. The integrated RE is probably the biggest design limitation. For example, we just got bit by a bad flash drive on one, which caused the kernel to lock up when writing to the disk. This required a physical power cycle to bring the box back every time it happened, left no evidence in the logs (so we had to catch it actually happening on console to know what was going on), and required a complete RMA of the chassis to fix. The lack of redundant REs severely limits the potential of this otherwise excellent little box. Oh and don't forget, a single RE will make your upgrade process take a lot longer too. Juniper would really do well to introduce a 1U small/simple external RE which can be connected over Ethernet, to redundantize a box like the MX80, and to be a reasonably sized BGP route reflector. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] MX80 Opinions
On Fri, Jun 03, 2011 at 11:47:30AM +1000, Julien Goodwin wrote: There was talk of a VC-like implementation for the MX80, although I don't know if that went anywhere. Now that they have the XRE200 what about letting us install Junos64 on it and making it a reflector platform. We actually tested the XRE200 for RR use (since it's a hell of a lot more sane than a JCS), but they specifically lock it down so you can't run BGP on it directly. This is the only JUNOS platform which is SMP enabled right now, and from what I've heard the regular kernel krt isn't thread safe, so my theory is to make it do SMP they may have had to disable some of the normal routing operations and only make it capable of controlling other EX chassis. I'm sure it would make a fine, if very overpriced, Olive though. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] MX80 Opinions
On Thu, Jun 02, 2011 at 09:59:15PM -0400, jnprb...@gmail.com wrote: Although expensive, you can buy the JCS1200 with 64-bit Junos to run as a standalone RR. It's probably more economical if you could also benefit from VPNv4 RRs for MPLS VPN deployments. Price aside, anyone who wants a 12U RE needs to have their head examined. :) How freaking hard can it be to take an off-the-shelf 1U PC, slap a Juniper logo on the front, mark it up 20x like everything else, and sell it to us as a fully supported RR? I'm still confused how this has managed to escape their attention. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] MX80 Opinions
On Thu, Jun 02, 2011 at 07:11:31PM -0700, Doug Hanks wrote: The new MX REs run 64-bit Junos. 64-bit JUNOS != SMP enabled. The only difference is the amount of ram it can address, those fancy quad-core CPUs only run on a single core. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] JUNOS major releases - differences between revisions
On Fri, May 20, 2011 at 10:38:22AM -0700, Jim Boyle wrote: You can also take a look at the results from our online PRSearch application. http://www.juniper.net/prsearch/ Select 10.4R3, or 10.4R4 and show the results Closed in that release. That will show available PRs with commits/resolution in that release (Closed isn't quite accurate here as the PR may be open for other releases or follow-on actions) Thanks to Alex for the pointers on the release notes. In general, the release notes show what is fixed in that release (under Resolved Issues for each section). So if you check the PRs in the 10.4R4 ones, and cross check them on the web, you should find they are resolved in 10.4R4. I'll admit that finding the this information isn't as easy as it should be. Juniper certainly has room for improvement here for usability as well as consistency of information. We are working towards improvements in this area. Alas we find that something like 75% of our PRs end up being marked confidential until we ask for them to be changed (sometimes multiple times :P), even when there is no reason for them to be, which tends to make the PR search all but useless for any real work. And I won't even start complaining about the accuracy of the PR public facing descriptions, that would be a whole 'nother thread. :) Sorry but the only way to get any real work done is to have an RE or SE be your bitch and look up the PRs to tell you what they're REALLY about, hoping for anything else is a complete fantasy. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX switches and TCAM utilisation
On Wed, May 18, 2011 at 05:10:54PM +0100, William J Hulley wrote: Hi, I'm using some EX3200s running 10.0S6.1 and developing a configuration using filter based forwarding to policy route traffic between routing instances. It's all working fine in the lab but I'm concerned about the potential growth of the firewall policy and utilisation of the TCAM in production and would obviously like to model the usage and monitor it. Are there any known supported/un-supported ways of getting useful stats out of the box beyond just relying on syslog messages saying there isn't enough cam? Drop into the fpc shell from root, like so: RE:0% vty fpc0 BSD platform (MPC 8544 processor, 48MB memory, 0KB flash) PFEM0(vty)# Next you need to find the vendor ID for the platform, like so: PFEM0(vty)# show tcam vendor Vendor = internal_ch3_tcam Vendor_id = 1 For EX8200 it's vendor id 6, for EX3200 it seems to be vendor id 1. Then you need to find the instance ID for the hardware you're looking for. On EX8200 I know instance 2 is used for GE cards, instance 4 is used for XE cards. On EX3200 there only seems to be instance 2 (as you'd expect): PFEM0(vty)# show tcam vendor 1 instances Vendor InstancePage Size internal_ch3_tcam 2 4 So then to view the usage info for this vendor/instance: PFEM0(vty)# show tcam vendor 1 instance 2 rules Number of rules as Ingress PACL: 0 Number of rules as Ingress VACL: 0 Number of rules as Ingress RACL: 528 Number of rules as Egress PCL: 135 528 Ingress RACL rules HW-indexPage_idEntry_idrule_size fw_idRule 6296 1574 0227 AUTOFW-INVALID-PROTOCOLS.ext.0 6298 1574 2227 AUTOFW-INVALID-PROTOCOLS.ext.1 6496 1624 0227 AUTOFW-BORDER-FILTERED-PROTOCOLS.ext.0 6498 1624 2227 AUTOFW-BORDER-FILTERED-PROTOCOLS.ext.1 6708 1677 0227 AUTOFW-BORDER-LIMIT-IP-OPTIONS.ext.0 6710 1677 2227 AUTOFW-BORDER-LIMIT-IP-OPTIONS.ext.1 6960 1740 0227 AUTOFW-LIMIT-ICMP-ECHO.ext.0 ... TCAM utilization: 1326(used), 12938(free), 14264(total) And there is your total tcam utilization above. Depending on code and platform it may show you a slightly different view, for example here is the utilization on an EX8200 running older 10.1 code: PFEM15(vty)# show tcam vendor 6 instance 4 rules Instance 4 DB 0 Ingr PACL:0/ 996 (current/max) rules. Util. 0.000% DB 1 Ingr VACL:0/ 12288 (current/max) rules. Util. 0.000% DB 2 Ingr RACL: 410/ 32768 (current/max) rules. Util. 1.251% DB 3 Egr PACL:0/1024 (current/max) rules. Util. 0.000% DB 4 Egr PCL1: 103/8188 (current/max) rules. Util. 1.258% But you get the gist. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SFP Status and Conditions
On Wed, May 11, 2011 at 03:39:39PM -0300, Giuliano Medalha wrote: People, Is it any possible to monitor the SPF status of an EX switch ? Is there some commands to see SFP or XFP or SFP+ status ? - power - model - temperature Some SFP supports DD for verification. Juniper supports it ? show interfaces diagnostics optics You may also be interested in http://juniper.cluepon.net/OS_dom, which adds a sorely needed summary view for DOM. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX Series | 10.4R3.4 Limited Received Routes
On Sat, Apr 30, 2011 at 08:48:59AM -0700, Bill Blackford wrote:
So if what you are saying is that the EX, only being capable of 16k
routes, will only Receive and Accept a random smattering of a full
table being sent up to 16k and any filters beyond that filter on the
16k Received and installs that balance as Active?
If this assumption is correct, then what I'm seeing is expected
behavior?
The 16k limit is a RIB limit from the default hard-coded configuration
on small-EX's. This doesn't really protect the FIB, as the FIB is much
smaller still, more along the lines of 12k total unicast entries for
IPv4 (and much less if you actually install IPv6 routes) on
EX3200/4200..
You can see the RIB limit at /etc/config/ex-series-defaults.conf:
routing-options {
rib inet.0 {
maximum-prefixes 16384;
}
rib inet6.0 {
maximum-prefixes 4096;
}
All you have to do to override this is apply those options with
increased values to your own configuration. Of course if you do, you'll
immediately hit the next limit, a hard-coded maximum data size of 128MB
which will cause rpd to coredump when it allocates that much memory. To
change this, you have to edit /boot/loader.conf and increase the
kern.maxdsiz line to something a little more sensible (like say 512MB).
Unfortunately this value will be blown away every time you do a new
jinstall, so you'll need to keep it up to date every time you upgrade.
To not flood your FIB, you'll need to block a bunch of routes at the
RIB-FIB export layer, which happens in a policy you apply at
routing-options forwarding-table export XX. For example, you might
want to allow a default, static, isis|ospf, and some internal cust
routes, but otherwise block the rest of the BGP routes to keep the table
size small.
None of this has anything to do with an arbitrary liit of 28k active
routes. If you were bumping up against the maximum-prefixes config, the
number would be 16k total for the RIB, not 28k. When this limit gets
hit the future routes are just silently dropped from the RIB, which is
certainly a lot better than the Cisco method of disabling CEF and making
the box unusuable until someone goes to reboot it. :)
--
Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] ex4200 egress filter
On Thu, Apr 28, 2011 at 12:22:43PM +0100, Nick Ryce wrote: Hi Chris, The issue should be resolved next week in a service release against 11.1R1 We hit this issue while testing 11.1R1, and oh what a mighty big screwup it was on Juniper's part too (that it even tries to parse the packets that are killing it in the first place, when NOT CONFIGURED TO DO SO, simply boggles the mind). Unfortunately it's also not the only packet of death which crashes the FPCs issue in 11.1 on EX, we also discovered another one which DIDN'T get fixed in 11.1S1, so you're taking your life into your own hands if you try to run that code in production. Oh and BTW, 11.1 on EX will also blackhole your packets while BGP converges following bootup, for up to 15 minutes in our testing. Consider yourselves warned. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] ex4200 egress filter
On Thu, Apr 28, 2011 at 05:17:46PM +0200, Tore Anderson wrote: * Richard A Steenbergen We hit this issue while testing 11.1R1, and oh what a mighty big screwup it was on Juniper's part too (that it even tries to parse the packets that are killing it in the first place, when NOT CONFIGURED TO DO SO, simply boggles the mind). Unfortunately it's also not the only packet of death which crashes the FPCs issue in 11.1 on EX, we also discovered another one which DIDN'T get fixed in 11.1S1, so you're taking your life into your own hands if you try to run that code in production. Hi Richard, Could you be a bit more specific about this issue that remains outstanding in 11.1S1? Is there a PSN for it? I have a pair of EX4500s in my lab for setup currently, and any older release isn't an option due to the lack of IPv6 and VC support. No comment on how to reproduce it, at least until they fix it and ok the release of details. No PSN yet, but basically it's just another magic packet of death which crashes the FPCs, similar to the last NetBIOS issue. Almost all of our testing is on EX8200, but often times these things behave similarly across the smaller EX's too. I'm just warning people not to jump into 11.1S1 expecting everything to work great, because it most certainly does not. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] output-list for ex4200
On Wed, Apr 27, 2011 at 12:24:25PM +0100, Nick Ryce wrote: Any ideas if this is supported in 10.4 as we have a standard ACL we use on most customer vlans and then a customer specific vlan? Nah, filter chains are definitely not supported on EX, and I'm not aware of any near term plans to add it. Even on the major platforms, filter chains aren't exactly a completely well-thought-out solution. Doing the next term operation that you need to force packets to be evaluated all the way through the chain actually consumes lookup capacity inside the firewall processing, and it is surprisingly easy to exhaust this capacity. For example, something on the order of a dozen filter terms in a chain, doing relatively simple matching, is enough to exhaust the capacity of an I-Chip on an MX DPC. When this happens, you'll suddenly discover that your ports are no longer capable of doing line rate packets/sec, and there will be no indications of the drops short of poking around in the show ichip commands on the PFE. Needless to say, this can make for a really bad day. We use a commit script to automatically build unique per-interface firewall filters out of individual filter config components. It's not pretty, but unfortunately this is really the only practical way to get the kind of config reuse you're looking for, not to mention the only way to actually protect the control plane on the EX. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] MX480 troubles.
On Wed, Apr 13, 2011 at 01:27:15PM -0400, Chris Evans wrote: Question to you all... It seems like alot of folks run bleeding edge code with some if these major bugs popping up.I also get the impression that a lot of shops don't test code before they deploy. I'm just curious how this works for you. In my company we would get seriously reprimanded for deploying software that is not tested and any time we have outages we have to go through big hoops to understand why how to fix etc.. so we do the best we can to deploy architectures/platforms/code that wont have issues. I couldn't imagine being bleeding edge in a service provider environment, its just a concept I can't fathom being in the environment I'm in.. Nobody wants to run bleeding edge code, but newer code is required to support new hardware such as the MX Trio cards (which are much cheaper per port, higher density, and more featureful). Unfortunately a lot of the older newer code that had initial support for the new hardware (such as 10.2) is *REALLY* buggy, which makes the bug fixes in really new code a lot more attractive. We've tried to look at 10.4R3 (since it finally fixes ISSU for us for the first time in close to 2 years :P), but it's still just too buggy in the lab, so we're still doing 10.3R3 on new MX deployments/upgrades. Overall 10.3R3 has been relatively less bad than a lot of other recent code. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] MX480 troubles.
On Wed, Apr 13, 2011 at 10:48:30AM -0700, Derick Winkworth wrote: They don't 1.? immediately just blame you or 2.? just tell you to upgrade and sit and do nothing until you do 3.? or tell you that you should have known that with some very narrow set of unlikely circumstances after two or three weeks?some bug will occur.? I don't know what 7 leaf clover you picked to have that kind of luck, but all 3 of the above describe nearly every one of my (many, many) JTAC cases. I'd also throw in: 4. Repeatedly fail to read/comprehend anything you say in the ticket, sometimes for months (or even years) on end. Just the other day I had an exchange with ATAC which went something like this: Me Hi, when this bgp neighbor flaps it sometimes doesn't syslog the event correctly, and instead records garbage messages. ATAC The bgp neighbor is flapping, that is why you are logging the neighbor down, can I close this case? I couldn't make this stuff up if I tried. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] MX480 troubles.
On Wed, Apr 13, 2011 at 10:09:12AM -0700, Keith wrote: We saw random reboots, sometimes hourly, with the first MPC and this was on 10.4R2.6. Juniper wanted to RMA it. When the latest MPC and MIC arrive I will update to 10.4R3.4 and see how that goes. Honestly, sometimes they get a little too RMA happy and throw that out as the solution instead of actually trying to find the real issue. Personally I'd be far more inclined to believe that the problem is software than it is two bad cards in a row, especially where 10.4R2 is involved. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] MX80-48T Fan Speed Variation
On Tue, Apr 05, 2011 at 11:42:08PM +0200, Daniel Roesen wrote: JUNOS logging is a desaster. Either you get FAR too much noise (JUNOS developers love to leave a bouqet of debug messages in there, miscategorized as something else than debug), or you don't get relevant things anymore (like link/adjacency up events). Looks like extensive logging regexp is the only way to get proper logging. :-( A mechanism to recategorize syslogging on an event basis using a policy (so you can fix these terrible defaults) is very VERY high on my feature request list. I forget the exact details, but the last I heard there was at least some interest in implementing this some time in the next year or so. If you agree that this is an important feature, please ask your account teams to make this a higher prority. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Changing SSH port on EX switches, M routers
On Fri, Apr 01, 2011 at 08:23:31PM -0400, Jesus Alvarez wrote: Hi, Is there a way to change the SSH port for managing the EX switches and M routers? We normally avoid using the standard port 22. No, I've been asking for this feature. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] XFP-10G-L-OC192-SR1
On Thu, Mar 24, 2011 at 08:07:57AM -0400, Paul Stewart wrote: Hi folks. These are 10KM optics - how short of a run can you use them for? We have several of these spared at the moment and I'd like to use them for connections between MX480's in the same rack. will they run too hot? http://www.nanog.org/meetings/nanog48/presentations/Sunday/RAS_opticalnet_N48.pdf See page 79. LR and below has no blindness danger even back-to-back, ER has a blindness danger but not a damage danger, and ZR you can actually damage if you don't have enough attenuation before going into the receiver. We don't even bother with shorter reach optics, after way too many issues encountered with SR and the like. It's easier (and cheaper if you have the right sources) to just buy all LR and standardize on SMF than it is to bother maintaining two inventories and mucking with orange cables even for intra-rack stuff. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] 10.0 or 10.4?
On Tue, Mar 22, 2011 at 05:18:47PM +0100, bas wrote: Hi All, Well, after this thread I still didn't know which version I should choose for our 960 with MPC's only. From what I read it was; In the field (Ras, Raphael) we see 10.3r3 as the better choice, and people who talk to JTAC say 10.4r2 is the better choice. (Of course it depends on configuration and config.) But we chose to upgrade to 10.3r3, and installed the version this morning. The upgrade seemed to have gone smooth, but after all BGP sessions had been re-established, and prefixes re-learnt the CPU stayed at 100%. Dropping to shell I saw rpd consuming 99% CPU. Looking at task accounting and rtsockmon I saw no obvious causes. A failover to the backup RE had no effect, the new master RE consumed 100% within a couple of minutes. A colleague of mine did a trace of the process saw that the cycles are being consumed by getrusage system calls. Tomorrow morning we'll try to restart routing, if that has no effect we will try 10.4r2. Haven't seen that here. Both 10.3R3 and 10.4R2 picked up a very similar set of fixes (they have very close release dates) for major PRs which were giving us grief, but 10.3R3 seemed to introduce less new ones in the process. 10.4R3 just came out yesterday, so feel free to give it a shot and report back, but most of our 10.3R3 issues have been relatively less bad than normal. Occasional logging of these junk messages: Mar 22 11:47:12.629 re1.xx1.xxx1 /kernel: %KERN-3: Unlist request: unilist(nh index = 1049538) found on the rnhlist_deleted_root patnode, hence returning Logging of these junk messages (note the incorrect timestamps too, these were actually logged AFTER the Mar 22 output above :P): Mar 4 10:29:50.527 re1.cr1.xxx1 rpd[89570]: %DAEMON-4: , hold timer 1:07.860442 Mar 4 10:47:22.577 re1.cr1.xxx1 rpd[89570]: %DAEMON-4: , hold timer 1:22.570405 Mar 4 10:55:44.479 re1.cr1.xxx1 rpd[89570]: %DAEMON-4: , hold timer 1:21.765648 Mar 4 10:59:59.056 re1.cr1.xxx1 rpd[89570]: %DAEMON-4: , hold timer 1:19.371199 Mar 4 11:02:04.228 re1.cr1.xxx1 rpd[89570]: %DAEMON-4: , hold timer 1:18.704278 Weird stuff like that. Probably the worst issue we've seen so far is that on MX w/MPC cards (not sure if its the sw or hw) doing an l2circuit to a vlan-ccc endpoint and then confusing vlan-maps to push/pop the vlan tag off of the packet before encapsulating in the pseudowire (so you can mismatch vlan IDs on the endpoints) seems to block ISIS packets from being transported (most likely blocking 802.3 LLC frames is my guess). On EX there is a definite problem with the power supplies getting stuck 110v low power mode as far as the chassis is concerned, which is an issue if you need 220v power to fully and redundantly power your FPCs. But at least this code hasn't crashed or blown up massively yet (or failed to do some really important operation like say correctly counting packets in SNMP so you can bill your customers), which is definitely an improvement over a lot of other recent JUNOS code. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] 10.0 or 10.4?
On Tue, Mar 22, 2011 at 05:18:47PM +0100, bas wrote: From what I read it was; In the field (Ras, Raphael) we see 10.3r3 as the better choice, and people who talk to JTAC say 10.4r2 is the better choice. Oh and btw, I have multiple confirmed reports of YET ANOTHER major memory leak in mib2d in 10.4R2. Hope everyone learned their lesson about trusting JTAC version recommendations. :) From 10.4R3 release notes: The mib2d process leaks memory during SNMP walks. [PR/586074: This issue has been resolved.] I'm going to assume it's that. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] about 10.4R3 on EX
On Tue, Mar 22, 2011 at 12:54:25PM -0700, Kaj Niemi wrote: Hi, sarcasm To whomever who decided to introduce new features in a R3 release, thanks ;-( Specifically installing jloader separately is highly appreciated. /sarcasm Sadly, they've been silently introducing new features in the middle of a bug fix release (and introducing new bugs too, which is how I find out about them) for a while now. But for extra bonus points, be prepared for the upgrade to take a REALLY long time to complete too. :) From the release notes: How Long Will the Upgrade Process Take? The process of upgrading to a resilient dual-root partitions release takes longer due to the additional step of upgrading the loader software and a longer reboot time while the disk is reformattedto four partitions during the reboot of the switch that completes the Junos OS upgrade. The reformat increases the reboot time for EX2200, EX3200, EX4200, and EX4500 switches by 5 to 10 minutes. For EX8200 switches, the reboot time increases by 10 to 25 minutes per Routing Engine, and additional reboots are required. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] about 10.4R3 on EX
On Tue, Mar 22, 2011 at 03:46:36PM -0500, Richard A Steenbergen wrote: The process of upgrading to a resilient dual-root partitions release takes longer due to the additional step of upgrading the loader software and a longer reboot time while the disk is reformattedto four partitions during the reboot of the switch that completes the Junos OS upgrade. The reformat increases the reboot time for EX2200, EX3200, EX4200, and EX4500 switches by 5 to 10 minutes. For EX8200 switches, the reboot time increases by 10 to 25 minutes per Routing Engine, and additional reboots are required. Also, in reading the upgrade process for the new boot loader, it says: For an EX8200 switch with redundant Routing Engines, you must upgrade the loader software on both Routing Engines. You can upgrade the loader software on a Routing Engine only when it is master. Make sure that graceful Routing Engine switchover (GRES) and nonstop active routing (NSR) are disabled before you begin the upgrade. The requirement that you can only upgrade it when the RE is the master is a pretty serious issue. This means you can't just pre-stage the upgrade on the backup RE and then switch over to it in a single move, you've got to take down the entire device for the duration of multiple reloads (4 apparently, 2 per RE * 2 REs) to complete the upgrade. Is there some other interpretation of this that I'm missing? From my quick lab testing it looks like you can at least get the jinstall and 25 minute reformatting out of the way beforehand, but you've still got to be master to upgrade the actual loader. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SFPs in MX.
On Fri, Mar 18, 2011 at 12:40:14PM -0700, Keith wrote: FPC slot 0, PIC slot 0 information: Type 10x 1GE(LAN) SFP StateOnline PIC version 2.22 Uptime 4 hours, 58 minutes, 49 seconds PIC port information: FiberXcvr vendor Port Cable typetype Xcvr vendorpart number Wavelength 0 GIGE 1000LX10 SMMRV COMM, INC. SFP-GD-LX 1310 nm 1 GIGE 1000SX MMMRVSFP-DGD-SX850 nm 2 GIGE 1000Tn/a MRVSFP-GA-R n/a 3 GIGE 1000Tn/a MRVSFP-GA-R n/a The uptime is not a good sign as I upgraded this box and rebooted both RE's: System booted: 2011-03-17 13:31:12 PDT (22:54:34 ago) Going through the messages log it appears an CHASSISD_SNMP_TRAP10: FRU Power-On is being generated then a whole lot of messages that looks like a whack of processes are restarting. Can't go into production like this. That means the DPC in question was rebooted 5 hours ago. If you weren't adding or restarting the card then, go look through the logs and figure out why. Scroll back starting at that FRU Power-On message. As for the MRV optics, yes they are non-Juniper branded. Juniper (or any other router vendor for that matter) doesn't actually make their own optics, they just slap a label on optics from a variety of other suppliers. Fortunately Juniper doesn't play games with vendor locking of optics, so you shouldn't have any problems. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Juniper equivalents for migration from Cisco
On Thu, Mar 17, 2011 at 11:23:59AM +0200, Delian Delchev wrote: You may mistakenly assume that EX8200 is equivalent to 65xx, and it is, in size. But against 65xx and 76xx the more correct juniper product should be the MX. Not really. The best direct comparison to the EX8200 is the Nexus 7k line, but 6500/7600s with LAN cards are at least a pretty close runner up (trading in some higher bandwidths and lower prices per port for a more mature platform with some features that haven't been written for EX8200 or N7K yet). Comparing 6500/7600 to MX is pretty apples to oranges, especially if you aren't talking about a 7600 stuffed full of expensive ES/SIP cards. You've really gotta get into ASR9k before you can even start to make a comparison to MX in most categories, which is no big shock considering ASR9k was made specifically to compete against the MX. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] 10.0 or 10.4?
On Tue, Mar 15, 2011 at 10:57:56AM -0700, Steve Feldman wrote: What sorts of bugs did you see in 10.4R2? We were just testing 10.4 on MX, since EX features are being a lot more actively developed, thus making major version jumps much more risky. For example, when we tried moving from 10.1 to 10.2 on EX8200 we discovered a major SNMP issue caused by some internal changes that broke polling and caused severe billing issues. There are a lot of firewall specific changes in 10.4 for EX which we wanted more time to properly test before deploying, since this is an area which tends to cause major outages when bugs do pop up. I already outlined a few of the issues we found on 10.4R2 on MX in a previous post, and seeing as it seemed much less stable than 10.3R3 for near equivalent features and bugfixes I didn't see the point of pursuing it further right now. JTAC is recommending 10.4R2 on our EX8200s to fix a bug (PR581625 in 10.1R4) where some of our firewall filter rules were being silently ignored. Well, here is what I can tell you about the reasons behind our most recent move to 10.3R3 on EX8200 (where these are all fixed). A couple of these were actually fixed in 10.2R3, but a few other nasty issues were introduced at the same time, making 10.2R3 unusable in production. We're heading towards 11.1 in the near future for other reasons anyways, which is why we went after 10.3R3 instead of 10.2R4 for our next major code goal, but 10.4R2 was definitely not confidence inspiring based on the issues we saw under MX. :) PR588115 - Changing the forwarding-table export policy twice in a row quickly (while the previous change is still being evaluated) will cause rpd to coredump. PR581139 - Similar to above, but causes the FPC to crash too. Give it several minutes before you commit again following a forwarding-table export policy change. PR523493 - Mysterious FPC crashes PR509303 - Massive SNMP slowness and stalls, severely impacting polling of 10.2R3 boxes with a decent number of interfaces (the more interfaces the worse the situation). PR566782 PR566717 PR540577 - Some more mysterious rpd and pfem crashes, with extra checks added to prevent it in the future. PR559679 - Commit script transient change issue, which sometimes causes changes to not be picked up correctly unless you do a commit full. PR548166 - Sometimes most or all BGP sessions on a CPU loaded box will drop to Idle following a commit and take 30+ minutes to come back up. PR554456 - Sometimes netconf connections to EX8200's will result in junk error messages being logged to the XML stream, corrupting the netconf session. PR550902 - On a CPU loaded box sometimes BGP policy-statement evaluation will simply stop working, requiring a hard clear of the neighbor (or ironically enough, sometimes just renaming the term in the policy will fix it :P) to restore normal evaluation. PR521993 - Ports on EX8200 FPCs will sometimes not initialize correctly, resulting in situations where for example ports 4 and 5 on every FPC will be able to receive packets but never transmit them. If you continue to try and transmit packets down a wedged port (such as would happen if the port is configured for L2), it will cause the FPC to crash. There are also significant BGP convergence performance improvements introduced in 10.3R3 and 10.4R2 if you have a lot of routes with communities on them. For us this reduced convergence times on EX8200 with a few transit and ibgp rr feed views (~2mil paths) from 1 hour+ to 15-20 minutes. Still not good by any means, but significantly less bad. Of course there are a few other issues introduced in 10.3R3 too (shocker, that NEVER happens :P), but I already discussed them previously. Ultimately I think 10.4 will be more interesting in its R3 or R4 timeframe, with SRs past that, but I don't think we're going to end up using it much on EX8200 (as I said, we're being forced into 11.1 to support specific hardware anyways). -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] 10.0 or 10.4?
On Tue, Mar 15, 2011 at 07:43:25PM +1100, Chris Kawchuk wrote: Just installed 14 x MX960s for a large Aussie Mobile company - The release train we've decided on is 10.4R2 for now, due to EEOL support; and the fact that 10.0 didn't support a few of the cards we added. (16x10GE Trio for example didn't come till 10.2). I hear people make this argument a lot, but in many cases it seems to be more of a knee-jerk reaction than a logical decision. The EEOL branches are definitely interesting once you get into the post-R4 timeframe, but I question the sensibility of trying to deploy it in the R2 timeframe just because it is the EEOL train. Honestly, in many cases the code doesn't even begin to get stable until it reaches R4 and EOL status. The problem we run into is that we almost always discover at least one serious bug in every R4, no matter how well-intentioned the development efforts, but because R4 marks the end of engineering status we're constantly chasing the next branch to get a bugfix for things introduced in the previous branch. Of course what that really means is we discover all new brokeness in the new branch, and the cycle starts all over again. EEOL releases can end up being a lot more stable since you aren't introducing any new features (though anyone who tells you they don't introduce a ton of new bugs just doing service releases is completely full of it :P), so they're a good thing. But, what is the real benefit to deploying 10.4R2 now, as opposed to say 10.3R3? Either way you'll have to do an upgrade later on, so until you get to 10.4R4 there is no difference in 10.4 being the EEOL branch. We recently spent a fair bit of time trying to decide between 10.3R3 and 10.4R2 for a lot of MX960 and EX8200 upgrades, and came to the conclusion that 10.4R2 was significantly buggier. Why JTAC is recommending it I can't even begin to guess, I really think they have the recommended version page hooked up to a random number generator some days, but in our testing it wasn't even close. Which isn't to say 10.3R3 is perfect, but it's definitely on the less broken than ever side of things. So far we haven't had any issues with Trio hardware or snmp problems that we saw in 10.2R3 or 10.3R2, and if you carry a large number of BGP routes with communities you'll see some significant performance gains in policy evaluation which can improve convergence times quite a bit. Off the top of my head some issues we've seen with 10.3R3 so far are: * Syslogging of BGP messages seems quite broken, in many cases not logging state changes correctly at all. * ISIS packets inside a l2circuit are eatten by MX's when vlan-mapping is configured on the endpoint vlan-ccc. * EX8200 power supplies will think they're running in 1200W 110V input power mode if you reinsert them after a reboot, even if fed with 220V power which should run them in 2000W mode. This will cause cards to power down if the chassis thinks there is insufficient power, so you may not have proper power supply redundancy. No doubt there are plenty more too, but at least in a core service provider role it's been a lot less bad (lets just say its nice to not have to hard clear bgp neighbors to make policy changes take effect :P). I have also hear that 10.4 also included a mass re-write/re-development of a lot of the JunOS code; trying to bring it back within a manageable framework. (Note how it went from 10.2R3 to 10.4, skipping a 10.3 release for some platforms). Hence, 10.4 is the new code base. I don't know if this is a good thing or a bad thing initially, but should only improve with time. Actually it's the opposite, 10.3 and 10.4 were both nobody touch anything that isn't essential no-feature releases, to try and bring the development framework into a more manageable state. I'll confirm that they're less broken than 10.2, but that certainly doesn't take much. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Uplink failure detection in EX series
On Tue, Mar 15, 2011 at 12:25:59PM +0100, Tore Anderson wrote: Hi, I'm wondering if it possible to configure something equivalent to the EX2500's Uplink Failure Detection on the JUNOS-based EX series switches? I want to designate a couple of interfaces as uplink ports, and if they all go down, all the other ports on the switch should be disabled as well. I think uplink failure detection is on the roadmap for 11.1, though I'm not sure about the EX-specificness of it. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] sflow on 2x EX4200 VC - no sflow data send
On Tue, Mar 15, 2011 at 02:15:52PM +, Giovanni Bellac wrote: The problem is, that the VC is not exporting sflow data to the collector. We found a number of sFlow issues in our testing. For example, it didn't actually export any data at all on routed interfaces until 10.2. Of course it's not actually useable for us until they fix some of the missing fields (like dst ifindex and nexthop, added in 10.4 I believe), so our testing was very limited. Actually it probably won't be usable in our production systems until the fix the lack of a netmask field (i.e. it'll tell you that the dst IP is 1.2.3.4, but they don't send the field to tell you that the dst route was 1.2.3.0/24), so we're still waiting to do anything serious with it. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Debug vmcore files
On Tue, Mar 01, 2011 at 07:21:58AM -0500, Scott T. Cameron wrote: You could use gdb. But the likelihood of any success without source code is slim. You'd be absolutely amazed how much JTAC stupidity can be avoided by looking at the coredump backtrace yourself, without needing source access. As I understand it they use some point and click tool for automatically identifying PRs which match a coredump, and in my experience their tool is on crack a VERY high percentage of the time. Being able to say uh no, that's not even close to what I see in the backtrace, please try again can literally cut months off the time it takes for a case to be resolved. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Qfabric
On Sat, Feb 26, 2011 at 10:06:45PM -0800, Joel Jaeggli wrote: you'll find no tcam in your high-end MX style platforms and ultimately the power requirements for large amounts of cam will doom the current iterations of tcam technology. 800w per slot devices are bad enough 2kw per slot devices would be a serious pain. Technically not true, MPCs (the modular ones, not the 16x10G card) have TCAM on them, it's just not actually used by any software yet, and it would be used for accelerated firewall lookups not routing. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Qfabric
On Thu, Feb 24, 2011 at 10:03:30AM -0500, Stefan Fouant wrote: No offense, but you are dead wrong on this issue. I come in contact with organizations every single day who have mission critical data requirements and latency is a VERY big requirement for many of these organizations. And while this might not be your experience given the financial services organization you work with, reduced latency was a key enabler/differentiator for the NYSE and one of the main reasons that they chose Juniper for their next-generation data centers. That doesn't actually make it important, it just means there are some customers out there who believe the hype. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Qfabric
On Thu, Feb 24, 2011 at 10:55:10AM -0500, Jared Mauch wrote: I heard about someone building a microwave link btw CHI and NYC due to the lower latency compared to fiber and technology that they are able to attain. This is valuable for the high frequency traders, which while they operate networks, These might care about the latency, but people suffering from other services that are not latency sensitive (eg: TCP) esp when using modern IP stacks, this is less of an issue for 95% of the people out there. You're talking about multiple miliseconds of propagation latency, and one very very specific application (which doesn't even demand a specific latency in and of itself, just that you are better than the other guy so you can out-trade him). When it comes to microseconds of latency in the forwarding plane of a switch/router, I'm far less convinced that this is a real issue. I'm sure you can find people who will vehemently testify that their quad shielded 4 thick $300 Monster HDMI cable makes their tv's picture noticably better too, but that doesn't make it true. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SNMP if-mib stops responding
On Tue, Feb 15, 2011 at 06:27:29PM +0200, Amos Rosenboim wrote: Hello all, This morning one of our MX routers stopped responding to SNMP if-mib queries. It responds nicely to other SNMP queries. The SNMP responses simply arrive empty. Restarting SNMP does not help. We are running 10.2R3. Is anyone aware of this issue and is there any workaround or is a software upgrade the only solution ? restart mib-process -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] How to access routing engine BIOS
On Wed, Feb 09, 2011 at 07:41:36PM +0200, Martin T wrote: Press DEL to enter SETUP However, pressing the Delete button(or F1, F2, Esc which are often used in order to enter BIOS) does nothing. It this possible to access BIOS on some routing engines? Is this possible to change boot device order in routing engine BIOS? DEL will work, you've just gotta work on your timing. It's very tricky. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] How to access routing engine BIOS
On Wed, Feb 09, 2011 at 06:22:07PM +, Martin T wrote: Ok :) Any hints? Even if I press DEL rapidly, it still continues with normal boot process.. Keep trying until you get it right. :) You need to hit it sooner than you expect, due to the lag time of drawing the screen at 9600bps. I've done it hundreds of times, it DOES work, but the timing is tricky. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] juniper / mx series fib usage information?
On Tue, Feb 08, 2011 at 07:08:21PM -0600, Michael Hare wrote: Hello- A quick google didn't help; is there a way to tell how much space you have left in your FIB [absolute RAM, percentage, whatever], specifically for an MX with DPCs? ras@re1.router start shell pfe network fpc0 ADPC platform (1200Mhz MPC 8548 processor, 1024MB memory, 512KB flash) ADPC0(re1.router vty)# sh jtree 0 memory Jtree memory segment 0 (Context: 0x4430cfd0) --- Memory Statistics: 16777216 bytes total 6366560 bytes used 10407144 bytes available (6060032 bytes from free pages) --- 3024 bytes wasted 488 bytes unusable 32768 pages total 11529 pages used (2568 pages used in page alloc) 9403 pages partially used 11836 pages free (max contiguous = 11285) You can also see a breakdown of the individual services like so, but the output above will take multiple tables into account and show you the true utilization on the rldram. In a default configuration, segment 0 is your routing memory, segment 1 is your firewall filters. ADPC0(re1.router vty)# sh jtree 0 summary Protocol Routes Bytes Used - -- -- IPv4 341307 4906680 IPv64579 84256 MPLS 4876792 Multi-service 1 16 I am contemplating activating cymru fullbogons [v4/v6]. We currently carry about 350,000k v4 and 5000k v6 routes. While initially I'm not worried, my gut tells me the v6 fullbogons feed will not be sustainable as it is already at 30k route for ~5k active v6 announcements. While their template doesn't suggest so, I plan to put in ingress prefix-limit maximum on their sessions to something 'reasonable'. Carrying a bogons bgp feed is pretty darn close to worthless really, but you're in no danger of bumping an MX's route capacity unless you're running multiple tables. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] MX480 JunOS version.
On Fri, Jan 28, 2011 at 02:03:54PM -0800, Keith wrote: Currently the box is running 10.2R1.8. It has a MIC-3D 20 port card, MPC1, and RE-S-2000. Juniper just put out a tech bulletin this morning admitting the obvious, that 10.2R1/R2/R3 and 10.3R1 for Trio (MPC) cards are massively broken and shouldn't be used. Try 10.3R2, it's been mostly ok for us (not counting the bug we hit the other day where all the MPCs crashed in an endless loop after updating a prefix-list referenced in a firewall filter on them, but at least so far this seems rare :P). Alas 10.3R3 seems to be delayed, but you'll be far better off with 10.3R2 than you will with 10.2R1 in the config above. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] MX480 JunOS version.
On Fri, Jan 28, 2011 at 06:15:08PM -0500, Paul Stewart wrote: We're still running 10.0R3.10 on MX platform (MX480) and with an uptime of about 261 days and no obvious issues (notice I choose my words carefully there) is there a reason to upgrade or just sit back at this point? I realize this is a bit of a loaded question but today we have no issues that we're aware of. The simpler your network and the less features you use (and to some extent, the less observant you are :P), the less likely you are to run into bugs. You're also using the older DPC cards which are a lot more stable, the fun starts with the brand new MPC/Trio cards. If it ain't broke, why fix it. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] MX480 JunOS version.
On Fri, Jan 28, 2011 at 07:10:27PM -0500, Jonathan Towne wrote: I actually find myself in the same situation as the OP, as I just powered up and started doing some initial configuration, testing, and most of all: some learning on our new MX480 (with MX-MPC2-3D), it seems to have shipped with 10.3R1.9 on it. Can you elaborate on the bustedness of this release at all, or bound to secrecy? I haven't run into anything weird yet, but I'm very early on in the process, only having some basic connectivity to a few LAN switches, and a logical system with a pair of IBGP sessions up inside it. Where should I expect oddity, as I was hoping to wait and get a better lab setup with it to try an ISSU to 10.3R2 to see how it goes (I also have GRES and NSR enabled..)? This has been discussed to death already, go look at some past threads on Trio/code stability in recent months. Lots of issues have been seen, like several different ways to break snmp counters, blackholing of packets under various mpls configurations, crashing MPCs, etc, etc. Also ISSU doesn't work on Trio hardware yet, so don't get your hopes up, and doing a GRES switchover is one way to trigger SNMP counter issues on that code. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SNMP polling issue MX
On Sun, Jan 09, 2011 at 04:14:04PM +0300, Tarique A. Nalkhande - BMC wrote:
All,
Even we faced a similar problem on our MX's running 10.2R3. Further
findings revealed memory leak bug for mib2d process.. restarting mib2d
fixed it.
Juniper is probably tracking it through some internal PR, the
committed release is 10.2R3 which doesn't look likely.
Hrmm supposedly the mib2d memory leak is fixed was 10.2R3, but we never
actually tested it, we just skipped straight ahead to 10.3R2 on new
deployments (as there were many other SNMP bugs still not fixed in 10.2
at the time). A quick and dirty workaround for the memory leak issue is
to periodically restart the mib2d process, which you can do with an
event script like so:
event-options {
generate-event {
/* Adjust ttimer as necessary based on memory consumption */
restart-mib2d time-interval 604800;
}
policy restart-mib2d {
events restart-mib2d;
/* Adjust this too, to something slightly less than above */
within 60 {
not events restart-mib2d;
}
then {
event-script restart-mib2d;
}
}
}
/var/db/scripts/op/restart-mib2d.slax:
version 1.0;
ns junos = http://xml.juniper.net/junos/*/junos;;
ns xnm = http://xml.juniper.net/xnm/1.1/xnm;;
ns jcs = http://xml.juniper.net/junos/commit-scripts/1.0;;
import ../import/junos.xsl;
match / {
op-script-results {
var $restart-mib2d = {
command restart mib-process gracefully;
}
var $result = jcs:invoke($restart-mib2d);
}
}
--
Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] current JunOS versions for MX80, EX8200?
0pf+0w 0.088u 0.137s 0:00.61 34.4% 4345+2926k 0+0io 0pf+0w 0.104u 0.159s 0:00.68 36.7% 4491+3047k 0+0io 0pf+0w 0.114u 0.159s 0:03.94 6.5% 4425+3080k 0+0io 0pf+0w 0.111u 0.147s 0:00.80 31.2% 4441+3026k 0+0io 0pf+0w ^^^ I forget if 10.1R4 had most of the fixes for the issues we've been dealing with, but it might be your best runner up if you need something that works immediately (and if you don't mind that sflow doesn't work at all on routed interfaces in pre-10.2 code). If you can wait a little while, we're currently targeting 10.3R3 as our new try to fix everything release for EX8200, and it's due out at the end of Jan. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] RE accessories
On Fri, Dec 24, 2010 at 08:21:18AM -0500, Paul Stewart wrote: That's hilarious! ;) Can I get one for every case I have open please? Please ship 28 of them immediatelyhehehe I wonder if I can get an ER filed to make the humping speed variable based on the load on the router. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] RE accessories
Dear Juniper, I will deploy one of these on every router until all my cases are resolved. :) http://cluepon.net/ras/juniper-accessory.wmv Love, ras -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
