[j-nsp] MX204 scale/performance

2022-01-16 Thread Robert Hass via juniper-nsp
Hi

I'm starting a network reorganization, moving our infrastructure from
Cisco machines to a bunch of MX204 routers.

I have a few questions related to MX204 scale and performance:

1) How big ACLs are supported on MX204 ? (number of entries for all
ACLs configured).
2) I want to use lt- interfaces to address routing between default
(global) instance and logical-router. What performance (for IMIX
traffic) is supported for LT interfaces at MX204 ?
3) What FIB programming speed  I can expect from MX204 (number of
routes per second - new BGP routes, withdraws)
4) Can I somehow prioritise which routes are programmed first in FIB ?
(based on BGP community or policy-statement)
5) How many flows for IPFIX are supported on MX204 ? Is IPFIX somehow
hardware accelerated or done pure in Intel CPU ?
6) Any recommendations for JunOS release ? My plan is to use latest
20.4, but maybe I'm wrong. Features used: Logical Routers, ISIS, a lot
of BGP, a lot of ACLs, RE ACL, uRPF, IPFIX

Thanks a lot
Rob
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] MX80 upgrade path 18.4R

2020-07-06 Thread Robert Hass
Hi
14% more memory is used compared to 10.4R. How many full views do you have in
RIB ?
Rob



On Sun, Jul 5, 2020 at 3:35 PM Gavin Henry  wrote:

> Hi Robert,
>
> Have you seen any memory usage improvements yet? We're on v14 and need to
> upgrade or get a pair of mx204 for our second PoP, to match our first PoP.
>
> Thanks.
>


Re: [j-nsp] MX80 upgrade path 18.4R

2020-07-05 Thread Robert Hass
Thanks for all the replies. Managed to upgrade 17 units. So I'm sharing -
my path for that upgrade:
10.4R -> 13.3R -> 15.1R -> 18.4R

Just ensured there is enough space on /var partition (remove unused files
in /var/tmp and old junos in /var/pkg/sw)

Rob

On Mon, Jun 15, 2020 at 6:41 PM Leon Kramer  wrote:

> Hi,
>
> +1 for recommending doing a backup of config, a complete reinstallation of
> the device and restore of config.
> More than once I experienced strange issues after updates or reboots which
> were entirely gone after reinstallation.
>
> Kind Regards
>
> On Sun, 14 June 2020 at 11:02, Robert Hass wrote:
>
>> Hi
>> I have old MX80 running 10.4R14.2.
>> I would like to upgrade it to 18.4R.
>> But what upgrade should I use ?
>>
>> 10.4R -> 15.1R and to 18.4R ?
>>
>> Rob


[j-nsp] MX80 upgrade path 18.4R

2020-06-14 Thread Robert Hass
Hi
I have old MX80 running 10.4R14.2.
I would like to upgrade it to 18.4R.
But what upgrade should I use ?

10.4R -> 15.1R and to 18.4R ?

Rob


Re: [j-nsp] support of GCM-AES-XPN-128 cipher for MACsec

2019-04-26 Thread Robert Hass
That documentation is very unclear to me for XPN ciphers.

On Fri, Apr 26, 2019 at 7:20 PM Anderson, Charles R  wrote:

> This might answer your question:
>
>
> https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/cipher-suite-edit-security-macsec.html
>
>
> https://www.juniper.net/documentation/en_US/junos/topics/topic-map/understanding_media_access_control_security_qfx_ex.html#id-configuring-media-access-control-security-macsec
>
> On Fri, Apr 26, 2019 at 07:13:04PM +0200, Robert Hass wrote:
> > Hi
> > I'm looking for a list of Juniper devices supporting GCM-AES-XPN-128
> > encryption cipher for MACsec.
> >
> > SRX300 doesn't - just GCM-AES-128
> > What about EX4200, EX4300 or EX3400 ?
> >
> > Couldn't find anything on juniper.net
>


[j-nsp] support of GCM-AES-XPN-128 cipher for MACsec

2019-04-26 Thread Robert Hass
Hi
I'm looking for a list of Juniper devices supporting GCM-AES-XPN-128
encryption cipher for MACsec.

SRX300 doesn't - just GCM-AES-128
What about EX4200, EX4300 or EX3400 ?

Couldn't find anything on juniper.net

Rob


[j-nsp] Old JunOS upgrade path

2019-03-08 Thread Robert Hass
Hi
Can I do a direct upgrade of JunOS 13.2S to 17.4S ?
Platform is MX80
Or should I go step by step: i.e:
13.2 -> 14.1
14.1 -> 15.1
15.1 -> 16.1
16.1 -> 17.1
17.1 -> 17.4

Rob


Re: [j-nsp] vMX questions - vCPU math

2018-12-30 Thread Robert Hass
Thanks
My use-case is vPE, HugePages are already enabled.
I'm using separate VMs for vCP and vFPC (so no nested).

My confusion is related to HT setting, as you wrote to disable it.

But vMX Getting Started Guide for KVM says:

"CPU pinning with flow caching enabled (performance mode) is different than
with flow
caching disabled (lite mode). For both modes, you must enable
hyperthreading"
  ^^

Rob


[j-nsp] vMX questions - vCPU math

2018-12-30 Thread Robert Hass
Hi
I have a few questions regarding vMX deployed on the following platform:
- KVM+Ubuntu as Host/Hypervisor
- server with 2 CPUs, 8 core each, HT enabled
- DualPort (2x10G) Intel X520 NIC (SR-IOV mode)
- DualPort Intel i350 NIC
- vMX performance-mode (SR-IOV only)
- 64GB RAM (4GB Ubuntu, 8GB vCP, 52GB vFPC)
- JunOS 18.2R1-S1.5 (but I can upgrade to 18.3 or even 18.4)

1) vMX is using CPU-pinning technique. Can vMX use two CPUs for vFPC ?
   Eg. machine with two CPUs, 6 cores each. Total 12 cores. Will vMX
   use secondary CPU for packet processing ?

2) Performance mode for VFP requires cores=(4*number-of-ports)+3.
   So in my case (2x10GE SR-IOV) it's (4*2)+3=11. Will vMX count the
   cores resulting from HT (not physical) in that case?

3) What does the JunOS upgrade process look like on vMX ? Is it the regular
   request system software add ...

Rob


Re: [j-nsp] Problem with QinQ MPLS Service + Switch

2018-10-06 Thread Robert Hass
The l2circuit configuration on r03 is fine. I just made a mistake when
posting to j-nsp.
Why should I push and pop on R03 ? Note that QinQ (i.e. adding the second
dot1q tag) is done on the Catalyst switch.

On Sat, Oct 6, 2018 at 3:07 PM Aaron1  wrote:

> And if that doesn’t work, you might need to push and pop on the R03 side...
>
> ...also, is customer sending you 300 tagged frames on r01?  If not then I
> don’t think you should tag and push and pop there on r01 Uni port
>
> Aaron
>
> > On Oct 6, 2018, at 8:03 AM, Aaron1  wrote:
> >
> > At least fix this on r03...
> >
> > interface xe-0/0/0.300
> > Should be ...
> > interface xe-0/0/1.300
> >
> > Aaron
> >
> >> On Oct 6, 2018, at 2:19 AM, Robert Hass  wrote:
> >>
> >> interface xe-0/0/0.300


[j-nsp] Problem with QinQ MPLS Service + Switch

2018-10-06 Thread Robert Hass
Hi
I have an MPLS network based on MX80 routers: r01, r02, r03

I need to establish an MPLS Layer2 service with QinQ from r01:xe-0/0/0 to
r03:xe-0/0/1.300 (VLAN 300). The customer on r01 is directly terminated on
the MX80, and on r03 the customer is terminated via a Catalyst switch (sw01)
on port TenGig1/1/4 (VLAN300).

L2 service established fine (show l2circuit connections)
But service is not working.
Any idea why ?

Network diagram:

Customer --- xe-0/0/0-r01-xe-0/0/1
                          |
                          |
                          |
                       xe-0/0/0
                         r02
                       xe-0/0/1
                          |
                          |
                          |
                       xe-0/0/0
                         r03
                       xe-0/0/1.300
                          |
                          |
                          |
Customer -- TenG1/1/4-sw01-TenG1/1/3

My configuration:

r01:

xe-0/0/0 {
    flexible-vlan-tagging;
    mtu 9100;
    encapsulation flexible-ethernet-services;
    unit 300 {
        encapsulation vlan-ccc;
        vlan-id 300;
        input-vlan-map {
            push;
            tag-protocol-id 0x8100;
        }
        output-vlan-map pop;
        family ccc;
    }
}
protocols {
    l2circuit {
        neighbor 10.10.10.3 {
            interface xe-0/0/0.300 {
                virtual-circuit-id 300;
            }
        }
    }
}

r03:

xe-0/0/1 {
    flexible-vlan-tagging;
    mtu 9100;
    encapsulation flexible-ethernet-services;
    unit 300 {
        encapsulation vlan-ccc;
        vlan-id 300;
        family ccc;
    }
}
protocols {
    l2circuit {
        neighbor 10.10.10.1 {
            interface xe-0/0/0.300 {
                virtual-circuit-id 300;
            }
        }
    }
}


sw01:

interface TenGig1/1/3
 switchport mode trunk
 switchport trunk allowed vlan 300
!
interface TenGig1/1/4
 switchport mode dot1q-tunnel
 switchport access vlan 300
!


[j-nsp] QFX5120-48Y feedback

2018-10-03 Thread Robert Hass
Hi
We're looking for ToR/Leaf switches and QFX5120-48Y looks awesome.
But on Juniper web-page there is no possibility to download software for
that machine - nor release-notes to see what is not working properly.

Does anyone have experience with this switch ?
Are they orderable ? What about delivery time ? 2-3 months ? (like MX
sometimes)
Any problems with software / bugs ?
What about 25G support ? We tested Cisco and got couple of issues...

Rob


[j-nsp] vMX vFPC CPU utilization

2018-09-11 Thread Robert Hass
Hi
Is there any way (i.e. a CLI command) to display CPU core utilization for vMX ?
I just know 'show pfe statistics traffic bandwidth' - but it displays the
amount of traffic vs installed vMX license.

Rob


Re: [j-nsp] Force a reboot from the serial console?

2018-06-03 Thread Robert Hass
On Fri, Jun 1, 2018 at 11:33 AM, Saku Ytti  wrote:

>
> AFAIK (please correct me if I'm wrong). Only Cisco is doing this, and
> even they struggle internally with it, because it does add bit of
> cost, thermal and front-plate density. Cisco's been going on and off
> and on again with CMP port, often citing lack of customer demand when
> they remove CMP port, but then it keeps popping back on.
>

I only noticed CMP was supported on Sup-2T.
Which CSCO latest platforms support CMP or similar ?

Rob


Re: [j-nsp] [rbak-nsp] SE600 End of life status

2017-07-26 Thread Robert Hass
AFAIK you're wrong.

You cannot open a JTAC or TAC (Cisco) case if you don't have a valid support
contract.
Same regarding software upgrades - you cannot upgrade to the next major version
without a valid support contract.
You cannot download any software from Juniper or Cisco without valid
service contracts (even if it's the same version as you have on devices).

What do you mean they get the OEM ? Can they raise a JTAC case for end of life
/ end of support gear ?

Rob


Re: [j-nsp] [rbak-nsp] SE600 End of life status

2017-07-25 Thread Robert Hass
Hi
And how is Multiven providing new software releases or fixing software bugs ?
Black magic ?

Rob

On Tue, Jul 25, 2017 at 2:29 PM, Phil Green  wrote:

> Jim,
>
> PS. Multiven provides _lifetime_ hardware and software maintenance service
> for all IP networking equipment from all OEMs e.g. redback, cisco, juniper
> etc.
>
> Hence you no longer need to panic into an unnecessary and expensive
> hardware refresh nor leave your network vulnerable to cyberattacks because
> of lack of software maintenance support coverage.
>
> Best
> Phil
>
> - Original Message -
> From: "Olivier Benghozi" 
> To: "redback-nsp" 
> Sent: Tuesday, 25 July, 2017 14:12:56
> Subject: Re: [rbak-nsp] SE600 End of life status
>
> Until the end of 2018:
> - there's still some light software support (no new official SEOS release).
> - Hardware support is provided.
>
> > On 25 Jul 2017 at 13:34, Jim Tyrrell wrote:
> >
> > Can someone tell me what the support status is of SE600 & SE1200
> > platforms?  Is the hardware and software now end of life, or are Ericsson
> > still supporting this at present?
>
> ___
> redback-nsp mailing list
> redback-...@puck.nether.net
> https://puck.nether.net/mailman/listinfo/redback-nsp

[j-nsp] FIB size at CFEB-E M7i

2017-04-10 Thread Robert Hass
Hi
What is the supported FIB size for M7i router with CFEB-E ?
Will it handle 1M routes in FIB ?

Rob


[j-nsp] SRX 300 stability and potential issues

2016-09-27 Thread Robert Hass
Hi
I'm wondering about adding new SRX 300 devices to existing network
deployment. Our current network is using SRX100 and SRX240 in branches.

As SRX100/SRX240 are EoS we need to deploy latest SRX300 devices.
They're really fresh so my question is how stable are they ? Any
experiences ?

We will use DMVPN, OSPF, IPS/NGFW application inspection.

Rob


Re: [j-nsp] MX480BASE3-AC - whats inside bundle

2016-04-04 Thread Robert Hass
On Mon, Apr 4, 2016 at 4:42 AM, Chen Jiang  wrote:

> The only difference between "3" and non-"3" model is the enhanced midplane
> to support new 500G line card.  The old non-"3" chassis midplane could
> support about 300Gbps bandwidth per slot.
>

Is it delivered with old SCB or with latest SCBE2 ?

Rob


[j-nsp] MX480BASE3-AC - whats inside bundle

2016-04-02 Thread Robert Hass
Hi
I'm looking for what is delivered with the MX480BASE3-AC bundle.

It should be:
- MX480 chassis
- Fan-Tray
- Two Power Supplies
- One SCB - But which one ? SCB ? SCBE ?
- One RE - But again which RE model ?

Just to compare, the old bundle (without "3") - MX480-BASE-AC consists of:
- MX480 chassis
- Fan-Tray
- Two Power Supplies - 1200W each
- RE-S-1300-2048
- SCB


Rob


Re: [j-nsp] Separate internet transit network versus converged

2016-03-31 Thread Robert Hass
On Mon, Mar 28, 2016 at 1:36 PM, Tarko Tikan  wrote:

> In our case, we run BGP-free MPLS aggregation and BGP-free core. All IP
> services, be L3VPN or inet, are terminated in separate edge boxes. Edge
> boxes are only connected to core and are not in traffic path for other
> traffic (typical aggregation-edge-core is not the case for us). Traffic
> from aggregation to edge are transported in PW.
>
> We are major provider for Estonia and Estonian government, banks etc.
> Almost all of the GOV services, banking etc. depends on our network and
> lives in L3VPN. So it's not really a capex/opex issue but more of a PR one.


Hi
Tarko, can you say something more about traffic ratio/levels - internet
traffic VS vpn-traffic. I assume Internet traffic can consume 5-10 times
more than your VPN customers. Can you agree with that or are your numbers
completely different ?


Rob


Re: [j-nsp] Separate internet transit network versus converged

2016-03-31 Thread Robert Hass
On Tue, Mar 29, 2016 at 3:10 PM, Jesper Skriver  wrote:

> Almost certainly such documents would contain 'secret sauce' that
> the vendor does not want to disclose to competitors.
>

Agree. It's always about vendor BU and Law Departments. "It's our
top-secret technology" even if they're using merchant silicon :) But it's
true that people involved in building such machines are changing jobs, and
it's common to see that some guy is two years at Juniper, the next two years
at Cisco, then Juniper again, then some ALU or other. Second, people from a
former job are still in contact and talk to each other - which means
everybody knows what's going on under the competitor's table.
Especially in Silicon Valley.

Rob


[j-nsp] Shutdown an interface based on CRC errors

2016-02-11 Thread Robert Hass
Hi
I'm looking for a function which can shut down an interface if a CRC error
threshold is exceeded. Is there any existing command for this in JunOS for
MX and EX platforms ?

If not, maybe some OP script ?

Thanks a lot
Rob


Re: [j-nsp] vMX for ESXi

2016-01-09 Thread Robert Hass
On Sat, Jan 9, 2016 at 4:35 AM, Phil Bedard  wrote:

>
> Yes I’ve used both versions.  I know it’s supposed to be DPDK enabled but
> I wasn’t able to push very much through the 5.4.0 and 6.0 images I have.
> Not really that close to what the vMX could do.
>

Using the 5.4.0 image I easily pushed 3Gbps in one direction (total 6Gbps) on
1 CPU Core.
How much traffic did you push ?

Rob

Re: [j-nsp] vMX for ESXi

2016-01-07 Thread Robert Hass
>
> This release for ESXi is joke and crap. Just waste of my time.
>

Someone who wrote the documentation (Getting Started Guide) forgot that VCP
needs a 3rd disk - metadata_usb.vmdk. After adding this disk vMX is properly
detected and communication with vFPC is established. I noticed vmxnet3 for
VFP doesn't work well (eg. I cannot ping hosts / show interface ge-0/0/0
freezes CLI); after changing them to e1000 it performs as expected.


Rob


Re: [j-nsp] vMX for ESXi

2016-01-06 Thread Robert Hass
On Wed, Jan 6, 2016 at 1:51 PM, Adam Vitkovsky 
wrote:

> Got me wondering in what use cases vMX is better than XRv please?
>

It's all about OPEX - we have people here working with JunOS for ages and
never touched XR. Nobody will invest in XR training, also we don't want to
have two platforms for specific services.

Two points against XRv:
- crazy and time consuming upgrade procedure for XR compared to IOS/IOS
XE/JunOS
- SmartLicensing only, cloud licensing sucks

Big point for XRv:
- great performance
- general packaging/support is much better for Cisco NFV than vMX. But I
hope vMX will catch vSRX which is already mature.

Rob


Re: [j-nsp] vMX for ESXi

2016-01-06 Thread Robert Hass
>http://puck.nether.net/pipermail/cisco-nsp/2015-August/100318.html


Our ESXi hosts + CSR 1K VMs have already had the above tuning applied

Rob


Re: [j-nsp] vMX for ESXi

2016-01-06 Thread Robert Hass
On Wed, Jan 6, 2016 at 12:53 PM, Mark Tinka  wrote:

> Cisco have been at this longer than Juniper, so you have to appreciate
> that it will take some time to get a decent product from Juniper.
>
> Otherwise, you'll pull all your hair out.
>
>
We're using CSR 1000V (1G AX licenses) for some routing (even BGP)
plus a lot of VPNs (IKEv2, DM-VPN). Performance is not superb in terms
of pure packet forwarding (I cannot beat 600-800Mbps), but in terms of
encryption/VPNs it is very similar to ASR1000 - easily did 500-600Mbps of
IPSEC. I can pretty much recommend CSR for any crypto/VPN tasks.
Very nice piece of NFV software.

I had the opportunity to test XRv9K 5.4.0 for a more "SP" task - BGP
plus fast forwarding. On 1 CPU core (HT disabled) we did 5-6Gbps
which was totally impossible with CSR 1000V.

But returning to vMX - we have a lot of use-cases for vMX, so Cisco
products are not a cure for us :) Still waiting for *WORKING* vMX
for VMware.

Cheers,
Rob


Re: [j-nsp] vMX for ESXi

2016-01-06 Thread Robert Hass
On Wed, Jan 6, 2016 at 2:34 AM, Mark Tees  wrote:

> One thing I noticed missing in the Vmware document/procedure appeared
> to be the process for using SR-IOV with Vmware.
>
> Do we just follow the Vmware docs on this and the vPFE will pickup the
> virtual functions or is this not supported yet?
>

Hi
This release for ESXi is a joke and crap. Just a waste of my time.
Forget about checking SR-IOV as I got issues with basics.

Downloaded and deployed according to Getting Started Guide.
My machine is HP DL380p Gen8, Dual E5-2680v2, 256GB RAM, Intel 10GE NICs.
Hypervisor - ESXi 6.0 update 01

In a moment I will deploy again, but now on ESXi 5.5 update 02 as
GSG recommends. But I don't feel it will change anything.


1) VCP - olive ?!? probably this is the major problem as the VM wasn't
properly detected

root@VCP> show version
Hostname: VCP
Model: olive
Junos: 15.1F4.15
JUNOS Base OS boot [15.1F4.15]


root@VCP> show chassis hardware
error: Unrecognized command (chassis-control)


root@VCP> show system license
  ^
syntax error, expecting .


+ crashing process all the time

Jan  6 11:12:15  VCP l2cpd[7747]: stp_enable_modules : Failed to get stp base mac address.   All modules will remain disabled.
Jan  6 11:12:16  VCP init: l2cpd-service (PID 7747) terminated by signal number 6. Core dumped!
Jan  6 11:12:16  VCP init: Dump Command: /bin/sh (PID 7937) started
Jan  6 11:12:16  VCP init: l2cpd-service (PID 7938) started
Jan  6 11:12:16  VCP dfwd[2372]: dfwdlib_process_client_disconnect:10664 num_client_id = 1
Jan  6 11:12:16  VCP dfwd[2372]: dfwdlib_process_client_disconnect:10673 num_id_list[0] = 5
Jan  6 11:12:16  VCP gkmd: Exit at main 1105
Jan  6 11:12:17  VCP jpppd: jpppd: main : RLIMIT_STACK cur: 67108864, max: 67108864
Jan  6 11:12:17  VCP jpppd: jpppd: main : RLIMIT_SBSIZE cur: 4294967295, max: 4294967295
Jan  6 11:12:17  VCP jpppd: pid = 8065: IssuWaitTimer: ctor
Jan  6 11:12:17  VCP jpppd: pid = 8065: PppIssuMgr: ctor
Jan  6 11:12:17  VCP dumpd: Core and context for l2cpd saved in /var/tmp/l2cpd.core-tarball.4.tgz



2) VFP

last messages from console - stuck at waiting for VCP :

/home/pfe/riot/phase2_launch.sh: line 154: /var/jnx/card/local/vm_type: No such file or directory
/home/pfe/riot/phase2_launch.sh: line 157: /var/jnx/card/local/type: No such file or directory
Waiting for RE to come up


Probably I will open a JTAC case as we own some VMX commercial licenses
bought during the last MX purchase.

Rob


Re: [j-nsp] vMX for ESXi

2016-01-05 Thread Robert Hass
> Maybe you missed the VMX getting started guide
>
>
> http://www.juniper.net/techpubs/en_US/vmx15.1f4/information-products/pathway-pages/getting-started/vmx-gsg-vmware.html
>
>
Hi
Thanks for this hint. Finally, this guide looks like what I'm looking for
regarding documentation.
But still the TGZ package doesn't have the files which I'm looking for and
which the above guide refers to - *.vmdk files :(

Page 24:
Table 7: vMX Package Contents

vmdk/jinstall64-vmx*.vmdk Software image file for VCP.
vmdk/vmxhdd.vmdk Software image file for VCP file storage.
vmdk/vFPC_*.vmdk
vmdk/metadata_usb.vmdk Virtual hard disk with bootstrapping information

Look what we have in F4 vMX TGZ from juniper.net

~/download$ ls -la *.tgz
-rw--- 1 robert users 1561459359 Dec 29 06:36 vmx-15.1F4.15.tgz
~/download$ tar zxf vmx-15.1F4.15.tgz
~/download$ cd vmx-15.1F4-3
~/download/vmx-15.1F4-3$ find ./ -type f | wc -l
  94
~/download/vmx-15.1F4-3$ find ./ -type f | grep vmdk
~/download/vmx-15.1F4-3$

Rob


Re: [j-nsp] vMX for ESXi

2016-01-04 Thread Robert Hass
On Mon, Jan 4, 2016 at 11:29 PM, Dale Shaw 
wrote:

> ESXi support was introduced in vMX release 15.1F4.
>
>
> http://www.juniper.net/techpubs/en_US/vmx15.1f4/information-products/topic-collections/release-notes/jd0e52.html#jd0e52
>
>
Hi
Thanks for the update, great to hear that. But I downloaded 15.1F4 vMX from
juniper.net and I'm very disappointed as:
1) There are no OVA images in the .tgz. Just *.img, *.tgz which are useless for
VMware. I can convert them to VMDK but come on, I want an official OVA for a
supported product, not dirty solutions
2) the installation doc called 'VMX_Release_Notes_Installation_Guide_Beta.pdf'
(see keyword: Beta :) ) doesn't mention anything related to VMware ESXi,
just KVM & Ubuntu shit.

Above is regarding vmx-15.1F4.15.tgz (size=1561459359)

Rob


[j-nsp] vMX for ESXi

2016-01-04 Thread Robert Hass
Hi

I'm looking for any scheduled release date for vMX (Virtual MX) for the VMware
ESXi platform ?

Current releases are only for Linux virtualization (KVM) which is far away
from VMware in terms of management and ease of use. So until a VMware
release, vMX is currently useless for us.

Rob


Re: [j-nsp] QFX5200 and other software than JunOS

2015-12-08 Thread Robert Hass
Hi
In the last mailing Juniper wrote:

QFX5200 switches are the first to run third-party network services using a
disaggregated version of Junos OS that supports the Open Compute Project
(OCP) software model.
I hope OCP is the same as OCX.

Regarding question why we just want buy more Dells - we would like to have
two HW vendors. Also current Juniper offering is more attractive from our
point of view.

Rob

On Tue, Dec 8, 2015 at 9:56 AM, Raphael Mazelier  wrote:

> My bad. QFX5200 should support Onie, so should be supported by third party
> os. That was really great that juniper open his switches.
>
>
>
> On 07/12/15 19:28, Luca Salvatore wrote:
>
>> Juniper announced a while back (at their NXTWORK conference ) that the
>> QFX5200 would be open.  Best to reach out to your account rep to see
>> exactly what the details are.
>> The QFX5200 isn't shipping just yet, i believe it the 32 port one will
>> be Q1 2016 and the 64 port will be Q2
>>
>> We use lots of the QFX5100-24Q and they have been solid.
>>
>>
> --
> Raphael Mazelier
>

[j-nsp] QFX5200 and other software than JunOS

2015-12-05 Thread Robert Hass
Hi
I'm thinking about new QFX5200 and idea of software-less box (whitebox).
Please correct me if I'm wrong - can I buy QFX5200 without software and
install Cumulus Linux on it as 3rd party software ? (I'm doing this right
now on Dell switches for one project)

Rob


[j-nsp] Cheaper way to have 2x100G and 16x10G wire-speed in MX480

2015-09-26 Thread Robert Hass
Hi
What is the cheapest way to choose proper MPC/MICs to have 2x100G and 16x10G
all wire-speed plus the possibility to extend my configuration to a total of
32x10G and 4x100G ?

Is it possible to have 200Gbps (400G in both directions) per slot in case
of malfunction of one fabric card ?

What can you suggest ?

Rob


[j-nsp] PTX1000 pricing

2015-09-13 Thread Robert Hass
Hi
Any rumors about potential pricing of PTX1000 ?
I'm just looking to replace edge peering routers and PTX1000 looks very very
promising.

Checked the pricelist from Sep 2015 but there isn't any pricing yet

Rob
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] EX4300-24T and 40GE ports

2015-09-09 Thread Robert Hass
Hi
I have two questions regarding the 40GE ports built into the EX4300-24T switch.

Can I use these ports as regular line ports / VLANs / 802.1Q - instead of
VirtualChassis ?
Do they support breakout into 4x10GE ?

Rob


Re: [j-nsp] QinQ on MX bridge-ing

2015-04-16 Thread Robert Hass
I'll try. But what about VLAN 102 and 103 ?
I have also IRB on VLAN 102


On Thu, Apr 16, 2015 at 1:40 AM, Chris Kawchuk 
wrote:

> Try this
>
> set interfaces ge-2/1/2 flexible-vlan-tagging
> set interfaces ge-2/1/2 mtu 9192
> set interfaces ge-2/1/2 encapsulation flexible-ethernet-services
> set interfaces ge-2/1/2 unit 100 encapsulation vlan-bridge
> set interfaces ge-2/1/2 unit 100 vlan-id 100
>
> set interfaces ge-2/1/3 flexible-vlan-tagging
> set interfaces ge-2/1/3 mtu 9192
> set interfaces ge-2/1/3 encapsulation flexible-ethernet-services
> set interfaces ge-2/1/3 unit 100 encapsulation vlan-bridge
> set interfaces ge-2/1/3 unit 100 vlan-id 100
>
> set interfaces ge-2/1/5 mtu 9192
> set interfaces ge-2/1/5 encapsulation ethernet-bridge
> set interfaces ge-2/1/5 unit 0 family bridge
>
> set protocols protection-group ethernet-ring erpsring1 data-channel vlan 100
> //* if you're using ERPS for failover on a ring of EX42's, which you
> should -- to avoid using dreaded spanning tree protocols ;)
>
> set bridge-domains QinQ vlan-id 100
> set bridge-domains QinQ interface ge-2/1/2.100
> set bridge-domains QinQ interface ge-2/1/3.100
> set bridge-domains QinQ interface ge-2/1/5.0
>
> 2/1/2 and 2/1/3 are the "trunk" ports, you only care about the outer tag
> here. (its double tagged coming in from the EX42, but you dont care at this
> point)
> 2/1/5 is the "access port" which pops the outer tag on egress, slaps it on
> on ingress; regardless if it's already tagged coming in.
>
> - CK.


Re: [j-nsp] QinQ on MX bridge-ing

2015-04-16 Thread Robert Hass
Hi
Yes. It should be:

set bridge-domains VLAN101 domain-type bridge
set bridge-domains VLAN101 vlan-id 101
set bridge-domains VLAN102 domain-type bridge
set bridge-domains VLAN102 vlan-id 102
set bridge-domains VLAN103 domain-type bridge
set bridge-domains VLAN103 vlan-id 103

I made a typo in the first e-mail

On Thu, Apr 16, 2015 at 1:33 AM, Chris Kawchuk 
wrote:

>
> Don't you mean 102 and 103 for the other vlans?
>
>
> On 16/04/2015, at 8:32 AM, Robert Hass  wrote:
>
> > set bridge-domains VLAN101 domain-type bridge
> > set bridge-domains VLAN101 vlan-id 101
> > set bridge-domains VLAN102 domain-type bridge
> > set bridge-domains VLAN102 vlan-id 101
> > set bridge-domains VLAN103 domain-type bridge
> > set bridge-domains VLAN103 vlan-id 101


Re: [j-nsp] Stable JunOS for MX80

2015-04-16 Thread Robert Hass
Can you write some details regarding this bug which you are encountering
on 11.4R ?

Rob


On Thu, Apr 16, 2015 at 11:28 AM, thiyagarajan b 
wrote:

> Hi Rapheal,
> 11.4 is what we are running now,where we encountered a bug forcing us to
> upgrade. 12.3R8 have few memory related bugs which seems to be resolved in
> 14.1R4.
>
> Warm Regards.
>
> On Thu, Apr 16, 2015 at 2:40 PM, Raphael Mazelier 
> wrote:
>
> >
> >
> > Le 16/04/15 10:58, thiyagarajan b a écrit :
> >
> >> Thanks All for your suggestions,
> >> Have taken 14.1R4 OS which has no bugs relating to our config. The memory
> >> (2GB RAM and Flash) would suffice?
> >>
> >>
> > The best release will depend on our need.
> > Basically if you do not want sampling you are safe running stable 11.4
> > branch. Or use the JTAC recommended version: 12.3R8.7.
> >
> > --
> > Raphael Mazelier
> >

[j-nsp] QinQ on MX bridge-ing

2015-04-15 Thread Robert Hass
Hi

I'm looking for a hint on how to configure a port in QinQ mode on MX.
I need to have QinQ enabled on ge-1/1/7 (Customer) and interconnected via
a trunk port to EX4200 on ge-1/1/9. VLAN ID can be 104.

I looked at the manuals but cannot find this.

My current L2 bridging configuration:

set interfaces ge-1/1/8 unit 0 family bridge interface-mode access
set interfaces ge-1/1/8 unit 0 family bridge vlan-id 101
set interfaces ge-1/1/9 unit 0 family bridge interface-mode trunk
set interfaces ge-1/1/9 unit 0 family bridge vlan-id-list 102
set interfaces ge-1/1/9 unit 0 family bridge vlan-id-list 103

set bridge-domains VLAN101 domain-type bridge
set bridge-domains VLAN101 vlan-id 101
set bridge-domains VLAN102 domain-type bridge
set bridge-domains VLAN102 vlan-id 101
set bridge-domains VLAN103 domain-type bridge
set bridge-domains VLAN103 vlan-id 101

Thanks
Rob


Re: [j-nsp] Transfer some task from MX to VRR

2014-12-01 Thread Robert Hass
>I'm pretty sure the VRR is mostly for solving the problem of iBGP session
>scaling.

I asked, as solving problems of iBGP is obvious. Terminating customer
sessions on VRR using ebgp-multihop is also possible but it needs
reconfiguration at customer side. It's time consuming and too many
questions and it's a small complication. I already saw some EFT code coming
from another well-known network vendor where BGP traffic coming to router
control-plane was tunneled to VRR like Virtual-Machine and processed there.
All BGP related commands were also redirected to VRR but router receives FIB
from VRR instead of RIB.

Rob




On Mon, Dec 1, 2014 at 2:09 PM, Eric Van Tol  wrote:

> >-Original Message-
> >From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Robert Hass
> >Sent: Monday, December 01, 2014 7:30 AM
> >To: juniper-nsp@puck.nether.net
> >Subject: [j-nsp] Transfer some task from MX to VRR
> >
> >Hi
> >Just read release notes for 14.2 and I found that starting this release I
> >can transfer some task to external VRR.
> >
> >So my idea is to move all BGP from MX80 to VRR. But how it can be performed
> >for external BGP sessions where I have just /30 or /31 subnets to customers
> >? (of course without ebgp multihop).
>
> I'm pretty sure the VRR is mostly for solving the problem of iBGP session
> scaling.  If that's not the case, I'm sure someone will correct me.
>
> You don't have much choice with eBGP if you don't want to use multihop,
> unless you want to backhaul every customer circuit via L2 to your VRR, in
> which case the VRR is basically the gateway for the customer's circuit.
>
> -evt
>


Re: [j-nsp] Transfer some task from MX to VRR

2014-12-01 Thread Robert Hass
They're both different products.

VRR is already available. It's pure control-plane without forwarding-plane.
Let's say something like JCS1200 but for own Hypervisor deployment.
vMX is a full featured router with the same control-plane as VRR has. Same like
Cisco CSR 1000V or Brocade vRouter 5400/5600.

So VRR == vMX without forwarding-plane. Maybe cost wise VRR will be cheaper
than vMX, don't know. We will see in Q1 2015 when vMX should be available.

Rob



On Mon, Dec 1, 2014 at 4:01 PM, Mark Tinka  wrote:

> On Monday, December 01, 2014 04:41:54 PM Robert Hass wrote:
>
> > vMX indeed will be full-featured router. But my questions
> > was related to move part of control-plane (basically
> > whole BGP part of rpd) to external server. Maybe
> > OpenFlow somehow helps here ? How openflow take care of
> > eBGP to customers ? Session should be on router or on
> > OpenFlow controller ? OF v1.3 just has been implemented
> > in JunOS 14.x releases for MX series.
>
> That's a little too cutting edge (even) for me :-).
>
> My guess is vRR is a function of vMX. No point in having two
> products. I could be wrong...
>
> Mark.
>


Re: [j-nsp] Transfer some task from MX to VRR

2014-12-01 Thread Robert Hass
>I think vMX can forward data.

vMX indeed will be a full-featured router. But my question was related to
moving part of the control-plane (basically the whole BGP part of rpd) to an
external server. Maybe OpenFlow somehow helps here? How does OpenFlow take care
of eBGP to customers? Should the session be on the router or on the OpenFlow
controller? OF v1.3 has just been implemented in JunOS 14.x releases for MX series.

BTW, is anyone participating in the vMX beta-trial?

Rob


On Mon, Dec 1, 2014 at 3:06 PM, Mark Tinka  wrote:

> On Monday, December 01, 2014 03:09:15 PM Eric Van Tol wrote:
>
> > I'm pretty sure the VRR is mostly for solving the problem
> > of iBGP session scaling.  If that's not the case, I'm
> > sure someone will correct me.
>
> I think vMX can forward data. It will come down to how well
> it optimizes the CPU, and how good the CPU actually is.
>
> > You don't have much choice with eBGP if you don't want to
> > use multihop, unless you want to backhaul every customer
> > circuit via L2 to your VRR, in which case the VRR is
> > basically the gateway for the customer's circuit.
>
> Agree.
>
> Your design can get complicated if you separate routing from
> forwarding for a particular device or downstream-set.
>
> Mark.
>


[j-nsp] Transfer some task from MX to VRR

2014-12-01 Thread Robert Hass
Hi
Just read the release notes for 14.2 and I found that starting with this
release I can transfer some tasks to an external VRR.

We have a lack of compute power, mostly on MX80.

So my idea is to move all BGP from MX80 to VRR. But how it can be performed
for external BGP sessions where I have just /30 or /31 subnets to customers
? (of course without ebgp multihop).

Rob


Re: [j-nsp] Move traffic to strict-priority-queue on MX

2014-12-01 Thread Robert Hass
>Interesting that you use cs0 to define best-effort traffic.
>Why don't you just use be, to ease troubleshooting?

I'll change this to 'be'

>What do you have under [class-of-service]

Nothing. Probably this is my problem. What should I define in
class-of-service?
Assign particular traffic (DSCP) to specific queues?

Rob

On Sun, Nov 30, 2014 at 7:13 PM, Mark Tinka  wrote:

> On Sunday, November 30, 2014 03:52:58 PM Robert Hass wrote:
>
> > Finally what I configured:
> > # Clear DSCP + BestEffort queue
> > set firewall filter BestEff term 1 then forwarding-class best-effort
> > set firewall filter BestEff term 1 then dscp cs0
> > set interfaces ge-1/0/3 unit 0 family inet filter input BestEff
>
> Interesting that you use cs0 to define best-effort traffic.
> Why don't you just use be, to ease troubleshooting?
>
> > # Set EF DSCP + ExpeditedForwarding queue
> > set firewall filter Set_EF term 1 then forwarding-class expedited-forwarding
> > set firewall filter Set_EF term 1 then dscp ef
> > set interfaces ge-1/0/1 unit 0 family inet filter input Set_EF
> > set interfaces irb unit 100 family inet filter input Set_EF
>
> Looks alright.
>
> > But It looks that it's not working. What I missing ?
>
> What do you have under [class-of-service]
>
> Mark.
>


[j-nsp] 2x10GE ports on SCBE2 and per slot bandwidth on SCBE/SCBE2

2014-12-01 Thread Robert Hass
Hi
I'm just planning to upgrade a few of my MX480 to SCBE2 (due to MPE4/32x10G).

I noticed that on SCBE2 I have 2x10GE ports on-board. Are they normal 10GE
line ports with all features?

Second, how much bandwidth per slot is provided by SCBE/SCBE2?
What I see:
1) SCBE - 260Gbps per slot in both directions (in+out) -> 13x10GE line-rate
2) SCBE2 - 520Gbps in both directions ?
3) What about redundant and non-redundant SCBE/SCBE2 configurations, do I
have less per slot bandwidth in redundant configuration ?

Rob


[j-nsp] MPC3E oversubscribe rate with two 10x10GE MICs

2014-11-30 Thread Robert Hass
Hi
I'm currently using MPC3E with one 10x10GE MIC in my MX480 and MX960
routers.

I need to add 10GE ports. If I put a second 10x10GE MIC in the existing
MPC3E, what will the oversubscription rate be? I'm not sure, but the docs say
about 200Gbps for MPC3E, so it should be wire-speed if the docs claim
full-duplex or 1:2 if the docs claim half-duplex.

What is the best solution (from a price point of view) to have 16 x 10GE in 1
slot on MX480/MX960? MPC3E + 10x10GE MICs or something different?

Rob


[j-nsp] Move traffic to strict-priority-queue on MX

2014-11-30 Thread Robert Hass
Hi
I have a deployment based on MX routers where I have to put traffic coming
from one interface (it's video traffic - multicast) into the
strict-priority-queue on the egress interface - the core facing interface.

Topology is simple:

Ingress interfaces:
- ge-1/0/1.0 - interface with video #1
- irb.100 - interface with video #2 (there is IRB mapped for ge-1/0/2)
- ge-1/0/3.0 - interface where IP customers are connected (best-effort
traffic)

Egress interfaces:
- ge-1/0/5 - core-facing interface #1
- ge-1/0/6 - core-facing interface #2

My goals are:
- clear DSCP bits for traffic coming from ge-1/0/3.0, put this traffic on
best-effort queue
- set EF DSCP bit for traffic coming from video interfaces (ge-1/0/1.0 and
irb.100)

Finally what I configured:
# Clear DSCP + BestEffort queue
set firewall filter BestEff term 1 then forwarding-class best-effort
set firewall filter BestEff term 1 then dscp cs0
set interfaces ge-1/0/3 unit 0 family inet filter input BestEff

# Set EF DSCP + ExpeditedForwarding queue
set firewall filter Set_EF term 1 then forwarding-class expedited-forwarding
set firewall filter Set_EF term 1 then dscp ef
set interfaces ge-1/0/1 unit 0 family inet filter input Set_EF
set interfaces irb unit 100 family inet filter input Set_EF

But it looks like it's not working. What am I missing?

Rob


[j-nsp] Egress policer on EX3300

2014-09-23 Thread Robert Hass
Hi
Is egress policing or shaping supported on EX3300 platform ?

I tried to configure policing 2Mbps for port ge-0/0/0, but I'm receiving an
error at commit:

Referenced filter 'Police-2M' can not be used as policer not supported
on egress
error: configuration check-out failed

Input filters commit and work without problems.

My config:

interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                filter {
                    input Police-2M;
                    output Police-2M;
                }
            }
        }
    }
}
firewall {
    family ethernet-switching {
        filter Police-2M {
            term Default {
                then policer 2Mbps;
            }
        }
    }
    policer 2Mbps {
        if-exceeding {
            bandwidth-limit 2m;
            burst-size-limit 100k;
        }
        then discard;
    }
}


Rob


[j-nsp] Per Port Per VLAN rate-limiting on EX series

2014-09-01 Thread Robert Hass
Hi
I just want to be sure on which EX models Per port Per VLAN
rate-limiting is supported?

I'm interested this mostly in aspect of:

- EX3300
- EX4300
- EX4550
- EX4600

Can anyone also give me some configuration clue how to check it? I have
no experience on EX series so I'm looking for clues how to configure things
like this:

- port xe-1/0/0
- rate-limit VLAN 101 to 10Mbps (ingress) and 11Mbps (egress)
- rate-limit VLAN 102 to 20Mbps (ingress) and 22Mbps (egress)

Rob


[j-nsp] MX5 and MIC 2x10G

2014-08-06 Thread Robert Hass
Hi
Is 2x10G MIC supported in MX5 chassis ?
I just need to have router with 2x10G interfaces, and best choice will be
MX5-T + MIC2x10G for me.

But will it work or only 20xSFP are working in first MIC slot of MX5 ?

Please advise

Rob


[j-nsp] Usage of older M10 Juniper

2014-06-26 Thread Robert Hass
Hi
I have old M10 router. I would like to use it for one customer.

Router has Enhanced FEB, RE600-2048 and 3 GE PE PICs.

My questions :
1) How many full-BGP feeds can I have on this machine?
2) Which JunOS version you can recommend for this old buddy ?
3) How big FIB is available for IPv4 on Enhanced FEB ?

Rob


[j-nsp] MX5 first supported JunOS

2014-05-25 Thread Robert Hass
Hi
We're waiting for ordered MX5 routers. Currently we're using MX80 in core
running JunOS 11.4R software.

My question is which first supported JunOS version is usable on MX5 ?

Rob


[j-nsp] MTBF of EX4300 (48 ports, PoE)

2014-05-13 Thread Robert Hass
Hi
I'm looking for the MTBF value for the EX4300 (48 ports, PoE) switch.
I cannot find it in JNPR datasheets.

Rob


Re: [j-nsp] PoE for older Cisco IP Phones

2014-02-03 Thread Robert Hass
Patrick,
I just connected 7912 and 7940 to EX4200. Works without issues. Tested a few
images. Got signal that EX3200 also does the job. But what about EX3300 and
EX2200? (I don't have any of them for testing)

Rob



On Mon, Feb 3, 2014 at 9:24 PM, Patrick Okui  wrote:

> On  3-Feb-2014 18:28:22 (+0300), Robert Hass wrote:
> > I have some older pre-standard PoE IP Phones (it's NOT 802.1af) from Cisco:
> > 7940
> > 7912
> >
> > Will Juniper EX2200, EX3300 and EX4300 work with these IP Phones ?
> > I know that they will work with EX4200 but what about newer Juniper
> > switches ?
>
> No. They won't. You'd need a cisco POE switch that knows about cisco's
> proprietary POE (like the SG300-*P series)
>
> --
> patrick


[j-nsp] PoE for older Cisco IP Phones

2014-02-03 Thread Robert Hass
I have some older pre-standard PoE IP Phones (it's NOT 802.1af) from Cisco:
7940
7912

Will Juniper EX2200, EX3300 and EX4300 work with these IP Phones ?
I know that they will work with EX4200 but what about newer Juniper
switches ?

Rob


[j-nsp] EX8200 EoS / EoL ?

2013-11-07 Thread Robert Hass
Hi
As I would like to buy a bunch of EX8200 + XRE, I have a question: will EX8200
go EoS or EoL in the near future, as it looks like EX9200 is a good successor
to this platform?

Can anyone comment whether it is a good choice to still go for EX8200, or maybe
better to spend a few more $$$ for EX9200?

Rob


Re: [j-nsp] AFL license for EX8200 VirtualChassis

2013-11-07 Thread Robert Hass
Any response to your problem from Juniper SE or JTAC?
Good if they confirm that both licenses are required - then we will just
order them.

Rob

On Fri, Nov 8, 2013 at 2:03 AM, Giuliano Medalha wrote:

> Robert,
>
> We had a bad experience buying only EX-XRE200-AFL.
>
> After the installation and after a commit ... the system continues to
> ask the EX8208 licenses showing warning messages at console.
>
> We bought the licenses and we need to install it by hand using shell ...
>
> The JUNOS version was 12.3R3.
>
> We recommend that you buy to feel free from log messages every commit.
>
> But remember that you will need to create the correct files by hand
> and install it using "vi" by shell only.
>
> If you need more information I can help.
>
> Att,
>
> Giuliano
> Giuliano Cardozo Medalha
> Systems Engineer
> +55 (17) 3011-3811
> +55 (17) 8112-5394
> JUNIPER J-PARTNER ELITE
> giuli...@wztech.com.br
> http://www.wztech.com.br/
>
> On Thu, Nov 7, 2013 at 7:08 AM, Robert Hass  wrote:
> > Hi
> > I'm planning to buy AFL licenses for my 2xEX8200 + 2xXRE200
> > (VirtualChassis) setup.
> >
> > Do you need to buy :
> >
> > 2 x EX-XRE200-AFL
> > 2 x EX8208-AFL
> >
> > or just is enough as I'm running setup with XRE/VirtualChassis
> >
> > 2 x EX-XRE200-AFL
> >
> > ?
> >
> > Rob


[j-nsp] AFL license for EX8200 VirtualChassis

2013-11-07 Thread Robert Hass
Hi
I'm planning to buy AFL licenses for my 2xEX8200 + 2xXRE200
(VirtualChassis) setup.

Do you need to buy :

2 x EX-XRE200-AFL
2 x EX8208-AFL

or just is enough as I'm running setup with XRE/VirtualChassis

2 x EX-XRE200-AFL

?

Rob


[j-nsp] SRX control-link and link is up without cable connected

2013-10-15 Thread Robert Hass
Hi
I just want to establish control-link between two SRX5800 and I have an issue
that the link is always up - even without a fiber patchcord connected.

Should I use different SFPs? E.g. JX-SFP-1GE-SX? I used EX-SFP-1GE-SX
transceivers.
Did anybody have a similar issue?


Rob


Re: [j-nsp] QFX 3500 and IPv6

2013-09-17 Thread Robert Hass
Hi
Release - up to Juniper recommendation.
Features - OSPFv3 is required

Rob



On Tue, Sep 17, 2013 at 3:45 AM, Paramasivam Nagarajachetty <
psi...@juniper.net> wrote:

> Hi Rob,
>
> What is the release the customer planning to deploy for and also is there
> any specific ipv6 features is targeted?
>
> Thanks,
> Paramasivam.
>
> -Original Message-
> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf
> Of Matt Hite
> Sent: Tuesday, September 17, 2013 12:58 AM
> To: Robert Hass
> Cc: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] QFX 3500 and IPv6
>
> Never base a purchasing decision upon roadmap promises...
>
>
> On Mon, Sep 16, 2013 at 9:11 AM, Robert Hass  wrote:
>
> > Hi
> > I just want to be sure - Will QFX 3500 support IPv6 static routing and
> > OSPFv3 in near future ? Is I see right now it's unsupported (according
> > to Datasheet). I'm considering buying a lot of this boxes and without
> > IPv6 they can be useless in future in some areas.
> >
> > Rob


Re: [j-nsp] QFX 3500 and IPv6

2013-09-17 Thread Robert Hass
I see static routing for IPv6 but not OSPFv3 :(

Rob


On Tue, Sep 17, 2013 at 11:09 AM, Per Granath wrote:

> It is already supported; in Junos version 12.3X50.
>
>
> http://www.juniper.net/techpubs/en_US/junos12.3/topics/reference/general/qfx-series-software-features-overview.html
>
>
> -Original Message-
> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf
> Of Robert Hass
> Sent: Monday, September 16, 2013 7:11 PM
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] QFX 3500 and IPv6
>
> Hi
> I just want to be sure - Will QFX 3500 support IPv6 static routing and
> OSPFv3 in near future ? Is I see right now it's unsupported (according to
> Datasheet). I'm considering buying a lot of this boxes and without IPv6
> they can be useless in future in some areas.
>
> Rob


[j-nsp] QFX 3500 and IPv6

2013-09-16 Thread Robert Hass
Hi
I just want to be sure - will QFX 3500 support IPv6 static routing and
OSPFv3 in the near future? As I see right now it's unsupported (according to
Datasheet). I'm considering buying a lot of these boxes and without IPv6
they can be useless in future in some areas.

Rob


[j-nsp] IGMP problem

2013-09-10 Thread Robert Hass
Hi
I would like to setup static IGMP joins between Cisco and Juniper.
But it's not working. Juniper is not sending IGMP Joins.
Same configuration Cisco + Cisco working without issues. Any clues ?

Interface configuration for Juniper at Cisco side:

interface GigabitEthernet1/1/1
 description Juniper
 no switchport
 ip address 10.10.10.21 255.255.255.252
 ip pim passive
!

Here is output of IGMP membership - none :(

cisco#sh ip igmp membership | include GigabitEthernet1/1/1
cisco#

Here is JunOS configuration:

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.10.10.22/30;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.10.10.21;
    }
}
protocols {
    igmp {
        interface ge-0/0/0.0 {
            version 2;
            static {
                group 231.0.0.3;
                group 231.0.0.4;
            }
        }
    }
    pim {
        rp {
            static {
                address 10.10.10.255 {
                    version 2;
                }
            }
        }
        interface ge-0/0/0.0 {
            mode sparse;
            version 2;
        }
        join-load-balance;
    }
}

Rob


[j-nsp] qfx3500

2013-09-03 Thread Robert Hass
Hi
I'm looking for a 1U switch with minimum 48x10GE SFP+ and 2x40GE QSFP.
I see that QFX3500 can do all that I need - can this switch work alone
without the rest of the Q-Fabric elements?

If someone is already using this switch, can you write something about
stability and problems?

Rob


Re: [j-nsp] EX8200 VirtualChassis versus Cisco VSS

2013-08-15 Thread Robert Hass
Do I need 2x XRE to have Virtual-Chassis of EX8200 or can I do this without
XRE?

Rob



On Tue, Aug 13, 2013 at 9:05 PM, Morgan McLean  wrote:

> The 8200 vc stability is the best out of the EX lineup in my testing. I
> can't make it fall over, where as I can find corner cases that will crash
> 3300s etc.
>
> Just keep in mind the VC connections will only work with certain line cards
> afaik. And I thought two RE's were required for dual xre use but I guess a
> 2200 in the middle is indeed a hack. :p
>
> Morgan
>
> On Tuesday, August 13, 2013, Billy Sneed wrote:
>
> > The EX8200 Virtual-Chassis w/ a couple of the XRE200's does well. The
> > XRE's act as the control plane and the 8200's end up just being
> linecards.
> > It's a bit hack-ish IMHO w/ a EX2200 switch acting as the glue between
> each
> > XRE and the 8200.
> >
> > We've run 11.2 - 11.4 and pleased w/ the stability. Our VC is split
> > between two buildings a few SM fiber pairs acting as the VC connections
> > between. We've dozens of aggregation switches (EX4500's & EX4200's)
> > connected w/ LACP to each and are very pleased.
> >
> > Regards,
> > Billy
> >
> > On 08/13/2013 05:46 AM, Robert Hass wrote:
> >
> >> How Virtual-Chassis on Juniper EX8200 is different than Catalyst 6500
> >> (Sup2T) VSS ?
> >>
> >> Are both have shared control-plane ?
> >>
> >> How about stability of Virtual-Chassis and VSS on latest software
> >> releases ?
> >>
> >>
> >>
> >> I would like to implement core layer using EX8200 or Cat6500 (two core
> >> switches).
> >>
> >> Each core device will have only redundant power-supply. Line cards, CPU
> >> etc
> >> will be non-redundant. Redundancy will be archived using two boxes.
> >> Access-Layer switch will be connected to both core devices using 1GE or
> >> 10GE links and aggregated into single PortChannel (LACP).
> >>
> >> Access devices will be Cat2960XR (Cisco) or EX3300 (Juniper).
> >>
> >>
> >>
> >> Rob
>
>
> --
> Thanks,
> Morgan


[j-nsp] EX8200 VirtualChassis versus Cisco VSS

2013-08-13 Thread Robert Hass
How is Virtual-Chassis on Juniper EX8200 different from Catalyst 6500
(Sup2T) VSS?

Do both have a shared control-plane?

How about stability of Virtual-Chassis and VSS on latest software releases?

I would like to implement core layer using EX8200 or Cat6500 (two core
switches).

Each core device will have only redundant power-supply. Line cards, CPU etc
will be non-redundant. Redundancy will be achieved using two boxes.
Access-Layer switch will be connected to both core devices using 1GE or
10GE links and aggregated into single PortChannel (LACP).

Access devices will be Cat2960XR (Cisco) or EX3300 (Juniper).

Rob


[j-nsp] 3rd optics on MX/EX/SRX

2013-06-26 Thread Robert Hass
Hi
I only have experience with the MX platform where I can use third party optics
without any issues.

We're also going to buy some SRX and EX gear. Do EX/SRX accept third party
optics without any issues or do we need any special coding?

Rob


[j-nsp] ex9200 fib size

2013-04-09 Thread Robert Hass
Hi
What is FIB size at latest EX9200 switches ? I cannot find it out from
datasheet.

Rob


Re: [j-nsp] Firefly (V-SRX) and Dynamic VPN bug

2013-02-20 Thread Robert Hass
On Wed, Feb 20, 2013 at 10:44 PM, Robert Hass  wrote:
> I just started testing Firefly (SRX on VMware) and occurred problem that I
> cannot connect with JunOS Pulse due to no license:
[...]

Resolved.

I have to upgrade to JunOS Pulse v 4.0.

Rob


[j-nsp] Firefly (V-SRX) and Dynamic VPN bug

2013-02-20 Thread Robert Hass
Hi
I just started testing Firefly (SRX on VMware) and a problem occurred: I
cannot connect with JunOS Pulse due to no license:

Feb 20 15:41:53  firefly httpd-gk: DYNAMIC_VPN_LICENSE_CHECK_FAILED:
Dynamic VPN license check failed for user test
Feb 20 15:41:53  firefly httpd-gk: DYNAMIC_VPN_AUTH_NO_LICENSE:
Authentication failed for user test due to unavailable license

But I have 'all' features license ;-)

root@firefly> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  all                                   0            1           0    29 days

Licenses installed: none

root@firefly> show version
Hostname: firefly
Model: junosv-firefly
JUNOS Software Release [12.1X44-D10.4]

Is it a bug?

Rob


Re: [j-nsp] MX80 BGP performance after reboot

2013-02-19 Thread Robert Hass
On Tue, Feb 19, 2013 at 10:54 AM, Sebastian Wiesinger
 wrote:
> This is really frustrating and limits the scope where we can put the
> MX80 platform. Would it have been so much more expensive to put a
> faster CPU/RE into that thing? Or is this just a case of diversifying
> the product line?

It's not about a slow CPU. MX80 has a very fast PPC (fastest of its kind)
processor but RPD code sucks. The same family was used e.g. in RSP720 in Cisco
7600 which is much faster - but it's probably because IOS performs better
than JunOS in terms of performance/scheduling on PPC platform.

New MX80 is coming (with Dual-RE) but RE is so small and I don't think it
will be Intel instead of PPC.

Rob


Re: [j-nsp] After reboot optic doesn't send light

2013-02-19 Thread Robert Hass
On Tue, Feb 19, 2013 at 11:27 AM, Grzegorz Janoszka
 wrote:
>
> Every now and then we happen to a see strange case with our linecards
> (MPC 3D 16x 10GE). After a linecard reboot one of the optics sometimes
> stops sending light:

Did you try power-on/power-off of the optics?

Rob


[j-nsp] Dynamic VPN timers reconfiguration

2013-02-19 Thread Robert Hass
Hi

I'm using dynamic-vpn feature on SRX. I would like to adjust timers for
idle-timeout and hello/keepalive-interval and hello/keepalive-timeout.

Is it possible? I didn't find it in the docs.

Default values are:
- Idle-timeout = 15 minutes
- Hello/Keepalive-Interval = 30 seconds
- Hello/Keepalive-Timeout = 90 seconds

I'm using 11.4R6.

Rob


Re: [j-nsp] MTU problems over VPLS

2013-02-13 Thread Robert Hass
On Tuesday, February 12, 2013, Luca Salvatore wrote:

> I have a few sites connected via a VPLS core.  The core devices are all MX
> 10 routers connected via 10Gb fibre.
> I'm having problems doing file copies (SCP between two Centos VMs).
>
>
Hi
Can you post the configuration? You can tune up MTU for VPLS.

rob


[j-nsp] Logging DOM optics alarms in syslog

2013-02-05 Thread Robert Hass
Hi

Is it possible to log to syslog events where optics has low-alarm on
temperature ?

Eg.

admin@lab> show interfaces diagnostics optics xe-1/0/0 | match On
Module temperature low alarm  :  On
Module temperature low warning:  On

My current syslog host configuration:

admin@lab> show configuration system syslog host 10.0.0.43
any any;
match "!(\(root\) CMD \(newsyslog\)|arp info overwritten for)";
facility-override local6;

BTW. Platform is MX, JunOS version 10.4R12 or 11.4R6.

Rob


[j-nsp] Security-flow TCP idle timeout at SRX

2013-02-01 Thread Robert Hass
Hi

I have an issue with one of our applications. We have two security zones: LAN
and Servers. Computers from LAN connect to Servers on port TCP/2020
(it's a CTI application). Users reported that they have to re-logon due to
idle timeout. I checked the security logs on the SRX and sessions were
disconnected due to the TCP idle-timeout, whose default is 30 minutes. How can
I increase this timeout for TCP/2020 connections?

Will the configuration below be sufficient:

security {
    policies {
        from-zone lan to-zone servers {
            policy 1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
        from-zone servers to-zone lan {
            policy 1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
    }
}
applications {
    application myapp {
        protocol tcp;
        destination-port 2020;
        inactivity-timeout 10;
    }
}


[j-nsp] SRX240H vs SRX240H2

2013-01-18 Thread Robert Hass
Hi
What is the difference between SRX240H and SRX240H2, except doubled memory/flash?
I'm mostly interested in whether the CPUs are the same.

Rob


Re: [j-nsp] VPN from SRX to CIsco with more than subnet locally

2013-01-17 Thread Robert Hass
On Wednesday, January 16, 2013, Pavel Lunin wrote:
>
>
> Despite this is pretty obvious and elegant, it's a very common case when
> you can't do this for whatever reason. E. g. older IOS could not do VTI
> without GRE but SRX cluster could not do GRE until very recent; remote
> peer is just too dumb, etc. Sometimes remote side just won't switch to
> route-based because they don't know how to or it's a NOC shift with
> strict config guidelines that they can break. A very straightforward
> workaround for such cases is to add another tunnel to the same peer for
> the second pair of subnets. But it requires another global address on
> one side.


or the VPN remote side is an ASA, which does not support GRE and VTI

Rob


[j-nsp] VPN from SRX to CIsco with more than subnet locally

2013-01-16 Thread Robert Hass
Hi

I have VPN between Cisco 2900 and SRX 240. VPN is working good, but guys
on Cisco side would like to have also access to my second subnet
10.16.0.0/24

How to handle this on the SRX side? I can have only one position at
proxy-identity local

My config:

set security ipsec vpn TEST ike proxy-identity local 10.0.0.0/24
set security ipsec vpn TEST ike proxy-identity remote 192.168.0.0/24

Cisco NEW config:

access-list 100 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.16.0.0 0.0.0.255   <-- this added


Rob


Re: [j-nsp] SRX and not working VRRP

2013-01-08 Thread Robert Hass
On Wed, Jan 9, 2013 at 12:40 AM, Chuck Anderson  wrote:
> set vrrp-group 0 accept-data

Thanks a lot! It helped.

I used VRRP earlier on MX, where this is not necessary to make VRRP
work (but 10.4 on MX).
Is the above command SRX (JunOS-ES) specific?

Rob


[j-nsp] SRX and not working VRRP

2013-01-08 Thread Robert Hass
Hi
I have an SRX100 running 11.4R6.5 and I cannot make VRRP work. I have
a configuration like below:

admin@srx100> show configuration interfaces fe-0/0/0
unit 0 {
    family inet {
        address 10.0.0.69/29 {
            vrrp-group 0 {
                virtual-address 10.0.0.70;
                priority 253;
            }
        }
    }
}

admin@srx100> show vrrp
Interface     State       Group   VR state   VR Mode   Timer    Type   Address
fe-0/0/0.0    up              0   master     Active    A  0.128 lcl    10.0.0.69
                                                                vip    10.0.0.70

But I cannot ping 10.0.0.70 from a host in this subnet (10.0.0.68) and
also from the SRX itself.
I'm able to ping 10.0.0.69 without problem from the SRX and host 10.0.0.68.

admin@srx100> ping 10.0.0.70
PING 10.0.0.70 (10.0.0.70): 56 data bytes
ping: sendto: No route to host
^C
--- 10.0.0.70 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss


What did I do wrong? I also added protocol VRRP to security, but it didn't help :(

Security config:

admin@srx100> show configuration security zones security-zone untrust
interfaces {
    fe-0/0/0.0 {
        host-inbound-traffic {
            system-services {
                dhcp;
                ping;
                ike;
                ssh;
                https;
            }
            protocols {
                vrrp;
            }
        }
    }
}

Rob


[j-nsp] IP SLA + Tracking on JunOS

2013-01-06 Thread Robert Hass
Hi
On Cisco I used the IP SLA + Tracking feature to ping a remote host and
inject a static route if I got a response from the remote host. A ping was
sent each minute.

Can I have a configuration doing the same on JunOS? (10.4 or 11.4
-> SRX and MX series)

My goal:

Ping 10.0.0.4 with source-ip 10.0.1.1
If I have response inject static route 192.168.0.0/24 via 10.0.1.2, if
no ping response then static route shouldn't be injected

Rob


[j-nsp] BGP PIC Edge on MX platforms

2012-12-31 Thread Robert Hass
Hi
Is BGP PIC Edge functionality supported on current MX platforms ? (eg.
JunOS 11.4R6 or 12.x)

Rob


[j-nsp] Embedded VPN JunOS Pulse client

2012-12-29 Thread Robert Hass
Hi
I'm using an SRX as a VPN gateway. It's running JunOS 11.4R6.5. When a new
user downloads the VPN client from the SRX, JunOS Pulse Client version
2.0.3.11013 is provided.
But we are experiencing some problems (no communication over GSM) with this
old version. This issue was resolved in the latest JunOS Pulse - e.g.
version 3.1R2.

Is there any way to upgrade the embedded JunOS Pulse client to version 3.1? I
would like new users to fetch 3.1 instead of 2.0.

Rob


[j-nsp] FIB Capacity on older platform

2012-12-15 Thread Robert Hass
Hi
What is the maximum FIB capacity on older M-Series platforms? E.g. Juniper
M5 w/RE600 or Juniper M20

Rob


[j-nsp] EX2200 na VirtualChassis

2012-10-28 Thread Robert Hass
Hi
Can I interconnect a few EX2200s and form a "bigger" virtual switch using
the virtual-chassis feature?
If yes, do you have to use SFP ports for this or can I use standard
10/100/1000 ports?
Can it also be interconnected with other EX models like the EX3200 in
virtual-chassis mode?

Rob


Re: [j-nsp] How reliable is EX multichassis? 3300 and 8200 switches

2012-10-28 Thread Robert Hass
On Fri, Oct 26, 2012 at 11:44 PM, Giuliano Medalha
 wrote:
> Considering the MX family (240, 480 and 960 with TRIO 3D) and the new MX-L

Hi
What is the new MX-L - can you write a little more? MX80 successor?

Rob


[j-nsp] L4-L7 and SSL offload switch

2012-10-24 Thread Robert Hass
Hi
I'm looking for alternative for F5 BigIP and Brocade ADX products.

Does Juniper offer a product for L4-L7 switching (SLB) and SSL offloading?

If yes, can you share experiences with this gear compared to F5 or Brocade?

Rob


Re: [j-nsp] MX80 bridge-domain QinQ question

2012-09-23 Thread Robert Hass
On Thu, Sep 20, 2012 at 8:39 PM, Doug Hanks  wrote:
[...]
> You'll just need to define each CTAG as you have been doing.

Hi Jeff
Could you paste working configuration here if you find solution ? As
I'm also interested in same configuration.

Rob
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] Transporting VLAN between two 10GE ports on MX80

2012-08-28 Thread Robert Hass
Hi

I need to transport VLAN (switch / bridge) from port xe-0/0/1 (unit
200) to port xe-0/0/2 (unit 200) on MX80.
Is it possible? If yes, can anyone paste a configuration for this task?
Can I enable QinQ for this VLAN also ?

BTW. I'm running 10.4S10

Rob


Re: [j-nsp] SSH access and not working firewall policy

2012-08-13 Thread Robert Hass
On Sun, Aug 12, 2012 at 10:46 PM, Alex Arseniev  wrote:
> Try this:
>
>from {
>source-prefix-list { ### <=== must be source
[...]
>
> "prefix-list" checks if either dst.IP or src.IP of incoming packet matches.
> If your box' interface IP is in MGMT prefix-list, then every SSH brute force
> attempt is a match since it most likely targets your interface IP.

Hi Alex
Thanks. This was it!

Now the ACL works perfectly.

Rob
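
Added example (not part of the thread and not Juniper code): a small Python model of the RE filter's cli_permit term. It shows why `prefix-list`, which per Alex's reply matches on either source or destination address, lets outside SSH attempts through when the targeted router address falls inside MGMT, while `source-prefix-list` does not. The MGMT prefixes and the lo0 address come from the posted config; the packets and the router interface address 10.3.0.1 are constructed assumptions.

```python
import ipaddress

# MGMT prefixes as posted in the thread's policy-options block.
MGMT = [ipaddress.ip_network(p) for p in ("10.3.0.0/24", "10.4.0.0/24")]
CLI_PORTS = {22, 23}  # ssh, telnet

def in_mgmt(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MGMT)

def cli_permit_matches(pkt, match_kind):
    """Model of term cli_permit's 'from' clause (all conditions ANDed)."""
    if match_kind == "prefix-list":
        # Matches when EITHER the source or the destination is in the list.
        addr_ok = in_mgmt(pkt["src"]) or in_mgmt(pkt["dst"])
    elif match_kind == "source-prefix-list":
        # Matches only on the packet's source address.
        addr_ok = in_mgmt(pkt["src"])
    else:
        raise ValueError(f"unknown match kind: {match_kind}")
    return addr_ok and pkt["proto"] == "tcp" and pkt["dport"] in CLI_PORTS

def evaluate_re_filter(pkt, match_kind):
    """Terms are evaluated top-down; return the name of the first match."""
    if cli_permit_matches(pkt, match_kind):
        return "cli_permit"          # count + accept
    if pkt["proto"] == "tcp" and pkt["dport"] in CLI_PORTS:
        return "cli_deny"            # count + log + discard
    return "default_action"          # accept

# Constructed packets. 10.3.0.1 is an ASSUMED router interface address that
# falls inside MGMT; 203.0.113.50 stands in for an outside scanner.
PACKETS = {
    "admin -> lo0":          {"src": "10.4.0.25", "dst": "10.0.0.1", "proto": "tcp", "dport": 22},
    "outside -> lo0":        {"src": "203.0.113.50", "dst": "10.0.0.1", "proto": "tcp", "dport": 22},
    "outside -> mgmt iface": {"src": "203.0.113.50", "dst": "10.3.0.1", "proto": "tcp", "dport": 22},
    "outside -> bgp":        {"src": "203.0.113.50", "dst": "10.0.0.1", "proto": "tcp", "dport": 179},
}

def compare():
    """Map each packet name to (verdict with prefix-list, with source-prefix-list)."""
    return {name: (evaluate_re_filter(p, "prefix-list"),
                   evaluate_re_filter(p, "source-prefix-list"))
            for name, p in PACKETS.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:24} prefix-list={verdicts[0]:15} source-prefix-list={verdicts[1]}")
```

Only the "outside -> mgmt iface" packet changes verdict between the two match kinds, which is also why a test from a non-MGMT host towards the loopback address is refused under both.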


Re: [j-nsp] SSH access and not working firewall policy

2012-08-13 Thread Robert Hass
On Mon, Aug 13, 2012 at 6:34 AM, Chris Kawchuk  wrote:
> One possibility - They're coming from inside your own network =)
>
> Whats the source IPs on the attempts, and what device is this (EX? MX? J? 
> QFabric?)

Platform is MX

Source IPs are, for example, from China, so not my inside network at all
- but here it makes no difference to me whether packets come from the inside
or outside part of the network. These source IPs are not in the MGMT prefix-list

Rob


[j-nsp] SSH access and not working firewall policy

2012-08-12 Thread Robert Hass
Hi

I have Juniper running 10.4R7 with RE filter applied to lo.0 but I
still see bruteforce attacks to my SSH in log messages.

I tested the policy from hosts not existing in the MGMT ACL - I cannot connect
to SSH, so how can these attackers connect to my SSH?
Any hints? Maybe I also have to filter more ports?

Rob

My configuration:

lo0 {
    unit 0 {
        family inet {
            no-redirects;
            primary;
            filter {
                input RE;
            }
            address 10.0.0.1/32;
        }
    }
}
policy-options {
    prefix-list MGMT {
        10.3.0.0/24;
        10.4.0.0/24;
    }
}
filter RE {
    term cli_permit {
        from {
            prefix-list {
                MGMT;
            }
            protocol tcp;
            destination-port [ telnet ssh ];
        }
        then {
            count cli_permit;
            accept;
        }
    }
    term cli_deny {
        from {
            protocol tcp;
            destination-port [ telnet ssh ];
        }
        then {
            count cli_deny;
            log;
            discard;
        }
    }
    term default_action {
        then accept;
    }
}


Re: [j-nsp] MX80 Power

2012-03-29 Thread Robert Hass
On Thu, Mar 29, 2012 at 7:05 PM, Kevin Wormington  wrote:
> Curious if anyone has used one AC and one DC power supply in an MX80?  Yes, I 
> know the docs say it's not supported but we all know how that goes.

Yes, I'm using this setup. DC power from a DC-UPS, and AC from the "wall".
Except for an alarm on the chassis, all works just fine.

Rob



[j-nsp] FIB size at new ACX routers

2012-03-18 Thread Robert Hass
Hi
I'm interested in how big a FIB (IP) / LFIB (for MPLS/LDP) is
supported on the new ACX routers?

Rob


[j-nsp] Suppress particular messages from syslog

2011-12-30 Thread Robert Hass
Hi
Is there any way to configure something to suppress selected messages from
syslog [messages]?

I want to suppress this (running JunOS 10.4):

Dec 30 12:11:46  r02 /kernel: tcp_auth_ok: Packet from 62.77.4.5:179 missing MD5 digest

and

Dec 30 15:08:34  r02 tfeb0 MIC(1/1) link 2 SFP receive power low  alarm set
Dec 30 15:08:55  r02 tfeb0 MIC(1/1) link 2 SFP receive power low  alarm cleared

My current syslog configuration:

file messages {
    any notice;
    authorization info;
}

Rob
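
Added example (not from the thread): a Python dry run of a negated-alternation filter, the `match "!(...)"` form used in the 2013 syslog post on this page, against the messages quoted above, so the patterns can be checked for over-matching before they hide anything else. The two patterns and the last two sample lines are constructed assumptions, and Python's `re` only approximates the regex engine on the router.

```python
import re

# Constructed suppression patterns (assumptions), kept to POSIX ERE syntax.
SUPPRESS = {
    "bgp_md5_missing": r"tcp_auth_ok: Packet from [^ ]+ missing MD5 digest",
    "sfp_rx_power_low": r"SFP receive power low +alarm (set|cleared)",
}

# The first three lines are the messages quoted in the post; the last two are
# constructed to check that unrelated events are not swallowed.
SAMPLE = [
    "Dec 30 12:11:46  r02 /kernel: tcp_auth_ok: Packet from 62.77.4.5:179 missing MD5 digest",
    "Dec 30 15:08:34  r02 tfeb0 MIC(1/1) link 2 SFP receive power low  alarm set",
    "Dec 30 15:08:55  r02 tfeb0 MIC(1/1) link 2 SFP receive power low  alarm cleared",
    "Dec 30 15:09:10  r02 tfeb0 MIC(1/1) link 2 SFP laser bias current high  alarm set",
    "Dec 30 15:10:02  r02 sshd[4242]: Failed password for root from 192.0.2.10 port 50522 ssh2",
]

def match_statement(patterns):
    """Render the patterns as a negated-alternation syslog match statement."""
    return 'match "!(' + "|".join(patterns.values()) + ')";'

def apply_suppression(lines, patterns):
    """Return (kept_lines, dropped_count_per_pattern) for a negated match."""
    compiled = {name: re.compile(rx) for name, rx in patterns.items()}
    kept, dropped = [], {name: 0 for name in patterns}
    for line in lines:
        # A line is dropped if any one alternative matches it.
        hit = next((n for n, rx in compiled.items() if rx.search(line)), None)
        if hit is None:
            kept.append(line)
        else:
            dropped[hit] += 1
    return kept, dropped

if __name__ == "__main__":
    kept, dropped = apply_suppression(SAMPLE, SUPPRESS)
    print(match_statement(SUPPRESS))
    print("dropped per pattern:", dropped)
    for line in kept:
        print("kept:", line)
```

The per-pattern drop counts show how many BGP MD5 failures and optic alarms would no longer appear in the file once the filter is committed.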


Re: [j-nsp] LT interfaces at MX80

2011-12-29 Thread Robert Hass
On Thu, Dec 29, 2011 at 12:40 AM, Doug Hanks  wrote:
> You can actually configure 50G worth of tunnel-services on the MX80.  10g
> worth on FPC0 and 40G worth on FPC1.  You need to be running Junos 10.2R4.
>  All of this without losing any revenue ports, but at the cost of
> over-subscribing them.

I'm running 10.4R7, so good to hear that.
Is there any document describing this?

Thanks



Re: [j-nsp] LT interfaces at MX80

2011-12-28 Thread Robert Hass
On Wed, Dec 28, 2011 at 10:40 AM,   wrote:
> On the 1G MICs there is extra capacity to handle an lt interface, so
> you can configure under chassis, assuming a 20x1G MIC in MIC slot 0:
>
> fpc 1 {
>    pic 1 {
>        tunnel-services {
>            bandwidth 1g;
>        }
>    }
> }
>

I understand that as: the MIC has enough capacity, so I can also use all 20x1G
ports on the MIC simultaneously with tunneling?

Can I also use all 1G ports on the MIC if I change the bandwidth to 10g?

After commit the lt- interface has been renumbered to lt-1/0/0 instead of
lt-1/0/10. So according to the documentation it means that 10G tunneling
is supported, but what is the cost of that compared to 1G tunneling?

Robert


