Re: [j-nsp] SRX drops BGP session

2011-10-13 Thread Pavel Lunin
Would it not be advisable to either trace it or a tcpdump from the OS you can > see what packets are being sent and received on the interface? Generally yes, but. Though this doesn't seem to be the case for Jeroen since he uses eBGP with direct interface address peering, you must keep in mind that

Re: [j-nsp] TCAM full on EX8200?

2011-10-13 Thread Chris Morrow
On 10/13/2011 05:51 PM, David Ball wrote: > On 13 October 2011 14:41, Chris Morrow wrote: >>> >>> I can't help but wonder if perhaps Juniper just expects us to >>> buy... I dunno... routers... to do routing. I'm not trying to justify >> >> this is a flavor of the 'it's only a TOR switch' discu

Re: [j-nsp] JUNOS and 128.0.0.0 martian (JFYI)

2011-10-13 Thread MSusiva
The PR was opened to alter the default martian table and the PR is public now. Even though we have a workaround, the customer wants future Junos releases to have the updated martian table. Workaround: set routing-options martians 128.0.0.0/16 orlonger allow set routing-options martians 191.255.0

Re: [j-nsp] SRX drops BGP session

2011-10-13 Thread randy.tay...@bell.ca
Would it not be advisable to either trace it or a tcpdump from the OS you can see what packets are being sent and received on the interface? -- Sent using BlackBerry - Original Message - From: juniper-nsp-boun...@puck.nether.net To: Jeroen Valcke Cc: juniper-nsp@

Re: [j-nsp] SRX drops BGP session

2011-10-13 Thread Pavel Lunin
> Indeed, when I check the session table on the SRX. I do get an entry for the BGP session, but it disappears after only a few seconds. That seems wrong to me.
You mean a firewall session in "show security flow session"? If so, let me express my doubts, an MTU related issue could make it

Re: [j-nsp] TCAM full on EX8200?

2011-10-13 Thread David Ball
On 13 October 2011 14:41, Chris Morrow wrote: >> >> I can't help but wonder if perhaps Juniper just expects us to >> buy... I dunno... routers... to do routing. I'm not trying to justify > > this is a flavor of the 'it's only a TOR switch' discussion, but... Should it not be ? >

Re: [j-nsp] SRX drops BGP session

2011-10-13 Thread Paul Stewart
Definitely sounds like an MTU issue ... we had a similar experience between a Cisco & Juniper BGP session a while back -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Jeroen Valcke Sent: Thursday, October 13, 2011 4

Re: [j-nsp] SRX drops BGP session

2011-10-13 Thread Harry Reynolds
If the SRX is not filtering BGP KAs, which would be odd if they allow the session to come up to begin with, I would look at an MTU mismatch/PMTU malfunction, especially if this is a multi-hop session. If not already on, enabling bgp pmtu may resolve. If pmtu is on, then use ping with dnf to the

[j-nsp] SRX drops BGP session

2011-10-13 Thread Jeroen Valcke
Hello, I've set up a BGP session between an M120 and an SRX240. Session comes up but after 1m30sec the session is shut down. The BGP error is "Hold Timer Expired Error". I'm pretty sure that the SRX is blocking the BGP keepalives after the initial BGP session has been established. Indeed, when I c

Re: [j-nsp] MX: bridge-domains and l2circuit

2011-10-13 Thread Ivan Ivanov
Thank you, It seems that the problem is that I am trying to stitch from one side 'encapsulation vlan-bridge' and from the other 'encapsulation vlan-vpls'. vlan-vpls on both ends again returns 'encapsulation mismatch'. Maybe this is not supported between two bridge domains. Thank you again! On Th

Re: [j-nsp] TCAM full on EX8200?

2011-10-13 Thread Chris Morrow
On 10/13/2011 04:23 PM, David Ball wrote: > On 13 October 2011 13:53, Paul WALL wrote: >> You'll never be able to get a full table on your current cards, they're >> defective, and will never be able to perform as advertised. The only >> solution is to buy all new (and more expensive) cards, or s

Re: [j-nsp] MX: bridge-domains and l2circuit

2011-10-13 Thread Jonas Frey (Probe Networks)
Hello Ivan, as Humair already pointed out you need to have encapsulation vlan-bridge and vlan-ccc on one of each of the lt- interfaces. Best regards, Jonas On Thursday, 13.10.2011, 22:20 +0300, Ivan Ivanov wrote: > Hello Jonas, > > > Could you share with us working configuration? Becaus

Re: [j-nsp] TCAM full on EX8200?

2011-10-13 Thread David Ball
On 13 October 2011 13:53, Paul WALL wrote: > You'll never be able to get a full table on your current cards, they're > defective, and will never be able to perform as advertised. The only > solution is to buy all new (and more expensive) cards, or stop carrying > full tables. I can't help but w

Re: [j-nsp] TCAM full on EX8200?

2011-10-13 Thread Paul WALL
On Wed, Oct 12, 2011 at 11:40 AM, Michele Bergonzoni wrote: > THE SHORT QUESTION: > > How can I see how full my IPv4 FIB is, on an EX8200 with EX8200-40XS > linecards and 11.3R2.4 ? I can connect to fpc and give the show commands, > but I need help interpreting the results. > > If it actually turn

Re: [j-nsp] TCAM full on EX8200?

2011-10-13 Thread Joel jaeggli
On 10/13/11 12:21 , Richard A Steenbergen wrote: > On Thu, Oct 13, 2011 at 02:19:40PM +0200, Michele Bergonzoni wrote: >> On 13/10/2011 13.31, Chen Jiang wrote: >>> AFAIK, The EX8200 uses SRAM for FIB and TCAM for ACL, that's not like >>> EX2200/3200/4200 that use TCAM for all FIB and ACL. >> >

Re: [j-nsp] MX: bridge-domains and l2circuit

2011-10-13 Thread Humair Ali
> Would something like this work ?
>
> lt-0/0/0 {
>     unit 0 {
>         encapsulation vlan-ccc;
>         vlan-id 100;
>         peer-unit 1;
>     }
>     unit 1 {
>         encapsulation vlan-bridge;
>         vlan-id 100;
>         peer-unit 0;
>     }
> }
>
> ge-0/1/5 {
>     flexible-vlan-tagging;
>     encapsulation flexible-ethernet-

Re: [j-nsp] TCAM full on EX8200?

2011-10-13 Thread Richard A Steenbergen
On Thu, Oct 13, 2011 at 02:19:40PM +0200, Michele Bergonzoni wrote: > On 13/10/2011 13.31, Chen Jiang wrote: > > AFAIK, The EX8200 uses SRAM for FIB and TCAM for ACL, that's not like > > EX2200/3200/4200 that use TCAM for all FIB and ACL. > > > You could vty to line card and try this knob and

Re: [j-nsp] MX: bridge-domains and l2circuit

2011-10-13 Thread Ivan Ivanov
Hello Jonas, Could you share with us a working configuration? Because when I try to stitch both units of the lt- interface I get the error 'encapsulation mismatch'. Thanks! On Thu, Aug 18, 2011 at 21:26, Jonas Frey (Probe Networks) < j...@probe-networks.de> wrote: > Thanks to all who replied, i got this

Re: [j-nsp] Firewall filter for system service ssh on outside interface?

2011-10-13 Thread Robert Juric
If you create a loopback in your trust zone then you will have to create security policy to allow traffic from untrust to trust for ssh. Or you can use the external interface and the firewall filter, be sure to remember the host-inbound-traffic for your untrust zone. I'm not sure which would reall

Re: [j-nsp] Firewall filter for system service ssh on outside interface?

2011-10-13 Thread Chris Morrow
On 10/13/2011 09:40 AM, Daniel M Daloia Jr wrote: > Hi Folks, > > Is there any reason why I shouldn't allow ssh access to a remote SRX > with a firewall filter only allowing a single network on an untrust > (reth) interface? Maybe should create a loopback instead, allow > system-services ssh, a

Re: [j-nsp] JUNOS and 128.0.0.0 martian (JFYI)

2011-10-13 Thread Graham Brown
Thanks for the update Tima, I'll distribute this internally - thank you. On Thu, Oct 13, 2011 at 10:17 AM, Tima Maryin wrote: > On 10.10.2011 17:17, Graham Brown wrote: > >> Hello Tima, >> >> Thank you for making me aware of this and raising this with JTAC, I am >> sure that this would be deemed

[j-nsp] Firewall filter for system service ssh on outside interface?

2011-10-13 Thread Daniel M Daloia Jr
Hi Folks, Is there any reason why I shouldn't allow ssh access to a remote SRX with a firewall filter only allowing a single network on an untrust (reth) interface? Maybe I should create a loopback instead, allow system-services ssh, and apply the filter there? My thought for using a lo interfac

Re: [j-nsp] TCAM full on EX8200?

2011-10-13 Thread Michele Bergonzoni
On 13/10/2011 13.31, Chen Jiang wrote: AFAIK, The EX8200 uses SRAM for FIB and TCAM for ACL, that's not like EX2200/3200/4200 that use TCAM for all FIB and ACL. You could vty to line card and try this knob and see what happened: PFEM2(vty)# show shim route lpm-dmm-stats Not sure to under

Re: [j-nsp] JUNOS and 128.0.0.0 martian (JFYI)

2011-10-13 Thread Tima Maryin
On 10.10.2011 17:17, Graham Brown wrote: Hello Tima, Thank you for making me aware of this and raising this with JTAC, I am sure that this would be deemed as critical and an easy fix. If you get allocated a PR, could you please share this with the group so we can monitor the progress and get a h