Re: [j-nsp] move routes from VRF to inet.0

2014-02-04 Thread Olivier Benghozi
Hi Mike, also what we do here. However, that was not that easy, we observed that a discard route imported to another vrf via auto-export on the same box was imported with its next-hop, that is... discard, instead of triggering an additional lookup in the internet table (what we use on some

Re: [j-nsp] move routes from VRF to inet.0

2014-02-04 Thread Adam Tajer
Tobias, When you receive inet-vpn routes from remote PE, they are put into bgp.l3vpn.0 first. This is their primary RIB from the perspective of this PE. Entries in VRF are considered secondary are already leaked based on vrf-target/vrf-import policy (think of it as automatic leaking between

[j-nsp] RSVP neighbor sequence changes

2014-02-04 Thread Eric Van Tol
Hi all, Two sets of routers in my network keep logging the following message: rpd[1559]: RPD_RSVP_NBRDOWN: RSVP neighbor x.x.x.x down on interface ae0.1 nbr-type Direct, neighbor seq number change The interface is different on the two sets of routers, obviously. All other RSVP sessions seem

[j-nsp] Loopback Filter - NTP Question

2014-02-04 Thread Paul Stewart
Hi there We are still finding some JunOS devices vulnerable in our network to the NTP issue. For devices with an IP address on the loopback this has proven to be just an update to existing firewall filters where we allow the remote NTP servers we query from and include the loopback IP itself.

Re: [j-nsp] Loopback Filter - NTP Question

2014-02-04 Thread Mark Tinka
On Tuesday, February 04, 2014 09:43:47 PM Paul Stewart wrote: Juniper says we must put an IP address on the loopback to work around this issue so I am wondering what other folks are doing in these specific situations? I have NTP filters against a Loopack without an IP address, and they are

Re: [j-nsp] Loopback Filter - NTP Question

2014-02-04 Thread Chad Myers
If it requires an address, you can put the loopback address 127.0.0.1/32 on the loopback interface itself. It is possible to add disable monitor to /var/etc/ntp.conf to disable the monlist command. The caveat is that a full commit (or rollback) will recreate ntp.conf and delete the entry.

Re: [j-nsp] Loopback Filter - NTP Question

2014-02-04 Thread Wojciech Owczarek
On 4 February 2014 21:24, Chad Myers chad.my...@theice.com wrote: If it requires an address, you can put the loopback address 127.0.0.1/32on the loopback interface itself. It is possible to add disable monitor to /var/etc/ntp.conf to disable the monlist command. The caveat is that a full

[j-nsp] Join my network on LinkedIn

2014-02-04 Thread Paulhamus Jon a través de LinkedIn
LinkedIn Paulhamus Jon ha indicado que eres amigo(a). -- Como eres alguien en quien confío, me gustaría añadirte a mi red. Accept invitation from Paulhamus Jon