Re: [j-nsp] SRX Dynamic Address limits

2024-03-04 Thread Roger Wiklund via juniper-nsp
We're using stamparm/ipsum: Daily feed of bad IPs (with blacklist hit scores) (github.com) with SRX300. ~37k entries with no issues. Address name : ipsum-l2 Address id: 11 IPv4 entries : 37317 Regards

Re: [j-nsp] Hardware configuration for cRPD as RR

2024-02-07 Thread Roger Wiklund via juniper-nsp
Hi I'm curious, when moving from vRR to cRPD, how do you plan to manage/setup the infrastructure that cRPD runs on? BMS with basic Docker or K8s? (kind of an appliance approach) VM in hypervisor with the above? Existing K8s cluster? I can imagine that many networking teams would like an AIO

Re: [j-nsp] Thanks for all the fish

2024-01-09 Thread Roger Wiklund via juniper-nsp
Not the first rumour of Juniper getting acquired. Last time it was Ericsson and before that I think it was IBM or EMC, but perhaps this time it's the real deal. Juniper has been very successful in Enterprise with the Mist acquisition, so I'm a bit surprised that the stock price is still stale.

Re: [j-nsp] juniper fanless devices

2023-12-08 Thread Roger Wiklund via juniper-nsp
Hi With fans ACX7024 comes to mind, -40 to +65: acx7024-cloud-metro-router-datasheet.pdf (juniper.net) It's a Qumran-2U (Jericho2 family) ASIC. Regards Roger On Fri, Dec 8, 2023

Re: [j-nsp] proxy-arp on EVPN irb

2023-12-08 Thread Roger Wiklund via juniper-nsp
Hi It seems that proxy arp is disabled by default: proxy-arp | Junos OS | Juniper Networks Regarding proxy-arp for EVPN (arp suppression) it only works for the same

Re: [j-nsp] QFX5110 / EVPN-VXLAN with IPv6 underlay

2023-11-28 Thread Roger Wiklund via juniper-nsp
an ASIC limitation as QFX5110 is using Trident 2+ and QFX5120/EX4400 is using Trident 3. Regards Roger On Tue, Nov 28, 2023 at 3:48 PM Roger Wiklund wrote: > Hey > > You're interpreting the default switch limitation incorrectly. > > It doesn't mean the QFX5120 can't support MAC

Re: [j-nsp] QFX5110 / EVPN-VXLAN with IPv6 underlay

2023-11-28 Thread Roger Wiklund via juniper-nsp
Hey You're interpreting the default switch limitation incorrectly. It doesn't mean the QFX5120 can't support MAC-VRFs, it means even if you implement MAC-VRFs you still only have a single switch domain and can't have overlapping VLANs in the different MAC-VRFs. (MX does not have this limitation.

Re: [j-nsp] ACX7100-48L

2023-06-07 Thread Roger Wiklund via juniper-nsp
Hi Some generic pointers here: Checklist for Collecting Crash Data - TechLibrary - Juniper Networks show chassis routing-engine What does "last reboot reason" say? I would

Re: [j-nsp] QFX DDOS Violations

2022-11-30 Thread Roger Wiklund via juniper-nsp
Hi John The default DDoS values on QFX5k for EVPN-VXLAN are way too low. I recommend these values + very tight storm-control on each applicable port. RSVP and LDP are not used but share the same queue as BGP so you will see strange triggers if you omit these. set system ddos-protection protocols

Re: [j-nsp] Collapse spine EVPN type 5 routes issue

2022-11-18 Thread Roger Wiklund via juniper-nsp
Hi Niklas We always use unique ASNs per device in the VRFs. Loop 2 should work fine, as-override also as previously mentioned. There's also a few knobs for RT5 you can play with: root@qfx5120-48y-02# set routing-instances test protocols evpn ip-prefix-routes route-attributes ? Possible

Re: [j-nsp] VXLAN multi-site solution problem

2022-05-24 Thread Roger Wiklund via juniper-nsp
Hi I assume you have some broad policy config on the leafs like this: set policy-options policy-statement BGP-OVERLAY-IN term reject-remote-gw from family evpn set policy-options policy-statement BGP-OVERLAY-IN term reject-remote-gw from next-hop 2.255.255.1 set policy-options policy-statement

Re: [j-nsp] EVPN VGA MAC address learning cause flooding

2021-12-07 Thread Roger Wiklund via juniper-nsp
Sorry I missed your _actual_ question :) I never figured out why this is the default behavior, sorry. Regards Roger On Tue, Dec 7, 2021 at 4:40 PM Roger Wiklund wrote: > Hi > > Yes you need to set the vga-v4/v6-mac on the IRB interface: > > virtual-gateway-v4-mac | EVPN User

Re: [j-nsp] EVPN VGA MAC address learning cause flooding

2021-12-07 Thread Roger Wiklund via juniper-nsp
Hi Yes you need to set the vga-v4/v6-mac on the IRB interface: virtual-gateway-v4-mac | EVPN User Guide | Juniper Networks TechLibrary eg: set interfaces

Re: [j-nsp] evpn trouble

2021-05-11 Thread Roger Wiklund
Hi What data plane are you using, MPLS or VXLAN? Instance-type evpn is VLAN-Based Service. I.E one VLAN per EVPN instance, is this what you want? Configuring EVPN with VLAN-Based Service | EVPN User Guide | Juniper Networks TechLibrary

Re: [j-nsp] Does QinQ work with VPLS on Juniper300?

2021-02-01 Thread Roger Wiklund
That's interesting. According to this page QinQ is not supported on SRX300/320, not sure if that has anything to do with it? Configuring Q-in-Q Tunneling on Security Devices - TechLibrary - Juniper Networks

Re: [j-nsp] Big flows up to 320 Gbs

2020-10-04 Thread Roger Wiklund
Hardware wise I would go with at least QFX5110-48S, then you have 4x1000Gbps uplinks, but even better go with QFX5120-48Y for 8x100G uplinks. Also, don't use VC or MC-LAG unless you really must. Instead use EVPN-VXLAN to provide multihoming, L2 stretch, Anycasted default GW etc etc. Regards Roger

Re: [j-nsp] Routing Engine Protection

2020-09-17 Thread Roger Wiklund
Hi Here's the general behaviour in Junos: (routing) https://kb.juniper.net/InfoCenter/index?page=content=KB23547 However, QFX5k is different:

Re: [j-nsp] Juniper SRX dynamic interface ACL via csv

2020-09-09 Thread Roger Wiklund
Hi Are you referring to a stateless firewall filter on an interface? In that case you need some sort of automation to populate this. I would use Ansible to check if the CSV has been updated and then push the new IPs to the device. However as this is an SRX you should use stateful firewalling

Re: [j-nsp] How to pick JUNOS Version

2020-08-19 Thread Roger Wiklund
I'm not sure how long Arista can keep the single binary approach as they expand their portfolio and feature set. For example it makes very little sense to have full BNG code on EX access switches, image would be huge. As for JTAC recommended release, it's a very generic recommendation not taking

Re: [j-nsp] SNMP OIDs for Yellow/Red Alarm on MX204

2020-08-19 Thread Roger Wiklund
Maybe you can use an SNMP script as a workaround? https://www.juniper.net/documentation/en_US/junos/topics/example/junos-script-automation-snmp-script-example.html /Roger On Fri, Aug 7, 2020 at 3:32 PM Arzhel Younsi wrote: > Hi, > > Our rep opened ER-080949 last month. > > Cheers. > > -- >

Re: [j-nsp] Advertisement of VRRP IP in an EVPN with IRB setup

2020-05-25 Thread Roger Wiklund
Hi Why are you using VRRP instead of Virtual Gateway Address? https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/virtual-gateway-address-edit-interfaces.html /Roger On Wed, May 20, 2020 at 2:51 PM Alex D. wrote: > Hello, > > i'm trying to setup a

Re: [j-nsp] Junos Telemetry Interface

2020-04-14 Thread Roger Wiklund
lthbot still an > option? > > On Mon, Apr 13, 2020 at 4:22 PM Roger Wiklund > wrote: > >> Hi >> >> Check out Juniper Healthbot. It can consume Netconf, SNMP, Syslog, Native >> and OpenConfig, also works with Cisco. >> Still pretty fresh product b

Re: [j-nsp] Junos Telemetry Interface

2020-04-13 Thread Roger Wiklund
currently support streaming telemetry, and its not on their > road map at the moment? > > On Mon, Apr 13, 2020 at 3:23 PM Roger Wiklund > wrote: > >> Hi >> >> Native sensors: >> >> https://www.juniper.net/documentation/en_US/junos/topics/reference/conf

Re: [j-nsp] Junos Telemetry Interface

2020-04-13 Thread Roger Wiklund
Hi Native sensors: https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/sensor-edit-services-analytics.html OpenConfig sensors: https://www.juniper.net/documentation/en_US/junos/topics/reference/general/junos-telemetry-interface-grpc-sensors.html Plugins to

Re: [j-nsp] EVPN IRB / gateway selection

2020-02-23 Thread Roger Wiklund
Hi Nathan You're not missing anything. EVPN Overlay IRB VGA selection does NOT take underlay metrics into consideration yet (it's on the roadmap) What you need to do is to filter out the remote DC IRB VGAs on each leaf switch using a policy. Leaf switches: set policy-options policy-statement

Re: [j-nsp] NFX150 VPLS

2020-01-03 Thread Roger Wiklund
Last I checked VPLS is not supported on NFX150. However you can deploy a vSRX as an VNF and that will have MPLS/VPLS capabilities. Silly, yes. /Roger On Fri, Jan 3, 2020 at 12:22 PM Dave Bell wrote: > Looking at the feature explorer, it barely even supports MPLS. > > My guess would be that

Re: [j-nsp] MX204 MACsec

2019-11-26 Thread Roger Wiklund
an use for this? > > On Tue, 26 Nov 2019 at 22:28, Roger Wiklund > wrote: > >> Hi >> >> MX204 does not support MACsec, it lacks the hardware for it. >> >> >> >> On Tue, Nov 26, 2019 at 9:04 PM Mohammad Khalil >> wrote: >> >>>

Re: [j-nsp] MX204 MACsec

2019-11-26 Thread Roger Wiklund
Hi MX204 does not support MACsec, it lacks the hardware for it. On Tue, Nov 26, 2019 at 9:04 PM Mohammad Khalil wrote: > Thanks Graham for the kind reply. > But in general that means MACsec standard 802.1ae is not support on MX204 > ports? > > Thanks again > > On Tue, 26 Nov 2019 at 21:44,

Re: [j-nsp] EVPN - no remote route of type EVPN in the L3VPN

2019-07-03 Thread Roger Wiklund
Forget 14.1R1. Go with 18.1R3-S6 and try again. /Roger On Wed, Jul 3, 2019 at 2:52 PM Enoch Nyatoti via juniper-nsp < juniper-nsp@puck.nether.net> wrote: > Hi guys, > I have a lab set up on EVE-NG to test EVPN. I am running version > 14.1R1.10. > > When my local PE router learns a new MAC/IP

Re: [j-nsp] IPAM like tool/DB for managing communities

2018-12-13 Thread Roger Wiklund
NIPAP maybe? http://spritelink.github.io/NIPAP/ Personally I like phpIPAM, it's quite easy to add custom stuff. https://phpipam.net On Mon, Dec 10, 2018 at 10:30 AM wrote: > Hi folks, > > I'm just wondering if anyone happens to know about a tool that can be used > to manage BGP communities

Re: [j-nsp] Juniper MPC2E-3D-NG-R-B vs MPC2E-3D-R-B

2018-10-20 Thread Roger Wiklund
High level diff: MPC2E 2xPFE@40G each No IR license mode (all features but 32VRF limit per MPC) Minimum Junos 11.2R4 MPC2E-NG 1xPFE@80G IR license mode available Minimum Junos 14.1R4 Requires SCBE or SCBE2 More details here about specific features: (dynamic power, flexible queueing, hqos, l2tp

Re: [j-nsp] QFX5110 / VXLAN

2018-07-03 Thread Roger Wiklund
Hi Scott Should be fine as L2 GW. L3 GW and Route Type 5 support is quite recent. Beefier alternatives are QFX10002, or MX204 if you want to go MX route with fewer ports. Both have custom ASICs with higher scale, and higher chance to overcome caveats/limitations especially tied to chipset

Re: [j-nsp] SRX 300 VPN

2018-05-25 Thread Roger Wiklund
443 NCP Exclusive Remote Access Client v2, which supports IPsec messages with an SSL/TLS connection (NCP v2 uses TLSv1.0.) On Fri, May 25, 2018 at 9:10 PM, Ola Thoresen <o...@nytt.no> wrote: > On 25. mai 2018 20:37, Roger Wiklund wrote: > > Juniper sold Junos Pulse and that beca

Re: [j-nsp] SRX 300 VPN

2018-05-25 Thread Roger Wiklund
My bad, IKEv2 is not supported for dynamic VPNs. https://www.juniper.net/documentation/en_US/junos/topics/concept/vpn-security-dynamic-tunnel-understanding.html On Fri, May 25, 2018 at 8:37 PM, Roger Wiklund <roger.wikl...@gmail.com> wrote: > Juniper sold Junos Pulse and that bec

Re: [j-nsp] SRX 300 VPN

2018-05-25 Thread Roger Wiklund
Juniper sold Junos Pulse and that became Pulse Secure. The SRX300 supports SSL VPN but requires the third party NCP client (not free). For "free" SSL VPN use OpenVPN or download Pulse Connect Secure VM: (no time limit, 3 users) https://www.pulsesecure.net/trynow/pulse-connect-secure/

Re: [j-nsp] SRX and http/https proxy

2017-12-20 Thread Roger Wiklund
You can download the latest signature here: https://kb.juniper.net/InfoCenter/index?page=content=KB27038 Try this: 1. unzip the file, then gunzip all gz files: gzip -d *.gz 2. copy all files to the device with scp: scp -r * root@ip :/var/db/idpd/sec-download/ 3. request security idp

Re: [j-nsp] SRX and http/https proxy

2017-12-12 Thread Roger Wiklund
Two options on the top of my head: 1. Use Security Director, that will download the signature to the server and then push it to the device. (SD will also give you lots of other benefits/visibility) 2. Download the update to a web server the SRX can reach, then use offline-download "request

Re: [j-nsp] Topology failure on EX4200

2017-07-17 Thread Roger Wiklund
/implementation-guides/8010018-en.pdf /Roger On Sun, Jul 16, 2017 at 5:17 PM, Victor Sudakov <v...@mpeks.tomsk.su> wrote: > Roger Wiklund wrote: >> > There is a ring of EX4200 switches, please look at >> > http://noc.sibptus.ru/jun1.png >> > >> > If MUX1

Re: [j-nsp] Why JUNOS need re-establish neighbour relationship when configuring advertise-inactive

2017-07-15 Thread Roger Wiklund
Hi Indeed you are right Saku. set routing-instances VR2 protocols bgp group TO-VR1-AND-VR2 neighbor 10.0.0.1 peer-as 100 set routing-instances VR2 protocols bgp group TO-VR1-AND-VR2 neighbor 20.0.0.2 advertise-inactive set routing-instances VR2 protocols bgp group TO-VR1-AND-VR2 neighbor

Re: [j-nsp] Topology failure on EX4200

2017-07-14 Thread Roger Wiklund
Hi Have you configured loop protection? https://www.juniper.net/documentation/en_US/junos/topics/example/stp-loop-protection-qfx-series.html On a design note, why not use Virtual Chassis instead? /Roger On Mon, Jul 10, 2017 at 6:34 AM, Victor Sudakov wrote: > Dear

Re: [j-nsp] Why JUNOS need re-establish neighbour relationship when configuring advertise-inactive

2017-07-14 Thread Roger Wiklund
Hi What version are you running? Is this on MX? Just for kicks I tried this setup on my SRX300 in packet mode running 15.1X49-D100, and it works without session reset. https://www.juniper.net/documentation/en_US/junos/topics/example/bgp-advertise-inactive.html The only difference is that I only

Re: [j-nsp] cheapest juniper router capable of lsys

2017-06-27 Thread Roger Wiklund
Spend your money on a decent server instead and run Wistar + vRR https://github.com/Juniper/wistar /Roger On Tue, Jun 27, 2017 at 11:24 PM, Doug McIntyre wrote: > On Tue, Jun 27, 2017 at 08:57:10PM +, Simone Spinelli wrote: >> For study/personal lab I would also take a

Re: [j-nsp] A wierd problem with QinQ at QFX5100

2017-06-01 Thread Roger Wiklund
Hi Try 14.1X53-D43, it has some fixes for L2PT. /Roger On Sat, May 27, 2017 at 9:50 PM, Giuliano C. Medalha wrote: > Andrew > > Good afternoon. > > Q-in-Q works fine here for us in our production networks and in our labs. > > Do you need the a sample config ? > > We

Re: [j-nsp] ACX500 PTP grandmaster

2017-03-15 Thread Roger Wiklund
I have not done it myself, but here's a guide if you have not seen it: http://www.juniper.net/techpubs/en_US/junos/topics/task/configuration/ptp-gm-clock-acx-series.html On Tue, Mar 14, 2017 at 5:43 PM, Carsten Pettersson wrote: > Hi folks, > > I am trying to get an

Re: [j-nsp] Soft removal of traffic from AE?

2016-10-29 Thread Roger Wiklund
Hi The question is actually regarding maintenance. I have 40+ dual homed servers, and I need to upgrade the switches. It's not feasible to steer traffic away on each server, therefore I asked about what can be done on the switch itself. I wanted to know if there is a better way than just

Re: [j-nsp] Soft removal of traffic from AE?

2016-10-28 Thread Roger Wiklund
Thanks, have you tested this? What happens to traffic/sessions on the link? Is it non disruptive, or at least less disruptive than disabling the interface? /Roger On Fri, Oct 28, 2016 at 1:17 PM, Eugeniu Patrascu <eu...@imacandi.net> wrote: > On Fri, Oct 28, 2016 at 12:53 PM, Roge

[j-nsp] Soft removal of traffic from AE?

2016-10-28 Thread Roger Wiklund
Hi Is there a way to remove one interface from an AE without disabling the interface? I was thinking about removing the 802.3ad aeX config from the interface but I have not tried it yet. Thanks /Roger

Re: [j-nsp] Free JNCIA Practice test

2016-07-19 Thread Roger Wiklund
There's also a CBT nugget on JN0-102 that's pretty good. And of course the Junos Genius app that Matt mentioned. On Tue, Jul 19, 2016 at 10:27 AM, Roger Wiklund <roger.wikl...@gmail.com> wrote: > You'll find everything here: > > https://learningportal.juniper.net/juniper/user_fastt

Re: [j-nsp] Free JNCIA Practice test

2016-07-19 Thread Roger Wiklund
You'll find everything here: https://learningportal.juniper.net/juniper/user_fasttrack_study.aspx?track=Fast+Track+JNCIA-JUNOS /Roger On Tue, Jul 19, 2016 at 12:12 AM, Matt Freitag wrote: > Simone, > > I've found the Junos Genius app for Android (and maybe iOS) is a really >

Re: [j-nsp] MX80 base model

2016-05-12 Thread Roger Wiklund
What about the new SRX1500, x86 platform, 2m routes: https://www.juniper.net/assets/us/en/local/pdf/datasheets/1000551-en.pdf On Thu, May 12, 2016 at 3:25 PM, Adam Vitkovsky wrote: >> From: Colton Conor [mailto:colton.co...@gmail.com] >> Sent: Tuesday, May 10, 2016