Expert,
in a ring such as R1-r2-r3-R1 where, R1-r3 is the RPL and R1 is the RPL
owner and fully supporting ERP, while r2 and r3 don't understand ERP and
just forward transparently the ERP frames which are to mcast mac-address
01:19:a7:00:00:01; from an ERP perspective the ring is just R1-R1.
So
Experts,
in a setup like this one, once lo0.0 is put in ospf ALL of its addresses
are advertised by OSPF. Is it possible to select which addresses to
advertise?
Redistributing direct is not an option because it will make them external.
Thanks,
bit.
lo0 {
unit 0 {
family inet {
This is Mx480 Junos10.2R2.11 and DPC.
Any idea why I can not apply a physical-interface-policer to a
physical-interface?
While it can be applied to 'unit 0' of the same interface.
Thanks,
bit.
[edit interfaces xe-4/1/0]
l...@rc2# run show configuration firewall policer L-ECN
, Oct 13, 2010 at 8:36 AM, Bit Gossip
bit.gos...@chello.nl wrote:
This is Mx480 Junos10.2R2.11 and DPC.
Any idea why I can not apply a
physical-interface-policer to a
physical-interface?
While it can
Experts,
in Junos policy language, is it possible, and how, to match route with
NO community attached?
Bit
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Experts,
in the simple Olive 10.2R1.8 setup described below 'ping mpls' fails
from R1 to R6; by monitoring traffic on R3 I see that R3 receives the
ping mpls, it replies but it doesn't forward it to R6.
Notice that if I replace Olive R6 with a real M7i it works.
Any idea why the LSP-PING stops at
: Chris Tracy [mailto:ctr...@es.net]
Sent: Thursday, July 15, 2010 7:55 PM
To: bit gossip
Cc: Peter Krupl; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] MS-DPC and netflow.
Peter, Luca,
I believe you need to be running 9.6 or later in order to use the config that
Luca provided below
Hi Peter,
this should be working
Thanks,
Luca.
forwarding-options {
sampling {
input {
rate 1;
run-length 0;
}
family inet {
output {
flow-server 1.1.1.66 {
port ;
Experts,
how is treated traffic which is associated to a forwarding-class FC9
which is not listed in the scheduler-map which looks something like
this:
scheduler-maps {
SCMAP {
forwarding-class FC1 scheduler SCHED-1;
forwarding-class FC2 scheduler SCHED-2;
Experts,
for M series, is it somehow possible to retrieve any of these 2 figures
via SNMP?
Could not find it in the MIB documentation.
Thanks,
bit.
l...@jr4 show route summary
Autonomous system number: 1
Router ID: 10.4.4.4
inet.0: .., 637083 routes
or
l...@jr4 show bgp summary
for every destination there are usually a few paths of which one is
selected as best.
Is it possible to somehow cap the number of paths accepted per
destination?
Bit.
pretty nasty indeed!
Is there a JTAC case open for this? Or a PR?
Tx,
b.
Ok I should have known better than to jinx it like that... just
discovered a pretty nasty bug in 9.5R3 where when an ae interface (I
THINK one member of the interface is enough to do it, but still
investigating) flaps
I had 2x T320 configured each with a bundle of 3x 10GE and traffic was
split correctly 33% 33% 33%
These have been in place for several years and across several Junos
releases.
On Thu, 2010-01-14 at 02:57 -0300, alexi wrote:
Hello Stefan:
Thanks for your answer, this was a customer question
/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-policy/policy-firewall-filter-how-to-specify-match-conditions.html
Example:
destination-address {
0.0.0.0/0;
10.1.1.0/24 except;
}
Greetings,
-Alex
On Mon, Dec 21, 2009 at 11:16 AM, Bit Gossip bit.gos
Experts,
rs2 is a IOS router and rc2 is Junos router and they have an established
ISIS adjacency with BFD; fine. Then with a fw filter I block BFD packets
reaching RC2; the ISIS session goes down as I would expect but then it
is re-established. How is that possible the session is re-established
Dear experts,
I am struggling to formulate a term to drop all packets with any
ip-option set apart from router-alert.
The following term does NOT work because it drops not only packets with
ip-options other than router-alert, but also packets with NO
ip-option Which of course is devastating !
Hi Uttam,
I think it is common practice, and it is required also by major netflow
tools, to have sampling enabled as input on all interfaces. This allows
to directly getting stats for ingress traffic and indirectly getting
stats for egress traffic by aggregating on the egress if-index of the
Experts,
is it possible to have a Juniper router behave like a multicast host
that wants to receive a multicast group and sends IGMP reports out of
the interface?
From my test, 'protocol igmp static group' simulates the receiving of a
igmp report onto a specific interface but it doesn't send it
of Bit Gossip
Sent: Wednesday, 11 November 2009 22:11
To: Juniper List
Subject: Re: [j-nsp] RE : VRRP packets neither counted nor logged
Well this is getting interesting: I have enabled md5 and this is what I get
(jr4=Junos9.5 CoPP=IOS12.4
Experts, any idea why?
The firewall term VRRP matches packets because if I change the action to
reject the vrrp status changes to master because vrrp from the other
router are not heard anymore.
Nevertheless matched packets are neither counted nor logged :-(
l...@jr4 show configuration
I have checked: Juniper Enterprise Specific MIB: Firewalls MIB
but all the objects there are either readonly or not-accessible
Does this mean that there is no way to set via snmp the policer
threshold ?-(
Bit.
Experts,
out of the well-known values for ip options:
x...@jr4# set ip-options ?
Possible completions:
range Range of values
[Open a set of values
any Any IP option
loose-source-route Loose source route
route-record Route
-defined ARP-POLICER is that the default
thresholds for it may change between Junos releases and platforms and
therefore it is not safe to depend on those values.
Bit
On Tue, 2009-10-20 at 10:10 +0300, Pekka Savola wrote:
On Fri, 16 Oct 2009, Bit Gossip wrote:
https://puck.nether.net/pipermail/juniper
In reply to (a little bit late :-):
https://puck.nether.net/pipermail/juniper-nsp/2009-May/013325.html
I have done some testing with M7i and Junos 9.5R2 and simulated
ARP-FLOOD attack. No protection on the M7i.
Attack generates ~850 arp requests in 180 secs
which makes roughly 48000
the post below forgot to mention IPDR :-)
Bit
On Mon, 2009-10-12 at 21:39 +0100, Paolo Lucente wrote:
Hi Brendan,
On Sun, Oct 11, 2009 at 11:24:36PM -0400, Brendan Mannella wrote:
I have a project to gain some much needed visibility into my network. All
Visibility is quite a broad
A good and cheap option is Cisco IP-SLA which translates into Junos RPM
You can easily snmp poll them via snmp and make nice graphs with cacti
HTH,
L.
On Thu, 2009-10-08 at 14:06 +1000, Dale Shaw wrote:
Hi Ivan,
We use Accedian EtherNID and MetroNID products for this kind of
(RFC2544)
Experts,
I guess that the effect of this command is to maintain a cache of all
the active connections and for each of them assign the discovered value
of the max mtu allowed across the path.
At least the output of 'show system connections inet extensive'
doesn't show any trace of PMTU;
Any idea of
Experts,
do you also know if this works also for packets originated by a MS-PIC
rather than a RE: i.e. flow export?
Thanks,
Bit.
On Fri, 2009-09-11 at 10:16 +, rivo nurges wrote:
On Fri, Sep 11, 2009 at 11:15:31AM +0200, Bit Gossip wrote:
Hi!
is it possible to set the value of return
Experts,
is it possible to set the value of return traffic from RE so that it is
set to a specific ip-prec or dscp value?
I have tested the following behaviour on MX480 Junos 9.5, where the MX
is the server:
- PING: a client pings the MX using tos=x, the Mx replies with same TOS=x
- SSH: a client
Experts,
on the ground that only the following protocols are allowed to reach the
RE:
- BGP (runs PMTU so should not fragment packets)
- ISIS is only L2 so it is not blocked by a firewall filter
- OSPF, LDP, RSVP, PIM, IGMP, BFD, VRRP: don't know about them
- ssh, snmp, tacacs, ntp, Icmp, domain
My point of view in this case is the following:
- the network should have standard MTU configured on both side of all
links; should there be a non standard, this is a misconfiguration.
- in the loopback firewall filter, fragments are dropped with the count
and log option so that we can see what is
cacti (http://cacti.net/) does it out-of-the box...
On Thu, 2009-08-13 at 09:06 -0400, harbor235 wrote:
To all,
I would like to monitor a juniper router interface via snmp, simple enough.
However, I do not want bps, I want to monitor the interface as a percentage
of its total capacity. In
I could get it to work after fixing multicast in QEMU because it looks
like that interface driver for fxp interfaces doesn't accept mcast
packets by default.
HTH,
bit.
On Wed, 2009-08-05 at 12:49 -0400, Stefan Fouant wrote:
Anybody have any luck getting VRRP to run in an Olive?
Experts,
do you know what is the meaning of vlan-id 0?
According to: http://en.wikipedia.org/wiki/IEEE_802.1Q
VLAN Identifier (VID): a 12-bit field specifying the VLAN to which the
frame belongs. A value of 0 means that the frame doesn't belong to any
VLAN; in this case the 802.1Q tag specifies
;
}
then discard;
}
On 4/15/09 1:33 PM, Bit Gossip wrote:
platform MX480 junos 9.3
in the following config the same policer is applied to 2 different
interfaces via 2 different firewall filters.
Will the policer police at 1 mbps the aggregate traffic of the 2
interfaces
Hi Sergio,
it really doesn't seem to work in my setup, filtering locally
originated/terminated traffic. Would you share how you got it
working.
Thanks,
bit.
b...@rr1 show configuration interfaces fxp0.0
family inet {
no-redirects;
filter {
input DENYALL;
output
Experts,
it seems to me that firewall filters have no effect in Olive, even if
applied to lo0 interface. Is it really the case?
Thanks,
bit.
Experts,
does anybody understand the meaning of the 2 vlan parameters in the
following entry:
-net nic,macaddr=00:1A:4B:91:F1:00,vlan=0,model=i82559er -net
tap,vlan=0,ifname=tap100,script=./qemu-ifup \
I have done the following tests:
- whatever VLAN I put there if I tcpdump on the tap
Experts,
do you have pointers or examples on how to use XML to fetch data instead
of snmp?
IE I would like the output of this snmpwalk in a single XML document...
l...@rc2 show snmp mib walk ifAlias
ifAlias.1
ifAlias.4
ifAlias.5
ifAlias.6
ifAlias.7
ifAlias.8
.
Cheers
Martin
-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Bit Gossip
Sent: Wednesday, 6 May 2009 12:18
To: juniper-nsp
Subject: [j-nsp] how to populate a forwarding routing-instance
Experts,
I want to configure
Martin
-Original Message-
From: Bit Gossip [mailto:bit.gos...@chello.nl]
Sent: Wednesday, 6 May 2009 14:48
To: Mogensen,M,Martin,JPECS R
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] how to populate a forwarding routing-instance
Martin,
as a 'virtual-router' the protocol configuration
declared in the routing-instance.
run ping 1.1.1.2 routing-instance PIPPO
Cheers
Martin
-Original Message-
From: Bit Gossip [mailto:bit.gos...@chello.nl]
Sent: Wednesday, 6 May 2009 15:53
To: Mogensen,M,Martin,JPECS R
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] how to populate
platform MX480 junos 9.3
in the following config the same policer is applied to 2 different
interfaces via 2 different firewall filters.
Will the policer police at 1 mbps the aggregate traffic of the 2
interfaces; or will it police independently at 1 mbps the 2 different
interfaces?
ge-5/2/1 {
: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Bit Gossip
Sent: Monday, April 13, 2009 2:51 AM
To: Juniper List
Subject: [j-nsp] clear firewall log
Experts,
do you know if it is possible and how to clear the firewall log that
is
shown
Experts,
do you know if it is possible and how to clear the firewall log that is
shown by:
'run show firewall log detail'
Thanks,
bit
-log.html
On Mon, Apr 13, 2009 at 11:50 AM, Bit Gossip bit.gos...@chello.nl
wrote:
Experts,
do you know if it is possible and how to clear the firewall
log that is
shown by:
'run show firewall log detail'
Thanks,
bit
PL_PREVIOUS_NAME=$PL_NAME
fi
done
echo \}
Example
$ echo 'ip prefix-list bit-gossip seq 5 permit 1.1.1.0/24'\
| ./prefixlist-2j.sh
prefix-list BIT-GOSSIP {
1.1.1.0/24;
}
Experts,
is the default route generated by the following config used for general
forwarding? I see that it is installed in inet.0.
Thanks,
bit.
groups {
re0 {
interfaces {
fxp0 {
unit 0 {
family inet {
address
of course: apply-groups [ re0 re1 ];
Bit.
On Mon, 2009-02-16 at 12:15 +0100, Patrik Olsson wrote:
Do you apply the group?
Patrik
Bit Gossip wrote:
Experts,
is the default route generated by the following config used for general
forwarding? I see that it is installed in inet.0
The scp URL works fine in the 'file copy' but not in the 'request system
software add'
Is this a bug or a feature?
Thanks,
bit.
l...@olive-00 request system software add
scp://l...@192.168.122.254/jinstall-9.3R2.8-domestic-signed.tgz
fetch:
Experts,
can you provide a reference to scripts for automatically generating
prefix-list out of the RIPE database
What would be the best option: using Junos script or external script?
Thanks,
bit.
Experts,
do you know if Junos (8.5 for mx960) will load balance across two equal
cost path once I install them in inet.2 with the following:
routing-options {
rib inet.2 {
static {
route 104.104.104.104/29 next-hop 1.1.1.1;
route 104.104.104.104/29 next-hop
If you want to sample all traffic, as it appears from your config, you
don't really need a fw filter but you can use the following simple form:
ge-0/0/0 {
unit 0 {
family inet {
sampling {
input;
}
}
}
Experts,
I know that while using tacacs authentication, all accounts are mapped
to single local account 'remote'. How is it possible in this situation
to grant different privileges to different tacacs accounts?
Thanks,
Bit.
Experts,
how would you connect 2 olive instances running on qemu with a
point-to-point link across 2 of their fxp interfaces?
I am asking because I am rather out of options:
- if I create many tap interfaces the linux kernel bridges between them
and I end up with a big single broadcast domain
Experts,
do you know if it is possible, and how, to create a rewrite-rule in
Junos to rewrite BOTH:
ieee-802.1 IEEE-802.1 rewrite rule
inet-precedence IPv4 precedence rewrite rule
Thanks,
bit
Experts,
can you provide an example on how to configure in Junos something like:
- packet enters from interface X please route according to routing table
Y; otherwise normal routing.
Thanks,
Luca.
Experts,
I would like my Junos 8.5 and 9.2 routers to send traps when there is a
change in the VRRP status but I can not find any reference in the
documentation. Anyone has experience and can give me a hint..
Thanks,
Bit
Experts,
I need to setup a limited number of LSPs where the PE device is Juniper
(MX and T320) and the P are Cisco 76xx. Are both LDP and RSVP valid
options? Or are there interop issues I should be aware?
Thanks,
Bit.
Experts,
can you help to clear the confusion here:
loss-priority high = PLP high = the packet is LESS likely to get dropped
loss-priority low = PLP low = the packet is MORE likely to get dropped
Is this correct?
Thanks,
Bit.
Experts,
do you know if there is a Junos equivalent to the following Cisco:
rc1(config-router)#neighbor 1.1.1.1 ttl-security hops ?
1-254 maximum number of hops
Thanks,
Bit
Experts,
with regards to class-of-service, does a multicast packet receive the
same treatment of a unicast one?
Therefore my qos config works exactly the same for multicast and unicast
and I don't need any special config for multicast?
Thanks,
bit,
experts,
we are experiencing a constant presence of L3 incomplete on a 1 Gige
PIC. This is ~1 every 5 mins. Any idea what can be the reason?
The Junos doc says This counter increments when the incoming packet
fails Layer 3 (usually IPv4) checks of the header. For example, a frame
with less than
Experts,
would it be possible to run an instance of ISIS solely for multicast
routing?
That is: on interface A, B, C I want to run OSPF solely for unicast and
ISIS solely for multicast?
Thanks,
Luca.
-table {
export QPPB-64600-policy;
}
}
Bit Gossip wrote on Wed, Mar 19, 2008 at 05:32:33AM SGT :
| Group,
| I would like to implement the following with Junos 8.5:
|
| Router A is connected to a number of BGP customers behind a 10GE
| interfaces
|
| Customer Cx tag
Someone is so kind to provide some reference and examples on Junos
Script.
Bit
Hi,
someone has a sample of a JunosScript that can intercept RTR traps and
act upon them.
Thanks,
Bit.
On Mon, 2007-12-03 at 23:49, Dale Ben wrote:
Hi Eric,
The JUNOS equivalent to SAA is called RPM or Real-time Performance
Monitor [edit services rpm]. I don't think there is too much
I notice that a Juniper router doesn't forward packets between fxp0 and
all other interfaces, even if a route exists. Is there a way to change
this behaviour?
Thanks,
Luca.
I certainly will not do it on a production router, but I kind of need a
hack for that for my lab.
Thanks,
Bit.
On Tue, 2007-11-20 at 15:36, Eugeniu Patrascu wrote:
Bit Gossip wrote:
I notice that a Juniper router doesn't forward packets between fxp0 and
all other interfaces, even
69 matches