From: "Sreenivas Naidu" <snaidu@juniper.net>
To: "Rui Bernardo"
Date: Wed, 23 Jan 2008 09:36:41 +0530
Subject: Re: [j-nsp] Traffic statistics explanation

0 bps indicates that at the time of polling for the stats there is no traffic received on this port. This is obvious from the fact that the link is down. You will see some value other than zero for bps when you have continuous traffic running on this interface.

> -----Original Message-----
> From: juniper-nsp-bounces@puck.nether.net [mailto:juniper-nsp-bounces@puck.nether.net] On Behalf Of Rui Bernardo
> Sent: Friday, August 31, 2007 9:45 PM
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] Traffic statistics explanation
>
> Hi guys,
> Can anyone explain to me what the 'Traffic statistics' of the 'show
> interfaces extensive ge-1/0/0' means?
> In the 'input bytes', what does the second column mean?
>
> According to documentation, the 'Traffic statistics' means the number and
> rate of bytes and packets received and transmitted on the physical interface.
> Why does it have the 0 value??
>
> z@Taipei> show interfaces extensive ge-1/0/0
> Physical interface: ge-1/0/0, Enabled, Physical link is Down
> ...
> Statistics last cleared: Never
> Traffic statistics:
> Input bytes : 184452 0 bps
> Output bytes : 195752 0 bps
> Input packets: 2489 0 pps
> Output packets: 2491 0 pps
> Input errors:
>
> Regards,
> RB

From: "tim tiriche" <tim.tiriche@gmail.com>
To: juniper-nsp@puck.nether.net
Date: Thu, 24 Jan 2008 01:00:28 -0500
Subject: [j-nsp] BGP multipath question

Hello,

I would like to know when Multipath kicks in during the BGP path selection process.

Let's say I have 2 routers, rtrA and rtrB, connected with two physical links.
First, for example, if I were to configure rtrA with 'multipath' and if rtrB would advertise a prefix on one session with a shorter as_path, would rtrA load balance or would that break it?

Second, I heard the following, is this true, if I have EIBGP multipath configured (MPLS VPN environment): if rtrA is Cisco and receives route 192.168/24 with AS_PATH 100 200 and AS_PATH 100 300, Cisco routers would not consider them to be the same even though the length is the same but the ASNs are different, and move on to the next process in the BGP decision process and break eibgp multipath. However, if rtrA were a Juniper, the AS_path length would be considered the same and rtrA would load balance. If so, are there any knobs to change this?

Last, what's the equivalent of maximum-paths eibgp in Juniper?

Any pointers or documentation that explains more on this would be appreciated (RFCs, whitepapers, search terms to use, books, etc.).

Sincerely,
-- Tim

From: "David Ball" <davidtball@gmail.com>
To: juniper-nsp@puck.nether.net
Date: Thu, 24 Jan 2008 08:56:21 -0700
Subject: [j-nsp] out-bound anti-spoofing rules when using community-based routing

We use community-based routing for our internet customers in that any static routes or accepted BGP routes are tagged with a community, such that we'll know what we should and should not export to our upstreams. This helps to avoid having to maintain large prefix-lists on each node.

I'm now struggling to find another way to prevent our customers from spoofing. The previous method relied on a firewall filter which indeed references a prefix-list of all our customers' space. I'm having a hard time getting away from this, as I can't create a firewall filter which will look up the community assigned to a source-address (to see if it's legitimately a customer).

How have others gotten around this? Am I overlooking something? Or is maintaining large lists the only way to go ?

David

From: DATACOM - Estêvão <estevao@datacom.ind.br>
Organization: DATACOM
To: juniper-nsp@puck.nether.net
Date: Thu, 24 Jan 2008 15:03:19 -0200
Subject: [j-nsp] Submodules MIB <=> PICs and DPCs

Hello,

There's a MIB called "jnxSubmoduleGeneric" which identifies the type of the PICs in the devices. It has values such as:

jnxPicQuadEther
jnxPicGigEther
jnxPicSingleQHGE
jnxPicFicGE

But I was trying to find out what would be the values answered for the DPCs supported by the MX960 router. Can anyone help me on this?

Thank you in advance,

--
ESTÊVÃO Miguel Zanette Rohr
DATACOM
Av. França, 735 - Porto Alegre, RS - 90230-220
Phone: 51 3358 0170
Fax: 51 3358 0101
site: www.datacom.ind.br
e-mail: estevao@datacom.ind.br

From: "Jose Madrid" <jmadrid2@gmail.com>
To: juniper-nsp@puck.nether.net
Date: Thu, 24 Jan 2008 12:12:14 -0500
Subject: [j-nsp] J2320 Issues

Hello all,

I currently have a j2320 with 90 BGP peers and receiving 500K+ routes. This device has 1GB RAM and is consistently at 75% memory usage, for obvious reasons, and previously was consistently about 40% CPU. The issue we are having is that once I go over 40Mbps on the main circuit on this device, we start seeing subtle packet loss of about 1% and latency through this device. I opened a JTAC case as I had noticed some issues similar to those listed here: http://www.mail-archive.com/juniper-nsp@puck.nether.net/msg01686.html.
I upgraded the code on the device to 8.5R1.14 and now am seeing other issues related to the reporting of CPU usage. So my question is can anybody lend any advice as to what may be going on with the traffic and the packet loss being caused? Also with the CPU reporting, etc. Thanks in advance for any info you guys can send over my way.

CPU utilization:
  User                     -17 percent
  Real-time threads        185 percent
  Kernel                  -167 percent
  Idle                      99 percent

Output of show bgp summary:

Groups: 7 Peers: 85 Down peers: 3
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0            584762     243156          0          0          0          0

--
It has to start somewhere, it has to start sometime. What better place than here? What better time than now?

From: "Peter E. Fry" <pfry-lists@redsword.com>
To: juniper-nsp@puck.nether.net
Date: Thu, 24 Jan 2008 13:00:44 -0600
Subject: Re: [j-nsp] out-bound anti-spoofing rules when using community-based routing

[...]
> I'm now struggling to find another way to prevent our
> customers from spoofing. The previous method relied on a
> firewall filter which indeed references a prefix-list of
> all our customers' space. I'm having a hard time getting
> away from this, as I can't create a firewall filter which
> will look up the community assigned to a source-address
> (to see if it's legitimately a customer).
> How have others gotten around this? Am I overlooking
> something? Or is maintaining large lists the only way to
> go ?

I'm curious myself...
I guess URPF doesn't fit your needs? I'm not sure how a community match would differ a whole lot. Sadly enough, the best method I can think of offhand would be to run two filters -- one general and one specific to the customer link.

By the way:

    > config cbq.1 traffic-class.Test src-bgp-
    completions are:
    src-bgp-as-expression
    src-bgp-community

That's from an old Lucent (Xedia) router (I use it as a traffic shaper on my DSL). It'd be nice if the big two would pick up some of the odd innovations from old, dead devices like this one.
Never can tell when you'll want to filter packets by domain name, AS, community, etc.

Peter E. Fry

From: Pekka Savola <pekkas@netcore.fi>
To: David Ball
Cc: juniper-nsp@puck.nether.net
Date: Thu, 24 Jan 2008 21:27:05 +0200 (EET)
Subject: Re: [j-nsp] out-bound anti-spoofing rules when using community-based routing

On Thu, 24 Jan 2008, David Ball wrote:
> I'm now struggling to find another way to prevent our
> customers from spoofing. The previous method relied on a firewall filter which
> indeed references a prefix-list of all our customers' space. I'm
> having a hard time getting away from this, as I can't create a
> firewall filter which will look up the community assigned to a
> source-address (to see if it's legitimately a customer).
> How have others gotten around this? Am I overlooking something? Or
> is maintaining large lists the only way to go ?

Firewall filters are programmed on the ASICs. As a result, they can't change dynamically based on control plane information (routes), at least this wasn't possible a couple of years ago.

You'll need the list of prefixes in any case. You'll want to have inbound policy reject routes that advertise more specifics of your address space (routing hijack). Community based mechanism won't help with that so you'll need a static list.

If you build the prefix lists in a flexible manner, you can also use the same prefix lists to do egress/ingress filtering at your peering/upstream edges.

At the customer edge you can probably use uRPF and static prefix lists for BGP customers.

This is a bit more generic but may be useful to you (comments welcome):
http://tools.ietf.org/id/draft-savola-rtgwg-backbone-attacks-03.txt

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

From: "David Ball" <davidtball@gmail.com>
To: "Pekka Savola"
Cc: juniper-nsp@puck.nether.net
Date: Thu, 24 Jan 2008 14:05:38 -0700
Subject: Re: [j-nsp] out-bound anti-spoofing rules when using community-based routing

I suppose uRPF would do the trick, though since I have some customers with redundant connectivity to us, asymmetry is possible. So, in that case we'd end up having to maintain prefix-lists after all, which we'd reference in the 'rpf-check fail-filter'.
I had done away with prefix-lists for the most part for our BGP customers and simply listed their blocks in their policy-statements, but I guess reverting back to referencing prefix-lists using 'prefix-list-filter orlonger' would work the same, and allow me to reference same prefix-list in a fail-filter. Serves me right for trying to save a few lines of config. Thanks for the comments.

On a related note, did anything ever happen with the idea of 'feasible path' RPF, which would consider multiple paths to the same prefix, instead of just the active one?

David

On 24/01/2008, Pekka Savola wrote:
> On Thu, 24 Jan 2008, David Ball wrote:
> > I'm now struggling to find another way to prevent our customers from
> > spoofing. The previous method relied on a firewall filter which
> > indeed references a prefix-list of all our customers' space. I'm
> > having a hard time getting away from this, as I can't create a
> > firewall filter which will look up the community assigned to a
> > source-address (to see if it's legitimately a customer).
> > How have others gotten around this? Am I overlooking something? Or
> > is maintaining large lists the only way to go ?
>
> Firewall filters are programmed on the ASICs. As a result, they can't
> change dynamically based on control plane information (routes), at
> least this wasn't possible a couple of years ago.
>
> You'll need the list of prefixes in any case. You'll want to have
> inbound policy reject routes that advertise more specifics of your
> address space (routing hijack). Community based mechanism won't help
> with that so you'll need a static list.
>
> If you build the prefix lists in a flexible manner, you can also
> use the same prefix lists to do egress/ingress filtering at your
> peering/upstream edges.
>
> At the customer edge you can probably use uRPF and static prefix lists
> for BGP customers.
>
> This is a bit more generic but may be useful to you (comments
> welcome):
> http://tools.ietf.org/id/draft-savola-rtgwg-backbone-attacks-03.txt
>
> --
> Pekka Savola                 "You each name yourselves king, yet the
> Netcore Oy                    kingdom bleeds."
> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
>

From: Mark Tinka <mtinka@globaltransit.net>
Organization: Global Transit International
To: juniper-nsp@puck.nether.net
Date: Fri, 25 Jan 2008 09:09:02 +0800
Subject: Re: [j-nsp] out-bound anti-spoofing rules when using community-based routing

On Friday 25 January 2008 03:00, Peter E. Fry wrote:

> I'm curious myself...
> I guess URPF doesn't fit your needs? I'm not sure how
> a community match would differ a whole lot. Sadly
> enough, the best method I can think of offhand would be
> to run two filters -- one general and one specific to the
> customer link.

This is how we do it as well.

Have a general outbound prefix-list to BGP customers that's secure enough, but if a customer needs to use your automated blackholing BGP community, you may build a more specific one for them that includes only their prefixes, so you don't have your "evil" customers potentially blackholing routes they do not own.

The configuration could grow, but perhaps automating this process (via RPSL, and making sure your customers "talk" to at least one RR) is one way forward.

Cheers,

Mark.

From: Pekka Savola <pekkas@netcore.fi>
To: David Ball
Cc: juniper-nsp@puck.nether.net
Date: Fri, 25 Jan 2008 06:56:51 +0200 (EET)
Subject: Re: [j-nsp] out-bound anti-spoofing rules when using community-based routing

On Thu, 24 Jan 2008, David Ball wrote:
> I suppose uRPF would do the trick, though since I have some
> customers with redundant connectivity to us, asymmetry is possible.
> So, in that case we'd end up having to maintain prefix-lists after
> all, which we'd reference in the 'rpf-check fail-filter'.

As already replied, feasible-paths can help here.

We use feasible paths uRPF also on multihomed customers, some of which have sometimes asymmetry -- works fine provided that the customer's announcements are "consistent". There are also some other cases that you may need to consider, see section 3 of
http://tools.ietf.org/id/draft-savola-bcp84-urpf-experiences-03.txt

One example which would NOT work is that your customer advertises an aggregate through you and more specifics through your peer, and you accept those more specifics from your peer. The customer would need to advertise the same more specifics to you as well, but use a community to mark them so that you won't readvertise them.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
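
Added example, not part of the thread or of any poster's message: a small Python model of the strict and feasible-path uRPF checks discussed above, covering the asymmetric multihomed customer, the aggregate-versus-more-specifics case that does not work, and a static prefix list consulted on failure in the role given to the 'rpf-check fail-filter'. It assumes uRPF does a longest-prefix match on the source address; the `Rib` class, interface names and prefixes (documentation ranges) are constructed for illustration.

```python
import ipaddress


class Rib:
    """Toy routing table (hypothetical): prefix -> [(interface, is_active_path)]."""

    def __init__(self):
        self.routes = {}

    def add(self, prefix, ifname, active=True):
        net = ipaddress.ip_network(prefix)
        self.routes.setdefault(net, []).append((ifname, active))

    def lookup(self, src):
        """Longest-prefix match on the source address (assumed uRPF lookup)."""
        ip = ipaddress.ip_address(src)
        matches = [net for net in self.routes if ip in net]
        if not matches:
            return []
        return self.routes[max(matches, key=lambda net: net.prefixlen)]


def urpf_pass(rib, src, in_if, mode):
    """strict: only the active path counts; feasible: any known path counts."""
    paths = rib.lookup(src)
    if mode == "strict":
        allowed = {ifname for ifname, active in paths if active}
    elif mode == "feasible":
        allowed = {ifname for ifname, _ in paths}
    else:
        raise ValueError(f"unknown mode: {mode}")
    return in_if in allowed


def accept(rib, src, in_if, mode, fail_filter=()):
    """uRPF first; packets that fail are matched against a static prefix list."""
    if urpf_pass(rib, src, in_if, mode):
        return True
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in fail_filter)


def build_rib(customer_sends_specifics):
    rib = Rib()
    # Multihomed customer: the same /24 learned on two links, one of them active.
    rib.add("198.51.100.0/24", "cust-a", active=True)
    rib.add("198.51.100.0/24", "cust-b", active=False)
    # Aggregate learned from the customer, more specific learned only from a peer.
    rib.add("203.0.113.0/24", "cust-a", active=True)
    rib.add("203.0.113.128/25", "peer-1", active=True)
    if customer_sends_specifics:
        # Customer also announces the /25 to us (marked with a community so it is
        # not readvertised; the community is not modelled). It is assumed to lose
        # best-path selection here; feasible mode accepts it either way.
        rib.add("203.0.113.128/25", "cust-a", active=False)
    return rib


def run_cases():
    before = build_rib(customer_sends_specifics=False)
    after = build_rib(customer_sends_specifics=True)
    agg = ["203.0.113.0/24"]  # constructed per-customer prefix list
    return {
        "asymmetric_strict": accept(before, "198.51.100.10", "cust-b", "strict"),
        "asymmetric_feasible": accept(before, "198.51.100.10", "cust-b", "feasible"),
        # The source falls in the /25, whose only path is via the peer, so the
        # aggregate on cust-a is never consulted.
        "aggregate_only_feasible": accept(before, "203.0.113.200", "cust-a", "feasible"),
        "outside_specific_feasible": accept(before, "203.0.113.10", "cust-a", "feasible"),
        "specifics_also_sent": accept(after, "203.0.113.200", "cust-a", "feasible"),
        "fail_filter_fallback": accept(before, "203.0.113.200", "cust-a", "feasible", agg),
        "spoofed_source": accept(after, "192.0.2.1", "cust-a", "feasible", agg),
    }


if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{name:28s} {'accept' if verdict else 'drop'}")
```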

From: Johannes Resch <jr@xor.at>
To: juniper-nsp@puck.nether.net
Date: Fri, 25 Jan 2008 18:33:54 +0100
Subject: Re: [j-nsp] J2320 Issues

[resending this to the list, let's see if it gets through now]

> http://www.mail-archive.com/juniper-nsp@puck.nether.net/msg01686.html.
> I upgraded the code on the device to 8.5R1.14 and now am seeing other
> issues related to the reporting of CPU usage. So my question is can
> anybody lend any advice as to what may be going on with the traffic
> and the packet loss being caused? Also with the CPU reporting, etc.
> Thanks in advance for any info you guys can send over my way.
>
> CPU utilization:
> User -17 percent
> Real-time threads 185 percent
> Kernel -167 percent
> Idle 99 percent

I'm being told this b0rked CPU usage stats on J-Series are a regression in 8.5 and will be fixed in: 9.0R1, 9.1R1, 8.5R3.

Regards,
-jr

From: "David Ball" <davidtball@gmail.com>
To: "Pekka Savola"
Cc: juniper-nsp@puck.nether.net
Date: Fri, 25 Jan 2008 10:56:44 -0700
Subject: Re: [j-nsp] out-bound anti-spoofing rules when using community-based routing

Thanks for the responses all, and for the pointer to the 'feasible-paths' config Doug. Strange that they don't mention those knobs in the 'RPF with asymmetry' docs at juniper.net.

As all of our internet customers are put into the same routing-instance, I can't help but wonder what resource issues I might encounter if 'feasible-paths' is enabled.
I've seen a few posts here and there on the list with folks trying to save on resources by explicitly NOT using RPF. This would be done on T640s so perhaps there is less to worry about on that front, but comments would be appreciated.

Pekka, I'm not sure I caught why your example of a BGP customer advertising an aggregate to us but the specifics to another upstream wouldn't work. If 'feasible-paths' is in use, doesn't that alleviate the problem? Even if the 'preferred' path is not their local port, we should still have the aggregate which should pass the uRPF check, no?

David

On 24/01/2008, Pekka Savola wrote:
> On Thu, 24 Jan 2008, David Ball wrote:
> > I suppose uRPF would do the trick, though since I have some
> > customers with redundant connectivity to us, asymmetry is possible.
> > So, in that case we'd end up having to maintain prefix-lists after
> > all, which we'd reference in the 'rpf-check fail-filter'.
>
> As already replied, feasible-paths can help here.
>
> We use feasible paths uRPF also on multihomed customers, some of which
> have sometimes asymmetry -- works fine provided that the customer's
> announcements are "consistent". There are also some other cases that
> you may need to consider, see section 3 of
> http://tools.ietf.org/id/draft-savola-bcp84-urpf-experiences-03.txt
>
> One example which would NOT work is that your customer advertises an
> aggregate through you and more specifics through your peer, and you
> accept those more specifics from your peer. The customer would need
> to advertise the same more specifics to you as well, but use a
> community to mark them so that you won't readvertise them.
>
> --
> Pekka Savola                 "You each name yourselves king, yet the
> Netcore Oy                    kingdom bleeds."
> Systems. Networks. Security. -- George R.R.
Martin: A Clash of Kings > From pekkas@netcore.fi Fri Jan 25 13:16:52 2008 Received: from netcore.fi (netcore.fi [193.94.160.1]) by puck.nether.net (8.14.2/8.12.9) with ESMTP id m0PIGorQ012240 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 25 Jan 2008 13:16:52 -0500 (EST) (envelope-from pekkas@netcore.fi) X-Envelope-From: pekkas@netcore.fi Received: from netcore.fi (localhost [127.0.0.1]) by netcore.fi (8.13.8/8.13.8) with ESMTP id m0PIGiG9004308; Fri, 25 Jan 2008 20:16:44 +0200 Received: from localhost (pekkas@localhost) by netcore.fi (8.13.8/8.13.8/Submit) with ESMTP id m0PIGiJf004305; Fri, 25 Jan 2008 20:16:44 +0200 Date: Fri, 25 Jan 2008 20:16:44 +0200 (EET) From: Pekka Savola To: David Ball In-Reply-To: <8d4861b00801250956k5f3944f3v82252ad09cfac769@mail.gmail.com> Message-ID: References: <8d4861b00801240756r1b26d869oa87e900a9e522d49@mail.gmail.com> <8d4861b00801241305h6cc03e23oe0b7409c7341cbff@mail.gmail.com> <8d4861b00801250956k5f3944f3v82252ad09cfac769@mail.gmail.com> User-Agent: Alpine 1.00 (LRH 882 2007-12-20) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-Virus-Scanned: ClamAV 0.92/5546/Thu Jan 24 23:32:07 2008 on otso.netcore.fi X-Virus-Status: Clean X-Spam-Status: No, score=-3.6 required=5.0 tests=ALL_TRUSTED, AWL, BAYES_00 autolearn=ham version=3.2.3 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on otso.netcore.fi X-Greylist: Sender is SPF-compliant, not delayed by milter-greylist-4.0 (puck.nether.net [204.42.254.5]); Fri, 25 Jan 2008 13:16:52 -0500 (EST) Cc: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] out-bound anti-spoofing rules when using community-based routing X-BeenThere: juniper-nsp@puck.nether.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: Juniper for Network Service Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Jan 2008 18:16:52 -0000 On Fri, 25 Jan 2008, David Ball wrote: > Pekka, I'm not 
sure I caught why your example of a BGP customer
> advertising an aggregate to us but the specifics to another upstream
> wouldn't work. If 'feasible-paths' is in use, doesn't that alleviate
> the problem? Even if the 'preferred' path is not their local port, we
> should still have the aggregate which should pass the uRPF check, no?

No, feasible paths won't help in that case.

If:
- your customer advertises a prefix P with mask n (P/n)
- you get the same prefix P/n from some other source (e.g., your peer
  network or customer's another interface), and that route is preferred.
- your customer-facing router receives the preferred advertisement

In this scenario:
- without feasible paths, your router would reject all traffic
  (because your peer-learned route is active and your customer-learned
  route is not)
- with feasible paths, your router would accept traffic from P/n from
  the customer because even though the customer-learned path is
  inactive, it's still considered "feasible" and uRPF accepts it.

Now, if you get more specifics of P/n from your peer, that's a
different route compared to the aggregate. If you don't learn the
same more specific route from the customer, all customer's traffic
from that more specific prefix gets dropped. This is because your
router will think that the correct direction to the more specific is
to your peer network, not the direct connection to customer.

You can think of this as "longest prefix matching wins every time, if
you have the same prefixes with the same length, you select one and
the rest are considered feasible".

RFC 3704 section 2.3 tries to explain this but probably doesn't make
it much better than above.

HTH,

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R.
Martin: A Clash of Kings From lbarrios@NAVEGA.com Fri Jan 25 13:33:30 2008 Received: from lotus.navega.com.gt (lotus.navega.com [200.35.168.69]) by puck.nether.net (8.14.2/8.12.9) with ESMTP id m0PIXT0e016428 for ; Fri, 25 Jan 2008 13:33:29 -0500 (EST) (envelope-from lbarrios@NAVEGA.com) X-Envelope-From: lbarrios@NAVEGA.com In-Reply-To: To: juniper-nsp@puck.nether.net MIME-Version: 1.0 X-Mailer: Lotus Notes Release 7.0.2 December 03, 2006 Message-ID: Date: Fri, 25 Jan 2008 11:49:14 -0600 From: lbarrios@NAVEGA.com X-MIMETrack: Serialize by Router on lotus.navega.com.gt/NAVEGA(Release 7.0.2FP2|May 14, 2007) at 01/25/2008 12:34:56 PM, Serialize complete at 01/25/2008 12:34:56 PM X-Greylist: Delayed for 00:45:42 by milter-greylist-4.0 (puck.nether.net [204.42.254.5]); Fri, 25 Jan 2008 13:33:30 -0500 (EST) Content-Type: text/plain; charset="ISO-8859-1" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.9 Subject: [j-nsp] About CFEB Master and Backup X-BeenThere: juniper-nsp@puck.nether.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: Juniper for Network Service Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Jan 2008 18:33:30 -0000 Hello , how are you ... I have a question about CFEB . 
I have a Juniper M10i with 2 CFEBs; I don't have any configuration about the CFEBs.

show chassis
redundancy {
    routing-engine 0 master;
    routing-engine 1 backup;
    cfeb 0 preferred;
    failover on-loss-of-keepalives;
    graceful-switchover {
        enable;
    }
}

CFEB status:
Slot 0 information:
  State                        Master
  Intake temperature           23 degrees C / 73 degrees F
  Exhaust temperature          32 degrees C / 89 degrees F
  CPU utilization              24 percent
  Interrupt utilization        15 percent
  Heap utilization             35 percent
  Buffer utilization           28 percent
  Total CPU DRAM               128 MB
  Internet Processor II        Version 1, Foundry IBM, Part number 164
  Start time:                  2007-09-25 23:22:22 CST
  Uptime:                      121 days, 10 hours, 41 minutes, 19 seconds
Slot 1 information:
  State                        Backup

My question is: I need to make a test with the CFEBs, so I need to use the CFEB in slot 1 as master (now the CFEB master is in slot 0). What should be the procedure?

Can I take CFEB 0 offline? Can I do this with remote administration or via console? And the most important: how long could traffic be interrupted? I have BGP configuration, MPLS, LDP, iBGP, VRFs in that Juniper.

Thanks so much for your comments. I will appreciate it so much.

luis

This e-mail may contain confidential information that is legally protected under professional secrecy. The information is intended solely for the person or entity named as the recipient, and access to it by any other person is not authorized. If you received this e-mail in error, please inform the sender and delete it. We point out that the ideas and opinions contained in this e-mail are to be attributed exclusively to its author and should not be understood as necessarily coinciding with those of NAVEGA.COM, S.A., and are consequently entirely outside the responsibility of its directors and executives, unless they took part in its preparation and/or issuance and that participation is expressly recorded in the message. Public disclosure of this e-mail, as well as its copying or total or partial reproduction, is prohibited, and failure to observe this will give rise to all legal actions that may apply. Thank you very much.

From jeff.richmond@frontiercorp.com Fri Jan 25 14:44:01 2008 Received: from frontiercorp.com (mail05.frontiercorp.com [66.133.172.22]) by puck.nether.net (8.14.2/8.12.9) with ESMTP id m0PJi0JQ036984 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for ; Fri, 25 Jan 2008 14:44:01 -0500 (EST) (envelope-from jeff.richmond@frontiercorp.com) X-Envelope-From: jeff.richmond@frontiercorp.com Received: from ([10.160.69.53]) by mail05.frontiercorp.com with ESMTP with TLS id 5503521.15572128; Fri, 25 Jan 2008 09:45:24 -0500 Received: from ROCH-EXCH1.corp.pvt ([10.160.69.50]) by NYROFCS03EXHT02.corp.pvt ([10.160.69.53]) with mapi; Fri, 25 Jan 2008 14:43:37 -0500 From: "Richmond, Jeff" To: "lbarrios@navega.com" , "juniper-nsp@puck.nether.net" Date: Fri, 25 Jan 2008 14:42:24 -0500 Thread-Topic: [j-nsp] About CFEB Master and Backup Thread-Index: AchfgXzSvSU6eIBqRmeb4XA610fvXwACOu32 Message-ID: <2E2FECEBAE57CC4BAACDE67638305F10479F9F159D@ROCH-EXCH1.corp.pvt> References: , In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Greylist: Sender is SPF-compliant, not delayed by milter-greylist-4.0 (puck.nether.net [204.42.254.5]); Fri, 25 Jan 2008 14:44:01 -0500 (EST) Subject: Re: [j-nsp] About CFEB Master and Backup X-BeenThere: juniper-nsp@puck.nether.net X-Mailman-Version: 2.1.9 Precedence: list List-Id:
Juniper for Network Service Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Jan 2008 19:44:01 -0000

You can just do a mastership switch on the CFEB, just like you would an RE. You will experience an outage during the switch, however, so be prepared for that.

jrichmon@test> request chassis cfeb ?
Possible completions:
  master               Set CFEB mastership
  offline              Take CFEB offline
  online               Bring CFEB online
  restart              Restart CFEB

-Jeff

________________________________________
From: juniper-nsp-bounces@puck.nether.net [juniper-nsp-bounces@puck.nether.net] On Behalf Of lbarrios@navega.com [lbarrios@navega.com]
Sent: Friday, January 25, 2008 9:49 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] About CFEB Master and Backup

Hello, how are you ...

I have a question about CFEB. I have a Juniper M10i with 2 CFEBs; I don't have any configuration about the CFEBs.

show chassis
redundancy {
    routing-engine 0 master;
    routing-engine 1 backup;
    cfeb 0 preferred;
    failover on-loss-of-keepalives;
    graceful-switchover {
        enable;
    }
}

CFEB status:
Slot 0 information:
  State                        Master
  Intake temperature           23 degrees C / 73 degrees F
  Exhaust temperature          32 degrees C / 89 degrees F
  CPU utilization              24 percent
  Interrupt utilization        15 percent
  Heap utilization             35 percent
  Buffer utilization           28 percent
  Total CPU DRAM               128 MB
  Internet Processor II        Version 1, Foundry IBM, Part number 164
  Start time:                  2007-09-25 23:22:22 CST
  Uptime:                      121 days, 10 hours, 41 minutes, 19 seconds
Slot 1 information:
  State                        Backup

My question is: I need to make a test with the CFEBs, so I need to use the CFEB in slot 1 as master (now the CFEB master is in slot 0). What should be the procedure?

Can I take CFEB 0 offline? Can I do this with remote administration or via console? And the most important: how long could traffic be interrupted? I have BGP configuration, MPLS, LDP, iBGP, VRFs in that Juniper.

Thanks so much for your comments.
I will appreciate it so much.

luis

This e-mail may contain confidential information that is legally protected under professional secrecy. The information is intended solely for the person or entity named as the recipient, and access to it by any other person is not authorized. If you received this e-mail in error, please inform the sender and delete it. We point out that the ideas and opinions contained in this e-mail are to be attributed exclusively to its author and should not be understood as necessarily coinciding with those of NAVEGA.COM, S.A., and are consequently entirely outside the responsibility of its directors and executives, unless they took part in its preparation and/or issuance and that participation is expressly recorded in the message. Public disclosure of this e-mail, as well as its copying or total or partial reproduction, is prohibited, and failure to observe this will give rise to all legal actions that may apply. Thank you very much.

_______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp From davidtball@gmail.com Fri Jan 25 15:28:16 2008 Received: from rv-out-0910.google.com (rv-out-0910.google.com [209.85.198.186]) by puck.nether.net (8.14.2/8.12.9) with ESMTP id m0PKSFRU050085 for ; Fri, 25 Jan 2008 15:28:15 -0500 (EST) (envelope-from davidtball@gmail.com) X-Envelope-From: davidtball@gmail.com Received: by rv-out-0910.google.com with SMTP id c24so656281rvf.37 for ; Fri, 25 Jan 2008 12:28:12 -0800 (PST) Received: by 10.140.174.18 with SMTP id w18mr1717734rve.227.1201292892087; Fri, 25 Jan 2008 12:28:12 -0800 (PST) Received: by 10.140.201.8 with HTTP; Fri, 25 Jan 2008 12:28:12 -0800 (PST) Message-ID: <8d4861b00801251228j69e1945t1aab01b14ab9ed12@mail.gmail.com> Date: Fri, 25 Jan 2008 13:28:12 -0700 From: "David Ball" To: "Pekka Savola" In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <8d4861b00801240756r1b26d869oa87e900a9e522d49@mail.gmail.com> <8d4861b00801241305h6cc03e23oe0b7409c7341cbff@mail.gmail.com> <8d4861b00801250956k5f3944f3v82252ad09cfac769@mail.gmail.com> X-Greylist: Sender is SPF-compliant, not delayed by milter-greylist-4.0 (puck.nether.net [204.42.254.5]); Fri, 25 Jan 2008 15:28:16 -0500 (EST) Cc: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] out-bound anti-spoofing rules when using community-based routing X-BeenThere: juniper-nsp@puck.nether.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: Juniper for Network Service Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Jan 2008 20:28:17 -0000 Ah..so longest match still wins....understood. thanks again. 
david

On 25/01/2008, Pekka Savola wrote:
> On Fri, 25 Jan 2008, David Ball wrote:
> > Pekka, I'm not sure I caught why your example of a BGP customer
> > advertising an aggregate to us but the specifics to another upstream
> > wouldn't work. If 'feasible-paths' is in use, doesn't that alleviate
> > the problem? Even if the 'preferred' path is not their local port, we
> > should still have the aggregate which should pass the uRPF check, no?
>
> No, feasible paths won't help in that case.
>
> If:
> - your customer advertises a prefix P with mask n (P/n)
> - you get the same prefix P/n from some other source (e.g., your peer
>   network or customer's another interface), and that route is preferred.
> - your customer-facing router receives the preferred advertisement
>
> In this scenario:
> - without feasible paths, your router would reject all traffic
>   (because your peer-learned route is active and your customer-learned
>   route is not)
> - with feasible paths, your router would accept traffic from P/n from
>   the customer because even though the customer-learned path is
>   inactive, it's still considered "feasible" and uRPF accepts it.
>
> Now, if you get more specifics of P/n from your peer, that's a
> different route compared to the aggregate. If you don't learn the
> same more specific route from the customer, all customer's traffic
> from that more specific prefix gets dropped. This is because your
> router will think that the correct direction to the more specific is
> to your peer network, not the direct connection to customer.
>
> You can think of this as "longest prefix matching wins every time, if
> you have the same prefixes with the same length, you select one and
> the rest are considered feasible".
>
> RFC 3704 section 2.3 tries to explain this but probably doesn't make
> it much better than above.
>
> HTH,
>
> --
> Pekka Savola                 "You each name yourselves king, yet the
> Netcore Oy                    kingdom bleeds."
> Systems. Networks. Security. -- George R.R.
Martin: A Clash of Kings
>
From wang.dong.bei@gmail.com Mon Jan 28 02:00:58 2008 Received: from rv-out-0910.google.com (rv-out-0910.google.com [209.85.198.184]) by puck.nether.net (8.14.2/8.12.9) with ESMTP id m0S70vSB042439 for ; Mon, 28 Jan 2008 02:00:57 -0500 (EST) (envelope-from wang.dong.bei@gmail.com) X-Envelope-From: wang.dong.bei@gmail.com Received: by rv-out-0910.google.com with SMTP id c24so1338097rvf.37 for ; Sun, 27 Jan 2008 23:00:56 -0800 (PST) Received: by 10.140.125.21 with SMTP id x21mr3175704rvc.234.1201503656833; Sun, 27 Jan 2008 23:00:56 -0800 (PST) Received: by 10.141.34.16 with HTTP; Sun, 27 Jan 2008 23:00:56 -0800 (PST) Message-ID: <94e3e3d80801272300r270b1f07l728701cfb00b659@mail.gmail.com> Date: Mon, 28 Jan 2008 15:00:56 +0800 From: "wang dong bei" To: juniper-nsp@puck.nether.net MIME-Version: 1.0 X-Greylist: Sender is SPF-compliant, not delayed by milter-greylist-4.0 (puck.nether.net [204.42.254.5]); Mon, 28 Jan 2008 02:00:58 -0500 (EST) Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.9 Subject: [j-nsp] L2VPN path in a
LDP core X-BeenThere: juniper-nsp@puck.nether.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: Juniper for Network Service Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Jan 2008 07:00:58 -0000 Hi Talents, I have got a LDP based MPLS core with a few CE's attached to the PE's. Those CE's are running l2vpn and l3vpn. When one CE is trying to communicate with another, ether via l2vpn and/or l3vpn, how can i know exactly which P's are being transversed? thanks in advance for your help. dong bei From radu.pavaloiu@datanets.ro Mon Jan 28 02:54:33 2008 Received: from www.datanets.ro (www.datanets.ro [91.195.145.200]) by puck.nether.net (8.14.2/8.12.9) with ESMTP id m0S7sW0m048476 for ; Mon, 28 Jan 2008 02:54:32 -0500 (EST) (envelope-from radu.pavaloiu@datanets.ro) X-Envelope-From: radu.pavaloiu@datanets.ro Received: from [91.195.144.94] (unverified [91.195.144.94]) by datanets.ro (Rockliffe SMTPRA 6.1.22) with ESMTP id ; Mon, 28 Jan 2008 09:22:34 +0200 Message-ID: <479D82A0.30203@datanets.ro> Date: Mon, 28 Jan 2008 09:22:08 +0200 From: Radu Pavaloiu User-Agent: Thunderbird 2.0.0.9 (Windows/20071031) MIME-Version: 1.0 To: wang dong bei References: <94e3e3d80801272300r270b1f07l728701cfb00b659@mail.gmail.com> In-Reply-To: <94e3e3d80801272300r270b1f07l728701cfb00b659@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Greylist: Delayed for 00:32:01 by milter-greylist-4.0 (puck.nether.net [204.42.254.5]); Mon, 28 Jan 2008 02:54:33 -0500 (EST) Cc: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] L2VPN path in a LDP core X-BeenThere: juniper-nsp@puck.nether.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: Juniper for Network Service Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Jan 2008 07:54:33 -0000 Hi, , You have MPLS OAM. 
Kindest Regards Radu Pavaloiu Service Provider Team Leader CCIE #14582, JNCIS M/T mobile: +40 743286118 phone: +40 21 3178787 ext. 45 fax: +40 21 3179797 www.datanets.ro "Believe in more" In protocol design, perfection has been reached not when there is nothing left to add, but when there is nothing left to take away. wang dong bei wrote: > Hi Talents, > > I have got a LDP based MPLS core with a few CE's attached to the PE's. Those > CE's are running l2vpn and l3vpn. When one CE is trying to communicate with > another, ether via l2vpn and/or l3vpn, how can i know exactly which P's are > being transversed? > > thanks in advance for your help. > > dong bei > _______________________________________________ > juniper-nsp mailing list juniper-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/juniper-nsp > > > From wang.dong.bei@gmail.com Mon Jan 28 03:26:17 2008 Received: from rv-out-0910.google.com (rv-out-0910.google.com [209.85.198.188]) by puck.nether.net (8.14.2/8.12.9) with ESMTP id m0S8QB6V070204 for ; Mon, 28 Jan 2008 03:26:17 -0500 (EST) (envelope-from wang.dong.bei@gmail.com) X-Envelope-From: wang.dong.bei@gmail.com Received: by rv-out-0910.google.com with SMTP id c24so1359854rvf.37 for ; Mon, 28 Jan 2008 00:26:08 -0800 (PST) Received: by 10.141.42.10 with SMTP id u10mr3228138rvj.154.1201508768548; Mon, 28 Jan 2008 00:26:08 -0800 (PST) Received: by 10.141.34.16 with HTTP; Mon, 28 Jan 2008 00:26:08 -0800 (PST) Message-ID: <94e3e3d80801280026m3a2792a3i73c7df1347ae9a51@mail.gmail.com> Date: Mon, 28 Jan 2008 16:26:08 +0800 From: "wang dong bei" To: "Radu Pavaloiu" In-Reply-To: <479D82A0.30203@datanets.ro> MIME-Version: 1.0 References: <94e3e3d80801272300r270b1f07l728701cfb00b659@mail.gmail.com> <479D82A0.30203@datanets.ro> X-Greylist: Sender is SPF-compliant, not delayed by milter-greylist-4.0 (puck.nether.net [204.42.254.5]); Mon, 28 Jan 2008 03:26:17 -0500 (EST) Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit 
Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.9 Cc: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] L2VPN path in a LDP core X-BeenThere: juniper-nsp@puck.nether.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: Juniper for Network Service Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Jan 2008 08:26:17 -0000 Hi Radu, Could you enlighten me with more details about it? regards, william 2008/1/28, Radu Pavaloiu : > > Hi, > , > You have MPLS OAM. > > Kindest Regards > > Radu Pavaloiu > Service Provider Team Leader > CCIE #14582, JNCIS M/T > mobile: +40 743286118 > phone: +40 21 3178787 ext. 45 > fax: +40 21 3179797 > www.datanets.ro "Believe in more" > > In protocol design, perfection has been reached not when there is > nothing left to add, but when there is nothing left to take away. > > > > wang dong bei wrote: > > Hi Talents, > > > > I have got a LDP based MPLS core with a few CE's attached to the PE's. > Those > > CE's are running l2vpn and l3vpn. When one CE is trying to communicate > with > > another, ether via l2vpn and/or l3vpn, how can i know exactly which P's > are > > being transversed? > > > > thanks in advance for your help. 
> >
> > dong bei
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
> >
> >
>
From cscosunny@gmail.com Mon Jan 28 04:28:12 2008 Received: from fg-out-1718.google.com (fg-out-1718.google.com [72.14.220.156]) by puck.nether.net (8.14.2/8.12.9) with ESMTP id m0S9SBTX070803 for ; Mon, 28 Jan 2008 04:28:11 -0500 (EST) (envelope-from cscosunny@gmail.com) X-Envelope-From: cscosunny@gmail.com Received: by fg-out-1718.google.com with SMTP id 16so1451899fgg.39 for ; Mon, 28 Jan 2008 01:28:10 -0800 (PST) Received: by 10.86.25.17 with SMTP id 17mr5027092fgy.15.1201512490827; Mon, 28 Jan 2008 01:28:10 -0800 (PST) Received: from acerfd6b6b72e3 ( [83.171.234.58]) by mx.google.com with ESMTPS id 3sm7882619fge.7.2008.01.28.01.28.08 (version=SSLv3 cipher=RC4-MD5); Mon, 28 Jan 2008 01:28:09 -0800 (PST) Message-ID: <005e01c86190$18945ba0$9b1ea8c0@acerfd6b6b72e3> From: "sunnyday" To: "Juniper-Nsp" Date: Mon, 28 Jan 2008 11:28:06 +0200 MIME-Version: 1.0 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.3138 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.3198 X-Greylist: Sender is SPF-compliant, not delayed by milter-greylist-4.0 (puck.nether.net [204.42.254.5]); Mon, 28 Jan 2008 04:28:12 -0500 (EST) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.9 Subject: [j-nsp] Telnet e320 X-BeenThere: juniper-nsp@puck.nether.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: Juniper for Network Service Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Jan 2008 09:28:12 -0000

Hello,

I want to know if I can telnet to a virtual router configured on the box, since the only way I do it now is through the default virtual router. Is this possible?

thanks in advance From pautore@columbus-networks.com Mon Jan 28 08:31:38 2008 Received: from cndc.columbus-networks.com (mail.nwncable.com [63.245.7.3]) by puck.nether.net (8.14.2/8.12.9) with ESMTP id m0SDVbVk014872 for ; Mon, 28 Jan 2008 08:31:38 -0500 (EST) (envelope-from pautore@columbus-networks.com) X-Envelope-From: pautore@columbus-networks.com Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable X-MimeOLE: Produced By Microsoft Exchange V6.5 Date: Mon, 28 Jan 2008 08:25:48 -0500 Message-ID: <9E6682E52B89BE47B72BCE81C141CD1706756EB6@nwndc.nwncable.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: [j-nsp] L2VPN path in a LDP core Thread-Index: AchhhyqCJ2AeDaqUTTCHQSPyA+04bwAIjtog References: <94e3e3d80801272300r270b1f07l728701cfb00b659@mail.gmail.com><479D82A0.30203@datanets.ro> <94e3e3d80801280026m3a2792a3i73c7df1347ae9a51@mail.gmail.com> From: "Paolo Autore" To: "wang dong bei" , "Radu Pavaloiu" X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.0 (puck.nether.net [204.42.254.5]); Mon, 28 Jan 2008 08:31:38 -0500 (EST) Cc: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] L2VPN path in a LDP core X-BeenThere: juniper-nsp@puck.nether.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: Juniper for Network Service Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Jan 2008 13:31:39 -0000 Try this command show rsvp session extensive -----Original Message----- From: juniper-nsp-bounces@puck.nether.net [mailto:juniper-nsp-bounces@puck.nether.net] On Behalf Of wang dong bei Sent: Monday, January 28, 2008 08:26 To: Radu Pavaloiu Cc: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] L2VPN path in a LDP core Hi Radu, Could you enlighten me with more details about it? regards, william 2008/1/28, Radu Pavaloiu : > > Hi, > , > You have MPLS OAM. 
> > Kindest Regards > > Radu Pavaloiu > Service Provider Team Leader > CCIE #14582, JNCIS M/T > mobile: +40 743286118 > phone: +40 21 3178787 ext. 45 > fax: +40 21 3179797 > www.datanets.ro "Believe in more" > > In protocol design, perfection has been reached not when there is > nothing left to add, but when there is nothing left to take away. > > > > wang dong bei wrote: > > Hi Talents, > > > > I have got a LDP based MPLS core with a few CE's attached to the PE's. > Those > > CE's are running l2vpn and l3vpn. When one CE is trying to communicate > with > > another, ether via l2vpn and/or l3vpn, how can i know exactly which P's > are > > being transversed? > > > > thanks in advance for your help. > > > > dong bei > > _______________________________________________ > > juniper-nsp mailing list juniper-nsp@puck.nether.net > > https://puck.nether.net/mailman/listinfo/juniper-nsp > > > > > > > _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp From amos@oasis-tech.net Mon Jan 28 08:45:15 2008 Received: from cemetery.inter.net.il (cemetery.inter.net.il [213.8.233.29]) by puck.nether.net (8.14.2/8.12.9) with ESMTP id m0SDjDtE017043 for ; Mon, 28 Jan 2008 08:45:13 -0500 (EST) (envelope-from amos@oasis-tech.net) X-Envelope-From: amos@oasis-tech.net Received: from romy.inter.net.il (romy.inter.net.il [213.8.233.24]) by cemetery.inter.net.il (Postfix) with ESMTP id 4E8F81335C7 for ; Mon, 28 Jan 2008 15:45:07 +0200 (IST) Received: from [213.8.20.122] (tony10-20-122.inter.net.il [213.8.20.122]) by romy.inter.net.il (MOS 3.7.3-GA) with ESMTP id KAZ19350 (AUTH slick); Mon, 28 Jan 2008 15:44:00 +0200 (IST) Mime-Version: 1.0 (Apple Message framework v753) In-Reply-To: <9E6682E52B89BE47B72BCE81C141CD1706756EB6@nwndc.nwncable.com> References: <94e3e3d80801272300r270b1f07l728701cfb00b659@mail.gmail.com><479D82A0.30203@datanets.ro> 
From: Amos Rosenboim
Date: Mon, 28 Jan 2008 15:44:12 +0200
To: wang dong bei, juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] L2VPN path in a LDP core

Since you are using LDP, which (at least for me) means that you don't
have any MPLS traffic engineering in the network, then LDP LSP
follows the IGP path.
This means that a simple trace route can show you the path between
the edge routers.

Cheers,

Amos

On Jan 28, 2008, at 3:25 PM, Paolo Autore wrote:

> Try this command
> show rsvp session extensive
>
> -----Original Message-----
> From: juniper-nsp-bounces@puck.nether.net
> [mailto:juniper-nsp-bounces@puck.nether.net] On Behalf Of wang dong bei
> Sent: Monday, January 28, 2008 08:26
> To: Radu Pavaloiu
> Cc: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] L2VPN path in a LDP core
>
> Hi Radu,
>
> Could you enlighten me with more details about it?
>
> regards,
>
> william
>
> 2008/1/28, Radu Pavaloiu:
>>
>> Hi,
>> ,
>> You have MPLS OAM.
>>
>> Kindest Regards
>>
>> Radu Pavaloiu
>> Service Provider Team Leader
>> CCIE #14582, JNCIS M/T
>> mobile: +40 743286118
>> phone: +40 21 3178787 ext. 45
>> fax: +40 21 3179797
>> www.datanets.ro "Believe in more"
>>
>> In protocol design, perfection has been reached not when there is
>> nothing left to add, but when there is nothing left to take away.
>>
>>
>>
>> wang dong bei wrote:
>>> Hi Talents,
>>>
>>> I have got a LDP based MPLS core with a few CE's attached to the PE's. Those
>>> CE's are running l2vpn and l3vpn. When one CE is trying to communicate with
>>> another, either via l2vpn and/or l3vpn, how can i know exactly which P's are
>>> being transversed?
>>>
>>> thanks in advance for your help.
>>>
>>> dong bei
>>>
>>

From pautore@columbus-networks.com Mon Jan 28 08:50:29 2008
Date: Mon, 28 Jan 2008 08:44:36 -0500
From: "Paolo Autore"
To: "Amos Rosenboim", "wang dong bei"
Subject: Re: [j-nsp] L2VPN path in a LDP core

Sorry-- I didn't see that you were using LDP as the signaling protocol.

-----Original Message-----
From: juniper-nsp-bounces@puck.nether.net
[mailto:juniper-nsp-bounces@puck.nether.net] On Behalf Of Amos Rosenboim
Sent: Monday, January 28, 2008 13:44
To: wang dong bei; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] L2VPN path in a LDP core

Since you are using LDP, which (at least for me) means that you don't
have any MPLS traffic engineering in the network, then LDP LSP
follows the IGP path.
This means that a simple trace route can show you the path between
the edge routers.

Cheers,

Amos

On Jan 28, 2008, at 3:25 PM, Paolo Autore wrote:

> Try this command
> show rsvp session extensive
>
> -----Original Message-----
> From: juniper-nsp-bounces@puck.nether.net
> [mailto:juniper-nsp-bounces@puck.nether.net] On Behalf Of wang dong bei
> Sent: Monday, January 28, 2008 08:26
> To: Radu Pavaloiu
> Cc: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] L2VPN path in a LDP core
>
> Hi Radu,
>
> Could you enlighten me with more details about it?
>
> regards,
>
> william
>
> 2008/1/28, Radu Pavaloiu:
>>
>> Hi,
>> ,
>> You have MPLS OAM.
>>
>> Kindest Regards
>>
>> Radu Pavaloiu
>> Service Provider Team Leader
>> CCIE #14582, JNCIS M/T
>> mobile: +40 743286118
>> phone: +40 21 3178787 ext. 45
>> fax: +40 21 3179797
>> www.datanets.ro "Believe in more"
>>
>> In protocol design, perfection has been reached not when there is
>> nothing left to add, but when there is nothing left to take away.
>>
>>
>>
>> wang dong bei wrote:
>>> Hi Talents,
>>>
>>> I have got a LDP based MPLS core with a few CE's attached to the PE's. Those
>>> CE's are running l2vpn and l3vpn. When one CE is trying to communicate with
>>> another, either via l2vpn and/or l3vpn, how can i know exactly which P's are
>>> being transversed?
>>>
>>> thanks in advance for your help.
>>>
>>> dong bei
>>>
>>

From s.juergensen@kielnet.de Mon Jan 28 08:54:26 2008
Date: Mon, 28 Jan 2008 14:54:13 +0100
From: "Sven Juergensen (KielNET)"
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] JUNOSe and ECMP

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi list,

warming up the topic once again ;)

Scenario: two routers connected
using 2x GIGE. Both of them having
a loopback interface. Now, either
router has two static routes for
the loopback interface of the opposite
router.

I understand that the default hashed
mode is distributing the sessions
roughly even across both links.

Perhaps my way of judging on this
lacks something but when I'm pinging
the far end loopback across the
router with the other loopback from
a firewall, the traffic always picks
the next hop which is listed first
in the routing table, even when using
multiple pings from different source
addresses.

This also happens when announcing
the loopback interface via OSPF w/
a maximum-paths of 4.

Am I missing something? Is there
a switch that enables ECMP globally
for static routing or in general?

Does the implementation of ECMP
consider ICMP as something else?

Thanks and best regards,

sven03

Kind regards

p.p. Sven Juergensen

- --
Department
Information Technology

KielNET GmbH
Gesellschaft fuer Kommunikation
Preusserstr. 1-9, 24105 Kiel

Phone   : 0431 / 2219-053
Fax     : 0431 / 2219-005
E-Mail  : s.juergensen@kielnet.de
Internet: http://www.kielnet.de

AS# 25295

Key fingerprint:
65B6 90FC 010A 39CE DCA5 336D 9C45 3B7A B02D E132

"221 2.7.0 Error: I can break rules, too. Goodbye."

Managing Director Eberhard Schmidt
HRB 4499 (Kiel District Court)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)

iD8DBQFHnd6FnEU7erAt4TIRAqKCAJ0ZiqMPmDoI+eEJuR+cat6X1cxMqQCeJx1+
/OK+rUN15FwrToc7F8EsTiE=
=3oXi
-----END PGP SIGNATURE-----

From jeff.richmond@frontiercorp.com Mon Jan 28 09:08:57 2008
From: "Richmond, Jeff"
To: sunnyday, Juniper-Nsp
Date: Mon, 28 Jan 2008 09:07:44 -0500
Subject: Re: [j-nsp] Telnet e320

Unless something has changed in recent code versions, you cannot Telnet/SSH in to a VR other than Default. This is very annoying to say the least...

-Jeff
________________________________________
From: juniper-nsp-bounces@puck.nether.net [juniper-nsp-bounces@puck.nether.net] On Behalf Of sunnyday [cscosunny@gmail.com]
Sent: Monday, January 28, 2008 1:28 AM
To: Juniper-Nsp
Subject: [j-nsp] Telnet e320

hello

i want to know if i can telnet to a virtual router configured on the box since the only way i do it now is through the default virtual router, is this possible?

thanks in advance

From alamontagne@gmail.com Mon Jan 28 09:37:36 2008
Date: Mon, 28 Jan 2008 09:37:31 -0500
From: Andy
To: "Sven Juergensen (KielNET)"
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] JUNOSe and ECMP

To enable ECMP load balancing:

routing-options {
    forwarding-table {
        export load-balancing-policy;
    }
}
policy-options {
    policy-statement load-balancing-policy {
        then {
            load-balance per-packet;
        }
    }
}

On Jan 28, 2008 8:54 AM, Sven Juergensen (KielNET) wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi list,
>
> warming up the topic once again ;)
>
> Scenario: two routers connected
> using 2x GIGE. Both of them having
> a loopback interface. Now, either
> router has two static routes for
> the loopback interface of the opposite
> router.
>
> I understand that the default hashed
> mode is distributing the sessions
> roughly even across both links.
>
> Perhaps my way of judging on this
> lacks something but when I'm pinging
> the far end loopback across the
> router with the other loopback from
> a firewall, the traffic always picks
> the next hop which is listed first
> in the routing table, even when using
> multiple pings from different source
> addresses.
>
> This also happens when announcing
> the loopback interface via OSPF w/
> a maximum-paths of 4.
>
> Am I missing something? Is there
> a switch that enables ECMP globally
> for static routing or in general?
>
> Does the implementation of ECMP
> consider ICMP as something else?
>
> Thanks and best regards,
>
> sven03
>
> Kind regards
>
> p.p. Sven Juergensen
>
> - --
> Department
> Information Technology
>
> KielNET GmbH
> Gesellschaft fuer Kommunikation
> Preusserstr. 1-9, 24105 Kiel
>
> Phone   : 0431 / 2219-053
> Fax     : 0431 / 2219-005
> E-Mail  : s.juergensen@kielnet.de
> Internet: http://www.kielnet.de
>
> AS# 25295
>
> Key fingerprint:
> 65B6 90FC 010A 39CE DCA5 336D 9C45 3B7A B02D E132
>
> "221 2.7.0 Error: I can break rules, too. Goodbye."
>
> Managing Director Eberhard Schmidt
> HRB 4499 (Kiel District Court)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.7 (GNU/Linux)
>
> iD8DBQFHnd6FnEU7erAt4TIRAqKCAJ0ZiqMPmDoI+eEJuR+cat6X1cxMqQCeJx1+
> /OK+rUN15FwrToc7F8EsTiE=
> =3oXi
> -----END PGP SIGNATURE-----
>

From nitinvig@juniper.net Mon Jan 28 10:20:54 2008
Date: Mon, 28 Jan 2008 20:42:22 +0530
From: "Nitin Vig"
To: "Richmond, Jeff", "sunnyday", "Juniper-Nsp"
Subject: Re: [j-nsp] Telnet e320

Not true.....You can use 'telnet listen' command in the VR.

1440-2:t1#sh ip int br
Interface            IP-Address          Status     Protocol    Description
-------------------- ------------------- ---------- ----------- ---------------
null0                255.255.255.255/32  up         up
FastEthernet0/0.20   10.10.10.1/24       up         up
1440-2:t1#
1440-2:t1#ping 10.10.10.2
Sending 5 ICMP echoes to 10.10.10.2, timeout = 2 sec.
!!!!!
Success rate = 100% (5/5), round-trip min/avg/max = 1/3/12 ms
1440-2:t1#telnet 10.10.10.2
1440-2:t1#
1440-2:t1#conf t
Enter configuration commands, one per line. End with ^Z.
1440-2:t1(config)#vir t2
1440-2:t2(config)#telnet listen
1440-2:t2(config)#^Z
1440-2:t2#vir t1
1440-2:t1#telnet 10.10.10.2
Logged in on vty 1 via telnet.
Copyright (c) 1999-2007 Juniper Networks, Inc. All rights reserved.
1440-2:t2>
1440-2:t2>
1440-2:t2>exit
Logging out.
1440-2:t1#

Regards,
Nitin

-----Original Message-----
From: juniper-nsp-bounces@puck.nether.net
[mailto:juniper-nsp-bounces@puck.nether.net] On Behalf Of Richmond, Jeff
Sent: Monday, January 28, 2008 7:38 PM
To: sunnyday; Juniper-Nsp
Subject: Re: [j-nsp] Telnet e320

Unless something has changed in recent code versions, you cannot
Telnet/SSH in to a VR other than Default. This is very annoying to say
the least...

-Jeff
________________________________________
From: juniper-nsp-bounces@puck.nether.net
[juniper-nsp-bounces@puck.nether.net] On Behalf Of sunnyday
[cscosunny@gmail.com]
Sent: Monday, January 28, 2008 1:28 AM
To: Juniper-Nsp
Subject: [j-nsp] Telnet e320

hello

i want to know if i can telnet to a virtual router configured on the box
since the only way i do it now is through the default virtual router, is
this possible?

thanks in advance

From nitinvig@juniper.net Mon Jan 28 10:21:03 2008
Date: Mon, 28 Jan 2008 20:47:19 +0530
From: "Nitin Vig"
To: "Andy", "Sven Juergensen (KielNET)"
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] JUNOSe and ECMP

If this is about JUNOSe, there is no specific knob for this; it should
work by default.

You may find this useful:
http://www.juniper.net/kb/viewka.jsp?txtKANumber=18702

Regards,
Nitin

-----Original Message-----
From: juniper-nsp-bounces@puck.nether.net
[mailto:juniper-nsp-bounces@puck.nether.net] On Behalf Of Andy
Sent: Monday, January 28, 2008 8:08 PM
To: Sven Juergensen (KielNET)
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] JUNOSe and ECMP

To enable ECMP load balancing:

routing-options {
    forwarding-table {
        export load-balancing-policy;
    }
}
policy-options {
    policy-statement load-balancing-policy {
        then {
            load-balance per-packet;
        }
    }
}

On Jan 28, 2008 8:54 AM, Sven Juergensen (KielNET) wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi list,
>
> warming up the topic once again ;)
>
> Scenario: two routers connected
> using 2x GIGE. Both of them having
> a loopback interface. Now, either
> router has two static routes for
> the loopback interface of the opposite
> router.
>
> I understand that the default hashed
> mode is distributing the sessions
> roughly even across both links.
>
> Perhaps my way of judging on this
> lacks something but when I'm pinging
> the far end loopback across the
> router with the other loopback from
> a firewall, the traffic always picks
> the next hop which is listed first
> in the routing table, even when using
> multiple pings from different source
> addresses.
>
> This also happens when announcing
> the loopback interface via OSPF w/
> a maximum-paths of 4.
>
> Am I missing something? Is there
> a switch that enables ECMP globally
> for static routing or in general?
>
> Does the implementation of ECMP
> consider ICMP as something else?
>
> Thanks and best regards,
>
> sven03
>
> Kind regards
>
> p.p. Sven Juergensen
>
> - --
> Department
> Information Technology
>
> KielNET GmbH
> Gesellschaft fuer Kommunikation
> Preusserstr. 1-9, 24105 Kiel
>
> Phone   : 0431 / 2219-053
> Fax     : 0431 / 2219-005
> E-Mail  : s.juergensen@kielnet.de
> Internet: http://www.kielnet.de
>
> AS# 25295
>
> Key fingerprint:
> 65B6 90FC 010A 39CE DCA5 336D 9C45 3B7A B02D E132
>
> "221 2.7.0 Error: I can break rules, too. Goodbye."
>
> Managing Director Eberhard Schmidt
> HRB 4499 (Kiel District Court)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.7 (GNU/Linux)
>
> iD8DBQFHnd6FnEU7erAt4TIRAqKCAJ0ZiqMPmDoI+eEJuR+cat6X1cxMqQCeJx1+
> /OK+rUN15FwrToc7F8EsTiE=
> =3oXi
> -----END PGP SIGNATURE-----
>

From jeff.richmond@frontiercorp.com Mon Jan 28 10:46:28 2008
From: "Richmond, Jeff"
To: Nitin Vig, sunnyday, Juniper-Nsp
Date: Mon, 28 Jan 2008 10:43:14 -0500
Subject: Re: [j-nsp] Telnet e320

Interesting, has that always been there? Funny, nobody at Juniper seemed to know about it when I asked. I did just confirm it was there though, but any idea if there is a corresponding SSH command of some sorts?

Thanks,
-Jeff
________________________________________
From: Nitin Vig [nitinvig@juniper.net]
Sent: Monday, January 28, 2008 7:12 AM
To: Richmond, Jeff; sunnyday; Juniper-Nsp
Subject: RE: [j-nsp] Telnet e320

Not true.....You can use 'telnet listen' command in the VR.

1440-2:t1#sh ip int br
Interface            IP-Address          Status     Protocol    Description
-------------------- ------------------- ---------- ----------- ---------------
null0                255.255.255.255/32  up         up
FastEthernet0/0.20   10.10.10.1/24       up         up
1440-2:t1#
1440-2:t1#ping 10.10.10.2
Sending 5 ICMP echoes to 10.10.10.2, timeout = 2 sec.
!!!!!
Success rate = 100% (5/5), round-trip min/avg/max = 1/3/12 ms
1440-2:t1#telnet 10.10.10.2
1440-2:t1#
1440-2:t1#conf t
Enter configuration commands, one per line. End with ^Z.
1440-2:t1(config)#vir t2
1440-2:t2(config)#telnet listen
1440-2:t2(config)#^Z
1440-2:t2#vir t1
1440-2:t1#telnet 10.10.10.2
Logged in on vty 1 via telnet.
Copyright (c) 1999-2007 Juniper Networks, Inc. All rights reserved.
1440-2:t2>
1440-2:t2>
1440-2:t2>exit
Logging out.
1440-2:t1#

Regards,
Nitin

-----Original Message-----
From: juniper-nsp-bounces@puck.nether.net
[mailto:juniper-nsp-bounces@puck.nether.net] On Behalf Of Richmond, Jeff
Sent: Monday, January 28, 2008 7:38 PM
To: sunnyday; Juniper-Nsp
Subject: Re: [j-nsp] Telnet e320

Unless something has changed in recent code versions, you cannot
Telnet/SSH in to a VR other than Default. This is very annoying to say
the least...

-Jeff
________________________________________
From: juniper-nsp-bounces@puck.nether.net
[juniper-nsp-bounces@puck.nether.net] On Behalf Of sunnyday
[cscosunny@gmail.com]
Sent: Monday, January 28, 2008 1:28 AM
To: Juniper-Nsp
Subject: [j-nsp] Telnet e320

hello

i want to know if i can telnet to a virtual router configured on the box
since the only way i do it now is through the default virtual router, is
this possible?

thanks in advance

From nitinvig@juniper.net Mon Jan 28 11:06:59 2008
Date: Mon, 28 Jan 2008 21:35:16 +0530
From: "Nitin Vig"
To: "Richmond, Jeff", "sunnyday", "Juniper-Nsp"
Subject: Re: [j-nsp] Telnet e320
List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Jan 2008 16:07:00 -0000 AFAIK, it's been there for a long time. Yes SSH to the VR works too. Configuring the SSH config commands in the VR should do. http://www.juniper.net/techpubs/software/erx/junose82/swconfig-system-ba sics/html/passwords-security-config8.html#1032536 Regards, Nitin -----Original Message----- From: Richmond, Jeff [mailto:Jeff.Richmond@frontiercorp.com]=20 Sent: Monday, January 28, 2008 9:13 PM To: Nitin Vig; sunnyday; Juniper-Nsp Subject: RE: [j-nsp] Telnet e320 Interesting, has that always been there? Funny, nobody at Juniper seemed to know about it when I asked. I did just confirm it was there though, but any idea if there is a corresponding SSH command of some sorts? Thanks, -Jeff ________________________________________ From: Nitin Vig [nitinvig@juniper.net] Sent: Monday, January 28, 2008 7:12 AM To: Richmond, Jeff; sunnyday; Juniper-Nsp Subject: RE: [j-nsp] Telnet e320 Not true.....You can use 'telnet listen' command in the VR. 1440-2:t1#sh ip int br Interface IP-Address Status Protocol Description -------------------- ------------------- ---------- ----------- --------------- null0 255.255.255.255/32 up up FastEthernet0/0.20 10.10.10.1/24 up up 1440-2:t1# 1440-2:t1#ping 10.10.10.2 Sending 5 ICMP echoes to 10.10.10.2, timeout =3D 2 sec. !!!!! Success rate =3D 100% (5/5), round-trip min/avg/max =3D 1/3/12 ms 1440-2:t1#telnet 10.10.10.2 1440-2:t1# 1440-2:t1#conf t Enter configuration commands, one per line. End with ^Z. 1440-2:t1(config)#vir t2 1440-2:t2(config)#telnet listen 1440-2:t2(config)#^Z 1440-2:t2#vir t1 1440-2:t1#telnet 10.10.10.2 Logged in on vty 1 via telnet. Copyright (c) 1999-2007 Juniper Networks, Inc. All rights reserved. 1440-2:t2> 1440-2:t2> 1440-2:t2>exit Logging out. 
1440-2:t1#

Regards,
Nitin

-----Original Message-----
From: juniper-nsp-bounces@puck.nether.net [mailto:juniper-nsp-bounces@puck.nether.net] On Behalf Of Richmond, Jeff
Sent: Monday, January 28, 2008 7:38 PM
To: sunnyday; Juniper-Nsp
Subject: Re: [j-nsp] Telnet e320

Unless something has changed in recent code versions, you cannot Telnet/SSH in to a VR other than Default. This is very annoying to say the least...

-Jeff
________________________________________
From: juniper-nsp-bounces@puck.nether.net [juniper-nsp-bounces@puck.nether.net] On Behalf Of sunnyday [cscosunny@gmail.com]
Sent: Monday, January 28, 2008 1:28 AM
To: Juniper-Nsp
Subject: [j-nsp] Telnet e320

Hello, I want to know if I can telnet to a virtual router configured on the box, since the only way I do it now is through the default virtual router. Is this possible?

thanks in advance

From benny.sumitro@gmail.com Mon Jan 28 11:54:48 2008
Date: Mon, 28 Jan 2008 23:54:41 +0700
From: "Benny Sumitro"
To: "Juniper NSP"
Subject: [j-nsp] Sampling on fxp0

Hi list,

One quick question about traffic sampling on JNCIE pg 331.
The book states that the requirement is to put a sampling filter on all r5's interfaces which are transit interfaces and fxp or OOB interface, but in the next paragraph it states that sampling does not function for traffic flowing on the router's fxp0 OoB management port.

Which of the two statements on the same page of the JNCIE book is correct :) ?

Thanks,
Benny

From sabri@cluecentral.net Mon Jan 28 13:15:48 2008
Date: Mon, 28 Jan 2008 19:15:18 +0100
From: Sabri Berisha
To: Benny Sumitro
Cc: Juniper NSP
Subject: Re: [j-nsp] Sampling on fxp0

Benny Sumitro wrote:

Hi Benny

> One quick question about traffic sampling on JNCIE pg 331.
> The book states that the requirement is to put a sampling filter on all r5's
> interfaces which are transit interfaces and fxp or OOB interface but in the
> next paragraph it states that sampling does not function for traffic flowing
> on the router's fxp0 OoB management port.
>
> Which of the two statements on the same page of the JNCIE book is correct :) ?
>
>
Hmm, I think they would mean lo0 instead of fxp0. It is not possible to sample traffic on fxp0 as this traffic does not reach the Cf-chip.

Thanks,
Sabri

From stevanus@datacomm.co.id Mon Jan 28 13:18:38 2008
Date: Tue, 29 Jan 2008 00:48:21 +0700
From: Stevanus
To: Benny Sumitro
Cc: Juniper NSP
Subject: Re: [j-nsp] Sampling on fxp0

Hi Ben,

I think both are correct. The first statement is only a requirement from the configuration scenario in the JNCIE book. In order to avoid point loss, fxp0 must be sampled as it is one of r5's interfaces.

The second statement is also correct. I have tested it myself in the lab :P. Just try it yourself if you don't believe me...

Regards,
Stevanus

Benny Sumitro wrote:
> Hi list,
>
> One quick question about traffic sampling on JNCIE pg 331.
> The book states that the requirement is to put a sampling filter on all r5's
> interfaces which are transit interfaces and fxp or OOB interface but in the
> next paragraph it states that sampling does not function for traffic flowing
> on the router's fxp0 OoB management port.
>
> Which of the two statements on the same page of the JNCIE book is correct :) ?
>
> Thanks,
> Benny

From snortbsd@yahoo.com.au Mon Jan 28 17:06:05 2008
Date: Mon, 28 Jan 2008 14:05:59 -0800 (PST)
From: snort bsd
To: nanog@merit.edu, juniper-nsp
Subject: [j-nsp] IPv6 questions

Hi All:

With link-local IPv6 address, the converting from MAC-48 to EUI-64 address format (FF FE stuffing). How do the VLAN tags affect the conversion?

With the rule of FF FE stuffing, I can see it clearly work on the ptp interfaces. But on those Ethernet based VLANs, it doesn't seem to follow that pattern:

Current address: 00:90:69:4a:b9:5d, Hardware address: 00:90:69:4a:b9:5d

Well, I assume the link-local should be fe80::290:69f