[j-nsp] help

Matt Arthur MArthur at SHOMEPOWER.com
Tue Jul 12 09:20:14 EDT 2005


help 

Please unsubscribe me.

Thanks,
Matt









-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
juniper-nsp-request at puck.nether.net
Sent: Monday, July 11, 2005 6:36 PM
To: juniper-nsp at puck.nether.net
Subject: juniper-nsp Digest, Vol 32, Issue 13

Send juniper-nsp mailing list submissions to
	juniper-nsp at puck.nether.net

To subscribe or unsubscribe via the World Wide Web, visit
	http://puck.nether.net/mailman/listinfo/juniper-nsp
or, via email, send a message with subject or body 'help' to
	juniper-nsp-request at puck.nether.net

You can reach the person managing the list at
	juniper-nsp-owner at puck.nether.net

When replying, please edit your Subject line so it is more specific than
"Re: Contents of juniper-nsp digest..."


Today's Topics:

   1. Virtual router questions (Joe McGuckin)
   2. RE: Virtual router questions (Doug Marschke)
   3. IPSec + GRE on same box, config example (telecom at servidor.unam.mx)
   4. RE: IPSec + GRE on same box, config example
      (telecom at servidor.unam.mx)
   5. RE: IPSec + GRE on same box, config example (Raymond Cheh)
   6. Hot... or not? ;) (Daniel Roesen)
   7. Re: Hot... or not? ;) (Jared Gull)
   8. Re: Hot... or not? ;) (Jared Mauch)


----------------------------------------------------------------------

Message: 1
Date: Mon, 11 Jul 2005 12:59:59 -0700
From: Joe McGuckin <joe at via.net>
Subject: [j-nsp] Virtual router questions
To: <juniper-nsp at puck.nether.net>
Message-ID: <BEF81DCF.99F7C%joe at via.net>
Content-Type: text/plain; charset="US-ASCII"

Can a virtual router use device subinterfaces? The virtual router
doesn't have to 'own' a complete physical interface - right?

Can someone supply a simple example of a virtual router?

Thanks,

Joe

-- 

Joe McGuckin

ViaNet Communications
994 San Antonio Road
Palo Alto, CA  94303

Phone: 650-213-1302
Cell:  650-207-0372
Fax:   650-969-2124




------------------------------

Message: 2
Date: Mon, 11 Jul 2005 13:09:55 -0700
From: "Doug Marschke" <doug at ipath.net>
Subject: RE: [j-nsp] Virtual router questions
To: "'Joe McGuckin'" <joe at via.net>, <juniper-nsp at puck.nether.net>
Message-ID: <0MKz1m-1Ds4bM0QtC-000637 at mrelay.perfora.net>
Content-Type: text/plain;	charset="us-ascii"

I assume you mean JUNOS?  Example using a sub-interface in the virtual
router instance.  (other is in main instance)

[edit interfaces]
user@host# show
fe-0/0/0 {
    vlan-tagging;
    unit 0 {
        vlan-id 100;
        family inet {
            address 10.0.30.2/24;
        }
    }
    unit 1 {
        vlan-id 200;
        family inet {
            address 10.0.31.2/24;
        }
    }
}

[edit routing-instances example]
user@host# show
instance-type virtual-router;
interface fe-0/0/0.1;




------------------------------

Message: 3
Date: Mon, 11 Jul 2005 15:15:18 -0500 (CDT)
From: telecom at servidor.unam.mx
Subject: [j-nsp] IPSec + GRE on same box, config example
To: juniper-nsp at puck.nether.net
Message-ID:
	<Pine.LNX.4.58.0507111455410.14001 at pine.servidores.unam.mx>
Content-Type: TEXT/PLAIN; charset=US-ASCII


Hi everybody, I've done both tests separately with an AS PIC and so far
the results have been great. Recently, I've been asked if it's possible
to transport multicast over GRE over IPSec on an AS PIC. So before I
jump into the lab, I'd like to know if this is even supported today.
Juniper is great at documenting their supported features and since I
haven't seen anything in their documentation, I'm wondering if anybody
has tried this before. Thanks

-- 


------------------------------

Message: 4
Date: Mon, 11 Jul 2005 16:19:17 -0500 (CDT)
From: telecom at servidor.unam.mx
Subject: RE: [j-nsp] IPSec + GRE on same box, config example
To: Mario Puras <mario.puras at solunet.com>
Cc: juniper-nsp at puck.nether.net
Message-ID:
	<Pine.LNX.4.58.0507111617210.14001 at pine.servidores.unam.mx>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 11 Jul 2005, Mario Puras wrote:

Ok thanks, my case is with AS PIC for both IPSec and GRE, not ES PIC, but
I'll try to give this a try... So I guess that Juniper doesn't officially
support this, right?


> I have been working on a config for one of my customers to do just
> what you are wanting to do but I have not heard back from them whether
> it has worked or not.  Perhaps you can try it and let me know?
> 
>  
> interfaces {
>     gr-0/1/0 {
>         unit 0 {
>             tunnel {
>                 source 192.168.12.1;  
>                 destination 192.168.12.2;  
>             }
>             family inet {
>                 address 1.1.1.6/30;
>             }
>         }
>     }
>     es-0/2/0 {
>         unit 0 {
>             tunnel {
>                 source 10.0.0.3;  
>                 destination 10.0.0.1;  
>             }
>             family inet {
>                 ipsec-sa testing_Proposal_IPSec;
>                 address 1.1.1.2/30;
>             }
>         }
>     }
>     t1-4/0/0 {
>         unit 0 {
>             family inet {
>                 address 192.168.12.1/30;
>             }
>         }
>     }
>     lo0 {
>         unit 0 {
>             family inet {
>                 address 10.0.0.3/32;
>             }
>         }
>     }
> }
> security {
>     traceoptions {
>         file files 10;
>         flag all;
>     }
>     ipsec {
>         proposal testing_Proposal_IPSec {
>             protocol esp;
>             authentication-algorithm hmac-md5-96;
>             encryption-algorithm des-cbc;
>             lifetime-seconds 86400;
>         }
>         policy testing_Policy_IPSec {
>             perfect-forward-secrecy {
>                 keys group1;
>             }
>             proposals testing_Proposal_IPSec;
>         }
>         security-association testing_SA_IPSec {
>             description "...IPSec SA testing";
>             mode tunnel;
>             dynamic {
>                 ipsec-policy testing_Policy_IPSec;
>             }
>         }
>     }
>     ike {
>         proposal testing {
>             authentication-method pre-shared-keys;
>             authentication-algorithm md5;
>             encryption-algorithm des-cbc;
>         }
>         policy 10.0.0.1 {
>             proposals testing;
>             pre-shared-key ascii-text "$9$ef0vX7dbs4JGVbfTFnCAX7N-24";
>         }
>     }
> }
>  
> 
> It may be possible that you use the same lo0 interface on your GRE but
> I have not tried this.
> 
> 1.  Have a local static route pointing to the remote GRE tunnel
> destination with a next-hop of the IPSec tunnel (like es-0/2/0.0).
> 2.  Point your multicast traffic at the GRE interface: gr-0/1/0.0.
> 
> Let me know how it turns out.
> 
> 
> 
> Thanks,
> 
> Mario Puras
> SoluNet/SoluServe TAC Manager
> Web Address:  www.solunet.com
> Mailto: mpuras at solunet.com
> Direct: (321) 309-1410
> Fax: (321) 676-1287
> TAC: 888.449.5766 (USA) / 888.SOLUNET (Canada)
> 
> 

-- 


------------------------------

Message: 5
Date: Mon, 11 Jul 2005 14:56:30 -0700
From: "Raymond Cheh" <rcheh at juniper.net>
Subject: RE: [j-nsp] IPSec + GRE on same box, config example
To: <telecom at servidor.unam.mx>, "Mario Puras"
	<mario.puras at solunet.com>
Cc: juniper-nsp at puck.nether.net
Message-ID: <062B922B6EC55149B5A267ECE78E5D44076755DB at photon.jnpr.net>
Content-Type: text/plain;	charset="US-ASCII"

Mario,

This is one with IPSec + GRE but you'll need to add multicast on it. I
don't have one as detailed as they put in the configuration guides but I
hope this helps.

interfaces {
    so-0/1/0 {
        unit 0 {
            family inet {
                service {
                    input {
                        service-set ss-1;
                    }
                    output {
                        service-set ss-1;
                    }
                }
                address 10.10.10.1/30;
            }
            family iso;
        }
    }
    gr-2/2/0 {
        unit 1 {
            tunnel {
                source 10.0.0.1;
                destination 10.0.0.2;
            }
            family inet {
                address 11.1.1.1/30;
            }
        }
    }
    sp-2/2/0 {
        unit 0 {
            family inet;
        }
    }
}
services {
    service-set ss-1 {
        interface-service {
            service-interface sp-2/2/0;
        }
        ipsec-vpn-options {
            local-gateway 10.10.10.1;
        }
        ipsec-vpn-rules espdes;
    }
    ipsec-vpn {
        rule espdes {
            term term-dynamic-SA {
                from {
                    source-address {
                        10.0.0.1/32;
                    }
                    destination-address {
                        10.10.10.2/32;
                    }
                }
                then {
                    remote-gateway 10.30.1.2;
                    dynamic {
                        ike-policy hello;
                        ipsec-policy policy1;
                    }
                }
            }
            match-direction output;
        }
        ipsec {
            proposal ipsec1 {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm des-cbc;
            }
            policy policy1 {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals ipsec1;
            }
        }
        ike {       
            proposal ike1 {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm des-cbc;
            }
            policy hello {
                mode main;
                proposals ike1;
                pre-shared-key ascii-text "$9$6fQDAtOrlMXNbp0MX7Nbwmf5F9A";
            }
        }
    }
}

Raymond
rcheh at juniper.net
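
An added example, not part of Raymond's or Mario's messages and not Juniper code: a small Python audit that walks a brace-style JUNOS configuration such as the two posted in this thread and reports IPsec/IKE statements that use DES, MD5 or Diffie-Hellman group 1. The `WEAK` table is this example's assumption about what to flag, and `SAMPLE` is constructed by abridging the posted configurations.

```python
import re

# Values this example treats as weak (an assumption; extend to local policy).
WEAK = {
    "encryption-algorithm": {"des-cbc"},
    "authentication-algorithm": {"md5", "hmac-md5-96"},
    "dh-group": {"group1"},
    "keys": {"group1"},  # counted only inside perfect-forward-secrecy { }
}
# Quoted strings and comments match first, so their contents are never parsed.
TOKEN = re.compile(r'"[^"]*"|/\*.*?\*/|#[^\n]*|[{};]|[^\s{};"]+', re.S)

# Constructed sample, abridged from the two configurations in this thread.
SAMPLE = """
security {
    ipsec {
        proposal testing_Proposal_IPSec {
            authentication-algorithm hmac-md5-96;
            encryption-algorithm des-cbc;
        }
        policy testing_Policy_IPSec {
            perfect-forward-secrecy { keys group1; }
        }
    }
    ike {
        proposal testing {
            authentication-algorithm md5;
            encryption-algorithm des-cbc;
        }
    }
}
services {
    ipsec-vpn {
        ike {
            proposal ike1 {
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm des-cbc;
            }
        }
    }
}
"""

def audit(config):
    """Walk a brace-style JUNOS config; return [(hierarchy path, statement)]."""
    findings, path, stmt = [], [], []
    for tok in TOKEN.findall(config):
        if tok.startswith(("/*", "#")):
            continue  # skip comments
        if tok not in ("{", "}", ";"):
            stmt.append(tok)
            continue
        if tok == "{":
            path.append(" ".join(stmt))  # enter a container
        elif tok == "}" and path:
            path.pop()  # leave a container
        elif tok == ";" and len(stmt) == 2 and {"ipsec", "ike"} & set(path):
            key, value = stmt
            pfs_ok = key != "keys" or path[-1] == "perfect-forward-secrecy"
            if pfs_ok and value in WEAK.get(key, ()):
                findings.append((" ".join(path), " ".join(stmt)))
        stmt = []
    return findings

if __name__ == "__main__":
    for where, statement in audit(SAMPLE):
        print(f"{where}: {statement}")
```

SHA-1 and group 2, as used in the second configuration, pass this particular list; add them to `WEAK` if local policy rejects them.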




------------------------------

Message: 6
Date: Tue, 12 Jul 2005 01:17:29 +0200
From: Daniel Roesen <dr at cluenet.de>
Subject: [j-nsp] Hot... or not? ;)
To: juniper-nsp at puck.nether.net
Message-ID: <20050711231729.GA7258 at srv01.cluenet.de>
Content-Type: text/plain; charset=us-ascii

Hi,

temperature readings (M10):
Temp  FPC 0                  OK         27 degrees C / 80 degrees F
      FPC 1                  OK         26 degrees C / 78 degrees F
      FEB                    OK         26 degrees C / 78 degrees F
      PS Intake              OK         23 degrees C / 73 degrees F
      PS Exhaust             OK         26 degrees C / 78 degrees F
      Routing Engine         OK         25 degrees C / 77 degrees F

but:
Alarm time               Class  Description
2005-06-29 02:16:35 CEST Major  Host 0 Temperature Hot

chassisd spitting out:

CHASSISD_RE_OVER_TEMP_SHUTDOWN_CONDITION: Routing Engine 0 temperature
(124 C) over 100 degrees C, platform will shutdown in -586749 seconds if
condition persists
CHASSISD_RE_OVER_TEMP_SHUTDOWN: Routing Engine 0 temperature above 100
degrees C for too long; powering down all FRUs

and sometimes even traps get sent:
CHASSISD_SNMP_TRAP6: SNMP trap generated: Over Temperature!
(jnxContentsContainerIndex 9, jnxContentsL1Index 1, jnxContentsL2Index
0, jnxContentsL3Index 0, jnxContentsDescr Routing Engine,
jnxOperatingState/Temp 122)
CHASSISD_SNMP_TRAP6: SNMP trap generated: Temperature back to normal
(jnxContentsContainerIndex 9, jnxContentsL1Index 1, jnxContentsL2Index
0, jnxContentsL3Index 0, jnxContentsDescr Routing Engine,
jnxOperatingState/Temp 22)

Of course, the FRUs aren't being powered down at all. Looks like a
purely cosmetic bug. And looks like the box thinks that it's exactly 100
degrees C hotter than reality.

Known bug? 7.2R1


Best regards,
Daniel

--
CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0


------------------------------

Message: 7
Date: Mon, 11 Jul 2005 16:35:44 -0700 (PDT)
From: Jared Gull <jmgull at yahoo.com>
Subject: Re: [j-nsp] Hot... or not? ;)
To: Daniel Roesen <dr at cluenet.de>, juniper-nsp at puck.nether.net
Message-ID: <20050711233544.82658.qmail at web60715.mail.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1

Daniel,

Check out PR57855.  It has been fixed in 6.4R4 7.0R3
7.1R3 7.2R2 7.3R1.  

HTHs.

Jared



------------------------------

Message: 8
Date: Mon, 11 Jul 2005 19:35:53 -0400
From: Jared Mauch <jared at puck.nether.net>
Subject: Re: [j-nsp] Hot... or not? ;)
To: juniper-nsp at puck.nether.net
Message-ID: <20050711233553.GA24584 at puck.nether.net>
Content-Type: text/plain; charset=us-ascii

On Tue, Jul 12, 2005 at 01:17:29AM +0200, Daniel Roesen wrote:
> Known bug? 7.2R1

	Yes, we've seen this, it's a known bug, I don't know the PR for this.

	- jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.


------------------------------

_______________________________________________
juniper-nsp mailing list
juniper-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp


End of juniper-nsp Digest, Vol 32, Issue 13
*******************************************



