[j-nsp] RE : ISIS between ERX 1440 and MX960

Payam Chychi pchychi at gmail.com
Fri May 20 14:49:48 EDT 2011


Hey David,

I believe it's expected behavior when you set up ptp to stop sending iih pkts.

Do you know if the erx has igmp snooping? This really sounds like the
issue we were facing on links that traversed our (ex) in between. I know
yours is an erx but if igmp snooping is enabled, it will discard pkts
based on certain dst-mac addresses and unfortunately Juniper's filtering
actually blocks certain legit macs.

So again, this could totally not be the issue; however, from what you have
explained so far... it's 99% the same behavior that we saw on our devices
with igmp snooping enabled.
One thing you might also want to check is to contact your provider and see
if the link connecting your devices goes through any switch fabrics that
may be performing mac-add filtering. We had one provider that was
filtering dst-mac but they were not able to locate where, so changing to
ptp got around the issue.

If you find the problem please let us know =)
cheers
Payam




david.roy at orange-ftgroup.com wrote:
> Thanks.
>
> I tried too, but I've the same behavior! IIH discarded at the ERX side.
>
> Moreover when I configure my interface in point-to-point the ERX stops sending IIH! So strange. The MX has already ISIS adjacencies with ALU 7750, other Juniper T and M series and Cisco boxes as well. I don't understand why I can't do it with ERX! Maybe a bug! ERX is in 10.2.1
>
> David
>
> ________________________________________
> From: David Lockuan [dlockuan at gmail.com]
> Sent: Friday, May 20, 2011 20:03
> To: ROY David DTF/DERX
> Cc: sthaug at nethelp.no; juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] ISIS between ERX 1440 and MX960
>
> Hi David,
>
> Could you try to put the authentication with md5? I say this because when I was doing interoperability between JunOS and IOS, I noted that the simple authentication doesn't work correctly. Maybe the hash-key is not compatible when you use the simple authentication.
>
> Now we are using md5 as authentication-type and point-to-point configuration between equipments ERX, T1600, GSR and CRS.
>
> BR,
>
> ---
> David
>
>
> On Fri, May 20, 2011 at 10:47 AM, Payam Chychi <pchychi at gmail.com> wrote:
> correction:
> point-to-point is configured under the interface on the erx
>
> " interface blah/0
>
> isis network point-to-point "
>
>
> -Payam
>
>
> Payam Chychi wrote:
> Hey,
>
> Have you tried setting each side up as a point-to-point network? It's
> done under protocol isis
>
> Try that and see if it works. If so, your dst mac on one side is getting
> filtered (by the device itself or perhaps your provider)
>
>
> On 5/20/11, david.roy at orange-ftgroup.com <david.roy at orange-ftgroup.com> wrote:
>
> Hi,
>
> I don't know how to go on with the ERX. I tried many things without success.
> More traces below. Thanks for your help : May be a bug ?!?
>
> Regards,
> David
>
>
> ERX :
> #######
>
> interface loopback 50
>  ip address x.x.x.x 255.255.255.255
>  no ip redirects
> !
> interface gigabitEthernet 12/0
>  mtu 4488
>  ip address y.y.y.1 255.255.255.252
>  no ip redirects
>  ip router isis 31337
>  isis circuit-type level-2-only
>  isis authentication-key level-2 foo123
> !
> router isis 31337
>  is-type level-2-only
>  passive-interface loopback50
>  net 49.0001.xxxx.xxxx.xxxx.00
>  domain-authentication psnp
>  domain-authentication csnp
>  domain-message-digest-key 1 hmac-md5 foo123
>  metric-style wide
> !
>
>
> MX :
> #######
>
> ge-2/2/2 {
>    mtu 4484;
>    unit 0 {
>        family inet {
>            address y.y.y.2/30;
>        }
>        family iso;
>    }
> }
>
> isis {
>    level 2 {
>        authentication-key "xxxxxxxx"; ## SECRET-DATA = foo123
>        authentication-type md5;
>        wide-metrics-only;
>    }
>    interface ge-2/2/2.0 {
>      level 1 disable;
>      level 2 {
>          hello-authentication-key "$9$fQ39yrv8xdBIs4aJDjCtpBhS"; ## SECRET-DATA = foo123
>          hello-authentication-type simple;
>      }
>   }
> }
>
>
> Trace on MX :
> ##############
>
> show interfaces ge-2/2/2
> Physical interface: ge-2/2/2, Enabled, Physical link is Up
>  Interface index: 251, SNMP ifIndex: 556
>  Description: Connection To LNS
>  Link-level type: Ethernet, MTU: 4484, Speed: 1000mbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
>  Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online
>  Device flags   : Present Running
>  Interface flags: SNMP-Traps Internal: 0x4000
>  Link flags     : None
>  CoS queues     : 8 supported, 8 maximum usable queues
>  Schedulers     : 0
>  Current address: 84:18:88:e8:c9:9e, Hardware address: 84:18:88:e8:c9:9e
>  Last flapped   : 2011-05-20 11:54:46 EEST (01:08:11 ago)
>  Input rate     : 6144 bps (8 pps)
>  Output rate    : 0 bps (0 pps)
>  Active alarms  : None
>  Active defects : None
>
>  Logical interface ge-2/2/2.0 (Index 75) (SNMP ifIndex 656)
>    Flags: SNMP-Traps 0x4000000 Encapsulation: ENET2
>    Input packets : 27981
>    Output packets: 600
>    Protocol inet, MTU: 4470
>      Flags: Sendbcast-pkt-to-re
>      Addresses, Flags: Is-Preferred Is-Primary
>        Destination: x.x.x.x/30, Local: x.x.x.x, Broadcast: x.x.x.x
>    Protocol iso, MTU: 4467   <<<<<<<<<< ISO MTU
>    Protocol multiservice, MTU: Unlimited
>
>
> monitor traffic interface ge-2/2/2.0 layer2-headers no-resolve size 4488
> verbose output suppressed, use <detail> or <extensive> for full protocol decode
> Address resolution is OFF.
> Listening on ge-2/2/2.0, capture size 4488 bytes
>
> TO ERX :
>
> 13:04:34.156857 Out 84:18:88:e8:c9:9e > 1:80:c2:0:0:15, 802.3, length 1509: LLC, dsap OSI (0xfe) Individual, ssap OSI (0xfe) Command, ctrl 0x03: OSI NLPID IS-IS (0x83): L2 Lan IIH, src-id 2131.3905.5002, lan-id 2131.3905.5002.00, prio 64, length 1492  <<< PDU length including hello padding of the MX
>
> FROM ERX :
>
> 13:04:35.450255  In 0:90:1a:41:fa:f5 > 1:80:c2:0:0:15, 802.3, length 1514: LLC, dsap OSI (0xfe) Individual, ssap OSI (0xfe) Command, ctrl 0x03: OSI NLPID IS-IS (0x83): L2 Lan IIH, src-id 1921.6801.6029, lan-id 1921.6801.6029.01, prio 64, length 1497  <<< PDU length including hello padding of the ERX
>
>
>
> Trace on ERX :
> ##############
>
>
>
> sho int gi 12/0
> GigabitEthernet12/0 is Up, Administrative status is Up
>  Hardware is PMC 3386, address is 0090.1a41.faf5
>  Primary MAU is 1000BASE-LX 10km, secondary MAU is 1000BASE-LX 10km
>  MTU: Operational 4488, Administrative 4488   <<<<<<<<<< MTU seems good
>  Duplex Mode: Operational Full Duplex, Administrative Auto Negotiate
>  Speed: Operational 1000 Mbps, Administrative Auto Negotiate
>  Debounce: State is Disabled
>  Link: Operational Primary Link Selected,
>        Administrative Link Selected Automatically
>  Link Failover Timeout: Operational 727 ms, Administrative default
>  Primary link selected 258 times, Secondary link selected 252 times
>  Primary link signal detected, Secondary link signal not detected
>
>  No baseline has been set
>  5 minute input rate 1024 bits/sec, 0 packets/sec
>  5 minute output rate 19456 bits/sec, 12 packets/sec
>
>  In: Bytes 789821048435, Unicast 4769999720
>   Multicast 2224876, Broadcast 2088
>   Errors 0, Discards 36549, Mac Errors 0, Alignment 0  <<<<<<<<<< IIH coming from MX are discarded
>   CRC 0, Too Longs 0, Symbol Errors 0
>  Out: Bytes 6824490336601, Unicast 6292729944
>   Multicast 4577411, Broadcast 103
>   Errors 0, Discards 0, Mac Errors 0, Deferred 0, No Carrier 0
>   Collisions: Single 0, Multiple 0, Late 0, Excessive 0
> Policed Statistics:
>  In: 0, Out: 0
> ARP Statistics:
>  In: ARP requests 211, ARP responses 8
>   Errors 0, Discards 6
>  Out: ARP requests 103, ARP responses 204
>   Errors 0, Discards 7
>
> Administrative qos-shaping-mode: none
> Operational qos-shaping-mode: frame
> queue 0: traffic class best-effort, bound to ethernet GigabitEthernet12/0
>  Queue length 0 bytes
>  Forwarded packets 0, bytes 0
>  Dropped committed packets 0, bytes 0
>  Dropped conformed packets 0, bytes 0
>  Dropped exceeded packets 0, bytes 0
> queue 1: traffic class control, bound to GigabitEthernet12/0
>  Queue length 0 bytes
>  Forwarded packets 22347807, bytes 1630937549
>  Dropped committed packets 0, bytes 0
>  Dropped conformed packets 0, bytes 0
>  Dropped exceeded packets 0, bytes 0
>
>
>
> sho clns interface gi 12/0
> GigabitEthernet12/0 is up, line protocol is up
>  Checksums Enabled, MTU 4470, Encapsulation SNAP  <<<<<<<<<< MTU ISO
>  Next ESH/ISH is 7 seconds
>  Routing Protocol: IS-IS
>    Circuit Type: level-2
>    Interface number 0x495886, local circuit ID 0x1
>    Level-1 Metric: 10, DIS Priority: 0, Priority: 64,
>            Circuit ID: BRAS3-WDOO.01
>            L1 Designated IS: Disabled
>    Number of active level-1 adjacencies: 0
>    Level-2 Metric: 10, DIS Priority: 64, Priority: 64,
>            Circuit ID: BRAS3-WDOO.01
>
>            L2 Designated IS: BRAS3-WDOO:default.01 (not us)
>    Number of active level-2 adjacencies: 0
>    Next IS-IS LAN Level-1 Hello in 0 seconds
>    Next IS-IS LAN Level-2 Hello in 6 seconds
>    BFD disabled
>    Mesh Group Inactive
>    Authentication Level-2:
>      Key-id:   0 Type: password*
>        Start Accept:   THU MAY 19 18:08:31 2011
>        Start Generate: THU MAY 19 18:08:31 2011
>        Stop Accept:    0
>        Stop Generate:  0
>
>
> sho clns traffic detail
> IS-IS: Baseline last set 28 days, 22 hours, 11 minutes, 17 seconds
> IS-IS: Corrupted LSPs: 0
> IS-IS: L1 LSP Database Overloads: 0
> IS-IS: L2 LSP Database Overloads: 0
> IS-IS: Area Addresses Dropped: 0
> IS-IS: Attempts to Exceed Max Sequence: 0
> IS-IS: Sequence Numbers Skipped: 0
> IS-IS: Total LSPs Purged: 414
> IS-IS: Own LSPs Purged: 0
> IS-IS: System ID Length Mismatches: 0
> IS-IS: Maximum Area Mismatches: 0
> IS-IS: Area/Domain Authentication Failures: 0
> IS-IS: Level-1 LSPs Sent: 0 Rcvd: 0 Dropped: 0
> IS-IS: Level-2 LSPs Sent: 3086 Rcvd: 529403 Dropped: 0
> IS-IS: LSP checksum errors received: 0
>
> Interface: GigabitEthernet12/0
> IS-IS: Baseline last set 28 days, 22 hours, 11 minutes, 17 seconds
> IS-IS: Protocol PDUs (in/out): 0/0
> IS-IS: Init Failures: 0
> IS-IS: Adjacencies Changes: 0
> IS-IS: Adjacencies Rejected: 0
> IS-IS: Bad LSPs: 0
> IS-IS: Level-1 Designated IS Changes: 2
> IS-IS: Level-2 Designated IS Changes: 11
> IS-IS: Invalid 9542s: 0
> IS-IS: Malformed PDU reecived: 0
> IS-IS: Authentication Failures: 0
> IS-IS: Level-1 Hellos (in/out/dropped): 0/0/0
> IS-IS: Level-2 Hellos (in/out/dropped): 0/300/0   <<<<<<<<<<<<< ONLY SENT IIH
> IS-IS: Level-1 CSNPs (in/out): 0/0
> IS-IS: Level-2 CSNPs (in/out): 0/0
> IS-IS: Level-1 PSNPs (in/out): 0/0
> IS-IS: Level-2 PSNPs (in/out): 0/0
> IS-IS: LSPs Retransmitted : 0
>
>
>
> David Roy
> Orange - IP Domestic Backbone - TAC
> Tel.   +33(0)299876472
> Mob. +33(0)685522213
> Email. david.roy at orange-ftgroup.com
> JNCIE-M/T  #703 ; JNCIS-ENT
>
> -----Original Message-----
> From: sthaug at nethelp.no [mailto:sthaug at nethelp.no]
> Sent: Thursday, May 19, 2011 21:35
> To: ROY David DTF/DERX
> Cc: kalirajv at gmail.com; juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] ISIS between ERX 1440 and MX960
>
>
> 2. I tried but without success. I believe that the ISO MTU is less
> than the padded hello of the MX. I will try to set mtu of the gi 12/0
> of the ERX to 1518 : I will update you if it works
>
> We have IS-IS running between MX and ERX with no problem. Use 4 bytes more
> for the ERX MTU than the MX MTU on the physical interfaces, and you should
> be all set.
>
> Example of working config below, lightly anonymized.
>
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
> ----------------------------------------------------------------------
>
> interface gigabitEthernet 2/0
>  mtu 4488
>  ip address a.b.2.202 255.255.255.252
>  ip router isis
>  isis network point-to-point
>  isis circuit-type level-2-only
>
> interface loopback 0
>  ip address a.b.0.75 255.255.255.255
>  ip router isis
>  isis circuit-type level-2-only
>
> router isis
>  is-type level-2-only
>  net 47.0001.0000.0000.0075.00
>  metric-style wide level-2
>
> interfaces {
>    ge-0/0/3 {
>        mtu 4484;
>        unit 0 {
>            family inet {
>                address a.b.2.201/30;
>            }
>            family iso;
>        }
>    }
>    lo0 {
>        unit 0 {
>            family inet {
>                address a.b.0.78/32;
>            }
>            family iso {
>                address 47.0001.0000.0000.0078.00;
>            }
>        }
>    }
> }
>
> protocols {
>    isis {
>        level 2 wide-metrics-only;
>        level 1 disable;
>        interface ge-0/0/3.0 {
>            point-to-point;
>        }
>        interface lo0.0 {
>            level 2 passive;
>        }
>    }
> }
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>   
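
An added example, not part of the original thread: a small Python parser for the two `monitor traffic` lines quoted above. It normalises the MACs, names the IS-IS multicast group each hello is addressed to (the destination a dst-MAC filter would match on), and compares the PDU length with the receiver's ISO MTU shown in the thread (4470 on the ERX, 4467 on the MX). The function names and note strings are hypothetical.

```python
import re

# IS-IS multicast destination MACs used on broadcast links (ISO 10589).
ISIS_GROUPS = {"01:80:c2:00:00:14": "AllL1ISs", "01:80:c2:00:00:15": "AllL2ISs",
               "09:00:2b:00:00:05": "AllISs"}
HDR = 14 + 3  # 802.3 MAC header + LLC header bytes ahead of the IS-IS PDU
ISO_MTU = {"Out": 4470, "In": 4467}  # receiver's ISO MTU in the thread: ERX, MX

# The two frames posted in the thread, wrapped lines rejoined.
CAPTURE = """\
13:04:34.156857 Out 84:18:88:e8:c9:9e > 1:80:c2:0:0:15, 802.3, length 1509: LLC, dsap OSI (0xfe) Individual, ssap OSI (0xfe) Command, ctrl 0x03: OSI NLPID IS-IS (0x83): L2 Lan IIH, src-id 2131.3905.5002, lan-id 2131.3905.5002.00, prio 64, length 1492
13:04:35.450255  In 0:90:1a:41:fa:f5 > 1:80:c2:0:0:15, 802.3, length 1514: LLC, dsap OSI (0xfe) Individual, ssap OSI (0xfe) Command, ctrl 0x03: OSI NLPID IS-IS (0x83): L2 Lan IIH, src-id 1921.6801.6029, lan-id 1921.6801.6029.01, prio 64, length 1497
"""

LINE = re.compile(
    r"^\S+\s+(?P<dir>In|Out)\s+(?P<src>[0-9a-f:]+) > (?P<dst>[0-9a-f:]+), "
    r"802\.3, length (?P<frame>\d+):.*IS-IS \(0x83\): (?P<pdu>[^,]+), "
    r"src-id (?P<sysid>[0-9a-f.]+),.*length (?P<plen>\d+)\s*$")

def norm_mac(mac):
    """Zero-pad each octet; the capture prints 1:80:c2:0:0:15."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def parse(capture):
    """Return one dict per IS-IS frame found in the capture text."""
    hellos = []
    for m in filter(None, map(LINE.match, capture.splitlines())):
        dst = norm_mac(m["dst"])
        hellos.append({"dir": m["dir"], "src": norm_mac(m["src"]), "dst": dst,
                       "group": ISIS_GROUPS.get(dst), "pdu": m["pdu"],
                       "sysid": m["sysid"], "frame_len": int(m["frame"]),
                       "pdu_len": int(m["plen"])})
    return hellos

def check(hello):
    """List what a reviewer should note about one hello."""
    notes = []
    if hello["group"]:
        notes.append(f"dst is multicast group {hello['group']}")
    if hello["frame_len"] - hello["pdu_len"] != HDR:
        notes.append("frame length and PDU length disagree")
    if hello["pdu_len"] > ISO_MTU[hello["dir"]]:
        notes.append("PDU larger than receiver ISO MTU")
    return notes

if __name__ == "__main__":
    for h in parse(CAPTURE):
        print(h["dir"], h["sysid"], h["pdu"], h["pdu_len"], check(h))
```

On the thread's capture both hellos come back as LAN IIHs to AllL2ISs whose padded length fits the receiver's ISO MTU, so the only note raised is the multicast destination.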


