Mailing List Archive

Hey, how about that. It works when I set the encapsulation type to
flexible-ethernet-services - I'm not sure why this works, but it seems
too...

thomas at NCT_M02# show interfaces ge-1/3/0
vlan-tagging;
encapsulation flexible-ethernet-services;
unit 0 {
vlan-id 1;
family inet {
address 10.0.0.2/26;
}
}
unit 1 {
vlan-id 900;
family inet {
address 10.44.44.1/30;
}
}

Basic ping to a box in the 10.0.0.0/26 network is successful. It's all the
testing I've done so far, but hopefully this will do the trick. Thanks for
everyone's help.

Cheers,
Thomas


>
> humm...
>
> have you tried vlan 1 on J box ?
>
> regards,
> --
> Nuno Vieira
> NFSi - Solu??es Internet, Lda.
> Chief Technical Officer
>
> Office Phone : +351 244 145615
> Mobile Phone : +351 91 6184656
> General Phone : +351 244 145600 (ext. 15)
> Fax : +351 244 145601

On Tue, Jan 18, 2005 at 05:54:01PM +1300, Thomas Salmen wrote:
>
> Hey, how about that. It works when I set the encapsulation type to
> flexible-ethernet-services - I'm not sure why this works, but it seems
> too...
>
> thomas at NCT_M02# show interfaces ge-1/3/0
> vlan-tagging;
> encapsulation flexible-ethernet-services;
> unit 0 {
> vlan-id 1;
> family inet {
> address 10.0.0.2/26;
> }
> }
> unit 1 {
> vlan-id 900;
> family inet {
> address 10.44.44.1/30;
> }
> }
>
> Basic ping to a box in the 10.0.0.0/26 network is successful. It's all the
> testing I've done so far, but hopefully this will do the trick. Thanks for
> everyone's help.

"VLAN 0" is what you use to pass 802.1p QoS/priority tagging information.

From a reading of the docs on flexible-ethernet-services (which I've never
used, since I don't use IQ/Quad Price PICs :P), I don't see how this would
directly affect what you are trying to do:

Flexible Ethernet services (flexible-ethernet-services)?Gigabit Ethernet
IQ interfaces and Gigabit Ethernet interfaces with SFPs can use flexible
Ethernet services encapsulation. Aggregated Ethernet bundles cannot use
this encapsulation type. You use this encapsulation type when you want to
configure multiple per-unit Ethernet encapsulations. This encapsulation
type allows you to configure any combination of route, TCC, CCC, and VPLS
encapsulations on a single physical port. If you configure flexible
Ethernet services encapsulation on the physical interface, VLAN IDs from 1
through 511 are no longer reserved for normal VLANs

Do you really need to mix tagged and un-tagged, or are you just trying to
use a native vlan (like 1, a usual default :P) that isn't tagged? If this
is the case, you can probably turn on native vlan tagging on whatever your
other side is.

--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

you must have misunderstood me the os is JUNOSe

----- Original Message -----
From: "Peder Bach" <pederbach@gmail.com>
To: "sunnyday" <cscosunny@gmail.com>
Cc: "Juniper-Nsp" <juniper-nsp@puck.nether.net>
Sent: Monday, February 04, 2008 5:25 PM
Subject: Re: [j-nsp] (no subject)


> firewall {
> filter 2000 {
> /* access-list 2000 permit tcp any any established log */
> term T1 {
> from {
> protocol tcp;
> tcp-established;
> }
> then {
> accept;
> log;
> }
> }
> }
> }
>
>
> On Feb 4, 2008 3:54 PM, sunnyday <cscosunny@gmail.com> wrote:
>> Hello i want to convert a cisco command on junose
>>
>> access-list 2000 permit tcp any any established log
>>
>>
>> i can seem to find the established option in classifier-list conf
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

The syntax given is *not* JUNOSe - It;s JUNOS

I thought I had unicast that email to ... well whatever...


On 2/4/08, sunnyday <cscosunny@gmail.com> wrote:
>
> you must have misunderstood me the os is JUNOSe
>
> ----- Original Message -----
> From: "Peder Bach" <pederbach@gmail.com>
> To: "sunnyday" <cscosunny@gmail.com>
> Cc: "Juniper-Nsp" <juniper-nsp@puck.nether.net>
> Sent: Monday, February 04, 2008 5:25 PM
> Subject: Re: [j-nsp] (no subject)
>
>
> > firewall {
> > filter 2000 {
> > /* access-list 2000 permit tcp any any established log */
> > term T1 {
> > from {
> > protocol tcp;
> > tcp-established;
> > }
> > then {
> > accept;
> > log;
> > }
> > }
> > }
> > }
> >
> >
> > On Feb 4, 2008 3:54 PM, sunnyday <cscosunny@gmail.com> wrote:
> >> Hello i want to convert a cisco command on junose
> >>
> >> access-list 2000 permit tcp any any established log
> >>
> >>
> >> i can seem to find the established option in classifier-list conf
> >> _______________________________________________
> >> juniper-nsp mailing list juniper-nsp@puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Oops - wrong recipient - ;)

Normally I unicast answers...

SunnyDay you did mention JUNOSe ...
Peder did respond with JUNOS example

So - in the last couple of weeks I have seen this a number of times...
people
responding to the *wrong* track

Found it slightly irritating, but certainly not a "train smash"

Got me thinking that perhaps it may be better if recipients on the list had
a heads up to read or not...depending on experience/interest

Something as simple as JUNOS:subject, JUNOSe:subject, SceenOS:subject...

On the other hand I wont loose much sleep juts deleting emails that seem
inappropriate, but will also not provide answers...

Alan


On 2/4/08, Alan Gravett <alangra@gmail.com> wrote:
>
> The syntax given is *not* JUNOSe - It;s JUNOS
>
> I thought I had unicast that email to ... well whatever...
>
>
> On 2/4/08, sunnyday <cscosunny@gmail.com> wrote:
> >
> > you must have misunderstood me the os is JUNOSe
> >
> > ----- Original Message -----
> > From: "Peder Bach" <pederbach@gmail.com>
> > To: "sunnyday" <cscosunny@gmail.com>
> > Cc: "Juniper-Nsp" <juniper-nsp@puck.nether.net>
> > Sent: Monday, February 04, 2008 5:25 PM
> > Subject: Re: [j-nsp] (no subject)
> >
> >
> > > firewall {
> > > filter 2000 {
> > > /* access-list 2000 permit tcp any any established log */
> > > term T1 {
> > > from {
> > > protocol tcp;
> > > tcp-established;
> > > }
> > > then {
> > > accept;
> > > log;
> > > }
> > > }
> > > }
> > > }
> > >
> > >
> > > On Feb 4, 2008 3:54 PM, sunnyday <cscosunny@gmail.com> wrote:
> > >> Hello i want to convert a cisco command on junose
> > >>
> > >> access-list 2000 permit tcp any any established log
> > >>
> > >>
> > >> i can seem to find the established option in classifier-list conf
> > >> _______________________________________________
> > >> juniper-nsp mailing list juniper-nsp@puck.nether.net
> > >> https://puck.nether.net/mailman/listinfo/juniper-nsp
> > >>
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
>
>
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

I have never had a problem wit the classifers not working properly.. I
suggest you either review your config or contact JTAC.

Cheers,

Callum Barr
Network Engineer
WorldxChange Communications


-----Original Message-----
From: cscosunny [mailto:cscosunny@gmail.com]
Sent: Tuesday, 22 April 2008 8:07 p.m.
To: Callum Barr
Subject: RE: [j-nsp] (no subject)

1: I thing the classification was not working but im going to try it
with
the 8.2.2 p06 to seem how it goes.

2:Thank you ill give it a try :>>

-----Original Message-----
From: Callum Barr [mailto:cbarr@wxc.co.nz]
Sent: Tuesday, April 22, 2008 10:57 AM
To: cscosunny; Juniper-Nsp
Subject: RE: [j-nsp] (no subject)

Well, I'm running 8.2.2 p04 and it seems to work fine for me... Please
clarify what you mean by 'not working'

And to answer your second question, yes there is a way to delete entries
in your classifier lists when in use;

t-rex#sh classifier-list

Classifier Control List Table
---------- ------- ---- -----
IP voice.2 ip any host xx.xx.xx.xx
IP voice.5 ip host xx.xx.xx.xx any
IP voice.7 udp any host xx.xx.xx.xx range 5060 5065
IP voice.8 udp any host xx.xx.xx.xx range 5060 5065

To delete an entry just go into config and type;

No classifier-list voice x (where x is the number corresponding to the
rule you want to nuke)

Also - you may want to RTFM.

Cheers,

Callum Barr
Network Engineer
WorldxChange Communications

-----Original Message-----
From: juniper-nsp-bounces@puck.nether.net
[mailto:juniper-nsp-bounces@puck.nether.net] On Behalf Of cscosunny
Sent: Tuesday, 22 April 2008 6:15 p.m.
To: Juniper-Nsp
Subject: [j-nsp] (no subject)

Hello I have two questions:

In which software version of junose vlan classification and policy lists
work?

I tried with 8-2-2 (cant remember which patch version)and didn't work.

And second is there a way to delete classifier list commands from
policies
being used?

Thank you







_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

SunnyDay,

I don't know the OID, but using snmpwalk.exe to find the outOctets you
would use the following:
snmpwalk.exe -v 1 -c "community" "device ip" ifOutOctets
Which will give you output resembling: (mib.ifIndex = outOctets)
ifOutOctets.35 = 3474330439
ifOutOctets.36 = 984860543
ifOutOctets.37 = 0
ifOutOctets.38 = 3450966616

>From here you'll have to find out the ifIndex of the interface you wish
to view:
In the juniper:
show snmp mib walk ifDescr

-Ben


-----Original Message-----
From: juniper-nsp-bounces@puck.nether.net
[mailto:juniper-nsp-bounces@puck.nether.net] On Behalf Of sunnyday
Sent: Monday, June 23, 2008 3:45 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] (no subject)

Hello anyone knows the OID or how can I view the output of the command:

Show egress-queue rates interface gigabitEthernet x/x/x

Via SNMP?

Thank you











_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp



***************************************************************************************

The information contained in this message, including attachments, may contain
privileged or confidential information that is intended to be delivered only to the
person identified above. If you are not the intended recipient, or the person
responsible for delivering this message to the intended recipient, Windstream requests
that you immediately notify the sender and asks that you do not read the message or its
attachments, and that you delete them without copying or sending them to anyone else.

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

I tried what you said with no result this is what I get:
And also to tell you that it on junose not junos.


C:\Documents and Settings\jet\Desktop\SNMPWALK_OCT31>snmpwalk.exe -v 2c -c
pop-RO 192.168.30.238 ifOutOctets

Cannot find module (IP-MIB): At line 0 in (none)
Cannot find module (IF-MIB): At line 0 in (none)
Cannot find module (TCP-MIB): At line 0 in (none)
Cannot find module (UDP-MIB): At line 0 in (none)
Cannot find module (SNMPv2-MIB): At line 0 in (none)
Cannot find module (SNMPv2-SMI): At line 0 in (none)
Cannot find module (UCD-SNMP-MIB): At line 0 in (none)
Cannot find module (UCD-DEMO-MIB): At line 0 in (none)
Cannot find module (SNMP-TARGET-MIB): At line 0 in (none)
Cannot find module (SNMP-VIEW-BASED-ACM-MIB): At line 0 in (non
Cannot find module (SNMP-COMMUNITY-MIB): At line 0 in (none)
Cannot find module (UCD-DLMOD-MIB): At line 0 in (none)
Cannot find module (SNMP-FRAMEWORK-MIB): At line 0 in (none)
Cannot find module (SNMP-MPD-MIB): At line 0 in (none)
Cannot find module (SNMP-USER-BASED-SM-MIB): At line 0 in (none
Cannot find module (SNMP-NOTIFICATION-MIB): At line 0 in (none)
Cannot find module (SNMPv2-TM): At line 0 in (none)
ifOutOctets: (Sub-id not found: (top) -> ifOutOctets)

C:\Documents and Settings\jet\Desktop\SNMPWALK_OCT31>













-----Original Message-----
From: Boyd, Benjamin R [mailto:Benjamin.R.Boyd@windstream.com]
Sent: Monday, June 23, 2008 5:20 PM
To: sunnyday; juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] (no subject)

SunnyDay,

I don't know the OID, but using snmpwalk.exe to find the outOctets you
would use the following:
snmpwalk.exe -v 1 -c "community" "device ip" ifOutOctets
Which will give you output resembling: (mib.ifIndex = outOctets)
ifOutOctets.35 = 3474330439
ifOutOctets.36 = 984860543
ifOutOctets.37 = 0
ifOutOctets.38 = 3450966616

>From here you'll have to find out the ifIndex of the interface you wish
to view:
In the juniper:
show snmp mib walk ifDescr

-Ben


-----Original Message-----
From: juniper-nsp-bounces@puck.nether.net
[mailto:juniper-nsp-bounces@puck.nether.net] On Behalf Of sunnyday
Sent: Monday, June 23, 2008 3:45 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] (no subject)

Hello anyone knows the OID or how can I view the output of the command:

Show egress-queue rates interface gigabitEthernet x/x/x

Via SNMP?

Thank you











_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp



****************************************************************************
***********

The information contained in this message, including attachments, may
contain
privileged or confidential information that is intended to be delivered only
to the
person identified above. If you are not the intended recipient, or the
person
responsible for delivering this message to the intended recipient,
Windstream requests
that you immediately notify the sender and asks that you do not read the
message or its
attachments, and that you delete them without copying or sending them to
anyone else.

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

This is because snmpwalk.exe cannot find the MIB files, and therefore does not know how to translate ifOutOctets to ask for it from the router.

http://www.net-snmp.org/docs/FAQ.html#What_does__Cannot_find_module__XXX_MIB___mean_

-Jonathan

-----Original Message-----
From: juniper-nsp-bounces@puck.nether.net [mailto:juniper-nsp-bounces@puck.nether.net] On Behalf Of sunnyday
Sent: Tuesday, June 24, 2008 1:51 AM
To: 'Boyd, Benjamin R'; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] (no subject)

I tried what you said with no result this is what I get:
And also to tell you that it on junose not junos.


C:\Documents and Settings\jet\Desktop\SNMPWALK_OCT31>snmpwalk.exe -v 2c -c
pop-RO 192.168.30.238 ifOutOctets

Cannot find module (IP-MIB): At line 0 in (none)
Cannot find module (IF-MIB): At line 0 in (none)
Cannot find module (TCP-MIB): At line 0 in (none)
Cannot find module (UDP-MIB): At line 0 in (none)
Cannot find module (SNMPv2-MIB): At line 0 in (none)
Cannot find module (SNMPv2-SMI): At line 0 in (none)
Cannot find module (UCD-SNMP-MIB): At line 0 in (none)
Cannot find module (UCD-DEMO-MIB): At line 0 in (none)
Cannot find module (SNMP-TARGET-MIB): At line 0 in (none)
Cannot find module (SNMP-VIEW-BASED-ACM-MIB): At line 0 in (non
Cannot find module (SNMP-COMMUNITY-MIB): At line 0 in (none)
Cannot find module (UCD-DLMOD-MIB): At line 0 in (none)
Cannot find module (SNMP-FRAMEWORK-MIB): At line 0 in (none)
Cannot find module (SNMP-MPD-MIB): At line 0 in (none)
Cannot find module (SNMP-USER-BASED-SM-MIB): At line 0 in (none
Cannot find module (SNMP-NOTIFICATION-MIB): At line 0 in (none)
Cannot find module (SNMPv2-TM): At line 0 in (none)
ifOutOctets: (Sub-id not found: (top) -> ifOutOctets)

C:\Documents and Settings\jet\Desktop\SNMPWALK_OCT31>













-----Original Message-----
From: Boyd, Benjamin R [mailto:Benjamin.R.Boyd@windstream.com]
Sent: Monday, June 23, 2008 5:20 PM
To: sunnyday; juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] (no subject)

SunnyDay,

I don't know the OID, but using snmpwalk.exe to find the outOctets you
would use the following:
snmpwalk.exe -v 1 -c "community" "device ip" ifOutOctets
Which will give you output resembling: (mib.ifIndex = outOctets)
ifOutOctets.35 = 3474330439
ifOutOctets.36 = 984860543
ifOutOctets.37 = 0
ifOutOctets.38 = 3450966616

>From here you'll have to find out the ifIndex of the interface you wish
to view:
In the juniper:
show snmp mib walk ifDescr

-Ben


-----Original Message-----
From: juniper-nsp-bounces@puck.nether.net
[mailto:juniper-nsp-bounces@puck.nether.net] On Behalf Of sunnyday
Sent: Monday, June 23, 2008 3:45 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] (no subject)

Hello anyone knows the OID or how can I view the output of the command:

Show egress-queue rates interface gigabitEthernet x/x/x

Via SNMP?

Thank you











_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp



****************************************************************************
***********

The information contained in this message, including attachments, may
contain
privileged or confidential information that is intended to be delivered only
to the
person identified above. If you are not the intended recipient, or the
person
responsible for delivering this message to the intended recipient,
Windstream requests
that you immediately notify the sender and asks that you do not read the
message or its
attachments, and that you delete them without copying or sending them to
anyone else.

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

That means there`s not a way to view the output of the command: Show
egress-queue rates interface gigabitEthernet x/x/x through SNMP?




-----Original Message-----
From: Jonathan Crawford [mailto:jj@powerset.com]
Sent: Tuesday, June 24, 2008 12:10 PM
To: sunnyday; juniper-nsp@puck.nether.net
Subject: [?? Probable Spam] RE: [j-nsp] (no subject)

This is because snmpwalk.exe cannot find the MIB files, and therefore does
not know how to translate ifOutOctets to ask for it from the router.

http://www.net-snmp.org/docs/FAQ.html#What_does__Cannot_find_module__XXX_MIB
___mean_

-Jonathan

-----Original Message-----
From: juniper-nsp-bounces@puck.nether.net
[mailto:juniper-nsp-bounces@puck.nether.net] On Behalf Of sunnyday
Sent: Tuesday, June 24, 2008 1:51 AM
To: 'Boyd, Benjamin R'; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] (no subject)

I tried what you said with no result this is what I get:
And also to tell you that it on junose not junos.


C:\Documents and Settings\jet\Desktop\SNMPWALK_OCT31>snmpwalk.exe -v 2c -c
pop-RO 192.168.30.238 ifOutOctets

Cannot find module (IP-MIB): At line 0 in (none)
Cannot find module (IF-MIB): At line 0 in (none)
Cannot find module (TCP-MIB): At line 0 in (none)
Cannot find module (UDP-MIB): At line 0 in (none)
Cannot find module (SNMPv2-MIB): At line 0 in (none)
Cannot find module (SNMPv2-SMI): At line 0 in (none)
Cannot find module (UCD-SNMP-MIB): At line 0 in (none)
Cannot find module (UCD-DEMO-MIB): At line 0 in (none)
Cannot find module (SNMP-TARGET-MIB): At line 0 in (none)
Cannot find module (SNMP-VIEW-BASED-ACM-MIB): At line 0 in (non
Cannot find module (SNMP-COMMUNITY-MIB): At line 0 in (none)
Cannot find module (UCD-DLMOD-MIB): At line 0 in (none)
Cannot find module (SNMP-FRAMEWORK-MIB): At line 0 in (none)
Cannot find module (SNMP-MPD-MIB): At line 0 in (none)
Cannot find module (SNMP-USER-BASED-SM-MIB): At line 0 in (none
Cannot find module (SNMP-NOTIFICATION-MIB): At line 0 in (none)
Cannot find module (SNMPv2-TM): At line 0 in (none)
ifOutOctets: (Sub-id not found: (top) -> ifOutOctets)

C:\Documents and Settings\jet\Desktop\SNMPWALK_OCT31>













-----Original Message-----
From: Boyd, Benjamin R [mailto:Benjamin.R.Boyd@windstream.com]
Sent: Monday, June 23, 2008 5:20 PM
To: sunnyday; juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] (no subject)

SunnyDay,

I don't know the OID, but using snmpwalk.exe to find the outOctets you
would use the following:
snmpwalk.exe -v 1 -c "community" "device ip" ifOutOctets
Which will give you output resembling: (mib.ifIndex = outOctets)
ifOutOctets.35 = 3474330439
ifOutOctets.36 = 984860543
ifOutOctets.37 = 0
ifOutOctets.38 = 3450966616

>From here you'll have to find out the ifIndex of the interface you wish
to view:
In the juniper:
show snmp mib walk ifDescr

-Ben


-----Original Message-----
From: juniper-nsp-bounces@puck.nether.net
[mailto:juniper-nsp-bounces@puck.nether.net] On Behalf Of sunnyday
Sent: Monday, June 23, 2008 3:45 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] (no subject)

Hello anyone knows the OID or how can I view the output of the command:

Show egress-queue rates interface gigabitEthernet x/x/x

Via SNMP?

Thank you











_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp



****************************************************************************
***********

The information contained in this message, including attachments, may
contain
privileged or confidential information that is intended to be delivered only
to the
person identified above. If you are not the intended recipient, or the
person
responsible for delivering this message to the intended recipient,
Windstream requests
that you immediately notify the sender and asks that you do not read the
message or its
attachments, and that you delete them without copying or sending them to
anyone else.

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

You'll need to install this module to run snmpwalk... Sorry
http://www.net-snmp.org/

-Ben

-----Original Message-----
From: sunnyday [mailto:cscosunny@gmail.com]
Sent: Tuesday, June 24, 2008 3:51 AM
To: Boyd, Benjamin R; juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] (no subject)

I tried what you said with no result this is what I get:
And also to tell you that it on junose not junos.


C:\Documents and Settings\jet\Desktop\SNMPWALK_OCT31>snmpwalk.exe -v 2c
-c pop-RO 192.168.30.238 ifOutOctets

Cannot find module (IP-MIB): At line 0 in (none) Cannot find module
(IF-MIB): At line 0 in (none) Cannot find module (TCP-MIB): At line 0 in
(none) Cannot find module (UDP-MIB): At line 0 in (none) Cannot find
module (SNMPv2-MIB): At line 0 in (none) Cannot find module
(SNMPv2-SMI): At line 0 in (none) Cannot find module (UCD-SNMP-MIB): At
line 0 in (none) Cannot find module (UCD-DEMO-MIB): At line 0 in (none)
Cannot find module (SNMP-TARGET-MIB): At line 0 in (none) Cannot find
module (SNMP-VIEW-BASED-ACM-MIB): At line 0 in (non Cannot find module
(SNMP-COMMUNITY-MIB): At line 0 in (none) Cannot find module
(UCD-DLMOD-MIB): At line 0 in (none) Cannot find module
(SNMP-FRAMEWORK-MIB): At line 0 in (none) Cannot find module
(SNMP-MPD-MIB): At line 0 in (none) Cannot find module
(SNMP-USER-BASED-SM-MIB): At line 0 in (none Cannot find module
(SNMP-NOTIFICATION-MIB): At line 0 in (none) Cannot find module
(SNMPv2-TM): At line 0 in (none)
ifOutOctets: (Sub-id not found: (top) -> ifOutOctets)

C:\Documents and Settings\jet\Desktop\SNMPWALK_OCT31>













-----Original Message-----
From: Boyd, Benjamin R [mailto:Benjamin.R.Boyd@windstream.com]
Sent: Monday, June 23, 2008 5:20 PM
To: sunnyday; juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] (no subject)

SunnyDay,

I don't know the OID, but using snmpwalk.exe to find the outOctets you
would use the following:
snmpwalk.exe -v 1 -c "community" "device ip" ifOutOctets Which will give
you output resembling: (mib.ifIndex = outOctets)
ifOutOctets.35 = 3474330439
ifOutOctets.36 = 984860543
ifOutOctets.37 = 0
ifOutOctets.38 = 3450966616

>From here you'll have to find out the ifIndex of the interface you wish
to view:
In the juniper:
show snmp mib walk ifDescr

-Ben


-----Original Message-----
From: juniper-nsp-bounces@puck.nether.net
[mailto:juniper-nsp-bounces@puck.nether.net] On Behalf Of sunnyday
Sent: Monday, June 23, 2008 3:45 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] (no subject)

Hello anyone knows the OID or how can I view the output of the command:

Show egress-queue rates interface gigabitEthernet x/x/x

Via SNMP?

Thank you











_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp



************************************************************************
****
***********

The information contained in this message, including attachments, may
contain privileged or confidential information that is intended to be
delivered only to the person identified above. If you are not the
intended recipient, or the person responsible for delivering this
message to the intended recipient, Windstream requests that you
immediately notify the sender and asks that you do not read the message
or its attachments, and that you delete them without copying or sending
them to anyone else.




***************************************************************************************

The information contained in this message, including attachments, may contain
privileged or confidential information that is intended to be delivered only to the
person identified above. If you are not the intended recipient, or the person
responsible for delivering this message to the intended recipient, Windstream requests
that you immediately notify the sender and asks that you do not read the message or its
attachments, and that you delete them without copying or sending them to anyone else.

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

You know how to tell when someone has an apple product?

They tell you they do..... :)

On Jun 4, 2010 7:34 AM, "Tomasz Mikołajek" <tmikolajek@gmail.com> wrote:

Someone has IPhone.
Sent from my MacBook. ;-)

2010/6/4 Shane Short <shane@short.id.au>


> It's the answer to the universe!!!!!
>
>
> *faints*
>
> On 04/06/2010, at 11:08 AM, Tommy Pernici...
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

It is willed by Emperor Jobs. May the farce be with you. When You finish eating an apple, does the disposal of the core, make the receptacle an Ican or an Ibin.

Apologies

Sent from my HTC. Opps! I've been Googled into an Android

----- Reply message -----
From: "Chris Evans" <chrisccnpspam2@gmail.com>
Date: Fri, Jun 4, 2010 12:55
Subject: [j-nsp] (no subject)
To: "Tomasz Mikołajek" <tmikolajek@gmail.com>
Cc: "juniper-nsp@puck.nether.net" <juniper-nsp@puck.nether.net>


You know how to tell when someone has an apple product?

They tell you they do..... :)

On Jun 4, 2010 7:34 AM, "Tomasz Mikołajek" <tmikolajek@gmail.com> wrote:

Someone has IPhone.
Sent from my MacBook. ;-)

2010/6/4 Shane Short <shane@short.id.au>


> It's the answer to the universe!!!!!
>
>
> *faints*
>
> On 04/06/2010, at 11:08 AM, Tommy Pernici...
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Ok, so if we are talking about mobile phones/smartphones, which one in the
best for network engineer? I am befor changing my phone to new one. I need
SSH and VPN.

W dniu 4 czerwca 2010 13:55 u¿ytkownik Chris Evans <chrisccnpspam2@gmail.com
> napisa³:

> You know how to tell when someone has an apple product?
>
> They tell you they do..... :)
>
> On Jun 4, 2010 7:34 AM, "Tomasz Miko³ajek" <tmikolajek@gmail.com> wrote:
>
> Someone has IPhone.
> Sent from my MacBook. ;-)
>
> 2010/6/4 Shane Short <shane@short.id.au>
>
>
> > It's the answer to the universe!!!!!
> >
> >
> > *faints*
> >
> > On 04/06/2010, at 11:08 AM, Tommy Pernici...
>
>
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

I would vote for iphone. It can do both ssh and vpn. I know because I have used both of them with iphone and they work like my desktop with minimal setup efforts. I currently use winmo device. I can do telnet/ssh with it (with certain winmo apps) but vpn has always been a bit tricky with it. May be I am not using it right. I use ssl vpn with juniper firewall and it does the job for me whenever needed. But I prefer iphone any day over winmo for its ease of use.



-----Original Message-----
From: Tomasz Miko³ajek <tmikolajek@gmail.com>
Sent: Sunday, June 06, 2010 1:12 AM
To: Chris Evans <chrisccnpspam2@gmail.com>
Cc: juniper-nsp@puck.nether.net <juniper-nsp@puck.nether.net>
Subject: Re: [j-nsp] (no subject)

Ok, so if we are talking about mobile phones/smartphones, which one in the
best for network engineer? I am befor changing my phone to new one. I need
SSH and VPN.

W dniu 4 czerwca 2010 13:55 u¿ytkownik Chris Evans <chrisccnpspam2@gmail.com
> napisa³:

> You know how to tell when someone has an apple product?
>
> They tell you they do..... :)
>
> On Jun 4, 2010 7:34 AM, "Tomasz Miko³ajek" <tmikolajek@gmail.com> wrote:
>
> Someone has IPhone.
> Sent from my MacBook. ;-)
>
> 2010/6/4 Shane Short <shane@short.id.au>
>
>
> > It's the answer to the universe!!!!!
> >
> >
> > *faints*
> >
> > On 04/06/2010, at 11:08 AM, Tommy Pernici...
>
>
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Jailbreaked iPhone, even you can use RDP in ssh tunnel.

Upcoming iPhone OS 4 will support SSL VPN from Juniper.

I haven't tried Android, but iPhone is good enough when you used to use
shell with touch screen.

[?]

2010/6/5 Tomasz Miko³ajek <tmikolajek@gmail.com>

> Ok, so if we are talking about mobile phones/smartphones, which one in the
> best for network engineer? I am befor changing my phone to new one. I need
> SSH and VPN.
>
> W dniu 4 czerwca 2010 13:55 u¿ytkownik Chris Evans <
> chrisccnpspam2@gmail.com
> > napisa³:
>
> > You know how to tell when someone has an apple product?
> >
> > They tell you they do..... :)
> >
> > On Jun 4, 2010 7:34 AM, "Tomasz Miko³ajek" <tmikolajek@gmail.com> wrote:
> >
> > Someone has IPhone.
> > Sent from my MacBook. ;-)
> >
> > 2010/6/4 Shane Short <shane@short.id.au>
> >
> >
> > > It's the answer to the universe!!!!!
> > >
> > >
> > > *faints*
> > >
> > > On 04/06/2010, at 11:08 AM, Tommy Pernici...
> >
> >
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>



--
Best Regards!

Ivan Ivanov

Have you ever used Junos Pulse on mobile phone?

W dniu 5 czerwca 2010 22:29 u¿ytkownik Ivan Ivanov
<ivanov.ivan@gmail.com>napisa³:

> Jailbreaked iPhone, even you can use RDP in ssh tunnel.
>
> Upcoming iPhone OS 4 will support SSL VPN from Juniper.
>
> I haven't tried Android, but iPhone is good enough when you used to use
> shell with touch screen.
>
> [?]
>
> 2010/6/5 Tomasz Miko³ajek <tmikolajek@gmail.com>
>
>> Ok, so if we are talking about mobile phones/smartphones, which one in the
>> best for network engineer? I am befor changing my phone to new one. I need
>> SSH and VPN.
>>
>> W dniu 4 czerwca 2010 13:55 u¿ytkownik Chris Evans <
>> chrisccnpspam2@gmail.com
>> > napisa³:
>>
>> > You know how to tell when someone has an apple product?
>> >
>> > They tell you they do..... :)
>> >
>> > On Jun 4, 2010 7:34 AM, "Tomasz Miko³ajek" <tmikolajek@gmail.com>
>> wrote:
>> >
>> > Someone has IPhone.
>> > Sent from my MacBook. ;-)
>> >
>> > 2010/6/4 Shane Short <shane@short.id.au>
>> >
>> >
>> > > It's the answer to the universe!!!!!
>> > >
>> > >
>> > > *faints*
>> > >
>> > > On 04/06/2010, at 11:08 AM, Tommy Pernici...
>> >
>> >
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>
>
>
> --
> Best Regards!
>
> Ivan Ivanov
>

On 6/5/2010 3:36 PM, Tomasz Miko³ajek wrote:
> Ok, so if we are talking about mobile phones/smartphones, which one in the
> best for network engineer? I am befor changing my phone to new one. I need
> SSH and VPN.

I'm quite happy so far with my Droid. It has an excellent ssh client,
ConnectBot, that lets you open up multiple simultaneous ssh sessions. I
haven't played around with it's VPN capabilities, but it claims support for
PPTP, L2TP, and IPSec connections, and if you're willing to root the phone,
openvpn as well.

--
Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
WPI Senior Network Engineer | is simple, elegant, and wrong. - HL Mencken
GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

+1

Droid is great for SSH... Connectbot is by far the best mobile SSH client
ever... Better than blackberry's offerings and WinMo...

--
Tim

2010/6/5 Frank Sweetser <fs@wpi.edu>

> On 6/5/2010 3:36 PM, Tomasz Miko³ajek wrote:
>
>> Ok, so if we are talking about mobile phones/smartphones, which one in the
>> best for network engineer? I am befor changing my phone to new one. I need
>> SSH and VPN.
>>
>
> I'm quite happy so far with my Droid. It has an excellent ssh client,
> ConnectBot, that lets you open up multiple simultaneous ssh sessions. I
> haven't played around with it's VPN capabilities, but it claims support for
> PPTP, L2TP, and IPSec connections, and if you're willing to root the phone,
> openvpn as well.
>
> --
> Frank Sweetser fs at wpi.edu | For every problem, there is a solution
> that
> WPI Senior Network Engineer | is simple, elegant, and wrong. - HL
> Mencken
> GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

http://maryknoll.macrored.net/site.twitter.page.php?w=b2o2x5s2y7
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

http://accounts.frameboxx.in/best_site.php?e=b9g4f4q9r9
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

http://ceriategas.com/page_facebook.php?m=o7a4f6m1d1
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

http://getafeservicios.com/www.foxnews.com.happynewjob.news35.php
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

http://domaine-de-montboulon.com/work.at.home.n.php?ID=020
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

I get sick of these idiots sending this...

Does Juniper have any protection they can offer the puck list? :)
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Route through google groups , Then it only bothers moderators.

On Thu, Jan 10, 2013 at 4:32 PM, Paulhamus, Jon <jpaulhamus@iu17.org> wrote:
> I get sick of these idiots sending this...
>
> Does Juniper have any protection they can offer the puck list? :)
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

As the list owner (it's not run by juniper) these are harder to block than you think and not that easy.

Jared Mauch

On Jan 10, 2013, at 4:53 PM, 叶雨飞 <sunyucong@gmail.com> wrote:

> Route through google groups , Then it only bothers moderators.
>
> On Thu, Jan 10, 2013 at 4:32 PM, Paulhamus, Jon <jpaulhamus@iu17.org> wrote:
>> I get sick of these idiots sending this...
>>
>> Does Juniper have any protection they can offer the puck list? :)
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Are you ready to lose 7 pounds of fat in your first week? Start now http://radiosonfm.com/weight.drop.n.php?SID=918
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

http://www.diagnosticarte.com/nwpuyw/ozb.rvh?ze


















snort bsd
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Obviously
Den 1 apr 2016 18:48 skrev "Peter Ehiwe" <peterehiwe@gmail.com>:

> Swssr
>
> --
> Sent from Mobile
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

HI! Mark

Thanks for your help. Attached is my configuration file. FYI.

BR!

Chen Jiang


On Mon, Nov 15, 2021 at 7:44 AM Mark Tees <marktees@gmail.com> wrote:

> Hey,
>
> I have done some similar testing for L2.
>
> Are you able to send your example/test config in a text file or
> something allowing for easy reading and I can test it in the lab for
> you also?
>
> Your message came through in a hard to read format/possibly your mail
> client remove the spaces and newlines from the Junos config.
>
> On Sun, 14 Nov 2021 at 16:52, Chen Jiang via juniper-nsp
> <juniper-nsp@puck.nether.net> wrote:
> >
> > Hi! Experts
> >
> > End user asked us to implement QinQ (translate inner tag and push outer
> > tag) in QFX5100, but from POC it did not work as expected, Could QFX
> work
> > as in the configuration below? Someone said QFX could only handle outer
> > tag. Thanks for your advice. *Requirement:*
> > QFX et-0/0/0/48 receive customer traffic with vlan 96, QFX5100 need push
> > SVLAN tag 10 when sending out from interface et-0/0/49;
> > QFX et-0/0/0/48 receive customer traffic with vlan 914, QFX5100 need
> > translate CVLAN from 914 to 200 and push SVLAN tag 10 when sending out
> from
> > interface et-0/0/49; *POC configuration:* lab@GM2# show interfaces
> > et-0/0/48 flexible-vlan-tagging; mtu 9000; encapsulation
> > flexible-ethernet-services; unit 10 { encapsulation vlan-bridge; vlan-id
> > 96; input-vlan-map { swap-push; vlan-id 10; inner-vlan-id 96; }
> > output-vlan-map pop-swap; } unit 20 { encapsulation vlan-bridge; vlan-id
> > 914; input-vlan-map { swap-push; vlan-id 10; inner-vlan-id 200; }
> > output-vlan-map pop-swap; } lab@GM2# show interfaces et-0/0/49
> > flexible-vlan-tagging; encapsulation flexible-ethernet-services; unit 10
> {
> > encapsulation vlan-bridge; vlan-tags outer 10 inner 96; } unit 20 {
> > encapsulation vlan-bridge; vlan-tags outer 10 inner 200; } lab@GM2# show
> > vlans qinq10-200 { interface et-0/0/48.20; interface et-0/0/49.20; }
> > qinq10-96 { interface et-0/0/48.10; interface et-0/0/49.10; }
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
>
> --
>
> M Tees
>


--
BR!



James Chen

HI! Mark

Thanks for your sharing, so this means QFX5K cannot do double tag
(pop/swap/push inner tags) operation?

BR!

James

On Wed, Nov 17, 2021 at 5:39 AM Mark Tees <marktees@gmail.com> wrote:

> Hi Chen,
>
> In my testing the operations that worked involve double tagged frames were:
>
> * match on both tags (STAG/CTAG)
> * pop/swap/push on outer tag only. Any operation involving inner tags
> either dropped traffic or just did nothing
>
> If we required double tag operations like pop-pop or swap-swap then we
> did full port tunnel over L2Circuit to MX then back down.
>
> My testing was with VLAN bridge and L2Circuit.
>
> --Mark
>
> On Mon, 15 Nov 2021 at 15:14, Chen Jiang <ilovebgp4@gmail.com> wrote:
> >
> >
> > HI! Mark
> >
> > Thanks for your help. Attached is my configuration file. FYI.
> >
> > BR!
> >
> > Chen Jiang
> >
> >
> > On Mon, Nov 15, 2021 at 7:44 AM Mark Tees <marktees@gmail.com> wrote:
> >>
> >> Hey,
> >>
> >> I have done some similar testing for L2.
> >>
> >> Are you able to send your example/test config in a text file or
> >> something allowing for easy reading and I can test it in the lab for
> >> you also?
> >>
> >> Your message came through in a hard to read format/possibly your mail
> >> client remove the spaces and newlines from the Junos config.
> >>
> >> On Sun, 14 Nov 2021 at 16:52, Chen Jiang via juniper-nsp
> >> <juniper-nsp@puck.nether.net> wrote:
> >> >
> >> > Hi! Experts
> >> >
> >> > End user asked us to implement QinQ (translate inner tag and push
> outer
> >> > tag) in QFX5100, but from POC it did not work as expected, Could QFX
> work
> >> > as in the configuration below? Someone said QFX could only handle
> outer
> >> > tag. Thanks for your advice. *Requirement:*
> >> > QFX et-0/0/0/48 receive customer traffic with vlan 96, QFX5100 need
> push
> >> > SVLAN tag 10 when sending out from interface et-0/0/49;
> >> > QFX et-0/0/0/48 receive customer traffic with vlan 914, QFX5100 need
> >> > translate CVLAN from 914 to 200 and push SVLAN tag 10 when sending
> out from
> >> > interface et-0/0/49; *POC configuration:* lab@GM2# show interfaces
> >> > et-0/0/48 flexible-vlan-tagging; mtu 9000; encapsulation
> >> > flexible-ethernet-services; unit 10 { encapsulation vlan-bridge;
> vlan-id
> >> > 96; input-vlan-map { swap-push; vlan-id 10; inner-vlan-id 96; }
> >> > output-vlan-map pop-swap; } unit 20 { encapsulation vlan-bridge;
> vlan-id
> >> > 914; input-vlan-map { swap-push; vlan-id 10; inner-vlan-id 200; }
> >> > output-vlan-map pop-swap; } lab@GM2# show interfaces et-0/0/49
> >> > flexible-vlan-tagging; encapsulation flexible-ethernet-services; unit
> 10 {
> >> > encapsulation vlan-bridge; vlan-tags outer 10 inner 96; } unit 20 {
> >> > encapsulation vlan-bridge; vlan-tags outer 10 inner 200; } lab@GM2#
> show
> >> > vlans qinq10-200 { interface et-0/0/48.20; interface et-0/0/49.20; }
> >> > qinq10-96 { interface et-0/0/48.10; interface et-0/0/49.10; }
> >> > _______________________________________________
> >> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> >> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >>
> >>
> >>
> >> --
> >>
> >> M Tees
> >
> >
> >
> > --
> > BR!
> >
> >
> >
> > James Chen
>
>
>
> --
>
> M Tees
>


--
BR!



James Chen
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Barry,

Thanks for the link. I had to laugh at this: 'you are tired of arguing with your network architecture team (“we are here to transport packets” vs “the Internet firewall” ;-)'. 20 years later, that still rings awfully true for me.

This diagram accurately displays how I've built a dirtyVRF that can use either FBF or, these days, Flowspec to vrf redirection. For example I have 5 ASBR and the inspection POC is only attached to a single POP. FBF indeed works great and scales “good enough” if well designed.

-Michael

From: Barry Raveendran Greene <bgreene@senki.org>
Sent: Tuesday, April 2, 2024 11:30 AM
To: Michael Hare <michael.hare@wisc.edu>
Cc: juniper-nsp@puck.nether.net
Subject: Re: (No subject)


Have you reviewed the MPLS Shunt work from the mid-2000s? David Smith figured this out with AT&T.

[.note: attachment removed by michael.hare, my outlook helpful tried to inline it. See Barry’s original message]


On Apr 2, 2024, at 10:25, Michael Hare via juniper-nsp <juniper-nsp@puck.nether.net<mailto:juniper-nsp@puck.nether.net>> wrote:
?Hi there,

We're a US research and education ISP and we've been tasked for coming up with an architecture to allow on premise DDoS scrubbing with an appliance. As a first pass I've created an cleanL3VPN routing-instance to function as a clean VRF that uses rib-groups to mirror the relevant parts of inet.0. It is in production and is working great for customer learned BGP routes. It falls apart when I try to protect a directly attached destination that has a mac address in inet.0. I think I understand why and the purpose of this message is to see if anyone has been in a similar situation and has thoughts/advice/warnings about alternative designs.

To explain what I see, I noticed that mac address based nexthops don't seem to be copied from inet.0 into cleanL3VPN.inet.0. I assume this means that mac-address based forwarding must be referencing inet.0 [see far below]. This obviously creates a loop once the best path in inet.0 becomes a BGP /32. For example when I'm announcing a /32 for 1.2.3.4 out of a locally attached 1.2.3.0/26, traceroute implies the packet enters inet.0, is sent to 5.6.7.8 as the nexthop correctly, arrives in cleanL3VPN which decides to forward to 5.6.7.8 in a loop, even though the BGP /32 isn't part of cleanL3VPN [see below], cleanL3VPN Is dependent on inet.0 for resolution. Even if I could copy inet.0 mac addresses into cleanL3VPN, eventually the mac address would age out of inet.0 because the /32 would no longer be directly connected. If I want to be able to protect locally attached destinations so I think my design is unworkable, I think my solutions are

= use flowspec redirection to dirty VRF, keep inet.0 as clean and use flowspec interface filter-group appropriately on backbone interfaces [routing-options flow interface-group exclude, which I already have deployed correctly]. This seems easy but is less performant.
= put my customers into a customerVRF and deal with route leaking between global and customerVRF. This is a well-known tactic but more complicated to approach and disruptive to deploy as I have to airlift basically all the customers to into a VRF to have full coverage.

For redirection, to date I've been looking at longest prefix match solutions due to the presumed scalability vs using flowspec. I have an unknown amount of "always on" redirects I might be asked to entertain. 10? 100? 1000? I'm trying to come up with a solution that doesn't rely on touching the routers themselves. I did think about creating a normal [non flowspec] input firewall term on untrusted interfaces that redirects to dirty VRF based in a single destination prefix-list and just relying on flowspec for on demand stuff with the assumption one firewall term with let's say 1000 prefixes is more performant than 1000 standalone flowspec rules. I think my solution is fundamentally workable but I don't think the purchased turnkey ddos orchestration is going to natively interact with our Junipers, so that is looked down upon, since it would require " a router guy " or writing custom automation when adding/removing always-on protection. Seems technically very viable to me, I jus
t bring up these details because I feel like without a ton of effort VRF redirection can be made to be nearly as performant as longest prefix match.

While we run MPLS, currently all of our customers/transit are in the global table. I'm trying to avoid solutions for now that puts the 1M+ RIB DFZ zone into an L3VPN; it's awfully big change I don't want to rush into especially for this proof of concept but I'd like to hear opinions if that's the best solution to this specific problem. I'm not sure it's fundamentally different than creating a customerVRF, seems like I just need to separate the customers from the internet ingress.

My gut says "the best" thing to do is to create a customerVRF but it feels a bit complicated as I have to worry about things like BGP/static/direct and will lose addPath [.I recently discovered add-path and route-target are mutually exclusive in JunOS].

My gut says "the quickest" and least disruptive thing to do is to go the flowspec/filter route and frankly I'm beginning to lean that way since I'm already partially in production and needed to have a solution 5 days ago to this problem :>

I've done all of these things before [flowspec, rib leaking] I think it's just a matter of trying to figure out the next best step and was looking to see if anyone has been in a similar situation and has thoughts/advice/warnings.

I'm talking about IPv4 below but I ack IPv6 is a thing and I would just do the same solution.

-Michael

===/===

@$myrouter> show route forwarding-table destination 1.2.3.4 extensive
Apr 02 08:39:10
Routing table: default.inet [Index 0]
Internet:

Destination: 1.2.3.4/32
Route type: user
Route reference: 0 Route interface-index: 0
Multicast RPF nh index: 0
P2mpidx: 0
Flags: sent to PFE
Next-hop type: indirect Index: 1048588 Reference: 3
Nexthop: 5.6.7.8
Next-hop type: unicast Index: 981 Reference: 3
Next-hop interface: et-0/1/10.3099

Destination: 1.2.3.4/32
Route type: destination
Route reference: 0 Route interface-index: 85
Multicast RPF nh index: 0
P2mpidx: 0
Flags: none
Nexthop: 0:50:56:b3:4f:fe
Next-hop type: unicast Index: 1562 Reference: 1
Next-hop interface: ae17.3347

Routing table: cleanL3VPN.inet [Index 21]
Internet:

Destination: 1.2.3.0/26
Route type: user
Route reference: 0 Route interface-index: 0
Multicast RPF nh index: 0
P2mpidx: 0
Flags: sent to PFE, rt nh decoupled
Next-hop type: table lookup Index: 1 Reference: 40
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net<mailto:juniper-nsp@puck.nether.net>
https://puck.nether.net/mailman/listinfo/juniper-nsp<https://urldefense.com/v3/__https:/puck.nether.net/mailman/listinfo/juniper-nsp__;!!Mak6IKo!LuXdRHuh0QetZnMvY86BUL0wmgh25IeJFYeF-boBkqP0E84R086b72TtAOLcF5CcRVcSfkuMoCMrLjY9g38$>
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp