Channel: All Routing posts

support of Inline Active flow monitoring on MS-MIC with Junos 14.2 and Junos traffic vision V9 only


Hi All,

One of my customers has MX-480 & MX-960 and they want to use MS-MIC for inline active flow monitoring on each box. The Junos version is 14.2 and they want to use Junos traffic vision V9 only.

1. It seems from the below link that while using MS-MIC on Junos 13.2 and above, it supports inline active flow monitoring. Is it true?

https://www.juniper.net/documentation/en_US/release-independent/junos/topics/reference/general/mic-mx-series-ms.html

There is another link which is supporting the above statement.

https://www.juniper.net/documentation/en_US/junos/topics/example/jflow-v9-configuring-on-ms-mic.html

2. Is there any difference between inline active flow monitoring and active flow monitoring?

I will really appreciate your quick response on this query.

 

Regards

Badar


Re: support of Inline Active flow monitoring on MS-MIC with Junos 14.2 and Junos traffic vision V9 only


Hi Badar,

 

 

We can do flow monitoring using the below methods in Junos:

 

1. Inline active flow monitoring is implemented on the Packet Forwarding Engine on the FPC.

2. Active flow monitoring uses MS-MIC/Multiservice cards.

 

Inline Jflow is a feature which aims at supporting Jflow on the PFE rather than on the services PIC.

 

Hope this helps

 

 

Re: Inject L2TP pool into isis


Hi Rahul,

 

Thought it may be appropriate here to post a warning regarding the configuration used:

 

It appears that although everything seems to be working perfectly there was a slight issue that I had:

 

On the MX240 that I am using as an LNS, it appeared that ISIS was accepting route advertisement entering from the MX240 Core and anything attached to it, but the MX240 itself was not advertising the other way. So the static route to the LAC and the VPN assigned traffic and any other external routes were not being advertised. Therefore, the user could not be authenticated against the RADIUS because there was no route back. I removed the config and it all worked again okay.

 

Can you let me know a reason why the following would cause that:

set policy-options policy-statement dyn-vpn-route term 1 from instance master

 

After completing traceoptions on ISIS it was showing "Reject routes" and naming "instance master" as the reason. I know that the Instance Master utilises the inet0 routing table.... any ideas Rahul?

 

Thanks

 

ISIS Export Policies (Policy-Options)


Hi,

 

Set up: 

Laptop -> Cisco 1841 (PPP PAP client) -> Cisco 1841 (LAC) -> Juniper MX240 (LNS) -> MX240 (Core) -> SRX1500 -> RADIUS

 

When powering up all the devices I get an L2TP tunnel and authentication accept from the RADIUS. No problem there. When I look at the routing table on the Core MX I can see all routes from the RADIUS back to the LNS and I can ping everywhere, except for the client address issued to the PPP interface on the PAP Client. With a "show ip int brief" I can see the allocation of the address from the pool configured on the LNS. So, to get around this issue, I configured a static route on the MX240 (LNS) pointing to the network with a next-hop address of the tunnel interface. I then configured a routing-policy that had an accept/reject term associated.

Strangely, even though the authentication still worked and the PAP client still had the IP address assigned (showing connectivity in both directions from the PAP client to the RADIUS), there were routes suddenly missing on the MX240 Core.... the route for the PAP PPP Client was now there and could be ping'd but now the routes for the MX240 LNS loopback and tunnel interface were missing, even though the L2TP still worked. I tried this with the following two methods:

 

set policy-options policy-statement term 1 from instance master

 

ISIS Traceoptions showed routes were being rejected because of this.... So I then tried:

 

set policy-options policy-statement term 1 from instance inet.0

 

This seemed to cause the same issue.... very strange behaviour and I am hoping someone can tell me the best way forward to advertise a network at the far end on the client, so I can test IPv6 to IPv4 and vice versa.... I can't do this until I can advertise the networks.....

 

Thanks

 

Re: ISIS Export Policies (Policy-Options)


As an add on to this, with a little more information......

 

I believe that the required network advertisements will take place via BGP once it is configured, but I cannot do that yet until it is connected to the secondary ISP (Wholesale) and I don't want to do that until tested. I can get another 1841 and see if I can configure BGP on it and advertise the networks..... see what happens from there....

 

 

Re: ISIS Export Policies (Policy-Options)


Hi,

 

For every PPP subscriber terminating on the LNS there will be an access-internal route. We redistribute the same using an export policy.

Not sure why you need instance master for redistributing subscriber routes to the core.

Suppose we have 16k subscribers terminating on the LNS. Redistributing 16k access-internal routes is not an ideal solution as it can cause CPU related issues due to frequent login/logout of subscribers. In this scenario, we use an aggregate route to redistribute the subscriber aggregate, as there will be contributing access-internal routes.

 

Note: For a network behind the subscriber, we use framed-route. This is pushed via RADIUS during subscriber login. framed-route will create an access route, which is redistributed in the same way as access-internal.

 

Example is shown below

 

"Framed-Route" = "X.X.X.0/24 1 tag 66 distance 10"
 
X.X.X.X/32      *[Access-internal/12] 00:00:31
                      Private unicast
X.X.X.0/24      *[Access/10] 00:00:31, metric 1, tag 66
                      Private unicast

 

Regards,

Rahul N
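
The aggregate-route approach described in the reply above, written out as an added example (not configuration from the original posts). The policy name export-subscriber-agg is hypothetical, and 192.168.85.0/24 is the IPv4 subscriber pool quoted elsewhere in this thread.

```junos
# Added example; policy name export-subscriber-agg is hypothetical.
# 192.168.85.0/24 is the subscriber pool quoted elsewhere in this thread.

# Aggregate covering the pool. By default it is active only while at
# least one contributing (more specific) route, such as a subscriber
# /32 access-internal route, exists.
set routing-options aggregate route 192.168.85.0/24

# Term agg: advertise only the aggregate itself into IS-IS.
set policy-options policy-statement export-subscriber-agg term agg from protocol aggregate
set policy-options policy-statement export-subscriber-agg term agg from route-filter 192.168.85.0/24 exact
set policy-options policy-statement export-subscriber-agg term agg then accept

# Term no-host-routes: keep per-subscriber host routes out of IS-IS so
# that subscriber login/logout churn does not reach the core.
set policy-options policy-statement export-subscriber-agg term no-host-routes from protocol access-internal
set policy-options policy-statement export-subscriber-agg term no-host-routes then reject

# Apply the policy as the IS-IS export policy on the LNS.
set protocols isis export export-subscriber-agg
```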

 

Re: ISIS Export Policies (Policy-Options)


Hi Rahul,

 

Our end resolution, as we have already discussed, is that we will supply the CPE (or CE) with the following configuration:

 

CE to Provider Edge -- IPv6

CE facing customer circuits - IPv6 and IPv4

 

So, given the above, what we are going to be testing is connectivity from a pure IPv6 client to an IPv4 only client at the far end and vice-versa.

 

I took the code from the Juniper Website and changed it slightly to suit our needs. The weird thing is, even though the routes don't seem to exist, I can still ping the address. I will take some screenshots and post here.

 

Thanks for the other information Rahul... much appreciated as always.

 

Thanks

Multicast Routing - MPLS + EVPN + MVPN


Hello All,

I have two EX9200's directly connected (P+PE/CE in one) with MPLS and the EVPN overlay protocol enabled.

On EX9200-1 I have an external connection (ge-0/0/2) with several multicast sources. For this PIM and IGMP are enabled.
Multicast routing works fine. Hosts in a different VLAN (irb/vlan 545) can receive multicast groups (audio/video) fine.

 

Because we run EVPN, we also have irb/vlan 545 on EX9200-2. I also want that segment to be able to receive the multicast groups.

For this I have enabled MVPN and set up a tunnel-provider connection between the EX devices using this information:

https://www.juniper.net/documentation/en_US/junos/topics/example/multicast-vpn-example-mbgp-mvpn-solutions.html

The only change is that I use ISIS instead of OSPF and LDP instead of RSVP.

 

IGMP join packets from devices attached to EX9200-2 are received by the RP (EX9200-1) and mVPN is advertising all available groups to EX9200.

Stuff should work but it doesn't.

 

Config EX9200-1

#show configuration routing-instances HOSTING-VRF protocols

pim {
    rp {
        local {
            address 10.10.254.11;
        }
    }
    interface ge-0/0/2.0 {
        mode sparse;
        version 2;
    }
    interface lo0.1 {
        mode sparse;
        version 2;
    }
    interface irb.545 {
        mode sparse;
        version 2;
    }
}
mvpn {
    route-target {
        import-target {
            target target:100:1010;
        }
        export-target {
            target target:100:1010;
        }
    }
}
#show configuration routing-instances HOSTING-VRF provider-tunnel
ldp-p2mp;
# show configuration protocols igmp

interface ge-0/0/2.0 {
    version 3;
}
interface irb.545 {
    version 3;
}

 

Config EX9200-2:

#show configuration routing-instances HOSTING-VRF protocols

pim {
    rp {
        static {
            address 10.10.254.11;
        }
    }
    interface lo0.1 {
        mode sparse;
        version 2;
    }
    interface irb.545 {
        mode sparse;
        version 2;
    }
}
mvpn {
    route-target {
        import-target {
            target target:100:1010;
        }
        export-target {
            target target:100:1010;
        }
    }
}
#show configuration routing-instances HOSTING-VRF provider-tunnel
ldp-p2mp;
#show configuration protocols igmp

 

Results:

EX9200-1

#show route table HOSTING-VRF.mvpn.0

7:10.10.254.5:9:12345:32:20.20.174.14:32:224.1.4.26/240
                   *[MVPN/70] 1w0d 03:00:53, metric2 1
                      Multicast (IPv4) Composite
                    [PIM/105] 1w0d 03:00:53
                      Multicast (IPv4) Composite


#show mvpn neighbor instance-name HOSTING-VRF

MVPN instance:
Legend for provider tunnel
S-    Selective provider tunnel

Legend for c-multicast routes properties (Pr)
DS -- derived from (*, c-g)          RM -- remote VPN route
Family : INET

Instance : HOSTING-VRF
  MVPN Mode : SPT-ONLY
  Neighbor                              Inclusive Provider Tunnel
  10.10.254.4                          LDP-P2MP:10.10.254.4, lsp-id 16777217

MVPN instance:
Legend for provider tunnel
S-    Selective provider tunnel

Legend for c-multicast routes properties (Pr)
DS -- derived from (*, c-g)          RM -- remote VPN route
Family : INET6

Instance : HOSTING-VRF
  MVPN Mode : SPT-ONLY
  Neighbor                              Inclusive Provider Tunnel
  10.10.254.4                          LDP-P2MP:10.10.254.4, lsp-id 16777217

 

 

EX9200-2:

#show route table HOSTING-VRF.mvpn.0

5:10.10.254.5:9:32:80.79.37.230:32:224.1.4.232/240
                   *[BGP/170] 1w2d 00:12:11, localpref 100, from 10.10.254.5
                      AS path: I, validation-state: unverified
                    > to 10.10.254.194 via ae0.0
#show mvpn neighbor instance-name HOSTING-VRF

MVPN instance:
Legend for provider tunnel
S-    Selective provider tunnel

Legend for c-multicast routes properties (Pr)
DS -- derived from (*, c-g)          RM -- remote VPN route
Family : INET

Instance : HOSTING-VRF
  MVPN Mode : SPT-ONLY
  Neighbor                              Inclusive Provider Tunnel
  10.10.254.5                          LDP-P2MP:10.10.254.5, lsp-id 16777217

MVPN instance:
Legend for provider tunnel
S-    Selective provider tunnel

Legend for c-multicast routes properties (Pr)
DS -- derived from (*, c-g)          RM -- remote VPN route
Family : INET6

Instance : HOSTING-VRF
  MVPN Mode : SPT-ONLY
  Neighbor                              Inclusive Provider Tunnel
  10.10.254.5                          LDP-P2MP:10.10.254.5, lsp-id 16777217

Does anyone ever get this setup to work?

 

 


MX irb and SRX reth Issue


Hi All,

I am struggling being able to configure the irb on my MX104 to be able to ping across to my reth on my SRX240H2.
See the following configurations, but do note that since I am building this out in my lab, there is only one uplink in the reth and irb at this time.
MX Config

root> show configuration bridge-domains
srx240 {
domain-type bridge;
vlan-id 100;
interface ge-0/1/0.0;
routing-interface irb.0;
}
irb {
mtu 1500;
unit 0 {
family inet {
address 10.38.38.1/24;
}
}
}
ge-0/1/0 {
encapsulation ethernet-bridge;
unit 0 {
family bridge;
}
}



SRX Configuration

redundancy-group 2 {
node 0 priority 100;
node 1 priority 1;
}
root@lab-srx-01-a> show configuration interfaces reth2
redundant-ether-options {
redundancy-group 2;
}
unit 0 {
family inet {
mtu 1500;
sampling {
input;
output;
}
address 10.38.38.65/24;
}
}

root@lab-srx-01-a> show configuration security zones security-zone trust
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
reth2.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
ge-1/0/0 {
gigether-options {
redundant-parent reth2;
}
}



I am unable to get the reth to show as up, showing interfaces terse shows the reth as down. When I configure each interface as a layer 3 interface, it works fine, I seem to be missing something.

 

Thanks in advance for any help you can provide. 

Re: ISIS Export Policies (Policy-Options)


Hi Rahul,

 

Strangely all the routes have come back now....

As mentioned, I need to test IPv6 and as such have changed my pool address assignment from IPv4 to IPv6 as per below:

 

I removed these commands:

delete access address-assignment pool POOL family inet network 192.168.85.0/24
delete access address-assignment pool POOL family inet range lns low 192.168.85.1
delete access address-assignment pool POOL family inet range lns high 192.168.85.254

 

And replaced the pool with:

set access address-assignment pool POOL family inet6 prefix 2a05:d840:0100::/48
set access address-assignment pool POOL family inet6 range lns low 2a05:d840:0100:ffff:ffff:ffff:0000:0001/48
set access address-assignment pool POOL family inet6 range lns high 2a05:d840:0100:ffff:ffff:ffff:0000:0050/48

 

No IP address is being assigned to the PPP Client.... any idea why please Rahul?

 

Thanks

 

Clive

Re: ISIS Export Policies (Policy-Options)


Here is my current configuration. Juniper does not make it clear in its website reference IPv6 configuration:

 

set dynamic-profiles dyn-hex-lns-profile routing-instances "$junos-routing-instance" interface "$junos-interface-name"
set dynamic-profiles dyn-hex-lns-profile routing-instances "$junos-routing-instance" routing-options access route $junos-framed-route-ip-address-prefix next-hop "$junos-framed-route-nexthop"
set dynamic-profiles dyn-hex-lns-profile routing-instances "$junos-routing-instance" routing-options access route $junos-framed-route-ip-address-prefix metric "$junos-framed-route-cost"
set dynamic-profiles dyn-hex-lns-profile routing-instances "$junos-routing-instance" routing-options access route $junos-framed-route-ip-address-prefix preference "$junos-framed-route-distance"
set dynamic-profiles dyn-hex-lns-profile routing-instances "$junos-routing-instance" routing-options access-internal route $junos-subscriber-ip-address qualified-next-hop "$junos-interface-name"
set dynamic-profiles dyn-hex-lns-profile interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" dial-options l2tp-interface-id l2tp-encapsulation
set dynamic-profiles dyn-hex-lns-profile interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" dial-options dedicated
set dynamic-profiles dyn-hex-lns-profile interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" no-traps
set dynamic-profiles dyn-hex-lns-profile interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet unnumbered-address "$junos-loopback-interface"


set system services subscriber-management enable

set chassis fpc 1 pic 2 tunnel-services bandwidth 1g
set chassis fpc 1 pic 2 inline-services bandwidth 1g
set chassis fpc 1 pic 2 max-queues-per-interface 8
set chassis network-services enhanced-ip
set services l2tp tunnel-group LAC l2tp-access-profile l2tp-profile
set services l2tp tunnel-group LAC aaa-access-profile aaa-profile
set services l2tp tunnel-group LAC local-gateway address 195.80.0.29
set services l2tp tunnel-group LAC service-device-pool lns
set services l2tp tunnel-group LAC dynamic-profile dyn-hex-lns-profile
set services l2tp traceoptions file ninel2tp
set services l2tp traceoptions file size 100m
set services l2tp traceoptions level all
set services l2tp traceoptions flag all
set services service-device-pools pool lns interface si-1/2/0


set interfaces si-1/2/0 hierarchical-scheduler maximum-hierarchy-levels 2
set interfaces si-1/2/0 encapsulation generic-services
set interfaces si-1/2/0 unit 0 family inet
set interfaces si-1/2/0 unit 0 family inet6


set protocols ppp-service traceoptions file jpppd
set protocols ppp-service traceoptions file size 800m
set protocols ppp-service traceoptions file files 15
set protocols ppp-service traceoptions level all
set protocols ppp-service traceoptions flag all
set policy-options policy-statement export-statics term 1 from protocol static
set policy-options policy-statement export-statics term 1 then accept
set access group-profile l2tp-group-profile ppp idle-timeout 200
set access group-profile l2tp-group-profile ppp ppp-options pap
set access group-profile l2tp-group-profile ppp ppp-options mtu 1430
set access group-profile l2tp-group-profile ppp keepalive 30
set access group-profile l2tp-group-profile ppp primary-dns 8.8.8.8
set access group-profile l2tp-group-profile ppp secondary-dns 8.8.4.4
set access profile l2tp-profile client 21HEX l2tp maximum-sessions-per-tunnel 4000
set access profile l2tp-profile client 21HEX l2tp interface-id l2tp-encapsulation
set access profile l2tp-profile client 21HEX l2tp shared-secret "$9$uQmC0EyMWxdwgX7gJUH5T9Ap0RhylK8xN"
set access profile l2tp-profile client 21HEX user-group-profile l2tp-group-profile
set access profile aaa-profile authentication-order radius
set access profile aaa-profile radius authentication-server 172.16.16.36
set access profile aaa-profile radius-server 172.16.16.36 secret "$9$NS-YoDjqfQnk.nCpBSy8X7-s2oJGiqm"
set access address-assignment pool POOL family inet6 prefix 2a05:d840:0100::/48
set access address-assignment pool POOL family inet6 range lns low 2a05:d840:0100:ffff:ffff:ffff:0000:0001/48
set access address-assignment pool POOL family inet6 range lns high 2a05:d840:0100:ffff:ffff:ffff:0000:0050/48

 

There are a couple of commands that could be changed I believe. Like the Unnumbered command... should that be changed to an inet6 command reference?

 

Thanks

 

 

Re: MX irb and SRX reth Issue


Hello,

RETH is not supported on standalone SRX. You have to have a SRX cluster built first.

HTH

Thx
Alex

Re: MX irb and SRX reth Issue


Hi Alex,

 

Thanks for the response.

 

 

The reth is indeed configured on an SRX cluster. I was under the impression I could deploy a reth on a cluster with a single physical interface in the reth. Is this not the case?

 

Thomas 

Routed VPLS in Juniper


Dear Experts,

 

I need to interoperate NOKIA (Alcatel-Lucent) and Juniper (I believe SRX)

 

On Nokia I am running routed-VPLS. Can I do that on Juniper? Cisco can do it as well. I read something about VPLS Routing, or VPLS integrated Routing but I am not sure...

 

Basically routed-MPLS is the following: it allows a VPLS instance to be associated with a VRF. In other words, inside a VRF, we communicate two interfaces (in two PEs for instance) in a VRF via a pseudowire (VPLS).

 

Thanks a lot!! 

Re: Routed VPLS in Juniper


With routed-vpls we communicate internally both VPLS and VPRN without needing an external hairpin.


Re: MX irb and SRX reth Issue


In case this is needed: 

 

MX version: 

root> show version
Model: mx104
Junos: 13.3R1.8
JUNOS Base OS boot [13.3R1.8]
JUNOS Base OS Software Suite [13.3R1.8]
JUNOS Kernel Software Suite [13.3R1.8]
JUNOS Packet Forwarding Engine Support (MX104) [13.3R1.8]
JUNOS Online Documentation [13.3R1.8]
JUNOS Services Application Level Gateways [13.3R1.8]
JUNOS Services Jflow Container package [13.3R1.8]
JUNOS Services Stateful Firewall [13.3R1.8]
JUNOS Services NAT [13.3R1.8]
JUNOS Services RPM [13.3R1.8]
JUNOS Routing Software Suite [13.3R1.8]

 

 

SRX version:

 

root@lab-srx-01-a> show version
node0:
--------------------------------------------------------------------------
Model: srx240h
JUNOS Software Release [12.1X46-D67]

node1:
--------------------------------------------------------------------------
Model: srx240h
JUNOS Software Release [12.1X46-D67]

Re: Routed VPLS in Juniper

Re: MX irb and SRX reth Issue

Have you configured reth-count using the command
"set chassis cluster reth-count 15"?

Also, if you configure it and it is still not working, add the following command:

"set interfaces reth2 redundant-ether-options minimum-links 1"

However, I do suggest sharing the full configuration to troubleshoot further.

Re: ISIS Export Policies (Policy-Options)


Hi,

 

You need the following configuration to bring IPv6 up. Hope you're requesting only the NDRA prefix.

 

Define family IPv6 and RA under the dynamic-profile.

 

LNS# show dynamic-profiles dyn-lns-profile | no-more
interfaces {
    "$junos-interface-ifd-name" {
        unit "$junos-interface-unit" {
            dial-options {
                l2tp-interface-id l2tp-encapsulation;
            }
            family inet {
                unnumbered-address "$junos-loopback-interface";
            }
            family inet6 {
                unnumbered-address "$junos-loopback-interface";
            }
        }
    }
}
protocols {
    router-advertisement {
        interface "$junos-interface-name" {
            prefix $junos-ipv6-ndra-prefix;
        }
    }
}

 

Define IPv6 address matching the pool under lo0 /128.

 

Define NDRA prefix pool under Access Stanza.

 

{master}[edit access]
LNS# show
 address-assignment {
    neighbor-discovery-router-advertisement POOL

 

Regards,

Rahul

Re: Part Number verses Model


You could also see if this command gives you the model numbers that match your inventory system.

 

show chassis hardware models

 
