That may be a problem. I have all the ports from SRX to VDX switch (L2) to CER set to MTU 1526. Why is OSPF on the SRX still sending out DBD packets @ mtu 1508?

wrote: SRX traceoptions shows that it is sending DBD packets (mtu 1508) multiple times but not receiving any DBD packets from the neighbor. DBD packets are unicast packets.

The VDXs don't even support mtu that low. The lowest they will go is 1522.

set interfaces reth0 description UNTRUST
set interfaces reth0 mtu 1526
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 redundant-ether-options lacp passive
set interfaces reth0 unit 0 family inet address 192.168.1.6/29

I am able to ping from SRX to CER and CER to SRX without issue. There are ARP entries for each other.
Re: SRX 550 - OSPF Adjacency Stuck in ExStart State
Re: IS-IS run over GRE
Hi
Yes, it is up while I turned up OSPF over this GRE with MTU 1516 of family inet
> show ospf neighbor
Address Interface State ID Pri Dead
172.54.129.49 gr-5/0/0.1 Full 172.54.129.2 128 38
Best regards,
Cloud
Re: Problems with ospf in IPv6
Hi CICA,
Alright, I just faced the same problem with IPv4 in lab - the neighbor wouldn't show up at all at one end and "show ospf interface" would show 0 nbrs. Issue was resolved after establishing valid IPv4 connectivity on this interface. Should apply to IPv6 too.
{master:0}
labroot@j14-1> show ospf neighbor
{master:0}
labroot@j14-1> show ospf interface
Interface State Area DR ID BDR ID Nbrs
ae11.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 0
{master:0}
labroot@j14-1> ping 198.168.10.21
PING 198.168.10.21 (198.168.10.21): 56 data bytes
^C
--- 198.168.10.21 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
{master:0}
labroot@j14-1> show interfaces terse ae11
Interface Admin Link Proto Local Remote
ae11 up up
ae11.0 up up inet 198.168.10.84/31
inet6 fe80::cee1:7fff:fe68:43fb/64
mpls
{master:0}
labroot@j14-1> edit
Entering configuration mode
{master:0}[edit]
labroot@j14-1# replace pattern 198.168.10.84 with 198.168.10.20
{master:0}[edit]
labroot@j14-1# show | compare
[edit interfaces ae11 unit 0 family inet]
+ address 198.168.10.20/31;
- address 198.168.10.84/31;
{master:0}[edit]
labroot@j14-1# commit and-quit
[edit protocols]
'mpls'
warning: requires 'mpls' license
configuration check succeeds
commit complete
Exiting configuration mode
{master:0}
labroot@j14-1> ping 198.168.10.21
PING 198.168.10.21 (198.168.10.21): 56 data bytes
64 bytes from 198.168.10.21: icmp_seq=0 ttl=64 time=11.036 ms
64 bytes from 198.168.10.21: icmp_seq=1 ttl=64 time=11.139 ms
^C
--- 198.168.10.21 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 11.036/11.087/11.139/0.052 ms
{master:0}
labroot@j14-1> show ospf neighbor
Address Interface State ID Pri Dead
198.168.10.21 ae11.0 Full 198.168.10.6 128 3
{master:0}
labroot@j14-1> show ospf interface
Interface State Area DR ID BDR ID Nbrs
ae11.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 1
-r.
Password Reset on MX104 with 2 Routing Engines
Hello All,
I am having a little trouble resetting the root password on an MX 104 with dual routing engines. I have followed the process outlined here and reset the password successfully.
However, when I commit I get the following errors. I can wait a little while and commit again successfully.
warning: Could not connect to re0 : Can't assign requested address
warning: Cannot connect to other RE, ignoring it
chgrp: wheel: Invalid argument
chown: wheel: Invalid argument
chgrp: wheel: Invalid argument
chown: wheel: Invalid argument
commit complete
When I reboot, the system does not let me log in with the new password. Please understand that I am a Cisco guy and haven't had a lot of experience with Juniper. Please explain this to me as if I were 5.
Thanks,
Matt
Re: Password Reset on MX104 with 2 Routing Engines
I've not seen these messages before. They may indicate a hardware issue. But there is an alternative reset method you can try for the MX platform outlined here.
Re: IS-IS run over GRE
Hi,
I think the issue is related to MTU and the fragmentation. What is the peer device? Refer below mentioned KB to understand the behavior of ISIS over GRE:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB7848&cat=&actp=LIST
Re: Password Reset on MX104 with 2 Routing Engines
Hi,
In addition to what Steve suggested, those logs could be a transient condition with the device.
Could you get the following & then perform the below steps:
#commit | display detail
>show chassis alarm
>show chassis routing-engine
>show system core-dumps
>show log messages | last 200
Restart the MGD Process:
>restart management
After restarting mgd, if you get those errors on commit and if pw reset doesn't help, then perform a factory-default.
#load factory-default
#commit full <full keyword is hidden>
#commit (again and reboot)
If you get those errors on commit and get an issue with pw reset, perform a factory reset using >request system zeroize.
Upon performing a request system zeroize, the system can take up to 15 ~ 20 mins to initialize.
Ensure you're connected to the box via console all the time.
If all the above fails, log a case with JTAC; they will examine the node and will issue an RMA if required.
Re: IS-IS run over GRE
Hi
It is Juniper MX on both sides. I also saw what you posted, but it seems not to work even with MTU as 9000.
Thus, I am still checking the root cause.
Best regards,
Cloud
Re: Password Reset on MX104 with 2 Routing Engines
Hey Guys,
Thanks for your replies. I found a work-around for this issue. I removed one of the routing engines and went through the password reset procedure and did the same for the other routing engine. I am able to log in to the device now. I am also not getting any commit errors now. I will let it run for a few days and play around with the config.
Thanks,
Matt
Real world usage of ospf domain-id
Hi experts,
I have read quite a lot of posts about ospf domain-id, DN bit, and vpn tag. Most of them are talking about the use in L3VPN hub and spoke. I understood that domain-id, DN bit and vpn tag are used for loop prevention and they must be overridden when using L3VPN hub and spoke (by setting domain-id disable and vpn tag = 0). However, I am still wondering how domain-id works in the real world but not in L3VPN hub and spoke.
Can anyone name some examples of when we need to configure a different ospf domain-id?
A few references below that I learned from.
https://community.cisco.com/t5/mpls/ospf-domain-tag-or-domain-id/td-p/1516375
Thanks!
Re: Real world usage of ospf domain-id
Since when are MPLS VPNs not part of the real world in networking?
This is just one of the features of ospf created to support mpls vpn for those that don't want to run ISIS as the IGP. So this is the real world use case for the feature.
Re: Problems with ospf in IPv6
Hi mriyaz,
I have connectivity correctly. After executing the commands that you indicated to me previously I observed that in Router1 I see an output packet but I do not see input from the other router:
12:06:31.369908 Out
Juniper PCAP Flags [Ext], PCAP Extension(s) total length 16
Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
Device Interface Index Extension TLV #1, length 2, value: 177
Logical Interface Index Extension TLV #4, length 4, value: 339
-----original packet-----
00:22:83:f0:2d:2a > 33:33:00:00:00:05, ethertype IPv6 (0x86dd), length 90: (class 0xc0, hlim 1, next-header: OSPF (89), length: 36) fe80::222:83ff:fef0:2d2a > ff02::5: OSPFv3, Hello, length 36
Router-ID 150.214.242.119, Backbone Area
Options [V6, External, Router]
Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.3, Priority 128
Designated Router 150.214.242.119
Neighbor List:
And on Router2 I see an input packet but I do not see an output packet:
12:11:14.394781 In
Juniper PCAP Flags [Ext, no-L2, In], PCAP Extension(s) total length 16
Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
Device Interface Index Extension TLV #1, length 2, value: 211
Logical Interface Index Extension TLV #4, length 4, value: 351
-----original packet-----
PFE proto 6 (ipv6): (class 0xc0, hlim 1, next-header: OSPF (89), length: 36) fe80::222:83ff:fef0:2d2a > ff02::5: OSPFv3, Hello, length 36
Router-ID 150.214.242.119, Backbone Area
Options [V6, External, Router]
Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.3, Priority 128
Designated Router 150.214.242.119
Neighbor List:
Thank you.
Re: IS-IS run over GRE
Your issue is probably with the MTU setting of a transit device. How big of a ping can you get between the GRE tunnels without fragmentation?
ping 172.54.129.49 source 172.54.129.50 do-not-fragment size XXXX
Re: MX series dynamic nat help
Touching back on this to complete/check the configs. The link in your post responds to me as 403. What's the title of that document so I can find it?
Thanks!
Re: Traffic Engineering configuration requirement under OSPF hierarchy ?
Even without fast-reroute, you would still need a TED because you didn't specify "no-cspf" on your LSP configuration. By default, even without constraints, it will still go through CSPF calculation and come out with an EROs list for RSVP to signal.
Re: IS-IS run over GRE
Hi
As per my test, it looks to be 1488. A ping with 1489 will fail.
> ping 172.54.129.49 source 172.54.129.50 do-not-fragment size 1489
PING 172.54.129.49 (172.54.129.49): 1489 data bytes
ping: sendto: Message too long
ping: sendto: Message too long
Best regards,
Cloud
LDP Link Protection
Can someone explain the LDP link protection? How can I configure it?
Regards
EVPN-VXLAN IPv6-only underlay
Hello all,
I am working on some test setups in my lab around EVPN using VXLAN encapsulation on the QFX5100 (48T and 24Q, running 18.1R1.9 ).
In short: the 5100-48s (6) are leaves, the 24Qs spine (2). On the spine layer we also run MPLS but in this scenario they just provide inet6 connectivity between our leaves.
On the leaves we have a very simple configuration, no ipv4 at all, bgp in underlay announcing/receiving the loopbacks.
The router-id needs to be filled in or bgp will not come up, but it's our only v4 address, it has no purpose and is non-routable.
Configuration (I changed couple things like keys and certain ip's):
root@sw1.rack2# show
## Last changed: 2018-08-12 20:47:25 CEST
## Image name: jinstall-host-qfx-5-18.1R1.9-signed.tgz
version 18.1R1.9;
system {
    host-name sw1.rack2;
    time-zone Europe/Brussels;
    root-authentication {
        encrypted-password ""; ## SECRET-DATA
    }
    services {
        ssh {
            root-login allow;
        }
    }
}
security {
    authentication-key-chains {
        key-chain upstream-bfd {
            key 0 {
                secret ""; ## SECRET-DATA
                start-time "1970-1-1.01:00:01 +0100";
            }
        }
    }
}
interfaces {
    xe-0/0/0 {
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members vl0002;
                }
            }
        }
    }
    et-0/0/48 {
        mtu 9216;
        unit 0 {
            family inet6 {
                address 2001:DB8:0001:0004::3/127;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet6 {
                address 2001:DB8:0001:0000::3/128 {
                    primary;
                }
            }
        }
    }
}
routing-options {
    router-id 1.1.1.1;
    forwarding-table {
        export load-balance;
    }
}
protocols {
    bgp {
        log-updown;
        local-as 65100 loops 2;
        graceful-restart;
        group UPSTREAM {
            type external;
            hold-time 45;
            family inet6 {
                unicast;
            }
            export export6_bgp;
            bfd-liveness-detection {
                minimum-interval 1500;
                multiplier 3;
                authentication {
                    key-chain upstream-bfd;
                    algorithm keyed-sha-1;
                }
            }
            neighbor 2001:DB8:0001:0004::2 {
                authentication-key ""; ## SECRET-DATA
                peer-as 65001;
            }
        }
        group OVERLAY {
            type internal;
            multihop {
                ttl 5;
                no-nexthop-change;
            }
            local-address 2001:DB8:1::3;
            hold-time 45;
            family evpn {
                signaling;
            }
            authentication-key ""; ## SECRET-DATA
            neighbor 2001:DB8:1::1;
        }
    }
    evpn {
        vni-options {
            vni 1 {
                vrf-target target:65100:1001;
            }
        }
        encapsulation vxlan;
        multicast-mode ingress-replication;
        extended-vni-list all;
    }
}
policy-options {
    policy-statement EVPN_IMPORT_OVERLAY {
        term evpn-overlay-vni1 {
            from community evpn-overlay-vni1;
            then accept;
        }
        then reject;
    }
    policy-statement export6_bgp {
        term loopback {
            from {
                protocol direct;
                route-filter 2001:DB8:0001:0000::/64 orlonger;
            }
            then accept;
        }
        then reject;
    }
    policy-statement load-balance {
        then {
            load-balance per-packet;
        }
    }
    community evpn-overlay-vni1 members target:65100:1001;
}
switch-options {
    vtep-source-interface lo0.0 inet6;
    route-distinguisher 65100:9993;
    vrf-import EVPN_IMPORT_OVERLAY;
    vrf-target target:65100:1;
}
vlans {
    vl0002 {
        vlan-id 2;
        vxlan {
            vni 1;
            ingress-node-replication;
        }
    }
}

{master:0}[edit]
root@sw1.rack2#
For whatever reason bgp is always announcing the router-id as next-hop to the other routers:
root@sw1.rack2> show route advertising-protocol bgp 2001:DB8:1::1 all

default-switch.evpn.0: 2 destinations, 2 routes (1 active, 0 holddown, 1 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
  3:65100:9993::1::1.1.1.1/248 IM
*                         1.1.1.1                      100        I

{master:0}
root@sw1.rack2>

This of course cannot work as we do not have any ipv4 routing enabled.
1) changing the router-id will change the next-hop
2) export policy does not change anything, import policy neither
3) should not following statement take care of it ?
vtep-source-interface lo0.0 inet6;
As this output here looks fine:
root@sw1.rack2# run show ethernet-switching vxlan-tunnel-end-point source
Logical System Name       Id  SVTEP-IP         IFL   L3-Idx
<default>                 0   2001:DB8:1::3    lo0.0    0
    L2-RTT                   Bridge Domain              VNID     MC-Group-IP
    default-switch           vl0002+2                   1        ::

{master:0}[edit]
root@sw1.rack2# run show ethernet-switching vxlan-tunnel-end-point remote
Logical System Name       Id  SVTEP-IP         IFL   L3-Idx
<default>                 0   2001:DB8:1::3    lo0.0    0

{master:0}[edit]
root@sw1.rack2#
But both the EVPN type-1/type-2 routes get the wrong next-hop.
Anyone tried this before on the QFX platform ? In our new production networks I would like to limit IPv4 to the edge as much as possible .
Re: EVPN-VXLAN IPv6-only underlay
IPv6 Underlays are currently not supported on QFX. Please see https://www.juniper.net/documentation/en_US/junos/topics/concept/vxlan-constraints-qfx-series.html