Channel: All Routing posts
Viewing all 8688 articles

Re: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Rejectv6 Drops _some_ customers behind router 4 seconds.


 

I've applied the settings you recommended. I've also noticed my MX80 applies this filter OK, but the router in question, an MX104, is not applying this filter correctly (see below).

 

Below are my static v6 routes. However, they have been like this for a long time without previous issues.

 

routing-options {
    rib inet6.0 {
        static {
            route 2602:XXXX::/36 discard;
            route 2001:XXXX:XXXX::/40 discard;
            route 2602:XXXX:XXXX:507::/64 next-hop 2602:XXXX:0:1507::;
            route 2602:XXXX:XXXX::/48 next-hop 2602:XXXX:XXXX:7777::1;
            route 2001:XXXX:XXXX::/48 discard;
        }
    }
}

set policy-options prefix-list BGPv6-NEIGHBORS apply-path "protocols bgp group <*> neighbor <*:*>"

set interfaces lo0 unit 0 family inet6 filter input ProtectREv6
firewall {
    family inet6 {
        filter ProtectREv6 {
            term ospfv3 {
                from {
                    source-address {
                        fe80::/10;
                    }
                    next-header ospf;
                }
                then accept;
            }
            term bgpv6-connect {
                from {
                    source-prefix-list {
                        BGPv6-NEIGHBORS;
                    }
                    next-header tcp;
                    destination-port bgp;
                }
                then accept;
            }
            term icmpv6 {
                from {
                    payload-protocol icmp6;
                }
                then accept;
            }
            term default {
                then {
                    count discardfilterv6;
                    discard;
                }
            }
        }
    }
}



# show interfaces filters lo0
Interface       Admin Link Proto Input Filter         Output Filter
lo0             up    up
lo0.0           up    up   inet  ProtectRE
                           inet6


It's not applying the filter?

 

 Filter ProtectREv6 is Trio specific; will not get installed on DPCs for interface lo0


Re: Srx650 route's with two ISP , fails.


I have configured the load-balancing export policy; both next hops are active, as you suggested.

 

But why does one next-hop override the other one?

 

as it goes

 

0.0.0.0/0 route, next-hop 192.168.1.18

0.0.0.0/0 route, next-hop 93.109.249.45: this one always overrides the first one.

Is there any way for 192.168.1.18 to be the main next-hop and stay the main one? The second is just a gateway for destination NAT. I don't want the internet to be used from 93.109.249.45.

 

In the source NAT it's:

Trust to Trust for 192.168.1.18 (this is a piplink balancer IP, which is balancing a lot of ISPs), and

Trust to Untrust for the public 93.109.249.45.

 

Best Regards.

 

Re: Two DC connected L2 and OSPF over IPSec VPN from Branch Offices.


@Nellikka

Maybe not so obvious...

I changed the priorities to the metric and have now on Branch Office site:

root@Client2# show protocols
ospf {
    rib-group ExportRouting;
    export inet0;
    area 0.0.0.0 {
        interface st0.250 {
            interface-type p2mp;
            neighbor 10.250.250.1 eligible;
            neighbor 10.250.250.2;
        }
        interface vlan.0 {
            passive;
        }
    }
}

 

root@Client2# show routing-instances ISP2-vr protocols
ospf {
    rib-group ImportRouting;
    export StaticdoOSPF;
    area 0.0.0.0 {
        interface st0.251 {
            interface-type p2mp;
            metric 50;
            neighbor 10.250.251.1 eligible;
            neighbor 10.250.251.2;
        }
    }
}

 

And status:


root@Client2# run show route protocol ospf 172.16.120.0/24

inet.0: 20 destinations, 31 routes (20 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.120.0/24    *[OSPF/10] 00:15:22, metric 2
                    > to 10.250.250.1 via st0.250
                      to 10.250.250.2 via st0.250
                    [OSPF/10] 00:15:17, metric 51
                      to 10.250.251.1 via st0.251
                    > to 10.250.251.2 via st0.251

ISP2-vr.inet.0: 20 destinations, 31 routes (20 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.120.0/24    *[OSPF/10] 00:15:22, metric 2
                    > to 10.250.250.1 via st0.250
                      to 10.250.250.2 via st0.250
                    [OSPF/10] 00:15:17, metric 51
                      to 10.250.251.1 via st0.251
                    > to 10.250.251.2 via st0.251

After some time status:

inet.0: 20 destinations, 31 routes (20 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.120.0/24    *[OSPF/10] 00:25:12, metric 2
                      to 10.250.250.1 via st0.250
                    > to 10.250.250.2 via st0.250
                    [OSPF/10] 00:25:20, metric 51
                      to 10.250.251.1 via st0.251
                    > to 10.250.251.2 via st0.251

ISP2-vr.inet.0: 20 destinations, 31 routes (20 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.120.0/24    *[OSPF/10] 00:25:12, metric 2
                    > to 10.250.250.1 via st0.250
                      to 10.250.250.2 via st0.250
                    [OSPF/10] 00:25:20, metric 51
                    > to 10.250.251.1 via st0.251
                      to 10.250.251.2 via st0.251

After some time status:

inet.0: 20 destinations, 31 routes (20 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.120.0/24    *[OSPF/10] 00:27:08, metric 2
                    > to 10.250.250.1 via st0.250
                      to 10.250.250.2 via st0.250
                    [OSPF/10] 00:27:19, metric 51
                    > to 10.250.251.1 via st0.251
                      to 10.250.251.2 via st0.251

ISP2-vr.inet.0: 20 destinations, 31 routes (20 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.120.0/24    *[OSPF/10] 00:27:08, metric 2
                      to 10.250.250.1 via st0.250
                    > to 10.250.250.2 via st0.250
                    [OSPF/10] 00:27:19, metric 51
                    > to 10.250.251.1 via st0.251
                      to 10.250.251.2 via st0

 

 

@SPuluka

I would really like to do it with OSPF, but maybe I should change the concept. Maybe separate the area between each DC/DRC and branch, to make a separate area?

Re: Two DC connected L2 and OSPF over IPSec VPN from Branch Offices.


Maybe I was not too clear, I will try again - it's easier.

I have a situation like in the attachment OSPF-IPSec2 (attached to this post), plus static routing:

Client inet.0:

route 0.0.0.0/0 next-hop 10.1.0.10;
route 172.16.120.0/24 {
    next-hop 10.250.250.1;
    qualified-next-hop 10.250.251.1 {
        preference 6;
    }
    qualified-next-hop 10.250.250.2 {
        preference 7;
    }
    qualified-next-hop 10.250.251.2 {
        preference 8;
    }
    preference 5;
}

Client ISP2-vr.inet.0:

route 0.0.0.0/0 next-hop 10.2.0.10;
route 172.16.120.0/24 {
    next-hop 10.250.250.1;
    qualified-next-hop 10.250.251.1 {
        preference 6;
    }
    qualified-next-hop 10.250.250.2 {
        preference 7;
    }
    qualified-next-hop 10.250.251.2 {
        preference 8;
    }
    preference 5;
}

DC inet.0:

route 0.0.0.0/0 next-hop 10.3.0.10;
route 192.168.78.0/24 {
    next-hop 10.250.250.78;
    qualified-next-hop 10.250.251.78 {
        preference 6;
    }
    preference 5;
}

DRC inet.0:

route 0.0.0.0/0 next-hop 10.4.0.10;
route 192.168.78.0/24 {
    next-hop 10.250.250.78;
    qualified-next-hop 10.250.251.78 {
        preference 6;
    }
    preference 5;
}
 

 

It works perfectly! How to convert this to OSPF?

Can't connect to SRX from Meraki VPN


I have a Meraki security appliance connected to a Cisco router and to Juniper SRX550.  I can talk to the SRX and Cisco from the Meraki device.  They are directly connected using ethernet cables.  They're all sitting next to each other.

 

I have static routes on the SRX and Cisco to the Meraki VPN subnet, 192.168.50.0/24.

 

I can connect to the Cisco when I’m on the Meraki VPN, but I can’t talk to the Juniper.

Re: Two DC connected L2 and OSPF over IPSec VPN from Branch Offices.


Since the st0 interface is configured as multipoint, you cannot control routes the way you can with static routes, as the interface cost is the same for both neighbors. One option is to advertise 172.16.120.0/24 with a low cost from the DC and a high cost from the DRC. You can achieve this by adding a high metric statement on the interface that has the 172.16.120.0/24 network on the DRC. Or you may have to change the design and use st0 interfaces as point-to-point interfaces.

 

Re: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Rejectv6 Drops _some_ customers behind router 4 seconds.


Hello,

 


 wrote:

 

I've also noticed my MX80 applies this filter ok, but the router in question MX104 is not applying this filter correctly. (see below).

<skip> 

It's not applying the filter?

 


 Loopback filter is (1) unrelated to Trio DDOS feature and (2) executed before Trio DDOS policers.

HTH

Thx
Alex

 

 

 

Re: MX-5 High CPU - RPD process...


Thanks for the reply ... I am running Junos 15.1R6.7.

 

Low CPU router:

 

law@rt1.wg.net> show task accounting | except "0.0          0.0          0.0"    
Task accounting is enabled.

Task                       Started    User Time  System Time  Longest Run
Scheduler                     6829          0.2          0.0          0.0
hakr                             1            0          0.0          0.0
RT                            1365          0.8          0.2          0.0
ICMPv6                           1          0.0            0          0.0
BGP MultiPath                  495          0.1          0.0          0.0
BGP_Listen.0.0.0.0+179        1747          0.9          0.2          0.0

 

High CPU router:

law@rt1.n4.net> show task accounting | except "0.0          0.0          0.0"    
Task accounting is enabled.
Task                       Started    User Time  System Time  Longest Run
Memory                           1          0.0            0          0.0
hakr                             1          0.0            0          0.0
RT                             289          15.          0.2          0.0
BGP MultiPath                  256          17.          0.0          0.1
PIM I/O./var/run/ppmd_con        7          0.0            0          0.0
BGP_RT_Background                5          0.0            0          0.0
BGP_Listen.0.0.0.0+179         651          0.6          0.0          0.0
Resolve tree 2                 595          54.          0.1          0.1

 

 

As can be seen, the Resolve tree 2 task is huge at 54... though you are right, there is some taken by MultiPath also. This is configured the same on both routers, though I don't think it is needed, as looking at the forwarding table there is no load-balancing anyway.


DHCP Snooping database backup...


Hi,

 

Does anyone have any experience with the persistent database backup for DHCP snooping?

DHCP snooping looks to be working fine for me, though it just won't back up, not even locally!

Any ideas, anyone? I've been trying to get this to back up for some time now, though the statistics show that it isn't even attempting.

Junos: 15.1R7.9, ex4200-48t

 

law@core-sw-3> show configuration | match oop | display set
set protocols igmp-snooping vlan all
set ethernet-switching-options secure-access-port dhcp-snooping-file location tftp://192.168.99.217/dhcp/core-sw3.dhcpdb
set ethernet-switching-options secure-access-port dhcp-snooping-file write-interval 90

law@core-sw-3> show dhcp snooping binding       
DHCP Snooping Information:
MAC address        IP address                           Lease (seconds)  Type     VLAN    Interface
00:10:75:5E:84:36  192.168.1.170                                 603980  dynamic  BO      ge-4/0/37.0
00:24:21:5F:CB:9F  192.168.1.75                                  603933  dynamic  BO      ge-4/0/29.0
00:24:21:AD:21:8A  192.168.1.194                                 603673  dynamic  BO      ge-4/0/5.0
10:60:4B:81:04:12  192.168.1.53                                  603367  dynamic  BO      ge-4/0/40.0
10:60:4B:8C:5B:C2  192.168.1.244                                 603898  dynamic  BO      ge-4/0/25.0
34:64:A9:11:C2:10  192.168.1.32                                  604220  dynamic  BO      ge-4/0/43.0
34:64:A9:12:35:A3  192.168.1.203                                 603194  dynamic  BO      ge-4/0/24.0
50:9A:4C:BD:25:4C  192.168.1.184                                 603034  dynamic  BO      ge-4/0/14.0
6C:3B:E5:39:BD:FE  192.168.1.146                                 604059  dynamic  BO      ge-4/0/31.0

{master:0}
law@core-sw-3> show dhcp snooping statistics
DHCP Snoop Persistence statistics
Successful Remote Transfers: 0           Failed Remote Transfers: 0      
Successful Record Reads    : 0           Failed Record Reads    : 0      
Successful Record Writes   : 0           Failed Record Writes   : 0

Re: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Rejectv6 Drops _some_ customers behind router 4 seconds.


This was the error I saw in show log messages, so I'm assuming it's valid? Why would it be complaining? We are slated to upgrade the firmware soon, but before that I wanted to make sure this was solved.

Re: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Rejectv6 Drops _some_ customers behind router 4 seconds.


Hello there,

If you are asking about this message

 

Filter ProtectREv6 is Trio specific; will not get installed on DPCs for interface lo0

- then MX80 and MX104 do not support DPC cards and should not log this message. 

Are You still seeing the customer outages _AND_ DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Rejectv6 messages after changing the policer?

HTH

Thx

Alex

 

Re: DHCP Snooping database backup...


Does anyone have any working examples?

Unknown command " clear alarm 0"


Hi 

 

We found some logs of an unknown command executed by root. But I can't execute it as root manually.

Could anyone tell me how to execute it? Or is it a Juniper process that executes it automatically?

 

Jan  5 11:43:49.932  xxxx_RE0 mgd[72690]: UI_CMDLINE_READ_LINE: User 'root', command 'set alarm yellow alarm-id 0small-msg '

Jan  7 13:16:17.605  xxxx_RE0 mgd[84333]: UI_CMDLINE_READ_LINE: User 'root', command 'clear alarm 0 '

 

Thanks

Cloud

Re: Unknown command " clear alarm 0"


And I didn't see any source IP, just a login with root.

Is this by console? Like below:

 

Jan 8 18:14:56.534 xxxxx_RE1 mgd[61867]: UI_CMDLINE_READ_LINE: User 'root', command 'show system uptime no-forwarding '
Jan 8 18:14:56.826 xxxxx_RE1 mgd[61867]: UI_CMDLINE_READ_LINE: User 'root', command 'show version detail no-forwarding '
Jan 8 18:14:58.242 xxxxx_RE1 mgd[61867]: UI_CMDLINE_READ_LINE: User 'root', command 'show system core-dumps no-forwarding '
Jan 8 18:14:58.256 xxxxx_RE1 mgd[61867]: UI_CMDLINE_READ_LINE: User 'root', command 'show chassis alarms no-forwarding '

........

Re: Unknown command " clear alarm 0"


 

 


 wrote:

And I didn't see any source IP, just a login with root.

Is this by console? Like below:

 

Jan 8 18:14:56.534 xxxxx_RE1 mgd[61867]: UI_CMDLINE_READ_LINE: User 'root', command 'show system uptime no-forwarding '
Jan 8 18:14:56.826 xxxxx_RE1 mgd[61867]: UI_CMDLINE_READ_LINE: User 'root', command 'show version detail no-forwarding '
Jan 8 18:14:58.242 xxxxx_RE1 mgd[61867]: UI_CMDLINE_READ_LINE: User 'root', command 'show system core-dumps no-forwarding '
Jan 8 18:14:58.256 xxxxx_RE1 mgd[61867]: UI_CMDLINE_READ_LINE: User 'root', command 'show chassis alarms no-forwarding '

........


 

You generally see them when you collect an RSI.

Did anyone run "request support information | no-more"?

If you did, you would see them as follows (either in cli-commands or interactive-commands):


Jan  9 12:09:32.440  re0 mgd[52695]: UI_CMDLINE_READ_LINE: User 'root', command 'show system uptime no-forwarding '
Jan  9 12:09:32.464  re0 mgd[52695]: UI_CMDLINE_READ_LINE: User 'root', command 'show version detail no-forwarding '
Jan  9 12:09:33.301  re0 mgd[52695]: UI_CMDLINE_READ_LINE: User 'root', command 'show system core-dumps no-forwarding '
Jan  9 12:09:33.308  re0 mgd[52695]: UI_CMDLINE_READ_LINE: User 'root', command 'show chassis alarms no-forwarding '
Jan  9 12:09:33.309  re0 mgd[52695]: UI_CMDLINE_READ_LINE: User 'root', command 'show chassis hardware detail no-forwarding '
Jan  9 12:09:34.227  re0 mgd[52695]: UI_CMDLINE_READ_LINE: User 'root', command 'show system processes extensive no-forwarding '
Jan  9 12:09:34.239  re0 mgd[52695]: UI_CMDLINE_READ_LINE: User 'root', command 'show pfe statistics error '
Jan  9 12:09:34.589  re0 mgd[52695]: UI_CMDLINE_READ_LINE: User 'root', command 'show pfe statistics traffic '
Jan  9 12:09:34.593  re0 mgd[52695]: UI_CMDLINE_READ_LINE: User 'root', command 'show chassis routing-engine no-forwarding '
Jan  9 12:09:34.594  re0 mgd[52695]: UI_CMDLINE_READ_LINE: User 'root', command 'show chassis environment no-forwarding '

 

 

 


Re: Unknown command " clear alarm 0"


This alarm log message is expected behavior when mgd encounters a process issue, i.e. it spawns a root login to generate this log message. This "set alarm" message by root can be encountered in the logs under various conditions. You can run this command manually from the CLI if you wish. The "alarm" keyword/command is hidden:


{master}
lab@jtac-mx> set alarm ?
Possible completions:
  alarm-id             Alarm identification number (1..2147483647)
  alarm-life           Alarm life in seconds (1..2147483647)
  long-msg             Message to write to system log
  red                  Highest level alarm
  short-msg            Message to display on front panel
  yellow               Minor alarm

 

Or the clear alarm:

 

lab@jtac-mx> clear alarm ?  
Possible completions:
  <id-number>          Alarm identification number
{master}

 

I would suggest NOT modifying the "set alarm" knob unless you have a specific use case.
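The two answers above say the same thing from two sides: a burst of read-only `show ... no-forwarding` commands by root is the signature of a `request support information` run, and a lone `set alarm` / `clear alarm` by root is mgd's own doing. What an operator reviewing these logs actually wants is a way to tell the two apart per session. The script below is an added example written for this page, not code from the thread or from Juniper. It assumes that one mgd pid corresponds to one CLI session (the RSI output quoted above shows a single pid for the whole run), that an RSI run opens with the four `show` commands quoted above, and that the sample log (lines copied from the posts, placeholders kept as posted) is representative; all three are assumptions. Because the alarm commands are expected mgd behavior per the answer above, the result is a worklist to correlate against maintenance, not an alert.

```python
"""Triage of Junos mgd UI_CMDLINE_READ_LINE events (added example, not from the thread).

Groups root commands by mgd session and separates sessions that follow the
'request support information' (RSI) pattern from sessions that issue
state-changing commands such as 'set alarm' / 'clear alarm'.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:.]+)\s+(?P<host>\S+)\s+mgd\[(?P<pid>\d+)\]:\s+"
    r"UI_CMDLINE_READ_LINE: User '(?P<user>[^']+)', command '(?P<cmd>[^']*)'"
)

# Assumption: an RSI collection opens with these four commands, in this order,
# as in the output quoted in the thread above.
RSI_OPENING = (
    "show system uptime no-forwarding",
    "show version detail no-forwarding",
    "show system core-dumps no-forwarding",
    "show chassis alarms no-forwarding",
)

# Command prefixes that change device state; always worth a second look from root.
STATE_CHANGING = ("set alarm", "clear alarm", "configure", "request system")

# Constructed sample log: lines copied from the posts above, placeholders kept as posted.
SAMPLE_LOG = """\
Jan  5 11:43:49.932  xxxx_RE0 mgd[72690]: UI_CMDLINE_READ_LINE: User 'root', command 'set alarm yellow alarm-id 0small-msg '
Jan  7 13:16:17.605  xxxx_RE0 mgd[84333]: UI_CMDLINE_READ_LINE: User 'root', command 'clear alarm 0 '
Jan  9 12:09:32.440  re0 mgd[52695]: UI_CMDLINE_READ_LINE: User 'root', command 'show system uptime no-forwarding '
Jan  9 12:09:32.464  re0 mgd[52695]: UI_CMDLINE_READ_LINE: User 'root', command 'show version detail no-forwarding '
Jan  9 12:09:33.301  re0 mgd[52695]: UI_CMDLINE_READ_LINE: User 'root', command 'show system core-dumps no-forwarding '
Jan  9 12:09:33.308  re0 mgd[52695]: UI_CMDLINE_READ_LINE: User 'root', command 'show chassis alarms no-forwarding '
Jan  9 12:09:34.227  re0 mgd[52695]: UI_CMDLINE_READ_LINE: User 'root', command 'show system processes extensive no-forwarding '
""".splitlines()


def parse_events(lines):
    """Return one dict per UI_CMDLINE_READ_LINE line; other lines are ignored."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["cmd"] = ev["cmd"].strip()  # mgd logs a trailing space after the command
            events.append(ev)
    return events


def sessions_by_pid(lines):
    """Group commands by (host, mgd pid, user). Assumption: one mgd process per CLI session."""
    sessions = defaultdict(list)
    for ev in parse_events(lines):
        sessions[(ev["host"], ev["pid"], ev["user"])].append(ev["cmd"])
    return sessions


def classify(cmds):
    """'rsi' = read-only session that opens like an RSI run,
    'state-change' = at least one state-changing command, else 'other'."""
    opens_like_rsi = tuple(cmds[: len(RSI_OPENING)]) == RSI_OPENING
    read_only = all(c.startswith("show ") for c in cmds)
    if opens_like_rsi and read_only:
        return "rsi"
    if any(c.startswith(STATE_CHANGING) for c in cmds):
        return "state-change"
    return "other"


def triage(lines):
    """Map each session key to (label, list of commands)."""
    return {key: (classify(cmds), cmds) for key, cmds in sessions_by_pid(lines).items()}


def sessions_to_review(lines, user="root"):
    """Session keys where the given user changed state outside an RSI-style run."""
    return [key for key, (label, _) in triage(lines).items()
            if key[2] == user and label == "state-change"]


if __name__ == "__main__":
    for key, (label, cmds) in triage(SAMPLE_LOG).items():
        print(f"{key[0]} mgd[{key[1]}] {key[2]}: {label:12s} {len(cmds)} command(s)")
```

On the sample log the re0 session is labelled `rsi` and the two xxxx_RE0 sessions are labelled `state-change`; feed it `show log messages | match UI_CMDLINE_READ_LINE` output from a real box to get the same split per mgd pid.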

Re: Srx650 route's with two ISP , fails.


I am not sure I follow your description of the flows.  Sorry if these are not what you are seeing.

 

For the outbound traffic, remember that ECMP binds flows to the same next hop. So as a general rule, traffic from the same IP address will use the same next hop.

It also seems like you want inbound NAT traffic to be sure to return via the same ISP. In this case I generally recommend having the traffic use source NAT to the SRX interface in addition to destination NAT. This makes the SRX interface itself the return address of the packet and forces the flow out the desired interface.

 

Re: Commit fails when creating VRF on MX (Only loopback interface is supported...)


Hello, I'm running vMX JUNOS 16.2R1-S2.1 Kernel 64-bit JNPR-10.3-20161102.338446_build and seeing this issue.

I set the chassis to network-services enhanced-ip, rebooted, and am still seeing the same issue:

 


admin@vMX-JUNOS-01> show configuration chassis
fpc 0 {
lite-mode;
}
network-services enhanced-ip;

admin@vMX-JUNOS-01>

admin@vMX-JUNOS-01> configure
Entering configuration mode
The configuration has been changed but not committed

[edit]
admin@vMX-JUNOS-01# set routing-instances customer-1200 interface ge-0/0/1.0

[edit]
admin@vMX-JUNOS-01# commit
[edit routing-instances customer-1200 interface]
'ge-0/0/1.0'
RT Instance: Only loopback interface is supported under vrf routing instances in triton mode.
error: configuration check-out failed

[edit]

 

Thanks for any help,

Bill Wade

 

BGP communities


Hi,

1. I am trying to add a community to subnet 172.16.1.0/24 on R2. Apparently the said community is not getting attached. Attached are the screenshots for clarity.

2. I understand the routing is not efficient, but my idea is just to tag a community value.

3. I do not want an import statement on R3.

4. There is another way to attach a community on R2 under the routing-options hierarchy, such as

  set routing-options static route 172.16.1.0/24 community 64512:1

  but I do not wish to use it.

 

Attachments: Topology.png, R2 inet0 table.png, R2 Policies.png, R3.png

Re: BGP communities


Hello,

You need to change the order of the export policies for your idea to work. The correct order is below.

 

export [ TAR SEND-STATIC ];

HTH

Thx

Alex
