set routing-options rib <rib> aggregate route...
works for me under Junos 15.1F6.
Check out:
http://www.juniper.net/techpubs/en_US/junos16.1/topics/concept/policy-aggregate-routes.html
For more information.
Do you have a DNS server configured that the SRX uses for name resolution? If not, do you wish to configure one? This can be an internal or external DNS server.
We must be missing some important detail which we are not aware of. The forwarding type routing instance is the simplest configuration which just works, so this is really strange.
As a test make this temporary change:
interfaces {
    reth0.125 {
        host-inbound-traffic {
            system-services {
                all;
            }
        }
    }
}
>show security flow status (this will tell if the system needs to be rebooted)
>show route table Content_Filter_Instance.inet.0 10.154.2.19
>show route table Content_Filter_Instance.inet.0 10.154.20.6
This is to test simple connectivity to the PCs from the interface on which they connect. This must work!
>ping 10.154.20.6 interface reth0.125 rapid count 5
>ping 10.154.20.7 interface reth0.125 rapid count 5
This is to test simple connectivity to Security Appliance from the interface on which it is connected. This must work!
>ping 10.154.2.19 interface reth0.120 rapid count 5
The following tests check that you can ping the gateway (the Security appliance), Google, and the two client PCs, with the source being the defined routing instance:
>ping 10.154.2.19 routing-instance Content_Filter_Instance rapid count 5
>ping 172.217.4.142 routing-instance Content_Filter_Instance rapid count 5
>ping 10.154.20.6 routing-instance Content_Filter_Instance rapid count 5
>ping 10.154.20.7 routing-instance Content_Filter_Instance rapid count 5
I suspect, in reading about Websense, that your filter needs to be more specific, matching only the http and https ports instead of all traffic. This will then only forward the web traffic to the Websense server and not all traffic.
You should apply the filter to any interface where the ingress of the traffic will occur. This will depend on where this traffic enters the SRX.
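The port-specific filter suggested above, written out as an added example (it is not the poster's config and not taken from any Juniper document). The filter name TO-WEBSENSE, the counter name and the use of reth0 unit 125 as the ingress interface are assumptions; the routing instance name Content_Filter_Instance is the one used in this thread. Only TCP to ports http and https is steered into the instance; everything else is accepted on the normal path, so a mistake in the filter cannot black-hole non-web traffic:

```junos
/* Added example, not the poster's configuration. Assumed names: filter
   TO-WEBSENSE, counter web-redirected, ingress interface reth0.125. */
firewall {
    family inet {
        filter TO-WEBSENSE {
            term web-to-filter {
                from {
                    protocol tcp;
                    destination-port [ http https ];
                }
                then {
                    count web-redirected;          /* non-terminating: lets you verify hits */
                    routing-instance Content_Filter_Instance;
                }
            }
            term everything-else {
                then accept;                       /* all other traffic keeps the normal path */
            }
        }
    }
}
interfaces {
    reth0 {
        unit 125 {
            family inet {
                filter {
                    input TO-WEBSENSE;             /* apply where the client traffic enters */
                }
            }
        }
    }
}
```

After committing, "show firewall filter TO-WEBSENSE" shows whether the web-redirected counter increments while a client browses; if it stays at zero, the traffic is entering on a different interface than the one carrying the filter.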
Problem is that the route resolution is done in bgp.l3vpn.0 before it is imported into the VRF:
"When a PE router receives a route from another PE router, it places the route into its bgp.l3vpn.0 routing table. The route is resolved using the information in the inet.3 routing table. The resultant route is converted into IPv4 format and redistributed to all routing-instance-name.inet.0 routing tables on the PE router if it matches the VRF import policy." (Source: http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/vpn-routing-tables-vpn-forwarding-tables.html)
So, your forwarding table policy has to be based on information which is already present in the bgp.l3vpn.0.
Cheers,
Carsten
The text is a little misleading, but what happens is that the local site id is skipped (thus resulting in an increase of 2), i.e.
protocols {
    l2vpn {
        encapsulation-type ethernet-vlan;
        site ce10 {
            site-identifier 2;
            interface ge-0/0/7.550;   # RSI=1
            interface ge-0/0/7.551;   # RSI=3 (because site id 2 is local)
            interface ge-0/0/7.552;   # RSI=4
        }
    }
}
See https://forums.juniper.net/t5/Routing/question-in-L2VPN/td-p/90950 for more details.
Cheers,
Carsten
I am talking about moving aggregate routes from one VRF to another using rib-groups in the same way that can be done for direct, static, OSPF, BGP routes etc., not defining routes in the routing table.
The option is not there:
{master}[edit routing-instances R-1]
lab@MX480_re0# set routing-options static ri?
Possible completions:
rib-group Routing table group
{master}[edit routing-instances R-1]
lab@MX480_re0# set routing-options aggregate ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> defaults Global route options
> route Individual route options
Thanks,
Yeah, I have been up and down that thread.
Thought I had it figured out until I came across that page in the book and doubted it for a bit.
Figured I'd see what the consensus was.
Appreciate the help.
Hello Guys,
I need your help regarding the no-mac-learning command.
We faced an issue on our link: as a result, TCP/UDP packets were transferred, however ICMP packets were not getting transported.
We have VRF lite at the customer side router. We checked with the provider (PTT); they said the issue was due to "no-mac-learning" being configured at their core switch.
Now, if no-mac-learning is a layer 2 command, it should impact all the traffic (layer 3 traffic I mean), yet it only impacted ICMP traffic.
Please share your views.
This is the flow:
parce@CRSJ-RHR-FW-PRI> show security flow status
node0:
--------------------------------------------------------------------------
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: drop
MPLS forwarding mode: drop
ISO forwarding mode: drop
Flow trace status
Flow tracing status: off
Flow session distribution
Distribution mode: RR-based
node1:
--------------------------------------------------------------------------
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: drop
MPLS forwarding mode: drop
ISO forwarding mode: drop
Flow trace status
Flow tracing status: off
Flow session distribution
Distribution mode: RR-based
Route Tables:
...ble Content_Filter_Instance.inet.0 10.154.25.21
Content_Filter_Instance.inet.0: 39 destinations, 39 routes (39 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.154.25.0/24 *[Direct/0] 1w3d 20:45:48
> via reth0.125
...t_Filter_Instance.inet.0 10.154.2.19
Content_Filter_Instance.inet.0: 39 destinations, 39 routes (39 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.154.2.0/26 *[Direct/0] 1w3d 20:44:49
> via reth0.120
The only ping not working are these:
...ilter_Instance rapid count 5
PING 10.154.2.19 (10.154.2.19): 56 data bytes
ping: sendto: Can't assign requested address
.ping: sendto: Can't assign requested address
.ping: sendto: Can't assign requested address
.ping: sendto: Can't assign requested address
.ping: sendto: Can't assign requested address
.
--- 10.154.2.19 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
{primary:node0}
parce@CRSJ-RHR-FW-PRI> ..._Filter_Instance rapid count 5
PING 172.217.4.142 (172.217.4.142): 56 data bytes
ping: sendto: Can't assign requested address
.ping: sendto: Can't assign requested address
.ping: sendto: Can't assign requested address
.ping: sendto: Can't assign requested address
.ping: sendto: Can't assign requested address
.
--- 172.217.4.142 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
{primary:node0}
parce@CRSJ-RHR-FW-PRI> ping 10.154.25.21 routing-instance Content_Filter_In
PING 10.154.25.21 (10.154.25.21): 56 data bytes
ping: sendto: Can't assign requested address
.ping: sendto: Can't assign requested address
.ping: sendto: Can't assign requested address
.ping: sendto: Can't assign requested address
.ping: sendto: Can't assign requested address
.
The correct PC IP is 10.154.25.21
Try using an import policy with the "instance import" function instead of rib groups. This is more flexible and may allow the import.
https://kb.juniper.net/InfoCenter/index?page=content&id=KB19787
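The instance-import approach suggested above, written out as an added example (it is not the KB article's configuration). The instance names R-1 and R-2, the aggregate prefix 10.0.0.0/16, the route-distinguisher and vrf-target values, and the policy name are assumptions. The policy matches the aggregate route by source instance, protocol and exact prefix, so nothing else from R-1 is pulled into R-2:

```junos
/* Added example, not the KB's config. Assumed: instances R-1 and R-2,
   prefix 10.0.0.0/16, RD/RT values, policy name IMPORT-AGG-FROM-R-1. */
policy-options {
    policy-statement IMPORT-AGG-FROM-R-1 {
        term aggregates {
            from {
                instance R-1;                  /* source table: R-1.inet.0 */
                protocol aggregate;
                route-filter 10.0.0.0/16 exact;
            }
            then accept;
        }
        term nothing-else {
            then reject;                       /* do not leak anything else */
        }
    }
}
routing-instances {
    R-1 {
        instance-type vrf;
        route-distinguisher 65000:1;           /* assumed value */
        vrf-target target:65000:1;             /* assumed value */
        routing-options {
            aggregate {
                route 10.0.0.0/16;
            }
        }
    }
    R-2 {
        instance-type vrf;
        route-distinguisher 65000:2;           /* assumed value */
        vrf-target target:65000:2;             /* assumed value */
        routing-options {
            instance-import IMPORT-AGG-FROM-R-1;
        }
    }
}
```

Verify with "show route table R-2.inet.0 10.0.0.0/16": the aggregate should appear there as an active route sourced from R-1, while "show route table R-2.inet.0" should not pick up any other R-1 prefixes.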
hi guys !
Just wondering how to configure BGP load balancing.
I have 6 routers and they connect to 2 different PEs of the same ISP, let's say AS65501. I have 2 more ISPs for resilience. How can I load balance this in an active/active setup, since it is a 10G port each and I want to use and balance the traffic as much as possible?
In between, the 6 routers will be running iBGP, with RR on the first 2 routers that we purchased.
I just want to load balance the inbound/outbound on this same ISP, AS65501, using my 2 routers that interface with them.
Any way to achieve this?
Hello,
There is not enough information in the original post. Namely:
1/ no topology diagram
2/ are Your ISPs giving You full table each, or only some of them?
3/ do You want to load-balance both upload+download, or only download?
4/ are You using MPLS internally in Your AS?
Please provide more information so other users could assist better.
HTH
Thx
Alex
Hello. Using Juniper MX80 as BRAS. Junos version: 13.3R9.13.
Clients go to the internet via NAT. Client count is about 4.2k. Recently we faced a high load on the MS-MIC-16G card, which affects the response time of resources on the internet (for example from ~10 sec to ~40 sec).
After rebooting the ms-mic-16g, CPU load returns to normal and response time improves. But after a while CPU load grows and response time grows too. This is shown in the graph (red line: ms-mic-16g CPU utilization).
I checked the NAT config and did not find anything suspicious.
Here is the config:
pool NAT-POOL-1 {
    address-range low XXX.XXX.XXX.1 high XXX.XXX.XXX.254;
    port {
        automatic {
            random-allocation;
        }
    }
}
rule NAT-RULE {
    match-direction input;
    term EIM {
        from {
            source-prefix-list {
                NAT-PREFIX-LIST;
            }
            applications [ junos-pptp junos-ipsec-esp ];
            application-sets APP;
        }
        then {
            translated {
                source-pool NAT-POOL-1;
                translation-type {
                    napt-44;
                }
                address-pooling paired;
            }
        }
    }
    term SIMPLY {
        from {
            source-prefix-list {
                NAT-PREFIX-LIST;
            }
        }
        then {
            translated {
                source-pool NAT-POOL-1;
                translation-type {
                    napt-44;
                }
                address-pooling paired;
            }
        }
    }
}
NAT statistics
router_name>show services nat statistics
Interface: ms-0/2/0
Session statistics
Total Session Interest events :487733053
Total Session Create events :245970868
Total Session Destroy events :499617371
Total Session Pub Req events :24
Total Session Accepts :245956398
Total Session Discards :241762154
Total Session Ignores :14501
Session interest thru pub event :0
ALG Session interest :48
ALG Session Create :48
Packet Dst in NAT route :241757812
Packet drop in backup state :0
Session Ext Alloc Failures :0
Session Ext Set Failures :0
Session Created for EIF :0
Session Created for EIM :0
NAT rule lookup failures :241772313
Pool session count update failed on create :0
Pool session count update failed on close :0
NAT Allocation statistics
NAT allocation Successes :245956350
NAT allocation Failures :0
NAT Free Successes :245826422
NAT Free Failures :0
NAT EIM mapping reused :0
NAT EIM mapping allocation failures :0
NAT EIM mapping Duplicate entry :0
NAT EIM mapping create failed :0
NAT EIM mapping Created :0
NAT EIM mapping Updated :0
NAT EIF mapping Free :0
NAT EIM mapping Free :0
NAT EIM waiting for init :0
NAT EIM waiting for init failed :0
NAT EIM lookup and hold success :0
NAT EIM lookup entry in timeout :0
NAT EIM lookup timer cleared for timeout entry :0
NAT EIM lookup timeout entry without timer :0
NAT EIM release without entry :0
NAT EIM release entry in timeout :0
NAT EIM release race :0
NAT EIM release set entry for timeout :0
NAT EIM timer entry refreshed :0
NAT EIM timer invalid timer started :0
NAT EIM timer entry freed :0
NAT EIM timer entry updated :0
NAT EIM entry drained :0
Packet statistics
Total Packets Processed :2801621451
Total Packets Forwarded :2801621442
Total Packets Discarded :9
Total Packets Translated :1773706062
Total Packets Restored :996650560
Translation statistics
Src IPv4 Translations :1768704401
Src IPv4 Restorations :0
Dst IPv4 Translations :5001661
Dst IPv4 Restorations :996650560
Src IPv6 Translations :0
Src IPv6 Restorations :0
Dst IPv6 Translations :0
Dst IPv6 Restorations :0
Src Port Translations :1756790969
Src Port Restorations :0
Dst Port Translations :0
Dst Port Restorations :996153639
ICMP ID Translations :1025754
ICMP ID Restorations :496921
ICMP Error Translations :31264820
TCP Port Translations :1828529677
TCP Port Restorations :3321986633
UDP Port Translations :4223228588
UDP Port Restorations :1969134302
NAT Unexpected Protocol With Port Xlation :0
GRE CallID Translations :5001661
GRE CallID Restorations :0
GRE Wrong protocol value :0
SRC IP restored in ICMP Error :0
DST IP restored in ICMP Error :28198026
SRC IP translated in ICMP Error :3066794
DST IP translated in ICMP Error :0
New SRC IP translated in ICMP Error :0
Inner SRC IP restored in ICMP Error :28198026
Inner SRC port restored in ICMP Error :28198014
Inner DST port restored in ICMP Error :0
Inner DST IP restored in ICMP Error :0
Inner SRC IP translated in ICMP Error :3066794
Inner SRC port translated in ICMP Error :3066794
Inner DST port translated in ICMP Error :0
Inner DST IP translated in ICMP Error :0
Misc Errors
NAT error - no policy :0
NAT error - IP version :0
NAT error - xlate free called with null ext :0
NAT error - ext free failed :0
NAT error - policy add failed :0
NAT error - policy delete failed :0
NAT error - prefix filter allocation failed :0
NAT error - prefix filter name failed :0
NAT error - prefix list create failed :0
NAT error - prefix filter tree add failed :0
Misc Counters
NAT prefix filter created :0
NAT prefix filter changed :0
NAT prefix filter control free :0
NAT prefix filter match :0
NAT prefix filter no match :0
NAT prefix filter mapping add :0
NAT prefix filter mapping remove :0
NAT prefix filter mapping free :0
NAT prefix filter unsupported IP version :0
NAT unsupported layer-4 header for port translation :0
NAT unsupported icmp id for port translation :0
NAT64 Counters
NAT64 - IP options drop :0
NAT64 - UDP checksum zero drop :0
NAT64 - Unsupported ICMP type drop :0
NAT64 - Unsupported ICMP code drop :0
NAT64 - Unsupported header drop :0
NAT64 - Unsupported L4 drop :0
NAT64 - MTU exceeded :0
NAT64 - TTL exceeded :0
NAT64 - dfbit set :0
NAT64 - Unsupported ICMP error :0
NAT64 error - mapping ipv4 source :0
NAT64 error - mapping ipv6 destination :0
NAT64 error - MTU exceed build :0
NAT64 error - TTL exceed build :0
NAT64 error - MTU exceed send :0
NAT64 error - TTL exceed send :0
Has anybody faced a similar degradation of NAT? If so, please let me know the solution to improve my service.
Hello,
JUNOS 13.3 is not recommended for use with MS-MIC/MS-MPC CGNAT.
Please use 14.2R7-S2 or newer, this release has numerous bug fixes specifically for MS-MIC/MS-MPC.
Also, it seems that You have lots of traffic not matching Your NAT rules:
NAT rule lookup failures :241772313
Could be either a mistake in Your prefix-list, or NAT hairpinning, or attacks from internet.
Could take a repeated "show services nat statistics" printout during Your troubles with MS-MIC to see if this counter goes up a lot at the same time?
HTH
Thx
Alex
Hi all, small correction: 14.2 is not qualified for subscriber management, so you need 15.1.
You can try 15.1R5, which was released a few days ago.
Hi
I made an interesting observation. This is not affecting production (yet) but I would like to find out the root cause and know whether this is cosmetic or something to worry about.
"show ospf log" command is displaying continuous flow of "Redist" type events in "Last 100 events" list.
For example:
user@router> show ospf log
Topology default SPF log:
Last instance of each event type
When Type Elapsed
22:16:03 SPF 0.000534
22:16:03 Stub 0.001594
22:16:03 Interarea 0.000005
22:16:03 External 0.000070
22:16:03 NSSA 0.000002
22:16:03 Cleanup 0.004944
Maximum length of each event type
When Type Elapsed
3w1d 22:05:05 SPF 0.115054
15w3d 13:11:21 Stub 0.005442
27w1d 16:09:33 Interarea 0.000420
27w1d 15:31:46 External 0.006790
17w6d 15:55:14 NSSA 0.000495
8w0d 22:08:26 Cleanup 0.013487
Last 100 events
When Type Elapsed
00:01:25 Redist 0.000046
00:01:25 Redist 0.000037
00:01:25 Redist 0.000040
[...]
00:00:01 Redist 0.000026
00:00:01 Redist 0.000026
OSPF traceoptions with "flag spf" produce lots of log entries like this:
Nov 25 12:42:25.536012 Finished flash processing for topology default
Nov 25 12:42:26.407881 Starting flash processing for topology default
Nov 25 12:42:26.409175 Redist elapsed time 0.001223s
Nov 25 12:42:26.409208 Processed 26 routes
Nov 25 12:42:26.409228 Finished flash processing for topology default
Nov 25 12:42:26.412845 Starting flash processing for topology default
Nov 25 12:42:26.413579 Redist elapsed time 0.000687s
Nov 25 12:42:26.413608 Processed 26 routes
Nov 25 12:42:26.413627 Finished flash processing for topology default
This is happening on a few production routers (MX). They have a simple ospf export policy that's injecting 0/0 (static discard) route to ospf. The static 0/0 route is not flapping. I don't see any routes flapping. OSPF is flat area 0.
I didn't have the courage to try traceoptions w/ "flag spf detail" yet.
Has anyone seen this? Ideas how to troubleshoot further?
Thanks
Hello,
Last time I saw a similar problem it was duplicated router-ids on 2 boxes.
Back to Your observations:
smith_john75 wrote: Hi
This is happening on a few production routers (MX). They have a simple ospf export policy that's injecting 0/0 (static discard) route to ospf.
Show us this policy, or better a whole sanitized config & topology. You say that only one 0/0 gets redistributed - fine, but then it does not tally with the 26 routes that get processed by OSPF during the redistribution event.
HTH
Thx
Alex
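For comparison with whatever the real policy looks like, here is an added example (not smith_john75's configuration) of an OSPF export policy that can only ever hand the static discard default to OSPF. The router-id, the policy name EXPORT-DEFAULT-ONLY and the interface ge-0/0/0.0 are assumptions. The point of the exact route-filter and the explicit reject term is that "Processed 26 routes" in the trace cannot be explained by this policy, which narrows the search to other sources of the redistribution events:

```junos
/* Added example, not the poster's config. Assumed: router-id 192.0.2.1,
   policy name EXPORT-DEFAULT-ONLY, area 0 interface ge-0/0/0.0. */
routing-options {
    router-id 192.0.2.1;                   /* must be unique across the OSPF domain */
    static {
        route 0.0.0.0/0 discard;
    }
}
policy-options {
    policy-statement EXPORT-DEFAULT-ONLY {
        term default-only {
            from {
                protocol static;
                route-filter 0.0.0.0/0 exact;   /* exactly the discard default, nothing longer */
            }
            then accept;
        }
        term nothing-else {
            then reject;                    /* OSPF's default export action is already reject;
                                               this term just makes the intent visible */
        }
    }
}
protocols {
    ospf {
        export EXPORT-DEFAULT-ONLY;
        area 0.0.0.0 {
            interface ge-0/0/0.0;
        }
    }
}
```

With this in place, "show ospf database external detail" should list a single Type 5 LSA for 0.0.0.0/0 originated by this router, and "show ospf overview" on each box confirms the router ID it is actually using; two boxes announcing the same ID is the duplicated-router-id case mentioned above and shows up as conflicting router LSAs in "show ospf database router".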
Hi, I have an MX2020 running 13.3 with MPC6E line cards. I was curious to know if there is a way to capture full packets from an exception trace packet capture. It seems like after removing the 25-byte parcel header I'm left with 70-byte packets consistently. I was wondering if the exception trace packet capture is configurable.
I was trying to troubleshoot bad ipv4 packet length discards, so I did the following (this isn't a cut and paste from output)
rooter> start shell pfe network fpc18
rpmc18> debug jnh exceptions 12 discard # 12 is for bad ipv4 packet length according to show jnh 0 exceptions terse
rpmc18> debug jnh exceptions-trace
rpmc18> show jnh exceptions-trace # gives me the dump that i format, i note that each packet is 70bytes
It's not critical for me to get the full packet, as I can packet capture with alternative methods. I'm curious though: is there a way to get the full packet from the exception trace? Thanks.
Hello All,
Any other thoughts in how to fix this?
Thanks
Is there any way to block the traffic between VLANs in the whole network?