Hi all!

I have broken mx5 Router. I try to indicate FPC built-in module, but is isn't not displayed. 

root@jMX80-Test> show chassis fpc
Temp CPU Utilization (%) Memory Utilization (%)
Slot State (C) Total Interrupt DRAM (MB) Heap Buffer
0 Empty
1 Empty

root@jMX80-Test> show chassis hardware
Hardware inventory:
Item Version Part number Serial number Description
Chassis F5591 MX5-T
Midplane REV 08 711-038215 ZX3550 MX5-T
PEM 1 Rev 04 740-028288 VL11669 AC Power Entry Module
Routing Engine BUILTIN BUILTIN Routing Engine
TFEB 0 BUILTIN BUILTIN Forwarding Engine Processor
Fan Tray Fan Tray

Also all links is down.

I try to connect to tfeb via start shell pfe network tfeb0, but it reset connection after few seconds. Also in this mode I can see a lot of suspicious logs. I attached it.

Any idea about this issue? Or I can throw away this router?

Hi

In my datacenter network there are

- 2 * MX80 as BGP speakers to ISP

- VC EX4550 

- and a lot of ex3300 as a access switches.

Do you have any idea how to get on these devices what "Private VLANs" do? As I understand, i would need powerful SRX to run private VLANs, so im looking to workaround/alternative.

Hello !

I built a VPLS Network for a customer and I'm  experiencing an issue when customer want to set layer 2 connections.

The scheme enclosed is a simplified version of reality.

Traffic coming from remote sites is encapsulated in a vlan by the RAD and decapsulated on the RAD ETX220.

Fiber provider encapsulate traffic from the RAD until our PoP.

Each site is only connected to the customer Cisco ASR.

The remote sites can connect to Internet and set up L3 connections through Cisco ASR.

Customer site 2 and 3 can set up L2 connections through Cisco ASR.

Customer site 2 and 4 can set up L2 connections through Cisco ASR.

Customer site 4 and 5 CAN'T set up L2 connections through Cisco ASR.

I check MTU, It's good.

Do you have any ideas on  the origin of the problem ?

You can find enclosed some parts of the MX and Switch config.

Thank you for your help

Aurélien

Is nobody else doing something similar and able to help me here?

Thanks,
Jonas

Hi, 

I am having "overflow" problems on Multicast Clients conected to my EX4200. I need to monitor the multicast group usage  (bytes). I am looking for a OID  that can give me that information, so I can make a graph for each group, but I  cant find anything.  

Does any body knows the OID? or other way I can get that information from the switch?  (maybe only with a script)

show multicast usage

Group Sources Packets Bytes
230.7.3.0 1 99741 0
230.7.7.0 1 80834 118272
230.7.7.4 1 80812 87360
230.7.7.8 1 80770 33600
230.7.7.12 1 80763 25536
230.7.7.5 1 80747 0
230.7.7.6 1 80747 0
230.7.7.16 1 80747 0  

Thank you for your help.

I have two edge routers. They have a direct link that is p2p with ospf and then I run iBGP over that link. It's basically simple and straight out of the Juniper handbook   They both take full tables from their respective ISP's that are terminated in them  One router (R2) shows what I expect to be a normal full routing table AND shows the installed routes from it's peer. For example:

inet.0: 627531 destinations, 1244831 routes (627530 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

1.0.4.0/24         *[BGP/170] 6d 02:15:23, localpref 100, from 172.17.3.1
                      AS path: 4323 3356 174 4826 38803 56203 I, validation-state: unverified
                    > to 10.0.0.1 via ge-0/1/9.0
                    [BGP/170] 00:52:05, MED 0, localpref 100, from 68.86.80.92
                      AS path: 26264 26264 26264 26264 7922 174 4826 38803 56203 I, validation-state: unverified> to 50.233.71.125 via ge-0/0/1.0

However, even though the iBGP configuration between the peers is in the "Established" state, I get totally different behaviour between the two.  Like I shared above, R2 gets it's ISP full tables (the one padded with 26264) and the tabled from R1.  On R2 I see the advertisement correctly:

gsadmin@SSC-ERTR02> show route receive-protocol bgp 172.17.3.1        

inet.0: 627576 destinations, 1244909 routes (627575 active, 0 holddown, 1 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 1.0.4.0/24              172.17.3.1                   100        4323 3356 174 4826 38803 56203 I
* 1.0.5.0/24              172.17.3.1                   100        4323 3356 174 4826 38803 56203 I
* 1.0.6.0/24              172.17.3.1                   100        4323 3356 174 4826 38803 56203 56203 56203 I
* 1.0.64.0/18             172.17.3.1                   100        4323 2516 7670 18144 I
* 1.0.128.0/17            172.17.3.1                   100        4323 3356 3491 3491 38040 9737 I
* 1.0.128.0/18            172.17.3.1                   100        4323 3356 3491 3491 38040 9737 I
* 1.0.128.0/19            172.17.3.1                   100        4323 3356 3491 3491 38040 9737 I
* 1.0.128.0/24            172.17.3.1                   100        4323 3356 3491 3491 38040 23969 I
* 1.0.129.0/24            172.17.3.1                   100        4323 3356 4651 23969 I
* 1.0.131.0/24            172.17.3.1                   100        4323 3356 3491 3491 38040 23969 I
* 1.0.132.0/22            172.17.3.1                   100        4323 3356 3491 3491 38040 23969 I

and on R2 I am advertising correctly:

gsadmin@SSC-ERTR02> show route advertising-protocol bgp 172.17.3.1

inet.0: 627566 destinations, 1244882 routes (627565 active, 0 holddown, 1 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 1.11.0.0/21             Self                 0       100        26264 26264 26264 26264 7922 1239 9318 38091 18313 I
* 1.11.8.0/21             Self                 0       100        26264 26264 26264 26264 7922 1239 9318 38091 18313 I
* 1.11.16.0/21            Self                 0       100        26264 26264 26264 26264 7922 1239 9318 38091 18313 I
* 1.11.24.0/21            Self                 0       100        26264 26264 26264 26264 7922 1239 9318 38091 18313 I
* 1.11.32.0/21            Self                 0       100        26264 26264 26264 26264 7922 1239 9318 38091 18313 I
* 1.11.40.0/21            Self                 0       100        26264 26264 26264 26264 7922 1239 3786 9457 38091 18313 I
* 1.11.48.0/21            Self                 0       100        26264 26264 26264 26264 7922 1239 9318 38091 18313 I
* 1.11.56.0/21            Self                 0       100        26264 26264 26264 26264 7922 1239 9318 38091 18313 I
* 1.11.64.0/21            Self                 0       100        26264 26264 26264 26264 7922 1239 9318 38091 I
* 1.11.72.0/21            Self                 0       100        26264 26264 26264 26264 7922 1239 9318 38091 I
~etc~

However here is where the issue takes place.  On R1 the advertising is correct but it's acting like its not receiving anything from R2:

gsadmin@SSC-ERTR01> show route receive-protocol bgp 172.17.3.2 

inet.0: 620593 destinations, 620593 routes (620593 active, 0 holddown, 0 hidden)

gsadmin@SSC-ERTR01> 

and R1's BGP session is suspiciously absent of prefixes:

gsweetadmin@SSC-ERTR01> show bgp neighbor 172.17.3.2 
Peer: 172.17.3.2+53020 AS 26264 Local: 172.17.3.1+179 AS 26264
  Description: Local iBGP peering for DIA circuits
  Type: Internal    State: Established    Flags: <Sync>
  Last State: OpenConfirm   Last Event: RecvKeepAlive
  Last Error: Hold Timer Expired Error
  Export: [ next-hop-self ] 
  Options: <Preference LocalAddress Refresh>
  Local Address: 172.17.3.1 Holdtime: 90 Preference: 170
  Number of flaps: 1
  Last flap event: HoldTime
  Error: 'Hold Timer Expired Error' Sent: 1 Recv: 0
  Peer ID: 198.97.232.3    Local ID: 198.97.232.2      Active Holdtime: 90
  Keepalive Interval: 30         Group index: 0    Peer index: 0   
  BFD: disabled, down
  NLRI for restart configured on peer: inet-unicast
  NLRI advertised by peer: inet-unicast
  NLRI for this session: inet-unicast
  Peer supports Refresh capability (2)
  Stale routes from peer are kept for: 300
  Peer does not support Restarter functionality
  NLRI that restart is negotiated for: inet-unicast
  NLRI of received end-of-rib markers: inet-unicast
  NLRI of all end-of-rib markers sent: inet-unicast
  Peer supports 4 byte AS extension (peer-as 26264)
  Peer does not support Addpath
  Table inet.0 Bit: 10000
    RIB State: BGP restart is complete
    Send state: in sync
    Active prefixes:              0
    Received prefixes:            0
    Accepted prefixes:            0
    Suppressed due to damping:    0
    Advertised prefixes:          620594
  Last traffic (seconds): Received 2    Sent 3    Checked 19  
  Input messages:  Total 140170 Updates 8800    Refreshes 0     Octets 3457531
  Output messages: Total 12948952       Updates 12818134        Refreshes 0     Octets 1427317246
  Output Queue[0]: 0

Note that accepted and received prefixes are 0.

Configuration options for R1:

> show configuration policy-options 
policy-statement BGP-Prefixes {
    from protocol bgp;
    then accept;
}
policy-statement BGP-TimeWarner-IN {
    term Default {
        then accept;
    }
    term otherwise {
        then reject;
    }
}
policy-statement BGP-TimeWarner-OUT {
    term Default {
        from {
            protocol direct;
            route-filter 198.97.232.0/24 exact;
        }
        then accept;
    }
    term otherwise {
        then reject;
    }
}
policy-statement next-hop-self {
    then {
        next-hop self;
    }
}> show configuration protocols 
bgp {
    group TimeWarner_Peer {
        type external;
        local-address 66.193.43.186;
        log-updown;
        import BGP-TimeWarner-IN;
        export BGP-TimeWarner-OUT;
        peer-as 4323;
        neighbor 66.193.43.185;
    }
    group local-peers {
        type internal;
        description "Local iBGP peering for DIA circuits";
        local-address 172.17.3.1;
        export next-hop-self;
        neighbor 172.17.3.2;
    }
}
ospf {
    area 0.0.0.0 {
        interface lo0.0 {
            passive;
        }
        interface ge-0/1/9.0;
    }
}

Configuration for R2:

> show configuration policy-options 
policy-statement BGP-Comcast-IN {
    term reject-routes {
        from {
            route-filter 0.0.0.0/0 exact;
        }
        then reject;
    }
    term Default {
        then {
            as-path-prepend "26264 26264 26264 26264";
            accept;
        }
    }
    term otherwise {
        then reject;
    }
}
policy-statement BGP-Comcast-OUT {
    term Default {
        from {
            protocol direct;
            route-filter 198.97.232.0/24 exact;
        }
        then accept;
    }
    term otherwise {
        then reject;
    }
}
policy-statement BGP-Prefixes {
    from protocol bgp;
    then accept;
}
policy-statement next-hop-self {
    then {
        next-hop self;
    }
}> show configuration protocols 
bgp {
    group Comcast_Peer {
        type external;
        local-address 50.233.71.126;
        log-updown;
        import BGP-Comcast-IN;
        export BGP-Comcast-OUT;
        peer-as 7922;
        neighbor 50.233.71.125;
        neighbor 68.86.80.92 {
            multihop;
        }
    }
    group local-peers {
        type internal;
        description "Local iBGP peering for DIA circuits";
        local-address 172.17.3.2;
        export next-hop-self;
        neighbor 172.17.3.1;
    }
}
ospf {
    area 0.0.0.0 {
        interface lo0.0 {
            passive;
        }
        interface ge-0/1/9.0;
    }
}

Thoughts? Opinions? Corrections?

Hi, I understand that it is IBGP and you are traying to advertise Full table between them rigth?  Have you try to configure that peer as a cluster on R2?    Also declare as NHS on R2.  

Regards.

EC.

Hi,  once I have that problem... I was having problem to advertise full table to a IBGP, I place it as a cluster and it work fine. Maybe it will work for u.  

EC

Hello,

Seems you are forcing an AS Path loop. The issue is that you are adding as-path-prepends with your own ASN 26264 to the prefixes received on R2 from Comcast. Then you advertise this prefixes to R1, who is also on ASN 26264, R1 detects this routes with a looped AS path, and discards them. You could see the hidden routes if you configure "keep all" under protocols bgp (I don't recommend doing this on your production network.

To correct this, use another BGP attribute instead of as-path-prepends, like local-preference, which would be more suitable. For example, configuration on R2 would be:

> show configuration policy-options 
policy-statement BGP-Comcast-IN {
    term reject-routes {
        from {
            route-filter 0.0.0.0/0 exact;
        }
        then reject;
    }
    term Default {
        then {
            local-preference 90;
            accept;
        }
    }
    term otherwise {
        then reject;
    }
}

 I hope this helps. Any further doubts are welcome.

Solved.

show snmp mib walk decimal 1.3.6.1.3.60.1.1.2.1.10
ipMRoute1Octets.230.7.3.0.10.7.2.5.255.255.255.255 = 0
ipMRoute1Octets.230.7.7.0.10.7.0.1.255.255.255.255 = 118272
ipMRoute1Octets.230.7.7.1.10.7.0.5.255.255.255.255 = 0
ipMRoute1Octets.230.7.7.2.10.7.0.9.255.255.255.255 = 0
ipMRoute1Octets.230.7.7.3.10.7.0.13.255.255.255.255 = 0
ipMRoute1Octets.230.7.7.4.10.7.0.1.255.255.255.255 = 87360
ipMRoute1Octets.230.7.7.5.10.7.0.5.255.255.255.255 = 0
ipMRoute1Octets.230.7.7.6.10.7.0.9.255.255.255.255 = 0
ipMRoute1Octets.230.7.7.7.10.7.0.13.255.255.255.255 = 0
ipMRoute1Octets.230.7.7.8.10.7.0.1.255.255.255.255 = 33600
ipMRoute1Octets.230.7.7.9.10.7.0.5.255.255.255.255 = 0
ipMRoute1Octets.230.7.7.10.10.7.0.9.255.255.255.255 = 0
ipMRoute1Octets.230.7.7.11.10.7.0.13.255.255.255.255 = 0
ipMRoute1Octets.230.7.7.12.10.7.0.1.255.255.255.255 = 25536
ipMRoute1Octets.230.7.7.13.10.7.0.5.255.255.255.255 = 0
ipMRoute1Octets.230.7.7.14.10.7.0.9.255.255.255.255 = 0
ipMRoute1Octets.230.7.7.15.10.7.0.9.255.255.255.255 = 0
ipMRoute1Octets.230.7.7.16.10.7.0.13.255.255.255.255 = 0
ipMRoute1Octets.230.7.7.17.10.7.0.1.255.255.255.255 = 0

I'm not sure what you are looking for as Private VLANs and SRX firewalls are two entirely different things.

https://www.juniper.net/documentation/en_US/junos15.1/topics/concept/private-vlans-ex-series.html

pVLANs allow a speaker to connect with the default gateway but not other hosts in the same network.

SRX firewalls provide stateful inspection of traffic between security zones and allow nuanced control of traffic and the use of NAT for internet access.

If you are looking from something SRX like on switches perhaps firewall filters would give you some of the traffic control. But these are packet filter based not stateful.  And they are more cumbersome to manage and monitor.

http://www.juniper.net/documentation/en_US/junos13.3/topics/concept/firewall-filter-ex-series-overview.html

Hi,

The FPC on MX5 router is built-in. Please help to clarify following:

1. Since when the router is in this state? Was there any JUNOS upgrade/downgrade performed?

2. Have you tried rebooting the router without any MICs installed? If not, can you please give a try?

3. Did you have any licenses installed on this router earlier?

Thanks

Thanks for answer. 

We have got ex4550 as a L3 gateway and a few  ex3300 as an access switches. All of them support pvlan.

The problem is that i would need router with promiscous port -i think our MXes cant (od can) do that. Thats why i write about SRX.

I enclosed schema. I would like to separate customers from the same ip class.

Any ideas how to do it without SRX? 

I'm sorry this is still not clear to me what your end state is desired.   You currently use PVLAN for the gateway.

Are you looking to move the gateway to the MX and no longer have PVLAN?

Or you want some kind of separation of the clients AND keep them in the same broadcast domain?

Or you want separation from the clients and need normal VLAN operation?

Feels like a hardware failure to me.  Are there any log messages?

I would try to reinstall or upgrade Junos just in case it would clear the issue.

Thanks for trying to understand me

I don't use pvlan at the moment because i don't have router that support promiscous mode.

At the moment all customers are in the same vlan, in one broadcast domain and in one network class.

I'm looking for solution to prohibit customer1 from use customer2's ip adresses.

The other thing is that customer2 has vmware and he can move his ip adresses between VMs so MAC addresses can change.  

Yes I can move gateway to MXes.

Thanks for reply.
Some logs from tfeb:
[Jan 30 09:21:58.344 LOG: Err] HSL2: Missing end/ends for table-trained/channel-trained channel in offset 0
[Jan 30 09:21:58.344 LOG: Err] HSL2: Table-trained sub_table 0 failed verification.
[Jan 30 09:21:58.344 LOG: Err] HSL2: cmtfpc_hsl2_bringup: hsl2_table_trained_bringup failed (1)
[Jan 30 09:21:58.344 LOG: Err] CMT: Failed to initialize HSL2 channels: generic failure
[Jan 30 09:21:58.344 LOG: Emergency] CMT: Error initializing PFE asics
[Jan 30 09:21:58.408 LOG: Debug] cmtfpc_fm_check_fabric: Planes on the removed cb 1 are not active
[Jan 30 09:22:08.848 LOG: Info] cmtfpc_pic_send_status fpc=0 pic=0 type=2f9
[Jan 30 09:22:08.934 LOG: Info] cmtfpc_pic_send_status fpc=1 pic=0 type=2ef
[Jan 30 09:22:09.019 LOG: Info] cmtfpc_pic_send_status fpc=1 pic=1 type=2ef
[Jan 30 09:22:09.019 LOG: Info] ipc_pipe_write_wait(): Failed! (generic failure)
[Jan 30 09:22:09.019 LOG: Err] CMLC: Error writing 'PIC Status' msg to pipe
[Jan 30 09:22:09.020 LOG: Err] CMLC: Master closed connection (errno=38)
[Jan 30 09:22:09.523 LOG: Emergency] CMLC: Chassis Manager terminated
[Jan 30 09:22:09.528 LOG: Emergency] Oinker: Function CM Watchdog (0x402bb9e4) took 5023 us

I upgrade junos from 13.3 to 14.2, don't help.

there are all logs from tfeb0. it can't load and this logs followed by circle:

Can you paste in the output of "show chassis network-services" and "show configuration chassis network-services"?

Thanks for the clarification.

PVLAN is not a solution for our issue.  With PVLAN each host can only communicate with the gateway not each other.  This would likely not be good for your customers with multiple devices that they would want to talk to each other.  And it will not prevent someone for adding another host ip address in the same subnet which you had allocated to someone else.

Your only real solution to locking down ip addresses per client is to assign each client their own subnet and gateway.  With this restriction they cannot step outside their allocation onto other client services.  The MX is a good platform to scale out this type of multiple VLAN and ip range setup.