Hi there,
Does the following config filter out bgp prefixes from the primary-table inet.0 as well as from the secondary table test.inet.0 ? My understanding is that the RIB-GROUP import-policy does not process prefixes destined for the primary-table but only for the secondary-table(s).
rib-groups {
TEST-RIB-GROUP {
import-rib [ inet.0 test.inet.0];
import-policy FILTER;
}
}
policy-options {
policy-statement FILTER {
term FILTER-TERM {
from protocol bgp;
then reject;
}
Thanks a lot guys
Andrea
Hi all,
Is there any command that we can use to check how long the PEM is power on? We want to investigate whether have power interruption or not that make the chassis reboot.
Thanks and appreciate any feedback
Hello,
I'm trying to set up some type of load sharing for my bgp peering sessions that I have at exchange AMS-ix. Currently, I have 2 core routers (router1 & router2) with the same bgp peering sessions but at the moment all traffic from the sessions are going over router1. I would like to configure the bgp peering session in such a way that 50% of the session is active in router1 and other 50% over router2. I have read up on using MED and Multipath but this will not really achieve what I need, does anyone have a suggest or provide an article that I can read up would be much appreciated. Both paths between my core router's are of equal bandwidth
I have a ACX2200 Router and I am trying to setup an LSP using RSVP. The management network is a IPV6 network. I have ospf3 running which comes up fine. But if our unit send a RSVP PATH message , the juniper router rejects it and sends back an ICMP6 error "Parameter Problem (unrecognized next header type encountered)". If the network is changed to ipv4 it works fine and I can see the PATH and RESV messages and the labels get exchanged.
Please let me know if I am missing any configuration. Current configuration pasted below. I can provide more details in case it is needed.
Thank you,
Ram Krishnan
interfaces {
ge-0/0/2 {
unit 0 {
family inet6 {
address 00:fe:1::01/64;
}
family mpls;
}
}
ge-0/0/3 {
unit 0 {
family inet {
address 2.3.4.5/28;
}
family inet6 {
address 00:fc:1::1/64;
}
family mpls;
}
}
fxp0 {
unit 0 {
family inet {
address 10.3.64.250/16;
}
}
}
lo0 {
unit 0 {
family inet {
address 127.0.0.1/32;
}
}
}
}
routing-options {
router-id 2.2.2.2;
}
protocols {
rsvp {
tunnel-services;
interface all;
interface fxp0.0 {
disable;
}
}
mpls {
interface all;
}
ospf {
area 0.0.0.0 {
interface ge-0/0/3.0;
}
}
ospf3 {
area 0.0.0.0 {
interface ge-0/0/3.0;
}
}
}
Hello,
We have EX3400 stacked switches that have two routes to our management network. One is through the VME interfaces that are connected to our management switch, and the other is through a static route to our management router. I followed the instructions located here but it seems like the switches are still trying to send the packets out the VME interface instead of through the route to our management router.
How can I check that the VME is in the mgmt_junos routing-instance with its own gateway and routing table?
I necro'd a thread https://forums.juniper.net/t5/Routing/IPv6-RE-filter-not-working/m-p/463405#M19729 and was requested that I create my own and link to it. I have an MX104 that is having issues with locking down the SSH port. In that thread they recommend trying to change the payload-protocol to next-header in the firewall due to the age of the JUNOS. I am working on getting that done now.
Hi all,
In the vMX i can see "redudancy-event" option but i'm not see on MX80? So if my event script like vMX below so how to apply it in MX80?
Appreciate any feedback
vMX
root@vMX# set ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> destinations List of destinations referred to in 'then' clause
> event-script Configure event-scripts
> generate-event Generate an internal event
max-policies Number of policies that can be executed simultaneously
> policy Event policy for event policy manager
> redundancy-event Events for policies to take action on
> traceoptions Trace options for the event processing daemon
[edit event-options]
root@vMX# show
policy SHUT-LINK {
events LINK-DOWN;
within 30 {
trigger on 3;
}
then {
event-script link_down.slax;
}
}
event-script {
file link_down.slax;
}
redundancy-event LINK-DOWN {
monitor {
link-down {
ge-0/0/0;
ge-0/0/1;
ge-0/0/2;
}
}
}
MX80
root@MX80# set ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> destinations List of destinations referred to in 'then' clause
> event-script Configure event-scripts
> generate-event Generate an internal event
max-policies Number of policies that can be executed simultaneously
> policy Event policy for event policy manager
> traceoptions Trace options for the event processing daemon
why does
root@srx1# run show route aspath-regex "1912 1620 5555 . (2222|3333) +1111"
Match this route
inet.0: 551 destinations, 559 routes (512 active, 0 holddown, 40 hidden)
+ = Active Route, - = Last Active, * = Both
44.33.0.0/16 *[BGP/170] 00:12:13, localpref 150
AS path: 1912 1620 5555 4444 3333 2222 1111 I, validation-state: unverified
> to 172.16.101.1 via ge-0/0/4.101
H1.inet.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
H3.inet.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
inet6.0: 85 destinations, 94 routes (85 active, 0 holddown, 0 hidden)
[edit]
root@srx1#
from what I can see working right to left the match should fail on 4444
+1111 matches 1111
(2222|3333) matches 2222
. matches 3333
4444 does not match 5555
so why does it match ? so confused. Any assistance appreciated,
Hello all,
I'm configuring a L3VPN (VRF) for a customer of ours.
PPPoE clients enter the L3VPN and are terminated on our router.
The IP addresses of these PPPoE clients need to be redistributed to a BGP peer configured within this L3VPN.
My understanding was that these IP addresses (in this case access-internal routes) are being redistributed to all BGP peers when no export policy is configured.
However, after configuring an 'accept all' policy, I suddenly saw routes being announced to my peer.
Readvertise all active BGP routes to all BGP speakers, while following protocol-specific rules that prohibit one IBGP speaker from readvertising routes learned from another IBGP speaker, unless it is functioning as a route reflector.
Doesn't this mean that these routes should be re-advertised to my BGP peer?
Twice per year there is an event in the middle of Sweden. It’s a large festival where visitors bring their computers and play with each other, this is in our industry called a LAN-party. This will be a write up by two members of the team that builds network and infrastructure for this event and will give in-depth information about the struggles but also how we have solved an issue that has come up when building worlds largest LAN-party.
To start with we want to emphasize how happy we are that we get to work with latest hardware from Juniper when building this network. This post does not have anything to do with performance of the hardware, this is a write up on what we have done and how we have planned the network. We are aware that some of the technology is very early state and that there is a possibility for bugs but that is also what makes it fun for us.
This write-up will reflect on one recurring problem we have come by the last years of running with MX series routers from Juniper. And the reason we do this is that we quite fast noticed that there is very little information about troubles in MC-AE when you search for it and with this we hope to help some other network engineer who ends up having similar problems as we have faced. Before this we used Cisco ASR as our core routers but when the chance of working with Juniper came up we got very happy and it has given the team possibility to use completely new hardware and software. The environment consists of multiple different vendors today.
We also want to make clear, that the way we have built the network is not the only way, and we do not claim that it’s the right way either.
POP: https://i.imgur.com/UVDrkki.jpg (Current event DreamHack Summer 2019)
MX10003, QFX5110 & SRX4200: https://i.imgur.com/1IOSCxC.jpg (Current event DreamHack Summer 2019)
During the past years we’ve had a couple of different routers, but the basic setup is the same.
We have two MX series routers as core, with separate L2 interconnections for the switching and L3 for routing. Connected to these routers are the distribution switches for services and participants, and access switches to them.
https://i.imgur.com/LMks9FF.jpg
The routers terminate our internet connection and run BGP+BFD towards the ISP. These routers are standalone but run MC-AE with ICCP for synchronization, no virtual chassis. We have a couple of VRFs, so we run MP-BGP with MPLS L3-VPN to distribute prefixes between the routers, which handle all layer 3 in the network.
Connected to these core routers are the distribution switches. Each switch has one connection to each router in a LACP AE. The routers have one virtual switch per distribution switch since some VLAN IDs are reused, and use one VLAN in a QinQ over the interlink for vswitch to vswitch communication.
The picture below try to visualize how all these logical parts connect to each other.
https://i.imgur.com/rVvCsS5.png
The problem we have identified every time is that clients have problems getting IPv4 addresses assigned from DHCP. This issue then varies between networks (VLAN’s) in the network, some of them do not get DHCP at all and some of them get addresses directly when sending DHCP requests.
The problem seems to arise when both of the unicast DHCP OFFERs happens to be load shared to the “wrong” router from the service distribution switch, the packet with destination IP of R1’s gateway is sent to R2 which in turn routes it out via the IRB to the local subnet and switches it via the vswitch interlink to R1, which drops it.
By setting the AE facing the DHCP server in LACP active/backup mode, we force both replies towards one of the routers, one will always fail and one will always succeed. The drawback of this is that half of the link capacity is lost.
By default, each address configured on the routers has a /32 entry in the local routing table from the protocol Local, with the BGP community NoReadvrt to avoid sending it to any peers. By setting “set routing-instances VPN_DH routing-options interface-routes family inet export lan” we remove this community and the /32 prefixes are distributed to the other router. So when a DHCP reply arrives at the “wrong” router and it performs its routing lookup, it will use this prefix instead of the /25 Direct one and route it over MPLS, instead of routing it to the local subnet and sending it over the switching link.
Here’s a part of the routing table after the fix:
77.80.129.128/25 *[Direct/0] 3d 01:27:59> via irb.104
[BGP/170] 2d 23:02:30, localpref 100, from 10.255.0.2
AS path: I, validation-state: unverified> to 10.255.1.2 via ae1.2, Push 16
77.80.129.129/32 *[Local/0] 3d 01:27:56
Local via irb.104
[BGP/170] 2d 23:02:30, localpref 100, from 10.255.0.2
AS path: I, validation-state: unverified> to 10.255.1.2 via ae1.2, Push 16
77.80.129.130/32 *[Local/0] 3d 01:27:59
Local via irb.104
77.80.129.131/32 *[BGP/170] 2d 23:02:30, localpref 100, from 10.255.0.2 <<<<<< This the Local /32 advertised after the fix.
AS path: I, validation-state: unverified> to 10.255.1.2 via ae1.2, Push 16We’ve only experienced this problem on MX960 MPC4E (MPC4E 3D 32XGE) line cards and MX10003 (LC2103 with MIC1-MACSEC), not MX960 MPC5E (MPC5E 3D 24XGE+6XLGE).
We tried multiple softwares when troubleshooting MPC4E, including 15.1R6-S3 and 17.3r1.10.
This article is written by
Oscar Ekeroth
@zmegolaz
Markus Viitamäki
@suom1
Hi,
we have three EX3400 configured in a Virtual Chassis that are handling our internal L3 routing. Since some time, we are trying to use targeted-broadcast to forward WoL messages across subnets. We installed Junos 18.1R3-S6 yesterday to resolve 1390629, and it started to work for some networks.
For others, we are seeing the following lines in /var/log/messages:
dc-pfe: brcm_rt_ip_uc_host_install:1509(ip host add/change failed) Reason :Invalid parameter dc-pfe: brcm_rt_ip_uc_entry_install:1232brcm_rt_ip_uc_entry_install Error: host(/32) ip route install failed vrf 1 ip 10.201.9.255 nh-swidx 1664 nh-hwidx 100037 dc-pfe: brcm_rt_ip_uc_host_install:1509(ip host add/change failed) Reason :Invalid parameter dc-pfe: brcm_rt_ip_uc_entry_install:1232brcm_rt_ip_uc_entry_install Error: host(/32) ip route install failed vrf 1 ip 10.201.10.255 nh-swidx 1684 nh-hwidx 100039 dc-pfe: brcm_rt_ip_uc_host_install:1509(ip host add/change failed) Reason :Invalid parameter dc-pfe: brcm_rt_ip_uc_entry_install:1232brcm_rt_ip_uc_entry_install Error: host(/32) ip route install failed vrf 1 ip 10.201.8.255 nh-swidx 1688 nh-hwidx 100033
I have verified that targeted-broadcast does indeed not work for these networks. Looking at the error messages, they all have nh-hwidx > 100000. What is the meaning of that number and can I somehow find out the indices of the working networks? If I remember correctly, they were all added before the networks that don't work and have lower vlan-ids.
Any help would be appreciated, including experiences with later versions of Junos that don't have this problem. Thanks,
Jonas
We have two routers R1,R2 at location A and R3,R4 at location B. Kompella based L2VPN has been configured between routers at Location A(R1- Active router, R2- Standby Router) and Location B(R3- Active router, R4- Standby Router).My question is it necessary for R1 router to store R2 router route for l2vpn route table ? If vrf-target is configured instead of vrf-expot/vrf-import all routes is imported in local l2vpn route table. Why it might be required to import all the routes in local l2vpn route table ?
Hi all,
I'm try searching whether the "dying-gasp" feature support on MX series or not (path finder feature explorer). But i just found it stated on ACX series only.
Can someone verify whether it's true or not because sometimes path finder is not correct.
Thanks
Hello,
I am looking for advise/idea about configuring QoS Policy Propagation via BGP.
I have Juniper MX204 and have 2 BGP sessions to ISP-A and B. 1234:100 and 1234:200 are the BGP community from different ISP. Also, I have one client behind MX204.
My purpose is whenever client going out via ISP-A, I would like to do policer 7Mbps. And if this client go out via ISP-B, 3Mbps policing is applied.
By using above mentioned BGP community, please advise for example configuration.
Thanks and regads,
Good morning eveybody.
I have a short question at the this time.
Can I make an active / active evpn mpls in my VR?
We want to make a second server-farm feoredundant without vxlan.....
An it is important for us to make this active active.
Have a nice day
Thomas
Hi Team,
I am unable to put interface in logical-system EDGE-2, i have working logical-system EDGE-1
xpaul@H1-EDGE-re0> show configuration logical-systems EDGE-1 |display set
set logical-systems EDGE-1 interfaces xe-1/0/0 unit 0
xpaul@H1-EDGE-re0> show configuration interfaces xe-1/0/0 |display set
set interfaces xe-1/0/0 vlan-tagging
set interfaces xe-1/0/0 unit 0 vlan-id 2500
set interfaces xe-1/0/0 unit 0 family inet address 1.1.1.2/24 vrrp-group 4 virtual-address 1.1.1.1
set interfaces xe-1/0/0 unit 0 family inet address 1.1.1.2/24 vrrp-group 4 priority 110
set interfaces xe-1/0/0 unit 0 family inet address 1.1.1.2/24 vrrp-group 4 preempt
set interfaces xe-1/0/0 unit 0 family inet address 1.1.1.2/24 vrrp-group 4 accept-data
xpaul@H1-EDGE-re0> show vrrp logical-system EDGE-1
Not seeing VRRP output? why?
xpaul@H1-EDGE-re0# set logical-systems EDGE-2 interfaces xe-1/1/1 unit 0
[edit]
xpaul@H1-EDGE-re0# show interfaces xe-1/1/1
##
## inactive: interfaces xe-1/1/1
##
vlan-tagging;
unit 0 {
vlan-id 2500;
family inet {
address 1.1.1.3/24 {
vrrp-group 4 {
virtual-address 1.1.1.1;
priority 150;
preempt;
accept-data;
}
}
}
}
[edit]
xpaul@H1-EDGE-re0# activate interfaces xe-1/1/1
[edit]
xpaul@H1-EDGE-re0# commit
[edit interfaces xe-1/1/1 unit 0 family inet address 1.1.1.3/24]
'vrrp-group 4'
Duplicate virtual-ip : 1.1.1.1 detected on interface: xe-1/1/1 unit: 0 vrrp-group: 4 for address: 1.1.1.3 on logical-system default routing-instance default
error: configuration check-out failed
Why does this detect duplicate when i have trying these two in different logical-systems?
Dear all.
The feature explorer show that QFX5100 doesn't support "static rendezvous point (RP)" for PIM (Protocol Independent Multicast).
I tried to enter static RP configuration bit on our lab QFX5100 Virtual chassis (Junos 14.1X53-D47) and configuration was commited without error. However I don't have needed devices to create/test whole multicast scenario and validate the multicast streaming indeed works.
Does somebody have practical experience with static RP for PIM configuration on QFX5100 virtual chassis or standalone QFX5100 please? I find it bit odd that this feature is not supported on this platform.
Thank you.
See the graphic from an old JNCIS-ENT Routing study guide:
Can somebody explain me how the routing tables of the intermediate routers should look like to route to the 192.168.x.x (private) addres? How can you route over the internet to private IP addresses?
With regards,
