J-Net Community
Hi guys, I'm facing an issue on an SRX300 cluster. Its configuration is quite simple, as it's just used to keep a VPN tunnel open and route some traffic through it. Originally there was one more VPN tunnel, not in use anymore. We had a reth interface with a public IP set for one of the tunnels (say TUNNEL-A) and another reth interface with a public IP set for the other tunnel (both IPs were within the same range), e.g.:

reth1 {
    description IF_TUNNEL-A;
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 0 {
        family inet {
            address 80.80.80.100/24;
        }
    }
}
reth2 {
    description IF_TUNNEL-B;
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 0 {
        family inet {
            address 80.80.80.101/24;
        }
    }
}

Say the default gw is 80.80.80.1. The thing is that I want to disable the interface reth1. When I commit, the VPN tunnel goes down, and there is no internet traffic at all. I thought that it may be related to ARP entries for the IP of the default gateway (80.80.80.1) associated with the interface I want to disable, so I tried clearing ARP entries and setting them as static entries under reth2. But when I tried to disable reth1, the same issue occurred. Any clue? Thanks
Hello, I configured 2 BGP sessions to receive only 0.0.0.0 from upstreams, so the traffic goes only via 1 upstream (probably the older session). It looks like this:

admin@SRX1# run show route 0.0.0.0

inet.0: 165304 destinations, 165307 routes (19 active, 0 holddown, 165285 hidden)
Restart Complete
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[BGP/170] 01:40:02, localpref 100
                      AS path: 1234 I, validation-state: unverified
                    > to 1.1.1.1 via ge-5/0/15.0
                    [BGP/170] 00:00:30, localpref 100
                      AS path: 6789 ?, validation-state: unverified
                    > to 2.2.2.2 via ge-0/0/12.0

My current BGP configuration:

admin@SRX1# show protocols bgp
group bgp-isp {
    type external;
    import import-default-route;
    export send-my-prefix;
    neighbor 1.1.1.1 {
        description isp1-bgp;
        peer-as 1234;
    }
    neighbor 2.2.2.2 {
        description isp2-bgp;
        peer-as 6789;
    }
}

I tried to add local-pref in the neighbor configuration, but without success. I also tried to apply local-pref in the import policy, but without success. In "show route" I always see that the local pref didn't change. What would be the proper way to do this?
Hello guys! I have a specific task. The MX-80 router has an xe-0/0/2 interface:

set interfaces xe-0/0/2 description - == USERS == -
set interfaces xe-0/0/2 vlan-tagging
set interfaces xe-0/0/2 mtu 9192
set interfaces xe-0/0/2 encapsulation flexible-ethernet-services
set interfaces xe-0/0/2 gigether-options no-flow-control
set interfaces xe-0/0/2 unit 10 description INET_Users1
set interfaces xe-0/0/2 unit 10 encapsulation vlan-vpls
set interfaces xe-0/0/2 unit 10 vlan-id 10
set interfaces xe-0/0/2 unit 10 input-vlan-map pop
set interfaces xe-0/0/2 unit 10 output-vlan-map push
set interfaces xe-0/0/2 unit 10 family vpls
set interfaces xe-0/0/2 unit 879 description DMZ
set interfaces xe-0/0/2 unit 879 encapsulation vlan-vpls
set interfaces xe-0/0/2 unit 879 vlan-id 879
set interfaces xe-0/0/2 unit 879 input-vlan-map pop
set interfaces xe-0/0/2 unit 879 output-vlan-map push
set interfaces xe-0/0/2 unit 879 family vpls
set interfaces xe-0/0/2 unit 3339 description - == Link-Huawei == -
set interfaces xe-0/0/2 unit 3339 vlan-id 3339
set interfaces xe-0/0/2 unit 3339 family inet mtu 1500
set interfaces xe-0/0/2 unit 3339 family inet policer input SHAPE-1G
set interfaces xe-0/0/2 unit 3339 family inet policer output SHAPE-1G
set interfaces xe-0/0/2 unit 3339 family inet address 172.17.10.125/30
set interfaces xe-0/0/2 unit 4001 description - == Link-Huawei == -
set interfaces xe-0/0/2 unit 4001 vlan-id 4001
set interfaces xe-0/0/2 unit 4001 family inet mtu 1500
set interfaces xe-0/0/2 unit 4001 family inet policer input SHAPE-1G
set interfaces xe-0/0/2 unit 4001 family inet policer output SHAPE-1G
set interfaces xe-0/0/2 unit 4001 family inet address 10.240.98.6/29
set firewall policer SHAPE-1G if-exceeding bandwidth-limit 1g
set firewall policer SHAPE-1G if-exceeding burst-size-limit 5m
set firewall policer SHAPE-1G then discard

I have a question.
1) Will the SHAPE-1G restriction be common? Or will traffic be limited separately for each subnet? If separately for each subnet, then how do I combine the speed limit for the different units?
2) How do I limit the port speed for everyone?
3) How do I limit the speed for unit 10 and 879 (together and separately)? Currently, the restriction is applied on unit 3339 and 4001, but I do not know whether this restriction is shared or separate for each.
Hi. I am trying to stop sending certain messages (RPM TEST) to the syslog server. I relied on https://kb.juniper.net/InfoCenter/index?page=content&id=KB9382&actp=METADATA and https://takab-cng.ir/?exampass=t5/Junos/Filter-specific-syslog-message/m-p/464559#M15092 but I did not succeed. My config:

host 172.21.2.206 {
    any info;
    match "!(.*PING_TEST_COMPLETED.*)";
}

The original message:

Jan 17 09:45:50 UFA-SRX240 rmopd[1544]: %DAEMON-6-PING_TEST_COMPLETED: pingCtlOwnerIndex = ISP1, pingCtlTestName = ISP1-TEST2

As I understand it, I did everything right. But it does not work. Can someone help me?
If an ABR connects area 0 and area 2 (NSSA), does this router generate LSA Type 4 into area 0? Thanks!!
Hi everyone, I've been working on making redundancy between core switches using EVPN/VXLAN. I got an issue when trying to route with static routes. If there is traffic from PC-HOST (VLAN 200) to PE (172.x.x.x), it will take the static route. If I set interface xe-0/0/2 (Core1) down, the traffic from PC-HOST (VLAN 200) to PE (172.x.x.x) goes down too, whereas in the routing table there is an EVPN route available; the traffic should pass through the EVPN route when the interface underlying the static route dies. But it wouldn't. I was trying to make the preference on the static route higher than the EVPN route. It's working, but now the main route is the EVPN route, so traffic always goes to the EVPN route even though the static route is available. So, can I make both of them (static & EVPN) become active routes? If there is something wrong with the static route, then traffic will go through the EVPN route.
Hi there, I'm wondering what the process is for generating a certificate so that when we use J-Web it is a secure connection. Our current platform is Model: ex2300-24p, Junos: 15.1X53-D590.1. Thanks :)
Hi, let's assume that a switch has RSTP globally enabled, but on some ports it has RSTP disabled (set protocols rstp interface <name> disable). What happens when it receives an RSTP BPDU on one of the ports with RSTP disabled? Does it forward them to all the rest of the "RSTP disabled" ports? Drop them? Flood them to ALL ports? Regards, Pawel
Is there any offline utility that, given a router config file and source/destination IP and port pairs, will check if the path is allowed or blocked?
I'm prepping for JNCIS-SP and haven't found any MPLS related practice questions in the Genius exams or elsewhere. Does someone have a source?
Hi folks, is there a way to store or reference a file that has a list of prefixes that I can reference in the configuration but not store in the configuration? The idea here is that I want to create a whitelist based on a GeoIP database and block everything outside of the whitelist. The Geo block I'm concerned about is 65-70,000 prefixes. I don't want to store that in my config. But I'd like to reference a file that stores this. There are a few other network vendors that provide this capability, but I'm not sure if Junos allows for a pointer to a text file like this. Just to be clear, I'm not asking about merging the configuration. I want to keep this separate so the config doesn't grow so large that it's a pain to read. The next question: how many entries are supported on an SRX300 for a prefix-list? That might ultimately be another limiting factor. I script all this today on my Linux hosts referencing an 'ip set' in iptables to block a lot of the countries I don't do business with. It's a sledgehammer approach, but works for what I need. I want to take this a step further and block the traffic before it even gets on the 'trust' zone of the network. All I need is plain old Junos firewall rules (stateless) applied to the ingress interface as a prefix-list. That is what I'm ultimately trying to accomplish, but I didn't know if Junos has a feature to reference a file for the prefix-list. Thanks, -J
I don't think it's a problem, but it might be worth mentioning... Using SecureCRT, I issued a request system power-off command to 21 EX2300 running 18.2R3S2, all with the same config and in a test lab. Upon walking into the lab, I noticed 3 of them still had their LEDs on. No IP ping anymore from outside; they looked like they were powered off. The rightmost small selector switch was active, and the SYS, SPD and MST LEDs were on. Upon connecting to the console to investigate, the first key I hit initiated a reboot!!!!!! I guess pulling the plug still remains the best way to turn those things off :-) Michel Lapointe
Hello everyone, yesterday I tried to upgrade our EX3300 stack with Junos 12.3R12. The current fw is 12.3R6.6. I have downloaded the fw to /var/tmp/jinstall-ex-3300-12.3R12.4-domestic-signed.tgz on the master switch; after that I issued a command to validate the new fw:

request system software validate /var/tmp/jinstall-ex-3300-12.3R12.4-domestic-signed.tgz

And finally I started the upgrade of the last virtual-chassis member (9th), to avoid downtime of the whole VC:

request system software add /var/tmp/jinstall-ex-3300-12.3R12.4-domestic-signed.tgz member 9

Unfortunately, after member 9 rebooted it failed to load Junos. In the console some disquieting things appeared during the start of this switch (as below). After a while I managed to take a snapshot and start the switch with the previous version of Junos (12.3R12). The affected switch's virtual-chassis status was 'not present'. Can anybody explain to me what happened and what I have done wrong?

MISSING '.' I=4097 OWNER=0 MODE=40755 SIZE=512 MTIME=Mar 17 12:26 2014
DIR=?
UNEXPECTED SOFT UPDATE INCONSISTENCY
FIX? yes
DIRECTORY CORRUPTED I=4098 OWNER=0 MODE=40755 SIZE=512 MTIME=Jun 14 08:27 2013
DIR=?
UNEXPECTED SOFT UPDATE INCONSISTENCY
SALVAGE? yes
MISSING '.' I=4098 OWNER=0 MODE=40755 SIZE=512 MTIME=Jun 14 08:27 2013
DIR=?
...
UNREF DIR I=4131 OWNER=0 MODE=40700 SIZE=512 MTIME=Feb 12 13:49 2015
RECONNECT? yes
NO lost+found DIRECTORY
CREATE? yes
CG 0: BAD MAGIC NUMBER
UNEXPECTED SOFT UPDATE INCONSISTENCY
SORRY. CANNOT CREATE lost+found DIRECTORY
UNEXPECTED SOFT UPDATE INCONSISTENCY
UNREF DIR I=4130 OWNER=0 MODE=40700 SIZE=512 MTIME=Feb 12 13:49 2015
RECONNECT? yes
NO lost+found DIRECTORY
CREATE? yes
CG 0: BAD MAGIC NUMBER
UNEXPECTED SOFT UPDATE INCONSISTENCY
SORRY. CANNOT CREATE lost+found DIRECTORY
UNEXPECTED SOFT UPDATE INCONSISTENCY
...
UNEXPECTED SOFT UPDATE INCONSISTENCY
SORRY. CANNOT CREATE lost+found DIRECTORY
UNEXPECTED SOFT UPDATE INCONSISTENCY
CLEAR? yes
UNREF FILE I=4106 OWNER=0 MODE=120755 SIZE=25 MTIME=Feb 12 13:50 2015
RECONNECT? yes
NO lost+found DIRECTORY
CREATE? yes
CG 0: BAD MAGIC NUMBER
UNEXPECTED SOFT UPDATE INCONSISTENCY
SORRY. CANNOT CREATE lost+found DIRECTORY
UNEXPECTED SOFT UPDATE INCONSISTENCY
Hello, I've got an MX204 router and I'm using all break-out ports xe-0/0/[0-3]:[0-3]. These interfaces have a couple of thousand logical units which I don't want to monitor. What would a regular expression look like that only gets the physical ports in an SNMP walk (i.e. xe-0/0/0:0 and xe-0/0/1:3)? I've tried numerous things and so far I've got this one (which works fine for an MX5, but not for an MX204):

"!(ge-.*/[0-9]$|ge-.*/1[0-9]$|xe-.*/[0-9]$|xe-.*/1[0-9]$|ae[0-9] $)"

Beeelze
Hi there, I am interested in monitoring all VRRP messages on a specific interface. Reading this: https://www.juniper.net/assets/us/en/local/pdf/books/day-one-poster-monitor-command.pdf it seems that the syntax of the command is something like

monitor traffic interface ae90.11 matching "([ip] proto 112 | ip[9]=112)"

but I get a syntax error as soon as I run this command. hw: mx80, sw: 16.1R5.7. Any suggestion is welcome: the target is to only monitor VRRP traffic. Thanks.
Hi guys, I got another trouble on the MX80. The MX80 doesn't accept more than one subscriber per stacked VLAN.

set dynamic-profiles VLAN-IPoE interfaces demux0 unit "$junos-interface-unit" demux-source inet
set dynamic-profiles VLAN-IPoE interfaces demux0 unit "$junos-interface-unit" proxy-arp
set dynamic-profiles VLAN-IPoE interfaces demux0 unit "$junos-interface-unit" vlan-tags outer "$junos-stacked-vlan-id"
set dynamic-profiles VLAN-IPoE interfaces demux0 unit "$junos-interface-unit" vlan-tags inner "$junos-vlan-id"
set dynamic-profiles VLAN-IPoE interfaces demux0 unit "$junos-interface-unit" demux-options underlying-interface "$junos-un
set dynamic-profiles VLAN-IPoE interfaces demux0 unit "$junos-interface-unit" family inet unnumbered-address lo0.0
set interfaces xe-0/0/1 flexible-vlan-tagging
set interfaces xe-0/0/1 auto-configure stacked-vlan-ranges dynamic-profile VLAN-IPoE accept dhcp-v4
set interfaces xe-0/0/1 auto-configure stacked-vlan-ranges dynamic-profile VLAN-IPoE ranges 1002-1002,10-16
set interfaces xe-0/0/1 auto-configure remove-when-no-subscribers
set interfaces xe-0/0/1 encapsulation flexible-ethernet-services
set system services dhcp-local-server forward-snooped-clients configured-interfaces
set system services dhcp-local-server group IPoE authentication password IPoE
set system services dhcp-local-server group IPoE authentication username-include user-prefix OPT82NOIP
set system services dhcp-local-server group IPoE authentication username-include mac-address
set system services dhcp-local-server group IPoE dynamic-profile CLIENTS-IPoE
set system services dhcp-local-server group IPoE interface demux0.0

dmitry@Mine-Juniper-GW# run show subscribers
Interface             IP Address/VLAN ID       User Name                   LS:RI
demux0.3221230371     0x8100.1002 0x8100.10                                default:default
demux0.3221230373     89.1.3.26                OPT82NOIP.64d1.5406.c59b    default:default
demux0.3221230394     89.1.3.27                OPT82NOIP.68ff.7b98.0083    default:default

Here we can see 2 subscribers, one of which works fine (the first), but the second subscriber doesn't work; if I destroy the first subscriber, then the second subscriber will work after a reconnect. I assume that the interface for the second subscriber is not created. Probably it is normal. Is there a way to fix it? Thanks.
I am refreshing my OSPF via some Juniper trainings now. I have some questions about LSA type 1 fields. Here is my packet capture for LSA type 1. Type 1 contains Link type, Link ID and Link Data, Metric, etc. Are these fields stored in the LSA header or the data payload? Here I only captured the header, I could not see them. Anything I have missed? Thanks!!
Hi all, I am not sure if an RPM-based failover can be achieved in such a static setup. The scenario is as follows: Subnets A to G are internal and go through ISP link 1. There is a Zscaler redirect filter applied to the LAN interface of the firewall that picks these internal subnets and causes them to take exit point (ISP link 1) as per the custom routing table to traverse to Zscaler. Subnets H to L are public subnets and go through ISP link 2. There is a Public redirect filter that causes these subnets to take exit point (ISP link 2) as per the custom routing table to direct egress to the internet. (This filter is NOT applied to the LAN interface of the firewall.) The internal and public subnets are in the same major class network, i.e. 10.0.0.0/8.

In both these routing tables the exit hop to ISP Link 1 and ISP Link 2 is set up as below:

Routing table Internal
primary exit path >>> ISP Link 1
backup exit path >>> ISP Link 2

Routing table Public
primary exit path >>> ISP Link 2
backup exit path >>> ISP Link 1

Is there a way to achieve automatic failover using RPM / ip-monitoring probes provided that there are static routing tables already set up for these two different classes of INTERNAL and PUBLIC subnets? Note: There is dynamic routing protocol used; the setup of routing table entries is all static. The physical setup is very typical, as below: a single LAN connection on a gig interface of the firewall, and ISP link 1 on port 1 and ISP link 2 on port 2 respectively.
Hello, I've got a very specific question, or better, a request about filtering two specific logical interfaces. I'm already filtering like this:

beeelze@ams-nik-er2# show snmp
filter-interfaces {
    interfaces {
        pp0;
        demux0;
        ".\.[0-50000]";
    }
    all-internal-interfaces;
}
filter-duplicates;

Now, I want to monitor two specific logical interfaces: ge-1/0/6.287 and ge-1/0/6.288. At the same time, all other logical interface units may NOT be monitored, for the sake of the MX5's CPU. I've tried a lot, but am unable to come up with a solution. Beelze
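To reason about which interface names such a filter lets through before committing it on a production box, here is an added example (mine, not code from either post or from Juniper). It assumes that each pattern under filter-interfaces is a regular expression naming interfaces to exclude from SNMP and that wrapping it in "!( ... )" negates it, and it checks both this post's two logical units and the earlier MX204 break-out-port case against constructed interface names:

```python
import re

# Constructed interface names in the style of the two posts (not taken from a real device).
SAMPLE_IFNAMES = [
    "xe-0/0/0:0", "xe-0/0/1:3", "xe-0/0/3:3",          # physical break-out ports
    "xe-0/0/0:0.100", "xe-0/0/1:3.2048",               # logical units on break-out ports
    "ge-1/0/6", "ge-1/0/6.287", "ge-1/0/6.288", "ge-1/0/6.289",
    "pp0", "demux0", "demux0.3221230371", "ae0", "ae0.11",
]

# ASSUMED semantics (this is how the posters read filter-interfaces; verify on your Junos
# release before relying on it): a name that matches the configured pattern is EXCLUDED from
# SNMP, and "!( ... )" inverts the pattern, so "!(A|B)" excludes everything that is not A or B.
# Patterns are anchored to the whole name so that a trailing ".<unit>" can never match.

# MX204 post: keep only physical break-out ports xe-0/0/<pic>:<channel>, no logical units.
KEEP_PHYSICAL_BREAKOUT = r"xe-0/0/[0-3]:[0-3]"

# MX5 post: keep only ge-1/0/6.287 and ge-1/0/6.288 plus plain physical <type>-a/b/c ports.
KEEP_TWO_UNITS = r"ge-1/0/6\.28[78]|[a-z]+-[0-9]+/[0-9]+/[0-9]+"


def build_exclusion_filter(keep_pattern):
    """Return the Junos-style negated filter string and a predicate that mirrors it."""
    junos_string = f"!({keep_pattern})"
    keep_re = re.compile(rf"^(?:{keep_pattern})$")

    def is_excluded(name):
        # A name is excluded exactly when it does NOT fully match the keep pattern.
        return keep_re.match(name) is None

    return junos_string, is_excluded


def monitored(keep_pattern, names=SAMPLE_IFNAMES):
    """Names that survive the filter, i.e. the ones an SNMP walk would still return."""
    _, is_excluded = build_exclusion_filter(keep_pattern)
    return [n for n in names if not is_excluded(n)]


if __name__ == "__main__":
    for pattern in (KEEP_PHYSICAL_BREAKOUT, KEEP_TWO_UNITS):
        junos_string, _ = build_exclusion_filter(pattern)
        print(f'filter: {junos_string}')
        print("  still monitored:", monitored(pattern))
```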
Greetings, we have an old EdgeRouter that we're upgrading to an SRX. We have a mid-size network with 100 workstations and 20 servers; some servers are public facing. We have a split-view DNS system for public WAN and private LAN queries. We're migrating to a new IP block for the SRX. We're trying to make this migration a seamless one with very little downtime. We're documenting and testing as much as we can think of, but what are we not thinking about? Does anyone have experience in migrating from an older system to a new one and doing IP address migrations? What have you done in your experience to make sure your transition was a smooth one? What other advice can you recommend? Thank you.