Quantcast
Channel: All Routing posts
Viewing all 8688 articles
Browse latest View live

Two ISP on two routers

June 21, 2016, 6:17 am
$
0
0

Hi Team,

 

My scenario is: 

We have on DC site with MX router , Ex core switch, and SRX firewall

And DR site with same devices.

Both Sites are in Active-Active mode. and i want both routers should utilise well.

 

Requirement: if a packet took path of R1 router their return path should be the same (With R2) 

and If a packet took the path of R2 router, then their return path should be same (With R2). 

 

Currently, if one router (R1) goes down then the second router will do routing. I want both routers should do routing simultaneously. with the equal load and same path. 

 

is it possible ?

Kindly find the attached network diagram. 

 

Search

Re: Two ISP on two routers

June 21, 2016, 9:20 am
$
0
0

Hi,

 

Can you elaborate on the routing protocols being used [VRRP / IGP / BGP] ?

Much will depend on how the routing is designed.

 

Cheers,

Ashvin

Re: SRX "Hairpining" issue

June 22, 2016, 12:30 am
$
0
0

Just to ensure that my understanding is correct, the 10.213.0.10 and the 10.213.0/24 subnet are the TRUST. The uplink is in UNTRUST. You want to access the 10.213.0.10 from both TRUST and UNTRUST. Is this correct?

 

If yes then you are missing the TRUST to TRUST source NAT rule:

 

set security nat source rule-set hairpin from zone TRUST
set security nat source rule-set hairpin to zone TRUST
set security nat source rule-set hairpin rule hairpin-nat-rule match destination-address 10.213.0.10
set security nat source rule-set hairpin rule hairpin-nat-rule then source-nat interface

 

Next, you need to modify the static NAT:

 

delete security nat static rule-set STATIC-NAT from interface (uplink int. ip 3.3.3.3)
set security nat static rule-set STATIC-NAT from zone [TRUST UNTRUST]

 

The above change ensures static NAT is hit irrespective of who tries to access 2.2.2.2

You also need to delete the following:

 

delete security nat destination rule-set HAIRPIN from zxone TRUST
delete security nat destination rule-set HAIRPIN rule rule-hairpin-destination match source-address 10.213.0.0/24
delete security nat destination rule-set HAIRPIN rule rule-hairpin-destination match destination-address 2.2.2.2/32
delete security nat destination rule-set HAIRPIN rule rule-hairpin-destination then destination-nat pool hairpin-pool

 

 

So traffic initiated from source 10.213.0.20 to 2.2.2.2 will undergo the following:
1) SRX flow lookup will do static NAT first and translate 2.2.2.2 to 10.213.0.10.
2) The route and zone lookup will determine TRUST.
3) The policy lookup will permit (since it is an 'any any' rule)
4) Source NAT rule will match and find packet destined for 10.213.0.10 and will translate to interface IP.
5) The return packet (SYN+ACK) will now have SRX interface IP as destination. Flow session will take care of the rest.

 

Let me know if this fixes the issue.

 

Regards,

Srinath

Re: SRX "Hairpining" issue

June 22, 2016, 12:57 am

Re: How much firewall filter (ACLs) MX80 & MX240 can handle

June 22, 2016, 1:14 am
$
0
0

Dear all,

 

I have same question, where can I find such information?

Re: How much firewall filter (ACLs) MX80 & MX240 can handle

June 22, 2016, 1:34 am
$
0
0

Hello,

It depends on :

1/ filter complexity - simple 5-tuple filter match terms wth "accept" or "discard" action scale into hundreds of thousands

2/ filter action - "then next term" filter action causes re-evaluation of the packet and therefore scales less. "Reject" action causes sending ICMP Dest Unreach for each matching packet subject to internal rate-limiters and therefore also scales less. 

3/ hardware - MX240 ICHIP DPC cards have a limited reserved memory space for filters which can also be used for storing the routes.Trio chipset in MX80 and MX240 MPC cards have much more memory.

All-in-all,  the best source to obtain such information for Your specific design and business goals is Your nearest friendly Juniper Systems Engineer.

HTH

Thx

Alex

Re: MX route table size

June 22, 2016, 2:37 am
$
0
0

MX5 - MX80 FIB Capacity:

  • 1M (IPv4)
  • 700k(IPv6)

MX104 FIB Capacity:

  • 1.8M (IPv4)
  • 1M(IPv6)

Re: How much firewall filter (ACLs) MX80 & MX240 can handle

June 22, 2016, 8:51 pm
$
0
0

Thank you for your reply, Alex!

 

I understand that number of firewall filters MX can handle depend on reserved memory for firewall filter. But this space is flexible depending on the size of memory (total memory in case of MX80 or DPC memory with MX240-480-960 right?). Since this memory is shared for many resources: nexthop, counter, filter... there is not a fixed limitation of filter rules. Therefore, It is more difficult to monitor proactively, we should monitor the memory usage rather than filter rules limitation (in this case it is 256K?).

 

In MX (except MX80 series), issue this command to monitor memory resource (from O'Reilly Juniper MX Series) :

 

{master}
regress@halfpint> request pfe execute target fpc5 command "show jnh 0 pool usage"
SENT: Ukern command: show jnh 0 pool usage
GOT:
GOT: EDMEM overall usage:
GOT: [NH///////////////|FW///|CNTR////////|HASH/////|ENCAPS////|---------------]
GOT: 0                 7.0   9.0          14.0      21.8       25.9            32.0M
GOT:
GOT: Next Hop
GOT: [***************************************************|--] 7.0M (98% | 2%)
GOT:
GOT: Firewall
GOT: [|--------------------] 2.0M (1% | 99%)
GOT:
GOT: Counters
GOT: [|----------------------------------------] 5.0M (1% | 99%)
GOT:
GOT:

 

However, I cannot find similar command in MX5/10/40/80. Any help?

 

Thank you so much,

 

Trung

 

Search

Re: Two ISP on two routers

June 22, 2016, 9:38 pm
$
0
0

We are using BGP pn ISP site (Above MX router) and OSPF in our network (Below ISP).

 

A per vendor "it is not possible to control inbound traffic coming from the Service Provider in the active-active setup, it makes the traffic asymmetric in firewall cluster which will cause the application access issues"

 

then How I will achieve this ?

Re: Two ISP on two routers

June 22, 2016, 9:54 pm
$
0
0

I feel what vendor says is correct. We cannot control how the upstream/ISP wants to route/foward traffic. We can advertise our routes with same prefernces but its upto ISP on how they want to use the route. To achieve what you need we need ISP to implement load balancing (per session based as you two dofferent locations) , not sure if they will do it.

Re: Two ISP on two routers

June 22, 2016, 11:30 pm
$
0
0

HI,

 

Is there any reason you require traffic to be symmetric? Is it because of stateful filtering on the SRX?

 

On the IGP side, you can use Equal Cost Multipath [ECMP] for load balancing.

On the transit side, outgoing traffic can be load shared based on BGP best paths/routes coming from ISPs. That will still depend on the design.  Incoming traffic can also be load shared using BGP traffic engineering using a combination of prefix splitting / aggregating routes and/or AS-PATH pre-prend.  However, there is no guarantee for symmetric routing.

 

I have had experience implementing a more or less similar design with active-active Main/DR sites using the above-mentioned protocols.  If you can provide a logical topology [i.e eBGP/iBGP / IGP / virtual router instances etc], that may provide better insight.

 

Cheers,

Ashvin

 

 

 

MX960: Low quality power supplies?

June 23, 2016, 2:02 am
$
0
0

In the past 6 months, many of our MX960 Routers' power supplies failed, but we can't find a reason for this.  Our datacentre claims that all is fine with the power feed and that it is stable and pure.  

 

1.) Are the power supplies of low quality or ultra sensitive to the power input?  Why do they fail so often?

2.) Are there any recommended tools to use to measure the power input feed to ensure that it is stable and pure?

 

Thank you in advance

Jacques

 

 

 

 

Re: MX960: Low quality power supplies?

June 23, 2016, 5:29 am

Re: MX960: Low quality power supplies?

June 23, 2016, 5:45 am
$
0
0

Thanks Ashvin.

 

As far as I can see, the chassisd log's information does not shed any more light on the issue, unless 'check circuit breaker' means something specific?

 

Here is the chassisd log's entries for when the power supply failed.  This is the fourth time now:

Jun 23 05:41:18  Modifying fan speed to 189 as high temp is now 51 C
Jun 23 05:53:03  Modifying fan speed to 199 as high temp is now 53 C
Jun 23 06:02:27  Modifying fan speed to 189 as high temp is now 51 C
Jun 23 06:12:31  PEM 2 i2c slave not ok, status 0x8 failed 1 times
Jun 23 06:12:31  PEM 2 i2c slave not ok, status 0x8 failed 1 times
Jun 23 06:12:31  PEM 2 i2c slave not ok, status 0x8 failed 1 times
Jun 23 06:12:31  PEM 2 i2c slave not ok, status 0x8 failed 1 times
Jun 23 06:12:31  PEM 2 i2c slave not ok, status 0x8 failed 1 times
Jun 23 06:12:31  send: red alarm set, device PEM 2, reason PEM 2 Not OK
Jun 23 06:12:31  I2CS write cmd to FPM#0 [0x8], reg 0x50, cmd 0x12
Jun 23 06:12:31 CHASSISD_PEM_INPUT_BAD: status failure for power supply 2 (status bits: 0x0); check circuit breaker
Jun 23 06:12:36  PEM 2 i2c slave not ok, status 0x8 failed 1 times
Jun 23 06:12:36  PEM 2 i2c slave not ok, status 0x8 failed 1 times
Jun 23 06:12:36  PEM 2 i2c slave not ok, status 0x8 failed 1 times
Jun 23 06:12:36  PEM 2 i2c slave not ok, status 0x8 failed 1 times
Jun 23 06:12:36 CHASSISD_PEM_INPUT_BAD: status failure for power supply 2 (status bits: 0x0); check circuit breaker
Jun 23 06:12:42  PEM 2 i2c slave not ok, status 0x8 failed 1 times
Jun 23 06:12:42  PEM 2 i2c slave not ok, status 0x8 failed 1 times
Jun 23 06:12:42  PEM 2 i2c slave not ok, status 0x8 failed 1 times
Jun 23 06:12:42  PEM 2 i2c slave not ok, status 0x8 failed 1 times
Jun 23 06:12:42 CHASSISD_PEM_INPUT_BAD: status failure for power supply 2 (status bits: 0x0); check circuit breaker
Jun 23 06:12:44 CHASSISD_SNMP_TRAP6: SNMP trap generated: Power Supply failed (jnxContentsContainerIndex 2, jnxContentsL1Index 3, jnxContentsL2Index 0, jnxContentsL3Index 0, jnxContentsDescr PEM 2, jnxOperatingState/Temp 6)
Jun 23 06:12:46  PEM 2 i2c slave not ok, status 0x8 failed 1 times

Re: MX960: Low quality power supplies?

June 23, 2016, 6:04 am
Search

Re: MX960: Low quality power supplies?

June 23, 2016, 6:18 am
$
0
0

Thanks, will look into the circuit breaker link that you provided.

 

Here is the output of those commands:

 

> show chassis power

PEM 0:
  State:     Online
  AC input:  OK (2 feed expected, 2 feed connected)
  Capacity:  4100 W (maximum 4100 W)
  DC output: 684 W (zone 0, 12 A at 57 V, 16% of capacity)

PEM 1:
  State:     Online
  AC input:  OK (2 feed expected, 2 feed connected)
  Capacity:  4100 W (maximum 4100 W)
  DC output: 684 W (zone 1, 12 A at 57 V, 16% of capacity)

PEM 2:
  State:     Unknown
  AC input:  Out of range (1 feed expected, 0 feed connected)
  Capacity:  0 W (maximum 4100 W)

PEM 3:
  State:     Online
  AC input:  OK (2 feed expected, 2 feed connected)
  Capacity:  4100 W (maximum 4100 W)
  DC output: 684 W (zone 1, 12 A at 57 V, 16% of capacity)

System:
  Zone 0:
      Capacity:          4100 W (maximum 4100 W)
      Allocated power:   2399 W (1701 W remaining)
      Actual usage:      684 W
  Zone 1:
      Capacity:          4100 W (maximum 4100 W)
      Allocated power:   2400 W (1700 W remaining)
      Actual usage:      1368 W
  Total system capacity: 8200 W (maximum 8200 W)
  Total remaining power: 3401 W

> show chassis environment pem
PEM 0 status:
  State                      Online
  Temperature                OK
  DC Output           Voltage(V) Current(A)  Power(W)  Load(%)
                          57        12            684      16
PEM 1 status:
  State                      Online
  Temperature                OK
  DC Output           Voltage(V) Current(A)  Power(W)  Load(%)
                          57        12            684      16
PEM 2 status:
  State                      Unknown
PEM 3 status:
  State                      Online
  Temperature                OK
  DC Output           Voltage(V) Current(A)  Power(W)  Load(%)
                          56        12            672      16

Re: MX960: Low quality power supplies?

June 23, 2016, 6:36 am
$
0
0

Hi,

PEM2 does not look very good. I guess you mentioned already its failed. Do you have an active alarm?

"show chassis alarms"

 

Any issues with the power feed?

  AC input:  Out of range (1 feed expected, 0 feed connected)
  Capacity:  0 W (maximum 4100 W)

Cheers,

Ashvin 

Re: MX960: Low quality power supplies?

June 23, 2016, 6:58 am
$
0
0

Hi Ashvin,

 

Yes, that was the power supply that failed and we've now already replaced it.

 

I am wondering if there is a device out there that can be plugged in between the MX960 and the power feed to monitor the stability of the power and to report on it?

 

I suspect that the power feed into the box is a bit unstable/unpure, but of course I need to prove it first.  Either that, or the power supplies on the MX960's are really low quality.

 

 

Re: MX960: Low quality power supplies?

June 23, 2016, 7:30 am
$
0
0

Hi,

 

That is quite a challenge to prove power is not clean. I had a similar dilemna in the past and did not manage to prove much other than providing logs from the MX960.  I guess JTAC might help to perform an RCA and discount the low quality of the PSU at least.

 

Cheers,

Ashvin

Do we have show ipv6 bgp summary command?

June 23, 2016, 8:17 am
$
0
0

Do we have show ipv6 bgp summary command? Thank you

Viewing all 8688 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>