JNCIS-SP

JNCIS-SP
Junos Intermediate Routing On-Demand – DONE
Junos Service Provider Switching – DONE
Junos MPLS Fundamentals – DONE

https://jlabs.juniper.net/vlabs

=========================================
Junos Intermediate Routing On-Demand
=========================================

CBT Junos Tunnels


gr-0/0/0 GRE
ip-0/0/0 IPoverIP

set chassis fpc 1 pic 2 tunnel-services [bandwidth X] -> enables tunnel interfaces on x-1/2/x

GRE overhead: 24 bytes = 20-byte outer IP header + 4-byte GRE header (reserved, version, protocol type) => increase MTU !!! protocol type 0x0800 = IPv4 / 0x86DD = IPv6

frames over GRE: set chassis network-services enhanced-ip
set interfaces gr-0/0/0 unit 0 family bridge interface-mode trunk vlan-id-list 100 core-facing

set routing-instances virtsw instance-type virtual-switch
    interface ge-0/0/2.0
    interface gr-0/0/0.0
    bridge-domains C100 vlan-id 100

CBT Chassis HA

vrrp: virtual MAC 0000.5E00.01xx (xx = VRID), multicast 224.0.0.18, group-id (8 bit) must match on all routers, priority (8 bit, 1-254, default 100) or highest IP as tie-break,
VRRPv3: IPv6 support and sub-second timers

(inside interface config)
set vrrp-group 1 virtual-address VIP [priority x]

GR: graceful restart
set routing-options graceful-restart (show ospf overview)

GRES: Graceful Routing Engine Switchover, BUT the control plane still needs to reconverge !!!
set chassis redundancy graceful-switchover
request chassis routing-engine master switch check

NSR: Nonstop active routing. NSR builds on GRES to keep the control plane (RPD state) synchronized between REs. Incompatible with GR !!!
set routing-options nonstop-routing
set system commit synchronize
show task replication

ISSU: in-service sw upgrade
Needs GRES+NSR
request system software in-service-upgrade /var/tmp/file.tgz reboot

virtual-chassis

CBT IPv6

multicast FF00::/8
link-local FE80::/10 (not routable), NDP (like ARP) = neighbor discovery protocol (Neighbor Solicitation, Neighbor Advertisement)
unique-local FC00 or FEC8 (not internet routable, like private IPv4)
global unicast: 2000::/3

dhcp:
SLAAC (stateless): EUI-64: 48-bit MAC + FFFE (first 24 bits of the MAC with the 7th bit flipped, then FFFE, then the last 24 bits of the MAC) -> 64-bit interface ID + 64-bit prefix learned via Router Solicitation / Router Advertisement
set interfaces ge-0/0/2 unit 0 family inet6 address 2012:db8::/64 eui-64

dhcpv6 (stateful)

OSPFv3: still needs an IPv4-format router-id !!!
set routing-options router-id IPV4-ADDRESS

CBT LACP

802.3ad
max 8 links per LAG
set chassis aggregated-devices ethernet device-count X

set interfaces ge-0/0/0 ether-options 802.3ad ae0 (same for the other member links)
set interfaces ae0 aggregated-ether-options lacp active|passive periodic fast|slow (slow = 30s, default is fast = 1s)
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk (EX)
                                                  interface-mode trunk (QFX)
                           family bridge interface-mode trunk vlan-id-list 300 (MX)

CBT ISIS

level0 – ES-IS
level1 – IS-IS intra-area
level2 – IS-IS inter-area

ISIS intra-area (L1) AD=15, metric default 10 per link
ISIS inter-area (L2) AD=18, metric default 10 per link

IIH = Hello, sent to a multicast MAC address: carries Router ID (system ID), area, used for neighbor discovery
CSNP = like the DB description packet in OSPF, exchanged after neighbor discovery
PSNP = request specific prefix and route info

Border router: establishes an L2 adjacency (different area) -> 2x LSDB!!!
establishes an L1 adjacency (same area)

LSP (link-state PDU): sent by the border router with the Attached bit set. An L1 router that receives it installs a default route towards the originator of that LSP

NET address: network entity title. Configured on lo0 !!!
49.(16b area ID).(48b system ID, e.g. the MAC).00

Set up adjacencies (no IPs needed!)
1) set the NET on lo0.0 under family iso
2) set protocols isis interface X.0
3) set interface X.0 family iso (NET not needed here!)
4) disable the level you don't need!! (by default all links are L1/L2)

authentication-type simple or md5
authentication-key KEY

Protocol Independent Routing (Static routes)

Route preference (AD):
0   direct (connected)
5   static
7   rsvp-lsp
8   sr-te
9   ldp-lsp
10  ospf internal
15  isis l1
18  isis l2
105 pim
130 aggregate
150 ospf external
160 isis external
170 bgp

preference=5
next-hop = directly connected IP, reject or discard
no recursive lookup performed by default (like cisco) -> need to use "resolve"
qualified-next-hop IP preference X
no-readvertise (ie for mgmt routes that must not be advertised into the IGP) blocks exporting via policies
as-path, community, metric, preference

ipv4: edit routing-options static route …
ipv6: edit routing-options rib inet6.0 static route …

Aggregate routes

preference=130
at least one contributing route active
default nh = reject
as-path, community, metric, policy, preference
show route AGG/22 exact detail

edit routing-options aggregate ->

*If contributing routes don’t have a next hop (i.e., are not usable), the aggregate route may still appear, but it will be hidden (inactive) — and not advertised unless you use a discard next-hop or similar workaround.

Generated Routes

similar to aggregate routes. NH = next hop of the primary (lowest preference) contributing route (aggregate NH = reject)

diff from agg:
-you can assign a next hop.
-And you don’t need the contributing route to be resolvable — it just needs to exist in the routing table (even if unusable).
-It allows more flexibility when the contributing route is unusable or when you want to inject a route into the table regardless of reachability.

ie: advertise a default into OSPF only while you are learning a specific prefix from your ISP.

set policy-options policy-statement match-contributing-prefix term match-bgp from protocol bgp route-filter NET1/16 exact then accept
set policy-options policy-statement match-contributing-prefix term else-reject then reject
set policy-options policy-statement export-default term match-default from protocol aggregate route-filter 0.0.0.0/0 exact then accept

set routing-options generate route 0.0.0.0/0 policy match-contributing-prefix
set protocols ospf export export-default

Martian Routes

0.0.0.0/8 orlonger
127.0.0.0/8 orlonger
192.0.0.0/24 orlonger
240.0.0.0/4 orlonger

ipv6: loopback, rfc 2373, link-local

set routing-options martians x/8 orlonger

show route martians table inet.0

Routing Instance (LAB)

show route instance -> default: master -> inet.0 inet6.0

edit routing-instances
set instance-type X: forwarding, l2vpn, no-forwarding (split a big network into smaller ones), virtual-router (system virtualization), vpls, vrf (for l3vpn)
set interface ge-0xxxx
set routing-options static route …. next-hop xxx
set protocols ospf area 0.0.0.0 interface ge-xxxxx

show route table INSTANCE.inet.0
show interface terse routing-instance INSTANCE

rib groups: share routes between routing tables

edit routing-options
rib-groups NAME
export-rib T0 (only one! where routes are taken from) normally omitted because it is always the primary rib
import-rib T1 T2 (several tables, where routes should be placed)
import-policy POLICY

edit routing-options
rib-groups test
import-rib [ inet.0 test.inet.0 ] ===> the first table listed is the primary/source (inet.0), routes are copied into test.inet.0 (so the source also appears in import-rib, which is what looks different from the description above)

edit protocols ospf
set rib-group test
area 0.0.0.0 interface ge-0/0/0.0 lo0.0

create a logical-tunnel interface between instances and route between them: lt-0/0/0
*requires service card

edit interfaces lt-0/0/0
unit 0
    encapsulation ethernet
    peer-unit 1
    family inet
unit 1
    encapsulation ethernet
    peer-unit 0
    family inet

LOAD BALANCING

per-packet issue -> out-of-order delivery (Junos doesn't do true per-packet !!!!)

per-flow LB:
set policy-options policy-statement LB-ALL then load-balance per-packet
set routing-options forwarding-table export LB-ALL

show route forwarding-table

default flow hash ipv4: incoming interface, src addr, dst addr, protocol
ipv6: l3, l4, traffic class

modify: set forwarding-options hash-key family inet layer-3 layer-4

Filter-Based-Forwarding (FBF) (lab)

forwarding based on source IP

1) using RIB-groups
-create match filter and apply it to the incoming interfaces
set firewall family inet filter F-NAME term TERM from CONDITION then routing-instance INSTANCE

  • create a default accept term, because by default a filter discards whatever it does not match!
    set interfaces ge-0/0/0 unit 0 family inet filter input F-NAME

-create routing instance
set routing-instances INSTANCE instance-type forwarding!! routing-options static route 0.0.0.0/0 next-hop IP (or next-table inet.0)
-create rib group
set routing-options interface-routes rib-group inet GROUP
set routing-options rib-groups GROUP import-rib [ inet.0 INSTANCE.inet.0 ]

show route table INSTANCE.inet.0

2) using instance-import instead of RIB-group

set policy-options policy-statement ISP-IMPORT from instance master then accept

set routing-instances ISP instance-type forwarding!! routing-options static route 0.0.0.0/0 next-hop IP
set routing-instances ISP routing-options instance-import ISP-IMPORT

Fundamentals OSPF

LSDB, LSA flooding, all routers must have an identical LSDB, SPF algorithm

packet types:
1 hello: 10s default, multicast to 224.0.0.5, includes: netmask, hello interval, dead interval, options, priority, DR, BDR, neighbors
2 db description: during adjacency formation, the highest RID is primary for the sync and sets/maintains the sequence number. This relationship is forgotten after the transfer. Contents: ospf header, seq number, lsa headers
3 ls-request: request a precise version of the db: ospf header, ls-type, ls-id, adv-router (RID of the originating router)
4 ls-update: to 224.0.0.5/6: ospf header, number of advertisements, ls-advertisements
5 ls-ack: unicast to originator.

Adjacency states
down
init: hello packet sent
2way: hello received, bidirectional communication achieved
exStart: decide the primary router for db sync
exchange: lsdb exchange started
loading: transmission finished but still receiving from peer
full: lsdb is in sync

ethernet: avoid adjacencies between all routers. Only the DR creates adjacencies to all routers in the segment. The BDR creates adjacencies to all routers too.
interface-type p2p: no DR/BDR is elected (saves time), no type-2 LSA generated
DR: highest priority (default 128), then highest RID, no preemption,
non-DR routers stay in 2way with the other non-DR routers.

scalability
reduce lsdb: multiple areas, route summarization between areas.
areas:
area0: all areas connect to area0
ABR: connects areaX to area0
ASBR: connects outside OSPF to areaX
stub area: LSA3 yes (inter-area), no LSA4/5 (external) and no ASBR. Default route injected (needs configuration)
totally stubby area: only default, no LSA3-5.
not-so-stubby area: it gets external routes and can advertise them to area0, but it can't receive LSA5 from other areas.

lsa1: router links (intra-area)
lsa2: network links (by DR only), describes the routers attached to the segment
lsa3: summary, by ABR, inter-area links
lsa4: by ABR, path to ASBR.
lsa5: external, prefix redistributed by ASBR, by default lsa5 type 2 (cost to ASBR not included) (type 1: cost to ASBR included)
lsa7: nssa, by ASBR in NSSA, then the ABR translates it into an LSA5.

Deploy OSPF

OSPFv3 supports both IPv4 and IPv6 address families
auth, summarization (ABR), external prefix-limit, graceful-restart, BFD

!! cost=ref-bw/bw !!

set protocols ospf reference-bandwidth X (100Mbps default) (lo0.0 always has cost 0)

set routing-options router-id LO-IP
set protocols ospf|ospf3 area AREAID interface x.x

set policy-options policy-statement 2OSPF term MATCH from protocol direct route-filter NET/X exact then accept
set protocols ospf export 2OSPF

show ospf neighbor extensive
clear ospf neighbor

show ospf interface [extensive]
show ospf route [abr, asbr, inter, intra, extern, detail,instance]
show ospf database [brief (default), detail, extensive,]
show ospf statistics
show ospf log

troubleshooting:
no neighbor: check link status
exstart: check MTU
2way: normal for DR-other neighbor

set protocols ospf traceoptions file TRACE-ospf flag error detail flag event detail ….
show log TRACE-ospf

edit protocols ospf
save /var/tmp/working-ospf.conf ==> saves the current hierarchy to a file from configuration mode.

Fundamentals BGP

path vector routing protocol.
NLRI: Network Layer Reachability Information
classless, BGPv4, RFC 4271
non-portable (ISP provides the IP range), portable (customer has its own prefix).
ebgp -> ttl=1 !!!
ibgp: full-mesh, peering on lo0 !!!
tcp 179, manually defined neighbors
loop avoidance: as-path

states:
idle: initial state
connect: waiting for the TCP handshake to complete
active: trying to establish the TCP connection

opensent: tcp completed. wait for open from peer
openconfirm: wait for keep alive from peer.
established: received keepalive from peer. all done

4096 max bgp message size, min 19 bytes

messages:
open: after TCP completes, initiates the BGP session
update: transports routing info
keepalive:
notification: signals when something is wrong.
refresh: soft clearing of the BGP session to get routes re-advertised

attributes
well-known mandatory: as-path, origin, next-hop. supported by all BGP implementations. included in each BGP update
well-known discretionary: local-pref, atomic-aggregate. supported by all BGP implementations. not included in each BGP update
optional transitive: community, aggregator. not supported by all BGP implementations, but they need to pass it along unchanged
optional non-transitive: MED, cluster-list, originator-id. not supported by all BGP implementations. If the attribute is not recognized, it is ignored and not passed along.

NH: IP of the peer advertising the prefix, must be resolvable in the local RIB. iBGP doesn't change it, eBGP changes it.
LP: determines the outbound path. higher is best. used within an individual AS, not sent to eBGP peers (default 100)
as-path: loop check
origin: where the route was received from: 0 – IGP, 1 – EGP, ? – incomplete (redistributed)
MED: multihomed to the same external ISP (same ASN!!!). determines the inbound path from that ISP to you. lower is best (default 0)
communities: edit policy-options

path-selection:
NH resolvable + no AS loop, highest LP, shortest AS-path, lowest origin, lowest MED, eBGP before iBGP, if all iBGP then nearest exit from the AS (lowest IGP metric to the NH), if all eBGP choose the current active route or the one from the peer with the lowest RID, RR: shortest cluster list, route from the peer with the lowest RID
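As an added illustration (not Junos code and not from these notes), a small Python model of the selection order above; the peers, AS numbers and router IDs in the sample are constructed, and MED is only compared between paths from the same neighboring AS, as the MED note above says:

```python
"""BGP best-path selection in the order listed above (added example, not Junos
code). Each step is checked in turn and the first one that differs decides;
peers, AS numbers and router IDs used in the sample are constructed."""
from dataclasses import dataclass, field
from functools import cmp_to_key
from typing import List, Optional

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # 0 / 1 / ? in the notes
LOCAL_AS = 65000   # constructed: the AS of the router running the selection


@dataclass
class BgpPath:
    peer: str
    as_path: List[int] = field(default_factory=list)
    local_pref: int = 100          # default LP
    origin: str = "igp"
    med: int = 0                   # default MED
    ebgp: bool = True
    igp_metric_to_nh: int = 0      # IGP cost to the NEXT_HOP ("best exit from AS")
    peer_rid: str = "0.0.0.0"
    cluster_list: List[str] = field(default_factory=list)
    nh_reachable: bool = True      # NEXT_HOP resolves in inet.0 / inet.3
    active: bool = False           # currently the active route (eBGP tie-break)


def usable(p: BgpPath) -> bool:
    """Step 0: the next hop must resolve and the AS path must not contain our AS."""
    return p.nh_reachable and LOCAL_AS not in p.as_path


def neighbor_as(p: BgpPath) -> Optional[int]:
    return p.as_path[0] if p.as_path else None


def rid_key(rid: str) -> tuple:
    return tuple(int(x) for x in rid.split("."))


def compare(a: BgpPath, b: BgpPath) -> int:
    """Return -1 if a is better, 1 if b is better, 0 if they tie."""
    def lower(x, y):
        return -1 if x < y else (1 if x > y else 0)

    steps = [
        lambda: lower(-a.local_pref, -b.local_pref),                   # highest LP
        lambda: lower(len(a.as_path), len(b.as_path)),                 # shortest AS path
        lambda: lower(ORIGIN_RANK[a.origin], ORIGIN_RANK[b.origin]),   # igp < egp < incomplete
        # MED is only compared between paths from the same neighboring AS
        lambda: lower(a.med, b.med) if neighbor_as(a) == neighbor_as(b) else 0,
        lambda: lower(not a.ebgp, not b.ebgp),                         # eBGP before iBGP
        lambda: lower(a.igp_metric_to_nh, b.igp_metric_to_nh),         # nearest exit
        lambda: lower(not a.active, not b.active) if a.ebgp and b.ebgp else 0,  # keep current
        lambda: lower(len(a.cluster_list), len(b.cluster_list)),       # RR: shortest cluster list
        lambda: lower(rid_key(a.peer_rid), rid_key(b.peer_rid)),       # lowest peer RID
    ]
    for step in steps:
        verdict = step()
        if verdict:
            return verdict
    return 0


def best_path(paths: List[BgpPath]) -> Optional[BgpPath]:
    """Drop unusable paths, then rank the rest with the comparator."""
    candidates = [p for p in paths if usable(p)]
    return sorted(candidates, key=cmp_to_key(compare))[0] if candidates else None


if __name__ == "__main__":
    sample = [
        BgpPath("A", [65001, 65010], peer_rid="10.0.0.1"),
        BgpPath("B", [65002, 65003, 65010], local_pref=200, peer_rid="10.0.0.2"),
        BgpPath("C", [65002, 65010], local_pref=200, med=50, peer_rid="10.0.0.3"),
        BgpPath("D", [65002, 65010], local_pref=200, med=20, peer_rid="10.0.0.4"),
        BgpPath("E", [65009, 65010], local_pref=300, nh_reachable=False),
        BgpPath("F", [65000, 65010], local_pref=300),   # our own AS in the path
    ]
    print(best_path(sample).peer)   # D
```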

NH resolution: checks inet.0 (IPv4) and inet.3 (MPLS). If the preference is equal, inet.3 is preferred.

Deploy BGP

iBGP: split-horizon -> full-mesh. NH is not changed for routes learned from eBGP (change it with "next-hop self")

edit policy-options
set policy-statement NH-self term 1 then next-hop self

edit routing-options
set router-id LO.0
set autonomous-system ASN

edit protocols bgp
set group int-ASN
    type internal
    local-address LO.0
    neighbor R1.lo0
    export NH-self
set group ext-ASN
    type external
    peer-as ASN
    neighbor R2.interface.IP


edit routing-options aggregate
route IP/22

edit policy-options
set policy-statement adv-agg term 1 from protocol aggregate route-filter IP/22 exact then accept

routes from peers -> RIB-in -> import policy -> RIB-local -> export policy -> RIB-out -> routes to peers

export policy applies only to active routes

RIB-in: show route receive-protocol bgp IP (before import policy filtering!!!)
RIB-out: show route advertising-protocol bgp IP (after export policy filtering!!!)

IP Tunneling

both stateless by default: keepalives can be configured, or use BFD
set protocols oam gre-tunnel interface gr-x/x/x.1 keepalive-time 10 hold-time 30

define static routes to use tunnel
set routing-options static route LAN2 next-hop gr-x/x/x.0

GRE: ipv4/6, mpls. 24B overhead. TTL decremented. RFC1702
gr-x/x/x

supports multiple logical units per interface. as it is stateless, you need a valid route to the remote endpoint

set interface gr-0/0/0 unit 0 tunnel source IP1 destination IP2
family inet

IP-IP: 20B overhead. TTL decremented. rfc2003. Only for IP
ip-x/x/x

pmtud: set system internet-options gre-path-mtu-discovery
watch out MTU !!!

GR and BFD

uptime <> availability
GR = Graceful Restart: (NSR and GR are mutually exclusive)
BFD: hello based
VRRP: VIP on the LAN side
ISSU: dual RE, upgrade without interruption

GR
requests a grace period from the neighbors. forwarding continues during the restart. neighbors hide the failure from the rest of the network
supported: ospf, isis, bgp, rsvp, ldp.
requirements: all routers (restarting and helpers) need to support GR and nonstop forwarding !!!!
GR !!helper!! mode is enabled by default, but restarter mode is not (it needs set routing-options graceful-restart)
set routing-options graceful-restart disable (global, or per protocol)

show bgp neighbor IP
set protocols ospf traceoptions flag graceful-restart

BFD: ospf, isis, bgp, rsvp, pim, static routes. 3 hellos missed -> down
set protocols bgp group G1 bfd-liveness-detection minimum-interval 300
show bfd session
show bgp neighbor IP

https://www.cisco.com/en/US/technologies/tk648/tk365/tk480/technologies_white_paper0900aecd80244005.html

How are the timers actually negotiated? Each system, upon receiving a BFD control packet will take the “Required Min RX Interval” and compare it to its own “Desired Min TX Interval” and take the greater (slower) of the two values and use it as the transmission rate for its BFD packets. Thus, the slower of the two systems determines the transmission rate.
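Added example (Python, not from the notes or the linked whitepaper): the negotiation the quote describes, modelled with each side's Desired Min TX, Required Min RX and detect multiplier; the values are constructed, and the `junos_side` helper mirrors how `minimum-interval` sets both the TX and RX minimum on one side:

```python
"""BFD timer negotiation as the whitepaper quote describes it (added example,
not from the notes or the whitepaper). Each side advertises its Desired Min TX
interval, Required Min RX interval and detect multiplier in the control packet;
the values below are constructed and all intervals are in milliseconds."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BfdSide:
    name: str
    desired_min_tx: int     # how fast this side would like to send (ms)
    required_min_rx: int    # slowest rate this side is willing to accept (ms)
    detect_mult: int = 3    # consecutive packets missed before declaring down


def junos_side(name: str, minimum_interval: int, multiplier: int = 3) -> BfdSide:
    """Junos 'bfd-liveness-detection minimum-interval N' sets both the desired
    TX and the required RX minimum of that side to N (assumption here: the
    multiplier stays at its default of 3 unless changed)."""
    return BfdSide(name, minimum_interval, minimum_interval, multiplier)


def tx_interval(local: BfdSide, remote: BfdSide) -> int:
    """Rate at which `local` actually transmits: the greater (slower) of its
    own Desired Min TX and the peer's Required Min RX."""
    return max(local.desired_min_tx, remote.required_min_rx)


def detection_time(local: BfdSide, remote: BfdSide) -> int:
    """How long `local` waits without packets from `remote` before declaring
    the session down: remote's multiplier times remote's negotiated TX rate."""
    return remote.detect_mult * tx_interval(remote, local)


def negotiate(a: BfdSide, b: BfdSide) -> dict:
    """Summarise both directions of a session between a and b."""
    return {
        f"{a.name}_tx_ms": tx_interval(a, b),
        f"{b.name}_tx_ms": tx_interval(b, a),
        f"{a.name}_detect_ms": detection_time(a, b),
        f"{b.name}_detect_ms": detection_time(b, a),
    }


if __name__ == "__main__":
    # R1 configured with minimum-interval 300, R2 with minimum-interval 1000:
    # the slower side (R2) dictates a 1000 ms rate in both directions.
    print(negotiate(junos_side("R1", 300), junos_side("R2", 1000)))
```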

GRES, NSR, Unified ISSU

GRES switchover: does not preserve the control plane by itself… if NSR is configured, it is kept.
without GRES: the PFE is restarted and the new RE restarts RPD
with GRES: the PFE is not restarted, the new RE restarts RPD.

set groups RE1 system host-name R1-RE1 backup-router IP
set groups RE1 interfaces fxp0 …
set groups RE0 system host-name R1-RE0 backup-router IP
set groups RE0 interfaces fxp0 …

commit synchronize

set chassis redundancy graceful-switchover
show system switchover (only on the backup RE)

NSR: requires GRES. RPD also runs on the backup RE. Mutually exclusive with GR

set routing-options nonstop-routing
set chassis redundancy graceful-switchover

show task replication

Unified ISSU: unified in-service software upgrade. upgrades Junos without control-plane disruption
GRES + NSR

VRRP

RFC 2338, by default the master doesn't respond to ICMP sent to the VIP (can be changed), supports auth, preempt enabled by default
vrrp master: responds to ARP for the VIP
224.0.0.18, ttl=255, 1s advertisement interval
virtual mac: 00:00:5E:00:01:VRID
higher priority -> best (default 100)

set interface ge-0/0/3 unit 0 family inet address IP vrrp-group X virtual-address VIP priority 200

show vrrp summary

INTRO IPv6

QoS, no NAT, end-to-end IPsec, autoconfiguration
header 40B: version, traffic class, flow label, payload length, next header, hop limit, src addr, dst addr

extension headers
hop-by-hop options
routing
fragment
destination options
auth
enc security payload

8 x 16-bit hex blocks

unicast
multicast
anycast

::/0 = default route
::1 -> loopback

scope:
broadcast: none!!!!!!!!!
multicast: MAC 33:33:xx:xx:xx:xx // FF00::/8
link-local: always assigned, not routable: FE80::/10 (used as /64)
unique local: like private IPs, routable internally. FC00::/7 or FD00::/8
global unicast: public IPs, routable on the internet: 2000::/3

NDP = Neighbor Discovery Protocol -> ICMP + link-local + multicast.

  • Duplicate address detection (DAD)
  • link layer address resolution
    — Neighbor Solicitation: src.ip = link-local, dst.ip = solicited-node multicast (ff02::1:…)
    — Neighbor Advertisement:

Router Discovery:
router solicitation: RS, request sent by the host, dst.ip = FF02::2 (all routers), src.ip = link-local
router advertisement: RA, reply sent by the router, src.ip = link-local, dst.ip = FF02::1 (all nodes on the link). It contains the global unicast prefix

SLAAC: Stateless Address AutoConfiguration
1) obtain the prefix through the RA
2) the host creates its own interface ID.
2.1: use EUI-64: take the MAC (48b) and fill -> 1st half of the MAC + FFFE + 2nd half of the MAC, and flip the 7th bit (U/L bit) of the MAC's first byte.
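Added example (not from the notes): the EUI-64 derivation described here and in the CBT IPv6 section above, worked in Python; the MAC and the 2001:db8 prefix are constructed sample values, and `mac_from_eui64` shows the reverse mapping, which is why EUI-64 addresses reveal the hardware address:

```python
"""EUI-64 interface identifier for SLAAC (added example, not from the notes).
Splits the 48-bit MAC into two 24-bit halves, inserts FFFE between them,
flips the 7th bit (universal/local bit) of the first byte, and appends the
result to the 64-bit prefix learned from the Router Advertisement."""
import ipaddress


def mac_to_bytes(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or Junos-style 'aabb.ccdd.eeff'."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier."""
    m = mac_to_bytes(mac)
    first = bytes([m[0] ^ 0x02])                    # flip bit 7 (the U/L bit) of byte 0
    return first + m[1:3] + b"\xff\xfe" + m[3:6]    # 24 bits + FFFE + 24 bits


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine the /64 prefix from the RA with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The FE80::/64 link-local address is built from the same interface ID."""
    return slaac_address("fe80::/64", mac)


def mac_from_eui64(addr: str) -> str:
    """Reverse the derivation: recover the MAC embedded in an EUI-64 address
    (this is why EUI-64 addresses expose the hardware address and why privacy
    extensions use random interface IDs instead)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface ID is not EUI-64 derived")
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in m)


if __name__ == "__main__":
    mac = "00:0c:29:ab:cd:ef"                          # constructed sample MAC
    addr = slaac_address("2001:db8:1::/64", mac)       # constructed sample prefix
    print(addr, link_local_address(mac), mac_from_eui64(str(addr)))
```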

dhcpv6: RFC 3315 – it doesn't require the MAC to build the IPv6 address
anycast: RFC 2526
set routing-options rib inet6.0 static route ::/0 next-hop IP
ospf3

tunneling ipv6 over ipv4:
set interfaces gr-0/0/0 unit 0 tunnel source IPv4.r1.loopback destination IPv4.r2.loopback
family inet6 address IPV6

INTRO ISIS

originally for CLNP packets
PDU – protocol data units. IP reachability included in updates
LSDB. Single AS (IGP)
End System = host
Intermediate System = router
L1: routes within the area or towards L2
L2: routes between areas and toward other ASes

ospf similarities:
L1L2 router = ABR
L2 = area 0

ISIS PDUs:
hello (IIH): neighbor discovery like the OSPF hello, sent at regular intervals (3 s for the DIS). broadcast networks => multicast MAC 0180.C200.0014 (L1) / 0180.C200.0015 (L2).
fields: circuit type (l1, l2, l1l2), source ID (system ID), holding time, pdu length, priority (0-127), LAN ID

LS PDU: flooded periodically in the area. builds the LSDB

Seq Num PDU: complete (CSNP): all LSPs in the LSDB, flooded periodically. multicast
partial (PSNP): request missing LS PDUs
CSNP: maintains the LSDB in sync. sent by the DIS only
TLV: encoding as Type Length Value

Adj:
L1: area ID must be the same
L2: area ID can be different
DIS election (like the DR in OSPF for multi-access networks = ethernet). Uses priority (0 = never DIS, higher = winner). There is a DIS for L1 and one for L2.
there is no backup DIS, there is preemption.
metric: max=1023
delay
expense
error
wide metrics: 2^24

config:
by default all links are l1l2
edit protocols
set isis interface ge-0/0/0.0 level 1 disable

set interfaces ge-0/0/0 unit 0 family iso
set interfaces ge-0/0/0 unit 0 family inet address IP
set interfaces lo0 unit 0 family iso address 49.001.0192.0168.0291.00
set interfaces lo0 unit 0 family inet address IP

show isis interfaces
show isis database
show isis adjacency
show isis spf log
show isis statistics
show isis route
set protocols isis traceoptions file isis-trace flag error detail flag hello detail
monitor start log-file-name
show log log-file-name

issues: physical (L1) or ethernet (L2) problems. Mismatched areas (for level 1) and levels, minimum MTU 1492, missing iso NET, missing lo0


CBT Service Provider Bridging Concepts

802.1q tag 32b -> vlan id: 12b. It doesn't scale ->
802.1ad SP (q-in-q) to overcome 802.1q: C-TAG, S-TAG -> 2x 802.1q header!
-> it must still learn MACs !
-> between SPs, you need vlan translation
PEB (PE) customer port is an "access port" !!! // IVL – independent VLAN learning
set interfaces ge-0/0/2 unit 0 family bridge vlan-id S-TAG interface-mode access

  if the C-TAGs need to be filtered, on the PE-to-P port:
  set interfaces ge-0/0/2 unit 0 family bridge interface-mode trunk
                                              inner-vlan-id-list x-y [limits the C-TAG vlans accepted from the customer]
                                              vlan-id S-TAG

S-VLAN Bridge (P device) and PE-P ports
  set interfaces ge-0/0/2 unit 0 family bridge vlan-id S-TAG interface-mode trunk
  set interfaces ge-0/0/2 encapsulation flexible-ethernet-services (aka 802.1ad!)
  set interfaces ge-0/0/2 flexible-vlan-tagging

MX: create vlans -> family bridge!!! (created under edit bridge-domains)
    set bridge-domains CUST1 vlan-id X or vlan-id-list 200-204
    show bridge mac-table
CE ports are trunk ports

C-VLAN normalization (mainly PEB) = rewrite the C-TAG
vlan-id none -> pop the C-TAG!

set bridge-domains CUST1 vlan-id none
set bridge-domains CUST1 interface ge-0/0/0.200
set bridge-domains CUST1 interface ge-0/0/0.201
set bridge-domains CUST1 interface ge-0/0/2.300

// interface PE -> CE
set interfaces ge-0/0/0 flexible-vlan-tagging
set interfaces ge-0/0/0 encapsulation flexible-ethernet-services
set interfaces ge-0/0/0 unit 200 encapsulation vlan-bridge vlan-id 200
set interfaces ge-0/0/0 unit 201 encapsulation vlan-bridge vlan-id 201

// interface PE -> P
set interfaces ge-0/0/2 flexible-vlan-tagging
set interfaces ge-0/0/2 encapsulation flexible-ethernet-services
set interfaces ge-0/0/2 unit 300 encapsulation vlan-bridge (unit number = S-TAG!)
set interfaces ge-0/0/2 unit 300 vlan-tags outer 300 inner 200

S-VLAN translation. On the P router, on the link between SP1 P and SP2 P

set interfaces ge-0/0/2 flexible-vlan-tagging
set interfaces ge-0/0/2 encapsulation flexible-ethernet-services
set interfaces ge-0/0/2 unit 0 family bridge interface-mode trunk vlan-id-list 300
set interfaces ge-0/0/2 unit 0 family bridge vlan-rewrite translate INCOMING_S_TAG OUR_S_TAG

vpls: mpls, igp, 802.1q (replacement of q-in-q)

=========================================
Junos SP Switching On-Demand
=========================================

Ethernet Switching and L2

physical (show interfaces terse) vs logical (.x), interface family (inet, inet6, iso, mpls, etc)
ethernet IEEE 802.3, single broadcast and collision domain, MAC 48 bits, uses CSMA/CD
hub: collisions can occur, no CSMA/CD

bridging: 802.1d-2004, segments a single collision domain into several, isolates L1, FIB,

learning domain: is a DB, attached 1:1 to a bridge domain,

learning: inspects all frames, learns MAC, source port and timestamp.
forwarding / flooding (BUM) / filtering / aging

show bridge mac-table

timeout = 300s, max learned MAC 393215

mac-table-size default 5120

l2 firewall filters:
set firewall family bridge filter NAME term 1 from X then Y
set interfaces ge-0/0/0 unit 0 family bridge filter input|output FILTER

  • default action: discard

VLANS and IRBs

vlan: broadcast domain
trunk: native-vlan-id
802.1q frame: 4 extra bytes: tag protocol identifier: 16 bits – 0x8100,
priority: 3 bits, 802.1p
canonical format indicator: CFI = 0 (1 bit)
unique vlan id: 12 bits

what does vlan-id-list [ 100 500-505 ] really mean? This interface accepts or outputs only VLAN IDs 100 and 500 to 505 — after translation!!
It's the post-rewrite VLAN ID list. This is the range of VLANs that can be present after any translation occurs.
It's bi-directional (symmetric translation).

set bridge-domains NAME vlan-id [ X y z a-b ]
set interfaces ge-1/0/0 unit 0 family bridge interface-mode access vlan-id X
set interfaces ge-2/0/0 native-vlan-id X vlan-tagging unit 0 family bridge interface-mode trunk
set interfaces ge-2/0/0 unit 0 family bridge vlan-id-list [ x y ] or [ x-y z a-b ]
show bridge domain [ NAME detail ]

MVRP: multiple vlan registration protocol, l2 messaging protocol to automate the creation and management of vlans. only on trunk ports.
MRP messages
set protocols mvrp no-dynamic-vlans interface ge-0/0/0.0
show mvrp statistics

IRB: integrated routing and bridging: l3 gw for a vlan.
set interfaces irb unit X description vlan-x family inet address IPx

set bridge-domains NAMEX vlan-id x
set bridge-domains NAMEX routing-interface irb.x

show bridge mac-table

chatgpt:
Each bridge-domain is a VLAN.
You define bridge-domains explicitly in Junos, and then map interfaces (and VLANs) to them.
Because each bridge-domain has its own MAC table, flood domain, and associated interfaces — it behaves like a mini switch inside the virtual-switch.
You can associate multiple VLANs to one bridge-domain: why? Service Provider bridging where customer traffic uses many VLANs, but you want to transport all of them over a single bridge-domain — maybe because you’re mapping all of them into one L2VPN or EVPN instance

Virtual Switches (lab) ***

routing instances -> virtual-router (default instance) or virtual-switch (default-switch)

set routing-instances NAME instance-type virtual-router|virtual-switch
set routing-instances NAME interface ge-0/0/0.0
set routing-instances NAME bridge-domains NAMEv100 vlan-id 100
set routing-instances NAME bridge-domains NAMEv200 vlan-id 200 routing-interface irb.1

show bridge domain
show route instance

interconnecting methods:
internal: logical tunnel = only supported for VR -> enable it in the PFE:
set chassis fpc 1 pic 0 tunnel-services bandwidth 1g => that creates the lt-1/0/x interface!
set interfaces lt-1/0/10 unit 0 peer-unit 1
set interfaces lt-1/0/10 unit 0 vlan-id 100
….
set interfaces lt-1/0/10 unit 1 peer-unit 0
set interfaces lt-1/0/10 unit 1 vlan-id 200
….

external: using physical interfaces, supported for VS and VR

Logical-Systems: LSYS – max 15, offer routing and mgmt separation
set logical-systems LSYS-1 interfaces ge-1/0/5 unit 0 family bridge interface-mode access vlan-id 100

show bridge domain logical-system LSYS-1

interconnect: via logical-tunnel or physical loop

Provider Bridging LAB ***

802.1q
vlan id 12 bit = 4094 usable vlans

802.1ad stacking vlans: c-vlan (inner tag) = one customer vlan / s-vlan (outer tag) = service vlan representing the customer

issue: MAC learning from customers
s-vlan tag: tag protocol id (16b 0x88A8), priority (3b), drop eligibility indicator (1 bit, default=0), unique vlan-id (12b)
c-vlan tag: 0x8100, canonical format indicator instead of DEI

PBN = Provider Bridged Network
operations: push, pop, swap, pop-pop, push-push, swap-swap, pop-swap, swap-push, rewrite vlan and tag-protocol-id
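Added example (Python, not from the notes): parsing and rewriting the tag stack described in this section and in the 802.1q frame notes above (TPID, PCP, CFI/DEI, VID), with push/pop/swap of the outer tag as a provider bridge port would apply them; the frame bytes and MACs are constructed samples:

```python
"""Ethernet VLAN tag stack parser and rewriter (added example, not from the notes).
C-TAG (802.1Q): TPID 0x8100 + TCI = PCP (3 bits) | CFI (1 bit) | VID (12 bits).
S-TAG (802.1ad): TPID 0x88A8 + TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits).
A Q-in-Q frame carries the S-TAG (outer) followed by the C-TAG (inner)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

TPID_CTAG = 0x8100   # 802.1Q customer tag
TPID_STAG = 0x88A8   # 802.1ad service tag
KIND_BY_TPID = {TPID_CTAG: "C-TAG", TPID_STAG: "S-TAG"}
TPID_BY_KIND = {kind: tpid for tpid, kind in KIND_BY_TPID.items()}


@dataclass(frozen=True)
class VlanTag:
    kind: str   # "C-TAG" or "S-TAG"
    pcp: int    # 3-bit priority (802.1p)
    dei: int    # 1 bit: CFI in 802.1Q, drop eligibility indicator in 802.1ad
    vid: int    # 12-bit VLAN ID, 0 = priority-tagged, 4095 reserved

    def tci(self) -> int:
        if not (0 <= self.pcp <= 7 and self.dei in (0, 1) and 0 <= self.vid <= 4094):
            raise ValueError(f"invalid tag {self}")
        return (self.pcp << 13) | (self.dei << 12) | self.vid


Parsed = Tuple[bytes, bytes, List[VlanTag], int, bytes]


def parse_frame(frame: bytes) -> Parsed:
    """Split a frame into dst MAC, src MAC, tag stack (outer first), EtherType, payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, off, tags = frame[:6], frame[6:12], 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame: no EtherType after the tag stack")
        (tpid,) = struct.unpack_from("!H", frame, off)
        if tpid not in KIND_BY_TPID:
            break                                   # not a tag: this is the real EtherType
        if len(tags) == 2:
            raise ValueError("more than two VLAN tags")
        if off + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append(VlanTag(KIND_BY_TPID[tpid], tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    return dst, src, tags, tpid, frame[off + 2:]


def build_frame(dst: bytes, src: bytes, tags: List[VlanTag], ethertype: int, payload: bytes) -> bytes:
    out = bytearray(dst + src)
    for tag in tags:                                # outer tag goes first on the wire
        out += struct.pack("!HH", TPID_BY_KIND[tag.kind], tag.tci())
    out += struct.pack("!H", ethertype) + payload
    return bytes(out)


def push_outer(frame: bytes, tag: VlanTag) -> bytes:
    """Customer-edge port (input-vlan-map push): add the S-TAG in front of the C-TAG."""
    dst, src, tags, et, payload = parse_frame(frame)
    return build_frame(dst, src, [tag] + tags, et, payload)


def pop_outer(frame: bytes) -> bytes:
    """output-vlan-map pop: strip the outermost tag before handing the frame to the customer."""
    dst, src, tags, et, payload = parse_frame(frame)
    if not tags:
        raise ValueError("frame is untagged, nothing to pop")
    return build_frame(dst, src, tags[1:], et, payload)


def swap_outer(frame: bytes, new_vid: int) -> bytes:
    """S-VLAN translation between providers (vlan-rewrite translate): rewrite only the outer VID."""
    dst, src, tags, et, payload = parse_frame(frame)
    if not tags:
        raise ValueError("frame is untagged, nothing to swap")
    outer = tags[0]
    new_outer = VlanTag(outer.kind, outer.pcp, outer.dei, new_vid)
    return build_frame(dst, src, [new_outer] + tags[1:], et, payload)


def outer_vid(frame: bytes) -> Optional[int]:
    tags = parse_frame(frame)[2]
    return tags[0].vid if tags else None


# Constructed sample: a customer frame tagged with C-VLAN 111 carrying an IPv4 payload.
SAMPLE_DST = bytes.fromhex("0011223344aa")
SAMPLE_SRC = bytes.fromhex("00112233bb55")
CUSTOMER_FRAME = build_frame(SAMPLE_DST, SAMPLE_SRC, [VlanTag("C-TAG", 0, 0, 111)], 0x0800, b"\x45" * 20)
QINQ_FRAME = push_outer(CUSTOMER_FRAME, VlanTag("S-TAG", 3, 0, 200))   # what the PE sends into the PBN

if __name__ == "__main__":
    print(parse_frame(QINQ_FRAME)[2])              # [S-TAG 200, C-TAG 111]
    print(parse_frame(pop_outer(QINQ_FRAME))[2])   # [C-TAG 111]
```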

Learning:
-IVL: independent vlan learning: one learning domain for each VLAN (including BUM)
-SVL: single learning domain shared by all vlans in a bridge domain

set interfaces ge-0/0/0 flexible-vlan-tagging unit 0 vlan-id 200 // s-tag
set interfaces ge-0/0/0 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 0 family bridge inner-vlan-id-list 111-114 // c-tag

set bridge-domains NAME vlan-id 200 // s-tag

customer edge port
set interfaces ge-1/0/0 vlan-tagging encapsulation flexible-ethernet-services unit 111 encapsulation vlan-bridge
set interfaces ge-1/0/0 unit 111 vlan-id 111
set interfaces ge-1/0/0 unit 111 input-vlan-map push vlan-id 200 // s-vlan
set interfaces ge-1/0/0 unit 111 output-vlan-map pop
provider network port
set interfaces ge-1/0/4 stacked-vlan-tagging encapsulation flexible-ethernet-services unit 0 encapsulation vlan-bridge
set interfaces ge-1/0/4 unit 0 vlan-tags outer 200 inner 111

set bridge-domains NAME1 interface ge-1/0/0.111
set bridge-domains NAME1 interface ge-1/0/4.0

vlan-id none => the C-vlan is popped before the MAC table lookup

VPLS

for the customer it is just a LAN segment
PE learns MACs, each MAC is mapped to an outbound LSP or interface

STP

without STP: broadcast storms, duplicated packets
classic STP drawbacks: slow convergence, excessive flooding, single tree
rstp: rapid
mstp: rapid and per instance
root bridge: lowest bridge id (priority + mac)
root port: port on a bridge closest to the root bridge
default cost = 20k for a 1G port
designated port: forwarding port on a LAN segment
BPDU: info about STP, every 2 s
config BPDU: sent by the root bridge
tcn: topology change notification: sent by any bridge towards the root.

blocking: doesn't send BPDUs, but listens
convergence: 2 x forwarding-delay (15 s) + max-age (20 s)

RSTP 802.1w / 802.1d-2004

on p2p links: transition to forwarding without waiting for timers to expire
edge port: if it is the only port on the LAN segment, then always forwarding

new port roles:
alternate: alternate path to the root bridge (backup for the root port). Blocks traffic while receiving superior BPDUs
backup: backup of a designated port. Blocks traffic while receiving superior BPDUs

states: discarding (disabled, blocking, listening // roles: alternate, backup, disabled), learning, forwarding (roles: root, designated, edge)

bpdu: used as keepalive (2 s)

mx: full-duplex -> port is p2p.

format: flags,

bridge id: priority (4b) + extended id (12b) + bridge address (48b)

tcn: only when a non-edge (switch interconnect) port transitions to the forwarding state. Transition to discarding doesn't trigger a tcn
the initiator of the tcn sends it out of all designated ports and the root port.

receiver of a tcn: doesn't flush MACs learned from edge ports, doesn't flush MACs learned on the port receiving the TCN

MSTP 802.1s – 802.1q-2003

extension of rstp
stp per vlan group. MSTI. Maps 1 or more vlans to one MSTI -> load-balancing

MST region: MST switches with the same region name, revision level and vlan-to-instance mapping
max 64 MSTIs per region, one regional root bridge per instance

CST = common ST, interconnects MST regions, one root bridge for the CST, each MSTP region appears as a virtual bridge
IST = internal ST, STP inside the region

RSTP is used to interconnect MSTP regions or RSTP-only bridges

VSTP: similar to RSTP, 4094 instances, proprietary

Configuring STP (MSTP Lab)

show spanning-tree interface
show spanning-tree bridge
show spanning-tree statistics interface

set protocols rstp hello-time X max-age X forward-delay X bridge-priority X
set protocols rstp interface ge-1/0/1 priority 128 mode point-to-point|shared cost X
set protocols rstp interface ge-1/0/1 edge (to host)
set protocols rstp extended-system-id 0 (default)

set protocols mstp configuration-name REGION1 revision-level X
set protocols mstp interface ge-1/0/0

set protocols mstp msti 1 bridge-priority 4k vlan 100-199
set protocols mstp msti 2 bridge-priority 8k vlan 200-299

show spanning-tree mstp configuration

set protocols vstp interface ge-1/0/1

set protocols vstp vlan 100 bridge-priority 60k
set protocols vstp vlan 100 interface ge-1/0/1

set protocols vstp vlan 200 bridge-priority 8k
set protocols vstp vlan 200 interface ge-1/0/1

bpdu protection

show spanning-tree interface

set protocols rstp interface ge-1/0/1 edge
set protocols rstp bpdu-block-on-edge

if not rstp:
set protocols layer2-control bpdu-block interface [ ge-1/0/0 ge-1/0/1 ]

show l2-learning interface

clear error bpdu interface

  • loop protection -> on all root and alternate ports -> lack of BPDUs -> transition to the "loop inconsistent" state = discarding state = blocking. Returns to the original state when BPDUs are received again

set protocols rstp interface ge-1/0/1 bpdu-timeout-action block

  • root protection: on ports that shouldn't be elected as root port (shouldn't receive superior BPDUs) -> if a superior BPDU is received -> transition to the inconsistent state. When it stops receiving BPDUs, it returns to the original state.

set protocols rstp interface ge-1/0/1 no-root-port

set protocols rstp force-version stp

Ethernet OAM

Operation Administration Maintenance – OAM

availability, frame delay, frame delay variation (jitter), frame lost – 802.3-2008.clause – First mile OAM. Link Fault Management LFM

detect defects: use of continuitity check messages (CCM), unidirect and without ack, by intervals

indicators:
node detect failure -> send AIS (Alarm Indicator Signal) and FDI (Forward Defect Indicator) downstream
node received AIS/FDI -> notifies upstream devices when failure occurs in reverse direction (BDI – Backward Defect Indicator)

loopback messages:
nonintrusice loopback: like ping
intrusive loopback: signal a remote node to go into special test mode (where normal traffic can’t flow)

Link Trace Messages LTMs: like traceroute. identify nodes along the path. perform bidir continuity check

LFM: Link Fault Management is limitied to a single Ethernet link (no AIS available)
client needs to support LFM. L2, no IP needed. exchange OAM PDUs, dst MAC = 0180c2-000002 (never flooded). Discovery
Active client start the discovery
OAM PDU
codes:
0x00 information -> discovery, heartbeat (1s), Critical events
0x01 event notification -> signal link events and stats
0x02-03 variable request/response (polling MIBs) – not supported in Junos
0x04 loopback control: signal remote peer to set/unset looped interface
flags (16 bits)
bit 0: link fault
bit 1: dying gasp (external failure, e.g. power loss)
bit 2: critical event
bits 3-4: local discovery state (evaluating / stable); bits 5-6: the same for the remote side
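Added example (not from the course or these notes): a small Python decoder for the OAMPDU layout above, run over constructed frames. The peer MAC, the TLV contents and the flag values are made up for the demonstration; the field layout is the 802.3 clause 57 one (slow-protocols ethertype 0x8809, subtype 3, 16-bit flags, 8-bit code). Worth alerting on in practice: a loopback-control PDU from a peer puts the port into a test mode where normal traffic stops.

```python
# Added example (not from the course notes): decode an 802.3ah clause 57 OAMPDU
# the way a capture tool would, so the code/flags table above becomes concrete.
# The frames at the bottom are constructed for this example.
import struct

SLOW_PROTOCOLS_MAC = bytes.fromhex("0180c2000002")   # never flooded by bridges
SLOW_PROTOCOLS_ETHERTYPE = 0x8809
OAM_SUBTYPE = 0x03

OAM_CODES = {
    0x00: "information",        # discovery, heartbeat, critical events
    0x01: "event notification",
    0x02: "variable request",   # not supported in Junos
    0x03: "variable response",
    0x04: "loopback control",   # sets/unsets remote loopback: intrusive
}

# bit positions in the 16-bit Flags field
FLAG_BITS = {
    0: "link fault",
    1: "dying gasp",
    2: "critical event",
    3: "local evaluating",
    4: "local stable",
    5: "remote evaluating",
    6: "remote stable",
}

def build_oampdu(src: bytes, code: int, flags: int, body: bytes) -> bytes:
    """Ethernet frame carrying one OAMPDU (no FCS)."""
    return SLOW_PROTOCOLS_MAC + src + struct.pack("!HBHB", SLOW_PROTOCOLS_ETHERTYPE, OAM_SUBTYPE, flags, code) + body

def parse_tlvs(body: bytes) -> list:
    """Information OAMPDU TLVs: type, length (includes the two header octets), value. Type 0 ends the list."""
    tlvs, pos = [], 0
    while pos < len(body) and body[pos] != 0x00:
        if pos + 2 > len(body):
            raise ValueError("truncated TLV header")
        tlv_type, length = body[pos], body[pos + 1]
        if length < 2 or pos + length > len(body):
            raise ValueError("malformed TLV length %d" % length)
        tlvs.append((tlv_type, body[pos + 2:pos + length]))
        pos += length
    return tlvs

def decode_oampdu(frame: bytes) -> dict:
    """Return the decoded OAMPDU or raise ValueError for anything that is not LFM."""
    if len(frame) < 18:
        raise ValueError("frame too short for an OAMPDU")
    if frame[:6] != SLOW_PROTOCOLS_MAC:
        raise ValueError("destination is not the slow-protocols MAC 01-80-C2-00-00-02")
    ethertype, subtype, flags, code = struct.unpack("!HBHB", frame[12:18])
    if ethertype != SLOW_PROTOCOLS_ETHERTYPE or subtype != OAM_SUBTYPE:
        raise ValueError("not a slow-protocols OAM PDU (ethertype 0x%04x subtype %d)" % (ethertype, subtype))
    body = frame[18:]
    out = {
        "src": frame[6:12].hex(":"),
        "code": OAM_CODES.get(code, "reserved 0x%02x" % code),
        "flags": [name for bit, name in FLAG_BITS.items() if flags >> bit & 1],
        # any of link fault / dying gasp / critical event: the peer says the link is in trouble
        "critical": bool(flags & 0b111),
    }
    if code == 0x00:
        out["tlvs"] = parse_tlvs(body)
    elif code == 0x04:
        # Remote Loopback Command octet: 1 = enable loopback, 2 = disable
        out["loopback"] = {1: "enable", 2: "disable"}.get(body[0] if body else -1, "reserved")
    return out

# constructed sample frames
PEER_MAC = bytes.fromhex("00005e005301")
LOCAL_INFO_TLV = bytes([0x01, 0x10]) + bytes(14)  # type 1 (local info), length 16, zeroed value
DYING_GASP_INFO = build_oampdu(PEER_MAC, 0x00, 0x0052, LOCAL_INFO_TLV + b"\x00")  # dying gasp + both sides stable
LOOPBACK_ENABLE = build_oampdu(PEER_MAC, 0x04, 0x0050, b"\x01")

if __name__ == "__main__":
    for frame in (DYING_GASP_INFO, LOOPBACK_ENABLE):
        print(decode_oampdu(frame))
```

The `critical` field collapses the three fault flags into one alarm, which is what an action-profile `event` effectively reacts to; the loopback decode is what you would match on to detect a peer trying to put your port into test mode.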

CFM: Connectivity Fault Management (802.1ag)

  • fault monitoring using continuity check (CC): neighbor discovery and health check
  • path discovery and fault isolation using link trace (LTM/LTR)
  • fault verification using the loopback protocol (LBM/LBR)
  • frame delay measurement

CFM frame: dst MAC, src MAC, vlan tag, type/length (0x8902), CFM header, Data (TLVs), FCS

maintenance domains (levels):
    5-7: customer
    3-4: SP
    0-2: operator (subset of the SP network) -> quicker fault detection

maintenance points (port types):
    MEP: Maintenance End Point: edge port to edge port (protecting an E-Line / point-to-point EVC (Ethernet Virtual Connection)) or
         edge port to multiple edge ports (protecting an E-LAN / multipoint-to-multipoint EVC)
    MIP: Maintenance Intermediate Point: internal to a domain. Optional. Responds to CFM messages from a higher level than its own
    Transparent: doesn't respond to CFM messages

tasks:
    initiate CFM messages: MEP
    respond to loopback and link trace messages: MEP, MIP
    track CCMs: MEP, MIP

MEP: forms a neighbor by exchanging CCMs with other MEPs in the same maintenance domain, maintenance association, level and direction
  • Down MEP: MEP interface that faces a neighboring down MEP
  • Up MEP: MEP interface that faces away from a neighboring up MEP

CCM dst MAC (multicast) = 0180C2-00003x and LTM dst MAC = 0180C2-00003(8+x), where x = maintenance level:
    level 0 -> 0180C2-000030 (CCM) | 0180C2-000038 (link trace)
    level 7 -> 0180C2-000037 (CCM) | 0180C2-00003F (link trace)
LBR: LoopBack Reply (unicast back to the originator)

Configuring OAM (LAB)

** LFM config
set protocols oam ethernet link-fault-management action-profile NAME event link-adjacency-loss (when PDUs are missing)
action link-down
interface ge-1/3/6 apply-action-profile NAME
pdu-interval 100 (ms)
link-discovery active
pdu-threshold 10
negotiation-options allow-remote-loopback
remote-loopback -> set a loop on the remote peer

show oam ethernet link-fault-management

test looped circuit

edit interfaces ge-1/3/5 unit 0 family inet
set address 10.0.0.0/31 arp 10.0.0.1 mac MAC

ping 10.0.0.1 –> TTL exceeded is expected here: the looped packets come back and circulate until the TTL runs out, so the loop works

** CFM config: customer bridge
set protocols oam ethernet connectivity-fault-management action-profile NAME event adjacency-loss
action interface-down
maintenance-domain customer level 5
maintenance-association evc1 continuity-check interval 100ms
mep 101 interface IFACE.115 vlan 115
direction down
auto-discovery
remote-mep 106
action-profile NAME
provider bridge
set protocols oam ethernet connectivity-fault-management
maintenance-domain provider level 4
maintenance-association evc1 continuity-check interval 100ms
mep 102 interface IFACE.115 vlan 115
direction up
auto-discovery
mip-half-function default

show oam ethernet connectivity-fault-management interface ge-1/1/5.115 vlan 115 [extensive]

ping ethernet maintenance-domain customer maintenance-association evc1 mep 106

traceroute ethernet maintenance-domain customer maintenance-association evc1 mep 106

monitor ethernet delay-measurement maintenance-domain customer maintenance-association evc1 mep 106 two-way

ERP and LAG

ERP = Ethernet Ring Protection – ITU-T G.8032. Replaces STP in rings; sub-50ms recovery.
RPL = Ring Protection Link. The RPL-owner keeps the RPL blocked during normal operation; on a failure the RPL-owner puts the RPL into forwarding
RPL-owner sends R-APS (Ring Automatic Protection Switching) every 5 sec
A normal node generates R-APS when a local link failure occurs, and listens to / forwards R-APS
R-APS needs a dedicated VLAN (control channel); all VLANs in the ring are protected. Uses the CFM frame format, OpCode = 40, flags = 0, dst MAC = 0119A7-000001
R-APS fields: Request/State 4 bits (1011 = signal fail, 0000 = no request), sub-code/reserved 4 bits, status byte: RPL Blocked (RB) 1 bit, Do Not Flush (DNF) 1 bit, 6 bits reserved, Node ID (MAC, 6 bytes), 24 bytes reserved

config: must have an east- and a west-interface

set protocols protection-group ethernet-ring PNAME
guard-interval x
node-id MAC
east-interface ring-protection-link-end
east-interface control-channel CHA-NAME vlan X interface
west-interface control-channel CHA-NAME vlan X interface
ring-protection-link-owner

show protection-group ethernet-ring aps [detail]

LAG


802.3ad
duplex and speed must match; max 8 member links. RE-generated traffic is always sent on the lowest member link. IP traffic hashing uses L2-L4 fields

LACP: actor (local), partner (remote). Active or passive (default). At least one end must be active. Junos doesn't do automatic aggregation.

set chassis aggregated-devices ethernet device-count x

set interfaces ae0 unit 0 family bridge
aggregated-ether-options lacp active | passive
aggregated-ether-options lacp periodic fast (1s) | slow (30s, default)
ge-0/0/0 gigether-options 802.3ad ae0
ge-0/0/7 gigether-options 802.3ad ae0

MC-LAG and Virtual-Chassis

MC-LAG uses ICCP (Inter-Chassis Control Protocol, runs over TCP, session-based like BGP) to exchange info between the nodes
active/standby or active/active (all links active, MPC cards only, must have an ICL link between the devices)

set switching-options service-id X (same on both devices)
set protocols iccp local-ip-addr IP
peer IP2 redundancy-group-id-list x
liveness-detection minimum-interval 300
multiplier 3

set interfaces ae0 aggregated-ether-options lacp active
periodic fast
system-id MAC (identical on both peers so the CE sees a single LACP partner)
admin-key 1
mc-ae
mc-ae-id x
redundancy-group 1
chassis-id 0 (the other peer is 1)
status-control active (the other peer is standby)
mode active-active
unit 0 family bridge interface-mode trunk
vlan-id-list XXX
multi-chassis-protection IP2 interface ge-0/0/x // on the peer: IP1 interface ge-0/0/x (only for active/active)

show iccp
show interfaces mc-ae

MX virtual-chassis:

inter-chassis redundancy. VCCP (Virtual Chassis Control Protocol, based on IS-IS), MPC cards, 10G interfaces recommended for the VCP ports.
primary router

Troubleshooting

show system processes

show system core-dumps
file list /var/tmp/core

edit protocols rstp
traceoptions

show chassis routing-engine

edit snmp
set health-monitor

jflow v10 (IPFIX) – MPC card

edit services
flow-monitoring
version-ipfix
template NAME
ipv4-template

edit forwarding-options sampling
instance NAME input rate 10
run-length 5
max-packets-per-second 30000

edit chassis
tfeb
slot 0
sampling-instance X
inline-services
flow-table-size
ipv4-flow-table-size 10
ipv6-flow-table-size 5 (requires a reboot because by default only ipv4 is enabled)

show services accounting status inline-jflow

port-mirroring

edit forwarding-options port-mirroring
input rate 1
family inet output interface IFACE.0 next-hop IP

edit firewall family inet
filter port-mirror
term 1
then port-mirror

ARP entry for the monitoring device

show forwarding-options port-mirroring

=========================================
Junos MPLS Fundamentals On-Demand
=========================================

MPLS Intro

p2mp -> avoid to run multicast

MPLS Mechanics

mpls header (shim): 32 bits
label: 20 bits – labels 0-15 are reserved for special use
label 3 = implicit null: the egress PE advertises it to the penultimate hop, which pops the label before forwarding (PHP). Never seen on the wire.
label 0 (ipv4) / label 2 (ipv6) = explicit null: the egress PE advertises it, so the neighbor sends label 0/2 and the egress still receives a labeled packet (keeps the TC bits)
label 1 = router alert -> pop the label, process the packet locally, push label 1 again; it is never at the bottom of the stack
tc (traffic class, formerly EXP): 3 bits
s: 1 bit – bottom of stack: 1 = this is the bottom / 0 = there are more labels underneath
ttl: 8 bits – by default copied from the IP TTL at ingress
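Added example (not from the course or these notes): a Python encoder/decoder for the 32-bit shim and a label stack, with transit swap and pop operations, enforcing the reserved-label rules just listed (implicit null never on the wire, router alert never at the bottom). The label values are constructed; the bit layout is the RFC 3032 one.

```python
# Added example (not from the course notes): encode/decode the 32-bit MPLS shim header and a
# label stack, and apply the reserved-label rules described above. Label values are constructed.
import struct

RESERVED_LABELS = {0: "IPv4 explicit null", 1: "router alert", 2: "IPv6 explicit null", 3: "implicit null"}

def encode_entry(label: int, tc: int = 0, bottom: bool = False, ttl: int = 255) -> bytes:
    """label(20) | tc(3) | s(1) | ttl(8)"""
    if not 0 <= label < 1 << 20:
        raise ValueError("label must fit in 20 bits")
    if not 0 <= tc < 8 or not 0 <= ttl < 256:
        raise ValueError("tc is 3 bits, ttl is 8 bits")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)

def encode_stack(labels: list, tc: int = 0, ttl: int = 255) -> bytes:
    """labels[0] is the outer (top) label; the S bit is set on the last entry only."""
    return b"".join(encode_entry(lbl, tc, i == len(labels) - 1, ttl) for i, lbl in enumerate(labels))

def decode_stack(data: bytes):
    """Walk entries until S=1. Returns (entries, payload_offset)."""
    entries, pos = [], 0
    while True:
        if pos + 4 > len(data):
            raise ValueError("truncated stack: no entry with S=1")
        (word,) = struct.unpack("!I", data[pos:pos + 4])
        entry = {"label": word >> 12, "tc": (word >> 9) & 0x7, "bottom": bool((word >> 8) & 1), "ttl": word & 0xFF}
        if entry["label"] < 16:
            entry["reserved"] = RESERVED_LABELS.get(entry["label"], "reserved")
        entries.append(entry)
        pos += 4
        if entry["bottom"]:
            break
    # implicit null (3) is only ever signalled in the control plane; it never appears on the wire
    if any(e["label"] == 3 for e in entries):
        raise ValueError("implicit null on the wire: the upstream router should have popped")
    # router alert is processed locally and re-pushed, so it can never be the bottom label
    if entries[-1]["label"] == 1:
        raise ValueError("router alert label at the bottom of the stack")
    return entries, pos

def swap_top(data: bytes, new_label: int) -> bytes:
    """Transit (P) behaviour: replace the outer label, decrement TTL, keep TC and S."""
    entries, _ = decode_stack(data)
    top = entries[0]
    if top["ttl"] <= 1:
        raise ValueError("TTL expired: the packet would be dropped")
    return encode_entry(new_label, top["tc"], top["bottom"], top["ttl"] - 1) + data[4:]

def pop_top(data: bytes) -> bytes:
    """PHP or explicit-null handling: strip the outer entry (TTL propagation to the inner label omitted)."""
    return data[4:]

if __name__ == "__main__":
    stack = encode_stack([299808, 16], ttl=64)      # transport label over a VPN/service label
    print(decode_stack(stack))
    print(decode_stack(swap_top(stack, 299776)))
    print(decode_stack(pop_top(swap_top(stack, 299776))))
```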

LSP is unidirectional
head-end: ingress router
tail-end: egress router

PHP: penultimate hop popping

inet.3 -> all the ingress LSPs of this router (LSP endpoints). inet.3 is used to resolve BGP next hops: BGP checks inet.0 and inet.3 and the route with the lowest preference wins (RSVP 7 and LDP 9 are lower than OSPF 10 / IS-IS 15-18), so the LSP is used. inet.3 is for unlabeled (ingress) traffic; mpls.0 is for labeled traffic

** You use install active when you want regular traffic (not BGP-labeled) to use the LSP directly — for example, in LSP ping tests, or when configuring static routes using LSPs.

set protocols mpls label-switched-path R1-to-R2 to 192.0.2.2
set protocols mpls label-switched-path R1-to-R2 install 192.0.2.2/32 active (copies the LSP endpoint into inet.0)

set routing-options static route 10.10.10.0/24 next-hop 192.0.2.2 resolve (indirect next hop, so it needs resolve)

show route table mpls.0 label 16 detail (mpls.0 = LFIB, used for labeled traffic, so mainly on P routers)

static LSP: rare in prod networks

RSVP:
manual creation. but very powerfull

LDP:
simple. automatically creates a full mesh of LSPs. Follows the best path according to your IGP -> trade-off !!! no TE

SR:
MPLS SR advertise labels directly in OSPF/ISIS -> no extra protocol needed! It has best-path and TE capabilities.

BGP-LU: BGP can advertise labels using a special address family. Used to run MPLS VPNs across AS boundaries

MPLS STATIC LSP and forwarding plane

set interfaces ge-0/0/0 unit 0 family mpls (for data plane)

set protocols mpls interface ge-0/0/0.0 (for control plane) -> show mpls interface (says nothing about remote routers! only local)

1.000.000 – 1.048.575 static labels (the top of the 20-bit label space)

!! unidirectional !!
For ingress:
set protocols mpls static-label-switched-path NAME ingress next-hop PHY-IP to Lo.IP-egress-PE push LABEL

For transit (P)
set protocols mpls static-label-switched-path NAME transit IN_LABEL next-hop PHY-IP2 swap OUT_LABEL

For PHP (P)
set protocols mpls static-label-switched-path NAME transit IN_LABEL next-hop PHY_PE_IP pop

  • you can use LSP as NH for static route
    set routing-options static route NET/2x static-lsp-next-hop LSP_NAME

show mpls static-lsp ingress|transit

show route table mpls.0 (routing based on incoming labels) you may see (S=0): that's the stack-bottom bit !!!

show route Lo.IP-egress-PE => will show the static lsp in inet.3 !!

show route NET_advertised_by_egress_PE [detail]

set protocols mpls icmp-tunneling => show mpls hops in traceroute

set cli logical-system X
clear cli logical-system -> back to the main system

RSVP INTRO

create RSVP LSP at ingress router. Every other hop takes care by itself.

feature rich. backup standby LSP from headend (ingress), create local-repair LSP to protect from link/node failure.

ospf/isis are used to advertise TE info. IS-IS does it by default; OSPF needs the traffic-engineering knob.
TE info is stored in the TED.
RSVP can use the TED: ERO = Explicit Route Object, created by the ingress PE; each router in the path obeys the ERO.
or the LSDB (isis/ospf): follows the best path hop by hop, no ERO

set interfaces ge-0/0/0 unit 0 family mpls (for data plane)

set protocols mpls interface ge-0/0/0.0 (for control plane) -> show mpls interface (says nothing about remote routers! only local)

set protocols rsvp interface ge-0/0/0.0 (for control plane) -> show rsvp interfaces (idem) / show rsvp neighbor

if a loopback filter (RE protection / CoPP) is applied, permit RSVP and LSP ping!
set firewall family inet filter NAME term RSVP from protocol rsvp then accept
term MPLS_PING from protocol udp port 3503 then accept (LSP ping uses UDP 3503, RFC 8029)

RSVP: config basic LSP

set protocols ospf area 0.0.0.0 interface X.0 interface-type p2p

interface lo0.0
reference-bandwidth 100g

set protocols mpls (!!!) label-switched-path NAME to lo.IP.egress_PE no-cspf (turns off constrained shortest path first -> doesn't use the TED, the LSP follows the IGP hop by hop!!)

  • confirm your lsp with the "Resv messages" (from the destination back to the origin)

show mpls lsp [name NAME] [ingress, transit, egress] [extensive]
RRO=Record route object -> each hop adds to this object to indicate the full end-to-end path. avoid loops too!

show rsvp session

show route table inet.3
show route NET/x (advertised by egrees PE)

mpls self-ping: checks that the LSP is ready to forward traffic, needed because LSPs are unidirectional!
UDP ping sent down the LSP: src: r1 dst: r1
the ping comes back as regular IP traffic (not via the LSP!!!)
-needed for backup/local-repair paths! if mpls self-ping doesn't work, traffic is never moved over to these backups

hello message
path message: head-end to tail-end
resv message: tail-end to head-end. confirms the LSP was set up successfully

messages contain many objects.

RSVP TED

bw visibility, link tagging. Every router has an almost identical TED. IS-IS gives the hostname!! OSPF gives the router ID number -> harder to read!

show ted database [extensive ]
remote: 0.0.0.0 -> pseudonode = LAN

ISIS TLVs.
show isis database extensive

set protocols mpls label-switched-path NAME to lo.IP.egreess_PE

show mpls lsp [name NAME] detail -> shows the ERO. Transit routers never calculate an alternate path. ERO hops can be strict or loose
extensive -> shows the CSPF result

strict: the hop must be directly connected.
loose: the hop can be many hops away

set protocols mpls path NAME_PATH lo0.PEx loose
set protocols mpls path NAME_PATH lo0.PEy strict

set protocols mpls label-switched-path NAME_LSP to lo.PEz primary NAME_PATH

set protocols ospf traffic-engineering -> LSA type10 – opaque LSA, not sent outside area
show ospf database opaque-area [extensive lsa-id IP advertising-router Lo0.PE]


you can use TE features in a non-TE network but are limited
-ERO: but the hops in between still decide the best next hop themselves
-bw reservation: if no bw, lsp can’t find another path.

RSVP LSP bw reservation

It uses CSPF
lsp priority: when there is not enough bw, an LSP with higher priority can force a low-priority LSP to find an alternative path.
bw reservation is not a policer! it is just a reservation in the control plane

manual bw reservation is hard -> auto-bw, but complicated. not shown in this course.

set protocols mpls label-switched-path NAME1 to lo0.PE1 bandwidth Xm
show mpls lsp name NAME1 detail
show rsvp interface
show ted database extensive lo0.PE1

oversubscribe vs undersubscribe
set protocols rsvp interface ge-0/0/0.0 subscription 500 -> oversubscribes the link by 5x!
set protocols rsvp interface IFACE.0 bandwidth 2g -> changes the total reservable bw. For example if physical is 1g, now you say it is 2g.

monitor label-switched-path NAME -> shows traffic stats

  • Juniper Paragon: monitor LSP

RSVP LSP Priorities

solve issue from bw reservation. first lsp gets best path. Or some LSP may not come up

  • the bin packing problem: pack big items first
    priority: 0 = best / 7 = worst. Priority only matters when: 1) the best path cannot offer enough bw: a low-priority LSP may not come up if no bw is available anywhere;
    2) a box has many LSPs: the higher-priority ones are signalled first. Equal priority -> alphabetical order

Two values: setup priority (default 7): value used to install an LSP in a path. It is compared with the hold value of the other LSPs
hold priority (default 0): value used to keep an LSP. This is compared with the setup priority of a contending LSP.
=> if setup is better (lower value) than hold -> the existing LSP is kicked off

  • an LSP's setup priority can never be better than its hold priority !!! Only preempt if strictly better (if equal, no change)

set protocols mpls label-switched-path NAME1 priority SETUP HOLD –> changing this can trigger LSP flaps (preemption) !!!

show mpls lsp name NAME detail
show ted database Lo0.PE.NAME extensive

set groups RSVP_PRIO protocols mpls label-switched-path <*> priority 5 4
set apply-groups RSVP_PRIO
show configuration protocols mpls | display inheritance no-comments

default: LSP rerouting by preemption is not graceful!!! the LSP is torn down and then signals a new path
-> sol: soft-preemption
set groups RSVP_PRIO protocols mpls label-switched-path <*> soft-preemption
–> find a new path first, move the traffic, and if it is good for 30s, delete the old path
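Added example (not from the course or these notes): a Python model of the setup/hold rules above on a single link. It refuses a setup priority better than the hold priority, preempts only LSPs whose hold priority is strictly worse than the newcomer's setup priority (worst first, and only as many as needed), and signals a batch in priority-then-alphabetical order. LSP names, bandwidths and the link capacity are constructed.

```python
# Added example (not from the course notes): model RSVP setup/hold priorities on one link.
# Bandwidth values and LSP names are constructed; the rules follow the notes above:
# lower value = better, setup may not be better than hold, preempt only if strictly better.
from dataclasses import dataclass

@dataclass
class Lsp:
    name: str
    bandwidth: int          # reserved bandwidth (Mb/s): control plane only, not a policer
    setup: int = 7          # Junos default setup priority
    hold: int = 0           # Junos default hold priority

    def __post_init__(self):
        if not (0 <= self.setup <= 7 and 0 <= self.hold <= 7):
            raise ValueError("priorities are 0 (best) to 7 (worst)")
        if self.setup < self.hold:
            # otherwise an LSP could preempt another copy of itself; Junos rejects this at commit
            raise ValueError(f"{self.name}: setup {self.setup} may not be better than hold {self.hold}")

def signaling_order(lsps):
    """Many LSPs on one box: best setup priority first, ties in alphabetical order."""
    return [l.name for l in sorted(lsps, key=lambda l: (l.setup, l.name))]

def admit(capacity: int, existing: list, new: Lsp):
    """Return (admitted, preempted_names). Only LSPs whose hold priority is strictly worse than
    new.setup can be preempted, worst first, and only as many as needed to free the bandwidth."""
    free = capacity - sum(l.bandwidth for l in existing)
    if new.bandwidth <= free:
        return True, []
    victims = sorted((l for l in existing if l.hold > new.setup), key=lambda l: l.hold, reverse=True)
    preempted = []
    for v in victims:
        preempted.append(v.name)
        free += v.bandwidth
        if new.bandwidth <= free:
            return True, preempted
    return False, []   # no room on this link for the new LSP, and nothing gets torn down

def place_all(capacity: int, lsps: list):
    """Signal a batch in order and return the survivors after preemption."""
    placed = []
    for name in signaling_order(lsps):
        lsp = next(l for l in lsps if l.name == name)
        ok, kicked = admit(capacity, placed, lsp)
        if ok:
            placed = [l for l in placed if l.name not in kicked] + [lsp]
    return [l.name for l in placed]

if __name__ == "__main__":
    A = Lsp("A", 6)             # defaults 7/0: never preempts anything, never gets preempted
    B = Lsp("B", 3, setup=5, hold=5)
    print(admit(10, [A, B], Lsp("C", 3, setup=4, hold=4)))   # (True, ['B'])
    print(admit(10, [A, B], Lsp("E", 3, setup=5, hold=5)))   # (False, []): equal is not better
    print(place_all(10, [A, B, Lsp("C", 3, setup=4, hold=4)]))   # ['C', 'B']: the big default LSP loses out
```

The last call shows the bin-packing point from the notes: with the defaults, the 6 Mb/s LSP is signalled last and cannot preempt anybody, so it never comes up on this link.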

CSPF and Admin Groups

CSPF = Constrained Shortest Path First. Uses the TED. Like SPF, but over the pruned TED.

  • compute LSPs one at a time – start with the highest-priority LSP, tie breaker is alphabetical order.
  • links are pruned if: not enough bw, they don't carry a mandatory tag, or they carry a tag to be avoided
  • strict and loose hops are considered
  • equal-cost paths? -> choose the one with the fewest hops; if still equal, choose random (default) or by available bw ratio (most full path or least full path)
    100G with 60G reserved = 40% avail bw ratio
    10G with 1G reserved = 90% avail bw ratio
    least-fill -> highest avail bw ratio
    most-fill -> lowest avail bw ratio -> good to avoid the bin packing problem

set protocols mpls label-switched-path NAME to IP [random | most-fill | least-fill]

Admin Groups = affinity groups, link coloring. Group links to be avoided or to be used. This is unidirectional !!!

set protocols mpls admin-groups ADGROUP [0-31] -> only the number is advertised !!! so you have to map the names to the same numbers on every device when writing config!!!
it is a 32-bit mask, so an interface can "activate" several groups.
set protocols mpls interface ge-0/0/0.0 admin-group ADGROUP

set protocols mpls label-switched-path LSP to PE-IP admin-group [include-any | include-all | exclude] [GROUP1 GROUP2]

  • if you tag a link AFTER an LSP is up, nothing happens by default (or you configure self-optimize)
    i.e.: to put a pure P transit router in maintenance, just add all its links to a "Maintenance" group, have all LSPs exclude Maintenance, and add self-optimize
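Added example (not from the course or these notes) for the CSPF and admin-group rules above: a miniature Python CSPF over a constructed TED. Links are unidirectional, admin groups are 32-bit masks built from a local name-to-number map (only the number is what the IGP would carry), links are pruned on bandwidth and include-any / include-all / exclude, and equal-cost, equal-hop paths are broken by least-fill or most-fill using the available-bandwidth ratio of the path's tightest link. Router names, metrics, capacities and reservations are constructed; a real CSPF runs Dijkstra, the DFS here is only for a toy TED.

```python
# Added example (not from the course notes): a miniature CSPF over a constructed TED showing the
# pruning rules above (bandwidth, admin groups as 32-bit masks) and the least-fill/most-fill tie-break.
from collections import namedtuple
import random

# admin-group names are local; only the bit number travels in the IGP, so every router must agree on the map
ADMIN_GROUPS = {"gold": 0, "maintenance": 5}

def group_mask(names) -> int:
    mask = 0
    for name in names:
        mask |= 1 << ADMIN_GROUPS[name]
    return mask

# one direction of a link: TE links (and admin groups) are unidirectional
Link = namedtuple("Link", "src dst metric capacity reserved groups")

def link_usable(link: Link, bandwidth: int, include_any: int, include_all: int, exclude: int) -> bool:
    if link.capacity - link.reserved < bandwidth:
        return False
    if exclude & link.groups:
        return False
    if include_any and not (include_any & link.groups):
        return False
    if include_all and (include_all & link.groups) != include_all:
        return False
    return True

def simple_paths(links, node, dst, visited=()):
    """Depth-first enumeration; fine for a toy TED, a real CSPF runs Dijkstra."""
    if node == dst:
        yield []
        return
    for l in links:
        if l.src == node and l.dst not in visited:
            for rest in simple_paths(links, l.dst, dst, visited + (node,)):
                yield [l] + rest

def avail_ratio(path) -> float:
    """Available-bandwidth ratio of the path = ratio of its tightest link."""
    return min((l.capacity - l.reserved) / l.capacity for l in path)

def cspf(links, src, dst, bandwidth=0, include_any=0, include_all=0, exclude=0, tie_break="random"):
    """Return the ERO (list of hops) or None when the constraints cannot be met."""
    usable = [l for l in links if link_usable(l, bandwidth, include_any, include_all, exclude)]
    paths = list(simple_paths(usable, src, dst))
    if not paths:
        return None
    best = min(sum(l.metric for l in p) for p in paths)
    paths = [p for p in paths if sum(l.metric for l in p) == best]       # lowest metric
    fewest = min(len(p) for p in paths)
    paths = [p for p in paths if len(p) == fewest]                        # then fewest hops
    if len(paths) > 1:
        if tie_break == "least-fill":
            paths.sort(key=avail_ratio, reverse=True)                     # most headroom first
        elif tie_break == "most-fill":
            paths.sort(key=avail_ratio)                                   # fill the busy path first
        else:
            random.shuffle(paths)
    return [l.dst for l in paths[0]]

# constructed TED: two equal-metric two-hop paths R1->R4 plus a longer direct link under maintenance
TED = [
    Link("R1", "R2", 10, 100, 60, group_mask(["gold"])),   # 40% available
    Link("R2", "R4", 10, 100, 10, group_mask(["gold"])),   # 90% available
    Link("R1", "R3", 10, 10, 1, 0),                        # 90% available
    Link("R3", "R4", 10, 10, 2, 0),                        # 80% available
    Link("R1", "R4", 30, 100, 0, group_mask(["maintenance"])),
]

if __name__ == "__main__":
    print(cspf(TED, "R1", "R4", tie_break="least-fill"))   # ['R3', 'R4']
    print(cspf(TED, "R1", "R4", tie_break="most-fill"))    # ['R2', 'R4']
    print(cspf(TED, "R1", "R4", bandwidth=50, exclude=group_mask(["maintenance"])))  # None
```

The last call is the maintenance scenario from the notes: once the direct link is tagged and excluded, a 50 Mb/s LSP has no path at all, which is exactly the "bw reservation: if no bw, lsp can't find another path" trade-off.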

LSP Failures, errors and session Maintenance

messages: (path->egress(direct path) / resv->ingress(return path))

PathTear: towards egress (direct path: downstream). Tear down LSP
ResvTear: towards ingress (return path: upstream)

PathErr: towards ingrees (upstream). Commumicate errors info
ResvErr: towards egress (downstream)

  • different direction from the Tear messages!!! This is a slow process: until the ingress PE receives the ResvTear/PathErr, no new LSP is programmed
    sol: backup local-repair LSP: pre-signaled LSP around link or node failures. Each hop can generate a local repair path
    secondary path: pre-signaled and with different constraints from the primary

overhead reduction:
RSVP is soft-state (periodic refreshes, raw over IP with no reliable transport, UDP-like)
rfc 2961: RSVP refresh overhead reduction extensions
hellos are optional: default 9 sec in Junos (hello-interval)

Primary and secondary path

The primary is used. Several secondary paths can be defined. A secondary is calculated only when the primary goes down.
The secondary is used until the primary has recovered and been up for 60s (revert-timer).

  • constraints -> + diversity
  • constraints -> + difficult to scale

set protocols mpls path PATH1 PE1-LO loose

set protocols mpls label-switched-path LSPx to PEx-Lo primary PATH1 secondary PATH2 secondary PATH3

retry-limit: default 0 (unlimited) – number of times it will try to bring the primary up again
retry-timer: default 30s – time between attempts
revert-timer: default 60s – (0 = never revert) once primary is up, wait x sec before move traffic to primary
or dont define primary, and just define secondary paths for the lsp

set protocols mpls label-switched-path LSP1 secondary PATHx select manual –> the secondary path comes up immediately and is used for forwarding.
-> this is very manual!!! i.e.: used to re-route traffic when a node is in maintenance -> all LSPs going through that node need the "select manual"

defining secondary constraints is manual and tedious
-> sol: secondary standby paths: pre-calculated, pre-signaled and always up. CSPF adds a temporary metric of 8M to each link used by the primary path so the standby is diverse.

set protocols mpls label-switched-path LSP1 to PEx-Lo primary BLANK_PRIMARY secondary BLANK_SECONDARY standby
set protocols mpls path BLANK_PRIMARY (without constraints!)
set protocols mpls path BLANK_SECONDARY (without constraints!)

show mpls lsp ingress LSP1 detail

trade-off: standby secondary -> double up number RSVP tunnels
if standby is configured with bw constraints -> you may artificially run out of RSVP bw.

show route IP/x detail | match “inet.0|IP|via|Push”
-> you see the paths for primary and secondary in the RIB, but only the lowest-weight route is installed in the FIB!!
if you want both installed (but only the primary actually used) you need to configure LB (as per JNCIA and below)

show route forwarding-table matching IP/x extensive

enable LB in FIB:
set policy-options policy-statement LB then load-balance per-packet
set routing-options forwarding-table export LB

Local-Repair P1: one-to-one (1:1) backup or FRR (Fast Reroute)

protects against link and node failure, reduces downtime -> always-on backup LSP at the "point of local repair". Used for a short time until the head-end calculates a new LSP
The point of local repair sends a PathErr to the head-end so it programs a new LSP. Detours avoid the next node, so they cover both the link and the node

rfc 4090
-1:1 backup: 1 backup path ("detour") for each LSP, at each hop along the path! (scale issues) pointing to the tail-end!!! = Fast-Reroute
– node protection, find the fastest path to the tail-end
– as it creates many LSPs, a node can "merge" detours (1+ ingress) and generate only 1 egress detour

 set protocols mpls label-switched-path LSP1 to PE-IP fast-reroute [hop-limit 6=default | bandwidth 0=default | include-any GROUP]
   + CONFIGURE LB in FIB

 show mpls lsp ingress extensive
 show rsvp session detail
 show mpls lsp transit -> detour lsp uses the same name as the main lsp!!! so you can't figure out if it is a detour!
                          detour number x means the number of detour have been merged to x detour
  -> show rsvp session detail | match "Detour branch from" -> This can help you to figure out if it is a detour
                                                              and if several detour branch have the same "label out" => it is merged!

Local-Repair P2: Facility Backup or Node-Link-Protection

-facility backup: 1 backup path ("bypass") for many LSPs = link-protection or node-link-protection (better). Scales better in big networks
it is a separate, standalone LSP with its own name. The bypass LSP pushes a second label !! There is PHP to pop the second label. It doesn't signal to the tail-end.

bypass to next-hop -> protects against link failure
bypass to next-next-hop -> protects against link and node failure. trade-off: the LSP is longer, may impact delay-sensitive traffic

set protocols rsvp interface ge-0/0/0.0 link-protection [on all links where you want link-protection/node-protection]
set protocols mpls label-switched-path LSP1 to PEx-lo [link-protection | node-link-protection]

show route IP/x [detail] -> you can see the Bypass!! it has a high weight; the bottom label is the one identifying the next-next-hop,
and the top label is for the bypass LSP to the next node.
show route table inet.3
show mpls lsp
show mpls lsp bypass ingress
show rsvp session ingress -> all LSPs, bypasses included

big networks -> facility backup if the hardware supports at least 3 labels, if not, use FRR
but one bypass LSP can overwhelm a link! -> set up several bypasses or put a bandwidth reservation on each bypass

ring topology + 1:1 -> each router merges incoming detours into its outgoing detour
+ node-protection -> traffic has to make a U-turn twice !!! (need drawing)

RSVP LSP Optimization

an LSP stays on the same path until torn down or kicked out by an LSP with a lower (better) priority value
optimization -> runs CSPF periodically

global: set protocols mpls optimize-timer X (0s = never, up to 65535s)
indiv: set protocols mpls label-switched-path LSP1 to PE-Lo optimize-timer X

manual: clear mpls lsp name LSP optimize -> it does not clear the LSP!!! it just runs the optimization now

conditions for LSP optimization

  • new CSPF metric must not be higher than old path
  • if metrics are same, new path must no have more hops
  • new path must not cause preemption of other lsps
  • new path must not have a worse "available bw ratio" (only the 4 lowest ratios along the path are compared, no matter how long it is)
    if least-fill is used, the new path must be at least 10% better than the current path

set protocols mpls optimize-aggressive -> optimizes purely on IGP metric!
clear mpls lsp name LSP optimize-aggressive

optimize detours and bypasses:
set protocols rsvp fast-reroute optimize-timer (0..65535)

set protocols rsvp interface ge-0/0/0.0 link-protection optimize-timer (0..65535)

RSVP Make-before-break and adaptive

when a link/node goes down, temporarily there are two copies of the same LSP: same name, same tunnel ID but different LSP IDs -> show rsvp session

MBB: make before break: traffic is hitlessly moved to an alternative path
show mpls lsp name LSP extensive

outside scope: auto-bw and p2mp lsp (l2vpn course – vpls)

preventing double-counting of bw: this happens when two copies of the same LSP share a link. By default, routers treat the two copies as different LSPs -> problem

sol: reservation style:

  • fixed filter FF: default, cannot share bw reservations. two of same lsp are treated as separate lsps
  • shared explicit SE: two of same lsps can share a bw reservation -> “adaptive” knob

set protocols mpls label-switched-path LSP1 adaptive // enables MBB (SE reservation style)
show rsvp session extensive name LSPx -> look for “Resv style”

map traffic to rsvp lsp:
set policy-options policy-statement MAP term T1 from route-filter IP/x exact then install-nexthop lsp LSP1 accept
next-hop ingress-PE-Lo
match bgp community list
term T2 from route-filter IP2/y exact then install-nexthop lsp LSP2 accept
term T3 then accept

set routing-options forwarding-table export MAP

show route IP/x
IP2/y

LDP – INTRO

automatic full mesh of LSPs to the loopbacks, follows the IGP best path -> inet.3
No TE.
FEC = forwarding equivalence class = the set of traffic that is forwarded through one LSP
A PE lo0 is a FEC

RSVP: the ingress router sends a Path message = "downstream on demand" –>
LDP: the egress router advertises a FEC for itself unprompted = "downstream unsolicited" <–

Ordered control: Junos only advertises a label for a FEC once it has received a label from its downstream next hop (or it is the egress itself)
Liberal label retention: Junos keeps all the labels it receives, also from neighbors that are not the next hop (speeds up recovery from link/node failures)

LDP LSPs are like a tree -> multipoint-to-point LSP (the root is the originating PE lo0 = FEC). Every PE has an LSP to the egress = root
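Added example (not from the course or these notes): a Python simulation of the LDP behaviour just described on a constructed four-router topology. The egress advertises implicit null for its loopback FEC unprompted (downstream unsolicited), every other router allocates and advertises its own label only after it holds one from its IGP next hop (ordered control), and labels from non-next-hop neighbors are kept (liberal retention) so they are available as a backup the moment a link fails. Router names, loopbacks, label bases and the IGP next hops are constructed; the next-hop table stands in for the IGP.

```python
# Added example (not from the course notes): simulate LDP downstream-unsolicited label distribution
# with ordered control and liberal label retention on a constructed four-router topology, then
# read back each router's mpls.0 entry and the retained backup label. Everything here is constructed.
from collections import deque
from itertools import count

IMPLICIT_NULL = 3

class Lsr:
    def __init__(self, name, loopback, neighbors, next_hop, label_base):
        self.name, self.loopback, self.neighbors = name, loopback, neighbors
        self.next_hop = next_hop            # fec -> IGP next-hop router (stands in for the IGP)
        self.local = {}                     # fec -> label this router allocated and advertised
        self.received = {}                  # fec -> {neighbor: label}: liberal retention keeps all of them
        self._labels = count(label_base)

def distribute(lsrs: dict, egress_name: str) -> str:
    """Egress advertises its loopback FEC unprompted; everyone else waits for its next hop (ordered control)."""
    egress = lsrs[egress_name]
    fec = egress.loopback
    egress.local[fec] = IMPLICIT_NULL                        # "pop before you send to me" -> PHP
    queue = deque((egress.name, n, fec, IMPLICIT_NULL) for n in egress.neighbors)
    while queue:
        src, dst, fec, label = queue.popleft()
        r = lsrs[dst]
        r.received.setdefault(fec, {})[src] = label          # retain even if src is not the next hop
        if fec not in r.local and r.next_hop.get(fec) == src:
            r.local[fec] = next(r._labels)                   # allocate only once the downstream label is known
            queue.extend((r.name, n, fec, r.local[fec]) for n in r.neighbors)
    return fec

def lfib_entry(r: Lsr, fec: str):
    """mpls.0 view: (in label, next hop, action) for the active path."""
    nh = r.next_hop[fec]
    out = r.received[fec][nh]
    return r.local[fec], nh, "pop" if out == IMPLICIT_NULL else "swap %d" % out

def backup_label(r: Lsr, fec: str, failed_neighbor: str):
    """After a link failure the retained label from another neighbor can be used without re-signalling."""
    return {n: l for n, l in r.received[fec].items() if n != failed_neighbor}

def build_topology() -> dict:
    fec = "192.0.2.3/32"                      # R3's loopback, the FEC everybody builds an LSP toward
    return {
        "R1": Lsr("R1", "192.0.2.1/32", ["R2", "R4"], {fec: "R2"}, 300000),
        "R2": Lsr("R2", "192.0.2.2/32", ["R1", "R3", "R4"], {fec: "R3"}, 301000),
        "R3": Lsr("R3", fec, ["R2", "R4"], {}, 302000),
        "R4": Lsr("R4", "192.0.2.4/32", ["R1", "R2", "R3"], {fec: "R3"}, 303000),
    }

if __name__ == "__main__":
    net = build_topology()
    fec = distribute(net, "R3")
    for name in ("R1", "R2", "R4"):
        print(name, lfib_entry(net[name], fec), "retained:", net[name].received[fec])
```

R1 ends up with two labels for the same FEC (one from R2, one from R4) but only the one from its IGP next hop is in mpls.0; that is the whole point of liberal retention, and the reason `show ldp database` shows more bindings than `show route table inet.3`.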

LDP – CONFIG

hello msg: UDP 646 to 224.0.0.2. It carries the transport address (lo0), which is then used to start the TCP session. The TCP session is started by the highest transport (lo0) IP
tcp: 646

header: version: 1, LSR ID = loopback, Label Space ID = 0 (platform-wide label space: any label can be used on any interface)

set protocols ldp interface ge-0/0/0.0 (not needed on the loopback) (CP)
set protocols mpls interface ge-0/0/0.0 (CP)
set interfaces ge-0/0/0 unit 0 family mpls (DP)

set firewall family inet filter LO term LDP from protocol [ tcp udp ] port ldp then accept

show ldp interface [detail | extensive]
show ldp neighbor [extensive] (physical interfaces)
show ldp session [Lo.IP detail] (loopback interfaces) -> two neighboring routers have as many neighbors as interfaces between them, but only one session
show ldp database [session lo.IP]
show route table inet.3
show ldp traffic-statistics
clear ldp session/neighbor [all | lo.IP]

LDP – ENHANCEMENTS

ldp-igp sync: if LDP is not up on the best path, MPLS packets are dropped
with "ldp-synchronization", the router advertises a high metric (isis/ospf) until LDP is up. Once it has been up for 10s, the metric changes back to the real value

set protocols isis interface ge-0/0/0.0 ldp-synchronization (only in p2p interface!!!!)

by default ldp metric = 1 -> if used with BGP multipath => LDP can LB with un-equal cost paths.
-> change that
set protocols ldp track-igp-metric

"session-protection" keeps the LDP session up, loopback to loopback over a multihop path, when the direct link between two adjacent routers goes down (no need to re-learn all labels).
set protocols ldp interface lo0.0
set protocols ldp session-protection

LDP – EGRESS, IMPORT, EXPORT

egress policies: advertise other FECs apart from PE lo0.

set policy-options policy-statement LDP_EGRESS term export from route-filter CPE-LO/32 exact route-filter PE-LO/32 exact … then accept (a prefix that matches no term is not advertised!!!)
set protocols ldp egress-policy LDP_EGRESS

  • this will advertise all the new FECs with the same transport label (aggregation) -> load-balancing is not going to be possible
    if you want LB:
    set protocols ldp deaggregate (on all routers!!!)

import/export: act on FECs that already exist
import: tag a received FEC as filtered in the LDP db. Prevents the FEC from being imported into inet.3 and from being re-advertised
set policy-options policy-statement LDP_IMPORT term block from route-filter PEx-LO/32 exact then reject
term rest then accept
(** the default LDP import policy is to accept all, but make it explicit)
set protocols ldp import LDP_IMPORT
show ldp database session PE-Lo
show route table inet.3 PE-Lo

export: prevents an accepted FEC from being re-advertised
set policy-options policy-statement LDP_EXPORT term block from route-filter PEx-LO/32 exact then reject
term rest then accept (** the default LDP export policy advertises all bindings; the explicit accept keeps that for everything not blocked)
set protocols ldp export LDP_EXPORT

-ldp tunneling
-ldp local repair
-ldp auth

SEGMENT ROUTING

2010 – SR or SPRING. shortest-path forwarding, TE and local-repair. Source routing: the ingress decides the path.
SRv6: uses ipv6 headers instead of mpls labels

SR advertises labels using is-is/ospf, so all routers know the labels that every other router has assigned; a router can build a stack of labels to specify an exact path: huge reduction in state -> no extra adjacencies (rsvp/ldp), TE LSPs don't need to be signaled

segment = link, router, prefix, etc. each segment has SID (segment ID). All advertised by isis/ospf

Adj SID: label allocated to each link running isis/ospf. One label for ipv4 and another for ipv6
Node SID: one per router. Populates inet.3

set interfaces ge-0/0/0 unit 0 family mpls (DP)
set protocols mpls interface ge-0/0/0.0 (CP)
set chassis network-services enhanced-ip => reboot !!!
set protocols isis source-packet-routing

show isis adjacency R4 detail
show isis database R3 detail
Flags: F (family) not set = ipv4 / set = ipv6
V value (the SID is an absolute label value, not an index)
L local significance
P persistent SID across reboots
B backup = local-repair
S belongs to a set of interfaces (unequal-cost load balancing)

show route table mpls.0 label X

Controller for generating stack of labels: Juniper Paragon Pathfinder.

Replace LDP: no label stacks needed, no external controller. SR can use the same transport label at every hop (if every router uses the same SRGB).
each router allocates a block of labels (advice: configure the same block on each router)
each router has a unique id = node SID index -> mpls label = SRGB start label + node SID index
*LDP generates a label for itself and for each received FEC.
*SR advertises an entire block of labels = SRGB = SR Global Block. By default the SRGB index range is 4096

set protocols isis source-packet-routing node-segment ipv4-index 405
ipv6-index 605

(same on all routers)
set protocols isis source-packet-routing srgb start-label 800000
index-range 4000 (default is 4096) -> 50% for ipv4 and 50% for ipv6.

show route table mpls.0 label XXX

when you configure node SIDs on each router, inet.3 is automatically populated with a full mesh of shortest-path LSPs to every other router, like LDP => show route table inet.3

calculating the label to push/swap = the next-hop router's SRGB start label + the destination's node SID index
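Added example (not from the course or these notes): a Python walk-through of the label rule above on a constructed three-router chain. It derives the per-hop transport labels from each next hop's SRGB, builds a router's mpls.0 (swap toward the next hop, pop when the next hop is the destination, the PHP default), and shows what happens when one router is configured with a different SRGB, which is why the notes say to use the same block everywhere. Router names, node indexes, the IGP next-hop table and the second SRGB are constructed; 800000/4096 is the Junos default from the notes.

```python
# Added example (not from the course notes): derive SR transport labels and a router's mpls.0 entries
# from SRGBs and node-SID indexes, using the rule above (label = next hop's SRGB start + destination
# index). The topology, indexes and SRGBs are constructed; R1-R2-R3 is a chain.
DEFAULT_SRGB = (800000, 4096)   # Junos default start label and index range per the notes

def node_label(srgb, index: int) -> int:
    start, index_range = srgb
    if not 0 <= index < index_range:
        raise ValueError("node index %d outside SRGB range %d" % (index, index_range))
    return start + index

def label_to_index(label: int, srgb):
    """Reverse mapping used when a labeled packet arrives: which node SID is this? None if not in the block."""
    start, index_range = srgb
    return label - start if start <= label < start + index_range else None

def transport_labels(path: list, srgbs: dict, dst_index: int) -> list:
    """Label each router along path=[ingress, ..., egress] expects in its mpls.0 for dst_index
    (PHP aside): it comes from the receiving router's SRGB, not the sender's."""
    return [node_label(srgbs[nh], dst_index) for nh in path[1:]]

def build_lfib(router: str, srgbs: dict, next_hops: dict, node_index: dict) -> dict:
    """mpls.0 of `router`: inbound label -> (next hop, action). PHP when the next hop is the destination."""
    lfib = {}
    for dst, idx in node_index.items():
        if dst == router:
            continue
        nh = next_hops[router][dst]
        in_label = node_label(srgbs[router], idx)
        if nh == dst:
            lfib[in_label] = (nh, "pop")           # destination advertised its node SID with PHP (default)
        else:
            lfib[in_label] = (nh, "swap %d" % node_label(srgbs[nh], idx))
    return lfib

NODE_INDEX = {"R1": 401, "R2": 402, "R3": 403}
NEXT_HOPS = {   # IGP shortest-path next hop toward each destination (constructed)
    "R1": {"R2": "R2", "R3": "R2"},
    "R2": {"R1": "R1", "R3": "R3"},
    "R3": {"R1": "R2", "R2": "R2"},
}
UNIFORM = {r: DEFAULT_SRGB for r in NODE_INDEX}
MIXED = {"R1": DEFAULT_SRGB, "R2": (900000, 4096), "R3": DEFAULT_SRGB}   # R2 configured differently

if __name__ == "__main__":
    print(transport_labels(["R1", "R2", "R3"], UNIFORM, NODE_INDEX["R3"]))  # same label every hop
    print(transport_labels(["R1", "R2", "R3"], MIXED, NODE_INDEX["R3"]))    # label changes at R2
    print(build_lfib("R2", MIXED, NEXT_HOPS, NODE_INDEX))
```

With a uniform SRGB the label for R3 is 800403 everywhere, so `show route table mpls.0 label 800403` means the same thing on every box; with R2 on a different block the same destination is 900403 on one hop and 800403 on the next, which is correct but makes troubleshooting and filter writing error-prone.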