Quick-Series 29 : Mx – Bridge-Domain – Using Vlan-id None ? –

No Comments

Hi,

Continuing on Bridge-Domains on Mx, I came across using vlan-id “none” and initially was surprised by this knob, I mean we create bridge-domain based on a Vlan and associate / segregate traffic based on Vlan-id.

Lets explore a use case or a remote scenario where this might come in handy.

Let us say you have customers with different vlan’s and you are about to be in merger and provide a common Layer-3 IP. Obviously, if you are in a situation where you have them on your sub-interfaces, you cannot have same vlan-id for two Sub-interfaces.

Let see what Vlan-id None can do here

 

Topology

 

Looking closely at the configuration, we see that vlan-id none has been used instead of being specific, but as you see the interfaces, they are clearly in vlans 101 and 102. So, how does thisΒ  work ?

bridge_domain_config_2

There you go, there is a Pop in the inbound direction of the interface, a POP action popping out Vlan and the return traffic is now having PUSH action, hence traffic coming into bridge-domain will not care with what Dot1q tag the packet is coming-in.

interface_details_3

Lets initiate a Ping and see if this works from two customer ends who are in different Vlans.

final_results

There you Go

 

Regards

Rakesh M

Quick-Series 28 – Vlan-Rewrite on Mx

No Comments

Hi,

Vlan Rewrite on Mx is handy and can also be done fairly easily. Let see the scenario where it can come into help.

topology

Problem – Service provider has Vlans, which are currently used by customers as well, so technically we cannot have a bridge domain combining our Internal Lan and Customer Lans (speaking purely from the post perspective)

Vlan Rewrite can be used to bypass this issue.

Initially customer tries to ping the SP, but there appears to be no reply from MX.

initial_ping_response_fail

Now, lets configure Bridge domain for these two customers and have Routing-Interfaces associated to individual Bridge-Domains.

configuring_bridge_domains_2

Configuring Vlan-Rewrite

configuring_interface_rewrite

Final verification is much simpler.

final_verification

 

Regards

Rakesh M

 

 

 

 

Virtual Switch Instance – vMX

6 Comments

Hi,

Virtual-Switch instance was alwaysΒ  a fascination for me, just for a simple fact that you could turn a Router to Bridge/Switch everything. Although there are many advantages and applications, I quickly wanted to write up the Lab scenario which I have Done. I always prefer seeing some simple things first and then may be do a deep-dive about the feature.

Requirement- Router-1 / 2/ 3 are all attached to VMX , they have to ping to each other through vMX and this has to happen via Instance Virtual-Switch. Now, someone who already knows about default-switch / Bridge-domain could have said why not use these, well this Post is going to Expand when we revisit of having Why we needed Virtual-Switch advantage in first place.

 

Below is the Topology

Topology

Ge-0/0/0 is connected to R1 , Ge-0/0/1 connected to R2, Ge-0/0/3 Connected to R3. Let see what we need to configure at a basic level for this to work

 

1_intf_outtputs

So far so Good, whats Next, as per the requirement we were to create a Virtual-Switch Instance

2_instance_creation

Everything is fine, but looks like communication is not yet established, the reason is simple, we have used something called Enterprise-Style definition. To put it simply, we have to configure a Bridge-Domain for these interfaces to be associated with Bridge-Domain of Vlan-id 100. There is something called Learning Domain where it gets associated to Bridge-Domain, but that is not the post about.

Lets Create a Bridge-Domain quickly for Vlan-id 100 and see if it changes anything, please do note the bridge-domain will now be the part of the Instance and here comes the beauty of the virtual-switch, you could have completely a different virtual-switch with same Vlan and it just works fine, re-call the Idea of VRFΒ  / Routing-Instance now πŸ˜‰

Fantastic!

3_final_output

Lets look at the configuration again along with Mac-Table generation

4_final_mac_output

Regards

Rakesh M

 

 

 

 

 

 

Quick-Series 25 – UTM Anti-Spam

No Comments

Hi,

A Quick look at the SRX UTM Feature in relation to Antispam in local Whitelist and Blacklist.

Screen-shot1

Testing Locally on SRX

Screen-shot 2

If it matches Blacklist, its blocked. If it matches whitelist, it gets allowed, and importantly if it does not match then it will be allowed.

 

Regards

Rakesh M

 

Quick Series 7 – SOURCE-NAT – INTERFACE-BASED NAT

No Comments

Hi,

This is the 7th post in the Quick-Series and this is on SRX-SOURCE-NAT using interface.

Requirement

All Lan traffic (172.20.101.0/24) trying to reach to other-end router 172.18.2.2 should be natted to 172.18.1.2 address.

 

Topology

topology

 

First thing is to verify our srx interface and zone definitions

 

pic-1_zones

Verify if proper policies are in place, also make sure you have to write a policy for traffic from trust zone to untrust zone in order for this traffic to flow.

pic-2-srx_nat_config

Final Verification

 

As we can see 172.20.101.1o is being translated to 172.18.1.2

pic-3-srx_verification

 

Regards

Rakesh M

 

 

 

 

What is Lt Interface – How are Logical systems Built in Juniper Mx without a cable ? – JNCIE-SP

No Comments

Hi,

Most of the times I get queries about my preparation for Juniper SP track. While the questions are based on two categories, one what study materials have i used, secondly how i practiced. While the first question is something which I will cover in another blog post, this is mainly based on second Query on how did i practice.

I worked for Juniper Networks – So Its sort of Obvious that i had access to devices, mostly the high end ones like T640 and T320 , T320 with XE-interface Loop was my all time favorite though.

Secondly, again my work experience helped with a huge migration from Juniper 120 boxes to Cisco ASR series and had a lot of fun and struggle then.

But for JNCIE exam, all that matters would be how good you are actually at technology. It will really not matter if you are using a VMX or Real device say Mx/Ex/M/T/SRX box, a simple olive can also do, service provider Layer-3 preparation is beautiful πŸ™‚

Coming to the point, I had access to device which has no Mic Cards, No Physical interfaces (literally not coming up) so i cannot use a loop-cable to do what so ever in regular fashion.

It was just lying around there, waiting for its turn to be Turned off. I was to do some internal training’s and saw this guy perfectly suitable for 14 odd routers by using Logical Tunnel interface. Yes, if you have an MX , even if its physically not possible to loop around, you can build your virtual systems and play around using LT.

 

First things first, I will show you the procedure for building Two Logical Routers, but procedure remains same for almost any number of routers


R1(lt-1/0/0.1)(5.5.12.1)------------R2(lt-1/0/0.2)(5.5.12.2)

 

 

This is interface that you should be looking for


show inter terse | match lt
lt-1/0/0 up up


 

 

This is how you build the tunnel interfaces


Test#show interfaces lt-1/0/0
unit 1 {
encapsulation frame-relay;
peer-unit 2; ( logical unit number of the opposite-end connecting interface)
dlci 12;
family inet {
5.5.12.1/24;
}
}
unit 2 {
encapsulation frame-relay;
peer-unit 1;( logical unit number of the opposite-end connecting interface)
dlci 12;
family inet {
5.5.12.2/24;
}
}

 

Finally you integrate them into logical-systems


test#show logical-systems
r1 {
interfaces {
lt-1/0/0 {
unit 1;
}
}
}

r2 {
interfaces {
lt-1/0/0 {
unit 2;
}
}
}

commit
run ping 5.5.12.1 logical-system r2
PING 5.5.12.1 (5.5.12.1): 56 data bytes
64 bytes from 5.5.12.1 icmp_seq=0 ttl=64 time=0/650ms
^C

Regards
Rakesh

 

 

 

 

 

 

 

 

 

Quick Scenario -3 – Bgp Local-as

No Comments

 

Hi,

3rd post in the quick series is about BGP local-as

BGP Local-AS

“The local-AS feature allows a router to appear to be a member of a second Autonomous systems (AS), in addition to its real AS. This feature can only be used for true eBGP peers. You cannot use this featureΒ  for two peers that are members of different confederation sub-ASs”

 

Requirement – R1 needs to peer with R2 with As number 400 while all other Routers to peer with R2 should use a AS number of 200

 

Capture

As we can see, R2 is acting as Local-as 400 for R1 and AS 2 for R3

 

finalscreenoutput

 

Regards

Rakesh

Quick Scenario -2 – Bgp Communities – (no-advertise)

No Comments

Hi,

2nd post in the quick series is about BGP community no-advertise

Community – No-Advertise

“No-Advertise is similar to No-export, While no-export does not export routes to another AS, this goes further and it will not export route to both ebgp or ibgp neighbors as well.”

Requirement – Make sure R1 advertises its routes to R2, and R2 should not advertise the routes to either EBGP or IBGP neighbors

Topology

TOPOLOGY

Before confiuring anything

before-community

 

ON R1

 

access-list 99 permit host 1.1.1.1

route-map NO-ADV-COMM permit 10
match ip address 99
set community no-advertise

router bgp 100
nei 9.9.12.2 route-map NO-ADV-COMM out

final

 

Regards

Rakesh

 

 

 

 

 

Quick Scenario -1 – Bgp Communities – (no-export)

No Comments

Hi,

This will be a series of posts in which i shall be posting some quick scenario labbings. Mostly i have designed these so that I can relate to some stuff which i do not often use, nevertheless will blog all small topics

Community – No-export

“NO-EXPORT is commonly used within an AS to instruct routers not to export a prefix to eBGP neighbors. For instance, subnets of a larger block can be advertised to influence external AS best-path selection, and those not required for this traffic engineering purpose may be tagged NO-EXPORT to prevent them from being leaked to the Internet (and thus contributing to unnecessary global routing table growth). If a neighboring AS accepts this community, it can be used to selectively leak more specifics for traffic engineering but limit their propagation to just one AS.”

Requirement – R1 has its loopback advertised to R3 via BGP. Make sure the advertisement stays within the AS and should not go to another AS Router in this Case R3

no-export scenario

Before community addition – Routing Table of R3

pic1

AS we can see below route is not seen R3.

pic2.final

Regards

Rakesh M

Close Bitnami banner
Bitnami