book

Juniper MX Series

by Douglas Richard Hanks Jr., Harry Reynolds

October 2012

Intermediate to advanced

902 pages

28h 9m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Juniper MX Series
Dedication
Dedication
SPECIAL OFFER: Upgrade this ebook with O’Reilly
About the Authors
About the Lead Technical Reviewers
About the Technical Reviewers
Proof of Concept Laboratory
Preface
No Apologies
Book Topology
Interface NamesAggregate Ethernet AssignmentsLayer 2IPv4 AddressingIPv6 Addressing

What’s in This Book?
Conventions Used in This Book
Using Code Examples
Safari® Books Online
How to Contact Us
1. Juniper MX Architecture
Junos
One JunosSoftware ReleasesThree Release CadenceSoftware ArchitectureDaemonsManagement DaemonRouting Protocol DaemonDevice Control DaemonChassis Daemon (and Friends)Routing Sockets
Juniper MX Chassis
MX80MX80 Interface NumberingMX80-48T Interface NumberingMidrangeMX240Interface NumberingFull RedundancyNo RedundancyMX480Interface NumberingMX960Interface NumberingFull RedundancyNo Redundancy
Trio
Trio ArchitectureBuffering BlockLookup BlockInterfaces BlockDense Queuing Block
Line Cards and Modules
Dense Port ConcentratorModular Port ConcentratorMPC1MPC2MPC-3D-16X10GE-SFPPMPC3EMultiple Lookup Block ArchitectureSource MAC LearningDestination MAC LearningPolicingPacket WalkthroughMPC1 and MPC2 with Enhanced QueuingMPC3EModular Interface CardNetwork Services
Switch and Control Board
Ethernet SwitchSwitch FabricMX240 and MX480 Fabric PlanesMX960 Fabric PlanesJ-CellJ-Cell FormatJ-Cell FlowRequest and GrantMX Switch Control BoardMX SCB and MPC CaveatsMX240 and MX480MX960Enhanced MX Switch Control BoardMX240 and MX480MX960
MX2020
ArchitectureSwitch Fabric BoardPower SupplyAir FlowLine Card Compatibility
Summary
Chapter Review Questions
Chapter Review Answers
2. Bridging, VLAN Mapping, IRB, and Virtual Switches
Isn’t the MX a Router?
Layer 2 Networking
Ethernet IIIEEE 802.1QIEEE 802.1QinQ
Junos Interfaces
Interface Bridge Configuration
Basic Comparison of Service Provider versus Enterprise StyleService Provider StyleEnterprise Style
Service Provider Interface Bridge Configuration
TaggingVLAN Taggingvlan-id-rangeStacked VLAN TaggingFlexible VLAN TaggingEncapsulationEthernet BridgeExtended VLAN BridgeFlexible Ethernet ServicesService Provider Bridge Domain Configuration
Enterprise Interface Bridge Configuration
Interface ModeAccessTrunkIEEE 802.1QinQIEEE 802.1Q and 802.1QinQ CombinedVLAN Rewrite
Service Provider VLAN Mapping
Stack Data StructureStack OperationsStack Operations Mapinput-vlan-mapoutput-vlan-mapTag CountBridge Domain RequirementsExample: Push and PopExample: Swap-Push and Pop-Swap
Bridge Domains
Learning DomainSingle Learning DomainMultiple Learning DomainsBridge Domain ModesDefaultNoneAllListSingleDualBridge Domain OptionsMAC Table SizeGlobalBridge domainInterfaceNo MAC learningShow Bridge Domain Commandsshow bridge domainshow bridge mac-tableshow bridge statisticsshow l2-learning instance detailClear MAC AddressesSpecific MAC AddressEntire Bridge-DomainMAC Accounting
Integrated Routing and Bridging
IRB Attributes
Virtual Switch
Configuration
Summary
Chapter Review Questions
Chapter Review Answers
3. Stateless Filters, Hierarchical Policing, and Tri-Color Marking
Firewall Filter and Policer Overview
Stateless versus StatefulStatelessStatefulStateless Filter ComponentsStateless Filter TypesProtocol FamiliesFilter TermsThe Implicit Deny-All TermFilter MatchingA Word on Bit Field MatchingFilter ActionsFilters versus Routing PolicyFilter ScalingFilter Optimization TipsFiltering Differences for MPC versus DPCEnhanced Filter Mode
Filter Operation
Stateless Filter ProcessingFilter ActionsTerminating ActionsNonterminating ActionsFlow Control Actions
Policing
Rate Limiting: Shaping or Policing?ShapingThe Leaky Bucket AlgorithmThe Token Bucket AlgorithmPolicingJunos Policer OperationPolicer ParametersA Suggested Burst SizePolicer ActionsBasic Policer ExampleBandwidth PolicerLogical Bandwidth PolicerCascaded PolicersSingle and Two-Rate Three-Color PolicersTCM Traffic ParametersSingle-Rate Traffic ParametersTwo-Rate Traffic ParametersColor Modes for Three-Color PolicersConfigure Single-Rate Three-Color PolicerssrTCM NonconformanceConfigure Two-Rate Three-Color PolicerstrTCM NonconformanceHierarchical PolicersHierarchical Policer Example
Applying Filters and Policers
Filter Application PointsLoopback Filters and RE ProtectionInput Interface FiltersOutput Interface FiltersAggregate or Interface SpecificFilter ChainingFilter NestingForwarding Table FiltersGeneral Filter RestrictionsApplying PolicersLogical Interface PolicersFilter-Evoked Logical Interface PolicersPhysical Interface PolicersPolicer Application Restrictions
Bridge Filtering Case Study
Filter Processing in Bridged and Routed EnvironmentsMonitor and Troubleshoot Filters and PolicersMonitor System Log for ErrorsBridge Family Filter and Policing Case StudyPolicer DefinitionHTTP Filter DefinitionFlood FilterVerify Proper OperationSummary
Chapter Review Questions
Chapter Review Answers
4. Routing Engine Protection and DDoS Prevention
RE Protection Case Study
IPv4 RE Protection FilterIPv6 RE Protection FilterNext-Header Nesting, the Bane of Stateless FiltersThe Sample IPv6 Filter
DDoS Protection Case Study
The Issue of Control Plane DepletionDDoS Operational OverviewHost-Bound Traffic ClassificationA Gauntlet of PolicersConfiguration and Operational VerificationDisabling and TracingConfigure Protocol Group PropertiesVerify DDoS OperationLate Breaking DDoS Updates
DDoS Case Study
The Attack Has Begun!Analyze the Nature of the DDoS Threat
Mitigate DDoS Attacks
BGP Flow-Specification to the RescueConfigure Local Flow-Spec RoutesFlow-Spec Algorithm VersionValidating Flow RoutesLimit Flow-Spec Resource UsageSummary
BGP Flow-Specification Case Study
Let the Attack Begin!Determine Attack Details and Define Flow RouteSummary
Chapter Review Questions
Chapter Review Answers
5. Trio Class of Service
MX CoS Capabilities
Port versus Hierarchical Queuing MPCsH-CoS and the MX80CoS Capabilities and ScaleQueue and Scheduler ScalingHow Many Queues per Port?Configure Four- or Eight-Queue ModeLow Queue WarningsTrio versus I-Chip/ADPC CoS Differences
Trio CoS Flow
Intelligent OversubscriptionThe Remaining CoS Packet FlowCoS Processing: Port- and Queue-Based MPCsSwitch Fabric PriorityClassification and PolicingClassification and Rewrite on IRB InterfacesEgress ProcessingEgress Queuing: Port or Dense Capable?WREDTrio Hashing and Load BalancingA Forwarding Table Per-Packet Policy Is NeededLoad Balancing and SymmetryKey Aspects of the Trio CoS ModelIndependent Guaranteed Bandwidth and WeightGuaranteed versus Excess Bandwidth and Priority HandlingInput Queuing on TrioTrio BufferingTrio Drop ProfilesTrio Bandwidth AccountingTrio Shaping GranularityTrio MPLS EXP Classification and Rewrite DefaultsTrio CoS Processing Summary
Hierarchical CoS
The H-CoS Reference ModelLevel 4: QueuesExplicit Configuration of Queue Priority and RatesLevel 3: IFLThe Guaranteed RatePriority Demotion and PromotionG-Rate Based Priority Handling at NodesPer Priority Shaping–Based Demotion at NodesQueue-Level Priority DemotionLevel 2: IFL-SetsRemaining Traffic ProfilesForcing a Two-Level Scheduling HierarchyLevel 1: IFDRemainingRemaining ExampleInterface Modes and Excess Bandwidth SharingPIR CharacteristicsPIR/CIR CharacteristicsShaper Burst SizesCalculating the Default Burst SizeChoosing the Actual Burst SizeBurst Size ExampleShapers and Delay BuffersDelay Buffer Rate and the H-CoS HierarchySharing Excess BandwidthScheduler NodesQueuesExcess NoneExcess Handling DefaultsExcess Rate and PIR Interface ModeExcess Sharing ExamplePriority-Based ShapingFabric CoSControl CoS on Host-Generated TrafficDefault Routing Engine CoSDynamic Profile OverviewDynamic Profile LinkingDynamic CoSH-CoS Summary
Trio Scheduling and Queuing
Scheduling DisciplineScheduler Priority LevelsScheduler to Hardware Priority MappingPriority PropagationPriority Promotion and DemotionScheduler ModesPort-Level QueuingOperation Verification: Port LevelPer Unit SchedulerHierarchical SchedulerH-CoS and Aggregated Ethernet InterfacesAggregated Ethernet H-CoS ModesSchedulers, Scheduler Maps, and TCPsScheduler MapsConfigure WRED Drop ProfilesScheduler Feature SupportTraffic Control ProfilesOverhead Accounting on TrioTrio Scheduling and Priority Summary
MX Trio CoS Defaults
Four Forwarding Classes, but Only Two QueuesDefault BA and Rewrite Marker TemplatesMX Trio CoS Defaults Summary
Predicting Queue Throughput
Where to Start?Trio CoS Proof-of-Concept Test LabA Word on RatiosExample 1: PIR ModeExample 2: CIR/PIR ModeExample 3: Make a Small, “Wafer-thin” Configuration ChangePredicting Queue Throughput Summary
CoS Lab
Configure Unidirectional CoSEstablish a CoS BaselineBaseline ConfigurationThe Scheduler BlockSelect a Scheduling ModeApply Schedulers and ShapingVerify Unidirectional CoSConfirm Queuing and ClassificationUse Ping to Test MF ClassificationConfirm Scheduling DetailsCheck for Any Log ErrorsConfirm Scheduling BehaviorMatch Tester’s Layer 2 Rate to Trio Layer 1 ShapingCompute Queue Throughput: L3The Layer 3 IFL Calculation: MaximumThe Layer 3 IFL Calculation: Actual Throughput
Add H-CoS for Subscriber Access
Configure H-CoSVerify H-CoSVerify H-CoS in the Data PlaneTrio CoS Summary
Chapter Review Questions
Chapter Review Answers
6. MX Virtual Chassis
What is Virtual Chassis?
MX-VC TerminologyMX-VC Use CaseMX-VC RequirementsMX-VC ArchitectureMX-VC Kernel SynchronizationMX-VC Routing Engine FailuresVC-Mm failureVC-Mb failureVC-Bm failureVC-Bb failureVC-Lm failureVC-LbMX-VC Interface NumberingMX-VC Packet WalkthroughVirtual Chassis TopologyMastership ElectionSummary
MX-VC Configuration
Chassis Serial NumberMember IDR1 VCP InterfaceRouting Engine GroupsVirtual Chassis ConfigurationGRES and NSRR2 VCP InterfaceVirtual Chassis VerificationVirtual Chassis TopologyRevert to StandaloneSummary
VCP Interface Class of Service
VCP Traffic EncapsulationVCP Class of Service WalkthroughForwarding ClassesSchedulersClassifiersRewrite RulesFinal ConfigurationVerification
Summary
Chapter Review Questions
Chapter Review Answers
7. Trio Inline Services
What are Trio Inline Services?
J-Flow
J-Flow EvolutionInline IPFIX PerformanceInline IPFIX ConfigurationChassis ConfigurationFlow MonitoringSampling InstanceFirewall FilterInline IPFIX VerificationIPFIX Summary
Network Address Translation
Types of NATServices Inline InterfaceService SetsNext-Hop Style Service SetsInterface Style Service SetsTraffic DirectionsNext-Hop Style Traffic DirectionsInterface Style Traffic DirectionsDestination NAT ConfigurationNetwork Address Translation Summary
Tunnel Services
Enabling Tunnel ServicesTunnel Services Case StudyTunnel Services Case Study Final VerificationTunnel Services Summary
Port Mirroring
Port Mirror Case StudyConfigurationPort Mirror Summary
Summary
Chapter Review Questions
Chapter Review Answers
8. Multi-Chassis Link Aggregation
Multi-Chassis Link Aggregation
MC-LAG State OverviewMC-LAG Active-StandbyMC-LAG Active-ActiveMC-LAG State SummaryMC-LAG Family SupportMulti-Chassis Link Aggregation versus MX Virtual-ChassisMC-LAG Summary
Inter-Chassis Control Protocol
ICCP HierarchyICCP Topology GuidelinesHow to Configure ICCPICCP Configuration GuidelinesValid ConfigurationsInvalid ConfigurationsICCP Split BrainICCP Summary
MC-LAG Modes
Active-StandbyActive-ActiveICL ConfigurationMAC Address SynchronizationMC-LAG Modes Summary
Case Study
Logical Interfaces and Loopback AddressingLayer 2Loop PreventionInput FeatureOutput FeatureLoop Prevention VerificationR1 and R2Bridging and IEEE 802.1QIEEE 802.3adS1 and S2Bridging and IEEE 802.1QIEEE 802.3adLayer 3Interior Gateway Protocol—IS-ISBidirectional Forwarding DetectionVirtual Router Redundancy ProtocolMC-LAG ConfigurationICCPR1 and R2R3 and R4ICCP VerificationMulti-Chassis Aggregated Ethernet InterfacesR1 and R2R3 and R4Connectivity VerificationIntradata Center VerificationInterdata Center VerificationCase Study Summary
Summary
Chapter Review Questions
Chapter Review Answers
9. Junos High Availability on MX Routers
Junos High-Availability Feature Overview
Graceful Routing Engine Switchover
The GRES ProcessSynchronizationRouting Engine SwitchoverWhat Can I Expect after a GRES?Configure GRESGRES OptionsDisk FailProcess Failure Induced SwitchoversVerify GRES OperationGRES, Before and AfterGRES and Software Upgrade/DowngradesGRES Summary
Graceful Restart
GR ShortcomingsGraceful Restart Operation: OSPFRestarting RouterGrace LSAHelper RouterAborting GRA Graceful Restart, at LastA Fly in the Ointment—And an Improved GR for OSPFOSPF Restart Signaling RFCs 4811, 4812, and 4813Graceful Restart and other Routing ProtocolsJunos GR Support by ReleaseConfigure and Verify OSPF GREnable Graceful-Restart GloballyOSPF GR OptionsVerify OSPF GRAn Ungraceful RestartA Graceful RestartGraceful Restart Summary
Nonstop Routing and Bridging
Replication, the Magic That Keeps Protocols RunningNonstop BridgingNSB Only Replicates Layer 2 StateNSB and Other Layer 2 FunctionsCurrent NSR/NSB SupportBFD and NSR/GRES SupportBFD Scaling with NSRBFD and GR—They Don’t Play Well TogetherNSR and BGPNSR and PIMPIM Supported FeaturesPIM Unsupported FeaturesPIM Incompatible FeaturesNSR and RSVP-TE LSPsNSR and VRRPThis NSR Thing Sounds Cool; So What Can Go Wrong?NSR, the good . . .. . . And the badPracticing Safe NSRsThe Preferred Way to Induce SwitchoversOther Switchover MethodsTips for a Hitless (and Happy) SwitchoverConfigure NSR and NSBNSR and Graceful Restart: Not like Peanut Butter and ChocolateGeneral NSR Debugging TipsVerify NSR and NSBConfirm Pre-NSR Protocol StateConfirm Pre-NSR Replication StateBGP ReplicationIS-IS ReplicationConfirm BFD ReplicationLayer 2 NSB VerificationPerform a NSRTroubleshoot a NSR/NSB ProblemNSR Summary
In-Service Software Upgrades
ISSU OperationISSU Dark WindowsBFD and the Dark WindowISSU Layer 3 Protocol SupportISSU Layer 2 SupportMX MIC/MPC ISSU SupportISSU: A Double-Edged KnifeISSU RestrictionsISSU Troubleshooting TipsISSU Summary
ISSU Lab
Verify ISSU ReadinessPerform an ISSUConfirm ISSUSummary
Chapter Review Questions
Chapter Review Answers
Index
About the Authors
Colophon
SPECIAL OFFER: Upgrade this ebook with O’Reilly
Copyright

Content preview from Juniper MX Series

Port Mirroring

One of the most useful tools in the troubleshooting bag is port mirroring. It allows you to specify traffic with a firewall filter and copy it to another interface. The copied traffic can then be used for analysis or testing. One of the most interesting use cases I recall is when a customer wanted to test a firewall’s throughput on production data, but obviously not impact production traffic. Port mirroring was the perfect tool to match the production data and send a copy of the traffic to the firewall under test, while the original traffic was forwarded to its final destination on the production network.

Junos has supported port mirroring for a very long time, and the architecture is very simple and flexible. There are four major components that make up port mirroring, as shown in Figure 7-15: FPC, port mirroring instances, next-hop groups, and next-hops.

Figure 7-15. Port Mirroring Workflow.

Port mirroring instances are associated with FPCs, and up to two port mirroring instances can be associated with a single FPC. This concept is similar to other Trio inline functions where the FPC is associated to an instance or inline service. The next component is a next-hop group; this is simply a collection of interfaces and associated next-hops. The use of a next-hop group is optional. The last components are the next-hops that reference a specific interface and next-hop.

However, ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781449358143Errata

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Juniper MX Series

by Douglas Richard Hanks Jr., Harry Reynolds

Port Mirroring

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.