  • 1.  FBF Not Cooperating

    Posted 12-03-2012 12:46

    Hardware: Five EX4200 in Virtual Chassis Configuration

    Software: Junos 10.4R5.5

     

    In the past, I've used FBF on an SRX-100 to balance some traffic over various commodity Internet connections.  Since I did this fairly easily after learning the process, I didn't figure this to be much of an issue.

     

    I couldn't have been more wrong.

     

    The problem is simple.  We're moving from one ISP to another, and wish to do this gradually.  Thankfully our network is set up such that I can move a building at a time based on the IP subnets in the buildings.  Currently, I'm just trying to get my laptop in my office to work as proof of concept, then move the building, then move everyone else.  In my original config, the traffic wasn't even being shipped to the new routing instance.  Now, it seems to be dropped altogether.  Below is my relevant config:

     

    interfaces {
        ae0 {
            aggregated-ether-options {
                lacp {
                    active;
                }
            }
            unit 0 {
                family inet {
                    filter {
                        input InternetTraffic;
                    }
                    address 192.168.88.1/24;
                }
            }
        }
    }
    routing-options {
        interface-routes {
            rib-group inet NewISP;
        }
        static {
            route 0.0.0.0/0 next-hop 192.168.128.1;
            route 172.24.88.0/22 next-hop 192.168.88.254;
            route 172.25.88.0/22 next-hop 192.168.88.254;
            route 172.26.88.0/22 next-hop 192.168.88.254;
            route 172.27.88.0/22 next-hop 192.168.88.254;
            route 172.22.88.0/22 next-hop 172.24.128.13;
            route 172.23.88.0/22 next-hop 172.24.128.13;
            route 172.28.88.0/22 next-hop 192.168.88.254;
        }
        rib-groups {
            NewISP {
                import-rib [ inet.0 NewISP.inet.0 ];
            }
        }
    }
    policy-options {
        prefix-list NewISPRoutes {
            172.26.89.131/32;
        }
    }
    firewall {
        family inet {
            filter InternetTraffic {
                term NewISP {
                    from {
                        source-prefix-list {
                            NewISPRoutes;
                        }
                    }
                    then {
                        routing-instance NewISP;
                    }
                }
                term default {
                    then accept;
                }
            }
        }
    }
    routing-instances {
        NewISP {
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 172.24.128.2;
                    route 172.24.88.0/22 next-hop 192.168.88.254;
                    route 172.25.88.0/22 next-hop 192.168.88.254;
                    route 172.26.88.0/22 next-hop 192.168.88.254;
                    route 172.27.88.0/22 next-hop 192.168.88.254;
                    route 172.28.88.0/22 next-hop 192.168.88.254;
                    route 172.22.88.0/22 next-hop 172.24.128.13;
                    route 172.23.88.0/22 next-hop 172.24.128.13;
                }
            }
        }
    }
    

    I'm pretty much at my wit's end.  I've been struggling with this for over a week and have yet to find why my traffic isn't passing.  Traceroutes die at this router every time.  If I add a different IP to the prefix list and remove mine, everything routes as normal for me again while killing the other IP's traffic, so I know the rule is being observed.  The biggest issue hurting me is that I have no visibility.  On SRX, I could run a "show security flow session" and see how traffic was being routed.  That command doesn't exist outside the "security" version of Junos that I can see.  Even dropping to shell and running tcpdump on the ae0 interface turns up very little traffic, and none of the traffic I'm trying to find.  This may be the biggest help, to at least be able to see where things are going.  Any help would be immensely appreciated.



  • 2.  RE: FBF Not Cooperating

    Posted 12-04-2012 01:48

    Hi,

     

    There is confusion here: your testing IP is from another subnet than 192.168.88.0/24. Could you paste your full configuration? It will be much better.

     

    Regards,

    mohamed Elhariry



  • 3.  RE: FBF Not Cooperating

    Posted 12-04-2012 05:48

    @mhariry wrote:

    Hi,

     

    There is confusion here: your testing IP is from another subnet than 192.168.88.0/24. Could you paste your full configuration? It will be much better.

     

    Regards,

    mohamed Elhariry


    192.168.88.0/24 is the point to point connection between the core router whose configuration you're seeing and the building router.  ae0 on the core router is configured with 192.168.88.1/24 and ae0 on the building router is configured with 192.168.88.254/24.  The IP space that is being used by the building is the 172.22,23,24,25,26,27,28.x.x that has been posted.



  • 4.  RE: FBF Not Cooperating

    Posted 12-04-2012 02:47

    Hello,

    Only "instance-type virtual-router" is supported on EX.

    "instance-type forwarding" is not supported.

    HTH

    Rgds

    Alex



  • 5.  RE: FBF Not Cooperating

    Posted 12-04-2012 05:44

    @aarseniev wrote:

    Hello,

    Only "instance-type virtual-router" is supported on EX.

    "instance-type forwarding" is not supported.

    HTH

    Rgds

    Alex



    Can you point me at that documentation?  I only ask because I have a lab setup where this is working, but with a far less complex configuration.



  • 6.  RE: FBF Not Cooperating

    Posted 12-10-2012 07:23

    An update on this situation.  My co-worker pulled the config off of our production core and loaded it to our lab core, which is a 2 EX-4200 virtual chassis with two EX-2200s configured as routers connected to it, and an edge switch EX-2200 connected to each of those.  The FBF works flawlessly in the lab environment.  I'm all sorts of confused now!  😕 



  • 7.  RE: FBF Not Cooperating
    Best Answer

    Posted 01-08-2013 07:00

    I can finally close the book on this one.  This took a call to JTAC to figure the problem out.  Though I'd configured everything absolutely correctly, for some reason the CLI commands did not filter down to the BSD level.  The JTAC tech ran the following commands to confirm:

     

    root@RoutingCore# run start shell 
    root@RoutingCore:RE:0% vty fpc0
    
    BSD platform (MPC 8544 processor, 48MB memory, 0KB flash)
    PFEM0(vty)# sh rout ip table
    Protocol: IPv4
    Table Name                Table Index (lrid )  # of Routes  Bytes   FRRP  TID
    -----------------------------------------------------------------------------------------------
    NewISP.5                  5 (0 )               1            136     low   ----
    __juniper_private1__.1    1 (0 )               8            1084    low   ----
    __juniper_private2__.2    2 (0 )               5            676     low   ----
    __juniper_services__.3    3 (0 )               9            1220    low   ----
    __master.anon__.4         4 (0 )               5            676     low   ----
    default.0                 0 (0 )               298          40524   low   ----
    PFEM0(vty)# show route ip table index 5 
    IPv4 Route Table 5, Frontier.5, 0x0:
    Destination      NH IP Addr       Type      NH ID  Interface
    ------------     ---------------  --------  -----  ---------
    255.255.255.255                   Bcast     1471   RT-ifl 0 .local..5 ifl 133
    PFEM0(vty)# exit on signal 2
    root@RoutingCore:RE:0% ps -aux | grep pfem
    root 894 1.1 2.4 85124 24500 ?? S 28Nov11 25560:18.87 /usr/sbin/pfem -N
    root 68406 0.0 0.1 2112 832 p0 R+ 2:02PM 0:00.01 grep pfem
    root@RoutingCore:RE:0%

     

    As you can see, the only route in the NewISP table was the broadcast route.  Not very helpful.  There are two potential solutions to the issue.  One is a complete reboot, and the other is to find and kill the Packet Forwarding Engine process at the BSD level and let it restart itself.  Both were service impacting solutions, so I had to wait for a maintenance window.  As I also wanted to upgrade code, I took that opportunity to do so.  Following the restart, everything worked as it should have from the beginning.
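
The check JTAC did by eye, as an added example that is not part of the original thread: compare the static routes configured under each routing instance with the route count the PFE reports in `show route ip table`, and list instances the PFE has not programmed. The function names are hypothetical, the sample text is copied (abridged) from the posts above, and the check assumes every configured static route has a resolvable next hop.

```python
import re
# Constructed samples: text copied (abridged) from the posts above.
PFE_TABLES = """\
NewISP.5 5 (0 ) 1 136 low ----
__juniper_private1__.1 1 (0 ) 8 1084 low ----
default.0 0 (0 ) 298 40524 low ----
"""
CONFIG = """\
routing-instances {
    NewISP {
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 172.24.128.2;
                route 172.24.88.0/22 next-hop 192.168.88.254;
                route 172.25.88.0/22 next-hop 192.168.88.254;
                route 172.26.88.0/22 next-hop 192.168.88.254;
                route 172.27.88.0/22 next-hop 192.168.88.254;
                route 172.28.88.0/22 next-hop 192.168.88.254;
                route 172.22.88.0/22 next-hop 172.24.128.13;
                route 172.23.88.0/22 next-hop 172.24.128.13;
            }
        }
    }
}
"""
ROW = re.compile(r"^(?P<name>\S+)\.\d+\s+\d+\s+\(\s*\d+\s*\)\s+(?P<routes>\d+)\s+\d+\s")

def pfe_route_counts(text):
    """Table name -> route count reported by 'show route ip table' on the PFE."""
    return {m["name"]: int(m["routes"])
            for m in map(ROW.match, map(str.strip, text.splitlines())) if m}

def configured_static_routes(config):
    """Routing-instance name -> number of static 'route' statements under it."""
    stack, counts = [], {}
    for line in map(str.strip, config.splitlines()):
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}" and stack:
            stack.pop()
        elif line.startswith("route ") and stack[:1] == ["routing-instances"] and stack[-1] == "static":
            counts[stack[1]] = counts.get(stack[1], 0) + 1
    return counts

def unprogrammed_instances(config, pfe_text):
    """Instances with fewer PFE routes than configured (assumes every next hop resolves)."""
    pfe = pfe_route_counts(pfe_text)
    return {name: (want, pfe.get(name, 0))
            for name, want in configured_static_routes(config).items() if pfe.get(name, 0) < want}
```

On the thread's data, `unprogrammed_instances(CONFIG, PFE_TABLES)` reports NewISP with 8 routes configured and 1 present on the PFE.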