Junos OS

  • 1.  Configuring legacy MS-DPC with Junos BNG via routing instance

    Posted 08-19-2019 00:39

    Hi,

    I know that I should use a newer MPC card to configure NAT on my MX router with BRAS with Junos 16.1R6.

    But I found that there is some workaround described in https://forums.juniper.net/t5/Junos/Recommended-Junos-BNG-amp-MS-DPC/td-p/321241

    Until my company acquires an MPC, I'd like to use my old DPC temporarily.

    But after configuring it via a routing instance, it does not work at all.

     

    {master}[edit]
    root# show routing-instances Nat 
    instance-type virtual-router;
    interface sp-5/1/0.10;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop sp-5/1/0.10;
            route 10.0.0.0/8 next-table inet.0;
        }
    }
    

    Forwarding is not working either:

     

     

    {master}[edit]
    root# show routing-instances Nat 
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop sp-5/1/0.10;
        }
    }
    # set routing-options interface-routes rib-group inet iface_rib
    # set routing-options rib-groups iface_rib import-rib [ inet.0 Nat.inet.0 ]

    The show commands do not show any interesting events:

    {master}[edit]
    root# run show services stateful-firewall flows count 
    Interface   Service set                                              Flow count
    sp-5/1/0    isp                                                               0
    
    {master}[edit]
    root# run show services stateful-firewall flow-analysis 
      Services PIC Name:    sp-5/1/0
    Flow Analysis Statistics:
      Total Flows Active                   :0            
      Total TCP Flows Active               :0           
    ...
    {master}[edit]
    root# run show services nat pool detail 
    Interface: sp-5/1/0, Service set: isp
      NAT pool: isp_pool, Translation type: dynamic
        Address range: 19.66.159.1-19.66.159.62
        Configured port range: 512-65535
        Port range: 1024-65535, Ports in use: 0, Out of port errors: 0, Max ports used: 0
        AP-P port allocation errors: 0, AP-P port limit allocation errors: 0
        Memory allocation errors: 0
        Max number of port blocks used: 0, Current number of port blocks in use: 0, Port block allocation errors: 0,
        Port block memory allocation errors: 0
        Port blocks limit exceeded errors: 0
        Unique pool users: 0
        Current EIF Inbound flows count: 0
        EIF flow limit exceeded drops: 0
    

     

    Can someone help figure out what is going wrong?

    There are some messages in log.

    ...
    Aug 19 10:54:52   last message repeated 46 times
    Aug 19 10:54:52   fpc5 RT: Failed prefix add IPv4 - 23.50.160/20 (No memory) on FE 0
    Aug 19 10:54:52   fpc5 NH: unable to create RNH_HOLD ENH entry
    ...

    The full NAT config is in the attached file.



  • 2.  RE: Configuring legacy MS-DPC with Junos BNG via routing instance

    Posted 08-19-2019 06:03

    Hello,

     

    1. You should be configuring the filter under "firewall family inet"

     

    2. Please add a counter to the FW filter as below

     

    set firewall filter nat-test-input term goto-Nat then count offered_pkts_to_NAT

     

    Then repeat the test and post the printout

     

    show firewall filter nat-test-input

     

    3. It looks like You pushed too many routes to the MS-DPC. MS-DPC is ICHIP-based and it has much lower route capacity than MPC. Please do not push the full table to the MS-DPC, use only 0/0 and offload the optimal routing to Your border routers/ASBRs.

    HTH

    Thanks

    Alex 



  • 3.  RE: Configuring legacy MS-DPC with Junos BNG via routing instance

    Posted 08-19-2019 07:16

    Thanks for the reply,

    Looks like you are right (of course) about pushing too many routes to DPC.

    But how to prevent this?

    I found that when my DPC was only installed, with no configuration, the errors existed.

    And I've added counters to firewall filter.

    I'm using - firewall filter knob - just because I need to use this firewall filter in my dynamic profile later.

    {master}[edit]
    root# run show firewall filter nat-test-input                   
    Filter: nat-test-input                                         
    Counters:
    Name                                                Bytes              Packets
    offered_pkts_to_NAT                                   596                    9
    

    This is for:

    {master}[edit]
    root# show interfaces ae25.1515  
    vlan-id 1515;
    family inet {
        filter {
            input nat-test-input;
        }
        address 10.11.3.254/23;
    }
    
    {master}[edit]
    root# show firewall filter nat-test-input 
    term goto-Nat {
        from {
            source-address {
                10.0.0.0/8;
            }
        }
        then {
            count offered_pkts_to_NAT;
            routing-instance Nat;
        }
    }
    

    Now my RI is virtual router:

    {master}[edit]
    root# show routing-instances Nat 
    instance-type virtual-router;
    interface sp-5/1/0.10;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop sp-5/1/0.10;
            route 10.0.0.0/8 next-table inet.0;
        }
    }
    

    And the messages still exist in the log file

    Aug 19 17:13:33 fpc5 NH: unable to create RNH_HOLD ENH entry
    Aug 19 17:13:36 last message repeated 47 times
    Aug 19 17:13:36 fpc5 RT: Failed prefix add IPv4 - 109.248.45/24 (No memory) on FE 0
    Aug 19 17:13:36 fpc5 NH: unable to create RNH_HOLD ENH entry

    With MPC in slot 5

    FPC 5
      PFE #0
          Plane 0: Plane enabled
          Plane 1: Plane enabled
          Plane 2: Plane enabled
          Plane 3: Destination error
          Plane 4: Links ok
          Plane 5: Links ok
      PFE #1
          Plane 0: Plane enabled
          Plane 1: Plane enabled
          Plane 2: Plane enabled
          Plane 3: Destination error
          Plane 4: Links ok
          Plane 5: Links ok
    

     



  • 4.  RE: Configuring legacy MS-DPC with Junos BNG via routing instance
    Best Answer

    Posted 08-19-2019 10:25

    Hello,

     


    @schadel wrote:

    Thanks for the reply,

    Looks like you are right (of course) about pushing too many routes to DPC.

    But how to prevent this?

     

    There is no way to selectively prevent installation of routes into MS-DPC and let other cards have all routes.

    The whole box has to have fewer routes in order for MS-DPC to stop complaining.

     


    @schadel wrote:

     

    I found that when my DPC was only installed, with no configuration, the errors existed.

     

    As I said above - in JUNOS, all the routes are pushed to all linecards, even without configuration. There is a feature which was intended to selectively prevent installation of routes into given linecards - called VRF localization, see https://www.juniper.net/documentation/en_US/junos/topics/topic-map/l3-vpns-routes-vrf-tables.html#id-understanding-vrf-localization-in-layer-3-vpns - but ICHIP cards are not supported.

     

    HTH

    Thx

    Alex
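
Added example (not part of the thread and not Juniper code): a small Python parser for the fpc5 syslog messages quoted in posts 1 and 3. It credits "last message repeated N times" lines to the preceding message and expands the shortened prefixes Junos prints, so the failures can be counted per line card and per type. The sample log is constructed from the formats shown above; the function and category names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample, modelled on the log lines quoted in posts 1 and 3.
SAMPLE_LOG = """\
Aug 19 17:13:33 fpc5 NH: unable to create RNH_HOLD ENH entry
Aug 19 17:13:36 last message repeated 47 times
Aug 19 17:13:36 fpc5 RT: Failed prefix add IPv4 - 109.248.45/24 (No memory) on FE 0
Aug 19 17:13:36 fpc5 NH: unable to create RNH_HOLD ENH entry
Aug 19 17:13:40 fpc5 RT: Failed prefix add IPv4 - 23.50.160/20 (No memory) on FE 0
"""

LINE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<rest>.*)$")
REPEAT = re.compile(r"^last message repeated (?P<n>\d+) times$")
RT_FAIL = re.compile(r"^(?P<fpc>fpc\d+) RT: Failed prefix add IPv4 - "
                     r"(?P<pfx>[\d.]+/\d+) \(No memory\) on FE (?P<fe>\d+)$")
NH_FAIL = re.compile(r"^(?P<fpc>fpc\d+) NH: unable to create RNH_HOLD ENH entry$")

def expand_prefix(short):
    """Junos drops trailing zero octets: '23.50.160/20' -> 23.50.160.0/20."""
    addr, length = short.split("/")
    octets = addr.split(".") + ["0"] * (4 - addr.count(".") - 1)
    return ipaddress.ip_network(".".join(octets) + "/" + length, strict=False)

def summarize(log_text):
    """Count PFE install failures per (fpc, kind) and collect failed prefixes."""
    counts, prefixes, last_key = Counter(), set(), None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        rest = m.group("rest").strip() if m else ""
        rep = REPEAT.match(rest)
        if rep:
            # syslog compression: credit the repeats to the preceding message;
            # a repeat line with no known predecessor (log starts mid-stream) is skipped
            if last_key:
                counts[last_key] += int(rep.group("n"))
            continue
        rt, nh = RT_FAIL.match(rest), NH_FAIL.match(rest)
        if rt:
            last_key = (rt.group("fpc"), "route_add_no_memory")
            prefixes.add(expand_prefix(rt.group("pfx")))
        elif nh:
            last_key = (nh.group("fpc"), "nexthop_create_failed")
        else:
            last_key = None  # unrelated or unparseable line
        if last_key:
            counts[last_key] += 1
    return counts, sorted(prefixes)
```

Calling `summarize()` on a saved copy of the messages file gives a per-FPC failure count that can be compared before and after reducing the routes on the box.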