[j-nsp] Avoid route loop for joining IS-IS/OSPF areas with redundancy? (Clarke Morledge)

Nguyen Hoang Nam nhnam81 at gmail.com
Thu May 19 11:14:41 EDT 2011


Hi!

         IS-IS
          OSPF-------------OSPF
          RTR B             RTR D
        /  |                  \
       /   |                   \
      /    |                    \
IS-IS     |                   OSPF
RTR A     |                   RTR F --static-route 0.0.0.0/0->my ISP
     \     |                    /
      \    |                   /
       \   |                  /
       IS-IS                 /
        OSPF---------------OSPF
        RTR C               RTR E

Assume that you have IP planning below:
A: loopback 1.1.1.1/32
B: 2.2.2.2/32
C: 3.3.3.3/32
D: 4.4.4.4/32
E: 5.5.5.5/32
F: 6.6.6.6/32
A-B: 192.168.1.0/30
A-C: 192.168.1.4/30
B-C: 192.168.1.8/30
B-D: 192.168.1.12/30
C-D: 192.168.1.16/30
D-F: 192.168.1.20/30
E-F: 192.168.1.24/30

I hope this solution can help:
1. Set the IS-IS level 2 preference to 155 to avoid looping of the 0/0 route from OSPF when redistributing into IS-IS.
2. Apply an OSPF import policy on B and C to filter OSPF routes (originating from IS-IS) advertised from B to C and vice versa:

root@router-lab-1# show policy-options
policy-statement filter-ospf {
    term 1 {
        from {
            protocol ospf;
            route-filter 1.1.1.1/32 exact;
            route-filter 192.168.1.0/29 longer;
        }
        then reject;
    }
}

[edit]
root@router-lab-1# show protocols ospf
import filter-ospf;

3. Use a specific policy for redistributing OSPF into IS-IS to avoid sub-optimal routing:
policy-statement ospf-isis {
    term 1 {
        from {
            protocol ospf;
            route-filter 0.0.0.0/0 exact;
            route-filter 192.168.1.16/29 longer;
            route-filter 192.168.1.24/30 exact;
            route-filter 2.2.2.2/32 exact;
            route-filter 3.3.3.3/32 exact;
            route-filter 4.4.4.4/32 exact;
            route-filter 6.6.6.6/32 exact;
        }
        to level 2;
        then accept;
    }
    term 2 {
        from {
            protocol direct;
            route-filter 192.168.1.8/30 exact;
            route-filter 192.168.1.12/30 exact;
        }
        to level 2;
        then {
            metric 0;
            accept;
        }
    }
}

4. Use a specific policy for redistributing IS-IS into OSPF to avoid sub-optimal routing:
policy-statement isis-ospf {
    term 1 {
        from {
            protocol isis;
            level 2;
            route-filter 1.1.1.1/32 exact;
            route-filter 192.168.1.0/29 longer;
        }
        then {
            external {
                type 1;
            }
            accept;
        }           
    }
    term 2 {
        from {
            protocol direct;
            route-filter 192.168.1.0/29 longer;
        }
        then {
            external {
                type 1;
            }
            accept;
        }
    }
}

Nam
nhnam81 at gmail.com
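As an added illustration that is not part of this thread (it is neither Nam's nor Clarke's code), the small Python model below reproduces what steps 1 and 2 above, and point (e) of Clarke's quoted message further down, actually change on the border routers B and C: active-route selection by protocol preference, export policies that only ever see the active route, the preference change 18 -> 155, the filter-ospf import policy, and a tag guard on IS-IS -> OSPF redistribution. It assumes the Junos default preferences named in the thread, the loopback and link prefixes from the IP plan above, a constructed tag value (65000), and constructed per-router scenarios.

```python
"""Toy model of the OSPF/IS-IS border routers B and C from the thread.

Added example, not code from the thread. Preference numbers are the Junos
defaults named in the thread; LOOP_TAG and the scenarios are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

DEFAULT_PREF = {"direct": 0, "static": 5, "ospf-internal": 10,
                "isis-l2": 18, "ospf-external": 150}
# Step 1 of the reply: demote IS-IS level 2 below OSPF external (150).
FIXED_PREF = dict(DEFAULT_PREF, **{"isis-l2": 155})
LOOP_TAG = 65000  # constructed: marks routes that were born in IS-IS


@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str
    next_hop: str          # router the route was learned from
    tag: Optional[int] = None


def active_route(candidates, prefs):
    """Junos installs the candidate with the lowest preference value."""
    return min(candidates, key=lambda r: prefs[r.protocol])


def route_filter(prefix, match, kind):
    """Junos route-filter semantics: 'exact' or strictly 'longer'."""
    net, ref = ipaddress.ip_network(prefix), ipaddress.ip_network(match)
    if kind == "exact":
        return net == ref
    if kind == "longer":
        return net != ref and net.subnet_of(ref)
    raise ValueError(kind)


# filter-ospf from step 2: OSPF copies of prefixes that originate in IS-IS
FILTER_OSPF = [("1.1.1.1/32", "exact"), ("192.168.1.0/29", "longer")]


def import_ospf(route):
    """Reject OSPF routes matching filter-ospf; accept everything else."""
    if route.protocol.startswith("ospf") and any(
            route_filter(route.prefix, p, k) for p, k in FILTER_OSPF):
        return None
    return route


def redistribute(route, into, advertiser):
    """Export the *active* route into the other protocol.

    IS-IS -> OSPF stamps LOOP_TAG; OSPF -> IS-IS refuses tagged routes
    (Clarke's point e) and only matches routes whose active protocol is OSPF.
    """
    if into == "isis-l2":
        if not route.protocol.startswith("ospf") or route.tag == LOOP_TAG:
            return None
        return Route(route.prefix, "isis-l2", advertiser, route.tag)
    if into == "ospf-external":
        if route.protocol != "isis-l2":
            return None
        return Route(route.prefix, "ospf-external", advertiser, LOOP_TAG)
    raise ValueError(into)


def default_route_at_b(prefs):
    """B after a reboot hears 0/0 twice: OSPF external from D (F's static)
    and IS-IS level 2 from C, which already redistributed that same default.
    Returns (active route, what B would export into IS-IS)."""
    from_d = Route("0.0.0.0/0", "ospf-external", "D")
    from_c = Route("0.0.0.0/0", "isis-l2", "C")
    active = active_route([from_d, from_c], prefs)
    return active, redistribute(active, "isis-l2", "B")


def loopback_a_at_c(prefs, use_import_filter):
    """C sees A's loopback natively via IS-IS and again as the OSPF external
    that B redistributed (tagged). Without filter-ospf, preference 155 makes
    the OSPF copy win and traffic to A detours through B."""
    native = Route("1.1.1.1/32", "isis-l2", "A")
    via_b = redistribute(native, "ospf-external", "B")   # B's announcement
    candidates = [native, via_b]
    if use_import_filter:
        candidates = [r for r in candidates if import_ospf(r) is not None]
    active = active_route(candidates, prefs)
    return active, redistribute(active, "isis-l2", "C")


if __name__ == "__main__":
    for name, prefs in (("default", DEFAULT_PREF), ("isis=155", FIXED_PREF)):
        act, exp = default_route_at_b(prefs)
        print(f"[{name}] B default via {act.protocol}/{act.next_hop}; "
              f"re-exported into IS-IS: {exp is not None}")
    for flt in (False, True):
        act, _ = loopback_a_at_c(FIXED_PREF, flt)
        print(f"[filter-ospf={flt}] C reaches 1.1.1.1 via "
              f"{act.protocol}/{act.next_hop}")
```

With the default preferences B picks the IS-IS copy of the default from C and, because only the active route is exported and it is no longer an OSPF route, contributes nothing back into IS-IS; with C in the same position both border routers end up depending on each other for 0/0. With IS-IS at 155 the OSPF external from D wins and B exports it. The second scenario shows the side effect of 155 that the import filter exists for: without filter-ospf, C prefers the tagged OSPF copy of A's loopback via B, and the tag is what stops that copy from being pushed back into IS-IS.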

----- Original Message -----
From: juniper-nsp-request at puck.nether.net
To: juniper-nsp at puck.nether.net
Sent: Thursday, May 19, 2011 9:23:25 PM
Subject: juniper-nsp Digest, Vol 102, Issue 24

Send juniper-nsp mailing list submissions to
	juniper-nsp at puck.nether.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://puck.nether.net/mailman/listinfo/juniper-nsp
or, via email, send a message with subject or body 'help' to
	juniper-nsp-request at puck.nether.net

You can reach the person managing the list at
	juniper-nsp-owner at puck.nether.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of juniper-nsp digest..."


Today's Topics:

   1. Avoid route loop for joining IS-IS/OSPF areas with
      redundancy? (Clarke Morledge)
   2. Re: EX switches and TCAM utilisation (Charlie Allom)
   3. JUNOS major releases - differences between revisions (Dale Shaw)
   4. Re: JUNOS major releases - differences between revisions (Alex)
   5. Re: Copy files to RE (Pierfrancesco Caci)
   6. bono tac_plus configuration for juniper (Jimmy Halim)
   7. test - please ignore (Pierfrancesco Caci)
   8. netflow sampling problem in 10.2 (Matjaž Straus Istenič)
   9. RSVP automesh (Daniel Verlouw)


----------------------------------------------------------------------

Message: 1
Date: Wed, 18 May 2011 17:16:26 -0400 (EDT)
From: Clarke Morledge <chmorl at wm.edu>
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] Avoid route loop for joining IS-IS/OSPF areas with
	redundancy?
Message-ID: <alpine.GSO.2.00.1105181627270.23663 at stat.wm.edu>
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII

I am trying to solve some problems and I need a little sanity 
check.  I have some routers that only support OSPF and I am trying to 
integrate this OSPF area/autonomous-system into a level 2 IS-IS 
area/autonomous-system.   Simplified, it looks like this:


         IS-IS
          OSPF-------------OSPF
          RTR B             RTR D
        /  |                  \
       /   |                   \
      /    |                    \
IS-IS     |                   OSPF
RTR A     |                   RTR F --static-route 0.0.0.0/0->my ISP
     \     |                    /
      \    |                   /
       \   |                  /
       IS-IS                 /
        OSPF---------------OSPF
        RTR C               RTR E

A couple other things to note:

a. there is no Level 1 IS-IS here, just Level 2.

b.  OSPF is area 0.0.0.0.

c. IS-IS wide metrics only, so no real distinction between internal and 
external routes with IS-IS.

d. the static route 0.0.0.0/0 pointing to my ISP needs to be propagated 
into the IS-IS autonomous system, and I want to rely on OSPF costing on 
the interfaces to traffic engineer the path for the default route, while 
still allowing for redundancy.

e. to avoid looping in general, I tag routes redistributed from IS-IS into 
OSPF and then reject routes from OSPF to be redistributed into IS-IS 
matching that tag.   The same logic applies for routes from OSPF to IS-IS.

Here is the first problem:

If I stay with the default Junos route preferences and let's say that one 
of the ASBRs (Router B or C) goes down and comes back up, I'll get a 
routing loop for the default route.  Since wide-metrics forces IS-IS to 
forget about the internal/external distinction, the default route gets 
lost between Routers B and C.

Following the advice of Herrero and Van Der Ven in _Network Mergers and 
Migrations_, it should be sufficient to prefer OSPF internal AND external 
routes above IS-IS.  For example, I could drop the IS-IS level 2 internal 
preference from 18 down to something below the default OSPF external route 
preference of 150 to something like 155.  I would need to do this on both 
routers B and C.  This would force the OSPF external route for 0.0.0.0/0 
to win over IS-IS at the border routers, B and C.

But here is a second problem:

If I do not have OSPF configured directly between Routers B and C, I could 
get a suboptimal routing situation.  For example, let's say I have a 
loopback address on router A and the path from A to C is "shorter" than 
the path from A to B.  Router B would then see router A's loopback as best 
advertised through OSPF via Router D.  Ugh.

So perhaps I just need to configure OSPF between B and C.  This still 
isn't the most optimal method, because now that loopback address for A is 
best reachable from router B through router C, even though A is right next 
door.

I could just extend OSPF all the way over to router A and clean that up, 
even though I really am trying to move off OSPF as soon as possible to 
simplify life, but I guess I can live with it temporarily.  I just need to 
remember to apply the same route preference settings and redistribution 
routing logic with tags on router A as I have done on routers B and C.

In the future, when I want to replace the OSPF-only routers with routers 
that support OSPF and IS-IS, I can simply go from router to router and 
reverse the route preferences for IS-IS and OSPF, making IS-IS better, and 
then I can remove OSPF altogether.

Anyway, am I on the right track here, or am I forgetting something really 
important?


Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187



------------------------------

Message: 2
Date: Thu, 19 May 2011 00:46:32 +0100
From: Charlie Allom <charlie at playlouder.com>
To: Richard A Steenbergen <ras at e-gerbil.net>
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] EX switches and TCAM utilisation
Message-ID: <20110518234632.GA11931 at spodder.com>
Content-Type: text/plain; charset=us-ascii

On Wed, May 18, 2011 at 12:42:22PM -0500, Richard A Steenbergen <ras at e-gerbil.net> wrote:
> On Wed, May 18, 2011 at 05:10:54PM +0100, William J Hulley wrote:
> > Hi,
> > 
> > I'm using some EX3200s running 10.0S6.1 and developing a configuration 
> > using filter based forwarding to policy route traffic between routing 
> > instances.
> > 
> > It's all working fine in the lab but I'm concerned about the potential 
> > growth of the firewall policy and utilisation of the TCAM in 
> > production and would obviously like to model the usage and monitor it.
> > 
> > Are there any known supported/un-supported ways of getting useful 
> > stats out of the box beyond just relying on syslog messages saying 
> > there isn't enough cam?
> 
> Drop into the fpc shell from root, like so:
> 
> RE:0% vty fpc0


Wow Richard,

that is amazing info.

What version of JunOS was that from? On 10.0S I sadly only get these columns:

Number of rules as   Egress PCL: 59335

59335   Egress PCL rules


Page_id Entry_id  Instance      fw_id   Rule                        Rule-Index
--------------------------------------------------------------------------
32      0         2        3735928559   ospf-neighbours.8.ext.0     64
32      2         2        3735928559   ospf-neighbours.8.ext.1     65
33      0         2        3735928559   ospf-neighbours.8.ext.2     66
    ...
1687    2         2        3735928559   puppet_dashboard.44.ext.8   3375
1691    0         2        3735928559   deny-all.44.ext.0           3382

So it's hard to tell when the tcam is full.

  C.
-- 
 +442077294797
 http://mediaserviceprovider.com/


------------------------------

Message: 3
Date: Thu, 19 May 2011 10:49:27 +1000
From: Dale Shaw <dale.shaw+j-nsp at gmail.com>
To: juniper-nsp <juniper-nsp at puck.nether.net>
Subject: [j-nsp] JUNOS major releases - differences between revisions
Message-ID: <BANLkTik3v+K6qVF_x15Tcpxjod9RAiBVKg at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hi all,

I feel like a bit of a newbie asking this (and, relatively speaking, I
am!) because it feels like something that should be fairly
straight-forward. And maybe it is.

Q: Is there a way to determine what has changed between two revisions
of a major JUNOS release?

For argument's sake, how do I find out precisely what changed between
10.4R3 and 10.4R4?

The release notes for 10.4 don't spell it out very clearly. I suppose
I could look just at the outstanding and resolved issues sections of
the release notes but I'm not even sure how I can go back and look at
the 10.4 release notes at the time the previous revision was released.
A 'single' 10.4 release note exists and is simply revised when a new
revision to the major release goes out.

I know (in theory) there shouldn't be any new features between
revisions -- just bug fixes. I'm more familiar navigating cisco IOS
release notes where, even between maintenance releases, it's made
fairly clear what has changed.

Cheers,
Dale


------------------------------

Message: 4
Date: Thu, 19 May 2011 06:37:05 +0100
From: "Alex" <alex.arseniev at gmail.com>
To: "Dale Shaw" <dale.shaw+j-nsp at gmail.com>, "juniper-nsp"
	<juniper-nsp at puck.nether.net>
Subject: Re: [j-nsp] JUNOS major releases - differences between
	revisions
Message-ID: <05952A66F1094A8C80C9D6A43CBFD3BD at jnpr.net>
Content-Type: text/plain; format=flowed; charset="iso-8859-1";
	reply-type=original

Hello there,
There is _no_ single release notes doc for 10.4
Link to 10.4R3 release notes 
http://www.juniper.net/techpubs/en_US/junos10.4/information-products/topic-collections/release-notes/10.4/junos-release-notes-10.4r3.pdf
Link to 10.4R4 release notes 
http://www.juniper.net/techpubs/en_US/junos10.4/information-products/topic-collections/release-notes/10.4/junos-release-notes-10.4.pdf
And you can find all previous and current 10.4 release notes docs (note 
plural) - 10.4R1, 10.4R2, 10.4R3 and 10.4R4 - on this page
http://www.juniper.net/techpubs/en_US/junos10.4/information-products/pathway-pages/product/10.4/index.html
HTH
Rgds
Alex




------------------------------

Message: 5
Date: Thu, 19 May 2011 07:54:34 +0200
From: Pierfrancesco Caci <pf at caci.it>
To: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Copy files to RE
Message-ID: <20110519075434.540e96ea.pf at caci.it>
Content-Type: text/plain; charset=US-ASCII

On Wed, 18 May 2011 09:29:25 -0400
Chris Evans <chrisccnpspam2 at gmail.com> wrote:

> How about automatic script sync too

now now, don't be greedy :-)

but yes, that is sorely missing too.


-- 
Pierfrancesco Caci <pf at caci.it>


------------------------------

Message: 6
Date: Thu, 19 May 2011 18:09:36 +0800
From: Jimmy Halim <jhalim10 at gmail.com>
To: juniper-nsp at puck.nether.net
Cc: jhalim10 at gmail.com
Subject: [j-nsp] bono tac_plus configuration for juniper
Message-ID: <BANLkTi=0tZvngh4feae9=D+sgbFHy7xbEQ at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hi guys,

I am stuck with the bono tac_plus.cfg configuration for Juniper. Does anyone
have any idea how to do it in bono?

This is the setting in traditional tac_plus.cfg configuration:

group = NETWORK-OPS {
        service = junos-exec {
                local-user-name = network-ops
                deny-commands = "request"
                deny-configuration = "chassis"
        }
}


Any idea of the equivalent "deny-command" and "deny-configuration" settings in
bono?

Thanks,
Jimmy


------------------------------

Message: 7
Date: Thu, 19 May 2011 14:25:00 +0200
From: Pierfrancesco Caci <pf at caci.it>
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] test - please ignore
Message-ID: <20110519142500.1ebfca08.pf at caci.it>
Content-Type: text/plain; charset=US-ASCII

armwrestling procmailrc... sorry for the noise

-- 
Pierfrancesco Caci <pf at caci.it>


------------------------------

Message: 8
Date: Thu, 19 May 2011 15:05:13 +0200
From: Matjaž Straus Istenič <juniper at arnes.si>
To: juniper-nsp at puck.nether.net
Cc: Arnes Juniper group <juniper at arnes.si>
Subject: [j-nsp] netflow sampling problem in 10.2
Message-ID: <DD58D828-20E2-4710-9CC8-0C2ED6019960 at arnes.si>
Content-Type: text/plain; charset=utf-8

Hi there,

we've recently upgraded our MX routers to 10.2R3.10 (from 9.6). After that, netflow sampling based on firewall filters does not export any packets, not even to a local file. Total silence! We are sampling IPv4 packets ingress on all interfaces. Firewall filters work fine. The corresponding firewall filter terms still count bytes and packets, but no samples are seen.

Have some of you run into similar problems with sampled netflow on 10.2? Release notes do not mention anything similar.

Kind regards,
	Matjaž

---
Matjaž Straus Istenič, Arnes
http://www.arnes.si

Tel: +386 1 4798-877
Fax: +386 1 4798-878
matjaz.straus at arnes.si
MS6745-RIPE
PGP 490F3B4F 2009-10-21
Fingerprint = 6172 7BF8 B0B7 1F09 47B3  AFA3 0946 1701 490F 3B4F


------------------------------

Message: 9
Date: Thu, 19 May 2011 16:23:23 +0200
From: Daniel Verlouw <daniel at shunoshu.net>
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] RSVP automesh
Message-ID: <BANLkTik-QSBpAyZQuwi2rBCTvXpmjid_Uw at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hi list,

Has anyone played around with RSVP/MPLS automesh feature and can share
some experiences and/or example configs? I believe it was introduced
in 10.1, but can't find anything in the release notes and docs aren't
very clear either;

<http://www.juniper.net/techpubs/en_US/junos10.1/topics/task/configuration/rsvp-automatic-mesh.html>


Regards,

  --Daniel.


------------------------------

_______________________________________________
juniper-nsp mailing list
juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

End of juniper-nsp Digest, Vol 102, Issue 24
********************************************

