[j-nsp] Interconnect two VRFs via L2 security box with redundant path

Stefan Fouant sfouant at shortestpathfirst.net
Tue Apr 24 15:13:02 EDT 2012


Comments in-line...

On 4/24/2012 1:48 PM, Clarke Morledge wrote:
> Stefan,
>
> I was just hunting through your blog for ideas when I saw your post :-)
> Thanks for jumping in. A few responses in-line below.....
>
> On Tue, 24 Apr 2012, Stefan Fouant wrote:
>
>> If that adjacency goes down, a simple floating static (static route w/
>> higher preference than the dynamic BGP/IS-IS route) pointing to
>> next-table will do the trick. No need to use
>> Logical-Tunnels or use auto-export.
>
> If my two routers were directly connected all of the time, this would be
> fine. But I'm also thinking of the case of when there might be another
> L3 hop between the two routers. I guess I could insert another floating
> static on the third router, but that just seemed to add a little more
> complexity to me. I was hoping for a way to just let the dynamic routing
> protocols do the work for me instead of fooling with a bunch of statics
> with filter-based forwarding. Don't get me wrong, I like FBF. I was just
> hoping to leverage dynamic routing more.

I guess what I was referring to is that you don't really need to have 
the MX West device be used at all in the event that the L2 Packet 
scrubber dies, as per the restrictions in your initial email:

"I also need to have a redundant path, preferably passing through the 
other core router (MX West).  In the event that the Layer2 box dies, or 
if the MX East core router dies, unfortunately traffic will not get 
inspected but I will still have connectivity between the North and South 
VRFs via the MX West core router. "

What I'm saying is that if the Packet Scrubber dies, the protocol 
adjacency through the VR North and the VR South on the MX East device 
will fail, and you could simply route directly from VR North to VR South 
on the same device by using a simple floating static route pointing to 
next-table. In other words, if traffic arrives in VR North on MX East 
and the packet scrubber device dies, then the floating static in 
vr_north.inet.0 will point to vr_south.inet.0, and vice-versa for 
traffic in the reverse direction. So you have no need for a redundant 
path through MX West; that would only be used in the event that the 
entire MX East device goes down.

>> Of course, in your case you've got not just two VRFs but also an East
>> and West path which further complicates things - why not just connect
>> the MX West device into your L2 Packet Scrubber as well and keep
>> things the same on both the East and West device so that you can take
>> full advantage of two planes. This will keep configurations uniform
>> regardless of whether traffic comes in on the East or West devices.
>
> I should have given the reason why I do not put the L2 scrubber between
> the two routers: conservation of fiber. I already have fiber connecting
> the routers in different wiring centers for traffic that does not need
> to be scrubbed. Chewing up another set of strands is much more expensive
> than simply connecting both sides of the L2 scrubber to just one router
> in the same rack.

Makes sense...

-- 
Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ENT, JNCI
Technical Trainer, Juniper Networks

Follow us on Twitter @JuniperEducate
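The floating-static fallback described in this reply, written out as an added Junos configuration example for MX East; it is not from the original thread or from Juniper. The instance names vr_north and vr_south follow the thread, while the interfaces, prefixes, AS numbers and peer addresses are constructed placeholders. The BGP session between the two virtual routers runs across the L2 scrubber; the static route with next-table sits behind it with a worse preference and only becomes active when the BGP route is withdrawn, at which point traffic stays on the chassis and is no longer inspected.

```junos
/* Added example, not from the original thread. MX East only; MX West is untouched.
   Interfaces, prefixes, AS numbers and peer addresses are constructed placeholders.
   The two interfaces share a /30 because the L2 scrubber bridges them. */
interfaces {
    xe-0/0/0 { unit 0 { family inet { address 192.0.2.1/30; } } }   /* north side of scrubber */
    xe-0/0/1 { unit 0 { family inet { address 192.0.2.2/30; } } }   /* south side of scrubber */
}
routing-instances {
    vr_north {
        instance-type virtual-router;
        interface xe-0/0/0.0;
        routing-options {
            autonomous-system 65001;
            static {
                /* Floating static toward the south prefix. Preference 250 loses to
                   BGP (170) while the session through the scrubber is up and becomes
                   active only when that route is withdrawn, sending traffic straight
                   into vr_south on the same chassis, bypassing the scrubber. */
                route 10.0.2.0/24 {
                    next-table vr_south.inet.0;
                    preference 250;
                }
            }
        }
        protocols {
            bgp {
                /* log-updown writes every session state change to syslog; that
                   record is what tells you traffic has stopped being inspected. */
                log-updown;
                group to-south {
                    type external;
                    peer-as 65002;
                    neighbor 192.0.2.2;
                }
            }
        }
    }
    vr_south {
        instance-type virtual-router;
        interface xe-0/0/1.0;
        routing-options {
            autonomous-system 65002;
            static {
                /* Mirror image for the reverse direction. */
                route 10.0.1.0/24 {
                    next-table vr_north.inet.0;
                    preference 250;
                }
            }
        }
        protocols {
            bgp {
                log-updown;
                group to-north {
                    type external;
                    peer-as 65001;
                    neighbor 192.0.2.1;
                }
            }
        }
    }
}
```

With the scrubber healthy, `show route table vr_north.inet.0 10.0.2.0/24 detail` should show the BGP route active and the preference-250 static present but inactive; pulling the scrubber flips them. Two points to check on the release in use (assumptions, not something the thread confirms): Junos runs a loop check on next-table routes, and two tables referencing each other may be rejected at commit, in which case the filter-based forwarding mentioned earlier in the thread is the fallback; and since the fail-open path is silent by design, the BGP down message from log-updown is worth alerting on, because it is the only signal that uninspected traffic is flowing.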
