[j-nsp] FBF with st interfaces on SRX3400

Per Westerlund p1 at westerlund.se
Wed Dec 19 17:18:21 EST 2012


1) Careful with that FBF so you don't black hole on Riverbed problems. No help with fail-to-wire in this kind of setup.
2) I usually use MTU 1400 with GRE IF. Not optimal, but close, always works and is easy to remember.
3) In a TCP environment, tcp-mss 1350 takes care of most PMTU problems.

/Per

Sent from my iPad, please ignore stupid spelling corrections!

On 19 Dec 2012, at 22:57, Dennis Hagens <root at ipaddr.nl> wrote:

> Hi Per,
> 
> Thanks a lot for your suggestion! So you suggest dropping the extra VRs, tunneling GRE over IPsec and then applying the FBF on the GRE and PHY ifs? Didn't think of that, but it sounds pretty solid.
> 
> I'm gonna see if I can build a test setup for this. Pity though that I will have another 24 bytes of overhead because of GRE...
> 
> Thanks,
> 
> Dennis
> ________________________________________
> From: Per Westerlund [p1 at westerlund.se]
> Sent: Wednesday, December 19, 2012 10:55 PM
> To: Dennis Hagens
> Subject: Re: [j-nsp] FBF with st interfaces on SRX3400
> 
> GRE!
> 
> I have not set up what you need myself, but I have had problems with missing knobs for firewall filters with st0 interfaces before.
> 
> If you add another tunnel layer, GRE, you will find that the gr-x/x/x interfaces will take filters, and thus enable FBF.  OSPF also works well over GRE, of course.
> 
> /Per
> 
> Sent from my iPad, please ignore stupid spelling corrections!
> 
> On 19 Dec 2012, at 12:18, Dennis Hagens <root at ipaddr.nl> wrote:
> 
>> Hi,
>> 
>> I'm running into a design problem for FBF with a Riverbed Steelhead. Our requirement is to send __part__ of our VPN traffic through a Riverbed appliance for acceleration.
>> The complicating factors here are a multi-tunnel VPN connection between 2 sites, running OSPF over the tunnel interfaces. Also, since we will process a lot more VPN traffic than the Riverbed can handle (1G+ whilst the Riverbed only has 1G interfaces), we cannot put the Riverbed physically in-line.
>> 
>> I have been able to separate the traffic with firewall filters and as such I can apply an action like send to a different routing instance. I cannot, however, apply this to a tunnel (st) interface in this firewall, running Junos 12.1R2.9.
>> 
>> Currently I'm considering setting up 3 (Riverbed+VPN+inet.0) routing instances, running OSPF between 2 of them over a logical tunnel and using 1 of them purely for connectivity to the Riverbed (see http://postimage.org/image/tsxjq5gjv/ ).
>> That way I can apply the FBF filters on the lt and physical interfaces and redirect traffic to the Riverbed instance, with a default to the Riverbed. The Riverbed would have a default back to the physical interface, where I could apply FBF again and push all traffic back to inet.0.
>> The Riverbed would run in virtual in-path mode.
>> 
>> Besides the fact that in my initial setup OSPF wasn't working over the lt interfaces, I don't like the complexity of this. If I were able to attach filters to the tunnel interfaces, I think I could set this up somewhat more simply.
>> 
>> Does anyone have a suggestion or experience with a similar setup?
>> 
>> Kind regards,
>> 
>> Dennis Hagens
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
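The following Junos configuration is an added illustration of the design Per recommends in the thread (GRE over the IPsec tunnel, an FBF filter on the gr- interface, MTU 1400 and tcp-mss 1350). It is not configuration from either poster or from Juniper; the instance name RIVERBED, the rib-group name FBF-RIB, the interface gr-0/0/0, the prefix 10.10.0.0/16, the Riverbed next-hop 192.0.2.2 and all other addresses are assumed placeholders. Security zone and policy statements the SRX also needs for the gr- interface are left out.

```junos
## Added example, not the posters' configuration. Names and addresses are assumed.

## GRE tunnel riding inside the existing IPsec tunnel (st0 carries the GRE endpoints).
## MTU 1400 as suggested in the thread; OSPF runs over this interface instead of st0.
set interfaces gr-0/0/0 unit 0 tunnel source 172.16.0.1
set interfaces gr-0/0/0 unit 0 tunnel destination 172.16.0.2
set interfaces gr-0/0/0 unit 0 family inet mtu 1400
set interfaces gr-0/0/0 unit 0 family inet address 10.255.0.1/30
set interfaces gr-0/0/0 unit 0 family inet filter input FBF-TO-RIVERBED

## Forwarding instance whose only job is to hand the selected traffic to the Riverbed.
## Its default route points at the Riverbed's in-path address (assumed 192.0.2.2).
set routing-instances RIVERBED instance-type forwarding
set routing-instances RIVERBED routing-options static route 0.0.0.0/0 next-hop 192.0.2.2

## Share the interface routes of inet.0 into the forwarding instance so the
## next-hop above is resolvable there (standard Junos FBF rib-group pattern).
set routing-options interface-routes rib-group inet FBF-RIB
set routing-options rib-groups FBF-RIB import-rib [ inet.0 RIVERBED.inet.0 ]

## Filter-based forwarding: only the prefix to be accelerated is redirected;
## everything else stays in inet.0, so a Riverbed outage cannot black-hole
## traffic that was never meant to go through it.
set firewall family inet filter FBF-TO-RIVERBED term accelerate from destination-address 10.10.0.0/16
set firewall family inet filter FBF-TO-RIVERBED term accelerate then routing-instance RIVERBED
set firewall family inet filter FBF-TO-RIVERBED term rest then accept

## Clamp TCP MSS on GRE traffic in both directions, per point 3 in the thread.
set security flow tcp-mss gre-in mss 1350
set security flow tcp-mss gre-out mss 1350
```

The `rest` term is what keeps point 1 of the thread in mind: the filter redirects only the explicitly matched prefix, so a dead Riverbed affects that prefix alone rather than the whole VPN. Verify with `show route table RIVERBED.inet.0` that the static default and the shared interface route are present, and with `show interfaces gr-0/0/0 statistics` that traffic is entering the GRE tunnel.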
