[j-nsp] Load Balancing on 2x MSPIC 100 for NAT

Artur Makutunowicz artur at makutunowicz.net
Sat Jan 14 17:20:24 EST 2012 

On Thursday 12 of January 2012 21:50:14 Pajlatek wrote:
> Hi
> I  am  searching for any one that is using more than 1 MSPIC 100 in M-
> routers  (M10i or M7i) and does a load-balance between them to get the
> additional thruoutput over 1Gb/s
> 
I'm not sure if it's going to work on M10i/M7i but it should help you to find a 
solution.

Let's assume you have MX router with a MS-DPC (fpc 2) and you have to configure 
NAPT-44 between internal network (10.100/16) and the Internet. Topology: 
http://makutunowicz.net/download/cgn_scenario.png

How to configure it?
1) Enable layer-3 services on each PIC (MS-DPC has two NPUs: one at PIC0 and 
the other at PIC1).
set chassis fpc 2 pic 0 adaptive-services service-package layer-3
set chassis fpc 2 pic 1 adaptive-services service-package layer-3

2) Configure sp- interfaces:
set interfaces sp-2/0/0 unit 0 family inet
set interfaces sp-2/0/0 services-options cgn-pic
set interfaces sp-2/1/0 unit 0 family inet
set interfaces sp-2/1/0 services-options cgn-pic

Note that cgn-pic was introduced in Junos 11.2 and may work on MX with MS-DPC 
only.

3) Create 2 service-sets with proper sp- interfaces attached. 

set services service-set SS_PART1 nat-rules NAT_RULE_1
set services service-set SS_PART1 interface-service service-interface sp-2/0/0
set services service-set SS_PART2 nat-rules NAT_RULE_2
set services service-set SS_PART2 interface-service service-interface sp-2/1/0

4) Apply service-sets to the internal interface. You also have to manually 
distribute incoming packets to PICs for processing, eg. half of the internal 
network is processed by sp-2/0/0 and the other by sp-2/1/0 (that's why the 
service filters are necessary).

set interfaces ge-0/0/0 unit 0 family inet address 10.100.0.1/16
set interfaces ge-0/0/1 unit 0 family inet address  192.168.0.1/24
set interfaces ge-0/0/0 unit 0 family inet service input service-set SS_PART1 
service-filter SS_PART1_FILTER
set interfaces ge-0/0/0 unit 0 family inet service input service-set SS_PART2 
service-filter SS_PART2_FILTER
set interfaces ge-0/0/0 unit 0 family inet service output service-set SS_PART2 
service-filter SS_PART2_FILTER
set interfaces ge-0/0/0 unit 0 family inet service output service-set SS_PART1 
service-filter SS_PART1_FILTER

5) Create the service-filters:

set firewall family inet service-filter SS_PART1_FILTER term part1 from source-
address 10.100.0.0/17
set firewall family inet service-filter SS_PART1_FILTER term part1 then service
set firewall family inet service-filter SS_PART1_FILTER term default then skip
set firewall family inet service-filter SS_PART2_FILTER term part2 from source-
address 10.100.128.0/17
set firewall family inet service-filter SS_PART2_FILTER term part2 then service
set firewall family inet service-filter SS_PART2_FILTER term default then skip

6) Create the NAT pools (one pool for 10.100/17 and the other for 
10.100.128/17):

set services nat pool POOL_PART1 address 192.168.100.0/24
set services nat pool POOL_PART1 port automatic
set services nat pool POOL_PART2 address 192.168.200.0/24
set services nat pool POOL_PART2 port automatic

7) Create the NAT rules:

set services nat rule NAT_RULE_1 match-direction input
set services nat rule NAT_RULE_1 term part1 from source-address 10.100.0.0/17
set services nat rule NAT_RULE_1 term part1 then translated source-pool 
POOL_PART1
set services nat rule NAT_RULE_1 term part1 then translated translation-type 
napt-44
set services nat rule NAT_RULE_2 match-direction input
set services nat rule NAT_RULE_2 term part2 from source-address 
10.100.128.0/17
set services nat rule NAT_RULE_2 term part2 then translated source-pool 
POOL_PART2
set services nat rule NAT_RULE_2 term part2 then translated translation-type 
napt-44

napt-44 translation type was introduced in Junos 11.2. If you have Junos 
version < 11.2, set translation type to "source dynamic".

To summarize:
When a user with IP 10.100.0.100 wants to access the Internet, it hits 
ge-0/0/0 interface, matches SS_PART1_FILTER so SS_PART1 service set is 
applied. He's translated to the IP from pool 192.168.100.0/24 (by NAT_RULE_1) 
using sp-2/0/0 interface.

Of course the load balancing method is going to work if IP address assignment 
follows uniform distribution. However, you can be more granular in the service 
filters (eg. split all the internal address space to several /24 slices).

Hope it's helpful.

Best regards,
Artur

More information about the juniper-nsp mailing list