[j-nsp] Load Balancing on 2x MSPIC 100 for NAT

Pajlatek pajlatek at widzew.net
Sat Jan 14 18:22:12 EST 2012


Thank you Artur, for providing me with such a detailed description. The
cgn-pic trigger was tested by me (on m10i/m7i) 2 days ago during the
upgrade to Junos 11.4 and it gave us some more juice from the card we are
using now, thus giving us time to test the new config.

The LB config from the official Juniper Carrier Grade NAT PDF has some
holes, which I will be investigating further, but your setup makes it
simpler and I will test it in the next few days.

Peter


AM> On Thursday 12 of January 2012 21:50:14 Pajlatek wrote:
>> Hi
>> I am searching for anyone that is using more than 1 MSPIC 100 in M-
>> routers (M10i or M7i) and does a load-balance between them to get the
>> additional throughput over 1Gb/s
>> 
AM> I'm not sure if it's going to work on M10i/M7i but it should help you to find a
AM> solution.

AM> Let's assume you have an MX router with a MS-DPC (fpc 2) and you have to configure
AM> NAPT-44 between the internal network (10.100/16) and the Internet. Topology:
AM> http://makutunowicz.net/download/cgn_scenario.png

AM> How to configure it?
AM> 1) Enable layer-3 services on each PIC (MS-DPC has two NPUs: one at PIC0 and
AM> the other at PIC1).
AM> set chassis fpc 2 pic 0 adaptive-services service-package layer-3
AM> set chassis fpc 2 pic 1 adaptive-services service-package layer-3

AM> 2) Configure sp- interfaces:
AM> set interfaces sp-2/0/0 unit 0 family inet
AM> set interfaces sp-2/0/0 services-options cgn-pic
AM> set interfaces sp-2/1/0 unit 0 family inet
AM> set interfaces sp-2/1/0 services-options cgn-pic

AM> Note that cgn-pic was introduced in Junos 11.2 and may work on MX with MS-DPC
AM> only.

AM> 3) Create 2 service-sets with proper sp- interfaces attached. 

AM> set services service-set SS_PART1 nat-rules NAT_RULE_1
AM> set services service-set SS_PART1 interface-service service-interface sp-2/0/0
AM> set services service-set SS_PART2 nat-rules NAT_RULE_2
AM> set services service-set SS_PART2 interface-service service-interface sp-2/1/0

AM> 4) Apply service-sets to the internal interface. You also have to manually
AM> distribute incoming packets to PICs for processing, eg. half of the internal
AM> network is processed by sp-2/0/0 and the other by sp-2/1/0 (that's why the
AM> service filters are necessary).

AM> set interfaces ge-0/0/0 unit 0 family inet address 10.100.0.1/16
AM> set interfaces ge-0/0/1 unit 0 family inet address 192.168.0.1/24
AM> set interfaces ge-0/0/0 unit 0 family inet service input service-set SS_PART1 service-filter SS_PART1_FILTER
AM> set interfaces ge-0/0/0 unit 0 family inet service input service-set SS_PART2 service-filter SS_PART2_FILTER
AM> set interfaces ge-0/0/0 unit 0 family inet service output service-set SS_PART2 service-filter SS_PART2_FILTER
AM> set interfaces ge-0/0/0 unit 0 family inet service output service-set SS_PART1 service-filter SS_PART1_FILTER

AM> 5) Create the service-filters:

AM> set firewall family inet service-filter SS_PART1_FILTER term part1 from source-address 10.100.0.0/17
AM> set firewall family inet service-filter SS_PART1_FILTER term part1 then service
AM> set firewall family inet service-filter SS_PART1_FILTER term default then skip
AM> set firewall family inet service-filter SS_PART2_FILTER term part2 from source-address 10.100.128.0/17
AM> set firewall family inet service-filter SS_PART2_FILTER term part2 then service
AM> set firewall family inet service-filter SS_PART2_FILTER term default then skip

AM> 6) Create the NAT pools (one pool for 10.100/17 and the other for 
AM> 10.100.128/17):

AM> set services nat pool POOL_PART1 address 192.168.100.0/24
AM> set services nat pool POOL_PART1 port automatic
AM> set services nat pool POOL_PART2 address 192.168.200.0/24
AM> set services nat pool POOL_PART2 port automatic

AM> 7) Create the NAT rules:

AM> set services nat rule NAT_RULE_1 match-direction input
AM> set services nat rule NAT_RULE_1 term part1 from source-address 10.100.0.0/17
AM> set services nat rule NAT_RULE_1 term part1 then translated source-pool POOL_PART1
AM> set services nat rule NAT_RULE_1 term part1 then translated translation-type napt-44
AM> set services nat rule NAT_RULE_2 match-direction input
AM> set services nat rule NAT_RULE_2 term part2 from source-address 10.100.128.0/17
AM> set services nat rule NAT_RULE_2 term part2 then translated source-pool POOL_PART2
AM> set services nat rule NAT_RULE_2 term part2 then translated translation-type napt-44

AM> napt-44 translation type was introduced in Junos 11.2. If you have Junos
AM> version < 11.2, set translation type to "source dynamic".

AM> To summarize:
AM> When a user with IP 10.100.0.100 wants to access the Internet, it hits
AM> ge-0/0/0 interface, matches SS_PART1_FILTER so SS_PART1 service set is
AM> applied. He's translated to the IP from pool 192.168.100.0/24 (by NAT_RULE_1)
AM> using sp-2/0/0 interface.

AM> Of course the load balancing method is going to work if IP address assignment
AM> follows uniform distribution. However, you can be more granular in the service
AM> filters (eg. split all the internal address space to several /24 slices).

AM> Hope it's helpful.

AM> Best regards,
AM> Artur



-- 
Best regards,
 Pajlatek                            mailto:pajlatek at widzew.net
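
Added example, not part of either poster's message: a Python sketch of the finer-grained split suggested in the quoted reply (several /24 slices instead of two /17s), with a check that the service-filters still cover the internal prefix exactly once, since a source that matches no slice only hits `term default then skip` and is never handed to a service PIC. The function names and the round-robin assignment are assumptions of this example; the emitted commands follow the form of step 5.

```python
import ipaddress

def assign_slices(internal, slice_len, pics):
    """Round-robin equal slices of the internal prefix across service PICs."""
    net = ipaddress.ip_network(internal)
    plan = {pic: [] for pic in pics}
    for i, sub in enumerate(net.subnets(new_prefix=slice_len)):
        plan[pics[i % len(pics)]].append(sub)
    return plan

def is_exact_partition(internal, plan):
    """True when every internal address falls in exactly one PIC's slices."""
    net = ipaddress.ip_network(internal)
    slices = [s for subs in plan.values() for s in subs]
    covered = list(ipaddress.collapse_addresses(slices))   # union of all slices
    total = sum(s.num_addresses for s in slices)           # grows if slices overlap
    return covered == [net] and total == net.num_addresses

def pic_for(addr, plan):
    """Service PIC whose filter selects this source, or None (packet skipped)."""
    ip = ipaddress.ip_address(addr)
    return next((pic for pic, subs in plan.items()
                 if any(ip in s for s in subs)), None)

def render_filters(plan):
    """Emit service-filter commands in the form used in step 5."""
    out = []
    for n, subs in enumerate(plan.values(), start=1):
        base = f"set firewall family inet service-filter SS_PART{n}_FILTER"
        for s in subs:
            out.append(f"{base} term part{n} from source-address {s}")
        out.append(f"{base} term part{n} then service")
        out.append(f"{base} term default then skip")
    return out

if __name__ == "__main__":
    pics = ["sp-2/0/0", "sp-2/1/0"]            # interfaces from the thread
    plan = assign_slices("10.100.0.0/16", 24, pics)
    print("exact partition:", is_exact_partition("10.100.0.0/16", plan))
    print(pic_for("10.100.0.100", plan), pic_for("10.100.1.100", plan))
    print("\n".join(render_filters(plan)[:3]))
```

The NAT rules from step 7 match on the same source prefixes, so they need the same slices as the filters generated here.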


