[j-nsp] Suggestions on management of dual-RE devices

Michael Loftis mloftis at wgops.com
Fri Nov 27 10:46:18 EST 2015


On Wed, Nov 25, 2015 at 7:14 AM, Mike Williams <mike.williams at comodo.com> wrote:
> Thanks to all those who responded.
> master-only is mostly what I wanted!
>
>
> Rather confusingly, Juniper do specify setting lo0 per RE.
> https://www.juniper.net/techpubs/en_US/junos12.3/topics/task/configuration/routing-engine-dual-initial-configuration.html
> But then that document also tells you to run "commit synchronise" from operational mode.
> A single loopback address works, and both REs have the same system SSH key, so no warnings if they switch.
>

On the MX platforms (and the big hardware identical EXes) only the
master processes punted packets.  tcp/22 (subject to the ddos profiles
and firewall filters) gets punted when received on a hardware
interface to an lo0 address, there the master RE in the chassis gets
to process it.  Same path as BGP, OSPF, etc.  "master-only" is thus
only necessary (and applicable) to fxp interfaces.  You can't ssh to
an lo0 address and get a backup RE.  I believe VC EX and QFX behave
the same, pushing the inbound packets towards the VC master.

Hope that clears it up a little bit.

> This is broadly what I've got now.
>
> groups {
>     re0 {
>         system {
>             host-name ...-re0;
>         }
>         interfaces {
>             fxp0 {
>                 unit 0 {
>                     family inet {
>                         address 10.22.0.2/24 {
>                             master-only;
>                         }
>                         address 10.22.0.3/24;
>                     }
>                 }
>             }
>         }
>     }
>     re1 {
>         system {
>             host-name ...-re1;
>         }
>         interfaces {
>             fxp0 {
>                 unit 0 {
>                     family inet {
>                         address 10.22.0.2/24 {
>                             master-only;
>                         }
>                         address 10.22.0.4/24;
>                     }
>                 }
>             }
>         }
>     }
> }
> interfaces {
>     lo0 {
>         unit 0 {
>             family inet {
>                 address 10.177.4.2/32;
>             }
>         }
>     }
> }
>
>
> Thanks
>
> On Tuesday 24 November 2015 21:52:38 Olivier Benghozi wrote:
>> Juniper document provides each RE with its own MANAGEMENT address (on fxp
>> port of each RE), not its own loopback. You configure a single loopback
>> (interface lo0.0).
>>
>> Anyway, about your need, there is:
>> http://www.juniper.net/documentation/en_US/junos15.1/topics/usage-guidelines/interfaces-configuring-a-consistent-management-ip-address.html
>> > On 24 Nov 2015 at 19:07, Mike Williams <mike.williams at comodo.com> wrote:
>> >
>> > Hi all,
>> >
>> > So we just got our first Juniper devices with dual-REs (if you exclude
>> > virtual chassis').
>> > Before I get into actually configuring them, I'm wondering how others
>> > handle management, as I'm a touch confused.
>> >
>> > Normally we just SSH/snmp to the loopback address, optionally jumping off
>> > from a device on the same OoB network if routing is down (yes, we should
>> > configure a backup router).
>> >
>> > Juniper document providing each RE with its own loopback address.
>> > If you do that, you'd have to detect if what you're connected to is master
>> > or backup, right?
>> > That might be a necessary trade off. As if you had a single loopback
>> > address, wouldn't the system SSH key change as loopback "moved" between
>> > the REs? Can a 'global' single loopback even be configured?
>> >
>> > Or do dual-RE devices actually work like virtual chassis, where the system
>> > SSH key is the same on all nodes, and connections to the backup are
>> > internally redirected to the master?
>
> --
> Mike Williams



-- 

"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler
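
An added example, not part of the original thread or any Juniper tooling: a small Python check that a dual-RE configuration follows the fxp0 layout quoted above, with one identical master-only address in both RE groups and a distinct per-RE address. The parser handles only the brace syntax shown in the thread; the TEMPLATE config, its RE1_SHARED placeholder and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the layout quoted in the thread (host-name lines omitted).
TEMPLATE = """
groups {
    re0 { interfaces { fxp0 { unit 0 { family inet {
        address 10.22.0.2/24 { master-only; } address 10.22.0.3/24; } } } } }
    re1 { interfaces { fxp0 { unit 0 { family inet {
        address RE1_SHARED { master-only; } address 10.22.0.4/24; } } } } }
}
"""

def parse(text):
    """Parse brace-style config into nested dicts; leaf statements map to None."""
    stack, pending = [{}], ""
    for tok in re.findall(r"[{};]|[^{};]+", text):
        tok = " ".join(tok.split())
        if tok == "{":
            stack.append(stack[-1].setdefault(pending, {}))
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            stack[-1][pending] = None
        elif tok:
            pending = tok
    return stack[0]

def fxp0_addresses(cfg, group):
    """Return (master-only addresses, per-RE addresses) for one RE group."""
    inet = cfg["groups"][group]["interfaces"]["fxp0"]["unit 0"]["family inet"]
    shared, own = set(), set()
    for stmt, body in inet.items():
        if stmt.startswith("address "):
            addr = ipaddress.ip_interface(stmt.split()[1])
            is_shared = isinstance(body, dict) and "master-only" in body
            (shared if is_shared else own).add(addr)
    return shared, own

def check_dual_re(cfg):
    """List deviations from the thread's fxp0 layout; empty list means it matches."""
    (s0, o0), (s1, o1) = fxp0_addresses(cfg, "re0"), fxp0_addresses(cfg, "re1")
    problems = []
    if len(s0) != 1 or s0 != s1:
        problems.append("master-only address is not one identical address on both REs")
    if not o0 or not o1 or (o0 & o1):
        problems.append("each RE needs its own distinct fxp0 address")
    return problems
```
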

