Thank you, Artur, for providing me with such a detailed description. The cgn-pic trigger was tested by me (on M10i/M7i) 2 days ago during the upgrade to Junos 11.4 and it gave us some more juice from the card we are using now, thus giving us time to test the new config.
The LB config from the official Juniper Carrier Grade NAT PDF has some holes, which I will be investigating further, but your setup makes it simpler and I will test it in the next few days.

Peter

AM> On Thursday 12 of January 2012 21:50:14 Pajlatek wrote:
>> Hi
>> I am searching for anyone that is using more than 1 MSPIC 100 in M-
>> routers (M10i or M7i) and does a load-balance between them to get the
>> additional throughput over 1Gb/s
>>
AM> I'm not sure if it's going to work on M10i/M7i but it should help you to find a solution.
AM>
AM> Let's assume you have MX router with a MS-DPC (fpc 2) and you have to configure NAPT-44 between internal network (10.100/16) and the Internet. Topology:
AM> http://makutunowicz.net/download/cgn_scenario.png
AM>
AM> How to configure it?
AM>
AM> 1) Enable layer-3 services on each PIC (MS-DPC has two NPUs: one at PIC0 and the other at PIC1).
AM>
AM> set chassis fpc 2 pic 0 adaptive-services service-package layer-3
AM> set chassis fpc 2 pic 1 adaptive-services service-package layer-3
AM>
AM> 2) Configure sp- interfaces:
AM>
AM> set interfaces sp-2/0/0 unit 0 family inet
AM> set interfaces sp-2/0/0 services-options cgn-pic
AM> set interfaces sp-2/1/0 unit 0 family inet
AM> set interfaces sp-2/1/0 services-options cgn-pic
AM>
AM> Note that cgn-pic was introduced in Junos 11.2 and may work on MX with MS-DPC only.
AM>
AM> 3) Create 2 service-sets with proper sp- interfaces attached.
AM>
AM> set services service-set SS_PART1 nat-rules NAT_RULE_1
AM> set services service-set SS_PART1 interface-service service-interface sp-2/0/0
AM> set services service-set SS_PART2 nat-rules NAT_RULE_2
AM> set services service-set SS_PART2 interface-service service-interface sp-2/1/0
AM>
AM> 4) Apply service-sets to the internal interface. You also have to manually distribute incoming packets to PICs for processing, e.g. half of the internal network is processed by sp-2/0/0 and the other by sp-2/1/0 (that's why the service filters are necessary).
AM>
AM> set interfaces ge-0/0/0 unit 0 family inet address 10.100.0.1/16
AM> set interfaces ge-0/0/1 unit 0 family inet address 192.168.0.1/24
AM> set interfaces ge-0/0/0 unit 0 family inet service input service-set SS_PART1 service-filter SS_PART1_FILTER
AM> set interfaces ge-0/0/0 unit 0 family inet service input service-set SS_PART2 service-filter SS_PART2_FILTER
AM> set interfaces ge-0/0/0 unit 0 family inet service output service-set SS_PART2 service-filter SS_PART2_FILTER
AM> set interfaces ge-0/0/0 unit 0 family inet service output service-set SS_PART1 service-filter SS_PART1_FILTER
AM>
AM> 5) Create the service-filters:
AM>
AM> set firewall family inet service-filter SS_PART1_FILTER term part1 from source-address 10.100.0.0/17
AM> set firewall family inet service-filter SS_PART1_FILTER term part1 then service
AM> set firewall family inet service-filter SS_PART1_FILTER term default then skip
AM> set firewall family inet service-filter SS_PART2_FILTER term part2 from source-address 10.100.128.0/17
AM> set firewall family inet service-filter SS_PART2_FILTER term part2 then service
AM> set firewall family inet service-filter SS_PART2_FILTER term default then skip
AM>
AM> 6) Create the NAT pools (one pool for 10.100/17 and the other for 10.100.128/17):
AM>
AM> set services nat pool POOL_PART1 address 192.168.100.0/24
AM> set services nat pool POOL_PART1 port automatic
AM> set services nat pool POOL_PART2 address 192.168.200.0/24
AM> set services nat pool POOL_PART2 port automatic
AM>
AM> 7) Create the NAT rules:
AM>
AM> set services nat rule NAT_RULE_1 match-direction input
AM> set services nat rule NAT_RULE_1 term part1 from source-address 10.100.0.0/17
AM> set services nat rule NAT_RULE_1 term part1 then translated source-pool POOL_PART1
AM> set services nat rule NAT_RULE_1 term part1 then translated translation-type napt-44
AM> set services nat rule NAT_RULE_2 match-direction input
AM> set services nat rule NAT_RULE_2 term part2 from source-address 10.100.128.0/17
AM> set services nat rule NAT_RULE_2 term part2 then translated source-pool POOL_PART2
AM> set services nat rule NAT_RULE_2 term part2 then translated translation-type napt-44
AM>
AM> napt-44 translation type was introduced in Junos 11.2. If you have Junos version < 11.2, set translation type to "source dynamic".
AM>
AM> To summarize:
AM> When a user with IP 10.100.0.100 wants to access the Internet, it hits ge-0/0/0 interface, matches SS_PART1_FILTER so SS_PART1 service set is applied. He's translated to the IP from pool 192.168.100.0/24 (by NAT_RULE_1) using sp-2/0/0 interface.
AM>
AM> Of course the load balancing method is going to work if IP address assignment follows uniform distribution. However, you can be more granular in the service filters (e.g. split all the internal address space to several /24 slices).
AM>
AM> Hope it's helpful.
AM>
AM> Best regards,
AM> Artur

--
Best regards,
Pajlatek mailto:pajla...@widzew.net

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
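
The finer-grained split suggested at the end of the quoted message (several smaller slices instead of two /17 halves) can be generated and checked mechanically. The following Python sketch is an added example, not part of the original thread or of Juniper's documentation: it assigns equal slices of the internal prefix round-robin to the PICs, reports which PIC a given source address lands on, and emits service-filter and NAT-rule statements in the form used in the post. The function names and the per-slice term names (`slice0`, `slice1`, ...) are made up here, and the pools `POOL_PARTn` are assumed to exist as in step 6.

```python
import ipaddress

def assign_slices(prefix, slice_len, n_pics):
    """Round-robin the /slice_len subnets of prefix across n_pics PICs."""
    net = ipaddress.ip_network(prefix)
    if slice_len < net.prefixlen:
        raise ValueError("slice must not be shorter than the parent prefix")
    slices = list(net.subnets(new_prefix=slice_len))
    if len(slices) < n_pics:
        raise ValueError("fewer slices than PICs: some PIC would sit idle")
    plan = [[] for _ in range(n_pics)]
    for i, s in enumerate(slices):
        plan[i % n_pics].append(s)
    return plan

def pic_for(plan, address):
    """Index of the PIC whose slices contain address; None if no filter matches."""
    ip = ipaddress.ip_address(address)
    hits = [i for i, sl in enumerate(plan) if any(ip in s for s in sl)]
    if len(hits) > 1:  # can only happen if a plan was edited by hand
        raise ValueError(f"{address} matches more than one service filter")
    return hits[0] if hits else None

def render(plan):
    """Emit service-filter and NAT-rule statements in the form used in the post."""
    out = []
    for i, slices in enumerate(plan, start=1):
        flt, rule, pool = f"SS_PART{i}_FILTER", f"NAT_RULE_{i}", f"POOL_PART{i}"
        for n, s in enumerate(slices):
            t = f"slice{n}"  # term name is made up for this example
            out.append(f"set firewall family inet service-filter {flt} term {t} from source-address {s}")
            out.append(f"set firewall family inet service-filter {flt} term {t} then service")
            out.append(f"set services nat rule {rule} term {t} from source-address {s}")
            out.append(f"set services nat rule {rule} term {t} then translated source-pool {pool}")
            out.append(f"set services nat rule {rule} term {t} then translated translation-type napt-44")
        # catch-all goes last so it is evaluated after every slice term
        out.append(f"set firewall family inet service-filter {flt} term default then skip")
        out.append(f"set services nat rule {rule} match-direction input")
    return out

if __name__ == "__main__":
    plan = assign_slices("10.100.0.0/16", 18, 2)  # four /18 slices over two PICs
    print(f"10.100.0.100 -> PIC index {pic_for(plan, '10.100.0.100')}")
    print("\n".join(render(plan)))
```

With a slice length of 17 and two PICs the plan reproduces the two halves from the post; shorter slices interleave the address space so that uneven address assignment is spread more evenly over the PICs.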