On Wed, Nov 25, 2015 at 7:14 AM, Mike Williams <mike.willi...@comodo.com> wrote:
> Thanks to all those who responded.
> master-only is mostly what I wanted!
>
> Rather confusingly, Juniper do specify setting lo0 per RE.
> https://www.juniper.net/techpubs/en_US/junos12.3/topics/task/configuration/routing-engine-dual-initial-configuration.html
> But then that document also tells you to run "commit synchronise" from
> operational mode.
> A single loopback address works, and both REs have the same system SSH key,
> so no warnings if they switch.
>

On the MX platforms (and the big hardware identical EXes) only the master processes punted packets. tcp/22 (subject to the ddos profiles and firewall filters) gets punted when received on a hardware interface to an lo0 address, there the master RE in the chassis gets to process it. Same path as BGP, OSPF, etc.

"master-only" is thus only necessary (and applicable) to fxp interfaces. You can't ssh to an lo0 address and get a backup RE.

I believe VC EX and QFX behave the same, pushing the inbound packets towards the VC master.

Hope that clears it up a little bit.

> This is broadly what I've got now.
>
> groups {
>     re0 {
>         system {
>             host-name ...-re0;
>         }
>         interfaces {
>             fxp0 {
>                 unit 0 {
>                     family inet {
>                         address 10.22.0.2/24 {
>                             master-only;
>                         }
>                         address 10.22.0.3/24;
>                     }
>                 }
>             }
>         }
>     }
>     re1 {
>         system {
>             host-name ...-re1;
>         }
>         interfaces {
>             fxp0 {
>                 unit 0 {
>                     family inet {
>                         address 10.22.0.2/24 {
>                             master-only;
>                         }
>                         address 10.22.0.4/24;
>                     }
>                 }
>             }
>         }
>     }
> }
> interfaces {
>     lo0 {
>         unit 0 {
>             family inet {
>                 address 10.177.4.2/32;
>             }
>         }
>     }
> }
>
> Thanks
>
> On Tuesday 24 November 2015 21:52:38 Olivier Benghozi wrote:
>> Juniper document provides each RE with its own MANAGEMENT address (on fxp
>> port of each RE), not its own loopback. You configure a single loopback
>> (interface lo0.0).
>>
>> Anyway, about your need, there is:
>> http://www.juniper.net/documentation/en_US/junos15.1/topics/usage-guidelines/interfaces-configuring-a-consistent-management-ip-address.html
>>
>> > On 24 Nov 2015 at 19:07, Mike Williams <mike.willi...@comodo.com> wrote:
>> >
>> > Hi all,
>> >
>> > So we just got our first Juniper devices with dual-REs (if you exclude
>> > virtual chassis).
>> > Before I get into actually configuring them, I'm wondering how others
>> > handle management, as I'm a touch confused.
>> >
>> > Normally we just SSH/SNMP to the loopback address, optionally jumping off
>> > from a device on the same OoB network if routing is down (yes, we should
>> > configure a backup router).
>> >
>> > Juniper document providing each RE with its own loopback address.
>> > If you do that, you'd have to detect if what you're connected to is master
>> > or backup, right?
>> > That might be a necessary trade off. As if you had a single loopback
>> > address, wouldn't the system SSH key change as loopback "moved" between
>> > the REs? Can a 'global' single loopback even be configured?
>> >
>> > Or do dual-RE devices actually work like virtual chassis, where the system
>> > SSH key is the same on all nodes, and connections to the backup are
>> > internally redirected to the master?
>
> --
> Mike Williams
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

--
"Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds."
-- Samuel Butler
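
An added example, not part of the thread and not Juniper tooling: a small Python check that parses a brace-style configuration like the one quoted above and confirms the management layout the thread settles on (the same master-only fxp0 address in both RE groups, distinct per-RE fxp0 addresses, and a single lo0 outside the groups). The function names are hypothetical, the sample is constructed from the addresses in the post, and the parser assumes only the simple statement-and-brace syntax shown there.

```python
import re

# Constructed sample: the fxp0/lo0 layout quoted in the thread, host-names omitted.
SAMPLE = """
groups {
  re0 { interfaces { fxp0 { unit 0 { family inet {
    address 10.22.0.2/24 { master-only; } address 10.22.0.3/24; } } } } }
  re1 { interfaces { fxp0 { unit 0 { family inet {
    address 10.22.0.2/24 { master-only; } address 10.22.0.4/24; } } } } }
}
interfaces { lo0 { unit 0 { family inet { address 10.177.4.2/32; } } } }
"""

def parse(text):
    """Parse brace-style Junos config into nested dicts; leaf statements map to None."""
    root, stack, words = {}, [], []
    node = root
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":            # open a container named by the words seen so far
            stack.append(node)
            node = node.setdefault(" ".join(words), {})
            words = []
        elif tok == ";":          # end of a leaf statement
            node[" ".join(words)] = None
            words = []
        elif tok == "}":          # close the current container
            node = stack.pop()
        else:
            words.append(tok)
    return root

def fxp0_addresses(cfg, group):
    """Return (master_only, per_re) sets of fxp0.0 inet addresses for one RE group."""
    inet = cfg["groups"][group]["interfaces"]["fxp0"]["unit 0"]["family inet"]
    master, own = set(), set()
    for stmt, body in inet.items():
        if stmt.startswith("address "):
            (master if body and "master-only" in body else own).add(stmt.split()[1])
    return master, own

def check_dual_re_mgmt(cfg):
    """Return findings; an empty list means the layout matches the one in the thread."""
    (m0, o0), (m1, o1) = fxp0_addresses(cfg, "re0"), fxp0_addresses(cfg, "re1")
    checks = [
        (not m0 or m0 != m1, "master-only fxp0 address missing or not identical on re0/re1"),
        ((o0 & o1) or ((m0 | m1) & (o0 | o1)), "fxp0 address reused across REs without master-only"),
        ("lo0" not in cfg.get("interfaces", {}), "no single lo0 configured outside the RE groups"),
    ]
    return [msg for failed, msg in checks if failed]
```
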