Re: [j-nsp] VMX to VMX traffic on ESXi
No I didn't clone the VMs. I did 2 fresh installs from the same juniper image. You can see in my outputs that the MACs are different. Everything is working now that I've applied the license.

-Serge

On Mon, Mar 21, 2016 at 5:41 PM, Eduardo Schoedler wrote:

> Did you clone the VM? Did you change the mac-address?
>
> --
> Eduardo Schoedler
>
> 2016-03-21 16:32 GMT-03:00 serge vautour:
> > Hello,
> >
> > Thanks to everyone who replied with suggestions.
> >
> > I did not have any licenses installed. Oddly enough VMX2 was showing:
> >
> > user@LabVMX2> show pfe statistics traffic bandwidth
> > Configured Bandwidth : 100 bps
> > Bandwidth: 0 bps
> > Average Bandwidth: 339 bps
> >
> > This explains why VMX1 could receive traffic from VMX2. VMX1 had:
> >
> > user@LabVMX1> show pfe statistics traffic bandwidth
> > Configured Bandwidth : 0 bps
> > Bandwidth: 0 bps
> > Average Bandwidth: 0 bps
> >
> > This is very strange considering I created both VMX from the same install file and they have near identical configs!?!
> >
> > Anyway I downloaded a 60 trial license from the Juniper web site and installed on both. Everything is now working as expected.
> >
> > Thanks,
> > Serge
> >
> > On Sun, Mar 20, 2016 at 8:13 AM, Raphael Mazelier wrote:
> >
> >> I have got some strange problem with vmx on vmware.
> >> First double check if all our vswitch are in promiscuous mode.
> >> Check also if you use vxnet or e1000 type of interface, I've got erratic problems with vxnet, and gave up with it.
> >> Check the mac address mapping, and finally check if you have proper license installed ;) (I've spent one hour to find why one of my test vmx does not anymore, before I found that the license have expired...)
> >>
> >> --
> >> Raphael Mazelier
> >>
> >> On 18/03/2016 21:49, serge vautour wrote:
> >>
> >>> Hello,
> >>>
> >>> I haven't had any replies in the Juniper VMX forum so I thought I'd try here:
> >>>
> >>> I have setup 2 VMX (each with a VCP & VPFE) on one ESXi host using Junos VMX 15.1F4. Each VMX seems to be working fine on its own. I can remotely access the fxp0 interface.
> >>>
> >>> I created a dedicated vswitch with promiscuous mode on for the GE interface. I used this vswitch for the 3rd NIC on each VPFE. I did not attach any physical NICs to the vswitch as I only want to use it for VMX-VMX traffic. Each VMX sees all 8 GE with ge-0/0/0 being up. I configure:
> >>>
> >>> user@LabVMX1> show configuration interfaces ge-0/0/0
> >>> description "Link to VMX2 ge-0/0/0";
> >>> unit 0 {
> >>>     family inet {
> >>>         address 10.5.5.0/31;
> >>>     }
> >>> }
> >>>
> >>> user@LabVMX2> show configuration interfaces ge-0/0/0
> >>> description "Link to VMX1 ge-0/0/0";
> >>> unit 0 {
> >>>     family inet {
> >>>         address 10.5.5.1/31;
> >>>     }
> >>> }
> >>>
> >>> I also added OSPF to each interface. VMX1 seems to work fine. It shows in/out traffic. VMX2 only shows outbound traffic.
> >>>
> >>> Using "monitor traffic interface ge-0/0/0" command I see:
> >>>
> >>> VMX1:
> >>>
> >>> 14:56:57.489954 In IP 10.5.5.1 > 224.0.0.5: OSPFv2, Hello, length 56
> >>> 14:57:02.079691 Out IP truncated-ip - 20 bytes missing! 10.5.5.0 > 224.0.0.5: OSPFv2, Hello, length 60
> >>>
> >>> VMX2:
> >>> 14:57:48.925035 Out IP truncated-ip - 16 bytes missing! 10.5.5.1 > 224.0.0.5: OSPFv2, Hello, length 56
> >>> 14:57:58.487367 Out IP truncated-ip - 16 bytes missing! 10.5.5.1 > 224.0.0.5: OSPFv2, Hello, length 56
> >>>
> >>> VMX1 arp cache:
> >>>
> >>> 00:0c:29:a7:e9:09 10.5.5.1 ge-0/0/0.0 none
> >>>
> >>> VMX2 arp cache is empty.
> >>>
> >>> I never see any inbound packets on VMX2. I've tried ping same result. I thought this might be a broadcast/multicast problem so I tried configuring static arp entries and then did a ping but this didn't help.
> >>>
> >>> Any help would be appreciated.
> >>>
> >>> Thanks,
> >>> Serge
>
> --
> Eduardo Schoedler

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] VMX to VMX traffic on ESXi
Did you clone the VM? Did you change the mac-address?

--
Eduardo Schoedler

2016-03-21 16:32 GMT-03:00 serge vautour:

> Hello,
>
> Thanks to everyone who replied with suggestions.
>
> I did not have any licenses installed. Oddly enough VMX2 was showing:
>
> user@LabVMX2> show pfe statistics traffic bandwidth
> Configured Bandwidth : 100 bps
> Bandwidth: 0 bps
> Average Bandwidth: 339 bps
>
> This explains why VMX1 could receive traffic from VMX2. VMX1 had:
>
> user@LabVMX1> show pfe statistics traffic bandwidth
> Configured Bandwidth : 0 bps
> Bandwidth: 0 bps
> Average Bandwidth: 0 bps
>
> This is very strange considering I created both VMX from the same install file and they have near identical configs!?!
>
> Anyway I downloaded a 60 trial license from the Juniper web site and installed on both. Everything is now working as expected.
>
> Thanks,
> Serge
>
> On Sun, Mar 20, 2016 at 8:13 AM, Raphael Mazelier wrote:
>
>> I have got some strange problem with vmx on vmware.
>> First double check if all our vswitch are in promiscuous mode.
>> Check also if you use vxnet or e1000 type of interface, I've got erratic problems with vxnet, and gave up with it.
>> Check the mac address mapping, and finally check if you have proper license installed ;) (I've spent one hour to find why one of my test vmx does not anymore, before I found that the license have expired...)
>>
>> --
>> Raphael Mazelier
>>
>> On 18/03/2016 21:49, serge vautour wrote:
>>
>>> Hello,
>>>
>>> I haven't had any replies in the Juniper VMX forum so I thought I'd try here:
>>>
>>> I have setup 2 VMX (each with a VCP & VPFE) on one ESXi host using Junos VMX 15.1F4. Each VMX seems to be working fine on its own. I can remotely access the fxp0 interface.
>>>
>>> I created a dedicated vswitch with promiscuous mode on for the GE interface. I used this vswitch for the 3rd NIC on each VPFE. I did not attach any physical NICs to the vswitch as I only want to use it for VMX-VMX traffic. Each VMX sees all 8 GE with ge-0/0/0 being up. I configure:
>>>
>>> user@LabVMX1> show configuration interfaces ge-0/0/0
>>> description "Link to VMX2 ge-0/0/0";
>>> unit 0 {
>>>     family inet {
>>>         address 10.5.5.0/31;
>>>     }
>>> }
>>>
>>> user@LabVMX2> show configuration interfaces ge-0/0/0
>>> description "Link to VMX1 ge-0/0/0";
>>> unit 0 {
>>>     family inet {
>>>         address 10.5.5.1/31;
>>>     }
>>> }
>>>
>>> I also added OSPF to each interface. VMX1 seems to work fine. It shows in/out traffic. VMX2 only shows outbound traffic.
>>>
>>> Using "monitor traffic interface ge-0/0/0" command I see:
>>>
>>> VMX1:
>>>
>>> 14:56:57.489954 In IP 10.5.5.1 > 224.0.0.5: OSPFv2, Hello, length 56
>>> 14:57:02.079691 Out IP truncated-ip - 20 bytes missing! 10.5.5.0 > 224.0.0.5: OSPFv2, Hello, length 60
>>>
>>> VMX2:
>>> 14:57:48.925035 Out IP truncated-ip - 16 bytes missing! 10.5.5.1 > 224.0.0.5: OSPFv2, Hello, length 56
>>> 14:57:58.487367 Out IP truncated-ip - 16 bytes missing! 10.5.5.1 > 224.0.0.5: OSPFv2, Hello, length 56
>>>
>>> VMX1 arp cache:
>>>
>>> 00:0c:29:a7:e9:09 10.5.5.1 ge-0/0/0.0 none
>>>
>>> VMX2 arp cache is empty.
>>>
>>> I never see any inbound packets on VMX2. I've tried ping same result. I thought this might be a broadcast/multicast problem so I tried configuring static arp entries and then did a ping but this didn't help.
>>>
>>> Any help would be appreciated.
>>>
>>> Thanks,
>>> Serge

--
Eduardo Schoedler
Re: [j-nsp] VMX to VMX traffic on ESXi
Hello,

Thanks to everyone who replied with suggestions.

I did not have any licenses installed. Oddly enough VMX2 was showing:

user@LabVMX2> show pfe statistics traffic bandwidth
Configured Bandwidth : 100 bps
Bandwidth: 0 bps
Average Bandwidth: 339 bps

This explains why VMX1 could receive traffic from VMX2. VMX1 had:

user@LabVMX1> show pfe statistics traffic bandwidth
Configured Bandwidth : 0 bps
Bandwidth: 0 bps
Average Bandwidth: 0 bps

This is very strange considering I created both VMX from the same install file and they have near identical configs!?!

Anyway I downloaded a 60 trial license from the Juniper web site and installed on both. Everything is now working as expected.

Thanks,
Serge

On Sun, Mar 20, 2016 at 8:13 AM, Raphael Mazelier wrote:

> I have got some strange problem with vmx on vmware.
> First double check if all our vswitch are in promiscuous mode.
> Check also if you use vxnet or e1000 type of interface, I've got erratic problems with vxnet, and gave up with it.
> Check the mac address mapping, and finally check if you have proper license installed ;) (I've spent one hour to find why one of my test vmx does not anymore, before I found that the license have expired...)
>
> --
> Raphael Mazelier
>
> On 18/03/2016 21:49, serge vautour wrote:
>
>> Hello,
>>
>> I haven't had any replies in the Juniper VMX forum so I thought I'd try here:
>>
>> I have setup 2 VMX (each with a VCP & VPFE) on one ESXi host using Junos VMX 15.1F4. Each VMX seems to be working fine on its own. I can remotely access the fxp0 interface.
>>
>> I created a dedicated vswitch with promiscuous mode on for the GE interface. I used this vswitch for the 3rd NIC on each VPFE. I did not attach any physical NICs to the vswitch as I only want to use it for VMX-VMX traffic. Each VMX sees all 8 GE with ge-0/0/0 being up. I configure:
>>
>> user@LabVMX1> show configuration interfaces ge-0/0/0
>> description "Link to VMX2 ge-0/0/0";
>> unit 0 {
>>     family inet {
>>         address 10.5.5.0/31;
>>     }
>> }
>>
>> user@LabVMX2> show configuration interfaces ge-0/0/0
>> description "Link to VMX1 ge-0/0/0";
>> unit 0 {
>>     family inet {
>>         address 10.5.5.1/31;
>>     }
>> }
>>
>> I also added OSPF to each interface. VMX1 seems to work fine. It shows in/out traffic. VMX2 only shows outbound traffic.
>>
>> Using "monitor traffic interface ge-0/0/0" command I see:
>>
>> VMX1:
>>
>> 14:56:57.489954 In IP 10.5.5.1 > 224.0.0.5: OSPFv2, Hello, length 56
>> 14:57:02.079691 Out IP truncated-ip - 20 bytes missing! 10.5.5.0 > 224.0.0.5: OSPFv2, Hello, length 60
>>
>> VMX2:
>> 14:57:48.925035 Out IP truncated-ip - 16 bytes missing! 10.5.5.1 > 224.0.0.5: OSPFv2, Hello, length 56
>> 14:57:58.487367 Out IP truncated-ip - 16 bytes missing! 10.5.5.1 > 224.0.0.5: OSPFv2, Hello, length 56
>>
>> VMX1 arp cache:
>>
>> 00:0c:29:a7:e9:09 10.5.5.1 ge-0/0/0.0 none
>>
>> VMX2 arp cache is empty.
>>
>> I never see any inbound packets on VMX2. I've tried ping same result. I thought this might be a broadcast/multicast problem so I tried configuring static arp entries and then did a ping but this didn't help.
>>
>> Any help would be appreciated.
>>
>> Thanks,
>> Serge
Re: [j-nsp] Leaking from a vrf to inet0
On 21/03/2016 18:12, Raphael Mazelier wrote:

> Wow, looks nice. I will give it a try. Can I specify a policy in the rib-groups ?

So tested and nope. I will stick with my strange (but working config) configuration.

--
Raphael Mazelier
Re: [j-nsp] Leaking from a vrf to inet0
On 21/03/2016 17:21, chip wrote:

> Hi Raphael,
>
> If I'm understanding what you want correctly you can use rib-groups to do this.
>
> routing-options {
>     rib-groups {
>         FROM-VRF-TO-GLOBAL {
>             import-rib [ SOURCE-VRF inet.0 ];
>             import-policy WHATEVER-POLICY-YOU-WANT;
>         }
>     }
> }

Nope, this didn't work in this case (mp-bgp learned route to inet.0).

--
Raphael Mazelier
Re: [j-nsp] Leaking from a vrf to inet0
On Mon, Mar 21, 2016 at 06:12:57PM +0100, Raphael Mazelier wrote:

> On 21/03/2016 18:06, Daniel Dobrijałowski wrote:
>
> > Use auto-export and rib-groups together:
> > http://www.juniper.net/documentation/en_US/junos15.1/topics/example/vpn-overlapping-vpns-using-automatic-route-export-configuring.html
> > See "Configuring Overlapping VPNs and Additional Tables" section.
> >
> > Remember to read the last paragraph in that section, because usage of import-rib is not standard (primary table is not listed).
> >
> > It's very nice feature - you don't have to think about how you've received routes (interface, static, BGP, MP-BGP, IGP) and leak them all using single policy in rib-group declaration.
>
> Wow, looks nice. I will give it a try. Can I specify a policy in the rib-groups ?

Yes, you can. I've tested it in 11.4R7.5 - works fine in a few l3vpns since 2013.

--
Regards
Daniel "orcus" Dobrijałowski
Wrocławskie Centrum Sieciowo-Superkomputerowe
Re: [j-nsp] Leaking from a vrf to inet0
On 21/03/2016 18:06, Daniel Dobrijałowski wrote:

> Use auto-export and rib-groups together:
> http://www.juniper.net/documentation/en_US/junos15.1/topics/example/vpn-overlapping-vpns-using-automatic-route-export-configuring.html
> See "Configuring Overlapping VPNs and Additional Tables" section.
>
> Remember to read the last paragraph in that section, because usage of import-rib is not standard (primary table is not listed).
>
> It's very nice feature - you don't have to think about how you've received routes (interface, static, BGP, MP-BGP, IGP) and leak them all using single policy in rib-group declaration.

Wow, looks nice. I will give it a try. Can I specify a policy in the rib-groups ?

--
Raphael Mazelier
Re: [j-nsp] Leaking from a vrf to inet0
> set routing-instances INTERNET protocols bgp family inet unicast rib-group INTERNET-to-MAIN-UCAST
> set routing-instances INTERNET protocols bgp family inet6 unicast rib-group INTERNET-to-MAIN-UCAST6
> set routing-options rib-groups INTERNET-to-MAIN-UCAST import-rib INTERNET.inet.0
> set routing-options rib-groups INTERNET-to-MAIN-UCAST import-rib inet.0
> set routing-options rib-groups INTERNET-to-MAIN-UCAST6 import-rib INTERNET.inet6.0
> set routing-options rib-groups INTERNET-to-MAIN-UCAST6 import-rib inet6.0

Mhm I have just tested and it does not work this way for me.
Here a snippet of my conf :

rib-groups {
    internet-to-inet0 {
        import-rib [ internet.inet.0 inet.0 ];
        import-policy ipv4-internet-out;
    }
}

and in the vrf 'internet' :

protocols {
    bgp {
        group ibgp-internal {
            type internal;
            family inet {
                unicast {
                    rib-group internet-to-inet0;
                }
            }
            neighbor x.x.x.x;
        }
    }
}

without the neighbor knob activated, the pfx are not leaked.

--
Raphael Mazelier
Re: [j-nsp] Leaking from a vrf to inet0
Hi,

On Mon, Mar 21, 2016 at 05:04:35PM +0100, Raphael Mazelier wrote:

> - advertise twice the route in family inet in addition to inet-vpn, in order to leak it with rib-group (since rib-group only work when pfx is in a primary table)
> This last solution seems to be the less manual (I don't want to make config for each pfx) but seems tricky/ugly.
> I got a working setup with these but definitively looks weird.

Use auto-export and rib-groups together:
http://www.juniper.net/documentation/en_US/junos15.1/topics/example/vpn-overlapping-vpns-using-automatic-route-export-configuring.html
See "Configuring Overlapping VPNs and Additional Tables" section.

Remember to read the last paragraph in that section, because usage of import-rib is not standard (primary table is not listed).

It's very nice feature - you don't have to think about how you've received routes (interface, static, BGP, MP-BGP, IGP) and leak them all using single policy in rib-group declaration.

--
Best Regards
Daniel "orcus" Dobrijalowski
WCSS
Re: [j-nsp] Leaking from a vrf to inet0
On Mon, Mar 21, 2016 at 05:04:35PM +0100, Raphael Mazelier wrote:

> I am currently evaluating how to migrate the internet dmz, and the public pfx of my customers into VRF.
> During the migration phase I have to leak pfx from vrf to the global table.
> Don't ask why, but I cannot do the leaking on the PE-CE side as it should normally occur.
> So I want to do leaking on the remote PE from pfx learned via mp-bgp on the vrf to the global, and afaik it is not possible directly.
>
> I know that this topic have been discussed before, but if someone have some hints on how to do this the cleanest way possible.

You can use rib-groups to do this.

> - advertise twice the route in family inet in addition to inet-vpn, in order to leak it with rib-group (since rib-group only work when pfx is in a primary table)

I don't think this is true. I'm doing this and it works.

set routing-instances INTERNET protocols bgp family inet unicast rib-group INTERNET-to-MAIN-UCAST
set routing-instances INTERNET protocols bgp family inet6 unicast rib-group INTERNET-to-MAIN-UCAST6
set routing-options rib-groups INTERNET-to-MAIN-UCAST import-rib INTERNET.inet.0
set routing-options rib-groups INTERNET-to-MAIN-UCAST import-rib inet.0
set routing-options rib-groups INTERNET-to-MAIN-UCAST6 import-rib INTERNET.inet6.0
set routing-options rib-groups INTERNET-to-MAIN-UCAST6 import-rib inet6.0
Re: [j-nsp] Leaking from a vrf to inet0
Hi Raphael,

If I'm understanding what you want correctly you can use rib-groups to do this.

routing-options {
    rib-groups {
        FROM-VRF-TO-GLOBAL {
            import-rib [ SOURCE-VRF inet.0 ];
            import-policy WHATEVER-POLICY-YOU-WANT;
        }
    }
}

see:
http://forums.juniper.net/t5/TheRoutingChurn/Using-rib-groups-or-auto-export-for-route-leaking/ba-p/202349
http://kb.juniper.net/InfoCenter/index?page=content=kb16133=search

--chip

On Mon, Mar 21, 2016 at 12:04 PM, Raphael Mazelier wrote:

> Hello,
>
> I am currently evaluating how to migrate the internet dmz, and the public pfx of my customers into VRF.
> During the migration phase I have to leak pfx from vrf to the global table.
> Don't ask why, but I cannot do the leaking on the PE-CE side as it should normally occur.
> So I want to do leaking on the remote PE from pfx learned via mp-bgp on the vrf to the global, and afaik it is not possible directly.
>
> I know that this topic have been discussed before, but if someone have some hints on how to do this the cleanest way possible.
>
> Options I found in old threads are :
> - use static routes with next-table (tested and work but completely manual)
> - use a lt interface between global and vrf (and use some routing protocol ?)
> - advertise twice the route in family inet in addition to inet-vpn, in order to leak it with rib-group (since rib-group only work when pfx is in a primary table)
>
> This last solution seems to be the less manual (I don't want to make config for each pfx) but seems tricky/ugly.
> I got a working setup with these but definitively looks weird.
>
> What are your opinions/hints ?
>
> --
> Raphael Mazelier

--
Just my $.02, your mileage may vary, batteries not included, etc
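Added example (not from any poster in this thread): the rib-group posted in set format above lists inet.0 as a secondary table with no import-policy, so nothing filters what is copied out of the VRF into the global table, while the curly-brace variant names a policy. This Python sketch audits set-style configuration for that case; the LEAK-FILTERED and VRF-ONLY groups and the policy name LEAK-ONLY-PUBLIC are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample. The INTERNET-to-MAIN-UCAST lines mirror the thread;
# LEAK-FILTERED, VRF-ONLY and LEAK-ONLY-PUBLIC are hypothetical names.
SAMPLE = """\
set routing-instances INTERNET protocols bgp family inet unicast rib-group INTERNET-to-MAIN-UCAST
set routing-options rib-groups INTERNET-to-MAIN-UCAST import-rib INTERNET.inet.0
set routing-options rib-groups INTERNET-to-MAIN-UCAST import-rib inet.0
set routing-options rib-groups LEAK-FILTERED import-rib [ INTERNET.inet.0 inet.0 ]
set routing-options rib-groups LEAK-FILTERED import-policy LEAK-ONLY-PUBLIC
set routing-options rib-groups VRF-ONLY import-rib A.inet.0
set routing-options rib-groups VRF-ONLY import-rib B.inet.0
"""

GLOBAL_TABLES = {"inet.0", "inet6.0"}
RIB_GROUP = re.compile(
    r"^set routing-options rib-groups (\S+) (import-rib|import-policy) (.+)$")
APPLIED = re.compile(r"^set routing-instances (\S+) .*\brib-group (\S+)$")


def parse(config):
    """Collect rib-group definitions and the instances that reference them."""
    groups = defaultdict(lambda: {"ribs": [], "policies": []})
    applied_in = defaultdict(set)
    for raw in config.splitlines():
        line = raw.strip()
        m = RIB_GROUP.match(line)
        if m:
            name, knob, value = m.groups()
            # Accept one table per line as well as the bracketed list form.
            items = value.replace("[", " ").replace("]", " ").split()
            groups[name]["ribs" if knob == "import-rib" else "policies"] += items
            continue
        m = APPLIED.match(line)
        if m:
            applied_in[m.group(2)].add(m.group(1))
    return groups, applied_in


def audit(config):
    """Return rib-groups that copy routes into a global table unfiltered."""
    groups, applied_in = parse(config)
    findings = []
    for name in sorted(groups):
        ribs, policies = groups[name]["ribs"], groups[name]["policies"]
        # The first import-rib entry is the primary table; the remaining
        # entries are secondary tables that receive copies of its routes.
        leaked_into = [t for t in ribs[1:] if t in GLOBAL_TABLES]
        if leaked_into and not policies:
            findings.append({
                "rib_group": name,
                "primary": ribs[0],
                "global_tables": leaked_into,
                "instances": sorted(applied_in[name]),
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['rib_group']}: {f['primary']} -> {', '.join(f['global_tables'])} "
              f"without import-policy (applied in: {', '.join(f['instances']) or 'none seen'})")
```

A group whose primary table is inet.0 is not flagged, since that copies global routes into the VRF rather than the reverse.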
[j-nsp] Leaking from a vrf to inet0
Hello,

I am currently evaluating how to migrate the internet dmz, and the public pfx of my customers into VRF.
During the migration phase I have to leak pfx from vrf to the global table.
Don't ask why, but I cannot do the leaking on the PE-CE side as it should normally occur.
So I want to do leaking on the remote PE from pfx learned via mp-bgp on the vrf to the global, and afaik it is not possible directly.

I know that this topic have been discussed before, but if someone have some hints on how to do this the cleanest way possible.

Options I found in old threads are :
- use static routes with next-table (tested and work but completely manual)
- use a lt interface between global and vrf (and use some routing protocol ?)
- advertise twice the route in family inet in addition to inet-vpn, in order to leak it with rib-group (since rib-group only work when pfx is in a primary table)

This last solution seems to be the less manual (I don't want to make config for each pfx) but seems tricky/ugly.
I got a working setup with these but definitively looks weird.

What are your opinions/hints ?

--
Raphael Mazelier