Re: [j-nsp] EX4550 L2Circuit/VPN to MX80/lt Interface / Errata / Update
Agreed on cheaper switch. High end EX series seems a bit different tought. Some big IX (Linx, FranceIX) run with vpls topologies on EX9200 series (with some issues :) ). Rectification: Linx does not use EX9200 switches but high end PTX 5000 switches. FranceIX use EX9200 switches. Sorry for the mistake (this is pulicly available informations) They both use VPLS but the design slighly differ. Update : Finally the VPLS issue on the France-IX seems to be fixed (with the help of the jtac). No problem since the new release was in production. -- Raphael Mazelier AS39605 ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX4550 L2Circuit/VPN to MX80/lt Interface SOLVED
So to end this thread with some kind of success :)
And to sum up what work and what didn't.
So basic l2circuit (CCC/Ldp signaling) between my EX and MX with lt
interface finally work with a config as simple as :
EX side :
ge-0/0/10 {
encapsulation ethernet-ccc;
unit 0 {
family ccc;
}
}
l2circuit {
neighbor 10.10.176.10 {
interface ge-0/0/10.0 {
virtual-circuit-id 10666;
no-control-word;
}
}
}
MX side :
lt-1/1/10 {
unit 0 {
encapsulation ethernet-ccc;
peer-unit 1;
family ccc;
}
unit 1 {
encapsulation ethernet;
peer-unit 0;
family inet {
address 10.1.1.6/24;
}
}
}
l2circuit {
neighbor 10.10.176.13 {
interface lt-1/1/10.0 {
virtual-circuit-id 10666;
no-control-word;
}
}
}
What's wrong with my EX was the interco between the EX and the next core
router. When It was tagged everything work (ISIS, MBGP, LDP, L3VPN),
except the l2circuit ?!
Even if it was a bad idea to use tagged interco it's a bit surprising
(and remember the original idea was to backhaul transit customer to core
with vlan).
Little experiment with EX4550 give me also some result I can share :
- l2circuit with vlan-ccc encapsulation work as well, but with a liltte
trick in the interface configuration on the ex-side (unless the
l2circuit report Encapsultion Invalid) ex :
ge-0/0/10 {
encapsulation vlan-ccc;
vlan-tagging;
unit 66 {
encapsulation vlan-ccc; this is redundant but needed
vland-id 66;
family ccc;
}
}
- connections ccc (rsvp based) seems to works as well, but I don't want
to use rsvp in my network by now.
- l2vpn ccc (bgp signalling) didn't work on EX, configuration passed
with ethernet-ccc encapsulation, not vlan-ccc so I think it was not
supported. This is uncool since I think it was the better approach.
Anyway the cool thing with l2circuit is that there was inter operable
with other vendor.
- vpls didn't work at all on EX4550 (but that's clear on the specsheat)
- l3vpn is quite limited in term of routing instance and route, but work.
Another things I try is to separate fib/rib to show how much route an
ex4550 can manage in his rib. OK I know this is bad idea :)
The answer is 300K route approx before rpd crash.
So no full view, even only in RIB.
After all this cheap switch was making his job. Good value for money.
Thks for all.
--
Raphael Mazelier
AS39605
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX4550 L2Circuit/VPN to MX80/lt Interface
Le 13/11/14 01:29, Chip Gwyn a écrit : I was using RSVP at the time, sorry I left that part out. If you're getting one-way traffic it might be that one of the LSPs isn't up. --chip That's it but I wonder why ? EX side : rancid@sr-dc2-01# run show mpls lsp Ingress LSP: 1 sessions To FromState Rt P ActivePath LSPname 192.58.176.10 192.58.176.13 Up 0 * from-ex-to-mx Total 1 displayed, Up 1, Down 0 Egress LSP: 1 sessions To FromState Rt Style Labelin Labelout LSPname 192.58.176.13 192.58.176.10 Up 0 1 FF 300304- from-mx-to-ex Total 1 displayed, Up 1, Down 0 rancid@sr-dc2-01# run ping mpls rsvp from-ex-to-mx ! --- lsping statistics --- 5 packets transmitted, 5 packets received, 0% packet loss So it's OK this way. MX side : rancid@cr-dc2-01# run show mpls lsp Ingress LSP: 1 sessions To FromState Rt P ActivePath LSPname 192.58.176.13 192.58.176.10 Up 0 * from-mx-to-ex Total 1 displayed, Up 1, Down 0 Egress LSP: 1 sessions To FromState Rt Style Labelin Labelout LSPname 192.58.176.10 192.58.176.13 Up 0 1 FF 300176- from-ex-to-mx Total 1 displayed, Up 1, Down 0 Transit LSP: 0 sessions Total 0 displayed, Up 0, Down 0 rancid@cr-dc2-01# run ping mpls rsvp from-mx-to-ex . --- lsping statistics --- 5 packets transmitted, 0 packets received, 100% packet loss What could be missing ? Here is my config : http://pastebin.com/bHP9FFsp Thks. -- Raphael Mazelier ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX4550 L2Circuit/VPN to MX80/lt Interface
Le 11/11/2014 21:08, Karl Brumund - lists a écrit : EX (and QFX) have limited MPLS capabilities. The data sheet is rather optimistic about the capabilities, and a bit misleading about such things as route limits Expecting a cheap switch with merchant silicon to do the same as an expensive MX with custom ASICs is asking for trouble. Seriously, just do L2. Customer port is access, MX80 is trunked. You’re just asking for trouble with MPLS and L2VPN. Much of the same opinion, from quite recent exposure. Cheers, mh Agreed on cheaper switch. High end EX series seems a bit different tought. Some big IX (Linx, FranceIX) run with vpls topologies on EX9200 series (with some issues :) ). Anyway. Redesigning my network at this stage might be challenging. I will try to let this work, and think about a new design in //. Thks. -- Raphael Mazelier ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX4550 L2Circuit/VPN to MX80/lt Interface
Le 12/11/2014 12:11, Raphael Mazelier a écrit : Le 11/11/2014 21:08, Karl Brumund - lists a écrit : EX (and QFX) have limited MPLS capabilities. The data sheet is rather optimistic about the capabilities, and a bit misleading about such things as route limits Expecting a cheap switch with merchant silicon to do the same as an expensive MX with custom ASICs is asking for trouble. Seriously, just do L2. Customer port is access, MX80 is trunked. You’re just asking for trouble with MPLS and L2VPN. Much of the same opinion, from quite recent exposure. Cheers, mh Agreed on cheaper switch. High end EX series seems a bit different tought. Some big IX (Linx, FranceIX) run with vpls topologies on EX9200 series (with some issues :) ). Yep, the higher end ones have richer spec's, right. Anyway. Redesigning my network at this stage might be challenging. I will try to let this work, and think about a new design in //. I know. Maybe Chip's way? TTYS, mh Thks. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX4550 L2Circuit/VPN to MX80/lt Interface
On Nov 12, 2014, at 7:34 AM, Michael Hallgren m.hallg...@free.fr wrote: Le 12/11/2014 12:11, Raphael Mazelier a écrit : Le 11/11/2014 21:08, Karl Brumund - lists a écrit : EX (and QFX) have limited MPLS capabilities. The data sheet is rather optimistic about the capabilities, and a bit misleading about such things as route limits Expecting a cheap switch with merchant silicon to do the same as an expensive MX with custom ASICs is asking for trouble. Seriously, just do L2. Customer port is access, MX80 is trunked. You’re just asking for trouble with MPLS and L2VPN. Much of the same opinion, from quite recent exposure. Cheers, mh Agreed on cheaper switch. High end EX series seems a bit different tought. Some big IX (Linx, FranceIX) run with vpls topologies on EX9200 series (with some issues :) ). Yep, the higher end ones have richer spec's, right. They are still limited. Merchant silicon. Not even close to MX capabilities. Proceed with caution. We tried using them as full PEs in $previous_job and it was just trouble. Limited routes, can’t leak connected routes to another RI, and basically dead when J killed the next-gen cards. Good, fast, cheap. Pick any 2. And on a bad day, you’re lucky to get one. Anyway. Redesigning my network at this stage might be challenging. I will try to let this work, and think about a new design in //. I know. Maybe Chip's way? As Randy Bush said, “I strongly encourage all of my competitors to do the above. TTYS, mh Thks. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX4550 L2Circuit/VPN to MX80/lt Interface
On Wednesday, November 12, 2014 04:44:21 PM Karl Brumund - lists wrote: They are still limited. Merchant silicon. Not even close to MX capabilities. Proceed with caution. We tried using them as full PEs in $previous_job and it was just trouble. Limited routes, can’t leak connected routes to another RI, and basically dead when J killed the next-gen cards. Good, fast, cheap. Pick any 2. And on a bad day, you’re lucky to get one. If you're trying to make a router out of something that looks like a switch, the Cisco ME3600X is hard to beat. Brocade's NetIron's were very promising when I last tested them. ALU have a good product, but hardware layout is still an issue for me in this space. Juniper have continued to come short in this area. And no, the ACX doesn't cut it. Mark. signature.asc Description: This is a digitally signed message part. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX4550 L2Circuit/VPN to MX80/lt Interface
On Wed, Nov 12, 2014 at 10:04 AM, Mark Tinka mark.ti...@seacom.mu wrote: If you're trying to make a router out of something that looks like a switch, the Cisco ME3600X is hard to beat. ME3600X is wonderful, but very expensive once you get the full feature set. We are waiting (rather impatiently at this point) for our first ASR920 to arrive to test out. This is supposed to be the replacement for the ME3400, but with MPLS. It fits us nicer than the ME3600X, as the footprint is much smaller and there are various models for port density. ALU have a good product, but hardware layout is still an issue for me in this space. Odd - we tried to engage ALU and they said all their gear is layer-2 only. They were supposed to come to our office for a meet-and-greet, but never came. This is the second time we've tried to engage them with no success. Guess they are not interested in our business. Juniper have continued to come short in this area. And no, the ACX doesn't cut it. Agreed. ACX is just not there. It baffles me why Juniper has left this market untapped. The mid-range MX is just too expensive and too big for our deployments and the lack of LSR functionality in the EX won't work for us. Now, to get back on topic: OP - we have some L2circuits on LT interfaces, but not with an EX on the other end. Is there any way you can try this by hairpinning a couple of GE ports on the MX80? Also, what's the reason behind using 'l2vpn' instead of 'l2circuit'? I see you are using private addressing on your interface - is there any chance that there are blanket filters applied to your interface using configuration groups or perhaps a forwarding table filter to prevent 1918 space from traversing your network? Mark. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX4550 L2Circuit/VPN to MX80/lt Interface
Le 11/11/14 22:29, chip a écrit : http://pastebin.com/YYfHk9M2 That should get you. *Caveats apply* but it does work =) --chip Thks you chip. With your configuration I've made some progress. Now I've got some arp replies on the CE connected to the EX : 2.1.1.5 2.1.1.6: ICMP echo request, id 26654, seq 11, length 64 17:42:39.031721 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 2.1.1.5 tell 2.1.1.6, length 46 17:42:39.031731 ARP, Ethernet (len 6), IPv4 (len 4), Reply 2.1.1.5 is-at 78:2b:cb:28:2d:55, length 28 The lt mac is correctly learn on the CE. But for one reason or another the mac address of the ce is not learn on the mx80 side ?! I'm just out of luck for this setup :( -- Raphael Mazelier ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX4550 L2Circuit/VPN to MX80/lt Interface
There is a line missing on MX side: set interfaces lt-0/0/0.0 family ccc Thanks Alex 12/11/2014 16:51, Raphael Mazelier wrote: Le 11/11/14 22:29, chip a écrit : http://pastebin.com/YYfHk9M2 That should get you. *Caveats apply* but it does work =) --chip Thks you chip. With your configuration I've made some progress. Now I've got some arp replies on the CE connected to the EX : 2.1.1.5 2.1.1.6: ICMP echo request, id 26654, seq 11, length 64 17:42:39.031721 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 2.1.1.5 tell 2.1.1.6, length 46 17:42:39.031731 ARP, Ethernet (len 6), IPv4 (len 4), Reply 2.1.1.5 is-at 78:2b:cb:28:2d:55, length 28 The lt mac is correctly learn on the CE. But for one reason or another the mac address of the ce is not learn on the mx80 side ?! I'm just out of luck for this setup :( ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX4550 L2Circuit/VPN to MX80/lt Interface
On Wednesday, November 12, 2014 05:38:54 PM Eric Van Tol wrote: ME3600X is wonderful, but very expensive once you get the full feature set. Agree. We are waiting (rather impatiently at this point) for our first ASR920 to arrive to test out. This is supposed to be the replacement for the ME3400, but with MPLS. It fits us nicer than the ME3600X, as the footprint is much smaller and there are various models for port density. Interesting. I'm speaking with the SPAG BU on this platform, to see where it falls short of (or outperforms) the ME3600X/3800X. Odd - we tried to engage ALU and they said all their gear is layer-2 only. They were supposed to come to our office for a meet-and-greet, but never came. This is the second time we've tried to engage them with no success. Guess they are not interested in our business. ALU have some pretty good routers, actually. Their 7xxx series routers and switches are up there with the best. In fact, I find their subscriber management solutions to be quite interesting compared to Cisco and Juniper. I did some testing at their lab in Antwerp a few months ago, and was mighty impressed with some of the work they've done in mobile to wi-fi hand-off. Very good boxes and solutions, to be honest. It's just that in the metro, they still don't have anything close to the ME3600X (or ASR920). Agreed. ACX is just not there. It baffles me why Juniper has left this market untapped. The mid-range MX is just too expensive and too big for our deployments and the lack of LSR functionality in the EX won't work for us. Back when the MX80 was launching (c. 2009), I was speaking to the Juniper folk heading the project, and they promised a 1U MX80 with 20x or 40x Gig-E ports, and 2x or 4x 10Gbps uplinks, with all MX software features. How I still wish for such a box. Mark. signature.asc Description: This is a digitally signed message part. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX4550 L2Circuit/VPN to MX80/lt Interface
Le 12/11/2014 16:38, Eric Van Tol a écrit : Now, to get back on topic: OP - we have some L2circuits on LT interfaces, but not with an EX on the other end. Is there any way you can try this by hairpinning a couple of GE ports on the MX80? Also, what's the reason behind using 'l2vpn' instead of 'l2circuit'? I see you are using private addressing on your interface - is there any chance that there are blanket filters applied to your interface using configuration groups or perhaps a forwarding table filter to prevent 1918 space from traversing your network? I have only 10G port on my mx80, but since there are not totally in prod, I will test that using a XFP DAC (and I finaly find an utitility for this cable :) No reason to use l2vpn, I've tried l2circuit too, and now connections (rsvp based ccc). I would prefer using l2vpn if it work since I think it's smarter to use bgp signalling; but l2circuit are acceptable. And no; no filter (I deactivate all filter...) With chip's configuration I've have some traffic (arp in one way), but nothing more. I think there is definitively something wrong with EX and l2vpn. -- Raphael Mazelier ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX4550 L2Circuit/VPN to MX80/lt Interface
There's no need to run protocols ldp ? -- Eduardo Schoedler 2014-11-12 17:18 GMT-02:00 Alexander Arseniev arsen...@btinternet.com: There is a line missing on MX side: set interfaces lt-0/0/0.0 family ccc Thanks Alex 12/11/2014 16:51, Raphael Mazelier wrote: Le 11/11/14 22:29, chip a écrit : http://pastebin.com/YYfHk9M2 That should get you. *Caveats apply* but it does work =) --chip Thks you chip. With your configuration I've made some progress. Now I've got some arp replies on the CE connected to the EX : 2.1.1.5 2.1.1.6: ICMP echo request, id 26654, seq 11, length 64 17:42:39.031721 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 2.1.1.5 tell 2.1.1.6, length 46 17:42:39.031731 ARP, Ethernet (len 6), IPv4 (len 4), Reply 2.1.1.5 is-at 78:2b:cb:28:2d:55, length 28 The lt mac is correctly learn on the CE. But for one reason or another the mac address of the ce is not learn on the mx80 side ?! I'm just out of luck for this setup :( ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp -- Eduardo Schoedler ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX4550 L2Circuit/VPN to MX80/lt Interface
I was using RSVP at the time, sorry I left that part out. If you're getting one-way traffic it might be that one of the LSPs isn't up. --chip Sent from my mobile device, please excuse any typos. On Nov 12, 2014, at 5:16 PM, Eduardo Schoedler lis...@esds.com.br wrote: There's no need to run protocols ldp ? -- Eduardo Schoedler 2014-11-12 17:18 GMT-02:00 Alexander Arseniev arsen...@btinternet.com: There is a line missing on MX side: set interfaces lt-0/0/0.0 family ccc Thanks Alex 12/11/2014 16:51, Raphael Mazelier wrote: Le 11/11/14 22:29, chip a écrit : http://pastebin.com/YYfHk9M2 That should get you. *Caveats apply* but it does work =) --chip Thks you chip. With your configuration I've made some progress. Now I've got some arp replies on the CE connected to the EX : 2.1.1.5 2.1.1.6: ICMP echo request, id 26654, seq 11, length 64 17:42:39.031721 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 2.1.1.5 tell 2.1.1.6, length 46 17:42:39.031731 ARP, Ethernet (len 6), IPv4 (len 4), Reply 2.1.1.5 is-at 78:2b:cb:28:2d:55, length 28 The lt mac is correctly learn on the CE. But for one reason or another the mac address of the ce is not learn on the mx80 side ?! I'm just out of luck for this setup :( ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp -- Eduardo Schoedler ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX4550 L2Circuit/VPN to MX80/lt Interface
The ALU 7210 line is very similar to the 3600X and 920. 24x1G and 2x10G or 4x10G, support full MPLS, L2VPN, L3VPN, CES. I’ve posted about them before, we have thousands of them deployed in MPLS rings. They have a 2.5RU modular one now with 6 slots with 2x10G, 10x1G, and 1/10 combo modules. Its not all that impressive but will do 6x10G and 60x1G and has redundant control boards. I agree that Juniper never really pursued the market, the MX isn't a great fit and the ACX/BX are underwhelming. Phil From: Mark Tinka Sent: Wednesday, November 12, 2014 3:53 PM To: Eric Van Tol Cc: m...@xalto.net, juniper-nsp@puck.nether.net List On Wednesday, November 12, 2014 05:38:54 PM Eric Van Tol wrote: ME3600X is wonderful, but very expensive once you get the full feature set. Agree. We are waiting (rather impatiently at this point) for our first ASR920 to arrive to test out. This is supposed to be the replacement for the ME3400, but with MPLS. It fits us nicer than the ME3600X, as the footprint is much smaller and there are various models for port density. Interesting. I'm speaking with the SPAG BU on this platform, to see where it falls short of (or outperforms) the ME3600X/3800X. Odd - we tried to engage ALU and they said all their gear is layer-2 only. They were supposed to come to our office for a meet-and-greet, but never came. This is the second time we've tried to engage them with no success. Guess they are not interested in our business. ALU have some pretty good routers, actually. Their 7xxx series routers and switches are up there with the best. In fact, I find their subscriber management solutions to be quite interesting compared to Cisco and Juniper. I did some testing at their lab in Antwerp a few months ago, and was mighty impressed with some of the work they've done in mobile to wi-fi hand-off. Very good boxes and solutions, to be honest. It's just that in the metro, they still don't have anything close to the ME3600X (or ASR920). Agreed. ACX is just not there. It baffles me why Juniper has left this market untapped. The mid-range MX is just too expensive and too big for our deployments and the lack of LSR functionality in the EX won't work for us. Back when the MX80 was launching (c. 2009), I was speaking to the Juniper folk heading the project, and they promised a 1U MX80 with 20x or 40x Gig-E ports, and 2x or 4x 10Gbps uplinks, with all MX software features. How I still wish for such a box. Mark. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX4550 L2Circuit/VPN to MX80/lt Interface
On Thursday, November 13, 2014 06:00:23 AM phil...@gmail.com wrote: The ALU 7210 line is very similar to the 3600X and 920. 24x1G and 2x10G or 4x10G, support full MPLS, L2VPN, L3VPN, CES. I’ve posted about them before, we have thousands of them deployed in MPLS rings. They have a 2.5RU modular one now with 6 slots with 2x10G, 10x1G, and 1/10 combo modules. Its not all that impressive but will do 6x10G and 60x1G and has redundant control boards. My issue with them is we wanted a 1U version of the 7210. Mark. signature.asc Description: This is a digitally signed message part. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX4550 L2Circuit/VPN to MX80/lt Interface
Le 10/11/2014 21:18, Hugo Slabbert a écrit : Correct. I think I see Rafael's issue, though. He has a mix of predominantly MPLS (probably L3VPN) customers that terminate L3 on the EX, which can handle that because that's internal routes only, not full tables. He also has a few transit customers coming through the EX, though. The EX (unlike the MX) can't handle a mix of L2 and L3 on the same port. His MX-EX touchdown is currently L3 on the EX in order to support his MPLS customers. He would need that EX port in L2 in order to carry customer VLANs through to the MX. If he does that, though, he'd need his L3 on the EX on VLAN interfaces, and per his comment: That's exactly my use case. ...that's apparently not supported, which means his MPLS customer setup would break in order to support switching his transit customers through the EX to the MX. Yes, and I have very few transit customers compared to my 'l3vpn' customers. I haven't done the L2VPN setup to LTs that you're working with, Rafael, so I can't help you out there. An alternative may be to move your L3 and MPLS config from the EX to the MX, but that has a bunch of downsides (loads up your 10G link with additional traffic that would have been only on the EX's backplane before; maintenance hit for moving all of the config; changes topology; more load on the MX80; etc). Yep moving my L3 and MPLS config to the MX is not an option. The main reason is because my EX are double attached to two MX. I can handle the lost of one EX with no problem (aside my transit cust, but that is marginal). Aside from that, I'll bow out for someone that might have worked with the LT setup you're attempting. It's frustrating because I think I'm very close, since the L2vpn/L2circuit comes up. I will try to capture the traffic to see what happen (some encapsulation problem). And even if the correct solution is to force my transit customer to use ebgp multihop, I need this plan B solution for some customers I cannot contact (sigh)... -- Raphael Mazelier ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX4550 L2Circuit/VPN to MX80/lt Interface
On Tuesday, November 11, 2014 10:55:47 AM Raphael Mazelier wrote: It's frustrating because I think I'm very close, since the L2vpn/L2circuit comes up. I will try to capture the traffic to see what happen (some encapsulation problem). And even if the correct solution is to force my transit customer to use ebgp multihop, I need this plan B solution for some customers I cannot contact (sigh)... Speculation on my side, but given the limited MPLS capabilities on EX switchs, control plane may work fine due to common code within the Juniper product line, but the forwarding plane fails you. This could explain why things look up/up, but without traffic. Mark. signature.asc Description: This is a digitally signed message part. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX4550 L2Circuit/VPN to MX80/lt Interface
Speculation on my side, but given the limited MPLS capabilities on EX switchs, control plane may work fine due to common code within the Juniper product line, but the forwarding plane fails you. This could explain why things look up/up, but without traffic. Well, you should be right. On the other the spec of the EX4550 specifie that l2vpn (at least l2circuit) should be working... And some other guys on the list report some kind of success with that. Thks. -- Raphael Mazelier ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX4550 L2Circuit/VPN to MX80/lt Interface
EX (and QFX) have limited MPLS capabilities. The data sheet is rather optimistic about the capabilities, and a bit misleading about such things as route limits Expecting a cheap switch with merchant silicon to do the same as an expensive MX with custom ASICs is asking for trouble. Seriously, just do L2. Customer port is access, MX80 is trunked. You’re just asking for trouble with MPLS and L2VPN. …karl On Nov 11, 2014, at 5:22 AM, Raphael Mazelier r...@futomaki.net wrote: Speculation on my side, but given the limited MPLS capabilities on EX switchs, control plane may work fine due to common code within the Juniper product line, but the forwarding plane fails you. This could explain why things look up/up, but without traffic. Well, you should be right. On the other the spec of the EX4550 specifie that l2vpn (at least l2circuit) should be working... And some other guys on the list report some kind of success with that. Thks. -- Raphael Mazelier ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX4550 L2Circuit/VPN to MX80/lt Interface
Le 11/11/2014 21:08, Karl Brumund - lists a écrit : EX (and QFX) have limited MPLS capabilities. The data sheet is rather optimistic about the capabilities, and a bit misleading about such things as route limits Expecting a cheap switch with merchant silicon to do the same as an expensive MX with custom ASICs is asking for trouble. Seriously, just do L2. Customer port is access, MX80 is trunked. You’re just asking for trouble with MPLS and L2VPN. Much of the same opinion, from quite recent exposure. Cheers, mh …karl On Nov 11, 2014, at 5:22 AM, Raphael Mazelier r...@futomaki.net wrote: Speculation on my side, but given the limited MPLS capabilities on EX switchs, control plane may work fine due to common code within the Juniper product line, but the forwarding plane fails you. This could explain why things look up/up, but without traffic. Well, you should be right. On the other the spec of the EX4550 specifie that l2vpn (at least l2circuit) should be working... And some other guys on the list report some kind of success with that. Thks. -- Raphael Mazelier ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX4550 L2Circuit/VPN to MX80/lt Interface
http://pastebin.com/YYfHk9M2
That should get you. *Caveats apply* but it does work =)
--chip
On Mon, Nov 10, 2014 at 11:23 AM, Raphael Mazelier r...@futomaki.net
wrote:
Hello,
I'm redesigning my network, and I have to terminate some customer BGP
sessions (full view) on new EX4550 (no comment, ... )
Since the EX4550 does not support full view, I had to logicaly terminate
the session on a real router (MX80 in this case).
The logical way to do is to use bgp multi hop, but some of my customer are
unaware of changing their settings on their side.
So my plan is to use l2vpn (or l2circuit) between the EX and the MX, and
to use a virtual interface on the MX to end the sessions.
And reading some thread it seems that I have to use lt interface.
The l2vpn connections are OK on both side, but nothing is reachable (and I
have nothing to tcpdump yet).
Bellow is my config :
EX side :
interfaces {
ge-1/0/11 {
encapsulation ethernet-ccc;
unit 0;
}
}
routing-instances {
l2vpn {
instance-type l2vpn;
interface ge-1/0/11.0;
route-distinguisher 666:666;
vrf-target target:666:666;
protocols {
l2vpn {
encapsulation-type ethernet;
site EX {
site-identifier 1;
ignore-mtu-mismatch;
interface ge-1/0/11.0 {
remote-site-id 2;
}
}
ignore-encapsulation-mismatch;
}
}
}
}
MX side :
interfaces {
lt-0/0/10 {
unit 0 {
encapsulation ethernet-ccc;
peer-unit 1;
family ccc;
}
unit 1 {
encapsulation ethernet;
peer-unit 0;
family inet {
address 10.1.1.1/24;
}
}
}
}
routing-instances {
l2vpn {
instance-type l2vpn;
interface lt-0/0/10.0;
route-distinguisher 666:666;
vrf-target target:666:666;
protocols {
l2vpn {
encapsulation-type ethernet;
site cr-dc2-01 {
site-identifier 2;
ignore-mtu-mismatch;
interface lt-0/0/10.0;
}
}
}
}
}
Any suggestions ? or other way to do ? (I ve tested l2circuit and it does
not work anyway)
--
Raphael Mazelier
AS39605
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
--
Just my $.02, your mileage may vary, batteries not included, etc
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] EX4550 L2Circuit/VPN to MX80/lt Interface
Hello,
I'm redesigning my network, and I have to terminate some customer BGP
sessions (full view) on new EX4550 (no comment, ... )
Since the EX4550 does not support full view, I had to logicaly terminate
the session on a real router (MX80 in this case).
The logical way to do is to use bgp multi hop, but some of my customer
are unaware of changing their settings on their side.
So my plan is to use l2vpn (or l2circuit) between the EX and the MX, and
to use a virtual interface on the MX to end the sessions.
And reading some thread it seems that I have to use lt interface.
The l2vpn connections are OK on both side, but nothing is reachable (and
I have nothing to tcpdump yet).
Bellow is my config :
EX side :
interfaces {
ge-1/0/11 {
encapsulation ethernet-ccc;
unit 0;
}
}
routing-instances {
l2vpn {
instance-type l2vpn;
interface ge-1/0/11.0;
route-distinguisher 666:666;
vrf-target target:666:666;
protocols {
l2vpn {
encapsulation-type ethernet;
site EX {
site-identifier 1;
ignore-mtu-mismatch;
interface ge-1/0/11.0 {
remote-site-id 2;
}
}
ignore-encapsulation-mismatch;
}
}
}
}
MX side :
interfaces {
lt-0/0/10 {
unit 0 {
encapsulation ethernet-ccc;
peer-unit 1;
family ccc;
}
unit 1 {
encapsulation ethernet;
peer-unit 0;
family inet {
address 10.1.1.1/24;
}
}
}
}
routing-instances {
l2vpn {
instance-type l2vpn;
interface lt-0/0/10.0;
route-distinguisher 666:666;
vrf-target target:666:666;
protocols {
l2vpn {
encapsulation-type ethernet;
site cr-dc2-01 {
site-identifier 2;
ignore-mtu-mismatch;
interface lt-0/0/10.0;
}
}
}
}
}
Any suggestions ? or other way to do ? (I ve tested l2circuit and it
does not work anyway)
--
Raphael Mazelier
AS39605
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX4550 L2Circuit/VPN to MX80/lt Interface
Le 10/11/14 18:40, Hugo Slabbert a écrit : What's the connection between the EX and the MX? Could you not just switch the customers through the EX to the MX and land them on tagged interfaces on the MX? I don't know all of your requirements, but perhaps the simple option works here? Ah good question. I have only one 10G ethernet back to back connection between the EX and the MX. And I want to use my EX as a router for managing the gateway of my clients on it. So I need BGP/MPLS on it, and unfortunelaty MPLS does not work on vlan interface on Ex :( I was a pseudo BGP/Tor design. It work well, but I does not want to use a dedicated MX80 port and switch to transit customers (wich are not the majority). If I had more money I had bought some MX480 :p -- Raphael Mazelier ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX4550 L2Circuit/VPN to MX80/lt Interface
It would be cheaper easier in the long run to teach your customers about
multi-hop BGP. Give them code snippets they can cut-n-paste into their
router. Offer to configure their router. Adding complexity to your side for
something a customer is unable/unwilling to do is wrong (IMHO)
Good luck
-Matt
--
Matthew S. Crocker
President
Crocker Communications, Inc.
PO BOX 710
Greenfield, MA 01302-0710
E: matt...@crocker.com
P: (413) 746-2760
F: (413) 746-3704
W: http://www.crocker.com
On Nov 10, 2014, at 11:23 AM, Raphael Mazelier r...@futomaki.net wrote:
Hello,
I'm redesigning my network, and I have to terminate some customer BGP
sessions (full view) on new EX4550 (no comment, ... )
Since the EX4550 does not support full view, I had to logicaly terminate the
session on a real router (MX80 in this case).
The logical way to do is to use bgp multi hop, but some of my customer are
unaware of changing their settings on their side.
So my plan is to use l2vpn (or l2circuit) between the EX and the MX, and to
use a virtual interface on the MX to end the sessions.
And reading some thread it seems that I have to use lt interface.
The l2vpn connections are OK on both side, but nothing is reachable (and I
have nothing to tcpdump yet).
Bellow is my config :
EX side :
interfaces {
ge-1/0/11 {
encapsulation ethernet-ccc;
unit 0;
}
}
routing-instances {
l2vpn {
instance-type l2vpn;
interface ge-1/0/11.0;
route-distinguisher 666:666;
vrf-target target:666:666;
protocols {
l2vpn {
encapsulation-type ethernet;
site EX {
site-identifier 1;
ignore-mtu-mismatch;
interface ge-1/0/11.0 {
remote-site-id 2;
}
}
ignore-encapsulation-mismatch;
}
}
}
}
MX side :
interfaces {
lt-0/0/10 {
unit 0 {
encapsulation ethernet-ccc;
peer-unit 1;
family ccc;
}
unit 1 {
encapsulation ethernet;
peer-unit 0;
family inet {
address 10.1.1.1/24;
}
}
}
}
routing-instances {
l2vpn {
instance-type l2vpn;
interface lt-0/0/10.0;
route-distinguisher 666:666;
vrf-target target:666:666;
protocols {
l2vpn {
encapsulation-type ethernet;
site cr-dc2-01 {
site-identifier 2;
ignore-mtu-mismatch;
interface lt-0/0/10.0;
}
}
}
}
}
Any suggestions ? or other way to do ? (I ve tested l2circuit and it does not
work anyway)
--
Raphael Mazelier
AS39605
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] EX4550 L2Circuit/VPN to MX80/lt Interface
I think the question is, why not carry the customer traffic on a VLAN back to the MX80? Scott H. Login Inc. On 11/10/14 12:55 PM, Raphael Mazelier wrote: Le 10/11/14 18:40, Hugo Slabbert a écrit : What's the connection between the EX and the MX? Could you not just switch the customers through the EX to the MX and land them on tagged interfaces on the MX? I don't know all of your requirements, but perhaps the simple option works here? Ah good question. I have only one 10G ethernet back to back connection between the EX and the MX. And I want to use my EX as a router for managing the gateway of my clients on it. So I need BGP/MPLS on it, and unfortunelaty MPLS does not work on vlan interface on Ex :( I was a pseudo BGP/Tor design. It work well, but I does not want to use a dedicated MX80 port and switch to transit customers (wich are not the majority). If I had more money I had bought some MX480 :p ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
