Re: [j-nsp] Suggestions on management of dual-RE devices

2015-11-27 Thread Michael Loftis
On Wed, Nov 25, 2015 at 7:14 AM, Mike Williams  wrote:
> Thanks to all those who responded.
> master-only is mostly what I wanted!
>
>
> Rather confusingly, Juniper do specify setting lo0 per RE.
> https://www.juniper.net/techpubs/en_US/junos12.3/topics/task/configuration/routing-engine-dual-initial-configuration.html
> But then that document also tells you to run "commit synchronise" from 
> operational mode.
> A single loopback address works, and both REs have the same system SSH key, 
> so no warnings if they switch.
>

On the MX platforms (and the big hardware identical EXes) only the
master processes punted packets.  tcp/22 (subject to the ddos profiles
and firewall filters) gets punted when received on a hardware
interface to an lo0 address, there the master RE in the chassis gets
to process it.  Same path as BGP, OSPF, etc.  "master-only" is thus
only necessary (and applicable) to fxp interfaces.  You can't ssh to
an lo0 address and get a backup RE.  I believe VC EX and QFX behave
the same, pushing the inbound packets towards the VC master.

Hope that clears it up a little bit.

> This is broadly what I've got now.
>
> groups {
>     re0 {
>         system {
>             host-name ...-re0;
>         }
>         interfaces {
>             fxp0 {
>                 unit 0 {
>                     family inet {
>                         address 10.22.0.2/24 {
>                             master-only;
>                         }
>                         address 10.22.0.3/24;
>                     }
>                 }
>             }
>         }
>     }
>     re1 {
>         system {
>             host-name ...-re1;
>         }
>         interfaces {
>             fxp0 {
>                 unit 0 {
>                     family inet {
>                         address 10.22.0.2/24 {
>                             master-only;
>                         }
>                         address 10.22.0.4/24;
>                     }
>                 }
>             }
>         }
>     }
> }
> interfaces {
>     lo0 {
>         unit 0 {
>             family inet {
>                 address 10.177.4.2/32;
>             }
>         }
>     }
> }
>
>
> Thanks
>
> On Tuesday 24 November 2015 21:52:38 Olivier Benghozi wrote:
>> Juniper document provides each RE with its own MANAGEMENT address (on fxp
>> port of each RE), not its own loopback. You configure a single loopback
>> (interface lo0.0).
>>
>> Anyway, about your need, there is:
>> http://www.juniper.net/documentation/en_US/junos15.1/topics/usage-guidelines/interfaces-configuring-a-consistent-management-ip-address.html
>>
>> > On 24 Nov 2015, at 19:07, Mike Williams wrote:
>> >
>> > Hi all,
>> >
>> > So we just got our first Juniper devices with dual-REs (if you exclude
>> > virtual chassis').
>> > Before I get into actually configuring them, I'm wondering how others
>> > handle management, as I'm a touch confused.
>> >
>> > Normally we just SSH/snmp to the loopback address, optionally jumping off
>> > from a device on the same OoB network if routing is down (yes, we should
>> > configure a backup router).
>> >
>> > Juniper document providing each RE with its own loopback address.
>> > If you do that, you'd have to detect if what you're connected to is master
>> > or backup, right?
>> > That might be a necessary trade off. As if you had a single loopback
>> > address, wouldn't the system SSH key change as loopback "moved" between
>> > the REs? Can a 'global' single loopback even be configured?
>> >
>> > Or do dual-RE devices actually work like virtual chassis, where the system
>> > SSH key is the same on all nodes, and connections to the backup are
>> > internally redirected to the master?
>
> --
> Mike Williams
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp



-- 

"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler

Re: [j-nsp] Suggestions on management of dual-RE devices

2015-11-24 Thread Chris Kawchuk
Relevant config snippet/stanzas:

## Last commit: 2015-11-24 16:03:02 EST by me
version 13.3R6.5;
groups {
    re0 {
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 172.xx.xx.1/24 {
                            master-only;
                        }
                        address 172.xx.xx.2/24;
                    }
                }
            }
        }
    }
    re1 {
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 172.xx.xx.1/24 {
                            master-only;
                        }
                        address 172.xx.xx.3/24;
                    }
                }
            }
        }
    }
}
apply-groups [ re0 re1 ];
...
...
...

Note the 'master-only' directive. You then SNMP/SSH/etc... to the proverbial
'.1' address, which always goes to the master RE; whichever one is active.

Hope that helps!

- Ck.




On 25/11/2015, at 5:07 AM, Mike Williams  wrote:

> Hi all,
> 
> So we just got our first Juniper devices with dual-REs (if you exclude
> virtual chassis').
> Before I get into actually configuring them, I'm wondering how others handle
> management, as I'm a touch confused.
>
> Normally we just SSH/snmp to the loopback address, optionally jumping off
> from a device on the same OoB network if routing is down (yes, we should
> configure a backup router).
>
> Juniper document providing each RE with its own loopback address.
> If you do that, you'd have to detect if what you're connected to is master
> or backup, right?
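Added example, not part of the original thread and not Juniper tooling: a Python check for the fxp0 layout shown in the message above, verifying that re0 and re1 carry the same master-only address, that each RE also has its own distinct address, and that all of them share one subnet. The function names, the group() helper and the 192.0.2.0/24 sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import re
TAIL = ["interfaces", "fxp0", "unit 0", "family inet"]

def fxp0_addresses(config):
    """Map group -> {'master': [...], 'own': [...]} for fxp0 unit 0 family inet.
    Handles 'address X;' and 'address X { master-only; }', indented or flattened."""
    stack, words, out = [], [], {}
    for tok in re.findall(r"[{};]|[^\s{};]+", config):
        if tok not in ("{", "}", ";"):
            words.append(tok)
            continue
        stmt, words = " ".join(words), []
        if tok == "{":
            stack.append(stmt)
        elif tok == "}":
            del stack[-1:]  # tolerate an unbalanced closing brace
        elif stack[:1] == ["groups"] and stack[2:6] == TAIL:
            slot = out.setdefault(stack[1], {"master": [], "own": []})
            if len(stack) == 6 and stmt.startswith("address "):
                slot["own"].append(ipaddress.ip_interface(stmt.split()[1]))
            elif len(stack) == 7 and stmt == "master-only" and stack[6].startswith("address "):
                slot["master"].append(ipaddress.ip_interface(stack[6].split()[1]))
    return out

def check_dual_re(config, groups=("re0", "re1")):
    """Return a list of problems; an empty list means the fxp0 layout is consistent."""
    found, problems = fxp0_addresses(config), []
    slots = [found.get(g, {"master": [], "own": []}) for g in groups]
    masters = {a for s in slots for a in s["master"]}
    owns = [a for s in slots for a in s["own"]]
    for g, slot in zip(groups, slots):
        if len(slot["master"]) != 1:
            problems.append(f"{g}: expected exactly one master-only address")
        if not slot["own"]:
            problems.append(f"{g}: no per-RE address on fxp0")
    if len(masters) > 1:
        problems.append("master-only address differs between groups")
    if len(set(owns)) != len(owns) or masters & set(owns):
        problems.append("per-RE addresses must be unique and not reuse the master-only address")
    if len({a.network for a in [*masters, *owns]}) > 1:
        problems.append("fxp0 addresses are not all in one subnet")
    return problems

def group(name, master, own):  # hypothetical helper: builds a constructed sample group
    return (f"{name} {{ interfaces {{ fxp0 {{ unit 0 {{ family inet {{ address {master} "
            f"{{ master-only; }} address {own}; }} }} }} }} }} ")
GOOD = "groups { " + group("re0", "192.0.2.1/24", "192.0.2.2/24") + group("re1", "192.0.2.1/24", "192.0.2.3/24") + "}"
BAD = "groups { " + group("re0", "192.0.2.1/24", "192.0.2.2/24") + group("re1", "192.0.2.9/24", "192.0.2.2/24") + "}"
```

check_dual_re(GOOD) returns an empty list; check_dual_re(BAD) reports the mismatched master-only address and the duplicated per-RE address.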


Re: [j-nsp] Suggestions on management of dual-RE devices

2015-11-24 Thread Olivier Benghozi
Juniper document provides each RE with its own MANAGEMENT address (on fxp port 
of each RE), not its own loopback.
You configure a single loopback (interface lo0.0).

Anyway, about your need, there is:
http://www.juniper.net/documentation/en_US/junos15.1/topics/usage-guidelines/interfaces-configuring-a-consistent-management-ip-address.html
 


> On 24 Nov 2015, at 19:07, Mike Williams wrote:
> 
> Hi all,
> 
> So we just got our first Juniper devices with dual-REs (if you exclude
> virtual chassis').
> Before I get into actually configuring them, I'm wondering how others handle
> management, as I'm a touch confused.
>
> Normally we just SSH/snmp to the loopback address, optionally jumping off
> from a device on the same OoB network if routing is down (yes, we should
> configure a backup router).
>
> Juniper document providing each RE with its own loopback address.
> If you do that, you'd have to detect if what you're connected to is master
> or backup, right?
> That might be a necessary trade off. As if you had a single loopback address,
> wouldn't the system SSH key change as loopback "moved" between the REs?
> Can a 'global' single loopback even be configured?
>
> Or do dual-RE devices actually work like virtual chassis, where the system
> SSH key is the same on all nodes, and connections to the backup are
> internally redirected to the master?


Re: [j-nsp] Suggestions on management of dual-RE devices

2015-11-24 Thread Nilesh Khambal
You could also configure re0 and re1 with different host names by adding -re0 
or -re1 to the hostname in the groups re0 and re1 respectively. This will give 
a visual confirmation when someone logs into the RE with master-only address. 

Thanks,
Nilesh. 

Sent from my iPhone

> On Nov 24, 2015, at 2:41 PM, Chris Kawchuk  wrote:
> 
> Relevant config snippet/stanzas:
> 
> ## Last commit: 2015-11-24 16:03:02 EST by me
> version 13.3R6.5;
> groups {
>     re0 {
>         interfaces {
>             fxp0 {
>                 unit 0 {
>                     family inet {
>                         address 172.xx.xx.1/24 {
>                             master-only;
>                         }
>                         address 172.xx.xx.2/24;
>                     }
>                 }
>             }
>         }
>     }
>     re1 {
>         interfaces {
>             fxp0 {
>                 unit 0 {
>                     family inet {
>                         address 172.xx.xx.1/24 {
>                             master-only;
>                         }
>                         address 172.xx.xx.3/24;
>                     }
>                 }
>             }
>         }
>     }
> }
> apply-groups [ re0 re1 ];
> ...
> ...
> ...
> 
> Note the 'master-only' directive. You then SNMP/SSH/etc... to the proverbial
> '.1' address, which always goes to the master RE; whichever one is active.
>
> Hope that helps!
> 
> - Ck.
> 
> 
> 
> 
>> On 25/11/2015, at 5:07 AM, Mike Williams  wrote:
>> 
>> Hi all,
>> 
>> So we just got our first Juniper devices with dual-REs (if you exclude
>> virtual chassis').
>> Before I get into actually configuring them, I'm wondering how others handle
>> management, as I'm a touch confused.
>>
>> Normally we just SSH/snmp to the loopback address, optionally jumping off
>> from a device on the same OoB network if routing is down (yes, we should
>> configure a backup router).
>>
>> Juniper document providing each RE with its own loopback address.
>> If you do that, you'd have to detect if what you're connected to is master
>> or backup, right?


[j-nsp] Suggestions on management of dual-RE devices

2015-11-24 Thread Mike Williams
Hi all,

So we just got our first Juniper devices with dual-REs (if you exclude virtual 
chassis').
Before I get into actually configuring them, I'm wondering how others handle 
management, as I'm a touch confused.

Normally we just SSH/snmp to the loopback address, optionally jumping off from 
a device on the same OoB network if routing is down (yes, we should configure 
a backup router).

Juniper document providing each RE with its own loopback address.
If you do that, you'd have to detect if what you're connected to is master or 
backup, right?
That might be a necessary trade off. As if you had a single loopback address, 
wouldn't the system SSH key change as loopback "moved" between the REs?
Can a 'global' single loopback even be configured?

Or do dual-RE devices actually work like virtual chassis, where the system SSH 
key is the same on all nodes, and connections to the backup are internally 
redirected to the master?


Thanks

-- 
Mike Williams