Re: [j-nsp] flowspec in logical-systems
Thanks Thomas, good info, I'll proceed wiser now.

-Aaron

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] flowspec in logical-systems
On 2017-04-07 20:43, Aaron Gould wrote:

> Do you all use logical-systems in your operational network? How pleased are
> you with them? I have an MX104 with about 8 lsys's and I am using it for a
> study lab and love it.

Our ISP uses logical systems on their CPE routers to provide their customers (us) access to them, so we don't have to e.g. buy routers with BGP licenses. We can also use them as part of our core network, if we so wish; just pay for the extra linecards if what they provide by default is not enough.

(Actually, since they upgraded from MX80 to MX480 as CPE routers last year, we customers get to use the main instance, and our ISP has a logical system which they use for their purposes. But they are the NREN, and we are universities, so they trust us to not abuse it. A commercial ISP might be more reluctant to do it that way...)

At our site, we have also created a logical system for managing what is essentially just a VRF. The intent was to be able to let some persons manage that without being able to affect the rest of the configuration and screw up the entire university's network, and also to separate out that part, so it doesn't clutter up the rest of the configuration.

> I envision being able to cleanly separate router functions in my network for
> P or PE type things... and uplink PE to P using a lt-0/0/0 interface with
> mpls on it.

You should be aware that there are some limitations to logical systems, and they aren't quite as independent and isolated as one might expect. I believe for example that you can't do netflow or multi-chassis LAG in an lsys. And SNMP monitoring is configured in the main instance, not per logical system. (You can limit SNMP communities to specific logical systems, but it can break SNMP monitoring in other ways; I don't remember the details about this, though.)

Also, traffic over logical tunnel interfaces has to go via the backplane, which may limit the bandwidth you can use. At least with the linecards we have in "our" MX480, we are limited to 65 Gbit/s for such traffic. Thus, we as a customer talk BGP with ISP's core router in their POP elsewhere in the city, not with the ISP's logical system in the CPE router over a logical tunnel interface. (We don't use enough bandwidth for this to be a practical problem at the moment, though.)

If you just want to separate configuration into related chunks, then using groups might be a viable alternative to logical systems. And you don't need MX class hardware. :-) I use that on the QFX5100:s I have as core router/switches at my department. Then I can use 'show configuration groups FOO' to see everything concerning FOO, without having to wade through everything that concerns FIE or FUM.

-- 
Thomas Bellman, National Supercomputer Centre, Linköping Univ., Sweden
"Life IS pain, highness.  Anyone who tells   !  bellman @ nsc . liu . se
 differently is selling something."          !  Make Love -- Nicht Wahr!
Re: [j-nsp] flowspec in logical-systems
Hi,

We use it to separate production environments between our different entities. I know that we have run into some odd limitations when using L-SYS.

If it's only for testing purposes, I guess that spinning a VM with vSRX / vMX does the trick.

HTH.

Y.

> On 7 Apr 2017, at 20:43, Aaron Gould wrote:
>
> Do you all use logical-systems in your operational network? How pleased are
> you with them? I have an MX104 with about 8 lsys's and I am using it for a
> study lab and love it.
>
> I envision being able to cleanly separate router functions in my network for
> P or PE type things... and uplink PE to P using a lt-0/0/0 interface with
> mpls on it.
>
> Just looking for some insights into how much you all use lsys operationally
> and how well it performs for what it supports.
>
> -Aaron
Re: [j-nsp] flowspec in logical-systems
Do you all use logical-systems in your operational network? How pleased are you with them? I have an MX104 with about 8 lsys's and I am using it for a study lab and love it.

I envision being able to cleanly separate router functions in my network for P or PE type things... and uplink PE to P using a lt-0/0/0 interface with mpls on it.

Just looking for some insights into how much you all use lsys operationally and how well it performs for what it supports.

-Aaron
Re: [j-nsp] flowspec in logical-systems
Hi Michail,

We have been bitten by L-SYS funky limitations as well a certain number of times. As you state, it's a pity.

Best regards.

2017-03-23 15:33 GMT+01:00 Michail Litvak:

> Hi Timur,
>
> It's a pity.
>
> Thanks for the information.
>
> On Thu, Mar 23, 2017 at 4:28 PM, Timur Maryin wrote:
>
> > Hi Michael,
> >
> > I believe it's not supported.
> >
> > On 22-Mar-17 20:07, Michail Litvak wrote:
> >
> >> Hi all,
> >>
> >> Did anybody try to use flowspec in the logical-system?
>
> --
> MYL2-RIPE
Re: [j-nsp] flowspec in logical-systems
Hi Timur,

It's a pity.

Thanks for the information.

On Thu, Mar 23, 2017 at 4:28 PM, Timur Maryin wrote:

> Hi Michael,
>
> I believe it's not supported.
>
> On 22-Mar-17 20:07, Michail Litvak wrote:
>
>> Hi all,
>>
>> Did anybody try to use flowspec in the logical-system?

-- 
MYL2-RIPE
Re: [j-nsp] flowspec in logical-systems
Hi Michael,

I believe it's not supported.

On 22-Mar-17 20:07, Michail Litvak wrote:

> Hi all,
>
> Did anybody try to use flowspec in the logical-system?
Re: [j-nsp] flowspec in logical-systems
Hi Chuck,

No, no flowspec filter has been created in the LS. To check, I've created a dummy filter in the LS:

    admin@lab-2> show firewall logical-system LS4

    Filter: __LS4/dummy

So, the question is still open.

On Thu, Mar 23, 2017 at 2:05 AM, Chuck Anderson wrote:

> Try:
>
> show firewall | match flowspec
>
> Sometimes the filter names aren't what you expect when dealing with
> logical-systems. The ones I see are prepended with __LSYSNAME/ so you
> might find them named __LSYSNAME/__flowspec_
>
> On Wed, Mar 22, 2017 at 09:07:22PM +0200, Michail Litvak wrote:
> > Hi all,
> >
> > Did anybody try to use flowspec in the logical-system?
> > The BGP session with flowspec family is up and receiving appropriate NLRI,
> > the inetflow.0 table exists in the LS with appropriate values:
> >
> > But no firewall filter __flowspec_default_inet__ exists in the LS.
> >
> >     admin@lab-2> show firewall filter logical-system LS4 __flowspec_default_inet__
> >     error: filter name inconsistent with logical router

-- 
MYL2-RIPE
Re: [j-nsp] flowspec in logical-systems
Try:

    show firewall | match flowspec

Sometimes the filter names aren't what you expect when dealing with logical-systems. The ones I see are prepended with __LSYSNAME/ so you might find them named __LSYSNAME/__flowspec_

On Wed, Mar 22, 2017 at 09:07:22PM +0200, Michail Litvak wrote:

> Hi all,
>
> Did anybody try to use flowspec in the logical-system?
> The BGP session with flowspec family is up and receiving appropriate NLRI,
> the inetflow.0 table exists in the LS with appropriate values:
>
> But no firewall filter __flowspec_default_inet__ exists in the LS.
>
>     admin@lab-2> show firewall filter logical-system LS4 __flowspec_default_inet__
>     error: filter name inconsistent with logical router
[j-nsp] flowspec in logical-systems
Hi all,

Did anybody try to use flowspec in the logical-system?

The BGP session with flowspec family is up and receiving appropriate NLRI, the inetflow.0 table exists in the LS with appropriate values:

    logical-system: LS4

    inetflow.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    172.16.22.139,*/term:N/A
                       *[BGP/170] 00:00:37, localpref 100, from 172.16.24.36
                          AS path: I, validation-state: unverified
                          Fictitious

But no firewall filter __flowspec_default_inet__ exists in the LS.

    admin@lab-2> show firewall filter logical-system LS4 __flowspec_default_inet__
    error: filter name inconsistent with logical router

I'd appreciate any feedback.

-- 
WBR, Michail