Published: 2014-02-23
Enterprise WAN Domain Solutions Enterprise WAN Aggregation and Internet Edge Design and Implementation Guide
Copyright 2014, Juniper Networks, Inc.
All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the
year 2038. However, the NTP application is known to have some difficulty in the year 2036.
List of Figures
Figure 30: Outbound CoS to Small Remote Site Using Leased-Line Access (page 62)
Figure 31: Secure Overlay Class-of-Service Actions Between Hub and Remote (page 63)
Figure 32: Secure Overlay Class of Service Between Remote Site and Enterprise (page 64)
Figure 33: The Internet Gateway Role at the WAN Aggregation Site (page 67)
Figure 34: Routing Design at the Internet Gateway (page 68)
Figure 35: NAT and Firewall Applied to Internet Gateway Traffic (page 72)
Figure 36: Return Traffic Flow from Hosted Services to the Internet (page 73)
Figure 37: Aggregation Hub 2 Traffic Flow for Stateful Firewall and NAT (page 73)
Figure 38: Return Traffic Flow on Aggregation Hub 2 (page 74)
Figure 39: Traffic Flow Inbound from Data Center, Leased-Line, or Layer 3 VPN to Hosted Services (page 74)
Figure 40: Return Traffic Flow from Hosted Services to Leased-Line, Layer 3 VPN, and Data Center (page 75)
Figure 41: Traffic Flow from Internet-Connected Branches (GRE over IPsec) to Hosted Services (page 75)
Figure 42: Outbound Traffic Flow from Hosted Services to Internet-Connected Branch Sites (GRE over IPsec) (page 76)
Figure 43: The Flow of Traffic Between Internet-Connected Branches and the Other Enterprise Entities (page 77)
Figure 44: Primary ISP Failover Scenario (page 78)
Figure 45: Failure of Primary Internet Gateway (page 80)
Figure 46: Failure of Primary VPN Router (page 81)
Figure 47: Primary WAN Aggregation Router Failure (page 83)
Figure 48: Primary WAN Aggregation Site (Complete Site) Failure Scenario (page 84)
PART 1
CHAPTER 1
A third trend in the enterprise is the rapid change experienced as business models evolve.
Enterprises often acquire new companies to expand their products and services and need
to integrate them quickly to enable faster time to revenue. This means that they need to
take over management of the acquisition network and resources. The traditional network
model that favored individual uplinks to remote sites becomes complex and
unmanageable as acquisitions become more commonplace and there is a need for a
more extensible model. Combining the remote sites of two disparate companies is often
an exercise in compromise as network administrators struggle to merge competing
architectures into a single and scalable enterprise WAN. A solution that offers an
architecture built upon modular components can be more easily scaled during these
integration exercises.
A final trend affecting enterprises is the view that they should operate like service
providers, treating the organization as customers for their services and meeting higher
standards for service delivery. This drive by large enterprises to privately emulate service
provider networking provides a great challenge to traditional WAN designs and
architectures. Many companies choose to build completely private WAN clouds, and
many others look to build hybrid networks that give them control and management of
strategic portions of the network instead of relying on an outside provider. This movement
introduces a great deal of complexity, especially for the traditional model of remote site
uplinks, and demands a new approach to privatizing the WAN. The enterprises that fit
this mold are looking for ways to simplify the transition to a private WAN and need new
architectures to support this transition all while increasing network performance and
reliability.
Scope
The Juniper Networks enterprise WAN solution (Figure 1 on page 5) is designed to meet
the needs of an increasingly complex network segment that is a key enabler to current
and future business requirements. This document serves as a complete design and
implementation overview of the Juniper Networks enterprise WAN solution and includes
an overview of challenges, business drivers, design considerations and recommendations,
as well as step-by-step implementation guidance that provides configuration and
verification of each solution component.
The use cases and scenarios covered by the enterprise WAN solution include:
Internet edge: The interconnection of the enterprise WAN to one or more service
providers enables user access to the Internet and external access to corporate
resources.
Audience
The primary target market for the enterprise WAN aggregation and Internet gateway
solution is enterprises that have many geographically dispersed locations. These remote
sites, or branches, need to be connected to a main corporate site, and in some cases,
they require connectivity to other remote sites and to the Internet. Enterprises want a
flexible and reliable design for connecting various types of remote branches over either
traditional private WAN transports or over the public Internet with security overlays. Their
requirements include a breadth of features with low operation costs and low complexity.
They are looking for vendor-guided deployments that are tested, verified, and documented.
This guide is intended to assist you to design and implement WAN solutions in the
enterprise. We intend the guide to be used by the following:
Technical decision makers: Responsible for planning the implementation for full
integration and operation with existing enterprise services.
Network architects and engineers: Responsible for implementing the solution and
the day-to-day operation of the solution.
same operating system can be more easily migrated to more robust platforms as needs
dictate. In addition, having a single operating system throughout the network makes it
easier to introduce new services and configurations to the network, as the same
configuration is likely to migrate wherever it is needed.
Another key challenge is ensuring that cloud services are easily adopted by the enterprise.
The drive to reduce cost in the enterprise combined with the need to provide a high-quality
user experience often collide and cause business needs to come second to the need to
control expense. An answer to this conflict is often found in the adoption of cloud services
in the enterprise. An effective enterprise WAN enables not only intercompany
communication, but also a robust and high-quality connection to the data center, either
through direct interconnection to an enterprise data center or through a
direct connection to a cloud data center. Meeting this challenge is critical in controlling
cost while enhancing the user experience with the data center.
The final key challenge in the enterprise WAN is ensuring that the network is
services-ready. The network should be designed to be flexible, scalable, resilient, and
secure as these characteristics are all requirements of any service-ready network. An
effective architecture in this space is modular in nature, allowing the addition of new
services to the enterprise WAN such as VPN, Network Address Translation (NAT), and
stateful firewall services. In addition, the enterprise WAN should support implementation
of value-added services such as WAN acceleration and content caching services.
WAN aggregation
Internet gateway
Services
The target markets for this solution include any organization that has a wide base of hub
sites with a high degree of interconnectivity demands within the enterprise. Large
enterprises that operate as pseudo-carriers are the key target of the use cases provided
in this solution. Large enterprises such as government agencies, universities, financial
and health care organizations, and large technology companies are most likely to benefit
from the deployment scenarios established by the Juniper Networks enterprise WAN
solution. Large enterprises are the most likely to establish private aggregation points
of presence, enabling them to consolidate WAN connections prior to backhaul to the HQ
or data center sites. This approach gives the enterprise a central point of control for
regional hub sites, enabling cost savings on backhaul (a single aggregation router is
connected via high-speed backhaul to the carrier or private MPLS cloud as well as to the
Internet edge) and management. In the aggregation model, a single point of presence is
configured to provide all enterprise transport services to the regional hubs. This minimizes
configuration points and enables more robust resiliency and performance for those hub
sites. The next section covers each of the modular components of the WAN aggregation
solution.
WAN Aggregation
A large enterprise WAN can be built in several ways to accommodate control, security,
and performance concerns within the business. The three models of enterprise WAN
network are public, hybrid overlay, and private. A public enterprise WAN
(Figure 3 on page 9) utilizes a purely service-provider MPLS network to provide
pseudo-private enterprise WAN services. This can also be referred to as a managed
enterprise WAN. In this scenario, the service provider hands off a circuit to the enterprise
site and provides all MPLS services transparently to the enterprise. For most enterprises,
this enterprise WAN architecture provides excellent service with little to no management
required by the enterprise. Many service providers will manage the MPLS CE (customer
edge) routers at all branches, effectively making the WAN transparent to the enterprise
and its users. While this approach is appropriate in most cases, large enterprises often
choose to augment or replace the carrier-managed option with their own architecture
and design. A hybrid overlay network is often one of these choices.
The hybrid overlay network (Figure 4 on page 10) enables the enterprise to consolidate
and control WAN resources where it makes financial and geographical sense, for example
by overlaying its private WAN securely over the Internet to augment the carrier-provided
private MPLS service they use. In a hybrid overlay network, regions with a high density of
enterprise offices are aggregated onto an aggregation point-of-presence that is controlled
by the enterprise; this aggregation router has a high-speed transport to the rest of the
enterprise.
Often, the hybrid approach is not sufficient. In cases where the enterprise wants to build
and manage the entire MPLS network, a private solution is favored (Figure 5 on page 10).
In these solutions, the carrier provides core services to regional aggregation hubs and
acts only as logical transport. All MPLS, class of service, and other configurations are
performed by the enterprise. This model gives the greatest amount of control to the
enterprise, but often at great expense.
In hybrid overlay and private enterprise WAN deployments, the key to the solution is the
WAN aggregation routers, which are often located at the carrier office; as such, the WAN aggregation
routers are a key focus of the overall enterprise WAN solution. WAN aggregation is a
network architecture that consolidates multiple networks, such as the campus, branch,
and data center networks, onto the enterprise WAN network (Figure 6 on page 11). It is
within this enterprise WAN component that the various networks and site types are
stitched together to enable seamless communication between the enterprise's various
locations. The aggregation model featured most often is that of a single backhaul to a
corporate HQ or data center where all site-to-data-center and site-to-site traffic is sent
to be routed within the enterprise. The aggregation of WAN connections can be handled
by private leased line, MPLS Layer 3 VPN, Layer 2 VPN, or by an Internet VPN. It is common
to find a mix of these connection methods in the WAN aggregation as the enterprise
often selects transport based on business need and criticality. Managed service providers
often use access similar to this (a mix of MPLS, Layer 2 VPN, and Internet-based access)
to enable customer access to the enterprise, both through the service provider-managed
MPLS network and over the public Internet using secure tunneling.
[Figure: WAN aggregation topology diagram. Labels recovered from the image: Public/Private WAN, WAN Aggregation, AS 1, AS 2, M Series/MX Series, Static Routes/EBGP, MX Series, Internet, M10i, Branch.]
There are two methods for designing the aggregation hub and the roles or services it
provides (Internet access, IPsec termination, WAN aggregation, and services): one is to
use separate routers for each role using the MX5-80 or M7i; the other is to make use of
the rich virtualization features in Junos OS and make each role a virtual-routing instance
in a chassis-based MX (MX240 through MX960).
There are several modular configuration options for the remote branch. Using the WAN
aggregation model (Table 1 on page 12), the solution features configurations for three
deployment scenarios: dual router with dual circuit, single router with single connection,
and single router with dual connection.
Platform
Platform
Transport
Large
MX Series
Layer 3 VPN/Layer 2
VPN
M7i, MX5-MX80
Small
Internet
WAN aggregation
Medium
MX Series
Private WAN
Internet
M7i, MX5-MX80
Internet
Private WAN
WAN aggregation
WAN aggregation
The remote branch configurations provided in the solution DIG include uplinks directly
to the Internet, mixed connection profiles with both MPLS and Internet connections from
a service hub (aggregation node), and a complete MPLS connection model with the sites
connected into MPLS for all three deployment scenarios (Figure 7 on page 12).
The Juniper Networks enterprise WAN solution provides configurations for each
deployment scenario as well as design recommendations and troubleshooting information
to assist in deploying a new WAN aggregation hub as well as configurations for the remote
sites connecting into the aggregation hub. The configurations are tested in Juniper
Networks solutions labs and are tested against scalability targets, resiliency and
convergence targets, and performance targets. Details on design considerations and
implementation of this scenario can be found in the later chapters of this guide.
Internet Gateway
The Internet gateway deployment scenario is a foundation of the WAN aggregation
deployment scenario. The Internet and mixed aggregation scenarios require working
Internet gateway functionality in order to properly provision WAN aggregation. The
Internet gateway is used to provide Internet access to hub site users, or more commonly,
to provide a public transit for IPsec VPN connection back to the HQ or data center
(Figure 8 on page 13). In many cases, the hub Internet traffic is provided via backhaul to
the company HQ to enable security services such as URL filtering, anti-spam and anti-virus,
and intrusion detection and prevention (IDP). By backhauling traffic to an HQ site, the
enterprise can manage and maintain security between its users and the Internet in a
central location. By sacrificing some speed and performance, the enterprise can ensure
the security of its user base in this design scenario.
The Internet edge module of the larger WAN aggregation solution component provides
carrier-class routing and security to regional enterprise sites that have a requirement for
localized Internet access. The local access either provides direct Internet connection to
the enterprise remote sites, or provides a transit network to enable intra-enterprise IPsec
VPN connectivity. The aggregation hub providing Internet edge services is services-ready
and can be easily configured with services that enhance the security posture of the
enterprise remote sites. Services such as dynamic NAT, access lists to whitelist or blacklist
specific destinations, stateful firewall and intrusion detection and prevention services,
and active-active load balancing to multiple Internet service providers (ISPs) are all key
components of the solution.
Services
The Juniper Networks enterprise WAN is services-ready, enabling the agile addition of
new services. The Juniper Networks solution supports Web Cache Communication
Protocol (WCCP) to enable WAN acceleration devices to enhance the user experience
where required. Other services that can be supported as in-line, network-driven security
services are stateful firewalling and deep packet inspection. In cases where the enterprise
is hosting sensitive data or is likely to be the target of intrusion or attack, control plane
protection and denial-of-service protection (DoS and DDoS) are integrated into the
Juniper Networks enterprise WAN architecture. Finally, for enterprises that utilize real-time
or recorded video content (such as financial streams to banking centers or video
lectures within the education sector), the Juniper Networks enterprise WAN solution
supports the inclusion of content caching. This service is adopted through enhancements
to the network's handling of multicast traffic and by the routing hardware's ability to redirect
specific flows to secondary devices or virtual appliances that locally cache and serve
content to remote sites. The Juniper Networks enterprise WAN is able to add these
services in-line with little to no disruption of the user experience.
Security
Carrier-class reliability
Security
The enterprise WAN solution and WAN aggregation deployment scenarios are built from
the ground up with security as a key component. Logical separation of remote traffic or
even the separation of different operating units within the remote sites is provided by
the solution. This logical separation enables the enterprise to control not only whom on
the outside each operating group can communicate with, but also communication
and leaks between operating groups within the same enterprise.
Carrier-Class Reliability
The ability to keep the enterprise running is another key benefit of the Juniper Networks
enterprise WAN solution. The Juniper Networks MX Series routing platform is a
carrier-grade component, designed with full resiliency at its core. The hardware is designed
for resiliency, utilizing redundant control plane and switching plane hardware as well as
redundant power and cooling. In a design model where the enterprise is acting as a private
service provider to its remote sites, the ability to keep the WAN aggregation routers
available and performing is critical to the success of the solution. At the routing and
software layer, MPLS resiliency mechanisms such as MPLS fast reroute and on-demand
paths are supported to enable fast recovery from core issues that affect backhaul routing
to the HQ. In a multiple chassis deployment, where hardware redundancy is supported
by uplinks to multiple regional aggregation points of presence, the MX Series supports
multi-chassis Link Aggregation Group (LAG) and Virtual Chassis (VC), enabling a single
site to redundantly connect to multiple aggregation points while allowing the redundant
chassis to function and appear to the connected nodes as a single, physical device.
CHAPTER 2
Easy to deploy: A top goal in any effective network architecture should be ease of
deployment. A fantastic solution that features complicated deployment scenarios is
likely to encounter more issues than a network that features easy and documented
deployment.
Flexible and scalable: New network architecture should be designed to grow with the
business and change as business needs dictate. Installing a design that just meets the
needs of the business today is a recipe for increasing expenses and complexity as the
network is upgraded piecemeal.
Ease of Management
An effective WAN aggregation and enterprise WAN architecture should be designed to
be easily managed and operated. Ideally, a single pane of glass in the form of a network
management application, or a collection of applications, should be used to implement,
maintain, and troubleshoot the network as much as possible. The old methods of using
CLI and truck rolls to manage the network are more of a burden as the complexity of the
network grows and as the network becomes more vital to the user experience. An
architecture that focuses on making the network easy to manage includes all FCAPS
elements. FCAPS is an ISO model and framework for network management. FCAPS
includes the following network management elements:
Fault management
Configuration management
Accounting management
Performance management
Security management
Services Ready
Flexibility, scalability, resiliency, and security all are characteristics of a services-ready
network. An architecture featuring a modular design enables technologies and services
to be added when the organization is ready to deploy. In services-ready architecture, new
platforms and extensive network changes are not required to enable service adoption;
the network is modular and built to accept these new services with very little change
required. A network architecture that is designed and pre-configured with class of service
(CoS), for instance, is ready to support high-quality voice and video. A network that is
designed and configured with multicast is ready to support efficient voice and video
delivery. A network with customer edge (CE) platforms that support WCCP is ready to
add caching and acceleration services without requiring extensive changes to the network
design. Other services that should be considered are VPN services, Network Address
Translation (NAT), and stateful firewall services. A network that is designed and built to
support these services from day one can be considered services-ready.
A complete enterprise WAN solution that meets these design goals is built to be scalable,
flexible, and services-ready. The following sections provide an in-depth overview of the
architectures, design choices, and recommendations for building a private enterprise
WAN.
The solution is built upon several tiers of configuration and design. The WAN aggregation
tier is the point at which the enterprise remote sites are introduced to the private WAN.
The WAN aggregation tier serves to consolidate all remote site connections into a single
enterprise WAN for backhaul to the corporate HQ and data centers. This tier is configured
with high-speed backhaul over the carrier's existing MPLS infrastructure using the existing
MPLS Layer 3 VPN connectivity in place. Some enterprises choose to obtain a Layer 2
service that enables the creation of a completely custom Layer 3 VPN overlay. This design
features a Layer 3 VPN routed core configuration.
The second tier of the design involves the various attachment circuits into the WAN
aggregation tier from enterprise remote sites. Given that many large enterprises have a
presence throughout the world, relying on a single service provider to serve every branch
is nearly impossible. To that end, the
enterprise WAN solution features multiple options for connecting remote sites to the
network.
Direct connection via leased line: Some sites that are located close to a WAN
aggregation hub, or sites that require dedicated, high-speed access, are connected to
the WAN aggregation via leased private line.
MPLS / Layer 3 VPN connection: Sites that have access to a service provider's existing
Layer 3 VPN footprint can connect into the WAN aggregation via the carrier's existing
MPLS service.
IPsec over Internet: Remote sites with no access to carrier MPLS or leased line connect
via the public Internet using whatever service is available in the area. In some cases,
even sites that have access to the other connectivity options connect using IPsec, as
it is a more cost-effective option.
The third tier of the enterprise WAN design is the Internet edge gateway. The Internet
edge is parallel to the WAN aggregation tier in the design and serves several purposes.
The first purpose of the Internet edge is to provide secure Internet access to the enterprise
and its remote sites. The Internet edge also provides access from the Internet to
enterprise-hosted resources such as web sites and other customer portals. Finally, the
Internet edge serves to provide a public-facing peering point for IPsec connected branches.
Given the size of many large enterprises, several distributed WAN aggregation hubs can
be deployed to serve areas of high site concentration. It is possible that only specific
areas will have a local Internet edge configuration. In many cases, the Internet edge will
be located close to the enterprise HQ and data center to minimize the amount of transit
traffic generated by remote sites and inbound resource requests.
This guide will cover each of these areas in detail, with design guidance and considerations
given in the following operational areas:
High availability
Class of service
Security
as over the Internet using secure overlay (IPsec VPN). To enable scale and more effective
control, the solution focuses on creating regional aggregation hubs to which all regional
sites first connect. From that site, private WAN services are provided to allow connection
to internal enterprise resources such as HQ resources and data centers. The solution is
designed to be simple and scalable. We will cover each of the layers of the design in
detail. The various layers of the WAN aggregation design are covered in the following
sections.
The solution consists of several points of presence and covers configurations for hub
sites, Internet edge connectivity, and remote site connectivity into the aggregation hubs.
This document uses the terms WAN aggregation site, hub, head end, and WAN aggregation
hub to describe the overall WAN aggregation site.
WAN Aggregation
WAN aggregation consolidates transports from multiple regional enterprise branches
onto a regional hub, consolidating the various enterprise branch transports into a private
MPLS network with backhaul into the company HQ and data centers.
The WAN aggregation point of presence, or POP, provides three distinct roles as it pertains
to WAN aggregation:
WAN aggregation: An internal router role not directly connected to the Internet; this
is where private leased line and private SP-managed Layer 3 and Layer 2 VPN services
terminate. This is also where services such as WCCP are hosted.
Internet edge: This router is external and peers with the public Internet. In the case
of the WAN aggregation use case, this router provides reachability for the IPsec tunnel
termination.
IPsec VPN router: This router terminates the IPsec and GRE tunnels from the
Internet-connected remote locations. The tunnel endpoints are in an Internet-facing
virtual-routing (VR) instance (VPN VR); however, the GRE tunnel addressing is internal
and part of the enterprise's private routing domain (WAN-GRE VR). To this end, the
Internet VR peers with and routes to and from the Internet edge router, and the
WAN-GRE VR peers with the WAN aggregation router.
These roles are tightly integrated in the solution; however, customers can choose, or
require, only one or two pieces of the functionality, and this design is modular enough to
allow this. For example, one customer's business requirements may dictate only the need to
provision WAN aggregation for Layer 3 VPN and leased line remote sites. In this case, the
business would not need the IPsec VPN router or Internet edge router roles at the WAN
aggregation site. Likewise, another customer's business requirements may require only Internet
connected remote site aggregation. In this case, the customer only needs the IPsec VPN
router at the aggregation hub.
Depending on the needs of the enterprise, the WAN aggregation role provides site-to-site
transport as well (in cases where VoIP or other real-time services require lower latency
than backhauled transport can provide). This design features a hub-and-spoke topology,
though the solution is flexible and can be configured for any-to-any connectivity using
the WAN aggregation hubs as localized spokes.
The WAN aggregation role is primarily to handle routing for the remote sites connecting
to the aggregation hub. It aggregates network connectivity from regional branches and
backhauls via the MPLS backbone to the HQ and data center sites. These connections
can come via leased private line, Layer 3 VPNs, or via IPsec connectivity (also called
secure overlay). This router contains routing protocol configuration (BGP or OSPF) for
private routing over the designated transport. If the preferred internal routing protocol is IBGP, the WAN
aggregation router peers with the branch and acts as a BGP route reflector for the branch
sites. If OSPF is the preferred IGP of the enterprise, the WAN aggregation router forms
an OSPF adjacency with the branch, with a separate OSPF area configured for each branch
connected. For Layer 3 VPN connections, the WAN aggregation router also forms an
EBGP adjacency with the service provider. In this scenario, the enterprise is using the
service provider MPLS network as the foundation upon which to build a private MPLS network.
The WAN aggregation router is part of the full IBGP mesh at the aggregation hubs, and
it is in the aggregation hubs' OSPF backbone. In addition, it is the location of the multicast
static rendezvous point at hub 1 (the primary WAN aggregation router), and it is an MSDP
peer to the static rendezvous point at hub 2 (the backup WAN aggregation router). The WAN
aggregation router holds all routing information for the aggregation hubs, and it acts as
the multicast rendezvous point at the hub. One of the reasons the design utilizes secure
overlay with GRE over IPsec is to enable dual stack (IPv4 and IPv6 traffic) as well as
tunneling of multicast traffic, while providing full filtering and per-tunnel hierarchical CoS to
secure overlay-connected sites. While dual stack and multicast transmission are fully
supported for Layer 3 VPN and private leased-line transports, the secure overlay design
required a bit more complexity in order to fully support all services attached to this
solution. Using GRE as a transport provides the added benefit for a hybrid overlay in that
it can easily be extended to transport MPLS VPN to Internet branches.
VPN
The VPN virtual router directly faces the Internet gateway and terminates IPsec tunnels
that are initiated at Internet-connected branches. It acts as the IPsec tunnel endpoint
for IPsec requests from the branches. The VPN design in the solution utilizes dynamic
IPsec endpoints: this configuration requires only two IPsec tunnel interfaces.
This virtual router hosts these IPsec tunnel interfaces. Additionally, the GRE tunnel
endpoints are configured in this virtual router; this allows for the use of reverse route
injection to advertise these tunnel endpoints even though the addresses used are
private (RFC 1918) addresses and are transported OVER the GRE tunnel.
NOTE: The reason for using private tunnel addresses for GRE that are
different from the IPsec tunnel public IP addresses is:
In Junos OS, if the same address is used for the IPsec and the GRE tunnel,
a routing recursion issue will occur and the IPsec tunnel will be torn down.
This is similar to the age-old issue of advertising a GRE tunnel's
endpoint over the GRE tunnel itself, except in this case, once the GRE
tunnel is established, if the same loopback address is used as for IPsec, the
IPsec traffic will be transported over the GRE tunnel and the IPsec tunnel
will be brought down.
Using this separate private addressing for GRE brings additional benefits:
Finally, using RRI allows for much greater scale, as no routing protocol is
required to run over the IPsec tunnels directly to advertise GRE tunnel
loopback addressing.
WAN-GRE
The WAN-GRE virtual router terminates GRE tunnels from Internet-connected branches.
Importantly, as detailed previously, this WAN-GRE instance is internal and, although
the GRE tunnels are configured in this instance, their tunnel endpoints exist in the VPN
(external) VR. It contains the private routing protocol configuration, either IBGP or
OSPF, which runs over the GRE tunnels to the branches. The GRE interfaces, the loopback
interface that provides addressing for GRE tunnels, and the interface to the WAN
aggregation router are in the routing instance. WAN-GRE is in the aggregation hub
OSPF backbone. For Internet-connected branches that use OSPF as the private routing
protocol over GRE tunnels, you configure an OSPF area for each branch in the GRE
routing instance. This allows route filtering and configuration of each Internet remote
site as an OSPF stub network. WAN-GRE is in the full IBGP mesh at the aggregation
hubs. For Internet-connected branches that use BGP as the private routing protocol
over GRE tunnels, you configure an IBGP peer for each branch. These peers are used
to peer with the remote end of the tunnel at the branch.
For traffic to hosted services from the data center and branches, or all internal networks,
WAN-GRE applies NAT and assigns an internal enterprise address. It then forwards
traffic to the HOSTED-WWW-NAT routing instance. This allows internal clients to
access the hosted services resources using the service's internal addressing.
- Transport
- Class of service
- High availability
- Security
- Scale
- Traffic flow
Branch Design Considerations on page 45 section. Remote sites with Internet access
via cable, DSL, or even satellite, can utilize that public access to gain secure access into
the enterprise WAN through secure overlay connectivity into the VPN termination router.
The individual transports are terminated into one of the router roles on the aggregation
hub. The WAN aggregation role handles termination of private leased line and Layer 3
VPN service while the VPN termination router handles secure overlay connectivity.
Some design considerations that went into the selection of transport configurations
include IP routing, IP protocol and tunneling, and data privacy.
The solution should support the following from an IP routing standpoint:
- Provide optimal routing connectivity from the primary WAN aggregation site to all
  remote locations
- The solution should isolate WAN routing topology changes from the core
- When multiple paths exist, the solution should support symmetric routing and load
  balancing over the multiple paths
- The solution should support site-to-site routing via the primary WAN aggregation site
- If the carrier services allow, the solution should permit optimal site-to-site routing
  (localized any-to-any rather than backhaul through a central WAN aggregation site)
- The solution should support IP Multicast sourced from the primary WAN aggregation
  site
Each of these functional requirements was incorporated into the WAN aggregation
design. The elements are covered throughout the next section, with select details as to
why specific choices were made over the alternatives.
1. Traffic flows to its destination from either the remote site (over private leased line)
   or from the enterprise HQ (or other remote sites).
2. Traffic destined for the enterprise HQ or remote site is processed by the WAN
   aggregation router, routed as per the routing table on the WAN aggregation router,
   and sent to the next hop (the remote site or enterprise HQ).
3. Traffic destined for hosted services in the enterprise data center:
   a. Traffic from the enterprise remote site is forwarded, based on the destination route,
      to the VPN termination router.
   b. On the VPN termination router, the virtual router (VR) named "Hosted-WWW-NAT"
      performs destination NAT on the traffic (translates the destination IP of
      the hosted service) and forwards it to the enterprise data center hosted services.
   c. The enterprise data center routes/switches traffic as designed.
4. Traffic destined for the Internet is forwarded to the VPN termination router.
Figure 13: Return Traffic Flow for Private Leased-Line Remote Sites
1.
2. Return traffic from hosted services: Application traffic from hosted services exits
1. Traffic flows to its destination from either the remote site (via Layer 3 VPN) or from
   the enterprise HQ. Traffic between Layer 3 VPN sites goes directly site to site, not via
   the aggregation site.
2. Traffic destined for the enterprise HQ or remote site is processed by the WAN
   aggregation router, routed as per the routing table on the WAN aggregation router,
   and sent to the next hop (the remote site or enterprise HQ).
3. Traffic destined for hosted services in the enterprise data center:
   a. Traffic from the enterprise remote site is forwarded, based on the destination route,
      to the VPN termination router.
   b. On the VPN termination router, the virtual router (VR) named "Hosted-WWW-NAT"
      performs destination NAT on the traffic (translates the destination IP of
      the hosted service) and forwards it to the enterprise data center hosted services.
   c. The enterprise data center routes/switches traffic as designed.
4. Traffic destined for the Internet enters the WAN aggregation router and is routed to
   the SFW-NAT-SERVICES VR. This VR performs source NAT for outbound Internet
   traffic (NAT source address to public IP pool). Translated traffic is forwarded to the ISP as
   per the routing table or default route.
The flow of return traffic from the hosted services/Internet/enterprise sites is shown in
Figure 15 on page 32.
1.
2. Application traffic from hosted services exits the enterprise data center and returns to the
   VPN termination router (via the HOSTED-WWW-NAT VR). Inbound firewall and NAT
   services are applied.
3. Traffic is forwarded from the VPN termination router to the WAN aggregation router for routing.
Figure 16: Traffic Flow from Secure Overlay Remote Sites to the Enterprise
1. Traffic flows from the remote site firewall to the VPN termination point via the public
   Internet.
   Outbound traffic is first encapsulated within GRE by the remote site firewall (SRX
   Series) and then encapsulated and encrypted within an IPsec tunnel. These tunnels
   terminate at different points in the aggregation hub.
   The twice-encapsulated traffic enters the WAN aggregation hub at the Internet
   gateway. Traffic is sent to the VPN VR (on the VPN termination router) for IPsec
   termination and decryption. The GRE tunnel terminates in the VPN routing instance
   as well, but the GRE tunneled traffic is terminated in the WAN-GRE VR. This is known
   as VRF-aware GRE, where the tunnel endpoints are in one VR and the internal
   addressing of the tunnel is in the internal or private WAN-GRE VR. (This is all done
   as a function of reverse route injection and VRF-aware GRE, covered in the secure
   overlay transport overview here: Remote Branch Design Considerations on page 45.)
   The enterprise traffic exits the WAN-GRE VR and is forwarded to its destination
   (enterprise HQ, other remote site, or data center).
2. Traffic destined for the secure overlay remote site (from the enterprise HQ) is sent
   via transport to the WAN aggregation router and routed (as per the routing table) to
   the VPN termination router. The traffic is sent to the WAN-GRE VR for GRE
   encapsulation. The GRE tunnel then enters the VPN VR for IPsec encapsulation and
   is forwarded to the IPsec endpoint (the remote site). The remote site firewall
   decapsulates and decrypts the traffic for host communication.
3. Traffic destined for hosted services in the enterprise data center:
   a. Traffic from the secure overlay remote site is forwarded, as per the VPN termination
      router's routing table, to the WAN-GRE routing instance; it is then forwarded to the
      HOSTED-WWW-NAT VR via the service set.
   b. On the VPN termination router, the virtual router (VR) named "Hosted-WWW-NAT"
      performs destination NAT on the traffic (translates the destination IP of
      the hosted service) and forwards it to the enterprise data center hosted services.
   c. The enterprise data center routes and switches traffic as designed.
4. Traffic destined for the Internet: from the VPN termination router, it is forwarded into the
   WAN-GRE VR and on to the WAN aggregation router. Finally, the SFW-NAT-SERVICES
   VR performs source NAT for outbound Internet traffic (NAT source address to public
   IP pool). Translated traffic is forwarded to the ISP as per the routing table or default route.
The flow of return traffic from the hosted services/Internet/enterprise sites is shown
in Figure 17 on page 34.
Figure 17: Return Traffic Flow to Secure Overlay Enterprise Remote Site
1.
2. Application traffic from hosted services exits the enterprise data center and returns to the
   VPN termination router (via the HOSTED-WWW-NAT VR). Inbound firewall and NAT
   services are applied. Traffic is then in the WAN-GRE VR, where it is encapsulated as above
   and forwarded on to the remote site.
3. Traffic bound for the secure overlay enterprise remote site is forwarded to the WAN-GRE VR.
BGP Design
The primary routing protocol selected for the WAN aggregation hubs is BGP.
Figure 18 on page 36 shows the BGP design at the aggregation hubs.
BGP is used to fill these roles in the design:
- Between the WAN aggregation and customer equipment (CE) and remote site, IBGP
  is used as the IGP for the remote site to enterprise WAN network.
- Between the WAN aggregation tier and the core, BGP is used as the EGP with the
  service provider.
The BGP design is slightly different depending on the branch type, connectivity, and role of
the terminating router.
IBGP is used on the WAN aggregation and VPN termination routers (and connecting
remote sites). This configuration features full-mesh IBGP, enabling any-to-any
connectivity through the WAN aggregation tier of the enterprise WAN.
For branches connected over carrier Layer 3 VPN, the remote sites form a BGP peering
with the service provider (most often a route reflector). In this design, we use the BGP
local preference attribute to override service provider routes and give preference to
routes on the enterprise WAN (at WAN aggregation router 1).
For leased-line connected sites, an IBGP peer to the branch is configured on the
terminating WAN aggregation router. The WAN aggregation router serves as a route
reflector in this scenario, advertising only the default route to the leased-line connected
branch.
OSPF Design
OSPF is used as the IGP for the enterprise WAN design (Figure 19 on page 37). OSPF is
used as the interior gateway routing protocol because it is easy to configure, does not
require a large amount of planning, has flexible summarization and filtering, and can
scale to large networks. OSPF, as deployed in this solution, reduces the amount of
bandwidth, processing, and memory necessary to carry large route tables while reducing
the convergence times associated with link failures. This is accomplished using route
summarization on links where logical boundaries exist (distribution layer links to the wide
area or to a core). OSPF fills a slightly different role depending on the branch connection
type utilized.
Leased-line branches can also use OSPF as the IGP, with a separate OSPF area created
for each branch. Routing policies are configured on the terminating WAN aggregation
router to enable export of BGP routes to OSPF for leased-line branches.
- Selected RPs for selected groups (RP designation). There are often different sets of
  RPs to serve content to select receivers. This content can be configured to use a
  dedicated RP, with only authorized endpoints permitted to join the multicast groups
  terminated on the RP.
- Class of service to limit multicast bandwidth and prioritize multicast traffic. These
  limits will be covered in the class-of-service design considerations.
- IGMPv2 configured with snooping enabled, enabling the remote site routers to learn
  of new multicast senders and join select multicast groups. This prevents flooding of
  unnecessary multicast traffic over the WAN links to the remote sites.
High Availability
The enterprise WAN solution features several tiers of resiliency to enable a highly available
WAN for the enterprise. Given that resiliency is a key requirement of the solution, each
tier of the solution was designed with redundancy at both the hardware and software
level. The solution design guidelines dictate that the network must tolerate single failure
conditions of any single WAN transport link or any network device at the primary WAN
aggregation site. Failover and convergence should be fast (within 2 seconds) and
automatic.
Hardware Redundancy
Redundant router components can be built into the design to enable physical redundancy
per WAN aggregation router. The design is built to be resilient without these components,
but to achieve a high level of availability (five nines or more), it is recommended that
fully redundant hardware be deployed at the WAN aggregation tier of the design. Routing
Engine redundancy provides not only backup control plane functionality, but also the
ability to upgrade software with minimal disruption of traffic (in-service software
upgrade, ISSU). ISSU support requires that graceful Routing Engine switchover (GRES) and
nonstop active routing (NSR) be enabled as well. GRES enables routing platforms with
redundant Routing Engines to continue forwarding traffic in the event that one Routing
Engine fails. GRES preserves interface and kernel information so that traffic forwarding
is not interrupted. GRES does not preserve control plane information: neighboring routers
will detect that the router has experienced a restart and, as such, will react
to the event in the manner prescribed by the configured routing protocol specifications. To
preserve routing during a switchover, GRES must be combined with graceful restart protocol
extensions or NSR.
NSR enables a routing platform with redundant Routing Engines to switch over from the
primary to the backup without alerting peer nodes that a change has occurred. While
NSR uses the same infrastructure as GRES to preserve interface and kernel information,
it also preserves routing information and protocol sessions by running the routing protocol
process (rpd) on both Routing Engines. NSR also preserves TCP sessions maintained in
the kernel. NSR and GRES must be configured together to enable optimal high availability
in this environment.
Additional layers of hardware redundancy can be put in place to protect against hardware
failure. Redundant power, cooling, and backplanes can be purchased and installed to
protect against the failure of any of these components.
This design guide does not employ hardware redundancy per platform, instead favoring
software and geographic redundancy combined with multi-platform hardware redundancy
(the implementation of multiple WAN aggregation nodes). Full hardware redundancy
at the WAN aggregation layer is a recommendation, though it does involve expense and
additional configuration to ensure complete high availability of the environment.
Failover Scenarios
The enterprise WAN solution is designed to use the primary aggregation hub as the main
traffic destination. In the event that the primary aggregation hub fails, or transport to the
primary hub fails, traffic is sent to the backup aggregation hub (Aggregation Hub 2) and
is routed back through the primary aggregation hub (in the event the hub is still active)
to the destination.
The following failover scenarios are covered in this guide:
Details on these failure scenarios can be found here: Solution Failover Scenarios on
page 77.
Class of Service
In enterprise WAN environments it is critical to be able to schedule and control the traffic
out to the remote branches in order to support the wide array of business critical traffic
types that are generated by today's enterprise. Fine-grained class of service to support
voice and video calls as well as business critical and non-business critical traffic is a core
requirement of the solution. The EWAN must be configured end to end to provide class
of service to business critical and real time flows while de-prioritizing non-essential traffic.
The class of service implementation must also be monitored to ensure the network is
providing a consistently high quality end user experience.
Some key design goals for the EWAN solution are:
- Traffic from remote sites is not trusted: all remote branch traffic and core LAN
  (HQ/Data Center) traffic is re-marked using multifield (MF) classifiers by the CE /
  remote site router (enterprise managed) prior to transmission over the uplink to the
  WAN aggregation tier.
- Traffic is prioritized through the platforms and service cards as completely as possible:
  - A complete enterprise traffic profile is evaluated, with high priority and essential
    application traffic selected and identified by one of several factors (source IP address,
    TCP port, etc.).
- Traffic is queued and scheduled at the CE and sent over the WAN with agreed-upon
  and configured marking values:
  - For traffic tunneled over the Internet (IPsec), the traffic is re-marked and policed
    before egress from the CE. TOS reflection is configured to ensure the class of service
    is propagated from the encrypted payload IP header to the GRE header for processing.
Table 2 on page 42 shows a summary of the classes of service provided by the EWAN
solution, including the service class marking options for layer 3 and layer 2 transports:
Class             Loss Priority   Code Point    Queue   Scheduler
Best_Effort       medium-high     be                    SCH_Best_Effort
Scavenger         high            cs1                   SCH_Scavenger
Bulk_Data         medium-high     af11, af12            SCH_Bulk_Data
Critical_Data     medium-low      af21, af22            SCH_Critical_Data
Video             low             af41, af42            SCH_Video
Voice             low             ef                    SCH_Voice
Network_Control   low             cs6, cs7              SCH_Network_Control
Table 2 shows the various classes of service recommended in the EWAN solution. The
class-of-service design supports CoS classification based on Layer 3 header information
using either per-hop behavior (PHB) markings or differentiated services code point
(DSCP).
Because the solution aggregates multiple types of transport, the configuration of CoS
becomes more challenging. For instance, secure overlay traffic features IPsec tunnels
encapsulated by GRE to enable per-unit GRE scheduling. Per-unit GRE scheduling allows
the implementation of a traffic shaper and traffic scheduling per GRE tunnel: this enables
control of the bandwidth permitted over the tunnel and permits class of service
assignment to traffic passing the tunnel. A key design consideration is ensuring that the
VPN termination router supports per-unit GRE scheduling.
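To make the Table 2 classes and the TOS-reflection requirement concrete, here is an added example (not code from the guide or from Juniper) that classifies a constructed IPv4 header by its DSCP code point and shows why reflecting the inner DSCP onto the GRE outer header matters for per-tunnel scheduling. The class names Scavenger and Bulk_Data are assumed from their scheduler names; the addresses and packet contents are constructed.

```python
"""Table 2 behavior-aggregate classification and GRE TOS reflection on constructed
IPv4 packets. Added illustration; not Junos code or output."""
import struct

# DSCP code point names used in Table 2 and their 6-bit values (RFC 2474/2597/3246).
DSCP_VALUES = {
    "be": 0, "cs1": 8, "af11": 10, "af12": 12, "af21": 18, "af22": 20,
    "af41": 34, "af42": 36, "ef": 46, "cs6": 48, "cs7": 56,
}
VALUE_TO_NAME = {v: k for k, v in DSCP_VALUES.items()}

# (class, loss priority, scheduler) keyed by code point, as laid out in Table 2.
# Assumption: Scavenger and Bulk_Data class names are taken from their scheduler names.
TABLE_2 = {
    "be":   ("Best_Effort",     "medium-high", "SCH_Best_Effort"),
    "cs1":  ("Scavenger",       "high",        "SCH_Scavenger"),
    "af11": ("Bulk_Data",       "medium-high", "SCH_Bulk_Data"),
    "af12": ("Bulk_Data",       "medium-high", "SCH_Bulk_Data"),
    "af21": ("Critical_Data",   "medium-low",  "SCH_Critical_Data"),
    "af22": ("Critical_Data",   "medium-low",  "SCH_Critical_Data"),
    "af41": ("Video",           "low",         "SCH_Video"),
    "af42": ("Video",           "low",         "SCH_Video"),
    "ef":   ("Voice",           "low",         "SCH_Voice"),
    "cs6":  ("Network_Control", "low",         "SCH_Network_Control"),
    "cs7":  ("Network_Control", "low",         "SCH_Network_Control"),
}


def dscp_of(ipv4_header: bytes) -> int:
    """Return the 6-bit DSCP from the TOS byte (byte 1) of an IPv4 header."""
    return ipv4_header[1] >> 2


def classify(ipv4_header: bytes):
    """Behavior-aggregate classification: map the packet's DSCP to a Table 2 row.
    A code point not in the table (an untrusted or stray marking) falls back to
    Best_Effort rather than being promoted."""
    name = VALUE_TO_NAME.get(dscp_of(ipv4_header))
    return TABLE_2.get(name, TABLE_2["be"])


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, dscp: int) -> bytes:
    """Build a minimal 20-byte IPv4 header (checksum left zero; not needed here).
    Addresses are constructed sample values."""
    tos = dscp << 2                       # DSCP occupies the top six bits; ECN zero
    return struct.pack(
        "!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0, 64, proto, 0,
        bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))),
    )


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str,
                    reflect_tos: bool = True) -> bytes:
    """Wrap an IPv4 packet in GRE (IP protocol 47, protocol type 0x0800).
    With TOS reflection on, the outer DSCP is copied from the inner header; off,
    every tunneled packet leaves with a best-effort outer header."""
    gre = struct.pack("!HH", 0, 0x0800)   # flags/version 0, payload type IPv4
    outer_dscp = dscp_of(inner) if reflect_tos else 0
    outer = ipv4_header(tunnel_src, tunnel_dst, 47, len(gre) + len(inner), outer_dscp)
    return outer + gre + inner


def scheduler_for_tunnel_packet(gre_packet: bytes) -> str:
    """What the per-unit GRE scheduler keys on: the outer header only. Without
    reflection all classes collapse into SCH_Best_Effort on the tunnel."""
    return classify(gre_packet[:20])[2]
```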
Security
The security of the solution involves protection of both the routing infrastructure
(aggregation hubs, CPE devices) and the protection of enterprise traffic. The infrastructure
utilizes routing protocol protection to protect and monitor the routing infrastructure from
intrusion and attack that would affect its ability to route enterprise traffic.
Design                     Type of Branch   Scale          Bidirectional Throughput (Platform Throughput)
Three Router Aggregation   Leased-Line      3000 v4 only   800 Mbps
                                            3000 v4+v6     700 Mbps v4, 100 Mbps v6
Virtualized Aggregation    Leased-Line      3000 v4 only   1.65 Gbps
                                            3000 v4+v6     1.45 Gbps v4, 200 Mbps v6
Network Management
Junos Traffic Vision
Junos Traffic Vision provides increased visibility into network traffic flows to help you
improve security and increase network efficiency, operations, and planning. Junos Traffic
Vision provides data in an industry-standard format so that you can export traffic information
to Juniper Networks or third-party tools. You can then use the data to detect intrusions,
monitor service-level agreements, and analyze usage-based accounting, traffic profiling,
and traffic engineering. Junos Traffic Vision was formerly known as JFlow accounting.
SNMP
SNMP is used to monitor and measure network performance and availability. In this
solution, SNMP monitors interface state and packet performance (loss, drops, packets
transmitted). SNMP can be used proactively or reactively. SNMP polling is a regularly
scheduled status poll sent from a network management system (OpenNMS on
Junos Space, for instance) that determines the state of various components of the target
system. SNMP polling is usually used to monitor networks for down interfaces and packet
loss so that network operators can troubleshoot and restore network operation. SNMP traps
are specifically configured event triggers on a network or host platform that fire on
a specific event (for example, x invalid login attempts have occurred on the WAN
acceleration routing engine). SNMP traps are designed for network operators to react
to events that are not typically caught by SNMP polling.
System Logging
System logging, or syslog, is a standard protocol used for the logging of computer or host
messages. In this solution, syslog is used to forward targeted messages to a downstream
syslog server. The message types are separated and identified by severity level. Network
operators typically look to log and review syslog messages that fall in the Error, Alert,
Critical, or Emergency levels. This type of syslog message is often triggered by network
events that must be addressed to prevent outages or potential security issues.
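The severity filtering described here, together with the repeated-invalid-login trigger mentioned under SNMP, as an added example (not code or output from the guide or from any Juniper product): the syslog PRI field is parsed, messages at Error severity or worse are kept for review, and a trap-style event is raised when failed logins from one source reach a threshold. The log lines, hostnames and addresses are constructed.

```python
"""Severity-based triage of forwarded syslog plus a failed-login threshold trigger.
Added illustration on constructed RFC 3164-style lines; not device output."""
import re
from collections import Counter

SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Info", "Debug"]
ERROR_OR_WORSE = 3          # severities 0..3 are the ones operators review

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")
# Constructed message shape for a failed login; adjust to the real device format.
LOGIN_FAIL_RE = re.compile(r"Login failed for user '([^']+)' from host '([^']+)'")

# Constructed sample lines (not captured from a router); <PRI> = facility*8 + severity.
SAMPLE_LINES = [
    "<29>Feb 23 10:00:01 wanagg1 rpd[1450]: BGP peer 10.1.0.2 changed state from Established to Idle",
    "<27>Feb 23 10:00:02 wanagg1 rpd[1450]: OSPF neighbor 10.1.0.9 on ge-0/0/1.0 went from Full to Down",
    "<10>Feb 23 10:00:03 wanagg1 chassisd[900]: fan tray 0 failed, temperature rising",
    "<38>Feb 23 10:00:04 vpnterm1 sshd[2100]: Login failed for user 'admin' from host '198.51.100.7'",
    "<38>Feb 23 10:00:05 vpnterm1 sshd[2100]: Login failed for user 'admin' from host '198.51.100.7'",
    "<38>Feb 23 10:00:06 vpnterm1 sshd[2100]: Login failed for user 'root' from host '203.0.113.55'",
    "<38>Feb 23 10:00:07 vpnterm1 sshd[2100]: Login failed for user 'admin' from host '198.51.100.7'",
    "<38>Feb 23 10:00:08 vpnterm1 sshd[2101]: Accepted publickey for netops from 10.0.50.4",
    "Feb 23 10:00:09 wanagg1 mgd[300]: commit complete (relayed without a PRI field)",
]


def parse_pri(line: str):
    """Split the RFC 3164 PRI into (facility, severity, rest).
    Returns None when the PRI is missing or out of range (max 191)."""
    match = PRI_RE.match(line)
    if not match:
        return None
    pri = int(match.group(1))
    if pri > 191:
        return None
    return pri // 8, pri % 8, match.group(2)


def actionable(lines):
    """Messages operators log and review: severity Error (3) or worse.
    Lines without a parseable PRI are dropped rather than guessed at."""
    selected = []
    for line in lines:
        parsed = parse_pri(line)
        if parsed and parsed[1] <= ERROR_OR_WORSE:
            selected.append((SEVERITY_NAMES[parsed[1]], parsed[2]))
    return selected


def invalid_login_events(lines, threshold: int):
    """Trap-style trigger: source hosts with at least `threshold` failed logins
    in the batch, mirroring the 'x invalid login attempts' SNMP trap example."""
    counts = Counter()
    for line in lines:
        parsed = parse_pri(line)
        if parsed is None:
            continue
        match = LOGIN_FAIL_RE.search(parsed[2])
        if match:
            counts[match.group(2)] += 1
    return {src: n for src, n in counts.items() if n >= threshold}
```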
Hardware Platforms
The devices at the aggregation hub must consolidate multiple networks. These devices
must be scalable, support a range of interfaces such as T3 and GRE tunnels, and support
services such as IPsec, IP routing, and dual stack while consolidating multiple networks at
the aggregation hubs.
For the three roles at the WAN aggregation hub (Internet edge, WAN aggregation, and
VPN termination), you can use a separate router for each role or you can use a single
router for all three roles.
SRX Series Services Gateways: SRX Series Services Gateways are high-performance
network security solutions for enterprises and service providers that pack high
port-density, advanced security, and flexible connectivity, into easily managed
platforms. These versatile and cost-effective solutions support fast, secure, and highly
available, data center and branch operations, with unmatched performance to deliver
some of the industry's best price-performance ratios and lowest TCOs.
M7i Multiservice Edge Router: The M7i is the most compact edge routing platform. With
10 Gbps of throughput and integrated service capabilities, the M7i is ideal as an IP/MPLS
service provider edge router in small POPs (points of presence) or as an enterprise
edge router for Internet gateway or branch aggregation.
Branch   Branch    Transport                     Dual      Dual-Homed to     Link-Level High       Security                        Routing
Size     Router                                  Carrier   Aggregation Hub   Availability                                          Protocol
Small    Single    T3 or Ethernet Leased-Line    No        No                BFD                   Provided by service provider    OSPF or BGP
Small    Single    Internet                      Yes       Yes               BFD                   Security zones                  OSPF or BGP
Large    Single,   Layer 3 VPN with backup       Yes       Yes               BFD over Internet;    Transport security from         OSPF, BGP,
         Dual      Internet; Layer 3 VPN                                     Provided by service   service provider; IPsec;        EBGP, IBGP
                                                                             provider              Routing Engine protection
Remote site design considerations are covered in the next sections and include:
- Transport
- Routing design
- High availability
- Class of service
- Security
- Services
Leased-Line Transport
The first remote site to enterprise WAN transport featured in the solution is the use of
private leased-line service. With this transport, the branch router connects to an
aggregation hub over a leased line service. This implementation allows for the use of any
TDM or optical-based leased line service as well as Ethernet leased line service as the
transport from the branch to the enterprise WAN. The solution was tested with DS3 (over
Channelized OC3) and Ethernet access: any leased line service should work within this
design. Figure 21 on page 47 shows the topology of leased line transport.
This transport configuration is the simplest of the three solution options because it is
provisioned as a private, point-to-point circuit (circuit-switched service) between the
remote site and enterprise WAN. The connection can terminate on a physical interface
at the remote site and to a single physical interface at the aggregation hub, or as a bundle
of channelized circuits over a larger pipe (terminated as multiple DS3s over a channelized
OC3/STM-1). The design of the end-to-end solution is the simplest with this option but
often comes at a much higher cost due to the typical cost of private circuit-switched
service through the service provider network.
This design offers a mix of convenience and cost savings at the expense of control. This
service is configured over a packet-switched network (MPLS) that features a large degree
of oversubscription. Because the end-to-end circuit is virtual (not statically configured
as in the leased line transport), this type of service can often be obtained at lower cost
than the leased line option. In this transport option, the end-to-end transport is secure,
private, and will often come with a service-level agreement (SLA) to ensure specific
uptime, performance, and class of service vectors are consistently achieved. This option
does surrender a bit of control to the service provider. Routing on a Layer 3 VPN service
is often performed between the remote site and the carrier: as such, some design
considerations are made to ensure the enterprise can control the routing between the
remote site and the WAN. CoS will often need to be re-mapped as well if the service
provider's Layer 3 VPN CoS offering does not exactly match the enterprise's. Each of these
design considerations is covered in later sections of this document.
The primary design consideration with this scenario involves a trade-off between cost,
convenience, and complexity. This type of solution is common to small enterprise remote
sites because it is inexpensive, some form of Internet access is available most anywhere,
regardless of location, and the enterprise is accustomed to building this type of remote
access network. This option within the enterprise WAN solution is somewhat complex,
however. Before moving on to routing and class-of-service design, it is important to
understand how the secure overlay tunnels are designed and why they are designed this
way.
In understanding the design chosen for IPsec, one must consider the multitude of options
available to configure IPsec in Junos OS. These options are outlined below, and
configuration examples are provided here: Connecting a Small Branch to Dual-Homed
Aggregation Hubs over the Internet on page 281.
1. Use point-to-point IPsec tunnel configuration with static remote addressing and static
   routing. This is the simplest case, but the configuration is extensive and the aggregation
   site needs to be configured every time a new site is added. Additionally, the remote
   site's public IP address needs to be known, so in most SOHO environments this is not
   achievable as their addresses are DHCP assigned. It has to rely on dead-peer detection
   for failover.
   Advantages: Simple configuration
   Disadvantages: Large configuration
2. Use point-to-point IPsec tunnel configuration with static remote addressing and
   dynamic routing. This is the simplest case, but the configuration is extensive and the
   aggregation site needs to be configured every time a new site is added. Additionally,
   the remote site's public IP address needs to be known, so in most SOHO environments
   this is not achievable as their addresses are DHCP assigned. As detailed below, the
   failure discovery can be faster, and the choice of routing protocol is important for scale.
   BGP scales well, BUT needs additional static routing for peer addressing reachability.
   OSPF and IS-IS discover peers.
   Advantages: Simple configuration
   Disadvantages: Large configuration
3. Use dynamic endpoint IPsec with a dedicated services interface per site (and
   proposal/policy). This option is chosen when the remote site's public IP address is
   unknown (dynamic) yet one still wants to run a routing protocol over every IPsec
   tunnel. A dedicated service interface is required for a routing protocol, as in shared
   mode the protocol has no dedicated IFL.
   Advantages: Simple configuration
   Disadvantages:
4. Use dynamic endpoint IPsec with a shared services interface and reverse route insertion
   (RRI). This option is chosen when the remote site's public IP address is unknown
   (dynamic) and for scale one does not want to use a dynamic routing protocol over
   the IPsec tunnels. Here RRI is very useful, as on the aggregator one can use a
   super-netted summary network in the proxy-pair configurations matching a site
   proposal. These proxy-pair configurations, if accepted, cause installation of a static
   route matching the source and destination in the proposal.
   Advantages: Simple configuration; small configuration; zero-touch IPsec provisioning on
   the aggregator; the site can have a dynamic public IP address.
   Disadvantages: Need to rely on DPD for failure detection.
As you can see from the above options, number 4 fits this design perfectly. In this
aggregation design we can make the IPsec very lightweight: use dynamic endpoint
IPsec in shared mode (small configuration) and use RRI to install the routes required for
GRE tunnel endpoint reachability, thereby allowing for a large scale of IPsec tunnels.
Additionally, because we are running BGP and OSPF over these GRE tunnels, we do not
need to rely on DPD for failure detection. In this case routing protocol hello and
dead-timers are used, or, for very fast convergence, BFD can be configured.
The creation of a secure remote site to enterprise WAN transport over public Internet is
the goal of this solution. The solution must support full class of service and resiliency
while also protecting the enterprise data. As a result, the secure overlay tunnel designed
in this solution utilizes IPsec to secure the transport between the remote and enterprise
WAN. Within the IPsec transport, a second GRE tunnel is built: it is this GRE tunnel that
encapsulates and transports the enterprise traffic. This stacked tunnel approach involves
a seemingly complex configuration. Once the tunnels are built, the creation of multiple
end tunnels is quite easy because the solution features IPsec dynamic endpoints along
with a simple, automatic configuration that brings up the end-to-end tunnel, establishes
routing, and fails over in redundant environments as per the requirements of the typical
large enterprise.
The first piece of the design, the IPsec tunnel, is configured at the remote site to initiate
from an interface in the untrust-vpn routing instance: the IPsec tunnel terminates on the
VPN VR routing instance at the aggregation hub. During this phase of the transport setup,
the following occurs:
1. The IPsec tunnel negotiates phase 1 / phase 2 using either pre-shared key or certificate
authentication (both were tested): the tunnel is established. The tunnel source at the remote is
untrust-vr; the tunnel destination at the aggregation router is the VPN VR of the VPN
termination router (or routing instance).
a. The remote site local-ID/remote-ID are the local loopback IP address and the loopback
IP of the aggregation router.
b. The aggregation router matches the remote site loopback (local-id) to a configured
access list and allows the tunnel to terminate on an SP interface.
c. Reverse route injection occurs, advertising and injecting the /32 route to the remote
loopback (used for the GRE tunnel) pointing to the spawned SP interface.
2. The reverse route injection adds the next-hop interface to the routing table as a static
route. This route is the termination point (tunnel end point addressing) for the GRE
tunnel.
The second part of the design, the GRE tunnel, initiates from a loopback interface in the
default routing instance at the branch and terminates at the VPN routing instance of the
aggregation hub, with the INTERNAL addressing of the GRE tunnels (dual stack) belonging
to the WAN-GRE VR:
1. Once the IPsec tunnel is established, and reverse route injection adds the route to the
loopback interface of the aggregation router, the GRE tunnel is established (between
the loopback at the remote, in trust-vr, and the loopback on the aggregation router,
in the VPN routing instance).
2. All routing between the remote site and enterprise flows through the GRE tunnel
(encapsulated within and encrypted by IPsec). Routing is covered in the next section.
The end-to-end flow and order of tunnel setup is shown in Figure 24 on page 52.
Figure 24: Secure Overlay Design for Connecting Remote Sites to the Enterprise WAN
As mentioned earlier a key to the functionality of this transport is the use of IPsec dynamic
endpoints with reverse route injection. This technology has its roots in client-server VPN.
IPsec dynamic endpoint configuration enables a relatively simple configuration and
initiation of tunneling between the client (remote site) and server (VPN termination @
aggregation hub). The dynamic IPsec endpoints with reverse route injection works in the
following way:
1. Phase 1 of the IKE negotiation occurs. A pre-shared key (PSK) or certificate is
exchanged and authenticated. Phase 1 is successful; phase 2 IKE negotiation begins.
2. Phase 2 of IKE negotiation occurs. In this phase, local and remote IDs (peer IDs) are
to the IPsec termination loopback address of the remote site and the remote ID
corresponds to the IPsec termination interface on the hub.
4. The hub site is configured with a local ID (the IPsec termination loopback) and a
remote ID. This remote ID, however, is configured as a range of IP addresses (if the
remote sites use IP addresses in the 172.20.0.0/20 subnet as their local loopback
addresses (used for GRE tunnel termination), the remote ID for the hub would be
172.20.0.0/20). This configuration enables any remote site with the proper loopback
address to terminate an IPsec tunnel on the hub.
5. Once phase 2 completes, the hub, using the IPsec dynamic endpoint feature, performs
reverse-route injection, inserting a route into the remote site's routing table that points
to the GRE-termination interface at the hub (using the IPsec next-hop at the hub).
6. Once the remote site has a route to the hub loopback (GRE termination loopback),
The use of GRE over IPsec as the tunneling protocols adds some complexity to the
solution but offers the enterprise a couple of benefits:
Flexibility: IPsec support for some solution services such as multicast, class of service,
and dynamic routing protocol configuration has not yet been integrated into the solution
platform. The solution features support for dual-stack deployment (IPv4 and IPv6),
so the combination of IPsec and GRE is required for the current solution.
Greater interoperability: Most routing vendors support GRE. Deploying GRE allows the
solution to operate with most other vendors' routing and VPN termination products,
providing some assurance that elements of this solution will integrate easily into
multi-vendor environments.
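The hub side of the dynamic endpoint IPsec with reverse route insertion described above (option 4 in the design choices, and the phase 1 / phase 2 / RRI sequence), as an added Junos configuration example that is not taken from the guide. The statement hierarchy follows the Junos dynamic endpoint IPsec configuration for MX Series routers with services PICs as I know it and should be checked against the configuration guide of the platform in use. The 172.20.0.0/20 remote loopback range is the one the text uses; the 10.0.0.0/8 enterprise summary, the local gateway address, the sp- unit numbers, the routing-instance name and all policy names are assumptions.

```junos
# Added example (not from the guide): dynamic endpoint IPsec with reverse route
# insertion on the aggregation hub. Addresses other than 172.20.0.0/20, unit
# numbers, policy and instance names are assumptions.
access {
    profile DEP-REMOTE-SITES {
        # client *: any peer whose identity falls inside the remote proxy range
        client * {
            ike {
                # super-netted summary: every site's /32 loopback matches this pair,
                # and the accepted proxy installs a static /32 toward the spawned IFL
                allowed-proxy-pair local 10.0.0.0/8 remote 172.20.0.0/20;
                pre-shared-key ascii-text "PLACEHOLDER-use-certificates-or-a-strong-key";
                ike-policy IKE-POL-DEP;
                ipsec-policy IPSEC-POL-DEP;
                interface-id DEP-SHARED;
            }
        }
    }
}
interfaces {
    sp-0/3/0 {
        # shared inside interface: one IFL serves all spawned tunnels (no IGP over IPsec)
        unit 4001 {
            dial-options {
                ipsec-interface-id DEP-SHARED;
                shared;
            }
            family inet;
        }
        unit 4002 {
            family inet;
        }
    }
}
services {
    ipsec-vpn {
        ike {
            proposal IKE-PROP-DEP {
                authentication-method pre-shared-keys;
                dh-group group14;
                authentication-algorithm sha-256;
                encryption-algorithm aes-256-cbc;
            }
            policy IKE-POL-DEP {
                proposals IKE-PROP-DEP;
            }
        }
        ipsec {
            proposal IPSEC-PROP-DEP {
                protocol esp;
                authentication-algorithm hmac-sha-256-128;
                encryption-algorithm aes-256-cbc;
            }
            policy IPSEC-POL-DEP {
                perfect-forward-secrecy {
                    keys group14;
                }
                proposals IPSEC-PROP-DEP;
            }
        }
    }
    service-set SS-DEP {
        next-hop-service {
            inside-service-interface sp-0/3/0.4001;
            outside-service-interface sp-0/3/0.4002;
        }
        ipsec-vpn-options {
            local-gateway 203.0.113.10;
            ike-access-profile DEP-REMOTE-SITES;
        }
    }
}
routing-instances {
    # the VPN VR owns the spawned inside interface and receives the RRI /32 routes
    VPN-VR {
        instance-type virtual-router;
        interface sp-0/3/0.4001;
        interface lo0.2;
    }
}
```

Nothing per site is configured on the hub: a remote whose loopback is inside 172.20.0.0/20 and whose proposal matches the proxy pair is accepted, and its /32 appears in the VPN VR as a static route pointing at sp-0/3/0.4001, which is exactly the route the GRE tunnel then rides on. A remote outside that range, or one proposing a local network outside 10.0.0.0/8, is refused at phase 2, so the range doubles as the admission control for the overlay.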
OSPF and BGP to be used as the IGP for enterprise remote sites. For enterprises with
more than 500 remote sites connecting over the enterprise WAN, we recommend using
BGP due to the greater control and scale it provides. Enterprises with fewer than 500
sites are better served by OSPF due to its simplicity and optimal scale for smaller routing
environments.
When using BGP as the IGP over the leased line interface, the solution utilizes an IBGP
peer group on the branch and WAN aggregation router. The IBGP peer (WAN aggregation
router) acts as a route reflector for the branch BGP session. The branch is configured to
accept only a default route from the WAN aggregation hub (using IBGP import policy)
to ensure that all outbound traffic flows through the configured primary uplink to the
enterprise WAN (to Aggregation Hub 1). BGP export policies deny default route
advertisement back to the hub to prevent routing loops. BGP advertises the remote site
router loopback address to the hub (used as the next-hop interface for branch-bound
traffic).
Generally, when OSPF is used as the IGP, the WAN aggregation router will advertise an
OSPF default route to the remote sites. This minimizes the size of the routing table at
the remote site and enables simpler troubleshooting of routing issues. When OSPF is
used, each remote router is configured as a separate OSPF stub area, advertising its local
networks to the aggregation hub and importing only the default route from the backbone
area (OSPF Area 0). If OSPF is chosen, there are two key design considerations:
The backbone will always be area 0 (this is common to all OSPF deployments, as
OSPF area 0 is also called the backbone area).
Area x: Each remote site will be assigned a unique OSPF area ID. The area is configured
as a stub area to ensure that branch routes are not advertised beyond the backbone
area and to enable greater control of enterprise routing. The remote site should only
receive a default route from the backbone router.
Leased-Line Routing
This routing scenario is the simplest in the solution due to the presence of a dedicated
virtual circuit between the remote site and the hub. The remote site utilizes a loopback
interface as the peering interface for either BGP or OSPF. The hub site utilizes a similar
configuration in the WAN aggregation router. As in all of these solutions, only a default
route is advertised by either OSPF or BGP to the remote site. BGP route injection and
export filters are used at the remote site to accept only the BGP default-route and to
export all local routes save for the BGP default-route (the remote site often has a second
default-route from a backup uplink). This prevents the introduction of routing loops into
this topology. The hub site should also be configured with a BGP import policy that
prevents import of BGP default-routes from the remote sites to ensure routing loops are
not introduced.
To maintain control of routing, the use of the AS Override BGP attribute is required.
This attribute should be set to override the AS assigned to the BGP session, enabling
the remote site router and hub router to exchange routing information.
BGP routing policies must be applied at the remote site to prevent routing loops:
EBGP export policy should be configured to prevent default route from being
advertised to the enterprise. The export policy allows for only OSPF and direct routes
to be exported.
EBGP import policy should be configured to accept only the default route (the peer
should only send the default route). The policy should also set the proper local
preference in cases where there are multiple uplinks (200 preference to configure
the peer as the preferred path, default preference for backup link EBGP peers).
Figure 25: Layer 3 VPN Routing Between Remote Site and Enterprise WAN
If using BGP, import and export policies will dictate import of only default-route and
export of only local routes and OSPF routes (no default route export).
If using OSPF, the remote site will be configured with a unique area number (stub area)
and will only import the summary (default) route from the enterprise.
configured with a lower preference to force all traffic over the primary GRE over IPsec
tunnel. When the primary tunnel experiences an outage, the remote router recognizes
this outage, downs the interface associated with the tunnel (primary loopback) and
replaces the active routes in the routing table with the backup tunnel routes. To enable
fast detection of failures of the secure overlay tunnel, BFD is employed. BFD enables
millisecond-level failure detection at the link layer and enables faster convergence of
configured routing protocols.
Figure 27: Backup Secure Overlay Tunnel Created from Single Uplink Remote Site
Figure 28: Layer 3 VPN with Secondary CPE and Backup Layer 3 VPN Service
Use of OSPF (area 1) as the IGP of the remote site. Sites of this type are likely to have
multiple VLANs, business units, and business services such as voice, video, and data,
all coming from different VLANs on the network. The use of OSPF as the IGP enables
a layer 3 switch to act as the local router for the branch, controlling routing within the
branch and advertising local routes to the branch router (which advertises those routes
to the enterprise).
Redundancy between the remote site routers is achieved utilizing Virtual Router
Redundancy Protocol (VRRP). VRRP v3 (RFC 5798) provides a routing redundancy
mechanism for both IPv4 and IPv6, creating virtual router interfaces that favor a primary
or backup router in the redundant pair. A VRRP Master is configured with a priority of
200 and the Backup is configured with a priority of 100 (higher VRRP priority is the
master) to ensure that all traffic flows through the primary router to the enterprise.
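The dual-CPE VRRP arrangement just described (VRRPv3, master priority 200, backup priority 100, dual stack), as an added Junos configuration example that is not configuration from the guide. Interface names, LAN addresses and the uplink tracking are assumptions.

```junos
# Added example (not from the guide). Interfaces, addresses and tracking are assumed.
protocols {
    vrrp {
        version-3;
    }
}
# ---- primary CPE ----
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.10.1.2/24 {
                    vrrp-group 1 {
                        virtual-address 10.10.1.1;
                        priority 200;
                        preempt;
                        accept-data;
                        track {
                            # lose master role if the WAN uplink goes down: 200-150 < 100
                            interface ge-0/0/0 {
                                priority-cost 150;
                            }
                        }
                    }
                }
            }
            family inet6 {
                address 2001:db8:10:1::2/64 {
                    vrrp-inet6-group 1 {
                        virtual-inet6-address 2001:db8:10:1::1;
                        virtual-link-local-address fe80::10:1:1;
                        priority 200;
                        preempt;
                        accept-data;
                    }
                }
            }
        }
    }
}
# ---- backup CPE: same virtual addresses, lower priority ----
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.10.1.3/24 {
                    vrrp-group 1 {
                        virtual-address 10.10.1.1;
                        priority 100;
                        preempt;
                        accept-data;
                    }
                }
            }
            family inet6 {
                address 2001:db8:10:1::3/64 {
                    vrrp-inet6-group 1 {
                        virtual-inet6-address 2001:db8:10:1::1;
                        virtual-link-local-address fe80::10:1:1;
                        priority 100;
                        preempt;
                        accept-data;
                    }
                }
            }
        }
    }
}
```

The interface track is the part the priorities alone do not give you: without it the primary CPE stays VRRP master even when its own uplink has failed, and LAN traffic is drawn to a router that must then hairpin over the inter-CPE link. With a priority cost larger than the 100-point gap, an uplink failure hands the master role to the backup CPE at the same time its Layer 3 VPN default route becomes the best path.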
The primary Layer 3 VPN is configured with an import policy setting the preference
of routes received via that interface to 200, making this the preferred path for traffic.
The backup Layer 3 VPN BGP routes are left at the default preference.
Forwarding Class    Loss Priority    Code Point    Queue    Scheduler
Best_Effort         medium-high      be                     SCH_Best_Effort
                    high             cs1                    SCH_Scavenger
                    medium high      af11, af12             SCH_Bulk_Data
Critical_Data       medium low       af21, af22             SCH_Critical_Data
Video               low              af41, af42             SCH_Video
Voice               low              ef                     SCH_VOICE
Network_Control     low              cs6, cs7               SCH_Network_Control
in the packet header is examined, and this single field determines the CoS settings
applied to the packet. BA classifiers allow you to set the forwarding class and loss
priority of a packet based on the Differentiated Services code point (DSCP) value,
DSCP IPv6 value, IP precedence value, MPLS EXP bits, and IEEE 802.1p value. The
default classifier is based on the IP precedence value.
Forwarding classes: These are simply buckets of traffic that affect the queuing,
prioritization, and forwarding of traffic.
Queuing: This determines the order in which packets are sent to the downstream
router. Higher priority packets are sent first, with the lower priority packets queued
and sent as bandwidth becomes available.
Schedulers: The scheduler is the configuration point for queue number, priority, and
loss priority. This determines which packets fall into each CoS queue and how each
type of traffic will be treated.
Policers for traffic classes: These enable the limiting of bandwidth in a certain class
of traffic. Policers are often used to limit the amount of high priority traffic that can
pass: without a policer, high priority traffic could starve the rest of the CoS queues
and cause severe degradation in service. Policers can be applied across the entire
class of service footprint to ensure that no single class of traffic can starve the rest
of the classes.
NOTE: This solution employs various Juniper Networks routing and security
platforms at the aggregation hubs and remote sites. Some platforms have
a slight difference in the way traffic is counted due to the difference in how
each platform accounts for Layer 2 overhead. More information on the
accounting of Layer 2 overhead in interface statistics can be found here:
Juniper Networks Technical Publications.
Egress traffic shaping overhead can also be configured to normalize
accounting statistics. More information on the calculation and modification
of egress shaping overhead in class of service can be found here: Juniper
Networks Knowledge Base.
CoS marking on traffic sourced from the core is inherently trusted: no remarking is
performed.
LAN.
Figure 29: Inbound CoS to Small Remote Site Using Leased-Line Access
Class of service configuration and packet flow for outbound traffic is configured as seen
in Figure 30 on page 62.
1. Inbound traffic from the remote site LAN to the branch router.
2. Ingress interface firewall filter configured with CoS multifield classifier. Mark based
destination.
Figure 30: Outbound CoS to Small Remote Site Using Leased-Line Access
The classification and queuing of upstream traffic in this scenario is done based on DSCP
markings: these markings are applied to the payload IP header (in the DSCP field) by a
multifield classifier. Because the traffic is encrypted and encapsulated, the encapsulating
IP headers (GRE header and IPsec header) do not automatically carry the class of service
markings from the payload IP header. This is overcome by enabling ToS reflection. ToS
reflection copies the payload IP header attributes (in this case, the DSCP field) to the
outer IP header (the GRE and IPsec headers). This ensures that downstream routers and
the hub can properly apply class-of-service actions on traffic between the remote site
and enterprise.
Per-unit GRE scheduling is the second feature that must be used to properly enable class
of service in the secure overlay transport scenario. This configuration simply means that
the class of service ingress and egress interface is set to the GRE tunnel interface. At the
remote site, an SRX Series Services Gateway is used to terminate secure overlay tunnels.
In this scenario, the loopback interface is the termination point for the GRE tunnel
(loopback located in the trust-vr and in the untrust security zone). On the hub, the GRE
tunnel terminates on the WAN-GRE VR; class of service is applied to that logical
interface.
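The remote-site class-of-service pieces described in this section and in the CoS building blocks passage above (the forwarding-class table, a DSCP behavior-aggregate classifier, schedulers and scheduler map, the multifield classifier on LAN ingress, per-unit scheduling on the GRE interface, and ToS reflection), as one added Junos configuration example that is not configuration from the guide. Queue numbers, transmit rates, the 50m shaping rate (the ISP port rate), interface names, addresses and the port ranges in the multifield filter are assumptions, as are the Scavenger and Bulk_Data class names (the table lists only their schedulers). The medium-high and medium-low loss priorities need a platform with tri-color marking support; on a platform without it, use high and low.

```junos
# Added example (not from the guide). Queue numbers, rates, interfaces, addresses,
# port ranges and the Scavenger/Bulk_Data class names are assumptions.
class-of-service {
    forwarding-classes {
        queue 0 Best_Effort;
        queue 1 Scavenger;
        queue 2 Bulk_Data;
        queue 3 Critical_Data;
        queue 4 Video;
        queue 5 Voice;
        queue 7 Network_Control;
    }
    classifiers {
        # BA classifier for trusted traffic arriving from the hub over the tunnel
        dscp BA-DSCP {
            forwarding-class Best_Effort { loss-priority medium-high code-points be; }
            forwarding-class Scavenger { loss-priority high code-points cs1; }
            forwarding-class Bulk_Data { loss-priority medium-high code-points [ af11 af12 ]; }
            forwarding-class Critical_Data { loss-priority medium-low code-points [ af21 af22 ]; }
            forwarding-class Video { loss-priority low code-points [ af41 af42 ]; }
            forwarding-class Voice { loss-priority low code-points ef; }
            forwarding-class Network_Control { loss-priority low code-points [ cs6 cs7 ]; }
        }
    }
    schedulers {
        SCH_Voice { transmit-rate percent 10; priority strict-high; }
        SCH_Video { transmit-rate percent 25; priority high; }
        SCH_Critical_Data { transmit-rate percent 20; }
        SCH_Bulk_Data { transmit-rate percent 15; }
        SCH_Best_Effort { transmit-rate percent 20; }
        SCH_Scavenger { transmit-rate percent 5; priority low; }
        SCH_Network_Control { transmit-rate percent 5; priority high; }
    }
    scheduler-maps {
        SM-OVERLAY {
            forwarding-class Voice scheduler SCH_Voice;
            forwarding-class Video scheduler SCH_Video;
            forwarding-class Critical_Data scheduler SCH_Critical_Data;
            forwarding-class Bulk_Data scheduler SCH_Bulk_Data;
            forwarding-class Best_Effort scheduler SCH_Best_Effort;
            forwarding-class Scavenger scheduler SCH_Scavenger;
            forwarding-class Network_Control scheduler SCH_Network_Control;
        }
    }
    interfaces {
        # the CoS ingress and egress point is the GRE tunnel logical interface
        gr-0/0/0 {
            unit 0 {
                scheduler-map SM-OVERLAY;
                shaping-rate 50m;
                classifiers { dscp BA-DSCP; }
            }
        }
    }
}
interfaces {
    gr-0/0/0 {
        per-unit-scheduler;
        unit 0 {
            # ToS reflection: payload DSCP is copied into the outer GRE header
            copy-tos-to-outer-ip-header;
            tunnel {
                source 172.20.1.1;
                destination 10.255.0.1;
            }
            family inet;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter { input MF-CLASSIFY; }
                address 10.10.1.1/24;
            }
        }
    }
}
firewall {
    family inet {
        # multifield classifier on LAN ingress: sets class, loss priority and DSCP
        filter MF-CLASSIFY {
            term voice {
                from { source-address { 10.10.1.0/24; } protocol udp; destination-port 16384-32767; }
                then { forwarding-class Voice; loss-priority low; dscp ef; accept; }
            }
            term video {
                from { protocol udp; destination-port 5004-5005; }
                then { forwarding-class Video; loss-priority low; dscp af41; accept; }
            }
            term everything-else {
                then { forwarding-class Best_Effort; loss-priority medium-high; dscp be; accept; }
            }
        }
    }
}
```

Two details carry the design: `per-unit-scheduler` on the physical gr- interface is what makes the scheduler map and shaping rate on unit 0 take effect, and `copy-tos-to-outer-ip-header` is the ToS reflection that lets the ISP path and the hub see the class of an encapsulated packet without decrypting it. The multifield filter terminates every term with `accept`, so a packet that matches no class-specific term still gets an explicit class and DSCP rather than whatever its sender set.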
Class of service is applied between the enterprise (hub) and the remote site as seen in
Figure 31 on page 63:
1. Inbound traffic from the enterprise is trusted: no remarking is done on this traffic.
Traffic is routed to the WAN-GRE VR (VPN termination router) for routing to the secure overlay
remote site.
Between the remote site and enterprise, class of service is applied as seen in
Figure 32 on page 64:
1. On ingress, the remote site router applies DSCP markings based on a multifield classifier
(source IP, destination IP, protocol, port, source VLAN).
branch.
a. CoS is applied to the GRE tunnel: traffic is shaped to the ISP port rate.
b. ToS reflection is performed, copying the ToS marking from the payload IP header
to the IPsec IP header.
3. On ingress to WAN aggregation, no CoS action is performed.
4. On egress to the enterprise, the DSCP in the IP payload header is queued as per enterprise CoS
policy.
Figure 32: Secure Overlay Class of Service Between Remote Site and Enterprise
The entire solution should be integrated with a global access management system to
enforce access privileges (such as LDAP or MS Active Directory).
Secure Connectivity
All voice, video, and data traffic should be separated on the enterprise LAN to ensure
integrity and performance of high priority traffic.
Incoming traffic to the branch and enterprise HQ/Data Center should be verified to
ensure the traffic is coming from an authorized source address.
The branch offices should be protected from malicious attacks from outside and inside
the network.
The branch and enterprise hub CPE should be protected from attacks and intrusion
from within the network (using network management source filters, for instance).
In addition to these security protections, each transport type often requires additional
protection to ensure a secure, end-to-end enterprise WAN.
Leased-Line Security
Leased-line service from a service provider can be reasonably assumed to be secure as
it is a private, circuit-switched service between the remote site and the aggregation hub.
The routing protocols running over the leased line service utilize routing protocol
authentication (MD5) to ensure only valid routers can form peering relationships with
the branch. More security-minded enterprises often choose to configure additional security
between the remote site and hub. IPsec can be configured over the leased line in cases
where elevated security must be achieved.
Secure Overlay
This transport type is configured from a remote site firewall (SRX Series). As such, it
offers elevated protection against most threats against the enterprise. Given that this
transport is directly exposed to the Internet, the elevated security is a strict requirement.
To address this concern, traffic is separated into a trust zone and an untrust zone. We
are using a virtual routing and forwarding (VRF) routing instance for untrusted traffic,
which is defined as Internet traffic, or more specifically route peering with the ISP, IPsec,
and GRE tunnel endpoints. The VRF routing instance contains the Internet-facing interfaces
for the branch. This routing instance does not allow Internet traffic onto the branch LAN
and therefore protects the enterprise's internal routing tables and keeps public addresses
and private addresses separate by not allowing public addresses into the default IPv4
(inet.0) and IPv6 (inet6.0) routing tables.
The remote site also features security zones. On SRX Series, security zones must be
configured before traffic can be forwarded. Once the security zones are created, security
policies must be created to explicitly permit or deny traffic in one direction (trust to untrust
zone, for instance). When secure overlay is in use, we are using three zones: one for trust
traffic, one for untrusted traffic, and one for management traffic. The remote site router
is configured with policies that specify what traffic is allowed to move between zones.
Typically, the firewall will be configured to only allow local IP traffic from the trust zone
(the remote site) to the untrust zone (the rest of the enterprise). Management traffic is
typically not permitted from the trust zone as this solution is designed to be centrally
managed. Traffic in the management zone (from the enterprise) is permitted to enter
any trust zone, enabling the network operators to remotely access and maintain the
network and the end user devices connecting to the network.
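The remote-site zone layout described above (an Internet-facing virtual router for ISP peering and tunnel endpoints, trust, untrust and management zones, and policies that let branch traffic out and management traffic in while everything else stays closed), as an added Junos SRX configuration example that is not configuration from the guide. Interface names, the ISP next hop, the LAN and management prefixes and the choice to put the management zone on its own logical interface are assumptions.

```junos
# Added example (not from the guide). Interfaces, addresses and the management
# interface placement are assumptions.
routing-instances {
    # ISP peering, IPsec and GRE outer endpoints live here, never in inet.0
    untrust-vr {
        instance-type virtual-router;
        interface ge-0/0/0.0;
        interface lo0.1;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 203.0.113.1;
            }
        }
    }
}
security {
    address-book {
        global {
            address REMOTE-LAN 10.10.1.0/24;
            address ENTERPRISE-MGMT 10.250.0.0/24;
        }
    }
    zones {
        security-zone untrust {
            interfaces {
                # only IKE may reach the box from the Internet side
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services { ike; }
                    }
                }
                # overlay tunnel: routing protocols and BFD run inside it
                gr-0/0/0.0 {
                    host-inbound-traffic {
                        protocols { ospf; bgp; bfd; }
                    }
                }
            }
        }
        security-zone trust {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services { dhcp; }
                        protocols { vrrp; }
                    }
                }
            }
        }
        security-zone management {
            interfaces {
                ge-0/0/2.0;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy branch-to-enterprise {
                match {
                    source-address REMOTE-LAN;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log { session-close; }
                }
            }
        }
        from-zone management to-zone trust {
            policy operators-in {
                match {
                    source-address ENTERPRISE-MGMT;
                    destination-address any;
                    application [ junos-ssh junos-https junos-ping ];
                }
                then {
                    permit;
                    log { session-init; }
                }
            }
        }
        # untrust->trust and trust->management have no policy and so are denied
        default-policy {
            deny-all;
        }
    }
}
```

Two things to check after committing: `show route table untrust-vr.inet.0` should hold the ISP default and the tunnel endpoints while `show route table inet.0` holds none of them, and `show security policies hit-count` should show only the two permit policies accumulating hits, with anything else landing in the default deny.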
Provide transit for the secure overlay (GRE over IPsec) transport option
Provide inbound access to enterprise services (hosted services, www, e-mail, etc.).
Figure 33: The Internet Gateway Role at the WAN Aggregation Site
This solution was tested with two Internet gateways that peer with two separate ISPs.
The Internet gateway on Aggregation Hub 1 is the primary gateway, and the Internet gateway
on Aggregation Hub 2 is the secondary gateway. At Hub 1, the Internet gateway is a separate
physical router. It is directly connected to the VPN termination router over a 1 GE link that
is configured with two VLANs. One VLAN is used to terminate IPsec tunnels on the VPN
termination router. The second VLAN is used for traffic to and from hosted services.
The Internet gateway at Hub 1 has a virtual router routing instance called
SFW-NAT-SERVICES. This routing instance is an internal virtual router that faces the
private enterprise network and is configured with private addresses. It is used to apply
NAT and stateful firewall to branch and data center traffic going to and from the Internet.
At Hub 2 there is one physical router for all roles: Internet gateway, WAN aggregation,
and VPN termination. The Internet edge role includes two routing instances: IEDGE and
SFW-NAT-SERVICES.
peers, and routing policies are used to cause routes through the primary Internet gateway
to be preferred over routes to the secondary gateway. In addition, we recommend the
use of routing policy to export routes from the primary to secondary gateway so that in
the event of a failure, the secondary gateway has the current block of addresses that are
being advertised on the Internet edge.
Figure 34 on page 68 shows the routing design on the Internet gateways.
The Internet gateways are EBGP peers with ISP A and ISP B. EBGP policies are designed
as follows:
Routes to Internet gateway 1 are preferred over routes to Internet gateway 2. Routes
to Internet gateway 1 are assigned a local preference of 200 to make them preferred
over routes to Internet gateway 2, which uses the default local preference of 100. In
addition, Internet gateway 2 uses AS path prepending. The longer AS path makes
routes to Internet gateway 1 preferred.
Martian routes received from the Internet are blocked. (Martian addresses are host or
network addresses about which all routing information is ignored. When received by
the routing device, these routes are ignored. They commonly are sent by improperly
configured systems on the network and have destination addresses that are obviously
invalid.)
Block of addresses used for source and destination NAT are advertised to the Internet.
On Hub 1, policies block Hub 2 addresses from being advertised on the Internet.
On Hub 2, policies block Hub 1 addresses from being advertised on the Internet.
For Internet access, the default route is advertised in BGP and redistributed into OSPF
(for the data center and OSPF-only branches) as primary on Internet gateway 1; on head-end 2,
a qualified-next-hop default route is assigned a higher cost so it is used only in the event
of an Internet edge router or WAN aggregation router failure at head-end 1.
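The EBGP policy set described above for the Internet gateways (local preference 200 on gateway 1, AS path prepending on gateway 2, martian filtering, advertising the NAT block from both hubs, and each hub blocking the other hub's addresses), as an added Junos configuration example that is not configuration from the guide. The hosted-services blocks 191.15.100.128/25 and 191.15.200.128/25 are the ones the guide uses; AS numbers, peer addresses and the shared NAT pool are assumptions.

```junos
# Added example (not from the guide). AS numbers, peer addresses and the NAT pool
# are assumptions; the 191.15.x blocks are the guide's hosted-services addresses.
policy-options {
    # bogon space that must never be accepted from an Internet peer
    prefix-list MARTIANS {
        0.0.0.0/8;
        10.0.0.0/8;
        100.64.0.0/10;
        127.0.0.0/8;
        169.254.0.0/16;
        172.16.0.0/12;
        192.168.0.0/16;
        224.0.0.0/3;
    }
    prefix-list SHARED-NAT-POOL {
        203.0.113.0/25;
    }
    prefix-list HUB1-LOCAL-BLOCKS {
        191.15.100.128/25;
    }
    prefix-list HUB2-LOCAL-BLOCKS {
        191.15.200.128/25;
    }
    # ---- Internet gateway 1 (Hub 1): preferred path ----
    policy-statement FROM-ISP-A {
        term drop-martians {
            from {
                prefix-list-filter MARTIANS orlonger;
            }
            then reject;
        }
        term prefer-primary-gateway {
            then {
                local-preference 200;
                accept;
            }
        }
    }
    policy-statement TO-ISP-A {
        term never-announce-peer-hub {
            from {
                prefix-list-filter HUB2-LOCAL-BLOCKS orlonger;
            }
            then reject;
        }
        term announce-own-blocks {
            from {
                prefix-list-filter SHARED-NAT-POOL exact;
                prefix-list-filter HUB1-LOCAL-BLOCKS exact;
            }
            then accept;
        }
        term reject-rest {
            then reject;
        }
    }
    # ---- Internet gateway 2 (Hub 2): same shape, default local preference, prepended ----
    policy-statement TO-ISP-B {
        term never-announce-peer-hub {
            from {
                prefix-list-filter HUB1-LOCAL-BLOCKS orlonger;
            }
            then reject;
        }
        term announce-own-blocks {
            from {
                prefix-list-filter SHARED-NAT-POOL exact;
                prefix-list-filter HUB2-LOCAL-BLOCKS exact;
            }
            then {
                as-path-prepend "65010 65010";
                accept;
            }
        }
        term reject-rest {
            then reject;
        }
    }
}
protocols {
    bgp {
        group ISP-A {
            type external;
            peer-as 64496;
            import FROM-ISP-A;
            export TO-ISP-A;
            neighbor 198.51.100.1;
        }
    }
}
```

The import side on gateway 2 is FROM-ISP-A without the `local-preference 200` term, so inside the enterprise gateway 1 wins on preference and outside it wins on the shorter AS path. The `exact` matches on the export policies are deliberate: the two hubs announce the same NAT pool, and only that pool, so the Internet cannot learn more-specific internal routes from either edge.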
With reference to the network ranges used for source NAT (internal accessing the
Internet), destination NAT (hosted services) and IPsec connectivity for the remote sites.
1. Both Internet edge routers advertise the SAME external address pool used for source
NAT (internal clients accessing the Internet) to the Internet peering routers. Head-end
2 prepends the route advertisement so it is not the primary router for the site. Given
this, with no failure, traffic in the shared NAT range (clients that have been NATed
accessing the Internet) is routed to Aggregation Hub 1. In a failure of the ISP
link at head-end 1, traffic is now sent to head-end 2 from the Internet, but as head-end
2 is also IBGP peering with head-end 1, the NAT pool is still being advertised from
head-end 1. Thus traffic is sent across the IBGP (front-side) link and then sent through
the SFW/NAT service set on head-end 1. This brings up two further discussion points:
a. The failover was designed this way because there is NO state sync between the
two aggregation service cards; thus, in this design we chose to keep the SFW-NAT
service active on head-end 1 even if the ISP link fails. For clients accessing the
Internet, internally they see no change. Obviously, Internet branches will
now be terminated on head-end 2, as the ISP link is now down.
b. Given this failover design requirement, a separate VR is required for SFW/NAT
services, as when a service set is configured for the shared NAT pool, Junos OS
automatically installs a static route for the NAT pool with a cost of 1. There is no
way to override this, so the NAT service set was configured in the
SFW-NAT-SERVICES VR, thus allowing the use of BGP to control the networks
that are active for the shared NAT subnet/pool. Without this, in the failover scenario
mentioned above, the traffic arriving on head-end 2 would not be sent to head-end
1 and would simply be sent through the local service set.
2. The subnet addressing used for IPsec termination and hosted NAT services comes
from a separate subnet, advertised only from the local gateway and blocked from
being advertised from the peer. This means remote sites go directly to the appropriate
gateway for IPsec tunnel termination and, on any ISP link failure, tear down the tunnel
and use the already-up backup tunnel. Likewise, the hosted NAT services in this local
gateway are no longer reachable and will be accessed via the other gateway. These
hosted services can be either on a single device at a single location or hosted in
separate data centers using separate servers. In this design we have chosen the option
where the secondary site hosts a separate DMZ and different servers. In this case
application failover for Internet clients would be managed by a global DNS service.
enterprise. This is the reason for configuring two separate Internet gateway routers that
peer to separate ISPs. This prevents a failure of one ISP from affecting the availability of
Internet access. It is important to note that local failure caused by power loss or weather,
for instance, can cause an entire site to experience outage. In many cases, the enterprise
often introduces geographic redundancy to the design, placing the primary gateway in
collocation with the Internet service provider and the backup in a different site. This
prevents a local failure from causing a complete outage. Additional protections to ensure
a highly available environment include:
BFD should be deployed wherever a routing protocol is used to ensure that any link
failure is identified and acted on as soon as possible. BFD can identify a link-level
failure in as little as 30ms.
VRRP should be deployed wherever there are redundant routers in place. This is in
use on the site type with dual CPE.
Internet: Traffic for the public Internet. This traffic is assigned the remainder of the
transmit rate with a low scheduling priority.
Network Control: Network control traffic, which is assigned 4 percent of the transmit
rate and a strict-high scheduling priority.
A scheduler with all three forwarding classes is applied to the interface to the ISP. This
traffic is shaped at the rate of 800m.
The Branch forwarding class is applied to the VLAN that is used to terminate IPsec
tunnels on the VPN termination router.
The Internet forwarding class is applied to the VLAN that is used for hosted services
traffic that is sent to the VPN termination router.
The Internet forwarding class is applied to the services interface that is used for all internal
traffic sent to the Internet.
Best effort: Traffic for the public Internet. This traffic is assigned 20 percent of
the transmit rate with a low scheduling priority.
Network Control: Network control traffic, which is assigned 1 percent of the transmit
rate and a strict-high scheduling priority.
A scheduler with all three forwarding classes is applied to the interface to the ISP. This
traffic is shaped at the rate of 800m.
The branch forwarding class is applied to the VLAN that is used to terminate IPsec
tunnels on the VPN termination router.
The Internet forwarding class is applied to the VLAN that is used for hosted services
traffic that is sent to the VPN termination router.
The Internet forwarding class is applied to the services interface that is used for all internal
traffic sent to the Internet.
Routing protocol authentication: BGP groups that peer with the ISP and the OSPF
backbone on the aggregation hubs are configured for MD5 authentication.
Prefix lists that specify trusted IP subnets and addresses for different types of traffic.
Traffic received from these addresses is allowed through the firewall. All other traffic
is discarded.
A policy that applies rate limits to the traffic that is accepted by the filter.
A policy that applies rate limits to the traffic that is accepted by the filter.
Packet counting and logging. We are counting packets received from different sources,
and in some cases logging traffic. You can use counters and logs to check that a
filter is working as expected and to detect unusual amounts of certain types of traffic.
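The Internet-facing protections listed in this section (MD5 on the ISP BGP session and the OSPF backbone, prefix lists of trusted sources, a filter that accepts only listed traffic, policers on what is accepted, and counters and logging on every term), as an added Junos configuration example that is not configuration from the guide. The hosted-services block 191.15.100.128/25 is the guide's; the ISP peer address, the shared NAT pool, the interface names, the key placeholders and the policer rates are assumptions.

```junos
# Added example (not from the guide). Peer address, NAT pool, interfaces, keys and
# policer rates are assumptions; 191.15.100.128/25 is the guide's hosted-services block.
policy-options {
    prefix-list ISP-A-BGP-PEER {
        198.51.100.1/32;
    }
    prefix-list PUBLIC-POOLS {
        191.15.100.128/25;
        203.0.113.0/25;
    }
}
firewall {
    policer LIMIT-BGP {
        if-exceeding {
            bandwidth-limit 2m;
            burst-size-limit 128k;
        }
        then discard;
    }
    policer LIMIT-ICMP {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 64k;
        }
        then discard;
    }
    family inet {
        filter ISP-A-IN {
            # BGP only from the configured peer, and only at a bounded rate
            term bgp-from-peer {
                from {
                    source-prefix-list { ISP-A-BGP-PEER; }
                    protocol tcp;
                    port bgp;
                }
                then {
                    policer LIMIT-BGP;
                    count bgp-in;
                    accept;
                }
            }
            term icmp-limited {
                from {
                    protocol icmp;
                }
                then {
                    policer LIMIT-ICMP;
                    count icmp-in;
                    accept;
                }
            }
            # traffic to the advertised blocks: the stateful firewall / NAT service set decides the rest
            term to-public-pools {
                from {
                    destination-prefix-list { PUBLIC-POOLS; }
                }
                then {
                    count public-in;
                    accept;
                }
            }
            term deny-rest {
                then {
                    count denied-in;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter { input ISP-A-IN; }
                address 198.51.100.2/30;
            }
        }
    }
}
protocols {
    bgp {
        group ISP-A {
            authentication-key "PLACEHOLDER-md5-key";
        }
    }
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/3.0 {
                authentication {
                    md5 1 key "PLACEHOLDER-md5-key";
                }
            }
        }
    }
}
```

`show firewall filter ISP-A-IN` shows the per-term counters, so a rising `denied-in` against a flat `bgp-in` tells you whether the filter is catching noise or starving the peering, and `show firewall log` holds the most recent headers the `deny-rest` term logged. The BGP and ICMP policers are what keep a flood toward the gateway's own addresses from crowding out the session with the ISP.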
The Internet gateway utilizes source and destination NAT. We are using stateful
firewalls with application-layer gateways (ALGs) to ensure only return traffic sourced
from the enterprise is allowed inbound through the firewall.
Traffic sourced from an enterprise remote site and destined for a hosted service flows
in the following way:
1. Traffic from the Internet has a destination address of 191.15.100.128/25, which is the
public address that is advertised to the Internet for hosted services.
2. NAT and stateful firewall are applied to traffic. An address from the private pool of
Figure 36: Return Traffic Flow from Hosted Services to the Internet
1. A static route sends traffic to the Ethernet interface on the Internet gateway.
2. The Ethernet interface receives the traffic and forwards it to the Ethernet interface
Figure 37 on page 73 shows how NAT and stateful firewall are applied to inbound traffic
from the Internet going to hosted services on Aggregation Hub 2.
Figure 37: Aggregation Hub 2 Traffic Flow for Stateful Firewall and NAT
1. Traffic from the Internet has a destination address of 191.15.200.128/25, which is the
public address that is advertised to the Internet for hosted services.
Figure 39 on page 74 shows the inbound traffic flow from the data center, leased-line
transports, or Layer 3 VPN transports to hosted services.
Figure 39: Traffic Flow Inbound from Data Center, Leased-Line, or Layer 3 VPN to Hosted Services
1. Receive traffic from the data center, leased-line transports, or Layer 3 VPN transports
to hosted services on the WAN aggregation router, and forward the traffic to the
WAN-GRE routing instance on the VPN termination router.
3. Apply the NAT-Branch-www next-hop style service set. Assign an inside address from
Figure 40: Return Traffic Flow from Hosted Services to Leased-Line, Layer 3 VPN, and Data Center
Figure 41 on page 75 shows the inbound flow for traffic from Internet-connected branches
that use IPsec over GRE tunnels to hosted services.
Figure 41: Traffic Flow from Internet Connected Branches (GRE over IPsec) to Hosted Services
1. Use a static route to send traffic to sp-0/3/0.4001 in the WAN-GRE routing instance.
2. Form a GRE tunnel to the branch, and forward traffic to the VPN routing instance.
3. Form an IPsec tunnel over the GRE tunnel, and forward traffic to the Internet gateway.
4. The Internet gateway forwards the tunnel traffic to the branch.
Figure 43 on page 77 shows traffic from Internet-connected branches (GRE over IPsec)
and the various traffic flows between the branch and the data center, Internet, and Layer
3 VPN / leased line branches:
The overall goal of the design is to ensure that the primary aggregation hub is always
primary, even when components within that hub fail. A failure at the primary hub does
not necessarily mean that all traffic fails over to the backup aggregation hub (Aggregation
Hub 2). As a general rule, the design fails over only affected services to the backup
aggregation hub.
1. In this scenario, the primary Internet link fails. The cause of the failure is not relevant,
because the solution reacts the same way to any failure that results in loss of route
peering with the primary ISP.
a. The SFW/NAT service on the Internet gateway router (hub 1) is still active (this
failure is the uplink only). As such, all sessions currently existing over the primary
link are still active in the firewall state tables. In order to avoid resetting existing
sessions, the traffic is still routed to this VR for stateful firewall processing. Traffic
then flows across the direct link between Aggregation Hub 1 and Aggregation Hub 2.
2. Traffic is routed upon failover in the following manner:
a. Traffic from Internet branches enter over the secondary GRE over IPsec tunnel
(which terminates on the VPN VR and WAN-GRE VR). Traffic is then sent to the
WAN aggregation VR ( on Aggregation Hub 2), over the link to the primary WAN
aggregation hub, and into the SFW-NAT-SERVICES VR for firewall/NAT services.
Internet-bound traffic is then sent over the link to the backup Internet gateway for
transmission to the Internet.
b. Traffic from Layer 3 VPN and leased-line transports (recall that these enter on the
WAN aggregation router) is routed over the WAN aggregation to Internet gateway
link. The traffic receives stateful firewall and NAT services on the SFW-NAT-SERVICES
VR at the primary Internet gateway, is then sent over the Internet gateway link to the
backup aggregation hub, and is sent out the backup Internet gateway.
3. All traffic is then routed over the direct connection between the primary Internet
gateway and the secondary gateway (to the SFW-NAT-SERVICES VR, where firewall
and NAT services are performed).
4. Traffic is forwarded to the backup ISP connection. Return traffic follows the same path,
1. In this scenario, the primary Internet gateway has failed. The cause of the failure is not
relevant, because the solution reacts the same way to any failure that results in loss
of route peering with the primary Internet gateway.
2. The SFW/NAT service on the Internet gateway (hub 1) is no longer active. As such, all
sessions currently existing over the primary link will be lost. Routing protocol peering
from the primary Internet gateway is lost, causing the network to converge, routing
traffic to the backup path.
3. Traffic from remote sites and the data center is routed in the following manner:
a. Traffic from secure overlay branches enters the secondary GRE over IPsec tunnel
and is routed to the backup WAN aggregation router. Traffic bound for the Internet
is routed to the SFW-NAT-SERVICES VR for firewall and NAT and is then forwarded
to the ISP. Traffic destined for remote sites (Layer 3 VPN and leased line) is sent
over the link to the primary WAN aggregation router and is forwarded to the remote
sites via their primary connections.
b. Traffic from Layer 3 VPN and leased line transports is routed from the WAN
aggregation router at hub 1, over the link to Aggregation Hub 2, to the
SFW-NAT-SERVICES VR for firewall and NAT. Internet traffic is then forwarded
to the ISP. Traffic bound for Internet-connected remote sites is sent from the
backup WAN aggregation router to the WAN-GRE VR for encapsulation (WAN-GRE
SFW-NAT-SERVICES VR).
5. Traffic is forwarded to the backup ISP connection. Return traffic follows the same path
(in through the secondary gateway, to the WAN aggregation router at hub 2, to the WAN
aggregation router at hub 1, then back to the branch or data center).
1. Upon connection to the enterprise WAN, the secure overlay remote site (GRE over
IPsec) initiates two tunnels. The primary tunnel is terminated at the primary
aggregation hub. A backup tunnel is also initiated and terminated on the aggregation
hub at the backup site (Aggregation Hub 2). Routing is configured to always favor the
primary link and use the backup link only when the primary fails. Failure of
the primary Internet gateway occurs in this scenario, as shown in Figure 46 on page 81.
2. Route peering is lost on the primary GRE tunnel and converges on the backup GRE
tunnel. All remote-site-to-enterprise traffic now flows over the backup GRE tunnel
(encapsulated within IPsec). The secure overlay tunnels are terminated at the backup
hub site (IPsec terminates on the VPN VR, while GRE terminates on an lt interface on
the WAN-GRE VR). Traffic is then sent to the WAN aggregation VR, across the link to
the primary hub site (WAN aggregation 1), and is then forwarded on to its destination.
a. Traffic destined for Layer 3 VPN and leased line remote sites is routed to the
appropriate site by the primary WAN aggregation router. Traffic from these sites
destined to the Internet connected branches follows the reverse path (WAN Agg
1 > WAN Agg 2 > VPN VR > remote site via IPsec tunnel).
b. Internet traffic is forwarded from the primary WAN aggregation router to the
SFW-NAT-SERVICES VR on the primary WAN aggregation router. Traffic is then
forwarded to the ISP.
Note that the solution is designed to always forward traffic via Aggregation Hub 1 (the
primary hub) and to forward traffic via the backup aggregation hub only on failover.
1. Both leased-line and Layer 3 VPN transport remote sites terminate on and peer with
the primary WAN aggregation router at hub 1. If this router fails, the following backup
routing occurs.
2. In a case where the primary WAN aggregation router fails, traffic is re-routed over a
backup connection (for Layer 3 VPN sites, this connection is often a backup Layer 3
VPN service to the backup aggregation site).
3. For remote sites without a backup Layer 3 VPN connection (leased-line sites, for
instance), a backup IPsec VPN connection can be configured. This failover flow is also
used for Internet-connected branches (the primary WAN aggregation router is the
primary route reflector in the design; if it fails, all routing to Internet-connected sites
converges to the backup WAN aggregation router). Traffic from these
Internet-connected sites flows over the backup tunnel (terminated on the VPN VR
and WAN-GRE VR on the backup aggregation hub) and is forwarded to the backup
WAN aggregation VR. Traffic bound for Layer 3 VPN and leased-line sites is forwarded
from the backup WAN aggregation VR over the routed connections to the remote site.
4. All Internet-bound traffic will flow from the backup aggregation hub over the link to
the primary Internet gateway (flowing first through the SFW-NAT-SERVICES VR for
firewall and NAT services).
Figure 48: Primary WAN Aggregation Site (Complete Site) Failure Scenario
1. The primary aggregation hub fails in this scenario. This means a complete failure, or
a majority of the routers and transports are down. In this scenario, all routing occurs
through Aggregation Hub 2.
2. The various site types re-route as per their local routing design (this has been largely
covered in the previous failover scenarios). The exception is that no traffic is routed
back to the primary aggregation hub, because that entire site is down.
a. Secure overlay sites route traffic over the backup GRE over IPsec tunnel to the
secondary hub. Traffic terminates as in the primary VPN router failure scenario and
routes from Aggregation Hub 2 to its destination (Internet, data center, or other
enterprise sites).
b. Layer 3 VPN and leased-line sites fail over as shown in the primary WAN aggregation
failover scenario. Layer 3 VPN converges over the backup MPLS label-switched
path (LSP) and terminates on the WAN aggregation VR at the backup aggregation
hub. All traffic routes locally from Aggregation Hub 2. Leased-line sites that have
secure overlay backup can have a backup GRE over IPsec tunnel to the secondary
site; in this case, the traffic routes over the backup tunnel to the backup aggregation
hub.
c. Traffic to and from the data center (hosted traffic or enterprise-internal traffic)
routes over backup link or links to Aggregation Hub 2. Traffic routes to its destination
from Aggregation Hub 2.
d. Internet traffic from the data center or enterprise sites routes from Aggregation
Hub 2, through the SFW/NAT service, and out to the backup ISP. Inbound traffic
(hosted-service-bound traffic, for instance) flows inbound through the stateful
firewall rules and destination NAT, and on to its destination. Full use of this
failover scenario for hosted services requires a DNS service that can do global
server load balancing (GSLB), detect a failure of the primary service (primary
Internet circuit or site), and advertise new records (A, MX, PTR) for all hosted
services.
This section by no means covers every possible failure in the enterprise WAN solution.
The goal of this section was to provide a set of high-level failover scenarios that include
enough information for a reader to determine probable failover scenario routing and
convergence that fall outside these examples.
Services
The final component of the enterprise WAN solution is the inclusion of services. The
solution architecture is designed to accept almost any enterprise service, either as a
hosted service or in-line with the network at the WAN aggregation tier. The service tested
in this version of the solution is the Web Cache Communication Protocol (WCCP). WCCP
delivers transparent application acceleration by dynamically redirecting relevant traffic
to one or more off-path cache instances, with built-in load balancing and scaling
mechanisms. It is designed to operate with Web cache products that support WCCP
(http://tools.ietf.org/id/draft-wilson-wrec-wccp-v2-01.txt).
WCCP. The complete WCCP service offers full functionality on M Series and MX Series
platforms that have Multiservices PICs (MS-PICs), MS-MICs, or MS-DPCs.
Table: WCCP versus WCCP-Lite feature comparison. Columns: WCCP, WCCP-Lite. Only the
row headings "Dynamic services" and "Supported platforms" and the Yes/No cell values
survived extraction; the remaining row labels are lost.
PART 2

CHAPTER 3

http://www.juniper.net/techpubs/content-applications/cli-explorer/junos/
Hostname         Role                   Juniper Networks Product
Head Office 1
JBUS             Internet Gateway       MX480
JBIKE            VPN Termination        M7i
JBOAT            WAN aggregation        MX80
JLIMO-WAN        WAN aggregation        MX480 (Virtual Router-based)
JLIMO-IEDGE      Internet Gateway       (same MX480, virtual router)
JLIMO-VPN        VPN Termination        (same MX480, virtual router)
Branch 1
HUMBER-LL                               MX80
Branch 2
PIXO                                    SRX240
Head Office 2
SEDAN
Medium Branch
MANZA
HUMBER
SPITFIRE                                MX80
SPITFIRE-BR2                            MX80
(The products M7i, M7i, and MX80 listed in the Head Office 2 and Medium Branch rows
could not be matched to SEDAN, MANZA, and HUMBER in extraction.)

CHAPTER 4
VPN termination router: M7i Multiservice Edge Router with the following PICs:
Two 4-Port Gigabit Ethernet Enhanced IQ2 (IQ2E) PICs with SFP
Overview
Topology
This section focuses on the configuration of the nodes in the blue highlighted area
(Figure 50 on page 94).
Configuring Routing Policies for IBGP Peers on the WAN Aggregation Router on page 97
Configuring Fully-Meshed IBGP Peer Groups on the WAN Aggregation Router on page 98
Configuring the OSPF Backbone on the WAN Aggregation Router on page 100
Configuring Per-Packet Load Balancing on the WAN Aggregation Router on page 115
1. Create a default static route for IPv4 with the next hop to the WAN aggregation role
at Aggregation Hub 2. Its preference of 250 makes it a floating static route: it is less
preferred than any dynamically learned default (BGP has a default preference of 170),
so it is installed only when the dynamic default route is lost, which speeds convergence
after a failure at Hub 1.
[edit]
edit routing-options
set static route 0.0.0.0/0 next-hop 172.31.254.42
set static route 0.0.0.0/0 preference 250
[edit]
edit interfaces ge-1/2/2
set description "--- To VPN router WAN-GRE VR ---"
set unit 0 account-layer2-overhead ingress 18
set unit 0 account-layer2-overhead egress 18
set unit 0 family inet mtu 1500
set unit 0 family inet address 172.31.254.13/30
set unit 0 family inet6 address 2001:DB8:254:4::1/64
2. Configure the Ethernet interface to the WAN aggregation router in Aggregation Hub 2.
[edit]
edit interfaces ge-1/3/2
set description "--- B2B link towards WAN-AGG2 VR instance ---"
set unit 0 account-layer2-overhead ingress 18
set unit 0 account-layer2-overhead egress 18
set unit 0 family inet mtu 1500
set unit 0 family inet address 172.31.254.41/30
set unit 0 family inet6 address 2001:DB8:254:3::1/64
4. Configure the Ethernet interface to the Internet edge router in Aggregation Hub 1.
[edit]
edit interfaces xe-0/0/0
set description "--- IEDGE1 link ---"
set unit 0 account-layer2-overhead ingress 18
set unit 0 account-layer2-overhead egress 18
set unit 0 family inet mtu 1500
set unit 0 family inet address 172.31.254.10/30
Configuring Routing Policies for IBGP Peers on the WAN Aggregation Router
Step-by-Step Procedure
1. Configure a policy that is used to advertise the default static IPv4 route. It is also a
next-hop self policy, which causes the loopback address of the router to be advertised
as the next-hop address.
[edit]
edit policy-options policy-statement ADV_DEFAULT
set term 1 from family inet
set term 1 from protocol static
set term 1 from route-filter 0.0.0.0/0 exact
set term 1 then next-hop self
set term 1 then accept
2. Configure a next-hop self policy for IPv4 traffic, which causes the loopback address
of the router to be advertised as the next hop for BGP routes.
[edit]
edit policy-options policy-statement NHS
set term 1 from protocol bgp
set term 1 then next-hop self
set term 1 then accept
3. Configure a next-hop self policy for IPv6, which causes the loopback address of the
router to be advertised as the next-hop address for BGP routes.
[edit]
edit policy-options policy-statement NHS6
At the aggregation hubs, we have a full IBGP mesh with the WAN aggregation routers
and the WAN-GRE virtual routers on Aggregation Hub 1 and Aggregation Hub 2.
2. Configure the IPv4 IBGP mesh group. The NHS export policy causes the router to
advertise the address of the loopback interface as the next hop. The ADV_DEFAULT
export policy causes the default static route to be advertised.
[edit]
edit protocols bgp group IBGP-MESH
set type internal
set local-address 172.31.255.2
set family inet unicast
set family inet multicast
set export NHS
set neighbor 172.31.255.3
set neighbor 172.31.255.5 export ADV_DEFAULT
set neighbor 172.31.255.5 export NHS
set neighbor 172.31.255.6
3. Configure the IPv6 IBGP mesh group. The NHS export policy causes the router to
advertise the address of the loopback interface as the next hop.
[edit]
edit protocols bgp group IBGP-MESH-v6
set type internal
set local-address 2001:DB8:255::2
set family inet6 unicast
Results
1. Configure routing policies that are used to export the default BGP route into OSPF.
These policies are used for leased-line transport that uses OSPF; OSPF obtains its
default route from BGP.
a. Configure a policy for IPv4.
[edit]
edit policy-options policy-statement BGP2OSPF
set term 1 from protocol bgp
set term 1 then metric 20
set term 1 then tag 100
set term 1 then external type 1
set term 1 then accept
b. Configure a policy for IPv6.
[edit]
edit policy-options policy-statement BGP2OSPF-V6
set term 0 from family inet6
set term 0 from route-filter ::/0 exact
set term 0 then reject
set term 1 from family inet6
set term 1 from protocol bgp
set term 1 then metric 20
2. Configure OSPF for IPv4.
a. Set the preference of OSPF external routes to 175. BGP routes have a default
preference of 170, so they are preferred in the routing table over OSPF external routes
(whose default preference is 150) for the same prefix.
[edit]
edit protocols ospf
set external-preference 175
b. Apply the policy to export BGP routes into OSPF.
[edit]
edit protocols ospf
set export BGP2OSPF
c. Create a backbone area, and add the interface to the VPN termination router
(ge-1/2/2), the loopback interface (lo0.0), the interface to the WAN aggregation
router on Aggregation Hub 2 (ge-1/3/2), the interface to the data center
(xe-0/0/2), and the interface to the Internet edge router (xe-0/0/0).
[edit]
edit protocols ospf area 0.0.0.0
set interface ge-1/2/2.0 interface-type p2p
set interface ge-1/2/2.0 authentication md5 0 key "$9$0MTR1ESvWXbsgikAuO1cSws2"
set interface ge-1/2/2.0 bfd-liveness-detection minimum-interval 500
set interface ge-1/2/2.0 bfd-liveness-detection multiplier 3
set interface lo0.0 passive
set interface ge-1/3/2.0 interface-type p2p
set interface ge-1/3/2.0 authentication md5 0 key "$9$tRnY01ElKW-VsUj/Ap0REdVw"
set interface ge-1/3/2.0 bfd-liveness-detection minimum-interval 500
set interface ge-1/3/2.0 bfd-liveness-detection multiplier 3
set interface xe-0/0/2.0 interface-type p2p
set interface xe-0/0/2.0 metric 20
set interface xe-0/0/2.0 authentication md5 0 key "$9$a0Gjk5Q3tuBlK2oJGHkpuO"
set interface xe-0/0/2.0 bfd-liveness-detection minimum-interval 500
set interface xe-0/0/2.0 bfd-liveness-detection multiplier 3
set interface xe-0/0/0.0 interface-type p2p
set interface xe-0/0/0.0 authentication md5 0 key "$9$vaX8x-Ygaikm69rKM8N-Hk."
set interface xe-0/0/0.0 bfd-liveness-detection minimum-interval 500
set interface xe-0/0/0.0 bfd-liveness-detection multiplier 3
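The OSPF stanza above, like the BGP groups described under "Routing protocol authentication", depends on every adjacency carrying an MD5 key, and a single interface left without one silently weakens the whole area. The following Python script is added here as an example and is not part of the Juniper guide. It audits a Junos set-style configuration for OSPFv2 interfaces that lack MD5 authentication or BFD and for external BGP groups that lack an authentication-key, and it lists keys stored in Junos $9$ form. The sample configuration is constructed for the example: the ge-1/2/2.0 and lo0.0 lines are the guide's own, while ge-1/3/2.0 is deliberately shown without its key, and the BGP group EBGP-ISP, its peer 203.0.113.1 and its key are made up. One caveat the last check makes visible: $9$ is a reversible obfuscation, not a hash, so anyone who can read the configuration can recover the key, and configuration backups must be protected as secrets.

```python
"""Audit a Junos set-style configuration for unauthenticated OSPF interfaces
and BGP groups, and list keys stored in reversible $9$ form.
Added example for this guide, not Juniper code."""
import re
from collections import defaultdict

# Constructed sample. The ge-1/2/2.0 and lo0.0 lines are the guide's own;
# ge-1/3/2.0 (BFD but no key), IBGP-MESH (no key) and EBGP-ISP (made-up
# key and peer) are added so that the audit has something to find.
SAMPLE_CONFIG = """
set protocols ospf area 0.0.0.0 interface ge-1/2/2.0 interface-type p2p
set protocols ospf area 0.0.0.0 interface ge-1/2/2.0 authentication md5 0 key "$9$0MTR1ESvWXbsgikAuO1cSws2"
set protocols ospf area 0.0.0.0 interface ge-1/2/2.0 bfd-liveness-detection minimum-interval 500
set protocols ospf area 0.0.0.0 interface ge-1/2/2.0 bfd-liveness-detection multiplier 3
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface ge-1/3/2.0 interface-type p2p
set protocols ospf area 0.0.0.0 interface ge-1/3/2.0 bfd-liveness-detection minimum-interval 500
set protocols bgp group IBGP-MESH type internal
set protocols bgp group IBGP-MESH neighbor 172.31.255.3
set protocols bgp group EBGP-ISP type external
set protocols bgp group EBGP-ISP authentication-key "$9$MadeUpKeyForTheExample"
set protocols bgp group EBGP-ISP neighbor 203.0.113.1
"""

# OSPFv2 only: OSPFv3 has no authentication keyword and relies on IPsec instead.
OSPF_RE = re.compile(r"^set protocols ospf area (\S+) interface (\S+)(?: (.*))?$")
BGP_RE = re.compile(r"^set protocols bgp group (\S+)(?: (.*))?$")
# Junos $9$ strings use letters, digits and . / - after the prefix.
SECRET_RE = re.compile(r"\$9\$[A-Za-z0-9./-]+")


def parse_set_config(text):
    """Group the trailing options of each set line by OSPF interface and BGP group."""
    ospf = defaultdict(set)   # (area, interface) -> {"interface-type p2p", ...}
    bgp = defaultdict(set)    # group -> {"type external", ...}
    for raw in text.splitlines():
        line = raw.strip()
        m = OSPF_RE.match(line)
        if m:
            ospf[(m.group(1), m.group(2))].add(m.group(3) or "")
            continue
        m = BGP_RE.match(line)
        if m:
            bgp[m.group(1)].add(m.group(2) or "")
    return ospf, bgp


def audit_ospf(ospf):
    """Every non-passive OSPF interface needs an MD5 key and BFD."""
    findings = []
    for (area, ifname), opts in sorted(ospf.items()):
        if "passive" in opts:
            continue  # no adjacency is formed, so there is no key to check
        if not any(o.startswith("authentication md5 ") for o in opts):
            findings.append(f"ospf area {area} {ifname}: no MD5 authentication")
        if not any(o.startswith("bfd-liveness-detection ") for o in opts):
            findings.append(f"ospf area {area} {ifname}: no BFD liveness detection")
    return findings


def audit_bgp(bgp, external_only=True):
    """BGP groups need an authentication-key. By default only EBGP groups are
    checked; pass external_only=False to hold the IBGP mesh to the same bar."""
    findings = []
    for group, opts in sorted(bgp.items()):
        if external_only and "type external" not in opts:
            continue
        if not any(o.startswith("authentication-key ") for o in opts):
            findings.append(f"bgp group {group}: no authentication-key")
    return findings


def find_obfuscated_secrets(text):
    """$9$ is reversible obfuscation, not a hash: the plaintext key is recoverable
    by anyone who can read the configuration, so treat config dumps as secrets."""
    return SECRET_RE.findall(text)


if __name__ == "__main__":
    ospf, bgp = parse_set_config(SAMPLE_CONFIG)
    for finding in audit_ospf(ospf) + audit_bgp(bgp, external_only=False):
        print("WARN", finding)
    print("keys stored in reversible $9$ form:", len(find_obfuscated_secrets(SAMPLE_CONFIG)))
```

Run it against the output of `show configuration | display set` saved to a file instead of SAMPLE_CONFIG; the regular expressions deliberately match only the `protocols ospf` and `protocols bgp` hierarchies of the main routing instance, so routing-instance stanzas such as the WAN-GRE and VPN virtual routers need the `set routing-instances <name> protocols ...` prefix added to the patterns before they are covered.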
3. Configure OSPFv3 for IPv6.
b. Apply the policy to export BGP routes into OSPFv3.
[edit]
edit protocols ospf3
set export BGP2OSPF-V6
c. Create a backbone area for OSPFv3, and add the loopback interface, the interface
to the WAN aggregation router on Aggregation Hub 2 (ge-1/3/2), the interface to the
data center (xe-0/0/2), and the interface to the VPN termination router (ge-1/2/2).
Give the data center interface a metric of 10 so that paths over it are preferred,
because the xe interface is the highest-bandwidth link, and a router priority of 200 so
that this router is elected designated router on that segment.
[edit]
edit protocols ospf3 area 0.0.0.0
set interface lo0.0
set interface ge-1/3/2.0
set interface xe-0/0/2.0 metric 10
set interface xe-0/0/2.0 priority 200
set interface ge-1/2/2.0 interface-type p2p
Results
user@hub1> show ospf neighbor
(The Address and Interface columns were lost in extraction.)
State   ID              Pri   Dead
Full    172.31.255.3    128   36
Full    172.31.255.5    128   37
Full    172.31.254.9    128   38
Full    172.31.255.8    128   37
Full    172.16.5.255    128   35

user@hub1> show ospf3 neighbor
(Only the Pri and Dead columns survived extraction.)
Pri   Dead
128   38
128   31
128   34
128   34
For multicast at the aggregation hubs, we are using static rendezvous points (RPs) with
anycast RP. The RPs are configured on loopback interfaces on the WAN aggregation
routers. The WAN aggregation router on Aggregation Hub 1 is the primary RP, and the
WAN aggregation role on Aggregation Hub 2 is the secondary RP. We are using MSDP to
create a peering relationship between the primary and backup RPs.
For anycast RP, you configure the two RPs with a shared anycast IP address on loopback
interfaces. We recommend that you configure the anycast address with a 32-bit mask,
making it a host address. The shared anycast IP address is also used as the static RP
address when you configure PIM at the aggregation hub.
2. In the PIM configuration, specify the static RP. The local address is the address of
the RP, which is also the shared anycast address. The low priority number gives the
RP at Hub 1 priority over the RP at Hub 2.
[edit]
edit protocols pim
set rp local address 172.31.255.15
set rp local priority 1
3. Configure multicast on the interface to the VPN termination router (ge-1/2/2), the
interface to the WAN aggregation router on Aggregation Hub 2 (ge-1/3/2), and the
interface to the data center (xe-0/0/2).
[edit]
edit protocols pim
set interface ge-1/2/2.0 family inet
set interface ge-1/2/2.0 mode sparse
set interface ge-1/2/2.0 version 2
set interface ge-1/3/2.0 family inet
set interface ge-1/3/2.0 mode sparse
set interface ge-1/3/2.0 version 2
set interface xe-0/0/2.0 mode sparse
set interface xe-0/0/2.0 version 2
Results
1. Verify PIM neighbors.
user@hub1> show pim neighbors
(The Interface and IP-version columns were lost in extraction.)
V  Mode  Option  Uptime       Neighbor addr
2        HPLGT   1d 02:41:00  172.31.254.14
2        HPLGT   1d 02:41:00  172.31.254.33
2        HPLGT   1d 02:41:00  172.31.254.42
2        HPLGT   1d 00:07:48  172.31.241.10
2. Verify the RP.
user@hub1> show pim rps extensive
address-family INET
RP: 172.31.255.15
Learned via: static configuration
Mode: Sparse
Time Active: 1d 02:42:50
Holdtime: 150
Device Index: 144
Subunit: 32769
Interface: pd-1/3/10.32769
Static RP Override: Off
Group Ranges:
        224.0.0.0/4
Register State for RP:
Group           Source          FirstHop        RP Address      State    Timeout
235.1.1.1       172.31.252.10   172.31.255.8    172.31.255.15   Receive      134
235.1.1.2       172.31.252.10   172.31.255.8    172.31.255.15   Receive      132
235.2.1.1       172.31.252.10   172.31.255.8    172.31.255.15   Receive      131
235.2.1.2       172.31.252.10   172.31.255.8    172.31.255.15   Receive      139
235.2.1.3       172.31.252.10   172.31.255.8    172.31.255.15   Receive      140
235.2.1.4       172.31.252.10   172.31.255.8    172.31.255.15   Receive      140
. . .
235.4.1.23      172.31.252.10   172.31.255.8    172.31.255.15   Receive      131
235.4.1.24      172.31.252.10   172.31.255.8    172.31.255.15   Receive      131
235.4.1.25      172.31.252.10   172.31.255.8    172.31.255.15   Receive      131
Anycast PIM local address used: 172.31.255.2
address-family INET6
3. Verify that multicast is running over the interfaces.
user@hub1> show pim join
Instance: PIM.master Family: INET
R = Rendezvous Point Tree, S = Sparse, W = Wildcard
Group: 235.2.1.1
Source: *
RP: 172.31.255.15
Flags: sparse,rptree,wildcard
Upstream interface: Local
Group: 235.2.1.1
Source: 172.31.252.10
Flags: sparse,spt
Upstream interface: xe-0/0/2.0
Group: 235.2.1.2
Source: *
RP: 172.31.255.15
Flags: sparse,rptree,wildcard
Upstream interface: Local
Group: 235.2.1.2
Source: 172.31.252.10
Flags: sparse,spt
Upstream interface: xe-0/0/2.0
Group: 235.2.1.3
Source: *
RP: 172.31.255.15
Flags: sparse,rptree,wildcard
Upstream interface: Local
Group: 235.4.1.23
Source: 172.31.252.10
Flags: sparse,spt
Upstream interface: xe-0/0/2.0
Group: 235.4.1.24
Source: *
RP: 172.31.255.15
Flags: sparse,rptree,wildcard
Upstream interface: Local
Group: 235.4.1.24
Source: 172.31.252.10
Flags: sparse,spt
Upstream interface: xe-0/0/2.0
. . .
Group: 235.4.1.25
Source: *
RP: 172.31.255.15
Flags: sparse,rptree,wildcard
Upstream interface: Local
Group: 235.4.1.25
Source: 172.31.252.10
Flags: sparse,spt
Upstream interface: xe-0/0/2.0
Instance: PIM.master Family: INET6
R = Rendezvous Point Tree, S = Sparse, W = Wildcard
4. Verify that IGMP groups are formed on each of the interfaces.
user@hub1> show igmp group
Interface: ge-1/2/2.0, Groups: 5
Group: 224.0.0.2
Source: 0.0.0.0
Last reported by: 172.31.254.14
Timeout:
155 Type: Dynamic
Group: 224.0.0.5
Source: 0.0.0.0
Last reported by: 172.31.254.14
Timeout:
160 Type: Dynamic
Group: 224.0.0.6
Source: 0.0.0.0
Last reported by: 172.31.254.14
Timeout:
161 Type: Dynamic
Group: 224.0.0.13
Source: 0.0.0.0
Group: 224.0.0.13
Source: 0.0.0.0
Last reported by: Local
Timeout:
0 Type: Dynamic
Group: 224.0.0.22
Source: 0.0.0.0
Last reported by: Local
Timeout:
0 Type: Dynamic
5. Verify that groups are established with upstream interfaces to the Internet edge router
Uptime: 07:38:23
Group: 235.4.1.25
Source: 172.31.252.10/32
Upstream interface: xe-0/0/2.0
Downstream interface list:
ge-1/2/5.0
Session description: Unknown
Statistics: 35 kBps, 150 pps, 4125214 packets
Next-hop ID: 1052582
Upstream protocol: PIM
Route state: Active
Forwarding state: Forwarding
Cache lifetime/timeout: 360 seconds
Wrong incoming interface notifications: 1
Uptime: 07:38:22
Instance: master Family: INET6
6. After you have configured MSDP on Aggregation Hub 2, verify MSDP peers.
user@hub1> show msdp
Peer address     Local address    State        Last up/down   Peer-Group   SA Count
172.31.255.5     172.31.255.2     Established  1d 01:00:37                 0/0
1. Configure classifiers.
a. Configure the DSCP behavior aggregate (BA) classifier for IPv4.
[edit]
edit class-of-service classifiers dscp DSCP-BA
set forwarding-class Best_Effort loss-priority high code-points be
set forwarding-class Video loss-priority low code-points af41
set forwarding-class Video loss-priority low code-points af42
set forwarding-class Voice loss-priority low code-points ef
set forwarding-class Network_Control loss-priority low code-points cs6
set forwarding-class Network_Control loss-priority low code-points cs7
set forwarding-class Scavenger loss-priority low code-points cs1
set forwarding-class Bulk_Data loss-priority high code-points af11
set forwarding-class Bulk_Data loss-priority high code-points af12
set forwarding-class Critical_Data loss-priority low code-points af21
set forwarding-class Critical_Data loss-priority low code-points af22
b. Configure the DSCP BA classifier for IPv6.
[edit]
edit class-of-service classifiers dscp-ipv6 DSCP-BA
set forwarding-class Best_Effort loss-priority high code-points be
set forwarding-class Video loss-priority low code-points af41
set forwarding-class Video loss-priority low code-points af42
set forwarding-class Voice loss-priority low code-points ef
set forwarding-class Network_Control loss-priority low code-points cs6
set forwarding-class Network_Control loss-priority low code-points cs7
set forwarding-class Scavenger loss-priority low code-points cs1
set forwarding-class Bulk_Data loss-priority high code-points af11
c. Configure the forwarding classes and their queue assignments.
[edit]
edit class-of-service forwarding-classes
set queue 0 Best_Effort
set queue 1 Scavenger
set queue 2 Bulk_Data
set queue 3 Critical_Data
set queue 4 Video
set queue 5 Voice
set queue 6 Network_Control
d. Configure rewrite rules for IPv4 traffic.
[edit]
edit class-of-service rewrite-rules dscp DEF_DSCP_REWRITE
set forwarding-class Voice loss-priority low code-point 101110
set forwarding-class Video loss-priority low code-point 100010
set forwarding-class Network_Control loss-priority low code-point 111000
set forwarding-class Critical_Data loss-priority low code-point 010010
set forwarding-class Bulk_Data loss-priority high code-point 001010
set forwarding-class Best_Effort loss-priority high code-point 000000
set forwarding-class Scavenger loss-priority high code-point 001000
e. Configure rewrite rules for core IPv6 traffic.
[edit]
edit class-of-service rewrite-rules dscp-ipv6 DEF_DSCP_REWRITE
set forwarding-class Voice loss-priority low code-point 101110
set forwarding-class Video loss-priority low code-point 100010
set forwarding-class Network_Control loss-priority low code-point 111000
set forwarding-class Critical_Data loss-priority low code-point 010010
set forwarding-class Bulk_Data loss-priority high code-point 001010
set forwarding-class Best_Effort loss-priority high code-point 000000
set forwarding-class Scavenger loss-priority high code-point 001000
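A classifier and a rewrite rule are only consistent if the DSCP this router writes on egress is classified into the same forwarding class by the next hop running the same classifier, and Junos leaves the DSCP untouched for any forwarding-class and loss-priority pair the rewrite rule does not list. The following Python check is added here as an example and is not part of the Juniper guide. It parses the DSCP-BA classifier and DEF_DSCP_REWRITE rule exactly as configured above, simulates a packet's marking across one hop, and reports gaps. Applied to this configuration it flags that Scavenger traffic, which the classifier places at loss-priority low from cs1, has a rewrite entry only for loss-priority high, so its DSCP passes through unchanged; it also shows af42 and cs6 being normalized to af41 and cs7 on egress. The DSCP name-to-value table is the standard one (RFC 2474, RFC 2597, RFC 3246); nothing else is assumed.

```python
"""Consistency check between a Junos DSCP behavior-aggregate classifier and a
DSCP rewrite rule. Added example for this guide, not Juniper code."""
import re

# Standard DSCP names -> 6-bit values: class selectors (RFC 2474),
# assured forwarding (RFC 2597), expedited forwarding (RFC 3246).
DSCP_VALUES = {"be": 0, "ef": 46}
DSCP_VALUES.update({f"cs{i}": i << 3 for i in range(1, 8)})
DSCP_VALUES.update({f"af{c}{d}": (c << 3) | (d << 1)
                    for c in range(1, 5) for d in range(1, 4)})
DSCP_NAMES = {v: k for k, v in DSCP_VALUES.items()}

# Copied from the guide's DSCP-BA (IPv4) classifier and DEF_DSCP_REWRITE rule.
CLASSIFIER_CONFIG = """
set forwarding-class Best_Effort loss-priority high code-points be
set forwarding-class Video loss-priority low code-points af41
set forwarding-class Video loss-priority low code-points af42
set forwarding-class Voice loss-priority low code-points ef
set forwarding-class Network_Control loss-priority low code-points cs6
set forwarding-class Network_Control loss-priority low code-points cs7
set forwarding-class Scavenger loss-priority low code-points cs1
set forwarding-class Bulk_Data loss-priority high code-points af11
set forwarding-class Bulk_Data loss-priority high code-points af12
set forwarding-class Critical_Data loss-priority low code-points af21
set forwarding-class Critical_Data loss-priority low code-points af22
"""
REWRITE_CONFIG = """
set forwarding-class Voice loss-priority low code-point 101110
set forwarding-class Video loss-priority low code-point 100010
set forwarding-class Network_Control loss-priority low code-point 111000
set forwarding-class Critical_Data loss-priority low code-point 010010
set forwarding-class Bulk_Data loss-priority high code-point 001010
set forwarding-class Best_Effort loss-priority high code-point 000000
set forwarding-class Scavenger loss-priority high code-point 001000
"""

CLASSIFIER_RE = re.compile(r"set forwarding-class (\S+) loss-priority (\S+) code-points (\S+)")
REWRITE_RE = re.compile(r"set forwarding-class (\S+) loss-priority (\S+) code-point ([01]{6})")


def dscp_name(value):
    """Name a DSCP value, falling back to its 6-bit form for non-standard points."""
    return DSCP_NAMES.get(value, f"{value:06b}")


def parse_classifier(text):
    """DSCP value -> (forwarding class, loss priority) assigned on ingress."""
    return {DSCP_VALUES[cp]: (fc, lp) for fc, lp, cp in CLASSIFIER_RE.findall(text)}


def parse_rewrite(text):
    """(forwarding class, loss priority) -> DSCP value written on egress."""
    return {(fc, lp): int(bits, 2) for fc, lp, bits in REWRITE_RE.findall(text)}


def egress_dscp(classifier, rewrite, ingress_name):
    """Simulate one hop: classify on ingress, rewrite on egress. Returns the DSCP
    name the packet leaves with, or None when the classifier has no entry for it."""
    value = DSCP_VALUES[ingress_name]
    if value not in classifier:
        return None
    key = classifier[value]
    # Junos leaves the DSCP untouched when the rewrite rule has no entry for the
    # packet's forwarding-class / loss-priority pair.
    return dscp_name(rewrite.get(key, value))


def check_consistency(classifier, rewrite):
    """Report class/PLP pairs that are never re-marked, and rewrite values that the
    same classifier on the next hop would not map back to the same class."""
    findings = []
    for value, (fc, lp) in sorted(classifier.items()):
        if (fc, lp) not in rewrite:
            findings.append(f"{fc}/{lp}: no rewrite entry, {dscp_name(value)} leaves unchanged")
    for (fc, lp), value in sorted(rewrite.items()):
        back = classifier.get(value)
        if back is None:
            findings.append(f"{fc}/{lp}: rewrites to {dscp_name(value)}, which the classifier does not map")
        elif back[0] != fc:
            findings.append(f"{fc}/{lp}: rewrites to {dscp_name(value)}, classified as {back[0]} by the next hop")
    return findings


if __name__ == "__main__":
    cl, rw = parse_classifier(CLASSIFIER_CONFIG), parse_rewrite(REWRITE_CONFIG)
    for name in ("af42", "cs6", "cs1", "cs3"):
        print(f"{name} -> {egress_dscp(cl, rw, name)}")
    for finding in check_consistency(cl, rw):
        print("WARN", finding)
```

The Scavenger finding matters operationally: scavenger traffic that keeps its ingress DSCP is still carried as cs1 across the core, which happens to be correct here, but the same omission for a class whose ingress marking differs from its rewrite value would let end hosts' markings leak through the trust boundary at the WAN edge.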
4. Create a traffic control profile to be applied to the interface to the Layer 3 VPN
service provider.
[edit]
edit class-of-service traffic-control-profiles TO-L3VPN-VPN1
set scheduler-map MAIN-SCHD
set shaping-rate 400m
5. Create a traffic control profile that is applied to interfaces to the leased-line provider.
[edit]
edit class-of-service traffic-control-profiles LEASED-LINE
set scheduler-map MAIN-SCHD
set shaping-rate 30m
8. Apply CoS to the interface to the WAN aggregation router at Aggregation Hub 2.
[edit]
edit class-of-service interfaces ge-1/3/2
set unit 0 classifiers dscp DSCP-BA
set unit 0 classifiers dscp-ipv6 DSCP-BA
Results
After the class-of-service configuration steps are complete, verify using the following
commands.
1. and 2. CoS object tables from the first two verification commands (only the Type and
Index columns survived extraction). First table: Type dscp, dscp-ipv6, dscp, dscp-ipv6;
Index 61950, 61951, 961. Second table: Type dscp, dscp-ipv6; Index 961, 960.
3. Verify CoS on the interface to the WAN aggregation router at Aggregation Hub 2.
user@wanagghub1> show class-of-service interface ge-1/3/2
Physical interface: ge-1/3/2, Index: 180
Queues supported: 8, Queues in use: 7
  Scheduler map: MAIN-SCHD, Index: 5286
  Congestion-notification: Disabled
  Logical interface: ge-1/3/2.0, Index: 335
    Object      Name      Type        Index
    Classifier  DSCP-BA   dscp        961
    Classifier  DSCP-BA   dscp-ipv6   960
4. Verify that traffic counters are incrementing against the configured classes and queues.
user@wanagghub1> show interfaces xe-0/0/2 extensive
Physical interface: xe-0/0/2, Enabled, Physical link is Up
Interface index: 154, SNMP ifIndex: 514, Generation: 157
Description: --- To DC-ACCESS router (Magha-DC-ACCESS xe-0/0/2) ---
  Link-level type: Ethernet, MTU: 1514, LAN-PHY mode, Speed: 10Gbps, BPDU Error: None, Loopback: None, Source filtering: Disabled, Flow control: Enabled
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: 5c:5e:ab:0e:41:72, Hardware address: 5c:5e:ab:0e:41:72
  Last flapped   : 2013-06-18 10:57:39 PDT (1d 00:10 ago)
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :        7752269351941            795833208 bps
   Output bytes  :        7814189915614            813114424 bps
   Input  packets:          28211048134               364239 pps
   Output packets:          27979629883               361951 pps
   IPv6 transit statistics:
    Input  bytes  :         420496306422
    Output bytes  :         836948546760
    Input  packets:           1796992770
    Output packets:           3576700052
  Dropped traffic statistics due to STP State:
   Input  bytes  :                    0
   Output bytes  :                    0
   Input  packets:                    0
   Output packets:                    0
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 3, Errors: 0, Drops: 33354, Collisions: 0, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0,  MTU errors: 0, Resource errors: 0
Egress queues: 8 supported, 7 in use
Queue counters:
Queued packets Transmitted packets
Dropped packets
0 Best_Effort
25551424919
25551424919
622892576
622875969
617076089
617076089
458237322
458225556
444989807
444986900
285379194
285377120
0
1 Scavenger
0
2 Bulk_Data
16607
3 Critical_Dat
0
4 Video
11766
5 Voice
2907
6 Network_Cont
2074
Queue number:
0
1
2
3
4
5
6
Active alarms : None
Enterprise WAN Aggregation and Internet Edge Design and Implementation Guide
  (Logical interface section; its header lines did not survive extraction. Residue: "18 bytes", "18 bytes".)
    Input  packets:               379386
    Output packets:               285267
    Transit statistics:
     Input  bytes  :        7752057465740            795823080 bps
     Output bytes  :        7813969102963            813102864 bps
     Input  packets:          28210668072               364238 pps
     Output packets:          27979344617               361950 pps
    IPv6 transit statistics:
     Input  bytes  :         420496305686
     Output bytes  :         836948546760
     Input  packets:           1796992769
     Output packets:           3576700052
    Protocol inet, MTU: 1500, Generation: 160, Route table: 0
      Flags: Sendbcast-pkt-to-re, User-MTU
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 172.31.241/24, Local: 172.31.241.2, Broadcast: 172.31.241.255, Generation: 150
    Protocol inet6, MTU: 1500, Generation: 161, Route table: 0
      Flags: Is-Primary
      Addresses, Flags: Is-Preferred
        Destination: fe80::/64, Local: fe80::5e5e:abff:fe0e:4172
    Generation: 152
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: fec0:31:241::/64, Local: fec0:31:241::2
    Protocol multiservice, MTU: Unlimited, Generation: 154
    Generation: 162, Route table: 0
      Policer: Input: __default_arp_policer__
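Reading the queue counters by eye in a listing this long is error-prone, so here is an added example (Python, written for this page, not code from the guide) that parses the queue-counter and mapped-class sections of `show interfaces ... extensive`, works out per-class drop counts and ratios, checks that the per-queue drops add up to the interface-level Drops figure, and reports any drops at all in the Voice and Network_Control classes. The sample text is a constructed copy of the counters shown above; the Scavenger row, which did not survive extraction there, is filled with illustrative zeros.

```python
import re
from typing import Dict, Tuple

# Constructed sample of the relevant parts of `show interfaces ... extensive`,
# laid out the way Junos prints them. Counter values are the ones from the
# output above; the queue 1 (Scavenger) row is filled with illustrative zeros.
SAMPLE_OUTPUT = """\
  Output errors:
    Carrier transitions: 3, Errors: 0, Drops: 33354, Collisions: 0
  Egress queues: 8 supported, 7 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0                     25551424919          25551424919                    0
    1                               0                    0                    0
    2                       622892576            622875969                16607
    3                       617076089            617076089                    0
    4                       458237322            458225556                11766
    5                       444989807            444986900                 2907
    6                       285379194            285377120                 2074
  Queue number:         Mapped forwarding classes
    0                       Best_Effort
    1                       Scavenger
    2                       Bulk_Data
    3                       Critical_Data
    4                       Video
    5                       Voice
    6                       Network_Control
"""

COUNTER_RE = re.compile(r"^\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
MAPPING_RE = re.compile(r"^\s+(\d+)\s+([A-Za-z_]+)\s*$")
DROPS_RE = re.compile(r"\bDrops:\s*(\d+)")


def parse_queue_counters(text: str):
    """Return (counters, names, output_drops).

    counters:     {queue: (queued, transmitted, dropped)}
    names:        {queue: forwarding class}
    output_drops: the interface-level 'Drops:' figure under 'Output errors:'
    """
    counters: Dict[int, Tuple[int, int, int]] = {}
    names: Dict[int, str] = {}
    output_drops = 0
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Output errors:"):
            section = "errors"
        elif stripped.startswith("Queue counters:"):
            section = "counters"
        elif stripped.startswith("Queue number:"):
            section = "names"
        elif section == "errors":
            m = DROPS_RE.search(line)
            if m:
                output_drops = int(m.group(1))
        elif section == "counters":
            m = COUNTER_RE.match(line)
            if m:
                q, queued, transmitted, dropped = (int(x) for x in m.groups())
                counters[q] = (queued, transmitted, dropped)
        elif section == "names":
            m = MAPPING_RE.match(line)
            if m:
                names[int(m.group(1))] = m.group(2)
    return counters, names, output_drops


def drop_report(text: str, protected=("Voice", "Network_Control")) -> dict:
    """Per-class drop counts and ratios, a consistency check against the
    interface-level drop counter, and the protected classes that recorded
    any drops at all (tail drops in Voice or Network_Control deserve an
    alert even when the ratio is tiny)."""
    counters, names, output_drops = parse_queue_counters(text)
    per_class = {}
    for q, (queued, transmitted, dropped) in counters.items():
        name = names.get(q, f"queue-{q}")
        per_class[name] = {
            "queued": queued,
            "transmitted": transmitted,
            "dropped": dropped,
            "drop_ratio": dropped / queued if queued else 0.0,
        }
    total_dropped = sum(v[2] for v in counters.values())
    return {
        "per_class": per_class,
        "queue_drops_match_interface": total_dropped == output_drops,
        "protected_classes_with_drops": [
            c for c in protected if per_class.get(c, {}).get("dropped", 0) > 0
        ],
    }


if __name__ == "__main__":
    report = drop_report(SAMPLE_OUTPUT)
    for name, stats in report["per_class"].items():
        print(f"{name:16} dropped={stats['dropped']:>6} ratio={stats['drop_ratio']:.2e}")
    print("queue drops match interface counter:", report["queue_drops_match_interface"])
    print("protected classes with drops:", report["protected_classes_with_drops"])
```

On the sample, the four non-zero queue drop counts sum to exactly the 33354 output drops reported for the interface, and both Voice and Network_Control show drops, which is the kind of finding a scheduler review should start from.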
This solution is configured with per-packet load balancing (PPLB). This configuration installs the active route as well as all next-hop addresses for a destination in the forwarding table. You can use load balancing to spread traffic across multiple paths between routers. Load balancing is configured on the ingress router and uses a hash algorithm to distribute traffic equally across multiple paths.
NOTE: PPLB enables faster convergence when one of the active links fails, because the remaining links and next hops are already installed in the forwarding table.
The following steps are used to configure per-packet load balancing on the WAN aggregation router.
1.
2.
Apply the configured policy to routes exported from the routing table to the forwarding table. With this configuration, if there are two equal-cost routes to a destination, the router uses both next-hop links, so the routing load is distributed.
[edit]
edit routing-options
set forwarding-table export PPLB
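The hash-based distribution described above, as an added illustration in Python (not code from the guide): flows are identified by their 5-tuple, a hash of the tuple selects one of the installed next hops, and withdrawing one next hop moves only the flows that were hashed to it. SHA-256 stands in for the platform's hardware hash, the sample flows are constructed, and the second next-hop address 172.31.254.14 is a placeholder.

```python
import hashlib
from collections import Counter
from typing import List, Tuple

# A flow is identified by its 5-tuple: (src, dst, protocol, sport, dport).
Flow = Tuple[str, str, int, int, int]


def pick_next_hop(flow: Flow, next_hops: List[str]) -> str:
    """Hash the 5-tuple and index into the list of installed next hops.

    SHA-256 stands in for the platform's hardware hash; what matters is that
    the same flow always lands on the same next hop while the set of next
    hops is unchanged.
    """
    key = "|".join(str(field) for field in flow).encode()
    digest = hashlib.sha256(key).digest()
    return next_hops[int.from_bytes(digest[:4], "big") % len(next_hops)]


def distribute(flows: List[Flow], next_hops: List[str]) -> Counter:
    """Count how many flows each next hop receives."""
    return Counter(pick_next_hop(f, next_hops) for f in flows)


def flows_moved(flows: List[Flow], before: List[str], after: List[str]) -> int:
    """Flows whose next hop changes when the installed next-hop set changes."""
    return sum(1 for f in flows if pick_next_hop(f, before) != pick_next_hop(f, after))


def sample_flows(n: int) -> List[Flow]:
    """Constructed flows: branch hosts in 10.2.0.0/16 towards 172.28.0.0/16 services."""
    flows = []
    for i in range(n):
        proto, dport = (6, 80) if i % 3 else (17, 53)
        flows.append((f"10.2.{i % 250}.{i % 253 + 1}", f"172.28.{i % 200 + 1}.1",
                      proto, 40000 + i, dport))
    return flows


# Two equal-cost next hops; 172.31.254.13 appears in the guide, .14 is a placeholder.
NEXT_HOPS = ["172.31.254.13", "172.31.254.14"]

if __name__ == "__main__":
    flows = sample_flows(2000)
    print("distribution:", distribute(flows, NEXT_HOPS))
    # Link failure: one next hop is withdrawn; only the flows that were hashed
    # to it move, the rest keep their forwarding path.
    print("flows moved on failure:", flows_moved(flows, NEXT_HOPS, NEXT_HOPS[:1]))
```

With the next hops already in the forwarding table, the failure case in the script is just a smaller list to index into; there is no wait for the routing protocol to install a replacement, which is the convergence benefit the note above refers to.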
Enabling CoS T1/T3 Interfaces on the VPN Termination Router on page 118
Enabling the PIC for Tunneling and Per-Unit Scheduling on the VPN Termination
Router on page 118
Configuring the Physical Transport on the VPN Termination Router on page 119
Configuring IPsec Tunnel Termination on the VPN Termination Router on page 120
Configuring GRE Tunnel Termination on the VPN Termination Router on page 121
Configuring Access to Hosted Services for External Internet Users on page 124
Configuring Routing Policies for IBGP Peers on the VPN Termination Router on page 127
Configuring Fully-Meshed IBGP Peer Groups on the VPN Termination Router on page 128
2.
3.
To help prevent congestion and packet drops, configure a larger buffer size.
[edit]
edit chassis fpc 0 pic 0
set q-pic-large-buffer
Enabling the PIC for Tunneling and Per-Unit Scheduling on the VPN Termination
Router
Step-by-Step
Procedure
Follow this procedure to enable per-unit scheduling for GRE tunnels on M7i Series routers
with Intelligent Queuing 2 (IQ2) PICs and IQ 2 Enhanced (IQ2E) PICs.
1.
2.
You can specify that IQ2 and IQ2E PICs work exclusively in tunnel mode or as a
regular PIC. The default setting uses IQ2 and IQ2E PICs as a regular PIC. To configure
exclusive tunnel mode, add the tunnel-only statement.
[edit]
edit chassis fpc 0 pic 1
set tunnel-services tunnel-only
3.
1.
2.
Add the Ethernet interface that connects to servers that provide hosted services.
[edit]
edit interfaces ge-0/0/3
set description "--- To Hosted Services Hub 1 ---"
set unit 0 family inet mtu 1500
set unit 0 family inet address 172.31.254.49/30
3.
4.
The VPN routing instance is a public Internet-facing instance that is used for branches
that connect to the hub over IPsec tunnels. It acts as the IPsec endpoint for IPsec requests
from the branch, and it terminates IPsec tunnels that are initiated at the branch.
When you configure a branch scenario that uses IPsec tunnels to Hub 1, you add IPsec
interfaces used for the scenario to the VPN routing instance, and you add the loopback
interface that is used as the GRE tunnel source address at the hub.
1.
2. Add the Ethernet interface to the Internet edge router, and configure a default static route through that interface. This route provides reachability to the Internet-connected branches.
[edit]
edit routing-instances VPN
set interface ge-0/0/0.0
set routing-options static route 0.0.0.0/0 next-hop 198.51.100.5
Results
*[Static/5] 02:31:29
> to 198.51.100.5 via ge-0/0/0.0
The WAN-GRE virtual router routing instance terminates GRE tunnels from the
Internet-connected branches. The routing instance provides private overlay routing over
the GRE tunnels to the branch, and includes OSPF and IBGP routing adjacencies between
the GRE tunnels and the WAN aggregation router over the directly connected Ethernet
link. The routing instance also includes multicast peering with the WAN aggregation
router.
When you configure a branch scenario that uses GRE tunnels to Hub 1, you add GRE
interfaces used for the scenario to the WAN-GRE routing instance, and you add the
loopback interface that is used as the GRE tunnel source address at the hub.
Only the default route is advertised to the branches over OSPF.
1.
Create the virtual router routing instance, and add the Ethernet interface to the
WAN aggregation router.
[edit]
edit routing-instances WAN-GRE
set instance-type virtual-router
set interface ge-0/0/1.0
2.
3.
4.
5.
Add the static rendezvous point, and add the Ethernet interface to the WAN
aggregation router.
[edit]
edit routing-instances WAN-GRE protocols pim
set rp static address 172.31.255.15
set interface ge-0/0/1.0 mode sparse
set interface ge-0/0/1.0 version 2
Results
After the GRE over IPsec tunnel configuration is complete, use the commands in the following section to verify that the configuration was successful.
1.
Verify that the WAN-GRE routing instance is receiving the default static route from
the WAN aggregation router at Hub 1 for Internet-bound traffic that is sourced from
the Internet-connected branch.
user@vpn1> show route table WAN-GRE.inet.0 0.0.0.0/0 exact

WAN-GRE.inet.0: 27862 destinations, 56271 routes (27862 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          (route entry did not survive extraction)

(The text of the next verification step did not survive extraction; what remains is a terse route listing of branch prefixes learned through OSPF, all with next hop 172.31.254.13.)

A V Destination        P Prf   Metric 1   Metric 2  Next hop         AS path
  ? 172.28.1.0/24      O  10         27            >172.31.254.13
  ? 172.28.2.0/24      O  10         27            >172.31.254.13
  ? 172.28.3.0/24      O  10         27            >172.31.254.13
  ...
  ? 172.28.248.0/24    O  10         27            >172.31.254.13
  ? 172.28.249.0/24    O  10         27            >172.31.254.13
  ? 172.28.250.0/24    O  10         27            >172.31.254.13

(Latency output; only the round-trip times survived extraction: 0.787 ms, 10.588 ms, 0.594 ms. Residue: "## Option HPLGT".)
Figure 56: Internet User Traffic Flow (SFW + NAT) To and From Enterprise
Hosted Services
The HOSTED-WWW-NAT virtual router routing instance is used to route external Internet traffic to and from hosted services.
1.
Create a routing instance, and add the interface to the Internet edge router that handles hosted services traffic (ge-0/0/0.1) and the interface to the hosted services (ge-0/0/3.0).
[edit]
edit routing-instances HOSTED-WWW-NAT
set instance-type virtual-router
set interface ge-0/0/0.1
set interface ge-0/0/3.0
2.
Create a default static route with a next hop to the interface on the Internet edge
router that handles traffic for hosted services. This route is for return external traffic
from hosted services to the Internet.
[edit]
edit routing-instances HOSTED-WWW-NAT routing-options
set static route 0.0.0.0/0 next-hop 172.31.255.53
This configuration is used to provide access to hosted services for internal traffic from
branches or from the data center. Internal users access hosted services using internal
addressing of either 172.16.0.0/12 or 10.0.0.0/8.
1.
2.
3.
[edit]
edit services nat rule Branch-DC-to-www
set match-direction input
set term from-branch-lan from source-address 172.16.0.0/12
set term from-branch-lan from source-address 10.0.0.0/8
set term from-branch-lan then translated source-pool branch-priv-pool
set term from-branch-lan then translated translation-type napt-44
4.
5.
6.
7.
8.
Configure a static route in the GRE routing instance for traffic from the private NAT
pool addresses with the next hop of the inside service interface.
[edit]
edit routing-instances WAN-GRE routing-options
set static route 172.31.254.48/28 next-hop sp-0/3/0.4001
9.
Configure a routing policy that exports the static route to OSPF so that it is advertised
to Aggregation Hub 2.
[edit]
edit policy-options policy-statement STATIC2OSPF
set term 1 from protocol static
set term 1 from route-filter 172.31.254.48/28 exact
set term 1 then accept
10.
Configuring Routing Policies for IBGP Peers on the VPN Termination Router
Step-by-Step
Procedure
Configure a next-hop self policy for IPv4 traffic, which causes the loopback address
of the router to be advertised as the next-hop for BGP traffic.
[edit]
edit policy-options policy-statement NHS
set term 1 from protocol bgp
set term 1 then next-hop self
set term 1 then accept
2.
Configure a next-hop self policy for IPv6 traffic, which causes the loopback address
of the router to be advertised as the next-hop address for BGP traffic.
[edit]
edit policy-options policy-statement NHS6
set term 1 from family inet6
set term 1 from protocol bgp
set term 1 then next-hop self
set term 1 then accept
3.
Configure a policy that is used to advertise default static IPv4 routes. It is a next-hop self policy, which causes the loopback address of the router to be advertised as the next-hop address.
[edit]
edit policy-options policy-statement ADV_DEFAULT
set term 1 from family inet
set term 1 from route-filter 0.0.0.0/0 exact
set term 1 then next-hop self
set term 1 then accept
4.
5.
At the aggregation hubs, we have a full IBGP mesh with the WAN aggregation router and
the WAN-GRE virtual router on Aggregation Hub 1 and the WAN-GRE virtual router on
Aggregation Hub 2.
1.
2.
The NHS export policy causes the router to advertise the address of the loopback
interface as the next hop.
[edit]
edit routing-instances WAN-GRE protocols bgp group IBGP-Mesh
set type internal
set local-address 172.31.255.3
set export NHS
set bfd-liveness-detection minimum-interval 500
set bfd-liveness-detection multiplier 3
set neighbor 172.31.255.2 authentication-key "$9$m5zntuBSrK-VH.P53nyre"
set neighbor 172.31.255.5 authentication-key "$9$rvMKWXVw2GDHz3hylKLXUDi"
set neighbor 172.31.255.6 authentication-key "$9$EIqSlvxNV4aGP5BRhSKvoaZ"
3.
The NHS6 export policy causes the router to advertise the address of the loopback
interface as the next hop.
[edit]
edit routing-instances WAN-GRE protocols bgp group IBGP-Mesh-V6
set type internal
set local-address 2001:DB8:255::3
set family inet6 unicast
set export NHS6
set neighbor 2001:DB8:255::2 authentication-key "$9$JcUiqTznp01evgaZUkqu0B"
set neighbor 2001:DB8:255::5 authentication-key
"$9$tZ9i01ElKW-VsUj/Ap0REdVw"
set neighbor 2001:DB8:255::6 authentication-key
"$9$/C3aAuBcyeX7daZF69AOBx7-"
1.
Configure classifiers.
a. Configure the DSCP behavior aggregate (BA) classifier for IPv4.
[edit]
edit class-of-service classifiers dscp DSCP-BA
set forwarding-class Best_Effort loss-priority high code-points be
set forwarding-class Video loss-priority low code-points af41
set forwarding-class Video loss-priority low code-points af42
set forwarding-class Voice loss-priority low code-points ef
set forwarding-class Network_Control loss-priority low code-points cs6
set forwarding-class Network_Control loss-priority low code-points cs7
set forwarding-class Scavenger loss-priority low code-points cs1
set forwarding-class Bulk_Data loss-priority high code-points af11
set forwarding-class Bulk_Data loss-priority high code-points af12
set forwarding-class Critical_Data loss-priority low code-points af21
set forwarding-class Critical_Data loss-priority low code-points af22
b. Configure the DSCP BA classifier for IPv6.
[edit]
edit class-of-service classifiers dscp-ipv6 DSCP-BA
set forwarding-class Best_Effort loss-priority high code-points be
set forwarding-class Video loss-priority low code-points af41
set forwarding-class Video loss-priority low code-points af42
set forwarding-class Voice loss-priority low code-points ef
set forwarding-class Network_Control loss-priority low code-points cs6
c. Map each forwarding class to a transmission queue.
[edit]
edit class-of-service forwarding-classes
set queue 0 Best_Effort
set queue 1 Scavenger
set queue 2 Bulk_Data
set queue 3 Critical_Data
set queue 4 Video
set queue 5 Voice
set queue 6 Network_Control
d. Configure rewrite rules for IPv4 traffic.
[edit]
edit class-of-service rewrite-rules dscp DEF_DSCP_REWRITE
set forwarding-class Voice loss-priority low code-point 101110
set forwarding-class Video loss-priority low code-point 100010
set forwarding-class Network_Control loss-priority low code-point 111000
set forwarding-class Critical_Data loss-priority low code-point 010010
set forwarding-class Bulk_Data loss-priority high code-point 001010
set forwarding-class Best_Effort loss-priority high code-point 000000
set forwarding-class Scavenger loss-priority high code-point 001000
e. Configure rewrite rules for core IPv6 traffic.
[edit]
edit class-of-service rewrite-rules dscp-ipv6 DEF_DSCP_REWRITE
set forwarding-class Voice loss-priority low code-point 101110
set forwarding-class Video loss-priority low code-point 100010
set forwarding-class Network_Control loss-priority low code-point 111000
set forwarding-class Critical_Data loss-priority low code-point 010010
set forwarding-class Bulk_Data loss-priority high code-point 001010
set forwarding-class Best_Effort loss-priority high code-point 000000
set forwarding-class Scavenger loss-priority high code-point 001000
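The classifier and rewrite rule above only work as a pair if a packet marked by this hop's rewrite rule lands in the same forwarding class when the next hop classifies it. The following added example (Python, written for this page, not code from the guide) encodes the DSCP-BA classifier and the DEF_DSCP_REWRITE rule as tables, resolves the DSCP names to their 6-bit values, and checks two things: that every rewrite mark round-trips to its own class, and which rewrite entries are keyed on a loss priority the classifier never assigns to that class. Run against the tables as configured above, the round trip holds for all classes and the loss-priority check reports the Scavenger entry (the classifier assigns cs1 to Scavenger with loss priority low, the rewrite entry is for loss priority high). The default assignment for unlisted code points is an assumption noted in the code.

```python
# DSCP per-hop-behaviour names and their 6-bit values (RFC 2474, RFC 2597, RFC 3246).
DSCP_VALUES = {
    "be": 0, "cs1": 8, "af11": 10, "af12": 12, "af21": 18, "af22": 20,
    "af41": 34, "af42": 36, "ef": 46, "cs6": 48, "cs7": 56,
}

# Classifier DSCP-BA as configured above: code point -> (forwarding class, loss priority).
CLASSIFIER = {
    "be":   ("Best_Effort", "high"),
    "af41": ("Video", "low"),             "af42": ("Video", "low"),
    "ef":   ("Voice", "low"),
    "cs6":  ("Network_Control", "low"),   "cs7":  ("Network_Control", "low"),
    "cs1":  ("Scavenger", "low"),
    "af11": ("Bulk_Data", "high"),        "af12": ("Bulk_Data", "high"),
    "af21": ("Critical_Data", "low"),     "af22": ("Critical_Data", "low"),
}

# Rewrite rule DEF_DSCP_REWRITE as configured above: (class, loss priority) -> code point bits.
REWRITE = {
    ("Voice", "low"): "101110",           ("Video", "low"): "100010",
    ("Network_Control", "low"): "111000", ("Critical_Data", "low"): "010010",
    ("Bulk_Data", "high"): "001010",      ("Best_Effort", "high"): "000000",
    ("Scavenger", "high"): "001000",
}

# Assumption: code points not listed in the classifier fall to best effort, low loss priority.
DEFAULT_CLASS = ("Best_Effort", "low")


def classify(dscp: int):
    """Behaviour-aggregate classification of one packet by its 6-bit DSCP value."""
    for name, assignment in CLASSIFIER.items():
        if DSCP_VALUES[name] == dscp:
            return assignment
    return DEFAULT_CLASS


def rewrite(fc: str, plp: str) -> int:
    """DSCP value written on egress for a packet in the given class and loss priority."""
    return int(REWRITE[(fc, plp)], 2)


def round_trip(fc: str, plp: str):
    """Mark a packet as this hop's rewrite rule would, then classify it as the next hop would."""
    return classify(rewrite(fc, plp))


def classes_that_do_not_round_trip():
    """Rewrite entries whose mark classifies into a different forwarding class downstream."""
    return [fc for (fc, plp) in REWRITE if round_trip(fc, plp)[0] != fc]


def loss_priority_mismatches():
    """Rewrite entries keyed on a loss priority the classifier never assigns to that class.

    Such an entry never fires for packets that DSCP-BA classified into the class.
    Returns (class, loss priorities the classifier assigns, loss priority in the rewrite entry).
    """
    assigned = {}
    for fc, plp in CLASSIFIER.values():
        assigned.setdefault(fc, set()).add(plp)
    return [(fc, sorted(assigned.get(fc, ())), plp)
            for (fc, plp) in REWRITE if plp not in assigned.get(fc, ())]


def dscp_name(value: int) -> str:
    """Human-readable name for a DSCP value, or its bit pattern if it has none."""
    return next((n for n, v in DSCP_VALUES.items() if v == value), f"0b{value:06b}")


if __name__ == "__main__":
    for (fc, plp), bits in REWRITE.items():
        print(f"{fc:16} {plp:5} -> {bits} ({dscp_name(int(bits, 2))}) -> {round_trip(fc, plp)}")
    print("classes that do not round-trip:", classes_that_do_not_round_trip())
    print("loss-priority mismatches:", loss_priority_mismatches())
```

The same two tables can be extended with the IPv6 classifier, which in the configuration above covers only be, af41, af42, ef and cs6, so an IPv6 packet arriving with cs7 would be handled by the default assignment rather than as Network_Control.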
2.
4.
5.
6.
Apply the scheduler to the interface to the WAN aggregation router at Aggregation
Hub 1.
[edit]
edit class-of-service interfaces ge-0/0/1
set unit 0 classifiers dscp DSCP-BA
set unit 0 classifiers dscp-ipv6 DSCP-BA
7.
Apply the scheduler and the control profile to the GRE tunnel interfaces.
[edit]
edit class-of-service interfaces gr-0/1/0
set unit 1 output-traffic-control-profile SMALL-BRANCH
set unit 11 output-traffic-control-profile SCALED-BRANCH
8.
[edit]
edit class-of-service
set tri-color
Results
After class of service is configured and committed, verify the configuration success using
the following commands:
1. (Verification output; only the Type and Index columns survived extraction: Type dscp, dscp-ipv6; Index 961.)
CHAPTER 5
Internet edge router: MX480 3D Universal Edge Router with dual Routing Engines
Overview
Topology
This section focuses on configuration of the nodes in the blue highlighted area (Figure 59 on page 133).
Figure 59 (image; only its labels survived extraction): Internet edge router (MX480); WAN Aggregation (MX80); VPN Termination (M7i); Test / Emulation; Hosted Services; Data Center; To Aggregation Hub 2; Leased Line Provider, MPLS L3 VPN, AS 555; ISP A, AS 169; interface labels ge-1/2/6, ge-0/1/1, xe-0/0/0, xe-1/0/1, ge-1/2/2, coc-1/0/1, ge-1/2/5, ge-0/0/2, ge-1/3/7, ge-1/3/2, ge-0/0/3, ge-0/0/0.
Configuring Security Based on Application Traffic on the Internet edge router on page 135
Configuring NAT and Stateful Firewall for Inbound Hosted Services Traffic on the
Internet Gateway on page 139
Configuring NAT and Stateful Firewall for Outbound Traffic on the Internet
Gateway on page 140
Configuring Routing for WAN Aggregation Services on the Internet Gateway on page 149
1.
2.
Configure the interface to the VPN termination router used for hosted services. The
VLAN on unit 1 is configured with a private IP subnet, and is used to send hosted
Web server traffic. Before traffic from a user on the Internet is sent over this interface,
destination-based NAT is applied.
[edit]
edit interfaces ge-1/2/6
set unit 1 vlan-id 2
set unit 1 family inet service input service-set NAT-Hosted-Service
set unit 1 family inet service output service-set NAT-Hosted-Service
set unit 1 family inet address 172.31.255.53/30
3.
4.
Configure the interface to the VPN termination router. The VLAN on unit 0 is
configured with the public IP address that is used to terminate IPsec tunnels on the
VPN termination router.
[edit]
edit interfaces ge-1/2/6
set vlan-tagging
set unit 0 vlan-id 1
Configure the Ethernet interface to the Internet edge router at Aggregation Hub 2.
[edit]
edit interfaces xe-0/0/0
set unit 0 family inet address 172.31.254.5/30
set unit 0 family inet6
1.
Configure the services interface used to process NAT and stateful firewalls.
Unit 0 is used in the NAT and stateful firewall service set that is applied to traffic
from the Internet to the enterprise network. This interface is placed in the
SFW-NAT-SERVICES routing instance.
Units 1 and 2 are used in the NAT and stateful firewall service set that is applied to
traffic from branches, the data center, and hosted services to the Internet.
[edit]
edit interfaces sp-3/0/0
set unit 0 family inet
set unit 1 description "--- Branch to WWW NAT service inside interface ---"
set unit 1 family inet
set unit 1 service-domain inside
set unit 2 description "--- Branch to WWW NAT service outside interface ---"
set unit 2 family inet
set unit 2 service-domain outside
2.
We are using Application Layer Gateways (ALGs) in stateful firewalls for applications
for which the return flow can be difficult to predict because the application often creates
separate connections for data and control flows or creates new protocol flows based
on an open connection.
You can customize this ALG configuration to specify traffic that you want to block or
allow through your stateful firewalls.
1.
[edit]
edit applications
set application ftp application-protocol ftp
set application ftp protocol tcp
set application ftp destination-port 21
set application tftp application-protocol tftp
set application tftp protocol udp
set application tftp destination-port 69
set application rpcportmaptcp application-protocol rpc-portmap
set application rpcportmaptcp protocol tcp
set application rpcportmaptcp destination-port 111
set application rpcportmapudp application-protocol rpc-portmap
set application rpcportmapudp protocol udp
set application rpcportmapudp destination-port 111
set application rexec application-protocol exec
set application rexec protocol tcp
set application rexec destination-port 512
set application rlogin protocol tcp
set application rlogin destination-port 513
set application rsh application-protocol shell
set application rsh protocol tcp
set application rsh destination-port 514
set application rtsp application-protocol rtsp
set application rtsp protocol tcp
set application rtsp destination-port 554
set application winframe application-protocol winframe
set application winframe protocol tcp
set application winframe destination-port 1494
set application sqlnet application-protocol sqlnet
set application sqlnet protocol tcp
set application sqlnet destination-port 1521
set application h323 application-protocol h323
set application h323 protocol tcp
set application h323 destination-port 1720
set application iiop-java application-protocol iiop
set application iiop-java protocol tcp
set application iiop-java destination-port 1975
set application iiop-orbix application-protocol iiop
set application iiop-orbix protocol tcp
set application iiop-orbix destination-port 3075
3.
Create a stateful firewall that allows accounting traffic through the firewall.
[edit]
edit services stateful-firewall rule protect-accounting
set match-direction input
set term allow-accounting-out-alg from application-sets all-alg-set
set term allow-accounting-out-alg then accept
set term allow-accounting-out-no-alg then accept
Configuring NAT and Stateful Firewall for Inbound Hosted Services Traffic on the
Internet Gateway
Step-by-Step
Procedure
Figure 60: Inbound NAT and Stateful Firewall for Hosted Services on the
Internet Gateway
This procedure configures destination NAT and the stateful firewall for external traffic
received from the Internet and sent to hosted services.
1.
2.
Create a NAT rule used to perform destination NAT. Use translation type dnat-44,
which causes the destination address to be statically translated (IPv4 to IPv4).
[edit]
edit services nat rule To-Hosted-service
set match-direction output
set term from-internet from destination-address 198.51.100.224/28
set term from-internet then translated destination-pool www-addr
set term from-internet then translated translation-type dnat-44
3.
Create an application set for the DMZ using applications that were previously
configured.
[edit]
edit applications application-set dmz-alg-set
set application icmp-all
set application ftp
set application rtsp
Create a stateful firewall that accepts application traffic that is defined in the
dmz-alg-set application set.
[edit]
edit services stateful-firewall rule internet-to-dmz
set match-direction output
set term allow-web-rtsp from application-sets dmz-alg-set
set term allow-web-rtsp then accept
5.
6.
Configure a static route to the interface on the VPN termination router that handles
hosted services (ge-0/0/0.1). After external traffic has gone through NAT, it is sent
to this route.
[edit routing-options]
set static route 172.31.254.50/32 next-hop 172.31.255.54
Results
(Statistics output; only the Reject and Errors counters survived extraction: Reject 0, 0; Errors 0, 0.)
Configuring NAT and Stateful Firewall for Outbound Traffic on the Internet
Gateway
Step-by-Step
Procedure
This procedure configures source NAT and the stateful firewall for traffic from branches,
the data center, or hosted services that is headed to the Internet.
1.
Create a pool of addresses for the enterprise block of assigned addresses. These
addresses are advertised to the Internet, and are used for source NAT.
[edit]
edit services nat pool public-pool
set address 100.64.100.0/24
set port range low 3000
set port range high 10000
2.
[edit]
edit services nat rule Branch-DC-to-Internet
set match-direction input
set term from-lan from source-address 172.16.0.0/12
set term from-lan from source-address 10.0.0.0/8
set term from-lan then translated source-pool public-pool
set term from-lan then translated translation-type napt-44
3.
Create a stateful firewall rule that allows all traffic through the firewall.
[edit]
edit services stateful-firewall rule ALLOW_ALL
set match-direction input-output
set term TERM then accept
4.
Create a stateful firewall that specifies application traffic that is allowed from the
enterprise to the Internet. Use the application set that was configured previously.
[edit]
edit services stateful-firewall rule corp-to-internet
set match-direction input
set term allow-all-alg from application-sets all-alg-set
set term allow-all-alg then accept
set term allow-non-alg then accept
5.
Create a next-hop style service set that applies the NAT rule and the stateful firewall.
[edit]
edit services service-set NAT-Branch-internet
set stateful-firewall-rules ALLOW_ALL
set stateful-firewall-rules corp-to-internet
set nat-rules Branch-DC-to-Internet
set next-hop-service inside-service-interface sp-3/0/0.1
set next-hop-service outside-service-interface sp-3/0/0.2
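To make the behaviour of this service set concrete, here is an added example (Python, written for this page, not code from the guide) that models the Branch-DC-to-Internet rule and the stateful firewall together: a packet from 172.16.0.0/12 or 10.0.0.0/8 is translated to an address from public-pool 100.64.100.0/24 with a port from the 3000 to 10000 range, the reply is matched against the session table and translated back, and an unsolicited packet from the Internet to a pool address is dropped because no session exists for it. Port allocation is sequential per pool address, which is a simplification of the real napt-44 implementation, and hosts() leaves out the network and broadcast address; sample flows are constructed.

```python
import ipaddress
from typing import Dict, Tuple

# Match criteria and pool from the Branch-DC-to-Internet rule and public-pool above.
PRIVATE_SOURCES = [ipaddress.ip_network("172.16.0.0/12"), ipaddress.ip_network("10.0.0.0/8")]
PUBLIC_POOL = ipaddress.ip_network("100.64.100.0/24")
PORT_LOW, PORT_HIGH = 3000, 10000

FlowKey = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


class NaptGateway:
    """Toy model of the next-hop service set: napt-44 on the way out, and a
    stateful firewall that only lets replies to existing sessions back in."""

    def __init__(self):
        # Simplification: allocate sequentially per pool address from the
        # configured port range; hosts() skips the network and broadcast address.
        self.pool_ips = [str(ip) for ip in PUBLIC_POOL.hosts()]
        self.next_port: Dict[str, int] = {ip: PORT_LOW for ip in self.pool_ips}
        self.sessions: Dict[FlowKey, Tuple[str, int]] = {}   # inside flow -> (public ip, port)
        self.reverse: Dict[FlowKey, Tuple[str, int]] = {}    # outside view -> (inside ip, port)

    def capacity(self) -> int:
        """Number of concurrent translations the pool can hold."""
        return len(self.pool_ips) * (PORT_HIGH - PORT_LOW + 1)

    def _allocate(self) -> Tuple[str, int]:
        for ip in self.pool_ips:
            port = self.next_port[ip]
            if port <= PORT_HIGH:
                self.next_port[ip] = port + 1
                return ip, port
        raise RuntimeError("public-pool exhausted")

    def outbound(self, proto: str, src: str, sport: int, dst: str, dport: int):
        """Inside -> Internet (match-direction input, term from-lan)."""
        if not any(ipaddress.ip_address(src) in net for net in PRIVATE_SOURCES):
            # Rule does not match: corp-to-internet still accepts, nothing is translated.
            return ("forward", src, sport)
        key = (proto, src, sport, dst, dport)
        if key not in self.sessions:
            pub_ip, pub_port = self._allocate()
            self.sessions[key] = (pub_ip, pub_port)
            self.reverse[(proto, dst, dport, pub_ip, pub_port)] = (src, sport)
        pub_ip, pub_port = self.sessions[key]
        return ("forward", pub_ip, pub_port)

    def inbound(self, proto: str, src: str, sport: int, dst: str, dport: int):
        """Internet -> inside: only packets that belong to an existing session pass;
        anything else aimed at the public pool is dropped by the stateful firewall."""
        inside = self.reverse.get((proto, src, sport, dst, dport))
        if inside is None:
            return ("drop", None, None)
        return ("forward", inside[0], inside[1])


if __name__ == "__main__":
    gw = NaptGateway()
    print("pool capacity:", gw.capacity())
    # Constructed flows in the style of the session table shown in the Results step.
    print("out:", gw.outbound("tcp", "10.2.35.4", 50044, "140.1.41.1", 80))
    print("reply:", gw.inbound("tcp", "140.1.41.1", 80, "100.64.100.1", 3000))
    print("unsolicited:", gw.inbound("tcp", "140.1.41.1", 80, "100.64.100.1", 3002))
```

The capacity figure (254 addresses times 7001 ports) is the budget that session timeouts have to keep the router inside; a burst of short-lived sessions from a scanning host behind the NAT consumes it in the same way legitimate traffic does, which is why the session table in the Results step is worth watching per inside source.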
6.
Results
(Flow-table output for the NAT service set; the columns did not survive extraction. Recoverable content: protocol column values UDP and TCP; frame counts 10024, 6, 0, 5, 10166, 25 and 1; every flow in state Forward; NAT source translations from inside addresses 10.2.35.4:50044, 10.2.25.1:50041, 10.2.25.2:50042, 10.2.6.2:50052, 10.2.41.7:50007, 10.2.35.7:50047, 10.4.32.1:28362, 172.28.43.1:4502, 172.28.18.1:4771 and 172.28.2.1:45326 to public-pool addresses 100.64.100.73, 100.64.100.232 and 100.64.100.237 on ports between 3566 and 9653; one NAT dest entry for return traffic from 140.1.7.1:63 to 100.64.100.73:7526; remote endpoints 140.1.x.1 on ports 25, 63, 80 and 143.)
1.
1.
2.
Configure a policy condition for use in BGP export policies. This policy condition is
based on the existence of 172.31.254.8/30 routes in the SFW-NAT-SERVICES.inet.0
routing table.
[edit]
edit policy-options condition LINK-to-WANAGG
set if-route-exists 172.31.254.8/30
set if-route-exists table SFW-NAT-SERVICES.inet.0
3.
Configure a policy that matches the static route for 100.64.100.0/24 (the block used for source NAT) when the condition above is met.
[edit]
edit policy-options policy-statement ADV-NAT-BLOCK
set term nat from protocol static
set term nat from route-filter 100.64.100.0/24 exact
set term nat from condition LINK-to-WANAGG
set term nat then accept
Configure a policy that is used to reject routes from the Aggregation Hub 2 block of
addresses (192.0.2.0/24).
[edit]
edit policy-options policy-statement BLOCK_TO-HEAD-END2_BLOCK
set term 1 from route-filter 192.0.2.0/24 exact
set term 1 then reject
5.
[edit routing-options]
set aggregate route 198.51.100.0/24
b. Configure a policy that is used to advertise the block of addresses used for source
7.
Configure a prefix list and a routing policy that are used to prevent martian routes
from being installed into the routing table.
[edit]
edit policy-options prefix-list RFC1918
set 10.0.0.0/8
set 172.16.0.0/12
set 175.16.0.0/12
set 192.168.0.0/16
[edit]
edit policy-options policy-statement MARTIANS
set term 1 from prefix-list-filter RFC1918 orlonger
set term 1 then reject
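A prefix list named RFC1918 is easy to get subtly wrong, and the MARTIANS policy rejects everything equal to or more specific than each entry, so a stray public block in the list silently discards legitimate routes. The following added example (Python, written for this page, not code from the guide) audits a prefix list against the three RFC 1918 blocks and emulates the orlonger match. Run against a copy of the entries configured above, it reports 175.16.0.0/12, which lies outside RFC 1918, and confirms the three private blocks are all covered.

```python
import ipaddress
from typing import List, Tuple

# RFC 1918 private address space, the blocks a prefix list named RFC1918 should hold.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Copy of the prefix-list entries as they appear in the configuration above.
CONFIGURED_RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "175.16.0.0/12", "192.168.0.0/16"]


def audit_prefix_list(entries: List[str]) -> Tuple[List[str], List[str]]:
    """Return (not_private, uncovered).

    not_private: configured entries that are not inside any RFC 1918 block, i.e.
                 public space that the MARTIANS policy would reject as well.
    uncovered:   RFC 1918 blocks that no configured entry covers.
    """
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    not_private = [str(n) for n in nets if not any(n.subnet_of(r) for r in RFC1918)]
    uncovered = [str(r) for r in RFC1918 if not any(r.subnet_of(n) for n in nets)]
    return not_private, uncovered


def rejected_by_martians(prefix: str, entries: List[str] = CONFIGURED_RFC1918) -> bool:
    """Emulate 'from prefix-list-filter RFC1918 orlonger ... then reject': a route is
    rejected when its prefix equals or is more specific than any list entry."""
    p = ipaddress.ip_network(prefix, strict=False)
    return any(p.subnet_of(ipaddress.ip_network(e, strict=False)) for e in entries)


if __name__ == "__main__":
    not_private, uncovered = audit_prefix_list(CONFIGURED_RFC1918)
    print("entries outside RFC 1918:", not_private)
    print("RFC 1918 blocks not covered:", uncovered)
    for route in ("10.2.35.0/24", "175.20.1.0/24", "100.64.100.0/24", "0.0.0.0/0"):
        print(f"{route:18} rejected={rejected_by_martians(route)}")
```

The same audit generalises to a fuller bogon list (loopback, link-local, multicast, the documentation ranges) by extending the reference table; the page's policy covers RFC 1918 only, so that is what the example checks.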
8.
Configure a next-hop self policy for IPv4 traffic, which causes the loopback address
of the Internet edge router to be advertised as the next-hop address for BGP traffic.
[edit]
edit policy-options policy-statement NHS
set term 1 from protocol bgp
set term 1 then next-hop self
set term 1 then accept
Configure a next-hop self policy for IPv6 traffic, which causes the loopback address
of the Internet edge router to be advertised as the next-hop address for BGP traffic.
[edit]
edit policy-options policy-statement NHS6
set term 1 from family inet6
set term 1 from protocol bgp
set term 1 then next-hop self
set term 1 then accept
10.
Configure a policy that is used to set the local route preference to 200.
[edit]
edit policy-options policy-statement SET_LOCAL_PREF
set then local-preference 200
set then accept
1.
2.
3.
Create an IBGP peer group to the Internet edge router at Aggregation Hub 2.
The ADV-NAT-BLOCK export policy sends routes that are currently being advertised
on Hub 1 to Hub 2. If Hub 1 goes down, Hub 2 has the current block of addresses that
are being advertised on the Internet edge.
The DENY_ALL export policy prevents all other routes from being advertised.
[edit]
edit protocols bgp group TO-HEAD-END2
set type internal
set export ADV-NAT-BLOCK
set export DENY_ALL
set peer-as 2222
set neighbor 172.31.254.6 authentication-key "$9$fQ3/uOIreMVwqP5Q6/lev"
Results
Verify BGP peering to the Internet service provider gateway (191.15.100.1) and to the
Internet edge router at Aggregation Hub 2 (172.31.254.6).
user@iedge1> show bgp summary
Groups: 2 Peers: 2 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0                 2          1          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
172.31.254.6           2222       6007       6585       0       1   2d 1:32:53 0/1/1/0              0/0/0/0
198.51.100.1            169       6599       6602       0       0   2d 1:39:58 1/1/1/0              0/0/0/0

2. (Step text did not survive extraction; the following summary lines are what remains of its output.)
Peers: 2        External: 1     Internal: 1     Down peers: 0   Flaps: 1
  inet.0                : 1/2/2/0 External: 1/1/1/0 Internal: 0/1/1/0
  SFW-NAT-SERVICES.mdt.0: 0/0/0/0 External: 0/0/0/0 Internal: 0/0/0/0
3. Verify that routes are being received from and advertised to the Internet service
provider.
user@iedge1> show route receive-protocol bgp 198.51.100.1

inet.0: 20 destinations, 21 routes (20 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 0.0.0.0/0               198.51.100.1                            169 I

SFW-NAT-SERVICES.inet.0: 6204 destinations, 6204 routes (6204 active, 0 holddown, 0 hidden)
4. Verify that routes are being received from and advertised to the Internet edge router at Aggregation Hub 2.
user@iedge1> show route receive-protocol bgp 172.31.254.6

inet.0: 20 destinations, 21 routes (20 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
  0.0.0.0/0               172.31.254.6                 200        269 I

SFW-NAT-SERVICES.inet.0: 6204 destinations, 6204 routes (6204 active, 0 holddown, 0 hidden)

inet6.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)

SFW-NAT-SERVICES.inet6.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)

user@iedge1> show route advertising-protocol bgp 172.31.254.6

inet.0: 20 destinations, 21 routes (20 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 100.64.100.0/24         Self                         100        I
5. Verify that the inet.0 routing table is showing proper routes.
user@iedge1> show route table inet.0

inet.0: 20 destinations, 21 routes (20 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

(Only the destination prefixes survived extraction; the route entries did not.)
0.0.0.0/0
10.205.0.0/16
10.209.0.0/16
10.212.0.0/16
10.216.32.0/20
10.216.36.214/32
172.17.0.0/16
This routing instance is used to route traffic to the Internet. NAT and stateful firewall is
applied to this traffic.
1.
Create the routing instance, add the services interface that is used for NAT, and
then add the interface to the WAN aggregation router, and add the loopback
interface.
[edit]
edit routing-instances SFW-NAT-SERVICES
set instance-type virtual-router
set interface xe-1/0/1.0
set interface sp-3/0/0.1
2.
3.
4.
Create a backbone area, and add the Ethernet interface to the WAN aggregation
router.
MD5 authentication uses an encoded MD5 checksum that is included in the
transmitted packet. Both the receiving and transmitting routing devices must have
the same MD5 key. You define an MD5 key for each interface. If MD5 is enabled on
an interface, that interface accepts routing updates only if MD5 authentication
succeeds. Otherwise, updates are rejected. The routing device accepts only OSPFv2
packets sent using the same key ID that is defined for that interface.
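The MD5 mechanism just described, as an added example in Python (written for this page, not code from the guide or from Junos): the sender fills the OSPFv2 authentication field with the key ID, digest length and cryptographic sequence number, appends the shared key (zero-padded to 16 bytes) to the packet, computes MD5 over the result and sends the digest in place of the key, as specified in RFC 2328 Appendix D. The receiver looks up the key by ID, recomputes the digest, compares it in constant time and rejects a sequence number lower than the last one accepted. The Hello packet, router ID 172.31.255.1 and the key bytes are constructed placeholders; key ID 0 mirrors the "md5 0 key" form used above, and the configured secret is not reproduced.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple

AU_TYPE_CRYPTO = 2   # OSPFv2 AuType for cryptographic authentication (RFC 2328 Appendix D)
DIGEST_LEN = 16


def ospf_header(pkt_type: int, length: int, router_id: str, area_id: str) -> bytes:
    """24-byte OSPFv2 header with a zero checksum (unused with AuType 2) and a blank auth field."""
    return struct.pack("!BBH4s4sHH8s", 2, pkt_type, length,
                       bytes(int(o) for o in router_id.split(".")),
                       bytes(int(o) for o in area_id.split(".")),
                       0, AU_TYPE_CRYPTO, b"\x00" * 8)


def md5_sign(packet: bytes, key_id: int, seq: int, key: bytes) -> bytes:
    """Sender side: fill the auth field, then append MD5(packet || key zero-padded to 16 bytes)."""
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPFv2 MD5 keys are at most 16 bytes")
    auth_field = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    packet = packet[:16] + auth_field + packet[24:]
    digest = hashlib.md5(packet + key.ljust(DIGEST_LEN, b"\x00")).digest()
    return packet + digest


def md5_verify(frame: bytes, keys: Dict[int, bytes], last_seq: int) -> Tuple[bool, str]:
    """Receiver side: look up the key by ID, recompute the digest, and enforce the
    non-decreasing cryptographic sequence number. Returns (accepted, reason)."""
    if len(frame) < 24 + DIGEST_LEN:
        return False, "truncated"
    packet, digest = frame[:-DIGEST_LEN], frame[-DIGEST_LEN:]
    _, key_id, auth_len, seq = struct.unpack("!HBBI", packet[16:24])
    key = keys.get(key_id)
    if key is None:
        return False, f"unknown key id {key_id}"
    if auth_len != DIGEST_LEN:
        return False, "bad auth data length"
    expected = hashlib.md5(packet + key.ljust(DIGEST_LEN, b"\x00")).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "digest mismatch"
    if seq < last_seq:
        return False, "sequence number went backwards (replay?)"
    return True, "ok"


# Constructed Hello packet: placeholder router ID, area 0.0.0.0, 20-byte Hello body
# (network mask, hello interval, options, priority, dead interval, DR, BDR).
HELLO_BODY = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 252]), 10, 0, 1, 40,
                         b"\x00" * 4, b"\x00" * 4)
HELLO = ospf_header(1, 24 + len(HELLO_BODY), "172.31.255.1", "0.0.0.0") + HELLO_BODY
KEY_ID = 0                   # mirrors the 'md5 0 key ...' form used in the configuration
KEY = b"placeholder-key"     # placeholder, not the configured secret

if __name__ == "__main__":
    frame = md5_sign(HELLO, KEY_ID, 100, KEY)
    print("same key:", md5_verify(frame, {KEY_ID: KEY}, 99))
    print("other key:", md5_verify(frame, {KEY_ID: b"another-key"}, 99))
    print("replayed:", md5_verify(frame, {KEY_ID: KEY}, 101))
```

Because the digest covers the whole packet including the sequence number, a neighbour without the key can neither forge an update nor alter one in transit, and a replayed packet is caught by the sequence check; the key ID is what allows a second key to be configured during rollover without a gap.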
[edit]
edit routing-instances SFW-NAT-SERVICES protocols ospf area 0.0.0.0
set interface xe-1/0/1.0 interface-type p2p
set interface xe-1/0/1.0 authentication md5 0 key
"$9$n/Wd9t0Ecr8XN4aQ369u0LX7"
5.
Step-by-Step
Procedure
After WAN aggregation routing is configured and committed, use the following commands to verify that the configuration was successful.
1.
2. (OSPF neighbor output; only the "Pri Dead" column header and a priority of 128 survived extraction.)
Verify routes in the SFW-NAT-SERVICES routing table. The routing table includes
routes that are advertised by the data center and the branches.
user@iedge1> show route table SFW-NAT-SERVICES.inet.0

SFW-NAT-SERVICES.inet.0: 6204 destinations, 6204 routes (6204 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 2d 03:13:25
                    > via sp-3/0/0.1
2.2.0.0/30         *[OSPF/150] 1d 22:16:42, metric 21, tag 100
                    > to 172.31.254.10 via xe-1/0/1.0
10.15.0.0/28       *[OSPF/150] 2d 03:00:34, metric 21, tag 100
                    > to 172.31.254.10 via xe-1/0/1.0
10.15.0.16/28      *[OSPF/150] 2d 02:59:53, metric 21, tag 100
                    > to 172.31.254.10 via xe-1/0/1.0
10.15.0.32/28      *[OSPF/150] 2d 02:59:47, metric 21, tag 100
                    > to 172.31.254.10 via xe-1/0/1.0
10.15.0.48/28      *[OSPF/150] 2d 02:59:42, metric 21, tag 100
                    > to 172.31.254.10 via xe-1/0/1.0
10.15.0.64/28      *[OSPF/150] 2d 02:59:25, metric 21, tag 100
                    > to 172.31.254.10 via xe-1/0/1.0
10.15.0.80/28      *[OSPF/150] 2d 02:59:07, metric 21, tag 100
                    > to 172.31.254.10 via xe-1/0/1.0
10.15.0.96/28      *[OSPF/150] 2d 02:58:41, metric 21, tag 100
                    > to 172.31.254.10 via xe-1/0/1.0
10.15.0.112/28     *[OSPF/150] 2d 02:58:23, metric 21, tag 100
3. Verify BFD.
user@iedge1> show bfd session
                                                  Detect   Transmit
Address                  State     Interface      Time     Interval  Multiplier
172.31.254.10            Up        xe-1/0/1.0     1.500    0.500

1 sessions, 1 clients
Cumulative transmit rate 2.0 pps, cumulative receive rate 2.0 pps
1. a. Enable graceful Routing Engine switchover.
[edit]
edit chassis redundancy
set graceful-switchover
b. Enable nonstop routing.
[edit]
edit routing-options
set nonstop-routing
CoS is used on the Internet edge to separate Internet-connected branch traffic on IPsec
tunnels from public Internet traffic.
1. Assign forwarding classes for the branches, the Internet, and network control traffic to transmission queues.
[edit]
edit class-of-service forwarding-classes
set queue 4 BRANCH
set queue 0 INTERNET
set queue 7 Network_Control
4. Modify the queue assignment and DSCP code point for network control (host) traffic that is generated by the Routing Engine and sent to the Packet Forwarding Engine. This configuration does not affect transit traffic.
[edit]
edit class-of-service host-outbound-traffic
set forwarding-class Network_Control
set dscp-code-point cs7
5. Configure a traffic control profile for traffic to the Internet service provider.
[edit]
edit class-of-service traffic-control-profiles TO-ISP1
set scheduler-map ISP-LINK-SCHEDULER
set shaping-rate 800m
7. Apply CoS to the services interface for traffic sent to the Internet.
[edit]
edit class-of-service interfaces sp-3/0/0
set unit 2 forwarding-class INTERNET
Results
(Only part of the queue-counter output survived; the queue 0 label is taken from the forwarding-class configuration above, and the dropped-packet column did not survive extraction.)
  Queue counters:            Queued packets  Transmitted packets
    0 INTERNET                   2150324114           2150324114
    1 expedited-forwarding                0                    0
    2 assured-forwarding                  0                    0
    3 network-control                     0                    0
    4 BRANCH                    10654624152          10654624152
    7 Network_Control                  6930                 6930
  Queue number:         Mapped forwarding classes
    0                   INTERNET
    1                   expedited-forwarding
    2                   assured-forwarding
    3                   network-control
    4                   BRANCH
    7                   Network_Control
  Active alarms  : None
  Active defects : None
  MAC statistics:                      Receive         Transmit
    Total octets                 4229139655321    4220500361901
    Total packets                  12356221175      12804839382
    Unicast packets                12356221135      12804839353
    Broadcast packets                       40               37
    Multicast packets                        0                0
    CRC/Align errors                         0                0
    FIFO errors                              0                0
    MAC control frames                       0                0
    MAC pause frames                         0                0
    Oversized frames                         0
    Jabber frames                            0
    Fragment frames                          0
    VLAN tagged frames                       0
    Code violations                          0
    Total errors                             0                0
  Filter statistics:
    Input packet count             12355818357
    Input packet rejects                     0
    Input DA rejects                         0
    Input SA rejects                         0
    Output packet count            12804425207
    Output packet pad count                  0
    Output packet error count                0
    CAM destination filters: 0, CAM source filters: 0
  Autonegotiation information:
    Negotiation status: Complete
    Link partner:
      Link mode: Full-duplex, Flow control: Symmetric/Asymmetric, Remote fault: OK
    Local resolution:
      Flow control: Symmetric, Remote fault: Link OK
  Packet Forwarding Engine configuration:
    Destination slot: 0 (0x00)
  CoS information:
    Direction : Output
    CoS transmit queue        Bandwidth              Buffer   Priority      Limit
                          %          bps      %   usec
    0 INTERNET           20    160000000      r      0   low           none
    4 BRANCH             79    632000000      r      0   high          none
    7 Network_Control     1      8000000      r      0   strict-high   exact
  Interface transmit statistics: Disabled

  Logical interface ge-1/2/5.0 (Index 346) (SNMP ifIndex 6631) (Generation 159)
    Flags: SNMP-Traps 0x4004000 Encapsulation: ENET2
    Statistics account overhead :
      Ingress account overhead : 18 bytes
      Egress account overhead  : 18 bytes
    Traffic statistics:
     Input  bytes  :        4229151344160
     Output bytes  :        4220510866189
     Input  packets:          12356255054
     Output packets:          12804873648
    Local statistics:
     Input  bytes  :               394289
     Output bytes  :               656703
     Input  packets:                 6203
     Output packets:                 6930
    Transit statistics:
     Input  bytes  :        4229150949871            561619168 bps
     Output bytes  :        4220510209486            546579856 bps
     Input  packets:          12356248851               202845 pps
     Output packets:          12804866718               208178 pps
    Protocol inet, MTU: 1500, Generation: 195, Route table: 0
      Flags: Sendbcast-pkt-to-re, User-MTU
      Input Filters: ipv4_sample
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 198.51.100.0/30, Local: 198.51.100.2, Broadcast: 198.51.100.3, Generation: 151
    Protocol multiservice, MTU: Unlimited, Generation: 196, Route table: 0
      Policer: Input: __default_arp_policer__
2. Verify the separation of Internet traffic and branch traffic into different queues on
     Medium-high          :                     0
     High                 :                     0
    RED-dropped bytes     :                     0
     Low                  :                     0
     Medium-low           :                     0
     Medium-high          :                     0
     High                 :                     0
Queue: 2, Forwarding classes: assured-forwarding
  Queued:
    Packets              :                     0
    Bytes                :                     0
  Transmitted:
    Packets              :                     0
    Bytes                :                     0
    Tail-dropped packets :                     0
    RED-dropped packets  :                     0
     Low                 :                     0
     Medium-low          :                     0
     Medium-high         :                     0
     High                :                     0
    RED-dropped bytes    :                     0
     Low                 :                     0
     Medium-low          :                     0
     Medium-high         :                     0
     High                :                     0
Queue: 3, Forwarding classes: network-control
  Queued:
    Packets              :                     0
    Bytes                :                     0
  Transmitted:
    Packets              :                     0
    Bytes                :                     0
    Tail-dropped packets :                     0
    RED-dropped packets  :                     0
     Low                 :                     0
     Medium-low          :                     0
     Medium-high         :                     0
     High                :                     0
    RED-dropped bytes    :                     0
     Low                 :                     0
     Medium-low          :                     0
     Medium-high         :                     0
     High                :                     0
     Medium-high          :                     0
     High                 :                     0
Queue: 7, Forwarding classes: Network_Control
  Queued:
    Packets              :                  6932
    Bytes                :                823262
  Transmitted:
    Packets              :                  6932
    Bytes                :                823262
    Tail-dropped packets :                     0
    RED-dropped packets  :                     0
     Low                 :                     0
     Medium-low          :                     0
     Medium-high         :                     0
     High                :                     0
    RED-dropped bytes    :                     0
     Low                 :                     0
     Medium-low          :                     0
     Medium-high         :                     0
     High                :                     0
CHAPTER 6
MX480 3D Universal Edge Router with the following MICs and PICs:
Overview
The backup aggregation hub features an MX480 configured with virtual routing instances for each of the WAN aggregation hub functional roles. The topology of Aggregation Hub 2 is shown in Figure 64 on page 160.
Topology
This section focuses on configuration of the nodes in the blue highlighted area
(Figure 64 on page 160).
To configure high availability at the hardware level of Aggregation Hub 2, use the following
commands:
1. a. Enable graceful Routing Engine switchover.
[edit]
edit chassis redundancy
set graceful-switchover
b. Enable nonstop routing.
[edit]
edit routing-options
set nonstop-routing
To configure per-packet load balancing at the hardware level on Aggregation Hub 2, use the following commands:
2. Apply the policy configured to routes exported from the routing table to the forwarding table.
[edit]
edit routing-options
set forwarding-table export PPLB
Configuring the Static Routes on the WAN Aggregation Role on page 162
Configuring BGP Routing Policies on the WAN Aggregation Role on page 164
Configuring Fully-Meshed IBGP Peer Groups on the WAN Aggregation Router on page 165
Configuring the OSPF Backbone on the WAN Aggregation Role on page 167
Configuring Multicast for the WAN Aggregation Role at Aggregation Hub 2 on page 169
1. Configure a routing policy that is used to advertise default static IPv4 routes, including routes received from OSPF.
[edit]
edit policy-options policy-statement ADV_DEFAULT
set term 1 from family inet
set term 1 from protocol ospf
set term 1 from protocol static
set term 1 from route-filter 0.0.0.0/0 exact
set term 1 then next-hop self
set term 1 then accept
set term default then reject
2. Configure a routing policy that is used to advertise default static IPv6 routes.
[edit]
edit policy-options policy-statement ADV_DEFAULT6
set term 1 from protocol static
set term 1 from route-filter ::/0 exact
set term 1 then accept
set term default then reject
3. Configure a next-hop self routing policy for IPv4 traffic that causes the loopback address to be advertised as the next hop for BGP traffic.
[edit]
edit policy-options policy-statement NHS
set term 1 from protocol bgp
set term 1 then next-hop self
4. Configure a next-hop self routing policy for IPv6 traffic that causes the loopback address to be advertised as the next hop for BGP traffic.
[edit]
edit policy-options policy-statement NHS6
set term 1 from family inet6
set term 1 from protocol bgp
set term 1 then next-hop self
At the aggregation hubs, we have a full IBGP mesh with the WAN aggregation routers
and the WAN-GRE virtual routers on Aggregation Hub 1 and Aggregation Hub 2.
2. The NHS export policy causes the router to advertise the address of the loopback interface as the next hop. The ADV_DEFAULT export policy causes the default static route to be advertised.
[edit]
edit protocols bgp group IBGP-MESH
set type internal
set local-address 172.31.255.5
set family inet unicast
set export NHS
set bfd-liveness-detection minimum-interval 500
set bfd-liveness-detection multiplier 3
set neighbor 172.31.255.2 authentication-key "$9$63fICpOhSlLx-oJzn/C0OXxN"
set neighbor 172.31.255.3 authentication-key "$9$jxkm5n/A1Rc8XZDikf5IRh"
set neighbor 172.31.255.6 authentication-key "$9$t1cD01ElKW-VsUj/Ap0REdVw"
3.
(2001:DB8:255::3).
(2001:DB8:255::6).
The NHS export policy causes the router to advertise the address of the loopback
interface as the next hop.
[edit]
edit protocols bgp group IBGP-MESH-v6
Results
1. Configure routing policies that export BGP routes into OSPF. These policies advertise all BGP routes except the default route 0.0.0.0/0.
a. Configure a policy for IPv4.
[edit]
edit policy-options policy-statement BGP2OSPF
set term 0 from route-filter 0.0.0.0/0 exact
set term 0 then reject
set term 1 from protocol bgp
set term 1 then metric 20
set term 1 then tag 100
set term 1 then external type 1
set term 1 then accept
b. Configure a policy for IPv6.
[edit]
edit policy-options policy-statement BGP2OSPF-V6
set term 0 from family inet6
set term 0 from route-filter ::/0 exact
set term 0 then reject
set term 1 from family inet6
set term 1 from protocol bgp
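How Junos evaluates the policy statements configured above (ADV_DEFAULT and NHS for BGP export, BGP2OSPF for OSPF export), as an added Python model that is not Junos code and not part of this guide: terms are tried in order, every from condition in a term must hold (two values of one condition, such as protocol ospf and protocol static, are alternatives), and a term with no accept or reject, like NHS, changes attributes and falls through to the protocol's default action. The local address 172.31.255.5 is the IBGP local-address on this page; the sample routes are constructed, and the orlonger match type goes beyond the exact filters the page uses.

```python
import ipaddress

LOCAL_ADDRESS = "172.31.255.5"   # IBGP local-address on this page; next-hop self resolves to it


def term(name, frm, then):
    """One policy term: 'frm' is {condition: set of alternatives}, 'then' a list of actions."""
    return {"name": name, "from": frm, "then": then}


ADV_DEFAULT = [
    term("1", {"family": {"inet"}, "protocol": {"ospf", "static"},
               "route-filter": {("0.0.0.0/0", "exact")}},
         [("next-hop", "self"), ("accept",)]),
    term("default", {}, [("reject",)]),
]
NHS = [term("1", {"protocol": {"bgp"}}, [("next-hop", "self")])]   # no accept/reject
BGP2OSPF = [
    term("0", {"route-filter": {("0.0.0.0/0", "exact")}}, [("reject",)]),
    term("1", {"protocol": {"bgp"}},
         [("metric", 20), ("tag", 100), ("external", 1), ("accept",)]),
]


def route_filter_match(prefix, pattern, kind):
    net, want = ipaddress.ip_network(prefix), ipaddress.ip_network(pattern)
    if net.version != want.version:
        return False
    if kind == "exact":
        return net == want
    if kind == "orlonger":           # generalisation beyond the page's 'exact' filters
        return net.subnet_of(want)
    raise ValueError("unsupported match type %s" % kind)


def term_matches(frm, route):
    """All conditions must hold; within one condition any listed value suffices."""
    for cond, values in frm.items():
        if cond == "route-filter":
            if not any(route_filter_match(route["prefix"], p, k) for p, k in values):
                return False
        elif route[cond] not in values:
            return False
    return True


def evaluate(policy, route, default_action):
    """Return (action, terminating term or None, route as modified by the policy)."""
    route = dict(route)
    for t in policy:
        if not term_matches(t["from"], route):
            continue
        for action in t["then"]:
            if action[0] in ("accept", "reject"):
                return action[0], t["name"], route
            if action == ("next-hop", "self"):
                route["next_hop"] = LOCAL_ADDRESS
            elif action[0] in ("metric", "tag"):
                route[action[0]] = action[1]
            elif action[0] == "external":
                route["external_type"] = action[1]
        # no terminating action: the attribute changes stick and evaluation continues
    return default_action, None, route


def demo():
    """Constructed routes run through the page's policies with the protocol default
    actions: BGP export accepts BGP routes, OSPF export rejects non-OSPF routes."""
    base = {"prefix": "0.0.0.0/0", "family": "inet", "protocol": "static",
            "next_hop": "172.31.254.21", "metric": 0, "tag": 0, "external_type": 2}
    ospf_branch = dict(base, prefix="10.15.0.0/28", protocol="ospf")
    bgp_dc = dict(base, prefix="10.209.0.0/16", protocol="bgp", next_hop="172.31.255.2")
    bgp_default = dict(bgp_dc, prefix="0.0.0.0/0")
    return {
        "adv_default_static": evaluate(ADV_DEFAULT, base, "accept"),
        "adv_default_ospf_branch": evaluate(ADV_DEFAULT, ospf_branch, "accept"),
        "nhs_bgp": evaluate(NHS, bgp_dc, "accept"),
        "bgp2ospf_default": evaluate(BGP2OSPF, bgp_default, "reject"),
        "bgp2ospf_dc": evaluate(BGP2OSPF, bgp_dc, "reject"),
    }
```

The bgp2ospf_dc result carries metric 20, tag 100 and external type 1, which is why the OSPF external routes shown earlier in the SFW-NAT-SERVICES table appear with tag 100.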
A preference of 175 gives BGP routes, which have a default preference of 170, precedence in the routing table over OSPF external routes.
[edit]
edit protocols ospf
set external-preference 175
b. Add the BGP2OSPF export policy, which exports BGP routes to OSPF.
[edit]
edit protocols ospf
set export BGP2OSPF
c. Create a backbone area, and add the loopback interface (lo0.2), the interface
A preference of 175 gives BGP routes, which have a default preference of 170, precedence in the routing table over OSPF external routes.
[edit]
edit protocols ospf3
set external-preference 175
b. Add the BGP2OSPF export policy, which exports BGP routes to OSPF.
[edit]
Results
OSPF neighbor output (the Address and Interface columns did not survive extraction):
State   ID              Pri   Dead
Full    172.31.255.2    128     37
Full    172.31.255.6    128     39
Full    172.31.255.8    128     35

A second neighbor table survived only as its Pri and Dead columns: 128/30, 128/30, 128/37.
For multicast at the aggregation hubs, we are using static rendezvous points (RPs) with
an anycast RP cluster. Loopback interfaces on the WAN aggregation routers are used as
the static rendezvous points. The WAN aggregation router on Aggregation Hub 1 is the
primary RP, and the WAN aggregation role on Aggregation Hub 2 is the secondary RP.
We are using MSDP to connect the two multicast routing domains.
2. Configure the local address of the rendezvous point, which is the address of the lo0.2 interface. Configure the static RP. The local address is the address of the rendezvous point, which is the address of the lo0.0 interface.
[edit]
edit protocols pim
set rp static address 172.31.255.15
4. Configure MSDP.
[edit]
edit protocols msdp
set peer 172.31.255.2 local-address 172.31.255.5
Results

PIM neighbor output (the Interface column did not survive extraction):
Neighbor addr    V  Mode   Option   Uptime
172.31.254.41    2         HPLGT    1d 05:56:51
172.31.254.37    2         HPLGT    1d 06:03:11
172.31.254.22    2         HPLGT    1d 06:03:21
172.31.242.10    2         HPLGT    1d 06:03:23

MSDP peer output (the peer and local address columns did not survive extraction):
State         Last up/down   Peer-Group   SA Count
Established   1d 01:00:37                 0/0
1. Configure classifiers.
a. Configure the DSCP behavior aggregate (BA) classifier for IPv4.
[edit]
edit class-of-service classifiers dscp DSCP-BA
set forwarding-class Best_Effort loss-priority high code-points be
set forwarding-class Video loss-priority low code-points af41
set forwarding-class Video loss-priority low code-points af42
set forwarding-class Voice loss-priority low code-points ef
set forwarding-class Network_Control loss-priority low code-points cs6
set forwarding-class Network_Control loss-priority low code-points cs7
set forwarding-class Scavenger loss-priority low code-points cs1
set forwarding-class Bulk_Data loss-priority high code-points af11
set forwarding-class Bulk_Data loss-priority high code-points af12
set forwarding-class Critical_Data loss-priority low code-points af21
set forwarding-class Critical_Data loss-priority low code-points af22
b. Configure the DSCP BA classifier for IPv6.
[edit]
edit class-of-service classifiers dscp-ipv6 DSCP-BA
set forwarding-class Best_Effort loss-priority high code-points be
set forwarding-class Video loss-priority low code-points af41
set forwarding-class Video loss-priority low code-points af42
set forwarding-class Voice loss-priority low code-points ef
set forwarding-class Network_Control loss-priority low code-points cs6
set forwarding-class Network_Control loss-priority low code-points cs7
set forwarding-class Scavenger loss-priority low code-points cs1
set forwarding-class Bulk_Data loss-priority high code-points af11
set forwarding-class Bulk_Data loss-priority high code-points af12
set forwarding-class Critical_Data loss-priority low code-points af21
set forwarding-class Critical_Data loss-priority low code-points af22
c. Assign the forwarding classes to transmission queues.
[edit]
edit class-of-service forwarding-classes
d. Create rewrite rules for IPv4 traffic.
[edit]
edit class-of-service rewrite-rules dscp DEF_DSCP_REWRITE
set forwarding-class Voice loss-priority low code-point 101110
set forwarding-class Video loss-priority low code-point 100010
set forwarding-class Network_Control loss-priority low code-point 111000
set forwarding-class Critical_Data loss-priority low code-point 010010
set forwarding-class Bulk_Data loss-priority high code-point 001010
set forwarding-class Best_Effort loss-priority high code-point 000000
set forwarding-class Scavenger loss-priority high code-point 001000
e. Create rewrite rules for IPv6 traffic.
[edit]
edit class-of-service rewrite-rules dscp-ipv6 DEF_DSCP_REWRITE
set forwarding-class Voice loss-priority low code-point 101110
set forwarding-class Video loss-priority low code-point 100010
set forwarding-class Network_Control loss-priority low code-point 111000
set forwarding-class Critical_Data loss-priority low code-point 010010
set forwarding-class Bulk_Data loss-priority high code-point 001010
set forwarding-class Best_Effort loss-priority high code-point 000000
set forwarding-class Scavenger loss-priority high code-point 001000
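The classifier and rewrite rules configured above, as an added Python model that is not Junos code and not part of this guide: a constructed IPv4 header is classified on ingress by its DSCP with DSCP-BA and re-marked on egress with DEF_DSCP_REWRITE. Two behaviours are assumptions labelled in the code: a code point the classifier does not list falls back to Best_Effort at low loss priority, and a forwarding class/loss priority pair without a rewrite entry leaves the code point as received.

```python
import ipaddress
import struct

# DSCP names used by the classifier, as 6-bit values (RFC 2474/2597/3246)
DSCP = {"be": 0b000000, "cs1": 0b001000, "af11": 0b001010, "af12": 0b001100,
        "af21": 0b010010, "af22": 0b010100, "cs3": 0b011000, "af41": 0b100010,
        "af42": 0b100100, "ef": 0b101110, "cs6": 0b110000, "cs7": 0b111000}
NAME_BY_VALUE = {v: k for k, v in DSCP.items()}

# classifier dscp DSCP-BA: code point -> (forwarding class, loss priority)
CLASSIFIER_DSCP_BA = {
    "be": ("Best_Effort", "high"),
    "af41": ("Video", "low"), "af42": ("Video", "low"),
    "ef": ("Voice", "low"),
    "cs6": ("Network_Control", "low"), "cs7": ("Network_Control", "low"),
    "cs1": ("Scavenger", "low"),
    "af11": ("Bulk_Data", "high"), "af12": ("Bulk_Data", "high"),
    "af21": ("Critical_Data", "low"), "af22": ("Critical_Data", "low"),
}
# rewrite-rules dscp DEF_DSCP_REWRITE: (forwarding class, loss priority) -> code point
DEF_DSCP_REWRITE = {
    ("Voice", "low"): 0b101110, ("Video", "low"): 0b100010,
    ("Network_Control", "low"): 0b111000, ("Critical_Data", "low"): 0b010010,
    ("Bulk_Data", "high"): 0b001010, ("Best_Effort", "high"): 0b000000,
    ("Scavenger", "high"): 0b001000,
}
# Assumption: a code point the classifier does not list lands in Best_Effort, low PLP
CLASSIFIER_FALLBACK = ("Best_Effort", "low")


def ipv4_checksum(hdr):
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(dscp, src, dst):
    """Constructed minimal 20-byte IPv4 header carrying the given DSCP (ECN bits 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 17, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def classify(hdr):
    """Ingress BA classification: only the six DSCP bits are consulted, so apply the
    classifier only on interfaces whose markings are trusted; anything marked cs6/cs7
    is placed in Network_Control."""
    name = NAME_BY_VALUE.get(hdr[1] >> 2)
    return CLASSIFIER_DSCP_BA.get(name, CLASSIFIER_FALLBACK)


def rewrite(hdr, forwarding_class, loss_priority):
    """Egress rewrite. Assumption: a class/PLP pair with no rewrite entry (for
    example Scavenger at low PLP) leaves the code point as it was received."""
    code_point = DEF_DSCP_REWRITE.get((forwarding_class, loss_priority))
    if code_point is None:
        return hdr
    tos = (code_point << 2) | (hdr[1] & 0x03)          # keep the ECN bits
    body = hdr[:1] + bytes([tos]) + hdr[2:10] + b"\0\0" + hdr[12:]
    return body[:10] + struct.pack("!H", ipv4_checksum(body)) + body[12:]


def forward(hdr):
    """Classify on ingress, rewrite on egress; return class, PLP and the DSCP the next hop sees."""
    fc, plp = classify(hdr)
    return fc, plp, rewrite(hdr, fc, plp)[1] >> 2


def demo():
    """Constructed packets marked with code points from the classifier (af42, af12,
    cs7, cs1) and one it does not list (cs3)."""
    return {name: forward(build_ipv4(DSCP[name], "10.209.1.10", "10.15.0.5"))
            for name in ("af42", "af12", "cs7", "cs1", "cs3")}
```

The af42 to af41 and af12 to af11 results show that the rewrite collapses each class to a single code point, so the next hop can no longer tell the two drop precedences apart.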
[edit]
edit class-of-service interfaces ge-4/2/1
set unit 0 classifiers dscp DSCP-BA
set unit 0 classifiers dscp-ipv6 DSCP-BA
set unit 0 rewrite-rules dscp DEF_DSCP_REWRITE
set unit 0 rewrite-rules dscp-ipv6 DEF_DSCP_REWRITE
b. Apply CoS to the logical tunnel interface from the WAN aggregation role to the
[edit]
edit class-of-service interfaces xe-4/0/0
set unit 0 classifiers dscp DSCP-BA
set unit 0 classifiers dscp-ipv6 DSCP-BA
set unit 0 rewrite-rules dscp DEF_DSCP_REWRITE
Modify the queue assignment and DSCP code point for network control (host)
traffic that is generated by the Routing Engine and sent to the Packet Forwarding
Engine. This configuration does not affect transit traffic.
[edit]
edit class-of-service host-outbound-traffic
set forwarding-class Network_Control
set dscp-code-point cs7
Results
Verify CoS.
1. Verify CoS on the interface from the WAN aggregation role to the Data Center.
user@hub2> show class-of-service interface xe-4/0/0
Physical interface: xe-4/0/0, Index: 197
Queues supported: 8, Queues in use: 8
  Scheduler map: <default>, Index: 2
  Congestion-notification: Disabled

  Logical interface: xe-4/0/0.0, Index: 1395
    Object                  Name                   Type                    Index
    Rewrite                 DEF_DSCP_REWRITE       dscp                    61950
    Rewrite                 DEF_DSCP_REWRITE       dscp-ipv6               29182
    Classifier              DSCP-BA                dscp                      961
    Classifier              DSCP-BA                dscp-ipv6               33729
    Output bytes  :                    0
    Input  packets:                    0
    Output packets:                    0
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 1, Errors: 0, Drops: 2325, Collisions: 0, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
  Egress queues: 8 supported, 8 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 Best_Effort            781460759            781460759                    0
    1 Scavenger                                                                0
    2 Bulk_Data              162781915            162781050                  865
    3 Critical_Data          233487699            233487699                    0
    4 Video                  191711557            191710100                 1457
    5 Voice                  229040835            229040832                    3
    6 Network_Control        117386961            117386961                    0
    7 BRANCH                                                                   0
  Queue number:         Mapped forwarding classes
    0                   Best_Effort
    1                   Scavenger
    2                   Bulk_Data
    3                   Critical_Data
    4                   Video
    5                   Voice
    6                   Network_Control
    7                   BRANCH
  Active alarms  : None
  Active defects : None
  PCS statistics                      Seconds
    Bit errors                             0
    Errored blocks                         0
  MAC statistics:                      Receive         Transmit
    Total octets                  696482795007     553167579530
    Total packets                   2485764593       1715850119
    Unicast packets                 2217112622       1715635274
    Broadcast packets                       50               50
    Multicast packets                268651920           214795
    CRC/Align errors                         0                0
    FIFO errors                              0                0
    MAC control frames                       0                0
    MAC pause frames                         0                0
    Oversized frames                         0
    Jabber frames                            0
    Fragment frames                          0
    VLAN tagged frames                       0
    Code violations                          0
    Total errors                             0
  Filter statistics: (the counter values did not survive extraction)
      Generation: 5334
    Addresses, Flags: Is-Preferred Is-Primary
      Destination: 2001:DB8:242::/64, Local: 2001:DB8:242::2
  Protocol multiservice, MTU: Unlimited, Generation: 5336
      Generation: 2293, Route table: 0
    Flags: Is-Primary
    Policer: Input: __default_arp_policer__

    (Object and Name columns below did not survive extraction; the indices match the DEF_DSCP_REWRITE and DSCP-BA objects listed for xe-4/0/0 above.)
    Object                  Name                   Type                    Index
    Rewrite                 DEF_DSCP_REWRITE       dscp                    61950
    Rewrite                 DEF_DSCP_REWRITE       dscp-ipv6               29182
    Classifier              DSCP-BA                dscp                      961
    Classifier              DSCP-BA                dscp-ipv6               33729
errors: 0
  Egress queues: 8 supported, 8 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 Best_Effort           2811989467           2809440349              2549118
    1 Scavenger                      0                    0                    0
    2 Bulk_Data                 121015                75906                45109
    3 Critical_Data             549935               534913                15022
    4 Video                      35934                 2501                33433
    5 Voice                   55753142             55676927                76215
    6 Network_Control          1763966              1739491                24475
    7 BRANCH                         0                    0                    0
  Queue number:         Mapped forwarding classes
    0                   Best_Effort
    1                   Scavenger
    2                   Bulk_Data
    3                   Critical_Data
    4                   Video
    5                   Voice
    6                   Network_Control
    7                   BRANCH
  Active alarms  : None
  Active defects : None
  MAC statistics:                      Receive         Transmit
    Total octets                  606408693651     911360397392
    Total packets                   1810197201       2867443546
    Unicast packets                 1809906466       2867147929
    Broadcast packets                       45               54
    Multicast packets                   290690           295563
    CRC/Align errors                         0                0
    FIFO errors                              0                0
    MAC control frames                       0                0
    MAC pause frames                         0                0
    Oversized frames                         0
    Jabber frames                            0
    Fragment frames                          0
    VLAN tagged frames                       0
    Code violations                          0
    Total errors                             0                0
  Filter statistics:
    Input packet count              1810177681
    Input packet rejects                     0
    Input DA rejects                         0
    Input SA rejects                         0
    Output packet count             2867412207
    Output packet pad count                  0
    Output packet error count                0
    CAM destination filters: 0, CAM source filters: 0
  Autonegotiation information:
    Negotiation status: Complete
    Link partner:
      Link mode: Full-duplex, Flow control: Symmetric/Asymmetric, Remote fault: OK
    Local resolution:
      Flow control: Symmetric, Remote fault: Link OK
  Packet Forwarding Engine configuration:
    Destination slot: 0 (0x00)
  CoS information:
    Direction : Output
    CoS transmit queue        Bandwidth              Buffer   Priority   Limit
                          %          bps      %   usec
    0 Best_Effort        95    950000000     95      0   low        none
    3 Critical_Data       5     50000000      5          low        none
  Interface transmit statistics: Disabled
3. Verify CoS on the logical tunnel interface to the VPN termination role.
user@hub2> show class-of-service interface lt-5/1/0
Physical interface: lt-5/1/0, Index: 192
Queues supported: 8, Queues in use: 8
  Scheduler map: <default>, Index: 2
  Congestion-notification: Disabled

  Logical interface: lt-5/1/0.1, Index: 1402
  Logical interface: lt-5/1/0.10, Index: 1384
  Logical interface: lt-5/1/0.2, Index: 1383
    (Object and Name columns for the last four rows did not survive extraction; the indices match the DEF_DSCP_REWRITE and DSCP-BA objects above.)
    Object                  Name                   Type                    Index
    Traffic-control-profile SMALL-BRANCH           Output                  14334
    Rewrite                 DEF_DSCP_REWRITE       dscp                    61950
    Rewrite                 DEF_DSCP_REWRITE       dscp-ipv6               29182
    Classifier              DSCP-BA                dscp                      961
    Classifier              DSCP-BA                dscp-ipv6               33729
    Output packets:             51566415
  Protocol inet, MTU: 1500, Generation: 2281, Route table: 0
    Flags: Sendbcast-pkt-to-re, User-MTU
    Addresses, Flags: Is-Preferred Is-Primary
      Destination: 172.31.254.20/30, Local: 172.31.254.21, Broadcast: Unspecified, Generation: 5318
  Protocol inet6, MTU: 4470, Generation: 2282, Route table: 0
    Addresses, Flags: Is-Preferred
      Destination: fe80::/64, Local: fe80::2a0:a552:0:2df8
      Generation: 5320
    Addresses, Flags: Is-Preferred Is-Primary
      Destination: 2001:DB8:254:5::/64, Local: 2001:DB8:254:5::1
      Generation: 5322
. . .
Enabling Tunneling on the PIC for GRE Tunnels on the VPN Termination Role on page 182
Configuring the VPN Routing Instance on the VPN Termination Role on page 184
Configuring the WAN-GRE Routing Instance on the VPN Termination Role at Hub 2 on page 185
Configuring BGP Routing Policies on the VPN Termination Role on page 191
Configuring Fully-Meshed IBGP Peer Groups on the VPN Termination Router on page 191
Enabling Tunneling on the PIC for GRE Tunnels on the VPN Termination Role
Step-by-Step Procedure
1. Enable tunnel services on the FPC used for GRE tunnels, and specify that a bandwidth of 10 Gbps is reserved for tunneling. Up to 100 Gbps can be reserved, depending on the line card. This step gives GRE tunnels all the functionality of tunnel PICs.
[edit]
edit chassis fpc 5 pic 1
set tunnel-services bandwidth 10g
3. Configure logical tunnel interfaces that form a point-to-point connection and are used for shaping and queuing in place of per-unit GRE scheduling. Unit 2 is placed in the WAN-GRE routing instance.
[edit]
edit interfaces lt-5/1/0 unit 20
set description "--- Under WAN-GRE, used for per branch shaping/queuing (WAN-AGG2, lt-5/1/0.2) ---"
set encapsulation ethernet
set peer-unit 2
set family inet mtu 1500
set family inet address 172.31.254.30/30
[edit]
edit interfaces lt-5/1/0 unit 2
set description "--- Used for per branch shaping/queuing to WAN-GRE (lt-5/1/0.20) ---"
set encapsulation ethernet
set peer-unit 20
The VPN routing instance is a public Internet-facing instance that is used for branches
that connect to the hub over IPsec tunnels. It acts as the IPsec server for IPsec requests
from the branch, and it terminates IPsec tunnels that are initiated at the branch.
When you configure a branch scenario that uses IPsec tunnels to Hub 1, you add IPsec
interfaces used for the scenario to the VPN routing instance, and you add the loopback
interface that is used as the GRE tunnel source address at the hub.
2. Add the logical tunnel interface to the Internet edge router, and configure a default static route to the logical tunnel interface at the Internet edge router (lt-5/1/0.35).
[edit]
edit routing-instances VPN
set interface lt-5/1/0.53
set routing-options static route 0.0.0.0/0 next-hop 192.0.2.5
Results
0.0.0.0/0          *[Static/5] 02:31:29
                    > to 198.51.100.5 via ge-0/0/0.0
Configuring the WAN-GRE Routing Instance on the VPN Termination Role at Hub 2
Step-by-Step Procedure
The WAN-GRE virtual router routing instance terminates GRE tunnels from the
Internet-connected branches. The routing instance provides private overlay routing over
the GRE tunnels to the branch, and includes OSPF routing adjacencies between the GRE
tunnels and the WAN aggregation router over the directly connected Ethernet link. The
routing instance also includes multicast peering with the WAN aggregation router.
When you configure a branch scenario that uses GRE tunnels to the hub, you will add the
following to the WAN-GRE routing instance:
GRE interfaces used for the scenario to the WAN-GRE routing instance
The loopback interface that is used as the GRE tunnel source address at the hub.
2. Create a next-hop static route to the logical tunnel interface on the WAN aggregation router (lt-5/1/0.45). Set the preference of the static route to 200 so that routes to Aggregation Hub 1 are preferred over routes to Aggregation Hub 2. Hub 1 is always primary.
After GRE tunnels are terminated, the static route sends traffic to the WAN
aggregation router.
[edit]
edit routing-instances WAN-GRE routing-options
set static route 0.0.0.0/0 next-hop 172.31.254.21
set static route 0.0.0.0/0 preference 200
3. Configure OSPF.
Only the default route is advertised to the branches over OSPF.
a. Set the external preference for OSPF routes to 175.
A preference of 175 gives BGP routes, which have a default preference of 170,
preference in the routing table over OSPF routes.
[edit]
edit routing-instances WAN-GRE protocols ospf
set external-preference 175
b. Create a backbone area for IPv4, and add the logical tunnel interface to the WAN
Configure multicast.
Specify the address of the RP, and add the logical tunnel interface to the WAN
aggregation role.
[edit]
edit routing-instances WAN-GRE protocols pim
set rp static address 172.31.255.15
set interface lt-5/1/0.54 mode sparse
set interface lt-5/1/0.54 version 2
Results

OSPF neighbor output in the WAN-GRE routing instance:
Address          Interface        State   ID              Pri   Dead
172.31.254.21    lt-5/1/0.54      Full    172.31.255.5    128     38
172.16.1.6       gr-5/1/0.1       Full    172.16.0.255    128     34
172.22.16.162    gr-5/1/0.1011    Full    172.23.4.233    128     33
172.22.16.166    gr-5/1/0.1012    Full    172.23.4.234    128     35
172.22.16.170    gr-5/1/0.1013    Full    172.23.4.235    128     31
172.22.16.174    gr-5/1/0.1014    Full    172.23.4.236    128     35
172.22.16.178    gr-5/1/0.1015    Full    172.23.4.237    128     33
. . .

A second neighbor table survived only as its Pri and Dead columns (nine rows): 128/32, 128/33, 128/36, 128/37, 128/39, 128/34, 128/35, 128/37, 128/39.

The PIM neighbor table survived only as its V and Option columns (ten rows, all version 2 with option HPLGT).
Figure 67: Traffic Flow for Access to Hosted Services Through Aggregation Hub 2 (for External Users)
The HOSTED-WWW-NAT routing instance is used to route traffic to and from hosted
services. It connects to the SFW-NAT-SERVICES routing instance, which is in the Internet
edge role. It also connects to the default routing instance. To configure the routing instance
for external users to access hosted services:
2. Create a routing instance, and add the services interface to the SFW-NAT-SERVICES routing instance (sp-1/0/0.16006) and the interface to hosted services.
[edit]
edit routing-instances HOSTED-WWW-NAT
set instance-type virtual-router
set interface sp-1/0/0.16006
3. Create a default static route with a next hop to the services interface in the SFW-NAT-SERVICES routing instance.
[edit]
edit routing-instances HOSTED-WWW-NAT routing-options
set static route 0.0.0.0/0 next-hop sp-1/0/0.16006
Figure 68: Incoming Traffic Flow to Hosted Services from Layer 3 VPN / Leased-Line Transport
This configuration is used to provide access to hosted services for internal traffic from the branch or from the data center. Internal users access hosted services using the internal addressing 172.31.254.80/28. This configuration is in the WAN aggregation role in the default routing instance.
6. Configure a static route for traffic from the private NAT pool addresses to the inside service interface.
[edit]
edit routing-options
set static route 172.31.254.48/28 next-hop sp-1/0/0.12001
7. Create a routing instance, and add the services interface to the SFW-NAT-SERVICES routing instance (sp-1/0/0.16006), the interface to the WAN aggregation role (sp-1/0/0.12002), and the interface to hosted services.
[edit]
edit routing-instances HOSTED-WWW-NAT
set interface sp-1/0/0.12002
8. Configure a routing policy that exports the static route to OSPF so that it is advertised to Aggregation Hub 1.
[edit]
edit policy-options policy-statement STATIC2OSPF
set term 1 from protocol static
set term 1 from route-filter 172.31.254.48/28 exact
set term 1 then accept
1. Configure a routing policy that is used to advertise default static IPv4 routes, including routes received from OSPF. The policy sets next-hop self, which causes the loopback address to be advertised as the next hop for BGP traffic.
[edit]
edit policy-options policy-statement ADV_DEFAULT
set term 1 from family inet
set term 1 from protocol ospf
set term 1 from protocol static
set term 1 from route-filter 0.0.0.0/0 exact
set term 1 then next-hop self
set term 1 then accept
set term default then reject
2. Configure a routing policy that is used to advertise default static IPv6 routes.
[edit]
edit policy-options policy-statement ADV_DEFAULT6
set term 1 from protocol static
set term 1 from route-filter ::/0 exact
set term 1 then accept
set term default then reject
3. Configure a next-hop self routing policy for IPv4 traffic that causes the loopback address to be advertised as the next hop for BGP traffic.
[edit]
edit policy-options policy-statement NHS
set term 1 from protocol bgp
set term 1 then next-hop self
4. Configure a next-hop self routing policy for IPv6 traffic that causes the loopback address to be advertised as the next hop for BGP traffic.
[edit]
edit policy-options policy-statement NHS6
set term 1 from family inet6
set term 1 from protocol bgp
set term 1 then next-hop self
set term 1 then accept
At the aggregation hubs, we have a full IBGP mesh with the WAN aggregation router and
the WAN-GRE virtual routing instance on Aggregation Hub 1, the WAN-GRE
1. The NHS export policy causes the router to advertise the address of the loopback interface as the next hop.
[edit]
edit routing-instances WAN-GRE protocols bgp group IBGP-Mesh
set type internal
set local-address 172.31.255.6
set family inet unicast
set export NHS
set bfd-liveness-detection minimum-interval 500
set bfd-liveness-detection multiplier 3
set neighbor 172.31.255.2 authentication-key "$9$-tbY4UjkTznO1XNdbg4Qz3"
set neighbor 172.31.255.3 authentication-key "$9$4VJUiP5zCt0ylsgoJjiAtu"
set neighbor 172.31.255.5 authentication-key "$9$QyYC3/ABIhKMLs2PTz3CAvM8"
Results
...
Flaps: 2814
WAN-GRE.inet.0  : 25380/31445/31445/0 External: 0/0/0/0 Internal: 25380/31445/31445/0
WAN-GRE.inet6.0 : 24388/29454/29454/0 External: 0/0/0/0 Internal: 24388/29454/29454/0
WAN-GRE.mdt.0   : 0/0/0/0 External: 0/0/0/0 Internal: 0/0/0/0

user@hub2> show bgp summary instance WAN-GRE
Groups: 6 Peers: 2010 Down peers: 6
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
WAN-GRE.inet.0     31445      25380          0          0          0          0
WAN-GRE.inet6.0    29454      24388          0          0          0          0
WAN-GRE.mdt.0          0          0          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
172.16.2.6            65530       1146       1051       0       3     8:38:32 Establ
  WAN-GRE.inet.0: 1/78/78/0
172.16.3.6            65530       1153       1050       0       3     8:38:32 Establ
  WAN-GRE.inet.0: 127/129/129/0
172.22.1.2            65530       1047       1048       0       1     8:38:01 Establ
  WAN-GRE.inet.0: 1/6/6/0
172.22.1.6            65530       1047       1049       0       1     8:38:12 Establ
  WAN-GRE.inet.0: 1/6/6/0
172.22.1.10           65530       1047       1049       0       1     8:38:05 Establ
  WAN-GRE.inet.0: 1/6/6/0
172.22.1.14           65530       1047       1049       0       1     8:38:17 Establ
  WAN-GRE.inet.0: 1/6/6/0
172.22.1.18           65530       1047       1049       0       1     8:38:21 Establ
  WAN-GRE.inet.0: 1/6/6/0
...
1.
Configure classifiers.
a. Configure DSCP behavior aggregation (BA) for IPv4 traffic.
[edit]
edit class-of-service classifiers dscp DSCP-BA
set forwarding-class Best_Effort loss-priority high code-points be
set forwarding-class Video loss-priority low code-points af41
set forwarding-class Video loss-priority low code-points af42
set forwarding-class Voice loss-priority low code-points ef
set forwarding-class Network_Control loss-priority low code-points cs6
set forwarding-class Network_Control loss-priority low code-points cs7
set forwarding-class Scavenger loss-priority low code-points cs1
set forwarding-class Bulk_Data loss-priority high code-points af11
set forwarding-class Bulk_Data loss-priority high code-points af12
set forwarding-class Critical_Data loss-priority low code-points af21
set forwarding-class Critical_Data loss-priority low code-points af22
b. Configure DSCP behavior aggregation (BA) for IPv6 traffic.
[edit]
edit class-of-service classifiers dscp-ipv6 DSCP-BA
set forwarding-class Best_Effort loss-priority high code-points be
set forwarding-class Video loss-priority low code-points af41
set forwarding-class Video loss-priority low code-points af42
set forwarding-class Voice loss-priority low code-points ef
set forwarding-class Network_Control loss-priority low code-points cs6
set forwarding-class Network_Control loss-priority low code-points cs7
set forwarding-class Scavenger loss-priority low code-points cs1
set forwarding-class Bulk_Data loss-priority high code-points af11
set forwarding-class Bulk_Data loss-priority high code-points af12
set forwarding-class Critical_Data loss-priority low code-points af21
set forwarding-class Critical_Data loss-priority low code-points af22
c. Assign the forwarding classes to transmission queues.
[edit]
edit class-of-service forwarding-classes
set queue 0 Best_Effort
set queue 1 Scavenger
set queue 2 Bulk_Data
set queue 3 Critical_Data
set queue 4 Video
set queue 5 Voice
set queue 6 Network_Control
2.
a. Create rewrite rules for IPv4 traffic.
[edit]
edit class-of-service rewrite-rules dscp DEF_DSCP_REWRITE
set forwarding-class Voice loss-priority low code-point 101110
set forwarding-class Video loss-priority low code-point 100010
set forwarding-class Network_Control loss-priority low code-point 111000
set forwarding-class Critical_Data loss-priority low code-point 010010
set forwarding-class Bulk_Data loss-priority high code-point 001010
set forwarding-class Best_Effort loss-priority high code-point 000000
set forwarding-class Scavenger loss-priority high code-point 001000
b. Create rewrite rules for IPv6 traffic.
[edit]
edit class-of-service rewrite-rules dscp-ipv6 DEF_DSCP_REWRITE
set forwarding-class Voice loss-priority low code-point 101110
set forwarding-class Video loss-priority low code-point 100010
set forwarding-class Network_Control loss-priority low code-point 111000
set forwarding-class Critical_Data loss-priority low code-point 010010
set forwarding-class Bulk_Data loss-priority high code-point 001010
set forwarding-class Best_Effort loss-priority high code-point 000000
set forwarding-class Scavenger loss-priority high code-point 001000
7.
Modify the queue assignment and DSCP code point for network control (host)
traffic that is generated by the Routing Engine and sent to the Packet Forwarding
Engine. This configuration does not affect transit traffic.
[edit]
edit class-of-service host-outbound-traffic
set forwarding-class Network_Control
set dscp-code-point cs7
Verification
Verify Preferred Routes
Action
Verify that the VPN termination role advertises only the default route to
Internet-connected branches that use BGP as the private routing protocol. Also, make
sure that the VPN termination role receives all of the branch prefixes. Make sure that
routes to branches that are received by the VPN termination router at Aggregation Hub
1 from OSPF and BGP are preferred over routes received by Hub 2. In this case, the OSPF
cost and BGP local preference configurations should give preference to Hub 1.
1.
*[Static/1] 00:13:30
> via sp-1/0/0.2
172.16.1.0/30
172.16.1.4/30
172.16.1.5/32
172.16.1.12/30
172.16.1.16/30
172.16.1.20/30
172.16.1.254/32
3. Verify that when the VPN2 GRE tunnels are up all the traffic to IPsec GRE branches
any Internet bound traffic that is sourced from the GRE IPsec branches.
user@hub2> show route table WAN-GRE.inet.0 0.0.0.0/0 exact
WAN-GRE.inet.0: 27866 destinations, 60339 routes (27866 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0
5. Verify the routes that are advertised by the DC-CORE and ping to DC-ACCESS LSYS
A V Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
* ? 172.28.1.0/24      O  10         27             >lt-5/1/0.54
* ? 172.28.2.0/24      O  10         27             >lt-5/1/0.54
* ? 172.28.3.0/24      O  10         27             >lt-5/1/0.54
* ? 172.28.4.0/24      O  10         27             >lt-5/1/0.54
* ? 172.28.5.0/24      O  10         27             >lt-5/1/0.54
* ? 172.28.6.0/24      O  10         27             >lt-5/1/0.54
* ? 172.28.7.0/24      O  10         27             >lt-5/1/0.54
* ? 172.28.8.0/24      O  10         27             >lt-5/1/0.54
* ? 172.28.9.0/24      O  10         27             >lt-5/1/0.54
* ? 172.28.10.0/24     O  10         27             >lt-5/1/0.54
* ? 172.28.11.0/24     O  10         27             >lt-5/1/0.54
* ? 172.28.12.0/24     O  10         27             >lt-5/1/0.54
* ? 172.28.13.0/24     O  10         27             >lt-5/1/0.54
* ? 172.28.14.0/24     O  10         27             >lt-5/1/0.54
* ? 172.28.15.0/24     O  10         27             >lt-5/1/0.54
* ? 172.28.16.0/24     O  10         27             >lt-5/1/0.54
...
CHAPTER 7
Overview
The backup aggregation hub features an MX480 configured with virtual routing instances for
each of the WAN aggregation hub functional roles. This section focuses on configuration
of the nodes in the blue highlighted area (Figure 69 on page 199).
Configuring Security Based on Application Traffic on the Internet Gateway on page 206
Configuring a Routing Instance for Stateful Firewall and NAT Services on the Internet
Gateway on page 210
Configuring NAT and Stateful Firewall for Inbound Traffic on the Internet
Gateway on page 211
Configuring NAT and Stateful Firewall for Outbound Traffic on the Internet
Gateway on page 213
2.
set description "--- Under the IEDGE Service & connected to SFW-NAT-SERVICES (lt-5/1/0.1)"
set encapsulation ethernet
set peer-unit 1
set family inet mtu 1500
set family inet address 172.31.254.26/30
4.
Configure the Ethernet interface to the Internet edge router at Aggregation Hub 1.
[edit]
edit interfaces xe-5/0/0
set description "--- To Internet edge Hub 1 xe-0/0/0 ---"
set unit 0 account-layer2-overhead ingress 18
set unit 0 account-layer2-overhead egress 18
set unit 0 family inet mtu 1500
set unit 0 family inet address 172.31.254.6/30
6.
Add all of the above interfaces to the IEDGE virtual routing instance.
[edit]
edit routing-instances IEDGE
set interface ge-4/2/6.0
set interface xe-5/0/0.0
set interface lt-5/1/0.10
set interface lt-5/1/0.35
set interface lo0.1
1.
Configure a routing policy that is used to advertise default static IPv4 routes,
including routes received from OSPF.
[edit]
edit policy-options policy-statement ADV_DEFAULT
set term 1 from family inet
set term 1 from protocol ospf
set term 1 from protocol static
set term 1 from route-filter 0.0.0.0/0 exact
set term 1 then next-hop self
set term 1 then accept
set term default then reject
2.
Configure a routing policy that is used to advertise default static IPv6 routes.
[edit]
edit policy-options policy-statement ADV_DEFAULT6
set term 1 from protocol static
set term 1 from route-filter ::/0 exact
set term 1 then accept
set term default then reject
3.
202
Configure a next-hop self routing policy for IPv4 traffic that causes the loopback
address to be advertised as the next hop for BGP traffic.
[edit]
edit policy-options policy-statement NHS
set term 1 from protocol bgp
set term 1 then next-hop self
4.
Configure a next-hop self routing policy for IPv6 traffic that causes the loopback
address to be advertised as the next hop for BGP traffic.
[edit]
edit policy-options policy-statement NHS6
set term 1 from family inet6
set term 1 from protocol bgp
set term 1 then next-hop self
set term 1 then accept
5.
Configure a routing policy that is used to reject routes from the Aggregation Hub 1
block of addresses (191.15.100.0/24).
[edit]
edit policy-options policy-statement BLOCK_HEAD1_BLOCK
set term 1 from route-filter 191.15.100.0/24 exact
set term 1 then reject
7.
Configure a policy that is used to advertise the block of addresses used for source
NAT (192.0.2.0/24) and the Aggregation Hub 2 block of addresses (100.64.100.0/24)
used for destination NAT to the Internet.
The AS path prepend adds AS numbers at the beginning of an AS path. AS path
prepending makes a shorter AS path look longer and therefore less preferable to BGP.
In this case, a longer AS path on the Internet edge of Hub 2 makes routes to the
Internet edge router on Hub 1 preferable.
[edit]
edit policy-options policy-statement HEAD2-RANGE
set term 1 from protocol aggregate
set term 1 from route-filter 191.15.200.0/24 exact
set term 1 then accept
set term 2 from route-filter 204.164.100.0/24 exact
set term 2 then as-path-prepend "2222 2222 2222"
set term 2 then accept
set term default then reject
8.
Configure a prefix list and routing policy that are used to prevent martian routes
from being installed into the routing table.
[edit]
edit policy-options prefix-list RFC1918
set 10.0.0.0/8
set 172.16.0.0/12
set 192.168.0.0/16
[edit]
edit policy-options policy-statement MARTIANS
2.
In the IEDGE routing instance, create an IBGP group that is used to peer with the
Internet edge router at Aggregation Hub 1.
[edit]
edit routing-instances IEDGE protocols bgp group HEAD1
set type internal
set neighbor 172.31.254.5 authentication-key "$9$zpgIn9t1RcvWXYgfQFnAtMWL"
set neighbor 172.31.254.5 export NHS
set neighbor 172.31.254.5 peer-as 2222
3.
In the IEDGE routing instance, configure an EBGP peer group to the Internet service
provider.
The neighbor is the address of the Internet service provider.
The MARTIANS import policy prevents martian routes received from the Internet
from being installed into the routing table.
The BLOCK_HEAD1_BLOCK import policy prevents routes advertised from the
Aggregation Hub 1 block of addresses (191.15.100.0/24).
The HEAD2-RANGE export policy advertises the enterprise block of addresses used
for source NAT (100.64.100.0/24) and the Aggregation Hub 2 block of addresses
(192.0.2.0/24) used for destination NAT to the Internet.
[edit]
edit routing-instances IEDGE protocols bgp group EBGP_To_AS_269
set type external
set import MARTIANS
set import BLOCK_HEAD1_BLOCK
set export HEAD2-RANGE
set peer-as 269
set neighbor 191.15.200.1 authentication-key "$9$I1rhyeLx-24J.P01Rhleg4a"
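The following is an added example, not part of the guide, that models how the EBGP_To_AS_269 policies above are evaluated: the import chain MARTIANS then BLOCK_HEAD1_BLOCK, and the HEAD2-RANGE export with its AS path prepend. The body of MARTIANS is not shown on the page, so the model assumes it rejects any prefix inside the RFC1918 prefix list (prefix-list-filter RFC1918 orlonger); the exact-match behaviour of BLOCK_HEAD1_BLOCK is taken from the page as written.

```python
"""Model of the IEDGE EBGP import/export policy chain (added example, not Juniper
code). ASSUMPTION: the MARTIANS policy-statement, whose body is cut off on the
page, rejects anything inside the RFC1918 prefix list (orlonger match)."""
import ipaddress
from dataclasses import dataclass, field

# edit policy-options prefix-list RFC1918 (from the page)
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


@dataclass
class Route:
    prefix: str
    protocol: str = "bgp"                      # bgp, aggregate, static, ...
    as_path: list = field(default_factory=list)


def route_filter(prefix, target, kind):
    """Junos route-filter match types used on the page: exact and orlonger."""
    p, t = ipaddress.ip_network(prefix), ipaddress.ip_network(target)
    if p.version != t.version:
        return False
    if kind == "exact":
        return p == t
    if kind == "orlonger":
        return p.subnet_of(t)
    raise ValueError("unsupported match type: " + kind)


def martians(route):
    """ASSUMED body of MARTIANS: reject RFC1918 space learned from the ISP."""
    if any(route_filter(route.prefix, net, "orlonger") for net in RFC1918):
        return "reject"
    return None                                # no terminating action: next policy


def block_head1_block(route):
    """BLOCK_HEAD1_BLOCK: term 1 from route-filter 191.15.100.0/24 exact; then reject."""
    if route_filter(route.prefix, "191.15.100.0/24", "exact"):
        return "reject"
    return None


def head2_range(route):
    """HEAD2-RANGE export policy, terms in the order the page gives them."""
    # term 1: from protocol aggregate, route-filter 191.15.200.0/24 exact; then accept
    if route.protocol == "aggregate" and route_filter(route.prefix, "191.15.200.0/24", "exact"):
        return "accept"
    # term 2: route-filter 204.164.100.0/24 exact; then as-path-prepend "2222 2222 2222", accept
    if route_filter(route.prefix, "204.164.100.0/24", "exact"):
        route.as_path = ["2222", "2222", "2222"] + route.as_path
        return "accept"
    return "reject"                            # term default then reject


def evaluate(route, chain, default_action):
    """Policies run in the configured order; the first terminating action wins."""
    for policy in chain:
        action = policy(route)
        if action in ("accept", "reject"):
            return action
    return default_action


def isp_import(prefix):
    """set import MARTIANS; set import BLOCK_HEAD1_BLOCK (Junos BGP import default: accept)."""
    return evaluate(Route(prefix), [martians, block_head1_block], "accept")


def isp_export(route):
    """set export HEAD2-RANGE; the policy's own default term means the fallback is never reached."""
    return evaluate(route, [head2_range], "accept")


if __name__ == "__main__":
    for p in ["0.0.0.0/0", "10.20.0.0/16", "191.15.100.0/24", "191.15.100.0/25"]:
        print(f"import {p:18} -> {isp_import(p)}")
    r = Route("204.164.100.0/24", protocol="aggregate")
    print("export", r.prefix, "->", isp_export(r), r.as_path)
```

Note that because BLOCK_HEAD1_BLOCK uses `exact`, a more-specific prefix such as 191.15.100.0/25 is not rejected by that policy; use `orlonger` if the whole Hub 1 block is to be excluded.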
Step-by-Step
Procedure
Verify BGP peering to the Internet service provider gateway (198.51.100.1) and to
the Internet edge router at Aggregation Hub 2 (172.31.254.6).
user@hub_2> show bgp summary instance IEDGE
Groups: 2 Peers: 2 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    Pending
IEDGE.inet.0           2          2          0          0
IEDGE.mdt.0            0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
172.31.254.5           2222       1045        955       0         7:50:23 Establ
  IEDGE.inet.0: 1/1/1/0
192.0.2.1               269       1039        950       0         7:48:06 Establ
  IEDGE.inet.0: 1/1/1/0
2.
Verify that routes are being received from and advertised to the Internet service
provider.
user@hub_2> show route receive-protocol bgp 192.0.2.1
IEDGE.inet.0: 13 destinations, 14 routes (13 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 0.0.0.0/0               192.0.2.1                               269 I

user@hub_2> show route advertising-protocol bgp 192.0.2.1
IEDGE.inet.0: 13 destinations, 14 routes (13 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 192.0.2.0/24            Self                                    I
* 100.64.100.0/24         Self                                    2222 2222 2222 [2222] I
4.
Verify that routes are being received from and advertised to the Internet edge router
at Aggregation Hub 1.
user@iedge1> show route receive-protocol bgp 172.31.254.5
[edit]
edit applications
set application ftp application-protocol ftp
set application ftp protocol tcp
set application ftp destination-port 21
set application tftp application-protocol tftp
set application tftp protocol udp
set application tftp destination-port 69
set application rpcportmaptcp application-protocol rpc-portmap
set application rpcportmaptcp protocol tcp
set application rpcportmaptcp destination-port 111
set application rpcportmapudp application-protocol rpc-portmap
set application rpcportmapudp protocol udp
set application rpcportmapudp destination-port 111
set application rexec application-protocol exec
set application rexec protocol tcp
set application rexec destination-port 512
set application rlogin protocol tcp
set application rlogin destination-port 513
set application rsh application-protocol shell
set application rsh protocol tcp
set application rsh destination-port 514
set application rtsp application-protocol rtsp
set application rtsp protocol tcp
set application rtsp destination-port 554
set application winframe application-protocol winframe
set application winframe protocol tcp
set application winframe destination-port 1494
set application sqlnet application-protocol sqlnet
set application sqlnet protocol tcp
set application sqlnet destination-port 1521
set application h323 application-protocol h323
set application h323 protocol tcp
set application h323 destination-port 1720
set application iiop-java application-protocol iiop
set application iiop-java protocol tcp
set application iiop-java destination-port 1975
set application iiop-orbix application-protocol iiop
set application iiop-orbix protocol tcp
4.
Create a stateful firewall that specifies application traffic that is allowed from the
enterprise to the Internet.
[edit]
edit services stateful-firewall rule corp-to-internet
set match-direction input
set term allow-all-alg from application-sets all-alg-set
set term allow-all-alg then accept
set term allow-non-alg then accept
5.
Create a stateful firewall that specifies application traffic that is allowed from the
Internet to the enterprise network.
[edit]
edit services stateful-firewall rule internet-to-dmz
set match-direction output
set term allow-web-rtsp from application-sets dmz-alg-set
set term allow-web-rtsp then accept
6.
Create a stateful firewall that allows accounting traffic through the firewall.
[edit]
edit services stateful-firewall rule protect-accounting
set match-direction input
set term allow-accounting-out-alg from application-sets all-alg-set
set term allow-accounting-out-alg then accept
set term allow-accounting-out-no-alg then accept
Configuring a Routing Instance for Stateful Firewall and NAT Services on the Internet Gateway
Step-by-Step
Procedure
2.
Configure the services interface that connects to the WAN aggregation role.
[edit]
edit interfaces sp-1/0/0 unit 16002
set description "--- Branch to WWW NAT service outside interface ---"
set family inet
set service-domain outside
4.
Create a virtual router routing instance for NAT and stateful firewall services. Add
the above interfaces to the instance.
[edit]
edit routing-instances SFW-NAT-SERVICES
set instance-type virtual-router
Create a static default route to the lt-5/1/0.10 interface on the IEDGE virtual router.
[edit]
edit routing-instances SFW-NAT-SERVICE
set routing-options static route 0.0.0.0/0 next-hop 172.31.254.26
Results
After stateful firewall and NAT services are configured and committed, use the following
commands to verify that the configuration was successful.
user@hub_2> show route table SFW-NAT-SERVICE.inet.0
SFW-NAT-SERVICE.inet.0: 5 destinations, 6 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0
*[Static/5] 20:59:53
> to 172.31.254.26 via lt-5/1/0.1
172.31.254.24/30
*[Direct/0] 20:59:53
> via lt-5/1/0.1
172.31.254.25/32
*[Local/0] 20:59:53
Local via lt-5/1/0.1
192.0.2.224/32 *[Static/1] 20:59:50
> via sp-1/0/0.16005
[Static/5] 20:59:53
> via sp-1/0/0.16005
100.64.100.0/24
*[Static/1] 20:59:50
> via sp-1/0/0.16002
Configuring NAT and Stateful Firewall for Inbound Traffic on the Internet Gateway
Step-by-Step
Procedure
This procedure configures destination NAT and the stateful firewall for external traffic
received from the Internet and sent to hosted services.
1.
Create an aggregate route for the Aggregation Hub 2 block of addresses that is
advertised to the Internet for hosted services.
[edit]
edit routing-instances IEDGE routing-options
set aggregate route 192.0.2.0/24
2.
Configure a static route in the IEDGE virtual routing instance to send traffic for
192.0.2.224/28 to the interface lt-5/1/0.1 in the SFW-NAT-SERVICES routing
instance.
[edit]
edit routing-instances IEDGE routing-options
set static route 192.0.2.224/28 next-hop 172.31.254.25
3.
Create a NAT pool for the private addresses used for hosted services.
[edit]
edit services nat pool www-addr
set address 172.31.255.48/28
4.
Create a NAT rule used to perform destination NAT. Use translation type dnat-44,
which causes the destination address to be statically translated (IPv4 to IPv4).
[edit]
edit services nat rule internet-www
set match-direction input
set term from-internet from destination-address 192.0.2.224/28
set term from-internet then translated destination-pool www-addr
set term from-internet then translated translation-type dnat-44
5.
Create an application set for the DMZ using applications that were previously
configured.
[edit]
edit applications application-set dmz-alg-set
set application icmp-all
set application ftp
set application rtsp
set application web
set application junos-ip
6.
Create a stateful firewall rule that allows all traffic through the firewall. In your
actual deployment, you would customize your own firewall.
[edit]
edit services stateful-firewall rule ALLOW_ALL
set match-direction input-output
set term TERM then accept
7.
Create a stateful firewall that accepts application traffic that is defined in the
dmz-alg-set application set.
[edit]
edit services stateful-firewall rule internet-to-dmz
set match-direction output
set term allow-web-rtsp from application-sets dmz-alg-set
set term allow-web-rtsp then accept
Results
Configuring NAT and Stateful Firewall for Outbound Traffic on the Internet Gateway
Step-by-Step
Procedure
This procedure configures source NAT and the stateful firewall for internal traffic from
branches, the data center, or hosted services that is headed to the Internet.
1.
Configure a pool of addresses for the enterprise block of assigned addresses. These
addresses are advertised to the Internet, and are used for source NAT.
[edit]
edit services nat pool public-pool
set address 100.64.100.0/24
set port range low 3000
set port range high 10000
2.
Create a NAT rule for traffic from branches, the data center, or hosted services to
the Internet. The source addresses are the internal enterprise addresses.
[edit]
edit services nat rule Branch-DC-to-Internet
set match-direction input
set term from-lan from source-address 172.16.0.0/12
set term from-lan from source-address 10.0.0.0/8
set term from-lan then translated source-pool public-pool
set term from-lan then translated translation-type napt-44
4.
Create a stateful firewall that specifies application traffic that is allowed from the
enterprise to the Internet.
[edit]
edit services stateful-firewall rule corp-to-internet
set match-direction input
set term allow-all-alg from application-sets all-alg-set
set term allow-all-alg then accept
set term allow-non-alg then accept
5.
Create a stateful firewall rule that allows all traffic through the firewall. In your
actual deployment, you would customize your own firewall.
[edit]
edit services stateful-firewall rule ALLOW_ALL
set match-direction input-output
set term TERM then accept
6.
Create a NAT service set for traffic from branches, the data center, or hosted services
to the Internet.
[edit]
edit services service-set NAT-Branch-internet
set stateful-firewall-rules ALLOW_ALL
set stateful-firewall-rules corp-to-internet
set nat-rules Branch-DC-to-Internet
set next-hop-service inside-service-interface sp-3/0/0.1
set next-hop-service outside-service-interface sp-3/0/0.2
7.
Configure a static route in the IEDGE virtual routing instance to interface lt-5/1/0.1
in the SFW-NAT-SERVICES routing instance.
Configure a static route for the enterprise block of addresses that are used for source
NAT (100.64.100.0/24). Assign a preference of 200 so that routes on Hub1 are
preferred over routes to Hub 2.
[edit]
edit routing-instances IEDGE routing-options
set static route 100.64.100.0/24 next-hop 172.31.254.25
set static route 100.64.100.0/24 preference 200
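The following added example (not part of the guide) models the two NAT rules from the inbound and outbound procedures: internet-www (dnat-44 from 192.0.2.224/28 to pool www-addr 172.31.255.48/28) and Branch-DC-to-Internet (napt-44 from 172.16.0.0/12 and 10.0.0.0/8 to pool public-pool 100.64.100.0/24, ports 3000 through 10000). It assumes that dnat-44 with an equal-sized pool is a one-to-one, offset-preserving address mapping and that every address in the pool prefix is usable.

```python
"""Model of the page's dnat-44 and napt-44 rules (added example, not Juniper code).
ASSUMPTIONS: dnat-44 with an equal-sized pool maps addresses one-to-one by
offset; all 256 addresses of the public pool prefix are usable."""
import ipaddress

DNAT_MATCH = ipaddress.ip_network("192.0.2.224/28")      # term from-internet destination-address
DNAT_POOL = ipaddress.ip_network("172.31.255.48/28")     # pool www-addr
NAPT_SOURCES = [ipaddress.ip_network("172.16.0.0/12"),   # term from-lan source-address
                ipaddress.ip_network("10.0.0.0/8")]
NAPT_POOL = ipaddress.ip_network("100.64.100.0/24")      # pool public-pool
PORT_LOW, PORT_HIGH = 3000, 10000                        # port range low / high


def dnat44(dst):
    """Static destination NAT for Internet traffic to hosted services.

    Returns the private address, or None when the rule term does not match
    (the packet is then forwarded untranslated)."""
    addr = ipaddress.ip_address(dst)
    if addr not in DNAT_MATCH:
        return None
    offset = int(addr) - int(DNAT_MATCH.network_address)
    return str(DNAT_POOL.network_address + offset)


def napt_capacity():
    """Concurrent bindings the public pool can hold: addresses times ports."""
    return NAPT_POOL.num_addresses * (PORT_HIGH - PORT_LOW + 1)


class Napt44:
    """Source NAT with port translation: each internal (ip, port) gets one
    (pool ip, pool port) binding for the life of the session."""

    def __init__(self):
        self.bindings = {}      # (src ip, src port) -> (pool ip, pool port)
        self.in_use = set()     # pool tuples already handed out

    def translate(self, src, src_port):
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in NAPT_SOURCES):
            return None         # not an enterprise source: term from-lan does not match
        key = (str(addr), src_port)
        if key in self.bindings:
            return self.bindings[key]
        for pool_ip in NAPT_POOL:
            for pool_port in range(PORT_LOW, PORT_HIGH + 1):
                cand = (str(pool_ip), pool_port)
                if cand not in self.in_use:
                    self.in_use.add(cand)
                    self.bindings[key] = cand
                    return cand
        return None             # pool exhausted: the session cannot be translated

    def release(self, src, src_port):
        """Free a binding when the session ends so the pool port can be reused."""
        cand = self.bindings.pop((str(ipaddress.ip_address(src)), src_port), None)
        if cand:
            self.in_use.discard(cand)


if __name__ == "__main__":
    print("dnat 192.0.2.230 ->", dnat44("192.0.2.230"))
    nat = Napt44()
    print("napt 10.1.1.10:40000 ->", nat.translate("10.1.1.10", 40000))
    print("pool capacity:", napt_capacity())
```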
Results
CoS is used on the Internet edge router to separate incoming traffic from the
Internet-connected branches from traffic coming from the Internet.
3.
[edit]
edit class-of-service forwarding-classes
set queue 0 Best_Effort
set queue 6 Network_Control
set queue 7 BRANCH
6.
Create a traffic control profile for traffic to the Internet service provider.
[edit]
edit class-of-service traffic-control-profiles TO-ISP2
set scheduler-map IEDGE_ISP_LINK_SCHEDULER
set shaping-rate 800m
8.
Apply CoS to the interface on the Internet edge role to the Internet edge router on
Aggregation Hub 1.
[edit]
edit class-of-service interfaces xe-5/0/0
set unit 0 forwarding-class Best_Effort
Step-by-Step
Procedure
If the data center or hosted services are not reachable for Internet-connected branches
or for public Internet traffic, the ge-4/2/6 interface to the ISP is used. You can verify that
CoS is working as expected by following this procedure in a failover scenario.
1.
...
  1  Scavenger
  2  Bulk_Data
  3  Critical_Data
  4  Video
  5  Voice
  6  Network_Control
  7  BRANCH
  Active alarms  : None
  Active defects : None
  MAC statistics:                      Receive         Transmit
    Total octets                 1235574774649     721404556892
    Total packets                   3227526305       1646217499
    Unicast packets                 3227526248       1646217458
    Broadcast packets                       53               41
    Multicast packets                        0                0
    CRC/Align errors                         0                0
    FIFO errors                              0                0
    MAC control frames                       0                0
    MAC pause frames                         0                0
    Oversized frames                         0
    Jabber frames                            0
    Fragment frames                          0
    VLAN tagged frames                       0
    Code violations                          0
    Total errors                             0                0
  Filter statistics:
    Input packet count              3227484958
    Input packet rejects                     0
    Input DA rejects                         0
    Input SA rejects                         0
    Output packet count             1646193671
    Output packet pad count                  0
    Output packet error count                0
    CAM destination filters: 0, CAM source filters: 0
  Autonegotiation information:
    Negotiation status: Complete
    Link partner:
        Link mode: Full-duplex, Flow control: Symmetric/Asymmetric, Remote fault: OK
    Local resolution:
        Flow control: Symmetric, Remote fault: Link OK
  Packet Forwarding Engine configuration:
    Destination slot: 0 (0x00)
  CoS information:
    Direction : Output
    CoS transmit queue               Bandwidth               Buffer Priority   Limit
                              %            bps     %           usec
    0 Best_Effort            20      160000000     r              0      low    none
    7 BRANCH                 79      632000000     r              0     high    none
  Interface transmit statistics: Disabled

  Logical interface ge-4/2/6.0 (Index 1399) (SNMP ifIndex 752) (Generation 1222)
    Flags: SNMP-Traps 0x4004000 Encapsulation: ENET2
    Statistics account overhead :
      Ingress account overhead : 18 bytes
      Egress account overhead  : 18 bytes
    Traffic statistics:
     Input  bytes  :        1235582733047
     Output bytes  :         721409693912
     Input  packets:           3227546501
     Output packets:           1646229145
    Local statistics:
     Input  bytes  :               472056
     Output bytes  :               565620
     Input  packets:                 7354
     Output packets:                 7354
    Transit statistics:
     Input  bytes  :        1235582260991            132670576 bps
     Output bytes  :         721409128292             84645928 bps
     Input  packets:           3227539147                41301 pps
     Output packets:           1646221791                23842 pps
    Protocol inet, MTU: 1500, Generation: 2303, Route table: 5
      Flags: Sendbcast-pkt-to-re, Is-Primary, User-MTU
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 192.0.2.0/30, Local: 192.0.2.2, Broadcast: 192.0.2.3, Generation: 5352
    Protocol multiservice, MTU: Unlimited, Generation: 2304, Route table: 5
      Policer: Input: __default_arp_policer__
2.
Verify the separation of Internet traffic and branch traffic into different queues on
traffic sent toward the Internet.
user@hub2> show interfaces queue ge-4/2/6 egress
Physical interface: ge-4/2/6, Enabled, Physical link is Up
  Interface index: 207, SNMP ifIndex: 686
  Description: --- To Public ISP link ( Navami-PE2 ge-1/2/1 ) ---
Forwarding classes: 16 supported, 8 in use
Egress queues: 8 supported, 8 in use
Queue: 0, Forwarding classes: Best_Effort
  Queued:
    Packets              :             508990230                  7105 pps
    Bytes                :          234586408449              26864608 bps
  Transmitted:
    Packets              :             508990230                  7105 pps
    Bytes                :          234586408449              26864608 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 1, Forwarding classes: Scavenger
  Queued:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
  Transmitted:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 2, Forwarding classes: Bulk_Data
  Queued:
    Packets              :             136386039                  2000 pps
    Bytes                :           82649939634               9699840 bps
  Transmitted:
    Packets              :             136386014                  2000 pps
    Bytes                :           82649924484               9699840 bps
    Tail-dropped packets :                    25                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 3, Forwarding classes: Critical_Data
  Queued:
    Packets              :             201194827                  3001 pps
    Bytes                :           96169574111              11478080 bps
  Transmitted:
    Packets              :             201189726                  3001 pps
    Bytes                :           96167135833              11478080 bps
    Tail-dropped packets :                  3153                     0 pps
    RED-dropped packets  :                  1948                     0 pps
     Low                 :                  1948                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                931144                     0 bps
     Low                 :                931144                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 4, Forwarding classes: Video
  Queued:
    Packets              :             399791451                  6003 pps
    Bytes                :          242273619306              29103424 bps
  Transmitted:
    Packets              :             399790317                  6003 pps
    Bytes                :          242272932102              29103424 bps
    Tail-dropped packets :                  1134                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
...
CHAPTER 8
Results
1.
[edit]
set system syslog host log kernel info
set system syslog host log any notice
set system syslog host log pfe info
set system syslog host log interactive-commands any
set system syslog file messages any any
set system syslog file messages kernel info
set system syslog file messages authorization info
set system syslog file messages pfe info
set system syslog file messages archive world-readable
set system syslog file security interactive-commands any
set system syslog file security archive world-readable
Configuring SNMP
Step-by-Step
Procedure
Results
1.
2. Verify MIBs.
user@hub1> show snmp mib walk sysName
sysName.0 = wan-agg-1
jnxOperatingCPU.4.1.1.0 = 0
jnxOperatingCPU.4.1.2.0 = 0
jnxOperatingCPU.4.1.3.0 = 0
jnxOperatingCPU.4.1.4.0 = 0
jnxOperatingCPU.4.1.5.0 = 0
jnxOperatingCPU.6.1.0.0 = 16
jnxOperatingCPU.6.1.1.0 = 16
jnxOperatingCPU.7.1.0.0 = 16
jnxOperatingCPU.7.2.0.0 = 16
jnxOperatingCPU.8.1.1.0 = 0
jnxOperatingCPU.8.2.1.0 = 0
jnxOperatingCPU.8.2.3.0 = 0
jnxOperatingCPU.8.2.4.0 = 0
jnxOperatingCPU.9.1.0.0 = 12
jnxOperatingCPU.20.1.1.0 = 0
jnxOperatingCPU.20.2.1.0 = 0
jnxOperatingCPU.20.2.2.0 = 0
Results
Step-by-Step
Procedure
1.
Configure traffic sampling that forwards data to a log file on the router.
[edit]
edit forwarding-options sampling
set input rate 1000
set family inet output file filename sample-ewan.log
set family inet output file size 10m
3.
Add the filter to the following interfaces on the VPN termination router.
[edit]
edit interfaces
set ge-0/0/0 unit 0 family inet filter output v4_sample_filter
set ge-0/0/1 unit 0 family inet filter input v4_sample_filter
set gr-0/1/0 unit 1 family inet filter output v4_sample_filter
set sp-0/3/0 unit 1 family inet filter input v4_sample_filter
set sp-0/3/0 unit 2 family inet filter input v4_sample_filter
Results
TOS    Pkt len    Intf num    IP frag    TCP flags
0x0        312        1109        0x0          0x0
0x0        312        1109        0x0          0x0
0x0        312        1109        0x0          0x0
0x0        312        1109        0x0          0x0
0x0        312        1109        0x0          0x0
0x0        312        1109        0x0          0x0
0x0        312        1109        0x0          0x0
0x0        312        1109        0x0          0x0
. . .
CHAPTER 9
Configuring Routing Engine Protection on the Internet Edge Gateway on Aggregation Hub 1
Configuring Prefix Lists for Routing Engine Protection on the Internet Edge Gateway
on Aggregation Hub 1 on page 227
Configuring Firewall Filters for Routing Engine Protection on the Internet Edge Gateway
at Aggregation Hub 1 on page 228
Configuring Prefix Lists for Routing Engine Protection on the Internet Edge Gateway on Aggregation Hub 1
Step-by-Step
Procedure
Create a set of prefix lists to be used in firewall filters that are set up for Routing Engine
protection. These prefix lists specify trusted IP subnets and addresses for different types
of traffic. Traffic received from these addresses is allowed through firewalls used for
Routing Engine protection.
Configuring Firewall Filters for Routing Engine Protection on the Internet Edge
Gateway at Aggregation Hub 1
Step-by-Step
Procedure
To secure the Routing Engine against network attacks, we are using a firewall filter. The
filter is used to prevent small packet attacks, fragment attacks, and denial of service
(DoS) attacks from specific protocols such as ICMP, BGP, OSPF, SNMP, UDP, and TCP. The
filter accepts traffic only from trusted sources, and it discards all other traffic. The
filter also includes policers that apply rate limits to the traffic that is accepted by
the filter.
Because loopback interfaces are a link to the Routing Engine, we will apply the firewall
filter to loopback interfaces at the aggregation hub, which means that the filter is applied
to traffic destined for the router control plane and not to transit traffic.
In addition to specifying traffic that is accepted, we are counting packets received from
different sources, and in some cases logging traffic. You can use counters and logs to
check that the filter is working as expected and to detect unusual amounts of certain
types of traffic.
2.
Create a firewall filter, and specify that counters defined in the filter are interface
specific.
[edit]
edit firewall family inet filter RE-PROTECT
set interface-specific
3.
Configure a term that prevents small packet attacks. It counts, logs, and discards
packets with a length of 0 through 24. The discard action is essential: a Junos term
whose then clause contains only nonterminating actions such as count and log accepts
the matching packet.
[edit]
edit firewall family inet filter RE-PROTECT
set term small-packets from packet-length 0-24
set term small-packets then count small-packet-attack
set term small-packets then log
set term small-packets then discard
4.
Configure a term that prevents fragment attacks. It counts, logs, and discards
packets that have a fragment offset.
[edit]
edit firewall family inet filter RE-PROTECT
set term fragment-packets from fragment-offset-except 0
set term fragment-packets from protocol icmp
set term fragment-packets from protocol igmp
set term fragment-packets from protocol pim
set term fragment-packets from protocol tcp
set term fragment-packets then count frag-attack
set term fragment-packets then log
set term fragment-packets then discard
5.
Create a term for ICMP traffic from trusted networks, which includes IPv4 error messages.
[edit]
edit firewall family inet filter RE-PROTECT
set term icmp-in from source-prefix-list trusted-networks
set term icmp-in from protocol icmp
set term icmp-in then policer limit-2m
set term icmp-in then count icmp-in
set term icmp-in then accept
9.
Create a term that controls SSH, FTP, and Telnet access to the router from the network
management systems. Telnet and FTP carry credentials in cleartext; permit them only if
the NMS actually needs them, and prefer SSH and SCP or SFTP.
[edit]
edit firewall family inet filter RE-PROTECT
set term access-in from source-prefix-list NMS
set term access-in from protocol tcp
set term access-in from port ssh
set term access-in from port ftp
set term access-in from port ftp-data
set term access-in from port telnet
set term access-in then count access-in
set term access-in then accept
10.
Create a term that accepts TACACS+ traffic (TCP) from trusted network management
systems.
[edit]
edit firewall family inet filter RE-PROTECT
set term remote-auth-tcp from source-prefix-list NMS
set term remote-auth-tcp from protocol tcp
set term remote-auth-tcp from port tacacs
set term remote-auth-tcp then count tacacs
set term remote-auth-tcp then accept
11.
Create a term that accepts RADIUS authentication and accounting traffic (UDP) from
trusted network management systems.
[edit]
edit firewall family inet filter RE-PROTECT
set term remote-auth-udp from source-prefix-list NMS
set term remote-auth-udp from protocol udp
set term remote-auth-udp from port radius
set term remote-auth-udp from port radacct
set term remote-auth-udp then count radius
set term remote-auth-udp then accept
13.
Create a term that accepts traffic sourced from and destined to the loopback address 127.0.0.1.
[edit]
edit firewall family inet filter RE-PROTECT
set term loopback-in from source-address 127.0.0.1/32
set term loopback-in from destination-address 127.0.0.1/32
set term loopback-in then count loopback-in
set term loopback-in then accept
16.
Apply the filter to all loopback interfaces at Aggregation Hub 1. A Junos firewall filter
ends in an implicit discard, so every control-plane protocol the router relies on (BGP,
OSPF, BFD, NTP, DNS, the VPN control traffic) needs an accept term before this step;
commit with commit confirmed so that a filter that locks out management is rolled back
automatically. For example:
[edit]
edit interfaces lo0 unit 0
set family inet filter input RE-PROTECT
Results
Counter output for the RE-PROTECT filter. The counter names did not survive extraction; the Bytes and Packets columns are shown in the order printed.

Counters:
Bytes       Packets
0           0
1600543     29518
375737      4618
0           0
162540      2828
4212044     22054
0           0
0           0
0           0
0           0
38850       512
0           0
22698584    138406

Policers:
Bytes       Packets
0           0
0           0
0           0
0           0
0           0
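The RE-PROTECT procedure depends on every term ending in an explicit action and on the final term dropping whatever the earlier terms did not accept. The following Python script is an added example, not part of this guide or of Junos: it lints a filter in the form that `show configuration firewall | display set` prints, reporting terms with no terminating action (Junos accepts a packet matched by a term whose then clause has only count or log, which is what the small-packets term would do if its discard were left out), references to prefix lists or policers that are not defined, and a last term that is not an unconditional discard. The sample configuration in the block, including the prefix-list contents, the limit-2m policer values and the deny-all term, is constructed for the example; parse_filter and lint are the example's own function names.

```python
"""Lint a Junos 'family inet' firewall filter given as 'set' statements.

Added example, not from the Juniper guide. Input is the form printed by
'show configuration | display set'. Checks:
  * every term has an explicit terminating action (accept/discard/reject/
    next term); a term with only count/log accepts the packet in Junos
  * every prefix-list and policer a term references is defined
  * the last term is an unconditional discard so unlisted traffic is dropped
"""
from collections import OrderedDict

TERMINATING = {"accept", "discard", "reject", "next"}
LIST_MATCHES = {"source-prefix-list", "destination-prefix-list", "prefix-list"}


def parse_filter(set_lines):
    """Return (filter_name, terms, prefix_lists, policers).

    terms maps term name -> {"from": [...], "then": [...]}, in the order the
    terms first appear, which is the order Junos evaluates them.
    """
    terms, prefix_lists, policers, name = OrderedDict(), set(), set(), None
    for line in set_lines:
        words = line.split()
        if len(words) < 4 or words[0] != "set":
            continue
        if words[1:3] == ["policy-options", "prefix-list"]:
            prefix_lists.add(words[3])
        elif words[1:3] == ["firewall", "policer"]:
            policers.add(words[3])
        elif words[1:5] == ["firewall", "family", "inet", "filter"] and len(words) > 5:
            name = words[5]
            if len(words) > 9 and words[6] == "term" and words[8] in ("from", "then"):
                term = terms.setdefault(words[7], {"from": [], "then": []})
                term[words[8]].append(words[9:])
    return name, terms, prefix_lists, policers


def lint(set_lines):
    """Return a list of findings; an empty list means the filter passed every check."""
    name, terms, prefix_lists, policers = parse_filter(set_lines)
    if name is None or not terms:
        return ["no firewall filter terms found"]
    findings = []
    for term, body in terms.items():
        actions = [a[0] for a in body["then"]]
        if not any(a in TERMINATING for a in actions):
            findings.append(f"term {term}: no terminating action, matching packets are accepted")
        for match in body["from"]:
            if match[0] in LIST_MATCHES and match[1] not in prefix_lists:
                findings.append(f"term {term}: prefix-list {match[1]} is not defined")
        for action in body["then"]:
            if action[0] == "policer" and action[1] not in policers:
                findings.append(f"term {term}: policer {action[1]} is not defined")
    last = list(terms)[-1]
    if terms[last]["from"] or "discard" not in [a[0] for a in terms[last]["then"]]:
        findings.append(f"filter {name}: last term {last} is not an unconditional discard")
    return findings


# Constructed sample: the small-packets term as printed without its discard,
# a complete fragment term, an ICMP term, an access term whose NMS prefix list
# was never defined, and a catch-all discard. Prefix and policer values are
# made up for the example.
SAMPLE = """
set policy-options prefix-list trusted-networks 172.16.0.0/12
set firewall policer limit-2m if-exceeding bandwidth-limit 2m
set firewall policer limit-2m if-exceeding burst-size-limit 15k
set firewall policer limit-2m then discard
set firewall family inet filter RE-PROTECT interface-specific
set firewall family inet filter RE-PROTECT term small-packets from packet-length 0-24
set firewall family inet filter RE-PROTECT term small-packets then count small-packet-attack
set firewall family inet filter RE-PROTECT term fragment-packets from fragment-offset-except 0
set firewall family inet filter RE-PROTECT term fragment-packets then count frag-attack
set firewall family inet filter RE-PROTECT term fragment-packets then log
set firewall family inet filter RE-PROTECT term fragment-packets then discard
set firewall family inet filter RE-PROTECT term icmp-in from source-prefix-list trusted-networks
set firewall family inet filter RE-PROTECT term icmp-in from protocol icmp
set firewall family inet filter RE-PROTECT term icmp-in then policer limit-2m
set firewall family inet filter RE-PROTECT term icmp-in then count icmp-in
set firewall family inet filter RE-PROTECT term icmp-in then accept
set firewall family inet filter RE-PROTECT term access-in from source-prefix-list NMS
set firewall family inet filter RE-PROTECT term access-in then accept
set firewall family inet filter RE-PROTECT term deny-all then count discard-all
set firewall family inet filter RE-PROTECT term deny-all then log
set firewall family inet filter RE-PROTECT term deny-all then discard
""".strip().splitlines()


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Run it against the real configuration by piping `show configuration firewall | display set` together with `show configuration policy-options | display set` into the script; the prefix-list definitions have to be included or every prefix-list reference is reported as undefined.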
Configuring Routing Engine Protection on the WAN Aggregation Router on Aggregation Hub 1
Configuring Prefix Lists for Routing Engine Protection on the WAN Aggregation
Router on page 232
Configuring Firewall Filters Used for Routing Engine Protection on the WAN
Aggregation Router on Aggregation Hub 1 on page 233
Configuring Policers for Routing Engine Protection on Aggregation Hub 2 on page 237
Configuring Prefix Lists for Routing Engine Protection on the WAN Aggregation
Router
Step-by-Step
Procedure
Create a set of prefix lists to be used in the firewall filters that are set up for Routing
Engine protection. These prefix lists specify trusted IP subnets and addresses for different
types of traffic. Only traffic received from these addresses is accepted by the filters used
for Routing Engine protection.
Configuring Firewall Filters Used for Routing Engine Protection on the WAN
Aggregation Router on Aggregation Hub 1
Step-by-Step
Procedure
To secure the Routing Engine against network attacks, we are using a firewall filter. The
filter is used to prevent small packet attacks, fragment attacks, and denial of service
(DoS) attacks from specific protocols such as ICMP, BGP, OSPF, SNMP, UDP, and TCP.
The filter accepts traffic only from trusted sources, and it discards all other traffic. The
filter also includes a policer that applies rate limits to the traffic that is accepted by the
filter.
Because loopback interfaces are a link to the Routing Engine, we will apply the firewall
filter to loopback interfaces at the aggregation hub, which means that the filter is applied
to traffic destined for the router control plane and not to transit traffic.
In addition to specifying traffic that is accepted, we are counting packets received from
different sources, and in some cases logging traffic. You can use counters and logs to
check that the filter is working as expected and to detect unusual amounts of certain
types of traffic.
2.
Create a firewall filter, and specify that counters defined in the filter are interface
specific.
[edit]
edit firewall family inet filter RE-PROTECT
set interface-specific
3.
Configure a term that prevents small packet attacks. It counts, logs, and discards
packets with a length of 0 through 24.
[edit]
edit firewall family inet filter RE-PROTECT
set term small-packets from packet-length 0-24
set term small-packets then count small-packet-attack
set term small-packets then log
set term small-packets then discard
4.
Configure a term that prevents fragment attacks. It counts, logs, and discards
packets that have a fragment offset.
[edit]
edit firewall family inet filter RE-PROTECT
set term fragment-packets from fragment-offset-except 0
set term fragment-packets from protocol icmp
set term fragment-packets from protocol igmp
set term fragment-packets from protocol pim
set term fragment-packets from protocol tcp
set term fragment-packets then count frag-attack
set term fragment-packets then log
set term fragment-packets then discard
5.
Create a term for ICMP traffic, which includes IPv4 error messages.
[edit]
edit firewall family inet filter RE-PROTECT
set term icmp-in from source-prefix-list trusted-networks
set term icmp-in from protocol icmp
set term icmp-in then policer limit-2m
set term icmp-in then count icmp-in
set term icmp-in then accept
11.
Create a term that controls SNMP access from trusted network management
systems.
[edit]
edit firewall family inet filter RE-PROTECT
set term snmp-in from source-prefix-list trusted-networks
set term snmp-in from source-prefix-list NMS
set term snmp-in from protocol udp
set term snmp-in from port snmp
set term snmp-in then policer limit-2m
set term snmp-in then count snmp-in
set term snmp-in then accept
12.
Create a term that controls SSH, FTP, and Telnet access to the router from the network
management systems.
[edit]
edit firewall family inet filter RE-PROTECT
set term access-in from source-prefix-list NMS
set term access-in from protocol tcp
set term access-in from port ssh
set term access-in from port ftp
set term access-in from port ftp-data
set term access-in from port telnet
set term access-in then count access-in
set term access-in then accept
13.
Create a term that accepts TACACS+ traffic (TCP) from trusted network management
systems.
[edit]
edit firewall family inet filter RE-PROTECT
set term remote-auth-tcp from source-prefix-list NMS
set term remote-auth-tcp from protocol tcp
set term remote-auth-tcp from port tacacs
set term remote-auth-tcp then count tacacs
set term remote-auth-tcp then accept
14.
Create a term that accepts RADIUS authentication and accounting traffic (UDP) from
trusted network management systems.
[edit]
edit firewall family inet filter RE-PROTECT
set term remote-auth-udp from source-prefix-list NMS
set term remote-auth-udp from protocol udp
set term remote-auth-udp from port radius
set term remote-auth-udp from port radacct
set term remote-auth-udp then count radius
set term remote-auth-udp then accept
15.
Create a term that accepts traffic sourced from and destined to the loopback address 127.0.0.1.
[edit]
edit firewall family inet filter RE-PROTECT
set term loopback-in from source-address 127.0.0.1/32
set term loopback-in from destination-address 127.0.0.1/32
set term loopback-in then count loopback-in
set term loopback-in then accept
18.
Apply the filter to all loopback interfaces on the WAN aggregation router. For
example:
[edit]
edit interfaces lo0 unit 0
set family inet filter input RE-PROTECT
Results
Counter output for the RE-PROTECT filter. The counter names and the Bytes column did not survive extraction; the Packets column is shown in the order printed:
0, 0, 41, 2, 0, 0, 1, 0, 14, 38, 5, 0, 0, 0, 0, 277

Policers:
Name                             Bytes    Packets
limit-2m-IPsec-lo0.2-i           0        0
limit-2m-bgp-in-lo0.2-i          0        0
limit-2m-icmp-in-lo0.2-i         0        0
limit-2m-msdp-lo0.2-i            0        0
limit-2m-ospf-in-lo0.2-i         748      1
limit-2m-pim-lo0.2-i             0        0
limit-2m-snmp-in-lo0.2-i         0        0
limit-2m-udp-services-lo0.2-i    0        0

Only the OSPF policer has fired (one 748-byte packet); none of the other rate limits is clipping accepted control-plane traffic.
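The counters and policers above only detect anything if someone compares them over time. The following Python script is an added example, not part of this guide: it parses two snapshots of `show firewall filter RE-PROTECT` output (the standard Junos layout with Counters and Policers sections and Name/Bytes/Packets columns is assumed), computes the per-counter packet delta, and flags attack counters that moved, policers that dropped anything, counters that went backwards (cleared or rebooted), and accepted traffic above a packets-per-second threshold. The two snapshots, the discard-all counter name and the interface-specific suffix -lo0.0-i are constructed for the example; parse_show_firewall, packet_deltas and findings are the example's own names.

```python
"""Diff two 'show firewall filter <name>' snapshots and flag what moved.

Added example, not from the Juniper guide. Assumes the usual Junos layout:
a 'Filter:' line, then 'Counters:' and 'Policers:' sections with
Name/Bytes/Packets rows. Interface-specific names carry a suffix such as
'-lo0.0-i', which is stripped before matching a counter to its role.
"""
import re

ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")
IFACE_SUFFIX = re.compile(r"-[a-z]+-?\d+(?:/\d+/\d+)?\.\d+-[io]$")

# Counters that should stay flat on a healthy router: they count attack-shaped
# packets or the catch-all discard. Names are assumed to match the RE-PROTECT
# terms on this page plus a final 'discard-all' counter.
ATTACK_COUNTERS = {"small-packet-attack", "frag-attack", "discard-all"}


def parse_show_firewall(text):
    """Return {"counters": {name: (bytes, packets)}, "policers": {...}}."""
    parsed = {"counters": {}, "policers": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Counters:"):
            section = "counters"
        elif line.startswith("Policers:"):
            section = "policers"
        elif section and not line.startswith("Name"):
            m = ROW.match(line)
            if m:
                parsed[section][m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return parsed


def packet_deltas(before, after):
    """Packets added per (section, name) between two parsed snapshots."""
    deltas = {}
    for section in ("counters", "policers"):
        for name, (_, packets) in after[section].items():
            deltas[(section, name)] = packets - before[section].get(name, (0, 0))[1]
    return deltas


def findings(before_text, after_text, interval_s, max_pps=10.0):
    """Return sorted (section, name, packets, pps) tuples that deserve a look:
    a policer that dropped anything, an attack counter that moved, a counter
    that went backwards, or any counter above max_pps."""
    deltas = packet_deltas(parse_show_firewall(before_text), parse_show_firewall(after_text))
    alerts = []
    for (section, name), packets in deltas.items():
        pps = packets / interval_s
        role = IFACE_SUFFIX.sub("", name)
        if packets < 0 or (section == "policers" and packets > 0) \
                or (role in ATTACK_COUNTERS and packets > 0) or pps > max_pps:
            alerts.append((section, name, packets, pps))
    return sorted(alerts)


# Constructed snapshots taken 60 seconds apart.
BEFORE = """
Filter: RE-PROTECT-lo0.0-i
Counters:
Name                                                Bytes              Packets
access-in-lo0.0-i                                 1600543                29518
frag-attack-lo0.0-i                                     0                    0
icmp-in-lo0.0-i                                    375737                 4618
small-packet-attack-lo0.0-i                             0                    0
discard-all-lo0.0-i                                 38850                  512
Policers:
Name                                                Bytes              Packets
limit-2m-icmp-in-lo0.0-i                                0                    0
limit-2m-ospf-in-lo0.0-i                                0                    0
"""
AFTER = """
Filter: RE-PROTECT-lo0.0-i
Counters:
Name                                                Bytes              Packets
access-in-lo0.0-i                                 1601543                29538
frag-attack-lo0.0-i                                 12000                  300
icmp-in-lo0.0-i                                    375837                 4620
small-packet-attack-lo0.0-i                             0                    0
discard-all-lo0.0-i                                 40000                  540
Policers:
Name                                                Bytes              Packets
limit-2m-icmp-in-lo0.0-i                            74800                  100
limit-2m-ospf-in-lo0.0-i                              748                    1
"""

if __name__ == "__main__":
    for section, name, packets, pps in findings(BEFORE, AFTER, 60):
        print(f"{section:9} {name:32} +{packets:6d} pkts  {pps:8.2f} pps")
```

In practice the two snapshots come from the same command run by a poller; because the filter is interface-specific, the suffix also tells you which loopback unit (and therefore which routing instance) the traffic hit.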
1.
Create the management-1m policer. As its name and the description imply, this policer
is meant to restrict traffic to 1 Mbps and discard any packets that exceed that limit.
Note that the statements shown set bandwidth-limit 100m (100 Mbps) and
burst-size-limit 3m (3 million bytes), the same values as the management-5m policer
below, so set the bandwidth-limit to the rate you actually intend. This policer is
applied to protocols such as NTP, traceroute, RADIUS, TACACS+, and Telnet, which do
not require high throughput and so are good candidates for a low limit:
[edit]
edit firewall policer management-1m
set if-exceeding bandwidth-limit 100m
set if-exceeding burst-size-limit 3m
set then discard
2.
Configure a prefix-specific policing and counting action that references the policer
and indexes on part of the address prefix. With subnet-prefix-length 24 and an indexed
prefix length of 32, each of the 256 host addresses in the matched /24 gets its own
policer and counter, so one noisy host cannot exhaust the allowance for the rest.
filter-specific means that all filter terms that reference the prefix-specific action
share the same set of policers and counters. The statements shown index on the
destination address; to index on the source address, as the description intends, use
source-prefix-length 32 in place of destination-prefix-length 32. The management-5m
policer referenced here is created in step 4; Junos resolves the reference at commit, so
both must be present in the same commit.
[edit]
edit firewall family inet prefix-action management-high-police-set
set policer management-5m
set count
set filter-specific
set subnet-prefix-length 24
set destination-prefix-length 32
3.
Configure a second prefix-specific policing and counting action in the same way, this
time referencing the management-1m policer, indexed per host address within a /24 and
shared by all terms that reference it.
[edit]
edit firewall family inet prefix-action management-police-set
set policer management-1m
set count
set filter-specific
set subnet-prefix-length 24
set destination-prefix-length 32
4.
Create the management-5m policer, which discards traffic that exceeds a bandwidth of
100 Mbps or a burst size of 3 million bytes.
[edit]
edit firewall policer management-5m
set if-exceeding bandwidth-limit 100m
set if-exceeding burst-size-limit 3m
set then discard
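What bandwidth-limit, burst-size-limit and the two prefix lengths of a prefix-action actually do is easier to see in a model. The following Python class is an added example and not Juniper code: it treats a Junos policer as a token bucket that refills at bandwidth-limit and holds at most burst-size-limit bytes, with one bucket per address index as a prefix-action with count and policer provides (decimal k and m are assumed for both limits, and the bucket model is an assumption about Junos behaviour, not a documented algorithm). The demo runs the management-1m policer at the 1 Mbps its name implies and compares it with the 100 Mbps shown in the statements above, using constructed addresses in 172.16.1.0/24; PrefixPolicer, demo and refill_after_drain are names the example introduces.

```python
"""Model a Junos policer referenced from a prefix-action, one token bucket per
indexed address.

Added example, not from the Juniper guide. Modelling assumptions: the policer
is a token bucket whose refill rate is bandwidth-limit (bits per second) and
whose depth is burst-size-limit (bytes); 'm' means 1,000,000 for both. The
prefix-action picks the bucket from the address bits between
subnet-prefix-length and the indexed prefix length, so a /24 subnet indexed at
/32 yields 256 independent policer/counter pairs.
"""
import ipaddress


class PrefixPolicer:
    def __init__(self, bandwidth_bps, burst_bytes, subnet_prefix_length, indexed_prefix_length):
        if not subnet_prefix_length < indexed_prefix_length <= 32:
            raise ValueError("indexed prefix length must lie between the subnet length and 32")
        self.rate = bandwidth_bps / 8.0                      # bytes refilled per second
        self.depth = float(burst_bytes)                      # bucket depth in bytes
        self.shift = 32 - indexed_prefix_length              # host bits ignored by the index
        self.mask = (1 << (indexed_prefix_length - subnet_prefix_length)) - 1
        self.buckets = {}                                    # index -> (tokens, last_time)
        self.accepted = {}                                   # index -> bytes passed (the 'count')
        self.discarded = {}                                  # index -> bytes dropped

    @property
    def instances(self):
        """How many policer/counter pairs the prefix-action allocates."""
        return self.mask + 1

    def index(self, addr):
        """Bucket chosen for an address: only the bits inside the subnet matter."""
        return (int(ipaddress.IPv4Address(addr)) >> self.shift) & self.mask

    def police(self, addr, size, now):
        """True if a packet of `size` bytes from `addr` at time `now` (seconds) passes."""
        i = self.index(addr)
        tokens, last = self.buckets.get(i, (self.depth, now))
        tokens = min(self.depth, tokens + (now - last) * self.rate)
        if size <= tokens:
            self.buckets[i] = (tokens - size, now)
            self.accepted[i] = self.accepted.get(i, 0) + size
            return True
        self.buckets[i] = (tokens, now)
        self.discarded[i] = self.discarded.get(i, 0) + size
        return False


def demo():
    """management-1m as its name implies (1 Mbps, 3 MB burst), indexed per host in a /24."""
    p = PrefixPolicer(1_000_000, 3_000_000, 24, 32)
    # Host .5 sends 1500-byte packets back to back at t=0: exactly 2000 fit in
    # the 3,000,000-byte burst and the 2001st is discarded ...
    burst = [p.police("172.16.1.5", 1500, 0.0) for _ in range(2001)]
    # ... while host .6 has its own untouched bucket.
    neighbour_ok = p.police("172.16.1.6", 1500, 0.0)
    # One second later the bucket has refilled 125,000 bytes: 83 more packets pass.
    after_1s = sum(p.police("172.16.1.5", 1500, 1.0) for _ in range(100))
    return p.instances, burst.count(True), burst[-1], neighbour_ok, after_1s


def refill_after_drain(bandwidth_bps, seconds):
    """1500-byte packets that pass `seconds` after one host drained its 3 MB bucket."""
    p = PrefixPolicer(bandwidth_bps, 3_000_000, 24, 32)
    for _ in range(2000):
        p.police("172.16.1.5", 1500, 0.0)
    return sum(p.police("172.16.1.5", 1500, seconds) for _ in range(2500))


if __name__ == "__main__":
    print(demo())
    print(refill_after_drain(1_000_000, 1.0), refill_after_drain(100_000_000, 1.0))
```

Two things the model makes visible: at the 100 Mbps written in the statements the bucket is full again one second after being drained, so the policer never limits a single host to anything like 1 Mbps; and the index is built only from the low address bits, so a host in another /24 with the same last octet would share a bucket, which is why the filter term that references the prefix-action must match exactly the /24 the action was sized for.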
Configuring Firewall Filters Used on Loopback Interfaces for Routing Engine Protection
at Aggregation Hub 2 on page 239
Configuring Policers for Routing Engine Protection on Aggregation Hub 2 on page 243
Create a set of prefix lists to be used in the firewall filters that are set up for Routing
Engine protection. These prefix lists specify trusted IP subnets and addresses for different
types of traffic. Only traffic received from these addresses is accepted by the filters used
for Routing Engine protection.
To secure the Routing Engine against network attacks, we are using a firewall filter. The
filter is used to prevent small packet attacks, fragment attacks, and denial of service
(DoS) attacks from specific protocols such as ICMP, BGP, OSPF, SNMP, UDP, and TCP. The
filter accepts traffic only from trusted sources, and it discards all other traffic. The
filter also includes policers that apply rate limits to the traffic that is accepted by
the filter.
Because loopback interfaces are a link to the Routing Engine, we will apply the firewall
filter to loopback interfaces at the aggregation hub, which means that the filter is applied
to traffic destined for the router control plane and not to transit traffic.
In addition to specifying traffic that is accepted, we are counting packets received from
different sources, and in some cases logging traffic. You can use counters and logs to
check that the filter is working as expected and to detect unusual amounts of certain
types of traffic.
2.
Create a firewall filter, and specify that counters defined in the filter are interface
specific.
[edit]
edit firewall family inet filter RE-PROTECT
set interface-specific
7.
Create a term that accepts OSPF traffic from trusted OSPF neighbors.
[edit]
edit firewall family inet filter RE-PROTECT
set term ospf-in from source-prefix-list trusted-ospf-neighbor
set term ospf-in from protocol ospf
set term ospf-in then policer limit-2m
set term ospf-in then count ospf-in
set term ospf-in then accept
10.
Create a term for ICMP traffic, which includes IPv4 error messages.
[edit]
edit firewall family inet filter RE-PROTECT
set term icmp-in from source-prefix-list trusted-networks
set term icmp-in from protocol icmp
set term icmp-in then policer limit-2m
set term icmp-in then count icmp-in
set term icmp-in then accept
11.
Create a term that controls SSH, FTP, and Telnet access to the router.
[edit]
edit firewall family inet filter RE-PROTECT
set term access-in from source-prefix-list NMS
set term access-in from protocol tcp
set term access-in from port ssh
set term access-in from port ftp
set term access-in from port ftp-data
set term access-in from port telnet
set term access-in then count access-in
set term access-in then accept
12.
Create a term that accepts TACACS+ traffic (TCP) from trusted network management
systems.
[edit]
edit firewall family inet filter RE-PROTECT
set term remote-auth-tcp from source-prefix-list NMS
set term remote-auth-tcp from protocol tcp
set term remote-auth-tcp from port tacacs
set term remote-auth-tcp then count tacacs
set term remote-auth-tcp then accept
13.
Create a term that accepts RADIUS authentication and accounting traffic (UDP) from
trusted network management systems.
[edit]
edit firewall family inet filter RE-PROTECT
set term remote-auth-udp from source-prefix-list NMS
set term remote-auth-udp from protocol udp
set term remote-auth-udp from port radius
set term remote-auth-udp from port radacct
set term remote-auth-udp then count radius
set term remote-auth-udp then accept
15.
Create a term that accepts traffic sourced from and destined to the loopback address 127.0.0.1.
[edit]
edit firewall family inet filter RE-PROTECT
set term loopback-in from source-address 127.0.0.1/32
set term loopback-in from destination-address 127.0.0.1/32
set term loopback-in then count loopback-in
set term loopback-in then accept
[edit]
commit
Results
Counter output for the RE-PROTECT filter. The counter names did not survive extraction; the Bytes and Packets columns are shown in the order printed.

Counters:
Bytes    Packets
0        0
0        0
2151     41
163      2
0        0
0        0
241      1
0        0
988      14
23064    38
270      5
0        0
0        0
0        0
0        0
20228    277

Policers:
Name                             Bytes    Packets
limit-2m-IPsec-lo0.2-i           0        0
limit-2m-bgp-in-lo0.2-i          0        0
limit-2m-icmp-in-lo0.2-i         0        0
limit-2m-msdp-lo0.2-i            0        0
limit-2m-ospf-in-lo0.2-i         748      1
limit-2m-pim-lo0.2-i             0        0
limit-2m-snmp-in-lo0.2-i         0        0
limit-2m-udp-services-lo0.2-i    0        0
1.
Create the management-1m policer, which discards traffic that exceeds a bandwidth of
100 Mbps or a burst size of 3 million bytes. These are the same values as the
management-5m policer below; set the bandwidth-limit to the rate the policer name
implies.
[edit]
edit firewall policer management-1m
set if-exceeding bandwidth-limit 100m
set if-exceeding burst-size-limit 3m
set then discard
2.
Configure a prefix-specific action that references the policer and indexes on part of
a source address prefix. Specify the prefix range on which IPv4 addresses are to be
indexed to the counter and policer set.
3.
Create the management-5m policer, which discards traffic that exceeds a bandwidth of
100 Mbps or a burst size of 3 million bytes.
[edit]
edit firewall policer management-5m
set if-exceeding bandwidth-limit 100m
set if-exceeding burst-size-limit 3m
set then discard
4.
Configure a prefix-specific action that references the policer and indexes on part of
the address prefix. With subnet-prefix-length 24 and an indexed prefix length of 32,
each host address in the matched /24 gets its own policer and counter.
filter-specific means that all filter terms that reference the prefix-specific action
share the same set of policers and counters.
[edit]
edit firewall family inet prefix-action management-high-police-set
set policer management-5m
set count
set filter-specific
set subnet-prefix-length 24
set destination-prefix-length 32
CHAPTER 10
Two 10-Gigabit Ethernet LAN/WAN PIC with SFP (10x 1GE(LAN) SFP)
Overview
This design is a small branch with a single router that connects to the aggregation hub
over leased lines (Figure 71 on page 246).
The leased line WAN transport can be either T3 leased lines or Ethernet leased lines.
The scenario describes how to configure both types of leased lines.
The private routing protocol used on the WAN transport is a choice of IBGP or OSPF
over the leased line to the aggregation hub.
With OSPF, the branch uses the default route received over the leased line interfaces
to reach the WAN aggregation hub.
All traffic sent from the branch (to the data center, the Internet, or other branches)
uses the 0.0.0.0/0 route received over the leased line interface.
CoS scheduling and shaping is applied to the leased line interface at the branch.
Topology
Configuration Overview
Step-by-Step
Procedure
Before you configure this scenario, configure the base configuration at aggregation hub 1.
Then complete the following:
Configuring OSPF Routing for the WAN Transport on the WAN Aggregation Router at
Aggregation Hub 1 on page 250
Configuring IBGP Routing for the WAN Transport on the WAN Aggregation Router at
Aggregation Hub 1 on page 251
Configuring BGP Link-Level High Availability for the WAN Transport on the WAN
Aggregation Router at Aggregation Hub 1 on page 252
Configuring OSPF Link-Level High Availability for the WAN Transport on the WAN
Aggregation Router at Aggregation Hub 1 on page 253
1.
no-partition option for the sublevel interface type to t3. A clear channel
[edit]
edit interfaces t3-1/0/1:1
set dce
set encapsulation frame-relay
set unit 0 point-to-point
set unit 0 dlci 101
[edit]
edit interfaces ct3-1/0/1:2
set partition 1-28 interface-type t1
[edit]
edit interfaces ct3-1/0/1:3
set partition 1-28 interface-type t1
b. Create the T1 interface.
[edit]
edit interfaces t1-1/0/1:2:1
set no-keepalives
set encapsulation cisco-hdlc
set t1-options fcs 32
set unit 0 family inet address 172.16.100.1/24
Configuring OSPF Routing for the WAN Transport on the WAN Aggregation Router
at Aggregation Hub 1
Step-by-Step
Procedure
If you are using OSPF as your routing protocol, follow this procedure.
1.
If you are using T3 leased lines, configure the OSPF area for the IPv4 transport to
the branch. The key is shown in Junos $9$ format, which is reversible obfuscation
rather than a hash, so treat the configuration file itself as sensitive:
[edit]
edit protocols ospf area 0.0.0.6
set stub default-metric 10
set stub no-summaries
set interface t3-1/0/1:1.0 interface-type p2p
set interface t3-1/0/1:1.0 authentication md5 0 key "$9$LrL7dwoJU.PTApv8X7bwmP5"
2.
If you are using Ethernet leased lines, configure the OSPF area for the transport to
the branch:
[edit]
edit protocols ospf area 0.0.0.6
set stub default-metric 10
set stub no-summaries
set interface ge-1/0/1.0 authentication md5 0 key "$9$LrL7dwoJU.PTApv8X7bwmP5"
3.
If you are using T3 leased lines, configure the OSPFv3 area for the IPv6 transport
to the branches:
[edit]
If you are using Ethernet leased lines, configure the OSPFv3 area for the IPv6
transport to the branches:
[edit]
edit protocols ospf3 area 0.0.0.6
set stub default-metric 10
set stub no-summaries
set interface ge-1/0/0.0 interface-type p2p
Configuring IBGP Routing for the WAN Transport on the WAN Aggregation Router
at Aggregation Hub 1
Step-by-Step
Procedure
If you are using BGP as your routing protocol, follow this procedure.
Configure IBGP groups for peering between the WAN aggregation router at the hub and
the branch. The policies have already been configured in the Aggregation Hub 1 base
configuration.
1.
Configure an IBGP peer group for IPv4 traffic for leased line branches.
The ADV_DEFAULT and the DENY_ALL policies cause BGP to advertise only the
default route to the branch. It prevents the branch from receiving advertisements
for routes to other branches.
The cluster statement causes the IBGP peer at the aggregation hub to act as a BGP
route reflector.
Instead of configuring a neighbor for each branch, we are using the allow statement,
which allows all peers in 172.17.0.0/16. Because allow accepts a session from any
address in that range, pair it with an authentication-key on the group (TCP MD5, as
the branch side configures on its neighbor statement) so that only routers holding the
key can establish a session.
[edit]
edit protocols bgp group To_LL_Branches
set type internal
set passive
set out-delay 150
set family inet unicast
set export ADV_DEFAULT
set export DENY_ALL
set cluster 0.0.0.9
set allow 172.17.0.0/16
set neighbor 172.19.1.6
set neighbor 172.19.1.10
2.
Configure an IBGP peer group for IPv6 traffic for all leased line branches.
The ADV_DEFAULT6 policy causes BGP to advertise only the default route to the
branch.
The cluster statement causes the IBGP peer at the aggregation hub to act as a BGP
route reflector.
Instead of configuring a neighbor for each branch, we are using the allow statement,
which allows all peers in fc00::/8.
[edit]
edit protocols bgp group To_LL_Branches-V6
set type internal
set passive
set out-delay 150
set family inet6 unicast
set export ADV_DEFAULT6
set export DENY_ALL
set cluster 0.0.0.10
set allow fc00::/8
Configuring BGP Link-Level High Availability for the WAN Transport on the WAN
Aggregation Router at Aggregation Hub 1
Step-by-Step
Procedure
We are using BFD with BGP to detect link failures over the leased lines.
Set the minimum transmit and receive interval for failure detection. This interval is the
minimum time between the hello packets the local routing device transmits and the
minimum interval at which it expects to receive hello packets from the neighbor with
which it has established a BFD session.
Set the detection multiplier, which is the number of consecutive hello packets that can
be missed before the BFD session, and with it the routing adjacency over that interface,
is declared down.
Configuring OSPF Link-Level High Availability for the WAN Transport on the WAN
Aggregation Router at Aggregation Hub 1
Step-by-Step
Procedure
We are using the BFD protocol with OSPF to detect link failures over the leased lines.
Set the minimum transmit and receive interval for failure detection. This interval is the
minimum time between the hello packets the local routing device transmits and the
minimum interval at which it expects to receive hello packets from the neighbor with
which it has established a BFD session.
Set the detection multiplier, which is the number of consecutive hello packets that can
be missed before the BFD session, and with it the routing adjacency over that interface,
is declared down.
1.
If you are using T3 interfaces, in OSPF area 0.0.0.6, add BFD liveness detection to
the T3 interface.
[edit]
edit protocols ospf area 0.0.0.6
set interface t3-1/0/1:1.0 bfd-liveness-detection minimum-interval 200
set interface t3-1/0/1:1.0 bfd-liveness-detection multiplier 3
2.
If you are using Ethernet interfaces, in OSPF area 0.0.0.6, add BFD liveness detection
to the Ethernet interface.
[edit]
edit protocols ospf area 0.0.0.6
set interface ge-1/0/0.0 bfd-liveness-detection minimum-interval 200
set interface ge-1/0/0.0 bfd-liveness-detection multiplier 3
2.
Create the loopback interface to the WAN aggregation router on aggregation hub 1.
[edit]
edit interfaces lo0 unit 1
set description "--- Leased-Line Branch ---"
set family inet filter input RE-PROTECTION
set family inet address 172.16.5.255/32
set family inet6 address fec0:16:5::255/128
Results
Local                          Remote
172.16.5.2/30
fe80::5e5e:ab10:e:456f/64
fec0:16:5:1::2/64
2.
Create the loopback interface to the WAN aggregation router on aggregation hub 1.
[edit]
edit interfaces lo0 unit 1
set description "--- Leased-Line Branch ---"
set family inet filter input RE-PROTECTION
set family inet address 172.16.5.255/32
set family inet6 address 2001:DB8:5::255/128
Results
Local                          Remote
172.16.5.2/30
fe80::5e5e:abff:fe0e:4505/64
fec0:16:5:1::2/64
Configuring OSPF Routing for the WAN Transport on the Branch Router
Step-by-Step
Procedure
If you are using OSPF to route traffic over the WAN transport from the branch to the
aggregation hub, use this procedure.
We are configuring the OSPF areas as stub areas to prevent advertisement of routes to
other branches.
For security, MD5 authentication of OSPF protocol exchanges ensures that only routing
devices holding the shared key participate in the AS's routing.
1.
Configure OSPF.
a. Create OSPF area 0.0.0.6.
[edit]
edit protocols ospf area 0.0.0.6
b. Specify that the area is a stub area to prevent routes in the branch LAN from
2.
Configure OSPFv3.
a. Create area 0.0.0.6. This area is used on the branch LAN and on the leased line
transport.
[edit protocols ospf3]
edit area 0.0.0.6
b. Specify that the area is a stub area.
[edit protocols ospf3 area 0.0.0.6]
set stub
c. Add the leased line interface to the area.
[edit]
commit
Results
This procedure displays the output for T3 leased lines. Use the same procedure to verify
Ethernet leased lines.
1. Verify the OSPF neighbor on the leased line interface. Only the State, ID, Pri and Dead columns survived extraction:
State   ID             Pri   Dead
Full    172.31.255.2   128   31
A second neighbor entry (Pri 128, Dead 32) followed it.
4. Verify the routes learned from OSPFv3 over the leased line interfaces from the
aggregation hub.
user@branch> show route protocol ospf3
inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)
inet6.0: 17 destinations, 21 routes (17 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
::/0
2001:DB8:5:1::/64
ff02::5/128
If you are using BGP to route traffic over the WAN transport from the branch to the
aggregation hub, use this procedure.
4.
Configure a policy that is used to control IPv4 routes that are advertised to the
aggregation hub.
This policy prevents the default static route from being advertised, and assigns the
next hop for routes learned by other protocols to next-hop self, which causes the
loopback address of the branch router to be advertised as the next-hop address.
[edit]
edit policy-options policy-statement BRANCH-PREFIX
set term block-default from route-filter 0.0.0.0/0 exact
set term block-default then reject
set term branch from protocol ospf
set term branch from protocol direct
set term branch then next-hop self
set term branch then accept
set term 2 then reject
5.
Configure a policy that is used to control IPv6 routes that are advertised to the
aggregation hub.
This policy prevents the default static route from being advertised and allows OSPF
and direct routes to be advertised.
[edit]
Configure an IPv4 IBGP peer group, and add the remote end of the leased line at
the aggregation hub (172.16.5.1).
The ACCEPT_DEFAULT import policy accepts only the default route from the hub,
which prevents routes from other branches from being distributed to the branch.
The BRANCH-PREFIX export policy controls default route advertisement to the
hub. It prevents default routes learned by another protocol from being advertised
to the hub, and causes the loopback address of the branch router to be advertised
to the hub as the next hop.
[edit]
edit protocols bgp group IBGPoLL
set type internal
set import ACCEPT_DEFAULT
set family inet unicast
set export BRANCH-PREFIX
set neighbor 172.16.5.1 authentication-key "$9$BlaRcrWL7s2ok.pO1RyrY24"
7.
Configure an IPv6 IBGP peer group to the remote end of the leased line.
The ACCEPT_DEFAULT-V6 import policy accepts only the default route from the
hub, which prevents routes from other branches from being distributed to the branch.
The BRANCH-PREFIX-V6 export policy controls default route advertisement to the
hub. It prevents default routes learned by another protocol from being advertised
to the hub.
[edit]
edit protocols bgp group IBGPoLL-H2-V6
set type internal
set import ACCEPT_DEFAULT-V6
set family inet6 unicast
set export BRANCH-PREFIX-V6
set neighbor fec0:16:2:4::1 authentication-key "$9$JxUiqTznp01evgaZUkqu0B"
Results
Verify IBGP.
Configuring OSPF Routing for the LAN Transport on the Branch Router
Step-by-Step
Procedure
If you are using OSPF as the routing protocol for the branch, use this procedure.
1.
Add the branch LAN interfaces as passive interfaces to the branch OSPF area.
A passive interface is one for which the address information is advertised as an
internal route in OSPF, but on which the protocol does not run.
[edit]
edit protocols ospf area 0.0.0.6
set interface ge-1/2/9.45 passive
set interface ge-1/2/9.55 passive
set interface ge-1/2/9.65 passive
Results
OSPF route table on the branch. The prefix line of the first entry did not survive extraction:

Prefix            Path Type   Route Type   NH Type   Metric   NextHop Interface   Nexthop Address/LSP
(prefix not recovered)
  area 0.0.0.6, origin 172.16.5.255, priority medium
172.16.5.8/30     Intra       Network      IP        1        ge-1/2/9.45
  area 0.0.0.6, origin 172.16.5.255, priority low
172.16.5.12/30    Intra       Network      IP        1        ge-1/2/9.55
  area 0.0.0.6, origin 172.16.5.255, priority low
172.16.5.16/30    Intra       Network      IP        1        ge-1/2/9.65
  area 0.0.0.6, origin 172.16.5.255, priority low
172.16.5.255/32   Intra       Network      IP        0        lo0.1
  area 0.0.0.6, origin 172.16.5.255, priority low
Results
PIM neighbor output; only the Option column survived extraction:
Option
HPLGT
HPLGT
2. Verify that groups are established with upstream interfaces to the hub (t3-1/0/0) and
1.
Configure classifiers.
a. Configure DSCP behavior aggregate (BA) classifiers for IPv4.
[edit]
edit class-of-service classifiers dscp DSCP-BA
set forwarding-class Best_Effort loss-priority medium-high code-points be
set forwarding-class Video loss-priority low code-points af41
set forwarding-class Video loss-priority low code-points af42
set forwarding-class Voice loss-priority low code-points ef
set forwarding-class Network_Control loss-priority low code-points cs7
set forwarding-class Network_Control loss-priority low code-points cs6
set forwarding-class Scavenger loss-priority high code-points cs1
set forwarding-class Bulk_Data loss-priority medium-high code-points af11
set forwarding-class Bulk_Data loss-priority medium-high code-points af12
set forwarding-class Critical_Data loss-priority medium-low code-points af21
set forwarding-class Critical_Data loss-priority medium-low code-points af22
b. Configure DSCP BA classifiers for IPv6.
[edit]
edit class-of-service classifiers dscp-ipv6 DSCP-BA
set forwarding-class Best_Effort loss-priority high code-points be
set forwarding-class Video loss-priority low code-points af41
set forwarding-class Video loss-priority low code-points af42
set forwarding-class Voice loss-priority low code-points ef
set forwarding-class Network_Control loss-priority low code-points cs6
[edit]
edit class-of-service forwarding-classes
set queue 0 Best_Effort
set queue 1 Scavenger
set queue 2 Bulk_Data
set queue 3 Critical_Data
set queue 4 Video
set queue 5 Voice
set queue 6 Network_Control
2.
Configure rewrite rules.
a. Configure DSCP rewrite rules for IPv4 core traffic.
[edit]
edit class-of-service rewrite-rules dscp Rewrite_CORE_TRAFFIC
set forwarding-class Best_Effort loss-priority medium-high code-point be
set forwarding-class Bulk_Data loss-priority medium-high code-point af11
set forwarding-class Scavenger loss-priority high code-point cs1
set forwarding-class Critical_Data loss-priority medium-low code-point af21
set forwarding-class Video loss-priority low code-point af41
set forwarding-class Voice loss-priority low code-point ef
set forwarding-class Network_Control loss-priority low code-point cs7
b. Configure DSCP rewrite rules for IPv6 core traffic.
[edit]
edit class-of-service rewrite-rules dscp-ipv6 Rewrite_CORE_TRAFFIC
set forwarding-class Best_Effort loss-priority medium-high code-point be
set forwarding-class Bulk_Data loss-priority medium-high code-point af11
set forwarding-class Scavenger loss-priority high code-point cs1
set forwarding-class Critical_Data loss-priority medium-low code-point af21
set forwarding-class Video loss-priority low code-point af41
set forwarding-class Voice loss-priority low code-point ef
set forwarding-class Network_Control loss-priority low code-point cs7
c. Configure a rewrite rule for voice traffic. This rule sets the code-point bit patterns
for the Voice forwarding class and is applied to the branch LAN interfaces.
[edit]
edit class-of-service rewrite-rules dscp voice-ef
set forwarding-class Voice loss-priority low code-point 101110
d. Configure a rewrite rule for video traffic. This rule sets the code-point bit patterns
for the Video forwarding class and is applied to the branch LAN interfaces.
[edit]
edit class-of-service rewrite-rules dscp video-af
a. Create a scheduler for the Best_Effort forwarding class.
[edit]
edit class-of-service schedulers SCH_Best_Effort
set transmit-rate remainder
set buffer-size remainder
set priority medium-low
b. Create a scheduler for the Scavenger forwarding class.
[edit]
edit class-of-service schedulers SCH_Scavenger
set transmit-rate percent 3
set buffer-size percent 10
set priority low
c. Create a scheduler for the Bulk_Data forwarding class.
[edit]
edit class-of-service schedulers SCH_Bulk_Data
set transmit-rate percent 20
set buffer-size percent 15
set priority medium-low
d. Create a scheduler for the Critical_Data forwarding class.
[edit]
edit class-of-service schedulers SCH_Critical_Data
set transmit-rate percent 15
set transmit-rate exact
set buffer-size percent 15
set priority medium-high
e. Create a scheduler for the Video forwarding class.
[edit]
edit class-of-service schedulers SCH_Video
set transmit-rate percent 20
set transmit-rate exact
set buffer-size percent 10
set priority high
f. Create a scheduler for the Network_Control forwarding class.
[edit]
edit class-of-service schedulers SCH_Network_Control
set transmit-rate percent 5
5.
6.
7.
If you are using Ethernet leased lines, apply CoS to the Ethernet interface.
[edit]
edit class-of-service interfaces ge-1/0/0
set unit 0 scheduler-map MAIN-SCHD
set unit 0 rewrite-rules dscp Rewrite_CORE_TRAFFIC
8.
Modify the queue assignment and DSCP code point for network control (host)
traffic that is generated by the Routing Engine and sent to the Packet Forwarding
Engine. This configuration does not affect transit traffic.
This step is required on MX Series 3D Universal Edge Routers and on M Series
Multiservice Edge Routers.
[edit]
edit class-of-service host-outbound-traffic
set forwarding-class Network_Control
set dscp-code-point cs6
9.
10.
Configure the egress shaping overhead on the 10-Gigabit Ethernet LAN PIC.
By default, the 10-Gigabit Ethernet LAN/WAN PIC counts 20 bytes of shaping overhead
per frame, the 8-byte preamble plus the 12-byte interpacket gap (IPG), in shaper
operations. To exclude this overhead, set the egress shaping overhead to -20 bytes.
[edit]
edit chassis fpc 1 pic 2
set traffic-manager egress-shaping-overhead -20
11.
Results
1.
Verify CoS on the leased line interface. For example, to verify CoS on the T3 leased
line:
user@branch> show class-of-service interface t3-1/0/0
Physical interface: t3-1/0/0, Index: 179
Queues supported: 8, Queues in use: 7
  Output traffic control profile: leased-line, Index: 57471
  Congestion-notification: Disabled

  Logical interface: t3-1/0/0, Index: 327
    Object                  Name                      Type                Index
    Rewrite                 Rewrite_CORE_TRAFFIC      dscp                51863
    Classifier              dscp-ipv6-compatibility   dscp-ipv6               9
    Classifier              ipprec-compatibility      ip                     13
Queue statistics for queues 3 through 6 from an earlier capture (the command line
and queues 0 through 2 of this output were not preserved):
Queue: 3, Forwarding classes: Critical_Data
  Queued:
    Packets              :             290854741                   500 pps
    Bytes                :           68641713888                944992 bps
  Transmitted:
    Packets              :             290854741                   500 pps
    Bytes                :           68641713888                944992 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 4, Forwarding classes: Video
  Queued:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
  Transmitted:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 5, Forwarding classes: Voice
  Queued:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
  Transmitted:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 6, Forwarding classes: Network_Control
  Queued:
    Packets              :                  5814                     0 pps
    Bytes                :                397162                     0 bps
  Transmitted:
    Packets              :                  5814                     0 pps
    Bytes                :                397162                     0 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
4. Verify CoS queues on the leased line interface. For example, to verify CoS on the T3
leased line.
user@branch> show interfaces queue t3-1/0/0
Physical interface: t3-1/0/0, Enabled, Physical link is Up
  Interface index: 179, SNMP ifIndex: 562
Forwarding classes: 16 supported, 7 in use
Egress queues: 8 supported, 7 in use
Queue: 0, Forwarding classes: Best_Effort
  Queued:
    Packets              :            1804250302                  3103 pps
    Bytes                :          544013769380               7487456 bps
  Transmitted:
    Packets              :            1804250302                  3103 pps
    Bytes                :          544013769380               7487456 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 1, Forwarding classes: Scavenger
  Queued:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
  Transmitted:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 2, Forwarding classes: Bulk_Data
  Queued:
    Packets              :             582023165                  1001 pps
    Bytes                :          289847536170               3988512 bps
  Transmitted:
    Packets              :             582023165                  1001 pps
    Bytes                :          289847536170               3988512 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 3, Forwarding classes: Critical_Data
  Queued:
    Packets              :             873034765                  1501 pps
    Bytes                :          323022863050               4445888 bps
  Transmitted:
    Packets              :             873034765                  1501 pps
    Bytes                :          323022863050               4445888 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 4, Forwarding classes: Video
  Queued:
    Packets              :             582023192                  1001 pps
    Bytes                :          289847549616               3988512 bps
  Transmitted:
    Packets              :             582023192                  1001 pps
    Bytes                :          289847549616               3988512 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 5, Forwarding classes: Voice
  Queued:
    Packets              :             582023199                  1001 pps
    Bytes                :           66350644686                913024 bps
  Transmitted:
    Packets              :             582023199                  1001 pps
    Bytes                :           66350644686                913024 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 6, Forwarding classes: Network_Control
  Queued:
    Packets              :             292690177                   502 pps
    Bytes                :           70529968344                969632 bps
  Transmitted:
    Packets              :             292690177                   502 pps
    Bytes                :           70529968344                969632 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Configuring OSPF Link-Level High Availability for the WAN Transport on the
Branch Router
Step-by-Step
Procedure
We are using BFD with OSPF to detect link failures over the WAN transport.
Set the minimum transmit and receive interval for failure detection. This is the
shortest interval at which the local routing device sends BFD control packets and
the shortest interval at which it is willing to receive them from the neighbor with
which it has established a BFD session. The two peers negotiate the intervals: each
side transmits at the larger of its own minimum interval and the neighbor's, so the
detection time reported by show bfd session can be larger than the locally
configured minimum-interval multiplied by the multiplier.
Set a multiplier, which is the number of consecutive control packets that can be
missed before the neighbor declares the session, and with it the interface, down.
1.
If you are using T3 interfaces, in OSPF area 0.0.0.6, add BFD liveness detection to
the T3 interface.
[edit]
edit protocols ospf area 0.0.0.6 interface t3-1/0/0
set bfd-liveness-detection minimum-interval 200
set bfd-liveness-detection multiplier 3
2.
If you are using Ethernet interfaces, in OSPF area 0.0.0.6, add BFD liveness detection
to the Ethernet interface.
[edit]
edit protocols ospf area 0.0.0.6 interface ge-1/0/0.0
set bfd-liveness-detection minimum-interval 200
set bfd-liveness-detection multiplier 3
3.
[edit]
commit
Results
user@branch> show bfd session
                                                  Detect   Transmit
Address                  State     Interface      Time     Interval  Multiplier
                         Up        t3-1/0/0       1.500     0.500        3

1 sessions, 1 clients
Cumulative transmit rate 2.0 pps, cumulative receive rate 2.0 pps
Configuring BGP Link-Level High Availability for the WAN Transport on the Branch
Router
Step-by-Step
Procedure
We are using BFD with BGP to detect link failures over the WAN transport.
Set the minimum transmit and receive interval for failure detection. This is the
shortest interval at which the local routing device sends BFD control packets and
the shortest interval at which it is willing to receive them from the neighbor with
which it has established a BFD session.
Set a multiplier, which is the number of consecutive control packets that can be
missed before the neighbor declares the session, and with it the interface, down.
1.
2.
Results
user@branch> show bfd session
                                                  Detect   Transmit
Address                  State     Interface      Time     Interval  Multiplier
                         Up        t3-1/0/0       1.500     0.500        3

1 sessions, 1 clients
Cumulative transmit rate 2.0 pps, cumulative receive rate 2.0 pps
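The timers in the two BFD session outputs above (Detect Time 1.500, Transmit Interval 0.500) are larger than the 200 ms times 3, or 600 ms, that the branch configures, because BFD negotiates them with the neighbor. The following Python is an added example, not code from this guide or from Juniper, that reproduces that negotiation for both the OSPF and the BGP sessions: the branch values are the ones from these procedures, and the hub-side minimum interval of 500 ms is an assumption chosen to reproduce the output shown (the leased-line hub configuration is not on this page).

```python
"""Added example (not from the Juniper guide): how the Detect Time and
Transmit Interval shown by 'show bfd session' follow from what each peer
configures. Per RFC 5880 (asynchronous mode) a peer transmits no faster
than the larger of its own minimum transmit interval and the neighbor's
minimum receive interval, and the detection time a peer applies is the
neighbor's negotiated transmit interval times the neighbor's multiplier.
Only the branch values (200 ms, multiplier 3) are from the page; the hub
values are an assumption used to reproduce the 1.500 / 0.500 output.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BfdPeer:
    name: str
    min_tx_ms: int    # Desired Min TX Interval
    min_rx_ms: int    # Required Min RX Interval
    multiplier: int   # Detect Mult


def junos_peer(name, minimum_interval_ms, multiplier):
    """Junos 'bfd-liveness-detection minimum-interval N multiplier M' sets
    both the transmit and the receive minimum to N milliseconds."""
    return BfdPeer(name, minimum_interval_ms, minimum_interval_ms, multiplier)


def transmit_interval_ms(sender, receiver):
    """Interval at which 'sender' actually sends control packets to 'receiver'."""
    return max(sender.min_tx_ms, receiver.min_rx_ms)


def detection_time_ms(local, remote):
    """Silence after which 'local' declares its session with 'remote' down:
    the remote's negotiated transmit interval times the remote's multiplier."""
    return transmit_interval_ms(remote, local) * remote.multiplier


def session_view(local, remote):
    """The two timer columns 'show bfd session' prints on 'local', in seconds."""
    return {
        "transmit_interval_s": transmit_interval_ms(local, remote) / 1000,
        "detect_time_s": detection_time_ms(local, remote) / 1000,
    }


def meets_budget(local, remote, max_detect_ms):
    """Design check: does failure detection on this link fit the budget?
    It must be evaluated with the neighbor's real timers, not only local ones."""
    return detection_time_ms(local, remote) <= max_detect_ms


# Branch timers from this procedure; hub timers are assumed (see docstring).
BRANCH = junos_peer("branch", 200, 3)
HUB = junos_peer("hub", 500, 3)
```

With the assumed hub timers, session_view(BRANCH, HUB) yields a transmit interval of 0.5 s and a detect time of 1.5 s, matching the output above; with 200 ms on both sides the detect time would be 0.6 s. The practical point for a failover budget is that lowering the branch minimum-interval alone changes nothing once the hub's value is the larger one.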
Verification
Verifying End-to-End Data Traffic
Purpose
Action
Verifying Reachability
Purpose
Action
Use this procedure to verify that routes are being advertised properly, and to check
reachability and traffic paths to the loopback interface of the data center router, the
loopback interface of a router in a different branch, and an IP address in the service
provider network that is publicly routable.
1.
Display the default IPv4 routing table to verify reachability throughout the network.
The following table is for a T3 leased-line branch.
user@branch> show route table inet.0
inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0
172.16.5.0/30
172.16.5.2/32
172.16.5.8/30
172.16.5.9/32
172.16.5.12/30
172.16.5.13/32
172.16.5.16/30
172.16.5.17/32
172.16.5.255/32
Verifying the Scenario From the WAN Aggregation Router at Aggregation Hub 1
Purpose
Action
Local addresses: 172.16.5.1/30, fe80::5e5e:ab10:40e:426f/64, 2001:DB8:5:1::1/64
(the remote column of this output was not preserved).
OSPF neighbors (the Address and Interface columns of this output were not preserved):
Address          Interface              State     ID               Pri  Dead
                                        Full      172.31.255.3     128    32
                                        Full      172.31.255.5     128    35
                                        Full      172.31.255.0     128    33
                                        Full      172.31.255.8     128    35
4. If you are using BGP, verify BGP groups to the Layer 3 VPN service provider.
user@wanagghub1> show bgp summary group To_LL_Branches
Groups: 6 Peers: 4008 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0             26385      26383          0          0          0          0
inet6.0            25392      25392          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
172.19.1.2            65530        242        247       0       7     1:59:49 Establ
  inet.0: 10/10/10/0
  inet6.0: 0/0/0/0
172.19.1.6            65530        242        247                     1:59:55 Establ
  inet.0: 10/10/10/0
  inet6.0: 0/0/0/0
172.19.1.10           65530        242        247                     1:59:58 Establ
  inet.0: 10/10/10/0
  inet6.0: 0/0/0/0
172.19.1.14           65530        242        247                     1:59:58 Establ
  inet.0: 10/10/10/0
  inet6.0: 0/0/0/0
172.19.1.18           65530        242        247                     1:59:57 Establ
  inet.0: 10/10/10/0
  inet6.0: 0/0/0/0
.
.
.                                                       ## Total of 2000 peers
.
172.19.32.50          65530        242        246                     2:00:00 Establ
  inet.0: 10/10/10/0
  inet6.0: 0/0/0/0
172.19.32.54          65530        242        247                     1:59:49 Establ
  inet.0: 10/10/10/0
  inet6.0: 0/0/0/0
172.19.32.58          65530        243        246                     2:00:03 Establ
  inet.0: 10/10/10/0
  inet6.0: 0/0/0/0
172.19.32.62          65530        242        246                     2:00:00 Establ
  inet.0: 10/10/10/0
  inet6.0: 0/0/0/0
.
.
2001:DB8:1:7ce::2     65530        241       4416                     1:59:25 Establ
  inet6.0: 10/10/10/0
2001:DB8:1:7cf::2     65530        242       4417                     1:59:32 Establ
  inet6.0: 10/10/10/0
2001:DB8:1:7d0::2     65530        240       4411                     1:58:40 Establ
  inet6.0: 10/10/10/0
(The OutQ and Flaps columns were preserved only for the first peer.)
CHAPTER 11
Connecting a Small Branch to Dual-Homed Aggregation Hubs over the Internet
Junos OS 12.1X44-D10
Overview
This design is a small branch with a single router that connects to the aggregation hub
over the Internet (Figure 74 on page 282).
For high availability, this is a dual-homed scenario with Aggregation Hub 1 as the primary
location and Aggregation Hub 2 as the backup location.
There are dual links provided by two Internet service providers (ISPs) at the aggregation
hubs and a single link provided at the branch. Two tunnels are configured from the
branch over these ISP links. The primary tunnel connects to Aggregation Hub 1, and
the secondary tunnel connects to Aggregation Hub 2.
The private routing protocol used on the WAN transport is OSPF over the GRE tunnels.
For link-level high availability, we use Bidirectional Forwarding Detection (BFD)
on the GRE tunnels and on the local LAN.
Topology
Figure 74: Test Lab Topology for Small Sites Connecting to Dual Home
Aggregation Hubs over the Internet (GRE over IPsec)
Chapter 11: Connecting a Small Branch to Dual-Homed Aggregation Hubs over the Internet
Configuration Overview
Step-by-Step
Procedure
Before you configure this scenario, configure the base configurations at the Aggregation
Hub 1 and Aggregation Hub 2. Then complete the following:
Configuring Dynamic Endpoints for IPsec Tunnels on the VPN Termination Router at
Hub 1 on page 284
Configuring Private Overlay Security that Uses Certificates on the VPN Termination
Router at Hub 1 on page 286
Configuring Private Overlay Security that Uses Preshared Keys on the VPN Termination
Router at Hub 1 on page 290
Configuring the Overlay WAN Transport on the VPN Termination Router at Hub
1 on page 290
Configuring the Transport Routing Instances on the VPN Termination Router at Hub
1 on page 291
Configuring Private Overlay Routing on the VPN Termination Router at Hub 1 on page 292
Applying CoS to the GRE Tunnel Interfaces on the VPN Termination Router at Hub
1 on page 293
Configuring Dynamic Endpoints for IPsec Tunnels on the VPN Termination Router
at Hub 1
Step-by-Step
Procedure
We are using dynamic endpoints for IPsec tunnels to reduce the configuration and changes
required when a new branch comes online.
1.
Create an IKE access profile that is used to negotiate IKE and IPsec security
associations with dynamic peers.
The client value * (wildcard) means this profile is valid for all dynamic peers that
terminate in the service set that accesses this profile.
From the hub point of view, the address requested by the branch is the remote
loopback address used for the GRE tunnel endpoint at the branch.
The local proxy pair address on the hub is the local loopback address used for
the GRE tunnel.
The IKE policy is the policy that defines the remote identification values that
correspond to the allowed dynamic peers.
The interface identifier is the interface used to derive the logical service interface
for the session.
[edit]
edit access profile venues client * ike
set allowed-proxy-pair local 172.31.255.31/32 remote 172.16.0.0/20
set ike-policy ike-phase1-policy
set interface-id venues
2.
The dial options interface ID specifies that this logical interface takes part in
dynamic IPsec negotiation for the group of dynamic peers defined for venues.
The dial options shared mode enables the logical interface to be shared across
multiple tunnels.
The inside and outside service domains must match the interface domains
specified in the service set.
[edit]
edit interfaces sp-0/3/0
set unit 0 family inet
set unit 1 dial-options ipsec-interface-id venues
set unit 1 dial-options shared
set unit 1 family inet
set unit 1 service-domain inside
set unit 2 family inet
set unit 2 service-domain outside
3.
The reverse routes at the aggregation hub include next hops that point to the
locations specified by the inside and outside service interfaces. The reverse routes
are inserted into the VPN routing instance routing table because the sp-0/3/0
interfaces are present in this routing instance. The inside and outside service
interfaces must match the inside and outside service domains configured at the
[edit interfaces sp-0/3/0] hierarchy level.
Specify the address and the routing instance of the local gateway. The local
gateway address is the local address of the Ethernet interface from the VPN
termination router to the Internet edge router.
If you are using preshared keys with IPsec, set trusted-ca to self-ca.
[edit]
edit services service-set BR1
set next-hop-service inside-service-interface sp-0/3/0.1
set next-hop-service outside-service-interface sp-0/3/0.2
set ipsec-vpn-options trusted-ca self-ca
set ipsec-vpn-options local-gateway 191.15.100.6
set ipsec-vpn-options local-gateway routing-instance VPN
set ipsec-vpn-options ike-access-profile venues
Configuring Private Overlay Security that Uses Certificates on the VPN Termination
Router at Hub 1
Step-by-Step
Procedure
We are using IPsec to secure the GRE tunnels between the branch and the aggregation
hub. The WAN transport security configuration consists of an Internet Key Exchange
(IKE) configuration for IPsec phase 1 negotiation and an IPsec configuration for phase 2
negotiation.
You can use either certificates or preshared keys in your IPsec implementation. If you are
using certificates, follow this procedure.
1.
Configure the certificate authority (CA) profile.
a. Create a CA profile, set the SCEP enrollment URL, and specify that the method
used to verify the revocation status of digital certificates is the certificate
revocation list (CRL). A CRL is a time-stamped list identifying revoked
certificates, which is signed by a CA and made available to the participating
IPsec peers on a regular periodic basis.
The disable on-download-failure option makes that check fail open: if the CRL
cannot be downloaded, a peer certificate is accepted without a revocation check.
This keeps tunnels up through a CRL server outage at the cost of honoring a
revoked branch certificate for as long as the outage lasts, so use it only where
the CRL distribution point is reachable and its availability is monitored.
[edit]
edit security pki ca-profile ROOT
set ca-identity ROOT
set enrollment url http://10.204.138.55:8080/scep/ROOT/
set revocation-check crl disable on-download-failure
b. Commit the configuration, and verify that the certificate server is reachable.
[edit]
commit
[edit]
run ping 10.204.138.55
PING 10.204.138.55 (10.204.138.55): 56 data bytes
64 bytes from 10.204.138.55: icmp_seq=0 ttl=123 time=2.811 ms
64 bytes from 10.204.138.55: icmp_seq=1 ttl=123 time=2.552 ms
c. Retrieve the certificate from the CA server. Examine the fingerprint of the CA
[edit]
run request security pki ca-certificate verify ca-profile ROOT
CA certificate ROOT verified successfully
e. Generate a public-private key pair.
[edit]
run request security pki generate-key-pair certificate-id localcert1
Generated key pair localcert1, key size 1024 bits
A 1024-bit RSA key is below the 2048-bit minimum now generally required; use the
size option of this command (for example, size 2048) so that the router key is no
weaker than the 2048-bit CA key shown below.
f.
[edit]
commit
h. Verify that the CA certificate was loaded.
[edit]
show security pki ca-certificate detail
Certificate identifier: ROOT
Certificate version: 3
Serial number: 00038b8c
Issuer:
Organization: juniper, Country: India, Common name: ROOT
Subject:
Organization: juniper, Country: India, Common name: ROOT
Validity:
Not before: 04-25-2013 10:36
Not after: 04-25-2014 10:36
Public key algorithm: rsaEncryption(2048 bits)
30:82:01:0a:02:82:01:01:00:ea:bf:02:2d:9d:69:c1:22:f6:5d:0a
38:76:fa:9c:11:18:81:23:de:5e:d6:6d:c1:e8:38:73:e9:c4:46:d7
97:22:a4:d9:66:f7:d6:e3:66:b8:d1:82:79:49:57:0d:c6:f9:e7:59
89:ac:57:8e:76:74:78:97:b8:25:12:7a:47:15:0e:88:81:b9:c1:14
76:b0:a4:8d:c1:ea:85:25:cf:a3:ea:3a:a8:1a:32:b8:ad:ac:33:73
97:c4:11:ba:2a:39:74:25:47:9c:cd:e0:03:03:8e:af:db:90:b6:7e
df:ea:81:73:e2:f9:0e:97:4e:50:70:40:bc:41:bc:dc:0e:8a:40:e3
6e:9d:d3:bf:36:9f:53:aa:2a:df:7b:d9:4a:35:c2:b2:68:a0:df:24
e8:af:04:69:35:0b:5e:1a:da:10:f9:fb:d2:22:80:ff:dd:e0:21:25
f6:3b:71:4f:4c:74:c8:38:f9:79:36:40:8c:9e:d3:14:0f:f4:9c:ad
ae:5d:46:59:76:af:b7:2c:ee:5c:a9:c6:ef:d5:30:e2:10:74:5c:2a
b9:1d:4a:80:5f:1a:fb:92:18:1f:98:34:07:5e:c7:01:03:88:ef:f7
56:76:a5:0f:47:be:df:bc:88:81:9f:2d:8b:26:77:90:a3:be:23:cb
f2:83:f9:4a:8d:02:03:01:00:01
Signature algorithm: sha1WithRSAEncryption
Distribution CRL:
http://10.204.138.55:8080/crl-as-der/currentcrl-292.crl?id=292
Use for key: CRL signing, Certificate signing, Key encipherment, Digital
signature
Fingerprint:
5d:53:9d:7a:06:23:5e:2a:5e:dc:8d:fb:52:f7:91:ae:1c:a3:ed:bd (sha1)
7d:02:c9:f9:33:99:48:dc:89:37:fe:4a:22:9f:12:84 (md5)
Auto-re-enrollment:
Status: Disabled
Next trigger time: Timer not started
i.
2.
For IKE phase 1 negotiation with the branch, configure an IKE proposal and policy.
a. Configure an IKE proposal that matches the proposal configured on the branch
router.
[edit]
edit services ipsec-vpn ike proposal ike-phase1-proposal
set authentication-method rsa-signatures
set dh-group group2
set authentication-algorithm sha-256
set encryption-algorithm aes-256-cbc
set lifetime-seconds 28800
b. Configure an IKE (phase 1) proposal that uses RSA signatures.
[edit]
edit services ipsec-vpn ike proposal rsa-prop
c. Configure an IKE policy and associate the IKE proposal with the policy. With
remote-id any-remote-id, any peer that presents a certificate issued by the trusted
CA is allowed to negotiate; the allowed-proxy-pair in the IKE access profile is then
what limits which addresses such a peer can bring up behind the tunnel.
[edit]
edit services ipsec-vpn ike policy ike-rsa
set mode main
set proposals ike-phase1-proposal
set local-id fqdn localcert1.juniper.net
deactivate local-id
set local-certificate localcert1
set remote-id any-remote-id
d. Alternatively, configure an IKE policy that uses the RSA proposal and restricts
the remote identity to a specific FQDN.
[edit]
edit services ipsec-vpn ike policy ike-rsa
set proposals rsa-prop
set local-id fqdn test1.test.com
set local-certificate test1
set remote-id fqdn test2.test.com
3.
For IPsec phase 2 negotiation with the branch, configure an IPsec proposal and policy.
a. Configure an IPsec proposal that matches the proposal configured on the branch
router. HMAC-SHA1-96 remains acceptable for ESP integrity but is the legacy choice;
prefer a SHA-2 HMAC where both ends support it.
[edit]
edit services ipsec-vpn ipsec proposal dynamic_ipsec_proposal
set protocol esp
set authentication-algorithm hmac-sha1-96
set encryption-algorithm aes-256-cbc
b. Configure the IPsec policy, which lists protocols and algorithms (security services)
Configuring Private Overlay Security that Uses Preshared Keys on the VPN
Termination Router at Hub 1
Step-by-Step
Procedure
We are using IPsec to secure the GRE tunnels between the branch and the aggregation
hub. The WAN transport security configuration consists of an IKE configuration for IPsec
phase 1 negotiation and an IPsec configuration for phase 2 negotiation.
You can use either certificates or preshared keys in your IPsec implementation. If you are
using preshared keys, follow this procedure.
1.
For IKE phase 1 negotiation with the branch, configure an IKE proposal and policy.
a. Configure an IKE proposal that matches the proposal configured on the branch
router.
[edit]
edit services ipsec-vpn ike proposal ike-phase1-proposal
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha-256
set encryption-algorithm aes-256-cbc
set lifetime-seconds 28800
b. Configure an IKE policy and associate the IKE proposal with the policy.
[edit]
edit services ipsec-vpn ike policy ike-phase1-policy
set mode main
set proposals ike-phase1-proposal
set pre-shared-key ascii-text "$9$5znCO1hKMXtuMX7-2gTz3"
Every dynamic peer that matches the access profile authenticates with this one key,
so a key recovered from any branch router lets its holder impersonate a branch to
the hub. The $9$ form in which Junos stores the key is reversible obfuscation, not
encryption; protect configuration backups as you would the key itself.
2.
For IPsec phase 2 negotiation with the branch, configure an IPsec proposal and policy.
a. Configure an IPsec proposal that matches the proposal configured on the branch
router.
[edit]
edit services ipsec-vpn ipsec proposal dynamic_ipsec_proposal
set protocol esp
set authentication-algorithm hmac-sha1-96
set encryption-algorithm aes-256-cbc
b. Configure the IPsec policy, which lists protocols and algorithms (security services)
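The following Python is an added example, not code from this guide or from Juniper. It expands the [edit] / edit / set notation used throughout these procedures into absolute statements and flags the settings a reviewer would question in the certificate and preshared-key procedures above: the 1024-bit MODP dh-group group2, the legacy hmac-sha1-96 integrity algorithm, remote-id any-remote-id, and the fail-open CRL check. The sample configuration is constructed from this chapter's hub settings; the severities are this example's own policy, not a Juniper recommendation.

```python
"""Added example, not code from the Juniper guide: a small audit of the IKE
and IPsec settings in a Junos configuration expressed as the [edit] / edit /
set lines this guide uses. SAMPLE_CONFIG is constructed from the hub-side
settings shown in this chapter; the severities are this example's own policy.
"""

# Constructed sample: the certificate-based hub configuration from this chapter.
SAMPLE_CONFIG = """
[edit]
edit security pki ca-profile ROOT
set ca-identity ROOT
set revocation-check crl disable on-download-failure
[edit]
edit services ipsec-vpn ike proposal ike-phase1-proposal
set authentication-method rsa-signatures
set dh-group group2
set authentication-algorithm sha-256
set encryption-algorithm aes-256-cbc
set lifetime-seconds 28800
[edit]
edit services ipsec-vpn ike policy ike-rsa
set mode main
set proposals ike-phase1-proposal
set remote-id any-remote-id
[edit]
edit services ipsec-vpn ipsec proposal dynamic_ipsec_proposal
set protocol esp
set authentication-algorithm hmac-sha1-96
set encryption-algorithm aes-256-cbc
"""

WEAK_DH_GROUPS = {"group1", "group2", "group5"}          # MODP 768/1024/1536 bits
LEGACY_INTEGRITY = {"md5", "sha1", "hmac-md5-96", "hmac-sha1-96"}
WEAK_CIPHERS = {"des-cbc", "3des-cbc"}


def expand(config_text):
    """Resolve [edit]/edit/set lines into absolute statements (token lists).

    '[edit]' returns to the top of the hierarchy, 'edit a b' descends into it,
    and a 'set' line is recorded relative to the current position.
    """
    position, statements = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if line == "[edit]":
            position = []
        elif tokens[0] == "edit":
            position = position + tokens[1:]
        elif tokens[0] == "set":
            statements.append(position + tokens[1:])
    return statements


def audit(config_text):
    """Return (severity, statement, reason) for each risky setting found."""
    findings = []
    for stmt in expand(config_text):
        if len(stmt) < 2:
            continue
        text = " ".join(stmt)
        leaf, value = stmt[-2], stmt[-1]
        in_ike = "ike" in stmt
        if leaf == "dh-group" and value in WEAK_DH_GROUPS:
            findings.append(("high", text, "IKE Diffie-Hellman group below 2048-bit MODP"))
        if leaf == "keys" and "perfect-forward-secrecy" in stmt and value in WEAK_DH_GROUPS:
            findings.append(("high", text, "PFS group below 2048-bit MODP"))
        if leaf == "authentication-algorithm" and value in LEGACY_INTEGRITY:
            findings.append(("medium", text, "legacy integrity algorithm; prefer a SHA-2 HMAC"))
        if leaf == "encryption-algorithm" and value in WEAK_CIPHERS:
            findings.append(("high", text, "weak cipher"))
        if in_ike and leaf == "mode" and value == "aggressive":
            findings.append(("high", text, "aggressive mode exposes identities and, with PSKs, the key to offline cracking"))
        if in_ike and leaf == "authentication-method" and value == "pre-shared-keys":
            findings.append(("info", text, "one shared secret for every dynamic peer"))
        if leaf == "remote-id" and value == "any-remote-id":
            findings.append(("info", text, "any CA-issued identity may peer; allowed-proxy-pair is the only per-peer limit"))
        if "revocation-check" in stmt and stmt[-2:] == ["disable", "on-download-failure"]:
            findings.append(("high", text, "revocation check fails open when the CRL cannot be fetched"))
    return findings
```

Run audit(SAMPLE_CONFIG) to get four findings: two high (dh-group group2 and the fail-open CRL check), one medium (hmac-sha1-96) and one informational (any-remote-id). The same function accepts the preshared-key variant, where pre-shared-keys adds an informational note and aggressive mode, if anyone were to configure it, is flagged high.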
Configuring the Overlay WAN Transport on the VPN Termination Router at Hub
1
Step-by-Step
Procedure
1.
Configure the loopback interface. This loopback interface is included in the VPN
routing instance, and its address is used as the GRE tunnel source address.
[edit]
Specify the outer GRE source and destination tunnel addresses that form the tunnel.
These are the local and remote loopback addresses.
Specify the routing instance in which the tunnel's source and destination reside.
Specify the inner IPv4 and IPv6 addresses that are used after the tunnel is formed.
The GRE interface is later added to the WAN-GRE routing instance so that the
internal addressing of the GRE tunnel is part of the enterprise's private routing
space.
[edit]
edit interfaces gr-0/1/0 unit 1
set tunnel source 172.31.255.31
set tunnel destination 172.16.1.255
set tunnel routing-instance destination VPN
set family inet address 172.16.1.1/30
set family inet6 address 2001:DB8:1::1/64
Configure one logical GRE interface for each tunnel to be formed between the
branch and the aggregation hub.
On the VPN termination router at the aggregation hub, there are two virtual routing
instances:
VPN: The routing instance that holds the IPsec service interfaces and the loopback
interface whose address is the GRE tunnel source, so that the outer GRE and IPsec
addressing is reachable from the Internet-facing side.
WAN-GRE: An internal routing instance that terminates the private GRE IPv4
addressing. The WAN-GRE virtual router is part of the internal routing domain and is
an OSPF peer to the WAN aggregation router at the aggregation hub.
1.
Add the IPsec interfaces and the loopback interface to the VPN routing instance.
The loopback interface is the remote endpoint for the branch. The address of the
loopback interface is used as the GRE tunnel source address.
[edit]
edit routing-instances VPN
set interface sp-0/3/0.1
set interface sp-0/3/0.2
set interface lo0.2
2.
OSPF is the private routing protocol used over the WAN GRE tunnels, and it is configured
in the WAN-GRE routing instance.
1.
Configure the OSPF area for GRE tunnels from the branch.
[edit]
edit routing-instances WAN-GRE protocols ospf area 0.0.0.2
set stub default-metric 10
set stub no-summaries
set interface gr-0/1/0.1 metric 10
set interface gr-0/1/0.1 authentication md5 0 key "$9$gUaGjmfQ9AuSrw24aDjCAp"
Configure the OSPFv3 area for GRE tunnels from the branch.
[edit]
edit routing-instances WAN-GRE protocols ospf3 area 0.0.0.2
set stub default-metric 10
set stub no-summaries
set interface gr-0/1/0.1
There are two levels of high availability that you can use over your private WAN overlay:
Dead peer detection for IPsec tunnels to monitor the tunnel state and remote peer
availability.
BFD with OSPF for GRE tunnels to detect failures over the GRE tunnels.
1.
2.
In OSPF area 0.0.0.2, add BFD liveness detection to the GRE tunnel.
Set the minimum transmit and receive interval for failure detection. This interval is
the minimum time after which the local routing device transmits hello packets and
the minimum interval after which the routing device expects to receive a reply from
the neighbor with which it has established a BFD session.
Set a multiplier for hello packets, which is the number of hello packets that are not
received by a neighbor, which causes the originating interface to be declared down.
[edit]
edit routing-instances WAN-GRE protocols ospf area 0.0.0.2
set interface gr-0/1/0.1 bfd-liveness-detection minimum-interval 500
set interface gr-0/1/0.1 bfd-liveness-detection multiplier 3
1.
Add the GRE tunnels to the multicast configuration in the WAN-GRE routing instance.
[edit]
edit routing-instances WAN-GRE protocols pim
set interface gr-0/1/0.1 mode sparse
set interface gr-0/1/0.1 version 2
Applying CoS to the GRE Tunnel Interfaces on the VPN Termination Router at
Hub 1
Step-by-Step
Procedure
In overlay environments it is critical to be able to schedule and control the traffic out to
the remote branches. This is most effectively achieved if you use GRE or tunnel QoS,
where you can implement a CoS shaper and traffic scheduler per tunnel to control the
bandwidth of the tunnel and schedule high-priority traffic over low-priority traffic.
1.
In the CoS configuration, apply the traffic control profile to the GRE tunnel interfaces.
The control profile is configured in the aggregation hub base configuration.
[edit]
edit class-of-service interfaces gr-0/1/0
set unit 1 output-traffic-control-profile SMALL-BRANCH
2.
In the GRE logical interface configuration, configure the tunnel to copy the ToS
byte of the inner IP header to the outer IP header.
In this design, traffic is classified on the DSCP marking in the ToS byte of the IP
header. Once that header is encapsulated in GRE, only the outer header is visible to
the classifiers and schedulers along the tunnel path, so the ToS byte must be copied
to the GRE outer header.
[edit]
edit interfaces gr-0/1/0 unit 1
set copy-tos-to-outer-ip-header
Configuring Dynamic Endpoints for IPsec Tunnels on the VPN Termination Router at Hub 2 on page 294
Configuring Private Overlay Security that Uses Certificates on the VPN Termination Router at Hub 2 on page 296
Configuring Private Overlay Security that Uses Preshared Keys on the VPN Termination Router at Hub 2 on page 299
Configuring the Overlay WAN Transport on the VPN Termination Router at Hub 2 on page 300
Configuring Private Overlay Routing on the VPN Termination Router at Hub 2 on page 302
Applying CoS to the Tunnel Interfaces on the VPN Termination Role at Hub 2 on page 303
Configuring Dynamic Endpoints for IPsec Tunnels on the VPN Termination Router at Hub 2
Step-by-Step Procedure
We are using dynamic endpoints for IPsec tunnels to reduce the configuration and changes
required when a new branch comes online. You need to configure dynamic endpoints
only once at the aggregation hub.
1. Create an IKE access profile that is used to negotiate IKE and IPsec security
associations with dynamic peers.
The client value * (wildcard) means this profile is valid for all dynamic peers that
terminate in the service set that accesses this profile.
The local proxy pair address on the hub is the local loopback address used for
the GRE tunnel.
The IKE policy is the policy that defines the remote identification values that
correspond to the allowed dynamic peers.
The interface identifier is the interface used to derive the logical service interface
for the session.
[edit]
The dial options interface ID specifies that this logical interface takes part in
dynamic IPsec negotiation for the group of dynamic peers defined for
IPsec_Clients_Group1.
The dial options shared mode enables the logical interface to be shared across
multiple tunnels.
The inside and outside service domains must match the interface domains
specified in the service set.
[edit]
edit interfaces sp-1/0/0
set unit 1 description "--- Outbound unit for DEP IPSEC tunnel ----"
set unit 1 family inet
set unit 1 service-domain outside
set unit 2 description "--- Inbound unit for DEP IPSEC (shared) tunnel ---"
set unit 2 dial-options ipsec-interface-id IPsec_Clients_Group1
set unit 2 dial-options shared
set unit 2 family inet
set unit 2 service-domain inside
3. The reverse routes at the aggregation hub include next hops that point to the
locations specified by the inside and outside service interfaces. The reverse routes
are inserted into the VPN routing instance routing table because the sp-1/0/0
interfaces are present in this routing instance. The inside and outside service
interfaces must match the inside and outside service domains configured at the
[edit interfaces sp-1/0/0] hierarchy level.
Specify the address and the routing instance of the local gateway. The local
gateway address is the local address of the logical tunnel interface (lt-5/1/0.53) from
the VPN termination role to the Internet edge role.
If you are using preshared keys with IPsec, set trusted-ca to self-ca.
Configuring Private Overlay Security that Uses Certificates on the VPN Termination Router at Hub 2
Step-by-Step Procedure
We are using IPsec to secure the GRE tunnels between the branch and the aggregation
hub. The WAN transport security configuration consists of an IKE configuration for IPsec
phase 1 negotiation and an IPsec configuration for phase 2 negotiation.
1.
and specify that the method to verify the revocation status of digital certificates is
the certificate revocation list (CRL). A CRL is a time-stamped list identifying
revoked certificates, which is signed by a CA and made available to the
participating IPsec peers on a regular periodic basis.
[edit]
edit security pki ca-profile ROOT
set ca-identity ROOT
set enrollment url http://10.204.138.55:8080/scep/ROOT/
set revocation-check crl disable on-download-failure
b. Commit the configuration, and verify that the certificate is reachable.
[edit]
commit
[edit]
run ping 10.204.138.55
PING 10.204.138.55 (10.204.138.55): 56 data bytes
64 bytes from 10.204.138.55: icmp_seq=0 ttl=123 time=2.811 ms
64 bytes from 10.204.138.55: icmp_seq=1 ttl=123 time=2.552 ms
c. Retrieve the certificate from the CA server. Examine the fingerprint of the CA
[edit]
run request security pki ca-certificate verify ca-profile ROOT
CA certificate ROOT verified successfully
e. Generate a public-private key pair.
[edit]
run request security pki generate-key-pair certificate-id localcert1
Generated key pair localcert11, key size 1024 bits
f.
[edit]
commit
h. Verify that the CA certificate was generated.
[edit]
show security pki ca-certificate detail
Certificate identifier: ROOT
Certificate version: 3
Serial number: 00038b8c
Issuer:
Organization: juniper, Country: India, Common name: ROOT
Subject:
Organization: juniper, Country: India, Common name: ROOT
Validity:
Not before: 04-25-2013 10:36
Not after: 04-25-2014 10:36
Public key algorithm: rsaEncryption(2048 bits)
Signature algorithm: sha1WithRSAEncryption
Distribution CRL:
http://10.204.138.55:8080/crl-as-der/currentcrl-292.crl?id=292
Use for key: CRL signing, Certificate signing, Key encipherment, Digital signature
Fingerprint:
5d:53:9d:7a:06:23:5e:2a:5e:dc:8d:fb:52:f7:91:ae:1c:a3:ed:bd (sha1)
7d:02:c9:f9:33:99:48:dc:89:37:fe:4a:22:9f:12:84 (md5)
Auto-re-enrollment:
Status: Disabled
Next trigger time: Timer not started
i.
For IKE phase 1 negotiation with the branch, configure an IKE proposal and policy.
a. Configure an IKE proposal that matches the proposal configured on the branch
router.
[edit]
edit services ipsec-vpn ike proposal ike-phase1-proposal
set authentication-method rsa-signatures
set dh-group group2
set authentication-algorithm sha-256
set encryption-algorithm aes-256-cbc
set lifetime-seconds 28800
b. Configure an IKE (phase 1) proposal that uses RSA signatures for authentication.
[edit]
edit services ipsec-vpn ike proposal rsa-prop
set authentication-method rsa-signatures
set authentication-algorithm sha1
set encryption-algorithm 3des-cbc
c. Configure an IKE policy and associate the IKE proposal with the policy.
[edit]
edit services ipsec-vpn ike policy ike-rsa
set mode main
set proposals ike-phase1-proposal
set local-id fqdn localcert1.juniper.net
deactivate local-id
set local-certificate localcert1
set any-remote-id
Configure an IKE policy and associate the IKE proposal with the policy.
[edit]
edit services ipsec-vpn ike policy ike-rsa
set proposals rsa-prop
set local-id fqdn test1.test.com
set local-certificate test1
set remote-id fqdn test2.test.com
3.
[edit]
edit services ipsec-vpn ipsec proposal dynamic_ipsec_proposal
set protocol esp
set authentication-algorithm hmac-sha1-96
set encryption-algorithm aes-256-cbc
b. Configure the IPsec policy, which lists protocols and algorithms (security services)
Configuring Private Overlay Security that Uses Preshared Keys on the VPN Termination Router at Hub 2
Step-by-Step Procedure
We are using IPsec to secure the GRE tunnels between the branch and the aggregation
hub. The WAN transport security configuration consists of an IKE configuration for IPsec
phase 1 negotiation and an IPsec configuration for phase 2 negotiation.
1. For IKE phase 1 negotiation with the branch, configure an IKE proposal and policy.
a. Configure an IKE proposal that matches the proposal configured on the branch
router.
[edit]
edit services ipsec-vpn ike proposal ike-phase1-proposal
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha-256
set encryption-algorithm aes-256-cbc
set lifetime-seconds 28800
b. Configure an IKE policy and associate the IKE proposal with the policy.
[edit]
edit services ipsec-vpn ike policy ike-phase1-policy
[edit]
edit services ipsec-vpn ipsec proposal dynamic_ipsec_proposal
set protocol esp
set authentication-algorithm hmac-sha1-96
set encryption-algorithm aes-256-cbc
b. Configure the IPsec policy, which lists protocols and algorithms (security services)
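The procedure above stresses that the hub's IKE proposal must match the one on the branch router, because phase 1 fails on any hard mismatch. As an added example that is not part of the guide, the following Python reads the hub's ike-phase1-proposal in the guide's own [edit]/edit/set style, parses two branch proposals constructed for this example (an SRX branch keeps IKE proposals under security ike proposal rather than services ipsec-vpn), and reports the attributes that would make the negotiation fail; the flatten() helper and the check functions are ours.

```python
"""Check that the hub's IKE phase 1 proposal matches the branch's.

Added example; not from the Juniper guide. HUB_CONFIG is the ike-phase1-proposal
shown for the VPN termination router at Hub 2. The two branch configurations
are constructed for this example.
"""
import re

# IKE phase 1 fails unless both peers agree on these attributes.
MUST_MATCH = (
    "authentication-method",
    "dh-group",
    "authentication-algorithm",
    "encryption-algorithm",
)
# Lifetimes do not have to be identical on both peers, so differences are only reported.
REPORT_ONLY = ("lifetime-seconds",)

HUB_CONFIG = """
[edit]
edit services ipsec-vpn ike proposal ike-phase1-proposal
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha-256
set encryption-algorithm aes-256-cbc
set lifetime-seconds 28800
"""

# Constructed: a branch proposal that mirrors the hub (only the lifetime differs).
BRANCH_CONFIG_OK = """
[edit]
edit security ike proposal ike-phase1-proposal
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha-256
set encryption-algorithm aes-256-cbc
set lifetime-seconds 3600
"""

# Constructed: a branch proposal left at weaker algorithms, so phase 1 would fail.
BRANCH_CONFIG_BAD = """
[edit]
edit security ike proposal ike-phase1-proposal
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha1
set encryption-algorithm 3des-cbc
set lifetime-seconds 28800
"""

HUB_PROPOSAL = re.compile(r"^set services ipsec-vpn ike proposal (\S+) (\S+) (\S+)$")
BRANCH_PROPOSAL = re.compile(r"^set security ike proposal (\S+) (\S+) (\S+)$")


def flatten(cli_text):
    """Expand the guide's relative 'edit'/'set' lines into absolute 'set' lines.

    '[edit]' returns to the top of the hierarchy, 'edit <path>' descends into it,
    and each following 'set <stmt>' is rewritten as 'set <path> <stmt>'.
    """
    context = ""
    absolute = []
    for raw in cli_text.splitlines():
        line = raw.strip()
        if line == "[edit]":
            context = ""
        elif line.startswith("edit "):
            context = line[len("edit "):]
        elif line.startswith("set "):
            stmt = line[len("set "):]
            absolute.append(f"set {context} {stmt}" if context else line)
    return absolute


def parse_proposals(absolute_lines, pattern):
    """Return {proposal_name: {attribute: value}} for lines matching pattern."""
    proposals = {}
    for line in absolute_lines:
        m = pattern.match(line)
        if m:
            name, attribute, value = m.groups()
            proposals.setdefault(name, {})[attribute] = value
    return proposals


def compare_proposals(hub, branch):
    """Return (attribute, hub_value, branch_value) for every hard mismatch."""
    return [
        (attr, hub.get(attr), branch.get(attr))
        for attr in MUST_MATCH
        if hub.get(attr) != branch.get(attr)
    ]


def check_pair(hub_cfg, branch_cfg, name):
    """Compare proposal `name` on hub and branch; return (mismatches, notes)."""
    hub = parse_proposals(flatten(hub_cfg), HUB_PROPOSAL).get(name, {})
    branch = parse_proposals(flatten(branch_cfg), BRANCH_PROPOSAL).get(name, {})
    if not hub or not branch:
        missing = "hub" if not hub else "branch"
        return [("proposal-missing", name, missing)], []
    notes = [
        f"{attr}: hub {hub.get(attr)} vs branch {branch.get(attr)} (negotiated, not fatal)"
        for attr in REPORT_ONLY
        if hub.get(attr) != branch.get(attr)
    ]
    return compare_proposals(hub, branch), notes


if __name__ == "__main__":
    for label, cfg in (("matching branch", BRANCH_CONFIG_OK), ("mismatched branch", BRANCH_CONFIG_BAD)):
        mismatches, notes = check_pair(HUB_CONFIG, cfg, "ike-phase1-proposal")
        print(label, "->", "OK" if not mismatches else mismatches, notes)
```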
Configuring the Overlay WAN Transport on the VPN Termination Router at Hub 2
Step-by-Step Procedure
1. Configure the loopback interface that is configured in the WAN-GRE routing instance.
Its address is used as the source address of GRE tunnels.
[edit]
edit interfaces lo0 unit 3
set family inet address 172.31.255.6/32
2. Specify the outer GRE source and destination tunnel addresses that are used to
form the tunnel. These are the local and remote addresses of the loopback
interfaces.
Specify the inner IPv4 and IPv6 addresses that are used after the tunnel is formed.
[edit]
edit interfaces gr-5/1/0 unit 1
set tunnel source 172.31.255.231
set tunnel destination 172.16.1.255
set tunnel routing-instance destination VPN
set family inet address 172.16.1.5/30
set family inet6 address fec0:16:1:4::1/64
Configure a logical GRE interface for the number of tunnels to be formed between
the branch and the aggregation hub.
3. Configure the loopback interface that is configured in the VPN routing instance. Its
address is used on the IPsec tunnels.
[edit]
edit interfaces lo0 unit 3
On the VPN termination router at the aggregation hub, two virtual routing instances are
created:
WAN-GRE: An internal routing instance that terminates the private GRE IPv4
addressing. The WAN-GRE virtual router is part of the internal routing domain and is
an OSPF peer to the WAN aggregation router at the aggregation hub.
1.
interface to the Internet edge router, the loopback interface, which is the remote
endpoint for the branch, and the IPsec interfaces.
The address of the loopback interface is used on the IPsec tunnels.
[edit]
edit routing-instances VPN
set instance-type virtual-router
set interface sp-1/0/0.1
set interface sp-1/0/0.2
set interface lt-5/1/0.53
set interface lo0.3
2. Create the virtual router routing instance and add interfaces to it.
lo0.4: Loopback interface for the GRE tunnels. Its address is used as the GRE
tunnel source address.
gr-5/1/0.1: GRE tunnel interface. Create a logical unit for the number of GRE
tunnels that can be formed to the branch.
[edit]
edit routing-instances WAN-GRE
set instance-type virtual-router
set interface lt-5/1/0.20
set interface lt-5/1/0.54
set interface gr-5/1/0.1
set interface lo0.4
OSPF is the private routing protocol used over the WAN GRE tunnels, and it is configured
in the WAN-GRE routing instance.
1. Configure the OSPF area for GRE tunnels from the branch. Specify a metric of 20
so that routes to Aggregation Hub 1 will be preferred over routes to Aggregation Hub 2.
[edit]
edit routing-instances WAN-GRE protocols ospf area 0.0.0.2
set stub default-metric 20
set stub no-summaries
set interface gr-5/1/0.1 metric 20
set interface gr-5/1/0.1 authentication md5 0 key "$9$41JUiP5zCt0ylsgoJjiAtu"
Configure the OSPFv3 area for GRE tunnels from the branch.
[edit]
edit routing-instances WAN-GRE protocols ospf3 area 0.0.0.2
set stub default-metric 20
set stub no-summaries
set interface gr-5/1/0.1
There are two levels of high availability that you can use over your private WAN overlay:
Dead peer detection for IPsec tunnels to monitor the tunnel state and remote peer
availability.
BFD with OSPF for GRE tunnels to detect failures over the GRE tunnels.
1.
2. In OSPF area 0.0.0.2, add BFD liveness detection to the GRE tunnel.
Set the minimum transmit and receive interval for failure detection. This interval is
the minimum time after which the local routing device transmits hello packets and
the minimum interval after which the routing device expects to receive a reply from
the neighbor with which it has established a BFD session.
Set the multiplier for hello packets: the number of consecutive hello packets that a
neighbor fails to receive before the originating interface is declared down.
[edit]
edit routing-instances WAN-GRE protocols ospf area 0.0.0.2
set interface gr-0/1/0.1 bfd-liveness-detection minimum-interval 500
set interface gr-0/1/0.1 bfd-liveness-detection multiplier 3
1. Add the GRE tunnels to the multicast configuration in the WAN-GRE routing instance.
[edit]
edit routing-instances WAN-GRE protocols pim
set interface gr-5/1/0.1 mode sparse
set interface gr-5/1/0.1 version 2
Applying CoS to the Tunnel Interfaces on the VPN Termination Role at Hub 2
Step-by-Step Procedure
The router at Aggregation Hub 2 is an MX Series router, and MX Series routers do not
support per-unit GRE scheduling. To work around this, we are configuring the logical
tunnel (lt) interfaces to apply CoS to egress traffic before it is sent over the GRE tunnels
to the branch.
1. Apply the traffic control profile on the logical tunnel used for scheduling and
queuing.
Before you implement this step, you need to have enabled hierarchical scheduling
on the lt interface, and committed the configuration.
[edit]
edit class-of-service interfaces lt-5/1/0 unit 2
set output-traffic-control-profile SMALL-BRANCH
2. In the GRE logical interface configuration, configure the tunnels to copy the ToS byte
to the outer IP header on the GRE tunnel.
In this design, we are classifying traffic based on DSCP markings in the ToS byte of
the IP header. Because this header is encapsulated in a GRE tunnel, the ToS byte
of the IP header needs to be copied to the GRE outer header.
[edit]
edit interfaces gr-5/1/0 unit 1
set copy-tos-to-outer-ip-header
Configuring Security Zones and Policies on the Branch Router on page 304
Configuring the Physical WAN Transport on the Branch Router on page 306
Configuring Private Overlay Security that Uses Preshared Keys on the Branch Router on page 315
Configuring the Overlay WAN Transport on the Branch Router on page 320
Configuring the Routing Protocol for the WAN Transport on the Branch Router on page 324
Configuring the Routing Protocol for the LAN Transport on the Branch Router on page 329
1.
[edit]
edit security zones security-zone untrust
set host-inbound-traffic system-services all
set host-inbound-traffic protocols all
set interfaces ge-0/0/12.0
set interfaces st0.0
set interfaces lo0.1
set interfaces st0.1
b. Create the trust security zone.
[edit]
edit security zones security-zone trust
set host-inbound-traffic system-services all
set host-inbound-traffic protocols all
set interfaces lo0.0
set interfaces gr-0/0/0.1
set interfaces gr-0/0/0.2
set interfaces ge-0/0/8.40
set interfaces ge-0/0/8.50
set interfaces ge-0/0/8.60
c. Create the management zone.
[edit]
edit security zones security-zone HOST
set interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set interfaces ge-0/0/0.0 host-inbound-traffic protocols all
2.
[edit]
edit security policies from-zone trust to-zone untrust
set policy T-to-UT match source-address any
set policy T-to-UT match destination-address any
set policy T-to-UT match application any
set policy T-to-UT then permit
b. Configure a policy for traffic going from zone untrust to zone trust.
[edit]
edit security policies from-zone untrust to-zone trust
set policy pin match source-address any
set policy pin match destination-address any
set policy pin match application any
set policy pin then permit
c. Configure a policy for traffic going from zone untrust to zone untrust.
[edit]
edit security policies from-zone untrust to-zone untrust
set policy u2u match source-address any
set policy u2u match destination-address any
set policy u2u match application any
set policy u2u then permit
d. Configure a policy for traffic going from zone trust to zone trust.
[edit]
edit security policies from-zone trust to-zone trust
set policy t2t match source-address any
set policy t2t match destination-address any
set policy t2t match application any
set policy t2t then permit
1.
2.
Results
1.
Local 1.1.0.2/30
Remote
2. Verify that the physical interface is running in the untrust security zone.
user@branch> show interfaces ge-0/0/12.0
Logical interface ge-0/0/12.0 (Index 79) (SNMP ifIndex 542)
Flags: SNMP-Traps 0x0 Encapsulation: ENET2
Input packets : 2271619491438
Output packets: 22710745288
Security: Zone: untrust
Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp
ospf ospf3 pgm pim
rip ripng router-discovery rsvp sap vrrp dhcp finger ftp tftp
ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin
rpm rsh snmp snmp-trap
ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip dhcpv6 r2cp
Protocol inet, MTU: 1500
Flags: Sendbcast-pkt-to-re, Is-Primary
Addresses, Flags: Is-Preferred Is-Primary
Destination: 1.1.0.0/30, Local: 1.1.0.2, Broadcast: 1.1.0.3
Configure the virtual router routing instance in the untrusted zone for Internet traffic. The
routing instance does not allow traffic to the branch LAN from the Internet, and it protects
the internal branch routing tables.
1.
Unit 0 is in the untrust zone, and is used for the connections to the aggregation hubs.
Unit 1 is in the trust zone, is in the default inet.0 routing table, and is used with the branch LANs.
[edit]
edit interfaces lo0
set unit 0 family inet address 172.16.1.254/32
set unit 0 family inet6 address fec0:16:1::254/128
set unit 1 family inet address 172.16.1.255/32
2.
3. Create the routing instance and add the Internet-facing interfaces: the Ethernet
interface to the ISP, unit 1 of the loopback interface, and the IPsec interfaces.
[edit]
edit routing-instances untrust-vpn
set instance-type virtual-router
set interface ge-0/0/12.0
set interface lo0.1
set interface st0.0
set interface st0.1
4. Add a default static route to the ISP. This default route is used to provide reachability
to the ISP's public IP address for IPsec tunnel initiation. It is not used for local Internet
access. All internal traffic, including traffic to the Internet, traverses the GRE tunnels.
[edit]
edit routing-instances untrust-vpn
set routing-options static route 0.0.0.0/0 next-hop 1.1.0.1
5. Add a static route to the loopback address of the VPN termination router on
Aggregation Hub 1 and Aggregation Hub 2. These routes are used to establish GRE
tunnels.
[edit]
edit routing-instances untrust-vpn
set routing-options static route 172.31.255.31/32 next-hop st0.0
set routing-options static route 172.31.255.231/32 next-hop st0.1
The corresponding host route to the aggregation hub's GRE loopback address is
advertised using the proxy identities configured in the IPsec VPN, and is installed
on the aggregation hub.
6.
Results
1. Verify that the ISP gateway is reachable from the untrust-vpn routing instance.
user@branch> ping 1.1.0.1 routing-instance VPN count 5
time=3.378 ms
time=1.889 ms
time=2.160 ms
time=2.193 ms
time=2.171 ms
--- 1.1.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.889/2.358/3.378/0.522 ms
2. Verify the routes that are learned from the aggregation hub by displaying the inet.0
Configuring Private Overlay Security that Uses Certificates on the Branch Router
Step-by-Step Procedure
We are using IPsec to secure the GRE tunnels between the branch and the aggregation
hub. The WAN transport security configuration consists of an IKE configuration for IPsec
phase 1 negotiation and an IPsec configuration for phase 2 negotiation.
You can use either certificates or preshared keys in your IPsec implementation. If you are
using certificates, follow this procedure.
1.
and specify that the method to verify the revocation status of digital certificates is
the certificate revocation list (CRL). A CRL is a time-stamped list identifying
revoked certificates, which is signed by a CA and made available to the
participating IPsec peers on a regular periodic basis.
[edit]
edit security pki ca-profile ROOT
set ca-identity ROOT
set enrollment url http://10.204.138.55:8080/scep/ROOT/
set revocation-check crl disable on-download-failure
b. Commit the configuration, and verify that the certificate is reachable.
[edit]
commit
[edit]
run ping 10.204.138.55
PING 10.204.138.55 (10.204.138.55): 56 data bytes
64 bytes from 10.204.138.55: icmp_seq=0 ttl=123 time=2.811 ms
64 bytes from 10.204.138.55: icmp_seq=1 ttl=123 time=2.552 ms
c. Retrieve the certificate from the CA server. Examine the fingerprint of the CA
[edit]
run request security pki ca-certificate verify ca-profile ROOT
CA certificate ROOT verified successfully
e. Generate a public-private key pair.
[edit]
run request security pki generate-key-pair certificate-id localcert11
Generated key pair localcert11, key size 1024 bits
f.
[edit]
commit
h. Verify that the CA certificate was generated.
[edit]
show security pki ca-certificate detail
Certificate identifier: ROOT
Certificate version: 3
Serial number: 00038b8c
Issuer:
Organization: juniper, Country: India, Common name: ROOT
Subject:
Organization: juniper, Country: India, Common name: ROOT
Subject string:
C=India, O=juniper, CN=ROOT
Validity:
Not before: 04-25-2013 10:36
Not after: 04-25-2014 10:36
Public key algorithm: rsaEncryption(2048 bits)
Signature algorithm: sha1WithRSAEncryption
Distribution CRL:
http://10.204.138.55:8080/crl-as-der/currentcrl-292.crl?id=292
Use for key: CRL signing, Certificate signing, Key encipherment, Digital signature
Fingerprint:
5d:53:9d:7a:06:23:5e:2a:5e:dc:8d:fb:52:f7:91:ae:1c:a3:ed:bd (sha1)
7d:02:c9:f9:33:99:48:dc:89:37:fe:4a:22:9f:12:84 (md5)
Auto-re-enrollment:
Status: Disabled
Next trigger time: Timer not started
i.
2. For IKE phase 1 negotiation, configure an IKE proposal and policy and define the
IPsec peer (gateway) at the remote end of the tunnel with which IKE is negotiated.
a. Configure an IKE proposal that matches the proposal configured on the VPN
[edit]
edit security ike proposal rsa-prop
set authentication-method rsa-signatures
set encryption-algorithm aes-256-cbc
c. Configure an IKE policy. Associate the IKE proposal with the policy, and specify
[edit]
For IPsec phase 2 negotiation, configure an IPsec proposal and policy and then
configure an IPsec VPN to the aggregation hubs.
a. Configure the IPsec proposal, which lists protocols and algorithms (security
services) to be negotiated with the remote IPsec peer at the aggregation hub.
[edit]
edit security ipsec proposal ipsec-phase2-proposal
set protocol esp
set authentication-algorithm hmac-sha1-96
set encryption-algorithm aes-256-cbc
b. Create an IPsec policy that defines security parameters (IPsec proposals) used
The proxy identities are used for reverse route injection (RRI). The local proxy
identity is the IP address of the local GRE tunnel endpoint. The remote proxy
identity is the IP address of the remote GRE tunnel endpoint.
The proxy identity values match the values set in the IKE access profile
configured on the VPN termination router at the aggregation hub.
[edit]
edit security ipsec vpn ike-vpn-chicago
set bind-interface st0.0
set ike gateway gw-branch
set ike proxy-identity local 172.16.1.255/32
set ike proxy-identity remote 172.31.255.31/32
set ike ipsec-policy ipsec-phase2-policy
set establish-tunnels immediately
d. Create an IPsec VPN to Aggregation Hub 2.
[edit]
edit security ipsec vpn ike-vpn-head2
set bind-interface st0.1
set ike gateway br-head2
set ike proxy-identity local 172.16.1.255/32
set ike proxy-identity remote 172.31.255.231/32
set ike ipsec-policy ipsec-phase2-policy
Results
1.
*[Static/5] 2d 05:01:03
> to 1.1.0.1 via ge-0/0/12.0
--- 198.51.100.6 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.990/2.431/2.814/0.315 ms
2. Verify that IKE security associations for Aggregation Hub 1 (198.51.100.6) and
Remote Address
198.51.100.6
192.0.2.6
3. Verify IKE security associations for Aggregation Hub 1 (198.51.100.6) and Aggregation
Hub 2 (192.0.2.6).
user@branch> show security ike security-associations
IKE peer 198.51.100.6, Index 2166656, Gateway Name: gw-branch
Role: Initiator, State: UP
Initiator cookie: 8330e20474ab9bf5, Responder cookie: 5ab22ffd73c77477
Exchange type: Main, Authentication method: RSA-signatures
Local: 1.1.0.2:500, Remote: 198.51.100.6:500
Lifetime: Expires in 27899 seconds
Peer ike-id: 198.51.100.6
Xauth assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-sha256-128
Encryption : aes256-cbc
Pseudo random function: hmac-sha256
Diffie-Hellman group : DH-group-2
Traffic statistics:
Input bytes : 10088
Output bytes : 10408
Input packets: 94
Output packets: 95
Flags: IKE SA is created
IPsec security associations: 1 created, 0 deleted
Hub 2 (192.0.2.6).
user@branch> show security ipsec security-associations
Total active tunnels: 2
  ID       Algorithm      SPI       Life:sec/kb  Mon vsys Port  Gateway
  <131073  ESP:3des/sha1  63f37ac1  3571/ unlim      root 500   198.51.100.6
  >131073  ESP:3des/sha1  d8d36260  3571/ unlim      root 500   198.51.100.6
  <131074  ESP:3des/sha1  1b24ee6b  815/ unlim       root 500   192.0.2.6
  >131074  ESP:3des/sha1  545643c7  815/ unlim       root 500   192.0.2.6
5. Verify local and remote identity and the security algorithms in IPsec security
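As an added check that is not part of the guide, the following Python parses the IPsec SA table from the verification step above and confirms that each hub gateway has an inbound and an outbound SA and that the negotiated ESP algorithms match the configured ipsec-phase2-proposal. SAMPLE_OUTPUT is reconstructed from the guide's table (same IDs, SPIs and gateways); the column spacing and the Mon column value are assumed. Note that the table shows ESP:3des/sha1 while ipsec-phase2-proposal above specifies aes-256-cbc, which is exactly the kind of discrepancy this check is meant to surface.

```python
"""Sanity-check 'show security ipsec security-associations' output from the branch.

Added example, not from the Juniper guide. SAMPLE_OUTPUT is reconstructed from
the table in the guide's verification step; the column spacing and the Mon
column value ('-') are assumed. The checks themselves are ours.
"""
import re

SAMPLE_OUTPUT = """\
Total active tunnels: 2
  ID      Algorithm      SPI       Life:sec/kb  Mon vsys Port  Gateway
  <131073 ESP:3des/sha1  63f37ac1  3571/ unlim  -   root 500   198.51.100.6
  >131073 ESP:3des/sha1  d8d36260  3571/ unlim  -   root 500   198.51.100.6
  <131074 ESP:3des/sha1  1b24ee6b  815/ unlim   -   root 500   192.0.2.6
  >131074 ESP:3des/sha1  545643c7  815/ unlim   -   root 500   192.0.2.6
"""

# One SA row: direction marker, ID, ESP:<cipher>/<hash>, SPI, life, Mon, vsys, port, gateway.
SA_LINE = re.compile(
    r"^\s*(?P<dir>[<>])(?P<id>\d+)\s+ESP:(?P<enc>[^/\s]+)/(?P<auth>\S+)\s+"
    r"(?P<spi>[0-9a-f]+)\s+(?P<life>\d+)/\s*(?P<kb>\S+)\s+(?P<mon>\S+)\s+"
    r"(?P<vsys>\S+)\s+(?P<port>\d+)\s+(?P<gw>\S+)\s*$"
)


def parse_ipsec_sas(text):
    """Return one dict per SA row; '<' rows are inbound, '>' rows outbound."""
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            sa = m.groupdict()
            sa["id"], sa["life"], sa["port"] = int(sa["id"]), int(sa["life"]), int(sa["port"])
            sas.append(sa)
    return sas


def cipher_key(name):
    """Reduce 'aes-256-cbc', 'aes-cbc-256' or '3des-cbc' to (family, key bits)."""
    n = name.lower()
    family = "3des" if n.startswith("3des") else re.match(r"[a-z]+", n).group(0)
    bits = re.search(r"\d{3}", n)
    return (family, bits.group(0) if bits else "")


def hash_key(name):
    """Reduce 'hmac-sha1-96', 'hmac-sha-256-128' or 'sha1' to 'sha1' / 'sha256'."""
    m = re.search(r"(md5|sha-?\d+)", name.lower())
    return m.group(1).replace("-", "") if m else name.lower()


def check_tunnels(sas, expected_gateways, proposal_enc, proposal_auth, min_life_sec=0):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    by_gateway = {}
    for sa in sas:
        by_gateway.setdefault(sa["gw"], {})[sa["dir"]] = sa
    for gw in sorted(expected_gateways):
        pair = by_gateway.get(gw, {})
        for direction, label in (("<", "inbound"), (">", "outbound")):
            sa = pair.get(direction)
            if sa is None:
                findings.append(f"{gw}: no {label} SA")
                continue
            if cipher_key(sa["enc"]) != cipher_key(proposal_enc):
                findings.append(f"{gw}: {label} SA uses {sa['enc']}, proposal is {proposal_enc}")
            if hash_key(sa["auth"]) != hash_key(proposal_auth):
                findings.append(f"{gw}: {label} SA uses {sa['auth']}, proposal is {proposal_auth}")
            if sa["life"] < min_life_sec:
                findings.append(f"{gw}: {label} SA expires in {sa['life']} s")
    # An SA to a peer that is not one of the hubs deserves a look as well.
    for gw in sorted(set(by_gateway) - set(expected_gateways)):
        findings.append(f"{gw}: SA present but gateway not expected")
    return findings


if __name__ == "__main__":
    hubs = {"198.51.100.6", "192.0.2.6"}  # Aggregation Hub 1 and Hub 2 from the guide
    for finding in check_tunnels(parse_ipsec_sas(SAMPLE_OUTPUT), hubs, "aes-256-cbc", "hmac-sha1-96"):
        print(finding)
```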
Configuring Private Overlay Security that Uses Preshared Keys on the Branch Router
Step-by-Step Procedure
We are using IPsec to secure the GRE tunnels between the branch and the aggregation
hub. The WAN transport security configuration consists of an IKE configuration for IPsec
phase 1 negotiation and an IPsec configuration for phase 2 negotiation.
If you are using preshared keys in your IPsec implementation, use this procedure.
1. For IKE phase 1 negotiation, configure an IKE proposal and policy and define the
IPsec peer (gateway) at the remote end of the tunnel with which IKE is negotiated.
a. Configure an IKE proposal that matches the proposal configured on the VPN
[edit]
edit security ike policy ike-phase1-policy
set mode main
set proposals ike-phase1-proposal
set pre-shared-key ascii-text "$9$tw4101hevLVwgSrwgoJHkp0B"
c. Define an IKE gateway for Aggregation Hub 1. IKE uses the default static route
[edit]
edit security ike gateway br-head2
set ike-policy ike-phase1-policy
set address 191.15.200.6
set external-interface ge-0/0/12
2. For IPsec phase 2 negotiation, configure an IPsec proposal and policy and then
configure an IPsec VPN to the aggregation hubs.
a. Configure the IPsec proposal, which lists protocols and algorithms (security
services) to be negotiated with the remote IPsec peer at the aggregation hub.
[edit]
edit security ipsec proposal ipsec-phase2-proposal
set protocol esp
set authentication-algorithm hmac-sha1-96
set encryption-algorithm aes-256-cbc
b. Create an IPsec policy that defines security parameters (IPsec proposals) used
The proxy identities are used for reverse route injection (RRI). The local proxy
identity is the IP address of the local GRE tunnel endpoint. The remote proxy
identity is the IP address of the remote GRE tunnel endpoint.
The proxy identity values match the values set in the IKE access profile
configured on the VPN termination router at the aggregation hub.
[edit]
edit security ipsec vpn ike-vpn-chicago
set bind-interface st0.0
set ike gateway gw-branch
set ike proxy-identity local 172.16.1.255/32
set ike proxy-identity remote 172.31.255.31/32
set ike ipsec-policy ipsec-phase2-policy
set establish-tunnels immediately
d. Create an IPsec VPN to Aggregation Hub 2.
[edit]
edit security ipsec vpn ike-vpn-head2
set bind-interface st0.1
Results
1.
*[Static/5] 2d 05:01:03
> to 1.1.0.1 via ge-0/0/12.0
--- 198.51.100.6 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.990/2.431/2.814/0.315 ms
2. Verify IKE security associations for Aggregation Hub 1 (198.51.100.6) and Aggregation
Hub 2 (192.0.2.6).
user@branch> show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
6670350  UP     2fa9609b522c5f75  7a28d06fe17bdab7  Main  198.51.100.6
6670351  UP     f8dc5b2a4791ca4d  376e89a90fce1394  Main  192.0.2.6
3. Verify IKE security associations for Aggregation Hub 1 (198.51.100.6) and Aggregation
Hub 2 (192.0.2.6).
user@branch> show security ike security-associations detail
IKE peer 198.51.100.6, Index 7315412, Gateway Name: gw-branch
  Role: Initiator, State: UP
  Initiator cookie: a5b12ad39b8033df, Responder cookie: dfc0a26c3e4beee7
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 1.1.0.2:500, Remote: 198.51.100.6:500
  Lifetime: Expires in 25165 seconds
  Peer ike-id: 198.51.100.6
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha256-128
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha256
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
   Input  bytes  :                40140
317
Enterprise WAN Aggregation and Internet Edge Design and Implementation Guide
   Output bytes  :                40588
   Input  packets:                  367
   Output packets:                  370
  Flags: IKE SA is created
  IPsec security associations: 2 created, 0 deleted
  Phase 2 negotiations in progress: 0
    Negotiation type: Quick mode, Role: Initiator, Message ID: 0
    Local: 1.1.0.2:500, Remote: 191.15.100.6:500
    Local identity: 1.1.0.2
    Remote identity: 198.51.100.6
    Flags: IKE SA is created
IKE peer 192.0.2.6, Index 7315413, Gateway Name: br-head2
  Role: Initiator, State: UP
  Initiator cookie: 212f98969acd8105, Responder cookie: ff9a1590e5a2687a
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 1.1.0.2:500, Remote: 192.0.2.6:500
  Lifetime: Expires in 25165 seconds
  Peer ike-id: 192.0.2.6
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha256-128
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha256
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
   Input  bytes  :                40140
   Output bytes  :                40588
   Input  packets:                  367
   Output packets:                  370
  Flags: IKE SA is created
  IPsec security associations: 2 created, 0 deleted
  Phase 2 negotiations in progress: 0
    Negotiation type: Quick mode, Role: Initiator, Message ID: 0
    Local: 1.1.0.2:500, Remote: 192.0.2.6:500
    Local identity: 1.1.0.2
    Remote identity: 192.0.2.6
    Flags: IKE SA is created
4. Verify IPsec security associations for Aggregation Hub 1 (198.51.100.6) and Aggregation
Hub 2 (192.0.2.6).
user@branch> show security ipsec security-associations
  Total active tunnels: 2
  ID       Algorithm       SPI       Life:sec/kb  Mon vsys  Port  Gateway
  <131073  ESP:3des/sha1   63f37ac1  3571/ unlim      root  500   198.51.100.6
  >131073  ESP:3des/sha1   d8d36260  3571/ unlim      root  500   198.51.100.6
  <131074  ESP:3des/sha1   1b24ee6b  815/ unlim       root  500   192.0.2.6
  >131074  ESP:3des/sha1   545643c7  815/ unlim       root  500   192.0.2.6
5. Verify local and remote identity and the security algorithms in IPsec security
  Bind-interface: st0.0
  Port: 500, Nego#: 2, Fail#: 0, Def-Del#: 0 Flag: 600a29
  Tunnel Down Reason: Lifetime expired
    Direction: inbound, SPI: 7dd6e0bc, AUX-SPI: 0, VPN Monitoring:
    Hard lifetime: Expires in 2954 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2316 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Direction: outbound, SPI: ebf88e72, AUX-SPI: 0, VPN Monitoring:
    Hard lifetime: Expires in 2954 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2316 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  ID: 131074 Virtual-system: root, VPN Name: ike-vpn-head2
  Local Gateway: 1.1.0.2, Remote Gateway: 192.0.2.6
  Local Identity: ipv4(any:0,[0..3]=172.16.1.255)
  Remote Identity: ipv4(any:0,[0..3]=172.31.255.231)
  Version: IKEv1
  DF-bit: clear
  Bind-interface: st0.1
  Port: 500, Nego#: 2, Fail#: 0, Def-Del#: 0 Flag: 600a29
  Tunnel Down Reason: Lifetime expired
    Direction: inbound, SPI: e2453bd2, AUX-SPI: 0, VPN Monitoring:
    Hard lifetime: Expires in 2942 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2319 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Direction: outbound, SPI: ca13403a, AUX-SPI: 0, VPN Monitoring:
    Hard lifetime: Expires in 2942 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2319 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
Specify the outer GRE tunnel source and destination addresses that are used to form
the tunnel. These are the local and remote addresses of the loopback interfaces.
Specify the destination routing instance that points to the routing table that contains
the tunnel destination address.
Specify the inner IPv4 and IPv6 GRE addresses that are used after the tunnel is formed.
Results
1.
*[Static/5] 1d 05:25:51
> via st0.0
*[Static/5] 1d 05:25:51
> via st0.0
*[Static/5] 05:11:42
> via st0.1
*[Static/5] 05:11:42
> via st0.1
                Local                        Remote
up   up  inet   172.16.1.2/30
         inet6  fe80::fac0:100:8c:e500/64
                fec0:16:1::2/64
up   up  inet   172.16.1.6/30
         inet6  fe80::fac0:100:8c:e500/64
                fec0:16:1:4::2/64
4. Verify that traffic is flowing over the GRE tunnels to Aggregation Hub 1 (gr-0/0/0.1)
Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp
ospf ospf3 pgm pim rip ripng router-discovery rsvp sap vrrp dhcp finger ftp
tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin
rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping
ntp sip dhcpv6 r2cp
Protocol inet, MTU: 9168
Flags: Sendbcast-pkt-to-re
Addresses, Flags: Is-Preferred Is-Primary
Destination: 172.16.1.0/30, Local: 172.16.1.2, Broadcast: 172.16.1.3
Protocol inet6, MTU: 9168
Flags: None
Addresses, Flags: Is-Preferred
Destination: fe80::/64, Local: fe80::fac0:100:8c:e500
Addresses, Flags: Is-Preferred Is-Primary
Destination: fec0:16:1::/64, Local: fec0:16:1::2
Logical interface gr-0/0/0.2 (Index 82) (SNMP ifIndex 553)
Flags: Point-To-Point SNMP-Traps 0x0 IP-Header
172.31.255.231:172.16.1.255:47:df:64:0000000000000004 Encapsulation: GRE-NULL
Copy-tos-to-outer-ip-header: Off
Gre keepalives configured: Off, Gre keepalives adjacency state: down
Input packets : 2379091635
Output packets: 2052503543
Security: Zone: trust
Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp
ospf ospf3 pgm pim rip ripng router-discovery rsvp sap vrrp dhcp finger ftp
tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin
rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping
ntp sip dhcpv6 r2cp
Protocol inet, MTU: 9168
Flags: Sendbcast-pkt-to-re
Addresses, Flags: Is-Preferred Is-Primary
Destination: 172.16.1.4/30, Local: 172.16.1.6, Broadcast: 172.16.1.7
Protocol inet6, MTU: 9168
Flags: None
Addresses, Flags: Is-Preferred
Destination: fe80::/64, Local: fe80::fac0:100:8c:e500
Addresses, Flags: Is-Preferred Is-Primary
Destination: fec0:16:1:4::/64, Local: fec0:16:1:4::2
5. Now that you have verified that the GRE tunnels are up, you can verify that the IPsec
Local            Remote
10.0.0.1     --> 10.0.0.16
10.0.0.6
128.0.0.1    --> 0/0
             --> 128.0.1.16
128.0.0.6    --> 0/0
  Device flags   : Present Running
  Interface flags: Point-To-Point SNMP-Traps Internal: 0x0
  Link type      : Full-Duplex
  Link flags     : None
  Last flapped   : 2013-04-12 04:24:12 PDT (5w5d 12:18 ago)
  Input rate     : 0 bps (0 pps)
  Output rate    : 0 bps (0 pps)
Configuring the Routing Protocol for the WAN Transport on the Branch Router
Step-by-Step Procedure
being advertised to the aggregation hub and to other branches. Include the
no-summaries option to restrict summary LSAs from entering the area.
[edit protocols ospf area 0.0.0.2]
set stub no-summaries
c. Add the GRE tunnels and include an MD5 authentication key for the tunnels, with
a key ID of 0.
MD5 authentication uses an encoded MD5 checksum that is included in the
transmitted packet. Both the receiving and transmitting routing devices must
have the same MD5 key. You define an MD5 key for each interface. If MD5 is
enabled on an interface, that interface accepts routing updates only if MD5
authentication succeeds. Otherwise, updates are rejected. The routing device
accepts only OSPFv2 packets sent using the same key ID that is defined for that
interface.
[edit protocols ospf area 0.0.0.2]
set interface gr-0/0/0.1
set interface gr-0/0/0.1 authentication md5 0 key "$9$0EqM1ESvWXbsgikAuO1cSws2"
set interface gr-0/0/0.2 authentication md5 0 key "$9$xco-bYJGjP5zp0WX7-sYf5Q"
d. Add the loopback interface to the area.
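The OSPFv2 MD5 authentication enabled on the GRE tunnels in step c, as an added Python example that is not Junos code: it signs a constructed Hello packet under key ID 0 and verifies it the way a receiving interface does, rejecting a wrong key, an unknown key ID, a modified packet and a sequence number that goes backwards. The plaintext key, router ID, area and sequence numbers are constructed assumptions (Junos stores the configured key as the $9$ string shown above).

```python
"""OSPFv2 cryptographic (MD5) authentication, RFC 2328 Appendix D.

Added example, not Junos code. A sending interface appends MD5(packet || key)
to the packet under a key ID and cryptographic sequence number; a receiving
interface accepts the packet only if it has a key with that ID, the digest
recomputes with that key, and the sequence number has not gone backwards.
The key, router ID, area and sequence numbers below are constructed.
"""
import hashlib
import hmac
import struct

AUTH_CRYPTO = 2            # AuType: cryptographic authentication
MD5_LEN = 16               # Auth Data Len for MD5
HDR_FMT = "!BBHIIHHHBBI"   # version, type, length, router ID, area ID,
                           # checksum, AuType, 0, key ID, auth len, sequence


def _header(packet_type, router_id, area_id, length, key_id, seq):
    # 24-byte OSPFv2 header. With AuType 2 the checksum field is zero and the
    # 64-bit authentication field carries 0, key ID, auth length, sequence.
    return struct.pack(HDR_FMT, 2, packet_type, length, router_id, area_id,
                       0, AUTH_CRYPTO, 0, key_id, MD5_LEN, seq)


def _digest(packet, key):
    # D.4.3: MD5 over the OSPF packet followed by the key, zero-padded (or
    # cut) to 16 bytes. On the wire the digest takes the key's place.
    return hashlib.md5(packet + key.ljust(MD5_LEN, b"\x00")[:MD5_LEN]).digest()


def sign(body, key_id, key, seq, router_id=0xAC1FFF02, area_id=2):
    """Header + body + 16-byte digest. The length field excludes the digest."""
    length = 24 + len(body)
    packet = _header(1, router_id, area_id, length, key_id, seq) + body
    return packet + _digest(packet, key)


def verify(wire, keys, last_seq):
    """Accept or reject a received packet like an MD5-enabled interface.

    keys: {key_id: key} configured on the interface.
    last_seq: highest sequence number already accepted from this neighbor.
    Returns (accepted, reason, updated_last_seq)."""
    if len(wire) < 24 + MD5_LEN:
        return False, "short packet", last_seq
    (version, _, length, _, _, _, autype, _,
     key_id, auth_len, seq) = struct.unpack(HDR_FMT, wire[:24])
    if version != 2 or autype != AUTH_CRYPTO or auth_len != MD5_LEN:
        return False, "not OSPFv2 cryptographic authentication", last_seq
    if key_id not in keys:
        return False, "no key with ID %d on this interface" % key_id, last_seq
    if len(wire) != length + MD5_LEN:
        return False, "length mismatch", last_seq
    packet, received = wire[:length], wire[length:]
    if not hmac.compare_digest(received, _digest(packet, keys[key_id])):
        return False, "digest mismatch (wrong key or modified packet)", last_seq
    if seq < last_seq:
        return False, "sequence number went backwards (replay)", last_seq
    return True, "ok", seq


def demo():
    """Run the checks against constructed packets; returns {case: accepted}."""
    key = b"branch-gre-key"             # constructed; Junos stores it as $9$...
    keys = {0: key}                     # key ID 0, as configured on gr-0/0/0.1
    # Constructed Hello body: mask /30, hello 10 s, options, priority 128,
    # dead 40 s, no DR/BDR.
    body = struct.pack("!IHBBIII", 0xFFFFFFFC, 10, 0x12, 128, 40, 0, 0)
    good = sign(body, 0, key, seq=100)
    accepted, _, last_seq = verify(good, keys, last_seq=0)
    tampered = bytearray(good)
    tampered[30] ^= 0x01                # flip a bit in the Hello options byte
    return {
        "valid": accepted,
        "wrong_key": verify(sign(body, 0, b"other-key", 101), keys, last_seq)[0],
        "wrong_key_id": verify(sign(body, 1, key, 101), keys, last_seq)[0],
        "tampered": verify(bytes(tampered), keys, last_seq)[0],
        "replayed": verify(good, keys, last_seq=101)[0],
        "same_seq_ok": verify(good, keys, last_seq=100)[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print("%-14s %s" % (case, "accepted" if ok else "rejected"))
```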
Results
1.
  State   ID               Pri  Dead
  Full    172.31.255.3     128    39
  Full    172.31.255.6     128    32
(The Address and Interface columns of this neighbor table did not survive extraction.)
Address          Interface     State  ID               Pri  Dead
172.16.1.1       gr-0/0/0.1    Full   172.31.255.3     128    37
  Area 0.0.0.2, opt 0x50, DR 0.0.0.0, BDR 0.0.0.0
  Up 01:32:49, adjacent 01:32:49
172.16.1.5       gr-0/0/0.2    Full   172.31.255.6     128    39
  Area 0.0.0.2, opt 0x50, DR 0.0.0.0, BDR 0.0.0.0
  Up 01:37:47, adjacent 01:37:47
(A further neighbor table survived only as its Pri and Dead columns: 128/36 and 128/34.)
3. Verify the routes learned from OSPF over the GRE tunnels from the aggregation hub.
user@branch> show route protocol ospf
inet.0: 25 destinations, 27 routes (25 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0
172.16.1.0/30
172.16.1.4/30
224.0.0.5/32
4. Verify the routes learned from OSPFv3 over the GRE tunnels from the aggregation
hub.
user@branch> show route protocol ospf3
inet6.0: 22 destinations, 28 routes (22 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
::/0
2001:DB8:1::/64
2001:DB8:1:4::/64
ff02::5/128
There are three interfaces to the branch LAN: one for data, one for video, and one for
voice.
Results
Verify that the LAN interfaces are running in the trust zone.
user@branch1> show interfaces ge-0/0/8
Physical interface: ge-0/0/8, Enabled, Physical link is Up
  Interface index: 142, SNMP ifIndex: 518
  Link-level type: Ethernet, MTU: 1518, Link-mode: Full-duplex, Speed: 1000mbps,
  BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
  Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  CoS queues     : 8 supported, 8 maximum usable queues
  Current address: f8:c0:01:8c:e5:08, Hardware address: f8:c0:01:8c:e5:08
  Last flapped   : 2013-04-12 04:24:19 PDT (5w5d 12:20 ago)
  Input rate     : 16759720 bps (6698 pps)
  Output rate    : 17724152 bps (6892 pps)
  Active alarms  : None
Configuring the Routing Protocol for the LAN Transport on the Branch Router
Step-by-Step Procedure
1.
Add the branch LAN interfaces as passive interfaces to the OSPF area.
A passive interface is one for which the address information is advertised as an
internal route in OSPF, but on which the protocol does not run.
[edit protocols ospf area 0.0.0.2]
set interface ge-0/0/8.40 passive
set interface ge-0/0/8.50 passive
set interface ge-0/0/8.60 passive
2.
Add the branch LAN interfaces as passive interfaces to the OSPF3 area.
[edit protocols ospf3 area 0.0.0.2]
set interface ge-0/0/8.40 passive
set interface ge-0/0/8.50 passive
set interface ge-0/0/8.60 passive
3.
Results
The route advertised from Aggregation Hub 1 has a metric of 10, and the route advertised
from Aggregation Hub 2 has a metric of 20.
user@branch> show ospf database detail
    OSPF database, Area 0.0.0.2
 Type       ID               Adv Rtr           Seq         Age
Summary     0.0.0.0          172.31.255.3      0x80000008  2777
  mask 0.0.0.0
  Topology default (ID 0) -> Metric: 10
Summary     0.0.0.0          172.31.255.6      0x8000002a  2590
  mask 0.0.0.0
  Topology default (ID 0) -> Metric: 20
(The Opt, Cksum and Len columns survived for only one of the two entries: 0x20 0xee41 28.)
1.
[edit]
edit protocols pim
2. Add the GRE tunnel and the branch LAN interfaces to the multicast configuration.
[edit protocols pim]
set interface gr-0/0/0.1 version 2
set interface ge-0/0/8.40 version 2
set interface ge-0/0/8.50 version 2
set interface ge-0/0/8.60 version 2
3.
Results
1.
    Source: 172.31.251.10
    Flags: sparse,spt
    Upstream interface: gr-0/0/0.1
Group: 235.1.1.2
    Source: *
    RP: 172.31.255.15
    Flags: sparse,rptree,wildcard
    Upstream interface: gr-0/0/0.1
Group: 235.1.1.2
    Source: 172.31.251.10
    Flags: sparse,spt
    Upstream interface: gr-0/0/0.1
Instance: PIM.master Family: INET6
R = Rendezvous Point Tree, S = Sparse, W = Wildcard
(The PIM interface table survived only as its IP/V/Mode and Option columns: 4 2 / 4 2 and HPLGT / HPLGT.)
4. Verify that groups are established with upstream GRE tunnel to the Aggregation Hub
1.
Configure classifiers.
a. Configure DSCP behavior aggregate (BA) classifiers for IPv4.
[edit]
edit class-of-service classifiers dscp DSCP-BA
set forwarding-class Best_Effort loss-priority medium-high code-points be
set forwarding-class Video loss-priority low code-points af41
set forwarding-class Video loss-priority low code-points af42
set forwarding-class Voice loss-priority low code-points ef
set forwarding-class Network_Control loss-priority low code-points cs7
set forwarding-class Network_Control loss-priority low code-points cs6
set forwarding-class Scavenger loss-priority high code-points cs1
set forwarding-class Bulk_Data loss-priority medium-high code-points af11
set forwarding-class Bulk_Data loss-priority medium-high code-points af12
set forwarding-class Critical_Data loss-priority medium-low code-points af21
set forwarding-class Critical_Data loss-priority medium-low code-points af22
b. Configure DSCP BA classifiers for IPv6.
[edit]
edit class-of-service classifiers dscp-ipv6 DSCP-BA
set forwarding-class Best_Effort loss-priority high code-points be
set forwarding-class Video loss-priority low code-points af41
set forwarding-class Video loss-priority low code-points af42
set forwarding-class Voice loss-priority low code-points ef
set forwarding-class Network_Control loss-priority low code-points cs6
set forwarding-class Network_Control loss-priority low code-points cs7
set forwarding-class Scavenger loss-priority low code-points cs1
set forwarding-class Bulk_Data loss-priority high code-points af11
set forwarding-class Bulk_Data loss-priority high code-points af12
set forwarding-class Critical_Data loss-priority low code-points af21
set forwarding-class Critical_Data loss-priority low code-points af22
c. Assign the forwarding classes to transmission queues.
[edit]
edit class-of-service forwarding-classes
set queue 0 Best_Effort
set queue 1 Scavenger
set queue 2 Bulk_Data
set queue 3 Critical_Data
set queue 4 Video
set queue 5 Voice
set queue 6 Network_Control
2.
[edit]
edit class-of-service rewrite-rules dscp Rewrite_CORE_TRAFFIC
set forwarding-class Best_Effort loss-priority medium-high code-point be
set forwarding-class Bulk_Data loss-priority medium-high code-point af11
set forwarding-class Scavenger loss-priority high code-point cs1
[edit]
edit class-of-service rewrite-rules dscp-ipv6 Rewrite_CORE_TRAFFIC
set forwarding-class Best_Effort loss-priority medium-high code-point be
set forwarding-class Bulk_Data loss-priority medium-high code-point af11
set forwarding-class Scavenger loss-priority high code-point cs1
set forwarding-class Critical_Data loss-priority medium-low code-point af21
set forwarding-class Video loss-priority low code-point af41
set forwarding-class Voice loss-priority low code-point ef
set forwarding-class Network_Control loss-priority low code-point cs7
c. Configure a rewrite rule for voice traffic. This rule sets the code-point bit patterns
for the Voice forwarding class and is applied to the branch LAN interfaces.
[edit]
edit class-of-service rewrite-rules dscp voice-ef
set forwarding-class Voice loss-priority low code-point 101110
d. Configure a rewrite rule for video traffic. This rule sets the code-point bit patterns
for the Video forwarding class and is applied to the branch LAN interfaces.
[edit]
edit class-of-service rewrite-rules dscp video-af
set forwarding-class Video loss-priority low code-point 100010
e. Configure a rewrite rule for voice and video traffic. This rule sets the code-point
bit patterns for the Voice and Video forwarding classes and will be applied to
the GRE tunnels.
[edit]
edit class-of-service rewrite-rules dscp Video_Voice
set forwarding-class Voice loss-priority low code-point 101110
set forwarding-class Video loss-priority low code-point 100010
3.
[edit]
edit class-of-service schedulers SCH_Best_Effort
set transmit-rate remainder
set buffer-size remainder
set priority medium-low
b. Create a scheduler for the Scavenger forwarding class.
[edit]
edit class-of-service schedulers SCH_Scavenger
set transmit-rate percent 3
set buffer-size percent 10
set priority low
c. Create a scheduler for the Bulk_Data forwarding class.
[edit]
edit class-of-service schedulers SCH_Bulk_Data
set transmit-rate percent 20
set buffer-size percent 15
set priority medium-low
d. Create a scheduler for the Critical_Data forwarding class.
[edit]
edit class-of-service schedulers SCH_Critical_Data
set transmit-rate percent 15
set transmit-rate exact
set buffer-size percent 15
set priority medium-high
e. Create a scheduler for the Video forwarding class.
[edit]
edit class-of-service schedulers SCH_Video
set transmit-rate percent 20
set transmit-rate exact
set buffer-size percent 10
set priority high
f.
[edit]
edit class-of-service schedulers SCH_Network_Control
set transmit-rate percent 5
set transmit-rate exact
set buffer-size percent 3
7.
[edit]
set interfaces gr-0/0/0.1 per-unit-scheduler
set interfaces gr-0/0/0.2 per-unit-scheduler
c. Apply shaping on the GRE tunnel interfaces.
We are setting a shaping rate on the GRE tunnels instead of using a policer because
the shaper has a buffer and is more flexible than a policer, which applies a hard
limit to the rate and drops packets once that rate is reached.
[edit]
set class-of-service interfaces gr-0/0/0 unit 0 shaping-rate 30M
set class-of-service interfaces gr-0/0/0 unit 1 shaping-rate 30M
8.
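The shaper-versus-policer trade-off behind step 7c, as an added Python simulation that is not Junos code: a token-bucket policer drops every packet the bucket cannot pay for, while a shaper at the same 30M rate buffers the burst and releases it at the configured rate, so the excess is delayed rather than lost until the buffer fills. The bucket depth (15,000 bytes), buffer depth (64,000 bytes) and the packet arrival patterns are constructed assumptions.

```python
"""Shaping versus policing a 30M GRE tunnel.

Added example, not Junos code. It models the reasoning in step 7c: a policer
(token bucket) enforces the rate by discarding any packet the bucket cannot
pay for, while a shaper holds the excess in a buffer and releases it at the
configured rate, so a burst is delayed instead of lost until the buffer is
full. Arrival pattern, bucket depth and buffer depth are constructed; time
is in integer microseconds so the arithmetic is exact.
"""
from collections import deque

SHAPING_RATE_BPS = 30_000_000              # shaping-rate 30M from the page
RATE_BYTES_PER_S = SHAPING_RATE_BPS // 8   # 3,750,000 bytes per second


def police(arrivals, bucket_bytes):
    """Token-bucket policer. arrivals: [(time_us, size_bytes)] in time order.
    Returns (forwarded, dropped)."""
    tokens, last_t = bucket_bytes, 0
    forwarded = dropped = 0
    for t_us, size in arrivals:
        tokens = min(bucket_bytes,
                     tokens + (t_us - last_t) * RATE_BYTES_PER_S // 1_000_000)
        last_t = t_us
        if tokens >= size:
            tokens -= size
            forwarded += 1
        else:
            dropped += 1            # hard limit: nowhere to hold the packet
    return forwarded, dropped


def shape(arrivals, buffer_bytes):
    """Shaper with a tail-drop buffer drained at the configured rate.
    Returns (forwarded, dropped, max_delay_us)."""
    buffered = deque()              # (departure_time_us, size) still in buffer
    last_departure = 0
    forwarded = dropped = max_delay = 0
    for t_us, size in arrivals:
        while buffered and buffered[0][0] <= t_us:
            buffered.popleft()      # already serialized onto the tunnel
        if sum(s for _, s in buffered) + size > buffer_bytes:
            dropped += 1            # buffer exhausted: only now is anything lost
            continue
        serialization_us = size * 1_000_000 // RATE_BYTES_PER_S
        departure = max(t_us, last_departure) + serialization_us
        buffered.append((departure, size))
        last_departure = departure
        forwarded += 1
        max_delay = max(max_delay, departure - t_us)
    return forwarded, dropped, max_delay


def burst(count, size, gap_us):
    """Constructed arrival pattern: count packets of size bytes, one per gap_us."""
    return [(i * gap_us, size) for i in range(count)]


def demo():
    # 50 x 1500-byte packets 100 us apart: 120 Mb/s for 5 ms, four times the
    # tunnel rate. The same packets 400 us apart are exactly 30 Mb/s.
    flood = burst(50, 1500, 100)
    steady = burst(50, 1500, 400)
    return {
        "policer_flood": police(flood, bucket_bytes=15_000),
        "shaper_flood": shape(flood, buffer_bytes=64_000),
        "policer_steady": police(steady, bucket_bytes=15_000),
        "shaper_steady": shape(steady, buffer_bytes=64_000),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```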
Results
1.
(The class-of-service interface output for the GRE tunnels survived only as its Type
column, dscp and dscp-ipv6, in the Output direction.)
  Object      Name        Type     Index
  Classifier  Video       fixed    4
Logical interface: ge-0/0/8.60, Index: 77
  Object      Name        Type     Index
  Rewrite     voice-ef    dscp     28463
  Classifier  Voice       fixed    5
(Queue statistics; the command line and queues 0 through 2 did not survive extraction.)
       High                 :                                           0 bps
  Queue: 3, Forwarding classes: Critical_Data
    Queued:
      Packets              :              74891172                   800 pps
      Bytes                :           34900242422               3175984 bps
    Transmitted:
      Packets              :              74891172                   800 pps
      Bytes                :           34900242422               3175984 bps
      Tail-dropped packets :                     0                     0 pps
      RED-dropped packets  :                     0                     0 pps
       Low                 :                     0                     0 pps
       Medium-low          :                     0                     0 pps
       Medium-high         :                     0                     0 pps
       High                :                     0                     0 pps
      RED-dropped bytes    :                     0                     0 bps
       Low                 :                     0                     0 bps
       Medium-low          :                     0                     0 bps
       Medium-high         :                     0                     0 bps
       High                :                     0                     0 bps
  Queue: 4, Forwarding classes: Video
    Queued:
      Packets              :              67107671                  1000 pps
      Bytes                :           34090667356               4064000 bps
    Transmitted:
      Packets              :              67107671                  1000 pps
      Bytes                :           34090667356               4064000 bps
      Tail-dropped packets :                     0                     0 pps
      RED-dropped packets  :                     0                     0 pps
       Low                 :                     0                     0 pps
       Medium-low          :                     0                     0 pps
       Medium-high         :                     0                     0 pps
       High                :                     0                     0 pps
      RED-dropped bytes    :                     0                     0 bps
       Low                 :                     0                     0 bps
       Medium-low          :                     0                     0 bps
       Medium-high         :                     0                     0 bps
       High                :                     0                     0 bps
  Queue: 5, Forwarding classes: Voice
    Queued:
      Packets              :             119126769                  1400 pps
      Bytes                :           14770997856               1388992 bps
    Transmitted:
      Packets              :             119126769                  1400 pps
      Bytes                :           14770997856               1388992 bps
      Tail-dropped packets :                     0                     0 pps
      RED-dropped packets  :                     0                     0 pps
       Low                 :                     0                     0 pps
       Medium-low          :                     0                     0 pps
       Medium-high         :                     0                     0 pps
       High                :                     0                     0 pps
      RED-dropped bytes    :                     0                     0 bps
       Low                 :                     0                     0 bps
       Medium-low          :                     0                     0 bps
       Medium-high         :                     0                     0 bps
       High                :                     0                     0 bps
  Queue: 6, Forwarding classes: Network_Control
    Queued:
      Packets              :              42540243                   500 pps
      Bytes                :           10720122986               1009000 bps
    Transmitted:
      Packets              :              42540243                   500 pps
      Bytes                :           10720122986               1009000 bps
      Tail-dropped packets :                     0                     0 pps
      RED-dropped packets  :                     0                     0 pps
       Low                 :                     0                     0 pps
       Medium-low          :                     0                     0 pps
       Medium-high         :                     0                     0 pps
       High                :                     0                     0 pps
      RED-dropped bytes    :                     0                     0 bps
       Low                 :                     0                     0 bps
       Medium-low          :                     0                     0 bps
       Medium-high         :                     0                     0 bps
       High                :                     0                     0 bps
(Queue statistics for a second interface; queues 0 through 2 did not survive extraction.)
  Queue: 3, Forwarding classes: Critical_Data
    Queued:
      Packets              :              67557032                   805 pps
      Bytes                :           26081332286               2494672 bps
    Transmitted:
      Packets              :              67556848                   805 pps
      Bytes                :           26081261824               2494672 bps
      Tail-dropped packets :                    23                     0 pps
      RED-dropped packets  :                     0                     0 pps
       Low                 :                     0                     0 pps
       Medium-low          :                     0                     0 pps
       Medium-high         :                     0                     0 pps
       High                :                     0                     0 pps
      RED-dropped bytes    :                     0                     0 bps
       Low                 :                     0                     0 bps
       Medium-low          :                     0                     0 bps
       Medium-high         :                     0                     0 bps
       High                :                     0                     0 bps
  Queue: 4, Forwarding classes: Video
    Queued:
      Packets              :              41954776                   502 pps
      Bytes                :           21648664416               2073272 bps
    Transmitted:
      Packets              :              41954716                   502 pps
      Bytes                :           21648633456               2073272 bps
      Tail-dropped packets :                     0                     0 pps
      RED-dropped packets  :                     0                     0 pps
       Low                 :                     0                     0 pps
       Medium-low          :                     0                     0 pps
       Medium-high         :                     0                     0 pps
       High                :                     0                     0 pps
      RED-dropped bytes    :                     0                     0 bps
       Low                 :                     0                     0 bps
       Medium-low          :                     0                     0 bps
       Medium-high         :                     0                     0 bps
       High                :                     0                     0 bps
  Queue: 5, Forwarding classes: Voice
    Queued:
      Packets              :             117446026                  1405 pps
      Bytes                :           15502875432               1484616 bps
    Transmitted:
      Packets              :             117445988                  1405 pps
      Bytes                :           15502870416               1484616 bps
      Tail-dropped packets :                     0                     0 pps
      RED-dropped packets  :                     0                     0 pps
       Low                 :                     0                     0 pps
       Medium-low          :                     0                     0 pps
       Medium-high         :                     0                     0 pps
       High                :                     0                     0 pps
      RED-dropped bytes    :                     0                     0 bps
       Low                 :                     0                     0 bps
       Medium-low          :                     0                     0 bps
       Medium-high         :                     0                     0 bps
       High                :                     0                     0 bps
  Queue: 6, Forwarding classes: Network_Control
    Queued:
      Packets              :              41970048                   502 pps
      Bytes                :           10912205750               1044672 bps
    Transmitted:
      Packets              :              41969692                   502 pps
      Bytes                :           10912113190               1044672 bps
      Tail-dropped packets :                   323                     0 pps
      RED-dropped packets  :                     0                     0 pps
       Low                 :                     0                     0 pps
       Medium-low          :                     0                     0 pps
       Medium-high         :                     0                     0 pps
       High                :                     0                     0 pps
      RED-dropped bytes    :                     0                     0 bps
       Low                 :                     0                     0 bps
       Medium-low          :                     0                     0 bps
       Medium-high         :                     0                     0 bps
       High                :                     0                     0 bps
(Queue statistics for a third interface, from the end of queue 2 onward.)
       Low                 :                     0                     0 pps
       Medium-low          :                     0                     0 pps
       Medium-high         :                     0                     0 pps
       High                :                     0                     0 pps
      RED-dropped bytes    :                     0                     0 bps
       Low                 :                     0                     0 bps
       Medium-low          :                     0                     0 bps
       Medium-high         :                     0                     0 bps
       High                :                     0                     0 bps
  Queue: 3, Forwarding classes: Critical_Data
    Queued:
      Packets              :               1482284                     2 pps
      Bytes                :             440888442                  1520 bps
    Transmitted:
      Packets              :               1482063                     2 pps
      Bytes                :             440802694                  1520 bps
      Tail-dropped packets :                     0                     0 pps
      RED-dropped packets  :                     0                     0 pps
       Low                 :                     0                     0 pps
       Medium-low          :                     0                     0 pps
       Medium-high         :                     0                     0 pps
       High                :                     0                     0 pps
      RED-dropped bytes    :                     0                     0 bps
       Low                 :                     0                     0 bps
       Medium-low          :                     0                     0 bps
       Medium-high         :                     0                     0 bps
       High                :                     0                     0 bps
  Queue: 4, Forwarding classes: Video
    Queued:
      Packets              :                655781                     0 pps
      Bytes                :             338382996                     0 bps
    Transmitted:
      Packets              :                655708                     0 pps
      Bytes                :             338345328                     0 bps
      Tail-dropped packets :                     0                     0 pps
      RED-dropped packets  :                     0                     0 pps
       Low                 :                     0                     0 pps
       Medium-low          :                     0                     0 pps
       Medium-high         :                     0                     0 pps
       High                :                     0                     0 pps
      RED-dropped bytes    :                     0                     0 bps
       Low                 :                     0                     0 bps
       Medium-low          :                     0                     0 bps
       Medium-high         :                     0                     0 bps
       High                :                     0                     0 bps
  Queue: 5, Forwarding classes: Voice
    Queued:
      Packets              :               1836197                     0 pps
      Bytes                :             242378004                     0 bps
    Transmitted:
      Packets              :               1836152                     0 pps
      Bytes                :             242372064                     0 bps
      Tail-dropped packets :                     0                     0 pps
      RED-dropped packets  :                     0                     0 pps
       Low                 :                     0                     0 pps
       Medium-low          :                     0                     0 pps
       Medium-high         :                     0                     0 pps
       High                :                     0                     0 pps
      RED-dropped bytes    :                     0                     0 bps
       Low                 :                     0                     0 bps
       Medium-low          :                     0                     0 bps
       Medium-high         :                     0                     0 bps
       High                :                     0                     0 bps
  Queue: 6, Forwarding classes: Network_Control
    Queued:
      Packets              :                655904                     0 pps
      Bytes                :             170514684                     0 bps
    Transmitted:
      Packets              :                655793                     0 pps
      Bytes                :             170485824                     0 bps
      Tail-dropped packets :                    27                     0 pps
      RED-dropped packets  :                     0                     0 pps
       Low                 :                     0                     0 pps
       Medium-low          :                     0                     0 pps
       Medium-high         :                     0                     0 pps
       High                :                     0                     0 pps
      RED-dropped bytes    :                     0                     0 bps
       Low                 :                     0                     0 bps
       Medium-low          :                     0                     0 bps
       Medium-high         :                     0                     0 bps
       High                :                     0                     0 bps
There are two levels of high availability that you can use over your private WAN overlay:
Dead peer detection for IPsec tunnels to monitor the tunnel state and remote peer
availability.
BFD with OSPF for GRE tunnels to detect failures over the GRE tunnels.
1.
[edit]
edit security ike gateway gw-branch
set dead-peer-detection always-send
set dead-peer-detection interval 10
set dead-peer-detection threshold 5
b. Add dead peer detection to the IKE gateway for Aggregation Hub 2.
[edit]
edit security ike gateway br-head2
set dead-peer-detection always-send
set dead-peer-detection interval 10
set dead-peer-detection threshold 5
2.
In OSPF area 0.0.0.2, add BFD liveness detection to the GRE tunnel.
Set the minimum transmit and receive interval for failure detection. This interval is
the minimum time after which the local routing device transmits hello packets and
the minimum interval after which the routing device expects to receive a reply from
the neighbor with which it has established a BFD session.
Set a multiplier for hello packets: the number of consecutive hello packets that can go
unreceived by a neighbor before the originating interface is declared down.
[edit]
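How the two mechanisms above turn their timers into a failure decision, as an added Python example that is not Junos code: dead peer detection fails the IKE peer after a threshold of consecutive unanswered R-U-THERE probes sent at the configured interval (always-send, so probes go regardless of traffic), and BFD fails the session when no control packet arrives within multiplier times interval. The peer timelines are constructed; the DPD values 10/5 and the BFD values 0.5/3 are the page's.

```python
"""Failure detection timing for the two high-availability mechanisms.

Added example, not Junos code. Two small detectors driven by constructed
timelines: dead peer detection sends an R-U-THERE probe every `interval`
seconds (always-send, so probes go regardless of traffic) and fails the IKE
peer after `threshold` consecutive unanswered probes; BFD fails the session
when no control packet from the neighbor arrives within detect time =
multiplier x interval (1.5 s for the 0.5 s / 3 values in the results).
The peer timelines are constructed.
"""


def dpd_failure_time(interval, threshold, peer_alive_until, horizon):
    """Time (s) at which DPD declares the peer dead, or None if it never does.
    The peer answers every probe sent before peer_alive_until."""
    unanswered = 0
    t = interval
    while t <= horizon:
        if t < peer_alive_until:
            unanswered = 0          # R-U-THERE acknowledged, counter resets
        else:
            unanswered += 1
            if unanswered >= threshold:
                return t
        t += interval
    return None


def bfd_failure_time(interval, multiplier, packet_times, horizon):
    """Time (s) at which BFD declares the session down, or None.
    packet_times: arrival times of the neighbor's control packets.
    Fewer than `multiplier` consecutive lost packets never cause a failure."""
    detect_time = interval * multiplier
    last_seen = 0.0
    for t in sorted(packet_times):
        if t - last_seen > detect_time:
            return last_seen + detect_time
        last_seen = t
    if horizon - last_seen > detect_time:
        return last_seen + detect_time
    return None


def demo():
    """Peer goes silent at t = 23 s; compare how long each mechanism takes."""
    bfd_packets = [i * 0.5 for i in range(1, 47)]     # 0.5 s ... 23.0 s
    return {
        "dpd_down_at": dpd_failure_time(10, 5, peer_alive_until=23, horizon=300),
        "bfd_down_at": bfd_failure_time(0.5, 3, bfd_packets, horizon=300),
        # one lost packet (gap 1.0 s) is tolerated; three in a row (gap 2.0 s)
        # exceed the 1.5 s detect time
        "bfd_one_loss": bfd_failure_time(0.5, 3, [0.5, 1.0, 2.0, 2.5], horizon=3.0),
        "bfd_three_losses": bfd_failure_time(0.5, 3, [0.5, 1.0, 3.0], horizon=4.0),
    }


if __name__ == "__main__":
    print(demo())
```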
Results
State   Interface      Detect Time   Transmit Interval   Multiplier
Up      gr-0/0/0.1     1.500         0.500               3
Up      gr-0/0/0.2     1.500         0.500               3
2 sessions, 2 clients
Cumulative transmit rate 4.0 pps, cumulative receive rate 4.0 pps
Verification
Verifying End-to-End Data Traffic From the Branch
Purpose
Verify that traffic is traveling end-to-end on the WAN transport to Aggregation Hub 1.
Action
Run the following show command on the interface to the ISP.
user@branch> show interfaces ge-0/0/12 extensive
Physical interface: ge-0/0/12, Enabled, Physical link is Up
  Interface index: 146, SNMP ifIndex: 522, Generation: 149
  Description: --- To public ISP link (jbeer.PE1 fe-2/2/0) ---
  Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps, BPDU Error: None,
  MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow contol: Enabled,
  Auto-negotiation: Enabled, Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: f8:c0:01:8c:e5:0c, Hardware address: f8:c0:01:8c:e5:0c
  Last flapped   : 2013-07-11 06:33:02 PDT (1w4d 08:51 ago)
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :       24050979548186             18311512 bps
   Output bytes  :        1607029530371             20029000 bps
   Input  packets:          61293323878                 5802 pps
   Output packets:           4206882777                 6499 pps
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0,
    L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 1, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0, FIFO errors: 0,
    HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
  Egress queues: 8 supported, 7 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 Best_Effort           1812260255           1812260255
    1 Scavenger
    2 Bulk_Data              517725523            517725523
    3 Critical_Dat           519925434            519925434
    4 Video                  323579455            323579455
    5 Voice                  711867867            711867867
    6 Network_Cont           323577885            323577885
  Queue number:
    0
    1
    2
    3                   Critical_Data
    4                   Video
    5                   Voice
    6                   Network_Control
  Active alarms  : None
  Active defects : None
  MAC statistics:                      Receive         Transmit
    Total octets                 1539813184453    1683053270866
    Total packets                   3751615794       4208925916
    Unicast packets                 3751615349       4208925464
    Broadcast packets                      445              452
    Multicast packets                        0                0
    CRC/Align errors                         0                0
    FIFO errors                            469                0
    MAC control frames                       0                0
    MAC pause frames                         0                0
    Oversized frames                         0
    Jabber frames                            0
    Fragment frames                          0
    VLAN tagged frames                       0
    Code violations                          0
  Filter statistics:
    Input packet count                       0
    Input packet rejects                     0
    Input DA rejects                         0
    Input SA rejects                         0
    Output packet count                                       0
    Output packet pad count                                   0
    Output packet error count                                 0
    CAM destination filters: 2, CAM source filters: 0
  Autonegotiation information:
    Negotiation status: Complete
    Link partner:
        Link mode: Full-duplex, Flow control: None, Remote fault: OK, Link partner Speed: 100 Mbps
    Local resolution:
        Flow control: None, Remote fault: Link OK
  Packet Forwarding Engine configuration:
    Destination slot: 0
  CoS information:
    Direction : Output
    CoS transmit queue               Bandwidth               Buffer Priority   Limit
                              %            bps     %           usec
    0 Best_Effort            95      950000000    95              0    low    none
    3 Critical_Data           5       50000000     5              0    low    none
  Interface transmit statistics: Disabled
  Logical interface ge-0/0/12.0 (Index 79) (SNMP ifIndex 542) (Generation 144)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Traffic statistics:
     Input  bytes  :       24050972806826
     Output bytes  :        1607015914385
     Input  packets:          61293323879
     Output packets:           4206882778
    Local statistics:
     Input  bytes  :             18708773
     Output bytes  :             49856647
     Input  packets:               169690
     Output packets:               341301
    Transit statistics:
     Input  bytes  :       24050954098053             18311512 bps
     Output bytes  :        1606966057738             20028392 bps
     Input  packets:          61293154189                 5802 pps
     Output packets:           4206541477                 6499 pps
    Security: Zone: untrust
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp
    ospf ospf3 pgm pim rip ripng router-discovery rsvp sap vrrp dhcp finger ftp tftp
    ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm
    rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip
    dhcpv6 r2cp
    Flow Statistics :
    Flow Input statistics :
      Self packets :                          167353
      ICMP packets :                           27040
      VPN packets :                       3589475062
      Multicast packets :                          0
      Bytes permitted by policy :           17033313
      Connections established :                    0
    Flow Output statistics:
      Multicast packets :                          0
      Bytes permitted by policy :           25806316
    Flow error statistics (Packets dropped due to):
      Address spoofing:                            0
      Authentication failed:                       0
      Incoming NAT errors:                         0
      Invalid zone received packet:                0
      Multiple user authentications:               0
      Multiple incoming NAT:                       0
      No parent for a gate:                        0
      No one interested in self packets:           0
      No minor session:                            0
      No more sessions:                            0
      No NAT gate:                                 0
      No route present:                            0
      No SA for incoming SPI:                  46497
      No tunnel found:                             0
      No session for a gate:                       0
      No zone or NULL zone binding:                0
      Policy denied:                               0
      Security association not active:          2851
      TCP sequence number out of window:           0
      Syn-attack protection:                       0
      User authentication errors:                  0
    Protocol inet, MTU: 1500, Generation: 164, Route table: 4
      Flags: Sendbcast-pkt-to-re, Is-Primary, User-MTU
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 1.1.0.0/30, Local: 1.1.0.2, Broadcast: 1.1.0.3, Generation: 170
Verifying Reachability

Purpose
Use this procedure to verify reachability and traffic paths to the loopback interface of the data center router, the loopback interface of a router in a different branch, and an IP address in the service provider network that is publicly routable.

Action
1.
3. Verify connectivity from the branch to an IP address in the service provider network
Action
Verify that a failure of the primary GRE over IPsec tunnel to Aggregation Hub 1 causes all traffic to be rerouted through the secondary GRE over IPsec tunnel to Aggregation Hub 2.

1. Log in to the branch router as the root user, and enter the following shell command to take down the primary GRE tunnel interface to Aggregation Hub 1. The shell change bypasses the Junos configuration and is not persistent; the same failure can be simulated from the CLI with set interfaces gr-0/0/0 unit 1 disable followed by commit, and reversed by deleting the statement.

root@branch% ifconfig gr-0/0/0.1 down
2. Verify that the active default route is to the GRE interface to Aggregation Hub 2.
user@branch> show route 0.0.0.0
inet.0: 25 destinations, 27 routes (25 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0
3. Verify that the GRE tunnel interface at Aggregation Hub 2 is an OSPF neighbor.

user@branch> show ospf neighbor
Address          Interface      State     ID               Pri  Dead
172.16.1.5       gr-0/0/0.2     Full      172.31.255.6     128    32
4. Check the path taken by traffic to the data center after the primary link failure.

user@branch> ping 172.31.255.8 rapid
PING 172.31.255.8 (172.31.255.8): 56 data bytes
!!!!!
--- 172.31.255.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.346/3.512/3.647/0.109 ms

user@branch> traceroute 172.31.255.8
traceroute to 172.31.255.8 (172.31.255.8), 30 hops max, 40 byte packets
 1  172.16.1.5 (172.16.1.5)  6.205 ms  3.528 ms  3.569 ms        # GRE endpoint hub 2
 2  172.31.254.21 (172.31.254.21)  3.520 ms  7.031 ms  3.703 ms  # WAN aggr 2 loopback
 3  172.31.255.8 (172.31.255.8)  4.241 ms  3.620 ms  3.485 ms    # DC loopback

5. Check the branch-to-branch path taken by traffic after the primary link failure.

user@branch> ping 172.16.2.254 rapid
PING 172.16.2.254 (172.16.2.254): 56 data bytes
!!!!!
--- 172.16.2.254 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.191/3.598/4.309/0.407 ms

user@branch> traceroute 172.16.2.254
traceroute to 172.16.2.254 (172.16.2.254), 30 hops max, 40 byte packets
 1  172.16.1.5 (172.16.1.5)  3.505 ms  5.703 ms  7.324 ms        # GRE endpoint hub 2
 2  172.31.254.21 (172.31.254.21)  7.655 ms  2.815 ms            # WAN aggr hub 2
 3  172.31.254.41 (172.31.254.41)  3.657 ms  3.387 ms            # WAN aggr hub 1
6. Check the branch-to-Internet path taken by traffic after the primary link failure.

user@branch> ping 100.65.4.2
PING 100.65.4.2 (100.65.4.2): 56 data bytes
64 bytes from 100.65.4.2: icmp_seq=0 ttl=58 time=2.923 ms
64 bytes from 100.65.4.2: icmp_seq=1 ttl=58 time=2.473 ms
64 bytes from 100.65.4.2: icmp_seq=2 ttl=58 time=8.303 ms
^C
--- 100.65.4.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.473/4.566/8.303/2.649 ms

user@branch> traceroute 100.65.4.2
traceroute to 100.65.4.2 (100.65.4.2), 30 hops max, 40 byte packets
 1  172.16.1.5 (172.16.1.5)  4.244 ms  9.479 ms  3.110 ms        # GRE hub 2
 2  172.31.254.21 (172.31.254.21)  3.434 ms  3.125 ms  3.497 ms  # WAN aggr hub 2
 3  172.31.254.41 (172.31.254.41)  3.548 ms  3.682 ms  3.315 ms  # WAN aggr hub 1
 4  172.31.254.9 (172.31.254.9)  3.730 ms  3.753 ms  8.749 ms    # Internet Edge 1
 5  191.15.100.1 (191.15.100.1)  3.759 ms  3.988 ms  4.878 ms    # Internet Edge 2
 6  veloz-1-2-01.hotlink.com.br (189.1.2.1)  3.851 ms  10.126 ms  3.660 ms  # ISP
 7  * * *   # expected: traceroute is blocked by the stateful firewall on the Internet edge
 8  * * *
 9  * * *
Aggregation Hub 2.
user@branch> show multicast rpf 172.16.31.15
Multicast RPF table: inet.0 , 24 entries
0.0.0.0/0
Protocol: OSPF
Interface: gr-0/0/0.2
Neighbor: (null)
b. Verify that groups are established with upstream GRE tunnel to the Aggregation
Verifying This Scenario from the VPN Termination Router on Aggregation Hub 1

Purpose
Use this procedure to verify this scenario from the VPN termination router on Aggregation Hub 1.

Action
1.
[IKE security association: Exchange Main. IPsec security associations: Protocol ESP, ESP.]
*[Static/5] 01:54:40
> to 191.15.100.5 via ge-0/0/0.0
*[Static/1] 01:54:28
> via sp-0/3/0.1
7. Verify that egress traffic from the hub is separated into queues.

user@vpn-router> show interfaces queue gr-0/1/0.1 egress
Logical interface gr-0/1/0.1 (Index 80) (SNMP ifIndex 3950)
Forwarding classes: 16 supported, 7 in use
Egress queues: 8 supported, 7 in use
Queue: 0, Forwarding classes: Best_Effort
  Queued:
    Packets              :   9214364874225190861                  1697 pps
    Bytes                :   9214364912392081712               4158920 bps
  Transmitted:
    Packets              :   9214364874225190861                  1697 pps
    Bytes                :   9214364912392081712               4158920 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :  18410715422711087136                     0 pps
     Low, non-TCP        :   9214364874105159688                     0 pps
     Low, TCP            :   9214364874105159688                     0 pps
     High, non-TCP       :   9214364874105159688                     0 pps
     High, TCP           :   9214364874105159688                     0 pps
    RED-dropped bytes    :  18410715422711087136                     0 bps
     Low, non-TCP        :   9214364874105159688                     0 bps
     Low, TCP            :   9214364874105159688                     0 bps
     High, non-TCP       :   9214364874105159688                     0 bps
     High, TCP           :   9214364874105159688                     0 bps
Queue: 1, Forwarding classes: Scavenger
  Queued:
    Packets              :   9214364874105159688                     0 pps
    Bytes                :   5188692096283836424                     0 bps
  Transmitted:
    Packets              :   9214364874105159688                     0 pps
    Bytes                :   9214364874105159688                     0 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :  18410715422711087136                     0 pps
     Low, non-TCP        :   9214364874105159688                     0 pps
     Low, TCP            :   9214364874105159688                     0 pps
     High, non-TCP       :   9214364874105159688                     0 pps
     High, TCP           :   9214364874105159688                     0 pps
    RED-dropped bytes    :  18410715422711087136                     0 bps
     Low, non-TCP        :   9214364874105159688                     0 bps
     Low, TCP            :   9214364874105159688                     0 bps
     High, non-TCP       :   9214364874105159688                     0 bps
     High, TCP           :   9214364874105159688                     0 bps
Queue: 2, Forwarding classes: Bulk_Data
  Queued:
    Packets              :   9214364874161408153                   800 pps
    Bytes                :   9214364903185613489               3308800 bps
  Transmitted:
    Packets              :   9214364874161408153                   800 pps
    Bytes                :   9214364903185613489               3308800 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :  18410715422711087136                     0 pps
     Low, non-TCP        :   9214364874105159688                     0 pps
     Low, TCP            :   9214364874105159688                     0 pps
     High, non-TCP       :   9214364874105159688                     0 pps
     High, TCP           :   9214364874105159688                     0 pps
    RED-dropped bytes    :  18410715422711087136                     0 bps
     Low, non-TCP        :   9214364874105159688                     0 bps
     Low, TCP            :   9214364874105159688                     0 bps
     High, non-TCP       :   9214364874105159688                     0 bps
     High, TCP           :   9214364874105159688                     0 bps
Queue: 3, Forwarding classes: Critical_Data
  Queued:
    Packets              :   9214364874161410076                   800 pps
    Bytes                :   9214364895986342726               2489600 bps
  Transmitted:
    Packets              :   9214364874161410076                   800 pps
    Bytes                :   9214364895986342726               2489600 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :  18410715422711087136                     0 pps
     Low, non-TCP        :   9214364874105159688                     0 pps
     Low, TCP            :   9214364874105159688                     0 pps
     High, non-TCP       :   9214364874105159688                     0 pps
     High, TCP           :   9214364874105159688                     0 pps
    RED-dropped bytes    :  14385041682817089568                     0 bps
     Low, non-TCP        :   9214364874105159688                     0 bps
     Low, TCP            :   9214364874105159688                     0 bps
     High, non-TCP       :   9214364874105159688                     0 bps
     High, TCP           :   5188691134211162120                     0 bps
Queue: 4, Forwarding classes: Video
  Queued:
    Packets              :   9214364874175422110                  1000 pps
    Bytes                :   9214364910430660432               4136000 bps
  Transmitted:
    Packets              :   9214364874175422110                  1000 pps
    Bytes                :   9214364910430660432               4136000 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :  18410715422711087136                     0 pps
     Low, non-TCP        :   9214364874105159688                     0 pps
     Low, TCP            :   9214364874105159688                     0 pps
     High, non-TCP       :   9214364874105159688                     0 pps
     High, TCP           :   9214364874105159688                     0 pps
    RED-dropped bytes    :  18410715422711087136                     0 bps
     Low, non-TCP        :   9214364874105159688                     0 bps
     Low, TCP            :   9214364874105159688                     0 bps
     High, non-TCP       :   9214364874105159688                     0 bps
     High, TCP           :   9214364874105159688                     0 bps
Queue: 5, Forwarding classes: Voice
  Queued:
    Packets              :   9214364874182834757                  1100 pps
    Bytes                :   9214364884435941065               1170400 bps
  Transmitted:
    Packets              :   9214364874182834757                  1100 pps
    Bytes                :   9214364884435941065               1170400 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :  18410715422711087136                     0 pps
     Low, non-TCP        :   9214364874105159688                     0 pps
     Low, TCP            :   9214364874105159688                     0 pps
     High, non-TCP       :   9214364874105159688                     0 pps
     High, TCP           :   9214364874105159688                     0 pps
    RED-dropped bytes    :  18410715422711087136                     0 bps
     Low, non-TCP        :   9214364874105159688                     0 bps
     Low, TCP            :   9214364874105159688                     0 bps
     High, non-TCP       :   9214364874105159688                     0 bps
     High, TCP           :   9214364874105159688                     0 bps
Queue: 6, Forwarding classes: Network_Control
  Queued:
    Packets              :   9214364874140517033                   501 pps
    Bytes                :   9214364883296699349               1045048 bps
  Transmitted:
    Packets              :   9214364874140517033                   501 pps
    Bytes                :   9214364883296699349               1045048 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :  18410715422711087136                     0 pps
     Low, non-TCP        :   9214364874105159688                     0 pps
     Low, TCP            :   9214364874105159688                     0 pps
     High, non-TCP       :   9214364874105159688                     0 pps
     High, TCP           :   9214364874105159688                     0 pps
    RED-dropped bytes    :  14385040720744415264                     0 bps
     Low, non-TCP        :   9214364874105159688                     0 bps
     Low, TCP            :   5188690172138487816                     0 bps
     High, non-TCP       :   9214364874105159688                     0 bps
     High, TCP           :   9214364874105159688                     0 bps

The cumulative packet and byte counters in this capture sit near 2^63 and 2^64 and carry no information. The rate columns are what show the separation of traffic into queues: best effort at 1697 pps, bulk data and critical data at 800 pps each, video at 1000 pps, voice at 1100 pps and network control at 501 pps, with no tail drops or RED drops in any queue.
8. Verify that OSPF and OSPFv3 are running to the WAN aggregation router and over

[OSPF neighbor columns recovered: Pri 128, 128; Dead 37, 36. OSPFv3 neighbor columns recovered: Dead 34, 38.]

[PIM neighbor table recovered]
V  Mode  Option  Uptime    Neighbor addr
2        HPLGT   23:30:16  172.31.254.13
2        HPLGT   15:53:59  172.16.1.2
2        HPLGT   23:29:56  172.21.2.102
2        HPLGT   23:29:50  172.21.16.118
2        HPLGT   23:30:16  172.21.16.98
2        HPLGT   23:30:18  172.21.16.102
CHAPTER 12
Requirements
This example uses the following hardware and software components at the branch:
1x Gbe PIC
NOTE: This remote site type was tested using an M7i Multiservice Edge Router. This design can be easily migrated to an MX Series with an MS-MIC for use as an Internet-connected branch router. An example configuration is shown in Appendix A: Alternate Config Aggregation and Branch using MX80 with Services MIC on page 737.
Overview

This design is a medium-sized branch with a single branch router (Figure 76 on page 365).

For high availability, this is a dual-homed scenario with Aggregation Hub 1 as the primary location and Aggregation Hub 2 as the backup location.

The secondary transport to Aggregation Hub 2 is the public Internet using GRE tunnels. For security, the GRE tunnels run over IPsec tunnels: IPsec provides confidentiality and integrity for the session, and GRE provides the IP multicast and multiprotocol capabilities that IPsec alone does not carry.

Link-level high availability on the Layer 3 VPN transport is provided by the service provider.

All traffic sent from the branch (to the data center, the Internet, or other branches) uses the 0.0.0.0/0 route received over the Layer 3 VPN (primary path) and over the IBGP session on the GRE over IPsec tunnel (secondary path).

The primary Layer 3 VPN transport uses EBGP. The branch is a peer with the Layer 3 VPN service provider.

The GRE tunnels that run over the Internet transport use IBGP to peer with the VPN router at Aggregation Hub 2. BFD is configured for this IBGP session for fast failure detection.

The branch router has three VLANs (data, voice, and video) configured towards the branch switch.

CoS scheduling and shaping is applied to both the Layer 3 VPN physical link and the GRE tunnels.
Chapter 12: Connecting a Medium Branch to Dual-Homed Aggregation Hubs over Layer 3 VPN with Internet Backup
Topology
Figure 76: Test Lab Topology Connecting Medium Branch over Layer 3
VPN with Backup GRE over IPsec Tunnel
Before you configure this scenario, configure the base configurations at Aggregation Hub
1 and Aggregation Hub 2. Then complete the following:
Configuring the WAN Transport on the WAN Aggregation Router at Aggregation Hub 1 on page 367
Configuring EBGP Routing for the WAN Transport on the WAN Aggregation Router at Aggregation Hub 1 on page 367
Applying CoS to the WAN Transport on the WAN Aggregation Router at Aggregation Hub 1 on page 368
Configuring Multicast on the WAN Aggregation Router at Aggregation Hub 1 on page 368
Configuring EBGP Routing for the WAN Transport on the WAN Aggregation Router at Aggregation Hub 1
Step-by-Step
Procedure
Configure EBGP groups for peering between the WAN aggregation router at the hub and
the Layer 3 VPN service provider.
The policies have already been configured in the Aggregation Hub 1 base configuration.
1.
2. Apply the traffic control profile, classifiers, and rewrite rules to the WAN transport interface. The classifiers and rewrite rules are configured in the aggregation hub base configuration.
[edit]
edit class-of-service interfaces ge-1/2/5
set output-traffic-control-profile TO-L3VPN-VPN1
set unit 0 classifiers dscp DSCP-BA
set unit 0 classifiers dscp-ipv6 DSCP-BA
set unit 0 rewrite-rules dscp DEF_DSCP_REWRITE
set unit 0 rewrite-rules dscp-ipv6 DEF_DSCP_REWRITE
1. Add the physical interface to the Layer 3 VPN service provider to the multicast configuration.
[edit]
edit protocols pim interface ge-1/2/5.0
set mode sparse
set version 2
Configuring WAN Transport Security on the VPN Termination Role at Aggregation Hub 2 on page 369
Configuring Dynamic Endpoints for IPsec Tunnels on the VPN Termination Role at Aggregation Hub 2 on page 370
Configuring the Overlay WAN Transport on the VPN Termination Role at Aggregation Hub 2 on page 372
Configuring Private Overlay Routing on the VPN Termination Role at Aggregation Hub 2 on page 373
Configuring Multicast on the VPN Termination Role at Aggregation Hub 2 on page 374
Applying CoS to the Tunnel Interfaces on the VPN Termination Role at Aggregation Hub 2 on page 375
We are using IPsec to secure the GRE tunnels between the branch and the aggregation hub. The WAN transport security configuration consists of an Internet Key Exchange (IKE) configuration for IPsec phase 1 negotiation and an IPsec configuration for phase 2 negotiation.

1. For IKE phase 1 negotiation with the branch, configure an IKE proposal and policy.

a. Configure an IKE proposal that matches the proposal configured on the branch router. The proposal uses pre-shared-key authentication, Diffie-Hellman group 2 (1024-bit MODP), SHA-256 and AES-256-CBC, with a 28800-second (8-hour) SA lifetime. Group 2 is the weakest element of this proposal; where the services PIC supports it, use group 14 or stronger for new deployments and change the branch proposal to match, because mismatched proposals fail phase 1.
[edit]
edit services ipsec-vpn ike proposal ike-phase1-proposal
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha-256
set encryption-algorithm aes-256-cbc
set lifetime-seconds 28800
b. Configure an IKE policy and associate the IKE proposal with the policy.
[edit]
edit services ipsec-vpn ike policy ike-phase1-policy
set mode main
set proposals ike-phase1-proposal
set pre-shared-key ascii-text "$9$5znCO1hKMXtuMX7-2gTz3"
2. For IPsec phase 2 negotiation with the branch, configure an IPsec proposal and policy.

a. Configure an IPsec proposal that matches the proposal configured on the branch router.
[edit]
edit services ipsec-vpn ipsec proposal dynamic_ipsec_proposal
set protocol esp
set authentication-algorithm hmac-sha1-96
set encryption-algorithm aes-256-cbc
b. Configure the IPsec policy, which lists protocols and algorithms (security services)
Configuring Dynamic Endpoints for IPsec Tunnels on the VPN Termination Role
at Aggregation Hub 2
Step-by-Step
Procedure
Dynamic endpoint IPsec is used to reduce the configuration and changes required when a new branch comes online. You need to configure dynamic endpoints only once at the aggregation hub.

1. Create an IKE access profile that is used to negotiate IKE and IPsec security associations with dynamic peers.

The client value * (wildcard) means this profile is valid for all dynamic peers that terminate in the service set that accesses this profile.

The local proxy pair address on the hub is the local loopback address used for the GRE tunnel. The remote proxy pairs bound the traffic selectors a dynamic peer may negotiate: a peer that proposes addresses outside 172.16.0.0/20 or 172.20.0.0/16 is refused.

The IKE policy is the policy that defines the remote identification values that correspond to the allowed dynamic peers.

The interface identifier is the interface used to derive the logical service interface for the session.
[edit]
edit access profile IPsec_Clients_Group1 client * ike
set allowed-proxy-pair local 172.31.255.231/32 remote 172.16.0.0/20
set allowed-proxy-pair local 172.31.255.231/32 remote 172.20.0.0/16
set ike ike-policy ike-phase1-policy
set ike interface-id IPsec_Clients_Group1
2. Configure the service interface units used by the dynamic IPsec tunnels.

The dial options interface ID specifies that this logical interface takes part in dynamic IPsec negotiation for the group of dynamic peers defined for IPsec_Clients_Group1.

The dial options shared mode enables the logical interface to be shared across multiple tunnels.

The inside and outside service domains must match the interface domains specified in the service set.
[edit]
edit interfaces sp-1/0/0
set unit 1 description "--- Outbound unit for DEP IPSEC tunnel ----"
set unit 1 family inet
set unit 1 service-domain outside
set unit 2 description "--- Inbound unit for DEP IPSEC (shared) tunnel ---"
set unit 2 dial-options ipsec-interface-id IPsec_Clients_Group1
set unit 2 dial-options shared
set unit 2 family inet
set unit 2 service-domain inside
3. The reverse routes at the aggregation hub include next hops that point to the locations specified by the inside and outside service interfaces. The reverse routes are inserted into the VPN routing instance routing table because the sp-1/0/0 interfaces are present in this routing instance. The inside and outside service interfaces must match the inside and outside service domains configured at the [edit interfaces sp-1/0/0] hierarchy.

Specify the address and the routing instance of the local gateway. The local gateway address is the local address of the logical tunnel interface (lt-5/1/0.53) from the VPN termination role to the Internet edge role.
Configuring the Overlay WAN Transport on the VPN Termination Role at Aggregation Hub 2
Step-by-Step
Procedure
1. Configure a logical GRE interface for each tunnel to be formed between the branch and the aggregation hub. Specify the outer GRE source and destination tunnel addresses that are used to form the tunnel; these are the local and remote addresses of the loopback interfaces. Specify the inner IPv4 and IPv6 addresses that are used after the tunnel is formed. The fec0::/10 site-local prefix used for the inner IPv6 address is deprecated by RFC 3879; outside the lab, use a unique local address from fc00::/7.

[edit]
edit interfaces gr-5/1/0 unit 1
set tunnel source 172.31.255.231
set tunnel destination 172.16.1.255
set tunnel routing-instance destination VPN
set family inet address 172.16.1.5/30
set family inet6 address fec0:16:1:4::1/64
2. Configure the loopback interface that is configured in the VPN routing instance. Its address is used on the IPsec tunnels and as the outer source address of the GRE tunnels.

[edit]
edit interfaces lo0 unit 3
set family inet address 172.31.255.231/32

3. Configure the loopback interface that is configured in the WAN-GRE routing instance. Its address is the router's loopback inside the GRE overlay.

[edit]
edit interfaces lo0 unit 4
set family inet address 172.31.255.6/32
set family inet6 address 2001:DB8:255::6/128

On the VPN termination router at the aggregation hub, there are two virtual routing instances:

VPN: The routing instance that holds the IPsec service interfaces and the loopback address that terminates the IPsec tunnels from the branches.

WAN-GRE: An internal routing instance that terminates the private GRE IPv4 addressing. The WAN-GRE virtual router is part of the internal routing domain and is an IBGP peer with the GRE tunnel endpoint at the branch.
1. Add the IPsec interfaces and the loopback interface to the VPN routing instance. The loopback interface is the remote endpoint for the branch. The address of the loopback interface is used on the IPsec tunnels.

[edit]

2. Add the GRE tunnel interfaces to the WAN-GRE routing instance. Create a logical unit for each GRE tunnel that can be formed to the branch. Add the loopback interface used inside the GRE overlay.

[edit]
edit routing-instances WAN-GRE
set interface gr-5/1/0.1
set interface lo0.4
Routing for the WAN transport is in the WAN-GRE routing instance. The routing in this instance includes routing adjacencies over the GRE tunnel and to the WAN aggregation router at Aggregation Hub 2.

1. Create an IBGP peer group for IPv4 to peer with the remote GRE tunnel endpoint at the branch.

This IBGP peer group uses the default local preference value of 100, which gives routes learned through Aggregation Hub 2 a lower preference than routes learned through Aggregation Hub 1, which carry a local preference value of 200.

The ADV_DEFAULT policy causes BGP to advertise only the default route to the branch. It prevents the branch from receiving advertisements for routes to other branches.

The cluster statement causes the IBGP peer at the aggregation hub to act as a BGP route reflector.
[edit]
edit routing-instances WAN-GRE protocols bgp group IBGPoGRE
set type internal
set passive
set out-delay 450
set family inet unicast
set authentication-key "$9$PTF6p01ylvdbkmfTn6rlK"
set export ADV_DEFAULT
set cluster 0.0.0.3
set neighbor 172.16.2.6 description
2. Create an IBGP peer group for IPv6 to peer with the remote GRE tunnel endpoint at the branch.

This IBGP peer group uses the default local preference value of 100, which gives routes learned through Aggregation Hub 2 a lower preference than routes learned through Aggregation Hub 1, which carry a local preference value of 200.

The ADV_DEFAULT-V6 policy causes BGP to advertise only the default route to the branch. It prevents the branch from receiving advertisements for routes to other branches.

The cluster statement causes the IBGP peer at the aggregation hub to act as a BGP route reflector.
[edit]
edit routing-instances WAN-GRE protocols bgp group IBGPoGRE-V6
set type internal
set passive
set out-delay 450
set family inet6 unicast
set export ADV_DEFAULT-V6
set cluster 0.0.0.4
set neighbor fec0:16:2:4::2 authentication-key "$9$-WbY4UjkTznO1XNdbg4Qz3"
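The pre-shared key in the IKE policy earlier in this section and the authentication keys in the two IBGP groups above are stored in the Junos $9$ format. That format is a reversible, keyless obfuscation, not encryption: anyone who can read the configuration (a backup, a diff attached to a ticket, a pasted show configuration) can recover the secret. The following Python block is an added example, not code from this guide or from Juniper. It reimplements the published $9$ scheme; the alphabet families and weight tables are taken from the open-source Crypt::Juniper implementation and are an assumption of this example, and it is applied to the three $9$ strings quoted in this chapter.

```python
"""Junos $9$ reversible obfuscation, reimplemented as an added example.

The tables below follow the open-source Crypt::Juniper implementation
(assumption: they are not documented by Juniper in this guide).
"""
import random

MAGIC = "$9$"
# Alphabet in four families; the family of the salt character fixes how many
# random filler characters follow it (3, 2, 1 or 0). Fillers carry no data.
FAMILY = ["QzF3n6/9CAtpu0O", "B1IREhcSyrleKvMW8LXx",
          "7N-dVbwsY2g4oaJZGUDj", "iHkq.mPf5T"]
EXTRA = {c: 3 - i for i, fam in enumerate(FAMILY) for c in fam}
NUM_ALPHA = list("".join(FAMILY))                 # 65 symbols
ALPHA_NUM = {c: i for i, c in enumerate(NUM_ALPHA)}
# Each plaintext byte is split into "gaps" weighted by one of these rows,
# chosen by the byte's position; every gap becomes one output character
# expressed as an offset from the previous output character.
ENCODING = [[1, 4, 32], [1, 16, 32], [1, 8, 32], [1, 64],
            [1, 32], [1, 4, 16, 128], [1, 32, 64]]


def _gap_encode(byte, prev, weights):
    gaps = []
    for w in reversed(weights):                   # largest weight first
        gaps.insert(0, byte // w)
        byte %= w
    out = ""
    for gap in gaps:
        prev = NUM_ALPHA[(ALPHA_NUM[prev] + 1 + gap) % len(NUM_ALPHA)]
        out += prev
    return out


def juniper_encrypt(plain, salt=None, rng=random):
    """Obfuscate `plain` the way Junos stores it. No key is involved."""
    salt = salt or rng.choice(NUM_ALPHA)
    filler = "".join(rng.choice(NUM_ALPHA) for _ in range(EXTRA[salt]))
    crypt, prev = MAGIC + salt + filler, salt
    for pos, ch in enumerate(plain):
        if ord(ch) > 255:
            raise ValueError("only single-byte characters are supported")
        chunk = _gap_encode(ord(ch), prev, ENCODING[pos % len(ENCODING)])
        crypt, prev = crypt + chunk, chunk[-1]
    return crypt


def juniper_decrypt(crypt):
    """Recover the plaintext from a $9$ string using nothing but the string."""
    if not crypt.startswith(MAGIC):
        raise ValueError("not a $9$ string")
    chars = crypt[len(MAGIC):]
    salt, chars = chars[0], chars[1:]
    chars = chars[EXTRA[salt]:]                   # discard the random filler
    prev, plain = salt, ""
    while chars:
        weights = ENCODING[len(plain) % len(ENCODING)]
        chunk, chars = chars[:len(weights)], chars[len(weights):]
        if len(chunk) != len(weights):
            raise ValueError("truncated $9$ string")
        gaps = []
        for c in chunk:
            gaps.append((ALPHA_NUM[c] - ALPHA_NUM[prev]) % len(NUM_ALPHA) - 1)
            prev = c
        plain += chr(sum(g * w for g, w in zip(gaps, weights)))
    return plain


# The three secrets exactly as they appear in this chapter's hub configuration.
IKE_PSK_FROM_GUIDE = "$9$5znCO1hKMXtuMX7-2gTz3"
IBGP_KEY_FROM_GUIDE = "$9$PTF6p01ylvdbkmfTn6rlK"
IBGP_V6_KEY_FROM_GUIDE = "$9$-WbY4UjkTznO1XNdbg4Qz3"

if __name__ == "__main__":
    for s in (IKE_PSK_FROM_GUIDE, IBGP_KEY_FROM_GUIDE, IBGP_V6_KEY_FROM_GUIDE):
        print(s, "->", juniper_decrypt(s))
```

Decoding the three strings from this chapter returns the lab values juniper (IKE pre-shared key) and JUNIPER (both IBGP authentication keys), which are also trivially guessable. Treat the configuration file with the same care as the keys it contains, use long random pre-shared keys (or certificate authentication) and BGP keys, and rotate them if a configuration has been exposed.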
There are two levels of high availability that you can use over your private WAN overlay:

Dead peer detection for IPsec tunnels to monitor the tunnel state and remote peer availability.

BFD with IBGP over the GRE tunnels to detect failures of the GRE path.

1.
2. In the IBGP peer group to the remote end of the GRE tunnel at the branch, add the following statements:

Set the minimum transmit and receive interval for failure detection. This is the minimum interval at which the local routing device transmits BFD control packets and the minimum interval at which it expects to receive them from the neighbor with which it has established a BFD session.

Set the detection multiplier, which is the number of consecutive intervals without a packet from the neighbor after which the session, and with it the BGP peer, is declared down. With the values below, a failure is detected after 3 x 500 ms = 1.5 seconds.
[edit]
edit routing-instances WAN-GRE protocols bgp group IBGPoGRE
set bfd-liveness-detection minimum-interval 500
set bfd-liveness-detection multiplier 3
Applying CoS to the Tunnel Interfaces on the VPN Termination Role at Aggregation Hub 2

Step-by-Step
Procedure

In overlay environments it is critical to be able to schedule and control the traffic out to the remote branches. This is most effectively achieved if you use GRE or tunnel QoS, where you can implement a CoS shaper and traffic scheduler per tunnel to control the bandwidth of the tunnel and schedule high-priority traffic over low-priority traffic.

The router at Aggregation Hub 2 is an MX Series router, and MX Series routers do not support per-unit GRE scheduling. To work around this, we are configuring CoS on logical tunnel (lt) interfaces on the MX Series router. The lt interfaces apply CoS to egress traffic before it is sent over the GRE tunnels to the branch.

1. Apply the scheduler map to the GRE tunnel interfaces. The scheduler map is configured in the Aggregation Hub 2 base configuration.

[edit]
edit class-of-service interfaces gr-5/1/0
set scheduler-map MAIN-SCHD

2. In the GRE logical interface configuration, configure the tunnel to copy the ToS byte of the inner IP header to the outer IP header of the GRE packet.

In this design, we are classifying traffic based on DSCP markings in the ToS byte of the IP header. Because that header is encapsulated in a GRE tunnel, its ToS byte needs to be copied to the GRE outer header; otherwise every router on the tunnel path sees only the outer header's default marking.

[edit]
edit interfaces gr-5/1/0 unit 1
set copy-tos-to-outer-ip-header

3. Apply the traffic control profile to the logical tunnel that is used for scheduling and queueing. Before you implement this step, you need to have enabled hierarchical scheduling on the lt interface and committed the configuration.

[edit]
edit class-of-service interfaces lt-5/1/0
set unit 2 output-traffic-control-profile SMALL-BRANCH
Configuring the Physical WAN Transport on the Branch Router on page 380
Configuring the Internet WAN Transport Routing on the Branch Router on page 381
Configuring the WAN Transport Routing Protocols on the Branch Router on page 383
Configuring Internet WAN Transport Security on the Branch Router on page 387
Configuring the Logical Internet WAN Transport on the Branch Router on page 390
Configuring the Routing Protocol for the LAN Transport on the Branch Router on page 395
1. Create a set of prefix lists that are used in firewall filters that are set up for Routing Engine protection. These prefix lists specify trusted IP subnets and addresses for different types of traffic. Traffic received from these addresses will be allowed through the filters used for Routing Engine protection.
[edit]
edit policy-options
set prefix-list trusted-bgp-peers 2.2.0.0/24
set prefix-list trusted-bgp-peers 172.16.2.0/24
set prefix-list trusted-networks 10.0.0.0/8
set prefix-list trusted-networks 172.16.0.0/12
set prefix-list trusted-networks 192.168.0.0/16
set prefix-list NMS 10.0.0.0/8
set prefix-list NMS 172.16.0.0/12
set prefix-list NMS 192.168.0.0/16
set prefix-list IPsec-Servers 191.15.200.0/24
2.
3. Create a firewall filter used for Routing Engine protection. The filter is used to prevent small packet attacks, fragment attacks, and denial of service (DoS) attacks from specific protocols such as ICMP, BGP, OSPF, SNMP, UDP, and TCP. The filter accepts traffic only from trusted sources, and it discards all other traffic. The filter also includes a policer that applies rate limits to the traffic that is accepted by the filter.

a. Create the firewall filter, and specify that counters defined in the filter are interface specific.
[edit]
edit firewall family inet filter RE-PROTECT
set interface-specific
b. Create a term for IPsec traffic.
[edit]
edit firewall family inet filter RE-PROTECT
set term IPsec from source-prefix-list IPsec-Servers
set term IPsec from protocol udp
set term IPsec from port 500
set term IPsec from port 4500
set term IPsec then policer limit-150k
set term IPsec then count IPsec
set term IPsec then accept
c. Create a term for BGP traffic.
[edit]
edit firewall family inet filter RE-PROTECT
set term bgp-in from source-prefix-list trusted-bgp-peers
set term bgp-in from protocol tcp
set term bgp-in from port bgp
set term bgp-in then policer limit-150k
set term bgp-in then count bgp-in
set term bgp-in then accept
d. Create a term that accepts traffic from trusted PIM neighbors.
[edit]
edit firewall family inet filter RE-PROTECT
set term pim from source-prefix-list trusted-networks
set term pim from protocol pim
set term pim then policer limit-150k
set term pim then count pim
set term pim then accept
e. Create a term that accepts OSPF traffic from trusted OSPF neighbors.
[edit]
edit firewall family inet filter RE-PROTECT
set term ospf-in from source-prefix-list trusted-networks
set term ospf-in from protocol ospf
set term ospf-in then policer limit-150k
set term ospf-in then count ospf-in
set term ospf-in then accept
f. Create a term that accepts SNMP traffic from trusted network management systems.

[edit]
edit firewall family inet filter RE-PROTECT
set term snmp-in from source-prefix-list NMS
set term snmp-in from protocol udp
set term snmp-in from port snmp
set term snmp-in then policer limit-150k
set term snmp-in then count snmp-in
set term snmp-in then accept
h. Create a term for ICMP traffic, which includes IPv4 error messages.
[edit]
edit firewall family inet filter RE-PROTECT
set term icmp-in from source-prefix-list trusted-networks
set term icmp-in from protocol icmp
set term icmp-in then policer limit-150k
set term icmp-in then count icmp-in
set term icmp-in then accept
i.
Create a term that controls SSH, FTP, and Telnet access to the router.
[edit]
edit firewall family inet filter RE-PROTECT
set term access-in from source-prefix-list NMS
set term access-in from protocol tcp
set term access-in from port ssh
set term access-in from port ftp
set term access-in from port ftp-data
set term access-in from port telnet
set term access-in then count access-in
set term access-in then accept
j.
Create a term that accepts TCP and TACACS traffic from trusted network
management systems.
[edit]
edit firewall family inet filter RE-PROTECT
set term remote-auth-tcp from source-prefix-list NMS
set term remote-auth-tcp from protocol tcp
set term remote-auth-tcp from port tacacs
set term remote-auth-tcp then count tacacs
set term remote-auth-tcp then accept
k. Create a term that accepts UDP and RADIUS traffic from trusted network
management systems.
[edit]
edit firewall family inet filter RE-PROTECT
set term remote-auth-udp from source-prefix-list NMS
set term remote-auth-udp from protocol udp
m. Create a term for incoming traffic with a source and destination loopback address.
[edit]
edit firewall family inet filter RE-PROTECT
set term loopback-in from source-address 127.0.0.1/32
set term loopback-in from destination-address 127.0.0.1/32
set term loopback-in then count loopback-in
set term loopback-in then accept
n. Configure a term that prevents small packet attacks.
[edit]
edit firewall family inet filter RE-PROTECT
set term small-packets from packet-length 0-24
set term small-packets then count small-packet-attack
set term small-packets then log
set term small-packets then discard
o. Configure a term that prevents fragment attacks.
[edit]
edit firewall family inet filter RE-PROTECT
set term fragment-packets from fragment-offset-except 0
set term fragment-packets from protocol icmp
set term fragment-packets from protocol igmp
set term fragment-packets from protocol pim
set term fragment-packets from protocol tcp
set term fragment-packets then count frag-attack
set term fragment-packets then log
set term fragment-packets then discard
p. Configure a term that explicitly discards all other traffic.
[edit]
edit firewall family inet filter RE-PROTECT
set term deny-all then count illegal-traffic-in
set term deny-all then log
set term deny-all then discard
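One set of checks a reviewer can run over a Routing Engine filter like the one built in steps j through p before committing it: term order, unrestricted accepts, silent discards and the final default deny. The Python lint below is an added example, not part of the Juniper guide; the filter text it parses is constructed from the terms on this page (the NMS prefix-list name is the page's) plus two deliberately defective terms, ntp-any and late-term, so that each check finds something.

```python
"""Lint a Junos Routing Engine protection filter written as 'set' lines.

Added example, not code from the Juniper guide. The filter below is
constructed from the RE-PROTECT terms on this page, with two deliberate
defects added (an unrestricted 'ntp-any' accept term and a 'late-term'
placed after the catch-all discard) so that every check has something to find.
"""
import re
from collections import OrderedDict

SAMPLE_FILTER = """\
set term remote-auth-tcp from source-prefix-list NMS
set term remote-auth-tcp from protocol tcp
set term remote-auth-tcp from port tacacs
set term remote-auth-tcp then count tacacs
set term remote-auth-tcp then accept
set term loopback-in from source-address 127.0.0.1/32
set term loopback-in from destination-address 127.0.0.1/32
set term loopback-in then count loopback-in
set term loopback-in then accept
set term ntp-any from protocol udp
set term ntp-any from port ntp
set term ntp-any then accept
set term small-packets from packet-length 0-24
set term small-packets then count small-packet-attack
set term small-packets then log
set term small-packets then discard
set term deny-all then count illegal-traffic-in
set term deny-all then log
set term deny-all then discard
set term late-term from protocol icmp
set term late-term then accept
"""

# The corrected filter: the accept term is restricted to the NMS prefix
# list and the unreachable term is dropped.
FIXED_FILTER = "\n".join(
    line for line in SAMPLE_FILTER.splitlines() if not line.startswith("set term late-term")
).replace("set term ntp-any from protocol udp",
          "set term ntp-any from source-prefix-list NMS\nset term ntp-any from protocol udp")

SET_RE = re.compile(r"^set term (\S+) (from|then) (\S+)(?: (.+))?$")
SOURCE_KEYS = ("source-prefix-list", "source-address", "prefix-list")


def parse_filter(text):
    """Return an ordered {term: {'from': {key: [values]}, 'then': {action: value}}}.

    Term order is kept because Junos evaluates terms top to bottom and the
    first matching term decides; a term with no 'from' matches everything.
    """
    terms = OrderedDict()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SET_RE.match(line)
        if not m:
            raise ValueError("unrecognised line: %r" % line)
        name, section, key, value = m.groups()
        term = terms.setdefault(name, {"from": OrderedDict(), "then": OrderedDict()})
        if section == "from":
            term["from"].setdefault(key, []).append(value)
        else:
            term["then"][key] = value  # accept/discard/log carry no value
    return terms


def lint_re_filter(text):
    """Return {check: [terms]} for the review checks that found something."""
    terms = parse_filter(text)
    names = list(terms)
    findings = {"unreachable": [], "unrestricted_accept": [],
                "silent_discard": [], "no_final_discard": []}
    catch_all_seen = False
    for name in names:
        t = terms[name]
        if catch_all_seen:               # shadowed by an earlier catch-all term
            findings["unreachable"].append(name)
        if "accept" in t["then"] and not any(k in t["from"] for k in SOURCE_KEYS):
            findings["unrestricted_accept"].append(name)   # reachable from any source
        if "discard" in t["then"] and not ({"count", "log", "syslog"} & set(t["then"])):
            findings["silent_discard"].append(name)        # drops nobody can see
        if not t["from"]:
            catch_all_seen = True
    last = terms[names[-1]]
    if last["from"] or "discard" not in last["then"]:
        findings["no_final_discard"].append(names[-1])     # no explicit default deny
    return {check: hits for check, hits in findings.items() if hits}


if __name__ == "__main__":
    print("sample:", lint_re_filter(SAMPLE_FILTER))   # three findings
    print("fixed: ", lint_re_filter(FIXED_FILTER))    # {}
```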
Results
There are two physical WAN transports configured in this scenario: the physical interface to the Layer 3 VPN service provider and the physical interface to the Internet service provider.
Results
1. Verify that the physical transport to the Layer 3 VPN service provider is up:
user@branch> show interfaces ge-0/0/2 terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     172.16.2.2/30
                                   inet6    fe80::5e5e:abff:fefe:6802/64
                                            2001:DB8:2:1::2/64
                                   multiservice
2. Verify that the physical transport to the Internet service provider is up:
user@branch> show interfaces ge-0/0/1 terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     2.2.0.2/30
                                   multiservice
Configure the virtual routing instance for Internet traffic. The routing instance does not
allow traffic to the branch LAN from the Internet, and it protects the internal branch
routing tables.
1. Unit 0 is used in the VPN termination routing instance, and is used for the connections to the aggregation hub. Unit 1 is used in the default routing instance, and is used with the branch LANs.
[edit]
edit interfaces lo0
set unit 0 description "--- VPN Routing instance ---"
set unit 0 family inet filter input RE-PROTECTION
deactivate unit 0 family inet filter input
set unit 0 family inet address 172.16.2.255/32
set unit 1 description "--- Default Routing instance ---"
set unit 1 family inet filter input RE-PROTECTION
deactivate unit 1 family inet filter input
set unit 1 family inet address 172.16.2.254/32
set unit 1 family inet6 address fec0:16:2::254/128
2. Configure the routing instance and add the Internet-facing interfaces: the Ethernet interface to the Internet service provider, Unit 0 of the loopback interface, and the IPsec interfaces.
[edit]
edit routing-instances VPN
set instance-type virtual-router
set interface ge-0/0/1.0
set interface sp-0/3/0.1
3. Add a static route to the loopback address of the VPN termination router on Aggregation Hub 2. This route is used to establish GRE tunnels.
[edit]
edit routing-instances VPN
set routing-options static route 172.31.255.231/32 next-hop sp-0/3/0.1
Results
1. Verify that the Internet service provider gateway is reachable from the VPN routing instance.
user@branch> ping 2.2.0.1 routing-instance VPN count 5
PING 2.2.0.1 (2.2.0.1): 56 data bytes
64 bytes from 2.2.0.1: icmp_seq=0 ttl=64 time=0.992 ms
64 bytes from 2.2.0.1: icmp_seq=1 ttl=64 time=0.724 ms
64 bytes from 2.2.0.1: icmp_seq=2 ttl=64 time=0.799 ms
64 bytes from 2.2.0.1: icmp_seq=3 ttl=64 time=0.732 ms
64 bytes from 2.2.0.1: icmp_seq=4 ttl=64 time=0.834 ms

--- 2.2.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.724/0.816/0.992/0.097 ms
2. Verify EBGP peering with the Internet service provider gateway.
user@branch> show bgp summary instance VPN
Groups: 1 Peers: 1 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
VPN.inet.0             1          1          0          0          0          0
VPN.mdt.0              0          0          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
2.2.0.1                  69      31149      30992       0       1  3d 15:00:01 Establ
  VPN.inet.0: 1/1/1/0
3. Verify the routes that are learned from the aggregation hub by displaying the inet.0
2.2.0.0/30
2.2.0.2/32
172.16.2.255/32
172.31.255.231/32
1. Configure the AS number, and specify the number of times the AS can be in an AS path.
[edit]
edit routing-options
set autonomous-system 65530
set autonomous-system loops 2
2.
[edit]
edit policy-options policy-statement ACCEPT_DEFAULT
set term 1 from route-filter 0.0.0.0/0 exact
set term 1 then accept
set term default then reject
b. Configure a policy that is used to accept only default IPv6 routes.
[edit]
edit policy-options policy-statement ACCEPT_DEFAULT-V6
set term 1 from family inet6
set term 1 from route-filter ::/0 exact
set term 1 then accept
set term default then reject
c. Configure a policy that is used to control IPv4 routes that are advertised to the
aggregation hub.
This policy prevents the default static route from being advertised and allows
OSPF and direct routes to be advertised. Make the policy a next-hop self policy,
which causes the loopback address to be advertised as the next-hop address.
[edit]
edit policy-options policy-statement BRANCH-PREFIX
set term block-default from route-filter 0.0.0.0/0 exact
set term block-default then reject
aggregation hub.
This policy prevents the default static route from being advertised and allows
OSPF and direct routes to be advertised.
[edit]
edit policy-options policy-statement BRANCH-PREFIX-V6
set term block-default from family inet6
set term block-default from route-filter ::/0 exact
set term block-default then reject
set term branch from protocol ospf3
set term branch from protocol direct
set term branch then accept
set term 2 then reject
e. Configure a policy that sets the local preference to 200 for the IPv4 default route
Configure a policy that sets the local preference to 200 for the IPv6 default route
and IPv6 routes learned from BGP.
[edit]
edit policy-options policy-statement SET_LOCAL_PREF6
set term 1 from family inet6
set term 1 from protocol bgp
set term 1 from route-filter ::/0 exact
set term 1 then local-preference 200
set term 1 then accept
set term default then reject
3. Configure EBGP peer groups between the branch and the Layer 3 VPN service provider.
a. Configure an IPv4 EBGP peer group between the branch router and the Layer 3
Configure IBGP peer groups between the branch and the remote end of the GRE tunnels.
a. Configure an IPv4 IBGP peer group to the remote end of the GRE tunnel.
The ACCEPT_DEFAULT import policy accepts only the default route from the
hub, which prevents routes from other branches from being distributed to the
branch.
The BRANCH-PREFIX export policy controls default route advertisement to the
hub. It prevents default routes learned by another protocol from being advertised
to the hub, and causes the loopback address of the branch router to be advertised
to the hub as the next hop.
[edit]
edit protocols bgp group IBGPoGRE-H2
set type internal
The ACCEPT_DEFAULT-V6 import policy accepts only the default route from
the hub, which prevents routes from other branches from being distributed to
the branch.
The BRANCH-PREFIX-V6 export policy controls default route advertisement to
the hub. It prevents default routes learned by another protocol from being
advertised to the hub, and causes the loopback address of the branch router to
be advertised to the hub as the next hop.
[edit]
edit protocols bgp group IBGPoGRE-H2-V6
set type internal
set import ACCEPT_DEFAULT-V6
set family inet6 unicast
set export BRANCH-PREFIX-V6
set neighbor fec0:16:2:4::1 authentication-key "$9$JxUiqTznp01evgaZUkqu0B"
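The import and export policies above, and the local-preference failover between the two default routes that they are designed to produce, simulated in Python as an added example (not code from the Juniper guide). It assumes Junos first-match term semantics, the Junos default local preference of 100 for the default route learned over the GRE tunnel, that SET_LOCAL_PREF6 is the import policy on the EBGP session to the Layer 3 VPN provider (the step that applies it is cut off on this page), and constructed prefixes 2001:db8:2:41::/64 for the branch LAN and 2001:db8:3::/48 for another branch.

```python
"""Simulate the branch IPv6 BGP policies from this section.

Added example, not code from the Juniper guide. Assumptions: Junos
first-match term semantics, default local preference 100 for the GRE
default route, SET_LOCAL_PREF6 applied as import on the Layer 3 VPN EBGP
session, and constructed prefixes 2001:db8:2:41::/64 (branch LAN) and
2001:db8:3::/48 (another branch).
"""
import ipaddress

DEFAULT_LOCAL_PREF = 100  # Junos default when no policy sets one

# A policy is an ordered list of (match, actions). An empty match is a
# catch-all term; a protocol match with several values matches any of them.
ACCEPT_DEFAULT_V6 = [
    ({"family": "inet6", "route-filter": ("::/0", "exact")}, [("accept",)]),
    ({}, [("reject",)]),
]
BRANCH_PREFIX_V6 = [
    ({"family": "inet6", "route-filter": ("::/0", "exact")}, [("reject",)]),
    ({"protocol": {"ospf3", "direct"}}, [("accept",)]),
    ({}, [("reject",)]),
]
SET_LOCAL_PREF6 = [
    ({"family": "inet6", "protocol": {"bgp"}, "route-filter": ("::/0", "exact")},
     [("local-preference", 200), ("accept",)]),
    ({}, [("reject",)]),
]


def term_matches(match, route):
    """All 'from' conditions of a term must hold for the term to fire."""
    if "family" in match and route["family"] != match["family"]:
        return False
    if "protocol" in match and route["protocol"] not in match["protocol"]:
        return False
    if "route-filter" in match:
        prefix, kind = match["route-filter"]
        if kind != "exact":
            raise NotImplementedError("only 'exact' route filters are modelled")
        if ipaddress.ip_network(route["prefix"]) != ipaddress.ip_network(prefix):
            return False
    return True


def apply_policy(policy, route):
    """Return the (possibly modified) route if accepted, or None if rejected.

    Terms are evaluated top to bottom; the first matching term runs its
    actions, and accept/reject end evaluation. Every policy on this page
    ends with a catch-all reject, so the protocol default never applies.
    """
    route = dict(route, local_pref=route.get("local_pref", DEFAULT_LOCAL_PREF))
    for match, actions in policy:
        if not term_matches(match, route):
            continue
        for action in actions:
            if action[0] == "local-preference":
                route["local_pref"] = action[1]
            elif action[0] == "accept":
                return route
            elif action[0] == "reject":
                return None
    return None


def import_from_hub(routes):
    """Routes the hub sends over the GRE IBGP session, filtered by ACCEPT_DEFAULT-V6."""
    return [r["prefix"] for r in routes if apply_policy(ACCEPT_DEFAULT_V6, r)]


def export_to_hub(routes):
    """Branch routes offered to the hub, filtered by BRANCH-PREFIX-V6."""
    return [r["prefix"] for r in routes if apply_policy(BRANCH_PREFIX_V6, r)]


def select_default(candidates):
    """Pick the active default route: the highest local preference wins."""
    active = [r for r in candidates if r is not None]
    return max(active, key=lambda r: r["local_pref"])["via"] if active else None


def demo():
    hub_routes = [  # constructed: what the hub advertises over the GRE tunnel
        {"prefix": "::/0", "family": "inet6", "protocol": "bgp"},
        {"prefix": "2001:db8:3::/48", "family": "inet6", "protocol": "bgp"},
    ]
    branch_routes = [  # constructed: candidate routes in the branch routing table
        {"prefix": "::/0", "family": "inet6", "protocol": "static"},
        {"prefix": "2001:db8:2:41::/64", "family": "inet6", "protocol": "ospf3"},
        {"prefix": "fec0:16:2::254/128", "family": "inet6", "protocol": "direct"},
    ]
    # Default route over the Layer 3 VPN gets local preference 200; the
    # one over the GRE tunnel keeps the default of 100 and only wins when
    # the Layer 3 VPN default is withdrawn.
    via_vpn = apply_policy(SET_LOCAL_PREF6, {"prefix": "::/0", "family": "inet6",
                                             "protocol": "bgp", "via": "layer3-vpn"})
    via_gre = apply_policy(ACCEPT_DEFAULT_V6, {"prefix": "::/0", "family": "inet6",
                                               "protocol": "bgp", "via": "gre-backup"})
    return {
        "imported": import_from_hub(hub_routes),
        "exported": export_to_hub(branch_routes),
        "active_default": select_default([via_vpn, via_gre]),
        "after_vpn_failure": select_default([via_gre]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```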
Results
1. Verify BGP peering to the Internet service provider gateway (2.2.0.2), to the Layer 3 VPN service provider gateway (172.16.2.1), and to the remote GRE tunnel endpoint (172.16.2.5).
user@branch> show bgp summary
Groups: 5 Peers: 5 Down peers: 2
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0                 1          1          0          0          0          0
inet6.0                1          1          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
2.2.0.1                  69      21912      21862       0       0  6d 21:23:11 Establ
  VPN.inet.0: 1/1/1/0
172.16.2.1              555      21675      21901       0       0  6d 21:23:15 Establ
  inet.0: 1/1/1/0
172.16.2.5            65530       5609       6130       0       4  4d 22:44:45 Connect
fec0:16:2:1::1          555      21673      22056       0       0  6d 21:23:04 Establ
  inet6.0: 1/1/1/0
fec0:16:2:4::1        65530       5609       6286       0       3  4d 22:44:42 Active
2. Verify that default routes to the Layer 3 VPN transport have a higher preference than
For the backup Internet transport to Aggregation Hub 2, IPsec is used to secure the GRE
tunnels between the branch and the aggregation hub. The WAN transport security
configuration consists of an Internet Key Exchange (IKE) configuration for IPsec phase
1 negotiation and an IPsec configuration for phase 2 negotiation.
1. For IKE phase 1 negotiation, configure an IKE proposal and policy, and define the IPsec peer (gateway) at the remote end of the tunnel with which IKE is negotiated.
a. Configure an IKE proposal that matches the proposal configured on the VPN
[edit]
edit services ipsec-vpn ike policy ike-phase1-policy
set mode main
set proposals ike-phase1-proposal
set pre-shared-key ascii-text "$9$5znCO1hKMXtuMX7-2gTz3"
2. For IPsec phase 2 negotiation, configure an IPsec proposal and policy, and then configure an IPsec rule for the remote destination at the aggregation hub.
a. Configure the IPsec proposal, which lists protocols and algorithms (security
services) to be negotiated with the remote IPsec peer at the aggregation hub.
[edit]
edit services ipsec-vpn ipsec proposal dynamic_ipsec_proposal
set authentication-method pre-shared-keys
The destination address is the address of the GRE tunnel interface at the
aggregation hub.
The source and destination addresses must match the proxy identity values set
in the IPsec_Clients_Group1 IKE access profile configured on the VPN termination
router at the aggregation hub.
The remote gateway is the address of the logical tunnel interface (lt-5/1/0.53)
in the VPN routing instance at Aggregation Hub 2.
[edit]
edit services ipsec-vpn rule To_Hub2
set term 1 from source-address 172.16.2.255/32
set term 1 from destination-address 172.31.255.231/32
set term 1 then remote-gateway 191.15.200.6
set term 1 then dynamic ike-policy ike-phase1-policy
set term 1 then dynamic ipsec-policy dynamic_ipsec_policy
set match-direction input
3. The inside and outside IPsec interfaces must match the inside and outside service domain configuration at the [edit interfaces sp-0/3/0] hierarchy.
Results
64 bytes from 192.0.2.6: icmp_seq=0 ttl=60 time=0.947 ms
64 bytes from 192.0.2.6: icmp_seq=1 ttl=60 time=0.887 ms
64 bytes from 192.0.2.6: icmp_seq=2 ttl=60 time=0.898 ms
64 bytes from 192.0.2.6: icmp_seq=3 ttl=60 time=0.909 ms
64 bytes from 192.0.2.6: icmp_seq=4 ttl=60 time=0.912 ms

--- 192.0.2.6 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.887/0.911/0.947/0.020 ms
2. Verify IKE security associations for Aggregation Hub 2.
user@branch> show services ipsec-vpn ike security-associations
Remote Address   State         Initiator cookie   Responder cookie   Exchange type
192.0.2.6        Not matured   334a28e9694a22c5   0000000000000000   Main
3. Verify IKE security associations for Aggregation Hub 2 in detail.
user@branch> show services ipsec-vpn ike security-associations detail
IKE peer 192.0.2.6
  Role: Initiator, State: Matured
  Initiator cookie: d9d21dadbf8be9ea, Responder cookie: 511417b7267560d7
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 2.2.0.2, Remote: 191.15.200.6
  Lifetime: Expires in 15931 seconds
  Algorithms:
   Authentication        : hmac-sha256-128
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha256
  Traffic statistics:
   Input  bytes  :                89432
   Output bytes  :                89680
   Input  packets:                  968
   Output packets:                  970
  Flags: IKE SA created
  IPsec security associations: 2 created, 1 deleted
4. Verify IPsec security associations for Aggregation Hub 2.
user@branch> show services ipsec-vpn ipsec security-associations extensive
Specify the outer GRE tunnel source and destination addresses that are used to form
the tunnel. These are the local and remote addresses of the loopback interfaces.
Specify the destination routing instance that points to the routing table that contains
the tunnel destination address.
Specify the inner IPv4 and IPv6 GRE addresses that are used after the tunnel is formed.
Results
1. Verify that the GRE tunnel destination at Aggregation Hub 2 is reachable through the default route.
Note that the default route to Aggregation Hub 1 over the Ethernet interface to the
Layer 3 VPN is active, but the default route to Aggregation Hub 2 over the GRE tunnel
is not active. The route to the Layer 3 VPN is active because it has a higher local
preference than the GRE tunnel. The default route over the GRE tunnel becomes
active only if the route to the Layer 3 VPN goes down.
user@branch> show route 172.31.255.231
inet.0: 98 destinations, 99 routes (98 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0
(The rest of the route display, and the interface display (Local/Remote columns) that followed it, are garbled in this copy; the recoverable local addresses from that display are inet 172.16.2.6/30, inet6 fe80::2a0:a504:73:96be/64 and 2001:DB8:2:4::2/64.)
There are three interfaces to the branch LAN: one for data, one for video, and one for
voice.
Results
Configuring the Routing Protocol for the LAN Transport on the Branch Router
Step-by-Step Procedure
1. Create a backbone area, add unit 1 of the loopback interface, and then add the branch LAN interfaces to the area.
[edit]
edit protocols ospf area 0.0.0.0
set interface lo0.1
set interface ge-0/0/0.41
set interface ge-0/0/0.51
set interface ge-0/0/0.61
2. Create a backbone area for OSPFv3, add unit 1 of the loopback interface, and then add the branch LAN interfaces to the area.
[edit]
edit protocols ospf3 area 0.0.0.0
set interface lo0.1
set interface ge-0/0/0.41
set interface ge-0/0/0.51
set interface ge-0/0/0.61
Results
(OSPF neighbor display; the command line and the leading Address and Interface columns are missing from this copy)
State   ID            Pri   Dead
Full    172.16.2.10     0     33
Full    172.16.2.14     0     33
Full    172.16.2.18     0     33
2. Verify OSPF routes on the branch LAN and on the loopback interface.
user@branch> show ospf route extensive
Topology default Route Table:

Prefix             Path  Route      NH       Metric NextHop       Nexthop
                   Type  Type       Type            Interface     Address/LSP
172.16.2.10        Intra AS BR      IP            1 ge-0/0/0.41   172.16.2.10
                   Priority low
172.16.2.14        ...                            1 ge-0/0/0.51
                   Priority low
172.16.2.18        ...                            1 ge-0/0/0.61
                   Priority low
...                ...                            0 lo0.1
                   Priority low
(columns shown as ... are garbled in this copy)
There are two levels of high availability that you can use over your private WAN overlay:
Dead peer detection for IPsec tunnels to monitor the tunnel state and remote peer availability.
BFD with IBGP for GRE tunnels to detect failures over the GRE tunnels.
1. In the IBGP peer group to the remote end of the GRE tunnel at the aggregation hub, add the following statements:
We are using BFD with BGP to detect link failures over the GRE tunnels.
Set the minimum transmit and receive interval for failure detection. This interval is the minimum time between the hello packets that the local routing device transmits, and the minimum interval at which it expects to receive hello packets from the neighbor with which it has established a BFD session.
Set a multiplier for hello packets, which is the number of consecutive hello packets that must go unreceived before the neighbor, and with it the originating interface, is declared down. With a 500 ms interval and a multiplier of 3, a failure is detected after 1.5 seconds, which is the detect time shown in the results.
[edit]
edit protocols bgp group IBGPoGRE-H2
set neighbor 172.16.2.5 bfd-liveness-detection minimum-interval 500
set neighbor 172.16.2.5 bfd-liveness-detection multiplier 3
Results
(BFD session display; the command line is missing from this copy)
                                                  Detect   Transmit
Address                  State     Interface      Time     Interval  Multiplier
172.16.2.5               Up        gr-0/2/0.2     1.500     0.500        3

1 sessions, 1 clients
Cumulative transmit rate 2.0 pps, cumulative receive rate 2.0 pps
1. Configure classifiers.
a. Configure DSCP behavior aggregate (BA) classifiers for IPv4.
[edit]
edit class-of-service classifiers dscp DSCP-BA
set forwarding-class Best_Effort loss-priority medium-high code-points be
set forwarding-class Video loss-priority low code-points af41
set forwarding-class Video loss-priority low code-points af42
set forwarding-class Voice loss-priority low code-points ef
set forwarding-class Network_Control loss-priority low code-points cs7
set forwarding-class Network_Control loss-priority low code-points cs6
set forwarding-class Scavenger loss-priority high code-points cs1
set forwarding-class Bulk_Data loss-priority medium-high code-points af11
set forwarding-class Bulk_Data loss-priority medium-high code-points af12
set forwarding-class Critical_Data loss-priority medium-low code-points af21
set forwarding-class Critical_Data loss-priority medium-low code-points af22
b. Configure DSCP BA classifiers for IPv6.
[edit]
edit class-of-service classifiers dscp-ipv6 DSCP-BA
set forwarding-class Best_Effort loss-priority high code-points be
set forwarding-class Video loss-priority low code-points af41
set forwarding-class Video loss-priority low code-points af42
set forwarding-class Voice loss-priority low code-points ef
set forwarding-class Network_Control loss-priority low code-points cs6
set forwarding-class Network_Control loss-priority low code-points cs7
set forwarding-class Scavenger loss-priority low code-points cs1
set forwarding-class Bulk_Data loss-priority high code-points af11
set forwarding-class Bulk_Data loss-priority high code-points af12
set forwarding-class Critical_Data loss-priority low code-points af21
set forwarding-class Critical_Data loss-priority low code-points af22
c. Assign the forwarding classes to transmission queues.
[edit]
edit class-of-service forwarding-classes
set queue 0 Best_Effort
set queue 1 Scavenger
set queue 2 Bulk_Data
set queue 3 Critical_Data
set queue 4 Video
set queue 5 Voice
set queue 6 Network_Control
2.
[edit]
edit class-of-service rewrite-rules dscp Rewrite_CORE_TRAFFIC
set forwarding-class Best_Effort loss-priority medium-high code-point be
set forwarding-class Bulk_Data loss-priority medium-high code-point af11
set forwarding-class Scavenger loss-priority high code-point cs1
[edit]
edit class-of-service rewrite-rules dscp-ipv6 Rewrite_CORE_TRAFFIC
set forwarding-class Best_Effort loss-priority medium-high code-point be
set forwarding-class Bulk_Data loss-priority medium-high code-point af11
set forwarding-class Scavenger loss-priority high code-point cs1
set forwarding-class Critical_Data loss-priority medium-low code-point af21
set forwarding-class Video loss-priority low code-point af41
set forwarding-class Voice loss-priority low code-point ef
set forwarding-class Network_Control loss-priority low code-point cs7
3.
[edit]
edit class-of-service schedulers SCH_Best_Effort
set transmit-rate remainder
set buffer-size remainder
set priority medium-low
b. Create a scheduler for the Scavenger forwarding class.
[edit]
edit class-of-service schedulers SCH_Scavenger
set transmit-rate percent 3
set buffer-size percent 10
set priority low
c. Create a scheduler for the Bulk_Data forwarding class.
[edit]
edit class-of-service schedulers SCH_Bulk_Data
set transmit-rate percent 20
set buffer-size percent 15
set priority medium-high
d. Create a scheduler for the Critical_Data forwarding class.
[edit]
edit class-of-service schedulers SCH_Critical_Data
set transmit-rate percent 15
set buffer-size percent 15
set priority high
e. Create a scheduler for the Video forwarding class.
[edit]
edit class-of-service schedulers SCH_Video
set transmit-rate percent 20
set buffer-size percent 10
set priority high
f.
[edit]
edit class-of-service schedulers SCH_Network_Control
set transmit-rate percent 5
set buffer-size percent 3
set priority high
5. Create a traffic control profile to be applied to the link to the Layer 3 VPN.
We are setting a shaping rate instead of a policer because the shaper has a buffer
and is more flexible than a policer, which applies a hard limit to the rate and drops
packets when a transmission rate is reached.
[edit]
edit class-of-service traffic-control-profiles mpls-link
set scheduler-map MAIN-SCHD
set shaping-rate 50m
10. Modify the queue assignment and DSCP code point for network control (host) traffic that is generated by the Routing Engine and sent to the Packet Forwarding Engine. This configuration does not affect transit traffic.
[edit]
edit class-of-service host-outbound-traffic
set forwarding-class Network_Control
set dscp-code-point cs6
11. This step adds all the functionality of tunnel PICs to GRE tunnels. CoS for GRE tunnel traffic is applied as the traffic is looped through IQ2 and IQ2E PICs. Shaping is performed on full packets that pass through the GRE tunnel.
Include the tunnel-only statement to specify that the PIC works exclusively in
tunnel mode.
[edit]
set chassis fpc 0 pic 2 tunnel-services tunnel-only
b. Enable CoS queuing and scheduling on both the egress and ingress sides for the
PIC.
[edit]
set chassis fpc 0 pic 2 traffic-manager mode ingress-and-egress
c. Enable hierarchical scheduling on the GRE tunnel interfaces.
[edit]
set interfaces gr-0/2/0 hierarchical-scheduler
d. Specify that the ToS byte is to be copied from the inner IP header to the outer
Results
1.
Type
dscp
ip
Index
51863
13
Classifier
DSCP-BA
dscp
Index
29951
51863
961
Index
45866
45866
Type
dscp
Index
961
Type
fixed
Index
4
Type
fixed
Index
5
403
Enterprise WAN Aggregation and Internet Edge Design and Implementation Guide
Description: --- To MPLS_VPN_PROVIDER1 link (jbeer ge-7/0/3) --Forwarding classes: 16 supported, 7 in use
Ingress queues: 8 supported, 7 in use
Queue: 0, Forwarding classes: Best_Effort
Queued:
Packets
:
10383056799
12401 pps
Bytes
:
3834330678075
36711296 bps
Transmitted:
Packets
:
10383056799
12401 pps
Bytes
:
3834330678075
36711296 bps
Tail-dropped packets : Not Available
RED-dropped packets :
0
0 pps
Low
:
0
0 pps
Medium-low
:
0
0 pps
Medium-high
:
0
0 pps
High
:
0
0 pps
RED-dropped bytes
:
0
0 bps
Low
:
0
0 bps
Medium-low
:
0
0 bps
Medium-high
:
0
0 bps
High
:
0
0 bps
Queue: 1, Forwarding classes: Scavenger
Queued:
Packets
:
0
0 pps
Bytes
:
0
0 bps
Transmitted:
Packets
:
0
0 pps
Bytes
:
0
0 bps
Tail-dropped packets : Not Available
RED-dropped packets :
0
0 pps
Low
:
0
0 pps
Medium-low
:
0
0 pps
Medium-high
:
0
0 pps
High
:
0
0 pps
RED-dropped bytes
:
0
0 bps
Low
:
0
0 bps
Medium-low
:
0
0 bps
Medium-high
:
0
0 bps
High
:
0
0 bps
Queue: 2, Forwarding classes: Bulk_Data
Queued:
Packets
:
0
0 pps
Bytes
:
0
0 bps
Transmitted:
Packets
:
0
0 pps
Bytes
:
0
0 bps
Tail-dropped packets : Not Available
RED-dropped packets :
0
0 pps
Low
:
0
0 pps
Medium-low
:
0
0 pps
Medium-high
:
0
0 pps
High
:
0
0 pps
RED-dropped bytes
:
0
0 bps
Low
:
0
0 bps
Medium-low
:
0
0 bps
Medium-high
:
0
0 bps
High
:
0
0 bps
Queue: 3, Forwarding classes: Critical_Data
Queued:
Packets
:
670064141
800 pps
Bytes
:
168826758233
1612800 bps
404
Chapter 12: Connecting a Medium Branch to Dual-Homed Aggregation Hubs over Layer 3 VPN with Internet Backup
Transmitted:
Packets
:
670064141
Bytes
:
168826758233
Tail-dropped packets : Not Available
RED-dropped packets :
0
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
RED-dropped bytes
:
0
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
Queue: 4, Forwarding classes: Video
Queued:
Packets
:
0
Bytes
:
0
Transmitted:
Packets
:
0
Bytes
:
0
Tail-dropped packets : Not Available
RED-dropped packets :
0
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
RED-dropped bytes
:
0
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
Queue: 5, Forwarding classes: Voice
Queued:
Packets
:
0
Bytes
:
0
Transmitted:
Packets
:
0
Bytes
:
0
Tail-dropped packets : Not Available
RED-dropped packets :
0
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
RED-dropped bytes
:
0
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
Queue: 6, Forwarding classes: Network_Control
Queued:
Packets
:
0
Bytes
:
0
Transmitted:
Packets
:
0
Bytes
:
0
Tail-dropped packets : Not Available
RED-dropped packets :
0
Low
:
0
Medium-low
:
0
800 pps
1612800 bps
0
0
0
0
0
0
0
0
0
0
pps
pps
pps
pps
pps
bps
bps
bps
bps
bps
0 pps
0 bps
0 pps
0 bps
0
0
0
0
0
0
0
0
0
0
pps
pps
pps
pps
pps
bps
bps
bps
bps
bps
0 pps
0 bps
0 pps
0 bps
0
0
0
0
0
0
0
0
0
0
pps
pps
pps
pps
pps
bps
bps
bps
bps
bps
0 pps
0 bps
0 pps
0 bps
0 pps
0 pps
0 pps
405
Enterprise WAN Aggregation and Internet Edge Design and Implementation Guide
Medium-high
:
0
High
:
0
RED-dropped bytes
:
0
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
Forwarding classes: 16 supported, 7 in use
Egress queues: 8 supported, 7 in use
Queue: 0, Forwarding classes: Best_Effort
Queued:
Packets
:
6534515537
Bytes
:
2432521370086
Transmitted:
Packets
:
6534515537
Bytes
:
2432521370086
Tail-dropped packets : Not Available
RED-dropped packets :
0
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
RED-dropped bytes
:
0
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
Queue: 1, Forwarding classes: Scavenger
Queued:
Packets
:
0
Bytes
:
0
Transmitted:
Packets
:
0
Bytes
:
0
Tail-dropped packets : Not Available
RED-dropped packets :
0
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
RED-dropped bytes
:
0
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
Queue: 2, Forwarding classes: Bulk_Data
Queued:
Packets
:
1507969192
Bytes
:
766048349536
Transmitted:
Packets
:
1507969192
Bytes
:
766048349536
Tail-dropped packets : Not Available
RED-dropped packets :
0
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
RED-dropped bytes
:
0
Low
:
0
Medium-low
:
0
406
0
0
0
0
0
0
0
pps
pps
bps
bps
bps
bps
bps
7801 pps
23182432 bps
7801 pps
23182432 bps
0
0
0
0
0
0
0
0
0
0
pps
pps
pps
pps
pps
bps
bps
bps
bps
bps
0 pps
0 bps
0 pps
0 bps
0
0
0
0
0
0
0
0
0
0
pps
pps
pps
pps
pps
bps
bps
bps
bps
bps
1800 pps
7315200 bps
1800 pps
7315200 bps
0
0
0
0
0
0
0
0
pps
pps
pps
pps
pps
bps
bps
bps
Chapter 12: Connecting a Medium Branch to Dual-Homed Aggregation Hubs over Layer 3 VPN with Internet Backup
Medium-high
:
0
High
:
0
Queue: 3, Forwarding classes: Critical_Data
Queued:
Packets
:
1172867746
Bytes
:
445689383032
Transmitted:
Packets
:
1172867746
Bytes
:
445689383032
Tail-dropped packets : Not Available
RED-dropped packets :
0
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
RED-dropped bytes
:
0
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
Queue: 4, Forwarding classes: Video
Queued:
Packets
:
1047200842
Bytes
:
531978028240
Transmitted:
Packets
:
1047200842
Bytes
:
531978028240
Tail-dropped packets : Not Available
RED-dropped packets :
0
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
RED-dropped bytes
:
0
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
Queue: 5, Forwarding classes: Voice
Queued:
Packets
:
1633633313
Bytes
:
202570530812
Transmitted:
Packets
:
1633633313
Bytes
:
202570530812
Tail-dropped packets : Not Available
RED-dropped packets :
0
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
RED-dropped bytes
:
0
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
Queue: 6, Forwarding classes: Network_Control
Queued:
Packets
:
670510720
Bytes
:
168931059291
Transmitted:
0 bps
0 bps
1400 pps
4256000 bps
1400 pps
4256000 bps
0
0
0
0
0
0
0
0
0
0
pps
pps
pps
pps
pps
bps
bps
bps
bps
bps
1250 pps
5084032 bps
1250 pps
5084032 bps
0
0
0
0
0
0
0
0
0
0
pps
pps
pps
pps
pps
bps
bps
bps
bps
bps
1950 pps
1934400 bps
1950 pps
1934400 bps
0
0
0
0
0
0
0
0
0
0
pps
pps
pps
pps
pps
bps
bps
bps
bps
bps
800 pps
1612800 bps
407
Enterprise WAN Aggregation and Internet Edge Design and Implementation Guide
Packets
Bytes
Tail-dropped packets
RED-dropped packets
Low
Medium-low
Medium-high
High
RED-dropped bytes
Low
Medium-low
Medium-high
High
:
670510720
:
168931059291
: Not Available
:
0
:
0
:
0
:
0
:
0
:
0
:
0
:
0
:
0
:
0
408
800 pps
1612800 bps
0
0
0
0
0
0
0
0
0
0
pps
pps
pps
pps
pps
bps
bps
bps
bps
bps
20200 pps
57282048 bps
20200
57282848
0
0
0
0
0
0
0
0
0
0
0
pps
bps
pps
pps
pps
pps
pps
pps
bps
bps
bps
bps
bps
0 pps
0 bps
0
0
0
0
0
0
0
0
0
0
0
0
0
pps
bps
pps
pps
pps
pps
pps
pps
bps
bps
bps
bps
bps
1800 pps
7056000 bps
1800
7056000
0
0
pps
bps
pps
pps
Chapter 12: Connecting a Medium Branch to Dual-Homed Aggregation Hubs over Layer 3 VPN with Internet Backup
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
RED-dropped bytes
:
0
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
Queue: 3, Forwarding classes: Critical_Data
Queued:
Packets
:
1842847674
Bytes
:
581376003284
Transmitted:
Packets
:
1842847674
Bytes
:
581376003284
Tail-dropped packets :
0
RED-dropped packets :
0
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
RED-dropped bytes
:
0
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
Queue: 4, Forwarding classes: Video
Queued:
Packets
:
1047299855
Bytes
:
513184734644
Transmitted:
Packets
:
1047299855
Bytes
:
513184734644
Tail-dropped packets :
0
RED-dropped packets :
0
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
RED-dropped bytes
:
0
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
Queue: 5, Forwarding classes: Voice
Queued:
Packets
:
1633787774
Bytes
:
173193681014
Transmitted:
Packets
:
1633787774
Bytes
:
173193681014
Tail-dropped packets :
0
RED-dropped packets :
0
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
RED-dropped bytes
:
0
Low
:
0
Medium-low
:
0
0
0
0
0
0
0
0
0
0
pps
pps
pps
pps
bps
bps
bps
bps
bps
2200 pps
5552000 bps
2200
5552000
0
0
0
0
0
0
0
0
0
0
0
pps
bps
pps
pps
pps
pps
pps
pps
bps
bps
bps
bps
bps
1250 pps
4900000 bps
1250
4900000
0
0
0
0
0
0
0
0
0
0
0
pps
bps
pps
pps
pps
pps
pps
pps
bps
bps
bps
bps
bps
1950 pps
1653600 bps
1950
1653600
0
0
0
0
0
0
0
0
0
pps
bps
pps
pps
pps
pps
pps
pps
bps
bps
bps
409
Enterprise WAN Aggregation and Internet Edge Design and Implementation Guide
Medium-high
:
0
High
:
0
Queue: 6, Forwarding classes: Network_Control
Queued:
Packets
:
675023604
Bytes
:
157225809565
Transmitted:
Packets
:
675023604
Bytes
:
157225809565
Tail-dropped packets :
0
RED-dropped packets :
0
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
RED-dropped bytes
:
0
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
410
0 bps
0 bps
804 pps
1499528 bps
804
1499528
0
0
0
0
0
0
0
0
0
0
0
pps
bps
pps
pps
pps
pps
pps
pps
bps
bps
bps
bps
bps
Chapter 12: Connecting a Medium Branch to Dual-Homed Aggregation Hubs over Layer 3 VPN with Internet Backup
2711 pps
7760328 bps
2711 pps
7760328 bps
0 pps
0 pps
0 pps
0 pps
0 pps
0 pps
0 bps
0 bps
0 bps
0 bps
0 bps
0 pps
0 bps
0 pps
bps
pps
pps
pps
pps
pps
pps
bps
bps
bps
bps
bps
0
0
0
0
0
0
0
0
0
0
0
0
803 pps
3316000 bps
803 pps
3316000 bps
0 pps
0 pps
0 pps
0 pps
0 pps
0 pps
0 bps
0 bps
0 bps
0 bps
0 bps
411
Enterprise WAN Aggregation and Internet Edge Design and Implementation Guide
412
  Queue: 3, Forwarding classes: Critical_Data
    Queued:
      Packets              :             67557032                  805 pps
      Bytes                :          26081332286              2494672 bps
    Transmitted:
      Packets              :             67556848                  805 pps
      Bytes                :          26081261824              2494672 bps
      Tail-dropped packets :                   23
      RED-dropped packets  :                    0
       Low                 :                    0
       Medium-low          :                    0
       Medium-high         :                    0
       High                :                    0
      RED-dropped bytes    :                    0
       Low                 :                    0
       Medium-low          :                    0
       Medium-high         :                    0
       High                :                    0
  Queue: 4, Forwarding classes: Video
    Queued:
      Packets              :             41954776                  502 pps
      Bytes                :          21648664416              2073272 bps
    Transmitted:
      Packets              :             41954716                  502 pps
      Bytes                :          21648633456              2073272 bps
      Tail-dropped packets :                    0
      RED-dropped packets  :                    0
       Low                 :                    0
       Medium-low          :                    0
       Medium-high         :                    0
       High                :                    0
      RED-dropped bytes    :                    0
       Low                 :                    0
       Medium-low          :                    0
       Medium-high         :                    0
       High                :                    0
  Queue: 5, Forwarding classes: Voice
    Queued:
      Packets              :            117446026                 1405 pps
      Bytes                :          15502875432              1484616 bps
    Transmitted:
      Packets              :            117445988                 1405 pps
      Bytes                :          15502870416              1484616 bps
      Tail-dropped packets :                    0
      RED-dropped packets  :                    0
       Low                 :                    0
       Medium-low          :                    0
       Medium-high         :                    0
       High                :                    0
      RED-dropped bytes    :                    0
       Low                 :                    0
       Medium-low          :                    0
       Medium-high         :                    0
       High                :                    0
  Queue: 6, Forwarding classes: Network_Control
    Queued:
      Packets              :             41970048                  502 pps
      Bytes                :          10912205750              1044672 bps
    Transmitted:
      Packets              :             41969692                  502 pps
      Bytes                :          10912113190              1044672 bps
      Tail-dropped packets :                  323
      RED-dropped packets  :                    0
       Low                 :                    0
       Medium-low          :                    0
       Medium-high         :                    0
       High                :                    0
      RED-dropped bytes    :                    0
       Low                 :                    0
       Medium-low          :                    0
       Medium-high         :                    0
       High                :                    0
       Low                 :                    0
       Medium-low          :                    0
       Medium-high         :                    0
       High                :                    0
      RED-dropped bytes    :                    0
       Low                 :                    0
       Medium-low          :                    0
       Medium-high         :                    0
       High                :                    0
  Queue: 3, Forwarding classes: Critical_Data
    Queued:
      Packets              :              1482284                    2 pps
      Bytes                :            440888442                 1520 bps
    Transmitted:
      Packets              :              1482063                    2 pps
      Bytes                :            440802694                 1520 bps
      Tail-dropped packets :                    0
      RED-dropped packets  :                    0
       Low                 :                    0
       Medium-low          :                    0
       Medium-high         :                    0
       High                :                    0
      RED-dropped bytes    :                    0
       Low                 :                    0
       Medium-low          :                    0
       Medium-high         :                    0
       High                :                    0
  Queue: 4, Forwarding classes: Video
    Queued:
      Packets              :               655781                    0 pps
      Bytes                :            338382996                    0 bps
    Transmitted:
      Packets              :               655708                    0 pps
      Bytes                :            338345328                    0 bps
      Tail-dropped packets :                    0
      RED-dropped packets  :                    0
       Low                 :                    0
       Medium-low          :                    0
       Medium-high         :                    0
       High                :                    0
      RED-dropped bytes    :                    0
       Low                 :                    0
       Medium-low          :                    0
       Medium-high         :                    0
       High                :                    0
  Queue: 5, Forwarding classes: Voice
    Queued:
      Packets              :              1836197                    0 pps
      Bytes                :            242378004                    0 bps
    Transmitted:
      Packets              :              1836152                    0 pps
      Bytes                :            242372064                    0 bps
      Tail-dropped packets :                    0
      RED-dropped packets  :                    0
       Low                 :                    0
       Medium-low          :                    0
       Medium-high         :                    0
       High                :                    0
      RED-dropped bytes    :                    0
       Low                 :                    0
       Medium-low          :                    0
       Medium-high         :                    0
       High                :                    0
  Queue: 6, Forwarding classes: Network_Control
    Queued:
      Packets              :               655904                    0 pps
      Bytes                :            170514684                    0 bps
    Transmitted:
      Packets              :               655793                    0 pps
      Bytes                :            170485824                    0 bps
      Tail-dropped packets :                   27
      RED-dropped packets  :                    0
       Low                 :                    0
       Medium-low          :                    0
       Medium-high         :                    0
       High                :                    0
      RED-dropped bytes    :                    0
       Low                 :                    0
       Medium-low          :                    0
       Medium-high         :                    0
       High                :                    0
2. Add the GRE tunnel, the physical interface to the Layer 3 VPN, and the branch LAN interfaces to the PIM configuration on the branch router.
[edit]
edit protocols pim
set interface gr-0/2/0.2 mode sparse
set interface gr-0/2/0.2 version 2
set interface ge-0/0/2.0 mode sparse
set interface ge-0/0/2.0 version 2
set interface ge-0/0/0.41 mode sparse
set interface ge-0/0/0.41 version 2
set interface ge-0/0/0.51 mode sparse
set interface ge-0/0/0.51 version 2
set interface ge-0/0/0.61 mode sparse
set interface ge-0/0/0.61 version 2
Results
Verify that multicast is running over the Layer 3 VPN and the branch LAN. Multicast is
not currently running on the backup Internet transport.
2. Verify that multicast is running over the Layer 3 VPN transport (ge-0/0/2).
user@branch> show pim join
Instance: PIM.master Family: INET
R = Rendezvous Point Tree, S = Sparse, W = Wildcard
Group: 235.2.1.1
Source: *
RP: 172.31.255.15
Flags: sparse,rptree,wildcard
Upstream interface: ge-0/0/2.0
Group: 235.2.1.1
Source: 172.31.252.10
Flags: sparse,spt
Upstream interface: ge-0/0/2.0
Group: 235.2.1.2
Source: *
RP: 172.31.255.15
Flags: sparse,rptree,wildcard
Upstream interface: ge-0/0/2.0
. . .
Group: 235.2.1.8
Source: *
RP: 172.31.255.15
Flags: sparse,rptree,wildcard
Upstream interface: ge-0/0/2.0
Group: 235.2.1.8
Source: 172.31.252.10
Flags: sparse,spt
Upstream interface: ge-0/0/2.0
Instance: PIM.master Family: INET6
R = Rendezvous Point Tree, S = Sparse, W = Wildcard
3. Verify multicast on the branch LAN interfaces and the interface to the Layer 3 VPN
transport.
user@branch> show pim neighbors
B = Bidirectional Capable, G = Generation Identifier
H = Hello Option Holdtime, L = Hello Option LAN Prune Delay,
P = Hello Option DR Priority, T = Tracking Bit
Instance: PIM.master
Interface           IP V Mode        Option       Neighbor addr
ge-0/0/2.0           4 2             HPLGT
ge-0/0/2.0           6 2             HPLGT        fe80::5e5e:abff:fe4f:cff5
4. Verify that groups are established with upstream interface to the Layer 3 VPN service
provider (ge-0/0/2) and the downstream interfaces to the branch LAN (ge-0/0/0).
user@branch> show multicast route extensive
Instance: master Family: INET
Group: 235.2.1.1
Source: 172.31.252.10/32
Upstream interface: ge-0/0/2.0
Downstream interface list:
ge-0/0/0.41
Session description: Unknown
Statistics: 35 kBps, 150 pps, 41144688 packets
Next-hop ID: 1048575
Upstream protocol: PIM
Route state: Active
Forwarding state: Forwarding
Cache lifetime/timeout: 360 seconds
Wrong incoming interface notifications: 0
Uptime: 3d 04:29:18
. . .
Group: 235.2.1.8
Source: 172.31.252.10/32
Upstream interface: ge-0/0/2.0
Downstream interface list:
ge-0/0/0.41
Session description: Unknown
Statistics: 35 kBps, 150 pps, 41144576 packets
Next-hop ID: 1048575
rendezvous point.
user@branch> show multicast rpf 172.31.255.15
Multicast RPF table: inet.0 , 97 entries
0.0.0.0/0
Protocol: BGP
Interface: ge-0/0/2.0
Neighbor: 172.16.2.1
6. Verify that routes are created and traffic is flowing.
user@branch> show pim rps extensive
Instance: PIM.master
address-family INET
RP: 172.31.255.15
Learned via: static configuration
Mode: Sparse
Time Active: 6d 23:22:07
Holdtime: 0
Device Index: 149
Subunit: 32769
Interface: pe-1/2/0.32769
Static RP Override: Off
Group Ranges:
224.0.0.0/4
Active groups using RP:
235.2.1.1
235.2.1.2
235.2.1.3
235.2.1.4
235.2.1.5
235.2.1.6
235.2.1.7
235.2.1.8
total 8 groups active
address-family INET6
Verification
Verifying End-to-End Data Traffic
Purpose
Action
Verify that traffic is travelling end-to-end on the Layer 3 VPN WAN transport to
Aggregation Hub 1.
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 Best_Effort               1396372              1396372                    0
    1 Scavenger                                                                 0
    2 Bulk_Data                                                                 0
    3 Critical_Dat               116615               116615                    0
    4 Video                                                                     0
    5 Voice                                                                     0
    6 Network_Cont                    0                    0                    0
  Egress queues: 8 supported, 7 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 Best_Effort                667657               667657                    0
    1 Scavenger                                                                 0
    2 Bulk_Data                  144108               144108                    0
    3 Critical_Dat               112084               112084                    0
    4 Video                      100073               100073                    0
    5 Voice                      156115               156115                    0
    6 Network_Cont               557301               557301                    0
  Queue number:         Mapped forwarding classes
    0                   Best_Effort
    1                   Scavenger
    2                   Bulk_Data
    3                   Critical_Data
    4                   Video
    5                   Voice
    6                   Network_Control
  Active alarms  : None
  Active defects : None
  MAC statistics:                      Receive         Transmit
    Total octets                     517330454        615278424
    Total packets                      1512987          1737338
    Unicast packets                    1512676          1737024
    Broadcast packets                      311              314
    Multicast packets                        0                0
    CRC/Align errors                         0                0
    FIFO errors                              0                0
    MAC control frames                       0                0
    MAC pause frames                         0                0
    Oversized frames                         0
    Jabber frames                            0
    Fragment frames                          0
    VLAN tagged frames                       0
    Code violations                          0
  Filter statistics:
    Input packet count                 1512987
    Input packet rejects                     0
    Input DA rejects                         0
    Input SA rejects                         0
    Output packet count                                1737338
    Output packet pad count                                  0
    Output packet error count                                0
    CAM destination filters: 0, CAM source filters: 0
  Autonegotiation information:
    Negotiation status: Complete
    Link partner:
        Link mode: Full-duplex, Flow control: Symmetric/Asymmetric, Remote fault: OK
    Local resolution:
        Flow control: Symmetric, Remote fault: Link OK
  Packet Forwarding Engine configuration:
    Destination slot: 0 (0x00)
  CoS information:
    Direction : Output
    CoS transmit queue               Bandwidth               Buffer Priority   Limit
                              %            bps     %           usec
    0 Best_Effort            95      950000000    95              0      low    none
    3 Critical_Data           5       50000000     5              0      low    none
    Direction : Input
    CoS transmit queue               Bandwidth               Buffer Priority   Limit
                              %            bps     %           usec
    0 Best_Effort            95      950000000    95              0      low    none
    3 Critical_Data           5       50000000     5              0      low    none
  Interface transmit statistics: Disabled

  Logical interface ge-0/0/1.0 (Index 77) (SNMP ifIndex 527) (Generation 142)
    Flags: SNMP-Traps 0x4000 Encapsulation: ENET2
    Traffic statistics:
     Input  bytes  :            516936694
     Output bytes  :            614722212
     Input  packets:              1512987
     Output packets:              1737338
    Local statistics:
     Input  bytes  :              5205658
     Output bytes  :             14416068
     Input  packets:                98440
     Output packets:                98334
    Transit statistics:
     Input  bytes  :            511731036                    0 bps
     Output bytes  :            600306144                    0 bps
     Input  packets:              1414547                    0 pps
     Output packets:              1639004                    0 pps
    Protocol inet, MTU: 1500, Generation: 166, Route table: 4
      Flags: Sendbcast-pkt-to-re, Is-Primary, User-MTU
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 2.2.0.0/30, Local: 2.2.0.2, Broadcast: 2.2.0.3, Generation: 165
    Protocol multiservice, MTU: Unlimited, Generation: 167, Route table: 4
      Flags: Is-Primary
      Policer: Input: __default_arp_policer__
Verifying Reachability
Purpose
Action
Verify reachability and traffic paths to the loopback interface of the data center router,
the loopback interface of a router in a different branch, and an IP address in the service
provider network that is publicly routable.
1. Display the default IPv4 routing table to verify reachability throughout the network.
user@branch> show route table inet.0
inet.0: 97 destinations, 97 routes (97 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0
10.2.1.0/24
10.2.2.0/24
10.155.8.1/32
10.155.210.151/32
10.157.92.176/32
10.204.138.55/32
10.209.0.0/16
10.212.0.0/16
10.216.32.0/20
10.216.36.244/32
14.4.4.0/24
14.4.4.1/32
172.16.2.0/30
172.16.2.2/32
172.16.2.4/30
172.16.2.6/32
172.16.2.8/30
172.16.2.9/32
172.16.2.12/30
172.16.2.13/32
172.16.2.16/30
172.16.2.17/32
172.16.2.254/32
172.17.0.0/16
224.0.0.2/32
224.0.0.5/32
224.0.0.13/32
224.0.0.22/32
6. Verify connectivity from the branch to a publicly routable IP address in the service provider network.
user@branch> ping 100.65.4.2 rapid
PING 100.65.4.2 (100.65.4.2): 56 data bytes
!!!!!
--- 100.65.4.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.915/0.981/1.166/0.094 ms
7. Verify the path from the branch to the publicly routable host using traceroute.
user@branch> traceroute 100.65.4.2
traceroute to 100.65.4.2 (100.65.4.2), 30 hops max, 40 byte packets
 1  172.16.2.1 (172.16.2.1)  1.361 ms  0.790 ms  1.019 ms
 2  172.31.254.33 (172.31.254.33)  0.829 ms  0.835 ms  0.922 ms
 3  172.31.254.34 (172.31.254.34)  1.150 ms  0.744 ms  0.721 ms
 4  172.31.254.9 (172.31.254.9)  0.708 ms  0.713 ms  0.740 ms
 5  * * *
 6  * * *
## This is expected: the traceroute probes are blocked by the stateful firewall on the Internet edge router ##
The asterisks mean the firewall silently drops the probes beyond hop 4 rather than returning ICMP errors, so the traceroute only confirms the path as far as the Internet edge; reachability of the host itself is shown by the ping in step 6.
Action
Verify that a failure of the branch router's Layer 3 VPN WAN transport to Aggregation Hub 1 causes all traffic to be rerouted over the GRE tunnel secondary WAN transport to Aggregation Hub 2 with minimal traffic loss.
1. Log in to the branch router as the root user, and enter the following shell command to take down the physical WAN transport. This is a shell-level change that bypasses the configuration database (the CLI equivalent is set interfaces ge-0/0/2 disable followed by commit), so remember to bring the interface back up when the test is finished.
root@branch% ifconfig ge-0/0/2 down
2. Verify that the route to the remote GRE endpoint is the active default route.
user@branch> show route table inet.0
inet.0: 97 destinations, 97 routes (97 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0
. . .
3. Verify the BGP sessions. The sessions to the Layer 3 VPN service provider (172.16.2.1 and 2001:DB8:2:1::1) are Idle. The sessions to the Internet service provider (2.2.0.1) and to the remote end of the GRE tunnel (172.16.2.5 and 2001:DB8:2:4::1) are Established.
user@branch> show bgp summary
Groups: 5 Peers: 5 Down peers: 2
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0                 1          1          0          0          0          0
inet.2                 0          0          0          0          0          0
inet6.0                1          1          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
2.2.0.1                  69      31801      31639       0       1  3d 19:55:02 Establ
  VPN.inet.0: 1/1/1/0
172.16.2.1              555       4209       4254       0       4        1:12 Idle
172.16.2.5            65530      29113      31548       0      38     5:06:59 Establ
  inet.0: 1/1/1/0
2001:DB8:2:1::1         555       4203       4251       0       4        1:12 Idle
2001:DB8:2:4::1       65530      28969      31554       0      24     5:07:54 Establ
  inet6.0: 1/1/1/0
4. Verify that the physical link to the Layer 3 VPN service provider is down.
user@branch> show interfaces ge-0/0/2 extensive
Physical interface: ge-0/0/2, Administratively down, Physical link is Down
  Interface index: 131, SNMP ifIndex: 503, Generation: 134
  Description: --- To MPLS_VPN_PROVIDER1 link (jbeer ge-7/0/3) ---
  Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online
  Device flags   : Present Running Down
  Interface flags: Hardware-Down Down SNMP-Traps Internal: 0x4000
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: 5c:5e:ab:fe:68:02, Hardware address: 5c:5e:ab:fe:68:02
  Last flapped   : 2013-06-17 12:00:09 PDT (00:25:04 ago)
  Statistics last cleared: 2013-06-16 04:14:16 PDT (1d 08:10 ago)
  Traffic statistics:
   Input  bytes  :         161572949616                    0 bps
   Output bytes  :         153096884999                    0 bps
   Input  packets:            416892314                    0 pps
   Output packets:            433906680                    0 pps
  IPv6 total statistics:
   Input  bytes  :           2417952315
   Output bytes  :           2418038487
   Input  packets:              9605437
   Output packets:              9601956
  Ingress traffic statistics at Packet Forwarding Engine:
   Input  bytes  :         161572862484                    0 bps
   Input  packets:            416892072                    0 pps
   Drop   bytes  :                    0                    0 bps
   Drop   packets:                    0                    0 pps
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 1, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
  Ingress queues: 8 supported, 7 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 Best_Effort             392454194            392454194                    0
    1 Scavenger                                                                 0
    2 Bulk_Data                                                                 0
    Transmitted:
      Packets              :  9214364874108142009                 1950 pps
      Bytes                :  9214364874501808514              2074800 bps
      Tail-dropped packets :                    0
      RED-dropped packets  :  9214364874105159688
      RED-dropped bytes    :  9214364874105159688
  Queue: 6, Forwarding classes: Network_Control
    Queued:
      Packets              :  9214364874106428359                  802 pps
      Bytes                :  9214364874428064791              1671664 bps
    Transmitted:
      Packets              :  9214364874106428359                  802 pps
      Bytes                :  9214364874428064791              1671664 bps
      Tail-dropped packets :                    0
      RED-dropped packets  :  9214364874105159688
      RED-dropped bytes    :  5188690172138487816
7. Check the path taken by traffic to the data center after the Layer 3 VPN primary link failure.
user@branch> ping 172.31.255.8 source 172.16.2.254 rapid
PING 172.31.255.8 (172.31.255.8): 56 data bytes
!!!!!
--- 172.31.255.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.271/2.818/5.957/1.652 ms
user@branch> traceroute 172.31.255.8 source 172.16.2.254
traceroute to 172.31.255.8 (172.31.255.8) from 172.16.2.254, 30 hops max, 40 byte packets
 1  172.16.2.5 (172.16.2.5)  1.160 ms  1.340 ms  1.021 ms        # GRE endpoint at hub 2
 2  172.31.254.21 (172.31.254.21)  2.639 ms  1.019 ms  0.948 ms  # WAN Aggregation Hub 2
 3  172.31.255.8 (172.31.255.8)  1.198 ms  1.226 ms  1.174 ms    # Data Center
8. Check the branch-to-branch path taken by traffic after the Layer 3 VPN primary link failure.
user@branch> ping 172.16.1.254 source 172.16.2.254 rapid
PING 172.16.1.254 (172.16.1.254): 56 data bytes
!!!!!
--- 172.16.1.254 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.961/2.802/3.744/0.622 ms
user@branch> traceroute 172.16.1.254 source 172.16.2.254
traceroute to 172.16.1.254 (172.16.1.254) from 172.16.2.254, 30 hops max, 40 byte packets
 1  172.16.2.5 (172.16.2.5)  1.304 ms  1.366 ms  1.365 ms        # GRE endpoint at hub 2
 2  172.16.1.254 (172.16.1.254)  4.000 ms  3.654 ms  3.411 ms    # Branch loopback
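Step 3 of this procedure reads the session states off show bgp summary by eye. The following Python script, added here as an example and not part of the guide or of Junos, automates that check so a failover drill can be asserted rather than inspected: it parses the peer table, confirms that the Layer 3 VPN sessions are no longer Established and that every backup-path session is, and cross-checks the "Down peers" count against the rows it parsed. SAMPLE is reconstructed from the values on this page with constructed column spacing; the function and constant names are this example's own.

```python
"""Added example (not Juniper code or output from the guide): parse the peer
table of `show bgp summary` and check that a failover drill produced the
expected BGP session states.

SAMPLE is reconstructed from this page's values; column spacing is
constructed. All names below belong to this example only."""
import ipaddress
import re

SAMPLE = """\
Groups: 5 Peers: 5 Down peers: 2
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0                 1          1          0          0          0          0
inet.2                 0          0          0          0          0          0
inet6.0                1          1          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
2.2.0.1                  69      31801      31639       0       1  3d 19:55:02 Establ
  VPN.inet.0: 1/1/1/0
172.16.2.1              555       4209       4254       0       4        1:12 Idle
172.16.2.5            65530      29113      31548       0      38     5:06:59 Establ
  inet.0: 1/1/1/0
2001:DB8:2:1::1         555       4203       4251       0       4        1:12 Idle
2001:DB8:2:4::1       65530      28969      31554       0      24     5:07:54 Establ
  inet6.0: 1/1/1/0
"""

# Sessions that ride the Layer 3 VPN link taken down in step 1 ...
PRIMARY_L3VPN = ["172.16.2.1", "2001:DB8:2:1::1"]
# ... and sessions that carry the backup path (Internet provider, GRE tunnel to hub 2).
BACKUP_PATH = ["2.2.0.1", "172.16.2.5", "2001:DB8:2:4::1"]


def canon(addr):
    """Canonical text form so 2001:DB8:: and 2001:db8:: compare equal."""
    return str(ipaddress.ip_address(addr))


def peer_states(text):
    """Map each peer address to its session state ("Establ", "Idle", ...).

    A peer row starts in column 0 with an IP address and ends with the state,
    so taking the last field stays correct when "Last Up/Dwn" contains a space
    ("3d 19:55:02"). Indented per-RIB rows and header rows are skipped."""
    states = {}
    for line in text.splitlines():
        if not line or line[0].isspace():
            continue
        fields = line.split()
        try:
            peer = canon(fields[0])
        except ValueError:
            continue  # "Groups:", "Table", "inet.0", "Peer" rows are not peers
        states[peer] = fields[-1]
    return states


def down_peers_claimed(text):
    """The "Down peers: N" count from the summary line, or None if absent."""
    m = re.search(r"Down peers:\s*(\d+)", text)
    return int(m.group(1)) if m else None


def summary_consistent(text):
    """True when the summary line agrees with the parsed per-peer table."""
    states = peer_states(text)
    return down_peers_claimed(text) == sum(s != "Establ" for s in states.values())


def check_failover(states, primary, backup):
    """Return findings; an empty list means the failover looks as expected.

    After the primary WAN link is down, no primary-side session may still be
    Established, and every backup-path session must be Established."""
    findings = []
    for peer in primary:
        if states.get(canon(peer)) == "Establ":
            findings.append(f"{peer}: primary session still Established")
    for peer in backup:
        got = states.get(canon(peer), "missing")
        if got != "Establ":
            findings.append(f"{peer}: backup session is {got}, expected Establ")
    return findings


if __name__ == "__main__":
    st = peer_states(SAMPLE)
    print(check_failover(st, PRIMARY_L3VPN, BACKUP_PATH) or ["failover OK"])
    print("summary line consistent:", summary_consistent(SAMPLE))
```

To use it against a live device, capture show bgp summary over SSH or NETCONF into a string and pass that in place of SAMPLE; the peer lists are the only site-specific part. Matching on the last field rather than fixed column offsets is deliberate, because the "Last Up/Dwn" column changes width as sessions age.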
9. Verify connectivity from the branch to a publicly routable IP address in the service provider network.
. . .
Group: 235.2.1.8
Source: 172.31.252.10/32
Upstream interface: ge-0/0/2.0
Downstream interface list:
ge-0/0/0.41
Session description: Unknown
Statistics: 35 kBps, 150 pps, 78695219 packets
Next-hop ID: 1048575
Upstream protocol: PIM
Route state: Active
Forwarding state: Forwarding
Cache lifetime/timeout: 360 seconds
Wrong incoming interface notifications: 0
Uptime: 6d 02:01:36
Instance: master Family: INET6
Verifying This Scenario from the WAN Aggregation Router at Aggregation Hub 1
Purpose
Action
Use this procedure to verify this scenario from the WAN aggregation router at Aggregation
Hub 1.
1. Verify that the link to the Layer 3 VPN service provider is up.
user@wanagghub1> show interfaces ge-1/2/5 terse
Interface               Admin Link Proto    Local                              Remote
ge-1/2/5                up    up
ge-1/2/5.0              up    up   inet     172.31.254.34/30
                                   inet6    fe80::5e5e:abff:fe0e:4205/64
                                            2001:DB8:254:1::2/64
                                   multiservice
user@wanagghub1> ping 172.31.254.33 rapid
provider.
user@wanagghub1> show route advertising-protocol bgp 172.31.254.33
inet.0: 30847 destinations, 57234 routes (30847 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 0.0.0.0/0               Self                 0                  I
CHAPTER 13

Connecting a Large Branch to Dual-Homed Aggregation Hubs over Layer 3 VPN

Requirements

This scenario uses the following hardware and software components:

Branch router 1: MX80 3D Universal Edge Router with the following PICs:

Branch router 2: MX80 3D Universal Edge Router with the following PICs:

Overview

This design is a large branch that connects to the aggregation hubs over a Layer 3 VPN transport that is provided by a service provider.

For device-level high availability at the branch there are dual routers in an active/standby configuration. Branch router 1 is the primary router, and branch router 2 is the secondary router. We use Virtual Router Redundancy Protocol (VRRP) to elect the primary and secondary router.

For carrier-level high availability the branch routers each use a separate Layer 3 VPN service provider.

Branch router 2 connects to Aggregation Hub 2 over Layer 3 VPN provided by ISP B.

For link-level high availability, each service provider is responsible for the availability agreed upon in its service-level agreement.

EBGP is used for peering with the Layer 3 VPN service provider.

IBGP is used for peering between the two branch routers. It uses the loopback addresses of the branch routers to form the IBGP sessions, and it learns those loopback addresses from OSPF.

OSPF is used on the local branch VLANs, and it provides reachability between the two branch routers.

CoS is applied on the branch VLANs and on the link to the Layer 3 VPN service provider.

Topology

Figure 78: Test Lab Topology for Large Remote Site Using Redundant CEs to Connect to Redundant Layer 3 VPN Carriers

Figure 79: Routing Configuration for Large Remote Site Using Redundant CEs to Connect to Redundant Layer 3 VPN Providers

Before you configure this scenario, configure the base configurations at Aggregation Hub 1 and Aggregation Hub 2. Then complete the following:
Configuring the WAN Transport on the WAN Aggregation Router at Aggregation Hub 1 on page 441
Configuring EBGP Routing for the WAN Transport on the WAN Aggregation Router at Aggregation Hub 1 on page 441
Applying CoS to the WAN Transport on the WAN Aggregation Router at Aggregation Hub 1 on page 442
Configuring Multicast on the WAN Aggregation Router at Aggregation Hub 1 on page 442

Configuring EBGP Routing for the WAN Transport on the WAN Aggregation Router at Aggregation Hub 1

Step-by-Step Procedure

Configure EBGP groups for peering between the WAN aggregation router at the hub and ISP A. The policies have already been configured in the Aggregation Hub 1 base configuration.

Applying CoS to the WAN Transport on the WAN Aggregation Router at Aggregation Hub 1

2. Apply the traffic control profile, classifiers, and rewrite rules to the WAN transport interface. The classifiers and rewrite rules are configured in the aggregation hub base configuration.
[edit]
edit class-of-service interfaces ge-1/2/5
set output-traffic-control-profile TO-L3VPN-VPN1
set unit 0 classifiers dscp DSCP-BA
set unit 0 classifiers dscp-ipv6 DSCP-BA
set unit 0 rewrite-rules dscp DEF_DSCP_REWRITE
set unit 0 rewrite-rules dscp-ipv6 DEF_DSCP_REWRITE

Configuring Multicast on the WAN Aggregation Router at Aggregation Hub 1

[edit]
edit protocols pim interface ge-1/2/5.0
set mode sparse
set version 2
Configuring EBGP Peering on the WAN Transport on Branch Router 1 on page 450
Configuring OSPF Routing for the LAN Transport on Branch Router 1 on page 457
Configuring the LAN Transport to Branch Router 2 on Branch Router 1 on page 458
Configuring VRRP for High Availability of Dual Routers on Branch Router 1 on page 466
1. Create a set of prefix lists that are used in the firewall filter set up for Routing Engine protection. These prefix lists specify the trusted IP subnets and addresses for different types of traffic. Only traffic received from these addresses is allowed through the Routing Engine protection filter.
[edit]
edit policy-options
set prefix-list trusted-bgp-peers 172.16.4.0/24
set prefix-list trusted-networks 10.0.0.0/8
set prefix-list trusted-networks 172.16.0.0/12
set prefix-list trusted-networks 192.168.0.0/16
set prefix-list NMS 10.0.0.0/8
set prefix-list NMS 172.16.0.0/12
set prefix-list NMS 192.168.0.0/16
3. Create a firewall filter used for Routing Engine protection. The filter is used to prevent small-packet attacks, fragment attacks, and denial-of-service (DoS) attacks using specific protocols such as ICMP, BGP, OSPF, SNMP, UDP, and TCP. The filter accepts traffic only from trusted sources, and it discards all other traffic. Most of the accept terms also apply a policer that rate-limits the traffic they admit. Junos evaluates the terms in order and the first term that matches a packet decides its fate, so the order of the terms below matters.
a. Create the firewall filter, and specify that the counters defined in the filter are interface specific.
[edit]
edit firewall family inet filter RE-PROTECT
set interface-specific
b. Create a term for BGP traffic.
[edit]
edit firewall family inet filter RE-PROTECT
set term bgp-in from source-prefix-list trusted-bgp-peers
set term bgp-in from protocol tcp
set term bgp-in from port bgp
set term bgp-in then policer limit-150k
set term bgp-in then count bgp-in
set term bgp-in then accept
c. Create a term that accepts traffic from trusted PIM neighbors.
[edit]
edit firewall family inet filter RE-PROTECT
set term pim from source-prefix-list trusted-networks
set term pim from protocol pim
set term pim then policer limit-150k
set term pim then count pim
set term pim then accept
d. Create a term that accepts OSPF traffic from trusted OSPF neighbors.
[edit]
edit firewall family inet filter RE-PROTECT
set term ospf-in from source-prefix-list trusted-networks
set term ospf-in from protocol ospf
set term ospf-in then policer limit-150k
set term ospf-in then count ospf-in
set term ospf-in then accept
e. Create a term that accepts BFD traffic from trusted neighbors. BFD control packets are UDP with destination port 3784 (3785 for echo) and a source port in the range 49152 through 65535. Note that, unlike the BGP, PIM, and OSPF terms, this term accepts without a policer.
[edit]
edit firewall family inet filter RE-PROTECT
set term bfd from source-prefix-list trusted-networks
set term bfd from protocol udp
set term bfd from source-port 49152-65535
set term bfd from destination-port 3784-3785
set term bfd then count accept-bfd
set term bfd then accept
g. Create a term for ICMP traffic, which includes IPv4 error messages.
[edit]
edit firewall family inet filter RE-PROTECT
set term icmp-in from source-prefix-list trusted-networks
set term icmp-in from protocol icmp
set term icmp-in then policer limit-150k
set term icmp-in then count icmp-in
set term icmp-in then accept
h. Create a term for VRRP traffic.
[edit]
edit firewall family inet filter RE-PROTECT
set term vrrp from source-prefix-list trusted-networks
set term vrrp from protocol vrrp
set term vrrp then policer limit-150k
set term vrrp then count vrrp
set term vrrp then accept
i. Create a term that controls SSH, FTP, and Telnet access to the router. FTP and Telnet carry credentials in cleartext; restricting them to the NMS prefix list limits, but does not remove, that exposure.
[edit]
edit firewall family inet filter RE-PROTECT
set term access-in from source-prefix-list NMS
set term access-in from protocol tcp
set term access-in from port ssh
set term access-in from port ftp
set term access-in from port ftp-data
set term access-in from port telnet
set term access-in then count access-in
set term access-in then accept
j. Create a term that accepts TACACS+ traffic (TCP) from trusted network management systems.
[edit]
edit firewall family inet filter RE-PROTECT
set term remote-auth-tcp from source-prefix-list NMS
set term remote-auth-tcp from protocol tcp
set term remote-auth-tcp from port tacacs
set term remote-auth-tcp then count tacacs
set term remote-auth-tcp then accept
k. Create a term that accepts RADIUS authentication and accounting traffic (UDP) from trusted network management systems.
[edit]
edit firewall family inet filter RE-PROTECT
set term remote-auth-udp from source-prefix-list NMS
set term remote-auth-udp from protocol udp
set term remote-auth-udp from port radius
set term remote-auth-udp from port radacct
set term remote-auth-udp then count radius
set term remote-auth-udp then accept
m. Create a term for incoming traffic with a source and destination loopback address.
[edit]
edit firewall family inet filter RE-PROTECT
set term loopback-in from source-address 127.0.0.1/32
set term loopback-in from destination-address 127.0.0.1/32
set term loopback-in then count loopback-in
set term loopback-in then accept
n. Configure a term that prevents small packet attacks.
[edit]
edit firewall family inet filter RE-PROTECT
set term small-packets from packet-length 0-24
set term small-packets then count small-packet-attack
set term small-packets then log
set term small-packets then discard
o. Configure a term that prevents fragment attacks.
[edit]
edit firewall family inet filter RE-PROTECT
set term fragment-packets from fragment-offset-except 0
set term fragment-packets from protocol icmp
set term fragment-packets from protocol igmp
set term fragment-packets from protocol pim
set term fragment-packets from protocol tcp
set term fragment-packets then count frag-attack
set term fragment-packets then log
set term fragment-packets then discard
p. Configure a term that explicitly discards all other traffic.
[edit]
edit firewall family inet filter RE-PROTECT
set term deny-all then count illegal-traffic-in
set term deny-all then log
set term deny-all then discard
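Because the filter above is evaluated first-match, the safest way to reason about it is to model it. The following Python script is an added example, not Juniper code and not configuration from the guide: it parses a subset of the set term statements above (in the chapter's order, with the count actions omitted because they do not affect matching) into an ordered term list, applies the first-match semantics to constructed packet summaries, and lints the filter for accept terms that carry no policer. The modelled Junos semantics are stated as assumptions in the docstring; the policer limit-150k is treated as an opaque name because its definition is not on this page. As written on the page, the lint reports the bfd and access-in terms as accepting unpoliced traffic. All function names and the packet-summary format are this example's own.

```python
"""Added example, not Juniper code or the guide's configuration: an offline
first-match model of the RE-PROTECT Routing Engine filter built above, plus a
lint for accept terms that carry no policer. TERMS is a subset of the chapter's
`set term` statements in the chapter's order (count actions omitted). Modelled
Junos semantics, stated as assumptions: the first matching term wins; the
conditions in a term are ANDed and repeated values of one condition are ORed;
`port` matches either direction; non-initial fragments carry no ports; a packet
that matches no term is discarded."""
import ipaddress

PREFIX_LISTS = {  # policy-options prefix lists from step 1
    "trusted-bgp-peers": ["172.16.4.0/24"],
    "trusted-networks": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "NMS": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}
PORTS = {"bgp": 179, "ssh": 22, "telnet": 23}  # IANA assignments for the names used
PROTOS = {"tcp": 6, "udp": 17}                 # IANA protocol numbers

TERMS = """\
set term bgp-in from source-prefix-list trusted-bgp-peers
set term bgp-in from protocol tcp
set term bgp-in from port bgp
set term bgp-in then policer limit-150k
set term bgp-in then accept
set term bfd from source-prefix-list trusted-networks
set term bfd from protocol udp
set term bfd from source-port 49152-65535
set term bfd from destination-port 3784-3785
set term bfd then accept
set term access-in from source-prefix-list NMS
set term access-in from protocol tcp
set term access-in from port ssh
set term access-in from port telnet
set term access-in then accept
set term small-packets from packet-length 0-24
set term small-packets then discard
set term fragment-packets from fragment-offset-except 0
set term fragment-packets from protocol tcp
set term fragment-packets then discard
set term deny-all then discard
"""


def parse_terms(text):
    """Ordered {name: {"from": {condition: [values]}, "then": {action: arg}}}."""
    terms = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[:2] != ["set", "term"]:
            continue
        term = terms.setdefault(f[2], {"from": {}, "then": {}})
        if f[3] == "from":
            term["from"].setdefault(f[4], []).append(f[5])
        else:  # "then": action with optional argument (e.g. policer name)
            term["then"][f[4]] = f[5] if len(f) > 5 else None
    return terms


def _in_ranges(value, specs, names=()):
    """True if value is within any spec: a named port, a number, or 'lo-hi'."""
    for spec in specs:
        if spec in names:
            lo = hi = names[spec]
        elif "-" in spec:
            lo, hi = (int(x) for x in spec.split("-", 1))
        else:
            lo = hi = int(spec)
        if lo <= value <= hi:
            return True
    return False


def term_matches(term, pkt):
    """AND over the term's conditions; each condition ORs its listed values."""
    for cond, vals in term["from"].items():
        if cond == "source-prefix-list":
            src = ipaddress.ip_address(pkt["src"])
            ok = any(src in ipaddress.ip_network(p) for n in vals for p in PREFIX_LISTS[n])
        elif cond == "protocol":
            ok = pkt["proto"] in {PROTOS[v] for v in vals}
        elif cond in ("port", "source-port", "destination-port"):
            cand = {"source-port": [pkt["sport"]], "destination-port": [pkt["dport"]]}
            ok = any(p is not None and _in_ranges(p, vals, PORTS)
                     for p in cand.get(cond, [pkt["sport"], pkt["dport"]]))
        elif cond == "packet-length":
            ok = _in_ranges(pkt["length"], vals)
        elif cond == "fragment-offset-except":
            ok = not _in_ranges(pkt["frag_offset"], vals)
        else:
            raise ValueError(f"match condition not modelled: {cond}")
        if not ok:
            return False
    return True


def evaluate(terms, pkt):
    """(term, action, policer) of the first matching term; implicit discard."""
    for name, term in terms.items():
        if term_matches(term, pkt):
            action = "accept" if "accept" in term["then"] else "discard"
            return name, action, term["then"].get("policer")
    return None, "discard", None


def unpoliced_accepts(terms):
    """Accept terms without a policer: what they admit reaches the RE unmetered."""
    return [n for n, t in terms.items() if "accept" in t["then"] and "policer" not in t["then"]]


def packet(src, proto, sport=None, dport=None, length=64, frag_offset=0):
    """Constructed packet summary holding only the fields the filter matches on."""
    return dict(src=src, proto=proto, sport=sport, dport=dport, length=length, frag_offset=frag_offset)


if __name__ == "__main__":
    t = parse_terms(TERMS)
    print(evaluate(t, packet("172.16.4.1", 6, 179, 53000)))      # BGP from the L3VPN peer
    print(evaluate(t, packet("10.1.1.1", 17, 50000, 3784)))      # BFD from the LAN, unpoliced
    print(evaluate(t, packet("172.16.4.1", 6, frag_offset=185)))  # non-initial TCP fragment
    print(unpoliced_accepts(t))
```

The model is deliberately small: it reads the same set syntax that show configuration | display set produces, so the full filter can be fed in once the remaining terms are pasted into TERMS, and any condition it does not understand raises rather than silently matching. A non-initial fragment from the trusted BGP peer reaches fragment-packets only because, without ports, it fails bgp-in; that is the kind of ordering consequence the evaluator makes visible.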
Results

                 Local                          Remote
inet             172.16.4.2/30
inet6            fe80::5e5e:abff:fe0d:d901/64
                 2001:DB8:4:1::2/64
multiservice
2. Configure a policy that is used to control IPv4 routes that are advertised to the aggregation hub.
This policy prevents the default static route from being advertised and allows OSPF
and direct routes to be advertised.
[edit]
edit policy-options policy-statement BRANCH-PREFIX
set term block-default from route-filter 0.0.0.0/0 exact
set term block-default then reject
set term branch from protocol ospf
set term branch from protocol direct
set term branch then accept
set term default then reject
3. Configure a policy that is used to control IPv6 routes that are advertised to the aggregation hub.
This policy prevents the default static route from being advertised and allows OSPF
and direct routes to be advertised.
[edit]
edit policy-options policy-statement BRANCH-PREFIX6
set term block-default from family inet6
set term block-default from route-filter ::/0 exact
set term block-default then reject
set term branch from family inet6
set term branch from protocol ospf3
set term branch from protocol direct
set term branch then accept
set term default then reject
4. Configure a policy that sets the local preference to 200 for IPv4 routes learned from BGP.
[edit]
edit policy-options policy-statement SET_LOCAL_PREF
set term 1 then local-preference 200
set term 1 then accept
5. Configure a policy that sets the local preference to 200 for the default static IPv6 route learned from BGP.
[edit]
edit policy-options policy-statement SET_LOCAL_PREF6
set term 1 from family inet6
set term 1 from protocol bgp
set term 1 from route-filter ::/0 exact
set term 1 then local-preference 200
set term 1 then accept
6. Create an IPv4 EBGP group between the branch router and the Layer 3 VPN service provider.
The SET_LOCAL_PREF import policy sets the local preference of routes received over the Layer 3 VPN to 200. Routes learned from branch router 2 over IBGP keep the default local preference of 100, so branch router 1 prefers its own Layer 3 VPN path.
The BRANCH-PREFIX export policy controls what is advertised to the hub: it prevents a default route learned by another protocol from being advertised, and it advertises the branch's OSPF and direct routes.
The authentication-key values below are stored in Junos $9$ format, which is reversible obfuscation rather than a hash, so the configuration file itself must be protected.
[edit]
edit protocols bgp group EBGP_AS_555
set type external
set import SET_LOCAL_PREF
set export BRANCH-PREFIX
set peer-as 555
set neighbor 172.16.4.1 family inet unicast
set neighbor 172.16.4.1 authentication-key "$9$l.dv87wYojHm-VHmfT/9evW"
7.
Create an IPv6 EBGP group between the branch router and the Layer 3 VPN service
provider.
The SET_LOCAL_PREF6 import policy sets the local preference value for routes
over the Layer 3 VPN to 200. Routes from Branch router 2 use the default local
preference value of 100, which gives routes on Branch router 1 a higher preference
than those on Branch router 2.
The BRANCH-PREFIX6 export policy controls default route advertisement to the
hub. It prevents default routes learned by another protocol from being advertised
to the hub, and causes the loopback address of the branch router to be advertised
to the hub as the next hop.
[edit]
edit protocols bgp group EBGP_AS_555-V6
set type external
set import SET_LOCAL_PREF6
set family inet6 unicast
set export BRANCH-PREFIX6
set peer-as 555
set neighbor 2001:DB8:4:1::1 authentication-key "$9$WmrXNb4aU.PQs2PQFnpu8X7"
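The following Python model is an added example, not configuration or code from this guide or from Juniper. It replays the BRANCH-PREFIX, BRANCH-PREFIX6 and SET_LOCAL_PREF policies above the way Junos walks policy terms (the first matching term with a terminating action decides; a matching term without one applies its modifiers and falls through) and then compares local preference the way route selection between the two hubs does. The same policies are configured again for Branch router 2 later in this chapter, so the example covers both routers. The sample prefixes are constructed, and because the page's SET_LOCAL_PREF6 listing breaks off after its match conditions, its `then local-preference 200` and `accept` actions are assumed from the step text.

```python
"""Added example (not Juniper code): a model of the branch router's BGP policies."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str            # "0.0.0.0/0", "172.16.4.8/29", "::/0", ...
    protocol: str          # static | direct | ospf | ospf3 | bgp
    local_pref: int = 100  # Junos default local preference
    via: str = ""          # constructed label: which hub advertised the route

    @property
    def family(self) -> str:
        return "inet6" if ipaddress.ip_network(self.prefix).version == 6 else "inet"


@dataclass(frozen=True)
class Term:
    """One policy-statement term, reduced to the match/then options used on this page."""
    name: str
    family: Optional[str] = None               # from family inet6
    protocols: Tuple[str, ...] = ()            # repeated 'from protocol' lines: any-of
    route_filter_exact: Optional[str] = None   # from route-filter <prefix> exact
    local_pref: Optional[int] = None           # then local-preference <n>
    action: Optional[str] = None               # then accept | reject | none (fall through)

    def matches(self, r: Route) -> bool:
        if self.family and r.family != self.family:
            return False
        if self.protocols and r.protocol not in self.protocols:
            return False
        if self.route_filter_exact is not None:
            # 'exact': same prefix and same length; a /0 filter of one address
            # family never matches a route of the other family.
            if ipaddress.ip_network(self.route_filter_exact) != ipaddress.ip_network(r.prefix):
                return False
        return True


def evaluate(policy: List[Term], r: Route, default_action: str) -> Tuple[str, Route]:
    """Walk the terms in order: the first match with a terminating action decides,
    a match without one applies its modifiers and continues."""
    for t in policy:
        if not t.matches(r):
            continue
        if t.local_pref is not None:
            r = replace(r, local_pref=t.local_pref)
        if t.action is not None:
            return t.action, r
    return default_action, r


# The policies as configured in the steps above.
BRANCH_PREFIX = [
    Term("block-default", route_filter_exact="0.0.0.0/0", action="reject"),
    Term("branch", protocols=("ospf", "direct"), action="accept"),
    Term("default", action="reject"),
]
BRANCH_PREFIX6 = [
    Term("block-default", family="inet6", route_filter_exact="::/0", action="reject"),
    Term("branch", family="inet6", protocols=("ospf3", "direct"), action="accept"),
    Term("default", action="reject"),
]
SET_LOCAL_PREF = [Term("1", local_pref=200, action="accept")]
# SET_LOCAL_PREF6 breaks off after its 'from' lines on the page; the 'then'
# part (local-preference 200, accept) is assumed from the step text.
SET_LOCAL_PREF6 = [
    Term("1", family="inet6", protocols=("bgp",), route_filter_exact="::/0",
         local_pref=200, action="accept"),
]


def export_to_hub(r: Route) -> str:
    """Decision of the BRANCH-PREFIX / BRANCH-PREFIX6 export policy for one route."""
    policy = BRANCH_PREFIX6 if r.family == "inet6" else BRANCH_PREFIX
    return evaluate(policy, r, default_action="reject")[0]


def import_from_hub(r: Route, hub: int) -> Route:
    """Routes via hub 1 pass through SET_LOCAL_PREF / SET_LOCAL_PREF6; the hub 2
    peering has no import policy, so its routes keep the default of 100."""
    r = replace(r, protocol="bgp", via="hub%d" % hub)
    if hub != 1:
        return r
    policy = SET_LOCAL_PREF6 if r.family == "inet6" else SET_LOCAL_PREF
    return evaluate(policy, r, default_action="accept")[1]


def best_path(candidates: List[Route]) -> Route:
    """Highest local preference wins; the later BGP tie-breakers are not modelled."""
    return max(candidates, key=lambda r: r.local_pref)
```

One difference the model makes visible: SET_LOCAL_PREF raises every IPv4 route from Aggregation Hub 1 to 200, while SET_LOCAL_PREF6 as written raises only the IPv6 default route, so a more specific IPv6 prefix learned from hub 1 keeps 100 and ties with the hub 2 path on this criterion.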
8.
Results
There are three interfaces to the branch LAN: one for data, one for video, and one for
voice.
1.
2.
3.
4.
Results
Branch LAN logical interfaces (show interfaces terse; reconstructed from the garbled extraction, the first row's interface and status cells were lost):
Interface         Admin  Link  Proto         Local                          Remote
ge-1/2/0.43       up     up    inet          172.16.4.9/29
                                             172.16.4.11/29
                              inet6         fe80::200:5eff:fe00:20a/64
                                             fe80::5e5e:ab00:2b0d:d900/64
                                             2001:DB8:4:43::1/64
                                             2001:DB8:4:43::3/64
                              multiservice
ge-1/2/0.53       up     up    inet          172.16.4.17/29
                                             172.16.4.19/29
                              inet6         fe80::200:5eff:fe00:214/64
                                             fe80::5e5e:ab00:350d:d900/64
                                             2001:DB8:4:53::1/64
                                             2001:DB8:4:53::3/64
                              multiservice
ge-1/2/0.63       up     up    inet          172.16.4.25/29
                                             172.16.4.27/29
                              inet6         fe80::200:5eff:fe00:21e/64
                                             fe80::5e5e:ab00:3f0d:d900/64
                                             2001:DB8:4:63::1/64
                                             2001:DB8:4:63::3/64
                              multiservice
ge-1/2/0.32767    up     up    multiservice
1.
Create an IPv4 area for the branch, and add the branch LAN interfaces to the area.
[edit]
edit protocols ospf area 0.0.0.1
set interface ge-1/2/0.43
set interface ge-1/2/0.53
set interface ge-1/2/0.63
2.
Create an IPv6 area for the branch, and add the branch LAN interfaces to the area.
[edit]
edit protocols ospf3 area 0.0.0.1
set interface ge-1/2/0.43
set interface ge-1/2/0.53
set interface ge-1/2/0.63
3.
Results
OSPF neighbors on the branch LAN interfaces (show ospf neighbor; the Address and Interface columns were lost in extraction):
State   ID             Pri   Dead
Full    172.16.4.12    0     34
Full    172.16.4.254   128   34
Full    172.16.4.20    0     34
Full    172.16.4.254   128   36
Full    172.16.4.28    0     34
Full    172.16.4.254   128   31

OSPFv3 neighbors on the same interfaces (show ospf3 neighbor; only the Pri and Dead columns survived, in the same neighbor order):
Pri   Dead
0     33
128   33
0     33
128   39
0     33
128   35
2.
3.
4.
Results
After you configure Branch router 2, verify that the LAN interface to Branch router 2 is up.
user@branch1> show interfaces ge-1/3/4
Physical interface: ge-1/3/4, Enabled, Physical link is Up
  Interface index: 162, SNMP ifIndex: 2157
  Description: --- To intra branch router B2B link BRANCH-ROUTER2 ge-1/2/4) ---
  Link-level type: Ethernet, MTU: 1518, Speed: 1000mbps, BPDU Error: None,
  MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled,
  Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  CoS queues     : 8 supported, 8 maximum usable queues
  Current address: 5c:5e:ab:0d:d9:1c, Hardware address: 5c:5e:ab:0d:d9:1c
  Last flapped   : 2013-07-04 05:46:24 PDT (3w5d 04:57 ago)
  Input rate     : 9569512 bps (3278 pps)
  Output rate    : 416 bps (0 pps)
  Active alarms  : None
  Active defects : None
  Interface transmit statistics: Disabled

  Logical interface ge-1/3/4.1 (Index 354) (SNMP ifIndex 521)
    Flags: SNMP-Traps 0x0 VLAN-Tag [ 0x8100.1 ]  Encapsulation: ENET2
    Statistics account overhead :
      Ingress account overhead : 22 bytes
      Egress account overhead  : 22 bytes
    Input packets : 19370858140
    Output packets: 8461884573
    Protocol inet, MTU: 1500
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 172.16.4.32/30, Local: 172.16.4.33, Broadcast: 172.16.4.35
    Protocol inet6, MTU: 1500
      Addresses, Flags: Is-Preferred
        Destination: fe80::/64, Local: fe80::5e5e:ab00:10d:d91c
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 2001:DB8:4:3::/64, Local: 2001:DB8:4:3::1
    Protocol multiservice, MTU: Unlimited

  Logical interface ge-1/3/4.2 (Index 355) (SNMP ifIndex 522)
    Flags: SNMP-Traps 0x0 VLAN-Tag [ 0x8100.2 ]  Encapsulation: ENET2
    Statistics account overhead :
      Ingress account overhead : 22 bytes
      Egress account overhead  : 22 bytes
    Input packets : 1143583
    Output packets: 1831498
    Protocol inet, MTU: 1500
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 172.16.4.36/30, Local: 172.16.4.37, Broadcast: 172.16.4.39
    Protocol inet6, MTU: 1500
      Addresses, Flags: Is-Preferred
        Destination: fe80::/64, Local: fe80::5e5e:ab00:20d:d91c
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 2001:DB8:4:33::/64, Local: 2001:DB8:4:33::1
    Protocol multiservice, MTU: Unlimited

  Logical interface ge-1/3/4.32767 (Index 350) (SNMP ifIndex 527)
    Flags: SNMP-Traps 0x0 VLAN-Tag [ 0x0000.0 ]  Encapsulation: ENET2
    Input packets : 0
    Output packets: 0
    Protocol multiservice, MTU: Unlimited
      Flags: None
1.
Configure the backbone area for IPv4. Add the loopback interface and unit 1 of the
Ethernet interface that connects to Branch router 2 to the area.
[edit]
edit protocols ospf area 0.0.0.0
set interface lo0.0
set interface ge-1/3/4.1
2.
Add unit 2 of the Ethernet interface that connects to Branch router 2 to OSPF Area
1.
[edit]
edit protocols ospf area 0.0.0.1
set interface ge-1/3/4.2
3.
Configure the backbone area for IPv6. Add the loopback interface and unit 1 of the
Ethernet interface that connects to Branch router 2 to the area.
[edit]
edit protocols ospf3 area 0.0.0.0
set interface lo0.0
set interface ge-1/3/4.1
4.
Add unit 2 of the Ethernet interface that connects to Branch router 2 to OSPFv3
Area 1.
[edit]
edit protocols ospf3 area 0.0.0.1
set interface ge-1/3/4.2
5.
Results
After you configure Branch router 2, verify that OSPF is running between the branch
routers.
1.
Verify that OSPF and OSPFv3 are running between the branch routers.
user@branch1> show ospf neighbor
Address          Interface     State   ID             Pri   Dead
172.16.4.34      ge-1/3/4.1    Full    172.16.4.254   128   31
. . .
172.16.4.38      ge-1/3/4.2    Full    172.16.4.254   128   35

OSPFv3 neighbors (show ospf3 neighbor; the first row's ID, Interface and State cells were lost in extraction):
ID               Interface     State   Pri   Dead
(lost)           (lost)        (lost)  128   39
. . .
172.16.4.254     ge-1/3/4.2    Full    128   35
  Neighbor-address fe80::5e5e:ab00:20d:d904
1.
Create a next-hop self policy for IPv4 traffic, which causes the loopback address
of the branch router to be advertised as the next-hop address.
[edit]
edit policy-options policy-statement NHS
set then next-hop self
2.
Create a next-hop self policy for IPv6 traffic, which causes the loopback address
of the branch router to be advertised as the next-hop address for BGP traffic.
[edit]
edit policy-options policy-statement NHS6
set term 1 from family inet6
set term 1 from protocol bgp
set term 1 then next-hop self
set term 1 then accept
3.
Configure an IBGP group for IPv4 traffic. Add Branch router 2 as a neighbor and use
the address of lo0.0 as the local address.
[edit]
edit protocols bgp group To-BR2
set type internal
set export NHS
set neighbor 172.16.4.255 local-address 172.16.4.254
set neighbor 172.16.4.255 family inet unicast
4.
Configure an IBGP group for IPv6 traffic. Add Branch router 2 as a neighbor, and use
the address of lo0.0 as the local address.
[edit]
edit protocols bgp group To-BR2-V6
set type internal
set local-address 2001:DB8:4::254
set family inet6 unicast
set export NHS6
set neighbor 2001:DB8:4::255
5.
Results
After you configure Branch router 2, verify BGP between the branch routers.
1.
BGP sessions (show bgp summary; reconstructed from the garbled extraction, the OutQ and Flaps columns collapsed into one):
Peer               AS      InPkt   OutPkt   OutQ/Flaps   Last Up/Dwn   State|#Active/Received/Accepted/Damped...
172.16.4.1         555     82476   83434    18           3w5d5h        1/1/1/0    0/0/0/0
172.16.4.255       64514   83131   83140    36           3w5d5h        0/0/0/0    0/0/0/0
2001:DB8:4::255    64514   83131   83141    25           3w5d5h        Establ
                                                                       inet6.0: 0/0/0/0
2001:DB8:4:1::1    555     82475   83494    15           3w5d5h        Establ
                                                                       inet6.0: 1/1/1/0
Set the router's priority for being elected master of the VRRP group. A larger value
indicates a higher priority for being elected.
Enable the master router to accept all packets destined for the virtual IP address.
Specify the interface to be tracked for this VRRP group, and set the priority cost that
is subtracted from the router's priority while that interface is down. The router with
the highest priority within the group becomes the master.
1.
Configure a VRRP group for IPv4 and IPv6 for the data interface to the branch LAN.
[edit]
edit interfaces ge-1/2/0 unit 43 family inet address 172.16.4.11/29
set vrrp-group 10 virtual-address 172.16.4.9
set vrrp-group 10 priority 200
set vrrp-group 10 fast-interval 333
set vrrp-group 10 preempt
set vrrp-group 10 accept-data
[edit]
edit interfaces ge-1/2/0 unit 43 family inet6 address 2001:DB8:4:43::3/64
set vrrp-inet6-group 10 virtual-inet6-address 2001:DB8:4:43::1
set vrrp-inet6-group 10 priority 200
set vrrp-inet6-group 10 preempt
set vrrp-inet6-group 10 accept-data
set vrrp-inet6-group 10 track interface ge-1/2/1 priority-cost 110
2.
Configure a VRRP group for IPv4 and IPv6 for the video interface to the branch LAN.
[edit]
edit interfaces ge-1/2/0 unit 53 family inet address 172.16.4.19/29
set vrrp-group 20 virtual-address 172.16.4.17
set vrrp-group 20 priority 200
set vrrp-group 20 fast-interval 333
set vrrp-group 20 preempt
set vrrp-group 20 accept-data
set vrrp-group 20 track interface ge-1/2/1 priority-cost 110
[edit]
edit interfaces ge-1/2/0 unit 53 family inet6 address 2001:DB8:4:53::3/64
set vrrp-inet6-group 20 virtual-inet6-address 2001:DB8:4:53::1
set vrrp-inet6-group 20 priority 200
set vrrp-inet6-group 20 preempt
set vrrp-inet6-group 20 accept-data
set vrrp-inet6-group 20 track interface ge-1/2/1 priority-cost 110
3.
Configure a VRRP group for IPv4 and IPv6 for the voice interface to the branch LAN.
[edit]
edit interfaces ge-1/2/0 unit 63 family inet address 172.16.4.27/29
set vrrp-group 30 virtual-address 172.16.4.25
Results
VRRP state on the branch LAN interfaces (show vrrp; reconstructed from the garbled extraction):
Interface     State  Group  VR state  VR Mode  Timer   Type  Address
ge-1/2/0.43   up     10     master    Active   0.290   lcl   172.16.4.11
                                                       vip   172.16.4.9
ge-1/2/0.43   up     10     master    Active   0.038   lcl   2001:DB8:4:43::3
                                                       vip   fe80::200:5eff:fe00:20a
                                                       vip   2001:DB8:4:43::1
ge-1/2/0.53   up     20     master    Active   0.109   lcl   172.16.4.19
                                                       vip   172.16.4.17
ge-1/2/0.53   up     20     master    Active   0.351   lcl   2001:DB8:4:53::3
                                                       vip   fe80::200:5eff:fe00:214
                                                       vip   2001:DB8:4:53::1
ge-1/2/0.63   up     30     master    Active   0.003   lcl   172.16.4.27
                                                       vip   172.16.4.25
ge-1/2/0.63   up     30     master    Active   0.064   lcl   2001:DB8:4:63::3
                                                       vip   fe80::200:5eff:fe00:21e
                                                       vip   2001:DB8:4:63::1
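As an added example (not from the guide or from Juniper), this Python model shows how the priority, preempt and track settings configured above decide which branch router is master of a group, and what the fast-interval value does to the failover time. Branch router 1's values come from the steps above; Branch router 2's priority of 100 is assumed (the Junos default; its VRRP configuration is on a later page), the 1..254 clamp on the effective priority is a modelling assumption, and ties are not resolved as VRRP does (by address).

```python
"""Added example (not Juniper code): VRRP master election with priority,
preempt and interface tracking, plus the RFC 5798 master-down interval."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class VrrpRouter:
    name: str
    priority: int                        # configured priority, 1..254
    preempt: bool = False
    track: Dict[str, int] = field(default_factory=dict)  # interface -> priority-cost

    def effective_priority(self, link_up: Dict[str, bool]) -> int:
        """Subtract the priority-cost of every tracked interface that is down.
        The result is kept within 1..254 (assumption of this model)."""
        cost = sum(c for iface, c in self.track.items() if not link_up.get(iface, True))
        return max(1, min(254, self.priority - cost))


def elect_master(routers: List[VrrpRouter], link_up: Dict[str, bool],
                 current: Optional[str] = None) -> str:
    """Name of the router that should be master.

    The highest effective priority wins an open election. When a master already
    exists, a backup with a higher effective priority takes over only if it has
    preempt enabled; otherwise the incumbent keeps the role.
    """
    ranked = sorted(routers, key=lambda r: r.effective_priority(link_up), reverse=True)
    best = ranked[0]
    if current is None or current == best.name:
        return best.name
    incumbent = next(r for r in routers if r.name == current)
    if best.preempt and best.effective_priority(link_up) > incumbent.effective_priority(link_up):
        return best.name
    return current


def master_down_interval_ms(priority: int, advert_ms: int) -> float:
    """RFC 5798 master-down interval: 3 x advertisement interval + skew,
    where skew = (256 - priority) x advertisement interval / 256."""
    return 3 * advert_ms + (256 - priority) * advert_ms / 256


# Branch router 1 as configured above for the tracked groups; Branch router 2's
# priority is the assumed Junos default.
BR1 = VrrpRouter("branch1", priority=200, preempt=True, track={"ge-1/2/1": 110})
BR2 = VrrpRouter("branch2", priority=100, preempt=True)


def failover_sequence() -> List[str]:
    """Master as the WAN interface of Branch router 1 goes down and comes back."""
    routers = [BR1, BR2]
    steps = []
    master = elect_master(routers, {"ge-1/2/1": True})
    steps.append(master)
    master = elect_master(routers, {"ge-1/2/1": False}, current=master)   # 200-110 = 90 < 100
    steps.append(master)
    master = elect_master(routers, {"ge-1/2/1": True}, current=master)    # preempt regains
    steps.append(master)
    return steps
```

With priority 200 and fast-interval 333, the backup declares the master down after roughly 1.07 s; without fast-interval (the 1000 ms default) and the default priority it is about 3.6 s. The priority-cost of 110 is chosen so that 200 minus 110 falls below the other router's priority, which is what moves the virtual address to Branch router 2 when the WAN link fails.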
1.
2.
Configure multicast on the interface to the Layer 3 VPN service provider, the branch
LAN data interface, and the interface to Branch router 2.
Assign a priority of 20000 on the branch LAN data interface so that this router is
preferred over Branch router 2 as the designated router for the branch LAN.
[edit]
edit protocols pim
set interface ge-1/2/1.0 mode sparse
set interface ge-1/2/1.0 version 2
set interface ge-1/2/0.43 mode sparse
set interface ge-1/2/0.43 priority 20000
set interface ge-1/2/0.43 version 2
set interface ge-1/3/4.1 mode sparse
set interface ge-1/3/4.1 version 2
set interface ge-1/3/4.2 mode sparse
set interface ge-1/3/4.2 version 2
3.
Results
3. Verify multicast on the branch LAN interface, the interface to Branch router 2, and the
PIM neighbors (show pim neighbors; reconstructed from the garbled extraction. The Interface column was lost and is filled in from the neighbor addresses used elsewhere on this page):
Interface      Option   Uptime   Neighbor addr
ge-1/2/0.43    HPLGT    1w3d8h   172.16.4.10
ge-1/2/1.0     HPLGT    1w3d8h   172.16.4.1
ge-1/3/4.1     HPLGT    1w3d8h   172.16.4.34
ge-1/3/4.2     HPLGT    1w3d8h   172.16.4.38
(four further rows, Option HPLGT, Uptime 1w3d8h, whose interface and neighbor address cells were lost)
4. Verify that groups are established with upstream interfaces to the Layer 3 VPN service
rendezvous point.
user@branch1> show multicast rpf 172.31.255.15
Multicast RPF table: inet.0 , 197 entries
0.0.0.0/0
Protocol: BGP
Interface: ge-1/2/1.0
Neighbor: 172.16.4.1
6. Verify that routes are created and traffic is flowing.
user@branch1> show pim rps extensive
Instance: PIM.master
address-family INET
RP: 172.31.255.15
Learned via: static configuration
Mode: Sparse
Time Active: 6w4d 02:47:16
Holdtime: 0
Device Index: 137
Subunit: 32769
Interface: pe-1/3/10.32769
Static RP Override: Off
Group Ranges:
224.0.0.0/4
Active groups using RP:
235.4.1.1
235.4.1.2
235.4.1.3
235.4.1.4
235.4.1.5
235.4.1.6
235.4.1.7
235.4.1.8
235.4.1.9
235.4.1.10
235.4.1.11
235.4.1.12
235.4.1.13
235.4.1.14
235.4.1.15
235.4.1.16
235.4.1.17
235.4.1.18
235.4.1.19
235.4.1.20
235.4.1.21
235.4.1.22
235.4.1.23
235.4.1.24
235.4.1.25
total 25 groups active
address-family INET6
1.
Configure classifiers.
a. Configure DSCP behavior aggregate (BA) classifiers for IPv4.
[edit]
edit class-of-service classifiers dscp DSCP-BA
set forwarding-class Best_Effort loss-priority medium-high code-points be
set forwarding-class Video loss-priority low code-points af41
set forwarding-class Video loss-priority low code-points af42
set forwarding-class Voice loss-priority low code-points ef
set forwarding-class Network_Control loss-priority low code-points cs7
set forwarding-class Network_Control loss-priority low code-points cs6
set forwarding-class Scavenger loss-priority high code-points cs1
set forwarding-class Bulk_Data loss-priority medium-high code-points af11
set forwarding-class Bulk_Data loss-priority medium-high code-points af12
set forwarding-class Critical_Data loss-priority medium-low code-points af21
set forwarding-class Critical_Data loss-priority medium-low code-points af22
b. Configure DSCP BA classifiers for IPv6.
[edit]
edit class-of-service classifiers dscp-ipv6 DSCP-BA
set forwarding-class Best_Effort loss-priority high code-points be
set forwarding-class Video loss-priority low code-points af41
set forwarding-class Video loss-priority low code-points af42
set forwarding-class Voice loss-priority low code-points ef
set forwarding-class Network_Control loss-priority low code-points cs6
set forwarding-class Network_Control loss-priority low code-points cs7
set forwarding-class Scavenger loss-priority low code-points cs1
set forwarding-class Bulk_Data loss-priority high code-points af11
set forwarding-class Bulk_Data loss-priority high code-points af12
set forwarding-class Critical_Data loss-priority low code-points af21
set forwarding-class Critical_Data loss-priority low code-points af22
c. Assign the forwarding classes to transmission queues.
[edit]
edit class-of-service forwarding-classes
set queue 0 Best_Effort
set queue 1 Scavenger
set queue 2 Bulk_Data
set queue 3 Critical_Data
set queue 4 Video
set queue 5 Voice
set queue 6 Network_Control
2.
[edit]
edit class-of-service rewrite-rules dscp Rewrite_CORE_TRAFFIC
set forwarding-class Best_Effort loss-priority medium-high code-point be
set forwarding-class Bulk_Data loss-priority medium-high code-point af11
set forwarding-class Scavenger loss-priority high code-point cs1
[edit]
edit class-of-service rewrite-rules dscp-ipv6 Rewrite_CORE_TRAFFIC
set forwarding-class Best_Effort loss-priority medium-high code-point be
set forwarding-class Bulk_Data loss-priority medium-high code-point af11
set forwarding-class Scavenger loss-priority high code-point cs1
set forwarding-class Critical_Data loss-priority medium-low code-point af21
set forwarding-class Video loss-priority low code-point af41
set forwarding-class Voice loss-priority low code-point ef
set forwarding-class Network_Control loss-priority low code-point cs7
c. Configure a DSCP rewrite rule for voice traffic. This rule sets the code-point bit
patterns for the Voice forwarding class and is applied to the branch LAN interface.
[edit]
edit class-of-service rewrite-rules dscp voice-ef
set forwarding-class Voice loss-priority low code-point 101110
d. Configure a rewrite rule for video traffic. This rule sets the code-point bit patterns
for the Video forwarding class and is applied to the branch LAN interface.
[edit]
edit class-of-service rewrite-rules dscp video-af
set forwarding-class Video loss-priority low code-point 100010
3.
[edit]
edit class-of-service schedulers SCH_Best_Effort
set transmit-rate remainder
set buffer-size remainder
set priority medium-low
b. Create a scheduler for the Scavenger forwarding class.
[edit]
edit class-of-service schedulers SCH_Scavenger
set transmit-rate percent 3
set buffer-size percent 10
set priority low
c. Create a scheduler for the Bulk_Data forwarding class.
[edit]
edit class-of-service schedulers SCH_Bulk_Data
set transmit-rate percent 20
set buffer-size percent 15
set priority medium-low
d. Create a scheduler for the Critical_Data forwarding class.
[edit]
edit class-of-service schedulers SCH_Critical_Data
set transmit-rate percent 15
set transmit-rate exact
set buffer-size percent 15
set priority medium-high
e. Create a scheduler for the Video forwarding class.
[edit]
edit class-of-service schedulers SCH_Video
set transmit-rate percent 20
set transmit-rate exact
set buffer-size percent 10
set priority high
f. Create a scheduler for the Network_Control forwarding class.
[edit]
edit class-of-service schedulers SCH_Network_Control
set transmit-rate percent 5
set transmit-rate exact
set buffer-size percent 3
5.
Create a traffic control profile for use on the WAN transport to the Layer 3 VPN
service provider.
The 150-Mbps shaping rate (150m) is the service rate purchased from the service provider.
[edit]
edit class-of-service traffic-control-profiles mpls-link
set scheduler-map MAIN-SCHD
set shaping-rate 150m
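An added example, not code from the guide or from Juniper: the Python below applies the DSCP-BA IPv4 classifier, the queue assignment, the voice-ef and video-af rewrite rules and the shaping rate from the steps above to a constructed IPv4 header, so the mapping from wire bits to forwarding class and queue can be checked. The DSCP alias values are the standard RFC code points; treating an unmapped code point as Best_Effort with loss-priority low is an assumption, and the IPv6 classifier (whose loss priorities differ) is not modelled.

```python
"""Added example (not Juniper code): DSCP classification, queue mapping, rewrite
and shaping-rate parsing from the class-of-service steps above."""
import ipaddress
import struct
from typing import Dict, Tuple

# Standard code points behind the aliases used in the classifier (RFC 2474/2597/3246).
DSCP = {"be": 0, "cs1": 8, "af11": 10, "af12": 12, "af21": 18, "af22": 20,
        "af41": 34, "af42": 36, "ef": 46, "cs6": 48, "cs7": 56}

# classifiers dscp DSCP-BA (IPv4): code point -> (forwarding class, loss priority)
DSCP_BA: Dict[int, Tuple[str, str]] = {
    DSCP["be"]: ("Best_Effort", "medium-high"),
    DSCP["af41"]: ("Video", "low"),
    DSCP["af42"]: ("Video", "low"),
    DSCP["ef"]: ("Voice", "low"),
    DSCP["cs7"]: ("Network_Control", "low"),
    DSCP["cs6"]: ("Network_Control", "low"),
    DSCP["cs1"]: ("Scavenger", "high"),
    DSCP["af11"]: ("Bulk_Data", "medium-high"),
    DSCP["af12"]: ("Bulk_Data", "medium-high"),
    DSCP["af21"]: ("Critical_Data", "medium-low"),
    DSCP["af22"]: ("Critical_Data", "medium-low"),
}
DEFAULT_CLASS = ("Best_Effort", "low")   # assumed treatment of unmapped code points

# forwarding-classes: class -> queue
QUEUE = {"Best_Effort": 0, "Scavenger": 1, "Bulk_Data": 2, "Critical_Data": 3,
         "Video": 4, "Voice": 5, "Network_Control": 6}

# rewrite-rules voice-ef and video-af: (class, loss priority) -> 6-bit code point
REWRITE: Dict[str, Dict[Tuple[str, str], int]] = {
    "voice-ef": {("Voice", "low"): 0b101110},
    "video-af": {("Video", "low"): 0b100010},
}


def ipv4_header(src: str, dst: str, dscp: int, proto: int = 17, total_len: int = 200) -> bytes:
    """Constructed 20-byte IPv4 header with the DS field set and ECN bits zero."""
    tos = (dscp & 0x3F) << 2
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def dscp_of(header: bytes) -> int:
    """Upper six bits of the second header byte."""
    return header[1] >> 2


def classify(header: bytes) -> Tuple[str, str, int]:
    """Behavior-aggregate classification: (forwarding class, loss priority, queue)."""
    fc, lp = DSCP_BA.get(dscp_of(header), DEFAULT_CLASS)
    return fc, lp, QUEUE[fc]


def rewrite(header: bytes, rule: str) -> bytes:
    """Apply a rewrite rule on egress: the code point is replaced only when the
    rule has an entry for the packet's class and loss priority."""
    fc, lp, _ = classify(header)
    code_point = REWRITE[rule].get((fc, lp))
    if code_point is None:
        return header
    ecn = header[1] & 0x03
    return header[:1] + bytes([(code_point << 2) | ecn]) + header[2:]


def parse_rate(text: str) -> int:
    """Junos rate literal to bits per second: '150m' -> 150000000, the value
    printed as 'Shaping rate' by show class-of-service traffic-control-profile."""
    units = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}
    t = text.strip().lower()
    if t[-1] in units:
        return int(t[:-1]) * units[t[-1]]
    return int(t)
```

Running a packet marked af42 through the video-af rule shows the normalising effect of the rewrite: the classifier places both af41 and af42 in Video, and the rule re-marks the packet as 100010 (af41) on the branch LAN interface, so only one video code point leaves the router.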
6.
7.
8.
Results
1.
Check that the traffic control profile is running on the WAN transport.
user@branch1> show class-of-service traffic-control-profile
Traffic control profile: mpls-link, Index: 9175
Shaping rate: 150000000
Scheduler map: MAIN-SCHD
[The output of the class-of-service interface check that followed, a table of object names with Type (dscp, fixed) and Index columns, was garbled in extraction and is not reproduced.]

Per-queue statistics from show interfaces queue, reconstructed from the garbled
extraction. The interface names of the two outputs and the per-second rate columns
did not survive; the queue-to-class mapping is the one configured in the
forwarding-classes step. Counter pairs are packets / bytes.

First output (the Queue 0 packet and byte counters fell on an unrecovered page; its
RED-dropped breakdown is all 0):

Queue  Forwarding class  Queued                      Transmitted                 Tail-dropped  RED-dropped packets (Low/Med-low/Med-high/High)  RED-dropped bytes (Low/Med-low/Med-high/High)
1      Scavenger         0 / 0                       0 / 0                       0             0 (0/0/0/0)                                     0 (0/0/0/0)
2      Bulk_Data         0 / 0                       0 / 0                       0             0 (0/0/0/0)                                     0 (0/0/0/0)
3      Critical_Data     2894391697 / 677657237045   2894391697 / 677657237045   0             0 (0/0/0/0)                                     0 (0/0/0/0)
4      Video             0 / 0                       0 / 0                       0             0 (0/0/0/0)                                     0 (0/0/0/0)
5      Voice             0 / 0                       0 / 0                       0             0 (0/0/0/0)                                     0 (0/0/0/0)
6      Network_Control   0 / 0                       0 / 0                       0             0 (0/0/0/0)                                     0 (0/0/0/0)

(Queue 3 was the only queue carrying traffic when the command ran: 13 pps / 7328 bps queued and transmitted.)

Second output:

Queue  Forwarding class  Queued                        Transmitted                   Tail-dropped  RED-dropped packets (Low/Med-low/Med-high/High)  RED-dropped bytes (Low/Med-low/Med-high/High)
0      Best_Effort       0 / 0                         0 / 0                         0             0 (0/0/0/0)                                     0 (0/0/0/0)
1      Scavenger         0 / 0                         0 / 0                         0             0 (0/0/0/0)                                     0 (0/0/0/0)
2      Bulk_Data         0 / 0                         0 / 0                         0             0 (0/0/0/0)                                     0 (0/0/0/0)
3      Critical_Data     6494596421 / 2285209268544    6494593911 / 2285208582928    44            2466 (0/791/0/1675)                             673360 (0/284760/0/388600)
4      Video             4730799976 / 2308630388288    4730799976 / 2308630388288    0             0 (0/0/0/0)                                     0 (0/0/0/0)
5      Voice             6622098422 / 688746154296     6622063870 / 688738081792     1820          32732 (32732/0/0/0)                             7731928 (7731928/0/0/0)
6      Network_Control   2703086633 / 627116098856     2703086633 / 627116098856     0             0 (0/0/0/0)                                     0 (0/0/0/0)
Configuring the EBGP Routing for the WAN Transport at Aggregation Hub 2 on page 485
1.
2.
Results
WAN transport interface at Aggregation Hub 2 (show interfaces terse; the interface, admin and link cells were lost in extraction):
Proto         Local                           Remote
inet          172.31.254.38/30
inet6         fe80::2e21:72ff:feb2:45ce/64
              2001:DB8:254:2::2/64
multiservice
Configuring the EBGP Routing for the WAN Transport at Aggregation Hub 2
Step-by-Step Procedure
Configure EBGP groups for peering between the WAN aggregation role at the hub and
Layer 3 VPN Service Provider B.
The policies have already been configured in the Aggregation Hub 1 base configuration.
1.
2.
1.
2.
Apply the traffic control profile, the classifiers, and the rewrite rules to the WAN
transport interface. The classifiers and rewrite rules are configured in the aggregation
hub base configuration.
[edit]
edit class-of-service interfaces ge-4/2/2
set output-traffic-control-profile TO-MPLS-VPN2
set unit 0 classifiers dscp DSCP-BA
set unit 0 classifiers dscp-ipv6 DSCP-BA
set unit 0 rewrite-rules dscp DEF_DSCP_REWRITE
set unit 0 rewrite-rules dscp-ipv6 DEF_DSCP_REWRITE
1.
Configuring EBGP Peering on the WAN Transport on Branch Router 2 on page 494
Configuring OSPF Routing for the LAN Transport on Branch Router 2 on page 501
Configure the LAN Transport to Branch Router 1 on Branch Router 2 on page 502
Configuring VRRP for High Availability of Dual Routers on Branch Router 2 on page 510
1.
Create a set of prefix lists that are used in firewall filters that are set up for Routing
Engine protection. These prefix lists specify trusted IP subnets and addresses for
different types of traffic. Traffic received from these addresses is allowed
through the firewall filters used for Routing Engine protection.
[edit]
edit policy-options
set prefix-list trusted-bgp-peers 172.16.4.0/24
set prefix-list trusted-networks 10.0.0.0/8
set prefix-list trusted-networks 172.16.0.0/12
set prefix-list trusted-networks 192.168.0.0/16
set prefix-list NMS 10.0.0.0/8
set prefix-list NMS 172.16.0.0/12
set prefix-list NMS 192.168.0.0/16
2.
3.
Create a firewall filter used for Routing Engine protection. The filter is used to prevent
small packet attacks, fragment attacks, and denial of service (DoS) attacks from
specific protocols such as ICMP, BGP, OSPF, SNMP, UDP, and TCP. The filter accepts
traffic only from trusted sources, and it discards all other traffic. The filter also
includes a policer that applies rate limits to the traffic that is accepted by the filter.
a. Create the firewall filter, and specify that counters defined in the filter are
interface specific.
[edit]
edit firewall family inet filter RE-PROTECT
set interface-specific
b. Create a term for BGP traffic.
[edit]
edit firewall family inet filter RE-PROTECT
set term bgp-in from source-prefix-list trusted-bgp-peers
set term bgp-in from protocol tcp
set term bgp-in from port bgp
set term bgp-in then policer limit-150k
set term bgp-in then count bgp-in
set term bgp-in then accept
c. Create a term that accepts traffic from trusted PIM neighbors.
[edit]
edit firewall family inet filter RE-PROTECT
set term pim from source-prefix-list trusted-networks
set term pim from protocol pim
set term pim then policer limit-150k
set term pim then count pim
set term pim then accept
d. Create a term that accepts OSPF traffic from trusted OSPF neighbors.
[edit]
edit firewall family inet filter RE-PROTECT
set term ospf-in from source-prefix-list trusted-networks
set term ospf-in from protocol ospf
set term ospf-in then policer limit-150k
set term ospf-in then count ospf-in
set term ospf-in then accept
e. Create a term that accepts BFD traffic from trusted neighbors.
[edit]
edit firewall family inet filter RE-PROTECT
set term bfd from source-prefix-list trusted-networks
set term bfd from protocol udp
set term bfd from source-port 49152-65535
set term bfd from destination-port 3784-3785
set term bfd then count accept-bfd
set term bfd then accept
f.
g. Create a term for ICMP traffic, which includes IPv4 error messages.
[edit]
edit firewall family inet filter RE-PROTECT
set term icmp-in from source-prefix-list trusted-networks
set term icmp-in from protocol icmp
set term icmp-in then policer limit-150k
set term icmp-in then count icmp-in
set term icmp-in then accept
h. Create a term for VRRP traffic.
[edit]
edit firewall family inet filter RE-PROTECT
set term vrrp from source-prefix-list trusted-networks
set term vrrp from protocol vrrp
set term vrrp then policer limit-150k
set term vrrp then count vrrp
set term vrrp then accept
i.
Create a term that controls SSH, FTP, and Telnet access to the router.
[edit]
edit firewall family inet filter RE-PROTECT
set term access-in from source-prefix-list NMS
set term access-in from protocol tcp
set term access-in from port ssh
set term access-in from port ftp
set term access-in from port ftp-data
set term access-in from port telnet
set term access-in then count access-in
set term access-in then accept
j.
Create a term that accepts TACACS traffic over TCP from trusted network
management systems.
[edit]
edit firewall family inet filter RE-PROTECT
set term remote-auth-tcp from source-prefix-list NMS
set term remote-auth-tcp from protocol tcp
set term remote-auth-tcp from port tacacs
set term remote-auth-tcp then count tacacs
set term remote-auth-tcp then accept
k. Create a term that accepts RADIUS authentication and accounting traffic over UDP
from trusted network management systems.
[edit]
edit firewall family inet filter RE-PROTECT
set term remote-auth-udp from source-prefix-list NMS
set term remote-auth-udp from protocol udp
set term remote-auth-udp from port radius
set term remote-auth-udp from port radacct
set term remote-auth-udp then count radius
set term remote-auth-udp then accept
l.
m. Create a term for incoming traffic with a source and destination loopback address.
[edit]
edit firewall family inet filter RE-PROTECT
set term loopback-in from source-address 127.0.0.1/32
set term loopback-in from destination-address 127.0.0.1/32
set term loopback-in then count loopback-in
set term loopback-in then accept
n. Configure a term that prevents small packet attacks.
[edit]
edit firewall family inet filter RE-PROTECT
set term small-packets from packet-length 0-24
set term small-packets then count small-packet-attack
set term small-packets then log
set term small-packets then discard
o. Configure a term that prevents fragment attacks.
[edit]
edit firewall family inet filter RE-PROTECT
set term fragment-packets from fragment-offset-except 0
set term fragment-packets from protocol icmp
set term fragment-packets from protocol igmp
set term fragment-packets from protocol pim
set term fragment-packets from protocol tcp
set term fragment-packets then count frag-attack
set term fragment-packets then log
set term fragment-packets then discard
p. Configure a term that explicitly discards all other traffic.
[edit]
edit firewall family inet filter RE-PROTECT
set term deny-all then count illegal-traffic-in
set term deny-all then log
set term deny-all then discard
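The following Python is an added example, not code from the guide or from Juniper: it evaluates the RE-PROTECT terms above in configured order over constructed packets, so the effect of the term order and the prefix lists can be checked before the filter is applied to the loopback interface. The port numbers behind the Junos keywords are the IANA assignments, the sample addresses are constructed, the BFD source-port range is modelled as the RFC 5881 range 49152-65535, and the policer and log actions as well as the two terms (f and l) whose text is missing from this page are left out.

```python
"""Added example (not Juniper code): first-match evaluation of the RE-PROTECT
filter terms from the steps above, run over constructed packets."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PREFIX_LISTS = {
    "trusted-bgp-peers": ("172.16.4.0/24",),
    "trusted-networks": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "NMS": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
}
# IANA port numbers behind the Junos keywords used in the filter.
PORT = {"bgp": 179, "ssh": 22, "ftp": 21, "ftp-data": 20, "telnet": 23,
        "tacacs": 49, "radius": 1812, "radacct": 1813}


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str         # tcp | udp | icmp | ospf | pim | vrrp | igmp
    sport: int = 0
    dport: int = 0
    length: int = 64      # IP total length in bytes
    frag_offset: int = 0  # non-zero for non-initial fragments


@dataclass
class Term:
    name: str
    source_prefix_list: Optional[str] = None
    protocols: Tuple[str, ...] = ()            # repeated 'from protocol': any-of
    ports: Tuple[int, ...] = ()                # 'from port': source or destination
    source_ports: Optional[range] = None
    destination_ports: Optional[range] = None
    source_address: Optional[str] = None
    destination_address: Optional[str] = None
    packet_length: Optional[range] = None
    fragment_offset_except: Optional[int] = None
    counter: Optional[str] = None
    action: str = "accept"                     # accept | discard

    def matches(self, p: Packet) -> bool:
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        if self.source_prefix_list and not any(
                src in ipaddress.ip_network(n) for n in PREFIX_LISTS[self.source_prefix_list]):
            return False
        if self.protocols and p.protocol not in self.protocols:
            return False
        if self.ports and p.sport not in self.ports and p.dport not in self.ports:
            return False
        if self.source_ports is not None and p.sport not in self.source_ports:
            return False
        if self.destination_ports is not None and p.dport not in self.destination_ports:
            return False
        if self.source_address and src not in ipaddress.ip_network(self.source_address):
            return False
        if self.destination_address and dst not in ipaddress.ip_network(self.destination_address):
            return False
        if self.packet_length is not None and p.length not in self.packet_length:
            return False
        if self.fragment_offset_except is not None and p.frag_offset == self.fragment_offset_except:
            return False
        return True


# Terms in configured order (policer and log actions omitted from the model).
RE_PROTECT = [
    Term("bgp-in", source_prefix_list="trusted-bgp-peers", protocols=("tcp",),
         ports=(PORT["bgp"],), counter="bgp-in"),
    Term("pim", source_prefix_list="trusted-networks", protocols=("pim",), counter="pim"),
    Term("ospf-in", source_prefix_list="trusted-networks", protocols=("ospf",), counter="ospf-in"),
    Term("bfd", source_prefix_list="trusted-networks", protocols=("udp",),
         source_ports=range(49152, 65536), destination_ports=range(3784, 3786),
         counter="accept-bfd"),
    Term("icmp-in", source_prefix_list="trusted-networks", protocols=("icmp",), counter="icmp-in"),
    Term("vrrp", source_prefix_list="trusted-networks", protocols=("vrrp",), counter="vrrp"),
    Term("access-in", source_prefix_list="NMS", protocols=("tcp",),
         ports=tuple(PORT[n] for n in ("ssh", "ftp", "ftp-data", "telnet")), counter="access-in"),
    Term("remote-auth-tcp", source_prefix_list="NMS", protocols=("tcp",),
         ports=(PORT["tacacs"],), counter="tacacs"),
    Term("remote-auth-udp", source_prefix_list="NMS", protocols=("udp",),
         ports=(PORT["radius"], PORT["radacct"]), counter="radius"),
    Term("loopback-in", source_address="127.0.0.1/32", destination_address="127.0.0.1/32",
         counter="loopback-in"),
    Term("small-packets", packet_length=range(0, 25), counter="small-packet-attack", action="discard"),
    Term("fragment-packets", fragment_offset_except=0, protocols=("icmp", "igmp", "pim", "tcp"),
         counter="frag-attack", action="discard"),
    Term("deny-all", counter="illegal-traffic-in", action="discard"),
]


def apply_filter(p: Packet, counters: Optional[Dict[str, int]] = None) -> Tuple[str, str]:
    """Return (term, action) of the first matching term and bump its counter."""
    for t in RE_PROTECT:
        if t.matches(p):
            if counters is not None and t.counter:
                counters[t.counter] = counters.get(t.counter, 0) + 1
            return t.name, t.action
    raise AssertionError("unreachable: deny-all matches every packet")


# Constructed sample traffic toward the router's loopback address 172.16.4.254.
SAMPLE = {
    "bgp from the PE":          Packet("172.16.4.1", "172.16.4.2", "tcp", sport=179, dport=51234),
    "bgp from another subnet":  Packet("10.1.1.1", "172.16.4.254", "tcp", sport=40000, dport=179),
    "ssh from the NMS range":   Packet("192.168.1.10", "172.16.4.254", "tcp", sport=40000, dport=22),
    "ssh from the Internet":    Packet("203.0.113.5", "172.16.4.254", "tcp", sport=40000, dport=22),
    "24-byte packet":           Packet("203.0.113.5", "172.16.4.254", "tcp", sport=40000, dport=80, length=24),
    "tcp fragment":             Packet("10.1.1.1", "172.16.4.254", "tcp", sport=40000, dport=80, length=1400, frag_offset=185),
    "icmp fragment, trusted":   Packet("10.1.1.1", "172.16.4.254", "icmp", length=1400, frag_offset=185),
    "bfd from branch router 2": Packet("172.16.4.34", "172.16.4.33", "udp", sport=50000, dport=3784),
}


def run_samples() -> Tuple[Dict[str, Tuple[str, str]], Dict[str, int]]:
    """Evaluate every sample and return the decisions with the resulting counters."""
    counters: Dict[str, int] = {}
    return {name: apply_filter(p, counters) for name, p in SAMPLE.items()}, counters
```

Because evaluation stops at the first matching term, the small-packets and fragment-packets terms only see traffic that no earlier term accepted: the fragmented ICMP sample from a trusted source is accepted by icmp-in before fragment-packets is reached. If fragments and undersized packets are to be discarded regardless of source, those two terms belong ahead of the accept terms.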
4.
5.
Results
[Firewall filter counters for RE-PROTECT (show firewall): the packet counts 0, 0, 20449, 0, 0, 10040, 0, 0, 83565, 19652, 0, 0, 0, 0, 0, 1429061, followed by a second block of eight counters all at 0, survived extraction but their counter names did not.]
1.
[edit]
edit routing-options
set router-id 172.16.4.254
1.
2.
Results
Local
Remote
172.16.4.6/30
fe80::5e5e:abff:fe0d:d919/64
2001:DB8:4:2::2/64
multiservice
2.
Configure a policy that is used to control IPv4 routes that are advertised to the
aggregation hub.
This policy prevents the default static route from being advertised and allows OSPF
and direct routes to be advertised.
[edit]
edit policy-options policy-statement BRANCH-PREFIX
set term block-default from route-filter 0.0.0.0/0 exact
set term block-default then reject
set term branch from protocol ospf
set term branch from protocol direct
set term branch then accept
set term default then reject
3.
Configure a policy that is used to control IPv6 routes that are advertised to the
aggregation hub. This policy prevents the default static route from being advertised
and allows OSPF and direct routes to be advertised.
[edit]
edit policy-options policy-statement BRANCH-PREFIX6
set term block-default from family inet6
set term block-default from route-filter ::/0 exact
set term block-default then reject
set term branch from family inet6
set term branch from protocol ospf3
set term branch from protocol direct
set term branch then accept
set term default then reject
4.
Create an IPv4 EBGP group between the branch router and the Layer 3 VPN service
provider.
This BGP peer group uses the default local preference value of 100, so routes learned
through Aggregation Hub 2 are less preferred than routes learned through Aggregation
Hub 1, which carry a local preference value of 200.
The BRANCH-PREFIX export policy controls default route advertisement to the
hub. It prevents default routes learned by another protocol from being advertised
to the hub.
[edit]
edit protocols bgp group EBGP_AS_556
set type external
set export BRANCH-PREFIX
set peer-as 556
set neighbor 172.16.4.5 family inet unicast
Create an IPv6 EBGP group between the branch router and the Layer 3 VPN service
provider.
This BGP peer group uses the default local preference value of 100, so routes learned
through Aggregation Hub 2 are less preferred than routes learned through Aggregation
Hub 1, which carry a local preference value of 200.
The BRANCH-PREFIX6 export policy controls default route advertisement to the
hub. It prevents default routes learned by another protocol from being advertised
to the hub, and causes the loopback address of the branch router to be advertised
to the hub as the next hop.
[edit]
edit protocols bgp group EBGP_AS_556-V6
set type external
set family inet6 unicast
set export BRANCH-PREFIX6
set peer-as 556
set neighbor fec0:16:4:2::1 authentication-key "$9$WC9XNb4aU.PQs2PQFnpu8X7"
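To see what BRANCH-PREFIX and BRANCH-PREFIX6 actually let through, and how the two local preference values decide which hub carries traffic, here is an added Python model; it is not Juniper code or anything from the guide. It assumes the IPv4 policy is exported on a session carrying only inet unicast and the IPv6 policy on one carrying only inet6 unicast, so each policy only ever sees routes of its own family; the sample routing table and the AS-path lengths are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str       # "10.4.1.0/24", "::/0", ...
    protocol: str     # "static", "direct", "ospf", "ospf3", "bgp"


def _family(route: Route) -> str:
    return "inet6" if ip_network(route.prefix).version == 6 else "inet"


def branch_prefix(route: Route, family: str) -> str:
    """BRANCH-PREFIX (family 'inet') or BRANCH-PREFIX6 (family 'inet6'), term by term."""
    default = "0.0.0.0/0" if family == "inet" else "::/0"
    igp = "ospf" if family == "inet" else "ospf3"
    # Assumption: each policy is exported on a session carrying only its own family,
    # so routes of the other family are never candidates.
    if _family(route) != family:
        return "reject"
    # term block-default: route-filter <default> exact -> reject
    if ip_network(route.prefix) == ip_network(default):
        return "reject"
    # term branch: protocol ospf/ospf3 or direct -> accept
    if route.protocol in (igp, "direct"):
        return "accept"
    # term default: everything else (static, the hubs' own BGP routes, ...) -> reject
    return "reject"


def exported_to_hub(rib: List[Route], family: str) -> List[str]:
    """Prefixes the branch would announce to the provider-side EBGP peer."""
    return [r.prefix for r in rib if branch_prefix(r, family) == "accept"]


@dataclass(frozen=True)
class BgpPath:
    prefix: str
    via_hub: str              # "hub1" or "hub2"
    local_preference: int     # 200 via Aggregation Hub 1, default 100 via Aggregation Hub 2
    as_path_len: int


def best_path(paths: List[BgpPath]) -> Optional[BgpPath]:
    """Highest local preference wins, then shortest AS path (the first BGP tie-breakers)."""
    if not paths:
        return None
    return max(paths, key=lambda p: (p.local_preference, -p.as_path_len))


# Constructed routing table: a static default, IGP and direct routes, and a route learned from the hubs.
SAMPLE_RIB = [
    Route("0.0.0.0/0", "static"),
    Route("10.4.1.0/24", "ospf"),
    Route("172.16.4.8/29", "direct"),
    Route("10.0.0.0/8", "bgp"),
    Route("::/0", "static"),
    Route("2001:db8:4:100::/64", "ospf3"),
    Route("2001:db8:4:43::/64", "direct"),
]

# Constructed: the same default route received through both hubs.
SAMPLE_PATHS = [
    BgpPath("0.0.0.0/0", "hub1", 200, 1),
    BgpPath("0.0.0.0/0", "hub2", 100, 1),
]

if __name__ == "__main__":
    print("IPv4 export:", exported_to_hub(SAMPLE_RIB, "inet"))
    print("IPv6 export:", exported_to_hub(SAMPLE_RIB, "inet6"))
    print("default route via", best_path(SAMPLE_PATHS).via_hub)
```

Because block-default is the first term, a default route is rejected whatever protocol it came from, which is the behaviour the text describes; the branch term then passes only IGP and directly connected prefixes, and the final reject keeps the hubs' own BGP routes from being re-advertised to the provider.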
6.
Results
1.
Verify EBGP peering with Layer 3 VPN Service Provider B (172.16.4.5). The address
172.16.4.254 is the loopback address on Branch router 1.
user@branch2> show bgp summary
Groups: 4 Peers: 4 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0                 2          1          0          0          0          0
inet6.0                2          1          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
172.16.4.5              556     197181     197792       0       2      6w0d6h 0/1/1/0              0/0/0/0
172.16.4.254          64514      83669      83664       0      36      3w5d6h 1/1/1/0              0/0/0/0
2001:DB8:4::254       64514      85943      85933       0      25      3w5d6h Establ
  inet6.0: 1/1/1/0
2001:DB8:4:2::1         556     197173     197928       0       1      7w6d2h Establ
  inet6.0: 0/1/1/0
2. Verify the default static routes to Layer 3 VPN Service Provider A and B.
The route to Layer 3 VPN Service Provider A via ge-1/2/4.1 on Branch router 1 is active,
and it has a local preference of 200, which makes it preferred over the route to Service
Provider B, which has a local preference of 100.
user@branch2> show route 0.0.0.0
inet.0: 22 destinations, 23 routes (22 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0
There are three interfaces to the branch LAN: one for data, one for video, and one for
voice.
1.
2.
3.
Results
Interface       Admin Link Proto         Local                          Remote
ge-1/3/0.43                 inet         172.16.4.9/29
                                         172.16.4.10/29
                            inet6        fe80::5e5e:ab00:2b0d:d918/64
                                         2001:DB8:4:43::2/64
                            multiservice
ge-1/3/0.53     up    up    inet         172.16.4.17/29
                                         172.16.4.18/29
                            inet6        fe80::5e5e:ab00:350d:d918/64
                                         2001:DB8:4:53::2/64
                            multiservice
ge-1/3/0.63     up    up    inet         172.16.4.25/29
                                         172.16.4.26/29
                            inet6        fe80::5e5e:ab00:3f0d:d918/64
                                         2001:DB8:4:63::2/64
                            multiservice
1.
Create an IPv4 area for the branch, and add the branch LAN interfaces to the area.
[edit]
edit protocols ospf area 0.0.0.1
set interface ge-1/3/0.43
set interface ge-1/3/0.53
set interface ge-1/3/0.63
2.
Create an IPv6 area for the branch, and add the branch LAN interfaces to the area.
[edit]
edit protocols ospf3 area 0.0.0.1
set interface ge-1/3/0.43
set interface ge-1/3/0.53
set interface ge-1/3/0.63
3.
Results
OSPF neighbors (the Address and Interface columns were not recovered):
ID               State    Pri   Dead
172.16.4.12      Full       0     30
172.16.4.255     Full     128     37
172.16.4.20      Full       0     30
172.16.4.255     Full     128     32
172.16.4.28      Full       0     30
172.16.4.255     Full     128     31
Second neighbor table (only the Pri and Dead columns were recovered):
Pri   Dead
  0     35
128     35
  0     35
128     34
  0     35
128     31
2.
3.
4.
commit
Results
1.
Interface         Admin Link Proto         Local                          Remote
ge-1/2/4.1                    inet         172.16.4.34/30
                              inet6        fe80::5e5e:ab00:10d:d904/64
                                           2001:DB8:4:3::2/64
                              multiservice
ge-1/2/4.2        up    up    inet         172.16.4.38/30
                              inet6        fe80::5e5e:ab00:20d:d904/64
                                           2001:DB8:4:33::2/64
                              multiservice
ge-1/2/4.32767    up    up    multiservice
1.
Configure the backbone area for IPv4. Add the loopback and unit 1 of the Ethernet
interface that connects to Branch router 1 to the area.
[edit]
edit protocols ospf area 0.0.0.0
set interface lo0.1
set interface ge-1/2/4.1
2.
Add the unit 2 of the Ethernet interface that connects to Branch router 1 to Area 1.
[edit]
edit protocols ospf area 0.0.0.1
set interface ge-1/2/4.2
3.
Configure the backbone area for IPv6. Add the loopback and Ethernet interfaces
that connect to Branch router 1 to the area.
[edit]
edit protocols ospf3 area 0.0.0.0
set interface lo0.1
set interface ge-1/2/4.1
4.
Add unit 2 of the Ethernet interface that connects to Branch router 1 to OSPFv3
Area 1.
[edit]
edit protocols ospf3 area 0.0.0.1
set interface ge-1/2/4.2
Results
Verify that OSPF and OSPFv3 are running between the branch routers.
user@branch2> show ospf neighbor
Address          Interface              State     ID               Pri   Dead
172.16.4.33      ge-1/2/4.1             Full      172.16.4.255     128     37
172.16.4.37      ge-1/2/4.2             Full      172.16.4.255     128     31
. . .
(Pri/Dead values left over from rows that were not recovered: 30 128 33 30)

OSPFv3 neighbors (the command line and the first rows were not recovered; Pri/Dead
values left over from those rows: 128 38, 128 39):
ID               Interface              State     Pri   Dead
  Neighbor-address fe80::200:1eff:fefe:73
172.16.4.255     ge-1/3/0.53            Full      128     34
  Neighbor-address fe80::5e5e:ab00:350d:d900
172.16.4.28      ge-1/3/0.63            Full              30
  Neighbor-address fe80::200:1eff:fefe:75
172.16.4.255     ge-1/3/0.63            Full      128     36
  Neighbor-address fe80::5e5e:ab00:3f0d:d900
1.
Create a next-hop self policy for IPv4 traffic, which causes the loopback address
of the branch router to be advertised as the next-hop address.
[edit]
edit policy-options policy-statement NHS
set then next-hop self
2.
Create a next-hop self policy for IPv6 traffic, which causes the loopback address
of the branch router to be advertised as the next-hop address.
[edit]
edit policy-options policy-statement NHS6
set term 1 from family inet6
set term 1 from protocol bgp
set term 1 then next-hop self
set term 1 then accept
3.
Configure an IBGP group for IPv4 traffic. Add Branch router 2 as a neighbor, and use
the address of lo0.1 as the local address.
[edit]
edit protocols bgp group To-BR1
set type internal
set export NHS
set neighbor 172.16.4.254 local-address 172.16.4.255
set neighbor 172.16.4.254 family inet unicast
4.
Configure an IBGP group for IPv6 traffic. Add Branch router 2 as a neighbor, and use
the address of lo0.1 as the local address.
[edit]
edit protocols bgp group To-BR1-V6
set type internal
set local-address fec0:16:4::255
set family inet6 unicast
set export NHS6
set neighbor 2001:DB8:4::254
5.
Results
1.
(The OutQ column and two of the Flaps values were not recovered.)
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
172.16.4.5              556     197223     197833                    6w0d7h 0/1/1/0              0/0/0/0
172.16.4.254          64514      83710      83705              36    3w5d6h 1/1/1/0              0/0/0/0
2001:DB8:4::254       64514      85985      85974              25    3w5d6h Establ
  inet6.0: 1/1/1/0
2001:DB8:4:2::1         556     197214     197970                    7w6d2h Establ
  inet6.0: 0/1/1/0
Set the router's priority for being elected master of the VRRP group. A larger value
indicates a higher priority for being elected.
The branch LAN on Branch router 1 has a priority of 200, and the branch LAN on Branch
router 2 has a priority of 100.
Enable the master router to accept all packets destined for the virtual IP address.
1.
Configure a VRRP group for IPv4 and IPv6 for the data interface to the branch LAN.
[edit]
edit interfaces ge-1/3/0 unit 43 family inet address 172.16.4.10/29
set vrrp-group 10 virtual-address 172.16.4.9
set vrrp-group 10 priority 100
set vrrp-group 10 preempt
set vrrp-group 10 accept-data
[edit]
edit interfaces ge-1/3/0 unit 43 family inet6 address 2001:DB8:4:43::2/64
set vrrp-inet6-group 10 virtual-inet6-address 2001:DB8:4:43::1
set vrrp-inet6-group 10 priority 100
set vrrp-inet6-group 10 preempt
set vrrp-inet6-group 10 accept-data
2.
Configure a VRRP group for IPv4 and IPv6 for the video interface to the branch LAN.
[edit]
edit interfaces ge-1/3/0 unit 53 family inet address 172.16.4.18/29
set vrrp-group 20 virtual-address 172.16.4.17
set vrrp-group 20 priority 100
set vrrp-group 20 preempt
set vrrp-group 20 accept-data
[edit]
edit interfaces ge-1/3/0 unit 53 family inet6 address 2001:DB8:4:53::2/64
set vrrp-inet6-group 20 virtual-inet6-address 2001:DB8:4:53::1
set vrrp-inet6-group 20 priority 100
set vrrp-inet6-group 20 preempt
set vrrp-inet6-group 20 accept-data
3.
Configure a VRRP group for IPv4 and IPv6 for the voice interface to the branch LAN.
[edit]
edit interfaces ge-1/3/0 unit 63 family inet address 172.16.4.26/29
set vrrp-group 30 virtual-address 172.16.4.25
set vrrp-group 30 priority 100
set vrrp-group 30 preempt
set vrrp-group 30 accept-data
[edit]
edit interfaces ge-1/3/0 unit 63 family inet6 address 2001:DB8:4:63::2/64
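The election behaviour these settings produce (priority, preempt, accept-data, and the master-down timer a backup counts down before taking over) can be walked through in the following added Python model; it is an example written for this page, not Junos code. The primary addresses (172.16.4.10 is on the page, 172.16.4.11 for Branch router 1 is an assumption), the 1-second advertisement interval and the failure sequence are constructed; the timer formula is the one from RFC 3768.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional


@dataclass
class VrrpRouter:
    name: str
    priority: int             # 200 on Branch router 1, 100 on Branch router 2 (from the guide)
    primary_ip: str           # tie-breaker when priorities are equal
    preempt: bool = True      # `preempt` on the page
    accept_data: bool = True  # `accept-data` on the page
    up: bool = True
    state: str = "backup"


def skew_time(priority: int) -> float:
    return (256 - priority) / 256.0


def master_down_interval(priority: int, advertise_interval: float = 1.0) -> float:
    """RFC 3768: how long a backup waits without advertisements before taking over."""
    return 3 * advertise_interval + skew_time(priority)


def elect(routers: List[VrrpRouter]) -> Optional[VrrpRouter]:
    """Re-run the election after an event and update every router's state."""
    current = next((r for r in routers if r.up and r.state == "master"), None)
    live = [r for r in routers if r.up]
    if not live:
        for r in routers:
            r.state = "backup"
        return None
    best = max(live, key=lambda r: (r.priority, int(ip_address(r.primary_ip))))
    # A higher-priority router that comes back only takes over if *it* has preempt enabled.
    winner = current if (current is not None and best is not current and not best.preempt) else best
    for r in routers:
        r.state = "master" if r is winner else "backup"
    return winner


def answers_vip(router: VrrpRouter) -> bool:
    """Whether this router itself answers packets sent to the virtual address (e.g. a ping)."""
    return router.state == "master" and router.accept_data


def failover_scenario(preempt: bool) -> List[str]:
    """Who is master: at start, after Branch router 1 fails, and after it returns."""
    br1 = VrrpRouter("branch1", 200, "172.16.4.11", preempt=preempt)  # address is an assumption
    br2 = VrrpRouter("branch2", 100, "172.16.4.10", preempt=preempt)  # 172.16.4.10/29 is on the page
    routers = [br1, br2]
    masters = [elect(routers).name]
    br1.up = False                       # Branch router 1 stops advertising
    masters.append(elect(routers).name)  # Branch router 2 takes over after its master-down interval
    br1.up = True                        # Branch router 1 returns
    masters.append(elect(routers).name)
    return masters


if __name__ == "__main__":
    print("preempt on :", failover_scenario(True))
    print("preempt off:", failover_scenario(False))
    for prio in (200, 100):
        print(f"priority {prio}: master-down interval {master_down_interval(prio):.3f} s")
```

With preempt enabled on both routers, as the page configures it, Branch router 1 reclaims the master role as soon as it is back; without preempt the lower-priority router would keep it. The skew term also shows why the priority-100 router waits slightly longer (3.609 s) than a priority-200 router would (3.219 s) before declaring the master dead. Without accept-data the master forwards traffic for the virtual address but does not itself respond to packets addressed to it, which is why the page enables it.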
Results
up
10
backup
Active
Timer
Type
0.586 lcl
vip
D 3.464 lcl
vip
A
Address
172.16.4.10
172.16.4.9
2001:DB8:4:43::2
fe80::200:5eff:fe00:20a
fe80::5e5e:ab00:2b0d:d900
ge-1/3/0.53
up
20
master
Active
ge-1/3/0.53
Active
up
20
backup
vip
mas
2001:DB8:4:43::1
0.205 lcl
vip
3.537 lcl
vip
172.16.4.18
172.16.4.17
2001:DB8:4:53::2
vip
mas
2001:DB8:4:53::1
0.658 lcl
vip
2.955 lcl
vip
172.16.4.26
172.16.4.25
2001:DB8:4:63::2
vip
mas
2001:DB8:4:63::1
fe80::200:5eff:fe00:214
fe80::5e5e:ab00:350d:d900
ge-1/3/0.63
up
30
master
Active
ge-1/3/0.63
Active
up
30
backup
fe80::200:5eff:fe00:21e
fe80::5e5e:ab00:3f0d:d900
1.
Configure multicast.
a. Specify the static rendezvous point at Aggregation Hub 1.
[edit]
edit protocols pim
set rp static address 172.31.255.15
b. Configure multicast on the branch LAN interfaces and on the interface to Branch
router 2.
Assign a priority of 10000 on the branch LAN to give the branch LAN on Branch
router 1 priority over this branch.
[edit]
edit protocols pim
set interface ge-1/3/1.0 mode sparse
set interface ge-1/3/1.0 version 2
set interface ge-1/3/0.43 mode sparse
set interface ge-1/3/0.43 priority 10000
set interface ge-1/3/0.43 version 2
set interface ge-1/2/4.1 mode sparse
set interface ge-1/2/4.1 version 2
set interface ge-1/2/4.2 mode sparse
set interface ge-1/2/4.2 version 2
Results
1.
Verify that IGMP groups are formed with the branch LAN.
user@branch2> show igmp group
Interface: ge-1/3/0.43, Groups: 31
    Group: 224.0.0.2
        Source: 0.0.0.0
        Last reported by: 172.16.4.11
        Timeout:     153 Type: Dynamic
    Group: 224.0.0.5
        Source: 0.0.0.0
        Last reported by: 172.16.4.11
        Timeout:     151 Type: Dynamic
    . . .
Interface: local, Groups: 6
    Group: 224.0.0.2
        Source: 0.0.0.0
        Last reported by: Local
        Timeout:       0 Type: Dynamic
    Group: 224.0.0.5
        Source: 0.0.0.0
        Last reported by: Local
        Timeout:       0 Type: Dynamic
    Group: 224.0.0.6
        Source: 0.0.0.0
        Last reported by: Local
        Timeout:       0 Type: Dynamic
    Group: 224.0.0.13
        Source: 0.0.0.0
neighbor. The interface to Branch router 1 is the upstream neighbor in this case because,
as long as the WAN transport on Branch router 1 is up, all traffic flows on that transport.
user@branch2> show pim join
Instance: PIM.master Family: INET
R = Rendezvous Point Tree, S = Sparse, W = Wildcard
Group: 235.4.1.1
Source: *
RP: 172.31.255.15
Flags: sparse,rptree,wildcard
Upstream interface: ge-1/2/4.1
Group: 235.4.1.2
Source: *
RP: 172.31.255.15
Flags: sparse,rptree,wildcard
Upstream interface: ge-1/2/4.1
. . .
Group: 235.4.1.25
Source: *
RP: 172.31.255.15
Flags: sparse,rptree,wildcard
Upstream interface: ge-1/2/4.1
Instance: PIM.master Family: INET6
R = Rendezvous Point Tree, S = Sparse, W = Wildcard
3. Verify multicast on the branch LAN interfaces, the interface to Branch router 2, and
Option    Uptime
HPLGT     3w5d7h
HPLGT     3w5d7h
HPLGT     3w5d7h
HPLGT     6w0d7h
HPLGT     3w5d7h
HPLGT     3w5d7h
HPLGT     3w5d7h
HPLGT     7w6d3h
Neighbor addr (only the IPv4 entries were recovered): 172.16.4.33, 172.16.4.37, 172.16.4.11, 172.16.4.5
4. Verify that groups are established with upstream interfaces to the Layer 3 VPN service
rendezvous point. The interface to Branch router 1 is used because, as long as the WAN
transport on Branch router 1 is up, all traffic flows on that transport.
user@branch2> show multicast rpf 172.31.255.15
Multicast RPF table: inet.0 , 192 entries
0.0.0.0/0
Protocol: BGP
Interface: ge-1/2/4.1
1.
Configure classifiers.
a. Configure DSCP behavior aggregate (BA) classifiers for IPv4.
[edit]
edit class-of-service classifiers dscp DSCP-BA
set forwarding-class Best_Effort loss-priority medium-high code-points be
set forwarding-class Video loss-priority low code-points af41
set forwarding-class Video loss-priority low code-points af42
set forwarding-class Voice loss-priority low code-points ef
set forwarding-class Network_Control loss-priority low code-points cs7
set forwarding-class Network_Control loss-priority low code-points cs6
set forwarding-class Scavenger loss-priority high code-points cs1
set forwarding-class Bulk_Data loss-priority medium-high code-points af11
set forwarding-class Bulk_Data loss-priority medium-high code-points af12
set forwarding-class Critical_Data loss-priority medium-low code-points af21
set forwarding-class Critical_Data loss-priority medium-low code-points af22
b. Configure DSCP BA classifiers for IPv6.
[edit]
edit class-of-service classifiers dscp-ipv6 DSCP-BA
set forwarding-class Best_Effort loss-priority high code-points be
set forwarding-class Video loss-priority low code-points af41
set forwarding-class Video loss-priority low code-points af42
set forwarding-class Voice loss-priority low code-points ef
set forwarding-class Network_Control loss-priority low code-points cs6
set forwarding-class Network_Control loss-priority low code-points cs7
set forwarding-class Scavenger loss-priority low code-points cs1
set forwarding-class Bulk_Data loss-priority high code-points af11
set forwarding-class Bulk_Data loss-priority high code-points af12
set forwarding-class Critical_Data loss-priority low code-points af21
set forwarding-class Critical_Data loss-priority low code-points af22
c. Assign the forwarding classes to transmission queues.
[edit]
edit class-of-service forwarding-classes
set queue 0 Best_Effort
set queue 1 Scavenger
set queue 2 Bulk_Data
set queue 3 Critical_Data
set queue 4 Video
set queue 5 Voice
set queue 6 Network_Control
2.
[edit]
edit class-of-service rewrite-rules dscp Rewrite_CORE_TRAFFIC
set forwarding-class Best_Effort loss-priority medium-high code-point be
set forwarding-class Bulk_Data loss-priority medium-high code-point af11
set forwarding-class Scavenger loss-priority high code-point cs1
[edit]
edit class-of-service rewrite-rules dscp-ipv6 Rewrite_CORE_TRAFFIC
set forwarding-class Best_Effort loss-priority medium-high code-point be
set forwarding-class Bulk_Data loss-priority medium-high code-point af11
set forwarding-class Scavenger loss-priority high code-point cs1
set forwarding-class Critical_Data loss-priority medium-low code-point af21
set forwarding-class Video loss-priority low code-point af41
set forwarding-class Voice loss-priority low code-point ef
set forwarding-class Network_Control loss-priority low code-point cs7
c. Configure a DSCP rewrite rule for voice traffic. This rule sets the code-point bit
patterns for the Voice forwarding class and is applied to the branch LAN interface.
[edit]
edit class-of-service rewrite-rules dscp voice-ef
set forwarding-class Voice loss-priority low code-point 101110
d. Configure a rewrite rule for video traffic. This rule sets the code-point bit patterns
for the Video forwarding class and is applied to the branch LAN interface.
[edit]
edit class-of-service rewrite-rules dscp video-af
set forwarding-class Video loss-priority low code-point 100010
3.
[edit]
edit class-of-service schedulers SCH_Best_Effort
set transmit-rate remainder
set buffer-size remainder
set priority medium-low
b. Create a scheduler for the Scavenger forwarding class.
[edit]
edit class-of-service schedulers SCH_Scavenger
set transmit-rate percent 3
set buffer-size percent 10
set priority low
c. Create a scheduler for the Bulk_Data forwarding class.
[edit]
edit class-of-service schedulers SCH_Bulk_Data
set transmit-rate percent 20
set buffer-size percent 15
set priority medium-low
d. Create a scheduler for the Critical_Data forwarding class.
[edit]
edit class-of-service schedulers SCH_Critical_Data
set transmit-rate percent 15
set transmit-rate exact
set buffer-size percent 15
set priority medium-high
e. Create a scheduler for the Video forwarding class.
[edit]
edit class-of-service schedulers SCH_Video
set transmit-rate percent 20
set transmit-rate exact
set buffer-size percent 10
set priority high
f.
[edit]
edit class-of-service schedulers SCH_Network_Control
set transmit-rate percent 5
set transmit-rate exact
set buffer-size percent 3
5.
Create a traffic control profile for use on the WAN transport to the Layer 3 VPN
service provider.
The 150 MB shaper rate is the service purchased from the service provider.
[edit]
edit class-of-service traffic-control-profiles mpls-link
set scheduler-map MAIN-SCHD
set shaping-rate 150m
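The classifier in step 1, the rewrite rules in step 2, the schedulers in step 3 and the 150m shaper in step 5 fit together as follows. This Python model is an added example, not Junos code or configuration from the guide: it assumes the standard DSCP values behind the Junos code-point aliases, treats code points the classifier does not list as Best_Effort/low, models the IPv4 classifier only, and takes the Voice scheduler's 5 percent from the show output printed later in this chapter, since the Voice scheduler step itself is not in this excerpt.

```python
from typing import Dict, Tuple

# Standard DSCP values (RFC 2474/2597/3246) behind the Junos code-point aliases on the page.
DSCP: Dict[str, int] = {
    "be": 0, "cs1": 8, "af11": 10, "af12": 12, "af21": 18, "af22": 20,
    "af41": 34, "af42": 36, "ef": 46, "cs6": 48, "cs7": 56,
}

# DSCP-BA classifier for IPv4 as the page configures it: alias -> (class, loss priority).
CLASSIFIER_IPV4: Dict[str, Tuple[str, str]] = {
    "be": ("Best_Effort", "medium-high"),
    "af41": ("Video", "low"), "af42": ("Video", "low"),
    "ef": ("Voice", "low"),
    "cs7": ("Network_Control", "low"), "cs6": ("Network_Control", "low"),
    "cs1": ("Scavenger", "high"),
    "af11": ("Bulk_Data", "medium-high"), "af12": ("Bulk_Data", "medium-high"),
    "af21": ("Critical_Data", "medium-low"), "af22": ("Critical_Data", "medium-low"),
}

# forwarding-classes: queue assignment from step 1c.
QUEUE_OF: Dict[str, int] = {
    "Best_Effort": 0, "Scavenger": 1, "Bulk_Data": 2, "Critical_Data": 3,
    "Video": 4, "Voice": 5, "Network_Control": 6,
}

# Scheduler transmit-rate percentages from step 3. The Voice scheduler is not in this
# excerpt; its 5 percent is taken from the chapter's later show output (assumption).
TRANSMIT_PERCENT: Dict[str, int] = {
    "Scavenger": 3, "Bulk_Data": 20, "Critical_Data": 15, "Video": 20,
    "Voice": 5, "Network_Control": 5,
}
SHAPING_RATE_BPS = 150_000_000   # shaping-rate 150m on the mpls-link profile

# Rewrite rules voice-ef and video-af: the six-bit patterns the page writes on egress.
REWRITE_BITS = {"Voice": "101110", "Video": "100010"}


def dscp_of(tos_byte: int) -> int:
    """DSCP is the upper six bits of the IPv4 TOS / IPv6 traffic-class byte."""
    return (tos_byte >> 2) & 0x3F


def classify(dscp: int) -> Tuple[str, str, int]:
    """Map a DSCP value to (forwarding class, loss priority, output queue)."""
    for alias, (fc, plp) in CLASSIFIER_IPV4.items():
        if DSCP[alias] == dscp:
            return fc, plp, QUEUE_OF[fc]
    # Code points the classifier does not list: treated as Best_Effort/low here
    # (an assumption; the page does not state what it expects for them).
    return "Best_Effort", "low", 0


def rewritten_dscp(fc: str, dscp: int) -> int:
    """Apply the page's egress rewrite rules; classes without a rule keep their DSCP."""
    return int(REWRITE_BITS[fc], 2) if fc in REWRITE_BITS else dscp


def queue_bandwidth_bps(shaping_rate: int = SHAPING_RATE_BPS) -> Dict[int, int]:
    """Guaranteed rate per queue under the shaper; Best_Effort takes the remainder."""
    out = {QUEUE_OF[fc]: shaping_rate * pct // 100 for fc, pct in TRANSMIT_PERCENT.items()}
    out[QUEUE_OF["Best_Effort"]] = shaping_rate - sum(out.values())
    return dict(sorted(out.items()))


if __name__ == "__main__":
    for tos in (0xB8, 0x88, 0x20, 0x10):   # ef, af41, cs1, and an unlisted code point
        d = dscp_of(tos)
        fc, plp, q = classify(d)
        print(f"TOS 0x{tos:02x} dscp {d:2d} -> {fc:16s} plp={plp:11s} "
              f"queue={q} egress dscp={rewritten_dscp(fc, d)}")
    for q, bps in queue_bandwidth_bps().items():
        print(f"queue {q}: {bps:>11,d} bps")
```

Two things fall out of running it. The rewrite bit patterns on the page are exactly ef (101110 = 46) and af41 (100010 = 34), so video-af also normalises af42-marked video to af41 on the way out. And the per-queue rates under a 150m shaper (4500000, 30000000, 22500000, 30000000, 7500000 and 7500000 bps) are the figures that appear in the bps column of the show interfaces extensive output later in this chapter, where the Best_Effort remainder is shown as r rather than as a number.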
6.
7.
Results
1.
Check that the traffic control profile is running on the WAN transport.
user@branch2> show class-of-service traffic-control-profile
Traffic control profile: mpls-link, Index: 9175
  Shaping rate: 150000000
  Scheduler map: MAIN-SCHD
Scheduler-map listing (only the Index and Type columns were recovered): Index 51863, 9, 13; Index 961, 9; Type fixed; Index 4; Type fixed; Index 5

Queue statistics on the WAN transport, first output (queue 0 survives only as the tail of its drop
counters, all 0; the per-second rate columns were not recovered except where noted):
Queue: 1, Forwarding classes: Scavenger
  Queued:      Packets: 0             Bytes: 0
  Transmitted: Packets: 0             Bytes: 0
  Tail-dropped packets: 0
  RED-dropped packets: 0  (Low 0, Medium-low 0, Medium-high 0, High 0)
  RED-dropped bytes:   0  (Low 0, Medium-low 0, Medium-high 0, High 0)
Queue: 2, Forwarding classes: Bulk_Data
  Queued:      Packets: 0             Bytes: 0
  Transmitted: Packets: 0             Bytes: 0
  Tail-dropped packets: 0; RED-dropped packets: 0; RED-dropped bytes: 0 (all loss priorities 0)
Queue: 3, Forwarding classes: Critical_Data
  Queued:      Packets: 450445710     Bytes: 104986805549
  Transmitted: Packets: 450445710     Bytes: 104986805549
  Tail-dropped packets: 0; RED-dropped packets: 0; RED-dropped bytes: 0 (all loss priorities 0)
  Rates recovered for this queue: 3 pps, 1952 bps
Queue: 4, Forwarding classes: Video
  Queued:      Packets: 70201         Bytes: 26777140
  Transmitted: Packets: 70201         Bytes: 26777140
  Tail-dropped packets: 0; RED-dropped packets: 0; RED-dropped bytes: 0 (all loss priorities 0)
Queue: 5, Forwarding classes: Voice
  Queued:      Packets: 130598        Bytes: 51073312
  Transmitted: Packets: 130598        Bytes: 51073312
  Tail-dropped packets: 0; RED-dropped packets: 0; RED-dropped bytes: 0 (all loss priorities 0)
Queue: 6, Forwarding classes: Network_Control
  Queued:      Packets: 0             Bytes: 0
  Transmitted: Packets: 0             Bytes: 0
  Tail-dropped packets: 0; RED-dropped packets: 0; RED-dropped bytes: 0 (all loss priorities 0)

Queue statistics, second output (queues 0 to 2 were not recovered; the queued and transmitted
rates recovered for queues 3 to 6 are all 0 pps / 0 bps):
Queue: 3, Forwarding classes: Critical_Data
  Queued:      Packets: 553967993     Bytes: 151465615630
  Transmitted: Packets: 553967993     Bytes: 151465615630
  Tail-dropped packets: 0; RED-dropped packets: 0; RED-dropped bytes: 0 (all loss priorities 0)
Queue: 4, Forwarding classes: Video
  Queued:      Packets: 139506722     Bytes: 68079269619
  Transmitted: Packets: 139506722     Bytes: 68079269619
  Tail-dropped packets: 0; RED-dropped packets: 0; RED-dropped bytes: 0 (all loss priorities 0)
Queue: 5, Forwarding classes: Voice
  Queued:      Packets: 196139623     Bytes: 20398535207
  Transmitted: Packets: 196139623     Bytes: 20398535207
  Tail-dropped packets: 0; RED-dropped packets: 0; RED-dropped bytes: 0 (all loss priorities 0)
Queue: 6, Forwarding classes: Network_Control
  Queued:      Packets: 79830140      Bytes: 18520592480
  Transmitted: Packets: 79830140      Bytes: 18520592480
  Tail-dropped packets: 0; RED-dropped packets: 0; RED-dropped bytes: 0 (all loss priorities 0)
Chapter 13: Connecting a Large Branch to Dual-Homed Aggregation Hubs over Layer 3 VPN
Verification
Verifying End-to-End Data Traffic
Purpose
Verify that traffic is travelling end-to-end on the WAN transport on Branch router 1.
Action
Extensive interface statistics for the WAN transport (the command line and the first part of
the output were not recovered; the logical interface shown is ge-1/2/1.0):
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 Best_Effort          43757323702          43757206977               116725
    1 Scavenger
    2 Bulk_Data             6790394937           6790394937
    3 Critical_Dat          6526853292           6526850782                 2510
    4 Video                 4753810645           4753810645
    5 Voice                 6654143223           6654108671                34552
    6 Network_Cont          2716159704           2716159704
  Queue number:         Mapped forwarding classes
    0                   Best_Effort
    1                   Scavenger
    2                   Bulk_Data
    3                   Critical_Data
    4                   Video
    5                   Voice
    6                   Network_Control
  Active alarms  : None
  Active defects : None
  MAC statistics:                      Receive          Transmit
    Total octets                20974200739886    25183170196916
    Total packets                  55972501000       71198507985
    Unicast packets                48442275104       71198257847
    Broadcast packets                      965              1008
    Multicast packets               7530224933            249128
    CRC/Align errors                         0                 0
    FIFO errors                              0                 0
    MAC control frames                       0                 0
    MAC pause frames                         0                 0
    Oversized frames                         0
    Jabber frames                            0
    Fragment frames                          0
    VLAN tagged frames                       0
    Code violations                          0
    Total errors                             0                 0
  Filter statistics:
    Input packet count             55972528002
    Input packet rejects                     0
    Input DA rejects                         0
    Input SA rejects                         0
    Output packet count            71198534989
    Output packet pad count                  0
    Output packet error count                0
    CAM destination filters: 0, CAM source filters: 0
  Autonegotiation information:
    Negotiation status: Complete
    Link partner:
        Link mode: Full-duplex, Flow control: Symmetric/Asymmetric, Remote fault: OK
    Local resolution:
        Flow control: Symmetric, Remote fault: Link OK
  Packet Forwarding Engine configuration:
    Destination slot: 1
  CoS information:
    Direction : Output
    CoS transmit queue               Bandwidth               Buffer Priority   Limit
                              %            bps     %           usec
    0 Best_Effort             r              r     r              0 medium-low   none
    1 Scavenger               3        4500000    10              0 low          none
    2 Bulk_Data              20       30000000    15              0 medium-high  none
    3 Critical_Data          15       22500000    15              0 high         exact
    4 Video                  20       30000000    10              0 high         exact
    5 Voice                   5        7500000                    0 strict-high  none
    6 Network_Control         5        7500000                      high         exact
  Interface transmit statistics: Disabled

  Logical interface ge-1/2/1.0 (Index 353) (SNMP ifIndex 1577) (Generation 163)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Statistics account overhead:
      Ingress account overhead : 18 bytes
      Egress account overhead  : 18 bytes
    Traffic statistics:
      Input  bytes  :       20954721074096
      Output bytes  :       25162506188842
      Input  packets:          55972511208
      Output packets:          71198523194
    IPv6 transit statistics:
      Input  bytes  :         330503818296
      Output bytes  :         330813258096
      Input  packets:           1412409266
      Output packets:           1413731784
    Local statistics:
      Input  bytes  :             53064549
      Output bytes  :             96692626
      Input  packets:               666365
      Output packets:               772064
    Transit statistics:
      Input  bytes  :       20954668009547                  688 bps
      Output bytes  :       25162409496216                    0 bps
      Input  packets:          55971844843                    1 pps
      Output packets:          71197751130                    0 pps
    IPv6 transit statistics:
      Input  bytes  :         330503818296
      Output bytes  :         330813258096
      Input  packets:           1412409266
      Output packets:           1413731784
    Protocol inet, MTU: 1500, Generation: 216, Route table: 0
      Flags: Sendbcast-pkt-to-re, User-MTU
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 172.16.4.0/30, Local: 172.16.4.2, Broadcast: 172.16.4.3, Generation: 396
    Protocol inet6, MTU: 1500, Generation: 217, Route table: 0
      Flags: Is-Primary
      Addresses, Flags: Is-Preferred
        Destination: fe80::/64, Local: fe80::5e5e:abff:fe0d:d901, Generation: 284
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 2001:DB8:4:1::/64, Local: 2001:DB8:4:1::2, Generation: 286
    Protocol multiservice, MTU: Unlimited, Generation: 218, Route table: 0
      Flags: Is-Primary
      Policer: Input: __default_arp_policer__
Verifying Reachability
Purpose
Verify reachability and traffic paths to the loopback interface of the data center router,
the loopback interface of a router in a different branch, and an IP address in the service
provider network that is publicly routable.
Action
1.
Display the default IPv4 routing tables on each branch to verify reachability throughout
the network.
user@branch1> show route table inet.0
inet.0: 197 destinations, 197 routes (197 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0
10.4.1.0/24
10.4.2.0/24
10.4.3.0/24
10.4.4.0/24
10.4.5.0/24
10.4.6.0/24
10.4.7.0/24
10.4.8.0/24
                   *[OSPF/150] 18:11:48,
                    > to 172.16.4.12 via
                   *[OSPF/150] 18:11:48,
                    > to 172.16.4.12 via
                   *[OSPF/150] 18:11:48,
                    > to 172.16.4.12 via
                   *[OSPF/150] 18:11:48,
                    > to 172.16.4.12 via
(the four OSPF route entries above belong to four of the 10.4.x.0/24 destinations; the
route detail for the remaining destinations was not recovered)
. . .
10.4.247.0/24
10.4.248.0/24
10.4.249.0/24
10.4.250.0/24
10.4.251.0/24
10.4.252.0/24
10.4.253.0/24
10.4.254.0/24
10.4.255.0/24
172.16.4.4/30
172.16.4.6/32
172.16.4.8/29
172.16.4.9/32
172.16.4.10/32
172.16.4.16/29
172.16.4.17/32
172.16.4.18/32
172.16.4.24/29
172.16.4.25/32
172.16.4.26/32
172.16.4.32/30
172.16.4.34/32
172.16.4.36/30
172.16.4.38/32
172.16.4.254/32
172.16.4.255/32
224.0.0.2/32
224.0.0.5/32
224.0.0.13/32
224.0.0.22/32
provider network.
user@branch1> traceroute 100.65.4.2
traceroute to 189.1.4.2 (189.1.4.2), 30 hops max, 40 byte packets
 1  172.16.4.1 (172.16.4.1)  0.684 ms  0.550 ms  0.445 ms    # L3VPN ISP A
 2  172.31.254.33 (172.31.254.33)  1.278 ms  0.545 ms  0.535 ms    # ISP A
 3  172.31.254.34 (172.31.254.34)  0.521 ms  0.524 ms  0.468 ms    # WAN aggr 1
 4  172.31.254.9 (172.31.254.9)  0.479 ms  0.520 ms  0.481 ms    # Int edge 1
 5  * * *    # Expected because traceroute is blocked by SFW on Internet Edge
 6  * * *
Chapter 13: Connecting a Large Branch to Dual-Homed Aggregation Hubs over Layer 3 VPN
Action
Verify that a failure of the Branch router 1 physical WAN transport to Aggregation Hub 1
causes all traffic to be rerouted through Branch router 2 to Aggregation Hub 2 with minimal
traffic loss.
1.
Log in to Branch router 1 as the root user, and enter the following command to take
down the physical WAN transport.
root@branch1% ifconfig ge-1/2/1 down
2. On Branch router 1, verify that the active default route is to ISP B over the interface to
Branch router 2.
user@branch1> show route 0.0.0.0
inet.0: 196 destinations, 196 routes (196 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0
3. On Branch router 2, verify EBGP peering with the Layer 3 VPN ISP B (172.16.4.5) and
5. Verify traffic counters and queue statistics on Branch router 2 after failure.
user@branch2> show interfaces ge-1/3/1 extensive
Multicast packets
5742972
2378
CRC/Align errors
0
0
FIFO errors
0
0
MAC control frames
0
0
MAC pause frames
0
0
Oversized frames
0
Jabber frames
0
Fragment frames
0
VLAN tagged frames
0
Code violations
0
Total errors
0
0
Filter statistics:
Input packet count
27331751
Input packet rejects
815
Input DA rejects
0
Input SA rejects
0
Output packet count
38532479
Output packet pad count
0
Output packet error count
0
CAM destination filters: 0, CAM source filters: 0
Autonegotiation information:
Negotiation status: Complete
Link partner:
Link mode: Full-duplex, Flow control: Symmetric/Asymmetric, Remote
fault: OK
Local resolution:
Flow control: Symmetric, Remote fault: Link OK
Packet Forwarding Engine configuration:
Destination slot: 1
CoS information:
Direction : Output
CoS transmit queue
Bandwidth
Buffer Priority Limit
%
bps %
usec
0 Best_Effort
r
r r
0 medium-low none
1 Scavenger
3
4500000 10
0 low none
2 Bulk_Data
20
30000000 15
0 medium-high none
3 Critical_Data
15
22500000 15
0 high exact
4 Video
20
30000000 10
0 high exact
5 Voice
5
7500000 r
0 strict-high none
6 Network_Control
5
7500000 3
0 high exact
Interface transmit statistics: Disabled
Logical interface ge-1/3/1.0 (Index 349) (SNMP ifIndex 3000) (Generation
170)
Flags: SNMP-Traps 0x0 Encapsulation: ENET2
Statistics account overhead :
Ingress account overhead :
22 bytes
Egress account overhead
:
22 bytes
Traffic statistics:
Input bytes :
10942558763
Output bytes :
13795716347
Input packets:
27312207
Output packets:
38512293
IPv6 transit statistics:
Input bytes :
135016504
Output bytes :
135055908
Input packets:
576993
Output packets:
577162
Local statistics:
Input bytes :
525592
Output bytes :
693776
535
Enterprise WAN Aggregation and Internet Edge Design and Implementation Guide
Input packets:
6525
Output packets:
7019
Transit statistics:
Input bytes :
10942033171
125398040 bps
Output bytes :
13795022571
130224664 bps
Input packets:
27305682
39900 pps
Output packets:
38505274
45401 pps
IPv6 transit statistics:
Input bytes :
135016504
Output bytes :
135055908
Input packets:
576993
Output packets:
577162
Protocol inet, MTU: 1500, Generation: 237, Route table: 6
Flags: Sendbcast-pkt-to-re, Is-Primary, User-MTU
Addresses, Flags: Is-Preferred Is-Primary
Destination: 172.16.4.4/30, Local: 172.16.4.6, Broadcast: 172.16.4.7,
Generation: 398
Protocol inet6, MTU: 1500, Generation: 238, Route table: 6
Flags: Is-Primary
Addresses, Flags: Is-Preferred
Destination: fe80::/64, Local: fe80::5e5e:abff:fe0d:d919
Generation: 362
Addresses, Flags: Is-Preferred Is-Primary
Destination: 2001:DB8:4:2::/64, Local: 2001:DB8:4:2::2
Protocol multiservice, MTU: Unlimited, Generation: 364
Generation: 239, Route table: 6
Policer: Input: __default_arp_policer__
536
Chapter 13: Connecting a Large Branch to Dual-Homed Aggregation Hubs over Layer 3 VPN
6. Verify traffic counters and queue statistics on Branch router 2 after failure.
user@branch2> show interfaces queue ge-1/3/1
Physical interface: ge-1/3/1, Enabled, Physical link is Up
  Interface index: 159, SNMP ifIndex: 2147
  Description: --- To MPLS_VPN_PROVIDER2 link (magha ge-1/3/1) ---
Forwarding classes: 16 supported, 7 in use
Egress queues: 8 supported, 7 in use
Queue: 0, Forwarding classes: Best_Effort
  Queued:
    Packets              :              36093293                 41712 pps
    Bytes                :           12417782294             113860384 bps
  Transmitted:
    Packets              :              36093293                 41712 pps
    Bytes                :           12417782294             113860384 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 1, Forwarding classes: Scavenger
  Queued:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
  Transmitted:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 2, Forwarding classes: Bulk_Data
  Queued:
    Packets              :                786418                   396 pps
    Bytes                :             383771984               1545984 bps
  Transmitted:
    Packets              :                786418                   396 pps
    Bytes                :             383771984               1545984 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 3, Forwarding classes: Critical_Data
  Queued:
    Packets              :               2197283                  2203 pps
    Bytes                :             599916192               4455296 bps
  Transmitted:
    Packets              :               2197283                  2203 pps
    Bytes                :             599916192               4455296 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 4, Forwarding classes: Video
  Queued:
    Packets              :                559139                   701 pps
    Bytes                :             272859832               2739040 bps
  Transmitted:
    Packets              :                559139                   701 pps
    Bytes                :             272859832               2739040 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 5, Forwarding classes: Voice
  Queued:
    Packets              :                766606                   310 pps
    Bytes                :              79727024                258240 bps
  Transmitted:
    Packets              :                766606                   310 pps
    Bytes                :              79727024                258240 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 6, Forwarding classes: Network_Control
  Queued:
    Packets              :                314617                   158 pps
    Bytes                :              72991144                293984 bps
  Transmitted:
    Packets              :                314617                   158 pps
    Bytes                :              72991144                293984 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
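The queue counters in steps 5 and 6 are the evidence for the "minimal traffic loss" requirement of this test: after failover every queue on the surviving link should show zero tail drops and zero RED drops. The script below is an added example, not part of the guide, that parses output in the same layout as the show interfaces queue command above and reports any queue whose drop counters are non-zero. The sample text is constructed for the example; the Best_Effort figures copy the output above, and the Voice queue is given 26 tail drops so that the check has something to report.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of "show interfaces queue" above. The Best_Effort
# figures copy the verification output; the Voice queue is given 26 tail drops so
# that the drop check below has something to report.
SAMPLE_OUTPUT = """\
Physical interface: ge-1/3/1, Enabled, Physical link is Up
  Interface index: 159, SNMP ifIndex: 2147
Forwarding classes: 16 supported, 7 in use
Egress queues: 8 supported, 7 in use
Queue: 0, Forwarding classes: Best_Effort
  Queued:
    Packets              :              36093293                 41712 pps
    Bytes                :           12417782294             113860384 bps
  Transmitted:
    Packets              :              36093293                 41712 pps
    Bytes                :           12417782294             113860384 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
Queue: 5, Forwarding classes: Voice
  Queued:
    Packets              :                766606                   310 pps
    Bytes                :              79727024                258240 bps
  Transmitted:
    Packets              :                766580                   310 pps
    Bytes                :              79724320                258240 bps
    Tail-dropped packets :                    26                     0 pps
    RED-dropped packets  :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
"""

QUEUE_RE = re.compile(r"^Queue:\s*(\d+),\s*Forwarding classes:\s*(\S+)")
# "<name> : <total> <rate> pps|bps"; the name may contain spaces and hyphens.
COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)\s*:\s*(\d+)\s+(\d+)\s+(pps|bps)\s*$")


@dataclass
class QueueStats:
    number: int
    forwarding_class: str
    queued: dict = field(default_factory=dict)       # counter name -> (total, rate)
    transmitted: dict = field(default_factory=dict)


def parse_queue_output(text):
    """Parse the per-queue sections into QueueStats objects, in output order."""
    queues, current, section = [], None, None
    for line in text.splitlines():
        m = QUEUE_RE.match(line)
        if m:
            current = QueueStats(int(m.group(1)), m.group(2))
            queues.append(current)
            section = None
            continue
        if current is None:
            continue                       # physical-interface header lines
        if line.strip() == "Queued:":
            section = current.queued
            continue
        if line.strip() == "Transmitted:":
            section = current.transmitted
            continue
        m = COUNTER_RE.match(line)
        if m and section is not None:
            section[m.group(1).strip()] = (int(m.group(2)), int(m.group(3)))
    return queues


def drop_report(queues):
    """(queue, class, tail drops, RED drops) for every queue that dropped packets."""
    report = []
    for q in queues:
        tail = q.transmitted.get("Tail-dropped packets", (0, 0))[0]
        red = q.transmitted.get("RED-dropped packets", (0, 0))[0]
        if tail or red:
            report.append((q.number, q.forwarding_class, tail, red))
    return report


def transmit_ratio(q):
    """Share of queued packets actually transmitted; 1.0 means no loss in that queue."""
    queued = q.queued["Packets"][0]
    return q.transmitted["Packets"][0] / queued if queued else 1.0


if __name__ == "__main__":
    parsed = parse_queue_output(SAMPLE_OUTPUT)
    for q in parsed:
        print(f"queue {q.number} {q.forwarding_class}: transmit ratio {transmit_ratio(q):.6f}")
    print("drops:", drop_report(parsed))
```

Run it against output saved before and after the failover so that the drop counters can be compared; for the real output above, drop_report returns an empty list for all seven queues.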
7. Check the path taken by traffic to the data center after Branch router 1 primary link failure.
user@branch2> ping 172.31.255.8
PING 172.31.255.8 (172.31.255.8): 56 data bytes
64 bytes from 172.31.255.8: icmp_seq=0 ttl=59 time=0.821 ms
64 bytes from 172.31.255.8: icmp_seq=1 ttl=59 time=0.666 ms
64 bytes from 172.31.255.8: icmp_seq=2 ttl=59 time=0.732 ms
^C
--- 172.31.255.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.666/0.740/0.821/0.064 ms
user@branch2> traceroute 172.31.255.8
traceroute to 172.31.255.8 (172.31.255.8), 30 hops max, 40 byte packets
 1 172.16.4.34 (172.16.4.34) 0.546 ms 0.475 ms 0.377 ms # Branch Router 2
 2 172.16.4.5 (172.16.4.5) 0.437 ms 0.514 ms 0.510 ms # L3VPN ISPB PE 2
 3 * * *
 4 172.31.254.38 (172.31.254.38) 0.975 ms 8.610 ms 9.448 ms # WAN Aggregation Hub 2
 5 172.31.255.8 (172.31.255.8) 1.374 ms 0.704 ms 0.583 ms # Data Center
8. Check the Branch-to-Branch path taken by traffic after Branch router 1 primary link failure.
user@branch2> ping 172.16.1.254
PING 172.16.1.254 (172.16.1.254): 56 data bytes
64 bytes from 172.16.1.254: icmp_seq=0 ttl=58 time=2.796 ms
64 bytes from 172.16.1.254: icmp_seq=1 ttl=58 time=1.712 ms
64 bytes from 172.16.1.254: icmp_seq=2 ttl=58 time=2.323 ms
--- 172.16.1.254 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.712/2.277/2.796/0.444 ms
user@branch2> traceroute 172.16.1.254
traceroute to 172.16.1.254 (172.16.1.254), 30 hops max, 40 byte packets
 1 172.16.4.34 (172.16.4.34) 0.570 ms 0.464 ms 0.459 ms # Secondary Router
 2
 3
 4
 5
 6
 7
9. Check the Branch-to-Internet path taken by traffic after Branch router 1 primary link failure.
user@branch2> traceroute 100.65.4.2
traceroute to 100.65.4.2 (100.65.4.2), 30 hops max, 40 byte packets
 1 172.16.4.34 (172.16.4.34) 0.621 ms 0.453 ms 0.377 ms # Secondary Router
 2
 3
 4
 5
 6
 7
 8
Verify that groups are established with upstream interfaces to the Layer 3 VPN service
provider 2 (ge-1/3/1) and downstream interfaces to Branch router 1 (ge-1/2/4).
user@branch2> show multicast route extensive
Instance: master Family: INET
Group: 235.4.1.1
Source: 172.31.252.10/32
Upstream interface: ge-1/3/1.0
Downstream interface list:
ge-1/2/4.1
Session description: Unknown
Statistics: 127 kBps, 260 pps, 196361 packets
Next-hop ID: 1048581
Upstream protocol: PIM
Route state: Active
Forwarding state: Forwarding
Cache lifetime/timeout: 360 seconds
Wrong incoming interface notifications: 4278
Uptime: 00:12:36
Group: 235.4.1.2
Source: 172.31.252.10/32
Upstream interface: ge-1/3/1.0
Downstream interface list:
ge-1/2/4.1
Session description: Unknown
Statistics: 127 kBps, 260 pps, 196325 packets
Next-hop ID: 1048581
Upstream protocol: PIM
Route state: Active
Forwarding state: Forwarding
Cache lifetime/timeout: 360 seconds
Wrong incoming interface notifications: 4123
Uptime: 00:12:35
Group: 235.4.1.3
Source: 172.31.252.10/32
Upstream interface: ge-1/3/1.0
Downstream interface list:
ge-1/2/4.1
Session description: Unknown
Statistics: 127 kBps, 260 pps, 196318 packets
Next-hop ID: 1048581
Upstream protocol: PIM
Route state: Active
Forwarding state: Forwarding
Cache lifetime/timeout: 360 seconds
Wrong incoming interface notifications: 3405
Uptime: 00:12:35
Verifying This Scenario from the WAN Aggregation Router at Aggregation Hub 1
Purpose
Verify this scenario from the WAN aggregation router at Aggregation Hub 1.
Action
1. Verify that the link to the Layer 3 VPN service provider is up.
user@wanagghub1> show interfaces ge-1/2/5 terse
Interface               Admin Link Proto    Local                 Remote
ge-1/2/5                up    up
ge-1/2/5.0              up    up   inet     172.31.254.34/30
                                   inet6    fe80::5e5e:abff:fe0e:4205/64
                                            2001:DB8:254:1::2/64
                                   multiservice
user@wanagghub1> ping 172.31.254.33 rapid
provider.
user@wanagghub1> show route advertising-protocol bgp 172.31.254.33
inet.0: 30847 destinations, 57234 routes (30847 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 0.0.0.0/0               Self                 0                  I
CHAPTER 14
Connecting a Large Branch to Dual-Homed Aggregation Hubs over Layer 3 VPN with Internet Backup
Requirements
This example uses the following hardware and software components at the branch:
Two 10 Gigabit Ethernet LAN/WAN PICs with SFP PICs (10x 1GE (LAN) SFP)
1x G/E PIC
Overview
Branch router 1 is the primary router, and Branch router 2 is the secondary router. Virtual Router Redundancy Protocol (VRRP) is used to elect the primary and secondary router.
For high availability, there are dual routers at the branch that are dual-homed to the aggregation hubs over two separate carriers:
Branch router 1 is the primary router and connects to Aggregation Hub 1 over a Layer 3 VPN transport provided by Service Provider A.
Branch router 2 is the secondary router and connects to Aggregation Hub 2 over an Internet transport provided by Service Provider B.
Routing is designed so that routes from Branch router 1 to Aggregation Hub 1 are always preferred over routes from Branch router 2 to Aggregation Hub 2. The design also ensures that if the connection from Branch router 1 to the hub goes down, Branch router 2 receives the routing information that it needs to send traffic to the backup hub. BGP and OSPF are the routing protocols used in this design:
EBGP is used between the branch routers and the service providers.
OSPF is used for routing between the two branch routers and for routing on the branch LAN.
BGP exports routes to OSPF so that the backup router always has routing information.
The transport to Aggregation Hub 2 is the public Internet using GRE tunnels. For security, the GRE tunnels run over IPsec tunnels. IPsec provides a secure session, and GRE provides the IP multicast and multiprotocol capabilities.
All traffic sent from the branch to the hub uses the 0.0.0.0/0 route received over the Layer 3 VPN (primary path) or over the GRE-over-IPsec IBGP session (secondary path).
The branch router has three VLANs (data, voice, and video) configured toward the branch switch, and runs OSPF on them.
CoS scheduling and shaping is applied to both the Layer 3 VPN physical link and the GRE tunnels.
Chapter 14: Connecting a Large Branch to Dual-Homed Aggregation Hubs over Layer 3 VPN with Internet Backup
Topology
Figure 80: Test Lab Configuration Connecting Large Remote Branch with Primary Layer 3 VPN and Backup GRE over IPsec
Before you configure this scenario, configure the base configurations at Aggregation Hub 1 and Aggregation Hub 2. Then complete the following:
Configuration Overview
Configuring the WAN Aggregation Router at Aggregation Hub 1
To configure the router at Aggregation Hub 1, perform these tasks:
Configuring the WAN Transport on the WAN Aggregation Router at Aggregation Hub 1 on page 548
Configuring EBGP Routing for the WAN Transport on the WAN Aggregation Router at Aggregation Hub 1 on page 548
Applying CoS to the WAN Transport on the WAN Aggregation Router at Aggregation Hub 1 on page 549
Configuring Multicast on the WAN Aggregation Router at Aggregation Hub 1 on page 549
Configuring EBGP Routing for the WAN Transport on the WAN Aggregation Router at Aggregation Hub 1
Step-by-Step Procedure
Configure EBGP peering between the WAN aggregation router at the hub and Service Provider A.
The policies have already been configured in the Aggregation Hub 1 base configuration.
1.
CoS classifiers, rewrite rules, and schedulers are all configured in the hub base configuration.
1.
2. Apply the traffic control profile, classifiers, and rewrite rules to the WAN transport interface. The classifiers and rewrite rules are configured in the aggregation hub base configuration.
[edit]
edit class-of-service interfaces ge-1/2/5
set output-traffic-control-profile TO-L3VPN-VPN1
set unit 0 classifiers dscp DSCP-BA
set unit 0 classifiers dscp-ipv6 DSCP-BA
set unit 0 rewrite-rules dscp DEF_DSCP_REWRITE
set unit 0 rewrite-rules dscp-ipv6 DEF_DSCP_REWRITE
1. Add the interface to the Layer 3 VPN service provider to the multicast configuration at the hub.
[edit]
edit protocols pim interface ge-1/2/5.0
set mode sparse
set version 2
Configuring EBGP Routing on the WAN Transport on Branch Router 1 on page 558
Configuring OSPF Routing for the LAN Transport on Branch Router 1 on page 565
Configuring the LAN Transport to Branch Router 2 on Branch Router 1 on page 566
Configuring OSPF Routing Between Branch Routers on Branch Router 1 on page 570
Configuring VRRP for High Availability of Dual Routers on Branch Router 1 on page 573
1. Create a set of prefix lists that are used in firewall filters that are set up for Routing Engine protection. These prefix lists specify trusted IP subnets and addresses for different types of traffic. Traffic received from these addresses will be allowed through the firewall filters used for Routing Engine protection.
[edit]
edit policy-options
set prefix-list trusted-bgp-peers 172.16.3.0/24
set prefix-list trusted-networks 10.0.0.0/8
set prefix-list trusted-networks 172.16.0.0/12
set prefix-list trusted-networks 192.168.0.0/16
set prefix-list NMS 10.0.0.0/8
set prefix-list NMS 172.16.0.0/12
set prefix-list NMS 192.168.0.0/16
2.
3. Create a firewall filter used for Routing Engine protection. The filter is used to prevent small packet attacks, fragment attacks, and denial of service (DoS) attacks from specific protocols such as ICMP, BGP, OSPF, SNMP, UDP, and TCP. The filter accepts traffic only from trusted sources, and it discards all other traffic. The filter also includes a policer that applies rate limits to the traffic that is accepted by the filter.
a. Create the firewall filter, and specify that counters defined in the filter are interface specific.
[edit]
[edit]
edit firewall family inet filter RE-PROTECT
set term bgp-in from source-prefix-list trusted-bgp-peers
set term bgp-in from protocol tcp
set term bgp-in from port bgp
set term bgp-in then policer limit-150k
set term bgp-in then count bgp-in
set term bgp-in then accept
c. Create a term that accepts traffic from trusted PIM neighbors.
[edit]
edit firewall family inet filter RE-PROTECT
set term pim from source-prefix-list trusted-networks
set term pim from protocol pim
set term pim then policer limit-150k
set term pim then count pim
set term pim then accept
d. Create a term that accepts OSPF traffic from trusted OSPF neighbors.
[edit]
edit firewall family inet filter RE-PROTECT
set term ospf-in from source-prefix-list trusted-networks
set term ospf-in from protocol ospf
set term ospf-in then policer limit-150k
set term ospf-in then count ospf-in
set term ospf-in then accept
e. Create a term that accepts BFD traffic from trusted neighbors.
[edit]
edit firewall family inet filter RE-PROTECT
set term bfd from source-prefix-list trusted-networks
set term bfd from protocol udp
set term bfd from source-port 49152-65535
set term bfd from destination-port 3784-3785
set term bfd then count accept-bfd
set term bfd then accept
f.
g. Create a term for ICMP traffic, which includes IPv4 error messages.
[edit]
edit firewall family inet filter RE-PROTECT
set term icmp-in from source-prefix-list trusted-networks
set term icmp-in from protocol icmp
set term icmp-in then policer limit-150k
set term icmp-in then count icmp-in
set term icmp-in then accept
h. Create a term for VRRP traffic.
[edit]
edit firewall family inet filter RE-PROTECT
set term vrrp from source-prefix-list trusted-networks
set term vrrp from protocol vrrp
set term vrrp then policer limit-150k
set term vrrp then count vrrp
set term vrrp then accept
i. Create a term that controls SSH, FTP, and Telnet access to the router.
[edit]
edit firewall family inet filter RE-PROTECT
set term access-in from source-prefix-list NMS
set term access-in from protocol tcp
set term access-in from port ssh
set term access-in from port ftp
set term access-in from port ftp-data
set term access-in from port telnet
set term access-in then count access-in
set term access-in then accept
j. Create a term that accepts TACACS traffic (TCP) from trusted network management systems.
[edit]
edit firewall family inet filter RE-PROTECT
set term remote-auth-tcp from source-prefix-list NMS
set term remote-auth-tcp from protocol tcp
set term remote-auth-tcp from port tacacs
set term remote-auth-tcp then count tacacs
set term remote-auth-tcp then accept
k. Create a term that accepts RADIUS authentication and accounting traffic (UDP) from trusted network management systems.
[edit]
edit firewall family inet filter RE-PROTECT
set term remote-auth-udp from source-prefix-list NMS
set term remote-auth-udp from protocol udp
set term remote-auth-udp from port radius
set term remote-auth-udp from port radacct
set term remote-auth-udp then count radius
set term remote-auth-udp then accept
l.
m. Create a term for incoming traffic with a source and destination loopback address.
[edit]
edit firewall family inet filter RE-PROTECT
set term loopback-in from source-address 127.0.0.1/32
set term loopback-in from destination-address 127.0.0.1/32
set term loopback-in then count loopback-in
set term loopback-in then accept
n. Configure a term that prevents small packet attacks.
[edit]
edit firewall family inet filter RE-PROTECT
set term small-packets from packet-length 0-24
set term small-packets then count small-packet-attack
set term small-packets then log
set term small-packets then discard
o. Configure a term that prevents fragment attacks.
[edit]
edit firewall family inet filter RE-PROTECT
set term fragment-packets from fragment-offset-except 0
set term fragment-packets from protocol icmp
set term fragment-packets from protocol igmp
set term fragment-packets from protocol pim
set term fragment-packets from protocol tcp
set term fragment-packets then count frag-attack
set term fragment-packets then log
set term fragment-packets then discard
p. Configure a term that explicitly discards all other traffic.
[edit]
edit firewall family inet filter RE-PROTECT
set term deny-all then count illegal-traffic-in
set term deny-all then log
set term deny-all then discard
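The filter built in steps b through p is a first-match list, so the order of the terms is part of its meaning. The following Python model is an added example, not code from the guide: it encodes the prefix lists from step 1 and the terms as written above (Junos port names are resolved to their well-known numbers, and the BFD source-port range is the RFC 5881 range 49152-65535), then runs a constructed traffic mix through them and keeps the per-term counters the filter defines. The policer is not modelled, only match order and counting; the packet source addresses are constructed for the example, and the destination defaults to the branch loopback address 172.16.3.255 from the configuration.

```python
import ipaddress
from dataclasses import dataclass

# Prefix lists from step 1 of the branch configuration above.
PREFIX_LISTS = {
    "trusted-bgp-peers": ["172.16.3.0/24"],
    "trusted-networks": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "NMS": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}

# Junos port names used in the filter, resolved to their well-known numbers.
PORTS = {"bgp": 179, "ssh": 22, "ftp": 21, "ftp-data": 20, "telnet": 23,
         "tacacs": 49, "radius": 1812, "radacct": 1813}


@dataclass
class Packet:
    """A constructed packet as the Routing Engine filter would see it."""
    src: str
    dst: str = "172.16.3.255"   # branch router lo0 address from the configuration
    protocol: str = "tcp"       # tcp, udp, icmp, ospf, pim, vrrp, igmp
    sport: int = 0
    dport: int = 0
    length: int = 64            # IP packet length in bytes
    fragment_offset: int = 0


def from_list(pkt, name):
    """'from source-prefix-list NAME': source inside any listed prefix."""
    ip = ipaddress.ip_address(pkt.src)
    return any(ip in ipaddress.ip_network(p) for p in PREFIX_LISTS[name])


def trusted(pkt, prefix_list, proto):
    return from_list(pkt, prefix_list) and pkt.protocol == proto


def port(pkt, *names):
    """'from port X' matches either the source or the destination port."""
    nums = {PORTS[n] for n in names}
    return pkt.sport in nums or pkt.dport in nums


# Terms in the order steps b through p add them: (term, match, action, counter).
# Junos stops at the first matching term, so this order decides which counter fires.
TERMS = [
    ("bgp-in", lambda p: trusted(p, "trusted-bgp-peers", "tcp") and port(p, "bgp"), "accept", "bgp-in"),
    ("pim", lambda p: trusted(p, "trusted-networks", "pim"), "accept", "pim"),
    ("ospf-in", lambda p: trusted(p, "trusted-networks", "ospf"), "accept", "ospf-in"),
    ("bfd", lambda p: trusted(p, "trusted-networks", "udp")
     and 49152 <= p.sport <= 65535 and p.dport in (3784, 3785), "accept", "accept-bfd"),
    ("icmp-in", lambda p: trusted(p, "trusted-networks", "icmp"), "accept", "icmp-in"),
    ("vrrp", lambda p: trusted(p, "trusted-networks", "vrrp"), "accept", "vrrp"),
    ("access-in", lambda p: trusted(p, "NMS", "tcp")
     and port(p, "ssh", "ftp", "ftp-data", "telnet"), "accept", "access-in"),
    ("remote-auth-tcp", lambda p: trusted(p, "NMS", "tcp") and port(p, "tacacs"), "accept", "tacacs"),
    ("remote-auth-udp", lambda p: trusted(p, "NMS", "udp") and port(p, "radius", "radacct"), "accept", "radius"),
    ("loopback-in", lambda p: p.src == "127.0.0.1" and p.dst == "127.0.0.1", "accept", "loopback-in"),
    ("small-packets", lambda p: 0 <= p.length <= 24, "discard", "small-packet-attack"),
    ("fragment-packets", lambda p: p.fragment_offset != 0
     and p.protocol in ("icmp", "igmp", "pim", "tcp"), "discard", "frag-attack"),
    ("deny-all", lambda p: True, "discard", "illegal-traffic-in"),
]


def evaluate(pkt):
    """Return (term name, action) of the first term that matches the packet."""
    for name, match, action, _counter in TERMS:
        if match(pkt):
            return name, action
    raise AssertionError("deny-all matches everything; unreachable")


def run_filter(packets):
    """Apply the filter to a batch of packets and return the per-term counters."""
    counters = {counter: 0 for _, _, _, counter in TERMS}
    by_term = {name: counter for name, _, _, counter in TERMS}
    for pkt in packets:
        name, _action = evaluate(pkt)
        counters[by_term[name]] += 1
    return counters


# Constructed traffic mix: legitimate control-plane traffic plus what the filter should drop.
SAMPLE = [
    Packet(src="172.16.3.1", sport=45000, dport=179),                       # EBGP peer (ISP A PE)
    Packet(src="198.51.100.7", sport=45000, dport=179),                     # BGP from an untrusted source
    Packet(src="10.1.1.5", sport=52000, dport=22),                          # SSH from the NMS range
    Packet(src="198.51.100.7", sport=52000, dport=22),                      # SSH from outside
    Packet(src="10.1.1.5", protocol="udp", sport=50000, dport=3784),        # BFD control, trusted neighbor
    Packet(src="192.168.1.1", protocol="icmp"),                             # ICMP from a trusted network
    Packet(src="10.1.1.5", dport=80, fragment_offset=8),                    # non-initial TCP fragment
    Packet(src="10.1.1.5", protocol="udp", dport=9999, length=20),          # runt packet
]
```

The ordering is worth noticing: the small-packets and fragment-packets terms sit after the accept terms, so a runt or fragment that matches an accept term from a trusted source (a 20-byte packet from the BGP peer to port 179, for instance) is accepted and counted by that term, rate limited only by the term's policer, and never reaches the attack terms. Only traffic that fails every accept term is classified by small-packets, fragment-packets and deny-all.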
4.
5.
Results
Packets: 0 0 36444 2055 0 347 12708 82603 0 82705 15651 0 0 1922 0 545672 17
Packets: 0 0 0 0 0 0 0 0 0
1.
[edit]
edit routing-options
set router-id 172.16.3.255
1.
2.
Results
Verify that the physical transport to the Layer 3 VPN service provider is up:
user@branch1> show interfaces ge-1/2/5 terse
Interface               Admin Link Proto    Local                 Remote
ge-1/2/5                up    up
ge-1/2/5.0              up    up   inet     172.16.3.2/30
                                   inet6    fe80::5e5e:abff:fe0e:4505/64
                                            2001:DB8:3:1::2/64
                                   multiservice
  Auto-negotiation: Enabled, Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Current address: 5c:5e:ab:0e:45:05, Hardware address: 5c:5e:ab:0e:45:05
  Last flapped   : 2013-07-09 04:49:00 PDT (4w5d 07:07 ago)
  Input rate     : 59779088 bps (21998 pps)
  Output rate    : 85155096 bps (25769 pps)
  Active alarms  : None
  Active defects : None
  Interface transmit statistics: Disabled

  Logical interface ge-1/2/5.0 (Index 337) (SNMP ifIndex 587)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Statistics account overhead :
      Ingress account overhead : 18 bytes
      Egress account overhead  : 18 bytes
    Input packets : 47303379424
    Output packets: 58482773807
    Protocol inet, MTU: 1500
      Flags: Sendbcast-pkt-to-re, User-MTU
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 172.16.3.0/30, Local: 172.16.3.2, Broadcast: 172.16.3.3
    Protocol inet6, MTU: 1500
      Flags: Is-Primary
      Addresses, Flags: Is-Preferred
        Destination: fe80::/64, Local: fe80::5e5e:abff:fe0e:4505
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 2001:DB8:3:1::/64, Local: 2001:DB8:3:1::2
    Protocol multiservice, MTU: Unlimited
      Flags: Is-Primary
Configure EBGP peering between the branch router and Service Provider A.
1. Configure the autonomous system (AS) number for the router, and specify the number of times the AS can be in an AS path.
[edit]
edit routing-options
set autonomous-system 65530
set autonomous-system loops 2
2.
aggregation hub.
This policy prevents the default static route from being advertised and allows
OSPF and direct routes to be advertised.
[edit]
edit policy-options policy-statement BRANCH-PREFIX
set term block-default from route-filter 0.0.0.0/0 exact
set term block-default then reject
set term branch from protocol ospf
set term branch from protocol direct
set term branch then accept
set term default then reject
b. Configure a policy that is used to control IPv6 routes that are advertised to the
aggregation hub.
This policy prevents the default static route from being advertised and allows
OSPF and direct routes to be advertised.
[edit]
edit policy-options policy-statement BRANCH-PREFIX6
set term block-default from family inet6
set term block-default from route-filter ::/0 exact
set term block-default then reject
set term branch from family inet6
set term branch from protocol ospf3
set term branch from protocol direct
set term branch then accept
set term default then reject
c. Configure a policy that sets the local preference to 200 for the IPv4 default route
d. Configure a policy that sets the local preference to 200 for default static IPv6
Create an IPv4 EBGP group between the branch router and the Layer 3 VPN service
provider.
The SET_LOCAL_PREF import policy sets the local preference value for routes over
the Layer 3 VPN to 200. Routes from Branch router 2 use the default local route
preference value of 100, which gives routes on Branch router 1 a higher preference
over Branch router 2.
The BRANCH-PREFIX export policy controls default route advertisement to the
hub. It prevents default routes learned by another protocol from being advertised
to the hub.
[edit]
edit protocols bgp group EBGP_AS_555
set type external
set import SET_LOCAL_PREF
set export BRANCH-PREFIX
set peer-as 555
set local-as 64513
set neighbor 172.16.3.1 authentication-key "$9$SVDlv8-VsJGjTzRcylW8ZGD"
4.
Create an IPv6 EBGP group between the branch router and the Layer 3 VPN service provider.
The SET_LOCAL_PREF6 import policy sets the local preference value for routes over the Layer 3 VPN to 200. Routes from Branch router 2 use the default local route preference value of 100, which gives routes on Branch router 1 a higher preference over Branch router 2.
The BRANCH-PREFIX6 export policy controls default route advertisement to the hub. It prevents default routes learned by another protocol from being advertised to the hub, and causes the loopback address of the branch router to be advertised to the hub as the next hop.
[edit]
edit protocols bgp group EBGP_AS_555-V6
set type external
set import SET_LOCAL_PREF6
set export BRANCH-PREFIX6
set peer-as 555
set local-as 64513
set neighbor 2001:DB8:3:1::1 authentication-key "$9$w92oZHqP36CRh-bs2JZn69"
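How the two default routes compete once both sit in one BGP table, as an added example that is not the guide's code: it models the SET_LOCAL_PREF import policy (local preference 200 on routes from the Layer 3 VPN session) and the BGP decision process that picks the active route, then shows the selection with the primary session up and after it is withdrawn. The Layer 3 VPN next hop 172.16.3.1 and the peer AS 555 are from the configuration above; the backup route's next hop and peer ID are documentation-range placeholders, and its empty AS path is an assumption. The example assumes both candidates are present in a single router's table; in the guide the primary route is learned on Branch router 1 while the backup arrives over the GRE over IPsec IBGP session.

```python
from dataclasses import dataclass, replace
from functools import cmp_to_key


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    next_hop: str
    as_path: tuple           # AS numbers, left-most is the neighboring AS
    local_pref: int = 100    # Junos default when no policy sets it
    origin: str = "igp"      # igp < egp < incomplete
    med: int = 0
    ebgp: bool = True        # False for routes learned over IBGP
    peer_id: str = "0.0.0.0"
    label: str = ""          # free text for the example only


ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


def set_local_pref(route, value):
    """Model of the SET_LOCAL_PREF import policy: 'then local-preference VALUE'."""
    return replace(route, local_pref=value)


def ip_key(addr):
    return tuple(int(o) for o in addr.split("."))


def _compare(a, b):
    """Negative if a is preferred over b. Steps follow the BGP decision process
    (RFC 4271 section 9.1 with the usual tie-breakers), first difference wins."""
    if a.local_pref != b.local_pref:
        return b.local_pref - a.local_pref           # higher local preference wins
    if len(a.as_path) != len(b.as_path):
        return len(a.as_path) - len(b.as_path)       # shorter AS path wins
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return ORIGIN_RANK[a.origin] - ORIGIN_RANK[b.origin]
    if a.as_path[:1] == b.as_path[:1] and a.med != b.med:
        return a.med - b.med                         # MED only within one neighboring AS
    if a.ebgp != b.ebgp:
        return -1 if a.ebgp else 1                   # EBGP preferred over IBGP
    return (ip_key(a.peer_id) > ip_key(b.peer_id)) - (ip_key(a.peer_id) < ip_key(b.peer_id))


def best_path(routes):
    """Return the active route among candidates for the same prefix."""
    return sorted(routes, key=cmp_to_key(_compare))[0]


# Constructed candidates for the branch default route. 172.16.3.1 / AS 555 are from the
# configuration; 192.0.2.1 is a documentation-range placeholder for the IBGP peer.
L3VPN_DEFAULT = BgpRoute("0.0.0.0/0", next_hop="172.16.3.1", as_path=(555, 65000),
                         peer_id="172.16.3.1", label="Layer 3 VPN, ISP A")
BACKUP_DEFAULT = BgpRoute("0.0.0.0/0", next_hop="192.0.2.1", as_path=(),
                          ebgp=False, peer_id="192.0.2.1", label="GRE over IPsec IBGP to Hub 2")


def active_default(primary_up=True):
    """Active default with the import policy applied to the Layer 3 VPN route."""
    candidates = [BACKUP_DEFAULT]
    if primary_up:
        candidates.append(set_local_pref(L3VPN_DEFAULT, 200))
    return best_path(candidates)


if __name__ == "__main__":
    print("primary up  :", active_default(True).label)
    print("primary down:", active_default(False).label)
    print("no policy   :", best_path([L3VPN_DEFAULT, BACKUP_DEFAULT]).label)
```

The third line of the output is the reason the import policy exists: with both routes at the default local preference of 100, the decision process moves on to AS path length and the backup's shorter path would win, sending traffic over the Internet transport while the Layer 3 VPN is healthy.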
5.
Results
Verify EBGP peering with the Layer 3 VPN service provider (172.16.3.1). The interface that connects to the service provider is ge-1/2/5.0.
user@branch1> show bgp summary
Groups: 2 Peers: 2 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0                 1          1          0          0          0          0
inet6.0                1          1          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
172.16.3.1              555     119671     121612       0       8     4w5d8h 1/1/1/0              0/0/0/0
2001:DB8:3:1::1         555     119666     121549       0       8     4w5d8h Establ
  inet6.0: 1/1/1/0
user@branch1> show route 0.0.0.0
inet.0: 147 destinations, 147 routes (147 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0
There are three interfaces to the branch LAN: one for data, one for video, and one for
voice.
1.
2.
3.
4.
[edit]
edit interfaces ge-1/3/5 unit 62
set account-layer2-overhead ingress 22
set account-layer2-overhead egress 22
set description "--- VOICE VLAN 62 ---"
set vlan-id 62
set family inet address 172.16.3.27/29
set family inet6 address 2001:DB8:3:62::3/64
Results
Interface               Admin Link Proto    Local                 Remote
ge-1/3/5.42                        inet     172.16.3.9/29
                                            172.16.3.11/29
                                   inet6    fe80::200:5eff:fe00:20a/64
                                            fe80::5e5e:ab00:2a0e:451d/64
                                            2001:DB8:3:42::1/64
                                            2001:DB8:3:42::3/64
                                   multiservice
ge-1/3/5.52             up    up   inet     172.16.3.17/29
                                            172.16.3.19/29
                                   inet6    fe80::200:5eff:fe00:214/64
                                            fe80::5e5e:ab00:340e:451d/64
                                            2001:DB8:3:52::1/64
                                            2001:DB8:3:52::3/64
                                   multiservice
ge-1/3/5.62             up    up   inet     172.16.3.25/29
                                            172.16.3.27/29
                                   inet6    fe80::200:5eff:fe00:21e/64
                                            fe80::5e5e:ab00:3e0e:451d/64
                                            2001:DB8:3:62::1/64
                                            2001:DB8:3:62::3/64
                                   multiservice
ge-1/3/5.32767          up    up   multiservice
1. Create an IPv4 area for the branch, and add the branch LAN interfaces to the area.
[edit]
edit protocols ospf area 0.0.0.1
set interface ge-1/3/5.42 metric 100
set interface ge-1/3/5.52 metric 100
set interface ge-1/3/5.62 metric 100
2. Create an IPv6 area for the branch, and add the branch LAN interfaces to the area.
[edit]
edit protocols ospf3 area 0.0.0.1
set interface ge-1/3/5.42 metric 100
set interface ge-1/3/5.52 metric 100
set interface ge-1/3/5.62 metric 100
3.
Results
Neighbor table (only these columns survived extraction): six adjacencies in state Full, with addresses 172.16.3.12, 172.16.3.254, 172.16.3.20, 172.16.3.254, 172.16.3.28, and 172.16.3.254; Pri values of 0 and 128; Dead timers between 32 and 37.
Configure the interface for VLAN tagging, and specify a description for the interface.
[edit]
edit interfaces ge-1/2/1
set description "--- To BRANCH-ROUTER2 ge-0/0/2 ---"
set vlan-tagging
2.
3.
4.
[edit]
edit interfaces lo0 unit 0
set description "--- Default Routing instance ---"
set family inet address 172.16.3.255/32
set family inet6 address 2001:DB8:3::255/128
5.
Results
After you configure Branch router 2, verify that the LAN interfaces to Branch router 2 are
up.
user@branch1> show interfaces ge-1/2/1
Physical interface: ge-1/2/1, Enabled, Physical link is Up
  Interface index: 181, SNMP ifIndex: 539
  Description: --- B2B Connection to Secondary Branch Edge (ge-0/0/2) ---
  Link-level type: Ethernet, MTU: 1518, Speed: 1000mbps, BPDU Error: None,
  MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled,
  Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  CoS queues     : 8 supported, 8 maximum usable queues
  Current address: 5c:5e:ab:0e:45:01, Hardware address: 5c:5e:ab:0e:45:01
  Last flapped   : 2013-07-04 06:06:00 PDT (5w3d 08:03 ago)
  Input rate     : 0 bps (0 pps)
  Output rate    : 416 bps (0 pps)
  Active alarms  : None
  Active defects : None
  Interface transmit statistics: Disabled

  Logical interface ge-1/2/1.1 (Index 334) (SNMP ifIndex 626)
    Description: --- OSPF Area 0 vlan ---
    Flags: SNMP-Traps 0x0 VLAN-Tag [ 0x8100.1 ]  Encapsulation: ENET2
    Statistics account overhead :
      Ingress account overhead : 22 bytes
      Egress account overhead  : 22 bytes
    Input packets : 1595164
    Output packets: 2381597
    Protocol inet, MTU: 1500
      Flags: Sendbcast-pkt-to-re, User-MTU
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 172.16.3.32/30, Local: 172.16.3.34, Broadcast: 172.16.3.35
    Protocol inet6, MTU: 1500
      Addresses, Flags: Is-Preferred
        Destination: fe80::/64, Local: fe80::5e5e:ab00:10e:4501
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 2001:DB8:3:2::/64, Local: 2001:DB8:3:2::2
    Protocol multiservice, MTU: Unlimited

  Logical interface ge-1/2/1.2 (Index 335) (SNMP ifIndex 631)
    Description: --- OSPF Area 1 vlan ---
    Flags: SNMP-Traps 0x0 VLAN-Tag [ 0x8100.2 ]  Encapsulation: ENET2
    Statistics account overhead :
      Ingress account overhead : 22 bytes
      Egress account overhead  : 22 bytes
    Input packets : 1650355
    Output packets: 130075817
    Protocol inet, MTU: 1500
      Flags: Sendbcast-pkt-to-re, User-MTU
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 172.16.3.36/30, Local: 172.16.3.38, Broadcast: 172.16.3.39
    Protocol inet6, MTU: 1500
      Addresses, Flags: Is-Preferred
        Destination: fe80::/64, Local: fe80::5e5e:ab00:20e:4501
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 2001:DB8:3:22::/64, Local: 2001:DB8:3:22::2
    Protocol multiservice, MTU: Unlimited

  Logical interface ge-1/2/1.32767 (Index 336) (SNMP ifIndex 637)
    Flags: SNMP-Traps 0x0 VLAN-Tag [ 0x0000.0 ]  Encapsulation: ENET2
Chapter 14: Connecting a Large Branch to Dual-Homed Aggregation Hubs over Layer 3 VPN with Internet Backup
Input packets : 0
Output packets: 0
Protocol multiservice, MTU: Unlimited
Flags: None
We are using an OSPF backbone area between the two branch routers. Default BGP
routes are exported to OSPF. This configuration is required for failover scenarios where
the link between Branch router 1 and the Layer 3 VPN service provider goes down. Traffic is
rerouted to Branch router 2 and then to Aggregation Hub 2. In this case, Branch router 2
receives the routes that it needs from OSPF.
1.
Configure IPv4 and IPv6 routing policies that are used to export default BGP routes
into OSPF. Set the external metric type for routes exported by OSPF to 1.
When OSPF exports routes from external ASs, it includes a cost, or external metric,
in the route. The metric type determines how OSPF calculates the cost of the route.
Type 1 external metrics are equivalent to the link-state metric, where the cost is
equal to the sum of the internal costs plus the external cost. This means that Type
1 external metrics include the external cost to the destination as well as the cost
(metric) to reach the AS boundary router.
[edit]
edit policy-options policy-statement BGP2OSPF
set term 1 from protocol bgp
set term 1 from route-filter 0.0.0.0/0 exact
set term 1 then metric 10
set term 1 then external type 1
set term 1 then accept
[edit]
edit policy-options policy-statement BGP2OSPF-V6
set term 1 from family inet6
set term 1 from protocol bgp
set term 1 from route-filter ::/0 exact
set term 1 then metric 10
set term 1 then external type 1
set term 1 then accept
2.
a. Applying the policy as an export policy for OSPF causes OSPF to advertise the
IPv4 default route learned through BGP.
[edit]
edit protocols ospf
set export BGP2OSPF
b. Set the external preference for OSPF routes to 175 so that default routes learned
from BGP on Branch router 2 have a higher priority. If BGP goes down on the Branch
router 1 WAN transport, traffic is then sent to the aggregation hub over the Branch
router 2 transport.
[edit]
edit protocols ospf
set external-preference 175
c. Create a backbone area. The OSPF backbone area contains the point-to-point
interface and the loopback interface between Branch router 1 and Branch router
2.
[edit]
edit protocols ospf area 0.0.0.0
set interface lo0.0
set interface ge-1/2/1.1 interface-type p2p
d. Add the unit 2 of the Ethernet interface that connects to Branch router 2 to Area
1.
[edit]
edit protocols ospf area 0.0.0.1
set interface ge-1/2/1.2 interface-type p2p
3.
a. Applying the policy as an export policy for OSPFv3 causes OSPFv3 to advertise the
IPv6 default route learned through BGP.
[edit]
edit protocols ospf3
set export BGP2OSPF-V6
b. Set the external preference for OSPFv3 routes to 175 so that default routes
learned from BGP on Branch router 2 have a higher priority. If BGP goes down on
the Branch router 1 WAN transport, traffic is then sent to the aggregation hub
over the Branch router 2 transport.
[edit]
edit protocols ospf3
set external-preference 175
4.
Create a backbone area. The OSPF backbone area contains the point-to-point
interface and the loopback interface between Branch router 1 and Branch router 2.
[edit]
edit protocols ospf3 area 0.0.0.0
set interface lo0.0
set interface ge-1/2/1.1 interface-type p2p
5.
Add the unit 2 of the Ethernet interface that connects to Branch router 2 to Area 1.
[edit]
edit protocols ospf3 area 0.0.0.1
set interface ge-1/2/1.2 interface-type p2p
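The failover behaviour that steps 1 through 5 set up can be checked on paper: the branch keeps its own BGP default (preference 170) active while the WAN transport is healthy, and the Type 1 external default that Branch router 2 exports into OSPF only takes over when BGP goes down. That works because OSPF external routes are moved from the Junos default preference of 150 to 175, above BGP. The following Python model is an added example, not part of the Juniper guide; the next hops are the page's addresses (172.16.3.1 on the Layer 3 VPN transport, 172.16.3.33 on the link to Branch router 2) and the internal OSPF cost to Branch router 2 is a constructed value.

```python
"""Active default-route selection on Branch router 1 after the BGP2OSPF export
policy and `external-preference 175` are in place.

Added example, not from the Juniper guide. Two rules are modelled:
  * Junos picks between routes to the same prefix by route preference (lower
    wins): BGP defaults to 170, OSPF AS-external defaults to 150 and is set to
    175 in the procedure.
  * An OSPF Type 1 external route costs the internal path cost to the ASBR plus
    the external metric; a Type 2 external route costs the external metric only.
The internal OSPF cost to Branch router 2 (10) is a constructed value.
"""
from dataclasses import dataclass
from typing import List, Optional

# Junos default route preferences; lower is preferred.
JUNOS_DEFAULT_PREFERENCE = {"bgp": 170, "ospf": 10, "ospf-external": 150}


@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str
    next_hop: str
    metric: int
    preference: int


def ospf_external_cost(internal_cost: int, external_metric: int, metric_type: int) -> int:
    """Cost of an OSPF AS-external route as seen by a router inside the area.

    Type 1: internal cost to the ASBR + external metric (what BGP2OSPF sets).
    Type 2: external metric alone; the internal cost is ignored.
    """
    if metric_type == 1:
        return internal_cost + external_metric
    if metric_type == 2:
        return external_metric
    raise ValueError("OSPF external metric type must be 1 or 2")


def select_active(routes: List[Route]) -> Optional[Route]:
    """Junos active-route choice: lowest preference wins, then lowest metric."""
    if not routes:
        return None
    return min(routes, key=lambda r: (r.preference, r.metric))


def branch1_default_routes(bgp_up: bool, ospf_external_preference: int,
                           cost_to_branch2: int = 10) -> List[Route]:
    """Candidate 0.0.0.0/0 routes on Branch router 1.

    Branch router 2 exports its BGP default into OSPF with metric 10 as a
    Type 1 external (policy BGP2OSPF), so Branch router 1 always sees an OSPF
    external default via 172.16.3.33. While BGP on the Layer 3 VPN transport is
    up, Branch router 1 also holds its own BGP default via the PE at 172.16.3.1.
    """
    candidates = [
        Route("0.0.0.0/0", "ospf-external", "172.16.3.33",
              ospf_external_cost(cost_to_branch2, 10, 1), ospf_external_preference),
    ]
    if bgp_up:
        candidates.append(Route("0.0.0.0/0", "bgp", "172.16.3.1", 0,
                                JUNOS_DEFAULT_PREFERENCE["bgp"]))
    return candidates


def active_default_protocol(bgp_up: bool, ospf_external_preference: int = 175) -> str:
    """Protocol of the default route Branch router 1 actually forwards on."""
    route = select_active(branch1_default_routes(bgp_up, ospf_external_preference))
    return route.protocol if route else "none"


if __name__ == "__main__":
    # With external-preference 175 the local BGP default wins while BGP is up,
    # and the OSPF default from Branch router 2 takes over only when it fails.
    print("BGP up,   preference 175:", active_default_protocol(True))
    print("BGP down, preference 175:", active_default_protocol(False))
    # With the Junos default of 150, the OSPF external route would shadow the
    # router's own BGP default even while the WAN transport is healthy.
    print("BGP up,   preference 150:", active_default_protocol(True, 150))
```

The third call is the one worth keeping in mind when reviewing a branch configuration: if `external-preference 175` is omitted, the branch silently prefers the detour through Branch router 2 over its own WAN link.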
Step-by-Step
Procedure
After you configure Branch router 2, verify that OSPF is running between the branch
routers.
1.
Verify that OSPF and OSPFv3 are running between the branch routers.
user@branch1> show ospf neighbor
Address          Interface              State     ID               Pri  Dead
172.16.3.33      ge-1/2/1.1             Full      172.16.3.254     128    33
172.16.3.37      ge-1/2/1.2             Full      172.16.3.254     128    37

user@branch1> show ospf3 neighbor
ID               Interface              State     Pri   Dead
172.16.3.254     ge-1/2/1.1             Full      128     38
172.16.3.254     ge-1/2/1.2             Full      128     37
Set the router's priority for being elected master router in the VRRP group. A
larger value indicates a higher priority for being elected.
Enable the master router to accept all packets destined for the virtual IP address.
Specify the interface to be tracked for this VRRP group, and set the priority cost
that is subtracted from the router's priority when that interface goes down. The
router with the highest priority within the group becomes the master.
1.
Configure a VRRP group for IPv4 and IPv6 for the data interface to the branch LAN.
[edit]
edit interfaces ge-1/3/5 unit 42 family inet address 172.16.3.11/29
set vrrp-group 10 virtual-address 172.16.3.9
set vrrp-group 10 priority 200
set vrrp-group 10 preempt
set vrrp-group 10 accept-data
set vrrp-group 10 track interface ge-1/2/5 priority-cost 110
[edit]
edit interfaces ge-1/3/5 unit 42 family inet6 address 2001:DB8:3:42::3/64
set vrrp-inet6-group 10 virtual-inet6-address 2001:DB8:3:42::1
set vrrp-inet6-group 10 priority 200
set vrrp-inet6-group 10 preempt
set vrrp-inet6-group 10 accept-data
set vrrp-inet6-group 10 track interface ge-1/2/5 priority-cost 110
2.
Configure a VRRP group for IPv4 and IPv6 for the video interface to the branch LAN.
[edit]
edit interfaces ge-1/3/5 unit 52 family inet address 172.16.3.19/29
set vrrp-group 20 virtual-address 172.16.3.17
set vrrp-group 20 priority 200
set vrrp-group 20 preempt
set vrrp-group 20 accept-data
set vrrp-group 20 track interface ge-1/2/5 priority-cost 110
[edit]
edit interfaces ge-1/3/5 unit 52 family inet6 address 2001:DB8:3:52::3/64
set vrrp-inet6-group 20 virtual-inet6-address 2001:DB8:3:52::1
set vrrp-inet6-group 20 priority 200
set vrrp-inet6-group 20 preempt
set vrrp-inet6-group 20 accept-data
set vrrp-inet6-group 20 track interface ge-1/2/5 priority-cost 110
3.
Configure a VRRP group for IPv4 and IPv6 for the voice interface to the branch LAN.
[edit]
edit interfaces ge-1/3/5 unit 62 family inet address 172.16.3.27/29
set vrrp-group 30 virtual-address 172.16.3.25
set vrrp-group 30 priority 200
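The tracking statements in steps 1 through 3 tie the branch LAN gateway to the WAN link: with `priority 200` and `track interface ge-1/2/5 priority-cost 110`, Branch router 1 drops to an effective priority of 90 as soon as ge-1/2/5 goes down, so a peer at the VRRP default priority of 100 takes the virtual address. The following Python model of the election is an added example, not from the Juniper guide. Branch router 2's VRRP configuration is not shown in the guide, so its priority (100) and its interface address are assumptions.

```python
"""VRRP master election with interface tracking, added as an example (not from
the Juniper guide). Branch router 1 carries the statements from the procedure:
priority 200, preempt, tracking ge-1/2/5 with priority-cost 110. The peer's
priority (100, the VRRP default) and address are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class VrrpRouter:
    name: str
    address: str                      # real address on the VRRP interface
    priority: int                     # configured priority, 1..254
    preempt: bool = False
    track_cost: Dict[str, int] = field(default_factory=dict)   # interface -> priority-cost
    link_up: Dict[str, bool] = field(default_factory=dict)     # interface -> current state

    def effective_priority(self) -> int:
        """Configured priority minus the cost of every tracked interface that is
        down. Never drops below 1: priority 0 is reserved for a master that is
        giving up the role."""
        penalty = sum(cost for ifname, cost in self.track_cost.items()
                      if not self.link_up.get(ifname, True))
        return max(1, self.priority - penalty)


def elect_master(routers: List[VrrpRouter], current_master: Optional[str] = None) -> str:
    """Highest effective priority wins; ties go to the higher interface address.
    A router that is already master keeps the role unless the better candidate
    has preempt enabled."""
    best = max(routers, key=lambda r: (r.effective_priority(),
                                       int(ipaddress.ip_address(r.address))))
    if current_master is not None and current_master != best.name and not best.preempt:
        return current_master
    return best.name


def branch_lan_scenario(wan_up: bool) -> Dict[str, object]:
    """Who owns VIP 172.16.3.9 on the data VLAN (group 10) for a given state of
    Branch router 1's WAN link ge-1/2/5. Returns the master and both effective
    priorities so the arithmetic is visible."""
    branch1 = VrrpRouter("branch1", "172.16.3.11", 200, preempt=True,
                         track_cost={"ge-1/2/5": 110}, link_up={"ge-1/2/5": wan_up})
    # Assumed peer: VRRP default priority, the other host address in 172.16.3.8/29.
    branch2 = VrrpRouter("branch2", "172.16.3.10", 100, preempt=True)
    master = elect_master([branch1, branch2], current_master="branch1")
    return {"master": master,
            "branch1_priority": branch1.effective_priority(),
            "branch2_priority": branch2.effective_priority()}


if __name__ == "__main__":
    print("WAN up:  ", branch_lan_scenario(True))
    print("WAN down:", branch_lan_scenario(False))
```

The arithmetic is the design check to run whenever the numbers change: the cost must push the primary below the backup's priority (200 - 110 = 90 < 100), or tracking has no effect on who forwards.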
Results
user@branch1> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-1/3/5.42   up             10   master   Active    A 0.673  lcl    172.16.3.11
                                                              vip    172.16.3.9
ge-1/3/5.42   up             10   master   Active    A 0.179  lcl    2001:DB8:3:42::3
                                                              vip    fe80::200:5eff:fe00:20a
                                                              vip    2001:DB8:3:42::1
ge-1/3/5.52   up             20   master   Active    A 0.120  lcl    172.16.3.19
                                                              vip    172.16.3.17
ge-1/3/5.52   up             20   master   Active    A 0.273  lcl    2001:DB8:3:52::3
                                                              vip    fe80::200:5eff:fe00:214
                                                              vip    2001:DB8:3:52::1
ge-1/3/5.62   up             30   master   Active    A 0.687  lcl    172.16.3.27
                                                              vip    172.16.3.25
ge-1/3/5.62   up             30   master   Active    A 0.046  lcl    2001:DB8:3:62::3
                                                              vip    fe80::200:5eff:fe00:21e
                                                              vip    2001:DB8:3:62::1
1.
2.
Configure multicast on the branch LAN interfaces and on the interface to Branch
router 2.
[edit]
edit protocols pim
set interface ge-1/2/5.0 mode sparse
set interface ge-1/2/5.0 version 2
set interface ge-1/3/5.42 mode sparse
set interface ge-1/3/5.42 version 2
set interface ge-1/2/1.1 mode sparse
set interface ge-1/2/1.1 version 2
set interface ge-1/2/1.2 mode sparse
set interface ge-1/2/1.2 version 2
3.
Results
. . .
Group: 235.3.1.15
Source: *
RP: 172.31.255.15
Flags: sparse,rptree,wildcard
Upstream interface: ge-1/2/5.0
Group: 235.3.1.15
Source: 172.31.252.10
Flags: sparse,spt
Upstream interface: ge-1/2/5.0
Instance: PIM.master Family: INET6
R = Rendezvous Point Tree, S = Sparse, W = Wildcard
3. Verify multicast on the branch LAN interfaces, the interface to Branch router 2, and
user@branch1> show pim neighbors
V Mode        Option       Uptime Neighbor addr
2             HPLGT        1w6d8h 172.16.3.33
2             HPLGT        1w6d8h 172.16.3.37
2             HPLGT        1w1d9h 172.16.3.1
2             HPLGT        1w6d3h 172.16.3.10
4. Verify that groups are established with the upstream interface to the Layer 3 VPN
service provider (ge-1/2/5) and downstream interfaces to the branch LAN (ge-1/3/5).
user@branch1> show multicast route extensive
Instance: master Family: INET
Group: 235.3.1.1
Source: 172.31.252.10/32
Upstream interface: ge-1/2/5.0
Downstream interface list:
ge-1/3/5.42
Session description: Unknown
Statistics: 35 kBps, 150 pps, 813644 packets
Next-hop ID: 1048575
Upstream protocol: PIM
Route state: Active
Forwarding state: Forwarding
Cache lifetime/timeout: 360 seconds
Wrong incoming interface notifications: 0
Uptime: 01:30:26
Group: 235.3.1.2
Source: 172.31.252.10/32
Upstream interface: ge-1/2/5.0
Downstream interface list:
ge-1/3/5.42
Session description: Unknown
Statistics: 35 kBps, 150 pps, 813644 packets
Next-hop ID: 1048575
Upstream protocol: PIM
Route state: Active
Forwarding state: Forwarding
Cache lifetime/timeout: 360 seconds
Wrong incoming interface notifications: 0
Uptime: 01:30:26
Group: 235.3.1.3
Source: 172.31.252.10/32
Upstream interface: ge-1/2/5.0
Downstream interface list:
ge-1/3/5.42
Session description: Unknown
Statistics: 35 kBps, 150 pps, 813645 packets
Next-hop ID: 1048575
Upstream protocol: PIM
Route state: Active
Forwarding state: Forwarding
Cache lifetime/timeout: 360 seconds
Wrong incoming interface notifications: 0
Uptime: 01:30:26
Group: 235.3.1.4
Source: 172.31.252.10/32
Upstream interface: ge-1/2/5.0
Downstream interface list:
ge-1/3/5.42
Session description: Unknown
Statistics: 35 kBps, 150 pps, 813643 packets
Next-hop ID: 1048575
Upstream protocol: PIM
Route state: Active
. . .
Group: 235.3.1.15
Source: 172.31.252.10/32
Upstream interface: ge-1/2/5.0
Downstream interface list:
ge-1/3/5.42
Session description: Unknown
Statistics: 35 kBps, 150 pps, 813632 packets
Next-hop ID: 1048575
Upstream protocol: PIM
Route state: Active
Forwarding state: Forwarding
Cache lifetime/timeout: 360 seconds
Wrong incoming interface notifications: 0
Uptime: 01:30:26
Instance: master Family: INET6
5. Verify the multicast reverse-path-forwarding (RPF) calculations for the static
rendezvous point.
user@branch1> show multicast rpf 172.31.255.15
Multicast RPF table: inet.0 , 147 entries
0.0.0.0/0
Protocol: BGP
Interface: ge-1/2/5.0
Neighbor: 172.16.3.1
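Steps 4 and 5 are checked by reading the output by eye. The same checks can be scripted, which matters once there are fifteen groups per branch: every (S,G) entry should use the Layer 3 VPN transport ge-1/2/5.0 as its RPF (upstream) interface, forward to the branch LAN interface ge-1/3/5.42, and report zero wrong-incoming-interface notifications, the counter that rises when multicast arrives on an interface other than the RPF interface. The following parser and audit is an added example, not from the Juniper guide; the sample output is constructed in the format shown above, with the second entry deliberately deviant.

```python
"""Parser and audit for `show multicast route extensive` output. Added example,
not from the Juniper guide; SAMPLE_OUTPUT is constructed in the page's format
and its second entry deliberately deviates (wrong upstream, RPF failures).
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_OUTPUT = """\
Instance: master Family: INET

Group: 235.3.1.1
    Source: 172.31.252.10/32
    Upstream interface: ge-1/2/5.0
    Downstream interface list:
        ge-1/3/5.42
    Session description: Unknown
    Statistics: 35 kBps, 150 pps, 813644 packets
    Next-hop ID: 1048575
    Upstream protocol: PIM
    Route state: Active
    Forwarding state: Forwarding
    Cache lifetime/timeout: 360 seconds
    Wrong incoming interface notifications: 0
    Uptime: 01:30:26

Group: 235.3.1.2
    Source: 172.31.252.10/32
    Upstream interface: ge-1/2/1.1
    Downstream interface list:
        ge-1/3/5.42
        ge-1/3/5.52
    Session description: Unknown
    Statistics: 35 kBps, 150 pps, 813644 packets
    Next-hop ID: 1048575
    Upstream protocol: PIM
    Route state: Active
    Forwarding state: Forwarding
    Cache lifetime/timeout: 360 seconds
    Wrong incoming interface notifications: 12
    Uptime: 01:30:26

Instance: master Family: INET6
"""


@dataclass
class MulticastRoute:
    group: str
    source: str
    upstream: str
    downstream: List[str]
    forwarding_state: str
    wrong_iif: int


def parse_multicast_routes(text: str) -> List[MulticastRoute]:
    """Split the output into per-group blocks and pull out the audited fields."""
    routes: List[MulticastRoute] = []
    for block in re.split(r"(?m)^\s*Group:\s*", text)[1:]:
        lines = block.splitlines()
        group = lines[0].strip()
        fields: Dict[str, str] = {}
        downstream: List[str] = []
        in_downstream = False
        for raw in lines[1:]:
            line = raw.strip()
            if not line:
                continue
            if line == "Downstream interface list:":
                in_downstream = True
                continue
            if in_downstream and ":" not in line:
                downstream.append(line)      # bare interface names under the list header
                continue
            in_downstream = False
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        routes.append(MulticastRoute(
            group=group,
            source=fields.get("Source", ""),
            upstream=fields.get("Upstream interface", ""),
            downstream=downstream,
            forwarding_state=fields.get("Forwarding state", ""),
            wrong_iif=int(fields.get("Wrong incoming interface notifications", "0")),
        ))
    return routes


def audit_routes(routes: List[MulticastRoute], expected_upstream: str,
                 expected_downstream: str) -> List[str]:
    """One finding per deviation from the expected forwarding topology."""
    findings: List[str] = []
    for r in routes:
        tag = f"({r.source}, {r.group})"
        if r.upstream != expected_upstream:
            findings.append(f"{tag}: upstream {r.upstream}, expected {expected_upstream}")
        if expected_downstream not in r.downstream:
            findings.append(f"{tag}: {expected_downstream} missing from downstream list")
        if r.wrong_iif > 0:
            findings.append(f"{tag}: {r.wrong_iif} wrong-incoming-interface notifications (RPF failures)")
        if r.forwarding_state != "Forwarding":
            findings.append(f"{tag}: forwarding state is {r.forwarding_state!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_routes(parse_multicast_routes(SAMPLE_OUTPUT),
                                "ge-1/2/5.0", "ge-1/3/5.42"):
        print(finding)
```

Feed it the real output captured over SSH instead of the sample and it becomes a post-change check: an entry whose upstream has moved to the inter-branch VLAN, or whose wrong-incoming-interface counter is climbing, is exactly what a failover to Branch router 2 or a duplicated source would show.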
1.
Configure classifiers.
a. Configure DSCP behavior aggregate (BA) classifiers for IPv4.
[edit]
edit class-of-service classifiers dscp DSCP-BA
set forwarding-class Best_Effort loss-priority medium-high code-points be
set forwarding-class Video loss-priority low code-points af41
set forwarding-class Video loss-priority low code-points af42
set forwarding-class Voice loss-priority low code-points ef
set forwarding-class Network_Control loss-priority low code-points cs7
set forwarding-class Network_Control loss-priority low code-points cs6
set forwarding-class Scavenger loss-priority high code-points cs1
set forwarding-class Bulk_Data loss-priority medium-high code-points af11
set forwarding-class Bulk_Data loss-priority medium-high code-points af12
set forwarding-class Critical_Data loss-priority medium-low code-points af21
set forwarding-class Critical_Data loss-priority medium-low code-points af22
b. Configure DSCP BA classifiers for IPv6.
[edit]
edit class-of-service classifiers dscp-ipv6 DSCP-BA
set forwarding-class Best_Effort loss-priority high code-points be
set forwarding-class Video loss-priority low code-points af41
set forwarding-class Video loss-priority low code-points af42
set forwarding-class Voice loss-priority low code-points ef
set forwarding-class Network_Control loss-priority low code-points cs6
set forwarding-class Network_Control loss-priority low code-points cs7
set forwarding-class Scavenger loss-priority low code-points cs1
set forwarding-class Bulk_Data loss-priority high code-points af11
set forwarding-class Bulk_Data loss-priority high code-points af12
set forwarding-class Critical_Data loss-priority low code-points af21
set forwarding-class Critical_Data loss-priority low code-points af22
c. Assign the forwarding classes to transmission queues.
[edit]
edit class-of-service forwarding-classes
set queue 0 Best_Effort
set queue 1 Scavenger
set queue 2 Bulk_Data
set queue 3 Critical_Data
set queue 4 Video
set queue 5 Voice
set queue 6 Network_Control
2.
[edit]
edit class-of-service rewrite-rules dscp Rewrite_CORE_TRAFFIC
set forwarding-class Best_Effort loss-priority medium-high code-point be
set forwarding-class Bulk_Data loss-priority medium-high code-point af11
set forwarding-class Scavenger loss-priority high code-point cs1
[edit]
edit class-of-service rewrite-rules dscp-ipv6 Rewrite_CORE_TRAFFIC
set forwarding-class Best_Effort loss-priority medium-high code-point be
set forwarding-class Bulk_Data loss-priority medium-high code-point af11
set forwarding-class Scavenger loss-priority high code-point cs1
set forwarding-class Critical_Data loss-priority medium-low code-point af21
set forwarding-class Video loss-priority low code-point af41
set forwarding-class Voice loss-priority low code-point ef
set forwarding-class Network_Control loss-priority low code-point cs7
c. Configure a DSCP rewrite rule for voice traffic. This rule sets the code-point bit
patterns for the Voice forwarding class and is applied to the branch LAN interface.
[edit]
edit class-of-service rewrite-rules dscp voice-ef
set forwarding-class Voice loss-priority low code-point 101110
d. Configure a rewrite rule for video traffic. This rule sets the code-point bit patterns
for the Video forwarding class and is applied to the branch LAN interface.
[edit]
edit class-of-service rewrite-rules dscp video-af
set forwarding-class Video loss-priority low code-point 100010
3.
a. Create a scheduler for the Best_Effort forwarding class.
[edit]
edit class-of-service schedulers SCH_Best_Effort
set transmit-rate remainder
set buffer-size remainder
set priority medium-low
b. Create a scheduler for the Scavenger forwarding class.
[edit]
edit class-of-service schedulers SCH_Scavenger
set transmit-rate percent 3
set buffer-size percent 10
set priority low
c. Create a scheduler for the Bulk_Data forwarding class.
[edit]
edit class-of-service schedulers SCH_Bulk_Data
set transmit-rate percent 20
set buffer-size percent 15
set priority medium-low
d. Create a scheduler for the Critical_Data forwarding class.
[edit]
edit class-of-service schedulers SCH_Critical_Data
set transmit-rate percent 15
set transmit-rate exact
set buffer-size percent 15
set priority medium-high
e. Create a scheduler for the Video forwarding class.
[edit]
edit class-of-service schedulers SCH_Video
set transmit-rate percent 20
set transmit-rate exact
set buffer-size percent 10
set priority high
f. Create a scheduler for the Network_Control forwarding class.
[edit]
edit class-of-service schedulers SCH_Network_Control
set transmit-rate percent 5
set transmit-rate exact
set buffer-size percent 3
5.
Create a traffic control profile for use on the transport to Service Provider A.
[edit]
edit class-of-service traffic-control-profiles mpls-link
set scheduler-map MAIN-SCHD
set shaping-rate 100m
6.
7.
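Three things in this procedure are easy to get subtly wrong and hard to see from the CLI: whether every DSCP code point lands in the intended forwarding class and queue, whether the raw bit patterns in the `voice-ef` and `video-af` rewrite rules really are EF and AF41, and how the scheduler percentages divide the 100 Mbps shaper. The following Python re-expression of the classifier, queue mapping, rewrite rules and transmit rates is an added example, not from the Juniper guide. The packet ToS bytes are constructed inputs, the Voice scheduler is left out because the procedure does not show one, and the handling of code points the classifier does not list is an assumption made here.

```python
"""DSCP classification, rewrite-rule and scheduler arithmetic for the CoS
procedure. Added example, not from the Juniper guide. Hub values are the
page's; ToS bytes are constructed inputs; the fallback for unlisted code
points is an assumption.
"""
from typing import Dict, Optional, Tuple

# Standard DSCP code points (RFC 2474, RFC 2597, RFC 3246) as 6-bit values.
DSCP_VALUE: Dict[str, int] = {
    "be": 0, "cs1": 8, "af11": 10, "af12": 12, "af21": 18, "af22": 20,
    "af41": 34, "af42": 36, "ef": 46, "cs6": 48, "cs7": 56,
}

# classifiers dscp DSCP-BA (step 1a): code point -> (forwarding class, loss priority)
DSCP_BA_IPV4: Dict[str, Tuple[str, str]] = {
    "be": ("Best_Effort", "medium-high"),
    "af41": ("Video", "low"), "af42": ("Video", "low"),
    "ef": ("Voice", "low"),
    "cs7": ("Network_Control", "low"), "cs6": ("Network_Control", "low"),
    "cs1": ("Scavenger", "high"),
    "af11": ("Bulk_Data", "medium-high"), "af12": ("Bulk_Data", "medium-high"),
    "af21": ("Critical_Data", "medium-low"), "af22": ("Critical_Data", "medium-low"),
}

# forwarding-classes (step 1c): class -> queue number
QUEUE_OF_CLASS = {"Best_Effort": 0, "Scavenger": 1, "Bulk_Data": 2, "Critical_Data": 3,
                  "Video": 4, "Voice": 5, "Network_Control": 6}

# scheduler transmit-rate percent (step 3); None means "remainder".
# No Voice scheduler appears in the procedure, so none is modelled here.
TRANSMIT_PERCENT: Dict[str, Optional[int]] = {
    "Best_Effort": None, "Scavenger": 3, "Bulk_Data": 20,
    "Critical_Data": 15, "Video": 20, "Network_Control": 5,
}


def dscp_name(value: int) -> Optional[str]:
    """Name of a standard code point, or None for an unlisted value."""
    for name, v in DSCP_VALUE.items():
        if v == value:
            return name
    return None


def classify(tos_byte: int) -> Tuple[str, str, int]:
    """(forwarding class, loss priority, queue) for a packet's IPv4 ToS byte.
    DSCP is the upper six bits; the low two bits are ECN and are ignored.
    Code points the classifier does not list fall to Best_Effort / low here
    (an assumption; a real box applies its default classifier to them)."""
    name = dscp_name((tos_byte >> 2) & 0x3F)
    if name in DSCP_BA_IPV4:
        fc, plp = DSCP_BA_IPV4[name]
        return fc, plp, QUEUE_OF_CLASS[fc]
    return "Best_Effort", "low", 0


def rewrite_code_point(bit_pattern: str) -> str:
    """Resolve the 6-bit pattern written in a rewrite rule (e.g. 101110) to its
    DSCP name, so a mistyped pattern is caught before it is committed."""
    if len(bit_pattern) != 6 or set(bit_pattern) - {"0", "1"}:
        raise ValueError(f"{bit_pattern!r} is not a 6-bit pattern")
    name = dscp_name(int(bit_pattern, 2))
    if name is None:
        raise ValueError(f"{bit_pattern} is not a standard DSCP code point")
    return name


def guaranteed_rates(shaping_rate_bps: int) -> Dict[str, int]:
    """Bandwidth each scheduler is guaranteed under the shaper, in bps.
    Explicit percentages are taken first; 'remainder' gets what is left."""
    explicit = sum(p for p in TRANSMIT_PERCENT.values() if p is not None)
    if explicit > 100:
        raise ValueError(f"transmit rates sum to {explicit}% > 100%")
    remainder = 100 - explicit
    return {fc: shaping_rate_bps * (remainder if p is None else p) // 100
            for fc, p in TRANSMIT_PERCENT.items()}


if __name__ == "__main__":
    print(classify(0xB8))                                               # EF voice packet
    print(rewrite_code_point("101110"), rewrite_code_point("100010"))   # ef af41
    print(guaranteed_rates(100_000_000))                                # 100m shaping rate
```

With the page's percentages (3 + 20 + 15 + 20 + 5 = 63) the remainder left for Best_Effort is 37 Mbps of the 100 Mbps shaper; adding a Voice scheduler later must keep the explicit total at or below 100 or `guaranteed_rates` refuses it, which is the same constraint the commit would enforce.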
Step-by-Step
Procedure
1.
Check that the traffic control profile is running on the WAN transport.
user@branch1> show class-of-service traffic-control-profile
Traffic control profile: mpls-link, Index: 9175
Shaping rate: 150000000
Scheduler map: MAIN-SCHD
2.
3.
Index: 51863
4.
Index: 961, Type: dscp, fixed
Index: 35765, Type: dscp, fixed
Index: 28463
. . .
  Transmitted:
    Packets              :           13760948671                 20525 pps
    Bytes                :         5076881876090              60628576 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 1, Forwarding classes: Scavenger
  Queued:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
  Transmitted:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 2, Forwarding classes: Bulk_Data
  Queued:
    Packets              :                852367                     0 pps
    Bytes                :             453459244                     0 bps
  Transmitted:
    Packets              :                852367                     0 pps
    Bytes                :             453459244                     0 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 3, Forwarding classes: Critical_Data
  Queued:
    Packets              :            1000267940                  1501 pps
    Bytes                :          276237601824               3315584 bps
  Transmitted:
    Packets              :            1000267940                  1501 pps
    Bytes                :          276237601824               3315584 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 4, Forwarding classes: Video
  Queued:
    Packets              :               1064756                     0 pps
    Bytes                :             566450192                     0 bps
  Transmitted:
    Packets              :               1064756                     0 pps
    Bytes                :             566450192                     0 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 5, Forwarding classes: Voice
  Queued:
    Packets              :               1581547                     0 pps
    Bytes                :             234068956                     0 bps
  Transmitted:
    Packets              :               1581547                     0 pps
    Bytes                :             234068956                     0 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 6, Forwarding classes: Network_Control
  Queued:
    Packets              :               9617920                     7 pps
    Bytes                :            1142330558                  6304 bps
  Transmitted:
    Packets              :               9617920                     7 pps
    Bytes                :            1142330558                  6304 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
5.
. . .
     High                :                                           0 bps
Queue: 3, Forwarding classes: Critical_Data
  Queued:
    Packets              :            2374123893                  3000 pps
    Bytes                :          854683894096               8640000 bps
  Transmitted:
    Packets              :            2374123893                  3000 pps
    Bytes                :          854683894096               8640000 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 4, Forwarding classes: Video
  Queued:
    Packets              :            1978434961                  2500 pps
    Bytes                :          965475248321               9760608 bps
  Transmitted:
    Packets              :            1978434961                  2500 pps
    Bytes                :          965475248321               9760608 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 5, Forwarding classes: Voice
  Queued:
    Packets              :            2967253687                  3750 pps
    Bytes                :          308595411083               3120192 bps
  Transmitted:
    Packets              :            2967253687                  3750 pps
    Bytes                :          308595411083               3120192 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 6, Forwarding classes: Network_Control
  Queued:
    Packets              :            1187393893                  1499 pps
    Bytes                :          275434845733               2783680 bps
  Transmitted:
    Packets              :            1187393893                  1499 pps
    Bytes                :          275434845733               2783680 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Configuring WAN Transport Security on the VPN Termination Role at Hub 2 on page 592
Configuring Dynamic Endpoints for IPsec Tunnels on the VPN Termination Role at Hub
2 on page 594
Configuring the Overlay WAN Transport on the VPN Termination Role at Hub
2 on page 596
Configuring the Transport Routing Instances on the VPN Termination Role at Hub
2 on page 597
Configuring Private Overlay Routing on the VPN Termination Role at Hub 2 on page 598
Applying CoS to the Tunnel Interfaces on the VPN Termination Role at Hub 2 on page 600
IPsec is used to secure the GRE tunnels between the branch and the aggregation hub.
The WAN transport security configuration consists of an IKE configuration for IPsec phase
1 negotiation and an IPsec configuration for phase 2 negotiation.
1.
For IKE phase 1 negotiation with the branch, configure an IKE proposal and policy.
a. Configure an IKE proposal that matches the proposal configured on the branch
router.
[edit]
edit services ipsec-vpn ike proposal ike-phase1-proposal
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha-256
set encryption-algorithm aes-256-cbc
set lifetime-seconds 28800
b. Configure an IKE policy and associate the IKE proposal with the policy.
[edit]
edit services ipsec-vpn ike policy ike-phase1-policy
set mode main
set proposals ike-phase1-proposal
set pre-shared-key ascii-text "$9$5znCO1hKMXtuMX7-2gTz3"
2.
[edit]
edit services ipsec-vpn ipsec proposal dynamic_ipsec_proposal
Configuring Dynamic Endpoints for IPsec Tunnels on the VPN Termination Role
at Hub 2
Step-by-Step
Procedure
Dynamic endpoint IPsec is used to reduce the configuration and changes required when
a new branch comes online. You need to configure dynamic endpoints only once at the
aggregation hub.
1.
Create an IKE access profile that is used to negotiate IKE and IPsec security
associations with dynamic peers.
The client value * (wildcard) means this profile is valid for all dynamic peers that
terminate in the service set that accesses this profile.
The local proxy pair address on the hub is the local loopback address used for
the GRE tunnel.
The IKE policy is the policy that defines the remote identification values that
correspond to the allowed dynamic peers.
The interface identifier is the interface used to derive the logical service interface
for the session.
[edit]
edit access profile IPsec_Clients_Group1 client * ike
set allowed-proxy-pair local 172.31.255.231/32 remote 172.16.0.0/20
set allowed-proxy-pair local 172.31.255.231/32 remote 172.20.0.0/16
set ike ike-policy ike-phase1-policy
set ike interface-id IPsec_Clients_Group1
2.
The dial options interface ID specifies that this logical interface takes part in
dynamic IPsec negotiation for the group of dynamic peers defined for
IPsec_Clients_Group1.
The dial options shared mode enables the logical interface to be shared across
multiple tunnels.
The inside and outside service domains must match the interface domains
specified in the service set.
[edit]
edit interfaces sp-1/0/0
set unit 1 description "--- Outbound unit for DEP IPSEC tunnel ----"
set unit 1 family inet
set unit 1 service-domain outside
set unit 2 description "--- Inbound unit for DEP IPSEC (shared) tunnel ---"
set unit 2 dial-options ipsec-interface-id IPsec_Clients_Group1
set unit 2 dial-options shared
set unit 2 family inet
set unit 2 service-domain inside
3.
The reverse routes at the aggregation hub include next hops that point to the
locations specified by the inside and outside service interfaces. The reverse routes
are inserted into the VPN routing instance routing table because the sp-1/0/0
interfaces are present in this routing instance. The inside and outside service
interfaces must match the inside and outside service domains configured at the
[edit interfaces sp-1/0/0] hierarchy.
Specify the address and the routing instance of the local gateway. The local
gateway address is the local address of the logical tunnel interface (5/1/0.53) from
the VPN termination role to the Internet edge role.
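Two of the statements above decide which branches the hub will build a tunnel for: the IKE proposal (from the WAN transport security procedure, which must match the branch's proposal attribute for attribute) and the `allowed-proxy-pair` entries of the access profile (which bound the proxy identities a dynamic peer may negotiate). The following Python check of both gates is an added example, not from the Juniper guide; the hub values are the page's, and the branch proposals and proxy IDs used as inputs are constructed.

```python
"""Admission checks for a dynamic IPsec peer at the hub. Added example, not
from the Juniper guide. Hub values come from the procedures (ike-phase1-proposal
and access profile IPsec_Clients_Group1); peer inputs are constructed.
"""
import ipaddress
from dataclasses import asdict, dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class IkeProposal:
    authentication_method: str
    authentication_algorithm: str
    dh_group: str
    encryption_algorithm: str
    lifetime_seconds: int


# services ipsec-vpn ike proposal ike-phase1-proposal
HUB_IKE_PROPOSAL = IkeProposal("pre-shared-keys", "sha-256", "group2", "aes-256-cbc", 28800)

# access profile IPsec_Clients_Group1 client * ike allowed-proxy-pair, as
# (local, remote) seen from the hub: local is the hub loopback, remote the branch side.
ALLOWED_PROXY_PAIRS: List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]] = [
    (ipaddress.IPv4Network("172.31.255.231/32"), ipaddress.IPv4Network("172.16.0.0/20")),
    (ipaddress.IPv4Network("172.31.255.231/32"), ipaddress.IPv4Network("172.20.0.0/16")),
]


def ike_proposal_mismatches(hub: IkeProposal, peer: IkeProposal) -> List[str]:
    """Names of the attributes on which the peer's proposal differs from the hub's.
    The guide requires the two proposals to match, so every field is compared."""
    hub_attrs, peer_attrs = asdict(hub), asdict(peer)
    return [name for name in hub_attrs if hub_attrs[name] != peer_attrs[name]]


def proxy_pair_allowed(local: str, remote: str) -> bool:
    """True if the proposed (local, remote) proxy IDs both sit inside one
    allowed pair. A host prefix counts as a subnet of itself."""
    local_net = ipaddress.IPv4Network(local, strict=False)
    remote_net = ipaddress.IPv4Network(remote, strict=False)
    return any(local_net.subnet_of(allowed_local) and remote_net.subnet_of(allowed_remote)
               for allowed_local, allowed_remote in ALLOWED_PROXY_PAIRS)


def admit_dynamic_peer(peer: IkeProposal, local: str, remote: str) -> Tuple[bool, List[str]]:
    """(admitted, reasons). An empty reason list means the peer passes both gates."""
    reasons = [f"IKE proposal mismatch on {name}"
               for name in ike_proposal_mismatches(HUB_IKE_PROPOSAL, peer)]
    if not proxy_pair_allowed(local, remote):
        reasons.append(f"proxy pair {local} -> {remote} is outside every allowed-proxy-pair")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed branch inputs: a matching proposal with the page's GRE loopback
    # 172.16.1.255 as the remote proxy ID, then one with a weaker hash.
    matching = IkeProposal("pre-shared-keys", "sha-256", "group2", "aes-256-cbc", 28800)
    print(admit_dynamic_peer(matching, "172.31.255.231/32", "172.16.1.255/32"))
    weaker = IkeProposal("pre-shared-keys", "md5", "group2", "aes-256-cbc", 28800)
    print(admit_dynamic_peer(weaker, "172.31.255.231/32", "172.16.1.255/32"))
```

The proxy-pair gate is what keeps the wildcard `client *` from meaning "any address": a peer that authenticates with the shared key but proposes traffic selectors outside 172.16.0.0/20 or 172.20.0.0/16 still gets no security association.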
Configuring the Overlay WAN Transport on the VPN Termination Role at
Hub 2
Step-by-Step
Procedure
1.
Configure a logical GRE interface for the number of tunnels to be formed between
the branch and the aggregation hub.
Specify the outer GRE source and destination tunnel addresses that are used to
form the tunnel. These are the local and remote addresses of the loopback
interfaces.
Specify the inner IPv4 and IPv6 addresses that are used after the tunnel is formed.
[edit]
edit interfaces gr-5/1/0 unit 1
set tunnel source 172.31.255.231
set tunnel destination 172.16.1.255
set tunnel routing-instance destination VPN
set family inet address 172.16.1.5/30
set family inet6 address fec0:16:1:4::1/64
2.
Configure the loopback interface that is configured in the VPN routing instance. Its
address is used on the IPsec tunnels.
[edit]
edit interfaces lo0 unit 3
set family inet address 172.31.255.231/32
3.
Configure the loopback interface that is configured in the WAN-GRE routing instance.
Its address is used as the source address of GRE tunnels.
[edit]
edit interfaces lo0 unit 4
set family inet address 172.31.255.6/32
set family inet6 address 2001:DB8:255::6/128
Configuring the Transport Routing Instances on the VPN Termination Role at Hub
2
Step-by-Step
Procedure
On the VPN termination router at the aggregation hub, there are two virtual routing
instances:
WAN-GRE: An internal routing instance that terminates the private GRE IPv4
addressing. The WAN-GRE virtual router is part of the internal routing domain and is
an IBGP peer with the IPsec tunnel at the branch.
1.
The loopback interface is the remote endpoint for the branch. The address of
the loopback interface is used on the IPsec tunnels.
[edit]
edit routing-instances VPN
set interface sp-1/0/0.1
set interface sp-1/0/0.2
set interface lo0.3
2.
unit for the number of GRE tunnels that can be formed to the branch. Add the
loopback interface for the GRE tunnels. The loopback interface address is used
as the GRE tunnel source address.
[edit]
edit routing-instances WAN-GRE
set interface gr-5/1/0.1
set interface lo0.4
Routing for the WAN transport is in the WAN-GRE routing instance. The routing in this
instance includes routing adjacencies over the GRE tunnel and to the WAN aggregation
router at Aggregation Hub 2.
1.
Create an IBGP peer group for IPv4 to have a peer relationship with the remote GRE
tunnel endpoint at the branch.
This IBGP peer group uses the default local preference value of 100, which gives a
lower preference to routes to Aggregation Hub 2 than routes to Aggregation Hub 1,
which have a local preference value of 200.
The ADV_DEFAULT policy causes BGP to advertise only the default route to the
branch. It prevents the branch from receiving advertisements for routes to other
branches.
The cluster statement causes the IBGP peer at the aggregation hub to act as a BGP
route reflector.
[edit]
edit routing-instances WAN-GRE protocols bgp group IBGPoGRE
set type internal
set passive
set out-delay 450
set family inet unicast
set authentication-key "$9$PTF6p01ylvdbkmfTn6rlK"
set export ADV_DEFAULT
set cluster 0.0.0.3
set neighbor 172.16.2.6 description
2.
Create an IBGP peer group for IPv6 to have a peer relationship with the remote GRE
tunnel endpoint at the branch.
This IBGP peer group uses the default local preference value of 100, which gives a
lower preference to routes to Aggregation Hub 2 than routes to Aggregation Hub 1,
which have a local preference value of 200.
The ADV_DEFAULT-V6 policy causes BGP to advertise only the default route to the
branch. It prevents the branch from receiving advertisements for routes to other
branches.
The cluster statement causes the IBGP peer at the aggregation hub to act as a BGP
route reflector.
[edit]
edit routing-instances WAN-GRE protocols bgp group IBGPoGRE-V6
set type internal
set passive
set out-delay 450
set family inet6 unicast
set export ADV_DEFAULT-V6
set cluster 0.0.0.4
set neighbor 2001:DB8:2:4::2 authentication-key "$9$-WbY4UjkTznO1XNdbg4Qz3"
There are two levels of high availability that you can use over your private WAN overlay:
Dead peer detection for IPsec tunnels to monitor the tunnel state and remote peer
availability.
BFD with OSPF for GRE tunnels to detect failures over the GRE tunnels.
1.
2.
In the IBGP peer group to the remote end of the GRE tunnel at the branch, add the
following statements:
We are using BFD with BGP to detect link failures over the GRE tunnels.
Set the minimum transmit and receive interval for failure detection. This interval is
the minimum time after which the local routing device transmits hello packets and
the minimum interval after which the routing device expects to receive a reply from
the neighbor with which it has established a BFD session.
Set the detection multiplier, which is the number of consecutive hello packets that
can go unreceived by a neighbor before the originating interface is declared down.
[edit]
edit routing-instances WAN-GRE protocols bgp group IBGPoGRE
set bfd-liveness-detection minimum-interval 500
set bfd-liveness-detection multiplier 3
1.
[edit]
edit routing-instances WAN-GRE protocols pim
set interface gr-5/1/0.1 mode sparse
set interface gr-5/1/0.1 version 2
Applying CoS to the Tunnel Interfaces on the VPN Termination Role at Hub 2
Step-by-Step
Procedure
In overlay environments it is critical to be able to schedule and control the traffic out to
the remote branches. This is most effectively achieved if you use GRE or tunnel QoS,
where you can implement a CoS shaper and traffic scheduler per tunnel to control the
bandwidth of the tunnel and schedule high-priority traffic over low-priority traffic.
The router at Aggregation Hub 2 is an MX Series router, and MX Series routers do not
support per-unit GRE scheduling. To work around this, we are configuring CoS on logical
tunnel (lt) interfaces on the MX Series router. The lt interfaces apply CoS to egress traffic
before it is sent over the GRE tunnels to the branch.
1.
Apply the scheduler map to the GRE tunnel interfaces. The scheduler map is
configured in the Aggregation Hub 2 base configuration.
[edit]
edit class-of-service interfaces gr-5/1/0
set scheduler-map MAIN-SCHD
2.
In the GRE logical interface configuration, configure the tunnels to copy the ToS byte
of the inner IP header to the outer IP header of the GRE tunnel.
In this design, we are classifying traffic based on DSCP markings in the ToS byte of
the IP header. Because this header is encapsulated in a GRE tunnel, the ToS byte
of the inner IP header must be copied to the outer header, or the underlay sees every
tunneled packet with a DSCP of 0 and treats it as best effort.
[edit]
edit interfaces gr-5/1/0 unit 1
set copy-tos-to-outer-ip-header
3.
Apply the traffic control profile to the logical tunnel that is used for scheduling and
queueing.
Before you implement this step, you need to have enabled hierarchical scheduling
on the lt interface, and committed the configuration.
[edit]
edit class-of-service interfaces lt-5/1/0
set unit 2 output-traffic-control-profile SMALL-BRANCH
Configuring the Internet WAN Transport Routing on Branch Router 2 on page 606
Configuring the WAN Transport Routing Protocol on Branch Router 2 on page 608
Configuring the Internet WAN Transport Security on Branch Router 2 on page 610
Configuring OSPF for the Branch LAN on Branch Router 2 on page 618
Configuring the LAN Transport to Branch Router 1 on Branch Router 2 on page 619
Configuring OSPF Routing Between Branch Routers on Branch Router 2 on page 621
Configuring VRRP for High Availability of Dual Routers on Branch Router 2 on page 624
1.
Create a set of prefix lists that are used in the firewall filter that is set up for Routing
Engine protection. These prefix lists specify the trusted IP subnets and addresses for
different types of traffic. Only traffic received from these addresses is allowed
through the filter that protects the Routing Engine.
[edit]
edit policy-options
set prefix-list trusted-bgp-peers 3.3.0.0/24
set prefix-list trusted-bgp-peers 172.16.3.0/24
set prefix-list trusted-networks 10.0.0.0/8
set prefix-list trusted-networks 172.16.0.0/12
set prefix-list trusted-networks 192.168.0.0/16
set prefix-list NMS 10.0.0.0/8
set prefix-list NMS 172.16.0.0/12
set prefix-list NMS 192.168.0.0/16
set prefix-list IPsec-Servers 192.0.2.0/24
2.
3. Create a firewall filter used for Routing Engine protection. The filter accepts only
the protocols the router needs to receive (IKE/IPsec, BGP, PIM, OSPF, SNMP, ICMP,
management access, TACACS+ and RADIUS), and only from trusted sources; it
discards small-packet and fragment attacks and explicitly discards everything else.
Most accept terms also apply the limit-150k policer, which must exist under
[edit firewall policer], so that even traffic from trusted sources is rate-limited before
it reaches the Routing Engine.
a. Create the firewall filter, and specify that counters defined in the filter are
interface specific.
[edit]
edit firewall family inet filter RE-PROTECT
set interface-specific
b. Create a term for IPsec traffic.
[edit]
edit firewall family inet filter RE-PROTECT
set term IPsec from source-prefix-list IPsec-Servers
set term IPsec from protocol udp
set term IPsec from port 500
set term IPsec from port 4500
set term IPsec then policer limit-150k
set term IPsec then count IPsec
set term IPsec then accept
c. Create a term for BGP traffic.
[edit]
edit firewall family inet filter RE-PROTECT
set term bgp-in from source-prefix-list trusted-bgp-peers
set term bgp-in from protocol tcp
set term bgp-in from port bgp
set term bgp-in then policer limit-150k
set term bgp-in then count bgp-in
set term bgp-in then accept
d. Create a term that accepts traffic from trusted PIM neighbors.
[edit]
edit firewall family inet filter RE-PROTECT
set term pim from source-prefix-list trusted-networks
set term pim from protocol pim
set term pim then policer limit-150k
set term pim then count pim
set term pim then accept
e. Create a term that accepts OSPF traffic from trusted OSPF neighbors.
[edit]
edit firewall family inet filter RE-PROTECT
set term ospf-in from source-prefix-list trusted-networks
set term ospf-in from protocol ospf
set term ospf-in then policer limit-150k
set term ospf-in then count ospf-in
set term ospf-in then accept
f.
[edit]
edit firewall family inet filter RE-PROTECT
set term snmp-in from source-prefix-list NMS
set term snmp-in from protocol udp
set term snmp-in from port snmp
set term snmp-in then policer limit-150k
set term snmp-in then count snmp-in
set term snmp-in then accept
h. Create a term for ICMP traffic, which includes IPv4 error messages.
[edit]
edit firewall family inet filter RE-PROTECT
set term icmp-in from source-prefix-list trusted-networks
set term icmp-in from protocol icmp
set term icmp-in then policer limit-150k
set term icmp-in then count icmp-in
set term icmp-in then accept
i.
j. Create a term that controls SSH, FTP, and Telnet access to the router. FTP and
Telnet carry credentials in cleartext; if they are not required, leave their ports out of
this term (and disable the services) so that only SSH reaches the Routing Engine.
[edit]
edit firewall family inet filter RE-PROTECT
set term access-in from source-prefix-list NMS
set term access-in from protocol tcp
set term access-in from port ssh
set term access-in from port ftp
set term access-in from port ftp-data
set term access-in from port telnet
set term access-in then count access-in
set term access-in then accept
k. Create a term that accepts TACACS+ traffic (TCP port 49) from trusted network
management systems.
[edit]
edit firewall family inet filter RE-PROTECT
set term remote-auth-tcp from source-prefix-list NMS
set term remote-auth-tcp from protocol tcp
set term remote-auth-tcp from port tacacs
l. Create a term that accepts RADIUS authentication and accounting traffic (UDP) from
trusted network management systems.
[edit]
edit firewall family inet filter RE-PROTECT
set term remote-auth-udp from source-prefix-list NMS
set term remote-auth-udp from protocol udp
set term remote-auth-udp from port radius
set term remote-auth-udp from port radacct
set term remote-auth-udp then count radius
set term remote-auth-udp then accept
m. Create a term that accepts UDP traffic from trusted networks when it is sourced from
an ephemeral port (1024-65535).
[edit]
edit firewall family inet filter RE-PROTECT
set term udp-services from source-prefix-list trusted-networks
set term udp-services from protocol udp
set term udp-services from source-port 1024-65535
set term udp-services then policer limit-150k
set term udp-services then count udp-in
set term udp-services then accept
n. Create a term for incoming traffic with a source and destination loopback address.
[edit]
edit firewall family inet filter RE-PROTECT
set term loopback-in from source-address 127.0.0.1/32
set term loopback-in from destination-address 127.0.0.1/32
set term loopback-in then count loopback-in
set term loopback-in then accept
o. Configure a term that prevents small packet attacks.
[edit]
edit firewall family inet filter RE-PROTECT
set term small-packets from packet-length 0-24
set term small-packets then count small-packet-attack
set term small-packets then log
set term small-packets then discard
p. Configure a term that prevents fragment attacks.
[edit]
edit firewall family inet filter RE-PROTECT
set term fragment-packets from fragment-offset-except 0
set term fragment-packets from protocol icmp
set term fragment-packets from protocol igmp
set term fragment-packets from protocol pim
set term fragment-packets from protocol tcp
set term fragment-packets then count frag-attack
set term fragment-packets then log
set term fragment-packets then discard
q. Configure a term that explicitly discards all other traffic.
[edit]
edit firewall family inet filter RE-PROTECT
set term deny-all then count illegal-traffic-in
set term deny-all then log
set term deny-all then discard
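To see how this filter actually behaves, the following Python model (an added example, not configuration or code from the guide) walks the RE-PROTECT terms in the order configured above with Junos first-match semantics and reports which term a packet hits. The prefix lists, term order and match conditions are taken from the page; the packets it is fed are constructed, and the policer is not modelled because it only rate-limits and does not change which term matches. Two things it makes visible: the small-packet and fragment terms only catch traffic that no earlier accept term claimed, so a 20-byte SSH segment from an NMS address is accepted by access-in, and UDP replies from low source ports (a DNS answer from port 53, for instance) fall through to deny-all because udp-services only matches source ports 1024-65535.

```python
"""First-match model of the RE-PROTECT filter (added example, not Junos code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Prefix lists exactly as configured under [edit policy-options] on the page.
PREFIX_LISTS = {
    "trusted-bgp-peers": ("3.3.0.0/24", "172.16.3.0/24"),
    "trusted-networks": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "NMS": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "IPsec-Servers": ("192.0.2.0/24",),
}
# Port names Junos accepts in 'from port', with their IANA values.
PORTS = {"bgp": 179, "ssh": 22, "ftp": 21, "ftp-data": 20, "telnet": 23,
         "snmp": 161, "tacacs": 49, "radius": 1812, "radacct": 1813}

@dataclass
class Packet:
    src: str
    proto: str                  # tcp, udp, icmp, ospf, pim, igmp
    sport: int = 0
    dport: int = 0
    dst: str = "172.16.3.253"   # lo0.0 of Branch Router 2 (from the page)
    length: int = 64
    frag_offset: int = 0

@dataclass
class Term:
    name: str
    action: str                         # accept or discard
    src_lists: tuple = ()               # any listed prefix list may match
    protos: tuple = ()                  # several 'from protocol' values are ORed
    ports: tuple = ()                   # 'from port' matches source OR destination
    sport_min: Optional[int] = None     # 'from source-port 1024-65535'
    src_addr: Optional[str] = None
    dst_addr: Optional[str] = None
    max_length: Optional[int] = None    # 'from packet-length 0-24'
    frag_except_zero: bool = False      # 'from fragment-offset-except 0'

    def matches(self, p: Packet) -> bool:
        ip = ipaddress.ip_address(p.src)
        if self.src_lists and not any(ip in ipaddress.ip_network(n)
                                      for l in self.src_lists for n in PREFIX_LISTS[l]):
            return False
        if self.protos and p.proto not in self.protos:
            return False
        if self.ports and not ({p.sport, p.dport} & {PORTS.get(x, x) for x in self.ports}):
            return False
        if self.sport_min is not None and p.sport < self.sport_min:
            return False
        if self.src_addr and p.src != self.src_addr:
            return False
        if self.dst_addr and p.dst != self.dst_addr:
            return False
        if self.max_length is not None and p.length > self.max_length:
            return False
        if self.frag_except_zero and p.frag_offset == 0:
            return False
        return True

# Terms in the order the page configures them; the order is what gives the filter its meaning.
RE_PROTECT = [
    Term("IPsec", "accept", ("IPsec-Servers",), ("udp",), (500, 4500)),
    Term("bgp-in", "accept", ("trusted-bgp-peers",), ("tcp",), ("bgp",)),
    Term("pim", "accept", ("trusted-networks",), ("pim",)),
    Term("ospf-in", "accept", ("trusted-networks",), ("ospf",)),
    Term("snmp-in", "accept", ("NMS",), ("udp",), ("snmp",)),
    Term("icmp-in", "accept", ("trusted-networks",), ("icmp",)),
    Term("access-in", "accept", ("NMS",), ("tcp",), ("ssh", "ftp", "ftp-data", "telnet")),
    Term("remote-auth-tcp", "accept", ("NMS",), ("tcp",), ("tacacs",)),
    Term("remote-auth-udp", "accept", ("NMS",), ("udp",), ("radius", "radacct")),
    Term("udp-services", "accept", ("trusted-networks",), ("udp",), sport_min=1024),
    Term("loopback-in", "accept", src_addr="127.0.0.1", dst_addr="127.0.0.1"),
    Term("small-packets", "discard", max_length=24),
    Term("fragment-packets", "discard", protos=("icmp", "igmp", "pim", "tcp"), frag_except_zero=True),
    Term("deny-all", "discard"),
]

def evaluate(p: Packet) -> Tuple[str, str]:
    """Return (term name, action) of the first matching term, as the PFE would."""
    for t in RE_PROTECT:
        if t.matches(p):
            return t.name, t.action
    raise AssertionError("deny-all has no match conditions and always matches")

if __name__ == "__main__":
    # Constructed sample packets: addresses outside the page's ranges are RFC 5737 test nets.
    for pkt in (Packet("192.0.2.6", "udp", 500, 500),            # IKE from the hub
                Packet("203.0.113.9", "tcp", 40000, 179),        # BGP SYN from the Internet
                Packet("10.1.1.5", "tcp", 50000, 22, length=20), # runt SSH from an NMS address
                Packet("10.0.0.53", "udp", 53, 40000)):          # DNS reply to the RE
        print(pkt.src, pkt.proto, pkt.sport, pkt.dport, "->", evaluate(pkt))
```

The DNS case is worth checking against your own design: replies to Routing Engine-initiated UDP requests arrive with a low source port and are dropped by this filter as written; if the router resolves names or uses services with well-known source ports, those need a term of their own.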
4.
5.
Results
Results
Verify that the physical transport to the Internet service provider is up:
user@branch2> show interfaces ge-0/0/1 terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     3.3.0.2/30
                                   multiservice
Configure the virtual routing instance for Internet traffic. Because the Internet-facing
interfaces live in their own virtual-router instance, traffic arriving from the Internet has
no route to the branch LAN except through the IPsec-protected tunnels, and the internal
branch routing tables are not exposed to the Internet. The instance also holds the EBGP
peer group between the branch and Service Provider B.
1.
Unit 0 is used in the default routing instance, and is used with the branch LANs.
Unit 1 is used in the VPN termination routing instance, and is used for the
connections to the aggregation hub.
[edit]
edit interfaces lo0
set unit 0 description "--- Default Routing instance ---"
set unit 0 family inet address 172.16.3.253/32
set unit 1 description "--- VPN Routing instance ---"
set unit 1 family inet address 172.16.3.254/32
set unit 1 family inet6 address 2001:DB8:3::254/128
2. Configure the routing instance and add the Internet-facing interfaces: the Ethernet
interface to the Internet service provider, unit 0 of the loopback interface, and the
IPsec service interfaces.
[edit]
edit routing-instances VPN
set instance-type virtual-router
set interface ge-0/0/1.0
set interface sp-0/1/0.1
set interface sp-0/1/0.2
set interface lo0.0
4.
Add a static route to the loopback address of the VPN termination router on
Aggregation Hub 2. This route is used to establish GRE tunnels.
[edit]
edit routing-instances VPN
set routing-options static route 172.31.255.231/32 next-hop sp-0/1/0.1
5.
6.
7.
Results
1.
Verify that the Internet service provider gateway is reachable from the VPN routing
instance.
user@branch2> ping 3.3.0.1 routing-instance VPN count 5
PING 3.3.0.1 (3.3.0.1): 56 data bytes
64 bytes from 3.3.0.1: icmp_seq=0 ttl=64 time=0.845 ms
64 bytes from 3.3.0.1: icmp_seq=1 ttl=64 time=1.597 ms
64 bytes from 3.3.0.1: icmp_seq=2 ttl=64 time=0.707 ms
64 bytes from 3.3.0.1: icmp_seq=3 ttl=64 time=0.833 ms
64 bytes from 3.3.0.1: icmp_seq=4 ttl=64 time=0.720 ms
--- 3.3.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.707/0.940/1.597/0.333 ms
2. Verify the routes that are learned from the aggregation hub by displaying the inet.0
3.3.0.0/30
3.3.0.2/32
172.16.3.253/32
172.31.255.231/32
1.
2.
[edit]
edit policy-options policy-statement ACCEPT_DEFAULT
set term 1 from route-filter 0.0.0.0/0 exact
set term 1 then accept
set term default then reject
[edit]
edit policy-options policy-statement ACCEPT_DEFAULT-V6
set term 1 from family inet6
set term 1 from route-filter ::/0 exact
set term 1 then accept
set term default then reject
b. Configure policies that are used to control IPv4 and IPv6 routes that are
[edit]
edit policy-options policy-statement BRANCH-PREFIX6
set term block-default from family inet6
set term block-default from route-filter ::/0 exact
set term block-default then reject
set term branch from family inet6
set term branch from protocol ospf3
set term branch from protocol direct
set term branch then accept
set term default then reject
3. Configure the IBGP peer groups to the remote end of the GRE tunnel.
The ACCEPT_DEFAULT import policies accept only the default route from the
hub, which prevents routes from other branches from being distributed to the
branch.
The BRANCH-PREFIX export policies control what the branch advertises to the
hub. They prevent a default route learned from another protocol from being
advertised back to the hub, and they cause the loopback address of the branch
router to be advertised to the hub as the next hop.
[edit]
edit protocols bgp group IBGPoGRE-H2
set type internal
set import ACCEPT_DEFAULT
set family inet unicast
set export BRANCH-PREFIX
set neighbor 172.16.3.5 authentication-key "$9$pKaKOIhev8dbYDi9tuOEhVbs"
[edit]
edit protocols bgp group IBGPoGRE-H2-V6
set type internal
set import ACCEPT_DEFAULT-V6
set family inet6 unicast
set export BRANCH-PREFIX-V6
set neighbor 2001:DB8:3:4::1 authentication-key "$9$DNH.f36CBIhWLJUjHPf1IE"
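The following Python model (an added example, not configuration or code from the guide) applies the ACCEPT_DEFAULT import policy and the BRANCH-PREFIX6 export policy shown above and then selects the active default route by local preference, using the values the guide assigns (200 for the path through Aggregation Hub 1, 100 for the path through Aggregation Hub 2). The peer labels hub1 and hub2, the leaked prefix 172.16.2.0/24 and the branch LAN prefixes are constructed for the example. It reproduces the situation visible in the show bgp summary output, where the default from Hub 2 is received and accepted but not active (inet.0: 0/1/1/0) until the Hub 1 session is lost.

```python
"""Import/export policy and default-route failover model (added example, not Junos code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT = {"inet": "0.0.0.0/0", "inet6": "::/0"}

@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str           # bgp, ospf3, direct, static, ...
    family: str = "inet"    # inet or inet6
    local_pref: int = 100   # Junos default when the UPDATE carries no LOCAL_PREF

def accept_default(r: Route) -> bool:
    """ACCEPT_DEFAULT / ACCEPT_DEFAULT-V6: term 1 matches the default route 'exact',
    the default term rejects everything else (so other branches' prefixes never arrive)."""
    return r.prefix == DEFAULT[r.family]

def branch_prefix6(r: Route) -> bool:
    """BRANCH-PREFIX6 as configured: block-default rejects ::/0, branch accepts
    ospf3 and direct routes, the default term rejects the rest."""
    if r.family != "inet6" or r.prefix == "::/0":
        return False
    return r.protocol in ("ospf3", "direct")

class BranchRib:
    """Per-peer Adj-RIB-In after import policy, plus best-path selection."""

    def __init__(self) -> None:
        self.received: Dict[str, List[Route]] = {}

    def update(self, peer: str, routes: List[Route], local_pref: int) -> List[Route]:
        """Apply the import policy to a peer's UPDATE and keep what survives."""
        kept = [Route(r.prefix, "bgp", r.family, local_pref)
                for r in routes if accept_default(r)]
        self.received[peer] = kept
        return kept

    def withdraw(self, peer: str) -> None:
        """Session loss (BFD or hold timer expiry): drop everything from that peer."""
        self.received.pop(peer, None)

    def best(self, family: str) -> Optional[str]:
        """Peer whose default is active: highest local preference wins.
        Simplification: ties are broken by peer name, not by the full Junos tie-break list."""
        paths = [(r.local_pref, peer) for peer, rs in self.received.items()
                 for r in rs if r.family == family]
        return max(paths)[1] if paths else None

def export_to_hub(local_routes: List[Route]) -> List[str]:
    """Prefixes the branch advertises over IBGPoGRE-H2-V6 after BRANCH-PREFIX6."""
    return [r.prefix for r in local_routes if branch_prefix6(r)]

def failover_demo() -> List[Optional[str]]:
    """Hub 1 (local-pref 200) is active while up; Hub 2 (100) takes over when Hub 1 is withdrawn."""
    rib = BranchRib()
    # hub1 also 'leaks' another branch's prefix (constructed); the import policy drops it.
    rib.update("hub1", [Route("0.0.0.0/0", "bgp"), Route("172.16.2.0/24", "bgp")], 200)
    rib.update("hub2", [Route("0.0.0.0/0", "bgp")], 100)
    before = rib.best("inet")
    rib.withdraw("hub1")
    after = rib.best("inet")
    rib.withdraw("hub2")
    return [before, after, rib.best("inet")]

if __name__ == "__main__":
    print("active default via:", failover_demo())
    lan = [Route("::/0", "bgp", "inet6"),
           Route("2001:DB8:3:52::/64", "direct", "inet6"),
           Route("2001:DB8:3:42::/64", "ospf3", "inet6")]
    print("advertised to hub:", export_to_hub(lan))
```

The leaked 172.16.2.0/24 never enters the branch table, which is the point of the import policy: a compromised or misconfigured hub cannot give a branch a path into another branch except by way of the default route.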
4.
Results
1.
Verify BGP peering to the Internet service provider gateway (3.3.0.1) and to the remote
GRE tunnel endpoint (172.16.3.5).
user@branch2> show bgp summary
Groups: 3 Peers: 3 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    Pending
inet6.0                1          0          0          0
inet.0                 1          0          0          0
Peer                  AS      InPkt     OutPkt  Last Up/Dwn State|#Active/Received/Accepted/Damped...
3.3.0.1               69        978        977      4:00:43 Establ
  VPN.inet.0: 1/1/1/0
172.16.3.5         65530        891       1080      4:00:35 Establ
  inet.0: 0/1/1/0
2001:DB8:3:4::1    65530        917       1112      3:56:31 Establ
  inet6.0: 0/1/1/0
2. Verify that default routes to the Layer 3 VPN transport have a higher preference than
IPsec is used to secure the GRE tunnels between the branch and the aggregation hub.
The WAN transport security configuration consists of an Internet Key Exchange (IKE)
configuration for IPsec phase 1 negotiation and an IPsec configuration for phase 2
negotiation.
1.
For IKE phase 1 negotiation, configure an Internet Key Exchange (IKE) proposal and
policy and define the IPsec peer (gateway) at the remote end of the tunnel with
which IKE is negotiated.
a. Configure an IKE proposal that matches the proposal configured on the VPN
[edit]
edit services ipsec-vpn ike policy ike-phase1-policy
set mode main
set proposals ike-phase1-proposal
For IPsec phase 2 negotiation, configure an IPsec proposal and policy and then
configure an IPsec VPN to the aggregation hubs.
a. Configure the IPsec proposal, which lists protocols and algorithms (security
services) to be negotiated with the remote IPsec peer at the aggregation hub.
[edit]
edit services ipsec-vpn ipsec proposal dynamic_ipsec_proposal
set protocol esp
set authentication-algorithm sha-256
set encryption-algorithm aes-256-cbc
b. Create an IPsec policy that defines security parameters (IPsec proposals) used
The destination address is the address of the GRE tunnel interface at the
aggregation hub.
The remote gateway is the address of the logical tunnel interface (lt-5/1/0.53) in the
VPN routing instance at Aggregation Hub 2.
The source and destination addresses must match the proxy identity values set in
the IPsec_Clients_Group1 IKE access profile configured on the VPN termination
router at the aggregation hub.
[edit]
edit services ipsec-vpn rule To_ hub_2
set term 1 from source-address 172.16.3.253/32
set term 1 from destination-address 172.31.255.231/32
set term 1 then remote-gateway 191.15.200.6
set term 1 then dynamic ike-policy ike-phase1-policy
set term 1 then dynamic ipsec-policy dynamic_ipsec_policy
set match-direction input
3.
The inside and outside IPsec interfaces must match the inside and outside service
domain configuration at the [edit interfaces sp-0/1/0] hierarchy.
The local gateway is the Ethernet interface to the Internet service provider.
5.
Results
1.
PING 192.0.2.6 (192.0.2.6): 56 data bytes
64 bytes from 192.0.2.6: icmp_seq=0 ttl=60 time=0.947 ms
64 bytes from 192.0.2.6: icmp_seq=1 ttl=60 time=0.887 ms
64 bytes from 192.0.2.6: icmp_seq=2 ttl=60 time=0.898 ms
64 bytes from 192.0.2.6: icmp_seq=3 ttl=60 time=0.909 ms
64 bytes from 192.0.2.6: icmp_seq=4 ttl=60 time=0.912 ms
--- 192.0.2.6 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.887/0.911/0.947/0.020 ms
2. Verify IKE security associations for Aggregation Hub 2 (192.0.2.6).
user@branch2> show services ipsec-vpn ike security-associations
Remote Address  State    Initiator cookie  Responder cookie  Exchange type
192.0.2.6       Matured  7ffbae9a3390cf44  1bde5696e787e293  Main

user@branch2> show services ipsec-vpn ike security-associations detail
IKE peer 192.0.2.6
  Role: Initiator, State: Not matured
  Initiator cookie: 3899eb82a73f87ab, Responder cookie: 0000000000000000
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 3.3.0.2, Remote: 192.0.2.6
  Algorithms:
    Authentication         :
    Encryption             :
    Pseudo random function :
  Traffic statistics:
    Input bytes   :        0
    Output bytes  :      784
    Input packets :        0
    Output packets:        4
  Flags: Waiting for done
  IPsec security associations: 0 created, 0 deleted
3. Verify IPsec security associations for Aggregation Hub 2 (192.0.2.6).
user@branch2> show services ipsec-vpn ipsec security-associations To_HUB2
  Service set: To_HUB2, IKE Routing-instance: VPN

  Rule: To_ hub_2, Term: 1, Tunnel index: 1
  Local gateway: 3.3.0.2, Remote gateway: 191.15.200.6
  IPsec inside interface: sp-0/1/0.1, Tunnel MTU: 1500
    Direction  SPI         AUX-SPI  Mode    Type     Protocol
    inbound    3403657556  0        tunnel  dynamic  ESP
    outbound   1814204950  0        tunnel  dynamic  ESP
Specify the outer GRE tunnel source and destination addresses that are used to form
the tunnel. These are the local and remote addresses of the loopback interfaces.
Specify the destination routing instance that points to the routing table that contains
the tunnel destination address.
Specify the inner IPv4 and IPv6 GRE addresses that are used after the tunnel is formed.
1.
Results
1.
Proto   Local                       Remote
inet    172.16.3.6/30
inet6   fe80::2a0:a514:72:5a85/64
        2001:DB8:3:4::2/64
3. Verify that traffic is flowing from the GRE tunnels to the aggregation hub, and verify
4. Now that you have verified that the GRE tunnels are up, you can verify that the IPsec
There are three interfaces to the branch LAN: one for data, one for video, and one for
voice.
1.
2.
3.
[edit]
edit interfaces ge-0/0/0 unit 52
set description "--- VIDEO VLAN 52 ---"
set vlan-id 52
set family inet address 172.16.3.18/29
set family inet6 address 2001:DB8:3:52::2/64
4.
5.
Results
1.
Create an IPv4 area for the branch, and add the branch LAN interfaces to the area.
[edit]
edit protocols ospf area 0.0.0.1
set interface ge-0/0/0.42 metric 100
set interface ge-0/0/0.52 metric 100
set interface ge-0/0/0.62 metric 100
2.
Create an IPv6 area for the branch, and add the branch LAN interfaces to the area.
[edit]
edit protocols ospf3 area 0.0.0.1
set interface ge-0/0/0.42 metric 100
set interface ge-0/0/0.52 metric 100
set interface ge-0/0/0.62 metric 100
3.
commit
Results
user@branch2> show ospf neighbor
State   ID              Pri   Dead
Full    172.16.3.255    128     33
Full    172.16.3.255    128     34
Full    172.16.3.255    128     38

user@branch2> show ospf3 neighbor
State   ID              Pri   Dead
Full    172.16.3.255    128     38
Full    172.16.3.255    128     36
Full    172.16.3.255    128     31
Results
1.
Interface        Admin Link Proto   Local                          Remote
ge-0/0/2.1       up    up   inet    172.16.3.33/30
                            inet6   fe80::5e5e:ab00:1fe:e802/64
                                    2001:DB8:3:2::1/64
                            multiservice
ge-0/0/2.2       up    up   inet    172.16.3.37/30
                            inet6   fe80::5e5e:ab00:2fe:e802/64
                                    2001:DB8:3:22::1/64
                            multiservice
ge-0/0/2.32767   up    up   multiservice
We are using an OSPF backbone area between the two branch routers, and the default
routes learned through BGP are exported into OSPF. This is required for the failover
case in which the link between Branch router 1 and the Layer 3 VPN service provider
goes down: traffic is rerouted to Branch router 2 and from there to Aggregation Hub 2,
and Branch router 1 learns the default route it needs from Branch router 2 through OSPF.
1.
Configure IPv4 and IPv6 routing policies that are used to export default BGP routes
into OSPF. Set the external metric type for routes exported by OSPF to 1.
When OSPF exports routes from external ASs, it includes a cost, or external metric,
in the route. The metric type determines how OSPF calculates the cost of the route.
Type 1 external metrics are equivalent to the link-state metric, where the cost is
equal to the sum of the internal costs plus the external cost. This means that Type
1 external metrics include the external cost to the destination as well as the cost
(metric) to reach the AS boundary router.
[edit]
edit policy-options policy-statement BGP2OSPF
set term 1 from protocol bgp
set term 1 from route-filter 0.0.0.0/0 exact
set term 1 then metric 10
set term 1 then external type 1
set term 1 then accept
[edit]
edit policy-options policy-statement BGP2OSPF-V6
set term 1 from family inet6
set term 1 from protocol bgp
set term 1 from route-filter ::/0 exact
set term 1 then metric 10
set term 1 then external type 1
set term 1 then accept
2.
a. Apply the IPv4 policy as an export policy for OSPF. This causes OSPF to advertise
the IPv4 default route learned through BGP.
[edit]
edit protocols ospf
set export BGP2OSPF
b. Create a backbone area. The OSPF backbone area contains the point-to-point
interface and the loopback interface between Branch router 1 and Branch router
2.
[edit]
edit protocols ospf area 0.0.0.0
set interface lo0.0
set interface ge-0/0/2.1 interface-type p2p
c. Add unit 2 of the Ethernet interface that connects to the other branch router to
area 0.0.0.1.
[edit]
edit protocols ospf area 0.0.0.1
set interface ge-0/0/2.2 interface-type p2p
3. Apply the IPv6 policy as an export policy for OSPFv3. This causes OSPFv3 to
advertise the IPv6 default route learned through BGP.
[edit]
edit protocols ospf3
set export BGP2OSPF-V6
4.
Create a backbone area. The OSPF backbone area contains the point-to-point
interface and the loopback interface between Branch router 1 and Branch router 2.
[edit]
edit protocols ospf3 area 0.0.0.0
set interface lo0.0
set interface ge-0/0/2.1 interface-type p2p
5. Add unit 2 of the Ethernet interface that connects to the other branch router to
area 0.0.0.1.
[edit]
edit protocols ospf3 area 0.0.0.1
set interface ge-0/0/2.2 interface-type p2p
6.
Results
user@branch2> show ospf neighbor
State   ID              Pri   Dead
Full    172.16.3.255    128     32
Full    172.16.3.255    128     34
Full    172.16.3.255    128     33
Full    172.16.3.255    128     35
Full    172.16.3.255

user@branch2> show ospf3 neighbor
State   ID              Pri   Dead
Full    172.16.3.255    128     36
Full    172.16.3.255    128     36
Full    172.16.3.255    128     36
Full    172.16.3.255    128     39
Full    172.16.3.255    128     39
Step-by-Step
Procedure
There are two levels of high availability that you can use over your private WAN overlay:
Dead peer detection for IPsec tunnels to monitor the tunnel state and remote peer
availability.
BFD with IBGP for GRE tunnels to detect failures over the GRE tunnels.
1.
2. In the IBGP peer group to the remote end of the GRE tunnel at the aggregation hub,
add the following statements:
We are using BFD with BGP to detect link failures over the GRE tunnels.
Set the minimum transmit and receive interval for failure detection. This is the minimum
interval at which the local routing device transmits BFD hello packets and the minimum
interval at which it expects to receive hellos from the neighbor with which it has
established a BFD session.
Set the detection multiplier, which is the number of consecutive hello packets that can
be missed before the neighbor is declared down. With a 500 ms interval and a multiplier
of 3, a failed GRE tunnel is detected within 1.5 seconds, as the Detect Time column in
the verification output confirms.
[edit]
edit protocols bgp group IBGPoGRE-H2
set neighbor 172.16.3.5 bfd-liveness-detection minimum-interval 500
set neighbor 172.16.3.5 bfd-liveness-detection multiplier 3
3.
Results
user@branch2> show bfd session
                                      Detect   Transmit
State     Interface                   Time     Interval  Multiplier
Up        gr-0/0/0.1                  1.500    0.500     3
Up        gr-0/0/0.2                  1.500    0.500     3

2 sessions, 2 clients
Cumulative transmit rate 4.0 pps, cumulative receive rate 4.0 pps
Set the router's priority for being elected master of the VRRP group. A larger value
means a higher priority; the router with the highest priority in the group becomes
master.
Enable the master router to accept all packets destined for the virtual IP address.
On the data interface, set the priority cost, which is the amount by which the router's
priority is reduced when a tracked condition fails, so that the other router can take
over as master.
1.
Configure a VRRP group for IPv4 and IPv6 for the data interface to the branch LAN.
[edit]
edit interfaces ge-0/0/0 unit 42 family inet address 172.16.3.10/29
set vrrp-group 10 virtual-address 172.16.3.9
set vrrp-group 10 priority 100
set vrrp-group 10 preempt
set vrrp-group 10 accept-data
set vrrp-group 10 priority-cost 20
[edit]
edit interfaces ge-0/0/0 unit 42 family inet6 address 2001:DB8:3:42::2/64
set vrrp-inet6-group 10 virtual-inet6-address 2001:DB8:3:42::1
set vrrp-inet6-group 10 priority 100
set vrrp-inet6-group 10 preempt
set vrrp-inet6-group 10 accept-data
2.
Configure a VRRP group for IPv4 and IPv6 for the video interface to the branch LAN.
[edit]
edit interfaces ge-0/0/0 unit 52 family inet address 172.16.3.18/29
set vrrp-group 20 virtual-address 172.16.3.17
set vrrp-group 20 priority 100
set vrrp-group 20 preempt
set vrrp-group 20 accept-data
[edit]
edit interfaces ge-0/0/0 unit 52 family inet6 address 2001:DB8:3:52::2/64
set vrrp-inet6-group 20 virtual-inet6-address 2001:DB8:3:52::1
set vrrp-inet6-group 20 priority 100
set vrrp-inet6-group 20 preempt
set vrrp-inet6-group 20 accept-data
3.
Configure a VRRP group for IPv4 and IPv6 for the voice interface to the branch LAN.
[edit]
edit interfaces ge-0/0/0 unit 62 family inet address 172.16.3.26/29
set vrrp-group 30 virtual-address 172.16.3.25
set vrrp-group 30 priority 100
set vrrp-group 30 preempt
set vrrp-group 30 accept-data
[edit]
Results
user@branch2> show vrrp
Interface     State  Group  VR state  VR Mode  Timer     Type   Address
ge-0/0/0.42   up        10  backup    Active   D  3.409  lcl    172.16.3.10
                                                         vip    172.16.3.9
                                                         mas    172.16.3.11
ge-0/0/0.42   up        10  backup    Active   D  3.541  lcl    2001:DB8:3:42::2
                                                         vip    fe80::200:5eff:fe00:20a
                                                         vip    2001:DB8:3:42::1
                                                         mas    fe80::5e5e:ab00:2a0e:451d
ge-0/0/0.52   up        20  backup    Active   D  3.244  lcl    172.16.3.18
                                                         vip    172.16.3.17
                                                         mas    172.16.3.19
ge-0/0/0.52   up        20  backup    Active   D  3.239  lcl    2001:DB8:3:52::2
                                                         vip    fe80::200:5eff:fe00:214
                                                         vip    2001:DB8:3:52::1
                                                         mas    fe80::5e5e:ab00:340e:451d
ge-0/0/0.62   up        30  backup    Active   D  3.223  lcl    172.16.3.26
                                                         vip    172.16.3.25
                                                         mas    172.16.3.27
ge-0/0/0.62   up        30  backup    Active   D  3.191  lcl    2001:DB8:3:62::2
                                                         vip    fe80::200:5eff:fe00:21e
                                                         vip    2001:DB8:3:62::1
                                                         mas    fe80::5e5e:ab00:3e0e:451d
1.
Configure classifiers.
a. Configure DSCP behavior aggregate (BA) classifiers for IPv4.
[edit]
edit class-of-service classifiers dscp DSCP-BA
set forwarding-class Best_Effort loss-priority medium-high code-points be
set forwarding-class Video loss-priority low code-points af41
set forwarding-class Video loss-priority low code-points af42
set forwarding-class Voice loss-priority low code-points ef
set forwarding-class Network_Control loss-priority low code-points cs7
set forwarding-class Network_Control loss-priority low code-points cs6
set forwarding-class Scavenger loss-priority high code-points cs1
set forwarding-class Bulk_Data loss-priority medium-high code-points af11
set forwarding-class Bulk_Data loss-priority medium-high code-points af12
set forwarding-class Critical_Data loss-priority medium-low code-points af21
set forwarding-class Critical_Data loss-priority medium-low code-points af22
b. Configure DSCP BA classifiers for IPv6.
[edit]
edit class-of-service classifiers dscp-ipv6 DSCP-BA
set forwarding-class Best_Effort loss-priority high code-points be
set forwarding-class Video loss-priority low code-points af41
set forwarding-class Video loss-priority low code-points af42
set forwarding-class Voice loss-priority low code-points ef
set forwarding-class Network_Control loss-priority low code-points cs6
set forwarding-class Network_Control loss-priority low code-points cs7
set forwarding-class Scavenger loss-priority low code-points cs1
set forwarding-class Bulk_Data loss-priority high code-points af11
set forwarding-class Bulk_Data loss-priority high code-points af12
set forwarding-class Critical_Data loss-priority low code-points af21
set forwarding-class Critical_Data loss-priority low code-points af22
c. Assign the forwarding classes to transmission queues.
[edit]
edit class-of-service forwarding-classes
set queue 0 Best_Effort
set queue 1 Scavenger
set queue 2 Bulk_Data
set queue 3 Critical_Data
set queue 4 Video
set queue 5 Voice
set queue 6 Network_Control
2.
[edit]
edit class-of-service rewrite-rules dscp Rewrite_CORE_TRAFFIC
set forwarding-class Best_Effort loss-priority medium-high code-point be
set forwarding-class Bulk_Data loss-priority medium-high code-point af11
set forwarding-class Scavenger loss-priority high code-point cs1
[edit]
edit class-of-service rewrite-rules dscp-ipv6 Rewrite_CORE_TRAFFIC
set forwarding-class Best_Effort loss-priority medium-high code-point be
set forwarding-class Bulk_Data loss-priority medium-high code-point af11
set forwarding-class Scavenger loss-priority high code-point cs1
set forwarding-class Critical_Data loss-priority medium-low code-point af21
set forwarding-class Video loss-priority low code-point af41
set forwarding-class Voice loss-priority low code-point ef
set forwarding-class Network_Control loss-priority low code-point cs7
3.
a. Create a scheduler for the Best_Effort forwarding class.
[edit]
edit class-of-service schedulers SCH_Best_Effort
set transmit-rate remainder
set buffer-size remainder
set priority medium-low
b. Create a scheduler for the Scavenger forwarding class.
[edit]
edit class-of-service schedulers SCH_Scavenger
set transmit-rate percent 3
set buffer-size percent 10
set priority low
c. Create a scheduler for the Bulk_Data forwarding class.
[edit]
edit class-of-service schedulers SCH_Bulk_Data
set transmit-rate percent 20
set buffer-size percent 15
set priority medium-high
d. Create a scheduler for the Critical_Data forwarding class.
[edit]
edit class-of-service schedulers SCH_Critical_Data
set transmit-rate percent 15
set buffer-size percent 15
set priority high
e. Create a scheduler for the Video forwarding class.
[edit]
edit class-of-service schedulers SCH_Video
set transmit-rate percent 20
set buffer-size percent 10
set priority high
f. Create a scheduler for the Network_Control forwarding class.
[edit]
edit class-of-service schedulers SCH_Network_Control
set transmit-rate percent 5
set buffer-size percent 3
set priority high
4.
5.
6.
7.
8.
9. Modify the queue assignment and DSCP code point for network control (host) traffic that is generated by the Routing Engine and sent to the Packet Forwarding Engine. This configuration does not affect transit traffic.
[edit]
edit class-of-service host-outbound-traffic
set forwarding-class Network_Control
set dscp-code-point cs6
10. This step adds all the functionality of tunnel PICs to GRE tunnels. CoS for GRE tunnel traffic is applied as the traffic is looped through IQ2 and IQ2E PICs. Shaping is performed on full packets that pass through the GRE tunnel.
a. Include the tunnel-only statement to specify that the PIC works exclusively in tunnel mode.
[edit]
edit chassis
set fpc 0 pic 3 tunnel-services tunnel-only
b. Enable hierarchical scheduling on the GRE tunnel interfaces.
[edit]
set interfaces gr-1/2/0 hierarchical-scheduler
c. Specify that the ToS byte is to be copied from the inner IP header to the outer
Results
1.
  Description: --- To Public ISP link (jbeer.PE1 ge-7/0/4) ---
Forwarding classes: 16 supported, 7 in use
Ingress queues: 8 supported, 7 in use
Queue: 0, Forwarding classes: Best_Effort
  Queued:
    Packets              :              25650641                 23252 pps
    Bytes                :           11648797616              83585856 bps
  Transmitted:
    Packets              :              25650641                 23252 pps
    Bytes                :           11648797616              83585856 bps
    Tail-dropped packets : Not Available
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 1, Forwarding classes: Scavenger
  Queued:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
  Transmitted:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
    Tail-dropped packets : Not Available
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 2, Forwarding classes: Bulk_Data
  Queued:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
  Transmitted:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
    Tail-dropped packets : Not Available
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 3, Forwarding classes: Critical_Data
  Queued:
    Packets              :                  5355                     0 pps
    Bytes                :                689238                     0 bps
  Transmitted:
    Packets              :                  5355                     0 pps
    Bytes                :                689238                     0 bps
    Tail-dropped packets : Not Available
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 4, Forwarding classes: Video
  Queued:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
  Transmitted:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
    Tail-dropped packets : Not Available
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 5, Forwarding classes: Voice
  Queued:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
  Transmitted:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
    Tail-dropped packets : Not Available
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 6, Forwarding classes: Network_Control
  Queued:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
  Transmitted:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
    Tail-dropped packets : Not Available
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Forwarding classes: 16 supported, 7 in use
Egress queues: 8 supported, 7 in use
Queue: 0, Forwarding classes: Best_Effort
  Queued:
    Packets              :              18905865                 12999 pps
    Bytes                :           10345213174              59533232 bps
  Transmitted:
    Packets              :              18905865                 12999 pps
    Bytes                :           10345213174              59533232 bps
    Tail-dropped packets : Not Available
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 1, Forwarding classes: Scavenger
  Queued:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
  Transmitted:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
    Tail-dropped packets : Not Available
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 2, Forwarding classes: Bulk_Data
  Queued:
    Packets              :               2116907                  2000 pps
    Bytes                :            1240507502               9371344 bps
  Transmitted:
    Packets              :               2116907                  2000 pps
    Bytes                :            1240507502               9371344 bps
    Tail-dropped packets : Not Available
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 3, Forwarding classes: Critical_Data
  Queued:
    Packets              :               3491035                  3000 pps
    Bytes                :            1558478958              10992000 bps
  Transmitted:
    Packets              :               3491035                  3000 pps
    Bytes                :            1558478958              10992000 bps
    Tail-dropped packets : Not Available
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 4, Forwarding classes: Video
  Queued:
    Packets              :               2650975                  2500 pps
    Bytes                :            1553471350              11720000 bps
  Transmitted:
    Packets              :               2650975                  2500 pps
    Bytes                :            1553471350              11720000 bps
    Tail-dropped packets : Not Available
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 5, Forwarding classes: Voice
  Queued:
    Packets              :               3969002                  3750 pps
    Bytes                :             801738602               6060000 bps
  Transmitted:
    Packets              :               3969002                  3750 pps
    Bytes                :             801738602               6060000 bps
    Tail-dropped packets : Not Available
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 6, Forwarding classes: Network_Control
  Queued:
    Packets              :               1660667                  1502 pps
    Bytes                :             534724414               3962336 bps
  Transmitted:
    Packets              :               1660667                  1502 pps
    Bytes                :             534724414               3962336 bps
    Tail-dropped packets : Not Available
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
. . .
Queue: 0, Forwarding classes: Best_Effort
  Queued:
    Packets              :                 . . .                 36250 pps
    Bytes                :                 . . .             123403968 bps
  Transmitted:
    Packets              :                 . . .                 36250 pps
    Bytes                :                 . . .             123405056 bps
    Tail-dropped packets :                 . . .                     0 pps
    RED-dropped packets  :                 . . .                     0 pps
    . . .
Queue: 1, Forwarding classes: Scavenger
  Queued:
    Packets              :                 . . .                     0 pps
    Bytes                :                 . . .                     0 bps
  Transmitted:
    Packets              :                 . . .                     0 pps
    Bytes                :                 . . .                     0 bps
    Tail-dropped packets :                 . . .                     0 pps
    RED-dropped packets  :                 . . .                     0 pps
    . . .
Queue: 2, Forwarding classes: Bulk_Data
  Queued:
    Packets              :                 . . .                  2000 pps
    Bytes                :                 . . .               9088000 bps
  Transmitted:
    Packets              :                 . . .                  2000 pps
    Bytes                :                 . . .               9088000 bps
    Tail-dropped packets :                 . . .                     0 pps
    RED-dropped packets  :                 . . .                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 3, Forwarding classes: Critical_Data
  Queued:
    Packets              :               3495349                  3000 pps
    Bytes                :            1495529988              10560000 bps
  Transmitted:
    Packets              :               3495349                  3000 pps
    Bytes                :            1495529988              10560000 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 4, Forwarding classes: Video
  Queued:
    Packets              :               2646445                  2500 pps
    Bytes                :            1503180760              11360000 bps
  Transmitted:
    Packets              :               2646445                  2500 pps
    Bytes                :            1503180760              11360000 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 5, Forwarding classes: Voice
  Queued:
    Packets              :               3962207                  3750 pps
    Bytes                :             729046088               5520000 bps
  Transmitted:
    Packets              :               3962208                  3750 pps
    Bytes                :             729046272               5520408 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 6, Forwarding classes: Network_Control
  Queued:
    Packets              :               1832908                  1514 pps
    Bytes                :             526167817               3754216 bps
  Transmitted:
    Packets              :               1832908                  1514 pps
    Bytes                :             526167817               3754216 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
1. Configure multicast.
a. Specify the static rendezvous point at Aggregation Hub 1.
[edit]
edit protocols pim
set rp static address 172.31.255.15
b. Configure multicast on the GRE tunnels, the physical interface to the Layer 3
Results
1. Verify that IGMP groups are formed with the branch LAN.
user@branch2> show igmp group
Interface: ge-0/0/0.42, Groups: 6
    Group: 224.0.0.2
        Source: 0.0.0.0
        Last reported by: 172.16.3.11
        Timeout:     207 Type: Dynamic
    Group: 224.0.0.5
        Source: 0.0.0.0
        Last reported by: 172.16.3.11
        Timeout:     212 Type: Dynamic
    Group: 224.0.0.6
        Source: 0.0.0.0
        Last reported by: 172.16.3.11
        Timeout:     212 Type: Dynamic
    Group: 224.0.0.13
        Source: 0.0.0.0
        Last reported by: 172.16.3.11
        Timeout:     209 Type: Dynamic
    Group: 224.0.0.18
        Source: 0.0.0.0
        Last reported by: 172.16.3.11
        Timeout:     211 Type: Dynamic
    Group: 224.0.0.22
        Source: 0.0.0.0
        Last reported by: 172.16.3.11
        Timeout:     212 Type: Dynamic
Interface: local, Groups: 6
    Group: 224.0.0.2
        Source: 0.0.0.0
        Last reported by: Local
        Timeout:       0 Type: Dynamic
    Group: 224.0.0.5
        Source: 0.0.0.0
        Last reported by: Local
        Timeout:       0 Type: Dynamic
    Group: 224.0.0.6
        Source: 0.0.0.0
        Last reported by: Local
        Timeout:       0 Type: Dynamic
    Group: 224.0.0.13
        Source: 0.0.0.0
        Last reported by: Local
        Timeout:       0 Type: Dynamic
    Group: 224.0.0.18
        Source: 0.0.0.0
        Last reported by: Local
        Timeout:       0 Type: Dynamic
    Group: 224.0.0.22
        Source: 0.0.0.0
        Last reported by: Local
        Timeout:       0 Type: Dynamic
2. Verify that multicast is running over the interface to Branch router 1 as the upstream neighbor. The interface to Branch router 1 is the upstream neighbor in this case because, as long as the WAN transport on Branch router 1 is up, all traffic flows on that transport.
. . .
Group: 235.3.1.15
Source: *
RP: 172.31.255.15
Flags: sparse,rptree,wildcard
Upstream interface: ge-1/2/5.0
Group: 235.3.1.15
Source: 172.31.252.10
Flags: sparse,spt
Upstream interface: ge-1/2/5.0
Instance: PIM.master Family: INET6
R = Rendezvous Point Tree, S = Sparse, W = Wildcard
3. Verify multicast on the branch LAN interfaces, the interface to Branch router 2, and
V Mode    Option       Uptime   Neighbor addr
2         HPLGT        1w6d8h   172.16.3.33
2         HPLGT        1w6d8h   172.16.3.37
2         HPLGT        1w1d9h   172.16.3.1
2         HPLGT        1w6d3h   172.16.3.10
4. Verify that groups are established with upstream interfaces to the Internet service
. . .
Group: 235.3.1.15
Source: 172.31.252.10/32
Upstream interface: ge-1/2/5.0
Downstream interface list:
ge-1/3/5.42
Session description: Unknown
Statistics: 35 kBps, 150 pps, 813632 packets
Next-hop ID: 1048575
Upstream protocol: PIM
rendezvous point. The interface to Branch router 1 is used because, as long as the WAN transport on Branch router 1 is up, all traffic flows on that transport.
user@branch> show multicast rpf 172.31.255.15
address-family INET6
Verification
Verifying End-to-End Data Traffic
Purpose
Action
1 Scavenger
2 Bulk_Data
3 Critical_Data
4 Video
5 Voice
6 Network_Control
  Active alarms  : None
  Active defects : None
  MAC statistics:                      Receive         Transmit
    Total octets                   7918134180545    8354202134062
    Total packets                    22262865924      23824615991
    Unicast packets                  19288602349      23824482277
    Broadcast packets                        798              794
    Multicast packets                 2974262776           132921
    CRC/Align errors                           1                0
    FIFO errors                                0                0
    MAC control frames                         0                0
    MAC pause frames                           0                0
    Oversized frames                           0
    Jabber frames                              0
    Fragment frames                            0
    VLAN tagged frames                         0
    Code violations                            0
    Total errors                               1                0
  Filter statistics:
    Input packet count               22262843252
    Input packet rejects                       2
    Input DA rejects                           0
    Input SA rejects                           0
    Output packet count              23824590883
    Output packet pad count                    0
    Output packet error count                  0
    CAM destination filters: 0, CAM source filters: 0
  Autonegotiation information:
    Negotiation status: Complete
    Link partner:
        Link mode: Full-duplex, Flow control: Symmetric/Asymmetric, Remote fault: OK
    Local resolution:
        Flow control: Symmetric, Remote fault: Link OK
  Packet Forwarding Engine configuration:
    Destination slot: 1
  CoS information:
    Direction : Output
    CoS transmit queue               Bandwidth               Buffer Priority   Limit
                              %            bps     %           usec
    0 Best_Effort             r              r     r              0 medium-low   none
    1 Scavenger               3        3000000    10              0 low          none
    2 Bulk_Data              20       20000000    15              0 medium-high  none
    3 Critical_Data          15       15000000    15              0 high         exact
    4 Video                  20       20000000    10              0 high         exact
    5 Voice                   5        5000000     r              0 strict-high  none
    6 Network_Control         5        5000000     3              0 high         exact
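The scheduler percentages configured in step 3 should reappear, scaled to the interface rate, in the Bandwidth column of the CoS information table above. The following Python check is an added example (not code from the Juniper guide); it assumes a 100 Mb/s rate for the table transcribed from this page, takes the Voice row from the table because that scheduler's statements are not shown, and accepts the rate as a parameter so the same check can be run against the 150 Mb/s-scaled table shown later for Branch router 2.

```python
"""Check a Junos 'CoS information' table against the configured schedulers.

Added example, not code from the Juniper guide. It recomputes the bandwidth
column that the Packet Forwarding Engine programs for a given interface rate
from the SCH_* scheduler percentages in this chapter and compares it with the
table printed by 'show interfaces <ifd> extensive'.
"""
import re
from dataclasses import dataclass

# Scheduler settings from this chapter: queue number, transmit-rate percent,
# buffer-size percent, priority ("r" = remainder). The Voice row is taken from
# the CoS table on the page because its scheduler statements are not shown.
SCHEDULERS = {
    "Best_Effort":     (0, "r", "r", "medium-low"),
    "Scavenger":       (1, "3", "10", "low"),
    "Bulk_Data":       (2, "20", "15", "medium-high"),
    "Critical_Data":   (3, "15", "15", "high"),
    "Video":           (4, "20", "10", "high"),
    "Voice":           (5, "5", "r", "strict-high"),
    "Network_Control": (6, "5", "3", "high"),
}

# A data row: queue, class, %, bps, buffer %, usec limit, priority, none/exact.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(r|\d+)\s+(r|\d+)\s+(r|\d+)\s+\d+\s+(\S+)\s+(\S+)\s*$")


@dataclass(frozen=True)
class QueueRow:
    queue: int
    pct: str        # transmit-rate percent, or "r"
    bps: str        # programmed bandwidth in bit/s, or "r"
    buf: str        # buffer-size percent, or "r"
    priority: str


def parse_cos_table(text):
    """Return {forwarding class: QueueRow} for every CoS row in text."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            queue, name, pct, bps, buf, prio, _limit = m.groups()
            rows[name] = QueueRow(int(queue), pct, bps, buf, prio)
    return rows


def expected_bps(pct, rate_bps):
    """Bandwidth the PFE programs for a transmit-rate percentage."""
    return "r" if pct == "r" else str(rate_bps * int(pct) // 100)


def check_cos_table(text, rate_bps):
    """Return a list of discrepancies; an empty list means the table matches."""
    problems = []
    rows = parse_cos_table(text)
    for name, (queue, pct, buf, prio) in SCHEDULERS.items():
        row = rows.get(name)
        if row is None:
            problems.append(f"{name}: missing from CoS table")
            continue
        wanted = {"queue": queue, "pct": pct, "bps": expected_bps(pct, rate_bps),
                  "buf": buf, "priority": prio}
        for field, want in wanted.items():
            got = getattr(row, field)
            if got != want:
                problems.append(f"{name}: {field} is {got}, expected {want}")
    # Guaranteed rates must leave room for the remainder (Best_Effort) queue.
    total = sum(int(r.pct) for r in rows.values() if r.pct != "r")
    if total > 100:
        problems.append(f"transmit-rate percentages sum to {total}%")
    return problems


# Transcribed from the 100 Mb/s CoS table shown on the page.
SAMPLE_100M = """\
CoS information:
  Direction : Output
  CoS transmit queue      Bandwidth        Buffer Priority    Limit
                          %      bps       %  usec
  0 Best_Effort           r      r         r     0 medium-low  none
  1 Scavenger             3      3000000  10     0 low         none
  2 Bulk_Data            20     20000000  15     0 medium-high none
  3 Critical_Data        15     15000000  15     0 high        exact
  4 Video                20     20000000  10     0 high        exact
  5 Voice                 5      5000000   r     0 strict-high none
  6 Network_Control       5      5000000   3     0 high        exact
"""

# Constructed: the same table with the Video queue re-programmed to 25 percent.
SAMPLE_DRIFT = "\n".join(
    "  4 Video                25     25000000  10     0 high        exact"
    if line.lstrip().startswith("4 Video") else line
    for line in SAMPLE_100M.splitlines())

if __name__ == "__main__":
    print("100M :", check_cos_table(SAMPLE_100M, 100_000_000) or "OK")
    print("150M :", check_cos_table(SAMPLE_100M, 150_000_000))
    print("drift:", check_cos_table(SAMPLE_DRIFT, 100_000_000))
```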
Verifying Reachability
Purpose
Action
Use this procedure to verify reachability and traffic paths to the loopback interface of
the data center router, the loopback interface of a router in a different branch, and an IP
address in the service provider network that is publicly routable.
1. Display the default IPv4 routing tables on each branch to verify reachability throughout the network.
user@branch1> show route table inet.0
inet.0: 197 destinations, 197 routes (197 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0
10.4.1.0/24
10.4.2.0/24
10.4.3.0/24
10.4.4.0/24
10.4.5.0/24
10.4.6.0/24
10.4.7.0/24
10.4.8.0/24
10.4.1.0/24
10.4.2.0/24
10.4.3.0/24
10.4.4.0/24
10.4.5.0/24
10.4.6.0/24
10.4.7.0/24
. . .
650
Chapter 14: Connecting a Large Branch to Dual-Homed Aggregation Hubs over Layer 3 VPN with Internet Backup
10.4.247.0/24
10.4.248.0/24
10.4.249.0/24
10.4.250.0/24
10.4.251.0/24
10.4.252.0/24
10.4.253.0/24
10.4.254.0/24
10.4.255.0/24
172.16.4.4/30
172.16.4.6/32
172.16.4.8/29
172.16.4.9/32
172.16.4.10/32
172.16.4.16/29
172.16.4.17/32
172.16.4.18/32
172.16.4.24/29
172.16.4.25/32
172.16.4.26/32
172.16.4.32/30
172.16.4.34/32
172.16.4.36/30
172.16.4.38/32
172.16.4.254/32
172.16.4.255/32
224.0.0.2/32
224.0.0.5/32
224.0.0.13/32
224.0.0.22/32
provider network.
user@branch1> traceroute 100.65.4.2
traceroute to 100.65.4.2 (100.65.4.2), 30 hops max, 40 byte packets
1 172.16.4.1 (172.16.4.1) 0.684 ms 0.550 ms 0.445 ms # L3VPN ISP A
2 172.31.254.33 (172.31.254.33) 1.278 ms 0.545 ms 0.535 ms #ISP A
3 172.31.254.34 (172.31.254.34) 0.521 ms 0.524 ms 0.468 ms #WANaggr 1
4 172.31.254.9 (172.31.254.9) 0.479 ms 0.520 ms 0.481 ms #Int edge 1
5 * * * # Expected because traceroute is blocked by SFW on Internet Edge
6 * * *
Action
This procedure verifies that a failure of the Branch router 1 physical WAN transport to
Aggregation Hub 1 causes all traffic to be rerouted through Branch router 2 to Aggregation
Hub 2 with minimal traffic loss.
1. Log in to Branch router 1 as the root user, and enter the following command to take down the physical WAN transport.
root@branch1% ifconfig ge-1/2/1 down
2. On Branch router 1, verify that the active default route is to Service Provider B over the
3. On Branch router 2, verify EBGP peering with the Layer 3 VPN Service Provider B
5. Verify traffic counters and queue statistics on Branch router 2 after failure.
user@branch2> show interfaces ge-1/3/1 extensive
    Multicast packets                    5742972             2378
    CRC/Align errors                           0                0
    FIFO errors                                0                0
    MAC control frames                         0                0
    MAC pause frames                           0                0
    Oversized frames                           0
    Jabber frames                              0
    Fragment frames                            0
    VLAN tagged frames                         0
    Code violations                            0
    Total errors                               0                0
  Filter statistics:
    Input packet count                  27331751
    Input packet rejects                     815
    Input DA rejects                           0
    Input SA rejects                           0
    Output packet count                 38532479
    Output packet pad count                    0
    Output packet error count                  0
    CAM destination filters: 0, CAM source filters: 0
  Autonegotiation information:
    Negotiation status: Complete
    Link partner:
        Link mode: Full-duplex, Flow control: Symmetric/Asymmetric, Remote fault: OK
    Local resolution:
        Flow control: Symmetric, Remote fault: Link OK
  Packet Forwarding Engine configuration:
    Destination slot: 1
  CoS information:
    Direction : Output
    CoS transmit queue               Bandwidth               Buffer Priority   Limit
                              %            bps     %           usec
    0 Best_Effort             r              r     r              0 medium-low   none
    1 Scavenger               3        4500000    10              0 low          none
    2 Bulk_Data              20       30000000    15              0 medium-high  none
    3 Critical_Data          15       22500000    15              0 high         exact
    4 Video                  20       30000000    10              0 high         exact
    5 Voice                   5        7500000     r              0 strict-high  none
    6 Network_Control         5        7500000     3              0 high         exact
  Interface transmit statistics: Disabled

  Logical interface ge-1/3/1.0 (Index 349) (SNMP ifIndex 3000) (Generation 170)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Statistics account overhead :
      Ingress account overhead :          22 bytes
      Egress account overhead  :          22 bytes
    Traffic statistics:
     Input  bytes  :          10942558763
     Output bytes  :          13795716347
     Input  packets:             27312207
     Output packets:             38512293
    IPv6 transit statistics:
     Input  bytes  :            135016504
     Output bytes  :            135055908
     Input  packets:               576993
     Output packets:               577162
    Local statistics:
     Input  bytes  :               525592
     Output bytes  :               693776
     Input  packets:                 6525
     Output packets:                 7019
    Transit statistics:
     Input  bytes  :          10942033171            125398040 bps
     Output bytes  :          13795022571            130224664 bps
     Input  packets:             27305682                39900 pps
     Output packets:             38505274                45401 pps
    IPv6 transit statistics:
     Input  bytes  :            135016504
     Output bytes  :            135055908
     Input  packets:               576993
     Output packets:               577162
    Protocol inet, MTU: 1500, Generation: 237, Route table: 6
      Flags: Sendbcast-pkt-to-re, Is-Primary, User-MTU
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 172.16.4.4/30, Local: 172.16.4.6, Broadcast: 172.16.4.7, Generation: 398
    Protocol inet6, MTU: 1500, Generation: 238, Route table: 6
      Flags: Is-Primary
      Addresses, Flags: Is-Preferred
        Destination: fe80::/64, Local: fe80::5e5e:abff:fe0d:d919
    Generation: 362
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 2001:DB8:4:2::/64, Local: 2001:DB8:4:2::2
    Generation: 364
    Protocol multiservice, MTU: Unlimited, Generation: 239, Route table: 6
      Policer: Input: __default_arp_policer__
6. Verify traffic counters and queue statistics on Branch router 2 after failure.
user@branch2> show interfaces queue ge-1/3/1
Physical interface: ge-1/3/1, Enabled, Physical link is Up
  Interface index: 159, SNMP ifIndex: 2147
  Description: --- To MPLS_VPN_PROVIDER2 link (magha ge-1/3/1) ---
Forwarding classes: 16 supported, 7 in use
Egress queues: 8 supported, 7 in use
Queue: 0, Forwarding classes: Best_Effort
  Queued:
    Packets              :              36093293                 41712 pps
    Bytes                :           12417782294             113860384 bps
  Transmitted:
    Packets              :              36093293                 41712 pps
    Bytes                :           12417782294             113860384 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 1, Forwarding classes: Scavenger
  Queued:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
  Transmitted:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 2, Forwarding classes: Bulk_Data
  Queued:
    Packets              :                786418                   396 pps
    Bytes                :             383771984               1545984 bps
  Transmitted:
    Packets              :                786418                   396 pps
    Bytes                :             383771984               1545984 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 3, Forwarding classes: Critical_Data
  Queued:
    Packets              :               2197283                  2203 pps
    Bytes                :             599916192               4455296 bps
  Transmitted:
    Packets              :               2197283                  2203 pps
    Bytes                :             599916192               4455296 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 4, Forwarding classes: Video
  Queued:
    Packets              :                559139                   701 pps
    Bytes                :             272859832               2739040 bps
  Transmitted:
    Packets              :                559139                   701 pps
    Bytes                :             272859832               2739040 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 5, Forwarding classes: Voice
  Queued:
    Packets              :                766606                   310 pps
    Bytes                :              79727024                258240 bps
  Transmitted:
    Packets              :                766606                   310 pps
    Bytes                :              79727024                258240 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 6, Forwarding classes: Network_Control
  Queued:
    Packets              :                314617                   158 pps
    Bytes                :              72991144                293984 bps
  Transmitted:
    Packets              :                314617                   158 pps
    Bytes                :              72991144                293984 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
7. Check the path taken by traffic to the data center after Branch router 1 primary link
failure.
user@branch2> ping 172.31.255.8
PING 172.31.255.8 (172.31.255.8): 56 data bytes
64 bytes from 172.31.255.8: icmp_seq=0 ttl=59 time=0.821 ms
64 bytes from 172.31.255.8: icmp_seq=1 ttl=59 time=0.666 ms
64 bytes from 172.31.255.8: icmp_seq=2 ttl=59 time=0.732 ms
^C
--- 172.31.255.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.666/0.740/0.821/0.064 ms
user@branch2> traceroute 172.31.255.8
traceroute to 172.31.255.8 (172.31.255.8), 30 hops max, 40 byte packets
1 172.16.4.34 (172.16.4.34) 0.546 ms 0.475 ms 0.377 ms # Branch Router 2
2 172.16.4.5 (172.16.4.5) 0.437 ms 0.514 ms 0.510 ms # L3VPN ISPB PE 2
3 * * *
4 172.31.254.38 (172.31.254.38) 0.975 ms 8.610 ms 9.448 ms # WAN Aggregation Hub 2
5 172.31.255.8 (172.31.255.8) 1.374 ms 0.704 ms 0.583 ms # Data Center
8. Check the Branch-to-Branch path taken by traffic after Branch router 1 primary link
failure.
user@branch2> ping 172.16.1.254
PING 172.16.1.254 (172.16.1.254): 56 data bytes
64 bytes from 172.16.1.254: icmp_seq=0 ttl=58 time=2.796 ms
64 bytes from 172.16.1.254: icmp_seq=1 ttl=58 time=1.712 ms
64 bytes from 172.16.1.254: icmp_seq=2 ttl=58 time=2.323 ms
--- 172.16.1.254 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.712/2.277/2.796/0.444 ms
user@branch2> traceroute 172.16.1.254
traceroute to 172.16.1.254 (172.16.1.254), 30 hops max, 40 byte packets
1 172.16.4.34 (172.16.4.34) 0.570 ms 0.464 ms 0.459 ms # Secondary Router
2
3
4
5
6
7
9. Check the Branch-to-Internet path taken by traffic after Branch router 1 primary link
failure.
user@branch2> traceroute 100.65.4.2
traceroute to 100.65.4.2 (100.65.4.2), 30 hops max, 40 byte packets
1 172.16.4.34 (172.16.4.34) 0.621 ms 0.453 ms 0.377 ms # Secondary Router
2
3
4
5
6
7
8
Verify that groups are established with upstream interfaces to the Layer 3 VPN service
provider 2 (ge-1/3/1) and downstream interfaces to Branch router 1 (ge-1/2/4).
user@branch2> show multicast route extensive
Instance: master Family: INET
Group: 235.4.1.1
Source: 172.31.252.10/32
Upstream interface: ge-1/3/1.0
Downstream interface list:
ge-1/2/4.1
Session description: Unknown
Statistics: 127 kBps, 260 pps, 196361 packets
Next-hop ID: 1048581
Upstream protocol: PIM
Route state: Active
Forwarding state: Forwarding
Cache lifetime/timeout: 360 seconds
Wrong incoming interface notifications: 4278
Uptime: 00:12:36
Group: 235.4.1.2
Source: 172.31.252.10/32
Upstream interface: ge-1/3/1.0
Downstream interface list:
ge-1/2/4.1
Session description: Unknown
Statistics: 127 kBps, 260 pps, 196325 packets
Next-hop ID: 1048581
Upstream protocol: PIM
Route state: Active
Forwarding state: Forwarding
Cache lifetime/timeout: 360 seconds
Wrong incoming interface notifications: 4123
Uptime: 00:12:35
Group: 235.4.1.3
Source: 172.31.252.10/32
Upstream interface: ge-1/3/1.0
Downstream interface list:
ge-1/2/4.1
Session description: Unknown
Statistics: 127 kBps, 260 pps, 196318 packets
Next-hop ID: 1048581
Upstream protocol: PIM
Route state: Active
Forwarding state: Forwarding
Cache lifetime/timeout: 360 seconds
Wrong incoming interface notifications: 3405
Uptime: 00:12:35
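The queue listings in the CoS results earlier in this chapter and in step 6 of the failover procedure above are normally read by eye. The following Python parser is an added example, not code from the Juniper guide: it reads that output format and flags queues that dropped packets or whose Queued, Transmitted and dropped counters do not reconcile. The sample output is constructed in the page's format, with the drop and shortfall values invented to exercise the checks.

```python
"""Parse 'show interfaces queue' output and sanity-check every queue.

Added example, not code from the Juniper guide. It reads the per-queue
Queued / Transmitted blocks of 'show interfaces queue <ifd>' and reports
queues that dropped packets or whose counters do not reconcile
(queued == transmitted + tail-dropped + RED-dropped).
"""
import re

QUEUE_RE = re.compile(r"^Queue:\s*(\d+),\s*Forwarding classes:\s*(\S+)")
# Top-level counters only; the Low/Medium-low/Medium-high/High loss-priority
# sub-lines under the RED-dropped counters are intentionally not matched.
COUNTER_RE = re.compile(
    r"^\s*(Packets|Bytes|Tail-dropped packets|RED-dropped packets|"
    r"RED-dropped bytes)\s*:\s*(\d+|Not Available)")


def parse_queue_stats(text):
    """Return [{queue, class, queued: {...}, transmitted: {...}}, ...]."""
    queues, current, section = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        m = QUEUE_RE.match(stripped)
        if m:
            current = {"queue": int(m.group(1)), "class": m.group(2),
                       "queued": {}, "transmitted": {}}
            queues.append(current)
            section = None
        elif stripped in ("Queued:", "Transmitted:"):
            section = stripped[:-1].lower()
        elif current is not None and section is not None:
            m = COUNTER_RE.match(line)
            if m:
                value = m.group(2)
                current[section][m.group(1)] = (
                    None if value == "Not Available" else int(value))
    return queues


def check_queue(q):
    """Return findings for one parsed queue; an empty list means healthy."""
    findings = []
    tag = f"queue {q['queue']} ({q['class']})"
    tx = q["transmitted"]
    tail = tx.get("Tail-dropped packets")
    red = tx.get("RED-dropped packets")
    dropped = (tail or 0) + (red or 0)
    if dropped:
        findings.append(f"{tag}: {dropped} packets dropped (tail={tail}, RED={red})")
    queued, sent = q["queued"].get("Packets"), tx.get("Packets")
    # Tail drops read 'Not Available' on some queues (the ingress output on the
    # page); reconciliation is only meaningful when every term is a number.
    if None not in (queued, sent, tail, red) and queued != sent + dropped:
        findings.append(f"{tag}: queued {queued} != transmitted {sent} + dropped {dropped}")
    return findings


# Constructed in the page's output format and abbreviated (a loss-priority
# sub-line is shown for queue 0 only). Queue 0 repeats the page's Best_Effort
# counters; the drops in queue 2 and the shortfall in queue 4 are invented.
SAMPLE = """\
Queue: 0, Forwarding classes: Best_Effort
  Queued:
    Packets              :              36093293                 41712 pps
    Bytes                :           12417782294             113860384 bps
  Transmitted:
    Packets              :              36093293                 41712 pps
    Bytes                :           12417782294             113860384 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
Queue: 2, Forwarding classes: Bulk_Data
  Queued:
    Packets              :                786418                   396 pps
    Bytes                :             383771984               1545984 bps
  Transmitted:
    Packets              :                786000                   396 pps
    Bytes                :             383567872               1545984 bps
    Tail-dropped packets :                   118                     0 pps
    RED-dropped packets  :                   300                     0 pps
Queue: 3, Forwarding classes: Critical_Data
  Queued:
    Packets              :                  5355                     0 pps
    Bytes                :                689238                     0 bps
  Transmitted:
    Packets              :                  5355                     0 pps
    Bytes                :                689238                     0 bps
    Tail-dropped packets : Not Available
    RED-dropped packets  :                     0                     0 pps
Queue: 4, Forwarding classes: Video
  Queued:
    Packets              :                  1000                     0 pps
    Bytes                :                488000                     0 bps
  Transmitted:
    Packets              :                   900                     0 pps
    Bytes                :                439200                     0 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
"""

if __name__ == "__main__":
    for queue in parse_queue_stats(SAMPLE):
        print(queue["class"], check_queue(queue) or "OK")
```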
Verifying This Scenario from the WAN Aggregation Router at Aggregation Hub 1
Purpose
Action
Use this procedure to verify this scenario from the WAN aggregation router at Aggregation
Hub 1.
1. Verify that the link to the Layer 3 VPN service provider is up.
user@wanagghub1> show interfaces ge-1/2/5 terse
Interface               Admin Link Proto    Local                            Remote
ge-1/2/5                up    up
ge-1/2/5.0              up    up   inet     172.31.254.34/30
                                   inet6    fe80::5e5e:abff:fe0e:4205/64
                                            2001:DB8:254:1::2/64
                                   multiservice
user@wanagghub1> ping 172.31.254.33 rapid
provider.
user@wanagghub1> show route advertising-protocol bgp 172.31.254.33
inet.0: 30847 destinations, 57234 routes (30847 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 0.0.0.0/0               Self                 0                  I
. . .
CHAPTER 15
Requirements
This example uses the following hardware and software components:
Two M7i or MX Series Juniper Networks routers with an MS-PIC and MS-DPC installed.
Overview
WCCP delivers transparent application acceleration by dynamically forwarding relevant
traffic to one or more off-path cache instances. The results include optimized resource
utilization, reduced response time, improved user experience, and increased productivity.
WCCP supports the following features:
Dynamic services
Figure 81 on page 666 shows how application acceleration between two branch offices is
set up using WCCP.
Topology
Installing the Full WCCP Package on the Branch Router on page 666
Before running WCCP, the WCCP package must be installed on the branch router. The
first step is to configure the provider ID for Juniper Networks so that the SDK service
daemon (SSD) is enabled and will allow for the installation and running of WCCP.
1.
2.
3.
4.
Results
1.
2.
3.
4.
5.
[edit]
edit interfaces ms-0/1/0
set unit 0 family inet
set unit 1 family inet
set unit 2 family inet
6.
7.
Configure an OSPF backbone area. Add the Ethernet interface to the aggregation
hub, and add the loopback interface.
[edit]
edit protocols ospf area 0.0.0.0
set interface ge-0/0/2.0
set interface lo0.0 passive
In this example, the WCCP data module is configured to run on a Multiservices PIC. The WCCP application is configured for WCCP service group 61 (TCP traffic). The hash assignment method is used to decide the target client WCCP appliance device. Traffic is forwarded to one of the client WCCP appliance devices for acceleration using the GRE (Layer 3) forwarding method. In this case, the gretunnel-ip must be specified; it acts as the endpoint of the GRE tunnel between the router and a client WCCP appliance device. Any traffic that does not meet the configured policy for application acceleration is returned by the client WCCP appliance device to WCCP, again using the GRE redirection method.
1.
2.
The cache timeout is the interval, in seconds, at which a cache sends HERE_I_AM messages to the routers in a service group. This parameter is used to derive the cache communication timeout, which is three times the configured value.
The port is the port on which WCCP communicates.
The router ID is an IP address that is reachable from the caches.
[edit]
edit wccp
set configure cache-timeout 20
set configure wccp-port 2048
set configure router-id 100.1.1.1
3.
4.
Traffic must be steered to the MS-PIC interface for processing by the WCCP MS-PIC daemon. In this example, an egress filter is applied to steer all egress traffic to the ms-interface unit, where it is received by the WCCP data component. The WCCP data component processes the traffic and redirects it to one of the client WCCP appliance devices if it matches the WCCP service group definition.
1.
2.
3.
If a cache decides not to accelerate certain traffic forwarded to it, for whatever reason,
the traffic is returned to the router using the selected return method. This example uses
the GRE method of returning traffic. The GRE method steers the return traffic to the
MS-PIC interface on a unit different from the one used for forwarded traffic, so that
WCCP can decapsulate the original packet and forward it normally.
1. Configure a service filter with the rule that any traffic coming from the WCCP cache
will use the GRE method of returning traffic, and all other traffic is skipped.
[edit]
edit firewall family inet
set service-filter gre_return term service from protocol gre
set service-filter gre_return term service then count to_wccp
set service-filter gre_return term service then service
set service-filter skip_all term no_Service then count from_wccp
set service-filter skip_all term no_Service then skip
Apply the gre_return service filter to the cache-facing interface so that GRE packets
received from the cache device are matched.
[edit]
edit interfaces ge-0/0/1 unit 0 family inet
set service input service-set wccp_cache_return service-filter gre_return
set output service-set wccp_cache_return service-filter skip_all
Configure an OSPF backbone area. Add the Ethernet interface to the aggregation
hub, and add the loopback interface.
[edit]
edit protocols ospf area 0.0.0.0
set interface ge-0/0/2.0
set interface lo0.0 passive
In this example, the WCCP data module is configured to run on a Multiservices PIC. The
WCCP application is configured for WCCP service group 61 (TCP traffic). The hash
assignment method is used to decide the target client WCCP appliance device. Traffic is
forwarded to one of the client WCCP appliance devices for acceleration using the GRE
(Layer 3) forwarding method. In this case, the gretunnel-ip must be specified; it acts as
the endpoint of the GRE tunnel between the router and a client WCCP appliance device.
Any traffic that does not meet the configured policy for application acceleration is
returned by the client WCCP appliance device to WCCP using the GRE redirection method.
The cache timeout is the interval, in seconds, at which a cache sends HERE_I_AM
messages to the routers in a service group. This parameter is used to derive the
cache communication timeout, which is three times the configured value.
The port is the port on which WCCP communicates.
The router ID is an IP address that is reachable from the caches.
[edit]
edit wccp
set configure cache-timeout 20
set configure wccp-port 2048
set configure router-id 200.1.1.1
Traffic must be steered to the MS-PIC interface for processing by the WCCP MS-PIC
daemon. In this example, an egress filter is applied to steer all egress traffic to the
ms-interface unit, where it is received by the WCCP data component. The WCCP data
component processes the traffic and redirects it to one of the client WCCP appliance
devices if it matches the WCCP service group definition.
If a cache decides not to accelerate certain traffic forwarded to it, for whatever reason,
the traffic is returned to the router using the selected return method. This example uses
the GRE method of returning traffic. The GRE method steers the return traffic to the
MS-PIC interface on a unit different from the one used for forwarded traffic, so that
WCCP can decapsulate the original packet and forward it normally.
1. Configure a service filter with the rule that any traffic coming from the WCCP cache
will use the GRE method of returning traffic, and all other traffic is skipped.
[edit]
edit firewall family inet
set service-filter gre_return term service from protocol gre
set service-filter gre_return term service then count to_wccp
set service-filter gre_return term service then service
set service-filter skip_all term no_Service then count from_wccp
set service-filter skip_all term no_Service then skip
Apply the gre_return service filter to the cache-facing interface so that GRE packets
received from the cache device are matched.
[edit]
edit interfaces ge-0/0/1 unit 0 family inet
set service input service-set wccp_cache_return service-filter gre_return
set output service-set wccp_cache_return service-filter skip_all
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying Reachability
Purpose
Verify that the network is up and running with the proper interfaces and routes installed.
Action
(Output of show interfaces, ping, and show route; only fragments survived extraction:
an address table entry with Local and Remote columns showing 1.1.1.2/24, a static route
"*[Static/5] 20:45:50 > via ms-0/1/0.2", and a static route
"*[Static/5] 20:45:59 > to 1.1.1.1 via gr-0/1/0.1".)
Meaning
The show interfaces command confirms that the configured interfaces are up and
running.
The ping command shows that packets are being sent and received.
The show route commands confirm that the egress_steer_ri routing instance is working,
and display the number of destinations and routes.
Verifying WCCP
Purpose
Verify that WCCP is working and the proper protocols are enabled.
Action
(Output of show wccp; only column fragments survived extraction: a cache with Status
Assigned, Receive ID 428894207, assigned time 20:47, and Routers 1.)
Meaning
The output shows that the WCCP cache engines and service groups are functioning
properly.
The cache engine details show that GRE has been selected as both the forwarding
and return method.
The service group details show the total number of packets redirected and returned
through GRE.
Example: Configuring WAN Acceleration Between a Branch and Aggregation Hub Using
WCCP-Lite
This example shows how to configure the Web Cache Configuration Protocol Lite
(WCCP-Lite) to achieve WAN acceleration between a branch router and aggregation
hub (Figure 82 on page 678).
Requirements
This example uses the following hardware and software components:
Two M7i, MX Series or SRX Series Juniper Networks routers with an MS-PIC and MS-DPC
installed.
Overview
WCCP-Lite delivers transparent application acceleration to small networks by dynamically
forwarding relevant traffic to an off-path cache instance. The results include optimized
resource utilization, reduced response time, improved user experience, and increased
productivity.
WCCP-Lite supports the following features:
Dynamic services
Topology
Configuration
Before running WCCP, the WCCP package must be installed on the branch router. The
first step is to configure the provider ID for Juniper Networks so that the SDK service
daemon (SSD) is enabled and will allow for the installation and running of WCCP.
Results
Configure an OSPF backbone area. Add the Ethernet interface to the aggregation
hub, and add the loopback interface.
[edit]
edit protocols ospf area 0.0.0.0
set interface ge-0/0/2.0
set interface lo0.0 passive
In this example, the WCCP data module is configured to run on a Multiservices PIC. The
WCCP application is configured for WCCP service group 61 (TCP traffic). The hash
assignment method is used to decide the target client WCCP appliance device. Traffic is
forwarded to one of the client WCCP appliance devices for acceleration using the GRE
(Layer 3) forwarding method. In this case, the gretunnel-ip must be specified; it acts as
the endpoint of the GRE tunnel between the router and a client WCCP appliance device.
Any traffic that does not meet the configured policy for application acceleration is
returned by the client WCCP appliance device to WCCP using the GRE redirection method.
The cache timeout is the interval, in seconds, at which a cache sends HERE_I_AM
messages to the routers in a service group. This parameter is used to derive the
cache communication timeout, which is three times the configured value.
The port is the port on which WCCP communicates.
The router ID is an IP address that is reachable from the caches.
[edit]
edit wccp
set configure cache-timeout 20
set configure wccp-port 2048
set configure router-id 100.1.1.1
Set the return method that the cache uses to return forwarded traffic to the router.
Set the assignment method, which is used to choose a cache for a packet, to hash.
[edit]
edit wccp
set configure service tcp_promo wccp-service 61
set configure service tcp_promo forwarding-method l2
set configure service tcp_promo return-method l2
set configure service tcp_promo assignment-method hash
[edit]
edit interfaces lo0
Configure an OSPF backbone area. Add the Ethernet interface to the aggregation
hub, and add the loopback interface.
[edit]
edit protocols ospf area 0.0.0.0
set interface ge-0/0/2.0
set interface lo0.0 passive
In this example, the WCCP application is configured for WCCP service group 61 (TCP
traffic). The hash assignment method is used to decide the target client WCCP appliance
device. Traffic is forwarded to one of the client WCCP appliance devices for acceleration
using the Layer 2 forwarding method. The WCCP-Lite application adds or updates terms
in the filter named wccplite_filter to redirect the traffic to the client WCCP appliance
device. Any traffic that does not meet the configured policy for application acceleration
is returned by the client WCCP appliance device to WCCP using the Layer 2 redirection
method.
The cache timeout is the interval, in seconds, at which a cache sends HERE_I_AM
messages to the routers in a service group. This parameter is used to derive the
cache communication timeout, which is three times the configured value.
The port is the port on which WCCP communicates.
The router ID is an IP address that is reachable from the caches.
[edit]
edit wccp
set configure cache-timeout 20
set configure wccp-port 2048
set configure router-id 200.1.1.1
Set the return method that the cache uses to return forwarded traffic to the router.
Set the assignment method, which is used to choose a cache for a packet, to hash.
[edit]
edit wccp
set configure service tcp_promo wccp-service 61
set configure service tcp_promo forwarding-method l2
set configure service tcp_promo return-method l2
set configure service tcp_promo assignment-method hash
[edit]
edit interfaces ge-0/0/3
set unit 0 family inet filter input wccplite_filter
Verification
Verifying Reachability
Purpose
Verify that the network is up and running with the proper interfaces and routes installed.
Action
(Output of show interfaces, ping, and show route; only fragments survived extraction:
an address table entry with Local and Remote columns showing 1.1.1.2/24, a static route
"*[Static/5] 20:45:50 > via ms-0/1/0.2", and a static route
"*[Static/5] 20:45:59 > to 1.1.1.1 via gr-0/1/0.1".)
Meaning
The show interfaces command confirms that the configured interfaces are up and
running.
The ping command shows that packets are being sent and received.
The show route commands confirm that the egress_steer_ri routing instance is working,
and display the number of destinations and routes.
Verifying WCCP
Purpose
Verify that WCCP is working and the proper protocols are enabled.
Action
(Output of show wccp; only column fragments survived extraction: a cache with Status
Assigned, Receive ID 428894207, assigned time 20:47, and Routers 1.)
Meaning
The output shows that the WCCP cache engines and service groups are functioning
properly.
The cache engine details show that GRE has been selected as both the forwarding
and return method.
The service group details show the total number of packets redirected and returned
through GRE.
Example: Configuring WAN Acceleration Between a Branch and Aggregation Hub Using
WCCP Full
This example shows how to configure the Web Cache Configuration Protocol (WCCP)
to achieve WAN acceleration between a branch router and aggregation hub in a network
with multiple cache devices (Figure 83 on page 687).
Requirements
This example uses the following hardware and software components:
Two M7i or MX Series Juniper Networks routers with an MS-PIC and MS-DPC installed.
Overview
WCCP delivers transparent application acceleration by dynamically forwarding relevant
traffic to one or more off-path cache instances. The results include optimized resource
utilization, reduced response time, improved user experience, and increased productivity.
WCCP supports the following features:
Dynamic services
Topology
Configuration
Installing the WCCP Full Package on the Branch Router on page 687
Before running WCCP, the WCCP package must be installed on the branch router. The
first step is to configure the provider ID for Juniper Networks so that the SDK service
daemon (SSD) is enabled and will allow for the installation and running of WCCP.
Results
Configure an OSPF backbone area. Add the Ethernet interface to the aggregation
hub, and add the loopback interface.
[edit]
edit protocols ospf area 0.0.0.0
set interface ge-0/0/2.0
set interface lo0.0 passive
In this example, the WCCP data module is configured to run on a Multiservices PIC. The
WCCP application is configured for WCCP service group 61 (TCP traffic). The hash
assignment method is used to decide the target client WCCP appliance device. Traffic is
forwarded to one of the client WCCP appliance devices for acceleration using the GRE
(Layer 3) forwarding method. In this case, the gretunnel-ip must be specified; it acts as
the endpoint of the GRE tunnel between the router and a client WCCP appliance device.
Any traffic that does not meet the configured policy for application acceleration is
returned by the client WCCP appliance device to WCCP using the GRE redirection method.
The cache timeout is the interval, in seconds, at which a cache sends HERE_I_AM
messages to the routers in a service group. This parameter is used to derive the
cache communication timeout, which is three times the configured value.
The port is the port on which WCCP communicates.
The router ID is an IP address that is reachable from the caches.
[edit]
edit wccp
set configure cache-timeout 20
set configure wccp-port 2048
set configure router-id 100.1.1.1
Traffic must be steered to the MS-PIC interface for processing by the WCCP MS-PIC
daemon. In this example, an egress filter is applied to steer all egress traffic to the
ms-interface unit, where it is received by the WCCP data component. The WCCP data
component processes the traffic and redirects it to one of the client WCCP appliance
devices if it matches the WCCP service group definition.
If a cache decides not to accelerate certain traffic forwarded to it, for whatever reason,
the traffic is returned to the router using the selected return method. This example uses
the GRE method of returning traffic. The GRE method steers the return traffic to the
MS-PIC interface on a unit different from the one used for forwarded traffic, so that
WCCP can decapsulate the original packet and forward it normally.
1. Configure a service filter with the rule that any traffic coming from the WCCP cache
will use the GRE method of returning traffic, and all other traffic is skipped.
[edit]
edit firewall family inet
set service-filter gre_return term service from protocol gre
set service-filter gre_return term service then count to_wccp
set service-filter gre_return term service then service
set service-filter skip_all term no_Service then count from_wccp
set service-filter skip_all term no_Service then skip
Apply the gre_return service filter to the cache-facing interface so that GRE packets
received from the cache device are matched.
[edit]
edit interfaces ge-0/0/1 unit 0 family inet
set service input service-set wccp_cache_return service-filter gre_return
set output service-set wccp_cache_return service-filter skip_all
set address 14.4.4.1/24
[edit]
edit interfaces lo0
set unit 0 family inet address 200.1.1.1/32 primary
set unit 0 family inet address 200.1.1.1/32 preferred
Configure an OSPF backbone area. Add the Ethernet interface to the aggregation
hub, and add the loopback interface.
[edit]
edit protocols ospf area 0.0.0.0
set interface ge-0/0/2.0
set interface lo0.0 passive
In this example, the WCCP data module is configured to run on a Multiservices PIC. The
WCCP application is configured for WCCP service group 61 (TCP traffic). The hash
assignment method is used to decide the target client WCCP appliance device. Traffic is
forwarded to one of the client WCCP appliance devices for acceleration using the GRE
(Layer 3) forwarding method. In this case, the gretunnel-ip must be specified; it acts as
the endpoint of the GRE tunnel between the router and a client WCCP appliance device.
Any traffic that does not meet the configured policy for application acceleration is
returned by the client WCCP appliance device to WCCP using the GRE redirection method.
The cache timeout is the interval, in seconds, at which a cache sends HERE_I_AM
messages to the routers in a service group. This parameter is used to derive the
cache communication timeout, which is three times the configured value.
The port is the port on which WCCP communicates.
The router ID is an IP address that is reachable from the caches.
[edit]
edit wccp
set configure cache-timeout 20
set configure wccp-port 2048
set configure router-id 200.1.1.1
Traffic must be steered to the MS-PIC interface for processing by the WCCP MS-PIC
daemon. In this example, an egress filter is applied to steer all egress traffic to the
ms-interface unit, where it is received by the WCCP data component. The WCCP data
component processes the traffic and redirects it to one of the client WCCP appliance
devices if it matches the WCCP service group definition.
[edit]
edit routing-instances egress_steer_ri
set instance-type forwarding
set routing-options static route 0.0.0.0/0 next-hop ms-0/1/0.2
3.
4.
If a cache decides not to accelerate certain traffic forwarded to it, for whatever reason,
the traffic is returned to the router using the selected return method. This example uses
the GRE method of returning traffic. The GRE method steers the return traffic to the
MS-PIC interface on a unit different from the one used for forwarded traffic, so that
WCCP can decapsulate the original packet and forward it normally.
1. Configure a service filter with the rule that any traffic coming from the WCCP cache
will use the GRE method of returning traffic, and all other traffic is skipped.
[edit]
edit firewall family inet
set service-filter gre_return term service from protocol gre
set service-filter gre_return term service then count to_wccp
set service-filter gre_return term service then service
set service-filter skip_all term no_Service then count from_wccp
set service-filter skip_all term no_Service then skip
Apply the gre_return service filter to the cache-facing interface so that GRE packets
received from the cache device are matched.
[edit]
edit interfaces ge-0/0/1 unit 0 family inet
set service input service-set wccp_cache_return service-filter gre_return
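The WCCP and WCCP-Lite service definitions above share one set of rules: the cache communication timeout is three times cache-timeout, the forwarding and return methods are gre or l2, and GRE forwarding requires a gretunnel-ip. The following added example (not Juniper's code) encodes those rules as a small renderer and validator for the [edit wccp] statements; the exact form of the gretunnel-ip statement and the address 192.0.2.10 are assumptions.

```python
"""Render and sanity-check the [edit wccp] statements used in this chapter.

Added example, not Juniper's code. Statement names (cache-timeout, wccp-port,
router-id, wccp-service, forwarding-method, return-method, assignment-method,
gretunnel-ip) come from the guide; the 'set configure service <name>
gretunnel-ip <addr>' form is assumed.
"""
from dataclasses import dataclass, field
import ipaddress
from typing import List, Optional

# From the guide: cache communication timeout = 3 x the configured cache-timeout.
HERE_I_AM_MULTIPLIER = 3


@dataclass
class WccpService:
    name: str
    service_id: int                       # 61 = TCP traffic in the guide's examples
    forwarding: str                       # "gre" or "l2"
    return_method: str                    # "gre" or "l2"
    assignment: str = "hash"
    gretunnel_ip: Optional[str] = None    # required for GRE forwarding


@dataclass
class WccpConfig:
    cache_timeout: int                    # seconds between HERE_I_AM messages
    wccp_port: int
    router_id: str
    services: List[WccpService] = field(default_factory=list)


def cache_communication_timeout(cfg: WccpConfig) -> int:
    """Seconds without HERE_I_AM after which the router considers a cache gone."""
    return HERE_I_AM_MULTIPLIER * cfg.cache_timeout


def validate(cfg: WccpConfig) -> List[str]:
    """Return the list of problems found; an empty list means the config passes."""
    problems = []
    if cfg.cache_timeout <= 0:
        problems.append("cache-timeout must be a positive number of seconds")
    if not 1 <= cfg.wccp_port <= 65535:
        problems.append(f"wccp-port {cfg.wccp_port} is not a valid port")
    try:
        ipaddress.ip_address(cfg.router_id)
    except ValueError:
        problems.append(f"router-id {cfg.router_id!r} is not an IP address")
    for svc in cfg.services:
        for attr in ("forwarding", "return_method"):
            if getattr(svc, attr) not in ("gre", "l2"):
                problems.append(f"{svc.name}: {attr} must be gre or l2")
        if svc.assignment != "hash":
            problems.append(f"{svc.name}: only hash assignment is used in this design")
        # The guide: with GRE forwarding the gretunnel-ip must be specified.
        if svc.forwarding == "gre" and not svc.gretunnel_ip:
            problems.append(f"{svc.name}: GRE forwarding requires gretunnel-ip")
        if svc.forwarding == "l2" and svc.gretunnel_ip:
            problems.append(f"{svc.name}: gretunnel-ip is meaningless with l2 forwarding")
        if svc.gretunnel_ip:
            try:
                ipaddress.ip_address(svc.gretunnel_ip)
            except ValueError:
                problems.append(f"{svc.name}: gretunnel-ip is not an IP address")
    return problems


def render(cfg: WccpConfig) -> List[str]:
    """Render the 'set' statements under [edit wccp]; raises on an invalid config."""
    problems = validate(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        f"set configure cache-timeout {cfg.cache_timeout}",
        f"set configure wccp-port {cfg.wccp_port}",
        f"set configure router-id {cfg.router_id}",
    ]
    for svc in cfg.services:
        base = f"set configure service {svc.name}"
        lines.append(f"{base} wccp-service {svc.service_id}")
        lines.append(f"{base} forwarding-method {svc.forwarding}")
        lines.append(f"{base} return-method {svc.return_method}")
        lines.append(f"{base} assignment-method {svc.assignment}")
        if svc.gretunnel_ip:
            lines.append(f"{base} gretunnel-ip {svc.gretunnel_ip}")  # assumed syntax
    return lines


# The WCCP-Lite branch service from the guide: L2 forwarding and return, hash assignment.
LITE = WccpConfig(20, 2048, "200.1.1.1", [WccpService("tcp_promo", 61, "l2", "l2")])
# A full-WCCP variant using GRE; 192.0.2.10 is a constructed documentation address.
FULL = WccpConfig(20, 2048, "100.1.1.1",
                  [WccpService("tcp_promo", 61, "gre", "gre", gretunnel_ip="192.0.2.10")])
# The same GRE service with the gretunnel-ip left out, which the guide says is required.
BROKEN = WccpConfig(20, 2048, "100.1.1.1", [WccpService("tcp_promo", 61, "gre", "gre")])

if __name__ == "__main__":
    for label, cfg in (("lite", LITE), ("full", FULL), ("broken", BROKEN)):
        problems = validate(cfg)
        print(f"# {label}: cache communication timeout = {cache_communication_timeout(cfg)}s")
        print("\n".join(render(cfg)) if not problems else "REJECTED: " + "; ".join(problems))
```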
Verification
Verifying Reachability
Purpose
Verify that the network is up and running with the proper interfaces and routes installed.
Action
(Output of show interfaces, ping, and show route; only fragments survived extraction:
an address table entry with Local and Remote columns showing 1.1.1.2/24, a static route
"*[Static/5] 20:45:50 > via ms-0/1/0.2", and a static route
"*[Static/5] 20:45:59 > to 1.1.1.1 via gr-0/1/0.1".)
Meaning
The show interfaces command confirms that the configured interfaces are up and
running.
The ping command shows that packets are being sent and received.
The show route commands confirm that the egress_steer_ri routing instance is working,
and display the number of destinations and routes.
Verifying WCCP
Purpose
Verify that WCCP is working and the proper protocols are enabled.
Action
(Output of show wccp; only column fragments survived extraction: two caches with Status
Assigned, Receive IDs 424334100 and 424334099, both assigned at 20:26.)
Meaning
The output shows that the WCCP cache engines and service groups are functioning
properly.
The cache engine details show that GRE has been selected as both the forwarding
and return method.
CHAPTER 16
This troubleshooting scenario shows how to troubleshoot and repair branch GRE over
IPsec transport that is not functioning properly.
If the VPN (GRE over IPsec) service is not passing traffic properly to the primary VPN
server, use the following troubleshooting steps from VPN router 1:
1.
(Output of show route; only the static route entries survived extraction:
"*[Static/5] 03:20:30 > to 172.31.255.53 via ge-1/1/1.1" and
"*[Static/5] 03:20:30 > to 198.51.100.5 via ge-1/1/1.0".)
Description: --- IPsec tunnels termination VLAN ( Jbus ge-1/2/6 ) ---
Flags: Up SNMP-Traps 0x0 VLAN-Tag [ 0x8100.1 ] Encapsulation: ENET2
Input packets : 1884615121
Output packets: 1852099195
Protocol inet, MTU: 1500
  Flags: Sendbcast-pkt-to-re, Is-Primary, User-MTU
  Addresses, Flags: Is-Preferred Is-Primary
    Destination: 198.51.100.4/30, Local: 198.51.100.6, Broadcast: 198.51.100.7
Protocol multiservice, MTU: Unlimited
Add the following script.
[edit]
set system scripts op file juniper-wccp-l2-fbf.xsl
3. Verify the IKE security association
regress@effenberg> show services ipsec-vpn ike security-associations 1.1.0.2 detail
IKE peer 1.1.0.2
  Role: Responder, State: Matured
  Initiator cookie: f9fd11d9721cf32e, Responder cookie: 68fb472ba04d35ee
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 198.51.100.6, Remote: 1.1.0.2
  Lifetime: Expires in 16844 seconds
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : aes128-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : 2
  Traffic statistics:
   Input bytes   :                 112388
   Output bytes  :                 111668
   Input packets :                   1210
   Output packets:                   1201
  Flags: IKE SA created
  IPsec security associations: 10 created, 8 deleted
4. Verify the IPsec security association
regress@effenberg> show services ipsec-vpn ipsec security-associations
  Service set: BR1, IKE Routing-instance: VPN
  Rule: _junos_, Term: tunnel635, Tunnel index: 635
  Local gateway: 198.51.100.6, Remote gateway: 1.1.0.2
  IPsec inside interface: ms-0/2/0.1, Tunnel MTU: 1500
    Direction SPI        AUX-SPI Mode   Type    Protocol
    inbound   3895211860 0       tunnel dynamic ESP
    outbound  2053749959 0       tunnel dynamic ESP
6. Verify that the lo0 (loopback interface) of the remote branch is reachable
regress@effenberg> show route 172.16.1.255 table VPN.inet.0 detail
VPN.inet.0: 1030 destinations, 1030 routes (1030 active, 0 holddown, 0 hidden)
172.16.1.255/32 (1 entry, 1 announced)
*Static Preference: 1
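Steps 3 and 4 above are checked by eye; the following added example (not Juniper's code) parses the same IKE and IPsec SA output and reports what the troubleshooter is looking for: the IKE SA state and remaining lifetime, and whether both an inbound and an outbound ESP SA exist. The sample text is constructed from the output shown above; the 60-second minimum lifetime is an assumed threshold.

```python
"""Parse Junos IKE/IPsec SA output and flag a tunnel that cannot pass traffic.

Added example, not Juniper's code. The samples below are constructed from the
'show services ipsec-vpn ike security-associations <peer> detail' and
'show services ipsec-vpn ipsec security-associations' output in this chapter.
"""
import re
from typing import Dict, List

IKE_SAMPLE = """\
IKE peer 1.1.0.2
  Role: Responder, State: Matured
  Initiator cookie: f9fd11d9721cf32e, Responder cookie: 68fb472ba04d35ee
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 198.51.100.6, Remote: 1.1.0.2
  Lifetime: Expires in 16844 seconds
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : aes128-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : 2
  Flags: IKE SA created
  IPsec security associations: 10 created, 8 deleted
"""

IPSEC_SAMPLE = """\
  Service set: BR1, IKE Routing-instance: VPN
  Rule: _junos_, Term: tunnel635, Tunnel index: 635
  Local gateway: 198.51.100.6, Remote gateway: 1.1.0.2
  IPsec inside interface: ms-0/2/0.1, Tunnel MTU: 1500
    Direction SPI        AUX-SPI Mode   Type    Protocol
    inbound   3895211860 0       tunnel dynamic ESP
    outbound  2053749959 0       tunnel dynamic ESP
"""


def parse_ike(text: str) -> Dict[str, object]:
    """Pull the fields the troubleshooting step looks at out of the IKE detail output."""
    sa: Dict[str, object] = {}
    m = re.search(r"IKE peer (\S+)", text)
    sa["peer"] = m.group(1) if m else None
    m = re.search(r"State: (\w+)", text)
    sa["state"] = m.group(1) if m else None
    m = re.search(r"Expires in (\d+) seconds", text)
    sa["lifetime_s"] = int(m.group(1)) if m else 0
    m = re.search(r"Authentication method: ([\w-]+)", text)
    sa["auth_method"] = m.group(1) if m else None
    algs = {}
    # 'Authentication\s*:' skips the 'Authentication method:' line because of the colon.
    for label, key in (("Authentication", "auth"), ("Encryption", "enc"),
                       ("Diffie-Hellman group", "dh_group")):
        m = re.search(rf"{label}\s*:\s*(\S+)", text)
        algs[key] = m.group(1) if m else None
    sa["algorithms"] = algs
    return sa


def parse_ipsec(text: str) -> List[Dict[str, str]]:
    """Return one dict per SPI row (direction, spi, aux_spi, mode, type, protocol)."""
    columns = ("direction", "spi", "aux_spi", "mode", "type", "protocol")
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(columns) and parts[0] in ("inbound", "outbound"):
            rows.append(dict(zip(columns, parts)))
    return rows


def tunnel_problems(ike: Dict[str, object], ipsec: List[Dict[str, str]],
                    min_lifetime_s: int = 60) -> List[str]:
    """Findings a troubleshooter would act on; an empty list means the tunnel looks healthy."""
    problems = []
    if ike["state"] != "Matured":
        problems.append(f"IKE SA with {ike['peer']} is {ike['state']}, not Matured")
    if ike["lifetime_s"] < min_lifetime_s:
        problems.append("IKE SA is about to expire; check rekeying on both peers")
    directions = {r["direction"] for r in ipsec if r["protocol"] == "ESP"}
    for d in ("inbound", "outbound"):
        if d not in directions:
            problems.append(f"no {d} ESP SA installed; traffic cannot flow in that direction")
    return problems


if __name__ == "__main__":
    ike = parse_ike(IKE_SAMPLE)
    ipsec = parse_ipsec(IPSEC_SAMPLE)
    print(ike)
    print(tunnel_problems(ike, ipsec) or "tunnel looks healthy")
```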
This troubleshooting scenario shows how to troubleshoot and repair SFW and NAT
services.
If the SFW/NAT policy is not working properly (no hits, traffic drops, SFW/NAT not working
at all), use the following troubleshooting steps from the primary Internet Gateway:
1.
[edit]
set system scripts op file juniper-wccp-l2-fbf.xsl
2. Verify routing in both directions (Branch DC to Internet)
regress@jbus> show route 0.0.0.0
inet.0: 20 destinations, 20 routes (20 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0
*[Static/5] 01:07:33
> via sp-3/0/0.1
*[Static/1] 01:09:33
(Output of the service-set and NAT statistics; only column fragments survived
extraction, including Reject and Errors counters, a static route "*[Static/1] 01:15:31",
and a rule "Service to NAT-HOSTED-WEB".)
This troubleshooting scenario shows how to troubleshoot and repair convergence on the
EWAN solution.
If the network is converging slowly or not at all, use the following troubleshooting steps
from the primary Internet Gateway:
1.
(Output of the lo0.0 input firewall filter counters; only column fragments survived
extraction. The surviving counter names are limit-2m-bgp-in-lo0.0-i,
limit-2m-icmp-in-lo0.0-i, limit-2m-ospf-in-lo0.0-i, limit-2m-snmp-in-lo0.0-i and
limit-2m-udp-services-lo0.0-i, each with Bytes and Packets columns.)
2. Verify PFE traffic statistics (look for packet drops in the output)
regress@jbus> show pfe statistics traffic
Packet Forwarding Engine traffic statistics:
    Input  packets:            154251005                  851 pps
    Output packets:            154253246                  856 pps
Packet Forwarding Engine local traffic statistics:
    Local packets input                 :                 5369
    Local packets output                :                 3999
    Software input control plane drops  :                    0
    Software input high drops           :                    0
    Software input medium drops         :                    0
    Software input low drops            :                    0
    Software output drops               :                    0
    Hardware input drops                :                    0
Packet Forwarding Engine local protocol statistics:
    HDLC keepalives            :                    0
    ATM OAM                    :                    0
    Frame Relay LMI            :                    0
    PPP LCP/NCP                :                    0
    OSPF hello                 :                  539
    OSPF3 hello                :                    0
    RSVP hello                 :                    0
    LDP hello                  :                    0
    BFD                        :                10656
    IS-IS IIH                  :                    0
    LACP                       :                    0
    ARP                        :                   33
    ETHER OAM                  :                    0
    Unknown                    :                 1014
Packet Forwarding Engine hardware discard statistics:
    Timeout                    :                    0
    Truncated key              :                    0
    Bits to test               :                    0
    Data error                 :                    0
    Stack underflow            :                    0
    Stack overflow             :                    0
    Normal discard             :                    7
    Extended discard           :                    0
    Invalid interface          :                    0
    Info cell drops            :                    0
    Fabric drops               :                    0
Packet Forwarding Engine Input IPv4 Header Checksum Error and Output MTU Error statistics:
    Input Checksum             :                    0
    Output MTU                 :                    0
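Step 2 says to look for packet drops in the show pfe statistics traffic output. The following added example (not Juniper's code) parses that output into its sections and returns only the drop, discard and error counters that are non-zero, so the one Normal discard hit in the sample is not lost among the zeros; the sample is constructed from the counters shown above and the list of counter-name keywords is an assumption.

```python
"""Flag non-zero drop/discard/error counters in 'show pfe statistics traffic'.

Added example, not Juniper's code. PFE_SAMPLE is constructed from the output in
this troubleshooting step; DROP_WORDS is the assumed set of keywords that mark a
counter as a drop-type counter.
"""
import re
from typing import Dict

PFE_SAMPLE = """\
Packet Forwarding Engine traffic statistics:
    Input  packets:            154251005                  851 pps
    Output packets:            154253246                  856 pps
Packet Forwarding Engine local traffic statistics:
    Local packets input                 :                 5369
    Local packets output                :                 3999
    Software input control plane drops  :                    0
    Software input high drops           :                    0
    Software input medium drops         :                    0
    Software input low drops            :                    0
    Software output drops               :                    0
    Hardware input drops                :                    0
Packet Forwarding Engine hardware discard statistics:
    Timeout                    :                    0
    Truncated key              :                    0
    Bits to test               :                    0
    Data error                 :                    0
    Stack underflow            :                    0
    Stack overflow             :                    0
    Normal discard             :                    7
    Extended discard           :                    0
    Invalid interface          :                    0
    Info cell drops            :                    0
    Fabric drops               :                    0
Packet Forwarding Engine Input IPv4 Header Checksum Error and Output MTU Error statistics:
    Input Checksum             :                    0
    Output MTU                 :                    0
"""

# Indented 'name : value' lines; the per-second rate lines do not match and are skipped.
COUNTER_RE = re.compile(r"^\s+(?P<name>[A-Za-z][A-Za-z0-9 /-]*?)\s*:\s*(?P<value>\d+)\s*$")
DROP_WORDS = ("drop", "discard", "error", "checksum", "mtu", "timeout",
              "underflow", "overflow", "truncated")


def parse_counters(text: str) -> Dict[str, Dict[str, int]]:
    """Map each section header to a {counter name: value} dict."""
    sections: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        # Section headers start in column 0 and end with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]
            sections[current] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            sections[current][m.group("name")] = int(m.group("value"))
    return sections


def nonzero_drops(text: str) -> Dict[str, int]:
    """Return every drop-type counter whose value is not zero, keyed 'section / name'."""
    hits: Dict[str, int] = {}
    for section, counters in parse_counters(text).items():
        for name, value in counters.items():
            if value and any(word in name.lower() for word in DROP_WORDS):
                hits[f"{section} / {name}"] = value
    return hits


if __name__ == "__main__":
    for key, value in nonzero_drops(PFE_SAMPLE).items():
        print(f"{key}: {value}")
```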
This troubleshooting scenario shows how to troubleshoot and repair multicast issues on
the enterprise WAN.
If multicast is not converging or performing poorly, use the following troubleshooting
steps from the primary Internet Gateway:
1.
(Output of the PIM neighbor, MSDP peer, PIM RP, and multicast group displays; only
column fragments survived extraction: four PIM version 2 neighbors (172.31.254.14,
172.31.254.33, 172.31.254.42 and 172.31.241.10) with options HPLGT, one MSDP peer in
state Established for 1d 01:00:37 with SA count 0/0, RP address 172.31.255.15 learned
by Receive, a per-group table covering the 235.2.1.x, 235.3.1.x and 235.4.1.x groups,
an "Anycast PIM local address used" line, and an address-family INET6 entry.)
(Output of show multicast statistics; the first interface blocks survived only as
column fragments. The last three interface blocks are reconstructed below.)
Interface: ge-1/2/5.0   Routing protocol: PIM
    Mismatch error:          0   Mismatch:            0   Mismatch no route:   0
    Kernel resolve:          0   Routing notify:      0   Resolve no route:    0
    Resolve error:           0   Resolve filtered:    0   Notify filtered:     0
    In kbytes:               0   In packets:          0
    Out kbytes:        1346890   Out packets:   5894087
Interface: ge-1/3/2.0   Routing protocol: PIM
    Mismatch error:          0   Mismatch:            0   Mismatch no route:   0
    Kernel resolve:          0   Routing notify:      0   Resolve no route:    0
    Resolve error:           0   Resolve filtered:    0   Notify filtered:     0
    In kbytes:               0   In packets:          0
    Out kbytes:              0   Out packets:         0
Interface: xe-0/0/2.0   Routing protocol: PIM
    Mismatch error:          0   Mismatch:            0   Mismatch no route:   0
    Kernel resolve:         50   Routing notify:     91   Resolve no route:    0
    Resolve error:           0   Resolve filtered:    0   Notify filtered:     0
    In kbytes:         1464417   In packets:    6139693
    Out kbytes:              0   Out packets:         0
Resolve requests on interfaces not enabled for multicast 0
Resolve requests with no route to source 0
Routing notifications on interfaces not enabled for multicast 0
Routing notifications with no route to source 0
Interface mismatches on interfaces not enabled for multicast 0
Group memberships on interfaces not enabled for multicast 0
Instance: master Family: INET6
Resolve requests on interfaces not enabled for multicast 0
Resolve requests with no route to source 0
Routing notifications on interfaces not enabled for multicast 0
Routing notifications with no route to source 0
Interface mismatches on interfaces not enabled for multicast 0
Group memberships on interfaces not enabled for multicast 0
This troubleshooting scenario shows how to troubleshoot class of service on the enterprise
WAN.
Troubleshoot from the branch office
If class of service is not functioning properly, use the following troubleshooting steps
from the branch office:
1.
(Output of the show interfaces queue and class-of-service rate counters for the
Bulk_Data, Critical_Data, Video and Voice forwarding classes; only column fragments of
the per-class pps and bps rates, queued and transmitted counters, and tail-drop and
RED-drop counters survived extraction. The queue reconstructed below is the last one
that survived intact.)
Queue: 6, Forwarding classes: Network_Control
Queued:
Packets
:
161303708
Bytes
:
41938864606
Transmitted:
Packets
:
161300653
Bytes
:
41938070460
Tail-dropped packets :
1857
RED-dropped packets :
0
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
RED-dropped bytes
:
0
Low
:
0
Medium-low
:
0
Medium-high
:
0
High
:
0
0
0
0
0
0
0
0
0
0
0
0
pps
pps
pps
pps
pps
pps
bps
bps
bps
bps
bps
501 pps
1044144 bps
501 pps
1044144 bps
0 pps
0 pps
0 pps
0 pps
0 pps
0 pps
0 bps
0 bps
0 bps
0 bps
0 bps
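The per-queue drop check in these troubleshooting steps can be scripted. The following added example (not from the guide) parses the "show interfaces queue" block format shown above and lists the queues with tail or RED drops; its sample text is constructed from the Network_Control counters above plus a made-up drop-free Voice queue.

```python
"""Flag congested queues in Junos 'show interfaces queue' output. Added example,
not from the Juniper guide: parses the per-queue block format shown above and
reports every queue with tail or RED drops together with its drop ratio."""
import re
from dataclasses import dataclass

# Constructed sample: Queue 6 reuses the Network_Control counters shown in the
# guide's output; Queue 5 is a made-up drop-free queue for contrast.
SAMPLE = """\
Queue: 5, Forwarding classes: Voice
  Queued:
    Packets              :             419730795                  1104 pps
  Transmitted:
    Packets              :             419730795                  1104 pps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
Queue: 6, Forwarding classes: Network_Control
  Queued:
    Packets              :             161303708                   501 pps
  Transmitted:
    Packets              :             161300653                   501 pps
    Bytes                :           41938070460               1044144 bps
    Tail-dropped packets :                  1857                     0 pps
    RED-dropped packets  :                     0                     0 pps
"""

QUEUE_RE = re.compile(r"^Queue:\s*(\d+),\s*Forwarding classes:\s*(\S+)")
# "<name> : <count> [<rate> pps|bps]"; only the cumulative count is captured.
COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)\s*:\s*(\d+)")


@dataclass
class QueueStats:
    number: int
    forwarding_class: str
    queued_packets: int = 0
    tail_dropped: int = 0
    red_dropped: int = 0

    @property
    def dropped(self) -> int:
        return self.tail_dropped + self.red_dropped

    @property
    def drop_ratio(self) -> float:
        # Dropped packets as a fraction of packets queued; 0.0 for an idle queue.
        return self.dropped / self.queued_packets if self.queued_packets else 0.0


def parse_queues(text: str) -> list[QueueStats]:
    """Parse every 'Queue: N, Forwarding classes: X' block into a QueueStats."""
    queues: list[QueueStats] = []
    section = None  # "Queued" or "Transmitted": both sections have a Packets line
    for line in text.splitlines():
        m = QUEUE_RE.match(line)
        if m:
            queues.append(QueueStats(int(m.group(1)), m.group(2)))
            section = None
            continue
        if not queues:
            continue
        if line.strip() in ("Queued:", "Transmitted:"):
            section = line.strip()[:-1]
            continue
        m = COUNTER_RE.match(line)
        if not m:
            continue
        name, value, q = m.group(1), int(m.group(2)), queues[-1]
        if name == "Packets" and section == "Queued":
            q.queued_packets = value
        elif name == "Tail-dropped packets":
            q.tail_dropped = value
        elif name == "RED-dropped packets":
            q.red_dropped = value
    return queues


def congested_queues(text: str, min_ratio: float = 0.0) -> list[QueueStats]:
    """Queues with drops whose drop ratio exceeds min_ratio (default: any drop)."""
    return [q for q in parse_queues(text) if q.dropped and q.drop_ratio > min_ratio]
```

Feed it the saved output of "show interfaces queue" for the WAN-facing interface; a queue that keeps reporting drops at a low Bandwidth or Limit setting is the first place to compare scheduler configuration against the design.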
State          Last up/down    Peer-Group    SA Count
Established    1d 01:00:37                   0/0
Type/Output fragments of the class-of-service interface output: dscp, dscp-ipv6, dscp, dscp-ipv6 (the remaining columns were lost in extraction).
Troubleshoot from the Internet edge router
If class of service is not functioning properly, use the following troubleshooting steps:
1.
Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 INTERNET              2150324114           2150324114                    0
    1 expedited-fo                   -                    -                    0
    2 assured-forw                   -                    -                    0
    3 network-cont                   -                    -                    0
    4 BRANCH               10654624152          10654624152                    0
    7 Network_Cont                6930                 6930                    0
Queue number:         Mapped forwarding classes
    0                 INTERNET
    1                 expedited-forwarding
    2                 assured-forwarding
    3                 network-control
    4                 BRANCH
    7                 Network_Control
Active alarms  : None
Active defects : None
MAC statistics:                      Receive         Transmit
  Total octets                 4229139655321    4220500361901
  Total packets                  12356221175      12804839382
  Unicast packets                12356221135      12804839353
  Broadcast packets                       40               37
  Multicast packets                        0                0
  CRC/Align errors                         0                0
  FIFO errors                              0                0
  MAC control frames                       0                0
  MAC pause frames                         0                0
  Oversized frames                         0
  Jabber frames                            0
  Fragment frames                          0
  VLAN tagged frames                       0
  Code violations                          0
  Total errors                             0                0
Filter statistics:
  Input packet count             12355818357
  Input packet rejects                     0
  Input DA rejects                         0
  Input SA rejects                         0
  Output packet count            12804425207
  Output packet pad count                  0
  Output packet error count                0
  CAM destination filters: 0, CAM source filters: 0
Autonegotiation information:
  Negotiation status: Complete
  Link partner:
    Link mode: Full-duplex, Flow control: Symmetric/Asymmetric, Remote fault: OK
  Local resolution:
    Flow control: Symmetric, Remote fault: Link OK
Packet Forwarding Engine configuration:
  Destination slot: 0 (0x00)
CoS information:
  Direction : Output
  CoS transmit queue               Bandwidth               Buffer Priority   Limit
                              %            bps     %           usec
  0 INTERNET                 20      160000000     r              0 low         none
  4 BRANCH                   79      632000000     r              0 high        none
  7 Network_Control           1        8000000     r              0 strict-high exact
Interface transmit statistics: Disabled

Logical interface ge-1/2/5.0 (Index 346) (SNMP ifIndex 6631) (Generation 159)
  Flags: SNMP-Traps 0x4004000 Encapsulation: ENET2
  Statistics account overhead :
    Ingress account overhead : 18 bytes
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 2, Forwarding classes: assured-forwarding
  Queued:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
  Transmitted:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 3, Forwarding classes: network-control
  Queued:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
  Transmitted:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 4, Forwarding classes: BRANCH
  Queued:
    Packets              :           10656517898                171242 pps
    Bytes                :         3751917751504             482972416 bps
  Transmitted:
    Packets              :           10656517898                171242 pps
    Bytes                :         3751917751504             482972416 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 7, Forwarding classes: Network_Control
  Queued:
    Packets              :                  6932                     0 pps
    Bytes                :                823262                   352 bps
  Transmitted:
    Packets              :                  6932                     0 pps
    Bytes                :                823262                   352 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Type/Index fragment of the class-of-service interface output: ip 13 (the remaining columns were lost in extraction).
Filter: RE-PROTECT-lo0.0-i
Counters:
Name                                        Bytes        Packets
accept-bfd-lo0.0-i
access-in-lo0.0-i
bgp-in-lo0.0-i
frag-attack-lo0.0-i
icmp-in-lo0.0-i
illegal-traffic-in-lo0.0-i
loopback-in-lo0.0-i
ospf-in-lo0.0-i
radius-lo0.0-i
small-packet-attack-lo0.0-i
snmp-in-lo0.0-i
tacacs-lo0.0-i
udp-in-lo0.0-i
Policers:
Name                                        Bytes        Packets
limit-2m-bgp-in-lo0.0-i
limit-2m-icmp-in-lo0.0-i
limit-2m-ospf-in-lo0.0-i
limit-2m-snmp-in-lo0.0-i
limit-2m-udp-services-lo0.0-i
(The Bytes and Packets columns of this filter were extracted out of row order and cannot be attributed to counters; the values present were 0, 20, 36, 17855, 60084, 0, 340, 795, 1232, 270633, 0, 1635, 0, 0, 0, 2644, 0, 3503368, 21362 and a run of zeros for the policers.)
Filter: __service-NAT-HOSTED-WEB
Filter: anyany
Counters:
Name                                        Bytes        Packets
allpkts                                         0              0
Filter: discard-all
Counters:
Name                                        Bytes        Packets
discard-all-TTL_1-unknown                       0              0
discard-icmp                                    0              0
discard-ip-options                              0              0
discard-netbios                                 0              0
discard-tcp                                     0              0
discard-udp                                     0              0
discard-unknown                                 0              0
Filter: ipv4_sample
Troubleshoot from the VPN termination router
If class of service is not functioning properly, use the following troubleshooting steps:
1.
Type/Index fragments of the class-of-service interface output: dscp 961, dscp-ipv6 960; further index values 14334, 9, 13 and 2367, 9, 13 (object names were lost in extraction).
Queue: 0, Forwarding classes: Best_Effort
  Queued:
    Packets              :           10852078976                167084 pps
    Bytes                :         2802629539734             344852704 bps
  Transmitted:
    Packets              :           10852078976                167084 pps
    Bytes                :         2802629539734             344852704 bps
    Tail-dropped packets :                     0                     0 pps
    RL-dropped packets   :                     0                     0 pps
    RL-dropped bytes     :                     0                     0 bps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 1, Forwarding classes: Scavenger
  Queued:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
  Transmitted:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
    Tail-dropped packets :                     0                     0 pps
    RL-dropped packets   :                     0                     0 pps
    RL-dropped bytes     :                     0                     0 bps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 2, Forwarding classes: Bulk_Data
  Queued:
    Packets              :              62532070                   800 pps
    Bytes                :           31961293132               3283200 bps
  Transmitted:
    Packets              :              62532070                   800 pps
    Bytes                :           31961293132               3283200 bps
    Tail-dropped packets :                     0                     0 pps
    RL-dropped packets   :                     0                     0 pps
    RL-dropped bytes     :                     0                     0 bps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 3, Forwarding classes: Critical_Data
  Queued:
    Packets              :              62515685                   799 pps
    Bytes                :           24009452927               2463040 bps
  Transmitted:
    Packets              :              62515685                   799 pps
    Bytes                :           24009452927               2463040 bps
    Tail-dropped packets :                     0                     0 pps
    RL-dropped packets   :                     0                     0 pps
    RL-dropped bytes     :                     0                     0 bps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 4, Forwarding classes: Video
  Queued:
    Packets              :              39063316                   499 pps
    Bytes                :           20039317076               2051360 bps
  Transmitted:
    Packets              :              39063316                   499 pps
    Bytes                :           20039317076               2051360 bps
    Tail-dropped packets :                     0                     0 pps
    RL-dropped packets   :                     0                     0 pps
    RL-dropped bytes     :                     0                     0 bps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 5, Forwarding classes: Voice
  Queued:
    Packets              :              85956375                  1099 pps
    Bytes                :           11088434709               1134400 bps
  Transmitted:
    Packets              :              85956375                  1099 pps
    Bytes                :           11088434709               1134400 bps
    Tail-dropped packets :                     0                     0 pps
    RL-dropped packets   :                     0                     0 pps
    RL-dropped bytes     :                     0                     0 bps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 6, Forwarding classes: Network_Control
  Queued:
    Packets              :              78120505                   763 pps
    Bytes                :           12936074733               1186432 bps
  Transmitted:
    Packets              :              78120505                   763 pps
    Bytes                :           12936074733               1186432 bps
    Tail-dropped packets :                     0                     0 pps
    RL-dropped packets   :                     0                     0 pps
    RL-dropped bytes     :                     0                     0 bps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Troubleshooting from the WAN aggregation router
If class of service is not functioning properly, use the following troubleshooting steps:
1.
Type/Index fragments of the class-of-service interface output: dscp 61950, dscp-ipv6 61951, dscp 961, dscp-ipv6 960; further index values 9 and 13 (object names were lost in extraction).
   Input  packets:          28211048134               364239 pps
   Output packets:          27979629883               361951 pps
  IPv6 transit statistics:
   Input  bytes  :         420496306422
   Output bytes  :         836948546760
   Input  packets:           1796992770
   Output packets:           3576700052
  Dropped traffic statistics due to STP State:
   Input  bytes  :                    0
   Output bytes  :                    0
   Input  packets:                    0
   Output packets:                    0
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 3, Errors: 0, Drops: 33354, Collisions: 0, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
  Egress queues: 8 supported, 7 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 Best_Effort           25551424919          25551424919                    0
    1 Scavenger                       -                    -                    0
    2 Bulk_Data               622892576            622875969                16607
    3 Critical_Dat            617076089            617076089                    0
    4 Video                   458237322            458225556                11766
    5 Voice                   444989807            444986900                 2907
    6 Network_Cont            285379194            285377120                 2074
  Queue number:         Mapped forwarding classes
    0                   Best_Effort
    1                   Scavenger
    2                   Bulk_Data
    3                   Critical_Data
    4                   Video
    5                   Voice
    6                   Network_Control
  Active alarms  : None
  Active defects : None
  PCS statistics                      Seconds
    Bit errors                              1
    Errored blocks                          2
  MAC statistics:                      Receive         Transmit
    Total octets                 7754332915577    7815845819263
    Total packets                  28211375206      27979953716
    Unicast packets                27437394916      27979771866
    Broadcast packets                       45               44
    Multicast packets                773980234           181825
    CRC/Align errors                         0                0
    FIFO errors                              0                0
    MAC control frames                       0                0
    MAC pause frames                         0                0
    Oversized frames                         0
    Jabber frames                            0
    Fragment frames                          0
    VLAN tagged frames                       0
    Code violations                          0
    Total errors                             0                0
  Filter statistics:
    Input packet count             28211011680
    Input packet rejects                  3461
    Input DA rejects                         0
    Input SA rejects                         0
    Output packet count            27979593645
    Output packet pad count                  0
    Output packet error count                0
    CAM destination filters: 0, CAM source filters: 0
  Packet Forwarding Engine configuration:
    Destination slot: 0
  CoS information:
    Direction : Output
    CoS transmit queue               Bandwidth               Buffer Priority   Limit
                                %            bps     %           usec
    0 Best_Effort              95     9500000000    95              0 low         none
    3 Critical_Data             5      500000000     5              0 low         none
  Interface transmit statistics: Disabled

  Logical interface xe-0/0/2.0 (Index 333) (SNMP ifIndex 566) (Generation 142)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Statistics account overhead :
      Ingress account overhead : 18 bytes
      Egress  account overhead : 18 bytes
    Traffic statistics:
     Input  bytes  :        7752269021059
     Output bytes  :        7814188205420
     Input  packets:          28211047458
     Output packets:          27979629884
    IPv6 transit statistics:
     Input  bytes  :         420496305686
     Output bytes  :         836948546760
     Input  packets:           1796992769
     Output packets:           3576700052
    Local statistics:
     Input  bytes  :            211555319
     Output bytes  :            219102457
     Input  packets:               379386
     Output packets:               285267
    Transit statistics:
     Input  bytes  :        7752057465740            795823080 bps
     Output bytes  :        7813969102963            813102864 bps
     Input  packets:          28210668072               364238 pps
     Output packets:          27979344617               361950 pps
    IPv6 transit statistics:
     Input  bytes  :         420496305686
     Output bytes  :         836948546760
     Input  packets:           1796992769
     Output packets:           3576700052
    Protocol inet, MTU: 1500, Generation: 160, Route table: 0
      Flags: Sendbcast-pkt-to-re, User-MTU
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    (rows for queues 0 and 1 were truncated at the page break; values present: 1229027701, 1228828098, 0)
    2 Bulk_Data               547433581            547398812                34769
    3 Critical_Dat            497812815            497779434                33381
    4 Video                  1129350602           1129337716                12886
    5 Voice                   450860992            450860992                    0
    6 Network_Cont            237687401            237682216                 5185
  Queue number:         Mapped forwarding classes
    0                   Best_Effort
    1                   Scavenger
    2                   Bulk_Data
    3                   Critical_Data
    4                   Video
    5                   Voice
    6                   Network_Control
  Active alarms  : None
  Active defects : None
  MAC statistics:                      Receive         Transmit
    Total octets                 1639494368647    1567219012228
    Total packets                   4644850473       4091886629
    Unicast packets                 4644842207       3364943679
    Broadcast packets                       45               40
    Multicast packets                     8218        726942914
    CRC/Align errors                         0                0
    FIFO errors                              0                0
    MAC control frames                       0                0
    MAC pause frames                         0                0
    Oversized frames                         0
    Jabber frames                            0
    Fragment frames                          0
    VLAN tagged frames                       0
    Code violations                          0
    Total errors                             0                0
  Filter statistics:
    Input packet count              4644794509
    Input packet rejects                     0
    Input DA rejects                         0
    Input SA rejects                         0
    Output packet count             4091836717
    Output packet pad count                  0
    Output packet error count                0
    CAM destination filters: 0, CAM source filters: 0
  Autonegotiation information:
    Negotiation status: Complete
    Link partner:
      Link mode: Full-duplex, Flow control: Symmetric/Asymmetric, Remote fault: OK
    Local resolution:
      Flow control: Symmetric, Remote fault: Link OK
  Packet Forwarding Engine configuration:
    Destination slot: 1
  CoS information:
    Direction : Output
    CoS transmit queue               Bandwidth               Buffer Priority   Limit
                                %            bps     %           usec
    0 Best_Effort               r              r    20              0 medium-low  none
    1 Scavenger                 2        8000000                                  none
    2 Bulk_Data                20       80000000                                  none
    3 Critical_Data            15       60000000                                  none
    4 Video                    20       80000000                                  none
    5 Voice                     6       24000000                                  exact
    6 Network_Control           6       24000000                                  none
    (Buffer, usec and Priority cells for queues 1 to 6 were extracted out of column order as: 20 low; 20 0 medium-high; 15 0 medium-high; r high; 0 strict-high; r high)
  Interface transmit statistics: Disabled
  Logical interface ge-1/2/5.0 (Index 336) (SNMP ifIndex 576) (Generation 145)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Statistics account overhead :
      Ingress account overhead : 18 bytes
      Egress  account overhead : 18 bytes
    Traffic statistics:
     Input  bytes  :        1638216709719
     Output bytes  :        1565958726262
     Input  packets:           4644892556
     Output packets:           4091924187
    IPv6 transit statistics:
     Input  bytes  :          23257623456
     Output bytes  :          23072332686
     Input  packets:             99391555
     Output packets:             98599659
    Local statistics:
     Input  bytes  :              3572874
     Output bytes  :              2364779
     Input  packets:                24393
     Output packets:                23831
    Transit statistics:
     Input  bytes  :        1638213136845            155927384 bps
     Output bytes  :        1565956361483            153750600 bps
     Input  packets:           4644868163                55946 pps
     Output packets:           4091900356                49898 pps
    IPv6 transit statistics:
     Input  bytes  :          23257623456
     Output bytes  :          23072332686
     Input  packets:             99391555
     Output packets:             98599659
    Protocol inet, MTU: 1500, Generation: 168, Route table: 0
      Flags: Sendbcast-pkt-to-re, User-MTU
      Policer: Output: to-mpls-ge-1/2/5.0-inet-o
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 172.31.254.32/30, Local: 172.31.254.34, Broadcast: 172.31.254.35, Generation: 168
    Protocol inet6, MTU: 1500, Generation: 169, Route table: 0
      Addresses, Flags: Is-Preferred
        Destination: fe80::/64, Local: fe80::5e5e:abff:fe0e:4205
        Generation: 170
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 2001:DB8:254:1::/64, Local: 2001:DB8:254:1::2
    Protocol multiservice, MTU: Unlimited, Generation: 172
    Generation: 170, Route table: 0
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 3, Forwarding classes: Critical_Data
  Queued:
    Packets              :                 65946                  5900 pps
    Bytes                :              26378400              18880000 bps
  Transmitted:
    Packets              :                 65946                  5900 pps
    Bytes                :              26378400              18880000 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 4, Forwarding classes: Video
  Queued:
    Packets              :                153691                 13750 pps
    Bytes                :              81148848              58083456 bps
  Transmitted:
    Packets              :                153691                 13750 pps
    Bytes                :              81148848              58083456 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 5, Forwarding classes: Voice
  Queued:
    Packets              :                 59799                  5350 pps
    Bytes                :               8611056               6163360 bps
  Transmitted:
    Packets              :                 59799                  5350 pps
    Bytes                :               8611056               6163360 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Queue: 6, Forwarding classes: Network_Control
  Queued:
    Packets              :                 31296                  2800 pps
    Bytes                :               8512350               6093792 bps
  Transmitted:
    Packets              :                 31296                  2800 pps
    Bytes                :               8512350               6093792 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
Filter: discard-all
Counters:
Name                                        Bytes        Packets
discard-all-TTL_1-unknown                       0              0
discard-icmp                                    0              0
discard-ip-options                              0              0
discard-netbios                                 0              0
discard-tcp                                     0              0
discard-udp                                     0              0
discard-unknown                                 0              0
Filter: mcast
Counters:
Name                                        Bytes        Packets
MCAST                                           0              0
Filter: v4_sample
PART 3
Appendix
APPENDIX A
Alternate Configuration Aggregation and Branch Using MX80 with Services MIC
Requirements
This example uses the following hardware and software components in the role of VPN
termination router at Aggregation Hub 1:
MS-MIC
Overview
With the addition of Junos OS features delivered in 13.3, mainly per-unit GRE CoS and MS-MIC support on the MX80, the MX80 can now fulfill both the IPsec VPN termination router role and the SFW/NAT role in the three-router aggregation hub design. The IPsec VPN termination and Internet gateway roles can now be fulfilled because the MS-MIC delivers the IPsec and SFW/NAT functionality. Additionally, per-unit GRE CoS allows traffic control to Internet-connected branches from all MX variants. Note also that, with the MS-MIC and these Junos OS feature additions, the MX5 through the MX80 can now fulfill the collapsed WAN aggregation role completely.
This design option (Figure 84 on page 738) features the MX80 with an MS-MIC in the role of VPN termination router (in place of the M7i in the original design).
Topology
Figure 84: Test Lab Configuration that Employs an MX80 as the VPN Termination Router
[Figure 84 labels, in extraction order: AGGREGATION HUB 1, Internet Gateway, MX480, ISP A, AS 169, ge-1/2/5, VPN Termination, ge-1/2/6, MX80, ge-1/1/0, xe-0/0/0, Hosted Services, ge-1/1/1.1, xe-1/0/1, Data Center, LEASED LINE PROVIDER, WAN Aggregation, MX80, xe-0/0/0, ge-1/2/2, coc-1/0/1, MPLS L3 VPN, AS 555, ge-1/1/1.0, ge-1/2/5, ge-0/0/2, ge-1/3/7, Test / Emulation, ge-1/3/2, To Aggregation Hub 2]
Configure VPN VR (IPsec Termination Point) in the VPN Termination Role on page 739
Configuring Dynamic IPsec Endpoints (DEP) on the VPN Termination Router on page 739
Automation Script: Bring Down the Link to iEdge1 when the WAN-AGG1 Connectivity Is Lost on page 748
Interface Configuration toward iEdge, WAN-AGG1, Hosted Web Server & Loopback
Step-by-Step
Procedure
Configure vlan-tagging and logical interfaces for VPN termination and data center services.
[edit]
set interfaces ge-1/1/1 vlan-tagging
set interfaces ge-1/1/1 unit 0 description "--- IPsec tunnels termination VLAN ( Jbus ge-1/2/6 ) ---"
set interfaces ge-1/1/1 unit 0 vlan-id 1
Appendix A: Alternate Configuration Aggregation and Branch Using MX80 with Services MIC
3.
4.
1.
[edit]
set interfaces ms-0/2/0 unit 0 description "--- Jflow v9 ----"
set interfaces ms-0/2/0 unit 0 family inet
set interfaces ms-0/2/0 unit 1 description "--- Inbound unit for DEP IPSEC ( shared) tunnel ---"
set interfaces ms-0/2/0 unit 1 dial-options ipsec-interface-id venues
set interfaces ms-0/2/0 unit 1 dial-options shared
set interfaces ms-0/2/0 unit 1 family inet
set interfaces ms-0/2/0 unit 1 service-domain inside
set interfaces ms-0/2/0 unit 2 description "--- Outbound unit for DEP IPSEC tunnel ----"
set interfaces ms-0/2/0 unit 2 family inet
set interfaces ms-0/2/0 unit 2 service-domain outside
2.
3.
The following section shows the configurations required to enable GRE tunneling on the VPN termination router.
1.
NOTE: This is a key difference between the original config and the alternate config.
2.
Add the Ethernet interface to the Internet edge router, and configure a default static route to the Ethernet interface.
[edit]
set interfaces gr-1/0/0 hierarchical-scheduler
set interfaces gr-1/0/0 unit 1 tunnel source 172.31.255.31
set interfaces gr-1/0/0 unit 1 tunnel destination 172.16.1.255
set interfaces gr-1/0/0 unit 1 tunnel routing-instance destination VPN
set interfaces gr-1/0/0 unit 1 family inet address 172.16.1.1/30
set interfaces gr-1/0/0 unit 1 family inet6 mtu 1400
set interfaces gr-1/0/0 unit 1 family inet6 address 2001:DB8:1::1/64
set interfaces gr-1/0/0 unit 1 copy-tos-to-outer-ip-header
Configuring WAN-GRE VR
Step-by-Step
Procedure
The WAN-GRE virtual router routing instance terminates GRE tunnels from the
Internet-connected branches. The routing instance provides private overlay routing over
the GRE tunnels to the branch, and includes OSPF routing adjacencies between the GRE
tunnels.
1.
6.
This configuration has a classifier applied on the 1 GbE link to WAN-AGG1 and per-unit shaping and scheduling applied to the primary GRE over IPsec branch (a small branch connected to dual-homed aggregation hubs over the Internet).
1.
3.
4.
Configure scheduler-maps
[edit]
set class-of-service scheduler-maps MAIN-SCHD forwarding-class Voice scheduler SCH_VOICE
set class-of-service scheduler-maps MAIN-SCHD forwarding-class Video scheduler SCH_Video
set class-of-service scheduler-maps MAIN-SCHD forwarding-class Scavenger scheduler SCH_Scavenger
set class-of-service scheduler-maps MAIN-SCHD forwarding-class Network_Control scheduler SCH_Network_Control
set class-of-service scheduler-maps MAIN-SCHD forwarding-class Critical_Data scheduler SCH_Critical_Data
set class-of-service scheduler-maps MAIN-SCHD forwarding-class Bulk_Data scheduler SCH_Bulk_Data
set class-of-service scheduler-maps MAIN-SCHD forwarding-class Best_Effort scheduler SCH_Best_Effort
set class-of-service scheduler-maps GRE_Scaled_Branches forwarding-class Best_Effort scheduler GRE_Scaled_Branches_Best_Effort
set class-of-service scheduler-maps GRE_Scaled_Branches forwarding-class Network_Control scheduler GRE_Scaled_Branches_Network_Control
Automation Script: Bring Down the Link to iEdge1 when the WAN-AGG1 Connectivity Is Lost
Step-by-Step
Procedure
This configuration is used to force the entire WAN aggregation hub (primary) into a down state in the event that an internal link to WAN-AGG1 goes down.
1.
Set event options to call the interface down and up based on the underlying op script.
[edit]
set event-options policy DOWN events bfdd_trap_shop_state_down
set event-options policy DOWN attributes-match bfdd_trap_shop_state_down.pip-interface matches ge-1/1/0
Verification
Verifying VPN Termination Router Configuration
Purpose
Action
Local
Remote
1.1.1.2/24         *[Static/5] 20:45:50
                    > via ms-0/1/0.2
                   *[Static/5] 20:45:59
                    > to 1.1.1.1 via gr-0/1/0.1
                   *[Static/5] 20:45:59
                    > via ms-0/1/0.2