Mar 7, 2014

JUNOS CoS processing building block with related CLI commands

Learning the Juniper CLI is a bit of a challenge for junior network engineers or Cisco IOS engineers, because of the modular and hierarchical structure of JUNOS.
Some features need several command lines configured under different hierarchy levels, which are then combined together at another hierarchy level.
This kind of CLI design is especially hard to learn when applying CoS on a Juniper device. (I believe many Cisco IOS engineers don't want to switch to JUNOS because of this...)


The figure above shows my understanding of the related JUNOS commands that are used in our production network.

Mar 6, 2014

[POC] Use Juniper Firefly Perimeter to support RTBH BGP scale with 120 BGP Peers

Juniper FIREFLY-PERIMETER is an ideal virtual router candidate for an RTBH router, because an RTBH router only needs control plane CPU and memory (it is not limited by forwarding hardware) to exchange BGP routes tagged with communities. Not much data plane packet processing is needed.

So I rebuilt the lab with Juniper Firefly to see the difference from physical routers, using the topology below.



In my VMware Workstation lab, I assigned two interfaces to each Firefly: ge-0/0/0 was used for the BGP connections and ge-0/0/1 was used for SSH only (to make config copy/paste easier).

The most obvious advantage of Firefly is the response time of the commit action; it completed almost immediately after I pressed the Enter key when I initialized the configuration clean-up. Great!
...But after I copied & pasted all my configurations into it, the response time still became longer.

[edit]
lab@FIREFLY-PERIMETER-1# run show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                22cbfad3dcef      FIREFLY-PERIMETER
Midplane       
System IO      
Routing Engine                                           FIREFLY-PERIMETER RE
FPC 0                                                    Virtual FPC
 PIC 0                                                  Virtual GE
Power Supply 0

[edit]
lab@FIREFLY-PERIMETER-1# run show chassis forwarding
FWDD status:
  State                                 Online   
  Microkernel CPU utilization        28 percent
  Real-time threads CPU utilization   0 percent
  Heap utilization                   21 percent
  Buffer utilization                  3 percent
  Uptime:                               15 hours, 10 minutes, 32 seconds
 

I think Firefly is a great candidate for this kind of role (BGP Route Reflector), without much forwarding traffic passing through, so you don't need to be concerned about forwarding performance.
It works just for BGP signaling and sustaining routes, so it can always keep CPU loading low.

lab@FIREFLY-PERIMETER-2# run show bgp summary | match 0/0/0/0 | count
Count: 120 lines
lab@FIREFLY-PERIMETER-1# run show chassis routing-engine
Routing Engine status:
    Total memory              2048 MB Max   655 MB used ( 32 percent)
      Control plane memory    1150 MB Max   460 MB used ( 40 percent)
      Data plane memory        898 MB Max   189 MB used ( 21 percent)
    CPU utilization:
      User                       0 percent
      Background                 0 percent
      Kernel                     1 percent
      Interrupt                  0 percent
      Idle                      99 percent
    Model                          FIREFLY-PERIMETER RE
    Start time                     2014-03-05 18:49:02 UTC
    Uptime                         15 hours, 11 minutes, 42 seconds
    Last reboot reason             Router rebooted after a normal shutdown.
    Load averages:                 1 minute   5 minute  15 minute
                                       0.00       0.00       0.00
So I tried to enable an additional BGP feature - BFD (Bidirectional Forwarding Detection) over the 120 BGP sessions to test the CPU loading impact:
[edit]
lab@FIREFLY-PERIMETER-1# run show bfd session
                                                  Detect   Transmit
Address                  State     Interface      Time     Interval  Multiplier
1.1.1.2                  Up        ge-0/0/0.1     3.000     1.000        3  
2.2.2.2                  Up        ge-0/0/0.2     3.000     1.000        3  
3.3.3.2                  Up        ge-0/0/0.3     3.000     1.000        3  
...
119.119.119.2            Up        ge-0/0/0.119   3.000     1.000        3  
120.120.120.2            Up        ge-0/0/0.120   3.000     1.000        3  

120 sessions, 120 clients
Cumulative transmit rate 120.0 pps, cumulative receive rate 120.0 pps
Then the result surprised me... the CPU loading (0%) became less than before???
Cool!

[edit]
lab@FIREFLY-PERIMETER-1# run show chassis routing-engine   
Routing Engine status:
    Total memory              2048 MB Max   655 MB used ( 32 percent)
      Control plane memory    1150 MB Max   460 MB used ( 40 percent)
      Data plane memory        898 MB Max   198 MB used ( 22 percent)
    CPU utilization:
      User                       0 percent
      Background                 0 percent
      Kernel                     0 percent
      Interrupt                  0 percent
      Idle                     100 percent
    Model                          FIREFLY-PERIMETER RE
    Start time                     2014-03-05 18:49:02 UTC
    Uptime                         15 hours, 31 minutes, 33 seconds
    Last reboot reason             Router rebooted after a normal shutdown.
    Load averages:                 1 minute   5 minute  15 minute
                                       0.00       0.00       0.00
Compared with the previous Firefly version, the difference I found is that I no longer see the license expiry when I run show system license:
[edit]
lab@FIREFLY-PERIMETER-1# run show system license
License usage: none

Licenses installed: none


Maybe it's Juniper's gift without an expiry date?
Try it and you will know!


Mar 5, 2014

[POC] Use Juniper SRX100H to support RTBH BGP scale with 120 BGP Peers

Since our company's current RTBH router (Cisco 1800) was EOL, and our security team would like to expand the RTBH scope to all office SSL VPNs all over the world (more than 100), we are trying to survey a good candidate for this position.

We have a spare Juniper M10i and I believe it can meet the requirement for sure, but it's too big, so our operation team tried to leverage the lab device - a Juniper SRX100H - for this purpose. That's why I did this POC to prove the BGP scalability of the SRX100H.

Below are the Juniper SRX100H hardware features; for such a small device it has 1 GB RAM, so its control plane can do much more than I expected:
  • DDR memory: 1 GB
  • Power supply adapter: 30 watts
  • AC input voltage: 100 to 240 VAC
  • Fast Ethernet ports: 8
  • Console port: 1
  • USB port: 1
  • LEDs: 4
  • NAND flash: 1 GB
My POC topology below is very simple and straightforward: I used a single cable to connect the two SRX100Hs, then set up a trunk with 120 VLANs between them; each VLAN carries a directly connected EBGP session.
After all configuration was done, all 120 BGP neighbors were UP without issues:
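The post does not include the lab configuration itself, so here is an added example (my own code, not the author's configuration) that generates the Junos set commands for one side of this topology: one VLAN sub-interface per peer on a single trunk, one EBGP neighbor per VLAN, and the BFD timers seen later in the Firefly output (1 s transmit interval, multiplier 3). The addressing scheme (VLAN n uses n.n.n.0/24, .1 on SRX100-1 and .2 on SRX100-2, peer AS 1) is taken from the outputs on this page; the local AS 65000, the group name RTBH-PEERS, the zone name LAB, the community 65000:666 and the policy name RTBH-IN are assumptions. The RTBH import policy is what I would use in production (accept only /32 routes tagged with the blackhole community and discard them); the author's lab accepted all 20 test prefixes per peer, so pass rtbh_policy=False to reproduce the POC numbers.

```python
"""Generate Junos 'set' configuration for an N-VLAN EBGP RTBH lab.

Added example, not the original post's configuration. Assumptions (not in the
post): local AS 65000, BGP group RTBH-PEERS, security zone LAB, blackhole
community 65000:666 and import policy RTBH-IN.
"""


def valid_vlan_count(n_vlans):
    """The n.n.n.0/24 lab scheme is only sane for 1..126 VLANs: beyond that it
    would walk into 127.0.0.0/8 (assumption; the post stops at VLAN 120)."""
    return 1 <= n_vlans <= 126


def build_lab_config(n_vlans, local_side=2, local_as=65000, peer_as=1,
                     ifname="ge-0/0/0", bfd=True, flow_mode=True,
                     rtbh_policy=True):
    """Return a list of Junos 'set' commands for one side of the lab.

    local_side is the host octet this box uses (2 for SRX100-2, 1 for SRX100-1);
    the peer is the other host octet on the same /24.
    """
    if not valid_vlan_count(n_vlans):
        raise ValueError("n.n.n.0/24 lab addressing only works for 1..126 VLANs")
    if local_side not in (1, 2):
        raise ValueError("local_side must be 1 or 2")
    peer_side = 3 - local_side
    group = "RTBH-PEERS"

    cfg = [
        f"set interfaces {ifname} vlan-tagging",
        f"set routing-options autonomous-system {local_as}",
        f"set protocols bgp group {group} type external",
    ]
    if rtbh_policy:
        cfg.append(f"set protocols bgp group {group} import RTBH-IN")
    if bfd:
        # 1000 ms interval x multiplier 3 = 3 s detect time, matching the
        # 'show bfd session' output on this page.
        cfg += [
            f"set protocols bgp group {group} bfd-liveness-detection minimum-interval 1000",
            f"set protocols bgp group {group} bfd-liveness-detection multiplier 3",
        ]

    for n in range(1, n_vlans + 1):
        # One tagged sub-interface and one directly connected EBGP neighbor per VLAN.
        cfg.append(f"set interfaces {ifname} unit {n} vlan-id {n} "
                   f"family inet address {n}.{n}.{n}.{local_side}/24")
        cfg.append(f"set protocols bgp group {group} neighbor {n}.{n}.{n}.{peer_side} peer-as {peer_as}")
        if flow_mode:
            cfg.append(f"set security zones security-zone LAB interfaces {ifname}.{n}")

    if flow_mode:
        # An SRX in flow mode drops BGP and BFD destined to the RE unless the
        # zone explicitly allows them (zone name LAB is an assumption).
        cfg += [
            "set security zones security-zone LAB host-inbound-traffic protocols bgp",
            "set security zones security-zone LAB host-inbound-traffic protocols bfd",
        ]

    if rtbh_policy:
        # Assumed production policy: only /32 routes carrying the blackhole
        # community are accepted, and they are installed with a discard next hop.
        # Everything else is rejected so a peer cannot inject ordinary routes.
        cfg += [
            "set policy-options community BLACKHOLE members 65000:666",
            "set policy-options policy-statement RTBH-IN term blackhole from community BLACKHOLE",
            "set policy-options policy-statement RTBH-IN term blackhole from route-filter 0.0.0.0/0 prefix-length-range /32-/32",
            "set policy-options policy-statement RTBH-IN term blackhole then next-hop discard",
            "set policy-options policy-statement RTBH-IN term blackhole then accept",
            "set policy-options policy-statement RTBH-IN term reject-rest then reject",
        ]
    return cfg


def count_neighbors(cfg):
    """Number of 'neighbor' statements in a generated config."""
    return sum(1 for line in cfg if " neighbor " in line)


if __name__ == "__main__":
    # Side 2 of the lab (SRX100-2), 120 VLANs, ready to paste into 'configure'.
    print("\n".join(build_lab_config(120)))
```

Paste the output into configuration mode (or `load set terminal`) on each box, generating side 1 with `local_side=1`. The public-looking n.n.n.0/24 addresses are only acceptable on an isolated lab cable; in production use your own or RFC 1918 space, and keep the restrictive import policy so the RTBH router only ever learns blackhole host routes.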
lab@SRX100-2# run show bgp summary 
Groups: 1 Peers: 120 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0              2400         20          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
1.1.1.1                   1        215        216       0       1     3:23:49 20/20/20/0           0/0/0/0
2.2.2.1                   1        214        214       0       1     3:23:45 0/20/20/0            0/0/0/0
3.3.3.1                   1        213        214       0       1     3:23:41 0/20/20/0            0/0/0/0
...
118.118.118.1             1        213        214       0       1     3:23:39 0/20/20/0            0/0/0/0
119.119.119.1             1        213        214       0       1     3:23:35 0/20/20/0            0/0/0/0
120.120.120.1             1        213        214       0       1     3:23:31 0/20/20/0            0/0/0/0

lab@SRX100-2# run show bgp summary | match 0/0/0/0 | count
Count: 120 lines
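Both POCs count established peers with `show bgp summary | match 0/0/0/0 | count`, which only works while every established peer prints its per-table counters on the same line. As an added example (not from the original post), this parser reads the State column instead, so a peer stuck in Active or Idle is reported as down with its state name, and the multi-line `Establ` format that newer Junos prints (counters on indented per-table lines) is handled too. The first three sample peers copy the format shown above; the Active, Idle and `Establ` entries are constructed to exercise the other cases.

```python
"""Parse Junos 'show bgp summary' and count Established peers.

Added example, not from the original post. Handles both the single-line
format (counters in the State column) and the multi-line 'Establ' format.
"""
import re

# Peer, AS, InPkt, OutPkt, OutQ, Flaps, Last Up/Dwn, State...
# Last Up/Dwn may contain a space ('1w2d 4:05:06'), so it gets its own pattern.
PEER_LINE = re.compile(
    r"^(?P<peer>[0-9a-fA-F.:]+)\s+(?P<asn>\d+)\s+(?P<inpkt>\d+)\s+(?P<outpkt>\d+)\s+"
    r"(?P<outq>\d+)\s+(?P<flaps>\d+)\s+"
    r"(?P<updown>(?:\d+w)?(?:\d+d)?\s*\d+:\d+(?::\d+)?)\s+(?P<state>\S.*)$"
)
COUNTERS = re.compile(r"^(\d+)/(\d+)/(\d+)/(\d+)$")
TABLE_LINE = re.compile(r"^\s+(?P<table>\S+):\s+(?P<counters>\d+/\d+/\d+/\d+)")

# Constructed sample: first three peers follow the output on this page, the
# Active, Idle and multi-line Establ peers are made up to cover those cases.
SAMPLE = """\
Groups: 1 Peers: 6 Down peers: 2
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0                80         20          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
1.1.1.1                   1        215        216       0       1     3:23:49 20/20/20/0           0/0/0/0
2.2.2.1                   1        214        214       0       1     3:23:45 0/20/20/0            0/0/0/0
3.3.3.1                   1        213        214       0       1     3:23:41 0/20/20/0            0/0/0/0
4.4.4.1                   1          0          0       0       3        1:02 Active
5.5.5.1                   1          0          0       0       0        0:15 Idle
6.6.6.1                   1        210        211       0       0  1w2d 4:05:06 Establ
  inet.0: 0/20/20/0
  inet6.0: 0/0/0/0
"""


def parse_bgp_summary(text):
    """Return one dict per peer with 'established', 'state' and the
    Active/Received/Accepted/Damped counters of the first routing table."""
    peers = []
    for line in text.splitlines():
        m = PEER_LINE.match(line)
        if m:
            state = m.group("state").split()[0]
            p = {"peer": m.group("peer"), "asn": int(m.group("asn")),
                 "flaps": int(m.group("flaps")), "updown": m.group("updown"),
                 "state": state, "established": False,
                 "active": 0, "received": 0, "accepted": 0, "damped": 0}
            c = COUNTERS.match(state)
            if c:
                # Single-line format: counters of the first table sit in the State column.
                p["established"] = True
                p["state"] = "Establ"
                p["active"], p["received"], p["accepted"], p["damped"] = map(int, c.groups())
            elif state == "Establ":
                p["established"] = True  # counters follow on indented table lines
            peers.append(p)
            continue
        t = TABLE_LINE.match(line)
        if t and peers and peers[-1]["established"] and "table" not in peers[-1]:
            # Multi-line format: take the first table (normally inet.0).
            p = peers[-1]
            p["table"] = t.group("table")
            p["active"], p["received"], p["accepted"], p["damped"] = \
                map(int, t.group("counters").split("/"))
    return peers


def summarize(peers):
    """Totals a monitoring check would alert on: down peers and route counts."""
    est = [p for p in peers if p["established"]]
    return {"total": len(peers), "established": len(est), "down": len(peers) - len(est),
            "down_peers": [(p["peer"], p["state"]) for p in peers if not p["established"]],
            "received": sum(p["received"] for p in est),
            "active": sum(p["active"] for p in est)}


if __name__ == "__main__":
    print(summarize(parse_bgp_summary(SAMPLE)))
```

Feed it the real output (for example `show bgp summary | no-more` collected over SSH) and alert when `down` is non-zero or `received` drops below the expected number of blackhole routes; with 120 peers a single string match gives no hint which peer went down, while `down_peers` names it and its state.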

And I configured 20 BGP network announcements to each neighbor:


lab@SRX100-2# run show route protocol bgp | count
Count: 2400 lines

Then I checked the SRX CPU and memory usage; it looks great!


lab@SRX100-2# run show chassis routing-engine
Routing Engine status:
    Temperature                 60 degrees C / 140 degrees F
    Total memory              1024 MB Max   461 MB used ( 45 percent)
      Control plane memory     560 MB Max   330 MB used ( 59 percent)
      Data plane memory        464 MB Max   135 MB used ( 29 percent)
    CPU utilization:
      User                       4 percent
      Background                 0 percent
      Kernel                     8 percent
      Interrupt                  0 percent
      Idle                      88 percent
    Model                          RE-SRX100H
    Serial ID                      AT1612AF0205
    Start time                     2014-03-05 09:40:12 UTC
    Uptime                         4 hours, 29 minutes, 8 seconds
    Last reboot reason             0x1:power cycle/failure 
    Load averages:                 1 minute   5 minute  15 minute
                                       0.11       0.13       0.07 
If you have a similar case and realistic resource limitations, maybe you can consider reusing your spare Juniper SRX to do this kind of job :)
Good luck!