Quite often I see ip ospf mtu-ignore configured when two routers' MTUs mismatch. This is bad. To demonstrate why, I'll use the following simple topology:

Let's create a simple area 0 point-to-point adjacency between the two routers and make R1's MTU slightly larger. Then configure ip ospf mtu-ignore, otherwise the adjacency will not come up:
R1
interface GigabitEthernet1/0
 mtu 2000
 ip address 10.0.0.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf mtu-ignore
 ip ospf 1 area 0
The adjacency is fine as far as we can see:
R1#sh ip ospf neighbor | beg Nei
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.2.3.255         0   FULL/  -        00:00:30    10.0.0.1        GigabitEthernet1/0
Now I've added 256 loopback interfaces to R1 and put them all into OSPF with network 0.0.0.0 0.0.0.0 area 0. This means all those loopback interfaces will be part of the type 1 LSA originated by R1. What happens though?
interface Loopback1
 ip address 1.2.3.1 255.255.255.255
!
interface Loopback2
 ip address 1.2.3.2 255.255.255.255
!
interface Loopback3
!
[etc etc etc]
!
router ospf 1
 network 0.0.0.0 0.0.0.0 area 0
At first, nothing seems wrong. But take a look at the database from R1's and R2's perspectives. Remember that the link-state database should be identical on both.
R1#sh ip ospf database
OSPF Router with ID (1.2.3.255) (Process ID 1)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
1.2.3.255 1.2.3.255 33 0x80000005 0x00767B 257
10.0.0.2 10.0.0.2 100 0x80000011 0x00C816 2
R2#sh ip ospf database
OSPF Router with ID (10.0.0.2) (Process ID 1)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
1.2.3.255 1.2.3.255 130 0x80000004 0x00856D 2
10.0.0.2 10.0.0.2 128 0x80000011 0x00C816 2
R1 sees a link count of 257 for R1's router LSA, while R2 only sees 2. This can be confirmed by seeing that R2 doesn't have any OSPF routes to R1's loopbacks:
R2#sh ip route ospf | beg Gate
Gateway of last resort is not set
If you wait a while you'll see LOADING on the adjacency too. Eventually the adjacency resets and tries again:
R2#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.2.3.255         0   LOADING/  -     00:00:32    10.0.0.1        GigabitEthernet1/0
R2#
*Feb 6 19:11:26.958: %OSPF-5-ADJCHG: Process 1, Nbr 1.2.3.255 on GigabitEthernet1/0 from LOADING to DOWN, Neighbor Down: Too many retransmissions
So what exactly is happening? If you check Wireshark you'll see the issue straight away:


OSPF does not do any sort of path MTU discovery. R1 is attempting to send its type 1 LSA, and it is fragmenting the packet at its own MTU of 2000. R2 cannot receive a frame that large, so those fragments get dropped. R2 never acknowledges the LSA because it never receives it, and eventually the failed retransmissions cause the adjacency to reset. This then repeats over and over.
This could be hidden though. Let's stop R1 advertising all those addresses via its type 1 LSA and instead redistribute the connected links into OSPF:
R1(config)#router ospf 1
R1(config-router)#no network 0.0.0.0 0.0.0.0 area 0
R1(config-router)#redistribute connected subnet
R1(config-router)#end
R2#sh ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
1.2.3.255 0 FULL/ - 00:00:38 10.0.0.1 GigabitEthernet1/0
R2#sh ip route ospf | beg Gate
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 255 subnets
O E2 1.2.3.1 [110/20] via 10.0.0.1, 00:01:14, GigabitEthernet1/0
O E2 1.2.3.2 [110/20] via 10.0.0.1, 00:01:14, GigabitEthernet1/0
O E2 1.2.3.3 [110/20] via 10.0.0.1, 00:01:14, GigabitEthernet1/0
O E2 1.2.3.4 [110/20] via 10.0.0.1, 00:01:14, GigabitEthernet1/0
O E2 1.2.3.5 [110/20] via 10.0.0.1, 00:01:14, GigabitEthernet1/0
O E2 1.2.3.6 [110/20] via 10.0.0.1, 00:01:14, GigabitEthernet1/0
O E2 1.2.3.7 [110/20] via 10.0.0.1, 00:01:14, GigabitEthernet1/0
O E2 1.2.3.8 [110/20] via 10.0.0.1, 00:01:14, GigabitEthernet1/0
O E2 1.2.3.9 [110/20] via 10.0.0.1, 00:01:14, GigabitEthernet1/0
[etc]
This time it works, even with a mismatched MTU. Why? A type 5 LSA only has space for a single address. This means that R1 originates 255 type 5 LSAs, and each of those LSAs is much, much smaller than 2000 bytes. The LSA updates are therefore no bigger than 1500 bytes, so R2 never drops any of those packets.
A router only originates a single router LSA, and that single LSA has to contain all of the router's interface addresses that are enabled for OSPF in the area. If a router has 1000 interfaces, well, that's a large type 1.
You can see the individual type5s in the database itself:
R2#sh ip ospf database | beg External
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
1.2.3.1 1.2.3.255 390 0x80000001 0x00692A 0
1.2.3.2 1.2.3.255 390 0x80000001 0x005F33 0
1.2.3.3 1.2.3.255 390 0x80000001 0x00553C 0
1.2.3.4 1.2.3.255 390 0x80000001 0x004B45 0
1.2.3.5 1.2.3.255 390 0x80000001 0x00414E 0
1.2.3.6 1.2.3.255 390 0x80000001 0x003757 0
1.2.3.7 1.2.3.255 390 0x80000001 0x002D60 0
1.2.3.8 1.2.3.255 390 0x80000001 0x002369 0
1.2.3.9 1.2.3.255 390 0x80000001 0x001972 0
1.2.3.10 1.2.3.255 390 0x80000001 0x000F7B 0
[etc etc]
Out of interest, type 3, type 4, type 5, and type 7 LSAs all follow the 'single address per LSA' model and as such should never be that big. A type 2 LSA will grow with the number of routers on the layer 2 segment, but I find it hard to believe that there would be over 100 routers on a single segment (though not impossible).
By the way, I wrote a separate post explaining a few more in-depth spf considerations when it comes to type1s and type5s over here: OSPF – Type 1 LSA vs Type 5 LSA (passive vs redistribute)
So there you have it. Ignore the MTU at your own peril. Fix the MTU mismatch rather than just ignoring it. It might not be an issue 'now', but as your router LSA grows in size you suddenly run into a problem.
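To put numbers on the size argument above, here is an added Python model (not code from the post) of the LSA and IP fragment sizes in this lab. Field sizes follow the OSPFv2 encodings in RFC 2328; the fragmentation model is plain IPv4, where the sender cuts at its own MTU and the receiver drops any fragment larger than its MTU. The MTUs (2000 and 1500) and link counts (257 and 2) come from the lab; everything else is a constructed model.

```python
"""Size model for the LSAs in the OSPF MTU lab (added example, not from the post).

Field sizes follow RFC 2328: 20-byte LSA header, 4 fixed bytes plus 12 bytes per
link in a router LSA, 16-byte body in an AS-external LSA. A router LSA is one
indivisible LSA, so its update grows with the link count; a type 5 LSA carries
exactly one prefix, so its size never changes."""

IP_HDR = 20             # IPv4 header without options
OSPF_HDR = 24           # OSPFv2 packet header
LS_UPDATE_FIXED = 4     # "number of LSAs" field of a Link State Update
LSA_HDR = 20            # common LSA header (age, type, ID, adv router, seq, cksum, len)
ROUTER_LSA_FIXED = 4    # V/E/B flags, pad, number of links
ROUTER_LINK = 12        # link ID, link data, type, #TOS, metric
EXTERNAL_LSA_BODY = 16  # netmask, E-bit/metric, forwarding address, route tag


def router_lsa_size(num_links: int) -> int:
    """Bytes in a single type 1 LSA describing num_links links."""
    return LSA_HDR + ROUTER_LSA_FIXED + ROUTER_LINK * num_links


def external_lsa_size() -> int:
    """Bytes in one type 5 LSA: one prefix per LSA, so the size is fixed."""
    return LSA_HDR + EXTERNAL_LSA_BODY


def ls_update_packet_size(lsa_sizes) -> int:
    """IP packet size of one Link State Update carrying the given LSAs."""
    return IP_HDR + OSPF_HDR + LS_UPDATE_FIXED + sum(lsa_sizes)


def ip_fragments(packet_size: int, sender_mtu: int) -> list:
    """Sizes of the IPv4 fragments the sender emits (payload per fragment is a multiple of 8)."""
    if packet_size <= sender_mtu:
        return [packet_size]
    max_payload = (sender_mtu - IP_HDR) // 8 * 8
    remaining = packet_size - IP_HDR
    frags = []
    while remaining > 0:
        chunk = min(remaining, max_payload)
        frags.append(IP_HDR + chunk)
        remaining -= chunk
    return frags


def deliverable(packet_size: int, sender_mtu: int, receiver_mtu: int) -> bool:
    """True when every fragment fits the receiver's MTU, so the update can be reassembled."""
    return all(frag <= receiver_mtu for frag in ip_fragments(packet_size, sender_mtu))


def max_router_links_unfragmented(mtu: int) -> int:
    """Largest link count whose router LSA still fits one unfragmented update at this MTU."""
    return (mtu - ls_update_packet_size([router_lsa_size(0)])) // ROUTER_LINK


if __name__ == "__main__":
    big = ls_update_packet_size([router_lsa_size(257)])  # R1's type 1 with 257 links
    ext = ls_update_packet_size([external_lsa_size()])   # one of the 255 type 5s
    print("R1 router LSA update:", big, "bytes; fragments at MTU 2000:", ip_fragments(big, 2000))
    print("reassembled by R2 at MTU 1500?", deliverable(big, 2000, 1500))
    print("same LSA with matched MTUs of 1500?", deliverable(big, 1500, 1500))
    print("type 5 update:", ext, "bytes; reassembled by R2?", deliverable(ext, 2000, 1500))
    print("links that fit unfragmented at MTU 1500:", max_router_links_unfragmented(1500))
```

With matched MTUs the same 3156-byte update fragments into pieces R2 can accept, which is why fixing the mismatch is the real cure rather than ignoring it.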
Junos has some pretty handy shortcuts when it comes to prefix-lists.
For this example I’m using a cut-down version of my JNCIE-SP topology:

R1 and R2 are internal BGP neighbours. They are running both OSPFv2 and OSPFv3 with authentication. R3 and R4 are external BGP peers running both the v4 and v6 address families.
In order to mitigate attacks on the router's CPU, we need a filter in place. In the filter we can specify over which interfaces BGP is allowed, and from which neighbours. You can do this per neighbour, but that is not scalable if you have hundreds of peers, which is common when you have a router at an internet exchange point. There is a much better way. Junos can inherit properties from another stanza. This is dynamic: when you add another BGP peer, the filter picks up the new address, and when you remove a peer, that address is removed. This is how I've done mine:
USER2:R2> show configuration policy-options prefix-list BGP-PEER-ADDRESS
apply-path "logical-systems R2 protocols bgp group <*> neighbor <*.*>";
You can show what addresses this actually expands to by displaying inheritance:
USER2:R2> show configuration policy-options prefix-list BGP-PEER-ADDRESS | display inheritance
##
## apply-path was expanded to:
##     1.1.1.1/32;
##     10.0.4.1/32;
##     10.0.4.9/32;
##
apply-path "logical-systems R2 protocols bgp group <*> neighbor <*.*>";
If I add a new neighbour, the filter is automatically updated:
USER2:R2# set protocols bgp group INTERNAL neighbor 10.10.10.10 peer-as 500
[edit]
USER2:R2# commit and-quit
commit complete
Exiting configuration mode
USER2:R2> show configuration policy-options prefix-list BGP-PEER-ADDRESS | display inheritance
##
## apply-path was expanded to:
##     1.1.1.1/32;
##     10.10.10.10/32;
##     10.0.4.1/32;
##     10.0.4.9/32;
##
apply-path "logical-systems R2 protocols bgp group <*> neighbor <*.*>";
Removing the neighbour removes it from the filter straight away.
The same can be done with IPv6, but you match on the colon instead of the period:
USER2:R2> show configuration policy-options prefix-list IPv6-BGP-PEER-ADDRESS
apply-path "logical-systems R2 protocols bgp group <*> neighbor <*:*>";
USER2:R2> show configuration policy-options prefix-list IPv6-BGP-PEER-ADDRESS | display inheritance
##
## apply-path was expanded to:
##     2001:1:23::3/128;
##     2001:1:24::4/128;
##
apply-path "logical-systems R2 protocols bgp group <*> neighbor <*:*>";
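To see exactly what the two apply-path patterns select, here is an added Python emulation of the expansion (not Junos code and not from the post) run over a constructed set-format config that mirrors the neighbours shown above. The group names, the peer-as values and the OSPF line are made up; the `<*.*>` versus `<*:*>` wildcard is what keeps IPv4 and IPv6 peers in separate lists.

```python
"""Emulation of Junos apply-path expansion for a prefix-list (added example, not
Junos code). Each <...> token in the path is a glob matched against one word of
a set-style config line; the word matched by the last wildcard is the address
collected into the list. The config below is constructed for this example."""
import fnmatch
import ipaddress

R2_CONFIG = [
    "logical-systems R2 protocols bgp group INTERNAL neighbor 1.1.1.1 peer-as 65000",
    "logical-systems R2 protocols bgp group EXTERNAL neighbor 10.0.4.1 peer-as 65003",
    "logical-systems R2 protocols bgp group EXTERNAL neighbor 10.0.4.9 peer-as 65004",
    "logical-systems R2 protocols bgp group EXTERNAL-V6 neighbor 2001:1:23::3 peer-as 65003",
    "logical-systems R2 protocols bgp group EXTERNAL-V6 neighbor 2001:1:24::4 peer-as 65004",
    # A line under another stanza must never leak into the BGP prefix-list.
    "logical-systems R2 protocols ospf area 0.0.0.0 interface ae0.23",
]

V4_PATH = "logical-systems R2 protocols bgp group <*> neighbor <*.*>"
V6_PATH = "logical-systems R2 protocols bgp group <*> neighbor <*:*>"


def _match(pattern_tokens, words):
    """Return the word captured by the last wildcard, or None if the path does not match."""
    if len(words) < len(pattern_tokens):
        return None
    captured = None
    for token, word in zip(pattern_tokens, words):
        if token.startswith("<") and token.endswith(">"):
            if not fnmatch.fnmatchcase(word, token[1:-1]):
                return None
            captured = word
        elif token != word:
            return None
    return captured


def expand_apply_path(path: str, config_lines) -> list:
    """Host prefixes (/32 or /128) the apply-path expands to, numerically sorted."""
    tokens = path.split()
    addrs = set()
    for line in config_lines:
        captured = _match(tokens, line.split())
        if captured is None:
            continue
        try:
            addrs.add(ipaddress.ip_address(captured))
        except ValueError:  # the wildcard matched something that is not an address
            continue
    ordered = sorted(addrs, key=lambda a: (a.version, a))
    return [f"{a}/{a.max_prefixlen}" for a in ordered]


if __name__ == "__main__":
    print("IPv4 peers:", expand_apply_path(V4_PATH, R2_CONFIG))
    print("IPv6 peers:", expand_apply_path(V6_PATH, R2_CONFIG))
    # Adding a neighbour, as in the post, shows up on the next expansion.
    added = R2_CONFIG + [
        "logical-systems R2 protocols bgp group INTERNAL neighbor 10.10.10.10 peer-as 500"
    ]
    print("after adding 10.10.10.10:", expand_apply_path(V4_PATH, added))
```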
I wanted to put together a topology for my JNCIE-SP studies. This may evolve over time as I want to practice new things.
I only have a single tunnel PIC so it’s going to be tricky getting certain things like multicast to work. Let’s see how far I get though.
I’ve got my physical M10 connected to a Cisco 3750G like so:

You'll notice that the logical topology is extremely similar to the one in the JNCIE-M study guide by Harry Reynolds. I've made a few changes here and there; mainly I'm only using ethernet and aggregated ethernet interfaces. I'll probably expand on this topology in the future with some route injectors and VMs acting as hosts. Maybe; I'm not sure if I need them yet.
Click on the image for the full topology as I can’t fit it on the page:

T1, C2, and P1 routers are going to be regular IOS routers as they aren’t doing anything special. If I need to I will add another virtual system for these routers.
This is the config I have used:
set system login class C1-superuser logical-system C1
set system login class C1-superuser permissions all
set system login class DC1-superuser logical-system DC1
set system login class DC1-superuser permissions all
set system login class R1-superuer logical-system R1
set system login class R1-superuer permissions all
set system login class R2-superuer logical-system R2
set system login class R2-superuer permissions all
set system login class R3-superuer logical-system R3
set system login class R3-superuer permissions all
set system login class R4-superuer logical-system R4
set system login class R4-superuer permissions all
set system login class R5-superuer logical-system R5
set system login class R5-superuer permissions all
set system login class R6-superuer logical-system R6
set system login class R6-superuer permissions all
set system login class R7-superuer logical-system R7
set system login class R7-superuer permissions all
set system login user USER1 uid 2001
set system login user USER1 class R1-superuer
set system login user USER1 authentication encrypted-password "$1$lDtkDsHm$eelHGn4WRtFRWoMDOOnJe."
set system login user USER2 uid 2003
set system login user USER2 class R2-superuer
set system login user USER2 authentication encrypted-password "$1$mu8Qv22V$0UNQfvQhofE3U3QcGCvA/1"
set system login user USER3 uid 2004
set system login user USER3 class R3-superuer
set system login user USER3 authentication encrypted-password "$1$..yI5/3y$55Jve0qo3ExZ9fly0RC800"
set system login user USER4 uid 2005
set system login user USER4 class R4-superuer
set system login user USER4 authentication encrypted-password "$1$1bGZut11$/t/kOHd1TOF4RsIC35iKi1"
set system login user USER5 uid 2006
set system login user USER5 class R5-superuer
set system login user USER5 authentication encrypted-password "$1$DORTDfVE$iIQg5wjxlMIbs1or8UH1d."
set system login user USER6 uid 2007
set system login user USER6 class R6-superuer
set system login user USER6 authentication encrypted-password "$1$dru6DbTm$cW/mkb5KKaJoxJnkRZhRk/"
set system login user USER7 uid 2008
set system login user USER7 class R7-superuer
set system login user USER7 authentication encrypted-password "$1$BD5mwm9a$5LdFlrfjdJd0rteIbfDUH1"
set system login user USERC1 uid 2009
set system login user USERC1 class C1-superuser
set system login user USERC1 authentication encrypted-password "$1$xZdBRvek$aFPGNhmNr7gLlSchowTbs/"
set system login user USERDC1 uid 2010
set system login user USERDC1 class DC1-superuser
set system login user USERDC1 authentication encrypted-password "$1$ymRQYukx$FlrTexvuIj364FPk2V/Vo/"
set system services ftp
set system services ssh
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set logical-systems C1 interfaces fe-0/0/3 unit 117 vlan-id 117
set logical-systems C1 interfaces fe-0/0/3 unit 117 family inet address 172.16.0.2/30
set logical-systems C1 interfaces fe-1/0/3 unit 114 vlan-id 114
set logical-systems C1 interfaces fe-1/0/3 unit 114 family inet address 172.16.0.6/30
set logical-systems C1 protocols ospf area 0.0.0.0 interface all
set logical-systems DC1 interfaces fe-1/0/3 unit 106 vlan-id 106
set logical-systems DC1 interfaces fe-1/0/3 unit 106 family inet address 10.0.8.1/30
set logical-systems DC1 interfaces fe-1/0/3 unit 107 vlan-id 107
set logical-systems DC1 interfaces fe-1/0/3 unit 107 family inet address 10.0.8.13/30
set logical-systems R2 interfaces fe-0/0/3 unit 12 vlan-id 12
set logical-systems R2 interfaces fe-0/0/3 unit 12 family inet address 10.0.4.6/30
set logical-systems R2 interfaces fe-0/0/3 unit 24 vlan-id 24
set logical-systems R2 interfaces fe-0/0/3 unit 24 family inet address 10.0.4.10/30
set logical-systems R2 interfaces fe-1/0/3 unit 112 vlan-id 112
set logical-systems R2 interfaces fe-1/0/3 unit 112 family inet address 10.0.5.2/24
set logical-systems R2 interfaces ae0 unit 23 vlan-id 23
set logical-systems R2 interfaces ae0 unit 23 family inet address 10.0.4.2/30
set logical-systems R3 interfaces fe-0/0/3 unit 36 vlan-id 36
set logical-systems R3 interfaces fe-0/0/3 unit 36 family inet address 10.0.2.14/30
set logical-systems R3 interfaces fe-0/0/3 unit 103 vlan-id 103
set logical-systems R3 interfaces fe-0/0/3 unit 103 family inet address 172.16.0.13/30
set logical-systems R3 interfaces fe-1/0/3 unit 13 vlan-id 13
set logical-systems R3 interfaces fe-1/0/3 unit 13 family inet address 10.0.4.13/30
set logical-systems R3 interfaces fe-1/0/3 unit 34 vlan-id 34
set logical-systems R3 interfaces fe-1/0/3 unit 34 family inet address 10.0.2.5/30
set logical-systems R3 interfaces ae0 unit 35 vlan-id 35
set logical-systems R3 interfaces ae0 unit 35 family inet address 10.0.2.2/30
set logical-systems R3 interfaces ae1 unit 23 vlan-id 23
set logical-systems R3 interfaces ae1 unit 23 family inet address 10.0.4.1/30
set logical-systems R4 interfaces fe-0/0/3 unit 34 vlan-id 34
set logical-systems R4 interfaces fe-0/0/3 unit 34 family inet address 10.0.2.6/30
set logical-systems R4 interfaces fe-0/0/3 unit 114 vlan-id 114
set logical-systems R4 interfaces fe-0/0/3 unit 114 family inet address 172.16.0.5/30
set logical-systems R4 interfaces fe-1/0/3 unit 24 vlan-id 24
set logical-systems R4 interfaces fe-1/0/3 unit 24 family inet address 10.0.4.9/30
set logical-systems R4 interfaces ae0 unit 45 vlan-id 45
set logical-systems R4 interfaces ae0 unit 45 family inet address 10.0.8.10/30
set logical-systems R4 interfaces ae0 unit 47 vlan-id 47
set logical-systems R4 interfaces ae0 unit 47 family inet address 10.0.2.18/30
set logical-systems R4 interfaces ae1 unit 14 vlan-id 14
set logical-systems R4 interfaces ae1 unit 14 family inet address 10.0.4.17/30
set logical-systems R5 interfaces ae0 unit 56 vlan-id 56
set logical-systems R5 interfaces ae0 unit 56 family inet address 10.0.8.6/30
set logical-systems R5 interfaces ae0 unit 57 vlan-id 57
set logical-systems R5 interfaces ae0 unit 57 family inet address 10.0.8.10/30
set logical-systems R5 interfaces ae1 unit 35 vlan-id 35
set logical-systems R5 interfaces ae1 unit 35 family inet address 10.0.2.1/30
set logical-systems R5 interfaces ae1 unit 45 vlan-id 45
set logical-systems R5 interfaces ae1 unit 45 family inet address 10.0.8.9/30
set logical-systems R6 interfaces fe-0/0/3 unit 106 vlan-id 106
set logical-systems R6 interfaces fe-0/0/3 unit 106 family inet address 10.0.8.2/30
set logical-systems R6 interfaces fe-0/0/3 unit 206 vlan-id 206
set logical-systems R6 interfaces fe-0/0/3 unit 206 family inet address 172.16.0.9/30
set logical-systems R6 interfaces fe-1/0/3 unit 36 vlan-id 36
set logical-systems R6 interfaces fe-1/0/3 unit 36 family inet address 10.0.2.13/30
set logical-systems R6 interfaces ae1 unit 56 vlan-id 56
set logical-systems R6 interfaces ae1 unit 56 family inet address 10.0.8.5/30
set logical-systems R7 interfaces fe-0/0/3 unit 107 vlan-id 107
set logical-systems R7 interfaces fe-0/0/3 unit 107 family inet address 10.0.8.14/30
set logical-systems R7 interfaces fe-1/0/3 unit 117 vlan-id 117
set logical-systems R7 interfaces fe-1/0/3 unit 117 family inet address 172.16.0.1/30
set logical-systems R7 interfaces ae1 unit 47 vlan-id 47
set logical-systems R7 interfaces ae1 unit 47 family inet address 10.0.2.17/30
set logical-systems R7 interfaces ae1 unit 57 vlan-id 57
set logical-systems R7 interfaces ae1 unit 57 family inet address 10.0.8.10/30
set chassis aggregated-devices ethernet device-count 15
set interfaces fe-0/0/0 fastether-options 802.3ad ae1
set interfaces fe-0/0/1 fastether-options 802.3ad ae1
set interfaces fe-0/0/3 vlan-tagging
set interfaces fe-0/0/3 unit 13 vlan-id 13
set interfaces fe-0/0/3 unit 13 family inet address 10.0.4.14/30
set interfaces fe-0/0/3 unit 112 vlan-id 112
set interfaces fe-0/0/3 unit 112 family inet address 10.0.5.1/24
set interfaces fe-1/0/0 fastether-options 802.3ad ae0
set interfaces fe-1/0/1 fastether-options 802.3ad ae0
set interfaces fe-1/0/3 vlan-tagging
set interfaces fe-1/0/3 unit 12 vlan-id 12
set interfaces fe-1/0/3 unit 12 family inet address 10.0.4.5/30
set interfaces ae0 vlan-tagging
set interfaces ae0 unit 14 vlan-id 14
set interfaces ae0 unit 14 family inet address 10.0.4.18/30
set interfaces ae1 vlan-tagging
set interfaces fxp0 unit 0 family inet address 192.168.254.8/31
set routing-options static route x.x.x.x/32 next-hop 192.168.254.9
Note that the user passwords are all passw0rd and the root password is junip3r.
The 3750G config is pretty simple:
vlan 12-14,23-24,34-36,45,47,56-57,103,106-107,112,114,117,206
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface Port-channel2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode on
!
interface FastEthernet1/0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode on
!
interface FastEthernet1/0/11
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 channel-group 2 mode on
!
interface FastEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 channel-group 2 mode on
Initially I was going to run LACP, but the PFE on this old M10 doesn't support it. Hence the channels are merely 'on'.
I bashed this together as I wanted a topology I could easily jump on and do things with. This is all running as logical systems on a single M10.
This is the logical topology (Click to view the full size image):

The actual physical topology is very simple:

The switch has been configured to run dot1q trunks to the M10 and I’ve created and allowed all needed vlan tags across.
I've used 2 different fastethernet PICs, but there is nothing stopping you from using just one. I've created a separate user account for each system so that I can log in with a user directly into each logical-system. Just adjust the config for your interfaces.
This is my actual configuration itself:
set system login class J1-superuser logical-system J1
set system login class J1-superuser permissions all
set system login class J10-superuser logical-system J10
set system login class J10-superuser permissions all
set system login class J11-superuser logical-system J11
set system login class J11-superuser permissions all
set system login class J12-superuser logical-system J12
set system login class J12-superuser permissions all
set system login class J13-superuser logical-system J13
set system login class J13-superuser permissions all
set system login class J2-superuser logical-system J2
set system login class J2-superuser permissions all
set system login class J3-superuser logical-system J3
set system login class J3-superuser permissions all
set system login class J4-superuser logical-system J4
set system login class J4-superuser permissions all
set system login class J5-superuser logical-system J5
set system login class J5-superuser permissions all
set system login class J6-superuser logical-system J6
set system login class J6-superuser permissions all
set system login class J7-superuser logical-system J7
set system login class J7-superuser permissions all
set system login class J8-superuser logical-system J8
set system login class J8-superuser permissions all
set system login class J9-superuser logical-system J9
set system login class J9-superuser permissions all
set system login user USER1 uid 2000
set system login user USER1 class J1-superuser
set system login user USER1 authentication encrypted-password "$1$fEMYRcpU$ckP4LFp/joAmkQ1sLnQ1a0"
set system login user USER10 uid 2012
set system login user USER10 class J10-superuser
set system login user USER10 authentication encrypted-password "$1$LDmrPRX.$Nkk0p1Ou8h.p2FGMYLlne1"
set system login user USER11 uid 2017
set system login user USER11 class J11-superuser
set system login user USER11 authentication encrypted-password "$1$1RNXWIVL$VRfTSmnGaJIkUfHf0exW1/"
set system login user USER12 uid 2018
set system login user USER12 class J12-superuser
set system login user USER12 authentication encrypted-password "$1$.Nd48UM0$RZS1F/5Rp3DrdgN2sEGsY0"
set system login user USER13 uid 2019
set system login user USER13 class J13-superuser
set system login user USER13 authentication encrypted-password "$1$EODMZXa4$z2qvVh/p57DtJPv0NFyzx1"
set system login user USER2 uid 2003
set system login user USER2 class J2-superuser
set system login user USER2 authentication encrypted-password "$1$U/jh6hA/$pmtdTtpVmjSCiQ4khqvNa1"
set system login user USER3 uid 2009
set system login user USER3 class J3-superuser
set system login user USER3 authentication encrypted-password "$1$/T3X1azh$lZYZHo4ZVSQUQkcZYbZyg0"
set system login user USER4 uid 2010
set system login user USER4 class J4-superuser
set system login user USER4 authentication encrypted-password "$1$Gnf/qqpk$ntwqdXpCIrqb2GBf.jlHu/"
set system login user USER5 uid 2011
set system login user USER5 class J5-superuser
set system login user USER5 authentication encrypted-password "$1$V5u2xmGv$wywji87Ny6BYK5mryKPnL0"
set system login user USER6 uid 2013
set system login user USER6 class J6-superuser
set system login user USER6 authentication encrypted-password "$1$D6.zttrE$wBubykb76IPG1Pf89OCkL1"
set system login user USER7 uid 2014
set system login user USER7 class J7-superuser
set system login user USER7 authentication encrypted-password "$1$23BG/cYA$VTtS3i6TK7m/9VjU.ENJE0"
set system login user USER8 uid 2015
set system login user USER8 class J8-superuser
set system login user USER8 authentication encrypted-password "$1$c5cJZahO$mqIttBhdQdnuK6pf7RQxk0"
set system login user USER9 uid 2016
set system login user USER9 class J9-superuser
set system login user USER9 authentication encrypted-password "$1$pNo90Key$.3KVzcsuBLu9TI1ke93rh0"
set system login user darreno full-name "Darren O'Connor"
set system login user darreno uid 2002
set system login user darreno class super-user
set system login user darreno authentication encrypted-password "$1$lWD7BqVU$/51zXBjngOU3B/qQLgeLW1"
set system services ssh
set system services telnet
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set logical-systems J1 interfaces fe-0/0/0 unit 13 vlan-id 13
set logical-systems J1 interfaces fe-0/0/0 unit 13 family inet address 10.1.3.1/24
set logical-systems J1 interfaces fe-0/0/0 unit 15 vlan-id 15
set logical-systems J1 interfaces fe-0/0/0 unit 15 family inet address 10.1.8.1/24
set logical-systems J1 interfaces lo0 unit 1 family inet address 1.1.1.1/32
set logical-systems J10 interfaces fe-0/0/1 unit 56 vlan-id 56
set logical-systems J10 interfaces fe-0/0/1 unit 56 family inet address 10.56.56.10/24
set logical-systems J10 interfaces fe-1/3/0 unit 79 vlan-id 79
set logical-systems J10 interfaces fe-1/3/0 unit 79 family inet address 10.10.13.10/24
set logical-systems J10 interfaces fe-1/3/3 unit 72 vlan-id 72
set logical-systems J10 interfaces fe-1/3/3 unit 72 family inet address 10.10.12.10/24
set logical-systems J10 interfaces lo0 unit 10 family inet address 10.10.10.10/32
set logical-systems J11 interfaces fe-0/0/0 unit 51 vlan-id 51
set logical-systems J11 interfaces fe-0/0/0 unit 51 family inet address 10.8.11.11/24
set logical-systems J11 interfaces fe-0/0/1 unit 66 vlan-id 66
set logical-systems J11 interfaces fe-0/0/1 unit 66 family inet address 10.9.11.11/24
set logical-systems J11 interfaces fe-1/3/0 unit 16 vlan-id 16
set logical-systems J11 interfaces fe-1/3/0 unit 16 family inet address 10.11.12.11/24
set logical-systems J11 interfaces fe-1/3/0 unit 19 vlan-id 19
set logical-systems J11 interfaces fe-1/3/0 unit 19 family inet address 10.11.13.11/24
set logical-systems J11 interfaces lo0 unit 11 family inet address 11.11.11.11/32
set logical-systems J12 interfaces fe-0/0/0 unit 59 vlan-id 59
set logical-systems J12 interfaces fe-0/0/0 unit 59 family inet address 10.8.12.12/24
set logical-systems J12 interfaces fe-1/3/0 unit 72 vlan-id 72
set logical-systems J12 interfaces fe-1/3/0 unit 72 family inet address 10.10.12.12/24
set logical-systems J12 interfaces fe-1/3/3 unit 14 vlan-id 14
set logical-systems J12 interfaces fe-1/3/3 unit 14 family inet address 10.12.13.12/24
set logical-systems J12 interfaces fe-1/3/3 unit 16 vlan-id 16
set logical-systems J12 interfaces fe-1/3/3 unit 16 family inet address 10.11.12.12/24
set logical-systems J12 interfaces lo0 unit 12 family inet address 12.12.12.12/32
set logical-systems J13 interfaces fe-0/0/1 unit 63 vlan-id 63
set logical-systems J13 interfaces fe-0/0/1 unit 63 family inet address 10.9.13.13/24
set logical-systems J13 interfaces fe-1/3/0 unit 14 vlan-id 14
set logical-systems J13 interfaces fe-1/3/0 unit 14 family inet address 10.12.13.13/24
set logical-systems J13 interfaces fe-1/3/3 unit 19 vlan-id 19
set logical-systems J13 interfaces fe-1/3/3 unit 19 family inet address 10.11.13.13/24
set logical-systems J13 interfaces fe-1/3/3 unit 79 vlan-id 79
set logical-systems J13 interfaces fe-1/3/3 unit 79 family inet address 10.10.13.13/24
set logical-systems J13 interfaces lo0 unit 13 family inet address 13.13.13.13/32
set logical-systems J2 interfaces fe-0/0/0 unit 25 vlan-id 25
set logical-systems J2 interfaces fe-0/0/0 unit 25 family inet address 10.2.8.2/24
set logical-systems J2 interfaces lo0 unit 2 family inet address 2.2.2.2/32
set logical-systems J3 interfaces fe-0/0/1 unit 13 vlan-id 13
set logical-systems J3 interfaces fe-0/0/1 unit 13 family inet address 10.1.3.3/24
set logical-systems J3 interfaces fe-0/0/1 unit 36 vlan-id 36
set logical-systems J3 interfaces fe-0/0/1 unit 36 family inet address 10.3.9.3/24
set logical-systems J3 interfaces lo0 unit 3 family inet address 3.3.3.3/32
set logical-systems J4 interfaces fe-0/0/1 unit 46 vlan-id 46
set logical-systems J4 interfaces fe-0/0/1 unit 46 family inet address 10.4.9.4/24
set logical-systems J4 interfaces lo0 unit 4 family inet address 4.4.4.4/32
set logical-systems J5 interfaces fe-1/3/0 unit 56 vlan-id 56
set logical-systems J5 interfaces fe-1/3/0 unit 56 family inet address 10.56.56.5/24
set logical-systems J5 interfaces lo0 unit 5 family inet address 5.5.5.5/32
set logical-systems J6 interfaces fe-1/3/3 unit 56 vlan-id 56
set logical-systems J6 interfaces fe-1/3/3 unit 56 family inet address 10.56.56.6/24
set logical-systems J6 interfaces lo0 unit 6 family inet address 6.6.6.6/32
set logical-systems J7 interfaces fe-0/0/0 unit 56 vlan-id 56
set logical-systems J7 interfaces fe-0/0/0 unit 56 family inet address 10.56.56.7/24
set logical-systems J7 interfaces lo0 unit 7 family inet address 7.7.7.7/32
set logical-systems J8 interfaces fe-0/0/1 unit 15 vlan-id 15
set logical-systems J8 interfaces fe-0/0/1 unit 15 family inet address 10.1.8.8/24
set logical-systems J8 interfaces fe-0/0/1 unit 25 vlan-id 25
set logical-systems J8 interfaces fe-0/0/1 unit 25 family inet address 10.2.8.8/24
set logical-systems J8 interfaces fe-0/0/1 unit 51 vlan-id 51
set logical-systems J8 interfaces fe-0/0/1 unit 51 family inet address 10.8.11.8/24
set logical-systems J8 interfaces fe-0/0/1 unit 59 vlan-id 59
set logical-systems J8 interfaces fe-0/0/1 unit 59 family inet address 10.8.12.8/24
set logical-systems J8 interfaces lo0 unit 8 family inet address 8.8.8.8/32
set logical-systems J9 interfaces fe-0/0/0 unit 36 vlan-id 36
set logical-systems J9 interfaces fe-0/0/0 unit 36 family inet address 10.3.9.9/24
set logical-systems J9 interfaces fe-0/0/0 unit 46 vlan-id 46
set logical-systems J9 interfaces fe-0/0/0 unit 46 family inet address 10.4.9.9/24
set logical-systems J9 interfaces fe-0/0/0 unit 63 vlan-id 63
set logical-systems J9 interfaces fe-0/0/0 unit 63 family inet address 10.9.13.9/24
set logical-systems J9 interfaces fe-0/0/0 unit 66 vlan-id 66
set logical-systems J9 interfaces fe-0/0/0 unit 66 family inet address 10.9.11.9/24
set logical-systems J9 interfaces lo0 unit 9 family inet address 9.9.9.9/32
set interfaces fe-0/0/0 vlan-tagging
set interfaces fe-0/0/1 vlan-tagging
set interfaces fe-1/3/0 vlan-tagging
set interfaces fe-1/3/3 vlan-tagging
My last post explained that my CCIE is on short hold thanks to me not currently holding my passport. And so instead of just wasting time I’ve decided to learn a bit more about my Juniper devices.
A while back I showed how you can load JUNOS onto some old Nokia devices. This post and this post show how.
One of the problems in the second post was that you could only install up to JUNOS 8.4 on these boxes. Anything more and you bork the box and need to start over.
So what if you need to run a bunch of Juniper routers and don't have 10 sitting on your desk? Well, the beauty of JUNOS is that you can partition a single router into multiple logical routers. This is not simply a separate VRF; it's a whole logical router running its own processes and everything. In fact each logical system can even be running its own VRFs as well!
So I happen to have an old M10 router sitting in my lab. I actually have 2, but only 1 is currently working. To do any proper configuration you need more than a single box of course. This M10 is running a much newer release of JUNOS, 10.4R1.9.
So let's get started. I've factory-defaulted the box by doing a load factory-default and then commit:
root> show version
Model: m10
JUNOS Base OS boot [10.4R1.9]
/removed/
This is my actual physical topology:

There is simply a physical Cat5 cable connecting port fe-0/0/0 to port fe-0/0/1.
Below is the planned logical topology. 2 Juniper routers connected over 2 separate links.

First I'm going to set the interfaces to send tagged traffic so I can run multiple virtual links, each with a different vlan tag. Then I'll set up the interfaces as above:
set interfaces fe-0/0/0 vlan-tagging
set interfaces fe-0/0/1 vlan-tagging
set logical-systems JUNIPER1 interfaces fe-0/0/0 unit 1 vlan-id 20
set logical-systems JUNIPER1 interfaces fe-0/0/0 unit 1 family inet address 10.2.2.1/24
set logical-systems JUNIPER1 interfaces fe-0/0/1 unit 1 vlan-id 10
set logical-systems JUNIPER1 interfaces fe-0/0/1 unit 1 family inet address 10.1.1.1/24
set logical-systems JUNIPER2 interfaces fe-0/0/0 unit 2 vlan-id 10
set logical-systems JUNIPER2 interfaces fe-0/0/0 unit 2 family inet address 10.1.1.2/24
set logical-systems JUNIPER2 interfaces fe-0/0/1 unit 2 vlan-id 20
set logical-systems JUNIPER2 interfaces fe-0/0/1 unit 2 family inet address 10.2.2.2/24
Here we have created 2 logical systems, JUNIPER1 and JUNIPER2. I've then assigned 2 subinterfaces to each router. Let's have a look to see if this actually works. To log into a logical system we use the set cli logical-system [logical system name] command. Once in there we can check the interfaces and then ping across:
root> set cli logical-system JUNIPER1
Logical system: JUNIPER1
root:JUNIPER1> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
fe-0/0/0
fe-0/0/0.1              up    up   inet     10.2.2.1/24
fe-0/0/1
fe-0/0/1.1              up    up   inet     10.1.1.1/24
root:JUNIPER1> ping 10.2.2.2 rapid
PING 10.2.2.2 (10.2.2.2): 56 data bytes
!!!!!
--- 10.2.2.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.055/1.572/3.450/0.941 ms
No problems there at all. Note that once you are inside a logical system, you can configure it as though it’s a normal box. You don’t need to mention any logical system in the config. Let’s configure OSPF on these 2 interfaces:
root:JUNIPER1> configure
Entering configuration mode
[edit]
root:JUNIPER1# edit protocols ospf area 0.0.0.0
[edit protocols ospf area 0.0.0.0]
root:JUNIPER1# set interface fe-0/0/0.1
[edit protocols ospf area 0.0.0.0]
root:JUNIPER1# set interface fe-0/0/1.1
[edit protocols ospf area 0.0.0.0]
root:JUNIPER1# commit
commit complete
[edit protocols ospf area 0.0.0.0]
root:JUNIPER1# exit
[edit]
root:JUNIPER1# exit
Exiting configuration mode
So now how do we get out of this logical system and back into the root? Use the clear cli logical-system command. Let's get out of JUNIPER1, go into JUNIPER2 and configure OSPF:
root:JUNIPER1> clear cli logical-system
Cleared default logical system
root> set cli logical-system JUNIPER2
Logical system: JUNIPER2
root:JUNIPER2> configure
Entering configuration mode
[edit]
root:JUNIPER2# edit protocols ospf area 0.0.0.0
[edit protocols ospf area 0.0.0.0]
root:JUNIPER2# set interface fe-0/0/0.2
[edit protocols ospf area 0.0.0.0]
root:JUNIPER2# set interface fe-0/0/1.2
[edit protocols ospf area 0.0.0.0]
root:JUNIPER2# top
[edit]
root:JUNIPER2# commit
commit complete
[edit]
root:JUNIPER2# exit
Exiting configuration mode
So has it all worked?
root:JUNIPER2> show ospf neighbor
Address          Interface              State     ID               Pri  Dead
10.1.1.1         fe-0/0/0.2             Full      10.1.1.1         128    36
10.2.2.1         fe-0/0/1.2             Full      10.1.1.1         128    37
Of course it has ;)
While this works, it's a big hassle having to log into the root system and then into the logical system. It also defeats the purpose of a logical system a bit, as it would be ideal to give different users access to different logical systems.
Let’s create 2 users. user1 will be responsible for JUNIPER1 and user2 will be responsible for JUNIPER2. You’ll need to get back into the root system to do this.
set system login class USER1 logical-system JUNIPER1
set system login class USER1 permissions all
set system login class USER2 logical-system JUNIPER2
set system login class USER2 permissions all
set system login user user1 class USER1
set system login user user1 authentication encrypted-password "$1$2.bgMkK/$ALFH1kC1Q2s.Rgm8Uvuuh/"
set system login user user2 class USER2
set system login user user2 authentication encrypted-password "$1$aOaM2CQa$OXMUk4burCY7vFlzmLZdR0"
Let’s give this a test by logging right out and then back in:
Amnesiac (ttyd0)
login: user1
Password:
--- JUNOS 10.4R1.9 built 2010-12-04 09:20:43 UTC
user1:JUNIPER1>
Note that if you log in this way, you can't clear out of the logical system. As far as you are concerned, this is a separate router:
user1:JUNIPER1> clear cli logical-system
error: You are not a allowed to execute this command
So there you have it. I now have 2 routers running inside a single physical box. Juniper says you can have up to 15 logical routers inside a box, so that gives me a lot to play with. If I get the second M10 working that'll be 30 Juniper routers at my disposal. More than enough for even the most complex topologies.