Mailing List Archive

PFE-forwarded IPv6
I'm having an odd problem routing IPv6 traffic through an MX-960 I'm
testing. I'm sending traffic from a directly connected host through the
Juniper box to be routed out to the Internet. I can ping the address on
the MX from the downstream router, but can't seem to route *through* the
Juniper.

One thing that may be pertinent is that the next-hop I expect the
traffic should take is on the other end of a 6in4 tunnel.

Any ideas?

Cheers,
jonathan
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: PFE-forwarded IPv6 [ In reply to ]
Can you post the relevant configuration from the box? I expect that the host is directly connect to the MX-960; and the interface that is facing the host is running RA; furthermore if you look at the routing table on the host, you will see a default route to the MX's link-local address?

Now is the 6in4 tunnel configured on the MX or is this further upstream? Does the other end of the 6in4 tunnel know how to reach your prefixes?

Kind regards,
Truman



On 21/12/2009, at 9:57 AM, Jonathan Lassoff wrote:

> I'm having an odd problem routing IPv6 traffic through an MX-960 I'm
> testing. I'm sending traffic from a directly connected host through the
> Juniper box to be routed out to the Internet. I can ping the address on
> the MX from the downstream router, but can't seem to route *through* the
> Juniper.
>
> One thing that may be pertinent is that the next-hop I expect the
> traffic should take is on the other end of a 6in4 tunnel.
>
> Any ideas?
>
> Cheers,
> jonathan
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: PFE-forwarded IPv6 [ In reply to ]
Excerpts from Truman Boyes's message of Tue Dec 22 04:17:22 -0800 2009:
> Can you post the relevant configuration from the box? I expect that the host is
> directly connect to the MX-960; and the interface that is facing the host is
> running RA; furthermore if you look at the routing table on the host, you will
> see a default route to the MX's link-local address?

Actually, I was testing with a Cisco Cat6k/Sup720 box downstream to test
the interoperability of the two routers, and also IPv6 on the Cat6k.

As a test to better understand what's going on, I attached a host
downstream from the MX960. I can ping and reach the MX's inet6 interface
just fine. I'm also setting my default route to go through the inet6
interface on the MX. Pinging out to 2001:500:2f::f (f.root-servers.net)
through this interface causes the MX to return an ICMPv6 Unreachable
(Address unreachable) message.

However, there's a route on the MX to that destination:

--------------------------------------------------------------------------
jof@mx1.sfo2-re0> show route 2001:500:2f::f

inet6.0: 2299 destinations, 2302 routes (2299 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2001:500:2f::/48 *[BGP/170] 1w3d 20:24:53, localpref 100
AS path: xxxx xxxxx 3557 I
> to xxxx:xxx:xxxx:xx::1 via ipip.0
--------------------------------------------------------------------------

Here's the relevant configuration of interface "ipip":
--------------------------------------------------------------------------
jof@mx1.sfo2-re0> show configuration interfaces ipip
unit 0 {
tunnel {
source xxx.xxx.xxx.xxx;
destination xxx.xxx.xxx.xxx;
}
family inet6 {
address 2001:xxx:xxxx:xx::2/64;
}
}
--------------------------------------------------------------------------

Thanks for any help or insight you can provide.

Cheers,
jonathan
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: PFE-forwarded IPv6 [ In reply to ]
Hi,

Have you enabled the tunnel-services statement at the [ edit chassis fpc slot-number pic pic-number] stanza?

Otherwise the ipip.0 tunnel is only from the RE, which can't forward transit traffic.

Truman


On 23/12/2009, at 8:47 AM, Jonathan Lassoff wrote:

> Excerpts from Truman Boyes's message of Tue Dec 22 04:17:22 -0800 2009:
>> Can you post the relevant configuration from the box? I expect that the host is
>> directly connect to the MX-960; and the interface that is facing the host is
>> running RA; furthermore if you look at the routing table on the host, you will
>> see a default route to the MX's link-local address?
>
> Actually, I was testing with a Cisco Cat6k/Sup720 box downstream to test
> the interoperability of the two routers, and also IPv6 on the Cat6k.
>
> As a test to better understand what's going on, I attached a host
> downstream from the MX960. I can ping and reach the MX's inet6 interface
> just fine. I'm also setting my default route to go through the inet6
> interface on the MX. Pinging out to 2001:500:2f::f (f.root-servers.net)
> through this interface causes the MX to return an ICMPv6 Unreachable
> (Address unreachable) message.
>
> However, there's a route on the MX to that destination:
>
> --------------------------------------------------------------------------
> jof@mx1.sfo2-re0> show route 2001:500:2f::f
>
> inet6.0: 2299 destinations, 2302 routes (2299 active, 0 holddown, 0 hidden)
> + = Active Route, - = Last Active, * = Both
>
> 2001:500:2f::/48 *[BGP/170] 1w3d 20:24:53, localpref 100
> AS path: xxxx xxxxx 3557 I
>> to xxxx:xxx:xxxx:xx::1 via ipip.0
> --------------------------------------------------------------------------
>
> Here's the relevant configuration of interface "ipip":
> --------------------------------------------------------------------------
> jof@mx1.sfo2-re0> show configuration interfaces ipip
> unit 0 {
> tunnel {
> source xxx.xxx.xxx.xxx;
> destination xxx.xxx.xxx.xxx;
> }
> family inet6 {
> address 2001:xxx:xxxx:xx::2/64;
> }
> }
> --------------------------------------------------------------------------
>
> Thanks for any help or insight you can provide.
>
> Cheers,
> jonathan
>

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: PFE-forwarded IPv6 [ In reply to ]
Excerpts from Truman Boyes's message of Tue Dec 22 18:25:23 -0800 2009:
> Have you enabled the tunnel-services statement at the [ edit chassis fpc
> slot-number pic pic-number] stanza?

Thanks Truman!

Nope. I've yet to find reference to this in the documentation relating
to setting up tunnels. Do you have any recommendations for where I find
out more about what this is doing architectually?

On which slot and pic number do you think I should choose? I read that
the MX's DPCs have built-in tunnel-services PICs along with a number of
fixed interface PICs.

I assumed I should choose the DPC and PIC number for the upstream
interface that goes towards the tunnel's outer IP destination:

jof@mx1.sfo2-re0> show configuration chassis fpc 3
pic 0 {
tunnel-services {
bandwidth 1g;
}
}

However, I'm still seeing the same ICMPv6 responses, and traffic is not
passing.

Thanks,
Jonathan
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: PFE-forwarded IPv6 [ In reply to ]
Hi Jonathan,

You can use any of your DPCs. On non-MX JUNOS routers you need to have tunnel pics (ie. packet that needs to be encapsulated/tunneled/etc will switch from PFE to PIC to PFE). MX does not require this because you can make the DPC perform tunnel-services.

Once you create the tunnel-services function on the DPC, you can associate the IPIP tunnel interface with the tunnel service. Ie. Change the IPIP.0 to: ip-3/0/0.0, which corresponds to your FPC 3 PIC 0, port 0 unit 0.

Take a look at:

http://www.juniper.net/techpubs/software/junos/junos83/swconfig83-services/download/tunnel-config.pdf

Search for MX960.

Hope this helps. Your tunnel should work once you create this association.

Kind regards,
Truman




On 23/12/2009, at 2:49 PM, Jonathan Lassoff wrote:

> Excerpts from Truman Boyes's message of Tue Dec 22 18:25:23 -0800 2009:
>> Have you enabled the tunnel-services statement at the [ edit chassis fpc
>> slot-number pic pic-number] stanza?
>
> Thanks Truman!
>
> Nope. I've yet to find reference to this in the documentation relating
> to setting up tunnels. Do you have any recommendations for where I find
> out more about what this is doing architectually?
>
> On which slot and pic number do you think I should choose? I read that
> the MX's DPCs have built-in tunnel-services PICs along with a number of
> fixed interface PICs.
>
> I assumed I should choose the DPC and PIC number for the upstream
> interface that goes towards the tunnel's outer IP destination:
>
> jof@mx1.sfo2-re0> show configuration chassis fpc 3
> pic 0 {
> tunnel-services {
> bandwidth 1g;
> }
> }
>
> However, I'm still seeing the same ICMPv6 responses, and traffic is not
> passing.
>
> Thanks,
> Jonathan
>

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: PFE-forwarded IPv6 [ In reply to ]
Excerpts from Truman Boyes's message of Tue Dec 22 20:12:34 -0800 2009:
> Hi Jonathan,
>
> You can use any of your DPCs. On non-MX JUNOS routers you need to have tunnel
> pics (ie. packet that needs to be encapsulated/tunneled/etc will switch from
> PFE to PIC to PFE). MX does not require this because you can make the DPC
> perform tunnel-services.
>
> Once you create the tunnel-services function on the DPC, you can associate the
> IPIP tunnel interface with the tunnel service. Ie. Change the IPIP.0 to:
> ip-3/0/0.0, which corresponds to your FPC 3 PIC 0, port 0 unit 0.


That seems to have done the trick.

One thing I found when trying this on my platform is that configuring:

fpc 3 {
pic 0 {
tunnel-services {
bandwidth 1g;
}
}
}

Which is:

FPC 3 REV 15 750-021157 xxxxxx DPCE 40x 1GE R TX
CPU REV 03 710-022351 xxxxxx DPC PMB
PIC 0 BUILTIN BUILTIN 10x 1GE(LAN) RJ45

Yields an ip-3/0/10, instead of the ip-3/0/0 that's shown as an example in the documentation.

I configured this, and traffic passes just fine.

Thanks for the tip Truman.

Cheers,
jonathan
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: PFE-forwarded IPv6 [ In reply to ]
> From: Jonathan Lassoff <jof@thejof.com>
> Date: Tue, 22 Dec 2009 23:10:54 -0800
> Sender: juniper-nsp-bounces@puck.nether.net
>
> Excerpts from Truman Boyes's message of Tue Dec 22 20:12:34 -0800 2009:
> > Hi Jonathan,
> >
> > You can use any of your DPCs. On non-MX JUNOS routers you need to have tunnel
> > pics (ie. packet that needs to be encapsulated/tunneled/etc will switch from
> > PFE to PIC to PFE). MX does not require this because you can make the DPC
> > perform tunnel-services.
> >
> > Once you create the tunnel-services function on the DPC, you can associate the
> > IPIP tunnel interface with the tunnel service. Ie. Change the IPIP.0 to:
> > ip-3/0/0.0, which corresponds to your FPC 3 PIC 0, port 0 unit 0.
>
>
> That seems to have done the trick.
>
> One thing I found when trying this on my platform is that configuring:
>
> fpc 3 {
> pic 0 {
> tunnel-services {
> bandwidth 1g;
> }
> }
> }
>
> Which is:
>
> FPC 3 REV 15 750-021157 xxxxxx DPCE 40x 1GE R TX
> CPU REV 03 710-022351 xxxxxx DPC PMB
> PIC 0 BUILTIN BUILTIN 10x 1GE(LAN) RJ45
>
> Yields an ip-3/0/10, instead of the ip-3/0/0 that's shown as an example in the documentation.
>
> I configured this, and traffic passes just fine.

On a GE PIC (1/4 of a DPC, not a physical PIC) the tunnel "PIC" supports
only GE capacity and "steals" it from the other ports. Since the
physical GE porta are 3/0/0-3/0/9, the pseudo-PIC for the tunnel is
labeled 3/0/10.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: PFE-forwarded IPv6 [ In reply to ]
On Wed, Dec 23, 2009 at 09:46:09PM -0800, Kevin Oberman wrote:
> On a GE PIC (1/4 of a DPC, not a physical PIC) the tunnel "PIC" supports
> only GE capacity and "steals" it from the other ports. Since the
> physical GE porta are 3/0/0-3/0/9, the pseudo-PIC for the tunnel is
> labeled 3/0/10.

On a 10x1GE "PIC" it doesn't take away any capacity from the real ports,
so you still get all 10 GE ports plus an 11th gig of tunnel capacity
(hence the pseudo port /10 name). On the 1x10GE "PIC" it disables the
entire port to give you a 10G tunnel, and uses the regular /0 name.
Personally I always wanted a free 1G tunnel on a 10G port (since I own
100% 10GE cards), but alas that wasn't supported last I looked. :)

--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp