Juniper MX series


Juniper MX Series
SECOND EDITION
Douglas Richard Hanks, Jr., Harry Reynolds & David Roy

Juniper MX Series
by Douglas Richard Hanks, Harry Reynolds, and David Roy

Copyright © 2016 Douglas Hanks, Harry Reynolds, David Roy. All rights reserved.

Printed in the United States of America.

Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://safaribooksonline.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.

Editors: Brian Anderson and Courtney Allen
Production Editor: Nicholas Adams
Copyeditor: Jasmine Kwityn
Proofreader: Charles Roumeliotis
Indexer: WordCo Indexing Services, Inc.
Interior Designer: David Futato
Cover Designer: Randy Comer
Illustrator: Rebecca Demarest

October 2012: First Edition
September 2016: Second Edition

Revision History for the Second Edition
2016-08-24: First Release

See http://oreilly.com/catalog/errata.csp?isbn=9781491932728 for release details.

The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. Juniper MX Series, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc.

While the publisher and the authors have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the authors disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.

978-1-491-93272-8
[LSI]

Second Edition Dedication

I would like to dedicate this book to my wife, Magali, my two sons, Noan and Timéo, and my parents Jacques and Micheline, for all their encouragement and support during this big project. A very special thank you to Harry Reynolds—I learned a lot from him, and I’m still so impressed by his technical and writing skills. A great thank you to Doug Hanks, Paul Abbot, Ping Song, and Antonio Sanchez-Monge from Juniper Networks for helping me during the project. I also thank Patrick Ames, who helped me a lot and corrected the English of a poor French guy. Thank you to Artur Makutunowicz and Matt Dinham for their technical review. Finally, a great thank you to the folks at Juniper, who gave me the opportunity to share my passion for the MX Series through this second edition.

—David Roy

Preface

One of the most popular routers in the Enterprise and Service Provider market is the Juniper MX Series. The industry is moving to high-speed, high port-density Ethernet-based routers, and the Juniper MX was designed from the ground up to solve these challenges.

This book is going to show you, step by step, how to build a better network using the Juniper MX—it’s such a versatile platform that it can be placed in the core, aggregation, or edge of any type of network and provide instant value. The Juniper MX was designed to be a network virtualization beast. You can virtualize the physical interfaces, logical interfaces, control plane, data plane, network services, and even have virtualized services span several Juniper MX routers. What was traditionally done with an entire army of routers can now be consolidated and virtualized into a single Juniper MX router.

Second Edition Notes

This Second Edition of Juniper MX Series maintains the existing chapters from the First Edition, but is updated with recent technical information based on Junos release 14.2. Moreover, two new chapters have been added.

The first of these, Chapter 7, covers the large topic of load balancing—it explains how Junos implements the load balancing features on the Trio chipset for the different types of traffic (IP, MPLS, bridged, etc.). The chapter then details some advanced technologies such as symmetric load balancing, consistent hashing, and the adaptive load balancing feature set.

The second new chapter, Chapter 11, focuses on the virtual instance of the MX: the vMX. It first introduces the benefits of using vMX and typical use cases of the virtual carrier grade router. It also presents the technical architecture of the vMX and gives an overview of some virtualization techniques that gravitate around vMX, such as paravirtualization, PCI-Passthrough, and SR-IOV. It finally provides some detailed information about how vMX is currently implemented and discusses the current vMX QoS model.

In addition to these brand new chapters, the following updates have been made:

For Chapter 1, we present the new Junos release model and give you an overview of the Junos modernization by covering the topics of RPD multithreading and the JAM model. We also detail how the key process of ppmd works. We present the hardware of the MPC1e up to MPC9e line cards and also how the fabric planes have been upgraded to support new, high-density line cards. We finally provide technical details regarding the hypermode feature.

For Chapter 2, we added some content related to VLAN normalization. To prevent Layer 2 loops, we present the new MAC move feature. We finally provide technical details regarding VXLAN support on MX with a case study: MX as a VTEP.

For Chapter 3, several new features are introduced or technically detailed. This includes the new filter modes supported by Junos 14.2 but also some advanced filtering features, such as shared bandwidth policing, flexible match firewall filters, and the Fast Lookup Filter feature supported on the new generation of Trio ASICs.

For Chapter 4, we provided more technical details about how the DDOS protection feature has been improved. Moreover, relying on a case study, the chapter presents the DDOS Suspicious Control Flow Detection feature.

Chapter 5, which covers class of service, has been enriched with some new features such as the support of ingress queuing on the Trio line card. The chapter also details the feature that allows enabling limited per-VLAN queuing on a nonqueueing MPC. Finally, it explains in detail how the new policy-map feature allows flexible packet CoS remarking.

For Chapter 6, which covers the MX multi-chassis feature, the “Locality Bias” feature, which allows better use of the VCP bandwidth, is presented.

Chapter 8, dedicated to Trio inline services, has received several updates. The inline sampling feature (IPFIX) has been updated with recent enhancements. The tunnel services feature has been enriched with a technical deep dive. We provided a configuration example in order to ensure redundancy for logical tunnels. New features, including inline GRE with filter-based tunnel, are detailed and illustrated with a real-world case study. Finally, the port mirroring part has also been updated and enriched with a presentation of the new Layer 2 Analyzer feature.

Chapter 9 and Chapter 10, which cover MC-LAG and high-availability features, respectively, have been refreshed with the latest information. The new NSR-supported features are also included in Chapter 10.

No Apologies

We’re avid readers of technology books, and we always get a bit giddy when a new book is released, because we can’t wait to read it and learn more about a specific technology. However, one trend we have noticed is that every networking book tends to regurgitate the basics over and over. There are only so many times you can force yourself to read about spanning tree, the split horizon rule, or OSPF LSA types. One of the goals of this book is to introduce new and fresh content that hasn’t been published before.

There was a conscious decision made between the authors to keep the technical quality of this book very high; this created a constant debate whether or not to include primer or introductory material in the book to help refresh a reader’s memory with certain technologies and networking features. In short, here’s what we decided:

Spanning Tree
There’s a large chapter on bridging, VLAN mapping, IRB, and virtual switches. A logical choice would be to include the spanning tree protocol in this chapter. However, spanning tree has been around forever and quite frankly there’s nothing special or interesting about it. Spanning tree is covered in great detail in every JNCIA and CCNA book on the market. If you want to learn more about spanning tree, check out Junos Enterprise Switching by O’Reilly or CCNA ICND2 Official Exam and Certification Guide, Second Edition, by Cisco Press.

Basic Firewall Filters
We decided to skip the basic firewall filter introduction and jump right into the advanced filtering and policing that’s available on the Juniper MX. Hierarchical policers, two-rate three-color policers, and cascading firewall filters are much more interesting.

Class of Service
This was a difficult decision because Chapter 5 is over 170 pages of advanced hierarchical class of service. Adding another 50 pages of class of service basics would have exceeded page count constraints and provided no additional value. If you would like to learn more about basic class of service, check out QoS-Enabled Networks by Wiley, Junos Enterprise Routing, Second Edition by O’Reilly, or Juniper Networks Certified Internet Expert Study Guide by Juniper Networks.

Trio Inline Services, Trio Inline Services-Summary
  about, What Are Trio Inline Services?
  inline GRE with filter-based tunnel, Inline GRE with Filter-Based Tunnel-Inline GRE with Filter-Based Tunnel
  inline IPFIX configuration, Inline IPFIX Configuration-Interface mode
  inline IPFIX performance, Inline IPFIX Performance
  inline IPFIX software architecture, Inline IPFIX Software Architecture
  inline IPFIX verification, Inline IPFIX Verification-Inline IPFIX Verification
  J-Flow, J-Flow
  Layer 2 analyzer, Layer 2 Analyzer-Layer 2 Analyzer Summary
  Network Address Translation, Network Address Translation-Network Address Translation Summary
  port mirroring, Port Mirroring-Port Mirroring Summary
  tunnel services, Tunnel Services-Tunnel Services Summary
Trio load balancing, Trio Load Balancing-Summary
  Adaptive Load Balancing, Adaptive Load Balancing-True per-packet load balancing for ECMP
  advanced features, Advanced Load Balancing-True per-packet load balancing for ECMP
  and network polarization, The Problem of Polarization
  backward compatibility, Trio Load Balancing and Backward Compatibility-Enable PIM load balancing
  consistent hashing, Consistent Hashing-Verify consistent hashing
  hash computation, Hash Computation
  hashing, Hashing
  host outbound LB, Host Outbound Load Balancing
  ingress/egress encapsulation options, Family and Enhanced Hash Field Summary
  ISO CNLP/CNLS hashing and load balancing, Hash computation for multiservice traffic
  Junos load balancing overview, Junos Load Balancing Overview-Junos Load Balancing Summary
  multicast, What About Multicast?-Enable PIM load balancing
  next-hop, The Next-Hop-The Next-Hop
  per family load balancing configuration, Configure Per-Family Load Balancing-Hash computation for multiservice traffic
  per-prefix vs per-flow, Per-Prefix Versus Per-Flow Load Balancing
  symmetric load balancing, Symmetric Load Balancing-Force symmetric balancing on AE
Trio MPC
  I-Chip/ADPC vs., Trio versus I-Chip/ADPC CoS differences-Trio versus I-Chip/ADPC CoS differences
  restricted queue feature, Low queue warnings
Trio MPC/MIC interfaces
  bandwidth accounting, Trio bandwidth accounting
  buffering, Trio buffering
  drop profiles, Trio drop profiles
  shaping granularity, Trio shaping granularity
Trio PFE
  and family bridge filter, HTTP filter definition
  EXP classification and rewrite defaults, Trio MPLS EXP classification and rewrite defaults
trunk mode (interface-mode option), Trunk
tunnel services, Tunnel Services-Tunnel Services Summary
  case study: interconnecting logical and physical routers, Case Study: Interconnect Logical and Physical Routers-Tunnel services case study final verification
  case study: traffic mitigation based on GRE filter-based tunnel, Case Study: Traffic Mitigation Based on GRE Filter-Based Tunnel-Case Study: Traffic Mitigation Based on GRE Filter-Based Tunnel
  enabling, Enabling Tunnel Services-Enabling Tunnel Services
  inline GRE with filter-based tunnel, Inline GRE with Filter-Based Tunnel-Inline GRE with Filter-Based Tunnel
  redundancy, Tunnel Services Redundancy-Tunnel Services Redundancy
  tunneled packet walkthrough, A Tunneled Packet Walkthrough-A Tunneled Packet Walkthrough
tunneling protocols, increasing entropy for, Increasing entropy for IP tunnels
two-rate three-color marker (trTCM) policer
  color modes for, Color modes for three-color policers
  configuration, Configure two-rate three-color policers
  nonconformance, trTCM nonconformance
  srTCM vs., Single and Two-Rate Three-Color Policers
  three-rate policer vs., Single and Two-Rate Three-Color Policers
  traffic parameters, Two-rate traffic parameters-Two-rate traffic parameters
TX thread, vMX Packet Walkthrough

U

UI (User Interface), Junos, Management daemon
unicast next-hop, The Next-Hop
unidirectional CoS
  baseline configuration, Baseline configuration-Baseline configuration
  baseline establishment, Establish a CoS baseline-Establish a CoS baseline
  classification confirmation, Confirm queuing and classification-Use ping to test MF classification
  configuration, Configure Unidirectional CoS-Apply schedulers and shaping
  log error checking, Check for any log errors-Check for any log errors
  queuing confirmation, Confirm queuing and classification-Use ping to test MF classification
  scheduler block, The scheduler block-The scheduler block
  scheduler confirmation, Confirm scheduling details-Confirm scheduling details
  scheduling mode, Select a scheduling mode-Apply schedulers and shaping
  verification, Verify Unidirectional CoS-Check for any log errors
unilist next-hop, The Next-Hop
User Interface (UI), Junos, Management daemon

V

VC (virtual chassis), MX-VC Terminology
  (see also MX Virtual Chassis (MX-VC))
VCCP (Virtual Chassis Control Protocol), MX-VC Terminology
  and MX-VC topology, Virtual chassis topology-Virtual chassis topology
  mastership election, Mastership Election
VCP (see Virtual Control Plane)
VFP (see Virtual Forwarding Plane)
VID (VLAN Identifier), IEEE 802.1Q
Virtual Chassis Port (VCP) interfaces
  classifiers, Classifiers
  configuring R1 on, R1 VCP Interface
  configuring R2 on, R2 VCP Interface-R2 VCP Interface
  CoS, VCP Interface Class of Service-Verification
  defined, MX-VC Terminology
  final configuration, Final Configuration
  forwarding classes, Forwarding Classes
  rewrite rules, Rewrite Rules
  schedulers, Schedulers-Schedulers
  traffic encapsulation, VCP Traffic Encapsulation
  verification, Verification
  walkthrough, VCP Class of Service Walkthrough-VCP Class of Service Walkthrough
Virtual Control Plane (VCP)
  about, vMX, A Technical Overview of vMX-A Technical Overview of vMX
  elements of, VCP/VFP Architecture
Virtual eXtensible LAN (see VXLAN)
Virtual Forwarding Plane (VFP)
  about, vMX, A Technical Overview of vMX-A Technical Overview of vMX
  elements of, VCP/VFP Architecture
Virtual LAN (VLAN) (see VLAN entries)
virtual machine (VM), What is virtualization?
virtual MX (vMX), vMX, The Virtual MX-Summary
  benefits of using, Assure service agility-Putting it all together
  CPU pinning/CPU affinity, A word about CPU pinning and CPU affinity
  deployments to use with, Deployments to Use with vMX-Deployments to Use with vMX
  initial configuration, vMX Initial Configuration-vMX Initial Configuration
  installation resources for lab simulation, Resources for Installing vMX for Lab Simulation-vMX Initial Configuration
  licensing, vMX Licensing
  network virtualization techniques, Network Virtualization Techniques for vMX
  packet walkthrough, vMX Packet Walkthrough-vMX Packet Walkthrough
  physical MX vs., Physical or Virtual
  QoS model, The vMX QoS Model-The vMX QoS Model
  reasons for using, Why Use vMX and for What Purpose?-Deployments to Use with vMX
  software acceleration for dataplane, Software acceleration for dataplane-Software acceleration for dataplane
  technical details, Technical Details of the vMX-The vMX QoS Model
  technical overview, A Technical Overview of vMX-Summary
  using several instances per server, Several vMX Instances per Server
  VCP/VFP architecture, VCP/VFP Architecture-A word about CPU pinning and CPU affinity
  virtual network interfaces, The virtual network interfaces-The virtual network interfaces
  virtual world and, vMX and the Virtual World-Summary
  virtualization concepts, Virtualization Concepts-Software acceleration for dataplane
Virtual Private LAN Service (VPLS), Multi-Chassis Link Aggregation, MC-LAG Family Support
virtual Route Reflector (vRR), Deployments to Use with vMX
Virtual Router Redundancy Protocol (VRRP), MC-LAG Family Support, Virtual Router Redundancy Protocol
virtual switch, Virtual Switch-Configuration
virtualization concepts, Virtualization Concepts-Software acceleration for dataplane
  defined, What is virtualization?
  paravirtualization vs., Hardware virtualization versus paravirtualization
VLAN Identifier (VID), IEEE 802.1Q
VLAN mapping (see Service Provider VLAN mapping)
VLAN rewriting/normalization
  bridge domains, VLAN Normalization and Rewrite Operations
  Enterprise-style interface bridge configuration, VLAN Rewrite
VLAN tagging, VLAN tagging
  and Service Provider bridging, Service Provider style
  flexible, Flexible VLAN tagging
  IEEE 802.1Q, VLAN tagging
  stacked, Stacked VLAN tagging-Stacked VLAN tagging
  vlan-id-range option, vlan-id-range
VLAN, VXLAN vs., VXLAN
vlan-id (IFL code), Enterprise style
vlan-id (stack operation option), input-vlan-map
vlan-id-range (tagging option), vlan-id-range
VM (virtual machine), What is virtualization?
vMX (see virtual MX)
VPLS (Virtual Private LAN Service), Multi-Chassis Link Aggregation, MC-LAG Family Support
vrf-table-label, Configure Per-Family Load Balancing, Enabling Tunnel Services
vRR (virtual Route Reflector), Deployments to Use with vMX
VRRP (Virtual Router Redundancy Protocol), MC-LAG Family Support, Virtual Router Redundancy Protocol
VTEP (VXLAN Tunnel End Point)
  about, VXLAN as a Layer 2 Overlay-VXLAN as a Layer 2 Overlay
  MX case study, VXLAN on Trio: case study-VXLAN on Trio: case study
  MX Series and, VXLAN on MX Series
vTrio threads, vMX Packet Walkthrough
VXLAN, VXLAN-VXLAN on Trio: case study
  as Layer 2 overlay, VXLAN as a Layer 2 Overlay-VXLAN as a Layer 2 Overlay
  on MX Series, VXLAN on MX Series-VXLAN on Trio: case study
  Trio case study, VXLAN on Trio: case study-VXLAN on Trio: case study
VXLAN Tunnel End Point (see VTEP)

W

walkthrough (see packet walkthrough)
weight, of interface node, Independent guaranteed bandwidth and weight
WRED (Weighted Random Early Detection), WRED-WRED, Level 4: Queues, Configure WRED drop profiles-Configure WRED drop profiles

X

XL Filter Block (Fast Lookup Filter), Fast Lookup Filter-Advanced Filtering Summary

About the Authors

Douglas Richard Hanks, Jr. is a Data Center Architect with Juniper Networks and focuses on solution architecture. Previously, he was a Senior Systems Engineer with Juniper Networks, supporting large Enterprise accounts such as Chevron, HP, and Zynga. He is certified with Juniper Networks as JNCIE-ENT #213 and JNCIE-SP #875. Douglas’s interests are network engineering and architecture for Enterprise and Service Provider technologies. He is the author of several Day One books published by Juniper Networks Books. Douglas is also the cofounder of the Bay Area Juniper Users Group (BAJUG). When he isn’t busy with networking, Douglas enjoys computer programming, photography, and Arduino hacking. Douglas can be reached at doug@juniper.net or on Twitter @douglashanksjr.

Harry Reynolds has over 30 years of experience in the networking industry, with the last 20 years focused on LANs and LAN interconnection. He is CCIE #4977 and JNCIE #3 and also holds various other industry and teaching certifications. Harry was a contributing author to Juniper Network Complete Reference (McGraw-Hill) and wrote the JNCIE and JNCIP Study Guides (Sybex Books). He coauthored the O’Reilly books Junos Enterprise Routing and Junos Enterprise Switching. Prior to joining Juniper, Harry served in the US Navy as an Avionics Technician, worked for equipment manufacturer Micom Systems, and spent much time developing and presenting hands-on technical training curricula targeted to both Enterprise and Service Provider needs. Harry has developed and presented internetworking classes for organizations such as American Institute, American Research Group, Hill Associates, and Data Training Resources. Currently, Harry performs customer-specific testing that simulates one of the nation’s largest private IP backbones at multidimensional scale. When the testing and writing is done (a rare event, to be sure), Harry can be found in his backyard metal shop trying to make Japanese-style blades.

David Roy is a Network Support Engineer who works for Orange, one of the main Service Providers in Europe. During the last 10 years, he has been involved in many projects based on IP and MPLS technologies. He is also a focus technical support engineer for the French domestic backbone of Orange. Before that, he was part of a Research and Development team focused on Digital Video Broadcasting and IP-over-Satellite technologies. He loves troubleshooting complex routing and switching issues and has spent much time in the lab to reverse-engineer different routing platforms, including the Juniper MX Series. He is the author of the Day One book This Week: An Expert Packet Walkthrough on the MX Series 3D. David is triple JNCIE: SP #703, ENT #305, and SEC #144. When not diving into the hardware’s routers, he plays drums, listens to rock, and savors some nice beers. David can be reached on Twitter @door7302.

About the Lead Technical Reviewers

Stefan Fouant is a Technical Trainer and JNCP Proctor at Juniper Networks with over 15 years of experience in the networking industry. His first exposure to Junos was with Junos 3.4 on the original M40 back in 1998, and it has been a love affair ever since. His background includes launching an industry-first DDoS Mitigation and Detection service at Verizon Business, as well as building customized solutions for various mission-critical networks. He holds several patents in the areas of DDoS Detection and Mitigation, as well as many industry certifications including CISSP, JNCIE-SP, JNCIE-ENT, and JNCIE-SEC.

Artur Makutunowicz has over five years of experience in Information Technology. He was a Technical Team Leader at a large Juniper Elite partner. His main areas of interest are Service Provider technologies, network device architecture, and Software-Defined Networking (SDN). He was awarded the JNCIE-ENT #297 certification. Artur was also a technical reviewer of Day One: Scaling Beyond a Single Juniper SRX in the Data Center, published by Juniper Networks Books. He is currently an independent contractor and can be reached at artur@makutunowicz.net.

About the Technical Reviewers

Many Junos engineers reviewed this book. They are, in the authors’ opinion, some of the smartest and most capable networking people around. They include but are not limited to: Kannan Kothandaraman, Ramesh Prabagaran, Dogu Narin, Russell Gerald Kelly, Rohit Puri, Sunesh Rustagi, Ajay Gaonkar, Shiva Shenoy, Massimo Magnani, Eswaran Srinivasan, Nitin Kumar, Ariful Huq, Nayan Patel, Deepak Ojha, Ramasamy Ramanathan, Brandon Bennett, Scott Mackie, Sergio Danelli, QiZhong Cao, Eric Cheung Young Sen, Richard Fairclough, Madhu Kopalle, Jarek Sawczuk, Philip Seavey, and Amy Buchanan.

The following reviewers provided feedback on the Second Edition, particularly Chapter 11: Paul Abbott, Matt Dinham, and Ping Song.

Proof of Concept Laboratory

In addition, the authors humbly thank the POC Lab in Sunnyvale, California, where the test bed for this book was cared for and fed by Roberto Hernandez, Ridha Hamidi, and Matt Bianchi. Without access to test equipment, this book would have been impossible.

Colophon

The animal on the cover of Juniper MX Series is the tawny-shouldered podargus (Podargus humeralis), a type of bird found throughout the Australian mainland, Tasmania, and southern New Guinea. These birds are often mistaken for owls and have yellow eyes and a wide beak topped with a tuft of bristly feathers. They make loud clacking sounds with their beaks and emit a reverberating, booming call.

These birds hunt at night and spend the day roosting on a dead log or tree branch close to the tree trunk. Their camouflage is excellent—staying very still and upright, they look just like part of the branch. The tawny-shouldered podargus is almost exclusively insectivorous, feeding rarely on frogs and other small prey. They catch their prey with their beaks rather than with their talons, and sometimes drop from their perch onto the prey on the ground. The bird’s large eyes and excellent hearing aid in nocturnal hunting.

Tawny-shouldered podargus pairs stay together until one of the pair dies. After mating, the female lays two or three eggs onto a lining of green leaves in the nest. Both male and female take turns sitting on the eggs to incubate them until they hatch about 25 days later, and both parents help feed the chicks.

Many of the animals on O’Reilly covers are endangered; all of them are important to the world. To learn more about how you can help, go to animals.oreilly.com.

The cover image is from Wood’s Animate Creation. The cover fonts are URW Typewriter and Guardian Sans. The text font is Adobe Minion Pro; the heading font is Adobe Myriad Condensed; and the code font is Dalton Maag’s Ubuntu Mono.

Date posted: 03/11/2019, 08:16


Table of contents

  • Preface

    • Second Edition Notes

    • No Apologies

    • Book Topology

      • Interface Names

      • Aggregate Ethernet Assignments

      • Layer 2

      • IPv4 Addressing

      • IPv6 Addressing

      • What’s in This Book?

      • Conventions Used in This Book

      • Safari® Books Online

      • How to Contact Us

      • 1. Juniper MX Architecture

        • Junos OS

          • One Junos

          • Software Releases

          • Junos Continuity—JAM

          • Software Architecture

          • Routing Sockets

          • Junos OS Modernization

          • Juniper MX Chassis

            • vMX

            • MX80

            • Midrange
