Juniper: 6VPE Centralized Internet Access

I recently worked on a pilot project whose aim is to provide IPv6-only global connectivity to an open wireless network. The network is mostly made of IEEE 802.11n base stations routing traffic from various mobile devices (e.g. laptops, smartphones) to outside services on the Internet. I had to address three challenges; the first being the lack of proper IPv6 support on some platforms, in particular on 'old' Android 4.x devices. The second challenge was to forward and transport the native IPv6 traffic from the clients, through the base stations and up to the nearest service provider's exit point. To address the latter I decided to leverage 6VPE on the MPLS backbone, which is composed of multi-vendor equipment from Cisco Systems and Juniper Networks. The label distribution protocol chosen is LDP for its simplicity of operation and troubleshooting. Finally, and this is the topic of this article, I had to provide Internet services to the wireless VPN instances so mobile clients can browse the web in a transparent and efficient manner, regardless of their physical location and the base station they're associated with.


NAT66 and IPv6 ULA on Juniper SRX

Sometimes, you do not have access to enough public address space to number all your subnets. This is especially recurrent in virtualized environments where network segmentation is a natural design choice. In such environments, you may have several VLANs and routing instances (call them routing domains, or contexts, depending on the vendor terminology you're familiar with), and with each comes a unique set of subnets. Every network operator knows how painful IP address management is, and we all want to avoid renumbering our network, especially when it accounts for hundreds, if not thousands, of subnets. You certainly also figured out that Network Address Translation (NAT) could help here, but do you know its benefits can be applied to the IPv6 world as well?


Juniper Firefly Perimeter on OpenStack

Juniper recently announced the General Availability of Firefly Perimeter (also known as JunosV Firefly), a virtual firewall based on Juniper's SRX Services Gateway code. Firefly Perimeter runs as a virtual machine and delivers networking and security features similar to those of the branch SRXes, such as routing, NAT and VPN. It allows you to secure business applications and services in private and public cloud environments. As of version 12.1X46, it supports two hypervisors, namely VMware ESXi and Linux KVM. Each instance of the virtual appliance can support up to ten Gigabit Ethernet vNICs. As I already had an OpenStack lab up and running, I decided to give Firefly Perimeter a try.


Did you know? IS-IS Minimum MTU

I recently came across the fact that my favorite IGP, the Intermediate System To Intermediate System (IS-IS) routing protocol, has strict requirements regarding the minimum MTU of a link. In fact, for your adjacency to come up, the IS-IS link's maximum transmission unit (MTU) must be at least 1492 bytes.


Juniper: Constrained Shortest Path First (CSPF)

It's time to recap a few basics of MPLS, and in particular of CSPF. The Constrained Shortest Path First (CSPF) algorithm allows an ingress LSR to compute a Label Switched Path (LSP) out of a Traffic Engineering (TE) database, which includes various constraints or requirements on how an LSP must be signaled. As you may expect, CSPF is widely used for traffic engineering purposes, but it's also a prerequisite for two protection mechanisms, namely Fast Reroute (FRR) and link/node protection. In fact, both of these use the TE database to compute and later signal backup tunnels (or bypass LSPs). CSPF is therefore an important piece on the MPLS chessboard.


Juniper: CoS Schedulers

Schedulers are certainly one of the most important components of Quality of Service (QoS) on Juniper Junos. Schedulers define the queue parameters your traffic will be subject to. Each queue can receive different scheduling parameters, thus allowing for service differentiation.


Juniper: VPLS Multihoming - Multiple PE

There are actually a few ways to avoid bridging loops in a VPLS network. Bridging in a VPLS environment is not really different from a standard Ethernet network: a spanning-tree protocol like the original IEEE 802.1D or any of its variants like RSTP or MSTP can be enabled to block the redundant link(s). Ethernet Ring Protection (ERP) could also be enabled on platforms supporting it (e.g. Juniper MX series), but certainly the most common and effective way is to carefully provision the VPLS VPN instances using BGP and to respect a few basic rules.


QoS: Differentiated Services Model

I cannot cover Diffserv without ever mentioning its predecessor, the Integrated Services model or Intserv. The latter never saw global deployment because of scalability issues inherent in its architectural design. The idea behind Intserv was to provide end-to-end QoS guarantees to applications like voice, video and conferencing.
