Routing

  • 1.  Routing between 2 bridge domains through IRBs issues... :(

    Posted 10-03-2021 05:44
    I have an MX104 that I'm trying to route between two bridge domains through the IRB:

    bridge-domains {
        QBypass {
            domain-type bridge;
            vlan-id 200;
            routing-interface irb.200;
        }
        grebd {
            domain-type bridge;
            vlan-id 624;
            routing-interface irb.624;
        }
    }
    
    interfaces {
      irb {
        unit 200 {
          family inet {
            mtu 1500;
            address 10.0.10.52/28;
          }
        }
        unit 624 {
          proxy-arp unrestricted;
          family inet {
            address 172.16.0.1/26;
          }
        }
      }
    }

    IRB.200's address participates in OSPF and can be pinged by any other router in that area. Outside routers can also ping IRB.624's address.

    Clients in the grebd bridge domain (who also have 172.16.0.0/26 addresses) can ping the irb.624 address: 17.16.0.1, and even the irb.200 address: 10.0.10.52, but are unable to ping anything beyond that. No outside routers can ping 172.16.0.0/26 clients.

    I get the feeling that something is wrong with my routing, though the routes seem complete....

    admin@mxr> show route protocol direct
    
    inet.0: 382 destinations, 384 routes (382 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    10.0.10.48/28      *[Direct/0] 01:42:57
                        >  via irb.200
    172.16.0.0/26      *[Direct/0] 05:52:39
                        >  via irb.624

    Anything else I can try? 


  • 2.  RE: Routing between 2 bridge domains through IRBs issues... :(

    Posted 10-04-2021 05:42
    Can you verify the clients in grebd have 172.16.0.1 as their gateway or default route?

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Routing between 2 bridge domains through IRBs issues... :(

    Posted 10-04-2021 13:27
    Yes, I've verified their default route. After some packet captures, I realized that traffic was exiting the MX properly and being routed correctly! Unfortunately it seems that traffic doesn't return, or dies in transit somewhere. I haven't been able to verify yet if traffic is returning to the MX and stopping there, or if it ever returns at all. Because I can ping the 172.16.0.1 address from the rest of the network, I'm assuming that other IPs in the /26 are also routing properly to the MX. I'm guessing that they make it back to the MX, which has a direct route to the /26 and a next-hop of the IRB, and then stop there? 



  • 4.  RE: Routing between 2 bridge domains through IRBs issues... :(

    Posted 10-05-2021 05:58
    On Junos devices you can use a firewall filter to count packets that match criteria on any interface.  

    firewall {
        family inet {
            /* Counts traffic from inside to outside addresses, then accepts everything. */
            filter Peer_Count_Out {
                interface-specific;
                term traffic {
                    from {
                        source-prefix-list {
                            Inside_Addresses;
                        }
                        destination-prefix-list {
                            Outside_Addresses;
                        }
                    }
                    then count Peer_Out;
                }
                term allow {
                    then accept;
                }
            }
            /* Counts traffic from outside to inside addresses, then accepts everything. */
            filter Peer_Count_In {
                interface-specific;
                term traffic {
                    from {
                        source-prefix-list {
                            Outside_Addresses;
                        }
                        destination-prefix-list {
                            Inside_Addresses;
                        }
                    }
                    then count Peer_In;
                }
                term allow {
                    then accept;
                }
            }
        }
    }

    In the prefix list you put the addresses you expect to see in the conversation inside the VR and outside client.

    Then apply these to the interfaces you want to verify the traffic.

    family inet {
        filter {
            input Peer_Count_In;
            output Peer_Count_Out;
        }
    }

    Then display the results per interface using the operational command:

    show firewall


    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 5.  RE: Routing between 2 bridge domains through IRBs issues... :(

    Posted 10-06-2021 12:37
    Interesting results...


    I put the filters on IRB.200 and (in reverse) on IRB.624. I placed them in reverse on unit 624 because otherwise I was getting zero traffic. If I'm interpreting this correctly: the packets do seem to be returning to IRB.624. Perhaps the disconnect is somewhere in the bridge domain; that for some reason the packets aren't traversing into the GRE tunnels. I have a device in the middle between my MX104 and the GRE clients. Capturing packets there shows that there are no return packets, so my suspicion is growing stronger that it's something to do with the bridge-domain.
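
The counting procedure from reply 4, with the direction reversal reported in reply 5, written out as one configuration fragment. This is an added example, not configuration posted by either participant: the prefix-list contents are assumptions (172.16.0.0/26 is the client subnet from the first post, 192.0.2.10/32 is a constructed placeholder for the outside host being pinged), and the fragment is meant to be merged into the existing irb units alongside the filters defined in reply 4.

```junos
policy-options {
    /* Assumption: the grebd client subnet given in the first post. */
    prefix-list Inside_Addresses {
        172.16.0.0/26;
    }
    /* Constructed placeholder for the outside test host. */
    prefix-list Outside_Addresses {
        192.0.2.10/32;
    }
}
interfaces {
    irb {
        unit 200 {
            family inet {
                /* Outside-facing IRB: replies from outside arrive here
                   (input), requests from the clients leave here (output). */
                filter {
                    input Peer_Count_In;
                    output Peer_Count_Out;
                }
            }
        }
        unit 624 {
            family inet {
                /* Client-facing IRB: directions are mirrored. Requests from
                   the clients arrive here (input), replies leave here
                   (output), so the two filters swap places. */
                filter {
                    input Peer_Count_Out;
                    output Peer_Count_In;
                }
            }
        }
    }
}
```

Because both filters are `interface-specific`, `show firewall` keeps a separate counter instance per interface and direction. A reply counted by Peer_In on irb.200 input and again on irb.624 output has crossed the routed path, which points any remaining loss at the bridge domain or the tunnel beyond it.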



  • 6.  RE: Routing between 2 bridge domains through IRBs issues... :(

    Posted 10-07-2021 05:32
    Oh HEY! I added a little mikrotik to a port on the MX104 and used it as a port-mirroring destination to listen to traffic on the IRB.624. I am able to confirm that traffic is being routed correctly to the IRB.624. I then turned it into a client on the bridge-domain (sans GRE) and it was able to send and receive pings just fine! 

    That leaves the GRE tunnel interface that's causing the issue. For some reason the packets are hitting the irb.624 -> bridge-domain -> X    and dying. They aren't being wrapped in the GRE tunnel and sent on their way.  The ARP table shows it knows where to send the packets to though. :/  Problem lies in the GRE tunnel encapsulation or something?


  • 7.  RE: Routing between 2 bridge domains through IRBs issues... :(

    Posted 10-07-2021 05:33
    PROGRESS! If I change a gre interface from interface-mode access to interface-mode trunk and set my end-client to the appropriate vlan, then two way traffic works! Unfortunately I don't think I can set my clients to a vlan in production. This leads me to believe that there's a disconnect somehow with the access mode on the interface and incoming packets either getting tagged (or not getting tagged) on the bridge-domain. Is it possible the bridge-domain isn't tagging the packet and the GRE tunnel then rejects it? Or the inverse?


  • 8.  RE: Routing between 2 bridge domains through IRBs issues... :(

    Posted 10-07-2021 05:41
    I'm not very familiar with gre tunnels as I've rarely used them but I assume your untagged clients for the bridge domain will have interfaces added as a member of the bridge domain. 

    When you add a sub interface to a bridge domain, the member interface can be tagged with any vlan or no vlan at all and it will be treated as the vlan for the bridge domain to the rest of the interfaces on the device.

    So if you are looking to connect the gre tunnel into this bridge specifically, you could go ahead and see if you can make the gre family bridge and a member of the bridge domain.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 9.  RE: Routing between 2 bridge domains through IRBs issues... :(

    Posted 10-07-2021 13:22
    Interfaces on a bridge domain aren't allowed to have interface-mode on the sub unit, and for GRE tunnels to work, it's required to have an interface-mode, so I'm unable to add GRE interfaces to a bridge domain. Instead, they match up on the VLAN and their traffic is then given to the bridge-domain.

    It just seems that the access interface mode, with IPv6, doesn't encapsulate the return traffic and put it back on the tunnel. I'm sort of pointing my finger at VLANs for this one, since when I change it to trunk, and tag the inbound traffic, the data starts flowing again.  :/   I need to get with a TAC engineer or something and see why the traffic isn't being encapsulated properly.