vSRX

vSRX - MPLS over GRE?

  • 1.  vSRX - MPLS over GRE?

    Posted 02-10-2021 09:11
    Hey, 

    I can't seem to find a straight answer through my Google fu. 

    This is the situation that I have. 

    I've got Data Center A and Data Center B. 

    I have a single vSRX in both DCA and DCB. 

    I have a GRE tunnel up/up connecting the SRXs together. 

    I can ping between my L0s on each SRX through the GRE tunnel.

    I would like to connect customer VRFs between each DC, i.e. VRF Testing resources in DCA need to talk with VRF testing resources in DCB. 

    Is this possible? I am utilizing NAT / IPsec in the SRX so I need to keep them in flow-mode, but I should be able to use the "then packet mode" filter for MPLS.  It currently works the way I'm doing it, via virtual-router instances and route-leaking but in the long run that will become more and more confusing to manage.

    Thoughts?


  • 2.  RE: vSRX - MPLS over GRE?

     
    Posted 02-10-2021 10:06
    Hi RoutingFrames,
    First I thought you wanted some flavor of L2VPN, but luckily you seem to want to route packets. With GRE underneath (and a decent JUNOS 19.x) you can run BGP-MPLS-VPNs over this (by pretending the GRE is the physical interface connecting the two PEs). No need for packet mode trickery.  I've been told it's also possible via some packet mode hacks, but I've never tried ...
    Regards
    Ulf


  • 3.  RE: vSRX - MPLS over GRE?

    Posted 02-10-2021 10:08
    Hmm, interesting. 

    That's exactly what I'm running, 19.4.

    If it's not too in-depth,  could you post the config for it?


  • 4.  RE: vSRX - MPLS over GRE?

    Posted 02-11-2021 10:49
    Hmm,

    So I've got LDP up and passing labels, but not getting anything in my route table. 

    Can someone smarter than me tell me what I'm missing? lol


    protocols {
        bgp {
            group MPLS {
                type internal;
                local-address 169.254.46.43;
                family inet-vpn {
                    any;
                }
                neighbor 169.254.39.5;
            }
        }
        ldp {
            interface gr-0/0/0.0;
        }
        mpls {
            interface gr-0/0/0.0;
     
     
     
        }
        Testing {
            protocols {
                bgp {
                    export Testing-resources;
                }
            }                               
            interface lo0.1;
            instance-type vrf;
            route-distinguisher 2:10;
            vrf-target target:1:10;
        }
     
     
     
        }
        policy-statement Testing-resources {
            from interface lo0.1;
            then accept;
     
     
        }
        lo0 {
            unit 0 {
                family inet {
                    address 169.254.46.43/32;
                }
            }
            unit 1 {
                family inet {
                    address 10.10.10.11/32;
                }
            }
     
     
    interfaces {
        gr-0/0/0 {
            unit 0 {
                tunnel {
                    source 172.16.14.6;
                    destination 10.66.1.6;  
                }
                family inet;
                family mpls;
     
     
     }
            from-zone Testing to-zone Shared-Resources {
                policy permit-all {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Testing to-zone Testing {
                policy permit-all {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
     
     
     
     
    Show LDP Database
     
    Input label database, 169.254.46.43:0--169.254.39.5:0
    Labels received: 2
      Label     Prefix
          3      169.254.39.5/32
     300240      169.254.46.43/32
     
    Output label database, 169.254.46.43:0--169.254.39.5:0
    Labels advertised: 2
      Label     Prefix
     300240      169.254.39.5/32
          3      169.254.46.43/32
     
    169.254.39.5          64512       1538       1539       0       0    11:31:57 Establ
      bgp.l3vpn.0: 0/0/0/0
      bgp.l3vpn.2: 0/0/0/0
     
    admin@MLB-vSRX-C1N0> show route table mpls.0 
     
    mpls.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
     
    0                  *[MPLS/0] 11:24:07, metric 1
                           Receive
    1                  *[MPLS/0] 11:24:07, metric 1
                           Receive
    2                  *[MPLS/0] 11:24:07, metric 1
                           Receive
    13                 *[MPLS/0] 11:24:07, metric 1
                           Receive
    300176             *[VPN/170] 10:30:55
                           receive table Testing.inet.0, Pop      
    300240             *[LDP/9] 00:00:15, metric 1
                        >  via gr-0/0/0.0, Pop      
    300240(S=0)        *[LDP/9] 00:00:15, metric 1
                        >  via gr-0/0/0.0, Pop


  • 5.  RE: vSRX - MPLS over GRE?

    Posted 02-11-2021 11:04
    Isn't that handled via the BGP type internal? 



  • 6.  RE: vSRX - MPLS over GRE?

     
    Posted 02-11-2021 10:58
    I'd guess:
    - you need an IGP over the GRE tunnel (and on lo0)
    - proto ldp also covering your lo0
    Ulf


  • 7.  RE: vSRX - MPLS over GRE?

     
    Posted 02-11-2021 11:20
    Well, no. BGP internal is just iBGP, which you also need from PE to PE for the customer/VPN routes as you rightly configured ...


  • 8.  RE: vSRX - MPLS over GRE?

    Posted 02-11-2021 11:30
    Damn, nothing yet. 

    How would it look if you made it?


  • 9.  RE: vSRX - MPLS over GRE?

    Posted 02-11-2021 12:07
    You mean packet mode?

    It's already in packet mode and I can't remove packet mode because I need NAT / IPsec. 

    I enabled OSPF area 0 over both gr-0/0/0 as well. 

    table label? 

    I don't know what I'm doing lol. I'm frankly in too deep at this point lol. 





  • 10.  RE: vSRX - MPLS over GRE?

    Posted 02-11-2021 12:32
    ah okay. That makes sense. 

    I need to reboot to change forwarding options to flow based, then I'll add IPs to the gr-0/0/0 interfaces and add those to OSPF. 

    just vrf-table-label by itself ala ?
    "set routing-instances Testing vrf-table-label" 


  • 11.  RE: vSRX - MPLS over GRE?

     
    Posted 02-11-2021 11:45
    vrf needs vrf-table-label;
    mpls switched to flow mode?
    IGP with IP-addresses running over the GRE-tunnel?


  • 12.  RE: vSRX - MPLS over GRE?

     
    Posted 02-11-2021 12:22

    no, I mean flow mode for family mpls
    vrf-table-label is a top level statement in the vrf / routing-instance config
    and
    gr-0/0/0 {
            unit 0 {
                tunnel {
                    source 172.16.14.6;
                    destination 10.66.1.6;  
                }
            family inet;

    needs an address


  • 13.  RE: vSRX - MPLS over GRE?

     
    Posted 02-11-2021 12:39
    ack
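
The checklist that replies 6, 11 and 12 converge on, written as a small offline config audit. This is an added example, not part of the original thread and not Juniper tooling; the sample config is constructed from the fragments in reply 4, OSPF is assumed as the IGP (reply 9), lo0.0 is assumed to be the PE loopback, and `parse`, `sub` and `audit` are hypothetical helper names.

```python
import re
# Constructed sample from reply 4's fragments; packet-mode stanza added per reply 9.
SAMPLE = """
security { forwarding-options { family { mpls { mode packet-based; } } } }
interfaces {
    gr-0/0/0 { unit 0 { tunnel { source 172.16.14.6; destination 10.66.1.6; } family inet; family mpls; } }
    lo0 { unit 0 { family inet { address 169.254.46.43/32; } } }
}
protocols { ldp { interface gr-0/0/0.0; } mpls { interface gr-0/0/0.0; } }
routing-instances { Testing { instance-type vrf; interface lo0.1; vrf-target target:1:10; } }
"""

def parse(text):
    """Turn curly-brace Junos config into nested dicts; leaf statements map to True."""
    stack = [{}]
    for stmt, sep in re.findall(r"([^{};]*)([{};])", text):
        stmt = " ".join(stmt.split())
        if sep == "{":
            stack.append(stack[-1].setdefault(stmt, {}))
        elif sep == "}" and len(stack) > 1:
            stack.pop()
        elif sep == ";" and stmt:
            stack[-1][stmt] = True
    return stack[0]

def sub(node, *path):
    # Walk statement names; return {} when a step is missing or is a leaf.
    for key in path:
        node = node.get(key, {}) if isinstance(node, dict) else {}
    return node if isinstance(node, dict) else {}

def audit(cfg):
    """Findings for the points raised in replies 6, 11 and 12 (OSPF assumed as IGP)."""
    proto, out = sub(cfg, "protocols"), []
    igp = {k for area in sub(proto, "ospf").values() for k in sub(area)}
    if "mode packet-based" in sub(cfg, "security", "forwarding-options", "family", "mpls"):
        out.append("family mpls is in packet mode")
    need_igp = ["lo0.0"]
    for name, ifc in sub(cfg, "interfaces").items():
        for uname, unit in sub(ifc).items():
            if name.startswith("gr-") and "family mpls" in sub(unit):
                need_igp.append(f"{name}.{uname.split()[-1]}")
                if not any(k.startswith("address ") for k in sub(unit, "family inet")):
                    out.append(f"{need_igp[-1]}: family inet has no address")
    out += [f"{i}: not in the IGP" for i in need_igp if f"interface {i}" not in igp]
    if "interface lo0.0" not in sub(proto, "ldp"):
        out.append("lo0.0: not in LDP")
    out += [f"{n}: vrf without vrf-table-label" for n, ri in sub(cfg, "routing-instances").items()
            if "instance-type vrf" in sub(ri) and "vrf-table-label" not in sub(ri)]
    return out
```

Calling `audit(parse(SAMPLE))` lists every gap the replies point out for the posted configuration; a config that addresses all of them returns an empty list.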