Hello,
I am trying to connect two SRX300 devices in the following way: VPLS over MPLS/LDP over GRE over IPSec.
I have been able to establish everything up to getting the VPLS tunnels up, but unfortunately I can't get the VPLS to forward any traffic. I am attaching the configurations below.
Any insight would be greatly appreciated.
version 15.1X49-D140.2;
system {
host-name srx240-1;
root-authentication {
encrypted-password "..."; ## SECRET-DATA
}
name-server {
8.8.8.8;
8.8.4.4;
}
services {
ssh;
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any notice;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
phone-home {
server https://redirect.juniper.net;
rfc-complaint;
}
}
security {
log {
mode stream;
report;
}
ike {
policy standard {
mode main;
proposal-set standard;
pre-shared-key ascii-text "$9$LIs7NViHmFnCGDnCtuhcbs24GDHqmTFn"; ## SECRET-DATA
}
gateway srx240-2 {
ike-policy standard;
address 1.1.1.2;
external-interface ge-0/0/0;
}
}
ipsec {
policy standard {
proposal-set standard;
}
vpn ipsec-vpn-1 {
bind-interface st0.0;
df-bit clear;
ike {
gateway srx240-2;
ipsec-policy standard;
}
establish-tunnels immediately;
}
}
policies {
from-zone trust to-zone trust {
policy allow_any {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
all;
}
}
}
}
interfaces {
ge-0/0/0 {
description Internet;
mtu 1514;
unit 0 {
family inet {
address 1.1.1.1/30;
}
}
}
gr-0/0/0 {
unit 0 {
description "MPLS core facing interface";
tunnel {
source 172.16.0.1;
destination 172.16.0.2;
}
family inet {
mtu 9000;
address 172.16.255.1/30;
}
family mpls {
mtu 9000;
filter {
input packet-mode;
}
}
}
}
ge-0/0/2 {
description "LAN Side";
mtu 1522;
encapsulation ethernet-vpls;
unit 0 {
description VPLS_VPN-1;
family vpls;
}
}
lo0 {
unit 0 {
family inet {
address 10.255.255.1/32;
}
}
}
st0 {
unit 0 {
family inet {
mtu 9178;
address 172.16.0.1/30;
}
}
}
}
routing-options {
autonomous-system 65100;
}
protocols {
mpls {
interface gr-0/0/0.0;
}
bgp {
tcp-mss 1200;
group IBGP {
type internal;
local-address 10.255.255.1;
local-as 65100;
neighbor 10.255.255.2 {
family inet {
any;
}
family inet-vpn {
any;
}
family l2vpn {
signaling;
}
}
}
}
ospf {
traffic-engineering;
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface gr-0/0/0.0;
}
}
ldp {
interface gr-0/0/0.0;
interface lo0.0;
}
l2-learning {
global-mode switching;
}
rstp {
interface all;
}
}
firewall {
family inet {
filter packet-mode-inet {
term all-traffic {
then {
packet-mode;
accept;
}
}
}
}
family mpls {
filter packet-mode {
term all-traffic {
then {
packet-mode;
accept;
}
}
}
}
}
routing-instances {
VPLS_VPN-1 {
instance-type vpls;
interface ge-0/0/2.0;
route-distinguisher 10.255.255.1:1001;
vrf-target target:65100:1001;
protocols {
vpls {
no-tunnel-services;
site 1 {
site-identifier 1;
interface ge-0/0/2.0;
}
}
}
}
}
and the second one
version 15.1X49-D140.2;
system {
host-name srx240-2;
root-authentication {
encrypted-password "...."; ## SECRET-DATA
}
name-server {
8.8.8.8;
8.8.4.4;
}
services {
ssh;
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any notice;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
phone-home {
server https://redirect.juniper.net;
rfc-complaint;
}
}
security {
log {
mode stream;
report;
}
ike {
policy standard {
mode main;
proposal-set standard;
pre-shared-key ascii-text "$9$2IoaGF39O1h5Q1hSrLXUjHq5Q369pO1"; ## SECRET-DATA
}
gateway srx240-1 {
ike-policy standard;
address 1.1.1.1;
external-interface ge-0/0/0.0;
}
}
ipsec {
policy standard {
proposal-set standard;
}
vpn ipsec-vpn-1 {
bind-interface st0.0;
df-bit clear;
ike {
gateway srx240-1;
ipsec-policy standard;
}
establish-tunnels immediately;
}
}
policies {
from-zone trust to-zone trust {
policy allow_any {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
all;
}
}
}
}
interfaces {
ge-0/0/0 {
description Internet;
mtu 1514;
unit 0 {
family inet {
address 1.1.1.2/30;
}
}
}
gr-0/0/0 {
unit 0 {
description "MPLS core facing interface";
tunnel {
source 172.16.0.2;
destination 172.16.0.1;
}
family inet {
mtu 9000;
address 172.16.255.2/30;
}
family mpls {
mtu 9000;
filter {
input packet-mode;
}
}
}
}
ge-0/0/2 {
description "LAN Side";
mtu 1522;
encapsulation ethernet-vpls;
unit 0 {
description VPLS_VPN-1;
family vpls;
}
}
lo0 {
unit 0 {
family inet {
address 10.255.255.2/32;
}
}
}
st0 {
unit 0 {
family inet {
mtu 9178;
address 172.16.0.2/30;
}
}
}
}
routing-options {
autonomous-system 65100;
}
protocols {
mpls {
interface gr-0/0/0.0;
}
bgp {
tcp-mss 1200;
group IBGP {
type internal;
local-address 10.255.255.2;
local-as 65100;
neighbor 10.255.255.1 {
family inet {
any;
}
family inet-vpn {
any;
}
family l2vpn {
signaling;
}
}
}
}
ospf {
traffic-engineering;
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface gr-0/0/0.0;
}
}
ldp {
interface gr-0/0/0.0;
interface lo0.0;
}
l2-learning {
global-mode switching;
}
rstp {
interface all;
}
}
firewall {
family inet {
filter packet-mode-inet {
term all-traffic {
then {
packet-mode;
accept;
}
}
}
}
family mpls {
filter packet-mode {
term all-traffic {
then {
packet-mode;
accept;
}
}
}
}
}
routing-instances {
VPLS_VPN-1 {
instance-type vpls;
interface ge-0/0/2.0;
route-distinguisher 10.255.255.2:1001;
vrf-target target:65100:1001;
protocols {
vpls {
no-tunnel-services;
site 2 {
site-identifier 2;
interface ge-0/0/2.0;
}
}
}
}
}