Routing


[SRX300] <--> [SRX300]

  • 1.  [SRX300] <--> [SRX300]

    Posted 06-11-2018 06:23

    Hello,

     

    I am trying to connect two SRX300 devices in the following way: VPLS over MPLS/LDP over GRE over IPSec.

     

    I have been able to establish everything up to getting the VPLS tunnels up, but unfortunately I can't get the VPLS to forward any traffic. I am attaching the configurations below.

     

    Any insight would be greatly appreciated.

     

    version 15.1X49-D140.2;
    /* Management plane of srx240-1, the first of the two peers posted here. */
    system {
        host-name srx240-1;
        root-authentication {
            /* Redacted by the poster, unlike the IKE pre-shared key under security ike. */
            encrypted-password "..."; ## SECRET-DATA
        }
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        /* SSH with no root-login, rate-limit or connection-limit statements; the security zones stanza admits all system-services on interfaces all, so SSH is reachable from the Internet-facing ge-0/0/0 as well. */
        services {
            ssh;
        }
        /* Local log files only; no remote syslog host statement is present, so nothing leaves the box for central monitoring. */
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        /* Outbound HTTPS to Juniper for license retrieval. */
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        /* Outbound HTTPS phone-home to Juniper's redirect server. */
        phone-home {
            server https://redirect.juniper.net;
            rfc-complaint;
        }
    }
    /* Security plane: IKE/IPsec to the peer plus one permissive zone covering every interface. */
    security {
        /* mode stream needs a stream destination; none appears in this config, so confirm security events are actually collected anywhere. */
        log {
            mode stream;
            report;
        }
        /* Main-mode IKE with a pre-shared key and the built-in standard proposal set (SHA-1 and DH group 2 based on this release family -- verify); an explicit proposal with SHA-256 and DH group 14 or stronger is preferable. */
        ike {
            policy standard {
                mode main;
                proposal-set standard;
                /* $9$ is Junos reversible obfuscation, not encryption: posting this string discloses the key, so it should be rotated on both peers. */
                pre-shared-key ascii-text "$9$LIs7NViHmFnCGDnCtuhcbs24GDHqmTFn"; ## SECRET-DATA
            }
            /* Peer at 1.1.1.2 via ge-0/0/0; 1.1.1.0/30 is public address space, presumably lab addressing. */
            gateway srx240-2 {
                ike-policy standard;
                address 1.1.1.2;
                external-interface ge-0/0/0;
            }
        }
        ipsec {
            policy standard {
                proposal-set standard;
            }
            /* Route-based VPN bound to st0.0; df-bit clear lets the oversized gr/st0 MTUs be fragmented on the 1514-byte ge-0/0/0 path. */
            vpn ipsec-vpn-1 {
                bind-interface st0.0;
                df-bit clear;
                ike {
                    gateway srx240-2;
                    ipsec-policy standard;
                }
                establish-tunnels immediately;
            }
        }
        /* Intra-zone any/any permit with no log action, so permitted flows are not recorded. */
        policies {
            from-zone trust to-zone trust {
                policy allow_any {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        /* interfaces all places the Internet-facing ge-0/0/0 in the same zone as the LAN and tunnel, with every system service and protocol accepted inbound; give ge-0/0/0 its own zone that accepts only ike. */
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    all;
                }
            }
        }
    }
    interfaces {
        /* Internet-facing physical link at 1514 bytes; carries the IPsec tunnel to the peer. */
        ge-0/0/0 {
            description Internet;
            mtu 1514;
            unit 0 {
                family inet {
                    address 1.1.1.1/30;
                }
            }
        }
        /* GRE tunnel whose endpoints are the st0 addresses, so it rides inside IPsec; mtu 9000 inside st0's 9178 inside a 1514-byte physical link depends on fragmentation. */
        gr-0/0/0 {
            unit 0 {
                description "MPLS core facing interface";
                tunnel {
                    source 172.16.0.1;
                    destination 172.16.0.2;
                }
                family inet {
                    mtu 9000;
                    address 172.16.255.1/30;
                }
                family mpls {
                    mtu 9000;
                    /* packet-mode filter: MPLS frames arriving here bypass the flow engine and security policies. */
                    filter {
                        input packet-mode;
                    }
                }
            }
        }
        /* Customer-facing VPLS attachment port. */
        ge-0/0/2 {
            description "LAN Side";
            mtu 1522;
            encapsulation ethernet-vpls;
            unit 0 {
                description VPLS_VPN-1;
                family vpls;
            }
        }
        /* Loopback used as the BGP local-address and as an LDP interface. */
        lo0 {
            unit 0 {
                family inet {
                    address 10.255.255.1/32;
                }
            }
        }
        /* IPsec bind interface; its /30 doubles as the GRE endpoint addresses. */
        st0 {
            unit 0 {
                family inet {
                    mtu 9178;
                    address 172.16.0.1/30;
                }
            }
        }
    }
    /* Same AS on both peers, used by the IBGP group under protocols bgp. */
    routing-options {
        autonomous-system 65100;
    }
    /* Control plane runs entirely inside the GRE-over-IPsec tunnel. */
    protocols {
        mpls {
            interface gr-0/0/0.0;
        }
        /* Loopback-to-loopback IBGP carrying inet, inet-vpn and l2vpn signaling; tcp-mss 1200 compensates for tunnel overhead. No authentication-key appears, so the session relies on the IPsec tunnel alone. */
        bgp {
            tcp-mss 1200;
            group IBGP {
                type internal;
                local-address 10.255.255.1;
                local-as 65100;
                neighbor 10.255.255.2 {
                    family inet {
                        any;
                    }
                    family inet-vpn {
                        any;
                    }
                    family l2vpn {
                        signaling;
                    }
                }
            }
        }
        /* OSPF gives loopback reachability across gr-0/0/0.0; no interface authentication is configured. */
        ospf {
            traffic-engineering;
            area 0.0.0.0 {
                interface lo0.0 {
                    passive;
                }
                interface gr-0/0/0.0;
            }
        }
        /* LDP on the tunnel and loopback; unauthenticated as posted. */
        ldp {
            interface gr-0/0/0.0;
            interface lo0.0;
        }
        /* Global L2 switching plus RSTP on interface all; presumably required for the ethernet-vpls port -- confirm that RSTP on the routed ports is intended. */
        l2-learning {
            global-mode switching;
        }
        rstp {
            interface all;
        }
    }
    /* packet-mode action: matching traffic is forwarded statelessly, outside the flow engine and security policies. */
    firewall {
        family inet {
            /* Defined but not applied to any interface in this config. */
            filter packet-mode-inet {
                term all-traffic {
                    then {
                        packet-mode;
                        accept;
                    }
                }
            }
        }
        family mpls {
            /* Applied as input on gr-0/0/0.0 family mpls. */
            filter packet-mode {
                term all-traffic {
                    then {
                        packet-mode;
                        accept;
                    }
                }
            }
        }
    }
    /* BGP-signaled VPLS instance; RD is the loopback plus 1001 and the target matches the peer's. */
    routing-instances {
        VPLS_VPN-1 {
            instance-type vpls;
            interface ge-0/0/2.0;
            route-distinguisher 10.255.255.1:1001;
            vrf-target target:65100:1001;
            protocols {
                vpls {
                    /* VPLS without tunnel services; site-identifier 1 here, 2 on the peer. */
                    no-tunnel-services;
                    site 1 {
                        site-identifier 1;
                        interface ge-0/0/2.0;
                    }
                }
            }
        }
    }
    

    and the second one

    version 15.1X49-D140.2;
    /* Management plane of srx240-2, mirror of the first peer. */
    system {
        host-name srx240-2;
        root-authentication {
            /* Redacted by the poster, unlike the IKE pre-shared key under security ike. */
            encrypted-password "...."; ## SECRET-DATA
        }
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        /* SSH with no root-login, rate-limit or connection-limit statements; with security zones trust covering interfaces all and system-services all, it is reachable from the Internet-facing ge-0/0/0 too. */
        services {
            ssh;
        }
        /* Local log files only; no remote syslog host statement is present. */
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        /* Outbound HTTPS to Juniper for license retrieval. */
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        /* Outbound HTTPS phone-home to Juniper's redirect server. */
        phone-home {
            server https://redirect.juniper.net;
            rfc-complaint;
        }
    }
    /* Security plane of srx240-2: IKE/IPsec back to 1.1.1.1 plus one permissive zone. */
    security {
        /* mode stream with no stream destination in this config; confirm security events are collected anywhere. */
        log {
            mode stream;
            report;
        }
        /* Main-mode IKE with a pre-shared key and the built-in standard proposal set (SHA-1 and DH group 2 based on this release family -- verify); prefer an explicit proposal with SHA-256 and DH group 14 or stronger. */
        ike {
            policy standard {
                mode main;
                proposal-set standard;
                /* $9$ is reversible obfuscation; this key is disclosed by the post and should be rotated on both peers. */
                pre-shared-key ascii-text "$9$2IoaGF39O1h5Q1hSrLXUjHq5Q369pO1"; ## SECRET-DATA
            }
            /* Peer at 1.1.1.1; note external-interface is given as the logical unit here but as the physical port on srx240-1. */
            gateway srx240-1 {
                ike-policy standard;
                address 1.1.1.1;
                external-interface ge-0/0/0.0;
            }
        }
        ipsec {
            policy standard {
                proposal-set standard;
            }
            /* Route-based VPN on st0.0; df-bit clear permits fragmentation of the oversized tunnel MTUs on the 1514-byte ge-0/0/0 path. */
            vpn ipsec-vpn-1 {
                bind-interface st0.0;
                df-bit clear;
                ike {
                    gateway srx240-1;
                    ipsec-policy standard;
                }
                establish-tunnels immediately;
            }
        }
        /* Intra-zone any/any permit with no log action. */
        policies {
            from-zone trust to-zone trust {
                policy allow_any {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        /* interfaces all includes the Internet-facing ge-0/0/0, with every system service and protocol accepted inbound; give ge-0/0/0 its own zone that accepts only ike. */
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    all;
                }
            }
        }
    }
    interfaces {
        /* Internet-facing physical link at 1514 bytes; carries the IPsec tunnel. */
        ge-0/0/0 {
            description Internet;
            mtu 1514;
            unit 0 {
                family inet {
                    address 1.1.1.2/30;
                }
            }
        }
        /* GRE tunnel between the st0 addresses, i.e. inside IPsec; mtu 9000 over a 1514-byte underlay depends on fragmentation. */
        gr-0/0/0 {
            unit 0 {
                description "MPLS core facing interface";
                tunnel {
                    source 172.16.0.2;
                    destination 172.16.0.1;
                }
                family inet {
                    mtu 9000;
                    address 172.16.255.2/30;
                }
                family mpls {
                    mtu 9000;
                    /* packet-mode filter: MPLS frames arriving here bypass the flow engine and security policies. */
                    filter {
                        input packet-mode;
                    }
                }
            }
        }
        /* Customer-facing VPLS attachment port. */
        ge-0/0/2 {
            description "LAN Side";
            mtu 1522;
            encapsulation ethernet-vpls;
            unit 0 {
                description VPLS_VPN-1;
                family vpls;
            }
        }
        /* Loopback used as the BGP local-address and as an LDP interface. */
        lo0 {
            unit 0 {
                family inet {
                    address 10.255.255.2/32;
                }
            }
        }
        /* IPsec bind interface; its /30 doubles as the GRE endpoint addresses. */
        st0 {
            unit 0 {
                family inet {
                    mtu 9178;
                    address 172.16.0.2/30;
                }
            }
        }
    }
    /* Same AS as the peer, used by the IBGP group under protocols bgp. */
    routing-options {
        autonomous-system 65100;
    }
    /* Control plane runs entirely inside the GRE-over-IPsec tunnel. */
    protocols {
        mpls {
            interface gr-0/0/0.0;
        }
        /* Loopback-to-loopback IBGP with inet, inet-vpn and l2vpn signaling; no authentication-key appears, so the session relies on the IPsec tunnel alone. */
        bgp {
            tcp-mss 1200;
            group IBGP {
                type internal;
                local-address 10.255.255.2;
                local-as 65100;
                neighbor 10.255.255.1 {
                    family inet {
                        any;
                    }
                    family inet-vpn {
                        any;
                    }
                    family l2vpn {
                        signaling;
                    }
                }
            }
        }
        /* OSPF for loopback reachability across the tunnel; no interface authentication configured. */
        ospf {
            traffic-engineering;
            area 0.0.0.0 {
                interface lo0.0 {
                    passive;
                }
                interface gr-0/0/0.0;
            }
        }
        /* LDP on the tunnel and loopback; unauthenticated as posted. */
        ldp {
            interface gr-0/0/0.0;
            interface lo0.0;
        }
        /* Global L2 switching plus RSTP on interface all; presumably for the ethernet-vpls port -- confirm it is intended on the routed ports. */
        l2-learning {
            global-mode switching;
        }
        rstp {
            interface all;
        }
    }
    /* packet-mode action: matching traffic is forwarded statelessly, outside the flow engine and security policies. */
    firewall {
        family inet {
            /* Defined but not applied to any interface in this config. */
            filter packet-mode-inet {
                term all-traffic {
                    then {
                        packet-mode;
                        accept;
                    }
                }
            }
        }
        family mpls {
            /* Applied as input on gr-0/0/0.0 family mpls. */
            filter packet-mode {
                term all-traffic {
                    then {
                        packet-mode;
                        accept;
                    }
                }
            }
        }
    }
    /* BGP-signaled VPLS instance; RD is this loopback plus 1001, target identical to the peer's. */
    routing-instances {
        VPLS_VPN-1 {
            instance-type vpls;
            interface ge-0/0/2.0;
            route-distinguisher 10.255.255.2:1001;
            vrf-target target:65100:1001;
            protocols {
                vpls {
                    /* VPLS without tunnel services; site-identifier 2 here, 1 on the peer. */
                    no-tunnel-services;
                    site 2 {
                        site-identifier 2;
                        interface ge-0/0/2.0;
                    }
                }
            }
        }
    }
    
    

     



  • 2.  RE: [SRX300] <--> [SRX300]
    Best Answer

    Posted 06-11-2018 13:26

    For those who are interested, I was able to get this working, but using an L2VPN configuration rather than VPLS, as follows:

     

    version 15.1X49-D140.2;
    /* Working L2VPN variant, srx240-2 side only; the srx240-1 side is not posted. */
    system {
        host-name srx240-2;
        root-authentication {
            /* Redacted by the poster, unlike the IKE pre-shared key under security ike. */
            encrypted-password "..."; ## SECRET-DATA
        }
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        /* SSH with no root-login, rate-limit or connection-limit statements; security zones trust covers interfaces all with system-services all, so SSH is reachable from the Internet-facing ge-0/0/0 too. */
        services {
            ssh;
        }
        /* Local log files only; no remote syslog host statement is present. */
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        /* Outbound HTTPS to Juniper for license retrieval. */
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        /* Outbound HTTPS phone-home to Juniper's redirect server. */
        phone-home {
            server https://redirect.juniper.net;
            rfc-complaint;
        }
    }
    /* Security plane unchanged from the original post: IKE/IPsec to 1.1.1.1 plus one permissive zone. */
    security {
        /* mode stream with no stream destination in this config; confirm security events are collected anywhere. */
        log {
            mode stream;
            report;
        }
        /* Main-mode IKE with a pre-shared key and the built-in standard proposal set (SHA-1 and DH group 2 based on this release family -- verify); prefer an explicit proposal with SHA-256 and DH group 14 or stronger. */
        ike {
            policy standard {
                mode main;
                proposal-set standard;
                /* Same $9$ string as the earlier post; $9$ is reversible obfuscation, so the key is disclosed and should be rotated on both peers. */
                pre-shared-key ascii-text "$9$2IoaGF39O1h5Q1hSrLXUjHq5Q369pO1"; ## SECRET-DATA
            }
            gateway srx240-1 {
                ike-policy standard;
                address 1.1.1.1;
                external-interface ge-0/0/0.0;
            }
        }
        ipsec {
            policy standard {
                proposal-set standard;
            }
            /* Route-based VPN on st0.0; df-bit clear permits fragmentation of the oversized tunnel MTUs on the 1514-byte ge-0/0/0 path. */
            vpn ipsec-vpn-1 {
                bind-interface st0.0;
                df-bit clear;
                ike {
                    gateway srx240-1;
                    ipsec-policy standard;
                }
                establish-tunnels immediately;
            }
        }
        /* Intra-zone any/any permit with no log action; note that most data-plane traffic in this variant is packet-mode and never reaches this policy anyway. */
        policies {
            from-zone trust to-zone trust {
                policy allow_any {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        /* interfaces all includes the Internet-facing ge-0/0/0, with every system service and protocol accepted inbound; give ge-0/0/0 its own zone that accepts only ike. */
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    all;
                }
            }
        }
    }
    interfaces {
        /* Internet-facing physical link at 1514 bytes; carries the IPsec tunnel. */
        ge-0/0/0 {
            description Internet;
            mtu 1514;
            unit 0 {
                family inet {
                    address 1.1.1.2/30;
                }
            }
        }
        /* GRE tunnel between the st0 addresses, i.e. inside IPsec; both families now carry packet-mode filters. */
        gr-0/0/0 {
            unit 0 {
                description "MPLS core facing interface";
                tunnel {
                    source 172.16.0.2;
                    destination 172.16.0.1;
                }
                family inet {
                    mtu 9000;
                    /* New versus the original post: IPv4 through the tunnel is packet-mode in both directions, so it bypasses the flow engine and security policies. */
                    filter {
                        input packet-mode-inet;
                        output packet-mode-inet;
                    }
                    address 172.16.255.2/30;
                }
                family mpls {
                    mtu 9000;
                    /* packet-mode filter: MPLS frames arriving here bypass the flow engine and security policies. */
                    filter {
                        input packet-mode;
                    }
                }
            }
        }
        /* New routed LAN port on VLAN 10; inbound traffic is packet-mode, so the LAN-side inet traffic on this unit is not inspected by security policies. Not referenced by the L2VPN instance. */
        ge-0/0/1 {
            vlan-tagging;
            mtu 9192;
            unit 10 {
                description "LAN Side";
                vlan-id 10;
                family inet {
                    filter {
                        input packet-mode-inet;
                    }
                    address 192.168.1.1/24;
                }
            }
        }
        /* CCC attachment for the L2VPN, replacing the ethernet-vpls port; customer frames are packet-mode in both directions. */
        ge-0/0/2 {
            description "LAN Side";
            mtu 9192;
            encapsulation ethernet-ccc;
            unit 0 {
                description VPLS_VPN-1;
                family ccc {
                    filter {
                        input ccc-packet-mode;
                        output ccc-packet-mode;
                    }
                }
            }
        }
        /* Loopback used as the BGP local-address and as an LDP interface. */
        lo0 {
            unit 0 {
                family inet {
                    address 10.255.255.2/32;
                }
            }
        }
        /* IPsec bind interface; its /30 doubles as the GRE endpoint addresses. */
        st0 {
            unit 0 {
                family inet {
                    mtu 9178;
                    address 172.16.0.2/30;
                }
            }
        }
    }
    /* Same AS as the peer, used by the IBGP group under protocols bgp. */
    routing-options {
        autonomous-system 65100;
    }
    /* Control plane unchanged from the original post; runs inside the GRE-over-IPsec tunnel. */
    protocols {
        mpls {
            interface gr-0/0/0.0;
        }
        /* Loopback-to-loopback IBGP; family l2vpn signaling is what carries the L2VPN site advertisements. No authentication-key appears, so the session relies on the IPsec tunnel alone. */
        bgp {
            tcp-mss 1200;
            group IBGP {
                type internal;
                local-address 10.255.255.2;
                local-as 65100;
                neighbor 10.255.255.1 {
                    family inet {
                        any;
                    }
                    family inet-vpn {
                        any;
                    }
                    family l2vpn {
                        signaling;
                    }
                }
            }
        }
        /* OSPF for loopback reachability across the tunnel; no interface authentication configured. */
        ospf {
            traffic-engineering;
            area 0.0.0.0 {
                interface lo0.0 {
                    passive;
                }
                interface gr-0/0/0.0;
            }
        }
        /* LDP on the tunnel and loopback; unauthenticated as posted. */
        ldp {
            interface gr-0/0/0.0;
            interface lo0.0;
        }
        /* Global L2 switching plus RSTP on interface all, carried over from the VPLS attempt; confirm both are still needed now that ge-0/0/2 is ethernet-ccc. */
        l2-learning {
            global-mode switching;
        }
        rstp {
            interface all;
        }
    }
    /* packet-mode action: matching traffic is forwarded statelessly, outside the flow engine and security policies. */
    firewall {
        family inet {
            /* Applied on gr-0/0/0.0 (input and output) and ge-0/0/1.10 (input). */
            filter packet-mode-inet {
                term all-traffic {
                    then {
                        packet-mode;
                        accept;
                    }
                }
            }
        }
        family mpls {
            /* Applied as input on gr-0/0/0.0 family mpls. */
            filter packet-mode {
                term all-traffic {
                    then {
                        packet-mode;
                        accept;
                    }
                }
            }
        }
        /* Applied in both directions on ge-0/0/2.0 family ccc; this is what family vpls could not accept, per the poster's note. */
        family ccc {
            filter ccc-packet-mode {
                term 1 {
                    then {
                        packet-mode;
                        accept;
                    }
                }
            }
        }
    }
    /* BGP-signaled L2VPN replacing the VPLS instance; RD and target are unchanged from the VPLS attempt. */
    routing-instances {
        L2VPN-01 {
            instance-type l2vpn;
            interface ge-0/0/2.0;
            route-distinguisher 10.255.255.2:1001;
            vrf-target target:65100:1001;
            protocols {
                l2vpn {
                    encapsulation-type ethernet;
                    /* site 2 pairs with remote-site-id 1, so the srx240-1 side (not posted) needs site 1 with remote-site-id 2 and the same vrf-target. */
                    site 2 {
                        site-identifier 2;
                        interface ge-0/0/2.0 {
                            remote-site-id 1;
                        }
                    }
                }
            }
        }
    }
    

    The reason is that you can't apply packet-mode under firewall for family vpls. I am not sure about the pros and cons of L2VPN versus VPLS.



  • 3.  RE: [SRX300] <--> [SRX300]

    Posted 04-03-2019 09:19

    Hi there

    This looks interesting. What I hear you say is that VPLS and SRX (300) is a no-go?

    I am trying to set it up, but so far with no success :0). I think it should work over a core with MPLS/LDP and using BGP???

    Maybe I am wasting my time?

    Thanks for your post, by the way!

    BR. Peter.

    (peth.edu@gmail.com)



  • 4.  RE: [SRX300] <--> [SRX300]

    Posted 04-03-2019 09:22

    Forgot to ask if you have a diagram of the setup?

    Would it be possible to do the setup without using physical switches? I was thinking more of having a routing instance in the box that connects an L2 device (a laptop), just to show the functionality.

    Thanks. Peter.

    (peth.edu@gmail.com)