SD-WAN


Ask questions and share experiences with SD-WAN and Session Smart Router (formerly 128T).
  • 1.  SRX and SSR / Conductor integration

    Posted 06-30-2022 09:02
    Hello all
    I'm looking for a configuration example for integration between SRX and SSR.
    Can someone help with this?

    Thanks


  • 2.  RE: SRX and SSR / Conductor integration

     
    Posted 07-05-2022 12:37
    The SRX does not currently support the SVR protocol. Integration would be accomplished through standard routing protocols just as if you are connecting to any other router. Please elaborate if you need further assistance.

    ------------------------------
    Dustin Goss
    System Engineer Tech Lead
    ------------------------------



  • 3.  RE: SRX and SSR / Conductor integration

    Posted 07-11-2022 10:22
    Hi Dustin, 

    I saw that SVR was introduced as a feature for SRX in Junos 21.4, but the release note below doesn't mention anything about Conductor (or Mist post v6.0 release) integration. Is this on the roadmap for SRX? It would be great to be able to deploy SRXs with full Conductor based SVR and interoperability with SSRs. 

    https://www.juniper.net/documentation/us/en/software/junos/release-notes/21.4/junos-release-notes-21.4r1/topics/new-features/feature-descriptions/routing-policy-and-firewall-filters-6.html

    Cheers
    Dusty

    ------------------------------
    DUSTY MORRISON
    ------------------------------



  • 4.  RE: SRX and SSR / Conductor integration

     
    Posted 11-16-2022 08:50
    Hi,

    Here is a sample of a working configuration between SRX and SSR using SVR (vector routing):
    SRX side
    services {
        vector-routing {
            authority-name Authority128;
            cipher-suites {
                vsrx {
                    authentication-disabled;
                    encryption-disabled;
                }
                internal {
                    authentication-disabled;
                    encryption-disabled;
                }
            }
            router vsrx-222 {
                node vsrx-222 {
                    interfaces {
                        ge-0/0/1.0;
                        ge-0/0/0.0 {
                            adjacency {
                                adj1 {
                                    address 1.2.3.4;
                                    peer 128R8-Budapest;
                                    cipher-suite vsrx;
                                }
                                adj2 {
                                    address 2.3.4.5;
                                    peer TA-DC-Router;
                                    cipher-suite vsrx;
                                }
                            }
                            cipher-suite vsrx;
                        }
                    }
                }
                peer {
                    128R8-Budapest {
                        authority Authority128;
                        router 128R8-Budapest;
                    }
                    TA-DC-Router {
                        authority Authority128;
                        router TA-DC-Router;
                    }
                }
                service-routes {
                    sr1 {
                        peer 128R8-Budapest;
                        destination-service server1;
                    }
                    sr2 {
                        peer TA-DC-Router;
                        destination-service DC-LAN;
                    }
                }
            }
            source-tenants {
                host1-zone {
                    ip-prefix 192.168.246.2/32;
                    interfaces {
                        ge-0/0/1.0;
                    }
                }
                Budapest-tenants {
                    ip-prefix 10.0.128.0/24;
                    interfaces {
                        ge-0/0/1.0;
                    }
                }
            }
            destination-services {
                vsrx-222-lan {
                    ip-prefix 192.168.246.0/24;
                    access-policy Budapest-tenants permission allow;
                    cipher-suite vsrx;
                }
                server1 {
                    ip-prefix 10.0.128.65/32;
                    transport {
                        tcp;
                        icmp;
                    }
                    access-policy host1-zone permission allow;
                    cipher-suite vsrx;
                }
                DC-LAN {
                    ip-prefix 10.19.15.0/24;
                    transport {
                        tcp;
                        udp;
                        icmp;
                    }
                    access-policy host1-zone permission allow;
                    cipher-suite vsrx;
                }
            }
            meta-bfd {
                desired-tx-interval 1000;
                required-min-rx-interval 1000;
                link-test-interval 1;
                multiplier 3;
            }
        }
    }
    
    interfaces {
        ge-0/0/0 {
            unit 0 {
                description untrust;
                family inet {
                    address 1.1.1.1;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                description trust;
                family inet {
                    address 192.168.246.1/24;
                }
            }
        }
    }
    
    
    On the SSR side
           router             TA-DC-Router
                name                        TA-DC-Router
    
    
                peer                        vsrx-222
                    name            vsrx-222
                    authority-name  Authority128
                    router-name     vsrx-222
                exit
    
                node                        node1
                    name              node1
    
                    device-interface  WAN1
                        name               WAN1
                        pci-address        0000:02:00.0
                        capture-filter     len>0
    
                        network-interface  WAN1
                            name                   WAN1
                            global-id              1
                            conductor              true
    
                            neighborhood           wan1
                                name                wan1
                                topology            hub
                                vector              wan1
    
                                path-mtu-discovery
                                    enabled  true
                                exit
                            exit
                            inter-router-security  internal
                            source-nat             true
                            management             false
    
                            address                2.3.4.5
                                ip-address     2.3.4.5
                                prefix-length  27
                                gateway        2.3.4.6
    
                            exit
    
                            adjacency              1.1.1.1 vsrx-222
                                ip-address             1.1.1.1
                                peer                   vsrx-222
                                inter-router-security  internal
                                external-nat-address   1.1.1.1
                            exit
                        exit
                    exit
    
                    device-interface  LAN
                        name               LAN
                        pci-address        0000:02:00.1
                        capture-filter     len>0
    
                        network-interface  LAN
                            name                   LAN
                            global-id              2
    
                            neighborhood           lan-dc
                                name  lan-dc
                            exit
                            tenant                 DC-LAN
                            inter-router-security  internal
                            source-nat             false
    
                            address                10.19.15.1
                                ip-address     10.19.15.1
                                prefix-length  24
                                gateway        10.19.15.254
    
    
                service-route               DC-LAN-sr
                    name          DC-LAN-sr
                    service-name  DC-LAN
    
                    next-hop      node1 LAN
                        node-name   node1
                        interface   LAN
                        gateway-ip  10.19.15.254
                    exit
                exit
    
    
            tenant             DC-LAN
                name  DC-LAN
            exit
    
    
            tenant             host1-zone
                name    host1-zone
    
                member  vsrx-222
                    neighborhood  vsrx-222
                    address       192.168.246.2/32
                exit
            exit
    
            security           vsrx
                name            vsrx
                encrypt         false
                hmac-mode       disabled
            exit
    
    
            service            DC-LAN
                name           DC-LAN
                security       vsrx
                address        10.19.15.0/24
    
                access-policy  host1-zone
                    source  host1-zone
                exit
                source-nat     disabled
            exit
    

    SVR is working on both SRX and vSRX, and it should work on NFX as well using version:
    version 21.4R2.10;


    You should see that the peering is up before the SVR interconnection will work:

    show services vector-routing peer-summary
    
    Logical-system or Tenant            Peer               adjacency                  status
    ------------------------------------------------------------------------------------------
    
    root-logical-system
                                        TA-DC-Router
                                                           adj2                       UP

    Please note that some naming must match on both sides (SRX and SSR), for example Authority name, Router name, Service name, Tenant name, Security policy name, etc.
    This example is without encryption between nodes; I will post another example later with encryption and how to configure it.

    Hope it helps,
    Ivan

    ------------------------------
    Ivan Stanev
    ------------------------------
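
Added example (not part of the posts above and not Juniper tooling): a small Python check for the note that names must match on both sides, which also reports the disabled authentication and encryption settings in this sample. The two excerpts are constructed by trimming the configuration posted in the thread, and the mapping of SRX stanzas to SSR object kinds (`SECTIONS`) is an assumption drawn from that sample.

```python
import re
# Constructed excerpts trimmed from the thread's configs; SECTIONS is this example's assumed mapping.
SRX = """services { vector-routing { authority-name Authority128;
  cipher-suites { vsrx { authentication-disabled; encryption-disabled; } }
  router vsrx-222 { peer { TA-DC-Router { authority Authority128; router TA-DC-Router; } } }
  source-tenants { host1-zone { ip-prefix 192.168.246.2/32; } }
  destination-services { DC-LAN { ip-prefix 10.19.15.0/24; cipher-suite vsrx; } } } }"""
SSR = """peer vsrx-222
    authority-name Authority128
tenant host1-zone
security vsrx
    encrypt false
    hmac-mode disabled
service DC-LAN
    security vsrx"""
SECTIONS = {"source-tenants": "tenant", "destination-services": "service", "cipher-suites": "security"}

def srx_view(text):
    """Walk the Junos brace syntax; return (shared names, disabled cipher-suite protections)."""
    names, weak, path, words = set(), set(), [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        head = words[0] if words else ""
        if tok == "{":
            path.append(" ".join(words))
            if len(path) == 4 and path[2] in SECTIONS:
                names.add((SECTIONS[path[2]], path[3]))
        elif tok == "}":
            path.pop()
        elif tok == ";" and head in ("authority-name", "authority"):
            names.add(("authority", words[1]))
        elif tok == ";" and head.endswith("-disabled") and "cipher-suites" in path:
            weak.add((path[-1], head))
        words = [] if tok in "{};" else words + [tok]
    return names, weak

def ssr_view(text):
    """Read SSR 'keyword value' lines; return (shared names, weak security-policy settings)."""
    names, weak, policy = set(), set(), None
    for key, val in re.findall(r"^[ \t]*(\S+)[ \t]+(\S+)[ \t]*$", text, re.M):
        kind = key.removesuffix("-name")  # authority-name -> authority
        if kind in ("authority", "tenant", "service", "security"):
            names.add((kind, val))
            policy = val if key == "security" else policy
        elif (key, val) in (("encrypt", "false"), ("hmac-mode", "disabled")):
            weak.add((policy, key))
    return names, weak

def audit(srx, ssr):
    (srx_names, srx_weak), (ssr_names, ssr_weak) = srx_view(srx), ssr_view(ssr)
    return sorted(srx_names - ssr_names), sorted(srx_weak), sorted(ssr_weak)
```

`audit(SRX, SSR)` returns the names the SRX uses that the SSR side lacks, followed by the unprotected cipher suites and security policies found on each side.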