Hi,
Here is a sample working configuration between SRX and SSR using SVR (vector routing):
SRX side
services {
    vector-routing {
        authority-name Authority128;
        cipher-suites {
            vsrx {
                authentication-disabled;
                encryption-disabled;
            }
            internal {
                authentication-disabled;
                encryption-disabled;
            }
        }
        router vsrx-222 {
            node vsrx-222 {
                interfaces {
                    ge-0/0/1.0;
                    ge-0/0/0.0 {
                        adjacency {
                            adj1 {
                                address 1.2.3.4;
                                peer 128R8-Budapest;
                                cipher-suite vsrx;
                            }
                            adj2 {
                                address 2.3.4.5;
                                peer TA-DC-Router;
                                cipher-suite vsrx;
                            }
                        }
                        cipher-suite vsrx;
                    }
                }
            }
            peer {
                128R8-Budapest {
                    authority Authority128;
                    router 128R8-Budapest;
                }
                TA-DC-Router {
                    authority Authority128;
                    router TA-DC-Router;
                }
            }
            service-routes {
                sr1 {
                    peer 128R8-Budapest;
                    destination-service server1;
                }
                sr2 {
                    peer TA-DC-Router;
                    destination-service DC-LAN;
                }
            }
        }
        source-tenants {
            host1-zone {
                ip-prefix 192.168.246.2/32;
                interfaces {
                    ge-0/0/1.0;
                }
            }
            Budapest-tenants {
                ip-prefix 10.0.128.0/24;
                interfaces {
                    ge-0/0/1.0;
                }
            }
        }
        destination-services {
            vsrx-222-lan {
                ip-prefix 192.168.246.0/24;
                access-policy Budapest-tenants permission allow;
                cipher-suite vsrx;
            }
            server1 {
                ip-prefix 10.0.128.65/32;
                transport {
                    tcp;
                    icmp;
                }
                access-policy host1-zone permission allow;
                cipher-suite vsrx;
            }
            DC-LAN {
                ip-prefix 10.19.15.0/24;
                transport {
                    tcp;
                    udp;
                    icmp;
                }
                access-policy host1-zone permission allow;
                cipher-suite vsrx;
            }
        }
        meta-bfd {
            desired-tx-interval 1000;
            required-min-rx-interval 1000;
            link-test-interval 1;
            multiplier 3;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            description untrust;
            family inet {
                address 1.1.1.1;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            description trust;
            family inet {
                address 192.168.246.1/24;
            }
        }
    }
}
On the SSR side
router TA-DC-Router
name TA-DC-Router
peer vsrx-222
name vsrx-222
authority-name Authority128
router-name vsrx-222
exit
node node1
name node1
device-interface WAN1
name WAN1
pci-address 0000:02:00.0
capture-filter len>0
network-interface WAN1
name WAN1
global-id 1
conductor true
neighborhood wan1
name wan1
topology hub
vector wan1
path-mtu-discovery
enabled true
exit
exit
inter-router-security internal
source-nat true
management false
address 2.3.4.5
ip-address 2.3.4.5
prefix-length 27
gateway 2.3.4.6
exit
adjacency 1.1.1.1 vsrx-222
ip-address 1.1.1.1
peer vsrx-222
inter-router-security internal
external-nat-address 1.1.1.1
exit
exit
exit
device-interface LAN
name LAN
pci-address 0000:02:00.1
capture-filter len>0
network-interface LAN
name LAN
global-id 2
neighborhood lan-dc
name lan-dc
exit
tenant DC-LAN
inter-router-security internal
source-nat false
address 10.19.15.1
ip-address 10.19.15.1
prefix-length 24
gateway 10.19.15.254
service-route DC-LAN-sr
name DC-LAN-sr
service-name DC-LAN
next-hop node1 LAN
node-name node1
interface LAN
gateway-ip 10.19.15.254
exit
exit
tenant DC-LAN
name DC-LAN
exit
tenant host1-zone
name host1-zone
member vsrx-222
neighborhood vsrx-222
address 192.168.246.2/32
exit
exit
security vsrx
name vsrx
encrypt false
hmac-mode disabled
exit
service DC-LAN
name DC-LAN
security vsrx
address 10.19.15.0/24
access-policy host1-zone
source host1-zone
exit
source-nat disabled
exit
SVR is working on both SRX and vSRX, and it should work on NFX as well using version:
version 21.4R2.10;
You should see that the peering is up before the SVR interconnection will work:
show services vector-routing peer-summary
Logical-system or Tenant Peer adjacency status
------------------------------------------------------------------------------------------
root-logical-system
TA-DC-Router
adj2 UP
Please note that some naming must match on both sides (SRX and SSR), for example Authority name, Router name, Service name, Tenant name, Security policy name, etc.
This example is without encryption between nodes, and later I will post another example with encryption and how to configure it.
Hope it helps,
Ivan
------------------------------
Ivan Stanev
------------------------------
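A name-consistency check for the matching requirement noted in the post above, as an added example that is not part of the original post or of any Juniper tooling. It parses text in the shape of the two configurations shown; the pairing of Junos statements with SSR keywords is an assumption read off those configurations, and `parse_junos`, `args` and `mismatches` are hypothetical helper names.

```python
import re

# Constructed excerpts, trimmed from the two configurations in the post.
SRX = """services { vector-routing {
  authority-name Authority128;
  router vsrx-222 { service-routes {
    sr2 { peer TA-DC-Router; destination-service DC-LAN; } } }
  destination-services { DC-LAN {
    access-policy host1-zone permission allow; cipher-suite vsrx; } } } }"""
SSR = """router TA-DC-Router
authority-name Authority128
router-name vsrx-222
tenant host1-zone
security vsrx
service DC-LAN"""

def parse_junos(text):
    """Brace-delimited Junos text -> nested dicts; leaf statements map to None."""
    root = cur = {}
    stack, words = [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":
            stack.append(cur)
            cur = cur.setdefault(" ".join(words), {})
        elif tok == "}":
            cur = stack.pop()
        elif tok == ";":
            cur[" ".join(words)] = None
        words = [] if tok in "{};" else words + [tok]
    return root

def args(block, keyword):
    """First argument of every 'keyword arg ...' statement in a parsed block."""
    return [k.split()[1] for k in block if k.split()[0] == keyword]

def mismatches(srx_text, ssr_text, ssr_router):
    """(SSR keyword, name) pairs the SRX uses toward ssr_router that the SSR lacks."""
    vr = parse_junos(srx_text)["services"]["vector-routing"]
    ssr = {tuple(line.split()[:2]) for line in ssr_text.splitlines()}
    routes = [sr for key, body in vr.items() if key.startswith("router ")
              for sr in body.get("service-routes", {}).values()
              if ssr_router in args(sr, "peer")]
    # Assumed pairing: Junos statement -> SSR keyword that must carry the same name.
    want = [("authority-name", a) for a in args(vr, "authority-name")]
    want += [("router-name", r) for r in args(vr, "router")]
    for svc in (s for sr in routes for s in args(sr, "destination-service")):
        dst = vr.get("destination-services", {}).get(svc) or {}
        want += [("service", svc)] + [("tenant", t) for t in args(dst, "access-policy")]
        want += [("security", c) for c in args(dst, "cipher-suite")]
    return [w for w in want if w not in ssr]
```

Only names reachable from a service route toward the given peer are checked, so tenants and services that belong to the other peer or stay local to one router are not reported.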
Original Message:
Sent: 07-11-2022 05:22
From: DUSTY MORRISON
Subject: SRX and SSR / Conductor integration
Hi Dustin,
I saw that SVR was introduced as a feature for SRX in Junos 21.4, but the release note below doesn't mention anything about Conductor (or Mist post v6.0 release) integration. Is this on the roadmap for SRX? It would be great to be able to deploy SRXs with full Conductor based SVR and interoperability with SSRs.
https://www.juniper.net/documentation/us/en/software/junos/release-notes/21.4/junos-release-notes-21.4r1/topics/new-features/feature-descriptions/routing-policy-and-firewall-filters-6.html
Cheers
Dusty
------------------------------
DUSTY MORRISON
Original Message:
Sent: 07-05-2022 12:37
From: Dustin Goss
Subject: SRX and SSR / Conductor integration
The SRX does not currently support the SVR protocol. Integration would be accomplished through standard routing protocols just as if you are connecting to any other router. Please elaborate if you need further assistance.
------------------------------
Dustin Goss
System Engineer Tech Lead
Original Message:
Sent: 06-30-2022 09:01
From: Unknown User
Subject: SRX and SSR / Conductor integration
Hello all
I'm looking for a configuration example for integration between SRX and SSR.
Can someone help with this?
Thanks