SD-WAN


Ask questions and share experiences with SD-WAN and Session Smart Router (formerly 128T).
  • 1.  SRX and SSR / Conductor integration

    Posted 06-30-2022 09:02
    Hello all
    I'm looking for a configuration example for integration between SRX and SSR.
    Can someone help with this?

    Thanks


  • 2.  RE: SRX and SSR / Conductor integration

     
    Posted 07-05-2022 12:37
    The SRX does not currently support the SVR protocol. Integration would be accomplished through standard routing protocols just as if you are connecting to any other router. Please elaborate if you need further assistance.

    ------------------------------
    Dustin Goss
    System Engineer Tech Lead
    ------------------------------



  • 3.  RE: SRX and SSR / Conductor integration

    Posted 07-11-2022 10:22
    Hi Dustin, 

    I saw that SVR was introduced as a feature for SRX in Junos 21.4, but the release note below doesn't mention anything about Conductor (or Mist post v6.0 release) integration. Is this on the roadmap for SRX? It would be great to be able to deploy SRXs with full Conductor based SVR and interoperability with SSRs. 

    https://www.juniper.net/documentation/us/en/software/junos/release-notes/21.4/junos-release-notes-21.4r1/topics/new-features/feature-descriptions/routing-policy-and-firewall-filters-6.html

    Cheers
    Dusty

    ------------------------------
    DUSTY MORRISON
    ------------------------------



  • 4.  RE: SRX and SSR / Conductor integration

     
    Posted 11-16-2022 08:50
    Hi,

    Here is a sample of a working configuration between SRX and SSR using SVR (vector routing):
    SRX side
    services {
        vector-routing {
            authority-name Authority128;
            cipher-suites {
                vsrx {
                    authentication-disabled;
                    encryption-disabled;
                }
                internal {
                    authentication-disabled;
                    encryption-disabled;
                }
            }
            router vsrx-222 {
                node vsrx-222 {
                    interfaces {
                        ge-0/0/1.0;
                        ge-0/0/0.0 {
                            adjacency {
                                adj1 {
                                    address 1.2.3.4;
                                    peer 128R8-Budapest;
                                    cipher-suite vsrx;
                                }
                                adj2 {
                                    address 2.3.4.5;
                                    peer TA-DC-Router;
                                    cipher-suite vsrx;
                                }
                            }
                            cipher-suite vsrx;
                        }
                    }
                }
                peer {
                    128R8-Budapest {
                        authority Authority128;
                        router 128R8-Budapest;
                    }
                    TA-DC-Router {
                        authority Authority128;
                        router TA-DC-Router;
                    }
                }
                service-routes {
                    sr1 {
                        peer 128R8-Budapest;
                        destination-service server1;
                    }
                    sr2 {
                        peer TA-DC-Router;
                        destination-service DC-LAN;
                    }
                }
            }
            source-tenants {
                host1-zone {
                    ip-prefix 192.168.246.2/32;
                    interfaces {
                        ge-0/0/1.0;
                    }
                }
                Budapest-tenants {
                    ip-prefix 10.0.128.0/24;
                    interfaces {
                        ge-0/0/1.0;
                    }
                }
            }
            destination-services {
                vsrx-222-lan {
                    ip-prefix 192.168.246.0/24;
                    access-policy Budapest-tenants permission allow;
                    cipher-suite vsrx;
                }
                server1 {
                    ip-prefix 10.0.128.65/32;
                    transport {
                        tcp;
                        icmp;
                    }
                    access-policy host1-zone permission allow;
                    cipher-suite vsrx;
                }
                DC-LAN {
                    ip-prefix 10.19.15.0/24;
                    transport {
                        tcp;
                        udp;
                        icmp;
                    }
                    access-policy host1-zone permission allow;
                    cipher-suite vsrx;
                }
            }
            meta-bfd {
                desired-tx-interval 1000;
                required-min-rx-interval 1000;
                link-test-interval 1;
                multiplier 3;
            }
        }
    }
    
    interfaces {
        ge-0/0/0 {
            unit 0 {
                description untrust;
                family inet {
                    address 1.1.1.1;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                description trust;
                family inet {
                    address 192.168.246.1/24;
                }
            }
        }
    }
    
    
    On the SSR side
           router             TA-DC-Router
                name                        TA-DC-Router
    
    
                peer                        vsrx-222
                    name            vsrx-222
                    authority-name  Authority128
                    router-name     vsrx-222
                exit
    
                node                        node1
                    name              node1
    
                    device-interface  WAN1
                        name               WAN1
                        pci-address        0000:02:00.0
                        capture-filter     len>0
    
                        network-interface  WAN1
                            name                   WAN1
                            global-id              1
                            conductor              true
    
                            neighborhood           wan1
                                name                wan1
                                topology            hub
                                vector              wan1
    
                                path-mtu-discovery
                                    enabled  true
                                exit
                            exit
                            inter-router-security  internal
                            source-nat             true
                            management             false
    
                            address                2.3.4.5
                                ip-address     2.3.4.5
                                prefix-length  27
                                gateway        2.3.4.6
    
                            exit
    
                            adjacency              1.1.1.1 vsrx-222
                                ip-address             1.1.1.1
                                peer                   vsrx-222
                                inter-router-security  internal
                                external-nat-address   1.1.1.1
                            exit
                        exit
                    exit
    
                    device-interface  LAN
                        name               LAN
                        pci-address        0000:02:00.1
                        capture-filter     len>0
    
                        network-interface  LAN
                            name                   LAN
                            global-id              2
    
                            neighborhood           lan-dc
                                name  lan-dc
                            exit
                            tenant                 DC-LAN
                            inter-router-security  internal
                            source-nat             false
    
                            address                10.19.15.1
                                ip-address     10.19.15.1
                                prefix-length  24
                                gateway        10.19.15.254
    
    
                service-route               DC-LAN-sr
                    name          DC-LAN-sr
                    service-name  DC-LAN
    
                    next-hop      node1 LAN
                        node-name   node1
                        interface   LAN
                        gateway-ip  10.19.15.254
                    exit
                exit
    
    
            tenant             DC-LAN
                name  DC-LAN
            exit
    
    
            tenant             host1-zone
                name    host1-zone
    
                member  vsrx-222
                    neighborhood  vsrx-222
                    address       192.168.246.2/32
                exit
            exit
    
            security           vsrx
                name            vsrx
                encrypt         false
                hmac-mode       disabled
            exit
    
    
            service            DC-LAN
                name           DC-LAN
                security       vsrx
                address        10.19.15.0/24
    
                access-policy  host1-zone
                    source  host1-zone
                exit
                source-nat     disabled
            exit


    SVR is working on both SRX and vSRX, and it should work on NFX as well using version:
    version 21.4R2.10;


    You should see that the peering is up before the SVR interconnection will work:

    show services vector-routing peer-summary
    
    Logical-system or Tenant            Peer               adjacency                  status
    ------------------------------------------------------------------------------------------
    
    root-logical-system
                                        TA-DC-Router
                                                           adj2                       UP

    Please note that some naming must match on both sides (SRX and SSR), for example Authority name, Router name, Service name, Tenant name, Security policy name, etc.
    This example is without encryption between nodes; later I will post another example with encryption and how to configure it.

    Hope it helps,
    Ivan

    ------------------------------
    Ivan Stanev
    ------------------------------
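
Added example, not part of the thread and not Juniper code: the post above notes that its configuration runs without encryption between nodes, so this sketch audits an SRX `vector-routing` stanza for cipher suites carrying `authentication-disabled` or `encryption-disabled` and lists every statement that references them. The function names are illustrative, and the parser only handles the brace-style layout shown in the post.

```python
SAMPLE = """
services {
    vector-routing {
        cipher-suites {
            vsrx {
                authentication-disabled;
                encryption-disabled;
            }
        }
        destination-services {
            DC-LAN {
                cipher-suite vsrx;
            }
        }
    }
}
"""  # constructed sample trimmed from the thread's SRX stanza; helper names are illustrative

def parse(text):
    """Parse brace-style Junos config into nested dicts (leaf statement -> None)."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.replace("\u200b", "").strip()  # web copies carry zero-width spaces
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        elif line:
            stack[-1][line.rstrip(";")] = None
    return stack[0]

def weak_suites(cfg):
    """Map each cipher suite to the protections it switches off."""
    suites = cfg["services"]["vector-routing"].get("cipher-suites", {})
    found = {n: sorted(k for k in b if k.endswith("-disabled")) for n, b in suites.items()}
    return {n: flags for n, flags in found.items() if flags}

def weak_refs(node, weak, path=()):
    """Yield (config path, suite) for each 'cipher-suite X' naming a weak suite."""
    for key, child in node.items():
        if child is not None:
            yield from weak_refs(child, weak, path + (key,))
        elif key.startswith("cipher-suite ") and key.split()[1] in weak:
            yield "/".join(path), key.split()[1]

def audit(text):
    cfg = parse(text)
    return weak_suites(cfg), sorted(weak_refs(cfg, weak_suites(cfg)))

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run against the full SRX stanza from the post, the same walk also reports the adjacency and interface statements that name the `vsrx` suite.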



  • 5.  RE: SRX and SSR / Conductor integration

    Posted 07-10-2023 14:34

    Hello Ivan,

    I would love to get some guidance around configuring two SRXs - one being behind NAT - to run SVR and route traffic over it, perhaps with BGP!

    Your snippet was quite enlightening, much more so than the docs for "vector-routing", and it would make me very happy if you could share more info!

    If you have any more SRX-side configs I can learn more from, I'd be oh so happy.

    Kind Regards,

    Adrian.



    ------------------------------
    ADRIAN PISTOL
    ------------------------------



  • 6.  RE: SRX and SSR / Conductor integration

     
    Posted 08-22-2023 08:05

    Hi Adrian,

    Sorry, I was on a long summer holiday...

    Unfortunately, it looks like there is currently a limitation with SRX SVR where it cannot be behind a NAT. I tried in the past configuring behind a NAT and couldn't succeed, and I also compared the SVR metadata with an SSR router behind a NAT. That's why I think currently there is a limitation.

    I also tried once to hack the SRX config with the same IP behind a NAT, but couldn't succeed - my idea was to configure the originating public IP on the internal interface and do a double NAT so inside SRX should be like: SVR interface 1.1.1.1 <-NAT-> 10.10.10.10 <-NAT-> 1.1.1.1 <-> WAN

    Not sure if that could be done, but due to lack of time I couldn't spend more time on it.

    Regards,

    Ivan



    ------------------------------
    Ivan Stanev
    ------------------------------