I am starting to learn more and more about different scenarios where customers have multiple sites, and need to ensure that the same broadcast domain is available over a layer 3 connection (sometimes referred to as layer 2 being "stretched") to each location. A prime example of this would be a highly virtualized organization that has multiple datacenters across multiple, geographically dispersed locations. Certain features (i.e. VMotion) require a layer 2 connection in order to function. This obviously presents a problem. Below is an example of what I did with one customer to overcome this exact issue by following this blog post. It wasn't very clear, so I thought I would post a configuration from my lab along with explanations. I thought this was a cool option because it is all done within the same default virtual router (I have seen other examples of L2VPN over MPLS, where there are multiple VRs configured). In short, there are obviously many different ways to accomplish this task.
The configuration is based on the topology below:
SRX1:
First, we have to create two firewall filters that we will later apply to the interfaces that we will be using in our configuration. These are required in order to change the interfaces on the SRX from secure context (flow-based forwarding) to router context (packet-based forwarding), which is necessary in order to avoid the flow module in the SRX itself. A full explanation can be found here:
set firewall family mpls filter MPLS-PACKET-MODE term ALL-TRAFFIC then packet-mode
set firewall family mpls filter MPLS-PACKET-MODE term ALL-TRAFFIC then accept
set firewall family ccc filter CCC-PACKET-MODE term ALL-TRAFFIC then packet-mode
set firewall family ccc filter CCC-PACKET-MODE term ALL-TRAFFIC then accept
Layer 2 interface configuration:
set interfaces ge-0/0/0 mtu 1614
set interfaces ge-0/0/0 encapsulation ethernet-ccc
set interfaces ge-0/0/0 unit 0 family ccc filter input CCC-PACKET-MODE
Layer 3 interface configuration:
set interfaces ge-0/0/1 unit 0 family inet address 10.0.0.1/30
GRE tunnel interface configuration:
set interfaces gr-0/0/0 unit 0 tunnel source 10.2.2.1
set interfaces gr-0/0/0 unit 0 tunnel destination 10.2.2.2
set interfaces gr-0/0/0 unit 0 family inet mtu 9000
set interfaces gr-0/0/0 unit 0 family inet address 10.0.0.9/30
set interfaces gr-0/0/0 unit 0 family mpls filter input MPLS-PACKET-MODE
Loopback interface configuration:
set interfaces lo0 unit 0 family inet address 192.168.0.1/30
IPSec tunnel interface configuration:
set interfaces st0 unit 0 family inet address 10.2.2.1/30
Protocols configuration:
set protocols mpls interface gr-0/0/0.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface gr-0/0/0.0
set protocols ldp interface gr-0/0/0.0
set protocols ldp interface lo0.0
set protocols l2circuit neighbor 192.168.0.2 interface ge-0/0/0.0 virtual-circuit-id 100000
set protocols l2circuit neighbor 192.168.0.2 interface ge-0/0/0.0 encapsulation-type ethernet
IPSec VPN configuration:
set security ike policy 1 mode main
set security ike policy 1 proposal-set standard
set security ike policy 1 pre-shared-key ascii-text Juniper1
set security ike gateway 1 ike-policy 1
set security ike gateway 1 address 10.0.0.2
set security ike gateway 1 external-interface ge-0/0/1.0
set security ipsec policy 1 proposal-set standard
set security ipsec vpn 1 bind-interface st0.0
set security ipsec vpn 1 ike gateway 1
set security ipsec vpn 1 ike ipsec-policy 1
set security ipsec vpn 1 establish-tunnels immediately
For simplicity's sake, I put all interfaces except for my WAN interface in the TRUST zone:
set security zones security-zone TRUST host-inbound-traffic system-services all
set security zones security-zone TRUST host-inbound-traffic protocols all
set security zones security-zone TRUST interfaces ge-0/0/0.0
set security zones security-zone TRUST interfaces lo0.0
set security zones security-zone TRUST interfaces gr-0/0/0.0
set security zones security-zone TRUST interfaces st0.0
set security zones security-zone UNTRUST host-inbound-traffic system-services all
set security zones security-zone UNTRUST host-inbound-traffic protocols all
set security zones security-zone UNTRUST interfaces ge-0/0/1.0
Security policy configuration:
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-to-UNTRUST match source-address any
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-to-UNTRUST match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-to-UNTRUST match application any
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-to-UNTRUST then permit
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-to-TRUST match source-address any
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-to-TRUST match destination-address any
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-to-TRUST match application any
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-to-TRUST then permit
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match source-address any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match destination-address any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match application any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST then permit
SRX2:
Firewall Filters:
set firewall family mpls filter MPLS-PACKET-MODE term ALL-TRAFFIC then packet-mode
set firewall family mpls filter MPLS-PACKET-MODE term ALL-TRAFFIC then accept
set firewall family ccc filter CCC-PACKET-MODE term ALL-TRAFFIC then packet-mode
set firewall family ccc filter CCC-PACKET-MODE term ALL-TRAFFIC then accept
Layer 2 interface configuration:
set interfaces ge-0/0/0 mtu 1614
set interfaces ge-0/0/0 encapsulation ethernet-ccc
set interfaces ge-0/0/0 unit 0 family ccc filter input CCC-PACKET-MODE
Layer 3 interface configuration:
set interfaces ge-0/0/1 unit 0 family inet address 10.0.0.2/30
GRE tunnel interface configuration:
set interfaces gr-0/0/0 unit 0 tunnel source 10.2.2.2
set interfaces gr-0/0/0 unit 0 tunnel destination 10.2.2.1
set interfaces gr-0/0/0 unit 0 family inet mtu 9000
set interfaces gr-0/0/0 unit 0 family inet address 10.0.0.10/30
set interfaces gr-0/0/0 unit 0 family mpls filter input MPLS-PACKET-MODE
Loopback interface configuration:
set interfaces lo0 unit 0 family inet address 192.168.0.2/30
IPSec tunnel interface configuration:
set interfaces st0 unit 0 family inet address 10.2.2.2/30
Protocols configuration:
set protocols mpls interface gr-0/0/0.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface gr-0/0/0.0
set protocols ldp interface gr-0/0/0.0
set protocols ldp interface lo0.0
set protocols l2circuit neighbor 192.168.0.1 interface ge-0/0/0.0 virtual-circuit-id 100000
set protocols l2circuit neighbor 192.168.0.1 interface ge-0/0/0.0 encapsulation-type ethernet
IPSec VPN configuration:
set security ike policy 1 mode main
set security ike policy 1 proposal-set standard
set security ike policy 1 pre-shared-key ascii-text Juniper1
set security ike gateway 1 ike-policy 1
set security ike gateway 1 address 10.0.0.1
set security ike gateway 1 external-interface ge-0/0/1.0
set security ipsec policy 1 proposal-set standard
set security ipsec vpn 1 bind-interface st0.0
set security ipsec vpn 1 ike gateway 1
set security ipsec vpn 1 ike ipsec-policy 1
set security ipsec vpn 1 establish-tunnels immediately
For simplicity's sake, I put all interfaces except for my WAN interface in the TRUST zone:
set security zones security-zone TRUST host-inbound-traffic system-services all
set security zones security-zone TRUST host-inbound-traffic protocols all
set security zones security-zone TRUST interfaces ge-0/0/0.0
set security zones security-zone TRUST interfaces lo0.0
set security zones security-zone TRUST interfaces gr-0/0/0.0
set security zones security-zone TRUST interfaces st0.0
set security zones security-zone UNTRUST host-inbound-traffic system-services all
set security zones security-zone UNTRUST host-inbound-traffic protocols all
set security zones security-zone UNTRUST interfaces ge-0/0/1.0
Security policy configuration:
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-to-UNTRUST match source-address any
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-to-UNTRUST match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-to-UNTRUST match application any
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-to-UNTRUST then permit
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-to-TRUST match source-address any
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-to-TRUST match destination-address any
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-to-TRUST match application any
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-to-TRUST then permit
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match source-address any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match destination-address any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match application any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST then permit