Thursday, May 15, 2014

Juniper L2VPN over MPLS over GRE over IPSec

I am starting to learn more and more about different scenarios where customers have multiple sites, and need to ensure that the same broadcast domain is available over a layer 3 connection (sometimes referred to as layer 2 being "stretched") to each location. A prime example of this would be a highly virtualized organization that has multiple datacenters across multiple, geographically dispersed locations. Certain features (i.e. VMotion) require a layer 2 connection in order to function. This obviously presents a problem. Below is an example of what I did with one customer to overcome this exact issue by following this blog post. It wasn't very clear, so I thought I would post a configuration from my lab along with explanations. I thought this was a cool option because it is all done within the same default virtual router (I have seen other examples of L2VPN over MPLS, where there are multiple VRs configured). In short, there are obviously many different ways to accomplish this task.

The configuration is based on the topology below:


SRX1:

First, we have to create two firewall filters that we will later apply to the interfaces that we will be using in our configuration. These are required in order to change the interfaces on the SRX from secure context (flow-based forwarding) to router context (packet-based forwarding), which is necessary in order to avoid the flow module in the SRX itself. A full explanation can be found here:
set firewall family mpls filter MPLS-PACKET-MODE term ALL-TRAFFIC then packet-mode
set firewall family mpls filter MPLS-PACKET-MODE term ALL-TRAFFIC then accept
set firewall family ccc filter CCC-PACKET-MODE term ALL-TRAFFIC then packet-mode
set firewall family ccc filter CCC-PACKET-MODE term ALL-TRAFFIC then accept

Layer 2 interface configuration:
set interfaces ge-0/0/0 mtu 1614
set interfaces ge-0/0/0 encapsulation ethernet-ccc
set interfaces ge-0/0/0 unit 0 family ccc filter input CCC-PACKET-MODE

Layer 3 interface configuration:
set interfaces ge-0/0/1 unit 0 family inet address 10.0.0.1/30

GRE tunnel interface configuration:
set interfaces gr-0/0/0 unit 0 tunnel source 10.2.2.1
set interfaces gr-0/0/0 unit 0 tunnel destination 10.2.2.2
set interfaces gr-0/0/0 unit 0 family inet mtu 9000
set interfaces gr-0/0/0 unit 0 family inet address 10.0.0.9/30
set interfaces gr-0/0/0 unit 0 family mpls filter input MPLS-PACKET-MODE

Loopback interface configuration:
set interfaces lo0 unit 0 family inet address 192.168.0.1/30

IPSec tunnel interface configuration:
set interfaces st0 unit 0 family inet address 10.2.2.1/30

Protocols configuration:
set protocols mpls interface gr-0/0/0.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface gr-0/0/0.0
set protocols ldp interface gr-0/0/0.0
set protocols ldp interface lo0.0
set protocols l2circuit neighbor 192.168.0.2 interface ge-0/0/0.0 virtual-circuit-id 100000
set protocols l2circuit neighbor 192.168.0.2 interface ge-0/0/0.0 encapsulation-type ethernet

IPSec VPN configuration:
set security ike policy 1 mode main
set security ike policy 1 proposal-set standard
set security ike policy 1 pre-shared-key ascii-text Juniper1
set security ike gateway 1 ike-policy 1
set security ike gateway 1 address 10.0.0.2
set security ike gateway 1 external-interface ge-0/0/1.0
set security ipsec policy 1 proposal-set standard
set security ipsec vpn 1 bind-interface st0.0
set security ipsec vpn 1 ike gateway 1
set security ipsec vpn 1 ike ipsec-policy 1
set security ipsec vpn 1 establish-tunnels immediately

For simplicity's sake, I put all interfaces except for my WAN interface in the TRUST zone:
set security zones security-zone TRUST host-inbound-traffic system-services all
set security zones security-zone TRUST host-inbound-traffic protocols all
set security zones security-zone TRUST interfaces ge-0/0/0.0
set security zones security-zone TRUST interfaces lo0.0
set security zones security-zone TRUST interfaces gr-0/0/0.0
set security zones security-zone TRUST interfaces st0.0
set security zones security-zone UNTRUST host-inbound-traffic system-services all
set security zones security-zone UNTRUST host-inbound-traffic protocols all
set security zones security-zone UNTRUST interfaces ge-0/0/1.0

Security policy configuration:
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-to-UNTRUST match source-address any
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-to-UNTRUST match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-to-UNTRUST match application any
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-to-UNTRUST then permit
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-to-TRUST match source-address any
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-to-TRUST match destination-address any
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-to-TRUST match application any
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-to-TRUST then permit
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match source-address any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match destination-address any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match application any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST then permit

SRX2:

Firewall Filters:
set firewall family mpls filter MPLS-PACKET-MODE term ALL-TRAFFIC then packet-mode
set firewall family mpls filter MPLS-PACKET-MODE term ALL-TRAFFIC then accept
set firewall family ccc filter CCC-PACKET-MODE term ALL-TRAFFIC then packet-mode
set firewall family ccc filter CCC-PACKET-MODE term ALL-TRAFFIC then accept

Layer 2 interface configuration:
set interfaces ge-0/0/0 mtu 1614
set interfaces ge-0/0/0 encapsulation ethernet-ccc
set interfaces ge-0/0/0 unit 0 family ccc filter input CCC-PACKET-MODE

Layer 3 interface configuration:
set interfaces ge-0/0/1 unit 0 family inet address 10.0.0.2/30

GRE tunnel interface configuration:
set interfaces gr-0/0/0 unit 0 tunnel source 10.2.2.2
set interfaces gr-0/0/0 unit 0 tunnel destination 10.2.2.1
set interfaces gr-0/0/0 unit 0 family inet mtu 9000
set interfaces gr-0/0/0 unit 0 family inet address 10.0.0.10/30
set interfaces gr-0/0/0 unit 0 family mpls filter input MPLS-PACKET-MODE

Loopback interface configuration:
set interfaces lo0 unit 0 family inet address 192.168.0.2/30

IPSec tunnel interface configuration:
set interfaces st0 unit 0 family inet address 10.2.2.2/30

Protocols configuration:
set protocols mpls interface gr-0/0/0.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface gr-0/0/0.0
set protocols ldp interface gr-0/0/0.0
set protocols ldp interface lo0.0
set protocols l2circuit neighbor 192.168.0.1 interface ge-0/0/0.0 virtual-circuit-id 100000
set protocols l2circuit neighbor 192.168.0.1 interface ge-0/0/0.0 encapsulation-type ethernet

IPSec VPN configuration:
set security ike policy 1 mode main
set security ike policy 1 proposal-set standard
set security ike policy 1 pre-shared-key ascii-text Juniper1
set security ike gateway 1 ike-policy 1
set security ike gateway 1 address 10.0.0.1
set security ike gateway 1 external-interface ge-0/0/1.0
set security ipsec policy 1 proposal-set standard
set security ipsec vpn 1 bind-interface st0.0
set security ipsec vpn 1 ike gateway 1
set security ipsec vpn 1 ike ipsec-policy 1
set security ipsec vpn 1 establish-tunnels immediately

For simplicity's sake, I put all interfaces except for my WAN interface in the TRUST zone:
set security zones security-zone TRUST host-inbound-traffic system-services all
set security zones security-zone TRUST host-inbound-traffic protocols all
set security zones security-zone TRUST interfaces ge-0/0/0.0
set security zones security-zone TRUST interfaces lo0.0
set security zones security-zone TRUST interfaces gr-0/0/0.0
set security zones security-zone TRUST interfaces st0.0
set security zones security-zone UNTRUST host-inbound-traffic system-services all
set security zones security-zone UNTRUST host-inbound-traffic protocols all
set security zones security-zone UNTRUST interfaces ge-0/0/1.0

Security policy configuration:
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-to-UNTRUST match source-address any
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-to-UNTRUST match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-to-UNTRUST match application any
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-to-UNTRUST then permit
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-to-TRUST match source-address any
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-to-TRUST match destination-address any
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-to-TRUST match application any
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-to-TRUST then permit
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match source-address any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match destination-address any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match application any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST then permit

3 comments:

  1. Can't get this to work. Trying to get it to work on SRX340 + SRX4100.

    All looks good:

    # run show l2circuit connections | find Neigh
    Neighbor: 10.3.3.2
    Interface Type St Time last up # Up trans
    xe-0/0/7.0(vc 1) rmt Up Dec 1 06:20:18 2017 1
    Remote PE: 10.3.3.2, Negotiated control-word: Yes (Null)
    Incoming label: 299904, Outgoing label: 299888
    Negotiated PW status TLV: No
    Local interface: xe-0/0/7.0, Status: Up, Encapsulation: ETHERNET
    Flow Label Transmit: No, Flow Label Receive: No

    # run show ldp session
    Address State Connection Hold time Adv. Mode
    10.3.3.2 Operational Open 20 DU

    Just dont know what's wrong =/

    ReplyDelete
    Replies
    1. Are you doing this on two SRXs? Show me the configs.

      Delete
  2. Dear Mitchel
    Hope you are doing well now days
    I ahve the same issue on the 2 srx 345. i have configured equipment based on your example. but unfortunatelly it not works. is there any way to connect with you?

    ReplyDelete