
virtual router's default route over a GRE tunnel

Wednesday

Hi - 

I'm attempting to provide guest internet access to a remote site that only has a WAN connection back to the main office.   The main office has an internet connection that is currently used by guests.  The remote site has an EX4200 switch and the main office has an SRX550.  My thought was to:

- create a GRE tunnel from the remote site to the main site

- create a guest VLAN in the remote site

- create a virtual router in the remote site that is associated with the guest VLAN

- create a default route in that virtual router that forced everything in that vlan down the tunnel

- on the SRX at the main office, associate the GRE tunnel with our already existing guest zone

- create a route on the SRX to point back to the guest network over the GRE tunnel

I've been able to bring the tunnel up and ping the other end of the tunnel successfully.  I have a test computer at the remote site that has an interface in the guest vlan, and it can also ping the remote end of the tunnel.  Unfortunately it cannot ping any further.  

I'm new at this, so I'm hoping someone can help me figure out where I might be going wrong.  I appreciate the help.  Here is the important info:

Remote Switch:

chassis {
....
    fpc 0 {
        pic 0 {
            tunnel-port 0 {
                tunnel-services;
            }
        }
    }
}
....
    gr-0/0/0 {
        unit 0 {
            tunnel {
                source 172.22.12.2;
                destination 172.22.10.1;
            }
            family inet {
                address 192.168.111.2/30;
            }
        }
    }
....
    vlan {
....
        unit 2 {
            family inet {
                address 192.168.222.1/24;
            }
        }
    }
}
....
routing-instances {
    guestroute {
        interface gr-0/0/0.0;
        interface vlan.2;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop gr-0/0/0.0;
            }
        }
    }
}
....
vlans {
....
    Test-Guest {
        description Test-Guest;
        vlan-id 222;
        l3-interface vlan.2;
    }

SRX at main site:

    zones {
        security-zone trust {
            interfaces {
                vlan.1;
....
            }
        }
        security-zone guest {
....
            interfaces {
....
                gr-0/0/0.0;
            }
        }
interfaces {
....
    gr-0/0/0 {
        unit 0 {
            tunnel {
                source 172.22.10.1;
                destination 172.22.12.2;
            }
            family inet {
                address 192.168.111.1/30;
            }
        }
    }
    vlan {
        unit 1 {
            family inet {
                address 172.22.10.1/24;
            }
        }
....
routing-options {
    static {
        route 192.168.222.0/24 next-hop gr-0/0/0.0;
    }
}
....
vlans {
....
    Core {
        description "Core";
        vlan-id 10;
        l3-interface vlan.1;
    }
}

show route on remote switch:

guestroute.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:53:38
                    > via gr-0/0/0.0
192.168.111.0/30   *[Direct/0] 02:18:51
                    > via gr-0/0/0.0
192.168.111.2/32   *[Local/0] 02:18:51
                      Local via gr-0/0/0.0
192.168.222.0/24   *[Direct/0] 03:31:00
                    > via vlan.2
192.168.222.1/32   *[Local/0] 03:41:04
                      Local via vlan.2

Any recommendations on what I might be doing wrong?  Anything I can provide to help troubleshoot this?

Thanks,

Al
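The routes posted above, and the ping results in the later reply, can be checked mechanically against each other. The script below is an added example for this thread, not code from the thread or from Juniper: it parses Junos "show route" output into a table, resolves destinations the way Junos does (longest prefix, then lowest preference) and walks a packet and its reply across the two routers. The EX4200 guestroute table is the one posted in the question verbatim; the SRX inet.0 table is reconstructed from the posted SRX config, and the Internet default route (next hop 203.0.113.1 on ge-0/0/0.0), the host default gateways and the server address 172.22.10.50 are constructed assumptions.

```python
"""Trace a packet through the routing tables posted in this thread (added
example, not Juniper code).  The EX4200 guestroute table is the one shown in
the question; the SRX table is reconstructed from the posted config fragments
plus the assumptions noted below."""
import ipaddress
import re
from collections import namedtuple

EX_SHOW_ROUTE = """\
guestroute.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:53:38
                    > via gr-0/0/0.0
192.168.111.0/30   *[Direct/0] 02:18:51
                    > via gr-0/0/0.0
192.168.111.2/32   *[Local/0] 02:18:51
                      Local via gr-0/0/0.0
192.168.222.0/24   *[Direct/0] 03:31:00
                    > via vlan.2
192.168.222.1/32   *[Local/0] 03:41:04
                      Local via vlan.2
"""

# Constructed from the SRX config fragments (static 192.168.222.0/24 via
# gr-0/0/0.0, vlan.1 = 172.22.10.1/24, gr-0/0/0.0 = 192.168.111.1/30).
# The 0.0.0.0/0 route, 203.0.113.1 and ge-0/0/0.0 are assumptions.
SRX_SHOW_ROUTE = """\
inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 1d 02:10:00
                    > to 203.0.113.1 via ge-0/0/0.0
172.22.10.0/24     *[Direct/0] 1d 02:10:00
                    > via vlan.1
192.168.111.0/30   *[Direct/0] 02:20:00
                    > via gr-0/0/0.0
192.168.222.0/24   *[Static/5] 00:55:00
                    > via gr-0/0/0.0
"""

ROUTE_RE = re.compile(r"^(\S+/\d+)\s+\*\[(\w+)/(\d+)\]")
HOP_RE = re.compile(r"^\s+(?:>\s+)?(?:Local\s+)?(?:to\s+(\S+)\s+)?via\s+(\S+)")
Route = namedtuple("Route", "prefix protocol preference gateway interface")


def parse_show_route(text):
    """Active routes from 'show route' text, keeping the first next hop of each."""
    routes, pending = [], None
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            pending = (ipaddress.ip_network(m.group(1)), m.group(2), int(m.group(3)))
            continue
        m = HOP_RE.match(line)
        if m and pending:
            routes.append(Route(*pending, m.group(1) or "", m.group(2)))
            pending = None
    return routes


def lookup(routes, dst):
    """Longest prefix first, then lowest preference, as Junos selects routes."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r.prefix]
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.preference), default=None)


# Topology: routers forward by table; hosts send everything to an assumed gateway.
ROUTERS = {"ex": parse_show_route(EX_SHOW_ROUTE), "srx": parse_show_route(SRX_SHOW_ROUTE)}
ADDRS = {"pc": ("192.168.222.222",), "ex": ("192.168.222.1", "192.168.111.2"),
         "srx": ("192.168.111.1", "172.22.10.1"), "server": ("172.22.10.50",),
         "internet": ("8.8.8.8",)}
GATEWAY = {"pc": "ex", "server": "srx", "internet": "srx"}
LINKS = {("ex", "gr-0/0/0.0"): "srx", ("srx", "gr-0/0/0.0"): "ex",
         ("ex", "vlan.2"): "pc", ("srx", "vlan.1"): "server",
         ("srx", "ge-0/0/0.0"): "internet"}


def trace(src, dst, max_hops=8):
    """Nodes visited from src towards dst, ending in 'delivered' or 'dropped: ...'."""
    node, path = src, [src]
    for _ in range(max_hops):
        if dst in ADDRS[node]:
            return path + ["delivered"]
        if node in ROUTERS:
            route = lookup(ROUTERS[node], dst)
            if route is None:
                return path + [f"dropped: no route on {node}"]
            nxt = LINKS.get((node, route.interface))
            if nxt is None:
                return path + [f"dropped: {node} has no link on {route.interface}"]
            node = nxt
        else:
            node = GATEWAY[node]
        path.append(node)
    return path + ["dropped: hop limit"]


def round_trip(src, dst):
    """Forward path and the reply path; a ping needs both to end 'delivered'."""
    fwd = trace(src, dst)
    if fwd[-1] != "delivered":
        return fwd, None
    return fwd, trace(fwd[-2], ADDRS[src][0])
```

Run on the cases from the thread, round_trip("pc", "192.168.111.1") and round_trip("server", "192.168.222.222"), both directions end in "delivered": the posted routes alone predict that the pings which fail in the reply should succeed. That is the useful result of the exercise. The model covers only route lookups, so a case that fails here is a routing gap, while a case that passes here but fails on the wire has to be explained by a layer the tables do not show: the SRX security zone and host-inbound-traffic settings on the GRE interface, GRE forwarding on the switch, or a firewall on the test PC itself.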


Re: virtual router's default route over a GRE tunnel

Friday

Good day,

Can you ping both ends of the GRE tunnel? Did you allow GRE on the SRX?

Re: virtual router's default route over a GRE tunnel

Friday

Hi,

I drew out a basic picture so I can speak to each part below:

SRX can ping vlan IP on EX4200:

root@srx> ping 192.168.222.1 interface gr-0/0/0 count 1 
PING 192.168.222.1 (192.168.222.1): 56 data bytes
64 bytes from 192.168.222.1: icmp_seq=0 ttl=64 time=2.507 ms

--- 192.168.222.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.507/2.507/2.507/0.000 ms

The SRX cannot ping the remote PC:

root@srx> ping 192.168.222.222 interface gr-0/0/0 count 1  
PING 192.168.222.222 (192.168.222.222): 56 data bytes

--- 192.168.222.222 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

EX4200 can ping the remote end of the tunnel:

root@ex4200> ping 192.168.111.1 routing-instance guestroute count 1 
PING 192.168.111.1 (192.168.111.1): 56 data bytes
64 bytes from 192.168.111.1: icmp_seq=0 ttl=64 time=3.168 ms

--- 192.168.111.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.168/3.168/3.168/0.000 ms

EX4200 can ping to the internet:

root@ex4200> ping 8.8.8.8 routing-instance guestroute count 1          
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=55 time=9.325 ms

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 9.325/9.325/9.325/0.000 ms

System (server) in main office can ping the remote side of the tunnel:

[user@mainoffice ~]$ ping 192.168.111.2 -c 1
PING 192.168.111.2 (192.168.111.2) 56(84) bytes of data.
64 bytes from 192.168.111.2: icmp_seq=1 ttl=63 time=3.08 ms

--- 192.168.111.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.088/3.088/3.088/0.000 ms

System (server) in main office can ping the vlan IP on the remote switch:

[user@mainoffice ~]$ ping 192.168.222.1 -c 1
PING 192.168.222.1 (192.168.222.1) 56(84) bytes of data.
64 bytes from 192.168.222.1: icmp_seq=1 ttl=63 time=2.60 ms
--- 192.168.222.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.601/2.601/2.601/0.000 ms

System (server) in main office cannot ping the remote PC:

[user@mainoffice ~]$ ping 192.168.222.222 -c 1
PING 192.168.222.222 (192.168.222.222) 56(84) bytes of data.
^C
--- 192.168.222.222 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

remote PC can ping the remote side of the tunnel:

[user@remotepc ~]$ ping 192.168.111.2 -c 1
PING 192.168.111.2 (192.168.111.2) 56(84) bytes of data.
64 bytes from 192.168.111.2: icmp_seq=1 ttl=63 time=1.25 ms

--- 192.168.111.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.245/1.245/1.245/0.000 ms

remote PC cannot ping the main office side of the tunnel:

[user@remotepc ~]$ ping 192.168.111.1 -c 1
PING 192.168.111.1 (192.168.111.1) 56(84) bytes of data.
^C
--- 192.168.111.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

I think that about sums up my ping experiences.

Thanks for looking at this with me.