
MX to SRX cluster interconnect for multiple VLANs

3 weeks ago

This should be a very simple question to answer, but somehow I cannot figure it out or find a working example. Let's say I want to configure two MX routers and an SRX cluster as shown in the picture below. How do I do it on the MX side?

 

[Image: mx-srx.png]

I have a multitenant environment with customer connections (external ISPs etc.) terminating on the MX routers, each customer in their own routing-instance. On the SRX cluster I have similar routing-instances for each customer and I would like to connect the customer routing-instances between MX and SRX over one physical link pair per MX, each customer in their own VLAN.

 

SRX side is easy, I just create reth interfaces with vlan-tagging and a subinterface for each link, assigned to their relevant routing-instances and security-zones.

set interfaces reth0 description mx1
set interfaces reth0 vlan-tagging
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 1000 vlan-id 1000
set interfaces reth0 unit 1000 family inet address 100.91.0.1/31
set interfaces reth1 description mx2
set interfaces reth1 vlan-tagging
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 1000 vlan-id 1000
set interfaces reth1 unit 1000 family inet address 100.91.0.3/31

set security zones security-zone testnet host-inbound-traffic system-services ping
set security zones security-zone testnet interfaces reth0.1000
set security zones security-zone testnet interfaces reth1.1000

set routing-instances testnet instance-type virtual-router
set routing-instances testnet interface reth0.1000
set routing-instances testnet interface reth1.1000

 

However, the MX side I cannot figure out. I was thinking this would work, but obviously it doesn't. The irb stays down in Hardware-Down state, I guess logical units don't work as bridge members in this case? I would also love to have a way to only enter vlan tags once, not under every physical member interface.

set interfaces xe-0/0/0 flexible-vlan-tagging
set interfaces xe-0/0/0 mtu 1514
set interfaces xe-0/0/0 encapsulation flexible-ethernet-services
set interfaces xe-0/0/0 unit 1000 description fw1-testnet
set interfaces xe-0/0/0 unit 1000 vlan-id 1000
set interfaces xe-0/0/1 flexible-vlan-tagging
set interfaces xe-0/0/1 mtu 1514
set interfaces xe-0/0/1 encapsulation flexible-ethernet-services
set interfaces xe-0/0/1 unit 1000 description fw1-testnet
set interfaces xe-0/0/1 unit 1000 vlan-id 1000

set interfaces irb unit 1000 family inet address 100.91.0.0/31

set routing-instances testnet-vr instance-type virtual-router
set routing-instances testnet-vr interface irb.1000

set bridge-domains fw1-1000 description fw1-testnet
set bridge-domains fw1-1000 domain-type bridge
set bridge-domains fw1-1000 vlan-id 1000
set bridge-domains fw1-1000 interface xe-0/0/0.1000
set bridge-domains fw1-1000 interface xe-0/0/1.1000
set bridge-domains fw1-1000 routing-interface irb.1000

 

root@mx1> show interfaces irb.1000 terse 
Interface               Admin Link Proto    Local                 Remote
irb.1000                up    down inet     100.91.0.0/31   
                                   multiservice

root@mx1> show bridge domain 
Routing instance        Bridge domain            VLAN ID     Interfaces
default-switch          fw1-1000           1000

root@mx1> show interfaces xe-0/0/0 terse    
Interface               Admin Link Proto    Local                 Remote
xe-0/0/0              up    up
xe-0/0/0.1000         up    up   multiservice
xe-0/0/0.32767        up    up   multiservice

root@mx1> show interfaces irb.1000 
  Logical interface irb.1000 (Index 93) (SNMP ifIndex 574)
    Flags: Hardware-Down Up SNMP-Traps 0x4004000 Encapsulation: ENET2
    Bandwidth: 1Gbps
    Routing Instance: default-switch Bridging Domain: fw1-1000
    Input packets : 0
    Output packets: 0
    Protocol inet, MTU: 1514
    Max nh cache: 100000, New hold nh limit: 100000, Curr nh cnt: 0, Curr new hold cnt: 0, NH drop cnt: 0
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
        Destination: 100.91.0.0/31, Local: 100.91.0.0
    Protocol multiservice, MTU: 1514

 

Also, if I'm doing this in a completely stupid way, feel free to tell me. The goal is just to route customer internet traffic via the MX routers to the SRX, each customer separately in their own route tables. Each customer has different kinds of internet connections from different ISPs connected to the MX. Behind the SRX will be the actual production networks and the SRX does the security, IPsec tunnels and so on.

Solution
Accepted by topic author stnzzz
3 weeks ago

Re: MX to SRX cluster interconnect for multiple VLANs


Answering myself, this works now. The MX subinterfaces were missing encapsulation vlan-bridge.

set interfaces xe-0/0/0.1000 encapsulation vlan-bridge
set interfaces xe-0/0/1.1000 encapsulation vlan-bridge


However, am I still doing this in a stupid way? Would there be a better way to connect the routing-instances on the MX routers to respective instances on the SRX cluster in a multitenant service provider datacenter network? Let's say there will be some 500 routing-instances (customers) and they will be changing all the time, so reducing the configuration steps would be great.
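
An added example, not part of the original posts and not Juniper tooling: a small Python check over `set`-format configuration for the condition the accepted answer identifies (a bridge-domain member unit without `encapsulation vlan-bridge`), plus a check that every `routing-interface` irb is placed in a routing-instance, so that a tenant link does not end up in the default instance. The function name `audit` and the sample strings `MX_BEFORE` and `MX_FIX` are assumptions, constructed from the statements quoted in the thread.

```python
# Added example. MX_BEFORE / MX_FIX are constructed from statements in the posts.
MX_BEFORE = """\
set interfaces xe-0/0/0 flexible-vlan-tagging
set interfaces xe-0/0/0 encapsulation flexible-ethernet-services
set interfaces xe-0/0/0 unit 1000 vlan-id 1000
set interfaces xe-0/0/1 flexible-vlan-tagging
set interfaces xe-0/0/1 encapsulation flexible-ethernet-services
set interfaces xe-0/0/1 unit 1000 vlan-id 1000
set interfaces irb unit 1000 family inet address 100.91.0.0/31
set routing-instances testnet-vr instance-type virtual-router
set routing-instances testnet-vr interface irb.1000
set bridge-domains fw1-1000 vlan-id 1000
set bridge-domains fw1-1000 interface xe-0/0/0.1000
set bridge-domains fw1-1000 interface xe-0/0/1.1000
set bridge-domains fw1-1000 routing-interface irb.1000
"""
MX_FIX = """\
set interfaces xe-0/0/0.1000 encapsulation vlan-bridge
set interfaces xe-0/0/1.1000 encapsulation vlan-bridge
"""

def audit(config):
    """Return sorted findings for a block of Junos 'set' statements."""
    bridged, members, irbs, routed = set(), {}, {}, set()
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["set", "interfaces"] and w[-2:] == ["encapsulation", "vlan-bridge"]:
            if len(w) == 7 and w[3] == "unit":      # xe-0/0/0 unit 1000 ...
                bridged.add(f"{w[2]}.{w[4]}")
            elif len(w) == 5 and "." in w[2]:       # dotted form xe-0/0/0.1000 ...
                bridged.add(w[2])
        elif w[:2] == ["set", "bridge-domains"] and len(w) == 5:
            if w[3] == "interface":
                members[w[4]] = w[2]                # logical unit -> bridge domain
            elif w[3] == "routing-interface":
                irbs[w[4]] = w[2]                   # irb unit -> bridge domain
        elif w[:2] == ["set", "routing-instances"] and len(w) == 5 and w[3] == "interface":
            routed.add(w[4])
    findings = [f"{ifl}: in bridge domain {bd} without encapsulation vlan-bridge"
                for ifl, bd in members.items() if ifl not in bridged]
    findings += [f"{irb}: routing-interface of {bd} is in no routing-instance"
                 for irb, bd in irbs.items() if irb not in routed]
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(MX_BEFORE)) or "clean")
    print("\n".join(audit(MX_BEFORE + MX_FIX)) or "clean")
```

With around 500 tenant instances changing frequently, a check like this can run over the candidate configuration text before it is committed.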
