SRX Services Gateway

SRX Interop with Cisco L3VPN (MPLS over dynamic GRE)

‎08-10-2014 06:05 PM

Hi,

I am replacing a Cisco router with a Firefly virtual router as a proof of concept.


The existing router used Cisco's L3VPN, which uses a multihop BGP connection for control and point-to-point GRE for the transport.

 

This seems to be a similar fit to dynamic tunnels:

http://www.juniper.net/techpubs/en_US/junos13.3/topics/usage-guidelines/services-configuring-dynamic...

 

This is my config:

set interfaces lo0 unit 0 family inet address 10.17.20.1/24

 

set routing-options autonomous-system 65535
set routing-options dynamic-tunnels traceoptions file dynamictunnels
set routing-options dynamic-tunnels Lab source-address x.x.x.x
set routing-options dynamic-tunnels Lab gre
set routing-options dynamic-tunnels Lab destination-networks y.y.y.y/32

set protocols bgp group L3VPN type external
set protocols bgp group L3VPN family inet-vpn unicast
set protocols bgp group L3VPN neighbor y.y.y.y multihop ttl 255
set protocols bgp group L3VPN neighbor y.y.y.y peer-as 65000


set routing-instances Lab instance-type vrf
set routing-instances Lab interface lo0.0
set routing-instances Lab route-distinguisher 65000:65535
set routing-instances Lab vrf-target target:65000:65535
set routing-instances Lab vrf-target import target:65000:65000

 

I have routes (both ends can see each other's):
aclark@firefly> show route table Lab.inet.0

Alphawest.inet.0: 32 destinations, 32 routes (32 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.12.0.0/16 *[BGP/170] 00:29:25, localpref 100, from y.y.y.y
AS path: 65000 ?
> via gr-0/0/0.32770, Push 55

 

I even have packets outbound when I ping:

aclark@firefly> ping routing-instance Lab 10.12.2.126 source 10.17.20.1    

aclark@firefly> show interfaces gr-0/0/0.32770 extensive
Logical interface gr-0/0/0.32770 (Index 75) (SNMP ifIndex 525) (Generation 155)
Flags: Point-To-Point SNMP-Traps 0x4000 IP-Header y.y.y.y:x.x.x.x:47:df:64:0000000800000000 Encapsulation: GRE-NULL
Gre keepalives configured: Off, Gre keepalives adjacency state: down
Traffic statistics:
Input bytes : 0
Output bytes : 3696
Input packets: 0
Output packets: 33
Local statistics:
Input bytes : 0
Output bytes : 3696
Input packets: 0
Output packets: 33
Transit statistics:
Input bytes : 0 0 bps
Output bytes : 0 0 bps
Input packets: 0 0 pps
Output packets: 0 0 pps
Security: Zone: Null
Flow Statistics :
Flow Input statistics :
Self packets : 0
ICMP packets : 0
VPN packets : 0
Multicast packets : 0
Bytes permitted by policy : 0
Connections established : 0
Flow Output statistics:
Multicast packets : 0
Bytes permitted by policy : 0
Flow error statistics (Packets dropped due to):
Address spoofing: 0
Authentication failed: 0
Incoming NAT errors: 0
Invalid zone received packet: 0
Multiple user authentications: 0
Multiple incoming NAT: 0
No parent for a gate: 0
No one interested in self packets: 0
No minor session: 0
No more sessions: 0
No NAT gate: 0
No route present: 0
No SA for incoming SPI: 0
No tunnel found: 0
No session for a gate: 0
No zone or NULL zone binding 0
Policy denied: 0
Security association not active: 0
TCP sequence number out of window: 0
Syn-attack protection: 0
User authentication errors: 0
Protocol inet, MTU: 1463, Generation: 171, Route table: 0
Flags: None
Protocol mpls, MTU: 1451, Maximum labels: 3, Generation: 172, Route table: 0
Flags: Is-Primary

 

But a GRE packet is never received on the other end.

 

I also never receive any packets if I initiate a ping from the other end, but a GRE packet is sent.

 

I have noticed that the tunnel has no security zone. Given it is an SRX, is this significant?

 

Cheers,

  Adam 


Re: SRX Interop with Cisco L3VPN (MPLS over dynamic GRE)

‎08-11-2014 02:16 AM

So, I think this might have something to do with the SRX in flow mode:

http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/mpls-security-enabling-cli.html

 

Would this only be available in packet mode?

 

Cheers

 

Adam