SRX Services Gateway

SRX Interop with Cisco L3VPN (MPLS over dynamic GRE)

‎08-10-2014 06:05 PM


I am replacing a Cisco router with a Firefly virtual router as a proof of concept.

The existing router used Cisco's L3VPN, which uses a multihop BGP connection for control and point-to-point GRE for the transport.


This seems to be a similar fit to dynamic tunnels:


This is my config:

set interfaces lo0 unit 0 family inet address


set routing-options autonomous-system 65535
set routing-options dynamic-tunnels traceoptions file dynamictunnels
set routing-options dynamic-tunnels Lab source-address x.x.x.x
set routing-options dynamic-tunnels Lab gre
set routing-options dynamic-tunnels Lab destination-networks y.y.y.y/32

set protocols bgp group L3VPN type external
set protocols bgp group L3VPN family inet-vpn unicast
set protocols bgp group L3VPN neighbor y.y.y.y multihop ttl 255
set protocols bgp group L3VPN neighbor y.y.y.y peer-as 65000

set routing-instances Lab instance-type vrf
set routing-instances Lab interface lo0.0
set routing-instances Lab route-distinguisher 65000:65535
set routing-instances Lab vrf-target target:65000:65535
set routing-instances Lab vrf-target import target:65000:65000


I have routes (both ends can see each other's):
aclark@firefly> show route table Lab.inet.0

Alphawest.inet.0: 32 destinations, 32 routes (32 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

*[BGP/170] 00:29:25, localpref 100, from y.y.y.y
AS path: 65000 ?
> via gr-0/0/0.32770, Push 55


I even have packets outbound when I ping:

aclark@firefly> ping routing-instance Lab source    

aclark@firefly> show interfaces gr-0/0/0.32770 extensive
Logical interface gr-0/0/0.32770 (Index 75) (SNMP ifIndex 525) (Generation 155)
Flags: Point-To-Point SNMP-Traps 0x4000 IP-Header y.y.y.y:x.x.x.x:47:df:64:0000000800000000 Encapsulation: GRE-NULL
Gre keepalives configured: Off, Gre keepalives adjacency state: down
Traffic statistics:
Input bytes : 0
Output bytes : 3696
Input packets: 0
Output packets: 33
Local statistics:
Input bytes : 0
Output bytes : 3696
Input packets: 0
Output packets: 33
Transit statistics:
Input bytes : 0 0 bps
Output bytes : 0 0 bps
Input packets: 0 0 pps
Output packets: 0 0 pps
Security: Zone: Null
Flow Statistics :
Flow Input statistics :
Self packets : 0
ICMP packets : 0
VPN packets : 0
Multicast packets : 0
Bytes permitted by policy : 0
Connections established : 0
Flow Output statistics:
Multicast packets : 0
Bytes permitted by policy : 0
Flow error statistics (Packets dropped due to):
Address spoofing: 0
Authentication failed: 0
Incoming NAT errors: 0
Invalid zone received packet: 0
Multiple user authentications: 0
Multiple incoming NAT: 0
No parent for a gate: 0
No one interested in self packets: 0
No minor session: 0
No more sessions: 0
No NAT gate: 0
No route present: 0
No SA for incoming SPI: 0
No tunnel found: 0
No session for a gate: 0
No zone or NULL zone binding 0
Policy denied: 0
Security association not active: 0
TCP sequence number out of window: 0
Syn-attack protection: 0
User authentication errors: 0
Protocol inet, MTU: 1463, Generation: 171, Route table: 0
Flags: None
Protocol mpls, MTU: 1451, Maximum labels: 3, Generation: 172, Route table: 0
Flags: Is-Primary


But a GRE packet is never received on the other end.


I also never receive any packets if I initiate a ping from the other end, but a GRE packet is sent.


I have noticed that the tunnel has no security zone. Given it is an SRX, is this significant?
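An offline check for the symptoms described in the post above (packets leaving the gr- interface, none arriving, `Security: Zone: Null`, and flow error counters at zero). It is an added example, not part of the original thread and not Juniper tooling. The function names and result keys are made up for this illustration, and the sample text is a trimmed copy of the posted output.

```python
import re

# Trimmed copy of the `show interfaces gr-0/0/0.32770 extensive` output from the post.
SAMPLE = """\
Logical interface gr-0/0/0.32770 (Index 75) (SNMP ifIndex 525) (Generation 155)
Traffic statistics:
Input bytes : 0
Output bytes : 3696
Input packets: 0
Output packets: 33
Transit statistics:
Input packets: 0 0 pps
Output packets: 0 0 pps
Security: Zone: Null
Flow error statistics (Packets dropped due to):
No route present: 0
No zone or NULL zone binding 0
Policy denied: 0
Protocol inet, MTU: 1463, Generation: 171, Route table: 0
"""

# "<name> : <value>" with an optional colon and an optional trailing rate ("0 bps").
COUNTER = re.compile(r"([^:,]+?)\s*:?\s+(\d+)(?:\s+\d+ [bp]ps)?$")

def parse(text):
    """Return (interface, zone, {section: {counter: value}})."""
    iface = zone = section = None
    stats = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"Logical interface (\S+)", line):
            iface = m.group(1)
        elif m := re.match(r"Security: Zone: (\S+)", line):
            zone = m.group(1)
        elif line.endswith(":"):                      # section header line
            section = line.rstrip(": ").split(" (")[0]
            stats[section] = {}
        elif section and (m := COUNTER.match(line)):
            stats[section][m.group(1)] = int(m.group(2))
    return iface, zone, stats

def diagnose(text):
    """Summarise the symptoms the post describes for one logical interface."""
    iface, zone, stats = parse(text)
    traffic = stats.get("Traffic statistics", {})
    tx, rx = traffic.get("Output packets", 0), traffic.get("Input packets", 0)
    drops = {k: v for k, v in stats.get("Flow error statistics", {}).items() if v}
    return {"interface": iface, "tx_packets": tx, "rx_packets": rx,
            "one_way": tx > 0 and rx == 0,
            "zone_bound": zone is not None and zone.lower() != "null",
            "nonzero_flow_drops": drops}
```

For the posted output, `diagnose(SAMPLE)` reports a one-way tunnel with no zone bound and no non-zero flow drop counters, so the flow error statistics on this logical interface do not account for the missing return traffic.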




Re: SRX Interop with Cisco L3VPN (MPLS over dynamic GRE)

‎08-11-2014 02:16 AM

So, I think this might have something to do with the SRX in flow mode:


Would this only be available in packet mode?