SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

routing-interface irb interface UP DOWN - connecting VPLS to VRF

  • 1.  routing-interface irb interface UP DOWN - connecting VPLS to VRF

    Posted 11-16-2017 03:03

    Dear Experts,

     

    I have a L3VPN (VRF) configured on two PEs.

    I also have an L2VPN (VPLS) configured on both PEs.

    I am trying to ping two different interfaces on each VRF. Those two interfaces should use the pseudowire VPLS.

    On one PE (nokia), the interface is up up

    On the other PE (Juniper) the irb is up up, but the irb.300 being used is up down. I would say that is the problem. 

     

    Please find below config + show commands:

     

    NOKIA {
        instance-type vrf;
        interface ge-0/0/2.100;
        interface irb.300;
        interface lo0.700;
        route-distinguisher 172.25.2.3:16;
        vrf-target target:111111:16;
        vrf-table-label;
        routing-options {
            router-id 70.70.70.70;
            autonomous-system 111111;
        }
        protocols {
            bgp {
                export OSPF-2-BGP;
                group A {
                    type internal;
                    local-address 70.70.70.70;
                    neighbor 80.80.80.80;
                }
            }
            ospf {
                export BGP-2-OSPF;
                area 0.0.0.50 {
                    interface ge-0/0/2.100;
                    interface lo0.700;
                    interface irb.300;
                }
            }
        }
    }

     

    VPLS {
        instance-type vpls;
        vlan-id 300;
        interface ge-0/0/3.300;
        routing-interface irb.300;
        protocols {
            vpls {
                traceoptions {
                    file VPLS;
                    flag all;
                }
                interface ge-0/0/3.300;
                no-tunnel-services;
                vpls-id 300;
                neighbor 172.25.1.100;
            }
        }
    }

     

     

    # run show interfaces terse irb
    Interface               Admin Link Proto    Local                 Remote
    irb                     up    up
    irb.300                 up    down inet     192.168.51.100/24

     

    0# run show interfaces irb.300
    Logical interface irb.300 (Index 84) (SNMP ifIndex 572)
    Flags: Hardware-Down Up SNMP-Traps 0x0 Encapsulation: ENET2
    Bandwidth: 1000mbps
    Routing Instance: None Bridging Domain: None
    Input packets : 0
    Output packets: 0
    Security: Zone: Null
    Protocol inet, MTU: 1514
    Flags: Sendbcast-pkt-to-re
    Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
    Destination: 192.168.51/24, Local: 192.168.51.100, Broadcast: 192.168.51.255

     

    show version
    Hostname: GINOP-SRX340
    Model: srx340
    Junos: 15.1X49-D90.7
    JUNOS Software Release [15.1X49-D90.7]

     

     

    Perhaps we have a stopper cuz of mix-mode...

    https://www.juniper.net/documentation/en_US/junos/topics/concept/security-mixed-mode-understanding.html

     

    Thanks a lot!!

     

    NOTE: I have no clue about Juniper, therefore if u ask me something, you better write the command.



  • 2.  RE: routing-interface irb interface UP DOWN - connecting VPLS to VRF

    Posted 11-16-2017 05:15

    What is the status of the physical interface ge-0/0/3.300?

     

    In order for the irb interface to be up at least one physical interface member of the bridge group has to be up.

     



  • 3.  RE: routing-interface irb interface UP DOWN - connecting VPLS to VRF

    Posted 11-16-2017 05:18

    ge-0/0/3.300            up    up   vpls



  • 4.  RE: routing-interface irb interface UP DOWN - connecting VPLS to VRF

    Posted 11-16-2017 05:24

    What is the bridge domain configuration for this interface?

     

    show bridge-domain VLANname

     



  • 5.  RE: routing-interface irb interface UP DOWN - connecting VPLS to VRF

    Posted 11-16-2017 05:32

    I cannot execute that:

     

    SRX340> show bri
                             ^
    syntax error, expecting <command>.
    SRX340> show bridge
                             ^

    SRX340> configure
    Entering configuration mode

    [edit]
    SRX340# show bridge
                             ^
    syntax error.

    [edit]
    SRX340# show b
                             ^
    syntax error.



  • 6.  RE: routing-interface irb interface UP DOWN - connecting VPLS to VRF

    Posted 11-16-2017 05:38

    Sorry, that was the MX version; on the SRX it is under vlans, not bridge domain.

    show vlans 

     



  • 7.  RE: routing-interface irb interface UP DOWN - connecting VPLS to VRF

    Posted 11-16-2017 05:59

    SRX340# show vlans
    irb_vlans {
    vlan-id 300;
    l3-interface irb.300;

     

     

    Starting in Junos OS Release 12.3X48-D10 and Junos OS Release 17.3R1, some conditions apply to mixed-mode operations. Note the conditions here:

    • On SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500 devices, you cannot configure Ethernet switching and virtual private LAN service (VPLS) using mixed mode (Layer 2 and Layer 3).


  • 8.  RE: routing-interface irb interface UP DOWN - connecting VPLS to VRF

    Posted 11-16-2017 06:07

    The reason the irb interface is down is that there are no physical interfaces in the vlan.

    I assume you would want to add ge-0/0/3.300 to this vlan in order to get the irb interface up / up.

     

    I'm not sure about the vpls comment from the documentation you have posted.  I usually run the vpls routing instances on the MX.  So this may not be supported per that note.

     



  • 9.  RE: routing-interface irb interface UP DOWN - connecting VPLS to VRF

    Posted 11-16-2017 07:42

    That is not the problem.

    On the first post of this thread you can see the VPLS configuration, including:

     

    VPLS {
    instance-type vpls;
    vlan-id 300;
    interface ge-0/0/3.300;

     

    therefore there are physical interfaces configured.

     

    Thanks a lot!



  • 10.  RE: routing-interface irb interface UP DOWN - connecting VPLS to VRF

    Posted 11-16-2017 19:42
    Is it possible for you to paste your config?

    If not, then give the following outputs from config mode:
    #show interfaces
    #show protocols
    Other required commands:
    #run show version
    #run show chassis hardware
    #run show interface terse | no-more


  • 11.  RE: routing-interface irb interface UP DOWN - connecting VPLS to VRF

    Posted 11-16-2017 22:54

    Thanks for your time!

     

     

    CONFIG:

    -----------

    -----------

    Entering configuration mode

    [edit]
    SRX340# show
    ## Last changed: 2017-11-16 15:55:40 CET
    version 15.1X49-D90.7;
    groups {
    OSPF {
    protocols {
    ospf {
    area <*> {
    interface <*> {
    interface-type p2p;
    authentication {
    md5 1 key "$9$CwUYtIEM8X-VYuO87VbaJDikqPQ"; ## SECRET-DATA
    }
    bfd-liveness-detection {
    minimum-interval 500;
    multiplier 3;
    }
    }
    }
    }
    }
    }
    RSVP {
    protocols {
    rsvp {
    interface <*> {
    authentication-key "$9$xPd-sgGUHPfzNdb2aJHkn/C"; ## SECRET-DATA
    aggregate;
    reliable;
    subscription 80;
    link-protection {
    optimize-timer 300;
    }
    }
    }
    }
    }
    MPLS {
    protocols {
    mpls {
    label-switched-path <*> {
    ldp-tunneling;
    node-link-protection;
    }
    }
    }
    }
    }
    system {
    host-name SRX340;
    time-zone Europe;
    root-authentication {
    encrypted-password "$5$LmF.VlJh$OiYfOBQua8efhZli.6TfDrxmrkChubEF71WAKAm.rmD"; ## SECRET-DATA
    }
    login {
    user kapsch {
    uid 2000;
    class super-user;
    authentication {
    encrypted-password "$1$LlMQ6Mdc$4Fsw1xAcfPbyoe8hx3EDy."; ## SECRET-DATA
    }
    }
    user mvmnet {
    uid 2001;
    class super-user;
    authentication {
    encrypted-password "$5$IjBhGebb$2w.S1/j6/NW9RorNSizSu569XjCORd84nP5rdy5mZo."; ## SECRET-DATA
    }
    }
    user xxxxxx {
    uid 2002;
    class super-user;
    authentication {
    encrypted-password "$5$J6TBsEBw$b55xzjoRE54vrjnAfAKP7TdpRcIVmyMS6NBtE0xsgtC"; ## SECRET-DATA
    }
    }
    }
    services {
    ssh {
    protocol-version v2;
    max-sessions-per-connection 32;
    }
    netconf {
    ssh;
    }
    }
    syslog {
    file messages {
    any any;
    }
    }
    }
    chassis {
    alarm {
    ethernet {
    link-down red;
    }
    }
    }
    security {
    macsec {
    connectivity-association ca1 {
    security-mode static-cak;
    include-sci;
    pre-shared-key {
    ckn 37c9c2c45ddd012aa5bc8ef284aa23ff6729ee2e4acb66e91fe34ba2cd9fe311;
    cak "$9$RC7cev8X7NbsBIrv8LN-.PfT69AtO1Ic9CvWX7sYZUjk5QCtuBRh0Ohrev7N.PfQ/C0BIEhrmfQn9A0O-Vbs2aqmfTFnYg"; ## SECRET-DATA
    }
    }
    interfaces {
    ge-0/0/6 {
    connectivity-association ca1;
    }
    ge-0/0/7 {
    connectivity-association ca1;
    }
    }
    }
    forwarding-options {
    family {
    inet6 {
    mode packet-based;
    }
    mpls {
    mode packet-based;
    }
    iso {
    mode packet-based;
    }
    }
    }
    }
    interfaces {
    protect: ge-0/0/0 {
    unit 0 {
    family inet {
    address 10.250.11.159/24;
    }
    }
    }
    ge-0/0/1 {
    unit 0 {
    family inet {
    address 192.168.25.1/30;
    }
    }
    }
    ge-0/0/2 {
    description NOKIA;
    flexible-vlan-tagging;
    encapsulation flexible-ethernet-services;
    unit 15 {
    encapsulation vlan-ccc;
    vlan-id 15;
    input-vlan-map pop;
    output-vlan-map push;
    family ccc;
    }
    unit 100 {
    vlan-id 100;
    family inet {
    address 192.168.10.1/30;
    }
    }
    unit 200 {
    vlan-id 200;
    family inet {
    address 192.168.20.1/30;
    }
    }
    }
    ge-0/0/3 {
    description A;
    flexible-vlan-tagging;
    encapsulation flexible-ethernet-services;
    unit 15 {
    vlan-id 15;
    family inet {
    address 192.168.15.1/24;
    }
    }
    unit 100 {
    vlan-id 100;
    family inet {
    address 192.168.10.2/30;
    }
    }
    unit 200 {
    vlan-id 200;
    family inet {
    address 192.168.20.2/30;
    }
    }
    unit 300 {
    description VPLS;
    encapsulation vlan-vpls;
    vlan-id 300;
    family vpls;
    }
    }
    ge-0/0/4 {
    unit 0 {
    family inet {
    address 192.168.25.2/30;
    }
    }
    }
    ge-0/0/5 {
    description "backdoor link";
    flexible-vlan-tagging;
    mtu 9000;
    encapsulation flexible-ethernet-services;
    unit 15 {
    vlan-id 15;
    family inet {
    address 192.168.15.2/24;
    }
    }
    unit 100 {
    vlan-id 100;
    family inet {
    address 192.168.50.5/24;
    }
    }
    }
    ge-0/0/14 {
    description "to GINOP-MX104";
    mtu 9192;
    unit 0 {
    family inet {
    address 10.16.2.5/31;
    }
    family mpls;
    }
    }
    ge-0/0/15 {
    unit 0 {
    family inet {
    address 10.20.30.40/31;
    }
    }
    }
    irb {
    unit 300 {
    family inet {
    address 192.168.51.100/24;
    }
    }
    }
    lo0 {
    unit 0 {
    family inet {
    address 172.25.2.3/32;
    }
    }
    unit 700 {
    family inet {
    address 70.70.70.70/32;
    }
    }
    unit 800 {
    family inet {
    address 80.80.80.80/32;
    }
    }
    unit 900 {
    family inet {
    address 90.90.90.90/32;
    }
    }
    }
    }
    routing-options {
    static {
    route 10.250.0.0/16 next-hop 10.250.11.1;
    }
    autonomous-system XXXXXX;
    }
    protocols {
    rsvp {
    apply-groups RSVP;
    interface ge-0/0/14.0;
    }
    mpls {
    label-switched-path SRX340-TO-MX104 {
    to 172.17.0.16;
    }
    interface ge-0/0/14.0;
    }
    bgp {
    path-selection external-router-id;
    traceoptions {
    file bgp;
    flag all detail;
    }
    advertise-inactive;
    mtu-discovery;
    log-updown;
    authentication-key "$9$zPcQn9t1RcvWXJG/A"; ## SECRET-DATA
    group METRO-REGIO {
    type internal;
    local-address 172.25.2.3;
    family inet {
    labeled-unicast {
    resolve-vpn;
    }
    }
    family inet-vpn {
    unicast;
    }
    family inet6 {
    unicast;
    }
    family inet6-vpn {
    unicast;
    }
    family l2vpn {
    signaling;
    }
    family route-target;
    export TO-BORDER-NODE;
    multipath;
    neighbor 172.17.0.16;
    neighbor 172.25.1.100 {
    authentication-key "$9$ZiDkPu0IcyKn/Cu"; ## SECRET-DATA
    }
    }
    }
    ospf {
    apply-groups OSPF;
    traffic-engineering;
    area 0.0.0.2 {
    interface ge-0/0/14.0;
    interface lo0.0 {
    passive;
    }
    }
    }
    ldp {
    interface lo0.0;
    }
    l2circuit {
    neighbor 172.25.1.100 {
    interface ge-0/0/2.15 {
    virtual-circuit-id 15;
    no-control-word;
    }
    }
    }
    }
    policy-options {
    policy-statement BGP-2-OSPF {
    term 1 {
    from {
    protocol bgp;
    route-filter 90.90.90.90/32 exact;
    }
    then {
    external {
    type 1;
    }
    }
    }
    term 2 {
    then accept;
    }
    }
    policy-statement OSPF-2-BGP {
    term 1 {
    from {
    route-filter 80.80.80.80/32 exact;
    }
    then accept;
    }
    term 2 {
    then accept;
    }
    }
    policy-statement TO-BORDER-NODE {
    term LOCAL-LOOPBACK {
    from {
    protocol direct;
    rib inet.0;
    interface lo0.0;
    route-filter 0.0.0.0/0 prefix-length-range /32-/32;
    }
    then accept;
    }
    term ROUTE-TARGET-FILTERING {
    from {
    protocol [ bgp route-target ];
    rib bgp.rtarget.0;
    }
    then accept;
    }
    term VRFS {
    from family inet-vpn;
    then accept;
    }
    term VPLS {
    from {
    protocol bgp;
    rib bgp.l2vpn.0;
    }
    then accept;
    }
    then reject;
    }
    policy-statement vrB-TO-nokia {
    term Loopbak {
    from interface lo0.900;
    then accept;
    }
    }
    }
    routing-instances {
    virtual-ce {
    instance-type virtual-router;
    interface ge-0/0/2.200;
    interface ge-0/0/3.100;
    interface lo0.800;
    routing-options {
    router-id 80.80.80.80;
    autonomous-system XXXXXX;
    }
    protocols {
    bgp {
    group NOKIA {
    type internal;
    local-address 80.80.80.80;
    neighbor 70.70.70.70;
    }
    }
    ospf {
    area 0.0.0.50 {
    interface lo0.800 {
    passive;
    }
    interface ge-0/0/3.100;
    interface ge-0/0/2.200;
    }
    }
    }
    }
    virtual-ce {
    instance-type virtual-router;
    interface ge-0/0/3.200;
    interface ge-0/0/5.100;
    interface lo0.900;
    routing-options {
    router-id 90.90.90.90;
    autonomous-system 196958;
    }
    protocols {
    bgp {
    export vrB-TO-nokia;
    group SAR {
    type internal;
    local-address 90.90.90.90;
    neighbor 3.3.3.3;
    }
    }
    ospf {
    area 0.0.0.50 {
    interface ge-0/0/5.100;
    interface lo0.900 {
    passive;
    }
    interface ge-0/0/3.200;
    }
    }
    }
    }
    }
    protocols {
    bgp {
    group External {
    type external;
    neighbor 10.1.1.2 {
    peer-as 1000;
    local-as XXXXX;
    }
    }
    }
    ospf {
    area 0.0.0.1 {
    interface ge-0/0/15.0 {
    interface-type p2p;
    }
    }
    }
    }
    }
    NOKIA {
    instance-type vrf;
    interface ge-0/0/2.100;
    interface irb.300;
    interface lo0.700;
    route-distinguisher 172.25.2.3:16;
    vrf-target target:196958L:16;
    vrf-table-label;
    routing-options {
    router-id 70.70.70.70;
    autonomous-system XXXXXX;
    }
    protocols {
    bgp {
    export OSPF-2-BGP;
    group A {
    type internal;
    local-address 70.70.70.70;
    neighbor 80.80.80.80;
    }
    }
    ospf {
    export BGP-2-OSPF;
    area 0.0.0.50 {
    interface ge-0/0/2.100;
    interface lo0.700;
    interface irb.300;
    }
    }
    }
    }
    }
    }
    }
    }
    }
    VPLS {
    instance-type vpls;
    vlan-id none;
    interface ge-0/0/3.300;
    routing-interface irb.300;
    route-distinguisher 172.25.2.3:300;
    vrf-target target:196958L:300;
    protocols {
    vpls {
    site-range 10;
    interface-mac-limit {
    200;
    }
    no-tunnel-services;
    site SRX340 {
    site-identifier 2;
    interface ge-0/0/3.300;
    }
    }
    }
    }
    }
    }
    vlans {
    irb_vlans {
    vlan-id 300;
    l3-interface irb.300;
    }
    }

     



  • 12.  RE: routing-interface irb interface UP DOWN - connecting VPLS to VRF

    Posted 11-17-2017 01:24
    Is it possible for you to try any vlan id higher than 512?


  • 13.  RE: routing-interface irb interface UP DOWN - connecting VPLS to VRF

    Posted 11-17-2017 21:10

    Add this config in SRX

    set vlans irb_vlans interface ge-0/0/3.300

    set routing-instances VPLS protocols vpls connectivity-type irb

     

     

    and check if the interface is coming up and VPLS is working as expected.

     

    If not, then you may add family bridge on ge-0/0/3.300



  • 14.  RE: routing-interface irb interface UP DOWN - connecting VPLS to VRF

    Posted 11-17-2017 02:33

    Josu,

     

    Sorry for not being clear in my previous comment.

     

    IRB interfaces will not come up/up unless a physical interface in the same vlan is up/up.

    In this stanza there are NO physical interfaces in the vlan, only the irb, so the irb interface will be up/down.

    SRX340# show vlans
    irb_vlans {
    vlan-id 300;
    l3-interface irb.300;

     

    You need to add the physical interface to this vlan stanza to bring the IRB interface up.
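
The check the replies in this thread keep returning to, written out as an added example (not code from any poster or from Juniper): it parses a pasted Junos configuration and reports, for each vlan that names an l3-interface, which member interfaces the vlan stanza lists and which VPLS instances name the same IRB unit as routing-interface. The function names and the sample text are constructed for illustration, and only membership declared inside the vlans stanza is counted.

```python
# Constructed sample: the thread's VPLS and vlans stanzas, re-indented.
SAMPLE = """
routing-instances {
    VPLS {
        interface ge-0/0/3.300;
        routing-interface irb.300;
    }
}
vlans {
    irb_vlans {
        vlan-id 300;
        l3-interface irb.300;
    }
}
"""

def parse(text):
    """Parse curly-brace Junos config into nested dicts; leaves go under '_leaves'."""
    root = {"_leaves": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("##")[0].strip()  # drop '## SECRET-DATA' comments
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {"_leaves": []}))
        elif line == "}":
            stack = stack[:-1] if len(stack) > 1 else stack  # tolerate stray braces
        elif line:
            stack[-1]["_leaves"].append(line.rstrip(";"))
    return root

def children(cfg, section):
    """(name, leaves) for each child stanza of a top-level section."""
    return [(n, s["_leaves"]) for n, s in cfg.get(section, {}).items() if n != "_leaves"]

def irb_report(cfg):
    """Per vlan l3-interface: members listed in the vlan stanza, and VPLS
    instances that name the same unit as routing-interface."""
    vpls = {}
    for name, leaves in children(cfg, "routing-instances"):
        for leaf in leaves:
            if leaf.startswith("routing-interface "):
                vpls.setdefault(leaf.split()[1], []).append(name)
    out = []
    for name, leaves in children(cfg, "vlans"):
        members = [l.split()[1] for l in leaves if l.startswith("interface ")]
        for irb in (l.split()[1] for l in leaves if l.startswith("l3-interface ")):
            out.append({"vlan": name, "irb": irb, "members": members,
                        "vpls": vpls.get(irb, [])})
    return out
```

For the sample, `irb_report(parse(SAMPLE))` returns one entry for irb.300 with an empty member list and the VPLS instance as a second user of the same unit.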