SRX Services Gateway

vpls over gre over ipsec

‎02-08-2020 11:41 PM

Hello.

 

I have three SRX220H2 devices and I am trying to set up VPLS over GRE over IPsec. I have been able to set up the GRE tunnels between all sites. RSVP and MPLS are up, but I have been unable to get VPLS running. I keep getting errors that the local interface is down. Any help would be appreciated.

 

Thanks.

 

srx1

 

interfaces {
ge-0/0/0 {
encapsulation ethernet-vpls;
unit 0 {
family vpls;
}
}
/*
 * GRE tunnel interface; each unit is one point-to-point tunnel to another site.
 * Both units use 100.100.100.1 as the tunnel source, which is the address
 * configured on st0.0 in this same interfaces stanza, so the GRE packets are
 * sourced from the secure-tunnel interface.
 * NOTE(review): the security hierarchy (IKE/IPsec VPN, zones, policies) is not
 * part of the posted configuration, so it cannot be confirmed from here that
 * st0.0 is bound to an IPsec VPN or that GRE traffic can only leave through it.
 */
gr-0/0/0 {
/* Tunnel to 100.100.100.2 (the st0.0 address shown in the "srx 2" listing). */
unit 0 {
clear-dont-fragment-bit;
tunnel {
source 100.100.100.1;
destination 100.100.100.2;
allow-fragmentation;
}
family inet {
mtu 1300;
/* Input filter defined under firewall family inet; it sets packet-mode on everything it matches. */
filter {
input inet-packet-mode;
}
address 10.10.10.10/24;
}
/* MPLS is carried over the tunnel with a smaller MTU (1200) than family inet (1300). */
family mpls {
mtu 1200;
/* Input filter defined under firewall family mpls; it sets packet-mode on everything it matches. */
filter {
input mpls-packet-mode;
}
}
}
/* Tunnel to 100.100.100.3 (the st0.0 address shown in the "SRX3" listing); same settings as unit 0. */
unit 1 {
clear-dont-fragment-bit;
tunnel {
source 100.100.100.1;
destination 100.100.100.3;
allow-fragmentation;
}
family inet {
mtu 1300;
filter {
input inet-packet-mode;
}
address 10.10.10.11/24;
}
family mpls {
mtu 1200;
filter {
input mpls-packet-mode;
}
}
}
}
ge-0/0/1 {
gigether-options {
802.3ad ae0;
}
}
ge-0/0/2 {
unit 0 {
family inet {
address 100.168.1.254/24;
}
}
}
ge-0/0/3 {
unit 0;
}
ge-0/0/4 {
gigether-options {
802.3ad ae0;
}
}
ge-0/0/5 {
gigether-options {
802.3ad ae0;
}
}
ge-0/0/6 {
gigether-options {
802.3ad ae0;
}
}
ge-0/0/7 {
unit 0 {
family inet {
dhcp;
}
}
}
ae0 {
description Switchs;
aggregated-ether-options {
lacp {
active;
}
}
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [ Audio Cameras Computers Doors Guest Phones test4.1 test5.1 vpls-test ];
}
native-vlan-id default;
}
}
}
lo0 {
unit 0 {
family inet {
address 10.0.0.1/32 {
primary;
}
address 127.0.0.1/32;
}
family mpls;
}
}
st0 {
unit 0 {
multipoint;
family inet {
address 100.100.100.1/24;
}
}
}
vlan {
unit 0 {
family inet {
address 10.100.0.1/24;
}
}
unit 1 {
family inet {
address 10.168.1.1/24;
}
}
unit 2 {
family inet {
address 10.168.10.1/24;
}
}
unit 3 {
family inet {
address 10.168.20.1/24;
}
}
unit 4 {
family inet {
address 10.168.30.1/24;
}
}
unit 5 {
family inet {
address 10.168.40.1/24;
}
}
unit 10 {
family inet {
address 10.168.90.1/24;
}
}
unit 11 {
family inet {
address 10.168.4.1/24;
}
}
unit 12 {
family inet {
address 10.168.5.1/24;
}
}
unit 100 {
family inet {
address 100.168.1.1/24 {
vrrp-group 1 {
virtual-address 100.168.1.1;
priority 255;
accept-data;
}
}
}
}
}
}
/*
 * SNMP agent settings for this device.
 * NOTE(review): both communities use the well-known strings "private" and
 * "public", and neither has a clients list, so nothing in this stanza limits
 * which source addresses may query the agent. Whether SNMP is reachable at all
 * depends on the zone host-inbound-traffic settings, which are not part of the
 * posted configuration. Before production use, replace the community strings,
 * add a clients restriction to each community, or move to SNMPv3.
 */
snmp {
name SunshineSRX;
/* View that includes the whole OID tree (.1 and everything below it). */
view jweb-view-all {
oid .1 include;
}
/* Read-write access to the full-tree view: a holder of this string can change device state via SNMP set. */
community private {
view jweb-view-all;
authorization read-write;
}
/* Read-only community; no view is named here. */
community public {
authorization read-only;
}
/* Health monitoring every 300 seconds with 90/80 rising/falling thresholds. */
health-monitor {
interval 300;
rising-threshold 90;
falling-threshold 80;
}
}
forwarding-options {
helpers {
domain {
server 10.168.1.202;
interface {
vlan.1;
vlan.2;
vlan.3;
vlan.4;
vlan.100;
}
}
bootp {
relay-agent-option;
server 10.168.1.202;
server 10.168.2.202;
vpn;
interface {
vlan.1;
vlan.2;
vlan.3;
vlan.4;
vlan.100;
}
}
}
}
routing-options {
static {
route 10.168.11.0/24 next-hop 100.100.100.2;
route 10.168.12.0/24 next-hop 100.100.100.3;
route 10.168.22.0/24 next-hop 100.100.100.3;
route 10.168.32.0/24 next-hop 100.100.100.3;
route 10.168.52.0/24 next-hop 100.100.100.3;
route 10.168.42.0/24 next-hop 100.100.100.3;
route 0.0.0.0/0 next-hop [ x.x.x.x x.x.x.x ];
route 10.0.0.2/32 next-hop gr-0/0/0.0;
route 10.0.0.3/32 next-hop gr-0/0/0.1;
route 10.10.10.20/32 next-hop gr-0/0/0.0;
route 10.10.10.21/32 next-hop gr-0/0/0.0;
route 10.10.10.30/32 next-hop gr-0/0/0.1;
route 10.10.10.31/32 next-hop gr-0/0/0.1;
route 10.168.3.0/24 next-hop 100.100.100.3;
route 10.168.2.0/24 next-hop 100.100.100.2;
}
router-id 10.0.0.1;
autonomous-system 65001;
}
/*
 * Control-plane protocols for the VPLS setup: RSVP-signalled LSPs and an
 * internal BGP session per remote site, all running over the two GRE units.
 */
protocols {
rsvp {
interface gr-0/0/0.0;
interface gr-0/0/0.1;
}
mpls {
/* LSPs are signalled without constrained-path (CSPF) computation. */
no-cspf;
/* LSP endpoints are the GRE unit addresses, not the lo0 addresses. */
label-switched-path mpls1 {
from 10.10.10.10;
to 10.10.10.21;
}
label-switched-path mpls2 {
from 10.10.10.11;
to 10.10.10.31;
}
interface gr-0/0/0.0;
interface gr-0/0/0.1;
interface lo0.0;
}
bgp {
/*
 * IBGP group carrying l2vpn signaling for VPLS. The group sets
 * local-address 10.0.0.1, but each neighbor sets its own local-address
 * (the local GRE unit address), which is the more specific setting.
 * NOTE(review): no authentication-key or other session authentication
 * appears in this group; the sessions presumably rely on the tunnel for
 * protection - confirm that this is intended.
 */
group VPLS {
type internal;
multihop;
local-address 10.0.0.1;
family l2vpn {
signaling;
}
neighbor 10.10.10.21 {
local-address 10.10.10.10;
}
neighbor 10.10.10.31 {
local-address 10.10.10.11;
}
}
}
/*
 * NOTE(review): LLDP and LLDP-MED are enabled on every interface. LLDP
 * advertises device details to whatever is attached, so consider listing only
 * the internal switch-facing interfaces instead of "all"; which interfaces
 * face untrusted networks cannot be told from the posted configuration.
 */
lldp {
interface all;
}
lldp-med {
interface all;
}
igmp-snooping {
vlan all {
version 2;
}
}
}
/*
 * Stateless firewall filters whose only actions are packet-mode and accept.
 * On SRX, packet-mode hands matching traffic to packet-based forwarding
 * instead of the flow module, so stateful security processing (security
 * policies, screens, NAT, ALGs) is not applied to that traffic.
 * NOTE(review): the first term of every filter below has no "from" clause and
 * therefore matches all packets; the ALL-TRAFFIC terms that follow a first
 * term are never evaluated. Confirm that bypassing flow processing for all
 * IPv4 and MPLS traffic arriving on the GRE units is intended, and narrow the
 * match conditions if it is not.
 */
firewall {
family inet {
/* Applied as the input filter on family inet of gr-0/0/0.0 and gr-0/0/0.1. */
filter inet-packet-mode {
term packet-mode {
then {
packet-mode;
accept;
}
}
/* Unreachable: the preceding term already matches everything. */
term ALL-TRAFFIC {
then {
packet-mode;
accept;
}
}
}
}
family mpls {
/* Applied as the input filter on family mpls of gr-0/0/0.0 and gr-0/0/0.1. */
filter mpls-packet-mode {
term packet-mode {
then {
packet-mode;
accept;
}
}
/* Unreachable: the preceding term already matches everything. */
term ALL-TRAFFIC {
then {
packet-mode;
accept;
}
}
}
}
family ccc {
/* Neither ccc filter is referenced by any interface in the configuration as posted. */
filter ccc-packet-mode {
term all {
then {
packet-mode;
accept;
}
}
}
filter l2circuit-packet-mode {
term ALL-TRAFFIC {
then {
packet-mode;
accept;
}
}
}
}
}
/*
 * VPLS routing instance for this site. The CE-facing interface is ge-0/0/0.0,
 * which is configured with encapsulation ethernet-vpls and family vpls in the
 * interfaces stanza. The instance cannot come up unless that logical unit
 * actually exists on the device.
 */
routing-instances {
VPLS {
instance-type vpls;
interface ge-0/0/0.0;
/* The route distinguisher is unique per device; the vrf-target is the same value on all three devices shown. */
route-distinguisher 10.10.10.10:100;
vrf-target target:65001:100;
protocols {
vpls {
/* Use label-switched interfaces (LSI) instead of a tunnel-services interface. */
no-tunnel-services;
site Sunshine {
site-identifier 1;
interface ge-0/0/0.0;
}
}
}
}
}
schedulers {
scheduler Open-Hours {
monday {
start-time 06:00:00 stop-time 18:00:00;
}
tuesday {
start-time 06:00:00 stop-time 18:00:00;
}
wednesday {
start-time 06:00:00 stop-time 18:00:00;
}
thursday {
start-time 06:00:00 stop-time 18:00:00;
}
friday {
start-time 06:00:00 stop-time 18:00:00;
}
}
}
vlans {
Audio {
description Audio;
vlan-id 5;
l3-interface vlan.4;
}
Cameras {
description Cameras;
vlan-id 4;
l3-interface vlan.3;
}
Computers {
description Computers;
vlan-id 2;
l3-interface vlan.1;
}
Doors {
description Doors;
vlan-id 6;
l3-interface vlan.5;
}
Guest {
description Guest;
vlan-id 10;
l3-interface vlan.10;
}
Phones {
description Phones;
vlan-id 3;
l3-interface vlan.2;
}
default {
description default;
vlan-id 1;
l3-interface vlan.0;
}
test4.1 {
vlan-id 7;
l3-interface vlan.11;
}
test5.1 {
vlan-id 8;
l3-interface vlan.12;
}
vpls-test {
vlan-id 100;
l3-interface vlan.100;
}
}

 

 

srx 2

 

 

interfaces {
traceoptions {
file interface;
}
ge-0/0/0 {
unit 0 {
family inet {
dhcp;
}
}
}
gr-0/0/0 {
unit 0 {
clear-dont-fragment-bit;
tunnel {
source 100.100.100.2;
destination 100.100.100.3;
allow-fragmentation;
}
family inet {
mtu 1300;
filter {
input inet-packet-mode;
}
address 10.10.10.20/24;
}
family mpls {
mtu 1200;
filter {
input mpls-packet-mode;
}
}
}
unit 1 {
clear-dont-fragment-bit;
tunnel {
source 100.100.100.2;
destination 100.100.100.1;
allow-fragmentation;
}
family inet {
mtu 1300;
filter {
input inet-packet-mode;
}
address 10.10.10.21/24;
}
family mpls {
mtu 1200;
filter {
input mpls-packet-mode;
}
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [ Audio Computers default vpls-test ];
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members Audio;
}
}
}
}
ge-0/0/3 {
traceoptions {
flag all;
}
encapsulation ethernet-vpls;
unit 0 {
family vpls;
}
}
ge-0/0/4 {
flexible-vlan-tagging;
unit 0 {
vlan-id 100;
family inet {
address 100.168.1.253/24;
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
port-mode access;
}
}
}
ge-0/0/7 {
unit 0;
}
lo0 {
unit 0 {
family inet {
address 10.0.0.2/32 {
primary;
}
address 127.0.0.1/32;
}
family mpls;
}
}
st0 {
unit 0 {
multipoint;
family inet {
address 100.100.100.2/24;
}
}
}
vlan {
unit 0 {
family inet {
address 10.100.0.1/24;
}
}
unit 1 {
family inet {
address 10.168.2.1/24;
}
}
unit 2 {
family inet {
address 10.168.11.1/24;
}
}
unit 100 {
family inet {
address 100.168.1.2/24 {
vrrp-group 1 {
virtual-address 100.168.1.1;
priority 254;
accept-data;
}
}
}
}
}
}
forwarding-options {
helpers {
domain {
server 10.168.2.202;
interface {
vlan.1;
vlan.2;
vlan.3;
vlan.4;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop [ x.x.x.x x.x.x.x ];
route 10.168.1.0/24 next-hop 100.100.100.1;
route 10.168.20.0/24 next-hop 100.100.100.1;
route 10.168.30.0/24 next-hop 100.100.100.1;
route 10.168.10.0/24 next-hop 100.100.100.1;
route 10.168.50.0/24 next-hop 100.100.100.1;
route 10.168.40.0/24 next-hop 100.100.100.1;
route 10.168.3.0/24 next-hop 100.100.100.3;
route 10.168.22.0/24 next-hop 100.100.100.3;
route 10.168.12.0/24 next-hop 100.100.100.3;
route 10.168.32.0/24 next-hop 100.100.100.3;
route 10.168.42.0/24 next-hop 100.100.100.3;
route 10.168.52.0/24 next-hop 100.100.100.3;
route 10.10.10.30/32 next-hop gr-0/0/0.0;
route 10.10.10.31/32 next-hop gr-0/0/0.0;
route 10.10.10.10/32 next-hop gr-0/0/0.1;
route 10.10.10.11/32 next-hop gr-0/0/0.1;
route 10.0.0.1/32 next-hop gr-0/0/0.1;
route 10.0.0.3/32 next-hop gr-0/0/0.0;
}
router-id 10.0.0.2;
autonomous-system 65001;
}
/*
 * Control-plane protocols for the VPLS setup on this device, with tracing
 * enabled on RSVP, MPLS and BGP.
 * NOTE(review): all three traceoptions blocks use "flag all" and specify no
 * size or file-count limits. That is reasonable while troubleshooting, but the
 * trace files record protocol detail such as peer addresses and session
 * events, so remove or narrow the tracing once the problem is resolved.
 */
protocols {
rsvp {
traceoptions {
file rsvp;
flag all;
}
interface gr-0/0/0.0;
interface gr-0/0/0.1;
}
mpls {
traceoptions {
file mpls;
flag all;
}
/* LSPs are signalled without constrained-path (CSPF) computation. */
no-cspf;
/* LSP endpoints are the GRE unit addresses, not the lo0 addresses. */
label-switched-path mpls1 {
from 10.10.10.21;
to 10.10.10.10;
}
label-switched-path mpls3 {
from 10.10.10.20;
to 10.10.10.30;
}
interface gr-0/0/0.0;
interface gr-0/0/0.1;
interface lo0.0;
}
bgp {
traceoptions {
file bgp;
flag all;
}
/*
 * IBGP group carrying l2vpn signaling for VPLS; each neighbor sets its own
 * local-address, which is more specific than the group-level value.
 * NOTE(review): no authentication-key or other session authentication
 * appears in this group; the sessions presumably rely on the tunnel for
 * protection - confirm that this is intended.
 */
group VPLS {
type internal;
multihop;
local-address 10.0.0.2;
family l2vpn {
signaling;
}
neighbor 10.10.10.30 {
local-address 10.10.10.20;
}
neighbor 10.10.10.10 {
local-address 10.10.10.21;
}
}
}
/*
 * NOTE(review): LLDP and LLDP-MED are enabled on every interface. LLDP
 * advertises device details to whatever is attached, so consider listing only
 * the internal switch-facing interfaces instead of "all"; which interfaces
 * face untrusted networks cannot be told from the posted configuration.
 */
lldp {
interface all;
}
lldp-med {
interface all;
}
igmp-snooping {
vlan all {
version 2;
}
}
}
/*
 * Stateless firewall filters whose only actions are packet-mode and accept.
 * On SRX, packet-mode hands matching traffic to packet-based forwarding
 * instead of the flow module, so stateful security processing (security
 * policies, screens, NAT, ALGs) is not applied to that traffic.
 * NOTE(review): the first term of every filter below has no "from" clause and
 * therefore matches all packets; the ALL-TRAFFIC terms that follow a first
 * term are never evaluated. Confirm that bypassing flow processing for all
 * IPv4 and MPLS traffic arriving on the GRE units is intended, and narrow the
 * match conditions if it is not.
 */
firewall {
family inet {
/* Applied as the input filter on family inet of gr-0/0/0.0 and gr-0/0/0.1. */
filter inet-packet-mode {
term packet-mode {
then {
packet-mode;
accept;
}
}
/* Unreachable: the preceding term already matches everything. */
term ALL-TRAFFIC {
then {
packet-mode;
accept;
}
}
}
}
family mpls {
/* Applied as the input filter on family mpls of gr-0/0/0.0 and gr-0/0/0.1. */
filter mpls-packet-mode {
term packet-mode {
then {
packet-mode;
accept;
}
}
/* Unreachable: the preceding term already matches everything. */
term ALL-TRAFFIC {
then {
packet-mode;
accept;
}
}
}
}
family ccc {
/* Neither ccc filter is referenced by any interface in the configuration as posted. */
filter ccc-packet-mode {
term all {
then {
packet-mode;
accept;
}
}
}
filter l2circuit-packet-mode {
term ALL-TRAFFIC {
then {
packet-mode;
accept;
}
}
}
}
}
/*
 * VPLS routing instance for this site. The CE-facing interface is ge-0/0/3.0,
 * which is configured with encapsulation ethernet-vpls and family vpls in the
 * interfaces stanza.
 */
routing-instances {
VPLS {
instance-type vpls;
interface ge-0/0/3.0;
/* The route distinguisher is unique per device; the vrf-target is the same value on all three devices shown. */
route-distinguisher 10.10.10.20:100;
vrf-target target:65001:100;
protocols {
vpls {
/*
 * NOTE(review): world-readable lets every user on the device read the
 * trace file, and "flag all" records every VPLS event. Keep this only
 * while troubleshooting; afterwards delete the traceoptions or switch
 * the file to no-world-readable.
 */
traceoptions {
file vpls world-readable;
flag all;
}
interface ge-0/0/3.0;
/* Use label-switched interfaces (LSI) instead of a tunnel-services interface. */
no-tunnel-services;
site Schreiner {
site-identifier 2;
interface ge-0/0/3.0;
}
}
}
}
}
vlans {
Audio {
vlan-id 3;
l3-interface vlan.2;
}
Computers {
vlan-id 2;
l3-interface vlan.1;
}
default {
vlan-id 1;
l3-interface vlan.0;
}
vpls-test {
vlan-id 100;
l3-interface vlan.100;
}
}

 

SRX3

 

interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address x.x.x.x/24;
}
}
}
gr-0/0/0 {
unit 0 {
clear-dont-fragment-bit;
tunnel {
source 100.100.100.3;
destination 100.100.100.2;
allow-fragmentation;
}
family inet {
mtu 1300;
filter {
input inet-packet-mode;
}
address 10.10.10.30/24;
}
family mpls {
mtu 1200;
filter {
input mpls-packet-mode;
}
}
}
unit 1 {
clear-dont-fragment-bit;
tunnel {
source 100.100.100.3;
destination 100.100.100.1;
allow-fragmentation;
}
family inet {
mtu 1300;
filter {
input inet-packet-mode;
}
address 10.10.10.31/24;
}
family mpls {
mtu 1200;
filter {
input mpls-packet-mode;
}
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/2 {
unit 0 {
}
}
ge-0/0/3 {
encapsulation ethernet-vpls;
unit 0 {
family vpls;
}
}
ge-0/0/4 {
unit 0 {
family inet {
address 100.168.1.252/24;
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members Cameras;
}
}
}
}
ge-0/0/6 {
gigether-options {
802.3ad ae0;
}
}
ge-0/0/7 {
gigether-options {
802.3ad ae0;
}
}
ae0 {
description Switchs;
aggregated-ether-options {
lacp {
active;
}
}
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [ Audio Cameras Computers Guest Phones Security vpls-test ];
}
native-vlan-id default;
}
}
}
lo0 {
unit 0 {
family inet {
address 10.0.0.3/32 {
primary;
}
address 127.0.0.1/32;
}
family mpls;
}
}
st0 {
unit 0 {
multipoint;
family inet {
address 100.100.100.3/24;
}
}
}
vlan {
unit 0 {
family inet {
address 10.30.0.1/24;
}
}
unit 1 {
family inet {
address 10.168.3.1/24;
}
}
unit 2 {
family inet {
address 10.168.12.1/24;
}
}
unit 3 {
family inet {
address 10.168.22.1/24;
}
}
unit 4 {
family inet {
address 10.168.32.1/24;
}
}
unit 5 {
family inet {
address 10.168.42.1/24;
}
}
unit 9 {
family inet {
address 10.168.92.1/24;
}
}
unit 100 {
family inet {
address 100.168.1.3/24 {
vrrp-group 1 {
virtual-address 100.168.1.1;
priority 253;
accept-data;
}
}
}
}
}
}
forwarding-options {
helpers {
domain {
server 10.168.3.202;
interface {
vlan.1;
vlan.2;
vlan.3;
vlan.4;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop [ x.x.x.x x.x.x.x ];
route 10.168.1.0/24 next-hop 100.100.100.1;
route 10.168.2.0/24 next-hop 100.100.100.2;
route 10.168.11.0/24 next-hop 100.100.100.2;
route 10.168.10.0/24 next-hop 100.100.100.1;
route 10.168.20.0/24 next-hop 100.100.100.1;
route 10.168.30.0/24 next-hop 100.100.100.1;
route 10.168.40.0/24 next-hop 100.100.100.1;
route 10.168.50.0/24 next-hop 100.100.100.1;
route 10.10.10.11/32 next-hop gr-0/0/0.1;
route 10.10.10.20/32 next-hop gr-0/0/0.0;
route 10.0.0.1/32 next-hop gr-0/0/0.1;
route 10.0.0.2/32 next-hop gr-0/0/0.0;
}
router-id 10.0.0.3;
autonomous-system 65001;
}
protocols {
rsvp {
interface gr-0/0/0.0;
interface gr-0/0/0.1;
}
mpls {
no-cspf;
label-switched-path mpls1 {
from 10.10.10.31;
to 10.10.10.11;
}
label-switched-path mpls3 {
from 10.10.10.30;
to 10.10.10.20;
}
interface gr-0/0/0.0;
interface gr-0/0/0.1;
interface lo0.0;
}
bgp {
group VPLS {
type internal;
multihop;
local-address 10.0.0.3;
family l2vpn {
signaling;
}
neighbor 10.10.10.11 {
local-address 10.10.10.31;
}
neighbor 10.10.10.20 {
local-address 10.10.10.30;
}
}
}
lldp {
interface all;
}
lldp-med {
interface all;
}
igmp-snooping {
vlan all {
version 2;
}
}
}
/*
 * Stateless firewall filters whose only actions are packet-mode and accept.
 * On SRX, packet-mode hands matching traffic to packet-based forwarding
 * instead of the flow module, so stateful security processing (security
 * policies, screens, NAT, ALGs) is not applied to that traffic.
 * NOTE(review): the first term of every filter below has no "from" clause and
 * therefore matches all packets; the ALL-TRAFFIC terms that follow a first
 * term are never evaluated. Confirm that bypassing flow processing for all
 * IPv4 and MPLS traffic arriving on the GRE units is intended, and narrow the
 * match conditions if it is not.
 */
firewall {
family inet {
/* Applied as the input filter on family inet of gr-0/0/0.0 and gr-0/0/0.1. */
filter inet-packet-mode {
term packet-mode {
then {
packet-mode;
accept;
}
}
/* Unreachable: the preceding term already matches everything. */
term ALL-TRAFFIC {
then {
packet-mode;
accept;
}
}
}
}
family mpls {
/* Applied as the input filter on family mpls of gr-0/0/0.0 and gr-0/0/0.1. */
filter mpls-packet-mode {
term packet-mode {
then {
packet-mode;
accept;
}
}
/* Unreachable: the preceding term already matches everything. */
term ALL-TRAFFIC {
then {
packet-mode;
accept;
}
}
}
}
family ccc {
/* Neither ccc filter is referenced by any interface in the configuration as posted. */
filter ccc-packet-mode {
term all {
then {
packet-mode;
accept;
}
}
}
filter l2circuit-packet-mode {
term ALL-TRAFFIC {
then {
packet-mode;
accept;
}
}
}
}
}
/*
 * VPLS routing instance for this site. The CE-facing interface is ge-0/0/3.0,
 * which is configured with encapsulation ethernet-vpls and family vpls in the
 * interfaces stanza.
 */
routing-instances {
VPLS {
instance-type vpls;
interface ge-0/0/3.0;
/* The route distinguisher is unique per device; the vrf-target is the same value on all three devices shown. */
route-distinguisher 10.10.10.30:100;
vrf-target target:65001:100;
protocols {
vpls {
/* Use label-switched interfaces (LSI) instead of a tunnel-services interface. */
no-tunnel-services;
site After {
site-identifier 3;
interface ge-0/0/3.0;
}
}
}
}
}
vlans {
Audio {
description Audio;
vlan-id 5;
l3-interface vlan.4;
}
Cameras {
description Cameras;
vlan-id 4;
l3-interface vlan.3;
}
Computers {
vlan-id 2;
l3-interface vlan.1;
}
Guest {
description Guest;
vlan-id 10;
l3-interface vlan.9;
}
Phones {
description Phones;
vlan-id 3;
l3-interface vlan.2;
}
Security {
description Security;
vlan-id 6;
l3-interface vlan.5;
}
default {
description Computers;
vlan-id 1;
l3-interface vlan.0;
}
vpls-test {
vlan-id 100;
l3-interface vlan.100;
}
}

 

9 REPLIES 9

Re: vpls over gre over ipsec

‎02-09-2020 12:32 AM
"Local interface down" normally means the interface configured under the VPLS instance is down. Can you make sure the VPLS interfaces are up? Please also share the "show vpls connections" output.
Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Re: vpls over gre over ipsec

[ Edited ]
‎02-09-2020 08:46 AM

According to the "show interfaces terse" output, it looks like the interfaces are missing their logical unit. Compared with the Junos documentation for the CE-facing interface, everything looks correct. I have included the terse and VPLS connections output as attachments.

 

ge-0/0/3 {
encapsulation ethernet-vpls;
unit 0 {
family vpls;
}
}

 

Thanks.

Greg

Attachments


Re: vpls over gre over ipsec

‎02-09-2020 10:34 AM

Your observation is correct: ge-0/0/3.0 has not been created, which results in the LD state in the VPLS connection.

Can you please delete the configuration on ge-0/0/3 and re-apply it? If that doesn't help, you can also try "commit full", which re-parses the whole configuration.

PS: Please mark my response as the solution if it answers your query. Kudos are appreciated too!

Thanks
Vishal


Re: vpls over gre over ipsec

[ Edited ]
‎02-09-2020 10:53 AM

OK, I rebuilt interface 3 and am still getting the same results. I also set interface 7 up for VPLS and received the same results. All three SRXs show the same result.

thanks.

greg


Re: vpls over gre over ipsec

‎02-10-2020 06:34 AM

After trying VLAN encapsulation I do get a logical interface, but not with Ethernet encapsulation. Any ideas?

Thanks.

Greg


Re: vpls over gre over ipsec

‎02-10-2020 07:27 AM

As per the doc it should support ethernet-vpls

https://www.juniper.net/documentation/en_US/junos/topics/concept/vpls-security-overview.html

 

VPLS Exceptions on SRX Series Devices:

SRX Series devices support only the following encapsulation types on VPLS interfaces that face CE devices: extended VLAN VPLS, Ethernet VPLS, and VLAN VPLS. Ethernet VPLS over ATM LLC encapsulation is not supported.

Do you see any errors in the log when committing the ethernet-vpls config?

Thanks

Vishal


Re: vpls over gre over ipsec

‎02-10-2020 07:29 AM

No errors; everything commits as it should.

thanks.

greg


Re: vpls over gre over ipsec

[ Edited ]
‎02-10-2020 10:57 AM

Update: if I configure the CE-facing VPLS interface with vlan-vpls or extended-vlan-vpls, I do not get the logical unit either. I do get a ge-0/0/0.32768, but not the .600 unit I configured. It looks like lt interfaces don't work either. Is there any way to use the VLAN as the CE interface?

thanks.

greg

SRX version: 12.3X48-D95.2


Re: vpls over gre over ipsec

‎02-12-2020 03:06 PM

Does anyone have any ideas? I am guessing this is a bug in the firmware that seems to affect only VPLS-encapsulated ports.

Thanks.

Greg
