SRX Services Gateway

vpls over gre over ipsec

3 weeks ago

Hello.

 

I have three SRX220H2 devices and I am trying to set up VPLS over GRE over IPsec. I have been able to set up the GRE tunnels between all sites. RSVP and MPLS are both up, but I have been unable to get VPLS running. I keep getting errors that the local interface is down. Any help would be appreciated.

 

Thanks.

 

srx1

 

interfaces {
ge-0/0/0 {
encapsulation ethernet-vpls;
unit 0 {
family vpls;
}
}
/* GRE tunnel interface with one logical unit per remote site. The tunnel
   source 100.100.100.1 is the address configured on st0.0 in this same
   configuration, so the GRE endpoints sit on the st0 (secure tunnel)
   subnet. The IKE/IPsec stanza itself is not part of the posted
   configuration. */
gr-0/0/0 {
/* Unit 0: GRE tunnel towards 100.100.100.2. */
unit 0 {
/* clear-dont-fragment-bit and allow-fragmentation (below) let the
   GRE-encapsulated packets be fragmented instead of dropped when they
   exceed the path MTU. */
clear-dont-fragment-bit;
tunnel {
source 100.100.100.1;
destination 100.100.100.2;
allow-fragmentation;
}
family inet {
mtu 1300;
/* inet-packet-mode (defined under firewall) applies the packet-mode action
   to every packet. IPv4 traffic arriving on this unit is therefore
   forwarded statelessly and does not go through flow-based processing,
   which is where security policies are enforced. */
filter {
input inet-packet-mode;
}
address 10.10.10.10/24;
}
family mpls {
mtu 1200;
/* Same packet-mode treatment for MPLS traffic received on this unit. */
filter {
input mpls-packet-mode;
}
}
}
/* Unit 1: GRE tunnel towards 100.100.100.3; same settings as unit 0. */
unit 1 {
clear-dont-fragment-bit;
tunnel {
source 100.100.100.1;
destination 100.100.100.3;
allow-fragmentation;
}
family inet {
mtu 1300;
filter {
input inet-packet-mode;
}
address 10.10.10.11/24;
}
family mpls {
mtu 1200;
filter {
input mpls-packet-mode;
}
}
}
}
ge-0/0/1 {
gigether-options {
802.3ad ae0;
}
}
ge-0/0/2 {
unit 0 {
family inet {
address 100.168.1.254/24;
}
}
}
ge-0/0/3 {
unit 0;
}
ge-0/0/4 {
gigether-options {
802.3ad ae0;
}
}
ge-0/0/5 {
gigether-options {
802.3ad ae0;
}
}
ge-0/0/6 {
gigether-options {
802.3ad ae0;
}
}
ge-0/0/7 {
unit 0 {
family inet {
dhcp;
}
}
}
ae0 {
description Switchs;
aggregated-ether-options {
lacp {
active;
}
}
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [ Audio Cameras Computers Doors Guest Phones test4.1 test5.1 vpls-test ];
}
native-vlan-id default;
}
}
}
lo0 {
unit 0 {
family inet {
address 10.0.0.1/32 {
primary;
}
address 127.0.0.1/32;
}
family mpls;
}
}
st0 {
unit 0 {
multipoint;
family inet {
address 100.100.100.1/24;
}
}
}
vlan {
unit 0 {
family inet {
address 10.100.0.1/24;
}
}
unit 1 {
family inet {
address 10.168.1.1/24;
}
}
unit 2 {
family inet {
address 10.168.10.1/24;
}
}
unit 3 {
family inet {
address 10.168.20.1/24;
}
}
unit 4 {
family inet {
address 10.168.30.1/24;
}
}
unit 5 {
family inet {
address 10.168.40.1/24;
}
}
unit 10 {
family inet {
address 10.168.90.1/24;
}
}
unit 11 {
family inet {
address 10.168.4.1/24;
}
}
unit 12 {
family inet {
address 10.168.5.1/24;
}
}
unit 100 {
family inet {
address 100.168.1.1/24 {
vrrp-group 1 {
virtual-address 100.168.1.1;
priority 255;
accept-data;
}
}
}
}
}
}
/* SNMP agent settings as posted. Both communities use well-known default
   names and neither has a clients list, so nothing in this stanza restricts
   which source addresses may query the agent. Whether SNMP is reachable
   from untrusted zones depends on the security-zone host-inbound-traffic
   settings, which are not part of the posted configuration. */
snmp {
name SunshineSRX;
/* View that includes the whole OID tree (.1). */
view jweb-view-all {
oid .1 include;
}
/* Read-write community bound to the full-tree view: any host that can
   reach the agent and knows this string can issue SNMP set requests.
   Prefer SNMPv3, or at minimum a non-default string that is read-only and
   limited to the management hosts with a clients list. */
community private {
view jweb-view-all;
authorization read-write;
}
/* Read-only community with the default name; no view or clients
   restriction is configured for it in this stanza. */
community public {
authorization read-only;
}
/* Health monitoring with a 300-second interval and 90/80 rising/falling
   thresholds. */
health-monitor {
interval 300;
rising-threshold 90;
falling-threshold 80;
}
}
forwarding-options {
helpers {
domain {
server 10.168.1.202;
interface {
vlan.1;
vlan.2;
vlan.3;
vlan.4;
vlan.100;
}
}
bootp {
relay-agent-option;
server 10.168.1.202;
server 10.168.2.202;
vpn;
interface {
vlan.1;
vlan.2;
vlan.3;
vlan.4;
vlan.100;
}
}
}
}
routing-options {
static {
route 10.168.11.0/24 next-hop 100.100.100.2;
route 10.168.12.0/24 next-hop 100.100.100.3;
route 10.168.22.0/24 next-hop 100.100.100.3;
route 10.168.32.0/24 next-hop 100.100.100.3;
route 10.168.52.0/24 next-hop 100.100.100.3;
route 10.168.42.0/24 next-hop 100.100.100.3;
route 0.0.0.0/0 next-hop [ x.x.x.x x.x.x.x ];
route 10.0.0.2/32 next-hop gr-0/0/0.0;
route 10.0.0.3/32 next-hop gr-0/0/0.1;
route 10.10.10.20/32 next-hop gr-0/0/0.0;
route 10.10.10.21/32 next-hop gr-0/0/0.0;
route 10.10.10.30/32 next-hop gr-0/0/0.1;
route 10.10.10.31/32 next-hop gr-0/0/0.1;
route 10.168.3.0/24 next-hop 100.100.100.3;
route 10.168.2.0/24 next-hop 100.100.100.2;
}
router-id 10.0.0.1;
autonomous-system 65001;
}
/* Control-plane protocols for srx1: RSVP-signalled MPLS LSPs over the two
   GRE units, internal BGP carrying L2VPN (VPLS) signalling, plus LLDP and
   IGMP snooping for the switching side. */
protocols {
rsvp {
interface gr-0/0/0.0;
interface gr-0/0/0.1;
}
mpls {
/* no-cspf: the LSPs are set up without constrained-path computation. */
no-cspf;
/* Each LSP runs between GRE unit addresses (from the local gr unit address
   to the remote one), not between the lo0 addresses. */
label-switched-path mpls1 {
from 10.10.10.10;
to 10.10.10.21;
}
label-switched-path mpls2 {
from 10.10.10.11;
to 10.10.10.31;
}
interface gr-0/0/0.0;
interface gr-0/0/0.1;
interface lo0.0;
}
bgp {
/* Internal group used only for family l2vpn signaling. The group-level
   local-address 10.0.0.1 is overridden for each neighbor by the local GRE
   unit address. No authentication-key is configured for this group in the
   posted text; if the peers should be authenticated independently of the
   tunnel, add one on all three devices. */
group VPLS {
type internal;
multihop;
local-address 10.0.0.1;
family l2vpn {
signaling;
}
neighbor 10.10.10.21 {
local-address 10.10.10.10;
}
neighbor 10.10.10.31 {
local-address 10.10.10.11;
}
}
}
/* LLDP and LLDP-MED are enabled on every interface. NOTE(review): that
   includes any port facing a network outside your control (ge-0/0/7 takes
   its address from DHCP and is presumably an uplink; confirm), where the
   advertisements disclose device details. Consider listing only the
   internal ports. */
lldp {
interface all;
}
lldp-med {
interface all;
}
igmp-snooping {
vlan all {
version 2;
}
}
}
/* Stateless firewall filters whose only purpose is to apply the
   packet-mode action. Packets handled in packet mode are forwarded without
   flow-based processing, so security policies are not evaluated for them.
   In this configuration inet-packet-mode and mpls-packet-mode are applied
   as input filters on both gr-0/0/0 units. */
firewall {
family inet {
filter inet-packet-mode {
/* No from clause: this term matches every packet and accepts it, so the
   ALL-TRAFFIC term below is never evaluated. All IPv4 traffic received on
   an interface using this filter is handled in packet mode. To keep
   stateful inspection for user traffic, add a from clause so that only
   the traffic that needs packet mode matches. */
term packet-mode {
then {
packet-mode;
accept;
}
}
term ALL-TRAFFIC {
then {
packet-mode;
accept;
}
}
}
}
family mpls {
filter mpls-packet-mode {
/* Same structure as the inet filter: the first term matches everything. */
term packet-mode {
then {
packet-mode;
accept;
}
}
term ALL-TRAFFIC {
then {
packet-mode;
accept;
}
}
}
}
family ccc {
/* Both ccc filters are defined here but are not referenced by any
   interface in the posted configuration. */
filter ccc-packet-mode {
term all {
then {
packet-mode;
accept;
}
}
}
filter l2circuit-packet-mode {
term ALL-TRAFFIC {
then {
packet-mode;
accept;
}
}
}
}
}
/* BGP-signalled VPLS instance for srx1. */
routing-instances {
VPLS {
instance-type vpls;
/* CE-facing logical interface. It is defined under interfaces with
   encapsulation ethernet-vpls and family vpls; the thread reports that
   the logical unit is not being created on the devices, which is what
   produces the "local interface is down" state. */
interface ge-0/0/0.0;
route-distinguisher 10.10.10.10:100;
/* The same vrf-target is used in all three posted configurations. */
vrf-target target:65001:100;
protocols {
vpls {
/* no-tunnel-services: use a label-switched interface instead of a tunnel
   (vt) interface for this instance. */
no-tunnel-services;
/* Site identifier 1; the other two posted configurations use 2 and 3. */
site Sunshine {
site-identifier 1;
interface ge-0/0/0.0;
}
}
}
}
}
schedulers {
scheduler Open-Hours {
monday {
start-time 06:00:00 stop-time 18:00:00;
}
tuesday {
start-time 06:00:00 stop-time 18:00:00;
}
wednesday {
start-time 06:00:00 stop-time 18:00:00;
}
thursday {
start-time 06:00:00 stop-time 18:00:00;
}
friday {
start-time 06:00:00 stop-time 18:00:00;
}
}
}
vlans {
Audio {
description Audio;
vlan-id 5;
l3-interface vlan.4;
}
Cameras {
description Cameras;
vlan-id 4;
l3-interface vlan.3;
}
Computers {
description Computers;
vlan-id 2;
l3-interface vlan.1;
}
Doors {
description Doors;
vlan-id 6;
l3-interface vlan.5;
}
Guest {
description Guest;
vlan-id 10;
l3-interface vlan.10;
}
Phones {
description Phones;
vlan-id 3;
l3-interface vlan.2;
}
default {
description default;
vlan-id 1;
l3-interface vlan.0;
}
test4.1 {
vlan-id 7;
l3-interface vlan.11;
}
test5.1 {
vlan-id 8;
l3-interface vlan.12;
}
vpls-test {
vlan-id 100;
l3-interface vlan.100;
}
}

 

 

srx 2

 

 

interfaces {
traceoptions {
file interface;
}
ge-0/0/0 {
unit 0 {
family inet {
dhcp;
}
}
}
gr-0/0/0 {
unit 0 {
clear-dont-fragment-bit;
tunnel {
source 100.100.100.2;
destination 100.100.100.3;
allow-fragmentation;
}
family inet {
mtu 1300;
filter {
input inet-packet-mode;
}
address 10.10.10.20/24;
}
family mpls {
mtu 1200;
filter {
input mpls-packet-mode;
}
}
}
unit 1 {
clear-dont-fragment-bit;
tunnel {
source 100.100.100.2;
destination 100.100.100.1;
allow-fragmentation;
}
family inet {
mtu 1300;
filter {
input inet-packet-mode;
}
address 10.10.10.21/24;
}
family mpls {
mtu 1200;
filter {
input mpls-packet-mode;
}
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [ Audio Computers default vpls-test ];
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members Audio;
}
}
}
}
ge-0/0/3 {
traceoptions {
flag all;
}
encapsulation ethernet-vpls;
unit 0 {
family vpls;
}
}
ge-0/0/4 {
flexible-vlan-tagging;
unit 0 {
vlan-id 100;
family inet {
address 100.168.1.253/24;
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
port-mode access;
}
}
}
ge-0/0/7 {
unit 0;
}
lo0 {
unit 0 {
family inet {
address 10.0.0.2/32 {
primary;
}
address 127.0.0.1/32;
}
family mpls;
}
}
st0 {
unit 0 {
multipoint;
family inet {
address 100.100.100.2/24;
}
}
}
vlan {
unit 0 {
family inet {
address 10.100.0.1/24;
}
}
unit 1 {
family inet {
address 10.168.2.1/24;
}
}
unit 2 {
family inet {
address 10.168.11.1/24;
}
}
unit 100 {
family inet {
address 100.168.1.2/24 {
vrrp-group 1 {
virtual-address 100.168.1.1;
priority 254;
accept-data;
}
}
}
}
}
}
forwarding-options {
helpers {
domain {
server 10.168.2.202;
interface {
vlan.1;
vlan.2;
vlan.3;
vlan.4;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop [ x.x.x.x x.x.x.x ];
route 10.168.1.0/24 next-hop 100.100.100.1;
route 10.168.20.0/24 next-hop 100.100.100.1;
route 10.168.30.0/24 next-hop 100.100.100.1;
route 10.168.10.0/24 next-hop 100.100.100.1;
route 10.168.50.0/24 next-hop 100.100.100.1;
route 10.168.40.0/24 next-hop 100.100.100.1;
route 10.168.3.0/24 next-hop 100.100.100.3;
route 10.168.22.0/24 next-hop 100.100.100.3;
route 10.168.12.0/24 next-hop 100.100.100.3;
route 10.168.32.0/24 next-hop 100.100.100.3;
route 10.168.42.0/24 next-hop 100.100.100.3;
route 10.168.52.0/24 next-hop 100.100.100.3;
route 10.10.10.30/32 next-hop gr-0/0/0.0;
route 10.10.10.31/32 next-hop gr-0/0/0.0;
route 10.10.10.10/32 next-hop gr-0/0/0.1;
route 10.10.10.11/32 next-hop gr-0/0/0.1;
route 10.0.0.1/32 next-hop gr-0/0/0.1;
route 10.0.0.3/32 next-hop gr-0/0/0.0;
}
router-id 10.0.0.2;
autonomous-system 65001;
}
/* Control-plane protocols for srx2. Same layout as the other two devices,
   with traceoptions added under rsvp, mpls and bgp for troubleshooting. */
protocols {
rsvp {
/* flag all logs every RSVP trace event to the file "rsvp". This is a
   debugging aid: it is verbose and should be removed once the problem is
   resolved. */
traceoptions {
file rsvp;
flag all;
}
interface gr-0/0/0.0;
interface gr-0/0/0.1;
}
mpls {
/* Full MPLS tracing to the file "mpls"; same caveat as above. */
traceoptions {
file mpls;
flag all;
}
no-cspf;
/* LSPs run between GRE unit addresses, not between lo0 addresses. */
label-switched-path mpls1 {
from 10.10.10.21;
to 10.10.10.10;
}
label-switched-path mpls3 {
from 10.10.10.20;
to 10.10.10.30;
}
interface gr-0/0/0.0;
interface gr-0/0/0.1;
interface lo0.0;
}
bgp {
/* Full BGP tracing to the file "bgp"; same caveat as above. */
traceoptions {
file bgp;
flag all;
}
/* Internal group used only for family l2vpn signaling. The group-level
   local-address 10.0.0.2 is overridden for each neighbor by the local GRE
   unit address. No authentication-key is configured for this group in the
   posted text. */
group VPLS {
type internal;
multihop;
local-address 10.0.0.2;
family l2vpn {
signaling;
}
neighbor 10.10.10.30 {
local-address 10.10.10.20;
}
neighbor 10.10.10.10 {
local-address 10.10.10.21;
}
}
}
/* LLDP and LLDP-MED are enabled on every interface. NOTE(review): confirm
   that no port faces a network outside your control, since the
   advertisements disclose device details. */
lldp {
interface all;
}
lldp-med {
interface all;
}
igmp-snooping {
vlan all {
version 2;
}
}
}
/* Stateless firewall filters whose only purpose is to apply the
   packet-mode action. Packets handled in packet mode are forwarded without
   flow-based processing, so security policies are not evaluated for them.
   In this configuration inet-packet-mode and mpls-packet-mode are applied
   as input filters on both gr-0/0/0 units. */
firewall {
family inet {
filter inet-packet-mode {
/* No from clause: this term matches every packet and accepts it, so the
   ALL-TRAFFIC term below is never evaluated. Add a from clause if only
   part of the traffic should bypass stateful inspection. */
term packet-mode {
then {
packet-mode;
accept;
}
}
term ALL-TRAFFIC {
then {
packet-mode;
accept;
}
}
}
}
family mpls {
filter mpls-packet-mode {
/* Same structure as the inet filter: the first term matches everything. */
term packet-mode {
then {
packet-mode;
accept;
}
}
term ALL-TRAFFIC {
then {
packet-mode;
accept;
}
}
}
}
family ccc {
/* Both ccc filters are defined here but are not referenced by any
   interface in the posted configuration. */
filter ccc-packet-mode {
term all {
then {
packet-mode;
accept;
}
}
}
filter l2circuit-packet-mode {
term ALL-TRAFFIC {
then {
packet-mode;
accept;
}
}
}
}
}
/* BGP-signalled VPLS instance for srx2, with tracing enabled. */
routing-instances {
VPLS {
instance-type vpls;
/* CE-facing logical interface; defined under interfaces with
   encapsulation ethernet-vpls and family vpls. */
interface ge-0/0/3.0;
route-distinguisher 10.10.10.20:100;
/* The same vrf-target is used in all three posted configurations. */
vrf-target target:65001:100;
protocols {
vpls {
/* world-readable lets every user on the device read the trace file, and
   flag all records every VPLS trace event. Both are debugging aids: drop
   world-readable (or the whole traceoptions block) once the problem is
   resolved. */
traceoptions {
file vpls world-readable;
flag all;
}
/* The interface is listed here as well as under the site below; the other
   two posted configurations list it only under the site. */
interface ge-0/0/3.0;
/* no-tunnel-services: use a label-switched interface instead of a tunnel
   (vt) interface for this instance. */
no-tunnel-services;
/* Site identifier 2; the other two posted configurations use 1 and 3. */
site Schreiner {
site-identifier 2;
interface ge-0/0/3.0;
}
}
}
}
}
vlans {
Audio {
vlan-id 3;
l3-interface vlan.2;
}
Computers {
vlan-id 2;
l3-interface vlan.1;
}
default {
vlan-id 1;
l3-interface vlan.0;
}
vpls-test {
vlan-id 100;
l3-interface vlan.100;
}
}

 

SRX3

 

interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address x.x.x.x/24;
}
}
}
gr-0/0/0 {
unit 0 {
clear-dont-fragment-bit;
tunnel {
source 100.100.100.3;
destination 100.100.100.2;
allow-fragmentation;
}
family inet {
mtu 1300;
filter {
input inet-packet-mode;
}
address 10.10.10.30/24;
}
family mpls {
mtu 1200;
filter {
input mpls-packet-mode;
}
}
}
unit 1 {
clear-dont-fragment-bit;
tunnel {
source 100.100.100.3;
destination 100.100.100.1;
allow-fragmentation;
}
family inet {
mtu 1300;
filter {
input inet-packet-mode;
}
address 10.10.10.31/24;
}
family mpls {
mtu 1200;
filter {
input mpls-packet-mode;
}
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/2 {
unit 0 {
}
}
ge-0/0/3 {
encapsulation ethernet-vpls;
unit 0 {
family vpls;
}
}
ge-0/0/4 {
unit 0 {
family inet {
address 100.168.1.252/24;
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members Cameras;
}
}
}
}
ge-0/0/6 {
gigether-options {
802.3ad ae0;
}
}
ge-0/0/7 {
gigether-options {
802.3ad ae0;
}
}
ae0 {
description Switchs;
aggregated-ether-options {
lacp {
active;
}
}
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [ Audio Cameras Computers Guest Phones Security vpls-test ];
}
native-vlan-id default;
}
}
}
lo0 {
unit 0 {
family inet {
address 10.0.0.3/32 {
primary;
}
address 127.0.0.1/32;
}
family mpls;
}
}
st0 {
unit 0 {
multipoint;
family inet {
address 100.100.100.3/24;
}
}
}
vlan {
unit 0 {
family inet {
address 10.30.0.1/24;
}
}
unit 1 {
family inet {
address 10.168.3.1/24;
}
}
unit 2 {
family inet {
address 10.168.12.1/24;
}
}
unit 3 {
family inet {
address 10.168.22.1/24;
}
}
unit 4 {
family inet {
address 10.168.32.1/24;
}
}
unit 5 {
family inet {
address 10.168.42.1/24;
}
}
unit 9 {
family inet {
address 10.168.92.1/24;
}
}
unit 100 {
family inet {
address 100.168.1.3/24 {
vrrp-group 1 {
virtual-address 100.168.1.1;
priority 253;
accept-data;
}
}
}
}
}
}
forwarding-options {
helpers {
domain {
server 10.168.3.202;
interface {
vlan.1;
vlan.2;
vlan.3;
vlan.4;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop [ x.x.x.x x.x.x.x ];
route 10.168.1.0/24 next-hop 100.100.100.1;
route 10.168.2.0/24 next-hop 100.100.100.2;
route 10.168.11.0/24 next-hop 100.100.100.2;
route 10.168.10.0/24 next-hop 100.100.100.1;
route 10.168.20.0/24 next-hop 100.100.100.1;
route 10.168.30.0/24 next-hop 100.100.100.1;
route 10.168.40.0/24 next-hop 100.100.100.1;
route 10.168.50.0/24 next-hop 100.100.100.1;
route 10.10.10.11/32 next-hop gr-0/0/0.1;
route 10.10.10.20/32 next-hop gr-0/0/0.0;
route 10.0.0.1/32 next-hop gr-0/0/0.1;
route 10.0.0.2/32 next-hop gr-0/0/0.0;
}
router-id 10.0.0.3;
autonomous-system 65001;
}
protocols {
rsvp {
interface gr-0/0/0.0;
interface gr-0/0/0.1;
}
mpls {
no-cspf;
label-switched-path mpls1 {
from 10.10.10.31;
to 10.10.10.11;
}
label-switched-path mpls3 {
from 10.10.10.30;
to 10.10.10.20;
}
interface gr-0/0/0.0;
interface gr-0/0/0.1;
interface lo0.0;
}
bgp {
group VPLS {
type internal;
multihop;
local-address 10.0.0.3;
family l2vpn {
signaling;
}
neighbor 10.10.10.11 {
local-address 10.10.10.31;
}
neighbor 10.10.10.20 {
local-address 10.10.10.30;
}
}
}
lldp {
interface all;
}
lldp-med {
interface all;
}
igmp-snooping {
vlan all {
version 2;
}
}
}
/* Stateless firewall filters whose only purpose is to apply the
   packet-mode action. Packets handled in packet mode are forwarded without
   flow-based processing, so security policies are not evaluated for them.
   In this configuration inet-packet-mode and mpls-packet-mode are applied
   as input filters on both gr-0/0/0 units. */
firewall {
family inet {
filter inet-packet-mode {
/* No from clause: this term matches every packet and accepts it, so the
   ALL-TRAFFIC term below is never evaluated. Add a from clause if only
   part of the traffic should bypass stateful inspection. */
term packet-mode {
then {
packet-mode;
accept;
}
}
term ALL-TRAFFIC {
then {
packet-mode;
accept;
}
}
}
}
family mpls {
filter mpls-packet-mode {
/* Same structure as the inet filter: the first term matches everything. */
term packet-mode {
then {
packet-mode;
accept;
}
}
term ALL-TRAFFIC {
then {
packet-mode;
accept;
}
}
}
}
family ccc {
/* Both ccc filters are defined here but are not referenced by any
   interface in the posted configuration. */
filter ccc-packet-mode {
term all {
then {
packet-mode;
accept;
}
}
}
filter l2circuit-packet-mode {
term ALL-TRAFFIC {
then {
packet-mode;
accept;
}
}
}
}
}
/* BGP-signalled VPLS instance for SRX3. */
routing-instances {
VPLS {
instance-type vpls;
/* CE-facing logical interface; defined under interfaces with
   encapsulation ethernet-vpls and family vpls. */
interface ge-0/0/3.0;
route-distinguisher 10.10.10.30:100;
/* The same vrf-target is used in all three posted configurations. */
vrf-target target:65001:100;
protocols {
vpls {
/* no-tunnel-services: use a label-switched interface instead of a tunnel
   (vt) interface for this instance. */
no-tunnel-services;
/* Site identifier 3; the other two posted configurations use 1 and 2. */
site After {
site-identifier 3;
interface ge-0/0/3.0;
}
}
}
}
}
vlans {
Audio {
description Audio;
vlan-id 5;
l3-interface vlan.4;
}
Cameras {
description Cameras;
vlan-id 4;
l3-interface vlan.3;
}
Computers {
vlan-id 2;
l3-interface vlan.1;
}
Guest {
description Guest;
vlan-id 10;
l3-interface vlan.9;
}
Phones {
description Phones;
vlan-id 3;
l3-interface vlan.2;
}
Security {
description Security;
vlan-id 6;
l3-interface vlan.5;
}
default {
description Computers;
vlan-id 1;
l3-interface vlan.0;
}
vpls-test {
vlan-id 100;
l3-interface vlan.100;
}
}

 


Re: vpls over gre over ipsec

3 weeks ago
Local interface down normally means the interface configured under the VPLS instance is down. Can you make sure the VPLS interfaces are up? Also, please share the "show vpls connections" output.
Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Re: vpls over gre over ipsec

[ Edited ]
3 weeks ago

It looks like the interfaces are missing their logical unit, according to the interface terse output. After checking the Junos documentation for the CE-facing interface, everything looks correct. I included the terse and VPLS connections output in the attachments.

 

ge-0/0/3 {
encapsulation ethernet-vpls;
unit 0 {
family vpls;
}
}

 

Thanks.

Greg

Attachments


Re: vpls over gre over ipsec

3 weeks ago

Your observation is correct: ge-0/0/3.0 has not been created, resulting in the LD state in the VPLS connection.

Can you please delete the configuration on ge-0/0/3 and re-apply it? If that doesn't help, you can also try "commit full"; it will re-parse the whole config.

PS: Please mark my response as the solution if it answers your query; kudos are appreciated too!

Thanks
Vishal


Re: vpls over gre over ipsec

[ Edited ]
3 weeks ago

OK, I rebuilt interface 3 and am still getting the same results. I also set interface 7 for VPLS and received the same results. All three SRXs have the same result.

thanks.

greg


Re: vpls over gre over ipsec

3 weeks ago

After trying VLAN encapsulation I do get a logical interface, but not with Ethernet encapsulation. Any ideas?

Thanks.

Greg


Re: vpls over gre over ipsec

3 weeks ago

As per the doc it should support ethernet-vpls

https://www.juniper.net/documentation/en_US/junos/topics/concept/vpls-security-overview.html

 

VPLS Exceptions on SRX Series Devices:

SRX Series devices support only the following encapsulation types on VPLS interfaces that face CE devices: extended VLAN VPLS, Ethernet VPLS, and VLAN VPLS. Ethernet VPLS over ATM LLC encapsulation is not supported.

Do you see any errors in the log when committing the ethernet-vpls config?

Thanks

Vishal


Re: vpls over gre over ipsec

3 weeks ago

No errors; everything commits as it should.

thanks.

greg


Re: vpls over gre over ipsec

[ Edited ]
3 weeks ago

Update: if I configure the VPLS interface facing the CE as vlan-vpls or extended-vlan-vpls, I do not get the logical unit either, but I do get ge-0/0/0.32768 rather than the .600 I used. It looks like lt interfaces don't work either. Is there any way to use the VLAN as the CE interface?

thanks.

greg

SRX version: 12.3X48-D95.2


Re: vpls over gre over ipsec

2 weeks ago

Does anyone have any ideas? I am guessing it is a bug in the firmware that seems to affect only VPLS-encapsulated ports.

Thanks.

Greg