M:Juniper SRX MPLS over GRE with IPsec
Материал из xapmc.net
- Задача
Cоединить:
- 1. Две локации в один широковещательный L2 домен
- 2. Две локации в одну таблицу маршрутизации L3
- Решение
Для решения требуется : VPLS, GRE, OSPF, IPsec, VLAN, VRF, iBGP
- Оборудование
| Вендор | Модель |
|---|---|
| 1. Mikrotik | RB941-2nD-TC |
| 4. Juniper | srx100h2 |
| 4. Juniper | srx100h2 |
- Схема сети
| Full configure SRX100h2 name:200 |
|---|
| set interfaces fe-0/0/1 unit 10 description "LAN Side" |
| set interfaces fe-0/0/1 vlan-tagging |
| set interfaces fe-0/0/1 mtu 1600 |
| set interfaces fe-0/0/1 unit 10 description L3VPN-1 |
| set interfaces fe-0/0/1 unit 10 vlan-id 10 |
| set interfaces fe-0/0/1 unit 10 family inet filter input packet-mode-inet |
| set interfaces fe-0/0/1 unit 10 family inet address 192.168.2.1/24 |
| set interfaces fe-0/0/2 description "LAN Side" |
| set interfaces fe-0/0/2 flexible-vlan-tagging |
| set interfaces fe-0/0/2 mtu 1522 |
| set interfaces fe-0/0/2 encapsulation vlan-vpls |
| set interfaces fe-0/0/2 unit 0 description VPLS_VPN-1 |
| set interfaces fe-0/0/2 unit 0 encapsulation vlan-vpls |
| set interfaces fe-0/0/2 unit 0 vlan-id 512 |
| set interfaces fe-0/0/7 description Internet |
| set interfaces fe-0/0/7 mtu 1514 |
| set interfaces gr-0/0/0 unit 0 description "MPLS core facing interface" |
| set interfaces gr-0/0/0 unit 0 tunnel source 172.16.0.1 |
| set interfaces gr-0/0/0 unit 0 tunnel destination 172.16.0.2 |
| set interfaces gr-0/0/0 unit 0 family inet mtu 9000 |
| set interfaces gr-0/0/0 unit 0 family inet address 172.16.255.1/30 |
| set interfaces gr-0/0/0 unit 0 family mpls mtu 9000 |
| set interfaces gr-0/0/0 unit 0 family mpls filter input packet-mode |
| set interfaces lo0 unit 0 family inet address 10.255.255.2/32 |
| set interfaces st0 unit 0 family inet mtu 9178 address 172.16.0.1/30 |
| set firewall family inet filter packet-mode-inet term all-traffic then packet-mode |
| set firewall family inet filter packet-mode-inet term all-traffic then accept |
| set firewall family mpls filter packet-mode term all-traffic then packet-mode |
| set firewall family mpls filter packet-mode term all-traffic then accept |
| set security ike policy standard mode main |
| set security ike policy standard proposal-set standard |
| set security ike policy standard pre-shared-key ascii-text "DFJUUhqwih2634976zxb" |
| set security ike gateway tun1 ike-policy standard |
| set security ike gateway tun1 address 1.1.1.2 |
| set security ike gateway tun1 external-interface fe-0/0/7.0 |
| set security ipsec policy standard proposal-set standard |
| set security ipsec vpn ipsec-vpn-1 bind-interface st0.0 |
| set security ipsec vpn ipsec-vpn-1 df-bit clear |
| set security ipsec vpn ipsec-vpn-1 ike gateway tun1 |
| set security ipsec vpn ipsec-vpn-1 ike ipsec-policy standard |
| set security ipsec vpn ipsec-vpn-1 establish-tunnels immediately |
| set security policies from-zone Internet to-zone Internet policy Internet match source-address any |
| set security policies from-zone Internet to-zone Internet policy Internet match destination-address any |
| set security policies from-zone Internet to-zone Internet policy Internet match application any |
| set security policies from-zone Internet to-zone Internet policy Internet then permit |
| set security zones security-zone Internet host-inbound-traffic system-services all |
| set security zones security-zone Internet host-inbound-traffic protocols all |
| set security zones security-zone Internet interfaces fe-0/0/7.0 |
| set security zones security-zone Internet interfaces gr-0/0/0.0 |
| set security zones security-zone Internet interfaces lo0.0 |
| set security zones security-zone Internet interfaces st0.0 |
| set protocols mpls interface gr-0/0/0.0 |
| set protocols bgp tcp-mss 1200 |
| set protocols bgp group IBGP type internal |
| set protocols bgp group IBGP local-address 10.255.255.1 |
| set protocols bgp group IBGP local-as 65100 |
| set protocols bgp group IBGP neighbor 10.255.255.2 |
| set protocols bgp group IBGP neighbor 10.255.255.2 family inet any |
| set protocols bgp group IBGP neighbor 10.255.255.2 family inet-vpn any |
| set protocols bgp group IBGP neighbor 10.255.255.2 family l2vpn signaling |
| set protocols ospf traffic-engineering |
| set protocols ospf area 0.0.0.0 interface lo0.0 |
| set protocols ospf area 0.0.0.0 interface lo0.0 passive |
| set protocols ospf area 0.0.0.0 interface gr-0/0/0.0 |
| set protocols ldp interface gr-0/0/0.0 |
| set protocols ldp interface lo0.0 |
| set routing-instances L3VPN-1 instance-type vrf |
| set routing-instances L3VPN-1 interface fe-0/0/1.10 |
| set routing-instances L3VPN-1 route-distinguisher 10.255.255.1:1000 |
| set routing-instances L3VPN-1 vrf-target target:65100:1000 |
| set routing-instances L3VPN-1 vrf-target import target:65100:1000 |
| set routing-instances L3VPN-1 vrf-target export target:65100:1000 |
| set routing-instances L3VPN-1 vrf-table-label |
| set routing-instances L3VPN-1 routing-options auto-export |
| set routing-instances VPLS_VPN-1 instance-type vpls |
| set routing-instances VPLS_VPN-1 interface fe-0/0/2.0 |
| set routing-instances VPLS_VPN-1 route-distinguisher 10.255.255.1:1001 |
| set routing-instances VPLS_VPN-1 vrf-target target:65100:1001 |
| set routing-instances VPLS_VPN-1 protocols vpls no-tunnel-services |
| set routing-instances VPLS_VPN-1 protocols vpls site 1 site-identifier 1 |
| set routing-instances VPLS_VPN-1 protocols vpls site 1 interface fe-0/0/2.0 |
| set routing-instances VPLS_VPN-1 protocols vpls mac-tlv-receive |
| set routing-instances VPLS_VPN-1 protocols vpls mac-tlv-send |
| Full configure SRX100h2 name:201 |
|---|
| set interfaces fe-0/0/1 unit 10 description "LAN Side" |
| set interfaces fe-0/0/1 vlan-tagging |
| set interfaces fe-0/0/1 mtu 1600 |
| set interfaces fe-0/0/1 unit 10 description L3VPN-1 |
| set interfaces fe-0/0/1 unit 10 vlan-id 10 |
| set interfaces fe-0/0/1 unit 10 family inet filter input packet-mode-inet |
| set interfaces fe-0/0/1 unit 10 family inet address 192.168.2.1/24 |
| set interfaces fe-0/0/2 description "LAN Side" |
| set interfaces fe-0/0/2 flexible-vlan-tagging |
| set interfaces fe-0/0/2 mtu 1522 |
| set interfaces fe-0/0/2 encapsulation vlan-vpls |
| set interfaces fe-0/0/2 unit 0 description VPLS_VPN-1 |
| set interfaces fe-0/0/2 unit 0 encapsulation vlan-vpls |
| set interfaces fe-0/0/2 unit 0 vlan-id 512 |
| set interfaces fe-0/0/7 description Internet |
| set interfaces fe-0/0/7 mtu 1514 |
| set interfaces gr-0/0/0 unit 0 description "MPLS core facing interface" |
| set interfaces gr-0/0/0 unit 0 tunnel source 172.16.0.1 |
| set interfaces gr-0/0/0 unit 0 tunnel destination 172.16.0.2 |
| set interfaces gr-0/0/0 unit 0 family inet mtu 9000 |
| set interfaces gr-0/0/0 unit 0 family inet address 172.16.255.1/30 |
| set interfaces gr-0/0/0 unit 0 family mpls mtu 9000 |
| set interfaces gr-0/0/0 unit 0 family mpls filter input packet-mode |
| set interfaces lo0 unit 0 family inet address 10.255.255.2/32 |
| set interfaces st0 unit 0 family inet mtu 9178 address 172.16.0.1/30 |
| set firewall family inet filter packet-mode-inet term all-traffic then packet-mode |
| set firewall family inet filter packet-mode-inet term all-traffic then accept |
| set firewall family mpls filter packet-mode term all-traffic then packet-mode |
| set firewall family mpls filter packet-mode term all-traffic then accept |
| set security ike policy standard mode main |
| set security ike policy standard proposal-set standard |
| set security ike policy standard pre-shared-key ascii-text "DFJUUhqwih2634976zxb" |
| set security ike gateway tun1 ike-policy standard |
| set security ike gateway tun1 address 1.1.1.2 |
| set security ike gateway tun1 external-interface fe-0/0/7.0 |
| set security ipsec policy standard proposal-set standard |
| set security ipsec vpn ipsec-vpn-1 bind-interface st0.0 |
| set security ipsec vpn ipsec-vpn-1 df-bit clear |
| set security ipsec vpn ipsec-vpn-1 ike gateway tun1 |
| set security ipsec vpn ipsec-vpn-1 ike ipsec-policy standard |
| set security ipsec vpn ipsec-vpn-1 establish-tunnels immediately |
| set security policies from-zone Internet to-zone Internet policy Internet match source-address any |
| set security policies from-zone Internet to-zone Internet policy Internet match destination-address any |
| set security policies from-zone Internet to-zone Internet policy Internet match application any |
| set security policies from-zone Internet to-zone Internet policy Internet then permit |
| set security zones security-zone Internet host-inbound-traffic system-services all |
| set security zones security-zone Internet host-inbound-traffic protocols all |
| set security zones security-zone Internet interfaces fe-0/0/7.0 |
| set security zones security-zone Internet interfaces gr-0/0/0.0 |
| set security zones security-zone Internet interfaces lo0.0 |
| set security zones security-zone Internet interfaces st0.0 |
| set protocols mpls interface gr-0/0/0.0 |
| set protocols bgp tcp-mss 1200 |
| set protocols bgp group IBGP type internal |
| set protocols bgp group IBGP local-address 10.255.255.1 |
| set protocols bgp group IBGP local-as 65100 |
| set protocols bgp group IBGP neighbor 10.255.255.2 |
| set protocols bgp group IBGP neighbor 10.255.255.2 family inet any |
| set protocols bgp group IBGP neighbor 10.255.255.2 family inet-vpn any |
| set protocols bgp group IBGP neighbor 10.255.255.2 family l2vpn signaling |
| set protocols ospf traffic-engineering |
| set protocols ospf area 0.0.0.0 interface lo0.0 |
| set protocols ospf area 0.0.0.0 interface lo0.0 passive |
| set protocols ospf area 0.0.0.0 interface gr-0/0/0.0 |
| set protocols ldp interface gr-0/0/0.0 |
| set protocols ldp interface lo0.0 |
| set routing-instances L3VPN-1 instance-type vrf |
| set routing-instances L3VPN-1 interface fe-0/0/1.10 |
| set routing-instances L3VPN-1 route-distinguisher 10.255.255.1:1000 |
| set routing-instances L3VPN-1 vrf-target target:65100:1000 |
| set routing-instances L3VPN-1 vrf-target import target:65100:1000 |
| set routing-instances L3VPN-1 vrf-target export target:65100:1000 |
| set routing-instances L3VPN-1 vrf-table-label |
| set routing-instances L3VPN-1 routing-options auto-export |
| set routing-instances VPLS_VPN-1 instance-type vpls |
| set routing-instances VPLS_VPN-1 interface fe-0/0/2.0 |
| set routing-instances VPLS_VPN-1 route-distinguisher 10.255.255.1:1001 |
| set routing-instances VPLS_VPN-1 vrf-target target:65100:1001 |
| set routing-instances VPLS_VPN-1 protocols vpls no-tunnel-services |
| set routing-instances VPLS_VPN-1 protocols vpls site 1 site-identifier 1 |
| set routing-instances VPLS_VPN-1 protocols vpls site 1 interface fe-0/0/2.0 |
| set routing-instances VPLS_VPN-1 protocols vpls mac-tlv-receive |
| set routing-instances VPLS_VPN-1 protocols vpls mac-tlv-send |
