close
keyboard_arrow_left
Table of Contents
list Table of Contents
示例:通过 IPsec 分段和重组配置 GRE 上的 MPLS
date_range
24-Aug-23
此示例基于当 WAN 提供商不提供巨型 MTU 选项时,需要支持标准的 1,500 字节 MTU 到由 GRE over IPsec 隧道支持的虚拟专用网络 (VPN) 客户端。通过 1500 字节 WAN 链路转发的流量可能会被丢弃,因为协议封装开销(第 2 层、MPLS、GRE 和 IPsec)会导致帧超出 WAN 链路 MTU。
与 MTU 相关的丢弃主要是无法分段的流量的问题。例如,标记为“不分段”的 IP 流量或第 2 层 VPN/VPLS 流量,就其性质而言,它们不能分段。出于性能原因,许多 IPsec 配置会阻止加密后分段,从而导致丢包。
本文档通过向您展示如何配置 IPsec 隧道以对原本无法分段的流量执行分段后,提供了此问题的解决方案。在这种情况下,您可以通过强制分段后来牺牲加密性能,而不必减少 VPN 客户端的 MTU 以防止与 MTU 相关的丢弃。
此示例说明如何使用单个路由实例(默认实例)配置选择性数据包服务模式,以将 VPN 流量处理成数据包模式。在数据包模式下,将绕过安全区域。这意味着第 2 层和第 3 层 VRF 接口不会放置在安全区域中,也不需要策略来允许它们通过互联网区域进行通信。
使用此示例中的步骤,您可以在发送设备的传出物理接口上执行 IPsec 封装的数据包分段,并在 IPsec 解密之前在接收设备上进行重组。
注意:
分段数据包的重组会使用大量设备资源,并且设备的性能将比非分段流量慢。如果可能,您应该在 WAN 接口上配置巨型 MTU,以避免分段。此示例说明如何向客户端设备提供标准的 1,500 字节 MTU,以便在通过不提供巨型支持的 WAN 连接使用 IPsec 时阻止分段。
本主题包括以下部分:
要求
此示例使用以下硬件和软件组件:
两个 SRX 系列服务网关
Junos OS 11.4 或更高版本
此示例已在 Junos OS 20.3R1 版上重新验证
注意:
要使此示例按文档所述工作,您必须确保您的 SRX 配置没有任何已启用的 family ethernet-switching 接口。使用可将 family ethernet-switching SRX 设备置于混合模式操作。此示例基于路由操作模式。有关路由和混合操作模式的详细信息 ,请参阅了解安全设备上的第 2 层接口。此外,我们使用层次结构的 edit protocols l2-learning 出厂默认设置测试了此示例。
概述和拓扑
此示例包括以下配置:
为适当的协议封装和最大传输单元 (MTU) 值配置接口。
在 ge-0/0/0.10 接口上应用防火墙过滤器以设置数据包模式。使用 1,524 字节 MTU 配置面向 WAN 的接口 ge-0/0/1.0。
为 GRE 和 IPsec 逻辑接口设置较大的 MTU 值,以避免逻辑接口上出现 IPsec 分段。GRE 封装的流量在 IPsec 内部通过隧道传输。
将 MPLS 系列添加到 GRE 接口 gr-0/0/0,并应用防火墙过滤器以启用数据包模式。
使用 IPsec VPN 配置中的选项在设备上配置 IPsec 隧道,以允许在
df-bit clear传出 ge-0/0/1.0 接口上对超大 IPsec 数据包进行分段。此设置允许 SRX 设备对标有不分段 (DNF) 位的 VPN 客户端流量执行分段后 IPsec 加密。未标记为 DNF 的 VPN 客户端流量在 IPsec 加密之前会分段以提高性能。在名为“Internet”的单个安全区域中配置所有不面向客户的接口,例如 ge-0/0/1.0、gr-0/0/0.0、lo0.0 和 st0.0。此示例使用单个安全区域来关注 MPLS over GRE over IPSec 的分段问题。通过将设备置于 MPLS 流模式,然后将面向客户的接口放入区域中,可以增强安全性。进入区域后,安全策略可以控制通信,并唤起 IDP 和应用程序识别等高级功能。有关详细信息 ,请参阅安全区域。
配置策略以允许所有(区域内)流量。
配置 OSPF 用于 lo0.0 地址分配,LDP 用于标签分配/MPLS 传输,并将 IBGP
inet-vpn与 和l2vpn族配置 以支持 VPN 客户端。配置两个路由实例,一个用于第 3 层 VPN,另一个用于第 2 层 VPLS 服务。
图 1 显示了此示例的拓扑。
图 1:基于 IPsec 隧道的 GRE MPLS 拓扑示例 
此示例重点介绍 IPsec 隧道上的 VPLS 和第 3 层 VPN。还支持第 2 层电路。对于第 2 层电路,您需要同时配置一个系列 MPLS 过滤器和一个系列 CCC 过滤器。过滤器用于唤起数据包模式处理,以支持通过 IPsec 进行分段。
拓扑
表 1 汇总了此拓扑中用于 PE1 器件的参数。您可以调整 PE2 设备的参数,或使用下面提供的 PE2 快速配置。
组件 | 描述 |
|---|---|
PE1 | PE1 SRX 系列防火墙: ge-0/0/0.10:
|
ge-0/0/2.11:
| |
ge-0/0/1.0:
| |
gr-0/0/0:
| |
lo0:
| |
st0.0:
| |
|
配置
程序
CLI 快速配置
要快速配置此示例,请复制以下命令,将其粘贴到文本文件中,删除所有换行符,更改与您的网络配置匹配所需的任何详细信息,将命令复制并粘贴到层次结构级别的 CLI [edit] 中,然后从配置模式进入 commit 。
SRX1 (PE1) 设备的配置:
content_copy zoom_out_map
set system host-name SRX1 set security ike policy standard mode main set security ike policy standard proposal-set standard set security ike policy standard pre-shared-key ascii-text "$9$1OsIclKvL7NblegoGUHk" set security ike gateway srx-2 ike-policy standard set security ike gateway srx-2 address 172.16.23.1 set security ike gateway srx-2 external-interface ge-0/0/1.0 set security ipsec policy standard proposal-set standard set security ipsec vpn ipsec-vpn-1 bind-interface st0.0 set security ipsec vpn ipsec-vpn-1 df-bit clear set security ipsec vpn ipsec-vpn-1 ike gateway srx-2 set security ipsec vpn ipsec-vpn-1 ike ipsec-policy standard set security ipsec vpn ipsec-vpn-1 establish-tunnels immediately set security policies from-zone Internet to-zone Internet policy Internet match source-address any set security policies from-zone Internet to-zone Internet policy Internet match destination-address any set security policies from-zone Internet to-zone Internet policy Internet match application any set security policies from-zone Internet to-zone Internet policy Internet then permit set security zones security-zone Internet host-inbound-traffic system-services all set security zones security-zone Internet host-inbound-traffic protocols all set security zones security-zone Internet interfaces ge-0/0/1.0 set security zones security-zone Internet interfaces gr-0/0/0.0 set security zones security-zone Internet interfaces lo0.0 set security zones security-zone Internet interfaces st0.0 set interfaces ge-0/0/0 vlan-tagging set interfaces ge-0/0/0 mtu 4000 set interfaces ge-0/0/0 description L3VPN set interfaces ge-0/0/0 unit 10 vlan-id 10 set interfaces ge-0/0/0 unit 10 family inet filter input packet-mode-inet set interfaces ge-0/0/0 unit 10 family inet address 192.168.0.1/24 set interfaces gr-0/0/0 description "MPLS core facing interface" set interfaces gr-0/0/0 unit 0 tunnel source 172.16.0.1 set interfaces gr-0/0/0 unit 0 tunnel destination 172.16.0.2 set interfaces gr-0/0/0 unit 0 family inet mtu 9000 set interfaces gr-0/0/0 unit 0 family inet address 172.16.255.1/30 set interfaces gr-0/0/0 unit 0 family mpls mtu 9000 set interfaces gr-0/0/0 unit 0 family mpls filter input packet-mode set interfaces ge-0/0/1 description Internet set interfaces ge-0/0/1 mtu 1514 set interfaces ge-0/0/1 unit 0 family inet address 172.16.13.1/30 set interfaces ge-0/0/2 flexible-vlan-tagging set interfaces ge-0/0/2 mtu 1522 set interfaces ge-0/0/2 encapsulation vlan-vpls set interfaces ge-0/0/2 unit 11 description VPLS set interfaces ge-0/0/2 unit 11 encapsulation vlan-vpls set interfaces ge-0/0/2 unit 11 vlan-id 512 set interfaces lo0 unit 0 family inet address 10.255.255.1/32 set interfaces st0 unit 0 family inet mtu 9178 set interfaces st0 unit 0 family inet address 172.16.0.1/30 set firewall family inet filter packet-mode-inet term all-traffic then packet-mode set firewall family inet filter packet-mode-inet term all-traffic then accept set firewall family mpls filter packet-mode term all-traffic then packet-mode set firewall family mpls filter packet-mode term all-traffic then accept set routing-instances L3VPN routing-options auto-export set routing-instances L3VPN interface ge-0/0/0.10 set routing-instances L3VPN instance-type vrf set routing-instances L3VPN route-distinguisher 10.255.255.1:1000 set routing-instances L3VPN vrf-target target:65100:1000 set routing-instances L3VPN vrf-table-label set routing-instances VPLS protocols vpls site 1 interface ge-0/0/2.11 set routing-instances VPLS protocols vpls site 1 site-identifier 1 set routing-instances VPLS protocols vpls no-tunnel-services set routing-instances VPLS protocols vpls mac-tlv-receive set routing-instances VPLS protocols vpls mac-tlv-send set routing-instances VPLS interface ge-0/0/2.11 set routing-instances VPLS instance-type vpls set routing-instances VPLS route-distinguisher 10.255.255.1:1001 set routing-instances VPLS vrf-target target:65100:1001 set protocols ospf traffic-engineering set protocols ospf area 0.0.0.0 interface lo0.0 passive set protocols ospf area 0.0.0.0 interface gr-0/0/0.0 set protocols bgp group IBGP type internal set protocols bgp group IBGP local-address 10.255.255.1 set protocols bgp group IBGP local-as 65100 set protocols bgp group IBGP neighbor 10.255.255.2 family inet any set protocols bgp group IBGP neighbor 10.255.255.2 family inet-vpn any set protocols bgp group IBGP neighbor 10.255.255.2 family l2vpn signaling set protocols bgp tcp-mss 1200 set protocols ldp interface gr-0/0/0.0 set protocols ldp interface lo0.0 set protocols mpls interface gr-0/0/0.0 set routing-options static route 172.16.23.0/30 next-hop 172.16.13.2 set routing-options router-id 10.255.255.1
SRX2 (PE2) 设备的配置:
content_copy zoom_out_map
set system host-name SRX2 set security ike policy standard mode main set security ike policy standard proposal-set standard set security ike policy standard pre-shared-key ascii-text "$9$Ahg6tORhclvMXREdb2gJZ" set security ike gateway srx-1 ike-policy standard set security ike gateway srx-1 address 172.16.13.1 set security ike gateway srx-1 external-interface ge-0/0/1.0 set security ipsec policy standard proposal-set standard set security ipsec vpn ipsec-vpn-1 bind-interface st0.0 set security ipsec vpn ipsec-vpn-1 df-bit clear set security ipsec vpn ipsec-vpn-1 ike gateway srx-1 set security ipsec vpn ipsec-vpn-1 ike ipsec-policy standard set security ipsec vpn ipsec-vpn-1 establish-tunnels immediately set security policies from-zone Internet to-zone Internet policy Internet match source-address any set security policies from-zone Internet to-zone Internet policy Internet match destination-address any set security policies from-zone Internet to-zone Internet policy Internet match application any set security policies from-zone Internet to-zone Internet policy Internet then permit set security zones security-zone Internet host-inbound-traffic system-services all set security zones security-zone Internet host-inbound-traffic protocols all set security zones security-zone Internet interfaces ge-0/0/1.0 set security zones security-zone Internet interfaces gr-0/0/0.0 set security zones security-zone Internet interfaces lo0.0 set security zones security-zone Internet interfaces st0.0 set interfaces ge-0/0/0 vlan-tagging set interfaces ge-0/0/0 mtu 4000 set interfaces ge-0/0/0 description L3VPN set interfaces ge-0/0/0 unit 10 vlan-id 10 set interfaces ge-0/0/0 unit 10 family inet filter input packet-mode-inet set interfaces ge-0/0/0 unit 10 family inet address 192.168.1.1/24 set interfaces gr-0/0/0 description "MPLS core facing interface" set interfaces gr-0/0/0 unit 0 tunnel source 172.16.0.2 set interfaces gr-0/0/0 unit 0 tunnel destination 172.16.0.1 set interfaces gr-0/0/0 unit 0 family inet mtu 9000 set interfaces gr-0/0/0 unit 0 family inet address 172.16.255.2/30 set interfaces gr-0/0/0 unit 0 family mpls mtu 9000 set interfaces gr-0/0/0 unit 0 family mpls filter input packet-mode set interfaces ge-0/0/1 description Internet set interfaces ge-0/0/1 mtu 1514 set interfaces ge-0/0/1 unit 0 family inet address 172.16.23.1/30 set interfaces ge-0/0/2 flexible-vlan-tagging set interfaces ge-0/0/2 mtu 1522 set interfaces ge-0/0/2 encapsulation vlan-vpls set interfaces ge-0/0/2 unit 11 description VPLS set interfaces ge-0/0/2 unit 11 encapsulation vlan-vpls set interfaces ge-0/0/2 unit 11 vlan-id 512 set interfaces lo0 unit 0 family inet address 10.255.255.2/32 set interfaces st0 unit 0 family inet mtu 9178 set interfaces st0 unit 0 family inet address 172.16.0.2/30 set firewall family inet filter packet-mode-inet term all-traffic then packet-mode set firewall family inet filter packet-mode-inet term all-traffic then accept set firewall family mpls filter packet-mode term all-traffic then packet-mode set firewall family mpls filter packet-mode term all-traffic then accept set routing-instances L3VPN routing-options auto-export set routing-instances L3VPN interface ge-0/0/0.10 set routing-instances L3VPN instance-type vrf set routing-instances L3VPN route-distinguisher 10.255.255.2:1000 set routing-instances L3VPN vrf-target target:65100:1000 set routing-instances L3VPN vrf-table-label set routing-instances VPLS protocols vpls site 2 interface ge-0/0/2.11 set routing-instances VPLS protocols vpls site 2 site-identifier 2 set routing-instances VPLS protocols vpls no-tunnel-services set routing-instances VPLS protocols vpls mac-tlv-receive set routing-instances VPLS protocols vpls mac-tlv-send set routing-instances VPLS interface ge-0/0/2.11 set routing-instances VPLS instance-type vpls set routing-instances VPLS route-distinguisher 10.255.255.2:1001 set routing-instances VPLS vrf-target target:65100:1001 set protocols ospf traffic-engineering set protocols ospf area 0.0.0.0 interface lo0.0 passive set protocols ospf area 0.0.0.0 interface gr-0/0/0.0 set protocols bgp group IBGP type internal set protocols bgp group IBGP local-address 10.255.255.2 set protocols bgp group IBGP local-as 65100 set protocols bgp group IBGP neighbor 10.255.255.1 family inet any set protocols bgp group IBGP neighbor 10.255.255.1 family inet-vpn any set protocols bgp group IBGP neighbor 10.255.255.1 family l2vpn signaling set protocols bgp tcp-mss 1200 set protocols ldp interface gr-0/0/0.0 set protocols ldp interface lo0.0 set protocols mpls interface gr-0/0/0.0 set routing-options static route 172.16.13.0/30 next-hop 172.16.23.2 set routing-options router-id 10.255.255.2
分步过程
以下示例要求您在配置层次结构中导航各个级别。有关如何执行此操作的说明,请参阅 Junos OS CLI 用户指南中的在配置模式下使用 CLI 编辑器。
要对 MPLS 帧进行分段并重组数据包:
配置物理接口。
content_copy zoom_out_map[edit interfaces] user@SRX1# set ge-0/0/0 description L3VPN user@SRX1# set ge-0/0/0 mtu 4000 user@SRX1# set ge-0/0/0 unit 10 vlan-id 10 user@SRX1# set ge-0/0/0 unit 10 family inet filter input packet-mode-inet user@SRX1# set ge-0/0/0 unit 10 family inet address 192.168.0.1/24 user@SRX1# set ge-0/0/1 description Internet user@SRX1# set ge-0/0/1 mtu 1514 user@SRX1# set ge-0/0/1 unit 0 family inet address 172.16.13.1/30 user@SRX1# set ge-0/0/2 description VPLS user@SRX1# set ge-0/0/2 flexible-vlan-tagging user@SRX1# set ge-0/0/2 mtu 1522 user@SRX1# set ge-0/0/2 encapsulation vlan-vpls user@SRX1# set ge-0/0/2 unit 11 encapsulation vlan-vpls user@SRX1# set ge-0/0/2 unit 11 vlan-id 512
配置逻辑接口。
content_copy zoom_out_map[edit interfaces] user@SRX1# set gr-0/0/0 unit 0 description "MPLS core facing interface" user@SRX1# set gr-0/0/0 unit 0 tunnel source 172.16.0.1 user@SRX1# set gr-0/0/0 unit 0 tunnel destination 172.16.0.2 user@SRX1# set gr-0/0/0 unit 0 family inet mtu 9000 user@SRX1# set gr-0/0/0 unit 0 family inet address 172.16.255.1/30 user@SRX1# set gr-0/0/0 unit 0 family mpls mtu 9000 user@SRX1# set gr-0/0/0 unit 0 family mpls filter input packet-mode user@SRX1# set lo0 unit 0 family inet address 10.255.255.1/32 user@SRX1# set st0 unit 0 family inet mtu 9178 user@SRX1# set st0 unit 0 family inet address 172.16.0.1/30
配置用于配置接口以使用数据包模式的防火墙过滤器。
content_copy zoom_out_map[edit firewall] user@SRX1# set family inet filter packet-mode-inet term all-traffic then packet-mode user@SRX1# set family inet filter packet-mode-inet term all-traffic then accept user@SRX1# set family mpls filter packet-mode term all-traffic then packet-mode user@SRX1# set family mpls filter packet-mode term all-traffic then accept
注意:如果要配置第 2 层电路,还必须在系列 CCC 下面向 CE 的接口上添加过滤器以唤起数据包模式:
content_copy zoom_out_mapset firewall family ccc filter packet-mode-ccc term all-traffic then packet-mode set firewall family ccc filter packet-mode-ccc term all-traffic then accept
配置 IKE 和 IPsec 策略。
content_copy zoom_out_map[edit security] user@SRX1# set ike policy standard mode main user@SRX1# set ike policy standard proposal-set standard user@SRX1# set ike policy standard pre-shared-key ascii-text "$9$1OsIclKvL7NblegoGUHk" user@SRX1# set ike gateway srx-2 ike-policy standard user@SRX1# set ike gateway srx-2 address 172.16.23.1 user@SRX1# set ike gateway srx-2 external-interface ge-0/0/1.0 user@SRX1# set ipsec policy standard proposal-set standard user@SRX1# set ipsec vpn ipsec-vpn-1 bind-interface st0.0 user@SRX1# set ipsec vpn ipsec-vpn-1 df-bit clear user@SRX1# set ipsec vpn ipsec-vpn-1 ike gateway srx-2 user@SRX1# set ipsec vpn ipsec-vpn-1 ike ipsec-policy standard user@SRX1# set ipsec vpn ipsec-vpn-1 establish-tunnels immediately
注意:为了关注 IPsec 上的分段,我们在此示例中使用默认密码 (3DES-CBC)。为了提高性能和安全性,请考虑使用更新的密码,例如AES-GCM-256。请参阅 加密算法(安全 IKE)
在单个安全区域中配置所有不面向客户的接口,并使用一个策略来允许所有(区域内)流量。
content_copy zoom_out_map[edit security policies from-zone Internet to-zone Internet] user@SRX1# set policy Internet match source-address any user@SRX1# set policy Internet match destination-address any user@SRX1# set policy Internet match application any user@SRX1# set policy Internet then permit [edit security zones security-zone Internet] user@SRX1# set host-inbound-traffic system-services all user@SRX1# set host-inbound-traffic protocols all user@SRX1# set interfaces ge-0/0/1.0 user@SRX1# set interfaces gr-0/0/0.0 user@SRX1# set interfaces lo0.0 user@SRX1# set interfaces st0.0
配置 OSPF 协议以进行 lo0.0 地址分配,使用 inet-vpn 和 l2vpn 系列配置 IBGP。同时配置 MPLS 和 LDP 信令。
content_copy zoom_out_map[edit protocols] user@SRX1# set bgp tcp-mss 1200 user@SRX1# set bgp group IBGP type internal user@SRX1# set bgp group IBGP local-address 10.255.255.1 user@SRX1# set bgp group IBGP local-as 65100 user@SRX1# set bgp group IBGP neighbor 10.255.255.2 user@SRX1# set bgp group IBGP neighbor 10.255.255.2 family inet any user@SRX1# set bgp group IBGP neighbor 10.255.255.2 family inet-vpn any user@SRX1# set bgp group IBGP neighbor 10.255.255.2 family l2vpn signaling user@SRX1# set ospf traffic-engineering user@SRX1# set ospf area 0.0.0.0 interface lo0.0 user@SRX1# set ospf area 0.0.0.0 interface lo0.0 passive user@SRX1# set ospf area 0.0.0.0 interface gr-0/0/0.0 user@SRX1# set mpls interface gr-0/0/0.0 user@SRX1# set ldp interface gr-0/0/0.0 user@SRX1# set ldp interface lo0.0
配置路由器 ID 和到 WAN 链路远程端的静态路由。
content_copy zoom_out_map[edit routing-option] user@SRX1# set static route 172.16.23.0/30 next-hop 172.16.13.2 user@SRX1# set router-id 10.255.255.1
配置两个路由实例,一个用于第 3 层 VPN,另一个用于 VPLS 应用程序。
content_copy zoom_out_map[edit routing-instances] user@SRX1# set L3VPN instance-type vrf user@SRX1# set L3VPN route-distinguisher 10.255.255.1:1000 user@SRX1# set L3VPN interface ge-0/0/0.10 user@SRX1# set L3VPN vrf-target target:65100:1000 user@SRX1# set L3VPN vrf-target import target:65100:1000 user@SRX1# set L3VPN vrf-target export target:65100:1000 user@SRX1# set L3VPN vrf-table-label user@SRX1# set L3VPN routing-options auto-export user@SRX1# set VPLS instance-type vpls user@SRX1# set VPLS interface ge-0/0/2.11 user@SRX1# set VPLS route-distinguisher 10.255.255.1:1001 user@SRX1# set VPLS vrf-target target:65100:1001 user@SRX1# set VPLS protocols vpls no-tunnel-services user@SRX1# set VPLS protocols vpls site 1 site-identifier 1 user@SRX1# set VPLS protocols vpls site 1 interface ge-0/0/2.11 user@SRX1# set VPLS protocols vpls mac-tlv-receive user@SRX1# set VPLS protocols vpls mac-tlv-send
结果
显示配置结果:
content_copy zoom_out_map
user@SRX1> show configuration
security {
ike {
policy standard {
mode main;
proposal-set standard;
pre-shared-key ascii-text "$9$1OsIclKvL7NblegoGUHk"; ## SECRET-DATA
}
gateway srx-2 {
ike-policy standard;
address 172.16.23.1;
external-interface ge-0/0/1.0;
}
}
ipsec {
policy standard {
proposal-set standard;
}
vpn ipsec-vpn-1 {
bind-interface st0.0;
df-bit clear;
ike {
gateway srx-2;
ipsec-policy standard;
}
establish-tunnels immediately;
}
}
policies {
from-zone Internet to-zone Internet {
policy Internet {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone Internet {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/1.0;
gr-0/0/0.0;
lo0.0;
st0.0;
}
}
}
}
interfaces {
ge-0/0/0 {
vlan-tagging;
mtu 4000;
unit 10 {
description L3VPN;
vlan-id 10;
family inet {
filter {
input packet-mode-inet;
}
address 192.168.0.1/24;
}
}
}
gr-0/0/0 {
unit 0 {
description "MPLS core facing interface";
tunnel {
source 172.16.0.1;
destination 172.16.0.2;
}
family inet {
mtu 9000;
address 172.16.255.1/30;
}
family mpls {
mtu 9000;
filter {
input packet-mode;
}
}
}
}
ge-0/0/1 {
description Internet;
mtu 1514;
unit 0 {
family inet {
address 172.16.13.1/30;
}
}
}
ge-0/0/2 {
flexible-vlan-tagging;
mtu 1522;
encapsulation vlan-vpls;
unit 11 {
description VPLS;
encapsulation vlan-vpls;
vlan-id 512;
}
}
lo0 {
unit 0 {
family inet {
address 10.255.255.1/32;
}
}
}
st0 {
unit 0 {
family inet {
mtu 9178;
address 172.16.0.1/30;
}
}
}
}
firewall {
family inet {
filter packet-mode-inet {
term all-traffic {
then {
packet-mode;
accept;
}
}
}
}
family mpls {
filter packet-mode {
term all-traffic {
then {
packet-mode;
accept;
}
}
}
}
}
routing-instances {
L3VPN {
routing-options {
auto-export;
}
interface ge-0/0/0.10;
instance-type vrf;
route-distinguisher 10.255.255.1:1000;
vrf-target {
target:65100:1000;
import target:65100:1000;
export target:65100:1000;
}
vrf-table-label;
}
VPLS {
protocols {
vpls {
site 1 {
interface ge-0/0/2.11;
site-identifier 1;
}
no-tunnel-services;
mac-tlv-receive;
mac-tlv-send;
}
}
interface ge-0/0/2.11;
instance-type vpls;
route-distinguisher 10.255.255.1:1001;
vrf-target target:65100:1001;
}
}
protocols {
ospf {
traffic-engineering;
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface gr-0/0/0.0;
}
}
bgp {
group IBGP {
type internal;
local-address 10.255.255.1;
local-as 65100;
neighbor 10.255.255.2 {
family inet {
any;
}
family inet-vpn {
any;
}
family l2vpn {
signaling;
}
}
}
tcp-mss 1200;
}
ldp {
interface gr-0/0/0.0;
interface lo0.0;
}
mpls {
interface gr-0/0/0.0;
}
}
routing-options {
static {
route 172.16.23.0/30 next-hop 172.16.13.2;
}
router-id 10.255.255.1;
}
验证
确认配置工作正常。
- 验证物理接口和逻辑接口是否已启动
- 验证 IPsec 安全关联
- 验证 OSPF 和 BGP
- 验证 LDP 操作
- 验证 VPLS 连接
- 验证设置了 DNF 的大型数据包的端到端 VPLS 连接
- 验证传出接口上的 IP 分段
- 验证 L3VPN
验证物理接口和逻辑接口是否已启动
目的
验证设备上的物理接口和逻辑接口是否已启动。
行动
在 SRX 系列服务网关的操作模式下,输入 show interfaces terse 命令。
content_copy zoom_out_map
user@SRX1> show interfaces terse
Interface Admin Link Proto Local Remote
ge-0/0/0 up up
ge-0/0/0.10 up up inet 192.168.0.1/24
ge-0/0/0.32767 up up
gr-0/0/0 up up
gr-0/0/0.0 up up inet 172.16.255.1/30
mpls
ip-0/0/0 up up
lsq-0/0/0 up up
lt-0/0/0 up up
mt-0/0/0 up up
sp-0/0/0 up up
sp-0/0/0.0 up up inet
inet6
sp-0/0/0.16383 up up inet
ge-0/0/1 up up
ge-0/0/1.0 up up inet 172.16.13.1/30
ge-0/0/2 up up
ge-0/0/2.11 up up vpls
ge-0/0/2.32767 up up
dsc up up
fti0 up up
fxp0 up up
fxp0.0 up up inet 10.54.5.56/19
gre up up
ipip up up
irb up up
lo0 up up
lo0.0 up up inet 10.255.255.1 --> 0/0
lo0.16384 up up inet 127.0.0.1 --> 0/0
lo0.16385 up up inet 10.0.0.1 --> 0/0
10.0.0.16 --> 0/0
128.0.0.1 --> 0/0
128.0.0.4 --> 0/0
128.0.1.16 --> 0/0
lo0.32768 up up
lsi up up
lsi.0 up up inet
iso
inet6
lsi.1048576 up up vpls
. . .
<some output removed for brevity>意义
命令 show interfaces terse 输出显示此配置中使用的所有物理和逻辑接口均可运行。
验证 IPsec 安全关联
目的
验证设备上的 IKE 和 IPsec 安全关联是否已启动。
行动
在 SRX 系列服务网关的操作模式下,输入 show security ike security-association 和 show security ipsec security-association 命令。
content_copy zoom_out_map
user@SRX1>show security ike security-associationsIndex State Initiator cookie Responder cookie Mode Remote Address 6699112 UP 2a5d1a37e5bd0cd1 09880f53cdbb35bb Main 172.16.23.1 user@SRX1>show security ipsec security-associationsTotal active tunnels: 1 Total Ipsec sas: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <131073 ESP:3des/sha1 f1396d7e 1868/ unlim - root 500 172.16.23.1 >131073 ESP:3des/sha1 ff799c04 1868/ unlim - root 500 172.16.23.1
意义
输出显示 IKE 会话的预期 Up 状态,以及已成功建立 IPsec 隧道。
验证 OSPF 和 BGP
目的
验证 OSPF 和 BGP 是否在 GRE 隧道上正常运行。回想一下,GRE 隧道依次通过上一步中验证的 IPsec 隧道进行路由。在此示例中,正确的 OSPF/BGP 操作会间接验证流量是否能够通过 GRE(然后是 IPsec)隧道。如果需要,可以对 GRE 端点执行 ping 操作以添加验证。
行动
在 SRX 系列服务网关的操作模式下,输入 show ospf neighbor 和 show bgp summary 命令。
content_copy zoom_out_map
user@SRX1>show ospf neighborAddress Interface State ID Pri Dead 172.16.255.2 gr-0/0/0.0 Full 10.255.255.2 128 33 user@SRX1>show bgp summaryThreading mode: BGP I/O Default eBGP mode: advertise - accept, receive - accept Groups: 1 Peers: 1 Down peers: 0 Table Tot Paths Act Paths Suppressed History Damp State Pending inet.0 0 0 0 0 0 0 inet.2 0 0 0 0 0 0 bgp.l3vpn.0 1 1 0 0 0 0 bgp.l3vpn.2 0 0 0 0 0 0 bgp.l2vpn.0 1 1 0 0 0 0 Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped... 10.255.255.2 65100 988 988 0 1 7:21:03 Establ inet.0: 0/0/0/0 inet.2: 0/0/0/0 bgp.l3vpn.0: 1/1/1/0 bgp.l3vpn.2: 0/0/0/0 bgp.l2vpn.0: 1/1/1/0 L3VPN.inet.0: 1/1/1/0 VPLS.l2vpn.0: 1/1/1/0
意义
输出确认预期的 OSPF 邻居状态 full。此 OSPF 邻接方通过 GRE 接口进行隔离。鉴于 OSPF 正常运行,您期望本地 SRX 已获知到远程 SRX 环路地址的路由。此路由允许(通过 GRE 隧道)建立基于环回的 IBGP 对等会话。命令 show bgp summary 输出确认 BGP 会话处于建立状态,并且正在交换 L3VPN 和 L2VPN 路由。
验证 LDP 操作
目的
验证 LDP 是否在 GRE 隧道上正常运行。在此示例中,LDP 用作 MPLS 信令协议。
行动
在 SRX 系列服务网关的操作模式下,输入 show ldp neighbor 和 show ldp session 命令。
content_copy zoom_out_map
user@SRX1>show ldp neighborAddress Interface Label space ID Hold time 172.16.255.2 gr-0/0/0.0 10.255.255.2:0 12 user@SRX1>show ldp sessionAddress State Connection Hold time Adv. Mode 10.255.255.2 Operational Open 28 DU
意义
输出确认通过 GRE 接口的预期 LDP 邻居关系。命令 show ldp session 输出确认成功建立到远程 SRX 设备的环路地址的会话。这允许 LDP 交换传输标签,进而支持 VPN 客户端的 MPLS 转发。
验证 VPLS 连接
目的
验证 VPLS 连接是否处于启动状态。
行动
在 SRX 系列服务网关的操作模式下,输入 show vpls connections 命令。
content_copy zoom_out_map
user@SRX1> show vpls connections
Layer-2 VPN connections:
Legend for connection status (St)
EI -- encapsulation invalid NC -- interface encapsulation not CCC/TCC/VPLS
EM -- encapsulation mismatch WE -- interface and instance encaps not same
VC-Dn -- Virtual circuit down NP -- interface hardware not present
CM -- control-word mismatch -> -- only outbound connection is up
CN -- circuit not provisioned <- -- only inbound connection is up
OR -- out of range Up -- operational
OL -- no outgoing label Dn -- down
LD -- local site signaled down CF -- call admission control failure
RD -- remote site signaled down SC -- local and remote site ID collision
LN -- local site not designated LM -- local site ID not minimum designated
RN -- remote site not designated RM -- remote site ID not minimum designated
XX -- unknown connection status IL -- no incoming label
MM -- MTU mismatch MI -- Mesh-Group ID not available
BK -- Backup connection ST -- Standby connection
PF -- Profile parse failure PB -- Profile busy
RS -- remote site standby SN -- Static Neighbor
LB -- Local site not best-site RB -- Remote site not best-site
VM -- VLAN ID mismatch HS -- Hot-standby Connection
Legend for interface status
Up -- operational
Dn -- down
Instance: VPLS
Edge protection: Not-Primary
Local site: 1 (1)
connection-site Type St Time last up # Up trans
2 rmt Up Aug 25 07:52:38 2021 1
Remote PE: 10.255.255.2, Negotiated control-word: No
Incoming label: 262146, Outgoing label: 262145
Local interface: lsi.1048578, Status: Up, Encapsulation: VPLS
Description: Intf - vpls VPLS local site 1 remote site 2
Flow Label Transmit: No, Flow Label Receive: No意义
输出显示 VPLS 连接的预期 Up 状态。连接正常运行后,VPN 客户端设备应该能够传递流量。
验证设置了 DNF 的大型数据包的端到端 VPLS 连接
目的
验证第 2 层 VPLS 客户端设备是否能够发送设置了 DNF 位的 1500 字节帧。由于这是第 2 层服务,因此无法进行分段。因此,DNF 位以端到端方式运行。回想一下,对于此示例中的配置,此类设置会导致入口 SRX 设备在流量加密后(分段 后)对 IPsec 数据包进行分段。当流量从面向 WAN 的 ge-0/0/1 接口出口时,会发生分段后的情况。
分段后会强制远程 SRX 设备在执行解密之前重新组装数据包,这可能会影响加密流量的转发性能。这是使用该选项时的 df-bit clear 预期行为。演示此行为是此 NHE 的原因。其他 df-bit 选项(即 df-bit copy 和 df-bit set)会导致在 VPN 客户端设置 DNF 位时,对于超过 WAN MTU 的 VPN 数据包,会导致数据包丢弃并生成 ICMP 错误消息。
行动
在 VPLS Host1 上的操作模式下,以生成设置了 DNF 位的 1500 字节 IP 数据包的方式对 VPLS Host2 执行 ping 操作。当此流量添加了 MPLS、GRE 和 IPsec 开销时,它将超过传出 WAN 接口的 MTU。鉴于作为第 2 层服务(或者在 L3VPN 客户端的情况下,通过设置 DNF 位)阻止了分片前,此类数据包会根据选项的 df-bit clear 设置强制分片后
VPN 客户端设备的配置和操作超出了此示例的范围。为了进行测试,MX 路由器用作 VPN 客户端。因此,演示的 ping 命令基于 Junos CLI。
content_copy zoom_out_map
user@vpls-host1> ping 192.168.2.102 size 1472 do-not-fragment count 2
PING 192.168.2.102 (192.168.2.102): 1472 data bytes
1480 bytes from 192.168.2.102: icmp_seq=0 ttl=64 time=23.045 ms
1480 bytes from 192.168.2.102: icmp_seq=1 ttl=64 time=5.342 ms
--- 192.168.2.102 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 5.342/14.194/23.045/8.852 ms意义
输出显示 ping 成功。添加 20 字节 IP 报头时,1480 字节的回显流量将生成 1500 字节的 IP 数据包。因此,结果证实 VPLS 客户端设备可以通过 WAN 链路与 1500 字节 MTU 交换 1,500 字节数据包,尽管存在封装开销。回想一下,由于这是第 2 层服务,因此不可能进行分段,并且 DNF 位端到端运行。但是,在测试 L3VPN 客户端时,使用 DNF 位非常重要,因为 PE 设备能够对 IP 流量进行分段。
验证传出接口上的 IP 分段
目的
验证超过 WAN MTU 的 VPLS 客户端流量是否在传出 ge-0/0/1.0 接口上分段。在此步骤中,计时非常重要,因为后台 OSPF、LDP 和 BGP 流量会导致 ge-0/0/0.0 接口计数器递增。目标是从 VPLS 主机生成 100 个 1,500 字节的数据包,然后快速比较 IPsec 和接口统计信息,以确认传出 WAN 接口上看到的数据包数大约是 IPsec 隧道上的计数的两倍。
行动
在 SRX 系列服务网关的操作模式下,使用 和 clear interfaces statistics all clear security ipsec statistics 命令清除 IPsec 和接口统计信息。然后在 VPLS 端点之间生成 100 个数据包大小为 1,500 字节的快速 ping。ping 完成后,使用 and show interfaces ge-0/0/1 detail show security ipsec statistics 命令显示 IPsec 隧道和 ge-0/0/1 接口的数据包计数。
content_copy zoom_out_map
user@SRX1>clear interfaces statistics alluser@SRX1>clear interfaces statistics all
在 VPLS 端点之间生成 100 次数据包大小为 1,500 字节的快速 ping。为简洁起见,不显示此内容。请参阅上一步中的命令。为简洁起见,此处未显示。
content_copy zoom_out_map
user@SRX1>show interfaces ge-0/0/1 detailPhysical interface: ge-0/0/1, Enabled, Physical link is Up Interface index: 136, SNMP ifIndex: 509, Generation: 139 Description: Internet Link-level type: Ethernet, MTU: 1514, LAN-PHY mode, Link-mode: Full-duplex, Speed: 10Gbps, BPDU Error: None, Loop Detect PDU Error: None, Ethernet-Switching Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled Device flags : Present Running Interface flags: SNMP-Traps Internal: 0x4000 Link flags : None CoS queues : 8 supported, 8 maximum usable queues Hold-times : Up 0 ms, Down 0 ms Current address: 56:04:19:00:3a:7b, Hardware address: 56:04:19:00:3a:7b Last flapped : 2021-08-27 12:17:01 PDT (01:27:43 ago) Statistics last cleared: 2021-08-27 13:44:28 PDT (00:00:16 ago) Traffic statistics: Input bytes : 163440 0 bps Output bytes : 162000 0 bps Input packets: 210 0 pps Output packets: 200 0 pps Egress queues: 8 supported, 4 in use . . . user@SRX1>show security ipsec statisticsESP Statistics: Encrypted bytes: 161896 Decrypted bytes: 155722 Encrypted packets: 113 Decrypted packets: 112 . . .
意义
命令 show interfaces ge-0/0/1.0 detail 的输出显示已发送和接收超过 200 个数据包。相比之下,IPsec 统计信息确认了大约 100 个数据包的计数。这确认了 VPLS 客户端发送的每个数据包都在面向 WAN 的 ge-0/0/1.0 接口上进行了分段。
验证 L3VPN
目的
验证 L3VPN 操作。
行动
在 SRX 系列服务网关的操作模式下,使用命令显示 show route 到远程 L3VPN 子网的路由。然后生成到远程 L3VPN 端点的 ping 以验证连接性。
content_copy zoom_out_map
user@SRX1> show route 192.168.1.0/24
L3VPN.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
192.168.1.0/24 *[BGP/170] 01:05:44, localpref 100, from 10.255.255.2
AS path: I, validation-state: unverified
> via gr-0/0/0.0, Push 16
bgp.l3vpn.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.255.255.2:1000:192.168.1.0/24
*[BGP/170] 01:05:44, localpref 100, from 10.255.255.2
AS path: I, validation-state: unverified
> via gr-0/0/0.0, Push 16测试从本地 SRX 到远程 VPN 端点的连接:
content_copy zoom_out_map
user@SRX1> ping 192.168.1.101 routing-instance L3VPN count 2
PING 192.168.1.101 (192.168.1.101): 56 data bytes
64 bytes from 192.168.1.101: icmp_seq=0 ttl=63 time=3.485 ms
64 bytes from 192.168.1.101: icmp_seq=1 ttl=63 time=3.412 ms
--- 192.168.1.101 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.412/3.449/3.485/0.036 ms
注意:
在此配置中,从本地 SRX 到本地 L3VPN 客户端的 ping 操作不会成功。这与分组模式的使用和 VPN 接口缺少安全区域有关。如上所示,您可以从本地 SRX ping到远程 L3VPN 目标。尽管未显示,但从本地 L3VPN 客户端到本地 PE VRF 接口生成的 ping 操作预计会成功。
测试 L3VPN 的端到端连接。在 L3VPN 客户端端点之间生成巨型 ping。回想一下,在本例中,L3VPN 客户端配置了 4k MTU。我们再次使用 MX 路由器来填充 L3VPN 客户端,因此使用了 Junos ping 语法:
content_copy zoom_out_map
user@l3vpn1> ping 192.168.1.101 size 3000 do-not-fragment count 2
PING 192.168.1.101 (192.168.1.101): 3000 data bytes
3008 bytes from 192.168.1.101: icmp_seq=0 ttl=62 time=5.354 ms
3008 bytes from 192.168.1.101: icmp_seq=1 ttl=62 time=5.607 ms
--- 192.168.1.101 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 5.354/5.481/5.607/0.126 ms意义
输出显示到远程 L3VPN 客户端的路由是通过 BGP 正确获知的,并且它指向具有 MPLS 标签操作的 GRE 接口。ping 测试的结果确认了 L3VPN 的预期连接,即使发送 3,000 + 字节 ping 并设置了 DNF 位也是如此。