
Example: Single MX Series (ECMP Based Consistent Hashing) and Scaled-Out SRX Series Firewalls (Standalone) for IPsec VPN

23-Apr-24

In this configuration, you’ll learn to set up a single MX Series with scaled-out SRX Series Firewalls in standalone mode for IPsec VPN services.

Overview

Table 1 shows the deployment components used in the example.

Table 1: Deployment Details

| CSDS Components | Details |
|---|---|
| Forwarding Layer | MX304 with Junos OS Release 23.4R1 or later |
| Services Layer | vSRX 3.0 with Junos OS Release 23.4R1 or later |
| Redundancy | Single MX Series with ECMP based Consistent Hashing for load balancer; SRX Series Firewalls (Standalone) |
| Features | IPsec VPN |
| Additional Component | IPsec initiator device – MX router with SPC3 card. You can use any IPsec initiator device. |

See Table 2 and Table 3 for traffic flow and VPN details.

Table 2: Traffic Flows for IPsec VPN

| Feature | Traffic Flow Component | IP Address |
|---|---|---|
| IPsec VPN on SRX1, SRX2 and SRX3 | IKE Gateway Source (IPsec Initiator) | 200.0.0.0/8 |
| | IKE Gateway Destination (IPsec Responder) | 100.0.0.1/32 |
| | IPsec Data Source | 6.0.0.0/8 |
| | IPsec Data Destination | 75.0.0.0/8 |

Table 3: IPsec VPN Details

| Device | IKE Gateways | IPsec Data Endpoints |
|---|---|---|
| SRX1 | 200.0.0.1 and 100.0.0.1 | Tunnel 1 between 6.0.0.3 and 75.0.0.3 |
| SRX2 | 200.0.0.2 and 100.0.0.1 | Tunnel 2 between 6.0.0.2 and 75.0.0.2 |
| SRX3 | 200.0.0.6 and 100.0.0.1 | Tunnel 3 between 6.0.0.1 and 75.0.0.1 |

See Table 4 for traffic flow.

Table 4: Load Balancer to SRX Series Firewalls for IPsec VPN Services

| Flow Type | Traffic Flow Component | IP Address |
|---|---|---|
| IKE Initiator to SRX | Source Load Balancer (Route Filter on MX) | 100.0.0.1/32 |
| IPsec VPN Forward Flow | Routing-Based | |
| IPsec VPN Reverse Flow | Routing-Based | Unique ARI route per SRX |

Topology Illustration

Figure 1: Single MX Series (ECMP based Consistent Hashing) and Scaled-Out SRX Series Firewalls for IPsec VPN Services
Figure 2: Route Advertisements in IKE Gateway for IPsec VPN Services
Figure 3: Route Advertisements for IPsec Endpoint for IPsec VPN Services

Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

These configurations are captured from a lab environment and are provided for reference only. Actual configurations might vary based on the specific requirements of your environment.
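
Because these commands come from a lab, review their security-relevant lines before reusing them. The following Python script is an added example (not Juniper code or tooling) that scans `set`-format configuration for settings that appear in this page's IPsec initiator and SRX configurations and warrant review. The rule list and the values in `HARDENED_SAMPLE` are this example's assumptions.

```python
import re

# Review rules chosen for this example (assumptions, not a Juniper checklist).
# Each rule: (id, pattern matched against one normalized "set" line, reason).
RULES = [
    ("weak-dh-group",
     re.compile(r"^set security ike proposal \S+ dh-group group(1|2|5)$"),
     "IKE Diffie-Hellman MODP group is smaller than 2048 bits"),
    ("legacy-ike-hash",
     re.compile(r"^set security ike proposal \S+ authentication-algorithm (md5|sha1)$"),
     "IKE proposal uses MD5 or SHA-1 for authentication"),
    ("psk-review",
     re.compile(r"^set security ike policy \S+ pre-shared-key ascii-text \S+"),
     "pre-shared key in config: replace placeholders, use a unique high-entropy secret"),
    ("host-inbound-all",
     re.compile(r"^set security zones security-zone \S+ host-inbound-traffic "
                r"(system-services|protocols) all$"),
     "zone accepts every service or protocol addressed to the firewall itself"),
    ("default-permit",
     re.compile(r"^set security policies default-policy permit-all$"),
     "traffic that matches no security policy is permitted"),
]

# Lines copied from this page's SRX1 configuration.
PAGE_SAMPLE = '''\
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group2
set security ike proposal IKE_PROP authentication-algorithm sha1
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike policy IKE_POLICY pre-shared-key ascii-text "$ABC123"
set security zones security-zone vr-1_trust_zone host-inbound-traffic system-services all
set security zones security-zone vr-1_trust_zone host-inbound-traffic protocols all
set security policies default-policy permit-all
'''

# Constructed counterpart (assumption): stronger IKE parameters, only the
# host-inbound services this design uses (IKE, BGP, BFD), and default deny.
HARDENED_SAMPLE = '''\
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security zones security-zone vr-1_trust_zone host-inbound-traffic system-services ike
set security zones security-zone vr-1_trust_zone host-inbound-traffic protocols bgp
set security zones security-zone vr-1_trust_zone host-inbound-traffic protocols bfd
set security policies default-policy deny-all
'''


def audit(config_text):
    """Return (line_number, rule_id, line, reason) for every rule hit."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = " ".join(raw.split())  # collapse stray whitespace from copy/paste
        if not line.startswith("set "):
            continue  # skip "[edit]" prompts, blanks and comments
        for rule_id, pattern, reason in RULES:
            if pattern.search(line):
                findings.append((lineno, rule_id, line, reason))
    return findings


if __name__ == "__main__":
    for label, text in (("page sample", PAGE_SAMPLE), ("hardened sample", HARDENED_SAMPLE)):
        hits = audit(text)
        print(f"{label}: {len(hits)} finding(s)")
        for lineno, rule_id, line, reason in hits:
            print(f"  line {lineno} [{rule_id}] {reason}\n    {line}")
```

With `default-policy deny-all`, every flow the design needs must be covered by an explicit security policy, so validate the permit policies for the IKE and IPsec data prefixes before committing that change.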

This example configures the following components:

  • Configure MX Series
  • Configure the IPsec Initiator
  • Configure SRX1
  • Configure SRX2
  • Configure SRX3

Configure MX Series

[edit]
set interfaces et-0/0/0 gigether-options 802.3ad ae1
set interfaces et-0/0/1 gigether-options 802.3ad ae2
set interfaces et-0/0/2 gigether-options 802.3ad ae3
set interfaces et-0/0/7 gigether-options 802.3ad ae1
set interfaces et-0/0/8 gigether-options 802.3ad ae2
set interfaces et-0/0/9 gigether-options 802.3ad ae3
set interfaces et-0/0/10 gigether-options 802.3ad ae10
set interfaces et-0/0/11 gigether-options 802.3ad ae10
set interfaces et-0/1/0 gigether-options 802.3ad ae10
set interfaces et-0/1/1 gigether-options 802.3ad ae10
set interfaces et-0/1/2 gigether-options 802.3ad ae10
set interfaces ae1 vlan-tagging
set interfaces ae1 aggregated-ether-options minimum-links 1
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic fast
set interfaces ae1 unit 0 vlan-id 1
set interfaces ae1 unit 0 family inet address 10.1.1.1/31
set interfaces ae1 unit 0 family inet6 address 10:1:1::1/127
set interfaces ae1 unit 1 vlan-id 2
set interfaces ae1 unit 1 family inet address 10.1.1.3/31
set interfaces ae1 unit 1 family inet6 address 10:1:1::3/127
set interfaces ae2 vlan-tagging
set interfaces ae2 aggregated-ether-options minimum-links 1
set interfaces ae2 aggregated-ether-options lacp active
set interfaces ae2 aggregated-ether-options lacp periodic fast
set interfaces ae2 unit 0 vlan-id 9
set interfaces ae2 unit 0 family inet address 10.1.1.9/31
set interfaces ae2 unit 0 family inet6 address 10:2:2::1/127
set interfaces ae2 unit 1 vlan-id 10
set interfaces ae2 unit 1 family inet address 10.1.1.11/31
set interfaces ae2 unit 1 family inet6 address 10:2:2::3/127
set interfaces ae3 vlan-tagging
set interfaces ae3 aggregated-ether-options minimum-links 1
set interfaces ae3 aggregated-ether-options lacp active
set interfaces ae3 aggregated-ether-options lacp periodic fast
set interfaces ae3 unit 0 vlan-id 9
set interfaces ae3 unit 0 family inet address 10.1.1.17/31
set interfaces ae3 unit 0 family inet6 address 10:3:3::1/127
set interfaces ae3 unit 1 vlan-id 10
set interfaces ae3 unit 1 family inet address 10.1.1.19/31
set interfaces ae3 unit 1 family inet6 address 10:3:3::3/127
set interfaces ae10 flexible-vlan-tagging
set interfaces ae10 encapsulation flexible-ethernet-services
set interfaces ae10 aggregated-ether-options minimum-links 1
set interfaces ae10 aggregated-ether-options lacp active
set interfaces ae10 aggregated-ether-options lacp periodic fast
set interfaces ae10 unit 40 vlan-id 40
set interfaces ae10 unit 40 family inet address 40.1.1.2/30
set interfaces ae10 unit 40 family inet6 address 40:1:1::2/124
set interfaces ae10 unit 80 vlan-id 80
set interfaces ae10 unit 80 family inet address 80.1.1.2/30
set interfaces ae10 unit 80 family inet6 address 80:1:1::2/124
set routing-instances TRUST_VR instance-type virtual-router
set routing-instances TRUST_VR routing-options autonomous-system 1000
set routing-instances TRUST_VR routing-options autonomous-system independent-domain no-attrset
set routing-instances TRUST_VR protocols bgp group MX-to-TRUST_GW_Router type external
set routing-instances TRUST_VR protocols bgp group MX-to-TRUST_GW_Router export srx_ike_endpoint_export
set routing-instances TRUST_VR protocols bgp group MX-to-TRUST_GW_Router peer-as 1500
set routing-instances TRUST_VR protocols bgp group MX-to-TRUST_GW_Router local-as 1000
set routing-instances TRUST_VR protocols bgp group MX-to-TRUST_GW_Router bfd-liveness-detection minimum-interval 300
set routing-instances TRUST_VR protocols bgp group MX-to-TRUST_GW_Router bfd-liveness-detection minimum-receive-interval 300
set routing-instances TRUST_VR protocols bgp group MX-to-TRUST_GW_Router bfd-liveness-detection multiplier 3
set routing-instances TRUST_VR protocols bgp group MX-to-TRUST_GW_Router neighbor 40.1.1.1
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx1 type external
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx1 import pfe_consistent_hash
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx1 export trust-to-untrust-export
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx1 peer-as 500
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx1 local-as 1000
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx1 multipath
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx1 bfd-liveness-detection minimum-interval 300
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx1 bfd-liveness-detection minimum-receive-interval 300
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx1 bfd-liveness-detection multiplier 3
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx1 neighbor 10.1.1.0
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx2 type external
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx2 import pfe_consistent_hash
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx2 export trust-to-untrust-export
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx2 peer-as 500
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx2 local-as 1000
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx2 multipath
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx2 bfd-liveness-detection minimum-interval 300
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx2 bfd-liveness-detection minimum-receive-interval 300
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx2 bfd-liveness-detection multiplier 3
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx2 neighbor 10.1.1.8
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx3 type external
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx3 import pfe_consistent_hash
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx3 export trust-to-untrust-export
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx3 peer-as 500
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx3 local-as 1000
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx3 multipath
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx3 bfd-liveness-detection minimum-interval 300
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx3 bfd-liveness-detection minimum-receive-interval 300
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx3 bfd-liveness-detection multiplier 3
set routing-instances TRUST_VR protocols bgp group MX-to-vsrx3 neighbor 10.1.1.16
set routing-instances TRUST_VR interface ae1.0
set routing-instances TRUST_VR interface ae2.0
set routing-instances TRUST_VR interface ae3.0
set routing-instances TRUST_VR interface ae10.40
set policy-options policy-statement srx_ike_endpoint_export term 1 from protocol bgp
set policy-options policy-statement srx_ike_endpoint_export term 1 from route-filter 100.0.0.1/32 exact
set policy-options policy-statement srx_ike_endpoint_export term 1 then next-hop self
set policy-options policy-statement srx_ike_endpoint_export term 1 then accept
set policy-options policy-statement srx_ike_endpoint_export term 2 then reject
set policy-options policy-statement trust-to-untrust-export term 1 from protocol bgp
set policy-options policy-statement trust-to-untrust-export term 1 from protocol static
set policy-options policy-statement trust-to-untrust-export term 1 then next-hop self
set policy-options policy-statement trust-to-untrust-export term 1 then accept
set policy-options policy-statement trust-to-untrust-export term 2 then reject
set routing-instances UNTRUST_VR instance-type virtual-router
set routing-instances UNTRUST_VR routing-options autonomous-system 2000
set routing-instances UNTRUST_VR routing-options autonomous-system independent-domain no-attrset
set routing-instances UNTRUST_VR protocols bgp group MX-to-UNTRUST_GW_Router type external
set routing-instances UNTRUST_VR protocols bgp group MX-to-UNTRUST_GW_Router export srx_ari_route_export
set routing-instances UNTRUST_VR protocols bgp group MX-to-UNTRUST_GW_Router peer-as 2500
set routing-instances UNTRUST_VR protocols bgp group MX-to-UNTRUST_GW_Router local-as 2000
set routing-instances UNTRUST_VR protocols bgp group MX-to-UNTRUST_GW_Router bfd-liveness-detection minimum-interval 300
set routing-instances UNTRUST_VR protocols bgp group MX-to-UNTRUST_GW_Router bfd-liveness-detection minimum-receive-interval 300
set routing-instances UNTRUST_VR protocols bgp group MX-to-UNTRUST_GW_Router bfd-liveness-detection multiplier 3
set routing-instances UNTRUST_VR protocols bgp group MX-to-UNTRUST_GW_Router neighbor 80.1.1.1
set routing-instances UNTRUST_VR protocols bgp group MX-to-vsrx1 type external
set routing-instances UNTRUST_VR protocols bgp group MX-to-vsrx1 export untrust-to-trust-export
set routing-instances UNTRUST_VR protocols bgp group MX-to-vsrx1 peer-as 500
set routing-instances UNTRUST_VR protocols bgp group MX-to-vsrx1 local-as 2000
set routing-instances UNTRUST_VR protocols bgp group MX-to-vsrx1 multipath
set routing-instances UNTRUST_VR protocols bgp group MX-to-vsrx1 bfd-liveness-detection minimum-interval 300
set routing-instances UNTRUST_VR protocols bgp group MX-to-vsrx1 bfd-liveness-detection minimum-receive-interval 300
set routing-instances UNTRUST_VR protocols bgp group MX-to-vsrx1 bfd-liveness-detection multiplier 3
set routing-instances UNTRUST_VR protocols bgp group MX-to-vsrx1 neighbor 10.1.1.2
set routing-instances UNTRUST_VR protocols bgp group MX-to-vsrx2 type external
set routing-instances UNTRUST_VR protocols bgp group MX-to-vsrx2 export untrust-to-trust-export
set routing-instances UNTRUST_VR protocols bgp group MX-to-vsrx2 peer-as 500
set routing-instances UNTRUST_VR protocols bgp group MX-to-vsrx2 local-as 2000
set routing-instances UNTRUST_VR protocols bgp group MX-to-vsrx2 multipath
set routing-instances UNTRUST_VR protocols bgp group MX-to-vsrx2 bfd-liveness-detection minimum-interval 300
set routing-instances UNTRUST_VR protocols bgp group MX-to-vsrx2 bfd-liveness-detection minimum-receive-interval 300
set routing-instances UNTRUST_VR protocols bgp group MX-to-vsrx2 bfd-liveness-detection multiplier 3
set routing-instances UNTRUST_VR protocols bgp group MX-to-vsrx2 neighbor 10.1.1.10
set routing-instances UNTRUST_VR protocols bgp group MX-to-vsrx3 type external
set routing-instances UNTRUST_VR protocols bgp group MX-to-vsrx3 export untrust-to-trust-export
set routing-instances UNTRUST_VR protocols bgp group MX-to-vsrx3 peer-as 500
set routing-instances UNTRUST_VR protocols bgp group MX-to-vsrx3 local-as 2000
set routing-instances UNTRUST_VR protocols bgp group MX-to-vsrx3 multipath
set routing-instances UNTRUST_VR protocols bgp group MX-to-vsrx3 bfd-liveness-detection minimum-interval 300
set routing-instances UNTRUST_VR protocols bgp group MX-to-vsrx3 bfd-liveness-detection minimum-receive-interval 300
set routing-instances UNTRUST_VR protocols bgp group MX-to-vsrx3 bfd-liveness-detection multiplier 3
set routing-instances UNTRUST_VR protocols bgp group MX-to-vsrx3 neighbor 10.1.1.18
set routing-instances UNTRUST_VR interface ae1.1
set routing-instances UNTRUST_VR interface ae2.1
set routing-instances UNTRUST_VR interface ae3.1
set routing-instances UNTRUST_VR interface ae10.80
set policy-options policy-statement srx_ari_route_export term 1 from protocol bgp
set policy-options policy-statement srx_ari_route_export term 1 from route-filter 6.0.0.0/8 orlonger
set policy-options policy-statement srx_ari_route_export term 1 then next-hop self
set policy-options policy-statement srx_ari_route_export term 1 then accept
set policy-options policy-statement srx_ari_route_export term 2 then reject
set policy-options policy-statement untrust-to-trust-export term 1 from protocol bgp
set policy-options policy-statement untrust-to-trust-export term 1 from protocol static
set policy-options policy-statement untrust-to-trust-export term 1 then next-hop self
set policy-options policy-statement untrust-to-trust-export term 1 then accept
set policy-options policy-statement untrust-to-trust-export term 2 then reject
set policy-options policy-statement pfe_consistent_hash from route-filter 100.0.0.1/32 exact
set policy-options policy-statement pfe_consistent_hash then load-balance consistent-hash
set policy-options policy-statement pfe_consistent_hash then accept
set policy-options policy-statement pfe_lb_hash term source_hash from route-filter 100.0.0.1/32 exact
set policy-options policy-statement pfe_lb_hash term source_hash then load-balance source-ip-only
set policy-options policy-statement pfe_lb_hash term source_hash then accept
set policy-options policy-statement pfe_lb_hash term ALL-ELSE then load-balance per-packet
set policy-options policy-statement pfe_lb_hash term ALL-ELSE then accept
set routing-options forwarding-table export pfe_lb_hash
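
The `pfe_consistent_hash` and `pfe_lb_hash` policies above keep each IKE initiator on one SRX by hashing only the source IP of traffic to 100.0.0.1/32. The following Python model is an added example, not Juniper code: it shows that when one SRX fails, consistent hashing moves only the tunnels that were on it, while a plain modulo hash also moves tunnels on healthy standalone firewalls, forcing them to renegotiate. Rendezvous hashing stands in for the MX's own hash (an assumption), and the initiator addresses are constructed.

```python
import hashlib
import ipaddress

# From this page: the three SRX BGP neighbors in TRUST_VR that advertise 100.0.0.1/32.
SRX_NEXT_HOPS = ("10.1.1.0", "10.1.1.8", "10.1.1.16")


def constructed_ike_sources(count=254):
    """Constructed initiator addresses inside the page's 200.0.0.0/8 IKE source prefix."""
    base = int(ipaddress.IPv4Address("200.0.0.1"))
    return [str(ipaddress.IPv4Address(base + i)) for i in range(count)]


def _h(text):
    """Stable 64-bit hash of a string (SHA-256 truncated; a modelling choice)."""
    return int.from_bytes(hashlib.sha256(text.encode()).digest()[:8], "big")


def consistent_pick(src_ip, next_hops):
    """Rendezvous hashing: the hop with the highest per-(source, hop) score wins.

    Removing a hop cannot change the winner for sources that had picked another hop.
    """
    return max(next_hops, key=lambda nh: _h(f"{src_ip}|{nh}"))


def modulo_pick(src_ip, next_hops):
    """Contrast case: hash the source, then index into whichever hops are up."""
    return next_hops[_h(src_ip) % len(next_hops)]


def disrupted(pick, sources, failed):
    """Sources that change SRX although the SRX they were using is still up."""
    before = SRX_NEXT_HOPS
    after = tuple(nh for nh in before if nh != failed)
    return [s for s in sources
            if pick(s, before) != failed and pick(s, before) != pick(s, after)]


def failure_report(sources):
    """For each possible SRX failure, count needlessly moved initiators per method."""
    return {failed: {"consistent": len(disrupted(consistent_pick, sources, failed)),
                     "modulo": len(disrupted(modulo_pick, sources, failed))}
            for failed in SRX_NEXT_HOPS}


if __name__ == "__main__":
    for failed, counts in failure_report(constructed_ike_sources()).items():
        print(f"SRX {failed} down: healthy-SRX tunnels moved -> "
              f"consistent={counts['consistent']} modulo={counts['modulo']}")
```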

Configure IPsec Initiator

[edit]
set services service-set IPSEC_TUN_1 next-hop-service inside-service-interface vms-3/0/0.1
set services service-set IPSEC_TUN_1 next-hop-service outside-service-interface vms-3/0/0.2001
set services service-set IPSEC_TUN_1 ipsec-vpn TUN_1
set services service-set IPSEC_TUN_2 next-hop-service inside-service-interface vms-3/0/0.2
set services service-set IPSEC_TUN_2 next-hop-service outside-service-interface vms-3/0/0.2002
set services service-set IPSEC_TUN_2 ipsec-vpn TUN_2
set services service-set IPSEC_TUN_3 next-hop-service inside-service-interface vms-3/0/0.3
set services service-set IPSEC_TUN_3 next-hop-service outside-service-interface vms-3/0/0.2003
set services service-set IPSEC_TUN_3 ipsec-vpn TUN_3
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group2
set security ike proposal IKE_PROP authentication-algorithm sha1
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 3600
set security ike policy IKE_POLICY proposals IKE_PROP
set security ike policy IKE_POLICY pre-shared-key ascii-text "$ABC123"
set security ike gateway IKE_GW_1 ike-policy IKE_POLICY
set security ike gateway IKE_GW_1 address 100.0.0.1
set security ike gateway IKE_GW_1 dead-peer-detection probe-idle-tunnel
set security ike gateway IKE_GW_1 dead-peer-detection interval 10
set security ike gateway IKE_GW_1 dead-peer-detection threshold 3
set security ike gateway IKE_GW_1 local-identity hostname peer1.juniper.net
set security ike gateway IKE_GW_1 remote-identity hostname vsrx.juniper.net
set security ike gateway IKE_GW_1 external-interface lo0.0
set security ike gateway IKE_GW_1 local-address 200.0.0.1
set security ike gateway IKE_GW_1 version v2-only
set security ike gateway IKE_GW_2 ike-policy IKE_POLICY
set security ike gateway IKE_GW_2 address 100.0.0.1
set security ike gateway IKE_GW_2 dead-peer-detection probe-idle-tunnel
set security ike gateway IKE_GW_2 dead-peer-detection interval 10
set security ike gateway IKE_GW_2 dead-peer-detection threshold 3
set security ike gateway IKE_GW_2 local-identity hostname peer2.juniper.net
set security ike gateway IKE_GW_2 remote-identity hostname vsrx.juniper.net
set security ike gateway IKE_GW_2 external-interface lo0.0
set security ike gateway IKE_GW_2 local-address 200.0.0.2
set security ike gateway IKE_GW_2 version v2-only
set security ike gateway IKE_GW_3 ike-policy IKE_POLICY
set security ike gateway IKE_GW_3 address 100.0.0.1
set security ike gateway IKE_GW_3 dead-peer-detection probe-idle-tunnel
set security ike gateway IKE_GW_3 dead-peer-detection interval 10
set security ike gateway IKE_GW_3 dead-peer-detection threshold 3
set security ike gateway IKE_GW_3 local-identity hostname peer3.juniper.net
set security ike gateway IKE_GW_3 remote-identity hostname vsrx.juniper.net
set security ike gateway IKE_GW_3 external-interface lo0.0
set security ike gateway IKE_GW_3 local-address 200.0.0.6
set security ike gateway IKE_GW_3 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-gcm
set security ipsec proposal IPSEC_PROP lifetime-seconds 3600
set security ipsec policy IPSEC_POLICY proposals IPSEC_PROP
set security ipsec vpn TUN_1 bind-interface st0.1
set security ipsec vpn TUN_1 ike gateway IKE_GW_1
set security ipsec vpn TUN_1 ike ipsec-policy IPSEC_POLICY
set security ipsec vpn TUN_1 traffic-selector ts1 local-ip 6.0.0.1/32
set security ipsec vpn TUN_1 traffic-selector ts1 remote-ip 75.0.0.1/32
set security ipsec vpn TUN_1 establish-tunnels immediately
set security ipsec vpn TUN_2 bind-interface st0.2
set security ipsec vpn TUN_2 ike gateway IKE_GW_2
set security ipsec vpn TUN_2 ike ipsec-policy IPSEC_POLICY
set security ipsec vpn TUN_2 traffic-selector ts1 local-ip 6.0.0.2/32
set security ipsec vpn TUN_2 traffic-selector ts1 remote-ip 75.0.0.2/32
set security ipsec vpn TUN_2 establish-tunnels immediately
set security ipsec vpn TUN_3 bind-interface st0.3
set security ipsec vpn TUN_3 ike gateway IKE_GW_3
set security ipsec vpn TUN_3 ike ipsec-policy IPSEC_POLICY
set security ipsec vpn TUN_3 traffic-selector ts1 local-ip 6.0.0.3/32
set security ipsec vpn TUN_3 traffic-selector ts1 remote-ip 75.0.0.3/32
set security ipsec vpn TUN_3 establish-tunnels immediately
set security ipsec anti-replay-window-size 512
set security flow power-mode-ipsec
set interfaces vms-3/0/0 unit 1 family inet
set interfaces vms-3/0/0 unit 1 service-domain inside
set interfaces vms-3/0/0 unit 2 family inet
set interfaces vms-3/0/0 unit 2 service-domain inside
set interfaces vms-3/0/0 unit 3 family inet
set interfaces vms-3/0/0 unit 3 service-domain inside
set interfaces vms-3/0/0 unit 2001 family inet
set interfaces vms-3/0/0 unit 2001 service-domain outside
set interfaces vms-3/0/0 unit 2002 family inet
set interfaces vms-3/0/0 unit 2002 service-domain outside
set interfaces vms-3/0/0 unit 2003 family inet
set interfaces vms-3/0/0 unit 2003 service-domain outside
set interfaces lo0 unit 0 family inet address 200.0.0.1/32
set interfaces lo0 unit 0 family inet address 200.0.0.2/32
set interfaces lo0 unit 0 family inet address 200.0.0.6/32
set interfaces st0 unit 1 family inet
set interfaces st0 unit 2 family inet
set interfaces st0 unit 3 family inet
set interfaces et-7/0/0 gigether-options 802.3ad ae10
set interfaces et-7/1/3 gigether-options 802.3ad ae10
set interfaces et-7/0/3 gigether-options 802.3ad ae10
set interfaces et-7/0/4 gigether-options 802.3ad ae10
set interfaces et-7/0/1 gigether-options 802.3ad ae11
set interfaces et-7/0/2 gigether-options 802.3ad ae11
set interfaces et-7/1/0 gigether-options 802.3ad ae11
set interfaces et-7/1/1 gigether-options 802.3ad ae11
set interfaces et-7/1/2 mtu 9192
set interfaces et-7/1/2 unit 0 family inet address 50.0.0.1/30
set interfaces et-7/1/4 mtu 9192
set interfaces et-7/1/4 unit 0 family inet address 60.0.0.1/30
set interfaces ae10 flexible-vlan-tagging
set interfaces ae10 encapsulation flexible-ethernet-services
set interfaces ae10 aggregated-ether-options minimum-links 1
set interfaces ae10 aggregated-ether-options lacp active
set interfaces ae10 aggregated-ether-options lacp periodic fast
set interfaces ae10 unit 40 vlan-id 40
set interfaces ae10 unit 40 family inet address 40.1.1.1/30
set interfaces ae10 unit 40 family inet6 address 40:1:1::1/124
set interfaces ae10 unit 80 vlan-id 80
set interfaces ae10 unit 80 family inet address 80.1.1.1/30
set interfaces ae10 unit 80 family inet6 address 80:1:1::1/124
set interfaces ae11 flexible-vlan-tagging
set interfaces ae11 encapsulation flexible-ethernet-services
set interfaces ae11 aggregated-ether-options minimum-links 1
set interfaces ae11 aggregated-ether-options lacp active
set interfaces ae11 aggregated-ether-options lacp periodic fast
set interfaces ae11 unit 41 vlan-id 41
set interfaces ae11 unit 41 family inet address 41.1.1.1/30
set interfaces ae11 unit 41 family inet6 address 41:1:1::1/124
set interfaces ae11 unit 81 vlan-id 81
set interfaces ae11 unit 81 family inet address 81.1.1.1/30
set interfaces ae11 unit 81 family inet6 address 81:1:1::1/124
set routing-instances TRUST_VR instance-type virtual-router
set routing-instances TRUST_VR routing-options autonomous-system 1500
set routing-instances TRUST_VR protocols bgp group trust_GW-to-MX1_trust type external
set routing-instances TRUST_VR protocols bgp group trust_GW-to-MX1_trust export client_to_server_export
set routing-instances TRUST_VR protocols bgp group trust_GW-to-MX1_trust peer-as 1000
set routing-instances TRUST_VR protocols bgp group trust_GW-to-MX1_trust local-as 1500
set routing-instances TRUST_VR protocols bgp group trust_GW-to-MX1_trust bfd-liveness-detection minimum-interval 300
set routing-instances TRUST_VR protocols bgp group trust_GW-to-MX1_trust bfd-liveness-detection minimum-receive-interval 300
set routing-instances TRUST_VR protocols bgp group trust_GW-to-MX1_trust bfd-liveness-detection multiplier 3
set routing-instances TRUST_VR protocols bgp group trust_GW-to-MX1_trust neighbor 40.1.1.2
set routing-instances TRUST_VR protocols bgp multipath
set routing-instances TRUST_VR interface vms-3/0/0.2001
set routing-instances TRUST_VR interface vms-3/0/0.2002
set routing-instances TRUST_VR interface vms-3/0/0.2003
set routing-instances TRUST_VR interface ae10.40
set routing-instances TRUST_VR interface lo0.0
set policy-options policy-statement client_to_server_export term 1 from protocol direct
set policy-options policy-statement client_to_server_export term 1 from route-filter 200.0.0.0/8 orlonger
set policy-options policy-statement client_to_server_export term 1 then accept
set policy-options policy-statement client_to_server_export term 2 then reject
set policy-options policy-statement client_to_server_export_mx2 term 1 from protocol static
set policy-options policy-statement client_to_server_export_mx2 term 1 from route-filter 141.0.0.0/8 orlonger
set policy-options policy-statement client_to_server_export_mx2 term 1 from route-filter 140.0.0.0/8 orlonger
set policy-options policy-statement client_to_server_export_mx2 term 1 then accept
set policy-options policy-statement client_to_server_export_mx2 term 2 then reject
set routing-instances UNTRUST_VR instance-type virtual-router
set routing-instances UNTRUST_VR routing-options autonomous-system 2500
set routing-instances UNTRUST_VR routing-options static route 75.0.0.0/8 next-hop 60.0.0.2
set routing-instances UNTRUST_VR protocols bgp group Untrust_GW-to-MX1_Untrust type external
set routing-instances UNTRUST_VR protocols bgp group Untrust_GW-to-MX1_Untrust export server_to_client_export
set routing-instances UNTRUST_VR protocols bgp group Untrust_GW-to-MX1_Untrust peer-as 2000
set routing-instances UNTRUST_VR protocols bgp group Untrust_GW-to-MX1_Untrust local-as 2500
set routing-instances UNTRUST_VR protocols bgp group Untrust_GW-to-MX1_Untrust bfd-liveness-detection minimum-interval 300
set routing-instances UNTRUST_VR protocols bgp group Untrust_GW-to-MX1_Untrust bfd-liveness-detection minimum-receive-interval 300
set routing-instances UNTRUST_VR protocols bgp group Untrust_GW-to-MX1_Untrust bfd-liveness-detection multiplier 3
set routing-instances UNTRUST_VR protocols bgp group Untrust_GW-to-MX1_Untrust neighbor 80.1.1.2
set routing-instances UNTRUST_VR protocols bgp multipath
set routing-instances UNTRUST_VR interface et-7/1/4.0
set routing-instances UNTRUST_VR interface ae10.80
set policy-options policy-statement server_to_client_export term t1 from protocol static
set policy-options policy-statement server_to_client_export term t1 from route-filter 75.0.0.0/8 exact
set policy-options policy-statement server_to_client_export term t1 then accept
set policy-options policy-statement server_to_client_export term t2 then reject
set policy-options policy-statement server_to_client_export_mx2 term t1 from protocol static
set policy-options policy-statement server_to_client_export_mx2 term t1 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement server_to_client_export_mx2 term t1 then accept
set policy-options policy-statement server_to_client_export_mx2 term t2 then reject
set routing-instances client instance-type virtual-router
set routing-instances client routing-options static route 6.0.0.0/8 next-hop 50.0.0.2
set routing-instances client interface vms-3/0/0.1
set routing-instances client interface vms-3/0/0.2
set routing-instances client interface vms-3/0/0.3
set routing-instances client interface et-7/1/2.0
set routing-instances client interface st0.1
set routing-instances client interface st0.2
set routing-instances client interface st0.3
set policy-options policy-statement ECMP_POLICY-LB then load-balance per-packet
set routing-options forwarding-table export ECMP_POLICY-LB

Configure SRX1

[edit] 
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group2
set security ike proposal IKE_PROP authentication-algorithm sha1
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 3600
set security ike policy IKE_POLICY proposals IKE_PROP
set security ike policy IKE_POLICY pre-shared-key ascii-text "$ABC123"
set security ike gateway avpn_ike_gw ike-policy IKE_POLICY
set security ike gateway avpn_ike_gw dynamic hostname .juniper.net
set security ike gateway avpn_ike_gw dynamic ike-user-type group-ike-id
set security ike gateway avpn_ike_gw dead-peer-detection probe-idle-tunnel
set security ike gateway avpn_ike_gw dead-peer-detection interval 10
set security ike gateway avpn_ike_gw dead-peer-detection threshold 3
set security ike gateway avpn_ike_gw local-identity hostname vsrx.juniper.net
set security ike gateway avpn_ike_gw external-interface lo0.0
set security ike gateway avpn_ike_gw local-address 100.0.0.1
set security ike gateway avpn_ike_gw version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-gcm
set security ipsec proposal IPSEC_PROP lifetime-seconds 3600
set security ipsec policy IPSEC_POLICY proposals IPSEC_PROP
set security ipsec vpn avpn_ipsec_vpn bind-interface st0.1
set security ipsec vpn avpn_ipsec_vpn ike gateway avpn_ike_gw
set security ipsec vpn avpn_ipsec_vpn ike ipsec-policy IPSEC_POLICY
set security ipsec vpn avpn_ipsec_vpn traffic-selector ts local-ip 0.0.0.0/0
set security ipsec vpn avpn_ipsec_vpn traffic-selector ts remote-ip 0.0.0.0/0
set security ipsec anti-replay-window-size 512
set interfaces lo0 unit 0 family inet address 100.0.0.1/32
set interfaces st0 unit 1 family inet
set interfaces st0 unit 2 family inet
set interfaces st0 unit 3 family inet
set security zones security-zone vr-1_trust_zone host-inbound-traffic system-services all
set security zones security-zone vr-1_trust_zone host-inbound-traffic protocols all
set security zones security-zone vr-1_trust_zone interfaces ae1.0
set security zones security-zone vr-1_trust_zone interfaces lo0.0
set security zones security-zone vr-1_trust_zone interfaces st0.1
set security zones security-zone vr-1_trust_zone interfaces st0.2
set security zones security-zone vr-1_trust_zone interfaces st0.3
set security zones security-zone vr-1_untrust_zone host-inbound-traffic system-services all
set security zones security-zone vr-1_untrust_zone host-inbound-traffic protocols all
set security zones security-zone vr-1_untrust_zone interfaces ae1.1
set security policies from-zone vr-1_trust_zone to-zone vr-1_untrust_zone policy IPSEC_DATA_POLICY match source-address ipsec_data_source_prefix_6.0.0.0/8
set security policies from-zone vr-1_trust_zone to-zone vr-1_untrust_zone policy IPSEC_DATA_POLICY match destination-address any
set security policies from-zone vr-1_trust_zone to-zone vr-1_untrust_zone policy IPSEC_DATA_POLICY match application any
set security policies from-zone vr-1_trust_zone to-zone vr-1_untrust_zone policy IPSEC_DATA_POLICY then permit
set security policies from-zone vr-1_trust_zone to-zone vr-1_trust_zone policy IKE_ALLOW_POLICY match source-address ike_source_prefix_200.0.0.0/8
set security policies from-zone vr-1_trust_zone to-zone vr-1_trust_zone policy IKE_ALLOW_POLICY match destination-address any
set security policies from-zone vr-1_trust_zone to-zone vr-1_trust_zone policy IKE_ALLOW_POLICY match application any
set security policies from-zone vr-1_trust_zone to-zone vr-1_trust_zone policy IKE_ALLOW_POLICY then permit
set security policies default-policy permit-all
set security address-book global address ipsec_data_source_prefix_6.0.0.0/8 6.0.0.0/8
set security address-book global address ike_source_prefix_200.0.0.0/8 200.0.0.0/8
set interfaces et-1/0/0 gigether-options 802.3ad ae1
set interfaces et-1/0/1 gigether-options 802.3ad ae1
set interfaces ae1 vlan-tagging
set interfaces ae1 aggregated-ether-options minimum-links 1
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic fast
set interfaces ae1 unit 0 vlan-id 1
set interfaces ae1 unit 0 family inet address 10.1.1.0/31
set interfaces ae1 unit 0 family inet6 address 10:1:1::0/127
set interfaces ae1 unit 1 vlan-id 2
set interfaces ae1 unit 1 family inet address 10.1.1.2/31
set interfaces ae1 unit 1 family inet6 address 10:1:1::2/127
set protocols bgp group Vsrx-to-MX_TRUST type external
set protocols bgp group Vsrx-to-MX_TRUST export ike_endpoint_export_policy
set protocols bgp group Vsrx-to-MX_TRUST local-as 500
set protocols bgp group Vsrx-to-MX_TRUST bfd-liveness-detection minimum-interval 300
set protocols bgp group Vsrx-to-MX_TRUST bfd-liveness-detection minimum-receive-interval 300
set protocols bgp group Vsrx-to-MX_TRUST bfd-liveness-detection multiplier 3
set protocols bgp group Vsrx-to-MX_TRUST neighbor 10.1.1.1 peer-as 1000
set protocols bgp group Vsrx-to-MX_UNTRUST type external
set protocols bgp group Vsrx-to-MX_UNTRUST export ari_export_untrust
set protocols bgp group Vsrx-to-MX_UNTRUST local-as 500
set protocols bgp group Vsrx-to-MX_UNTRUST bfd-liveness-detection minimum-interval 300
set protocols bgp group Vsrx-to-MX_UNTRUST bfd-liveness-detection minimum-receive-interval 300
set protocols bgp group Vsrx-to-MX_UNTRUST bfd-liveness-detection multiplier 3
set protocols bgp group Vsrx-to-MX_UNTRUST neighbor 10.1.1.3 peer-as 2000
set policy-options policy-statement ari_export_untrust term 1 from protocol ari-ts
set policy-options policy-statement ari_export_untrust term 1 then accept
set policy-options policy-statement ari_export_untrust term defualt then reject
set policy-options policy-statement ike_endpoint_export_policy term 1 from protocol direct
set policy-options policy-statement ike_endpoint_export_policy term 1 from route-filter 100.0.0.1/32 exact
set policy-options policy-statement ike_endpoint_export_policy term 1 then next-hop self
set policy-options policy-statement ike_endpoint_export_policy term 1 then accept
set policy-options policy-statement ike_endpoint_export_policy term 2 then reject
set policy-options policy-statement ecmp_policy_lab then load-balance per-packet
set routing-options forwarding-table export ecmp_policy_lab
Configure SRX2
[edit] 
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group2
set security ike proposal IKE_PROP authentication-algorithm sha1
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 3600
set security ike policy IKE_POLICY proposals IKE_PROP
set security ike policy IKE_POLICY pre-shared-key ascii-text "$ABC123"
set security ike gateway avpn_ike_gw ike-policy IKE_POLICY
set security ike gateway avpn_ike_gw dynamic hostname .juniper.net
set security ike gateway avpn_ike_gw dynamic ike-user-type group-ike-id
set security ike gateway avpn_ike_gw dead-peer-detection probe-idle-tunnel
set security ike gateway avpn_ike_gw dead-peer-detection interval 10
set security ike gateway avpn_ike_gw dead-peer-detection threshold 3
set security ike gateway avpn_ike_gw local-identity hostname vsrx.juniper.net
set security ike gateway avpn_ike_gw external-interface lo0.0
set security ike gateway avpn_ike_gw local-address 100.0.0.1
set security ike gateway avpn_ike_gw version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-gcm
set security ipsec proposal IPSEC_PROP lifetime-seconds 3600
set security ipsec policy IPSEC_POLICY proposals IPSEC_PROP
set security ipsec vpn avpn_ipsec_vpn bind-interface st0.1
set security ipsec vpn avpn_ipsec_vpn ike gateway avpn_ike_gw
set security ipsec vpn avpn_ipsec_vpn ike ipsec-policy IPSEC_POLICY
set security ipsec vpn avpn_ipsec_vpn traffic-selector ts local-ip 0.0.0.0/0
set security ipsec vpn avpn_ipsec_vpn traffic-selector ts remote-ip 0.0.0.0/0
set security ipsec anti-replay-window-size 512
set interfaces lo0 unit 0 family inet address 100.0.0.1/32
set interfaces st0 unit 1 family inet
set interfaces st0 unit 2 family inet
set interfaces st0 unit 3 family inet
set security zones security-zone vr-1_trust_zone host-inbound-traffic system-services all
set security zones security-zone vr-1_trust_zone host-inbound-traffic protocols all
set security zones security-zone vr-1_trust_zone interfaces ae1.0
set security zones security-zone vr-1_trust_zone interfaces lo0.0
set security zones security-zone vr-1_trust_zone interfaces st0.1
set security zones security-zone vr-1_trust_zone interfaces st0.2
set security zones security-zone vr-1_trust_zone interfaces st0.3
set security zones security-zone vr-1_untrust_zone host-inbound-traffic system-services all
set security zones security-zone vr-1_untrust_zone host-inbound-traffic protocols all
set security zones security-zone vr-1_untrust_zone interfaces ae1.1
set security policies from-zone vr-1_trust_zone to-zone vr-1_untrust_zone policy IPSEC_DATA_POLICY match source-address ipsec_data_source_prefix_6.0.0.0/8
set security policies from-zone vr-1_trust_zone to-zone vr-1_untrust_zone policy IPSEC_DATA_POLICY match destination-address any
set security policies from-zone vr-1_trust_zone to-zone vr-1_untrust_zone policy IPSEC_DATA_POLICY match application any
set security policies from-zone vr-1_trust_zone to-zone vr-1_untrust_zone policy IPSEC_DATA_POLICY then permit
set security policies from-zone vr-1_trust_zone to-zone vr-1_trust_zone policy IKE_ALLOW_POLICY match source-address ike_source_prefix_200.0.0.0/8
set security policies from-zone vr-1_trust_zone to-zone vr-1_trust_zone policy IKE_ALLOW_POLICY match destination-address any
set security policies from-zone vr-1_trust_zone to-zone vr-1_trust_zone policy IKE_ALLOW_POLICY match application any
set security policies from-zone vr-1_trust_zone to-zone vr-1_trust_zone policy IKE_ALLOW_POLICY then permit
set security policies default-policy permit-all
set security address-book global address ipsec_data_source_prefix_6.0.0.0/8 6.0.0.0/8
set security address-book global address ike_source_prefix_200.0.0.0/8 200.0.0.0/8
set interfaces et-1/0/0 gigether-options 802.3ad ae1
set interfaces et-1/0/1 gigether-options 802.3ad ae1
set interfaces ae1 vlan-tagging
set interfaces ae1 aggregated-ether-options minimum-links 1
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic fast
set interfaces ae1 unit 0 vlan-id 9
set interfaces ae1 unit 0 family inet address 10.1.1.8/31
set interfaces ae1 unit 0 family inet6 address 10:2:2::0/127
set interfaces ae1 unit 1 vlan-id 10
set interfaces ae1 unit 1 family inet address 10.1.1.10/31
set interfaces ae1 unit 1 family inet6 address 10:2:2::2/127
set protocols bgp group Vsrx-to-MX_TRUST type external
set protocols bgp group Vsrx-to-MX_TRUST export ike_endpoint_export_policy
set protocols bgp group Vsrx-to-MX_TRUST local-as 500
set protocols bgp group Vsrx-to-MX_TRUST bfd-liveness-detection minimum-interval 300
set protocols bgp group Vsrx-to-MX_TRUST bfd-liveness-detection minimum-receive-interval 300
set protocols bgp group Vsrx-to-MX_TRUST bfd-liveness-detection multiplier 3
set protocols bgp group Vsrx-to-MX_TRUST neighbor 10.1.1.9 peer-as 1000
set protocols bgp group Vsrx-to-MX_UNTRUST type external
set protocols bgp group Vsrx-to-MX_UNTRUST export ari_export_untrust
set protocols bgp group Vsrx-to-MX_UNTRUST local-as 500
set protocols bgp group Vsrx-to-MX_UNTRUST bfd-liveness-detection minimum-interval 300
set protocols bgp group Vsrx-to-MX_UNTRUST bfd-liveness-detection minimum-receive-interval 300
set protocols bgp group Vsrx-to-MX_UNTRUST bfd-liveness-detection multiplier 3
set protocols bgp group Vsrx-to-MX_UNTRUST neighbor 10.1.1.11 peer-as 2000
set policy-options policy-statement ari_export_untrust term 1 from protocol ari-ts
set policy-options policy-statement ari_export_untrust term 1 then accept
set policy-options policy-statement ari_export_untrust term defualt then reject
set policy-options policy-statement ike_endpoint_export_policy term 1 from protocol direct
set policy-options policy-statement ike_endpoint_export_policy term 1 from route-filter 100.0.0.1/32 exact
set policy-options policy-statement ike_endpoint_export_policy term 1 then next-hop self
set policy-options policy-statement ike_endpoint_export_policy term 1 then accept
set policy-options policy-statement ike_endpoint_export_policy term 2 then reject
set policy-options policy-statement ecmp_policy_lab then load-balance per-packet
set routing-options forwarding-table export ecmp_policy_lab
Configure SRX3
[edit] 
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group2
set security ike proposal IKE_PROP authentication-algorithm sha1
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 3600
set security ike policy IKE_POLICY proposals IKE_PROP
set security ike policy IKE_POLICY pre-shared-key ascii-text "$ABC123"
set security ike gateway avpn_ike_gw ike-policy IKE_POLICY
set security ike gateway avpn_ike_gw dynamic hostname .juniper.net
set security ike gateway avpn_ike_gw dynamic ike-user-type group-ike-id
set security ike gateway avpn_ike_gw dead-peer-detection probe-idle-tunnel
set security ike gateway avpn_ike_gw dead-peer-detection interval 10
set security ike gateway avpn_ike_gw dead-peer-detection threshold 3
set security ike gateway avpn_ike_gw local-identity hostname vsrx.juniper.net
set security ike gateway avpn_ike_gw external-interface lo0.0
set security ike gateway avpn_ike_gw local-address 100.0.0.1
set security ike gateway avpn_ike_gw version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-gcm
set security ipsec proposal IPSEC_PROP lifetime-seconds 3600
set security ipsec policy IPSEC_POLICY proposals IPSEC_PROP
set security ipsec vpn avpn_ipsec_vpn bind-interface st0.1
set security ipsec vpn avpn_ipsec_vpn ike gateway avpn_ike_gw
set security ipsec vpn avpn_ipsec_vpn ike ipsec-policy IPSEC_POLICY
set security ipsec vpn avpn_ipsec_vpn traffic-selector ts local-ip 0.0.0.0/0
set security ipsec vpn avpn_ipsec_vpn traffic-selector ts remote-ip 0.0.0.0/0
set security ipsec anti-replay-window-size 512
set interfaces lo0 unit 0 family inet address 100.0.0.1/32
set interfaces st0 unit 1 family inet
set interfaces st0 unit 2 family inet
set interfaces st0 unit 3 family inet
set security zones security-zone vr-1_trust_zone host-inbound-traffic system-services all
set security zones security-zone vr-1_trust_zone host-inbound-traffic protocols all
set security zones security-zone vr-1_trust_zone interfaces ae1.0
set security zones security-zone vr-1_trust_zone interfaces lo0.0
set security zones security-zone vr-1_trust_zone interfaces st0.1
set security zones security-zone vr-1_trust_zone interfaces st0.2
set security zones security-zone vr-1_trust_zone interfaces st0.3
set security zones security-zone vr-1_untrust_zone host-inbound-traffic system-services all
set security zones security-zone vr-1_untrust_zone host-inbound-traffic protocols all
set security zones security-zone vr-1_untrust_zone interfaces ae1.1
set security policies from-zone vr-1_trust_zone to-zone vr-1_untrust_zone policy IPSEC_DATA_POLICY match source-address ipsec_data_source_prefix_6.0.0.0/8
set security policies from-zone vr-1_trust_zone to-zone vr-1_untrust_zone policy IPSEC_DATA_POLICY match destination-address any
set security policies from-zone vr-1_trust_zone to-zone vr-1_untrust_zone policy IPSEC_DATA_POLICY match application any
set security policies from-zone vr-1_trust_zone to-zone vr-1_untrust_zone policy IPSEC_DATA_POLICY then permit
set security policies from-zone vr-1_trust_zone to-zone vr-1_trust_zone policy IKE_ALLOW_POLICY match source-address ike_source_prefix_200.0.0.0/8
set security policies from-zone vr-1_trust_zone to-zone vr-1_trust_zone policy IKE_ALLOW_POLICY match destination-address any
set security policies from-zone vr-1_trust_zone to-zone vr-1_trust_zone policy IKE_ALLOW_POLICY match application any
set security policies from-zone vr-1_trust_zone to-zone vr-1_trust_zone policy IKE_ALLOW_POLICY then permit
set security policies default-policy permit-all
set security address-book global address ipsec_data_source_prefix_6.0.0.0/8 6.0.0.0/8
set security address-book global address ike_source_prefix_200.0.0.0/8 200.0.0.0/8
set interfaces et-1/0/0 gigether-options 802.3ad ae1
set interfaces et-1/0/1 gigether-options 802.3ad ae1
set interfaces ae1 vlan-tagging
set interfaces ae1 aggregated-ether-options minimum-links 1
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic fast
set interfaces ae1 unit 0 vlan-id 9
set interfaces ae1 unit 0 family inet address 10.1.1.16/31
set interfaces ae1 unit 1 vlan-id 10
set interfaces ae1 unit 1 family inet address 10.1.1.18/31
set protocols bgp group Vsrx-to-MX_TRUST type external
set protocols bgp group Vsrx-to-MX_TRUST export ike_endpoint_export_policy
set protocols bgp group Vsrx-to-MX_TRUST local-as 500
set protocols bgp group Vsrx-to-MX_TRUST bfd-liveness-detection minimum-interval 300
set protocols bgp group Vsrx-to-MX_TRUST bfd-liveness-detection minimum-receive-interval 300
set protocols bgp group Vsrx-to-MX_TRUST bfd-liveness-detection multiplier 3
set protocols bgp group Vsrx-to-MX_TRUST neighbor 10.1.1.17 peer-as 1000
set protocols bgp group Vsrx-to-MX_UNTRUST type external
set protocols bgp group Vsrx-to-MX_UNTRUST export ari_export_untrust
set protocols bgp group Vsrx-to-MX_UNTRUST local-as 500
set protocols bgp group Vsrx-to-MX_UNTRUST bfd-liveness-detection minimum-interval 300
set protocols bgp group Vsrx-to-MX_UNTRUST bfd-liveness-detection minimum-receive-interval 300
set protocols bgp group Vsrx-to-MX_UNTRUST bfd-liveness-detection multiplier 3
set protocols bgp group Vsrx-to-MX_UNTRUST neighbor 10.1.1.19 peer-as 2000
set policy-options policy-statement ari_export_untrust term 1 from protocol ari-ts
set policy-options policy-statement ari_export_untrust term 1 then accept
set policy-options policy-statement ari_export_untrust term defualt then reject
set policy-options policy-statement ike_endpoint_export_policy term 1 from protocol direct
set policy-options policy-statement ike_endpoint_export_policy term 1 from route-filter 100.0.0.1/32 exact
set policy-options policy-statement ike_endpoint_export_policy term 1 then next-hop self
set policy-options policy-statement ike_endpoint_export_policy term 1 then accept
set policy-options policy-statement ike_endpoint_export_policy term 2 then reject
set policy-options policy-statement ecmp_policy_lab then load-balance per-packet
set routing-options forwarding-table export ecmp_policy_lab
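
The three SRX configurations above share the same IKE proposal, zone and default-policy statements, so they can be reviewed with one pass before the example is reused outside a lab. The following Python sketch is an added example, not Juniper code: the rule names and the `audit` function are hypothetical, the first input is copied from this page, and the second input is a constructed variant that assumes explicit security policies cover every required flow.

```python
import re

# Statements copied from the SRX configuration on this page (same on SRX1, SRX2, SRX3).
PAGE_CONFIG = """\
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group2
set security ike proposal IKE_PROP authentication-algorithm sha1
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-gcm
set security zones security-zone vr-1_trust_zone host-inbound-traffic system-services all
set security zones security-zone vr-1_trust_zone host-inbound-traffic protocols all
set security zones security-zone vr-1_untrust_zone host-inbound-traffic system-services all
set security zones security-zone vr-1_untrust_zone host-inbound-traffic protocols all
set security policies default-policy permit-all
"""

# Constructed variant (an assumption, not from the page): stronger IKE parameters,
# only the host-inbound services this design uses (IKE, BGP, BFD), default deny.
TIGHTENED_CONFIG = """\
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security zones security-zone vr-1_trust_zone host-inbound-traffic system-services ike
set security zones security-zone vr-1_trust_zone host-inbound-traffic protocols bgp
set security zones security-zone vr-1_trust_zone host-inbound-traffic protocols bfd
set security zones security-zone vr-1_untrust_zone host-inbound-traffic protocols bgp
set security zones security-zone vr-1_untrust_zone host-inbound-traffic protocols bfd
set security policies default-policy deny-all
"""

# (rule id, pattern over one normalised "set" statement, message template).
# Rule ids are hypothetical labels chosen for this example.
RULES = [
    ("weak-dh-group",
     re.compile(r"^set security ike proposal (\S+) dh-group (group1|group2|group5)$"),
     "IKE proposal {0} uses {1}, a MODP group of 1536 bits or less"),
    ("weak-hash",
     re.compile(r"^set security (ike|ipsec) proposal (\S+) authentication-algorithm "
                r"(md5|sha1|hmac-md5-96|hmac-sha1-96)$"),
     "{0} proposal {1} authenticates with {2}"),
    ("open-host-inbound",
     re.compile(r"^set security zones security-zone (\S+) host-inbound-traffic "
                r"(system-services|protocols) all$"),
     "zone {0} accepts all {1} addressed to the firewall itself"),
    ("permit-all-default",
     re.compile(r"^set security policies default-policy permit-all$"),
     "traffic that matches no policy is permitted"),
]


def audit(config):
    """Return [(line number, rule id, message)] for every statement a rule matches."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = " ".join(raw.split())  # collapse whitespace from copy and paste
        if not line.startswith("set "):
            continue  # skip prompts such as "[edit]" and blank lines
        for rule_id, pattern, message in RULES:
            match = pattern.match(line)
            if match:
                findings.append((lineno, rule_id, message.format(*match.groups())))
    return findings


if __name__ == "__main__":
    for lineno, rule_id, message in audit(PAGE_CONFIG):
        print(f"line {lineno}: [{rule_id}] {message}")
```
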

Verification

The following sections list the show commands used to verify the feature in this example.

  • Verify MX Series configuration
  • Verify SRX1 configuration
  • Verify SRX2 configuration
  • Verify SRX3 configuration
Verify MX Series Configuration
user@MX304# run show route 100.0.0.1/32 active-path
              TRUST_VR.inet.0: 12 destinations, 14 routes (12 active, 0 holddown, 0 hidden)
              + = Active Route, - = Last Active, * = Both
              100.0.0.1/32       *[BGP/170] 03:14:10, localpref 100
                                   AS path: 500 I, validation-state: unverified
                                    to 10.1.1.0 via ae1.0
                                 >  to 10.1.1.8 via ae2.0
                                    to 10.1.1.16 via ae3.0
user@MX304# run show route 100.0.0.1/32 active-path extensive
              TRUST_VR.inet.0: 12 destinations, 14 routes (12 active, 0 holddown, 0 hidden)
              100.0.0.1/32 (3 entries, 1 announced)
              TSI:
              KRT in-kernel 100.0.0.1/32 -> {list:10.1.1.0, 10.1.1.8, 10.1.1.16 Flags source ip load-balance}
              Page 0 idx 1, (group MX-to-TRUST_GW_Router type External) Type 1 val 0x12b04ce0 (adv_entry)
                Advertised metrics:
                  Flags: Nexthop Change
                  Nexthop: Self
                  AS path: [1000] 500 I
                  Communities:
                 Advertise: 00000001
              Path 100.0.0.1
              from 10.1.1.8
              Vector len 4.  Val: 1
                     *BGP    Preference: 170/-101
                             Next hop type: Router, Next hop index: 0
                             Address: 0xf918b24
                             Next-hop reference count: 2, Next-hop session id: 0
                             Kernel Table Id: 0
                             Source: 10.1.1.8
                             Next hop: 10.1.1.0 via ae1.0
                             Session Id: 0
                             Next hop: 10.1.1.8 via ae2.0, selected
                             Session Id: 0
                             Next hop: 10.1.1.16 via ae3.0
                             Session Id: 0
                             State: <Active Ext LoadBalConsistentHash>
                             Local AS:  1000 Peer AS:   500
                             Age: 3:14:15
                             Validation State: unverified
                             Task: BGP_500_1000.10.1.1.8
                             Announcement bits (3): 0-KRT 1-BGP_Multi_Path 2-BGP_RT_Background
                             AS path: 500 I
                             Accepted Multipath
                             Localpref: 100
                             Router ID: 10.255.33.26
                             Thread: junos-main
user@MX304# run show route 75/8
              UNTRUST_VR.inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)
              + = Active Route, - = Last Active, * = Both
              75.0.0.0/8         *[BGP/170] 06:27:07, localpref 100
                                   AS path: 2500 I, validation-state: unverified
                                 >  to 80.1.1.1 via ae10.80
user@MX304# run show route 6/8
              UNTRUST_VR.inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)
              + = Active Route, - = Last Active, * = Both
              6.0.0.1/32         *[BGP/170] 03:13:30, MED 5, localpref 100
                                   AS path: 500 I, validation-state: unverified
                                 >  to 10.1.1.18 via ae3.1
              6.0.0.2/32         *[BGP/170] 03:13:31, MED 5, localpref 100
                                   AS path: 500 I, validation-state: unverified
                                 >  to 10.1.1.10 via ae2.1
              6.0.0.3/32         *[BGP/170] 02:12:57, MED 5, localpref 100
                                   AS path: 500 I, validation-state: unverified
                                 >  to 10.1.1.2 via ae1.1
user@MX304# run show route 200/8
              TRUST_VR.inet.0: 12 destinations, 14 routes (12 active, 0 holddown, 0 hidden)
              + = Active Route, - = Last Active, * = Both
              200.0.0.1/32       *[BGP/170] 06:26:30, localpref 100
                                   AS path: 1500 I, validation-state: unverified
                                 >  to 40.1.1.1 via ae10.40
              200.0.0.2/32       *[BGP/170] 06:26:30, localpref 100
                                   AS path: 1500 I, validation-state: unverified
                                 >  to 40.1.1.1 via ae10.40
              200.0.0.6/32       *[BGP/170] 02:14:13, localpref 100
                                   AS path: 1500 I, validation-state: unverified
                                 >  to 40.1.1.1 via ae10.40
user@MX304# run show bgp summary
              Warning: License key missing; requires 'bgp' license
              Threading mode: BGP I/O
              Default eBGP mode: advertise - accept, receive - accept
              Groups: 8 Peers: 8 Down peers: 0
              Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
              10.1.1.0                500        501        493       0       6     3:44:50 Establ
               TRUST_VR.inet.0: 1/1/1/0
              10.1.1.2                500        466        449       0       6     3:25:47 Establ
               UNTRUST_VR.inet.0: 1/1/1/0
              10.1.1.8                500        503        495       0       5     3:45:35 Establ
               TRUST_VR.inet.0: 1/1/1/0
              10.1.1.10               500        529        504       0       3     3:50:55 Establ
               UNTRUST_VR.inet.0: 1/1/1/0
              10.1.1.16               500        780        768       0       3     5:50:32 Establ
               TRUST_VR.inet.0: 1/1/1/0
              10.1.1.18               500        792        763       0       2     5:50:37 Establ
               UNTRUST_VR.inet.0: 1/1/1/0
              40.1.1.1               1500      13601      13345       0       1  4d 7:42:56 Establ
               TRUST_VR.inet.0: 3/3/3/0
              80.1.1.1               2500      13588      13405       0       1  4d 7:42:56 Establ
               UNTRUST_VR.inet.0: 1/1/1/0
user@MX304# run show bfd session
                                                               Detect   Transmit
              Address                  State     Interface      Time     Interval  Multiplier
              10.1.1.0                 Up        ae1.0          0.900     0.300        3
              10.1.1.2                 Up        ae1.1          0.900     0.300        3
              10.1.1.8                 Up        ae2.0          0.900     0.300        3
              10.1.1.10                Up        ae2.1          0.900     0.300        3
              10.1.1.16                Up        ae3.0          0.900     0.300        3
              10.1.1.18                Up        ae3.1          0.900     0.300        3
              40.1.1.1                 Up        ae10.40        0.900     0.300        3
              80.1.1.1                 Up        ae10.80        0.900     0.300        3
              8 sessions, 8 clients
              Cumulative transmit rate 26.7 pps, cumulative receive rate 26.7 pps
Verify IPsec Initiator Configuration
user@IPsec# run show security ike security-associations
              Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
              380363  UP     a8b642f8a828eb57  de97df1ba140e292  IKEv2          100.0.0.1
              380364  UP     55b7e5a43d7462ba  201a1b9523442c50  IKEv2          100.0.0.1
              380365  UP     3484ff0e307d1ddc  869cabffae9d261e  IKEv2          100.0.0.1
user@IPsec# run show security ipsec security-associations
               Total active tunnels: 3     Total IPsec sas: 3
               ID      Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
               <542828 ESP:aes-gcm-256/aes256-gcm 0xd23dbafa 3009/ unlim - root 500 100.0.0.1
               >542828 ESP:aes-gcm-256/aes256-gcm 0xb74e6311 3009/ unlim - root 500 100.0.0.1
               <542827 ESP:aes-gcm-256/aes256-gcm 0xb2943202 3053/ unlim - root 500 100.0.0.1
               >542827 ESP:aes-gcm-256/aes256-gcm 0xd87a527b 3053/ unlim - root 500 100.0.0.1
               <542832 ESP:aes-gcm-256/aes256-gcm 0x960b3fe9 834/ unlim - root 500 100.0.0.1
               >542832 ESP:aes-gcm-256/aes256-gcm 0x1143a22f 834/ unlim - root 500 100.0.0.1
Verify SRX1 Configuration
user@SRX1> show security ike security-associations
              Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
              20      UP     a8b642f8a828eb57  de97df1ba140e292  IKEv2          200.0.0.6
user@SRX1> show security ipsec security-associations
               Total active tunnels: 1     Total IPsec sas: 1
               ID      Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
               <500017 ESP:aes-gcm-256/aes256-gcm 0x1143a22f 1314/ unlim - root 500 200.0.0.6
               >500017 ESP:aes-gcm-256/aes256-gcm 0x960b3fe9 1314/ unlim - root 500 200.0.0.6
user@SRX1> show bgp summary
              Threading mode: BGP I/O
              Default eBGP mode: advertise - accept, receive - accept
              Groups: 2 Peers: 2 Down peers: 0
              Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
              inet.0
                                    4          4          0          0          0          0
              Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
              10.1.1.1               1000        500        505       0       4     3:47:18 Establ
               inet.0: 3/3/3/0
              10.1.1.3               2000        456        470       0       4     3:28:15 Establ
               inet.0: 1/1/1/0
user@SRX1> show bfd session
                                                               Detect   Transmit
              Address                  State     Interface      Time     Interval  Multiplier
              10.1.1.1                 Up        ae1.0          0.900     0.300        3
              10.1.1.3                 Up        ae1.1          0.900     0.300        3
              2 sessions, 2 clients
              Cumulative transmit rate 6.7 pps, cumulative receive rate 6.7 pps
user@SRX1> show route 200.0.0.0/8
              inet.0: 27 destinations, 27 routes (26 active, 0 holddown, 1 hidden)
              + = Active Route, - = Last Active, * = Both
              200.0.0.1/32       *[BGP/170] 03:47:45, localpref 100
                                   AS path: 1000 1500 I, validation-state: unverified
                                 >  to 10.1.1.1 via ae1.0
              200.0.0.2/32       *[BGP/170] 03:47:45, localpref 100
                                   AS path: 1000 1500 I, validation-state: unverified
                                 >  to 10.1.1.1 via ae1.0
              200.0.0.6/32       *[BGP/170] 02:16:35, localpref 100
                                   AS path: 1000 1500 I, validation-state: unverified
                                 >  to 10.1.1.1 via ae1.0
user@SRX1> show route 6.0.0.0/8
              inet.0: 27 destinations, 27 routes (26 active, 0 holddown, 1 hidden)
              + = Active Route, - = Last Active, * = Both
              6.0.0.3/32         *[ARI-TS/5] 02:16:49, metric 5
                                 >  via st0.1
user@SRX1> show route 75.0.0.0/8
              inet.0: 27 destinations, 27 routes (26 active, 0 holddown, 1 hidden)
              + = Active Route, - = Last Active, * = Both
              75.0.0.0/8         *[BGP/170] 03:29:51, localpref 100
                                   AS path: 2000 2500 I, validation-state: unverified
                                 >  to 10.1.1.3 via ae1.1
user@SRX1> show security flow session protocol esp
              Session ID: 2894133, Policy name: N/A, Timeout: N/A, Session State: Valid
               In: 200.0.0.6/0 --> 100.0.0.1/0;esp, Conn Tag: 0x0, If: ae1.0, Pkts: 0, Bytes: 0,
              Session ID: 2894160, Policy name: N/A, Timeout: N/A, Session State: Valid
               In: 200.0.0.6/4419 --> 100.0.0.1/41519;esp, Conn Tag: 0x0, If: lo0.0, Pkts: 0, Bytes: 0,
              Total sessions: 2
user@SRX1> show security flow session protocol udp source-prefix 75.0.0.0/8
              Session ID: 2894145, Policy name: IPSEC_DATA_POLICY, Timeout: 60, Session State: Valid
               In: 75.0.0.3/2001 --> 6.0.0.3/1002;udp, Conn Tag: 0x0, If: ae1.1, Pkts: 51609457, Bytes: 30036703974,
               Out: 6.0.0.3/1002 --> 75.0.0.3/2001;udp, Conn Tag: 0x0, If: st0.1, Pkts: 7741418, Bytes: 4505505276,
Verify SRX2 Configuration
user@SRX2> show security ike security-associations
              Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
              26      UP     3484ff0e307d1ddc  869cabffae9d261e  IKEv2          200.0.0.2
user@SRX2> show security ipsec security-associations
               Total active tunnels: 1     Total IPsec sas: 1
               ID      Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
               <500018 ESP:aes-gcm-256/aes256-gcm 0xd87a527b 3257/ unlim - root 500 200.0.0.2
               >500018 ESP:aes-gcm-256/aes256-gcm 0xb2943202 3257/ unlim - root 500 200.0.0.2
user@SRX2> show bgp summary
              Threading mode: BGP I/O
              Default eBGP mode: advertise - accept, receive - accept
              Groups: 2 Peers: 2 Down peers: 0
              Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
              inet.0
                                    4          4          0          0          0          0
              Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
              10.1.1.9               1000        511        516       0       3     3:52:21 Establ
               inet.0: 3/3/3/0
              10.1.1.11              2000        520        542       0       1     3:57:40 Establ
               inet.0: 1/1/1/0
user@SRX2> show bfd session
                                                               Detect   Transmit
              Address                  State     Interface      Time     Interval  Multiplier
              10.1.1.9                 Up        ae1.0          0.900     0.300        3
              10.1.1.11                Up        ae1.1          0.900     0.300        3
              2 sessions, 2 clients
              Cumulative transmit rate 6.7 pps, cumulative receive rate 6.7 pps
user@SRX2> show route 200.0.0.0/8
              inet.0: 29 destinations, 29 routes (28 active, 0 holddown, 1 hidden)
              + = Active Route, - = Last Active, * = Both
              200.0.0.1/32       *[BGP/170] 03:52:29, localpref 100
                                   AS path: 1000 1500 I, validation-state: unverified
                                 >  to 10.1.1.9 via ae1.0
              200.0.0.2/32       *[BGP/170] 03:52:29, localpref 100
                                   AS path: 1000 1500 I, validation-state: unverified
                                 >  to 10.1.1.9 via ae1.0
              200.0.0.6/32       *[BGP/170] 02:20:34, localpref 100
                                   AS path: 1000 1500 I, validation-state: unverified
                                 >  to 10.1.1.9 via ae1.0
user@SRX2> show route 6.0.0.0/8
              inet.0: 29 destinations, 29 routes (28 active, 0 holddown, 1 hidden)
              + = Active Route, - = Last Active, * = Both
              6.0.0.2/32         *[ARI-TS/5] 03:21:10, metric 5
                                 >  via st0.1
user@SRX2> show route 75.0.0.0/8
              inet.0: 29 destinations, 29 routes (28 active, 0 holddown, 1 hidden)
              + = Active Route, - = Last Active, * = Both
              75.0.0.0/8         *[BGP/170] 03:58:00, localpref 100
                                   AS path: 2000 2500 I, validation-state: unverified
                                 >  to 10.1.1.11 via ae1.1
user@SRX2> show security flow session protocol esp
              Session ID: 2897660, Policy name: N/A, Timeout: N/A, Session State: Valid
               In: 200.0.0.2/0 --> 100.0.0.1/0;esp, Conn Tag: 0x0, If: ae1.0, Pkts: 0, Bytes: 0,
              Session ID: 2897694, Policy name: N/A, Timeout: N/A, Session State: Valid
               In: 200.0.0.2/55418 --> 100.0.0.1/21115;esp, Conn Tag: 0x0, If: lo0.0, Pkts: 0, Bytes: 0,
              Total sessions: 2
user@SRX2> show security flow session protocol udp source-prefix 75.0.0.0/8
              Session ID: 2897677, Policy name: IPSEC_DATA_POLICY, Timeout: 60, Session State: Valid
               In: 75.0.0.2/2001 --> 6.0.0.2/1009;udp, Conn Tag: 0x0, If: ae1.1, Pkts: 52336685, Bytes: 30459950670,
               Out: 6.0.0.2/1009 --> 75.0.0.2/2001;udp, Conn Tag: 0x0, If: st0.1, Pkts: 7850503, Bytes: 4568992746,
Verify SRX3 Configuration
user@SRX3> show security ike security-associations
              Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
              19      UP     55b7e5a43d7462ba  201a1b9523442c50  IKEv2          200.0.0.1
user@SRX3> show security ipsec security-associations
               Total active tunnels: 1     Total IPsec sas: 1
               ID      Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
               <500009 ESP:aes-gcm-256/aes256-gcm 0xb74e6311 3107/ unlim - root 500 200.0.0.1
               >500009 ESP:aes-gcm-256/aes256-gcm 0xd23dbafa 3107/ unlim - root 500 200.0.0.1
user@SRX3> show bgp summary
              Threading mode: BGP I/O
              Default eBGP mode: advertise - accept, receive - accept
              Groups: 2 Peers: 2 Down peers: 0
              Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
              inet.0
                                    4          4          0          0          0          0
              Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
              10.1.1.17              1000        787        797       0       1     5:58:59 Establ
               inet.0: 3/3/3/0
              10.1.1.19              2000        783        810       0       0     5:59:04 Establ
               inet.0: 1/1/1/0
user@SRX3> show bfd session
                                                               Detect   Transmit
              Address                  State     Interface      Time     Interval  Multiplier
              10.1.1.17                Up        ae1.0          0.900     0.300        3
              10.1.1.19                Up        ae1.1          0.900     0.300        3
              2 sessions, 2 clients
              Cumulative transmit rate 6.7 pps, cumulative receive rate 6.7 pps
user@SRX3> show route 200.0.0.0/8
              inet.0: 26 destinations, 26 routes (26 active, 0 holddown, 0 hidden)
              + = Active Route, - = Last Active, * = Both
              200.0.0.1/32       *[BGP/170] 05:59:07, localpref 100
                                   AS path: 1000 1500 I, validation-state: unverified
                                 >  to 10.1.1.17 via ae1.0
              200.0.0.2/32       *[BGP/170] 05:59:07, localpref 100
                                   AS path: 1000 1500 I, validation-state: unverified
                                 >  to 10.1.1.17 via ae1.0
              200.0.0.6/32       *[BGP/170] 02:22:15, localpref 100
                                   AS path: 1000 1500 I, validation-state: unverified
                                 >  to 10.1.1.17 via ae1.0
user@SRX3> show route 6.0.0.0/8
              inet.0: 26 destinations, 26 routes (26 active, 0 holddown, 0 hidden)
              + = Active Route, - = Last Active, * = Both
              6.0.0.1/32         *[ARI-TS/5] 03:22:51, metric 5
                                 >  via st0.1
user@SRX3> show route 75.0.0.0/8
              inet.0: 26 destinations, 26 routes (26 active, 0 holddown, 0 hidden)
              + = Active Route, - = Last Active, * = Both
              75.0.0.0/8         *[BGP/170] 05:59:22, localpref 100
                                   AS path: 2000 2500 I, validation-state: unverified
                                 >  to 10.1.1.19 via ae1.1
user@SRX3> show security flow session protocol esp
              Session ID: 2889066, Policy name: N/A, Timeout: N/A, Session State: Valid
               In: 200.0.0.1/0 --> 100.0.0.1/0;esp, Conn Tag: 0x0, If: ae1.0, Pkts: 0, Bytes: 0,
              Session ID: 2889104, Policy name: N/A, Timeout: N/A, Session State: Valid
               In: 200.0.0.1/46926 --> 100.0.0.1/25361;esp, Conn Tag: 0x0, If: lo0.0, Pkts: 0, Bytes: 0,
              Total sessions: 2
user@SRX3> show security flow session protocol udp source-prefix 75.0.0.0/8
              Session ID: 2889087, Policy name: IPSEC_DATA_POLICY, Timeout: 60, Session State: Valid
               In: 75.0.0.1/2001 --> 6.0.0.1/1005;udp, Conn Tag: 0x0, If: ae1.1, Pkts: 53008715, Bytes: 30851072130,
               Out: 6.0.0.1/1005 --> 75.0.0.1/2001;udp, Conn Tag: 0x0, If: st0.1, Pkts: 7951308, Bytes: 4627661256,
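The following Python check is an added example, not part of the Juniper documentation. It cross-references the `show security ike security-associations` and `show security ipsec security-associations` output of one SRX, confirming that every IPsec tunnel ID has an SA under both direction markers (`<` and `>`) and that its gateway has an IKE SA in the UP state. The function names are hypothetical, and the sample text is the SRX3 output copied from this page.

```python
# Sample text: the SRX3 verification output shown on this page.
IKE_OUT = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
19      UP     55b7e5a43d7462ba  201a1b9523442c50  IKEv2          200.0.0.1
"""
IPSEC_OUT = """\
Total active tunnels: 1     Total IPsec sas: 1
ID      Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
<500009 ESP:aes-gcm-256/aes256-gcm 0xb74e6311 3107/ unlim - root 500 200.0.0.1
>500009 ESP:aes-gcm-256/aes256-gcm 0xd23dbafa 3107/ unlim - root 500 200.0.0.1
"""


def parse_ike(text):
    """Return {remote_address: state} for each IKE SA row (rows start with an index)."""
    sas = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].isdigit():
            sas[f[5]] = f[1]
    return sas


def parse_ipsec(text):
    """Return {tunnel_id: {"dirs": set, "gateways": set}} for each IPsec SA row."""
    tunnels = {}
    for line in text.splitlines():
        f = line.split()
        # SA rows start with a direction marker fused to the tunnel ID, e.g. "<500009".
        if f and f[0][0] in "<>" and f[0][1:].isdigit():
            t = tunnels.setdefault(f[0][1:], {"dirs": set(), "gateways": set()})
            t["dirs"].add(f[0][0])
            t["gateways"].add(f[-1])  # gateway is the last column
    return tunnels


def check_vpn(ike_text, ipsec_text):
    """Return a list of problems; an empty list means the two outputs agree."""
    ike, tunnels = parse_ike(ike_text), parse_ipsec(ipsec_text)
    problems = [f"IKE SA to {gw} is {st}" for gw, st in ike.items() if st != "UP"]
    if not tunnels:
        problems.append("no IPsec SAs")
    for tid, t in sorted(tunnels.items()):
        if t["dirs"] != {"<", ">"}:
            problems.append(f"tunnel {tid}: SA missing in one direction")
        for gw in sorted(t["gateways"]):
            if ike.get(gw) != "UP":
                problems.append(f"tunnel {tid}: no UP IKE SA for gateway {gw}")
    return problems
```

Run `check_vpn()` against the captured output of each SRX in turn; a non-empty result names the tunnel or gateway to investigate.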