Appendix: Test Case Example Information
Virtual Test Lab
The examples in this appendix to the JVDE are evaluated in a virtual test lab consisting of a vJunos-switch, a vMX router, and vSRX V3.0 firewalls. We did not build a pair of virtual service block switches, but we made sure that both types of WAN router (router and firewall) were available as redundant pairs. This is not the lab used for the validation testing, which required physical hardware. We show it as an example of something you can build yourself, for instance with EVE-NG, to test the configuration examples. The fabric in this case was configured as IP Clos.
L2 Exit with Stretched VLAN
When you create any VLAN or VRF for the campus fabric, remember the following best practices:
- Do not use this method in a production environment. Use the transport VLAN method instead.
- Create all VLANs in a switch template and then import them in the Campus Fabric dialogue. Creating VLANs anywhere else in the Mist GUI leads to inconsistency, which makes issues hard to resolve.
- If needed, the fabric creates any required VRFs. Do not create VRFs manually elsewhere in the Mist GUI.
- We recommend that you create port profiles within switch templates so that any change is kept in sync on all switches in a fabric.
The following JSON is the exported version of the switch template used in this fabric. Use it to review your own setup before importing. Note that there is only one VLAN per VRF, which is why the stretched approach is needed here: the access VLAN itself is extended to the WAN router.
{
  "additional_config_cmds": [],
  "networks": {
    "vlan1099": { "vlan_id": 1099, "subnet": "10.99.99.0/24" },
    "vlan1088": { "vlan_id": 1088, "subnet": "10.88.88.0/24" },
    "vlan1033": { "vlan_id": 1033, "subnet": "10.33.33.0/24" }
  },
  "port_usages": {
    "vlan1099": {
      "mode": "access",
      "disabled": false,
      "port_network": "vlan1099",
      "voip_network": null,
      "stp_edge": false,
      "mac_auth_protocol": null,
      "all_networks": false,
      "networks": null,
      "port_auth": null,
      "enable_mac_auth": null,
      "mac_auth_only": null,
      "guest_network": null,
      "bypass_auth_when_server_down": null,
      "speed": "auto",
      "duplex": "auto",
      "mac_limit": 0,
      "persist_mac": false,
      "poe_disabled": false,
      "enable_qos": false,
      "storm_control": {},
      "mtu": null,
      "description": "",
      "disable_autoneg": false
    },
    "vlan1088": {
      "mode": "access",
      "disabled": false,
      "port_network": "vlan1088",
      "voip_network": null,
      "stp_edge": false,
      "mac_auth_protocol": null,
      "all_networks": false,
      "networks": null,
      "port_auth": null,
      "enable_mac_auth": null,
      "mac_auth_only": null,
      "guest_network": null,
      "bypass_auth_when_server_down": null,
      "speed": "auto",
      "duplex": "auto",
      "mac_limit": 0,
      "persist_mac": false,
      "poe_disabled": false,
      "enable_qos": false,
      "storm_control": {},
      "mtu": null,
      "description": "",
      "disable_autoneg": false
    },
    "dynamic": {
      "mode": "dynamic",
      "reset_default_when": "link_down",
      "rules": []
    }
  },
  "switch_matching": { "enable": true, "rules": [] },
  "switch_mgmt": {
    "config_revert_timer": 10,
    "root_password": "<password>",
    "protect_re": { "enabled": false },
    "tacacs": { "enabled": false }
  },
  "mist_nac": { "enabled": true, "network": null },
  "radius_config": {
    "auth_servers": [],
    "acct_servers": [],
    "auth_servers_timeout": 5,
    "auth_servers_retries": 3,
    "fast_dot1x_timers": false,
    "acct_interim_interval": 0,
    "auth_server_selection": "ordered",
    "coa_enabled": false,
    "coa_port": ""
  },
  "vrf_config": { "enabled": false },
  "remote_syslog": { "enabled": false },
  "snmp_config": { "enabled": false },
  "dhcp_snooping": { "enabled": false },
  "dns_servers": [],
  "dns_suffix": [],
  "ntp_servers": [],
  "acl_policies": [],
  "port_mirroring": {},
  "name": "campus-fabric"
}
When inside the Campus Fabric Configuration dialogue there is a page called Configure Networks. This is where you import your VLANs from the switch template. In this case, see Figure 1 for the result.
The next step is to create all 3 VRFs and attach one of the networks to each as shown in Figure 2 .
Next, go to each VRF and add a manual (extra) route whose next hop is the VRRP VIP that your WAN router holds in that VRF's subnet (10.99.99.254, 10.88.88.254, and 10.33.33.254 in this lab). The VRF configurations are shown in the following three images.
Continue with the Fabric Configuration dialogue until it starts building the fabric.
Core1 and Core2 Switch Configuration
The service block function is virtual and co-located on the core switch, hence we must configure the two core switches. The following pseudo-code describes what to configure on switches core1 and core2:
# Create a new local Port Profile called 'l2fabricexit' and configure:
#   Mode='Trunk'
#   Port Network (Untagged/Native VLAN)='None'
#   Add the following 3 Networks as Trunk Networks:
#     Network=vlan1099
#     Network=vlan1088
#     Network=vlan1033
#   MTU='9018'
# Create a new Port configuration where:
#   Port Aggregation=Enable/Checked
#   AE Index=11
#   ESI-LAG=Enable/Checked
#   Port IDs=ge-0/0/3
#   Interface=L2 Interface
#   Configuration Profile=l2fabricexit
# Create a new Port configuration where:
#   Port Aggregation=Enable/Checked
#   AE Index=12
#   ESI-LAG=Enable/Checked
#   Port IDs=ge-0/0/4
#   Interface=L2 Interface
#   Configuration Profile=l2fabricexit
The following three screenshots show a major part of the above-described configuration. We start with the port profile. Keep in mind that only the stretched VLANs used are included.
The second uplink configuration is very similar. Only the AE Index changes from 11 to 12.
You must ensure that the AE Indexes on each service block function are in sync with each other towards the same WAN router and that you define them each as ESI-LAG. You must also ensure that you don’t reuse an AE Index that is already defined elsewhere in the fabric.
Juniper MX as the WAN Router
The following is the configuration of the interfaces, the VRRP gateway redundancy, and the static routes, as an example. You might need to add default routes and interfaces to complete the configuration. Note that the VRRP groups are configured without authentication and the ae11 trunk carries every stretched VLAN, so the link between the service block and the WAN router must be treated as a trusted segment.
set system host-name wanrouter1
set chassis aggregated-devices ethernet device-count 10
delete interfaces ae0
delete policy-options policy-statement fabric
delete policy-options policy-statement internet
delete routing-instances public-int
set protocols lldp port-id-subtype interface-name
set protocols lldp interface all
set protocols lldp-med interface all
delete interfaces ge-0/0/1
set interfaces ge-0/0/1 gigether-options 802.3ad ae11
delete interfaces ge-0/0/2
set interfaces ge-0/0/2 gigether-options 802.3ad ae11
delete interfaces ae11
set interfaces ae11 mtu 9018
set interfaces ae11 aggregated-ether-options lacp active
set interfaces ae11 aggregated-ether-options lacp admin-key 11
set interfaces ae11 unit 0 family bridge interface-mode trunk
set interfaces ae11 unit 0 family bridge vlan-id-list 1099
set interfaces ae11 unit 0 family bridge vlan-id-list 1088
set interfaces ae11 unit 0 family bridge vlan-id-list 1033
set bridge-domains vlan1099 vlan-id 1099
set bridge-domains vlan1099 routing-interface irb.1099
set bridge-domains vlan1088 vlan-id 1088
set bridge-domains vlan1088 routing-interface irb.1088
set bridge-domains vlan1033 vlan-id 1033
set bridge-domains vlan1033 routing-interface irb.1033
set interfaces irb unit 1099 family inet address 10.99.99.253/24 vrrp-group 1 virtual-address 10.99.99.254
set interfaces irb unit 1099 family inet address 10.99.99.253/24 vrrp-group 1 priority 110
set interfaces irb unit 1099 family inet address 10.99.99.253/24 vrrp-group 1 accept-data
set interfaces irb unit 1088 family inet address 10.88.88.253/24 vrrp-group 2 virtual-address 10.88.88.254
set interfaces irb unit 1088 family inet address 10.88.88.253/24 vrrp-group 2 priority 110
set interfaces irb unit 1088 family inet address 10.88.88.253/24 vrrp-group 2 accept-data
set interfaces irb unit 1033 family inet address 10.33.33.253/24 vrrp-group 3 virtual-address 10.33.33.254
set interfaces irb unit 1033 family inet address 10.33.33.253/24 vrrp-group 3 priority 110
set interfaces irb unit 1033 family inet address 10.33.33.253/24 vrrp-group 3 accept-data
set routing-options static route 172.16.193.0/24 next-hop 10.99.99.1
set routing-options static route 172.16.194.0/24 next-hop 10.88.88.1
set routing-options static route 172.16.195.0/24 next-hop 10.33.33.1
On the second WAN router, the notable configuration changes are the AE keys and indexes and the local IP addresses. The VRRP priority is left at its default (100), so wanrouter1 with priority 110 is the preferred master.
set system host-name wanrouter2
set chassis aggregated-devices ethernet device-count 10
delete interfaces ae0
delete policy-options policy-statement fabric
delete policy-options policy-statement internet
delete routing-instances public-int
set protocols lldp port-id-subtype interface-name
set protocols lldp interface all
set protocols lldp-med interface all
delete interfaces ge-0/0/1
set interfaces ge-0/0/1 gigether-options 802.3ad ae12
delete interfaces ge-0/0/2
set interfaces ge-0/0/2 gigether-options 802.3ad ae12
delete interfaces ae12
set interfaces ae12 mtu 9018
set interfaces ae12 aggregated-ether-options lacp active
set interfaces ae12 aggregated-ether-options lacp admin-key 12
set interfaces ae12 unit 0 family bridge interface-mode trunk
set interfaces ae12 unit 0 family bridge vlan-id-list 1099
set interfaces ae12 unit 0 family bridge vlan-id-list 1088
set interfaces ae12 unit 0 family bridge vlan-id-list 1033
set bridge-domains vlan1099 vlan-id 1099
set bridge-domains vlan1099 routing-interface irb.1099
set bridge-domains vlan1088 vlan-id 1088
set bridge-domains vlan1088 routing-interface irb.1088
set bridge-domains vlan1033 vlan-id 1033
set bridge-domains vlan1033 routing-interface irb.1033
set interfaces irb unit 1099 family inet address 10.99.99.252/24 vrrp-group 1 virtual-address 10.99.99.254
set interfaces irb unit 1099 family inet address 10.99.99.252/24 vrrp-group 1 accept-data
set interfaces irb unit 1088 family inet address 10.88.88.252/24 vrrp-group 2 virtual-address 10.88.88.254
set interfaces irb unit 1088 family inet address 10.88.88.252/24 vrrp-group 2 accept-data
set interfaces irb unit 1033 family inet address 10.33.33.252/24 vrrp-group 3 virtual-address 10.33.33.254
set interfaces irb unit 1033 family inet address 10.33.33.252/24 vrrp-group 3 accept-data
set routing-options static route 172.16.193.0/24 next-hop 10.99.99.1
set routing-options static route 172.16.194.0/24 next-hop 10.88.88.1
set routing-options static route 172.16.195.0/24 next-hop 10.33.33.1
You may wonder about the static routes in the 172.16.19x.0 range. Remember that IP Clos is an anycast fabric. The static routes are needed because DHCP relay will source its requests from IP addresses in the fabric overlay, and the WAN router must be able to reach them. You can see the definition in Figure 6.
These overlay loopback IPs are assigned to each VRF on a switch from a /24 range. You can find them by looking at a fabric access switch, as shown in Figure 7. You must route them back into the fabric, as you would any other VLAN attached to the VRF, to achieve the required reachability.
L2 Exit with Transport VLAN
When creating any VLAN or VRF for the campus fabric, remember the following best practices:
- Create all VLANs in a switch template and then import them in the Campus Fabric dialogue. Creating the VLANs anywhere else in the Mist GUI ultimately leads to inconsistency which makes it hard to resolve issues.
- With the exception of the service block functions, do not create VRFs outside of the Campus Fabric dialogue.
- The transport VLAN method requires you to create VRFs manually on the service block function and add the transport VLAN and routes locally to the VRFs. Do not create the VRFs or routes in the Campus Fabric dialogue.
- We recommend that you create port profiles within switch templates so that any changes are in sync on all switches in the fabric.
When defining the transport VLANs in the switch template, do not set the subnet information. You configure this information later as Additional IP Subnet on each service block function. See Figure 8 , Figure 9 , and Figure 10 .
The following JSON is the exported version of the switch template used in the transport VLAN fabric. It lets you review our setup before importing. As you can see, there are at least two VLANs per VRF plus one additional transport VLAN per VRF, and the transport VLANs carry no subnet.
{
  "additional_config_cmds": [],
  "networks": {
    "vlan1099": { "vlan_id": 1099, "subnet": "10.99.99.0/24" },
    "vlan1088": { "vlan_id": 1088, "subnet": "10.88.88.0/24" },
    "vlan1033": { "vlan_id": 1033, "subnet": "10.33.33.0/24" },
    "vlan1091": { "vlan_id": 1091, "subnet": "10.99.91.0/24" },
    "vlan1081": { "vlan_id": 1081, "subnet": "10.88.81.0/24" },
    "vlan1031": { "vlan_id": 1031, "subnet": "10.33.31.0/24" },
    "trans1": { "vlan_id": "101", "subnet": "" },
    "trans2": { "vlan_id": "102", "subnet": "" },
    "trans3": { "vlan_id": "103", "subnet": "" }
  },
  "port_usages": {
    "vlan1099": {
      "mode": "access",
      "disabled": false,
      "port_network": "vlan1099",
      "voip_network": null,
      "stp_edge": false,
      "mac_auth_protocol": null,
      "all_networks": false,
      "networks": null,
      "port_auth": null,
      "enable_mac_auth": null,
      "mac_auth_only": null,
      "guest_network": null,
      "bypass_auth_when_server_down": null,
      "speed": "auto",
      "duplex": "auto",
      "mac_limit": 0,
      "persist_mac": false,
      "poe_disabled": false,
      "enable_qos": false,
      "storm_control": {},
      "mtu": null,
      "description": "",
      "disable_autoneg": false
    },
    "vlan1088": {
      "mode": "access",
      "disabled": false,
      "port_network": "vlan1088",
      "voip_network": null,
      "stp_edge": false,
      "mac_auth_protocol": null,
      "all_networks": false,
      "networks": null,
      "port_auth": null,
      "enable_mac_auth": null,
      "mac_auth_only": null,
      "guest_network": null,
      "bypass_auth_when_server_down": null,
      "speed": "auto",
      "duplex": "auto",
      "mac_limit": 0,
      "persist_mac": false,
      "poe_disabled": false,
      "enable_qos": false,
      "storm_control": {},
      "mtu": null,
      "description": "",
      "disable_autoneg": false
    },
    "dynamic": {
      "mode": "dynamic",
      "rules": []
    }
  },
  "switch_matching": { "enable": true, "rules": [] },
  "switch_mgmt": {
    "config_revert_timer": 10,
    "root_password": "<password>",
    "protect_re": { "enabled": false },
    "tacacs": { "enabled": false }
  },
  "mist_nac": { "enabled": true, "network": null },
  "radius_config": {
    "auth_servers": [],
    "acct_servers": [],
    "auth_servers_timeout": 5,
    "auth_servers_retries": 3,
    "fast_dot1x_timers": false,
    "acct_interim_interval": 0,
    "auth_server_selection": "ordered",
    "coa_enabled": false,
    "coa_port": ""
  },
  "vrf_config": { "enabled": false },
  "remote_syslog": { "enabled": false },
  "snmp_config": { "enabled": false },
  "dhcp_snooping": { "enabled": false },
  "dns_servers": [],
  "dns_suffix": [],
  "ntp_servers": [],
  "acl_policies": [],
  "port_mirroring": {},
  "name": "campus-fabric"
}
Within the Campus Fabric Configuration dialogue, there is a section called Configure Networks. This is where you import your six access VLANs from the switch template. When finished, the configuration should look as shown in Figure 11. Since the three transport VLANs are not part of the access layer, they are not imported here; you add them later, locally, on the service block functions only.
Next, you create 3 VRFs and attach two of the access networks to each VRF as shown in Figure 12 .
Next, go to each VRF and confirm that you only have access networks defined with no default route. You will define the transport VLANs and default routes later in the service block function. See Figure 13, Figure 14 , and Figure 15 .
Core1 and Core2 Switch Configuration
In the transport VLAN attach example, the service block function is virtual and co-located on the core switch, so you must configure the two core switches. The following pseudocode represents the configuration you must apply to the core1 and core2 switches:
# Configure the additional IP subnet 10.99.1.1/28 on network/VLAN trans1
# Configure the additional IP subnet 10.88.1.1/28 on network/VLAN trans2
# Configure the additional IP subnet 10.33.1.1/28 on network/VLAN trans3
# Create a new local Port Profile called 'l2fabricexit' and configure:
#   Mode='Trunk'
#   Port Network (Untagged/Native VLAN)='None'
#   Add the following 3 Networks as Trunk Networks:
#     Network=trans1
#     Network=trans2
#     Network=trans3
#   MTU='9018'
# Create a new Port configuration where:
#   Port IDs=ge-0/0/3
#   Interface=L2 Interface
#   Configuration Profile=l2fabricexit
#   Port Aggregation=Enable/Checked
#   AE Index=11
#   ESI-LAG=Enable/Checked
# Create a new Port configuration where:
#   Port IDs=ge-0/0/4
#   Interface=L2 Interface
#   Configuration Profile=l2fabricexit
#   Port Aggregation=Enable/Checked
#   AE Index=12
#   ESI-LAG=Enable/Checked
# In VRF Configuration
#   Override Site/Template Settings=Checked
#   In Instance customera
#     Override Template Defined VRF Instance=Checked
#     Add the Network trans1 to the existing list of networks
#     Add the Extra Route 0.0.0.0/0 with via: 10.99.1.14
#   In Instance customerb
#     Override Template Defined VRF Instance=Checked
#     Add the Network trans2 to the existing list of networks
#     Add the Extra Route 0.0.0.0/0 with via: 10.88.1.14
#   In Instance device
#     Override Template Defined VRF Instance=Checked
#     Add the Network trans3 to the existing list of networks
#     Add the Extra Route 0.0.0.0/0 with via: 10.33.1.14
The following four images display the Mist GUI configuration that results from the previous pseudocode starting with the additional IP configuration required to assign the local IP addresses to each transport VLAN.
Next, you define the Port Profile used for the uplinks. It is critical that you include only the transport VLANs in the Trunk Networks definition: only those VLANs are used on, and visible to, the WAN router, and keeping the access VLANs off the uplink profile is what prevents the access segments from being extended to the WAN router.
Next, you assign the port profiles to each uplink port.
Figure 22 shows the configuration of the first uplink to the first WAN router.
Figure 23 shows the configuration of the second uplink to the first WAN router.
You must ensure that the AE Indexes on each service block function are in sync with each other towards the same WAN router and that you define them each as ESI-LAG. You must also ensure that you don’t reuse an AE Index that is already defined elsewhere in the fabric service block.
Next you create and modify local VRFs. Remember this is an exception made only for the transport VLAN exit method. Usually, the fabric creates the VRFs automatically. In this case we must enable the Override Site/Template Settings checkbox in the VRF configuration. Figure 24 shows the required configuration in the Mist GUI.
Next you must perform the following three configurations in each of your three VRF instances:
- Enable the Override Template Defined VRF Instance checkbox.
- Add your transport VLAN to the pre-populated list of access VLANs.
- Add a default route whose gateway IP address is the VRRP VIP of your WAN router.
Figure 25, Figure 26, and Figure 27 show the override configurations for each of the three VRFs.
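The rules in the pseudocode and the preceding steps (transport VLANs carry no subnet in the template, the uplink trunk carries only transport VLANs, each VRF gets exactly one transport VLAN, and the default route points at a VRRP VIP inside that VRF's transport subnet) are easy to get wrong by hand. The following Python script, added here as an example and not part of the JVDE, lints a template export against a service block plan for those rules. The network section is excerpted from the template above; the plan dictionary and the 'l2fabricexit' trunk list are constructed to mirror the pseudocode.

```python
import ipaddress
import json

# Network definitions excerpted from the exported switch template above
# (constructed sample input for this example).
TEMPLATE_JSON = """{
  "networks": {
    "vlan1099": {"vlan_id": 1099, "subnet": "10.99.99.0/24"},
    "vlan1091": {"vlan_id": 1091, "subnet": "10.99.91.0/24"},
    "vlan1088": {"vlan_id": 1088, "subnet": "10.88.88.0/24"},
    "vlan1081": {"vlan_id": 1081, "subnet": "10.88.81.0/24"},
    "vlan1033": {"vlan_id": 1033, "subnet": "10.33.33.0/24"},
    "vlan1031": {"vlan_id": 1031, "subnet": "10.33.31.0/24"},
    "trans1": {"vlan_id": "101", "subnet": ""},
    "trans2": {"vlan_id": "102", "subnet": ""},
    "trans3": {"vlan_id": "103", "subnet": ""}
  }
}"""
TEMPLATE_NETWORKS = json.loads(TEMPLATE_JSON)["networks"]

# Service block plan mirroring the pseudocode: access networks attached in the
# Campus Fabric dialogue, the transport VLAN and Additional IP Subnet added
# locally, and the default route towards the WAN router's VRRP VIP.
SERVICE_BLOCK_PLAN = {
    "customera": {"access": ["vlan1099", "vlan1091"], "transport": "trans1",
                  "local_ip": "10.99.1.1/28", "default_via": "10.99.1.14"},
    "customerb": {"access": ["vlan1088", "vlan1081"], "transport": "trans2",
                  "local_ip": "10.88.1.1/28", "default_via": "10.88.1.14"},
    "device": {"access": ["vlan1033", "vlan1031"], "transport": "trans3",
               "local_ip": "10.33.1.1/28", "default_via": "10.33.1.14"},
}
# Trunk networks of the local 'l2fabricexit' port profile on the uplinks.
UPLINK_TRUNK_NETWORKS = ["trans1", "trans2", "trans3"]


def lint_transport_vlan_design(networks, plan, uplink_trunk_networks):
    """Return a list of findings; an empty list means the design follows the rules."""
    findings = []
    transports = {spec["transport"] for spec in plan.values()}
    for name, net in networks.items():
        if name in transports and net.get("subnet"):
            findings.append(f"{name}: transport VLAN must not have a subnet in the template")
        if name not in transports and not net.get("subnet"):
            findings.append(f"{name}: access VLAN has no subnet")
    # Only transport VLANs may reach the WAN router; access VLANs stay inside the fabric.
    for name in uplink_trunk_networks:
        if name not in transports:
            findings.append(f"uplink trunk carries non-transport network {name}")
    for name in sorted(transports - set(uplink_trunk_networks)):
        findings.append(f"transport VLAN {name} missing from uplink trunk")
    seen = {}
    for vrf, spec in plan.items():
        t = spec["transport"]
        if seen.setdefault(t, vrf) != vrf:
            findings.append(f"{vrf}: transport VLAN {t} already used by {seen[t]}")
        if t not in networks:
            findings.append(f"{vrf}: transport VLAN {t} not defined in the template")
        if t in spec["access"]:
            findings.append(f"{vrf}: transport VLAN {t} must not be attached as an access network")
        local = ipaddress.ip_interface(spec["local_ip"])
        via = ipaddress.ip_address(spec["default_via"])
        if via not in local.network:
            findings.append(f"{vrf}: default route via {via} is outside the transport subnet {local.network}")
        elif via == local.ip:
            findings.append(f"{vrf}: default route points at the service block's own address {via}")
        for a in spec["access"]:
            subnet = networks.get(a, {}).get("subnet")
            if subnet and ipaddress.ip_network(subnet).overlaps(local.network):
                findings.append(f"{vrf}: access subnet {subnet} overlaps transport subnet {local.network}")
    return findings


if __name__ == "__main__":
    result = lint_transport_vlan_design(TEMPLATE_NETWORKS, SERVICE_BLOCK_PLAN, UPLINK_TRUNK_NETWORKS)
    print("\n".join(result or ["design OK"]))
```

Run it against the real export (the "networks" object of the template JSON) and your own plan before you start the Campus Fabric dialogue; a finding about the uplink trunk is the one most worth acting on, because an access VLAN on that trunk silently turns the transport design back into a stretched one.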
Now you must add CLI configuration that converts the transport VLAN IRBs to a virtual gateway address (VGA) shared by both service block switches, so that both answer for the gateway address that the WAN router's static routes point at. This helps avoid excess hair-pin routing of traffic within the fabric. In the switch configuration for each of your service block function switches, locate the CLI Configuration section in the Mist GUI and paste the required configuration into the field indicated in Figure 28.
The example CLI configuration for your core1 switch is shown in the following code block. We configured the switch's own IP address as the virtual gateway IP address + 1 (10.99.1.2).
# when the service block function is an EX92xx, change to VGA with the below
delete groups top routing-instances evpn_vs protocols evpn default-gateway do-not-advertise
set groups top routing-instances evpn_vs protocols evpn default-gateway no-gateway-community
# on non-EX92xx switches, change to VGA with the below
# delete groups top protocols evpn default-gateway do-not-advertise
# set groups top protocols evpn default-gateway no-gateway-community
# modify our transport VLANs to VGA
delete interfaces irb unit 101 family inet address 10.99.1.1/28
set interfaces irb unit 101 family inet address 10.99.1.2/28 virtual-gateway-address 10.99.1.1
set interfaces irb unit 101 virtual-gateway-accept-data
set interfaces irb unit 101 virtual-gateway-v4-mac 00:00:5e:e4:05:01
delete interfaces irb unit 102 family inet address 10.88.1.1/28
set interfaces irb unit 102 family inet address 10.88.1.2/28 virtual-gateway-address 10.88.1.1
set interfaces irb unit 102 virtual-gateway-accept-data
set interfaces irb unit 102 virtual-gateway-v4-mac 00:00:5e:e4:05:02
delete interfaces irb unit 103 family inet address 10.33.1.1/28
set interfaces irb unit 103 family inet address 10.33.1.2/28 virtual-gateway-address 10.33.1.1
set interfaces irb unit 103 virtual-gateway-accept-data
set interfaces irb unit 103 virtual-gateway-v4-mac 00:00:5e:e4:05:03
For your core2 switch, only the switch's own IP addresses on the transport VLANs change, to the virtual gateway IP address + 2 (for example, 10.99.1.3). The virtual gateway addresses and MACs stay the same:
# when the service block function is an EX92xx, change to VGA with the below
delete groups top routing-instances evpn_vs protocols evpn default-gateway do-not-advertise
set groups top routing-instances evpn_vs protocols evpn default-gateway no-gateway-community
# on all non-EX92xx switches, change to VGA with the below
# delete groups top protocols evpn default-gateway do-not-advertise
# set groups top protocols evpn default-gateway no-gateway-community
# modify our transport VLANs to VGA
delete interfaces irb unit 101 family inet address 10.99.1.1/28
set interfaces irb unit 101 family inet address 10.99.1.3/28 virtual-gateway-address 10.99.1.1
set interfaces irb unit 101 virtual-gateway-accept-data
set interfaces irb unit 101 virtual-gateway-v4-mac 00:00:5e:e4:05:01
delete interfaces irb unit 102 family inet address 10.88.1.1/28
set interfaces irb unit 102 family inet address 10.88.1.3/28 virtual-gateway-address 10.88.1.1
set interfaces irb unit 102 virtual-gateway-accept-data
set interfaces irb unit 102 virtual-gateway-v4-mac 00:00:5e:e4:05:02
delete interfaces irb unit 103 family inet address 10.33.1.1/28
set interfaces irb unit 103 family inet address 10.33.1.3/28 virtual-gateway-address 10.33.1.1
set interfaces irb unit 103 virtual-gateway-accept-data
set interfaces irb unit 103 virtual-gateway-v4-mac 00:00:5e:e4:05:03
Keep in mind that our test lab used virtual EX9214 switches as core switches. In most production environments you will not use an EX92xx switch. In that case, uncomment the two lines that are commented out in the previous snippets and use them in place of the two EX92xx-specific lines that reference routing-instances evpn_vs:
delete groups top protocols evpn default-gateway do-not-advertise
set groups top protocols evpn default-gateway no-gateway-community
On each service block function, for every transport VLAN used per VRF, you must set the MAC address of the virtual gateway on the IRB interface manually. The MAC for a given transport VLAN must be identical on core1 and core2 (as it is in the two snippets above), because both switches answer for the same gateway address. In our example, we used a different MAC address per transport VLAN because it is easier to debug.
Juniper MX as WAN Router
The following CLI snippet example contains the configuration of the interfaces, the VRRP gateway redundancy, and the static routes for the first WAN router. You may need to add default routes and interfaces to complete the configuration.
set system host-name wanrouter1
set chassis aggregated-devices ethernet device-count 10
delete interfaces ae0
delete policy-options policy-statement fabric
delete policy-options policy-statement internet
delete routing-instances public-int
set protocols lldp port-id-subtype interface-name
set protocols lldp interface all
set protocols lldp-med interface all
delete interfaces ge-0/0/1
set interfaces ge-0/0/1 gigether-options 802.3ad ae11
delete interfaces ge-0/0/2
set interfaces ge-0/0/2 gigether-options 802.3ad ae11
delete interfaces ae11
set interfaces ae11 mtu 9018
set interfaces ae11 aggregated-ether-options lacp active
set interfaces ae11 aggregated-ether-options lacp admin-key 11
set interfaces ae11 unit 0 family bridge interface-mode trunk
set interfaces ae11 unit 0 family bridge vlan-id-list 101
set interfaces ae11 unit 0 family bridge vlan-id-list 102
set interfaces ae11 unit 0 family bridge vlan-id-list 103
set bridge-domains trans1 vlan-id 101
set bridge-domains trans1 routing-interface irb.101
set bridge-domains trans2 vlan-id 102
set bridge-domains trans2 routing-interface irb.102
set bridge-domains trans3 vlan-id 103
set bridge-domains trans3 routing-interface irb.103
set interfaces irb unit 101 family inet address 10.99.1.13/28 vrrp-group 1 virtual-address 10.99.1.14
set interfaces irb unit 101 family inet address 10.99.1.13/28 vrrp-group 1 priority 110
set interfaces irb unit 101 family inet address 10.99.1.13/28 vrrp-group 1 accept-data
set interfaces irb unit 102 family inet address 10.88.1.13/28 vrrp-group 2 virtual-address 10.88.1.14
set interfaces irb unit 102 family inet address 10.88.1.13/28 vrrp-group 2 priority 110
set interfaces irb unit 102 family inet address 10.88.1.13/28 vrrp-group 2 accept-data
set interfaces irb unit 103 family inet address 10.33.1.13/28 vrrp-group 3 virtual-address 10.33.1.14
set interfaces irb unit 103 family inet address 10.33.1.13/28 vrrp-group 3 priority 110
set interfaces irb unit 103 family inet address 10.33.1.13/28 vrrp-group 3 accept-data
set routing-options static route 10.99.91.0/24 next-hop 10.99.1.1
set routing-options static route 10.99.99.0/24 next-hop 10.99.1.1
set routing-options static route 172.16.193.0/24 next-hop 10.99.1.1
set routing-options static route 10.88.81.0/24 next-hop 10.88.1.1
set routing-options static route 10.88.88.0/24 next-hop 10.88.1.1
set routing-options static route 172.16.194.0/24 next-hop 10.88.1.1
set routing-options static route 10.33.31.0/24 next-hop 10.33.1.1
set routing-options static route 10.33.33.0/24 next-hop 10.33.1.1
set routing-options static route 172.16.195.0/24 next-hop 10.33.1.1
On the second WAN router, the notable configuration changes are the AE keys and indexes, and the static IP addresses.
set system host-name wanrouter2
set chassis aggregated-devices ethernet device-count 10
set protocols lldp port-id-subtype interface-name
set protocols lldp interface all
set protocols lldp-med interface all
delete interfaces ge-0/0/1
set interfaces ge-0/0/1 gigether-options 802.3ad ae12
delete interfaces ge-0/0/2
set interfaces ge-0/0/2 gigether-options 802.3ad ae12
delete interfaces ae12
set interfaces ae12 mtu 9018
set interfaces ae12 aggregated-ether-options lacp active
set interfaces ae12 aggregated-ether-options lacp admin-key 12
set interfaces ae12 unit 0 family bridge interface-mode trunk
set interfaces ae12 unit 0 family bridge vlan-id-list 101
set interfaces ae12 unit 0 family bridge vlan-id-list 102
set interfaces ae12 unit 0 family bridge vlan-id-list 103
set bridge-domains trans1 vlan-id 101
set bridge-domains trans1 routing-interface irb.101
set bridge-domains trans2 vlan-id 102
set bridge-domains trans2 routing-interface irb.102
set bridge-domains trans3 vlan-id 103
set bridge-domains trans3 routing-interface irb.103
set interfaces irb unit 101 family inet address 10.99.1.12/28 vrrp-group 1 virtual-address 10.99.1.14
set interfaces irb unit 101 family inet address 10.99.1.12/28 vrrp-group 1 accept-data
set interfaces irb unit 102 family inet address 10.88.1.12/28 vrrp-group 2 virtual-address 10.88.1.14
set interfaces irb unit 102 family inet address 10.88.1.12/28 vrrp-group 2 accept-data
set interfaces irb unit 103 family inet address 10.33.1.12/28 vrrp-group 3 virtual-address 10.33.1.14
set interfaces irb unit 103 family inet address 10.33.1.12/28 vrrp-group 3 accept-data
set routing-options static route 10.99.91.0/24 next-hop 10.99.1.1
set routing-options static route 10.99.99.0/24 next-hop 10.99.1.1
set routing-options static route 172.16.193.0/24 next-hop 10.99.1.1
set routing-options static route 10.88.81.0/24 next-hop 10.88.1.1
set routing-options static route 10.88.88.0/24 next-hop 10.88.1.1
set routing-options static route 172.16.194.0/24 next-hop 10.88.1.1
set routing-options static route 10.33.31.0/24 next-hop 10.33.1.1
set routing-options static route 10.33.33.0/24 next-hop 10.33.1.1
set routing-options static route 172.16.195.0/24 next-hop 10.33.1.1
You may wonder about the static routes in the 172.16.19x.0 range. Remember that IP Clos is an anycast fabric. The static routes are needed because DHCP relay will source its requests from IP addresses in the fabric overlay, and the WAN router must be able to reach them. See Figure 29 for an example definition.
The overlay loopback IPs are assigned to each VRF on a switch from a /24 range. You can find them by looking at a fabric access switch, as shown in Figure 30. Hence, you must route them back into the fabric, as you would any other VLAN attached to the VRF, to achieve the required reachability.
The following commands help to debug the connections on WAN router1.
root@wanrouter1> show lldp neighbors
Local Interface    Parent Interface    Chassis Id          Port info    System Name
ge-0/0/0           -                   4c:96:14:95:09:80   516          internet
ge-0/0/1           ae11                2c:6b:f5:3a:42:c0   ge-0/0/3     core1
ge-0/0/2           ae11                2c:6b:f5:7f:7d:c0   ge-0/0/3     core2

root@wanrouter1> show lacp interfaces
Aggregated interface: ae11
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-0/0/1       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/1     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/2       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/2     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
    LACP protocol:        Receive State  Transmit State          Mux State
      ge-0/0/1                  Current   Fast periodic Collecting distributing
      ge-0/0/2                  Current   Fast periodic Collecting distributing

root@wanrouter1> show vrrp
Interface     State       Group   VR state       VR Mode   Timer    Type   Address
irb.101       up              1   master         Active    A  0.350 lcl    10.99.1.13
                                                                    vip    10.99.1.14
irb.102       up              2   master         Active    A  0.625 lcl    10.88.1.13
                                                                    vip    10.88.1.14
irb.103       up              3   master         Active    A  0.830 lcl    10.33.1.13
                                                                    vip    10.33.1.14
The following commands help you to debug connections on WAN router2.
root@wanrouter2> show lldp neighbors
Local Interface    Parent Interface    Chassis Id          Port info    System Name
ge-0/0/0           -                   4c:96:14:95:09:80   517          internet
ge-0/0/1           ae12                2c:6b:f5:3a:42:c0   ge-0/0/4     core1
ge-0/0/2           ae12                2c:6b:f5:7f:7d:c0   ge-0/0/4     core2

root@wanrouter2> show lacp interfaces
Aggregated interface: ae12
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-0/0/1       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/1     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/2       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/2     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
    LACP protocol:        Receive State  Transmit State          Mux State
      ge-0/0/1                  Current   Fast periodic Collecting distributing
      ge-0/0/2                  Current   Fast periodic Collecting distributing

root@wanrouter2> show vrrp
Interface     State       Group   VR state       VR Mode   Timer    Type   Address
irb.101       up              1   backup         Active    D  2.811 lcl    10.99.1.12
                                                                    vip    10.99.1.14
                                                                    mas    10.99.1.13
irb.102       up              2   backup         Active    D  3.303 lcl    10.88.1.12
                                                                    vip    10.88.1.14
                                                                    mas    10.88.1.13
irb.103       up              3   backup         Active    D  2.798 lcl    10.33.1.12
                                                                    vip    10.33.1.14
                                                                    mas    10.33.1.13
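Reading these outputs by eye works for a lab, but the conditions that actually matter across the two routers are easy to miss: every ESI-LAG member must be synchronized and in the Collecting distributing mux state, and each VRRP group must have exactly one master, with both routers agreeing on the VIP and the backup pointing at the real master's address (two masters means the ESI-LAG or transport VLAN is partitioned and both routers will answer ARP for the VIP). The following Python script, added here as an example and not part of the JVDE, parses the two show outputs and applies those checks. The sample text is transcribed from the outputs above; the parsing relies only on the column layout of show vrrp and show lacp interfaces as printed there.

```python
# Outputs transcribed from the show commands above (sample input for this example).
WANROUTER1_VRRP = """\
Interface     State       Group   VR state       VR Mode   Timer    Type   Address
irb.101       up              1   master         Active    A  0.350 lcl    10.99.1.13
                                                                    vip    10.99.1.14
irb.102       up              2   master         Active    A  0.625 lcl    10.88.1.13
                                                                    vip    10.88.1.14
irb.103       up              3   master         Active    A  0.830 lcl    10.33.1.13
                                                                    vip    10.33.1.14
"""
WANROUTER2_VRRP = """\
Interface     State       Group   VR state       VR Mode   Timer    Type   Address
irb.101       up              1   backup         Active    D  2.811 lcl    10.99.1.12
                                                                    vip    10.99.1.14
                                                                    mas    10.99.1.13
irb.102       up              2   backup         Active    D  3.303 lcl    10.88.1.12
                                                                    vip    10.88.1.14
                                                                    mas    10.88.1.13
irb.103       up              3   backup         Active    D  2.798 lcl    10.33.1.12
                                                                    vip    10.33.1.14
                                                                    mas    10.33.1.13
"""
WANROUTER1_LACP = """\
Aggregated interface: ae11
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-0/0/1       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/1     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/2       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/2     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
    LACP protocol:        Receive State  Transmit State          Mux State
      ge-0/0/1                  Current   Fast periodic Collecting distributing
      ge-0/0/2                  Current   Fast periodic Collecting distributing
"""


def parse_vrrp(text):
    """Return {(interface, group): {"vr_state": ..., "lcl": ..., "vip": ..., "mas": ...}}."""
    groups, current = {}, None
    for line in text.splitlines()[1:]:          # skip the column header
        tok = line.split()
        if not tok:
            continue
        if not line[0].isspace():               # record line: irb.101 up 1 master ... lcl <ip>
            current = groups[(tok[0], int(tok[2]))] = {"vr_state": tok[3], tok[-2]: tok[-1]}
        else:                                   # continuation line: "vip <ip>" or "mas <ip>"
            current[tok[0]] = tok[1]
    return groups


def parse_lacp(text):
    """Return per-(ae, member, role) LACP flags and per-(ae, member) mux state."""
    states, mux, ae, section = {}, {}, None, None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "Aggregated":
            ae = tok[-1]
        elif tok[0] == "LACP":
            section = tok[1].rstrip(":")        # "state" or "protocol"
        elif section == "state" and len(tok) == 10:
            states[(ae, tok[0], tok[1])] = dict(zip(
                ("Exp", "Def", "Dist", "Col", "Syn", "Aggr", "Timeout", "Activity"), tok[2:]))
        elif section == "protocol" and len(tok) >= 5:
            mux[(ae, tok[0])] = " ".join(tok[4:])   # "Collecting distributing" when healthy
    return states, mux


def lacp_problems(text):
    problems = []
    states, mux = parse_lacp(text)
    for (ae, member, role), f in states.items():
        if f["Exp"] != "No" or f["Def"] != "No":
            problems.append(f"{ae} {member} {role}: expired or defaulted partner information")
        if any(f[k] != "Yes" for k in ("Dist", "Col", "Syn", "Aggr")):
            problems.append(f"{ae} {member} {role}: not in sync/collecting/distributing")
    for (ae, member), state in mux.items():
        if state != "Collecting distributing":
            problems.append(f"{ae} {member}: mux state {state}")
    return problems


def vrrp_problems(outputs):
    """outputs: {router: show vrrp text}. Flags split-brain, no master, VIP mismatch
    and a backup that tracks a master address other than the real master's."""
    problems, by_group = [], {}
    for router, text in outputs.items():
        for key, rec in parse_vrrp(text).items():
            by_group.setdefault(key, {})[router] = rec
    for (iface, group), members in sorted(by_group.items()):
        masters = [r for r, rec in members.items() if rec["vr_state"] == "master"]
        vips = {rec.get("vip") for rec in members.values()}
        if len(masters) != 1:
            problems.append(f"{iface} group {group}: {len(masters)} masters ({', '.join(masters) or 'none'})")
        if len(vips) != 1:
            problems.append(f"{iface} group {group}: VIP mismatch {sorted(vips)}")
        for router, rec in members.items():
            if len(masters) == 1 and rec["vr_state"] == "backup" and rec.get("mas") != members[masters[0]]["lcl"]:
                problems.append(f"{iface} group {group}: {router} tracks master {rec.get('mas')}, expected {members[masters[0]]['lcl']}")
    return problems


if __name__ == "__main__":
    print(lacp_problems(WANROUTER1_LACP) or "LACP OK")
    print(vrrp_problems({"wanrouter1": WANROUTER1_VRRP, "wanrouter2": WANROUTER2_VRRP}) or "VRRP OK")
```

Feed it the live output of both routers (for example collected over NETCONF or by pasting the CLI output into the two string constants) after every change to the ESI-LAG or the transport VLANs; the split-brain check is the one you most want in a monitoring loop, since a partition that leaves both routers master breaks nothing visibly until traffic starts to flap.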
L3 Exit With eBGP Routing Protocol
When you create any VLAN or VRF for the campus fabric, remember the following best practices:
- Create all VLANs in a switch template and then import them into the Campus Fabric Dialogue. Creating the VLANs anywhere else in the Mist GUI ultimately leads to inconsistency which makes it hard to resolve issues.
- If needed, the fabric creates any required VRFs. Do not create VRFs manually elsewhere in the Mist GUI.
- We recommend that you create port profiles within switch templates so that any changes are in sync on all switches in a fabric.
Before you begin, you need a plan for:
- How to implement the routing protocol and route exchange
- How to configure the P2P links
- How to distribute the VLAN assignment that is indirectly used to identify the VRF
Even if the VRF already exists elsewhere in the fabric, such as on the access switch for IP Clos, the system will automatically re-create it on all service block functions when doing an L3 exit.
For each WAN router, you must reuse a VLAN name on a VRF to help the automatic creation of VRFs on the service block function. Keep in mind that when you define the local P2P links and reuse the VLAN, those definitions are purely local, so they do not conflict with the overlay VLAN definition. Additionally, you do not need to define special transport VLANs here. However, you can still use and define special transport VLANs for the P2P links if that better suits your needs.
When defining the P2P links, you must ensure that they are outside the address range in use by the fabric. The default range the fabric uses for these links is 10.255.240.0/20. We recommend that you use a /31 netmask. With that plan, you can use the even-numbered IP address of each /31 for the WAN router side and the odd-numbered address for the fabric side.
The system requires that you use a VLAN for each P2P link on a physical cable. This allows you to have multiple VRFs multiplexed on a single uplink cable. Remember the VLAN internally refers back to the VRF.
For eBGP you must also define your own private ASN for peering. By hardcoded default, the fabric uses ASN 65000 for the EVPN control plane and starts allocating configurable ASNs at 65001, incrementing by one for each node. Therefore, we recommend using ASN values below 65000 to avoid conflicts with system-assigned ASNs. The QFX switch only allows 16 local ASNs, so we recommend that you use a shared ASN among all VRFs. However, in our example, we decided to use a different ASN per WAN router.
Figure 31 shows how the two service block functions of the fabric would connect to the first WAN router.
Figure 32 shows how the two service block functions of the fabric would connect to the second WAN router. Notice that we now use the second block of VLANs from each VRF.
Table 1 displays the full configuration between the core1 and core2 switches, as service block function, and the two WAN routers. You can also see the ASN chosen for eBGP.
Switch | Switch AS | VRF | Core P2P IP | Core IF | WAN Router | WAN Router P2P IP | WAN Router AS | WAN Router IF | VLAN-ID |
---|---|---|---|---|---|---|---|---|---|
core1 | 64911 | customera | 10.255.224.1/31 | ge-0/0/3.1091 | wanrouter1 | 10.255.224.0/31 | 64901 | ge-0/0/1.1091 | 1091 |
core1 | 64911 | customerb | 10.255.224.3/31 | ge-0/0/3.1081 | wanrouter1 | 10.255.224.2/31 | 64901 | ge-0/0/1.1081 | 1081 |
core1 | 64911 | devices | 10.255.224.5/31 | ge-0/0/3.1031 | wanrouter1 | 10.255.224.4/31 | 64901 | ge-0/0/1.1031 | 1031 |
core1 | 64911 | customera | 10.255.225.1/31 | ge-0/0/4.1099 | wanrouter2 | 10.255.225.0/31 | 64902 | ge-0/0/1.1099 | 1099 |
core1 | 64911 | customerb | 10.255.225.3/31 | ge-0/0/4.1088 | wanrouter2 | 10.255.225.2/31 | 64902 | ge-0/0/1.1088 | 1088 |
core1 | 64911 | devices | 10.255.225.5/31 | ge-0/0/4.1033 | wanrouter2 | 10.255.225.4/31 | 64902 | ge-0/0/1.1033 | 1033 |
core2 | 64911 | customera | 10.255.226.1/31 | ge-0/0/3.1091 | wanrouter1 | 10.255.226.0/31 | 64901 | ge-0/0/2.1091 | 1091 |
core2 | 64911 | customerb | 10.255.226.3/31 | ge-0/0/3.1081 | wanrouter1 | 10.255.226.2/31 | 64901 | ge-0/0/2.1081 | 1081 |
core2 | 64911 | devices | 10.255.226.5/31 | ge-0/0/3.1031 | wanrouter1 | 10.255.226.4/31 | 64901 | ge-0/0/2.1031 | 1031 |
core2 | 64911 | customera | 10.255.227.1/31 | ge-0/0/4.1099 | wanrouter2 | 10.255.227.0/31 | 64902 | ge-0/0/2.1099 | 1099 |
core2 | 64911 | customerb | 10.255.227.3/31 | ge-0/0/4.1088 | wanrouter2 | 10.255.227.2/31 | 64902 | ge-0/0/2.1088 | 1088 |
core2 | 64911 | devices | 10.255.227.5/31 | ge-0/0/4.1033 | wanrouter2 | 10.255.227.4/31 | 64902 | ge-0/0/2.1033 | 1033 |
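As an added example (not part of the JVDE), the following Python script encodes the planning rules from the paragraphs above, the /31 links outside 10.255.240.0/20, even address on the WAN router and odd on the fabric side, ASNs below 65000, sub-interface unit equal to the VLAN-ID, and one VLAN per VRF and WAN router, and re-checks every row of Table 1 against them; the row tuples, the constants and the finding strings are this example's own.

```python
"""Plan checks for the eBGP L3 exit P2P links in Table 1.

Added example (not part of the JVDE). It encodes the rules the text gives for
planning the P2P links and ASNs, and runs them over the Table 1 rows so the
plan can be re-validated whenever a row changes.
"""
import ipaddress
from collections import defaultdict

# Default range the fabric allocates for its own P2P links (from the text).
FABRIC_P2P_RANGE = ipaddress.ip_network("10.255.240.0/20")
# The fabric reserves 65000 and allocates upward, so user ASNs stay below it.
FABRIC_ASN_FLOOR = 65000

# Table 1 rows: (switch, switch AS, VRF, core P2P IP, core IF,
#                WAN router, WAN router P2P IP, WAN router AS, WAN router IF, VLAN-ID)
TABLE1 = [
    ("core1", 64911, "customera", "10.255.224.1/31", "ge-0/0/3.1091", "wanrouter1", "10.255.224.0/31", 64901, "ge-0/0/1.1091", 1091),
    ("core1", 64911, "customerb", "10.255.224.3/31", "ge-0/0/3.1081", "wanrouter1", "10.255.224.2/31", 64901, "ge-0/0/1.1081", 1081),
    ("core1", 64911, "devices",   "10.255.224.5/31", "ge-0/0/3.1031", "wanrouter1", "10.255.224.4/31", 64901, "ge-0/0/1.1031", 1031),
    ("core1", 64911, "customera", "10.255.225.1/31", "ge-0/0/4.1099", "wanrouter2", "10.255.225.0/31", 64902, "ge-0/0/1.1099", 1099),
    ("core1", 64911, "customerb", "10.255.225.3/31", "ge-0/0/4.1088", "wanrouter2", "10.255.225.2/31", 64902, "ge-0/0/1.1088", 1088),
    ("core1", 64911, "devices",   "10.255.225.5/31", "ge-0/0/4.1033", "wanrouter2", "10.255.225.4/31", 64902, "ge-0/0/1.1033", 1033),
    ("core2", 64911, "customera", "10.255.226.1/31", "ge-0/0/3.1091", "wanrouter1", "10.255.226.0/31", 64901, "ge-0/0/2.1091", 1091),
    ("core2", 64911, "customerb", "10.255.226.3/31", "ge-0/0/3.1081", "wanrouter1", "10.255.226.2/31", 64901, "ge-0/0/2.1081", 1081),
    ("core2", 64911, "devices",   "10.255.226.5/31", "ge-0/0/3.1031", "wanrouter1", "10.255.226.4/31", 64901, "ge-0/0/2.1031", 1031),
    ("core2", 64911, "customera", "10.255.227.1/31", "ge-0/0/4.1099", "wanrouter2", "10.255.227.0/31", 64902, "ge-0/0/2.1099", 1099),
    ("core2", 64911, "customerb", "10.255.227.3/31", "ge-0/0/4.1088", "wanrouter2", "10.255.227.2/31", 64902, "ge-0/0/2.1088", 1088),
    ("core2", 64911, "devices",   "10.255.227.5/31", "ge-0/0/4.1033", "wanrouter2", "10.255.227.4/31", 64902, "ge-0/0/2.1033", 1033),
]


def check_row(row):
    """Rules that can be checked on a single link; returns a list of findings."""
    switch, sw_as, vrf, core_ip, core_if, wan, wan_ip, wan_as, wan_if, vlan = row
    tag = f"{switch}/{vrf}/{wan}"
    core, peer = ipaddress.ip_interface(core_ip), ipaddress.ip_interface(wan_ip)
    findings = []
    if core.network.prefixlen != 31 or peer.network.prefixlen != 31:
        findings.append(f"{tag}: P2P link is not a /31")
    if core.network != peer.network:
        findings.append(f"{tag}: {core_ip} and {wan_ip} are not in the same /31")
    if core.network.overlaps(FABRIC_P2P_RANGE):
        findings.append(f"{tag}: {core.network} collides with fabric range {FABRIC_P2P_RANGE}")
    # Convention from the text: even address on the WAN router, odd on the fabric side.
    if int(peer.ip) % 2 != 0 or int(core.ip) % 2 != 1:
        findings.append(f"{tag}: expected even WAN-router / odd fabric address")
    for asn in (sw_as, wan_as):
        if asn >= FABRIC_ASN_FLOOR:
            findings.append(f"{tag}: ASN {asn} may collide with fabric-assigned ASNs (>= {FABRIC_ASN_FLOOR})")
    # The VLAN is the handle back to the VRF, so both sub-interface units must carry it.
    for ifname in (core_if, wan_if):
        if ifname.rsplit(".", 1)[-1] != str(vlan):
            findings.append(f"{tag}: unit of {ifname} does not match VLAN-ID {vlan}")
    return findings


def check_plan(rows):
    """Whole-table rules: unique /31s, one VLAN per (switch, VRF, WAN router), one VRF per VLAN."""
    findings = []
    links_seen = set()
    vlans_per_exit = defaultdict(list)
    vrfs_per_vlan = defaultdict(set)
    for row in rows:
        findings.extend(check_row(row))
        switch, _, vrf, core_ip, _, wan, _, _, _, vlan = row
        net = ipaddress.ip_interface(core_ip).network
        if net in links_seen:
            findings.append(f"{net}: /31 reused by more than one link")
        links_seen.add(net)
        vlans_per_exit[(switch, vrf, wan)].append(vlan)
        vrfs_per_vlan[vlan].add(vrf)
    for (switch, vrf, wan), vlans in vlans_per_exit.items():
        if len(vlans) != 1:
            findings.append(f"{switch}/{vrf}/{wan}: expected exactly one VLAN, got {vlans}")
    for vlan, vrfs in vrfs_per_vlan.items():
        if len(vrfs) != 1:
            findings.append(f"vlan {vlan}: maps to several VRFs {sorted(vrfs)}")
    return findings


if __name__ == "__main__":
    for finding in check_plan(TABLE1) or ["Table 1 plan is consistent"]:
        print(finding)
```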
The code block below shows the exported version of the switch template used in this fabric. This allows you to review our setup when importing. As you can see, we have a minimum of two VLANs per VRF. Remember that the L3 exit model requires one VLAN per WAN router and VRF.
```
{
  "additional_config_cmds": [],
  "networks": {
    "vlan1099": { "vlan_id": 1099, "subnet": "10.99.99.0/24" },
    "vlan1088": { "vlan_id": 1088, "subnet": "10.88.88.0/24" },
    "vlan1033": { "vlan_id": 1033, "subnet": "10.33.33.0/24" },
    "vlan1091": { "vlan_id": 1091, "subnet": "10.99.91.0/24" },
    "vlan1081": { "vlan_id": 1081, "subnet": "10.88.81.0/24" },
    "vlan1031": { "vlan_id": 1031, "subnet": "10.33.31.0/24" }
  },
  "port_usages": {
    "vlan1099": {
      "mode": "access", "disabled": false, "port_network": "vlan1099",
      "voip_network": null, "stp_edge": false, "mac_auth_protocol": null,
      "all_networks": false, "networks": null, "port_auth": null,
      "enable_mac_auth": null, "mac_auth_only": null, "guest_network": null,
      "bypass_auth_when_server_down": null, "speed": "auto", "duplex": "auto",
      "mac_limit": 0, "persist_mac": false, "poe_disabled": false,
      "enable_qos": false, "storm_control": {}, "mtu": null,
      "description": "", "disable_autoneg": false
    },
    "vlan1088": {
      "mode": "access", "disabled": false, "port_network": "vlan1088",
      "voip_network": null, "stp_edge": false, "mac_auth_protocol": null,
      "all_networks": false, "networks": null, "port_auth": null,
      "enable_mac_auth": null, "mac_auth_only": null, "guest_network": null,
      "bypass_auth_when_server_down": null, "speed": "auto", "duplex": "auto",
      "mac_limit": 0, "persist_mac": false, "poe_disabled": false,
      "enable_qos": false, "storm_control": {}, "mtu": null,
      "description": "", "disable_autoneg": false
    },
    "dynamic": { "mode": "dynamic", "reset_default_when": "link_down", "rules": [] }
  },
  "switch_matching": { "enable": true, "rules": [] },
  "switch_mgmt": {
    "config_revert_timer": 10,
    "root_password": "<password>",
    "protect_re": { "enabled": false },
    "tacacs": { "enabled": false }
  },
  "mist_nac": { "enabled": true, "network": null },
  "radius_config": {
    "auth_servers": [], "acct_servers": [], "auth_servers_timeout": 5,
    "auth_servers_retries": 3, "fast_dot1x_timers": false,
    "acct_interim_interval": 0, "auth_server_selection": "ordered",
    "coa_enabled": false, "coa_port": ""
  },
  "vrf_config": { "enabled": false },
  "remote_syslog": { "enabled": false },
  "snmp_config": { "enabled": false },
  "dhcp_snooping": { "enabled": false },
  "dns_servers": [],
  "dns_suffix": [],
  "ntp_servers": [],
  "acl_policies": [],
  "port_mirroring": {},
  "name": "campus-fabric"
}
```
Within the Campus Fabric configuration dialogue, there is a page called Configure Networks. This is where you import your six VLANs from the switch template. The resulting configuration is shown in the following figures.
Then go to each VRF and delete any manual routes you may have. Make sure each VRF has a minimum of two VLANs attached, as those are used to identify the VRF later.
Core1 Switch Configuration
In this example, the service block function is virtual and co-located on the core switch. Therefore, you must configure the two core switches. The following block of pseudocode describes what you need to configure on the core1 switch:
```
# configure the Additional IP-Subnet 10.255.224.1 255.255.255.254 to Network/VLAN:vlan1091
# configure the Additional IP-Subnet 10.255.224.3 255.255.255.254 to Network/VLAN:vlan1081
# configure the Additional IP-Subnet 10.255.224.5 255.255.255.254 to Network/VLAN:vlan1031
# Then bind these 3 Network/VLANs to Port Interface ge-0/0/3 as L3-Sub-Interfaces with MTU=9018
# configure the Additional IP-Subnet 10.255.225.1 255.255.255.254 to Network/VLAN:vlan1099
# configure the Additional IP-Subnet 10.255.225.3 255.255.255.254 to Network/VLAN:vlan1088
# configure the Additional IP-Subnet 10.255.225.5 255.255.255.254 to Network/VLAN:vlan1033
# Then bind these 3 Network/VLANs to Port Interface ge-0/0/4 as L3-Sub-Interfaces with MTU=9018
# Enable BGP and create an Export policy called 'export-vrfs'
# Add to this export Policy the following Networks as:
# - Add Term w. Name=vlan1091 Prefix=10.99.91.0/24 Protocol=None Then=Accept
# - Add Term w. Name=vlan1099 Prefix=10.99.99.0/24 Protocol=None Then=Accept
# - Add Term w. Name=vlan1081 Prefix=10.88.81.0/24 Protocol=None Then=Accept
# - Add Term w. Name=vlan1088 Prefix=10.88.88.0/24 Protocol=None Then=Accept
# - Add Term w. Name=vlan1031 Prefix=10.33.31.0/24 Protocol=None Then=Accept
# - Add Term w. Name=vlan1033 Prefix=10.33.33.0/24 Protocol=None Then=Accept
# - Add Term w. Name=overlaylo0 Prefix=172.16.192.0/19-32 Protocol=None Then=Accept
# Create an Import policy called 'import-default'
# - Name=default Prefix=0.0.0.0/0 Protocol=BGP Action=Accept
# Create a BGP Group with:
# - Name=customera0
# - Type=External
# - Network (VLAN)=vlan1091
# - BFD interval=1000
# - Local AS=64911
# - Hold Time=90
# - Set Export=export-vrfs and Import=import-default
# Add also the following Neighbor
# - IP_Address=10.255.224.0 Neighbor_AS=64901 Hold-Time=90
# Create a BGP Group with:
# - Name=customerb0
# - Type=External
# - Network (VLAN)=vlan1081
# - BFD interval=1000
# - Local AS=64911
# - Hold Time=90
# - Set Export=export-vrfs and Import=import-default
# Add also the following Neighbor
# - IP_Address=10.255.224.2 Neighbor_AS=64901 Hold-Time=90
# Create a BGP Group with:
# - Name=devices0
# - Type=External
# - Network (VLAN)=vlan1031
# - BFD interval=1000
# - Local AS=64911
# - Hold Time=90
# - Set Export=export-vrfs and Import=import-default
# Add also the following Neighbor
# - IP_Address=10.255.224.4 Neighbor_AS=64901 Hold-Time=90
# Create a BGP Group with:
# - Name=customera1
# - Type=External
# - Network (VLAN)=vlan1099
# - BFD interval=1000
# - Local AS=64911
# - Hold Time=90
# - Set Export=export-vrfs and Import=import-default
# Add also the following Neighbor
# - IP_Address=10.255.225.0 Neighbor_AS=64902 Hold-Time=90
# Create a BGP Group with:
# - Name=customerb1
# - Type=External
# - Network (VLAN)=vlan1088
# - BFD interval=1000
# - Local AS=64911
# - Hold Time=90
# - Set Export=export-vrfs and Import=import-default
# Add also the following Neighbor
# - IP_Address=10.255.225.2 Neighbor_AS=64902 Hold-Time=90
# Create a BGP Group with:
# - Name=devices1
# - Type=External
# - Network (VLAN)=vlan1033
# - BFD interval=1000
# - Local AS=64911
# - Hold Time=90
# - Set Export=export-vrfs and Import=import-default
# Add also the following Neighbor
# - IP_Address=10.255.225.4 Neighbor_AS=64902 Hold-Time=90
```
The following screenshots show the previous configuration translated into the Mist GUI. We start with the additional IP configuration. Notice that the VLAN IP addresses do not match the IP addresses that these VLANs had originally in the overlay. This is by design. You must always have the VLAN as a reference back to the VRF.
In the Port Configuration window, you must enable the L3-sub-interfaces and assign the first 3 sub-interfaces defined.
In the second Port Configuration window, towards the other WAN router, assign the second 3 sub-interfaces defined.
Next, you must enter the entire eBGP configuration with all six peers (three VRFs and two WAN routers). When finished, the overview page should be as shown in Figure 40.
First, you define two routing policies, a summary of which is shown in the above table.
The export route policies contain a subnet for each VLAN in your VRFs and a definition for the loopback-per-VRF subnet that is part of the definition in the initial fabric dialogue. You can substitute a single 0.0.0.0/0-32 prefix for all six prefixes. Writing the prefix as 0.0.0.0/0-32 is a way of defining orlonger in the Junos OS.
The import policy imports the default route from the WAN router.
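As an added example that is neither the JVDE's nor Junos code, the following Python models the route-filter match types and first-match term evaluation these policies rely on (exact, orlonger, and the prefix-length-range form such as 172.16.192.0/19-32), then runs the export-vrfs and import-default policies from the core1 pseudocode and the fabric and internet policies from the WAN router configurations over routes taken from this appendix. Two assumptions are labelled in the code: a bare prefix in the Mist policy means an exact match, and a route matching no term is rejected.

```python
"""Evaluator for the routing policies used by the L3 exit.

Added example (not from the JVDE or from Junos). It models the Junos
route-filter match types the text relies on (exact, orlonger, and the
prefix-length-range form such as 172.16.192.0/19-32) and first-match term
evaluation, then applies the fabric-side export-vrfs / import-default policies
and the MX-side fabric / internet policies from this appendix to sample routes.
"""
import ipaddress


def parse_route_filter(spec):
    """Return (network, min_len, max_len) for a Mist/Junos style prefix spec.

    '10.99.91.0/24'       -> exact match (assumption: a bare prefix means exact)
    '172.16.192.0/19-32'  -> prefix-length-range /19 to /32
    '0.0.0.0/0-32'        -> everything, i.e. 0.0.0.0/0 orlonger
    """
    if "-" in spec:
        base, upper = spec.rsplit("-", 1)
        net = ipaddress.ip_network(base)
        return net, net.prefixlen, int(upper)
    net = ipaddress.ip_network(spec)
    return net, net.prefixlen, net.prefixlen


def route_filter_matches(spec, route):
    net, lo, hi = parse_route_filter(spec)
    r = ipaddress.ip_network(route)
    return r.version == net.version and r.subnet_of(net) and lo <= r.prefixlen <= hi


# Policy terms as (name, prefix spec or None for any, protocol or None for any, action).
EXPORT_VRFS = [  # core1/core2 pseudocode; Protocol=None in the GUI means any protocol
    ("vlan1091", "10.99.91.0/24", None, "accept"),
    ("vlan1099", "10.99.99.0/24", None, "accept"),
    ("vlan1081", "10.88.81.0/24", None, "accept"),
    ("vlan1088", "10.88.88.0/24", None, "accept"),
    ("vlan1031", "10.33.31.0/24", None, "accept"),
    ("vlan1033", "10.33.33.0/24", None, "accept"),
    ("overlaylo0", "172.16.192.0/19-32", None, "accept"),
]
IMPORT_DEFAULT = [("default", "0.0.0.0/0", "bgp", "accept")]
# wanrouter1/wanrouter2 policy-options: 'fabric' is the import, 'internet' the export.
MX_FABRIC = [("1", "0.0.0.0/0-32", "bgp", "accept"), ("2", None, None, "reject")]
MX_INTERNET = [("1", "0.0.0.0/0", "static", "accept"), ("2", None, None, "reject")]


def evaluate(policy, route, protocol, default="reject"):
    """First matching term decides. Assumption: a route matching no term gets
    `default`; the MX policies make that explicit with their 'then reject' term 2."""
    for name, spec, proto, action in policy:
        if proto is not None and proto != protocol:
            continue
        if spec is not None and not route_filter_matches(spec, route):
            continue
        return action, name
    return default, None


def demo():
    """Routes from the show route outputs in this appendix, run through each policy."""
    fabric_side = {  # what the core would offer to the WAN router
        route: evaluate(EXPORT_VRFS, route, proto)[0]
        for route, proto in [("10.99.99.0/24", "direct"), ("10.99.91.0/24", "direct"),
                             ("172.16.193.1/32", "direct"), ("10.255.224.0/31", "direct"),
                             ("172.16.192.0/18", "static"), ("192.168.230.0/24", "static")]
    }
    wan_side = {  # what the MX accepts from the fabric and what it sends back
        ("fabric", "10.88.88.0/24", "bgp"): evaluate(MX_FABRIC, "10.88.88.0/24", "bgp")[0],
        ("fabric", "10.88.88.0/24", "static"): evaluate(MX_FABRIC, "10.88.88.0/24", "static")[0],
        ("internet", "0.0.0.0/0", "static"): evaluate(MX_INTERNET, "0.0.0.0/0", "static")[0],
        ("internet", "192.168.230.0/24", "direct"): evaluate(MX_INTERNET, "192.168.230.0/24", "direct")[0],
    }
    return fabric_side, wan_side


if __name__ == "__main__":
    for table in demo():
        for key, decision in table.items():
            print(f"{key}: {decision}")
```

Because the WAN router's fabric policy accepts any BGP-learned prefix, export-vrfs on the core is what bounds what the fabric advertises; with the 0.0.0.0/0-32 shortcut in place of the six terms, evaluate() would also accept the P2P /31s.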
Figure 42 shows the configuration of a single BGP peering entry with the required entries called out.
You must also define the WAN router as a BGP neighbor.
You may see a warning message as shown in Figure 43. It is safe to ignore it.
Core2 Switch Configuration
The following pseudocode represents the configuration you must apply to the core2 switch:
```
# configure the Additional IP-Subnet 10.255.226.1 255.255.255.254 to Network/VLAN:vlan1091
# configure the Additional IP-Subnet 10.255.226.3 255.255.255.254 to Network/VLAN:vlan1081
# configure the Additional IP-Subnet 10.255.226.5 255.255.255.254 to Network/VLAN:vlan1031
# Then bind these 3 Network/VLANs to Port Interface ge-0/0/3 as L3-Sub-Interfaces with MTU=9018
# configure the Additional IP-Subnet 10.255.227.1 255.255.255.254 to Network/VLAN:vlan1099
# configure the Additional IP-Subnet 10.255.227.3 255.255.255.254 to Network/VLAN:vlan1088
# configure the Additional IP-Subnet 10.255.227.5 255.255.255.254 to Network/VLAN:vlan1033
# Then bind these 3 Network/VLANs to Port Interface ge-0/0/4 as L3-Sub-Interfaces with MTU=9018
# Enable BGP and create an Export policy called 'export-vrfs'
# Add to this export Policy the following Networks as:
# - Add Term w. Name=vlan1091 Prefix=10.99.91.0/24 Protocol=None Then=Accept
# - Add Term w. Name=vlan1099 Prefix=10.99.99.0/24 Protocol=None Then=Accept
# - Add Term w. Name=vlan1081 Prefix=10.88.81.0/24 Protocol=None Then=Accept
# - Add Term w. Name=vlan1088 Prefix=10.88.88.0/24 Protocol=None Then=Accept
# - Add Term w. Name=vlan1031 Prefix=10.33.31.0/24 Protocol=None Then=Accept
# - Add Term w. Name=vlan1033 Prefix=10.33.33.0/24 Protocol=None Then=Accept
# - Add Term w. Name=overlaylo0 Prefix=172.16.192.0/19-32 Protocol=None Then=Accept
# Create an Import policy called 'import-default'
# - Name=default Prefix=0.0.0.0/0 Protocol=BGP Action=Accept
# Create a BGP Group with:
# - Name=customera0
# - Type=External
# - Network (VLAN)=vlan1091
# - BFD interval=1000
# - Local AS=64911
# - Hold Time=90
# - Set Export=export-vrfs and Import=import-default
# Add also the following Neighbor
# - IP_Address=10.255.226.0 Neighbor_AS=64901 Hold-Time=90
# Create a BGP Group with:
# - Name=customerb0
# - Type=External
# - Network (VLAN)=vlan1081
# - BFD interval=1000
# - Local AS=64911
# - Hold Time=90
# - Set Export=export-vrfs and Import=import-default
# Add also the following Neighbor
# - IP_Address=10.255.226.2 Neighbor_AS=64901 Hold-Time=90
# Create a BGP Group with:
# - Name=devices0
# - Type=External
# - Network (VLAN)=vlan1031
# - BFD interval=1000
# - Local AS=64911
# - Hold Time=90
# - Set Export=export-vrfs and Import=import-default
# Add also the following Neighbor
# - IP_Address=10.255.226.4 Neighbor_AS=64901 Hold-Time=90
# Create a BGP Group with:
# - Name=customera1
# - Type=External
# - Network (VLAN)=vlan1099
# - BFD interval=1000
# - Local AS=64911
# - Hold Time=90
# - Set Export=export-vrfs and Import=import-default
# Add also the following Neighbor
# - IP_Address=10.255.227.0 Neighbor_AS=64902 Hold-Time=90
# Create a BGP Group with:
# - Name=customerb1
# - Type=External
# - Network (VLAN)=vlan1088
# - BFD interval=1000
# - Local AS=64911
# - Hold Time=90
# - Set Export=export-vrfs and Import=import-default
# Add also the following Neighbor
# - IP_Address=10.255.227.2 Neighbor_AS=64902 Hold-Time=90
# Create a BGP Group with:
# - Name=devices1
# - Type=External
# - Network (VLAN)=vlan1033
# - BFD interval=1000
# - Local AS=64911
# - Hold Time=90
# - Set Export=export-vrfs and Import=import-default
# Add also the following Neighbor
# - IP_Address=10.255.227.4 Neighbor_AS=64902 Hold-Time=90
```
Aside from the P2P subnets and the BGP neighbours, the configuration on the core2 switch is the same as the configuration on the core1 switch.
Juniper MX as a WAN Router
The following code blocks show the Junos OS CLI configuration of the P2P interfaces, the entire eBGP configuration with all BGP neighbours, and all import and export route policies for each WAN router. You may need to add default routes and interfaces to complete the configuration, because the default route must be signalled to the fabric and we do not know how your device learns it.
CLI configuration for the first WAN router:
```
set system host-name wanrouter1
delete interfaces ge-0/0/1
set interfaces ge-0/0/1 flexible-vlan-tagging
set interfaces ge-0/0/1 mtu 9014
set interfaces ge-0/0/1 unit 1091 description vlan1091
set interfaces ge-0/0/1 unit 1091 vlan-id 1091
set interfaces ge-0/0/1 unit 1091 family inet address 10.255.224.0/31
set interfaces ge-0/0/1 unit 1081 description vlan1081
set interfaces ge-0/0/1 unit 1081 vlan-id 1081
set interfaces ge-0/0/1 unit 1081 family inet address 10.255.224.2/31
set interfaces ge-0/0/1 unit 1031 description vlan1031
set interfaces ge-0/0/1 unit 1031 vlan-id 1031
set interfaces ge-0/0/1 unit 1031 family inet address 10.255.224.4/31
delete interfaces ge-0/0/2
set interfaces ge-0/0/2 flexible-vlan-tagging
set interfaces ge-0/0/2 mtu 9014
set interfaces ge-0/0/2 unit 1091 description vlan1091
set interfaces ge-0/0/2 unit 1091 vlan-id 1091
set interfaces ge-0/0/2 unit 1091 family inet address 10.255.226.0/31
set interfaces ge-0/0/2 unit 1081 description vlan1081
set interfaces ge-0/0/2 unit 1081 vlan-id 1081
set interfaces ge-0/0/2 unit 1081 family inet address 10.255.226.2/31
set interfaces ge-0/0/2 unit 1031 description vlan1031
set interfaces ge-0/0/2 unit 1031 vlan-id 1031
set interfaces ge-0/0/2 unit 1031 family inet address 10.255.226.4/31
# needed import and export policies
delete policy-options
set policy-options policy-statement fabric term 1 from protocol bgp
set policy-options policy-statement fabric term 1 from route-filter 0.0.0.0/0 orlonger
set policy-options policy-statement fabric term 1 then accept
set policy-options policy-statement fabric term 2 then reject
set policy-options policy-statement internet term 1 from protocol static
set policy-options policy-statement internet term 1 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement internet term 1 then accept
set policy-options policy-statement internet term 2 then reject
delete routing-instances public-int
set routing-instances public-int instance-type virtual-router
set routing-instances public-int interface ge-0/0/1.1091
set routing-instances public-int interface ge-0/0/1.1081
set routing-instances public-int interface ge-0/0/1.1031
set routing-instances public-int interface ge-0/0/2.1091
set routing-instances public-int interface ge-0/0/2.1081
set routing-instances public-int interface ge-0/0/2.1031
delete routing-instances public-int protocols bgp group customera
set routing-instances public-int protocols bgp group customera type external
set routing-instances public-int protocols bgp group customera family inet unicast
set routing-instances public-int protocols bgp group customera multipath multiple-as
set routing-instances public-int protocols bgp group customera local-as 64901
set routing-instances public-int protocols bgp group customera hold-time 90
set routing-instances public-int protocols bgp group customera import fabric
set routing-instances public-int protocols bgp group customera export internet
set routing-instances public-int protocols bgp group customera bfd-liveness-detection minimum-interval 1000
set routing-instances public-int protocols bgp group customera bfd-liveness-detection multiplier 3
set routing-instances public-int protocols bgp group customera bfd-liveness-detection session-mode automatic
set routing-instances public-int protocols bgp group customera neighbor 10.255.224.1 peer-as 64911
set routing-instances public-int protocols bgp group customera neighbor 10.255.226.1 peer-as 64911
delete routing-instances public-int protocols bgp group customerb
set routing-instances public-int protocols bgp group customerb type external
set routing-instances public-int protocols bgp group customerb family inet unicast
set routing-instances public-int protocols bgp group customerb multipath multiple-as
set routing-instances public-int protocols bgp group customerb local-as 64901
set routing-instances public-int protocols bgp group customerb hold-time 90
set routing-instances public-int protocols bgp group customerb import fabric
set routing-instances public-int protocols bgp group customerb export internet
set routing-instances public-int protocols bgp group customerb bfd-liveness-detection minimum-interval 1000
set routing-instances public-int protocols bgp group customerb bfd-liveness-detection multiplier 3
set routing-instances public-int protocols bgp group customerb bfd-liveness-detection session-mode automatic
set routing-instances public-int protocols bgp group customerb neighbor 10.255.224.3 peer-as 64911
set routing-instances public-int protocols bgp group customerb neighbor 10.255.226.3 peer-as 64911
delete routing-instances public-int protocols bgp group devices
set routing-instances public-int protocols bgp group devices type external
set routing-instances public-int protocols bgp group devices family inet unicast
set routing-instances public-int protocols bgp group devices multipath multiple-as
set routing-instances public-int protocols bgp group devices local-as 64901
set routing-instances public-int protocols bgp group devices hold-time 90
set routing-instances public-int protocols bgp group devices import fabric
set routing-instances public-int protocols bgp group devices export internet
set routing-instances public-int protocols bgp group devices bfd-liveness-detection minimum-interval 1000
set routing-instances public-int protocols bgp group devices bfd-liveness-detection multiplier 3
set routing-instances public-int protocols bgp group devices bfd-liveness-detection session-mode automatic
set routing-instances public-int protocols bgp group devices neighbor 10.255.224.5 peer-as 64911
set routing-instances public-int protocols bgp group devices neighbor 10.255.226.5 peer-as 64911
```
Configuration for the second WAN router:
```
set system host-name wanrouter2
delete interfaces ge-0/0/1
set interfaces ge-0/0/1 flexible-vlan-tagging
set interfaces ge-0/0/1 mtu 9014
set interfaces ge-0/0/1 unit 1099 description vlan1099
set interfaces ge-0/0/1 unit 1099 vlan-id 1099
set interfaces ge-0/0/1 unit 1099 family inet address 10.255.225.0/31
set interfaces ge-0/0/1 unit 1088 description vlan1088
set interfaces ge-0/0/1 unit 1088 vlan-id 1088
set interfaces ge-0/0/1 unit 1088 family inet address 10.255.225.2/31
set interfaces ge-0/0/1 unit 1033 description vlan1033
set interfaces ge-0/0/1 unit 1033 vlan-id 1033
set interfaces ge-0/0/1 unit 1033 family inet address 10.255.225.4/31
delete interfaces ge-0/0/2
set interfaces ge-0/0/2 flexible-vlan-tagging
set interfaces ge-0/0/2 mtu 9014
set interfaces ge-0/0/2 unit 1099 description vlan1099
set interfaces ge-0/0/2 unit 1099 vlan-id 1099
set interfaces ge-0/0/2 unit 1099 family inet address 10.255.227.0/31
set interfaces ge-0/0/2 unit 1088 description vlan1088
set interfaces ge-0/0/2 unit 1088 vlan-id 1088
set interfaces ge-0/0/2 unit 1088 family inet address 10.255.227.2/31
set interfaces ge-0/0/2 unit 1033 description vlan1033
set interfaces ge-0/0/2 unit 1033 vlan-id 1033
set interfaces ge-0/0/2 unit 1033 family inet address 10.255.227.4/31
# needed import and export policies
delete policy-options
set policy-options policy-statement fabric term 1 from protocol bgp
set policy-options policy-statement fabric term 1 from route-filter 0.0.0.0/0 orlonger
set policy-options policy-statement fabric term 1 then accept
set policy-options policy-statement fabric term 2 then reject
set policy-options policy-statement internet term 1 from protocol static
set policy-options policy-statement internet term 1 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement internet term 1 then accept
set policy-options policy-statement internet term 2 then reject
delete routing-instances public-int
set routing-instances public-int instance-type virtual-router
set routing-instances public-int interface ge-0/0/1.1099
set routing-instances public-int interface ge-0/0/1.1088
set routing-instances public-int interface ge-0/0/1.1033
set routing-instances public-int interface ge-0/0/2.1099
set routing-instances public-int interface ge-0/0/2.1088
set routing-instances public-int interface ge-0/0/2.1033
delete routing-instances public-int protocols bgp group customera
set routing-instances public-int protocols bgp group customera type external
set routing-instances public-int protocols bgp group customera family inet unicast
set routing-instances public-int protocols bgp group customera multipath multiple-as
set routing-instances public-int protocols bgp group customera local-as 64902
set routing-instances public-int protocols bgp group customera hold-time 90
set routing-instances public-int protocols bgp group customera import fabric
set routing-instances public-int protocols bgp group customera export internet
set routing-instances public-int protocols bgp group customera bfd-liveness-detection minimum-interval 1000
set routing-instances public-int protocols bgp group customera bfd-liveness-detection multiplier 3
set routing-instances public-int protocols bgp group customera bfd-liveness-detection session-mode automatic
set routing-instances public-int protocols bgp group customera neighbor 10.255.225.1 peer-as 64911
set routing-instances public-int protocols bgp group customera neighbor 10.255.227.1 peer-as 64911
delete routing-instances public-int protocols bgp group customerb
set routing-instances public-int protocols bgp group customerb type external
set routing-instances public-int protocols bgp group customerb family inet unicast
set routing-instances public-int protocols bgp group customerb multipath multiple-as
set routing-instances public-int protocols bgp group customerb local-as 64902
set routing-instances public-int protocols bgp group customerb hold-time 90
set routing-instances public-int protocols bgp group customerb import fabric
set routing-instances public-int protocols bgp group customerb export internet
set routing-instances public-int protocols bgp group customerb bfd-liveness-detection minimum-interval 1000
set routing-instances public-int protocols bgp group customerb bfd-liveness-detection multiplier 3
set routing-instances public-int protocols bgp group customerb bfd-liveness-detection session-mode automatic
set routing-instances public-int protocols bgp group customerb neighbor 10.255.225.3 peer-as 64911
set routing-instances public-int protocols bgp group customerb neighbor 10.255.227.3 peer-as 64911
delete routing-instances public-int protocols bgp group devices
set routing-instances public-int protocols bgp group devices type external
set routing-instances public-int protocols bgp group devices family inet unicast
set routing-instances public-int protocols bgp group devices multipath multiple-as
set routing-instances public-int protocols bgp group devices local-as 64902
set routing-instances public-int protocols bgp group devices hold-time 90
set routing-instances public-int protocols bgp group devices import fabric
set routing-instances public-int protocols bgp group devices export internet
set routing-instances public-int protocols bgp group devices bfd-liveness-detection minimum-interval 1000
set routing-instances public-int protocols bgp group devices bfd-liveness-detection multiplier 3
set routing-instances public-int protocols bgp group devices bfd-liveness-detection session-mode automatic
set routing-instances public-int protocols bgp group devices neighbor 10.255.225.5 peer-as 64911
set routing-instances public-int protocols bgp group devices neighbor 10.255.227.5 peer-as 64911
```
You can use the following CLI commands to assist with debugging on wanrouter1.
```
root@wanrouter1> show bgp summary
Threading mode: BGP I/O
Default eBGP mode: advertise - accept, receive - accept
Groups: 3 Peers: 6 Down peers: 0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
10.255.224.1          64911         30         27       0       0       11:37 Establ
  public-int.inet.0: 2/2/2/0
10.255.224.3          64911         29         27       0       0       11:31 Establ
  public-int.inet.0: 2/2/2/0
10.255.224.5          64911         29         27       0       0       11:37 Establ
  public-int.inet.0: 1/1/1/0
10.255.226.1          64911         30         27       0       0       11:30 Establ
  public-int.inet.0: 2/2/2/0
10.255.226.3          64911         30         27       0       0       11:39 Establ
  public-int.inet.0: 2/2/2/0
10.255.226.5          64911         29         27       0       0       11:38 Establ
  public-int.inet.0: 1/1/1/0

root@wanrouter1> show route table public-int.inet.0

public-int.inet.0: 23 destinations, 25 routes (23 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:00:42
                    >  to 192.168.230.1 via ge-0/0/0.0
10.88.88.0/24      *[BGP/170] 00:11:47, localpref 100
                      AS path: 64911 65002 65003 65005 I, validation-state: unverified
                       to 10.255.224.3 via ge-0/0/1.1081
                    >  to 10.255.226.3 via ge-0/0/2.1081
                    [BGP/170] 00:11:47, localpref 100
                      AS path: 64911 65001 65003 65005 I, validation-state: unverified
                    >  to 10.255.224.3 via ge-0/0/1.1081
10.99.99.0/24      *[BGP/170] 00:11:46, localpref 100, from 10.255.224.1
                      AS path: 64911 65001 65003 65005 I, validation-state: unverified
                       to 10.255.224.1 via ge-0/0/1.1091
                    >  to 10.255.226.1 via ge-0/0/2.1091
                    [BGP/170] 00:11:46, localpref 100
                      AS path: 64911 65002 65003 65005 I, validation-state: unverified
                    >  to 10.255.226.1 via ge-0/0/2.1091
10.255.224.0/31    *[Direct/0] 00:22:31
                    >  via ge-0/0/1.1091
10.255.224.0/32    *[Local/0] 00:22:31
                       Local via ge-0/0/1.1091
10.255.224.2/31    *[Direct/0] 00:22:31
                    >  via ge-0/0/1.1081
10.255.224.2/32    *[Local/0] 00:22:31
                       Local via ge-0/0/1.1081
10.255.224.4/31    *[Direct/0] 00:22:31
                    >  via ge-0/0/1.1031
10.255.224.4/32    *[Local/0] 00:22:31
                       Local via ge-0/0/1.1031
10.255.226.0/31    *[Direct/0] 00:22:31
                    >  via ge-0/0/2.1091
10.255.226.0/32    *[Local/0] 00:22:31
                       Local via ge-0/0/2.1091
10.255.226.2/31    *[Direct/0] 00:22:31
                    >  via ge-0/0/2.1081
10.255.226.2/32    *[Local/0] 00:22:31
                       Local via ge-0/0/2.1081
10.255.226.4/31    *[Direct/0] 00:22:31
                    >  via ge-0/0/2.1031
10.255.226.4/32    *[Local/0] 00:22:31
                       Local via ge-0/0/2.1031
172.16.193.1/32    *[BGP/170] 00:11:53, localpref 100
                      AS path: 64911 I, validation-state: unverified
                    >  to 10.255.224.1 via ge-0/0/1.1091
172.16.193.2/32    *[BGP/170] 00:11:46, localpref 100
                      AS path: 64911 I, validation-state: unverified
                    >  to 10.255.226.1 via ge-0/0/2.1091
172.16.194.1/32    *[BGP/170] 00:11:47, localpref 100
                      AS path: 64911 I, validation-state: unverified
                    >  to 10.255.224.3 via ge-0/0/1.1081
172.16.194.2/32    *[BGP/170] 00:11:55, localpref 100
                      AS path: 64911 I, validation-state: unverified
                    >  to 10.255.226.3 via ge-0/0/2.1081
172.16.195.1/32    *[BGP/170] 00:11:53, localpref 100
                      AS path: 64911 I, validation-state: unverified
                    >  to 10.255.224.5 via ge-0/0/1.1031
172.16.195.2/32    *[BGP/170] 00:11:54, localpref 100
                      AS path: 64911 I, validation-state: unverified
                    >  to 10.255.226.5 via ge-0/0/2.1031
192.168.230.0/24   *[Direct/0] 00:01:08
                    >  via ge-0/0/0.0
192.168.230.99/32  *[Local/0] 00:01:08
                       Local via ge-0/0/0.0
```
You can use the following CLI commands to assist with debugging on wanrouter2.
```
root@wanrouter2> show bgp summary
Threading mode: BGP I/O
Default eBGP mode: advertise - accept, receive - accept
Groups: 3 Peers: 6 Down peers: 0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
10.255.225.1          64911         36         33       0       0       14:29 Establ
  public-int.inet.0: 2/2/2/0
10.255.225.3          64911         36         33       0       0       14:21 Establ
  public-int.inet.0: 2/2/2/0
10.255.225.5          64911         35         34       0       0       14:31 Establ
  public-int.inet.0: 1/1/1/0
10.255.227.1          64911         36         34       0       0       14:35 Establ
  public-int.inet.0: 2/2/2/0
10.255.227.3          64911         36         34       0       0       14:35 Establ
  public-int.inet.0: 2/2/2/0
10.255.227.5          64911         34         33       0       0       14:21 Establ
  public-int.inet.0: 1/1/1/0

root@wanrouter2> show route table public-int.inet.0

public-int.inet.0: 23 destinations, 25 routes (23 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:00:24
                    >  to 192.168.230.1 via ge-0/0/0.0
10.88.88.0/24      *[BGP/170] 00:14:35, localpref 100
                      AS path: 64911 65002 65003 65005 I, validation-state: unverified
                       to 10.255.225.3 via ge-0/0/1.1088
                    >  to 10.255.227.3 via ge-0/0/2.1088
                    [BGP/170] 00:14:35, localpref 100
                      AS path: 64911 65001 65003 65005 I, validation-state: unverified
                    >  to 10.255.225.3 via ge-0/0/1.1088
10.99.99.0/24      *[BGP/170] 00:14:43, localpref 100
                      AS path: 64911 65002 65003 65005 I, validation-state: unverified
                       to 10.255.225.1 via ge-0/0/1.1099
                    >  to 10.255.227.1 via ge-0/0/2.1099
                    [BGP/170] 00:14:43, localpref 100
                      AS path: 64911 65001 65003 65005 I, validation-state: unverified
                    >  to 10.255.225.1 via ge-0/0/1.1099
10.255.225.0/31    *[Direct/0] 00:25:19
                    >  via ge-0/0/1.1099
10.255.225.0/32    *[Local/0] 00:25:19
                       Local via ge-0/0/1.1099
10.255.225.2/31    *[Direct/0] 00:25:19
                    >  via ge-0/0/1.1088
10.255.225.2/32    *[Local/0] 00:25:19
                       Local via ge-0/0/1.1088
10.255.225.4/31    *[Direct/0] 00:25:19
                    >  via ge-0/0/1.1033
10.255.225.4/32    *[Local/0] 00:25:19
                       Local via ge-0/0/1.1033
10.255.227.0/31    *[Direct/0] 00:25:19
                    >  via ge-0/0/2.1099
10.255.227.0/32    *[Local/0] 00:25:19
                       Local via ge-0/0/2.1099
10.255.227.2/31    *[Direct/0] 00:25:19
                    >  via ge-0/0/2.1088
10.255.227.2/32    *[Local/0] 00:25:19
                       Local via ge-0/0/2.1088
10.255.227.4/31    *[Direct/0] 00:25:19
                    >  via ge-0/0/2.1033
10.255.227.4/32    *[Local/0] 00:25:19
                       Local via ge-0/0/2.1033
172.16.193.1/32    *[BGP/170] 00:14:43, localpref 100
                      AS path: 64911 I, validation-state: unverified
                    >  to 10.255.225.1 via ge-0/0/1.1099
172.16.193.2/32    *[BGP/170] 00:14:49, localpref 100
                      AS path: 64911 I, validation-state: unverified
                    >  to 10.255.227.1 via ge-0/0/2.1099
172.16.194.1/32    *[BGP/170] 00:14:35, localpref 100
                      AS path: 64911 I, validation-state: unverified
                    >  to 10.255.225.3 via ge-0/0/1.1088
172.16.194.2/32    *[BGP/170] 00:14:49, localpref 100
                      AS path: 64911 I, validation-state: unverified
                    >  to 10.255.227.3 via ge-0/0/2.1088
172.16.195.1/32    *[BGP/170] 00:14:45, localpref 100
                      AS path: 64911 I, validation-state: unverified
                    >  to 10.255.225.5 via ge-0/0/1.1033
172.16.195.2/32    *[BGP/170] 00:14:35, localpref 100
                      AS path: 64911 I, validation-state: unverified
                    >  to 10.255.227.5 via ge-0/0/2.1033
192.168.230.0/24   *[Direct/0] 00:00:24
                    >  via ge-0/0/0.0
192.168.230.98/32  *[Local/0] 00:00:24
                       Local via ge-0/0/0.0
```
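The two debugging outputs above are easier to act on when they are checked against the plan automatically. As an added example (not part of the JVDE), the following Python parses a constructed `show bgp summary` sample modelled on the wanrouter1 output, with two peers altered to show failure modes, and compares it with the six peers from the wanrouter1 configuration; the parser, the sample text and the finding strings are this example's own.

```python
"""Audit a Junos 'show bgp summary' against the planned eBGP peers.

Added example (not part of the JVDE). It parses the summary format shown in the
debugging outputs above, both the 'Establ' plus per-RIB line form seen here for
the public-int instance and the single-RIB form where Junos prints the
Active/Received/Accepted/Damped counts inline, and reports peers that are
missing, unplanned, in the wrong AS, not established, flapping, or accepting
no prefixes.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
COUNTS = re.compile(r"^(\d+)/(\d+)/(\d+)/(\d+)$")   # Active/Received/Accepted/Damped

# Planned peers of wanrouter1, taken from its configuration above.
WANROUTER1_PEERS = {ip: 64911 for ip in
                    ("10.255.224.1", "10.255.224.3", "10.255.224.5",
                     "10.255.226.1", "10.255.226.3", "10.255.226.5")}

# Constructed sample based on the wanrouter1 output above, with two peers altered
# to show the failure modes: one established but receiving nothing, one down.
SAMPLE = """\
root@wanrouter1> show bgp summary
Threading mode: BGP I/O
Default eBGP mode: advertise - accept, receive - accept
Groups: 3 Peers: 6 Down peers: 1
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
10.255.224.1          64911         30         27       0       0       11:37 Establ
  public-int.inet.0: 2/2/2/0
10.255.224.3          64911         29         27       0       0       11:31 Establ
  public-int.inet.0: 2/2/2/0
10.255.224.5          64911         29         27       0       0       11:37 Establ
  public-int.inet.0: 1/1/1/0
10.255.226.1          64911         30         27       0       0       11:30 Establ
  public-int.inet.0: 2/2/2/0
10.255.226.3          64911         30         27       0       0       11:39 Establ
  public-int.inet.0: 0/0/0/0
10.255.226.5          64911          0          0       0       1        0:12 Active
"""


@dataclass
class Peer:
    address: str
    asn: int
    flaps: int
    state: str
    accepted: Optional[int] = None   # None until a RIB line or inline counts are seen


def parse_bgp_summary(text):
    peers = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if IPV4.match(fields[0]) and len(fields) >= 7:
            # Peer AS InPkt OutPkt OutQ Flaps Last-Up/Dwn State; 'Last Up/Dwn' may contain
            # a space ('1d 02:03:04'), so take the state from the end of the line.
            state, accepted = fields[-1], None
            m = COUNTS.match(state)
            if m:                       # single-RIB form: counts inline, session is up
                state, accepted = "Establ", int(m.group(3))
            peers.append(Peer(fields[0], int(fields[1]), int(fields[5]), state, accepted))
        elif peers and len(fields) == 2 and fields[0].endswith(":") and COUNTS.match(fields[1]):
            # '<rib>: a/r/acc/d' line(s) belonging to the previous peer
            peers[-1].accepted = (peers[-1].accepted or 0) + int(COUNTS.match(fields[1]).group(3))
    return peers


def audit_bgp_summary(text, expected):
    """expected maps peer address -> peer AS. Returns findings; empty means healthy."""
    findings, seen = [], set()
    for p in parse_bgp_summary(text):
        seen.add(p.address)
        if p.address not in expected:
            findings.append(f"{p.address}: peer not in the plan (AS {p.asn})")
            continue
        if p.asn != expected[p.address]:
            findings.append(f"{p.address}: AS {p.asn} but plan says {expected[p.address]}")
        if p.state != "Establ":
            findings.append(f"{p.address}: state {p.state}, session not established")
        elif not p.accepted:
            findings.append(f"{p.address}: established but 0 prefixes accepted")
        if p.flaps:
            findings.append(f"{p.address}: {p.flaps} flap(s) since last clear")
    for ip in sorted(set(expected) - seen, key=ipaddress.ip_address):
        findings.append(f"{ip}: planned peer missing from output")
    return findings


if __name__ == "__main__":
    for finding in audit_bgp_summary(SAMPLE, WANROUTER1_PEERS) or ["all planned peers healthy"]:
        print(finding)
```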
Juniper SRX Series Firewall as WAN Router
The following example table and configurations show the differences between using an SRX Series Firewall in cluster mode and an MX router as the WAN router. On the fabric side, only the interface names of the SRX cluster change from the MX router configuration. Because the SRX Series Firewall runs in active/active cluster mode, there is only a single WAN router configuration and a single ASN to consider. That single configuration also includes cluster management and trust-zone management commands that are not present in a similar MX router-based configuration.
This SRX Series Firewall-based approach is less complicated than configuring redundant ethernet (reth) interfaces and link aggregation groups (LAG) on the MX router. In addition, there is a need for additional CLI on the fabric side to insert virtual gateways, and so on.
Table 2 shows the configuration information for the core1 and core2 switches in their service block function, along with the WAN router configuration for the SRX cluster. We have marked the changes with respect to Table 1 (the MX WAN router table) in bold.
Switch | Switch AS | VRF | Core P2P IP | Core IF | WAN Router | WAN Router P2P IP | WAN Router AS | WAN Router IF | VLAN-ID |
---|---|---|---|---|---|---|---|---|---|
core1 | 64911 | customera | 10.255.224.1/31 | ge-0/0/5.1091 | node0 | 10.255.224.0/31 | 64901 | ge-0/0/2.1091 | 1091 |
core1 | 64911 | customerb | 10.255.224.3/31 | ge-0/0/5.1081 | node0 | 10.255.224.2/31 | 64901 | ge-0/0/2.1081 | 1081 |
core1 | 64911 | devices | 10.255.224.5/31 | ge-0/0/5.1031 | node0 | 10.255.224.4/31 | 64901 | ge-0/0/2.1031 | 1031 |
core1 | 64911 | customera | 10.255.225.1/31 | ge-0/0/6.1099 | node1 | 10.255.225.0/31 | 64901 | ge-7/0/2.1099 | 1099 |
core1 | 64911 | customerb | 10.255.225.3/31 | ge-0/0/6.1088 | node1 | 10.255.225.2/31 | 64901 | ge-7/0/2.1088 | 1088 |
core1 | 64911 | devices | 10.255.225.5/31 | ge-0/0/6.1033 | node1 | 10.255.225.4/31 | 64901 | ge-7/0/2.1033 | 1033 |
core2 | 64911 | customera | 10.255.226.1/31 | ge-0/0/5.1091 | node0 | 10.255.226.0/31 | 64901 | ge-0/0/3.1091 | 1091 |
core2 | 64911 | customerb | 10.255.226.3/31 | ge-0/0/5.1081 | node0 | 10.255.226.2/31 | 64901 | ge-0/0/3.1081 | 1081 |
core2 | 64911 | devices | 10.255.226.5/31 | ge-0/0/5.1031 | node0 | 10.255.226.4/31 | 64901 | ge-0/0/3.1031 | 1031 |
core2 | 64911 | customera | 10.255.227.1/31 | ge-0/0/6.1099 | node1 | 10.255.227.0/31 | 64901 | ge-7/0/3.1099 | 1099 |
core2 | 64911 | customerb | 10.255.227.3/31 | ge-0/0/6.1088 | node1 | 10.255.227.2/31 | 64901 | ge-7/0/3.1088 | 1088 |
core2 | 64911 | devices | 10.255.227.5/31 | ge-0/0/6.1033 | node1 | 10.255.227.4/31 | 64901 | ge-7/0/3.1033 | 1033 |
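Table 2 is the single source of truth for both sides of every link: each row pairs one /31 on a core switch sub-interface with the other address of the same /31 on an SRX node sub-interface, and the VLAN-ID must match the unit number on both ends. The following Python script is an added example, not part of the JVDE; it carries a constructed copy of the SRX rows of Table 2, validates those pairings before anything is pushed, and derives the per-link part of the SRX cluster configuration (sub-interfaces, trust zone host-inbound services, routing-instance binding and BGP groups) from the rows. The instance name `public-int`, zone name `trust` and policy names `fabric` and `internet` are the ones used by the SRX configuration later in this section; the MTU, ASNs and timers are from the tables.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed copy of the SRX rows of Table 2:
# (switch, vrf, core_p2p_ip, core_if, node, wan_p2p_ip, wan_if, vlan_id)
Row = Tuple[str, str, str, str, str, str, str, int]
TABLE2: List[Row] = [
    ("core1", "customera", "10.255.224.1/31", "ge-0/0/5.1091", "node0", "10.255.224.0/31", "ge-0/0/2.1091", 1091),
    ("core1", "customerb", "10.255.224.3/31", "ge-0/0/5.1081", "node0", "10.255.224.2/31", "ge-0/0/2.1081", 1081),
    ("core1", "devices",   "10.255.224.5/31", "ge-0/0/5.1031", "node0", "10.255.224.4/31", "ge-0/0/2.1031", 1031),
    ("core1", "customera", "10.255.225.1/31", "ge-0/0/6.1099", "node1", "10.255.225.0/31", "ge-7/0/2.1099", 1099),
    ("core1", "customerb", "10.255.225.3/31", "ge-0/0/6.1088", "node1", "10.255.225.2/31", "ge-7/0/2.1088", 1088),
    ("core1", "devices",   "10.255.225.5/31", "ge-0/0/6.1033", "node1", "10.255.225.4/31", "ge-7/0/2.1033", 1033),
    ("core2", "customera", "10.255.226.1/31", "ge-0/0/5.1091", "node0", "10.255.226.0/31", "ge-0/0/3.1091", 1091),
    ("core2", "customerb", "10.255.226.3/31", "ge-0/0/5.1081", "node0", "10.255.226.2/31", "ge-0/0/3.1081", 1081),
    ("core2", "devices",   "10.255.226.5/31", "ge-0/0/5.1031", "node0", "10.255.226.4/31", "ge-0/0/3.1031", 1031),
    ("core2", "customera", "10.255.227.1/31", "ge-0/0/6.1099", "node1", "10.255.227.0/31", "ge-7/0/3.1099", 1099),
    ("core2", "customerb", "10.255.227.3/31", "ge-0/0/6.1088", "node1", "10.255.227.2/31", "ge-7/0/3.1088", 1088),
    ("core2", "devices",   "10.255.227.5/31", "ge-0/0/6.1033", "node1", "10.255.227.4/31", "ge-7/0/3.1033", 1033),
]
SWITCH_AS, WAN_AS, MTU = 64911, 64901, 9018
INSTANCE, ZONE = "public-int", "trust"   # names used by the SRX configuration in this section


def validate_rows(rows: List[Row]) -> List[str]:
    """Catch the table mistakes that silently break an eBGP session over a /31."""
    problems: List[str] = []
    seen_links = set()
    for sw, vrf, core_ip, core_if, node, wan_ip, wan_if, vlan in rows:
        tag = f"{sw}/{vrf}/{node}"
        c, w = ipaddress.ip_interface(core_ip), ipaddress.ip_interface(wan_ip)
        if c.network.prefixlen != 31 or c.network != w.network:
            problems.append(f"{tag}: {core_ip} and {wan_ip} are not the two ends of one /31")
        elif c.ip == w.ip:
            problems.append(f"{tag}: both ends use the same address {c.ip}")
        for side, ifc in (("core", core_if), ("WAN", wan_if)):
            if int(ifc.rsplit(".", 1)[1]) != vlan:
                problems.append(f"{tag}: {side} sub-interface {ifc} does not match VLAN-ID {vlan}")
        if c.network in seen_links:
            problems.append(f"{tag}: /31 {c.network} is used by more than one link")
        seen_links.add(c.network)
    return problems


def generate_srx_config(rows: List[Row]) -> List[str]:
    """Emit the per-link part of the SRX cluster configuration as Junos `set` statements."""
    cfg: List[str] = []
    parents = set()
    groups: Dict[str, List[str]] = {}   # vrf -> neighbor addresses, in table order
    for _sw, vrf, core_ip, _core_if, _node, wan_ip, wan_if, vlan in rows:
        parent, unit = wan_if.split(".")
        if parent not in parents:      # physical port statements only once per port
            parents.add(parent)
            cfg += [f"set interfaces {parent} flexible-vlan-tagging",
                    f"set interfaces {parent} mtu {MTU}"]
        cfg += [f"set interfaces {parent} unit {unit} description vlan{vlan}",
                f"set interfaces {parent} unit {unit} vlan-id {vlan}",
                f"set interfaces {parent} unit {unit} family inet address {wan_ip}",
                # Only BGP and ping are opened towards the fabric on each zone interface.
                f"set security zones security-zone {ZONE} interfaces {wan_if} host-inbound-traffic protocols bgp",
                f"set security zones security-zone {ZONE} interfaces {wan_if} host-inbound-traffic system-services ping",
                f"set routing-instances {INSTANCE} interface {wan_if}"]
        groups.setdefault(vrf, []).append(str(ipaddress.ip_interface(core_ip).ip))
    for vrf, neighbors in groups.items():
        g = f"set routing-instances {INSTANCE} protocols bgp group {vrf}"
        cfg += [f"{g} type external", f"{g} family inet unicast", f"{g} multipath multiple-as",
                f"{g} local-as {WAN_AS}", f"{g} hold-time 90",
                f"{g} import fabric", f"{g} export internet",
                f"{g} bfd-liveness-detection minimum-interval 1000",
                f"{g} bfd-liveness-detection multiplier 3",
                f"{g} bfd-liveness-detection session-mode automatic"]
        cfg += [f"{g} neighbor {n} peer-as {SWITCH_AS}" for n in neighbors]
    return cfg


if __name__ == "__main__":
    issues = validate_rows(TABLE2)
    print("\n".join(issues or generate_srx_config(TABLE2)))
```

Running the validator before generating anything is the point: a mistyped WAN address that lands in a different /31, or a unit number that does not match the VLAN-ID, produces a BGP session that never leaves Active, and that is much cheaper to catch in the table than on the device.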
The following pseudocode describes what you need to configure on the core1 switch for this example:
```
# configure the Additional IP-Subnet 10.255.224.1 255.255.255.254 to Network/VLAN:vlan1091
# configure the Additional IP-Subnet 10.255.224.3 255.255.255.254 to Network/VLAN:vlan1081
# configure the Additional IP-Subnet 10.255.224.5 255.255.255.254 to Network/VLAN:vlan1031
# Then bind these 3 Network/VLANs to Port Interface ge-0/0/5 as L3-Sub-Interfaces with MTU=9018
# configure the Additional IP-Subnet 10.255.225.1 255.255.255.254 to Network/VLAN:vlan1099
# configure the Additional IP-Subnet 10.255.225.3 255.255.255.254 to Network/VLAN:vlan1088
# configure the Additional IP-Subnet 10.255.225.5 255.255.255.254 to Network/VLAN:vlan1033
# Then bind these 3 Network/VLANs to Port Interface ge-0/0/6 as L3-Sub-Interfaces with MTU=9018
# Enable BGP and create an Export policy called 'export-vrfs'
# Add to this export Policy the following Networks as:
# - Add Term w. Name=vlan1091 Prefix=10.99.91.0/24 Protocol=None Then=Accept
# - Add Term w. Name=vlan1099 Prefix=10.99.99.0/24 Protocol=None Then=Accept
# - Add Term w. Name=vlan1081 Prefix=10.88.81.0/24 Protocol=None Then=Accept
# - Add Term w. Name=vlan1088 Prefix=10.88.88.0/24 Protocol=None Then=Accept
# - Add Term w. Name=vlan1031 Prefix=10.33.31.0/24 Protocol=None Then=Accept
# - Add Term w. Name=vlan1033 Prefix=10.33.33.0/24 Protocol=None Then=Accept
# - Add Term w. Name=overlaylo0 Prefix=172.16.192.0/19-32 Protocol=None Then=Accept
# Create an Import policy called 'import-default'
# - Name=default Prefix=0.0.0.0/0 Protocol=BGP Action=Accept
# Create a BGP Group with:
# - Name=customera0
# - Type=External
# - Network (VLAN)=vlan1091
# - BFD interval=1000
# - Local AS=64911
# - Hold Time=90
# - Set Export=export-vrfs and Import=import-default
# Add also the following Neighbor
# - IP_Address=10.255.224.1 Neighbor_AS=64901 Hold-Time=90
# Create a BGP Group with:
# - Name=customerb0
# - Type=External
# - Network (VLAN)=vlan1081
# - BFD interval=1000
# - Local AS=64911
# - Hold Time=90
# - Set Export=export-vrfs and Import=import-default
# Add also the following Neighbor
# - IP_Address=10.255.224.3 Neighbor_AS=64901 Hold-Time=90
# Create a BGP Group with:
# - Name=devices0
# - Type=External
# - Network (VLAN)=vlan1031
# - BFD interval=1000
# - Local AS=64911
# - Hold Time=90
# - Set Export=export-vrfs and Import=import-default
# Add also the following Neighbor
# - IP_Address=10.255.224.5 Neighbor_AS=64901 Hold-Time=90
# Create a BGP Group with:
# - Name=customera1
# - Type=External
# - Network (VLAN)=vlan1099
# - BFD interval=1000
# - Local AS=64911
# - Hold Time=90
# - Set Export=export-vrfs and Import=import-default
# Add also the following Neighbor
# - IP_Address=10.255.225.1 Neighbor_AS=64901 Hold-Time=90
# Create a BGP Group with:
# - Name=customerb1
# - Type=External
# - Network (VLAN)=vlan1088
# - BFD interval=1000
# - Local AS=64911
# - Hold Time=90
# - Set Export=export-vrfs and Import=import-default
# Add also the following Neighbor
# - IP_Address=10.255.225.3 Neighbor_AS=64901 Hold-Time=90
# Create a BGP Group with:
# - Name=devices1
# - Type=External
# - Network (VLAN)=vlan1033
# - BFD interval=1000
# - Local AS=64911
# - Hold Time=90
# - Set Export=export-vrfs and Import=import-default
# Add also the following Neighbor
# - IP_Address=10.255.225.5 Neighbor_AS=64901 Hold-Time=90
```
The following pseudocode describes what you need to configure on the core2 switch for this example:
```
# configure the Additional IP-Subnet 10.255.226.1 255.255.255.254 to Network/VLAN:vlan1091
# configure the Additional IP-Subnet 10.255.226.3 255.255.255.254 to Network/VLAN:vlan1081
# configure the Additional IP-Subnet 10.255.226.5 255.255.255.254 to Network/VLAN:vlan1031
# Then bind these 3 Network/VLANs to Port Interface ge-0/0/5 as L3-Sub-Interfaces with MTU=9018
# configure the Additional IP-Subnet 10.255.227.1 255.255.255.254 to Network/VLAN:vlan1099
# configure the Additional IP-Subnet 10.255.227.3 255.255.255.254 to Network/VLAN:vlan1088
# configure the Additional IP-Subnet 10.255.227.5 255.255.255.254 to Network/VLAN:vlan1033
# Then bind these 3 Network/VLANs to Port Interface ge-0/0/6 as L3-Sub-Interfaces with MTU=9018
# Enable BGP and create an Export policy called 'export-vrfs'
# Add to this export Policy the following Networks as:
# - Add Term w. Name=vlan1091 Prefix=10.99.91.0/24 Protocol=None Then=Accept
# - Add Term w. Name=vlan1099 Prefix=10.99.99.0/24 Protocol=None Then=Accept
# - Add Term w. Name=vlan1081 Prefix=10.88.81.0/24 Protocol=None Then=Accept
# - Add Term w. Name=vlan1088 Prefix=10.88.88.0/24 Protocol=None Then=Accept
# - Add Term w. Name=vlan1031 Prefix=10.33.31.0/24 Protocol=None Then=Accept
# - Add Term w. Name=vlan1033 Prefix=10.33.33.0/24 Protocol=None Then=Accept
# - Add Term w. Name=overlaylo0 Prefix=172.16.192.0/19-32 Protocol=None Then=Accept
# Create an Import policy called 'import-default'
# - Name=default Prefix=0.0.0.0/0 Protocol=BGP Action=Accept
# Create a BGP Group with:
# - Name=customera0
# - Type=External
# - Network (VLAN)=vlan1091
# - BFD interval=1000
# - Local AS=64911
# - Hold Time=90
# - Set Export=export-vrfs and Import=import-default
# Add also the following Neighbor
# - IP_Address=10.255.226.1 Neighbor_AS=64901 Hold-Time=90
# Create a BGP Group with:
# - Name=customerb0
# - Type=External
# - Network (VLAN)=vlan1081
# - BFD interval=1000
# - Local AS=64911
# - Hold Time=90
# - Set Export=export-vrfs and Import=import-default
# Add also the following Neighbor
# - IP_Address=10.255.226.3 Neighbor_AS=64901 Hold-Time=90
# Create a BGP Group with:
# - Name=devices0
# - Type=External
# - Network (VLAN)=vlan1031
# - BFD interval=1000
# - Local AS=64911
# - Hold Time=90
# - Set Export=export-vrfs and Import=import-default
# Add also the following Neighbor
# - IP_Address=10.255.226.5 Neighbor_AS=64901 Hold-Time=90
# Create a BGP Group with:
# - Name=customera1
# - Type=External
# - Network (VLAN)=vlan1099
# - BFD interval=1000
# - Local AS=64911
# - Hold Time=90
# - Set Export=export-vrfs and Import=import-default
# Add also the following Neighbor
# - IP_Address=10.255.227.1 Neighbor_AS=64901 Hold-Time=90
# Create a BGP Group with:
# - Name=customerb1
# - Type=External
# - Network (VLAN)=vlan1088
# - BFD interval=1000
# - Local AS=64911
# - Hold Time=90
# - Set Export=export-vrfs and Import=import-default
# Add also the following Neighbor
# - IP_Address=10.255.227.3 Neighbor_AS=64901 Hold-Time=90
# Create a BGP Group with:
# - Name=devices1
# - Type=External
# - Network (VLAN)=vlan1033
# - BFD interval=1000
# - Local AS=64911
# - Hold Time=90
# - Set Export=export-vrfs and Import=import-default
# Add also the following Neighbor
# - IP_Address=10.255.227.5 Neighbor_AS=64901 Hold-Time=90
```
When you have finished configuring the individual service block functions (here, the core1 and core2 switches), your overview table should look as shown in Figure 46.
Figure 46 shows an overview of how BGP looks after you have configured the individual service block functions for the core1 and core2 switches.
The following Junos OS CLI represents the entire configuration needed on the SRX Series Firewall cluster for this example.
```
set groups node0 system host-name srx1_node0
set groups node1 system host-name srx2_node1
set apply-groups "${node}"
set chassis aggregated-devices ethernet device-count 10
set chassis cluster control-link-recovery
set chassis cluster reth-count 5
set chassis cluster initial-hold 60
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 gratuitous-arp-count 4
# Interface monitoring turned OFF for vSRX
# set chassis cluster redundancy-group 1 interface-monitor ge-0/0/2 weight 255
# set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
# set chassis cluster redundancy-group 1 interface-monitor ge-7/0/2 weight 255
# set chassis cluster redundancy-group 1 interface-monitor ge-7/0/3 weight 255
set interfaces fab0 fabric-options member-interfaces ge-0/0/0
set interfaces fab1 fabric-options member-interfaces ge-7/0/0
# rebuild trust zone to clear old interfaces bound
delete security zones security-zone trust
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
delete interfaces ge-0/0/2
set interfaces ge-0/0/2 flexible-vlan-tagging
set interfaces ge-0/0/2 mtu 9018
set interfaces ge-0/0/2 unit 1091 description vlan1091
set interfaces ge-0/0/2 unit 1091 vlan-id 1091
set interfaces ge-0/0/2 unit 1091 family inet address 10.255.224.0/31
set security zones security-zone trust interfaces ge-0/0/2.1091 host-inbound-traffic protocols bgp
set security zones security-zone trust interfaces ge-0/0/2.1091 host-inbound-traffic system-services ping
set interfaces ge-0/0/2 unit 1081 description vlan1081
set interfaces ge-0/0/2 unit 1081 vlan-id 1081
set interfaces ge-0/0/2 unit 1081 family inet address 10.255.224.2/31
set security zones security-zone trust interfaces ge-0/0/2.1081 host-inbound-traffic protocols bgp
set security zones security-zone trust interfaces ge-0/0/2.1081 host-inbound-traffic system-services ping
set interfaces ge-0/0/2 unit 1031 description vlan1031
set interfaces ge-0/0/2 unit 1031 vlan-id 1031
set interfaces ge-0/0/2 unit 1031 family inet address 10.255.224.4/31
set security zones security-zone trust interfaces ge-0/0/2.1031 host-inbound-traffic protocols bgp
set security zones security-zone trust interfaces ge-0/0/2.1031 host-inbound-traffic system-services ping
delete interfaces ge-0/0/3
set interfaces ge-0/0/3 flexible-vlan-tagging
set interfaces ge-0/0/3 mtu 9018
set interfaces ge-0/0/3 unit 1091 description vlan1091
set interfaces ge-0/0/3 unit 1091 vlan-id 1091
set interfaces ge-0/0/3 unit 1091 family inet address 10.255.226.0/31
set security zones security-zone trust interfaces ge-0/0/3.1091 host-inbound-traffic protocols bgp
set security zones security-zone trust interfaces ge-0/0/3.1091 host-inbound-traffic system-services ping
set interfaces ge-0/0/3 unit 1081 description vlan1081
set interfaces ge-0/0/3 unit 1081 vlan-id 1081
set interfaces ge-0/0/3 unit 1081 family inet address 10.255.226.2/31
set security zones security-zone trust interfaces ge-0/0/3.1081 host-inbound-traffic protocols bgp
set security zones security-zone trust interfaces ge-0/0/3.1081 host-inbound-traffic system-services ping
set interfaces ge-0/0/3 unit 1031 description vlan1031
set interfaces ge-0/0/3 unit 1031 vlan-id 1031
set interfaces ge-0/0/3 unit 1031 family inet address 10.255.226.4/31
set security zones security-zone trust interfaces ge-0/0/3.1031 host-inbound-traffic protocols bgp
set security zones security-zone trust interfaces ge-0/0/3.1031 host-inbound-traffic system-services ping
delete interfaces ge-7/0/2
set interfaces ge-7/0/2 flexible-vlan-tagging
set interfaces ge-7/0/2 mtu 9018
set interfaces ge-7/0/2 unit 1099 description vlan1099
set interfaces ge-7/0/2 unit 1099 vlan-id 1099
set interfaces ge-7/0/2 unit 1099 family inet address 10.255.225.0/31
set security zones security-zone trust interfaces ge-7/0/2.1099 host-inbound-traffic protocols bgp
set security zones security-zone trust interfaces ge-7/0/2.1099 host-inbound-traffic system-services ping
set interfaces ge-7/0/2 unit 1088 description vlan1088
set interfaces ge-7/0/2 unit 1088 vlan-id 1088
set interfaces ge-7/0/2 unit 1088 family inet address 10.255.225.2/31
set security zones security-zone trust interfaces ge-7/0/2.1088 host-inbound-traffic protocols bgp
set security zones security-zone trust interfaces ge-7/0/2.1088 host-inbound-traffic system-services ping
set interfaces ge-7/0/2 unit 1033 description vlan1033
set interfaces ge-7/0/2 unit 1033 vlan-id 1033
set interfaces ge-7/0/2 unit 1033 family inet address 10.255.225.4/31
set security zones security-zone trust interfaces ge-7/0/2.1033 host-inbound-traffic protocols bgp
set security zones security-zone trust interfaces ge-7/0/2.1033 host-inbound-traffic system-services ping
delete interfaces ge-7/0/3
set interfaces ge-7/0/3 flexible-vlan-tagging
set interfaces ge-7/0/3 mtu 9018
set interfaces ge-7/0/3 unit 1099 description vlan1099
set interfaces ge-7/0/3 unit 1099 vlan-id 1099
set interfaces ge-7/0/3 unit 1099 family inet address 10.255.227.0/31
set security zones security-zone trust interfaces ge-7/0/3.1099 host-inbound-traffic protocols bgp
set security zones security-zone trust interfaces ge-7/0/3.1099 host-inbound-traffic system-services ping
set interfaces ge-7/0/3 unit 1088 description vlan1088
set interfaces ge-7/0/3 unit 1088 vlan-id 1088
set interfaces ge-7/0/3 unit 1088 family inet address 10.255.227.2/31
set security zones security-zone trust interfaces ge-7/0/3.1088 host-inbound-traffic protocols bgp
set security zones security-zone trust interfaces ge-7/0/3.1088 host-inbound-traffic system-services ping
set interfaces ge-7/0/3 unit 1033 description vlan1033
set interfaces ge-7/0/3 unit 1033 vlan-id 1033
set interfaces ge-7/0/3 unit 1033 family inet address 10.255.227.4/31
set security zones security-zone trust interfaces ge-7/0/3.1033 host-inbound-traffic protocols bgp
set security zones security-zone trust interfaces ge-7/0/3.1033 host-inbound-traffic system-services ping
# needed import and export policies
delete policy-options
set policy-options policy-statement fabric term 1 from protocol bgp
set policy-options policy-statement fabric term 1 from route-filter 0.0.0.0/0 orlonger
set policy-options policy-statement fabric term 1 then accept
set policy-options policy-statement fabric term 2 then reject
set policy-options policy-statement internet term 1 from protocol static
set policy-options policy-statement internet term 1 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement internet term 1 then accept
set policy-options policy-statement internet term 2 then reject
delete routing-instances public-int
set routing-instances public-int instance-type virtual-router
set routing-instances public-int interface ge-0/0/2.1091
set routing-instances public-int interface ge-0/0/2.1081
set routing-instances public-int interface ge-0/0/2.1031
set routing-instances public-int interface ge-0/0/3.1091
set routing-instances public-int interface ge-0/0/3.1081
set routing-instances public-int interface ge-0/0/3.1031
set routing-instances public-int interface ge-7/0/2.1099
set routing-instances public-int interface ge-7/0/2.1088
set routing-instances public-int interface ge-7/0/2.1033
set routing-instances public-int interface ge-7/0/3.1099
set routing-instances public-int interface ge-7/0/3.1088
set routing-instances public-int interface ge-7/0/3.1033
delete routing-instances public-int protocols bgp group customera
set routing-instances public-int protocols bgp group customera type external
set routing-instances public-int protocols bgp group customera family inet unicast
set routing-instances public-int protocols bgp group customera multipath multiple-as
set routing-instances public-int protocols bgp group customera local-as 64901
set routing-instances public-int protocols bgp group customera hold-time 90
set routing-instances public-int protocols bgp group customera import fabric
set routing-instances public-int protocols bgp group customera export internet
set routing-instances public-int protocols bgp group customera bfd-liveness-detection minimum-interval 1000
set routing-instances public-int protocols bgp group customera bfd-liveness-detection multiplier 3
set routing-instances public-int protocols bgp group customera bfd-liveness-detection session-mode automatic
set routing-instances public-int protocols bgp group customera neighbor 10.255.224.1 peer-as 64911
set routing-instances public-int protocols bgp group customera neighbor 10.255.226.1 peer-as 64911
set routing-instances public-int protocols bgp group customera neighbor 10.255.225.1 peer-as 64911
set routing-instances public-int protocols bgp group customera neighbor 10.255.227.1 peer-as 64911
delete routing-instances public-int protocols bgp group customerb
set routing-instances public-int protocols bgp group customerb type external
set routing-instances public-int protocols bgp group customerb family inet unicast
set routing-instances public-int protocols bgp group customerb multipath multiple-as
set routing-instances public-int protocols bgp group customerb local-as 64901
set routing-instances public-int protocols bgp group customerb hold-time 90
set routing-instances public-int protocols bgp group customerb import fabric
set routing-instances public-int protocols bgp group customerb export internet
set routing-instances public-int protocols bgp group customerb bfd-liveness-detection minimum-interval 1000
set routing-instances public-int protocols bgp group customerb bfd-liveness-detection multiplier 3
set routing-instances public-int protocols bgp group customerb bfd-liveness-detection session-mode automatic
set routing-instances public-int protocols bgp group customerb neighbor 10.255.224.3 peer-as 64911
set routing-instances public-int protocols bgp group customerb neighbor 10.255.226.3 peer-as 64911
set routing-instances public-int protocols bgp group customerb neighbor 10.255.225.3 peer-as 64911
set routing-instances public-int protocols bgp group customerb neighbor 10.255.227.3 peer-as 64911
delete routing-instances public-int protocols bgp group devices
set routing-instances public-int protocols bgp group devices type external
set routing-instances public-int protocols bgp group devices family inet unicast
set routing-instances public-int protocols bgp group devices multipath multiple-as
set routing-instances public-int protocols bgp group devices local-as 64901
set routing-instances public-int protocols bgp group devices hold-time 90
set routing-instances public-int protocols bgp group devices import fabric
set routing-instances public-int protocols bgp group devices export internet
set routing-instances public-int protocols bgp group devices bfd-liveness-detection minimum-interval 1000
set routing-instances public-int protocols bgp group devices bfd-liveness-detection multiplier 3
set routing-instances public-int protocols bgp group devices bfd-liveness-detection session-mode automatic
set routing-instances public-int protocols bgp group devices neighbor 10.255.224.5 peer-as 64911
set routing-instances public-int protocols bgp group devices neighbor 10.255.226.5 peer-as 64911
set routing-instances public-int protocols bgp group devices neighbor 10.255.225.5 peer-as 64911
set routing-instances public-int protocols bgp group devices neighbor 10.255.227.5 peer-as 64911
```