Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Join Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions as they discuss ongoing efforts to support digital transformation.
Register to attend
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Join us for an enlightening webinar with Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; retail guru Jack Stratten of Insider Trends; and Christian Gilby, Director of Product Marketing at Juniper Networks, as they discuss the future of in-store technologies.
Reserve my spot

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Register now
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Home Documentation
QFX5120Data Center
QFX5120 Collapsed Spine with EVPN Multihoming Example: How to Configure a Collapsed Spine Data Center Architecture With EVPN Multihoming

Collapsed Spine with EVPN Multihoming

keyboard_arrow_up
close
keyboard_arrow_left
Collapsed Spine with EVPN Multihoming
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Advanced Security and Data Center Interconnect Configurations

date_range 19-Dec-24
arrow_backward
arrow_forward

Use these examples to configure advanced security and DCI on your collapsed spine data center architecture.

Configure Advanced Security for Inter-Tenant Traffic

The SRX Series is a next-generation firewall that can provide advanced security services for inter-tenant traffic. Use this section to route inter-tenant traffic between JNPR_1 and JNPR_2 in DC1 through the SRX chassis cluster.

Requirements

Overview

The SRX Series Firewalls in your chassis cluster operate as a single device to provide device, interface, and service-level redundancy. Use this section to separate the chassis cluster into zones and configure the routing policies so that the correct traffic is routed through the security devices.

Topology

Both spine switches are physically connected to both SRX nodes as shown in Figure 1.

Figure 1: Physical Topology of SRX Cluster Physical Topology of SRX Cluster
Note:

This example is based on SRX345 devices. Once placed into a HA cluster, the interfaces on node 1 are associated with FPC slot 5. This means the ge-0/0/11 interface shown for node 1 is actually configured as ge-5-0/11 once the cluster is formed. The FPC number for node 1 in a HA cluster can vary by SRX model type.

Reth1 is a logical interface in the SRX cluster. It is active on one of the nodes of the SRX cluster. If the primary node or interconnect link between the SRX devices and the spine switches fails, Reth1 will failover to the secondary node. Figure 2 shows the logical interfaces between the SRX devices and the spine switches.

Figure 2: Overlay Topology of SRX Cluster Overlay Topology of SRX Cluster

Each spine switch establishes separate EBGP peerings with the SRX cluster in each routing instance or tenant as shown in Figure 3. For example, Spine 1 has two peerings with the SRX cluster, one in each routing instance: JNPR_1 and JNPR_2. Reth1.991 peers with the JNPR_1 routing instance on the spine switches and belongs to the JNPR_1 security zone. Reth1.992 peers with the JNPR_2 routing instance on the spine switches and belongs to the JNPR_2 security zone.

The SRX Series Firewall advertises a summary route that covers all prefixes (for example, 192.168.0.0/16). The spine switches advertise specific subnets in each routing instance.

Figure 3: Topology of SRX Cluster with EBGP Peering Topology of SRX Cluster with EBGP Peering

Configure the Interfaces

Configure the SRX Device

Step-by-Step Procedure

  1. Configure the group for the logical interfaces on the SRX device.

    content_copy zoom_out_map
    set chassis cluster reth-count 3
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 preempt
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/11 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/12 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/11 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/12 weight 255

  2. Configure the logical interfaces. Reth1 is a tagged Layer 3 interface on the SRX cluster. Reth1.991 peers with the JNPR_1 routing instance on the spine switches. Reth1.992 peers with the JNPR_2 routing instance on the spine switches.

    content_copy zoom_out_map
    set interfaces reth1 vlan-tagging
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options lacp active
set interfaces reth1 redundant-ether-options lacp periodic fast
set interfaces reth1 unit 991 description "Spine Interconnect for JNPR_1"
set interfaces reth1 unit 991 vlan-id 991
set interfaces reth1 unit 991 family inet address 192.168.191.1/28

set interfaces reth1 unit 992 description "Spine Interconnect for JNPR_2"
set interfaces reth1 unit 992 vlan-id 992
set interfaces reth1 unit 992 family inet address 192.168.192.1/28

set interfaces ge-0/0/11 description "To Spine1 | ge-0/0/10"
set interfaces ge-0/0/11 gigether-options no-auto-negotiation
set interfaces ge-0/0/11 gigether-options redundant-parent reth1

set interfaces ge-5/0/11 description "To Spine1 | ge-0/0/11"
set interfaces ge-5/0/11 gigether-options no-auto-negotiation
set interfaces ge-5/0/11 gigether-options redundant-parent reth1

set interfaces ge-0/0/12 description "To Spine2 | ge-0/0/10"
set interfaces ge-0/0/12 gigether-options no-auto-negotiation
set interfaces ge-0/0/12 gigether-options redundant-parent reth1

set interfaces ge-5/0/12 description "To Spine2 | ge-0/0/11"
set interfaces ge-5/0/12 gigether-options no-auto-negotiation
set interfaces ge-5/0/12 gigether-options redundant-parent reth1

  3. Place the logical interfaces into separate security zones. Reth1.991 belongs in the JNPR_1 security zone and Reth1.992 belongs in the JNPR_2 security zone.

    content_copy zoom_out_map
    set security zones security-zone JNPR_1-Zone host-inbound-traffic system-services ping
set security zones security-zone JNPR_1-Zone host-inbound-traffic protocols bgp
set security zones security-zone JNPR_1-Zone interfaces reth1.991

set security zones security-zone JNPR_2-Zone host-inbound-traffic system-services ping
set security zones security-zone JNPR_2-Zone host-inbound-traffic protocols bgp
set security zones security-zone JNPR_2-Zone interfaces reth1.992

  4. Check the status of the chassis cluster.

    content_copy zoom_out_map
    user@srx1> show chassis cluster status
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring              
    SP  SPU monitoring              SM  Schedule monitoring
    CF  Config Sync monitoring      RE  Relinquish monitoring
 
Cluster ID: 1
Node   Priority Status               Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  100      primary              no      no       None           
node1  1        secondary            no      no       None           

Redundancy group: 1 , Failover count: 5
node0  200      primary              yes     no       None           
node1  100      secondary            yes     no       None

Configure Spine 1

Step-by-Step Procedure

  1. Configure the SRX Series Firewall interconnected interfaces on Spine 1.

    content_copy zoom_out_map
    set interfaces ge-0/0/10 ether-options 802.3ad ae11
set interfaces ge-0/0/11 ether-options 802.3ad ae12

set interfaces ae11 description "to SRX Cluster | SRX-0"
set interfaces ae11 mtu 9216
set interfaces ae11 esi 00:00:00:00:00:00:00:00:01:11
set interfaces ae11 esi all-active
set interfaces ae11 aggregated-ether-options lacp active
set interfaces ae11 aggregated-ether-options lacp periodic fast
set interfaces ae11 aggregated-ether-options lacp system-id 00:00:00:00:01:11
set interfaces ae11 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae11 unit 0 family ethernet-switching vlan members VLAN-991

set interfaces ae12 description "to SRX Cluster | SRX-1"
set interfaces ae12 mtu 9216
set interfaces ae12 esi 00:00:00:00:00:00:00:00:01:12
set interfaces ae12 esi all-active
set interfaces ae12 aggregated-ether-options lacp active
set interfaces ae12 aggregated-ether-options lacp periodic fast
set interfaces ae11 aggregated-ether-options lacp system-id 00:00:00:00:01:12
set interfaces ae12 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae12 unit 0 family ethernet-switching vlan members VLAN-992

  2. Configure IRB interfaces.

    content_copy zoom_out_map
    set interfaces irb unit 991 description "Tenant1 SRX Interconnect"
set interfaces irb unit 991 family inet address 192.168.191.3/28
set routing-instances JNPR_1_VRF interface irb.991

set interfaces irb unit 992 description "Tenant2 SRX Interconnect"
set interfaces irb unit 992 family inet address 192.168.192.3/28
set routing-instances JNPR_2_VRF interface irb.992

  3. Configure the VLANs.

    content_copy zoom_out_map
    set vlans VLAN-991 vlan-id 991
set vlans VLAN-991 l3-interface irb.991
set vlans VLAN-991 vxlan vni 5991

set vlans VLAN-992 vlan-id 992
set vlans VLAN-992 l3-interface irb.992
set vlans VLAN-992 vxlan vni 5992

  4. Configure VNIs as part of the EVPN MP-BGP domain.

    content_copy zoom_out_map
    set protocols evpn extended-vni-list 5991
set protocols evpn extended-vni-list 5992

Configure Spine 2

Step-by-Step Procedure

  1. Configure the SRX Series Firewall interconnected interfaces on Spine 2.

    content_copy zoom_out_map
    set interfaces ge-0/0/10 ether-options 802.3ad ae11
set interfaces ge-0/0/11 ether-options 802.3ad ae12

set interfaces ae11 description "to SRX Cluster | SRX-0"
set interfaces ae11 mtu 9216
set interfaces ae11 esi 00:00:00:00:00:00:00:00:01:11
set interfaces ae11 esi all-active
set interfaces ae12 aggregated-ether-options lacp active
set interfaces ae12 aggregated-ether-options lacp periodic fast
set interfaces ae11 aggregated-ether-options lacp system-id 00:00:00:00:01:11
set interfaces ae11 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae11 unit 0 family ethernet-switching vlan members VLAN-991

set interfaces ae12 description "to SRX Cluster | SRX-1"
set interfaces ae12 mtu 9216
set interfaces ae12 esi 00:00:00:00:00:00:00:00:01:12
set interfaces ae12 esi all-active
set interfaces ae12 aggregated-ether-options lacp active
set interfaces ae12 aggregated-ether-options lacp periodic fast
set interfaces ae11 aggregated-ether-options lacp system-id 00:00:00:00:01:12
set interfaces ae12 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae12 unit 0 family ethernet-switching vlan members VLAN-992

  2. Configure IRB interfaces.

    content_copy zoom_out_map
    set interfaces irb unit 991 description "Tenant1 SRX Interconnect"
set interfaces irb unit 991 family inet address 192.168.191.2/28
set routing-instances JNPR_1_VRF interface irb.991

set interfaces irb unit 992 description "Tenant2 SRX Interconnect"
set interfaces irb unit 992 family inet address 192.168.192.2/28
set routing-instances JNPR_2_VRF interface irb.992

  3. Configure the VLANs.

    content_copy zoom_out_map
    set vlans VLAN-991 vlan-id 991
set vlans VLAN-991 l3-interface irb.991
set vlans VLAN-991 vxlan vni 5991

set vlans VLAN-992 vlan-id 992
set vlans VLAN-992 l3-interface irb.992
set vlans VLAN-992 vxlan vni 5992

  4. Configure VNIs as part of the EVPN MP-BGP domain.

    content_copy zoom_out_map
    set protocols evpn extended-vni-list 5991
set protocols evpn extended-vni-list 5992

Configure EBGP

Configure the SRX Device

Step-by-Step Procedure

  1. Configure the EBGP interconnect.

    content_copy zoom_out_map
    set protocols bgp group INTERCONNECT type external
set protocols bgp group INTERCONNECT import INTERCONNECT-IMPORT
set protocols bgp group INTERCONNECT family inet unicast
set protocols bgp group INTERCONNECT authentication-key "$ABC123"
set protocols bgp group INTERCONNECT export INTERCONNECT-EXPORT
set protocols bgp group INTERCONNECT local-as 65200
set protocols bgp group INTERCONNECT multipath multiple-as
set protocols bgp group INTERCONNECT bfd-liveness-detection minimum-interval 1000
set protocols bgp group INTERCONNECT bfd-liveness-detection multiplier 3
set protocols bgp group INTERCONNECT neighbor 192.168.191.2 peer-as 65112
set protocols bgp group INTERCONNECT neighbor 192.168.191.3 peer-as 65113
set protocols bgp group INTERCONNECT neighbor 192.168.192.2 peer-as 65212
set protocols bgp group INTERCONNECT neighbor 192.168.192.3 peer-as 65213

  2. Configure the routing options.

    content_copy zoom_out_map
    set routing-options static route 192.168.0.0/16 discard

  3. Configure the policy options.

    content_copy zoom_out_map
    set policy-options policy-statement INTERCONNECT-EXPORT term Tenant_Aggregate from protocol static
set policy-options policy-statement INTERCONNECT-EXPORT term Tenant_Aggregate from route-filter 192.168.0.0/16 exact
set policy-options policy-statement INTERCONNECT-EXPORT term Tenant_Aggregate then accept
set policy-options policy-statement INTERCONNECT-EXPORT term Advertise_Loopback from protocol direct
set policy-options policy-statement INTERCONNECT-EXPORT term Advertise_Loopback from route-filter 192.168.255.1/32 exact
set policy-options policy-statement INTERCONNECT-EXPORT term Advertise_Loopback then accept
set policy-options policy-statement INTERCONNECT-EXPORT term Reject_All then reject

set policy-options policy-statement INTERCONNECT-IMPORT term Tenant_Routes from route-filter 192.168.0.0/16 longer
set policy-options policy-statement INTERCONNECT-IMPORT term Tenant_Routes then accept
set policy-options policy-statement INTERCONNECT-IMPORT term DEFAULT then reject

Configure Spine 1

Step-by-Step Procedure

  1. Configure the EBGP peerings in the JNPR_1 routing instance.

    content_copy zoom_out_map
    set routing-instances JNPR_1_VRF protocols bgp group INTERCONNECT type external
set routing-instances JNPR_1_VRF protocols bgp group INTERCONNECT import Interconnect_JNPR_1-IMPORT
set routing-instances JNPR_1_VRF protocols bgp group INTERCONNECT family inet unicast
set routing-instances JNPR_1_VRF protocols bgp group INTERCONNECT authentication-key "$ABC123"
set routing-instances JNPR_1_VRF protocols bgp group INTERCONNECT export Interconnect_JNPR_1-EXPORT
set routing-instances JNPR_1_VRF protocols bgp group INTERCONNECT local-as 65113
set routing-instances JNPR_1_VRF protocols bgp group INTERCONNECT multipath multiple-as
set routing-instances JNPR_1_VRF protocols bgp group INTERCONNECT bfd-liveness-detection minimum-interval 1000
set routing-instances JNPR_1_VRF protocols bgp group INTERCONNECT bfd-liveness-detection multiplier 3
set routing-instances JNPR_1_VRF protocols bgp group INTERCONNECT neighbor 192.168.191.1 peer-as 65200

  2. Configure the EBGP peerings in the JNPR_2 routing instance.

    content_copy zoom_out_map
    set routing-instances JNPR_2_VRF protocols bgp group INTERCONNECT type external
set routing-instances JNPR_2_VRF protocols bgp group INTERCONNECT import Interconnect_JNPR_2-IMPORT
set routing-instances JNPR_2_VRF protocols bgp group INTERCONNECT family inet unicast
set routing-instances JNPR_2_VRF protocols bgp group INTERCONNECT authentication-key "$ABC123"
set routing-instances JNPR_2_VRF protocols bgp group INTERCONNECT export Interconnect_JNPR_2-EXPORT
set routing-instances JNPR_2_VRF protocols bgp group INTERCONNECT local-as 65213
set routing-instances JNPR_2_VRF protocols bgp group INTERCONNECT multipath multiple-as
set routing-instances JNPR_2_VRF protocols bgp group INTERCONNECT bfd-liveness-detection minimum-interval 1000
set routing-instances JNPR_2_VRF protocols bgp group INTERCONNECT bfd-liveness-detection multiplier 3
set routing-instances JNPR_2_VRF protocols bgp group INTERCONNECT neighbor 192.168.192.1 peer-as 65200

  3. Configure the import and export policies for interconnect with the SRX device.

    content_copy zoom_out_map
    set policy-options policy-statement Interconnect_JNPR_1-EXPORT term Tenant_Routes from route-filter 192.168.0.0/16 orlonger
set policy-options policy-statement Interconnect_JNPR_1-EXPORT term Tenant_Routes then accept
set policy-options policy-statement Interconnect_JNPR_1-EXPORT term DEFAULT then reject
set policy-options policy-statement Interconnect_JNPR_1-IMPORT term Tenant_Routes from route-filter 192.168.0.0/16 orlonger
set policy-options policy-statement Interconnect_JNPR_1-IMPORT term Tenant_Routes then accept
set policy-options policy-statement Interconnect_JNPR_1-IMPORT term DEFAULT then reject

set policy-options policy-statement Interconnect_JNPR_2-EXPORT term Tenant_Routes from route-filter 192.168.0.0/16 orlonger
set policy-options policy-statement Interconnect_JNPR_2-EXPORT term Tenant_Routes then accept
set policy-options policy-statement Interconnect_JNPR_2-EXPORT term DEFAULT then reject
set policy-options policy-statement Interconnect_JNPR_2-IMPORT term Tenant_Routes from route-filter 192.168.0.0/16 orlonger
set policy-options policy-statement Interconnect_JNPR_2-IMPORT term Tenant_Routes then accept
set policy-options policy-statement Interconnect_JNPR_2-IMPORT term DEFAULT then reject

Configure Spine 2

Step-by-Step Procedure

  1. Configure the EBGP peerings in the JNPR_1 routing instance.

    content_copy zoom_out_map
    set routing-instances JNPR_1_VRF protocols bgp group INTERCONNECT type external
set routing-instances JNPR_1_VRF protocols bgp group INTERCONNECT import Interconnect_JNPR_1-IMPORT
set routing-instances JNPR_1_VRF protocols bgp group INTERCONNECT family inet unicast
set routing-instances JNPR_1_VRF protocols bgp group INTERCONNECT authentication-key "$ABC123"
set routing-instances JNPR_1_VRF protocols bgp group INTERCONNECT export Interconnect_JNPR_1-EXPORT
set routing-instances JNPR_1_VRF protocols bgp group INTERCONNECT local-as 65112
set routing-instances JNPR_1_VRF protocols bgp group INTERCONNECT multipath multiple-as
set routing-instances JNPR_1_VRF protocols bgp group INTERCONNECT bfd-liveness-detection minimum-interval 1000
set routing-instances JNPR_1_VRF protocols bgp group INTERCONNECT bfd-liveness-detection multiplier 3
set routing-instances JNPR_1_VRF protocols bgp group INTERCONNECT neighbor 192.168.191.1 peer-as 65200

  2. Configure the EBGP peerings in the JNPR_2 routing instance.

    content_copy zoom_out_map
    set routing-instances JNPR_2_VRF protocols bgp group INTERCONNECT type external
set routing-instances JNPR_2_VRF protocols bgp group INTERCONNECT import Interconnect_JNPR_2-IMPORT
set routing-instances JNPR_2_VRF protocols bgp group INTERCONNECT family inet unicast
set routing-instances JNPR_2_VRF protocols bgp group INTERCONNECT authentication-key "$ABC123"
set routing-instances JNPR_2_VRF protocols bgp group INTERCONNECT export Interconnect_JNPR_2-EXPORT
set routing-instances JNPR_2_VRF protocols bgp group INTERCONNECT local-as 65212
set routing-instances JNPR_2_VRF protocols bgp group INTERCONNECT multipath multiple-as
set routing-instances JNPR_2_VRF protocols bgp group INTERCONNECT bfd-liveness-detection minimum-interval 1000
set routing-instances JNPR_2_VRF protocols bgp group INTERCONNECT bfd-liveness-detection multiplier 3
set routing-instances JNPR_2_VRF protocols bgp group INTERCONNECT neighbor 192.168.192.1 peer-as 65200

  3. Configure the import and export policies for interconnect with the SRX device.

    content_copy zoom_out_map
    set policy-options policy-statement Interconnect_JNPR_1-EXPORT term Tenant_Routes from route-filter 192.168.0.0/16 orlonger
set policy-options policy-statement Interconnect_JNPR_1-EXPORT term Tenant_Routes then accept
set policy-options policy-statement Interconnect_JNPR_1-EXPORT term DEFAULT then reject
set policy-options policy-statement Interconnect_JNPR_1-IMPORT term Tenant_Routes from route-filter 192.168.0.0/16 orlonger
set policy-options policy-statement Interconnect_JNPR_1-IMPORT term Tenant_Routes then accept
set policy-options policy-statement Interconnect_JNPR_1-IMPORT term DEFAULT then reject

set policy-options policy-statement Interconnect_JNPR_2-EXPORT term Tenant_Routes from route-filter 192.168.0.0/16 orlonger
set policy-options policy-statement Interconnect_JNPR_2-EXPORT term Tenant_Routes then accept
set policy-options policy-statement Interconnect_JNPR_2-EXPORT term DEFAULT then reject
set policy-options policy-statement Interconnect_JNPR_2-IMPORT term Tenant_Routes from route-filter 192.168.0.0/16 orlonger
set policy-options policy-statement Interconnect_JNPR_2-IMPORT term Tenant_Routes then accept
set policy-options policy-statement Interconnect_JNPR_2-IMPORT term DEFAULT then reject

Configure the SRX Series Firewall Security Policies

Step-by-Step Procedure

  1. Configure the security policies in Zone 1 for JNPR_1.

    content_copy zoom_out_map
    set security policies from-zone JNPR_1-Zone to-zone JNPR_2-Zone policy Allow_All match source-address any
set security policies from-zone JNPR_1-Zone to-zone JNPR_2-Zone policy Allow_All match destination-address any
set security policies from-zone JNPR_1-Zone to-zone JNPR_2-Zone policy Allow_All match application any
set security policies from-zone JNPR_1-Zone to-zone JNPR_2-Zone policy Allow_All then permit

  2. Configure the security policies in Zone 1 for JNPR_2.

    content_copy zoom_out_map
    set security policies from-zone JNPR_2-Zone to-zone JNPR_1-Zone policy Allow_All match source-address any
set security policies from-zone JNPR_2-Zone to-zone JNPR_1-Zone policy Allow_All match destination-address any
set security policies from-zone JNPR_2-Zone to-zone JNPR_1-Zone policy Allow_All match application any
set security policies from-zone JNPR_2-Zone to-zone JNPR_1-Zone policy Allow_All then permit

Verify BGP on the SRX Chassis Cluster

Step-by-Step Procedure

  1. Ensure that all BGP peering sessions with the spine switches are established.

    content_copy zoom_out_map
    user@srx> show bgp summary
Groups: 1 Peers: 4 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0               
                      26         14          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
192.168.191.2         65112        113        106       0      73       47:34 Establ
  inet.0: 4/7/7/0
192.168.191.3         65113        110        107       0      41       47:35 Establ
  inet.0: 4/7/7/0
192.168.192.2         65212        111        106       0      71       47:35 Establ
  inet.0: 3/6/6/0
192.168.192.3         65213        109        106       0      34       47:35 Establ
  inet.0: 3/6/6/0

  2. Verify the SRX Series Firewall received the BGP routes from the JNPR_1 tenant.

    content_copy zoom_out_map
    user@srx> show route receive-protocol bgp 192.168.191.2 
inet.0: 18 destinations, 35 routes (18 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
  192.168.191.0/28        192.168.191.2                           65112 I
  192.168.191.1/32        192.168.191.2                           65112 I
  192.168.201.0/24        192.168.191.2                           65112 I
* 192.168.202.42/32       192.168.191.2                           65112 I
  192.168.202.0/24        192.168.191.2                           65112 I
* 192.168.251.12/32       192.168.191.2                           65112 I
  192.168.251.13/32       192.168.191.2                           65112 65100 I
    content_copy zoom_out_map
    user@srx> show route receive-protocol bgp 192.168.191.3
inet.0: 18 destinations, 35 routes (18 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
  192.168.191.0/28        192.168.191.3                           65113 I
  192.168.191.1/32        192.168.191.3                           65113 I
* 192.168.201.0/24        192.168.191.3                           65113 I
  192.168.202.42/32       192.168.191.3                           65113 I
* 192.168.202.0/24        192.168.191.3                           65113 I
  192.168.251.12/32       192.168.191.3                           65113 65100 I
* 192.168.251.13/32       192.168.191.3                           65113 I

  3. Verify the SRX Series Firewall received the BGP routes from the JNPR_2 tenant.

    content_copy zoom_out_map
    user@srx> show route receive-protocol bgp 192.168.192.2 
inet.0: 18 destinations, 35 routes (18 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
  192.168.192.0/28        192.168.192.2                           65212 I
  192.168.192.1/32        192.168.192.2                           65212 I
  192.168.211.0/24        192.168.192.2                           65212 I
  192.168.212.0/24        192.168.192.2                           65212 I
* 192.168.252.12/32       192.168.192.2                           65212 I
  192.168.252.13/32       192.168.192.2                           65212 65100 I
    content_copy zoom_out_map
    user@srx> show route receive-protocol bgp 192.168.192.3
inet.0: 18 destinations, 35 routes (18 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
  192.168.192.0/28        192.168.192.3                           65213 I
  192.168.192.1/32        192.168.192.3                           65213 I
* 192.168.211.0/24        192.168.192.3                           65213 I
* 192.168.212.0/24        192.168.192.3                           65213 I
  192.168.252.12/32       192.168.192.3                           65213 65100 I
* 192.168.252.13/32       192.168.192.3                           65213 I

  4. Verify that the SRX chassis cluster is advertising a summary route to the spine devices.

    content_copy zoom_out_map
    user@srx> show route advertising-protocol bgp 192.168.191.2 
inet.0: 18 destinations, 35 routes (18 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 192.168.0.0/16          Self                                    I
* 192.168.255.1/32        Self                                    I
    content_copy zoom_out_map
    user@srx> show route advertising-protocol bgp 192.168.191.3    
inet.0: 18 destinations, 35 routes (18 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 192.168.0.0/16          Self                                    I
* 192.168.255.1/32        Self                                    I
    content_copy zoom_out_map
    user@srx> show route advertising-protocol bgp 192.168.192.2
inet.0: 18 destinations, 35 routes (18 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 192.168.0.0/16          Self                                    I
* 192.168.255.1/32        Self                                    I
    content_copy zoom_out_map
    user@srx> show route advertising-protocol bgp 192.168.192.3
inet.0: 18 destinations, 35 routes (18 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 192.168.0.0/16          Self                                    I
* 192.168.255.1/32        Self                                    I

  5. Verify inter-tenant traffic through the SRX chassis cluster.

    In this example, Endpoint12 is part of VLAN 212 and tenant JNPR_2. Endpoint12 is pinging Endpoint2, which is part of VLAN 201 and tenant JNPR_1, as shown in Figure 4. Since this is inter-tenant traffic, this traffic goes through the active member of the SRX chassis cluster. SRX-Node0 is the active member of the SRX chassis cluster and SRX-Node1 is the passive member.

    Figure 4: Inter-Tenant Traffic Through the SRX Cluster Inter-Tenant Traffic Through the SRX Cluster

    Confirm that the flow table on the SRX Series Firewall shows this traffic traversing the SRX chassis cluster.

    content_copy zoom_out_map
    user@srx> show security flow session destination-prefix 192.168.202.42 
node0:
--------------------------------------------------------------------------

Session ID: 15548, Policy name: Allow_All/7, State: Active, Timeout: 2, Valid
  In: 192.168.212.61/623 --> 192.168.202.42/8204;icmp, Conn Tag: 0x0, If: reth1.992, Pkts: 1, Bytes: 84, 
  Out: 192.168.202.42/8204 --> 192.168.212.61/623;icmp, Conn Tag: 0x0, If: reth1.991, Pkts: 1, Bytes: 84, 

Session ID: 15551, Policy name: Allow_All/7, State: Active, Timeout: 2, Valid
  In: 192.168.212.61/624 --> 192.168.202.42/8204;icmp, Conn Tag: 0x0, If: reth1.992, Pkts: 1, Bytes: 84, 
  Out: 192.168.202.42/8204 --> 192.168.212.61/624;icmp, Conn Tag: 0x0, If: reth1.991, Pkts: 1, Bytes: 84, 

Session ID: 15555, Policy name: Allow_All/7, State: Active, Timeout: 4, Valid
  In: 192.168.212.61/625 --> 192.168.202.42/8204;icmp, Conn Tag: 0x0, If: reth1.992, Pkts: 1, Bytes: 84, 
  Out: 192.168.202.42/8204 --> 192.168.212.61/625;icmp, Conn Tag: 0x0, If: reth1.991, Pkts: 1, Bytes: 84, 
Total sessions: 3

    You have configured advanced security for your data center and confirmed that inter-tenant traffic is routed through the SRX chassis cluster.

Configure Data Center Interconnect (DCI)

Overview

Now that you have configured a collapsed spine architecture for both data centers and added advanced security to DC1, it is time to connect DC1 and DC2 using Data Center Interconnect (DCI).

Topology

In this example, there is no need to stretch Layer 2 between data centers. Inter-data center communication is routed through the SRX chassis cluster in DC1, as shown in Figure 5. The spine switches each have a WAN routing instance and are connected to the WAN between data centers. The spine switches hand off the Layer 3 routes to the WAN router (not shown in this figure).

The SRX chassic cluster is advertising a 192.168.0.0/16 subnet. The DC2 spine switches Spine 3 and Spine 4 are advertising the two subnets 192.168.221.0/24 and 192.168.222.0/24.

Figure 5: Data Center Interconnect TopologyData Center Interconnect Topology

Each SRX Series Firewall is configured with three zones that correspond to the JNPR_1, JNPR_2, and WAN routing instances. All inter-tenant traffic between JNPR_1 and JNPR_2 is routed through the SRX chassis cluster. All traffic between DC1 and DC2 is routed through the SRX chassis cluster using the WAN routing instance. Each SRX Series Firewall has individual EBGP peering with Spine 1 and Spine 2 in each of the routing instances. Figure 6 shows the EBGP peering between the spine switches and the SRX chassis cluster in DC1.

Figure 6: SRX Chassis Cluster EBGP Peering TopologySRX Chassis Cluster EBGP Peering Topology

Configuration

Configure the SRX Device

Step-by-Step Procedure

Each SRX Series Firewall must be divided into three zones that correspond to the three routing instances: JNPR_1, JNPR_2, and WAN. You already created the JNPR_1 zone and the JNPR_2 zone in Configure Advanced Security for Inter-Tenant Traffic.

  1. Add a new sub interface on Reth1 for the WAN interconnect.

    content_copy zoom_out_map
    set interfaces reth1 unit 993 description "DC1 Spine Interconnect for WAN VRF"
set interfaces reth1 unit 993 vlan-id 993
set interfaces reth1 unit 993 family inet address 192.168.193.1/28

  2. Configure the WAN security zone.

    content_copy zoom_out_map
    set security zones security-zone WAN-Zone host-inbound-traffic system-services ping
set security zones security-zone WAN-Zone host-inbound-traffic protocols bgp
set security zones security-zone WAN-Zone interfaces reth1.993

  3. Configure EBGP for the WAN security zone.

    content_copy zoom_out_map
    set protocols bgp group INTERCONNECT neighbor 192.168.193.2 peer-as 65312 
set protocols bgp group INTERCONNECT neighbor 192.168.193.3 peer-as 65313

  4. Configure the security policies. For simplicity, the security policies in this example are open. In your setup, modify the security policies as necessary.

    content_copy zoom_out_map
    set security address-book global address 192.168.221.0/24 192.168.221.0/24
set security address-book global address 192.168.222.0/24 192.168.222.0/24
    content_copy zoom_out_map
    set security policies from-zone WAN-Zone to-zone JNPR_1-Zone policy ALLOW_ALL match source-address 192.168.221.0/24
set security policies from-zone WAN-Zone to-zone JNPR_1-Zone policy ALLOW_ALL match source-address 192.168.222.0/24
set security policies from-zone WAN-Zone to-zone JNPR_1-Zone policy ALLOW_ALL match destination-address any
set security policies from-zone WAN-Zone to-zone JNPR_1-Zone policy ALLOW_ALL match application any
set security policies from-zone WAN-Zone to-zone JNPR_1-Zone policy ALLOW_ALL then permit
    content_copy zoom_out_map
    set security policies from-zone WAN-Zone to-zone JNPR_2-Zone policy ALLOW_ALL match source-address 192.168.221.0/24
set security policies from-zone WAN-Zone to-zone JNPR_2-Zone policy ALLOW_ALL match source-address 192.168.222.0/24
set security policies from-zone WAN-Zone to-zone JNPR_2-Zone policy ALLOW_ALL match destination-address any
set security policies from-zone WAN-Zone to-zone JNPR_2-Zone policy ALLOW_ALL match application any
set security policies from-zone WAN-Zone to-zone JNPR_2-Zone policy ALLOW_ALL then permit
    content_copy zoom_out_map
    set security policies from-zone JNPR_1-Zone to-zone WAN-Zone policy ALLOW_ALL match source-address any
set security policies from-zone JNPR_1-Zone to-zone WAN-Zone policy ALLOW_ALL match destination-address 192.168.222.0/24
set security policies from-zone JNPR_1-Zone to-zone WAN-Zone policy ALLOW_ALL match destination-address 192.168.221.0/24
set security policies from-zone JNPR_1-Zone to-zone WAN-Zone policy ALLOW_ALL match application any
set security policies from-zone JNPR_1-Zone to-zone WAN-Zone policy ALLOW_ALL then permit
    content_copy zoom_out_map
    set security policies from-zone JNPR_2-Zone to-zone WAN-Zone policy ALLOW_ALL match source-address any
set security policies from-zone JNPR_2-Zone to-zone WAN-Zone policy ALLOW_ALL match destination-address 192.168.222.0/24
set security policies from-zone JNPR_2-Zone to-zone WAN-Zone policy ALLOW_ALL match destination-address 192.168.221.0/24
set security policies from-zone JNPR_2-Zone to-zone WAN-Zone policy ALLOW_ALL match application any
set security policies from-zone JNPR_2-Zone to-zone WAN-Zone policy ALLOW_ALL then permit

Configure Spine Switches

Step-by-Step Procedure

  1. Configure the routing instances and irb interface on Spine 1.

    content_copy zoom_out_map
    set interfaces irb unit 993 family inet address 192.168.193.3/28
set routing-instances WAN_VRF description "VRF for tenant WAN"
set routing-instances WAN_VRF instance-type vrf
set routing-instances WAN_VRF interface et-0/0/48.0
set routing-instances WAN_VRF interface irb.993
set routing-instances WAN_VRF interface lo0.103
set routing-instances WAN_VRF route-distinguisher 192.168.253.13:103
set routing-instances WAN_VRF vrf-target target:3:65001
set routing-instances WAN_VRF vrf-table-label
set routing-instances WAN_VRF routing-options auto-export
set routing-instances WAN_VRF routing-options multipath
set routing-instances WAN_VRF protocols bgp group INTERCONNECT type external
set routing-instances WAN_VRF protocols bgp group INTERCONNECT import Interconnect_WAN-IMPORT
set routing-instances WAN_VRF protocols bgp group INTERCONNECT family inet unicast
set routing-instances WAN_VRF protocols bgp group INTERCONNECT authentication-key "$ABC123"
set routing-instances WAN_VRF protocols bgp group INTERCONNECT export Interconnect_WAN-EXPORT
set routing-instances WAN_VRF protocols bgp group INTERCONNECT local-as 65313
set routing-instances WAN_VRF protocols bgp group INTERCONNECT multipath multiple-as
set routing-instances WAN_VRF protocols bgp group INTERCONNECT bfd-liveness-detection minimum-interval 1000
set routing-instances WAN_VRF protocols bgp group INTERCONNECT bfd-liveness-detection multiplier 3
set routing-instances WAN_VRF protocols bgp group INTERCONNECT neighbor 192.168.193.1 peer-as 65200

set routing-instances WAN_VRF protocols bgp group WAN_UNDERLAY type external
set routing-instances WAN_VRF protocols bgp group WAN_UNDERLAY description "Connection to EBGP WAN_UNDERLAY"
set routing-instances WAN_VRF protocols bgp group WAN_UNDERLAY family inet unicast
set routing-instances WAN_VRF protocols bgp group WAN_UNDERLAY authentication-key "$ABC123"
set routing-instances WAN_VRF protocols bgp group WAN_UNDERLAY local-as 65313
set routing-instances WAN_VRF protocols bgp group WAN_UNDERLAY multipath multiple-as
set routing-instances WAN_VRF protocols bgp group WAN_UNDERLAY bfd-liveness-detection minimum-interval 350
set routing-instances WAN_VRF protocols bgp group WAN_UNDERLAY bfd-liveness-detection multiplier 3
set routing-instances WAN_VRF protocols bgp group WAN_UNDERLAY neighbor 192.168.100.2 peer-as 65300

  2. Configure the routing instances on Spine 2.

    content_copy zoom_out_map
    set interfaces irb unit 993 family inet address 192.168.193.2/28
set routing-instances WAN_VRF description "VRF for tenant WAN"
set routing-instances WAN_VRF instance-type vrf
set routing-instances WAN_VRF interface et-0/0/48.0
set routing-instances WAN_VRF interface irb.993
set routing-instances WAN_VRF interface lo0.103
set routing-instances WAN_VRF route-distinguisher 192.168.253.12:103
set routing-instances WAN_VRF vrf-target target:3:65001
set routing-instances WAN_VRF vrf-table-label
set routing-instances WAN_VRF routing-options auto-export
set routing-instances WAN_VRF routing-options multipath
set routing-instances WAN_VRF protocols bgp group INTERCONNECT type external
set routing-instances WAN_VRF protocols bgp group INTERCONNECT import Interconnect_WAN-IMPORT
set routing-instances WAN_VRF protocols bgp group INTERCONNECT family inet unicast
set routing-instances WAN_VRF protocols bgp group INTERCONNECT authentication-key "$ABC123"
set routing-instances WAN_VRF protocols bgp group INTERCONNECT export Interconnect_WAN-EXPORT
set routing-instances WAN_VRF protocols bgp group INTERCONNECT local-as 65312
set routing-instances WAN_VRF protocols bgp group INTERCONNECT multipath multiple-as
set routing-instances WAN_VRF protocols bgp group INTERCONNECT bfd-liveness-detection minimum-interval 1000
set routing-instances WAN_VRF protocols bgp group INTERCONNECT bfd-liveness-detection multiplier 3
set routing-instances WAN_VRF protocols bgp group INTERCONNECT neighbor 192.168.193.1 peer-as 65200

set routing-instances WAN_VRF protocols bgp group WAN_UNDERLAY type external
set routing-instances WAN_VRF protocols bgp group WAN_UNDERLAY description "Connection to EBGP WAN_UNDERLAY"
set routing-instances WAN_VRF protocols bgp group WAN_UNDERLAY family inet unicast
set routing-instances WAN_VRF protocols bgp group WAN_UNDERLAY authentication-key "$ABC123"
set routing-instances WAN_VRF protocols bgp group WAN_UNDERLAY local-as 65312
set routing-instances WAN_VRF protocols bgp group WAN_UNDERLAY multipath multiple-as
set routing-instances WAN_VRF protocols bgp group WAN_UNDERLAY bfd-liveness-detection minimum-interval 350
set routing-instances WAN_VRF protocols bgp group WAN_UNDERLAY bfd-liveness-detection multiplier 3
set routing-instances WAN_VRF protocols bgp group WAN_UNDERLAY neighbor 192.168.100.0 peer-as 65300

  3. Configure EBGP on Spine 3.

    content_copy zoom_out_map
    set protocols bgp group WAN_UNDERLAY type external
set protocols bgp group WAN_UNDERLAY description "Connection to EBGP WAN_UNDERLAY"
set protocols bgp group WAN_UNDERLAY family inet unicast
set protocols bgp group WAN_UNDERLAY authentication-key "$ABC123"
set protocols bgp group WAN_UNDERLAY export WAN_EXPORT
set protocols bgp group WAN_UNDERLAY local-as 65322
set protocols bgp group WAN_UNDERLAY multipath multiple-as
set protocols bgp group WAN_UNDERLAY bfd-liveness-detection minimum-interval 350
set protocols bgp group WAN_UNDERLAY bfd-liveness-detection multiplier 3
set protocols bgp group WAN_UNDERLAY neighbor 192.168.100.10 peer-as 65300
 
set policy-options policy-statement WAN_EXPORT term DIRECT_ROUTES from protocol direct
set policy-options policy-statement WAN_EXPORT term DIRECT_ROUTES from route-filter 192.168.221.0/24 exact
set policy-options policy-statement WAN_EXPORT term DIRECT_ROUTES from route-filter 192.168.222.0/24 exact
set policy-options policy-statement WAN_EXPORT term DIRECT_ROUTES then accept

  4. Configure EBGP on Spine 4.

    content_copy zoom_out_map
    set protocols bgp group WAN_UNDERLAY type external
set protocols bgp group WAN_UNDERLAY description "Connection to EBGP WAN_UNDERLAY"
set protocols bgp group WAN_UNDERLAY family inet unicast
set protocols bgp group WAN_UNDERLAY authentication-key "$ABC123"
set protocols bgp group WAN_UNDERLAY export WAN_EXPORT
set protocols bgp group WAN_UNDERLAY local-as 65323
set protocols bgp group WAN_UNDERLAY multipath multiple-as
set protocols bgp group WAN_UNDERLAY bfd-liveness-detection minimum-interval 350
set protocols bgp group WAN_UNDERLAY bfd-liveness-detection multiplier 3
set protocols bgp group WAN_UNDERLAY neighbor 192.168.100.16 peer-as 65300
 
set policy-options policy-statement WAN_EXPORT term DIRECT_ROUTES from protocol direct
set policy-options policy-statement WAN_EXPORT term DIRECT_ROUTES from route-filter 192.168.221.0/24 exact
set policy-options policy-statement WAN_EXPORT term DIRECT_ROUTES from route-filter 192.168.222.0/24 exact
set policy-options policy-statement WAN_EXPORT term DIRECT_ROUTES then accept

Verify DCI Routes

Step-by-Step Procedure

  1. Verify the routes on the SRX chassis cluster. The SRX should learn all the specific routes for the different subnets.

    content_copy zoom_out_map
    user@srx> show route
inet.0: 31 destinations, 37 routes (31 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
 
192.168.201.0/24   *[BGP/170] 00:59:11, localpref 100
                  	AS path: 65113 I, validation-state: unverified
                	> to 192.168.191.3 via reth1.991
192.168.201.10/32  *[BGP/170] 00:00:07, localpref 100
                  	AS path: 65113 I, validation-state: unverified
                	> to 192.168.191.3 via reth1.991
192.168.201.81/32  *[BGP/170] 00:00:07, localpref 100
                  	AS path: 65113 I, validation-state: unverified
                	> to 192.168.191.3 via reth1.991
192.168.202.0/24   *[BGP/170] 00:59:11, localpref 100
                  	AS path: 65113 I, validation-state: unverified
                	> to 192.168.191.3 via reth1.991
192.168.202.61/32  *[BGP/170] 00:59:11, localpref 100
                  	AS path: 65113 I, validation-state: unverified
                	> to 192.168.191.3 via reth1.991
192.168.202.62/32  *[BGP/170] 00:59:11, localpref 100
                  	AS path: 65113 I, validation-state: unverified
                	> to 192.168.191.3 via reth1.991
192.168.203.0/24   *[BGP/170] 00:59:11, localpref 100
                  	AS path: 65113 I, validation-state: unverified
                	> to 192.168.191.3 via reth1.991
192.168.203.61/32  *[BGP/170] 00:15:09, localpref 100
                  	AS path: 65113 I, validation-state: unverified
                	> to 192.168.191.3 via reth1.991
192.168.211.0/24   *[BGP/170] 00:34:09, localpref 100
                  	AS path: 65213 I, validation-state: unverified
                	> to 192.168.192.3 via reth1.992
192.168.212.0/24   *[BGP/170] 00:34:09, localpref 100
                  	AS path: 65213 I, validation-state: unverified
                	> to 192.168.192.3 via reth1.992
192.168.221.0/24   *[BGP/170] 00:25:07, localpref 100
                  	AS path: 65313 65300 65322 I, validation-state: unverified
                	> to 192.168.193.3 via reth1.993
192.168.222.0/24   *[BGP/170] 00:25:07, localpref 100
                  	AS path: 65313 65300 65322 I, validation-state: unverified
                	> to 192.168.193.3 via reth1.993

  2. Verify the routes on Spine 1 and Spine 2. The SRX cluster advertises the 192.168.0.0/16 summary route to the spine devices on all the VRFs. All inter-VRF traffic and DCI traffic goes through the SRX chassis cluster.

    content_copy zoom_out_map
    user@spine1> show route 192.168.0.0
JNPR_1_VRF.inet.0: 19 destinations, 23 routes (19 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
 
192.168.0.0/16 	*[BGP/170] 01:05:15, localpref 100
                  	AS path: 65200 I, validation-state: unverified
                	>  to 192.168.191.1 via irb.991
 
JNPR_2_VRF.inet.0: 13 destinations, 16 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
 
192.168.0.0/16 	*[BGP/170] 00:40:12, localpref 100
                  	AS path: 65200 I, validation-state: unverified
                	>  to 192.168.192.1 via irb.992
 
WAN_VRF.inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
 
192.168.0.0/16 	*[BGP/170] 01:04:59, localpref 100
                  	AS path: 65200 I, validation-state: unverified
                	>  to 192.168.193.1 via irb.993

  3. Verify the routes on Spine 3 and Spine 4. The DC2 spine devices receive the aggregate route from the WAN VRFs on the DC1 spine devices. All traffic between the two data centers is routed through the SRX chassis cluster.

    content_copy zoom_out_map
    user@spine3> show route 192.168.0.0
inet.0: 24 destinations, 26 routes (21 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
 
192.168.0.0/16  	[BGP ] 00:11:47
                  	AS path: 65300 65313 65200 I, validation-state: unverified
                	>  to 192.168.100.10 via et-0/0/30.0

    You have connected your collapsed spine data center networks with DCI.

arrow_backward PREVIOUS How to Configure a Collapsed Spine with EVPN Multihoming
NEXT arrow_forward Optional Configurations: DHCP Relay and Multicast
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top