Having fun with the vSRX

Lagging behind with the vSRX (I actually never used it up until now) I decided to play around with it a bit. Apart from trying it out as a firewall, I wanted to see if I could do some interesting labs with the vSRX. I figured that 10 or so vSRXs would make for a nice lab suitable to train others.

After getting a trial here I connected a vSRX to an environment I already had running:

I wanted to test a few things and got most of what I wanted to try working. As soon as the vSRX started, I turned the firewall into a router. This can be done in the following way:

configure
delete security
set security forwarding-options family mpls mode packet-based
set security forwarding-options family iso mode packet-based
commit and-quit

After committing this and performing a reboot, the vSRX was ready to be turned into a PE. Most of the things worked straight away. IS-IS, BGP, MPLS and RSVP (with link-protection) were not an issue. After that, I tried an MPLS VPN. This also worked instantaneously. I could ping to and fro between different locations.

Next stop was VPLS, both the LDP as well as the BGP signaled one. I tunneled LDP over RSVP and activated the l2vpn family under BGP. Well, so far, so good. I then configured two routing-instances, one LDP and one using BGP. Routes and labels were exchanged and both instances came up, nice!

I wanted to wrap things up and send a ping through the VPLS and that was where I hit a wall. I did not manage to send any traffic through the VPLS. I tried everything I could think of (static ARP entries, no-mac-learning, turning on traceoptions and more) but I just could not get it working. I guess that for training purposes, getting a VPLS in the state ‘Up’ will still suffice though.

For a more advanced training (or one involving switching or CoS) this is not really going to work. Anyway, the following was the configuration of my vSRX:

play@VSRX-01> show configuration
## Last commit: 2015-07-23 12:05:12 UTC by play
version 12.1X47-D20.7;
system {
    host-name VSRX-01;
    root-authentication {
        encrypted-password "$lalala."; ## SECRET-DATA
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.2/30;
            }
        }
    }
    ge-0/0/1 {
        description vSRX-TRUNK;
        flexible-vlan-tagging;
        unit 996 {
            description Hadrian;
            vlan-id 996;
            family inet {
                address 192.168.1.14/30;
            }
            family iso;
            family mpls;
        }
        unit 997 {
            vlan-id 997;
            family inet {
                address 192.168.1.10/30;
            }
            family iso;
            family mpls;
        }
        unit 998 {
            vlan-id 998;
            family inet {
                address 192.168.1.6/30;
            }
        }
        inactive: unit 999 {
            description vCPE;
            vlan-id 999;
            family inet {
                address 192.168.1.2/30;
            }
        }
    }
    ge-0/0/2 {
        vlan-tagging;
        encapsulation vlan-vpls;
        unit 0 {
            encapsulation vlan-vpls;
            vlan-id 995;
            family vpls;
        }
        unit 1 {
            encapsulation vlan-vpls;
            vlan-id 994;
            family vpls;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 1.1.1.253/32;
            }
            family iso {
                address 49.0010.0010.0100.1253.00;
            }
        }
        unit 4000 {
            family inet {
                address 1.1.1.253/32;
            }
        }
    }
}
routing-options {
    autonomous-system 1;
}
protocols {
    rsvp {
        interface ge-0/0/1.997 {
            authentication-key "$9$Qg303A0B1hKMX690Icr8LgoJGkPpu1cSeTzhrlK7N"; ## SECRET-DATA
            aggregate;
            reliable;
            link-protection;
        }
        interface ge-0/0/1.996 {
            authentication-key "$9$Qg303A0B1hKMX690Icr8LgoJGkPpu1cSeTzhrlK7N"; ## SECRET-DATA
            aggregate;
            reliable;
            link-protection;
        }
    }
    mpls {
        revert-timer 120;
        label-switched-path to_Commodus {
            to 1.1.1.4;
            node-link-protection;
            primary via_Septimus;
            secondary via_Hadrian {
                standby;
            }
        }
        label-switched-path to_Tiberius {
            to 1.1.1.9;
            ldp-tunneling;
            node-link-protection;
            primary via_Hadrian;
            secondary via_Septimus {
                standby;
            }
        }
        label-switched-path to_Aether {
            to 1.1.1.254;
            node-link-protection;
            primary via_Hadrian;
            secondary via_Septimus {
                standby;
            }
        }
        label-switched-path to_MX104 {
            to 1.1.1.20;
            node-link-protection;
            primary via_Hadrian;
            secondary via_Septimus {
                standby;
            }
        }
        path via_Hadrian {
            192.168.1.13 strict;
        }
        path via_Septimus {
            192.168.1.9 strict;
        }
        interface ge-0/0/1.997;
        interface ge-0/0/1.996;
    }
    bgp {
        local-address 1.1.1.253;
        out-delay 2;
        log-updown;
        group rr {
            type internal;
            family inet-vpn {
                unicast;
            }
            family l2vpn {
                signaling;
            }
            authentication-key "$9$4EZUiPfQz3/uOrKMXdV"; ## SECRET-DATA
            peer-as 1;
            neighbor 1.1.1.1 {
                description Aurelius_rr;
            }
        }
    }
    isis {
        traffic-engineering {
            family inet {
                shortcuts;
            }
        }
        level 2 {
            authentication-key "$9$0Uz1OESrlMXNbKMDkqmF3"; ## SECRET-DATA
            authentication-type md5;
            wide-metrics-only;
        }
        interface ge-0/0/1.996 {
            point-to-point;
            level 1 disable;
        }
        interface ge-0/0/1.997 {
            point-to-point;
            level 1 disable;
        }
        interface lo0.0 {
            level 1 disable;
        }
    }
    ldp {
        interface lo0.0;
    }
}
security {
    forwarding-options {
        family {
            mpls {
                mode packet-based;
            }
            iso {
                mode packet-based;
            }
        }
    }
}
routing-instances {
    bgp-signaled-vpls {
        instance-type vpls;
        vlan-id 995;
        interface ge-0/0/2.0;
        route-distinguisher 2:2;
        vrf-target target:2:2;
        protocols {
            vpls {
                traceoptions {
                    file vpls-y-u-no-work;
                    flag all;
                }
                site-range 3;
                no-tunnel-services;
                site vSRX {
                    site-identifier 1;
                }
                connectivity-type permanent;
            }
        }
    }
    ipvpn {
        instance-type vrf;
        interface ge-0/0/0.0;
        interface lo0.4000;
        route-distinguisher 1:1;
        vrf-target target:1:1;
        vrf-table-label;
    }
    ldp-signaled-vpls {
        instance-type vpls;
        interface ge-0/0/2.1;
        protocols {
            vpls {
                no-tunnel-services;
                vpls-id 1;
                neighbor 1.1.1.9;
                connectivity-type permanent;
            }
        }
    }
}
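Two things a reader may want to do with a configuration like the one above before reusing or sharing it: confirm that the packet-mode statements from the "turn the firewall into a router" step are actually present, and strip the values on the lines Junos tags with `## SECRET-DATA` (a `$9$` authentication key is obfuscated, not hashed, so it should not leave the lab as-is). The following Python script is an added example, not code from the post or from Juniper; it parses the curly-brace `show configuration` format into flat `set`-style paths, checks for the two `mode packet-based` statements, and redacts secret values. The embedded configuration is a constructed excerpt in the same format, with a placeholder in place of a real key.

```python
import re

# Constructed excerpt in the same curly-brace format as the post's "show configuration"
# output (sample data with a placeholder key, not the post's full configuration).
SAMPLE_CONFIG = """\
## Last commit: 2015-07-23 12:05:12 UTC by play
version 12.1X47-D20.7;
system {
    host-name VSRX-01;
    root-authentication {
        encrypted-password "$lalala."; ## SECRET-DATA
    }
}
interfaces {
    ge-0/0/1 {
        inactive: unit 999 {
            vlan-id 999;
        }
    }
}
protocols {
    rsvp {
        interface ge-0/0/1.997 {
            authentication-key "$9$PLACEHOLDER-NOT-A-REAL-KEY"; ## SECRET-DATA
            link-protection;
        }
    }
}
security {
    forwarding-options {
        family {
            mpls {
                mode packet-based;
            }
            iso {
                mode packet-based;
            }
        }
    }
}
"""

# The two statements the post sets to switch the vSRX from flow mode to packet mode.
PACKET_MODE_PATHS = {
    "security forwarding-options family mpls mode packet-based",
    "security forwarding-options family iso mode packet-based",
}


def flatten(config_text):
    """Turn curly-brace Junos config into a list of flat 'set'-style paths.

    Comments (anything after '##') are dropped, and an 'inactive:' prefix on a
    block is kept in the path so deactivated stanzas stay distinguishable.
    """
    stack, paths = [], []
    for raw in config_text.splitlines():
        line = raw.split("##", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        else:
            paths.append(" ".join(stack + [line.rstrip(";")]))
    return paths


def is_packet_mode(paths):
    """True when both MPLS and ISO families are packet-based, as in the post."""
    return PACKET_MODE_PATHS.issubset(set(paths))


def redact_secrets(config_text):
    """Replace every quoted value on a '## SECRET-DATA' line; returns (text, count)."""
    count, out = 0, []
    for raw in config_text.splitlines():
        if "## SECRET-DATA" in raw:
            raw, n = re.subn(r'"[^"]*"', '"<REDACTED>"', raw)
            count += n
        out.append(raw)
    return "\n".join(out) + "\n", count


if __name__ == "__main__":
    flat = flatten(SAMPLE_CONFIG)
    print("packet mode:", is_packet_mode(flat))
    redacted, n = redact_secrets(SAMPLE_CONFIG)
    print(f"redacted {n} secret value(s)")
    print(redacted)
```

Run it against a real `show configuration` capture by replacing `SAMPLE_CONFIG` with the file contents; `flatten` is also a convenient way to diff two Junos configurations line by line.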

23-7-2015