Hello all,

I would like to ask your opinion on routing between VPLS instances on the SRX platform. I have 3 routers, 2x MX104 and an SRX240 (SRX550 works in the same manner), in an MPLS domain using RSVP. There are two VPLS instances: VPLS1 between MX1 and the SRX, and VPLS2 between MX2 and the SRX. The VPLSs are configured with BGP signalling and work well. There is also an L3 (vrf) instance on the SRX router. L3 interfaces from both VPLSs are terminated in this VRF instance using an LT interface, like this:

    unit 4 {
        encapsulation vlan-vpls;
        vlan-id 1060;
        peer-unit 5;
    }
    unit 5 {
        encapsulation vlan;
        vlan-id 1060;
        peer-unit 4;
        family inet {
            mtu 1500;
            address 10.60.0.1/24;
        }
    }
    unit 6 {
        encapsulation vlan-vpls;
        vlan-id 1061;
        peer-unit 7;
    }
    unit 7 {
        encapsulation vlan;
        vlan-id 1061;
        peer-unit 6;
        family inet {
            mtu 1500;
            filter {
                output 60_to_61;
            }
            address 10.61.0.1/24;
        }
    }

VPLS conf on SRX:

    VPLS-V1060 {
        instance-type vpls;
        interface lt-0/0/0.4;
        interface ge-0/0/3.1060;
        route-distinguisher 21.270.16.81:1060;
        vrf-target target:24136:1060;
        protocols {
            vpls {
                site-range 4;
                mac-table-size {
                    64;
                    packet-action drop;
                }
                no-tunnel-services;
                site srx240-1060 {
                    site-identifier 2;
                    interface ge-0/0/3.1060;
                    interface lt-0/0/0.4;
                }
                connectivity-type ce;
            }
        }
    }

VRF conf on SRX:

    TEST-L3VPN {
        instance-type vrf;
        interface lt-0/0/0.5;
        interface lt-0/0/0.7;
        route-distinguisher 21.270.16.81:1062;
        vrf-target target:24136:1062;
        vrf-table-label;
        routing-options {
            maximum-prefixes 100 threshold 90 log-interval 3600;
        }
    }

lt-0/0/0.4 (and 6) is defined under the VPLS instance, lt-0/0/0.5 (and 7) is defined in the VRF instance. The IP address of LT unit 5 (and unit 7 for the second VPLS) is the gateway for devices in the appropriate VLAN (VPLS). There are also external interfaces to servers and other devices in the VPLS instances.

I'm expecting packets to be forwarded from one VPLS to the other and vice versa with this configuration. But that is not the case in some cases/traffic directions. When pinging between VLANs (VPLSs) with packets originated and terminated on the remote sides of the VPLSs (example: input interface lt-0/0/0.5 and output interface lt-0/0/0.7, from the SRX point of view), it doesn't work. I have a port mirror on the switch on the SRX uplink and I can see valid incoming packets from the remote side of VPLS1 with a valid MPLS/VPLS label, etc.

I also have a firewall filter on the outgoing lt-0/0/0.7 interface for logging outgoing traffic, and it is incrementing/logging:

    20:07:16 pfe A lt-0/0/0.5 ICMP 10.60.0.251 10.61.0.251
    20:07:15 pfe A lt-0/0/0.5 ICMP 10.60.0.251 10.61.0.251
    20:07:14 pfe A lt-0/0/0.5 ICMP 10.60.0.251 10.61.0.251

But there are no corresponding outgoing packets on the SRX uplink to the VPLS2 endpoint.

Other communication between the VPLSs works, for example:

1) ping between VLANs (VPLSs) originated and terminated on local interfaces (for example iif ge-0/0/3.1060 and oif ge-0/0/4.1061) and vice versa works ok
2) ping between VLANs (VPLSs) originated on the remote side of a VPLS and terminated on a local interface (for example iif lt-0/0/0.5 and oif ge-0/0/4.1061) and vice versa works ok
3) ping between VLANs (VPLSs) originated on the remote side of a VPLS and terminated on the lt interface (iif lt-0/0/0.5 and pointed to local 10.61.0.1 (lt-0/0/0.7)) and vice versa works ok

It looks like a problem with traffic originated and terminated in the VPLS tunnel (routing from one remote VPLS endpoint to another remote VPLS endpoint). Does anybody have experience with this or a similar issue? It looks like a bug to me (or some SRX platform limitation), because the output firewall filter catches (and accepts) the given traffic, but this traffic is missing on the physical link.

It is on an SRX240B. I tried upgrading from 12.1X46-D40.2 to 12.1X46-D50.4; the problem persists. I have the same problem also on an SRX550 with 12.1X46-D40.2.

I really appreciate your help/opinion.

Best regards,
Daniel

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
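The diagnostic step Daniel describes, a filter that accepts and counts a flow while the port mirror on the uplink never shows it, can be turned into a small correlation check. The following Python script is an added example and is not part of the original post or any Juniper tool: it parses firewall-log lines in the same shape as the three entries above, aggregates the accepted flows, and reports those that never appear in a packet list taken from the mirror. Both the log text and the mirrored packet list are constructed sample data; the real mirror output would first need its MPLS/VPLS labels stripped and the inner IP headers extracted (for example with a packet capture tool), which this example assumes has already been done.

```python
import re
from collections import Counter

# Constructed sample in the shape of the post's 'show firewall log' lines:
# "<time> <source> <action> <interface> <protocol> <src> <dst>".
# The three lt-0/0/0.5 entries mirror the post; the fourth flow is added so
# that the correlation has one flow that does reach the uplink.
FILTER_LOG = """\
20:07:16 pfe A lt-0/0/0.5 ICMP 10.60.0.251 10.61.0.251
20:07:15 pfe A lt-0/0/0.5 ICMP 10.60.0.251 10.61.0.251
20:07:14 pfe A lt-0/0/0.5 ICMP 10.60.0.251 10.61.0.251
20:07:14 pfe A ge-0/0/3.1060 ICMP 10.60.0.10 10.61.0.20
"""

# Constructed stand-in for the inner IP headers seen on the mirrored SRX uplink
# (after label stripping): one (protocol, src, dst) tuple per packet.
MIRRORED_UPLINK = [
    ("ICMP", "10.60.0.10", "10.61.0.20"),
    ("ICMP", "10.61.0.20", "10.60.0.10"),
]

LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<source>\S+)\s+(?P<action>[AD])\s+"
    r"(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)$"
)


def parse_filter_log(text):
    """Parse firewall-log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def accepted_flows(entries):
    """Count flows the filter accepted (action 'A'), keyed by (proto, src, dst, in_iface)."""
    counts = Counter()
    for e in entries:
        if e["action"] == "A":
            counts[(e["proto"], e["src"], e["dst"], e["iface"])] += 1
    return counts


def flows_missing_on_uplink(entries, mirrored):
    """Return accepted flows that never appear in the mirrored uplink packets.

    A flow the output filter accepted but that is absent from the physical link
    is exactly the symptom in the post: the filter counter increments while
    nothing leaves towards the remote VPLS endpoint.
    """
    seen = {(p, s, d) for p, s, d in mirrored}
    missing = []
    for (proto, src, dst, iface), n in sorted(accepted_flows(entries).items()):
        if (proto, src, dst) not in seen:
            missing.append({"proto": proto, "src": src, "dst": dst,
                            "in_iface": iface, "accepted": n})
    return missing


if __name__ == "__main__":
    for flow in flows_missing_on_uplink(parse_filter_log(FILTER_LOG), MIRRORED_UPLINK):
        print("accepted {accepted}x on {in_iface} but not seen on uplink: "
              "{proto} {src} -> {dst}".format(**flow))
```

Run against the sample data it reports only the 10.60.0.251 to 10.61.0.251 flow (accepted three times on lt-0/0/0.5, absent from the mirror), which is the flow the post describes. Keying on the ingress interface as well as the 3-tuple keeps locally originated traffic (case 1 above) separate from traffic that arrived over the VPLS, so the two can be compared side by side.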