Hello all,
I would like to ask you about opinion on routing between VPLS instances
on the SRX platform. I have 3 routers, 2x MX104 and SRX240 (SRX550 works
in the same manner) in MPLS domain using RSVP. There are two VPLS
instances. VPLS1 between MX1 and SRX and VPLS2 between MX2 and SRX. VPLS
are configured with BGP signalling and works good. There is also L3
(vrf) instance on SRX router. There are terminated L3 ifaces from both
VPLS using LT interface in this VRF instance, like this:
unit 4 {
encapsulation vlan-vpls;
vlan-id 1060;
peer-unit 5;
}
unit 5 {
encapsulation vlan;
vlan-id 1060;
peer-unit 4;
family inet {
mtu 1500;
address 10.60.0.1/24;
}
}
unit 6 {
encapsulation vlan-vpls;
vlan-id 1061;
peer-unit 7;
}
unit 7 {
encapsulation vlan;
vlan-id 1061;
peer-unit 6;
family inet {
mtu 1500;
filter {
output 60_to_61;
}
address 10.61.0.1/24;
}
}
__VPLS conf on SRX:__
VPLS-V1060 {
instance-type vpls;
interface lt-0/0/0.4;
interface ge-0/0/3.1060;
route-distinguisher 21.270.16.81:1060;
vrf-target target:24136:1060;
protocols {
vpls {
site-range 4;
mac-table-size {
64;
packet-action drop;
}
no-tunnel-services;
site srx240-1060 {
site-identifier 2;
interface ge-0/0/3.1060;
interface lt-0/0/0.4;
}
connectivity-type ce;
}
}
}
__VRF conf on SRX:__
TEST-L3VPN {
instance-type vrf;
interface lt-0/0/0.5;
interface lt-0/0/0.7;
route-distinguisher 21.270.16.81:1062;
vrf-target target:24136:1062;
vrf-table-label;
routing-options {
maximum-prefixes 100 threshold 90 log-interval 3600;
}
}
lt-0/0/0.4 (and 6) is defined under VPLS instance, lt-0/0/0.5 (and 7) is
defined in the VRF instance. IP adresses of LT unit 5 (and unit 7 for
second VPLS) is gateway for devices in appropriates VLAN (VPLS). There
are also external ifaces to servers and other devices in the VPLSs
instances.
I'm expecting packets forwarding from one VPLS to another and vice versa
with this configuration. But it is not true in some cases/traffic
direction.
When pinging between VLANs (VPLSs) originated and terminated packets on
the remote sides of VPLSs ( example input iface: lt-0/0/0.5 and output
iface: lt-0/0/0.7 from SRX point of view), it doesn't work.
I have port mirror on the switch on SRX uplink and i can see valid
incoming packets from remote side VPLS1 with valid MPLS/VPLS label, etc.
I also have firewall filter on outgoing lt-0/0/0.7 interface for logging
outgoing traffic and it is incrementing/logging:
20:07:16 pfe A lt-0/0/0.5ICMP10.60.0.251
10.61.0.251
20:07:15 pfe A lt-0/0/0.5ICMP10.60.0.251
10.61.0.251
20:07:14 pfe A lt-0/0/0.5ICMP10.60.0.251
10.61.0.251
But there is no corresponding outgoing packets on SRX uplinks to VPLS2
endpoint.
Another communication between VPLS works, for example:
1) ping between VLANs (VPLSs) originated and terminated on local
interface (for example iif ge-0/0/3.1060 and oif ge-0/0/4.1061) and vice
versa works ok
2) ping between VLANs (VPLSs) originated on remote side of VPLS and
terminated on local iface (for example iif lt-0/0/0.5 and oif
ge-0/0/4/1061) and vice versa works ok
3) ping between VLANs (VPLSs) originated on remote side of VPLS and
terminated on lt iface ( iif lt-0/0/0.5 and pointed to local 10.61.0.1
(lt-0/0/0.7) and vice versa works ok
It looks like problem with traffic originated and terminated in VPLS
tunnel (routing from one remote VPLS endpoint to another remote VPLS
endpoint). Has somebody experience with this or similar issue? It looks
like bug for me (or some SRX platform limitation), because output
firewall filter catch (and accept) given traffic, but this traffic
missing on physical link.
It is on SRX240B. I tried upgrade from 12.1X46-D40.2 to 12.1X46-D50.4,
problem persist. The same problem have also on SRX550 with 12.1X46-D40.2
I really appreciate your help/opinion.
Best regards,
Daniel
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
