Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
juniper contrail opencontrail vsrx openstack vmx

Doc

Tasks

licences

Purchase/get licences from: https://www.juniper.net/support/downloads/?p=vsrx

adjust VRF and RT

TODO, adjust VRF and RT, based on the Floating ranges and public network configuration

add contrail controllers as bgp peers

TODO, add contrail controllers as bgp peers - section contrail_mcp_control

version 15.1X49-D70.3;
system {
host-name vSRX-pri;
domain-name lab.cloud.corp;
domain-search lab.cloud.corp;
backup-router 10.68.235.30;
time-zone Europe/Berlin;
root-authentication {
encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
}
name-server {
10.17.122.10;
10.17.121.30;
}
login {
user netconf {
uid 2000;
class super-user;
}
}
services {
ssh;
netconf {
ssh;
traceoptions {
file nc;
}
}
web-management {
http {
interface fxp0.0;
}
}
}
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
server 10.17.122.25;
server 10.4.12.100;
}
}
security {
forwarding-options {
family {
mpls {
mode packet-based;
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
inactive: policies {
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
tcp-rst;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone untrust {
screen untrust-screen;
}
}
}
interfaces {
ge-0/0/0 {
mtu 9192;
unit 0 {
family inet {
address 10.0.1.252/24;
}
family mpls;
}
}
ge-0/0/1 {
mtu 9192;
unit 0 {
family inet {
address 10.0.2.252/24 {
vrrp-group 2 {
virtual-address 10.0.2.254;
priority 254;
accept-data;
authentication-type md5;
authentication-key "$xxxxxxxxxxxxxxxxx"; ## SECRET-DATA
track {
interface ge-0/0/0 {
priority-cost 200;
}
}
}
}
}
family mpls;
}
}
ge-0/0/2 {
mtu 9192;
unit 0 {
family inet {
address 155.56.44.28/27;
}
}
}
ge-0/0/3 {
unit 0 {
family inet {
address 172.16.172.36/27;
}
}
}
fxp0 {
unit 0 {
family inet {
address 10.68.235.252/24;
}
}
}
lo0 {
unit 1 {
family inet {
address 10.100.100.100/32;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 10.68.235.30;
route 10.0.1.0/24 next-table mcp-public.inet.0;
route 10.0.2.0/24 next-table mcp-public.inet.0;
}
router-id 10.0.1.252;
route-distinguisher-id 10.0.1.252;
autonomous-system 64512;
dynamic-tunnels {
mcp_dynamic_overlay_tunnels {
source-address 10.0.1.252;
gre;
destination-networks {
10.0.1.21/32;
10.0.1.22/32;
10.0.1.23/32;
10.0.2.0/24;
}
}
}
}
protocols {
mpls {
interface all;
}
bgp {
group contrail_mcp_control {
type internal;
local-address 10.0.1.252;
keep all;
mtu-discovery;
family inet-vpn {
unicast;
}
family inet6-vpn {
unicast;
}
family evpn {
signaling;
}
family route-target;
peer-as 64512;
neighbor 10.0.1.21;
neighbor 10.0.1.22;
neighbor 10.0.1.23;
}
}
}
routing-instances {
mcp-public {
instance-type vrf;
interface ge-0/0/2.0;
interface lo0.1;
vrf-target target:64512:10000;
vrf-table-label;
routing-options {
static {
route 0.0.0.0/0 next-hop 155.56.44.30;
route 172.16.172.32/27 discard;
route 192.1.0.0/16 discard;
}
router-id 10.0.1.252;
autonomous-system 64512;
auto-export {
family inet {
unicast;
}
family inet6 {
unicast;
}
}
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.