
@versionsix
Forked from epcim/juniper-vsrx-contrail.md
Created June 6, 2019 14:28
juniper contrail opencontrail vsrx openstack vmx

Doc

Tasks

licences

Purchase/get licences from: https://www.juniper.net/support/downloads/?p=vsrx

adjust VRF and RT

TODO: adjust the VRF and its route target (RT) to match the floating IP ranges and the public network configuration.

add contrail controllers as bgp peers

TODO: add the Contrail controllers as BGP peers in the `contrail_mcp_control` group under `protocols bgp`.

/* Junos release this configuration was saved from. NOTE(review): confirm the release is still supported and patched before reusing this template. */
version 15.1X49-D70.3;
/* System-level settings: identity, authentication, management services, logging, licensing and time. */
system {
host-name vSRX-pri;
domain-name lab.cloud.corp;
domain-search lab.cloud.corp;
/* Same address as the inet.0 static default route; it sits in the fxp0 (10.68.235.0/24) subnet. */
backup-router 10.68.235.30;
time-zone Europe/Berlin;
root-authentication {
/* Value is redacted in this listing. Keep it that way: a published password hash can be attacked offline. */
encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
}
name-server {
10.17.122.10;
10.17.121.30;
}
login {
/* Automation account with the full-privilege super-user class. */
/* NOTE(review): no authentication statement is visible for this user (possibly stripped for publication) - confirm key-based authentication is configured and consider a narrower login class. */
user netconf {
uid 2000;
class super-user;
}
}
services {
/* SSH is enabled with no options shown. NOTE(review): consider restricting root login, rate/connection limits and the source addresses allowed to reach it. */
ssh;
/* NETCONF over SSH, with session tracing written to the file "nc". */
netconf {
ssh;
traceoptions {
file nc;
}
}
/* J-Web over plain HTTP, limited to the fxp0.0 management interface. */
/* NOTE(review): credentials cross the management network unencrypted; prefer the https form of this stanza if J-Web is needed at all. */
web-management {
http {
interface fxp0.0;
}
}
}
/* Logging is local only: emergencies to all logged-in users, everything to "messages", CLI commands to "interactive-commands". */
/* NOTE(review): no remote syslog host is configured here, so there is no off-box copy of authorization and command logs - confirm whether forwarding to a collector is required. */
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
/* Licence keys are refreshed automatically from the URL below (outbound HTTPS from the device). */
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
/* Two NTP servers, no authentication key shown. NOTE(review): confirm whether NTP authentication is expected in this environment. */
ntp {
server 10.17.122.25;
server 10.4.12.100;
}
}
/* Security services: forwarding mode, screens, policies and zones. */
security {
forwarding-options {
family {
/* MPLS traffic is handled in packet-based mode rather than flow mode. */
/* NOTE(review): in packet-based mode the stateful flow services (zone policies, screens) are presumably not applied to this traffic - confirm for this release and do not rely on this device as a stateful firewall. */
mpls {
mode packet-based;
}
}
}
screen {
/* Screen profile covering ping-of-death, source-route option, teardrop, SYN flood and LAND checks. */
/* It is bound only to the untrust zone, which lists no interfaces in this configuration, so as written it is attached to no interface. */
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
/* The whole policies stanza is marked inactive, so neither policy below is in effect. */
/* If it is ever reactivated, both policies permit any source, destination and application (trust to trust, trust to untrust). */
inactive: policies {
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
/* Only ge-0/0/0.0 and ge-0/0/1.0 are assigned to a zone; ge-0/0/2.0 and ge-0/0/3.0 appear in no zone in this listing. */
security-zone trust {
tcp-rst;
interfaces {
/* "system-services all" accepts every system service destined to the device on this interface. */
/* NOTE(review): consider listing only the services actually needed (for example ssh and netconf). */
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
/* Zone carries the screen profile but has no interfaces assigned. */
security-zone untrust {
screen untrust-screen;
}
}
}
/* Interface addressing. No firewall filter is attached to any interface or to lo0 in this listing. */
/* NOTE(review): confirm whether a control-plane protection filter is applied elsewhere. */
interfaces {
/* 10.0.1.252 is also used as router-id, BGP local-address and dynamic-tunnel source in this configuration. */
ge-0/0/0 {
mtu 9192;
unit 0 {
family inet {
address 10.0.1.252/24;
}
family mpls;
}
}
ge-0/0/1 {
mtu 9192;
unit 0 {
family inet {
address 10.0.2.252/24 {
/* VRRP group 2 for virtual address 10.0.2.254; accept-data lets the router answer traffic sent to the virtual address. */
vrrp-group 2 {
virtual-address 10.0.2.254;
priority 254;
accept-data;
/* MD5 authentication for VRRP advertisements; the key is redacted here and must stay out of published copies. */
authentication-type md5;
authentication-key "$xxxxxxxxxxxxxxxxx"; ## SECRET-DATA
/* If ge-0/0/0 goes down the priority drops by 200 (254 -> 54). */
track {
interface ge-0/0/0 {
priority-cost 200;
}
}
}
}
}
family mpls;
}
}
/* Member of the mcp-public routing instance. The address is not in a private (RFC 1918) range. */
/* NOTE(review): if this is a real allocation, consider sanitising it before sharing the configuration. */
ge-0/0/2 {
mtu 9192;
unit 0 {
family inet {
address 155.56.44.28/27;
}
}
}
/* Not referenced by any zone or routing instance in this listing. */
ge-0/0/3 {
unit 0 {
family inet {
address 172.16.172.36/27;
}
}
}
/* Management interface; J-Web (HTTP) is bound to fxp0.0 in the system services stanza. */
fxp0 {
unit 0 {
family inet {
address 10.68.235.252/24;
}
}
}
/* lo0.1 is placed in the mcp-public routing instance. */
lo0 {
unit 1 {
family inet {
address 10.100.100.100/32;
}
}
}
}
/* Global routing: static routes, router identity, AS number and the dynamic GRE tunnels. */
routing-options {
static {
/* Default route of the main table points at 10.68.235.30, which is in the fxp0 management subnet. */
/* NOTE(review): confirm that sending default-routed traffic via the management network is intended. */
route 0.0.0.0/0 next-hop 10.68.235.30;
/* Lookups for these two subnets are handed to the mcp-public VRF table. */
route 10.0.1.0/24 next-table mcp-public.inet.0;
route 10.0.2.0/24 next-table mcp-public.inet.0;
}
router-id 10.0.1.252;
route-distinguisher-id 10.0.1.252;
/* 64512 is in the private-use AS range. */
autonomous-system 64512;
dynamic-tunnels {
/* GRE tunnels are created on demand from 10.0.1.252 towards the listed destinations. */
/* The three /32 entries match the BGP neighbors in group contrail_mcp_control; 10.0.2.0/24 covers the whole ge-0/0/1 subnet. */
/* NOTE(review): GRE provides no encryption or authentication - the overlay relies on the underlay network being isolated; keep the destination list as narrow as possible. */
mcp_dynamic_overlay_tunnels {
source-address 10.0.1.252;
gre;
destination-networks {
10.0.1.21/32;
10.0.1.22/32;
10.0.1.23/32;
10.0.2.0/24;
}
}
}
}
/* Control-plane protocols: MPLS and the iBGP sessions in group contrail_mcp_control. */
protocols {
/* MPLS is enabled for "all" interfaces; only ge-0/0/0 and ge-0/0/1 carry family mpls in this listing. */
/* NOTE(review): consider naming those interfaces explicitly so the management and public-facing interfaces are excluded by construction. */
mpls {
interface all;
}
bgp {
/* Internal BGP (peer-as equals the local AS 64512) to three neighbors, exchanging L3VPN, EVPN and route-target families. */
/* NOTE(review): no authentication-key is visible in this group (possibly stripped for publication) - confirm the sessions are authenticated or that the 10.0.1.0/24 segment is otherwise protected. */
group contrail_mcp_control {
type internal;
local-address 10.0.1.252;
/* "keep all" retains every route learned from these peers, including ones no local VRF imports. */
keep all;
mtu-discovery;
family inet-vpn {
unicast;
}
family inet6-vpn {
unicast;
}
family evpn {
signaling;
}
family route-target;
peer-as 64512;
neighbor 10.0.1.21;
neighbor 10.0.1.22;
neighbor 10.0.1.23;
}
}
}
/* Routing instances: a single VRF, mcp-public, holding the public-facing interface. */
routing-instances {
mcp-public {
instance-type vrf;
interface ge-0/0/2.0;
interface lo0.1;
/* One route target used for both import and export. Any VPN route carrying target:64512:10000 is imported into this VRF. */
/* NOTE(review): the accompanying notes mark the VRF and RT as a TODO - confirm the value matches only the networks that should be reachable from the public side. */
vrf-target target:64512:10000;
vrf-table-label;
routing-options {
static {
/* Default route of the VRF leaves via 155.56.44.30 on the ge-0/0/2 subnet. */
route 0.0.0.0/0 next-hop 155.56.44.30;
/* Discard routes; 172.16.172.32/27 is the ge-0/0/3 subnet. */
/* NOTE(review): presumably aggregates for the floating ranges - 192.1.0.0/16 is not private address space, so confirm it is a placeholder. */
route 172.16.172.32/27 discard;
route 192.1.0.0/16 discard;
}
router-id 10.0.1.252;
autonomous-system 64512;
/* auto-export shares routes between local routing tables according to their route-target policies. */
auto-export {
family inet {
unicast;
}
family inet6 {
unicast;
}
}
}
}
}