epcim
7/16/2018 - 2:35 PM
juniper contrail opencontrail vsrx openstack vmx
juniper contrail opencontrail vsrx openstack vmx
version 15.1X49-D70.3;
system {
host-name vSRX-pri;
domain-name lab.cloud.corp;
domain-search lab.cloud.corp;
backup-router 10.68.235.30;
time-zone Europe/Berlin;
root-authentication {
encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
}
name-server {
10.17.122.10;
10.17.121.30;
}
login {
user netconf {
uid 2000;
class super-user;
}
}
services {
ssh;
netconf {
ssh;
traceoptions {
file nc;
}
}
web-management {
http {
interface fxp0.0;
}
}
}
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
server 10.17.122.25;
server 10.4.12.100;
}
}
security {
forwarding-options {
family {
mpls {
mode packet-based;
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
inactive: policies {
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
tcp-rst;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone untrust {
screen untrust-screen;
}
}
}
interfaces {
ge-0/0/0 {
mtu 9192;
unit 0 {
family inet {
address 10.0.1.252/24;
}
family mpls;
}
}
ge-0/0/1 {
mtu 9192;
unit 0 {
family inet {
address 10.0.2.252/24 {
vrrp-group 2 {
virtual-address 10.0.2.254;
priority 254;
accept-data;
authentication-type md5;
authentication-key "$xxxxxxxxxxxxxxxxx"; ## SECRET-DATA
track {
interface ge-0/0/0 {
priority-cost 200;
}
}
}
}
}
family mpls;
}
}
ge-0/0/2 {
mtu 9192;
unit 0 {
family inet {
address 155.56.44.28/27;
}
}
}
ge-0/0/3 {
unit 0 {
family inet {
address 172.16.172.36/27;
}
}
}
fxp0 {
unit 0 {
family inet {
address 10.68.235.252/24;
}
}
}
lo0 {
unit 1 {
family inet {
address 10.100.100.100/32;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 10.68.235.30;
route 10.0.1.0/24 next-table mcp-public.inet.0;
route 10.0.2.0/24 next-table mcp-public.inet.0;
}
router-id 10.0.1.252;
route-distinguisher-id 10.0.1.252;
autonomous-system 64512;
dynamic-tunnels {
mcp_dynamic_overlay_tunnels {
source-address 10.0.1.252;
gre;
destination-networks {
10.0.1.21/32;
10.0.1.22/32;
10.0.1.23/32;
10.0.2.0/24;
}
}
}
}
protocols {
mpls {
interface all;
}
bgp {
group contrail_mcp_control {
type internal;
local-address 10.0.1.252;
keep all;
mtu-discovery;
family inet-vpn {
unicast;
}
family inet6-vpn {
unicast;
}
family evpn {
signaling;
}
family route-target;
peer-as 64512;
neighbor 10.0.1.21;
neighbor 10.0.1.22;
neighbor 10.0.1.23;
}
}
}
routing-instances {
mcp-public {
instance-type vrf;
interface ge-0/0/2.0;
interface lo0.1;
vrf-target target:64512:10000;
vrf-table-label;
routing-options {
static {
route 0.0.0.0/0 next-hop 155.56.44.30;
route 172.16.172.32/27 discard;
route 192.1.0.0/16 discard;
}
router-id 10.0.1.252;
autonomous-system 64512;
auto-export {
family inet {
unicast;
}
family inet6 {
unicast;
}
}
}
}
}Doc
- https://www.juniper.net/documentation/en_US/vsrx/information-products/pathway-pages/security-vsrx-contrail-guide-pwp.html
- http://www.opencontrail.org/how-to-setup-opencontrail-gateway-juniper-mx-cisco-asr-and-software-gw/
Tasks
licences
Purchase/get licences from: https://www.juniper.net/support/downloads/?p=vsrx
adjust VRF and RT
TODO, adjust VRF and RT, based on the Floating ranges and public network configuration
add contrail controllers as bgp peers
TODO, add contrail controllers as bgp peers - section contrail_mcp_control