juniper contrail opencontrail vsrx openstack vmx
# Junos release string recorded with this configuration.
version 15.1X49-D70.3;
# System-level settings: identity, DNS, local accounts, management services,
# logging, licensing and time sync for the vSRX named vSRX-pri.
system {
host-name vSRX-pri;
domain-name lab.cloud.corp;
domain-search lab.cloud.corp;
# Same address as the main-table default route next hop in routing-options.
backup-router 10.68.235.30;
time-zone Europe/Berlin;
root-authentication {
# Value is redacted on this page; a real config carries a password hash here.
encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
}
name-server {
10.17.122.10;
10.17.121.30;
}
login {
# Automation account with full super-user rights.
# NOTE(review): no authentication statement (password or SSH public key) is
# shown for this user - confirm how it authenticates, and whether a narrower
# login class would be enough for the NETCONF client.
user netconf {
uid 2000;
class super-user;
}
}
services {
# SSH is enabled with no options, so release defaults apply.
# NOTE(review): nothing here restricts root login or limits connection
# rate/count - confirm the defaults are acceptable for this network.
ssh;
# NETCONF over SSH, with session tracing written to the file "nc".
netconf {
ssh;
traceoptions {
file nc;
}
}
# J-Web is served over plain HTTP, bound to the fxp0.0 management interface.
# NOTE(review): logins over HTTP cross the management network unencrypted;
# the https stanza is the encrypted alternative if J-Web is needed at all.
web-management {
http {
interface fxp0.0;
}
}
}
# Logging: emergencies go to every logged-in user, everything goes to
# "messages", and CLI commands go to "interactive-commands".
# NOTE(review): no remote "host" target is configured in this listing, so
# logs exist only on the device - a remote collector keeps an audit trail
# that survives loss or compromise of the box.
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
# License keys are refreshed automatically from the Juniper URL below.
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
# Two NTP servers; no NTP authentication keys appear in this listing.
ntp {
server 10.17.122.25;
server 10.4.12.100;
}
}
# Security services: forwarding mode, screen (IDS) options, policies and zones.
security {
# MPLS traffic is handled packet-by-packet rather than by the flow engine.
# NOTE(review): on SRX-family devices, enabling packet-based MPLS is commonly
# understood to take stateful flow processing out of the path - confirm on this
# release whether the screens, zones and policies below are enforced at all.
forwarding-options {
family {
mpls {
mode packet-based;
}
}
}
# Screen profile "untrust-screen": ping-of-death, IP source-route option,
# teardrop, SYN-flood thresholds and land-attack checks.
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
# The "inactive:" prefix deactivates the whole policies hierarchy, so neither
# rule below is in effect.
# NOTE(review): if reactivated as written, both rules permit any source, any
# destination and any application, with no logging action.
inactive: policies {
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
# Trust zone: ge-0/0/0.0 and ge-0/0/1.0. "system-services all" makes every
# enabled system service (SSH, NETCONF, J-Web, ...) reachable on both.
# NOTE(review): list only the services that are needed; no host-inbound
# "protocols" entries are listed although BGP and VRRP run on these interfaces.
security-zone trust {
tcp-rst;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
# Untrust zone references the screen profile but lists no interfaces, so as
# shown the screen is attached to nothing; ge-0/0/2, ge-0/0/3, fxp0 and lo0.1
# are not assigned to any zone in this listing.
security-zone untrust {
screen untrust-screen;
}
}
}
# Interface addressing. ge-0/0/0 and ge-0/0/1 carry MPLS toward the overlay,
# ge-0/0/2 is the VRF uplink, fxp0 is management.
interfaces {
# 10.0.1.252 is also the BGP local-address, router-id and GRE tunnel source
# used elsewhere in this configuration.
ge-0/0/0 {
mtu 9192;
unit 0 {
family inet {
address 10.0.1.252/24;
}
family mpls;
}
}
ge-0/0/1 {
mtu 9192;
unit 0 {
family inet {
address 10.0.2.252/24 {
# VRRP group 2 with virtual address 10.0.2.254. Priority 254 drops by 200
# (to 54) when tracked interface ge-0/0/0 goes down.
# accept-data lets the device accept traffic addressed to the virtual address.
# NOTE(review): together with "system-services all" on ge-0/0/1.0, this
# presumably makes management services reachable via the virtual address too.
vrrp-group 2 {
virtual-address 10.0.2.254;
priority 254;
accept-data;
# md5 rather than simple (cleartext) VRRP authentication; key redacted here.
# NOTE(review): if the real value is a $9$-format string it is reversible
# obfuscation, not a hash - keep it out of shared copies of the config.
authentication-type md5;
authentication-key "$xxxxxxxxxxxxxxxxx"; ## SECRET-DATA
track {
interface ge-0/0/0 {
priority-cost 200;
}
}
}
}
}
family mpls;
}
}
# Non-RFC 1918 address; ge-0/0/2.0 is placed in the mcp-public VRF.
ge-0/0/2 {
mtu 9192;
unit 0 {
family inet {
address 155.56.44.28/27;
}
}
}
# NOTE(review): ge-0/0/3 is not referenced by any zone or routing instance in
# this listing, while mcp-public holds a discard route for its subnet
# (172.16.172.32/27) - confirm the intended role.
ge-0/0/3 {
unit 0 {
family inet {
address 172.16.172.36/27;
}
}
}
# Management interface; J-Web (HTTP) is bound to fxp0.0 under system services.
fxp0 {
unit 0 {
family inet {
address 10.68.235.252/24;
}
}
}
# lo0.1 is placed in the mcp-public VRF.
lo0 {
unit 1 {
family inet {
address 10.100.100.100/32;
}
}
}
}
# Main-instance routing: static routes, BGP identity and dynamic GRE tunnels.
routing-options {
static {
# Default route points at 10.68.235.30, which is on the fxp0 management subnet.
route 0.0.0.0/0 next-hop 10.68.235.30;
# Lookups for these two prefixes are handed to the mcp-public VRF table.
route 10.0.1.0/24 next-table mcp-public.inet.0;
route 10.0.2.0/24 next-table mcp-public.inet.0;
}
router-id 10.0.1.252;
route-distinguisher-id 10.0.1.252;
# 64512 is in the private-use AS range; it is also the BGP peer-as.
autonomous-system 64512;
# GRE tunnels are created on demand from 10.0.1.252 toward the listed
# destinations (three /32 hosts and 10.0.2.0/24).
# NOTE(review): GRE adds no encryption or peer authentication, so overlay
# traffic relies on the isolation of the 10.0.1.0/24 and 10.0.2.0/24 underlay.
dynamic-tunnels {
mcp_dynamic_overlay_tunnels {
source-address 10.0.1.252;
gre;
destination-networks {
10.0.1.21/32;
10.0.1.22/32;
10.0.1.23/32;
10.0.2.0/24;
}
}
}
}
# Control-plane protocols: MPLS and the iBGP sessions in group contrail_mcp_control.
protocols {
# NOTE(review): "interface all" is broader than the two interfaces that carry
# "family mpls" (ge-0/0/0, ge-0/0/1); naming them makes the intent explicit.
mpls {
interface all;
}
bgp {
# Internal BGP (peer-as equals the local AS 64512), sourced from 10.0.1.252,
# carrying L3VPN (inet-vpn, inet6-vpn), EVPN and route-target families.
# "keep all" retains every route learned from these peers.
# NOTE(review): no authentication-key or key-chain is configured, so the three
# sessions are unauthenticated - confirm what the peers support and enable it,
# since these sessions decide which routes enter the VRF.
group contrail_mcp_control {
type internal;
local-address 10.0.1.252;
keep all;
mtu-discovery;
family inet-vpn {
unicast;
}
family inet6-vpn {
unicast;
}
family evpn {
signaling;
}
family route-target;
peer-as 64512;
neighbor 10.0.1.21;
neighbor 10.0.1.22;
neighbor 10.0.1.23;
}
}
}
# VRF "mcp-public": holds the ge-0/0/2.0 uplink and lo0.1, and exchanges routes
# with BGP peers under route target target:64512:10000.
routing-instances {
mcp-public {
instance-type vrf;
interface ge-0/0/2.0;
interface lo0.1;
# One target is used for both import and export: any route a peer tags with
# target:64512:10000 is imported into this table, which has the uplink default.
vrf-target target:64512:10000;
vrf-table-label;
routing-options {
static {
# VRF default route via 155.56.44.30 on the ge-0/0/2 subnet.
route 0.0.0.0/0 next-hop 155.56.44.30;
# Discard routes; 172.16.172.32/27 is the subnet configured on ge-0/0/3.
# NOTE(review): 192.1.0.0/16 is publicly routable space, not 192.168.0.0/16 -
# confirm it is the intended prefix when the floating ranges are finalised.
route 172.16.172.32/27 discard;
route 192.1.0.0/16 discard;
}
router-id 10.0.1.252;
autonomous-system 64512;
auto-export {
family inet {
unicast;
}
family inet6 {
unicast;
}
}
}
}
}
Purchase/get licences from: https://www.juniper.net/support/downloads/?p=vsrx
TODO: adjust the VRF and route target (RT) to match the floating IP ranges and the public network configuration.
TODO: add the Contrail controllers as BGP peers in the contrail_mcp_control group.