Difference between revisions of "Juniper Collapsed Spine with EVPN"
Line 480: | Line 480: | ||
On EVE-NG ge-0/0/1 is ge-0/0/0 in the vSRX and ge-0/0/2 is ge-0/0/1 and so on. If you connect on EVE-NG for example ge-0/0/5 when you login to the vSRX the interface that needs to be setup will be ge-0/0/4. | On EVE-NG ge-0/0/1 is ge-0/0/0 in the vSRX and ge-0/0/2 is ge-0/0/1 and so on. If you connect on EVE-NG for example ge-0/0/5 when you login to the vSRX the interface that needs to be setup will be ge-0/0/4. | ||
+ | |||
+ | ===Configure the vSRX's to form a cluster=== | ||
==Verification/Testing== | ==Verification/Testing== |
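Review bot: the new heading "===Configure the vSRX's to form a cluster===" is added with no body. The next line is already "==Verification/Testing==", so the section is empty as of this revision. Add the clustering steps under the heading or hold it back until they exist, and write the plural as "vSRXs" rather than "vSRX's".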
Revision as of 00:44, 19 October 2023
Goal
In this tutorial, we will set up a collapsed-spine EVPN/VXLAN fabric with multihoming. We will use two SRXs in cluster mode to route traffic between the two tenants that we will configure. We will use BGP for both the underlay and the overlay.
Prerequisites
For this tutorial we will be using:
- EVE-NG 2.0.3-112
- VQFX model: vqfx-10000 running JUNOS 19.4R1.10 for spines and leaves
- VSRX 3.0
- Debian VM servers
Diagram
Setup and configuration
Devices | Role | lo.0 IP | VLAN | IP address | ae0 IP | ae0 interfaces | ae1 interfaces | ae2 interfaces | ae5 interfaces | ae6 interfaces | mgmt | local-as underlay | local-as overlay
cc1 | core switch1 | 10.179.1.1/32 | - | - | 172.16.3.1/30 | xe-0/0[10-11] | xe-0/0/0 | xe-0/0/1 | xe-0/0/9 | xe-0/0/8 | 10.193.0.105/24 | 65012 | 65100
cc2 | core switch2 | 10.179.1.2/32 | - | - | 172.16.3.2/30 | xe-0/0[10-11] | xe-0/0/0 | xe-0/0/1 | xe-0/0/9 | xe-0/0/8 | 10.193.0.106/24 | 65013 | 65100
sw1 | switch 1 | - | - | - | - | - | xe-0/0[0-1] | - | - | - | 10.193.0.107/24 | - | -
sw2 | switch 2 | - | - | - | - | - | xe-0/0[0-1] | - | - | - | 10.193.0.108/24 | - | -
srx | Firewall | - | - | - | - | - | - | - | - | - | - | - | -
srv1 | Server1 | - | private1-a-dfw | 10.192.144.100/22 | - | - | - | - | - | - | - | - | -
srv2 | Server2 | - | private1-b-dfw | 10.192.160.100/22 | - | - | - | - | - | - | - | - | -
srv3 | Server3 | - | private1-d-dfw | 10.192.192.100/22 | - | - | - | - | - | - | - | - | -
srv4 | Server4 | - | private1-c-dfw | 10.192.176.100/22 | - | - | - | - | - | - | - | - | -
srv5 | Server5 | - | private1-a-dfw | 10.192.144.200/22 | - | - | - | - | - | - | - | - | -
srv6 | Server6 | - | private1-b-dfw | 10.192.160.200/22 | - | - | - | - | - | - | - | - | -
srv7 | Server7 | - | private1-c-dfw | 10.192.176.200/22 | - | - | - | - | - | - | - | - | -
srv8 | Server8 | - | private1-d-dfw | 10.192.192.200/22 | - | - | - | - | - | - | - | - | -
core switch 1 configuration
set system host-name sswecc1-dfw
set system root-authentication encrypted-password "$5$bSgF2gnxBS/rA$sYP/f1pWJhl5d1VN0hHzjxd0jZhmnwGLCiwVm3hE8Z."
set system login user homer uid 2002
set system login user homer class super-user
set system login user homer authentication ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4xpjWJoQhCf176i77ni9//mcYO3bBWu7necWZwJNVkFsvvT6XuWfkKVMUFnTjTMr1erv8WRDze7le9Jl2a/xMIgo9Cf71SU9faPbd /ukvaLl5VUeGvHKFg9d+7GUGx1z9K1qKY2VOBO5EQCht8+4o4mMaizoXoxHvkNolswAa5Jv/EPwnfCeDyV7TsG+Se1k7 /1h1VFOwW7Dbxno1aCnMDYbcfiBnzGnLSZQGjehok6cqYTjsNIIdAiZYSpH77pnAGglFhxNUSlqj0qRIJZdG3nhPlvIRPjn7fouq3BJEmiWPP8ru67H1J2mdSkix4xOxdUWfGB9eJlENfnobJjBr pp@U18"
set system login user ppaul uid 2003
set system login user ppaul class super-user
set system login user ppaul authentication ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDST4EbXJc9l/AdrVmOZEPl3sxi6qjGIZyPwkupthSdooFHxPxUIh/a5PC9bMk5go6KvRoChpc4L8XuMRsxLTd6Ro6DsWIZieGHFuO /AL9SRUtmevGiSC2q4ibR7ACosJBUvKPRVK8anYnMSL9YWd7lnmVLnW5mvOM3Alhd8aTNKE3/H9ogDt9UfndEJXmieMTLJzGvx65sw6riqa5hh6iOcw02qb3QQCKLSRJmUJQuToY4oo/ZdLl/prEDKQ0I9DSnOxRYIvZxvUsTzwoXVq9X9dWGkKAAMDw7f2DJfa/4uCNT2dKPydApeN0ea2/69VRL3fmTz47y0CC1RTEd8j1j U18pc "
set chassis aggregated-devices ethernet device-count 10
set interfaces xe-0/0/0 description Link_leaf1-xe-0/0/0
set interfaces xe-0/0/0 gigether-options 802.3ad ae1
set interfaces xe-0/0/1 description link_leaf2_xe-0/0/0
set interfaces xe-0/0/1 gigether-options 802.3ad ae2
set interfaces xe-0/0/8 description vsrx_node1_ge-7/0/4
set interfaces xe-0/0/8 gigether-options 802.3ad ae6
set interfaces xe-0/0/9 description vsrx_node0_ge-0/0/4
set interfaces xe-0/0/9 gigether-options 802.3ad ae5
set interfaces xe-0/0/10 gigether-options 802.3ad ae0
set interfaces xe-0/0/11 gigether-options 802.3ad ae0
set interfaces ae0 description link_spine2
set interfaces ae0 mtu 9216
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic fast
set interfaces ae0 unit 0 family inet address 172.16.3.1/30
set interfaces ae1 description sw1_ae1
set interfaces ae1 mtu 9192
set interfaces ae1 esi 00:00:00:ab:cd:00:01:00:00:03
set interfaces ae1 esi all-active
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic fast
set interfaces ae1 aggregated-ether-options lacp system-id 00:11:00:00:00:01
set interfaces ae1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae1 unit 0 family ethernet-switching vlan members private1-a-dfw
set interfaces ae1 unit 0 family ethernet-switching vlan members private1-b-dfw
set interfaces ae1 unit 0 family ethernet-switching vlan members private1-c-dfw
set interfaces ae1 unit 0 family ethernet-switching vlan members private1-d-dfw
set interfaces ae2 description sw2_ae1
set interfaces ae2 mtu 9216
set interfaces ae2 esi 00:00:00:ab:cd:00:01:00:00:04
set interfaces ae2 esi all-active
set interfaces ae2 aggregated-ether-options lacp active
set interfaces ae2 aggregated-ether-options lacp periodic fast
set interfaces ae2 aggregated-ether-options lacp system-id 00:22:00:00:00:02
set interfaces ae2 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae2 unit 0 family ethernet-switching vlan members private1-a-dfw
set interfaces ae2 unit 0 family ethernet-switching vlan members private1-b-dfw
set interfaces ae2 unit 0 family ethernet-switching vlan members private1-c-dfw
set interfaces ae2 unit 0 family ethernet-switching vlan members private1-d-dfw
set interfaces ae5 description "to SRX cluster node0"
set interfaces ae5 mtu 9216
set interfaces ae5 esi 00:00:00:00:00:00:00:00:01:11
set interfaces ae5 esi all-active
set interfaces ae5 aggregated-ether-options lacp active
set interfaces ae5 aggregated-ether-options lacp periodic fast
set interfaces ae5 aggregated-ether-options lacp system-id 00:00:00:00:01:11
set interfaces ae5 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae5 unit 0 family ethernet-switching vlan members VLAN_42
set interfaces ae5 unit 0 family ethernet-switching vlan members VLAN_46
set interfaces ae6 description "to SRx Cluster"
set interfaces ae6 mtu 9216
set interfaces ae6 esi 00:00:00:00:00:00:00:00:01:12
set interfaces ae6 esi all-active
set interfaces ae6 aggregated-ether-options lacp active
set interfaces ae6 aggregated-ether-options lacp periodic fast
set interfaces ae6 aggregated-ether-options lacp system-id 00:00:00:00:01:12
set interfaces ae6 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae6 unit 0 family ethernet-switching vlan members VLAN_42
set interfaces ae6 unit 0 family ethernet-switching vlan members VLAN_46
set interfaces em0 unit 0 family inet address 10.193.0.105/24
set interfaces irb unit 20 virtual-gateway-accept-data
set interfaces irb unit 20 description "l3 interface for vlan private1-a-dfw"
set interfaces irb unit 20 family inet address 10.192.144.3/22 preferred
set interfaces irb unit 20 family inet address 10.192.144.3/22 virtual-gateway-address 10.192.144.1
set interfaces irb unit 30 virtual-gateway-accept-data
set interfaces irb unit 30 description "l3 interface for vlan private1-b-dfw"
set interfaces irb unit 30 family inet address 10.192.160.3/22 preferred
set interfaces irb unit 30 family inet address 10.192.160.3/22 virtual-gateway-address 10.192.160.1
set interfaces irb unit 40 virtual-gateway-accept-data
set interfaces irb unit 40 description "l3 inteface for vlan private1-c-dfw"
set interfaces irb unit 40 family inet address 10.192.176.3/22 preferred
set interfaces irb unit 40 family inet address 10.192.176.3/22 virtual-gateway-address 10.192.176.1
set interfaces irb unit 42 description "Tenant1 SRX Interconnect"
set interfaces irb unit 42 family inet address 172.16.4.2/29
set interfaces irb unit 46 description "Tenant2 SRx Interconnect"
set interfaces irb unit 46 family inet address 172.16.5.2/29
set interfaces irb unit 50 virtual-gateway-accept-data
set interfaces irb unit 50 description "l3 interface for vlan private1-d-dfw"
set interfaces irb unit 50 family inet address 10.192.192.3/22 preferred
set interfaces irb unit 50 family inet address 10.192.192.3/22 virtual-gateway-address 10.192.192.1
set interfaces lo0 unit 0 family inet address 10.179.1.1/32
set interfaces lo0 unit 5 family inet address 10.179.1.3/32
set interfaces lo0 unit 6 family inet address 10.179.1.5/32
set forwarding-options vxlan-routing next-hop 32768
set forwarding-options vxlan-routing overlay-ecmp
set policy-options policy-statement ECMP-POLICY then load-balance per-packet
set policy-options policy-statement Interconnect_Tenant1_Export term Tenant_Routes from route-filter 10.192.128.0/17 orlonger
set policy-options policy-statement Interconnect_Tenant1_Export term Tenant_Routes from route-filter 10.179.0.0/16 orlonger
set policy-options policy-statement Interconnect_Tenant1_Export term Tenant_Routes then accept
set policy-options policy-statement Interconnect_Tenant1_Export term DEFAULT then reject
set policy-options policy-statement Interconnect_Tenant1_Import term Tenant_Routes from route-filter 10.179.0.0/16 orlonger
set policy-options policy-statement Interconnect_Tenant1_Import term Tenant_Routes from route-filter 10.192.128.0/17 orlonger
set policy-options policy-statement Interconnect_Tenant1_Import term Tenant_Routes then accept
set policy-options policy-statement Interconnect_Tenant1_Import term DEFAULT then reject
set policy-options policy-statement Interconnect_Tenant2_Export term Tenant_Routes from route-filter 10.192.128.0/17 orlonger
set policy-options policy-statement Interconnect_Tenant2_Export term Tenant_Routes from route-filter 10.179.0.0/16 orlonger
set policy-options policy-statement Interconnect_Tenant2_Export term Tenant_Routes then accept
set policy-options policy-statement Interconnect_Tenant2_Export term DEFAULT then reject
set policy-options policy-statement Interconnect_Tenant2_Import term Tenant_Routes from route-filter 10.179.0.0/16 orlonger
set policy-options policy-statement Interconnect_Tenant2_Import term Tenant_Routes from route-filter 10.192.128.0/17 orlonger
set policy-options policy-statement Interconnect_Tenant2_Import term Tenant_Routes then accept
set policy-options policy-statement Interconnect_Tenant2_Import term DEFAULT then reject
set policy-options policy-statement T5_EXPORT term 1 from protocol direct
set policy-options policy-statement T5_EXPORT term 1 then accept
set policy-options policy-statement T5_EXPORT term 2 from protocol bgp
set policy-options policy-statement T5_EXPORT term 2 then accept
set policy-options policy-statement UNDERLAY-EXPORT term LOOPBACK from route-filter 10.179.1.0/24 orlonger
set policy-options policy-statement UNDERLAY-EXPORT term LOOPBACK then accept
set policy-options policy-statement UNDERLAY-EXPORT term DEFAULT then reject
set policy-options policy-statement UNDERLAY-IMPORT term LOOPBACK from route-filter 10.179.1.0/24 orlonger
set policy-options policy-statement UNDERLAY-IMPORT term LOOPBACK then accept
set policy-options policy-statement UNDERLAY-IMPORT term DEFAULT then reject
set routing-instances Tennat1 routing-options multipath
set routing-instances Tennat1 protocols evpn ip-prefix-routes advertise direct-nexthop
set routing-instances Tennat1 protocols evpn ip-prefix-routes encapsulation vxlan
set routing-instances Tennat1 protocols evpn ip-prefix-routes vni 1101
set routing-instances Tennat1 protocols evpn ip-prefix-routes export T5_EXPORT
set routing-instances Tennat1 protocols bgp group INTERCONNECT type external
set routing-instances Tennat1 protocols bgp group INTERCONNECT import Interconnect_Tenant1_Import
set routing-instances Tennat1 protocols bgp group INTERCONNECT family inet unicast
set routing-instances Tennat1 protocols bgp group INTERCONNECT authentication-key "$9$JNZi.Pfz6CuTzlMX-2gTz3n/tuO1"
set routing-instances Tennat1 protocols bgp group INTERCONNECT export Interconnect_Tenant1_Export
set routing-instances Tennat1 protocols bgp group INTERCONNECT local-as 65112
set routing-instances Tennat1 protocols bgp group INTERCONNECT multipath multiple-as
set routing-instances Tennat1 protocols bgp group INTERCONNECT bfd-liveness-detection minimum-interval 1000
set routing-instances Tennat1 protocols bgp group INTERCONNECT bfd-liveness-detection multiplier 3
set routing-instances Tennat1 protocols bgp group INTERCONNECT neighbor 172.16.4.1 peer-as 65200
set routing-instances Tennat1 instance-type vrf
set routing-instances Tennat1 interface irb.20
set routing-instances Tennat1 interface irb.30
set routing-instances Tennat1 interface irb.42
set routing-instances Tennat1 interface lo0.5
set routing-instances Tennat1 route-distinguisher 10.179.1.3:1101
set routing-instances Tennat1 vrf-target target:64701:20
set routing-instances Tennat1 vrf-table-label
set routing-instances Tennat2 routing-options multipath
set routing-instances Tennat2 protocols evpn ip-prefix-routes advertise direct-nexthop
set routing-instances Tennat2 protocols evpn ip-prefix-routes encapsulation vxlan
set routing-instances Tennat2 protocols evpn ip-prefix-routes vni 1102
set routing-instances Tennat2 protocols evpn ip-prefix-routes export T5_EXPORT
set routing-instances Tennat2 protocols bgp group INTERCONNECT type external
set routing-instances Tennat2 protocols bgp group INTERCONNECT import Interconnect_Tenant2_Import
set routing-instances Tennat2 protocols bgp group INTERCONNECT family inet unicast
set routing-instances Tennat2 protocols bgp group INTERCONNECT authentication-key "$9$JNZi.Pfz6CuTzlMX-2gTz3n/tuO1"
set routing-instances Tennat2 protocols bgp group INTERCONNECT export Interconnect_Tenant2_Export
set routing-instances Tennat2 protocols bgp group INTERCONNECT local-as 65112
set routing-instances Tennat2 protocols bgp group INTERCONNECT multipath multiple-as
set routing-instances Tennat2 protocols bgp group INTERCONNECT bfd-liveness-detection minimum-interval 1000
set routing-instances Tennat2 protocols bgp group INTERCONNECT bfd-liveness-detection multiplier 3
set routing-instances Tennat2 protocols bgp group INTERCONNECT neighbor 172.16.5.1 peer-as 65200
set routing-instances Tennat2 instance-type vrf
set routing-instances Tennat2 interface irb.40
set routing-instances Tennat2 interface irb.46
set routing-instances Tennat2 interface irb.50
set routing-instances Tennat2 interface lo0.6
set routing-instances Tennat2 route-distinguisher 10.179.1.5:1102
set routing-instances Tennat2 vrf-target target:64701:4050
set routing-instances Tennat2 vrf-table-label
set routing-options static route 0.0.0.0/0 next-hop 10.193.0.1
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options forwarding-table export ECMP-POLICY
set routing-options forwarding-table ecmp-fast-reroute
set routing-options forwarding-table chained-composite-next-hop ingress evpn
set routing-options router-id 10.179.1.1
set routing-options graceful-restart
set protocols evpn encapsulation vxlan
set protocols evpn default-gateway do-not-advertise
set protocols evpn extended-vni-list 5020
set protocols evpn extended-vni-list 5030
set protocols evpn extended-vni-list 5040
set protocols evpn extended-vni-list 5042
set protocols evpn extended-vni-list 5046
set protocols evpn extended-vni-list 5050
set protocols evpn no-core-isolation
set protocols bgp group RR-OVERLAY type internal
set protocols bgp group RR-OVERLAY local-address 10.179.1.1
set protocols bgp group RR-OVERLAY family evpn signaling
set protocols bgp group RR-OVERLAY local-as 65100
set protocols bgp group RR-OVERLAY multipath
set protocols bgp group RR-OVERLAY bfd-liveness-detection minimum-interval 1000
set protocols bgp group RR-OVERLAY bfd-liveness-detection multiplier 3
set protocols bgp group RR-OVERLAY neighbor 10.179.1.2
set protocols bgp group RR-OVERLAY vpn-apply-export
set protocols bgp group UNDERLAY type external
set protocols bgp group UNDERLAY import UNDERLAY-IMPORT
set protocols bgp group UNDERLAY family inet unicast
set protocols bgp group UNDERLAY authentication-key "$9$5TnCtpBESe0BVYoGq.0BIRhrevW"
set protocols bgp group UNDERLAY export UNDERLAY-EXPORT
set protocols bgp group UNDERLAY local-as 65012
set protocols bgp group UNDERLAY multipath multiple-as
set protocols bgp group UNDERLAY neighbor 172.16.3.2 peer-as 65013
set protocols bgp graceful-restart restart-time 30
set protocols l2-learning global-mac-table-aging-time 600
set protocols l2-learning global-mac-ip-table-aging-time 300
set switch-options vtep-source-interface lo0.0
set switch-options route-distinguisher 10.179.1.1:64701
set switch-options vrf-target target:64701:9999
set switch-options vrf-target auto
set vlans VLAN_42 vlan-id 42
set vlans VLAN_42 l3-interface irb.42
set vlans VLAN_42 vxlan vni 5042
set vlans VLAN_46 vlan-id 46
set vlans VLAN_46 l3-interface irb.46
set vlans VLAN_46 vxlan vni 5046
set vlans private1-a-dfw vlan-id 20
set vlans private1-a-dfw l3-interface irb.20
set vlans private1-a-dfw vxlan vni 5020
set vlans private1-b-dfw vlan-id 30
set vlans private1-b-dfw l3-interface irb.30
set vlans private1-b-dfw vxlan vni 5030
set vlans private1-c-dfw vlan-id 40
set vlans private1-c-dfw l3-interface irb.40
set vlans private1-c-dfw vxlan vni 5040
set vlans private1-d-dfw description Admin
set vlans private1-d-dfw vlan-id 50
set vlans private1-d-dfw l3-interface irb.50
set vlans private1-d-dfw vxlan vni 5050
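A consistency check for the kind of configuration shown above, as an added example that is not part of the original page: it parses set-style lines and reports IRBs that are not bound to any routing instance (they would sit in the default table instead of a tenant VRF), VNIs missing from `extended-vni-list`, and external BGP groups without an `authentication-key` or `import` policy. The `audit` helper is hypothetical, and `SAMPLE` is a constructed excerpt with deliberate mistakes, not the tutorial's configuration.

```python
import re
from collections import defaultdict

# Constructed excerpt in the page's "set" style. VLAN_60/irb.60 and the
# unauthenticated Tennat2 group are deliberate mistakes added for this demo.
SAMPLE = """\
set routing-instances Tennat1 protocols bgp group INTERCONNECT type external
set routing-instances Tennat1 protocols bgp group INTERCONNECT import Interconnect_Tenant1_Import
set routing-instances Tennat1 protocols bgp group INTERCONNECT authentication-key "$9$placeholder"
set routing-instances Tennat1 interface irb.20
set routing-instances Tennat2 protocols bgp group INTERCONNECT type external
set routing-instances Tennat2 protocols bgp group INTERCONNECT import Interconnect_Tenant2_Import
set routing-instances Tennat2 interface irb.46
set protocols evpn extended-vni-list 5020
set protocols evpn extended-vni-list 5046
set vlans VLAN_46 l3-interface irb.46
set vlans VLAN_46 vxlan vni 5046
set vlans private1-a-dfw l3-interface irb.20
set vlans private1-a-dfw vxlan vni 5020
set vlans VLAN_60 l3-interface irb.60
set vlans VLAN_60 vxlan vni 5060
"""

BGP = re.compile(r"set (?:routing-instances (\S+) )?protocols bgp group (\S+) "
                 r"(type external|authentication-key|import)\b")

def audit(config):
    """Return sorted findings for a Junos set-style configuration."""
    in_vrf, vnis, vlan_irb, vlan_vni = set(), set(), {}, {}
    bgp = defaultdict(set)  # (instance, group) -> attributes seen
    for line in config.splitlines():
        if m := re.match(r"set routing-instances \S+ interface (irb\.\d+)$", line):
            in_vrf.add(m[1])
        elif m := re.match(r"set protocols evpn extended-vni-list (\d+)$", line):
            vnis.add(m[1])
        elif m := re.match(r"set vlans (\S+) l3-interface (irb\.\d+)$", line):
            vlan_irb[m[1]] = m[2]
        elif m := re.match(r"set vlans (\S+) vxlan vni (\d+)$", line):
            vlan_vni[m[1]] = m[2]
        elif m := BGP.match(line):
            bgp[(m[1] or "master", m[2])].add(m[3])
    out = [f"{v}: {i} is not in any routing instance" for v, i in vlan_irb.items() if i not in in_vrf]
    out += [f"{v}: vni {n} is not in extended-vni-list" for v, n in vlan_vni.items() if n not in vnis]
    for (inst, group), seen in bgp.items():
        if "type external" in seen:
            for attr in sorted({"authentication-key", "import"} - seen):
                out.append(f"{inst}/{group}: external group has no {attr}")
    return sorted(out)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```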
core switch 2 configuration
switch 1 configuration
switch 2 configuration
vSRX configuration
Interface mapping EVE-NG/vSRX
EVE-NG numbers the vSRX interfaces one higher than the vSRX itself: ge-0/0/1 in EVE-NG is ge-0/0/0 in the vSRX, ge-0/0/2 is ge-0/0/1, and so on. For example, if you connect ge-0/0/5 in EVE-NG, the interface to configure when you log in to the vSRX is ge-0/0/4.