Example: Configuring MPLS over GRE with IPsec Fragmentation and Reassembly
Virtual private network (VPN) traffic forwarded over 1500-byte media is blocked because of the protocol encapsulation overhead added by the Layer 2, MPLS, GRE, and IPsec headers.
This document provides a solution to fragment an IPsec-encapsulated packet and reassemble the fragmented packets.
This example shows how to configure selective packet services using a single routing instance (the default one) without using the lt interface.
You can perform IPsec-encapsulated packet fragmentation on the outgoing physical interface of the sending device and reassembly on the receiving device before IPsec decryption.
Reassembly of fragmented packets consumes significant device resources, so fragmented traffic is forwarded more slowly than nonfragmented traffic.
Requirements
This example uses the following hardware and software components:
Branch SRX Series Services Gateways
Junos OS Release 11.4 or later
Overview and Topology
This example includes the following configurations:
Configure interfaces for the appropriate protocol encapsulation with a required maximum transmission unit (MTU) value.
Apply a firewall filter on the ge-0/0/10.10 interface to set packet mode. Configure the outgoing interface ge-0/0/14.0 with an appropriate MTU value.
Set the largest MTU value to GRE and IPsec logical interfaces to avoid IPsec fragmentation at logical interfaces. GRE encapsulated traffic is tunneled inside IPsec.
Add the MPLS family to the GRE interface gr-0/0/0 and apply a firewall filter to enable packet mode. Create firewall filters to configure interfaces to work with packet mode.
Perform basic IPsec tunnel configuration on the device with the df-bit clear option added in IPsec VPN configuration to allow fragmentation of oversized IPsec packets on the outgoing interface ge-0/0/14.0.
Configure all noncustomer-facing interfaces, such as ge-0/0/14.0, gr-0/0/0.0, lo0.0, and st0.0, in a single security zone.
Configure a policy to permit all (intrazone) traffic.
Configure OSPF for lo0.0 address distribution and LDP for label distribution, and then configure IBGP with the inet-vpn and l2vpn families.
Configure two routing instances, one for the Layer 3 VPN and the other for the VPLS application.
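As an added example (not part of this Juniper page), the following Python works through the MTU budget behind the settings above: a full-size inner packet grows by the MPLS, GRE, and ESP overhead, stays below the 9000-byte gr-0/0/0 and 9178-byte st0.0 MTUs, and is fragmented only at the 1500-byte outgoing interface ge-0/0/14.0 once df-bit clear allows it; the receiving device must reassemble before decryption. The ESP sizes (AES-CBC with HMAC-SHA1-96), the basic GRE header, and the two MPLS labels are assumptions, not values stated on the page.

```python
# Added example, not from the Juniper page. Assumed header sizes: ESP with
# AES-CBC (16-byte IV and block) and HMAC-SHA1-96 (12-byte ICV), a basic
# 4-byte GRE header, and two MPLS labels (VPN label + transport label).
IPV4_HDR = 20
GRE_HDR = 4
MPLS_LABEL = 4
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
ESP_ICV = 12         # HMAC-SHA1-96 (assumed)
AES_BLOCK = 16       # AES-CBC IV and padding block (assumed)


def encapsulated_size(inner_ip_len, labels=2):
    """Bytes on the wire for one inner IP packet after MPLS + GRE + ESP tunnel mode.
    The GRE packet stays well under the 9000-byte gr-0/0/0 and 9178-byte st0.0
    MTUs from the configuration, so nothing is fragmented before encryption."""
    gre_pkt = IPV4_HDR + GRE_HDR + labels * MPLS_LABEL + inner_ip_len
    pad = (-(gre_pkt + ESP_TRAILER)) % AES_BLOCK      # pad to cipher block size
    return IPV4_HDR + ESP_HDR + AES_BLOCK + gre_pkt + pad + ESP_TRAILER + ESP_ICV


def fragment_ipv4(total_len, mtu=1500):
    """Split an IPv4 packet into (offset in 8-byte units, payload bytes, more-fragments)
    tuples, as ge-0/0/14.0 does once 'df-bit clear' has removed the DF bit."""
    payload = total_len - IPV4_HDR
    if total_len <= mtu:
        return [(0, payload, False)]
    chunk = (mtu - IPV4_HDR) // 8 * 8     # every non-final fragment is a multiple of 8
    frags, off = [], 0
    while off < payload:
        n = min(chunk, payload - off)
        frags.append((off // 8, n, off + n < payload))
        off += n
    return frags


def reassemble(frags):
    """Reassembled length on the receiving SRX (before IPsec decryption), or None if a
    fragment is missing; the receiver must buffer every piece, which is the cost noted above."""
    frags = sorted(frags)
    expect = 0
    for off, n, _more in frags:
        if off * 8 != expect:
            return None
        expect += n
    if not frags or frags[-1][2]:         # last fragment must have MF clear
        return None
    return IPV4_HDR + expect


if __name__ == "__main__":
    size = encapsulated_size(1500)        # a full-size customer packet -> 1592 bytes
    print(size, fragment_ipv4(size), reassemble(fragment_ipv4(size)))
```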
Figure 1 shows the topology used in this example.

Table 1 provides a summary of the parameters used in this topology.
Table 1: Components of the Topology

Components | Description
---|---
PE1 and PE2 | SRX Series Firewalls
ge-0/0/10.10 | Customer-facing LAN interface for the Layer 3 VPN instance (L3VPN-1)
ge-0/0/11.0 | Customer-facing LAN interface for the VPLS instance (VPLS_VPN-1)
ge-0/0/14.0 | Internet-facing outgoing interface (physical MTU 1514)
gr-0/0/0 | GRE tunnel, MPLS core facing interface
lo0 | Loopback interface (IBGP and LDP address)
st0.0 | Secure tunnel interface bound to the IPsec VPN ipsec-vpn-1
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
```
set interfaces ge-0/0/10.10 description "LAN Side"
set interfaces ge-0/0/10.10 vlan-tagging
set interfaces ge-0/0/10.10 mtu 9192
set interfaces ge-0/0/10.10 unit 10 description L3VPN-1
set interfaces ge-0/0/10.10 unit 10 vlan-id 10
set interfaces ge-0/0/10.10 unit 10 family inet filter input packet-mode-inet
set interfaces ge-0/0/10.10 unit 10 family inet address 192.168.0.1/24
set interfaces ge-0/0/11 description "LAN Side"
set interfaces ge-0/0/11 flexible-vlan-tagging
set interfaces ge-0/0/11 mtu 1522
set interfaces ge-0/0/11 encapsulation vlan-vpls
set interfaces ge-0/0/11 unit 0 description VPLS_VPN-1
set interfaces ge-0/0/11 unit 0 encapsulation vlan-vpls
set interfaces ge-0/0/11 unit 0 vlan-id 512
set interfaces ge-0/0/14 description Internet
set interfaces ge-0/0/14 mtu 1514
set interfaces ge-0/0/14 unit 0 family inet address 1.1.1.1/30
set interfaces gr-0/0/0 unit 0 description "MPLS core facing interface"
set interfaces gr-0/0/0 unit 0 tunnel source 172.16.0.1
set interfaces gr-0/0/0 unit 0 tunnel destination 172.16.0.2
set interfaces gr-0/0/0 unit 0 family inet mtu 9000
set interfaces gr-0/0/0 unit 0 family inet address 172.16.255.1/30
set interfaces gr-0/0/0 unit 0 family mpls mtu 9000
set interfaces gr-0/0/0 unit 0 family mpls filter input packet-mode
set interfaces lo0 unit 0 family inet address 10.255.255.1/32
set interfaces st0 unit 0 family inet mtu 9178 address 172.16.0.1/30
set firewall family inet filter packet-mode-inet term all-traffic then packet-mode
set firewall family inet filter packet-mode-inet term all-traffic then accept
set firewall family mpls filter packet-mode term all-traffic then packet-mode
set firewall family mpls filter packet-mode term all-traffic then accept
set security ike policy standard mode main
set security ike policy standard proposal-set standard
set security ike policy standard pre-shared-key ascii-text "$9$GOjkPFnCBIc5QIcylLXUjH"
set security ike gateway srx240-2 ike-policy standard
set security ike gateway srx240-2 address 1.1.1.2
set security ike gateway srx240-2 external-interface ge-0/0/14.0
set security ipsec policy standard proposal-set standard
set security ipsec vpn ipsec-vpn-1 bind-interface st0.0
set security ipsec vpn ipsec-vpn-1 df-bit clear
set security ipsec vpn ipsec-vpn-1 ike gateway srx240-2
set security ipsec vpn ipsec-vpn-1 ike ipsec-policy standard
set security ipsec vpn ipsec-vpn-1 establish-tunnels immediately
set security policies from-zone Internet to-zone Internet policy Internet match source-address any
set security policies from-zone Internet to-zone Internet policy Internet match destination-address any
set security policies from-zone Internet to-zone Internet policy Internet match application any
set security policies from-zone Internet to-zone Internet policy Internet then permit
set security zones security-zone Internet host-inbound-traffic system-services all
set security zones security-zone Internet host-inbound-traffic protocols all
set security zones security-zone Internet interfaces ge-0/0/14.0
set security zones security-zone Internet interfaces gr-0/0/0.0
set security zones security-zone Internet interfaces lo0.0
set security zones security-zone Internet interfaces st0.0
set protocols mpls interface gr-0/0/0.0
set protocols bgp tcp-mss 1200
set protocols bgp group IBGP type internal
set protocols bgp group IBGP local-address 10.255.255.1
set protocols bgp group IBGP local-as 65100
set protocols bgp group IBGP neighbor 10.255.255.2
set protocols bgp group IBGP neighbor 10.255.255.2 family inet any
set protocols bgp group IBGP neighbor 10.255.255.2 family inet-vpn any
set protocols bgp group IBGP neighbor 10.255.255.2 family l2vpn signaling
set protocols ospf traffic-engineering
set protocols ospf area 0.0.0.0 interface lo0.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface gr-0/0/0.0
set protocols ldp interface gr-0/0/0.0
set protocols ldp interface lo0.0
set routing-instances L3VPN-1 instance-type vrf
set routing-instances L3VPN-1 interface ge-0/0/10.10
set routing-instances L3VPN-1 route-distinguisher 10.255.255.1:1000
set routing-instances L3VPN-1 vrf-target target:65100:1000
set routing-instances L3VPN-1 vrf-target import target:65100:1000
set routing-instances L3VPN-1 vrf-target export target:65100:1000
set routing-instances L3VPN-1 vrf-table-label
set routing-instances L3VPN-1 routing-options auto-export
set routing-instances VPLS_VPN-1 instance-type vpls
set routing-instances VPLS_VPN-1 interface ge-0/0/11.0
set routing-instances VPLS_VPN-1 route-distinguisher 10.255.255.1:1001
set routing-instances VPLS_VPN-1 vrf-target target:65100:1001
set routing-instances VPLS_VPN-1 protocols vpls no-tunnel-services
set routing-instances VPLS_VPN-1 protocols vpls site 1 site-identifier 1
set routing-instances VPLS_VPN-1 protocols vpls site 1 interface ge-0/0/11.0
set routing-instances VPLS_VPN-1 protocols vpls mac-tlv-receive
set routing-instances VPLS_VPN-1 protocols vpls mac-tlv-send
```
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To fragment the MPLS frame and reassemble the packet:
- Configure the physical interfaces.

  ```
  [edit interfaces]
  user@host# set ge-0/0/10.10 description "LAN Side"
  user@host# set ge-0/0/10.10 vlan-tagging
  user@host# set ge-0/0/10.10 mtu 9192
  user@host# set ge-0/0/10.10 unit 10 description L3VPN-1
  user@host# set ge-0/0/10.10 unit 10 vlan-id 10
  user@host# set ge-0/0/10.10 unit 10 family inet filter input packet-mode-inet
  user@host# set ge-0/0/10.10 unit 10 family inet address 192.168.0.1/24
  user@host# set ge-0/0/11 description "LAN Side"
  user@host# set ge-0/0/11 flexible-vlan-tagging
  user@host# set ge-0/0/11 mtu 1522
  user@host# set ge-0/0/11 encapsulation vlan-vpls
  user@host# set ge-0/0/11 unit 0 description VPLS_VPN-1
  user@host# set ge-0/0/11 unit 0 encapsulation vlan-vpls
  user@host# set ge-0/0/11 unit 0 vlan-id 512
  user@host# set ge-0/0/14 description Internet
  user@host# set ge-0/0/14 mtu 1514
  user@host# set ge-0/0/14 unit 0 family inet address 1.1.1.1/30
  ```

- Configure the logical interfaces.

  ```
  [edit interfaces]
  user@host# set gr-0/0/0 unit 0 description "MPLS core facing interface"
  user@host# set gr-0/0/0 unit 0 tunnel source 172.16.0.1
  user@host# set gr-0/0/0 unit 0 tunnel destination 172.16.0.2
  user@host# set gr-0/0/0 unit 0 family inet mtu 9000
  user@host# set gr-0/0/0 unit 0 family inet address 172.16.255.1/30
  user@host# set gr-0/0/0 unit 0 family mpls mtu 9000
  user@host# set gr-0/0/0 unit 0 family mpls filter input packet-mode
  user@host# set lo0 unit 0 family inet address 10.255.255.1/32
  user@host# set st0 unit 0 family inet mtu 9178 address 172.16.0.1/30
  ```

- Configure the firewall filters that are used to configure interfaces to work with packet mode.

  ```
  [edit firewall]
  user@host# set family inet filter packet-mode-inet term all-traffic then packet-mode
  user@host# set family inet filter packet-mode-inet term all-traffic then accept
  user@host# set family mpls filter packet-mode term all-traffic then packet-mode
  user@host# set family mpls filter packet-mode term all-traffic then accept
  ```

- Configure the IKE and IPsec policies.

  ```
  [edit security]
  user@host# set ike policy standard mode main
  user@host# set ike policy standard proposal-set standard
  user@host# set ike policy standard pre-shared-key ascii-text "$9$GOjkPFnCBIc5QIcylLXUjH"
  user@host# set ike gateway srx240-2 ike-policy standard
  user@host# set ike gateway srx240-2 address 1.1.1.2
  user@host# set ike gateway srx240-2 external-interface ge-0/0/14.0
  user@host# set ipsec policy standard proposal-set standard
  user@host# set ipsec vpn ipsec-vpn-1 bind-interface st0.0
  user@host# set ipsec vpn ipsec-vpn-1 df-bit clear
  user@host# set ipsec vpn ipsec-vpn-1 ike gateway srx240-2
  user@host# set ipsec vpn ipsec-vpn-1 ike ipsec-policy standard
  user@host# set ipsec vpn ipsec-vpn-1 establish-tunnels immediately
  ```

- Configure all noncustomer-facing interfaces in a single security zone and a policy to permit all (intrazone) traffic.

  ```
  [edit security policies from-zone Internet to-zone Internet]
  user@host# set policy Internet match source-address any
  user@host# set policy Internet match destination-address any
  user@host# set policy Internet match application any
  user@host# set policy Internet then permit
  [edit security zones security-zone Internet]
  user@host# set host-inbound-traffic system-services all
  user@host# set host-inbound-traffic protocols all
  user@host# set interfaces ge-0/0/14.0
  user@host# set interfaces gr-0/0/0.0
  user@host# set interfaces lo0.0
  user@host# set interfaces st0.0
  ```

- Configure the OSPF protocol for lo0.0 address distribution, LDP for label distribution, and IBGP with the inet-vpn and l2vpn families.

  ```
  [edit protocols]
  user@host# set mpls interface gr-0/0/0.0
  user@host# set bgp tcp-mss 1200
  user@host# set bgp group IBGP type internal
  user@host# set bgp group IBGP local-address 10.255.255.1
  user@host# set bgp group IBGP local-as 65100
  user@host# set bgp group IBGP neighbor 10.255.255.2
  user@host# set bgp group IBGP neighbor 10.255.255.2 family inet any
  user@host# set bgp group IBGP neighbor 10.255.255.2 family inet-vpn any
  user@host# set bgp group IBGP neighbor 10.255.255.2 family l2vpn signaling
  user@host# set ospf traffic-engineering
  user@host# set ospf area 0.0.0.0 interface lo0.0
  user@host# set ospf area 0.0.0.0 interface lo0.0 passive
  user@host# set ospf area 0.0.0.0 interface gr-0/0/0.0
  user@host# set ldp interface gr-0/0/0.0
  user@host# set ldp interface lo0.0
  ```

- Configure two routing instances, one for the Layer 3 VPN and the other for the VPLS application.

  ```
  [edit routing-instances]
  user@host# set L3VPN-1 instance-type vrf
  user@host# set L3VPN-1 route-distinguisher 10.255.255.1:1000
  user@host# set L3VPN-1 interface ge-0/0/10.10
  user@host# set L3VPN-1 vrf-target target:65100:1000
  user@host# set L3VPN-1 vrf-target import target:65100:1000
  user@host# set L3VPN-1 vrf-target export target:65100:1000
  user@host# set L3VPN-1 vrf-table-label
  user@host# set L3VPN-1 routing-options auto-export
  user@host# set VPLS_VPN-1 instance-type vpls
  user@host# set VPLS_VPN-1 interface ge-0/0/11.0
  user@host# set VPLS_VPN-1 route-distinguisher 10.255.255.1:1001
  user@host# set VPLS_VPN-1 vrf-target target:65100:1001
  user@host# set VPLS_VPN-1 protocols vpls no-tunnel-services
  user@host# set VPLS_VPN-1 protocols vpls site 1 site-identifier 1
  user@host# set VPLS_VPN-1 protocols vpls site 1 interface ge-0/0/11.0
  user@host# set VPLS_VPN-1 protocols vpls mac-tlv-receive
  user@host# set VPLS_VPN-1 protocols vpls mac-tlv-send
  ```
Results
Display the results of the configuration:
Verification
Confirm that the configuration is working properly.
Verifying That the Physical and Logical Interfaces Are Up
Purpose
Verify that the physical and logical interfaces are up on the device.
Action
From operational mode on the SRX Series Services Gateway, enter the show interfaces terse command.
```
user@host> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     1.1.1.1/30
                                            192.168.184.109/25
gr-0/0/0                up    up
gr-0/0/0.0              up    up   inet     172.16.255.1/30
                                   mpls
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
ge-0/0/9                up    down
ge-0/0/10               up    down
ge-0/0/10.10            up    down inet     192.168.0.1/24
ge-0/0/10.32767         up    down
ge-0/0/11               up    down
ge-0/0/11.0             up    down vpls
ge-0/0/11.32767         up    down
ge-0/0/12               up    down
ge-0/0/13               up    down
ge-0/0/14               up    down
ge-0/0/14.0             up    down inet
ge-0/0/15               up    down
fxp2                    up    up
fxp2.0                  up    up   tnp      0x1
gre                     up    up
ipip                    up    up
lo0                     up    up
lo0.0                   up    up   inet     10.255.184.109      --> 0/0
                                            10.255.255.1        --> 0/0
                                            127.0.0.1           --> 0/0
                                   inet6
st0                     up    up
st0.0                   up    up   inet     172.16.0.1/30
tap                     up    up
vlan                    up    up
<some output removed for brevity>
```
Meaning
The output of the show interfaces terse command shows that all physical and logical interfaces used in this configuration are up and active.
Verifying the Fragmented IP Packet on the Outgoing Interface
Purpose
Verify that the IP packet of 1500 bytes is created and sent to the outgoing interface ge-0/0/14.0.
Action
From operational mode on the SRX Series Services Gateway, enter the show interfaces ge-0/0/14.0 extensive command.
```
user@host> show interfaces ge-0/0/14.0 extensive
  Logical interface ge-0/0/14.0 (Index 79) (SNMP ifIndex 564) (Generation 144)
    Flags: Device-Down SNMP-Traps Encapsulation: ENET2
    Traffic statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
    Local statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
    Transit statistics:
     Input  bytes  :                    0                    0 bps
     Output bytes  :                    0                    0 bps
     Input  packets:                    0                    0 pps
     Output packets:                    0                    0 pps
    Security: Zone: Internet
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp
    ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp
    ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin
    rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping
    ntp sip
    Flow Statistics :
    Flow Input statistics :
      Self packets :                     0
      ICMP packets :                     0
      VPN packets :                      0
      Multicast packets :                0
      Bytes permitted by policy :        0
      Connections established :          0
    Flow Output statistics:
      Multicast packets :                0
      Bytes permitted by policy :        0
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0
      No minor session:                  0
      No more sessions:                  0
      No NAT gate:                       0
      No route present:                  0
      No SA for incoming SPI:            0
      No tunnel found:                   0
      No session for a gate:             0
      No zone or NULL zone binding       0
      Policy denied:                     0
      Security association not active:   64
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0
    Protocol inet, MTU: 1500, Generation: 158, Route table: 0
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
        Destination: 1.1.1.0/30, Local: 1.1.1.1, Broadcast: 1.1.1.3, Generation: 154
```
Meaning
The output of the show interfaces ge-0/0/14.0 extensive command shows that the fragmented IP packet of 1500 bytes is sent to the outgoing interface ge-0/0/14.0.