Example: Configuring MPLS over GRE with IPsec Fragmentation and Reassembly
The virtual private network (VPN) traffic forwarded over 1500-byte media is blocked because of the protocol encapsulation overhead (Layer 2, MPLS, GRE and IPsec, and GRE or IPsec).
This document provide a solution to fragment an IPsec encapsulated packet and reassemble the fragmented packets.
This example shows how to configure selective packet services using a single routing instance (the default one) without utilizing the lt interface.
You can perform IPsec encapsulated packet fragmentation on the outgoing physical interface of the sending device and reassembly on the receiving device before IPsec decryption.
The reassembly of fragmented packets uses a lot of device resources, and the performance of the device will be slower than the nonfragmented traffic.
The topic includes the following sections:
Requirements
This example uses the following hardware and software components:
Branch SRX Series Services Gateways
Junos OS Release 11.4 or later
Overview and Topology
This example includes the following configurations:
Configure interfaces for the appropriate protocol encapsulation with a required maximum transmission unit (MTU) value.
Apply firewall filter on the ge-0/0/10.10 interface to set the packet mode. Configure the outgoing interface ge-0/0/14.0 with an appropriate MTU value.
Set the largest MTU value to GRE and IPsec logical interfaces to avoid IPsec fragmentation at logical interfaces. GRE encapsulated traffic is tunneled inside IPsec.
Add the MPLS family to the GRE interface gr-0/0/0 and apply a firewall filter to enable packet mode. Create firewall filters to configure interfaces to work with packet mode.
Perform basic IPsec tunnel configuration on the device with the df-bit clear option added in IPsec VPN configuration to allow fragmentation of oversized IPsec packets on the outgoing interface ge-0/0/14.0.
Configure all noncustomer- facing interfaces such as ge-0/0/14.0, gr-0/0/0.0, lo0.0, and st0.0 in a single security zone.
Configure a policy to permit all (intrazone) traffic.
Configure OSPF for lo0.0 address distribution, and LDP for label distribution. Then you configure IBGP with the inet-vpn and l2vpn families.
Configure two routing instances, one for Layer 3 VPN and other for VPLS application.
Figure 1 shows the topology used in this example.
Table 1 provides a summary of the parameters used in this topology.
Table 1: Components of the Topology
Components | Description |
|---|---|
PE1 and PE2 | PE1 AND PE2 SRX Series Firewalls:
ge-0/0/10.10:
|
ge-0/0/11.0:
| |
ge-0/0/14.0:
| |
gr-0/0/0:
| |
lo0:
| |
st0.0:
| |
|
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set interfaces ge-0/0/10.10 description "LAN
Side"set interfaces ge-0/0/10.10 vlan-taggingset interfaces ge-0/0/10.10 mtu 9192set interfaces ge-0/0/10.10 unit 10 description
L3VPN-1set interfaces ge-0/0/10.10 unit 10 vlan-id
10set interfaces ge-0/0/10.10 unit 10 family inet
filter input packet-mode-inetset interfaces ge-0/0/10.10 unit 10 family inet
address 192.168.0.1/24set interfaces ge-0/0/11 description "LAN Side"set interfaces ge-0/0/11 flexible-vlan-tagging set interfaces ge-0/0/11 mtu 1522 set interfaces ge-0/0/11 encapsulation vlan-vplsset interfaces ge-0/0/11 unit 0 description
VPLS_VPN-1set interfaces ge-0/0/11 unit 0 encapsulation
vlan-vplsset interfaces ge-0/0/11 unit 0 vlan-id 512 set interfaces ge-0/0/14 description Internetset interfaces ge-0/0/14 mtu 1514set interfaces ge-0/0/14 unit 0 family inet
address 1.1.1.1/30set interfaces gr-0/0/0 unit 0 description "MPLS
core facing interface"set interfaces gr-0/0/0 unit 0 tunnel source
172.16.0.1set interfaces gr-0/0/0 unit 0 tunnel destination
172.16.0.2set interfaces gr-0/0/0 unit 0 family inet mtu
9000set interfaces gr-0/0/0 unit 0 family inet address
172.16.255.1/30set interfaces gr-0/0/0 unit 0 family mpls mtu
9000set interfaces gr-0/0/0 unit 0 family mpls filter
input packet-modeset interfaces lo0 unit 0 family inet address
10.255.255.1/32set interfaces st0 unit 0 family inet mtu 9178
address 172.16.0.1/30set firewall family inet filter packet-mode-inet
term all-traffic then packet-modeset firewall family inet filter packet-mode-inet
term all-traffic then acceptset firewall family mpls filter packet-mode
term all-traffic then packet-modeset firewall family mpls filter packet-mode
term all-traffic then acceptset security ike policy standard mode mainset security ike policy standard proposal-set
standardset security ike policy standard pre-shared-key
ascii-text "$9$GOjkPFnCBIc5QIcylLXUjH"set security ike gateway srx240-2 ike-policy
standardset security ike gateway srx240-2 address 1.1.1.2 set security ike gateway srx240-2 external-interface
ge-0/0/14.0set security ipsec policy standard proposal-set
standardset security ipsec vpn ipsec-vpn-1 bind-interface
st0.0set security ipsec vpn ipsec-vpn-1 df-bit clearset security ipsec vpn ipsec-vpn-1 ike gateway
srx240-2set security ipsec vpn ipsec-vpn-1 ike ipsec-policy
standardset security ipsec vpn ipsec-vpn-1 establish-tunnels
immediatelyset security policies from-zone Internet to-zone
Internet policy Internet match source-address anyset security policies from-zone Internet to-zone
Internet policy Internet match destination-address anyset security policies from-zone Internet to-zone
Internet policy Internet match application anyset security policies from-zone Internet to-zone
Internet policy Internet then permitset security zones security-zone Internet host-inbound-traffic
system-services allset security zones security-zone Internet host-inbound-traffic
protocols allset security zones security-zone Internet interfaces
ge-0/0/14.0set security zones security-zone Internet interfaces
gr-0/0/0.0set security zones security-zone Internet interfaces
lo0.0set security zones security-zone Internet interfaces
st0.0set protocols mpls interface gr-0/0/0.0set protocols bgp tcp-mss 1200set protocols bgp group IBGP type internalset protocols bgp group IBGP local-address 10.255.255.1set protocols bgp group IBGP local-as 65100set protocols bgp group IBGP neighbor 10.255.255.2 set protocols bgp group IBGP neighbor 10.255.255.2
family inet anyset protocols bgp group IBGP neighbor 10.255.255.2
family inet-vpn anyset protocols bgp group IBGP neighbor 10.255.255.2
family l2vpn signalingset protocols ospf traffic-engineeringset protocols ospf area 0.0.0.0 interface lo0.0set protocols ospf area 0.0.0.0 interface lo0.0
passiveset protocols ospf area 0.0.0.0 interface gr-0/0/0.0set protocols ldp interface gr-0/0/0.0set protocols ldp interface lo0.0set routing-instances L3VPN-1 instance-type
vrfset routing-instances L3VPN-1 interface ge-0/0/10.10 set routing-instances L3VPN-1 route-distinguisher
10.255.255.1:1000set routing-instances L3VPN-1 vrf-target target:65100:1000 set routing-instances L3VPN-1 vrf-target import
target:65100:1000set routing-instances L3VPN-1 vrf-target export
target:65100:1000set routing-instances L3VPN-1 vrf-table-labelset routing-instances L3VPN-1 routing-options
auto-exportset routing-instances VPLS_VPN-1 instance-type
vpls set routing-instances VPLS_VPN-1 interface
ge-0/0/11.0set routing-instances VPLS_VPN-1 route-distinguisher
10.255.255.1:1001set routing-instances VPLS_VPN-1 vrf-target
target:65100:1001set routing-instances VPLS_VPN-1 protocols vpls
no-tunnel-servicesset routing-instances VPLS_VPN-1 protocols vpls
site 1 site-identifier 1set routing-instances VPLS_VPN-1 protocols vpls
site 1 interface ge-0/0/11.0set routing-instances VPLS_VPN-1 protocols vpls
mac-tlv-receiveset routing-instances VPLS_VPN-1 protocols vpls
mac-tlv-sendStep-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To fragment the MPLS frame and reassemble the packet:
- Configure the physical Interfaces.[edit interfaces]user@host# set ge-0/0/10.10 description "LAN Side"user@host# set ge-0/0/10.10 vlan-tagginguser@host# set ge-0/0/10.10 mtu 9192user@host# set ge-0/0/10.10 unit 10 description L3VPN-1user@host# set ge-0/0/10.10 unit 10 vlan-id 10user@host# set ge-0/0/10.10 unit 10 family inet filter input packet-mode-inetuser@host# set ge-0/0/10.10 unit 10 family inet address 192.168.0.1/24user@host# set ge-0/0/11 description "LAN Side"user@host# set ge-0/0/11 flexible-vlan-tagginguser@host# set ge-0/0/11 mtu 1522user@host# set ge-0/0/11 encapsulation vlan-vplsuser@host# set ge-0/0/11 unit 0 description VPLS_VPN-1user@host# set ge-0/0/11 unit 0 encapsulation vlan-vplsuser@host# set ge-0/0/11 unit 0 vlan-id 512user@host# set ge-0/0/14 description Internetuser@host# set ge-0/0/14 mtu 1514user@host# set ge-0/0/14 unit 0 family inet address 1.1.1.1/30
- Configure the logical Interfaces.[edit interfaces]user@host# set gr-0/0/0 unit 0 description "MPLS core facing interface"user@host# set gr-0/0/0 unit 0 tunnel source 172.16.0.1user@host# set gr-0/0/0 unit 0 tunnel destination 172.16.0.2user@host# set gr-0/0/0 unit 0 family inet mtu 9000user@host# set gr-0/0/0 unit 0 family inet address 172.16.255.1/30user@host# set gr-0/0/0 unit 0 family mpls mtu 9000user@host# set gr-0/0/0 unit 0 family mpls filter input packet-modeuser@host# set lo0 unit 0 family inet address 10.255.255.1/32user@host# set st0 unit 0 family inet mtu 9178 address 172.16.0.1/30
- Configure the firewall filters that are used to configure
interfaces to work with packet mode.[edit firewall]user@host# set family inet filter packet-mode-inet term all-traffic then packet-modeuser@host# set family inet filter packet-mode-inet term all-traffic then acceptuser@host# set family mpls filter packet-mode term all-traffic then packet-modeuser@host# set family mpls filter packet-mode term all-traffic then accept
- Configure the IKE and IPsec policies.[edit security]user@host# set ike policy standard mode mainuser@host# set ike policy standard proposal-set standarduser@host# set ike policy standard pre-shared-key ascii-text "$9$GOjkPFnCBIc5QIcylLXUjH"user@host# set ike gateway srx240-2 ike-policy standarduser@host# set ike gateway srx240-2 address 1.1.1.2user@host# set ike gateway srx240-2 external-interface ge-0/0/14.0user@host# set ipsec policy standard proposal-set standarduser@host# set ipsec vpn ipsec-vpn-1 bind-interface st0.0user@host# set ipsec vpn ipsec-vpn-1 df-bit clearuser@host# set ipsec vpn ipsec-vpn-1 ike gateway srx240-2user@host# set ipsec vpn ipsec-vpn-1 ike ipsec-policy standarduser@host# set ipsec vpn ipsec-vpn-1 establish-tunnels immediately
- Configure all noncustomer-facing interfaces in a single
security zone and a policy to permit all (intrazone) traffic.[edit security policies from-zone Internet to-zone Internet]user@host# set policy Internet match source-address anyuser@host# set policy Internet match destination-address anyuser@host# set policy Internet match application anyuser@host# set policy Internet then permit[edit security zones security-zone Internet]user@host# set host-inbound-traffic system-services alluser@host# set host-inbound-traffic protocols alluser@host# set interfaces ge-0/0/14.0user@host# set interfaces gr-0/0/0.0user@host# set interfaces lo0.0user@host# set interfaces st0.0
- Configure the OSPF protocol for lo0.0 address distribution,
and configure IBGP with the inet-vpn and l2vpn families.[edit protocols]user@host# set mpls interface gr-0/0/0.0user@host# set bgp tcp-mss 1200user@host# set bgp group IBGP type internaluser@host# set bgp group IBGP local-address 10.255.255.1user@host# set bgp group IBGP local-as 65100user@host# set bgp group IBGP neighbor 10.255.255.2user@host# set bgp group IBGP neighbor 10.255.255.2 family inet anyuser@host# set bgp group IBGP neighbor 10.255.255.2 family inet-vpn anyuser@host# set bgp group IBGP neighbor 10.255.255.2 family l2vpn signalinguser@host# set ospf traffic-engineeringuser@host# set ospf area 0.0.0.0 interface lo0.0user@host# set ospf area 0.0.0.0 interface lo0.0 passiveuser@host# set ospf area 0.0.0.0 interface gr-0/0/0.0user@host# set ldp interface gr-0/0/0.0user@host# set ldp interface lo0.0
- Configure two routing instances, one for Layer 3 VPN and
the other for the VPLS application.[edit routing-instances]user@host# set L3VPN-1 instance-type vrfuser@host# set L3VPN-1 route-distinguisher 10.255.255.1:1000user@host# set L3VPN-1 interface ge-0/0/10.10user@host# set L3VPN-1 vrf-target target:65100:1000user@host# set L3VPN-1 vrf-target import target:65100:1000user@host# set L3VPN-1 vrf-target export target:65100:1000user@host# set L3VPN-1 vrf-table-labeluser@host# set L3VPN-1 routing-options auto-exportuser@host# set VPLS_VPN-1 instance-type vplsuser@host# set VPLS_VPN-1 interface ge-0/0/11.0user@host# set VPLS_VPN-1 route-distinguisher 10.255.255.1:1001user@host# set VPLS_VPN-1 vrf-target target:65100:1001user@host# set VPLS_VPN-1 protocols vpls no-tunnel-servicesuser@host# set VPLS_VPN-1 protocols vpls site 1 site-identifier 1user@host# set VPLS_VPN-1 protocols vpls site 1 interface ge-0/0/11.0user@host# set VPLS_VPN-1 protocols vpls mac-tlv-receiveuser@host# set VPLS_VPN-1 protocols vpls mac-tlv-send
Results
Display the results of the configuration:
Verification
Confirm that the configuration is working properly.
Verifying That the Physical and Logical Interfaces Are Up
Purpose
Verify that the physical and logical interfaces are up on the device.
Action
From operational mode on the SRX Series Services Gateway, enter the show interfaces terse command.
user@host> show interfaces terse Interface Admin Link Proto Local Remote
ge-0/0/0 up up
ge-0/0/0.0 up up inet 1.1.1.1/30
192.168.184.109/25
gr-0/0/0 up up
gr-0/0/0.0 up up inet 172.16.255.1/30
mpls
ip-0/0/0 up up
lsq-0/0/0 up up
lt-0/0/0 up up
ge-0/0/9 up down
ge-0/0/10 up down
ge-0/0/10.10 up down inet 192.168.0.1/24
ge-0/0/10.32767 up down
ge-0/0/11 up down
ge-0/0/11.0 up down vpls
ge-0/0/11.32767 up down
ge-0/0/12 up down
ge-0/0/13 up down
ge-0/0/14 up down
ge-0/0/14.0 up down inet
ge-0/0/15 up down
fxp2 up up
fxp2.0 up up tnp 0x1
gre up up
ipip up up
lo0 up up
lo0.0 up up inet 10.255.184.109 --> 0/0
10.255.255.1 --> 0/0
127.0.0.1 --> 0/0
inet6
st0 up up
st0.0 up up inet 172.16.0.1/30
tap up up
vlan up up
<some output removed for brevity>Meaning
The output of the show interfaces terse command shows that all physical and logical interfaces used in this configuration are up and active.
Verifying the Fragmented IP Packet on the Outgoing Interface
Purpose
Verify that the IP packet of 1500 bytes is created and sent to the outgoing interface ge-0/0/14.0.
Action
From operational mode on the SRX Series Services Gateway, enter the show interfaces ge-0/0/14.0 extensive
user@host> show interfaces ge-0/0/14.0 extensive
Logical interface ge-0/0/14.0 (Index 79) (SNMP ifIndex 564) (Generation 144) Flags: Device-Down SNMP-Traps Encapsulation: ENET2 Traffic statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Local statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Transit statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps Security: Zone: Internet Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip Flow Statistics : Flow Input statistics : Self packets : 0 ICMP packets : 0 VPN packets : 0 Multicast packets : 0 Bytes permitted by policy : 0 Connections established : 0 Flow Output statistics: Multicast packets : 0 Bytes permitted by policy : 0 Flow error statistics (Packets dropped due to): Address spoofing: 0 Authentication failed: 0 Incoming NAT errors: 0 Invalid zone received packet: 0 Multiple user authentications: 0 Multiple incoming NAT: 0 No parent for a gate: 0 No one interested in self packets: 0 No minor session: 0 No more sessions: 0 No NAT gate: 0 No route present: 0 No SA for incoming SPI: 0 No tunnel found: 0 No session for a gate: 0 No zone or NULL zone binding 0 Policy denied: 0 Security association not active: 64 TCP sequence number out of window: 0 Syn-attack protection: 0 User authentication errors: 0 Protocol inet, MTU: 1500, Generation: 158, Route table: 0 Flags: Sendbcast-pkt-to-re Addresses, Flags: Dest-route-down Is-Preferred Is-Primary Destination: 1.1.1.0/30, Local: 1.1.1.1, Broadcast: 1.1.1.3, Generation: 154
Meaning
The output of the show interfaces ge-0/0/14.0 extensive command shows that the fragmented IP packet of 1500 bytes is sent to outgoing interface ge-0/0/14.