Test Bed Device Configuration
Apply-Groups
Repetitive configuration (interface settings, BGP group settings, and VRF settings) is collected into apply-groups, so that every object that references a group inherits the same set of settings from it.
Apply-Groups for Interfaces
groups {
GR-CORE-INTF-IPV6 {
interfaces {
<*> {
description ****GR-CORE-INTF-SETTINGS-APPLIED-ADD-DESCRIPTION****;
traps;
mtu 9192;
hold-time up 2000 down 0;
damping { # Interface damping supported on MX and PTX only
half-life 30;
max-suppress 600;
reuse 250;
suppress 2000;
enable;
}
unit 0 {
traps;
family iso {
mtu 9106;
}
family inet6 {
mtu 9106;
}
}
}
<ae*> {
aggregated-ether-options {
bfd-liveness-detection {
version automatic;
minimum-interval 50;
multiplier 3;
no-adaptation;
}
lacp {
active;
accept-data; # LACP accept-data supported on MX only
hold-time up 2;
}
}
}
/* Interface types: et-, ge-, xe- */
"<[egx][te]-*>" {
optics-options {
alarm low-light-alarm {
link-down;
}
warning low-light-warning {
syslog;
}
}
}
}
}
GR-CORE-INTF-LAG-MEMBER {
interfaces {
<*> {
description **GR-CORE-INTF-LAG-MEMBER-SETTINGS-APPLIED-ADD-DESCRIPTION**;
traps;
hold-time up 2000 down 0;
damping { # Interface damping supported on MX and PTX only
half-life 30;
max-suppress 600;
reuse 250;
suppress 2000;
enable;
}
optics-options {
alarm low-light-alarm {
link-down;
}
warning low-light-warning {
syslog;
}
}
}
}
}
GR-EDGE-INTF { # Group not required on CR
interfaces {
<*> {
description ****GR-EDGE-INTF-SETTINGS-APPLIED-ADD-DESCRIPTION****;
traps;
flexible-vlan-tagging;
mtu 9102;
hold-time up 180000 down 0;
damping { # Interface damping supported on MX and PTX only
half-life 30;
max-suppress 600;
reuse 250;
suppress 2000;
enable;
}
encapsulation flexible-ethernet-services;
}
<ae*> {
aggregated-ether-options {
lacp {
active;
accept-data; # LACP accept-data supported on MX only
hold-time up 2;
}
}
}
"<[egx][te]-*>" {
optics-options {
alarm low-light-alarm {
link-down;
}
warning low-light-warning {
syslog;
}
}
}
}
}
GR-EDGE-INTF-LAG-MEMBER { # Group not required on CR
interfaces {
<*> {
traps;
hold-time up 180000 down 0;
damping { # Interface damping supported on MX and PTX only
half-life 30;
max-suppress 600;
reuse 250;
suppress 2000;
enable;
}
optics-options {
alarm low-light-alarm {
link-down;
}
warning low-light-warning {
syslog;
}
}
}
}
}
GR-INTER-AS-INTF-IPV6 { # Group required on BR and MSE only
interfaces {
<*> {
description ****GR-CORE-INTF-SETTINGS-APPLIED-ADD-DESCRIPTION****;
traps;
mtu 9192;
hold-time up 2000 down 0;
damping {
half-life 30;
max-suppress 600;
reuse 250;
suppress 2000;
enable;
}
unit 0 {
traps;
family inet6 {
mtu 9106;
}
}
}
<ae*> {
aggregated-ether-options {
bfd-liveness-detection {
version automatic;
minimum-interval 50;
multiplier 3;
no-adaptation;
}
lacp {
active;
accept-data; # LACP accept-data supported on MX only
hold-time up 2;
}
}
}
/* Interface types: et-, ge-, xe- */
"<[egx][te]-*>" {
optics-options {
alarm low-light-alarm {
link-down;
}
warning low-light-warning {
syslog;
}
}
}
}
}
}
Apply-Groups for Protocols
groups {
GR-ISIS-IPV6 {
protocols {
isis {
/* Interface types: ae, et-, ge-, xe-; not included: lo0 */
interface <*e*> {
level 1 disable;
level 2 {
srv6-adjacency-segment {
unprotected {
locator SL-FA-000 {
micro-adjacency-sid;
}
locator SL-FA-128 {
micro-adjacency-sid;
}
locator SL-FA-129 {
micro-adjacency-sid;
}
}
}
post-convergence-lfa {
node-protection cost 16777214;
}
application-specific {
attribute-group LA-FA {
advertise-delay-metric;
te-metric 1000; # Default TE metric. Can be
application { # overridden on interface
flex-algorithm;
}
}
}
hello-authentication-key-chain KC-ISIS;
}
delay-measurement;
hello-padding strict;
point-to-point;
}
/* Interface types: et-, ge-, xe- */
interface "<[egx][te]-*>" {
family inet6 {
bfd-liveness-detection {
minimum-interval 50;
multiplier 3;
no-adaptation;
}
}
}
interface lo0.0 {
level 1 disable;
passive;
}
}
}
}
/* GR-BGP: settings inherited by every BGP group whose name matches one of the
   two wildcards below. A BGP group named outside GR-IBGP-* / GR-EBGP-* inherits
   none of this, including the session authentication. */
GR-BGP {
    protocols {
        bgp {
            group <GR-IBGP-*> {
                type internal;
                # TCP-AO session authentication; the key comes from key chain KC-BGP.
                authentication-algorithm ao;
                authentication-key-chain KC-BGP;
                multipath;
                tcp-mss 4096;
            }
            group <GR-EBGP-*> { # This group required on BR and MSE only
                type external;
                # eBGP sessions use their own key chain (KC-EBGP), separate from the iBGP one.
                authentication-algorithm ao;
                authentication-key-chain KC-EBGP;
                multipath;
                tcp-mss 4096;
                bfd-liveness-detection {
                    minimum-interval 50;
                    multiplier 3;
                    no-adaptation;
                }
            }
        }
    }
}
}
Other Apply-Groups
groups {
GR-L3VPN { # Group not needed on CR
routing-instances {
<*> {
instance-type vrf;
routing-options {
static {
route 0.0.0.0/0 {
discard;
retain;
no-readvertise;
preference 4294967295;
}
}
protect {
core;
}
}
vrf-table-label;
}
}
}
GR-SRV6 {
routing-options {
source-packet-routing {
srv6 {
locator <SL-*> {
micro-sid {
flavor {
psp;
usp;
usd;
}
}
}
}
}
}
}
}
Interfaces
Loopbacks
interfaces {
lo0 {
unit 0 {
family inet6 {
address $LOCAL_IPV6_LOOPBACK_ADDRESS;
}
}
unit $IFL { # These IFLs required on AN, AG, BR and MSE
family <inet|inet6> {
address $VPN_LOOPBACK_IP_ADDRESS;
}
}
}
}
Unbundled WAN Interfaces
interfaces {
$IFD {
apply-groups GR-CORE-INTF-IPV6;
description $DESCRIPTION;
}
}
Bundled WAN Interfaces
interfaces {
$IFD {
apply-groups GR-CORE-INTF-LAG-MEMBER;
description $DESCRIPTION;
ether-options {
802.3ad ae$AE_ID;
}
}
ae$AE_ID {
apply-groups GR-CORE-INTF-IPV6;
description $DESCRIPTION;
aggregated-ether-options {
bfd-liveness-detection {
neighbor $NEIGHBOR_IPV6_LOOPBACK_ADDRESS;
local-address $LOCAL_IPV6_LOOPBACK_ADDRESS;
}
}
}
}
Unbundled Edge Interfaces
interfaces {
$IFD {
apply-groups GR-EDGE-INTF;
description $DESCRIPTION;
unit $IFL {
vlan-id $VLAN_ID;
<other service specific parameters>
}
}
}
Bundled Edge Interfaces
interfaces {
$IFD {
apply-groups GR-EDGE-INTF-LAG-MEMBER;
description $DESCRIPTION;
ether-options {
802.3ad ae$AE_ID;
}
}
ae$AE_ID {
apply-groups GR-EDGE-INTF;
description $DESCRIPTION;
unit $IFL {
vlan-id $VLAN_ID;
<other service specific parameters>
}
}
}
Inter-region Interfaces
interfaces {
$IFD {
apply-groups GR-INTER-AS-INTF-IPV6;
description $DESCRIPTION;
unit 0 {
family inet6 {
address $INTER_REGION_LINK_GLOBAL_ADDRESS;
}
}
}
}
IS-IS
IS-IS on CR Routers
routing-options {
flex-algorithm 128 {
use-transport-class {
inet3-install;
}
}
flex-algorithm 129 {
use-transport-class {
inet3-install;
}
}
source-packet-routing {
srv6 {
apply-groups GR-SRV6;
block SB-FA-000 {
5f00:1::/32;
local-micro-sid {
maximum-static-sids 2000;
}
}
block SB-FA-128 {
5f00:a1::/32;
local-micro-sid {
maximum-static-sids 2000;
}
}
block SB-FA-129 {
5f00:b1::/32;
local-micro-sid {
maximum-static-sids 2000;
}
}
locator SL-FA-000 {
5f00:1:6048::/48; # Example for node 48, in region 1, area 6
micro-sid {
block-name SB-FA-000;
}
}
locator SL-FA-128 {
algorithm 128;
5f00:a1:6048::/48; # Example for node 48, in region 1, area 6
micro-sid {
block-name SB-FA-128;
}
}
locator SL-FA-129 {
algorithm 129;
5f00:b1:6048::/48; # Example for node 48, in region 1, area 6
micro-sid {
block-name SB-FA-129;
}
}
}
}
router-id $ROUTER_ID;
ipv6-router-id $LOCAL_IPV6_LOOPBACK_ADDRESS;
transport-class {
auto-create;
name TC-128 {
color 128;
}
name TC-129 {
color 129;
}
}
nonstop-routing;
forwarding-table {
export PS-LOAD-BALANCE;
}
}
/* TWAMP server. Presumably this answers the probes behind the IS-IS
   delay-measurement statement in GR-ISIS-IPV6 (confirm). */
services {
    <rpm|monitoring> { # MX: rpm, PTX: monitoring
        twamp {
            server {
                # NOTE(review): with authentication-mode none the server does not
                # authenticate TWAMP clients. This listing shows no client-list and
                # no loopback filter; confirm that reachability of the server is
                # restricted elsewhere in the device configuration.
                authentication-mode none; # Configuration supported only on MX
                light {
                    offload-type pfe-timestamp; # Configuration supported only on PTX
                }
            }
        }
    }
}
policy-options {
/* PS-ISIS-EXPORT (CR): the only route exported into IS-IS is the local IPv6
   loopback; everything else is rejected by the final action. */
policy-statement PS-ISIS-EXPORT {
    # Rejects routes on the out-of-band management interfaces first, so the
    # management subnets are never exported into IS-IS.
    term TR-OOB-MANAGEMENT {
        from interface [ em0.0 fxp0.0 re0:mgmt-0.0 ];
        then reject;
    }
    term TR-LOCAL-LOOPBACK-IPV6 {
        from {
            family inet6;
            protocol direct;
            interface lo0.0;
        }
        then {
            tag 102;    # PS-ISIS-IMPORT term TR-MEDIUM matches this tag
            accept;
        }
    }
    then reject;    # default deny for anything not matched above
}
policy-statement PS-ISIS-IMPORT {
term TR-HIGH {
from tag 101;
then {
priority high;
accept;
}
}
term TR-HIGH-LOCATORS {
from {
route-filter 5f00::/24 prefix-length-range /36-/48;
}
then {
priority high;
accept;
}
}
term TR-MEDIUM {
from tag 102;
then {
priority medium;
accept;
}
}
term LOW {
then {
priority low;
no-backup;
accept;
}
}
}
policy-statement PS-LOAD-BALANCE {
then {
load-balance per-flow;
}
}
}
/* Key chain KC-ISIS: referenced on this page as the hello-authentication-key-chain
   in GR-ISIS-IPV6 and as the level 2 authentication-key-chain under protocols isis. */
security {
    authentication-key-chains {
        key-chain KC-ISIS {
            # Only key 1 is defined, so no key rollover is scheduled; rotating the
            # key means adding further keys with later start-times.
            key 1 {
                # $ENCRYPTED_KEY is a template placeholder; each deployment supplies
                # its own secret.
                secret "$ENCRYPTED_KEY"; ## SECRET-DATA
                start-time "2016-12-31.16:00:00 -0800";
                algorithm hmac-sha-1;
                options isis-enhanced;
            }
        }
    }
}
protocols {
isis {
apply-groups GR-ISIS-IPV6;
interface $IFL { # static uA only in CR, BR, and EDGE
level 2 { # (default IS-IS instance) routers.
srv6-adjacency-segment {
unprotected {
locator SL-FA-$FA-ID {
micro-adjacency-sid {
$SID_VALUE;
}
}
}
}
}
}
interface lo0.0 {
passive;
}
source-packet-routing {
flex-algorithm [ 128 129 ];
no-strict-spf;
srv6 {
locator SL-FA-000 micro-node-sid;
locator SL-FA-128 micro-node-sid;
locator SL-FA-129 micro-node-sid;
}
}
level 1 disable;
/* Level 2 settings of the default IS-IS instance. */
level 2 {
    purge-originator empty;
    authentication-key-chain KC-ISIS;   # level 2 authentication uses key chain KC-ISIS
    wide-metrics-only;
    # Limit on prefixes exported into IS-IS; the dynamic-overload statement later
    # in this stanza refers to this limit.
    prefix-export-limit 3000;
}
/* IS-IS tracing: errors and hellos in detail, written to file "isis"
   (10 files of 5m each). */
traceoptions {
    flag error detail;
    flag hello detail;
    # NOTE(review): world-readable lets every login account on the router read the
    # trace file; prefer no-world-readable unless lower-privilege operators need it.
    file isis size 5m files 10 world-readable;
}
backup-spf-options {
use-post-convergence-lfa maximum-backup-paths 2;
use-source-packet-routing;
}
export PS-ISIS-EXPORT;
import PS-ISIS-IMPORT;
reference-bandwidth 4000g;
lsp-lifetime 65535;
max-hello-size 9106;
no-ipv4-routing;
no-external-export {
protocol bgp; # BGP export must be allowed on MSE
protocol ospf;
protocol static;
}
topologies ipv6-unicast;
overload {
timeout 60;
advertise-high-metrics;
internal-prefixes;
external-prefixes;
}
dynamic-overload no-overload-on-prefix-export-limit;
net 49.$R00$I.0000.0000.00$NN.00;
}
esis {
disable; # Configuration supported only on MX
}
}
IS-IS on BR and MSE Routers
The BR and MSE routers are ASBR routers between regions. Therefore, there is a single significant change in IS-IS configuration as compared to the Edge or CR routers:
The BR and MSE routers either redistribute or summarize between regions; therefore, they use different PS-ISIS-EXPORT policies.
The following are the changes in the IS-IS configuration on the MSE routers (compared to the Edge or CR routers).
routing-options {
rib inet6.0 {
aggregate {
route 5f00:1::/32 {
tag 201;
tag2 1000;
preference 14;
discard;
}
route 5f00:a1::/32 {
tag 201;
tag2 1000;
preference 14;
discard;
algorithm 128;
}
route 5f00:b1::/32 {
tag 201;
tag2 1000;
preference 14;
discard;
algorithm 129;
}
}
}
}
policy-options {
policy-statement PS-ISIS-EXPORT {
term TR-OOB-MANAGEMENT {
from interface [ em0.0 fxp0.0 re0:mgmt-0.0 ];
then reject;
}
term TR-LOCAL-LOOPBACK-IPV6 {
from {
family inet6;
protocol direct;
interface lo0.0;
}
then {
tag 102;
accept;
}
}
term TR-REGION-1-LOOPBACK-SUMMARY-IPV6 {
from {
family inet6;
protocol bgp;
community CM-LOOPBACK-65001;
}
then {
tag 202;
tag2 0;
accept;
}
}
term TR-REGION-1-LOCATOR-SUMMARY-IPV6 {
from {
family inet6;
protocol aggregate;
tag 201;
tag2 1000;
}
then {
advertise-locator;
accept;
}
}
then reject;
}
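# Name corrected to match the reference in term TR-REGION-1-LOOPBACK-SUMMARY-IPV6
# above (community CM-LOOPBACK-65001) and the definitions in the BGP listings; the
# listing defined it as CM-LOOPBACK, which leaves the policy reference undefined.
community CM-LOOPBACK-65001 members 65001:10000;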
}
The following are the changes in the IS-IS configuration on the BR routers (compared to the Edge or CR routers).
routing-options {
rib inet6.0 {
aggregate {
route 5f00:0::/32 {
tag 201;
tag2 0;
preference 14;
discard;
}
route 5f00:a0::/32 {
tag 201;
tag2 0;
preference 14;
discard;
algorithm 128;
}
route 5f00:b0::/32 {
tag 201;
tag2 0;
preference 14;
discard;
algorithm 129;
}
}
}
}
policy-options {
policy-statement PS-ISIS-EXPORT {
term TR-OOB-MANAGEMENT {
from interface [ em0.0 fxp0.0 re0:mgmt-0.0 ];
then reject;
}
term TR-LOCAL-LOOPBACK-IPV6 {
from {
family inet6;
protocol direct;
interface lo0.0;
}
then {
tag 102;
accept;
}
}
term TR-REGION-0-LOOPBACK-SUMMARY-IPV6 {
from {
family inet6;
protocol bgp;
community CM-LOOPBACK-65000;
}
then {
tag 202;
tag2 0;
set-down-bit;
accept;
}
}
term TR-REGION-0-LOCATOR-SUMMARY-IPV6 {
from {
family inet6;
protocol aggregate;
tag 201;
tag2 0;
}
then {
advertise-locator;
set-down-bit;
accept;
}
}
then reject;
}
}
BGP
BGP on Edge (BGP RR Clients)
routing-options {
resolution {
preserve-nexthop-hierarchy;
}
router-id $ROUTER_ID;
autonomous-system $AS_ID;
forwarding-table {
srv6-chain-merge;
}
}
/* Key chain KC-BGP: TCP-AO key used by the GR-IBGP-* groups through
   apply-group GR-BGP. */
security {
    authentication-key-chains {
        key-chain KC-BGP {
            # Only key 1 is defined, so no key rollover is scheduled; rotating the
            # key means adding further keys with later start-times.
            key 1 {
                # $ENCRYPTED_KEY is a template placeholder; each deployment supplies
                # its own secret.
                secret "$ENCRYPTED_KEY"; ## SECRET-DATA
                start-time "2016-12-31.16:00:00 -0800";
                algorithm ao;
                ao-attribute {
                    # TCP-AO key IDs: the peer's recv-id must equal this send-id and
                    # its send-id this recv-id.
                    send-id 1;
                    recv-id 1;
                    tcp-ao-option enabled;
                    cryptographic-algorithm aes-128-cmac-96;    # MAC algorithm for the TCP-AO option
                }
            }
        }
    }
}
protocols {
bgp {
apply-groups GR-BGP;
path-selection external-router-id;
advertise-from-main-vpn-tables;
vpn-apply-export;
group GR-IBGP-TO-RR-SRV6 {
local-address $LOCAL_IPV6_LOOPBACK_ADDRESS;
family inet {
unicast {
extended-nexthop;
advertise-srv6-service;
accept-srv6-service;
}
}
family inet-vpn {
unicast {
extended-nexthop;
advertise-srv6-service;
accept-srv6-service;
}
}
family inet6 {
unicast {
advertise-srv6-service;
accept-srv6-service;
}
}
family inet6-vpn {
unicast {
advertise-srv6-service;
accept-srv6-service;
}
}
family evpn {
signaling {
advertise-srv6-service;
accept-srv6-service;
}
}
family route-target {
nexthop-resolution {
no-resolution;
}
}
neighbor $RR_IPV6_LOOPBACK_ADDRESS {
description $RR_DESCRIPTION;
}
}
precision-timers;
/* BGP tracing: OPEN messages in detail, written to file "bgp"
   (5 files of 10m each). */
traceoptions {
    # NOTE(review): world-readable lets every login account on the router read the
    # trace file; prefer no-world-readable unless lower-privilege operators need it.
    file bgp size 10m files 5 world-readable;
    flag open detail;
}
advertise-inactive;
inactive: advertise-external;
log-updown;
bgp-error-tolerance;
multipath {
list-nexthop;
}
rfc8950-compliant;
defaults {
ebgp {
no-policy {
receive reject-always;
advertise reject-always;
}
}
}
}
}
BGP on CR Routers (BGP Route Reflectors)
routing-options {
resolution {
preserve-nexthop-hierarchy;
}
router-id $ROUTER_ID;
autonomous-system $AS_ID;
forwarding-table {
srv6-chain-merge;
}
}
security {
authentication-key-chains {
key-chain KC-BGP {
key 1 {
secret "$ENCRYPTED_KEY"; ## SECRET-DATA
start-time "2016-12-31.16:00:00 -0800";
algorithm ao;
ao-attribute {
send-id 1;
recv-id 1;
tcp-ao-option enabled;
cryptographic-algorithm aes-128-cmac-96;
}
}
}
}
}
protocols {
bgp {
apply-groups GR-BGP;
path-selection external-router-id;
advertise-from-main-vpn-tables;
vpn-apply-export;
group GR-IBGP-PE-SRV6 {
local-address $LOCAL_IPV6_LOOPBACK_ADDRESS;
family inet {
unicast {
nexthop-resolution {
no-resolution;
}
extended-nexthop;
advertise-srv6-service;
accept-srv6-service;
}
}
family inet-vpn {
unicast {
nexthop-resolution {
no-resolution;
}
extended-nexthop;
advertise-srv6-service;
accept-srv6-service;
}
}
family inet6 {
unicast {
nexthop-resolution {
no-resolution;
}
advertise-srv6-service;
accept-srv6-service;
}
}
family inet6-vpn {
unicast {
advertise-srv6-service;
accept-srv6-service;
}
}
family evpn {
signaling {
nexthop-resolution {
no-resolution;
}
advertise-srv6-service;
accept-srv6-service;
}
}
family route-target {
advertise-default;
nexthop-resolution {
no-resolution;
}
}
cluster $ROUTER_ID;
neighbor $PE_IPV6_LOOPBACK_ADDRESS {
description $PE_DESCRIPTION;
}
}
group GR-IBGP-PE-SRV6 {
local-address $LOCAL_IPV6_LOOPBACK_ADDRESS;
family inet {
unicast {
nexthop-resolution {
no-resolution;
}
extended-nexthop;
advertise-srv6-service;
accept-srv6-service;
}
}
family inet-vpn {
unicast {
nexthop-resolution {
no-resolution;
}
extended-nexthop;
advertise-srv6-service;
accept-srv6-service;
}
}
family inet6 {
unicast {
nexthop-resolution {
no-resolution;
}
advertise-srv6-service;
accept-srv6-service;
}
}
family inet6-vpn {
unicast {
advertise-srv6-service;
accept-srv6-service;
}
}
family evpn {
signaling {
nexthop-resolution {
no-resolution;
}
advertise-srv6-service;
accept-srv6-service;
}
}
family route-target {
external-paths 2; # Number of ASBRs
nexthop-resolution {
no-resolution;
}
}
cluster $ROUTER_ID;
neighbor $ASBR_IPV6_LOOPBACK_ADDRESS {
description $ASBR_DESCRIPTION;
}
}
group GR-IBGP-RRS-SRV6 {
local-address $LOCAL_IPV6_LOOPBACK_ADDRESS;
family inet {
unicast {
nexthop-resolution {
no-resolution;
}
extended-nexthop;
advertise-srv6-service;
accept-srv6-service;
}
}
family inet-vpn {
unicast {
nexthop-resolution {
no-resolution;
}
extended-nexthop;
advertise-srv6-service;
accept-srv6-service;
}
}
family inet6 {
unicast {
nexthop-resolution {
no-resolution;
}
advertise-srv6-service;
accept-srv6-service;
}
}
family inet6-vpn {
unicast {
advertise-srv6-service;
accept-srv6-service;
}
}
family evpn {
signaling {
nexthop-resolution {
no-resolution;
}
advertise-srv6-service;
accept-srv6-service;
}
}
family route-target {
advertise-default;
nexthop-resolution {
no-resolution;
}
}
neighbor $RR_IPV6_LOOPBACK_ADDRESS {
description $RR_DESCRIPTION;
}
}
precision-timers;
/* BGP tracing on the route reflector: OPEN messages in detail, written to
   file "bgp" (5 files of 10m each). */
traceoptions {
    # NOTE(review): world-readable lets every login account on the router read the
    # trace file; prefer no-world-readable unless lower-privilege operators need it.
    file bgp size 10m files 5 world-readable;
    flag open detail;
}
advertise-inactive;
inactive: advertise-external;
log-updown;
bgp-error-tolerance;
multipath {
list-nexthop;
}
rfc8950-compliant;
defaults {
ebgp {
no-policy {
receive reject-always;
advertise reject-always;
}
}
}
}
}
BGP on BR Routers (BGP ASBRs)
routing-options {
rib inet6.0 {
aggregate {
route 2001:db8:bad:cafe::1000:0/100 { # AS65001 loopback summary
tag 202;
tag2 0;
preference 14;
discard;
}
}
}
resolution {
preserve-nexthop-hierarchy;
}
router-id $ROUTER_ID;
autonomous-system $AS_ID;
forwarding-table {
srv6-chain-merge;
}
}
/* TCP-AO key chains on the BR: KC-BGP for the GR-IBGP-* groups and KC-EBGP for
   the GR-EBGP-* groups (both bound through apply-group GR-BGP). */
security {
    authentication-key-chains {
        key-chain KC-BGP {
            # Only key 1 is defined, so no key rollover is scheduled.
            key 1 {
                # $ENCRYPTED_KEY is a template placeholder; each deployment supplies
                # its own secret.
                secret "$ENCRYPTED_KEY"; ## SECRET-DATA
                start-time "2016-12-31.16:00:00 -0800";
                algorithm ao;
                ao-attribute {
                    send-id 1;
                    recv-id 1;
                    tcp-ao-option enabled;
                    cryptographic-algorithm aes-128-cmac-96;
                }
            }
        }
        # Separate chain for sessions that cross the AS boundary. The secret is the
        # same placeholder name as in KC-BGP; NOTE(review): use a distinct secret for
        # the eBGP chain so that the inter-AS key is not shared with iBGP.
        key-chain KC-EBGP {
            key 1 {
                secret "$ENCRYPTED_KEY"; ## SECRET-DATA
                # Same instant as the KC-BGP start-time, written in UTC.
                start-time "2017-1-1.00:00:00 +0000";
                algorithm ao;
                ao-attribute {
                    # Key IDs have to be agreed with the eBGP peer: its recv-id must
                    # equal this send-id and its send-id this recv-id.
                    send-id 1;
                    recv-id 1;
                    tcp-ao-option enabled;
                    cryptographic-algorithm aes-128-cmac-96;
                }
            }
        }
    }
}
policy-options {
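/* PS-IBGP-SRV6-IMP: import policy of group GR-IBGP-TO-RR-SRV6. It stamps every
   imported route with tag 65001, which PS-EBGP-NHS term TR-REMOTE matches. */
policy-statement PS-IBGP-SRV6-IMP {
    then {
        tag 65001;
    }
}   # this closing brace was missing in the listing, leaving policy-options unbalanced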
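/* PS-EBGP-IMP: import policy of eBGP group GR-EBGP-AS65000-SRV6.
   Corrected against the listing: the first term's match conditions are written
   as "from { rib ...; community ...; }" (the listing had "from rib { ... }"), and
   the first term is renamed so the policy no longer holds two terms called
   TR-REGION-0-LOCATORS. The new name follows the MSE policy's
   TR-REGION-1-LOOPBACK-SUMMARY. */
policy-statement PS-EBGP-IMP {
    # Loopback summary of the remote region, identified by its community.
    term TR-REGION-0-LOOPBACK-SUMMARY {
        from {
            rib inet6.0;
            community CM-LOOPBACK-65000;
        }
        then {
            preference 160;
            community add CM-NO-ADVERTISE;  # keep the route local to this router
            accept;
        }
    }
    # NOTE(review): this term matches on the RIB only, so every inet6.0 prefix the
    # eBGP peer announces is accepted. Consider adding route-filters for the
    # locator blocks expected from the peer, so that unexpected 5f00::/16 prefixes
    # cannot attract SRv6-encapsulated traffic.
    term TR-REGION-0-LOCATORS {
        from rib inet6.0;
        then {
            community add CM-NO-ADVERTISE;
            accept;
        }
    }
}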
policy-statement PS-EBGP-NHS {
term TR-REMOTE {
from tag 65001;
then next policy;
}
term TR-LOCAL {
then next-hop $LOCAL_IPV6_LOOPBACK_ADDRESS;
}
}
policy-statement PS-EBGP-SRV6-EXP {
term TR-LOOPBACK-SUMMARY {
from {
protocol aggregate;
tag 202;
tag2 0;
}
then {
community add CM-LOOPBACK-65001;
next-hop self;
accept;
}
}
term TR-LOCATORS {
from {
route-filter 5f00::/24 prefix-length-range /48-/48;
}
then accept;
}
term TR-RTC {
from rib bgp.rtarget.0;
then accept;
}
term TR-L3VPN {
from community RT-SRV6;
then accept;
}
}
community CM-NO-ADVERTISE members no-advertise;
community RT-SRV6 members target:65001:9...; # RTs used by SRv6 services
community CM-LOOPBACK-65000 members 65000:10000;
community CM-LOOPBACK-65001 members 65001:10000;
}
protocols {
bgp {
apply-groups GR-BGP;
path-selection external-router-id;
advertise-from-main-vpn-tables;
vpn-apply-export;
group GR-IBGP-TO-RR-SRV6 {
local-address $LOCAL_IPV6_LOOPBACK_ADDRESS;
import PS-IBGP-SRV6-IMP;
family inet {
unicast {
extended-nexthop;
advertise-srv6-service;
accept-srv6-service;
}
}
family inet-vpn {
unicast {
extended-nexthop;
advertise-srv6-service;
accept-srv6-service;
}
}
family inet6 {
unicast {
advertise-srv6-service;
accept-srv6-service;
}
}
family inet6-vpn {
unicast {
advertise-srv6-service;
accept-srv6-service;
}
}
family evpn {
signaling {
advertise-srv6-service;
accept-srv6-service;
}
}
family route-target {
nexthop-resolution {
no-resolution;
}
}
neighbor $RR_IPV6_LOOPBACK_ADDRESS {
description $RR_DESCRIPTION;
}
}
group GR-EBGP-AS65000-SRV6 {
multihop {
ttl 255;
no-nexthop-change;
}
import PS-EBGP-IMP;
family inet-vpn {
unicast {
extended-nexthop;
advertise-srv6-service;
accept-srv6-service;
}
}
family inet6 {
unicast;
}
family inet6-vpn {
unicast {
advertise-srv6-service;
accept-srv6-service;
}
}
family evpn {
signaling {
advertise-srv6-service;
accept-srv6-service;
}
}
family route-target {
nexthop-resolution {
no-resolution;
}
}
export [ PS-EBGP-NHS PS-EBGP-SRV6-EXP ];
peer-as $PEER_AS;
neighbor $EBGP_PEER_LINK_ADDRESS {
description $EBGP_PEER_DESCRIPTION;
local-address $LOCAL_LINK_ADDRESS;
}
advertise-prefix-sid;
accept-prefix-sid;
}
precision-timers;
/* BGP tracing on the BR: OPEN messages in detail, written to file "bgp"
   (5 files of 10m each). */
traceoptions {
    # NOTE(review): world-readable lets every login account on the router read the
    # trace file; prefer no-world-readable unless lower-privilege operators need it.
    file bgp size 10m files 5 world-readable;
    flag open detail;
}
advertise-inactive;
inactive: advertise-external;
log-updown;
bgp-error-tolerance;
multipath {
list-nexthop;
no-nexthop-change;
}
rfc8950-compliant;
/* Default-deny for eBGP: a session that has no import or export policy attached
   neither accepts nor advertises any route (the RFC 8212 behaviour). This is the
   backstop if an eBGP group is ever configured without its policies. */
defaults {
    ebgp {
        no-policy {
            receive reject-always;
            advertise reject-always;
        }
    }
}
}
}
BGP on MSE Routers
routing-options {
resolution {
preserve-nexthop-hierarchy;
}
router-id $ROUTER_ID;
autonomous-system $AS_ID;
forwarding-table {
srv6-chain-merge;
}
}
security {
authentication-key-chains {
key-chain KC-BGP {
key 1 {
secret "$ENCRYPTED_KEY"; ## SECRET-DATA
start-time "2016-12-31.16:00:00 -0800";
algorithm ao;
ao-attribute {
send-id 1;
recv-id 1;
tcp-ao-option enabled;
cryptographic-algorithm aes-128-cmac-96;
}
}
}
key-chain KC-EBGP {
key 1 {
secret "$ENCRYPTED_KEY"; ## SECRET-DATA
start-time "2017-1-1.00:00:00 +0000";
algorithm ao;
ao-attribute {
send-id 1;
recv-id 1;
tcp-ao-option enabled;
cryptographic-algorithm aes-128-cmac-96;
}
}
}
}
}
policy-options {
policy-statement PS-EBGP-IMP {
term TR-REGION-1-LOOPBACK-SUMMARY {
from {
rib inet6.0;
community CM-LOOPBACK-65001;
}
then {
preference 160;
community add CM-NO-ADVERTISE;
accept;
}
}
term TR-REGION-1-LOCATORS {
from rib inet6.0;
then {
preference 160;
community add CM-NO-ADVERTISE;
accept;
}
}
then accept;
}
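/* PS-EBGP-NHS: first policy in the export chain of group GR-EBGP-AS65001-SRV6.
   Routes carrying tag 65000 go on to the next policy with their next hop left
   as is; every other route gets the local IPv6 loopback as next hop.
   Corrected against the listing: the statement already sits inside
   policy-options, so the repeated "policy-options" keyword is dropped and the
   policy-statement gets its own braces around the two terms. */
policy-statement PS-EBGP-NHS {
    term TR-REMOTE {
        from tag 65000;
        then {
            # NOTE(review): CM-TEST1 is not among the communities defined in this
            # listing; define it or drop the action (the BR version of this term
            # only has "next policy").
            community add CM-TEST1;
            next policy;
        }
    }
    term TR-LOCAL {
        then {
            next-hop $LOCAL_IPV6_LOOPBACK_ADDRESS;
        }
    }
}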
policy-statement PS-EBGP-SRV6-EXP {
term TR-RTC {
from rib bgp.rtarget.0;
then accept;
}
term TR-LOOPBACK-SUMMARY {
from {
protocol aggregate;
tag 202;
tag2 0;
}
then {
community add CM-LOOPBACK-65000;
next-hop self;
accept;
}
}
term TR-LOCATORS {
from {
route-filter 5f00::/24 prefix-length-range /48-/48;
}
then accept;
}
term TR-L3VPN {
from community RT-SRV6;
then accept;
}
}
community CM-NO-ADVERTISE members no-advertise;
community RT-SRV6 members target:65001:9...; # RTs used by SRv6 services
community CM-LOOPBACK-65000 members 65000:10000;
community CM-LOOPBACK-65001 members 65001:10000;
}
protocols {
bgp {
apply-groups GR-BGP;
path-selection external-router-id;
advertise-from-main-vpn-tables;
vpn-apply-export;
group GR-IBGP-SRV6 {
local-address $LOCAL_IPV6_LOOPBACK_ADDRESS;
import PS-IBGP-SRV6-IMP;
family inet-vpn {
unicast {
extended-nexthop;
advertise-srv6-service;
accept-srv6-service;
}
}
family inet6-vpn {
unicast {
advertise-srv6-service;
accept-srv6-service;
}
}
family evpn {
signaling {
advertise-srv6-service;
accept-srv6-service;
}
}
family route-target {
nexthop-resolution {
no-resolution;
}
}
export PS-IBGP-SRV6-EXP;
neighbor $IBGP_PEER_IPV6_LOOPBACK_ADDRESS {
description $IBGP_PEER_DESCRIPTION;
}
}
group GR-EBGP-AS65001-SRV6 {
multihop {
ttl 255;
no-nexthop-change;
}
import PS-EBGP-IMP;
family inet-vpn {
unicast {
extended-nexthop;
advertise-srv6-service;
accept-srv6-service;
}
}
family inet6 {
unicast;
}
family inet6-vpn {
unicast {
advertise-srv6-service;
accept-srv6-service;
}
}
family evpn {
signaling {
advertise-srv6-service;
accept-srv6-service;
}
}
family route-target {
nexthop-resolution {
no-resolution;
}
}
export [ PS-EBGP-NHS PS-EBGP-SRV6-EXP ];
peer-as $PEER_AS;
neighbor $EBGP_PEER_LINK_ADDRESS {
description $EBGP_PEER_DESCRIPTION;
local-address $LOCAL_LINK_ADDRESS;
}
advertise-prefix-sid;
accept-prefix-sid;
}
precision-timers;
/* BGP tracing on the MSE: OPEN messages in detail, written to file "bgp"
   (5 files of 10m each). */
traceoptions {
    # NOTE(review): world-readable lets every login account on the router read the
    # trace file; prefer no-world-readable unless lower-privilege operators need it.
    file bgp size 10m files 5 world-readable;
    flag open detail;
}
advertise-inactive;
inactive: advertise-external;
log-updown;
bgp-error-tolerance;
multipath {
list-nexthop;
}
rfc8950-compliant;
defaults {
ebgp {
no-policy {
receive reject-always;
advertise reject-always;
}
}
}
}
}
Services
Internet through Global Routing Table
interfaces {
$PEERING_IFD {
apply-groups GR-EDGE-INTF;
description $IFD_DESCRIPTION;
unit $PEERING_IFL {
family inet address $VPN_IPV4_PEERING_ADDRESS/$PREFIX_LENGTH;
family inet6 address $VPN_IPV6_PEERING_ADDRESS/$PREFIX_LENGTH;
}
}
}
protocols {
bgp {
source-packet-routing {
srv6 {
locator SL-FA-000 {
micro-dt46-sid;
}
}
}
}
}
L3VPN with Static SID Allocation
A statically allocated default SID is assigned to the VRF. The VRF advertises all of its prefixes with that SID, except for prefixes matched by a per-prefix policy.
interfaces {
lo0 {
unit $LOOPBACK_IFL {
family inet address $VPN_IPV4_LOOPBACK_ADDRESS/32;
family inet6 address $VPN_IPV6_LOOPBACK_ADDRESS/128;
}
}
$PE_CE_IFD {
apply-groups GR-EDGE-INTF;
description $IFD_DESCRIPTION;
unit $PE_CE_IFL {
family inet address $VPN_IPV4_PE_CE_ADDRESS/$PREFIX_LENGTH;
family inet6 address $VPN_IPV6_PE_CE_ADDRESS/$PREFIX_LENGTH;
}
}
}
policy-options {
policy-statement $PER_PREFIX_POLICY {
term $TERM_NAME {
from <prefix-selection-criteria>;
then {
srv6 locator SL-FA-$FA_ID_NON_DEFAULT micro-dt46-sid;
accept;
}
}
}
}
protocols {
bgp {
group GR-IBGP-TO-RR-SRV6 {
export $PER_PREFIX_POLICY;
}
}
}
routing-instances {
$L3VPN_STATIC_NAME {
apply-groups GR-L3VPN;
routing-options {
router-id $VPN_IPV4_LOOPBACK_ADDRESS;
ipv6-router-id $VPN_IPV6_LOOPBACK_ADDRESS;
}
protocols {
bgp {
source-packet-routing {
srv6 {
locator SL-FA-$FA_ID_DEFAULT { # e.g. 000
micro-dt46-sid $SID_VALUE_DEFAULT;
}
locator SL-FA-$FA_ID_NON_DEFAULT { # e.g. 128 or 129
micro-dt46-sid $SID_VALUE_NON_DEFAULT non-default;
}
}
}
}
}
interface lo0.$LOOPBACK_IFL;
interface $PE_CE_IFD.$PE_CE_IFL;
route-distinguisher $RD_VALUE;
vrf-target target:$RT_VALUE;
}
}
L3VPN with Dynamic SID Allocation
interfaces {
lo0 {
unit $LOOPBACK_IFL {
family inet address $VPN_IPV4_LOOPBACK_ADDRESS/32;
family inet6 address $VPN_IPV6_LOOPBACK_ADDRESS/128;
}
}
$PE_CE_IFD {
apply-groups GR-EDGE-INTF;
description $IFD_DESCRIPTION;
unit $PE_CE_IFL {
family inet address $VPN_IPV4_PE_CE_ADDRESS/$PREFIX_LENGTH;
family inet6 address $VPN_IPV6_PE_CE_ADDRESS/$PREFIX_LENGTH;
}
}
}
policy-options {
policy-statement $PER_PREFIX_POLICY {
term $TERM_NAME {
from <prefix-selection-criteria>;
then {
srv6 locator SL-FA-$FA_ID_NON_DEFAULT micro-dt46-sid;
accept;
}
}
}
}
protocols {
bgp {
group GR-IBGP-TO-RR-SRV6 {
export $PER_PREFIX_POLICY;
}
}
}
routing-instances {
$L3VPN_DYNAMIC_NAME {
apply-groups GR-L3VPN;
routing-options {
router-id $VPN_IPV4_LOOPBACK_ADDRESS;
ipv6-router-id $VPN_IPV6_LOOPBACK_ADDRESS;
}
protocols {
bgp {
source-packet-routing {
srv6 {
locator SL-FA-$FA_ID_DEFAULT { # e.g. 000
micro-dt46-sid;
}
locator SL-FA-$FA_ID_NON_DEFAULT { # e.g. 128 or 129
micro-dt46-sid non-default;
}
}
}
}
}
interface lo0.$LOOPBACK_IFL;
interface $PE_CE_IFD.$PE_CE_IFL;
route-distinguisher $RD_VALUE;
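# Route target of the VRF. The listing read "target: RT_VALUE"; the placeholder
# is written as in the static-SID variant of this instance.
vrf-target target:$RT_VALUE;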
}
}
L3VPN SRv6 SID Resolution Through Dynamic-Tunnels
The SRv6 dynamic-tunnel feature is required on the BR and MSE routers for proper SRv6 SID resolution of L3VPN prefixes received from another AS, because no IS-IS SRv6 locator TLV exists for the locators that the other AS uses in its SRv6 SIDs.
# MSE dynamic-tunnel configuration
policy-options {
policy-statement PS-REGION-1-LOCATORS {
term 1 {
from {
route-filter 5f00:1::/32 prefix-length-range /32-/48;
route-filter 5f00:a1::/32 prefix-length-range /32-/48;
route-filter 5f00:b1::/32 prefix-length-range /32-/48;
}
then accept;
}
then reject;
}
}
routing-options {
dynamic-tunnels {
forwarding-rib {
inet6.0 {
inet6-import PS-REGION-1-LOCATORS;
}
}
DT-REGION-1 {
source-address IPV6_LOOPBACK_ADDRESS;
srv6;
destination-networks {
5f00:1::/32;
5f00:a1::/32;
5f00:b1::/32;
}
}
}
}
# BR dynamic-tunnel configuration
policy-options {
policy-statement PS-REGION-0-LOCATORS {
term 1 {
from {
route-filter 5f00::/32 prefix-length-range /32-/48;
route-filter 5f00:a0::/32 prefix-length-range /32-/48;
route-filter 5f00:b0::/32 prefix-length-range /32-/48;
}
then accept;
}
then reject;
}
}
routing-options {
dynamic-tunnels {
forwarding-rib {
inet6.0 {
inet6-import PS-REGION-0-LOCATORS;
}
}
DT-REGION-0 {
source-address IPV6_LOOPBACK_ADDRESS;
srv6;
destination-networks {
5f00::/32;
5f00:a0::/32;
5f00:b0::/32;
}
}
}
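}
The SRv6 locator range (5f00::/16 or longer) MUST be blocked on eBGP peers as a security measure: another autonomous system that advertises prefixes from the 5f00::/16 (or longer) range could otherwise attract SRv6-encapsulated VPN traffic. None of the listings on this page shows this filter, so it has to be added to the import policy of each eBGP session toward an external autonomous system.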
L3VPN with IRB as PE-CE Interface
In many cases, multiple CE devices connected to a PE router are interconnected with each other at Layer 2 (using a bridge domain on the PE) and share a common PE-CE subnet, with the IRB interface placed inside the VRF as the PE-CE interface.
interfaces {
$PE-CE-X-IFD {
apply-groups GR-EDGE-INTF;
description $DESCRIPTION-X;
unit $IFL {
encapsulation vlan-bridge;
vlan-id $VLAN_ID;
}
}
$PE-CE-Y-IFD {
apply-groups GR-EDGE-INTF;
description $DESCRIPTION-Y;
unit $IFL {
encapsulation vlan-bridge;
vlan-id $VLAN_ID;
}
}
irb {
unit $IFL {
family inet {
address $PE_CE_ADDRESS/$PE_CE_SUBNET;
}
}
}
}
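/* Bridge domain that joins the two PE-CE attachment circuits at Layer 2 and
   uses irb.$IFL as its routed interface. */
bridge-domains {
    $BD_NAME {
        vlan-id $VLAN_ID;
        interface $PE-CE-X-IFD.$IFL;
        interface $PE-CE-Y-IFD.$IFL;
        routing-interface irb.$IFL;     # the same IRB unit is listed in the VRF
    }
}   # this closing brace was missing in the listing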
routing-instances {
$L3VPN_<STATIC|DYNAMIC>_NAME {
(…)
interface irb.$IFL;
(…)
}
}
EVPN E-Line (VPWS) with Single-Active Multi-Homing using Static SID Allocation
interfaces {
$PE_CE_IFD {
apply-groups GR-EDGE-INTF;
description $IFD_DESCRIPTION;
unit $IFL_EVPN_VPWS {
encapsulation vlan-ccc;
vlan-id $VLAN_ID_EVPN_VPWS;
esi {
$ESI_ID;
single-active;
}
}
}
}
routing-instances {
$EVPN_ELINE_SA_NAME {
instance-type evpn-vpws;
protocols {
evpn {
interface $PE_CE_IFD.$IFL_EVPN_VPWS {
vpws-service-id {
local $VC_ID_LOCAL;
remote $VC_ID_REMOTE;
source-packet-routing {
srv6 locator SL-FA-$FA_ID micro-dx2-sid $SID_VALUE;
}
}
}
encapsulation srv6;
}
}
interface $PE_CE_IFD.$IFL_EVPN_VPWS;
route-distinguisher $RD_VALUE;
vrf-target target:$EVPN_VPWS_VPN_RT_VALUE;
}
}
EVPN E-Line (VPWS) with All-Active Multi-Homing Using Dynamic SID Allocation
interfaces {
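/* LAG member link toward the CE. */
$PE_CE_IFD {
    # Group name corrected: the listing referenced GR-EDGE-INTF-LAG-MEMBR, which is
    # not defined; the group under "Apply-Groups for Interfaces" is
    # GR-EDGE-INTF-LAG-MEMBER.
    apply-groups GR-EDGE-INTF-LAG-MEMBER;
    description $IFD_DESCRIPTION;
    <gigether-options|ether-options> { # Depending on the interface and
        802.3ad ae$PE_CE_LAG_ID;       # platform, gigether or ether
    }
}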
}
interfaces {
ae$PE_CE_LAG_ID {
apply-groups GR-EDGE-INTF;
description $IFD_DESCRIPTION;
aggregated-ether-options {
lacp {
system-id $LACP_SYSTEM_ID;
}
}
unit $IFL_EVPN_VPWS {
encapsulation vlan-ccc;
vlan-id $VLAN_ID_EVPN_VPWS;
esi {
$ESI_ID;
all-active;
}
}
}
}
routing-instances {
$EVPN_ELINE_AA_NAME {
instance-type evpn-vpws;
protocols {
evpn {
interface ae$PE_CE_LAG_ID.$IFL_EVPN_VPWS {
vpws-service-id {
local $VC_ID_LOCAL;
remote $VC_ID_REMOTE;
source-packet-routing {
srv6 locator SL-FA-$FA_ID; # e.g. 000, 128, 129
}
}
}
encapsulation srv6;
}
}
interface ae$PE_CE_LAG_ID.$IFL_EVPN_VPWS;
route-distinguisher $RD_VALUE;
vrf-target target:$EVPN_VPWS_VPN_RT_VALUE;
}
}
EVPN E-Line (VPWS) with All-Active Multi-Homing Using Static SID Allocation
interfaces {
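/* LAG member link toward the CE. */
$PE_CE_IFD {
    # Group name corrected: the listing referenced GR-EDGE-INTF-LAG-MEMBR, which is
    # not defined; the group under "Apply-Groups for Interfaces" is
    # GR-EDGE-INTF-LAG-MEMBER.
    apply-groups GR-EDGE-INTF-LAG-MEMBER;
    description $IFD_DESCRIPTION;
    <gigether-options|ether-options> { # Depending on the interface and
        802.3ad ae$PE_CE_LAG_ID;       # platform, gigether or ether
    }
}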
}
interfaces {
ae$PE_CE_LAG_ID {
apply-groups GR-EDGE-INTF;
description $IFD_DESCRIPTION;
aggregated-ether-options {
lacp {
system-id $LACP_SYSTEM_ID;
}
}
unit $IFL_EVPN_VPWS {
encapsulation vlan-ccc;
vlan-id $VLAN_ID_EVPN_VPWS;
esi {
$ESI_ID;
all-active;
}
}
}
}
routing-instances {
$EVPN_ELINE_AA_NAME {
instance-type evpn-vpws;
protocols {
evpn {
interface ae$PE_CE_LAG_ID.$IFL_EVPN_VPWS {
vpws-service-id {
local $VC_ID_LOCAL;
remote $VC_ID_REMOTE;
source-packet-routing {
srv6 locator SL-FA-$FA_ID micro-dx2-sid $SID_VALUE;
}
}
}
encapsulation srv6;
}
}
interface ae$PE_CE_LAG_ID.$IFL_EVPN_VPWS;
route-distinguisher $RD_VALUE;
vrf-target target:$EVPN_VPWS_VPN_RT_VALUE;
}
}
Miscellaneous
chassis {
network-services enhanced-ip; # MX only
}