BGP L3VPN with Flow services

This is the 5th and final post of my MPLS series. You can find all posts under the mpls-tutorial tag. So far I have run all SRX devices in packet mode, which means we weren’t able to use the service features of the SRX firewall. With this new config, we can also inspect the traffic. You can also find the Juniper document that describes this setup here. I am just taking the flow section of this document and trying to explain it the way I comprehend it. I have also modified my topology to make things simpler.


First of all, the topology needs some clarification. Two MPLS-PE SRX devices (J40 and J35) have IBGP peerings through the MPLS cloud. Each SRX has a customer, R2 and R1 respectively (they don’t have to be SRX devices, just some customer device). The two red devices connected to each SRX with dashed lines are actually two routing instances on each device. The purpose of this setup is to enable flow mode on each SRX (J40, J35) so that traffic can be inspected and security policies enforced if necessary. This requires putting these devices in flow mode and enabling packet services on the VRF instances. Now let’s see how we can achieve this:

All of the following configs are on the J40 device. At the end of the post you can find the entire config from both devices, J40 and J35.

Enabling Flow Mode
In previous posts, packet mode was enabled. Delete the packet mode config to switch to flow mode.

Create a firewall filter on PE router
This is to put some interfaces into packet mode selectively.

Create Logical Tunnel Interfaces
This is for communication between routing instances.

Create routing instances

As you can see, Flow-VR-R2 has two interfaces, and ge-0/0/4.804 is the R2-facing interface. Packets entering this Flow-VR have to be inspected by the flow daemon. Both of these interfaces must be assigned to security zones, which we will do later. Flow-VR’s default route points to lt-0/0/0.0, which is directly connected to the vpn-R2 VRF instance. The VRF, in turn, is connected to the MPLS cloud; a VRF doesn’t have to have a physical interface to connect to the cloud. Flow-VR takes the packet, inspects it and passes it over to the VRF. The VRF then checks its routing table and forwards the packet with a label.

The VRF is no different from the previous MPLS posts; it just has a logical tunnel interface instead. If you want to reach any customer network (i.e. a network on R2), you can simply add a static route pointing to lt-0/0/0.1, through which the traffic will be forwarded to Flow-VR. All other L3VPN config is the same as before.
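
The relationship between Flow-VR-R2, the logical tunnel pair and the vpn-R2 VRF described above can be sketched as follows. This is an added example, not the configuration from the original post: the lt-0/0/0 addresses, the route distinguisher, the route target and the customer prefix are constructed placeholder values, and the packet-mode filter and security zones are not shown.

```junos
# Added example (not the author's config). All addresses, the RD/RT
# values and the customer prefix below are constructed placeholders.

# Logical tunnel pair: unit 0 lives in Flow-VR-R2, unit 1 in vpn-R2.
set interfaces lt-0/0/0 unit 0 encapsulation ethernet
set interfaces lt-0/0/0 unit 0 peer-unit 1
set interfaces lt-0/0/0 unit 0 family inet address 192.0.2.1/30
set interfaces lt-0/0/0 unit 1 encapsulation ethernet
set interfaces lt-0/0/0 unit 1 peer-unit 0
set interfaces lt-0/0/0 unit 1 family inet address 192.0.2.2/30

# Flow-VR-R2: holds the R2-facing interface and the flow side of the
# tunnel. Its default route points at the VRF end of the lt pair, so
# everything R2 sends toward the VPN crosses lt-0/0/0.0.
set routing-instances Flow-VR-R2 instance-type virtual-router
set routing-instances Flow-VR-R2 interface ge-0/0/4.804
set routing-instances Flow-VR-R2 interface lt-0/0/0.0
set routing-instances Flow-VR-R2 routing-options static route 0.0.0.0/0 next-hop 192.0.2.2

# vpn-R2: the L3VPN VRF. Its only interface is the other end of the
# tunnel; the customer network behind R2 is reached with a static
# route back through lt-0/0/0.1 toward Flow-VR-R2.
set routing-instances vpn-R2 instance-type vrf
set routing-instances vpn-R2 interface lt-0/0/0.1
set routing-instances vpn-R2 route-distinguisher 65000:804
set routing-instances vpn-R2 vrf-target target:65000:804
set routing-instances vpn-R2 routing-options static route 198.51.100.0/24 next-hop 192.0.2.1
```

With this layout, traffic between R2 and the VPN always crosses lt-0/0/0.0, so the zone that interface is placed in is where the security policy between the customer and the VPN is enforced.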

Assign required interfaces to security zones

For testing purposes, set the default policy to permit-all

Let’s see what routes we have in our vpn-R2 VRF

According to the topology, the route is advertised by J35 via MP-BGP.
I will connect to R1 from R2 via SSH and see how the packet is inspected on J40.

As you can see, the packet enters Flow-VR on the ge-0/0/4.804 interface and exits at lt-0/0/0.0, which is directly connected to the VRF. According to the VRF routing table above, the packet is then forwarded via ge-0/0/1.0, but you don’t see that in the session output because the packet has already left Flow-VR.

You can enhance this configuration by configuring BGP on Flow-VR and dynamically sharing routes with R2. I have chosen the static way to make it simpler.

This is the end of this MPLS series. I should have already started my JNCIE-SEC studies, but I am a bit obsessed with MPLS and L3VPNs. From now on, I hope to write about my JNCIE-SEC studies until I take the exam.

Below is the entire configuration from PE routers J40 and J35 for your reference.

J40 Config

J35 Config
