BGP L3VPN with Flow services

This is the 5th and final post of my MPLS series. You can find all posts under the mpls-tutorial tag. So far I have run all SRX devices in packet mode, which means we weren't able to use the service features of the SRX firewall. With this new config we can also inspect the traffic. You can also find the Juniper document which describes this setup here; I am just taking the flow section of that document and trying to explain it the way I comprehend it. I have also modified my topology to make things simpler.

[Figure: topology diagram (mpls_flow_vr_3)]

First of all, the topology needs some clarification. The two MPLS PE SRX devices (J40 and J35) have an IBGP peering through the MPLS cloud. Each SRX has a customer, R2 and R1 respectively (they don't have to be SRX devices, just some customer device). The two red-colored devices connected to each SRX with dashed lines are actually two routing instances on each device. The purpose of this setup is to enable flow mode on each SRX (J40, J35), inspect the traffic and enforce security policies if necessary. This requires putting these devices in flow mode and enabling packet services on the VRF instances. Now let's see how we can achieve this:

All following configs are on the J40 device. At the end of the post you can find the entire config from both devices, J40 and J35.

Enabling Flow Mode
In the previous posts, packet mode was enabled. Delete the packet mode config to go to flow mode:

root@j40# delete security forwarding-options family mpls mode packet-based

Create a firewall filter on PE router
This filter is used to put selected interfaces into packet mode, i.e. to bypass flow processing on them, while the rest of the device stays in flow mode.

[edit]
root@j40# show firewall 
family inet {
    filter inet-packet-mode {
        term 10 {
            then {
                packet-mode;
                accept;
            }
        }
    }
}

Create Logical Tunnel Interfaces
This is for inter-routing-instance communication. The two units are peered with each other (peer-unit), so a packet sent into one unit comes out of the other.

[edit]
root@j40# show interfaces lt-0/0/0 
unit 0 {
    description Flow-VR-R2;
    encapsulation frame-relay;
    dlci 300;
    peer-unit 1;
    family inet {
        address 2.2.2.1/24;
    }
}
unit 1 {
    description Packet-VRF-R2;
    encapsulation frame-relay;
    dlci 300;
    peer-unit 0;
    family inet {
        filter {
            input inet-packet-mode;
        }
        address 2.2.2.2/24;
    }
}

Create routing instances

[edit]
root@j40# show routing-instances 
Flow-VR-R2 {
    instance-type virtual-router;
    interface lt-0/0/0.0;
    interface ge-0/0/4.804;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop lt-0/0/0.0;
        }
    }
}
vpn-R2 {
    instance-type vrf;
    interface lt-0/0/0.1;
    route-distinguisher 10002:100;
    vrf-target {
        import target:8602:34;
        export target:8602:34;
    }
    vrf-table-label;
    routing-options {
        static {
            route 72.1.1.0/24 next-hop lt-0/0/0.1;
        }
    }
}

Flow-VR:
As you can see, Flow-VR-R2 has two interfaces, and ge-0/0/4.804 is the R2-facing interface. Packets entering this Flow-VR have to be inspected by the flow daemon. Both of these interfaces must be assigned to security zones, which we will do later. The Flow-VR's default route points to lt-0/0/0.0, which is directly connected to the vpn-R2 VRF instance. In the end the VRF is also connected to the MPLS cloud; the VRF doesn't need a physical interface to connect to the cloud. The Flow-VR takes the packet, inspects it and passes it over to the VRF. The VRF then checks its routing table and forwards the packet by labeling it.

vpn-R2:
The VRF is nothing different from the previous MPLS posts. It has a logical tunnel interface instead of a physical one; if you want to reach any customer network (i.e. a network on R2) you can simply add a static route with next hop lt-0/0/0.1, through which the packet will be forwarded to the Flow-VR. All other L3VPN config is the same as before.

Assign required interfaces to security zones

[edit]
root@j40# show security zones 
security-zone mpls-core {
    host-inbound-traffic {
        system-services {
            ping;
            ssh;
        }
        protocols {
            rsvp;
            bgp;
            ospf;
        }
    }
    interfaces {
        ge-0/0/0.0;
        ge-0/0/1.0;
        lo0.0;
    }
}
security-zone R2-zone {
    host-inbound-traffic {
        system-services {
            ping;
        }
    }
    interfaces {
        ge-0/0/4.804;
        lt-0/0/0.0;
    }
}

For testing purposes, set the default policy to permit-all:

set security policies default-policy permit-all
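To check that the pieces above fit together before committing, here is an added Python example (not from this post and not Juniper's own tooling) that parses the set-style configuration and verifies the design the post describes: each lt unit is symmetrically peered with a matching DLCI and encapsulation, every interface of the VRF carries the packet-mode input filter, every interface of the Flow-VR sits in a security zone, and the permit-all default policy is flagged as a lab-only setting. The embedded configuration is a subset of the J40 lines from this post; the checks, their wording and the assumption that VRF interfaces are lt units are my own.

```python
from collections import defaultdict

# Sample input: a subset of the J40 "set" configuration shown in the post.
J40_CONFIG = """
set interfaces lt-0/0/0 unit 0 encapsulation frame-relay
set interfaces lt-0/0/0 unit 0 dlci 300
set interfaces lt-0/0/0 unit 0 peer-unit 1
set interfaces lt-0/0/0 unit 0 family inet address 2.2.2.1/24
set interfaces lt-0/0/0 unit 1 encapsulation frame-relay
set interfaces lt-0/0/0 unit 1 dlci 300
set interfaces lt-0/0/0 unit 1 peer-unit 0
set interfaces lt-0/0/0 unit 1 family inet filter input inet-packet-mode
set interfaces lt-0/0/0 unit 1 family inet address 2.2.2.2/24
set security policies default-policy permit-all
set security zones security-zone R2-zone interfaces ge-0/0/4.804
set security zones security-zone R2-zone interfaces lt-0/0/0.0
set firewall family inet filter inet-packet-mode term 10 then packet-mode
set firewall family inet filter inet-packet-mode term 10 then accept
set routing-instances Flow-VR-R2 instance-type virtual-router
set routing-instances Flow-VR-R2 interface lt-0/0/0.0
set routing-instances Flow-VR-R2 interface ge-0/0/4.804
set routing-instances vpn-R2 instance-type vrf
set routing-instances vpn-R2 interface lt-0/0/0.1
"""


def parse_set_config(text):
    """Extract lt units, zone membership, routing instances, packet-mode filters
    and the default policy from a Junos 'set' style configuration."""
    cfg = {
        "lt_units": defaultdict(dict),   # (ifname, unit) -> dlci / peer-unit / encapsulation / input_filter
        "zone_of": {},                   # "ifname.unit" -> zone name
        "instances": defaultdict(lambda: {"type": None, "interfaces": []}),
        "packet_mode_filters": set(),    # inet filters containing a 'then packet-mode' term
        "default_policy": None,
    }
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "set":
            continue
        t = t[1:]
        if t[0] == "interfaces" and t[1].startswith("lt-") and t[2] == "unit" and len(t) > 4:
            unit = cfg["lt_units"][(t[1], t[3])]
            rest = t[4:]
            if rest[0] in ("dlci", "peer-unit", "encapsulation") and len(rest) > 1:
                unit[rest[0]] = rest[1]
            elif rest[:4] == ["family", "inet", "filter", "input"] and len(rest) > 4:
                unit["input_filter"] = rest[4]
        elif t[:3] == ["security", "zones", "security-zone"] and len(t) > 5 and t[4] == "interfaces":
            cfg["zone_of"][t[5]] = t[3]
        elif t[:3] == ["security", "policies", "default-policy"]:
            cfg["default_policy"] = t[3]
        elif t[:4] == ["firewall", "family", "inet", "filter"] and t[-1] == "packet-mode":
            cfg["packet_mode_filters"].add(t[4])
        elif t[0] == "routing-instances":
            inst = cfg["instances"][t[1]]
            if t[2] == "instance-type":
                inst["type"] = t[3]
            elif t[2] == "interface":
                inst["interfaces"].append(t[3])
    return cfg


def lint(cfg):
    """Return a list of findings; an empty list means the layout matches the post's design."""
    findings = []
    lt = cfg["lt_units"]
    # 1. Every lt unit must point at a peer that points back, with the same DLCI and encapsulation.
    for (ifname, unit), attrs in lt.items():
        peer = lt.get((ifname, attrs.get("peer-unit")))
        if peer is None or peer.get("peer-unit") != unit:
            findings.append(f"{ifname}.{unit}: peer-unit is not symmetric")
            continue
        for key in ("dlci", "encapsulation"):
            if attrs.get(key) != peer.get(key):
                findings.append(f"{ifname}.{unit}: {key} differs from peer unit {attrs['peer-unit']}")
    # 2. VRF-side lt units must bypass flow (packet-mode filter); Flow-VR interfaces must be zoned.
    #    Assumption (as in the post): the VRF's only interface is an lt unit.
    for name, inst in cfg["instances"].items():
        for ifl in inst["interfaces"]:
            ifname, _, unit = ifl.partition(".")
            if inst["type"] == "vrf":
                flt = lt.get((ifname, unit), {}).get("input_filter")
                if flt not in cfg["packet_mode_filters"]:
                    findings.append(f"{name}: {ifl} lacks a packet-mode input filter")
            elif inst["type"] == "virtual-router" and ifl not in cfg["zone_of"]:
                findings.append(f"{name}: {ifl} is not assigned to a security zone")
    # 3. permit-all is fine for the lab test in the post, but should not survive into production.
    if cfg["default_policy"] == "permit-all":
        findings.append("default-policy permit-all: replace with explicit zone policies before production")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_set_config(J40_CONFIG)):
        print(finding)
```

Run against the post's own J40 lines the only finding is the permit-all reminder; dropping the `filter input inet-packet-mode` line from lt-0/0/0.1, or breaking the peer-unit symmetry, produces a finding for that unit.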

Let's see what routes we have in our vpn-R2 VRF:

root@j40> show route table vpn-R2.inet.0 

vpn-R2.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.0/24         *[BGP/170] 01:32:17, localpref 100, from 10.1.1.7
                      AS path: I
                    > to 25.1.2.1 via ge-0/0/1.0, label-switched-path j40-to-j35
                      to 24.1.1.1 via ge-0/0/0.0, label-switched-path j40-to-j35
2.2.2.0/24         *[Direct/0] 01:40:50
                    > via lt-0/0/0.1
2.2.2.2/32         *[Local/0] 01:40:50
                      Local via lt-0/0/0.1
34.1.1.0/24        *[BGP/170] 01:32:17, localpref 100, from 10.1.1.7
                      AS path: I
                    > to 25.1.2.1 via ge-0/0/1.0, label-switched-path j40-to-j35
                      to 24.1.1.1 via ge-0/0/0.0, label-switched-path j40-to-j35
72.1.1.0/24        *[Static/5] 01:40:50
                    > via lt-0/0/0.1

According to the topology, the 34.1.1.0/24 route is advertised by J35 using MP-BGP. I will connect to R1 from R2 via SSH and see how the packet is inspected on J40:

root@j40> show security flow session destination-prefix 34.1.1.2    
Session ID: 134, Policy name: default-policy-00/2, Timeout: 17968, Valid
  In: 72.1.1.2/61506 --> 34.1.1.2/22;tcp, If: ge-0/0/4.804, Pkts: 83, Bytes: 6617
  Out: 34.1.1.2/22 --> 72.1.1.2/61506;tcp, If: lt-0/0/0.0, Pkts: 146, Bytes: 20401
Total sessions: 1

As you can see, the packet enters from the Flow-VR interface ge-0/0/4.804 and exits at lt-0/0/0.0, which is directly connected to the VRF. According to the VRF routing table above, the packet is then forwarded to 25.1.2.1 via ge-0/0/1.0, but you don't see that in the session output because the packet has already left the Flow-VR.
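The session output above is also what you would audit once the default policy is no longer permit-all. The following added Python example (not from this post and not Juniper's own tooling) parses `show security flow session` output into In/Out wings and flags two things a reviewer cares about: sessions that were matched by the default policy rather than an explicit rule, and sessions whose wings do not both sit on the Flow-VR's interfaces, which would mean the lt hand-off to the VRF is not what carried the traffic. The embedded output is the session from this post; the interface set and the audit wording are my own.

```python
import re

# Sample input: the 'show security flow session' output from the post (SSH from R2 to R1).
SESSION_OUTPUT = """\
Session ID: 134, Policy name: default-policy-00/2, Timeout: 17968, Valid
  In: 72.1.1.2/61506 --> 34.1.1.2/22;tcp, If: ge-0/0/4.804, Pkts: 83, Bytes: 6617
  Out: 34.1.1.2/22 --> 72.1.1.2/61506;tcp, If: lt-0/0/0.0, Pkts: 146, Bytes: 20401
Total sessions: 1
"""

# Interfaces that belong to Flow-VR-R2 in the post's configuration.
FLOW_VR_R2_INTERFACES = {"ge-0/0/4.804", "lt-0/0/0.0"}

SESSION_RE = re.compile(r"Session ID: (\d+), Policy name: (\S+), Timeout: (\d+), (\w+)")
WING_RE = re.compile(
    r"(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)"
)


def parse_flow_sessions(text):
    """Turn the CLI output into a list of sessions, each carrying its In and Out wings."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            sessions.append({
                "id": int(m.group(1)), "policy": m.group(2),
                "timeout": int(m.group(3)), "state": m.group(4), "wings": {},
            })
            continue
        m = WING_RE.search(line)
        if m and sessions:
            # A wing line always belongs to the most recently seen session header.
            sessions[-1]["wings"][m.group(1)] = {
                "src": m.group(2), "sport": int(m.group(3)),
                "dst": m.group(4), "dport": int(m.group(5)),
                "proto": m.group(6), "if": m.group(7),
                "pkts": int(m.group(8)), "bytes": int(m.group(9)),
            }
    return sessions


def audit_sessions(sessions, flow_vr_interfaces):
    """Return (session id, message) pairs for sessions that deserve a look."""
    findings = []
    for s in sessions:
        # Junos names sessions permitted by the default policy 'default-policy-...';
        # in production every allowed flow should hit an explicit zone policy instead.
        if s["policy"].startswith("default-policy"):
            findings.append((s["id"], "matched by default policy, no explicit rule"))
        for wing in ("In", "Out"):
            ifl = s["wings"].get(wing, {}).get("if")
            if ifl not in flow_vr_interfaces:
                findings.append((s["id"], f"{wing} wing on unexpected interface {ifl}"))
    return findings


if __name__ == "__main__":
    for sid, msg in audit_sessions(parse_flow_sessions(SESSION_OUTPUT), FLOW_VR_R2_INTERFACES):
        print(f"session {sid}: {msg}")
```

For the post's output the only finding is the default-policy match, which is expected while testing with permit-all; a session leaving on a core interface such as ge-0/0/1.0 would be reported as an unexpected wing.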

You can enhance this configuration by configuring BGP on the Flow-VR to dynamically share routes with R2. I have chosen the static way to keep things simpler.

This is the end of the MPLS series. I should have already started my JNCIE-SEC studies, but I am a bit obsessed with MPLS and L3VPNs. From now on I hope to write about my JNCIE-SEC studies until I take the exam.

Below are the entire configurations of the PE routers J40 and J35 for your reference.

J40 Config

set system host-name j40
set system services ssh
set interfaces ge-0/0/0 unit 0 family inet address 24.1.1.2/24
set interfaces ge-0/0/0 unit 0 family mpls
set interfaces lt-0/0/0 unit 0 description Flow-VR-R2
set interfaces lt-0/0/0 unit 0 encapsulation frame-relay
set interfaces lt-0/0/0 unit 0 dlci 300
set interfaces lt-0/0/0 unit 0 peer-unit 1
set interfaces lt-0/0/0 unit 0 family inet address 2.2.2.1/24
set interfaces lt-0/0/0 unit 1 description Packet-VRF-R2
set interfaces lt-0/0/0 unit 1 encapsulation frame-relay
set interfaces lt-0/0/0 unit 1 dlci 300
set interfaces lt-0/0/0 unit 1 peer-unit 0
set interfaces lt-0/0/0 unit 1 family inet filter input inet-packet-mode
set interfaces lt-0/0/0 unit 1 family inet address 2.2.2.2/24
set interfaces ge-0/0/1 unit 0 family inet address 25.1.2.2/24
set interfaces ge-0/0/1 unit 0 family mpls
set interfaces ge-0/0/2 unit 0 family inet address 98.1.1.1/24
set interfaces ge-0/0/3 unit 0 family inet address 99.1.1.1/24
set interfaces ge-0/0/4 vlan-tagging
set interfaces ge-0/0/4 unit 804 vlan-id 804
set interfaces ge-0/0/4 unit 804 family inet address 72.1.1.1/24
set interfaces lo0 unit 0 family inet address 10.1.1.8/32
set routing-options router-id 10.1.1.8
set routing-options autonomous-system 8500
set routing-options forwarding-table export load-balance
set protocols rsvp interface ge-0/0/0.0
set protocols rsvp interface ge-0/0/1.0
set protocols mpls expand-loose-hop
set protocols mpls label-switched-path j40-to-j35 to 10.1.1.7
set protocols mpls label-switched-path j40-to-j35 inter-domain
set protocols mpls label-switched-path j40-to-j35 fast-reroute
set protocols mpls label-switched-path j40-to-j35 primary resilient
set protocols mpls path north 24.1.1.1 strict
set protocols mpls path north 10.1.1.3 strict
set protocols mpls path north 10.1.1.6 strict
set protocols mpls path south-backup 25.1.2.1
set protocols mpls path resilient
set protocols mpls interface all
set protocols bgp group int type internal
set protocols bgp group int local-address 10.1.1.8
set protocols bgp group int family inet unicast
set protocols bgp group int family inet-vpn unicast
set protocols bgp group int export my-nets
set protocols bgp group int neighbor 10.1.1.7
set protocols ospf traffic-engineering
set protocols ospf export my-nets
set protocols ospf reference-bandwidth 10g
set protocols ospf area 0.0.0.2 interface ge-0/0/0.0
set protocols ospf area 0.0.0.2 interface ge-0/0/1.0
set protocols ospf area 0.0.0.2 interface lo0.0
set protocols ospf area 0.0.0.2 interface ge-0/0/3.0
set policy-options policy-statement load-balance then load-balance per-packet
set policy-options policy-statement my-nets term 1 from protocol direct
set policy-options policy-statement my-nets term 1 from route-filter 98.1.1.0/24 exact
set policy-options policy-statement my-nets term 1 to protocol ospf
set policy-options policy-statement my-nets term 1 then reject
set policy-options policy-statement my-nets term 10 from protocol direct
set policy-options policy-statement my-nets term 10 then accept
set policy-options policy-statement my-ospf-routes term 10 from protocol ospf
set policy-options policy-statement my-ospf-routes term 10 then accept
set security policies default-policy permit-all
set security zones security-zone mpls-core host-inbound-traffic system-services ping
set security zones security-zone mpls-core host-inbound-traffic system-services ssh
set security zones security-zone mpls-core host-inbound-traffic protocols rsvp
set security zones security-zone mpls-core host-inbound-traffic protocols bgp
set security zones security-zone mpls-core host-inbound-traffic protocols ospf
set security zones security-zone mpls-core interfaces ge-0/0/0.0
set security zones security-zone mpls-core interfaces ge-0/0/1.0
set security zones security-zone mpls-core interfaces lo0.0
set security zones security-zone R2-zone host-inbound-traffic system-services ping
set security zones security-zone R2-zone interfaces ge-0/0/4.804
set security zones security-zone R2-zone interfaces lt-0/0/0.0
set firewall family inet filter inet-packet-mode term 10 then packet-mode
set firewall family inet filter inet-packet-mode term 10 then accept
set firewall family mpls filter packet-mode term 10 then packet-mode
set firewall family mpls filter packet-mode term 10 then accept
set routing-instances Flow-VR-R2 instance-type virtual-router
set routing-instances Flow-VR-R2 interface lt-0/0/0.0
set routing-instances Flow-VR-R2 interface ge-0/0/4.804
set routing-instances Flow-VR-R2 routing-options static route 0.0.0.0/0 next-hop lt-0/0/0.0
set routing-instances vpn-R2 instance-type vrf
set routing-instances vpn-R2 interface lt-0/0/0.1
set routing-instances vpn-R2 route-distinguisher 10002:100
set routing-instances vpn-R2 vrf-target import target:8602:34
set routing-instances vpn-R2 vrf-target export target:8602:34
set routing-instances vpn-R2 vrf-table-label
set routing-instances vpn-R2 routing-options static route 72.1.1.0/24 next-hop lt-0/0/0.1

J35 Config

set system host-name j35
set system services ssh
set interfaces ge-0/0/0 unit 0 family inet address 172.40.1.2/24 primary
set interfaces ge-0/0/0 unit 0 family mpls
set interfaces lt-0/0/0 unit 0 description Flow-VR-R1
set interfaces lt-0/0/0 unit 0 encapsulation frame-relay
set interfaces lt-0/0/0 unit 0 dlci 100
set interfaces lt-0/0/0 unit 0 peer-unit 1
set interfaces lt-0/0/0 unit 0 family inet address 1.1.1.1/24
set interfaces lt-0/0/0 unit 1 description Packet-VRF-R1
set interfaces lt-0/0/0 unit 1 encapsulation frame-relay
set interfaces lt-0/0/0 unit 1 dlci 100
set interfaces lt-0/0/0 unit 1 peer-unit 0
set interfaces lt-0/0/0 unit 1 family inet filter input inet-packet-mode
set interfaces lt-0/0/0 unit 1 family inet address 1.1.1.2/24
set interfaces ge-0/0/1 unit 0 family inet address 172.41.1.2/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.200.1/24
set interfaces ge-0/0/1 unit 0 family mpls filter input mpls-do-packet-mode
set interfaces ge-0/0/2 unit 0 family inet address 12.1.1.1/24
set interfaces ge-0/0/3 unit 0 family inet address 12.2.2.1/24
set interfaces ge-0/0/4 vlan-tagging
set interfaces ge-0/0/4 unit 704 description "CE R2 INT"
set interfaces ge-0/0/4 unit 704 vlan-id 704
set interfaces ge-0/0/4 unit 704 family inet address 34.1.1.1/24
set interfaces lo0 unit 0 family inet address 10.1.1.7/32
set routing-options router-id 10.1.1.7
set routing-options autonomous-system 8500
set protocols mpls expand-loose-hop
set protocols mpls label-switched-path j35-to-j40 to 10.1.1.8
set protocols mpls label-switched-path j35-to-j40 inter-domain
set protocols mpls label-switched-path j35-to-j40 fast-reroute
set protocols mpls label-switched-path j35-to-j40 primary resilient
set protocols mpls path north 172.40.1.1 strict
set protocols mpls path north 10.1.1.3 strict
set protocols mpls path north 10.1.1.2 strict
set protocols mpls path south-backup 172.41.1.1
set protocols mpls path resilient
set protocols mpls interface all
set protocols bgp group int type internal
set protocols bgp group int local-address 10.1.1.7
set protocols bgp group int family inet unicast
set protocols bgp group int family inet-vpn unicast
set protocols bgp group int export bgp-my-nets
set protocols bgp group int neighbor 10.1.1.8
set protocols ospf traffic-engineering
set protocols ospf export my-nets
set protocols ospf reference-bandwidth 10g
set protocols ospf area 0.0.0.1 interface ge-0/0/0.0
set protocols ospf area 0.0.0.1 interface ge-0/0/1.0
set protocols ospf area 0.0.0.1 interface lo0.0
set policy-options policy-statement bgp-my-nets term 10 from protocol direct
set policy-options policy-statement bgp-my-nets term 10 then accept
set policy-options policy-statement my-nets term 10 from protocol direct
set policy-options policy-statement my-nets term 10 then metric 100
set policy-options policy-statement my-nets term 10 then external type 1
set policy-options policy-statement my-nets term 10 then accept
set security policies default-policy permit-all
set security zones security-zone mpls-core host-inbound-traffic system-services ping
set security zones security-zone mpls-core host-inbound-traffic system-services ssh
set security zones security-zone mpls-core host-inbound-traffic protocols ospf
set security zones security-zone mpls-core host-inbound-traffic protocols bgp
set security zones security-zone mpls-core host-inbound-traffic protocols rsvp
set security zones security-zone mpls-core interfaces ge-0/0/0.0
set security zones security-zone mpls-core interfaces ge-0/0/1.0
set security zones security-zone mpls-core interfaces lo0.0
set security zones security-zone R1-zone host-inbound-traffic system-services ping
set security zones security-zone R1-zone interfaces ge-0/0/4.704
set security zones security-zone R1-zone interfaces lt-0/0/0.0
set firewall family inet filter inet-packet-mode term 10 then packet-mode
set firewall family inet filter inet-packet-mode term 10 then accept
set firewall family mpls filter mpls-do-packet-mode term 10 then packet-mode
set firewall family mpls filter mpls-do-packet-mode term 10 then accept
set routing-instances Flow-VR-R1 instance-type virtual-router
set routing-instances Flow-VR-R1 interface lt-0/0/0.0
set routing-instances Flow-VR-R1 interface ge-0/0/4.704
set routing-instances Flow-VR-R1 routing-options static route 0.0.0.0/0 next-hop lt-0/0/0.0
set routing-instances vpn-R1 instance-type vrf
set routing-instances vpn-R1 interface lt-0/0/0.1
set routing-instances vpn-R1 route-distinguisher 10001:100
set routing-instances vpn-R1 vrf-target import target:8602:34
set routing-instances vpn-R1 vrf-target export target:8602:34
set routing-instances vpn-R1 vrf-table-label
set routing-instances vpn-R1 routing-options static route 34.1.1.0/24 next-hop lt-0/0/0.1

About: rtoodtoo

Genco has worked for more than 10 years as a Network/Support Engineer. He is also interested in Python, Linux, Security and SD-WAN, currently lives in the Netherlands and works as a Network Support Engineer at Tesla Inc. // JNCIE-SEC #223 / RHCE / PCNSE
