    Traffic Forwarding for a cSRX Container

    You can change the traffic forwarding mode of the cSRX container as a means to facilitate security service provisioning when running the cSRX. For example, if you deploy a cSRX container inline of protected segments, the cSRX should be transparent to avoid changing the virtual network topology. In other deployments, the cSRX container should be able to specify the next-hop address of egress traffic. To address variations in cSRX network deployment, you can configure the traffic forwarding mode of the cSRX to operate in routing mode (static routing only) or secure-wire mode.

    Note: If the CSRX_FORWARD_MODE environment variable is not set, the cSRX defaults to routing mode.

    This section includes the following topics:

    Configuring Routing Mode

    When running the cSRX container in routing mode, the cSRX forwards traffic between ge-0/0/0 and ge-0/0/1 using static routes only; no dynamic routing protocol is available. You must create a static route and specify its next-hop address.

    Include the -e CSRX_FORWARD_MODE=routing environment variable in the docker run command to instruct the cSRX to run in static route forwarding mode. The container also runs with --privileged, which gives it full access to host devices and capabilities, so treat the Docker host as part of the firewall's trust boundary.

    To configure the cSRX container to run in static routing mode:

    1. Launch the cSRX container in routing forwarding mode:

      root@csrx-ubuntu3:~/csrx# docker run -d --privileged --network=mgt_bridge -e CSRX_FORWARD_MODE="routing" --name=<csrx-container-name> <csrx-image-name>

    2. After you start the cSRX container, log in to it, enter the CLI, and configure the interface addresses and a static route. The configuration takes effect only after you commit it.

      root@csrx% cli

      root@csrx> configure

      root@csrx# show | display set

      root@csrx# set interfaces ge-0/0/0 unit 0 family inet address

      root@csrx# set interfaces ge-0/0/1 unit 0 family inet address

      root@csrx# set routing-options static route next-hop

      root@csrx# commit

    3. View the forwarding table to verify the static routes.

      root@csrx> show route forwarding-table

      Routing table: default.inet
      Destination        Type RtRef Next hop           Type Index    NhRef Netif
                         perm     0                    dscd      517     1
                         perm     0                    locl     2006     1
                         perm     0                    ucast    5501     1
                         perm     0                    bcst     2007     1
      1/8                perm     0                    rslv     2009     1
                         perm     0                    locl     2001     1
                         perm     0                    ucast    5500     1
                         perm     0                    bcst     2002     1
      2/8                perm     0                    rslv     2004     1
                         perm     0                    mcst      515     1
      224/4              perm     0                    mdsc      516     1
                         perm     0                    ucast    5501     1
      Routing table: default.inet6
      Destination        Type RtRef Next hop           Type Index    NhRef Netif
      ::                 perm     0                    dscd      527     1
      ff00::/8           perm     0                    mdsc      526     1
      ff02::1            perm     0                    mcst      525     1
    4. Specify a route for the management interface. Static routes configured in the Junos CLI apply only to ge-0/0/0 and ge-0/0/1. A route for the management interface (eth0) must be added from the Linux shell with the route command (or its modern equivalent, ip route).

      root@csrx% route add -net gw

      root@csrx% route -n

      Kernel IP routing table
      Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                      U     0      0        0 pfe_tun
                                                      U     0      0        0 tap1
                                                      U     0      0        0 tap0
                                                      UG    0      0        0 tap1
                                                      UG    0      0        0 eth0
                                                      U     0      0        0 eth0
    5. If required for your network environment, you can configure an IPv6 static route for the cSRX using the set routing-options rib inet6.0 static route command.

      root@csrx# set routing-options rib inet6.0 static route 3000::0/64 next-hop 1000::10/128

      root@csrx# commit

      root@csrx# show routing-options rib inet6.0

      static {
          route 3000::0/64 next-hop 1000::10/128;
      }

    6. In routing mode, control-plane ARP and NDP learning and responses are handled by the Linux kernel through the tap0 and tap1 interfaces, which carry the eth1 and eth2 traffic to and from srxpfe. You can view the neighbor entries with the Linux arp shell command.

      Note: While there are multiple interfaces created inside the cSRX container, only two interfaces, ge-0/0/0 and ge-0/0/1, are visible in srxpfe and added to security zones by default.

      root@csrx% arp -a

      ? ( at 6e:81:38:41:5e:0e [ether] on tap0
      ? ( at 96:33:66:a1:e5:03 [ether] on tap1
      ? ( at 02:c4:39:fa:0a:0d [ether] on eth0

      The default ARP/NDP entry timeout is 1200 seconds. You can change it by setting the CSRX_ARP_TIMEOUT or CSRX_NDP_TIMEOUT environment variable (in seconds) when launching the cSRX container. For example:

      root@csrx-ubuntu3:~/csrx# docker run -d --privileged --network=mgt_bridge -e CSRX_FORWARD_MODE="routing" -e CSRX_ARP_TIMEOUT=<seconds> -e CSRX_NDP_TIMEOUT=<seconds> --name=<csrx-container-name> <csrx-image-name>

      The maximum number of ARP and NDP entries is controlled by the Linux host kernel, not by the container. If the cSRX has a large number of neighbors, raise the neighbor table thresholds on the Linux host with sysctl. The three values must be ascending: gc_thresh1 is the number of entries kept without garbage collection, gc_thresh2 is the soft limit above which the kernel purges entries aggressively, and gc_thresh3 is the hard maximum beyond which new entries are refused. Values set with sysctl -w do not survive a reboot; persist them in a file under /etc/sysctl.d/.

      For example, to adjust the maximum ARP entries to 4096:

      # sysctl -w net.ipv4.neigh.default.gc_thresh1=1024

      # sysctl -w net.ipv4.neigh.default.gc_thresh2=2048

      # sysctl -w net.ipv4.neigh.default.gc_thresh3=4096

      For example, to adjust the maximum NDP entries to 4096 (note that the three keys are gc_thresh1, gc_thresh2 and gc_thresh3, as for IPv4):

      # sysctl -w net.ipv6.neigh.default.gc_thresh1=1024

      # sysctl -w net.ipv6.neigh.default.gc_thresh2=2048

      # sysctl -w net.ipv6.neigh.default.gc_thresh3=4096
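      The following shell helper is an added example; it is not part of Juniper's documentation or of the cSRX image. It derives the three neighbor table thresholds from a target maximum using the same 1/4, 1/2, 1/1 ratio as the 1024/2048/4096 values above, emits the matching sysctl keys for either address family, and checks that a set of thresholds is ascending and large enough for an expected neighbor count. The function names and the ratio are assumptions of this example; the sysctl keys are the ones used on this page.

```shell
#!/bin/sh
# Added example, not Juniper's code: size and check the Linux neighbour
# table (ARP/NDP) thresholds on a host running cSRX in routing mode.
# Assumption: thresholds are derived as max/4, max/2, max, matching the
# 1024/2048/4096 values used in the text.

# is_uint VALUE -> succeeds if VALUE is a non-empty string of digits
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# neigh_thresholds MAX -> prints "gc_thresh1 gc_thresh2 gc_thresh3"
neigh_thresholds() {
    max=$1
    is_uint "$max" && [ "$max" -ge 4 ] || {
        echo "neigh_thresholds: MAX must be an integer >= 4" >&2; return 1; }
    printf '%s %s %s\n' $((max / 4)) $((max / 2)) "$max"
}

# neigh_sysctl_lines FAMILY MAX -> prints key=value lines for sysctl;
# FAMILY is ipv4 (ARP table) or ipv6 (NDP table)
neigh_sysctl_lines() {
    family=$1; max=$2
    case "$family" in
        ipv4|ipv6) ;;
        *) echo "neigh_sysctl_lines: FAMILY must be ipv4 or ipv6" >&2; return 1 ;;
    esac
    t=$(neigh_thresholds "$max") || return 1
    i=1
    for v in $t; do
        printf 'net.%s.neigh.default.gc_thresh%d=%s\n' "$family" "$i" "$v"
        i=$((i + 1))
    done
}

# check_thresholds T1 T2 T3 NEIGHBOURS -> succeeds if the thresholds are
# ascending and gc_thresh3 (the hard maximum) leaves room for NEIGHBOURS.
# A count above gc_thresh2 is accepted but reported, because the kernel
# purges entries aggressively above that soft limit.
check_thresholds() {
    t1=$1; t2=$2; t3=$3; need=$4
    for v in "$t1" "$t2" "$t3" "$need"; do
        is_uint "$v" || { echo "check_thresholds: non-integer argument '$v'" >&2; return 1; }
    done
    if [ "$t1" -gt "$t2" ] || [ "$t2" -gt "$t3" ]; then
        echo "check_thresholds: thresholds not ascending: $t1 $t2 $t3" >&2
        return 1
    fi
    if [ "$need" -ge "$t3" ]; then
        echo "check_thresholds: gc_thresh3=$t3 cannot hold $need neighbours" >&2
        return 1
    fi
    [ "$need" -le "$t2" ] || echo "check_thresholds: $need neighbours exceed gc_thresh2=$t2; expect aggressive garbage collection" >&2
    return 0
}

# apply_neigh_sysctl FAMILY MAX -> applies the values with sysctl -w (needs root).
# sysctl -w is not persistent; write the same lines to a file under
# /etc/sysctl.d/ to keep them across reboots.
apply_neigh_sysctl() {
    neigh_sysctl_lines "$1" "$2" | while IFS= read -r line; do
        sysctl -w "$line" || exit 1
    done
}

# Demonstration: print what would be applied for 4096 ARP and 4096 NDP entries.
neigh_sysctl_lines ipv4 4096
neigh_sysctl_lines ipv6 4096
```

      Run apply_neigh_sysctl ipv4 4096 and apply_neigh_sysctl ipv6 4096 as root on the Docker host to apply the values; run check_thresholds against the output of sysctl -n for the three keys to confirm an existing host can hold the neighbor count you expect.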

    Configuring Secure-Wire Mode

    When operating in secure-wire mode, all traffic that arrives on one interface of the pair, ge-0/0/0 or ge-0/0/1, is forwarded unchanged out of the other interface. This fixed mapping of interfaces, called a secure wire, allows the cSRX to be deployed in the path of network traffic without requiring a change to routing tables or a reconfiguration of neighboring devices, while security policy is still enforced on the traffic that crosses it. A cross-connection between ge-0/0/0 and ge-0/0/1 steers traffic from one port to the other, keyed on the incoming interface (IIF).

    Include the -e CSRX_FORWARD_MODE=wire environment variable in the docker run command to instruct the cSRX to run in secure-wire forwarding mode.

    Note: When you launch the cSRX container in secure-wire mode, the cSRX instance automatically creates a default secure wire named csrx_sw in the srxpfe process and adds the ge-0/0/0 and ge-0/0/1 interface pair to it. Because the zones are also configured by default, no interface-level or zone-level configuration is required; you only define the security policies that are enforced between the trust and untrust zones.

    Launch the cSRX instance in secure-wire mode using the following command:

    root@csrx-ubuntu3:~/csrx# docker run -d --privileged --network=mgt_bridge -e CSRX_FORWARD_MODE="wire" --name=<csrx-container-name> <csrx-image-name>
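    As an added example (not Juniper's code), the following shell helper assembles the docker run line for either forwarding mode, so that the routing-mode launch in step 1 of the previous section and the secure-wire launch above come from one validated template. It accepts only the two CSRX_FORWARD_MODE values this page documents, requires the timeout overrides to be whole seconds, refuses them in wire mode since the page describes them only for routing mode, and prints the command rather than executing it so a privileged container can be reviewed before it is started. The network name mgt_bridge and the environment variable names come from the page's commands; the function names and the csrx-image placeholder are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Juniper's code: build the docker run command line for a
# cSRX container in routing or secure-wire mode. Prints the command instead of
# running it, so the result can be reviewed before a privileged container is
# started. The network name mgt_bridge and the variables CSRX_FORWARD_MODE,
# CSRX_ARP_TIMEOUT and CSRX_NDP_TIMEOUT are those used on the page; the
# function names and placeholder image/container names are assumptions.

# is_uint VALUE -> succeeds if VALUE is a non-empty string of digits
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# csrx_run_cmd MODE NAME IMAGE [ARP_TIMEOUT] [NDP_TIMEOUT]
#   MODE is routing (static routes) or wire (secure wire).
#   The optional timeouts are in seconds. This helper allows them only in
#   routing mode, where the Linux kernel inside the container owns ARP/NDP;
#   that restriction is a choice of this example.
# Prints the docker run command on stdout; fails on invalid input.
csrx_run_cmd() {
    mode=$1; name=$2; image=$3; arp=$4; ndp=$5
    case "$mode" in
        routing|wire) ;;
        *) echo "csrx_run_cmd: CSRX_FORWARD_MODE must be routing or wire, got '$mode'" >&2
           return 1 ;;
    esac
    if [ -z "$name" ] || [ -z "$image" ]; then
        echo "csrx_run_cmd: container name and image are required" >&2
        return 1
    fi
    if [ "$mode" = wire ] && { [ -n "$arp" ] || [ -n "$ndp" ]; }; then
        echo "csrx_run_cmd: ARP/NDP timeouts apply to routing mode only" >&2
        return 1
    fi
    cmd="docker run -d --privileged --network=mgt_bridge -e CSRX_FORWARD_MODE=$mode"
    if [ -n "$arp" ]; then
        is_uint "$arp" || { echo "csrx_run_cmd: CSRX_ARP_TIMEOUT must be whole seconds" >&2; return 1; }
        cmd="$cmd -e CSRX_ARP_TIMEOUT=$arp"
    fi
    if [ -n "$ndp" ]; then
        is_uint "$ndp" || { echo "csrx_run_cmd: CSRX_NDP_TIMEOUT must be whole seconds" >&2; return 1; }
        cmd="$cmd -e CSRX_NDP_TIMEOUT=$ndp"
    fi
    printf '%s\n' "$cmd --name=$name $image"
}

# Demonstration with placeholder names; pipe the output into sh to launch.
csrx_run_cmd wire csrx-wire csrx-image
csrx_run_cmd routing csrx-routing csrx-image 600 600
```

    Passing an empty string for ARP_TIMEOUT lets you set only the NDP timeout; any value that is not a whole number of seconds, and any mode other than routing or wire, is rejected before a command line is produced.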

    Figure 1 illustrates the cSRX operating in secure-wire mode.

    Figure 1: cSRX in Secure-Wire Mode


    Modified: 2018-01-23