Configuring Traffic Forwarding on a cSRX Container Firewall Container

You can change the traffic forwarding mode of the cSRX Container Firewall container to suit how the security service is provisioned. For example, if you deploy a cSRX Container Firewall container inline in a protected segment, the cSRX Container Firewall should be transparent so that the virtual network topology does not change. In other deployments, the cSRX Container Firewall container must be able to specify the next-hop address for egress traffic. To cover these variations in cSRX Container Firewall network deployment, you can configure the traffic forwarding mode of the cSRX Container Firewall to operate in routing mode (static routing only) or in secure-wire mode.

Note:

The traffic forwarding mode environment variable of the cSRX Container Firewall defaults to routing.

This section includes the following topics:

  - Configuring Routing Mode
  - Configuring Secure-Wire Mode

Configuring Routing Mode

When the cSRX Container Firewall container runs in routing mode, the cSRX Container Firewall uses static routes to forward traffic that is destined for the ge-0/0/0 and ge-0/0/1 interfaces. You need to create a static route and specify its next-hop address.

When you start the cSRX Container Firewall container in routing mode, specify the number of interfaces to add to the container by setting the CSRX_PORT_NUM environment variable.

For example, to launch a cSRX Container Firewall instance in routing mode with 17 interfaces (each environment variable needs its own -e flag):

root@csrx-ubuntu3:~/csrx# docker run -d --privileged --net=none -e CSRX_PORT_NUM=17 -e CSRX_SIZE=large -e CSRX_HUGEPAGES=no -e CSRX_PACKET_DRIVER=interrupt -e CSRX_FORWARD_MODE=routing --name=<srx-container-name> <csrx-image-name>

Note:

The number of interfaces specified in the CSRX_PORT_NUM environment variable (default value is 3) must be added to a network after the cSRX Container Firewall is instantiated. Until all of the interfaces are attached to bridge or macvlan networks, the PFE is not launched on the cSRX Container Firewall and the ge-x/y/z interfaces remain down.

Include the -e CSRX_FORWARD_MODE=routing environment variable in the docker run command to instruct the cSRX Container Firewall to run in static route forwarding mode.

To configure the cSRX Container Firewall container to run in static routing mode:

  1. Launch the cSRX Container Firewall container in routing forwarding mode:

    root@csrx-ubuntu3:~/csrx# docker run -d --privileged --network=mgt_bridge -e CSRX_FORWARD_MODE="routing" --name=<csrx-container-name> <csrx-image-name>

  2. Log in to the cSRX Container Firewall instance and enter configuration mode.
  3. Configure interfaces.

    Starting from 19.2R1.8, each cSRX Container Firewall can be configured with up to 15 revenue interfaces: eth1, eth2, and so on, up to eth15. The number of interfaces can be predefined when the cSRX Container Firewall boots. Usually, the management IP address of a cSRX Container Firewall is assigned by docker from the network settings given when the cSRX Container Firewall is started (--network=mgt_bridge). If you don't specify this option, docker assigns an IP address from the default docker network bridge.

    The cSRX Container Firewall uses eth0 for out-of-band management, to accept management sessions and traffic, and uses eth1 and eth2 as the two revenue ports that process in-band data traffic (the ge-0/0/0 and ge-0/0/1 interfaces).

    For this example, assume that the docker default or custom management network bridge is 172.31.21.0/24; docker assigns one IP address from this network. If your cSRX Container Firewall is the first container on the system, the cSRX Container Firewall is assigned 172.31.21.2, and the default gateway for the cSRX Container Firewall management plane is 172.31.21.1.

    Table 1: IP Address Assignment for Interfaces

    Interface                                                        IP Address
    ---------------------------------------------------------------  -------------
    Management Interface eth0 (fxp0)                                 172.31.21.1
    Default gateway for the cSRX Container Firewall management plane 172.31.21.2
    Eth1 (ge-0/0/0)                                                  172.19.0.2/24
    Eth2 (ge-0/0/1)                                                  172.20.0.2/24
    External Server                                                  10.10.10.0

    root@csrx# show | display set
    root@csrx# set interfaces ge-0/0/0 unit 0 family inet address 172.19.0.2/24
    root@csrx# set interfaces ge-0/0/1 unit 0 family inet address 172.20.0.2/24

  4. Configure static routes, specifying the next-hop address for each route.

    root@csrx# set routing-options static route 0.0.0.0/0 next-hop 172.19.0.2/24

  5. View the forwarding table to verify the static routes.

    root@csrx> show route forwarding-table

  6. Specify a route for the management interface. Static routes in the Junos configuration cover only traffic destined for interfaces ge-0/0/0 and ge-0/0/1. A route via the management interface (eth0) must be added with the Linux route shell command.

    root@csrx% route add -net 10.10.10.0/24 gw 172.31.21.1

    root@csrx% route -n

  7. If required for your network environment, you can configure an IPv6 static route for the cSRX Container Firewall using the set routing-options rib inet6.0 static route command:

    [edit routing-options]
    root@csrx# set routing-options rib inet6.0 static route 3000::0/64 next-hop 1000::10/128

    [edit interfaces]
    root@csrx# commit

    root@csrx# show routing-options rib inet6.0
    static {
        route 3000::0/64 next-hop 1000::10/128;
    }

  8. In routing mode, control-plane ARP/NDP learning and responses are handled by the Linux kernel through the TAP 0 and TAP 1 interfaces, which srxpfe creates to carry the traffic for eth1 and eth2. You can view ARP entries with the Linux arp shell command.
    Note:

    While there are multiple interfaces created inside the cSRX Container Firewall container, only two interfaces, ge-0/0/0 and ge-0/0/1, are visible in srxpfe.

    root@csrx% arp -a

    The default ARP/NDP entry timeout is 1200 seconds. You can adjust this value by setting the CSRX_ARP_TIMEOUT or CSRX_NDP_TIMEOUT environment variable when launching the cSRX Container Firewall container. For example:

    root@csrx-ubuntu3:~/csrx# docker run -d --privileged --network=mgt_bridge -e CSRX_FORWARD_MODE="routing" -e CSRX_ARP_TIMEOUT=<seconds> -e CSRX_NDP_TIMEOUT=<seconds> --name=<csrx-container-name> <csrx-image-name>

    The maximum number of ARP entries is controlled by the Linux host kernel. If there are a large number of neighbors, you might need to raise the ARP or NDP entry limits on the Linux host with the sysctl command.

    For example, to raise the maximum number of ARP entries to 4096:

    # sysctl -w net.ipv4.neigh.default.gc_thresh1=1024
    # sysctl -w net.ipv4.neigh.default.gc_thresh2=2048
    # sysctl -w net.ipv4.neigh.default.gc_thresh3=4096

    For example, to raise the maximum number of NDP entries to 4096 (the IPv6 table has the same three thresholds as the IPv4 one):

    # sysctl -w net.ipv6.neigh.default.gc_thresh1=1024
    # sysctl -w net.ipv6.neigh.default.gc_thresh2=2048
    # sysctl -w net.ipv6.neigh.default.gc_thresh3=4096

Configuring Secure-Wire Mode

When operating in secure-wire mode, all traffic that arrives on one interface of the pair, ge-0/0/0 or ge-0/0/1, is forwarded unchanged out of the other interface. This mapping of interfaces, called a secure wire, allows the cSRX Container Firewall to be deployed in the path of network traffic without requiring a change to routing tables or a reconfiguration of neighboring devices. A cross-connection is set up between the interface pair ge-0/0/0 and ge-0/0/1 to steer traffic from one port to the other, using the Interworking and Interoperability Function (IIF) as the input key.

Include the -e CSRX_FORWARD_MODE=wire environment variable in the docker run command to instruct the cSRX Container Firewall to run in secure-wire forwarding mode.

Note:

When you launch the cSRX Container Firewall container in secure-wire mode, the cSRX Container Firewall instance automatically creates a default secure wire named csrx_sw in the srxpfe process, and the ge-0/0/0 and ge-0/0/1 interface pair is added to that secure wire.

Launch the cSRX Container Firewall instance in secure-wire mode using the following command:

root@csrx-ubuntu3:~/csrx# docker run -d --privileged --network=mgt_bridge -e CSRX_FORWARD_MODE="wire" --name=<csrx-container-name> <csrx-image-name>
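The routing-mode launch and host neighbor-table tuning from step 8 of the routing procedure, and the secure-wire launch just above, as an added shell example that is not part of the Juniper documentation or of the cSRX product itself: it assembles the docker run line for either CSRX_FORWARD_MODE value, rejects an invalid mode or CSRX_PORT_NUM before anything is launched, and derives the gc_thresh sysctl commands for a given neighbor count using the 1:2:4 ratio the text uses (1024/2048/4096). The container name, image name and the sysctl sample are constructed placeholders; CSRX_NETWORK, csrx_run_cmd, neigh_thresholds and neigh_capacity_ok are names introduced here, not product variables or commands.

```shell
#!/bin/sh
# Added example, not part of the Juniper documentation: build and sanity-check
# the cSRX "docker run" line for routing or secure-wire mode, and derive the
# Linux neighbor-table sysctl settings described for routing mode.
# Nothing is executed against docker or sysctl; the functions only emit the
# command lines so an operator can review them before running them on a host.
# Container and image names below are placeholders, not real artifacts.

# csrx_run_cmd MODE NAME IMAGE [PORT_NUM] [ARP_TIMEOUT] [NDP_TIMEOUT]
# Prints the docker run command, or prints an error to stderr and returns 1.
# The network comes from $CSRX_NETWORK (a name chosen here; default "none",
# as in the documentation's CSRX_PORT_NUM example, so data networks are
# attached afterwards with "docker network connect").
csrx_run_cmd() {
    mode=$1; name=$2; image=$3; ports=$4; arp_to=$5; ndp_to=$6
    net=${CSRX_NETWORK:-none}

    case "$mode" in
        routing|wire) ;;
        *) echo "CSRX_FORWARD_MODE must be routing or wire, got '$mode'" >&2; return 1 ;;
    esac
    if [ -z "$name" ] || [ -z "$image" ]; then
        echo "container name and image are required" >&2; return 1
    fi

    cmd="docker run -d --privileged --network=$net -e CSRX_FORWARD_MODE=$mode"

    # CSRX_PORT_NUM and the ARP/NDP timeouts are only documented for routing
    # mode, where the Linux kernel owns neighbor learning; skip them for wire.
    if [ "$mode" = routing ]; then
        if [ -n "$ports" ]; then
            case "$ports" in
                *[!0-9]*|0*) echo "CSRX_PORT_NUM must be a positive integer" >&2; return 1 ;;
            esac
            cmd="$cmd -e CSRX_PORT_NUM=$ports"
        fi
        if [ -n "$arp_to" ]; then cmd="$cmd -e CSRX_ARP_TIMEOUT=$arp_to"; fi
        if [ -n "$ndp_to" ]; then cmd="$cmd -e CSRX_NDP_TIMEOUT=$ndp_to"; fi
    fi
    printf '%s --name=%s %s\n' "$cmd" "$name" "$image"
}

# neigh_thresholds FAMILY MAX_ENTRIES
# Prints the three sysctl commands for the ipv4 or ipv6 neighbor table,
# keeping the documentation's ratio: gc_thresh3 = MAX, gc_thresh2 = MAX/2,
# gc_thresh1 = MAX/4 (4096/2048/1024 in the text).
neigh_thresholds() {
    family=$1; max=$2
    case "$family" in
        ipv4|ipv6) ;;
        *) echo "family must be ipv4 or ipv6" >&2; return 1 ;;
    esac
    case "$max" in
        ''|*[!0-9]*) echo "max entries must be a positive integer" >&2; return 1 ;;
    esac
    if [ "$max" -lt 4 ]; then echo "max entries must be at least 4" >&2; return 1; fi
    printf 'sysctl -w net.%s.neigh.default.gc_thresh1=%s\n' "$family" "$((max / 4))"
    printf 'sysctl -w net.%s.neigh.default.gc_thresh2=%s\n' "$family" "$((max / 2))"
    printf 'sysctl -w net.%s.neigh.default.gc_thresh3=%s\n' "$family" "$max"
}

# neigh_capacity_ok FAMILY NEEDED SYSCTL_TEXT
# SYSCTL_TEXT is "key = value" lines as printed by "sysctl -a". Returns 0 when
# gc_thresh3 for FAMILY covers NEEDED neighbors, 1 when it does not, and 2
# when the key is absent from the text.
neigh_capacity_ok() {
    family=$1; needed=$2
    current=$(printf '%s\n' "$3" | sed -n "s/^net\.$family\.neigh\.default\.gc_thresh3 = //p" | head -n 1)
    if [ -z "$current" ]; then return 2; fi
    [ "$current" -ge "$needed" ]
}

# Constructed sample of "sysctl -a" output using the kernel's usual defaults;
# not captured from a real host.
SAMPLE_SYSCTL='net.ipv4.neigh.default.gc_thresh1 = 128
net.ipv4.neigh.default.gc_thresh2 = 512
net.ipv4.neigh.default.gc_thresh3 = 1024
net.ipv6.neigh.default.gc_thresh3 = 1024'

# Demo: print both launch lines and, if the sample host cannot hold 4096 IPv4
# neighbors, the sysctl commands that would raise the limit.
csrx_run_cmd routing csrx-rt csrx-image-placeholder 17 600 600
csrx_run_cmd wire csrx-sw csrx-image-placeholder
if ! neigh_capacity_ok ipv4 4096 "$SAMPLE_SYSCTL"; then
    echo "# host ARP table too small for 4096 neighbors; apply on the host:"
    neigh_thresholds ipv4 4096
fi
```

Feed neigh_capacity_ok the real output of sysctl -a from the docker host to decide whether the thresholds need raising before the container is started; the check reads only gc_thresh3 because that is the hard ceiling, while gc_thresh1 and gc_thresh2 only control garbage collection pressure.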