Example: Inter-VLAN Filter Based Forwarding

SUMMARY This NCE illustrates how to use the Filter-Based Forwarding (FBF) feature to implement advanced security inspection for selected inter-VLAN traffic flows in an EVPN-VXLAN fabric.

Requirements

This EVPN-VXLAN fabric uses the edge-routed bridging (ERB) model. Inter-VLAN routing happens on the leaf devices. This example assumes the ERB fabric is in place so the focus can be placed on using FBF to select flows for security inspection. The detailed configurations at the end of the example show the configuration needed for a working ERB baseline in addition to the FBF needed to inspect specific flows. The example topology is shown below.

For background information and configuration details for an ERB EVPN-VXLAN fabric see EVPN-VXLAN Architecture and Technology.

Figure 1: EVPN-VXLAN FBF Example Topology

Topology

This NCE describes an EVPN-VXLAN fabric that is comprised of four server leaf switches, two underlay spine switches, two service leaf switches, and a firewall.

Spine Nodes

  • QFX5120-32C series switches running Junos version 20.2R2

Server Leaf

  • QFX5120-48Y series switches running Junos version 20.3R1

Service Leaf

  • QFX5120-32C series switches running Junos version 20.2R2

Firewall

  • SRX 4200 Services Gateway running Junos version 20.1R2

Step-by-Step Configurations

In the following configuration, we connect Endpoint 11 to Server Leaf-1. We also create a new routing instance, INSPECT_VRF, and configure it to export and import type-5 routes with Service Leaf-1 and Service Leaf-2. We use filter-based forwarding to redirect traffic from Endpoint 11 to Endpoint 21 into the INSPECT_VRF.

Server Leaf-1

  1. On Server Leaf-1, set up the INSPECT_VRF routing instance:

  2. Add a static route for Endpoint 11 that points to Tenant1_VRF:

  3. The INSPECT_VRF needs to advertise a type-5 static host route for Endpoint 11 so the firewall can receive the traffic. The firewall also needs to advertise a default route for Leaf 1:

  4. Now we need to set up a firewall filter for Leaf-1. The filter matches traffic from Endpoint 11 to Endpoint 21 and redirects these packets to the INSPECT_VRF. All other traffic is routed as usual in the Tenant1_VRF:

  5. On Leaf-1, we need to apply the firewall filter to VLAN 110 traffic as it traverses IRB.110 (this is the interface connected to Endpoint 11):
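The five Server Leaf-1 steps above, gathered into one Junos configuration fragment. This is an added illustration, not the NCE's own configuration: the endpoint and IRB addresses, the route distinguisher, route target and VNI are constructed values, and the type-5 export policy INSPECT_EXPORT is assumed to be defined under policy-options to match protocol static.

```junos
firewall {
    family inet {
        filter SecureTraffic {
            /* Constructed addresses: EP11 = 10.1.110.11, EP21 = 10.1.111.21 */
            term redirect-ep11-to-ep21 {
                from {
                    source-address { 10.1.110.11/32; }
                    destination-address { 10.1.111.21/32; }
                }
                then {
                    /* counter that the Verification section reads back */
                    count ep11-to-ep21-inspected;
                    /* FBF action: forward using the INSPECT_VRF route table */
                    routing-instance INSPECT_VRF;
                }
            }
            /* every other flow stays in Tenant1_VRF */
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    irb {
        unit 110 {
            family inet {
                /* step 5: filter applied to VLAN 110 traffic entering irb.110 */
                filter { input SecureTraffic; }
                address 10.1.110.1/24;
            }
        }
    }
}
routing-instances {
    INSPECT_VRF {
        instance-type vrf;
        route-distinguisher 10.0.0.1:9991;
        vrf-target target:65000:9991;
        routing-options {
            static {
                /* step 2: replies for EP11 are handed back to the tenant VRF */
                route 10.1.110.11/32 next-table Tenant1_VRF.inet.0;
            }
        }
        protocols {
            evpn {
                ip-prefix-routes {
                    advertise direct-nexthop;
                    encapsulation vxlan;
                    vni 9991;
                    /* step 3: advertise the EP11 host route as a type-5 route */
                    export INSPECT_EXPORT;
                }
            }
        }
    }
}
```

The default route that INSPECT_VRF needs is not configured here; it arrives as a type-5 route from the service leaves, which learn it from the firewall over EBGP.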

Server Leaf-2

Next, we need to create the SECURE_VRF routing instance on Server Leaf-2 in order to export and import type-5 routes with both Service Leaf-1 and Service Leaf-2. As before, we use filter-based forwarding to redirect traffic from Endpoint 21 to Endpoint 11, this time into the SECURE_VRF.

  1. On Server Leaf-2, set up the SECURE_VRF routing instance:

  2. Configure a static route for Endpoint 21 that points to Tenant1_VRF:

  3. Inside the SECURE_VRF, we need to advertise a type-5 static host route for Endpoint 21 so the firewall can receive the traffic. The firewall also needs to advertise a default route for Leaf 2:

  4. As before, we now need to set up a firewall filter for Leaf-2. This time, the filter matches traffic from Endpoint 21 to Endpoint 11 and redirects these packets to the SECURE_VRF. All other traffic is routed as usual in the Tenant1_VRF:

  5. Finally, on Leaf-2, we need to apply the firewall filter to VLAN 111 traffic as it traverses IRB.111 (this is the interface connected to Endpoint 21):

Service Leaf-1

Service Leaf-1 includes both the INSPECT_VRF and SECURE_VRF routing instances, and it connects the service leaf and the firewall, as shown in the following figure. Interface IRB.991 is in the INSPECT_VRF and interface IRB.992 is in the SECURE_VRF.

In both routing instances, the service leaf establishes EBGP peering with the firewall, from which it receives a default route. Service Leaf-1 advertises the default routes to the server leafs using type-5, and from them receives specific host routes for Endpoint 11 and Endpoint 21, which it then advertises to the firewall using EBGP.

  1. The connection from the service leaf to the firewall is a trunk port that carries VLAN 991 and VLAN 992, each with an IRB interface, as shown here:

  2. We need to set up the routing instances on Service Leaf-1:

  3. We also need to set up the policy statements on Service Leaf-1:

Service Leaf-2

The configuration on Service Leaf-2 is similar to the Service Leaf-1 configuration.

  1. Here we set up the firewall interconnect on Service Leaf-2:

  2. Here we set up the routing instances on Service Leaf-2:

  3. And lastly, we set up the policy statements on Service Leaf-2:

Firewall

The firewall interfaces are configured as VLAN tagged interfaces. It establishes two EBGP sessions with each service leaf, as shown in Figure 2.

Figure 2: Firewall Configuration

  1. Here, we set up the Firewall-1 service leaf interconnect shown in the image, as well as the BGP peering and route export:

  2. Now we need to set up the zones and policies configuration for Firewall-1. We put traffic traversing logical interface 991 into the INSPECT_Zone, and traffic traversing logical interface 992 into the SECURE_Zone.

  3. To restrict communication from Endpoint 11 to Endpoint 21 to specific protocols only (ping, HTTPS, SSH, and UDP to support traceroute from the servers), we create security policies for traffic between the INSPECT_Zone and SECURE_Zone:

  4. Define a policy that accepts all traffic from the SECURE_Zone to the INSPECT_Zone:
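Steps 2 to 4 for the firewall, as one added SRX configuration fragment that is not taken from the NCE. The interface names xe-0/0/0.991 and xe-0/0/0.992, the endpoint addresses and the TRACEROUTE-UDP application are assumptions; the predefined applications junos-ping, junos-https and junos-ssh exist on the SRX. An explicit deny-and-log policy is added so that flows outside the allowed set are visible in the logs rather than dropped silently.

```junos
applications {
    /* Constructed: UDP destination ports probed by classic traceroute */
    application TRACEROUTE-UDP {
        protocol udp;
        destination-port 33434-33523;
    }
}
security {
    zones {
        security-zone INSPECT_Zone {
            /* constructed address for Endpoint 11 */
            address-book { address EP11 10.1.110.11/32; }
            interfaces {
                xe-0/0/0.991 { host-inbound-traffic { protocols { bgp; } } }
            }
        }
        security-zone SECURE_Zone {
            /* constructed address for Endpoint 21 */
            address-book { address EP21 10.1.111.21/32; }
            interfaces {
                xe-0/0/0.992 { host-inbound-traffic { protocols { bgp; } } }
            }
        }
    }
    policies {
        from-zone INSPECT_Zone to-zone SECURE_Zone {
            /* step 3: only ping, HTTPS, SSH and traceroute UDP from EP11 to EP21 */
            policy EP11-to-EP21-allowed {
                match {
                    source-address EP11;
                    destination-address EP21;
                    application [ junos-ping junos-https junos-ssh TRACEROUTE-UDP ];
                }
                then {
                    permit;
                    log { session-init; session-close; }
                }
            }
            policy deny-and-log {
                match { source-address any; destination-address any; application any; }
                then { deny; log { session-init; } }
            }
        }
        /* step 4: replies and any SECURE-side traffic towards INSPECT are accepted */
        from-zone SECURE_Zone to-zone INSPECT_Zone {
            policy return-traffic {
                match { source-address any; destination-address any; application any; }
                then permit;
            }
        }
    }
}
```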

Verification

The commands and output in this section validate that FBF is working correctly for the traffic between EP11 and EP21.

  1. Generate pings between EP11 and EP21. While the pings are flowing, first clear and then display the firewall counters on Leaf 1 and Leaf 2:

    The output from Leaf 1 confirms that the BMS ping traffic is hitting the SecureTraffic filter and the firewall term that redirects the traffic to the INSPECT_VRF. Similar results are seen at Leaf 2 for the SecureResponseTraffic filter that steers the replies into the SECURE_VRF.

  2. Display security flow information on the SRX device:

    The output confirms that the BMS ping traffic is being inspected by the firewall. This confirms that FBF is directing the traffic sent by EP11 to EP21 from the leaf to the service leaf, and from there to the firewall device.

  3. Trace the path between EP11 and EP21. Expect to see underlay forwarding hops through the firewall device.

    The results are shown in Figure 3.

    Note: The traffic from EP11 is encapsulated into VXLAN and sent from Leaf 1 to the service leaf. The service leaf decapsulates the traffic and routes it as native IP to the firewall device, which allows the underlay hops to be exposed in the traceroute output.

    Figure 3: EP11 to EP21 Traceroute With FBF

    The traceroute output from EP11 (BMS 1) shows the additional fabric forwarding hops used to steer traffic through the firewall. In the output, hops 1 and 6 represent the IRB interfaces in Leaf 1 and Leaf 2, respectively. The 10.81.91.2 hop, in contrast, represents the irb.991 interface, housed in the INSPECT_VRF, on Service Leaf 1. These results further confirm that EP11 to EP21 traffic is correctly directed through the firewall.

  4. Deactivate the firewall filter applied to the IRB interface on both Leaf 1 and Leaf 2. Be sure to commit the changes.

    Repeat the traceroute between EP11 and EP21. The results are shown in Figure 4.

    Figure 4: EP11 to EP21 Traceroute Without FBF

    The traceroute output shows that with the filter deactivated, the EP11 to EP21 traffic flows directly between the IRB interfaces in the leaf devices. With FBF removed, the service leaves and the firewall device are no longer in the forwarding path between these endpoints.

Complete Device Configurations

This section provides the full configurations for all devices used in this example. Site-specific configuration for user login, system services, logging, and the management interface is omitted.

Configuration for Spine-1

Configuration for Spine-2

Configuration for Server Leaf-1

Configuration for Server Leaf-2

Configuration for Service Leaf-1

Configuration for Service Leaf-2

Configuration for Firewall