Data Center Filter-Based Forwarding — Firewall

0:11 hello my name is zach gibbs and i'm a content  developer within education services inside juniper  

0:18 networks and today we will be going through the  data center filter-based forwarding firewall  

0:24 learning bike all right so here is the topology  and in here we have a few different devices we  

0:32 have router l1 router l2 which are normal router  leaves and then service leaf service l1 which is  

0:39 a service leaf and then we have the dc firewall  or dcfw which is our firewall for our data center  

0:47 and with this learning by we're going to be  focusing on the firewall configuration so it's  

0:52 dcfw and keep in mind that i have done other  learning bytes that go over the router l1 and  

0:59 router l2 configuration as well as the service l1  configuration and there will be another learning  

1:04 byte that goes over the verification of this whole  filter-based forwarding in a data center scenario  

1:10 so with that being said let's go ahead and jump  to the cli and get this going all right so here  

1:17 is the firewall device we won't be doing too much  configuration or really any configuration here  

1:21 i've pre-done that configuration because this is a  lot to go through with all this configuration but  

1:27 there is some things we do need to look at and  so with that being said uh let's go ahead and  

1:32 jump back to the topology to have a look and see  where we're at all right so here's the topology  

1:38 we have previously configured router l1 and router  l2 and surface leaf l1 we configured the inspect  

1:44 vrf on both of those or all three of those or i  guess it's both just two and the secure vrfs on  

1:50 the surface leaf l1 and router leaf l2 connected  those together with the correct route targets  

1:55 configure the correct vnis configured the evpn  protocol to export routes as type 5 routes and  

2:02 so the routing is being shared and we'll show  the verification of that later but right now  

2:06 we want to focus on the dc fw which is the  data center firewall and here you can see  

2:12 it connects into service leaf one we have two  different interfaces gigi002.91 and gigi002.992  

2:19 those interfaces connect into uh well the 991  connects into the inspect vrf and the 992 connects  

2:26 into the secure brf on the service leaf and so  we'll look at that configuration and see what's  

2:30 going on and we'll look at the bgp groups the  pairings we configure that with service leaf one  

2:36 so let's go ahead and jump back to the firewall  and so here let's first look at the bgp groups

2:43 and you can see that we do have two groups recall  that 10991 or rather the 10 91 91.2 is the inspect  

2:53 vrf on the service relief and 10.92.92.2 is the  secure vrf on the service leaf so we can look  

3:01 at the routes see what we're receiving and you  can see here we have the host one route the host  

3:08 two route and then the loopback interfaces or  the vrfs those are being sent and that's good  

3:16 that's what we want to do and so with that let's  see what we're sending the service leaf vrfs

3:27 let's see just specify the neighbor and  you can see we're sending them a default  

3:33 route and that's exactly what we want to  do because that'll help attract the traffic  

3:37 in the vrfs towards the  firewall and so we can look at

3:44 what we're sending the secure vrf and again the  default route now that default route is just  

3:51 something that's configured here locally as  a static route with a next top of discard so  

3:57 if there's no specific host route then and  traffic comes in and matches something else  

4:01 it's just going to discard it and that's what  we want to do we only want to be passing around  

4:05 traffic for specific routes and here recall that  if we look at bgp routes we can see here we have  

4:15 routes for host one and host two so we won't  be discarding that traffic if any other traffic  

4:19 shows up here it's going to discard it because  that's what the next hop for the default route is  

4:25 and so okay so what else do we  want to show we want to show  

4:29 security zones there we go the security  zones okay we can see here that gigi  

4:34 uh zero zero two nine nine one is part of the  inspect zone and gigi002.992 is part of the  

4:41 secure zone and for host inbound traffic we're  only permitting bgp traffic and that's because we  

4:46 need to have bgp pairings with the service leaf  from the firewall so that makes perfect sense  

4:52 and then uh what else do we would be good  to show okay so the security policies let's  

4:57 jump in there we're going to need to edit some  of those security policies because we'll see  

5:02 we'll see how they look currently they're  currently set up but they're not set up correctly  

5:05 okay so from zone secure to zone no we don't want  to do that we want to inspect to secure now recall  

5:13 it's going to be coming in the inspect interface  or the inspect zone coming from the inspect brf  

5:19 and then to the secure zone to the secure vrf  on the service lead and so we have some security  

5:25 policy set up but we've set up to permit icmp and  block and log or deny and log ssh and we want to  

5:32 flip that around remember we're not going to allow  icmp but we're going to allow ssh so let's just go  

5:38 ahead and delete those policies and we'll say  paul's edit policy allow ssh source set match  

5:47 source address post one now this it's already  host one is already configured in the address book  

5:53 uh destination address host to application junos  ssh and we're gonna set then permit we're just  

6:02 gonna permit that traffic so that looks good  and we're gonna specify a new policy called uh  

6:09 block icmp we're gonna say match source  address post one destination address hosts  

6:18 post two application i'm going to say junos icmp  all and then we're going to say deny or set then  

6:28 let's say reject log i'm going to say set then  log session to net so the session initialization  

6:37 now one thing to look at with this is this is only  coming from the inspect zone to the secure zone so  

6:42 if host two attempts to initiate traffic to host  one it won't even attempt to set up the session  

6:48 we don't even have it set up to log those  attempts or whatever but at least with this  

6:54 regards we do have it set up to permit the  ssh traffic from host one host two and block  

6:59 icmp traffic and log that now if something  else say it's some sort of mail protocol or ftp  

7:06 or something else comes through it'll just  get silently rejected or discarded because  

7:11 the default policy on an srx is to silently  discard without logging so keep that in mind  

7:18 and so i think we're good there let's go ahead and  commit that and exit to operational mode and then  

7:23 we can verify this and so we have the firewall  configured and so next we'll jump to verification  

7:29 right this brings us to the end of this learning  byte here we demonstrate how to configure the  

7:34 firewall with regards to data center filter  based forwarding so as always thanks for watching  

7:41 visit the juniper education services website to  learn more about courses view our full range of  

7:48 classroom online and e-learning courses learning  paths industry segment and technology specific  

7:56 training paths juniper networks certification  program the ultimate demonstration of your  

8:02 competence and the training community from  forums to social media join the discussion

8:14 you