Zach Gibbs, Content Developer, Education Services, Juniper Networks

Data Center Filter-Based Forwarding Router Leaf

Learning Bytes Data Center
Zach Gibbs Headshot
Screenshot showing lines of code.

Juniper Learning Byte: Configuring router leafs with tech educator Zach Gibbs.

Start here to learn how to configure router leafs with filter-based forwarding on data center devices. In part one of this Learning Byte Series, Juniper’s Zach Gibbs will walk you step by step through the process. Note that this video is most appropriate for users with a high degree of knowledge and skill with data center technologies.

Show more

You’ll learn

  • How to inspect the traffic between two hosts in a data center that need to communicate 

  • How to redirect the traffic to the data center firewall and configure the router and service leaf

  • How to verify the firewall is configured properly 

Who is this for?

Network Professionals Security Professionals


Zach Gibbs Headshot
Zach Gibbs
Content Developer, Education Services, Juniper Networks 


0:00 [Music]

0:12 hello my name is zach gibbs and i'm a

0:14 content developer within education

0:17 services inside juniper networks and

0:19 today we will be going through the data

0:21 center filter-based forwarding router

0:23 leaf part one learning byte

0:27 all right so what do we want to do here

0:28 well host one and host two are two hosts

0:30 in a data center and they need to

0:32 communicate and we want to inspect that

0:34 traffic and we're going to send that

0:36 traffic instead of directly going from

0:38 host one to host two we want to redirect

0:41 or filter base for that traffic to the

0:43 data center firewall which in our case

0:45 is the dc-fw

0:48 all right so let's have a look at the

0:50 topology here this is a lot to digest so

0:52 i'll try to make it as simple as

0:53 possible

0:54 here in the topology we have two spines

0:56 s1 and s2

0:58 and then we have

1:00 two router leafs that's router l1 and

1:02 router l2 and then one server sleeve in

1:05 the middle and these devices are using

1:07 edge routed bridging and so the underlay

1:10 and the overlay functionality is already

1:12 there and so we're set there we're not

1:13 going to worry about configuring the erb

1:15 part of things and so

1:17 with that

1:18 we want to as i talked about earlier

1:21 want to send traffic from host 1 to host

1:23 2 but redirect it filter-based forward

1:26 it through the firewall which is dcfw

1:28 you can see that dcfw is connected to

1:30 service leaf one and on this topology

1:33 you can see that there's a few different

1:35 vrf's you have vrf1 which host one and

1:37 host two are a part of and notice how

1:39 host 1 and host 2 are in different

1:41 subnets they can be part of the same vrf

1:43 and be in different subnets that works

1:45 fine so they're different vlan since

1:47 they're different subnets

1:48 which means different broadcast domains

1:50 and then we have vrf1 which they connect

1:53 into and which is on the router leafs

1:56 router l1 and router l2 then we have the

1:59 inspect vrfs

2:01 now the inspect vrfs are for the traffic

2:03 that needs to be inspected

2:05 and then we have the secure vrs and

2:07 that's the traffic that's already been

2:09 inspected and there on the firewall

2:11 you'll see the inspect zone and secure

2:13 zone so as traffic comes into the

2:15 firewall we'll be coming into the

2:17 inspect zone when it leaves the firewall

2:19 it'll leave on the secure zone and so

2:21 okay so with that let's just do a quick

2:22 walkthrough of how this communication is

2:24 supposed to happen we have host one that

2:27 initiates traffic to host two

2:29 and so host one sends the traffic to

2:33 router l1 at the vrf1 in router l1 and

2:36 we have erb setup so that means there's

2:39 a layer 3 gateway there that is sending

2:41 the traffic to because it's traffic

2:42 outside of its local subnet right

2:45 and so what happens there is

2:48 it gets sent to vrf1 there's a firewall

2:50 filter on the irb interface that's

2:52 acting as the layer 3 interface with

2:54 vrf1 and then that firewall filter

2:56 filter base forwards that traffic to the

2:58 inspect vrf

2:59 and now the inspect vrf is configured

3:02 with a vni and a route target that

3:05 connects it with the inspect brf on the

3:07 service leaf

3:08 so it goes into that inspect vrf and

3:12 then gets forwarded to the service leaf

3:14 inspect vrf and then from there the

3:16 inspect vrf with service leaf l1

3:19 forwards the traffic to the firewall and

3:20 then it lands on the inspect zone the

3:22 firewall does its inspections it's

3:24 analyzing whatever it's doing with the

3:26 traffic blocking accepting permitting

3:28 logging

3:29 and then once it's done doing that if

3:30 the traffic is permitted then it sends

3:32 it out the secure

3:34 zone and the interface that's in the

3:35 secure zone back towards service leaf

3:38 one and into the secure vrf which then

3:40 has a route target vni and things like

3:43 that matches up with the secure vrf on

3:46 router l2 you can see that the vni is

3:48 5992 here

3:50 on service leaf l1 with the secure vrf

3:53 secure vrf on router l2 that's the

3:56 router leaf l2 also has the same dni and

3:59 they have matching route targets not

4:01 shown on the slide but there has to be

4:03 matching route targets there so that

4:04 gets forwarded to there

4:06 and then from there there's a route

4:08 inside that secure vrf and i'll show

4:10 this stuff as we go through the learning

4:12 byte as well so don't think that there's

4:13 just way too much to figure out here

4:15 just right here you know you don't have

4:16 to learn it all right here we'll go

4:18 through it all and then in vrf1 it gets

4:21 forwarded to vr4 on that traffic and

4:23 then reaches host 2. and then the return

4:25 traffic is basically going to follow the

4:27 reverse path there so that's how that

4:29 works okay so what do we want to do we

4:32 want to permit ssh traffic

4:34 going from host one host two and then we

4:36 want to block and log any icmp traffic

4:38 that's going from host one to host2 so

4:40 we'll have to set that up in the

4:41 firewall

4:42 and uh yeah we talked about erb being in

4:44 use we need to configure filter-based

4:46 forwarding on the router leafs the

4:48 service leaf and we'll have to do some

4:50 configuration on the firewall mainly the

4:52 security policies i'm not going to

4:54 go through the firewall configuration as

4:56 far as the zones and whatnot because

4:58 that's not really specific to

5:00 filter-based forwarding but we'll still

5:01 take a look at things there all right so

5:03 with that let's go ahead and configure

5:05 the router leaf now this learning byte

5:06 will have a few major sections we'll

5:08 configure the router leafs and then the

5:10 service leaf and then we'll look at the

5:11 firewall and then we'll do some

5:12 verification so

5:14 we'll see that as we go so with that

5:16 let's go ahead and jump to leaf router

5:18 l1 and get this going

5:20 all right so here is the cli of leaf

5:23 router l1 and one thing i want to point

5:26 out is that we will be jumping back to

5:28 the topology because this is a lot to

5:30 try to do

5:31 and try to explain without jumping back

5:34 to the topology and so keep that in mind

5:36 as we're doing this i'm just going to

5:37 jump back and forth as we go so with

5:39 that

5:40 let's go ahead and jump back to the

5:41 topology

5:43 and here is our topology so we are

5:45 configuring router l1 and that means

5:48 we'll need to configure inspect vrf and

5:50 we won't be configuring vrf1 that's

5:52 already configured because that's part

5:54 of the erb architecture so let's go

5:56 ahead and jump back to

5:58 router l1

6:00 and remember this is a router leaf hence

6:02 why it's called router l1 and we want to

6:04 jump to the inspect vrf that's going to

6:06 be a routing instance

6:10 this has not been configured yet and

6:12 before i show that let's look at the

6:14 current vrf1 you can see that's already

6:16 configured notice how the route target

6:18 is

6:19 target colon one two three coin one that

6:21 matches on router l2 that leaf on the

6:24 other side that host two connects to

6:26 that matches there that's very important

6:28 that that matches and that's just basic

6:30 erb so keep that in mind that's not

6:31 really part of filter-based forwarding

6:33 however it is part of erb okay so with

6:36 that let's go ahead and configure the

6:38 instance type we need to set that to

6:40 vrf

6:42 and then we

6:44 don't necessarily need to but it's good

6:46 practice to put a loopback interface in

6:48 here and this loopback interface isn't

6:50 configured yet so we'll need to

6:52 configure that later

6:53 and then we set the route distinguisher

6:56 and let's go ahead and set that to

6:58 this ip well

7:01 it's going to be based off of the ip

7:03 address the loopback address

7:05 but we do need to make it unique

7:08 and we're just naming this what you see

7:10 here with the colon 5991

7:13 and so just

7:15 with the with the other device or with

7:17 the service leaf that is a part of the

7:19 inspector vrf we won't

7:22 you know it'll be unique on that side

7:24 with the route distinguisher itself all

7:25 right so

7:27 with that we need to set the uh the

7:28 route target so we'll use vrf target

7:31 and we'll say

7:33 target

7:35 65601 0 0 1 991

7:39 and this is going to need to match with

7:42 the service leaf

7:43 because these two routing instances

7:45 these two vrs will need to connect

7:47 together all right then we need to

7:49 create a static route

7:53 that points towards host one

7:58 and we need to say next table we need to

8:00 specify

8:02 vrf-1.inet.0 and what this does there's

8:04 really two parts of it what it does it

8:06 allows the return traffic coming back

8:08 that is for host one so the return

8:10 traffic is gonna be from host two to

8:11 host one uh when host one initiates from

8:14 host one to host two and so the return

8:16 traffic when it hits this vrf it'll know

8:18 how to get back to the vr1 vrf

8:22 and then the other part of it is we're

8:23 going to use an export policy to export

8:26 this into the evpn as a type 5 route

8:28 and so then host 2 knows how to get back

8:31 to it as well and also the firewall and

8:33 whatnot so this is very very important

8:35 all right and so with that let's uh set

8:37 up the

8:38 uh set up the the leaf here to advertise

8:41 the ip routes into the uh evpm so we

8:44 need to say protocols set protocols evpn

8:48 iprefix routes

8:50 advertise direct next top we want to

8:53 specify direct next stop we can we don't

8:55 have to do that but we have to do some

8:56 other things this is a nice quick easy

8:57 way to do it so it uses the direct next

9:00 hop

9:01 and then we have the encapsulation vxlan

9:05 now we need to set the vni this is

9:08 important it's gonna be five

9:10 nine nine one

9:11 and you might realize this kind of

9:13 matches the uh the route distinguisher

9:16 that we set up that's not absolutely

9:18 necessary but

9:19 it kind of makes it nice to track things

9:20 down that way so i like to do that

9:23 and then we need to set an export policy

9:25 what are we going to export into the

9:27 evpn as type fibre routes so set

9:31 uh export

9:33 and we need to specify a policy now this

9:34 policy has not been created yet

9:38 so we'll need to create this policy as

9:39 well

9:44 and so we need to configure the

9:46 interface the the loopback interface as

9:48 well as that policy

9:50 and so let's go ahead and create that

9:52 loopback interface right now

10:00 and again this isn't strictly necessary

10:02 it just kind of makes it nice so you can

10:04 see where the routes are coming from and

10:05 make sure stuff is getting passed

10:06 correctly

10:08 and then after that we need to configure

10:10 the

10:11 the export policy that we just created

10:13 there or applied there rather we need to

10:16 create it so let's go to policy options

10:18 policy statement t5 underscore inspect

10:23 underscore export so this is the export

10:25 policy for that inspect brf that's where

10:27 that's coming from

10:29 and then we need to

10:31 need to set one term

10:33 from protocol

10:35 direct we want to accept that

10:40 and set a second term

10:41 that is from

10:43 protocol

10:44 static and accept that and so that's

10:47 going to

10:48 that's going to grab that

10:51 loopback interface or the address

10:53 associated with the loopback interface

10:54 and also that static route and we're

10:56 going to advertise that towards the

10:58 service leaf

11:00 and recall we haven't configured the

11:02 service leaf yet so we'll still need to

11:04 do that okay so now that we've done that

11:07 here we can look at the routing instance

11:08 again

11:10 we can see that okay we don't have any

11:12 warnings this time like what we had

11:13 before we have everything configured

11:16 and now we need to configure the

11:18 firewall filter so let's go ahead and

11:21 jump because this is going to be what we

11:22 use to send the traffic into the filter

11:25 base for the traffic towards

11:27 the inspect vrf

11:30 so let's go ahead and

11:33 create a filter we'll just call this

11:35 inspect

11:37 traffic

11:39 and we need to set some terms here term

11:41 one

11:42 uh actually let's call this host

11:44 one

11:46 two host two

11:48 and we're gonna say from source address

11:50 and this is gonna be host one source

11:51 address

11:53 and then destination address and host

11:56 two's destination address

11:59 and then we need to say then

12:01 we're gonna specify the routing instance

12:03 and it's gonna be our inspect vrf

12:04 routing instance and then

12:06 i like to count the traffic here it's

12:08 not necessary but it is nice to set up a

12:10 counter so you know if it's actually

12:12 hitting that firewall filter term and

12:14 being sent towards the routing instance

12:16 very helpful for verification

12:18 troubleshooting and then if we look at

12:19 this we need to add a second term if we

12:21 don't then all the all other traffic

12:23 will get blocked because firewalls have

12:25 an implicit deny so let's go ahead and

12:27 say set term

12:28 i'll say rest

12:31 traffic

12:32 then accept so we want to accept all

12:34 other traffic

12:35 and so things look good there and so

12:37 what we need to do next is we need to

12:40 jump to the layer 3 interface now if we

12:43 go to the routing instance brf1 you can

12:46 see in here that we have two irb

12:49 interfaces irb10 and irb irb20 we need

12:52 to apply this firewall filter to one of

12:54 those interfaces

12:56 so let's go to the irb interface and

12:58 have a look here all right so here you

12:59 can see we have unit 10 and unit 20. and

13:03 so you might ask yourself well what do

13:04 we want to apply this to well recall

13:07 that post one the ip address is

13:12 24 which is

13:14 part of unit 10. unit 20

13:18 is

13:20 and they have a virtual gateway address

13:22 as well within that same subnet

13:24 and so that would be what host 2 is part

13:26 of now that is done this way because erb

13:29 is set up so the layer 3 gateways are

13:31 here on the leaf devices and so it's set

13:35 up this way for that reason and so what

13:37 you want to use unit 10.

13:40 apply that filter as an input filter

13:44 and that is the configuration for leaf

13:46 one let's go ahead and commit that

13:48 configuration

13:49 or router l1 which is the leaf connected

13:52 to the host one device

13:55 okay so now that we have that device

13:58 configured router l1 let's configure

13:59 router l2 but let's jump back to the

14:02 topology and have another look at the

14:03 topology to make sure we know what we're

14:06 doing so let's go ahead and jump back

14:08 there

14:08 okay so here is the topology and you can

14:10 see host 2

14:12 is connected to router l2 so that's a

14:14 leaf device in our data center and

14:16 recall we are using erb so edge routed

14:19 bridging

14:20 and so the layer 3 layer 2 gateways are

14:22 on the router leaf devices and so what

14:26 we did previously is we configured

14:28 router l1 that leaf device we configured

14:31 the inspect vrf

14:32 and so what we need to do now is and we

14:35 also configured the filter-based

14:36 forwarding with the firewall filter

14:38 and so what we need to do now is we need

14:40 to configure the secure vrf on router l2

14:44 and what happens there is it's going to

14:46 be very similar to the inspect vrf one

14:48 big difference here is notice how we use

14:50 vni 5991 we're using vni5992

14:53 that's going to match up with the secure

14:55 vrf service leaf l1 uh vni here and same

14:59 thing over here vni 5991 vni 5991 with

15:03 the inspect vrs so that's that's

15:05 important those need to match and also

15:07 the route targets need to match for the

15:08 inspect vrs and as well as a different

15:11 route target needs to match for the

15:12 secure vrs and so here with router l2

15:16 that leaf that router leaf we are going

15:18 to be configuring the secure brf now

15:20 this is erb vf1 is already configured

15:23 but we'll still take a look at things

15:24 there and again host two is in a

15:26 different subnet different vlan than

15:29 host one just something i want to point

15:31 out and so with what we're going to

15:32 focus on right now is the configuration

15:34 of

15:35 router leaf router l2

15:38 so let's go ahead and jump to the cli of

15:41 router l2 and get this going

15:44 all right so here is router l2 and let's

15:47 jump into configuration mode let's go to

15:48 the routing instances hierarchy and have

15:51 a look here and you can see we have vrf1

15:53 you see the route distinguisher the

15:55 interfaces interface type vrf

15:57 the vrf route target that is the route

16:00 target is target colon 123 coin one and

16:04 recall that vrf1 on router l2 so that

16:08 leaf on the other side that is connected

16:10 to host one

16:11 also uses that exact same route target

16:13 for the vrf that's very important those

16:15 two need to match they are part of the

16:17 same vrf

16:18 and so with that let's configure the

16:20 secure

16:22 secure vrf routing instance set the

16:24 instance type

16:26 as

16:27 vrf

16:29 and then set the interface

16:31 loopback interface 992. now again just

16:33 like with router l2 leaf

16:36 it's not necessary but it is helpful for

16:38 tracking purposes that we're setting

16:40 around the loopback interface into the

16:42 evpn as a type 5 route and so we'll need

16:45 to set the route distinguisher

16:47 and we're going to set that

16:51 based off of just the loopback address

16:53 and then specify

16:56 after the colon it's going to be based

16:57 off of the vni

16:59 and then we need to set the route target

17:03 set that to target

17:05 6501 colon 992. now if you remember with

17:10 the leaf router l1 that router leaf we

17:13 used a similar route target but that

17:16 route target was target 65001 colon 991

17:21 and so it doesn't match here because it

17:23 shouldn't match we don't want it to

17:24 match here it will match with a secure

17:26 vrf that is on the service leaf and so

17:30 with that you see here we haven't

17:32 created the loopback interface yet so

17:34 let's go ahead and set that

17:41 and so that is set we don't have that

17:43 warning anymore and then we need to

17:44 create a static route

17:52 and this is for host 2

17:54 we say next table

17:57 brf.1.inet.0.

18:00 and if you remember with configuring the

18:02 leaf router-l1

18:05 we did that for host one because on that

18:08 leaf host one need to be reachable

18:11 through the inspect vrf and that was for

18:13 the return traffic for r2 to be able to

18:15 get to host one from the inspect vrf and

18:19 here it's something very similar just

18:20 the reverse we are setting the static

18:22 route here so host one

18:24 the initiating traffic from a host one

18:27 can get to host two through the secure

18:30 vrf and so we will be exporting this

18:32 static route into the evpn as a type

18:34 five route and so with that let's go

18:37 ahead and configure the type five route

18:40 parameters

18:41 and so let's say protocols evpn ip

18:44 prefix routes advertise direct next hop

18:47 encapsulation vxlan

18:50 set the vni this is going to be 5992 for

18:53 the vni

18:54 and then we need to accept the export

18:56 policy this is going to be t5

18:59 underscore export

19:01 actually let's do secure

19:04 underscore export

19:07 and that hasn't been configured yet so

19:08 let's go ahead and configure that policy

19:11 and so policy options policy statement

19:14 t5

19:17 here

19:18 x

19:20 port

19:21 term one this is going to look very

19:22 familiar to what we did on router leaf

19:25 router l1

19:27 and so with that we'll say set

19:30 from protocol

19:32 direct

19:34 set

19:35 then accept

19:36 and we're going to configure a second

19:38 term that's from

19:40 protocol static

19:42 then accept

19:45 and so if we jump back to the routing

19:46 instance

19:48 we can see here that we have configured

19:51 that export policy it's not giving us a

19:52 warning now so that'll export

19:55 the static route we have configured and

19:57 the route associated with the loopback

19:59 unit 992 interface

20:02 and so the next step would be to

20:04 configure the firewall filter

20:06 and again we have the vrf1 routing

20:08 instance and we have the two interfaces

20:10 rb10 and irb20

20:13 and so we need to figure out which

20:15 interface we need to apply it to

20:17 the firewall filter that is and if you

20:20 look at here

20:21 you can see that host 1 is in the subnet

20:24 of irb.10 host 2 is in the subnet of

20:28 irb.20. so we're going to apply that

20:30 firewall filter there

20:31 on unit 20. but before we apply it we

20:34 need to create it so let's go ahead and

20:36 create that firewall filter should have

20:37 done that first

20:47 call the term host two to host one since

20:51 it'll be the return direction set the

20:53 host address we'll set it to match on

20:57 the host to source address

21:02 and then the host one destination

21:04 address

21:09 say routing instance secure so this is

21:11 going to be going to the secure vrf

21:12 because the traffic this traffic at this

21:15 point will already be inspected and

21:17 analyzed by the firewall

21:19 and then we need to

21:21 set a counter again strictly not

21:24 necessary but it's really helpful for

21:26 troubleshooting purposes and

21:28 verification and then again we want to

21:31 set a catch-all term

21:34 for any other traffic

21:39 and then let's jump back to the irb

21:41 interfaces

21:43 recall it's unit 20 we want to use here

21:45 for the input filter

21:51 and that is the configuration for the

21:53 router leaf router l2

21:56 alright so that brings us to the end of

21:58 this learning byte

22:00 we demonstrated how to configure router

22:02 leafs with regards to data center filter

22:04 based forwarding so as always thanks for

22:07 watching

22:09 visit the juniper education services

22:12 website to learn more about courses

22:15 view our full range of classroom online

22:18 and e-learning courses

22:20 learning paths

22:22 industry segment and technology specific

22:24 training paths juniper networks

22:27 certification program the ultimate

22:29 demonstration of your competence and the

22:32 training community from forums to social

22:35 media join the discussion

22:43 you

Show more