Zach Gibbs, Content Developer, Education Services, Juniper Networks

Data Center Filter-Based Forwarding: Service Leafs

Learning Bytes | Data Center

[Figure: a diagram illustrating configuring the service leaf.]

Juniper Learning Bytes: Configuring Service Leafs with Zach Gibbs.

In this Learning Byte, you’ll learn how to configure the service leaf with regards to filter-based forwarding. This video is most appropriate for users with a high degree of knowledge and skill with data center technologies.


You’ll learn

  • Step by step how to configure the service leaf with the Inspect VRF and the Secure VRF and all the parameters that go along with that

  • The first step: configure the interface that is facing the firewall

  • How to match the Ethernet VPN (EVPN) routes and export them

Who is this for?

Business Leaders, Network Professionals


Zach Gibbs
Content Developer, Education Services, Juniper Networks


0:02 [Music]

0:11 Hello, my name is Zach Gibbs and I'm a content developer within Education Services inside Juniper Networks, and today we will be going through the Data Center Filter-Based Forwarding: Service Leafs Learning Byte.

0:25 All right, so here is our topology. We have a few different devices: we have the two router leafs, that's Router L1 and Router L2, and then we have the service leaf, which is Service L1. Now, there are other Learning Bytes that I've done that discussed the configuration of Router L1 and Router L2, and there will be another Learning Byte that goes over the configuration of the DC firewall, so look out for that as well, and there'll also be another Learning Byte that goes over verification of filter-based forwarding in a data center. Okay, so with that, we want to focus on configuring the service leaf. We need to configure the service leaf with the Inspect VRF and the Secure VRF and all the parameters that go along with that. So with that being said, let's go ahead and jump to the CLI of the service leaf, Service L1, and get this going.

1:15 All right, so here is our topology, and here you can see that Service Leaf 1 in the middle here has both the Inspect VRF and the Secure VRF. And so right now we're going to focus on configuring the Inspect VRF, and then we'll configure the Secure VRF. And again, what's going to happen is Host 1 will send traffic; it'll filter-based forward from VRF1 to the Inspect VRF, to service leaf Service L1's Inspect VRF, and then we'll go to the firewall and then back to the Secure VRF on the service leaf, and then to the Secure VRF on the router leaf Router L2, then to VRF1 and then to Host 2. So with that, let's go ahead and jump back to the CLI of service leaf L1 and get this going.

1:59 All right, so here is service leaf L1. Jump into configuration mode, and the first thing we want to do is configure the interface that is facing the firewall. And so let's go into the interfaces; this is going to be xe-06, and we need to set this up as a trunk interface, and we need to apply two different VLANs here. And the reason behind that is the firewall interface is going to be using VLAN tagging, and it's going to have one interface split into two different interfaces, two different logical interfaces, and one of those is going to be a part of one VLAN, and it's going to be a part of the Secure zone, and the other interface will be a part of the Inspect zone, and that will receive the traffic and then send it out the other interface. And so they'll be part of different VLANs, so we need to set some VLAN members here. And so we'll say vlan members 991 and 992. This matches up with the VNI and the route targets we're using for the Secure and the Inspect VRFs. And so you can see that we have that configured.

3:15 And then let's go ahead; we'll also want to configure some IRB interfaces. Set unit 991 family inet address, and of course this is going to be working within the 991 VLAN, so ...30. We'll set unit 992, configure this ...30. And then we'll set, or rather, let's take a quick look at those. We can see that's configured correctly, and then let's configure some loopback addresses as well. So we'll say, or loopback interfaces, unit 991, and then we'll do the same, 992, and these will be in the different routing instances.

4:06 And then we want to configure the VLANs. VLAN v991 is going to have vlan-id 991, and then we're going to have the L3 interface irb.991, and then the v992 VLAN is going to have vlan-id 992 and L3 interface irb.992. So that's how the interfaces, or the VLANs, are configured, and then let's jump into the routing instances.

4:40 You see here we have nothing configured, and keep in mind we're configuring the Inspect VRF and the Secure VRF; that is, we are not going to configure VRF1 here. VRF1 is not part of the service leaf. And so with that, let's go ahead and configure the Inspect VRF, and it's going to be instance-type vrf. We're going to use interface irb.991; recall that interface is a part of VLAN v991, which uses vlan-id 991. And then we're also going to put the loopback interface in there, and again, it's not necessary with these loopback interfaces, but it is nice to verify that these are being passed around correctly. Specify the route distinguisher; remember these need to be unique, and the end of that route distinguisher is going to match the VNI with what we're using here. And we'll configure the VNI in just a little bit. Configure the route target, and recall that the route target in the Inspect VRF here needs to match the route target in the Inspect VRF on the router leaf Router L1.

6:00 And so there's the configuration for that, and we're not done yet though. We need to configure BGP, because what happens here is we're going to be getting some, well, passing BGP routes, the EVPN routes, to BGP to the firewall, and then receiving some BGP routes as well. That's how we're going to handle the routing and get the routes back and forth.

6:21 So edit protocols bgp; call this group dc-fw-inspect, since it's going to be a part of the Inspect VRF, and say external. Export: we have not configured this export policy yet, but we will configure it soon. And we're going to local-as; this is going to be our local AS for this VRF. And then the neighbor: this is going to be the SRX, the DC firewall. So there's actually going to be two BGP sessions with the DC firewall.

6:59 And we can see here the configuration. We haven't configured that export policy yet. This export policy, we recall that with these, the router leafs, we are sending static routes and direct routes into EVPN as Type 5 EVPN routes. And so what that means, on the Inspect VRF and the Secure VRF we're going to receive those routes as Type 5 EVPN routes, and so what we need to do when configuring this export policy, the firewall or the fw-evpn-export policies, we need to match on those EVPN routes and export them. And so let's go ahead and configure that policy now.

7:43 And we're just going to say term evpn from protocol evpn, and we're going to accept that. That's all we need to do for that, and let's jump back to the routing instance.

8:00 And so you can see that's taken care of there. Now we need to configure what we're going to export into the Inspect VRF, because what's going to happen here is we're going to receive a default route from the DC firewall, and we're going to export that default route into the Inspect VRF. And then that way the leaf router, or the router leaf Router L1, will know that, okay, to get to Host 2 I've got a default route; I'm just going to send it to, well, service leaf L1. And so with that, let's go ahead and configure that then. So edit protocols evpn and then set ip-prefix-routes; we're going to do the direct hop with the advertise again, and then we're going to say encapsulation vxlan and vni 5991, and this VNI of course matches what we have on router leaf Router L1 in the Inspect VRF. And then we're going to specify an export, and this has not been configured yet; we're just going to call this t5_export. And then we have that configured, but we need to configure that policy, right? So let's go ahead and jump to the policy-options hierarchy, and make sure I spelt that right; I've messed that up before. And so what we want to do, we want to set one term from protocol direct; we want to export our direct routes, which is just going to be the loopback interface here, and also it's going to be the loopback interface and the IRB interfaces, I guess, or the addresses associated with that. And then with term two we want to match on a route-filter 0/0 exact, so that's that default route that is going to be coming from the firewall, and accept it. And so that is the configuration for the Inspect VRF on the service leaf.

10:00 All right, so here is the topology, and we are currently working on service leaf L1. We've already configured Router L1 with the Inspect VRF; we've configured Router L2, that leaf. You know, Router L1 is also a router, it's a normal router leaf, and Router L2 is a normal router leaf. We configured the Secure VRF, and we've configured the Inspect VRF already, so that's going to match up with the Inspect VRF with the Router L1 leaf, and now we need to configure the Secure VRF, which will match up with the Secure VRF in Router L2. And so here we have VNI 5992 on both of them; that will need to match, and also the route target that we configure will need to match. And so let's go ahead and jump back to the CLI of Service L1, which is our service leaf, and configure this.

10:52 All right, so here is service leaf L1. Let's go ahead and jump to the routing instances, and you can see here we have the Inspect VRF configured, so let's configure the Secure VRF. The instance-type is going to be vrf, of course, and we're going to specify the interface irb.992; we've already configured that interface. And then specify the interface of loopback.992. Now the IRB interface, now I didn't explain this when we configured the Inspect VRF earlier: that's going to be the anchor point for the BGP peerings with the DC firewall device, and so that's why its importance in this VRF. And so let's configure the route distinguisher; of course this needs to be unique. The 992 matches the VNI configuration that we'll have to configure here in just a moment; well, it's 5992 that is the VNI, but it's based off that. That is, it doesn't necessarily match it, but it's based off of it. And then we need to set the route target, and it is also based on the route target too, I guess, in the 992. But the thing to keep in mind here is that the route target in the Secure VRF here matches the route target in the Secure VRF on router leaf Router L2.

12:17 so let's go ahead and configure the bgp

12:20 group

12:22 and this will appear with the firewall

12:24 because what's going to happen is it'll

12:27 the firewall is acting in this scenario

12:28 as a one-arm firewall

12:30 more than likely in a real data center

12:32 you'd have multiple firewalls but here

12:34 it's just a one-arm firewall so it's

12:36 going to leave on the one irb interface

12:38 in the inspect zone hit the firewall

12:40 come back and then come back in on the

12:42 one irb interface in the secure vrf

12:46 and so we need to configure two

12:47 different bgp groups for that and so

12:50 let's get to the

12:52 group now and so it's going to dc dash

12:55 fw

12:56 dash secure

12:58 and it's going to be type external

13:01 and we're going to export

13:03 that fw

13:05 and export policy and recall we

13:07 configured this earlier but let's take a

13:09 quick look

13:11 and we can see here what we're doing

13:12 here is we're taking

13:14 from protocol evpn and then accepting it

13:17 so we're going to export anything that's

13:19 evpn and the reason why we need to do

13:21 that is in the secure vrf

13:24 we will be receiving

13:25 a route that is originally a static

13:28 route from the leaf router l2

13:32 in evpn and we need to get that to the

13:34 firewall device so the routing can be

13:36 propagated correctly

13:38 and so with that

13:40 we need to configure a few more bgp

13:42 parameters local aes

13:44 265 999 and this of course is going to

13:47 be different than the

13:48 local as we have in the inspect vrf

13:53 bgp group so keep that in mind that is

13:55 different the neighbor

13:57 92.92.1 puris 64

14:01 that's going to be the peer information

14:03 for the

14:04 dc firewall

14:07 and so that is configured there

14:09 And so then we need to edit the EVPN parameters, and this is going to be what we're doing with the Type 5 routes, how we're going to export that. And we're going to advertise with the direct next hop; I'm going to say encapsulation vxlan, and we're going to say vni, here we go, 5992, and of course that's going to match the VNI in the other Secure VRF that's on router leaf Router L2. And then we need to specify the export policy, and we have this export policy already configured because it was configured earlier: t5_export. Now let's look at that policy, and it's matching on protocol direct, so it's going to export the IRB interface route and also the loopback interface route, and then also the default route that we're getting from the firewall; we're going to export that into EVPN as a Type 5 route. And that is the configuration for the service leaf, so let's commit and quit to apply that configuration and exit to operational mode.

15:16 So that does bring us to the end of this Learning Byte, and here we demonstrated how to configure the service leaf with regards to data center filter-based forwarding. So as always, thanks for watching.

15:28 Visit the Juniper Education Services website to learn more about courses. View our full range of classroom, online and e-learning courses; learning paths, industry segment and technology specific training paths; the Juniper Networks Certification Program, the ultimate demonstration of your competence; and the training community, from forums to social media. Join the discussion.
