SRX Services Gateway
Visitor
ehomo
Posts: 6
Registered: ‎01-22-2009
Accepted Solution

SRX: both flow and packet mode

Hello, forum.

Is there any way to enable both flow and packet mode?

I am looking for any suggestion on how to configure MPLS/L3VPN on the SRX and enable flow services for traffic destined for the VRF.

Contributor
manishja
Posts: 13
Registered: ‎08-31-2010

Re: SRX: both flow and packet mode

AFAIK you configure devices to direct traffic to use packet-based forwarding on the internal LAN and then direct the same traffic to use flow-based forwarding as it transits to the Internet.

Please find the sample configs below.

http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-admin-guide/...

Visitor
ehomo
Posts: 6
Registered: ‎01-22-2009

Re: SRX: both flow and packet mode

My solution follows below.

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                mtu 1500;
                address 192.168.100.1/30;
            }
            family mpls {
                filter {
                    input mpls;
                }
            }
        }
    }
    lt-0/0/0 {
        unit 1 {
            description "Tunnel Interface bound to Packet VRF";
            encapsulation frame-relay;
            dlci 30;
            peer-unit 2;
            family inet {
                filter {
                    input packet-mode;
                }
            }
        }
        unit 2 {
            encapsulation frame-relay;
            dlci 30;
            peer-unit 1;
            family inet;
        }
    }
    fe-0/0/2 {
        unit 0 {
            family inet {
                address 10.15.14.1/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 1.1.1.2/32;
            }
        }
        unit 1 {
            family inet {
                address 10.15.16.1/32;
            }
        }
    }
}

protocols {
    mpls {
        interface ge-0/0/0.0;
        interface lo0.0;
    }
    bgp {
        local-address 1.1.1.2;
        group ELTEL {
            type internal;
            family inet {
                labeled-unicast;
            }
            family inet-vpn {
                unicast;
            }
            export iBGP-export;
            neighbor 1.1.1.1 {
                description RemotePE;
            }
        }
    }
    ospf {
        reference-bandwidth 40k;
        area 0.0.0.1 {
            stub;
            interface ge-0/0/0.0;
            interface lo0.0 {
                passive;
            }
        }
    }
    ldp {
        import LDP_exchange;
        export LDP_exchange;
        egress-policy LDP_originate;
        transport-address 1.1.1.2;
        interface ge-0/0/0.0;
        interface lo0.0;
    }
}

[ Policies obvious and here omitted. ]

security {
    zones {
        security-zone untrust {
            address-book {
                address MPLS-LO 1.1.1.2/32;
            }
            host-inbound-traffic {
                system-services {
                    telnet;
                }
                protocols {
                    ospf;
                    ldp;
                    bgp;
                }
            }
            interfaces {
                ge-0/0/0.0;
                lo0.0;
            }
        }
        security-zone trust-flow {
            host-inbound-traffic {
                system-services {
                    telnet;
                    ping;
                }
            }
            interfaces {
                fe-0/0/2.0;
            }
        }
        security-zone untrust-flow {
            interfaces {
                lt-0/0/0.2;
            }
        }
        security-zone untrust-pctks {
            interfaces {
                lt-0/0/0.1;
                lo0.1;
            }
        }
    }
    policies {
        from-zone untrust to-zone untrust {
            policy LDP {
                match {
                    source-address any;
                    destination-address MPLS-LO;
                    application [ junos-ldp-tcp junos-ldp-udp ];
                }
                then {
                    permit;
                }
            }
            policy BGP {
                match {
                    source-address any-ipv4;
                    destination-address MPLS-LO;
                    application junos-bgp;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust-flow to-zone untrust-flow {
            policy permit-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
    flow {
        tcp-mss {
            all-tcp {
                mss 1400;
            }
        }
    }
}
firewall {
    family inet {
        filter packet-mode {
            interface-specific;
            term main {
                then {
                    count pctks;
                    packet-mode;
                    accept;
                }
            }
        }
    }
    family mpls {
        filter mpls {
            term main {
                then {
                    count mpls;
                    packet-mode;
                    accept;
                }
            }
        }
    }
}
routing-instances {
    TEST {
        instance-type vrf;
        interface lt-0/0/0.1;
        interface lo0.1;
        route-distinguisher 65535:111;
        vrf-import vrf_TEST_in;
        vrf-export vrf_TEST_out;
        routing-options {
            static {
                route 10.15.14.0/24 next-hop lt-0/0/0.1;
            }
        }
    }
    TEST-VR {
        instance-type virtual-router;
        interface lt-0/0/0.2;
        interface fe-0/0/2.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop lt-0/0/0.2;
            }
        }
    }
}

The solution is in applying appropriate filters to the ge-0/0/0 and lt-0/0/0 interfaces. It works well with Junos 10.3. I found the hint about filters in a presentation from Juniper describing how flow mode works on the branch SRX series.
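As an added example (not from the thread or from Juniper), here is a small Python audit that parses a Junos brace-style configuration like the one above and reports, per security zone, which member interfaces apply a packet-mode input filter and therefore bypass the flow module and its security policies. The interface, zone and filter names are taken from the posted config; the configuration text embedded in the script is a constructed, abbreviated subset of it.

```python
# Constructed, abbreviated version of the config posted above (not the full posted config).
SAMPLE = """
interfaces { ge-0/0/0 { unit 0 { family inet; family mpls { filter { input mpls; } } } }
  lt-0/0/0 { unit 1 { family inet { filter { input packet-mode; } } } unit 2 { family inet; } }
  lo0 { unit 1 { family inet { address 10.15.16.1/32; } } } }
security { zones { security-zone untrust { interfaces { ge-0/0/0.0; } }
  security-zone untrust-flow { interfaces { lt-0/0/0.2; } }
  security-zone untrust-pctks { interfaces { lt-0/0/0.1; lo0.1; } } } }
firewall { family inet { filter packet-mode { term main { then { count pctks; packet-mode; accept; } } } }
  family mpls { filter mpls { term main { then { count mpls; packet-mode; accept; } } } } }
"""

def parse_junos(text):
    """Parse Junos curly-brace config into nested dicts; leaf statements map to None."""
    stack, words = [{}], []
    for tok in text.replace("{", " { ").replace("}", " } ").replace(";", " ; ").split():
        if tok not in "{};":
            words.append(tok)
        elif tok == "}":
            stack.pop()
        else:
            key, words = " ".join(words), []
            if tok == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = None
    return stack[0]

def packet_mode_interfaces(cfg):
    """Logical interface -> families whose input filter has a packet-mode term (flow bypassed)."""
    # (family, filter name) pairs in which some term's action includes packet-mode
    pm = {(fam.split()[1], fk.split()[1]) for fam, body in cfg.get("firewall", {}).items()
          for fk, fb in body.items() for tk, term in (fb or {}).items()
          if tk.startswith("term ") and "packet-mode" in ((term or {}).get("then") or {})}
    out = {}
    for ifd, ibody in cfg.get("interfaces", {}).items():
        for ukey, ubody in (ibody or {}).items():
            for fkey, fbody in (ubody or {}).items():
                fam = fkey.split()[-1]
                for stmt in (fbody or {}).get("filter") or {}:
                    if stmt.startswith("input ") and (fam, stmt.split()[1]) in pm:
                        out.setdefault(f"{ifd}.{ukey.split()[-1]}", set()).add(fam)
    return out

def zone_report(cfg):
    """Per security zone: each member interface and the families on which it bypasses flow."""
    pm, zones = packet_mode_interfaces(cfg), cfg.get("security", {}).get("zones", {})
    return {z.split()[1]: {ifl: sorted(pm.get(ifl, ())) for ifl in (body.get("interfaces") or {})}
            for z, body in zones.items() if z.startswith("security-zone ")}
```

Running zone_report(parse_junos(SAMPLE)) shows lt-0/0/0.1 and ge-0/0/0.0 as the only interfaces that skip flow processing, while lo0.1 in the same zone and lt-0/0/0.2 in untrust-flow stay in flow mode.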



Trusted Contributor
michael.saw
Posts: 1,048
Registered: ‎09-26-2011

Re: SRX: both flow and packet mode

Thanks for the share!
Thanks!

Michael
JNCIA-JUNOS, JNCIS-ENT/SEC, JNCIP-ENT
(CCNA, ACMP, ACFE, CISE)
"http://www.thechampioncommunity.com/"
CONNECT EVERYTHING. EMPOWER EVERYONE.
Share & Learn. Knowledge is Power.

"If there's a will, there's a way!"
Contributor
hoand
Posts: 202
Registered: ‎04-05-2011

Re: SRX: both flow and packet mode

Thanks so much for sharing. I will read it more carefully.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.