Example: Configuring Selective Stateless Packet-Based Services—Packet-Based to Flow-Based

In this example, you configure devices to direct traffic to use packet-based forwarding on the internal LAN and then direct the same traffic to use flow-based forwarding as it transits to the Internet.

Before You Begin

  1. For background information about configuring stateless firewall filters, see the JUNOS Software Routing Protocols and Policies Configuration Guide for Security Devices.
  2. Establish basic connectivity. (See the Getting Started Guide for your device.)

Figure 21 shows a network topology that is used in this example.

Figure 21: Selective Stateless Packet-Based Services—Packet-Based to Flow-Based


In this example, the interface facing the private LAN does not need any security services, but the interface facing the WAN needs security. In this case, you decide to configure both packet-based and flow-based forwarding for secure and not so secure traffic by configuring two routing instances—one handling the packet-based forwarding and the other handling the flow-based forwarding.

In this example, you create a virtual routing instance to perform flow-based forwarding. The default master routing instance is used to perform packet-based forwarding. You then configure an internal service interface lt-0/0/0 to transmit traffic between the two virtual router routing instances and configure OSPF to exchange the routes between the routing instances. Because all packets traversing the master routing instance need packet-based forwarding, you apply the stateless firewall filter with the packet-mode action modifier on all the interfaces (ge-0/0/2 and lt-0/0/0.0) associated with the master routing instance. Similarly, because all packets traversing the virtual routing instance Internet-VR need flow-based forwarding, you do not apply the stateless firewall filter with the packet-mode action modifier to any of the interfaces (ge-0/0/3 and lt-0/0/0.1) associated with this virtual router routing instance.

To bypass flow-based processing on internal traffic, you first configure the interfaces on devices R0, R1, and R2 used in this example. Next, you configure the following on device R1:

In this example, you configure the filter bypass-flow-filter with the term bypass-flow-term that contains the packet-mode action modifier. Because you have not specified any match conditions, this filter applies to all traffic that traverses the interfaces on which it is applied. Next, you apply this filter on interfaces associated with the master routing instance. You do not apply the filter to the interfaces associated with the Internet-VR routing instance. As a result, all traffic when traversing the LAN interfaces associated with the master routing instance uses packet-based forwarding and when traversing the Internet-VR routing instance uses flow-based forwarding.

This section includes the following topics:

CLI Configuration

To configure selective stateless packet-based services for packet-based to flow-based forwarding:

  1. Configure the IP addresses for the interfaces in your network. In the following statements you configure interfaces on devices R0, R1, and R2:

    On device R0:

    user@R0# set interfaces ge-0/0/2 description "Connect to Master VR" unit 0 family inet address 9.9.9.9/24

    On device R1:

    user@R1# set interfaces ge-0/0/2 description "Connect to R0" unit 0 family inet address 9.9.9.10/24
    user@R1# set interfaces ge-0/0/3 description "Connect to R2" unit 0 family inet address 5.5.5.5/24

    On device R2:

    user@R2# set interfaces ge-0/0/3 description "Connect to Internet-VR" unit 0 family inet address 5.5.5.9/24
  2. Set an internal service interface lt-0/0/0 between routing instances. The following statements configure the lt service interface and configure a peer relationship between the two virtual routers:
    user@R1# set interfaces lt-0/0/0 unit 0 encapsulation frame-relay dlci 100 peer-unit 1 family inet address 1.1.1.1/16
    user@R1# set interfaces lt-0/0/0 unit 1 encapsulation frame-relay dlci 100 peer-unit 0 family inet address 1.1.1.2/16
  3. Configure security zones, assign interfaces to zones, and configure the zones to allow application services and protocols. In the following statements you create a zone HOST, assign interfaces to it, and configure it to allow all supported applications and protocols:
    user@R1# set security zones security-zone HOST host-inbound-traffic system-services any-service
    user@R1# set security zones security-zone HOST host-inbound-traffic protocols all
    user@R1# set security zones security-zone HOST interfaces all
  4. Configure policies. In the following statement you set the default policy and specify that all packets are permitted:
    user@R1# set security policies default-policy permit-all
  5. Configure a virtual router routing instance. The following statements configure a virtual router routing instance Internet-VR and assign interfaces to it for flow-based forwarding:
    user@R1# set routing-instances Internet-VR instance-type virtual-router
    user@R1# set routing-instances Internet-VR interface lt-0/0/0.1
    user@R1# set routing-instances Internet-VR interface ge-0/0/3.0
  6. Enable OSPF on all interfaces in the network. The following statements enable OSPF on devices R0, R1, and R2:

    On device R0:

    user@R0# set protocols ospf area 0.0.0.0 interface ge-0/0/2.0

    On device R1 (for Master-VR):

    user@R1# set protocols ospf area 0.0.0.0 interface ge-0/0/2.0
    user@R1# set protocols ospf area 0.0.0.0 interface lt-0/0/0.0

    On device R1 (for Internet-VR):

    user@R1# set routing-instances Internet-VR protocols ospf area 0.0.0.0 interface lt-0/0/0.1
    user@R1# set routing-instances Internet-VR protocols ospf area 0.0.0.0 interface ge-0/0/3.0

    On device R2:

    user@R2# set protocols ospf area 0.0.0.0 interface ge-0/0/3
  7. Create a firewall filter and define a term for packet-based forwarding traffic. In the following statements you create a firewall filter bypass-flow-filter, define a term bypass-flow-term, and specify actions for the term:
    user@R1# set firewall family inet filter bypass-flow-filter term bypass-flow-term then accept
    user@R1# set firewall family inet filter bypass-flow-filter term bypass-flow-term then packet-mode
  8. Apply the firewall filter to the relevant interfaces. In the following statements you apply the firewall filter bypass-flow-filter as an input filter on the internal interfaces ge-0/0/2 and lt-0/0/0.0, which belong to the master routing instance:
    user@R1# set interfaces ge-0/0/2 unit 0 family inet filter input bypass-flow-filter
    user@R1# set interfaces lt-0/0/0 unit 0 family inet filter input bypass-flow-filter
  9. If you are finished configuring the router, commit the configuration.
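As an added check that is not part of the original example, the following Python script audits an R1-style configuration in set format against the rule this design depends on: every interface in the master routing instance carries a packet-mode filter, and no interface in a virtual router such as Internet-VR does, because a packet-mode filter on a flow-based interface would let that traffic skip the security policies. The sample configuration is constructed from the statements above; the `audit_packet_mode` function and its regular expressions are this example's own, not a Juniper tool.

```python
import re

# Constructed sample: the R1 configuration from this example, in "set" format,
# including the two filter applications from step 8.
R1_CONFIG = """
set interfaces ge-0/0/2 unit 0 family inet address 9.9.9.10/24
set interfaces ge-0/0/3 unit 0 family inet address 5.5.5.5/24
set interfaces lt-0/0/0 unit 0 encapsulation frame-relay dlci 100 peer-unit 1 family inet address 1.1.1.1/16
set interfaces lt-0/0/0 unit 1 encapsulation frame-relay dlci 100 peer-unit 0 family inet address 1.1.1.2/16
set routing-instances Internet-VR instance-type virtual-router
set routing-instances Internet-VR interface lt-0/0/0.1
set routing-instances Internet-VR interface ge-0/0/3.0
set firewall family inet filter bypass-flow-filter term bypass-flow-term then accept
set firewall family inet filter bypass-flow-filter term bypass-flow-term then packet-mode
set interfaces ge-0/0/2 unit 0 family inet filter input bypass-flow-filter
set interfaces lt-0/0/0 unit 0 family inet filter input bypass-flow-filter
"""


def audit_packet_mode(config):
    """Map each logical interface to its routing instance and its input filter,
    then report the two ways the design can go wrong: a master-instance interface
    without a packet-mode filter (would be flow-processed unexpectedly) and a
    virtual-router interface with one (would bypass flow-based security)."""
    packet_filters, ifl_filter, ifl_vr = set(), {}, {}
    for line in config.splitlines():
        m = re.match(r"set firewall family inet filter (\S+) term \S+ then packet-mode$", line)
        if m:
            packet_filters.add(m.group(1))
        m = re.match(r"set interfaces (\S+) unit (\d+) family inet filter input (\S+)$", line)
        if m:
            ifl_filter[f"{m.group(1)}.{m.group(2)}"] = m.group(3)
        m = re.match(r"set interfaces (\S+) unit (\d+)\b", line)
        if m:  # any logical interface defaults to the master instance
            ifl_vr.setdefault(f"{m.group(1)}.{m.group(2)}", "master")
        m = re.match(r"set routing-instances (\S+) interface (\S+)$", line)
        if m:  # explicit assignment overrides the master default
            ifl_vr[m.group(2)] = m.group(1)
    stateless = {ifl for ifl, flt in ifl_filter.items() if flt in packet_filters}
    return {
        "master_without_packet_mode": sorted(i for i, vr in ifl_vr.items() if vr == "master" and i not in stateless),
        "vr_with_packet_mode": sorted(i for i, vr in ifl_vr.items() if vr != "master" and i in stateless),
    }


if __name__ == "__main__":
    print(audit_packet_mode(R1_CONFIG))  # both lists empty for the example configuration
```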

For more information about the configuration statements used in this example, see the JUNOS Software CLI Reference.
