Example: Configuring Selective Stateless Packet-Based Services—End-to-End Packet-Based

In this example, you configure devices for typical Intranet traffic flowing between private WAN interfaces. In this case, end-to-end forwarding is packet-based and the traffic bypasses flow-based forwarding completely.

Figure 15 shows a network topology that is used in this example.

Figure 15: Intranet Traffic Using End-to-End Packet-Based Services

Your company’s branch offices are connected with each other via private WAN. For this internal traffic, packet forwarding is required because security is not an issue. Hence for this traffic, you decide to configure selective stateless packet-based services to bypass flow-based forwarding. The remaining traffic, to and from the Internet, uses flow-based forwarding.

To bypass flow-based processing on Internal traffic, you configure interfaces on devices R0, R1, R2, and R3 used in this configuration. Next, configure the following on device R1:

• Configure zones trust and untrust. Assign internal interfaces ge-0/0/1 and ge-0/0/2 to zone trust and interface ge-0/0/3 to zone untrust.
• Configure security policies to allow transit traffic to pass between trust and untrust zones.
• Create a stateless firewall filter bypass-flow-filter. Define two terms—bypass-flow-term-1 and bypass-flow-term-2. Specify source and destination addresses as match conditions and packet-mode as the action modifier. Define another term accept-rest that does not include the packet-mode action modifier.
• Apply the firewall filter bypass-flow-filter to interfaces in the internal network—ge-0/0/1 and ge-0/0/2.

In this example, you configure the filter bypass-flow-filter with terms bypass-flow-term-1 and bypass-flow-term-2 that match the traffic between internal interfaces ge-0/0/1 and ge-0/0/2 and contain the packet-mode action modifier. You configure the next term accept-rest to match the remaining traffic and not contain the packet-mode action modifier. Next, you apply this filter on internal interfaces (not on the external interface). As a result, all internal traffic bypasses flow-based forwarding and the traffic to and from the Internet does not bypass flow-based forwarding.

This section includes the following topics:

• CLI Configuration
• Related Topics

CLI Configuration

To configure selective stateless packet-based services for end-to-end packet-based forwarding:

1. Configure the IP addresses for the interfaces in your network. In the following statements you configure interfaces on devices R0, R1, R2, and R3:

   On device R0:

   user@R0# set interfaces description “Internal 1” ge-0/0/1 unit 0 family inet address 10.1.1.2/24

   On device R1:

   user@R1# set interfaces description “Internal 1” ge-0/0/1 unit 0 family inet address 10.1.1.1/24

   user@R1# set interfaces description “Internal 2” ge-0/0/2 unit 0 family inet address 10.2.1.1/24

   user@R1# set interfaces description “Internet” ge-0/0/3 unit 0 family inet address 1.1.1.1/30

   On device R2:

   user@R2# set interfaces description “Internet” ge-0/0/3 unit 0 family inet address 1.1.1.2/30

   On device R3:

   user@R3# set interfaces description “Internal 2” ge-0/0/2 unit 0 family inet address 10.2.1.2/24

2. Create static routes and associate appropriate next-hop addresses. The following statements create static routes and associate next-hop addresses for devices R0, R1, R2, and R3:

   On device R0:

   user@R0# set routing-options static route 0.0.0.0/0 next-hop 10.1.1.1

   On device R1:

   user@R1# set routing-options static route 0.0.0.0/0 next-hop 1.1.1.2

   On device R2:

   user@R2# set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1

   On device R3:

   user@R3# set routing-options static route 0.0.0.0/0 next-hop 10.2.1.1

3. Configure security zones and assign interfaces to them. In the following statements you create a zone untrust and assign interface ge-0/0/3 to it. You also create a zone trust and assign interfaces ge-0/0/1 and ge-0/0/2 to it:

   user@R1# set security zones security-zone untrust interfaces ge-0/0/3

   user@R1# set security zones security-zone trust interfaces ge-0/0/1

   user@R1# set security zones security-zone trust interfaces ge-0/0/2

4. Configure application services for zones. In the following statement you configure trust and untrust zones to allow all supported application services as inbound services:

   user@R1# set security zones security-zone trust host-inbound-traffic system-services all

   user@R1# set security zones security-zone untrust host-inbound-traffic system-services all

5. Configure a security policy to allow transit traffic to pass between zones. in the following statements you allow traffic from any source address, destination address, and application to pass between zones:

   user@R1# set security policies from-zone trust to-zone untrust policy Internet-traffic match source-address any destination-address any application any

   user@R1# set security policies from-zone trust to-zone untrust policy Internet-traffic then permit

   user@R1# set security policies from-zone untrust to-zone trust policy Incoming-traffic match source-address any destination-address any application any

   user@R1# set security policies from-zone untrust to-zone trust policy Incoming-traffic then permit

   user@R1# set security policies from-zone trust to-zone trust policy Intrazone-traffic match source-address any destination-address any application any

   user@R1# set security policies from-zone trust to-zone trust policy Intrazone-traffic then permit

6. Create a firewall filter and define terms for all the packet-based forwarding traffic. In the following statements you create the firewall filter bypass-flow-filter, define the terms bypass-flow-term-1 and bypass-flow-term-2, and specify match conditions and actions for the terms:

   user@R1# set firewall family inet filter bypass-flow-filter term bypass-flow-term-1 from source-address 10.1.1.0/24

   user@R1# set firewall family inet filter bypass-flow-filter term bypass-flow-term–1 from destination-address 10.2.1.0/24

   user@R1# set firewall family inet filter bypass-flow-filter term bypass-flow-term-1 then packet-mode

   user@R1# set firewall family inet filter bypass-flow-filter term bypass-flow-term-2 from source-address 10.2.1.0/24

   user@R1# set firewall family inet filter bypass-flow-filter term bypass-flow-term-2 from destination-address 10.1.1.0/24

   user@R1# set firewall family inet filter bypass-flow-filter term bypass-flow-term-2 then packet-mode

7. Define another term for the remaining traffic. In the following statements you define the term accept-rest to accept all remaining traffic:

   user@R1# set firewall family inet filter bypass-flow-filter term accept-rest then accept

8. Apply the firewall filter to relevant interfaces. In the following statements you apply the firewall filter bypass-flow-filter to internal interfaces ge-0/0/1 and ge-0/0/2:

   user@R1# set interfaces description “Internal 1” ge-0/0/1 unit 0 family inet filter bypass-flow-filter

   user@R1# set interfaces description “Internal 2” ge-0/0/2 unit 0 family inet filter bypass-flow-filter

9. If you are finished configuring the router, commit the configuration.

For more information about the configuration statements used in this example, see the JUNOS Policy Framework Configuration Guide.

Related Topics

• Verifying the Selective Stateless Packet-Based Services Configuration—End-to-End Packet-Based
• Configuring Selective Stateless Packet-Based Services