Flow Management in SRX Series Devices Using VRF Routing Instance
Virtual Routing and Forwarding Instances in SD-WAN Deployments
Virtual routing and forwarding (VRF) instances are required to separate the routes of each tenant from the route of other tenants and from other network traffic. SRX Series Firewalls use VRF instances for segmenting networks for increased security and improved manageability in SD-WAN deployments. For example, you can create distinct routing domains called tenants to segment large corporate networks and segment traffic to support multiple customer networks. Each tenant has its own routing table, which enables the support for overlapping IP subnets. VRF can be used to manage routes and to forward traffic based on independent forwarding tables in VRF for a specific tenant.
In an SD-WAN deployments, a provider edge (PE) router can be both a hub device and a spoke device that receives and forwards MPLS traffic. A customer edge (CE) router is an SRX Series Firewall that interacts with a PE router to transmit VPN traffic using VRF routing instances. The VRF instances forward each customer VPN traffic and each VRF instance contains one label to represent all the customer traffic that flows through that VRF.
Different sites that connect to a spoke-side SRX Series Firewall can belong to the same tenant or to the same VRF routing instance. These sites send the IP traffic that is intended to reach either public Internet or remote tenant sites.
When the traffic reaches the spoke-side SRX Series Firewall, the device identifies the VRF instance from the LAN interfaces that are connected to those sites. After security processing on this traffic, the traffic finds a route to the destination in that VRF routing table. If the destination is MPLS over next-hop-based generic routing encapsulation (GRE), the SRX Series Firewall adds a corresponding MPLS label and forwards the packet to the hub-side device.
At the hub-side device, after receiving MPLS over GRE tunneled traffic, the SRX Series Firewall associates the MPLS label to identify the corresponding VRF routing instance. After security processing of the traffic is complete, the device identifies whether the destination is on public Internet or reachable via MPLS next-hop.
If the destination is public Internet, Network Address Translation (NAT) converts VRF private IP address to a public IP address and establish the session. If the destination is a type of MPLS next-hop, corresponding MPLS label is added and the packet is forwarded to the remote spoke using a GRE overlay tunnel.
At the remote spoke side, after receiving the MPLS over GRE tunnel traffic, the device identifies the corresponding VRF routing-instance using the MPLS labels. Using that VRF routing instance, the SRX Series Firewall finds the correct destination LAN interface in that VRF to forward the packet to the destination.
Flow Management Using VRF Routing Instance
An SRX Series Firewall flow creates sessions based on 5-tuple data (source IP address, destination IP address, source port number, destination port number, and protocol number) along with interface tokens of input interface and output interface of traffic. For example, the routing instance VRF-1 and the routing instance VRF-2 have the same 5-tuple traffic that can enter and exit through the same physical GRE tunnel. When these overlapping IP addresses from the same tunnel enter or exit through the SRX Series Firewall, then SRX Series Firewall flow cannot install multiple sessions in the database because of the conflict in session information. Additional information is required for the SRX Series Firewall to differentiate sessions during the installation.
Starting in Junos OS Release 15.1X49-D160, SRX Series Firewalls can use VRF information from the MPLS-tagged packets in the session key to differentiate sessions. To differentiate sessions from different VRF instances, flow uses VRF identification numbers to the existing session key to identify each VRF instance. This session key is used as one of the matching criteria during session look-up.
You can use the following matching criteria along with existing 5-tuple matching conditions in a security policy to permit or deny traffic based on given VRF:
Source VRF—This is the VRF routing instance associated with the incoming interface of the packet. When an incoming MPLS packet containing a label arrives at an SRX Series Firewall, the device decodes the label, and maps the label to the incoming interface.
Destination VRF—This is the VRF routing instance associated with the final route to the destination. During the first packet processing for a new session, flow needs a destination route for routing a packet to the next-hop device or interface. Flow searches the initial routing table from either the incoming interface or from a separate RTT table until it finds the final next-hop device or interface. Once the final route entry is found, and if that route points to an MPLS next-hop device, then the destination VRF is assigned to the routing instance in which the final route is found.
Virtual Routing and Forwarding Groups
SD-WAN enterprise network is composed of multiple L3VPN networks as shown in Figure 1.
L3VPN networks are identified at a site (CPE device) as a set of VRF instances. The VRF instances at a site belonging to a L3VPN network at a site are used for application policy based forwarding. SRX flow session handling has enhanced to support mid-stream traffic switching between these VRF instances based on application based steering policies. The VRF instances which are logically part of a given L3VPN network can be configured as a VRF group. Existing firewall, NAT configuration commands have been enhanced to support operations on VRF group.
The Figure 2 describes how traffic steering within an L3VPN is done across multiple VRFs based on APBR policies.
When you configure the VRF groups using VRF instances, a VRF group-ID is generated. These VRF groups are used in the following modules to control SD-WAN L3VPN:
Security Policy - For policy control.
Flow - To search policies based on VRF group names, along with source or destination zone, source or destination IP address, and protocol. Hence, sessions are created using VRF groups as one of differentiator.
NAT - To support NAT rules based on VRF group names.
ALG - To create ALG sessions using VRF groups as one of differentiator.
The functionality of the VRF groups:
It allows a session to switch between two MPLS VRFs.
When the VRF instances are part of the same VRF group, security features such as flow, policy, NAT, or ALG modules treat the VRF instances similarly.
When you configure the VRF groups using VRF instances, a VRF group-ID is generated. This group-ID is stored in session for identifying the VRF group of a particular VRF instance.
- Understanding VRF groups
- Types of VRF groups
- VRF Movement
- VRF group-ID
- Configuring VRF groups
- VRF group Operations
Understanding VRF groups
VRF group is introduced to support L3VPN MPLS based sessions in SD-WAN network. It is used to control the MPLS L3VPN traffic in policy, flow, NAT and ALG modules when there are overlapping or no overlapping IP network addresses in the MPLS L3VPN network.
If the traffic pass between non MPLS L3VPN networks, VRF groups
are not configured. When VRF groups are not configured, the VRF group-ID
will be zero or the policy will use the option any for
VRF group.
The purpose of VRF groups is:
To differentiate L3VPN sessions between MPLS L3VPN network.
To have policy and NAT control between MPLS L3VPN network.
Types of VRF groups
There are two important VRF group in L3VPN network are:
Source-VRF group
Destination-VRF group
To understand which VRF instances can be grouped together for Source-VRF group or Destination-VRF group, use the following information:
Source-VRF instances—List of VRF instances that negotiates different MPLS paths to the same in-bound destination.
Destination-VRF instances— List of VRF instances that contain the destination routes for a given L3VPN traffic.
If the traffic is initiated in the opposite direction, the VRF groups switch roles with respect to the direction of the traffic.
VRF Movement
From Figure 3, the initial traffic flow for a session establishment is from left to right. The traffic enters GRE-Zone1, then enters Source-VRF group (A) and passes through Destination-VRF group (A’) before it exits through GRE_Zone2.
Similarly, the policy search is initiated from GRE_Zone1->Source-VRF
group(A)->Destination-VRF group->(A’)->GRE_Zone2 and the
flow sessions is set-up, using Source-VRF group (A) and Destination-VRF
group (A) as an additional key values in sessions. When the flow sessions
are done using VRF groups, traffic can switch (re-route) from one
VRF to another VRF within Group.
VRF group-ID
For storing the VRF group-ID, a 16-bits number is used in a session key data structure.
Configuring VRF groups
To configure a VRF group, use the following steps:
List the VRF instances that needs to be grouped.
Assign a name to the VRF group.
Apply the VRF instances and the VRF group name in the CLI command
set security l3vpn vrf-group group-name vrf vrf1 vrf vrf2
The source and destination VRF groups are configured separately based on different context.
Source VRF group—The source VRF group for routing-instance is associated with MPLS packet. When the device receives a MPLS packet, the packet is decoded and mapped to LSI interface. The LSI interface contains the routing table information that helps in identifying the VRF group details.
Destination VRF group—During first-path flow processing of packet for a new session, the destination route information is required to route the packet to the next-hop or interface. Flow searches the routing table to get the route information. When the received route information points to MPLS as next-hop, then the VRF of this route is used to identify the destination VRF group.
The source and destination VRF groups are same in some cases when you prefer to control all the related VRFs in a L3VPN network.
VRF group Operations
When a VRF group is configured, a Group-ID is created which is unique for different VRF groups. You can perform different operations such as adding, removing, or modifying a VRF to a VRF group.
Adding VRF to a VRF group
When a VRF is added to a VRF group, the corresponding VRF group-ID is assigned to the VRF. When you add a VRF to VRF group, remember the following:
A VRF can be added to only one VRF group. It cannot be a part of multiple VRF groups.
A maximum of 32 VRFs are be configured in a VRF group.
When a VRF is added, it impacts the existing session and a new session is created as per policy.
When new sessions are created after adding a new VRF to VRF group, the sessions use the new VRF group-ID of the new VRF.
Removing VRF from a VRF group
When a VRF is removed from a VRF group, the VRF group-ID of that VRF group changes to zero but the VRF will still be available in the device. When you remove a VRF from a VRF group, it impacts the existing sessions in two ways:
Impacting existing sessions—When a VRF is removed from the VRF group, the existing session is removed and a new session will be created as per policy
Match Traffic—When a VRF is removed from VRF group, the VRF group-ID for that VRF changes to zero and hence will not match the session. The packet drops and a new session is created as per policy.
When a VRF is removed from the VRF group, the new session that is processed using the impacted VRF installs a new VRF group-ID. This VRF group-ID will be zero, or a new Group-ID is created if you add the VRF to a new VRF group
Modifying VRF group
Modifying a VRF group involves the following operations:
Changing VRF group name: When you change the VRF group name, the policy module scans the existing sessions to verify if the new VRF group name matches the existing rules.
Adding VRF to VRF group: When a VRF is added to a VRF group, the corresponding VRF group-ID is assigned to the VRF.
Removing VRF from VRF group: When a VRF is removed from a VRF group, the VRF group-ID of that VRF changes to zero and still the VRF will be available in the device.
Removing VRF group
When you remove a VRF group using CLI, a session scan will be performed on the existing sessions to match the VRF group that is removed. If the session match the removed VRF group, then that session is removed from the device by setting an invalid timeout. For sessions that does not match the removed VRP-Group-ID are not impacted.
Flow Processing using Virtual Routing and Forwarding Group
- First Path Processing using VRF Group
- Fast Path Processing using VRF Group
- Example: Configuring a Security Policy to Permit VRF-Based Traffic from an IP Network to MPLS Network using VRF Group
- Example: Configuring a Security Policy to Permit VRF-Based Traffic from MPLS Network to an IP Network using VRF Group
- Example: Configuring a Security Policy to Permit VRF-Based Traffic from Public IP Network to MPLS Network using VRF Group
- Example: Configuring a Security Policy to Permit VRF-Based Traffic from MPLS Network to Public IP Network to using VRF Group
- Example: Configuring a Security Policy to Permit VRF-Based Traffic from MPLS Network to MPLS Network without NAT using VRF Group
- Example: Configuring a Security Policy to Permit VRF-Based Traffic from MPLS Network to MPLS Network using NAT and VRF Group
- Multicast Support in SD-WAN Deployments
First Path Processing using VRF Group
To process a packet, the first path processing performs the following:
MPLS Decoder—When flow receives a MPLS or non-MPLS packet, the packet is processed to retrieve the details of the incoming packet, interface, and routing-instance of the incoming interface.
FBF configuration—When you configure FBF rules to re-direct the incoming packets to different routing-instance, the FBF rule finds the routing-instance information and pass the FBF routing-instance information instead of packet incoming interface routing-instance. This FBF VRF should be a part of VRF group to control the L3VPN network.
Initialize Routing-Table—When the flow receives the packet, the initial routing-table for the packet is created. If the FBF configuration matches the firewall filters, then the routing-instance information from FBF is used for route look-up. Else, flow uses the incoming interface routing-instance information for route look-up.
Finding Source VRF group—If the incoming packet is from MPLS network, then the packet is mapped to the VRF instance of source VRF group. If the incoming packet is not MPLS packet, then the source VRF group id is zero.
Destination NAT using VRF group—Flow checks if the destination IP needs NAT translation. Destination NAT supports two types of match criteria for VRF:
NAT rule search using VRF routing-group.
NAT rule result using VRF routing-instance and NAT information.
Destination Route—The route look-up which is done in initial route table is used to identify the outgoing interface and destination-VRF information. This information is used in policy search and session installation.
Final next-hop—The first step in finding destination route is to find final the next-hop of the pointed route. Using this next-hop, flow will check if the next-hop points to MPLS network or not. If it is not pointing to MPLS network, the destination VRF group will be zero.
Destination VRF group— When the destination VRF is identified, the destination VRF Group-ID is initialized. If the destination VRF is not assigned to any group, it is set to zero.
First Path Policy Search—Flow performs policy search to check if the packet needs to be permitted or denied. Flow gathers the 5-tuple policy-key information and VRF information and this information is used by policy search module to find the appropriate VRF policy.
Source NAT using VRF group—Flow session does source NAT using source VRF group NAT rule search. Source-NAT supports two types of NAT search criteria.
Source-NAT rule search using VRF group.
Static-NAT rule search using VRF group or VRF instance.
Static NAT using VRF group or VRF instance—Static NAT supports routing-group in rule-set and routing-instance in rule with VRF type.
When static NAT matches as destination NAT translation for a given IP packet, the VRF routing-group will be one of the match criteria and the VRF routing-instance ill be used as destination routing table.
When static NAT matches as source NAT translation for a given IP packet, the VRF routing-instance will be one of the match criteria.
Session Installation using VRF group—During session installation process, source VRF group-ID is stored in forward-wing indicating that the wing points MPLS network. The destination VRF group-ID that is found from route look-up is stored in reverse-wing indicating that the wing points MPLS network.
Re-routing using VRF group—Once the session is established using VRF group information, re-route is initiated if the interface is down or initial route is not available. These changed routes should be part of same VRF group (Source-VRF group/Destination-VRF group), in which the session is initially established on either side. Else, traffic will not match session and future traffic of session might get dropped or create new sessions as per policy.
Fast Path Processing using VRF Group
The fast path processing performs the following steps to process a packet.
MPLS Decoder—When a packet MPLS or non-MPLS packet is received, the packet undergoes MPLS processing. When the processing is complete, the flow receives the details of the incoming packet, interface, and routing-instance of the incoming interface.
FBF configuration—When you configure FBF rules to re-direct the incoming packets to different routing-instance, the FBF rule finds the routing-instance information and pass the FBF routing-instance information instead of packet incoming interface routing-instance. This FBF VRF should be a part of VRF group to control the L3VPN network.
Session look-up using VRF Group-ID—During session look-up process, flow checks whether to pass the VRF Group-ID in session key for look-up. If the incoming interface is MPLS, flow will pass the VRF Group-ID information of the mapped VRF routing-instance to session key along with other key tuple information. If the incoming interface is not MPLS, the VRF Group-ID will be zero.
Session Route change—If the route changes for session in mid-stream, flow checks for the new VRF that belongs to this route. If the new VRF Group-ID differs from the VRF Group-ID of the session, then the route will not be processed and the future packets are dropped. Hence, for re-routing the new route should belong to a VRF that belongs to session VRF Group.
VRF Group policy change—When VRF group session policy is changed due to policy attributes such as zone/interface/IP/Source-VRF group/Destination-VRF group, the policy will be re-matched for the same session by supplying policy 5-tuple along with source VRF group and destination VRF group values to check if the policy is valid or not. Upon re-match, if policy does not match the session information, then the session terminates.
VRF session display—Source-VRF Group and Destination-VRF Group are displayed in session output display to differentiate different VRF group for the same tuple.
High Availability—High availability is supported with no behavior change when additional VRF group-ID information is synchronized to the HA peer node for differentiating different VRF group in the session
Example: Configuring a Security Policy to Permit VRF-Based Traffic from an IP Network to MPLS Network using VRF Group
This example shows how to configure a security policy to permit traffic from a private IP network to MPLs network using VRF group.
Requirements
-
Supported SRX Series Firewall with Junos OS Release 15.1X49-D170 or later. This configuration example is tested for Junos OS Release 15.1X49-D170.
Overview
In Junos OS, security policies enforce rules for transit traffic, in terms of what traffic can pass through the device and the actions that need to take place on the traffic as it passes through the device. In Figure 4, an SRX Series Firewall is deployed in an SD-WAN to permit the traffic from a private IP network to MPLS network using VRF group.
This configuration example shows how to:
Permit traffic from IP network (LAN-a) to VRF group
Permit traffic from IP network (LAN-b) to VRF group
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security l3vpn vrf-group vpn-A vrf VRF-A1 set security l3vpn vrf-group vpn-A vrf VRF-A2 set security l3vpn vrf-group vpn-A1 vrf VRF-A11 set security l3vpn vrf-group vpn-A1 vrf VRF-A21 set security l3vpn vrf-group vpn-B vrf VRF-B1 set security l3vpn vrf-group vpn-B vrf VRF-B2 set security l3vpn vrf-group vpn-B1 vrf VRF-B11 set security l3vpn vrf-group vpn-B1 vrf VRF-B21 set security policies from-zone LAN-a_Zone to-zone GRE_Zone policy vrf-a_policy match source-address any set security policies from-zone LAN-a_Zone to-zone GRE_Zone policy vrf-a_policy match destination-address any set security policies from-zone LAN-a_Zone to-zone GRE_Zone policy vrf-a_policy match application any set security policies from-zone LAN-a_Zone to-zone GRE_Zone policy vrf-a_policy match destination-l3vpn-vrf-group vpn-A1 set security policies from-zone LAN-a_Zone to-zone GRE_Zone policy vrf-a_policy then permit set security policies from-zone LAN-b_Zone to-zone GRE_Zone policy vrf-b_policy match source-address any set security policies from-zone LAN-b_Zone to-zone GRE_Zone policy vrf-b_policy match destination-address any set security policies from-zone LAN-b_Zone to-zone GRE_Zone policy vrf-b_policy match application any set security policies from-zone LAN-b_Zone to-zone GRE_Zone policy vrf-b_policy match destination-l3vpn-vrf-group vpn-B1 set security policies from-zone LAN-b_Zone to-zone GRE_Zone policy vrf-b_policy then permit
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in theCLI User Guide.
Create VRF group vpn-A with VRF instances A1 and A2
[edit security] user@host# set l3vpn vrf-group vpn-A vrf VRF-A1 user@host# set l3vpn vrf-group vpn-A vrf VRF-A2
Create VRF group vpn-A1 with VRF instances A11, and A21
[edit security] user@host# set l3vpn vrf-group vpn-A1 vrf VRF-A11 user@host# set l3vpn vrf-group vpn-A1 vrf VRF-A21
Create VRF group vpn-B with VRF instances B1 and B2
[edit security] user@host# set l3vpn VRF group vpn-B vrf VRF-B1 user@host# set l3vpn VRF group vpn-B vrf VRF-B2
Create VRF group vpn-B1 with VRF instances B11 and B21
[edit security] user@host# set l3vpn vrf-group vpn-B1 vrf VRF-B11 user@host# set l3vpn vrf-group vpn-B1 vrf VRF-B21
Create a security policy to permit vrf-a traffic.
[edit security policies from-zone LAN-a_Zone to-zone GRE_Zone] user@host# set policy vrf-a_policy match source-address any user@host# set policy vrf-a_policy match destination-address any user@host# set policy vrf-a_policy match application any user@host# set policy vrf-a_policy match destination-l3vpn-vrf-group vpn-A1 user@host# set policy vrf-a_policy then permit
Create a security policy to permit vrf-b traffic.
[edit security policies from-zone LAN-a_Zone to-zone GRE_Zone] user@host# set policy vrf-b_policy match source-address any user@host# set policy vrf-b_policy match destination-address any user@host# set policy vrf-b_policy match application any user@host# set policy vrf-b_policy match destination-l3vpn-vrf-group vpn-B1 user@host# set policy vrf-b_policy then permit
Results
From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security policies
from-zone LAN-a_Zone to-zone GRE_Zone {
policy vrf-a_policy {
match {
source-address any;
destination-address any;
application any;
source-l3vpn-VRF group vpn-A1;
}
then {
permit;
}
}
from-zone LAN-b_Zone to-zone GRE_Zone {
policy vrf-b_policy {
match {
source-address any;
destination-address any;
application any;
source-l3vpn-VRF group vpn-B1;
}
then {
permit;
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Verifying Policy Configuration
Purpose
Verify information about security policies.
Action
From operational mode, enter the show security policies command to display a summary of all the security policies configured on the device.
user@root> show security policies
Default policy: permit-all
From zone: LAN-a_Zone, To zone: GRE_Zone
Policy: vrf-a_policy, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
Source L3VPN vrf-group: vpn-A1
destination L3VPN VRF Group: any
Source addresses: any
Destination addresses: any
Applications: any
Action: permit
From zone: LAN-b_Zone, To zone: GRE_Zone
Policy: vrf-b_policy, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
Source L3VPN vrf-group: vpn-B1
destination L3VPN VRF Group: any
Source addresses: any
Destination addresses: any
Applications: any
Action: permit
Example: Configuring a Security Policy to Permit VRF-Based Traffic from MPLS Network to an IP Network using VRF Group
This example shows how to configure a security policy to permit traffic from MPLS to IP netwrok using the VRF group.
Requirements
-
Supported SRX Series Firewall with Junos OS Release 15.1X49-D170 or later. This configuration example is tested for Junos OS Release 15.1X49-D170.
-
Configure network interfaces on the device. See Interfaces User Guide for Security Devices.
Overview
In Junos OS, security policies enforce rules for transit traffic, in terms of what traffic can pass through the device and the actions that need to take place on the traffic as it passes through the device. In Figure 5, an SRX Series Firewall is deployed in an SD-WAN to permit traffic from a MPLS network to private network using VRF group.
This configuration example shows how to:
Permit traffic from GRE MPLS to LAN-a
Permit traffic from GRE MPLS to LAN-b
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security l3vpn vrf-group vpn-A vrf VRF-A1 set security l3vpn vrf-group vpn-A vrf VRF-A2 set security l3vpn vrf-group vpn-B vrf VRF-B1 set security l3vpn vrf-group vpn-B vrf VRF-B2 set security policies from-zone GRE_Zone to-zone LAN-a_Zone policy vrf-a_policy match source-address any set security policies from-zone GRE_Zone to-zone LAN-a_Zone policy vrf-a_policy match destination-address any set security policies from-zone GRE_Zone to-zone LAN-a_Zone policy vrf-a_policy match application any set security policies from-zone GRE_Zone to-zone LAN-a_Zone policy vrf-a_policy match source-l3vpn-vrf-group vpn-A set security policies from-zone GRE_Zone to-zone LAN-a_Zone policy vrf-a_policy then permit set security policies from-zone GRE_Zone to-zone LAN-b_Zone policy vrf-b_policy match source-address any set security policies from-zone GRE_Zone to-zone LAN-b_Zone policy vrf-b_policy match destination-address any set security policies from-zone GRE_Zone to-zone LAN-b_Zone policy vrf-b_policy match application any set security policies from-zone GRE_Zone to-zone LAN-b_Zone policy vrf-b_policy match source-l3vpn-vrf-group vpn-B set security policies from-zone GRE_Zone to-zone LAN-b_Zone policy vrf-b_policy then permit
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in theCLI User Guide.
Create VRF group vpn-A with VRF instances A1 and A2.
[edit security] user@host# set l3vpn vrf-group vpn-A vrf VRF-A1 user@host# set l3vpn vrf-group vpn-A vrf VRF-A2
Create VRF group vpn-B with VRF instances B1 and B2.
[edit security] user@host# set l3vpn vrf-group vpn-B vrf VRF-B1 user@host# set l3vpn vrf-group vpn-B vrf VRF-B2
Create a security policy to permit VRF-a traffic.
[edit security policies from-zone GRE_Zone to-zone LAN-a_Zone] user@host# set policy vrf-a_policy match source-address any user@host# set policy vrf-a_policy match destination-address any user@host# set policy vrf-a_policy match application any user@host# set policy vrf-a_policy match source-l3vpn-vrf-group vpn-A user@host# set policy vrf-a_policy then permit
Create a security policy to permit VRF-b traffic.
[edit security policies from-zone GRE_Zone to-zone LAN-b_Zone] user@host# set policy vrf-b_policy match source-address any user@host# set policy vrf-b_policy match destination-address any user@host# set policy vrf-b_policy match application any user@host# set policy vrf-b_policy match destination-l3vpn-vrf-group vpn-B user@host# set policy vrf-b_policy then permit
Results
From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security policies
from-zone GRE_Zone to-zone LAN-a_Zone {
policy vrf-a_policy {
match {
source-address any;
destination-address any;
application any;
destination-l3vpn-vrf-group vpn-A;
}
then {
permit;
}
}
from-zone GRE_Zone to-zone LAN-b_Zone {
policy vrf-b_policy {
match {
source-address any;
destination-address any;
application any;
destination-l3vpn-vrf-group vpn-B;
}
then {
permit;
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Verifying Policy Configuration
Purpose
Verify information about security policies.
Action
From operational mode, enter the show security policies command to display a summary of all the security policies configured on the device.
user@root> show security policies
Default policy: permit-all
From zone: GRE_Zone, To zone: LAN-a_Zone
Policy: vrf-a_policy, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
Source L3VPN VRF-Group: any
destination L3VPN VRF Group: vpn-A
Source addresses: any
Destination addresses: any
Applications: any
Action: permit
From zone: GRE_Zone, To zone: LAN-b_Zone
Policy: vrf-b_policy, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
Source L3VPN VRF Group: any
destination L3VPN VRF-Group: vpn-B
Source addresses: any
Destination addresses: any
Applications: any
Action: permit
Example: Configuring a Security Policy to Permit VRF-Based Traffic from Public IP Network to MPLS Network using VRF Group
This example describes how to configure the destination NAT rule to translate incoming public IP network to MPLS network using VRF group.
Requirements
Understand how SRX Series Firewalls work in an SD-WAN deployment for NAT.
Understand Virtual Routing and Forwarding Instances. See Virtual Routing and Forwarding Instances in SD-WAN Deployments.
Overview
In Figure 6, an SRX Series Firewall is configured with destination NAT rule to translate incoming public IP network to per VRF based destination routing table and IP. The SRX Series Firewall is configured with two VRF groups, vpn-A and vpn-B.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security l3vpn vrf-group vpn-A vrf VRF-A1 set security l3vpn vrf-group vpn-A vrf VRF-A2 set security l3vpn vrf-group vpn-B vrf VRF-B1 set security l3vpn vrf-group vpn-B vrf VRF-B2 set security nat destination pool vrf-a_p routing-instance VRF-a set security nat destination pool vrf-a_p address 192.168.1.200 set security nat destination rule-set rs from interface ge-0/0/1.0 set security nat destination rule-set rs rule vrf-a_r match destination-address 203.0.113.200 set security nat destination rule-set rs rule vrf-a_r then destination-nat pool vrf-a_p set security nat destination pool vrf-b_p routing-instance VRF-b set security nat destination pool vrf-b_p address 192.168.1.201 set security nat destination rule-set rs from interface ge-0/0/1.1 set security nat destination rule-set rs rule vrf-b_r match destination-address 203.0.113.201 set security nat destination rule-set rs rule vrf-b_r then destination-nat pool vrf-b_p set security policies from-zone GE_Zone to-zone GRE_Zone policy vrf-a_policy match source-address any set security policies from-zone GE_Zone to-zone GRE_Zone policy vrf-a_policy match destination-address any set security policies from-zone GE_Zone to-zone GRE_Zone policy vrf-a_policy match application any set security policies from-zone GE_Zone to-zone GRE_Zone policy vrf-a_policy match source-l3vpn-vrf-group vpn-A set security policies from-zone GE_Zone to-zone GRE_Zone policy vrf-a_policy then permit set security policies from-zone GE_Zone to-zone GRE_Zone policy vrf-b_policy match source-address any set security policies from-zone GE_Zone to-zone GRE_Zone policy vrf-b_policy match destination-address any set security policies from-zone GE_Zone to-zone GRE_Zone policy vrf-b_policy match application any set security policies from-zone GE_Zone to-zone GRE_Zone policy vrf-b_policy match source-l3vpn-vrf-group vpn-B set security policies from-zone GE_Zone to-zone GRE_Zone policy vrf-b_policy then permit
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in theCLI User Guide.
To configure destination NAT mapping for a single VRF:
In Layer 3 VPNs create a VRF group vpn-A with VRF instances A1 and A2.
[edit security] user@host#set l3vpn vrf-group vpn-A vrf VRF-A1 user@host#set l3vpn vrf-group vpn-A vrf VRF-A2
Create another VRF group vpn-B with VRF instances B1 and B2.
[edit security] user@host#set l3vpn vrf-group vpn-B vrf VRF-B1 user@host#set l3vpn vrf-group vpn-B vrf VRF-B2
Specify a destination NAT IP address pool.
[edit security nat destination] user@host# set pool vrf-a_p address 192.168.1.200 user@host# set pool vrf-b_p address 192.168.1.201
Assign the routing instance to the destination pool.
[edit security nat destination] user@host# set pool vrf-a_p routing-instance VRF-a user@host# set pool vrf-b_p routing-instance VRF-b
Create a destination NAT rule set.
[edit security nat destination] user@host# set rule-set rs from routing-group vpn-A user@host# set rule-set rs from routing-group vpn-B user@host# set rule-set rs from interface ge-0/0/1.0 user@host# set rule-set rs from interface ge-0/0/1.1
Configure a rule that matches packets and translates the destination IP address to an IP address in the destination NAT IP address pool.
[edit security nat destination] user@host# set rule-set rs rule vrf-a_r match destination-address 203.0.113.200 user@host# set rule-set rs rule vrf-a_r then destination-nat pool vrf-a_p user@host# set rule-set rs rule vrf-b_r match destination-address 203.0.113.201 user@host# set rule-set rs rule vrf-b_r then destination-nat pool vrf-b_p
Create a security policy to permit VRF-a traffic.
[edit security policies from-zone GE_Zone to-zone GRE_Zone] user@host# set policy vrf-a_policy match source-address any user@host# set policy vrf-a_policy match destination-address any user@host# set policy vrf-a_policy match application any user@host# set policy vrf-a_policy match destination-l3vpn-vrf-group vpn-A user@host# set policy vrf-a_policy then permit
Create a security policy to permit VRF-b traffic.
[edit security policies from-zone GE_Zone to-zone GRE_Zone] user@host# set policy vrf-b_policy match source-address any user@host# set policy vrf-b_policy match destination-address any user@host# set policy vrf-b_policy match application any user@host# set policy vrf-b_policy match destination-l3vpn-vrf-group vpn-B user@host# set policy vrf-b_policy then permit
Results
From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security nat
destination {
pool vrf-a_p {
routing-instance {
VRF-a;
}
address 192.168.1.200/32;
}
pool vrf-b_p {
routing-instance {
VRF-b;
}
address 192.168.1.201/32;
}
rule-set rs {
from interface [ ge-0/0/1.0 ge-0/0/1.1 ];
rule vrf-a_r {
match {
destination-address 203.0.113.200/32;
}
then {
destination-nat {
pool {
vrf-a_p;
}
}
}
}
rule vrf-b_r {
match {
destination-address 203.0.113.201/32;
}
then {
destination-nat {
pool {
vrf-b_p;
}
}
}
}
}
}
[edit]
user@host# show security policies
from-zone GE_Zone to-zone GRE_Zone {
policy vrf-a_policy {
match {
source-address any;
destination-address any;
application any;
destination-l3vpn-vrf-group vpn-A;
}
then {
permit;
}
}
policy vrf-b_policy {
match {
source-address any;
destination-address any;
application any;
destination-l3vpn-vrf-group vpn-B;
}
then {
permit;
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Verifying Destination NAT Rule Usage and Security Policies
Purpose
Verify that there is traffic matching the destination NAT rule.
Action
From operational mode, enter the show security nat destination rule all command. In the Translation hits field, verify whether there is traffic that matches the destination NAT rule.
user@host> show security nat destination rule all
Total destination-nat rules: 2
Total referenced IPv4/IPv6 ip-prefixes: 2/0
Destination NAT rule: vrf-a_r Rule-set: rs
Rule-Id : 1
Rule position : 1
From interface : ge-0/0/1.0
Destination addresses : 203.0.113.200 - 203.0.113.200
Action : vrf-a_p
Translation hits : 0
Successful sessions : 0
Failed sessions : 0
Number of sessions : 0
Destination NAT rule : vrf-b_r
Rule-set : rs
Rule-Id : 2
Rule position : 2
From interface : ge-0/0/1.1
Destination addresses : 203.0.113.201 - 203.0.113.201
Action : vrf-b_p
Translation hits : 0
Successful sessions : 0
Failed sessions : 0
Number of sessions : 0
From operational mode, enter the show security policies command to display a summary of all the security policies configured on the device.
user@root> show security policies
Default policy: permit-all
From zone: GE_Zone, To zone: GRE_Zone
Policy: vrf-a_policy, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
Source L3VPN VRF Group: any
destination L3VPN VRF-Group: vpn-A
Source addresses: any
Destination addresses: any
Applications: any
Action: permit
From zone: GE_Zone, To zone: GRE_Zone
Policy: vrf-b_policy, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
Source L3VPN VRF Group: any
destination L3VPN VRF-Group: vpn-B
Source addresses: any
Destination addresses: any
Applications: any
Action: permit
Example: Configuring a Security Policy to Permit VRF-Based Traffic from MPLS Network to Public IP Network to using VRF Group
This example describes how to configure the routing group to translate per VRF group network traffic to global IP pool.
Requirements
Understand how SRX Series Firewalls work in an SD-WAN deployment for NAT.
Understand Virtual Routing and Forwarding Instances. See Virtual Routing and Forwarding Instances in SD-WAN Deployments.
Overview
In Figure 7, an SRX Series Firewall is configured with routing group to permit VRF group network traffic from MPLS to global IP pool. The SRX Series Firewall is configured with two VRF groups, vpn-A and vpn-B.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security l3vpn vrf-group vpn-A vrf VRF-A1 set security l3vpn vrf-group vpn-A vrf VRF-A2 set security l3vpn vrf-group vpn-B vrf VRF-B1 set security l3vpn vrf-group vpn-B vrf VRF-B2 set security nat source pool vrf-a_p address 203.0.113.200 set security nat source rule-set vrf-a_rs from routing-group vpn-A set security nat source rule-set vrf-a_rs to zone GE_Zone set security nat source rule-set vrf-a_rs rule rule1 match source-address 192.168.1.200 set security nat source rule-set vrf-a_rs rule rule1 then source-nat pool vrf-a_p set security nat source pool vrf-b_p address 203.0.113.201 set security nat source rule-set vrf-b_rs from routing-group vpn-B set security nat source rule-set vrf-b_rs to zone GE_Zone set security nat source rule-set vrf-b_rs rule rule2 match source-address 192.168.1.201 set security nat source rule-set vpn-b_rs rule rule2 then source-nat pool vrf-b_p set security policies from-zone GRE_Zone to-zone GE_Zone policy vrf-a_policy match source-address any set security policies from-zone GRE_Zone to-zone GE_Zone policy vrf-a_policy match destination-address any set security policies from-zone GRE_Zone to-zone GE_Zone policy vrf-a_policy match application any set security policies from-zone GRE_Zone to-zone GE_Zone policy vrf-a_policy match source-l3vpn-vrf-group vpn-A set security policies from-zone GRE_Zone to-zone GE_Zone policy vrf-a_policy then permit set security policies from-zone GRE_Zone to-zone GE_Zone policy vrf-b_policy match source-address any set security policies from-zone GRE_Zone to-zone GE_Zone policy vrf-b_policy match destination-address any set security policies from-zone GRE_Zone to-zone GE_Zone policy vrf-b_policy match application any set security policies from-zone GRE_Zone to-zone GE_Zone policy vrf-b_policy match source-l3vpn-vrf-group vpn-B set security policies from-zone GRE_Zone to-zone GE_Zone policy vrf-b_policy then permit
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in theCLI User Guide.
To configure source NAT mapping for a single VRF:
In Layer 3 VPNs create a VRF group vpn-A with VRF instances A1 and A2.
[edit security] user@host#set l3vpn vrf-group vpn-A vrf VRF-A1 user@host#set l3vpn vrf-group vpn-A vrf VRF-A2
Create another VRF group vpn-B with VRF instances B1 and B2.
[edit security] user@host#set l3vpn vrf-group vpn-B vrf VRF-B1 user@host#set l3vpn vrf-group vpn-B vrf VRF-B2
Specify a source NAT IP address pool.
[edit security nat source] user@host# set pool vrf-a_p address 192.168.1.200 user@host# set pool vrf-b_p address 192.168.1.201
Create a source NAT rule set.
[edit security nat source] user@host# set rule-set rs from routing-group vpn-A user@host# set rule-set rs from routing-group vpn-B user@host# set rule-set rs to zone GE_Zone
Configure a rule that matches packets and translates per VRF group network traffic to global IP pool.
[edit security nat source] user@host# set rule-set rs rule vrf-a_r match destination-address 203.0.113.200 user@host# set rule-set rs rule vrf-a_r then destination-nat pool vrf-a_p user@host# set rule-set rs rule vrf-b_r match destination-address 203.0.113.201 user@host# set rule-set rs rule vrf-b_r then destination-nat pool vrf-b_p
Create a security policy to permit vpn-A traffic.
[edit security policies from-zone GRE_Zone to-zone GE_Zone] user@host# set policy vrf-a_policy match source-address any user@host# set policy vrf-a_policy match destination-address any user@host# set policy vrf-a_policy match application any user@host# set policy vrf-a_policy match destination-l3vpn-vrf-group vpn-A user@host# set policy vrf-a_policy then permit
Create a security policy to permit vpn-B traffic.
[edit security policies from-zone GRE_Zone to-zone GE_Zone] user@host# set policy vrf-b_policy match source-address any user@host# set policy vrf-b_policy match destination-address any user@host# set policy vrf-b_policy match application any user@host# set policy vrf-b_policy match destination-l3vpn-vrf-group vpn-B user@host# set policy vrf-b_policy then permit
Results
From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security nat
source {
pool vrf-a_p {
address {
203.0.113.200/32;
}
}
pool vrf-b_p {
address {
203.0.113.201/32;
}
}
rule-set vrf-a_rs {
from routing-group vpn-A;
to zone GE_Zone1;
rule rule1 {
match {
source-address 192.168.1.200/32;
}
then {
source-nat {
pool {
vrf-a_p;
}
}
}
}
rule-set vrf-b_rs {
from routing-group vpn-B;
to zone GE_Zone;
match {
source-address 192.168.1.201/32;
}
then {
source-nat {
pool {
vrf-b_p;
}
}
}
}
}
}
[edit]
user@host# show security policies
from-zone GRE_Zone to-zone GE_Zone {
policy vrf-a_policy {
match {
source-address any;
destination-address any;
application any;
destination-l3vpn-vrf-group vpn-A;
}
then {
permit;
}
}
policy vrf-b_policy {
match {
source-address any;
destination-address any;
application any;
destination-l3vpn-vrf-group vpn-B;
}
then {
permit;
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Verifying Destination NAT Rule Usage and Security Policies
Purpose
Verify that there is traffic matching the source NAT rule.
Action
From operational mode, enter the show security nat source rule all command. In the Translation hits field, verify whether there is traffic that matches the source NAT rule.
user@host> show security nat source rule all
Total source-nat rules: 2
Total referenced IPv4/IPv6 ip-prefixes: 2/0
Source NAT rule : vrf-a_r
Rule-set: rs
Rule-Id : 1
Rule position : 1
From routing-group : vpn-A To zone : GE_Zone1
Source addresses : 203.0.113.200 - 203.0.113.200
Action : vrf-a_p
Translation hits : 0
Successful sessions : 0
Failed sessions : 0
Number of sessions : 0
Source NAT rule : vrf-b_r
Rule-set: rs
Rule-Id : 2
Rule position : 2
From routing-group : vpn-A
To zone : GE_Zone
Destination addresses : 203.0.113.201 - 203.0.113.201
Action : vrf-b_p
Translation hits : 0
Successful sessions : 0
Failed sessions : 0
Number of sessions : 0
From operational mode, enter the show security policies command to display a summary of all the security policies configured on the device.
user@root> show security policies
Default policy: permit-all
From zone: GRE_Zone, To zone: GE_Zone
Policy: vrf-a_policy, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
Source L3VPN VRF Group: any
destination L3VPN VRF Group: vpn-A
Source addresses: any
Destination addresses: any
Applications: any
Action: permit
From zone: GRE_Zone, To zone: GE_Zone
Policy: vrf-b_policy, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
Source L3VPN VRF Group: any
destination L3VPN VRF Group: vpn-B
Source addresses: any
Destination addresses: any
Applications: any
Action: permit
Example: Configuring a Security Policy to Permit VRF-Based Traffic from MPLS Network to MPLS Network without NAT using VRF Group
This example describes how to configure the routing group to permit traffic between MPLS networks without using NAT.
Requirements
Understand how SRX Series Firewalls work in an SD-WAN deployment for NAT.
Understand Virtual Routing and Forwarding Instances. See Virtual Routing and Forwarding Instances in SD-WAN Deployments.
Overview
In Figure 8, an SRX Series Firewall is configured with routing group to permit traffic between MPLS networks without using NAT. The SRX Series Firewall is configured with two VRF groups, vpn-A and vpn-B.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security l3vpn vrf-group vpn-A vrf VRF-A1 set security l3vpn vrf-group vpn-A vrf VRF-A2 set security l3vpn vrf-group vpn-A1 vrf VRF-A11 set security l3vpn vrf-group vpn-A1 vrf VRF-A12 set security l3vpn vrf-group vpn-B vrf VRF-B1 set security l3vpn vrf-group vpn-B vrf VRF-B2 set security l3vpn vrf-group vpn-B1 vrf VRF-B11 set security l3vpn vrf-group vpn-B1 vrf VRF-B12 set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-a_policy match source-address any set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-a_policy match destination-address any set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-a_policy match application any set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-a_policy match source-l3vpn-vrf-group vpn-A1 set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-a_policy then permit set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-b_policy match source-address any set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-b_policy match destination-address any set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-b_policy match application any set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-b_policy match source-l3vpn-vrf-group vpn-B1 set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-b_policy then permit
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure source NAT mapping for a single VRF:
In Layer 3 VPNs create a VRF group vpn-A with VRF instances A1and A2.
[edit security] user@host#set l3vpn vrf-group vpn-A vrf VRF-A1 user@host#set l3vpn vrf-group vpn-A vrf VRF-A2
In Layer 3 VPNs create a VRF group vpn-A1 with VRF instances A11and A12.
[edit security] user@host#set l3vpn vrf-group vpn-A1 vrf VRF-A11 user@host#set l3vpn vrf-group vpn-A1 vrf VRF-A12
Create another VRF group vpn-B with VRF instances B1 and B2.
[edit security] user@host#set l3vpn vrf-group vpn-B vrf VRF-B1 user@host#set l3vpn vrf-group vpn-B vrf VRF-B2
Create another VRF group vpn-B1 with VRF instances B11 and B12.
[edit security] user@host#set l3vpn vrf-group vpn-B1 vrf VRF-B11 user@host#set l3vpn vrf-group vpn-B1 vrf VRF-B12
Create a security policy to permit vpn-A1 traffic.
[edit security policies from-zone GRE-1_Zone to-zone GRE-2_Zone] user@host# set policy vrf-a_policy match source-address any user@host# set policy vrf-a_policy match destination-address any user@host# set policy vrf-a_policy match application any user@host# set policy vrf-a_policy match destination-l3vpn-vrf-group vpn-A1 user@host# set policy vrf-a_policy then permit
Create a security policy to permit vpn-B1 traffic.
[edit security policies from-zone GRE-1_Zone to-zone GRE-2_Zone] user@host# set policy vrf-b_policy match source-address any user@host# set policy vrf-b_policy match destination-address any user@host# set policy vrf-b_policy match application any user@host# set policy vrf-b_policy match destination-l3vpn-vrf-group vpn-B1 user@host# set policy vrf-b_policy then permit
Results
From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security policies
from-zone GRE-1_Zone to-zone GRE-2_Zone {
policy vrf-a_policy {
match {
source-address any;
destination-address any;
application any;
destination-l3vpn-vrf-group vpn-A1;
}
then {
permit;
}
}
policy vrf-b_policy {
match {
source-address any;
destination-address any;
application any;
destination-l3vpn-vrf-group vpn-B1;
}
then {
permit;
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Verifying Security Policies
Purpose
Verify that configuration output of security policies.
Action
From operational mode, enter the show security policies command to display a summary of all the security policies configured on the device.
user@root> show security policies
Default policy: permit-all
From zone: GRE-1_Zone, To zone: GRE-2_Zone
Policy: vrf-a_policy, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
Source L3VPN VRF Group: any
destination L3VPN VRF-Group: vpn-A1
Source addresses: any
Destination addresses: any
Applications: any
Action: permit
From zone: GRE-1_Zone, To zone: GRE-2_Zone
Policy: vrf-b_policy, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
Source L3VPN VRF Group: any
destination L3VPN VRF-Group: vpn-B1
Source addresses: any
Destination addresses: any
Applications: any
Action: permit
Example: Configuring a Security Policy to Permit VRF-Based Traffic from MPLS Network to MPLS Network using NAT and VRF Group
This example describes how to configure the routing group and permit traffic between MPLS networks using NAT.
Requirements
Understand how SRX Series Firewalls work in an SD-WAN deployment for NAT.
Understand Virtual Routing and Forwarding Instances. See Virtual Routing and Forwarding Instances in SD-WAN Deployments.
Overview
In Figure 9, an SRX Series Firewall is configured the routing group and permit traffic between MPLS networks using NAT. The SRX Series Firewall is configured with the VRF groups, vpn-A, vpn-A1, vpn-B, and vpn-B1.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security l3vpn vrf-group vpn-A vrf VRF-A1 set security l3vpn vrf-group vpn-A vrf VRF-A2 set security l3vpn vrf-group vpn-A1 vrf VRF-A11 set security l3vpn vrf-group vpn-A1 vrf VRF-A12 set security l3vpn vrf-group vpn-B vrf VRF-B1 set security l3vpn vrf-group vpn-B vrf VRF-B2 set security l3vpn vrf-group vpn-B1 vrf VRF-B11 set security l3vpn vrf-group vpn-B1 vrf VRF-B12 set security nat source pool vrf-a_p address 203.0.113.200 set security nat source rule-set vrf-a_rs from routing-group vpn-A set security nat source rule-set vrf-a_rs to routing-group vpn-A1 set security nat source rule-set vrf-a_rs rule rule1 match source-address 192.168.1.200 set security nat source rule-set vrf-a_rs rule rule1 then source-nat pool vrf-a_p set security nat source pool vrf-b_p address 203.0.113.201 set security nat source rule-set vrf-b_rs from routing-group vpn-B set security nat source rule-set vrf-b_rs to routing-group vpn-B1 set security nat source rule-set vrf-b_rs rule rule2 match source-address 192.168.1.201 set security nat source rule-set vrf-b_rs rule rule2 then source-nat pool vrf-b_p set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-a_policy match source-address any set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-a_policy match destination-address any set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-a_policy match application any set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-a_policy match source-l3vpn-vrf-group vpn-A1 set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-a_policy then permit set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-b_policy match source-address any set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-b_policy match destination-address any set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-b_policy match application any set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-b_policy match source-l3vpn-vrf-group vpn-B1 set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-b_policy then permit
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide..
To configure source NAT mapping for a single VRF:
In Layer 3 VPNs create a VRF group vpn-A with VRF instances A1and A2.
[edit security] user@host#set l3vpn vrf-group vpn-A vrf VRF-A1 user@host#set l3vpn vrf-group vpn-A vrf VRF-A2
In Layer 3 VPNs create a VRF group vpn-A1 with VRF instances A11and A12.
[edit security] user@host#set l3vpn vrf-group vpn-A1 vrf VRF-A11 user@host#set l3vpn vrf-group vpn-A1 vrf VRF-A12
Create another VRF group vpn-B with VRF instances B1 and B2.
[edit security] user@host#set l3vpn vrf-group vpn-B vrf VRF-B1 user@host#set l3vpn vrf-group vpn-B vrf VRF-B2
Create another VRF group vpn-B1 with VRF instances B11 and B12.
[edit security] user@host#set l3vpn vrf-group vpn-B1 vrf VRF-B11 user@host#set l3vpn vrf-group vpn-B1 vrf VRF-B12
Specify a source NAT IP address pool.
[edit security nat source] user@host# set pool vrf-a_p address 192.168.1.200 user@host# set pool vrf-b_p address 192.168.1.201
Create a source NAT rule set.
[edit security nat source] user@host# set rule-set rs from routing-group vpn-A user@host# set rule-set rs from routing-group vpn-B user@host# set rule-set rs to routing-group vpn-A1 user@host# set rule-set rs to routing-group vpn-B1
Configure a rule that matches packets and translates per VRF group network traffic to global IP pool.
[edit security nat source] user@host# set rule-set rs rule vrf-a_rs match destination-address 203.0.113.200 user@host# set rule-set rs rule vrf-a_rs then destination-nat pool vrf-a_p user@host# set rule-set rs rule vrf-b_rs match destination-address 203.0.113.201 user@host# set rule-set rs rule vrf-b_rs then destination-nat pool vrf-b_p
Create a security policy to permit vpn-A1 traffic.
[edit security policies from-zone GRE-1_Zone to-zone GRE-2_Zone] user@host# set policy vrf-a_policy match source-address any user@host# set policy vrf-a_policy match destination-address any user@host# set policy vrf-a_policy match application any user@host# set policy vrf-a_policy match destination-l3vpn-vrf-group vpn-A1 user@host# set policy vrf-a_policy then permit
Create a security policy to permit vpn-B1 traffic.
[edit security policies from-zone GRE-1_Zone to-zone GRE-2_Zone] user@host# set policy vrf-b_policy match source-address any user@host# set policy vrf-b_policy match destination-address any user@host# set policy vrf-b_policy match application any user@host# set policy vrf-b_policy match destination-l3vpn-vrf-group vpn-B1 user@host# set policy vrf-b_policy then permit
Results
From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security nat
source {
pool vrf-a_p {
address {
203.0.113.200/32;
}
}
pool vrf-b_p {
address {
203.0.113.201/32;
}
}
rule-set vrf-a_rs {
from routing-group vpn-A;
to routing-group vpn-A1;
rule rule1 {
match {
source-address 192.168.1.200/32;
}
then {
source-nat {
pool {
vrf-a_p;
}
}
}
}
rule-set vrf-b_rs {
from routing-group vpn-B;
to routing-group vpn-B1;
match {
source-address 192.168.1.201/32;
}
then {
source-nat {
pool {
vrf-b_p;
}
}
}
}
}
}
[edit]
user@host# show security policies
from-zone GRE-1_Zone to-zone GRE-2_Zone {
policy vrf-a_policy {
match {
source-address any;
destination-address any;
application any;
destination-l3vpn-vrf-group vpn-A1;
}
then {
permit;
}
}
policy vrf-b_policy {
match {
source-address any;
destination-address any;
application any;
destination-l3vpn-vrf-group vpn-B1;
}
then {
permit;
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Verifying Security Policies
Purpose
Verify that there is traffic matching the source NAT rule.
Action
From operational mode, enter the show security nat source rule all command. In the Translation hits field, verify whether there is traffic that matches the destination NAT rule.
user@host> show security nat source rule all
Total source-nat rules: 2
Total referenced IPv4/IPv6 ip-prefixes: 2/0
Source NAT rule : vrf-a_r
Rule-set : rs
Rule-Id : 1
Rule position : 1
From routing-group : vpn-A
To zone : GE_Zone1
Source addresses : 203.0.113.200 - 203.0.113.200
Action : vrf-a_p
Translation hits : 0
Successful sessions : 0
Failed sessions : 0
Number of sessions : 0
Source NAT rule : vrf-b_r
Rule-set : rs
Rule-Id : 2
Rule position : 2
From routing-group : vpn-A
To zone : GE_Zone
Destination addresses : 203.0.113.201 - 203.0.113.201
Action : vrf-b_p
Translation hits : 0
Successful sessions : 0
Failed sessions : 0
Number of sessions : 0
From operational mode, enter the show security policies command to display a summary of all the security policies configured on the device.
user@root> show security policies
Default policy: permit-all
From zone: GRE-1_Zone, To zone: GRE-2_Zone
Policy: vrf-a_policy, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
Source L3VPN VRF Group: any
destination L3VPN VRF Group: vpn-A1
Source addresses: any
Destination addresses: any
Applications: any
Action: permit
From zone: GRE-1_Zone, To zone: GRE-2_Zone
Policy: vrf-b_policy, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
Source L3VPN VRF Group: any
destination L3VPN VRF Group: vpn-B1
Source addresses: any
Destination addresses: any
Applications: any
Action: permit
Multicast Support in SD-WAN Deployments
Starting in Junos OS Release 21.2R1, we've added support for multicast traffic on SRX
Series Firewalls in Provider Edge (PE) for SD-WAN deployments. The support for
multicast traffic is available when the security device is operating with forwarding
option set as as flow-based in the set security forwarding-options family
mpls mode hierarchy. See forwarding-options (Security).
Limitations
- Support for multicast traffic not available when the device is operating
with forwarding option set as
packet-based. - Support for multicast traffic available for only hub-and-spoke topology with IP-over-MPLS-over-GRE and IP-over-MPLS-over-GRE-over-IPsec
- Support for multicast traffic does not introduce any changes or address any limitations related to multicast VPN (MVPN) data forwarding functionality. See Limiting Routes to Be Advertised by an MVPN VRF Instance.