Data Center Filter-Based Forwarding: Service Leafs
Juniper Learning Bytes: Configuring Service Leafs with Zach Gibbs.
In this Learning Byte, you’ll learn how to configure the service leaf with regards to filter-based forwarding. This video is most appropriate for users with a high degree of knowledge and skill with data center technologies.
You’ll learn
Step by step how to configure the service leaf with the Inspect-VRF and the Secure-VRF and all the parameters that go along with that
The first step: Configure the interface that is facing the firewall
How to match the Ethernet VPN (EVPN) routes and export them
Transcript
0:02 [Music]
0:11 hello my name is zach gibbs and i'm a
0:14 content developer within education
0:16 services inside juniper networks and
0:19 today we will be going through the data
0:21 center filter-based forwarding service
0:23 leafs learning byte
0:25 all right so here is our topology
0:28 we have a few different devices we have
0:31 the two router leafs that's router l1
0:33 and router l2
0:35 and then we have the service leaf which
0:37 is service l1 now there are other
0:39 learning bytes that discussed that i've
0:41 done
0:42 the of the configuration of router l1
0:45 and router l2 and there will be another
0:46 learning byte that goes over the
0:48 configuration of the dc firewall so look
0:50 out for that as well and there'll also
0:52 be another learning byte that goes over
0:54 verification of filter-based forwarding in
0:56 a data center okay so with that we want
0:59 to focus on configuring the service leaf
1:01 we need to configure the service leaf
1:02 with the inspect vrf and the secure vrf
1:05 and all the parameters that go along
1:07 with that so with that being said let's
1:09 go ahead and jump to the cli of the
1:11 service leaf service l1 and get this
1:13 going
1:15 all right so here is our topology and
1:17 here you can see that service leaf one
1:20 in the middle here has both the inspect
1:22 vrf and the secure vrf and so right now
1:24 we're going to focus on configuring the
1:26 inspect vrf and then we'll configure the
1:28 secure vrf and again what's going to
1:30 happen is host 1 will send traffic it'll
1:32 filter-based forward from vrf1 to the
1:35 inspect vrf to service leaf service l1
1:38 inspect vrf and then we'll go to the
1:40 firewall and then back to the secure vrf
1:43 on the service leaf and then to the
1:45 secure vrf on the router router l2 leaf
1:49 then to vrf1 and then to the host 2.
1:52 so with that let's go ahead and jump
1:53 back to the cli of service leaf l1 and
1:57 get this going
1:59 all right so here is service leaf l1
2:02 jump into configuration mode and the
2:03 first thing we want to do is we want to
2:05 configure the interface that is facing
2:09 the firewall and so let's go into the
2:11 interfaces this is going to be xe-06
2:17 and we need to set this up as a trunk
2:19 interface
2:26 and we need to apply two different vlans
2:28 here and the reason behind that is the
2:32 firewall interface is going to be using
2:34 vlan tagging and it's going to have one
2:37 interface split into two different
2:38 interfaces two different logical
2:40 interfaces and one of those is going to
2:42 be a part of one vlan and i'm going to
2:43 be a part of the secure zone and the
2:45 other interface will be a part of the
2:47 inspect zone and that will receive the
2:50 traffic and then send it out the other
2:52 interface and so they'll be part of
2:55 different vlans so we need to set some
2:56 vlan members here
3:00 and so we'll say vlan
3:02 members
3:03 991 and 992. this matches up
3:06 uh with the vni and the route targets
3:08 we're using for the secure and the
3:10 inspect vrfs
3:12 and so you can see that we have that
3:13 configured
3:15 and then let's go ahead and we'll also
3:17 want to configure some irb interfaces
3:23 set unit 991
3:26 family inet address and of course this
3:28 is going to be working within the
3:30 991 vlan
3:32 so 10.91.91.2
3:34 /30.
3:36 we'll set unit 992
3:38 configure this 10.92.92.2
3:41 /30.
3:43 and then we'll set or rather let's take
3:46 a quick look at those we can see that's
3:47 configured correctly and then let's
3:49 configure some loopback addresses as
3:51 well so we'll say
3:53 or loopback interfaces
3:55 unit 991
3:58 and then we'll do the same
4:00 992 and these will be in the different
4:03 routing instances
4:06 and then we want to configure the vlans
4:11 vlan v991 is going to have vlan id 991
4:15 and then
4:17 we're going to have the l3 interface
4:20 irb.991
4:23 and then
4:24 v992 vlan is going to have vlan id 992
4:29 and l3 interface irb.992
4:33 so that's how the interfaces or the
4:35 vlans are configured and then let's jump
4:37 into the routing instances
4:40 you see here we have nothing configured
4:42 and keep in mind we're configuring the
4:43 inspect vrf and the secure vrf
4:46 and that is
4:48 we are not going to configure vrf1 here
4:51 vrf1 is not part of the service leaf
4:54 and so with that let's go ahead and
4:56 configure the
4:57 inspect
4:59 vrf
5:00 and it's going to be instance type
5:03 vrf
5:05 we're going to use interface
5:07 irb.991 recall that interface is a part
5:10 of
5:11 vlan v991 which uses vlan id 991
5:16 and then we're also going to put the
5:17 loopback interface in there
5:19 and again it's not necessary with these
5:21 loopback interfaces but it is nice to
5:22 verify that these are being passed
5:24 around correctly
5:27 specify the route distinguisher remember
5:29 these need to be unique
5:33 and the end of that route distinguisher
5:35 is going to match the vni with what
5:37 we're using here
5:39 and we'll configure the vni in just a little
5:41 bit
5:42 configure the route target
5:46 and
5:48 recall that the route target in the
5:50 inspect vrf here needs to match the
5:52 route target in the inspect vrf on the
5:55 router leaf router l1
6:00 and so there's the configuration for
6:01 that and we're not done yet though we
6:03 need to configure bgp because what
6:05 happens here is we're going to be
6:07 getting some well passing
6:09 bgp routes the evpn routes to bgp to the
6:14 firewall and then receiving some bgp
6:16 routes as well that's how we're going to
6:18 handle the routing and get the routes
6:20 back and forth
6:21 so edit protocols
6:24 bgp
6:25 call this group
6:27 dc-fw
6:29 dash inspect since it's going to be a
6:31 part of the inspect vrf
6:34 and say external
6:36 export we have not configured this
6:38 export policy yet but we will configure
6:40 it soon
6:42 and we're going to set local as this is
6:45 going to be our local as for this vrf
6:48 and then the neighbor this is going to
6:50 be the srx
6:51 the dc firewall
6:53 so there's actually going to be two bgp
6:55 sessions with the
6:56 dc firewall
6:59 and we can see here the configuration we
7:00 haven't configured that export policy
7:02 yet this export policy we recall that
7:05 with these the router leafs we are
7:07 sending
7:08 uh static routes and direct routes into
7:13 evpn as type 5 evpn routes and so what
7:17 that means
7:18 on the inspect vrf and the secure vrf
7:20 we're going to see receive those routes
7:23 as type 5
7:24 evpn routes and so what we need to do
7:27 when configuring this export policy the
7:28 firewall or the fw evpn export policies
7:32 we need to
7:33 match on those evp evpn routes and
7:36 export them and so let's go ahead and
7:39 configure that policy now
7:43 and we're just going to say term evpn
7:46 from protocol
7:48 evpn
7:50 and we're going to accept that
7:53 that's all we need to do for that and
7:55 let's jump back to the routing instance
8:00 and so you can see that's taken care of
8:02 there now we need to configure what
8:03 we're going to export into the inspect
8:06 vrf because what's going to happen here
8:08 is we're going to receive a default
8:09 route from the dc firewall and we're
8:12 going to export that default route into
8:15 the inspect vrf
8:17 and then that way the leaf route or the
8:20 router leaf router l1 will know that
8:23 okay to get to host 2 i've got a default
8:25 route i'm just going to send it to well
8:27 service leaf l1 and so with that let's
8:29 go ahead and configure that then so
8:33 edit protocols
8:34 evpn and then set ip prefix routes
8:39 we're going to do the direct next hop with
8:40 the advertise again
8:42 and then we're going to say
8:43 encapsulation vxlan
8:45 and vni
8:48 5991 and this vni of course matches what
8:52 we have on router leaf router l1
8:55 in the inspect vrf
8:58 and then we're going to specify an
9:00 export
9:01 and this has not been configured yet
9:03 we're just going to call this t5
9:04 underscore
9:05 export
9:07 and then
9:09 we have that configured
9:12 but we need to configure that policy
9:14 right so let's go ahead and jump to the
9:17 policy options hierarchy
9:21 and make sure i spelt that right i've
9:23 messed that up before and so what we
9:25 want to do we want to set one term
9:27 from protocol
9:29 direct we want to export our direct
9:31 routes which is just going to be the
9:32 loopback interface here
9:34 and also it's going to be loopback
9:35 interface and the irb interfaces i guess
9:37 are the addresses associated with that
9:39 and then with term two we want to
9:43 match on a route filter
9:47 zero slash zero exact so that's that
9:48 default routes that is going to be
9:50 coming from the firewall
9:53 and accept it
9:54 and so that is the configuration for the
9:57 inspect vrf on the service leaf
10:00 all right so here is the topology and we
10:03 are currently working on service leaf l1
10:06 we've already configured router l1 with
10:09 the inspect vrf we've configured router
10:11 l2
10:12 that leaf you know router l1 is also a
10:14 route it's a normal router leaf and
10:17 router l2 is a normal router leaf we
10:19 configured the secure vrf
10:21 and we've configured the inspect vrf
10:23 already so that's going to match up with
10:25 inspect vrf with router l1 leaf and now
10:28 we need to configure the secure vrf
10:30 which will match up with the secure vrf
10:33 in router l2
10:35 and so here we have vni 5992
10:38 on both of them that will need to match
10:40 and also the route target that we
10:41 configure will need to match and so
10:44 let's go ahead and jump back to the cli
10:47 of service l1 which is our service leaf
10:49 and configure this
10:52 all right so here is service leaf l1
10:54 let's go ahead and jump
10:56 to the routing instances
10:59 and you can see here we have the inspect
11:00 vrf configured so let's configure the
11:02 secure
11:03 vrf
11:05 the instance type is going to be
11:08 vrf of course
11:10 and we're going to specify the interface
11:12 irb.992 we've already configured that
11:15 interface and then specify the interface
11:18 of loopback.992 now the irb interface
11:20 now i didn't explain this when we
11:22 configured the inspect vrf earlier
11:24 that's going to be the
11:26 anchor point for the bgp pairings with
11:29 the dc firewall device
11:31 and so that's why it's important in this
11:33 vrf and so
11:35 let's configure the route distinguisher
11:37 of course this needs to be unique
11:41 the 992 matches the vni configuration
11:45 that we'll have to configure here in
11:46 just a moment well it's uh 5992 is the
11:49 vni but it's based off that that is
11:51 doesn't necessarily match it but it's
11:52 based off of it
11:53 and then we need to set the route target
11:58 and it is also based on the route target
12:00 too i guess in the 992. so but the thing
12:02 to keep in mind here is that the route
12:04 target in the secure vrf here matches
12:07 the route target in the secure vrf on
12:09 router leaf router l2
12:14 so you can see the configuration there
12:15 with what we currently have configured
12:17 so let's go ahead and configure the bgp
12:20 group
12:22 and this will appear with the firewall
12:24 because what's going to happen is it'll
12:27 the firewall is acting in this scenario
12:28 as a one-arm firewall
12:30 more than likely in a real data center
12:32 you'd have multiple firewalls but here
12:34 it's just a one-arm firewall so it's
12:36 going to leave on the one irb interface
12:38 in the inspect zone hit the firewall
12:40 come back and then come back in on the
12:42 one irb interface in the secure vrf
12:46 and so we need to configure two
12:47 different bgp groups for that and so
12:50 let's get to the
12:52 group now and so it's going to dc dash
12:55 fw
12:56 dash secure
12:58 and it's going to be type external
13:01 and we're going to export
13:03 that fw
13:05 and export policy and recall we
13:07 configured this earlier but let's take a
13:09 quick look
13:11 and we can see here what we're doing
13:12 here is we're taking
13:14 from protocol evpn and then accepting it
13:17 so we're going to export anything that's
13:19 evpn and the reason why we need to do
13:21 that is in the secure vrf
13:24 we will be receiving
13:25 a route that is originally a static
13:28 route from the leaf router l2
13:32 in evpn and we need to get that to the
13:34 firewall device so the routing can be
13:36 propagated correctly
13:38 and so with that
13:40 we need to configure a few more bgp
13:42 parameters local as
13:44 265 999 and this of course is going to
13:47 be different than the
13:48 local as we have in the inspect vrf
13:53 bgp group so keep that in mind that is
13:55 different the neighbor
13:57 92.92.1 peer-as 64
14:01 that's going to be the peer information
14:03 for the
14:04 dc firewall
14:07 and so that is configured there
14:09 and so then we need to edit the evpn
14:12 parameters
14:15 and this is going to be what we're doing
14:16 with the type 5 routes how we're going
14:18 to export that
14:19 and we're going to advertise with the
14:21 direct next hop
14:22 i'm going to say encapsulation vxlan
14:26 and we're going to say
14:28 vni
14:29 vni here we go 5992
14:32 and of course that's going to match the
14:33 vni in the other secure vrf that's on
14:36 router leaf
14:38 router l2
14:39 and then we need to specify the export
14:42 policy and we have this export policy
14:44 already configured because it was
14:45 configured earlier
14:46 t5 export now let's look at that policy
14:50 and it's matching on protocol direct so
14:52 it's going to export the irb interface
14:54 route and also the loopback interface
14:56 route and then also
14:58 the default route that we're getting
15:00 from
15:01 the firewall we're going to export that
15:03 into evpn as a type 5 route and that is
15:07 the configuration
15:09 for the service leaf so let's commit and
15:11 quit to apply that configuration and
15:13 exit to operational mode
15:16 so that does bring us to the end of this
15:17 learning byte and here we demonstrated
15:20 how to configure the service leaf with
15:21 regards to data center filter-based
15:23 forwarding so as always thanks for
15:25 watching
15:28 visit the juniper education services
15:30 website to learn more about courses
15:33 view our full range of classroom online
15:36 and e-learning courses
15:38 learning paths industry segment and
15:41 technology specific training paths
15:44 juniper networks certification program
15:47 the ultimate demonstration of your
15:49 competence
15:50 and the training community from forums
15:53 to social media
15:54 join the discussion