Zach Gibbs, Content Developer, Education Services, Juniper Networks

Data Center Filter-Based Forwarding: Service Leafs

Learning Bytes Data Center
A diagram illustrating configuring the service leaf.

Juniper Learning Bytes: Configuring Service Leafs with Zach Gibbs.

In this Learning Byte, you’ll learn how to configure the service leaf with regards to filter-based forwarding. This video is most appropriate for users with a high degree of knowledge and skill with data center technologies.


You’ll learn

  • Step by step how to configure the service leaf with the Inspect-VRF and the Secure-VRF and all the parameters that go along with that 

  • The first step: Configure the interface that is facing the firewall 

  • How to match the Ethernet VPN (EVPN) routes and export them 

Who is this for?

Business Leaders, Network Professionals

Host

Zach Gibbs
Content Developer, Education Services, Juniper Networks

Transcript

0:02 [Music]

0:11 hello my name is zach gibbs and i'm a

0:14 content developer within education

0:16 services inside juniper networks and

0:19 today we will be going through the data

0:21 center filter-based forwarding service

0:23 leafs learning byte

0:25 all right so here is our topology

0:28 we have a few different devices we have

0:31 the two router leafs that's router l1

0:33 and router l2

0:35 and then we have the service leaf which

0:37 is service l1 now there are other

0:39 learning bytes that discussed that i've

0:41 done

0:42 the configuration of router l1

0:45 and router l2 and there will be another

0:46 learning byte that goes over the

0:48 configuration of the dc firewall so look

0:50 out for that as well and there'll also

0:52 be another learning byte that goes over

0:54 verification of filter-based forwarding in

0:56 a data center okay so with that we want

0:59 to focus on configuring the service leaf

1:01 we need to configure the service leaf

1:02 with the inspect vrf and the secure vrf

1:05 and all the parameters that go along

1:07 with that so with that being said let's

1:09 go ahead and jump to the cli of the

1:11 service leaf service l1 and get this

1:13 going

1:15 all right so here is our topology and

1:17 here you can see that service leaf one

1:20 in the middle here has both the inspect

1:22 vrf and the secure vrf and so right now

1:24 we're going to focus on configuring the

1:26 inspect vrf and then we'll configure the

1:28 secure vrf and again what's going to

1:30 happen is host 1 will send traffic it'll

1:32 filter-based forward from vrf1 to the

1:35 inspect vrf to service leaf service l1

1:38 inspect vrf and then we'll go to the

1:40 firewall and then back to the secure vrf

1:43 on the service leaf and then to the

1:45 secure vrf on the router router l2 leaf

1:49 then to vrf1 and then to the host 2.

1:52 so with that let's go ahead and jump

1:53 back to the cli of service leaf l1 and

1:57 get this going

1:59 all right so here is service leaf l1

2:02 jump into configuration mode and the

2:03 first thing we want to do is we want to

2:05 configure the interface that is facing

2:09 the firewall and so let's go into the

2:11 interfaces this is going to be xe-06

2:17 and we need to set this up as a trunk

2:19 interface

2:26 and we need to apply two different vlans

2:28 here and the reason behind that is the

2:32 firewall interface is going to be using

2:34 vlan tagging and it's going to have one

2:37 interface split into two different

2:38 interfaces two different logical

2:40 interfaces and one of those is going to

2:42 be a part of one vlan and it's going to

2:43 be a part of the secure zone and the

2:45 other interface will be a part of the

2:47 inspect zone and that will receive the

2:50 traffic and then send it out the other

2:52 interface and so they'll be part of

2:55 different vlans so we need to set some

2:56 vlan members here

3:00 and so we'll say vlan

3:02 members

3:03 991 and 992; this matches up

3:06 uh with the vni and the route targets

3:08 we're using for the secure and the

3:10 inspect vrfs

3:12 and so you can see that we have that

3:13 configured

3:15 and then let's go ahead and we'll also

3:17 want to configure some irb interfaces

3:23 set unit 991

3:26 family inet address and of course this

3:28 is going to be working within the

3:30 991 vlan

3:32 so 10.91.91.2/30

3:36 we'll set unit 992

3:38 configure this 10.92.92.2/30

3:43 and then we'll set or rather let's take

3:46 a quick look at those we can see that's

3:47 configured correctly and then let's

3:49 configure some loopback addresses as

3:51 well so we'll say

3:53 or loopback interfaces

3:55 unit 991

3:58 and then we'll do the same

4:00 992 and these will be in the different

4:03 routing instances

4:06 and then we want to configure the vlans

4:11 vlan v991 is going to have vlan id 991

4:15 and then

4:17 we're going to have the l3 interface

4:20 irb.991

4:23 and then

4:24 v992 vlan is going to have vlan id 992

4:29 and l3 interface irb.992

4:33 so that's how the interfaces or the

4:35 vlans are configured and then let's jump

4:37 into the routing instances

4:40 you see here we have nothing configured

4:42 and keep in mind we're configuring the

4:43 inspect vrf and the secure vrf

4:46 and that is

4:48 we are not going to configure vrf1 here

4:51 vrf1 is not part of the service leaf

4:54 and so with that let's go ahead and

4:56 configure the

4:57 inspect

4:59 vrf

5:00 and it's going to be instance type

5:03 vrf

5:05 we're going to use interface

5:07 irb.991 recall that interface is a part

5:10 of

5:11 vlan v991 which uses vlan id 991

5:16 and then we're also going to put the

5:17 loopback interface in there

5:19 and again it's not necessary with these

5:21 loopback interfaces but it is nice to

5:22 verify that these are being passed

5:24 around correctly

5:27 specify the route distinguisher remember

5:29 these need to be unique

5:33 and the end of that route distinguisher

5:35 is going to match the vni with what

5:37 we're using here

5:39 and we'll configure the vni just a little

5:41 bit

5:42 configure the route target

5:46 and

5:48 recall that the route target in the

5:50 inspect vrf here needs to match the

5:52 route target in the inspect vrf on the

5:55 router leaf router l1

6:00 and so there's the configuration for

6:01 that and we're not done yet though we

6:03 need to configure bgp because what

6:05 happens here is we're going to be

6:07 getting some well passing

6:09 bgp routes the evpn routes to bgp to the

6:14 firewall and then receiving some bgp

6:16 routes as well that's how we're going to

6:18 handle the routing and get the routes

6:20 back and forth

6:21 so edit protocols

6:24 bgp

6:25 call this group

6:27 dc-fw-inspect since it's going to be a

6:31 part of the inspect vrf

6:34 and say external

6:36 export we have not configured this

6:38 export policy yet but we will configure

6:40 it soon

6:42 and we're going to set local-as this is

6:45 going to be our local as for this vrf

6:48 and then the neighbor this is going to

6:50 be the srx

6:51 the dc firewall

6:53 so there's actually going to be two bgp

6:55 sessions with the

6:56 dc firewall

6:59 and we can see here the configuration we

7:00 haven't configured that export policy

7:02 yet this export policy we recall that

7:05 with these the router leafs we are

7:07 sending

7:08 uh static routes and direct routes into

7:13 evpn as type 5 evpn routes and so what

7:17 that means

7:18 on the inspect vrf and the secure vrf

7:20 we're going to see receive those routes

7:23 as type 5

7:24 evpn routes and so what we need to do

7:27 when configuring this export policy the

7:28 firewall or the fw evpn export policies

7:32 we need to

7:33 match on those evpn routes and

7:36 export them and so let's go ahead and

7:39 configure that policy now

7:43 and we're just going to say term evpn

7:46 from protocol

7:48 evpn

7:50 and we're going to accept that

7:53 that's all we need to do for that and

7:55 let's jump back to the routing instance

8:00 and so you can see that's taken care of

8:02 there now we need to configure what

8:03 we're going to export into the inspect

8:06 vrf because what's going to happen here

8:08 is we're going to receive a default

8:09 route from the dc firewall and we're

8:12 going to export that default route into

8:15 the inspect vrf

8:17 and then that way the leaf route or the

8:20 router leaf router l1 will know that

8:23 okay to get to host 2 i've got a default

8:25 route i'm just going to send it to well

8:27 service leaf l1 and so with that let's

8:29 go ahead and configure that then so

8:33 edit protocols

8:34 evpn and then set ip prefix routes

8:39 we're going to do the direct next hop with

8:40 the advertise again

8:42 and then we're going to say

8:43 encapsulation vxlan

8:45 and vni

8:48 5991 and this vni of course matches what

8:52 we have on router leaf router l1

8:55 in the inspect vrf

8:58 and then we're going to specify an

9:00 export

9:01 and this has not been configured yet

9:03 we're just going to call this t5_export

9:07 and then

9:09 we have that configured

9:12 but we need to configure that policy

9:14 right so let's go ahead and jump to the

9:17 policy options hierarchy

9:21 and make sure i spelt that right i've

9:23 messed that up before and so what we

9:25 want to do we want to set one term

9:27 from protocol

9:29 direct we want to export our direct

9:31 routes which is just going to be the

9:32 loopback interface here

9:34 and also it's going to be loopback

9:35 interface and the irb interfaces i guess

9:37 are the addresses associated with that

9:39 and then with term two we want to

9:43 match on a route filter

9:47 0/0 exact so that's that

9:48 default routes that is going to be

9:50 coming from the firewall

9:53 and accept it

9:54 and so that is the configuration for the

9:57 inspect vrf on the service leaf

10:00 all right so here is the topology and we

10:03 are currently working on service leaf l1

10:06 we've already configured router l1 with

10:09 the inspect vrf we've configured router

10:11 l2

10:12 that leaf you know router l1 is also a

10:14 route it's a normal router leaf and

10:17 router l2 is a normal router leaf we

10:19 configured the secure vrf

10:21 and we've configured the inspect vrf

10:23 already so that's going to match up with

10:25 inspect vrf with router l1 leaf and now

10:28 we need to configure the secure vrf

10:30 which will match up with the secure vrf

10:33 in router l2

10:35 and so here we have vni 5992

10:38 on both of them that will need to match

10:40 and also the route target that we

10:41 configure will need to match and so

10:44 let's go ahead and jump back to the cli

10:47 of service l1 which is our service leaf

10:49 and configure this

10:52 all right so here is service leaf l1

10:54 let's go ahead and jump

10:56 to the routing instances

10:59 and you can see here we have the inspect

11:00 vrf configured so let's configure the

11:02 secure

11:03 vrf

11:05 the instance type is going to be

11:08 vrf of course

11:10 and we're going to specify the interface

11:12 irb.992 we've already configured that

11:15 interface and then specify the interface

11:18 of loopback.992 now the irb interface

11:20 now i didn't explain this when we

11:22 configured the inspect vrf earlier

11:24 that's going to be the

11:26 anchor point for the bgp pairings with

11:29 the dc firewall device

11:31 and so that's why it's important in this

11:33 vrf and so

11:35 let's configure the route distinguisher

11:37 of course this needs to be unique

11:41 the 992 matches the vni configuration

11:45 that we'll have to configure here in

11:46 just a moment well it's uh 5992 is the

11:49 vni but it's based off that that is

11:51 doesn't necessarily match it but it's

11:52 based off of it

11:53 and then we need to set the route target

11:58 and it is also based on the route target

12:00 too i guess in the 992. so but the thing

12:02 to keep in mind here is that the route

12:04 target in the secure vrf here matches

12:07 the route target in the secure vrf on

12:09 router leaf router l2

12:14 so you can see the configuration there

12:15 with what we currently have configured

12:17 so let's go ahead and configure the bgp

12:20 group

12:22 and this will appear with the firewall

12:24 because what's going to happen is it'll

12:27 the firewall is acting in this scenario

12:28 as a one-arm firewall

12:30 more than likely in a real data center

12:32 you'd have multiple firewalls but here

12:34 it's just a one-arm firewall so it's

12:36 going to leave on the one irb interface

12:38 in the inspect zone hit the firewall

12:40 come back and then come back in on the

12:42 one irb interface in the secure vrf

12:46 and so we need to configure two

12:47 different bgp groups for that and so

12:50 let's get to the

12:52 group now and so it's going to be dc-fw-secure

12:58 and it's going to be type external

13:01 and we're going to export

13:03 that fw

13:05 evpn export policy and recall we

13:07 configured this earlier but let's take a

13:09 quick look

13:11 and we can see here what we're doing

13:12 here is we're taking

13:14 from protocol evpn and then accepting it

13:17 so we're going to export anything that's

13:19 evpn and the reason why we need to do

13:21 that is in the secure vrf

13:24 we will be receiving

13:25 a route that is originally a static

13:28 route from the leaf router l2

13:32 in evpn and we need to get that to the

13:34 firewall device so the routing can be

13:36 propagated correctly

13:38 and so with that

13:40 we need to configure a few more bgp

13:42 parameters local-as

13:44 265 999 and this of course is going to

13:47 be different than the

13:48 local as we have in the inspect vrf

13:53 bgp group so keep that in mind that is

13:55 different the neighbor

13:57 92.92.1 peer-as 64

14:01 that's going to be the peer information

14:03 for the

14:04 dc firewall

14:07 and so that is configured there

14:09 and so then we need to edit the evpn

14:12 parameters

14:15 and this is going to be what we're doing

14:16 with the type 5 routes how we're going

14:18 to export that

14:19 and we're going to advertise with the

14:21 direct next hop

14:22 i'm going to say encapsulation vxlan

14:26 and we're going to say

14:28 vni

14:29 vni here we go 5992

14:32 and of course that's going to match the

14:33 vni in the other secure vrf that's on

14:36 router leaf

14:38 router l2

14:39 and then we need to specify the export

14:42 policy and we have this export policy

14:44 already configured because it was

14:45 configured earlier

14:46 t5 export now let's look at that policy

14:50 and it's matching on protocol direct so

14:52 it's going to export the irb interface

14:54 route and also the loopback interface

14:56 route and then also

14:58 the default route that we're getting

15:00 from

15:01 the firewall we're going to export that

15:03 into evpn as a type 5 route and that is

15:07 the configuration

15:09 for the service leaf so let's commit and

15:11 quit to apply that configuration and

15:13 exit to operational mode

15:16 so that does bring us to the end of this

15:17 learning byte and here we demonstrated

15:20 how to configure the service leaf with

15:21 regards to data center filter-based

15:23 forwarding so as always thanks for

15:25 watching

15:28 visit the juniper education services

15:30 website to learn more about courses

15:33 view our full range of classroom online

15:36 and e-learning courses

15:38 learning paths industry segment and

15:41 technology specific training paths

15:44 juniper networks certification program

15:47 the ultimate demonstration of your

15:49 competence

15:50 and the training community from forums

15:53 to social media

15:54 join the discussion
