Mailing List Archive: nsp: juniper

Interconnect two VRFs via L2 security box with redundant path

 

 



chmorl at wm

Apr 24, 2012, 9:44 AM

Post #1 of 4 (550 views)
Interconnect two VRFs via L2 security box with redundant path

I have a design question to propose to the list. Suppose I have two VRFs in my
MX routing core. Servers connect to one VRF (South) and the clients connect to
the other VRF (North). I have a Layer2 security packet scrubbing box for
inspecting traffic between my servers and clients.

I have a sample network diagram:

http://i.imgur.com/ZuOoC.png

Here are my restrictions:

a. I need to interconnect the North and South VRFs with the Layer2 security box
physically at one of my two core routers (MX East).

b. I also need to have a redundant path, preferably passing through the other
core router (MX West). In the event that the Layer2 box dies, or if the MX
East core router dies, unfortunately traffic will not get inspected but I will
still have connectivity between the North and South VRFs via the MX West core
router.

c. Traffic is forced through the Layer2 box using dynamic routing protocols
(I'd like to stay away from statics if I can). I would like to stick with
IS-IS, but I could use BGP if needed for filtering purposes. I need to be
careful not to introduce a routing loop between the two VRFs. The redundant
link on MX West needs to be properly weighted such that it is completely
passive except in the event that there is a failure at MX East and/or the
Layer2 box.

d. I have an MPLS infrastructure available in the core, so I could build a
VPLS, L2 VPN, or L3 VPN if it would help. But I do want to keep things as
simple as I can.

How would you put together such a design? How would you implement the routing
protocols between the VRFs? Would you use a logical tunnel at MX West to form
the backup connection between the two VRFs? If you use vrf-import and
vrf-export of routes (with auto-export) between the VRFs instead of a logical
tunnel, how would you properly weight the routing information?

Thanks.

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
_______________________________________________
juniper-nsp mailing list juniper-nsp [at] puck
https://puck.nether.net/mailman/listinfo/juniper-nsp


sfouant at shortestpathfirst

Apr 24, 2012, 9:56 AM

Post #2 of 4 (510 views)
Re: Interconnect two VRFs via L2 security box with redundant path

On 4/24/2012 12:44 PM, Clarke Morledge wrote:
> I have a design question to propose to the list. Suppose I have two VRFs
> in my MX routing core. Servers connect to one VRF (South) and the
> clients connect to the other VRF (North). I have a Layer2 security
> packet scrubbing box for inspecting traffic between my servers and clients.
>
> I have a sample network diagram:
>
> http://i.imgur.com/ZuOoC.png
>
> Here are my restrictions:
>
> a. I need to interconnect the North and South VRFs with the Layer2
> security box physically at one of my two core routers (MX East).
>
> b. I also need to have a redundant path, preferably passing through the
> other core router (MX West). In the event that the Layer2 box dies, or
> if the MX East core router dies, unfortunately traffic will not get
> inspected but I will still have connectivity between the North and South
> VRFs via the MX West core router.
>
> c. Traffic is forced through the Layer2 box using dynamic routing
> protocols (I'd like to stay away from statics if I can). I would like to
> stick with IS-IS, but I could use BGP if needed for filtering purposes.
> I need to be careful not to introduce a routing loop between the two
> VRFs. The redundant link on MX West needs to be properly weighted such
> that it is completely passive except in the event that there is a
> failure at MX East and/or the Layer2 box.
>
> d. I have an MPLS infrastructure available in the core, so I could build
> a VPLS, L2 VPN, or L3 VPN if it would help. But I do want to keep things
> as simple as I can.
>
> How would you put together such a design? How would you implement the
> routing protocols between the VRFs? Would you use a logical tunnel at MX
> West to form the backup connection between the two VRFs? If you use
> vrf-import and vrf-export of routes (with auto-export) between the VRFs
> instead of a logical tunnel, how would you properly weight the routing
> information?

Clarke,

I've done designs like this before and it was always a combination of
some dynamic routing protocol such as IS-IS or BGP between the two VRs
across the L2 connection through the packet scrubber. This path will
always be used so long as the adjacency remains operational.

If that adjacency goes down, a simple floating static (static route w/
higher preference than the dynamic BGP/IS-IS route) pointing to
next-table will do the trick. No need to use Logical-Tunnels or
auto-export.

Of course, in your case you've got not just two VRFs but also an East
and West path which further complicates things - why not just connect
the MX West device into your L2 Packet Scrubber as well and keep things
the same on both the East and West device so that you can take full
advantage of two planes. This will keep configurations uniform
regardless of whether traffic comes in on the East or West devices.

--
Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ENT, JNCI
Technical Trainer, Juniper Networks

Follow us on Twitter @JuniperEducate


chmorl at wm

Apr 24, 2012, 10:48 AM

Post #3 of 4 (506 views)
Re: Interconnect two VRFs via L2 security box with redundant path

Stefan,

I was just hunting through your blog for ideas when I saw your post :-)
Thanks for jumping in. A few responses in-line below.....

On Tue, 24 Apr 2012, Stefan Fouant wrote:

> If that adjacency goes down, a simple floating static (static route w/ higher
> preference than the dynamic BGP/IS-IS route) pointing to
> next-table will do the trick. No need to use Logical-Tunnels or
> auto-export.

If my two routers were directly connected all of the time, this would be
fine. But I'm also thinking of the case of when there might be another L3
hop between the two routers. I guess I could insert another floating
static on the third router, but that just seemed to add a little more
complexity to me. I was hoping for a way to just let the dynamic routing
protocols do the work for me instead of fooling with a bunch of statics
with filter-based forwarding. Don't get me wrong, I like FBF. I was
just hoping to leverage dynamic routing more.

> Of course, in your case you've got not just two VRFs but also an East and
> West path which further complicates things - why not just connect the MX West
> device into your L2 Packet Scrubber as well and keep things the same on both
> the East and West device so that you can take full advantage of two planes.
> This will keep configurations uniform regardless of whether traffic comes in
> on the East or West devices.

I should have given the reason why I do not put the L2 scrubber between
the two routers: conservation of fiber. I already have fiber connecting
the routers in different wiring centers for traffic that does not need to
be scrubbed. Chewing up another set of strands is much more expensive
than simply connecting both sides of the L2 scrubber to just one router in
the same rack.

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187


sfouant at shortestpathfirst

Apr 24, 2012, 12:13 PM

Post #4 of 4 (516 views)
Re: Interconnect two VRFs via L2 security box with redundant path

Comments in-line...

On 4/24/2012 1:48 PM, Clarke Morledge wrote:
> Stefan,
>
> I was just hunting through your blog for ideas when I saw your post :-)
> Thanks for jumping in. A few responses in-line below.....
>
> On Tue, 24 Apr 2012, Stefan Fouant wrote:
>
>> If that adjacency goes down, a simple floating static (static route w/
>> higher preference than the dynamic BGP/IS-IS route) pointing to
>> next-table will do the trick. No need to use Logical-Tunnels or
>> auto-export.
>
> If my two routers were directly connected all of the time, this would be
> fine. But I'm also thinking of the case of when there might be another
> L3 hop between the two routers. I guess I could insert another floating
> static on the third router, but that just seemed to add a little more
> complexity to me. I was hoping for a way to just let the dynamic routing
> protocols do the work for me instead of fooling with a bunch of statics
> with filter-based forwarding. Don't get me wrong, I like FBF. I was just
> hoping to leverage dynamic routing more.

I guess what I was referring to is that you don't really need to have
the MX West device be used at all in the event that the L2 Packet
scrubber dies, as per the restrictions in your initial email:

"I also need to have a redundant path, preferably passing through the
other core router (MX West). In the event that the Layer2 box dies, or
if the MX East core router dies, unfortunately traffic will not get
inspected but I will still have connectivity between the North and South
VRFs via the MX West core router. "

What I'm saying is that if the Packet Scrubber dies, the protocol
adjacency between VR North and VR South on the MX East device
will fail, and you could simply route directly from VR North to VR South
on the same device by using a simple floating static route pointing to
next-table. In other words, if traffic arrives in VR North on MX East
and the packet scrubber device dies, then the floating static in
vr_north.inet.0 will point to vr_south.inet.0, and vice-versa for
traffic in the reverse direction. So you have no need for a redundant
path through MX West; that would only be used in the event that the
entire MX East device goes down.

>> Of course, in your case you've got not just two VRFs but also an East
>> and West path which further complicates things - why not just connect
>> the MX West device into your L2 Packet Scrubber as well and keep
>> things the same on both the East and West device so that you can take
>> full advantage of two planes. This will keep configurations uniform
>> regardless of whether traffic comes in on the East or West devices.
>
> I should have given the reason why I do not put the L2 scrubber between
> the two routers: conservation of fiber. I already have fiber connecting
> the routers in different wiring centers for traffic that does not need
> to be scrubbed. Chewing up another set of strands is much more expensive
> than simply connecting both sides of the L2 scrubber to just one router
> in the same rack.

Makes sense...

--
Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ENT, JNCI
Technical Trainer, Juniper Networks

Follow us on Twitter @JuniperEducate
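One way to express the floating-static approach Stefan describes on MX East, as an added Junos configuration sketch that is not from the thread or its authors: IS-IS between vr_north and vr_south across the two scrubber-facing ports, plus a floating static in vr_north that falls back to next-table when the adjacency through the scrubber is lost. All interface names, addresses, ISO NETs and the preference value are assumptions, and the client prefix 10.1.0.0/16 and server prefix 10.2.0.0/16 are constructed.

```junos
/* Constructed Junos sketch for MX East, not from the thread. Interface names,
   addresses and ISO NETs are placeholders; ge-0/0/0 and ge-0/0/1 both attach to
   the L2 scrubber, so the two VRs are IS-IS neighbors only while it forwards. */
interfaces {
    ge-0/0/0 { unit 0 { family inet { address 192.0.2.1/30; } family iso; } }
    ge-0/0/1 { unit 0 { family inet { address 192.0.2.2/30; } family iso; } }
    ge-0/0/2 { unit 0 { family inet { address 10.1.0.1/16; } } }
    ge-0/0/3 { unit 0 { family inet { address 10.2.0.1/16; } } }
    lo0 {
        unit 1 { family iso { address 49.0001.0000.0000.0001.00; } }
        unit 2 { family iso { address 49.0001.0000.0000.0002.00; } }
    }
}
routing-instances {
    vr_north {
        instance-type virtual-router;
        interface ge-0/0/0.0;
        interface ge-0/0/2.0;
        interface lo0.1;
        protocols {
            isis {
                level 1 disable;
                interface ge-0/0/0.0;
                /* passive: advertise the client prefix without forming adjacencies */
                interface ge-0/0/2.0 { passive; }
            }
        }
        routing-options {
            static {
                /* Floating static: the IS-IS route for 10.2.0.0/16 learned through the
                   scrubber (preference 18) wins; this one is active only when it is gone. */
                route 10.2.0.0/16 { next-table vr_south.inet.0; preference 250; }
            }
        }
    }
    vr_south {
        instance-type virtual-router;
        interface ge-0/0/1.0;
        interface ge-0/0/3.0;
        interface lo0.2;
        protocols {
            isis {
                level 1 disable;
                interface ge-0/0/1.0;
                interface ge-0/0/3.0 { passive; }
            }
        }
    }
}
```

Only the vr_north to vr_south fallback is shown because the Junos commit check rejects a mirror-image static in vr_south pointing back at vr_north.inet.0 (the "next-table may loop" check), so the reverse direction needs a different construct such as a rib-group or an lt- interface. While the scrubber is up, `show route table vr_north.inet.0 10.2.0.0/16` should list the IS-IS route as active and the static as present but inactive, which is the state to verify before relying on the failover.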
