Scribd
Upload
95 views

JNCIE-SEC-11.a - C10 - Extended ImplementationConcepts - Pps

Uploaded by

Yang Jerry
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
95 views

JNCIE-SEC-11.a - C10 - Extended ImplementationConcepts - Pps

Uploaded by

Yang Jerry
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 24

Extended Implementation

Concepts

2014 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services
Objectives

After successfully completing this content, you will be


able to:
Describe the required knowledge needed under the
Extended Implementations concepts of JNCIE-SEC exam
Discuss the basic steps of configuration of these items
Verify that your configuration meets defined objectives

2014 Juniper Networks, Inc. All rights reserved. Worldwide Education Services www.juniper.net | 2
Agenda: Extended Implementation
Concepts

Transparent Mode
Filter-Based Forwarding

2014 Juniper Networks, Inc. All rights reserved. Worldwide Education Services www.juniper.net | 3
What Is Transparent Mode?

When a SRX is used in a Layer 2 mode

End User
Device

Internal Router to
Switch Outside

End User
Device
Possible locations for
the SRX to be
installed

2014 Juniper Networks, Inc. All rights reserved. Worldwide Education Services www.juniper.net | 4
What Are the Rules?

Can the SRX support transparent mode and Layer 3


at the same time? NO
How do the interfaces have to be configured?
family bridge
interface-mode trunk (if traffic is carried in VLANs)
interface-mode access (if the traffic is untagged)
What controls traffic forwarding?
VLANS and bridge domains
What is required before an SRX will process traffic in
Layer 2?
A rebootvery important to remember

2014 Juniper Networks, Inc. All rights reserved. Worldwide Education Services www.juniper.net | 5
Preparing a Device

Start with a minimally configured device


Inspect and possibly delete the following sections:
routing-options
interfaces
firewall
vlans
security

2014 Juniper Networks, Inc. All rights reserved. Worldwide Education Services www.juniper.net | 6
Configuration Steps Review

What are the configuration components?


Configure interfaces
Create IRB
Create bridge domain
Associate with L2 zones
Create L2 policies
Create a static route if necessary for IRB

2014 Juniper Networks, Inc. All rights reserved. Worldwide Education Services www.juniper.net | 7
Configure Interfaces

Place all interfaces in family bridge


Instead of port-mode use interface-mode
Access ports use vlan-id
Allows you to accept packets with no vlan-identifier
Trunk ports use vlan-id-list
Accepts and sends vlan tags

ACCESS TRUNK
[edit interfaces] [edit interfaces]
ge-0/0/1 { ge-0/0/1 {
unit 0 { unit 0 {
family bridge { family bridge {
interface-mode access; interface-mode trunk;
vlan-id 20; vlan-id-list 20;

2014 Juniper Networks, Inc. All rights reserved. Worldwide Education Services www.juniper.net | 8
Rewriting VLAN-ids

A bridge domain can only have a single VLAN


If a user is connecting using a different VLAN, rewrite
the vlan-id
[edit interfaces]
ge-0/0/1 {
unit 0 {
family bridge {
interface-mode trunk;
vlan-id-list 20;
vlan-rewrite {
translate 125 20;
}
}
}
}

2014 Juniper Networks, Inc. All rights reserved. Worldwide Education Services www.juniper.net | 9
Create IRB Interface for mgmt

Used for a Layer 3 access point


Manage the device
Apply firewall user authentication
Stream logs
Cannot route traffic directly
Must be on a link that is part of the same network
Needs a static route to get beyond local network
Responds to zone host-inbound-traffic of ingress
traffic
[edit interfaces irb]
unit 0 {
family inet {
address 10.1.1.50/24;

2014 Juniper Networks, Inc. All rights reserved. Worldwide Education Services www.juniper.net | 10
Create a Bridge-domain

Groups L2 interfaces into a single broadcast domain


[edit bridge-domains ]
L2_vlan20 {
domain-type bridge;
vlan-id 20;
routing-interface irb.0;
}
}

2014 Juniper Networks, Inc. All rights reserved. Worldwide Education Services www.juniper.net | 11
Associate Interfaces with Zones

Layer 2 interfaces need to be associated to zones


Policies need to be written for traffic to flow between
zones
Policies do not support:
NAT
IPsec VPNs
Intrusion detection
UTM

2014 Juniper Networks, Inc. All rights reserved. Worldwide Education Services www.juniper.net | 12
Options in Transparent Mode

Four options to control how the SRX floods traffic;


configured under [security flow bridge]
block-non-ip-all blocks all Layer 2 non-IP such as ARP, IGMP, DHCP;
included broadcast and multicast traffic
bypass-non-ip-unicast allows non-IP unicast Layer 2 traffic to pass
through the device (does not include IPv6)
no-packet-flooding changes the default behavior of flooding all unknown
destination MAC address frames our all interfaces with the same VLAN except
the one it came in on, and allows you to instead to ether send an ARP and ICMP
traceroute or just an ARP
bpdu-vlan-flooding changes the default behavior of BPDU flooding, which
is all our interfaces except the one it came in on and restricts the flooding only to
the originating VLAN

2014 Juniper Networks, Inc. All rights reserved. Worldwide Education Services www.juniper.net | 13
Transparent Mode Verification

Basic commands
To view all of the active bridge domains defined:
>show bridge domain
To view MAC addresses learned from MAC discovery:
>show bridge mac-table

2014 Juniper Networks, Inc. All rights reserved. Worldwide Education Services www.juniper.net | 14
Issues and Tips

Not rebooting device after only Layer 2 interfaces


have been configured
As long as the SRX is only connected to routed or
endpoint devices, loops should not be expected
Not including the appropriate interfaces in zones
Not including the proper services in the zones
Misconfigured firewall filter

2014 Juniper Networks, Inc. All rights reserved. Worldwide Education Services www.juniper.net | 15
Agenda: Extended Implementation
Concepts

Transparent Mode
Filter-Based Forwarding

2014 Juniper Networks, Inc. All rights reserved. Worldwide Education Services www.juniper.net | 16
What Is Filter-Based Forwarding?

When some traffic needs to follow a different path


than the normal routed traffic
End User Internet
Device

End User
Device
MPLS
Router
Web traffic

Security
Device

2014 Juniper Networks, Inc. All rights reserved. Worldwide Education Services www.juniper.net | 17
What Is Required? (1 of 2)

Requires a separate routing table? Yes


How do you create this table? Routing instance
What instance type? Forwarding
How do you put routes in the routing table?
Static route
What issue do you have when you add a static route
to a table that does not have any other routes?
Routes not active
You can create a rib-group to share routes from other
instances into the new routing-instance

2014 Juniper Networks, Inc. All rights reserved. Worldwide Education Services www.juniper.net | 18
What Is Required? (2 of 2)

How do we direct traffic to use the new


routing-instance for its route lookup?
Create a firewall filter that matches on the type of traffic you
want to redirect
Set the action of the firewall filter to be the new routing-
instance that we created
Apply the firewall filter as an ingress filter to the interface
receiving the traffic we want to redirect

2014 Juniper Networks, Inc. All rights reserved. Worldwide Education Services www.juniper.net | 19
Filter-Based Forwarding Config (1 of 2)

Routing instance RIB group


[edit routing-instances] [edit routing-options]
FW { interface-routes {
instance-type forwarding; rib-group inet share-routes;
routing-options { }
static { rib-groups {
route 0.0.0.0/0 share-routes {
next-hop 2.2.2.2; import-rib [ inet.0 FW.inet.0 ];
} }
} }
}

2014 Juniper Networks, Inc. All rights reserved. Worldwide Education Services www.juniper.net | 20
Filter-Based Forwarding Config (2 of 2)
Firewall filter Applying filter
[edit firewall family inet] [edit interfaces ge-0/0/1]
filter Forward_Web { unit 0 {
term 1 { family inet {
from { filter {
source-address { input Forward_Web;
10.200.101.11/32; }
} address 10.200.101.254/24;
destination-port [ 80 443 ]; }
} }
then {
routing-instance FW;
}
}
term 2 {
then accept;
}
}
2014 Juniper Networks, Inc. All rights reserved. Worldwide Education Services www.juniper.net | 21
Summary

In this content, we:


Described the required knowledge needed under the
Extended Implementations concepts of JNCIE-SEC exam
Discussed the basic steps of configuration of those items
Verified that your configuration meets defined objectives

2014 Juniper Networks, Inc. All rights reserved. Worldwide Education Services www.juniper.net | 22
Extended Implementations Lab

Perform filter-based forwarding.


Implement transparent mode.

2014 Juniper Networks, Inc. All rights reserved. Worldwide Education Services www.juniper.net | 23
Worldwide Education Services

You might also like