
Extended Implementation Concepts

2014 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services
Objectives

After successfully completing this content, you will be able to:

- Describe the required knowledge needed under the Extended Implementations concepts of the JNCIE-SEC exam
- Discuss the basic steps of configuration of these items
- Verify that your configuration meets defined objectives

Agenda: Extended Implementation Concepts

- Transparent Mode
- Filter-Based Forwarding

What Is Transparent Mode?

Transparent mode is when an SRX is used in a Layer 2 (bridging) mode.

[Figure: end-user devices connect to an internal switch, which connects to a router to the outside. The SRX can be installed either between the end-user devices and the switch or between the switch and the router; both are possible locations for a transparent-mode SRX.]

What Are the Rules?

- Can the SRX support transparent mode and Layer 3 at the same time? No.
- How do the interfaces have to be configured?
  family bridge
  interface-mode trunk (if traffic is carried in VLANs)
  interface-mode access (if the traffic is untagged)
- What controls traffic forwarding? VLANs and bridge domains.
- What is required before an SRX will process traffic at Layer 2? A reboot (very important to remember).

Preparing a Device

Start with a minimally configured device. Inspect, and if necessary delete, the following configuration sections:

- routing-options
- interfaces
- firewall
- vlans
- security

Configuration Steps Review

What are the configuration components?

1. Configure interfaces
2. Create the IRB interface
3. Create the bridge domain
4. Associate the interfaces with Layer 2 zones
5. Create Layer 2 policies
6. Create a static route, if necessary, for the IRB

Configure Interfaces

Place all interfaces in family bridge:

- Instead of port-mode, use interface-mode
- Access ports use vlan-id; the port accepts packets with no VLAN identifier and assigns them to that VLAN
- Trunk ports use vlan-id-list; the port accepts and sends VLAN-tagged frames for the listed VLANs

ACCESS

[edit interfaces]
ge-0/0/1 {
    unit 0 {
        family bridge {
            interface-mode access;
            vlan-id 20;
        }
    }
}

TRUNK

[edit interfaces]
ge-0/0/1 {
    unit 0 {
        family bridge {
            interface-mode trunk;
            vlan-id-list 20;
        }
    }
}

Rewriting VLAN IDs

A bridge domain can only have a single VLAN. If a user connects using a different VLAN, rewrite the VLAN ID on the interface. The translate statement is bidirectional on that interface: frames arriving with tag 125 are rewritten to 20 before bridging, and frames leaving on VLAN 20 are rewritten back to 125.

[edit interfaces]
ge-0/0/1 {
    unit 0 {
        family bridge {
            interface-mode trunk;
            vlan-id-list 20;
            vlan-rewrite {
                translate 125 20;
            }
        }
    }
}

Create IRB Interface for Management

The IRB interface is used as a Layer 3 access point to:

- Manage the device
- Apply firewall user authentication
- Stream logs

Constraints:

- It cannot route transit traffic
- It must be on a link that is part of the same network as the hosts it communicates with
- It needs a static route to get beyond the local network
- Whether it answers is governed by the host-inbound-traffic settings of the Layer 2 zone that owns the ingress interface

[edit interfaces irb]
unit 0 {
    family inet {
        address 10.1.1.50/24;
    }
}

Create a Bridge Domain

A bridge domain groups Layer 2 interfaces into a single broadcast domain.

[edit bridge-domains]
L2_vlan20 {
    domain-type bridge;
    vlan-id 20;
    routing-interface irb.0;
}

Associate Interfaces with Zones

Layer 2 interfaces need to be associated with zones, and policies need to be written for traffic to flow between zones.

Layer 2 policies do not support:

- NAT
- IPsec VPNs
- Intrusion detection
- UTM

Options in Transparent Mode

Four options control how the SRX floods traffic; they are configured under [edit security flow bridge]:

- block-non-ip-all: blocks all Layer 2 non-IP traffic such as ARP, IGMP and DHCP, including broadcast and multicast traffic
- bypass-non-ip-unicast: allows non-IP unicast Layer 2 traffic to pass through the device (does not include IPv6)
- no-packet-flooding: changes the default behavior of flooding frames with an unknown destination MAC address out all interfaces in the same VLAN except the one the frame arrived on; instead the SRX resolves the destination by sending either an ARP request and an ICMP traceroute, or just an ARP request
- bpdu-vlan-flooding: changes the default behavior of BPDU flooding, which is out all interfaces except the one the frame arrived on, and restricts the flooding to the originating VLAN
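Putting the transparent-mode steps together (interfaces, IRB, bridge domain, Layer 2 zones and policy, static route, flooding control) as one complete build in set form. This is an added example, not a configuration from the original slides; the interface names, addresses, zone names and the choice of block-non-ip-all are assumptions. The comment lines are for the reader and must be removed before pasting into "load set terminal".

```junos
# Added example, not from the original slides. Assumed topology: ge-0/0/1 faces the
# users (untagged, VLAN 20), ge-0/0/2 faces the router (tagged, VLAN 20), irb.0 is
# 10.1.1.50/24 with the management gateway at 10.1.1.1, zones L2-trust / L2-untrust.

# 1. Layer 2 interfaces: an access port toward the users, a trunk toward the router
set interfaces ge-0/0/1 unit 0 family bridge interface-mode access
set interfaces ge-0/0/1 unit 0 family bridge vlan-id 20
set interfaces ge-0/0/2 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/2 unit 0 family bridge vlan-id-list 20

# 2. IRB: management address only; it does not forward transit traffic in transparent mode
set interfaces irb unit 0 family inet address 10.1.1.50/24

# 3. Bridge domain: both ports and the IRB in one broadcast domain for VLAN 20
set bridge-domains L2_vlan20 domain-type bridge
set bridge-domains L2_vlan20 vlan-id 20
set bridge-domains L2_vlan20 routing-interface irb.0

# 4. Layer 2 zones; host-inbound-traffic on the ingress zone is what lets a host
#    on that side reach irb.0 (SSH only from the trusted side, ping from both)
set security zones security-zone L2-trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone L2-trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone L2-untrust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping

# 5. Layer 2 policy: permit and log; NAT, IPsec, IDP and UTM actions are not available here
set security policies from-zone L2-trust to-zone L2-untrust policy users-out match source-address any
set security policies from-zone L2-trust to-zone L2-untrust policy users-out match destination-address any
set security policies from-zone L2-trust to-zone L2-untrust policy users-out match application any
set security policies from-zone L2-trust to-zone L2-untrust policy users-out then permit
set security policies from-zone L2-trust to-zone L2-untrust policy users-out then log session-close

# 6. Static route so management traffic from irb.0 can leave 10.1.1.0/24
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.1

# 7. Flooding control: drop Layer 2 non-IP traffic instead of flooding it through the firewall
set security flow bridge block-non-ip-all

# commit, then "request system reboot": the SRX does not start Layer 2 processing
# until it has been rebooted with only family bridge interfaces configured
```

After the reboot, "show bridge domain" should list L2_vlan20 with ge-0/0/1.0, ge-0/0/2.0 and irb.0, and "show bridge mac-table" should fill with the MAC addresses of the hosts on each side once they send traffic. If SSH to 10.1.1.50 fails from the user side, the first thing to check is the host-inbound-traffic on the zone that owns the ingress interface, not the IRB itself.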

Transparent Mode Verification

Basic commands:

- To view all of the active bridge domains defined:
  user@srx> show bridge domain
- To view MAC addresses learned through MAC discovery:
  user@srx> show bridge mac-table

Issues and Tips

Common mistakes:

- Not rebooting the device after only Layer 2 interfaces have been configured
- Not including the appropriate interfaces in zones
- Not including the proper services (host-inbound-traffic) in the zones
- A misconfigured firewall filter

As long as the SRX is only connected to routed or endpoint devices, loops should not be expected.

Agenda: Extended Implementation Concepts

- Transparent Mode
- Filter-Based Forwarding

What Is Filter-Based Forwarding?

Filter-based forwarding is used when some traffic needs to follow a different path than the normal routed traffic.

[Figure: end-user devices connect to an MPLS router with a path to the Internet. Web traffic from the end-user devices is diverted through a separate security device instead of following the normal routed path.]

What Is Required? (1 of 2)

- Does it require a separate routing table? Yes.
- How do you create this table? With a routing instance.
- What instance type? Forwarding.
- How do you put routes in the routing table? With a static route.
- What issue do you have when you add a static route to a table that does not have any other routes? The route is not active, because its next hop cannot be resolved in that table.
- You can create a rib-group to share routes from other instances into the new routing instance.

What Is Required? (2 of 2)

How do we direct traffic to use the new routing instance for its route lookup?

1. Create a firewall filter that matches on the type of traffic you want to redirect
2. Set the action of the firewall filter to be the new routing instance that we created
3. Apply the firewall filter as an ingress (input) filter on the interface receiving the traffic we want to redirect

Filter-Based Forwarding Config (1 of 2)

Routing instance

[edit routing-instances]
FW {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 2.2.2.2;
        }
    }
}

RIB group

[edit routing-options]
interface-routes {
    rib-group inet share-routes;
}
rib-groups {
    share-routes {
        import-rib [ inet.0 FW.inet.0 ];
    }
}

Filter-Based Forwarding Config (2 of 2)

Firewall filter

[edit firewall family inet]
filter Forward_Web {
    term 1 {
        from {
            source-address {
                10.200.101.11/32;
            }
            protocol tcp;
            destination-port [ 80 443 ];
        }
        then {
            routing-instance FW;
        }
    }
    term 2 {
        then accept;
    }
}

Applying the filter

[edit interfaces ge-0/0/1]
unit 0 {
    family inet {
        filter {
            input Forward_Web;
        }
        address 10.200.101.254/24;
    }
}

Two details matter here. The destination-port match is paired with protocol tcp; without it Junos warns at commit and the filter would also steer non-TCP packets whose transport header happens to carry 80 or 443 at that offset. And term 2 with an unconditional accept is required, because a firewall filter ends in an implicit discard: without it, all other traffic entering ge-0/0/1 would be dropped.
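The same filter-based-forwarding build in set form, followed by the checks that confirm the static route became active and that the selected traffic really leaves through the new instance. This is an added example, not a configuration from the original slides; the second interface (ge-0/0/3 on 2.2.2.0/30 toward the security device), the Internet-facing ge-0/0/2 and the counter name are assumptions. Comment lines are for the reader and must be removed before pasting into "load set terminal".

```junos
# Added example, not from the original slides. Assumed topology: ge-0/0/1 is the user LAN
# 10.200.101.0/24 (host 10.200.101.11), ge-0/0/3 is 2.2.2.1/30 toward the security device
# at 2.2.2.2, ge-0/0/2 carries the normal default route toward the Internet.

# Interfaces; the 2.2.2.0/30 direct route is what the rib-group has to share into FW.inet.0
set interfaces ge-0/0/1 unit 0 family inet address 10.200.101.254/24
set interfaces ge-0/0/3 unit 0 family inet address 2.2.2.1/30

# Forwarding instance with only a default route. On its own this route stays inactive:
# FW.inet.0 contains nothing that resolves the next hop 2.2.2.2
set routing-instances FW instance-type forwarding
set routing-instances FW routing-options static route 0.0.0.0/0 next-hop 2.2.2.2

# Fix: a rib-group that copies the interface (direct) routes from inet.0 into FW.inet.0
set routing-options rib-groups share-routes import-rib [ inet.0 FW.inet.0 ]
set routing-options interface-routes rib-group inet share-routes

# Filter: only the named host's TCP 80/443 is looked up in FW; everything else is accepted
# explicitly, because a filter ends in an implicit discard
set firewall family inet filter Forward_Web term 1 from source-address 10.200.101.11/32
set firewall family inet filter Forward_Web term 1 from protocol tcp
set firewall family inet filter Forward_Web term 1 from destination-port [ 80 443 ]
set firewall family inet filter Forward_Web term 1 then count web-to-fw
set firewall family inet filter Forward_Web term 1 then routing-instance FW
set firewall family inet filter Forward_Web term 2 then accept

# Apply as an input filter on the interface that receives the traffic to be steered
set interfaces ge-0/0/1 unit 0 family inet filter input Forward_Web

# Checks after commit:
#   show route table FW.inet.0
#       0.0.0.0/0 via 2.2.2.2 must be active (marked *), next to the shared direct routes;
#       if it is hidden or missing, the rib-group is not applied or 2.2.2.0/30 is down
#   show firewall filter Forward_Web
#       counter web-to-fw increments only for 10.200.101.11 to TCP 80/443
#   show security flow session source-prefix 10.200.101.11 destination-port 443
#       the outgoing wing must list ge-0/0/3.0, not ge-0/0/2.0
```

To prove the "routes not active" problem to yourself, commit the routing instance without the two rib-group lines and run "show route table FW.inet.0" first: the default route is present but not active, and the steered flows fail. Adding the rib-group and committing again is all that changes between the broken and the working state.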
Summary

In this content, we:

- Described the required knowledge needed under the Extended Implementations concepts of the JNCIE-SEC exam
- Discussed the basic steps of configuration of those items
- Verified that your configuration meets defined objectives

Extended Implementations Lab

- Perform filter-based forwarding
- Implement transparent mode
