MPLS VPN and the MS-MIC next-hop-service

Since I am interested in MPLS VPNs, I thought I’d share a quick and easy example configuration. In this example, I'll enable both NAT and stateful firewalling for an MPLS VPN. The topology on which I was trying out this configuration was the following:



Packets that are sent from the VPN to the Internet, and vice versa, pass a stateful firewall that is configured on the MIC. Furthermore, all users with a private IP address will be able to access the Internet through a single public IP address. This is done by configuring NAPT-44.

The service-set is configured with the next-hop-service. This is used instead of enabling the service-set in the [ edit interfaces <name> unit x family inet service ] stanza.

The MS-interface part:
set interfaces ms-0/0/0 unit 1 description test-firewall-outside
set interfaces ms-0/0/0 unit 1 family inet
set interfaces ms-0/0/0 unit 1 service-domain outside

set interfaces ms-0/0/0 unit 2 description test-firewall-inside
set interfaces ms-0/0/0 unit 2 family inet address 96.0.0.1/24
set interfaces ms-0/0/0 unit 2 service-domain inside

The routing-instance part:

The routing-instance is configured with two things that are interesting in this scenario. First, the inside firewall interface is placed inside the MPLS VPN. Second (the last configuration command), the MPLS VPN’s default route has the ms-0/0/0.2 interface as a next-hop:

set routing-instances ipvpn instance-type vrf
set routing-instances ipvpn interface ms-0/0/0.2
set routing-instances ipvpn interface ae1.4002
set routing-instances ipvpn interface ae1.4003
set routing-instances ipvpn route-distinguisher 1:1
set routing-instances ipvpn vrf-target target:1:1
set routing-instances ipvpn vrf-table-label
set routing-instances ipvpn routing-options static route 0.0.0.0/0 next-hop ms-0/0/0.2

Another thing that may be useful is the configuration of interface ae1.4003. This interface is configured as follows:

set interfaces ae1 unit 4003 description dc-server-farm
set interfaces ae1 unit 4003 vlan-id 4003
set interfaces ae1 unit 4003 family inet unnumbered-address ms-0/0/0.2

The interface is using the IP address that is configured under the ms-0/0/0.2 interface. This way, for the DC location, the ms-0/0/0.2 interface is acting as a default gateway (I suppose this setup could be useful in a hub-and-spoke topology).

The static routes part:

The public IP addresses in use inside the MPLS VPN are simply routed towards the outside interface of the firewall. The following static routes, configured for the global routing table, will make three /24s reachable through the stateful firewall:

set routing-options static route 96.0.0.0/24 next-hop ms-0/0/0.1
set routing-options static route 96.1.0.0/24 next-hop ms-0/0/0.1
set routing-options static route 96.2.0.0/24 next-hop ms-0/0/0.1

Another policy on the MX will advertise these public IP addresses to the rest of the world. So adding any additional prefix to the MPLS VPN becomes very easy.

The stateful firewall part:

Not a lot of (sensible) rules, but I’m sure that you can understand where I’m going with this:

set services stateful-firewall rule input-rules match-direction input
set services stateful-firewall rule input-rules term 1-cloud from source-address 96.1.0.3/32
set services stateful-firewall rule input-rules term 1-cloud from destination-address 80.0.0.2/32
set services stateful-firewall rule input-rules term 1-cloud then accept
set services stateful-firewall rule input-rules term 2-datacenter1 from source-address 96.0.0.2/32
set services stateful-firewall rule input-rules term 2-datacenter1 from destination-address 80.0.0.2/32
set services stateful-firewall rule input-rules term 2-datacenter1 then accept
set services stateful-firewall rule input-rules term 3-datacenter2 from source-address 96.2.0.2/32
set services stateful-firewall rule input-rules term 3-datacenter2 from destination-address 80.0.0.2/32
set services stateful-firewall rule input-rules term 3-datacenter2 then accept

The NAT part:

First the nat pool and the nat-rule:

set services nat pool firewall-public address 89.0.0.4/32
set services nat pool firewall-public port automatic

set services nat rule nat-firewall match-direction input
set services nat rule nat-firewall term 1 from destination-address any-ipv4
set services nat rule nat-firewall term 1 from source-prefix-list rfc1918
set services nat rule nat-firewall term 1 then translated source-pool firewall-public
set services nat rule nat-firewall term 1 then translated translation-type napt-44

set policy-options prefix-list rfc1918 10.0.0.0/8
set policy-options prefix-list rfc1918 172.16.0.0/12
set policy-options prefix-list rfc1918 192.168.0.0/16

The addresses that are eligible to be translated also need to be allowed by the firewall. For this, another rule was needed:

set services stateful-firewall rule input-rules term 4-rfc1918-napt-access-to-internet from destination-address any-ipv4
set services stateful-firewall rule input-rules term 4-rfc1918-napt-access-to-internet from source-prefix-list rfc1918
set services stateful-firewall rule input-rules term 4-rfc1918-napt-access-to-internet then accept

The service-set part:

Finally, the service-set. Here, we need to enable both NAT and firewalling for the service-set. Additionally, we need to put in a reference to the ms-interfaces we configured:

set services service-set test-firewall stateful-firewall-rules input-rules
set services service-set test-firewall nat-rules nat-firewall
set services service-set test-firewall next-hop-service inside-service-interface ms-0/0/0.2
set services service-set test-firewall next-hop-service outside-service-interface ms-0/0/0.1
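A way to sanity-check those cross-references before committing, as an added example that is not part of the original post: it reads the set commands (a constructed subset of the ones above) and reports any rule, pool or prefix-list that a stanza names but the configuration does not define, and any next-hop-service interface whose service-domain does not match its inside/outside role.

```python
# Constructed sample: the post's set commands, trimmed to the lines these checks read.
CONFIG = """
set interfaces ms-0/0/0 unit 1 service-domain outside
set interfaces ms-0/0/0 unit 2 service-domain inside
set services stateful-firewall rule input-rules term 4-rfc1918-napt-access-to-internet from source-prefix-list rfc1918
set services nat pool firewall-public address 89.0.0.4/32
set services nat rule nat-firewall term 1 from source-prefix-list rfc1918
set services nat rule nat-firewall term 1 then translated source-pool firewall-public
set policy-options prefix-list rfc1918 10.0.0.0/8
set services service-set test-firewall stateful-firewall-rules input-rules
set services service-set test-firewall nat-rules nat-firewall
set services service-set test-firewall next-hop-service inside-service-interface ms-0/0/0.2
set services service-set test-firewall next-hop-service outside-service-interface ms-0/0/0.1
"""

def check_references(config: str) -> list[str]:
    """Return dangling cross-references in the service-set config; [] means consistent."""
    rows = [l.split()[1:] for l in config.strip().splitlines() if l.startswith("set ")]

    def after(*path):  # tokens following a hierarchy prefix, one list per matching line
        return [r[len(path):] for r in rows if tuple(r[:len(path)]) == path]

    # ms-X/Y/Z.unit -> service-domain, built from the [edit interfaces] lines
    domains = {f"{r[0]}.{r[2]}": r[4] for r in after("interfaces")
               if len(r) > 4 and r[1] == "unit" and r[3] == "service-domain"}
    fw_rules = {r[0] for r in after("services", "stateful-firewall", "rule")}
    nat_rules = {r[0] for r in after("services", "nat", "rule")}
    nat_pools = {r[0] for r in after("services", "nat", "pool")}
    prefix_lists = {r[0] for r in after("policy-options", "prefix-list")}

    findings = []
    for r in after("services", "service-set"):
        ss, key, val = r[0], r[1], r[-1]
        if key == "stateful-firewall-rules" and val not in fw_rules:
            findings.append(f"{ss}: stateful-firewall rule '{val}' is not defined")
        elif key == "nat-rules" and val not in nat_rules:
            findings.append(f"{ss}: nat rule '{val}' is not defined")
        elif key == "next-hop-service":  # inside/outside must match the unit's service-domain
            want = "inside" if r[2] == "inside-service-interface" else "outside"
            if domains.get(val) != want:
                findings.append(f"{ss}: {val} is not an ms unit with service-domain {want}")
    for r in rows:  # pools and prefix-lists named inside rule terms must exist
        for k, known in (("source-pool", nat_pools), ("source-prefix-list", prefix_lists),
                         ("destination-prefix-list", prefix_lists)):
            if k in r and r[r.index(k) + 1] not in known:
                findings.append(f"{k} '{r[r.index(k) + 1]}' is not defined")
    return findings
```

Run it over the full `show configuration | display set` output of the box to check the real stanzas rather than this sample.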

In closing, a short overview of which configuration stanzas reference each other:



The example configuration was applied to an MX104 running Junos 14.2R3.8. The MX was outfitted with an MS-MIC-16G.

10-6-2015