Multiservices MIC quick start: turning the MX into a stateful firewall

This is a quick start guide to enabling stateful firewalling on an MX router. In this example, I'll enable the MS-MIC-16G in an MX104. After that, I'll configure stateful firewalling that allows communication between the loopback IP addresses of two routers:



This day started with a goody from Juniper, an MS-MIC-16G:



What I usually like to do, before deep-diving into the documentation, is to just get it working ASAP. So I unpacked the box and slid the card into an MX104 right away.

After I had inserted the card, I saw it became part of the hardware inventory, but no services interfaces appeared. After some digging, I found that an MX104 needs to run at least Junos OS 14.2 to be able to use the MS-MIC-16G. Starting with 14.2, the interface ms-0/0/0 appears and you can have a go at it.

So, let's assume you're using an MX104 running at least Junos OS 14.2. After inserting the card, check which FPC it sits in using the 'show chassis hardware models' command:

< output omitted >
FPC 0                     BUILTIN      BUILTIN
  MIC 0          REV 17   750-043688   JABR9999          MS-MIC-16G
< output omitted >

This tells us that the services MIC was placed into FPC0. This is important later on, when we want to enable the MIC for layer 3 services.

On to the quick start for this scenario:



Enabling the services MIC for layer 3 services:
set chassis fpc 0 pic 0 adaptive-services service-package layer-3

Configuring a service-set, binding it to a logical services interface and to a firewall rule:
set services service-set test-firewall stateful-firewall-rules Aurelius
set services service-set test-firewall interface-service service-interface ms-0/0/0.1

Configuring the firewall rule for our scenario:
set services stateful-firewall rule Aurelius match-direction input
set services stateful-firewall rule Aurelius term 1 from source-address 1.1.1.1/32
set services stateful-firewall rule Aurelius term 1 from destination-address 1.1.1.3/32
set services stateful-firewall rule Aurelius term 1 then accept

Configuring the services interface:
set interfaces ms-0/0/0 unit 1 description test-firewall
set interfaces ms-0/0/0 unit 1 family inet

Configuring the interface towards the Aurelius router, with the service-set applied in both directions (this is what enables stateful firewalling on the interface):
set interfaces xe-2/0/0 unit 4000 description Aurelius
set interfaces xe-2/0/0 unit 4000 vlan-id 4000
set interfaces xe-2/0/0 unit 4000 family inet mtu 1500
set interfaces xe-2/0/0 unit 4000 family inet service input service-set test-firewall
set interfaces xe-2/0/0 unit 4000 family inet service output service-set test-firewall
set interfaces xe-2/0/0 unit 4000 family inet address 192.168.1.2/30

Configuring the interface towards the Gaius router (just a plain old regular interface configuration):
set interfaces ae1 unit 4000 description Gaius
set interfaces ae1 unit 4000 vlan-id 4000
set interfaces ae1 unit 4000 family inet mtu 1500
set interfaces ae1 unit 4000 family inet address 192.168.0.2/30


That was really all there was to it. Of course, it is also nice to see that it actually works. Let's start by verifying this from the Aurelius router:

play@MX480-TEST-RE0:Aurelius> ping 1.1.1.3 source 1.1.1.1 count 100 rapid
PING 1.1.1.3 (1.1.1.3): 56 data bytes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
--- 1.1.1.3 ping statistics ---
100 packets transmitted, 100 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.651/0.753/1.194/0.092 ms

{master}
play@MX480-TEST-RE0:Aurelius> ping 1.1.1.3
PING 1.1.1.3 (1.1.1.3): 56 data bytes
^C
--- 1.1.1.3 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

{master}
play@MX480-TEST-RE0:Aurelius>

This tells us that IP connectivity from source 1.1.1.1 towards destination 1.1.1.3 is there. When the packets are sourced from another IP address, there is no IP connectivity.

The following command can be used to see what flows were created by the Multiservices MIC:

play@MX104-TEST-HB> show services stateful-firewall flows
Interface: ms-0/0/0, Service set: test-firewall
Flow                                                State    Dir       Frm count
ICMP            1.1.1.1        ->         1.1.1.3        Watch    I             100
ICMP            1.1.1.3        ->         1.1.1.1        Watch    O             100

The output above shows us there is an active flow pair for service-set 'test-firewall' on ms-0/0/0, allowing ICMP from Aurelius towards Gaius (direction I) and the replies back (direction O).

play@MX104-TEST-HB> show services stateful-firewall statistics
Interface   Service set          Accept      Discard       Reject       Errors
ms-0/0/0    test-firewall             1            1            0            0

play@MX104-TEST-HB>

The output above tells us that 1 flow was accepted and 1 flow was discarded. The discarded flow was our attempt to source the ICMP from an IP address other than the one allowed in the stateful-firewall rule.
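Checking the flow table by eye works for two flows, but on a busier service-set you want to compare what the MIC is tracking against what the rule is supposed to allow. The script below is an added example (my own, not part of the original post and not Juniper code): it parses the 'show services stateful-firewall flows' and 'show services stateful-firewall statistics' output shown above, encodes term 1 of rule Aurelius as the expected policy, and reports any tracked flow that the policy does not explain. The output samples are the ones from this post; the extra TCP flow line appended at the end is constructed purely to show the check firing, and the column regexes assume the column layout seen in this post's output.

```python
"""Audit MS-MIC stateful-firewall flow/statistics output against the configured term."""
import ipaddress
import re
from dataclasses import dataclass

# Output as captured in the post (constant copied from the CLI session above).
FLOWS_OUTPUT = """\
Interface: ms-0/0/0, Service set: test-firewall
Flow                                                State    Dir       Frm count
ICMP            1.1.1.1        ->         1.1.1.3        Watch    I             100
ICMP            1.1.1.3        ->         1.1.1.1        Watch    O             100
"""

STATS_OUTPUT = """\
Interface   Service set          Accept      Discard       Reject       Errors
ms-0/0/0    test-firewall             1            1            0            0
"""

# Constructed line (not from the post) representing a flow the rule never allowed.
UNEXPECTED_FLOW_LINE = "TCP             10.0.0.5       ->         1.1.1.3        Watch    I               3\n"

# Term 1 of rule Aurelius from the configuration above (match-direction input).
POLICY = [
    {"src": ipaddress.ip_network("1.1.1.1/32"), "dst": ipaddress.ip_network("1.1.1.3/32")},
]


@dataclass
class Flow:
    interface: str
    service_set: str
    proto: str
    src: str
    dst: str
    state: str
    direction: str  # "I" (input) or "O" (output) as printed by the CLI
    frames: int


# Column layout assumed from the output in the post.
HEADER_RE = re.compile(r"^Interface:\s+(\S+),\s+Service set:\s+(\S+)$")
FLOW_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+([IO])\s+(\d+)$")


def parse_flows(text):
    """Return one Flow per data line, tagged with the interface/service-set header above it."""
    flows = []
    iface = sset = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            iface, sset = m.groups()
            continue
        m = FLOW_RE.match(line)
        if m and iface is not None:
            proto, src, dst, state, direction, frames = m.groups()
            flows.append(Flow(iface, sset, proto, src, dst, state, direction, int(frames)))
    return flows


def parse_statistics(text):
    """Map (interface, service-set) to the four counters; the header has 7 tokens and is skipped."""
    stats = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) == 6:
            iface, sset, *counts = parts
            stats[(iface, sset)] = dict(zip(("accept", "discard", "reject", "errors"), map(int, counts)))
    return stats


def flow_allowed(flow, policy=POLICY):
    """An input flow must match a term; an output flow is the reverse of an allowed input flow,
    i.e. the return state the firewall created for it."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if flow.direction == "O":
        src, dst = dst, src
    return any(src in term["src"] and dst in term["dst"] for term in policy)


def audit(flows_text, stats_text, policy=POLICY):
    """Summarise the flow table: total flows, flows the policy does not explain, and counters."""
    flows = parse_flows(flows_text)
    unexpected = [f for f in flows if not flow_allowed(f, policy)]
    return {"flows": len(flows), "unexpected": unexpected, "stats": parse_statistics(stats_text)}


if __name__ == "__main__":
    report = audit(FLOWS_OUTPUT + UNEXPECTED_FLOW_LINE, STATS_OUTPUT)
    print(f"{report['flows']} flows tracked, {len(report['unexpected'])} not explained by policy")
    for f in report["unexpected"]:
        print(f"  unexpected: {f.proto} {f.src} -> {f.dst} dir={f.direction} on {f.interface}/{f.service_set}")
    for key, counters in report["stats"].items():
        print(f"  {key[0]}/{key[1]}: {counters}")
```

Run against the real outputs only, the audit reports two tracked flows and none unexpected, which is exactly what the rule should produce; the discard counter of 1 is the rejected ping from the other source address. A flow that shows up as unexpected means either the rule allows more than you think or the output is coming from a different service-set than the one you audited.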

There is a lot more that the Multiservices MIC has to offer on the topic of stateful firewalling. Besides that, the Multiservices MIC also allows for IPsec, carrier-grade NAT, flow monitoring and more. According to Juniper, it provides 9GB of service throughput, which makes it quite a beasty firewall.

Enough for today's quick start. I'll try to do another post on the Multiservices MIC somewhere in the near future.

28-5-2015