[j-nsp] Interconnect two VRFs via L2 security box with redundant path

Clarke Morledge chmorl at wm.edu
Tue Apr 24 12:44:20 EDT 2012 

I have a design question to propose to the list.  Suppose I have two VRFs in my 
MX routing core.  Servers connect to one VRF (South) and the clients connect to 
the other VRF (North).  I have a Layer2 security packet scrubbing box  for 
inspecting traffic between my servers and clients.

I have a sample network diagram:

http://i.imgur.com/ZuOoC.png

Here are my restrictions:

a. I need to interconnect the North and South VRFs with the Layer2 security box 
physically at one of my two core routers (MX East).

b. I also need to have a redundant path, preferably passing through the other 
core router (MX West).  In the event that the Layer2 box dies, or if the MX 
East core router dies, unfortunately traffic will not get inspected but I will 
still have connectivity between the North and South VRFs via the MX West core 
router.

c. Traffic is forced through the Layer2 box using dynamic routing protocols 
(I'd like to stay away from statics if I can).  I would like to stick with 
IS-IS, but I could use BGP if needed for filtering purposes. I need to be 
careful not to introduce a routing loop between the two VRFs. The redundant 
link on MX West needs to be properly weighted such that it is completely 
passive except in the event that there is a failure at MX East and/or the 
Layer2 box.

d. I have an MPLS infrastructure available in the core, so I could build a 
VPLS, L2 VPN, or L3 VPN if it would help.  But I do want to keep things as 
simple as I can.

How would you put together such a design?  How would you implement the routing 
protocols between the VRFs?  Would you use a logical tunnel at MX West to form 
the backup connection between the two VRFs?  If you use vrf-import and 
vrf-export of routes (with auto-export) between the VRFs instead of a logical 
tunnel, how would you properly weight the routing information?

Thanks.

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187

More information about the juniper-nsp mailing list