[j-nsp] Interconnect two VRFs via L2 security box with redundant path

Stefan Fouant sfouant at shortestpathfirst.net
Tue Apr 24 12:56:23 EDT 2012


On 4/24/2012 12:44 PM, Clarke Morledge wrote:
> I have a design question to propose to the list. Suppose I have two VRFs
> in my MX routing core. Servers connect to one VRF (South) and the
> clients connect to the other VRF (North). I have a Layer2 security
> packet scrubbing box for inspecting traffic between my servers and clients.
>
> I have a sample network diagram:
>
> http://i.imgur.com/ZuOoC.png
>
> Here are my restrictions:
>
> a. I need to interconnect the North and South VRFs with the Layer2
> security box physically at one of my two core routers (MX East).
>
> b. I also need to have a redundant path, preferably passing through the
> other core router (MX West). In the event that the Layer2 box dies, or
> if the MX East core router dies, unfortunately traffic will not get
> inspected but I will still have connectivity between the North and South
> VRFs via the MX West core router.
>
> c. Traffic is forced through the Layer2 box using dynamic routing
> protocols (I'd like to stay away from statics if I can). I would like to
> stick with IS-IS, but I could use BGP if needed for filtering purposes.
> I need to be careful not to introduce a routing loop between the two
> VRFs. The redundant link on MX West needs to be properly weighted such
> that it is completely passive except in the event that there is a
> failure at MX East and/or the Layer2 box.
>
> d. I have an MPLS infrastructure available in the core, so I could build
> a VPLS, L2 VPN, or L3 VPN if it would help. But I do want to keep things
> as simple as I can.
>
> How would you put together such a design? How would you implement the
> routing protocols between the VRFs? Would you use a logical tunnel at MX
> West to form the backup connection between the two VRFs? If you use
> vrf-import and vrf-export of routes (with auto-export) between the VRFs
> instead of a logical tunnel, how would you properly weight the routing
> information?

Clarke,

I've done designs like this before and it was always a combination of 
some dynamic routing protocol such as IS-IS or BGP between the two VRs 
across the L2 connection through the packet scrubber. This path will 
always be used so long as the adjacency remains operational.

If that adjacency goes down, a simple floating static (static route w/ 
higher preference than the dynamic BGP/IS-IS route) pointing to 
next-table will do the trick. No need to use logical tunnels or 
auto-export.

Of course, in your case you've got not just two VRFs but also an East 
and West path which further complicates things - why not just connect 
the MX West device into your L2 Packet Scrubber as well and keep things 
the same on both the East and West device so that you can take full 
advantage of two planes. This will keep configurations uniform 
regardless of whether traffic comes in on the East or West devices.

-- 
Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ENT, JNCI
Technical Trainer, Juniper Networks

Follow us on Twitter @JuniperEducate
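The floating-static-plus-next-table arrangement Stefan describes, written out as a Junos configuration fragment. This is an added example, not configuration from either poster. Everything in it is constructed: the prefixes (10.1.0.0/16 for clients behind North, 10.2.0.0/16 for servers behind South), the 192.0.2.0/30 link that runs through the L2 scrubber, the interface names ge-0/0/0 and ge-0/0/1 on MX East, the NETs, and the route-distinguisher/vrf-target values. The IS-IS adjacency between the two instances is formed across the scrubber; the static route only becomes active when that adjacency drops, because its preference (200) is worse than IS-IS internal (18), IS-IS external (165) and BGP (170).

```junos
/* Added example, not from the thread. Constructed addressing and names. */
interfaces {
    ge-0/0/0 {
        description "North side of the L2 scrubber";
        unit 0 {
            family inet { address 192.0.2.1/30; }
            family iso;
        }
    }
    ge-0/0/1 {
        description "South side of the L2 scrubber";
        unit 0 {
            family inet { address 192.0.2.2/30; }
            family iso;
        }
    }
    lo0 {
        unit 1 { family iso { address 49.0001.0000.0000.0001.00; } }
        unit 2 { family iso { address 49.0001.0000.0000.0002.00; } }
    }
}
routing-instances {
    North {
        instance-type vrf;
        interface ge-0/0/0.0;
        interface lo0.1;
        route-distinguisher 65000:1;   /* placeholder value */
        vrf-target target:65000:1;     /* placeholder value */
        routing-options {
            static {
                /* Backup path only: preference 200 loses to the IS-IS route
                   learned across the scrubber while that adjacency is up. */
                route 10.2.0.0/16 {
                    next-table South.inet.0;
                    preference 200;
                }
            }
        }
        protocols {
            isis {
                level 1 disable;
                interface ge-0/0/0.0 { point-to-point; }
                interface lo0.1 { passive; }
            }
        }
    }
    South {
        instance-type vrf;
        interface ge-0/0/1.0;
        interface lo0.2;
        route-distinguisher 65000:2;   /* placeholder value */
        vrf-target target:65000:2;     /* placeholder value */
        routing-options {
            static {
                /* Mirror of the North backup route, same preference logic. */
                route 10.1.0.0/16 {
                    next-table North.inet.0;
                    preference 200;
                }
            }
        }
        protocols {
            isis {
                level 1 disable;
                interface ge-0/0/1.0 { point-to-point; }
                interface lo0.2 { passive; }
            }
        }
    }
}
```

Two things worth checking before relying on this. First, confirm the active route with `show route 10.2.0.0/16 table North.inet.0`: when the entry shows as `Static` with preference 200 rather than `IS-IS`, traffic is crossing between the VRFs uninspected, so that state is the one to alarm on (a syslog match on the adjacency going down, or a periodic check of the active protocol for that prefix, is enough). Second, Junos applies a commit-time check against next-table loops; if it rejects the two mutually referencing statics on your release, the usual alternative is importing the backup prefixes with a rib-group instead, keeping the same preference so the IS-IS route across the scrubber still wins.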

