Configure MLFR (Multilink Frame Relay) on Juniper SRX Firewalls
I came across one of the integrated-services type firewalls and was asked to configure an MLFR bundle on it. The firewall was a Juniper SRX (I admit, I love these boxes). But MLFR on a firewall … who has heard of that? I had prepared for doing MLPPP, but on the turn-up call the service provider wanted us to use MLFR, as that’s what they supported for that particular site.
For the non-techy gurus who are wondering what MLFR is, it’s simply a Multilink Frame Relay bundle, meaning you have more than one T1/E1 link and you bundle them over Frame Relay (yes … some of us still use Frame Relay).
More often you would have done MLPPP bundling, but the exciting part was doing MLFR between Juniper and Cisco, with a firewall on the Juniper end.
Here is a simple diagram
As you can see, the connectivity from the customer’s perspective is pretty simple. There are 2 physical links (T1 links) going to the service provider network, and we need to create a bundled logical connection (the solid red line) between us and the service provider.
Points to Note:
- Since we are creating the MLFR bundle between Cisco and Juniper, we can only use the FRF.16 specification for the MLFR bundle.
- To read about the FRF.16 specification, click here
Since we will talk in detail about the Juniper end, I will only briefly mention the Cisco end configuration.
Cisco Sample Configuration:
!
controller T1 0/0/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24 speed 64
!
controller T1 0/0/1
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24 speed 64
!
interface MFR1
 description MultiLink Bundle
 no ip address
 encapsulation frame-relay IETF
 frame-relay multilink bid
 frame-relay lmi-type ansi
 no shutdown
!
interface MFR1.100 point-to-point
 description
 ip unnumbered Fastethernet0/0
 frame-relay interface-dlci 100 IETF
!
interface Serial0/0/0
 description MultiLink Circuit 1
 no ip address
 encapsulation frame-relay MFR1
 no arp frame-relay
!
interface Serial0/1/0
 description MultiLink Circuit 2
 no ip address
 encapsulation frame-relay MFR1
 no arp frame-relay
!
Juniper Configuration:
Configuring an MLFR bundle on Juniper routers and firewalls is the same thing, except for a few extra steps on the firewall:
- Configure the T1 Links
- Bring up the virtual Interfaces
- Configure the Virtual Interface
- Assign the Virtual Interface in a Security Zone (Firewall Only)
As you can see, the first 3 steps are the same on Juniper routers and SRX firewalls.
Configure T1 links:
By far the simplest step; most of the values for this will be given by the service provider itself:
- Clocking
- Encapsulation
- Line Encoding
- Framing
These are the configurations needed. We first need to boot the SRX and check whether the T1 cards are recognized. You can do that by issuing “show interfaces terse | match t1”:
root@DEMOSRX> show interfaces terse | match t1
t1-3/0/0 up up
t1-4/0/0 up up
As you can see above, the 2 T1 cards are detected in FPC 3 and 4. Now we need to bundle them. Here is the configuration sample for one (please make sure both have identical configuration) (under edit interfaces):
t1-3/0/0 {
keepalives;
clocking external;
encapsulation multilink-frame-relay-uni-nni;
t1-options {
timeslots 1-24;
line-encoding b8zs;
framing esf;
}
}
So you can see that we have set the T1 options for the first T1 card; we will need to do the same for the second one as well.
Bring up Virtual interface
In JunOS, we need to explicitly bring up the virtual interfaces. The virtual interface is a multipurpose one; we will not go into detail here. But please remember that in version 10.x of JunOS on the SRX the virtual interfaces are called “lsq” interfaces, while in the old versions and on the routers they are “ls” interfaces.
We need to create the virtual bundles with the following (under edit):
chassis {
fpc 0 {
pic 0 {
mlfr-uni-nni-bundles 1;
}
}
}
So here we say that we need to create a single MLFR bundle. We can create up to 32 of these bundles, but I don’t think that on an SRX we would practically go that far.
Once you commit the above configuration you should have new interfaces created; just type the command “show interfaces terse | match lsq”:
root@DEMOSRX> show interfaces terse | match lsq
lsq-0/0/0 up up
lsq-0/0/0:0 up up
As you can see, the new interface “lsq-0/0/0:0” was created. So we have created the virtual interface.
Configure the Virtual interface:
Configuring the virtual interface involves 2 steps: we need to add the T1 interfaces to the virtual interface, and we need to configure the interface itself. This is how the interface t1-3/0/0 looks:
root@DEMOSRX> show configuration interfaces t1-3/0/0
keepalives;
clocking external;
encapsulation multilink-frame-relay-uni-nni;
t1-options {
timeslots 1-24;
line-encoding b8zs;
framing esf;
}
unit 0 {
family mlfr-uni-nni {
bundle lsq-0/0/0:0;
}
}
Here you see that we created a unit and then mentioned the name of the lsq interface, which associates the T1 link with that bundle. Similarly, we need to do that on t1-4/0/0 as well.
As far as the configuration of the lsq interface itself is concerned, here is how it looks:
root@DEMOSRX> show configuration interfaces lsq-0/0/0:0
description ***MLFR Bundle Logical Interface***;
encapsulation multilink-frame-relay-uni-nni;
mlfr-uni-nni-bundle-options {
cisco-interoperability {
send-lip-remove-link-for-link-reject;
}
lmi-type ansi;
}
unit 0 {
dlci 100;
}
So you can see that this is where we mention the DLCI and the LMI type.
If you are on a router, the link is now going to be up; you can verify that by looking at “show interfaces terse”, and the lsq sub-interface will show as up – up.
Associating Security Zone:
Once you try to do it on an SRX, you will need to associate the interface with a security zone: the interface needs to be bound to the zone and the policies need to be applied.
root@DEMOSRX> show configuration security zones security-zone external-zone
screen untrust-screen;
host-inbound-traffic {
system-services {
ping;
}
}
interfaces {
lsq-0/0/0:0.0;
}
So here we created a zone called external-zone and mapped the interface lsq-0/0/0:0.0 to this zone. Once this is done, and you have made a security policy for this zone and added routes, you should be up and running.
Hope you find this informative, and please let me know if you have questions; I will try my best to answer them.
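As an added example (not from the original post), here is a small Python checker that walks a Junos configuration in “set” format and verifies the four steps above: both T1 members carry identical physical settings, each member joins an lsq bundle, the chassis declares enough mlfr-uni-nni-bundles, and, for the SRX, the bundle’s logical unit is bound to a security zone. The sample configuration is constructed inline from the post’s values (t1-3/0/0, t1-4/0/0, lsq-0/0/0:0, DLCI 100, zone external-zone).

```python
# Added example (not the post's own code): checker for a Junos MLFR bundle in
# "set" format. SAMPLE is a constructed configuration mirroring the post's values.
MEMBERS = ("t1-3/0/0", "t1-4/0/0")
BUNDLE = "lsq-0/0/0:0"
SAMPLE = ["set chassis fpc 0 pic 0 mlfr-uni-nni-bundles 1",
          f"set interfaces {BUNDLE} encapsulation multilink-frame-relay-uni-nni",
          f"set interfaces {BUNDLE} mlfr-uni-nni-bundle-options lmi-type ansi",
          f"set interfaces {BUNDLE} unit 0 dlci 100",
          f"set security zones security-zone external-zone interfaces {BUNDLE}.0"]
for t1 in MEMBERS:
    SAMPLE += [f"set interfaces {t1} clocking external",
               f"set interfaces {t1} encapsulation multilink-frame-relay-uni-nni",
               f"set interfaces {t1} t1-options timeslots 1-24",
               f"set interfaces {t1} t1-options line-encoding b8zs",
               f"set interfaces {t1} t1-options framing esf",
               f"set interfaces {t1} unit 0 family mlfr-uni-nni bundle {BUNDLE}"]

def check_mlfr(lines):
    """Return the list of problems found; an empty list means all four steps are present."""
    problems = []
    members = {}   # T1 name -> set of its physical-layer statements (step 1)
    joins = {}     # T1 name -> lsq bundle it is assigned to (step 3)
    zoned = set()  # logical interfaces bound to a security zone (step 4)
    declared = 0   # mlfr-uni-nni-bundles count under chassis (step 2)
    for line in lines:
        w = line.split()
        if w[:2] == ["set", "chassis"] and "mlfr-uni-nni-bundles" in w:
            declared = int(w[-1])
        elif w[:2] == ["set", "interfaces"] and w[2].startswith("t1-"):
            if w[3:5] == ["unit", "0"] and "bundle" in w:
                joins[w[2]] = w[-1]
            else:
                members.setdefault(w[2], set()).add(" ".join(w[3:]))
        elif w[:3] == ["set", "security", "zones"] and "interfaces" in w:
            zoned.add(w[-1])
    # Step 1: every T1 member must carry identical encapsulation and t1-options.
    if len({frozenset(p) for p in members.values()}) != 1:
        problems.append("member T1 physical settings differ")
    # Step 3: each member must join a bundle; step 2: the chassis must declare enough.
    for t1 in members:
        if t1 not in joins:
            problems.append(f"{t1} has no mlfr-uni-nni bundle")
    used = set(joins.values())
    if len(used) > declared:
        problems.append(f"{len(used)} bundle(s) used but chassis declares {declared}")
    # Step 4 (SRX only): the bundle's logical unit must be bound to a security zone.
    for b in sorted(used):
        if f"{b}.0" not in zoned:
            problems.append(f"{b}.0 is not bound to a security zone")
    return problems
```

Feed it the output of “show configuration | display set” from the box; a non-empty result lists which of the four steps is still missing.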
Great stuff!
Thanks for sharing.