Friday, 12 October 2012

Junos Flow Based Processing

Understanding the Junos Flow Module is essential piece of knowledge to get under your belt. It's not overly complex but thoroughly understanding how the module works and more importantly, the order of operation will give you good foundational knowledge to tackle exam questions and troubleshoot scenarios.

Current Junos Flow Module
Below is diagram of the Junos Flow Module. It depicts the series of events that take place in the flowd module. Burn this into memory now!
Specifically the items worth focusing on are the NAT components. If you review all of them you notice that Static and Destination NAT take place BEFORE routing and policy evaluation and Source NAT takes place AFTER routing and policy evaluation. The NAT placement was not always in this arrangement, in fact in Junos 9.2 and previous all NAT was processed after routing and policy evaluation. Let's go back in time to take a closer look at how the flow module was in pre 9.2 Junos. This will help solidify why things are the way they are in the current flow module.

Pre-Junos 9.1
Below is a diagram of the Junos Flow Module in Junos 9.1 and earlier.
You will notice in this diagram all NAT was processed after routing and policy evaluation. This was the original Junos Flow module. The configuration was also different in that NAT and Security Policies were configured together. Why was this not ideal?

  • NAT and Security policies are configured together (a policy must match traffic and NAT actions specificed within the policy)
  • Routing/Policy evaluation is done before Destination NAT.



Example#1 [Destination NAT where the destination IP address within the incoming packet is not an IP address the SRX has a route to] In this example let's assume the public network is in a zone called "untrusted" and the private network is a zone called "trusted". Our ISP has given us 100.100.100.1 to use for our FTP server and has routed this address to our SRX. We have leveraged this address to configure destination NAT for users on the internet to access the FTP server. In this case the SRX will not have a route directing 100.100.100.1 to the internal zone.  This means zone lookup/polcy match will fail and ultimately drop the packet. Placing a route on the SRX for the 100.100.100.1/32 address can be done as a workaround but this is inefficient and goofy.

Example#2 [NAT Configuration that requires multiple security policies (due to the fact that NAT and Security Poilcy are configured together)] In the example below the alternate private network of 192.168.2.0/24 has the exact same security requirements as the 200.200.200.0/30 network and they reside in the same zone. Let's also say that no destination NAT is needed between 192.168.1.0/24 and 192.168.2.0/24 networks. We can simply just route between these networks. It would be ideal in this case to create a single rule in the security policy. This cannot be done as NAT parameters are configured within the security policy. To accomplish this tasks multiple policies would need to be configured. 


Next-Generation NAT (used in Junos 9.2 or later)
In Junos 9.2 the flow module was changed so that Destination NAT happens prior to route and policy lookup and the NAT and Security Policy configuration was decoupled. At the time this was called "Next Generation NAT" It was a good move as it makes configuration cleaner (in my opinion) and eliminated the issues explained above. 

Wrap Up & Comments
Junos version older than 9.2 are very OLD. A lot of what was discussed in the post (issues examples, etc.) will not be a concern in any modern day deployment (or lab test for that matter). However you may run into specific configuration/topologies where understanding the order of events in the flow module will help troubleshoot and issues or allow you to drive out the correct NAT configuration in a complex topology. 

Just a note to anyone who is reading the Junos 11.1 Documentation. If you browse to the section called "SRX Series Services Gateway Processing Overview" you will find the flow diagram depicted is actually the old flow diagram. This is incorrect as Junos 11.1 uses "Next Generation NAT" 

No comments:

Post a Comment