I currently have a routing instance running on a QFX which manages several VLANs; some VLANs have their own filters assigned. I will be adding a new network, or networks, and I wanted to find the most efficient way to:
- Allow the devices on the new VLANs to communicate with each other, without traversing the network to the central router, improving east-west speed between similar devices.
- Allow traffic to be routed from one router instance on the device to the other router instance if needed. Again I would like to avoid traversing the network to a central router if possible.
- I would prefer to keep the new network as isolated as possible, only allowing select traffic between the existing router instance and the new instance through the QFX.
My questions are:
- Which process would help keep the ACL lists to a minimum, while still providing isolation between VLANs used by different groups?
- When routing between virtual-routers would it be best to use a RIB group or a logical tunnel?
- Would an "instance import" allow for too much combining of the router instances, which would require more firewall filters to separate the traffic?
Reviewing the current configuration, most of the VLANs which are allowed on this QFX pass through without an irb interface or ACL directly connected. Then there are several VLANs configured with an irb interface. These are all using the same virtual-router instance. Some irb units have their own inet/VLAN firewall filter, while most traffic is checked using a general firewall filter ACL (sorry, not sure of the correct term for this level of ACL rules). From what I have found I will need to:
- configure the new VLANs
- configure the new irb interfaces for those VLANs
- configure a new virtual-router
- Add the new irb interfaces to be included in the new routing instance
- This provides isolation for the network on the current virtual router, as well as routing traffic between these networks through the QFX
- Configure a method to route between the two virtual routers in the rare event that something on the old networks needs to communicate on the new network: logical tunnels or a RIB-group.
- Add new firewall filters to further control access within the new virtual router
Did I miss any steps?
If it matters, here is a bit of how the current firewall and routing-instance are configured:
    firewall {
        family inet {
            filter FrontStaff1-filter {
                term Block-DatabaseStaff1 {
                    from {
                        destination-address {
                            10.x.x.x/24;
                        }
                    }
                    then {
                        discard;
                    }
                }
                term default-accept {
                    then accept;
                }
            }
        }
        filter ACLS {
            term FrontStaff1-to-InternalStaff1 {
                from {
                    source-address {
                        10.10.1.0/24;
                    }
                    destination-address {
                        10.10.2.0/24;
                    }
                }
                then accept;
            }
            term Else-Router1 {
                from {
                    source-address {
                        0.0.0.0/0;
                    }
                    destination-address {
                        0.0.0.0/0;
                    }
                }
                then {
                    routing-instance RouteDC;
                }
            }
        }
    }
    routing-instances {
        Router1 {
            instance-type virtual-router;
            interface irb.10;
            interface irb.11;
            interface irb.12;
            interface irb.13;
            interface irb.14;
            interface irb.15;
            interface irb.16;
            interface irb.17;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 172.x.x.x;
                }
            }
            forwarding-options {
                dhcp-relay {
                    server-group {
                        DHCP-Relay-Router1 {
                            172.x.x.x;
                            10.x.x.x;
                        }
                    }
                    active-server-group DHCP-Relay-Router1;
                    group DHCP-Relay-Router1 {
                        interface irb.15;
                        interface irb.16;
                        interface irb.17;
                    }
                }
            }
        }
    }
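As an added illustration of the step list above (not configuration from the original post), here is one way the new VLANs, their irb units, a second virtual-router and selective route leaking with rib-groups could look in Junos. The VLAN IDs, the instance name NewVR, the filter name, the 10.20/10.21 subnets and the leaked prefixes are assumed placeholders, and the policies assume the rib-group import-policy is evaluated for every table in the group, which is worth confirming on the running release.

```junos
/* Added illustration, not the original poster's config; names, VLAN IDs, addresses and leaked prefixes are assumed. */
vlans {
    NewStaff1 { vlan-id 20; l3-interface irb.20; }
    NewStaff2 { vlan-id 21; l3-interface irb.21; }
}
interfaces {
    irb {
        unit 20 { family inet { filter { input NewVR-filter; } address 10.20.0.1/24; } }
        unit 21 { family inet { filter { input NewVR-filter; } address 10.21.0.1/24; } }
    }
}
policy-options {
    policy-statement LEAK-TO-NEWVR {
        term leak { from { route-filter 10.10.2.0/24 exact; } to { rib NewVR.inet.0; } then accept; }
        term no-other-leak { to { rib NewVR.inet.0; } then reject; }
        term primary { then accept; }
    }
    policy-statement LEAK-TO-ROUTER1 {
        term leak { from { route-filter 10.20.0.0/24 exact; } to { rib Router1.inet.0; } then accept; }
        term no-other-leak { to { rib Router1.inet.0; } then reject; }
        term primary { then accept; }
    }
}
routing-options {
    rib-groups {
        RG-ROUTER1-TO-NEWVR { import-rib [ Router1.inet.0 NewVR.inet.0 ]; import-policy LEAK-TO-NEWVR; }
        RG-NEWVR-TO-ROUTER1 { import-rib [ NewVR.inet.0 Router1.inet.0 ]; import-policy LEAK-TO-ROUTER1; }
    }
}
routing-instances {
    Router1 {
        routing-options { interface-routes { rib-group inet RG-ROUTER1-TO-NEWVR; } }
    }
    NewVR {
        instance-type virtual-router;
        interface irb.20;
        interface irb.21;
        routing-options { interface-routes { rib-group inet RG-NEWVR-TO-ROUTER1; } }
    }
}
firewall {
    family inet {
        filter NewVR-filter {
            term allow-leaked { from { destination-address { 10.10.2.0/24; } } then accept; }
            term block-old-net { from { destination-address { 10.10.0.0/16; } } then { discard; } }
            term default-accept { then accept; }
        }
    }
}
```

Only the one matched interface route is leaked in each direction, so Router1's default route and its other irb subnets never appear in NewVR.inet.0 and the filter on the new irb units only has to police the leaked prefix. The final "primary" term in each policy is what keeps an instance's own interface routes installed on releases that apply the import-policy to the primary table as well.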