You are correct. I have guides on the topic, and would you believe I even have a python script for generating SRX-side peering and policy configuration by pulling data out of Apstra?
The current 11-part series does not include a section on DC firewalls. This is purposeful as I anticipate this topic to be its own multi-part series. The design considerations for both Apstra and the firewall service block range from simple to complex, each with their own considerations:
- Layer-2 fabric with layer-3 firewalls
  - Pros: straightforward routing (L3 gateways on firewalls or split between firewalls and external routers, depending on the requirements)
  - Cons: all east-west routed traffic must hairpin out of the fabric and back in
- Layer-3 fabric with layer-3 firewalls (firewalls do not support VXLAN inspection or type-5 EVPN routes)
  - Pros: east-west routed traffic that doesn't require policy inspection can forward using the shortest path
  - Cons: complex fabric service chaining to ensure routing through the firewall service block. Very complex firewall configuration to maintain VRF isolation and support routing from/to the fabric
- Layer-3 fabric with firewalls that support VXLAN inspection and type-5 EVPN routes
  - Pros: east-west routed traffic that doesn't require policy inspection can forward using the shortest path. VRF isolation and inline VXLAN inspection with no VXLAN gateway requirement. Straightforward fabric configuration
  - Cons: complex firewall configuration, but still much easier than the L3 firewall design above
In all cases, if you have multiple DCs with overlapping subnets, asynchronous flows are a consideration, as firewalls in each DC must maintain flow state.
You mentioned a project? Are you working with a Juniper account team? If so, you can engage me (or our great DC specialist team) through them and we can discuss the different design considerations.
I'll have to dig a bit to see what material I might be able to share.
------------------------------
Colin Doyle
Lead BizDev Manager - Security Strategy
Juniper Networks
https://www.youtube.com/@5minutejunos
------------------------------
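The post above mentions a script that builds SRX-side peering and policy configuration from Apstra data but does not include it. The following is an added example, not the post author's script and not Apstra or Juniper code: it takes a constructed routing-zone (VRF) data set standing in for what would be pulled from an Apstra blueprint, sanity-checks it, and emits Junos `set` commands for one sub-interface, routing instance and security zone per VRF, eBGP peering to the fabric, and an explicit inter-zone policy on top of a deny-all default. The input field names, the `ge-0/0/0` interface, the ASNs and the addresses are all assumptions.

```python
"""Generate SRX-side BGP peering and security policy from fabric VRF data.

Added example: not the script mentioned in the post, and not an Apstra or
Juniper artifact. FABRIC_DATA is a constructed stand-in for the routing-zone
and peering data that would be pulled from an Apstra blueprint; its field
names are assumptions, not Apstra's API schema.
"""
import ipaddress

FABRIC_DATA = {
    "fabric_asn": 65000,
    "firewall_asn": 65100,
    "routing_zones": [
        {"name": "prod", "vlan": 101, "local_ip": "10.255.1.2/30",
         "peer_ip": "10.255.1.1", "subnets": ["10.10.0.0/16"]},
        {"name": "dev", "vlan": 102, "local_ip": "10.255.2.2/30",
         "peer_ip": "10.255.2.1", "subnets": ["10.20.0.0/16"]},
    ],
    # Inter-VRF flows that policy must permit; everything else stays denied.
    "allowed_flows": [
        {"from": "dev", "to": "prod", "application": "junos-https"},
    ],
}


def address_name(zone, subnet):
    """Address-book object name derived from zone and prefix."""
    return f"{zone}-{subnet.replace('/', '_')}"


def validate(data):
    """Sanity checks before emitting config: subnets of different VRFs in this
    DC must not overlap (policy matching would be ambiguous), and every flow
    must reference known zones."""
    seen = []
    for rz in data["routing_zones"]:
        for s in rz["subnets"]:
            net = ipaddress.ip_network(s)
            for other_zone, other_net in seen:
                if other_zone != rz["name"] and net.overlaps(other_net):
                    raise ValueError(
                        f"{s} ({rz['name']}) overlaps {other_net} ({other_zone})")
            seen.append((rz["name"], net))
    zones = {rz["name"] for rz in data["routing_zones"]}
    for flow in data["allowed_flows"]:
        if flow["from"] not in zones or flow["to"] not in zones:
            raise ValueError(f"flow references unknown zone: {flow}")


def build_config(data, ifd="ge-0/0/0"):
    """Return Junos 'set' commands: one sub-interface, routing instance and
    security zone per VRF, eBGP to the fabric, explicit inter-zone policy."""
    validate(data)
    cmds = [f"set interfaces {ifd} vlan-tagging"]
    for rz in data["routing_zones"]:
        name, vlan = rz["name"], rz["vlan"]
        unit = f"{ifd}.{vlan}"
        bgp = f"set routing-instances {name} protocols bgp group fabric"
        cmds += [
            f"set interfaces {ifd} unit {vlan} vlan-id {vlan}",
            f"set interfaces {ifd} unit {vlan} family inet address {rz['local_ip']}",
            # A virtual-router per VRF preserves the fabric's tenant isolation on the SRX
            f"set routing-instances {name} instance-type virtual-router",
            f"set routing-instances {name} interface {unit}",
            f"{bgp} type external",
            f"{bgp} local-as {data['firewall_asn']}",
            f"{bgp} neighbor {rz['peer_ip']} peer-as {data['fabric_asn']}",
            f"set security zones security-zone {name} interfaces {unit}",
            # Only BGP may terminate on the firewall itself in this zone
            f"set security zones security-zone {name} interfaces {unit} host-inbound-traffic protocols bgp",
        ]
        for s in rz["subnets"]:
            cmds.append(f"set security address-book global address {address_name(name, s)} {s}")
    by_zone = {rz["name"]: rz for rz in data["routing_zones"]}
    for flow in data["allowed_flows"]:
        src, dst = flow["from"], flow["to"]
        pol = f"set security policies from-zone {src} to-zone {dst} policy {src}-to-{dst}"
        for s in by_zone[src]["subnets"]:
            cmds.append(f"{pol} match source-address {address_name(src, s)}")
        for s in by_zone[dst]["subnets"]:
            cmds.append(f"{pol} match destination-address {address_name(dst, s)}")
        cmds += [f"{pol} match application {flow['application']}",
                 f"{pol} then permit",
                 f"{pol} then log session-init",
                 f"{pol} then log session-close"]
    # Anything not explicitly permitted above is dropped
    cmds.append("set security policies default-policy deny-all")
    return cmds


if __name__ == "__main__":
    print("\n".join(build_config(FABRIC_DATA)))
```

The per-VRF `virtual-router` plus a matching security zone is what keeps the fabric's tenant separation intact across the firewall, which is the part the post calls out as the complex piece of the L3 design; generating it from the source of truth rather than hand-typing it is where such a script saves effort. The overlap check only covers one DC's data set; overlapping subnets across DCs are the separate flow-state concern the post raises.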
Original Message:
Sent: 02-01-2024 15:38
From: jua
Subject: Apstra 4.2.1 in eve-ng step-by-step series: Video 2. Prepping Your Lab
Not sure but did you mention that you don't have a video for directing traffic to firewalls from the fabric? If not, do you have any tips/links/documentation you could share? I'm not quite sure if we actually need this but having some material regarding this would probably help us understand whether or not it's something we'd need in our upcoming project
------------------------------
JUKKA AALTONEN
Original Message:
Sent: 01-29-2024 12:09
From: cdoyle
Subject: Apstra 4.2.1 in eve-ng step-by-step series: Video 2. Prepping Your Lab
#5minutejunos
Video: 2. Prepping Your Lab - Apstra 4.2.1 in eve-ng
Video hashtag: #4.2.1_eve_video-2
I did it… 11 videos recorded - the entire series - in less than a week!
I will be uploading and publishing content as I finish the post-production work, so rather than the weeks it took between videos during the first series, I'm hoping to post one or two videos a day.
In this video, I discuss the prerequisites for our lab including recommendations on code, topology considerations, issues, caveats, and other bits and bobs that hopefully make your experience a bit easier.
This video ends with our lab topology in place, the Apstra 4.2.1 server online and configured, and our vJunos nodes prepped for Apstra onboarding.
My eve-ng lab topology is attached. If you want the experience of dragging links between nodes or typing out a bunch of IPs and MACs for an hour, that's certainly fine. Alternately, you can import my topology and edit the nodes to add the correct image and save yourself some time.
Here are some useful links:
(note that downloads may require a Juniper.net account)
Apstra Download
Virtual Platforms Public Landing Page - vJunos and vEvo downloads are here
vEvo release notes
vJunos release notes
Instructions for loading virtual images into eve-ng (don't skim this - details matter!)
------------------------------
Consulting Engineer - Juniper Networks
YouTube - 5MinuteJunos
------------------------------