Hello and welcome to the Juniper Networks Campus Fabric Group-Based Policy Microsegmentation Overview and Demo.
Juniper, driven by Mist AI, supports various campus architectures based on EVPN-VXLAN. The Campus Fabric IP Clos architecture extends EVPN-VXLAN from the core through the distribution layer down to the access layer.
One of the main deliverables for customers implementing this solution set and this architecture is support for varying degrees of microsegmentation. Microsegmentation can happen within the VLAN itself, within the broadcast domain, and is typically supported through proprietary technologies such as private VLANs. Private VLANs have been around for some time, but they lack scale, lack interoperability, and are very difficult to extend past a single switch.
Group-based policy (GBP) is a standards-based implementation that leverages the VXLAN header, which we’ll see on the next slide. Notice both intra- and inter-switch support for microsegmentation, as well as dynamic GBP, or scalable group tagging (SGT), assigned by the access control device. This allows the access layer switches to build firewall filters not on MAC entries but on scalable group tags, which gives a much more condensed and concise policy.
Group-based policy is supported at the same level where devices authenticate into the network: the access layer. Notice the group policy ID and where it sits within the VXLAN header itself. It’s critical that, as traffic leaves the ingress switch, the group policy ID in the VXLAN header is carried across the network, lands at the far end where the egress VTEP strips the VXLAN encapsulation, and the policies are applied at that point.
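To make the header layout concrete, here is an added example (not code from the video or from Juniper) that encodes and decodes the 8-byte VXLAN header with the Group Based Policy extension as specified in the IETF draft draft-smith-vxlan-group-policy: the G flag marks the tag as present, the 16-bit Group Policy ID follows the flag bytes, and the A (policy applied) and D (don’t learn) bits let the far-end VTEP know what has already been enforced. The VNI value 101099 is a constructed stand-in for the VNI that VLAN 1099 would map to; the tag 200 is the medical laptop’s scalable group tag from the demo.

```python
import struct

# Layout of the 8-byte VXLAN header with the Group Based Policy (GBP)
# extension, per draft-smith-vxlan-group-policy:
#   byte 0: G R R R I R R R   (G = GBP extension present, I = VNI valid)
#   byte 1: R D R R A R R R   (D = Don't Learn, A = policy Applied)
#   bytes 2-3: Group Policy ID (the scalable group tag, 16 bits)
#   bytes 4-6: VNI (24 bits), byte 7: reserved
FLAG_G = 0x80
FLAG_I = 0x08
FLAG_D = 0x40
FLAG_A = 0x08
VXLAN_HDR_LEN = 8


def build_vxlan_gbp_header(vni: int, gbp_id: int, policy_applied: bool = False,
                           dont_learn: bool = False) -> bytes:
    """Encode a VXLAN header that carries a GBP tag (what the ingress VTEP emits)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    if not 0 <= gbp_id < (1 << 16):
        raise ValueError("group policy ID must fit in 16 bits")
    byte0 = FLAG_I | FLAG_G
    byte1 = (FLAG_A if policy_applied else 0) | (FLAG_D if dont_learn else 0)
    return struct.pack("!BBH", byte0, byte1, gbp_id) + vni.to_bytes(3, "big") + b"\x00"


def parse_vxlan_header(hdr: bytes) -> dict:
    """Decode the fields the egress VTEP needs before it strips the header."""
    if len(hdr) < VXLAN_HDR_LEN:
        raise ValueError("truncated VXLAN header")
    byte0, byte1, gbp_id = struct.unpack("!BBH", hdr[:4])
    if not byte0 & FLAG_I:
        raise ValueError("I flag clear: not a valid VXLAN header")
    gbp_present = bool(byte0 & FLAG_G)
    return {
        "vni": int.from_bytes(hdr[4:7], "big"),
        "gbp_present": gbp_present,
        # Without the G flag, bytes 2-3 are reserved and carry no tag.
        "gbp_id": gbp_id if gbp_present else None,
        "policy_applied": bool(byte1 & FLAG_A),
        "dont_learn": bool(byte1 & FLAG_D),
    }


# Constructed sample: VNI 101099 is an assumed mapping for VLAN 1099, and
# tag 200 is the medical laptop's scalable group tag from the demo.
SAMPLE_VNI = 101099
SAMPLE_TAG = 200
SAMPLE_HEADER = build_vxlan_gbp_header(SAMPLE_VNI, SAMPLE_TAG)

if __name__ == "__main__":
    print(SAMPLE_HEADER.hex())          # 880000c8018aeb00
    print(parse_vxlan_header(SAMPLE_HEADER))
    # A header without the G flag parses with no tag at all.
    plain = bytes([FLAG_I, 0, 0, 0]) + SAMPLE_VNI.to_bytes(3, "big") + b"\x00"
    print(parse_vxlan_header(plain))
```

The parser deliberately returns no tag when the G flag is clear: a VTEP that read bytes 2-3 regardless would treat reserved bits from a non-GBP peer as a group tag and apply the wrong policy, which is why interoperability depends on every VTEP in the path honouring the flag.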
This particular demo focuses on GBP microsegmentation within the same switch. Although GBP is supported across an EVPN-VXLAN fabric, Juniper also supports GBP microsegmentation between ports on a single switch, and that is what we show here. In this case, a medical department laptop and a mobile X-ray device are both plugged into the same EX4400 access switch. They both authenticate against the FreeRADIUS server, where they receive their VLAN assignment and disparate scalable group tags, and the EX4400 firewall filters are applied to drop traffic between these two scalable group tags within the same switch.
Let’s move on to the demo. We’re here at desktop one, IP address 10.99.99.99. We have desktop two, IP address 10.99.99.42. Both are in the same broadcast domain, VLAN 1099, and we have our EX4400 switch. The first order of business is to validate that both devices can communicate outside their respective VLAN. Let’s reach 1.1. We’re routing this through the campus fabric accordingly.
The second item we want to validate is that both devices have dynamically authenticated against the RADIUS server and that those credentials have been passed on to the EX4400. Notice a couple of differences. First, remember the picture we had before. Port 11 is our laptop, our medical laptop. It has a supplicant, but it’s a MAC-based supplicant, so there may be nothing on that laptop other than its MAC address that it’s authenticating with. This could be an older device that does not support an 802.1X supplicant. You’ll see MAC RADIUS here as our authentication method. We’re placed in VLAN 1099, and we have received a dynamic group tag of 200. This is our scalable group tag.
Down below is our X-ray device. It does have an 802.1X supplicant and a username. Notice there’s also a MAC address associated with it. The authentication method is RADIUS, it is in the same VLAN, and it has received a different group-based tag, a different scalable group tag.
So this demonstration is very similar to a private VLAN, where you have multiple devices in the same VLAN, in this case on the same switch, but these devices have to be isolated entirely. Private VLANs are a proprietary implementation with every vendor, and it’s almost impossible to support them across multiple switches, and certainly across a dynamic fabric or a large network.
So let’s try to ping desktop two from desktop one. This should fail, and it does. Going to the EX4400, we look at our firewall filter, and we see that the filter is being hit for each connection. We also want to spend a little time looking at the firewall filter itself. You’ll notice that the vast majority of the filtering is done on the group-based tag, so I don’t have to manage a large, extensive MAC address ACL. You’ll notice I do have a MAC address filter down below, and that might be for one-off environments where you need to implement that particular filter, but for the vast majority of what we’re testing and showing today, the focus is on the group tags: from source group tag to destination group tag, whether we discard or accept. We also always add counters so that we can see the filters up top being hit.
Hopefully this demonstration’s been valuable. Next demonstration will focus on extending this capability across an EVPN-VXLAN fabric.
This particular demo extends GBP microsegmentation across an EVPN-VXLAN fabric. We add an additional device to this demonstration, mobile X-ray number two, off EX4400-2. You’ll notice that all devices are placed in the same VLAN upon authentication. They all receive disparate scalable group tags, and yet the policy implemented on both the EX4400-1 and EX4400-2 switches allows SGT 100 to talk to SGT 300 but disallows any communication between the medical department and both X-ray one and X-ray two. Let’s move to the demo.
Let’s jump into demo two. You’ll notice we have desktop one and desktop two, our partners in crime from the first demo. We have also added desktop four, which is attached to switch number two. So remember the diagram we just showed: this device is attached to port number 12, a multi-gig port on access switch number two. This device is also in the same VLAN as the other devices, VLAN 1099. Its IP address is 10.99.99.23. What we want to show here is that it can reach out to the internet, so let’s do the same thing we did before.
Let’s go look at the real-time authentication state on both switches. We see we’ve got both devices authenticated as we had before on access switch number one. We also have the same type of authentication on access switch number two. Notice that this X-ray machine is falling back to MAC RADIUS, so there’s no 802.1X supplicant on this particular device. It is in the same VLAN, and it is now in GBP tag 300. So we have three distinct GBP tags, or scalable group tags: 100, 200, and 300.
Tag 200 is completely isolated from 100 and 300, and 100 and 300 can talk amongst themselves, so the connectivity between these devices should follow that policy. I should not be able to ping desktop two or desktop four from desktop one. From desktop two, I should be able to ping desktop number four, which I can. I should not be able to ping desktop number one, which I can’t. And then across the fabric, from desktop four, I should be able to ping desktop number two, which I can. And once again, I should not be able to reach desktop number one, which is discarded.
And as with anything, we look at our firewall filters here and see the particular terms incrementing depending on what type of flow is coursing through the system. You’ll also notice that both switches have very similar, if not identical, firewall filters. In this case, it makes sense to keep them the same. In some cases, maybe not, but you’ll notice that, once again, we focus on the group-based policy source and destination tags on both.
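The reachability matrix and the per-term counters above can be replayed with an added Python model (not the switch configuration from the video, and not Juniper code): an ordered list of filter terms matching on source and destination group tag, first match wins, every hit counted, with the same three tags the demo assigns (desktop one 200, desktop two 100, desktop four 300). The term names, the trailing accept-all term for traffic that leaves the VLAN, and the implicit discard for anything that matches no term are assumptions in the style of a Junos firewall filter; the six ping tests are the ones narrated in demo two, and a ping only succeeds if the reply is permitted as well as the request.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed endpoint table from the demo: (IP, scalable group tag, switch).
# The tags are what each device received from RADIUS on authentication.
ENDPOINTS = {
    "desktop1": ("10.99.99.99", 200, "EX4400-1"),  # medical department laptop
    "desktop2": ("10.99.99.42", 100, "EX4400-1"),  # mobile X-ray one
    "desktop4": ("10.99.99.23", 300, "EX4400-2"),  # mobile X-ray two
}


@dataclass
class Term:
    name: str
    src_tag: Optional[int]   # None matches any source tag
    dst_tag: Optional[int]   # None matches any destination tag
    action: str              # "accept" or "discard"


@dataclass
class GbpFilter:
    """Ordered terms, first match wins; every hit increments the term's counter."""
    terms: list
    counters: Counter = field(default_factory=Counter)

    def evaluate(self, src_tag: int, dst_tag: int) -> str:
        for t in self.terms:
            if t.src_tag in (None, src_tag) and t.dst_tag in (None, dst_tag):
                self.counters[t.name] += 1
                return t.action
        # Assumed behaviour: like a Junos filter, fall through to an implicit discard.
        self.counters["implicit-discard"] += 1
        return "discard"


def build_demo_filter() -> GbpFilter:
    # Term names are constructed; the pairs implement the policy the demo describes:
    # tag 200 is isolated from 100 and 300, while 100 and 300 may talk to each other.
    return GbpFilter(terms=[
        Term("MED-TO-XRAY1", 200, 100, "discard"),
        Term("MED-TO-XRAY2", 200, 300, "discard"),
        Term("XRAY1-TO-MED", 100, 200, "discard"),
        Term("XRAY2-TO-MED", 300, 200, "discard"),
        Term("XRAY1-TO-XRAY2", 100, 300, "accept"),
        Term("XRAY2-TO-XRAY1", 300, 100, "accept"),
        Term("ALLOW-REST", None, None, "accept"),  # assumed: e.g. traffic leaving the VLAN
    ])


def ping(flt: GbpFilter, src: str, dst: str) -> bool:
    """A ping succeeds only if the request and the reply both pass the filter."""
    _, src_tag, _ = ENDPOINTS[src]
    _, dst_tag, _ = ENDPOINTS[dst]
    if flt.evaluate(src_tag, dst_tag) != "accept":
        return False            # request discarded, so no reply is ever generated
    return flt.evaluate(dst_tag, src_tag) == "accept"


def reachability_matrix(flt: GbpFilter) -> dict:
    """Replay the six ping tests narrated in demo two."""
    tests = [("desktop1", "desktop2"), ("desktop1", "desktop4"),
             ("desktop2", "desktop4"), ("desktop2", "desktop1"),
             ("desktop4", "desktop2"), ("desktop4", "desktop1")]
    return {f"{a}->{b}": ping(flt, a, b) for a, b in tests}


if __name__ == "__main__":
    f = build_demo_filter()
    for pair, ok in reachability_matrix(f).items():
        print(f"{pair}: {'reply' if ok else 'discarded'}")
    # The equivalent of checking the filter counters on the switch: which terms
    # were hit, and how often.
    for name, hits in sorted(f.counters.items()):
        print(f"{name:16} {hits}")
```

Because the model keys only on tags, the same filter body works unchanged on both switches, which is the point the narration makes about keeping the EX4400-1 and EX4400-2 filters identical; a MAC-based exception would need a term with a different match key and would have to be maintained per switch.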
So hopefully this demonstration was valuable. Its focus was to validate and verify microsegmentation using group-based policies across a campus fabric running EVPN-VXLAN.