Okay, welcome back to the second demo, which is group-based policy micro-segmentation leveraging the Mist Cloud. So remember, we just built a fabric, a campus fabric IP Clos. We did that just a couple of minutes ago, and we now have full telemetry from the campus side of it. So you notice that Access 2 here now is fully green, and we've got some nice telemetry coming in. A couple of things that
I really want to show as well, and I'll include this in this particular piece of the demonstration, is EVPN Insights, Switch Insights. This is really valuable information, deep-seated telemetry that customers can use to determine the state of the network. And what we see here is we've got Access 2, and of course we can go back in time over the last, you know, 24 hours, seven days, last 60 minutes,
just to take a look at what's happening. And we see here, of course, it's very important when BGP peer state changes; that's something that we absolutely want to understand. Why did it go from, you know, established to active, or active back to established? Certainly established is what we want to see. This is the latest update from the cloud. So the cool thing is that, you know, the campus fabric, once it's built, we can leverage that to get the telemetry across these links
to pull into the Mist UI to make discernible information for the end user. So let's jump into group-based policy. First of all, what I want to do is verify that my desktops can communicate. So I'm going to go ahead and hit 10.99. Let's do a traceroute. First of all, let's do a traceroute to 10.99.99.99. First of all, let's ping it. All right, we're able to ping that. Good deal.
OK, so the traceroute probably didn't work because I don't have TTL turned on. So we've got our ping going here. I'm able to ping, obviously, back to the workstation. OK, I'm able to ping out to the Internet. Good deal there. And let's go ahead and traceroute back to the Internet again just to make sure that I am using the path that I want to use, which is 10.99.99.1. OK, good deal.
All right. So let's keep the ping going there. I'll keep this ping to the Internet. Let's just do that, okay. So what we're going to do is build a policy through the Mist UI using a template-based construct. So here, if we look at, we go to Organization, Switch Templates. What's cool about templates is that we can pre-build information whether the system is operational or not. We talked about that earlier in the campus fabric build.
But here we've got predefined, not predefined, we've got defined policies based on what we call group-based policy tags. So a GBP tag is a standard mechanism to share tagging information across an EVPN-VXLAN network. So remember, we've got Access 1 and Access 2; they're connected to this fabric. We've got Desktop 1 and Desktop 2 connected back through Access 1 and Access 2, and they're routing through this EVPN-VXLAN network.
The VXLAN header itself has a 16-bit tag, and that's where the group-based policy construct resides. So what Juniper has done, and we've done this for some time: we really fall into standards. We believe that this is the right approach for us and for our customers, to leverage standards that are already built so that we don't have to reinvent the wheel. So what we've done here is we built some current tags,
which are relatively straightforward. So for instance, guest Wi-Fi, that entire network, which is VLAN 10011033, irrespective of where it's located, will have this tag, 1031033. Our contractors that are coming in can have a different type of tag, based on maybe an IP subnet. So the way that GBP can be associated: it can be associated with a MAC address, it could be associated with an IP address, a range of IP addresses.
It could be associated with a VLAN and also a port. So you can actually create a VLAN/port combination. So what you're looking at here are tags that are defined, and they're defined through this interface, and you can see that this is actually relatively straightforward. Now what makes it even easier is you come down here to our switch policy, and we basically say, look, contractors can't talk to developers or IT staff, and so by default that's going to block them, but they'll be able to access everything else.
IT staff and developers, we certainly want them to communicate, and the reason why I have this here is because the desktops that I'm going to communicate from, or between: Desktop 1 is part of IT staff, it's part of that particular subnet, 10.99.99, and Desktop 2 is part of the developer subnet, which is 10.88.88. So what I want to do is really just have my allow-all policy, and I'm going to build a new tag
for Desktop 1, and we're going to assign it to its particular IP address. Now we can use a... This is going to be... Think of this as almost like a host IP address. Let's assign that .99, and then we'll assign Desktop 2 .88. OK, remember, they are in distinctly different subnets, although the subnets by default can communicate amongst themselves.
OK. So we're pretty much doing like an override to that particular switch policy, which we're going to create right now. So we're going to call this desktop. So what I want to do here is basically select from a group of options here. I'm going to select Desktop 1; we're going to go Desktop 1 talking to Desktop 2, and we're going to block that. Now I could have multiple devices here; I can really be pretty flexible in how I build the switch policy.
Okay, so that makes sense. If you look at it, it makes sense in human-readable format. We're in pretty good shape, and we are still pinging from Desktop 1 out to the Internet. Obviously, we wouldn't expect that to change. And we've got Desktop 2 pinging Desktop 1. So let's go ahead and push out this policy, all right. So I'm going to go back over here to our active ping,
and we should see this policy any second here. Stop. And looks like it has. Okay, cool. So I'm still able to ping the Internet from Desktop 1; that hasn't affected me. And I can't ping 10.88.88.88, and I obviously can't do that here either. So, you know, although I should be able to ping other devices and other subnets here from this workstation, I'm just not going to be able to ping
the host 10.99.99.99, right. And that's because of our policy. So this was a pretty high-level overview of group-based policy. We've imported that into this cloud. It pushes the policy down to the respective devices, the access switches that are the layer 3 boundary supporting VXLAN, layer 2/layer 3 gateway capability. Really exciting stuff. Hopefully this has been educational for you. Thank you for spending time.
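Added example (not part of the demo, and not Juniper or Mist code): a small Python model of what the demo configures in the Mist UI and what the access switches then do on the wire. It encodes and decodes the 16-bit Group Policy ID in the VXLAN-GBP header, classifies endpoints into tags by MAC, IP host, IP subnet, VLAN or VLAN+port with the most specific match winning (which is how the Desktop 1 host tag overrides the IT staff subnet tag), and evaluates the switch policy as first-match deny rules with a default allow. The tag numbers, VLAN IDs, port names, the /24 prefix lengths, the VNI and every address other than 10.99.99.99 and 10.88.88.88 are constructed for the example.

```python
"""Toy model of VXLAN-GBP tagging and switch-policy enforcement."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# VXLAN-GBP header bits (draft-smith-vxlan-group-policy, 8-byte header).
FLAG_G = 0x80   # byte 0: Group Policy ID field is valid
FLAG_I = 0x08   # byte 0: VNI field is valid (RFC 7348)
FLAG_A = 0x08   # byte 1: policy already applied upstream


def build_vxlan_gbp(vni: int, gbp_id: Optional[int], applied: bool = False) -> bytes:
    """Encode an 8-byte VXLAN header carrying a 16-bit GBP tag (or none)."""
    if not 0 <= vni <= 0xFFFFFF:
        raise ValueError("VNI is 24 bits")
    flags, tag = FLAG_I, 0
    if gbp_id is not None:
        if not 0 <= gbp_id <= 0xFFFF:
            raise ValueError("GBP tag is 16 bits")
        flags, tag = flags | FLAG_G, gbp_id
    byte1 = FLAG_A if applied else 0
    return struct.pack("!BBH", flags, byte1, tag) + (vni << 8).to_bytes(4, "big")


def parse_vxlan_gbp(hdr: bytes) -> dict:
    """Decode VNI, GBP tag (None when the G bit is clear) and the A bit."""
    if len(hdr) < 8:
        raise ValueError("short VXLAN header")
    flags, byte1, tag = struct.unpack("!BBH", hdr[:4])
    if not flags & FLAG_I:
        raise ValueError("I bit clear: no valid VNI")
    vni = int.from_bytes(hdr[4:8], "big") >> 8
    return {"vni": vni, "gbp_id": tag if flags & FLAG_G else None,
            "applied": bool(byte1 & FLAG_A)}


@dataclass(frozen=True)
class Endpoint:
    mac: str
    ip: str
    vlan: int
    port: str


# Tag names -> 16-bit values carried in the header (constructed values).
TAGS = {"GUEST_WIFI": 1031, "CONTRACTORS": 1040, "DEVELOPERS": 1050,
        "IT_STAFF": 1060, "DESKTOP1": 2001, "DESKTOP2": 2002}
TAG_NAMES = {v: k for k, v in TAGS.items()}

# Classifiers: (kind, match, tag). The most specific match wins, so the
# /32 host entries override the /24 subnet entries that contain them.
CLASSIFIERS = [
    ("vlan", 1033, "GUEST_WIFI"),
    ("ip", "10.77.77.0/24", "CONTRACTORS"),
    ("ip", "10.88.88.0/24", "DEVELOPERS"),
    ("ip", "10.99.99.0/24", "IT_STAFF"),
    ("ip", "10.99.99.99/32", "DESKTOP1"),
    ("ip", "10.88.88.88/32", "DESKTOP2"),
    ("vlan_port", (1033, "ge-0/0/7"), "CONTRACTORS"),
]

# Switch policy: first matching (src, dst) rule wins, otherwise allow.
POLICY = [
    ("CONTRACTORS", "DEVELOPERS", "deny"),
    ("CONTRACTORS", "IT_STAFF", "deny"),
    ("DESKTOP1", "DESKTOP2", "deny"),
]


def classify(ep: Endpoint) -> Optional[str]:
    """Return the tag name for an endpoint; lower rank = more specific."""
    best = None
    for kind, match, tag in CLASSIFIERS:
        if kind == "mac" and ep.mac.lower() == str(match).lower():
            rank = (0, 0)
        elif kind == "ip":
            net = ipaddress.ip_network(match)
            if ipaddress.ip_address(ep.ip) not in net:
                continue
            rank = (1, 128 - net.prefixlen)   # longest prefix wins
        elif kind == "vlan_port" and (ep.vlan, ep.port) == match:
            rank = (2, 0)
        elif kind == "vlan" and ep.vlan == match:
            rank = (3, 0)
        else:
            continue
        if best is None or rank < best[0]:
            best = (rank, tag)
    return best[1] if best else None


def policy_action(src_tag: Optional[str], dst_tag: Optional[str]) -> str:
    for src, dst, action in POLICY:
        if (src, dst) == (src_tag, dst_tag):
            return action
    return "allow"


def forward(src: Endpoint, dst: Endpoint, vni: int = 10099) -> bool:
    """One direction: the ingress VTEP tags, the egress VTEP enforces."""
    src_tag = classify(src)
    hdr = build_vxlan_gbp(vni, TAGS[src_tag] if src_tag else None)
    on_wire = parse_vxlan_gbp(hdr)             # what the egress VTEP sees
    src_tag_at_egress = TAG_NAMES.get(on_wire["gbp_id"])
    return policy_action(src_tag_at_egress, classify(dst)) == "allow"


def ping_succeeds(a: Endpoint, b: Endpoint) -> bool:
    """Echo request and echo reply each cross the fabric and are checked."""
    return forward(a, b) and forward(b, a)


DESKTOP1 = Endpoint("00:11:22:33:44:01", "10.99.99.99", 99, "ge-0/0/1")
DESKTOP2 = Endpoint("00:11:22:33:44:02", "10.88.88.88", 88, "ge-0/0/1")
IT_SERVER = Endpoint("00:11:22:33:44:03", "10.99.99.10", 99, "ge-0/0/2")
CONTRACTOR = Endpoint("00:11:22:33:44:04", "10.77.77.5", 77, "ge-0/0/3")
INTERNET = Endpoint("00:11:22:33:44:05", "203.0.113.10", 0, "xe-0/0/0")

if __name__ == "__main__":
    for a, b in [(DESKTOP1, INTERNET), (DESKTOP1, DESKTOP2), (DESKTOP2, DESKTOP1),
                 (DESKTOP1, IT_SERVER), (CONTRACTOR, IT_SERVER)]:
        print(a.ip, "->", b.ip, "ping ok" if ping_succeeds(a, b) else "blocked")
```

Two points the model makes explicit: the only rule added is Desktop 1 to Desktop 2, yet pings fail in both directions because the echo reply from Desktop 2 is tagged DESKTOP2 and Desktop 1 is the DESKTOP1 destination only on the way out, while the reply is checked against the DESKTOP1 to DESKTOP2 rule on its own trip across the fabric; and untagged traffic (the Internet host here, G bit clear) falls through to the default allow, which is why the ping to the Internet keeps running after the policy push.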