Tunnel Inspection for SRX Series Devices for EVPN-VXLAN
SUMMARY Read this topic to understand how to configure your security device to perform tunnel inspection for EVPN-VXLAN and provide integrated security.
Overview
EVPN-VXLAN (Ethernet VPN with Virtual Extensible LAN) gives enterprises a common framework for managing their campus and data center networks.
The rapid growth in mobile and IoT devices adds a large number of endpoints to a network. Modern enterprise networks must scale quickly to provide immediate access for these devices and to extend security and control to those endpoints.
To provide endpoint flexibility, EVPN-VXLAN decouples the underlay network (physical topology) from the overlay network (virtual topology). Using overlays, you gain the flexibility to provide Layer 2/Layer 3 connectivity between endpoints across campuses and data centers while maintaining a consistent underlay architecture.
You can use SRX Series firewalls in your EVPN-VXLAN solution to connect endpoints in your campus, data center, branch offices, and public clouds while providing built-in security.
Starting in Junos OS Release 21.1R1, the SRX Series firewall can also apply the following Layer 4/Layer 7 security services to EVPN-VXLAN tunnel traffic:
- Application identification
- IDP
- Juniper ATP (formerly known as ATP Cloud)
- Content Security
Figure 1 shows a typical deployment scenario for an edge-routed bridging (ERB) based EVPN-VXLAN fabric with SRX Series firewalls operating in an enhanced border leaf (EBL) role. The EBL extends the traditional border leaf role with the ability to inspect traffic inside VXLAN tunnels.
In the figure, VXLAN traffic originating at leaf device 1 traverses the SRX Series firewalls acting as EBLs. In this use case, the SRX Series firewall is placed at the border, that is, at the entry and exit point of the campus or data center, to provide stateful inspection of the VXLAN-encapsulated packets passing through it.
In the architecture diagram, note that an SRX Series firewall sits between two VTEP devices (devices that perform VXLAN encapsulation and decapsulation for network traffic). The SRX Series firewall performs stateful inspection when you enable the tunnel inspection feature with an appropriate security policy.
Benefits
Including an SRX Series firewall in EVPN-VXLAN provides:
- Greater security, with the capabilities of an enterprise-grade firewall in the EVPN-VXLAN overlay.
- Enhanced tunnel inspection for VXLAN-encapsulated traffic with Layer 4/Layer 7 security services.
Example: Configure Security Policies for EVPN-VXLAN Tunnel Inspection
Use this example to configure the security policies that enable inspection of EVPN-VXLAN tunnel traffic on your SRX Series firewalls.
- Requirements
- Before You Begin
- Overview
- Configuration
- CLI Quick Configuration
- Step-by-Step Procedure
- Results
- Verification
Requirements
This example uses the following hardware and software components:
- An SRX Series firewall or vSRX virtual firewall
- Junos OS Release 20.4R1
This example assumes that you already have an EVPN-VXLAN based network and want to enable tunnel inspection on the SRX Series firewall.
Before You Begin
- Make sure you have a valid application identification feature license on your SRX Series firewall and an application signature package installed on the device.
- Make sure you understand how EVPN and VXLAN work. See EVPN-VXLAN Campus Architectures for a detailed understanding of EVPN-VXLAN.
This example assumes that you already have an EVPN-VXLAN based network fabric and want to enable tunnel inspection on the SRX Series firewall. You can see the sample configuration of the leaf and spine devices used in this example in Complete Device Configurations.
Overview
In this example, we focus on the configuration of the SRX Series firewall, which is part of a working EVPN-VXLAN network consisting of two DC sites, each with an IP fabric. The SRX Series firewall is placed in a data center interconnect (DCI) role between the two DCs. In this setup, the SRX Series firewall performs stateful inspection of the VXLAN-encapsulated traffic flowing between the DCs when you enable tunnel inspection.
We are using the topology shown in Figure 2 in this example.
As shown in the topology, the SRX Series firewall inspects VXLAN-encapsulated transit traffic from the VXLAN tunnel endpoints (VTEPs) on the leaves in data centers DC-1 and DC-2. Any Juniper Networks device, physical or virtual, that functions as a Layer 2 or Layer 3 VXLAN gateway can act as a VTEP device to perform encapsulation and decapsulation.
On receiving a Layer 2 or Layer 3 data packet from Server 1, the leaf 1 VTEP adds the appropriate VXLAN header and then encapsulates the packet with an outer IPv4 header so that it can be tunneled across the IPv4 underlay network. The remote VTEP on leaf 2 then decapsulates the traffic and forwards the original packet toward the destination host. Starting with Junos OS Release 20.4, SRX Series firewalls can perform tunnel inspection for VXLAN-encapsulated overlay traffic passing through them.
In this example, you create a security policy to enable inspection of traffic encapsulated in a VXLAN tunnel. We are using the parameters described in Table 1 in this example.
Parameter | Description | Parameter name
---|---|---
Security policy | Policy that creates a flow session triggered by the VXLAN overlay traffic. This policy references the outer source and destination IP addresses, that is, the IP addresses of the source and destination VTEPs. In this example, these are the loopback addresses of the leaves. | P1
Policy set | Policy for inspection of the inner traffic. This policy operates on the content of the matching VXLAN tunnel traffic. | PSET-1
Tunnel inspection profile | Specifies parameters for security inspection of VXLAN tunnels. | TP-1
Name of a VXLAN network identifier (VNI) list or range | Used to uniquely identify a list or range of VXLAN tunnel IDs. | VLAN-100
Name of the VXLAN tunnel identifier | Used to symbolically name a VXLAN tunnel within a tunnel inspection profile. | VNI-1100
When you configure tunnel inspection security policies on the SRX Series firewall, it decapsulates a packet that matches a security policy to reach the inner header. It then applies the tunnel inspection profile to determine whether the inner traffic is permitted. The security device uses the inner packet content and the parameters of the applied tunnel inspection profile to perform a policy lookup and then carries out stateful inspection for the inner session.
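To make the two-stage lookup concrete, here is an added Python model (written for this page; it is not Junos code and not from the original document) that parses a VXLAN-encapsulated IPv4 packet, matches the outer header against the P1 and accept-rest policies, decapsulates, checks the VNI against profile TP-1, and matches the inner header against policy set PSET-1. The sample packets, the leaf loopback addresses 10.255.1.1 and 10.255.2.1, the application definitions, and the deny verdict for a VNI outside the profile are constructed assumptions, not page content.

```python
"""Model of SRX VXLAN tunnel inspection (added example, not Junos code).
Stage 1: match the outer IPv4/UDP/VXLAN packet against the trust-to-untrust
policies on the VTEP addresses.  Stage 2: for a tunnel-inspection permit,
decapsulate, check the VNI against the profile, match the inner IPv4 header."""
import ipaddress
import struct

VXLAN_PORT = 4789

# Address book from the example configuration ("any" is the implicit wildcard).
ADDRESS_BOOK = {
    "vtep-trust": ipaddress.ip_network("10.255.1.0/24"),
    "vtep-untrust": ipaddress.ip_network("10.255.2.0/24"),
    "vlan100": ipaddress.ip_network("192.168.100.0/24"),
    "any": ipaddress.ip_network("0.0.0.0/0"),
}
# Predefined applications used on the page, modelled as (protocol, dst-port) tests (assumption).
APPLICATIONS = {
    "junos-vxlan": lambda proto, port: proto == 17 and port == VXLAN_PORT,
    "junos-icmp-all": lambda proto, port: proto == 1,
    "any": lambda proto, port: True,
}
# Policies as (name, source-address, destination-address, application, action).
OUTER_POLICIES = [  # from-zone trust to-zone untrust, first match wins
    ("P1", "vtep-trust", "vtep-untrust", "junos-vxlan", "tunnel-inspection TP-1"),
    ("accept-rest", "any", "any", "any", "permit"),
]
TUNNEL_PROFILES = {"TP-1": {"vni_ids": {1100}, "policy_set": "PSET-1"}}
POLICY_SETS = {"PSET-1": [("PSET-1-P1", "vlan100", "vlan100", "junos-icmp-all", "permit")]}

def parse_ipv4(data):
    """Return (src, dst, protocol, payload) of an IPv4 packet."""
    ihl = (data[0] & 0x0F) * 4
    return ipaddress.ip_address(data[12:16]), ipaddress.ip_address(data[16:20]), data[9], data[ihl:]

def dst_port(proto, l4):
    """Destination port for TCP/UDP; ICMP and other protocols have none."""
    return struct.unpack("!H", l4[2:4])[0] if proto in (6, 17) else None

def lookup(policies, src, dst, proto, port):
    """First-match policy lookup; returns (policy name, action) or None."""
    for name, s, d, app, action in policies:
        if src in ADDRESS_BOOK[s] and dst in ADDRESS_BOOK[d] and APPLICATIONS[app](proto, port):
            return name, action
    return None

def inspect(packet):
    """Run both lookup stages on a raw outer IPv4 packet; returns (verdict, reason)."""
    o_src, o_dst, o_proto, l4 = parse_ipv4(packet)
    hit = lookup(OUTER_POLICIES, o_src, o_dst, o_proto, dst_port(o_proto, l4))
    if hit is None:
        return "deny", "no outer policy matched"      # inter-zone default deny
    name, action = hit
    if not action.startswith("tunnel-inspection"):
        return action, name                            # forwarded without decapsulation
    profile = TUNNEL_PROFILES[action.split()[1]]
    vxlan = l4[8:]                                     # skip the 8-byte UDP header
    if not vxlan[0] & 0x08:
        return "deny", "VXLAN I flag clear, VNI not valid"
    vni = int.from_bytes(vxlan[4:7], "big")
    if vni not in profile["vni_ids"]:
        # The page does not state SRX behaviour for a VNI outside the profile; modelled as deny (assumption).
        return "deny", f"VNI {vni} not in profile"
    inner_eth = vxlan[8:]
    if struct.unpack("!H", inner_eth[12:14])[0] != 0x0800:
        return "deny", "inner frame is not IPv4"      # model handles IPv4 payloads only
    i_src, i_dst, i_proto, i_l4 = parse_ipv4(inner_eth[14:])
    inner = lookup(POLICY_SETS[profile["policy_set"]], i_src, i_dst, i_proto, dst_port(i_proto, i_l4))
    if inner is None:
        return "deny", f"VNI {vni}: no policy in {profile['policy_set']} matched"
    return inner[1], f"VNI {vni}: {inner[0]}"

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header for constructed test packets (checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + payload

def vxlan_encap(o_src, o_dst, vni, inner_ip):
    """What the leaf VTEP does: inner Ethernet -> VXLAN -> UDP/4789 -> outer IPv4."""
    eth = bytes(12) + b"\x08\x00" + inner_ip                        # zero MACs (constructed)
    vx = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"  # I flag set, VNI, reserved
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, 8 + len(vx) + len(eth), 0) + vx + eth
    return ipv4(o_src, o_dst, 17, udp)

TCP_SYN_22 = struct.pack("!HHIIBBHHH", 47883, 22, 1, 0, 0x50, 0x02, 65535, 0, 0)
# Constructed traffic between Server 1 in DC1 and Server 1 in DC2 via assumed leaf loopbacks.
ICMP_ECHO = vxlan_encap("10.255.1.1", "10.255.2.1", 1100,
                        ipv4("192.168.100.101", "192.168.100.102", 1, bytes([8, 0, 0, 0, 0, 1, 0, 1])))
SSH_SYN = vxlan_encap("10.255.1.1", "10.255.2.1", 1100,
                      ipv4("192.168.100.101", "192.168.100.102", 6, TCP_SYN_22))
# Underlay ping between the leaf loopbacks: not junos-vxlan, so accept-rest permits it uninspected.
UNDERLAY_PING = ipv4("10.255.1.1", "10.255.2.1", 1, bytes([8, 0, 0, 0, 0, 2, 0, 1]))

if __name__ == "__main__":
    for label, pkt in (("icmp in VNI 1100", ICMP_ECHO), ("ssh in VNI 1100", SSH_SYN), ("underlay ping", UNDERLAY_PING)):
        print(f"{label}: {inspect(pkt)}")
```

Running the block prints a permit for the tunneled ping, a deny for the tunneled SSH SYN (no PSET-1 policy matches TCP/22), and an uninspected permit for the underlay ping, mirroring the verification steps later in this example.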
Configuration
In this example, you configure the following functionality on the SRX Series firewall:
- Define a trust and an untrust zone that permit all host-inbound traffic. This supports the BGP sessions to the spine devices and allows SSH and so on from both zones (DCs).
- Inspect traffic flowing from DC1 to DC2 on VNI 1100 (Layer 2 stretched for VLAN 100) for all hosts in subnet 192.168.100.0/24. Your policy must permit pings but deny all other traffic.
- Permit all return traffic from DC2 to DC1 without tunnel inspection.
- Permit all other underlay and overlay traffic from DC1 to DC2 without VXLAN tunnel inspection.
Use the following steps to enable tunnel inspection on your security device in a VXLAN-EVPN environment:
Complete working configurations for all devices used in this example are provided in Complete Device Configurations to help you test this example.
This example focuses on the configuration steps needed to enable and validate the VXLAN tunnel inspection feature. The SRX Series firewall is assumed to already be configured with interface addressing, BGP peering, and policies to support its DCI role.
CLI Quick Configuration
To quickly configure this example on your SRX Series firewall, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Configuration on the SRX Series Device
```
set system host-name r4-dci-ebr
set security address-book global address vtep-untrust 10.255.2.0/24
set security address-book global address vtep-trust 10.255.1.0/24
set security address-book global address vlan100 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy P1 match source-address vtep-trust
set security policies from-zone trust to-zone untrust policy P1 match destination-address vtep-untrust
set security policies from-zone trust to-zone untrust policy P1 match application junos-vxlan
set security policies from-zone trust to-zone untrust policy P1 then permit tunnel-inspection TP-1
set security policies from-zone untrust to-zone trust policy accept-all-dc2 match source-address any
set security policies from-zone untrust to-zone trust policy accept-all-dc2 match destination-address any
set security policies from-zone untrust to-zone trust policy accept-all-dc2 match application any
set security policies from-zone untrust to-zone trust policy accept-all-dc2 then permit
set security policies policy-set PSET-1 policy PSET-1-P1 match source-address vlan100
set security policies policy-set PSET-1 policy PSET-1-P1 match destination-address vlan100
set security policies policy-set PSET-1 policy PSET-1-P1 match application junos-icmp-all
set security policies policy-set PSET-1 policy PSET-1-P1 then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/1.0
set security tunnel-inspection inspection-profile TP-1 vxlan VNI-1100 policy-set PSET-1
set security tunnel-inspection inspection-profile TP-1 vxlan VNI-1100 vni VLAN-100
set security tunnel-inspection vni VLAN-100 vni-id 1100
set interfaces ge-0/0/0 description "Link to DC1 Spine 1"
set interfaces ge-0/0/0 mtu 9000
set interfaces ge-0/0/0 unit 0 family inet address 172.16.1.2/30
set interfaces ge-0/0/1 description "Link to DC2 Spine 1"
set interfaces ge-0/0/1 mtu 9000
set interfaces ge-0/0/1 unit 0 family inet address 172.16.2.2/30
```
Step-by-Step Procedure
- Configure security zones, interfaces, and address books.
```
[edit]
user@r4-dci-ebr# set security zones security-zone trust
user@r4-dci-ebr# set security zones security-zone untrust
user@r4-dci-ebr# set interfaces ge-0/0/0 description "Link to DC1 Spine 1"
user@r4-dci-ebr# set interfaces ge-0/0/0 mtu 9000
user@r4-dci-ebr# set interfaces ge-0/0/0 unit 0 family inet address 172.16.1.2/30
user@r4-dci-ebr# set interfaces ge-0/0/1 description "Link to DC2 Spine 1"
user@r4-dci-ebr# set interfaces ge-0/0/1 mtu 9000
user@r4-dci-ebr# set interfaces ge-0/0/1 unit 0 family inet address 172.16.2.2/30
user@r4-dci-ebr# set security zones security-zone trust host-inbound-traffic system-services all
user@r4-dci-ebr# set security zones security-zone trust host-inbound-traffic protocols all
user@r4-dci-ebr# set security zones security-zone trust interfaces ge-0/0/0.0
user@r4-dci-ebr# set security zones security-zone untrust host-inbound-traffic system-services all
user@r4-dci-ebr# set security zones security-zone untrust host-inbound-traffic protocols all
user@r4-dci-ebr# set security zones security-zone untrust interfaces ge-0/0/1.0
user@r4-dci-ebr# set security address-book global address vtep-untrust 10.255.2.0/24
user@r4-dci-ebr# set security address-book global address vtep-trust 10.255.1.0/24
user@r4-dci-ebr# set security address-book global address vlan100 192.168.100.0/24
```
- Define the tunnel inspection profile. You can specify a range or a list of VNIs to be inspected.
```
[edit]
user@r4-dci-ebr# set security tunnel-inspection vni VLAN-100 vni-id 1100
user@r4-dci-ebr# set security tunnel-inspection inspection-profile TP-1 vxlan VNI-1100 vni VLAN-100
user@r4-dci-ebr# set security tunnel-inspection inspection-profile TP-1 vxlan VNI-1100 policy-set PSET-1
```
In this example only one VNI is needed, so the vni-id keyword is used instead of the vni-range option. The tunnel inspection profile is linked both to the VNI list/range and to the related policy that is applied to VXLAN tunnels with matching VNIs.
- Create a security policy to match on the outer session.
```
[edit]
user@r4-dci-ebr# set security policies from-zone trust to-zone untrust policy P1 match source-address vtep-trust
user@r4-dci-ebr# set security policies from-zone trust to-zone untrust policy P1 match destination-address vtep-untrust
user@r4-dci-ebr# set security policies from-zone trust to-zone untrust policy P1 match application junos-vxlan
user@r4-dci-ebr# set security policies from-zone trust to-zone untrust policy P1 then permit tunnel-inspection TP-1
```
This policy references the TP-1 tunnel inspection profile that you defined in the previous step. In this example, the goal is to inspect VXLAN tunnels that originate in DC1 and terminate in DC2. As a result, a second policy to match on the return traffic (with DC2 leaf 1 as the source VTEP) is not needed.
- Create the policy set for the inner session.
```
[edit]
user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 match source-address vlan100
user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 match destination-address vlan100
user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 match application junos-icmp-all
user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 then permit
```
This policy performs security inspection on the payload of the matching VXLAN traffic. In this example, this is the traffic sent from Server 1 on VLAN 100 in DC1 to Server 1 in DC2. By specifying the junos-icmp-all match condition, you ensure that both ping requests and replies can pass from Server 1 in DC1 to Server 1 in DC2. If you specify junos-icmp-ping, only pings that originate from DC1 are permitted. Remember that in this example only ping is permitted, to make it easier to test the resulting functionality. You can match application any to permit all traffic, or change the match criteria to meet your specific security needs.
- Define the policies needed to accept all traffic between the data centers without any tunnel inspection.
```
[edit]
user@r4-dci-ebr# set security policies from-zone trust to-zone untrust policy accept-rest match source-address any
user@r4-dci-ebr# set security policies from-zone trust to-zone untrust policy accept-rest match destination-address any
user@r4-dci-ebr# set security policies from-zone trust to-zone untrust policy accept-rest match application any
user@r4-dci-ebr# set security policies from-zone trust to-zone untrust policy accept-rest then permit
user@r4-dci-ebr# set security policies from-zone untrust to-zone trust policy accept-all-dc2 match source-address any
user@r4-dci-ebr# set security policies from-zone untrust to-zone trust policy accept-all-dc2 match destination-address any
user@r4-dci-ebr# set security policies from-zone untrust to-zone trust policy accept-all-dc2 match application any
user@r4-dci-ebr# set security policies from-zone untrust to-zone trust policy accept-all-dc2 then permit
```
Results
From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
```
[edit]
user@host# show security
address-book {
    global {
        address vtep-untrust 10.255.2.0/24;
        address vtep-trust 10.255.1.0/24;
        address vlan100 192.168.100.0/24;
    }
}
policies {
    from-zone trust to-zone untrust {
        policy P1 {
            match {
                source-address vtep-trust;
                destination-address vtep-untrust;
                application junos-vxlan;
            }
            then {
                permit {
                    tunnel-inspection {
                        TP-1;
                    }
                }
            }
        }
        policy accept-rest {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone untrust to-zone trust {
        policy accept-all-dc2 {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    policy-set PSET-1 {
        policy PSET-1-P1 {
            match {
                source-address vlan100;
                destination-address vlan100;
                application junos-icmp-all;
            }
            then {
                permit;
            }
        }
    }
}
zones {
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/0.0;
        }
    }
    security-zone untrust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/1.0;
        }
    }
}
tunnel-inspection {
    inspection-profile TP-1 {
        vxlan VNI-1100 {
            policy-set PSET-1;
            vni VLAN-100;
        }
    }
    vni VLAN-100 {
        vni-id 1100;
    }
}
```
If you are done configuring the feature on your device, enter commit from configuration mode.
Verification
At this point, you should generate ping traffic between Server 1 in DC1 and Server 1 in DC2. The pings should succeed. Let this test traffic run in the background while you complete the verification tasks.
```
r5-dc1_server1> ping 192.168.100.102
PING 192.168.100.102 (192.168.100.102): 56 data bytes
64 bytes from 192.168.100.102: icmp_seq=0 ttl=64 time=565.451 ms
64 bytes from 192.168.100.102: icmp_seq=1 ttl=64 time=541.035 ms
64 bytes from 192.168.100.102: icmp_seq=2 ttl=64 time=651.420 ms
64 bytes from 192.168.100.102: icmp_seq=3 ttl=64 time=303.533 ms
. . .
```
- Verify the Inner Policy Details
- Verify the Tunnel Inspection Traffic
- Verify the Tunnel Inspection Profile and VNI
- Verify the Security Flows
- Confirm That SSH Is Blocked
Verify the Inner Policy Details
Purpose
Verify the details of the policy applied to the inner session.
Action
From operational mode, enter the show security policies policy-set PSET-1 command.
```
From zone: PSET-1, To zone: PSET-1
  Policy: PSET-1-P1, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    From zones: any
    To zones: any
    Source vrf group: any
    Destination vrf group: any
    Source addresses: vlan100
    Destination addresses: vlan100
    Applications: junos-icmp-all
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
```
Verify the Tunnel Inspection Traffic
Purpose
Display the tunnel inspection traffic details.
Action
From operational mode, enter the show security flow tunnel-inspection statistics command.
```
Flow Tunnel-inspection statistics:
  Tunnel-inspection type VXLAN:
    overlay session active: 4
    overlay session create: 289
    overlay session close: 285
    underlay session active: 3
    underlay session create: 31
    underlay session close: 28
    input packets: 607
    input bytes: 171835
    output packets: 418
    output bytes: 75627
    bypass packets: 0
    bypass bytes: 0
```
Verify the Tunnel Inspection Profile and VNI
Purpose
Display the tunnel inspection profile and VNI details.
Action
From operational mode, enter the show security tunnel-inspection profiles command.
```
Logical system: root-logical-system
  Profile count: 1
  Profile: TP-1
    Type: VXLAN
    Vxlan count: 1
    Vxlan name: VXT-1
      VNI count: 1
      VNI:VNI-1
      Policy set: PSET-1
      Inspection level: 1
```
From operational mode, enter the show security tunnel-inspection vnis command.
```
Logical system: root-logical-system
  VNI count: 2
  VNI name: VLAN-100
    VNI id count: 1
      [1100 - 1100]
  VNI name: VNI-1
    VNI id count: 1
      [1100 - 1100]
```
Verify the Security Flows
Purpose
Display the VXLAN security flow information on the SRX to confirm that VXLAN tunnel inspection is working.
Action
From operational mode, enter the show security flow session vxlan-vni 1100 command.
```
Session ID: 3811, Policy name: PSET-1-P1/7, State: Stand-alone, Timeout: 2, Valid
  In: 192.168.100.101/47883 --> 192.168.100.102/82;icmp, Conn Tag: 0xfcd, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, Type: VXLAN, VNI: 1100, Tunnel Session ID: 2193
  Out: 192.168.100.102/82 --> 192.168.100.101/47883;icmp, Conn Tag: 0xfcd, If: ge-0/0/1.0, Pkts: 0, Bytes: 0, Type: VXLAN, VNI: 0, Tunnel Session ID: 0
Session ID: 3812, Policy name: PSET-1-P1/7, State: Stand-alone, Timeout: 2, Valid
  In: 192.168.100.101/47883 --> 192.168.100.102/83;icmp, Conn Tag: 0xfcd, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, Type: VXLAN, VNI: 1100, Tunnel Session ID: 2193
  Out: 192.168.100.102/83 --> 192.168.100.101/47883;icmp, Conn Tag: 0xfcd, If: ge-0/0/1.0, Pkts: 0, Bytes: 0, Type: VXLAN, VNI: 0, Tunnel Session ID: 0
. . .
```
Confirm That SSH Is Blocked
Purpose
Try to establish an SSH session between Server 1 in DC1 and Server 2 in DC2. Based on the policy, which permits only ping traffic for this session, the session should be blocked at the SRX.
Action
From operational mode, enter the show security flow session vxlan-vni 1100 command.
```
r5-dc1_server1> ssh 192.168.100.102
ssh: connect to host 192.168.100.102 port 22: Operation timed out
r5_dc1_server1>
```
Configuration for Zone-Level Inspection, IDP, Content Security, and Advanced Anti-Malware with Tunnel Inspection
Use this step if you want to configure zone-level inspection and apply Layer 7 services such as IDP, Juniper ATP, Content Security, and advanced anti-malware to tunnel traffic. This feature is supported in Junos OS Release 21.1R1 onward.
This example uses the following hardware and software components:
- An SRX Series firewall or vSRX virtual firewall
- Junos OS Release 21.1R1
We are using the same address book, security zones, interfaces, tunnel inspection profile, and outer-session security policy configuration created in the configuration
This step assumes that you have enrolled your SRX Series firewall with Juniper ATP. For more information about enrolling your SRX Series firewall, see Enrolling an SRX Series Device with Juniper Advanced Threat Prevention Cloud.
In this configuration, you create a policy set for the inner session and apply IDP, Content Security, and advanced anti-malware to the tunnel traffic.
- CLI Quick Configuration
- Create Zone-Level Inspection for Tunnel Inspection
- Create IDP, Content Security, and Advanced Anti-Malware for Tunnel Inspection
- Results
CLI Quick Configuration
To quickly configure this example on your SRX Series firewall, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Configuration on the SRX Series Device
```
set system host-name r4-dci-ebr
set security address-book global address vtep-untrust 10.255.2.0/24
set security address-book global address vtep-trust 10.255.1.0/24
set security address-book global address vlan100 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy P1 match source-address vtep-trust
set security policies from-zone trust to-zone untrust policy P1 match destination-address vtep-untrust
set security policies from-zone trust to-zone untrust policy P1 match application junos-vxlan
set security policies from-zone trust to-zone untrust policy P1 then permit tunnel-inspection TP-1
set security policies from-zone untrust to-zone trust policy accept-all-dc2 match source-address any
set security policies from-zone untrust to-zone trust policy accept-all-dc2 match destination-address any
set security policies from-zone untrust to-zone trust policy accept-all-dc2 match application any
set security policies from-zone untrust to-zone trust policy accept-all-dc2 then permit
set security policies policy-set PSET-1 policy PSET-1-P1 match source-address vlan100
set security policies policy-set PSET-1 policy PSET-1-P1 match destination-address vlan100
set security policies policy-set PSET-1 policy PSET-1-P1 match application junos-icmp-all
set security policies policy-set PSET-1 policy PSET-1-P1 match dynamic-application any
set security policies policy-set PSET-1 policy PSET-1-P1 match url-category any
set security policies policy-set PSET-1 policy PSET-1-P1 match from-zone trust
set security policies policy-set PSET-1 policy PSET-1-P1 match to-zone untrust
set security policies policy-set PSET-1 policy PSET-1-P1 then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/1.0
set security tunnel-inspection inspection-profile TP-1 vxlan VNI-1100 policy-set PSET-1
set security tunnel-inspection inspection-profile TP-1 vxlan VNI-1100 vni VLAN-100
set security tunnel-inspection vni VLAN-100 vni-id 1100
set interfaces ge-0/0/0 description "Link to DC1 Spine 1"
set interfaces ge-0/0/0 mtu 9000
set interfaces ge-0/0/0 unit 0 family inet address 172.16.1.2/30
set interfaces ge-0/0/1 description "Link to DC2 Spine 1"
set interfaces ge-0/0/1 mtu 9000
set interfaces ge-0/0/1 unit 0 family inet address 172.16.2.2/30
```
Create Zone-Level Inspection for Tunnel Inspection
You can add zone-level policy control to EVPN-VXLAN tunnel inspection for the inner traffic. This policy performs security inspection on the payload of the matching VXLAN traffic. In the following step, you specify the from-zone and to-zone for the traffic.
```
[edit]
user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 match source-address vlan100
user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 match destination-address vlan100
user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 match application any
user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 match dynamic-application any
user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 match url-category any
user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 match from-zone trust
user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 match to-zone untrust
user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 then permit
```
Crie IDP, segurança de conteúdo e anti-malware avançado para inspeção de túneis
Você pode adicionar serviços de segurança como IDP, aniti-malware avançado, segurança de conteúdo, proxy SSL para a inspeção de túnel EVPN-VXLAN para o tráfego interno. Essa política realiza inspeção de segurança contra a carga de tráfego VXLAN correspondente.
Na etapa seguinte, você habilitará serviços como IDP, Segurança de conteúdo, proxy SSL, inteligência de segurança, serviços avançados anti-malware, especificando-os em uma ação de permissão de política de segurança, quando o tráfego corresponde à regra da política.
-
[edit] user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 match source-address vlan100 user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 match destination-address vlan100 user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 match application any user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 then permit application-services ssl-proxy profile-name ssl-inspect-profile-1 user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 then permit application-services security-intelligence-policy secintel1 user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 then permit application-services advanced-anti-malware-policy P3 user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 then permit application-services idp-policy idp123 user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 then permit application-services utm-policy P1
As etapas a seguir mostram trechos de configuração de segurança de conteúdo, IDP e políticas avançadas anti-malware à primeira vista.
Configure uma política avançada anti-malware.
[edit] user@r4-dci-ebr# set services advanced-anti-malware policy P3 http inspection-profile scripts user@r4-dci-ebr# set services advanced-anti-malware policy P3 http action block user@r4-dci-ebr# set services advanced-anti-malware policy P3 http notification log user@r4-dci-ebr# set services advanced-anti-malware policy P3 http client-notify message "AAMW Blocked!" user@r4-dci-ebr# set services advanced-anti-malware policy P3 verdict-threshold recommended user@r4-dci-ebr# set services advanced-anti-malware policy P3 fallback-options action permit user@r4-dci-ebr# set services advanced-anti-malware policy P3 fallback-options notification log
Configure o perfil de inteligência de segurança.
[edit] user@r4-dci-ebr# set services security-intelligence url https://cloudfeeds.argonqa.junipersecurity.net/api/manifest.xml user@r4-dci-ebr# set services security-intelligence authentication tls-profile aamw-ssl user@r4-dci-ebr# set services security-intelligence profile cc_profile category CC user@r4-dci-ebr# set services security-intelligence profile cc_profile rule cc_rule match threat-level 1 user@r4-dci-ebr# set services security-intelligence profile cc_profile rule cc_rule match threat-level 2 user@r4-dci-ebr# set services security-intelligence profile cc_profile rule cc_rule match threat-level 4 user@r4-dci-ebr# set services security-intelligence profile cc_profile rule cc_rule match threat-level 5 user@r4-dci-ebr# set services security-intelligence profile cc_profile rule cc_rule match threat-level 6 user@r4-dci-ebr# set services security-intelligence profile cc_profile rule cc_rule match threat-level 7 user@r4-dci-ebr# set services security-intelligence profile cc_profile rule cc_rule match threat-level 8 user@r4-dci-ebr# set services security-intelligence profile cc_profile rule cc_rule match threat-level 9 user@r4-dci-ebr# set services security-intelligence profile cc_profile rule cc_rule match threat-level 10 user@r4-dci-ebr# set services security-intelligence profile cc_profile rule cc_rule then action block close user@r4-dci-ebr# set services security-intelligence profile cc_profile rule cc_rule then log user@r4-dci-ebr# set services security-intelligence profile ih_profile category Infected-Hosts user@r4-dci-ebr# set services security-intelligence profile ih_profile rule ih_rule match threat-level 7 user@r4-dci-ebr# set services security-intelligence profile ih_profile rule ih_rule match threat-level 8 user@r4-dci-ebr# set services security-intelligence profile ih_profile rule ih_rule match threat-level 9 user@r4-dci-ebr# set services security-intelligence profile ih_profile rule ih_rule match threat-level 10 user@r4-dci-ebr# set services 
security-intelligence profile ih_profile rule ih_rule then action block close http message "Blocked!" user@r4-dci-ebr# set services security-intelligence profile ih_profile rule ih_rule then log user@r4-dci-ebr# set services security-intelligence policy secintel1 CC cc_profile user@r4-dci-ebr# set services security-intelligence policy secintel1 Infected-Hosts ih_profile
Configure the IDP policy.
[edit]
user@r4-dci-ebr# set security idp idp-policy idp123 rulebase-ips rule rule1 match application junos-icmp-all
user@r4-dci-ebr# set security idp idp-policy idp123 rulebase-ips rule rule1 then action no-action
Configure the Content Security (UTM) policy.
[edit]
user@r4-dci-ebr# set security utm default-configuration anti-virus type sophos-engine
user@r4-dci-ebr# set security utm utm-policy P1 anti-virus http-profile junos-sophos-av-defaults
Configure the SSL profiles.
[edit]
user@r4-dci-ebr# set services ssl initiation profile aamw-ssl
user@r4-dci-ebr# set services ssl proxy profile ssl-inspect-profile-1 root-ca VJSA
Results
From configuration mode, confirm your configuration by entering the show security and show services commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security
address-book {
    global {
        address vtep-untrust 10.255.2.0/24;
        address vtep-trust 10.255.1.0/24;
        address vlan100 192.168.100.0/24;
    }
}
policies {
    from-zone trust to-zone untrust {
        policy P1 {
            match {
                source-address vtep-trust;
                destination-address vtep-untrust;
                application junos-vxlan;
            }
            then {
                permit {
                    tunnel-inspection {
                        TP-1;
                    }
                }
            }
        }
        policy accept-rest {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone untrust to-zone trust {
        policy accept-all-dc2 {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    policy-set PSET-1 {
        policy PSET-1-P1 {
            match {
                source-address vlan100;
                destination-address vlan100;
                application junos-icmp-all;
                dynamic-application any;
                url-category any;
                from-zone trust;
                to-zone untrust;
            }
            then {
                permit {
                    application-services {
                        idp-policy idp123;
                        ssl-proxy {
                            profile-name ssl-inspect-profile-1;
                        }
                        utm-policy P1;
                        security-intelligence-policy secintel1;
                        advanced-anti-malware-policy P3;
                    }
                }
            }
        }
    }
}
zones {
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/0.0;
        }
    }
    security-zone untrust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/1.0;
        }
    }
}
tunnel-inspection {
    inspection-profile TP-1 {
        vxlan VNI-1100 {
            policy-set PSET-1;
            vni VLAN-100;
        }
    }
    vni VLAN-100 {
        vni-id 1100;
    }
}
[edit]
user@host# show services
application-identification;
ssl {
    initiation {
        profile aamw-ssl;
    }
    proxy {
        profile ssl-inspect-profile-1 {
            root-ca VJSA;
        }
    }
}
advanced-anti-malware {
    policy P3 {
        http {
            inspection-profile scripts;
            action block;
            client-notify {
                message "AAMW Blocked!";
            }
            notification {
                log;
            }
        }
        verdict-threshold recommended;
        fallback-options {
            action permit;
            notification {
                log;
            }
        }
    }
}
security-intelligence {
    url https://cloudfeeds.argonqa.junipersecurity.net/api/manifest.xml;
    authentication {
        tls-profile aamw-ssl;
    }
    profile cc_profile {
        category CC;
        rule cc_rule {
            match {
                threat-level [ 1 2 4 5 6 7 8 9 10 ];
            }
            then {
                action {
                    block {
                        close;
                    }
                }
                log;
            }
        }
    }
    profile ih_profile {
        category Infected-Hosts;
        rule ih_rule {
            match {
                threat-level [ 7 8 9 10 ];
            }
            then {
                action {
                    block {
                        close {
                            http {
                                message "Blocked!";
                            }
                        }
                    }
                }
                log;
            }
        }
    }
    policy secintel1 {
        CC {
            cc_profile;
        }
        Infected-Hosts {
            ih_profile;
        }
    }
}
If you are done configuring the feature on your device, enter commit from configuration mode.
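The following Python model is added here as an illustration and is not part of the Junos example. It walks a frame through the two stages that the configuration above sets up: the zone policy P1 is matched against the outer IP/UDP header (the VTEP address-book entries plus junos-vxlan, that is UDP port 4789) and hands the session to inspection profile TP-1; the profile maps VNI 1100 (vni object VLAN-100) to policy set PSET-1; and PSET-1-P1 is then matched against the inner, encapsulated IP header. The VXLAN frames are constructed inline and carry no checksums. Two points are assumptions of the model rather than behaviour taken from the page: a VNI that the profile does not list is passed by the outer policy without an inner lookup, and an inner packet that matches no policy-set rule is dropped.

```python
import ipaddress
import struct

# Policy model transcribed from the example's show security output (page data).
ADDRESS_BOOK = {
    "vtep-trust": ipaddress.ip_network("10.255.1.0/24"),
    "vtep-untrust": ipaddress.ip_network("10.255.2.0/24"),
    "vlan100": ipaddress.ip_network("192.168.100.0/24"),
}
VXLAN_PORT = 4789  # the predefined application junos-vxlan is UDP/4789
# Rule tuples: (name, source-address, destination-address, application, action, tunnel-inspection profile)
OUTER_POLICIES = [  # from-zone trust to-zone untrust, in configured order
    ("P1", "vtep-trust", "vtep-untrust", "junos-vxlan", "permit", "TP-1"),
    ("accept-rest", "any", "any", "any", "permit", None),
]
INSPECTION_PROFILES = {"TP-1": {1100: "PSET-1"}}  # vxlan VNI-1100: vni VLAN-100 (vni-id 1100) -> PSET-1
POLICY_SETS = {"PSET-1": [("PSET-1-P1", "vlan100", "vlan100", "junos-icmp-all", "permit", None)]}

def parse_ipv4(buf, off):
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", buf, off)
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "hlen": (vihl & 0x0F) * 4}

def l4_dport(buf, off, proto):
    # TCP (6) and UDP (17) both keep the destination port in bytes 2-3 of their header.
    return struct.unpack_from("!HH", buf, off)[1] if proto in (6, 17) else None

def parse_vni(buf, off):
    flags, word = struct.unpack_from("!B3xI", buf, off)  # 8-byte VXLAN header (RFC 7348)
    if not flags & 0x08:
        raise ValueError("VXLAN I flag clear: no valid VNI")
    return word >> 8  # the VNI is the upper 24 bits of the last 32-bit word

def match_app(app, proto, dport):
    if app == "any":
        return True
    if app == "junos-vxlan":
        return proto == 17 and dport == VXLAN_PORT
    if app == "junos-icmp-all":
        return proto == 1
    raise ValueError(f"application {app} not modelled")

def first_match(rules, ip, dport):
    """First rule (in order) whose addresses contain the packet's and whose application matches."""
    for name, src, dst, app, action, profile in rules:
        if ((src == "any" or ip["src"] in ADDRESS_BOOK[src])
                and (dst == "any" or ip["dst"] in ADDRESS_BOOK[dst])
                and match_app(app, ip["proto"], dport)):
            return name, action, profile
    return None

def evaluate(pkt):
    """Stage 1: zone policy on the outer header. Stage 2: if that policy permits with
    tunnel-inspection, look the VNI up in the profile and run its policy set on the inner header."""
    outer = parse_ipv4(pkt, 0)
    off = outer["hlen"]
    result = {"outer": None, "action": "deny", "vni": None, "inner": None}  # SRX default: deny
    hit = first_match(OUTER_POLICIES, outer, l4_dport(pkt, off, outer["proto"]))
    if hit is None:
        return result
    result["outer"], result["action"], profile = hit
    if result["action"] != "permit" or profile is None:
        return result  # plain permit/deny: the payload is never decapsulated
    vni = parse_vni(pkt, off + 8)  # VXLAN header sits right after the 8-byte UDP header
    result["vni"] = vni
    pset = INSPECTION_PROFILES[profile].get(vni)
    if pset is None:
        result["inner"] = "vni-not-in-profile"  # model assumption: no inner lookup for unlisted VNIs
        return result
    eth = off + 16  # inner Ethernet frame follows UDP (8 bytes) + VXLAN (8 bytes)
    inner = parse_ipv4(pkt, eth + 14)  # inner frame is assumed to be IPv4 (ethertype 0x0800)
    inner_hit = first_match(POLICY_SETS[pset], inner,
                            l4_dport(pkt, eth + 14 + inner["hlen"], inner["proto"]))
    if inner_hit is None:
        result["action"] = "deny"  # model assumption: no policy-set rule matched -> drop
    else:
        result["inner"], result["action"] = inner_hit[0], inner_hit[1]
    return result

# Constructed frames for the scenario in the figure (leaf 1 VTEP -> leaf 2 VTEP). No checksums.
def ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + payload

def vxlan_frame(vni, inner_ip):
    ether = bytes.fromhex("0a0000000002" "0a0000000001") + b"\x08\x00" + inner_ip
    vx = struct.pack("!B3xI", 0x08, vni << 8) + ether
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, 8 + len(vx), 0) + vx
    return ipv4("10.255.1.10", "10.255.2.10", 17, udp)

ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 0x50, 0x02, 65535, 0, 0)
PING_VNI_1100 = vxlan_frame(1100, ipv4("192.168.100.10", "192.168.100.20", 1, ICMP_ECHO))
SSH_VNI_1100 = vxlan_frame(1100, ipv4("192.168.100.10", "192.168.100.20", 6, TCP_SYN))
PING_VNI_150 = vxlan_frame(150, ipv4("192.168.50.10", "192.168.50.20", 1, ICMP_ECHO))
TCP_BETWEEN_SPINES = ipv4("10.255.1.1", "10.255.2.1", 6, TCP_SYN)  # not VXLAN: falls through to accept-rest

if __name__ == "__main__":
    for label, frame in [("ping/1100", PING_VNI_1100), ("ssh/1100", SSH_VNI_1100),
                         ("ping/150", PING_VNI_150), ("tcp spines", TCP_BETWEEN_SPINES)]:
        print(label, evaluate(frame))
```

The four constructed frames show why both stages matter: an ICMP echo inside VNI 1100 is permitted by PSET-1-P1, an SSH SYN inside the same tunnel reaches the policy set but matches nothing, traffic in VNI 150 is never decapsulated because TP-1 only lists VLAN-100, and non-VXLAN traffic between the VTEP prefixes never enters tunnel inspection at all because P1 requires junos-vxlan.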
Complete Device Configurations
Refer to these configurations to better understand or re-create the context of this example. They include the complete ERB-based EVPN-VXLAN configurations for the QFX Series switches that form the DC fabrics, as well as the final state of the SRX Series firewall for the basic and advanced VXLAN tunnel inspection examples.
The configurations provided do not show user login, system logging, or management-related configuration, because this varies by location and is unrelated to the VXLAN tunnel inspection feature. Note also that, to keep the lab simple, the SRX configurations use any/any permit policies in both zone directions and host-inbound-traffic system-services all and protocols all on both zones; in a production EBL deployment, restrict these to the VTEP prefixes, underlay peers, and management services that actually need them.
For more details and an example of EVPN-VXLAN configuration, see the network configuration example Configuring an EVPN-VXLAN Fabric for a Campus Network with ERB.
- Configuration on the Leaf 1 device
- Configuration on the Spine 1 device
- Configuration on the Leaf 2 device
- Configuration on the Spine 2 device
- Basic tunnel inspection configuration on the SRX Series device
- Tunnel inspection configuration on the SRX Series device with Layer 7 security services
Configuration on the Leaf 1 device
set system host-name r0_dc1_leaf1
set interfaces xe-0/0/0 mtu 9000
set interfaces xe-0/0/0 unit 0 family inet address 10.1.1.2/30
set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members v100
set interfaces xe-0/0/2 unit 0 family ethernet-switching vlan members v50
set interfaces irb unit 50 virtual-gateway-accept-data
set interfaces irb unit 50 family inet address 192.168.50.3/24 preferred
set interfaces irb unit 50 family inet address 192.168.50.3/24 virtual-gateway-address 192.168.50.1
set interfaces irb unit 100 virtual-gateway-accept-data
set interfaces irb unit 100 family inet address 192.168.100.3/24 preferred
set interfaces irb unit 100 family inet address 192.168.100.3/24 virtual-gateway-address 192.168.100.1
set interfaces lo0 unit 0 family inet address 10.255.1.10/32
set interfaces lo0 unit 1 family inet address 10.255.10.10/32
set forwarding-options vxlan-routing next-hop 32768
set forwarding-options vxlan-routing overlay-ecmp
set policy-options policy-statement ECMP-POLICY then load-balance per-packet
set policy-options policy-statement FROM_Lo0 term 10 from interface lo0.0
set policy-options policy-statement FROM_Lo0 term 10 then accept
set policy-options policy-statement FROM_Lo0 term 20 then reject
set policy-options policy-statement OVERLAY_IMPORT term 5 from community comm_pod1
set policy-options policy-statement OVERLAY_IMPORT term 5 then accept
set policy-options policy-statement OVERLAY_IMPORT term 10 from community comm_pod2
set policy-options policy-statement OVERLAY_IMPORT term 10 then accept
set policy-options policy-statement OVERLAY_IMPORT term 20 from community shared_100_fm_pod2
set policy-options policy-statement OVERLAY_IMPORT term 20 from community shared_100_fm_pod1
set policy-options policy-statement OVERLAY_IMPORT term 20 then accept
set policy-options policy-statement T5_EXPORT term fm_direct from protocol direct
set policy-options policy-statement T5_EXPORT term fm_direct then accept
set policy-options policy-statement T5_EXPORT term fm_static from protocol static
set policy-options policy-statement T5_EXPORT term fm_static then accept
set policy-options policy-statement T5_EXPORT term fm_v4_host from protocol evpn
set policy-options policy-statement T5_EXPORT term fm_v4_host from route-filter 0.0.0.0/0 prefix-length-range /32-/32
set policy-options policy-statement T5_EXPORT term fm_v4_host then accept
set policy-options policy-statement VRF1_T5_RT_EXPORT term t1 then community add target_t5_pod1
set policy-options policy-statement VRF1_T5_RT_EXPORT term t1 then accept
set policy-options policy-statement VRF1_T5_RT_IMPORT term t1 from community target_t5_pod1
set policy-options policy-statement VRF1_T5_RT_IMPORT term t1 then accept
set policy-options policy-statement VRF1_T5_RT_IMPORT term t2 from community target_t5_pod2
set policy-options policy-statement VRF1_T5_RT_IMPORT term t2 then accept
set policy-options community comm_pod1 members target:65001:1
set policy-options community comm_pod2 members target:65002:2
set policy-options community shared_100_fm_pod1 members target:65001:100
set policy-options community shared_100_fm_pod2 members target:65002:100
set policy-options community target_t5_pod1 members target:65001:9999
set policy-options community target_t5_pod2 members target:65002:9999
set routing-instances TENANT_1_VRF routing-options multipath
set routing-instances TENANT_1_VRF protocols evpn ip-prefix-routes advertise direct-nexthop
set routing-instances TENANT_1_VRF protocols evpn ip-prefix-routes encapsulation vxlan
set routing-instances TENANT_1_VRF protocols evpn ip-prefix-routes vni 9999
set routing-instances TENANT_1_VRF protocols evpn ip-prefix-routes export T5_EXPORT
set routing-instances TENANT_1_VRF instance-type vrf
set routing-instances TENANT_1_VRF interface irb.50
set routing-instances TENANT_1_VRF interface irb.100
set routing-instances TENANT_1_VRF interface lo0.1
set routing-instances TENANT_1_VRF route-distinguisher 10.255.1.10:9999
set routing-instances TENANT_1_VRF vrf-import VRF1_T5_RT_IMPORT
set routing-instances TENANT_1_VRF vrf-export VRF1_T5_RT_EXPORT
set routing-instances TENANT_1_VRF vrf-table-label
set routing-options router-id 10.255.1.10
set routing-options autonomous-system 65001
set routing-options forwarding-table export ECMP-POLICY
set routing-options forwarding-table ecmp-fast-reroute
set routing-options forwarding-table chained-composite-next-hop ingress evpn
set protocols bgp group EVPN_FABRIC type internal
set protocols bgp group EVPN_FABRIC local-address 10.255.1.10
set protocols bgp group EVPN_FABRIC family evpn signaling
set protocols bgp group EVPN_FABRIC multipath
set protocols bgp group EVPN_FABRIC bfd-liveness-detection minimum-interval 1000
set protocols bgp group EVPN_FABRIC bfd-liveness-detection multiplier 3
set protocols bgp group EVPN_FABRIC neighbor 10.255.1.1
set protocols bgp group UNDERLAY type external
set protocols bgp group UNDERLAY family inet unicast
set protocols bgp group UNDERLAY export FROM_Lo0
set protocols bgp group UNDERLAY local-as 65510
set protocols bgp group UNDERLAY multipath multiple-as
set protocols bgp group UNDERLAY bfd-liveness-detection minimum-interval 350
set protocols bgp group UNDERLAY bfd-liveness-detection multiplier 3
set protocols bgp group UNDERLAY neighbor 10.1.1.1 peer-as 65511
set protocols evpn encapsulation vxlan
set protocols evpn default-gateway no-gateway-community
set protocols evpn vni-options vni 150 vrf-target target:65001:150
set protocols evpn vni-options vni 1100 vrf-target target:65001:100
set protocols evpn extended-vni-list 1100
set protocols evpn extended-vni-list 150
set protocols lldp interface all
set switch-options vtep-source-interface lo0.0
set switch-options route-distinguisher 10.255.1.10:1
set switch-options vrf-import OVERLAY_IMPORT
set switch-options vrf-target target:65001:1
set vlans v100 vlan-id 100
set vlans v100 l3-interface irb.100
set vlans v100 vxlan vni 1100
set vlans v50 vlan-id 50
set vlans v50 l3-interface irb.50
set vlans v50 vxlan vni 150
Configuration on the Spine 1 device
set system host-name r1_dc1_spine11
set interfaces xe-0/0/0 mtu 9000
set interfaces xe-0/0/0 unit 0 family inet address 10.1.1.1/30
set interfaces xe-0/0/1 mtu 9000
set interfaces xe-0/0/1 unit 0 family inet address 172.16.1.1/30
set interfaces lo0 unit 0 family inet address 10.255.1.1/32
set policy-options policy-statement ECMP-POLICY then load-balance per-packet
set policy-options policy-statement FROM_Lo0 term 10 from interface lo0.0
set policy-options policy-statement FROM_Lo0 term 10 then accept
set policy-options policy-statement FROM_Lo0 term 20 then reject
set policy-options policy-statement UNDERLAY-EXPORT term LOOPBACK from route-filter 10.255.0.0/16 orlonger
set policy-options policy-statement UNDERLAY-EXPORT term LOOPBACK from route-filter 10.1.0.0/16 orlonger
set policy-options policy-statement UNDERLAY-EXPORT term LOOPBACK then accept
set policy-options policy-statement UNDERLAY-EXPORT term DEFAULT then reject
set policy-options policy-statement UNDERLAY-IMPORT term LOOPBACK from route-filter 10.255.0.0/16 orlonger
set policy-options policy-statement UNDERLAY-IMPORT term LOOPBACK from route-filter 10.1.0.0/16 orlonger
set policy-options policy-statement UNDERLAY-IMPORT term LOOPBACK then accept
set policy-options policy-statement UNDERLAY-IMPORT term DEFAULT then reject
set routing-options autonomous-system 65001
set routing-options forwarding-table export ECMP-POLICY
set routing-options forwarding-table ecmp-fast-reroute
set protocols bgp group EVPN_FABRIC type internal
set protocols bgp group EVPN_FABRIC local-address 10.255.1.1
set protocols bgp group EVPN_FABRIC family evpn signaling
set protocols bgp group EVPN_FABRIC cluster 10.255.1.1
set protocols bgp group EVPN_FABRIC multipath
set protocols bgp group EVPN_FABRIC bfd-liveness-detection minimum-interval 1000
set protocols bgp group EVPN_FABRIC bfd-liveness-detection multiplier 3
set protocols bgp group EVPN_FABRIC neighbor 10.255.1.10
set protocols bgp group EVPN_FABRIC vpn-apply-export
set protocols bgp group UNDERLAY type external
set protocols bgp group UNDERLAY import UNDERLAY-IMPORT
set protocols bgp group UNDERLAY family inet unicast
set protocols bgp group UNDERLAY export UNDERLAY-EXPORT
set protocols bgp group UNDERLAY local-as 65511
set protocols bgp group UNDERLAY multipath multiple-as
set protocols bgp group UNDERLAY bfd-liveness-detection minimum-interval 350
set protocols bgp group UNDERLAY bfd-liveness-detection multiplier 3
set protocols bgp group UNDERLAY neighbor 10.1.1.2 peer-as 65510
set protocols bgp group UNDERLAY neighbor 172.16.1.2 peer-as 65012
set protocols bgp group OVERLAY_INTERDC type external
set protocols bgp group OVERLAY_INTERDC multihop no-nexthop-change
set protocols bgp group OVERLAY_INTERDC local-address 10.255.1.1
set protocols bgp group OVERLAY_INTERDC family evpn signaling
set protocols bgp group OVERLAY_INTERDC multipath multiple-as
set protocols bgp group OVERLAY_INTERDC neighbor 10.255.2.1 peer-as 65002
set protocols lldp interface all
Configuration on the Leaf 2 device
set system host-name r2_dc2_leaf1
set interfaces xe-0/0/0 mtu 9000
set interfaces xe-0/0/0 unit 0 family inet address 10.1.2.2/30
set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members v100
set interfaces xe-0/0/2 unit 0 family ethernet-switching vlan members v60
set interfaces irb unit 60 virtual-gateway-accept-data
set interfaces irb unit 60 family inet address 192.168.60.3/24 preferred
set interfaces irb unit 60 family inet address 192.168.60.3/24 virtual-gateway-address 192.168.60.1
set interfaces irb unit 100 virtual-gateway-accept-data
set interfaces irb unit 100 family inet address 192.168.100.4/24 preferred
set interfaces irb unit 100 family inet address 192.168.100.4/24 virtual-gateway-address 192.168.100.1
set interfaces lo0 unit 0 family inet address 10.255.2.10/32
set interfaces lo0 unit 1 family inet address 10.255.20.10/32
set forwarding-options vxlan-routing next-hop 32768
set forwarding-options vxlan-routing overlay-ecmp
set policy-options policy-statement ECMP-POLICY then load-balance per-packet
set policy-options policy-statement FROM_Lo0 term 10 from interface lo0.0
set policy-options policy-statement FROM_Lo0 term 10 then accept
set policy-options policy-statement FROM_Lo0 term 20 then reject
set policy-options policy-statement OVERLAY_IMPORT term 5 from community comm_pod1
set policy-options policy-statement OVERLAY_IMPORT term 5 then accept
set policy-options policy-statement OVERLAY_IMPORT term 10 from community comm_pod2
set policy-options policy-statement OVERLAY_IMPORT term 10 then accept
set policy-options policy-statement OVERLAY_IMPORT term 20 from community shared_100_fm_pod2
set policy-options policy-statement OVERLAY_IMPORT term 20 from community shared_100_fm_pod1
set policy-options policy-statement OVERLAY_IMPORT term 20 then accept
set policy-options policy-statement T5_EXPORT term fm_direct from protocol direct
set policy-options policy-statement T5_EXPORT term fm_direct then accept
set policy-options policy-statement T5_EXPORT term fm_static from protocol static
set policy-options policy-statement T5_EXPORT term fm_static then accept
set policy-options policy-statement T5_EXPORT term fm_v4_host from protocol evpn
set policy-options policy-statement T5_EXPORT term fm_v4_host from route-filter 0.0.0.0/0 prefix-length-range /32-/32
set policy-options policy-statement T5_EXPORT term fm_v4_host then accept
set policy-options policy-statement VRF1_T5_RT_EXPORT term t1 then community add target_t5_pod1
set policy-options policy-statement VRF1_T5_RT_EXPORT term t1 then accept
set policy-options policy-statement VRF1_T5_RT_IMPORT term t1 from community target_t5_pod1
set policy-options policy-statement VRF1_T5_RT_IMPORT term t1 then accept
set policy-options policy-statement VRF1_T5_RT_IMPORT term t2 from community target_t5_pod2
set policy-options policy-statement VRF1_T5_RT_IMPORT term t2 then accept
set policy-options community comm_pod1 members target:65001:1
set policy-options community comm_pod2 members target:65002:2
set policy-options community shared_100_fm_pod1 members target:65001:100
set policy-options community shared_100_fm_pod2 members target:65002:100
set policy-options community target_t5_pod1 members target:65001:9999
set policy-options community target_t5_pod2 members target:65002:9999
set routing-instances TENANT_1_VRF routing-options multipath
set routing-instances TENANT_1_VRF protocols evpn ip-prefix-routes advertise direct-nexthop
set routing-instances TENANT_1_VRF protocols evpn ip-prefix-routes encapsulation vxlan
set routing-instances TENANT_1_VRF protocols evpn ip-prefix-routes vni 9999
set routing-instances TENANT_1_VRF protocols evpn ip-prefix-routes export T5_EXPORT
set routing-instances TENANT_1_VRF instance-type vrf
set routing-instances TENANT_1_VRF interface irb.60
set routing-instances TENANT_1_VRF interface irb.100
set routing-instances TENANT_1_VRF interface lo0.1
set routing-instances TENANT_1_VRF route-distinguisher 10.255.1.2:9999
set routing-instances TENANT_1_VRF vrf-import VRF1_T5_RT_IMPORT
set routing-instances TENANT_1_VRF vrf-export VRF1_T5_RT_EXPORT
set routing-instances TENANT_1_VRF vrf-table-label
set routing-options router-id 10.255.2.10
set routing-options autonomous-system 65002
set routing-options forwarding-table export ECMP-POLICY
set routing-options forwarding-table ecmp-fast-reroute
set routing-options forwarding-table chained-composite-next-hop ingress evpn
set protocols bgp group EVPN_FABRIC type internal
set protocols bgp group EVPN_FABRIC local-address 10.255.2.10
set protocols bgp group EVPN_FABRIC family evpn signaling
set protocols bgp group EVPN_FABRIC multipath
set protocols bgp group EVPN_FABRIC bfd-liveness-detection minimum-interval 1000
set protocols bgp group EVPN_FABRIC bfd-liveness-detection multiplier 3
set protocols bgp group EVPN_FABRIC neighbor 10.255.2.1
set protocols bgp group UNDERLAY type external
set protocols bgp group UNDERLAY family inet unicast
set protocols bgp group UNDERLAY export FROM_Lo0
set protocols bgp group UNDERLAY local-as 65522
set protocols bgp group UNDERLAY multipath multiple-as
set protocols bgp group UNDERLAY bfd-liveness-detection minimum-interval 350
set protocols bgp group UNDERLAY bfd-liveness-detection multiplier 3
set protocols bgp group UNDERLAY neighbor 10.1.2.1 peer-as 65523
set protocols evpn encapsulation vxlan
set protocols evpn default-gateway no-gateway-community
set protocols evpn vni-options vni 160 vrf-target target:65002:160
set protocols evpn vni-options vni 1100 vrf-target target:65002:100
set protocols evpn extended-vni-list 1100
set protocols evpn extended-vni-list 160
set protocols lldp interface all
set switch-options vtep-source-interface lo0.0
set switch-options route-distinguisher 10.255.2.10:1
set switch-options vrf-import OVERLAY_IMPORT
set switch-options vrf-target target:65002:1
set vlans v100 vlan-id 100
set vlans v100 l3-interface irb.100
set vlans v100 vxlan vni 1100
set vlans v60 vlan-id 60
set vlans v60 l3-interface irb.60
set vlans v60 vxlan vni 160
Configuration on the Spine 2 device
set system host-name r3_dc2_spine1
set interfaces xe-0/0/0 mtu 9000
set interfaces xe-0/0/0 unit 0 family inet address 10.1.2.1/30
set interfaces xe-0/0/1 mtu 9000
set interfaces xe-0/0/1 unit 0 family inet address 172.16.2.1/30
set interfaces lo0 unit 0 family inet address 10.255.2.1/32
set policy-options policy-statement ECMP-POLICY then load-balance per-packet
set policy-options policy-statement FROM_Lo0 term 10 from interface lo0.0
set policy-options policy-statement FROM_Lo0 term 10 then accept
set policy-options policy-statement FROM_Lo0 term 20 then reject
set policy-options policy-statement UNDERLAY-EXPORT term LOOPBACK from route-filter 10.255.0.0/16 orlonger
set policy-options policy-statement UNDERLAY-EXPORT term LOOPBACK from route-filter 10.1.0.0/16 orlonger
set policy-options policy-statement UNDERLAY-EXPORT term LOOPBACK then accept
set policy-options policy-statement UNDERLAY-EXPORT term DEFAULT then reject
set policy-options policy-statement UNDERLAY-IMPORT term LOOPBACK from route-filter 10.255.0.0/16 orlonger
set policy-options policy-statement UNDERLAY-IMPORT term LOOPBACK from route-filter 10.1.0.0/16 orlonger
set policy-options policy-statement UNDERLAY-IMPORT term LOOPBACK then accept
set policy-options policy-statement UNDERLAY-IMPORT term DEFAULT then reject
set routing-options autonomous-system 65002
set routing-options forwarding-table export ECMP-POLICY
set routing-options forwarding-table ecmp-fast-reroute
set protocols bgp group EVPN_FABRIC type internal
set protocols bgp group EVPN_FABRIC local-address 10.255.2.1
set protocols bgp group EVPN_FABRIC family evpn signaling
set protocols bgp group EVPN_FABRIC cluster 10.255.2.1
set protocols bgp group EVPN_FABRIC multipath
set protocols bgp group EVPN_FABRIC bfd-liveness-detection minimum-interval 1000
set protocols bgp group EVPN_FABRIC bfd-liveness-detection multiplier 3
set protocols bgp group EVPN_FABRIC neighbor 10.255.2.10
set protocols bgp group EVPN_FABRIC vpn-apply-export
set protocols bgp group UNDERLAY type external
set protocols bgp group UNDERLAY import UNDERLAY-IMPORT
set protocols bgp group UNDERLAY family inet unicast
set protocols bgp group UNDERLAY export UNDERLAY-EXPORT
set protocols bgp group UNDERLAY local-as 65523
set protocols bgp group UNDERLAY multipath multiple-as
set protocols bgp group UNDERLAY bfd-liveness-detection minimum-interval 350
set protocols bgp group UNDERLAY bfd-liveness-detection multiplier 3
set protocols bgp group UNDERLAY neighbor 10.1.2.2 peer-as 65522
set protocols bgp group UNDERLAY neighbor 172.16.2.2 peer-as 65012
set protocols bgp group OVERLAY_INTERDC type external
set protocols bgp group OVERLAY_INTERDC multihop no-nexthop-change
set protocols bgp group OVERLAY_INTERDC local-address 10.255.2.1
set protocols bgp group OVERLAY_INTERDC family evpn signaling
set protocols bgp group OVERLAY_INTERDC multipath multiple-as
set protocols bgp group OVERLAY_INTERDC neighbor 10.255.1.1 peer-as 65001
set protocols lldp interface all
Basic tunnel inspection configuration on the SRX Series device
set system host-name r4-dci-ebr
set security address-book global address vtep-untrust 10.255.2.0/24
set security address-book global address vtep-trust 10.255.1.0/24
set security address-book global address vlan100 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy P1 match source-address vtep-trust
set security policies from-zone trust to-zone untrust policy P1 match destination-address vtep-untrust
set security policies from-zone trust to-zone untrust policy P1 match application junos-vxlan
set security policies from-zone trust to-zone untrust policy P1 then permit tunnel-inspection TP-1
set security policies from-zone trust to-zone untrust policy accept-rest match source-address any
set security policies from-zone trust to-zone untrust policy accept-rest match destination-address any
set security policies from-zone trust to-zone untrust policy accept-rest match application any
set security policies from-zone trust to-zone untrust policy accept-rest then permit
set security policies from-zone untrust to-zone trust policy accept-return match source-address any
set security policies from-zone untrust to-zone trust policy accept-return match destination-address any
set security policies from-zone untrust to-zone trust policy accept-return match application any
set security policies from-zone untrust to-zone trust policy accept-return then permit
set security policies policy-set PSET-1 policy PSET-1-P1 match source-address vlan100
set security policies policy-set PSET-1 policy PSET-1-P1 match destination-address vlan100
set security policies policy-set PSET-1 policy PSET-1-P1 match application junos-icmp-all
set security policies policy-set PSET-1 policy PSET-1-P1 then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/1.0
set security tunnel-inspection inspection-profile TP-1 vxlan VNI-1100 policy-set PSET-1
set security tunnel-inspection inspection-profile TP-1 vxlan VNI-1100 vni VLAN-100
set security tunnel-inspection vni VLAN-100 vni-id 1100
set interfaces ge-0/0/0 description "Link to DC2 Spine 1"
set interfaces ge-0/0/0 mtu 9000
set interfaces ge-0/0/0 unit 0 family inet address 172.16.1.2/30
set interfaces ge-0/0/1 mtu 9000
set interfaces ge-0/0/1 unit 0 family inet address 172.16.2.2/30
set policy-options policy-statement ECMP-POLICY then load-balance per-packet
set policy-options policy-statement dci term 1 from protocol direct
set policy-options policy-statement dci term 1 then accept
set protocols bgp group UNDERLAY export dci
set protocols bgp group UNDERLAY multipath multiple-as
set protocols bgp group UNDERLAY bfd-liveness-detection minimum-interval 350
set protocols bgp group UNDERLAY bfd-liveness-detection multiplier 3
set protocols bgp group UNDERLAY neighbor 172.16.1.1 peer-as 65511
set protocols bgp group UNDERLAY neighbor 172.16.2.1 peer-as 65523
set routing-options autonomous-system 65012
set routing-options forwarding-table export ECMP-POLICY
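The tunnel-inspection wiring spans three hierarchies (the zone policy that permits with tunnel-inspection, the inspection profile, and the vni object) plus the VNI list of the fabric itself, so it is possible to commit a configuration that is syntactically valid but never inspects anything. The following Python script is added here as an illustration and is not part of the Junos example; it parses the security hierarchy of the basic configuration above (set format, reproduced inline) and cross-checks those references. The fabric VNI set {1100, 150} is taken from the extended-vni-list on Leaf 1; the check names and finding wording are this script's own.

```python
import shlex

# Security hierarchy of the basic tunnel-inspection configuration above (page data),
# reduced to the statements the cross-check looks at.
SRX_CONFIG = """\
set security address-book global address vtep-untrust 10.255.2.0/24
set security address-book global address vtep-trust 10.255.1.0/24
set security address-book global address vlan100 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy P1 match source-address vtep-trust
set security policies from-zone trust to-zone untrust policy P1 match destination-address vtep-untrust
set security policies from-zone trust to-zone untrust policy P1 match application junos-vxlan
set security policies from-zone trust to-zone untrust policy P1 then permit tunnel-inspection TP-1
set security policies policy-set PSET-1 policy PSET-1-P1 match source-address vlan100
set security policies policy-set PSET-1 policy PSET-1-P1 match destination-address vlan100
set security policies policy-set PSET-1 policy PSET-1-P1 match application junos-icmp-all
set security policies policy-set PSET-1 policy PSET-1-P1 then permit
set security tunnel-inspection inspection-profile TP-1 vxlan VNI-1100 policy-set PSET-1
set security tunnel-inspection inspection-profile TP-1 vxlan VNI-1100 vni VLAN-100
set security tunnel-inspection vni VLAN-100 vni-id 1100
"""
# VNIs the fabric actually extends, from "set protocols evpn extended-vni-list" on Leaf 1.
FABRIC_VNIS = {1100, 150}


def parse_set(text):
    """Turn set-format lines into token tuples (shlex keeps quoted values such as "Blocked!" intact)."""
    return [tuple(shlex.split(line)[1:]) for line in text.splitlines()
            if line.strip().startswith("set ")]


def select(stmts, pattern):
    """Capture dicts for every statement that starts with `pattern`; {name} items capture that token."""
    pat = pattern.split()
    out = []
    for s in stmts:
        if len(s) < len(pat):
            continue
        caps = {}
        for tok, p in zip(s, pat):
            if p.startswith("{"):
                caps[p[1:-1]] = tok
            elif tok != p:
                break
        else:
            out.append(caps)
    return out


def check_tunnel_inspection(config_text, fabric_vnis):
    """Return a list of findings; an empty list means the references are consistent."""
    stmts = parse_set(config_text)
    findings = []
    addrs = {c["n"] for c in select(stmts, "security address-book global address {n}")} | {"any"}
    psets = {c["n"] for c in select(stmts, "security policies policy-set {n} policy {p}")}
    profiles = {c["n"] for c in select(stmts, "security tunnel-inspection inspection-profile {n}")}
    vnis = {c["n"]: int(c["id"]) for c in select(stmts, "security tunnel-inspection vni {n} vni-id {id}")}

    # 1. A zone policy that hands a session to tunnel inspection must name a defined profile and
    #    must actually match the VXLAN transport (junos-vxlan, or any); otherwise nothing is decapsulated.
    for c in select(stmts, "security policies from-zone {fz} to-zone {tz} policy {pol} then permit tunnel-inspection {prof}"):
        path = f"from-zone {c['fz']} to-zone {c['tz']} policy {c['pol']}"
        if c["prof"] not in profiles:
            findings.append(f"{path}: inspection-profile {c['prof']} is not defined")
        apps = {a["app"] for a in select(stmts, f"security policies {path} match application {{app}}")}
        if not apps & {"junos-vxlan", "any"}:
            findings.append(f"{path}: application {sorted(apps)} never matches VXLAN (UDP/4789)")

    # 2. Each profile entry must point at a policy set with at least one policy and at a defined
    #    vni object whose vni-id the fabric really carries.
    for c in select(stmts, "security tunnel-inspection inspection-profile {p} vxlan {e} policy-set {ps}"):
        if c["ps"] not in psets:
            findings.append(f"inspection-profile {c['p']} vxlan {c['e']}: policy-set {c['ps']} has no policies")
    for c in select(stmts, "security tunnel-inspection inspection-profile {p} vxlan {e} vni {v}"):
        if c["v"] not in vnis:
            findings.append(f"inspection-profile {c['p']} vxlan {c['e']}: vni object {c['v']} is not defined")
        elif vnis[c["v"]] not in fabric_vnis:
            findings.append(f"vni {c['v']} vni-id {vnis[c['v']]} is not in the fabric's VNI list {sorted(fabric_vnis)}")

    # 3. Every address a zone policy or policy-set policy refers to must exist in the global address book.
    for s in stmts:
        if s[:2] == ("security", "policies") and "match" in s:
            i = s.index("match")
            if i + 2 < len(s) and s[i + 1] in ("source-address", "destination-address") and s[i + 2] not in addrs:
                findings.append(f"{' '.join(s[2:i])}: {s[i + 1]} {s[i + 2]} is not in the global address book")
    return findings


if __name__ == "__main__":
    print(check_tunnel_inspection(SRX_CONFIG, FABRIC_VNIS) or "tunnel-inspection references are consistent")
```

Run it against the output of show configuration | display set from the firewall and the extended-vni-list of a leaf; a typo in the vni-id, or a profile name that does not match between the policy and the tunnel-inspection hierarchy, shows up as a finding before the commit rather than as VXLAN traffic that silently passes uninspected.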
Tunnel inspection configuration on the SRX Series device with Layer 7 security services
set system host-name r4-dci-ebr
set services application-identification
set services ssl initiation profile aamw-ssl
set services ssl proxy profile ssl-inspect-profile-1 root-ca VJSA
set services advanced-anti-malware policy P3 http inspection-profile scripts
set services advanced-anti-malware policy P3 http action block
set services advanced-anti-malware policy P3 http client-notify message "AAMW Blocked!"
set services advanced-anti-malware policy P3 http notification log
set services advanced-anti-malware policy P3 verdict-threshold recommended
set services advanced-anti-malware policy P3 fallback-options action permit
set services advanced-anti-malware policy P3 fallback-options notification log
set services security-intelligence url https://cloudfeeds.argonqa.junipersecurity.net/api/manifest.xml
set services security-intelligence authentication tls-profile aamw-ssl
set services security-intelligence profile cc_profile category CC
set services security-intelligence profile cc_profile rule cc_rule match threat-level 1
set services security-intelligence profile cc_profile rule cc_rule match threat-level 2
set services security-intelligence profile cc_profile rule cc_rule match threat-level 4
set services security-intelligence profile cc_profile rule cc_rule match threat-level 5
set services security-intelligence profile cc_profile rule cc_rule match threat-level 6
set services security-intelligence profile cc_profile rule cc_rule match threat-level 7
set services security-intelligence profile cc_profile rule cc_rule match threat-level 8
set services security-intelligence profile cc_profile rule cc_rule match threat-level 9
set services security-intelligence profile cc_profile rule cc_rule match threat-level 10
set services security-intelligence profile cc_profile rule cc_rule then action block close
set services security-intelligence profile cc_profile rule cc_rule then log
set services security-intelligence profile ih_profile category Infected-Hosts
set services security-intelligence profile ih_profile rule ih_rule match threat-level 7
set services security-intelligence profile ih_profile rule ih_rule match threat-level 8
set services security-intelligence profile ih_profile rule ih_rule match threat-level 9
set services security-intelligence profile ih_profile rule ih_rule match threat-level 10
set services security-intelligence profile ih_profile rule ih_rule then action block close http message "Blocked!"
set services security-intelligence profile ih_profile rule ih_rule then log
set services security-intelligence policy secintel1 CC cc_profile
set services security-intelligence policy secintel1 Infected-Hosts ih_profile
set security pki ca-profile aamw-ca ca-identity deviceCA
set security pki ca-profile aamw-ca enrollment url http://ca.junipersecurity.net:8080/ejbca/publicweb/apply/scep/SRX/pkiclient.exe
set security pki ca-profile aamw-ca revocation-check disable
set security pki ca-profile aamw-ca revocation-check crl url http://va.junipersecurity.net/ca/deviceCA.crl
set security pki ca-profile aamw-secintel-ca ca-identity JUNIPER
set security pki ca-profile aamw-secintel-ca revocation-check crl url http://va.junipersecurity.net/ca/current.crl
set security pki ca-profile aamw-cloud-ca ca-identity JUNIPER_CLOUD
set security pki ca-profile aamw-cloud-ca revocation-check crl url http://va.junipersecurity.net/ca/cloudCA.crl
set security idp idp-policy idp123 rulebase-ips rule rule1 match application junos-icmp-all
set security idp idp-policy idp123 rulebase-ips rule rule1 then action no-action
set security address-book global address vtep-untrust 10.255.2.0/24
set security address-book global address vtep-trust 10.255.1.0/24
set security address-book global address vlan100 192.168.100.0/24
set security utm default-configuration anti-virus type sophos-engine
set security utm utm-policy P1 anti-virus http-profile junos-sophos-av-defaults
set security policies from-zone trust to-zone untrust policy P1 match source-address vtep-trust
set security policies from-zone trust to-zone untrust policy P1 match destination-address vtep-untrust
set security policies from-zone trust to-zone untrust policy P1 match application junos-vxlan
set security policies from-zone trust to-zone untrust policy P1 then permit tunnel-inspection TP-1
set security policies from-zone trust to-zone untrust policy accept-rest match source-address any
set security policies from-zone trust to-zone untrust policy accept-rest match destination-address any
set security policies from-zone trust to-zone untrust policy accept-rest match application any
set security policies from-zone trust to-zone untrust policy accept-rest then permit
set security policies from-zone untrust to-zone trust policy accept-return match source-address any
set security policies from-zone untrust to-zone trust policy accept-return match destination-address any
set security policies from-zone untrust to-zone trust policy accept-return match application any
set security policies from-zone untrust to-zone trust policy accept-return then permit
set security policies policy-set PSET-1 policy PSET-1-P1 match source-address vlan100
set security policies policy-set PSET-1 policy PSET-1-P1 match destination-address vlan100
set security policies policy-set PSET-1 policy PSET-1-P1 match application any
set security policies policy-set PSET-1 policy PSET-1-P1 match dynamic-application any
set security policies policy-set PSET-1 policy PSET-1-P1 match url-category any
set security policies policy-set PSET-1 policy PSET-1-P1 match from-zone trust
set security policies policy-set PSET-1 policy PSET-1-P1 match to-zone untrust
set security policies policy-set PSET-1 policy PSET-1-P1 then permit application-services idp-policy idp123
set security policies policy-set PSET-1 policy PSET-1-P1 then permit application-services ssl-proxy profile-name ssl-inspect-profile-1
set security policies policy-set PSET-1 policy PSET-1-P1 then permit application-services utm-policy P1
set security policies policy-set PSET-1 policy PSET-1-P1 then permit application-services security-intelligence-policy secintel1
set security policies policy-set PSET-1 policy PSET-1-P1 then permit application-services advanced-anti-malware-policy P3
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/1.0
set security tunnel-inspection inspection-profile TP-1 vxlan VNI-1100 policy-set PSET-1
set security tunnel-inspection inspection-profile TP-1 vxlan VNI-1100 vni VLAN-100
set security tunnel-inspection vni VLAN-100 vni-id 1100
set interfaces ge-0/0/0 description "Link to DC2 Spine 1"
set interfaces ge-0/0/0 mtu 9000
set interfaces ge-0/0/0 unit 0 family inet address 172.16.1.2/30
set interfaces ge-0/0/1 mtu 9000
set interfaces ge-0/0/1 unit 0 family inet address 172.16.2.2/30
set policy-options policy-statement ECMP-POLICY then load-balance per-packet
set policy-options policy-statement dci term 1 from protocol direct
set policy-options policy-statement dci term 1 then accept
set protocols bgp group UNDERLAY export dci
set protocols bgp group UNDERLAY multipath multiple-as
set protocols bgp group UNDERLAY bfd-liveness-detection minimum-interval 350
set protocols bgp group UNDERLAY bfd-liveness-detection multiplier 3
set protocols bgp group UNDERLAY neighbor 172.16.1.1 peer-as 65511
set protocols bgp group UNDERLAY neighbor 172.16.2.1 peer-as 65523
set routing-options autonomous-system 65012
set routing-options static route 0.0.0.0/0 next-hop 10.9.159.252
set routing-options forwarding-table export ECMP-POLICY