Configure Security Policies for VXLAN
Summary
Use this example to configure security policies for EVPN (Ethernet VPN) Virtual Extensible LAN (VXLAN) tunnel inspection.
Requirements
VXLAN support on SRX Series devices lets you place an enterprise-grade firewall between endpoints in campus, data center, branch, and public cloud environments and apply security policy to the traffic carried inside the VXLAN tunnels rather than only to the tunnel itself.
This example uses the following hardware and software components:
SRX4600 device
Junos OS Release 20.4R1
Before you begin:
Make sure you understand how EVPN and VXLAN work.
Overview
The EVPN solution gives large enterprises a common framework for managing their campus and data center networks. An EVPN-VXLAN architecture supports efficient Layer 2 and Layer 3 network connectivity with scale, simplicity, and agility. Without tunnel inspection, the SRX Series device sees only the outer UDP session (the junos-vxlan application, UDP port 4789) and can permit or deny the whole tunnel but not the flows inside it. With tunnel inspection, a zone policy that permits junos-vxlan references an inspection profile; for packets whose VNI is covered by that profile, the device creates an overlay session for the inner flow and evaluates it against a policy set, including any application services such as UTM. Figure 1 shows a simplified VXLAN traffic flow topology.

Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure VXLAN tunnel inspection:
- Define the tunnel-inspection profile and the VNI objects it references. Each vni object holds either a single vni-id or a vni-range. Only the objects listed under the profile (r1, r2, r3, r5) are inspected; v1 is defined here but not referenced by ins-pf1.

[edit security tunnel-inspection]
user@host# set inspection-profile ins-pf1 vxlan vx1 vni r1
user@host# set inspection-profile ins-pf1 vxlan vx1 vni r2
user@host# set inspection-profile ins-pf1 vxlan vx1 vni r3
user@host# set inspection-profile ins-pf1 vxlan vx1 vni r5
user@host# set inspection-profile ins-pf1 vxlan vx1 policy-set pset1
user@host# set vni r1 vni-range 160 to 200
user@host# set vni r2 vni-id 155
user@host# set vni r3 vni-range 300 to 399
user@host# set vni r5 vni-range 100 to 120
user@host# set vni v1 vni-range 1 to 100
- Define the outer (underlay) session policies. The predefined application junos-vxlan matches the outer UDP session on port 4789, and the permit action references the inspection profile ins-pf1, which tells the device to open the tunnel and create overlay sessions for the inner traffic. The profile name in the permit action must match the profile defined in the previous step, and both directions of the zone pair must reference it.

[edit security policies]
user@host# set from-zone dc-1 to-zone cloud-1 policy p1 match source-address any
user@host# set from-zone dc-1 to-zone cloud-1 policy p1 match destination-address any
user@host# set from-zone dc-1 to-zone cloud-1 policy p1 match application junos-vxlan
user@host# set from-zone dc-1 to-zone cloud-1 policy p1 then permit tunnel-inspection ins-pf1
user@host# set from-zone cloud-1 to-zone dc-1 policy p1 match source-address any
user@host# set from-zone cloud-1 to-zone dc-1 policy p1 match destination-address any
user@host# set from-zone cloud-1 to-zone dc-1 policy p1 match application junos-vxlan
user@host# set from-zone cloud-1 to-zone dc-1 policy p1 then permit tunnel-inspection ins-pf1
- Define the policy set that is applied to the overlay sessions. A policy set is referenced from the inspection profile rather than from a zone pair, and it is evaluated against the inner flows; here it permits only junos-ping and junos-http and sends the permitted traffic to the UTM policy utmpolicy1 (defined elsewhere). The global default policy is set to deny-all so that traffic matching no policy is dropped.

[edit security policies]
user@host# set policy-set pset1 policy pset_p1 match source-address any
user@host# set policy-set pset1 policy pset_p1 match destination-address any
user@host# set policy-set pset1 policy pset_p1 match application junos-ping
user@host# set policy-set pset1 policy pset_p1 match application junos-http
user@host# set policy-set pset1 policy pset_p1 then permit application-services utm-policy utmpolicy1
user@host# set default-policy deny-all
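The following added example (Python, not Juniper's code and not part of the original page) models the decision the configuration above makes for one VXLAN-encapsulated packet: it parses the VXLAN header (RFC 7348), looks the 24-bit VNI up against the vni objects referenced by ins-pf1, and, for a covered VNI, parses the inner IPv4 packet and evaluates a reduced form of pset1. The VNI names and ranges are taken from the configuration above; the mapping of junos-ping to ICMP and junos-http to TCP port 80, the packet builder, and the "bypass" verdict for a VNI outside the profile are assumptions for illustration and do not reproduce the SRX flow engine.

```python
"""Added example (not Juniper's code): how a VXLAN tunnel-inspection profile
selects inner traffic for overlay policy lookup.

Assumptions (hypothetical): VNI objects/ranges copied from the page's config;
pset1 reduced to inner protocol/port (junos-ping = ICMP, junos-http = TCP/80).
Session setup, UTM and ALGs are not modelled.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

VXLAN_FLAG_I = 0x08  # "VNI present" flag, RFC 7348 section 5

# VNI objects from the page: name -> list of (low, high) ranges.
VNI_OBJECTS: Dict[str, List[Tuple[int, int]]] = {
    "r1": [(160, 200)],
    "r2": [(155, 155)],   # vni-id 155
    "r3": [(300, 399)],
    "r5": [(100, 120)],
    "v1": [(1, 100)],     # defined but not referenced by ins-pf1
}
# Inspection profile ins-pf1: vxlan vx1 references r1, r2, r3, r5 and pset1.
PROFILE = {"name": "ins-pf1", "vni": ["r1", "r2", "r3", "r5"], "policy_set": "pset1"}
# Policy set pset1 as (ip_proto, dst_port); None = any port. Default: deny.
POLICY_SET = {"pset1": [(1, None), (6, 80)]}


@dataclass
class Verdict:
    vni: int
    matched_vni_object: Optional[str]
    overlay_5tuple: Optional[Tuple[str, str, int, Optional[int]]]
    action: str  # "permit", "deny" or "bypass"


def vni_object_for(vni: int, profile=PROFILE) -> Optional[str]:
    """Return the profile's VNI object covering `vni`, or None (=> bypass)."""
    for name in profile["vni"]:
        for low, high in VNI_OBJECTS[name]:
            if low <= vni <= high:
                return name
    return None


def parse_vxlan(payload: bytes) -> Tuple[int, bytes]:
    """Parse the 8-byte VXLAN header; return (vni, inner Ethernet frame)."""
    if len(payload) < 8:
        raise ValueError("short VXLAN header")
    if not payload[0] & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    vni = int.from_bytes(payload[4:7], "big")  # 24-bit VNI + 1 reserved byte
    return vni, payload[8:]


def parse_inner(frame: bytes):
    """Return (src, dst, proto, dst_port) from an inner Ethernet/IPv4 frame."""
    if len(frame) < 14 + 20:
        raise ValueError("short inner frame")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None  # only IPv4 is modelled here
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    dport = None
    if proto in (6, 17) and len(ip) >= ihl + 4:
        dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
    return src, dst, proto, dport


def inspect(udp_payload: bytes, profile=PROFILE) -> Verdict:
    """Decide what the policy set would do with one VXLAN-encapsulated packet."""
    vni, inner = parse_vxlan(udp_payload)
    obj = vni_object_for(vni, profile)
    if obj is None:
        return Verdict(vni, None, None, "bypass")  # VNI not covered by profile
    five = parse_inner(inner)
    if five is None:
        return Verdict(vni, obj, None, "deny")     # default-policy deny-all
    _, _, proto, dport = five
    for p_proto, p_port in POLICY_SET[profile["policy_set"]]:
        if proto == p_proto and (p_port is None or p_port == dport):
            return Verdict(vni, obj, five, "permit")
    return Verdict(vni, obj, five, "deny")


def build_packet(vni: int, proto: int, dport: int = 0) -> bytes:
    """Constructed input: VXLAN header + minimal inner Ethernet/IPv4/L4 header."""
    vxlan = bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"
    ipv4 = (bytes([0x45, 0]) + (28).to_bytes(2, "big") + b"\x00\x00\x40\x00"
            + bytes([64, proto]) + b"\x00\x00" + bytes([10, 1, 1, 10]) + bytes([10, 2, 2, 20]))
    l4 = (1234).to_bytes(2, "big") + dport.to_bytes(2, "big") + b"\x00" * 4
    return vxlan + eth + ipv4 + l4


if __name__ == "__main__":
    for vni, proto, port in [(170, 6, 80), (170, 6, 443), (155, 1, 0), (250, 6, 80)]:
        print(inspect(build_packet(vni, proto, port)))
```

Running the block shows the three outcomes a packet can have: HTTP on VNI 170 is permitted by pset1, HTTPS on the same VNI is dropped by the default deny, and anything on VNI 250 is a bypass because no vni object under ins-pf1 covers it, which is the case to watch for when VNI ranges are added to the fabric without updating the profile.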
Results
From operational mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it. The sample output below was captured from a device with a larger policy configuration than the one in this example, so the zone pairs, address sets, and policy names differ from those configured above; what to check for is that the policies permitting junos-vxlan exist in both directions of the zone pair and that the policy sets appear after the zone-pair policies.
user@host> show security policies
node0:
--------------------------------------------------------------------------
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: untrust
  Policy: p1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: as0
    Destination addresses: as1
    Applications: junos-icmp-ping, junos-icmp6-echo-request, junos-ftp, junos-dns-udp, junos-dns-tcp, junos-telnet, junos-http, junos-https, my_app_tcp, my_app_udp
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log
  Policy: vxlan1, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: as0
    Destination addresses: as1
    Applications: junos-vxlan
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log
  Policy: vxlan12, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 3, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: as0
    Destination addresses: as1
    Applications: junos-vxlan
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log
  Policy: vxlan13, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 4, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: as0
    Destination addresses: as1
    Applications: junos-vxlan
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log
From zone: trust, To zone: dmz
  Policy: vxlan, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: as0
    Destination addresses: as2
    Applications: app_set1
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log
From zone: dmz, To zone: trust
  Policy: vxlan, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: as2
    Destination addresses: as0
    Applications: app_set1
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log
From zone: untrust, To zone: trust
  Policy: up2, State: enabled, Index: 10, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: as1
    Destination addresses: as0
    Applications: junos-icmp-ping, junos-icmp6-echo-request, junos-telnet, junos-ftp, junos-dns-udp, junos-dns-tcp, junos-http, junos-https, my_app_udp, my_app_tcp
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log
  Policy: vxlan, State: enabled, Index: 11, Scope Policy: 0, Sequence number: 2, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: as1
    Destination addresses: as0
    Applications: junos-vxlan
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log
  Policy: vxlan2, State: enabled, Index: 12, Scope Policy: 0, Sequence number: 3, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: as1
    Destination addresses: as0
    Applications: junos-vxlan
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log
  Policy: vxlan3, State: enabled, Index: 13, Scope Policy: 0, Sequence number: 4, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: as1
    Destination addresses: as0
    Applications: junos-vxlan
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log
From zone: pset2, To zone: pset2
  Policy: pset2_p2, State: enabled, Index: 20, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    From zones: any
    To zones: any
    Source vrf group: any
    Destination vrf group: any
    Source addresses: ts1
    Destination addresses: ts0
    Applications: junos-http, junos-https, junos-ftp, junos-dns-tcp, junos-dns-udp, junos-icmp-ping, junos-icmp6-echo-request, junos-telnet, my_app_tcp, my_app_udp
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log
From zone: pset3, To zone: pset3
  Policy: pset3_p5, State: enabled, Index: 21, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    From zones: any
    To zones: any
    Source vrf group: any
    Destination vrf group: any
    Source addresses: ts1
    Destination addresses: ts0
    Applications: junos-http, junos-https, junos-ftp, junos-dns-tcp, junos-dns-udp, junos-icmp-ping, junos-icmp6-echo-request, junos-telnet, my_app_tcp, my_app_udp
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log
From zone: pset1, To zone: pset1
  Policy: gp3, State: enabled, Index: 22, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    From zones: untrust
    To zones: trust
    Source vrf group: any
    Destination vrf group: any
    Source addresses: ts1
    Destination addresses: ts0
    Applications: junos-ping, junos-telnet, junos-ftp, junos-http, junos-https, my_app_udp, my_app_tcp
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log
If you are done configuring the feature on your device, enter commit from configuration mode.
Verification
Verify tunnel inspection profiles and VNI
Purpose
Verify that the tunnel inspection profile and the VNI objects are configured.
Action
From operational mode, enter the show security tunnel-inspection profiles ins-pf1 and show security tunnel-inspection vnis commands.
user@host> show security tunnel-inspection profiles ins-pf1
node0:
--------------------------------------------------------------------------
Logical system: root-logical-system
  Profile count: 6
  Profile: ins-pf1
    Type: VXLAN
    Vxlan count: 1
    Vxlan name: vx1
      VNI count: 4
      VNI: r1, r2, r3, r5
    Policy set: pset1
    Inspection level: 1
user@host> show security tunnel-inspection vnis
node0:
--------------------------------------------------------------------------
Logical system: root-logical-system
  VNI count: 6
  VNI name: r1
    VNI id count: 1
      [160 - 200]
  VNI name: r2
    VNI id count: 1
      [155 - 155]
  VNI name: r3
    VNI id count: 1
      [300 - 399]
  VNI name: r4
    VNI id count: 1
      [100 - 110]
  VNI name: r5
    VNI id count: 1
      [100 - 120]
  VNI name: v1
    VNI id count: 1
      [1 - 100]
Meaning
The first output shows that profile ins-pf1 is of type VXLAN, contains one vxlan entry (vx1) that references the four VNI objects r1, r2, r3, and r5, and applies policy set pset1 to the overlay sessions. The second output lists every VNI object on the device with its ID range; a single vni-id is shown as a range with identical endpoints (r2 is [155 - 155]). Check that every VNI object referenced by the profile is present and that the ranges cover the VNIs you expect to inspect, because a VNI that falls outside these ranges is not matched by the policy set. Note that this output was taken from a device with additional VNI objects (r4) that are not part of the configuration in this example.
Verify Tunnel Inspection Statistics
Purpose
Verify that VXLAN tunnel inspection is creating underlay and overlay sessions and see how many packets bypass inspection.
Action
From operational mode, enter the show security flow tunnel-inspection statistics command to view the tunnel inspection statistics.
user@host> show security flow tunnel-inspection statistics
node0:
--------------------------------------------------------------------------
Flow Tunnel-inspection statistics:
  Tunnel-inspection statistics of FPC4 PIC1:
    Tunnel-inspection type VXLAN:
      overlay session active: 0
      overlay session create: 269
      overlay session close: 269
      underlay session active: 0
      underlay session create: 566
      underlay session close: 566
      input packets: 349717
      input bytes: 363418345
      output packets: 348701
      output bytes: 363226339
      bypass packets: 501
      bypass bytes: 50890
  Tunnel-inspection statistics of FPC4 PIC2:
    Tunnel-inspection type VXLAN:
      overlay session active: 0
      overlay session create: 270
      overlay session close: 270
      underlay session active: 0
      underlay session create: 586
      underlay session close: 586
      input packets: 194151
      input bytes: 200171306
      output packets: 193221
      output bytes: 199987258
      bypass packets: 617
      bypass bytes: 92902
  Tunnel-inspection statistics of FPC4 PIC3:
    Tunnel-inspection type VXLAN:
      overlay session active: 0
      overlay session create: 275
      overlay session close: 275
      underlay session active: 0
      underlay session create: 615
      underlay session close: 615
      input packets: 216486
      input bytes: 222875066
      output packets: 213827
      output bytes: 222460378
      bypass packets: 2038
      bypass bytes: 270480
  Tunnel-inspection statistics summary:
    Tunnel-inspection type VXLAN:
      overlay session active: 0
      overlay session create: 814
      overlay session close: 814
      underlay session active: 0
      underlay session create: 1767
      underlay session close: 1767
      input packets: 760354
      input bytes: 786464717
      output packets: 755749
      output bytes: 785673975
      bypass packets: 3156
      bypass bytes: 414272

node1:
--------------------------------------------------------------------------
Flow Tunnel-inspection statistics:
  Tunnel-inspection statistics of FPC4 PIC1:
    Tunnel-inspection type VXLAN:
      overlay session active: 0
      overlay session create: 269
      overlay session close: 269
      underlay session active: 0
      underlay session create: 566
      underlay session close: 566
      input packets: 0
      input bytes: 0
      output packets: 0
      output bytes: 0
      bypass packets: 0
      bypass bytes: 0
  Tunnel-inspection statistics of FPC4 PIC2:
    Tunnel-inspection type VXLAN:
      overlay session active: 0
      overlay session create: 270
      overlay session close: 270
      underlay session active: 0
      underlay session create: 586
      underlay session close: 586
      input packets: 0
      input bytes: 0
      output packets: 0
      output bytes: 0
      bypass packets: 0
      bypass bytes: 0
  Tunnel-inspection statistics of FPC4 PIC3:
    Tunnel-inspection type VXLAN:
      overlay session active: 0
      overlay session create: 275
      overlay session close: 275
      underlay session active: 0
      underlay session create: 615
      underlay session close: 615
      input packets: 0
      input bytes: 0
      output packets: 0
      output bytes: 0
      bypass packets: 0
      bypass bytes: 0
  Tunnel-inspection statistics summary:
    Tunnel-inspection type VXLAN:
      overlay session active: 0
      overlay session create: 814
      overlay session close: 814
      underlay session active: 0
      underlay session create: 1767
      underlay session close: 1767
      input packets: 0
      input bytes: 0
      output packets: 0
      output bytes: 0
      bypass packets: 0
      bypass bytes: 0
Meaning
The statistics are reported per PIC and as a summary, separately for each node of the chassis cluster. Underlay sessions are the outer VXLAN sessions (UDP port 4789) permitted by the zone policy that references the inspection profile; overlay sessions are the inner flows that were created and evaluated against policy set pset1. Because the create and close counters are equal, no sessions were active when the command was run. The bypass counters record VXLAN packets that were forwarded without overlay inspection, for example because their VNI is not covered by any VNI object in the profile; a growing bypass count on a VNI that should be inspected points to a gap in the VNI ranges. On node1 the session counters match node0 while the packet counters are zero, which is consistent with node1 being the backup node of an active/backup cluster: session state is synchronized to it, but it is not forwarding traffic.
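As an added example (Python, not Juniper's code and not part of the original page), the checks below parse the counters from the statistics output and flag the conditions a practitioner looks for: a summary that does not add up across PICs, active session counts that disagree with created minus closed, and PICs whose share of bypassed packets exceeds a threshold. The sample text is constructed from the node0 figures on this page; the 1% threshold and the interpretation of the bypass counter as packets forwarded without overlay inspection are assumptions for illustration.

```python
"""Added example (not Juniper's code): operational checks over the counters
printed by 'show security flow tunnel-inspection statistics'.

The SAMPLE text is constructed from the node0 figures on this page. The 1%
bypass threshold is a hypothetical choice.
"""
import re
from typing import Dict, List

SAMPLE = """\
Tunnel-inspection statistics of FPC4 PIC1: Tunnel-inspection type VXLAN:
overlay session active: 0 overlay session create: 269 overlay session close: 269
underlay session active: 0 underlay session create: 566 underlay session close: 566
input packets: 349717 input bytes: 363418345 output packets: 348701 output bytes: 363226339
bypass packets: 501 bypass bytes: 50890
Tunnel-inspection statistics of FPC4 PIC2: Tunnel-inspection type VXLAN:
overlay session active: 0 overlay session create: 270 overlay session close: 270
underlay session active: 0 underlay session create: 586 underlay session close: 586
input packets: 194151 input bytes: 200171306 output packets: 193221 output bytes: 199987258
bypass packets: 617 bypass bytes: 92902
Tunnel-inspection statistics of FPC4 PIC3: Tunnel-inspection type VXLAN:
overlay session active: 0 overlay session create: 275 overlay session close: 275
underlay session active: 0 underlay session create: 615 underlay session close: 615
input packets: 216486 input bytes: 222875066 output packets: 213827 output bytes: 222460378
bypass packets: 2038 bypass bytes: 270480
Tunnel-inspection statistics summary: Tunnel-inspection type VXLAN:
overlay session active: 0 overlay session create: 814 overlay session close: 814
underlay session active: 0 underlay session create: 1767 underlay session close: 1767
input packets: 760354 input bytes: 786464717 output packets: 755749 output bytes: 785673975
bypass packets: 3156 bypass bytes: 414272
"""

# Block headers: one per PIC plus the summary. Line breaks are irrelevant, so
# the parser also works on output that extraction has flattened onto one line.
BLOCK_RE = re.compile(r"Tunnel-inspection statistics (?:of (?P<pic>FPC\d+ PIC\d+)|summary):")
COUNTER_RE = re.compile(
    r"((?:overlay|underlay) session (?:active|create|close)"
    r"|(?:input|output|bypass) (?:packets|bytes)): (\d+)"
)


def parse_stats(text: str) -> Dict[str, Dict[str, int]]:
    """Return {'FPC4 PIC1': {counter: value, ...}, ..., 'summary': {...}}."""
    heads = list(BLOCK_RE.finditer(text))
    stats: Dict[str, Dict[str, int]] = {}
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        name = head.group("pic") or "summary"
        stats[name] = {k: int(v) for k, v in COUNTER_RE.findall(text[head.end():end])}
    return stats


def check(stats: Dict[str, Dict[str, int]], bypass_threshold: float = 0.01) -> List[str]:
    """Return a list of findings; an empty list means the counters look healthy."""
    findings: List[str] = []
    pics = {k: v for k, v in stats.items() if k != "summary"}
    for name, c in stats.items():
        # Active sessions should equal created minus closed; otherwise the
        # counters are inconsistent (or sessions are leaking).
        for layer in ("overlay", "underlay"):
            expected = c[f"{layer} session create"] - c[f"{layer} session close"]
            if c[f"{layer} session active"] != expected:
                findings.append(f"{name}: {layer} active != create - close")
        # Bypassed packets are VXLAN traffic that skipped overlay inspection.
        if c["input packets"]:
            ratio = c["bypass packets"] / c["input packets"]
            if ratio > bypass_threshold:
                findings.append(f"{name}: {ratio:.2%} of packets bypassed overlay inspection")
    # The summary block must be the sum of the per-PIC blocks.
    if "summary" in stats and pics:
        for key, total in stats["summary"].items():
            if sum(p[key] for p in pics.values()) != total:
                findings.append(f"summary: '{key}' does not equal the sum over PICs")
    return findings


if __name__ == "__main__":
    parsed = parse_stats(SAMPLE)
    print(parsed["summary"])
    print(check(parsed) or "no findings at 1% bypass threshold")
    print(check(parsed, bypass_threshold=0.005))
```

With the page's own numbers the counters add up and no PIC exceeds 1% bypass; lowering the threshold to 0.5% singles out FPC4 PIC3, whose 2038 bypassed packets out of 216486 are the largest share, which is the PIC to look at first when asking which VNIs are reaching the firewall without being covered by the profile.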