Overview of Segmentation in a Campus Fabric: IP Clos Network
About This Network Configuration Example
This network configuration example (NCE) describes how to configure a campus fabric: IP Clos network with segments for different logical groups.
Use Case Overview
Enterprise networks are undergoing massive transitions to accommodate the growing demand for cloud-ready networks and the plethora of IoT and mobile devices. As the number of devices grows, so does the complexity, along with a greater need for scalability and segmentation. To meet these challenges, you need a network with increased scalability and operational simplification. IP Clos networks provide both increased scalability and segmentation.
Benefits of Campus Fabric: IP Clos
With an increasing number of devices connecting to the network, you will need to scale your campus network rapidly without adding complexity. Many IoT devices have limited networking capabilities and require Layer 2 adjacency across buildings and campuses. Traditionally, this problem was solved by extending VLANs across buildings and campuses using data plane flood and learn. This approach is inefficient because it uses excessive network bandwidth. It is also difficult to manage because you need to configure and manually manage VLANs in order to extend them to new network ports. The problem grows many times over when you take into consideration the explosive growth of IoT and mobile devices.
The benefit of an IP Clos network is that you can easily connect a large number of switches into a single campus fabric. IP Clos extends the EVPN fabric to connect VLANs across multiple buildings by stretching the Layer 2 VXLAN network. You can use an IP Clos network from the distribution and core layers to the access layers of your topology.
An EVPN-VXLAN network solves these issues and provides the following benefits:
Reduced flooding and learning—Control plane-based Layer 2/Layer 3 learning reduces the flood and learn issues associated with data plane learning. Learning MAC addresses in the forwarding plane has an adverse impact on network performance as the number of endpoints grows. The EVPN control plane handles the exchange and learning of routes, so newly learned MAC addresses are not exchanged in the forwarding plane.
Scalability—Faster control plane-based Layer 2/Layer 3 learning allows the EVPN-VXLAN network to scale up to support a larger number of mobile devices.
Consistent network—A universal EVPN-VXLAN-based architecture across campuses and data centers means a consistent end-to-end network for endpoints and applications. In addition, you can enable microsegmentation and macrosegmentation with EVPN-VXLAN to minimize Layer 2 flooding, reduce security threats, and simplify the network.
Location-agnostic connectivity—The EVPN-VXLAN campus architecture provides a consistent endpoint experience no matter where the endpoint is located. Some endpoints require Layer 2 reachability, such as legacy building security systems or IoT devices. The Layer 2 VXLAN overlay provides Layer 2 reachability across campuses without any changes to the underlay network. With our standards-based network access control integration, an endpoint can be connected anywhere in the network.
The campus fabric, with an EVPN-VXLAN architecture, decouples the overlay network from the underlay network. This approach addresses the needs of the modern enterprise network by allowing network administrators to create logical Layer 2 networks across different Layer 3 networks. By configuring different routing instances, you can create separate virtual networks and each routing instance will have its own separate routing and switching table.
VXLAN is the overlay data plane encapsulation protocol that tunnels Ethernet frames between network endpoints over the Layer 3 IP network. Devices that perform VXLAN encapsulation and decapsulation for the network are referred to as VXLAN tunnel endpoints (VTEPs). Before a VTEP sends a frame into a VXLAN tunnel, it wraps the original frame in a VXLAN header that includes a virtual network identifier (VNI). The VNI maps the packet to the original VLAN at the ingress switch. After applying the VXLAN header, the VTEP encapsulates the frame in a UDP/IP packet (UDP destination port 4789) for transmission to another VTEP over the IP network. The VXLAN header itself provides no authentication or encryption of the inner frame, so segmentation in the overlay depends on the underlay and the VTEPs being trustworthy.
A campus fabric with EVPN-VXLAN is a more modern and scalable network that uses a BGP or OSPF underlay from the core to the access layer switches. The access layer switches are VTEPs that encapsulate and decapsulate the VXLAN traffic. In addition, the VTEPs route packets in and out of VXLAN tunnels.
Figure 1 shows a campus fabric: IP Clos network with Juniper EX4300-MP, EX4650, EX9200, and QFX5120 switches.
Segmentation in the Campus Fabric
Network architects need to apply a combination of microsegmentation, macrosegmentation, and application segmentation techniques to secure data and assets.
Macrosegmentation is the logical separation of the network across shared links and within a shared device. You implement macrosegmentation with VLANs and virtual routing and forwarding (VRF) routing instances. VLANs create separate virtual networks (VNs) at Layer 2, while VRFs give each VN its own routing table so that IP traffic is isolated at Layer 3. Figure 2 shows two VRFs in a campus fabric with segmentation: an employee VRF for the employee VN and an IoT VRF for the IoT VN. With separate VRFs there is no direct path between the employee and IoT networks; the employee VRF keeps traffic within the employee VN and the IoT VRF keeps traffic within the IoT VN. The two forwarding domains cannot communicate unless you deliberately connect them, for example by leaking routes between the VRFs or by passing traffic through a firewall attached to both. Within a VN, static and dynamic VLAN assignment together with firewall filters limit lateral east-west communication.
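The two-VRF design described above, as an added configuration example that is not part of this NCE. It shows the employee and IoT VRFs as EVPN-VXLAN Layer 3 instances (type-5 routes) on a VTEP switch, each owning one VLAN, one VNI, and one IRB gateway. The instance names, VLAN IDs, VNIs, route distinguisher, route targets, and IP addresses are assumptions chosen for the example; the underlay and the EVPN overlay BGP sessions are assumed to be configured already.

```junos
/* Added example: one VRF per logical group. Names, IDs, VNIs,
   route targets and addresses are assumptions for this example. */
routing-instances {
    EMPLOYEE-VRF {
        instance-type vrf;
        interface irb.100;
        route-distinguisher 192.168.255.1:100;
        vrf-target target:65000:100;
        protocols {
            evpn {
                /* Advertise the employee subnet as EVPN type-5 routes
                   so other VTEPs route it inside the same VRF only */
                ip-prefix-routes {
                    advertise direct-nexthop;
                    encapsulation vxlan;
                    vni 90100;
                }
            }
        }
    }
    IOT-VRF {
        instance-type vrf;
        interface irb.200;
        route-distinguisher 192.168.255.1:200;
        vrf-target target:65000:200;
        protocols {
            evpn {
                ip-prefix-routes {
                    advertise direct-nexthop;
                    encapsulation vxlan;
                    vni 90200;
                }
            }
        }
    }
}
vlans {
    /* Each VLAN is one Layer 2 VN; its VNI stretches it across the fabric */
    EMPLOYEE {
        vlan-id 100;
        l3-interface irb.100;
        vxlan {
            vni 10100;
        }
    }
    IOT {
        vlan-id 200;
        l3-interface irb.200;
        vxlan {
            vni 10200;
        }
    }
}
interfaces {
    irb {
        /* The IRB is the default gateway of its VN and lives only in its VRF */
        unit 100 {
            family inet {
                address 10.10.100.1/24;
            }
        }
        unit 200 {
            family inet {
                address 10.20.200.1/24;
            }
        }
    }
}
```

After commit, `show route table IOT-VRF.inet.0` lists only the IoT subnet and the type-5 prefixes received with target:65000:200; the employee subnet 10.10.100.0/24 does not appear there, so an IoT host has no route toward employee hosts. Any inter-VRF reachability that is later required has to be added explicitly (route leaking or a firewall connected to both VRFs), which keeps the exception visible in the configuration.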
Microsegmentation addresses critical network protection issues, reduces risk, and adapts security to changing demands. The three traditional microsegmentation practices are host-agent segmentation, hypervisor segmentation, and network segmentation. Juniper Networks supports microsegmentation through access control lists (ACLs), called firewall filters in Junos OS, to control intra-VN traffic. A firewall filter is an ordered set of terms that define whether to accept, discard, or forward the packets transiting an interface on a Juniper Networks EX Series Ethernet Switch. You can configure and apply firewall filters to control traffic before it enters or exits a port, a VLAN, or a Layer 3 (routed) interface. Firewall filters restrict east-west traffic between devices in a VLAN; for example, you can create a firewall filter that confines video camera traffic to the IoT VLAN and IoT VRF. Firewall filters on EX Series switches are stateless: a term that accepts a request does not implicitly accept the reply, so both directions of each permitted flow must be matched. Application segmentation uses higher-layer controls to isolate one application tier from another, protecting an application from other applications and resources. You can use microsegmentation to implement application segmentation with greater visibility and granularity.
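The video camera case mentioned above, as an added configuration example that is not part of this NCE: a stateless `family ethernet-switching` filter applied on ingress to the IoT VLAN that lets cameras stream to a network video recorder and reach their gateway, but drops every other host-to-host flow inside the subnet. The subnet, the NVR address, the gateway address, the RTSP port and the filter, term and counter names are assumptions chosen for the example.

```junos
/* Added example: east-west filter for the IoT VLAN. Subnet, NVR and
   gateway addresses, port and names are assumptions for this example. */
firewall {
    family ethernet-switching {
        filter IOT-EAST-WEST {
            /* Cameras may open RTSP (TCP 554) sessions to the NVR only */
            term camera-to-nvr {
                from {
                    ip-source-address 10.20.200.0/24;
                    ip-destination-address 10.20.200.50/32;
                    ip-protocol tcp;
                    destination-port 554;
                }
                then accept;
            }
            /* The filter is stateless, so the NVR's replies need their own term */
            term nvr-to-camera {
                from {
                    ip-source-address 10.20.200.50/32;
                    ip-destination-address 10.20.200.0/24;
                    ip-protocol tcp;
                    source-port 554;
                }
                then accept;
            }
            /* Endpoints must still reach, and hear from, the gateway on irb.200 */
            term to-gateway {
                from {
                    ip-destination-address 10.20.200.1/32;
                }
                then accept;
            }
            term from-gateway {
                from {
                    ip-source-address 10.20.200.1/32;
                }
                then accept;
            }
            /* Any other host-to-host traffic inside the subnet is lateral
               movement: count it for monitoring, then drop it silently */
            term deny-intra-vlan {
                from {
                    ip-source-address 10.20.200.0/24;
                    ip-destination-address 10.20.200.0/24;
                }
                then {
                    count iot-lateral-drops;
                    discard;
                }
            }
            /* Traffic bound for other subnets is accepted here; it is then
               routed inside IOT-VRF and cannot cross into another VRF */
            term default-accept {
                then accept;
            }
        }
    }
}
vlans {
    IOT {
        forwarding-options {
            filter {
                input IOT-EAST-WEST;
            }
        }
    }
}
```

Non-IP frames such as ARP match none of the IP terms and reach `default-accept`, as does a DHCP discover (source 0.0.0.0, destination 255.255.255.255). If a DHCP or DNS server sits inside the IoT subnet rather than behind the gateway, add a term for it ahead of `deny-intra-vlan`, otherwise its unicast replies are dropped. Check the drop counter with `show firewall filter IOT-EAST-WEST`; a rising count on a port that should only host cameras is an early indicator of scanning or a compromised device.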
Network Access Control in the Campus Fabric
You can also use VLANs and firewall filters to control network access, separate end devices into groups, and limit access to the LAN. You can use dynamic profiles with RADIUS to dynamically create logical VLAN interfaces for a routing instance with 802.1X authentication. When DHCP clients in the same VLAN become active, the corresponding interfaces are assigned to the specified routing instance. You can then attach filters to the static interfaces by using dynamic profiles and by specifying a variable for the input and output filters. Dynamic profiles use RADIUS vendor-specific attributes (VSAs) for ingress and egress policies.
Juniper Networks EX Series Ethernet Switches and Aruba ClearPass Policy Manager work together to authenticate wired endpoints that connect to the switches. Enterprises typically have a variety of users and endpoints, which means that the policy infrastructure must address multiple use cases. Endpoints may use different authentication methods, such as 802.1X authentication, MAC RADIUS authentication, or captive portal authentication. Once devices are authenticated, you can apply different policies based on the type of device, the authorization level, or both, to achieve segmentation dynamically. Device profiling on a RADIUS server such as Aruba ClearPass can help determine the type of endpoint being authenticated (for example, an access point, an IoT device, or a smart security device) and use that information to enforce the appropriate access policy. Because MAC RADIUS authentication identifies an endpoint only by its MAC address, which can be spoofed, pair it with device profiling and a restrictive VLAN and filter assignment rather than treating it as proof of identity.
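The dynamic assignment described above, as an added configuration example that is not part of this NCE: an access port running 802.1X with MAC RADIUS fallback for headless IoT endpoints, where the RADIUS server places the authenticated endpoint into a VLAN and optionally installs a per-session filter. The server address, shared secret, source address, interface name, VLAN names and IDs, and the RADIUS attribute values shown in the comment are assumptions chosen for the example.

```junos
/* Added example: 802.1X with MAC RADIUS fallback on one access port, with
   the VLAN and filter assigned by the RADIUS server. Server, secret,
   interface and VLAN names/IDs are assumptions for this example. */
access {
    radius-server {
        10.0.0.5 {
            secret "replace-with-shared-secret";
            source-address 192.168.255.1;
        }
    }
    profile CLEARPASS {
        authentication-order radius;
        radius {
            authentication-server 10.0.0.5;
            accounting-server 10.0.0.5;
        }
    }
}
protocols {
    dot1x {
        authenticator {
            authentication-profile-name CLEARPASS;
            interface ge-0/0/10 {
                /* Authenticate each MAC on the port separately */
                supplicant multiple;
                /* Endpoints without an 802.1X supplicant are authenticated
                   by MAC address once the EAP exchange times out */
                mac-radius;
                reauthentication 3600;
                /* Never fail open: park the port if the server is unreachable
                   or rejects the endpoint */
                server-fail vlan-name QUARANTINE;
                server-reject-vlan QUARANTINE;
            }
        }
    }
}
/* The RADIUS Access-Accept carries the segment decision, for example:
   Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802,
   Tunnel-Private-Group-Id = "IOT"          (VLAN name or ID for the session)
   and, optionally, the Juniper VSA
   Juniper-Switching-Filter = "Match Destination-ip 10.10.100.0/24, Action deny"
   which installs a per-session filter on the port. */
vlans {
    IOT {
        vlan-id 200;
    }
    QUARANTINE {
        vlan-id 999;
    }
}
```

With this configuration the port itself carries no static VLAN policy; the segment an endpoint lands in is decided per session by the RADIUS server from its profiling result, and an unprofiled or rejected device ends up in QUARANTINE rather than on an open port. Use `show dot1x interface ge-0/0/10 detail` to confirm the VLAN and filter that were applied to each authenticated MAC.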