ON THIS PAGE
Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN
SUMMARY VXLAN-GBP
Overview
You can achieve micro and macro segmentation, for example to secure data and assets, in a VXLAN architecture using Group Based Policy (GBP). VXLAN-GBP works by leveraging reserved fields in the VXLAN header for use as a Scalable Group Tag (SGT), which you can then use as match conditions in firewall filter rules. Using a SGT is more robust than using port or MAC addresses to achieve similar results. SGTs can be assigned statically (by configuring the switch on a per port or per MAC basis), or they can be configured on the RADIUS server and pushed to the switch via 802.1X when the user is authenticated.
The segmentation enabled by VXLAN-GBP is especially useful in campus VXLAN environments because it gives you a practical way to create network access policies that are independent of the underlying network topology. It simplifies the design and implementation phases of developing network-application and endpoint-device security policies.
You can find more detailed information on the VXLAN-GBP standard in the IEEE RFC, I-D.draft-smith-vxlan-group-policy. For the purposes of this example, suffice to say, VXLAN-GBP leverages reserved fields in the VXLAN header as Scalable Group Tag, as shown in the illustration.
Assigning SGTs with a RADIUS Server
In this example we configure SGTs on a RADIUS server, and then use 802.1X access control on the EX4400 to receive them. RADIUS servers are commonly used in campus environments for access control and, for example, to govern the assignment of VLANs.
To accommodate the use of SGTs on the RADIUS server, we need to leverage vendor specific attribute (VSA), as supported by the AAA service framework (these VSA are carried as part of the standard RADIUS request reply message, and provide a built-in extension to handle implementation-specific information such as our SGTs). The exact syntax on the RADIUS server varies according to whether the authentication scheme is MAC or EAP based. For MAC based clients, the configuration looks like this:
001094001199 Cleartext-Password := "001094001199" Juniper-Switching-Filter = "apply action gbp-tag 100"
For EAP based clients, the SGT is pushed from RADIUS server at the time of authentication. The configuration looks like this:
PermEmp01 Auth-Type = EAP, Cleartext-Password := "gbp" Juniper-Switching-Filter = "apply action gbp-tag 100"
Starting with Junos Release 21.1R1, EX4400 switches introduce a new match criteria for use with VXLAN-GBP that allows the firewall to recognize the SGT tags that get passed by the RADIUS server and inserted into the VXLAN header.
You can see how this works in the following code samples. GBP firewall policies are framed on the basis of source and destination GBP tags. A source tag is the 16-bit field in the VXLAN header in the incoming packet, while the destination tag is derived at the egress tunnel endpoint, according to the configured tag assignment.
Let's say we have an egress end point with the configuration shown below. Packets
from source MAC address 00:01:02:03:04:10:10 are assigned the
tag 100, and packets from source MAC address 00:01:02:03:04:20:20
are assigned 200.
set firewall family ethernet-switching filter assign_tag term tag100 from source-mac-address 00:01:02:03:04:10:10 set firewall family ethernet-switching filter assign_tag term tag100 then gbp-src-tag 100 set firewall family ethernet-switching filter assign_tag term tag200 from source-mac-address 00:01:02:03:04:20:20 set firewall family ethernet-switching filter assign_tag term tag200 then gbp-src-tag 200
For packets with GBP tag 100 and a destination MAC address of
00:01:02:03:04:10:10, the destination group tag
(gbp-dst-tag) will be 100, and it will match on term
t10-100. Likewise, for packets with GBP tag 100 and a
destination MAC address of 00:01:02:03:04:20:20, the
destination group tag will be 200, and it will match term
t10-200.
set firewall family ethernet-switching filter gbp-policy term t10-100 from gbp-src-tag 100 set firewall family ethernet-switching filter gbp-policy term t10-100 from gbp-dst-tag 100 set firewall family ethernet-switching filter gbp-policy term t10-100 then accept set firewall family ethernet-switching filter gbp-policy term t10-200 from gbp-src-tag 100 set firewall family ethernet-switching filter gbp-policy term t10-200 from gbp-dst-tag 200 set firewall family ethernet-switching filter gbp-policy term t10-200 then discard
The same tag assignment used to map the source MAC address to the source tag is also used to map the destination MAC address to the destination tag. This is true for port based assignments as well.
Let's look at another code sample, this time using a GBP source tag of 300, and
with packets ingressing interface ge-0/0/30.0. As you can see
below, GBP source tag 300 is assigned and in egress direction, and 300 is also
GBP destination group tag.
set firewall family ethernet-switching filter assign_tag term tag300 from interface ge-0/0/30.0 set firewall family ethernet-switching filter assign_tag term tag300 then gbp-src-tag 300
Note that you need to configure the GBP firewall filter on the egress switch, because there is no way for the ingress switch to know what group tags are used at the egress switch. In addition, you must enable VXLAN-GBP globally on the ingress node, so it can perform the look-up on the matches and add SGT in the VXLAN header, and also on the egress node. Do this with the configuration command shown here:
set chassis forwarding-options vxlan-gbp-profile
Before creating any rules, it can be helpful to organize your scheme by creating a table for all your endpoints (users and devices) and the assigned SGT value. Here, we show one such table, the values of which will later be applied in a matrix, that can be used to further simplify the logic and clarify your rules.
|
Endpoint |
Assigned SGT value |
|---|---|
|
Permanent Employee (PE) |
100 |
|
Contractor (CON) |
200 |
|
Security Staff (SS) |
300 |
|
Security Cam (CAM) |
400 |
|
Engineering Server (ES) |
500 |
The relationship between the RADIUS server and SGTs, the EX4400 and VXLAN packet headers, and a central firewall filter to manage the access policy, is such that a matrix becomes a handy way to organize the values. In the following table, we list user roles down the first column and device types across the first row to create an access matrix. Each user role and device type is assigned a SGT and the RADIUS configuration has been updated with the information.
This example uses three types of employees, Permanent Employee (PE), Contractor (CON), and Security Staff (SS). It also uses two types of resources, Eng Server (ES) and security camera (CAM). We use Y to indicate access is permitted, and N to shown when access is blocked. The table serves as a useful resource when creating the various firewall rules in the policy and makes access mapping simple and clear.
| ES (SGT 500) | CAM (SGT 400) | PE (SGT 100) | CON (SGT 200) | SS (SGT 300) | |
|---|---|---|---|---|---|
| PE (SGT 100) | Y | N | Y | Y | N |
| CON (SGT 200) | N | N | Y | N | N |
| SS (SGT 300) | N | Y | N | N | Y |
Topology
For the sake of simplicity, all the configuration in this example is done on a single Juniper EX4400 series switch running Junos OS Release 21.1R1. The switch is connected to a RADIUS server for AAA. This switch functions as egress in this example. Recall that for SGTs you must define the firewall on the egress switch, whereas you would typically do it on the ingress VXLAN gateway for the access layer.
Requirements
VXLAN-GBP is supported in Junos OS Release 21.1R1 on the following switches: EX4400-24P, EX4400-24T, EX4400-48F, EX4400-48P, and EX4400-48T.
Configuration
We can summarize the sequence of events underlying VXLAN-GBP based segmentation, laid out in the paragraphs above, as follows:
- Users log on to the network and are authenticated by the RADIUS server (on which SGTs are configured for all the endpoints).
- Using firewall filters, the EX4400 selects traffic on the basis of the 802.1X
authentication or MAC address, and then assigns a group tag to matching frames.
(for dot1x authenticated clients, the static firewall configuration is not
needed). The mechanics of this are performed using firewall policy, as shown
here:
set firewall family ethernet-switching filter name term name from source-mac-address MAC-Addr
set firewall family ethernet-switching filter name term name then gbp-src-tag PE-GRP
- Tagged traffic passing through the EX4400 is evaluated on the basis SGT values,
again, using the mechanics of the firewall filter. For this to happen, you first
need to enable
chassis forwarding-options vxlan-gbp-profileon the switch, then you use thegbp-dst-tagand/orgbp-src-tagmatch conditions to write your firewall rules, and include them in the routing policy on the egress switch you use for GBP microsegmentation.
Configuring a Stand-Alone Juniper EX4400 Switch for VXLAN-GBP
Use the following commands to configure VXLAN-GBP segmentation in a sandbox environment. Typically, you would create the firewall filter rules on the switch that serves as the (egress) VXLAN gateway for the access layer, but for the sake of simplicity, we’re using the same stand-alone EX4400 for both the firewall filter rules and the RADIUS server (EAP, here). The values we use in this example are taken from the previous tables.
The commands below include variables such as profile names and IP addresses, which must be adapted to make sense for your test environment.
- Configure the radius
server:
set groups dot1xgbp access radius-server 10.204.96.102 port 1812 set groups dot1xgbp access radius-server 10.204.96.102 secret “secret key" set groups dot1xgbp access profile radius_profile_dev12 authentication-order radius set groups dot1xgbp access profile radius_profile_dev12 radius authentication-server 10.204.96.102 set groups dot1xgbp access profile radius_profile_dev12 radius accounting-server 10.204.96.102 set groups dot1xgbp access profile radius_profile_dev12 accounting order radius
- Configure the physical ports to support RADIUS
authentication:
set groups dot1xgbp protocols dot1x authenticator authentication-profile-name radius_profile_dev12 set groups dot1xgbp protocols dot1x authenticator interface xe-0/0/46.0 supplicant multiple set groups dot1xgbp protocols dot1x authenticator interface xe-0/0/46.0 mac-radius
- Set up the SGT tags on the RADIUS
server:
Contractor01 Auth-Type = EAP, Cleartext-Password := "gbp" Juniper-Switching-Filter = "apply action gbp-tag 100" Contractor01 Auth-Type = EAP, Cleartext-Password := "gbp" Juniper-Switching-Filter = "apply action gbp-tag 200" SecurityStaff01 Auth-Type = EAP, Cleartext-Password := "gbp" Juniper-Switching-Filter = "apply action gbp-tag 300" SecurityCam01 Auth-Type = EAP, Cleartext-Password := "gbp" Juniper-Switching-Filter = "apply action gbp-tag 400" EngServer01 Auth-Type = EAP, Cleartext-Password := "gbp" Juniper-Switching-Filter = "apply action gbp-tag 500"
- Enable VXLAN-GBP on the
switch:
set chassis forwarding-options vxlan-gbp-profile
- Create Firewall filter rules that leverage the SGTs (using values organized
in the
matrix):
set groups gbp-policy firewall family ethernet-switching filter gbp-policy term pe-to-pe from gbp-src-tag 100 set groups gbp-policy firewall family ethernet-switching filter gbp-policy term pe-to-pe from gbp-dst-tag 100 set groups gbp-policy firewall family ethernet-switching filter gbp-policy term pe-to-pe then accept set groups gbp-policy firewall family ethernet-switching filter gbp-policy term pe-to-pe then count PE-PE set groups gbp-policy firewall family ethernet-switching filter gbp-policy term pe-to-es from gbp-src-tag 100 set groups gbp-policy firewall family ethernet-switching filter gbp-policy term pe-to-es from gbp-dst-tag 500 set groups gbp-policy firewall family ethernet-switching filter gbp-policy term pe-to-es then accept set groups gbp-policy firewall family ethernet-switching filter gbp-policy term pe-to-es then count PE-ES set groups gbp-policy firewall family ethernet-switching filter gbp-policy term pe-to-cam from gbp-src-tag 100 set groups gbp-policy firewall family ethernet-switching filter gbp-policy term pe-to-cam from gbp-dst-tag 400 set groups gbp-policy firewall family ethernet-switching filter gbp-policy term pe-to-cam then discard set groups gbp-policy firewall family ethernet-switching filter gbp-policy term pe-to-cam then count PE-CAM set groups gbp-policy firewall family ethernet-switching filter gbp-policy term con-to-cam from gbp-src-tag 200 set groups gbp-policy firewall family ethernet-switching filter gbp-policy term con-to-cam from gbp-dst-tag 400 set groups gbp-policy firewall family ethernet-switching filter gbp-policy term con-to-cam then discard set groups gbp-policy firewall family ethernet-switching filter gbp-policy term con-to-cam then count CON-CAM set groups gbp-policy firewall family ethernet-switching filter gbp-policy term con-to-es from gbp-src-tag 200 set groups gbp-policy firewall family ethernet-switching filter gbp-policy term con-to-es from gbp-dst-tag 500 set groups gbp-policy firewall family ethernet-switching filter gbp-policy term con-to-es then discard set groups gbp-policy firewall family ethernet-switching filter gbp-policy term con-to-es then count CON-ES set groups gbp-policy firewall family ethernet-switching filter gbp-policy term ss-to-cam from gbp-src-tag 300 set groups gbp-policy firewall family ethernet-switching filter gbp-policy term ss-to-cam from gbp-dst-tag 400 set groups gbp-policy firewall family ethernet-switching filter gbp-policy term ss-to-cam then accept set groups gbp-policy firewall family ethernet-switching filter gbp-policy term ss-to-cam then count SS-CAM set groups gbp-policy firewall family ethernet-switching filter gbp-policy term ss-to-es from gbp-src-tag 300 set groups gbp-policy firewall family ethernet-switching filter gbp-policy term ss-to-es from gbp-dst-tag 500 set groups gbp-policy firewall family ethernet-switching filter gbp-policy term ss-to-es then discard set groups gbp-policy firewall family ethernet-switching filter gbp-policy term ss-to-es then count SS-ES set apply-groups gbp-policy
- Run a commit check in Junos to verify that the commands and the variables
you used are valid. When satisfied with your configuration commit the
candidate configuration to make it active on the device. These commands are
shown below. You can also review your configuration by typing
run show configuration.commit check configuration check succeeds commit commit complete