Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Zero Trust Inline Segmentation

Zero Trust Inline Segmentation (ZTIS) extends GBP support to Mist access points (APs).

Starting in Junos OS Release 25.4R1, we support Zero Trust Inline Segmentation (ZTIS) on the EX4100, EX4400, EX4650, and QFX5120 switches listed in Supported GBP Platforms.

Zero Trust Inline Segmentation enables supported switches to learn GBP tags from Mist APs, allowing both wired and wireless clients to participate in GBP microsegmentation.

ZTIS GBP Messages

When you enable ZTIS on a supported switch, the switch learns GBP tag assignments from attached Mist APs through proprietary ZTIS GBP messages.

Table 1 shows the two types of ZTIS GBP messages:

Table 1: ZTIS GBP Messages
ZTIS GBP Message Type Description
ZTIS GBP update

A ZTIS GBP update message contains the mapping between a MAC address and a GBP tag. This can be a solicited or unsolicited message from the sender to convey a tag assignment to the receiver.

This can be a unicast or multicast message.

ZTIS GBP lookup

A ZTIS GBP lookup message is a request by the sender to obtain the GBP tag assignment from the receiver for the MAC address specified within the message.

This is a unicast message.

Note: ZTIS GBP update messages contain MAC-based GBP tag assignments only and ZTIS GBP lookup messages request MAC-based GBP tag assignments only.

Figure 1 shows the format of the ZTIS GBP messages. The messages are signed with a key to detect tampering.

Figure 1: ZTIS GBP Message Format ZTIS GBP Message Format

The following sections describe how these messages are used.

ZTIS Interface Roles

The ZTIS interface role determines how ZTIS GBP update and lookup messages are handled and propagated. You can configure the interface role explicitly or you can let the switch auto-detect the role on an interface.

Note:

If the interface role changes for any reason (for example, new configuration), the switch flushes its MAC address tables on that interface. MAC addresses will have to be relearned and GBP tag assignments rebuilt.

ZTIS Access-Point Role

The ZTIS access-point role describes an interface that connects a ZTIS-enabled access switch directly to a Mist AP. The Mist AP conveys GBP tag assignments across this link to the access switch through a ZTIS GBP message exchange.

Specifically, the Mist AP and the access switch behave as follows:

  • If a wireless client is assigned a GBP tag during authentication, the Mist AP sends a multicast ZTIS GBP update message containing the MAC-based GBP tag assignment to the upstream access switch. The destination multicast MAC address in the message is set to 5d:5b:35:ff:ff:01 and the source MAC address is set to the MAC address of the Mist AP.

    When the access switch receives this ZTIS GBP update message, the switch updates its MAC address tables and internal data structures with the specified MAC-based tag assignment.

  • If the ZTIS GBP update message is dropped or if the access switch reboots, the tag assignment is lost. In this situation, if the access switch receives a client data frame with a source MAC address that has no GBP tag assigned, the access switch sends a ZTIS GBP lookup message to the Mist AP asking for the missing tag assignment. The destination MAC address in the ZTIS GBP lookup message is set to the MAC address of the Mist AP. The source MAC address is set to a derivation of the chassis MAC address of the access switch.

    When the Mist AP receives this ZTIS GBP lookup message, the Mist AP looks up the specified MAC address to obtain the GBP tag. If the GBP tag exists, the Mist AP responds to the ZTIS GBP lookup message with a unicast ZTIS GBP update message containing the tag assignment. The destination unicast MAC address in the response is set to the MAC address of the access switch (a derivation of the chassis MAC address). The source MAC address is set to the MAC address of the Mist AP.

Figure 2 shows ZTIS in an EVPN-VXLAN network connecting wired and wireless clients. GBP tags for wired clients are assigned statically using the CLI or dynamically through RADIUS authentication as is usual. GBP tags for wireless clients are assigned through RADIUS authentication and the tag assignments are communicated from the Mist AP to upstream switches in ZTIS GBP update messages. The switch receiving the ZTIS GBP update messages configures its MAC address tables and internal data structures with the GBP tag assignments as if the GBP tags were assigned through the CLI or learned locally. Regular GBP tag processing then occurs. There is no restriction or limitation in functionality due to the tag being assigned through a ZTIS GBP message instead of the CLI.

Figure 2: Zero Trust Inline Segmentation in an EVPN-VXLAN Network Zero Trust Inline Segmentation in an EVPN-VXLAN Network

Although the above example shows ZTIS in an EVPN-VXLAN network, you can configure ZTIS in a pure L2 network as well. The ZTIS capability works independently from the underlying infrastructure.

Note: Be careful not to use the CLI to assign GBP tags that conflict with GBP tags learned through ZTIS GBP update messages. Unpredictable behavior occurs if the GBP tag that you assign to a MAC address through the CLI is different from the GBP tag that is learned for that same MAC address through ZTIS GBP update messages.

To configure a ZTIS access-point role on an interface:

  • set protocols unified-access-policy interface <name> (all supported releases)

    The role defaults to access-point when you don't explicitly specify a role.

  • set protocols unified-access-policy interface <name> access-point (Junos OS Release 26.2R1 and higher)

ZTIS Inter-Switch-Link Role

While the ZTIS access-point role describes the interface connecting to a Mist AP, the ZTIS inter-switch-link role describes the interface connecting to another ZTIS-enabled switch. This role is key to propagating MAC-based GBP tags across an L2 network of ZTIS-enabled switches.

Note: You must enable LLDP in order for ZTIS GBP messages to be sent and received across inter-switch links. LLDP allows neighboring ZTIS-enabled switches to discover each other.

Specifically, the ZTIS-enabled switches with the inter-switch-link role behave as follows:

  • Wireless - If an access switch receives a ZTIS GBP update message from a Mist AP, the access switch processes the message as described in ZTIS Access-Point Role and passes this multicast message out all inter-switch link interfaces. This message then propagates across all ZTIS-enabled switches where this tag assignment is learned.

  • Wired - If an access switch learns of a GBP tag assignment for a wired user (for example, through CLI configuration or RADIUS authentication), it creates a unicast ZTIS GBP update message containing that tag assignment and sends it out all inter-switch links to its ZTIS-enabled neighbors.

Passing ZTIS GBP update messages across the network in this manner allows access switches to enforce policy on both the source and destination GBP tags at the ingress. This feature, however, is limited to ZTIS-enabled switches in a pure L2 network.

Figure 3 shows how ZTIS GBP messages propagate over inter-switch links across a pure layer 2 network. GBP tags from both wired and wireless clients are propagated in this manner.

Figure 3: Zero Trust Inline Segmentation in a Pure Layer 2 Network Zero Trust Inline Segmentation in a Pure Layer 2 Network

To configure a ZTIS inter-switch-link role on an interface:

Auto-Detecting the Interface Role

Starting in Junos OS Release 26.2R1, you can configure the switch to auto-detect interface roles on specified ZTIS interfaces or on all ZTIS interfaces. Auto-detection leverages the use of LLDP to detect the device attached to the interface and configures the role based on the identity of that attached device.

Note: Auto-detection requires LLDP to be enabled on both ends of the link. Enable LLDP on the local interface and on the interface of the attached device.

If, through LLDP, the switch determines that the attached device is a Mist AP, then the switch configures the interface with the access-point role. If the switch determines that the attached device is a ZTIS-enabled switch, then the switch configures the interface with the inter-switch-link role.

If you configure auto-detection on an interface, but the switch cannot determine the identity of the attached device either because the attached device does not have LLDP enabled or because the attached device did not identify itself as a Mist AP or a ZTIS-enabled switch, then the interface remains a regular non-ZTIS interface. A regular non-ZTIS interface is simply a switch interface that is not configured for ZTIS and is displayed as a server side interface in the CLI.

The switch will not send unicast ZTIS GBP messages on a server side interface nor will it process any unicast ZTIS GBP messages received on that interface. However, it will continue to relay multicast messages to and from that interface as is appropriate for a switch. This means that multicast ZTIS GBP messages will still be propagated on that interface (but not otherwise acted upon or processed).

To configure a specific interface for auto-detection:

To configure all interfaces for auto-detection:

Note: Configuration on a specified interface overrides the interface all configuration for that interface. For example, in the below configuration, the specified interface statement prevails and ge-0/0/1 becomes an access-point interface:

ZTIS Configuration

Use this procedure to configure Zero Trust Inline Segmentation (ZTIS).
Note: Zero Trust Inline Segmentation is shown as unified-access-policy in the CLI.
  1. Enable ZTIS by configuring the key used to sign and verify ZTIS GBP messages.
    This key is used to sign and verify:
    • ZTIS GBP messages sent to and received from the Mist APs, and

    • ZTIS GBP messages sent and received on the ZTIS inter-switch links

    where <key> is the key used to sign and verify ZTIS GBP messages. This <key> must match the key you configure on the Mist APs and all the ZTIS-enabled switches.

  2. Configure the interface roles.
    1. Specify the ZTIS access-point interfaces. These interfaces connect the switch to a Mist AP.
      where <if-name> is the name of the interface that faces towards the Mist APs.
      Note: When you don't explicitly specify a role, the interface assumes the access-point role.
    2. Specify the ZTIS inter-switch-link interfaces. These interfaces connect ZTIS switches together in a pure layer 2 network.
      Note: Configure ZTIS inter-switch-link interfaces only for pure layer 2 networks.
      where <if-name> is the name of the inter-switch-link interface.

    Repeat this step to cover all applicable interfaces.

  3. Configure the source MAC address to use in ZTIS GBP messages if you have a multi-homed deployment.

    By default, the ZTIS-enabled switch uses a source MAC address that is derived from the chassis MAC address. This results in each ZTIS-enabled switch having a different source MAC address, which is the desired behavior in a single-homed deployment.

    In a multi-homed deployment, however, where a ZTIS-enabled access switch is connected to two ZTIS-enabled upstream switches, we want both connected upstream switches to appear as one for the purpose of the ZTIS GBP message exchange. In this latter situation, configure the same source MAC address on both connected upstream switches as follows:

    where <source-address> is the Ethernet source address you want to use for ZTIS GBP messages in this multi-homed scenario.
  4. Optionally, set the number of attempts to send the ZTIS GBP lookup messages.
    where <count> is the number of times to send the lookup message if there is no response. The default count is 3 (at non-configurable one-second intervals).
  5. After committing your configuration, check that you've configured the interfaces as intended.
    For example:
  6. Repeat for all ZTIS-enabled switches.

Use the GBP Pure L2 Profile

In some deployments, you may want to perform policy enforcement on access switches that are not L3 gateways. Perhaps you want to keep your access switches at layer 2 for simplicity and move the routing and gateway responsibility to a WAN router. This means that the access switches do not perform IP route lookups and cannot participate in L3 segmentation.

In this situation, if you enable the gbp-pure-l2-profile, we allow you to add a destination IP address/subnet match to your policy. This gives you the ability to support both L2 and L3 segmentation even on a pure L2 access switch.

Figure 4 shows GBP-enabled layer 2 access switches connected to a WAN router. The WAN router does not support EVPN-VXLAN and does not support GBP. However, even in this scenario, the access switch can still participate in L2 and L3 segmentation if you enable the gbp-pure-l2-profile and enforce policy on the combination of a local (source) GBP tag and a destination IP address/subnet.

Figure 4: Microsegmentation Using GBP Pure L2 Profile

This feature allows you to incorporate third-party WAN and core/distribution routers into your network and continue to support GBP microsegmentation. This is ideal for smaller sites where policy enforcement at the access layer simplifies design and reduces dependency on core infrastructure.

Table 2 and Table 3 show the supported GBP tag assignment and policy enforcement features with the gbp-pure-l2-profile. A pure layer 2 device only supports a subset of the tagging and enforcement features.

Table 2: GBP Tag Assignment with the GBP Pure L2 Profile
Tag Assignment Based On ... Support

MAC address only

Yes

Interface only

Yes

VLAN only

Yes1

Interface and VLAN

Yes1

IP address

No

IEEE 802.1X

Yes

1Not supported on EX4100 switches.
Table 3: GBP Policy Enforcement with the GBP Pure L2 Profile
Enforcement Support

Egress

Yes, with destination GBP tag

Ingress

Yes, with source GBP tag and destination IP address

L4 fields

Yes

Ingress with Tag Propagation

No

Explicit Default Discard

No

MAC/IP Inter-tagging

No

Filter-Based Forwarding

No

Below is an example of configuring GBP with the gbp-pure-l2-profile.

Note: Although this network use case does not require EVPN-VXLAN, you'll still need to create a VTEP (for historical reasons). Create the VTEP prior to starting this procedure. Here's an example of VTEP configuration. Change this to suit your network.For all VLANS:
  1. Configure the access switches for the gbp-pure-l2-profile.
    This not only sets the UFT table sizes appropriately for a pure L2 deployment, but it also allows you to create a policy enforcement filter that includes a destination IP address match (as shown in step 3).
  2. Configure ZTIS on the access switch connecting to the Mist AP. See ZTIS Configuration.
  3. Create a GBP policy enforcement filter.
    Augment the filter with a destination IPv4 address match. For example: