Configuring Security Policies for a VRF Routing Instance

Overview

A security policy is a set of statements that controls traffic from a specified source to a specified destination using a specified service. A policy permits, denies, or tunnels specified types of traffic unidirectionally between two points. Security policies enforce a set of rules for transit traffic, identifying which traffic can pass through the firewall and the actions taken on the traffic as it passes through the firewall. Actions for traffic matching the specified criteria include permit and deny.

When an SRX Series device receives a packet that matches the specifications, it performs the action specified in the policy.

Controlling Traffic in SD-WAN Architecture

In an SD-WAN, the SRX Series device can be configured in a hub and spoke location. You can permit or deny virtual routing and forwarding (VRF) based traffic that enters the device from overlay tunnels by applying firewall policies. You can configure the SRX Series device to permit or deny traffic that is sent to a VRF instance. Configuring the device at the hub location enables you to control all traffic at one location, and provide access to specific network services by applying firewall policies.

Each security policy consists of:

  • A unique name for the policy.

  • A from-zone and a to-zone, for example: user@host# set security policies from-zone GRE_Zone-GE_Zone to-zone GRE_Zone.

  • A set of match criteria defining the conditions that must be satisfied to apply the policy rule. The match criteria are based on a source IP address, destination IP address, and applications. The user identity firewall provides greater granularity by including an additional tuple, such as source-identity, as part of the policy statement.

  • A set of actions to be performed in case of a match—permit or deny.

  • A set of source VRF names.

  • A set of destination VRF names.

Note:

The configuration options for the source and destination VRF instances are optional. You can configure either the source VRF or a destination VRF, but we recommend that you do not configure both source VRF and destination VRF. The main reason for configuring the source VRF or destination VRF is to differentiate different MPLS labels going through a shared physical network interface.

Table 1 lists when to configure the source VRF and destination VRF.

Table 1: Recommendations for Configuring VRF Options

  Network Type from Source to Destination               Configure Source VRF   Configure Destination VRF   VRF Policy Differentiated By
  ----------------------------------------------------  ---------------------  --------------------------  ------------------------------
  IP network to IP network                              No                     No                          Zones
  IP network to MPLS network                            No                     Yes                         Destination VRF
  MPLS network to IP network                            Yes                    No                          Source VRF
  MPLS network to MPLS network without destination NAT  Yes                    No                          Source VRF
  MPLS network to MPLS network with destination NAT     Yes                    Yes                         Source VRF and Destination VRF

Understanding Security Policy Rules

A security policy applies security rules to the transit traffic within a context (from-zone to to-zone). Each policy is uniquely identified by its name. Traffic is classified by matching the source and destination zones, the source and destination addresses, the application, the source VRF, and the destination VRF that the traffic carries in its protocol headers against the policy database in the data plane.

Each policy is associated with the following characteristics:

  • A source zone

  • A destination zone

  • One or many source address names or address set names

  • One or many destination address names or address set names

  • One or many application names or application set names

  • One or many source VRF instances, that is, the VRF routing instance associated with an incoming packet

  • One or many destination VRF instances in which the MPLS next hop or destination address route is located

These characteristics are called the match criteria. Each policy also has actions associated with it: permit, deny, and reject. When you configure a policy, you must specify the match condition arguments: source address, destination address, application name, source VRF, and destination VRF.

You can configure either the source VRF or the destination VRF, but we do not recommend configuring both the source VRF and the destination VRF. The main reason for configuring the source VRF or destination VRF is to differentiate different MPLS labels going through a shared physical network interface. If neither the source VRF nor the destination VRF is configured, the device treats both the source and destination VRF as any.

Example: Configuring a Security Policy to Permit or Deny VRF-Based Traffic from MPLS Network to an IP Network

This example shows how to configure a security policy to permit traffic and deny traffic using the source VRF.

Requirements

Note:

An MPLS policy is configurable only when set security flow advanced-options overlapping-l3vpn is enabled. By default, this command is disabled.

Overview

In Junos OS, security policies enforce rules for transit traffic, in terms of what traffic can pass through the device and the actions that need to take place on the traffic as it passes through the device. In Figure 1, an SRX Series device is deployed in an SD-WAN to control traffic using the source VRF. Traffic from the MPLS network is sent to site A and site B of the IP network. As per the network requirement, site A traffic should be denied, and only site B traffic should be permitted.

This configuration example shows how to:

  • Deny traffic to VRF-a (from GRE_Zone-GE_Zone to GRE_Zone)

  • Permit traffic to VRF-b (from GRE_Zone-GE_Zone to GRE_Zone)

In this example, the source VRF is configured. We recommend that you configure the source VRF when the destination network points to the MPLS network.

Figure 1: Permitting or Denying VRF-Based Traffic from MPLS Network to an IP Network

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

  1. Layer 3 VPNs require a VRF table for distributing routes within the networks. Create a VRF instance and specify the value vrf.

  2. Assign a route distinguisher to the routing instance.

  3. Create a community policy to import or export all routes.

  4. Assign a single VPN label for all the routes in the VRF.

  5. Create a security policy to deny VRF-a traffic.

  6. Create a security policy to permit VRF-b traffic.

    Note:

    If no destination VRF is configured, the device treats the traffic as passing from VRF-a to any-vrf.
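The set-command sequence below carries steps 1 through 6 of this procedure end to end. It is an added example, not the configuration listing from the original page. It assumes the routing-instance names VRF-a and VRF-b, the zone names GRE_Zone-GE_Zone and GRE_Zone from the text, policy names deny-vrf-a and permit-vrf-b, and constructed route-distinguisher and route-target values. The `security l3vpn vrf-group` hierarchy and the `source-l3vpn-vrf-group` match keyword are assumed to be the VRF-matching statements on releases that support overlapping-l3vpn; confirm them with `?` completion on your release before committing. The `#` comment lines are for reading only and should be dropped before pasting into the CLI.

```junos
# Enable VRF-aware (MPLS) policy matching; this option is disabled by default.
set security flow advanced-options overlapping-l3vpn

# Steps 1-4: Layer 3 VPN routing instances for site A and site B
# (route distinguishers and route targets are constructed values).
set routing-instances VRF-a instance-type vrf
set routing-instances VRF-a route-distinguisher 65000:1
set routing-instances VRF-a vrf-target target:65000:1
set routing-instances VRF-a vrf-table-label
set routing-instances VRF-b instance-type vrf
set routing-instances VRF-b route-distinguisher 65000:2
set routing-instances VRF-b vrf-target target:65000:2
set routing-instances VRF-b vrf-table-label

# VRF groups that the policies reference (assumed hierarchy; verify on your release).
set security l3vpn vrf-group grp-a vrf VRF-a
set security l3vpn vrf-group grp-b vrf VRF-b

# Step 5: deny all traffic whose source VRF is VRF-a (site A).
# No destination VRF is given, so the destination side matches any-vrf.
set security policies from-zone GRE_Zone-GE_Zone to-zone GRE_Zone policy deny-vrf-a match source-address any
set security policies from-zone GRE_Zone-GE_Zone to-zone GRE_Zone policy deny-vrf-a match destination-address any
set security policies from-zone GRE_Zone-GE_Zone to-zone GRE_Zone policy deny-vrf-a match application any
set security policies from-zone GRE_Zone-GE_Zone to-zone GRE_Zone policy deny-vrf-a match source-l3vpn-vrf-group grp-a
set security policies from-zone GRE_Zone-GE_Zone to-zone GRE_Zone policy deny-vrf-a then deny

# Step 6: permit all traffic whose source VRF is VRF-b (site B).
set security policies from-zone GRE_Zone-GE_Zone to-zone GRE_Zone policy permit-vrf-b match source-address any
set security policies from-zone GRE_Zone-GE_Zone to-zone GRE_Zone policy permit-vrf-b match destination-address any
set security policies from-zone GRE_Zone-GE_Zone to-zone GRE_Zone policy permit-vrf-b match application any
set security policies from-zone GRE_Zone-GE_Zone to-zone GRE_Zone policy permit-vrf-b match source-l3vpn-vrf-group grp-b
set security policies from-zone GRE_Zone-GE_Zone to-zone GRE_Zone policy permit-vrf-b then permit
```

Policies are evaluated top to bottom within the GRE_Zone-GE_Zone to GRE_Zone context, and the VRF is an extra tuple on top of zone, address, and application. Because a policy with no source or destination VRF matches any VRF, a broad permit placed above these two policies would match VRF-a traffic before deny-vrf-a is ever consulted; check the ordering with show security policies after committing.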

Results

From configuration mode, confirm your configuration by entering the show security policies and show routing-instances commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Policy Configuration
Purpose

Verify information about security policies.

Action

From operational mode, enter the show security policies command to display a summary of all the security policies configured on the device.

Example: Configuring a Security Policy to Permit VRF-Based Traffic from an IP Network to an MPLS Network

This example shows how to configure a security policy to permit traffic using the destination VRF.

Requirements

Note:

The MPLS policy is configurable only when set security flow advanced-options overlapping-l3vpn is enabled. By default, this command is disabled.

Overview

In Junos OS, security policies enforce rules for transit traffic, in terms of what traffic can pass through the device and the actions that need to take place on the traffic as it passes through the device.

In this example, an SRX Series device is deployed in an SD-WAN architecture to control traffic using the destination VRF. You need to configure policies to control the traffic; the default policy does not support VRF options. Traffic from the IP network (site A and site B) is sent to the MPLS network. By configuring the policies, you can permit traffic from both site A and site B to the MPLS network.

In Figure 2, the source VRF is not configured as the LAN interface does not belong to an MPLS network. We recommend that you configure the destination VRF when the destination network points to the MPLS network.

Figure 2: Permitting VRF-Based Traffic from an IP Network to an MPLS Network

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure a policy to permit traffic from the IP network to the MPLS network using the destination VRF:

  1. Layer 3 VPNs require a VRF table for distributing routes within the networks. Create a VRF instance and specify the value vrf.

  2. Assign a route distinguisher to the routing instance.

  3. Create a community policy to import or export all routes.

  4. Assign a single VPN label for all the routes in the VRF.

  5. Create a security policy to permit VRF-a’ traffic from the IP network.

  6. Create a security policy to permit VRF-b’ traffic from the IP network.

Results

From configuration mode, confirm your configuration by entering the show security policies and show routing-instances commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Policy Configuration
Purpose

Verify that the security policy permits VRF-based traffic from the IP network to the MPLS network.

Action

From operational mode, enter the show security policies command to display a summary of all the security policies configured on the device.

Example: Configuring a Security Policy to Permit VRF-Based Traffic from an MPLS Network to an MPLS Network over GRE without NAT

This example shows how to configure a security policy to permit traffic using the source VRF.

Requirements

Note:

The MPLS policy is configurable only when set security flow advanced-options overlapping-l3vpn is enabled. By default, this command is disabled.

Overview

In Junos OS, security policies enforce rules for transit traffic, in terms of what traffic can pass through the device and the actions that need to take place on the traffic as it passes through the device. In Figure 3, an SRX Series device is deployed in an SD-WAN architecture to control traffic using the source VRF. You need to configure policies to control the traffic. You can permit traffic from an MPLS network to another MPLS network by configuring policies.

We recommend that you configure both the source VRF and the destination VRF when the source and destination are from the MPLS network.

Figure 3: Permitting VRF-Based Traffic from an MPLS Network to an MPLS Network over GRE without NAT

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure a policy to permit traffic from an MPLS network to an MPLS network using source VRF:

  1. Layer 3 VPNs require a VRF table for distributing routes within the networks. Create a VRF instance and specify the value vrf.

  2. Assign a route distinguisher to the routing instance.

  3. Create a community policy to import or export all routes.

  4. Assign a single VPN label for all the routes in the VRF.

  5. Create a security policy to permit VRF-a traffic from the MPLS network.

  6. Create a security policy to permit VRF-b traffic from the MPLS network.

Results

From configuration mode, confirm your configuration by entering the show security policies and show routing-instances commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Policy Configuration
Purpose

Verify that the security policy permits VRF-based traffic from the IP network to the MPLS network.

Action

From operational mode, enter the show security policies command to display a summary of all the security policies configured on the device.

Example: Configuring Security Policies Using VRF Routing Instances in an MPLS Network

This example shows how to configure security policies using VRF routing instances.

Requirements

Overview

In this example, you create security policies using virtual routing and forwarding (VRF) instances to isolate traffic traversing in the following networks:

  • An MPLS to a private IP network

  • A Global IP to an MPLS network

MPLS Network to Private IP Network

Procedure

Step-by-Step Procedure
  1. Layer 3 VPNs require a VRF table for distributing routes within the networks. Create a VRF instance and specify the value vrf.

  2. Assign a route distinguisher to the routing instance.

  3. Create a community policy to import or export all routes.

  4. Assign a single VPN label for all the routes in the VRF.

  5. Create a security policy to permit traffic from VRF-a destined for LAN A.

  6. Create a security policy to permit traffic from VRF-b destined for LAN B.

Results

From configuration mode, confirm your configuration by entering the show security policies and show routing-instances commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Global IP Network to an MPLS Network

Procedure

Step-by-Step Procedure
  1. Layer 3 VPNs require a VRF table for distributing routes within the networks. Create a VRF instance and specify the value vrf.

  2. Assign a route distinguisher to the routing instance.

  3. Create a community policy to import or export all routes.

  4. Assign a single VPN label for all the routes in the VRF.

  5. Create the destination NAT pool.

  6. Create a destination NAT rule set.

  7. Configure a rule that matches packets and translates the destination address to the address in the pool.

  8. Configure a security policy that allows traffic from the untrust zone to the server in the trust zone.
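The set commands below carry out steps 5 through 8, adding destination NAT in front of a VRF-aware policy. This is an added example, not the configuration listing from the original page. It assumes that the routing instance VRF-a from steps 1 through 4 already exists, that the Internet-facing zone is named untrust and the server-facing zone trust, and uses constructed addresses: 203.0.113.10 as the public address and 10.1.1.10 as the server's address inside VRF-a. The `routing-instance` option on the destination NAT pool, the `security l3vpn vrf-group` hierarchy, and the `destination-l3vpn-vrf-group` match keyword are assumed statement names; confirm them with `?` completion on your release before committing. Drop the `#` comment lines before pasting.

```junos
# VRF-aware policy matching must be on; it is disabled by default.
set security flow advanced-options overlapping-l3vpn

# Step 5: destination NAT pool holding the server's real address in VRF-a
# (the routing-instance option on the pool is assumed; verify on your release).
set security nat destination pool srv-a-pool address 10.1.1.10/32
set security nat destination pool srv-a-pool routing-instance VRF-a

# Steps 6-7: rule set applied to traffic arriving from untrust; packets sent to the
# public address 203.0.113.10 are translated to the pool address.
set security nat destination rule-set dst-nat-untrust from zone untrust
set security nat destination rule-set dst-nat-untrust rule srv-a-rule match destination-address 203.0.113.10/32
set security nat destination rule-set dst-nat-untrust rule srv-a-rule then destination-nat pool srv-a-pool

# Step 8: address-book entry and VRF group used by the policy
# (assumed hierarchy for vrf-group; verify on your release).
set security address-book global address srv-a 10.1.1.10/32
set security l3vpn vrf-group grp-a vrf VRF-a

# Policy from untrust to trust. Destination NAT runs before the policy lookup, so the
# policy matches the translated (real) server address, not the public one, and is
# restricted to the https application and to destinations resolving into VRF-a.
set security policies from-zone untrust to-zone trust policy allow-srv-a match source-address any
set security policies from-zone untrust to-zone trust policy allow-srv-a match destination-address srv-a
set security policies from-zone untrust to-zone trust policy allow-srv-a match application junos-https
set security policies from-zone untrust to-zone trust policy allow-srv-a match destination-l3vpn-vrf-group grp-a
set security policies from-zone untrust to-zone trust policy allow-srv-a then permit
```

Keeping the policy scoped to one application and one destination VRF is what makes the destination NAT rule safe to expose: a NAT rule only rewrites the destination, and without a matching policy the translated packet is dropped. After committing, show security nat destination rule all should show the Translation hits counter increasing for srv-a-rule, and show security flow session should list the session with VRF-a in its VRF field.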

Results

From configuration mode, confirm your configuration by entering the show security policies, show routing-instances, and the show security nat commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying the Destination NAT Rule
Purpose

Display information about all the destination NAT rules.

Action

From operational mode, enter the show security nat destination rule all command.

[...Output truncated...]

Meaning

The command displays the destination NAT rule. View the Translation hits field to check for traffic that matches the destination rule.

Verifying Flow Session
Purpose

Display information about all the currently active security sessions on the device.

Action

From operational mode, enter the show security flow session command.

Meaning

The command displays details about all the active sessions. View the VRF field to check the VRF routing instance details in the flow.