Configuring Security Policies Using VRF Group

Overview

In an SD-WAN network, when traffic belonging to different VRF instances enters the device through the same tunnel or interface, such as GRE or GE, the device applies policy based on the VRF instance of that traffic. To control VRF-based traffic, the device either permits or denies traffic destined to a particular VRF instance.

Currently, there are 5 matching conditions for each policy:

  • From zone

  • To zone

  • Source address

  • Destination address

  • Applications

Figure 1 shows the match conditions in a policy.

Figure 1: Match Conditions

With the current policy matching conditions, you cannot permit VRF-B1 or VRF-B2 while denying VRF-A1 or VRF-A2. To support this, additional matching conditions based on VRF groups are added to the policy in the SD-WAN network.

When the flow receives the source and destination VRF group information, it forwards that information to the policy search API along with the policy key tuple, so that the VRF groups are evaluated together with the other match conditions.

Figure 2 shows the VRF groups added as match condition in a policy.

Figure 2: Match Conditions with VRF group

Note:

If the source or destination VRF group is not specified in a policy, that match condition matches any VRF group.

Example: Configuring a Security Policy to Permit or Deny VRF-Based Traffic from MPLS Network to an IP Network using Source VRF Group

This example shows how to configure a security policy to permit traffic and deny traffic using the source VRF group.

Requirements

Overview

In Junos OS, security policies enforce rules for transit traffic, in terms of what traffic can pass through the device and the actions that need to take place on the traffic as it passes through the device. In Figure 3, an SRX Series device is deployed in an SD-WAN to control traffic using the source VRF group. Traffic from the GRE MPLS network is sent to site A and site B of the IP network. As per the network requirement, site A traffic should be denied, and only site B traffic should be permitted.

Figure 3: Policy Control from MPLS network

This configuration example shows how to:

  • Deny traffic from vpn-A (from GRE MPLS)

  • Permit traffic from vpn-B (from GRE MPLS)

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

  1. Create VRF group vpn-A with VRF instances A1 and A2

  2. Create VRF group vpn-B with VRF instances B1 and B2

  3. Create a security policy to deny vpn-A traffic.

  4. Create a security policy to permit vpn-B traffic.

Results

From configuration mode, confirm your configuration by entering the show security policies and show routing-instances commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Policy Configuration
Purpose

Verify information about security policies.

Action

From operational mode, enter the show security policies command to display a summary of all the security policies configured on the device.

Example: Configuring a Security Policy to Permit or Deny VRF-Based Traffic from an IP Network to MPLS Network using Destination VRF Group

This example shows how to configure a security policy to permit traffic and deny traffic using the destination VRF group.

Requirements

Overview

In Junos OS, security policies enforce rules for transit traffic, in terms of what traffic can pass through the device and the actions that need to take place on the traffic as it passes through the device. In Figure 4, an SRX Series device is deployed in an SD-WAN to control traffic using the destination VRF group. Traffic from the IP network is sent to site A and site B of the GRE MPLS network. As per the network requirement, site A traffic should be denied, and only site B traffic should be permitted.

Figure 4: Policy control to MPLS network

This configuration example shows how to:

  • Deny traffic to vpn-A (to GRE MPLS)

  • Permit traffic to vpn-B (to GRE MPLS)

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

  1. Create VRF group vpn-A with VRF instances A1 and A2

  2. Create VRF group vpn-B with VRF instances B1 and B2

  3. Create a security policy to deny vpn-A traffic.

  4. Create a security policy to permit vpn-B traffic.

Results

From configuration mode, confirm your configuration by entering the show security policies and show routing-instances commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Policy Configuration
Purpose

Verify information about security policies.

Action

From operational mode, enter the show security policies command to display a summary of all the security policies configured on the device.
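Both examples above express the same intent, with either the source or the destination VRF group as the extra match key. The following Python model of that policy search is an added example and not Junos code: the VRF instance and group names are the page's own, while the zone names, addresses, default-deny fallback and function names are assumptions made here.

```python
# Added example, not from the Junos documentation: a minimal model of the policy
# search with source and destination VRF group as extra match keys beside the
# five existing ones. Zone names, addresses and function names are constructed.
from dataclasses import dataclass
from typing import Optional
# VRF instance -> VRF group, as in the examples (A1/A2 -> vpn-A, B1/B2 -> vpn-B)
VRF_GROUPS = {"A1": "vpn-A", "A2": "vpn-A", "B1": "vpn-B", "B2": "vpn-B"}

@dataclass
class Policy:
    name: str
    from_zone: str
    to_zone: str
    action: str                                   # "permit" or "deny"
    source_address: str = "any"
    destination_address: str = "any"
    application: str = "any"
    source_vrf_group: Optional[str] = None        # None: matches any VRF group
    destination_vrf_group: Optional[str] = None   # None: matches any VRF group

def _match(cond: Optional[str], value: str) -> bool:
    """'any' or an unspecified VRF group matches every value."""
    return cond in (None, "any") or cond == value

def policy_search(policies, from_zone, to_zone, src, dst, app, src_vrf, dst_vrf):
    """First-match lookup over the policy key tuple plus the VRF groups of the
    ingress and egress VRF instances; a side with no VRF instance (plain IP
    network) or an instance in no group carries an empty group name."""
    src_group = VRF_GROUPS.get(src_vrf, "")
    dst_group = VRF_GROUPS.get(dst_vrf, "")
    for p in policies:
        if (p.from_zone == from_zone and p.to_zone == to_zone
                and _match(p.source_address, src)
                and _match(p.destination_address, dst)
                and _match(p.application, app)
                and _match(p.source_vrf_group, src_group)
                and _match(p.destination_vrf_group, dst_group)):
            return p.name, p.action
    return None, "deny"   # nothing matched: fall through to default deny
# First example (MPLS -> IP network): deny from vpn-A, permit from vpn-B
MPLS_TO_IP = [
    Policy("deny-vpn-A", "mpls", "ip", "deny", source_vrf_group="vpn-A"),
    Policy("permit-vpn-B", "mpls", "ip", "permit", source_vrf_group="vpn-B"),
]
# Second example (IP network -> MPLS): deny to vpn-A, permit to vpn-B
IP_TO_MPLS = [
    Policy("deny-to-vpn-A", "ip", "mpls", "deny", destination_vrf_group="vpn-A"),
    Policy("permit-to-vpn-B", "ip", "mpls", "permit", destination_vrf_group="vpn-B"),
]
```

A policy that names no VRF group still matches traffic from every group, which is the behaviour the note above describes.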

Managing Overlapping VPN using VRF group

When there are two sessions in an L3VPN network, the VRF group-ID is added to the session key as an additional key to differentiate the sessions and avoid conflicts between them.

In Figure 5, network1 and network3 are grouped into VRF group-A in the L3VPN network, and network2 and network4 are grouped into VRF group-B. The sessions use VRF group-A and VRF group-B as differentiators.

Figure 5: Overlapping VPN using VRF groups

Table 1: L3VPN Session Information

L3VPN Network 1 and 3 session
  (Forward)  5-tuple: x/y/sp/dp/p   Token: GRE1(zone_id+VR_id) + VRF group-ID (A)
  (Reverse)  5-tuple: y/x/dp/sp/p   Token: GRE1(zone_id+VR_id) + VRF group-ID (B)

L3VPN Network 2 and 4 session
  (Forward)  5-tuple: x/y/sp/dp/p   Token: GRE1(zone_id+VR_id) + VRF group-ID (A’)
  (Reverse)  5-tuple: y/x/dp/sp/p   Token: GRE1(zone_id+VR_id) + VRF group-ID (B’)
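The session key from Table 1, modelled as an added example that is not from the Junos documentation: the token (tunnel, zone ID, VR ID) is extended with the VRF group-ID, and the example shows that the two sessions with the same 5-tuple stay distinct only because of that extra key. Field names, the sample addresses and the zone and VR IDs are assumptions made here.

```python
# Added example, not from the Junos documentation: a model of the session key in
# Table 1, where the token is extended with the VRF group ID so that two sessions
# with identical 5-tuples from overlapping VPNs remain distinct. Sample values are constructed.
from typing import NamedTuple

class Token(NamedTuple):
    tunnel: str         # e.g. "GRE1"
    zone_id: int
    vr_id: int
    vrf_group_id: str   # the additional key that separates overlapping VPNs

class SessionKey(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    token: Token

def reverse_key(key: SessionKey, reverse_group_id: str) -> SessionKey:
    """Reverse wing: the 5-tuple is mirrored (y/x/dp/sp/p) and the token
    carries the VRF group ID of the returning direction."""
    return SessionKey(key.dst, key.src, key.dport, key.sport, key.proto,
                      key.token._replace(vrf_group_id=reverse_group_id))

def without_group_id(key: SessionKey) -> SessionKey:
    """Same key with the VRF group ID removed (the session key before VRF groups)."""
    return key._replace(token=key.token._replace(vrf_group_id=""))

# Constructed sample: both sessions share 5-tuple x/y/sp/dp/p and the same
# GRE1 tunnel, zone and VR; only the VRF group ID differs, as in Table 1.
X, Y, SP, DP, P = "10.0.0.1", "10.0.0.2", 40000, 443, 6
SESSION_1_3 = SessionKey(X, Y, SP, DP, P, Token("GRE1", 7, 1, "A"))
SESSION_2_4 = SessionKey(X, Y, SP, DP, P, Token("GRE1", 7, 1, "A'"))

def build_session_table() -> dict:
    """Install both wings of both sessions; a duplicate key would be a collision."""
    table = {}
    for key, sid in ((SESSION_1_3, 1), (reverse_key(SESSION_1_3, "B"), 1),
                     (SESSION_2_4, 2), (reverse_key(SESSION_2_4, "B'"), 2)):
        if key in table:
            raise KeyError(f"session key collision: {key}")
        table[key] = sid
    return table

def collides_without_group_id() -> bool:
    """True if dropping the VRF group ID makes the two forward keys identical."""
    return without_group_id(SESSION_1_3) == without_group_id(SESSION_2_4)
```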