ON THIS PAGE
Configuring Security Policies Using VRF Group
Overview
In SD-WAN network, when different VRF based traffic enter the device from same tunnel such as GRE or GE, the device applies policy based on the given VRF instance. The device either permit or deny traffic destined to a particular VRF instance to control the VRF based traffic.
Currently, there are 5 matching conditions for each policy:
From zone
To zone
Source address
Destination address
Applications
Figure 1 shows the match conditions in a policy.
With the current policy matching conditions, you cannot permit VRF-B1 or VRF-B2 and deny VRF-A1 or VRF-A2. To support this, additional matching conditions are added to the policy in the SD-WAN network using VRF group.
When the flow receives the information of source and destination VRF groups, it forwards the information to policy search API along with the policy key tuple information to meet the match conditions.
Figure 2 shows the VRF groups added as match condition in a policy.
If the source and destination VRF group information is
not specified in a policy, then these groups matches any VRF group.
Example: Configuring a Security Policy to Permit or Deny VRF-Based Traffic from MPLS Network to an IP Network using Source VRF Group
This example shows how to configure a security policy to permit traffic and deny traffic using the source VRF group.
Requirements
Understand how to create a security zone. SeeExample: Creating Security Zones .
Supported SRX Series Firewall with Junos OS Release 15.1X49-D170 or later. This configuration example is tested for Junos OS Release 15.1X49-D170.
Configure network interfaces on the device. See Interfaces User Guide for Security Devices.
Overview
In Junos OS, security policies enforce rules for transit traffic, in terms of what traffic can pass through the device and the actions that need to take place on the traffic as it passes through the device. In Figure 3, an SRX Series Firewall is deployed in an SD-WAN to control traffic using the source VRF group. Traffic from the GRE MPLS network is sent to site A and site B of the IP network. As per the network requirement, site A traffic should be denied, and only site B traffic should be permitted.
This configuration example shows how to:
Deny traffic from vpn-A (from GRE MPLS)
Permit traffic from vpn-B (from GRE MPLS)
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
set security l3vpn vrf-group vpn-A vrf VRF-A1 set security l3vpn vrf-group vpn-A vrf VRF-A2 set security l3vpn vrf-group vpn-B vrf VRF-B1 set security l3vpn vrf-group vpn-B vrf VRF-B2 set security policies from-zone GRE_Zone to-zone GE_Zone policy vrf-a_policy match source-address any set security policies from-zone GRE_Zone to-zone GE_Zone policy vrf-a_policy match destination-address any set security policies from-zone GRE_Zone to-zone GE_Zone policy vrf-a_policy match application any set security policies from-zone GRE_Zone to-zone GE_Zone policy vrf-a_policy match source-l3vpn-vrf-group vpn-A set security policies from-zone GRE_Zone to-zone GE_Zone policy vrf-a_policy then deny set security policies from-zone GRE_Zone to-zone GE_Zone policy vrf-b_policy match source-address any set security policies from-zone GRE_Zone to-zone GE_Zone policy vrf-b_policy match destination-address any set security policies from-zone GRE_Zone to-zone GE_Zone policy vrf-b_policy match application any set security policies from-zone GRE_Zone to-zone GE_Zone policy vrf-b_policy match source-l3vpn-vrf-group vpn-B set security policies from-zone GRE_Zone to-zone GE_Zone policy vrf-b_policy then permit
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
Create VRF group vpn-A with VRF instances A1 and A2
[edit security] user@host# set l3vpn vrf-group vpn-A vrf VRF-A1 user@host# set l3vpn vrf-group vpn-A vrf VRF-A2
Create VRF group vpn-B with VRF instances B1 and B2
[edit security] user@host# set l3vpn vrf-group vpn-B vrf VRF-B1 user@host# set l3vpn vrf-group vpn-B vrf VRF-B2
Create a security policy to deny vpn-A traffic.
[edit security policies from-zone GRE_Zone to-zone GE_Zone] user@host# set policy vrf-a_policy match source-address any user@host# set policy vrf-a_policy match destination-address any user@host# set policy vrf-a_policy match application any user@host# set policy vrf-a_policy match source-l3vpn-vrf-group vpn-A user@host# set policy vrf-a_policy then deny
Create a security policy to permit vpn-B traffic.
[edit security policies from-zone GRE_Zone to-zone GE_Zone] user@host# set policy vrf-b_policy match source-address any user@host# set policy vrf-b_policy match destination-address any user@host# set policy vrf-b_policy match application any user@host# set policy vrf-b_policy match source-l3vpn-vrf-group vpn-B user@host# set policy vrf-b_policy then permit
Results
From configuration mode, confirm your configuration
by entering the show security policies and show routing-instances commands. If the output does not display the intended configuration,
repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security policies
from-zone GRE_Zone to-zone GE_Zone {
policy vrf-a_policy {
match {
source-address any;
destination-address any;
application any;
source-l3vpn-vrf-group vpn-A;
}
then {
deny;
}
}
policy vrf-b_policy {
match {
source-address any;
destination-address any;
application any;
source-l3vpn-vrf-group vpn-B;
}
then {
permit;
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Verifying Policy Configuration
Purpose
Verify information about security policies.
Action
From operational mode, enter the show security
policies command to display a summary of all the security policies
configured on the device.
user@root> show security policies
Default policy: permit-all
From zone: GRE_Zone, To zone: GE_Zone
Policy: vrf-a_policy, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
Source L3VPN VRF Group: vpn-A
destination L3VPN vrf-group: any
Source addresses: any
Destination addresses: any
Applications: any
Action: deny
Policy: vrf-b_policy, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
Source L3VPN VRF Group: vpn-B
destination L3VPN vrf-group: any
Source addresses: any
Destination addresses: any
Applications: any
Action: permit
Example: Configuring a Security Policy to Permit or Deny VRF-Based Traffic from an IP Network to MPLS Network using Destination VRF Group
This example shows how to configure a security policy to permit traffic and deny traffic using the source VRF group.
Requirements
Understand how to create a security zone. See Example: Creating Security Zones.
Supported SRX Series Firewall with Junos OS Release 15.1X49-D170 or later. This configuration example is tested for Junos OS Release 15.1X49-D170.
Configure network interfaces on the device. See Interfaces User Guide for Security Devices.
Overview
In Junos OS, security policies enforce rules for transit traffic, in terms of what traffic can pass through the device and the actions that need to take place on the traffic as it passes through the device. In Figure 4, an SRX Series Firewall is deployed in an SD-WAN to control traffic using the destination VRF group. Traffic from IP network is sent to site A and site B of the GRE MPLS network. As per the network requirement, site A traffic should be denied, and only site B traffic should be permitted.
This configuration example shows how to:
Deny traffic to vpn-A (to GRE MPLS)
Permit traffic to vpn-B (to GRE MPLS)
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
set security l3vpn vrf-group vpn-A vrf VRF-A1 set security l3vpn vrf-group vpn-A vrf VRF-A2 set security l3vpn vrf-group vpn-B vrf VRF-B1 set security l3vpn vrf-group vpn-B vrf VRF-B2 set security policies from-zone LAN-a_Zone to-zone GRE_Zone policy vrf-a_policy match source-address any set security policies from-zone LAN-a_Zone to-zone GRE_Zone policy vrf-a_policy match destination-address any set security policies from-zone LAN-a_Zone to-zone GRE_Zone policy vrf-a_policy match application any set security policies from-zone LAN-a_Zone to-zone GRE_Zone policy vrf-a_policy match destination-l3vpn-vrf-group vpn-A set security policies from-zone LAN-a_Zone to-zone GRE_Zone policy vrf-a_policy then deny set security policies from-zone LAN-b_Zone to-zone GRE_Zone policy vrf-b_policy match source-address any set security policies from-zone LAN-b_Zone to-zone GRE_Zone policy vrf-b_policy match destination-address any set security policies from-zone LAN-b_Zone to-zone GRE_Zone policy vrf-b_policy match application any set security policies from-zone LAN-b_Zone to-zone GRE_Zone policy vrf-b_policy match destination-l3vpn-vrf-group vpn-B set security policies from-zone LAN-b_Zone to-zone GRE_Zone policy vrf-b_policy then permit
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
Create VRF group vpn-A with VRF instances A1 and A2
[edit security] user@host# set l3vpn vrf-group vpn-A vrf VRF-A1 user@host# set l3vpn vrf-group vpn-A vrf VRF-A2
Create VRF group vpn-B with VRF instances B1 and B2
[edit security] user@host# set l3vpn vrf-group vpn-B vrf VRF-B1 user@host# set l3vpn vrf-group vpn-B vrf VRF-B2
Create a security policy to deny vpn-A traffic.
[edit security policies from-zone LAN-a_Zone to-zone GRE_Zone] user@host# set policy vrf-a_policy match source-address any user@host# set policy vrf-a_policy match destination-address any user@host# set policy vrf-a_policy match application any user@host# set policy vrf-a_policy match destination-l3vpn-vrf-group vpn-A user@host# set policy vrf-a_policy then deny
Create a security policy to permit vpn-B traffic.
[edit security policies from-zone LAN-b_Zone e to-zone GRE_Zone] user@host# set policy vrf-b_policy match source-address any user@host# set policy vrf-b_policy match destination-address any user@host# set policy vrf-b_policy match application any user@host# set policy vrf-b_policy match destination-l3vpn-vrf-group vpn-B user@host# set policy vrf-b_policy then permit
Results
From configuration mode, confirm your configuration
by entering the show security policies and show routing-instances commands. If the output does not display the intended configuration,
repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security policies
from-zone LAN-a_Zone to-zone GRE_Zone {
policy vrf-a_policy {
match {
source-address any;
destination-address any;
application any;
destination-l3vpn-vrf-group vpn-A;
}
then {
deny;
}
}
}
from-zone LAN-b_Zone to-zone GRE_Zone {
policy vrf-b_policy {
match {
source-address any;
destination-address any;
application any;
destination-l3vpn-vrf-group vpn-B;
}
then {
permit;
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Verifying Policy Configuration
Purpose
Verify information about security policies.
Action
From operational mode, enter the show security
policies command to display a summary of all the security policies
configured on the device.
user@root> show security policies
Default policy: permit-all
From zone: LAN-a_Zone, To zone: GRE_Zone
Policy: vrf-a_policy, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
Source L3VPN VRF Group: any
destination L3VPN vrf-group: vpn-A
Source addresses: any
Destination addresses: any
Applications: any
Action: deny
From zone: LAN-b_Zone, To zone: GRE_Zone
Policy: vrf-b_policy, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
Source L3VPN VRF Group: any
destination L3VPN vrf-group: vpn-B
Source addresses: any
Destination addresses: any
Applications: any
Action: permit
Managing Overlapping VPN using VRF group
When there are two sessions in a L3VPN network, to avoid any conflicts between the two sessions VRF group-ID is added to session key as an additional key to differentiate the sessions.
In Figure 5 network1 and network3 are grouped together to VRF group-A in L3VPN network, and network2 and network4 are grouped together to VRF group-B. The sessions use VRF group-A and VRF group-B as differentiators.
L3VPN Network 1 and 3 session |
L3VPN Network 2 and 4 session |
||
|---|---|---|---|
(Forward) |
(Reverse) |
(Forward) |
(Reverse) |
5-tuple: x/y/sp/dp/p |
5-tuple: y/x/dp/sp/p |
5-tuple: x/y/sp/dp/p |
5-tuple: y/x/dp/sp/p |
Token: GRE1(zone_id+VR_id) + VRF group-ID (A) |
Token: GRE1(zone_id+VR_id) + VRF group-ID (B) |
Token: GRE1(zone_id+VR_id) + VRF group-ID (A’) |
Token: GRE1(zone_id+VR_id) + VRF group-ID (B’) |