Geneve Packet Flow Tunnel Inspection
Enable Security Policies for Geneve Packet Flow Tunnel Inspection
Use this configuration to enable security policies on vSRX Virtual Firewall 3.0 for Geneve packet flow tunnel inspection.
With Geneve support on vSRX Virtual Firewall 3.0 instances, you can use vSRX3.0 to:
-
Connect end points in a campus, data center, and public cloud environments and their banches.
-
Secure these environments with embedded security.
- Requirements
- Overview
- Configuration (vSRX Virtual Firewall 3.0 as Tunnel Endpoint)
- Configuration (vSRX Virtual Firewall 3.0 as Transit Router)
Requirements
This example uses the following hardware and software components:
-
vSRX Virtual Firewall 3.0
-
Junos OS Release 23.1R1
Before you begin:
-
Make sure you understand how the Geneve protocol works.
Overview
Using this configuration you can:
-
Enable the security policies to process the Geneve tunnel encapsulated L3 packets.
-
Create distinct profiles for Geneve traffic based on VNI and vendor TLV attributes-Policy once attached with an inspection profile dictates the type of Geneve traffic to be processed and policies to be applied to the inner traffic.
-
Configure the regular security policy on vSRX Virtual Firewall 3.0 to apply L4 and L7 services on the inner traffic.
Configuration (vSRX Virtual Firewall 3.0 as Tunnel Endpoint)
- Simplified Geneve Traffic Flow Topology with AWS GWLB and vSRX Virtual Firewall 3.0 as Tunnel End-point
- CLI Quick Configuration
- Procedure
- Results
- Verify Tunnel Inspection Profile and VNI
- Verify Tunnel Inspection Profile and VNI
Simplified Geneve Traffic Flow Topology with AWS GWLB and vSRX Virtual Firewall 3.0 as Tunnel End-point
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a
text file, remove any line breaks, change any details necessary to match your
network configuration, copy and paste the commands into the CLI at the
[edit] hierarchy level, and then enter
commit from configuration mode.
Define a trust and untrust zone to permit all host traffic.
set security tunnel-inspection inspection-profile ti-vendor geneve g-rule policy-set ps-vendorset security tunnel-inspection inspection-profile ti-vendor geneve g-rule vni vni-vendorset security tunnel-inspection vni vni-vendor vni-id 0set security policies from-zone vtepc to-zone junos-host policy self match application junos-geneveset security policies from-zone vtepc to-zone junos-host policy self match source-address anyset security policies from-zone vtepc to-zone junos-host policy self match destination-address anyset security policies from-zone vtepc to-zone junos-host policy self then permit tunnel-inspection ti-vendorset security policies default-policy deny-allset security policies policy-set ps-vendor policy self match source-address anyset security policies policy-set ps-vendor policy self match destination-address anyset security policies policy-set ps-vendor policy self match application anyset security policies policy-set ps-vendor policy self then permitset interfaces ge-0/0/1 mtu 9000set interfaces ge-0/0/1 unit 0 family inet address anyset interfaces ge-0/0/1 unit 0 family inet6 address any
Procedure
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure Geneve flow support for tunnel inspection on vSRX Virtual Firewall 3.0:
-
Define a trust and untrust zone to permit all host traffic under the [edit security zones] hierarchy.
-
Define the
tunnel-inspectionprofile.[edit security tunnel-inspection] user@host# set security tunnel-inspection inspection-profile ti-vendor geneve g-rule policy-set ps-vendor user@host# set security tunnel-inspection inspection-profile ti-vendor geneve g-rule vni vni-vendor user@host# set security tunnel-inspection vni vni-vendor vni-id 0
-
Define outer session policies to the outer packets and attach the referenced tunnel inspection profile
Note:In the policy configuration, the
to-zonefor the outer policy in case of vSRX Virtual Firewall 3.0 as tunnel endpoint must bejunos-host, which is an inbuilt (reserved identifier) zone to process traffic.[edit security policies] user@host# set security policies from-zone vtepc to-zone junos-host policy self match source-address any user@host# set security policies from-zone vtepc to-zone junos-host policy self match destination-address any user@host# set security policies from-zone vtepc to-zone junos-host policy self match application junos-geneve user@host# set security policies from-zone vtepc to-zone junos-host policy self then permit tunnel-inspection ti-vendor user@host# set security policies default-policy deny-all
-
Define an inner policy under
policy-setto process the decapsulated packet.[edit security policies] user@host# set security policies policy-set ps-vendor policy self match source-address any user@host# set security policies policy-set ps-vendor policy self match destination-address any user@host# set security policies policy-set ps-vendor policy self match application any user@host# set security policies policy-set ps-vendor policy self then permit
-
Configure the interface associated with
from-zoneof the virtual tunnel endpoint client (VTEPC) to receive the Geneve-encapsulated packets and the health-check packets.[edit] user@host# set interfaces ge-0/0/1 mtu 9000 user@host# set interfaces ge-0/0/1 unit 0 family inet address any user@host# set interfaces ge-0/0/1 unit 0 family inet6 address any
Results
From the configuration mode, confirm your configuration by entering the
show security policies command. If the output does not
display the intended configuration, repeat the instructions in this example to
correct the configuration.
user@host# show security policies
from-zone trust to-zone untrust {
policy p1 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
application-services {
application-traffic-control {
rule-set ftp-test1;
}
}
}
}
}
policy internet-access {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy dst-nat-pool-access {
match {
source-address any;
destination-address 233.252.0.1/21;
application any;
}
then {
permit;
}
}
}
from-zone vtepc to-zone junos-host {
policy self {
match {
source-address any;
destination-address any;
application junos-geneve;
}
then {
permit {
tunnel-inspection {
ti-vendor;
}
}
}
}
}
policy-set ps-vendor {
policy self {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
default-policy {
deny-all;
}user@host# show security tunnel-inspection
inspection-profile ti-vendor {
geneve g-rule {
policy-set ps-vendor;
vni vni-vendor;
}
}
vni v1 {
vni-id 0;
}
vni vni-vendor {
vni-id 0;
}After you complete configuring the feature on your device, enter
commit from the configuration mode.
Verify Tunnel Inspection Profile and VNI
Purpose
Verify that you have configured the tunnel-inspection
profile and the VXLAN network identifier (VNI).
Action
From operational mode, enter the show security tunnel-inspection
profiles ti-vendor and show security tunnel-inspection
vnis commands.
user@host> show security tunnel-inspection profiles ti-vendor
--------------------------------------------------------------------------
Logical system: root-logical-system
Profile count: 1
Profile: ti-vendor
Type: Geneve
geneve count: 1
geneve name: g-rule
VNI count: 1
VNI: vni-vendor
Policy set: ps-vendor
Inspection level: 1user@host> show security tunnel-inspection vnis
--------------------------------------------------------------------------
Logical system: root-logical-system
VNI count: 1
VNI name: vni-vendor
VNI id count: 0Meaning
The output displays that the Geneve tunnel-inspection profile is enabled and the VXLAN network identifier (VNI) is configured.
Verify Tunnel Inspection Profile and VNI
Purpose
Verify that you have configured the tunnel-inspection
profile and the VXLAN network identifier (VNI).
Action
From operational mode, enter the show security tunnel-inspection
profiles ti-vendor and show security tunnel-inspection
vnis commands.
user@host> show security tunnel-inspection profiles ti-vendor
--------------------------------------------------------------------------
Logical system: root-logical-system
Profile count: 1
Profile: ti-vendor
Type: Geneve
geneve count: 1
geneve name: g-rule
VNI count: 1
VNI: vni-vendor
Policy set: ps-vendor
Inspection level: 1user@host> show security tunnel-inspection vnis
--------------------------------------------------------------------------
Logical system: root-logical-system
VNI count: 1
VNI name: vni-vendor
VNI id count: 0Meaning
The output displays that the Geneve tunnel-inspection profile is enabled and the VXLAN network identifier (VNI) is configured.
Configuration (vSRX Virtual Firewall 3.0 as Transit Router)
- Simplified Geneve Traffic Flow Topology vSRX Virtual Firewall 3.0 as Transit Router
- CLI Quick Configuration
- Procedure
- Results
Simplified Geneve Traffic Flow Topology vSRX Virtual Firewall 3.0 as Transit Router
In this deployment mode the virtual tunnel endpoint client (vtepc) (Geneve tunnel endpoint) must ensure that packets destined to both the client and the server pass through virtual tunnel endpoint server (vteps) (vSRX Virtual Firewall 3.0). The source port is selected by the virtual tunnel endpoint (vtep).
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a
text file, remove any line breaks, change any details necessary to match your
network configuration, copy and paste the commands into the CLI at the
[edit] hierarchy level, and then enter
commit from configuration mode.
set security tunnel-inspection vni r1 vni-range 1 to 100set security tunnel-inspection vni r1 vni-id 500set security tunnel-inspection profile inspection-profile ti-vendor geneve geneve1 vni r1set security tunnel-inspection profile inspection-profile ti-vendor geneve geneve1 policy-set pset1set security tunnel-inspection vni r2 vni-range 200 to 400set security tunnel-inspection vni r2 vni-id 500set security tunnel-inspection profile inspection-profile ti-vendor geneve geneve2 vni r2set security tunnel-inspection profile inspection-profile ti-vendor geneve geneve2 policy-set pset2set security policies from-zone vtepc to-zone vteps policy p1 match application junos-geneveset security policies from-zone vtepc to-zone vteps policy p1 match source-address anyset security policies from-zone vtepc to-zone vteps policy p1 match destination-address anyset security policies from-zone vtepc to-zone vteps policy p1 then permit tunnel-inspection ti-vendorset security policies from-zone vteps to-zone vtepc policy p1 match application junos-geneveset security policies from-zone vteps to-zone vtepc policy p1 match source-address anyset security policies from-zone vteps to-zone vtepc policy p1 match destination-address anyset security policies from-zone vteps to-zone vtepc policy p1 then permit tunnel-inspection ti-vendorset security policies default-policy deny-allset security policies policy-set pset1 policy pset_p1 match source-address anyset security policies policy-set pset1 policy pset_p1 match destination-address anyset security policies policy-set pset1 policy pset_p1 match application anyset security policies policy-set pset1 policy pset_p1 then permitset interfaces ge-0/0/1 mtu 9000set interfaces ge-0/0/1 unit 0 family inet address anyset interfaces ge-0/0/1 unit 0 family inet6 address any
Procedure
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure Geneve flow support for tunnel inspection on vSRX Virtual Firewall 3.0 (vSRX Virtual Firewall 3.0 as transit router) :
-
Define a trust and untrust zone to permit all host traffic under the [edit security zones] hierarchy.
-
Define the
tunnel-inspectionprofile.[edit security tunnel-inspection] user@host# set security tunnel-inspection vni r1 vni-range 1 to 100 user@host# set security tunnel-inspection vni r1 vni-id 500 user@host# set security tunnel-inspection profile inspection-profile ti-vendor geneve geneve1 vni r1 user@host# set security tunnel-inspection profile inspection-profile ti-vendor geneve geneve1 policy-set pset1 user@host# set security tunnel-inspection vni r2 vni-range 200 to 400 user@host# set security tunnel-inspection vni r2 vni-id 500 user@host# set security tunnel-inspection profile inspection-profile ti-vendor geneve geneve2 vni r2 user@host# set security tunnel-inspection profile inspection-profile ti-vendor geneve geneve2 policy-set pset2
-
Define outer session policies.
Note:For vSRX Virtual Firewall 3.0 as transit router, you need two policies in each direction. The
from-zoneandto-zoneare the respective zones that must be defined under the interfaces.[edit security policies] user@host# set security policies from-zone vtepc to-zone vteps policy p1 match source-address any user@host# set security policies from-zone vtepc to-zone vteps policy p1 match destination-address any user@host# set security policies from-zone vtepc to-zone vteps policy p1 match application junos-geneve user@host# set security policies from-zone vtepc to-zone vteps policy p1 then permit tunnel-inspection ti-vendor user@host# set security policies from-zone vteps to-zone vtepc policy p1 match application junos-geneve user@host# set security policies from-zone vteps to-zone vtepc policy p1 match source-address any user@host# set security policies from-zone vteps to-zone vtepc policy p1 match destination-address any user@host# set security policies from-zone vteps to-zone vtepc policy p1 then permit tunnel-inspection ti-vendor user@host#set security policies default-policy deny-all
-
Define an inner policy under
policy-setto process the decapsulated packet.[edit security policies] user@host# set security policies policy-set pset1 policy pset_p1 match source-address any user@host# set security policies policy-set pset1 policy pset_p1 match destination-address any user@host# set security policies policy-set pset1 policy pset_p1 match application any user@host# set security policies policy-set pset1 policy pset_p1 then permit
-
Configure the interface associated with
from-zoneof the virtual tunnel endpoint client (VTEPC) to receive the Geneve-encapsulated packets and the health-check packets.Note:In case of transit mode, vSRX Virtual Firewall 3.0 must be configured with two L3 interfaces for ingress and egress.
[edit] user@host# set interfaces ge-0/0/1 mtu 9000 user@host# set interfaces ge-0/0/1 unit 0 family inet address any user@host# set interfaces ge-0/0/1 unit 0 family inet6 address any
Results
From the configuration mode, confirm your configuration by entering the
show security policies command. If the output does not
display the intended configuration, repeat the instructions in this example to
correct the configuration.
user@host# show security policies
from-zone trust to-zone untrust {
policy p1 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
application-services {
application-traffic-control {
rule-set ftp-test1;
}
}
}
}
}
}
from-zone vtepc to-zone vteps {
policy p1 {
match {
source-address any;
destination-address any;
application junos-geneve;
}
then {
permit {
tunnel-inspection {
ti-vendor;
}
}
}
}
}
from-zone vteps to-zone vtepc {
policy p1 {
match {
source-address any;
destination-address any;
application junos-geneve;
}
then {
permit {
tunnel-inspection {
ti-vendor;
}
}
}
}
}
policy-set pset1 {
policy pset_p1 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
default-policy {
deny-all;
}}user@host# show security tunnel-inspection
inspection-profile ti-vendor {
geneve g-rule {
policy-set ps-vendor;
vni vni-vendor;
}
}
inspection-profile pro1;
vni r1 {
vni-id 500;
}
vni r2 {
vni-id 500;
}
}After you complete configuring the feature on your device, enter
commit from the configuration mode.