Considerations when implementing VXLAN-GBP

There are a few areas to consider when testing VXLAN-GBP support as covered in this document.

VXLAN-GBP Needs IP Clos Fabrics

VXLAN-GBP is supported only in an IP Clos fabric because this is the only design in which the VXLAN Layer 2 VTEP sits at the access switch layer.

Figure 1: Group-Based Policy Support

All other fabric types like EVPN multihoming, centrally-routed bridging (CRB), and edge-routed bridging (ERB) do not allow GBP tag management of wired clients because:

  • The VXLAN layer starts at the distribution or collapsed core layer, hence, wired clients can communicate uncontrolled to each other locally from port-to-port within the same access switch. Private VLANs do not help in this case because they are created through static Junos OS configuration and won’t follow a dynamically assigned GBP tag.
  • There is only a standard LAG established between the access switch and the upper switches such as distribution or collapsed core. Hence, between these stages of the fabric only VLANs and MAC addresses play a role, and the GBP tag gets lost in transit. You must start with VXLAN at the lowest stage of the fabric.
  • For wired clients performing dynamic RADIUS-based authentication, the wired client gets a GBP tag assigned as part of the authorization process on the access switch it is attached to. Again, there is no additional protocol to pass this information to the upper fabric stage, so this information is unseen by the fabric and cannot be reconstructed by it.
Note:

You can attach a desktop switch to the fabric’s access switch to manage, for example, a VoIP phone and a PC on a campus fabric IP Clos. If you want to perform dynamic authentication, you must perform a second, MAC-based authentication on the fabric’s access switch to get synchronized information about which GBP tag to assign. This is because the attached desktop switch does not share its RADIUS-based authorization information with the access switch.

No Support for VRF-to-VRF GBP Tag Distribution

The GBP tag distribution is limited to the VLANs inside the same VRF. This may be applicable if your network has a fabric with more than a single virtual routing and forwarding (VRF) instance. As shown in Figure 2, VRF-to-VRF GBP tag distribution does not work due to the following technical reasons:

  • All Juniper Mist-managed campus fabrics have isolation inside the fabric when traffic is passing between two VRFs. There is no route leaking between VRFs allowed inside the fabric itself for security reasons. Traffic between VRFs must always go south-to-north to the WAN router. The WAN router can then permit or forward the traffic between the VRFs and allow the traffic to flow back through the fabric to the destination VRF and VLAN.
  • WAN routers are usually not part of the VXLAN layer of a fabric. They use either a:
    • Layer 2 configuration with VLANs and trunk ports and static routes between the fabric and the WAN router.
    • Layer 3 configuration with point-to-point links and a routing protocol such as OSPF or eBGP between the fabric and the WAN router.
  • You encounter a situation similar to the EVPN multihoming, CRB, and ERB fabrics mentioned above, where traffic between stages uses a different transport and the GBP information carried in the VXLAN tunnel header gets lost between these stages. It is almost impossible to reconstruct the original information because, when the packet gets back into the fabric towards the destination VRF, the original MAC address is lost.
Figure 2: GBP Does Not Work for Traffic Between VRFs

It’s better to consider moving the VLANs into the same VRF in the fabric since such traffic will remain inside the fabric as east-west traffic and not be sent through the WAN router. In such a case, GBP-based management remains valid. See Figure 3.

Figure 3: GBP Works in a Single-VRF Fabric
Note:

A single global VRF is recommended in this case. Using GBP then reduces the need for multiple VRFs to meet security requirements.
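As an added illustration (example code, not from this Juniper document), the following Python models the point made in both the IP Clos and the VRF-to-VRF sections: the GBP tag rides only in the VXLAN header's Group Policy ID field (G bit set), so a hop that sees the frame as plain 802.1Q on a LAG or WAN link has no field to read it from. The header layout follows the VXLAN Group Policy extension; the MAC addresses, VNI and tag values are constructed.

```python
import struct

# VXLAN header flag bits (first byte). I comes from RFC 7348; G marks the
# Group Policy extension that carries the GBP tag in bytes 2-3.
VXLAN_FLAG_G = 0x80
VXLAN_FLAG_I = 0x08


def build_vxlan_header(vni, gbp_tag=None):
    """Return the 8-byte VXLAN header; set G and the Group Policy ID only when a tag is given."""
    flags, policy_id = VXLAN_FLAG_I, 0
    if gbp_tag is not None:
        if not 0 <= gbp_tag <= 0xFFFF:
            raise ValueError("GBP tag is a 16-bit field")
        flags |= VXLAN_FLAG_G
        policy_id = gbp_tag
    # flags | policy flags (D/A bits, left clear) | Group Policy ID | VNI (24 bits) | reserved
    return struct.pack("!BBH", flags, 0, policy_id) + vni.to_bytes(3, "big") + b"\x00"


def parse_vxlan_header(hdr):
    """Decode VNI and, only if the G bit is set, the GBP tag (otherwise the field is reserved)."""
    flags, _policy_flags, policy_id = struct.unpack("!BBH", hdr[:4])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set: no valid VNI")
    vni = int.from_bytes(hdr[4:7], "big")
    return {"vni": vni, "gbp_tag": policy_id if flags & VXLAN_FLAG_G else None}


def dot1q_vlan_id(frame):
    """VLAN ID from an 802.1Q-tagged Ethernet frame, or None if the frame is untagged."""
    if len(frame) >= 16 and frame[12:14] == b"\x81\x00":
        return int.from_bytes(frame[14:16], "big") & 0x0FFF
    return None


def what_a_hop_can_see(frame, vxlan_hdr=None):
    """Policy-relevant fields visible at a hop: MAC and VLAN always, GBP tag only inside VXLAN."""
    view = {"src_mac": frame[6:12].hex(":"), "vlan": dot1q_vlan_id(frame), "gbp_tag": None}
    if vxlan_hdr is not None:
        view["gbp_tag"] = parse_vxlan_header(vxlan_hdr)["gbp_tag"]
    return view


# Constructed sample: an 802.1Q frame from a wired client in VLAN 10 (made-up MACs, ARP ethertype).
CLIENT_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("0a1b2c3d4e5f")
                + b"\x81\x00" + (10).to_bytes(2, "big") + b"\x08\x06" + b"\x00" * 28)

if __name__ == "__main__":
    # Access switch acting as VTEP: the client's GBP tag 100 travels in the VXLAN header.
    print(what_a_hop_can_see(CLIENT_FRAME, build_vxlan_header(vni=10010, gbp_tag=100)))
    # Same frame on a plain VLAN trunk/LAG or a Layer 2 WAN handoff: only MAC and VLAN remain.
    print(what_a_hop_can_see(CLIENT_FRAME))
```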

Known Junos OS Switch Firmware Notes

When configuring GBP usage for the first time on an access switch, you need to schedule a maintenance window before it gets activated and used. Junos OS requires a restart of the control plane to include this change:

  • On a standalone switch, you can restart the Packet Forwarding Engine (PFE) to achieve the needed control plane restart for GBP inclusion.
  • On a Virtual Chassis, you need to issue a complete reboot of the entire Virtual Chassis to achieve the needed control plane restart for GBP activation.

Known Hardware Restrictions

Juniper Networks® EX4100 Switches have the following documented limitations:

  • Combined static interface/port and VLAN ID-based GBP tag assignments are not supported on the EX4100 Switch.
  • Static VLAN ID-based GBP tag assignments are not possible on the EX4100 Switch. We suggest you use the IPv4 prefix of the VLAN to achieve similar functionality.

Known Campus Fabric Deployment Functionality

Depending on when you have built your campus fabric IP Clos, the following needs to be checked:

  • If the campus fabric IP Clos was created after July 2024, you need to use Junos OS Release 24.2R2 or higher on the access switches for GBP. This is because a fabric created after this date automatically gets EVPN Type 2/5 coexistence configured for larger scale. The first Junos OS release version which supports EVPN Type 2/5 coexistence together with GBP is Junos OS Release 24.2R2.

Known Juniper Mist Portal Restrictions

In the current version, the Juniper Mist portal only supports the following static GBP tag assignments:

  • IPv4 prefix-based static GBP tag assignments called Subnets.
  • MAC address host-based static GBP tag assignments called MAC Address.
  • VLAN ID-based static GBP tag assignments called Network.

Currently, you must use additional Junos OS CLI commands if you want to make use of:

  • Switch port-based (interface-based) static GBP tag assignments.
  • Combined switch port-based (interface-based) and VLAN ID-based static GBP tag assignments.
  • L4 match conditions for policies as documented here.
  • A default deny option for all communication that does not have an explicit allow policy.

Wireless and Wired Client Segmentation Policies Use Different Sections in the Juniper Mist Portal

Currently, the microsegmentation of Juniper Mist-managed fabrics is achieved for wired and wireless clients in different sections of the Juniper Mist portal:

  • GBP and SGT-based microsegmentation of wired clients should be configured on the Organization > Switch Templates page. See Figure 4.
Figure 4: Switch Templates Location in the Juniper Mist Portal
  • Policy configuration of microsegmentation for wireless clients should be configured on the Organization > WLAN Templates page. See Figure 5.
Figure 5: WLAN Templates Location in the Juniper Mist Portal

After you create a new WLAN template, you can start to manage and configure the policies for wireless clients.