Abhi Shamsundar, Product Management, AIDE, Juniper Networks

Demo - Deploying Group-Based Policy at Scale with Juniper Microsegmentation

Demo Drop, AI & ML Operations
The screenshot shows presenter Abhi Shamsundar talking in the bottom left-hand corner of the screen. The slide shown from his presentation is titled “Group-Based Policy Standards Based Microsegmentation.” A visual of the EVPN-VXLAN network is shown with Access Control, Segmentation, and Device Profiling highlighted to the left and right. Underneath, a text bar says, “Intra and Inter Switch GBP support; Intra VXLAN support throughout campus fabric; and Dynamic GBP tagging leveraging 3rd party access control.”

Got 10 minutes? See how Mist simplifies microsegmentation.

Watch this demo by Juniper’s Abhi Shamsundar to learn how group-based policy (GBP) leverages underlying VXLAN technology to provide location-agnostic endpoint access control. You’ll learn about certain use cases where this sort of technology can be very powerful. 


You’ll learn

  • How GBP simplifies network configuration

  • How GBP blocks lateral threats by ensuring consistent application of security group policies throughout the network

Who is this for?

  • Network Professionals

  • Security Professionals

Host

Abhi Shamsundar
Product Management, AIDE, Juniper Networks

Guest speakers

Rick Bartosik
Technical Marketing Engineer, EX Switching, Juniper Networks

Transcript

0:08 Well, there were a lot of questions on group-based policy. That's why we wanted to spend some time on group-based policy: what it is, when would you use it, who would want to use this. We'll talk about group-based policies and how we get to this.

0:23 Group-based policy, GBP in short, is a simple tag. It sits in the VXLAN header. We are able to actually say... we know in the traditional firewall filters you could do, you know, segmentation based on VLANs, IP subnets. That resulted in a lot of firewall rules, and then you started hitting, you know, TCAM places. So how can we make this simpler and also solve for the most important problem? Microsegmentation is a lot of larger terminology. I think if we take a couple of point use cases which can come into mind: there's an influx of IoT devices that are plugging into the wired switching network now. There's a school district that I work with very closely, and initially they said, okay, we're going to move everything to Wi-Fi, there are going to be much fewer switches when they refresh. Turns out the host of devices that's on their network now, IP clocks, you know, cameras, you name it, lots of things require power, lights, all of these things require power. They would want to control them, you know, when they want it to be turned on, turned off, all of that remotely, so you're green as well. And now there's a host of devices on the network, and that also means a host of devices through which you can get into the network. So how do we actually say what are the things that these devices can talk to, especially at the layer 2 level? Would we want them to communicate to each other and instantiate a DDoS attack, or not? So for example cameras: there was an attack of that nature. How can we prevent devices, or isolate devices, from talking to each other? A use case of that would be, you know, whenever they are onboarded, whatever your favorite way of tagging is (we'll talk about the different ways of tagging), tag them and say cameras cannot talk to cameras: say camera tag cannot talk to camera tag. And then the next policy says cameras can only talk to their controller, which is an IP address, or it could be another tag also. That's a simple point use case to say when this could be really powerful: you do not even want their broadcast to be exchanged between each other, and that's the true power of microsegmentation, so they're not talking to each other in any form.

2:36 That's, you know, overall how you would want to do group-based policies, and what are we bringing to the table. Obviously this is a standard now. You have one point of policy management in the form of Mist. We configured the entire campus fabric from the Mist dashboard. Now we are also saying you can configure policy at one point, and that could be templatized. You're talking thousands of switches that you manage; can we manage them simply using the same form factor of templatization? We said you could templatize all pieces.

3:07 A couple of quick questions. You said it's a standard, but you got a draft URL up there. Is it a standard, NetSpend, that's a full RFC?

3:12 It is still a draft standard. It was written in 2017. To my knowledge we are the only vendor who actually utilizes it.

3:21 Yeah, the bit within the header itself. And are you able to read that in hardware?

3:28 Yes.

3:28 Okay, yeah. That's something that was just in EX switches with...?

3:34 It is EX; it is QFX 5120s as well. So the EX 4400, the EX 4100, the QFX 5120 and 50 and 46.50, they all support GBP at this level.

3:46 Okay, so we're saying it's a standard; practically speaking, I'm in the Juniper ecosystem to leverage group-based policies. Is that fair?

3:54 Yes. Okay, yes.

3:57 Do you have a way within Mist AI to monitor tag-to-tag communication? So let's say I'm trying to build my baseline of what should talk to what. I want to see what's out there today, and I can determine how to write that policy. Is there a way within Mist I can go in and see, like, a matrix of, hey, these tags are typically talking to these tags on these ports and protocols?

4:19 I'll quickly get through the demo. The greatest question is... it's a very good question, but we'll definitely showcase that too.

4:28 So that's group-based policy and what we bring to the table. Mist helps you, you know, with one policy management frame, but now your actual implementation of this happens locally at the switches, hopefully closest to the source where you are at.

4:46 We saw this being built right in front of you here. We want to just take it up a notch. With that, we are having communication between desktop one and desktop two. We don't want that to happen, and let's see how to break, or how to take, the communication.

5:03 I want to talk about the tag administration itself, because that's the most critical part of this whole concept of, you know, group-based policies. Now, from a perspective of tagging, if you see, we've built a bunch of tags in there already. If you say "add GBP tags", this is the Mist UI again. It's the same template that they use to administer the rest of the full campus: your networks, your VLANs, all of these pieces. Now we've just added the ability for you to do group-based tagging as well.

5:34 So the tags can either be dynamic or static. Dynamic is a way for you to say I would like for this device to receive a tag from a RADIUS attribute-value pair, and the attribute-value pair is listed there. It says Juniper switching filter and apply action, you know, the GBP tag itself. So depending upon how you posture your clients, how you onboard your clients, you can give a tag of whatever the nature is for anything that is a supplicant, any device that is a supplicant that's reaching the RADIUS server. So that's, you know, for the volume set of devices that, you know, are usually supplicants or even doing MAC auth; they can all get the tags directly. So that's dynamic; that's easy to onboard, so you're not in the business of adding static tags. But sometimes you also have devices that are outside your fabric, or even subnets that are outside your fabric, but you still want to administer them, to say my employees of net should not be talking to this particular website, or this particular IP scheme or IP subnet. Whatever the reason is, you could statically say... let me call it... you can either say a particular MAC address, or a network which is another VLAN (you can do VLAN-to-VLAN communication as fully blocked and then add a policy to say only talk to a controller), or you could also say IP subnet, to say 192.168.0.1 or 0.0/16 is off limits for this particular tag, and that can also be tagged statically. So anything that's outside the fabric usually, or well within the fabric that cannot do supplicant nature, then definitely they are candidates for them to be static tags. All of these tags are individually pushed down to individual switches, so they are all in the know of what tag this belongs to. That way we can position ingress tagging more and more.

7:28 Now from a policy perspective, currently, as you can see, desktop one is talking to desktop two. So you can go ahead and hit block, and then it'll go kill... Let's set up... make sure we're pinging these guys back here. I think we are. Blink doink. Yes, okay, so they're pinging across each other. And we will change the policy to block, and then you could save the configuration. After saving, let's go back to the policy sets itself.

8:01 So if you go down all the way to the policy set real quick, the tagging is done here and their corresponding policies are built here. So you could actually choose to use any of these tags here at the policy itself. This is where you define the policy usage on a per-device basis. If you go to the Switches tab and then go to the access switch that we are...

8:34 So if you saw, we didn't build any of these configurations on this particular switch; we inherited everything from the template. But we also have the ability to pull usages. This is, to answer your question, which policies are being hit more, which policies are being hit less. This is a constant dashboard where you can get to. So let's quickly look at the...

8:55 And to add on to that, do you have a way to tag devices without doing the enforcement? So you can just see, before I'm enforcing, I want to make sure I know what day-to-day communication is.

9:06 So you could have a policy to allow, okay, and then you go deny them. That's a really good use case actually: you build the policy, look at the usage, if it's only few or if it's a lot, right, depending upon how you'd want to implement.

9:21 And I might have missed it, but where in there did it define whether the enforcement was at ingress or egress?

9:28 So from a tagging perspective, that's the beauty of it. At this point in time the tagging is, you know, you can say desktop one to desktop two; you don't have to mention the direction.

9:38 Yeah, totally, from a tag perspective.

9:39 It's actually so, this is irrelevant whether it's ingress or egress, how it's tagged. I mean, in other words, the tagging policy itself. You tell the system through a command that I want to do ingress policy enforcement.

9:55 Okay, right.

9:56 So at this point you see the actual device is no longer pinging. This can be expanded as far as you would want to take it, right. This is a simple example of desktop one not talking to desktop two. This could be you tagging all of your cameras and then not allowing camera-to-camera communication, only controller communication, whatever the use case is. It's administered here in one place, and you can observe, and then you can push this down to thousands of switches across the entire segment.

10:25 Can you get back to your CLI and cancel it so I can see it failed? Can I get back to the CLI and cancel the ping so I can see...

10:33 Oh sure, yeah, yeah, yeah. Right now it's pinging at 90 packets, nothing.

10:40 Thank you. All right, no problem. Hold our feet as far... I love it, I love it. You got to, right. Let's turn it back on, and we'll make sure we can turn the policy back on. And yeah, or turn back up. Oh yeah, turn it back on, I guess. Awesome.

10:52 So that's GBP. There's a whole lot of use cases we can do with it, but we wanted to bring about, you know, the ease with which we can manage that, and how you can do pot... and now it's pinging back again, with...
