Juniper Apstra Demo: Group Based Policies for Increased Assurance and Segmentation

Demo Drop Network Automation
A picture on the left of a man in a sweater standing in the light of a computer screen. The text on top of the image says, “Simplify End - End Policy Deployment.” Text on the right has the headline, Group Based Policies. There are three bullet points underneath outlining Apstra Group Policy capabilities.

Automate to great: Apstra offers a new approach to data center security.

Are you feeling the stress of managing an increasingly complex web of resources, policy models, methods, and a mix of infrastructures? Apstra, with its simple interface and complete end-to-end data center automation capabilities, can help. Here’s how. 

Show more

You’ll learn

  • How to create a security policy to segment traffic within an Apstra managed data center fabric 

  • Apstra’s intelligent capabilities for creating complex security policies when there are numerous rules, different networks with different tenants, and lots of commands

  • How Apstra automatically renders policies you specify in the vendor-specific syntax

Who is this for?

Network Professionals Business Leaders


0:06 network administrators are always under

0:08 a lot of stress to manage an

0:09 increasingly complex web of resources

0:12 not to mention different policy models

0:15 methods and a mix of new and legacy

0:17 infrastructure appstra delivers complete

0:20 end-to-end data center automation with

0:22 hardware and device os vendor agnostic

0:25 templates that allows you to apply

0:28 security policies using a simple user

0:30 interface

0:32 you specify the policy and they are

0:34 automatically rendered in the

0:36 vendor-specific syntax and methods in

0:39 this short demo video we will see how to

0:41 create a security policy to segment

0:44 traffic within an abstra managed data

0:46 center fabric

0:47 juniper appstra and the fabric assurance

0:50 feature is also known as group based

0:52 policy

0:56 this feature is what creates a security

0:58 policy to segment traffic within an

1:00 appstra managed data center fabric

1:07 there are some very intelligent

1:08 capabilities when creating complex

1:10 security policies where there are

1:12 numerous rules different virtual

1:14 networks with different tenants lots of

1:16 commands and potentially conflicting

1:19 statements

1:21 these capabilities will take a policy

1:23 that's been created and go through the

1:25 components of how it's put together and

1:27 analyze it

1:28 on the right side you see this table

1:31 where you have policies

1:32 the ability to search if you have a vast

1:35 number of policies

1:36 conflicts where you have rules that are

1:38 contradictory and settings where you can

1:41 fine-tune the behavior of the system and

1:43 how it reacts when it does encounter

1:45 conflicting statements

1:48 an example of this might be a shadow

1:50 rule where one acl statement is a

1:52 superset of another acl statement

1:55 you might want to tell the system i want

1:57 to use the more specific rule rather

2:00 than the more vague rule or vice versa

2:03 so that's performed in the settings

2:06 on this page we have a very simple

2:08 policy that was created to block pings

2:11 between two servers here

2:18 these servers are known as endpoints

2:22 and here is the policy

2:27 we are denying icmp and permitting

2:30 everything else

2:34 there are some primitive elements here

2:36 that we need to take a look at

2:40 under the virtual tab we have another

2:42 set of objects where we can define

2:44 endpoints

2:48 these endpoints as you see on the right

2:51 side consist of internal endpoints which

2:54 are servers or workloads that are

2:56 considered inside the realm of the

2:58 appstra managed fabric

3:00 external endpoints which are the same

3:03 thing but outside of the managed fabric

3:06 enforcement points which are places

3:08 within the fabric where the access

3:09 control lists are placed and endpoint

3:12 groups where we can group together

3:14 individual endpoints either internal or

3:17 external into larger objects which make

3:19 them easier to be used in a policy

3:22 this is providing segmentation amongst

3:24 traffic with acls and some of those

3:26 intelligent features mentioned earlier

3:30 in this table you can see the web server

3:32 three in the first line and the virtual

3:34 network that is located within

3:37 and virtual networks are the overlays

3:44 this is the multi-tenancy capability

3:46 within an evpn vxlon environment

3:50 these endpoints represent the elements

3:52 in this lab platform and that are used

3:54 within the policy

3:56 we create these elements and assemble

3:59 them into a policy which is found under

4:01 the security policies tab

4:06 i hope this provides a little bit of an

4:08 overview of what appsta calls group

4:10 based policy and the feature called

4:12 fabric assurance

Show more