Demo - Deploying Group-Based Policy at Scale with Juniper Microsegmentation
It is time to rethink current metro design beyond connectivity.
Cloud Metro represents an exciting new market category, which is highly distinct from the traditional Retro Metro across a range of attributes. Juniper is the only vendor in the market that delivers a truly compelling and differentiated portfolio that unlocks the advantages of the Cloud Metro for service providers.
AI-ops-driven automation, future-proof network systems, transport (100GE, 400GE), service assurance, and network security, are service providers' topmost metro requirements to build a future metro infrastructure and deliver differentiated user experiences.
You’ll learn
Juniper Cloud Metro sets service providers on the path to sustainable outcomes
What comprises a sustainable architecture
Who is this for?
Host
Transcript
0:08 well there was a lot of questions on
0:10 group based policy uh that's why we
0:12 wanted to spend some time on uh
0:15 group-based policy and what when would
0:17 you use it who would want to use this uh
0:19 we'll talk about group based policies
0:21 and how we get to this
0:23 group based policy is GBP in short uh it
0:27 is it sits it's a simple tag it sits in
0:30 the vxlan header uh we are able to
0:33 actually say uh we know in in the
0:36 traditional firewall filters uh you
0:37 could do you know uh segmentation based
0:40 on vlans IP subnets that that resulted
0:42 in a lot of uh firewall rules and then
0:45 you started hitting you know tcam uh
0:48 places so how can we make this simpler
0:51 and also solve for the most important
0:53 problem micro segmentation is a lot of
0:55 larger terminology I think if we take a
0:57 couple of Point use cases which can come
0:59 into mind there's influx of iot devices
1:02 that are plugging into the wired
1:04 switching Network now uh there's a
1:07 school year School District that I work
1:09 with very closely and uh initially they
1:11 said okay we're going to move everything
1:13 to Wi-Fi uh there's going to be much
1:15 lesser switches when they said they
1:16 would refresh turns out the host of
1:18 devices that's on their Network now IP
1:21 clocks uh you know cameras you name the
1:23 lots of things require power lights all
1:27 of these things require power they would
1:29 want to control them you know when they
1:30 want it to be turned on turned off all
1:31 of that remotely so you can you're green
1:34 as well uh and now there's a host of
1:37 devices on the network now that also
1:38 means host of devices through which you
1:41 can get into the network so how do we
1:43 actually say what what are the things
1:45 that these devices can talk to
1:46 especially at the layer 2 level would we
1:48 want them to communicate to each other
1:50 and instantiate the DDOS attack rather
1:52 or not so for example cameras there was
1:54 a there was a attack of that nature how
1:57 can we prevent uh devices or isolate
2:00 devices from talking to each other's uh
2:02 use case of that would be you know
2:04 whenever they are on board whatever your
2:06 favorite way of tagging is we'll talk
2:07 about the different ways of tagging tag
2:09 them and say if cameras cannot talk to
2:12 cameras say camera attack cannot talk to
2:13 camera tag that's and then say and the
2:16 next policy say cameras can only talk to
2:18 their controller which is an IP address
2:20 or it could be another tag also that's a
2:22 simple use Point use case to say when
2:24 this could be really powerful you do not
2:27 even want their broadcast to be
2:28 exchanged between each other and that's
2:30 the true power of micro segmentation so
2:32 they're not talking to each other in any
2:33 form
2:35 um
2:36 that's that's uh you know overall how
2:38 you would want to do group based
2:40 policies and what are we bringing to the
2:41 table obviously this is a standard now
2:44 you have one point of policy management
2:46 in the form of mist we we configured the
2:49 entire campus fabric from the Miss
2:51 dashboard now we are also saying you can
2:54 configure policy at one point and that
2:57 could be templatized you're talking
2:58 thousands of switches that you manage
3:00 can we manage them simply using a same
3:02 form factor of templatization we said
3:04 you could templatize uh all pieces a
3:07 couple of quick questions you said it's
3:08 a standard but you got a draft URL up
3:10 there is it a standard NetSpend that's a
3:12 full RFC it is uh it is still a draft
3:16 standard it is written in 2017 to my
3:19 knowledge we are the only vendor who
3:21 actually utilizes utilizes it yeah the
3:23 the bit within the header itself and are
3:26 you able to read that in Hardware
3:28 yes okay yeah that's that's something
3:30 that was in just in in ex switches with
3:34 it is it is ex which is 5120s as well so
3:38 the so the ex 4400
3:40 the x4100
3:42 the qfx 5120 and 50 and 46.50 they all
3:46 support GBP at this level okay so we're
3:49 saying it's a standard practically
3:50 speaking I'm in the Juniper ecosystem to
3:53 leverage group based policies is that
3:54 fair yes okay yes
3:57 do you have a way within missed AI to
4:00 monitor tag to tag communication so
4:04 let's say I'm trying to build my
4:05 Baseline of what should talk to what I
4:07 want to see what's out there today and I
4:09 can determine how to write that policy
4:11 is there a way within Mist I can go in
4:14 and see like a matrix of hey these tags
4:17 are typically talking to these tags on
4:19 on these ports and protocols I'll
4:21 quickly get through the demo the
4:22 greatest question is it's a very good
4:24 question uh but we'll definitely
4:26 showcase that too
4:28 so that's a group based policy and what
4:31 we bring to the table Miss helps you uh
4:35 you know with one policy management
4:37 frame but now your actual implementation
4:40 of this happens locally at the switches
4:42 hopefully closest to the to the source
4:44 where you are at
4:46 we saw this uh being built right in
4:48 front of you here uh we want to just
4:50 take it up a notch with that we are
4:52 having communication between desktop one
4:53 and desktop two we don't want that to
4:55 happen and uh let's see how how to break
4:58 or how to take the communication
5:02 um
5:03 I want to talk about the the tag
5:06 Administration itself because that's
5:07 that's the most critical part of this
5:09 whole concept of uh you know group based
5:11 policies now in from from a perspective
5:14 of uh tagging uh if you see we've built
5:17 a bunch of tags in there already if you
5:19 say add GBP tags
5:22 um this is the missed UI again it's the
5:24 same template that they use to
5:25 administer the rest of the full campus
5:27 your networks your vlans all of these
5:29 pieces now we've just added uh the
5:31 ability for you to do group based
5:33 tagging as well
5:34 so the tags can either be dynamic or
5:38 static Dynamic is a way for you to say I
5:41 would like for this device to receive a
5:44 tag from a radius attribute value pair
5:46 and the attribute value pair is listed
5:47 there it says
5:49 um Juniper switching filter and apply
5:51 action you know the GBP tag itself so uh
5:54 depending upon how you posture your
5:55 clients how you onboard your clients you
5:58 can give a tag of of whatever the nature
6:01 is for anything that is a supplicant or
6:04 uh yeah any device that is a supplicant
6:06 that's reaching uh the the radius server
6:09 so that's you know for the volume set of
6:11 devices that you know that are usually
6:13 supplicants or even doing uh Mac oth can
6:16 all get the tags directly so that's
6:18 Dynamic that's easy to onboard so you're
6:21 not in the business of adding static
6:22 tags but sometimes you also have uh
6:26 devices that are outside your Fabric or
6:29 even subnets that are out here outside
6:31 your fabric but you still want to
6:32 administer them to say my employees of
6:34 net should not be talking to this
6:36 particular website and or this
6:38 particular IP scheme or IP subnet
6:40 whatever the reason is you could
6:42 statically say let me call it the uh you
6:45 can either say a particular Mac address
6:47 a network which is another VLAN you can
6:51 do VLAN to VLAN communication as fully
6:53 blocked and then add a policy to say
6:55 only to talk to a controller or you
6:57 could also IP subnet to say uh 192.168
7:00 0.1 or 0 0.0 16 is off limits for this
7:05 particular tag and that can also be
7:06 tagged statically so anything that's
7:09 outside the fabric usually uh or well
7:11 within the fabric that cannot do
7:13 supplicant uh nature then definitely
7:16 they are candidates for them to be
7:17 static tags all of these tags are
7:19 individually pushed down to individual
7:21 switches so they are all in the know of
7:23 what tag this belongs to that way we can
7:26 position Ingress tagging more and more
7:28 now from a policy perspective currently
7:31 as you can see desktop one is talking to
7:33 desktop too uh so you can go ahead and
7:36 hit uh block and then it'll go kill
7:38 let's set up the make sure we're pinging
7:40 these guys back here I think we are
7:42 blink doink
7:44 yes okay so they're picking across each
7:46 other
7:47 and we will change the policy to block
7:49 block and then you could save the
7:50 configuration and let's go back after
7:52 saving let's go back to the policy sets
7:54 itself so
8:01 so if you go down all the way to the
8:02 policy set real quick uh the tagging is
8:06 done here and their corresponding
8:08 policies are built here so you could
8:09 actually choose to use any of these tags
8:11 here on on your uh on on at the policy
8:15 itself this is where you define the
8:17 policy usage on a per device basis if
8:19 you go to the switches Tab and then go
8:21 to the access switch that we are
8:23 foreign
8:34 so if you saw we didn't build any of
8:36 these uh configurations on this
8:38 particular switch we inherited
8:39 everything from the template but we also
8:41 have the ability to pull usages uh this
8:44 is uh to answer your question which
8:46 policies are being hit more which
8:48 policies are being hit less uh this is a
8:51 constant dashboard where you can get to
8:53 so let's quickly look at the
8:55 uh and to add on to that do you so do
8:57 you have a way to tag devices without
8:59 doing the enforcement so you can just
9:01 see before I'm enforcing I want to make
9:04 sure I know what day-to-day
9:06 communication is so you could you could
9:08 have a policy to allow okay
9:11 and then you go deny them and say that's
9:13 a really good use case actually uh you
9:16 build the policy look at the usage if
9:18 it's only few or if it's a lot right
9:20 depending upon how you'd want to
9:21 implement and I might have missed it but
9:23 where in there
9:25 did it define whether the enforcement
9:28 was at Ingress or egress so from a
9:30 tagging perspective that's the beauty of
9:32 it at this point in time uh the tagging
9:34 is you know you can say desktop one to
9:36 desktop 2 is uh you don't have to
9:38 mention the direction yeah totally from
9:40 a tag perspective it's actually so
9:43 um this is irrelevant whether it's
9:45 Ingress or egress how it's tagged I mean
9:47 in other words the tagging policy itself
9:49 you tell the system through uh through a
9:52 command that I want to do Ingress policy
9:54 enforcement
9:55 okay right
9:56 so at this point you see the actual
9:59 device is no longer pinging uh this can
10:01 be expanded to as as further you would
10:03 want to take it right this is a simple
10:04 example of desktop one not talking to
10:06 desktop 2. this could be you tagging all
10:09 of your cameras and then a lot not
10:11 allowing camera to camera communication
10:13 only to controller communication
10:14 whatever the use case is it's
10:17 administered here in one place and it's
10:20 uh it's you can observe and then you can
10:23 push this down to thousands of switches
10:25 across across the entire segment can you
10:27 get back to your CLI and cancel it so I
10:29 can see it failed
10:31 can I get back to the CLS CLI and cancel
10:33 the pink so I can say oh sure yeah yeah
10:35 yeah
10:37 right now it's pinging at 90 packets
10:40 nothing thank you all right no problem
10:43 hold our feet as far I love it I love it
10:45 you got to right let's turn it back on
10:47 and we'll make sure we're we can turn
10:49 the policy back on and yeah or turn back
10:51 up oh yeah turn it back on I guess
10:52 awesome uh so that's GBP uh there's a
10:55 whole lot of use cases we can do with it
10:57 but we wanted to bring about you know
10:58 the the ease of which we can manage that
11:01 uh and uh how you can do pot and now
11:03 it's pinging back again
11:05 with