Configuring Security Policies for a VRF Routing Instance

28-Nov-23

Overview

A security policy is a set of statements that controls traffic from a specified source to a specified destination using a specified service. A policy permits, denies, or tunnels specified types of traffic unidirectionally between two points. Security policies enforce a set of rules for transit traffic, identifying which traffic can pass through the firewall and the actions taken on the traffic as it passes through the firewall. Actions for traffic matching the specified criteria include permit and deny.

When an SRX Series Firewall receives a packet that matches the specifications, it performs the action specified in the policy.

Controlling Traffic in SD-WAN Architecture

In an SD-WAN, the SRX Series Firewall can be deployed at a hub or a spoke location. By applying security policies, you can permit or deny virtual routing and forwarding (VRF)-based traffic that enters the device from overlay tunnels, and you can permit or deny traffic that is sent to a VRF instance. Configuring the device at the hub location lets you control all traffic at one point and grant access to specific network services through firewall policies.

Junos OS Release 19.1R1 introduced support for MPLS-based SD-WAN deployment on SRX1500, SRX4100, SRX4200, and SRX4600 devices.

Starting in Junos OS Release 22.2R1, MPLS-based SD-WAN deployment is also supported on SRX5400, SRX5600, and SRX5800 devices.

Each security policy consists of:

  • A unique name for the policy.

  • A from-zone and a to-zone, for example: user@host# set security policies from-zone GRE_Zone-GE_Zone to-zone GRE_Zone.

  • A set of match criteria defining the conditions that must be satisfied to apply the policy rule. The match criteria are based on a source IP address, destination IP address, and applications. The user identity firewall provides greater granularity by including an additional tuple, such as source-identity, as part of the policy statement.

  • A set of actions to be performed in case of a match—permit or deny.

  • A source VRF group (optional).

  • A destination VRF group (optional).

Note:

The source VRF and destination VRF options are both optional. You can configure either one, and in most cases we recommend configuring only one; the exception is MPLS-to-MPLS traffic with destination NAT, where Table 1 recommends both. The main reason for configuring a source VRF or a destination VRF is to differentiate MPLS labels that arrive through a shared physical network interface.

Table 1 lists when to configure the source VRF and destination VRF.

Table 1: Recommendations for Configuring VRF Options

Network Type (Source to Destination)                 | Configure Source VRF | Configure Destination VRF | VRF Policy Differentiated By
-----------------------------------------------------|----------------------|---------------------------|-------------------------------
IP network to IP network                             | No                   | No                        | Zones
IP network to MPLS network                           | No                   | Yes                       | Destination VRF
MPLS network to IP network                           | Yes                  | No                        | Source VRF
MPLS network to MPLS network without destination NAT | Yes                  | No                        | Source VRF
MPLS network to MPLS network with destination NAT    | Yes                  | Yes                       | Source VRF and Destination VRF

Understanding Security Policy Rules

A security policy applies security rules to the transit traffic within a context (from-zone to to-zone). Each policy is uniquely identified by its name. The traffic is classified by matching its source and destination zones, the source and destination addresses, the application, the source VRF, and the destination VRF that the traffic carries in its protocol headers with the policy database in the data plane.

Each policy is associated with the following characteristics:

  • A source zone

  • A destination zone

  • One or many source address names or address set names

  • One or many destination address names or address set names

  • One or many application names or application set names

  • One or many source VRF instances, that is, the VRF routing instance associated with an incoming packet

  • One or many destination VRF instances in which the MPLS next hop or destination address route is located

These characteristics are called the match criteria. Each policy also has an action associated with it: permit, deny, or reject. When you configure a policy, you must specify the source address, destination address, and application match conditions; the source VRF and destination VRF match conditions are optional.

You can configure either the source VRF or the destination VRF; configuring both is not recommended except where Table 1 calls for it. The main reason for configuring a source VRF or destination VRF is to differentiate MPLS labels that arrive through a shared physical network interface. If no source VRF or destination VRF is configured, the device treats the source and destination VRF as any, so the policy matches traffic from every VRF.

Example: Configuring a Security Policy to Permit or Deny VRF-Based Traffic from MPLS Network to an IP Network

This example shows how to configure security policies that permit or deny traffic based on the source VRF.

Requirements

Overview

In Junos OS, security policies enforce rules for transit traffic, in terms of what traffic can pass through the device and the actions that need to take place on the traffic as it passes through the device. In Figure 1, an SRX Series Firewall is deployed in an SD-WAN to control traffic using the source VRF. Traffic from the MPLS network is sent to site A and site B of the IP network. The network requirement is that traffic for site A is denied and only traffic for site B is permitted.

This configuration example shows how to:

  • Deny traffic arriving from VRF-a (from-zone GRE_Zone-GE_Zone to to-zone GRE_Zone)

  • Permit traffic arriving from VRF-b (from-zone GRE_Zone-GE_Zone to to-zone GRE_Zone)

In this example, the source VRF is configured. We recommend that you configure the source VRF when the source network is an MPLS network, as Table 1 shows for MPLS-to-IP traffic.

Figure 1: Permitting or Denying VRF-Based Traffic from MPLS Network to an IP Network

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set routing-instances VRF-a instance-type vrf
set routing-instances VRF-a route-distinguisher 10:200
set routing-instances VRF-a vrf-target target:100:100
set routing-instances VRF-a vrf-table-label
set routing-instances VRF-b instance-type vrf
set routing-instances VRF-b route-distinguisher 20:200
set routing-instances VRF-b vrf-target target:200:100
set routing-instances VRF-b vrf-table-label
set security policies from-zone GRE_Zone-GE_Zone to-zone GRE_Zone policy vrf-a_policy match source-address any
set security policies from-zone GRE_Zone-GE_Zone to-zone GRE_Zone policy vrf-a_policy match destination-address any
set security policies from-zone GRE_Zone-GE_Zone to-zone GRE_Zone policy vrf-a_policy match application any
set security policies from-zone GRE_Zone-GE_Zone to-zone GRE_Zone policy vrf-a_policy match source-l3vpn-vrf-group VRF-a
set security policies from-zone GRE_Zone-GE_Zone to-zone GRE_Zone policy vrf-a_policy then deny
set security policies from-zone GRE_Zone-GE_Zone to-zone GRE_Zone policy vrf-b_policy match source-address any
set security policies from-zone GRE_Zone-GE_Zone to-zone GRE_Zone policy vrf-b_policy match destination-address any
set security policies from-zone GRE_Zone-GE_Zone to-zone GRE_Zone policy vrf-b_policy match application any
set security policies from-zone GRE_Zone-GE_Zone to-zone GRE_Zone policy vrf-b_policy match source-l3vpn-vrf-group VRF-b
set security policies from-zone GRE_Zone-GE_Zone to-zone GRE_Zone policy vrf-b_policy then permit
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

  1. Layer 3 VPNs require a VRF table for distributing routes within the networks. Create the VRF instances and set the instance type to vrf.

    [edit routing-instances]
    user@host# set VRF-a instance-type vrf
    user@host# set VRF-b instance-type vrf

  2. Assign a route distinguisher to each routing instance.

    [edit routing-instances]
    user@host# set VRF-a route-distinguisher 10:200
    user@host# set VRF-b route-distinguisher 20:200

  3. Set the route target (vrf-target) community used to import and export all routes of each VRF.

    [edit routing-instances]
    user@host# set VRF-a vrf-target target:100:100
    user@host# set VRF-b vrf-target target:200:100

  4. Assign a single VPN label to all the routes in each VRF.

    [edit routing-instances]
    user@host# set VRF-a vrf-table-label
    user@host# set VRF-b vrf-table-label
    
  5. Create a security policy to deny VRF-a traffic.

    [edit security policies from-zone GRE_Zone-GE_Zone to-zone GRE_Zone]
    user@host# set policy vrf-a_policy match source-address any
    user@host# set policy vrf-a_policy match destination-address any
    user@host# set policy vrf-a_policy match application any
    user@host# set policy vrf-a_policy match source-l3vpn-vrf-group VRF-a
    user@host# set policy vrf-a_policy then deny

  6. Create a security policy to permit VRF-b traffic.

    [edit security policies from-zone GRE_Zone-GE_Zone to-zone GRE_Zone]
    user@host# set policy vrf-b_policy match source-address any
    user@host# set policy vrf-b_policy match destination-address any
    user@host# set policy vrf-b_policy match application any
    user@host# set policy vrf-b_policy match source-l3vpn-vrf-group VRF-b
    user@host# set policy vrf-b_policy then permit

    Note:

    If no destination VRF group is configured, the device treats the traffic as passing from the matched source VRF (VRF-a or VRF-b here) to any destination VRF.

Results

From configuration mode, confirm your configuration by entering the show security policies and show routing-instances commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security policies
from-zone GRE_Zone-GE_Zone to-zone GRE_Zone {
    policy vrf-a_policy {
        match {
            source-address any;
            destination-address any;
            application any;
            source-l3vpn-vrf-group VRF-a;
        }
        then {
            deny;
        }
    }
    policy vrf-b_policy {
        match {
            source-address any;
            destination-address any;
            application any;
            source-l3vpn-vrf-group VRF-b;
        }
        then {
            permit;
        }
    }
}

[edit]
user@host# show routing-instances
    VRF-a {
        instance-type vrf;
        route-distinguisher 10:200;
        vrf-target target:100:100;
        vrf-table-label;
    }
    VRF-b {
        instance-type vrf;
        route-distinguisher 20:200;
        vrf-target target:200:100;
        vrf-table-label;
    }

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Policy Configuration
Purpose

Verify information about security policies.

Action

From operational mode, enter the show security policies command to display a summary of all the security policies configured on the device. Check the Default policy line as well as the two VRF policies: in the output below it is permit-all, so traffic in this zone pair that matches neither vrf-a_policy nor vrf-b_policy, including traffic arriving from a VRF other than VRF-a or VRF-b, is permitted. If that is not intended, configure set security policies default-policy deny-all, or add an explicit final deny policy for the zone pair.

user@host> show security policies
Default policy: permit-all
From zone: GRE_Zone-GE_Zone, To zone: GRE_Zone
  Policy: vrf-a_policy, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source vrf: VRF-a
    destination vrf: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: deny
  Policy: vrf-b_policy, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
    Source vrf: VRF-b
    destination vrf: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
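
The output above reports Default policy: permit-all, and the rules section notes that a VRF left unconfigured in a policy matches any. The following script is an added example, not Juniper code or part of this page: it parses show security policies output in the format shown above and flags a default policy other than deny-all, permit policies that are not pinned to a VRF in a zone pair where other policies are, and VRF-pinned policies shadowed by an earlier permit-all policy, pairing each finding with the Junos set, deactivate, or insert command that would address it. The sample output is constructed: vrf-a_policy and vrf-b_policy are copied from this page, while the third policy, legacy_allow, is hypothetical.

```python
"""Audit SRX 'show security policies' output for VRF policy gaps (added example, not Juniper code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ANY = "any"
ADDR_KEYS = ("source addresses", "destination addresses", "applications")
# Constructed sample: vrf-a_policy and vrf-b_policy are copied from this page's
# verification output; legacy_allow is a hypothetical unscoped permit added to show the gap.
SAMPLE = """\
Default policy: permit-all
From zone: GRE_Zone-GE_Zone, To zone: GRE_Zone
  Policy: vrf-a_policy, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source vrf: VRF-a
    destination vrf: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: deny
  Policy: vrf-b_policy, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
    Source vrf: VRF-b
    destination vrf: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
  Policy: legacy_allow, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 3
    Source vrf: any
    destination vrf: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
"""
DEFAULT_RE = re.compile(r"^Default policy: (\S+)")
ZONE_RE = re.compile(r"^From zone: (\S+), To zone: (\S+)\s*$")
POLICY_RE = re.compile(r"^\s+Policy: ([^,]+),")
ATTR_RE = re.compile(r"^\s+([A-Za-z ]+): (.+?)\s*$")


@dataclass
class Policy:
    from_zone: str
    to_zone: str
    name: str
    attrs: Dict[str, str] = field(default_factory=dict)

    def get(self, key: str) -> str:   # a VRF field left unconfigured shows as "any"
        return self.attrs.get(key, ANY)

    @property
    def vrf_scoped(self) -> bool:     # source- or destination-l3vpn-vrf-group configured
        return self.get("source vrf") != ANY or self.get("destination vrf") != ANY


def parse_show_security_policies(text: str) -> Tuple[str, List[Policy]]:
    """Return (default policy, policies in evaluation order) from the CLI output."""
    default_policy, policies, zone_pair, current = "unknown", [], None, None
    for line in text.splitlines():
        if m := DEFAULT_RE.match(line):
            default_policy = m.group(1)
        elif m := ZONE_RE.match(line):
            zone_pair = (m.group(1), m.group(2))
        elif (m := POLICY_RE.match(line)) and zone_pair:
            current = Policy(*zone_pair, m.group(1).strip())
            policies.append(current)
        elif current and (m := ATTR_RE.match(line)):
            current.attrs[m.group(1).strip().lower()] = m.group(2)
    return default_policy, policies


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (finding, Junos remediation command) pairs. Policies are first-match
    within a zone pair, so an unscoped permit catches every VRF no earlier policy
    handled, and a VRF-pinned policy after a permit-all policy never matches."""
    default_policy, policies = parse_show_security_policies(text)
    findings: List[Tuple[str, str]] = []
    if default_policy != "deny-all":
        findings.append((f"default policy is {default_policy}: unmatched traffic is permitted",
                         "set security policies default-policy deny-all"))
    scoped_pairs = {(p.from_zone, p.to_zone) for p in policies if p.vrf_scoped}
    permit_all_seen: Dict[Tuple[str, str], str] = {}   # zone pair -> first permit-all policy
    for p in policies:
        pair, where = (p.from_zone, p.to_zone), f"{p.from_zone} -> {p.to_zone} policy {p.name}"
        if p.vrf_scoped and pair in permit_all_seen:
            earlier = permit_all_seen[pair]
            findings.append((f"{where} is shadowed by earlier permit-all policy {earlier}",
                             f"insert security policies from-zone {pair[0]} to-zone {pair[1]} "
                             f"policy {p.name} before policy {earlier}"))
        elif p.get("action") == "permit" and not p.vrf_scoped and pair in scoped_pairs:
            findings.append((f"{where} is not pinned to a VRF: any VRF not matched earlier falls through",
                             f"deactivate security policies from-zone {pair[0]} to-zone {pair[1]} "
                             f"policy {p.name}"))
            if all(p.get(k) == ANY for k in ADDR_KEYS):
                permit_all_seen.setdefault(pair, p.name)
    return findings


if __name__ == "__main__":
    for finding, fix in audit(SAMPLE):
        print(f"FINDING: {finding}\n    fix: {fix}")
```

Run it against saved show security policies output from an SRX; the script never talks to the device. Treat the deactivate and insert commands as suggestions to review, since an unscoped permit may be intentional for a zone pair, whereas the default-policy change is the one the page's own output most directly calls for.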

Example: Configuring a Security Policy to Permit VRF-Based Traffic from an IP Network to an MPLS Network

This example shows how to configure a security policy to permit traffic using the destination VRF.

Requirements

Overview

In Junos OS, security policies enforce rules for transit traffic, in terms of what traffic can pass through the device and the actions that need to take place on the traffic as it passes through the device.

In this example, an SRX Series Firewall is deployed in an SD-WAN architecture to control traffic using the destination VRF. You need to configure explicit policies to control this traffic, because the default policy does not support VRF options. Traffic from the IP network, that is, from site A and site B, is sent to the MPLS network. By configuring the policies, you permit the traffic from both site A and site B to the MPLS network.

In Figure 2, the source VRF is not configured because the LAN interface does not belong to an MPLS network. We recommend that you configure the destination VRF when the destination network is an MPLS network.

Figure 2: Permitting VRF-Based Traffic from an IP Network to an MPLS Network

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set routing-instances "VRF-a'" instance-type vrf
set routing-instances "VRF-a'" route-distinguisher 10:200
set routing-instances "VRF-a'" vrf-target target:100:100
set routing-instances "VRF-a'" vrf-table-label
set routing-instances "VRF-b'" instance-type vrf
set routing-instances "VRF-b'" route-distinguisher 20:200
set routing-instances "VRF-b'" vrf-target target:200:100
set routing-instances "VRF-b'" vrf-table-label
set security policies from-zone LAN-a_Zone to-zone GRE_Zone policy vrf-a_policy match source-address any
set security policies from-zone LAN-a_Zone to-zone GRE_Zone policy vrf-a_policy match destination-address any
set security policies from-zone LAN-a_Zone to-zone GRE_Zone policy vrf-a_policy match application any
set security policies from-zone LAN-a_Zone to-zone GRE_Zone policy vrf-a_policy match destination-l3vpn-vrf-group "VRF-a'"
set security policies from-zone LAN-a_Zone to-zone GRE_Zone policy vrf-a_policy then permit
set security policies from-zone LAN-b_Zone to-zone GRE_Zone policy vrf-b_policy match source-address any
set security policies from-zone LAN-b_Zone to-zone GRE_Zone policy vrf-b_policy match destination-address any
set security policies from-zone LAN-b_Zone to-zone GRE_Zone policy vrf-b_policy match application any
set security policies from-zone LAN-b_Zone to-zone GRE_Zone policy vrf-b_policy match destination-l3vpn-vrf-group "VRF-b'"
set security policies from-zone LAN-b_Zone to-zone GRE_Zone policy vrf-b_policy then permit
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure a policy to permit traffic from the IP network to the MPLS network using the destination VRF:

  1. Layer 3 VPNs require a VRF table for distributing routes within the networks. Create the VRF instances and set the instance type to vrf. The names VRF-a' and VRF-b' contain an apostrophe, so they are quoted.

    [edit routing-instances]
    user@host# set "VRF-a'" instance-type vrf
    user@host# set "VRF-b'" instance-type vrf

  2. Assign a route distinguisher to each routing instance.

    [edit routing-instances]
    user@host# set "VRF-a'" route-distinguisher 10:200
    user@host# set "VRF-b'" route-distinguisher 20:200

  3. Set the route target (vrf-target) community used to import and export all routes of each VRF.

    [edit routing-instances]
    user@host# set "VRF-a'" vrf-target target:100:100
    user@host# set "VRF-b'" vrf-target target:200:100

  4. Assign a single VPN label to all the routes in each VRF.

    [edit routing-instances]
    user@host# set "VRF-a'" vrf-table-label
    user@host# set "VRF-b'" vrf-table-label
    
  5. Create a security policy to permit traffic from the IP network to VRF-a'.

    [edit security policies from-zone LAN-a_Zone to-zone GRE_Zone]
    user@host# set policy vrf-a_policy match source-address any
    user@host# set policy vrf-a_policy match destination-address any
    user@host# set policy vrf-a_policy match application any
    user@host# set policy vrf-a_policy match destination-l3vpn-vrf-group "VRF-a'"
    user@host# set policy vrf-a_policy then permit

  6. Create a security policy to permit traffic from the IP network to VRF-b'.

    [edit security policies from-zone LAN-b_Zone to-zone GRE_Zone]
    user@host# set policy vrf-b_policy match source-address any
    user@host# set policy vrf-b_policy match destination-address any
    user@host# set policy vrf-b_policy match application any
    user@host# set policy vrf-b_policy match destination-l3vpn-vrf-group "VRF-b'"
    user@host# set policy vrf-b_policy then permit
    
Results

From configuration mode, confirm your configuration by entering the show security policies and show routing-instances commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security policies
    from-zone LAN-a_Zone to-zone GRE_Zone {
        policy vrf-a_policy {
            match {
                source-address any;
                destination-address any;
                application any;
                destination-l3vpn-vrf-group "VRF-a'";
            }
            then {
                permit;
            }
        }
    }
    from-zone LAN-b_Zone to-zone GRE_Zone {
        policy vrf-b_policy {
            match {
                source-address any;
                destination-address any;
                application any;
                destination-l3vpn-vrf-group "VRF-b'";
            }
            then {
                permit;
            }
        }
    }
[edit]
user@host# show routing-instances
    "VRF-a'" {
        instance-type vrf;
        route-distinguisher 10:200;
        vrf-target target:100:100;
        vrf-table-label;
    }
    "VRF-b'" {
        instance-type vrf;
        route-distinguisher 20:200;
        vrf-target target:200:100;
        vrf-table-label;
    }

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Policy Configuration
Purpose

Verify that the security policy permits VRF-based traffic from the IP network to the MPLS network.

Action

From operational mode, enter the show security policies command to display a summary of all the security policies configured on the device.

user@host> show security policies
From zone: LAN-a_Zone, To zone: GRE_Zone
  Policy: vrf-a_policy, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source vrf: any
    destination vrf: VRF-a'
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: LAN-b_Zone, To zone: GRE_Zone
  Policy: vrf-b_policy, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
    Source vrf: any
    destination vrf: VRF-b'
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit

Example: Configuring a Security Policy to Permit VRF-Based Traffic from an MPLS Network to an MPLS Network over GRE without NAT

This example shows how to configure security policies that permit traffic using both the source VRF and the destination VRF.

Requirements

Overview

In Junos OS, security policies enforce rules for transit traffic, in terms of what traffic can pass through the device and the actions that need to take place on the traffic as it passes through the device. In Figure 3, an SRX Series Firewall is deployed in an SD-WAN architecture to control traffic using the source VRF and the destination VRF. You need to configure policies to control the traffic. By configuring the policies, you permit traffic from one MPLS network to another MPLS network.

Table 1 recommends the source VRF alone for MPLS-to-MPLS traffic without destination NAT. This example configures both the source VRF and the destination VRF, which is also permitted and pins each policy to an explicit pair of VRFs (VRF-a to VRF-a', and VRF-b to VRF-b'), so traffic from one VRF cannot be permitted into the other VRF's counterpart.

Figure 3: Permitting VRF-Based Traffic from an MPLS Network to an MPLS Network over GRE without NAT

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set routing-instances VRF-a instance-type vrf
set routing-instances VRF-a route-distinguisher 10:200
set routing-instances VRF-a vrf-target target:100:100
set routing-instances VRF-a vrf-table-label
set routing-instances VRF-b instance-type vrf
set routing-instances VRF-b route-distinguisher 20:200
set routing-instances VRF-b vrf-target target:200:100
set routing-instances VRF-b vrf-table-label
set routing-instances "VRF-a'" instance-type vrf
set routing-instances "VRF-a'" route-distinguisher 30:200
set routing-instances "VRF-a'" vrf-target target:300:100
set routing-instances "VRF-a'" vrf-table-label
set routing-instances "VRF-b'" instance-type vrf
set routing-instances "VRF-b'" route-distinguisher 40:200
set routing-instances "VRF-b'" vrf-target target:400:100
set routing-instances "VRF-b'" vrf-table-label
set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-a_policy match source-address any
set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-a_policy match destination-address any
set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-a_policy match application any
set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-a_policy match source-l3vpn-vrf-group VRF-a
set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-a_policy match destination-l3vpn-vrf-group "VRF-a'"
set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-a_policy then permit
set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-b_policy match source-address any
set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-b_policy match destination-address any
set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-b_policy match application any
set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-b_policy match source-l3vpn-vrf-group VRF-b
set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-b_policy match destination-l3vpn-vrf-group "VRF-b'"
set security policies from-zone GRE-1_Zone to-zone GRE-2_Zone policy vrf-b_policy then permit
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure policies that permit traffic from an MPLS network to another MPLS network using the source VRF and the destination VRF:

  1. Layer 3 VPNs require a VRF table for distributing routes within the networks. Create the VRF instances and set the instance type to vrf. The names VRF-a' and VRF-b' contain an apostrophe, so they are quoted.

    [edit routing-instances]
    user@host# set VRF-a instance-type vrf
    user@host# set VRF-b instance-type vrf
    user@host# set "VRF-a'" instance-type vrf
    user@host# set "VRF-b'" instance-type vrf

  2. Assign a route distinguisher to each routing instance.

    [edit routing-instances]
    user@host# set VRF-a route-distinguisher 10:200
    user@host# set VRF-b route-distinguisher 20:200
    user@host# set "VRF-a'" route-distinguisher 30:200
    user@host# set "VRF-b'" route-distinguisher 40:200

  3. Set the route target (vrf-target) community used to import and export all routes of each VRF.

    [edit routing-instances]
    user@host# set VRF-a vrf-target target:100:100
    user@host# set VRF-b vrf-target target:200:100
    user@host# set "VRF-a'" vrf-target target:300:100
    user@host# set "VRF-b'" vrf-target target:400:100

  4. Assign a single VPN label to all the routes in each VRF.

    [edit routing-instances]
    user@host# set VRF-a vrf-table-label
    user@host# set "VRF-a'" vrf-table-label
    user@host# set VRF-b vrf-table-label
    user@host# set "VRF-b'" vrf-table-label
    
  5. Create a security policy to permit VRF-a traffic from the MPLS network.

    [edit security policies from-zone GRE-1_Zone to-zone GRE-2_Zone]
    user@host# set policy vrf-a_policy match source-address any
    user@host# set policy vrf-a_policy match destination-address any
    user@host# set policy vrf-a_policy match application any
    user@host# set policy vrf-a_policy match source-l3vpn-vrf-group VRF-a
    user@host# set policy vrf-a_policy match destination-l3vpn-vrf-group "VRF-a'"
    user@host# set policy vrf-a_policy then permit
    
  6. Create a security policy to permit VRF-b traffic from the MPLS network.

    [edit security policies from-zone GRE-1_Zone to-zone GRE-2_Zone]
    user@host# set policy vrf-b_policy match source-address any
    user@host# set policy vrf-b_policy match destination-address any
    user@host# set policy vrf-b_policy match application any
    user@host# set policy vrf-b_policy match source-l3vpn-vrf-group VRF-b
    user@host# set policy vrf-b_policy match destination-l3vpn-vrf-group "VRF-b'"
    user@host# set policy vrf-b_policy then permit
    
Results

From configuration mode, confirm your configuration by entering the show security policies and show routing-instances commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security policies
    from-zone GRE-1_Zone to-zone GRE-2_Zone {
        policy vrf-a_policy {
            match {
                source-address any;
                destination-address any;
                application any;
                source-l3vpn-vrf-group VRF-a;
                destination-l3vpn-vrf-group "VRF-a'";
            }
            then {
                permit;
            }
        }
        policy vrf-b_policy {
            match {
                source-address any;
                destination-address any;
                application any;
                source-l3vpn-vrf-group VRF-b;
                destination-l3vpn-vrf-group "VRF-b'";
            }
            then {
                permit;
            }
        }
    }
[edit]
user@host# show routing-instances
    VRF-a {
        instance-type vrf;
        route-distinguisher 10:200;
        vrf-target target:100:100;
        vrf-table-label;
    }
    VRF-b {
        instance-type vrf;
        route-distinguisher 20:200;
        vrf-target target:200:100;
        vrf-table-label;
    }
    "VRF-a'" {
        instance-type vrf;
        route-distinguisher 30:200;
        vrf-target target:300:100;
        vrf-table-label;
    }
    "VRF-b'" {
        instance-type vrf;
        route-distinguisher 40:200;
        vrf-target target:400:100;
        vrf-table-label;
    }

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Policy Configuration
Purpose

Verify that the security policies permit VRF-based traffic from one MPLS network to the other MPLS network, with each policy pinned to its source VRF and destination VRF.

Action

From operational mode, enter the show security policies command to display a summary of all the security policies configured on the device.

user@host> show security policies
From zone: GRE-1_Zone, To zone: GRE-2_Zone
  Policy: vrf-a_policy, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
    Source vrf: VRF-a
    destination vrf: VRF-a'
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
  Policy: vrf-b_policy, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 2
    Source vrf: VRF-b
    destination vrf: VRF-b'
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit

Example: Configuring Security Policies Using VRF Routing Instances in an MPLS Network

This example shows how to configure security policies using VRF routing instances.

Requirements

Overview

In this example, you create security policies that use virtual routing and forwarding (VRF) instances to isolate traffic traversing the following networks:

  • An MPLS network to a private IP network

  • A global IP network to an MPLS network

MPLS Network to Private IP Network

Procedure

Step-by-Step Procedure
  1. Layer 3 VPNs require a VRF table for distributing routes within the networks. Create the VRF instances and set the instance type to vrf.

    [edit routing-instances]
    user@host# set VRF-a instance-type vrf
    user@host# set VRF-b instance-type vrf

  2. Assign a route distinguisher to each routing instance.

    [edit routing-instances]
    user@host# set VRF-a route-distinguisher 10:200
    user@host# set VRF-b route-distinguisher 20:200

  3. Set the route target (vrf-target) community used to import and export all routes of each VRF.

    [edit routing-instances]
    user@host# set VRF-a vrf-target target:100:100
    user@host# set VRF-b vrf-target target:200:100

  4. Assign a single VPN label to all the routes in each VRF.

    [edit routing-instances]
    user@host# set VRF-a vrf-table-label
    user@host# set VRF-b vrf-table-label
    
  5. Create a security policy to permit traffic from VRF-a destined for LAN A.

    [edit security policies from-zone GRE_Zone to-zone LAN-a_Zone]
    user@host# set policy vrf-a_policy match source-address any
    user@host# set policy vrf-a_policy match destination-address any
    user@host# set policy vrf-a_policy match application any
    user@host# set policy vrf-a_policy match source-l3vpn-vrf-group VRF-a
    user@host# set policy vrf-a_policy then permit
    
  6. Create a security policy to permit traffic from VRF-b destined for LAN B.

    [edit security policies from-zone GRE_Zone to-zone LAN-b_Zone]
    user@host# set policy vrf-b_policy match source-address any
    user@host# set policy vrf-b_policy match destination-address any
    user@host# set policy vrf-b_policy match application any
    user@host# set policy vrf-b_policy match source-l3vpn-vrf-group VRF-b
    user@host# set policy vrf-b_policy then permit
    
Results

From configuration mode, confirm your configuration by entering the show security policies and show routing-instances commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

content_copy zoom_out_map
user@host# show security policies 
from-zone GRE_Zone to-zone LAN-a_Zone {
    policy vrf-a_policy {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone GRE_Zone to-zone LAN-b_Zone {
    policy vrf-b_policy {
        match {
            source-address any;
            destination-address any;
            application any;
            source-l3vpn-vrf-group VRF-b;
        }
        then {
            permit;
        }
    }
}
[edit]
user@host# show routing-instances
    VRF-a {
        instance-type vrf;
        route-distinguisher 10:200;
        vrf-target target:100:100;
        vrf-table-label;
    }
    VRF-b {
        instance-type vrf;
        route-distinguisher 20:200;
        vrf-target target:200:100;
        vrf-table-label;
    }

If you are done configuring the device, enter commit from configuration mode.
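Because a permit policy that omits the l3vpn-vrf-group match term passes traffic from every VRF reaching that zone pair, it is worth auditing the output of show security policies for exactly that gap. The Python below is an added example, not Juniper code: it parses the brace-formatted output (SAMPLE is a constructed capture modelled on this page, with the VRF term deliberately left out of vrf-a_policy) and reports permit policies that carry no source- or destination-l3vpn-vrf-group match.

```python
# Added example, not Juniper code: audit 'show security policies' output for
# permit policies with no l3vpn-vrf-group match term. SAMPLE is constructed.
SAMPLE = """\
from-zone GRE_Zone to-zone LAN-a_Zone {
    policy vrf-a_policy {
        match {
            source-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone GRE_Zone to-zone LAN-b_Zone {
    policy vrf-b_policy {
        match {
            source-address any;
            application any;
            source-l3vpn-vrf-group VRF-b;
        }
        then {
            permit;
        }
    }
}
"""

def parse_junos(text):
    """Nested dicts from brace-structured Junos output ('key value;' leaves)."""
    node, stack = {}, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.endswith("{"):            # open a child block
            stack.append(node)
            node = node.setdefault(line[:-1].strip(), {})
        elif line == "}":                 # close it
            node = stack.pop()
        else:                             # leaf statement, last value wins
            key, _, val = line.rstrip(";").partition(" ")
            node[key] = val
    return node                           # back at the root once braces balance

def unscoped_permits(text):
    """(zone pair, policy) for each permit lacking a *-l3vpn-vrf-group term."""
    hits = []
    for pair, policies in parse_junos(text).items():
        for name, body in policies.items():
            scoped = any(k.endswith("l3vpn-vrf-group") for k in body.get("match", {}))
            if "permit" in body.get("then", {}) and not scoped:
                hits.append((pair, name.split(" ", 1)[1]))
    return hits
```

Run it against a captured show security policies output in place of SAMPLE; an empty result means every permit is pinned to a VRF group.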

Global IP Network to an MPLS Network

Procedure

Step-by-Step Procedure
  1. Layer 3 VPNs require a VRF table for distributing routes within the networks. Create a VRF instance and specify the value vrf.

    [edit routing-instances]
    user@host# set VRF-a instance-type vrf
    user@host# set VRF-b instance-type vrf
    user@host# set VRF-a’ instance-type vrf
    user@host# set VRF-b’ instance-type vrf
    
  2. Assign a route distinguisher to the routing instance.

    [edit routing-instances]
    user@host# set VRF-a route-distinguisher 10:200
    user@host# set VRF-b route-distinguisher 20:200
    user@host# set VRF-a’ route-distinguisher 30:200
    user@host# set VRF-b’ route-distinguisher 40:200
    
  3. Create a community policy to import or export all routes.

    [edit routing-instances]
    user@host# set VRF-a vrf-target target:100:100
    user@host# set VRF-b vrf-target target:200:100
    user@host# set VRF-a’ vrf-target target:300:100
    user@host# set VRF-b’ vrf-target target:400:100
    
  4. Assign a single VPN label for all the routes in the VRF.

    [edit routing-instances]
    user@host# set VRF-a vrf-table-label
    user@host# set VRF-a’ vrf-table-label
    user@host# set VRF-b vrf-table-label
    user@host# set VRF-b’ vrf-table-label
    
  5. Create the destination NAT pools, one per VRF routing instance.

    [edit security nat destination]
    user@host# set pool vrf-a_p routing-instance VRF-a
    user@host# set pool vrf-a_p address 20.0.0.4/24
    user@host# set pool vrf-b_p routing-instance VRF-b 
    user@host# set pool vrf-b_p address 30.0.0.4/24
    
  6. Create a destination NAT rule set.

    [edit security nat destination]
    user@host# set rule-set rs from interface ge-0/0/0.0
    user@host# set rule-set rs rule vrf-a_r match destination-address 40.0.0.4/24
    user@host# set rule-set rs rule vrf-a_r then destination-nat pool vrf-a_p 
    
  7. Configure a rule that matches packets and translates the destination address to the address in the pool.

    [edit security nat destination]
    user@host# set rule-set rs from interface ge-0/0/1.0
    user@host# set rule-set rs rule vrf-b_r match destination-address 50.0.0.4/24
    user@host# set rule-set rs rule vrf-b_r then destination-nat pool vrf-b_p
    
  8. Configure security policies that allow traffic from the internet (untrust) zone to the servers in the trust zone, each matched on its destination VRF group.

    [edit security policies from-zone internet to-zone trust]
    user@host# set policy vrf-a_policy match source-address any
    user@host# set policy vrf-a_policy match destination-address any
    user@host# set policy vrf-a_policy match application any
    user@host# set policy vrf-a_policy match destination-l3vpn-vrf-group VRF-a’
    user@host# set policy vrf-a_policy then permit
    user@host# set policy vrf-b_policy match source-address any
    user@host# set policy vrf-b_policy match destination-address any
    user@host# set policy vrf-b_policy match application any
    user@host# set policy vrf-b_policy match destination-l3vpn-vrf-group VRF-b’
    user@host# set policy vrf-b_policy then permit
    
Results

From configuration mode, confirm your configuration by entering the show security policies, show routing-instances, and show security nat destination commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user@host# show security policies
from-zone internet to-zone trust {
    policy vrf-a_policy {
        match {
            source-address any;
            destination-address any;
            application any;
            destination-l3vpn-vrf-group VRF-a;
        }
        then {
            permit;
        }
    }
    policy vrf-b_policy {
        match {
            source-address any;
            destination-address any;
            application any;
            destination-l3vpn-vrf-group VRF-b;
        }
        then {
            permit;
        }
    }
}
[edit]
user@host# show routing-instances
    VRF-a {
        instance-type vrf;
        route-distinguisher 10:200;
        vrf-target target:100:100;
        vrf-table-label;
    }
    VRF-b {
        instance-type vrf;
        route-distinguisher 20:200;
        vrf-target target:200:100;
        vrf-table-label;
    }
    VRF-a’ {
        instance-type vrf;
        route-distinguisher 30:200;
        vrf-target target:300:100;
        vrf-table-label;
    }
    VRF-b’ {
        instance-type vrf;
        route-distinguisher 40:200;
        vrf-target target:400:100;
        vrf-table-label;
    }
user@host# show security nat destination
pool vrf-a_p {
    routing-instance {
        VRF-a’;
    }
    address 20.0.0.4/24;
}
pool vrf-b_p {
    routing-instance {
        VRF-b’;
    }
    address 30.0.0.4/24;
}
rule-set rs {
    from interface [ ge-0/0/0.0 ge-0/0/1.0 ];
    rule vrf-a_r {
        match {
            destination-address 40.0.0.4/24;
        }
        then {
            destination-nat {
                pool {
                    vrf-a_p;
                }
            }
        }
    }
    rule vrf-b_r {
        match {
            destination-address 50.0.0.4/24;
        }
        then {
            destination-nat {
                pool {
                    vrf-b_p;
                }
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying the Destination NAT Rule

Purpose

Display information about all the destination NAT rules.

Action

From operational mode, enter the show security nat destination rule all command.

user@host> show security nat destination rule all
Total destination-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 6/0
Destination NAT rule: rule1                  Rule-set: vrf-b_r
  Rule-Id                    : 2
  Rule position              : 2
  From routing instance      : vrf-b_r
  Destination addresses      : 50.0.0.4         - 50.0.0.4
  Action                     : vrf-b_p
  Translation hits           : 0
    Successful sessions      : 0
    Failed sessions          : 0
  Number of sessions         : 0

[...Output truncated...]

Meaning

The command displays the destination NAT rule. View the Translation hits field to check for traffic that matches the destination rule.

Verifying the Flow Session

Purpose

Display information about all the currently active security sessions on the device.

Action

From operational mode, enter the show security flow session command.

user@host> show security flow session
Flow Sessions on FPC0 PIC1:
Session ID: 10115977, Policy name: SG/4, State: Active, Timeout: 62, Valid
In: 203.0.113.11/1000  203.0.113.1/2000;udp, Conn Tag: 0x0, If: reth1.1, VRF: VRF-a, Pkts: 1, Bytes: 86, CP Session ID: 10320276
Out: 203.0.113.1/2000  203.0.113.11/1000;udp, Conn Tag: 0x0, If: reth0.0, VRF: VRF-b, Pkts: 0, Bytes: 0, CP Session ID: 10320276

Meaning

The command displays details about all the active sessions. View the VRF field to check the VRF routing instance details in the flow.
