Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Join Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions as they discuss ongoing efforts to support digital transformation.
Register to attend
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Join us for an enlightening webinar with Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; retail guru Jack Stratten of Insider Trends; and Christian Gilby, Director of Product Marketing at Juniper Networks, as they discuss the future of in-store technologies.
Reserve my spot

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Register now
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Explore Pathfinder Apps
CLI Explorer
Feature Explorer
Hardware Compatibility Tool
Port Checker
Browse All
Collapse

Pathfinder Apps

All

By Software

By Hardware

Learn More
Pathfinder HomeCLI ExplorerCompliance AdvisorFeature ExplorerHardware Compatibility ToolJunos XML API ExplorerJunos YANG Data Model ExplorerPort CheckerPower CalculatorSNMP MIB ExplorerSystem Log Explorer
CLI ExplorerFeature ExplorerJunos XML API ExplorerJunos YANG Data Model ExplorerSNMP MIB ExplorerSystem Log Explorer
Compliance AdvisorFeature ExplorerHardware Compatibility ToolPort CheckerPower Calculator
Home Documentation Junos OS EVPN User Guide EVPN-VXLAN Tunnel Traffic Inspection on SRX Series Devices

EVPN User Guide

keyboard_arrow_up
close
keyboard_arrow_left
EVPN User Guide
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Tunnel Inspection for EVPN-VXLAN by SRX Series Devices

date_range 20-Dec-24
arrow_backward
arrow_forward

Read this topic to understand how to setup your security device to perform tunnel inspection for EVPN-VXLAN to provide embedded security.

Overview

(Ethernet VPN) EVPN-(Virtual Extensible LAN) VXLAN provides enterprises a common framework used to manage their campus and data center networks.

The rapidly increasing usage of mobile and IoT devices adds a large number of endpoints to a network. Modern enterprise networks must scale rapidly to provide immediate access to devices and to extend security and control for these endpoints.

To provide endpoint flexibility, EVPN-VXLAN decouples the underlay network (physical topology) from the overlay network (virtual topology). By using overlays, you gain the flexibility of providing Layer 2/Layer 3 connectivity between endpoints across campus and data centers, while maintaining a consistent underlay architecture.

You can use SRX Series Firewalls in your EVPN-VXLAN solution to connect end-points in your campus, data center, branch and public cloud environments while providing embedded security.

Starting in Junos OS Release 21.1R1, the SRX Series Firewall can also apply following Layer 4/Layer 7 security services to the EVPN-VXLAN tunnel traffic:

  • Application Identification

  • IDP

  • Juniper ATP (formerly known as ATP Cloud)

  • Content Security

Figure 1 shows a typical deployment scenario of EVPN-VXLAN fabric based on Edge-routed bridging (ERB) with SRX Series Firewalls functioning in an enhanced border leaf (EBL) role. EBL enhances the traditional role of a border leaf with the ability to perform inspection of traffic in VXLAN tunnels.

Figure 1: EVPN-VXLAN Architecture with SRX Series DeviceEVPN-VXLAN Architecture with SRX Series Device

In the figure VXLAN traffic originating at the leaf 1 device traverses through the SRX Series Firewalls that function as EBLs. In this use case, the SRX Series Firewall is placed at the border, that is, at the entry and exit point of the campus or data center, to provide stateful inspection to the VXLAN encapsulated packets traversing through it.

In the architecture diagram, you can notice that an SRX Series Firewall is placed between two VTEP devices (devices that perform VXLAN encapsulation and decapsulation for the network traffic). The SRX Series Firewall performs stateful inspection when you enable the tunnel inspection feature with an appropriate security policy.

Benefits

Adding SRX Series Firewall in EVPN VXLAN provides:

  • Added security with the capabilities of an enterprise grade firewall in the EVPN-VXLAN overlay.
  • Enhanced tunnel inspection for VXLAN encapsulated traffic with Layer 4/Layer 7 security services.

Example - Configure Security Policies for EVPN-VXLAN Tunnel Inspection

Use this example to configure the security policies that enable inspection of EVPN EVPN-VXLAN tunnel traffic on your SRX Series Firewalls.

Requirements

This example uses the following hardware and software components:

  • An SRX Series Firewall or vSRX Virtual Firewall
  • Junos OS Release 20.4R1

This example assumes that you already have an EVPN-VXLAN based network and want to enable tunnel inspection on SRX Series Firewall.

Before you Begin

  • Ensure you have a valid application identification feature license on your SRX Series Firewall and installed application signature pack on the device.
  • Make sure you understand how EVPN and VXLAN works. See EVPN-VXLAN Campus Architectures to detail understanding EVPN-VXLAN

  • This example assumes that you already have an EVPN-VXLAN based network fabric and want to enable tunnel inspection on the SRX Series Firewall. You can see the sample configuration of leaf and spine devices used in this example at Complete Device Configurations.

Overview

In this example, we are focusing on configuring the SRX Series Firewall which is a part of a working EVPN-VXLAN network that consist of two DC locations each with an IP fabric. The SRX Series Firewall is placed in a Data Center Interconnect (DCI) role between the two DCs. In this configuration, the SRX Series Firewall performs stateful inspection of VXLAN encapsulated traffic flowing between the DCs when you enable tunnel inspection.

We are using the topology shown in Figure 2 in this example.

Figure 2: Topology for VXLAN Tunnel Inspection Topology for VXLAN Tunnel Inspection

As given in the topology, the SRX Series Firewall is inspecting transit VLAN encapsulated traffic from the VXLAN tunnel endpoint (VTEP) on the leaves in both the DC-1 and DC-2 data centers. Any Juniper Networks device, both physical and virtual, that functions as a Layer 2 or Layer 3 VXLAN gateway can act as VTEP device to perform encapsulation and de-encapsulation.

Upon receipt of a Layer 2 or Layer 3 data packet from server 1, The leaf 1 VTEP adds the appropriate VXLAN header and then encapsulates the packet with a IPv4 outer header to facilitate tunneling the packet through the IPv4 underlay network. The remote VTEP at leaf 2 then de-encapsulates the traffic and forwards the original packet towards the destination host. With the Junos software release 20.4 SRX Series Firewalls are able to perform tunnel inspection for VXLAN encapsulated overlay traffic passing through it.

In this example, you’ll create a security policy to enable inspection for traffic that is encapsulated in a VXLAN tunnel . We're using the parameters described Table 1 in this example.

Table 1: Configuration Parameters
Parameter Description Parameter Name
Security policy Policy to create a flow session triggered by VXLAN overlay traffic. This policy references the outer IP source and destination address. That is, the IP addresses of the source and destination VTEPs. In this example this is the loopback address of the leaves. P1
Policy set Policy for the inspection of inner traffic. This policy operates on the contents of matching VXLAN tunnel traffic. PSET-1
Tunnel inspection profile Specifies parameters for security inspection on VXLAN tunnels. TP-1
Name of a VXLAN network identifier (VNI) list or range Used to uniquely identify a list or range of VXLAN tunnel IDs. VLAN-100
VXLAN tunnel identifier name. Used to symbolically name a VXLAN tunnel in a tunnel inspection profile. VNI-1100

When you configure tunnel inspection security policies on the SRX Series Firewall, it decapsulates the packet to access the inner header when a packet matches a security policy. Next, it applies the tunnel inspection profile to determine if the inner traffic is permitted. The security device uses inner packet content and the applied tunnel inspection profile parameters to do a policy lookup and to then perform stateful inspection for the inner session.

Configuration

In this example, you'll configure the following functionality on the SRX Series Firewall:

  1. Define a trust and untrust zone to permit all host traffic. This supports the BGP session to the spine devices and allow SSH etc from either zone (DC).
  2. Inspect traffic flowing from DC1 to DC2 in VNI 1100 (Layer 2 stretched for VLAN 100) for all hosts in the 192.168.100.0/24 subnet. Your policy should permit pings but deny all other traffic.
  3. Allow all return traffic from DC2 to DC1 with no tunnel inspection.
  4. Allow all other underlay and overlay traffic without VXLAN tunnel inspection from DC1 to DC2.

Use the following steps to enable tunnel inspection on your security device in a VXLAN-EVPN environment:

Note:

Complete functional configurations for all devices used in this example are provided Complete Device Configurations to assist the reader in testing this example.

This example focuses on the configuration steps needed to enable and validate the VXLAN tunnel inspection feature. The SRX Series Firewall is presumed to be configured with interface addressing, BGP peering, and policy to support its DCI role.

CLI Quick Configuration

To quickly configure this example on your SRX Series Firewall , copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Configuration on SRX Series Device

content_copy zoom_out_map
set system host-name r4-dci-ebr
set security address-book global address vtep-untrust 10.255.2.0/24
set security address-book global address vtep-trust 10.255.1.0/24
set security address-book global address vlan100 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy P1 match source-address vtep-trust
set security policies from-zone trust to-zone untrust policy P1 match destination-address vtep-untrust
set security policies from-zone trust to-zone untrust policy P1 match application junos-vxlan
set security policies from-zone trust to-zone untrust policy P1 then permit tunnel-inspection TP-1
set security policies from-zone untrust to-zone trust policy accept-all-dc2 match source-address any
set security policies from-zone untrust to-zone trust policy accept-all-dc2 match destination-address any
set security policies from-zone untrust to-zone trust policy accept-all-dc2 match application any
set security policies from-zone untrust to-zone trust policy accept-all-dc2 then permit
set security policies policy-set PSET-1 policy PSET-1-P1 match source-address vlan100
set security policies policy-set PSET-1 policy PSET-1-P1 match destination-address vlan100
set security policies policy-set PSET-1 policy PSET-1-P1 match application junos-icmp-all
set security policies policy-set PSET-1 policy PSET-1-P1 then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/1.0
set security tunnel-inspection inspection-profile TP-1 vxlan VNI-1100 policy-set PSET-1
set security tunnel-inspection inspection-profile TP-1 vxlan VNI-1100 vni VLAN-100
set security tunnel-inspection vni VLAN-100 vni-id 1100
set interfaces ge-0/0/0 description "Link to DC1 Spine 1"
set interfaces ge-0/0/0 mtu 9000
set interfaces ge-0/0/0 unit 0 family inet address 172.16.1.2/30
set interfaces ge-0/0/1 description "Link to DC2 Spine 1"
set interfaces ge-0/0/1 mtu 9000
set interfaces ge-0/0/1 unit 0 family inet address 172.16.2.2/30

Step-by-Step Procedure

  1. Configure security zones, interfaces, and address-books.
    content_copy zoom_out_map
    [edit]
user@@r4-dci-ebr# set security zones security-zone trust 
user@@r4-dci-ebr# set security zones security-zone untrust
user@@r4-dci-ebr# set interfaces ge-0/0/0 description "Link to DC1 Spine 1"
user@@r4-dci-ebr# set interfaces ge-0/0/0 mtu 9000
user@@r4-dci-ebr# set interfaces ge-0/0/0 unit 0 family inet address 172.16.1.2/30
user@@r4-dci-ebr# set interfaces ge-0/0/1 description "Link to DC2 Spine 1"
user@@r4-dci-ebr# set interfaces ge-0/0/1 mtu 9000
user@@r4-dci-ebr# set interfaces ge-0/0/1 unit 0 family inet address 172.16.2.2/30
user@@r4-dci-ebr# set security zones security-zone trust host-inbound-traffic system-services all
user@@r4-dci-ebr# set security zones security-zone trust host-inbound-traffic protocols all
user@@r4-dci-ebr# set security zones security-zone trust interfaces ge-0/0/0.0
user@@r4-dci-ebr# set security zones security-zone untrust host-inbound-traffic system-services all
user@@r4-dci-ebr# set security zones security-zone untrust host-inbound-traffic protocols all
user@@r4-dci-ebr# set security zones security-zone untrust interfaces ge-0/0/1.0
user@@r4-dci-ebr# set security address-book global address vtep-untrust 10.255.2.0/24
user@@r4-dci-ebr# set security address-book global address vtep-trust 10.255.1.0/24
user@@r4-dci-ebr# set security address-book global address vlan100 192.168.100.0/24
    Note that /24 prefix lengths are used to specify the outer (VTEP) and inner (server) addresses. While you could use /32 host routes for this simple example, using a /24 will match traffic from other leaves (VTEPs) or hosts in the 192.168.100/0/24 subnet.

  2. Define the tunnel-inspection profile. You can specify a range or a list of VNIs that should be inspected.

    content_copy zoom_out_map
    [edit]
user@@r4-dci-ebr# set security tunnel-inspection vni VLAN-100 vni-id 1100
user@@r4-dci-ebr# set security tunnel-inspection inspection-profile TP-1 vxlan VNI-1100 vni VLAN-100
user@@r4-dci-ebr# set security tunnel-inspection inspection-profile TP-1 vxlan VNI-1100 policy-set PSET-1

    In this example only one VNI is needed so the vni-id keyword is used instead of the vni-range option.

    The tunnel inspection profile links to both the VNI list/range as well as to the related policy that should be applied to VXLAN tunnel with matching VNIs.
  3. Create a security policy to match on the outer session.
    content_copy zoom_out_map
    [edit]
user@@r4-dci-ebr# set security policies from-zone trust to-zone untrust policy P1 match source-address vtep-trust
user@@r4-dci-ebr# set security policies from-zone trust to-zone untrust policy P1 match destination-address vtep-untrust
user@@r4-dci-ebr# set security policies from-zone trust to-zone untrust policy P1 match application junos-vxlan
user@@r4-dci-ebr# set security policies from-zone trust to-zone untrust policy P1 then permit tunnel-inspection TP-1
    This policy refers to the global address book entries you defined earlier to match source and destination VTEP addresses. These addresses are used in the underlay to support VXLAN tunnels in the overlay. Matching traffic is directed to the TP-1 tunnel inspection profile you defined in the previous step. In this example the goal is to inspect VXLAN tunnels that originate in DC1 and terminate in DC2. As a result a second policy to match on return traffic (with DC2 Leaf 1 the source VTEP) is not needed.

  4. Create the policy-set for the inner session.

    content_copy zoom_out_map
    [edit]
user@@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 match source-address vlan100
user@@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 match destination-address vlan100
user@@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 match application junos-icmp-all
user@@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 then permit

    This policy performs security inspection against the payload of matching VXLAN traffic. In this example this is the traffic sent from Server 1 on VLAN 100 in DC1 to Server 1 in DC2. By specifying the junos-icmp-all match condition you ensure that both ping request and replies can pass from server 1 ion DC1 to server 1 in DC2. If you specify junos-icmp-ping only pings that originate from DC1 will be permitted.

    Recall that in this example only ping is permitted to help facilitate testing of the resulting functionality. You can match on application any to permit all traffic, or alter the match criteria to suit your specific security needs.

  5. Define the policies needed to accept all other traffic between the data centers without any tunnel inspection.

    content_copy zoom_out_map
    [edit]
user@@r4-dci-ebr# set security policies from-zone trust to-zone untrust policy accept-rest match source-address any
user@@r4-dci-ebr# set security policies from-zone trust to-zone untrust policy accept-rest match destination-address any
user@@r4-dci-ebr# set security policies from-zone trust to-zone untrust policy accept-rest match application any
user@@r4-dci-ebr# set security policies from-zone trust to-zone untrust policy accept-rest then permit
user@@r4-dci-ebr# set security policies from-zone untrust to-zone trust policy accept-all-dc2 match source-address any
user@@r4-dci-ebr# set security policies from-zone untrust to-zone trust policy accept-all-dc2 match destination-address any
user@@r4-dci-ebr# set security policies from-zone untrust to-zone trust policy accept-all-dc2 match application any
user@@r4-dci-ebr# set security policies from-zone untrust to-zone trust policy accept-all-dc2 then permit

Results

From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]

user@host# show security

content_copy zoom_out_map
address-book {
    global {
        address vtep-untrust 10.255.2.0/24;
        address vtep-trust 10.255.1.0/24;
        address vlan100 192.168.100.0/24;
    }
}
policies {
    from-zone trust to-zone untrust {
        policy P1 {
            match {
                source-address vtep-trust;
                destination-address vtep-untrust;
                application junos-vxlan;
            }
            then {
                permit {
                    tunnel-inspection {
                        TP-1;
                    }
                }
            }
        }
        policy accept-rest {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {                      
                permit;
            }
        }
    }
    from-zone untrust to-zone trust {
        policy accept-all-dc2 {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    policy-set PSET-1 {
        policy PSET-1-P1 {
            match {
                source-address vlan100;
                destination-address vlan100;
                application junos-icmp-all;
            }
            then {
                permit;
            }
        }
    }
}                                       
zones {
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/0.0;
        }
    }
    security-zone untrust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/1.0;
        }
    }
}
tunnel-inspection {                     
    inspection-profile TP-1 {
        vxlan VNI-1100 {
            policy-set PSET-1;
            vni VLAN-100;
        }
    }
    vni VLAN-100 {
        vni-id 1100;
    }
}

If you are done configuring the feature on your device, enter commit from configuration mode.

Verification

At this time you should generate ping traffic between server 1 in DC1 to server 1 in DC2. The pings should succeed. Allow this test traffic to run in the background while you complete the verification tasks.

content_copy zoom_out_map
r5-dc1_server1> ping 192.168.100.102    
PING 192.168.100.102 (192.168.100.102): 56 data bytes
64 bytes from 192.168.100.102: icmp_seq=0 ttl=64 time=565.451 ms
64 bytes from 192.168.100.102: icmp_seq=1 ttl=64 time=541.035 ms
64 bytes from 192.168.100.102: icmp_seq=2 ttl=64 time=651.420 ms
64 bytes from 192.168.100.102: icmp_seq=3 ttl=64 time=303.533 ms
. . .

Verify Inner Policy Details

Purpose

Verify the details of the policy applied for the inner session.

Action

From operational mode, enter the show security policies policy-set PSET-1 command.

content_copy zoom_out_map
From zone: PSET-1, To zone: PSET-1
  Policy: PSET-1-P1, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    From zones: any
    To zones: any
    Source vrf group: any
    Destination vrf group: any
    Source addresses: vlan100
    Destination addresses: vlan100
    Applications: junos-icmp-all
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit

Check Tunnel Inspection Traffic

Purpose

Display the tunnel inspection traffic details.

Action

From operational mode, enter the show security flow tunnel-inspection statistics command.

content_copy zoom_out_map
  Flow Tunnel-inspection statistics:
  Tunnel-inspection type VXLAN:
    overlay session active:             4
    overlay session create:           289
    overlay session close:            285
    underlay session active:            3
    underlay session create:           31
    underlay session close:            28
    input packets:          607
    input bytes:         171835
    output packets:         418
    output bytes:         75627
    bypass packets:           0
    bypass bytes:             0

Check Tunnel Inspection Profile and VNI

Purpose

Display the tunnel inspection profile and VNI details.

Action

From operational mode, enter the show security tunnel-inspection profiles command.

content_copy zoom_out_map
Logical system: root-logical-system
  Profile count: 1
  Profile: TP-1
    Type: VXLAN
    Vxlan count: 1
    Vxlan name: VXT-1
    VNI count: 1
      VNI:VNI-1
      Policy set: PSET-1
      Inspection level: 1

From operational mode, enter the show security tunnel-inspection vnis command.

content_copy zoom_out_map
Logical system: root-logical-system
  VNI count: 2
  VNI name: VLAN-100
      VNI id count: 1
      [1100 - 1100] 
  VNI name: VNI-1
      VNI id count: 1
      [1100 - 1100]

Check Security Flows

Purpose

Display VXLAN security flow information on the SRX to confirm that VXLAN tunnel inspection is working.

Action

From operational mode, enter the show security flow session vxlan-vni 1100 command.

content_copy zoom_out_map
Session ID: 3811, Policy name: PSET-1-P1/7, State: Stand-alone, Timeout: 2, Valid
  In: 192.168.100.101/47883 --> 192.168.100.102/82;icmp, Conn Tag: 0xfcd, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, 
  Type: VXLAN, VNI: 1100, Tunnel Session ID: 2193
  Out: 192.168.100.102/82 --> 192.168.100.101/47883;icmp, Conn Tag: 0xfcd, If: ge-0/0/1.0, Pkts: 0, Bytes: 0, 
  Type: VXLAN, VNI: 0, Tunnel Session ID: 0

Session ID: 3812, Policy name: PSET-1-P1/7, State: Stand-alone, Timeout: 2, Valid
  In: 192.168.100.101/47883 --> 192.168.100.102/83;icmp, Conn Tag: 0xfcd, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, 
  Type: VXLAN, VNI: 1100, Tunnel Session ID: 2193
  Out: 192.168.100.102/83 --> 192.168.100.101/47883;icmp, Conn Tag: 0xfcd, If: ge-0/0/1.0, Pkts: 0, Bytes: 0, 
  Type: VXLAN, VNI: 0, Tunnel Session ID: 0

. . .

Confirm That SSH is Blocked

Purpose

Try to establish an SSH session between server 1 in DC1 and server 2 in DC2. Based on the policy that allows only ping traffic this session should be blocked at the SRX.

Action

From operational mode, enter the show security flow session vxlan-vni 1100 command.

content_copy zoom_out_map
r5-dc1_server1> ssh 192.168.100.102
ssh: connect to host 192.168.100.102 port 22: Operation timed out
r5_dc1_server1>

Configuration for Zone-Level Inspection, IDP, Content Security and Advanced Anti-Malware for Tunnel Inspection

Use this step if you want to configure zone-level inspection, and apply layer 7 services such as IDP, Juniper ATP, Content Security, and advanced anti-malware to the tunnel traffic. This feature is supported from Junos OS Release 21.1R1 onwards.

This example uses the following hardware and software components:

  • An SRX Series Firewall or vSRX Virtual Firewall
  • Junos OS Release 21.1R1

We are using the same configuration of address-books, security zones, interfaces, tunnel inspection profile, and security policy for the outer session as created in Configuration

This step assumes that you have Enrolled your SRX Series Firewall with Juniper ATP. For details on how to enroll your SRX Series Firewall, see Enrolling an SRX Series Device With Juniper Advanced Threat Prevention Cloud.

In this configuration, you'll create a policy set for the inner session and apply IDP, Content Security, advanced antimalware to the tunnel traffic.

CLI Quick Configuration

To quickly configure this example on your SRX Series Firewall , copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Configuration on SRX Series Device

content_copy zoom_out_map
set system host-name r4-dci-ebr
set security address-book global address vtep-untrust 10.255.2.0/24
set security address-book global address vtep-trust 10.255.1.0/24
set security address-book global address vlan100 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy P1 match source-address vtep-trust
set security policies from-zone trust to-zone untrust policy P1 match destination-address vtep-untrust
set security policies from-zone trust to-zone untrust policy P1 match application junos-vxlan
set security policies from-zone trust to-zone untrust policy P1 then permit tunnel-inspection TP-1
set security policies from-zone untrust to-zone trust policy accept-all-dc2 match source-address any
set security policies from-zone untrust to-zone trust policy accept-all-dc2 match destination-address any
set security policies from-zone untrust to-zone trust policy accept-all-dc2 match application any
set security policies from-zone untrust to-zone trust policy accept-all-dc2 then permit
set security policies policy-set PSET-1 policy PSET-1-P1 match source-address vlan100
set security policies policy-set PSET-1 policy PSET-1-P1 match destination-address vlan100
set security policies policy-set PSET-1 policy PSET-1-P1 match application junos-icmp-all
set security policies policy-set PSET-1 policy PSET-1-P1 match dynamic-application any
set security policies policy-set PSET-1 policy PSET-1-P1 match url-category any
set security policies policy-set PSET-1 policy PSET-1-P1 match from-zone trust
set security policies policy-set PSET-1 policy PSET-1-P1 match to-zone untrust
set security policies policy-set PSET-1 policy PSET-1-P1 then permit
set security policies policy-set PSET-1 policy PSET-1-P1 then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/1.0
set security tunnel-inspection inspection-profile TP-1 vxlan VNI-1100 policy-set PSET-1
set security tunnel-inspection inspection-profile TP-1 vxlan VNI-1100 vni VLAN-100
set security tunnel-inspection vni VLAN-100 vni-id 1100
set interfaces ge-0/0/0 description "Link to DC1 Spine 1"
set interfaces ge-0/0/0 mtu 9000
set interfaces ge-0/0/0 unit 0 family inet address 172.16.1.2/30
set interfaces ge-0/0/1 description "Link to DC2 Spine 1"
set interfaces ge-0/0/1 mtu 9000
set interfaces ge-0/0/1 unit 0 family inet address 172.16.2.2/30

Create Zone-Level Inspection for Tunnel Inspection

You can add zone-level policy control for EVPN-VXLAN tunnel inspection for the inner traffic. This policy performs security inspection against the payload of matching VXLAN traffic. In the following step, you'll specify from-zone and to-zone for the traffic.

  • content_copy zoom_out_map
    [edit]
user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 match source-address vlan100
user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 match destination-address vlan100
user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 match application any
user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 match dynamic-application any
user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 match url-category any
user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 match from-zone trust
user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 match to-zone untrust
user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 then permit

Create IDP, Content Security and Advanced Anti-Malware for Tunnel Inspection

You can add security services such as IDP, advanced aniti-malware, Content Security, SSL proxy for the EVPN-VXLAN tunnel inspection for the inner traffic. This policy performs security inspection against the payload of matching VXLAN traffic.

In the following step, you'll enable service such as IDP, Content Security, SSL proxy, security-intelligence, advanced anti-malware services by specifying them in a security policy permit action, when the traffic matches the policy rule.

  • content_copy zoom_out_map
    [edit]
user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 match source-address vlan100
user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 match destination-address vlan100
user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 match application any
user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 then permit application-services ssl-proxy profile-name ssl-inspect-profile-1
user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 then permit application-services security-intelligence-policy secintel1
user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 then permit application-services advanced-anti-malware-policy P3
user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 then permit application-services idp-policy idp123
user@r4-dci-ebr# set security policies policy-set PSET-1 policy PSET-1-P1 then permit application-services utm-policy P1

The following steps show configuration snippets of Content Security, IDP, and advanced anti-malware policies at-glance.

  • Configure advanced anti-malware policy.

    content_copy zoom_out_map
    [edit]
user@r4-dci-ebr# set services advanced-anti-malware policy P3 http inspection-profile scripts  
user@r4-dci-ebr# set services advanced-anti-malware policy P3 http action block
user@r4-dci-ebr# set services advanced-anti-malware policy P3 http notification log
user@r4-dci-ebr# set services advanced-anti-malware policy P3 http client-notify message "AAMW Blocked!"
user@r4-dci-ebr# set services advanced-anti-malware policy P3 verdict-threshold recommended
user@r4-dci-ebr# set services advanced-anti-malware policy P3 fallback-options action permit
user@r4-dci-ebr# set services advanced-anti-malware policy P3 fallback-options notification log

  • Configure security intelligence profile.

    content_copy zoom_out_map
    [edit]
user@r4-dci-ebr# set services security-intelligence url https://cloudfeeds.argonqa.junipersecurity.net/api/manifest.xml
user@r4-dci-ebr# set services security-intelligence authentication tls-profile aamw-ssl
user@r4-dci-ebr# set services security-intelligence profile cc_profile category CC
user@r4-dci-ebr# set services security-intelligence profile cc_profile rule cc_rule match threat-level 1
user@r4-dci-ebr# set services security-intelligence profile cc_profile rule cc_rule match threat-level 2
user@r4-dci-ebr# set services security-intelligence profile cc_profile rule cc_rule match threat-level 4
user@r4-dci-ebr# set services security-intelligence profile cc_profile rule cc_rule match threat-level 5
user@r4-dci-ebr# set services security-intelligence profile cc_profile rule cc_rule match threat-level 6
user@r4-dci-ebr# set services security-intelligence profile cc_profile rule cc_rule match threat-level 7
user@r4-dci-ebr# set services security-intelligence profile cc_profile rule cc_rule match threat-level 8
user@r4-dci-ebr# set services security-intelligence profile cc_profile rule cc_rule match threat-level 9
user@r4-dci-ebr# set services security-intelligence profile cc_profile rule cc_rule match threat-level 10
user@r4-dci-ebr# set services security-intelligence profile cc_profile rule cc_rule then action block close
user@r4-dci-ebr# set services security-intelligence profile cc_profile rule cc_rule then log
user@r4-dci-ebr# set services security-intelligence profile ih_profile category Infected-Hosts
user@r4-dci-ebr# set services security-intelligence profile ih_profile rule ih_rule match threat-level 7
user@r4-dci-ebr# set services security-intelligence profile ih_profile rule ih_rule match threat-level 8
user@r4-dci-ebr# set services security-intelligence profile ih_profile rule ih_rule match threat-level 9
user@r4-dci-ebr# set services security-intelligence profile ih_profile rule ih_rule match threat-level 10
user@r4-dci-ebr# set services security-intelligence profile ih_profile rule ih_rule then action block close http message "Blocked!"
user@r4-dci-ebr# set services security-intelligence profile ih_profile rule ih_rule then log
user@r4-dci-ebr# set services security-intelligence policy secintel1 CC cc_profile
user@r4-dci-ebr# set services security-intelligence policy secintel1 Infected-Hosts ih_profile

  • Configure IDP policy.

    content_copy zoom_out_map
    [edit]
user@r4-dci-ebr# set security idp idp-policy idp123 rulebase-ips rule rule1 match application junos-icmp-all
user@r4-dci-ebr# set security idp idp-policy idp123 rulebase-ips rule rule1 then action no-action

  • Configure Content Security policy.

    content_copy zoom_out_map
    [edit]
user@r4-dci-ebr# set security utm default-configuration anti-virus type sophos-engine 
user@r4-dci-ebr## set security utm utm-policy P1 anti-virus http-profile junos-sophos-av-defaults

  • Configure SSL profiles.

    content_copy zoom_out_map
    [edit]
user@r4-dci-ebr# set services ssl initiation profile aamw-ssl 
user@r4-dci-ebr# set services ssl proxy profile ssl-inspect-profile-1 root-ca VJSA

Results

From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]

user@host# show security

content_copy zoom_out_map
address-book {
    global {
        address vtep-untrust 10.255.2.0/24;
        address vtep-trust 10.255.1.0/24;
        address vlan100 192.168.100.0/24;
    }
}
policies {
    from-zone trust to-zone untrust {
        policy P1 {
            match {
                source-address vtep-trust;
                destination-address vtep-untrust;
                application junos-vxlan;
            }
            then {
                permit {
                    tunnel-inspection {
                        TP-1;
                    }
                }
            }
        }
        policy accept-rest {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {                      
                permit;
            }
        }
    }
    from-zone untrust to-zone trust {
        policy accept-all-dc2 {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    policy-set PSET-1 {
        policy PSET-1-P1 {
            match {
                source-address vlan100;
                destination-address vlan100;
                application junos-icmp-all;
                dynamic-application any;
                url-category any;
                from-zone trust;
                to-zone untrust;
            }
           then {
            permit {
                application-services {
                    idp-policy idp123;
                    ssl-proxy {
                        profile-name ssl-inspect-profile-1;
                    }
                    utm-policy P1;
                    security-intelligence-policy secintel1;
                    advanced-anti-malware-policy P3;
                }
            }
        }
            }
        }
    }
}                                       
zones {
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/0.0;
        }
    }
    security-zone untrust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/1.0;
        }
    }
}
tunnel-inspection {                     
    inspection-profile TP-1 {
        vxlan VNI-1100 {
            policy-set PSET-1;
            vni VLAN-100;
        }
    }
    vni VLAN-100 {
        vni-id 1100;
    }
}

[edit]

user@host# show services

content_copy zoom_out_map
application-identification;
ssl {
    initiation {
        profile aamw-ssl;
    }
    proxy {
        profile ssl-inspect-profile-1 {
            root-ca VJSA;
        }
    }
}
advanced-anti-malware {
    policy P3 {
        http {
            inspection-profile scripts;
            action block;
            client-notify {
                message "AAMW Blocked!";
            }
            notification {
                log;
            }
        }
        verdict-threshold recommended;
        fallback-options {
            action permit;
            notification {
                log;                    
            }
        }
    }
}
security-intelligence {
    url https://cloudfeeds.argonqa.junipersecurity.net/api/manifest.xml;
    authentication {
        tls-profile aamw-ssl;
    }
    profile cc_profile {
        category CC;
        rule cc_rule {
            match {
                threat-level [ 1 2 4 5 6 7 8 9 10 ];
            }
            then {
                action {
                    block {
                        close;
                    }
                }
                log;
            }
        }
    }
    profile ih_profile {
        category Infected-Hosts;        
        rule ih_rule {
            match {
                threat-level [ 7 8 9 10 ];
            }
            then {
                action {
                    block {
                        close {
                            http {
                                message "Blocked!";
                            }
                        }
                    }
                }
                log;
            }
        }
    }
    policy secintel1 {
        CC {
            cc_profile;
        }
        Infected-Hosts {
            ih_profile;
        }
    }
}

If you are done configuring the feature on your device, enter commit from configuration mode.

Complete Device Configurations

Refer to these configurations to better understand or recreate the context of this example. They include the complete ERB based EVPN-VXLAN configurations for the QFX Series switches that form the DC fabrics, as well as the ending state of the SRX Series Firewall for both the basic and advanced VXLAN tunnel inspection examples.

Note:

The provided configurations do not show user login, system logging, or management related configuration as this varies by location is not related to the VXLAN tunnel inspection feature.

For more details and example on configuring EVPN-VXLAN, see the network configuration example at Configuring an EVPN-VXLAN Fabric for a Campus Network with ERB.

Configuration on Leaf 1 Device

content_copy zoom_out_map
set system host-name r0_dc1_leaf1
set interfaces xe-0/0/0 mtu 9000 
set interfaces xe-0/0/0 unit 0 family inet address 10.1.1.2/30
set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members v100
set interfaces xe-0/0/2 unit 0 family ethernet-switching vlan members v50
set interfaces irb unit 50 virtual-gateway-accept-data
set interfaces irb unit 50 family inet address 192.168.50.3/24 preferred
set interfaces irb unit 50 family inet address 192.168.50.3/24 virtual-gateway-address 192.168.50.1
set interfaces irb unit 100 virtual-gateway-accept-data
set interfaces irb unit 100 family inet address 192.168.100.3/24 preferred
set interfaces irb unit 100 family inet address 192.168.100.3/24 virtual-gateway-address 192.168.100.1
set interfaces lo0 unit 0 family inet address 10.255.1.10/32
set interfaces lo0 unit 1 family inet address 10.255.10.10/32
set forwarding-options vxlan-routing next-hop 32768
set forwarding-options vxlan-routing overlay-ecmp
set policy-options policy-statement ECMP-POLICY then load-balance per-packet
set policy-options policy-statement FROM_Lo0 term 10 from interface lo0.0
set policy-options policy-statement FROM_Lo0 term 10 then accept
set policy-options policy-statement FROM_Lo0 term 20 then reject
set policy-options policy-statement OVERLAY_IMPORT term 5 from community comm_pod1
set policy-options policy-statement OVERLAY_IMPORT term 5 then accept
set policy-options policy-statement OVERLAY_IMPORT term 10 from community comm_pod2
set policy-options policy-statement OVERLAY_IMPORT term 10 then accept
set policy-options policy-statement OVERLAY_IMPORT term 20 from community shared_100_fm_pod2
set policy-options policy-statement OVERLAY_IMPORT term 20 from community shared_100_fm_pod1
set policy-options policy-statement OVERLAY_IMPORT term 20 then accept
set policy-options policy-statement T5_EXPORT term fm_direct from protocol direct
set policy-options policy-statement T5_EXPORT term fm_direct then accept
set policy-options policy-statement T5_EXPORT term fm_static from protocol static
set policy-options policy-statement T5_EXPORT term fm_static then accept
set policy-options policy-statement T5_EXPORT term fm_v4_host from protocol evpn
set policy-options policy-statement T5_EXPORT term fm_v4_host from route-filter 0.0.0.0/0 prefix-length-range /32-/32
set policy-options policy-statement T5_EXPORT term fm_v4_host then accept
set policy-options policy-statement VRF1_T5_RT_EXPORT term t1 then community add target_t5_pod1
set policy-options policy-statement VRF1_T5_RT_EXPORT term t1 then accept
set policy-options policy-statement VRF1_T5_RT_IMPORT term t1 from community target_t5_pod1
set policy-options policy-statement VRF1_T5_RT_IMPORT term t1 then accept
set policy-options policy-statement VRF1_T5_RT_IMPORT term t2 from community target_t5_pod2
set policy-options policy-statement VRF1_T5_RT_IMPORT term t2 then accept
set policy-options community comm_pod1 members target:65001:1
set policy-options community comm_pod2 members target:65002:2
set policy-options community shared_100_fm_pod1 members target:65001:100
set policy-options community shared_100_fm_pod2 members target:65002:100
set policy-options community target_t5_pod1 members target:65001:9999
set policy-options community target_t5_pod2 members target:65002:9999
set routing-instances TENANT_1_VRF routing-options multipath
set routing-instances TENANT_1_VRF protocols evpn ip-prefix-routes advertise direct-nexthop
set routing-instances TENANT_1_VRF protocols evpn ip-prefix-routes encapsulation vxlan
set routing-instances TENANT_1_VRF protocols evpn ip-prefix-routes vni 9999
set routing-instances TENANT_1_VRF protocols evpn ip-prefix-routes export T5_EXPORT
set routing-instances TENANT_1_VRF instance-type vrf
set routing-instances TENANT_1_VRF interface irb.50
set routing-instances TENANT_1_VRF interface irb.100
set routing-instances TENANT_1_VRF interface lo0.1
set routing-instances TENANT_1_VRF route-distinguisher 10.255.1.10:9999
set routing-instances TENANT_1_VRF vrf-import VRF1_T5_RT_IMPORT
set routing-instances TENANT_1_VRF vrf-export VRF1_T5_RT_EXPORT
set routing-instances TENANT_1_VRF vrf-table-label
set routing-options router-id 10.255.1.10
set routing-options autonomous-system 65001
set routing-options forwarding-table export ECMP-POLICY
set routing-options forwarding-table ecmp-fast-reroute
set routing-options forwarding-table chained-composite-next-hop ingress evpn
set protocols bgp group EVPN_FABRIC type internal
set protocols bgp group EVPN_FABRIC local-address 10.255.1.10
set protocols bgp group EVPN_FABRIC family evpn signaling
set protocols bgp group EVPN_FABRIC multipath
set protocols bgp group EVPN_FABRIC bfd-liveness-detection minimum-interval 1000
set protocols bgp group EVPN_FABRIC bfd-liveness-detection multiplier 3
set protocols bgp group EVPN_FABRIC neighbor 10.255.1.1
set protocols bgp group UNDERLAY type external
set protocols bgp group UNDERLAY family inet unicast
set protocols bgp group UNDERLAY export FROM_Lo0
set protocols bgp group UNDERLAY local-as 65510
set protocols bgp group UNDERLAY multipath multiple-as
set protocols bgp group UNDERLAY bfd-liveness-detection minimum-interval 350
set protocols bgp group UNDERLAY bfd-liveness-detection multiplier 3
set protocols bgp group UNDERLAY neighbor 10.1.1.1 peer-as 65511
set protocols evpn encapsulation vxlan
set protocols evpn default-gateway no-gateway-community
set protocols evpn vni-options vni 150 vrf-target target:65001:150
set protocols evpn vni-options vni 1100 vrf-target target:65001:100
set protocols evpn extended-vni-list 1100
set protocols evpn extended-vni-list 150
set protocols lldp interface all
set switch-options vtep-source-interface lo0.0
set switch-options route-distinguisher 10.255.1.10:1
set switch-options vrf-import OVERLAY_IMPORT
set switch-options vrf-target target:65001:1
set vlans v100 vlan-id 100
set vlans v100 l3-interface irb.100
set vlans v100 vxlan vni 1100
set vlans v50 vlan-id 50
set vlans v50 l3-interface irb.50
set vlans v50 vxlan vni 150

Configuration on Spine 1 Device

content_copy zoom_out_map
set system host-name r1_dc1_spine11
set interfaces xe-0/0/0 mtu 9000
set interfaces xe-0/0/0 unit 0 family inet address 10.1.1.1/30
set interfaces xe-0/0/1 mtu 9000
set interfaces xe-0/0/1 unit 0 family inet address 172.16.1.1/30
set interfaces lo0 unit 0 family inet address 10.255.1.1/32
set policy-options policy-statement ECMP-POLICY then load-balance per-packet
set policy-options policy-statement FROM_Lo0 term 10 from interface lo0.0
set policy-options policy-statement FROM_Lo0 term 10 then accept
set policy-options policy-statement FROM_Lo0 term 20 then reject
set policy-options policy-statement UNDERLAY-EXPORT term LOOPBACK from route-filter 10.255.0.0/16 orlonger
set policy-options policy-statement UNDERLAY-EXPORT term LOOPBACK from route-filter 10.1.0.0/16 orlonger
set policy-options policy-statement UNDERLAY-EXPORT term LOOPBACK then accept
set policy-options policy-statement UNDERLAY-EXPORT term DEFAULT then reject
set policy-options policy-statement UNDERLAY-IMPORT term LOOPBACK from route-filter 10.255.0.0/16 orlonger
set policy-options policy-statement UNDERLAY-IMPORT term LOOPBACK from route-filter 10.1.0.0/16 orlonger
set policy-options policy-statement UNDERLAY-IMPORT term LOOPBACK then accept
set policy-options policy-statement UNDERLAY-IMPORT term DEFAULT then reject
set routing-options autonomous-system 65001
set routing-options forwarding-table export ECMP-POLICY
set routing-options forwarding-table ecmp-fast-reroute
set protocols bgp group EVPN_FABRIC type internal
set protocols bgp group EVPN_FABRIC local-address 10.255.1.1
set protocols bgp group EVPN_FABRIC family evpn signaling
set protocols bgp group EVPN_FABRIC cluster 10.255.1.1
set protocols bgp group EVPN_FABRIC multipath
set protocols bgp group EVPN_FABRIC bfd-liveness-detection minimum-interval 1000
set protocols bgp group EVPN_FABRIC bfd-liveness-detection multiplier 3
set protocols bgp group EVPN_FABRIC neighbor 10.255.1.10
set protocols bgp group EVPN_FABRIC vpn-apply-export
set protocols bgp group UNDERLAY type external
set protocols bgp group UNDERLAY import UNDERLAY-IMPORT
set protocols bgp group UNDERLAY family inet unicast
set protocols bgp group UNDERLAY export UNDERLAY-EXPORT
set protocols bgp group UNDERLAY local-as 65511
set protocols bgp group UNDERLAY multipath multiple-as
set protocols bgp group UNDERLAY bfd-liveness-detection minimum-interval 350
set protocols bgp group UNDERLAY bfd-liveness-detection multiplier 3
set protocols bgp group UNDERLAY neighbor 10.1.1.2 peer-as 65510
set protocols bgp group UNDERLAY neighbor 172.16.1.2 peer-as 65012
set protocols bgp group OVERLAY_INTERDC type external
set protocols bgp group OVERLAY_INTERDC multihop no-nexthop-change
set protocols bgp group OVERLAY_INTERDC local-address 10.255.1.1
set protocols bgp group OVERLAY_INTERDC family evpn signaling
set protocols bgp group OVERLAY_INTERDC multipath multiple-as
set protocols bgp group OVERLAY_INTERDC neighbor 10.255.2.1 peer-as 65002
set protocols lldp interface all

Configuration on Leaf 2 Device

content_copy zoom_out_map
set system host-name r2_dc2_leaf1
set interfaces xe-0/0/0 mtu 9000
set interfaces xe-0/0/0 unit 0 family inet address 10.1.2.2/30
set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members v100
set interfaces xe-0/0/2 unit 0 family ethernet-switching vlan members v60
set interfaces irb unit 60 virtual-gateway-accept-data
set interfaces irb unit 60 family inet address 192.168.60.3/24 preferred
set interfaces irb unit 60 family inet address 192.168.60.3/24 virtual-gateway-address 192.168.60.1
set interfaces irb unit 100 virtual-gateway-accept-data
set interfaces irb unit 100 family inet address 192.168.100.4/24 preferred
set interfaces irb unit 100 family inet address 192.168.100.4/24 virtual-gateway-address 192.168.100.1
set interfaces lo0 unit 0 family inet address 10.255.2.10/32
set interfaces lo0 unit 1 family inet address 10.255.20.10/32
set forwarding-options vxlan-routing next-hop 32768
set forwarding-options vxlan-routing overlay-ecmp
set policy-options policy-statement ECMP-POLICY then load-balance per-packet
set policy-options policy-statement FROM_Lo0 term 10 from interface lo0.0
set policy-options policy-statement FROM_Lo0 term 10 then accept
set policy-options policy-statement FROM_Lo0 term 20 then reject
set policy-options policy-statement OVERLAY_IMPORT term 5 from community comm_pod1
set policy-options policy-statement OVERLAY_IMPORT term 5 then accept
set policy-options policy-statement OVERLAY_IMPORT term 10 from community comm_pod2
set policy-options policy-statement OVERLAY_IMPORT term 10 then accept
set policy-options policy-statement OVERLAY_IMPORT term 20 from community shared_100_fm_pod2
set policy-options policy-statement OVERLAY_IMPORT term 20 from community shared_100_fm_pod1
set policy-options policy-statement OVERLAY_IMPORT term 20 then accept
set policy-options policy-statement T5_EXPORT term fm_direct from protocol direct
set policy-options policy-statement T5_EXPORT term fm_direct then accept
set policy-options policy-statement T5_EXPORT term fm_static from protocol static
set policy-options policy-statement T5_EXPORT term fm_static then accept
set policy-options policy-statement T5_EXPORT term fm_v4_host from protocol evpn
set policy-options policy-statement T5_EXPORT term fm_v4_host from route-filter 0.0.0.0/0 prefix-length-range /32-/32
set policy-options policy-statement T5_EXPORT term fm_v4_host then accept
set policy-options policy-statement VRF1_T5_RT_EXPORT term t1 then community add target_t5_pod1
set policy-options policy-statement VRF1_T5_RT_EXPORT term t1 then accept
set policy-options policy-statement VRF1_T5_RT_IMPORT term t1 from community target_t5_pod1
set policy-options policy-statement VRF1_T5_RT_IMPORT term t1 then accept
set policy-options policy-statement VRF1_T5_RT_IMPORT term t2 from community target_t5_pod2
set policy-options policy-statement VRF1_T5_RT_IMPORT term t2 then accept
set policy-options community comm_pod1 members target:65001:1
set policy-options community comm_pod2 members target:65002:2
set policy-options community shared_100_fm_pod1 members target:65001:100
set policy-options community shared_100_fm_pod2 members target:65002:100
set policy-options community target_t5_pod1 members target:65001:9999
set policy-options community target_t5_pod2 members target:65002:9999
set routing-instances TENANT_1_VRF routing-options multipath
set routing-instances TENANT_1_VRF protocols evpn ip-prefix-routes advertise direct-nexthop
set routing-instances TENANT_1_VRF protocols evpn ip-prefix-routes encapsulation vxlan
set routing-instances TENANT_1_VRF protocols evpn ip-prefix-routes vni 9999
set routing-instances TENANT_1_VRF protocols evpn ip-prefix-routes export T5_EXPORT
set routing-instances TENANT_1_VRF instance-type vrf
set routing-instances TENANT_1_VRF interface irb.60
set routing-instances TENANT_1_VRF interface irb.100
set routing-instances TENANT_1_VRF interface lo0.1
set routing-instances TENANT_1_VRF route-distinguisher 10.255.1.2:9999
set routing-instances TENANT_1_VRF vrf-import VRF1_T5_RT_IMPORT
set routing-instances TENANT_1_VRF vrf-export VRF1_T5_RT_EXPORT
set routing-instances TENANT_1_VRF vrf-table-label
set routing-options router-id 10.255.2.10
set routing-options autonomous-system 65002
set routing-options forwarding-table export ECMP-POLICY
set routing-options forwarding-table ecmp-fast-reroute
set routing-options forwarding-table chained-composite-next-hop ingress evpn
set protocols bgp group EVPN_FABRIC type internal
set protocols bgp group EVPN_FABRIC local-address 10.255.2.10
set protocols bgp group EVPN_FABRIC family evpn signaling
set protocols bgp group EVPN_FABRIC multipath
set protocols bgp group EVPN_FABRIC bfd-liveness-detection minimum-interval 1000
set protocols bgp group EVPN_FABRIC bfd-liveness-detection multiplier 3
set protocols bgp group EVPN_FABRIC neighbor 10.255.2.1
set protocols bgp group UNDERLAY type external
set protocols bgp group UNDERLAY family inet unicast
set protocols bgp group UNDERLAY export FROM_Lo0
set protocols bgp group UNDERLAY local-as 65522
set protocols bgp group UNDERLAY multipath multiple-as
set protocols bgp group UNDERLAY bfd-liveness-detection minimum-interval 350
set protocols bgp group UNDERLAY bfd-liveness-detection multiplier 3
set protocols bgp group UNDERLAY neighbor 10.1.2.1 peer-as 65523
set protocols evpn encapsulation vxlan
set protocols evpn default-gateway no-gateway-community
set protocols evpn vni-options vni 160 vrf-target target:65002:160
set protocols evpn vni-options vni 1100 vrf-target target:65002:100
set protocols evpn extended-vni-list 1100
set protocols evpn extended-vni-list 160
set protocols lldp interface all
set switch-options vtep-source-interface lo0.0
set switch-options route-distinguisher 10.255.2.10:1
set switch-options vrf-import OVERLAY_IMPORT
set switch-options vrf-target target:65002:1
set vlans v100 vlan-id 100
set vlans v100 l3-interface irb.100
set vlans v100 vxlan vni 1100
set vlans v60 vlan-id 60
set vlans v60 l3-interface irb.60
set vlans v60 vxlan vni 160

Configuration on Spine 2 Device

content_copy zoom_out_map
set system host-name r3_dc2_spine1
set interfaces xe-0/0/0 mtu 9000
set interfaces xe-0/0/0 unit 0 family inet address 10.1.2.1/30
set interfaces xe-0/0/1 mtu 9000
set interfaces xe-0/0/1 unit 0 family inet address 172.16.2.1/30
set interfaces lo0 unit 0 family inet address 10.255.2.1/32
set policy-options policy-statement ECMP-POLICY then load-balance per-packet
set policy-options policy-statement FROM_Lo0 term 10 from interface lo0.0
set policy-options policy-statement FROM_Lo0 term 10 then accept
set policy-options policy-statement FROM_Lo0 term 20 then reject
set policy-options policy-statement UNDERLAY-EXPORT term LOOPBACK from route-filter 10.255.0.0/16 orlonger
set policy-options policy-statement UNDERLAY-EXPORT term LOOPBACK from route-filter 10.1.0.0/16 orlonger
set policy-options policy-statement UNDERLAY-EXPORT term LOOPBACK then accept
set policy-options policy-statement UNDERLAY-EXPORT term DEFAULT then reject
set policy-options policy-statement UNDERLAY-IMPORT term LOOPBACK from route-filter 10.255.0.0/16 orlonger
set policy-options policy-statement UNDERLAY-IMPORT term LOOPBACK from route-filter 10.1.0.0/16 orlonger
set policy-options policy-statement UNDERLAY-IMPORT term LOOPBACK then accept
set policy-options policy-statement UNDERLAY-IMPORT term DEFAULT then reject
set routing-options autonomous-system 65002
set routing-options forwarding-table export ECMP-POLICY
set routing-options forwarding-table ecmp-fast-reroute
set protocols bgp group EVPN_FABRIC type internal
set protocols bgp group EVPN_FABRIC local-address 10.255.2.1
set protocols bgp group EVPN_FABRIC family evpn signaling
set protocols bgp group EVPN_FABRIC cluster 10.255.2.1
set protocols bgp group EVPN_FABRIC multipath
set protocols bgp group EVPN_FABRIC bfd-liveness-detection minimum-interval 1000
set protocols bgp group EVPN_FABRIC bfd-liveness-detection multiplier 3
set protocols bgp group EVPN_FABRIC neighbor 10.255.2.10
set protocols bgp group EVPN_FABRIC vpn-apply-export
set protocols bgp group UNDERLAY type external
set protocols bgp group UNDERLAY import UNDERLAY-IMPORT
set protocols bgp group UNDERLAY family inet unicast
set protocols bgp group UNDERLAY export UNDERLAY-EXPORT
set protocols bgp group UNDERLAY local-as 65523
set protocols bgp group UNDERLAY multipath multiple-as
set protocols bgp group UNDERLAY bfd-liveness-detection minimum-interval 350
set protocols bgp group UNDERLAY bfd-liveness-detection multiplier 3
set protocols bgp group UNDERLAY neighbor 10.1.2.2 peer-as 65522
set protocols bgp group UNDERLAY neighbor 172.16.2.2 peer-as 65012
set protocols bgp group OVERLAY_INTERDC type external
set protocols bgp group OVERLAY_INTERDC multihop no-nexthop-change
set protocols bgp group OVERLAY_INTERDC local-address 10.255.2.1
set protocols bgp group OVERLAY_INTERDC family evpn signaling
set protocols bgp group OVERLAY_INTERDC multipath multiple-as
set protocols bgp group OVERLAY_INTERDC neighbor 10.255.1.1 peer-as 65001
set protocols lldp interface all

Basic Tunnel Inspection Configuration on SRX Series Device

content_copy zoom_out_map
set system host-name r4-dci-ebr
set security address-book global address vtep-untrust 10.255.2.0/24
set security address-book global address vtep-trust 10.255.1.0/24
set security address-book global address vlan100 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy P1 match source-address vtep-trust
set security policies from-zone trust to-zone untrust policy P1 match destination-address vtep-untrust
set security policies from-zone trust to-zone untrust policy P1 match application junos-vxlan
set security policies from-zone trust to-zone untrust policy P1 then permit tunnel-inspection TP-1
set security policies from-zone trust to-zone untrust policy accept-rest match source-address any
set security policies from-zone trust to-zone untrust policy accept-rest match destination-address any
set security policies from-zone trust to-zone untrust policy accept-rest match application any
set security policies from-zone trust to-zone untrust policy accept-rest then permit
set security policies from-zone untrust to-zone trust policy accept-return match source-address any
set security policies from-zone untrust to-zone trust policy accept-return match destination-address any
set security policies from-zone untrust to-zone trust policy accept-return match application any
set security policies from-zone untrust to-zone trust policy accept-return then permit
set security policies policy-set PSET-1 policy PSET-1-P1 match source-address vlan100
set security policies policy-set PSET-1 policy PSET-1-P1 match destination-address vlan100
set security policies policy-set PSET-1 policy PSET-1-P1 match application junos-icmp-all
set security policies policy-set PSET-1 policy PSET-1-P1 then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/1.0
set security tunnel-inspection inspection-profile TP-1 vxlan VNI-1100 policy-set PSET-1
set security tunnel-inspection inspection-profile TP-1 vxlan VNI-1100 vni VLAN-100
set security tunnel-inspection vni VLAN-100 vni-id 1100
set interfaces ge-0/0/0 description "Link to DC2 Spine 1"
set interfaces ge-0/0/0 mtu 9000
set interfaces ge-0/0/0 unit 0 family inet address 172.16.1.2/30
set interfaces ge-0/0/1 mtu 9000        
set interfaces ge-0/0/1 unit 0 family inet address 172.16.2.2/30
set policy-options policy-statement ECMP-POLICY then load-balance per-packet
set policy-options policy-statement dci term 1 from protocol direct
set policy-options policy-statement dci term 1 then accept
set protocols bgp group UNDERLAY export dci
set protocols bgp group UNDERLAY multipath multiple-as
set protocols bgp group UNDERLAY bfd-liveness-detection minimum-interval 350
set protocols bgp group UNDERLAY bfd-liveness-detection multiplier 3
set protocols bgp group UNDERLAY neighbor 172.16.1.1 peer-as 65511
set protocols bgp group UNDERLAY neighbor 172.16.2.1 peer-as 65523
set routing-options autonomous-system 65012
set routing-options forwarding-table export ECMP-POLICY

Tunnel Inspection Configuration on SRX Series Device with Layer 7 Security Services

content_copy zoom_out_map
set system host-name r4-dci-ebrset services application-identification
set services ssl initiation profile aamw-ssl
set services ssl proxy profile ssl-inspect-profile-1 root-ca VJSA
set services advanced-anti-malware policy P3 http inspection-profile scripts
set services advanced-anti-malware policy P3 http action block
set services advanced-anti-malware policy P3 http client-notify message "AAMW Blocked!"
set services advanced-anti-malware policy P3 http notification log
set services advanced-anti-malware policy P3 verdict-threshold recommended
set services advanced-anti-malware policy P3 fallback-options action permit
set services advanced-anti-malware policy P3 fallback-options notification log
set services security-intelligence url https://cloudfeeds.argonqa.junipersecurity.net/api/manifest.xml
set services security-intelligence authentication tls-profile aamw-ssl
set services security-intelligence profile cc_profile category CC
set services security-intelligence profile cc_profile rule cc_rule match threat-level 1
set services security-intelligence profile cc_profile rule cc_rule match threat-level 2
set services security-intelligence profile cc_profile rule cc_rule match threat-level 4
set services security-intelligence profile cc_profile rule cc_rule match threat-level 5
set services security-intelligence profile cc_profile rule cc_rule match threat-level 6
set services security-intelligence profile cc_profile rule cc_rule match threat-level 7
set services security-intelligence profile cc_profile rule cc_rule match threat-level 8
set services security-intelligence profile cc_profile rule cc_rule match threat-level 9
set services security-intelligence profile cc_profile rule cc_rule match threat-level 10
set services security-intelligence profile cc_profile rule cc_rule then action block close
set services security-intelligence profile cc_profile rule cc_rule then log
set services security-intelligence profile ih_profile category Infected-Hosts
set services security-intelligence profile ih_profile rule ih_rule match threat-level 7
set services security-intelligence profile ih_profile rule ih_rule match threat-level 8
set services security-intelligence profile ih_profile rule ih_rule match threat-level 9
set services security-intelligence profile ih_profile rule ih_rule match threat-level 10
set services security-intelligence profile ih_profile rule ih_rule then action block close http message "Blocked!"
set services security-intelligence profile ih_profile rule ih_rule then log
set services security-intelligence policy secintel1 CC cc_profile
set services security-intelligence policy secintel1 Infected-Hosts ih_profile
set security pki ca-profile aamw-ca ca-identity deviceCA
set security pki ca-profile aamw-ca enrollment url http://ca.junipersecurity.net:8080/ejbca/publicweb/apply/scep/SRX/pkiclient.exe
set security pki ca-profile aamw-ca revocation-check disable
set security pki ca-profile aamw-ca revocation-check crl url http://va.junipersecurity.net/ca/deviceCA.crl
set security pki ca-profile aamw-secintel-ca ca-identity JUNIPER
set security pki ca-profile aamw-secintel-ca revocation-check crl url http://va.junipersecurity.net/ca/current.crl
set security pki ca-profile aamw-cloud-ca ca-identity JUNIPER_CLOUD
set security pki ca-profile aamw-cloud-ca revocation-check crl url http://va.junipersecurity.net/ca/cloudCA.crl
set security idp idp-policy idp123 rulebase-ips rule rule1 match application junos-icmp-all
set security idp idp-policy idp123 rulebase-ips rule rule1 then action no-action
set security address-book global address vtep-untrust 10.255.2.0/24
set security address-book global address vtep-trust 10.255.1.0/24
set security address-book global address vlan100 192.168.100.0/24
set security utm default-configuration anti-virus type sophos-engine
set security utm utm-policy P1 anti-virus http-profile junos-sophos-av-defaults
set security policies from-zone trust to-zone untrust policy P1 match source-address vtep-trust
set security policies from-zone trust to-zone untrust policy P1 match destination-address vtep-untrust
set security policies from-zone trust to-zone untrust policy P1 match application junos-vxlan
set security policies from-zone trust to-zone untrust policy P1 then permit tunnel-inspection TP-1
set security policies from-zone trust to-zone untrust policy accept-rest match source-address any
set security policies from-zone trust to-zone untrust policy accept-rest match destination-address any
set security policies from-zone trust to-zone untrust policy accept-rest match application any
set security policies from-zone trust to-zone untrust policy accept-rest then permit
set security policies from-zone untrust to-zone trust policy accept-return match source-address any
set security policies from-zone untrust to-zone trust policy accept-return match destination-address any
set security policies from-zone untrust to-zone trust policy accept-return match application any
set security policies from-zone untrust to-zone trust policy accept-return then permit
set security policies policy-set PSET-1 policy PSET-1-P1 match source-address vlan100
set security policies policy-set PSET-1 policy PSET-1-P1 match destination-address vlan100
set security policies policy-set PSET-1 policy PSET-1-P1 match application any
set security policies policy-set PSET-1 policy PSET-1-P1 match dynamic-application any
set security policies policy-set PSET-1 policy PSET-1-P1 match url-category any
set security policies policy-set PSET-1 policy PSET-1-P1 match from-zone trust
set security policies policy-set PSET-1 policy PSET-1-P1 match to-zone untrust
set security policies policy-set PSET-1 policy PSET-1-P1 then permit application-services idp-policy idp123
set security policies policy-set PSET-1 policy PSET-1-P1 then permit application-services ssl-proxy profile-name ssl-inspect-profile-1
set security policies policy-set PSET-1 policy PSET-1-P1 then permit application-services utm-policy P1
set security policies policy-set PSET-1 policy PSET-1-P1 then permit application-services security-intelligence-policy secintel1
set security policies policy-set PSET-1 policy PSET-1-P1 then permit application-services advanced-anti-malware-policy P3
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/1.0
set security tunnel-inspection inspection-profile TP-1 vxlan VNI-1100 policy-set PSET-1
set security tunnel-inspection inspection-profile TP-1 vxlan VNI-1100 vni VLAN-100
set security tunnel-inspection vni VLAN-100 vni-id 1100
set interfaces ge-0/0/0 description "Link to DC2 Spine 1"
set interfaces ge-0/0/0 mtu 9000
set interfaces ge-0/0/0 unit 0 family inet address 172.16.1.2/30
set interfaces ge-0/0/1 mtu 9000
set interfaces ge-0/0/1 unit 0 family inet address 172.16.2.2/30
set policy-options policy-statement ECMP-POLICY then load-balance per-packet
set policy-options policy-statement dci term 1 from protocol direct
set policy-options policy-statement dci term 1 then accept
set protocols bgp group UNDERLAY export dci
set protocols bgp group UNDERLAY multipath multiple-as
set protocols bgp group UNDERLAY bfd-liveness-detection minimum-interval 350
set protocols bgp group UNDERLAY bfd-liveness-detection multiplier 3
set protocols bgp group UNDERLAY neighbor 172.16.1.1 peer-as 65511
set protocols bgp group UNDERLAY neighbor 172.16.2.1 peer-as 65523
set routing-options autonomous-system 65012
set routing-options static route 0.0.0.0/0 next-hop 10.9.159.252
set routing-options forwarding-table export ECMP-POLICY
arrow_backward PREVIOUS Examples: Tunneling Q-in-Q Traffic in an EVPN-VXLAN Overlay Network
NEXT arrow_forward Understanding Overlay ping and traceroute Packet Support
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top