Demo - Deploying Group-Based Policy at Scale with Juniper Microsegmentation
![Kanika Atri headshot](/content/dam/www/assets/mediaportal/speakers-hosts/2022/kanika-atri.jpg/jcr:content/renditions/cq5dam.web.1280.1280.jpeg)
![The screenshot shows a slide with ‘WHAT HAVE WE LAUNCHED’ vertically on the left hand side, ‘Paragon Automation as a Service, Sustainable Operations: AI-Enabled, Cloud-Delivered Automation’ across the top middle with a small picture of Kanika Atri, Sr. Director, Product Management, Juniper Networks in the upper right hand corner. There is a diagram illustrating Paragon aaS features.](https://i.ytimg.com/vi/eCSH3fWS9fQ/hqdefault.jpg)
It is time to rethink current metro design beyond connectivity.
Cloud Metro represents an exciting new market category, which is highly distinct from the traditional Retro Metro across a range of attributes. Juniper is the only vendor in the market that delivers a truly compelling and differentiated portfolio that unlocks the advantages of the Cloud Metro for service providers.
AIOps-driven automation, future-proof network systems, transport (100GE, 400GE), service assurance, and network security are service providers' topmost metro requirements to build a future metro infrastructure and deliver differentiated user experiences.
You’ll learn
Juniper Cloud Metro sets service providers on the path to sustainable outcomes
What comprises a sustainable architecture
Who is this for?
Host: Kanika Atri
Transcript
0:08 well there were a lot of questions on
0:10 group-based policy uh that's why we
0:12 wanted to spend some time on uh
0:15 group-based policy and what when would
0:17 you use it who would want to use this uh
0:19 we'll talk about group based policies
0:21 and how we get to this
0:23 group-based policy is GBP in short uh it
0:27 is it sits it's a simple tag it sits in
0:30 the VXLAN header uh we are able to
0:33 actually say uh we know in in the
0:36 traditional firewall filters uh you
0:37 could do you know uh segmentation based
0:40 on VLANs, IP subnets that that resulted
0:42 in a lot of uh firewall rules and then
0:45 you started hitting you know TCAM uh
0:48 places so how can we make this simpler
0:51 and also solve for the most important
0:53 problem microsegmentation is a lot of
0:55 larger terminology I think if we take a
0:57 couple of Point use cases which can come
0:59 into mind there's influx of IoT devices
1:02 that are plugging into the wired
1:04 switching network now uh there's a
1:07 school, a school district that I work
1:09 with very closely and uh initially they
1:11 said okay we're going to move everything
1:13 to Wi-Fi uh there's going to be many
1:15 fewer switches when they said they
1:16 would refresh turns out the host of
1:18 devices that's on their Network now IP
1:21 clocks uh you know cameras you name the
1:23 lots of things require power lights all
1:27 of these things require power they would
1:29 want to control them you know when they
1:30 want it to be turned on turned off all
1:31 of that remotely so you can you're green
1:34 as well uh and now there's a host of
1:37 devices on the network now that also
1:38 means host of devices through which you
1:41 can get into the network so how do we
1:43 actually say what what are the things
1:45 that these devices can talk to
1:46 especially at the layer 2 level would we
1:48 want them to communicate to each other
1:50 and instantiate the DDoS attack rather
1:52 or not so for example cameras there was
1:54 a there was a attack of that nature how
1:57 can we prevent uh devices or isolate
2:00 devices from talking to each other's uh
2:02 use case of that would be you know
2:04 whenever they are on board whatever your
2:06 favorite way of tagging is we'll talk
2:07 about the different ways of tagging tag
2:09 them and say if cameras cannot talk to
2:12 cameras say camera tag cannot talk to
2:13 camera tag that's and then say and the
2:16 next policy say cameras can only talk to
2:18 their controller which is an IP address
2:20 or it could be another tag also that's a
2:22 simple use Point use case to say when
2:24 this could be really powerful you do not
2:27 even want their broadcast to be
2:28 exchanged between each other and that's
2:30 the true power of microsegmentation so
2:32 they're not talking to each other in any
2:33 form
2:35 um
2:36 that's that's uh you know overall how
2:38 you would want to do group-based
2:40 policies and what are we bringing to the
2:41 table obviously this is a standard now
2:44 you have one point of policy management
2:46 in the form of Mist we we configured the
2:49 entire campus fabric from the Mist
2:51 dashboard now we are also saying you can
2:54 configure policy at one point and that
2:57 could be templatized you're talking
2:58 thousands of switches that you manage
3:00 can we manage them simply using a same
3:02 form factor of templatization we said
3:04 you could templatize uh all pieces a
3:07 couple of quick questions you said it's
3:08 a standard but you got a draft URL up
3:10 there is it a standard NetSpend that's a
3:12 full RFC it is uh it is still a draft
3:16 standard it is written in 2017 to my
3:19 knowledge we are the only vendor who
3:21 actually utilizes utilizes it yeah the
3:23 the bit within the header itself and are
3:26 you able to read that in hardware
3:28 yes okay yeah that's that's something
3:30 that was in just in in EX switches with
3:34 it is it is EX which is 5120s as well so
3:38 the so the EX4400
3:40 the EX4100
3:42 the QFX5120 and 50 and 46.50 they all
3:46 support GBP at this level okay so we're
3:49 saying it's a standard practically
3:50 speaking I'm in the Juniper ecosystem to
3:53 leverage group based policies is that
3:54 fair yes okay yes
3:57 do you have a way within Mist AI to
4:00 monitor tag to tag communication so
4:04 let's say I'm trying to build my
4:05 baseline of what should talk to what I
4:07 want to see what's out there today and I
4:09 can determine how to write that policy
4:11 is there a way within Mist I can go in
4:14 and see like a matrix of hey these tags
4:17 are typically talking to these tags on
4:19 on these ports and protocols I'll
4:21 quickly get through the demo the
4:22 greatest question is it's a very good
4:24 question uh but we'll definitely
4:26 showcase that too
4:28 so that's a group-based policy and what
4:31 we bring to the table Mist helps you uh
4:35 you know with one policy management
4:37 frame but now your actual implementation
4:40 of this happens locally at the switches
4:42 hopefully closest to the to the source
4:44 where you are at
4:46 we saw this uh being built right in
4:48 front of you here uh we want to just
4:50 take it up a notch with that we are
4:52 having communication between desktop one
4:53 and desktop two we don't want that to
4:55 happen and uh let's see how how to break
4:58 or how to take the communication
5:02 um
5:03 I want to talk about the the tag
5:06 administration itself because that's
5:07 that's the most critical part of this
5:09 whole concept of uh you know group based
5:11 policies now in from from a perspective
5:14 of uh tagging uh if you see we've built
5:17 a bunch of tags in there already if you
5:19 say add GBP tags
5:22 um this is the Mist UI again it's the
5:24 same template that they use to
5:25 administer the rest of the full campus
5:27 your networks your VLANs all of these
5:29 pieces now we've just added uh the
5:31 ability for you to do group based
5:33 tagging as well
5:34 so the tags can either be dynamic or
5:38 static dynamic is a way for you to say I
5:41 would like for this device to receive a
5:44 tag from a RADIUS attribute value pair
5:46 and the attribute value pair is listed
5:47 there it says
5:49 um Juniper-Switching-Filter and apply
5:51 action you know the GBP tag itself so uh
5:54 depending upon how you posture your
5:55 clients how you onboard your clients you
5:58 can give a tag of of whatever the nature
6:01 is for anything that is a supplicant or
6:04 uh yeah any device that is a supplicant
6:06 that's reaching uh the the RADIUS server
6:09 so that's you know for the volume set of
6:11 devices that you know that are usually
6:13 supplicants or even doing uh MAC auth can
6:16 all get the tags directly so that's
6:18 dynamic that's easy to onboard so you're
6:21 not in the business of adding static
6:22 tags but sometimes you also have uh
6:26 devices that are outside your fabric or
6:29 even subnets that are out here outside
6:31 your fabric but you still want to
6:32 administer them to say my employees of
6:34 net should not be talking to this
6:36 particular website and or this
6:38 particular IP scheme or IP subnet
6:40 whatever the reason is you could
6:42 statically say let me call it the uh you
6:45 can either say a particular MAC address
6:47 a network which is another VLAN you can
6:51 do VLAN to VLAN communication as fully
6:53 blocked and then add a policy to say
6:55 only to talk to a controller or you
6:57 could also IP subnet to say uh 192.168.0.1
7:00 or 0.0/16 is off limits for this
7:05 particular tag and that can also be
7:06 tagged statically so anything that's
7:09 outside the fabric usually uh or well
7:11 within the fabric that cannot do
7:13 supplicant uh nature then definitely
7:16 they are candidates for them to be
7:17 static tags all of these tags are
7:19 individually pushed down to individual
7:21 switches so they are all in the know of
7:23 what tag this belongs to that way we can
7:26 position ingress tagging more and more
7:28 now from a policy perspective currently
7:31 as you can see desktop one is talking to
7:33 desktop two uh so you can go ahead and
7:36 hit uh block and then it'll go kill
7:38 let's set up the make sure we're pinging
7:40 these guys back here I think we are
7:42 blink doink
7:44 yes okay so they're pinging across each
7:46 other
7:47 and we will change the policy to block
7:49 block and then you could save the
7:50 configuration and let's go back after
7:52 saving let's go back to the policy sets
7:54 itself so
8:01 so if you go down all the way to the
8:02 policy set real quick uh the tagging is
8:06 done here and their corresponding
8:08 policies are built here so you could
8:09 actually choose to use any of these tags
8:11 here on on your uh on on at the policy
8:15 itself this is where you define the
8:17 policy usage on a per device basis if
8:19 you go to the switches tab and then go
8:21 to the access switch that we are
8:23 foreign
8:34 so if you saw we didn't build any of
8:36 these uh configurations on this
8:38 particular switch we inherited
8:39 everything from the template but we also
8:41 have the ability to pull usages uh this
8:44 is uh to answer your question which
8:46 policies are being hit more which
8:48 policies are being hit less uh this is a
8:51 constant dashboard where you can get to
8:53 so let's quickly look at the
8:55 uh and to add on to that do you so do
8:57 you have a way to tag devices without
8:59 doing the enforcement so you can just
9:01 see before I'm enforcing I want to make
9:04 sure I know what day-to-day
9:06 communication is so you could you could
9:08 have a policy to allow okay
9:11 and then you go deny them and say that's
9:13 a really good use case actually uh you
9:16 build the policy look at the usage if
9:18 it's only few or if it's a lot right
9:20 depending upon how you'd want to
9:21 implement and I might have missed it but
9:23 where in there
9:25 did it define whether the enforcement
9:28 was at ingress or egress so from a
9:30 tagging perspective that's the beauty of
9:32 it at this point in time uh the tagging
9:34 is you know you can say desktop one to
9:36 desktop two is uh you don't have to
9:38 mention the direction yeah totally from
9:40 a tag perspective it's actually so
9:43 um this is irrelevant whether it's
9:45 ingress or egress how it's tagged I mean
9:47 in other words the tagging policy itself
9:49 you tell the system through uh through a
9:52 command that I want to do ingress policy
9:54 enforcement
9:55 okay right
9:56 so at this point you see the actual
9:59 device is no longer pinging uh this can
10:01 be expanded to as as further you would
10:03 want to take it right this is a simple
10:04 example of desktop one not talking to
10:06 desktop two this could be you tagging all
10:09 of your cameras and then a lot not
10:11 allowing camera to camera communication
10:13 only to controller communication
10:14 whatever the use case is it's
10:17 administered here in one place and it's
10:20 uh it's you can observe and then you can
10:23 push this down to thousands of switches
10:25 across across the entire segment can you
10:27 get back to your CLI and cancel it so I
10:29 can see it failed
10:31 can I get back to the CLI and cancel
10:33 the ping so I can say oh sure yeah yeah
10:35 yeah
10:37 right now it's pinging at 90 packets
10:40 nothing thank you all right no problem
10:43 hold our feet as far I love it I love it
10:45 you got to right let's turn it back on
10:47 and we'll make sure we're we can turn
10:49 the policy back on and yeah or turn back
10:51 up oh yeah turn it back on I guess
10:52 awesome uh so that's GBP uh there's a
10:55 whole lot of use cases we can do with it
10:57 but we wanted to bring about you know
10:58 the the ease of which we can manage that
11:01 uh and uh how you can do pot and now
11:03 it's pinging back again
11:05 with