Junos

Blog

Group Based Policy

From RFC VXLAN Group Policy Option draft-smith-vxlan-group-policy-04:

The VXLAN Group Based Policy Extension (VXLAN-GBP) header is defined
   as:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |G|R|R|R|I|R|R|R|R|D|R|R|A|R|R|R|        Group Policy ID        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          VXLAN Network Identifier (VNI)       |   Reserved    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                       Figure 1: VXLAN-GBP Extension

   The following bits are defined in addition to the existing VXLAN
   fields:

   G Bit: Bit 0 of the initial word is defined as the G (Group Based
   Policy Extension) bit.

      G = 1 indicates that the source TSI Group membership is being
      carried within the Group Policy ID field as defined in this
      document.

      G = 0 indicates that the Group Policy ID is not being carried, and
      the G Bit MUST be set to 0 as specified in [RFC7348].

   D bit: Bit 9 of the initial word is defined as the Don't Learn bit.
   When set, this bit indicates that the egress VTEP MUST NOT learn the
   source address of the encapsulated frame.

   A Bit: Bit 12 of the initial word is defined as the A (Policy
   Applied) bit.  This bit is only defined as the A bit when the G bit
   is set to 1.
   
      A = 1 indicates that the group policy has already been applied to
      this packet.  Policies MUST NOT be applied by devices when the A
      bit is set.

      A = 0 indicates that the group policy has not been applied to this
      packet.  Group policies MUST be applied by devices when the A bit
      is set to 0 and the destination Group has been determined.
      Devices that apply the Group policy MUST set the A bit to 1 after
      the policy has been applied.

   Group Policy ID: 16 bit identifier that indicates the source TSI
   Group membership being encapsulated by VXLAN.  The allocation of
   Group Policy ID values is outside the scope of this document.

In Junos GBP can be defined with either MAC, Subnet (IP Prefix), or VLAN. Here are some sample configs generated by Mist Wired Assurance (Campus Fabric IPClos Topology)

By Subnet

set groups top firewall family any filter gbp_tags_by_ip micro-segmentation
set groups top firewall family any filter gbp_tags_by_ip term 01 then gbp-tag 10
set groups top firewall family any filter gbp_tags_by_ip term 01 from ip-version ipv4 address 10.20.30.0/24
set groups top firewall family any filter gbp_SwitchPolicy1 term 01 from gbp-src-tag 10
set groups top firewall family any filter gbp_SwitchPolicy1 term 01 from gbp-dst-tag 10
set groups top firewall family any filter gbp_SwitchPolicy1 term 01 then discard
set groups top chassis forwarding-options vxlan-gbp-profile

By VLAN

set groups top firewall family any filter gbp_tags_by_vlan micro-segmentation
set groups top firewall family any filter gbp_tags_by_vlan term 01 then gbp-tag 11
set groups top firewall family any filter gbp_tags_by_vlan term 01 from vlan-id 1234
set groups top firewall family any filter gbp_SwitchPolicy2 term 01 from gbp-src-tag 11
set groups top firewall family any filter gbp_SwitchPolicy2 term 01 from gbp-dst-tag 11
set groups top firewall family any filter gbp_SwitchPolicy2 term 01 then discard
set groups top chassis forwarding-options vxlan-gbp-profile

By MAC

set groups top firewall family any filter gbp_tags_by_mac micro-segmentation
set groups top firewall family any filter gbp_tags_by_mac term 01 then gbp-tag 20
set groups top firewall family any filter gbp_tags_by_mac term 01 from mac-address 005054a8b0c1
set groups top firewall family any filter gbp_tags_by_mac term 02 then gbp-tag 30
set groups top firewall family any filter gbp_tags_by_mac term 02 from mac-address 005054a8f0d2
set groups top firewall family any filter gbp_SwitchPolicy3 term 01 from gbp-src-tag 20
set groups top firewall family any filter gbp_SwitchPolicy3 term 01 from gbp-dst-tag 30
set groups top firewall family any filter gbp_SwitchPolicy3 term 01 then discard
set groups top chassis forwarding-options vxlan-gbp-profile

Enforcement

set groups top chassis forwarding-options vxlan-gbp-profile
set groups top forwarding-options evpn-vxlan gbp ingress-enforcement
set apply-groups top
Back to Top ↑

You May Also Enjoy

Queues - Python

less than 1 minute read

Queues using Python

Stacks - Python

less than 1 minute read

Stacks using Python

Python Functions Default Arguments

1 minute read

Python Functions Default Arguments Default arguments are evaluated once, specifically when the module is loaded, and are shared across all callers. As a rule...