Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN (2023)

Table of Contents
Assigning SGTs Topology Videos

Starting with Junos OS Release 22.4R1, the GBP feature has some enhancements. With Advanced GBP, you can do policy enforcement on the ingress endpoint and perform GBP-tagging on these enhanced match conditions.

Table 3 shows the supported GBP-tagging match conditions:

Table 3: Match Conditions
Match Conditions Description

ip-version ipv4 <ip address> | <prefix-list>

ip-version ipv6 <ip address> | <prefix-list>

Match IPv4 or IPv6 source or destinations addresses or prefix-lists.

mac-address<mac address>

Match source or destination MAC address.


vlan-id <vlan id>

Match a combination of VLAN identifier and port.


Not supported on the EX4100 switches

vlan-id<vlan id>

Match VLAN identifier.


Not supported on the EX4100 switches


Match interface name.
  • Assigning SGTs
  • Topology

Assigning SGTs

In this example we configure SGTs on a RADIUS server, and then use 802.1X access control on the EX4400 to receive them. RADIUS servers are commonly used in campus environments for access control and, for example, to govern the assignment of VLANs.


  • If you configure 802.1X authentication with multiple supplicant mode, then GBP tagging is MAC-based, if you configure 802.1X authentication with single supplicant mode then GBP tagging is port-based.

  • IP address, vlan-id, and vlan-id+port matches are not supported with 802.1X.

To accommodate the use of SGTs on the RADIUS server, we need to leverage vendor specific attribute (VSA), as supported by the AAA service framework (these VSA are carried as part of the standard RADIUS request reply message, and provide a built-in extension to handle implementation-specific information such as our SGTs). The exact syntax on the RADIUS server varies according to whether the authentication scheme is MAC or EAP based. For MAC based clients, the configuration looks like this:

For EAP based clients, the SGT is pushed from RADIUS server at the time of authentication. The configuration looks like this:

GBP-based filters are used as classifiers for GBP tagging. These filters classify incoming streams and assign a GBP tag.

You can see how this works in the following code samples. GBP firewall policies are framed on the basis of source and destination GBP tags. A source tag is the 16-bit field in the VXLAN header in the incoming packet and is derived from the address (IP/MAC/port and so on) lookup, while the destination tag is derived at the egress tunnel or ingress endpoint, according to the configured tag assignment.

(Video) Demo - Deploying Group-Based Policy at Scale with Juniper Microsegmentation

Let's say we have this configuration (shown below) on both the ingress and egress endpoints. We recommend that you have same GBP tag assignment configuration across the system. Packets from source MAC address 00:01:02:03:04:10:10 are assigned the tag 100, and packets from source MAC address 00:01:02:03:04:20:20 are assigned 200.

For packets with GBP tag 100 and a destination MAC address of 00:01:02:03:04:10:10, the destination group tag (gbp-dst-tag) will be 100, and it will match on term t10-100. Likewise, for packets with GBP tag 100 and a destination MAC address of 00:01:02:03:04:20:20, the destination group tag will be 200, and it will match term t10-200.

The same tag assignment used to map the source MAC address to the source tag is also used to map the destination MAC address to the destination tag. This is true for port based assignments as well.


The priority of GBP tagging is as follows with ip-version being the highest priority:

  • ip-version ipv4 <ip address> | <prefix-list>

  • ip-version ipv6<ip address> | <prefix-list>

  • mac-address<mac address>

  • interface<interface_name> vlan-id <vlan id>

  • vlan-id<vlan id>

  • interface<interface_name>

Let's look at another code sample, this time using a a GBP source tag of 300, and with packets from IPv4 address As you can see below, GBP source tag 300 is assigned and in egress direction, and 300 is also GBP destination group tag.

(Video) Segmentation in ISE using Group-Based Policies

Note that by default policy enforcement is done on the egress endpoint. If you want to do policy enforcement on the ingress leaf, see the section below. In addition, you must enable VXLAN-GBP globally on the ingress node, so it can perform the look-up on the matches and add SGT in the VXLAN header, and also on the egress node. Do this with the configuration command shown here:

Policy Enforcement Overview on the Ingress Endpoint

Starting with Junos Release 22.4R1, you can also perform the policy enforcement on the ingress endpoint. Ingress enforcement optimizes the network bandwidth. To support policy enforcing on the ingress, we have a mechanism to propagate the MAC and IP-MAC based tags across the network using Type 2 and Type 5 routes. See EVPN Type 2 and Type 5 routes for more information. With this, the destination GBP-based policy is enforced in nodes closer to the ingress for MAC and IP-based GBP matches. Tag propagation is always in context of MAC and IP-based GBP. For VLANs, Port, and Port+VLAN matches this is not applicable.


If the host route is installed with the type 2 route that has the GBP tag, then the GBP tag is added in the type 5 route. Type 2 to Type 5 GBP tag propagation is supported but Type 5 route to Type 2 route GBP tag propagation is not supported.

For multihoming topologies, keep the configuration identical across multihoming members.

You must enable the following statement to perform the policy enforcement at the ingress node. When ingress enforcement is enabled or disabled, the Packet Forwarding Engine (PFE) restarts.

Host-Originated Packets

When packets egress from an integrated routing and bridging (IRB) interface over a virtual tunnel endpoint (VTEP), the kernel inserts a source GBP tag in the VXLAN header and sends the packet. The source GBP tag value is configured using the following statement:

Before creating any rules, it can be helpful to organize your scheme by creating a table for all your endpoints (users and devices) and the assigned SGT value. The table below can be used to further simplify the logic and clarify your rules.

Table 4: Endpoints and Their SGT Values


Assigned SGT Value

Permanent Employee (PE)


Contractor (CON)


Security Staff (SS)


Security Cam (CAM)


Engineering Server (ES)


The relationship between the RADIUS server and SGTs, the EX4400 and VXLAN packet headers, and a central firewall filter to manage the access policy, is such that a matrix becomes a handy way to organize the values. In the following table, we list user roles down the first column and device types across the first row to create an access matrix. Each user role and device type is assigned an SGT and the RADIUS configuration has been updated with the information.

This example uses three types of employees, Permanent Employee (PE), Contractor (CON), and Security Staff (SS). It also uses two types of resources, Eng Server (ES) and security camera (CAM). We use Y to indicate access is permitted, and N to shown when access is blocked. The table serves as a useful resource when creating the various firewall rules in the policy and makes access mapping simple and clear.

Table 5: Access Matrix
ES (SGT 500) CAM (SGT 400) PE (SGT 100) CON (SGT 200) SS (SGT 300)
PE (SGT 100) Y N Y Y N
CON (SGT 200) N N Y N N
SS (SGT 300) N Y N N Y
(Video) Juniper Microsegmentation with GBP


For the sake of simplicity, all the configuration in this example is done on a single Juniper EX4400 series switch running Junos OS Release 22.4.1R1. The switch is connected to a RADIUS server for AAA. This switch functions as egress in this example. Recall that for SGTs you must define the firewall on the egress switch, whereas you would typically do it on the ingress VXLAN gateway for the access layer.

Figure 2: VXLAN GBP on an EX4400 Switch Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN (1)

  • Requirements
  • Configuration
  • Configuring a Stand-Alone Juniper EX4400 Switch for VXLAN-GBP
  • Limitations for EX switches and QFX switches:


Enhanced GBP is supported in Junos OS 22.4R1 on the following switches: EX4100, EX4400, EX4650, QFX5120-32C, and QFX5120-48Y.


VXLAN-GBP based segmentation:

  • Users log on to the network and are authenticated by the RADIUS server (on which SGTs are configured for all the endpoints).
  • Using firewall filters, the EX4400 selects traffic on the basis of the 802.1X authentication or MAC address, and then assigns a group tag to matching frames. (For dot1x authenticated clients, the static firewall configuration is not needed). The mechanics of this are performed using firewall as shown here: and
  • Tagged traffic passing through the EX4400 is evaluated on the basis SGT values, again, using the mechanics of the firewall filter.
    • First enable chassis forwarding-options vxlan-gbp-profile on the device.

      (Video) Juniper Apstra Demo: Group Based Policies for Increased Assurance and Segmentation

    • Use the gbp-dst-tag and/or gbp-src-tag match conditions to write your firewall rules, and include them in the routing policy on the egress switch you use for GBP micro segmentation.
    • If you want policy enforcement to take place at the ingress endpoint, you need to enable the set fowarding-options evpn gbp ingress-enforcement option.

Configuring a Stand-Alone Juniper EX4400 Switch for VXLAN-GBP

Use the following commands to configure VXLAN-GBP segmentation in a sandbox environment. Typically, you would create the firewall filter rules on the switch that serves as the (egress) VXLAN gateway for the access layer, but for the sake of simplicity, we’re using the same stand-alone EX4400 for both the firewall filter rules and the RADIUS server (EAP, here). The values we use in this example are taken from the previous tables.

The commands below include variables such as profile names and IP addresses, which must be adapted to make sense for your test environment.

  1. Configure the radius server:
  2. Configure the physical ports to support RADIUS authentication:
  3. Set up the SGT tags on the RADIUS server:
  4. Enable VXLAN-GBP on the switch:
  5. Create Firewall filter rules that leverage the SGTs (using values organized in the matrix):
  6. Run a commit check in Junos to verify that the commands and the variables you used are valid. When satisfied with your configuration commit the candidate configuration to make it active on the device. These commands are shown below. You can also review your configuration by typing run show configuration.

Limitations for EX switches and QFX switches:

  • The number of unique tags for the EX4400 and QFX5120 platforms is restricted to 1K.

  • The interface and VLAN GBP matches are not be supported on the EX4100 switches.

  • Multicast IP-based GBP tagging is not supported.

  • IP-based GBP is not applied for Layer 2 switching flows and MAC-based GBP is not applied for access-to-access Layer 3 routing flows.

  • IPACL is not supported when Port-based (interface) GBP is configured.

  • Policer and count action is supported only for MAC-based and IP-based GBP policy entries.

  • VLAN-based GBP is not supported for service provider style logical interfaces.

  • ARP packets are not subjected to GBP policies. However, subsequent packets between hosts are subjected to GBP policing.

    (Video) Group Based Segmentation Basics


1. Dynamic Segmentation VNBT Demo - AOS-CX Data Center VXLAN EVPN Series 15
(Airheads Broadcasting)
2. SD Access: Micro Segmentation Demonstration
(Cisco-Chioke-All things Cisco Security!)
3. Addressing Practical Challenges to Implementing Micro-segmentation
4. How to Make Segmentation Fast & Simple with a Single Policy | Guardicore Centra™ Security
5. Arista Multi-Domain Segmentation
(Arista Networks)
6. Silent Demo - SD-Access / Micro-Segmentation
Top Articles
Latest Posts
Article information

Author: Jeremiah Abshire

Last Updated: 06/26/2023

Views: 6373

Rating: 4.3 / 5 (54 voted)

Reviews: 93% of readers found this page helpful

Author information

Name: Jeremiah Abshire

Birthday: 1993-09-14

Address: Apt. 425 92748 Jannie Centers, Port Nikitaville, VT 82110

Phone: +8096210939894

Job: Lead Healthcare Manager

Hobby: Watching movies, Watching movies, Knapping, LARPing, Coffee roasting, Lacemaking, Gaming

Introduction: My name is Jeremiah Abshire, I am a outstanding, kind, clever, hilarious, curious, hilarious, outstanding person who loves writing and wants to share my knowledge and understanding with you.