🔵 PART 1: VXLAN Security Design
VXLAN is a transport technology, not a security protocol.
Security must be implemented in multiple layers.
🟦 1️⃣ Underlay Network Security (IP Fabric)
This is the foundation of VXLAN.
Trusted devices only
OSPF / IS-IS authentication
Separate Management VRF
ACLs between Spine ↔ Leaf
Control-Plane Policing (CoPP)
🎯 Goal: Secure the transport layer
🟩 2️⃣ Control Plane Security (EVPN-BGP)
EVPN uses BGP to exchange MAC/IP routes.
BGP authentication (MD5 / TCP-AO)
Spine as Route Reflector
Leaf as EVPN Client
Strict RT/RD policies
🎯 Goal: Prevent fake route injection
🟨 3️⃣ Overlay Segmentation (Micro-Segmentation)
🚨 Most critical security layer
One Application = One VRF
Separate VNIs per tier
Example:
Frontend → VRF-A
Backend → VRF-B
Database → VRF-C
❌ No communication unless explicitly allowed
🎯 Goal: Limit blast radius
🟥 4️⃣ Distributed Firewall (Zero Trust)
Firewall on every Leaf
Policy based on IP, VM tags, security groups
Rules example:
Frontend ➝ Backend ✅
Frontend ➝ Database ❌
🎯 Goal: Zero-Trust inside the DC
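The segmentation and distributed-firewall rules above, modelled as a per-leaf policy check (added example, not code from the original post): each tier gets its own VRF and VNI, and a cross-VRF flow is dropped unless an explicit allow rule matches. Tier names, VNIs, subnets, ports and rules are constructed sample values.

```python
# Added example (not from the original post): a model of VXLAN overlay
# segmentation plus a per-leaf distributed firewall with default deny.
# Tier names, VNIs, VRFs, subnets and rules are constructed sample values.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Each tier lives in its own VRF and is reached through its own VNI.
TIERS = {
    "frontend": {"vrf": "VRF-A", "vni": 10010, "subnet": "10.10.0.0/24"},
    "backend":  {"vrf": "VRF-B", "vni": 10020, "subnet": "10.20.0.0/24"},
    "database": {"vrf": "VRF-C", "vni": 10030, "subnet": "10.30.0.0/24"},
}

@dataclass(frozen=True)
class AllowRule:
    src_tag: str   # security-group / VM tag of the source tier
    dst_tag: str   # security-group / VM tag of the destination tier
    dst_port: int  # TCP/UDP port the destination tier exposes

# Explicit allow list evaluated on every leaf; anything unmatched is dropped.
POLICY = [
    AllowRule("frontend", "backend", 8080),
    AllowRule("backend", "database", 5432),
    # No rule for frontend -> database: denied by default.
]

def tier_of(ip: str) -> Optional[str]:
    """Map an endpoint IP to its tier (and hence VRF/VNI) by subnet."""
    addr = ipaddress.ip_address(ip)
    for name, t in TIERS.items():
        if addr in ipaddress.ip_network(t["subnet"]):
            return name
    return None

def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return (action, reason) for a flow. Traffic inside one VRF is allowed;
    cross-VRF traffic needs an explicit allow rule, otherwise it is denied."""
    src, dst = tier_of(src_ip), tier_of(dst_ip)
    if src is None or dst is None:
        return "deny", "unknown endpoint"
    if TIERS[src]["vrf"] == TIERS[dst]["vrf"]:
        return "allow", f"intra-VRF {TIERS[src]['vrf']}"
    for r in POLICY:
        if (r.src_tag, r.dst_tag, r.dst_port) == (src, dst, dst_port):
            return "allow", f"rule {src}->{dst}:{dst_port}"
    return "deny", f"no policy {TIERS[src]['vrf']}->{TIERS[dst]['vrf']}"

if __name__ == "__main__":
    print(evaluate("10.10.0.5", "10.20.0.7", 8080))  # frontend -> backend
    print(evaluate("10.10.0.5", "10.30.0.9", 5432))  # frontend -> database
```

Denied flows carry the source and destination VRF in the reason string, which is the field a leaf would export in flow telemetry for the visibility layer described further down.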
🟪 5️⃣ Encryption & Visibility
MACsec / IPsec / TLS
Flow telemetry, EVPN monitoring
IDS / IPS integration
🎯 Goal: Secure & observe traffic
🌍 PART 2: BGP Security (Worldwide)
BGP authentication & GTSM
Strict route filtering
RPKI route-origin validation (Valid / Invalid / NotFound)
Secure Route Reflectors
Anycast, RTBH, DDoS mitigation
Policy-driven routing (Communities, Local-Pref)
🎯 Goal: Protect Internet routing
🏆 Reference Architecture
🌐 Internet
→ 🔐 Edge BGP
→ 🧱 Border Leaf
→ 🧠 Spine (RR)
→ 🔥 Leaf (VTEP + Firewall)
→ 🖥️ Applications