+++
title = "Chapter 11: Zero Trust and Micro-Segmentation with VLANs/VXLAN"
topic = "networking"
date = 2026-01-24
draft = false
weight = 11
description = "Explore Zero Trust and micro-segmentation architectures, leveraging VLANs and VXLAN for enhanced security and granular network isolation in modern enterprise and cloud environments."
slug = "zero-trust-microsegmentation"
keywords = ["Zero Trust", "Micro-segmentation", "VLAN", "VXLAN", "Network Security", "Network Isolation", "Private VLAN", "EVPN", "Network Automation", "Cisco", "Juniper", "Arista"]
tags = ["Networking", "Security", "VLAN", "VXLAN", "Zero Trust", "Micro-segmentation", "Automation"]
categories = ["Networking"]
+++

## 11.1 Introduction

In an increasingly complex and threat-laden digital landscape, traditional perimeter-based security models are no longer sufficient. The rise of sophisticated cyberattacks, insider threats, and hybrid cloud architectures demands a more robust and adaptable security posture. This is where **Zero Trust** security principles and **micro-segmentation** emerge as indispensable strategies.

This chapter delves into the application of Zero Trust principles within network design, focusing on how **VLANs** (Virtual Local Area Networks) and **VXLAN** (Virtual Extensible LAN) facilitate powerful micro-segmentation. We will explore the technical underpinnings of these technologies, their architectural implications, and practical implementation across multi-vendor environments.

**What this chapter covers:**

*   The core tenets of Zero Trust and its relationship with network segmentation.
*   The evolution from broad VLAN segmentation to granular micro-segmentation.
*   Detailed technical concepts of Private VLANs (PVLANs) and VXLAN.
*   Multi-vendor configuration examples for implementing segmentation.
*   Leveraging automation tools like Ansible and Python for efficient deployment.
*   Comprehensive security considerations, attack vectors, and mitigation strategies.
*   Practical verification and troubleshooting techniques.
*   Performance optimization best practices.

**Why it's important:**

By understanding and implementing the concepts in this chapter, network engineers can design and manage highly secure, agile, and resilient networks that inherently limit the blast radius of security breaches, enforce least-privilege access, and meet stringent compliance requirements.

**What you'll be able to do after:**

Upon completing this chapter, you will be equipped to:

*   Articulate Zero Trust principles and their network engineering implications.
*   Design and implement VLAN-based and VXLAN-based micro-segmentation strategies.
*   Configure Private VLANs on enterprise networking equipment.
*   Understand and configure basic VXLAN overlay networks for data center and hybrid cloud scenarios.
*   Automate segmentation tasks using Python and Ansible.
*   Identify and mitigate common security risks associated with network segmentation.
*   Perform effective verification and troubleshooting of complex segmented environments.

---

## 11.2 Technical Concepts

### 11.2.1 Zero Trust Security Model

The Zero Trust security model, popularized by Forrester Research, operates on the fundamental principle of "never trust, always verify." It asserts that no user, device, or application should be inherently trusted, regardless of its location (inside or outside the network perimeter). All access requests must be authenticated, authorized, and continuously validated.

**Key Principles of Zero Trust:**

1.  **Verify Explicitly:** Authenticate and authorize every device and user, and continuously validate their access, regardless of network location.
2.  **Use Least Privilege Access:** Grant users and devices only the necessary access for a specific task and only for a limited time.
3.  **Assume Breach:** Design networks with the expectation that breaches will occur. Isolate systems and data to minimize impact.
4.  **Micro-segmentation:** Break down the network into small, isolated segments (workloads, applications, individual devices) and apply granular security policies to control traffic flow between them.
5.  **Multi-factor Authentication (MFA):** Mandate MFA for all user access.
6.  **Data Security:** Protect data at rest and in transit through encryption and other mechanisms.
7.  **Automation and Orchestration:** Automate security policy enforcement and incident response.

Micro-segmentation is a cornerstone of Zero Trust, enabling the "assume breach" principle by limiting lateral movement within the network.

### 11.2.2 Micro-segmentation: Granular Network Isolation

Micro-segmentation is the practice of dividing a network into distinct, isolated segments down to the workload level. Unlike traditional VLANs which segment at a broader Layer 2 domain, micro-segmentation applies security policies directly to individual applications, virtual machines (VMs), containers, or user groups, controlling traffic flow between them.

**Benefits of Micro-segmentation:**

*   **Reduced Attack Surface:** Limits lateral movement for attackers, confining them to a small segment if a breach occurs.
*   **Improved Compliance:** Easier to demonstrate regulatory compliance by isolating sensitive data and systems.
*   **Enhanced Security Posture:** Granular control over traffic flow allows for precise policy enforcement.
*   **Operational Agility:** Policies can be defined and automated for dynamic environments.
*   **Better Visibility:** Provides detailed insights into application and workload communication.

### 11.2.3 VLAN-based Micro-segmentation and Private VLANs (PVLANs)

Traditional VLANs provide logical isolation by segmenting broadcast domains. While effective for separating departments or traffic types (e.g., voice, data, guest Wi-Fi), they offer limited granularity for micro-segmentation *within* a VLAN. All devices within the same VLAN can communicate freely unless Layer 3 access control lists (ACLs) are applied via a router or firewall.

**Private VLANs (PVLANs)** enhance traditional VLAN capabilities by introducing sub-VLANs within a primary VLAN, providing Layer 2 isolation between devices that are otherwise in the same IP subnet. This allows for true micro-segmentation at Layer 2 without introducing additional Layer 3 routing complexities for internal-VLAN communication.

**PVLAN Components:**

*   **Primary VLAN:** The main VLAN that carries traffic for all member ports. It has an associated IP subnet.
*   **Secondary VLANs:** Sub-VLANs within the primary VLAN, providing different isolation types:
    *   **Isolated VLAN:** Ports assigned to an Isolated VLAN can only communicate with promiscuous ports and other devices outside the PVLAN domain (typically via the primary VLAN interface on a router/firewall). They cannot communicate with other isolated ports, even if they are in the same Isolated VLAN, or with community ports.
    *   **Community VLAN:** Ports assigned to a Community VLAN can communicate with other ports in the same Community VLAN and with promiscuous ports. They cannot communicate with isolated ports or with ports in different Community VLANs.
*   **Port Types:**
    *   **Promiscuous Port:** Can communicate with all other ports within the PVLAN, including isolated and community ports. Typically, this is the uplink to a router, firewall, or Layer 3 switch that provides inter-VLAN routing or internet access.
    *   **Isolated Port:** Can only communicate with promiscuous ports.
    *   **Community Port:** Can communicate with other community ports within the same community VLAN and with promiscuous ports.

**PVLAN Operation:**

PVLANs work by modifying the Layer 2 forwarding behavior of switch ports. When a frame arrives on an isolated or community port, the switch internally modifies its VLAN tag to the primary VLAN tag for forwarding to promiscuous ports. For frames between isolated or community ports, the switch enforces the PVLAN rules to drop traffic that is not allowed.

Here's a conceptual diagram of PVLANs:

```nwdiag
nwdiag {
  network "Primary VLAN 10 (10.0.0.0/24)" {
    color = "#ADD8E6"; // Light Blue
    description = "Allows communication to/from Promiscuous port";

    router_gateway [address = "10.0.0.1", shape = cloud];
  }

  network "Isolated VLAN 101" {
    color = "#FFCCCB"; // Light Red
    description = "Clients cannot talk to each other";

    server_A [address = "10.0.0.10", description = "Isolated Port"];
    server_B [address = "10.0.0.11", description = "Isolated Port"];
  }

  network "Community VLAN 102" {
    color = "#90EE90"; // Light Green
    description = "Clients can talk within this VLAN";

    client_C [address = "10.0.0.20", description = "Community Port"];
    client_D [address = "10.0.0.21", description = "Community Port"];
  }

  network "Community VLAN 103" {
    color = "#FFFFCC"; // Light Yellow
    description = "Clients can talk within this VLAN";

    client_E [address = "10.0.0.30", description = "Community Port"];
    client_F [address = "10.0.0.31", description = "Community Port"];
  }

  // Connections based on PVLAN rules (logical representation)
  router_gateway -- server_A [label = "Promiscuous"];
  router_gateway -- server_B [label = "Promiscuous"];
  router_gateway -- client_C [label = "Promiscuous"];
  router_gateway -- client_D [label = "Promiscuous"];
  router_gateway -- client_E [label = "Promiscuous"];
  router_gateway -- client_F [label = "Promiscuous"];

  client_C -- client_D [label = "Community"];
  client_E -- client_F [label = "Community"];
}

Limitations of PVLANs:

• Switch-dependent: PVLANs must be configured on every switch in the path and are not standard across all vendors or platforms.
• Scalability: While better than basic VLANs, managing a large number of PVLANs across many switches can become complex.
• Layer 2 restriction: Primarily for Layer 2 isolation within an IP subnet. Inter-PVLAN routing still relies on Layer 3 devices.
• Manual configuration: Often requires significant manual intervention or complex automation.

RFCs/Standards:

• IEEE 802.1Q-2022: Standard for VLAN Tagging. PVLANs are an enhancement built upon 802.1Q.
• IEEE 802.1ad: Often referred to as QinQ, allows for stacking multiple 802.1Q tags, useful in service provider networks, but not directly PVLANs. PVLANs are a feature within a single 802.1Q domain.

11.2.4 VXLAN for Advanced Micro-segmentation

For large-scale, dynamic environments like data centers and hybrid clouds, VXLAN (Virtual Extensible LAN) offers a more powerful and scalable solution for micro-segmentation. VXLAN is an overlay network technology that encapsulates Layer 2 Ethernet frames within Layer 3 UDP packets, allowing Layer 2 segments to be extended across any IP network.

Key VXLAN Concepts:

• Overlay Network: VXLAN creates a virtual Layer 2 network (overlay) that runs on top of an existing Layer 3 network (underlay).
• VNI (VXLAN Network Identifier): A 24-bit identifier that uniquely identifies a Layer 2 segment. This allows for up to 16 million unique segments, far exceeding the 4,094 limit of VLANs.
• VTEP (VXLAN Tunnel Endpoint): A network device (switch, router, server hypervisor) that performs VXLAN encapsulation and de-encapsulation. VTEPs have an IP address in the underlay network.
• Underlay Network: The physical Layer 3 IP network that provides connectivity between VTEPs. It’s responsible for routing the encapsulated VXLAN packets.
• Control Plane: Initially, VXLAN used data-plane learning (like traditional Layer 2 flooding for ARP), but modern deployments overwhelmingly use BGP EVPN (Ethernet VPN) as the control plane. EVPN distributes Layer 2 MAC addresses and Layer 3 IP routes (host routes) along with VNI mappings, eliminating the need for flooding and enabling efficient multi-tenancy.

VXLAN Packet Structure:

VXLAN encapsulates an Ethernet frame by adding a VXLAN header and an outer UDP/IP header.

packetdiag {
  colwidth = 32
  // Outer Ethernet Header (Underlay)
  0-7: DMAC
  8-15: SMAC
  16-17: EtherType (0x0800 for IP)

  // Outer IP Header (Underlay)
  18-21: Version / IHL / DSCP / ECN
  22-23: Total Length
  24-27: Identification / Flags / Fragment Offset
  28-28: TTL
  29-29: Protocol (17 for UDP)
  30-31: Header Checksum
  32-47: Source IP Address (VTEP)
  48-63: Destination IP Address (VTEP)

  // Outer UDP Header (Underlay)
  64-79: Source Port (usually high-order ephemeral)
  80-95: Destination Port (4789 for VXLAN)
  96-111: UDP Length
  112-127: UDP Checksum

  // VXLAN Header
  128-135: Flags (I-flag set for VNI)
  136-151: Reserved (24 bits)
  152-175: VNI (24 bits)
  176-191: Reserved (8 bits)

  // Inner Ethernet Header (Overlay)
  192-199: Inner DMAC
  200-207: Inner SMAC
  208-209: Inner EtherType

  // Original Ethernet Payload
  210-257: Original Payload (variable length)
  258-261: FCS (Frame Check Sequence)
}

VXLAN Benefits for Micro-segmentation:

• Massive Scalability: 16 million VNIs enable segmentation down to individual applications or tenants.
• Layer 2 Extension over L3: Decouples the logical network from the physical underlay, allowing segments to span across geographically dispersed data centers or cloud regions.
• Multi-tenancy: Naturally supports multiple isolated tenants on shared physical infrastructure.
• Policy Enforcement: Integrates well with SDN controllers and orchestration platforms (e.g., Cisco ACI, VMware NSX, OpenStack Neutron) for automated, granular policy application.
• ECMP (Equal-Cost Multi-Path): Leverages the underlying IP network’s routing capabilities for efficient load balancing and resiliency.

Control Plane vs. Data Plane in VXLAN:

• Data Plane (Encapsulation/Decapsulation): Performed by VTEPs (physical switches, virtual switches, hypervisors). This is where the actual packet transformation happens.
• Control Plane (MAC/IP/VNI Distribution):
  • Flood and Learn: Initial VXLAN deployments relied on flooding unknown unicast, broadcast, and multicast traffic (BUM traffic) to learn MAC addresses. This approach scales poorly.
  • BGP EVPN (RFC 7432, 8365): The industry-standard control plane for VXLAN. BGP EVPN peers exchange MAC addresses, IP host routes, and VNI mappings, providing efficient learning and preventing unnecessary flooding. This is critical for robust micro-segmentation at scale.

Comparison: VLAN vs. VXLAN for Micro-segmentation

RFCs/Standards for VXLAN:

• RFC 7348: Virtual Extensible LAN (VXLAN): A Framework for Overlaying Virtualized Layer 2 Networks over Layer 3 Networks.
• RFC 7432: BGP Ethernet VPN (EVPN). Defines how BGP is used to distribute MAC addresses and IP routes in an EVPN domain.
• RFC 8365: A Network Virtualization Overlay Solution using EVPN. Provides updated guidance and best practices for EVPN.

@startuml
!theme mars

' Define elements first
cloud "Underlay IP Network (routed)" as UNDERLAY {
    rectangle "Core Router 1" as CR1
    rectangle "Core Router 2" as CR2
}

node "VTEP 1 (Leaf Switch 1 / Hypervisor)" as VTEP1 {
    rectangle "VM A (VNI 1000)" as VMA
    rectangle "VM B (VNI 1000)" as VMB
}

node "VTEP 2 (Leaf Switch 2 / Hypervisor)" as VTEP2 {
    rectangle "VM C (VNI 1000)" as VMC
    rectangle "VM D (VNI 2000)" as VMD
}

node "External Gateway (L3/Border Leaf)" as GW {
    rectangle "External Network" as EXT_NET
}

' Connect elements
VTEP1 -- CR1
VTEP2 -- CR2
CR1 -- CR2

VTEP1 .. VTEP2 : Encapsulated L2 traffic (VXLAN Tunnel over L3)
VTEP1 -- VMA
VTEP1 -- VMB
VTEP2 -- VMC
VTEP2 -- VMD

(CR1, CR2) -- GW

GW -- EXT_NET : L3 Routing to external networks

note "VNI 1000 (Red Tenant)" as N1
note "VNI 2000 (Blue Tenant)" as N2

VMA -[hidden]-> N1
VMB -[hidden]-> N1
VMC -[hidden]-> N1
VMD -[hidden]-> N2

@enduml

11.3 Configuration Examples

11.3.1 Private VLAN (PVLAN) Configuration

PVLANs require careful planning of primary and secondary VLANs and port roles. Here are examples for Cisco and Arista. Juniper Junos OS typically achieves similar isolation via bridge domains and port modes with Layer 3 routing instances, rather than a direct PVLAN implementation, or through security features like MACsec or firewalls on interfaces.

Cisco IOS-XE/NX-OS PVLAN Configuration

Scenario: Primary VLAN 10 (IP subnet 10.0.0.0/24). Isolated VLAN 101 for Server_A and Server_B (cannot communicate with each other). Community VLAN 102 for Client_C and Client_D (can communicate with each other). Router_Gateway (10.0.0.1) is the promiscuous port for all PVLAN members.

! Configure Primary and Secondary VLANs
vlan 10
 private-vlan primary
 private-vlan association 101,102
!
vlan 101
 private-vlan isolated
!
vlan 102
 private-vlan community
!

! Configure the Layer 3 interface for the Primary VLAN (Router_Gateway)
interface Vlan10
 ip address 10.0.0.1 255.255.255.0
 private-vlan mapping 101,102
 no shutdown
!

! Configure Promiscuous Port (e.g., interface to router/firewall)
interface GigabitEthernet1/0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 10 primary 101,102
 no shutdown
!

! Configure Isolated Ports (e.g., for Server_A and Server_B)
interface GigabitEthernet1/0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 10 101
 no shutdown
!
interface GigabitEthernet1/0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 10 101
 no shutdown
!

! Configure Community Ports (e.g., for Client_C and Client_D)
interface GigabitEthernet1/0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 10 102
 no shutdown
!
interface GigabitEthernet1/0/5
 switchport mode private-vlan host
 switchport private-vlan host-association 10 102
 no shutdown
!

Verification Commands (Cisco):

show vlan private-vlan
show vlan private-vlan type
show vlan private-vlan association
show interface GigabitEthernet1/0/1 private-vlan

Expected Output Snippet:

Switch# show vlan private-vlan
Primary  Secondary  Type      Ports
-------  ---------  --------  --------------------------------------------------
10       101        isolated  Gi1/0/2, Gi1/0/3
10       102        community Gi1/0/4, Gi1/0/5

Switch# show vlan private-vlan type
VLAN Type Name                             Status
---- ----- -------------------------------- ------------
10   primary                               active
101  isolated                             active
102  community                            active

Arista EOS PVLAN Configuration

Arista EOS also supports Private VLANs with a similar conceptual model.

! Configure Primary and Secondary VLANs
vlan 10
  private-vlan primary
  private-vlan associate-secondary 101,102
!
vlan 101
  private-vlan isolated
!
vlan 102
  private-vlan community
!

! Configure the Layer 3 interface for the Primary VLAN (Router_Gateway)
interface Vlan10
  ip address 10.0.0.1/24
  private-vlan mapping 101,102
  no shutdown
!

! Configure Promiscuous Port (e.g., interface to router/firewall)
interface Ethernet1
  switchport mode private-vlan promiscuous
  switchport private-vlan mapping 10 secondary 101,102
  no shutdown
!

! Configure Isolated Ports (e.g., for Server_A and Server_B)
interface Ethernet2
  switchport mode private-vlan host
  switchport private-vlan host-association 10 101
  no shutdown
!
interface Ethernet3
  switchport mode private-vlan host
  switchport private-vlan host-association 10 101
  no shutdown
!

! Configure Community Ports (e.g., for Client_C and Client_D)
interface Ethernet4
  switchport mode private-vlan host
  switchport private-vlan host-association 10 102
  no shutdown
!
interface Ethernet5
  switchport mode private-vlan host
  switchport private-vlan host-association 10 102
  no shutdown
!

Verification Commands (Arista):

show private-vlan
show private-vlan mappings
show interfaces Ethernet1 private-vlan

Expected Output Snippet:

Arista# show private-vlan
Primary VLANs
--------------------------------------------------------------------------------
VLAN  Type     Secondary VLANs                     State   Ports
----  -------- ----------------------------------- ------- --------------------
10    primary  101 (isolated), 102 (community)    active  Et1

Secondary VLANs
--------------------------------------------------------------------------------
VLAN  Type     Primary VLAN  State   Ports
----  -------- ------------- ------- ------------------------------------------
101   isolated 10            active  Et2, Et3
102   community 10            active  Et4, Et5

11.3.2 Basic VXLAN with BGP EVPN Configuration (Overlay)

Configuring VXLAN with BGP EVPN is a more complex task, typically involving multiple network devices acting as VTEPs and a routed underlay. We will provide simplified examples focusing on the overlay configuration for a single VNI.

Underlay Pre-requisites:

• A routed IP network provides reachability between VTEP loopback interfaces.
• OSPF, IS-IS, or BGP can be used for underlay routing.
• Jumbo frames (MTU 9216 bytes) are typically required on all underlay links to accommodate the VXLAN encapsulation overhead.

Scenario: Two VTEPs (Leaf1, Leaf2) forming a VXLAN tunnel for VNI 10000, mapped to VLAN 10. Leaf1 VTEP IP: 10.0.0.1, Leaf2 VTEP IP: 10.0.0.2. Underlay routing ensures these loopbacks are reachable. BGP EVPN peers with a Route Reflector (or full mesh).

Cisco Nexus NX-OS VXLAN with EVPN Configuration (Simplified)

! Feature enablement
feature bgp
feature vn-segment-vlan-mapping
feature nv overlay
feature interface-vlan

! Ensure jumbo frames are enabled on all physical interfaces in the underlay
! Example:
! interface Ethernet1/1
!  mtu 9216
!  no shutdown

! Configure Loopback for VTEP IP
interface Loopback0
  description VTEP Source Interface
  ip address 10.0.0.1/32
!
! (On Leaf2, this would be 10.0.0.2/32)

! Create Vlan and Map to VNI
vlan 10
  vn-segment 10000
!

! Configure the Bridge Domain Interface (BDI) for L2 traffic
interface nve1
  no shutdown
  source-interface Loopback0
  host-reachability protocol bgp
  member vni 10000 associate-vrf
!

! Configure BGP EVPN
router bgp 65001
  router-id 10.0.0.1
  address-family l2vpn evpn
    retain route-target all
  neighbor 10.0.0.X remote-as 65001  ! Peer with Route Reflector or other VTEP
    update-source Loopback0
    address-family l2vpn evpn
      send-community extended
      route-map RM-TO-PEER out ! Apply route-map for specific prefixes/communities
!
! (On Leaf2, router-id 10.0.0.2, neighbor 10.0.0.1)

! Optional: Configure SVI for inter-VNI routing (for L3 micro-segmentation)
interface Vlan10
  no shutdown
  ip address 10.10.10.1/24
  no ip redirects
  fabric forwarding mode anycast-gateway
!
! (On Leaf2, ip address 10.10.10.2/24)

Verification Commands (Cisco NX-OS):

show nve interface nve1 detail
show nve peers
show vlan vn-segment
show bgp l2vpn evpn summary
show bgp l2vpn evpn route type 2 detail
show bgp l2vpn evpn route type 3 detail

Expected Output Snippet (show nve interface nve1 detail):

Interface: nve1, State: Up, Encapsulation: VXLAN
  IP DAD Enabled: No
  VLAN-backed VNIs:
    VNI: 10000   Admin State: Up   Oper State: Up   (VLAN 10)
  Source-interface: loopback0 (10.0.0.1)
  Host-reachability protocol: BGP

Arista EOS VXLAN with EVPN Configuration (Simplified)

! Feature enablement
service routing protocols model pure ip
feature vlan
feature vxlan
feature interface-vlan
feature bgp

! Ensure jumbo frames are enabled on all physical interfaces in the underlay
! Example:
! interface Ethernet1
!  mtu 9216
!  no shutdown

! Configure Loopback for VTEP IP
interface Loopback0
  description VTEP Source Interface
  ip address 10.0.0.1/32
!
! (On Leaf2, this would be 10.0.0.2/32)

! Create Vlan and Map to VNI
vlan 10
  vxlan vni 10000
!

! Configure the VXLAN interface
interface Vxlan1
  vxlan source-interface Loopback0
  vxlan udp-port 4789
  vxlan vlan 10 vni 10000
!

! Configure BGP EVPN
router bgp 65001
  router-id 10.0.0.1
  !
  address-family evpn
    neighbor 10.0.0.X remote-as 65001  ! Peer with Route Reflector or other VTEP
      description BGP EVPN Peer
      update-source Loopback0
      send-extended-community
      !
  vrf default
    ! Configure route-target/route-distinguisher for specific VRFs/VNIs if needed
    ! For simple L2 VNI, this might be handled globally or implicitly
!
! (On Leaf2, router-id 10.0.0.2, neighbor 10.0.0.1)

! Optional: Configure SVI for inter-VNI routing (for L3 micro-segmentation)
interface Vlan10
  ip address 10.10.10.1/24
  no shutdown
  !
  ! if using an Anycast Gateway setup:
  ! ip virtual-router address 10.10.10.254
!
! (On Leaf2, ip address 10.10.10.2/24)

Verification Commands (Arista EOS):

show vxlan
show vxlan address-table
show evpn peers
show bgp evpn summary
show bgp evpn route
show interface vxlan 1

Expected Output Snippet (show vxlan):

Arista# show vxlan
VxLAN interface Vxlan1
  Source interface: Loopback0 (10.0.0.1)
  UDP port: 4789
  Encapsulation: Vxlan
  VNI mapping:
    VLAN 10: VNI 10000

Juniper Junos OS VXLAN with EVPN Configuration (Simplified)

# Set system-wide MTU for jumbo frames
set system services extension-service request-response grpc clear-text
set system services extension-service request-response grpc skip-authentication
# Example physical interface configuration (apply to all underlay interfaces)
# set interfaces et-0/0/0 mtu 9216

# Configure Loopback for VTEP IP
set interfaces lo0 unit 0 family inet address 10.0.0.1/32
# (On Leaf2, this would be 10.0.0.2/32)

# Create Bridge Domain (maps VLAN to VNI)
set routing-instances EVPN-VXLAN instance-type evpn
set routing-instances EVPN-VXLAN protocols evpn encapsulation vxlan
set routing-instances EVPN-VXLAN protocols evpn default-gateway no-local-binding
set routing-instances EVPN-VXLAN interface irb.10 # This will be created later
set routing-instances EVPN-VXLAN route-distinguisher 65001:10
set routing-instances EVPN-VXLAN vrf-target target:65001:10
set routing-instances EVPN-VXLAN bridge-domains BD_VLAN10 domain-type bridge
set routing-instances EVPN-VXLAN bridge-domains BD_VLAN10 vlan-id 10
set routing-instances EVPN-VXLAN bridge-domains BD_VLAN10 vxlan vni 10000
set routing-instances EVPN-VXLAN bridge-domains BD_VLAN10 interface xe-0/0/X.0  # Access port for VLAN 10

# Configure an IRB (Integrated Routing and Bridging) interface for L3 routing
set interfaces irb unit 10 family inet address 10.10.10.1/24
# (On Leaf2, this would be 10.10.10.2/24)

# Configure VXLAN Tunnel Interface
set interfaces vtep unit 0 encapsulation vxlan
set interfaces vtep unit 0 family bridge interface-mode access
set interfaces vtep unit 0 vxlan-properties vni 10000

# Configure BGP EVPN
set routing-options router-id 10.0.0.1
set protocols bgp group EVPN type external
set protocols bgp group EVPN local-address 10.0.0.1
set protocols bgp group EVPN neighbor 10.0.0.X peer-as 65001 # Peer with Route Reflector or other VTEP
set protocols bgp group EVPN family evpn signaling

Verification Commands (Juniper Junos OS):

show evpn database
show evpn instance
show interfaces vtep
show bgp summary
show bgp evpn route

Expected Output Snippet (show evpn database):

Routing instance: EVPN-VXLAN
VLAN  VNI   Type   MAC address         Logical Interface      Age  Static
10    10000 Bridge 00:50:56:88:99:AA    vtep.0.10000           -    No

11.4 Automation Examples

Network automation is crucial for managing the complexity of micro-segmentation, especially with VXLAN deployments. Here we demonstrate basic VLAN configuration using Ansible and a Python script for verification. Terraform is excellent for provisioning the underlying infrastructure (e.g., cloud VPCs, compute instances for VTEPs) but a full VXLAN overlay deployment in Terraform is quite extensive.

11.4.1 Ansible Playbook for VLAN and Interface Configuration

This Ansible playbook automates the creation of VLANs and assigns them to access ports on Cisco, Juniper, and Arista switches.

---
- name: Configure VLANs and Access Ports for Micro-segmentation
  hosts: network_devices
  gather_facts: no
  connection: network_cli

  vars:
    new_vlans:
      - id: 20
        name: "WEB_AP_TIER"
      - id: 30
        name: "DB_TIER"
      - id: 40
        name: "DEV_ENV"
    
    interface_assignments:
      - name: "GigabitEthernet1/0/1" # Cisco
        vlan: 20
      - name: "GigabitEthernet1/0/2" # Cisco
        vlan: 30
      - name: "Ethernet1"           # Arista
        vlan: 20
      - name: "Ethernet2"           # Arista
        vlan: 30
      - name: "xe-0/0/0"            # Juniper
        vlan: 20
      - name: "xe-0/0/1"            # Juniper
        vlan: 30

  tasks:
    - name: Configure VLANs on Cisco devices
      when: ansible_network_os == 'ios' or ansible_network_os == 'nxos'
      cisco.ios.ios_vlans: # Or cisco.nxos.nxos_vlans for NX-OS
        config: ""
        state: merged
      tags: cisco_vlans

    - name: Configure VLANs on Arista devices
      when: ansible_network_os == 'eos'
      arista.eos.vlans:
        config: ""
        state: merged
      tags: arista_vlans

    - name: Configure VLANs on Juniper devices
      when: ansible_network_os == 'junos'
      junipernetworks.junos.vlans:
        config: ""
        state: merged
      tags: juniper_vlans

    - name: Configure Access Ports on Cisco devices
      when: ansible_network_os == 'ios' or ansible_network_os == 'nxos'
      cisco.ios.ios_interfaces: # Or cisco.nxos.nxos_interfaces
        config:
          - name: ""
            enabled: true
            mode: access
            access_vlan: ""
        state: merged
      loop: ""
      loop_control:
        label: "Cisco:  to VLAN "
      tags: cisco_interfaces

    - name: Configure Access Ports on Arista devices
      when: ansible_network_os == 'eos'
      arista.eos.interfaces:
        config:
          - name: ""
            enabled: true
            switchport:
              mode: access
              access_vlan: ""
        state: merged
      loop: ""
      loop_control:
        label: "Arista:  to VLAN "
      tags: arista_interfaces

    - name: Configure Access Ports on Juniper devices
      when: ansible_network_os == 'junos'
      junipernetworks.junos.interfaces:
        config:
          - name: ""
            unit: 0
            description: "Access Port for VLAN "
            vlan_mode: access
            vlan_id: ""
        state: merged
      loop: ""
      loop_control:
        label: "Juniper:  to VLAN "
      tags: juniper_interfaces

  handlers:
    - name: Save running configuration (Cisco/Arista)
      block:
        - name: Save on Cisco
          when: ansible_network_os == 'ios' or ansible_network_os == 'nxos'
          ansible.builtin.command: "write memory"
          changed_when: false
        - name: Save on Arista
          when: ansible_network_os == 'eos'
          ansible.builtin.command: "write memory"
          changed_when: false
      listen: "save config"

    - name: Save running configuration (Juniper)
      when: ansible_network_os == 'junos'
      junipernetworks.junos.cli:
        command: "save"
        format: "text"
      changed_when: false
      listen: "save config"

11.4.2 Python Script for VLAN Verification (Netmiko)

This Python script uses Netmiko to connect to network devices and verify VLAN configurations.

import os
from netmiko import ConnectHandler
from getpass import getpass

# Device details (replace with your actual device information)
# This example uses placeholder values. In production, use a proper inventory system.
devices = [
    {
        "device_type": "cisco_ios",
        "host": "cisco-switch-1.example.com",
        "username": "admin",
        "password": os.getenv("NETMIKO_PASSWORD"), # Get from environment variable
    },
    {
        "device_type": "arista_eos",
        "host": "arista-leaf-1.example.com",
        "username": "admin",
        "password": os.getenv("NETMIKO_PASSWORD"),
    },
    {
        "device_type": "juniper_junos",
        "host": "juniper-srx-1.example.com",
        "username": "admin",
        "password": os.getenv("NETMIKO_PASSWORD"),
    },
]

# Ensure password is set in environment or prompt
if not os.getenv("NETMIKO_PASSWORD"):
    for device in devices:
        device["password"] = getpass(f"Enter password for {device['host']}: ")

def verify_vlans(device_params):
    """Connects to a device and verifies VLAN configuration."""
    print(f"\n--- Connecting to {device_params['host']} ({device_params['device_type']}) ---")
    try:
        with ConnectHandler(**device_params) as net_connect:
            if "cisco" in device_params["device_type"]:
                command = "show vlan brief"
            elif "arista" in device_params["device_type"]:
                command = "show vlan"
            elif "juniper" in device_params["device_type"]:
                command = "show vlans"
            else:
                print(f"Unsupported device type: {device_params['device_type']}")
                return

            output = net_connect.send_command(command, use_textfsm=True)
            print(f"VLANs on {device_params['host']}:")
            if output:
                # TextFSM output is a list of dictionaries
                if "cisco" in device_params["device_type"]:
                    for vlan in output:
                        print(f"  ID: {vlan['vlan_id']}, Name: {vlan['name']}, Status: {vlan['status']}, Ports: {', '.join(vlan['interfaces'])}")
                elif "arista" in device_params["device_type"]:
                     for vlan in output:
                        print(f"  ID: {vlan['vlan_id']}, Name: {vlan['name']}, Status: {vlan['status']}, Ports: {', '.join(vlan['interfaces'])}")
                elif "juniper" in device_params["device_type"]:
                    for vlan in output:
                        print(f"  Name: {vlan['name']}, ID: {vlan['vlan_id']}, Interfaces: {', '.join(vlan['interfaces'])}")
            else:
                print("  No VLAN information found or parse error.")

    except Exception as e:
        print(f"Error connecting to {device_params['host']}: {e}")

if __name__ == "__main__":
    for device in devices:
        verify_vlans(device)

11.4.3 Terraform for Infrastructure Provisioning (Hybrid Cloud)

Terraform is primarily used for provisioning infrastructure, which forms the underlay for VXLAN. While VXLAN overlay configuration is often handled by a separate controller or device-specific automation, Terraform can provision the compute instances (VMs, containers) and network connectivity that become VTEPs in a hybrid cloud scenario.

Here’s an example of how Terraform might provision a basic VPC in AWS with subnets, which could then host VTEPs.

# main.tf for AWS VPC provisioning
provider "aws" {
  region = "us-east-1"
}

resource "aws_vpc" "hybrid_cloud_vpc" {
  cidr_block = "10.100.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags = {
    Name        = "HybridCloudVPC"
    Environment = "Production"
  }
}

resource "aws_subnet" "public_subnet" {
  vpc_id            = aws_vpc.hybrid_cloud_vpc.id
  cidr_block        = "10.100.1.0/24"
  availability_zone = "us-east-1a"
  tags = {
    Name = "PublicSubnet"
  }
}

resource "aws_subnet" "private_vtep_subnet" {
  vpc_id            = aws_vpc.hybrid_cloud_vpc.id
  cidr_block        = "10.100.10.0/24"
  availability_zone = "us-east-1a"
  tags = {
    Name = "PrivateVTEPSubnet"
  }
}

resource "aws_internet_gateway" "gw" {
  vpc_id = aws_vpc.hybrid_cloud_vpc.id
  tags = {
    Name = "HybridCloudIGW"
  }
}

resource "aws_route_table" "public_rt" {
  vpc_id = aws_vpc.hybrid_cloud_vpc.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.gw.id
  }
}

resource "aws_route_table_association" "public_rt_assoc" {
  subnet_id      = aws_subnet.public_subnet.id
  route_table_id = aws_route_table.public_rt.id
}

output "vpc_id" {
  description = "The ID of the VPC"
  value       = aws_vpc.hybrid_cloud_vpc.id
}

output "private_vtep_subnet_id" {
  description = "The ID of the private VTEP subnet"
  value       = aws_subnet.private_vtep_subnet.id
}

11.5 Security Considerations

Implementing Zero Trust and micro-segmentation significantly enhances network security, but it also introduces new considerations and potential attack vectors if not properly secured.

11.5.1 Core Zero Trust Principles in Practice

• Identity-centric Security: All access decisions are based on the identity of the user, device, and application workload, verified through mechanisms like 802.1X, MFA, and strong authentication protocols.
• Least Privilege: Policies are designed to grant only the minimum necessary access. For micro-segmentation, this means meticulously crafted ACLs or firewall rules between segments.
• Continuous Monitoring: Constant monitoring of network traffic, user behavior, and system logs to detect anomalies and respond to threats in real-time.
• Contextual Policies: Access policies adapt based on dynamic context (user location, device posture, time of day, application sensitivity).

11.5.2 Attack Vectors and Mitigation Strategies

A. VLAN-Specific Attack Vectors

1. VLAN Hopping (DTP Spoofing / Double Tagging):

   • Attack: An attacker spoofs DTP (Dynamic Trunking Protocol) messages to force a switch port into trunking mode, gaining access to multiple VLANs. Double tagging involves embedding a hidden 802.1Q tag to bypass a native VLAN.
   • Mitigation:
     • Disable DTP: Configure all access ports as switchport mode access and all trunk ports as switchport mode trunk with switchport nonegotiate.
     • Change Native VLAN: Do not use VLAN 1 as the native VLAN. Assign an unused, dedicated VLAN as the native VLAN on trunks and ensure it’s not routed.
     • Prune unused VLANs: Use VLAN pruning to remove unnecessary VLANs from trunk links.
     • Private VLANs (PVLANs): Prevent direct communication between hosts in the same primary VLAN.

2. MAC Flooding:

   • Attack: Overwhelming a switch’s MAC address table, forcing it to behave like a hub and flood all traffic, allowing an attacker to intercept frames.
   • Mitigation:
     • Port Security: Limit the number of MAC addresses allowed on a port and specify actions (restrict, protect, shutdown) if the limit is exceeded.
     • DHCP Snooping / ARP Inspection: Prevent ARP spoofing and IP/MAC impersonation.

B. VXLAN-Specific Attack Vectors

1. Rogue VTEP:

   • Attack: An unauthorized device impersonates a legitimate VTEP, encapsulating malicious traffic and sending it into the VXLAN overlay.
   • Mitigation:
     • Authentication: Implement strong authentication (e.g., IPSec, MACsec) for VTEP-to-VTEP communication in the underlay.
     • Control Plane Security: Secure BGP EVPN with MD5 authentication, strict neighbor definitions, and proper route filtering.
     • Network Access Control (NAC): Authenticate and authorize all devices attempting to join the underlay network.

2. VNI Spoofing:

   • Attack: An attacker manipulates the VNI in encapsulated packets to gain access to unauthorized VXLAN segments.
   • Mitigation:
     • Strict VTEP Policy: Ensure only authorized VTEPs can encapsulate/de-encapsulate traffic for specific VNIs.
     • Firewalling: Implement firewalls at VTEPs or border leafs to inspect VXLAN traffic and enforce policies based on VNI and internal Layer 2/3 headers.
     • VXLAN Encryption: Encrypt VXLAN tunnels using IPSec (though computationally intensive).

3. Underlay Compromise:

   • Attack: Since VXLAN relies on the underlay IP network, compromise of the underlay routing or forwarding plane can lead to VXLAN disruption or traffic interception.
   • Mitigation:
     • Secure Underlay: Apply all standard routing security best practices (authenticate routing protocols, filter control plane traffic, secure management access).
     • Physical Security: Secure all physical network devices.
     • IPSec/MACsec: Encrypt underlay links to protect encapsulated VXLAN traffic.

C. General Micro-segmentation Security Best Practices

1. Policy Enforcement Points: Use dedicated security appliances (firewalls), Layer 3 switches with ACLs, or distributed firewall capabilities (e.g., hypervisor-based) as enforcement points.
2. Centralized Policy Management: Utilize SDN controllers (e.g., Cisco ACI, VMware NSX-T) or security policy managers for consistent and automated policy deployment across segments.
3. Traffic Visibility: Deploy network taps, NetFlow/IPFIX, or packet brokers to gain deep visibility into inter-segment traffic for monitoring and anomaly detection.
4. Regular Audits: Periodically review segmentation policies and network configurations to identify gaps and ensure continued compliance.
5. Secure Management Plane: Implement strong authentication, authorization, and accounting (AAA) for all network device management interfaces. Use out-of-band management where possible.

11.5.3 Compliance Requirements

Micro-segmentation is a powerful tool for meeting various regulatory compliance standards:

• PCI DSS (Payment Card Industry Data Security Standard): Helps isolate cardholder data environments (CDE) from the rest of the network, reducing the scope of compliance audits.
• HIPAA (Health Insurance Portability and Accountability Act): Facilitates the isolation of Electronic Protected Health Information (ePHI), controlling access to sensitive patient data.
• GDPR (General Data Protection Regulation): Supports data protection by design and by default principles by segregating personal data and restricting access.
• NIST Framework: Aligns with control families related to access control, network segregation, and incident response.

11.5.4 Security Configuration Examples

Cisco Port Security (VLAN security):

interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 2     ! Allow up to 2 MAC addresses
 switchport port-security violation shutdown ! Shutdown port on violation
 switchport port-security mac-address sticky ! Dynamically learn and stick MACs
 no shutdown

Warning: shutdown violation mode can cause operational disruption if a legitimate device moves or multiple devices connect unexpectedly. Use restrict or protect for less aggressive responses, or carefully plan the maximum MACs.

Junos OS Firewall Filter (Basic Segmentation between VLANs on a Router/L3 Switch):

# Define firewall filter to restrict traffic between VLANs/subnets
set firewall family inet filter WEB_TO_DB_FILTER term 10 from source-address 10.0.0.0/24 # Web subnet
set firewall family inet filter WEB_TO_DB_FILTER term 10 from destination-address 10.0.1.0/24 # DB subnet
set firewall family inet filter WEB_TO_DB_FILTER term 10 from protocol tcp
set firewall family inet filter WEB_TO_DB_FILTER term 10 from destination-port 3306 # Allow only MySQL
set firewall family inet filter WEB_TO_DB_FILTER term 10 then accept
set firewall family inet filter WEB_TO_DB_FILTER term 20 then reject # Deny all other traffic between these subnets

# Apply filter to the IRB interface (VLAN 10 is web, VLAN 11 is DB)
set interfaces irb unit 10 family inet filter input WEB_TO_DB_FILTER

11.6 Verification & Troubleshooting

Effective verification and systematic troubleshooting are vital for ensuring micro-segmentation works as intended and to resolve connectivity issues promptly.

11.6.1 Verification Commands

A. VLAN/PVLAN Verification

Cisco IOS-XE/NX-OS:

show vlan brief                    ! Verify VLAN existence and port assignments
show vlan private-vlan             ! Verify PVLAN primary/secondary, ports
show interface status              ! Quick check of interface states and VLANs
show interface <interface-id> switchport ! Detailed switchport configuration
show mac address-table interface <interface-id> ! MAC address learned on port
ping <ip-address>                  ! Basic connectivity test
traceroute <ip-address>            ! Path analysis

Arista EOS:

show vlan                          ! Verify VLAN existence and port assignments
show private-vlan                  ! Verify PVLAN primary/secondary, ports
show interfaces status             ! Quick check of interface states and VLANs
show interfaces <interface-id> switchport ! Detailed switchport config
show mac address-table interface <interface-id> ! MAC address learned on port
ping <ip-address>                  ! Basic connectivity test
traceroute <ip-address>            ! Path analysis

Juniper Junos OS:

show vlans                         ! Verify VLAN existence and interfaces
show interfaces <interface-id>     ! Detailed interface configuration
show ethernet-switching table      ! MAC address table (for bridge domains)
ping <ip-address>                  ! Basic connectivity test
traceroute <ip-address>            ! Path analysis

B. VXLAN Verification (with BGP EVPN)

Cisco NX-OS:

show nve interface nve1 detail     ! VXLAN interface status, source, VNIs
show nve peers                     ! VTEP peer discovery and state
show vlan vn-segment               ! VLAN to VNI mapping
show bgp l2vpn evpn summary        ! BGP EVPN peering status
show bgp l2vpn evpn route type 2   ! MAC/IP routes learned via EVPN (Type 2)
show bgp l2vpn evpn route type 3   ! VNI Multicast routes learned via EVPN (Type 3)
show ip route vrf <vrf-name>       ! L3 routing within a VRF associated with VXLAN
show system internal nve <VNI> host-info ! Detailed host info per VNI

Arista EOS:

show vxlan                         ! VXLAN interface status, source, VNI mappings
show vxlan address-table           ! MAC address table for VXLAN (learned hosts)
show evpn peers                    ! EVPN peering status
show bgp evpn summary              ! BGP EVPN peering status
show bgp evpn route                ! EVPN routes (MAC/IP/VNI)
show interface vxlan 1             ! VXLAN interface details

Juniper Junos OS:

show evpn database                 ! MAC/IP/VNI bindings learned via EVPN
show evpn instance                 ! EVPN instance details
show interfaces vtep               ! VXLAN tunnel interface status
show bgp summary                   ! BGP EVPN peering status
show bgp evpn route                ! EVPN routes
show route table <instance-name>.evpn.0 ! EVPN routing instance routes

11.6.2 Common Issues and Resolution Steps

11.7 Performance Optimization

Optimizing performance in a micro-segmented network, especially with VXLAN, is crucial for maintaining high throughput and low latency.

1. Jumbo Frames:
   • Recommendation: Configure jumbo frames (MTU 9216 bytes) across the entire VXLAN underlay path, including all physical interfaces, virtual interfaces, and any intermediate routers.
   • Reason: VXLAN encapsulation adds about 50 bytes (IPv4) or 70 bytes (IPv6) of overhead. If the underlay MTU is not increased, it can lead to fragmentation, which significantly degrades performance.
2. ECMP (Equal-Cost Multi-Path) in Underlay:
   • Recommendation: Design the underlay network to leverage ECMP for load balancing traffic across multiple paths.
   • Reason: VXLAN packets are standard UDP/IP packets, allowing them to benefit from the load-balancing capabilities of the underlying routed network. This improves bandwidth utilization and provides path redundancy.
3. Hardware-based VTEPs:
   • Recommendation: Utilize network devices with hardware-accelerated VXLAN encapsulation/de-encapsulation.
   • Reason: Software-based VTEPs (e.g., in hypervisors or servers) can introduce CPU overhead and latency. Dedicated hardware VTEPs offload this processing for optimal performance.
4. Optimized BGP EVPN:
   • Recommendation: Use Route Reflectors in larger EVPN deployments to reduce the number of BGP peerings and improve control plane scalability.
   • Reason: A full mesh of BGP peers can become resource-intensive as the number of VTEPs grows.
5. VLAN Pruning:
   • Recommendation: For VLAN-based segments, implement VLAN pruning on trunks to prevent unnecessary broadcast, unknown unicast, and multicast (BUM) traffic from being forwarded to switches that do not have active ports for those VLANs.
   • Reason: Reduces bandwidth consumption and switch processing overhead.
6. QoS (Quality of Service):
   • Recommendation: Implement QoS policies on the underlay network to prioritize critical VXLAN control plane traffic (BGP EVPN) and sensitive application traffic within VXLAN tunnels.
   • Reason: Ensures consistent performance for critical applications, even during network congestion.
7. Traffic Engineering:
   • Recommendation: Use techniques like Segment Routing or MPLS Traffic Engineering in the underlay to optimize path selection and guarantee bandwidth for specific VXLAN tunnels.
   • Reason: Provides granular control over traffic flow, bypassing congested paths and ensuring predictable performance.
8. Monitoring:
   • Recommendation: Implement robust monitoring for VTEP health, underlay link utilization, BGP EVPN route churn, and per-VNI traffic statistics.
   • Reason: Proactive identification of performance bottlenecks and operational issues.

11.8 Hands-On Lab: Implementing PVLAN Micro-segmentation

This lab focuses on configuring Private VLANs on a single Cisco switch to demonstrate Layer 2 micro-segmentation within an IP subnet.

nwdiag {
  network "Internet/Perimeter" {
    router [address = "192.168.1.254"];
  }

  network "Primary VLAN 10 (10.0.0.0/24)" {
    description = "PVLAN Lab Switch - L3 Interface"
    switch_l3 [address = "10.0.0.1", shape = router]; // Represents SVI on the switch
  }

  network "Isolated VLAN 101" {
    description = "Server Tier (No Peer-to-Peer)"
    server_web [address = "10.0.0.10"];
    server_db [address = "10.0.0.11"];
  }

  network "Community VLAN 102" {
    description = "Client Tier (Can Peer)"
    client_hr [address = "10.0.0.20"];
    client_dev [address = "10.0.0.21"];
  }

  // Logical connections
  router -- switch_l3 [label = "Uplink (Promiscuous)"]; // Promiscuous to router or external
  switch_l3 -- server_web;
  switch_l3 -- server_db;
  switch_l3 -- client_hr;
  switch_l3 -- client_dev;

  // Internal PVLAN rules imply no direct arrows between isolated/community peers
  // unless explicitly allowed by community rules, which is handled by switch config.
}

Lab Objectives:

• Create a Primary VLAN and two Secondary VLANs (Isolated and Community).
• Configure the Layer 3 SVI for the Primary VLAN.
• Assign switch ports to different PVLAN types (promiscuous, isolated, community).
• Verify Layer 2 isolation and Layer 3 connectivity.

Equipment:

• One Cisco Catalyst switch (e.g., 3750, 3850, 9300, or a virtual equivalent in EVE-NG/GNS3).
• Four client devices (PCs, VMs, or loopback interfaces on the switch acting as hosts).

Step-by-Step Configuration (Cisco IOS-XE):

1. Clear existing configurations (optional but recommended for labs):

   erase startup-config
   delete flash:vlan.dat
   reload
   

2. Basic Setup:

   hostname PVLAN_LAB_SW
   enable secret cisco
   line con 0
    logging synchronous
    no exec-timeout
   line vty 0 15
    login local
    transport input ssh
   username admin privilege 15 secret cisco
   ip routing
   

3. Configure Primary and Secondary VLANs:

   vlan 10
    name PRIMARY_VLAN_APEX
    private-vlan primary
    private-vlan association 101,102
   !
   vlan 101
    name ISOLATED_SERVERS
    private-vlan isolated
   !
   vlan 102
    name COMMUNITY_CLIENTS
    private-vlan community
   !
   

4. Configure Layer 3 SVI for Primary VLAN: This interface serves as the gateway for all hosts in Primary VLAN 10.

   interface Vlan10
    description PVLAN_L3_Gateway
    ip address 10.0.0.1 255.255.255.0
    private-vlan mapping 101,102
    no shutdown
   !
   

5. Configure Promiscuous Port: This port typically connects to a router or firewall for external access. For this lab, we’ll imagine it connects to “Internet/Perimeter”.

   interface GigabitEthernet1/0/1
    description Uplink_Promiscuous_Port_to_Router
    switchport mode private-vlan promiscuous
    switchport private-vlan mapping 10 primary 101,102
    no shutdown
   !
   

6. Configure Isolated Ports (for Server_Web and Server_DB): These ports will host devices that cannot communicate with each other directly but can reach the promiscuous port (10.0.0.1).

   interface GigabitEthernet1/0/2
    description Server_Web_Isolated_Port
    switchport mode private-vlan host
    switchport private-vlan host-association 10 101
    no shutdown
   !
   interface GigabitEthernet1/0/3
    description Server_DB_Isolated_Port
    switchport mode private-vlan host
    switchport private-vlan host-association 10 101
    no shutdown
   !
   

7. Configure Community Ports (for Client_HR and Client_DEV): These ports will host devices that can communicate with each other and the promiscuous port.

   interface GigabitEthernet1/0/4
    description Client_HR_Community_Port
    switchport mode private-vlan host
    switchport private-vlan host-association 10 102
    no shutdown
   !
   interface GigabitEthernet1/0/5
    description Client_DEV_Community_Port
    switchport mode private-vlan host
    switchport private-vlan host-association 10 102
    no shutdown
   !
   

Verification Steps:

1. Verify PVLAN configuration:

   show vlan private-vlan
   show vlan private-vlan type
   show interface status
   

   Expected output should show VLAN 10 as primary, 101 as isolated, 102 as community, and ports assigned correctly.

2. Configure client devices (e.g., PCs or loopbacks) with IPs:

   • Server_Web (on Gi1/0/2): IP 10.0.0.10, Gateway 10.0.0.1
   • Server_DB (on Gi1/0/3): IP 10.0.0.11, Gateway 10.0.0.1
   • Client_HR (on Gi1/0/4): IP 10.0.0.20, Gateway 10.0.0.1
   • Client_DEV (on Gi1/0/5): IP 10.0.0.21, Gateway 10.0.0.1

3. Perform Connectivity Tests from Client Devices:

   • From Server_Web (10.0.0.10):
     • ping 10.0.0.1 (Should succeed - Promiscuous port reachable)
     • ping 10.0.0.11 (Should FAIL - Isolated ports cannot reach each other)
     • ping 10.0.0.20 (Should FAIL - Isolated ports cannot reach community ports)
   • From Client_HR (10.0.0.20):
     • ping 10.0.0.1 (Should succeed - Promiscuous port reachable)
     • ping 10.0.0.10 (Should FAIL - Community ports cannot reach isolated ports)
     • ping 10.0.0.21 (Should SUCCEED - Community ports within the same VLAN can reach each other)

Challenge Exercises:

1. Add another Isolated VLAN (VLAN 103) and assign a client to it. Verify its isolation properties.
2. Attempt to connect a device to a port configured as a PVLAN host port without an associated PVLAN. What happens?
3. Simulate a PVLAN configuration on an Arista switch if available, using the provided examples.

11.9 Best Practices Checklist

When implementing Zero Trust and micro-segmentation with VLANs/VXLAN, adhere to these best practices:

• Network Design:
  • Design the network for “assume breach” with granular segmentation as the default.
  • Plan VLAN/VNI allocations systematically (e.g., dedicated ranges for different security zones or applications).
  • For VXLAN, ensure the underlay is robust, fully routed (no STP), and supports jumbo frames.
  • Leverage BGP EVPN for VXLAN control plane for scalability and efficiency.
  • Use Anycast Gateways with VXLAN for resilient Layer 3 forwarding.
• Security Hardening:
  • Disable DTP on all switch ports.
  • Change native VLANs on trunks to an unused, non-routed VLAN (not VLAN 1).
  • Implement port security on all access ports to limit MAC addresses and prevent unauthorized devices.
  • Enable DHCP snooping, ARP inspection, and IP Source Guard.
  • Apply granular ACLs or firewall policies between all micro-segments, enforcing least privilege.
  • Secure BGP EVPN with MD5 authentication and strict neighbor definitions.
  • Consider MACsec or IPSec for underlay link encryption if high security is required.
  • Implement NAC (Network Access Control) for device and user authentication before granting network access.
  • Isolate management interfaces and use out-of-band management.
• Configuration & Automation:
  • Use infrastructure as code (Terraform) for underlay provisioning.
  • Automate VLAN/VXLAN configuration and policy deployment using Ansible, Python, or SDN controllers.
  • Employ configuration version control (Git) for all network device configurations and automation scripts.
  • Standardize configuration templates for consistency across devices and segments.
• Monitoring & Visibility:
  • Deploy centralized logging (Syslog, SIEM) for all network events, especially security-related ones.
  • Implement NetFlow/IPFIX for pervasive traffic visibility between segments.
  • Monitor VTEP health, VNI state, and BGP EVPN peering.
  • Regularly review firewall/ACL hit counts and denial logs.
• Documentation & Change Management:
  • Maintain up-to-date network diagrams (logical and physical) showing all segments and policy enforcement points.
  • Document all VLANs, VNIs, associated IP subnets, and security policies.
  • Establish a strict change management process for all segmentation policy modifications.

11.10 Reference Links

• IEEE 802.1Q-2022: Standard for Local and Metropolitan Area Networks—Bridges and Bridged Networks—VLANs and Link Aggregation. Available via IEEE standards portal.
• IEEE 802.1ad: Provider Bridges (QinQ). https://en.wikipedia.org/wiki/IEEE_802.1ad
• RFC 7348: Virtual Extensible LAN (VXLAN): A Framework for Overlaying Virtualized Layer 2 Networks over Layer 3 Networks. https://www.rfc-editor.org/rfc/rfc7348.html
• RFC 7432: BGP Ethernet VPN (EVPN). https://www.rfc-editor.org/rfc/rfc7432.html
• RFC 8365: A Network Virtualization Overlay Solution using EVPN. https://www.rfc-editor.org/rfc/rfc8365.html
• Cisco VXLAN EVPN Configuration Guides: Search Cisco Documentation for your specific NX-OS/IOS-XE version.
• Arista EOS VXLAN/EVPN Guides: https://www.arista.com/en/support/design-guides/vxlan-design-guide
• Juniper Junos OS EVPN-VXLAN: https://www.juniper.net/documentation/us/en/software/junos/evpn-vxlan/index.html
• Ansible Network Automation: https://docs.ansible.com/ansible/latest/network/index.html
• Netmiko Documentation: https://github.com/ktbyers/netmiko
• PlantUML Language Reference Guide: https://plantuml.com/guide
• blockdiag suite (nwdiag, packetdiag): http://blockdiag.com/en/index.html
• Graphviz DOT Language: https://graphviz.org/doc/info/lang.html

11.11 What’s Next

This chapter has provided a deep dive into Zero Trust principles and how VLANs and VXLAN facilitate micro-segmentation. You’ve learned about the technical distinctions, configuration across multiple vendors, automation strategies, and critical security considerations. The ability to granularly segment your network is paramount for a strong security posture in today’s dynamic IT environments.

In the next chapter, we will shift our focus to Chapter 12: Advanced VLAN Features and Multi-service Integration. This will explore additional VLAN capabilities, such as Voice VLANs, Data VLANs, VLAN Trunking Protocol (VTP) or Generic VLAN Registration Protocol (GVRP) (and their alternatives), and how VLANs integrate with other network services like QoS and multicast, building upon the foundational knowledge of segmentation you’ve gained here. You’ll learn how to extend VLAN functionality for specific application requirements and optimize network performance for diverse traffic types.