I am mainly interested in knowing two things:
How is security enforced between devices that are part of the same VNI?
How is security enforced between devices that are part of different VNIs?
Greetings. With the vrf-import statement you can limit the VNIs you want to allow on a certain device or system; you can also use firewall filters to block and allow inter-VNI and intra-VNI traffic.
If this solves your problem, please mark this post as "Accepted Solution" so we can help others too \:)/
Lil Dexx, JNCIE-ENT #863, 3x JNCIP [SP-ENT-DC], 4x JNCIA [Cloud-DevOps-Junos-Design], Champions Ingenius, SSYB
No worries, glad to see you over here again. If you would like to use a firewall filter, it is the same procedure as using firewall filters with IRB interfaces associated with a VLAN: you create the stateless firewall filter and apply it to the IRB, and that IRB is then associated with the VNI. These are the matching conditions for an EVPN/VXLAN set-up.
If you want to use a stateful firewall, this is also possible. This type of design is called "Bridged Overlay": in this case the L3 gateways are configured on the firewall and the leaves act only as L2 gateways. With this approach you can reinforce security for all VLANs/VNIs, even within the same VRF.
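To show the two mechanisms the replies above refer to (limiting which VNIs a VRF imports with vrf-import, and applying a stateless firewall filter to an IRB that is bound to a VNI), here is an added worked configuration. It is not from the original posts or from any Juniper documentation; every name and address in it is assumed: a QFX-style EVPN-VXLAN leaf, a tenant VRF TENANT-A with route target target:65000:100, VLANs v100/v200 mapped to VNIs 10100/10200, IRBs irb.100/irb.200 as the anycast gateways, and hosts in 10.0.100.0/24 and 10.0.200.0/24.

```junos
## Added example config (assumed names/addresses), not the poster's own config.

## 1. Limit which VNIs/prefixes this leaf imports into the tenant VRF.
##    Only routes tagged with TENANT-A's route target are accepted; everything
##    else is rejected by the final 'then reject', so another tenant's VNIs
##    never appear in this VRF even if they are advertised to this leaf.
set policy-options community TENANT-A-RT members target:65000:100
set policy-options policy-statement TENANT-A-IMPORT term accept-tenant-a from community TENANT-A-RT
set policy-options policy-statement TENANT-A-IMPORT term accept-tenant-a then accept
set policy-options policy-statement TENANT-A-IMPORT then reject

set routing-instances TENANT-A instance-type vrf
set routing-instances TENANT-A interface irb.100
set routing-instances TENANT-A interface irb.200
set routing-instances TENANT-A route-distinguisher 10.1.1.1:100
set routing-instances TENANT-A vrf-import TENANT-A-IMPORT
set routing-instances TENANT-A vrf-target target:65000:100

## 2. VLAN <-> VNI <-> IRB bindings (same procedure as a plain VLAN with an IRB).
set vlans v100 vlan-id 100
set vlans v100 l3-interface irb.100
set vlans v100 vxlan vni 10100
set vlans v200 vlan-id 200
set vlans v200 l3-interface irb.200
set vlans v200 vxlan vni 10200

## 3. Inter-VNI policy: stateless filter on irb.100, input direction.
##    Sees packets leaving VNI 10100 that are routed through the gateway, so
##    this is where traffic towards VNI 10200 is policed.
set firewall family inet filter FROM-VNI-10100 term allow-https from source-address 10.0.100.0/24
set firewall family inet filter FROM-VNI-10100 term allow-https from destination-address 10.0.200.0/24
set firewall family inet filter FROM-VNI-10100 term allow-https from protocol tcp
set firewall family inet filter FROM-VNI-10100 term allow-https from destination-port 443
set firewall family inet filter FROM-VNI-10100 term allow-https then accept
set firewall family inet filter FROM-VNI-10100 term deny-to-10200 from destination-address 10.0.200.0/24
set firewall family inet filter FROM-VNI-10100 term deny-to-10200 then count deny-10100-to-10200
set firewall family inet filter FROM-VNI-10100 term deny-to-10200 then discard
set firewall family inet filter FROM-VNI-10100 term allow-rest then accept

set interfaces irb unit 100 family inet address 10.0.100.1/24
set interfaces irb unit 100 family inet filter input FROM-VNI-10100
set interfaces irb unit 200 family inet address 10.0.200.1/24

## 4. Intra-VNI policy: an IRB filter never sees traffic that is bridged
##    within the same VLAN/VNI, so host-to-host traffic inside VNI 10100
##    needs a Layer 2 (family ethernet-switching) filter on the VLAN itself.
##    (Assumed: ip-source-address matching in ethernet-switching filters and
##    the 'vlans <name> forwarding-options filter input' hook, as on QFX.)
set firewall family ethernet-switching filter INTRA-VNI-10100 term block-host from ip-source-address 10.0.100.50/32
set firewall family ethernet-switching filter INTRA-VNI-10100 term block-host from ip-destination-address 10.0.100.0/24
set firewall family ethernet-switching filter INTRA-VNI-10100 term block-host then count intra-10100-drops
set firewall family ethernet-switching filter INTRA-VNI-10100 term block-host then discard
set firewall family ethernet-switching filter INTRA-VNI-10100 term allow then accept
set vlans v100 forwarding-options filter input INTRA-VNI-10100
```

Two things to verify after committing: `show firewall filter FROM-VNI-10100` should show the deny counter incrementing when a host in 10.0.100.0/24 tries anything other than TCP/443 towards 10.0.200.0/24, and `show route table TENANT-A.inet.0` should contain only prefixes learned with target:65000:100. The split between sections 3 and 4 is the practical answer to the two questions in the thread: between VNIs the enforcement point is the IRB (routed traffic), within a VNI it is the VLAN-level Layer 2 filter (bridged traffic), and a filter applied at one point does not cover the other.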