MSS-FW: Unidirectional Policy Enforcement

Description: Macro-Segmentation Service with Layer 3 firewall (MSS-FW) enforces all security policies bi-directionally by default by creating flows that match forward and reverse direction traffic based on the tagged policy. This enhancement provides unidirectional enforcement as an option for verbatim policies. For such policies, MSS enforces the security objective (drop, allow, or redirect) only for the forward direction traffic. This also results in better utilization of the hardware resources in such scenarios.

Usage: The following scenarios can benefit from this feature: Blocking certain client subnets from connecting to a server at the top of rack switch using...
Macro-Segmentation Service deployment in a Brownfield Environment

Description: This document presents how Arista Macro-Segmentation Service (MSS) can be deployed in a brownfield environment with a mix of non-Arista switches. This solution targets a VXLAN based network where both Arista and non-Arista Virtual Tunnel Endpoints (VTEPs) share the overlay reachability using the EVPN control plane. The following figure depicts such a setup: In order to enable security enforcement with MSS, the user can put the resources that they would want to protect behind Arista VTEPs and express the security objectives using firewall policies. Moreover, this feature allows the user to enable MSS in a multiple datacenter (DC) environment where a...
Consistent Policy Enforcement and Multi-VRF support for Macro-Segmentation Service

Description: This document presents Arista Macro-Segmentation Service (MSS) deployment in a network with multiple Virtual Routing and Forwarding (VRF) instances. MSS can ensure more granular segmentation within a VRF, either by attracting a subset of east-west traffic to the firewall or enforcing the security objective at the top-of-rack (TOR) switches. This document also explains the policy enforcement guarantee that MSS provides in the presence of switches with varying hardware resources.

Summary of Enhancements: This section briefly describes the enhancements made to the current set of MSS features in this release: MSS now can be enabled in a non-default VRF in...
EVPN Control Plane Support for MSS

Description: This feature enables support for Macro-Segmentation Service (MSS) to insert security devices into the traffic path for VXLAN networks using an EVPN control plane. With this feature enabled, CVX will continue to monitor the network via NetDB state and will initiate intercept and offload rules. With this feature enabled, MAC and IP reachability information will be learned and distributed in user configured L2 domains via EVPN. There are two options for pairing MSS and EVPN:

Option 1: MSS + EVPN asymmetric IRB

Option 2: MSS + EVPN symmetric IRB with VXLAN bridging to firewall (see https://eos.arista.com/eos-4-20-1f/evpn-irb-with-vxlan-underlay/ for details...
