Posted on August 9, 2019 6:30 am
 |  Asked by MinSeok Sung
Print Friendly, PDF & Email

Dear Arista.

I want to use two uplinks in metaprotect.

is this possible?

I want to test it by separating zones like VLANs on switches.

If possible please ask a sample guide.

Please also provide latency information after zone separation.


Posted by Ciaran
Answered on August 12, 2019 12:31 pm

It is possible to MetaProtect in this way to apply ACL’s on two separate uplinks. Up to 32 firewall instances may be configured at 10G, and each instance can have ACL’s applied.

ACL’s are a numbered list of rules (up to 510) that are applied to firewall instances. In the case of
MetaProtect Firewall, the rules are based on Source and Destination IP, IPv4 Protocol and Source OR Destination
Port. Rules are searched for each packet and the action associated with the first rule match is applied. If no rule matches, there is an implied opposite rule. That is, if the ACL has a defined permit on rule match, deny
will be implied when there is no matching rule.

The MetaProtect user guide is available here:

Posted by Manas Moothedath
Answered on August 13, 2019 1:42 am

Hi Minseok,

Let me try to add some more context to your question.

To take a quick moment to explain the Arista MetaProtect device and in extension the app running on the device – MetaProtect,

There are 48 SFP+ ports that go up to 10G on the device and they are completely non-blocking in nature.

Coming to the latency added to the flow, this is dependant directly on
The number of rules in the ACL
The location of the data being filtered within the ‘Ethernet Frame’

In other words, the best case scenario for latency would be a line permitting everything and worst case would be a fully populated ACL = 510 lines. 

The latency numbers are published in the Manual that was referenced by Ciaran above but to summarize quickly for you,

Best Case – 
Minimum: 106ns Maximum: 119ns

Worst Case – Minimum: 181ns Maximum: 194ns

Note: The above numbers are based on running the version 0.2.1. For the latest information, always refer to the MetaProtect userguide.

Anything that you configure would likely lie between those numbers. 

The topology that you have provided looks like you want to set up MetaProtect in-line between those four devices.

Let us break this down a bit more – to get you started with this flow.

I’ve edited your attached image to give it some interface names.

Let us say that your et1 and et2 connect to your devices in Area1 as you have called it and et3,4 connect to the ones in Area2

We essentially tie/patch the ports together using the commands,

connect interfaces et1 et 2
connect interfaces et3 et 4

After you make the above configuration, your ports et1-4 should look like,

show run interface et1-4
interface et1
source et2
interface et2
source et1
interface et3
source et4
interface et4
source et3

The above would make traffic coming into each port go out the other – this generates the topology that you had sent. Now to create the filters.

As you might be aware, the Meta-applications have internal application ports that you have map to the physical ports as well.

You need to create access-lists that you would use to filter the traffic. Then map these access-lists to the application firewalls generated by the application.

There are detailed exampled on the manual about how to configure ACLs and apply them to the correct application(ap) interfaces.
I would encourage you to review the manual to understand this better. 

I hope that helps get you started. 

If you run into issues while configuring your MetaProtect – feel free to reach out to Arista support at and someone can assist you further.

Post your Answer

You must be logged in to post an answer.