This document introduces Arista's Macro-Segmentation technology. It defines micro-segmentation as fine-grained security policies within a virtual switch, while macro-segmentation inserts services between workgroups in the physical network. Arista's solution utilizes CloudVision to automate security service insertion across physical and virtual networks in a coordinated way, providing security for east-west traffic without proprietary requirements. It scales out firewall deployment rather than requiring larger centralized devices.
2. Technical Forum
Definitions
Micro-Segmentation
• Inserting services in the path of inter-VM traffic (e.g. intra-tenant)
• Policies defined by VMware NSX for each workload
• Enforced in the Distributed vSwitch based on application, tag, etc.
Macro-Segmentation™
• Inserting services between workgroups (inter-tenant) in the physical network by defining inter-workgroup policies
Arista Macro-Segmentation Security (MSS™)
• An extension in EOS that utilizes CloudVision to automate security service insertion in the network
• Integration with leading next-generation firewalls
3. Technical Forum
Micro-Segmentation
§ Enabled by partners – e.g. VMware NSX
§ Provides fine-grained security policies at virtual switch level
§ Works great!
• Provided all hosts and devices are virtualized, and there’s a single vSwitch variant
§ Some security vendors (e.g. Palo Alto) are onboard
• Virtual security appliance embedded with virtual switch
with centralized policy and reporting
§ Unfortunately, many challenges around physical devices
• e.g. non-virtualized, different hypervisor/vSwitch, appliance devices, storage
• Existing estate
[Figure labels: Internet; Security Policy; Security Admin; Traffic Steering]
4. Technical Forum
Current Approaches for DC Security
§ Focus is on Perimeter Security, e.g. north-south flows only
§ Scaling challenges – e.g. firewall active/standby HA pairs
§ Security policy dependent on network topology – and vice versa
• Network & security administration are co-dependent
§ Limited or no security of east-west flows, especially for physical devices
§ Little or no coordination between vSwitch security and physical firewalling
[Figure labels: Active; Active/Standby; vSwitch; vSwitch]
Current approaches ill-suited to the needs of the Software Driven Cloud Data Center
5. Technical Forum
Arista Macro-Segmentation
§ Enabled by Arista CloudVision
• Understands physical topology and location of every device
• Full visibility of any adds, moves and changes
• 2-way exchange of information with overlay controllers – knows all virtual device locations
§ Provides integration with physical network service devices, e.g. Palo Alto firewalls
• Service device can be anywhere in the network
• Devices to be serviced can be anywhere
• Non-proprietary, standards-based, existing frame/packet formats
[Figure labels: Cloud Orchestrators; Overlay Controllers; Network Services; www.arista.com]
6. Technical Forum
Arista Macro-Segmentation
§ No new tagging or encapsulation
§ One point of control – e.g. the security policy manager
• For both physical and virtual firewalls
§ Directly maps to security model – zones etc.
§ No server reconfiguration
§ No per application overhead
[Figure labels: Virtual; Virtual; Physical Firewalls; Physical Servers & Storage]
Transparent Insertion of Firewall/Service
7. Technical Forum
Macro-Segmentation with Palo Alto Networks
Security Admin owns the security policies; no Network Admin involvement required.
Network Admin owns the network configuration.
PAN service is enabled within CloudVision, which:
• Learns security policies and associated end devices
• Logically instantiates them in the network
8. Technical Forum
Arista Macro-Segmentation
| Existing Approaches | With Arista Macro-Segmentation |
|---|---|
| Perimeter ("North-South" traffic) only | Logically instantiated anywhere in the network |
| Scaling limitations (e.g. only HA pairs of firewalls) | Scale-out design: security admin can use multiple firewalls rather than larger central devices |
| Requires security & network admin to jointly architect the solution | Topology independent: all devices covered |
| Limited "East-West" protection for physical devices | Security for all points of the compass covered! |
| Separate solutions for physical and virtual firewalling and perimeter security (no P2V and P2P east-west security) | Coordinated approach for V2V, P2V, P2P security |
9. Technical Forum
Arista Macro-Segmentation
§ Delivers flexible services deployment in the network
§ No forklift upgrades
§ No proprietary lock-ins
§ Server virtualization and vSwitch agnostic
§ Uses Arista CloudVision to coordinate policy across the entire network
11. Technical Forum
Thank you for joining us
§ Join us for ATF #9 in the spring
§ Please invite your colleagues to this year’s remaining events
3/11 – Paris
10/11 – Zurich
12/11 – Johannesburg
17/11 – Cape Town
19/11 – Milan
26/11 – Utrecht
TBA – Warsaw, Moscow, Dublin and Madrid
15. Technical Forum
Reminder - SSU Leaf – Hitless Upgrade
SSU Hitless Upgrade
§ Designed to provide simple, low-risk upgrade options for fixed-configuration systems and single-connected servers
§ Key feature for critical applications where maintenance windows are impossible to schedule
§ During reload, the data plane remains fully operational and acts as a proxy for the control plane
§ Traffic loss during an SSU Hitless Upgrade is unnoticeable to applications
[Figure: application loss report comparison – Existing Approaches: 5+ minutes; SSU Hitless Upgrade: 200 ms]
16. Technical Forum
Competition - Guess the outage
§ Arista 7050X running 4.15.2F
• 8 reloads in 20 minutes
• 64-byte packets
§ TX count - 1,989,541,312
§ RX count - 1,989,350,703
§ Average 0.00958% Packet Loss
Average 16 ms outage!