Atf 3 q15-8 - introducing macro-segmentation

Technical Forum Introducing Arista Macro-Segmentation Autumn 2015

Transcript of Atf 3 q15-8 - introducing macro-segmentation

Page 1: Atf 3 q15-8 - introducing macro-segmentation

Technical Forum

Introducing Arista Macro-Segmentation

Autumn 2015

Page 2

Definitions

Micro-Segmentation

• Inserting services in the path of inter-VM traffic (e.g. intra-tenant)

• Policies defined by VMware NSX for each workload

• Enforced in the Distributed vSwitch based on application, tag, etc.

Macro-Segmentation™

• Inserting services between workgroups (inter-tenant) in the physical network by defining inter-workgroup policies

Arista Macro-Segmentation Security (MSS™)

• An extension in EOS that utilizes CloudVision to automate security service insertion in the network

• Integration with leading next-generation firewalls

Page 3

Micro-Segmentation

§ Enabled by partners – e.g. VMware NSX

§ Provides fine-grained security policies at virtual switch level

§ Works great!

• Provided all hosts and devices are virtualized, and there’s a single vSwitch variant

§ Some security vendors (e.g. Palo Alto) are onboard

• Virtual security appliance embedded with virtual switch, with centralized policy and reporting

§ Unfortunately, many challenges around physical devices

• e.g. non-virtualized, different hypervisor/vSwitch, appliance devices, storage

• Existing estate

[Diagram: Internet; Security Policy; Security Admin; Traffic Steering]

Page 4

Current Approaches for DC Security

§ Focus is on Perimeter Security e.g. north-south flows only

§ Scaling challenges – e.g. firewall active/standby HA pairs

§ Security policy dependent on network topology – and vice versa

• Network & security administration are co-dependent

§ Limited or no security of east-west flows, especially for physical devices

§ Little or no coordination between vSwitch security and physical firewalling

[Diagram: Active and Active/Standby firewall deployments; vSwitch, vSwitch]

Current approaches ill-suited to the needs of the Software Driven Cloud Data Center

Page 5

Arista Macro-Segmentation

§ Enabled by Arista CloudVision

• Understands physical topology and location of every device

• Full visibility of any adds, moves and changes

• 2-way exchange of information with overlay controllers – knows all virtual device locations

§ Provides network service physical device integration, e.g. Palo Alto Networks firewalls

• Service device can be anywhere in the network

• Devices to be serviced can be anywhere

• Non-proprietary, standards-based, existing frame/packet formats

[Diagram: Cloud Orchestrators; Overlay Controllers; Network Services]

Page 6

Arista Macro-Segmentation

§ No new tagging or encapsulation

§ One point of control – e.g. the security policy manager

• For both physical and virtual firewalls

§ Directly maps to security model – zones etc.

§ No server reconfiguration

§ No per-application overhead

[Diagram: Virtual and Physical Firewalls; Physical Servers & Storage – Transparent Insertion of Firewall/Service]

Page 7

Macro-Segmentation with Palo Alto Networks

Security Admin owns the security policies.

No Network Admin involvement required.

Network Admin owns the network configuration.

PAN service is enabled within CloudVision, which:

• Learns security policies and associated end devices

• Logically instantiates them in the network

Page 8

Arista Macro-Segmentation

Existing Approaches vs. With Arista Macro-Segmentation

Existing: Perimeter (“North-South” traffic) only
With Arista Macro-Segmentation: Logically instantiated anywhere in the network

Existing: Scaling limitations (e.g. only HA pairs of firewalls)
With Arista Macro-Segmentation: Scale-out design – security admin can use multiple firewalls rather than larger central devices

Existing: Requires security & network admin to jointly architect solution
With Arista Macro-Segmentation: Topology independent – all devices covered

Existing: Limited “East-West” protection for physical devices
With Arista Macro-Segmentation: Security for all points of the compass covered!

Existing: Separate solutions for physical and virtual firewalling and perimeter security (no P2V and P2P east-west security)
With Arista Macro-Segmentation: Coordinated approach for V2V, P2V, P2P security

Page 9

Arista Macro-Segmentation

§ Delivers flexible services deployment in the network

§ No forklift upgrades

§ No proprietary lock-ins

§ Server virtualization and vSwitch agnostic

§ Uses Arista CloudVision to coordinate policy across the entire network

[Diagram: Cloud Orchestrators; Overlay Controllers; Network Services]

Page 10

Summary

Page 11

Thank you for joining us

§ Join us for ATF #9 in the spring

§ Please invite your colleagues to this year’s remaining events

• 3/11 – Paris

• 10/11 – Zurich

• 12/11 – Johannesburg

• 17/11 – Cape Town

• 19/11 – Milan

• 26/11 – Utrecht

• TBA – Warsaw, Moscow, Dublin and Madrid

Page 12

Thank you – See you in the spring!

Page 13

Thank you for joining us

§ Feedback forms

§ Join us for drinks afterwards at …

Page 14

One last thing…..

Page 15

Reminder - SSU Leaf – Hitless Upgrade

SSU Hitless Upgrade

§ Designed to provide simple, low-risk upgrade options for fixed-configuration systems and single-connected servers

§ Key feature for critical applications where maintenance windows are impossible to schedule

§ During reload, the Data Plane remains fully operational and acts as a proxy for the Control Plane

§ Traffic loss during an SSU Hitless Upgrade is unnoticeable to applications

[Chart: Application Loss Report – Existing Approaches: 5+ minutes; SSU Hitless Upgrade: 200ms]

Page 16

Competition - Guess the outage

§ Arista 7050X running 4.15.2F

• 8 reloads in 20 minutes

• 64-byte packets

§ TX count – 1,989,541,312

§ RX count – 1,989,350,703

§ Average 0.00958% packet loss

Average 16ms outage!

Page 17

Our winners …

§ I Won

§ A Nother

§ Lar Stwun

Page 18

Thank you – See you in the spring!