Initial Setup and Configuration

This section is structured to provide a clear, step-by-step approach, ensuring a smooth and accurate initial setup. It covers essential procedures from the initial deployment to the integration of key components.

Getting Started

MSS brings microperimeter segmentation and enforcement to CloudVision. Use new tools like the MSS Studio, Policy Manager, Policy Monitor, and Policy Builder to create groups used to define microperimeters and configure security policy rules that govern how traffic is forwarded among groups.

This end-to-end guide will help you get the most out of CloudVision’s MSS functionality. You'll begin by onboarding EOS devices with MSS capability and the ZTX monitor node, then use the MSS Studio to define static groups and policy rules. Next, onboard data sources for dynamic group discovery and review and accept groups in the Policy Manager for use in policy building. Finally, configure a monitoring rule in the MSS Studio to enable you to generate and accept policy recommendations in the Policy Builder.

Requirements

To deploy MSS a combination of the following hardware is required:

Hardware
  • TOR Switches
    • CCS-720XP, CCS-720D, CCS-722XPM
    • DCS-7010TX
    • DCS-7050X3
    • DCS-7280R3/R3A
  • ZTX Appliances
    • ZTX-7250S-16S
    • vZTX Appliance
Note: vZTX is currently supported on KVM/ESXi VMs only.

Management and Visibility

  • CVP or CVaaS for management and visibility.
    • CVP (with MSS Manager)
Note: CVP must be a three-node cluster.
Important: Enable Network Security - MSS in CVP and CVaaS by navigating to Settings > Features as shown in the following example.
Figure 1. CVP Settings - Features Network Security MSS

Configuration

Note: For CVP and EOS supported versions, please refer to the Arista MSS Datasheet - Arista MSS Datasheet.

TOR Configuration

Perform the following configuration steps to prepare the devices for MSS using the CLI. Several configuration steps are required on all supported platforms, while others are unique to specific SKUs.

Refer to the specific Strata and Sand sections for SKU-specific configuration information.

Note: These common and unique configurations on Sand and Strata devices can be added manually via CLI and reconciled to CVP or added as a configlet in CVP and pushed to the devices.
Common Configurations for Sand and Strata

For the devices to be able to stream to CVP and receive information from CVP, enable gRPC Network Management Interface (gNMI) on the devices:

ld459.12:57:58(config)# management api gnmi
ld459.12:58:13(config-mgmt-api-gnmi)# transport grpc default
ld459.12:58:20(config-gnmi-transport-default)# no shutdown

If the management is in a user-defined vrf, for example vrf mgmt tenable gNMI in that user-defined vrf.

ld459.12:59:16(config)# management api gnmi
ld459.12:59:18(config-mgmt-api-gnmi)# transport grpc default
ld459.12:59:25(config-gnmi-transport-default)# vrf mgmt
ld459.12:59:40(config-gnmi-transport-default)# no shutdown

For devices to receive dynamic group information from CVP, enter the following parameters at the end ofthe TerminAttr configuration:

ld459.13:00:28(config)# daemon TerminAttr
ld459.13:00:29(config-daemon-TerminAttr)# exec /usr/bin/TerminAttr -smashexcludes=ale,flexCounter,hardware,
kni,pulse,strata -cvaddr=10.248.18.240:9910,10.248.18.241:9910,10.248.18.242:9910 -cvauth=token,/tmp/token
-cvvrf=default -taillogs -cvtargetconfigs arista/traffic-policy
! New daemon configuration will only take effect after restarting the daemon by doing 'shutdown/no shutdown'.
ld459.13:00:39(config-daemon-TerminAttr)# no shutdown

 

Traffic Policy Configuration

As part of enforcing MSS policies, CloudVision configures the traffic policy rules for individual EOS devices.

If required, refer to the Arista EOS System Configuration Guide for more information on traffic policies.

Strata Configuration

Perform the following configuration steps to prepare the devices for MSS using the CLI. Several unique configuration steps are required on the Strata platform. These apply to:

  • DCS-7050X3
  • CCS-720DP (excluding 720DP-24S)
  • CCD-720DT (excluding 720DT-24S)
  • CCS-720DF
  • CCS-720XP (excluding 720XP-96ZC2, 720XP-48TXH-2C-S)
  • CCS-722XPM (excluding 722XPM-48ZY8)
  • DCS-7010TX

Refer to the specific Strata and Sand sections for detailed information.

Note: These common and unique configurations on Sand and Strata devices can be added manually via CLI and reconciled to CVP or added as a configlet in CVP and pushed to the devices.

On Strata devices (7050S, 720S, and 722S platforms) add the following configuration to enable MSS:

ld459.13:02:20(config)# traffic-policies
ld459.13:04:57(config-traffic-policies)# transforms interface prefix common source-destination
Attention: After adding transforms via the CLI you must reboot the device.
Important: Enable IP routing on Strata devices when using MSS.
Sand Configuration

Perform the following configuration steps to prepare the devices for MSS using the CLI. Several unique configuration steps are required on the Sand platform. These apply to:

  • DCS-7280R3/R3A (except 7280SR3-40YC6, 7280SR3E-40YC6 and 7280TR3-40C6)

Refer to the specific Strata and Sand sections for detailed information.

Note: These common and unique configurations on Sand and Strata devices can be manually added via CLI, reconciled to CVP, or added as a configlet in CVP and pushed to the devices.

On Sand devices (7280R3 platforms), use the MSS Base Profile. The base profile supports:

  • L4-Port Transforms: Allows the configuration of L4-port-based match rules.
  • Self-IP Support: Allows the configuration of a self-IP-based rule if the policy contains deny any any at the end to save Control Plane packets from hitting this deny any any rule.
  • Mirror Action: Allows the creation ofMonitor sessions to achieve ZTX monitoring node functionality.
Configuring the TCAM profile

TCAM profiles should follow a specific flow and order, addressing required features, key fields, and important actions, as follows:

Required Features

  1. feature traffic-policy port ipv4
  2. feature traffic-policy port ipv6
  3. feature traffic-policy vlan-interface ipv4
  4. feature traffic-policy vlan-interface ipv6

Important Key Fields

  1. dst-port
  2. dst-ip-label
  3. src-ip-label
  4. ip-protocol
  5. l4-dst-port-label
  6. l4-src-port-label
  7. vxlan-decapsulated

Important Actions

  1. count
  2. drop
  3. mirror
  4. redirect
Important: Based on the specific requirements, removing some actions and adding others may be necessary. For example, to have the action log (not MSS use case), remove the redirect/mirror action and add the log action.

The feature traffic-policy port ipv4 and feature traffic-policy port ipv6 commands define the IPv4 and IPv6 traffic-policy lookups, respectively. In the later example, the key fields include dst-ip-label, src-ip-label, dst-ipv6-label, and src-ipv6-label. This means the hardware is programmed to first do a lookup on the dst-ip, src-ip, etc., to generate a label that is then used in the rules TCAM lookup.

The example shown in TCAM Profile Supported Systems includes l4-src-port and l4-dst-port in the key field, which means the l4 source and destination port are directly used in the rules TCAM lookup.

Alternatively, as shown in the following snippet, if the key field contains l4-src-port-label and l4-dst-port-label instead of l4-src-port and l4-dst-port, this would mean there is a hardware lookup to transform the l4 source and destination ports into labels that are then used in the rules TCAM lookup.

Since the l4 source and destination port lookups consume a TCAM bank each, changing a profile will result in using two extra banks for the port transform tables. However, depending on the actual traffic policy, this might result in lower TCAM utilization for the rules TCAM lookup. The system must analyze the actual utilization of the TCAM banks for a given TCAM profile and its traffic-policy configuration before choosing the TCAM profile configuration.

TCAM profiles are supported on 7280R3 and 7500R3. If you are using another platform, skip this section.

lyv571.13:02:41(config)# hardware tcam
lyv571.13:02:48(config-tcam)# profile mss-traffic-policy-l4-xform
lyv571.13:02:51(config-tcam-profile-mss-traffic-policy-l4-xform)#

Configure the TCAM profile as required. ForMSS, configure the TCAM features using the MSS Base Profile.

MSS Base Profile

TCAM Profile on 7280R3 platforms.

hardware tcam
 profile mss-traffic-policy-l4-xform
feature acl port mac
 key field dst-mac ether-type src-mac
 action count drop mirror
 packet ipv4 forwarding bridged
 packet ipv4 forwarding routed
 packet ipv4 forwarding routed multicast
 packet ipv4 mpls ipv4 forwarding mpls decap
 packet ipv4 mpls ipv6 forwarding mpls decap
 packet ipv4 non-vxlan forwarding routed decap
 packet ipv4 vxlan forwarding bridged decap
 packet ipv6 forwarding bridged
 packet ipv6 forwarding routed
 packet ipv6 forwarding routed decap
 packet ipv6 forwarding routed multicast
 packet ipv6 ipv6 forwarding routed decap
 packet mpls forwarding bridged decap
 packet mpls ipv4 forwarding mpls
 packet mpls ipv6 forwarding mpls
 packet mpls non-ip forwarding mpls
 packet non-ip forwarding bridged
 sequence 55
 key size limit 160
feature forwarding-destination mpls
 sequence 100
feature mirror ip
key field dscp dst-ip ip-frag ip-protocol l4-dst-port l4-ops l4-src-port src-ip tcp-control
 action count mirror set-policer
 packet ipv4 forwarding bridged
 packet ipv4 forwarding routed
 packet ipv4 forwarding routed multicast
 packet ipv4 non-vxlan forwarding routed decap
 sequence 80
 key size limit 160
feature mpls
 action drop redirect set-ecn
 packet ipv4 mpls ipv4 forwarding mpls decap
 packet ipv4 mpls ipv6 forwarding mpls decap
 packet mpls ipv4 forwarding mpls
 packet mpls ipv6 forwarding mpls
 packet mpls non-ip forwarding mpls
 sequence 5
 key size limit 160
feature mpls pop ingress
 sequence 90
feature qos ip
key field dscp dst-ip ip-frag ip-protocol l4-dst-port l4-ops l4-src-port src-ip tcp-control
 action set-dscp set-policer set-tc
 packet ipv4 forwarding routed
 packet ipv4 forwarding routed multicast
 packet ipv4 mpls ipv4 forwarding mpls decap
 packet ipv4 mpls ipv6 forwarding mpls decap
 packet ipv4 non-vxlan forwarding routed decap
 sequence 75
 key size limit 160
feature qos ipv6
 key field dst-ipv6 ipv6-next-header ipv6-traffic-class l4-dst-port l4-src-port src-ipv6-high src-ipv6-low
 action set-dscp set-policer set-tc
 packet ipv6 forwarding routed
 sequence 70
feature traffic-policy port ipv4
 key field dst-port dscp dst-ip-label ip-frag ip-fragment-offset ip-length ip-protocol l4-dst-port-label l4-src-port-label src-ip-label tcp-control ttl vxlan-decapsulated
 action count drop mirror redirect
 packet ipv4 forwarding bridged
 packet ipv4 forwarding routed
 packet ipv4 mpls ipv4 forwarding mpls decap
 packet ipv4 non-vxlan forwarding routed decap
 packet mpls ipv4 forwarding bridged
 packet mpls ipv4 forwarding mpls
 sequence 45
 key size limit 160
feature traffic-policy port ipv4 egress
 key field dscp dst-ip-label ip-frag ip-protocol l4-dst-port l4-src-port src-ip-label tcp-control
 action count drop log
 packet ipv4 forwarding routed
 packet mpls ipv4 forwarding mpls
 key size limit 160
feature traffic-policy port ipv6
 key field dst-port dst-ipv6-label hop-limit ipv6-length ipv6-next-header ipv6-traffic-class l4-dst-port-label l4-src-port-label src-ipv6-label tcp-control
 action count drop mirror redirect
 packet ipv4 mpls ipv6 forwarding mpls decap
 packet ipv6 forwarding bridged
 packet ipv6 forwarding routed
 packet ipv6 forwarding routed decap
 packet mpls ipv6 forwarding bridged
 packet mpls ipv6 forwarding mpls
 sequence 25
feature traffic-policy port ipv6 egress
 key field dscp dst-ipv6-label ipv6-next-header l4-dst-port l4-src-port src-ipv6-label tcp-control
 action count drop log
 packet ipv6 forwarding routed
 packet mpls ipv6 forwarding mpls
feature traffic-policy vlan-interface ipv4
 key field dst-port dscp dst-ip-label ip-frag ip-fragment-offset ip-length ip-protocol l4-dst-port-label l4-src-port-label src-ip-label tcp-control ttl vxlan-decapsulated
 action count drop mirror redirect
 packet ipv4 forwarding routed
 packet ipv4 forwarding bridged
 key size limit 160
feature traffic-policy vlan-interface ipv6
 key field dst-port dst-ipv6-label hop-limit ipv6-length ipv6-next-header ipv6-traffic-class l4-dst-port-label l4-src-port-label src-ipv6-label tcp-control
 action count drop mirror redirect
 packet ipv6 forwarding routed
 packet ipv6 forwarding bridged
 key size limit 160
feature tunnel vxlan
 packet ipv4 vxlan eth ipv4 forwarding routed decap
 packet ipv4 vxlan forwarding bridged decap
 sequence 50
 key size limit 160
Note: The TCAM Base Profile supports mirror and redirect actions.
Important: A known issue in some PDF viewers can cause a character anomaly when copying code. Specifically, a dash (-) at the end of a line of code may be interpreted as a line-continuation hyphen, and the character may be dropped when pasted into a text editor or IDE. To avoid syntax errors, please verify the integrity of the pasted code or, preferably, type the code examples manually.
TCAM Profile Supported Systems

TCAM Profile on 7500R3 and 7800R3 systems.

The following is an example of a custom profile with interface traffic policy supported:

hardware tcam
 profile traffic-policy
feature acl port mac
 sequence 55
 key size limit 160
 key field dst-mac ether-type src-mac
 action count drop
 packet ipv4 forwarding bridged
 packet ipv4 forwarding routed
 packet ipv4 forwarding routed multicast
 packet ipv4 mpls ipv4 forwarding mpls decap
 packet ipv4 mpls ipv6 forwarding mpls decap
 packet ipv4 non-vxlan forwarding routed decap
 packet ipv4 vxlan forwarding bridged decap
 packet ipv6 forwarding bridged
 packet ipv6 forwarding routed
 packet ipv6 forwarding routed decap
 packet ipv6 forwarding routed multicast
 packet ipv6 ipv6 forwarding routed decap
 packet mpls forwarding bridged decap
 packet mpls ipv4 forwarding mpls
 packet mpls ipv6 forwarding mpls
 packet mpls non-ip forwarding mpls
 packet non-ip forwarding bridged
feature forwarding-destination mpls
 sequence 100
feature mirror ip
 sequence 80
 key size limit 160
 key field dscp dst-ip ip-frag ip-protocol l4-dst-port l4-ops l4-src-port src-ip tcp-control
action count mirror set-policer
packet ipv4 forwarding bridged
packet ipv4 forwarding routed
packet ipv4 forwarding routed multicast
packet ipv4 non-vxlan forwarding routed decap
feature mpls
sequence 5
key size limit 160
action drop redirect set-ecn
packet ipv4 mpls ipv4 forwarding mpls decap
packet ipv4 mpls ipv6 forwarding mpls decap
packet mpls ipv4 forwarding mpls
packet mpls ipv6 forwarding mpls
packet mpls non-ip forwarding mpls
feature pbr ip
sequence 60
key size limit 160
key field dscp dst-ip ip-frag ip-protocol l4-dst-port l4-ops-18b l4-src-port src-ip tcp-control
action count redirect
packet ipv4 forwarding routed
packet ipv4 mpls ipv4 forwarding mpls decap
packet ipv4 mpls ipv6 forwarding mpls decap
packet ipv4 non-vxlan forwarding routed decap
packet ipv4 vxlan forwarding bridged decap
feature pbr ipv6
sequence 30
key field dst-ipv6 ipv6-next-header l4-dst-port l4-src-port src-ipv6-high src-ipv6-low tcp-control
action count redirect
packet ipv6 forwarding routed
feature pbr mpls
sequence 65
key size limit 160
key field mpls-inner-ip-tos
action count drop redirect
packet mpls ipv4 forwarding mpls
packet mpls ipv6 forwarding mpls
packet mpls non-ip forwarding mpls
feature qos ip
sequence 75
key size limit 160
key field dscp dst-ip ip-frag ip-protocol l4-dst-port l4-ops l4-src-port src-ip tcp-control
action set-dscp set-policer set-tc
packet ipv4 forwarding routed
packet ipv4 forwarding routed multicast
packet ipv4 mpls ipv4 forwarding mpls decap
packet ipv4 mpls ipv6 forwarding mpls decap
packet ipv4 non-vxlan forwarding routed decap
feature qos ipv6
sequence 70
key field dst-ipv6 ipv6-next-header ipv6-traffic-class l4-dst-port l4-src-port src-ipv6-high src-ipv6-low
action set-dscp set-policer set-tc
packet ipv6 forwarding routed
feature traffic-policy port ipv4
sequence 45
key size limit 160
key field dscp dst-ip-label icmp-type-code ip-frag ip-fragment-offset ip-length ip-protocol l4-dst-port l4-src-port src-ip-label tcp-control ttl
action count drop log set-dscp set-tc
packet ipv4 forwarding routed
feature traffic-policy port ipv6
sequence 25
key field dst-ipv6-label hop-limit icmp-type-code ipv6-length ipv6-next-header ipv6-traffic-class l4-dst-port l4-src-port src-ipv6-label tcp-control
action count drop log set-dscp set-tc
packet ipv6 forwarding routed
feature tunnel vxlan
sequence 50
key size limit 160
packet ipv4 vxlan eth ipv4 forwarding routed decap
packet ipv4 vxlan forwarding bridged decap
Important: A known issue in some PDF viewers can cause a character anomaly when copying code. Specifically, a dash (-) at the end of a line of code may be interpreted as a line-continuation hyphen, and the character may be dropped when pasted into a text editor or IDE. To avoid syntax errors, please verify the integrity of the pasted code or, preferably, type the code examples manually.

ZTX Configuration Examples

This chapter provides several configuration examples that can be used to implement both out-of-band and in-band communication requirements for ZTX.

Out-of-band Configuration Prerequisites

As a prerequisite, the ZTX requires an IP address assigned to its management interface and an active Streaming Agent (TerminAttr) instance, in order to communicate with CloudVision. Refer to the documentation to understand the different options to onboard an Arista device in CloudVision.

This example assumes that:

  • The CloudVision cluster uses the following IP addresses: 172.28.137.75, 172.28.130.47, 172.28.133.90

  • The ZTX device is provisioned with at least one valid NTP server and with the proper clock time-zone, for example: 
    ntp server my-ntp-server.mydomain.mycompany.com
!
clock timezone US/Pacific
!
  • The ZTX device is provisioned with a management address of 172.28.137.229/20 and a default gateway in the default VRF: 
    interface Management1/1
ip address 172.28.137.229/20
!
ip route 0.0.0.0/0 172.28.128.1
Note: The existing code referenced earlier reflects the IP addresses of CloudVision and the VRF value (default) of the management interface.

In-band Configuration - MLAG Peering and Static Routing

This example is based on the following topology diagram, where the ZTX is physically adjacent to a pair of Arista switches configured as MLAG peers, and a single port channel group is established between them.
Figure 2. Example - Topology LAG Peering and Static Routing

These are in summary the configuration steps for this example:

  1. A single port channel is provisioned on both the ZTX and MLAG pair.
  2. The ZTX is configured with a unique IP address in a specific subnet that is assigned to an SVI.
  3. The VLAN used by this SVI is configured on the port channel on both the ZTX and the MLAG pair.
  4. The same IP subnet is assigned to the corresponding SVI on the MLAG pair.
  5. The ZTX is configured with a static route in order to have reachability to the switches in the Security Domain.
  6. The MLAG pair communicates with the rest of the IP network with a dynamic protocol of choice and advertises the local subnet of the SVI to provide reachability to the ZTX IP address.
  7. The ARP timeout of the ZTX is tuned to achieve peer adjacency persistence.
The following are the configuration step details:
  1. A single port channel is provisioned on both the ZTX and MLAG pair.
    On ZTX: 
    interface Port-Channel16
!
interface Ethernet1/1 - Ethernet1/16
channel-group 16 mode active
!

    On MLAG left and right switches:

    interface Port-Channel8
mlag 8
!
interface Ethernet11/1 - 4
speed forced 10000full
channel-group 8 mode active
!
interface Ethernet13/1 - 4
speed forced 10000full
channel-group 8 mode active
!
  2. The ZTX is configured with a unique IP address in a specific subnet that is assigned to an SVI. 
    vlan 1016
!
interface vlan1016
ip address 10.10.16.4/29
!
  3. The VLAN used by this SVI is configured on the port channel on both the ZTX and the MLAG pair.

    On the ZTX:

    interface Port-Channel16
switchport access vlan 1016
!

    On the MLAG switch pair:

    vlan 1016
!
interface Port-Channel8
switchport access vlan 1016
!
  4. The same IP subnet is assigned to the corresponding SVI on the MLAG pair.

    On both left and right switch:

    interface vlan1016
ip virtual address 10.10.16.1/29
!
  5. The ZTX is configured with a static route in order to have reachability to the switches in the Security Domain.

    Assuming these switches use addresses taken from a 10.10.0.0/19 aggregate subnet:

    ip routing
!
ip route 10.0.0.0/19 10.10.16.1
  6. The MLAG pair communicates with the rest of the IP network with a dynamic protocol of choice and advertises the locally connected subnet of the SVI to provide reachability to the ZTX IP address.

    For example, using OSPF:

    router ospf 10
redistribute connected
!
  7. The ARP timeout of the ZTX is tuned to achieve peer adjacency persistence This step is recommended with static routing and ensures that the layer-2 adjacency does not expire in case monitoring is inactive and peer links are idle. 
    arp aging timeout default 180

In-band Configuration - Dynamic Routing

This example is based on the following topology diagram, where the ZTX is physically adjacent to two or more Arista switches, and one channel group per switch is established between them. In case the peering switches are two, they can optionally form an MLAG pair.
Figure 3. Example - Topology of Layer-3 Peering and Dynamic Routing

These are in summary the configuration steps for this example:

  1. A single routed port channel is provisioned on the ZTX and each peering switch, and configured with a point-to-point subnet.
  2. The ZTX is configured with a unique host IP address that is assigned to a loopback interface.
  3. The ZTX is configured with a dynamic routing protocol and peering with the adjacent switches, in order to have mutual reachability between its loopback address and those assigned to the switches in the Security Domain.

The following are the configuration step details:

  1. A single routed port channel is provisioned on the ZTX and each peering switch, and configured with a point-to-point subnet. 
    interface Port-Channel8
no switchport
ip address 192.168.100.101/31
!
interface Ethernet1/1 - Ethernet1/8
channel-group 8 mode active
!
interface Port-Channel16
no switchport
ip address 192.168.100.103/31
!
interface Ethernet1/9 - Ethernet1/16
channel-group 16 mode active
!

    On left peering switch:

    interface Port-Channel8
no switchport
ip address 192.168.100.100/31
!
interface Ethernet11/1 - 4
speed forced 10000full
channel-group 8 mode active
!
interface Ethernet13/1 - 4
speed forced 10000full
channel-group 8 mode active
!

    On right peering switch:

    interface Port-Channel16
no switchport
ip address 192.168.100.102/31
!
interface Ethernet11/1 - 4
speed forced 10000full
channel-group 16 mode active
!
interface Ethernet13/1 - 4
speed forced 10000full
channel-group 16 mode active
!
  2. The ZTX is configured with a unique host IP address that is assigned to a loopback interface. 
    interface Loopback0
description router-id
ip address 10.135.2.16/32
!
  3. The ZTX is configured with a dynamic routing protocol, in this example BGP, and peering with the adjacent switches, in order to have mutual reachability between its loopback address and those assigned to the switches in the Security Domain.

    On ZTX:

    router bgp 64516
router-id 10.135.2.16
distance bgp 20 200 200
maximum-paths 2
neighbor UNDERLAY peer group
neighbor UNDERLAY maximum-routes 120
neighbor 192.168.100.100 peer group UNDERLAY
neighbor 192.168.100.100 remote-as 64504
neighbor 192.168.100.100 description SwitchLeft
neighbor 192.168.100.102 peer group UNDERLAY
neighbor 192.168.100.102 remote-as 64504
neighbor 192.168.100.102 description SwitchRight
redistribute connected
!
address-family ipv4
neighbor UNDERLAY activate
!

    On left peering switch:

    router bgp 64504
network 10.135.2.0/24
neighbor ZTX peer group
neighbor ZTX route-map LOOPBACKS out
neighbor 192.168.100.101 peer group ZTX
neighbor 192.168.100.101 remote-as 64516
neighbor 192.168.100.101 description ZTX-1
!
address-family ipv4
neighbor ZTX activate
!
route-map LOOPBACKS permit 10
match ip address prefix-list LOOPBACKS
!
ip prefix-list LOOPBACKS seq 5 permit 10.135.2.0/24
!

    On right peering switch:

    router bgp 64504
network 10.135.2.0/24
neighbor ZTX peer group
neighbor ZTX peer group
neighbor ZTX route-map LOOPBACKS out
neighbor 192.168.100.103 peer group ZTX
neighbor 192.168.100.103 remote-as 64516
neighbor 192.168.100.103 description ZTX-1
!
address-family ipv4
neighbor ZTX activate
!
route-map LOOPBACKS permit 10
match ip address prefix-list LOOPBACKS
!
ip prefix-list LOOPBACKS seq 5 permit 10.135.2.0/24
!

CloudVision Workflow

CloudVision Portal (CVP) is your turnkey solution for managing, monitoring, and maintaining your network devices. Once you've onboarded your switches in CVP review the following steps and procedures.

Note: The following workflow also applies when using CloudVision-as-a-Service (CVaaS).
Figure 4. Workflow

Use following the QR Code or the links to locate the relevant CVP sections providing detailed configuration information.

Figure 5. CVP Documentation QR Code

CVP Documentation Link - https://www.arista.io/help/articles/b3ZlcnZpZXcubXNzLmdldHRpbmdTdGFydGVk

Security Domains - Under Security Domains, select Add Security Domain and enter a title for the domain.

Onboarding a Data Source - A data source is a third-party device or management system that streams data to CloudVision. The required configuration is managed in CloudVision.

Create Policies - Static and Dynamic - Under Policies, select Add Policy and enter a policy name and then apply the policy on the security domain VRF.

Onboard Devices

Onboard 7280R3 and 7050X3/720/722-series EOS devices with MSS capability and the ZTX 7250S monitor appliance and register them for use in Studios.
  1. Onboard 7280R3 and 7050X3/720/722-series devices and the ZTX monitor appliance.
    Note: If the End-to-End Provisioning toggle is enabled in General Settings, newly-onboarded devices will automatically be available to be registered for use in Studios.
  2. Register devices in Studios

    Once you’ve onboarded relevant EOS devices, you’ll register them in the Inventory and Topology Studio for use in Studios.

    • Navigate to the Inventory and Topology Studio and click Network Updates.
    • Enable the checkbox next to the onboarded device or devices and click Accept Updates.

You'll now be able to use these devices in the MSS Studio where you'll configure static security domain groups and security policy rules.

Reconciling Device Configuration

Reconcile is used to resolve differences between device designed configuration and the device running configuration. This is typically required when a device's running config has been updated via CLI instead of CloudVision.

Building the workspace will detect if any device configuration is non-compliant and needs to be reconciled.

  1. Select Reconcile.
    Figure 6. Reconcile Tab
    Devices detected with non-compliant running configuration will be displayed.
  2. Select Start Build.
    Figure 7. Start Build
    This will update the list of devices that are out of compliance.
  3. Select one or more devices.
    Figure 8. Select Devices
    Choose the lines from the running configuration to include or overwrite the designed configuration using the checkboxes.
    Tip: Select Auto-Reconcile to reconcile all devices with one action.
  4. Select Reconcile.
    Figure 9. Reconcile Multiple Devices

    The workspace is rebuilt, and a new container in the Container Tree called Reconciled Configlets is displayed.

    Figure 10. Configlets
    The order of configuration is important. Ensure that the reconciled configuration follows the established EOS hierarchy both within the configlet and in the order of containers.
  5. Select Review Workspace and submit the workspace to change control.
    When the associated change control is executed, the running configuration and the designed configuration will be synchronized, bringing the running configuration of the device into compliance.

Installing the ZTX Monitor Node Appliance

For Installation and Configuration of the MSS Monitor Node appliance (ZTX-72XXS), refer to the Quick Start Guide on the Arista documentation page.

Deploying the ZTX Monitor Node Workflow

On deploying a ZTX monitor node and following the user workflow to trigger mirroring traffic to the node, the solution does the following:
  1. CVP configures mirroring: CVP installs MSS rules on the ingress TORs to mirror traffic from selected network VRFs or network devices towards the ZTX node.
  2. ITORs mirror traffic to the ZTX node: Once the mirroring configuration is active, selected traffic is mirrored from the ingress TOR via a GRE tunnel to the ZTX node.
  3. ZTX node summarizes session: Upon receiving mirrored traffic from the ingress TORs, the ZTX node tracks and aggregates sessions bidirectionally.
  4. ZTX node exports summarized sessions to CVP: The ZTX node exports the summarized session information to CVP
  5. CVP associates summarized session data with meta data to suggest policy that the user can then review and modify.
  6. CVP suggests a permit action to create MSS rules based on these summarized session records. However, upon review, the policy action can be modified and pushed to the ITOR switches, enforcing the rules.

Configuration

The ZTX appliance is managed primarily through CloudVision's MSS Service Studio once the device has been onboarded and bootstrapped with configuration pushed through the Static Configuration Studio. Device onboarding is described by the following Device Onboarding instructions. Since MSS Service will manage the device at runtime, this configuration section will primarily focus on the necessary bootstrap configuration that is pushed through Static Configlets Studio. Configuration pushed through MSS Service can also be validated.

Static Configuration Studio

Static Configuration Studio can be leveraged to build the initial configurations on the ZTX node and include provisioning loopback, ethernet and port-channel interface and IP connectivity to other devices in the network. Additional details about Static Configlet Studios are available on the Arista CloudVision Help Center Static Configuration Studio site.

Ports from the ZTX device used as uplinks to the MLAG Service TOR should all be members of a single port-channel to achieve maximum throughput with the service TOR. A loopback interface is needed to act as the GRE tunnel endpoint to terminate mirrored packets. The following is a sample configuration that can be pushed from Static Configuration Studio to bootstrap the device so that it can be managed by MSS Service.

ZTX# show running-config
!
! Port-Channel with member ports connected to MLAG Service TOR.
! MLAG service TOR peers should have an IP address in the same network
interface Port-Channel1
no switchport
ip address 10.10.250.1/24
!
interface Ethernet1/1
speed forced 10000full
no switchport
channel-group 1 mode active
!
interface Ethernet1/2
speed forced 10000full
no switchport
channel-group 1 mode active
!
! Loopback Interface used as GRE tunnel endpoint.
interface Loopback0
ip address 10.10.254.1/32
!
! Default static route for reachability of GRE mirror source
ip route 0.0.0.0/0 10.10.250.2

CloudVision MSS Service

Use the MSS Service to configure the ZTX device and the mirroring session on the MSS TOR. The following section describes the configuration that MSS Service will push and how the configurations contribute to the overall solution, aside from show commands for debugging the user is not expected to actively manage the ZTX device after the onboarding and bootstrap stage are complete.

The following configuration puts the ZTX device into monitor mode.

ZTX# show running-config
!
firewall distributed instance
mode monitor
no disabled
!

The following configuration exports the flows observed by the monitoring device to CV using IPFIX as the transport. Note that TA is acting as IPFIX collector listening on 127.0.0.1 for IPFIX records and then streaming that data to CV for ingest to provide telemetry and policy recommendations.

ZTX# show running-config
!
flow tracking firewall distributed
tracker flowtrkr
exporter exp
collector 127.0.0.1
local interface Loopback0
no shutdown
!

Tunnels are configured to terminate each GRE tunnel created from a TOR’s monitor sessions, and flow tracker is enabled on all the tunnels. The tunnel source is always set to the IP address of the loopback interface created during the bootstrap process The tunnel destination corresponds to the GRE tunnel endpoint of the TOR that originated the mirror session. Note that mirrored traffic terminated at the ZTX device and is always dropped so the reverse GRE tunnel is never utilized.

ZTX# show running-config
!
interface Tunnel0
flow tracker firewall distributed flowtrkr
tunnel mode gre
tunnel source 10.10.254.1
tunnel destination 10.10.254.2
!
Note: Configurations of tunnel interface and flow tracker come from CVP MSS Service. However, configurations for interfaces connecting to STOR and Loopback Interface should be done via CLI/Static Configlets Studio as a prerequisite to using MSS Service.

ZTX Monitor Node Software Deployment

 

Deploying the ZTX Monitor Node

Deploying the ZTX Monitor Node in an Arista Network

This chapter describes how the ZTX can be physically and logically inserted in an Arista network and provides reference configuration examples.

IP Communication Requirements
As represented in the following logical diagram, there are two fundamental IP communication requirements for the ZTX Traffic Mapper:
 
Figure 11. ZTX IP Communication Requirements
  1. The ZTX requires bidirectional IP communication with Arista Cloud Vision instance, using the out-of-band management interface, in order to:
    1. export traffic metadata in IPFIX format.
    2. receive provisioning settings over HTTP.
  2. It also requires bidirectional IP communication over the in-band interfaces with the Arista switches that compose an MSS Security Domain, in order to:
    1. receive monitored traffic from the switches over L2oGRE.
    2. maintain the healthiness of L2oGRE tunnels.
In-band Connectivity Requirements

The ZTX Monitor Node throughput is used for extracting and exporting communication session metadata from mirrored traffic received by the switches that compose one - and one only - Security Domain. The traffic received by the ZTX consists of a copy (mirror) of the original layer-2 traffic packets that match one or more monitor rules, truncated to the first 256 or 192 bytes1 and embedded into a L2GRE envelope, which adds 24 bytes of overhead.

Centralized Configuration
Figure 12. ZTX Topology Centralized Design

 

  • Centralized: The ZTX is placed within a service pod and its interfaces are physically connected to a pair of switches that have IP connectivity to the Security Domain.

    This option is based on the best practice of using a dedicated self-contained unit in the network to provide all required network services with optimal scalability, efficiency and simplicity.

    With this approach, the planned network throughput of the service pod, needs to account for the theoretical inbound capacity of the ZTX, unless further rate limiters are applied in the data path from the Security Domain.

The physical links of the ZTX that connect to the same physical device or, in case the peer devices use multi-chassis link aggregation, to the same device pair, can be grouped in a port channel. This choice may depend also on the selected routing design, which is discussed next.

IP Routing Requirements

To satisfy its in-band communication requirements, the ZTX must be provisioned with a distinct IP address, which needs to be reachable by the switches part of the Security Domain in order to create L2GRE tunnels that use the ZTX address as destination. The IP address of the ZTX can be advertised to the adjacent switches via dynamic routing, or the adjacent switches can be configured with a specific static route that the adjacent switches can redistribute in their current routing protocol.

From an outbound routing direction perspective, the ZTX requires in its routing table either every loopback address of the switches of the Security Domain or an aggregate prefix that includes them. This information is needed for the sole purpose of a GRE tunnel health check, and can be also provided via dynamic or static routing.

In case the ZTX is physically adjacent to a pair of switches that support MLAG, the choice of using dynamic vs. static routing influences the decision on how to bundle the ZTX interfaces into one or two port channels.

VRF and Security Zone Awareness

Monitoring rules are elements of MSS policies, configured on the Security Domain switches, which apply to a specific VRF, representing a determined security zone. On the ZTX, the VRF is identified via a GRE keyword field, present in the mirrored packet, and does not require to be declared in the device configuration.

L2GRE Tunnel Provisioning

The provisioning of L2GRE tunnels on the ZTX and the Security Domain switches is automatic and triggered by creating or modifying monitoring rules and other MSS objects in CloudVision.

Managing ZTX with CloudVision

Once the ZTX device has been onboarded to CloudVision and the in-band communication with the Security Domain is complete, the next step is to associate it with a MSS Monitor Object in CloudVision, so it can be referenced by one or more policy rules.

An MSS Monitor Object is a structure that defines how a ZTX device can communicate with a Security Domain.

The definition of a Monitor Object is possible from the MSS Service, which, once enabled in General Settings, is available under Network Services in the Studios pane, as shown in the screenshot below.
Figure 13. CloudVision - MSS Service Studio Selection
As for any other studio, before making any edit to the MSS objects, a change-control workspace needs to be created, as shown in the following image.
Figure 14. Create Workspace
The studio form presents most of the MSS objects structured in a multi-level tabular format. Monitor Objects are listed in a dedicated table in the bottom portion of the studio. A new object can be defined using Add Monitor Object, as shown in the following image:
Figure 15. Add Monitor Object
 
Parameter Description Recommended Value
Name Unique string identifying the Monitor Object that can be referenced by a policy rule  
Monitor Node Associated ZTX device among those present in the device inventory  
Exporter Interface Interface name on the ZTX that is used as IPFIX exporter and L2GRE tunnel termination  
Active Timeout Active timeout period in ms for exporting IPFIX reports

long-term setting: 30000 – 300000 ms

 

temporarily for initial deployment:

3000 - 30000 ms
Tunnel Destination IP IP address of the ZTX used as L2GRE tunnel destination on switches part of the Security Domain  
Tunnel Source Interface The interface name on the Security Domain switches is used as an L2GRE tunnel source.
Note: All switches consistently use the same interface name.
Important: Tunnel Source Interface IP should be unique to each TOR. In the MLAG deployment scenario, specify the Tunnel Source Interface IP unique to each MLAG peer device rather than specifying interfaces with shared IP addresses.
  
Truncation Boolean field, indicating if mirrored traffic is truncated or not Yes
Rate Limit Rate limiter expressed in Mbps applied on Security Domain switches to mirrored traffic per VRF sent to the ZTX 10,000

Once a new Monitor Object entry has been populated with all required values, it is possible to select it inside the field Monitor Name in multiple policy rules part of the same policy.

The same Monitor Object can be concurrently referred to by multiple policies, while a policy (associated to a security zone) can only use one Monitor Object.

First, it is necessary to navigate in the studio form to the Policies table, and from there, by clicking on the desired policy entry in the Rules column, it is possible to view and edit the corresponding policy rules. The following two images are provided as a reference.
Figure 16. CloudVision - Policies Table
Figure 17. CloudVision - Rules Table
Once a new Monitor Object entry has been created, it is necessary to validate its parameters by clicking on Autofill on the studio form, as shown in the following image:
Figure 18. CloudVision - Autofill

If no errors are reported, the change-control workspace can be reviewed, using Review Workspace, and subsequently executed, following the same workflow used by other studios.

1This value is TOR hardware dependent and is not user configurable.