EOS 4.34.0F User Manual - Layer 2 Configuration

Layer 2 Configuration

This chapter contains the following sections:

  • Spanning Tree Protocol
  • Link Layer Discovery Protocol
  • Virtual LANs (VLANs)
  • DCBX and Flow Control
  • IP Address Locking
  • Layer 2 Protocol Forwarding
  • Layer 2 Subinterfaces

EOS 4.34.0F User Manual - Upgrades and Downgrades

Upgrades and Downgrades

This chapter describes the procedures for upgrading or downgrading the switch software.

This chapter contains these sections:
  • Upgrade/Downgrade Overview
  • Smart System Upgrade
  • Standard Upgrades and Downgrades
  • Upgrade/Downgrade Commands

EOS 4.34.0F User Manual - Upgrade/Downgrade Overview

Upgrade/Downgrade Overview

Upgrading or downgrading the Arista Extensible Operating System (EOS) is accomplished by replacing the EOS image and reloading the switch. It may be possible to minimize (or virtually eliminate) downtime and packet loss during an upgrade, depending on the switch model and the software change being made. There are two upgrade methods for the EOS:

Smart System Upgrade: SSU significantly decreases downtime and packet loss during upgrades. SSU is available on selected platforms and is ideal for leaf switches and other non-redundant deployments.

Standard Upgrades and Downgrades: In cases where an accelerated upgrade is not needed or not an option (for example, software downgrades and unsupported platforms), performing a standard upgrade or downgrade using the steps described here minimizes downtime and packet loss.

Note: To upgrade the software on switches participating in an MLAG, see Upgrading MLAG Peers.

EOS 4.34.0F User Manual - Smart System Upgrade

Smart System Upgrade

Smart System Upgrade (SSU) dramatically speeds up system upgrades and minimizes network disruptions with:

  • Faster Reloads: SSU streamlines and optimizes the upgrade process, significantly reducing the reload time.
  • Uninterrupted Connections: Even while the system reboots, SSU keeps your network connections active by sending LACP PDUs. These PDUs are essential signals that maintain port channels, ensuring your devices stay connected.
  • Minimal Traffic Loss: SSU uses protocols that support "graceful restart," allowing network services to restart without dropping connections, preventing interruptions to your data flow.
Features capable of hitless restart under SSU include:
  • QinQ
  • 802.3ad Link Aggregation/LACP
  • 802.3x Flow Control
  • BGP (you must enable BGP graceful restart; refer to Configuring BGP.)
  • MP-BGP (you must enable BGP graceful restart; refer to Configuring BGP.)
  • 128-way Equal Cost Multipath Routing (ECMP)
  • VRF
  • Route Maps
  • L2 MTU
  • QoS

Note: SSU and VRRP are not compatible. Use a different upgrade method if you have VRRP configured on the switch.

Upgrading the EOS image with Smart System Upgrade

Using SSU to upgrade the active EOS image requires a five-step process:
  1. Preparing the Switch for SSU.
  2. Transfer the Image File for SSU. (Not required if the desired file already exists on the switch.)
  3. Modify boot-config.
  4. Start the SSU Process.
  5. Verify Success of the Upgrade.

Preparing the Switch for SSU

To prepare the switch for SSU, use the following steps:
  • Backing Up Critical Software
  • Making Room on the Flash Drive
  • Verifying Connectivity
  • Verifying Configuration
  • Configuring BGP

Note: Configuring BGP graceful restart resets BGP sessions. If configuring BGP graceful restart as part of the SSU process, ensure that BGP sessions are stable and that all BGP routing information has been learned and advertised before proceeding with SSU.

Backing Up Critical Software

Before upgrading the EOS image, be sure you have copies of the currently running EOS version and the running-config file available in case of corruption during the upgrade process. To copy the running-config file, use the copy running-config command. In this example, the system copies the running-config contents to a file on the switch flash drive.

switch# copy running-config flash:/cfg_06162014
Copy completed successfully.
switch#

Making Room on the Flash Drive

Determine the size of the new EOS image. Verify enough space exists on the flash drive for two copies of this image, plus a recommended 240MB (if available) for diagnostic information in case of a fatal error. Use the dir command to check the bytes free figure.

switch# dir flash:
Directory of flash:/
-rwx   293168526      Nov 4    22:17   EOS4.11.0.swi
-rwx          36      Nov 8    10:24   boot-config
-rwx       37339      Jun 16   14:18   cfg_06162014

606638080 bytes total (602841088 bytes free)

Verifying Connectivity

Ensure the switch has a management interface configured with an IP address and default gateway. See Assigning a Virtual IP Address to Access the Active Ethernet Management Port and Configuring a Default Route to the Gateway. Confirm network connectivity to the switch using the show interfaces status command and pinging the default gateway.

switch# show interfaces status
Port    Name     Status     Vlan       Duplex   Speed      Type
Et3/1            notconnect   1         auto    auto     1000BASE-T

<-------OUTPUT OMITTED FROM EXAMPLE-------->
Ma1/1            connected   routed     unconf   unconf    Unknown 

switch# ping 1.1.1.10
PING 172.22.26.1 (172.22.26.1) 72(100) bytes of data.
80 bytes from 1.1.1.10: icmp_seq=1 ttl=64 time=0.180 ms
80 bytes from 1.1.1.10: icmp_seq=2 ttl=64 time=0.076 ms
80 bytes from 1.1.1.10: icmp_seq=3 ttl=64 time=0.084 ms
80 bytes from 1.1.1.10: icmp_seq=4 ttl=64 time=0.073 ms
80 bytes from 1.1.1.10: icmp_seq=5 ttl=64 time=0.071 ms

Verifying Configuration

Verify the switch has a valid configuration for SSU using the show reload fast-boot command. If parts of the configuration block SSU execution, an error message displays explaining the issues. For SSU to proceed, correct the configuration conflicts before issuing the reload fast-boot command.

switch# show reload fast-boot
switch#'reload fast-boot' cannot proceed due to the following:
  Spanning-tree portfast is not enabled for one or more ports
  Spanning-tree BPDU guard is not enabled for one or more ports
switch#

Note: You can still use the show reload hitless and reload hitless commands, but they have the same effect as the commands shown earlier.

Configuring BGP

For hitless restart of BGP and MP-BGP, BGP graceful restart must first be enabled using the graceful-restart command. The default restart time value (300 seconds) is appropriate for most configurations.

The BGP configuration mode issuing the graceful-restart command determines which BGP connections will restart gracefully.

Note: Configuring BGP graceful restart resets BGP sessions. If configuring BGP graceful restart as part of the SSU process, be sure you have stable BGP sessions and all BGP routing information has been learned and advertised before proceeding with SSU.

For all BGP connections, use the graceful-restart command in BGP configuration mode:
switch# config
switch(config)# router bgp 64496
switch(config-router-bgp)# graceful-restart
switch(config-router-bgp)#

For all BGP connections in a specific VRF, use the graceful-restart command in BGP VRF configuration mode:
switch# config
switch(config)# router bgp 64496
switch(config-router-bgp)# vrf purple
switch(config-router-bgp-vrf-purple)# graceful-restart
switch(config-router-bgp-vrf-purple)# exit
switch(config-router-bgp)#

For all BGP connections in a specific BGP address family, use the graceful-restart command in BGP address-family configuration mode:
switch# config
switch(config)# router bgp 64496
switch(config-router-bgp)# address-family ipv6
switch(config-router-bgp-af)# graceful-restart
switch(config-router-bgp-af)# exit
switch(config-router-bgp)#

Transfer the Image File for SSU

The target image must be copied to the file system on the switch, typically onto the flash drive:

  1. Verify that the flash drive has enough space for two copies of the image plus an optional 240MB for diagnostic information.
  2. Use the copy command to copy the image to the flash drive.
  3. Confirm that the system transferred the new image file correctly.

The following command examples illustrate transferring an image file from various locations to the flash drive.

USB Memory

Command

copy usb1:/sourcefile flash:/destfile

Example

switch# copy usb1:/EOS-4.14.4.swi flash:/EOS-4.14.4.swi

FTP Server

Command

copy ftp:/ftp-source/sourcefile flash:/destfile

Example

switch# copy ftp:/user:password@10.0.0.3/EOS-4.14.4.swi flash:/EOS-4.14.4.swi

SCP

Command

copy scp://scp-source/sourcefile flash:/destfile

Example

switch# copy scp://user@10.1.1.8/user/EOS-4.13.2.swi flash:/EOS-4.13.2.swi

HTTP

Command

copy http://http-source/sourcefile flash:/destfile

Example

switch# copy http://10.0.0.10/EOS-4.14.4.swi flash:/EOS-4.14.4.swi

After transferring the file, verify that it is present in the directory, then confirm the MD5 checksum using the verify command. The MD5 checksum is available from the EOS download page of the Arista website.

switch# dir flash:
Directory of flash:/
-rwx     293168526   Nov 4     22:17     EOS4.14.2.swi
-rwx            36   Nov 8     10:24     boot-config
-rwx         37339   Jun 16    14:18     cfg_06162014
-rwx     394559902   May 30    02:57     EOS4.13.1.swi

606638080 bytes total (208281186 bytes free)
switch# verify /md5 flash:EOS-4.14.4.swi 
verify /md5 (flash:EOS-4.14.4.swi) =c277a965d0ed48534de6647b12a86991
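The three pre-flight checks described above (free space for two image copies plus the 240 MB diagnostic reserve, the MD5 comparison against the published checksum, and the blockers reported by show reload fast-boot) can be scripted against captured CLI output. This is an added example, not Arista's code; the helper names are hypothetical and the sample outputs are constructed in the layout of the manual's examples.

```python
import hmac
import re

MB = 1024 * 1024
DIAG_RESERVE = 240 * MB  # headroom the manual recommends for fatal-error diagnostics

# Constructed sample `dir flash:` output, laid out like the manual's examples.
SAMPLE_DIR = """Directory of flash:/
-rwx     293168526   Nov 4     22:17     EOS4.14.2.swi
-rwx            36   Nov 8     10:24     boot-config
-rwx         37339   Jun 16    14:18     cfg_06162014

606638080 bytes total (208281186 bytes free)
"""

# Constructed sample `show reload fast-boot` output listing two blockers.
SAMPLE_BLOCKED = """'reload fast-boot' cannot proceed due to the following:
  Spanning-tree portfast is not enabled for one or more ports
  Spanning-tree BPDU guard is not enabled for one or more ports
"""

# Digest line as printed by `verify /md5` on the switch (value from the manual).
SAMPLE_VERIFY = "verify /md5 (flash:EOS-4.14.4.swi) =c277a965d0ed48534de6647b12a86991"


def parse_dir(output):
    """Return ({filename: size_in_bytes}, bytes_free) from `dir flash:` output."""
    files, free = {}, None
    for line in output.splitlines():
        line = line.rstrip()
        m = re.match(r"^-[rwx-]+\s+(\d+)\s+\S+\s+\d+\s+\S+\s+(\S+)$", line)
        if m:
            files[m.group(2)] = int(m.group(1))
            continue
        m = re.search(r"\((\d+) bytes free\)", line)
        if m:
            free = int(m.group(1))
    return files, free


def flash_has_room(dir_output, image_size, reserve=DIAG_RESERVE):
    """The manual's rule: two copies of the image plus the diagnostic reserve must fit."""
    _, free = parse_dir(dir_output)
    if free is None:
        raise ValueError("no 'bytes free' figure in dir output")
    return free >= 2 * image_size + reserve


def checksum_matches(verify_output, published_md5):
    """Compare the digest printed by `verify /md5` with the one from the download page.

    The published value must come from the vendor's site, not from the same server
    that served the image; hmac.compare_digest keeps the comparison constant-time.
    """
    m = re.search(r"=\s*([0-9a-fA-F]{32})\s*$", verify_output.strip())
    if not m:
        raise ValueError("no 32-hex-digit MD5 digest in verify output")
    return hmac.compare_digest(m.group(1).lower(), published_md5.strip().lower())


def ssu_blockers(show_reload_output):
    """Return the indented lines that `show reload fast-boot` lists as blocking SSU."""
    return [l.strip() for l in show_reload_output.splitlines()
            if l.startswith("  ") and l.strip()]


def preflight(dir_output, image_name, image_size, verify_output, published_md5,
              show_reload_output):
    """Run all checks and return a list of human-readable problems (empty means go)."""
    problems = []
    files, _ = parse_dir(dir_output)
    if image_name not in files:
        problems.append(f"{image_name} not present on flash:")
    elif files[image_name] != image_size:
        problems.append(f"{image_name} size {files[image_name]} != expected {image_size}")
    if not flash_has_room(dir_output, image_size):
        problems.append("insufficient free space for two image copies plus 240 MB")
    if not checksum_matches(verify_output, published_md5):
        problems.append("MD5 checksum mismatch: do not boot this image")
    problems.extend("SSU blocker: " + b for b in ssu_blockers(show_reload_output))
    return problems
```

Note that with the 240 MB reserve the sample flash drive fails the space rule; the manual's own "(if available)" wording is why the reserve is a parameter.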

Modify boot-config

After transferring and confirming the desired image file, use the boot system command to update the boot-config file to point to the new EOS image.

This command changes the boot-config file to point to the image file located in flash memory at EOS-4.14.4.swi.

switch# configure terminal
switch(config)# boot system flash:/EOS-4.14.4.swi

Use the show boot-config command to verify that the boot-config file is correct:

switch(config)# show boot-config
Software image: flash:/EOS-4.14.4.swi
Console speed: (not set)
Aboot password (encrypted): $1$ap1QMbmz$DTqsFYeauuMSa7/Qxbi2l1

Save the configuration to the startup-config file with the write command.

switch# write

Start the SSU Process

After updating the boot-config file, verify that your configuration supports SSU (if you have not already done so) using the show reload fast-boot command. If parts of the configuration are blocking SSU execution, an error message will be displayed explaining what they are.

switch# show reload fast-boot
switch#'reload fast-boot' cannot proceed due to the following:
  Spanning-tree portfast is not enabled for one or more ports
  Spanning-tree BPDU guard is not enabled for one or more ports

Start the SSU process using the reload fast-boot command to reload the switch and activate the new image. The CLI will identify any changes that must be made to the configuration before starting SSU, prompt the saving of any modifications to the system configuration, and request confirmation before reloading.

switch# reload fast-boot
System configuration has been modified. Save? [yes/no/cancel/diff]:y
Copy completed successfully.
Proceed with reload? [confirm]y

Note: You can still use the show reload hitless and reload hitless commands, but they have the same effect as the commands shown earlier.

Verify Success of the Upgrade

Before making any configuration changes to the switch after reloading, verify that the SSU process is complete using the command show boot stages log. If it is, the last message should be Hitless boot stages complete.

switch# show boot stages log
Timestamp           Delta Begin Msg
2022-10-03 12:42:06 000.000000 Asu Hitless boot stages started
2022-10-03 12:42:06 000.001592 stage CriticalAgent started
2022-10-03 12:42:06 000.001834   event CriticalAgent:PhyEthtool completed

[ . . . ]

2022-10-03 12:43:02 056.316874 stage BootSanityCheck is complete
2022-10-03 12:43:02 056.317491 Asu Hitless boot stages complete

You can also verify the completion of the SSU process by checking the syslog for the following message:

LAUNCHER-6-BOOT_STATUS: 'reload fast-boot' reconciliation complete

To verify whether the SSU upgrade was successful, use the show reload cause command. If a fatal error occurred during the upgrade process, the switch will have completely rebooted, and the fatal error details will be displayed along with the directory containing the diagnostic information.

If the SSU upgrade has succeeded, it will read Hitless reload requested by the user.

Fatal Error Display

switch# show reload cause
Reload Cause 1:
-------------------
Fatal error occurred during Asu Hitless boot. (stageMgr - LinkStatusUpdate timed out)

Reload Time:
------------
Reload occurred at Sun Oct 02 12:06:37 2022 PDT.

Recommended Action:
-------------------
The system rebooted due to a fatal error.
If the problem persists, contact your customer support representative.

Debugging Information:
-------------------------------
/mnt/flash/persist/fatalError-2022-10-02_120637

Successful Upgrade Display

switch# show reload cause
Reload Cause 1:
-------------------
Hitless reload requested by the user.

Reload Time:
------------
Reload occurred at Mon Oct 03 13:29:31 2022 PDT.

Recommended Action:
-------------------
No action necessary.

Debugging Information:
-------------------------------
None available.

The show version command confirms whether the correct image is loaded. The Software image version: line displays the version of the active image file.

switch# show version
Arista DCS-7050QX-32-F
Hardware version: 02.00
Serial number: JPE14071098
System MAC address: 001c.7355.556f
Software image version: 4.14.5F-2353054.EOS4145F
Architecture: i386
Internal build version: 4.14.5F-2353054.EOS4145F
Internal build ID: e8748ea7-916d-4217-878f-4bfe2adc7122
Uptime: 4 minutes
Total memory: 3981328 kB
Free memory: 1342408 kB

Note: If a fatal error occurs during the SSU process, the new EOS image will still be loaded and booted.
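The post-reload checks above (last line of show boot stages log, the cause reported by show reload cause, and the Software image version line of show version) can likewise be evaluated from captured output; the same version check applies to the standard single-supervisor procedure later on this page. This is an added example, not Arista's code; the function names are hypothetical and the sample outputs are constructed in the shape of the manual's examples.

```python
import re

# Constructed samples shaped like the manual's `show boot stages log`,
# `show reload cause` and `show version` output.
BOOT_LOG_OK = """Timestamp           Delta Begin Msg
2022-10-03 12:42:06 000.000000 Asu Hitless boot stages started
2022-10-03 12:42:06 000.001592 stage CriticalAgent started
2022-10-03 12:43:02 056.316874 stage BootSanityCheck is complete
2022-10-03 12:43:02 056.317491 Asu Hitless boot stages complete
"""
BOOT_LOG_RUNNING = """Timestamp           Delta Begin Msg
2022-10-03 12:42:06 000.000000 Asu Hitless boot stages started
2022-10-03 12:42:06 000.001592 stage CriticalAgent started
"""
CAUSE_FATAL = """Reload Cause 1:
-------------------
Fatal error occurred during Asu Hitless boot. (stageMgr - LinkStatusUpdate timed out)

Reload Time:
------------
Reload occurred at Sun Oct 02 12:06:37 2022 PDT.

Debugging Information:
-------------------------------
/mnt/flash/persist/fatalError-2022-10-02_120637
"""
CAUSE_OK = """Reload Cause 1:
-------------------
Hitless reload requested by the user.

Debugging Information:
-------------------------------
None available.
"""
VERSION_OUT = """Arista DCS-7050QX-32-F
Software image version: 4.14.5F-2353054.EOS4145F
Architecture: i386
"""


def ssu_stages_complete(boot_log):
    """True only when the last non-empty log line is the completion marker."""
    lines = [l.rstrip() for l in boot_log.splitlines() if l.strip()]
    return bool(lines) and lines[-1].endswith("Hitless boot stages complete")


def parse_reload_cause(output):
    """Split `show reload cause` into its headed sections and classify the result."""
    sections, current = {}, None
    for line in output.splitlines():
        if line.endswith(":"):          # section header such as "Reload Cause 1:"
            current = line[:-1]
            sections[current] = []
        elif current is None or set(line.strip()) <= {"-"}:
            continue                    # underline rows and blank lines
        else:
            sections[current].append(line.strip())
    cause = " ".join(sections.get("Reload Cause 1", []))
    if cause.startswith("Hitless reload requested by the user"):
        status = "success"
    elif cause.startswith("Fatal error occurred during Asu Hitless boot"):
        status = "fatal"
    else:
        status = "unknown"
    debug = [d for d in sections.get("Debugging Information", []) if d != "None available."]
    return {"status": status, "cause": cause, "debug_paths": debug}


def running_version(show_version):
    """Extract the value of the 'Software image version:' line, or None."""
    m = re.search(r"^Software image version:\s*(\S+)", show_version, re.M)
    return m.group(1) if m else None


def verify_upgrade(boot_log, reload_cause, show_version, expected_version):
    """Combine the three checks; return (ok, reasons) with reasons empty on success."""
    reasons = []
    if not ssu_stages_complete(boot_log):
        reasons.append("SSU reconciliation still in progress: make no config changes yet")
    cause = parse_reload_cause(reload_cause)
    if cause["status"] != "success":
        reasons.append(f"reload cause: {cause['cause']}")
        reasons.extend("diagnostics: " + p for p in cause["debug_paths"])
    ver = running_version(show_version)
    if ver is None or not ver.startswith(expected_version):
        reasons.append(f"running image {ver!r} is not the expected {expected_version}")
    return (not reasons, reasons)
```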

Scheduling an SSU

SSU supports scheduling an upgrade with the reload fast-boot in command. If the switch has unsaved configuration changes, or saved configuration changes that block an SSU upgrade, the scheduled reload stops at the scheduled time.

Configuring a Scheduled SSU Upgrade

Use the reload fast-boot in command to schedule the upgrade at a specific time. The switch detects any unsaved configuration and prompts you to save the changes first. Replying no exits the command and the scheduled upgrade does not proceed.

switch# reload fast-boot in 10:00
System configuration has been modified. Save? [yes/no/cancel/diff]:yes
Copy completed successfully.
Proceed with reload? [confirm]y
Reload scheduled for Mon Jan 20 19:31:09 2025 (in 9 hours 59 minutes)
No warnings or unsupported configuration found.

Specify the delay before the reload in hours and minutes, for example 10:00, as shown in the example.

Override the confirmation prompt by adding the optional force parameter, and specify a reason with the reason keyword.

switch# reload fast-boot in 10:00 force reason scheduled maintenance
Copy completed successfully.
Reload scheduled for Mon Jun 17 19:38:12 2024 (in 9 hours 59 minutes)
Reload reason: scheduled maintenance
No warnings or unsupported configuration found.

Note: EOS supports only one pending SSU reload (immediate or scheduled) at a time. To schedule a new SSU, cancel the existing scheduled SSU first.

Canceling a Scheduled SSU

To cancel a scheduled SSU reload, use the reload cancel command:

switch# reload cancel
Scheduled reload has been canceled.

Displaying Scheduled SSU Information

Use the following command to display information about scheduled SSU configurations:

switch# show reload fast-boot
Reload scheduled for Mon Jan 20 19:31:09 2025 (in 9 hours 59 minutes)
Reload reason: scheduled maintenance
No warnings or unsupported configuration found.

If no scheduled reload exists on the switch, the command returns the following output:

switch# show reload fast-boot
No reload is scheduled
No warnings or unsupported configuration found.

EOS 4.34.0F User Manual - Standard Upgrades and Downgrades

Standard Upgrades and Downgrades

Standard software upgrades and downgrades on Arista switches are accomplished by installing a different EOS image and reloading the switch. On switches with redundant supervisors, you must install the EOS image on both supervisors. Using the following procedures will minimize packet loss during a standard upgrade or downgrade.

These sections describe standard switch upgrade and downgrade procedures:

  • Upgrading or Downgrading the EOS on a Single-Supervisor Switch
  • Upgrading or Downgrading the EOS on a Dual-Supervisor Switch

Upgrading or Downgrading the EOS on a Single-Supervisor Switch

Modifying the active EOS image is a five-step process:
  1. Prepare the switch for upgrade (Prepare the Switch for SSU).
  2. Transfer the image file to the switch (Transfer the Image File). (This is not required if the desired file is on the switch).
  3. Modify the boot-config file to point to the desired image file (Modify boot-config for Single-Supervisor Switch).
  4. Reload the switch (Reload).
  5. Verify the switch is running the new image (Verify the New Image for Single-Supervisor Switch).


Transfer the Image File

The target image must be copied to the file system on the switch, typically onto the flash drive. After verifying that there is space for the image, use the CLI copy command to copy the image to the flash drive, then confirm that the system transferred the new image file correctly.

The following command examples illustrate transferring an image file from various locations to the flash drive.

USB Memory

Command

copy usb1:/sourcefile flash:/destfile

Example

switch# copy usb1:/EOS-4.13.2.swi flash:/EOS-4.13.2.swi

FTP Server

Command

copy ftp:/ftp-source/sourcefile flash:/destfile

Example

switch# copy ftp:/user:password@10.0.0.3/EOS-4.13.2.swi flash:/EOS-4.13.2.swi

SCP

Command

copy scp://scp-source/sourcefile flash:/destfile

Example

switch# copy scp://user@10.1.1.8/user/EOS-4.13.2.swi flash:/EOS-4.13.2.swi

HTTP

Command

copy http://http-source/sourcefile flash:/destfile

Example

switch# copy http://10.0.0.10/EOS-4.13.2.swi flash:/EOS-4.13.2.swi

After transferring the file, verify that it is present in the directory, then confirm the MD5 checksum using the verify command. The MD5 checksum is available from the EOS download page of the Arista website.

switch# dir flash:
Directory of flash:/
-rwx     293168526   Nov 4     22:17     EOS4.11.0.swi
-rwx            36   Nov 8     10:24     boot-config
-rwx         37339   Jun 16    14:18     cfg_06162014
-rwx     394559902   May 30    02:57     EOS-4.12.2.swi

606638080 bytes total (208281186 bytes free)
switch# verify /md5 flash:EOS-4.13.2.swi
verify /md5 (flash:EOS-4.13.2.swi) =c277a965d0ed48534de6647b12a86991 

Modify boot-config for Single-Supervisor Switch

After transferring and confirming the desired image file, use the boot system command to update the boot-config file to point to the new EOS image.

This command changes the boot-config file to point to the image file EOS-4.13.2.swi in flash memory.

switch# configure terminal
switch(config)# boot system flash:/EOS-4.13.2.swi

Use the show boot-config command to verify that the boot-config file is correct:

switch(config)# show boot-config
Software image: flash:/EOS-4.13.2.swi
Console speed: (not set)
Aboot password (encrypted): $1$ap1QMbmz$DTqsFYeauuMSa7/Qxbi2l1

Save the configuration to the startup-config file with the write command.

switch# write

Reload

After updating the boot-config file, reset the switch to activate the new image. The reload command resets the switch, resulting in temporary downtime and packet loss on single supervisor switches.

The terminal displays all rebooting messages when reloading from the console port. From any port except the console, the CLI displays this text:

switch# reload
The system is going down for reboot NOW!

Note: The EOS boot process makes a copy of the .swi image file in the internal flash while booting, so sufficient space for two copies must be present when loading the new EOS image. If the switch reloads without adequate space on the flash drive, it boots to the Aboot prompt from which you can delete files from /mnt/flash to free up additional space. Exiting Aboot begins the boot process again.

Verify the New Image for Single-Supervisor Switch

After the switch finishes reloading, log into the switch and use the show version command to confirm the correct image is loaded. The Software image version line displays the version of the active image file.

switch# show version
Arista DCS-7150S-64-CL-F
Hardware version:    01.01
Serial number:       JPE13120819
System MAC address:  001c.7326.fd0c

Software image version: 4.13.2F
Architecture:           i386
Internal build version: 4.13.2F-1649184.4132F.2
Internal build ID:      eeb3c212-b4bd-4c19-ba34-1b0aa36e43f1

Uptime:                 14 hours and 48 minutes
Total memory:           4017088 kB
Free memory:            1569760 kB

Upgrading or Downgrading the EOS on a Dual-Supervisor Switch

Modifying the active EOS image is a four-step process:
  1. Prepare the switch for upgrade (Prepare the Switch for Dual-Supervisor Switch).
  2. Transfer the image file to the primary supervisor (Transfer the Image File to the Primary Supervisor). This step is not required if the desired file is already on the switch.
  3. Use the install command to install the new EOS image and update boot-config (Install the New EOS Image).
  4. Verify that the switch is running the new image (Verify the New Image).

    Note: Due to a change in the supervisor heartbeat timeout, booting one supervisor with a post-SSO image (version 4.10.0-SSO, 4.11.X and later) while the other supervisor is running a pre-SSO image will cause the supervisor running the pre-SSO image to reload. This causes a disruption as both supervisors are inactive for a short time. To minimize downtime, upgrade the images on both supervisors and reload the entire chassis using the install command.

Prepare the Switch for Dual-Supervisor Switch

To prepare the switch for an EOS upgrade, take the following steps:

  • Back up all essential files.
  • Address and ensure the following:
    • You are logged in to the primary supervisor.
    • Confirm that the primary supervisor is reachable and that the management interfaces are configured.
    • There is enough room on both supervisors for the new image file.
    • Any extensions running on the active supervisor are also available on the standby.

Before upgrading the EOS image, ensure that backup copies of the currently running EOS version and the running-config file are available in case of corruption during the upgrade process. To copy the running-config file, use the copy running-config command. In the following example, the running-config file is copied to a file called backup2 on the flash drive.

switch# copy running-config backup2
Copy completed successfully.
switch#

Be sure you log into the primary supervisor, not the standby. Use the show redundancy status command, and verify that my status reads ACTIVE and not STANDBY.

switch# show redundancy status
my status = Active
peer state = STANDBY HOT
Unit = Secondary
Unit ID = 1
Redundancy Protocol (Operational) = Stateful Switchover
Redundancy Protocol (Configured) = Stateful Switchover
Communications = Up
Ready for switchover
Last switchover time = 25 days, 19:51:34 ago
Last switchover reason = Other supervisor stopped sending heartbeats

Be sure the switch has a management interface configured with an IP address and a default gateway. Refer to the sections Assigning a Virtual IP Address to Access the Active Ethernet Management Port and Configuring a Default Route to the Gateway. Then confirm that both management interfaces are in the Up state and can ping the default gateway, using the show interfaces status command and the ping command.

Note: If the management VRF interface is used, use the virtual management interface (management 0) instead of the IP address on the physical management interface.

switch# show interfaces status
Port    Name     Status     Vlan       Duplex   Speed      Type
Et3/1            notconnect   1         auto    auto     1000BASE-T

<-------OUTPUT OMITTED FROM EXAMPLE-------->
Ma1/1            connected   routed     unconf   unconf    Unknown 

switch# ping 1.1.1.10
PING 172.22.26.1 (172.22.26.1) 72(100) bytes of data.
80 bytes from 1.1.1.10: icmp_seq=1 ttl=64 time=0.180 ms
80 bytes from 1.1.1.10: icmp_seq=2 ttl=64 time=0.076 ms
80 bytes from 1.1.1.10: icmp_seq=3 ttl=64 time=0.084 ms
80 bytes from 1.1.1.10: icmp_seq=4 ttl=64 time=0.073 ms
80 bytes from 1.1.1.10: icmp_seq=5 ttl=64 time=0.071 ms

Determine the size of the new EOS image. Then verify that there is enough space available on the flash drive for two copies of this image (use the dir command to check the bytes free figure).

switch# dir flash:
Directory of flash:/
-rwx   293168526      Nov 4    22:17   EOS4.11.0.swi
-rwx          36      Nov 8    10:24   boot-config
-rwx       37339      Jun 16   14:18   cfg_06162014

<-------OUTPUT OMITTED FROM EXAMPLE-------->
606638080 bytes total (602841088 bytes free)

Standby supervisor:
switch# dir supervisor-peer:mnt/flash/
Directory of flash:/
-rwx   293168526      Nov 4    22:17   EOS4.11.0.swi
-rwx          36      Nov 8    10:24   boot-config
-rwx       37339      Jun 16   14:18   cfg_06162014

<-------OUTPUT OMITTED FROM EXAMPLE-------->
606638080 bytes total (602841088 bytes free)

Finally, ensure that any extensions running on the primary supervisor are also available on the secondary supervisor.

Transfer the Image File to the Primary Supervisor

Load the desired image to the file system on the primary supervisor, typically into the flash. Use the CLI copy command to load files to the flash on the primary supervisor, then confirm that the system transferred the new image file correctly.

The following command examples illustrate transferring an image file from various locations to the flash drive.

USB Memory

Command

copy usb1:/sourcefile flash:/destfile

Example

switch# copy usb1:/EOS-4.13.2.swi flash:/EOS-4.13.2.swi

FTP Server

Command

copy ftp:/ftp-source/sourcefile flash:/destfile

Example

switch# copy ftp:/user:password@10.0.0.3/EOS-4.13.2.swi flash:/EOS-4.13.2.swi

SCP

Command

copy scp://scp-source/sourcefile flash:/destfile

Example

switch# copy scp://user@10.1.1.8/user/EOS-4.13.2.swi flash:/EOS-4.13.2.swi

HTTP

Command

copy http://http-source/sourcefile flash:/destfile

Example

switch# copy http://10.0.0.10/EOS-4.13.2.swi flash:/EOS-4.13.2.swi

After transferring the file, verify that it is present in the directory, then confirm the MD5 checksum using the verify command. The MD5 checksum for each available image can be found on the EOS download page of the Arista website.

switch# dir flash:
Directory of flash:/
-rwx      293168526     Nov 4    22:17     EOS4.11.0.swi
-rwx             36     Nov 8    10:24     boot-config
-rwx          37339     Jun 16   14:18     cfg_06162014
-rwx      394559902     May 30   02:57     EOS-4.12.2.swi

<-------OUTPUT OMITTED FROM EXAMPLE-------->

606638080 bytes total (208281186 bytes free)
switch# verify /md5 flash:EOS-4.13.2.swi
verify /md5 (flash:EOS-4.13.2.swi) =c277a965d0ed48534de6647b12a86991
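
The following Go program is an added example (not Arista's code and not part of this manual) that performs the pre-transfer and post-transfer checks described above offline: it extracts the bytes free figure and the image size from dir flash: output, applies the two-copies rule from the Reload note (plus the 240 MB diagnostic reserve that the reload fast-boot guidelines recommend for SSU), and compares the transferred image's MD5 with the checksum taken from the download page. The dir listing is constructed from the one shown on this page, the image bytes are constructed, and 240 MB is taken as 240 x 1024 x 1024 bytes (an assumption).

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// sampleDir is a constructed "dir flash:" listing, copied from the example on
// this page, so that the program runs offline.
const sampleDir = `Directory of flash:/
-rwx     293168526   Nov 4     22:17     EOS4.11.0.swi
-rwx            36   Nov 8     10:24     boot-config
-rwx         37339   Jun 16    14:18     cfg_06162014
-rwx     394559902   May 30    02:57     EOS-4.12.2.swi

606638080 bytes total (208281186 bytes free)`

// ssuDiagnosticReserve is the extra 240 MB the reload fast-boot guidelines
// recommend for diagnostic information; MB is taken as 1024*1024 (assumption).
const ssuDiagnosticReserve int64 = 240 * 1024 * 1024

var bytesFreeRe = regexp.MustCompile(`\((\d+) bytes free\)`)

// BytesFree extracts the "(N bytes free)" figure from dir output.
func BytesFree(dirOutput string) (int64, error) {
	m := bytesFreeRe.FindStringSubmatch(dirOutput)
	if m == nil {
		return 0, errors.New("no 'bytes free' figure in dir output")
	}
	return strconv.ParseInt(m[1], 10, 64)
}

// FileSize returns the size column of the named file in dir output.
func FileSize(dirOutput, name string) (int64, error) {
	for _, line := range strings.Split(dirOutput, "\n") {
		f := strings.Fields(line)
		// Listing rows look like: -rwx <size> <Mon> <day> <hh:mm> <name>
		if len(f) == 6 && f[5] == name {
			return strconv.ParseInt(f[1], 10, 64)
		}
	}
	return 0, fmt.Errorf("%s not found in dir output", name)
}

// RequiredSpace is the flash space an upgrade needs: two copies of the image
// (the boot process duplicates the .swi) plus the diagnostic reserve for SSU.
func RequiredSpace(imageSize int64, ssu bool) int64 {
	need := 2 * imageSize
	if ssu {
		need += ssuDiagnosticReserve
	}
	return need
}

// EnoughSpace reports whether bytesFree covers RequiredSpace.
func EnoughSpace(imageSize, bytesFree int64, ssu bool) bool {
	return bytesFree >= RequiredSpace(imageSize, ssu)
}

// VerifyMD5 compares the MD5 of the transferred image with the checksum
// published on the EOS download page. MD5 detects transfer corruption; it is
// not collision-resistant, so the published value must come from a trusted
// source for the comparison to say anything about authenticity.
func VerifyMD5(image []byte, expectedHex string) bool {
	sum := md5.Sum(image)
	got := []byte(hex.EncodeToString(sum[:]))
	want := []byte(strings.ToLower(strings.TrimSpace(expectedHex)))
	return subtle.ConstantTimeCompare(got, want) == 1
}

func main() {
	free, _ := BytesFree(sampleDir)
	size, _ := FileSize(sampleDir, "EOS-4.12.2.swi")
	fmt.Printf("free=%d image=%d need=%d fits=%v (SSU: need=%d fits=%v)\n",
		free, size, RequiredSpace(size, false), EnoughSpace(size, free, false),
		RequiredSpace(size, true), EnoughSpace(size, free, true))
	// Constructed image bytes; a real check reads the .swi file instead.
	fmt.Println("md5 ok:", VerifyMD5([]byte("abc"), "900150983cd24fb0d6963f7d28e17f72"))
}
```

Note that the listing on this page itself fails the two-copies rule for a 394559902-byte image, which is exactly the situation the Reload note warns about.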

Install the New EOS Image

After the EOS image has been copied to the primary supervisor's flash drive, use the install command to update the boot-config, copy the new image to the secondary supervisor, and reload both supervisors. Both supervisors will briefly be unavailable when upgrading to a new image; using the install command minimizes packet loss during reload.

switch(config)# install source EOS-4.13.2.swi reload
Preparing new boot-config... done.
Copying new software image to standby supervisor... done.
Copying new boot-config to standby supervisor... done.
Committing changes on standby supervisor... done.
Reloading standby supervisor... done.
Committing changes on this supervisor... done.
Reloading this supervisor...

Verify the New Image

After the switch finishes reloading, log in to the switch and use the show version command to confirm the correct image is loaded. The Software image version line displays the version of the active image file.

switch# show version
Arista DCS-7504
Hardware version:    01.01
Serial number:       JPE13120819
System MAC address:  001c.7326.fd0c

Software image version: 4.13.2F
Architecture:           i386
Internal build version: 4.13.2F-1649184.4132F.2
Internal build ID:      eeb3c212-b4bd-4c19-ba34-1b0aa36e43f1

Uptime:                 1 hour and 36 minutes
Total memory:           4017088 kB
Free memory:            1473280 kB

switch#


EOS 4.34.0F User Manual - Upgrade/Downgrade Commands

Upgrade/Downgrade Commands

  • install
  • reload fast-boot
  • reload hitless

install

The install command copies the specified EOS image onto the switch if the source is external, configures the boot-config file to point to the specified EOS image, copies the image to the standby supervisor on dual-supervisor switches, and optionally reloads the switch to run the new EOS.

Command Mode

Privileged EXEC

Command Syntax

install source source_path [destination destination_path][now][reload]

Parameters
  • source_path - Specify the file path and name of the EOS image. If no file path is specified, the switch looks for the image on the flash drive of the primary supervisor.
  • destination destination_path - Specify the destination file path and name of the EOS image. If no destination or name is specified, the EOS image is stored on the flash drive with its original file name.
  • now - Specify to execute the command immediately without further prompts.
  • reload - Reload the supervisor after installing the image and updated boot-config file. On dual-supervisor switches, reloads both supervisors, after which control returns to the primary supervisor.

Example

This command updates the boot-config file to point to the EOS.swi file on the primary supervisor's flash drive, copies the image and boot-config file to the secondary supervisor, and reboots both.
switch(config)# install source EOS.swi reload
Preparing new boot-config... done.
Copying new software image to standby supervisor... done.
Copying new boot-config to standby supervisor... done.
Committing changes on standby supervisor... done.
Reloading standby supervisor... done.
Committing changes on this supervisor... done.
Reloading this supervisor...

reload fast-boot

Smart System Upgrade (SSU) allows critical switches to be upgraded with minimal downtime and packet loss by optimizing the reload procedure and leveraging protocols capable of graceful restart. The reload fast-boot command starts the SSU process using the EOS image specified by the boot-config file configured by the boot system command.

When entering the reload fast-boot command, the switch sends a message prompting the user to save the configuration if it contains unsaved modifications, then asks the user to confirm the reload request.

Command Mode

Privileged EXEC

Command Syntax

reload fast-boot

Guidelines
  • SSU supports upgrades and not downgrades.
  • EOS does not support SSU if the EOS upgrade requires an FPGA upgrade.
  • Enough free space must be available on the flash drive to store two copies of the target EOS image. Arista also recommends that an additional 240MB be available to store diagnostic information.

Examples
  • Use the following command to start the Smart Software Upgrade process.
    switch# reload fast-boot
    Proceed with reload? [confirm]

  • If the current switch configuration has issues that prevent SSU from proceeding, the switch lists the changes that must be made before SSU can begin.
    switch# reload fast-boot
    switch#'reload fast-boot' cannot proceed due to the following:
    Spanning-tree portfast is not enabled for one or more ports
    Spanning-tree BPDU guard is not enabled for one or more ports

  • After entering the reload fast-boot command, the switch sends a message prompting the user to save the configuration if it contains unsaved modifications, then asks the user to confirm the reload request.
    switch# reload fast-boot
    System configuration has been modified. Save? [yes/no/cancel/diff]:y
    Copy completed successfully.
    Proceed with reload? [confirm]y

reload hitless

The reload hitless command is a legacy command now identical to the reload fast-boot command. It starts the Smart System Upgrade (SSU) process using the EOS image specified by the boot-config file configured by the boot system command.

Command Mode

Privileged EXEC

Command Syntax

reload hitless

Examples
  • This command starts the SSU process.
    switch# reload hitless
    Proceed with reload? [confirm]

  • If the current switch configuration has issues that prevent SSU from performing, the switch lists the changes that must be made before SSU can begin.
    switch# reload hitless
    switch#'reload hitless' cannot proceed due to the following:
    Spanning-tree portfast is not enabled for one or more ports
    Spanning-tree BPDU guard is not enabled for one or more ports

  • When you enter the reload hitless command, the switch returns a message prompting to save the configuration if it contains unsaved modifications, then asks you to confirm the reload request.
    switch# reload hitless
    System configuration has been modified. Save? [yes/no/cancel/diff]:y
    Copy completed successfully.
    Proceed with reload? [confirm]y

EOS 4.34.0F User Manual - Security

Security

The Security chapter contains the following sections:
  • User Security
  • Control Plane Security
  • Data Plane Security


EOS 4.34.0F User Manual - Control Plane Security

Control Plane Security

This section contains the following topics:
  • Transport Layer Security
  • 802.1X Port Security

     

Transport Layer Security

Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), is a security protocol used to communicate between client and server. It establishes an encrypted communication channel to secure data.

By default, EOS uses a self-signed certificate for client and server connections. However, some browsers or TLS libraries may refuse connections to the default self-signed certificate on EOS. In such cases, Arista recommends installing TLS server certificates that meet the following criteria:
  • RSA key sizes must be greater than or equal to 2048 bits.
  • There must be less than 825 days to expiry.
  • The certificate must use the SHA-2 family of hashing functions.

Note: Although Arista switches use TLS, the terms TLS and SSL are used interchangeably in this document.

 

The following are the two main components used by TLS to authenticate identity before any communication starts.
  • Certificate
  • Key

An SSL certificate is required to establish a secure connection between the client and server. The certificate includes all of the details necessary for authentication. Cryptographic keys are used to provide a secure channel of communication. TLS uses two cryptographic keys: a private key known only to the server and a public key embedded in the certificate. The keys are used to validate the certificate.

This chapter contains the following sections.
  • Overview
  • Configuration
  • Rotating Certificate and Key Pair
  • Resetting Diffie-Hellman Parameters
  • Configuring the TLS Handshake Settings
  • Syslog with TLS Support
  • Displaying Certificate and Key Information
  • TLS Commands

 

Overview

SSL certificates, keys, and profiles are managed and configured through the SSL certificate, key, and profile management framework. SSL is an application-layer protocol that transfers data securely between client and server using a combination of authentication, encryption, and data integrity; it relies on certificates and public/private key pairs to provide this security. A user can configure an SSL profile, which includes a certificate, a key, and the trusted CA certificates used in SSL communication, and can manage multiple certificates, keys, and SSL profiles. An SSL profile can be configured and then attached to any other EOS configuration that supports SSL communication; the documentation of each EOS feature that uses this framework describes how to reference the SSL profile in that feature's configuration.

The only private keys supported are those using the RSA algorithm. Both certificates and keys must be encoded in the Privacy Enhanced Mail (PEM) format.

 

Example

This is a code sample of a PEM encoded certificate.
$ cat server.crt
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

 

Example

This is a code sample of a PEM encoded RSA key.
$ cat server.key
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----

Configuration

  • Configuring Certificates
  • Configuring Keys
  • Configuring a Certificate with an RSA Key in an SSL Profile

     

Configuring Certificates

Copying a Certificate to the Switch

The copy file: certificate: command copies a certificate to the certificate: file system from any source URL supported by the copy command. The source file may contain multiple PEM-encoded certificates but must not contain other entities such as keys.

 

Example

This command copies a server.crt certificate to the certificate: file system.
switch(config)# copy file:/tmp/ssl/server.crt certificate:
Copy completed successfully.
switch(config)#

 

Errors while Copying the Certificates

Examples
  • The PEM-encoded entities in the source file must all be certificates. If the source file contains different types of entities (e.g., a certificate and a key), the copy fails and displays an error message.
    switch(config)# copy file:tmp/ssl/mixed.crt certificate:
    % Error copying file:tmp/ssl/mixed.crt to certificate: (Multiple types of entities in
    certificate file not supported)
    switch(config)#

  • The source file must contain valid PEM-encoded certificates. If the file contains invalid certificates, the copy fails and displays an error message.
    switch(config)# copy file:tmp/ssl/bad.crt certificate:
    % Error copying file:tmp/ssl/bad.crt to certificate: (Invalid certificate)
    switch(config)#

  • Only certificates with RSA public keys are supported. The copy fails if the certificate does not have an RSA public key and displays an error message.
    switch(config)# copy file:tmp/ssl/dsa.crt certificate:
    % Error copying file:tmp/ssl/dsa.crt to certificate: (Certificate does not have RSA key)
    switch(config)#

     

Deleting a Certificate

The delete certificate command deletes a certificate configuration from the certificate: file system on the switch.

 

Example

This command deletes the server.crt certificate from the switch.
switch(config)# delete certificate:server.crt
switch(config)#

Generating Certificates

The following commands help the user to generate a self-signed certificate or Certificate Signing Request (CSR).

 

Examples
  • This command creates either a self-signed certificate or a Certificate Signing Request (CSR). The following example demonstrates using the existing private key test.key for certificate generation. During this process, the system prompts you to provide details like the common name, two-letter country code, etc. A common-name entry is mandatory. While you can view the generated CSR directly on the CLI, a self-signed certificate gets saved to the designated certificate: file system location.
    switch# security pki certificate generate self-signed test.crt key test.key
    Common Name for use in subject: test
    [...]
    certificate:test.crt generated
    switch#

  • This command specifies the digest and the certificate's validity (in days). The validity applies only to self-signed certificates.
    switch# security pki certificate generate signing-request key test.key digest sha256 validity 365
    Common Name for use in subject: test
    [...]
    certificate:test.crt generated
    switch#

  • This command adds the certificate parameters such as common-name, country, email, and others.
    switch# security pki certificate generate signing-request key test.key parameters common-name Test [country US ...]
    certificate:test.crt generated
    switch#

     

Configuring Keys

Copying a Key to the Switch

The copy command copies an RSA key to the sslkey: file system from any source URL supported by the copy command. The source file must contain only one key. Password-protected keys are not supported.

 

Example

This command copies a server.key RSA key to the sslkey: file system.
switch# copy file:/tmp/ssl/server.key sslkey:
Copy completed successfully.
switch#

Errors While Copying the Keys

Examples
  • Only one PEM-encoded key per file is supported. The copy fails and displays an error message if the source file contains multiple PEM-encoded keys.
    switch# copy file:tmp/ssl/multi.key sslkey:
    % Error copying file:tmp/ssl/multi.key to sslkey: (Multiple PEM entities in
    single file not supported)

  • The source file must contain a valid PEM-encoded RSA key. If the file contains an invalid RSA key, the copy fails and displays an error message.
    switch# copy file:tmp/ssl/bad.key sslkey:
    % Error copying file:tmp/ssl/bad.key to sslkey: (Invalid RSA key)

  • Password-protected keys are not supported. If the source file contains a password-protected key, the copy fails and displays an error message.
    switch# copy file:/tmp/ssl/pass.key sslkey:
    % Error copying file:tmp/ssl/pass.key to sslkey: (Password protected keys are not
    supported)

     

Deleting a Key

The delete command deletes the key configuration from the switch.

 

Example

This command deletes the server.key key from the switch.
switch# delete sslkey:server.key

Generating Keys

The following commands generate RSA keys.

Examples
  • This command generates a 2048-bit RSA private key and saves it to sslkey:test.key.
    switch# security pki key generate rsa 2048 test.key

  • These commands generate a new RSA key as part of certificate generation: the first generates a 4096-bit key together with a self-signed certificate, the second a 2048-bit key together with a certificate signing request.
    switch# security pki certificate generate self-signed test.crt key test.key generate rsa 4096
    switch# security pki certificate generate signing-request key test.key generate rsa 2048

     

Configuring a Certificate with an RSA Key in an SSL Profile

An SSL profile is configured with a certificate and its corresponding RSA key. The public key information in the certificate must match the RSA key. This certificate and RSA key pair is used to authenticate to the peer during SSL negotiation. The individual EOS features that use SSL profile configuration decide whether the certificate and key configuration is optional or mandatory.

 

Examples
  • These commands configure the SSL profile server with the certificate server.crt and its matching key server.key.
    switch# config
    switch(config)# management security
    switch(config-mgmt-security)# ssl profile server
    switch(config-mgmt-sec-ssl-profile-server)# certificate server.crt key server.key

  • If the RSA key configured in the SSL profile does not match the configured certificate, the SSL profile state becomes invalid and an error message is displayed.
    switch(config-mgmt-security)# ssl profile server
    switch(config-mgmt-sec-ssl-profile-server)# certificate server.crt key client.key
    switch(config-mgmt-sec-ssl-profile-server)# show management security ssl profile
       Profile       State      Error
    ------------- ------------- ----------------------------------------
       server        invalid    Certificate 'server.crt' does not match
                                with key

     

Configuring SSL Profile with a Certificate Authority (CA)

During SSL negotiation with mutual authentication, the peer (or client) certificate is verified by checking that it is signed by one of the trusted certificates configured in the SSL profile. For peer certificates that do not chain directly to a trusted certificate, the full bundle of certificates leading up to the trusted certificate must be included. The individual EOS features that use SSL profile configuration decide whether the trusted certificate configuration is optional or mandatory.

 

Example

switch# config
switch(config)# management security
switch(config-mgmt-security)# ssl profile server
switch(config-mgmt-sec-ssl-profile-server)# trust certificate ca1.crt
switch(config-mgmt-sec-ssl-profile-server)# trust certificate ca2.crt

 

Configuring Certificate Chains

Certificate chains establish a chain of trust for the SSL Profile server certificate, ensuring its authenticity to a remote party. Several chain certificate commands can be issued to build a certificate chain with many intermediate CAs, regardless of the order. Use the chain certificate command to configure the certificate chain for an SSL profile. The no form of the command deletes the certificate configuration.

 

Examples

Assume that server.crt is issued by an intermediate CA intermediate.crt and intermediate.crt itself is issued by the root CA ca.crt, as shown in the following figure.
Figure 1. Certificate Chain Example


 

  • These commands configure the certificate chain shown schematically in the preceding figure.
    switch(config)# management security
    switch(config-mgmt-security)# ssl profile server
    switch(config-mgmt-sec-ssl-profile-server)# certificate server.crt key server.key
    switch(config-mgmt-sec-ssl-profile-server)# chain certificate intermediate.crt
    switch(config-mgmt-sec-ssl-profile-server)# exit
    switch(config)#

  • Configure the other peer to trust ca.crt so that it can verify the certificate chain during the TLS handshake, as shown below.
    switch# config
    switch(config)# management security
    switch(config-mgmt-security)# ssl profile client
    switch(config-mgmt-sec-ssl-profile-client)# certificate client.crt key client.key
    switch(config-mgmt-sec-ssl-profile-client)# trust certificate ca.crt

  • To check the revocation status of the server certificate chain, the client can add Certificate Revocation Lists (CRLs) to its SSL profile configuration. One CRL must be specified for every CA in the chain, even if it does not revoke any certificate.
    switch# config
    switch(config)# management security
    switch(config-mgmt-security)# ssl profile client
    switch(config-mgmt-sec-ssl-profile-client)# crl intermediate.crl
    switch(config-mgmt-sec-ssl-profile-client)# crl ca.crl

    Note: Both the chain certificate and crl commands look in the certificate: file system for the named PEM file.

     

Several chain certificate commands can be used to build a certificate chain with multiple intermediate CAs, regardless of the order. The following diagram shows an example certificate chain.
Figure 2. Certificate Chain Example 2


 

Configure this SSL profile in the following way. Note that the order of intermediate CAs does not matter.
switch(config)# management security
switch(config-mgmt-security)# ssl profile server2
switch(config-mgmt-sec-ssl-profile-server2)# certificate server2.crt key server2.key 
switch(config-mgmt-sec-ssl-profile-server2)# chain certificate intermediate2.crt
switch(config-mgmt-sec-ssl-profile-server2)# chain certificate intermediate.crt 
switch(config-mgmt-sec-ssl-profile-server2)# exit
switch(config-mgmt-security)# exit
switch(config)#

You can divide a certificate chain into two segments, each configured on a separate peer. As long as this division occurs somewhere between the client and the server, they can collaborate to assemble a complete chain. The provided example illustrates precisely this scenario, demonstrating how to configure server and client SSL profiles with a split certificate chain.

 

Server side:
switch(config)# management security
switch(config-mgmt-security)# ssl profile server2
switch(config-mgmt-sec-ssl-profile-server2)# certificate server2.crt key server2.key 
switch(config-mgmt-sec-ssl-profile-server2)# chain certificate intermediate2.crt
switch(config-mgmt-sec-ssl-profile-server2)# exit
switch(config-mgmt-security)# exit
switch(config)#

 

Client side:
switch(config)# management security
switch(config-mgmt-security)# ssl profile client
switch(config-mgmt-sec-ssl-profile-client)# certificate client.crt key client.key 
switch(config-mgmt-sec-ssl-profile-client)# trust certificate ca.crt 
switch(config-mgmt-sec-ssl-profile-client)# trust certificate intermediate.crt 
switch(config-mgmt-sec-ssl-profile-client)# exit
switch(config-mgmt-security)# exit
switch(config)#

 

Incorrect Configuration Example

The following configuration will not work, as it results in invalid SSL profiles.

Server:
switch(config)# management security
switch(config-mgmt-security)# ssl profile server3
switch(config-mgmt-sec-ssl-profile-server3)# certificate server2.crt key server2.key
switch(config-mgmt-sec-ssl-profile-server3)# chain certificate intermediate.crt
switch(config-mgmt-sec-ssl-profile-server3)# show management security ssl profile
   Profile                      State      Additional Info
---------------------------- ------------- ----------------------------------------
   server3                      invalid    Profile has invalid certificate chain
switch(config-mgmt-sec-ssl-profile-server3)# exit
switch(config-mgmt-security)# exit
switch(config)#

 

Client:
switch(config)# management security
switch(config-mgmt-security)# ssl profile client3
switch(config-mgmt-sec-ssl-profile-client3)# certificate client3.crt key client3.key 
switch(config-mgmt-sec-ssl-profile-client3)# trust certificate intermediate.crt 
switch(config-mgmt-sec-ssl-profile-client3)# show management security ssl profile
   Profile                      State      Additional Info                         
---------------------------- ------------- ----------------------------------------
   client3                      invalid    Profile has invalid trusted certificate 
                                           chain
switch(config-mgmt-sec-ssl-profile-client3)# exit
switch(config-mgmt-security)# exit
switch(config)#
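
The following Go program is an added example (not Arista's code and not from this manual) that models the chain configurations in this section using certificates it generates itself: a root ca, intermediate, intermediate2 and the server2 leaf of Figure 2. verifyChain takes the server's chain certificate list and the client's trust certificate list and reports whether the two sides together complete a path to a self-signed root, which succeeds for the split-chain configuration and fails for the incorrect configuration (no root on the client, or intermediate2 missing from the server). checkServerCert applies the three criteria listed at the start of the Transport Layer Security section. The certificate names and validity periods are assumptions, and how EOS assembles the chain internally is not described on the page; the model only reproduces the outcomes the page shows.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns an RSA-2048 certificate for cn, SHA-256 signed by parent
// (self-signed when parent is nil). Demonstration helper only; on EOS the key
// and certificate come from "security pki ..." commands or an external CA.
func issue(cn string, isCA bool, days int, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	usage := x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	if isCA {
		usage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(now.UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(time.Duration(days) * 24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              usage,
		SignatureAlgorithm:    x509.SHA256WithRSA,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// checkServerCert applies the page's criteria for an EOS server certificate: an
// RSA key of at least 2048 bits, fewer than 825 days to expiry, and a SHA-2 signature.
func checkServerCert(c *x509.Certificate, now time.Time) error {
	pub, ok := c.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("certificate does not have RSA key")
	}
	if pub.N.BitLen() < 2048 {
		return fmt.Errorf("RSA key is only %d bits", pub.N.BitLen())
	}
	if left := c.NotAfter.Sub(now); left <= 0 || left >= 825*24*time.Hour {
		return fmt.Errorf("%.0f days to expiry; must be more than 0 and fewer than 825", left.Hours()/24)
	}
	switch c.SignatureAlgorithm {
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA,
		x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS:
		return nil
	}
	return fmt.Errorf("signature algorithm %v is not SHA-2 based", c.SignatureAlgorithm)
}

// verifyChain models the split-chain rule from this section: the client's "trust
// certificate" entries supply the anchors (self-signed roots) plus any intermediates it
// holds, the server's "chain certificate" entries supply the rest, and verification
// succeeds only if both sides together complete the path from the leaf to a root.
func verifyChain(leaf *x509.Certificate, serverChain, clientTrust []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range clientTrust {
		if c.CheckSignatureFrom(c) == nil { // self-signed, so a real trust anchor
			roots.AddCert(c)
		} else {
			inters.AddCert(c)
		}
	}
	for _, c := range serverChain {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

// buildFigure2Chain creates server2 <- intermediate2 <- intermediate <- ca (validity
// periods assumed) and returns ca, intermediate, intermediate2, server2 in that order.
func buildFigure2Chain() (*x509.Certificate, *x509.Certificate, *x509.Certificate, *x509.Certificate) {
	ca, caKey := issue("ca", true, 3650, nil, nil)
	inter, interKey := issue("intermediate", true, 1825, ca, caKey)
	inter2, inter2Key := issue("intermediate2", true, 1095, inter, interKey)
	server2, _ := issue("server2", false, 365, inter2, inter2Key)
	return ca, inter, inter2, server2
}

func main() {
	ca, inter, inter2, server2 := buildFigure2Chain()
	fmt.Println("server2 criteria:", checkServerCert(server2, time.Now()))
	fmt.Println("split chain (server: intermediate2; client trusts ca, intermediate):", verifyChain(server2, []*x509.Certificate{inter2}, []*x509.Certificate{ca, inter}))
	fmt.Println("incorrect (server: intermediate; client trusts intermediate only):", verifyChain(server2, []*x509.Certificate{inter}, []*x509.Certificate{inter}))
}
```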

Local Certificate Checks

EOS performs various checks on the certificates in an SSL profile before allowing the profile to be used; these checks can be modified, extended, or relaxed locally. The following examples configure some of the checks EOS performs before communicating with the peer:

 

Examples
  • Check whether the certificate has an extended key usage attribute:
    switch(config-mgmt-sec-ssl-profile-client)# certificate requirement extended-key-usage

     

  • Check whether all the trusted certificates or certificates in the chain have CA basic constraints set to true.
    switch(config-mgmt-sec-ssl-profile-client)# trust certificate requirement basic-constraints ca true
    switch(config-mgmt-sec-ssl-profile-client)# chain certificate requirement basic-constraints ca true

     

  • Do not mark an expired certificate as invalid. This disables the expiry check and weakens validation for the profile; use it only as a stopgap while a replacement certificate is being issued, and remove it afterwards.
    switch(config-mgmt-sec-ssl-profile-client)# certificate policy expiry-date ignore

     

Displaying SSL profile status and SSL profile errors

The show management security ssl profile command displays the SSL profile status information. To view a specific SSL profile status, use the name of the SSL profile. Otherwise, all SSL profile statuses are displayed.

 

Example

This command displays the status of the SSL profile named server.
switch# show management security ssl profile server
 Profile      State
------------- -----------
 server       valid

 

If the SSL profile contains errors, an invalid state is displayed, and the errors are listed in the third column. After fixing the error, the SSL profile becomes valid.

 

Examples
  • When the certificate server.crt does not match the key configured with it, EOS displays the following error message.
    switch# show management security ssl profile server
     Profile        State       Error
    ------------- ------------- ----------------------------------------
     server         invalid     Certificate 'server.crt' does not match
                                with key

     

  • EOS displays the following error message when a trusted certificate ca2.crt does not exist.
    switch# show management security ssl profile server
     Profile        State       Error
    ------------- ------------- -------------------------------------
     server         invalid     Certificate 'ca2.crt' does not exist

     

  • EOS displays the following error message when a trusted certificate foo.crt is not a self-signed root certificate.
    switch# show management security ssl profile server
     Profile        State       Error
    ------------- ------------- ----------------------------------------
     server         invalid     Certificate 'foo.crt' is trusted and not
                                a root certificate

     

  • When the certificate server.crt is expired, EOS displays the following error message.
    switch# show management security ssl profile server
     Profile        State       Error
    ------------- ------------- -------------------------------------
     server         invalid     Certificate 'server.crt' has expired

     

  • EOS displays the following error message when the certificate chain is missing an intermediate certificate.
    switch# show management security ssl profile server
        Profile        State     Error
    -------------- ------------- ---------------------------------------------
        server        invalid    Profile has invalid certificate chain
                                 Certificate 'intermediate.crt' does not exist
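
The error table above is what an operator or a monitoring job has to read, and the long error strings wrap onto a second line. The following script is an added example for this page, not Arista code: it parses the text output of show management security ssl profile into per-profile error lists and returns the profiles that are not valid. The sample output is constructed from the examples above. One assumption about the layout is built in: a wrapped continuation line is indented to the error column and begins with a lowercase word, whereas a further error for the same profile (the missing-intermediate example) begins with an uppercase word.

```python
"""Parse 'show management security ssl profile' output and flag invalid profiles.

Added example for this page, not Arista code; the output layout is taken from the
examples above. Assumption: EOS wraps a long error onto a following line indented to
the error column, and that continuation starts with a lowercase word, whereas a
further error for the same profile starts with an uppercase word.
"""
import re
from dataclasses import dataclass, field

# Constructed sample output, assembled from the error examples on this page.
SAMPLE_OUTPUT = """\
 Profile        State       Error
------------- ------------- ----------------------------------------
 server         invalid     Certificate 'server.crt' does not match
                            with key
 client3        invalid     Profile has invalid trusted certificate
                            chain
 server3        invalid     Profile has invalid certificate chain
                            Certificate 'intermediate.crt' does not exist
 api            valid
"""

ROW_RE = re.compile(r"^\s*(?P<name>\S+)\s+(?P<state>valid|invalid)\b\s*(?P<rest>.*)$")


@dataclass
class ProfileStatus:
    name: str
    state: str
    errors: list = field(default_factory=list)


def parse_ssl_profiles(text):
    """Return {profile_name: ProfileStatus} from the show command's text output."""
    profiles, current = {}, None
    for line in text.splitlines():
        if not line.strip() or set(line.strip()) <= {"-", " "}:
            continue                                   # blank line or column separator
        m = ROW_RE.match(line)
        if m:                                          # a new profile row
            current = ProfileStatus(m["name"], m["state"])
            profiles[current.name] = current
            if m["rest"].strip():
                current.errors.append(m["rest"].strip())
            continue
        if current is None:
            continue                                   # header line
        fragment = line.strip()
        if current.errors and fragment[:1].islower():  # wrapped remainder of the previous error
            current.errors[-1] += " " + fragment
        else:                                          # an additional error for the same profile
            current.errors.append(fragment)
    return profiles


def invalid_profiles(text):
    """Return {name: [errors]} for every profile whose state is not 'valid'."""
    return {p.name: p.errors for p in parse_ssl_profiles(text).values() if p.state != "valid"}


if __name__ == "__main__":
    for name, errors in invalid_profiles(SAMPLE_OUTPUT).items():
        print(f"{name}: {'; '.join(errors)}")
```

Feed it the output of the show command (over eAPI or SSH) and alert on a non-empty result; a profile that flips to invalid after a certificate copy or rotation is the first sign that a feature bound to that profile is about to lose its TLS session.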

     

Rotating Certificate and Key Pair

An SSL profile references a certificate and key pair. The rotation commands replace both in a single commit, so the profile never references a certificate that does not match its key. For example, to rotate cert.pem and key.pem in the SSL profile profile01, use the following commands.
switch01# show running-config section ssl
management security
   ssl profile profile01
      certificate cert.pem key key.pem

 

Use the security pki certificate generate signing-request rotation ssl profile command to generate a new private key and a certificate signing request for SSL profile profile01. The new key is generated and held on the switch; only the CSR is output for signing. The command also returns a unique rotation ID that identifies this pending rotation when the signed certificate is imported.
switch01# security pki certificate generate signing-request rotation ssl profile profile01 key generate rsa 2048 parameters common-name switch01
Rotation ID: 2ad7771e8cbc11ebbba37483ef8d9c4b
Certificate Signing Request:
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

 

The following example illustrates the command's complete syntax. The import-timeout argument specifies how long the rotation ID remains valid. If no certificate is imported within this period, the rotation ID expires and the system deletes it.
switch# security pki certificate generate signing-request rotation ssl profile <profile-name>
   key generate rsa <2048|3072|4096>
   [ import-timeout <minutes> ]          (default: 60 minutes)
   [ digest <sha256|sha384|sha512> ]     (default: sha256)
   parameters common-name <common-name>
   [ country <country-code> ]
   [ state <state-name> ]
   [ locality <locality-name> ]
   [ organization <org-name> ]
   [ organization-unit <org-unit-name> ]
   [ email <email> ]
   [ subject-alternative-name [ ip <ip1 ip2 …> ] [ dns <name1 name2 …> ] ]

 

Use the show security pki certificate rotation command to view the status of rotation IDs.

Example
switch# show security pki certificate rotation
Rotation ID                       Profile Name State           Expiry
--------------------------------- ------------ --------------- -------------------
2ad7771e8cbc11ebbba37483ef8d9c4b  profile01    Import Pending  2021-03-24 10:15:37

 

Copy the Certificate Signing Request (CSR) and submit it to a trusted Certificate Authority (CA) for signing. Import the signed certificate with the security pki certificate rotation import <rotation-id> command, using the rotation ID returned when the signing request was generated. The import must complete before the import-timeout expires.

switch# security pki certificate rotation import 2ad7771e8cbc11ebbba37483ef8d9c4b
Enter TEXT certificate. Type 'EOF' on its own line to end.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
EOF
Success

 

Commit the rotation using the security pki certificate rotation commit <rotation-id> command. This replaces cert.pem and key.pem of SSL profile profile01 with the new certificate and key.
switch# security pki certificate rotation commit 2ad7771e8cbc11ebbba37483ef8d9c4b
Success

 

 

Note: For keys generated outside of EOS, use the following command in place of the workflow above. It rotates the certificate and key pair in one step by reading both the private key and the certificate from the terminal. Because the private key is pasted into the CLI session, use it only over an encrypted session and keep the key out of terminal logs and session recordings.
switch# security pki certificate rotation commit ssl profile profile01
Enter TEXT private key. Type 'EOF' on its own line to end.
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCti4aj50Nzs9T4
NTwebaDcgjQetCHQg1FV2XMJsgoEuon8AWIJsP5gqt4jhZ3BIpWgjSJGhSoln2+7
ON40HfbZgG550MN8VDvIw8HrrPsgrpjDYyy0AKW0zmQxOMw6J5m1oepLMIfKiG2r
Ys/cEe5eStWz225kMepztvC63CwrhUmVq8OEdp6a0MXaKOXgKLTLBg0HYdr5+5OM
g9AkBlQqrlcyiPolYFu8iH4mfXMFnRUwJU5pK6kLKvnnWZr57jXDmmZttkeUm2j8
vaLL/NqGZPIjF/qA2HXWNsDEMy3ewclpQIeG8wicTTDyM/Ia8VPOLqdCOLK14sQ1
V3S9XdibAgMBAAECggEAEdDMLSD4HTVzDFoBW8mlpQ10G/TNBd1Sk7gY0FV9JCLM
OIPMfzHdeKoB15lcv691DIArP8cQM8A21ab5tKr2JOTuMnDaffXIagyikzb0/tQT
1qhaFeHaHCTFP4yBQKBgQDczahFFYJRP0joT4HuiywlkhbyOHV7b9xuPPhqwQxFY
qHvEE0qBnmjBzXujbpdb+V18QFGyl0uH4mHr+ltizcyAbEx5YL/y5Vu08bITZr0m
UxS0ZkDXg6n6GKJVIPUH05xSZb/eqtSFIq/DsBQYSwu6WzOj4dNpEQAeD8jMmGAl
wKBgQDJNWTNyC2JgDYmF039gwNEOY+UuJQ3v/JoEi2IHG4ISxVlZc9lZgLuWHDyS
6zNOIeSAYIzDVSsRAGH9sWaK4E4Yno4KHptRC5FMEbtnrojTO2ANC9JcWo2EgP31
r1OJolFpKUiPhOEAzdEYd/sdp9tWEusszTrn8fbPHvSHUFknQKBgDe8VhByOH4Hy
oCRqUusp80oDlDAPa+V8f+FtnNEHbPaDORKqh/EmKm1ZUC9V+DEIRjfaCIVbOX6o
f21Quga7yjZUoA03hdxrVvXa2Mea9H4bFKvg79c27g4qb7erZQ6/tML72i370z90
HQf5h2kGcIRvBx8EHxhzaSMtetNiV0rAoGAP3QzQiJrGf3xFborwlNa6F0uxrwfI
iXKkL+K1G4C1WK4cK3W5idxrTD/DaqH6IB3YLhRE0CU/27C/Nn6H1CxA9MqsCMz2
NmzreY3uCBim1dbXx8V+pdl439y+Ooj8U195RSzb0UcanmJKGulbrFKPfWmh+RMQ
DK3mJBOjEjlopECgYAr6F+60TZ7ZAvA0vZ9PlrntzvY7GhopJgJfAvfi5nBXPS+f
kdKtWzOmhW1jon1ka0fEeRQnQjB7DSYB4zldufPKiD+EXgJtQbhSqfdtgL7QlhVr
pO/s5tUrPE/KRu/yLGtEWruQlDCawpMPA63eP4XER/MHVXBkqbWy85vx46SisOBA
nuEum0yMngru5fARoBKO1aV7G94FI7Eu5rDqeVYsE5jrdnWJTZTgpHf9RYUOlz8R
wwbD/xUs+cKbM1qhaFeHaHCTFP4yBQKBgQDczahFFYJRP0joT4HuiywlkhbyOHV7
b9xuPPhqwQxFYqHvEE0qBnmjBzXujbpdb+V18QFGyl0uH4mHr+ltizcyAbEx5YL/
y5Vu08bITZr0mUxS0ZkDXg6n6GKJVIPUH05xSZb/eqtSFIq/DsBQYSwu6WzOj4dN
pEQAeD8jMmGAlwKBgQDJNWTNyC2JgDYmF039gwNEOY+UuJQ3v/JoEi2IHG4ISxVl
Zc9lZgLuWHDyS6zNOIeSAYIzDVSsRAGH9sWaK4E4Yno4KHptRC5FMEbtnrojTO2A
NC9JcWo2EgP31r1OJolFpKUiPhOEAzdEYd/sdp9tWEusszTrn8fbPHvSHUFknQKB
gDe8VhByOH4HyoCRqUusp80oDlDAPa+V8f+FtnNEHbPaDORKqh/EmKm1ZUC9V+DE
IRjfaCIVbOX6of21Quga7yjZUoA03hdxrVvXa2Mea9H4bFKvg79c27g4qb7erZQ6
/tML72i370z90HQf5h2kGcIRvBx8EHxhzaSMtetNiV0rAoGAP3QzQiJrGf3xFbor
wlNa6F0uxrwfIiXKkL+K1G4C1WK4cK3W5idxrTD/DaqH6IB3YLhRE0CU/27C/Nn6
H1CxA9MqsCMz2NmzreY3uCBim1dbXx8V+pdl439y+Ooj8U195RSzb0UcanmJKGul
brFKPfWmh+RMQDK3mJBOjEjlopECgYAr6F+60TZ7ZAvA0vZ9PlrntzvY7GhopJgJ
fGr1GYQPJi38DJ5NR/w64js21t5X2yJ4xcCB3H7R0QWJ9EE+fc+7nBYFJlaDzSRB
bES24yGh4n4Vc6luYW9A+YJR3EaElE6RMWyzIY8J8kV2xuTaK9xepdM9x1J1kIm2
rA1mcO4Xqw==
-----END PRIVATE KEY-----
EOF
Enter TEXT certificate. Type 'EOF' on its own line to end.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
EOF
Success

 

After rotating the certificate and key pair, use the show management security ssl certificate cert.pem and show management security ssl key key.pem commands to display the new contents, and show management security ssl profile profile01 to confirm that the profile is still valid with the new pair.
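
The four-step rotation above (generate on the switch, sign outside it, import, commit) is the kind of procedure that gets scripted once certificates are short-lived. The following script is an added example for this page, not Arista code. It issues the same CLI commands shown in this section and parses their text output; the run callable is an assumption (any wrapper that sends a list of CLI lines and returns the output, for example over eAPI or SSH), as is sign_csr, which stands in for the operator's CA submission process. The FakeSwitch and fake_ca below are constructed stand-ins that replay the outputs shown on this page so the workflow can run offline.

```python
"""Automate the certificate rotation workflow for an SSL profile.

Added example for this page, not Arista code. `run` is an assumption: a callable that
takes a list of CLI lines and returns the text output (an eAPI or SSH wrapper in
practice; the constructed FakeSwitch below in the demo). `sign_csr` stands in for the
operator's CA submission process and is also an assumption.
"""
import re

ROTATION_ID_RE = re.compile(r"^Rotation ID:\s*([0-9a-f]{32})\s*$", re.MULTILINE)
CSR_RE = re.compile(r"-----BEGIN CERTIFICATE REQUEST-----.*?-----END CERTIFICATE REQUEST-----", re.DOTALL)
ROTATION_ROW_RE = re.compile(
    r"^(?P<rid>[0-9a-f]{32})\s+(?P<profile>\S+)\s+(?P<state>.+?)\s+"
    r"(?P<expiry>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*$", re.MULTILINE)


class RotationError(RuntimeError):
    """Raised when a rotation step does not report Success or the ID is no longer pending."""


def generate_rotation_csr(run, profile, common_name, bits=2048, digest="sha256", import_timeout=60):
    """Step 1: generate a new key on the switch; return (rotation_id, csr_pem). The key stays on the switch."""
    cmd = (f"security pki certificate generate signing-request rotation ssl profile {profile} "
           f"key generate rsa {bits} import-timeout {import_timeout} digest {digest} "
           f"parameters common-name {common_name}")
    out = run([cmd])
    m_id, m_csr = ROTATION_ID_RE.search(out), CSR_RE.search(out)
    if not (m_id and m_csr):
        raise RotationError(f"unexpected output from CSR generation: {out!r}")
    return m_id.group(1), m_csr.group(0)


def rotation_state(run, rotation_id):
    """State column of 'show security pki certificate rotation' for this ID; None if absent (expired or committed)."""
    for m in ROTATION_ROW_RE.finditer(run(["show security pki certificate rotation"])):
        if m["rid"] == rotation_id:
            return m["state"].strip()
    return None


def import_and_commit(run, rotation_id, signed_cert_pem):
    """Steps 3 and 4: paste the CA-signed certificate, then commit so the profile switches to the new pair."""
    if rotation_state(run, rotation_id) != "Import Pending":
        raise RotationError("rotation ID is not pending; it may have passed import-timeout and been deleted")
    lines = [f"security pki certificate rotation import {rotation_id}"]
    lines += signed_cert_pem.strip().splitlines() + ["EOF"]   # the CLI reads TEXT until a line 'EOF'
    if "Success" not in run(lines):
        raise RotationError("certificate import failed")
    if "Success" not in run([f"security pki certificate rotation commit {rotation_id}"]):
        raise RotationError("rotation commit failed")
    return True


def rotate_profile(run, sign_csr, profile, common_name):
    """Full workflow: generate on-switch -> sign off-switch -> import -> commit. Returns the rotation ID."""
    rotation_id, csr = generate_rotation_csr(run, profile, common_name)
    signed = sign_csr(csr)            # only the CSR leaves the switch
    import_and_commit(run, rotation_id, signed)
    return rotation_id


class FakeSwitch:
    """Constructed stand-in for a CLI session that replays the outputs shown on this page."""
    RID = "2ad7771e8cbc11ebbba37483ef8d9c4b"

    def __init__(self):
        self.pending, self.imported = set(), set()

    def __call__(self, lines):
        first = lines[0]
        if first.startswith("security pki certificate generate signing-request rotation"):
            self.pending.add(self.RID)
            return (f"Rotation ID: {self.RID}\nCertificate Signing Request:\n"
                    "-----BEGIN CERTIFICATE REQUEST-----\nMIIC(constructed)\n-----END CERTIFICATE REQUEST-----\n")
        if first == "show security pki certificate rotation":
            rows = [f"{r}  profile01    Import Pending  2021-03-24 10:15:37" for r in self.pending]
            return "Rotation ID                       Profile Name State           Expiry\n" + "\n".join(rows) + "\n"
        if first.startswith("security pki certificate rotation import "):
            rid = first.split()[-1]
            if rid in self.pending and lines[-1] == "EOF" and "-----BEGIN CERTIFICATE-----" in lines:
                self.imported.add(rid)
                return "Success\n"
            return "% Error\n"
        if first.startswith("security pki certificate rotation commit "):
            rid = first.split()[-1]
            if rid in self.imported:
                self.pending.discard(rid)
                return "Success\n"
            return "% Error\n"
        raise AssertionError(f"unexpected command {first!r}")


def fake_ca(csr_pem):
    """Constructed CA stand-in: returns a placeholder PEM certificate for any CSR."""
    assert csr_pem.startswith("-----BEGIN CERTIFICATE REQUEST-----")
    return "-----BEGIN CERTIFICATE-----\nMIIC(constructed)\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    switch = FakeSwitch()
    print("rotated profile01 with rotation ID", rotate_profile(switch, fake_ca, "profile01", "switch01"))
```

The check in import_and_commit matters in practice: if the CA takes longer than import-timeout (60 minutes by default) to return the certificate, the rotation ID is gone and the generated key with it, so the script must start over rather than paste a certificate that no longer has a matching pending key.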

Resetting Diffie-Hellman Parameters

The Diffie-Hellman parameters file holds the group (prime and generator) that DHE cipher suites use to agree on session keys during TLS negotiation. When the system boots, it auto-generates a Diffie-Hellman parameters file if one does not exist. Use the reset command to regenerate the auto-generated file. Not every feature that uses SSL profile configuration also uses the Diffie-Hellman parameters file; each feature decides for itself. The switch uses 2048-bit Diffie-Hellman parameters and provides no option to select a different size; the size actually in use is reported by show management security ssl diffie-hellman.

 


 

 

Example

This command resets the Diffie-Hellman parameters file.
switch# reset ssl diffie-hellman parameters

 

Displaying the Diffie-Hellman parameters

The show management security ssl diffie-hellman command displays the Diffie-Hellman parameters.

 

Example

This command displays the Diffie-Hellman parameters. Check the size reported on the second line against the 2048 bits described above; the sample output below, captured on an older release, reports 1024 bits.
switch# show management security ssl diffie-hellman
Last successful reset on Apr 10 16:18:08 2015
Diffie-Hellman Parameters 1024 bits
 Generator: 2
 Prime:     dc47b5edc0d2b41451432f79f45efab452bba7b1ab118c194d671d6752ed1c550
            664ed8f052ad0fdad623c1d54ae5aee5e728d2bd7a6221636b787a4c08d1fef8c
            6dcd10759d38f8b70b47d1c7972d69b0b295a2ee6ab44cfc7352cb133e85197c8
            9f1fc27aac7e8e02afb4fb01ca1cb05558a7bef505b73a8d06cdfe403576b

 

Configuring the TLS Handshake Settings

During a TLS handshake, the peers negotiate the highest TLS version that both support. The versions an SSL profile permits are configured with the tls versions command. By default, TLSv1, TLSv1.1, and TLSv1.2 are enabled. TLS 1.0 and TLS 1.1 are deprecated (RFC 8996); restrict profiles to TLSv1.2 unless a peer genuinely cannot negotiate it.

 

Examples
  • This command restricts the profile to TLSv1.2. If the peer does not support this version, the TLS handshake fails.
    switch# config
    switch(config)# management security
    switch(config-mgmt-security)# ssl profile client
    switch(config-mgmt-sec-ssl-profile-client)# tls versions 1.2

     

  • Either of these commands adds TLSv1.1 to a profile already configured for TLSv1.2; the second form sets the complete list explicitly.
    switch(config-mgmt-sec-ssl-profile-client)# tls versions add 1.1
    switch(config-mgmt-sec-ssl-profile-client)# tls versions 1.1 1.2

     

The TLS handshake establishes a secure channel by negotiating the TLS version and the cipher suite. The client offers the server the list of cipher suites it supports, and the server selects one that both sides support. This selection determines the key exchange, authentication, encryption, and integrity algorithms used for the session.

The default cipher-list setting is the OpenSSL cipher string HIGH:!eNULL:!aNULL:!MD5. HIGH selects the suites OpenSSL classifies as high strength (key lengths above 128 bits, plus some 128-bit AES suites), !eNULL removes suites with no encryption, !aNULL removes suites with no peer authentication (anonymous Diffie-Hellman), and !MD5 removes suites that use MD5 for integrity. Note that HIGH still includes suites without forward secrecy (static RSA key exchange) and CBC-mode suites with SHA-1 MACs.

To view the complete list of cipher suites that this setting expands to, run the following command in a shell on the switch or on any host with OpenSSL: openssl ciphers -v 'HIGH:!eNULL:!aNULL:!MD5'.

 

Example

Each of these commands sets the profile's cipher list to the given OpenSSL cipher string; the last form pins the profile to a single suite.
switch(config-mgmt-sec-ssl-profile-client)# cipher-list AESGCM
switch(config-mgmt-sec-ssl-profile-client)# cipher-list SHA256:SHA384
switch(config-mgmt-sec-ssl-profile-client)# cipher-list ECDHE-ECDSA-AES256-GCM-SHA384
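
Before pasting a cipher string into cipher-list it is worth auditing what it expands to, and, because DHE suites are only as strong as the group in the Diffie-Hellman parameters file shown earlier, reading the group size out of show management security ssl diffie-hellman at the same time. The following script is an added example for this page, not Arista code. It parses lines in the format of openssl ciphers -v (name, protocol, Kx=, Au=, Enc=, Mac=) and the DH show output, and reports why each suite would or would not be acceptable. The cipher lines and the show output below are constructed samples; run openssl ciphers -v 'HIGH:!eNULL:!aNULL:!MD5' on a host with OpenSSL to audit the real expansion of the default string.

```python
"""Audit an OpenSSL cipher string the way a reviewer of an EOS SSL profile would.

Added example for this page, not Arista code. Parses `openssl ciphers -v` style lines
and the group size from `show management security ssl diffie-hellman`. The sample
inputs below are constructed.
"""
import re

# Constructed excerpt in `openssl ciphers -v` format (not the full HIGH:!eNULL:!aNULL:!MD5 expansion).
SAMPLE_CIPHERS_V = """\
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384     TLSv1.2 Kx=DH       Au=RSA   Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384       TLSv1.2 Kx=ECDH     Au=RSA   Enc=AES(256)    Mac=SHA384
AES256-GCM-SHA384             TLSv1.2 Kx=RSA      Au=RSA   Enc=AESGCM(256) Mac=AEAD
AES128-SHA                    SSLv3   Kx=RSA      Au=RSA   Enc=AES(128)    Mac=SHA1
"""

# Constructed copy of the show output on this page (a 1024-bit group).
SAMPLE_DH_OUTPUT = """\
Last successful reset on Apr 10 16:18:08 2015
Diffie-Hellman Parameters 1024 bits
 Generator: 2
"""

CIPHER_LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)")
DH_BITS_RE = re.compile(r"Diffie-Hellman Parameters (\d+) bits")


def parse_dh_bits(show_output):
    """Group size from 'show management security ssl diffie-hellman'; None if not found."""
    m = DH_BITS_RE.search(show_output)
    return int(m.group(1)) if m else None


def audit_cipher(line, dh_bits):
    """Return the findings for one `openssl ciphers -v` line; an empty list means acceptable."""
    m = CIPHER_LINE_RE.match(line)
    if not m:
        return ["unparseable line"]
    findings = []
    if m["kx"] == "RSA":                       # static RSA key exchange: no forward secrecy
        findings.append("no forward secrecy (static RSA key exchange)")
    if m["kx"] == "DH" and (dh_bits is None or dh_bits < 2048):
        findings.append(f"DHE suite relies on {dh_bits or 'unknown'}-bit DH parameters (want >= 2048)")
    if m["mac"] != "AEAD":                     # CBC suites carry a separate MAC
        findings.append(f"non-AEAD suite (CBC mode, Mac={m['mac']})")
    if m["mac"] == "SHA1":
        findings.append("SHA-1 MAC")
    if m["proto"] not in ("TLSv1.2", "TLSv1.3"):   # minimum protocol column in -v output
        findings.append(f"usable by protocol versions below TLS 1.2 ({m['proto']})")
    return findings


def audit_cipher_list(ciphers_v_output, dh_show_output):
    """Map suite name -> findings for every line of `openssl ciphers -v` output."""
    dh_bits = parse_dh_bits(dh_show_output)
    return {line.split()[0]: audit_cipher(line, dh_bits)
            for line in ciphers_v_output.splitlines() if line.strip()}


def acceptable_suites(ciphers_v_output, dh_show_output):
    """Suite names with no findings, colon-joined so the result can be pasted into `cipher-list`."""
    report = audit_cipher_list(ciphers_v_output, dh_show_output)
    return ":".join(name for name, findings in report.items() if not findings)


if __name__ == "__main__":
    for name, findings in audit_cipher_list(SAMPLE_CIPHERS_V, SAMPLE_DH_OUTPUT).items():
        print(f"{name:32} {'; '.join(findings) or 'ok'}")
    print("cipher-list", acceptable_suites(SAMPLE_CIPHERS_V, SAMPLE_DH_OUTPUT))
```

On the constructed sample the only suites that pass are the two ECDHE AES-GCM suites; the DHE suite fails solely because the sample DH output reports a 1024-bit group, and passes once the group is 2048 bits. The TLS-version finding is the cipher-side reason to pair a strict cipher-list with tls versions 1.2.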

 

Enabling the Federal Information Processing Standards (FIPS) Mode

Federal Information Processing Standard 140 (FIPS 140) is the U.S. government standard for cryptographic modules. Enabling FIPS restrictions on an SSL profile limits the profile to the FIPS-approved cryptographic functions and protocol versions available in OpenSSL.

 

Example

This command enables FIPS mode for an SSL profile.
switch(config-mgmt-sec-ssl-profile-client)# fips restrictions

 

Syslog with TLS Support

Sending syslog messages to a remote syslog server over TLS requires an SSL profile. The profile supplies the certificate the switch presents and the trusted CA used to verify the server, so that syslog data is transmitted only to an authenticated server over an encrypted connection.

Configuring Syslog with TLS Support

The following command configures a remote syslog server with an SSL profile. It configures a syslog server with the hostname test.example.com, using the SSL profile test-profile, for communication over port 1234. (Port 1234 is only the example's choice; the registered port for syslog over TLS, RFC 5425, is 6514.)
switch(config)# logging host test.example.com 1234 protocol tls ssl-profile test-profile

 

SSL Profile Example (Minimal)

The following commands set up a minimal profile for remote logging over TLS. The trusted certificate must be the CA that issued the syslog server's certificate, so that the server's identity is verified; the client certificate and key are presented to the server if it requires client authentication. Ensure that the remote server is configured to accept TLS connections.
switch(config-mgmt-security)# ssl profile test-profile
switch(config-mgmt-sec-ssl-profile-test-profile)# certificate clientCert key clientKey
switch(config-mgmt-sec-ssl-profile-test-profile)# trust certificate serverCA

 

Displaying Certificate and Key Information

  • Displaying Certificate Information
  • Displaying Key Information

     

Displaying Certificate Information

Displaying the Directory Information

The dir command displays the directory listing of the certificate: file system.

 

Example

This command displays the directory output of certificate: file-system.
switch# dir certificate:
Directory of certificate:/
   -rw- 3319 Apr 10 11:50 server.crt
No space information available
 
Displaying the certificate information

The show management security ssl certificate command displays the certificate information. To display a specific certificate, specify the certificate name. Omitting a name displays all available certificates.

 

Example

This command displays the server.crt certificate information.
switch# show management security ssl certificate server.crt
Certificate server.crt:
 Version:                    1
 Serial Number:              9
 Issuer:
    Common name:             ca
    Email address:           ...
    Organizational unit:     Foo Org
    Organization:            Foo
    Locality:                SC
    State:                   CA
    Country:                 US
 Validity:
    Not before:             Aug 11 21:44:17 2014 GMT
    Not After:              May 14 21:44:17 2069 GMT
 Subject:
    Common name:            server
    Email address:          ...
    Organizational unit:    Foo Org
    Organization:           Foo
    Locality:               SC
    State:                  CA
    Country:                US
 Subject public key info:
    Encryption Algorithm:   RSA
    Size:                   2048 bits
    Public exponent:        65537
    Modulus:                e04e3ff8e1c64dbcb141fe96133f998e90a322c671b9f28307bf873
                            2239f69804a77fbb8f146841eb6253b7bb50bf6c66bbf3097ec695b
                            0d7985cfdd939c9913b4ba4f6cb8655b208ed0254a269ecab574987
                            ea5ee80085f5216d303cf704372b2fa1aae62756c3762441fcc1c04
                            635a831d5ec96d841
 
Displaying Certificate Revocation List (CRL) Information

The show management security ssl crl command displays the installed Certificate Revocation List (CRL) information. To view a specific CRL, use its name. Omitting a name displays all the CRLs.

 

Example

This command displays the intermediate.crl information.
switch# show management security ssl crl intermediate.crl
CRL intermediate.crl:
   CRL Number: 11
   Issuer:
      Common name: intermediate
      Email address: ...
      Organizational unit: Foo Org
      Organization: Foo
      State: CA
      Country: US
   Validity:
      Last Update: Jul 19 19:27:34 2016 GMT
      Next Update: Dec 05 19:27:34 2043 GMT

 

Displaying Key Information

Displaying the Directory Information

The dir command displays the directory listing of the sslkey: file system.

 

Example

This command displays the directory output of sslkey: file-system.
switch# dir sslkey:
Directory of sslkey:/
   -rw- 1675 Apr 10 12:55 server.key
No space information available
 
Displaying the RSA Key Information

The show management security ssl key command displays the RSA key information. To view a specific RSA key, use the name of the key; otherwise, all the keys are displayed. For security reasons, only the public part of the key is displayed.

Example

This command displays the server.key key information.
switch# show management security ssl key server.key
Key server.key:
 Encryption Algorithm: RSA
 Size:                 2048 bits
 Public exponent:      65537
 Modulus:              e04e3ff8e1c64dbcb141fe96133f998e90a322c671b9f28307bf873
                       2239f69804a77fbb8f146841eb6253b7bb50bf6c66bbf3097ec695b
                       0d7985cfdd939c9913b4ba4f6cb8655b208ed0254a269ecab574987
                       b502f8c3f541fa3bae59743cced6e6ca04f6ca6c9268744add79c3a
                       f8178d12dd744ddf5db100b33c46b40e53f0a1c7d49f83488976c5d

 

TLS Commands

Configuration Commands

  • copy file: certificate:
  • copy file: sslkey:
  • delete certificate:
  • delete sslkey:
  • dir certificate:
  • dir sslkey:
  • reset ssl diffie-hellman parameters
  • security pki certificate generate
  • security pki key generate
  • ssl profile

     

Show Commands

  • show management security ssl certificate
  • show management security ssl crl
  • show management security ssl diffie-hellman
  • show management security ssl key
  • show management security ssl profile

     

copy file: certificate:

The copy file: certificate: command copies the certificate to the certificate: file system. The certificate can be copied from any supported source URL of the copy command.

 

Command Mode

Global Configuration

 

Command Syntax

copy file: file_name certificate:

 

Parameter

file_name   path of the source file that contains the certificate.

 

Guidelines

The following requirements apply to copying certificates:
  • A single source file can contain multiple PEM encoded entities, but they must all be certificates. If the file also contains other entity types, such as SSL keys, the copy fails and displays an error message.
    switch(config)# copy file:tmp/ssl/mixed.crt certificate:
    % Error copying file:tmp/ssl/mixed.crt to certificate: (Multiple types of entities in certificate file not supported)
    switch(config)#

     

  • The source file must contain valid PEM encoded certificates. If the file contains invalid certificates, the copy fails and displays an error message.
    switch(config)# copy file:tmp/ssl/bad.crt certificate:
    % Error copying file:tmp/ssl/bad.crt to certificate: (Invalid certificate)
    switch(config)#

     

  • EOS only supports certificates with RSA public keys. If the certificate does not have an RSA public key, the copy fails and displays an error message.
    switch(config)# copy file:tmp/ssl/dsa.crt certificate:
    % Error copying file:tmp/ssl/dsa.crt to certificate: (Certificate does not have RSA key)
    switch(config)#

     

  • This command copies a server.crt certificate to the certificate: file system.
    switch(config)# copy file:/tmp/ssl/server.crt certificate:
    Copy completed successfully.

     

copy file: sslkey:

The copy file: sslkey: command copies the SSL key to the sslkey: file system. The key can be copied from any supported source URL of the copy command.

 

Command Mode

Global Configuration

 

Command Syntax

copy file: file_name sslkey:

 

Parameter

file_name   path of the source file that contains the key.

 

Guidelines

The following requirements apply to copying SSL keys:
  • EOS only supports one PEM encoded key per file. If the source file contains multiple PEM encoded keys, the copy fails and displays an error message.
    switch# copy file:tmp/ssl/multi.key sslkey:
    % Error copying file:tmp/ssl/multi.key to sslkey: (Multiple PEM entities in single file not supported)

     

  • The source file must contain a valid PEM encoded RSA key. If the file contains an invalid RSA key, the copy fails and displays an error message.
    switch# copy file:tmp/ssl/bad.key sslkey:
    % Error copying file:tmp/ssl/bad.key to sslkey: (Invalid RSA key)

     

  • EOS does not support password protected keys, so the key is copied and held on the switch without a passphrase. Copy it over an encrypted transport (for example scp) and remove plaintext copies from the source host afterwards. If the source file contains a password protected key, the copy fails and displays an error message.
    switch# copy file:/tmp/ssl/pass.key sslkey:
    % Error copying file:tmp/ssl/pass.key to sslkey: (Password protected keys are not supported)

Example

This command copies an SSL key in the file server.key to the sslkey: file system.
switch(config)# copy file:/tmp/ssl/server.key sslkey:
Copy completed successfully.
switch(config)#
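
The rejection rules listed under the two copy commands (mixed entity types in a certificate file, more than one key per key file, password-protected keys, non-RSA keys) are easy to check on the workstation before the copy, which avoids round trips to the switch. The following script is an added example for this page, not Arista code. It splits a file into PEM blocks and applies those rules; the RSA test is an assumption about the encoding (it looks for the DER encoding of the rsaEncryption OID 1.2.840.113549.1.1.1, which a PKCS#8 RSA key and the SubjectPublicKeyInfo of an RSA certificate both carry), and the sample PEM bodies are constructed stubs, not real keys or certificates.

```python
"""Pre-flight a PEM file against the restrictions of copy file: certificate: and copy file: sslkey:.

Added example for this page, not Arista code. The RSA test is an assumption: it looks
for the DER-encoded rsaEncryption OID in the decoded body. Sample PEM bodies are
constructed stubs.
"""
import base64
import re

PEM_BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----", re.DOTALL)
RSA_ENCRYPTION_OID_DER = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1


def pem_blocks(text):
    """Yield (label, der_bytes) per PEM block; der_bytes is None for a legacy encrypted key."""
    for m in PEM_BLOCK_RE.finditer(text):
        body = m["body"]
        if "Proc-Type: 4,ENCRYPTED" in body:         # OpenSSL legacy passphrase header
            yield m["label"], None
            continue
        yield m["label"], base64.b64decode("".join(body.split()), validate=True)


def check_certificate_file(text):
    """Return [] if the file can be copied to certificate:, else the reasons it would be rejected."""
    blocks = list(pem_blocks(text))
    problems = []
    if not blocks:
        problems.append("no PEM block found")
    if any(label != "CERTIFICATE" for label, _ in blocks):
        problems.append("multiple types of entities in certificate file not supported")
    for label, der in blocks:
        if label == "CERTIFICATE" and der is not None and RSA_ENCRYPTION_OID_DER not in der:
            problems.append("certificate does not have RSA key")
    return problems


def check_key_file(text):
    """Return [] if the file can be copied to sslkey:, else the reasons it would be rejected."""
    blocks = list(pem_blocks(text))
    problems = []
    if len(blocks) != 1:
        problems.append("exactly one PEM entity per key file is required")
    for label, der in blocks:
        if label == "ENCRYPTED PRIVATE KEY" or der is None:
            problems.append("password protected keys are not supported")
        elif label == "PRIVATE KEY" and RSA_ENCRYPTION_OID_DER not in der:
            problems.append("invalid RSA key (PKCS#8 key is not rsaEncryption)")
        elif label not in ("PRIVATE KEY", "RSA PRIVATE KEY"):
            problems.append(f"not a private key: {label}")
    return problems


def _stub_pem(label, der):
    """Wrap constructed bytes in a PEM envelope (sample data only)."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


# Constructed stubs: just enough DER to carry, or not carry, the rsaEncryption OID.
RSA_STUB_DER = b"\x30\x14\x02\x01\x00\x30\x0d" + RSA_ENCRYPTION_OID_DER + b"\x05\x00\x04\x00"
EC_STUB_DER = b"\x30\x0c\x02\x01\x00\x30\x07\x06\x05\x2b\x81\x04\x00\x22"   # secp384r1 OID, no rsaEncryption
SAMPLE_RSA_CERT = _stub_pem("CERTIFICATE", RSA_STUB_DER)
SAMPLE_EC_CERT = _stub_pem("CERTIFICATE", EC_STUB_DER)
SAMPLE_RSA_KEY = _stub_pem("PRIVATE KEY", RSA_STUB_DER)
SAMPLE_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                        "AAAA\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, text in [("server.crt", SAMPLE_RSA_CERT), ("mixed.crt", SAMPLE_RSA_CERT + SAMPLE_RSA_KEY),
                       ("ec.crt", SAMPLE_EC_CERT)]:
        print(name, check_certificate_file(text) or "ok")
    for name, text in [("server.key", SAMPLE_RSA_KEY), ("multi.key", SAMPLE_RSA_KEY * 2),
                       ("pass.key", SAMPLE_ENCRYPTED_KEY)]:
        print(name, check_key_file(text) or "ok")
```

A chain file holding several RSA certificates passes check_certificate_file, which matches the copy rule that multiple entities are fine as long as they are all certificates; a key file with a passphrase is the one case that cannot be fixed on the switch, so strip the passphrase on the workstation (inside an encrypted session) and copy the result over scp.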

delete certificate:

The delete certificate: command deletes a specified certificate from the certificate: file system on the switch.

 

Command Mode

Global Configuration

 

Command Syntax

delete certificate: certificate_name

 

Parameter

certificate_name name of the certificate to delete.

 

Example

This command deletes the server.crt certificate from the switch.
switch(config)# delete certificate:server.crt

delete sslkey:

The delete sslkey: command deletes an SSL key from the sslkey: file system on a switch.

 

Command Mode

Global Configuration

 

Command Syntax

delete sslkey: key_name

 

Parameter

key_name name of the key.

Example

This command deletes the server.key SSL key on the switch.
switch(config)# delete sslkey:server.key

dir certificate:

The dir certificate: command displays the directory output of the certificate: file system on the switch.

 

Command Mode

Global Configuration

 

Command Syntax

dir certificate:

 

Example

This command shows the directory output of certificate: file system on the switch.
switch(config)# dir certificate:
Directory of certificate:/
   -rw- 3319 Apr 10 11:50 server.crt
No space information available

dir sslkey:

The dir sslkey: command displays the directory output of sslkey: file system on the switch.

 

Command Mode

Global Configuration

 

Command Syntax

dir sslkey:

 

Example

This command shows the directory output of sslkey: file system on the switch.
switch(config)# dir sslkey:
Directory of sslkey:/
   -rw- 1675 Apr 10 12:55 server.key
No space information available

reset ssl diffie-hellman parameters

The reset ssl diffie-hellman parameters command regenerates the Diffie-Hellman parameters file. The switch auto-generates this file at boot if it does not exist; the reset command replaces it with freshly generated parameters without a reboot.

 

Command Mode

Global Configuration

 

Command Syntax

reset ssl diffie-hellman parameters

 

Example

This command resets the Diffie-Hellman parameters file.
switch(config)# reset ssl diffie-hellman parameters
switch(config)#

security pki certificate generate

The security pki certificate generate command generates either a self-signed certificate or a certificate signing request (CSR). A CSR is printed to the CLI so that it can be submitted to a CA for signing; a self-signed certificate is saved to the certificate: file system.

Many other parameters can be entered and applied to the certificate as shown in the following examples.

 

Command Mode

Global Configuration

 

Command Syntax

security pki certificate generate {self-signed certificate_name | signing-request} key key_name [generate rsa {2048 | 3072 | 4096}] [digest {sha256 | sha384 | sha512}] [validity days] [parameters common-name name ...]

For the rotation form of signing-request, see Rotating Certificate and Key Pair.

Parameters
  • self-signed certificate_name - generate a self-signed certificate and save it as certificate_name in the certificate: file system.
  • signing-request - generate a certificate signing request and print it to the CLI. The rotation ssl profile form of this option generates a CSR and a rotation ID for an existing SSL profile.
  • key key_name - the private key in the sslkey: file system to use. With generate rsa {2048 | 3072 | 4096}, a new key of that length is generated first.
  • digest - hash algorithm used to sign the certificate or CSR (sha256, sha384, sha512).
  • validity - validity of the certificate in days. Value ranges from 1 to 30000.
  • parameters - subject and extension fields of the certificate. Options include the following:
    • common-name - Common name to use in the subject.
    • country - Two-letter country code to use in the subject.
    • email - Email address to use in the subject.
    • locality - Locality name to use in the subject.
    • organization - Organization name to use in the subject.
    • organization-unit - Organizational unit name to use in the subject.
    • state - State to use in the subject.
    • subject-alternative-name - Subject alternative name extension (ip and dns entries).

     

Examples
  • This command generates the self-signed certificate test.crt using the existing private key test.key.
    switch(config)# security pki certificate generate self-signed test.crt key test.key

     

  • This command specifies the digest and the validity, in days, of the certificate.
    switch(config)# security pki certificate generate signing-request key test.key digest sha256 validity 365 

     

  • This command adds the certificate parameters such as common-name, country, email, and others.
    switch(config)# security pki certificate generate signing-request key test.key parameters common-name Test [country US ...] 

     

security pki key generate

The security pki key generate command generates an RSA private key and saves it to the sslkey: file system. The key is then referenced by security pki certificate generate, or paired with an imported certificate, in an SSL profile.

The key length is selected with the rsa {2048 | 3072 | 4096} option.

 

Command Mode

Global Configuration

 

Command Syntax

security pki key generate rsa [2048 | 3072 | 4096] key_name

 

Parameters
  • rsa - Use the Rivest-Shamir-Adleman (RSA) algorithm. Options include the following.
    • 2048 - Use 2048-bit keys.
    • 3072 - Use 3072-bit keys.
    • 4096 - Use 4096-bit keys.

       

  • key_name - The name of the key to generate.

     

Examples
  • This command generates a 2048-bit RSA private key, test.key, and saves it to sslkey:test.key.
    switch(config)# security pki key generate rsa 2048 test.key

     

  • These commands generate a new RSA key of the given length as part of certificate generation, using the generate rsa option of security pki certificate generate, instead of reusing an existing key.
    switch(config)# security pki certificate generate self-signed test.crt key test.key generate rsa 4096
    switch(config)# security pki certificate generate signing-request key test.key generate rsa 2048

show management security ssl certificate

The show management security ssl certificate command displays information about the certificate. Provide the name of the certificate to view more information about the certificate. If you do not provide a name, this command displays information about all of the certificates.

 

Command Mode

EXEC

 

Command Syntax

show management security ssl certificate [certificate_name]

 

Parameter

certificate_name - The name of the certificate (optional).

 

Example

This command displays the server.crt certificate information.
switch# show management security ssl certificate server.crt
Certificate server.crt:
 Version:                    1
 Serial Number:              9
 Issuer:
    Common name:             ca
    Email address:           ...
    Organizational unit:     Myorg Org
    Organization:            Myorg
    Locality:                SC
    State:                   CA
    Country:                 US
 Validity:
    Not before:             Aug 11 21:44:17 2014 GMT
    Not After:              May 14 21:44:17 2069 GMT
 Subject:
    Common name:            server
    Email address:          ...
    Organizational unit:    Org Org
    Organization:           ORg
    Locality:               SC
    State:                  CA
    Country:                US
 Subject public key info:
    Encryption Algorithm:   RSA
    Size:                   2048 bits
    Public exponent:        65537
    Modulus:                e04e3ff8e1c64dbcb141fe96133f998e90a322c671b9f28307bf873
                            2239f69804a77fbb8f146841eb6253b7bb50bf6c66bbf3097ec695b
                            0d7985cfdd939c9913b4ba4f6cb8655b208ed0254a269ecab574987
                            9f54c8c7f0b3a57a7ab826870119083222ad5ee76d40f3fae49d36e
                            b502f8c3f541fa3bae59743cced6e6ca04f6ca6c9268744add79c3a
                            c08af6b451455b4a61071f4c0b3ec3553585312783e9381f65bb0e2
                            ea5ee80085f5216d303cf704372b2fa1aae62756c3762441fcc1c04
                            97ee6190586ed28c0e376f48e53f05a40c7e1f3a65e3c6165bae5df
                            f8178d12dd744ddf5db100b33c46b40e53f0a1c7d49f83488976c5d
                            635a831d5ec96d841

show management security ssl crl

The show management security ssl crl command displays basic information about the installed Certificate Revocation Lists (CRLs). To view a specific CRL, provide its name. If you do not provide a name, this command displays information about all of the CRLs.

 

Note: The command only displays basic information and does not display any information on the revocation status of certificates.

 

 

Command Mode

EXEC

 

Command Syntax

show management security ssl crl [crl_name]

 

Example

This command displays the basic information of the intermediate.crl CRL.
switch# show management security ssl crl intermediate.crl
CRL intermediate.crl:
   CRL Number: 11
   Issuer:
      Common name: intermediate
      Email address: ...
      Organizational unit: mycompany Org
      Organization: mycompany
      State: CA
      Country: US
   Validity:
      Last Update: Jul 19 19:27:34 2016 GMT
      Next Update: Dec 05 19:27:34 2043 GMT

show management security ssl diffie-hellman

The show management security ssl diffie-hellman command displays the Diffie-Hellman parameter information.

 

Command Mode

EXEC

 

Command Syntax

show management security ssl diffie-hellman

 

Example

This command displays the Diffie-Hellman parameter information. Check the size reported on the second line against the 2048 bits described earlier; the sample output below, captured on an older release, reports 1024 bits.
switch# show management security ssl diffie-hellman
Last successful reset on Apr 10 16:18:08 2015
Diffie-Hellman Parameters 1024 bits
 Generator: 2
 Prime:     dc47b5edc0d2b41451432f79f45efab452bba7b1ab118c194d671d6752ed1c550
            664ed8f052ad0fdad623c1d54ae5aee5e728d2bd7a6221636b787a4c08d1fef8c
            6dcd10759d38f8b70b47d1c7972d69b0b295a2ee6ab44cfc7352cb133e85197c8
            9f1fc27aac7e8e02afb4fb01ca1cb05558a7bef505b73a8d06cdfe403576b

show management security ssl key

The show management security ssl key command displays the RSA key information. To view information of a specific key, provide the name of the key in the command. If you do not provide a name, this command displays information about all of the keys.

 

Note: For security reasons, the output displays only the public part of the key.

 

 

Command Mode

EXEC

 

Command Syntax

show management security ssl key [key_name]

 

Parameter

key_name name of the key (optional).

 

Example

This command displays the server.key key information.
switch# show management security ssl key server.key
Key server.key:    
Encryption Algorithm: RSA
Size:                 2048 bits
Public exponent:      65537
Modulus:              e04e3ff8e1c64dbcb141fe96133f998e90a322c671b9f28307bf873
                      2239f69804a77fbb8f146841eb6253b7bb50bf6c66bbf3097ec695b
                      0d7985cfdd939c9913b4ba4f6cb8655b208ed0254a269ecab574987
                      9f54c8c7f0b3a57a7ab826870119083222ad5ee76d40f3fae49d36e
                      b502f8c3f541fa3bae59743cced6e6ca04f6ca6c9268744add79c3a
                      c08af6b451455b4a61071f4c0b3ec3553585312783e9381f65bb0e2
                      ea5ee80085f5216d303cf704372b2fa1aae62756c3762441fcc1c04
                      97ee6190586ed28c0e376f48e53f05a40c7e1f3a65e3c6165bae5df
                      f8178d12dd744ddf5db100b33c46b40e53f0a1c7d49f83488976c5d
                      635a831d5ec96d841

show management security ssl profile

The show management security ssl profile command displays the SSL profile status information. To display information about a specific SSL profile, provide the name of the profile. If you do not provide a name, this command displays profile status of all the SSL profiles.

If the SSL profile contains errors, the state displays as invalid and the errors are listed in the third column.

 

Command Mode

EXEC

 

Command Syntax

show management security ssl profile [profile_name]

 

Parameter

profile_name - Name of the SSL profile (optional).

 

Examples
  • This command displays the SSL profile status of profile server.
    switch# show management security ssl profile server
     Profile      State
    ------------- -----------
     server       valid

     

  • If the certificate server.crt does not match with the key, the following error displays.
    switch# show management security ssl profile server
    Profile       State         Error
    ------------- ------------- ----------------------------------------
    server        invalid       Certificate 'server.crt' does not match
                                with key

     

  • If a trusted certificate ca2.crt does not exist ,the following error displays.
    switch# show management security ssl profile server
    Profile       State         Error
    ------------- ------------- ----------------------------------------
    server        invalid       Certificate 'ca2.crt' does not exist

     

  • If a trusted certificate mycert.crt is not a self-signed root certificate, the following error displays.
    switch# show management security ssl profile server
    Profile       State         Error
    ------------- ------------- ----------------------------------------
    server         invalid      Certificate 'mycert.crt' is trusted and not
                                a root certificate

     

  • Ifthe certificate server.crt expired,the following error displays.
    switch# show management security ssl profile server
    Profile       State         Error
    ------------- ------------- ----------------------------------------
     server       invalid       Certificate 'server.crt' has expired

     

  • If the certificate chain is missing an intermediate certificate, the following error occurs.
    switch# show management security ssl profile server
    Profile        State         Error
    -------------- ------------- ---------------------------------------------
    server         invalid       Profile has invalid certificate chain
                                 Certificate 'intermediate.crt' does not exist
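A monitoring job that polls this command needs to turn the table above into structured data, including the invalid states shown in the examples. The following added example (not Arista's code) parses the output of show management security ssl profile into per-profile records: column boundaries are recovered from the dashed separator line, so the varying column widths in the examples are handled, and wrapped error text is re-joined. The sample output embedded in it is constructed to mirror the page's examples, and the rule that a lower-case continuation line wraps the previous error while a capitalised one starts a new error is an assumption of this parser.

```python
"""Parser for `show management security ssl profile` output.

Added example, not Arista code. Column boundaries are taken from the dashed
separator line, so the varying column widths in the page's examples are
handled, and error text that wraps onto the next line is re-joined.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SEPARATOR_RE = re.compile(r"\s*-+(?:\s+-+)*\s*")


@dataclass
class ProfileStatus:
    name: str
    state: str
    errors: List[str] = field(default_factory=list)

    @property
    def valid(self) -> bool:
        return self.state == "valid" and not self.errors


def _column_spans(separator: str) -> List[Tuple[int, Optional[int]]]:
    """One (start, end) slice per dashed column; the last column is open-ended
    so long error text is never cut off."""
    spans: List[Tuple[int, Optional[int]]] = [
        (m.start(), m.end()) for m in re.finditer(r"-+", separator)]
    if spans:
        spans[-1] = (spans[-1][0], None)
    return spans


def parse_ssl_profile_output(output: str) -> List[ProfileStatus]:
    lines = [ln.rstrip() for ln in output.splitlines() if ln.strip()]
    sep = next((i for i, ln in enumerate(lines) if SEPARATOR_RE.fullmatch(ln)), None)
    if sep is None:
        return []                       # no table printed at all
    spans = _column_spans(lines[sep])
    profiles: List[ProfileStatus] = []
    for row in lines[sep + 1:]:
        cells = [row[a:b].strip() for a, b in spans]
        name = cells[0]
        state = cells[1] if len(cells) > 1 else ""
        error = cells[2] if len(cells) > 2 else ""
        if name:                        # first line of a profile
            profiles.append(ProfileStatus(name, state, [error] if error else []))
        elif profiles and error:        # continuation line of the previous profile
            current = profiles[-1]
            # Assumption matching the documented output: a continuation that
            # starts in lower case wraps the previous error ("... does not match"
            # / "with key"); a capitalised line is a separate error.
            if current.errors and error[:1].islower():
                current.errors[-1] += " " + error
            else:
                current.errors.append(error)
    return profiles


def invalid_profiles(profiles: List[ProfileStatus]) -> List[str]:
    """Names of profiles a monitor should alert on."""
    return [p.name for p in profiles if not p.valid]


def _row(name: str, state: str, error: str = "") -> str:
    return f"{name:<15}{state:<14}{error}".rstrip()


# Constructed sample output in the layout shown on the page (not real switch
# output): one valid profile, one wrapped error, one profile with two errors.
SAMPLE_OUTPUT = "\n".join([
    "switch# show management security ssl profile",
    _row("Profile", "State", "Error"),
    "-" * 14 + " " + "-" * 13 + " " + "-" * 45,
    _row("server", "valid"),
    _row("client", "invalid", "Certificate 'client.crt' does not match"),
    _row("", "", "with key"),
    _row("legacy", "invalid", "Profile has invalid certificate chain"),
    _row("", "", "Certificate 'intermediate.crt' does not exist"),
])

if __name__ == "__main__":
    for p in parse_ssl_profile_output(SAMPLE_OUTPUT):
        print(p.name, p.state, p.errors)
```

Feed the function the text returned for the command (for example from an eAPI text-format call) and alert on invalid_profiles(); an empty list from a profile name that exists means the profile is valid, while no table at all means the profile was not found.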

ssl profile

The ssl profile command places the switch in SSL profile configuration mode. Various SSL profile management settings are configured in this mode. For example, this mode allows you to configure an SSL profile with a certificate and its corresponding RSA key.

Similarly, trust certificates, chain certificates, CRLs, TLS versions, and cipher lists can be configured for an SSL profile in this mode.

The no form of the command deletes the SSL profile management configuration from running-config.

 

Command Mode

Management Security Mode

SSL Profile Mode

 

Command Syntax

ssl profile profile_name

 

Parameter

profile_name - Name of the profile.

 

Examples
  • These commands place the switch in SSL profile mode.
    switch# config
    switch(config)# management security
    switch(config-mgmt-security)# ssl profile server
    switch(config-mgmt-sec-ssl-profile-server)#

  • These commands configure SSL profile server with a certificate and its corresponding RSA key. The no command deletes the certificate configuration.
    switch# config
    switch(config)# management security
    switch(config-mgmt-security)# ssl profile server
    switch(config-mgmt-sec-ssl-profile-server)# certificate server.crt key server.key
    switch(config-mgmt-sec-ssl-profile-server)# no certificate server.crt key server.key

  • These commands configure the trust certificate ca1.crt in an SSL profile. The no command deletes a trusted certificate configuration.
    switch# config
    switch(config)# management security
    switch(config-mgmt-security)# ssl profile server
    switch(config-mgmt-sec-ssl-profile-server)# trust certificate ca1.crt
    switch(config-mgmt-sec-ssl-profile-server)# no trust certificate ca1.crt

  • These commands configure the intermediate.crt chain certificate in an SSL profile. The no command deletes a chain certificate configuration.
    switch# config
    switch(config)# management security
    switch(config-mgmt-security)# ssl profile server
    switch(config-mgmt-sec-ssl-profile-server)# certificate server.crt key server.key
    switch(config-mgmt-sec-ssl-profile-server)# chain certificate intermediate.crt
    switch(config-mgmt-sec-ssl-profile-server)# no chain certificate intermediate.crt

  • These commands provide Certificate Revocation Lists (CRLs) to an SSL profile so that the revocation status of the certificate chain is checked. The no command deletes a CRL configuration.
    switch# config
    switch(config)# management security
    switch(config-mgmt-security)# ssl profile server
    switch(config-mgmt-sec-ssl-profile-server)# crl intermediate.crl
    switch(config-mgmt-sec-ssl-profile-server)# crl ca.crl
    switch(config-mgmt-sec-ssl-profile-server)# no crl ca.crl

  • These commands configure TLSv1.2 to be used in the SSL profile.
    switch# config
    switch(config)# management security
    switch(config-mgmt-security)# ssl profile server
    switch(config-mgmt-sec-ssl-profile-server)# tls versions 1.2

  • These commands build a cipher suite list.
    switch# config
    switch(config)# management security
    switch(config-mgmt-security)# ssl profile server
    switch(config-mgmt-sec-ssl-profile-server)# cipher-list AESGCM
    switch(config-mgmt-sec-ssl-profile-server)# cipher-list SHA256:SHA384
    switch(config-mgmt-sec-ssl-profile-server)# cipher-list ECDHE-ECDSA-AES256-GCM-SHA384

  • This command checks that the certificate has an extended key usage attribute.
    switch(config-mgmt-sec-ssl-profile-client)# certificate requirement extended-key-usage

  • These commands check that all trusted certificates, or all certificates in the chain, have the CA basic constraint set to true.
    switch(config-mgmt-sec-ssl-profile-client)# trust certificate requirement basic-constraints ca true
    switch(config-mgmt-sec-ssl-profile-client)# chain certificate requirement basic-constraints ca true

  • This command enables Federal Information Processing Standards (FIPS) mode for an SSL profile.
    switch(config-mgmt-sec-ssl-profile-client)# fips restrictions

802.1X Port Security

This section explains the basic concepts behind 802.1X port security, including switch roles, how the switches communicate, and the procedure used for authenticating clients.
  • 802.1X Port Security Introduction
  • 802.1X Port Security Description
  • Configuring 802.1X Port Security
  • 802.1X AAA Unresponsive VLAN
  • 802.1X Web Authentication
  • Displaying 802.1X Information
  • 802.1X Port Security Commands

802.1X Port Security Introduction

802.1X is an IEEE standard protocol that prevents unauthorized devices from accessing the network.

802.1X defines three device roles:
  • Supplicant (client).
  • Authenticator (switch).
  • Authentication server (RADIUS).

Before authentication succeeds, the switch port is in the unauthorized state and blocks all traffic; after authentication succeeds, normal data can flow through the switch port.

Port security controls who can send or receive traffic from an individual switch port. An end node cannot send or receive traffic through a port until a RADIUS server authenticates the node.

This security prevents unauthorized individuals from connecting to a switch port to access the network. Only designated valid users on a RADIUS server can use the switch to access the network.

Overview of 802.1X Port Security

802.1X port security controls which devices can send traffic through and receive traffic from individual switch ports. A supplicant must authenticate with the switch using EAPOL packets before obtaining full access to the port. Arista switches act as the authenticator, passing messages from 802.1X supplicants through to the RADIUS server and vice versa. 802.1X can operate in three different modes:
  • Single Host Mode - Once the 802.1X supplicant authenticates on the port, the port only allows traffic from the supplicant's MAC address.
  • Multi-Host Mode - Once the 802.1X supplicant authenticates on the port, the port allows traffic from any source MAC address.
  • Multi-Host Authenticated Mode - Allows multiple 802.1X supplicants and allows incoming traffic from all authenticated supplicants' MAC addresses through the port.

The Single Host and Multi-Host modes allow only one 802.1X supplicant to authenticate on a port. After it successfully authenticates, no other 802.1X supplicant can authenticate unless the current one logs off. The Multi-Host Authenticated Mode, however, allows multiple 802.1X supplicants to authenticate and gain access to the network.

In addition to 802.1X authentication, EOS supports MAC-Based Authentication (MBA), which allows devices without 802.1X support to access the network. The authenticator uses the MAC address of such a device as the username and password in its RADIUS request packets. Depending on the MAC-Based Authentication configuration on the RADIUS server, the server permits or denies authentication for the supplicant. Unlike 802.1X supplicants, multiple MBA supplicants are allowed on a single port. The MBA configuration does not require the 802.1X host modes, but unauthenticated traffic from MBA supplicants is permitted or rejected according to the host mode.

EOS also supports Dynamic VLAN assignment, which permits the RADIUS server to assign the desired VLAN for the supplicant, using the tunnel attributes with the Access-Accept message. The RADIUS server assigns VLANs to the 802.1X and MBA supplicants. EOS supports only one VLAN per port. When the first host authenticates, the authenticator port assigns the respective VLAN through dynamic VLAN assignment, and subsequently, all other hosts must belong to that VLAN as well.

802.1X features support 802.1Q trunk ports, which permits the use of Port-Based Network Access Control (PNAC) on a trunk port. With this feature, 802.1X and MBA supplicants whose traffic arrives at an 802.1X-enabled port with a VLAN tag can be authenticated.

By default, traffic from any unauthenticated device on an 802.1X-enabled port is dropped. However, by configuring the Authentication Failure VLAN on the authenticator switch, the traffic of an 802.1X or MBA supplicant that fails to authenticate via the RADIUS server can be placed into a specific VLAN.

 

Note: EOS supports one configurable VLAN for failure events such as failure due to server timeout, server unreachable, server AUTH-FAIL, or Quarantine.

 

Switch Roles for 802.1X Configurations

The 802.1X standard specifies the roles of Supplicant (client), Authenticator, and Authentication Server in a network. Switch Roles for 802.1X Configurations illustrates these roles.

 

Authentication Server - The server that validates the client and specifies whether the client may access services on the switch. The switch supports Authentication Servers running RADIUS.

Authenticator - The switch that controls access to the network. In an 802.1X configuration, the switch serves as the Authenticator. As the Authenticator, it relays messages between the client and the Authentication Server. The Authenticator grants or denies network access to the client based on the identity data provided by the client and the authentication data provided by the Authentication Server.

Supplicant/Client - The client provides username and password data to the Authenticator, which sends this data to the Authentication Server. Based on the supplicant's information, the Authentication Server determines whether the supplicant can use the services provided by the Authenticator. The Authentication Server sends its decision to the Authenticator, which then provides services to the client based on the authentication result.

Figure 3. Authenticator, Supplicant, and Authentication Server in an 802.1X configuration

 

Authentication Process

The authentication that occurs between a supplicant, authenticator, and authentication server includes the following steps:
  • Either the authenticator (a switch port) or the supplicant starts an authentication message exchange. The switch starts an exchange when it detects a change in the status of a port, or when it receives a packet on the port with a source MAC address that is not in the MAC address table.
  • An authenticator starts the negotiation by sending an EAP-Request/Identity packet. A supplicant starts the negotiation with an EAPOL-Start packet, to which the authenticator answers with an EAP-Request/Identity packet.
  • The supplicant answers with an EAP-Response/Identity packet to the authentication server via the authenticator.
  • The authentication server responds with an EAP-Request packet to the supplicant via the authenticator.
  • The supplicant responds with an EAP-Response.
  • The authentication server transmits either an EAP-Success packet or an EAP-Reject packet to the supplicant.
  • If the authentication server rejects the request, the supplicant receives an EAP-Reject message and its traffic is not forwarded.


Communication Between the Switches

802.1X port security uses the Extensible Authentication Protocol (EAP), defined in RFC 2284, and the RADIUS authentication protocol for communication between the switches.

The 802.1X standard defines a method for encapsulating and sending EAP messages over a LAN. This type of encapsulated EAP is known as EAP over LAN (EAPOL). The standard also specifies a method for transferring the EAPOL information between the client or Supplicant, the Authenticator, and the Authentication Server.

Supplicants and Authenticators pass EAPOL messages between their Port Access Entities (PAEs). The following figure displays the relationship between the Authenticator PAE and the Supplicant PAE.

Figure 4. Authenticator PAE and Supplicant PAE

 

Authenticator PAE - The Authenticator PAE communicates with the Supplicant PAE to receive the Supplicant's identifying information. Behaving as a RADIUS client, the Authenticator PAE passes the Supplicant's information to the Authentication Server, which decides whether to grant the Supplicant access. If the Supplicant passes authentication, the Authenticator PAE allows it access to the port.

 

Supplicant PAE - The Supplicant PAE provides information about the client to the Authenticator PAE and replies to requests from the Authenticator PAE. The Supplicant PAE may initiate the authentication procedure with the Authenticator PAE, as well as send logoff messages.
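The message sequence in the Authentication Process list and the EAPOL encapsulation described in this section can be followed end to end in code. The following added example (not Arista's code) encodes and decodes EAPOL frames and EAP packets in the layouts defined by IEEE 802.1X and RFC 3748, then runs the exchange with a supplicant, an authenticator that relays EAP in EAPOL EAP-Packet frames, and an authentication server using the MD5-Challenge method named later on this page. The identities, passwords and the AuthServer object standing in for RADIUS are constructed for the example; reducing the RADIUS leg to a direct call is the model's assumption.

```python
"""EAPOL/EAP exchange between supplicant, authenticator and authentication
server, as an added example (not Arista code). Frame layouts follow IEEE
802.1X (EAPOL header) and RFC 3748 (EAP packet, Identity and MD5-Challenge
methods). The RADIUS leg is reduced to a direct call on an AuthServer object,
which is an assumption of this model.
"""
import hashlib
import os
import struct
from typing import Dict, List, Optional, Tuple

EAPOL_VERSION = 2                                   # 802.1X-2004
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_IDENTITY, EAP_MD5_CHALLENGE = 1, 4


def eapol_frame(packet_type: int, body: bytes = b"") -> bytes:
    """EAPOL header: version(1) | packet type(1) | body length(2) | body."""
    return struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body


def parse_eapol(frame: bytes) -> Tuple[int, int, bytes]:
    version, packet_type, length = struct.unpack("!BBH", frame[:4])
    return version, packet_type, frame[4:4 + length]


def eap_packet(code: int, ident: int, eap_type: Optional[int] = None,
               data: bytes = b"") -> bytes:
    """EAP header: code(1) | identifier(1) | length(2); Request and Response
    add a type byte and type data, Success and Failure carry neither."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def parse_eap(packet: bytes) -> dict:
    code, ident, length = struct.unpack("!BBH", packet[:4])
    body = packet[4:length]
    return {"code": code, "id": ident,
            "type": body[0] if body else None, "data": body[1:]}


def md5_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 3748 section 5.4: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class Supplicant:
    def __init__(self, identity: str, password: str):
        self.identity, self.password = identity.encode(), password.encode()

    def respond(self, request: dict) -> bytes:
        if request["type"] == EAP_IDENTITY:
            return eap_packet(EAP_RESPONSE, request["id"], EAP_IDENTITY, self.identity)
        if request["type"] == EAP_MD5_CHALLENGE:
            size = request["data"][0]                       # Value-Size byte
            challenge = request["data"][1:1 + size]
            value = md5_response(request["id"], self.password, challenge)
            return eap_packet(EAP_RESPONSE, request["id"], EAP_MD5_CHALLENGE,
                              bytes([len(value)]) + value + self.identity)
        raise ValueError("unsupported EAP method")


class AuthServer:
    """Stands in for the RADIUS server: owns the user database and the method."""
    def __init__(self, users: Dict[str, str]):
        self.users = {u.encode(): p.encode() for u, p in users.items()}
        self.identity: Optional[bytes] = None
        self.challenge = b""

    def handle(self, response: dict) -> bytes:
        next_id = (response["id"] + 1) & 0xFF
        if response["type"] == EAP_IDENTITY:
            self.identity = response["data"]
            self.challenge = os.urandom(16)
            return eap_packet(EAP_REQUEST, next_id, EAP_MD5_CHALLENGE,
                              bytes([16]) + self.challenge)
        if response["type"] == EAP_MD5_CHALLENGE:
            size = response["data"][0]
            value = response["data"][1:1 + size]
            password = self.users.get(self.identity or b"")
            ok = password is not None and value == md5_response(
                response["id"], password, self.challenge)
            return eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, next_id)
        return eap_packet(EAP_FAILURE, next_id)


def authenticate(supplicant: Supplicant, server: AuthServer) -> Tuple[bool, List[str]]:
    """The authenticator's role: relay EAP between the supplicant (carried in
    EAPOL EAP-Packet frames) and the server. Returns (authorized, transcript)."""
    start = eapol_frame(EAPOL_START)                   # 4-byte frame, empty body
    log = [f"supplicant->authenticator EAPOL-Start {start.hex()}"]
    frame = eapol_frame(EAPOL_EAP_PACKET, eap_packet(EAP_REQUEST, 1, EAP_IDENTITY))
    while True:
        request = parse_eap(parse_eapol(frame)[2])
        if request["code"] == EAP_SUCCESS:
            log.append("authenticator->supplicant EAP-Success (port authorized)")
            return True, log
        if request["code"] == EAP_FAILURE:
            log.append("authenticator->supplicant EAP-Failure (traffic stays blocked)")
            return False, log
        log.append(f"authenticator->supplicant EAP-Request type {request['type']}")
        reply = parse_eap(supplicant.respond(request))
        log.append(f"supplicant->authenticator EAP-Response type {reply['type']}")
        # A real authenticator forwards this inside a RADIUS EAP-Message attribute.
        frame = eapol_frame(EAPOL_EAP_PACKET, server.handle(reply))
```

Calling authenticate(Supplicant("alice", "s3cret"), AuthServer({"alice": "s3cret"})) returns True together with a six-entry transcript (EAPOL-Start, Request/Identity, Response/Identity, Request/MD5-Challenge, Response/MD5-Challenge, Success); a wrong password or unknown identity ends in EAP-Failure, which is the point at which the page says the port stays blocked. The authenticator never inspects the method data, which is what the page means by the switch being transparent to the authentication scheme.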

Dot1x Dropped Counters

The Dot1x Dropped Counters count the packets dropped by dot1x interfaces. When a high volume of packets is dropped, the dropped counter does not represent all of the dropped packets; the CPU queue drop counter reflects the remainder. This is because EOS limits the bandwidth for packets sent to the CPU.

The following counters are supported and increment depending on the dot1x interface configuration mode:
  • EAPOL unauthorized port - the number of packets dropped because the EAPOL port is unauthorized, when MAC-Based Authentication is disabled.
  • EAPOL unauthorized host - the number of packets dropped because the EAPOL host is unauthorized.
  • MBA unauthorized host - the number of packets dropped because the host is unauthorized, when MAC-Based Authentication is enabled.


Enabling 802.1X Port Control

To enable 802.1X port authentication on the switch, use the following command:

switch(config)# dot1x system-auth-control

 

The port mode can be set to access or trunk, and the 802.1X port access entity (PAE) set to authenticator:

switch(config-if-Et1)# switchport mode access
switch(config-if-Et1)# dot1x pae authenticator

 

Controlled and Uncontrolled Ports

A physical port on the switch used with 802.1X has two virtual access points that include a controlled port and an uncontrolled port. The controlled port grants full access to the network. The uncontrolled port only gives access for EAPOL traffic between the client and the Authentication Server. When a client is authenticated successfully, the controlled port is opened to the client.

Figure 5. Ports Before and After Client Authentication

 

Control Port State

Before authenticating the port, the port is unauthorized. In this state, the 802.1X agent only processes EAPOL packets and drops all other packets. After the port successfully authenticates, the port becomes authorized and allows all packets to pass. The authentication exchange controls the state transition between the supplicant and the authentication server. However, you can control the state by using any one of the following commands:

 

dot1x port-control force-authorized

force-authorized - disables 802.1X authentication and places the port directly in the authorized state. This is the default setting.

dot1x port-control force-unauthorized

force-unauthorized - also disables 802.1X authentication and places the port directly in the unauthorized state, ignoring all attempts by the client to authenticate.

dot1x port-control auto

auto - enables 802.1X authentication and places the port in the unauthorized state first. The port then remains unauthorized or transitions to the authorized state according to the authentication result and configuration.

Uncontrolled Port State

The Authenticator only opens one uncontrolled port before authenticating a client. The client and the Authentication Server swap EAPOL frames through the uncontrolled port. No other traffic passes through the controlled port in the unauthorized state.

During authentication, the Supplicant PAE and the Authenticator PAE exchange EAPOL messages, and the Authenticator PAE and the Authentication Server exchange RADIUS messages. If the client successfully authenticates, the controlled port becomes authorized, and traffic from the client can flow through the port normally.

By default, all controlled ports on the switch are authorized and allow all traffic. When 802.1X authentication is enabled on an interface, its controlled port is initially set to the unauthorized state. If a client connected to the port authenticates successfully, the controlled port is set to the authorized state.
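The rules spread across the Overview of 802.1X Port Security (host modes, MBA, one dynamic VLAN per port, the failure VLAN), the Dot1x Dropped Counters, and the Control Port and Uncontrolled Port State sections determine, per frame, whether a port forwards or drops. The following added example (not EOS code) models those decisions for one authenticator port. It assumes a native VLAN of 1 and, where the page does not say which counter a given drop increments, maps drops to the three counters as described in the comments.

```python
"""Forwarding decisions of an 802.1X authenticator port (added example, not
EOS code). Models the page's port-control settings, host modes, MAC-based
authentication, one-VLAN-per-port dynamic assignment, the failure VLAN and the
three dot1x dropped counters. The counter chosen for each drop and the native
VLAN value are this model's assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

EAPOL = "eapol"          # returned for frames admitted to the uncontrolled port
NATIVE_VLAN = 1          # assumed native VLAN when no dynamic VLAN applies


@dataclass
class Dot1xPort:
    port_control: str = "force-authorized"   # EOS default per the page
    host_mode: str = "multi-host"            # EOS default per the page
    mac_based_auth: bool = False
    failure_vlan: Optional[int] = None
    dot1x_hosts: Dict[str, int] = field(default_factory=dict)   # mac -> vlan
    mba_hosts: Dict[str, int] = field(default_factory=dict)
    failed_hosts: Set[str] = field(default_factory=set)
    port_vlan: Optional[int] = None          # dynamic VLAN, one per port
    dropped: Dict[str, int] = field(default_factory=lambda: {
        "eapol_unauthorized_port": 0, "eapol_unauthorized_host": 0,
        "mba_unauthorized_host": 0})

    def _vlan_ok(self, vlan: Optional[int]) -> bool:
        """The first authenticated host fixes the port VLAN; later hosts must match."""
        if vlan is None:
            return True
        if self.port_vlan is None:
            self.port_vlan = vlan
        return self.port_vlan == vlan

    def authenticate(self, mac: str, method: str, accepted: bool,
                     vlan: Optional[int] = None) -> bool:
        """Apply the RADIUS result (accept/reject) for one supplicant."""
        if self.port_control != "auto":
            return False                  # forced ports never authenticate
        if not accepted:
            self.failed_hosts.add(mac)    # eligible for the failure VLAN
            return False
        if method == "mba":
            if not self.mac_based_auth:
                return False
            hosts = self.mba_hosts        # several MBA hosts per port, any host mode
        else:
            if (self.host_mode != "multi-host-authenticated"
                    and self.dot1x_hosts and mac not in self.dot1x_hosts):
                return False              # single-/multi-host: one supplicant until logoff
            hosts = self.dot1x_hosts
        if not self._vlan_ok(vlan):
            return False                  # all hosts on a port share the dynamic VLAN
        hosts[mac] = self.port_vlan or NATIVE_VLAN
        self.failed_hosts.discard(mac)
        return True

    def logoff(self, mac: str) -> None:
        self.dot1x_hosts.pop(mac, None)
        self.mba_hosts.pop(mac, None)
        if not self.dot1x_hosts and not self.mba_hosts:
            self.port_vlan = None

    def forward(self, src_mac: str, eapol: bool = False):
        """VLAN the frame is forwarded on, EAPOL for the uncontrolled port,
        or None when the controlled port drops it."""
        if self.port_control == "force-authorized":
            return self.port_vlan or NATIVE_VLAN
        if self.port_control == "force-unauthorized":
            self.dropped["eapol_unauthorized_port"] += 1   # assumption: counted as port drop
            return None
        if eapol:
            return EAPOL                  # uncontrolled port always passes EAPOL
        if src_mac in self.dot1x_hosts:
            return self.dot1x_hosts[src_mac]
        if src_mac in self.mba_hosts:
            return self.mba_hosts[src_mac]
        if self.host_mode == "multi-host" and self.dot1x_hosts:
            return self.port_vlan or NATIVE_VLAN   # any source MAC after one success
        if src_mac in self.failed_hosts and self.failure_vlan is not None:
            return self.failure_vlan
        # Counter selection, following the page's counter definitions:
        if self.mac_based_auth:
            self.dropped["mba_unauthorized_host"] += 1
        elif self.dot1x_hosts:
            self.dropped["eapol_unauthorized_host"] += 1   # port has an authorized host, this one is not
        else:
            self.dropped["eapol_unauthorized_port"] += 1   # nobody authorized on the port yet
        return None
```

Walking a port through the page's scenarios shows the differences between the modes: in single-host mode a second MAC is dropped and counted under EAPOL unauthorized host, in multi-host mode it is forwarded on the first supplicant's VLAN, and in multi-host-authenticated mode a second supplicant is admitted only if RADIUS assigns it the same VLAN as the first.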

Message Exchange During Authentication

The following figure illustrates an exchange of messages between an 802.1X-enabled client, an Authenticator switch, and a RADIUS server operating as an Authentication Server.

Arista switches support MD5-Challenge, TLS, and other EAP-encapsulated authentication types in EAP Request or Response messages. In other words, the switches are transparent to the authentication scheme used.
Figure 6. Message Exchange During Authentication

 

Authenticating Multiple Clients Connected to the Same Port

Arista switches support 802.1X authentication for ports with more than one client connected to them. Figure 7 illustrates a sample configuration where multiple clients are connected to a single 802.1X port. 802.1X authentication may use multi-host mode, or, on selected switches, single-host mode. In both modes, the port authenticates the packets received from any one client, and drops the packets received from other clients, until authentication of the connected client by the RADIUS server.

Single-host Mode

In single-host mode, once the 802.1X client has authenticated with the RADIUS server, no further authentication is required; however, the port accepts packets only from the MAC address of the authenticated client.

Multi-Host Mode

In multi-host mode, once the 802.1X client authenticates with the RADIUS server, the port accepts all packets from any connected client, and these packets do not require any authentication.

802.1X MAC-based Authentication

802.1X MAC-based authentication allows a set of MAC addresses to be programmed into the RADIUS server. Devices with these MAC addresses (MAC-based authentication supplicants) do not authenticate with 802.1X but are still allowed access to the network. The authenticator identifies devices that do not support 802.1X and uses the MAC address of these devices as the username and password in its RADIUS request packets.

In MAC-based authentication, every supplicant attempting to access the authenticator port individually authenticates, as opposed to authenticating just one supplicant on a given VLAN or port with 802.1X. Different behavior occurs for MAC-based authentication supplicants when an 802.1X supplicant authenticates in single-host and multi-host 802.1X modes.

To enable Mac-based authentication, use the following command:

switch(config)# dot1x mac based authentication

 

 

Note: By adding this command to the existing 802.1X configuration on the port, a typical 802.1X interface configuration with MAC-Based Authentication enabled may look something like this:
switch(config-if-Et1/1)# show active
speed forced 1000full
dot1x pae authenticator
dot1x port-control auto
dot1x mac based authentication

 

Figure 7. Multiple clients connected to a 802.1X-enabled port

 

Mac-Based Authentication Delay

Use the mac based authentication delay command to configure a MAC-based Authentication delay. By default, the delay triggers after 5 seconds.

 

Command Syntax

mac based authentication delay 0-300 seconds

 

Mac-based Authentication Hold-Period

When an AAA server rejects a MAC-based Authentication attempt, a default hold period of 60 seconds elapses before MAC-based Authentication is retried, even if the host continues to send traffic. The hold period can be configured manually using the mac based authentication hold period command.

 

Command Syntax

mac based authentication hold period 0-300 seconds

 

 

Note: Configuring a low value for the hold-period can significantly increase the load on a AAA server when MAC-based Authentication is not enabled for a host.

 

Dot1x Web Authentication FQDN Allowlist

When using dot1x captive portal authentication, supplicants enter the WEB-AUTH-START stage, in which their HTTPS requests are redirected to a captive portal as the second step of the authentication process. The Dot1x Web Authentication Fully Qualified Domain Name (FQDN) Allowlist provides a list of FQDN masks that bypass the redirection and allow the supplicant to access URLs on these hosts before completing the second step of the authentication process.

The Dot1x Web Authentication captures the IP address that the supplicant attempts to access and performs a reverse DNS resolution to check if the FQDN matches an entry on the configured Allowlist.

802.1X AAA Unresponsive VLAN

Overview

Devices connected to 802.1X controlled ports must perform authentication before their generic traffic is allowed into the network. During this process, the switch contacts a configured AAA server that determines if the device’s access to the network is accepted or denied. When the AAA server is unresponsive, the default behavior is to deny all authentication attempts. The AAA Unresponsive VLAN feature allows the user to specify different behavior for this case, accepting authentication attempts and assigning devices to the native VLAN or a specified VLAN. As in other failure scenarios, the switch tries to authenticate the supplicant after the quiet period has passed.

Configuring 802.1X AAA Unresponsive VLAN

Configure the aaa unresponsive action traffic allow vlan command to enable the dot1x AAA unresponsive VLAN feature on the switch. When configured, the switch changes the action taken with authentication attempts when the AAA server becomes unresponsive. Unresponsiveness occurs when the AAA communication times out.

 

Example

These commands place the switch in dot1x configuration mode and enable the dot1x AAA unresponsive VLAN feature on the switch.
switch(config)# dot1x
switch(config-dot1x)# aaa unresponsive action traffic allow vlan

 

Limitations

  • AAA unresponsive VLAN does not act on devices that tried to authenticate using VLAN-tagged frames.
  • When AAA unresponsive VLAN is enabled without a VLAN, devices get assigned to the native VLAN, even phones that would otherwise be assigned to the phone VLAN. If phones should be assigned to the phone VLAN when AAA is unavailable, the knob aaa unresponsive phone vlan action allow should additionally be used.


802.1X Web Authentication

The 802.1X Web authentication feature provides authentication for a supplicant through a Web page, referred to as a captive portal. Redirection to a captive portal provides support for guest devices or supplicants where 802.1X is not sufficient and an additional Web based authentication is required.

Configuring 802.1X Web Authentication

Use the following global command under the 802.1X node to enable the 802.1X Web authentication:

captive portal [url URL] [ssl profile profile]

Enabling 802.1X Web authentication starts the redirection agent (Dot1xWeb) and the internal HTTP redirector. 802.1X then acts on the RADIUS web-auth-start VSAs. If a URL is specified, authentication is redirected to that URL when AAA does not provide a specific URL. If a valid SSL profile is specified, the 802.1X Web internal HTTPS redirector uses the certificate and key configured in that profile.

For ACL based Web Authentication, an additional parameter provides more functionality:
switch(config-dot1x)# captive portal access-list ipv4 test-ACL

 

An ACL can be defined locally on the switch and configured for use with Web Authentication, for cases when AAA is unable to send an ACL with web auth = start.

The RADIUS VSAs are as follows.

Attribute Name          Attribute ID   Type      Value
Arista-WebAuth          6              integer   start = 1, complete = 2
Arista-Captive-Portal   10             string    any valid URL

 

Show Commands

The show commands that display the state of a host include the new values for the WebAuth stage as well.

 

Example
switch(config)# show dot1x hosts
Interface: Ethernet36
Supplicant MAC     Auth Method     State               VLAN Id
--------------     -----------     -----               -------
00:1c:73:73:f9:38  MAC-BASED-AUTH  WEB-AUTH-START
00:1c:73:73:f9:39  MAC-BASED-AUTH  WEB-AUTH-FAILED

 

Limitations

The following limitations apply to the 802.1X feature.
  • Only one device per port is supported (MAC ACLs are not supported), connected in wired fashion.
  • HTTPS redirection is only attempted when the connection is to the default TCP port 443.
  • Limitations present in versions lower than RIO RELEASE:
    • HTTPS is not supported.
  • Limitations present in EOS Release 4.25.0 and 4.25.1:
    • There is no downloadable ACL support; only implicit ACL support is available. This might not suffice if there is a need to allow multiple intranet websites.
    • Only one captive portal is supported at a time.
  • Limitations in EOS Release 4.25.0:
    • An IPv4 management IP address needs to be configured on the management interface. If the management IP address is changed, the captive portal configuration needs to be reconfigured.
    • An SVI needs to be configured for the VLAN where the host is going to be after the first phase of authentication, be it EAPOL or MBA.


Configuring 802.1X Port Security

Basic steps to implementing 802.1X Port-based Network Access Control and RADIUS accounting on the switch:

  1. A RADIUS server is required on one or more of your network servers or management stations. 802.1X is not supported with the TACACS+ authentication protocol.
  2. You must create supplicant accounts on the RADIUS server:
     • The account for a supplicant connected to an authenticator port set to the 802.1X authentication mode must have a username and password combination.
     • The account for a supplicant connected to an authenticator port placed in the MAC address-based authentication mode must use the MAC address of the node as both the username and password.
     • Clients connected to an 802.1X authenticator port require 802.1X client software.
  3. The RADIUS client must be configured by entering the IP addresses and encryption keys of the authentication servers on your network.
  4. The port access control settings must be configured on the switch. This includes the following:
     • Specifying the port roles.
     • Configuring 802.1X port parameters.
     • Enabling 802.1X Port-based Network Access Control.

Guidelines
  • Do not set a port that is connected to a RADIUS authentication server to the authenticator role, as an authentication server cannot authenticate itself.
  • A supplicant connected to an authenticator port set to the 802.1X username and password authentication method must have 802.1X client software.
  • To prevent unauthorized individuals from accessing the network through unattended network workstations, end users of 802.1X port-based network access control should always log off when they are finished with a work session.
  • The RADIUS client should be configured on the switch before activating port-based access control.


Configuring 802.1X Authentication Methods

Configure external client authentication methods for IEEE 802.1X port security. Arista currently supports RADIUS authentication. Use the aaa authentication dot1x command to configure the switch to use a RADIUS server for client authentication.

 

Example

This command configures the switch to use RADIUS authentication.
switch(config)# aaa authentication dot1x default group radius
switch(config)#

 

Configuring Dot1x Dropped Counters

Use the statistics packets dropped command to configure the dot1x dropped counters on the switch in the dot1x configuration mode. By default, EOS turns off the dot1x dropped counters. The no form of the command disables them from the running configuration.

 

Example

This command, entered in dot1x configuration mode, enables the dot1x dropped counters.
switch(config-dot1x)# statistics packets dropped

 

Globally Enabling IEEE 802.1X

To enable IEEE 802.1X port authentication globally on the switch, use the dot1x system-auth-control command.

 

Example

This command enables IEEE 802.1X globally on the switch.
switch(config)# dot1x system-auth-control
switch(config)#

 

Designating Authenticator Ports

To set the port access entity (PAE) type of an Ethernet or management interface to the authenticator, use the dot1x pae authenticator command.

 

Example

These commands configure the PAE type to authenticator on the Ethernet interface 1 to enable IEEE 802.1X on the port.
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x pae authenticator
switch(config-if-Et1)#

 

For ports to act as authenticator ports to connected supplicants, those ports must be designated using the dot1x port-control command.

The auto option of the dot1x port-control command designates an authenticator port for immediate use, blocking all traffic that is not authenticated by the AAA server.

 

Example

This command configures Ethernet 1 to immediately begin functioning as an authenticator port.
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x port-control auto
switch(config-if-Et1)#

 

The force-authorized option of the dot1x port-control command sets the state of the port to authorized without authentication, allowing traffic to continue uninterrupted.

 

Example

These commands designate Ethernet 1 as an authenticator port that forwards packets without authentication.
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x port-control force-authorized
switch(config-if-Et1)#

 

To designate a port as an authenticator but prevent it from authorizing any traffic, use the force-unauthorized option of the dot1x port-control command.

 

Example

The force-unauthorized option of the dot1x port-control command places the specified port in the unauthorized state, which denies any access request from users of the port.
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x port-control force-unauthorized
switch(config-if-Et1)#

 

Specifying the Authentication Mode for Multiple Clients

By default, Arista switches authenticate in multi-host mode, allowing packets from any source MAC address once 802.1X authentication has taken place. To configure the switch for single-host mode (allowing traffic only from the authenticated client's MAC address), use the dot1x host-mode command.

 

Example

These commands configure Ethernet interface 1 to use single-host mode for 802.1X authentication.
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x host-mode single-host
switch(config-if-Et1)#

 

Configuring Re-authentication

The dot1x reauthentication command enables the authenticator ports to re-authenticate with the default values.

The dot1x timeout reauth-period command allows the customization of the re-authentication period of authenticator ports.

 

Examples
  • These commands configure Ethernet interface 1 to require re-authentication from clients at regular intervals.
    switch(config)# interface Ethernet 1
    switch(config-if-Et1)# dot1x reauthentication

     

  • These commands configure the Ethernet interface 1 authenticator to require re-authentication from clients every 6 hours (21600 seconds).
    switch(config)# interface Ethernet 1
    switch(config-if-Et1)# dot1x reauthentication
    switch(config-if-Et1)# dot1x timeout reauth-period 21600
    switch(config-if-Et1)#

     

  • These commands deactivate re-authentication on the Ethernet interface 1.
    switch(config)# interface Ethernet 1
    switch(config-if-Et1)# no dot1x reauthentication
    switch(config-if-Et1)#

     

Setting the EAP Request Maximum

The dot1x reauthorization request limit command configures the number of times the switch retransmits an 802.1X Extensible Authentication Protocol (EAP) request packet before ending the conversation and restarting authentication.

 

Example

These commands set the number of times the authenticator sends an EAP request packet to the client before restarting authentication to 4.
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x reauthorization request limit 4
switch(config-if-Et1)#

 

The default value is 2.

Disabling Authentication on a Port

To disable authentication on an authenticator port, use the no form of the dot1x port-control command.

 

Example

These commands disable authentication on Ethernet interface 1.
switch(config)# interface ethernet 1
switch(config-if-Et1)# no dot1x port-control
switch(config-if-Et1)#

 

Setting the Quiet Period

If the switch fails to immediately authenticate the client, the dot1x timeout quiet-period command specifies the time the switch waits before trying again. This timer also indicates how long a client that failed authentication is blocked.

 

Example

These commands set the 802.1X quiet period for Ethernet interface 1 to 30 seconds.
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x timeout quiet-period 30

 

The default value is 60 seconds.

Setting the Dot1x Timeout Reauth-period

The dot1x timeout reauth-period command specifies the time period in seconds that the configuration mode interface waits before requiring re-authentication from clients.

 

Example

These commands configure the timeout reauth-period to 21600 seconds.
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x reauthentication
switch(config-if-Et1)# dot1x timeout reauth-period 21600

 

The default value is 3600 seconds.

Setting the Transmission Timeout

The authenticator sends an Extensible Authentication Protocol (EAP) request to the supplicant, and the supplicant sends a response that the authenticator forwards to an authentication server. If the authenticator doesn't receive a reply to the EAP request, it waits a specified time before retransmitting the request. To configure the wait time, use the dot1x timeout tx-period command.

 

Example

These commands configure Ethernet interface 1 to wait 30 seconds before retransmitting EAP requests to the supplicant.
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x timeout tx-period 30
switch(config-if-Et1)#

 

The default value is 5 seconds.
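The per-port settings above (pae authenticator, port-control, host-mode, reauthentication and the timers) are the ones a reviewer checks when auditing an access switch. As an added example, not Arista code, the following Python parses a constructed EOS running-config written in the syntax of the commands described in this section and reports authenticator ports that still carry the weaker documented defaults: port-control force-authorized, multi-host mode, or no periodic re-authentication.

```python
import re
from dataclasses import dataclass

# Defaults as documented on this page: an authenticator port is
# force-authorized and multi-host unless configured otherwise, and
# re-authentication is off until "dot1x reauthentication" is applied.
DEFAULT_PORT_CONTROL = "force-authorized"
DEFAULT_HOST_MODE = "multi-host"
DEFAULT_REAUTH_PERIOD = 3600

# Constructed sample running-config (illustration only, not from a real switch).
SAMPLE_CONFIG = """\
dot1x system-auth-control
!
interface Ethernet1
   dot1x pae authenticator
   dot1x port-control auto
   dot1x host-mode single-host
   dot1x reauthentication
   dot1x timeout reauth-period 21600
!
interface Ethernet2
   dot1x pae authenticator
   dot1x port-control force-authorized
!
interface Ethernet3
   dot1x pae authenticator
   dot1x port-control auto
!
interface Ethernet4
   description uplink, no 802.1X
!
"""


@dataclass
class PortConfig:
    name: str
    pae_authenticator: bool = False
    port_control: str = DEFAULT_PORT_CONTROL
    host_mode: str = DEFAULT_HOST_MODE
    reauthentication: bool = False
    reauth_period: int = DEFAULT_REAUTH_PERIOD


def parse_config(text):
    """Return (system_auth_control_enabled, {interface name: PortConfig})."""
    system_auth = False
    ports = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            # Top-level line: a global command, an interface header, or "!".
            current = None
            if line == "dot1x system-auth-control":
                system_auth = True
            m = re.match(r"interface (\S+)$", line)
            if m:
                current = PortConfig(m.group(1))
                ports[current.name] = current
            continue
        if current is None:
            continue
        cmd = line.strip()
        if cmd == "dot1x pae authenticator":
            current.pae_authenticator = True
        elif cmd.startswith("dot1x port-control "):
            current.port_control = cmd.split()[-1]
        elif cmd.startswith("dot1x host-mode "):
            current.host_mode = cmd[len("dot1x host-mode "):]
        elif cmd == "dot1x reauthentication":
            current.reauthentication = True
        elif cmd.startswith("dot1x timeout reauth-period "):
            current.reauth_period = int(cmd.split()[-1])
    return system_auth, ports


def audit(text):
    """Return a list of (scope, finding) tuples; an empty list means nothing to report."""
    system_auth, ports = parse_config(text)
    findings = []
    if not system_auth:
        findings.append(("global", "dot1x system-auth-control missing: 802.1X is not enabled on the switch"))
    for name, p in sorted(ports.items()):
        if not p.pae_authenticator:
            continue  # not an authenticator port, nothing to check
        if p.port_control == "force-authorized":
            findings.append((name, "port-control force-authorized: traffic forwarded without authentication (the default)"))
        elif p.port_control == "force-unauthorized":
            findings.append((name, "port-control force-unauthorized: all traffic blocked regardless of authentication"))
        if p.host_mode == "multi-host":
            findings.append((name, "host-mode multi-host: any source MAC is forwarded once one supplicant authenticates"))
        if not p.reauthentication:
            findings.append((name, "no dot1x reauthentication: a client is never asked to re-authenticate"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```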

Enabling Authentication Failure VLAN

Configure an authentication failure VLAN on a dot1x-enabled port using the dot1x authentication failure action traffic allow CLI command in interface configuration mode. To set VLAN 10 as the authentication failure VLAN:

switch(config-if-Et1/1)# dot1x authentication failure action traffic allow vlan 10

 

When no authentication failure VLAN is configured on a dot1x-enabled port, the default action drops any unauthorized traffic on the port. This behavior can also be specified explicitly using the following command:

 

Example

switch(config-if-Et1/1)# dot1x authentication failure action traffic drop

 

802.1X Guest VLANs

802.1X provides a guest VLAN that grants access to hosts that are unable to communicate over EAPoL, so that they can perform the actions needed to become EAPoL capable; the host can then move out of the guest VLAN. A typical use case is a host that PXE boots and only afterwards becomes capable of responding to EAPoL requests.

Note: You cannot configure Guest VLANs and MBA on the same network.

 

Example

To configure a guest VLAN on Ethernet6/1 and VLAN 25, use the following commands:
switch(config)# interface Ethernet6/1
switch(config-if-Et6/1)# dot1x
switch(config-dot1x)# eapol unresponsive action traffic allow vlan 25

 

Disable the feature on an interface and override the global configuration:
switch(config-dot1x)# eapol unresponsive action traffic disable 

Clearing 802.1X Statistics

The clear dot1x statistics command resets the 802.1X counters.

 

Examples
  • This command clears the 802.1X counters on all interfaces.
    switch# clear dot1x statistics all
    switch#

     

  • This command clears the 802.1X counters on Ethernet interface 1.
    switch# clear dot1x statistics interface ethernet 1
    switch#

     

Configuring Dot1x Web Authentication FQDN Allowlist

Use the following command to add a hostname to the captive portal redirection bypass list:

switch(config)# dot1x
switch(config-dot1x)# captive-portal bypass fqdn_wildcard

 

Repeat the configuration statement to add more FQDNs to the list. The wildcard * can be used once at the start of the FQDN and must be followed by a dot, for example *.myfqdn.com.

 

Example

Use the following commands to add the FQDN, *.mycompany.com to the FQDN Allowlist:
switch(config)#dot1x
switch(config-dot1x)#captive-portal bypass *.mycompany.com

 

Clearing Dot1x Captive Portal Resolutions

Use the clear dot1x captive-portal resolutions command to clear all reverse DNS entries and active bypass and redirect decisions.

 

switch# clear dot1x captive-portal resolutions

 

Displaying Dot1x Web Authentication FQDN Allowlist Information

Use the show dot1x captive-portal bypass command to display the active bypass entries:

switch# show dot1x captive-portal bypass
Captive portal bypass:
*.eng.mycompany.com matched by 10.0.1.3, 1.0.2.4
web5.it.mycompany.com matched by 10.0.5.7

 

Use the show dot1x captive-portal resolutions command to display all reverse DNS resolution entries in use by the captive portal, including redirected IP addresses.

switch# show dot1x captive-portal resolutions
 Address          Hostnames                  Expiration
 ---------------  -------------------------  -------------------
 1.0.2.4          www1.eng.mycompany.com     2033-05-17 20:33:20
 10.0.5.7         web4.it.mycompany.com      2033-05-17 20:33:23
                  web5.it.mycompany.com
 10.10.1.3        -                          2033-05-17 20:33:26
 10.20.1.3        (pending)
 80.0.6.3         www1.eng.mycompany.com     2033-05-17 20:33:21

 

Displaying 802.1X Information

You can display information about 802.1X on the switch and on individual ports.

Displaying 802.1X Statistics

Use the show dot1x statistics command to display 802.1X statistics for the specified port or ports.

 

Example
  • This command displays IEEE 802.1X statistics for Ethernet interface 5.
    switch# show dot1x interface ethernet 5 statistics
    Dot1X Authenticator Port Statistics for Ethernet5
    -------------------------------------------------
    RxStart = 0      RxLogoff = 0    RxRespId = 0
    RxResp = 0       RxInvalid = 0   RxTotal = 0
    TxReqId = 0      TxReq = 0       TxTotal = 0
    RxVersion = 0    LastRxSrcMAC = 0000.0000.0000
    switch#

     

  • This command displays the dot1x dropped counters for all the dot1x interfaces.
    switch# show dot1x all statistics
    Dot1X Authenticator Port Statistics for Ethernet51/1
    -------------------------------------------------
    RX start = 1     RX logoff = 0   RX response ID = 1
    RX response = 10         RX invalid = 0  RX total = 12
    TX request ID = 2        TX request = 11         TX total = 13
    RX version = 2   Last RX src MAC = ded6.404b.ec94
    Data packet drop counters:
    EAPOL unauthorized port = 2
    EAPOL unauthorized host = 1
    MBA unauthorized host = 0
    
    Dot1X Authenticator Port Statistics for Ethernet49
    -------------------------------------------------
    RX start = 1     RX logoff = 0   RX response ID = 1
    RX response = 10         RX invalid = 0  RX total = 12
    TX request ID = 2        TX request = 11         TX total = 13
    RX version = 2   Last RX src MAC = ded6.404b.ec94
    Data packet drop counters:
    EAPOL unauthorized port = 2
    EAPOL unauthorized host = 1
    MBA unauthorized host = 0

     

Displaying 802.1X supplicant information

Use the show dot1x hosts command to display information for all the supplicants.

 

Example

This command displays 802.1X supplicant information.
switch# show dot1x hosts
    Interface: Ethernet1/1
    Supplicant MAC       Auth Method      State     VLAN Id
    --------------       -----------      -----     -------
    e2:29:cb:11:2f:4a    EAPOL            SUCCESS   300
    e2:29:cb:11:2f:4b    MAC-BASED-AUTH   SUCCESS   300

 

Displaying MAC Address Tables

Use the show mac address-table command to display the MAC address of the supplicants allowed to pass the traffic through the port.

 

Example

switch# show mac address-table
    Mac Address Table
    ------------------------------------------------------------------
    
    Vlan    Mac Address       Type        Ports      Moves   Last Move
    ----    -----------       ----        -----      -----   ---------
    300     e229.cb11.2f4a    STATIC      Et1/1
    300     e229.cb11.2f4b    STATIC      Et1/1
    Total Mac Addresses for this criterion: 2

 

Displaying Port Security Configuration Information

The show dot1x command shows information about the 802.1X configuration on the specified port or ports.

 

Example

This command displays IEEE 802.1X configuration information for Ethernet interface 5.
switch# show dot1x interface ethernet 5
Dot1X Information for Ethernet5
--------------------------------------------
PortControl             : auto
QuietPeriod             : 60 seconds
TxPeriod                : 5 seconds
ReauthPeriod            : 3600 seconds
MaxReauthReq            : 2
switch#

 

Displaying the Status of the 802.1X Attributes for each Port

Use the show dot1x interface interface-id command to display the status of the 802.1X attributes for each port.

 

Example
switch(config-if-Et1/1)# show dot1x interface ethernet1/1
       Dot1X Information for Ethernet1
       --------------------------------------------
       PortControl             : force-authorized
       HostMode                : multi-host
       QuietPeriod             : 60 seconds
       TxPeriod                : 5 seconds
       ReauthPeriod            : 0 seconds
       MaxReauthReq            : 2
       ReauthTimeoutIgnore     : No
       AuthFailVlan            : 10

 

Displaying 802.1X Information for all Ports

Use the show dot1x all brief command to display IEEE 802.1X status for all ports.

 

Example

This command displays a summary of IEEE 802.1X status.
switch# show dot1x all brief
Interface   Client   Status
----------  -------- -------------
Ethernet5   None     Unauthorized
switch#

 

Displaying VLANS

Use the show vlan command to display dynamically assigned VLANs on the port.

 

Example

switch# show vlan
    VLAN  Name          Status    Ports
    ----- ------------- --------- ----------------------------------
    1     default        active
    2     VLAN0002       active    Et7, Et17, Et18, Et41
    300*  VLAN0300       active    Et1/1, Et6, Et19, Et20, Et29
                                   Et30, Et31, Et32, Et42, Et43, Et44

* indicates a Dynamic VLAN

 

Displaying EAPOL Fallback to MBA Authentication and MBA Timeout Information

Use the show dot1x interface interface-id details command to display information about the EAPOL fallback to MBA authentication and the MBA timeout.

 

Example
switch(config-if-Et1)# show dot1x interface Ethernet1 details
Dot1X Information for Ethernet1
--------------------------------------------
Port control: auto
Host mode: multi-host authenticated
Quiet period: 60 seconds
TX period: 5 seconds
Maximum reauth requests: 2
Ignore reauth timeout: No
Auth failure VLAN: 101
Unauthorized access VLAN egress: Yes
Unauthorized native VLAN egress: Yes
EAPOL: enabled
MAC-based authentication: disabled
EAPOL authentication failure fallback: MBA, timeout 200 seconds
  
Dot1X Authenticator Client
   
Port status: Authorized
Supplicant MAC  Reauth Period (in seconds)
--------------  --------------------------
0022.0100.0001  120

 

802.1X Port Security Commands

Global Configuration Commands

  • dot1x system-auth-control

     

Dot1x Configuration Commands

  • aaa unresponsive action traffic allow vlan
  • captive portal
  • dot1x eapol
  • dot1x mac based authentication delay
  • dot1x mac based authentication hold period

     

Ethernet Interface Configuration Commands

  • dot1x host-mode
  • dot1x mac based authentication
  • dot1x pae authenticator
  • dot1x port-control
  • dot1x reauthentication
  • dot1x reauthorization request limit
  • dot1x timeout quiet-period
  • dot1x timeout reauth-period
  • dot1x timeout tx-period
  • statistics packets dropped

     

Privileged EXEC Commands

  • clear dot1x statistics
  • show dot1x
  • show dot1x all brief
  • show dot1x captive-portal bypass
  • show dot1x captive-portal resolutions
  • show dot1x hosts
  • show dot1x statistics

     

aaa unresponsive action traffic allow vlan

The aaa unresponsive action traffic allow vlan command enables the dot1x AAA unresponsive VLAN feature on the switch.

The no aaa unresponsive action traffic allow vlan command disables the dot1x AAA unresponsive VLAN feature by removing it from the running-config.

 

Command Mode

Dot1x Configuration Mode

 

Command Syntax

aaa unresponsive action traffic allow vlan VLAN-ID

no aaa unresponsive action traffic allow vlan

 

Parameters

  • unresponsive Configure AAA timeout options.
  • action Set action for supplicant when AAA times out.
  • traffic Set action for supplicant traffic when AAA times out.
  • allow Allow traffic when AAA times out.
  • vlan Allow traffic in VLAN when AAA times out.
  • VLAN-ID Identifier for a Virtual LAN. Value ranges from 1 to 4094.

     

Example

These commands place the switch in dot1x configuration mode and enable the dot1x AAA unresponsive VLAN feature on the switch.
switch(config)# dot1x
switch(config-dot1x)# aaa unresponsive action traffic allow vlan 50

captive portal

The captive portal command enables the 802.1X Web Authentication on the switch.

The no captive portal command removes the 802.1X Web Authentication configuration from the running-config.

 

Command Mode

Dot1x Configuration Mode

 

Command Syntax

captive portal url URL ssl profile profile access-list ipv4 ACL name bypass fqdn_wildcard request timeout seconds

no captive portal url URL ssl profile profile access-list ipv4 ACL name bypass fqdn_wildcard request timeout seconds

 

Parameters
  • url - Configure captive portal URL.
  • ssl - Configure SSL related option.
  • access-list - Configure access control list.
  • bypass - Configure Fully Qualified Domain Names (FQDN) for the redirection bypass list.
  • request timeout seconds - Configure the request timeout from 1 to 120 seconds. By default, the configuration uses 60 seconds. Specifies the time that the agent waits for an HTTP/HTTPS GET request.

     

Examples
  • This command enables 802.1X Web Authentication on the switch.
    switch(config)# dot1x
    switch(config-dot1x)# captive portal ssl profile test-ssl_profile

     

  • This command enables the ACL based Web authentication.
    switch(config)# dot1x
    switch(config-dot1x)# captive portal access-list ipv4 test-ACL

     

  • This command enables captive portal bypass redirection with the FQDN, www.mycompany.com.
    switch(config)# dot1x
    switch(config-dot1x)# captive portal bypass www.mycompany.com

     

clear dot1x statistics

The clear dot1x statistics command resets the 802.1X counters on the specified interface or all interfaces.

 

Command Mode

Privileged EXEC

 

Command Syntax

clear dot1x statistics INTERFACE_NAME

 

Parameters
INTERFACE_NAME Interface type and number. Options include:
  • all Resets the counters on all interfaces.
  • interface ethernet e_num Ethernet interface specified by e_num.
  • interface loopback l_num Loopback interface specified by l_num.
  • interface management m_num Management interface specified by m_num.
  • interface port-channel p_num Port-Channel Interface specified by p_num.
  • interface vlan v_num VLAN interface specified by v_num.

     

Example

This command resets the 802.1X counters on all interfaces.
switch# clear dot1x statistics all
switch#

dot1x eapol

The dot1x eapol command places the switch into 802.1X Configuration Mode and configures the EAPoL actions for Guest VLAN access. The [no | default] options revert the configuration to match the global configuration.

Command Mode

Dot1x Configuration Mode

Command Syntax

dot1x eapol unresponsive action traffic allow [vlan vlan_id]

Parameters

  • eapol - Configure Dot1x EAPOL attributes.
  • unresponsive - Configure unresponsive hosts.
  • action - Configure the action in case of EAPOL unresponsive hosts.
  • traffic - Configure the traffic action in case of EAPOL unresponsive hosts.
  • allow - Allow traffic in case of EAPOL unresponsive hosts.
  • vlan vlan_id - Specify the VLAN to allow traffic in case of EAPOL unresponsive hosts.

 

Example

To configure a guest VLAN on Ethernet6/1 and VLAN 25, use the following commands:
switch(config)#interface Ethernet6/1
switch(config-if-Et6/1)#dot1x
switch(config-dot1x)#eapol unresponsive action traffic allow vlan 25

dot1x mac based authentication

The dot1x mac based authentication command enables MAC-based authentication on the existing 802.1X authenticator port.

The no dot1x mac based authentication and the default dot1x mac based authentication commands restore the switch default by disabling the corresponding dot1x mac based authentication command for the specific 802.1X authenticator port.

 

Command Mode

Interface-Ethernet Configuration

 

Command Syntax

dot1x mac based authentication

no dot1x mac based authentication

default dot1x mac based authentication

 

Related Command

show dot1x hosts

 

Example

These commands configure MAC-based authentication on Ethernet interface 1.
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x mac based authentication
switch(config-if-Et1)#

dot1x mac based authentication delay

The dot1x mac based authentication delay command enables MAC-based authentication delay. By default, the delay is triggered after 5 seconds.

The no dot1x mac based authentication delay and the default dot1x mac based authentication delay commands restore the switch default by disabling the corresponding dot1x mac based authentication delay command.

 

Command Mode

Dot1x Configuration

 

Command Syntax

dot1x mac based authentication delay delay-time seconds

no dot1x mac based authentication delay

default dot1x mac based authentication delay

 

Parameters
  • delay-time Delay in seconds. The value is from 0 to 300.
  • seconds Unit in seconds.

     

Example

These commands configure a MAC-based authentication delay of 30 seconds on a switch.
switch(config)# dot1x
switch(config-dot1x)# mac based authentication delay 30 seconds

dot1x mac based authentication hold period

The dot1x mac based authentication hold period command enables MAC-based authentication hold period. By default, the hold period is 60 seconds.

The no dot1x mac based authentication hold period and the default dot1x mac based authentication hold period commands restore the switch default by disabling the corresponding dot1x mac based authentication hold period command.

 

Command Mode

Dot1x Configuration

 

Command Syntax

dot1x mac based authentication hold period hold-period-time seconds

no dot1x mac based authentication hold period

default dot1x mac based authentication hold period

 

Parameters
  • hold-period-time Hold period in seconds. The value is from 1 to 300.
  • seconds Unit in seconds.

 

Example

These commands configure a MAC-based authentication hold period of 100 seconds on a switch.
switch(config)# dot1x
switch(config-dot1x)# mac based authentication hold period 100 seconds

dot1x pae authenticator

The dot1x pae authenticator command sets the port access entity (PAE) type of the configuration mode interface to authenticator, which enables IEEE 802.1X on the port. EOS disables IEEE 802.1X on all ports by default.

The no dot1x pae authenticator and default dot1x pae authenticator commands restore the switch default by deleting the corresponding dot1x pae authenticator command from running-config.

 

Command Mode

Interface-Ethernet Configuration

Interface-Management Configuration

 

Command Syntax

dot1x pae authenticator

no dot1x pae authenticator

default dot1x pae authenticator

 

Examples
  • These commands configure interface ethernet 2 as a port access entity (PAE) authenticator, enabling IEEE 802.1X on the port.
    switch(config)# interface ethernet 2
    switch(config-if-Et2)# dot1x pae authenticator
    switch(config-if-Et2)#

     

  • These commands disable IEEE 802.1X authentication on interface ethernet 2.
    switch(config)# interface ethernet 2
    switch(config-if-Et2)# no dot1x pae authenticator
    switch(config-if-Et2)#

dot1x reauthentication

The dot1x reauthentication command configures the configuration mode interface to require re-authentication from clients at regular intervals. Use the dot1x timeout reauth-period command to set the interval.

The no dot1x reauthentication and default dot1x reauthentication commands restore the default setting by deleting the corresponding dot1x reauthentication command from running-config.

 

Command Mode

Interface-Ethernet Configuration

Interface-Management Configuration

 

Command Syntax

dot1x reauthentication

no dot1x reauthentication

default dot1x reauthentication

 

Example

These commands configure the interface Ethernet 1 authenticator to require periodic re-authentication from clients.
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x reauthentication
switch(config-if-Et1)#

dot1x reauthorization request limit

The dot1x reauthorization request limit command configures the number of times the switch retransmits an 802.1X Extensible Authentication Protocol (EAP) request packet before ending the conversation and restarting authentication.

The no dot1x reauthorization request limit and default dot1x reauthorization request limit commands restore the default value of 2 by deleting the corresponding dot1x reauthorization request limit command from running-config.

 

Command Mode

Interface-Ethernet Configuration

Interface-Management Configuration

 

Command Syntax

dot1x reauthorization request limit attempts

no dot1x reauthorization request limit

default dot1x reauthorization request limit

 

Parameter

attempts Maximum number of attempts. Values range from 1 to 10; default value is 2.

 

Examples
  • This command sets the 802.1X EAP-request retransmit limit to 6.
    switch(config)# interface ethernet 1 
    switch(config-if-Et1)# dot1x reauthorization request limit 6
    switch(config-if-Et1)#

     

  • This command restores the default request repetition value of 2.
    switch(config)# interface ethernet 1 
    switch(config-if-Et1)# no dot1x reauthorization request limit
    switch(config-if-Et1)#

     

dot1x system-auth-control

The dot1x system-auth-control command enables 802.1X authentication on the switch.

The no dot1x system-auth-control and default dot1x system-auth-control commands disable 802.1X authentication by removing the dot1x system-auth-control command from running-config.

 

Command Mode

Global Configuration

 

Command Syntax

dot1x system-auth-control

no dot1x system-auth-control

default dot1x system-auth-control

 

Examples
  • This command enables 802.1X authentication on the switch.
    switch(config)# dot1x system-auth-control
    switch(config)#

     

  • This command disables 802.1X authentication on the switch.
    switch(config)# no dot1x system-auth-control
    switch(config)#

dot1x timeout quiet-period

If the switch fails to immediately authenticate the client, the switch waits a specified time configured with the dot1x timeout quiet-period command. This timer also indicates the blocked time for a client with failed authentication.

The no dot1x timeout quiet-period and default dot1x timeout quiet-period commands restore the default quiet period of 60 seconds by removing the corresponding dot1x timeout quiet-period command from running-config.

 

Command Mode

Interface-Ethernet Configuration

Interface-Management Configuration

 

Command Syntax

dot1x timeout quiet-period quiet_time

no dot1x timeout quiet-period

default dot1x timeout quiet-period

 

Parameter

quiet_time Interval in seconds. Values range from 1 to 65535. Default value is 60.

 

Example

These commands set the 802.1X quiet period for Ethernet interface 1 to 30 seconds.
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x timeout quiet-period 30
switch(config-if-Et1)#

dot1x timeout reauth-period

The dot1x timeout reauth-period command specifies the time period that the configuration mode interface waits before requiring re-authentication from clients.

The no dot1x timeout reauth-period and default dot1x timeout reauth-period commands restore the default period of 60 minutes by removing the corresponding dot1x timeout reauth-period command from running-config.

 

Command Mode

Interface-Ethernet Configuration

Interface-Management Configuration

 

Command Syntax

dot1x timeout reauth-period reauth_time

no dot1x timeout reauth-period

default dot1x timeout reauth-period

 

Parameter

reauth_time The number of seconds the interface passes traffic before requiring re-authentication. Values range from 1 to 65535. Default value is 3600.

 

Example

These commands configure the interface Ethernet 1 authenticator to require re-authentication from clients every 6 hours (21600 seconds).
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x reauthentication
switch(config-if-Et1)# dot1x timeout reauth-period 21600
switch(config-if-Et1)#

dot1x timeout tx-period

The authenticator establishes authentication and re-authentication by sending Extensible Authentication Protocol (EAP) requests to the supplicant, and the supplicant sends a reply which the authenticator forwards to an authentication server. If the authenticator does not receive a reply to the EAP request, it waits a specified time before retransmitting the request. The dot1x timeout tx-period command configures the wait time.

The no dot1x timeout tx-period and default dot1x timeout tx-period commands restore the default wait time by removing the corresponding dot1x timeout tx-period command from running-config.

 

Command Mode

Interface-Ethernet Configuration

Interface-Management Configuration

 

Command Syntax

dot1x timeout tx-period tx_time

no dot1x timeout tx-period

default dot1x timeout tx-period

 

Parameter

tx_time Values range from 1 to 65535. Default value is 5.

 

Example

These commands configure interface Ethernet 1 to wait 30 seconds before retransmitting EAP requests to the supplicant.
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x timeout tx-period 30
switch(config-if-Et1)#

dot1x host-mode

When multiple clients are connected to an Ethernet interface providing 802.1X authentication, the port can accept packets from all MAC addresses once the supplicant has been authenticated (multi-host mode), accept only those packets originating from the MAC address of the authenticated client (single-host mode), or accept packets from multiple authenticated clients (multi-host authenticated mode). The dot1x host-mode command specifies the host mode for authentication of multiple clients on the configuration mode interface.

The no dot1x host-mode and default dot1x host-mode commands restore the switch default (multi-host mode) by removing the corresponding dot1x host-mode command for the configuration mode interface.

 

Command Mode

Interface-Ethernet Configuration

 

Command Syntax

dot1x host-mode [multi-host | single-host | multi-host authenticated]

no dot1x host-mode

default dot1x host-mode

 

Parameters
  • multi-host Configures the interface to use multi-host mode (the default).
  • single-host Configures the interface to use single-host mode.
  • multi-host authenticated Configures the interface to use multi-host authenticated mode.

     

Example

These commands configure interface Ethernet 1 to use single-host mode for 802.1X authentication.
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x host-mode single-host
switch(config-if-Et1)#

dot1x port-control

The dot1x port-control command configures the configuration mode interface as an authenticator port and specifies whether it will authenticate traffic.

The no dot1x port-control and default dot1x port-control commands configure the port to pass traffic without authorization by removing the corresponding dot1x port-control command from running-config.

 

Command Mode

Interface-Ethernet Configuration

Interface-Management Configuration

 

Command Syntax

dot1x port-control STATE

no dot1x port-control

default dot1x port-control

 

Parameters
STATE Specifies whether the interface will authenticate traffic. The default value is force-authorized. Options include:
  • auto Configures the port to authenticate traffic using Extensible Authentication Protocol messages.
  • force-authorized Configures the port to pass traffic without authentication.
  • force-unauthorized Configures the port to block all traffic regardless of authentication.

     

Examples
  • These commands configure interface Ethernet 1 to pass traffic without authentication. This is the default setting.
    switch(config)# interface Ethernet 1
    switch(config-if-Et1)# dot1x port-control force-authorized
    switch(config-if-Et1)#

     

  • These commands configure interface Ethernet 1 to block all traffic.
    switch(config)# interface Ethernet 1
    switch(config-if-Et1)# dot1x port-control force-unauthorized
    switch(config-if-Et1)#

     

  • These commands configure interface Ethernet 1 to authenticate traffic using EAP messages.
    switch(config)# interface Ethernet 1
    switch(config-if-Et1)# dot1x port-control auto
    switch(config-if-Et1)#
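
The interaction between dot1x port-control and dot1x host-mode decides which frames a port forwards. The following added example (not Arista code) models both settings so the difference between the three host modes is visible; the MAC addresses are constructed, and the single-host rule that a second supplicant is refused is this model's assumption.

```python
"""Admission model for an EOS 802.1X authenticator port.

Added example, not Arista code. It models the dot1x port-control and
dot1x host-mode settings described above so the security difference
between the host modes is visible. MAC addresses are constructed.
"""
from dataclasses import dataclass, field

PORT_CONTROLS = ("auto", "force-authorized", "force-unauthorized")
HOST_MODES = ("multi-host", "single-host", "multi-host authenticated")


@dataclass
class Dot1xPort:
    """One Ethernet port with its authenticator settings and supplicants."""
    port_control: str = "force-authorized"           # EOS default
    host_mode: str = "multi-host"                    # EOS default
    authenticated: set = field(default_factory=set)  # MACs that passed EAP

    def __post_init__(self):
        if self.port_control not in PORT_CONTROLS:
            raise ValueError(f"unknown port-control {self.port_control!r}")
        if self.host_mode not in HOST_MODES:
            raise ValueError(f"unknown host-mode {self.host_mode!r}")

    def authenticate(self, mac):
        """Record a successful EAP exchange for a supplicant MAC.

        Assumption of this model: a single-host port holds at most one
        authenticated MAC, so a second supplicant is refused.
        """
        mac = mac.lower()
        if (self.host_mode == "single-host" and self.authenticated
                and mac not in self.authenticated):
            return False
        self.authenticated.add(mac)
        return True

    def admits(self, src_mac):
        """Return True if a data frame with this source MAC is forwarded."""
        src_mac = src_mac.lower()
        if self.port_control == "force-authorized":
            return True                       # no authentication at all
        if self.port_control == "force-unauthorized":
            return False                      # everything is blocked
        # port-control auto: the host mode decides
        if self.host_mode == "multi-host":
            # Any MAC passes once at least one supplicant has authenticated;
            # an unmanaged device behind an authenticated one rides along.
            return bool(self.authenticated)
        # single-host and multi-host authenticated: per-MAC decision
        return src_mac in self.authenticated


def compare_host_modes(authenticated_mac, other_mac):
    """For each host mode, tell whether a frame from a second, never
    authenticated MAC is forwarded after one supplicant has authenticated."""
    result = {}
    for mode in HOST_MODES:
        port = Dot1xPort(port_control="auto", host_mode=mode)
        port.authenticate(authenticated_mac)
        result[mode] = port.admits(other_mac)
    return result


if __name__ == "__main__":
    outcome = compare_host_modes("aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb")
    for mode, allowed in outcome.items():
        print(f"{mode:26} second MAC forwarded: {allowed}")
```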

show dot1x all brief

The show dot1x all brief command displays the IEEE 802.1X status for all ports.

 

Command Mode

EXEC

 

Command Syntax

show dot1x all brief

 

Example

This command displays the IEEE 802.1X status.
switch# show dot1x all brief
Interface           Client          Status
-------------------------------------------------
Ethernet5           None            Unauthorized
switch#

show dot1x hosts

The show dot1x hosts command displays 802.1X information for all the supplicants.

 

Command Mode

EXEC

 

Command Syntax

show dot1x hosts [ethernet]

 

Parameter

ethernet e_num Ethernet interface specified by e_num.

 

Related Command

dot1x mac based authentication

 

Examples

  • This command displays 802.1X information for all the supplicants.
    switch# show dot1x hosts
    Legend:
    * - Statically configured VLAN                                                                            
    Port      Supplicant MAC Username           Auth  State         Fallback       VLAN   VLAN Name 
    --------- -------------- ------------------ ----- ------------- -------------- ------ ---------
    Et1/4     36d4.b67b.67c6 user101            EAPOL SUCCESS       NONE            123   DATA
    Et2/4     36d4.b67b.67c7 user102            EAPOL SUCCESS       NONE            124   VLAN0124
    Et1/4     36d4.b67b.68e3 36:d4:b6:7b:68:e3  MBA   SUCCESS       NONE            1*    default

     

  • Use the following command to display 802.1X details for an interface:

    switch# show dot1x hosts interface Ethernet2/4 detail
                                   
    Supplicant: user1 (36d4.b67b.67c8)
    Operational: 
    Supplicant MAC: 36d4.b67b.67c8 
    Supplicant IP: 192.168.1.4 sourceLldp 
    User name: user1 
    Interface: Ethernet2/4 
    Authentication method: EAPOL 
    Supplicant state: SUCCESS 
    Fallback Applied: AUTH-FAIL-VLAN 
    Reauthentication behaviour: DO-NOT-RE-AUTH 
    Reauthentication interval: 0 seconds 
    VLAN ID: 200 (static) 
    VLAN Name: VLAN0200 
    Device type: Phone 
    Accounting-Session-Id: 1x00000005 
    Captive portal:
                    
    AAA Server Returned: 
    Arista-WebAuth: 
    Filter-Id: WEB-AUTH-ACL 
    NAS-Filter-Rule: permit in ip from 11.0.0.0/8 to 12.0.0.0/8 
                     deny in ip from 10.1.0.0/16 to 20.1.0.0/16 
    Session-Timeout: 28800 seconds
    Idle-Timeout: 200 seconds
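
The table form of show dot1x hosts is what an operator would scrape when auditing which supplicants are on which ports. The following added example (not Arista code) parses the table shown above and triages the sessions; the extra AUTH-FAIL-VLAN row is constructed, and the triage rules are this example's own policy rather than EOS behaviour.

```python
"""Parse 'show dot1x hosts' output and triage the sessions it lists.

Added example, not Arista code. PAGE_OUTPUT is the table shown above;
CONSTRUCTED_ROW is a made-up extra session with a fallback VLAN applied.
The triage rules are this example's own policy, not EOS behaviour.
"""
from collections import Counter
from dataclasses import dataclass

PAGE_OUTPUT = """\
Legend:
* - Statically configured VLAN
Port      Supplicant MAC Username           Auth  State         Fallback       VLAN   VLAN Name
--------- -------------- ------------------ ----- ------------- -------------- ------ ---------
Et1/4     36d4.b67b.67c6 user101            EAPOL SUCCESS       NONE            123   DATA
Et2/4     36d4.b67b.67c7 user102            EAPOL SUCCESS       NONE            124   VLAN0124
Et1/4     36d4.b67b.68e3 36:d4:b6:7b:68:e3  MBA   SUCCESS       NONE            1*    default
"""
# Constructed row: a supplicant that ended up on the auth-fail VLAN.
CONSTRUCTED_ROW = ("Et3/1     36d4.b67b.70a1 contractor7        EAPOL SUCCESS       "
                   "AUTH-FAIL-VLAN  999   QUARANTINE\n")
SAMPLE = PAGE_OUTPUT + CONSTRUCTED_ROW


@dataclass
class Dot1xHost:
    port: str
    mac: str
    username: str
    auth: str          # EAPOL or MBA (MAC-based authentication)
    state: str
    fallback: str
    vlan: int
    static_vlan: bool  # '*' suffix in the VLAN column
    vlan_name: str


def parse_dot1x_hosts(text):
    """Return one Dot1xHost per data row of the table."""
    hosts = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Port "):
            in_table = True               # column header reached
            continue
        if not in_table or line.startswith("---") or not line.strip():
            continue
        parts = line.split(maxsplit=7)    # VLAN Name is the last column
        if len(parts) != 8:
            continue
        port, mac, user, auth, state, fallback, vlan, name = parts
        hosts.append(Dot1xHost(port, mac, user, auth, state, fallback,
                               int(vlan.rstrip("*")), vlan.endswith("*"), name))
    return hosts


def supplicants_per_port(hosts):
    """Count sessions per port; more than one means the port is not single-host."""
    return dict(Counter(h.port for h in hosts))


def review(hosts):
    """Flag sessions an operator would want to look at as (port, mac, reason)."""
    findings = []
    for h in hosts:
        if h.state != "SUCCESS":
            findings.append((h.port, h.mac, f"state {h.state}"))
        if h.fallback != "NONE":
            findings.append((h.port, h.mac, f"fallback {h.fallback} applied"))
        if h.auth == "MBA":
            findings.append((h.port, h.mac,
                             "MAC-based authentication: identified by MAC only, no EAP credential"))
    return findings


if __name__ == "__main__":
    parsed = parse_dot1x_hosts(SAMPLE)
    print(supplicants_per_port(parsed))
    for port, mac, reason in review(parsed):
        print(f"{port:8} {mac:16} {reason}")
```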

     

show dot1x statistics

The show dot1x statistics command displays 802.1X statistics for the specified port or ports.

 

Command Mode

EXEC

 

Command Syntax

show dot1x INTERFACE_NAME statistics

 

Parameters
  • INTERFACE_NAME Interface type and number. Options include:
    • all Display information for all interfaces.
    • ethernet e_num Ethernet interface specified by e_num.
    • loopback l_num Loopback interface specified by l_num.
    • management m_num Management interface specified by m_num.
    • port-channel p_num Port-Channel Interface specified by p_num.
    • vlan v_num VLAN interface specified by v_num.

       

  • Output Fields
    • RxStart Number of EAPOL-Start frames received on the port.
    • TxReqId Number of EAP-Request/Identity frames transmitted on the port.
    • RxVersion Version number of the last EAPOL frame received on the port.
    • RxLogoff Number of EAPOL-Logoff frames received on the port.
    • RxInvalid Number of invalid EAPOL frames received on the port.
    • TxReq Number of transmitted EAP-Request frames that were not EAP-Request/Identity.
    • LastRxSrcMAC The source MAC address in the last EAPOL frame received on the port.
    • RxRespId The number of EAP-Response/Identity frames received on the port.
    • RxTotal The total number of EAPOL frames received on the port.
    • TxTotal The total number of EAPOL frames transmitted on the port.

       

Example

This command displays the 802.1X statistics for interface ethernet 5.
switch# show dot1x interface ethernet 5 statistics
Dot1X Authenticator Port Statistics for Ethernet5
-------------------------------------------------
RxStart = 0      RxLogoff = 0    RxRespId = 0
RxStart= 0       RxInvalid = 0   RxTotal = 0
TxReqId = 0      TxReq = 0       TxTotal = 0
RxVersion = 0    LastRxSrcMAC = 0000.0000.0000
switch#

show dot1x

The show dot1x command displays 802.1X information for the specified interface.

 

Command Mode

EXEC

 

Command Syntax

show dot1x INTERFACE_NAME INFO

 

Parameters
  • INTERFACE_NAME Interface type and number. Options include:
    • all Display information for all interfaces.
    • ethernet e_num Ethernet interface specified by e_num.
    • loopback l_num Loopback interface specified by l_num.
    • management m_num Management interface specified by m_num.
    • port-channel p_num Port-Channel Interface specified by p_num.
    • vlan v_num VLAN interface specified by v_num.

       

  • INFO Type of information the command displays. Values include:
    • no parameter displays summary of the specified interface.
    • detail displays all 802.1X information for the specified interface.

       

Examples
  • This command displays 802.1X summary information for interface ethernet 5.
    switch# show dot1x interface ethernet 5
    Dot1X Information for Ethernet5
    --------------------------------------------
    PortControl             : auto
    QuietPeriod             : 60 seconds
    TxPeriod                : 5 seconds
    ReauthPeriod            : 3600 seconds
    MaxReauthReq            : 2
    switch#

     

  • This command displays detailed 802.1X information for interface ethernet 5.
    switch# show dot1x interface ethernet 5 detail
    Dot1X Information for Ethernet5
    --------------------------------------------
    PortControl             : auto
    QuietPeriod             : 60 seconds
    TxPeriod                : 5 seconds
    ReauthPeriod            : 3600 seconds
    MaxReauthReq            : 2
    
    Dot1X Authenticator Client
    
    Port Status             : Unauthorized
    switch#

     

show dot1x captive-portal bypass

The show dot1x captive-portal bypass command displays information about dot1x captive portal bypass configurations.

 

Command Mode

EXEC

 

Command Syntax

show dot1x captive-portal bypass address [ipv4 | ipv6]

 

Parameters

  • [ipv4 | ipv6] - Display dot1x captive portal bypass information for a specific IP address.

 

Use the following command to display information about dot1x captive portal bypass entries:
switch# show dot1x captive-portal bypass
Captive portal bypass:
*.eng.mycompany.com matched by 10.0.1.3, 1.0.2.4
web5.it.mycompany.com matched by 10.0.5.7

show dot1x captive-portal resolutions

The show dot1x captive-portal resolutions command displays information for all reverse DNS resolution entries in use by the captive portal.

 

Command Mode

EXEC

 

Command Syntax

show dot1x captive-portal resolutions address [ipv4 | ipv6]

 

Parameters

  • [ipv4 | ipv6] - Display dot1x captive portal resolutions information for a specific IP address.

The table displays the following information:

  • Address - Displays the IP address the supplicant attempted to access and used to find the hostname through reverse DNS.
  • Hostnames - Displays the hostnames reported by the DNS server. The entry displays (pending) if the resolution has not completed, and - if the resolution completed but no hostname was found or if the resolution timed out.
  • Expiration - The time at which the resolution expires, derived from the time-to-live (TTL) the DNS server provided with a valid resolution; the resolution is updated after that time.

 

Use the following command to display information about dot1x captive portal resolution entries:

switch#show dot1x captive-portal resolutions 
   Address         Hostnames                       Expiration
--------------- ------------------------- -------------------
   1.0.2.4         www1.eng.arista.com    2033-05-17 20:33:20
   10.0.5.7        web4.it.arista.com     2033-05-17 20:33:23
   web5.it.mycompany.com
   10.10.1.3       -                      2033-05-17 20:33:26
   10.20.1.3       (pending)
   80.0.6.3        www1.eng.mycompany.com 2033-05-17 20:33:21

statistics packets dropped

The statistics packets dropped command enables the dot1x dropped-packet counters on the switch in dot1x configuration mode. By default, EOS disables the dot1x dropped counters.

The no statistics packets dropped command disables the dot1x dropped counters by removing the command from the running configuration.

 

Command Mode

Dot1x Configuration

 

Command Syntax

statistics packets dropped

no statistics packets dropped

 

Example

This command, entered in dot1x configuration mode, enables the dot1x dropped counters.
switch(config-dot1x)# statistics packets dropped
switch(config-dot1x)#

EOS 4.34.0F User Manual - Data Plane Security

Data Plane Security

This section contains the following topics:
  • IP NAT
  • Media Access Control Security
  • Internet Protocol Security (IPsec)
  • Macro-Segmentation Service (CVX)

     

IP NAT

Network Address Translation (NAT) is a router process that modifies the address information of IP packets in transit. NAT is typically used to correlate address spaces between a local network and a remote, often public, network. Static NAT defines a one-to-one map between local and remote IP addresses. Static maps are configured manually through CLI commands. An interface can support multiple NAT commands, but each command must specify a unique local IP address-port location.

NAT is configured on routers with interfaces connecting to the local networks and interfaces connecting to a remote network.

 

Inside and Outside Addresses

NAT configurations categorize IP addresses into one of two categories: inside or outside. Inside refers to IP addresses used within the organizational network, while outside refers to addresses on an external network outside the organizational network.

Static IP NAT

Static NAT configurations create a one-to-one mapping and translate a particular address to another address. This type of configuration creates a permanent entry in the NAT table as long as the configuration is present, enabling both inside and outside hosts to initiate a connection.

Static NAT options include source NAT, destination NAT, and Twice Network Address Translation (Twice NAT).
  • Source NAT modifies the source address in the IP header of a packet exiting the interface and can optionally change the source port referenced in the TCP/UDP headers.

     

  • Destination NAT modifies the destination address in the IP header of a packet entering the interface and can optionally change the destination port referenced in the TCP/UDP headers.

     

  • Twice NAT modifies both the source and destination IP addresses of packets traversing the interface. The process optionally changes L4 port information within TCP/UDP headers. Implement Twice NAT to prevent conflicts when inside network addresses overlap with outside network addresses. When a packet exits the interface, local source and destination addresses are translated to global source and destination addresses. When a packet enters the interface, global source and destination addresses are translated to local source and destination addresses.

     

Configuring Static NAT

Configuring Source NAT

Enable the NAT of a source address (source NAT) using the ip nat source static command for the configuration mode interface. Applying source NAT to interfaces that connect to local hosts shields the hosts' IP address when sending IP packets to remote destinations.

This command installs hardware translation entries for forward and reverse unicast traffic. When the rule specifies a multicast group, the command does not install the reverse path in hardware. The command may include an access control list to filter packets for translation.

 

Note: The switch uses one common NAT table for the entire switch, not one table per interface. For example, if the same inside local address is translated to different inside global addresses depending on the interface it exits, a packet exiting interface A might be translated to interface B's inside global address. To avoid this, use an access list that differentiates the rules by destination IP address.

 

 

Figure 1. Source NAT Example


 

Example

These commands configure VLAN 201 to translate source address 10.24.1.10 to 168.32.14.15.
switch(config)# interface vlan 201
switch(config-if-Vl201)# ip nat source static 10.24.1.10 168.32.14.15
switch(config-if-Vl201)#

 

The ip nat source static command may include an ACL to limit packet translation. Only packets that match the ACL are translated. ACLs configured for source NAT must specify a source IP address of any; source port or protocol matching is not permitted. The destination may be an IP subnet. Commands referencing nonexistent ACLs are accepted by the CLI but are not installed in hardware until the ACL is created. Modifying a referenced ACL causes the corresponding hardware entries to be replaced by entries that match the new command.

 

Example

These commands configure VLAN 101 to translate the source address 10.24.1.10 to 168.32.14.15 for all packets with IP destination addresses in the 168.10.1.1/24 subnet.
switch(config)# ip access-list ACL1
switch(config-acl-ACL1)# permit ip any 168.10.1.0/24
switch(config-acl-ACL1)# exit
switch(config)# interface vlan 101
switch(config-if-Vl101)# ip nat source static 10.24.1.10 access-list ACL1 168.32.14.15
switch(config-if-Vl101)#

 

Configuring Destination NAT

Enable the NAT of a destination address (destination NAT) using the ip nat destination static command for the configuration mode interface. Applying destination NAT to interfaces that connect to remote hosts shields the IP address of the recipient host when receiving IP packets from remote destinations.

This command installs hardware translation entries for forward and reverse unicast traffic. When the rule specifies a multicast group, the command does not install the reverse path in hardware. The command may include an access control list to filter packets for translation.

Figure 2. Destination NAT Example


 

 

Example

These commands configure VLAN 201 to translate destination address 168.32.14.15 to 10.24.1.10.
switch(config)# interface vlan 201
switch(config-if-Vl201)# ip nat destination static 168.32.14.15 10.24.1.10
switch(config-if-Vl201)#

 

The ip nat destination static command may include an ACL to limit packet translation. Only packets whose source IP address matches the ACL are cleared. ACLs configured for destination NAT must specify a destination IP address of any. Destination port or protocol matching is not permitted. The source may be an IP subnet. Commands referencing nonexistent ACLs are accepted by the CLI but not installed in hardware until the ACL is created. Modifying a referenced ACL causes the corresponding hardware entries to be replaced by entries that match the new command.

 

Example

These commands configure VLAN 201 to translate the destination address 168.32.14.15 to 10.24.1.10 for all packets with the source of host 168.10.1.4.
switch(config)# ip access-list ACL2
switch(config-acl-ACL2)# permit ip 168.10.1.4/32 any
switch(config-acl-ACL2)# exit
switch(config)# interface vlan 201
switch(config-if-Vl201)# ip nat destination static 168.32.14.15 access-list ACL2 10.24.1.10
switch(config-if-Vl201)#

 

Configuring Twice NAT

Network address translation of both source and destination addresses on the same interface (twice NAT) is enabled by creating one source NAT rule and one destination NAT rule on the same interface and associating them through a NAT group using the ip nat source static and ip nat destination static commands.

The ip nat source static command translates the actual local source address to a source address, which can be used outside the local network to reference the source. The ip nat destination static command translates an internally used destination address to the actual IP address that is the packet's destination.

The source and destination NAT rules must reference the same NAT group, and both should either specify only IP addresses or specify both IP addresses and L4 port information. An error message will be displayed if L4 port information is configured in one rule but not in the other.

Each NAT rule installs hardware translation entries for forward and reverse unicast traffic. When the rule specifies a multicast group, the command does not install the reverse path in hardware. Twice NAT does not support using access control lists to filter packets for translation.

 

Example

These commands configure interface ethernet 2 to translate the local source address 10.24.1.10 to the global source address 168.32.14.15, and to translate the local destination address 10.68.104.3 to the global destination address 168.25.10.7 for all packets moving through the interface. The use of NAT group 3 is arbitrary, but must be the same in both rules.
switch(config)# interface ethernet 2
switch(config-if-Et2)# ip nat source static 10.24.1.10 168.32.14.15 group 3
switch(config-if-Et2)# ip nat destination static 10.68.104.3 168.25.10.7 group 3

 

Static NAT Configuration Considerations

Egress VLAN Filter for Static NAT

When a static source NAT is configured on an interface, the source IP translation happens only for those packets going 'out' of this interface. If a packet is egressing on an interface that does not have NAT configured, then the source IP is not translated.

When static SNAT is configured on two interfaces, the translation specified for one interface can be applied to a packet going out on the other interface.

 

Examples
  • In this example, the packets with source IP 20.1.1.1 going out of E1 will still have the source IP translated to 172.1.1.1 even though the rule is configured in E2 and not on E1.
    switch(config)# interface ethernet 1
    switch(config-if-Et1)# ip nat source static 10.1.1.1 171.1.1.1
    switch(config)# interface ethernet 2
    switch(config-if-Et2)# ip nat source static 20.1.1.1 172.1.1.1

     

  • To prevent this, use an ACL to filter the traffic that needs NAT on the interfaces.
    switch(config)# ip access-list acl1
    switch(config-acl-acl1)# permit ip any 171.1.1.0/24
    switch(config)# ip access-list acl2
    switch(config-acl-acl2)# permit ip any 172.1.1.0/24
    switch(config)# interface ethernet 1
    switch(config-if-Et1)# ip nat source static 10.1.1.1 access-list acl1 171.1.1.1
    switch(config)# interface ethernet 2
    switch(config-if-Et2)# ip nat source static 20.1.1.1 access-list acl2 172.1.1.1

     

  • ACL filtering is not supported when using twice NAT.
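
The note about the switch-wide NAT table and the egress-filter example above describe the same effect from two angles. The following added example (not Arista code) models that behaviour with the two rules from the example, with and without their ACLs; the routes, addresses and interface names are constructed, and the model's rule that translation only happens on interfaces that have NAT configured is taken from the text above.

```python
"""Model of the switch-wide static source-NAT table described above.

Added example, not Arista code. It shows why a source NAT rule configured
on one interface can translate packets leaving a different interface, and
how an ACL of the form 'permit ip any <destination subnet>' scopes each
rule. Routes, addresses and interface names are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SnatRule:
    """ip nat source static LOCAL [access-list ACL] GLOBAL on an interface."""
    interface: str
    local: str
    global_addr: str
    acl_dst: Optional[str] = None   # destination subnet permitted by the ACL


class StaticNatModel:
    """One NAT table for the whole switch, consulted on egress."""

    def __init__(self, routes):
        self.routes = {ipaddress.ip_network(p): i for p, i in routes.items()}
        self.rules = []

    def add(self, rule):
        # Each command needs a unique local address (within its ACL scope).
        for r in self.rules:
            if r.local == rule.local and r.acl_dst == rule.acl_dst:
                raise ValueError(f"duplicate local address {rule.local}")
        self.rules.append(rule)

    def egress_interface(self, dst):
        """Longest-prefix lookup of the outgoing interface."""
        addr = ipaddress.ip_address(dst)
        matches = [(n.prefixlen, i) for n, i in self.routes.items() if addr in n]
        if not matches:
            raise LookupError(f"no route to {dst}")
        return max(matches)[1]

    def forward(self, src, dst):
        """Return (egress interface, source address the packet leaves with)."""
        iface = self.egress_interface(dst)
        # Translation happens only on interfaces that have NAT configured...
        if not any(r.interface == iface for r in self.rules):
            return iface, src
        # ...but the table is shared: the rule's own interface is not checked.
        for r in self.rules:
            if r.local != src:
                continue
            if (r.acl_dst is not None and
                    ipaddress.ip_address(dst) not in ipaddress.ip_network(r.acl_dst)):
                continue
            return iface, r.global_addr
        return iface, src


ROUTES = {"171.1.1.0/24": "Ethernet1",
          "172.1.1.0/24": "Ethernet2",
          "173.1.1.0/24": "Ethernet3"}   # Ethernet3 has no NAT rule


def build(scoped):
    """The two rules from the example above, with or without their ACLs."""
    model = StaticNatModel(ROUTES)
    model.add(SnatRule("Ethernet1", "10.1.1.1", "171.1.1.1",
                       "171.1.1.0/24" if scoped else None))
    model.add(SnatRule("Ethernet2", "20.1.1.1", "172.1.1.1",
                       "172.1.1.0/24" if scoped else None))
    return model


if __name__ == "__main__":
    for scoped in (False, True):
        iface, src = build(scoped).forward("20.1.1.1", "171.1.1.50")
        print(f"ACL scoped={scoped}: 20.1.1.1 -> 171.1.1.50 leaves {iface} as {src}")
```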

     

Dynamic NAT

Dynamic NAT offers a solution when fewer outside addresses are available than the number of internal hosts requiring external access. The process creates a dynamic entry in the NAT table when a host initiates an outbound connection. This entry establishes a one-to-one mapping between the internal private address and the available outside address. The specific outside address assigned to a host can vary and depends on the addresses available in the pool at the time of the connection request. Dynamic NAT sessions initiate only from inside networks. NAT should be configured on a Layer 3 interface, either a routed port or a Switch Virtual Interface (SVI). Dynamic NAT entries are removed from the translation table if the host doesn't communicate for a specific period. The address returns to the pool for use by another host.

Figure 3. Dynamic NAT Scenario


 

Dynamic NAT options:
  • Many-to-Many NAT

    Many-to-Many NAT maps local addresses to a global address selected from a pool of global addresses. After the pool is configured, the first available address from the pool is picked dynamically on receiving the first packet.

     

  • Many-to-One NAT (PAT)

    PAT is a form of dynamic NAT where multiple local addresses are mapped to a single global address (many-to-one) using different source ports. This method is also called NAT Overloading, Network Address Port Translation (NAPT), and Masquerade. The global address can be the IP address configured on the outside interface.

    Hardware entries that translate packets are created when the CLI command is processed. Entries for forward and reverse traffic are created for unicast traffic. The hardware entry for reverse traffic is not created for multicast traffic.

    Commands may include ACLs to filter packets that are cleared. Source NAT uses ACLs to filter packets based on the destination IP address, while destination NAT uses ACLs to filter packets based on the source IP address. When using NAT, inside usually refers to a private network, while outside usually refers to a public network.

    A switch with NAT configured translates forwarded traffic between inside and outside interfaces and the flow that matches the criteria specified for translation.

    The same IP address can't be used for the NAT static configuration and in the pool for dynamic NAT configurations. Public IP addresses must be unique. The global addresses used in static translations aren't excluded from dynamic pools containing the same global addresses.


     

     

    Note: Dynamic NAT with ACL destination port is not supported on the 7050SX3 switch.

     

     

Configuring Dynamic NAT

Prerequisites
  • Configure an ACL to specify IP addresses for translation.

     

  • Determine if you should use an IP address as the translated source address.

     

  • Decide on a public IP address pool for address translation.

     

Configure the Address Pool

The addresses used for translation are configured by issuing the ip nat pool command in global configuration mode.

 

Example

This command configures the pool of addresses using start address, and end address.
switch(config)# ip nat pool p1 10.15.15.15 10.15.15.25 
switch(config)#

 

Set the IP Address

The ip address command configures VLAN 201 with an IP address.

 

Examples
  • This command configures an IPv4 address for VLAN 201.
    switch(config)# interface vlan 201
    switch(config-if-Vl201)# ip address 10.0.0.1/24
    switch(config-if-Vl201)#

     

  • This command configures the dynamic NAT source address and sets the NAT overload for pool P2.
    switch(config-if-Vl201)# ip nat source dynamic access-list ACL2 pool p2
    switch(config-if-Vl201)#

     

Configuring Dynamic NAT Priority

For each dynamic NAT configuration, you can specify a priority, from lowest to highest, in interface configuration mode. The ip nat source dynamic command allows you to configure the dynamic NAT priority for the source IP address. Multiple dynamic NAT configurations have the same priority irrespective of the order in which they are configured. If a priority is not specified in a NAT rule, the default priority is 0 (lowest priority).

Service FTP dynamic NAT rules with a single IP in the pool are considered to be of the highest priority.

 

Note: Priorities in address-only and non-address-only NAT rules are independent of each other.

 

Example

This command configures the dynamic NAT priority of the access-list in the pool with the order a5 > a4 > a3 > a2 > a1 > a0.
switch(config)# interface vlan 201
switch(config-if-Vl201)# ip address 10.0.0.1/24
switch(config-if-Vl201)# ip nat source dynamic access-list a0 pool p0
switch(config-if-Vl201)# ip nat source dynamic access-list a1 pool p1 priority 1
switch(config-if-Vl201)# ip nat source dynamic access-list a2 pool p2 priority 2
switch(config-if-Vl201)# ip nat source dynamic access-list a3 pool p3 priority 3
switch(config-if-Vl201)# ip nat source dynamic access-list a4 pool p4 priority 4
switch(config-if-Vl201)# ip nat source dynamic access-list a5 pool p5 priority 5
switch(config-if-Vl201)#

 

Configuring Dynamic NAT with Overload

The following configures a dynamic NAT profile with overload.

 

Example

This command configures the dynamic NAT for overload.
ip nat profile patName
   ip nat source dynamic access-list accessList1 overload
!

ip access-list accessList1
20 permit ip host 1.1.1.2 any log

 

Define the NAT Source Address for Translation

The ip nat source dynamic command specifies a dynamic translation from the source IP address to the pool and to overload the pool address (or addresses).

 

Example

This command configures the dynamic NAT source address and sets the pool P2 NAT overload.
switch(config)# interface ethernet 3/1
switch(config-if-Et3/1)# ip nat source dynamic access-list ACL2 pool p2
switch(config-if-Et3/1)#

 

Specify the Timeout Values

The ip nat translation tcp-timeout or ip nat translation udp-timeout commands alter the translation timeout period for NAT translation table entries.

 

Examples
  • This command globally sets the timeout for TCP to 600 seconds.
    switch(config)# ip nat translation tcp-timeout 600
    switch(config)#

     

  • This command globally sets the timeout for UDP to 800 seconds.
    switch(config)# ip nat translation udp-timeout 800 
    switch(config)#

     

 

Verify the NAT Configuration

Display the Address Pools

The show ip nat pool command displays the configuration of the address pool.

 

Example

This command displays all the address pools configured on the switch.
switch# show ip nat pool

Pool      StartIp           EndIp           Prefix
p1        10.15.15.15       10.15.15.25     24
p2        10.10.15.15       10.10.15.25     22
p3        10.12.15.15       10.12.15.25     12

switch#

 

Clearing IP NAT Table Entries

Use the clear ip nat flow translation command to remove all or the specified NAT table entries.

 

Example

This command clears all dynamic entries from the NAT table.
switch# clear ip nat flow translation
switch#

 

Dynamic NAT Configuration Considerations

Configuring Dynamic NAT Using Pools in a L2 Adjacent Network
When configuring many-to-one dynamic NAT using a NAT pool, and the next hop router for the NAT device is on the same network (L2 adjacent), you must configure the IP addresses in the NAT pool as a secondary address on the interface.

 

Example:

The IP addresses in the NAT pool are configured as the secondary address on the interface.
switch(config)# ip nat pool p1 10.1.1.1 10.1.1.4 prefix-length 24
switch(config)# interface ethernet 1
switch(config-if-Et1)# ip nat source dynamic access-list a1 pool p1
switch(config-if-Et1)# ip address 10.1.1.1/24 secondary
switch(config-if-Et1)# ip address 10.1.1.2/24 secondary
switch(config-if-Et1)# ip address 10.1.1.3/24 secondary
switch(config-if-Et1)# ip address 10.1.1.4/24 secondary

 

Configuring Dynamic NAT Using Pool in a L3 Network

If the next hop of the NAT device is on a different subnet, configure a static Null route for the IP addresses in the NAT pool. Redistribute the static route using BGP/OSPF.

 

Examples
  • Outside Interface

    switch(config)# interface port-channel 319
    switch(config-if-Po319)# ip nat source dynamic access-list dynamic-nat-m2m pool natpl-dynamic-nat-m2m
    switch(config)# ip access-list dynamic-nat-m2m
    switch(config-acl-dynamic-nat-m2m)# 10 permit ip 192.168.93.0/24 any
    switch(config)# ip nat pool natpl-dynamic-nat-m2m prefix-length 24
    switch(config-natpool-p1)# range 11.3.3.2 11.3.3.10

     

  • Static Null Route for Virtual IP
    switch(config)# ip route 11.0.0.0/8 Null0
    switch(config)# router ospf 1
    switch(config-router-ospf)# redistribute static

     

     

Configuring Dynamic NAT Using Overload with ECMP Routes
Do not configure Dynamic many-to-one NAT using overload (PAT) on interfaces that form an ECMP group. When one interface in the group goes down, the return packet for established connections will continue to go to the IP address of the interface that went down and will not be forwarded to the inside host. For this type of scenario, use Dynamic NAT with pool configurations.

Dynamic NAT Peer State Synchronization

NAT peer state synchronization provides redundancy and resiliency for dynamic NAT across a pair of devices, so that the failure of a single NAT device is tolerated. Both devices in the redundant pair are active: they track new sessions and create or delete NAT entries dynamically. Essentially, an active NAT entry is maintained on both devices, irrespective of which device created it.

Configuring Dynamic NAT Peer State Synchronization
Ensure the following prerequisites are in place before configuring NAT peer state synchronization on devices in a redundant pair.
  • Both devices in redundant pairs must be reachable across an IP address within the same subnet.

     

  • NAT version on both devices in redundant pair must be compatible.

     

  • Dynamic NAT configuration must be identical across both devices in redundant pairs.

     

The following configuration output indicates a valid running configuration of the NAT peer state synchronization on one device.

ip nat pool POOL61 prefix-length 24
  range 170.24.0.2 170.24.0.200


ip access-list NatACL61
  10 permit ip 61.0.0.0/16 any


interface Port-Channel5
  mtu 9214
  no switchport
  ip address 10.0.0.1/31
  ip nat source dynamic access-list NatACL61 pool POOL61


ip nat synchronization
  peer-address 11.11.11.1
  local-interface Vlan1111
  port-range 1024 2048

 

The following limitations are applicable during NAT peer state synchronization.
  • To prevent virtual IP address conflicts during dynamic NAT peer state synchronization, ensure the configured port ranges for each switch are disjoint, meaning they do not overlap.

     

  • NAT peer state synchronization does not support asymmetrical TCP setup (SYN—SYNACK—ACK should always be hashed to the same peer).

     

  • Peer state synchronization for NAT only occurs for connections in the TCP-established state.

     

The following command configures a description for the local device in the synchronization pair.
switch(config)# ip nat synchronization
switch(config-nat-synchronization)# description <description>

The following command specifies the time the switch waits before timing out existing connections.
switch(config)# ip nat synchronization
switch(config-nat-synchronization)# expiry-interval 6

The following command specifies the IP address of the peer device with which NAT state is synchronized.
switch(config)# ip nat synchronization
switch(config-nat-synchronization)# peer-address 202.1.1.2

This command displays the translations that the device advertises to its peer.
switch(config)# show ip nat synchronization advertised-translations
Source IP        Destination IP Translated IP    TGT  Type Interface/Profile
--------------------------------------------------------------------------------------------
10.1.3.10:21800  191.1.1.10:80  139.1.1.1:21800  SRC  DYN  Port-Channel100
10.1.2.10:13750  191.1.1.10:80  139.1.1.1:13750  SRC  DYN  Port-Channel100
10.1.2.10:33757  191.1.1.10:80  139.1.1.1:5951   SRC  DYN  Port-Channel100
10.1.5.10:37111  191.1.1.10:80  139.1.1.1:7561   SRC  DYN  Port-Channel100

 

The following command displays the translations discovered from the peer device, that is, the translations the peer has advertised.
switch(config)# show ip nat synchronization discovered-translations
Source IP        Destination IP Translated IP    TGT  Type Interface/Profile
--------------------------------------------------------------------------------------------
10.1.3.10:28606  191.1.1.10:80  139.1.1.1:28606  SRC  DYN  Port-Channel100
10.1.6.10:39697  191.1.1.10:80  139.1.1.1:39697  SRC  DYN  Port-Channel100
10.1.6.10:20583  191.1.1.10:80  139.1.1.1:31683  SRC  DYN  Port-Channel100
10.1.6.10:28419  191.1.1.10:80  139.1.1.1:28419  SRC  DYN  Port-Channel100
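
Comparing the two outputs above across the pair tells an operator whether both devices really hold the same dynamic NAT state. The script below is an added example, not part of this guide or of EOS: parse_translation_table, entry_key and reconcile are constructed names, the advertised table is the output shown above, and the discovered table of the second peer is constructed so that one advertised entry is missing and one stale entry lingers.

```python
from typing import List, NamedTuple, Tuple


class Translation(NamedTuple):
    source: str        # inside address:port
    destination: str   # destination address:port
    translated: str    # translated address:port
    target: str        # TGT column: which address is rewritten (SRC)
    kind: str          # Type column: DYN for dynamic NAT
    intf: str          # Interface/Profile column


def parse_translation_table(text: str) -> List[Translation]:
    """Parse the tabular output of the show ip nat synchronization commands.
    Prompt, header and separator lines are skipped; data rows have six columns."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Source" or parts[0].startswith(("switch", "-")):
            continue
        rows.append(Translation(*parts[:6]))
    return rows


def entry_key(t: Translation) -> Tuple[str, str, str, str]:
    """Identity of a translation. The interface column is local to each
    peer and is therefore left out of the comparison."""
    return (t.source, t.destination, t.translated, t.kind)


def reconcile(advertised: List[Translation], discovered: List[Translation]):
    """Compare what one peer advertises with what the other peer has discovered.
    Returns (missing_on_peer, unknown_to_advertiser): entries advertised but not
    present on the peer, and entries the peer holds that were never advertised."""
    adv = {entry_key(t): t for t in advertised}
    disc = {entry_key(t): t for t in discovered}
    missing = [adv[k] for k in sorted(adv.keys() - disc.keys())]
    unknown = [disc[k] for k in sorted(disc.keys() - adv.keys())]
    return missing, unknown


# Output of 'show ip nat synchronization advertised-translations' on the
# first peer, as shown above.
ADVERTISED_ON_A = """\
switch(config)# show ip nat synchronization advertised-translations
Source IP        Destination IP Translated IP    TGT  Type Interface/Profile
--------------------------------------------------------------------------------------------
10.1.3.10:21800  191.1.1.10:80  139.1.1.1:21800  SRC  DYN  Port-Channel100
10.1.2.10:13750  191.1.1.10:80  139.1.1.1:13750  SRC  DYN  Port-Channel100
10.1.2.10:33757  191.1.1.10:80  139.1.1.1:5951   SRC  DYN  Port-Channel100
10.1.5.10:37111  191.1.1.10:80  139.1.1.1:7561   SRC  DYN  Port-Channel100
"""

# Constructed 'discovered-translations' output of the second peer: the entry
# for 10.1.5.10:37111 has not arrived, and a stale entry for 10.1.9.10:40001 lingers.
DISCOVERED_ON_B = """\
switch(config)# show ip nat synchronization discovered-translations
Source IP        Destination IP Translated IP    TGT  Type Interface/Profile
--------------------------------------------------------------------------------------------
10.1.3.10:21800  191.1.1.10:80  139.1.1.1:21800  SRC  DYN  Port-Channel100
10.1.2.10:13750  191.1.1.10:80  139.1.1.1:13750  SRC  DYN  Port-Channel100
10.1.2.10:33757  191.1.1.10:80  139.1.1.1:5951   SRC  DYN  Port-Channel100
10.1.9.10:40001  191.1.1.10:80  139.1.1.1:40001  SRC  DYN  Port-Channel100
"""


def audit_pair() -> Tuple[List[Translation], List[Translation]]:
    return reconcile(parse_translation_table(ADVERTISED_ON_A),
                     parse_translation_table(DISCOVERED_ON_B))


if __name__ == "__main__":
    missing, unknown = audit_pair()
    for t in missing:
        print("not yet on peer:", t.source, "->", t.translated)
    for t in unknown:
        print("stale on peer:  ", t.source, "->", t.translated)
```

A persistent non-empty result in either direction, after allowing for the expiry interval, points at a synchronization problem worth checking with show ip nat synchronization peer.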

 

Applying NAT profile on a Tunnel Interface

The following commands apply a configured NAT profile to a tunnel interface.

Example

These commands apply the NAT configuration profile natNameProfile to interface Tunnel0.
interface Tunnel0
   ip address 10.1.1.1/24
   tunnel source 2.1.1.1
   tunnel destination 2.1.1.2
   ip nat service-profile natNameProfile

 

IP NAT Commands

 

  • clear ip nat flow translation
  • ip address
  • ip nat destination static
  • ip nat pool
  • ip nat source dynamic
  • ip nat source static
  • ip nat translation counters
  • ip nat translation low-mark
  • ip nat translation max-entries
  • ip nat translation tcp-timeout
  • ip nat translation udp-timeout
  • show ip nat access-list interface
  • show ip nat pool
  • show ip nat synchronization advertised-translations
  • show ip nat synchronization discovered-translations
  • show ip nat synchronization peer
  • show ip nat translation

     

clear ip nat flow translation

The clear ip nat flow translation command clears all or the specified NAT table entries.

 

Command Mode

Privileged EXEC

 

Command Syntax

clear ip nat flow translation [HOST_ADDR [DEST_ADDR]] [INTF] [PROT_TYPE]

 

Parameters

DEST_ADDR must immediately follow HOST_ADDR. All other parameters, including HOST_ADDR, may be placed in any order.

  • HOST_ADDR      Host address whose translation entries are cleared. Options include:
    • no parameter      Entries for all host addresses are cleared.
    • address local_ipv4      IPv4 address.
    • address local_ipv4 local_port      IPv4 address and port (port value ranges from 1 to 65535).

  • DEST_ADDR      Destination address of the translated packet. Can be entered only when HOST_ADDR is specified. Options include:
    • no parameter      Entries for all destination addresses are cleared.
    • global_ipv4      IPv4 address.
    • global_ipv4 global_port      IPv4 address and port (port value ranges from 1 to 65535).

  • INTF      Interface whose entries are cleared. Options include:
    • no parameter      Entries on all interfaces are cleared.
    • interface ethernet e_num      Ethernet interface specified by e_num.
    • interface loopback l_num      Loopback interface specified by l_num.
    • interface management m_num      Management interface specified by m_num.
    • interface port-channel p_num      Port-channel interface specified by p_num.
    • interface vlan v_num      VLAN interface specified by v_num.

  • PROT_TYPE      Filters entries by protocol type. Options include:
    • no parameter      Entries of all protocols are cleared.
    • tcp      TCP entries are cleared.
    • udp      UDP entries are cleared.

       

 

Examples
  • This command clears all dynamic entries from the NAT translation table.
    switch# clear ip nat flow translation
    switch#

     

  • This command clears a specific NAT IP address 172.22.30.52.
    switch# clear ip nat flow translation address 172.22.30.52
    switch#

     

  • This command clears the inside entry that maps the private address 10.10.10.3 to Internet address 172.22.30.52.
    switch# clear ip nat flow translation address 172.22.30.52 10.10.10.3
    switch#

     

ip address

The ip address command configures the IPv4 address and connected subnet on the configuration mode interface. Each interface can have one primary address and multiple secondary addresses.

The no ip address and default ip address commands remove the IPv4 address assignment from the configuration mode interface. Entering the command without specifying an address removes the primary and all secondary addresses from the interface. The primary address cannot be deleted until all secondary addresses are removed from the interface.

Removing all IPv4 address assignments from an interface disables IPv4 processing on that port.

 

Command Mode

Interface-Ethernet Configuration

Interface-Loopback Configuration

Interface-Management Configuration

Interface-Port-channel Configuration

Interface-VLAN Configuration

 

Command Syntax

ip address [ipv4_subnet] [PRIORITY]

no ip address [ipv4_subnet] [PRIORITY]

default ip address [ipv4_subnet] [PRIORITY]

 

Parameters
  • ipv4_subnet      IPv4 address and subnet (CIDR or address-mask notation). The running-config stores the value in CIDR notation.
  • PRIORITY      Address priority. Options include:
    • no parameter      The address is the primary IPv4 address for the interface.
    • secondary      The address is a secondary IPv4 address for the interface.

       

Guidelines

The ip address command is supported on routable interfaces.

 

Example

This command configures an IPv4 address for VLAN 200.
switch(config)# interface vlan 200
switch(config-if-Vl200)# ip address 10.0.0.1/24
switch(config-if-Vl200)#

ip nat destination static

The ip nat destination static command enables NAT of a specified destination address for the configuration mode interface. This command installs hardware translation entries for forward and reverse unicast traffic. When the rule specifies a multicast group, the command does not install the reverse path in hardware. The command may include an access control list to filter packets for translation.

When configuring twice NAT, an arbitrary NAT group number is used to associate the source NAT and destination NAT rules. This number must be the same in both rules.

The no ip nat destination static and default ip nat destination static commands disable NAT translation of the specified destination address by removing the corresponding ip nat destination static command from running_config.

 

Command Mode

Interface-Ethernet Configuration

Interface-Port-channel Configuration

Interface-VLAN Configuration

 

Command Syntax

ip nat destination static ORIGINAL [FILTER] TRANSLATED [PROT_TYPE] [group group_number]

no ip nat destination static ORIGINAL [FILTER] TRANSLATED [PROT_TYPE] [group group_number]

default ip nat destination static ORIGINAL [FILTER] TRANSLATED [PROT_TYPE] [group group_number]

 

Parameters
  • ORIGINAL      Destination address to be modified. Options include:
    • local_ipv4      IPv4 address.
    • local_ipv4 local_port      IPv4 address and port (port value ranges from 1 to 65535).

  • FILTER      Access control list that filters packets. Options include:
    • no parameter      All packets with the specified destination address are translated.
    • access-list list_name      List that specifies the packets to be translated. Not supported when configuring twice NAT.

  • TRANSLATED      Destination address of the translated packet. Options include:
    • global_ipv4      IPv4 address.
    • global_ipv4 global_port      IPv4 address and port (port value ranges from 1 to 65535). When configuring twice NAT, source and destination NAT rules must either both specify a port translation or both not specify a port translation.

  • PROT_TYPE      Filters packets based on protocol type. Options include:
    • no parameter      All packets with the specified destination address are translated.
    • protocol tcp      Only TCP packets with the specified destination address are translated.
    • protocol udp      Only UDP packets with the specified destination address are translated.

  • group group_number      Used only when configuring twice NAT; the NAT group number associates a source NAT rule with a destination NAT rule on the same interface. The group number (values range from 1 to 255) is arbitrary, but must be the same in both rules.

     

 

Examples
  • These commands configure VLAN 201 to translate destination address 10.24.1.10 to 168.32.14.15.
    switch(config)# interface vlan 201
    switch(config-if-Vl201)# ip nat destination static 10.24.1.10 168.32.14.15
    switch(config-if-Vl201)#

     

  • These commands configure VLAN 201 to translate the destination address 10.24.1.10 to 168.32.14.15 for all packets with IP destination addresses in the 168.10.1.1/32 subnet.
    switch(config)# ip access-list ACL2
    switch(config-acl-ACL2)# permit ip 168.10.1.1/32 any
    switch(config-acl-ACL2)# exit
    switch(config)# interface vlan 201
    switch(config-if-Vl201)# ip nat destination static 10.24.1.10 access-list ACL2 168.32.14.15
    switch(config-if-Vl201)#

     

  • These commands configure interface Ethernet 2 to translate the local source address 10.24.1.10 to the global source address 168.32.14.15, and to translate the local destination address 10.68.104.3 to the global destination address 168.25.10.7 for all packets moving through the interface. The use of NAT group 3 is arbitrary, but must be the same in both rules.
    switch(config)# interface ethernet 2
    switch(config-if-Et2)# ip nat source static 10.24.1.10 168.32.14.15 group 3
    switch(config-if-Et2)# ip nat destination static 10.68.104.3 168.25.10.7 group 3

ip nat pool

The ip nat pool command identifies a pool of addresses using start address, end address, and either netmask or prefix length. If its starting IP address and ending IP address are the same, there is only one address in the address pool.

The no ip nat pool and default ip nat pool commands remove the ip nat pool command from running_config.

 

Command Mode

Global Configuration

 

Command Syntax

ip nat pool pool_name [ADDRESS_SPAN] SUBNET_SIZE

no ip nat pool pool_name

default ip nat pool pool_name

 

Parameters
  • pool_name      Name of the IP address pool.
  • ADDRESS_SPAN      Options include:
    • start_addr      The first IP address in the address pool (IPv4 address in dotted decimal notation).
    • end_addr      The last IP address in the address pool (IPv4 address in dotted decimal notation).

  • SUBNET_SIZE      Acts as a sanity check that no pool address is the network or broadcast address of the pool's subnet. Options include:
    • netmask ipv4_addr      The netmask of the address pool's network (dotted decimal notation).
    • prefix-length 0 to 32      The number of leading one bits in the netmask of the address pool's network (how many bits of the address identify the network).

       

 

Examples
  • This command configures the address pool poo1 using a start address, an end address, and a prefix length of 24.
    switch(config)# ip nat pool poo1 10.15.15.15 10.15.15.25 prefix-length 24
    switch(config)#

  • This command removes the address pool.
    switch(config)# no ip nat pool poo1 10.15.15.15 10.15.15.25 prefix-length 24
    switch(config)#
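
The sanity check that SUBNET_SIZE performs can be reproduced offline when pools are generated from a template. The following Python functions are an added example, not Arista code and not part of this guide; pool_network, validate_pool and pool_size are constructed names, the first pool is the one from the example above, and the two invalid pools are constructed to trigger the network/broadcast and subnet-span checks.

```python
import ipaddress
from typing import List


def pool_network(address: str, subnet_size: str) -> ipaddress.IPv4Network:
    """Derive the pool's network from one pool address and the CLI subnet
    size, given as 'prefix-length N' or 'netmask A.B.C.D'."""
    kind, value = subnet_size.split()
    if kind not in ("prefix-length", "netmask"):
        raise ValueError(f"unknown subnet size form: {subnet_size!r}")
    # strict=False lets a host address stand in for the network address
    return ipaddress.IPv4Network(f"{address}/{value}", strict=False)


def validate_pool(name: str, start: str, end: str, subnet_size: str) -> List[str]:
    """Apply the sanity checks described above to an 'ip nat pool' definition.
    Returns the list of problems; an empty list means the pool is usable."""
    problems = []
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    net = pool_network(start, subnet_size)

    if last < first:
        problems.append(f"{name}: end address {end} precedes start address {start}")
    if last not in net:
        problems.append(f"{name}: end address {end} lies outside {net}")
    for addr in (first, last):
        if addr == net.network_address:
            problems.append(f"{name}: {addr} is the network address of {net}")
        if addr == net.broadcast_address:
            problems.append(f"{name}: {addr} is the broadcast address of {net}")
    return problems


def pool_size(start: str, end: str) -> int:
    """Number of addresses the pool hands out; one when start and end are equal."""
    return int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1


if __name__ == "__main__":
    # The pool from the example above, plus two constructed invalid ones.
    for args in (("poo1", "10.15.15.15", "10.15.15.25", "prefix-length 24"),
                 ("edge", "10.15.15.0", "10.15.15.255", "netmask 255.255.255.0"),
                 ("span", "10.15.15.250", "10.15.16.5", "prefix-length 24")):
        print(args[0], pool_size(args[1], args[2]), validate_pool(*args) or "OK")
```

Both CLI forms of SUBNET_SIZE are accepted because ipaddress understands a dotted netmask after the slash as well as a prefix length.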

ip nat source dynamic

The ip nat source dynamic command enables NAT of a specified source address for packets sent and received on the configuration mode interface. This command installs hardware translation entries for forward and reverse traffic. When the rule specifies a multicast group, the command does not install the reverse path in hardware. The command may include an access control list to filter packets for translation.

The no ip nat source dynamic and default ip nat source dynamic commands disable NAT translation of the specified source addresses by removing the corresponding ip nat source dynamic command from running_config.

 

Note: Ethernet and Port-channel interfaces should be configured as routed ports.

 

 

Command Mode

Interface-Ethernet Configuration

Interface-Port-channel Configuration

Interface-VLAN Configuration

 

Command Syntax

ip nat source dynamic access-list acl_name POOL_TYPE

no ip nat source dynamic access-list acl_name

default ip nat source dynamic access-list acl_name

 

Parameters
  • acl_name      Access control list that controls the internal network addresses eligible for NAT.

  • POOL_TYPE      Options include:
    • overload      Translates multiple local addresses to a single global address. When overloading is enabled, conversations using the same IP address are distinguished by their TCP or UDP port number.
    • pool pool_name      The name of the IP address pool. The pool is defined using the ip nat pool command. The pool option is required even if the pool has just one address; NAT uses that one address for all of the translations.

  • pool_fullcone      Enables full cone NAT, where all requests from the same internal IP address and port are mapped to the same external IP address and port.

     

 

Examples
  • This command enables dynamic source NAT on Ethernet 3/1 for the addresses permitted by ACL2, translating them to addresses from pool p2.
    switch(config)# interface ethernet 3/1
    switch(config-if-Et3/1)# ip nat source dynamic access-list ACL2 pool p2
    switch(config-if-Et3/1)#

     

  • This command disables the NAT source translation on interface Ethernet 3/1.
    switch(config)# interface ethernet 3/1
    switch(config-if-Et3/1)# no ip nat source dynamic access-list ACL2 
    switch(config-if-Et3/1)# 

ip nat source static

The ip nat source static command enables NAT of a specified source address for the configuration mode interface. This command installs hardware translation entries for forward and reverse unicast traffic. When the rule specifies a multicast group, the command does not install the reverse path in hardware. The command may include an access control list to filter packets for translation.

When configuring twice NAT, an arbitrary NAT group number is used to associate the source NAT and destination NAT rules. This number must be the same in both rules.

The no ip nat source static and default ip nat source static commands disable NAT translation of the specified source address by removing the corresponding ip nat source static command from running_config.

 

Command Mode

Interface-Ethernet Configuration

Interface-Port-channel Configuration

Interface-VLAN Configuration

 

Command Syntax

ip nat source static ORIGINAL [FILTER] TRANSLATED [PROT_TYPE] [group group_number]

no ip nat source static ORIGINAL [FILTER] TRANSLATED [PROT_TYPE] [group group_number]

default ip nat source static ORIGINAL [FILTER] TRANSLATED [PROT_TYPE] [group group_number]

 

Parameters
  • ORIGINAL      Source address to be modified. Options include:
    • original_ipv4      IPv4 address.
    • original_ipv4 original_port      IPv4 address and port (port value ranges from 1 to 65535).

  • FILTER      Access control list that filters packets. Options include:
    • no parameter      All packets with the specified source address are translated.
    • access-list list_name      List that specifies the packets to be translated. Not supported when configuring twice NAT.

  • TRANSLATED      Source address of the translated packet. Options include:
    • translated_ipv4      IPv4 address.
    • translated_ipv4 translated_port      IPv4 address and port (port value ranges from 1 to 65535). When configuring twice NAT, source and destination NAT rules must either both specify a port translation or both not specify a port translation.

  • PROT_TYPE      Filters packets based on protocol type. Options include:
    • no parameter      All packets with the specified source address are translated.
    • protocol tcp      Only TCP packets with the specified source address are translated.
    • protocol udp      Only UDP packets with the specified source address are translated.

  • group group_number      Used only when configuring twice NAT; the NAT group number associates a source NAT rule with a destination NAT rule on the same interface. The group number (values range from 1 to 255) is arbitrary, but must be the same in both rules.

     

Restrictions
  • If ORIGINAL includes a port, TRANSLATED must also include a port.
  • If ORIGINAL does not include a port, TRANSLATED cannot include a port.

     

 

Examples
  • These commands configure VLAN 101 to translate source address 10.24.1.10 to 168.32.14.15.
    switch(config)# interface vlan 101
    switch(config-if-Vl101)# ip nat source static 10.24.1.10 168.32.14.15
    switch(config-if-Vl101)#

     

  • These commands configure VLAN 101 to translate the source address 10.24.1.10 to 168.32.14.15 for packets matched by access list ACL1, that is, all packets with IP destination addresses in the 168.10.1.1/32 subnet.
    switch(config)# ip access-list ACL1
    switch(config-acl-ACL1)# permit ip any 168.10.1.1/24
    switch(config-acl-ACL1)# exit
    switch(config)# interface vlan 101
    switch(config-if-Vl101)# ip nat source static 10.24.1.10 access-list ACL1 168.32.14.15
    switch(config-if-Vl101)#

     

  • These commands configure Ethernet interface 2 to translate the local source address 10.24.1.10 to the global source address 168.32.14.15, and to translate the local destination address 10.68.104.3 to the global destination address 168.25.10.7 for all packets moving through the interface. The use of NAT group 3 is arbitrary, but must be the same in both rules.
    switch(config)# interface ethernet 2 
    switch(config-if-Et2)# ip nat source static 10.24.1.10 168.32.14.15 group 3
    switch(config-if-Et2)# ip nat destination static 10.68.104.3 168.25.10.7 group 3
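
The port and group restrictions that ip nat source static and ip nat destination static share (ports on both sides of a rule or neither, group numbers 1 to 255 that pair exactly one source rule with one destination rule, no access-list with twice NAT) are easy to violate when rules are generated in bulk. The following Python validator is an added example, not Arista code and not part of this guide: StaticNatRule, check_rule and check_interface are constructed names, the Ethernet 2 pair is the group 3 example above, and the invalid rules are constructed to show each restriction failing.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, Optional[int]]   # (IPv4 address, port or None)


@dataclass(frozen=True)
class StaticNatRule:
    """One 'ip nat source static' or 'ip nat destination static' statement
    (constructed model of the syntax above, not an EOS object)."""
    direction: str                     # "source" or "destination"
    original: Endpoint
    translated: Endpoint
    access_list: Optional[str] = None  # FILTER
    protocol: Optional[str] = None     # PROT_TYPE: "tcp", "udp" or None
    group: Optional[int] = None        # twice NAT group number


def check_rule(r: StaticNatRule) -> List[str]:
    """Restrictions that apply to a single rule."""
    problems = []
    if (r.original[1] is None) != (r.translated[1] is None):
        problems.append("ORIGINAL and TRANSLATED must both include a port, or neither")
    for label, (_, port) in (("ORIGINAL", r.original), ("TRANSLATED", r.translated)):
        if port is not None and not 1 <= port <= 65535:
            problems.append(f"{label} port {port} is out of range 1-65535")
    if r.protocol not in (None, "tcp", "udp"):
        problems.append(f"unsupported protocol {r.protocol!r}")
    if r.group is not None:
        if not 1 <= r.group <= 255:
            problems.append(f"group {r.group} is out of range 1-255")
        if r.access_list is not None:
            problems.append("access-list filters are not supported with twice NAT")
    return problems


def check_interface(rules: List[StaticNatRule]) -> List[str]:
    """Per-rule checks plus the pairing rules for twice NAT groups on one interface."""
    problems = [f"{r.direction} {r.original[0]}: {p}" for r in rules for p in check_rule(r)]
    groups: Dict[int, List[StaticNatRule]] = {}
    for r in rules:
        if r.group is not None:
            groups.setdefault(r.group, []).append(r)
    for g, members in sorted(groups.items()):
        if sorted(m.direction for m in members) != ["destination", "source"]:
            problems.append(f"group {g}: needs exactly one source rule and one destination rule")
            continue
        # Both rules of a pair translate ports, or neither does.
        if len({m.original[1] is not None for m in members}) != 1:
            problems.append(f"group {g}: source and destination rules disagree on port translation")
    return problems


# The Ethernet 2 twice NAT pair from the example above.
ETHERNET2_RULES = [
    StaticNatRule("source", ("10.24.1.10", None), ("168.32.14.15", None), group=3),
    StaticNatRule("destination", ("10.68.104.3", None), ("168.25.10.7", None), group=3),
]

# Constructed invalid configuration: a port on only one side of a rule, and a
# twice NAT pair whose source rule translates a port while its destination rule does not.
BAD_RULES = [
    StaticNatRule("source", ("10.24.1.11", 8080), ("168.32.14.16", None)),
    StaticNatRule("source", ("10.24.1.12", 443), ("168.32.14.17", 443), group=4),
    StaticNatRule("destination", ("10.68.104.4", None), ("168.25.10.8", None), group=4),
]


if __name__ == "__main__":
    print("Ethernet2:", check_interface(ETHERNET2_RULES) or "OK")
    for p in check_interface(BAD_RULES):
        print("bad:", p)
```

Feed check_interface the rules of one interface at a time, since a twice NAT group only pairs rules that are configured on the same interface.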

ip nat translation counters

The ip nat translation counters command enables the feature to count packets that are translated by static and twice NAT rules in hardware. Once this feature is enabled, all current rules in hardware and new rules that are configured after running this command receive policers for counting packets.

The no ip nat translation counters and default ip nat translation counters commands disable the packet counter feature for static and twice NAT connections.

 

Command Mode

Global Configuration

 

Command Syntax

ip nat translation counters

no ip nat translation counters

default ip nat translation counters

 

Guidelines

The ip nat translation counters command is supported on the DCS-7150 series switches only. This command is solely intended to debug static and twice NAT translation failures in hardware. Disable this feature after completing troubleshooting. If this feature remains enabled when the count of static connections exceeds 275, it can cause unpredictable behavior, including a restart of the FocalPointV2 agent, which results in traffic disruption.

 

Example

The ip nat translation counters command enables the packet counter feature for static and twice NAT connections. Using the show ip nat translation hardware detail and the show ip nat translation twice hardware detail commands, you can verify the packet count.
switch(config)# ip nat translation counters
switch(config)# show ip nat translation hardware detail

Source IP        Destination IP  Translated IP  TGT Type Intf   Proto  Packets  Packets Reply
----------------------------------------------------------------------------------------------
192.168.10.2:0    -               20.1.10.2:0    SRC STAT Vl2640 -      2         1
192.168.110.2:0   -               20.1.110.2:0   SRC STAT Vl2640 -      2         1

switch(config)# show ip nat translation twice hardware detail
Source IP     Destination IP  Translated     Translated    Intf   Group   Packets  Packets 
                               Src IP         Dst IP               Proto           Reply
---------------------------------------------------------------------------------------------
192.16.50.2:0  10.1.50.2:0     20.1.50.2:0    10.1.60.2:0   Vl2922 2  -    2        1
19.16.150.2:0  10.1.150.2:0    20.1.150.2:0   10.1.160.2:0  Vl2922 12 -    2

ip nat translation low-mark

The ip nat translation low-mark command configures the minimum threshold that triggers the resumption of programming new NAT translation connections.

The ip nat translation max-entries command specifies the maximum number of NAT translation connections that can be stored. When this limit is reached, new connections are dropped instead of being programmed in hardware or software. At this point no new connections will be programmed until the number of stored entries drop below the configured low-mark, expressed as a percentage of the max-entries value. The default low mark value is 90%.

The no ip nat translation low-mark and default ip nat translation low-mark commands restore the default low-mark value by removing the ip nat translation low-mark command from running_config.

 

Command Mode

Global Configuration

 

Command Syntax

ip nat translation low-mark threshold

no ip nat translation low-mark

default ip nat translation low-mark

 

Parameter

threshold      Percentage of maximum connection entries. Value ranges from 1 to 99. Default is 90.

 

Example

This command globally sets the translation low mark of 93%.
switch(config)# ip nat translation low-mark 93
switch(config)#

ip nat translation max-entries

The ip nat translation max-entries command specifies maximum number of NAT translation connections. After this threshold is reached, new connections are dropped until the number of programmed connections is reduced below the level specified by the ip nat translation low-mark command.

The no ip nat translation max-entries and default ip nat translation max-entries commands remove the maximum connection limit and reset the parameter value to zero by removing the ip nat translation max-entries command from running_config.

 

Command Mode

Global Configuration

 

Command Syntax

ip nat translation max-entries connections

no ip nat translation max-entries

default ip nat translation max-entries

 

Parameters

connections      The maximum number of NAT translation connections. Value ranges from 0 to 4294967295. Default value is 0, which removes the connection limit.

 

Example

This command limits the number of NAT translation connections the switch can store to 3000.
switch(config)# ip nat translation max-entries 3000
switch(config)#

ip nat translation tcp-timeout

The ip nat translation tcp-timeout command specifies the translation timeout period for translation table entries. The timeout period specifies the interval during which the switch will attempt to reuse an existing TCP translation for devices specified by table entries.

The no ip nat translation tcp-timeout and default ip nat translation tcp-timeout commands reset the timeout to its default by removing the corresponding ip nat translation tcp-timeout command from running_config.

 

Command Mode

Global Configuration

 

Command Syntax

ip nat translation tcp-timeout period

no ip nat translation tcp-timeout

default ip nat translation tcp-timeout

 

Parameter

period      Time-out period in seconds for port translations. Value ranges from 0 to 4294967295. Default value is 86400 (24 hours).

 

Examples
  • This command sets the TCP timeout for translations to 600 seconds.
    switch(config)# ip nat translation tcp-timeout 600
    switch(config)#

     

  • This command removes the TCP translation timeout.
    switch(config)# no ip nat translation tcp-timeout 
    switch(config)#

ip nat translation udp-timeout

The ip nat translation udp-timeout command specifies the translation timeout period for translation table entries. The timeout period specifies the interval the switch attempts to establish a UDP connection with devices specified by table entries.

The no ip nat translation udp-timeout and default ip nat translation udp-timeout commands reset the timeout to its default by removing the corresponding ip nat translation udp-timeout command from running_config.

 

Command Mode

Global Configuration

 

Command Syntax

ip nat translation udp-timeout period

no ip nat translation udp-timeout

default ip nat translation udp-timeout

 

Parameter

period      Value ranges from 0 to 4294967295. Default value is 300 (5 minutes).

 

Examples
  • This command globally sets the timeout for UDP to 800 seconds.
    switch(config)# ip nat translation udp-timeout 800

     

  • This command removes the timeout for UDP.
    switch(config)# no ip nat translation udp-timeout
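
The four global commands above (ip nat translation max-entries, ip nat translation low-mark, ip nat translation tcp-timeout and ip nat translation udp-timeout) together decide when a new connection is programmed and when an idle one ages out. The Python model below is an added example, not Arista code and not part of this guide; NatConnectionTable, FlowKey and udp_flow are constructed names, the defaults (no limit, low mark 90%, 86400 s TCP, 300 s UDP) are the ones documented above, and the 10-entry limit used in the demo is constructed to keep the hysteresis visible.

```python
from typing import Dict, Tuple

# Identity of a NAT connection:
# (protocol, inside address, inside port, destination address, destination port)
FlowKey = Tuple[str, str, int, str, int]


class NatConnectionTable:
    """Models the admission (max-entries / low-mark) and ageing (tcp-timeout /
    udp-timeout) rules described above. Constructed illustration, not EOS code."""

    def __init__(self, max_entries: int = 0, low_mark: int = 90,
                 tcp_timeout: int = 86400, udp_timeout: int = 300) -> None:
        self.max_entries = max_entries        # 0 means no limit (the default)
        self.low_mark = low_mark              # percent of max_entries, 1-99
        self.tcp_timeout = tcp_timeout        # seconds, default 86400
        self.udp_timeout = udp_timeout        # seconds, default 300
        self.entries: Dict[FlowKey, float] = {}   # flow -> last time it was seen
        self.throttled = False                # True once max-entries was hit
        self.dropped = 0                      # new connections refused while throttled

    def low_mark_count(self) -> float:
        return self.max_entries * self.low_mark / 100.0

    def admit(self, key: FlowKey, now: float) -> bool:
        """Program a new connection, or refresh an existing one. Returns False
        when the connection is dropped because the table is throttled."""
        if key in self.entries:
            self.entries[key] = now
            return True
        if self.max_entries:
            if len(self.entries) >= self.max_entries:
                self.throttled = True
            elif self.throttled and len(self.entries) < self.low_mark_count():
                # Hysteresis: programming resumes only below the low mark,
                # not as soon as a single slot frees up.
                self.throttled = False
            if self.throttled:
                self.dropped += 1
                return False
        self.entries[key] = now
        return True

    def clear(self, key: FlowKey) -> bool:
        """Remove one entry, as 'clear ip nat flow translation' would."""
        return self.entries.pop(key, None) is not None

    def expire(self, now: float) -> int:
        """Age out idle entries using the per-protocol timeout; returns the number removed."""
        removed = 0
        for key, last_seen in list(self.entries.items()):
            timeout = self.tcp_timeout if key[0] == "tcp" else self.udp_timeout
            if now - last_seen >= timeout:
                del self.entries[key]
                removed += 1
        return removed


def udp_flow(host_index: int) -> FlowKey:
    """Constructed sample flow: an inside host querying 192.0.2.53:53 over UDP."""
    return ("udp", f"10.0.0.{host_index}", 40000 + host_index, "192.0.2.53", 53)


if __name__ == "__main__":
    table = NatConnectionTable(max_entries=10, low_mark=90)
    for i in range(12):
        print(i, table.admit(udp_flow(i), float(i)))
    print("dropped:", table.dropped, "throttled:", table.throttled)
```

The point the model makes visible is that clearing one entry from a full table does not reopen it: with max-entries 10 and the default low mark, the count has to fall below 9 before new connections are programmed again, and a short UDP timeout frees slots much sooner than the 24-hour TCP default.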

show ip nat access-list interface

The show ip nat acl interface command displays the access control lists (ACLs) that are configured as source NAT or destination NAT filters. The display flags ACL rules that do not comply with these NAT requirements:
  • The source IP address must be any.
  • The destination IP address may use any mask size.
  • Source port matching is not allowed.
  • Protocol matching is not allowed.
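
The same four requirements can be checked on an ACL before it is referenced by a NAT rule, so that the switch never has to flag it. The following Python linter is an added example, not Arista code and not part of this guide: lint_nat_acl_rule and lint_nat_acl are constructed names, the rule grammar it parses (sequence number, permit/deny, protocol, source, optional port qualifier, destination, optional port qualifier) is assumed from the examples on this page, and the sample ACL NAT_FILTER is constructed with one compliant rule and three that each break at least one requirement.

```python
from typing import Dict, List, Optional, Tuple


def _take_address(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume 'any', 'A.B.C.D/len' or 'host A.B.C.D' starting at tokens[i]."""
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return tokens[i], i + 1


def _take_port(tokens: List[str], i: int) -> Tuple[Optional[str], int]:
    """Consume an optional port qualifier ('eq 80', 'range 1024 2048', ...) at tokens[i]."""
    if i < len(tokens) and tokens[i] in ("eq", "neq", "lt", "gt"):
        return " ".join(tokens[i:i + 2]), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return " ".join(tokens[i:i + 3]), i + 3
    return None, i


def lint_nat_acl_rule(rule: str) -> List[str]:
    """Check one ACL rule against the four NAT filter requirements listed above.
    Returns the violations; an empty list means the rule is acceptable as a NAT filter."""
    tokens = rule.split()
    if tokens and tokens[0].isdigit():          # optional sequence number
        tokens = tokens[1:]
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        return [f"unparseable rule: {rule!r}"]
    try:
        protocol = tokens[1]
        source, i = _take_address(tokens, 2)
        source_port, i = _take_port(tokens, i)
        destination, i = _take_address(tokens, i)
        destination_port, i = _take_port(tokens, i)
    except IndexError:
        return [f"truncated rule: {rule!r}"]

    problems = []
    if source != "any":
        problems.append(f"source must be any (found {source})")
    if source_port is not None:
        problems.append(f"source port matching is not allowed (found '{source_port}')")
    if protocol != "ip":
        problems.append(f"protocol matching is not allowed (found {protocol})")
    # The destination address may use any mask size, so it needs no check.
    return problems


def lint_nat_acl(acl_text: str) -> Dict[str, List[str]]:
    """Lint every rule of an 'ip access-list' body; keys are the rule lines with problems."""
    report = {}
    for line in acl_text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("ip access-list"):
            continue
        problems = lint_nat_acl_rule(line)
        if problems:
            report[line] = problems
    return report


# Constructed ACL: the first rule meets the requirements, the others each break one or more.
SAMPLE_ACL = """
ip access-list NAT_FILTER
   10 permit ip any 168.10.1.1/32
   20 permit tcp any 168.10.1.1/32 eq 80
   30 permit ip host 10.1.1.1 any
   40 permit udp 10.0.0.0/8 range 1024 2048 any
"""


if __name__ == "__main__":
    for rule, problems in lint_nat_acl(SAMPLE_ACL).items():
        print(rule)
        for p in problems:
            print("   -", p)
```

Paste the body of an ip access-list into lint_nat_acl and fix every line it reports before attaching the list to a NAT rule.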

     

Command Mode

EXEC

 

Command Syntax

show ip nat access-list interface [INTF] [LISTS]

 

Parameters
  • INTF      Filters NAT statements by interface. Options include:
    • no parameter      Includes all statements on all interfaces.
    • interface ethernet e_num      Statements on specified Ethernet interface.
    • interface loopback l_num      Statements on specified Loopback interface.
    • interface management m_num      Statements on specified Management interface.
    • interface port-channel p_num      Statements on specified Port-Channel Interface.
    • interface vlan v_num      Statements on specified VLAN interface.
    • interface VXLAN vx_num      Statements on specified VXLAN interface.

       

  • LISTS       ACLs displayed by command. Options include:
    • no parameter     All ACLs.
    • acl_name       Specifies individual ACL.

     

Example

These commands display the NAT command usage of the ACL1 and ACL2 access control lists.
switch> show ip nat acl ACL1

acl ACL1
        (0.0.0.0/0, 168.10.1.1/32)
Interfaces using this ACL for Nat:
        Vlan100

switch> show ip nat acl ACL2
acl ACL2
        (168.10.1.1/32, 0.0.0.0/0)
Interfaces using this ACL for Nat:
        Vlan201
switch>

show ip nat pool

The show ip nat pool command displays the configuration of the address pool.

 

Command Mode

EXEC

 

Command Syntax

show ip nat pool POOL_SET

 

Parameters
  • POOL_SET      Options include:
    • no parameter      All configured pools.
    • pool_name      The name of the pool.

       

Examples
  • This command displays all the address pools configured on the switch.
    switch# show ip nat pool
    Pool                 StartIp               EndIp                 Prefix
    p1                   10.15.15.15           10.15.15.25           24
    p2                   10.10.15.15           10.10.15.25           22
    p3                   10.12.15.15           10.12.15.25           12
    switch#

     

  • These commands display specific information for the address pools configured on the switch.
    switch# show ip nat pool p1
    Pool                 StartIp               EndIp                 Prefix
    p1                   4.1.1.1               4.1.1.2               24
                         1.1.1.1               1.1.1.2               24
                         3.1.1.1               3.1.1.2               24
    switch# show ip nat pool p2
    Pool                 StartIp               EndIp                 Prefix
    p2                   10.1.1.1              10.1.1.2              16
    switch#

show ip nat synchronization advertised-translations

The show ip nat synchronization advertised-translations command displays the translations that this device advertises to its peer device.

 

Command Mode

EXEC

 

Command Syntax

show ip nat synchronization advertised-translations

 

Example

This command displays the translations advertised to the peer device.
switch# show ip nat synchronization advertised-translations

Source IP         Destination IP   Translated IP          TGT  Type Intf
------------------------------------------------------------------------
61.0.0.15:6661    100.0.0.2:80     192.170.230.171:6661    SRC  DYN  Et5
61.0.0.41:2245    100.0.0.2:80     192.170.230.170:2245    SRC  DYN  Et5
61.0.0.48:22626   100.0.0.2:80     192.170.230.169:22626   SRC  DYN  Et5
61.0.0.41:22601   100.0.0.2:80     192.170.230.170:22601   SRC  DYN  Et5
61.0.0.41:16798   100.0.0.2:80     192.170.230.170:16798   SRC  DYN  Et5
61.0.0.18:22605   100.0.0.2:80     192.170.230.177:22605   SRC  DYN  Et5
61.0.0.16:2256    100.0.0.2:80     192.170.230.166:2256    SRC  DYN  Et5

show ip nat synchronization discovered-translations

The show ip nat synchronization discovered-translations command displays the translations that have been advertised by, and discovered from, the peer device.

 

Command Mode

EXEC

 

Command Syntax

show ip nat synchronization discovered-translations

 

Example

This command displays the translations discovered from the peer device.
switch# show ip nat synchronization discovered-translations

Source IP         Destination IP    Translated IP          TGT  Type Intf
-------------------------------------------------------------------------
61.0.2.229:63     100.0.0.2:63     170.24.86.180:63        SRC  DYN  Et5
61.0.15.51:63     100.0.0.2:63     170.24.73.90:63         SRC  DYN  Et5
61.0.6.68:63      100.0.0.2:63     170.24.110.128:63       SRC  DYN  Et5
61.0.7.163:63     100.0.0.2:63     170.24.104.35:63        SRC  DYN  Et5

show ip nat synchronization peer

The show ip nat synchronization peer command displays the detailed status of a peer device.

 

Command Mode

EXEC

 

Command Syntax

show ip nat synchronization peer

 

Example

This command displays details of a peer device with an IP address of 11.11.11.0 and interface VLAN 1111 that is used to connect to the peer device.
switch# show ip nat synchronization peer
Description : Value
Peer : 11.11.11.0
Connection Port : 4532
Connection Source : 0.0.0.0
Kernel Interface : vlan1111
Local Interface : Vlan1111
Established Time : 1969-12-31 16:00:00
Connection Attempts : 0
Oldest Supported Version : 1
Newest Supported Version : 1
Version Compatible : True
Connection State : connected
Shutdown State : False
Status Mount State : mountMounted
Version Mount State : mountMounted
Recover Mount State : mountMounted
Reboot Mount State : mountMounted

show ip nat translation

The show ip nat translation command displays configured NAT statements in the switch hardware.

 

Command Mode

EXEC

 

Command Syntax

show ip nat translation [address | address-only | destination | detail | dynamic | hardware | interface | kernel | max-entries | source | static | summary | twice]

 

The parameters can be entered in any order.

 

Parameters
  • no parameter      Displays all NAT connections installed in software.
  • address ipv4_addr      Displays NAT connections of the specified IPv4 host address.
  • address-only ipv4_addr       Displays address-only NAT connections of the specified IPv4 host address.
  • destination      Displays destination NAT connections installed in software.
  • detail      Displays detailed output of all NAT connections.
  • dynamic      Displays dynamic NAT connections.
  • hardware      Displays NAT connections installed in hardware.
  • interface    Filters NAT connections by interface. Options include:
    • interface ethernet e_num      Displays NAT connections of the specified ethernet interface.
    • interface port-channel p_num      Displays NAT connections of the specified port-channel interface.
    • interface vlan v_num      Displays NAT connections of the specified VLAN interface.

       

  • kernel      Displays NAT connections installed in kernel.
  • max-entries       Displays the configured NAT connection limits in hardware.
  • source      Displays source NAT connections installed in software.
  • static      Displays static NAT connections.
  • summary      Displays summary of all NAT connections.
  • twice      Displays twice NAT connections.

     

Examples
  • This command displays all configured NAT translations.
    switch> show ip nat translation
    
    Source IP          Destination IP   Translated IP         TGT Type Intf
    ---------------------------------------------------------------------------
    192.168.1.10:62822 172.22.22.40:53  172.17.254.161:62822  SRC DYN  Vl3925
    192.152.1.10:20342 172.22.22.40:80  172.17.254.161:22222  SRC STAT Vl3945
    switch#

     

  • This command displays NAT connections of the specified ethernet interface.
    switch> show ip nat translation dynamic interface Ethernet 26
    
    Source IP          Destination IP    Translated IP       TGT Type Intf
    -------------------------------------------------------------------------
    192.168.1.2:8080   10.1.1.5:600      20.1.1.5:8080       SRC DYN  Et26

     

  • This command displays the configured NAT connection limits in hardware.
    switch> show ip nat translation max-entries
    
    Global connection limit                           100
    Global connection limit low mark                  90(90%)
    Hosts connection limit                            20
    Hosts connection limit low mark                   18(90%)
    Total number of connections                        1
    
    Host           Max-Entries           Low-Mark              Connections
    -----------------------------------------------------------------------
    10.1.1.1       10                    9(90%)                0

Media Access Control Security

This section explains the basic concepts of Media Access Control Security (MACsec) including overview, configuration, and the different MACsec commands used.
  • MACsec Overview
  • Configuring MACsec
  • Displaying MACsec Information
  • MACsec Key Retirement Immediate
  • MACsec EAP-FAST Support
  • MACsec Proxy For VXLAN
  • MACsec Fallback to Unprotected Traffic
  • MACsec Commands

 

MACsec Overview

Media Access Control Security (MACsec) is the IEEE 802.1AE standard for hop-by-hop encryption and integrity protection of all traffic on an Ethernet link. Key agreement between MACsec peers (MKA) is defined in IEEE 802.1X.

The major benefits of MACsec include the following:
  • MACsec authenticates every frame with an Integrity Check Value (ICV), so a frame altered in transit is detected and discarded rather than delivered.

     

  • MACsec encrypts at Layer 2, providing confidentiality for the payload of every protected frame.

     

  • A high-density MACsec solution for cloud data centers, with the 7500R switch providing the highest density and performance in a modular platform.

     

  • Optimizing the cost and performance of the Data Center Interconnect to transport massive traffic volumes through metro or long haul networks.

     

  • Securing data transport over distance with MACsec encryption, eliminating additional intermediate devices.

     

MACsec Terminology

MACsec Key Agreement Protocol (MKA) - the protocol that discovers MACsec peers and negotiates keys between them (IEEE 802.1X-2010, formerly known as 802.1X-REV).

 

Connectivity Association (CA) - a security relationship between MACsec-capable devices (endpoints). Endpoints in the same CA share a Connectivity Association Key (CAK). The Arista implementation supports two endpoints per CA.

 

Connectivity Association Key (CAK) - contains a master key used to generate all other keys that are used for MACsec. Endpoints in the same secure Connectivity Association (CA) share a CAK. This key can either be a static pre-shared key or dynamically derived using 802.1X authentication.

 

Primary Key - contains the CAK for the MKA session in progress. The Primary key consists of a combination of the key name and the actual key. For example, when a configuration uses 0abcd1 0 1234abcd as a primary key, 0abcd1 is the hex key name, while 1234abcd is the actual key.

 

Note: A key name (CKN) must be in hex format. The operator 0 means the key that follows is entered in cleartext; 7 means it is entered in the obfuscated form the switch writes to the running configuration, which is how it appears when the configuration is replayed on the switch. That obfuscation is reversible, because the switch must recover the CAK to run MKA; it is not a hash and does not protect the key from anyone who can read the configuration, so treat configuration files and backups that contain MACsec keys as secrets.

 

Fallback Key - when the configured primary key fails to establish a session, the fallback key is used to establish one so that traffic is not lost.

 

Secure Association Key (SAK) - derived from the CAK by the key server and used by the network device ports to encrypt traffic for a given session.

 

Key Server - One of the MACsec peers in the CA becomes the Key Server. The Key Server creates and distributes SAKs and uses them for data encryption.

 

Static Secure Association Key (SAK) - a SAK configured directly on a switch and used with unidirectional links when the MKA protocol is not feasible. Static SAKs require using eXtended Packet Numbering (XPN) cipher suites.

 

MACsec Limitations

The following are the limitations of MACsec:
  • EOS supports MACsec only on point-to-point links unless static SAK is enabled.

     

  • When enabling MACsec on an interface for the first time, interface flapping occurs until MACsec takes effect.

     

  • A port configured with MACsec and without a statically configured SAK will remain blocked, preventing data forwarding until the MKA protocol successfully negotiates encryption keys.

     

MACsec Licensing

MACsec encryption is an EOS-licensed feature that requires a valid MACsec license on a switch. MACsec licenses are based on a switch's serial number and the licensee. Every switch running MACsec requires a separate license.

Use one of the following methods to configure a MACsec license:
  1. Use the command license licensee_name license_value in MACsec mode. The license value is an 8-digit hexadecimal number. This method of license configuration supports backward compatibility.

     

  2. Use the command license import license_file_path in Global configuration mode. All new licenses generated on the license portal are JSON-based.

     

Contact your system engineer to acquire the required license codes before attempting to configure MACsec.

MACsec in FIPS mode

Federal Information Processing Standards (FIPS) are a set of standards defined by the United States federal government related to data processing in computer systems by non-military government agencies and government contractors. These standards define specific requirements for various purposes, such as ensuring computer security and interoperability within and across the computer networking industry.

Arista devices are compliant with FIPS 140, which requires the use of a validated FIPS cryptographic module. The module ensures that the algorithms are implemented correctly and restricts the set of allowed algorithms to those approved by the standard: AES-128/256, SHA-256/512, RSA with 2048-bit keys, and a subset of the Elliptic Curve Digital Signature Algorithm (ECDSA). For MACsec, both the AES-128-GCM and AES-256-GCM data-plane algorithms are certified. FIPS mode is enabled with the fips restrictions command; once enabled, it rejects any unapproved algorithm and warns you if you try to configure one.

VLAN Tagged MACsec

Media Access Control Security (MACsec) is configured on subinterfaces using the mac security profile command. Since subinterfaces are logical interfaces that send and receive VLAN tagged traffic, encryption/decryption is applied per VLAN tag.

MACsec Using Static Secure Association Key

MAC security uses the MACsec Key Agreement (MKA) protocol to negotiate between peers using keys (CAKs and CKNs) that are either pre-shared or derived from an 802.1X session, and derives a Secure Association Key (SAK) from that negotiation. The SAK is then programmed into hardware and used to encrypt and decrypt data traffic. Where MKA negotiation is not feasible but traffic must still be encrypted and decrypted (for example on unidirectional links), MACsec can instead use static Secure Association Keys (SAKs) configured separately on the transmitting and receiving peers. Each peer can have up to four receive keys and one transmit key.

Configuring MACsec

These sections describe basic MACsec configuration steps:
  • Enabling MACsec
  • Configuring MACsec for MKA
  • Configuring the FIPS mode
  • Configuring the Layer 2 Protocol Processing Mode
  • Configuring MACsec Profile on a Subinterface
  • Configuring MACsec Using Static SAK
  • Configuring MACsec Proxy For VXLAN
  • Configuring MAC Security Dynamic Key Derivation
  • Configuring MACsec Fallback to Unprotected Traffic

     

Enabling MACsec

Use the mac security command to enable MACsec and enter the MAC Security Configuration Mode, followed by the profile command to create a profile and enter the MAC Security Profile Configuration Mode.

The following commands are available for detailed configuration:
  • cipher
  • key (MACsec)
  • l2-protocol
  • mka key-server
  • mka session
  • replay
  • sci
  • traffic unprotected allow

 

Example

These commands enable MACsec and enter MAC Security Configuration Mode, then create a profile named "MACsec_test" and enter MAC Security Profile Configuration Mode.
switch(config)# mac security
switch(config-mac-security)# profile MACsec_test
switch(config-mac-security-profile-MACsec_test)#

Configuring MACsec for MKA

By default, MAC security (MACsec) uses the MACsec Key Agreement (MKA) protocol to negotiate and exchange encryption keys among peers. To complete a typical MACsec configuration:

  1. Use the cipher command to select a valid encryption standard.

     

  2. Use the key (MACsec) command to enter a Connectivity Association Key (CAK).

     

  3. Use the fallback option to add a fallback CAK if the primary CAK fails.

     

The key server is responsible for generating and distributing the SAKs. Use the mka key-server priority command on a peer to change its priority. The peer with the lowest priority value is elected key server; if several peers share the lowest value, the peer with the lowest MAC address wins. Priority values range from 0 to 255; the default priority is 16.

Configure the refresh period for the Secure Association Key (SAK) with the mka session rekey-period command. MACsec encrypts data traffic with the SAK, which the key server derives from the CAK. The rekey-period values range from 30 to 100000 seconds. By default no rekey period is set (shown as 0 in show mac security interface detail) and the SAK is not refreshed on a timer; MKA still replaces it when the packet number space nears exhaustion. Setting a rekey period bounds how much traffic is ever encrypted under a single SAK.

To improve the randomness of the numbers used to generate MACsec's cryptographic keys, add a source of entropy with the entropy source command in the Management Security Configuration Mode.

 

Examples

These commands configure MACsec to use the AES256-GCM-XPN cipher and add a primary key and a fallback key. EOS accepts pre-shared CAKs of any length, but use the length IEEE 802.1X pairs with the cipher: 64 hexadecimal digits (256 bits) for the AES-256 suites and 32 hexadecimal digits (128 bits) for the AES-128 suites. Generate CAKs from a cryptographic random source rather than choosing them by hand.
switch(config-mac-security-profile-test)# cipher aes256-gcm-xpn
switch(config-mac-security-profile-test)# key 0abc12340def56780abc12340def5678 7 06070E234E4D0A48544540585F507E
switch(config-mac-security-profile-test)# key 0def56780abc12340def56780abc1234 7 09484A0C1C0311475E5A527D7C7C70 fallback

 

These commands give the switch a key-server priority of 10, and an MKA session rekey period of 600 seconds.
switch(config-mac-security-profile-test)# mka key-server priority 10
switch(config-mac-security-profile-test)# mka session rekey-period 600

 

These commands add an entropy source for more random cryptographic keys.
switch(config-mac-security-profile-test)# management security
switch(config-mgmt-security)# entropy source hardware

 

These commands apply the "test" profile to Ethernet interface 5/3/1.
switch(config-mgmt-security)# interface ethernet 5/3/1
switch(config-if-Et5/3/1)# mac security profile test
switch(config-if-Et5/3/1)#
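The rules above (CAK length per cipher suite, the 0 to 255 priority range, the 30 to 100000 second rekey range, and the lowest-priority-then-lowest-MAC election) are easy to get wrong when profiles are generated for many switches. The following Python script is an added example, not EOS code or an Arista tool: it checks a profile's parameters before they are pushed and predicts which peer MKA will elect as key server. The cipher keywords follow the cipher command; the CAK lengths are those IEEE 802.1X pairs with each suite, which is stricter than what EOS accepts for pre-shared keys; the CKN length rule (1 to 32 octets) is also from 802.1X. The participant names and MAC addresses in the usage are constructed.

```python
import re

# Hex digits in the CAK that IEEE 802.1X pairs with each suite (128-bit CAK for
# the AES-128 suites, 256-bit CAK for the AES-256 suites). EOS accepts other
# pre-shared key lengths; this check is deliberately stricter.
CAK_HEX_DIGITS = {
    "aes128-gcm": 32, "aes128-gcm-xpn": 32,
    "aes256-gcm": 64, "aes256-gcm-xpn": 64,
}
HEX = re.compile(r"[0-9a-fA-F]+")


def check_profile(cipher, cak_hex, ckn_hex, key_server_priority=16, rekey_period=None):
    """Return a list of problems with one MACsec profile; an empty list means OK.
    Ranges follow the configuration text: priority 0..255 (default 16),
    rekey-period 30..100000 seconds or unset."""
    problems = []
    want = CAK_HEX_DIGITS.get(cipher)
    if want is None:
        problems.append(f"unknown cipher {cipher!r}")
    elif len(cak_hex) != want:
        problems.append(f"CAK has {len(cak_hex)} hex digits; {cipher} expects {want}")
    if not HEX.fullmatch(cak_hex):
        problems.append("CAK must be hexadecimal")
    # CKN: 1..32 octets, written as an even number of hex digits
    if not (HEX.fullmatch(ckn_hex) and len(ckn_hex) % 2 == 0 and 2 <= len(ckn_hex) <= 64):
        problems.append("CKN must be 1..32 octets of hex")
    if not 0 <= key_server_priority <= 255:
        problems.append("key-server priority must be 0..255")
    if rekey_period is not None and not 30 <= rekey_period <= 100000:
        problems.append("rekey-period must be 30..100000 seconds")
    return problems


def elect_key_server(participants):
    """participants: [(name, key_server_priority, mac)] for the peers of one CA.
    The lowest priority value wins; a tie goes to the lowest MAC address,
    compared as a 48-bit number."""
    def mac_value(mac):
        return int(mac.replace(":", ""), 16)
    return min(participants, key=lambda p: (p[1], mac_value(p[2])))[0]


if __name__ == "__main__":
    # Constructed profile values: a 64-digit CAK with the CKN "0abcd1" used above
    print(check_profile("aes256-gcm-xpn", "ab" * 32, "0abcd1"))          # []
    print(check_profile("aes256-gcm-xpn", "1234abcd", "0abcd1"))         # CAK too short
    # Both peers at the default priority 16: the lower MAC becomes key server
    peers = [("switch-A", 16, "28:99:3a:82:6f:85"), ("switch-B", 16, "28:99:3a:82:6f:82")]
    print(elect_key_server(peers))                                       # switch-B
    print(elect_key_server([("switch-A", 10, "28:99:3a:82:6f:85")] + peers[1:]))  # switch-A
```

Run check_profile on both peers of a link before applying the profiles; two peers with different ciphers or CAKs never reach the key-server election at all, and elect_key_server only tells you which side will be key server once they do.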

Configuring the FIPS mode

To configure the FIPS mode on the MACsec protocol, use the FIPS command.

 

Example

This command configures the FIPS mode on the MACsec protocol.
switch(config)# mac security 
switch(config-mac-security)# fips restrictions

 

Configuring the Layer 2 Protocol Processing Mode

To configure the Layer 2 (L2) Protocol Processing mode on the MACsec protocol, use the l2-protocol command.

 

Example

Use this command to make Ethernet flow control (PAUSE) frames bypass MACsec, so that they are sent and received without protection. Frames of a bypassed protocol are neither encrypted nor integrity-checked, so limit bypass to protocols that the link partner's MAC must be able to see in the clear.
switch(config)# mac security 
switch(config-mac-security)# l2-protocol ethernet-flow-control bypass

 

Configuring MACsec Profile on a Subinterface

Use the following commands to configure a MACsec profile on a subinterface.

 

Example
  • The following example enables MAC security on a subinterface with a predefined MACsec profile test-profile.
    switch(config)# interface ethernet1
    switch(config-if-Et1)# no switchport
    switch(config-if-Et1)# interface ethernet1.10
    switch(config-if-Et1.10)# encapsulation dot1q vlan 20
    switch(config-if-Et1.10)# mac security profile test-profile

 

Configuring MACsec Using Static SAK

 

Static SAK is configured separately for the receive (Rx) and transmit (Tx) directions. In the Rx direction, multiple SAKs can be configured. For the Tx direction, only one SAK is allowed at a time. An SAK configured for Rx on the local peer must match the SAK configured for Tx on the connected peer, and vice versa. Configure the Rx direction first on all the MACsec peers, then configure the Tx direction. Use the cipher command to select a cipher suite. You must choose an eXtended Packet Number (XPN) cipher suite, such as AES128-GCM-XPN or AES256-GCM-XPN; static SAK does not work with a non-XPN cipher. The reason is that a static key is never rotated by MKA: the 32-bit packet number of the non-XPN suites wraps within seconds at link speed, and reusing a packet number under the same SAK reuses a GCM nonce, which breaks both confidentiality and integrity. Even with the 64-bit XPN, key rotation is the operator's responsibility: replace static SAKs on a schedule, and never reuse a retired SAK.

 

Examples
  • These commands select the AES128-GCM-XPN cipher suite for the MACsec profile rx_test on the receiving peer (Rx). The 32-hexadecimal-digit (128-bit) SAKs configured below match this suite; a 256-bit suite needs 64-digit keys.
    switch(config)# mac security
    switch(config-mac-security)# profile rx_test
    switch(config-mac-security-profile-rx_test)# cipher aes128-gcm-xpn
    switch(config-mac-security-profile-rx_test)#

     

  • This command configures the key source as static SAK.
    switch(config-mac-security-profile-rx_test)# key source sak static
    switch(config-mac-security-profile-rx_test-sak-static)#

     

  • These commands configure a secure channel identifier (SCI) on the receiving peer. The SCI is a MAC address (six hexadecimal octets) followed by :: and a decimal port number. On the receiving peer it must equal the SCI that the transmitting peer places in its frames, because the receiver uses the SCI in each frame to select the receive secure channel and the association number to select the key.
    switch(config-mac-security-profile-rx_test-sak-static)# secure channel rx
    switch(config-mac-security-profile-rx_test-sak-static-rx)# identifier 01:02:03:04:05:06::1234
    switch(config-mac-security-profile-rx_test-sak-static-rx)#

     

  • This command configures an SAK and assigns it an association number (AN) of 0.
    switch(config-mac-security-profile-rx_test-sak-static-rx)# an 0 key 0 11112222333344445555666677778888
    switch(config-mac-security-profile-rx_test-sak-static-rx)#

     

  • This command configures another SAK and its association number. Up to four associations can be configured.
    switch(config-mac-security-profile-rx_test-sak-static-rx)# an 1 key 0 9999aaaabbbbccccddddeeeeffff0000
    switch(config-mac-security-profile-rx_test-sak-static-rx)#

     

  • These commands configure the secure channel on a transmitting peer using the profile tx_test. Only one SAK can be configured per transmitting peer. This will encrypt traffic in the Tx direction, so the receiving peer must be configured with a matching SAK to decrypt this traffic.
    switch(config-mac-security-profile-tx_test-sak-static)# secure channel tx
    switch(config-mac-security-profile-tx_test-sak-static-tx)# identifier 01:02:03:04:05:07::1235
    switch(config-mac-security-profile-tx_test-sak-static-tx)# an 0 key 0 22223333444455556666777788889999
    switch(config-mac-security-profile-tx_test-sak-static-tx)#
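To see how the identifier (SCI), an (association number) and key commands above map onto frames on the wire, here is an added Python example, not EOS code: it parses the IEEE 802.1AE SecTAG of a MACsec frame and performs the lookup a receiving peer does with the static SAK configuration, first by SCI and then by AN, naming the receive counter a frame lands in when the lookup fails. The frames are constructed, with a zero ICV and dummy secure data, so nothing is decrypted; the rx_test keys are the ones used in the examples above. The port-1 assumption for frames that carry no explicit SCI is noted in the code.

```python
import struct
from dataclasses import dataclass

MACSEC_ETHERTYPE = 0x88E5
ICV_LEN = 16  # GCM-AES ICV length, all four EOS cipher suites


@dataclass
class SecTag:
    sci: str            # "mac::port", the notation the identifier command uses
    an: int             # association number 0..3, selects the SA within the SC
    pn: int             # 32-bit PN field (low 32 bits of the XPN for -xpn suites)
    encrypted: bool     # E bit (C is set with it for the GCM suites)
    secure_data: bytes  # still ciphertext: this example does not decrypt
    icv: bytes


def fmt_sci(mac: bytes, port: int) -> str:
    return ":".join(f"{b:02x}" for b in mac) + f"::{port}"


def parse_macsec_frame(frame: bytes) -> SecTag:
    """Parse the IEEE 802.1AE SecTAG. Raises ValueError for frames a SecY drops."""
    if len(frame) < 14 + 6 + ICV_LEN:
        raise ValueError("frame too short for a SecTAG and ICV")
    src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError(f"not a MACsec frame (EtherType 0x{ethertype:04x})")
    tci_an = frame[14]  # V ES SC SCB E C AN(2 bits), most significant bit first
    if tci_an >> 7:
        raise ValueError("unknown SecTAG version")
    sc, scb = (tci_an >> 5) & 1, (tci_an >> 4) & 1
    encrypted, an = bool((tci_an >> 3) & 1), tci_an & 0x3
    (pn,) = struct.unpack("!I", frame[16:20])
    if pn == 0:
        raise ValueError("PN 0 is never valid")
    body = 20
    if sc:  # explicit 8-octet SCI: 6-octet MAC then 16-bit port
        mac, (port,) = frame[20:26], struct.unpack("!H", frame[26:28])
        body = 28
    else:
        # No SCI in the tag: it is implied by the source MAC, port 0 when SCB is
        # set, otherwise port 1. (With neither ES nor SCB a real SecY uses its
        # single configured peer SC; port 1 here is an assumption.)
        mac, port = src, (0 if scb else 1)
    return SecTag(fmt_sci(mac, port), an, pn, encrypted,
                  frame[body:-ICV_LEN], frame[-ICV_LEN:])


def rx_table(rx_config):
    """{sci_identifier: {an: sak_hex}} (the 'secure channel rx' block) ->
    {(sci, an): sak_bytes}, the lookup a receiving SecY performs."""
    return {(sci, an): bytes.fromhex(sak)
            for sci, sas in rx_config.items() for an, sak in sas.items()}


def rx_disposition(table, tag: SecTag):
    """Which receive counter the frame lands in, and the SAK if it has one."""
    if not any(sci == tag.sci for sci, _ in table):
        return "inPktsNoSCI", None
    sak = table.get((tag.sci, tag.an))
    if sak is None:
        return "inPktsNotUsingSA", None
    return "ok", sak


def build_frame(dst, src, sci_mac, sci_port, an, pn, secure_data, icv=b"\0" * ICV_LEN):
    """Constructed frame for testing: explicit SCI (SC=1), E=C=1, dummy ICV."""
    tci_an = (1 << 5) | (1 << 3) | (1 << 2) | (an & 3)
    sl = len(secure_data) if len(secure_data) < 48 else 0  # SL only for short frames
    return (dst + src + struct.pack("!H", MACSEC_ETHERTYPE) + bytes([tci_an, sl])
            + struct.pack("!I", pn) + sci_mac + struct.pack("!H", sci_port)
            + secure_data + icv)


# The rx_test profile from the examples above: one receive SC, SAKs for AN 0 and 1.
RX_CONFIG = {"01:02:03:04:05:06::1234": {0: "11112222333344445555666677778888",
                                         1: "9999aaaabbbbccccddddeeeeffff0000"}}

if __name__ == "__main__":
    table = rx_table(RX_CONFIG)
    peer = bytes.fromhex("010203040506")
    for an, pn in ((1, 7), (2, 8)):  # AN 1 has a SAK, AN 2 does not
        tag = parse_macsec_frame(build_frame(b"\xff" * 6, peer, peer, 1234, an, pn, b"A" * 60))
        print(tag.sci, "AN", tag.an, "PN", tag.pn, "->", rx_disposition(table, tag)[0])
```

The two failure names returned by rx_disposition are the same inPktsNoSCI and inPktsNotUsingSA counters that show mac security counters detail reports, so a transmit-side identifier or an that does not match the receiver's configuration shows up there rather than as decrypted traffic.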

     

Configuring MACsec Proxy For VXLAN

The switch platforms that use this feature are:
  • 7280SRAM-48C6

     

  • 7280CR2M-30

     

  • 7500R2M-36CQ-LC

     

The mandatory steps to configure a MACsec proxy sub-interface on an Arista switch are:

  1. Configure the parent interface to be a routed port.
     
  2. Create a L3 sub-interface on the parent interface. This is the MACsec proxy sub-interface.
     
  3. Create a L2 sub-interface on the parent interface. This is the MACsec patch sub-interface.
     
  4. Configure and enable the MACsec proxy port on a sub-interface.
     
  5. Configure the VXLAN tunnel.
     
  6. Assign the forwarding VLAN ID for the MACsec patch sub-interface and VXLAN tunnel.
     

    Example Configurations

    1. Configure a 100g MACsec interface as a routed port.
      switch(config)# interface et49/1
      switch(config-if-Et49/1)# no switchport

       

    2. Create a new L3 sub-interface - et49/1.1.
      switch(config-if-Et49/1)# interface et49/1.1

       

    3. Create a new L2 sub-interface - et49/1.2.
      switch(config-if-Et49/1)# interface et49/1.2

       

    4. Configure the MACsec proxy port, and enable MACsec on the proxy port.
      switch(config)# interface et49/1.1
      switch(config-if-Et49/1.1)# mac security proxy patch Ethernet49/1.2
      switch(config-if-Et49/1.1)# mac security profile test1
      switch(config-if-Et49/1.1)# ip address 2.2.2.1/24

       

    5. Configure the VXLAN tunnel. The remote VTEP is provided as the flood VTEP.
      switch(config)# interface VXLAN 1
      switch(config-if-Vx1)# VXLAN source-interface Loopback0
      switch(config-if-Vx1)# VXLAN udp-port 4789
      switch(config-if-Vx1)# VXLAN vlan 20 vni 20
      switch(config-if-Vx1)# VXLAN vlan 20 flood vtep 100.100.100.2

       

    6. Configure the L2 MACsec patch interface to be in the same VLAN as VXLAN.
      switch(config)# interface et49/1.2
      switch(config-if-Et49/1.2)# vlan id 20

       

Configuring MAC Security Dynamic Key Derivation

802.1X Authenticator Configuration

The 802.1X authenticator has an option that makes it tolerant of an unreliable authentication server. By default, when the authentication server is unreachable, the authenticator blocks all traffic on the port and holds it Unauthorized until it gets replies from the server. The following option changes that behavior and keeps the port in its current state while the server is not reachable. Note the trade-off: a port that was already authorized stays authorized, and its MACsec session stays up, for as long as the server is down, so a credential that has since expired or been revoked is not enforced until the server returns:

 

Example

switch(config-if-Et1)# dot1x timeout reauth-timeout-ignore always

 

802.1X Supplicant Configuration

The 802.1X supplicant configurations are done through MACsec profiles. The MACsec profile contains all the credentials necessary for 802.1X authentication to succeed.

Perform the following steps to configure an 802.1X supplicant profile:

  1. Use dot1x command to enter the dot1x mode to configure a supplicant profile.
    switch(config)# dot1x
    switch(config-dot1x)#

     

  2. Use supplicant profile command to configure a 802.1X supplicant profile.
    switch(config-dot1x)# supplicant profile <profileName>

     

  3. The following mandatory commands must be configured for a supplicant profile to be operational:
    1. Configure the Extensible Authentication Protocol (EAP) method for the profile. The only method supported by Arista supplicants is EAP-FAST.
      switch(config-dot1x-supp-profile-test)# eap-method fast

       

    2. Configure the EAP identity used to authenticate the supplicant with the RADIUS server:
      switch(config-dot1x-supp-profile-test)# identity <user-identity>

       

    3. Configure the EAP passphrase, the password used to authenticate the supplicant with the RADIUS server:
      switch(config-dot1x-supp-profile-test)# passphrase <options>

       

     

    Example

    This is a sample 802.1X supplicant profile:
    switch(config-dot1x-supp-profile-test)# show active 
    dot1x
       supplicant profile test
          identity arista
          passphrase 7 070E334D5D1D0B04

     

    Apply the supplicant profile by enabling it on the Mac Security interface:
    switch(config-if-Et6/1)# dot1x pae supplicant test

     

    Mac Security

    Mac Security configuration remains the same as described in the configuration guide, but there is one important difference. Instead of configuring manual keys, configure the Mac security profile to use dynamic keys:
    switch(config-mac-security-profile-test)# key source dot1x

     

Displaying 802.1X Supplicant Status
The show dot1x supplicant command displays the 802.1X supplicant status.
switch# show dot1x supplicant 
Interface: Ethernet6/1
    Identity: arastra
    EAP method: fast
    Status: success
    Supplicant MAC: 44:4c:a8:34:bf:20
    Authenticator MAC: 00:1c:73:e0:d3:76

 

About the Output
  • Interface: The port on which the supplicant is running.
  • Identity: Configured supplicant identity.
  • EAP method: Configured EAP method (Currently just EAP-FAST).
  • Status: Supplicant status. Can be one of the following:
    • Success: Authentication has been successful.
    • Down: Authentication sequence has not begun.
    • Failed: Authentication has failed.
    • Connecting: Authentication is in progress.
    • Unused: Supplicant is uninitialized.

       

  • Supplicant MAC: MAC address of the supplicant.
  • Authenticator MAC: MAC address of the authenticator (peer).
  • Existing Mac Security show commands (see Displaying MACsec Information) report the MACsec state of the interface once the supplicant has authenticated and keys have been derived.

     

Configuring MACsec Fallback to Unprotected Traffic

EOS supports this feature on all MACsec capable cards except the 7500E-6CFPX-LC.

The MACsec Fallback to Unprotected Traffic feature is configured under MACsec profile mode using the traffic unprotected allow command; the no form of the command removes the configuration from the switch. Both peers must have it configured for unprotected traffic to flow between them. Treat this as a deliberate downgrade: with it enabled, a link whose MKA session cannot be established (wrong key, failed 802.1X, or interference with EAPOL on the link) passes traffic in cleartext instead of staying blocked. Use it only where availability outweighs confidentiality, and watch the Traffic field of show mac security interface detail, which reads Protected only while MACsec is actually protecting the link.

 

Example

This command removes the fallback to unprotected traffic from the profile sampleProfile, restoring the default in which the port stays blocked until MKA succeeds.
switch(config-mac-security-profile-sampleProfile)# no traffic unprotected allow

 

Displaying MACsec Information

The following sections provide information about MACsec on a switch.

This section contains the following topics:
  • Displaying MACsec Information
  • Displaying MACsec Detailed Information
  • Displaying MACsec Participants
  • Displaying MACsec Participants Detailed Information
  • Displaying MACsec MKA Counters
  • Displaying MACsec Security Counters Detailed Information
  • Displaying MACsec Security Counters
  • Displaying MACsec MKA Counters Detailed Information
  • Displaying MACsec FIPS Status
  • Displaying Information for MACsec Using Static Secure Association Key

     

Displaying MACsec Information

The show mac security interface command shows information about the MACsec on the interface.

 

Example
switch# show mac security interface
Interface        SCI                        Controlled Port   Key in Use
Ethernet4/1/1    28:99:3a:82:6f:82::605     True              9d5bc0d3076ea4a08b99b9d9:1
Ethernet4/3/1    28:99:3a:82:6f:85::613     True              9d5bc0d3076ea4a08b99b9d9:1

 

Displaying MACsec Detailed Information

Use the show mac security interface detail command to display detailed information about MACsec.

 

Example

switch# show mac security interface detail 
Interface: Ethernet4/1/1
    SCI: 28:99:3a:82:6f:82::605
    SSCI: 00000002
    Controlled port: True
    Key server priority: 16
    Session rekey period: 0
    Traffic: Protected
    Key in use: 9d5bc0d3076ea4a08b99b9d9:1
    Latest key: None
    Old key: 9d5bc0d3076ea4a08b99b9d9:1(RT)

Interface: Ethernet4/3/1
    SCI: 28:99:3a:82:6f:85::613
    SSCI: 00000001
    Controlled port: True
    Key server priority: 16
    Session rekey period: 0
    Traffic: Protected
    Key in use: 9d5bc0d3076ea4a08b99b9d9:1
    Latest key: None
    Old key: 9d5bc0d3076ea4a08b99b9d9:1(RT)

 

About the Output:

  • Interface: Name of the interface.

     

  • Secure Channel Identifier (SCI): Combination of MAC address and port number. Used to uniquely identify a Mac Security port.

     

  • Controlled Port: True when the MACsec controlled port is enabled, that is, a SAK has been installed and the port forwards protected traffic. False means no secure association is in place and data traffic is not being forwarded through MACsec.

     

  • Key In Use: Identifier of the SAK currently in use, formed from the key server's Message ID (see Displaying MACsec Participants) and the key number.

     

  • Key Server Priority: Configured key server priority.

     

  • Session Rekey Period: Configured session rekey period.

     

  • Latest Key: Latest SAK being negotiated by Mac Security Key Agreement Protocol (MKA)

     

  • Old Key: The last SAK negotiated by Mac Security Key Agreement Protocol (MKA)

     

 

Note: Latest and Old key are MKA protocol specific terminology and are used to refer to the last two keys in use. For all practical purposes, Key In Use field is used to identify the current key.

 

Displaying MACsec Participants

Use the show mac security participants command to display information about the MACsec participants.

 

Example
switch# show mac security participants 
Interface: Ethernet4/1/1
    CKN: abcd
      Message ID: 9d5bc0d3076ea4a08b99b9d9
      Elected self: True
      Success: True
      Principal: True
      Default: False

    CKN: dead
      Message ID: 4ef4cf009161bd551b5e7434
      Elected self: True
      Success: True
      Principal: False
      Default: True

Interface: Ethernet4/3/1
    CKN: abcd
      Message ID: c79ad8882c2dd3a8e838a691
      Elected self: False
      Success: True
      Principal: True
      Default: False

    CKN: dead
      Message ID: 3dfd4486b5f68a81014a37ec
      Elected self: False
      Success: True
      Principal: False
      Default: True

 

Displaying MACsec Participants Detailed Information

Use the show mac security participants detail command to display detailed information about the MACsec participants.

 

Example

switch# show mac security participants detail
Interface: Ethernet4/1/1
    CKN: abcd
      Message ID: 9d5bc0d3076ea4a08b99b9d9
      Elected self: True
      Success: True
      Principal: True
      Default: False
      KeyServer SCI: 28:99:3a:82:6f:82::605
      SAK transmit: True
      LLPN exhaustion: 0
      Distributed key identifier: 9d5bc0d3076ea4a08b99b9d9:1
      Live peer list: ['c79ad8882c2dd3a8e838a691']
      Potential peer list: []

    CKN: dead
      Message ID: 4ef4cf009161bd551b5e7434
      Elected self: True
      Success: True
      Principal: False
      Default: True
      KeyServer SCI: 28:99:3a:82:6f:82::605
      SAK transmit: False
      LLPN exhaustion: 0
      Distributed key identifier: None
      Live peer list: ['3dfd4486b5f68a81014a37ec']
      Potential peer list: []

Interface: Ethernet4/3/1
    CKN: abcd
      Message ID: c79ad8882c2dd3a8e838a691
      Elected self: False
      Success: True
      Principal: True
      Default: False
      KeyServer SCI: 28:99:3a:82:6f:82::605
      SAK transmit: True
      LLPN exhaustion: 0
      Distributed key identifier: 9d5bc0d3076ea4a08b99b9d9:1
      Live peer list: ['9d5bc0d3076ea4a08b99b9d9']
      Potential peer list: []

    CKN: dead
      Message ID: 3dfd4486b5f68a81014a37ec
      Elected self: False
      Success: True
      Principal: False
      Default: True
      KeyServer SCI: 28:99:3a:82:6f:82::605
      SAK transmit: False
      LLPN exhaustion: 0
      Distributed key identifier: None
      Live peer list: ['4ef4cf009161bd551b5e7434']
      Potential peer list: []

 

About the Output

  • Connectivity Association Key Name (CKN): Configured name of the key in use.

     

  • Message ID: A random 96-bit (12-octet) Member Identifier that MKA uses to identify a participant; it appears here as 24 hexadecimal digits.

     

  • Elected Self: True if this participant is the elected key server.

     

  • Success: True if this participant is live and has at least one live peer.

     

  • Principal: True if this participant is the principal participant elected to distribute SAKs or if participant receives SAKs from key server.

     

  • Default: True if this participant is a fallback/backup participant (spawned when a fallback key is configured in a Mac Security profile).

     

  • Key Server SCI: The SCI of the key server.

     

  • SAK Transmit: True if the participant is ready to use the negotiated key for transmit.

     

  • LLPN Exhaustion: Increments when the packet number used with the current SAK reaches the exhaustion threshold; MKA then distributes a new SAK rather than letting the packet number wrap.

     

  • Distributed Key Identifier: Message ID + key number of the most recently generated SAK.

     

  • Live Peer List: Message IDs of all the live peers of the participant.

     

  • Potential Peer List: Message IDs of all the potential peers of the participant. These are peers which have not yet established mutual liveness but have sent out at least one control packet.

     

 

Displaying MACsec MKA Counters

Use the show mac security mka counters command to display information about the MACsec MKA counters.

 

Example

switch# show mac security mka counters 
Interface       Rx Success      Rx Failure      Tx Success      Tx Failure
Ethernet4/1/1   287             0               288             0
Ethernet4/3/1   288             0               287             0

Displaying MACsec Security Counters Detailed Information

Use the show mac security counters detail command to display detailed information about the MACsec security counters.

 

Example

switch# show mac security counters detail 
Ethernet4/1/1     Counter Name        Count
-------------------------------------------------------
                  outPktsEncrypted    112
                  outOctetsEncrypted  11984
                  outPktsUntagged     0
                  outPktsTooLong      0
                  outPktCtrl          224
                  inPktsDecrypted     2
                  inOctetsDecrypted   214
                  inPktsUnchecked     0
                  inPktsOK            2
                  inPktsNotValid      0
                  inPktsNotUsingSA    0
                  inPktsCtrl          223
                  inPktsNoTag         8
                  inPktsTagged        0
                  inPktsBadTag        0
                  inPktsNoSCI         0
                  inPktsLate          0

Ethernet4/3/1     Counter Name        Count
-------------------------------------------------------
                  outPktsEncrypted    2
                  outOctetsEncrypted  214
                  outPktsUntagged     0
                  outPktsTooLong      0
                  outPktCtrl          223
                  inPktsDecrypted     111
                  inOctetsDecrypted   11877
                  inPktsUnchecked     0
                  inPktsOK            111
                  inPktsNotValid      0
                  inPktsNotUsingSA    0
                  inPktsCtrl          224
                  inPktsNoTag         9
                  inPktsTagged        0
                  inPktsBadTag        0
                  inPktsNoSCI         0
                  inPktsLate          0
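The counters in this output are cumulative, so what matters operationally is which of them change between two readings. The following Python script is an added example, not an EOS feature: it parses two copies of show mac security counters detail, computes per-interface deltas, and reports the receive-side counters that should never increase on a healthy link (integrity failures, replay, unknown SCI or SA). The counter meanings are this editor's reading of the IEEE 802.1AE statistics the names correspond to, not Arista's definitions; the first sample is the Ethernet4/1/1 block above and the second is constructed from it with failures added.

```python
import re

HEADER = re.compile(r"^(\S+)\s+Counter Name\s+Count\s*$")
COUNTER = re.compile(r"^\s+(\w+)\s+(\d+)\s*$")

# Counters that should not increase on a healthy link, with the 802.1AE
# meaning the names correspond to (editor's reading, not EOS documentation).
ALERT_COUNTERS = {
    "inPktsNotValid":   "ICV check failed: tampering, wrong SAK, or corrupted frame",
    "inPktsBadTag":     "malformed SecTAG",
    "inPktsNoSCI":      "SCI in the SecTAG matches no receive secure channel",
    "inPktsNotUsingSA": "no SAK installed for the frame's association number",
    "inPktsLate":       "packet number below the replay window (possible replay)",
    "outPktsTooLong":   "frame too long once the SecTAG and ICV were added",
}
# Worth knowing about, not necessarily a fault: traffic that bypassed MACsec.
INFO_COUNTERS = {
    "inPktsNoTag":     "untagged frames received on the uncontrolled port",
    "outPktsUntagged": "frames transmitted without a SecTAG",
}


def parse_counters(text):
    """'show mac security counters detail' output -> {interface: {counter: int}}."""
    result, iface = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            iface = m.group(1)
            result[iface] = {}
            continue
        m = COUNTER.match(line)
        if m and iface is not None:
            result[iface][m.group(1)] = int(m.group(2))
    return result


def deltas(before, after):
    """Per-interface increase between two snapshots; the counters are cumulative."""
    return {iface: {name: value - before.get(iface, {}).get(name, 0)
                    for name, value in counters.items()}
            for iface, counters in after.items()}


def audit(delta):
    """(severity, interface, counter, increase, meaning) for every counter that moved."""
    findings = []
    for iface, d in sorted(delta.items()):
        for table, severity in ((ALERT_COUNTERS, "alert"), (INFO_COUNTERS, "info")):
            for name, meaning in table.items():
                if d.get(name, 0) > 0:
                    findings.append((severity, iface, name, d[name], meaning))
    return findings


def audit_snapshots(text_before, text_after):
    return audit(deltas(parse_counters(text_before), parse_counters(text_after)))


# First snapshot: the Ethernet4/1/1 block from the output above.
SNAPSHOT_1 = """\
Ethernet4/1/1     Counter Name        Count
-------------------------------------------------------
                  outPktsEncrypted    112
                  outOctetsEncrypted  11984
                  outPktsUntagged     0
                  outPktsTooLong      0
                  outPktCtrl          224
                  inPktsDecrypted     2
                  inOctetsDecrypted   214
                  inPktsUnchecked     0
                  inPktsOK            2
                  inPktsNotValid      0
                  inPktsNotUsingSA    0
                  inPktsCtrl          223
                  inPktsNoTag         8
                  inPktsTagged        0
                  inPktsBadTag        0
                  inPktsNoSCI         0
                  inPktsLate          0
"""


def bump(text, name, value):
    """Constructed data: rewrite one counter's value in a snapshot."""
    return re.sub(rf"({name}\s+)\d+", rf"\g<1>{value}", text)


# Second snapshot: constructed, with three ICV failures and one late frame added.
SNAPSHOT_2 = bump(bump(bump(bump(SNAPSHOT_1, "inPktsDecrypted", 40), "inPktsOK", 37),
                       "inPktsNotValid", 3), "inPktsLate", 1)

if __name__ == "__main__":
    for severity, iface, name, inc, meaning in audit_snapshots(SNAPSHOT_1, SNAPSHOT_2):
        print(f"{severity.upper():5} {iface} {name} +{inc}: {meaning}")
```

A few inPktsNoTag on an otherwise clean link, as in the two healthy interfaces above, are normal for frames that arrive before the session is up; a steadily rising inPktsNoTag with traffic unprotected allow configured is the signature of a link that has silently fallen back to cleartext.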

 

Displaying MACsec Security Counters

Use the show mac security counters command to display information about the MACsec security counters.

 

Example

switch# show mac security counters 
Port     InPktsDecrypted  InOctetsDecrypted  OutPktsEncrypted OutOctetsEncrypted
Et4/1/1                2                214               109              11663
Et4/3/1              109              11663                 2                214

 

Displaying MACsec MKA Counters Detailed Information

Use the show mac security mka counters detail command to display detailed information about the MACsec MKA counters.

Example

switch# show mac security mka counters detail 
Interface: Ethernet4/1/1
    Tx packet success: 290
    Tx packet failure: 0
        Tx invalid: 0
    Rx packet success: 289
    Rx packet failure: 0
        Rx invalid: 0
        Rx eapol error: 0
        Rx basic parameter set error: 0
        Rx unrecognized CKN error: 0
        Rx ICV validation error: 0
        Rx live peer list error: 0
        Rx potential peer list error: 0
        Rx SAK use set error: 0
        Rx distributed SAK set error: 0
        Rx distributed CAK set error: 0
        Rx ICV Indicator error: 0
        Rx unrecognized parameter set error: 0

Interface: Ethernet4/3/1
    Tx packet success: 289
    Tx packet failure: 0
        Tx invalid: 0
    Rx packet success: 290
    Rx packet failure: 0
        Rx invalid: 0
        Rx eapol error: 0
        Rx basic parameter set error: 0
        Rx unrecognized CKN error: 0
        Rx ICV validation error: 0
        Rx live peer list error: 0
        Rx potential peer list error: 0
        Rx SAK use set error: 0
        Rx distributed SAK set error: 0
        Rx distributed CAK set error: 0
        Rx ICV Indicator error: 0
        Rx unrecognized parameter set error: 0

 

Displaying MACsec FIPS Status

Use the show mac sec status command to display information about the MACsec FIPS status.

Example

switch(config)# mac security 
switch(config-mac-security)# show mac sec status
Active Profiles:          1
FIPS Mode:                Yes
Secured Interfaces:       2

 

Displaying Information for MACsec Using Static Secure Association Key

If MACsec is configured to use static SAKs, these commands show additional information related to static SAKs:
  • show active

    In MAC Security configuration mode, the show active command displays the MAC security key source. If one or more static SAKs are configured, this key source is shown as "key source sak static."

  • show mac security interface

    With a static SAK configured, the show mac security interface command shows the association numbers (ANs) of the SAKs programmed for Rx and Tx. Show commands never display actual SAK values.

    If a unidirectional link is configured with a static SAK, the Rx side shows the SCI as "00:00:00:00:00:00::0" and only the Rx AN. The Tx side shows the configured SCI and the Tx AN.

  • show mac security sak

    If one or more SAKs are configured on the switch, the show mac security sak command shows SAK-related details.

MACsec Key Retirement Immediate

MACsec configures two keys for MKA negotiation: primary and fallback (as a backup). For a given MAC security profile configured on an interface, an actor is created per key and is responsible for MKA negotiation with the peer. After a new primary key is configured, the old primary key actor is retained in the system until the MKA session succeeds with the new primary key. The same holds for the fallback key. The key retirement immediate command immediately removes the actor corresponding to the old key, whether primary or fallback, from the system.

MACsec Key Retirement Immediate Operations

  • After configuring a new primary key in a MAC security profile, the old primary key actor is deleted from the system immediately.

  • After configuring a new fallback key in a MAC security profile, the old fallback key actor is deleted from the system immediately.

  • Removing the feature configuration from the MAC security profile only stops old keys from being cleaned up immediately when new keys are configured; it does not recreate actors that have already been deleted.

    Note: The key retirement immediate command only deletes the actor corresponding to the old key. The SAK programmed in the hardware is cleaned up only after a new SAK is available to be programmed. However, as a side effect of deleting an actor, the system chooses a new principal actor (if an eligible actor is available), over which a new SAK is distributed.

     

MACsec Key Retirement Immediate Feature Interactions

MACsec EAP-FAST Support

When dynamic MAC Security keys are used with key retirement immediate, the system deletes the old primary key actor every time a new primary key is derived from 802.1X. This usually happens at the interval set by the 802.1X reauthentication time configuration.

MACsec Fallback to Unprotected Traffic Support

When key retirement immediate is configured together with the Fallback to Unprotected Traffic feature, the transition between unprotected and protected traffic may become more frequent. This is because with key retirement immediate, whenever a new key is configured, existing successful MKA sessions corresponding to the old key are not maintained. This can bring the number of successful MKA sessions down to zero, which moves the interface to the unprotected traffic state as per the Fallback to Unprotected Traffic feature.

MACsec Key Retirement Immediate Configuration

The key retirement immediate command is configured in MAC security profile mode. The configuration must be present on both the key server and non-key-server peers. Since the key server decides the principal actor for SAK distribution, it is recommended that this configuration be present on the key server so that re-election of the principal actor is triggered immediately.

If key retirement immediate is configured only on the key server, the non-key server still tries to negotiate MKA over the old primary key, unnecessarily consuming system resources and time.

If key retirement immediate is configured only on the non-key server, it takes 6 seconds (the MKA lifetime) for the resulting session failure to trigger a re-election on the key server.

switch(config-mac-security-profile-sampleProfile)# [no] key retirement immediate

 

Configuration Scenarios

Configuring both a primary key and a fallback key without key retirement immediate: when a new primary is configured, the actor corresponding to the old primary stays active until the MKA session succeeds on the new primary. With key retirement immediate, the system immediately deletes the actor corresponding to the old primary. Since a fallback is also configured, the key server chooses it as the new principal actor if it is eligible. After a new principal actor is chosen, a new SAK is distributed, which is eventually programmed and used for encryption and decryption.

When only the primary key is configured, the behavior is the same as described above, except that no other actor becomes principal until the new primary succeeds. Until then, the hardware continues to use the SAK generated with the old primary.

When the fallback is the principal actor and key retirement immediate is not configured, configuring a new fallback key leaves the old fallback actor in the system until either the new fallback or the primary becomes active. With key retirement immediate, the system deletes the old fallback actor immediately. Until a new principal actor is elected, the hardware continues to use the SAK generated with the old fallback.

The show mac security participants command shows all the participants present in the system. When key retirement immediate is configured, the actors corresponding to old keys no longer appear in the command output.

 

MACsec EAP-FAST Support

Media Access Control Security (MACsec) supports dynamic MAC Security keys in addition to static keys. Configure both peers for 802.1X authentication to derive MAC Security keys dynamically: configure one peer as the Authenticator and the other peer as the Supplicant.

Upon a successful 802.1X authentication sequence between the peers, both the Authenticator and the Supplicant generate keying material. This keying material is then used to derive the MAC Security keys that establish a MACsec Key Agreement (MKA) protocol session. This feature supports Arista devices acting as the Supplicant to derive MAC Security keys bidirectionally.

The following diagram illustrates a typical MAC Security over 802.1X topology:

MACsec Proxy For VXLAN

The MACsec Proxy for VXLAN feature enables the MACsec service over VXLAN. MACsec over VXLAN is provided by mapping a VXLAN Network Identifier (VNI) and remote VXLAN Tunnel Endpoint (VTEP) IP address to a MACsec proxy subinterface.

Any packets routed to the MACsec proxy subinterface are encrypted and then tunneled to the remote VTEP. On the receiving path, the packets are decrypted, then decapsulated and forwarded. MKA negotiates and renews the encryption keys. For this purpose, a MACsec-capable front panel port must be dedicated to the feature and left unconnected, as it is used to recycle the packets being encrypted and decrypted.

Configuring MACsec Proxy For VXLAN

This feature is supported on the following switch platforms:
  • 7280SRAM-48C6
  • 7280CR2M-30
  • 7500R2M-36CQ-LC

The mandatory steps to configure a MACsec proxy sub-interface on an Arista switch are:

  1. Configure the parent interface to be a routed port.
  2. Create an L3 sub-interface on the parent interface. This is the MACsec proxy sub-interface.
  3. Create an L2 sub-interface on the parent interface. This is the MACsec patch sub-interface.
  4. Configure and enable the MACsec proxy port on a sub-interface.
  5. Configure the VXLAN tunnel.
  6. Assign the forwarding VLAN ID for the MACsec patch sub-interface and VXLAN tunnel.

    Example Configurations

    1. Configure a 100G MACsec interface as a routed port.
      switch(config)# interface et49/1
      switch(config-if-Et49/1)# no switchport

    2. Create a new L3 sub-interface, et49/1.1.
      switch(config-if-Et49/1)# interface et49/1.1

    3. Create a new L2 sub-interface, et49/1.2.
      switch(config-if-Et49/1)# interface et49/1.2

    4. Configure the MACsec proxy port, and enable MACsec on the proxy port.
      switch(config)# interface et49/1.1
      switch(config-if-Et49/1.1)# mac security proxy patch Ethernet49/1.2
      switch(config-if-Et49/1.1)# mac security profile test1
      switch(config-if-Et49/1.1)# ip address 2.2.2.1/24

    5. Configure the VXLAN tunnel. The remote VTEP is provided as the flood VTEP.
      switch(config)# interface VXLAN 1
      switch(config-if-Vx1)# VXLAN source-interface Loopback0
      switch(config-if-Vx1)# VXLAN udp-port 4789
      switch(config-if-Vx1)# VXLAN vlan 20 vni 20
      switch(config-if-Vx1)# VXLAN vlan 20 flood vtep 100.100.100.2

    6. Configure the L2 MACsec patch interface to be in the same VLAN as the VXLAN.
      switch(config)# interface et49/1.2
      switch(config-if-Et49/1.2)# vlan id 20

Displaying MACsec Proxy For VXLAN Information

Use the show mac security interface command to display the proxy sub-interface information.

Examples
  • Use the show mac security interface command to display the proxy sub-interface information.
    switch(config)# show mac security interface
    Interface     SCI                     Controlled Port  Key in Use
    Ethernet4/1/1 28:99:3a:82:6f:82::605  True             9d5bc0d3076ea4a08b99b9d9:1
    Ethernet4/3/1 28:99:3a:82:6f:85::613  True             9d5bc0d3076ea4a08b99b9d9:1

  • Use the show mac security mka counters command to display the MACsec MKA counters; add the detail keyword for a single interface to display the detailed values.
    switch(config)# show mac security mka counters
    Interface      Rx Success  Rx Failure  Tx Success   Tx Failure
    Ethernet4/1/1  287         0            288          0
    Ethernet4/3/1  288         0            287          0
    
    switch(config)# show mac security mka counters ethernet 49/1.1 detail
    Interface: Ethernet49/1.1
        Tx packet success: 84
        Tx packet failure: 0
            Tx invalid: 0
        Rx packet success: 82
        Rx packet failure: 0
            Rx invalid: 0
            Rx eapol error: 0
            Rx basic parameter set error: 0
            Rx unrecognized CKN error: 0
            Rx ICV validation error: 0
            Rx live peer list error: 0
            Rx potential peer list error: 0
            Rx SAK use set error: 0
            Rx distributed SAK set error: 0
            Rx distributed CAK set error: 0
            Rx ICV Indicator error: 0
            Rx unrecognized parameter set error: 0

     

MACsec Fallback to Unprotected Traffic

When MACsec is enabled on an interface, it tries to establish MACsec Key Agreement (MKA) session(s) with its peer. If there are no successfully established MKA sessions, the interface can continue to protect the traffic with the last known negotiated key, and if no such key exists, it blocks the traffic. The MACsec Fallback to Unprotected Traffic feature introduces an optional configuration which, if provided, allows unprotected traffic whenever there is no successful MKA session with the peer, in the following scenarios:

  • If MACsec is enabled on an interface with this feature configured, the interface allows unprotected traffic immediately without waiting for the establishment of an MKA session.

  • If a MACsec-enabled interface was blocking traffic because no MKA sessions were established, and its corresponding MACsec profile is changed to enable this feature, the interface starts allowing unprotected traffic immediately.

  • If a MACsec-enabled interface previously allowed unprotected traffic and its corresponding MACsec profile is changed to disable this feature, the interface blocks traffic immediately.

  • While an interface is allowing unprotected traffic, it stops doing so when a new Secure Association Key (SAK) is generated (if this interface is the key server) or when a SAK is received from the key server (if this interface is not the key server).

  • If MACsec Fallback to Unprotected Traffic is configured and all MKA sessions between the peers fail, the peers switch to unprotected traffic. Without the feature, protected traffic would have continued with the last known negotiated key.

Keys derived from primary MKA sessions are prioritized over keys derived from fallback MKA sessions for protecting traffic between peers. With this feature enabled, the priority order of traffic between peers is:

  1. Protected using keys derived from primary MKA sessions.
  2. Protected using keys derived from fallback MKA sessions.
  3. Unprotected traffic.

Note: Arista allows the configuration of a primary and a fallback Connectivity Association Key (CAK) and Connectivity Association Key Name (CKN) pair on an interface. The interface attempts to establish an MKA session with its peer for each CAK/CKN pair.

 

MACsec Fallback to Unprotected Traffic Feature Interaction

This feature interacts with other related features in the following way:

  • MACsec EAP-FAST Support: The feature configuration has no effect when using dynamic MAC Security keys (derived from 802.1X authentication).

  • MACsec Proxy Interfaces: This feature does not work with MACsec proxy subinterfaces.

  • Key Retirement Immediate: When this feature is configured together with the Key Retirement Immediate feature on an interface, the transition between unprotected and protected traffic may become more frequent. This is because with Key Retirement Immediate, the existing successful MKA session corresponding to the old key is not maintained whenever a new key is configured.

Limitations

The following limitations may apply when using this feature:

  • An interface that switches from allowing unprotected traffic to allowing only protected traffic can experience a traffic disruption of up to 4 seconds.

  • If the key server interface manages to establish an MKA session with its old credentials (CKN/CAK pair) while allowing unprotected traffic, a traffic disruption lasting up to 6 seconds may occur in addition to the duration mentioned above.

Configuring MACsec Fallback to Unprotected Traffic

EOS supports this feature on all MACsec-capable cards except the 7500E-6CFPX-LC.

The MACsec Fallback to Unprotected Traffic feature is configured under MACsec profile mode using the traffic unprotected allow command. The no form of the command removes the configuration from the switch. This configuration must be present on both peers for unprotected traffic to flow between them.

Example
switch(config-mac-security-profile-sampleProfile)# no traffic unprotected allow

 

Displaying MACsec Fallback to Unprotected Traffic Information

The show mac security interface detail command can be used to verify whether an interface is currently allowing unprotected traffic; the Traffic field shows Unprotected or Protected.

switch# show mac security interface detail
Interface: Ethernet4/1/1
    SCI: 28:99:3a:82:6f:82::605
    SSCI: 00000002
    Controlled port: True
    Key server priority: 16
    Session rekey period: 0
    Traffic: Unprotected
    Key in use: 9d5bc0d3076ea4a08b99b9d9:1
    Latest key: None
    Old key: 9d5bc0d3076ea4a08b99b9d9:1(RT)

Interface: Ethernet4/3/1
    SCI: 28:99:3a:82:6f:85::613
    SSCI: 00000001
    Controlled port: True
    Key server priority: 16
    Session rekey period: 0
    Traffic: Protected
    Key in use: 9d5bc0d3076ea4a08b99b9d9:1
    Latest key: None
    Old key: 9d5bc0d3076ea4a08b99b9d9:1(RT)
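
The Traffic field in this output is the audit signal for the feature: an interface showing Unprotected is forwarding in the clear. The following Python script is an added example, not Arista code: it parses this output format, lists the interfaces that are currently unprotected, and decodes each SCI into the 6-byte MAC address plus 2-byte port identifier described under the identifier and sci commands later on this page; the sample output is constructed from the format shown here.

```python
"""Added example (not Arista code): audit 'show mac security interface detail'
output for interfaces passing unprotected traffic, and decode each SCI into the
6-byte MAC address and 2-byte port identifier that make up the 8-byte SCI."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# H:H:H:H:H:H::P, the form the identifier and sci commands describe.
_SCI = re.compile(r"^([0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5})::(\d+)$")


def sci_to_bytes(sci: str) -> bytes:
    """'28:99:3a:82:6f:82::605' -> bytes.fromhex('28993a826f82025d')."""
    match = _SCI.match(sci)
    if not match:
        raise ValueError(f"malformed SCI: {sci!r}")
    mac = bytes(int(octet, 16) for octet in match.group(1).split(":"))
    port = int(match.group(2))
    if port > 0xFFFF:  # the port identifier is a 16-bit field
        raise ValueError(f"port identifier out of range: {port}")
    return mac + port.to_bytes(2, "big")


def bytes_to_sci(raw: bytes) -> str:
    """Inverse of sci_to_bytes."""
    if len(raw) != 8:
        raise ValueError("an SCI is exactly 8 bytes")
    return ":".join(f"{b:02x}" for b in raw[:6]) + f"::{int.from_bytes(raw[6:], 'big')}"


def is_valid_sci(sci: str) -> bool:
    try:
        sci_to_bytes(sci)
        return True
    except ValueError:
        return False


@dataclass
class InterfaceState:
    name: str
    sci: Optional[str] = None
    controlled_port: Optional[bool] = None
    traffic: Optional[str] = None
    key_in_use: Optional[str] = None


def parse_interface_detail(text: str) -> Dict[str, InterfaceState]:
    """Return {interface name: InterfaceState} from the CLI output text."""
    states: Dict[str, InterfaceState] = {}
    current: Optional[InterfaceState] = None
    for line in text.splitlines():
        stripped = line.strip()
        if ":" not in stripped:
            continue
        key, value = (part.strip() for part in stripped.split(":", 1))
        if key == "Interface":
            current = InterfaceState(value)
            states[value] = current
        elif current is None:
            continue
        elif key == "SCI":
            current.sci = value
        elif key == "Controlled port":
            current.controlled_port = value == "True"
        elif key == "Traffic":
            current.traffic = value
        elif key == "Key in use":
            current.key_in_use = value
    return states


def unprotected_interfaces(states: Dict[str, InterfaceState]) -> List[str]:
    """Interfaces currently forwarding in the clear. With 'traffic unprotected
    allow' this is expected until an MKA session succeeds, but each entry is a
    plaintext link segment the operator should be tracking."""
    return sorted(name for name, st in states.items()
                  if st.traffic is not None and st.traffic.lower() == "unprotected")


# Constructed sample in the CLI format shown above (not a live capture).
SAMPLE_DETAIL = """\
Interface: Ethernet4/1/1
    SCI: 28:99:3a:82:6f:82::605
    Controlled port: True
    Traffic: Unprotected
    Key in use: 9d5bc0d3076ea4a08b99b9d9:1

Interface: Ethernet4/3/1
    SCI: 28:99:3a:82:6f:85::613
    Controlled port: True
    Traffic: Protected
    Key in use: 9d5bc0d3076ea4a08b99b9d9:1
"""

if __name__ == "__main__":
    states = parse_interface_detail(SAMPLE_DETAIL)
    for name in unprotected_interfaces(states):
        print(f"{name}: unprotected, SCI {states[name].sci} = {sci_to_bytes(states[name].sci).hex()}")
```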

 

MACsec Commands

MACsec Configuration Commands

  • an (MACsec)
  • cipher
  • entropy source hardware
  • identifier (MACsec)
  • key (MACsec)
  • key retirement immediate
  • l2-protocol
  • license (Global Mode)
  • license (MACsec)
  • mac security
  • mka key-server
  • mka session
  • profile (MACsec)
  • replay
  • sci
  • secure channel (MACsec)
  • traffic unprotected allow

MACsec Profile on a Subinterface

  • mac security profile

MACsec Show Commands

  • show mac security counters
  • show mac security counters detail
  • show mac security interface
  • show mac security interface detail
  • show mac security mka counters
  • show mac security participants
  • show mac security participants detail
  • show mac security profile
  • show mac security sak
  • show mac security status

MACsec EAP FAST Support Commands

  • dot1x
  • dot1x pae supplicant
  • dot1x timeout reauth-timeout-ignore always
  • show dot1x supplicant
  • supplicant profile

an (MACsec)

The an command defines an Association Number (AN) and a Secure Association Key (SAK) for use in the selected channel in MACsec. Up to 4 SAKs can be configured in the Rx direction, with ANs ranging from 0 to 3. The Tx channel can only have one AN and one SAK. The no an and default an commands remove the specified AN and its SAK from running-config.

Command Mode

MAC Security Profile SAK Static Secure Channel Configuration

 

Command Syntax

an an_number key key_type key_string

no an an_number

default an an_number

 

Parameters
  • an_number The Association Number. For the Rx channel, values range from 0 to 3. For the Tx channel, the only allowed value is 0. There is no default value.
  • key_type The type of string specifying the SAK. There are three valid key types:
    • 0 indicates that the key string which follows is not encrypted.
    • 7 indicates that the key string which follows is hidden or obfuscated.
    • 8a indicates that the key string which follows is encrypted with AES-256-GCM.
  • key_string The Secure Association Key itself, in hexadecimal octets.

Example
These commands add a static SAK with AN 1 to the Rx channel for profile test.
switch(config)# mac security
switch(config-mac-security)# profile test
switch(config-mac-security-profile-test)# key source sak static
switch(config-mac-security-profile-test-sak-static)# secure channel rx
switch(config-mac-security-profile-test-sak-static-rx)# an 1 key 0 11112222333344445555666677778888
switch(config-mac-security-profile-test-sak-static-rx)#

cipher

The cipher command configures the cipher suite used by MAC security on the switch.

Command Mode

MACsec Profile

Command Syntax

cipher encryption_standard

Parameters

encryption_standard The cipher suite options.
  • aes128-gcm-xpn Advanced Encryption Standard (128-bit, Galois/Counter mode, Extended Packet Numbering).
  • aes256-gcm-xpn Advanced Encryption Standard (256-bit, Galois/Counter mode, Extended Packet Numbering).

Example

The following command configures the cipher aes128-gcm-xpn for MAC security on the switch for the MACsec profile called test.
switch(config-mac-security-profile-test)# cipher aes128-gcm-xpn
switch(config-mac-security-profile-test)#

dot1x pae supplicant

The dot1x pae supplicant command applies the supplicant profile by enabling it on the MAC Security interface.

Command Mode

Interface Configuration

Command Syntax

dot1x pae supplicant

Example

The following command applies the supplicant profile test on the MACsec interface 6/1.
switch(config-if-Et6/1)# dot1x pae supplicant test

dot1x timeout reauth-timeout-ignore always

The dot1x timeout reauth-timeout-ignore always command retains the current port state, without blocking the port, when the authentication server is unreachable or a supplicant timeout occurs.

Command Mode

Interface Configuration

Command Syntax

dot1x timeout reauth-timeout-ignore always

Example

The following command retains the port status of interface Ethernet 6/1 when there is an authentication server timeout.
switch(config-if-Et6/1)# dot1x timeout reauth-timeout-ignore always

dot1x

The dot1x command places the switch in dot1x configuration mode. In this mode, the user can configure the various 802.1X settings used by MACsec.

Command Mode

Global Configuration

Command Syntax

dot1x

Example

The following command places the switch in dot1x mode.
switch(config)# dot1x
switch(config-dot1x)#

entropy source hardware

The entropy source hardware command uses the switch's hardware entropy source to strengthen the random number generator used to generate MACsec cryptographic keys.

Command Mode

Management Configuration

Command Syntax

entropy source hardware

Example

The following commands configure the hardware entropy source for cryptographic key generation.
switch(config)# management security
switch(config-mgmt-security)# entropy source hardware

identifier (MACsec)

 

The identifier command defines a Secure Channel Identifier (SCI) for the Rx or Tx secure channel for use with MACsec static Secure Association Keys (SAKs). The SCI is a MAC address followed by a port identifier, in the format H:H:H:H:H:H::P, where H is a hexadecimal octet and P is a decimal integer. The no identifier and default identifier commands remove the channel's SCI from running-config.

Command Mode

MAC Security Profile SAK Static Secure Channel Configuration

Command Syntax

identifier MAC_address

no identifier

default identifier

Parameter

MAC_address The MAC address (with port identifier) identifying the secure channel.

Example
These commands add the SCI 01:02:03:04:05:06::1234 to the Rx channel for profile "test."
switch(config)# mac security
switch(config-mac-security)# profile test
switch(config-mac-security-profile-test)# key source sak static
switch(config-mac-security-profile-test-sak-static)# secure channel rx
switch(config-mac-security-profile-test-sak-static-rx)# identifier 01:02:03:04:05:06::1234
switch(config-mac-security-profile-test-sak-static-rx)#

key (MACsec)

The key command configures the primary key to activate the MACsec profile.

Note: Optionally, a fallback CAK can also be configured on a profile. This CAK is picked up by MACsec to negotiate keys if the primary CAK fails. A CAK is configured as a backup key using the fallback keyword with the key command.

Command Mode

MACsec Profile Configuration

Command Syntax

key <options>

Parameters
  • CKN Connectivity association key name in hex octets. Options include:
    • 0 Specifies that an UNENCRYPTED key will follow.
    • 7 Specifies that a HIDDEN key will follow.
    • CAK Connectivity association key in hex octets.
    • fallback Configure the key as a fallback.
  • retirement Retire the key. Options include:
    • immediate Retire the key immediately.
  • source List of sources to derive MAC security keys. Options include:
    • dot1x Derive MAC security keys from IEEE 802.1X-based port authentication.
    • group-cak Derive MAC security keys from Group CAK Distribution.
    • sak static Enter static SAK configuration mode (see the an and identifier commands).

Examples
  • The following example configures the primary key for the sample profile for MAC security on the switch.
    switch(config)# mac security
    switch(config-mac-security)# profile sample_Profile
    switch(config-mac-security-profile-sample_Profile)# key 0abcd1 0 1234abcd

  • The following example configures the fallback CAK on a profile.
    switch(config)# mac security
    switch(config-mac-security)# profile sample_Profile
    switch(config-mac-security-profile-sample_Profile)# key 0abcd1 0 1234abcd fallback

key retirement immediate

The key retirement immediate command configures the key retirement feature on the key server and helps the key server decide the principal actor for SAK distribution by triggering the re-election of the principal actor immediately. It is recommended that key retirement be configured on both the key server and non-key-server peers.

The no key retirement immediate command disables the key retirement function by removing the key retirement immediate command from the running-config.

Command Mode

MACsec Profile

Command Syntax

key retirement immediate

Example

The following commands configure the key retirement immediate feature on a switch for a MACsec profile called sample.
switch(config)# mac security
switch(config-mac-security)# profile sample
switch(config-mac-security-profile-sample)# key retirement immediate

license (Global Mode)

The license command configures EOS licenses on the switch under the global configuration mode. These licenses include the MACsec license.

Note: Contact your system engineer to acquire the required license codes before attempting to configure MACsec.

Command Mode

Global Configuration

Command Syntax

license [[import URL] | update]

Parameters

  • import Import a license from a URL.
    • URL The URL from which to import a license.
  • update Trigger a check for licenses.

Example

The following example configures the MACsec license on the switch using a JSON file as shown.
switch# license import flash:EOSLic-1.json
switch#

license (MACsec)

The license command configures the MACsec license on the switch under the MAC Security configuration mode using a hex key.

The no license and default license commands delete the current license from running-config.

Note: This method of license configuration is no longer used except for backward compatibility.

Command Mode

MAC Security

Command Syntax

license licensee_name license_value

Parameters

  • licensee_name Name of the licensee.
  • license_value 8-digit hexadecimal key to authorize MAC security.

Example
The following example configures the MACsec license on the switch using an 8-digit hexadecimal key.
switch(config)# mac security
switch(config-mac-security)# license Test-LICNC AABBCCDD
switch(config-mac-security)#

 

l2-protocol

The l2-protocol command configures Layer 2 protocol processing for MACsec. The no l2-protocol and default l2-protocol commands remove the command from the configuration.

Command Mode

MAC Security Configuration

Command Syntax

l2-protocol ethernet-flow-control [bypass | encrypt]

no l2-protocol ethernet-flow-control [bypass | encrypt]

default l2-protocol ethernet-flow-control [bypass | encrypt]

Parameters

  • ethernet-flow-control - Configures Ethernet Flow Control frame processing for MAC security.
    • bypass - Transmit frames without processing them.
    • encrypt - Transmit and receive frames with protection.

Example

The following example configures MAC security so that Ethernet Flow Control frames bypass MACsec protection:

switch(config)# mac security
switch(config-mac-security)# l2-protocol ethernet-flow-control bypass

mac security

The mac security command enables MAC security provisioning on the switch and places the switch in MAC Security configuration mode.

The no mac security and default mac security commands restore the switch to its default state by removing the corresponding mac security command from running-config.

Command Mode

Global Configuration

Command Syntax

mac security

no mac security

default mac security

Example

The following command places the switch in MAC security mode.
switch(config)# mac security
switch(config-mac-security)#

mac security profile

The mac security profile command applies a MACsec profile to an interface or subinterface.

The no mac security profile and default mac security profile commands remove the MACsec profile, disabling MACsec on the configuration-mode interface.

Command Mode

Interface Ethernet Configuration Mode

Command Syntax

mac security profile profile-name

no mac security profile profile-name

default mac security profile profile-name

Parameter

profile-name The MACsec profile name.

Example

The following commands enable MACsec on Ethernet subinterface 1.10 by applying the MACsec profile called test-profile.
switch(config)# interface ethernet1
switch(config-if-Et1)# no switchport
switch(config-if-Et1)# interface ethernet1.10
switch(config-if-Et1.10)# encapsulation dot1q vlan 20
switch(config-if-Et1.10)# mac security profile test-profile

mka key-server

The mka key-server command configures the key server priority used to elect the key server among the MACsec peers.

Command Mode

MACsec Profile Configuration

Command Syntax

mka key-server [priority value]

Parameters

  • priority MKA key server priority.
    • value Key server priority value. Value ranges from 0 to 255.

Example

The following example configures a key server priority of 10 among the MACsec peers.
switch(config)# mac security
switch(config-mac-security)# profile sample_Profile
switch(config-mac-security-profile-sample_Profile)# mka key-server priority 10

mka session

The mka session command configures the period at which the SAK is refreshed.

Command Mode

MACsec Profile Configuration

Command Syntax

mka session [rekey-period value]

Parameters

  • rekey-period Sets the MKA session re-key period.
    • value Session re-key period in seconds. Value ranges from 30 to 100000.

Example

The following example configures an mka session rekey-period of 10 seconds, the interval at which the SAK is refreshed.
switch(config)# mac security
switch(config-mac-security)# profile sample_Profile
switch(config-mac-security-profile-sample_Profile)# mka session rekey-period 10

profile (MACsec)

The profile command places the switch in MAC Security Profile configuration mode and creates a MACsec profile if a profile of the specified name does not already exist. MACsec profiles contain the configuration information needed to establish a MACsec connection, and are applied to interfaces using the mac security profile command.

Command Mode

MAC Security Configuration

Command Syntax

profile profile-name

Parameter

profile-name Name of the MACsec profile.

Commands Available in MAC Security Profile Configuration Mode
  • cipher
  • key (MACsec)
  • mka key-server
  • mka session
  • replay
  • sci
  • traffic unprotected allow

Example

The following commands create a MACsec profile called test and place the switch in MAC Security Profile configuration mode for that profile.
switch(config)# mac security
switch(config-mac-security)# profile test
switch(config-mac-security-profile-test)#

replay

The replay command configures the action taken when received packets arrive out of order, based on their packet numbers. The window size specifies how far out of order a packet may arrive and still be accepted. This command is configured in MACsec Profile configuration mode.

The no and default forms of the command remove the replay protection configuration from the running configuration on the switch.

Command Mode

MACsec Profile

Command Syntax

replay protection {disabled | window window_size}

no replay protection {disabled | window window_size}

default replay protection {disabled | window window_size}

Parameters

  • protection Specifies the action to be taken when received packets are not in order, based on their packet numbers.
  • disabled Disables replay protection.
  • window Specifies the allowable window within which an out-of-order packet can be received.
    • window_size The allowable value ranges from 0 through 4294967295.

Example

The following commands create a MACsec profile called TEST and configure replay protection with a window size of 100 for that profile.
switch(config)# mac security
switch(config-mac-security)# profile TEST
switch(config-mac-security-profile-TEST)# replay protection window 100
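
The following Python model is an added illustration of what the replay window does to a stream of received packet numbers; it is not EOS code. Its acceptance rule (a frame is dropped when its packet number is below the highest accepted number plus one minus the window, so window 0 admits only strictly increasing packet numbers and disabled admits everything, while frames inside the window are not de-duplicated) is this example's reading of IEEE 802.1AE rather than something the page states. The packet-number sequence is constructed, and the number of dropped frames is what the inPktsLate counter in the show mac security counters detail output is assumed to report.

```python
"""Model of MACsec replay protection, added as an illustration (not EOS code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ReplayState:
    """Receive-side state of one secure channel."""
    window: Optional[int]   # None models `replay protection disabled`
    highest_pn: int = 0     # highest packet number accepted so far
    accepted: int = 0
    late: int = 0           # frames dropped by the replay check (inPktsLate, by assumption)


def check_packet(state: ReplayState, pn: int) -> bool:
    """Apply the replay check to a frame carrying packet number `pn`.

    Rule modelled (assumption of this example, after IEEE 802.1AE):
    lowest acceptable PN = highest accepted PN + 1 - window, and the frame
    passes when pn >= lowest acceptable. Window 0 therefore admits only
    strictly increasing packet numbers; a disabled check admits everything.
    Frames inside the window are not de-duplicated, which is why a tight
    window is the strict setting.
    """
    if state.window is None:
        state.accepted += 1
        state.highest_pn = max(state.highest_pn, pn)
        return True
    lowest_acceptable = max(1, state.highest_pn + 1 - state.window)
    if pn < lowest_acceptable:
        state.late += 1
        return False
    state.accepted += 1
    state.highest_pn = max(state.highest_pn, pn)
    return True


def run(window: Optional[int], pns: List[int]) -> Tuple[List[bool], int, int]:
    """Feed a packet-number sequence through one channel; return (verdicts, accepted, late)."""
    state = ReplayState(window=window)
    verdicts = [check_packet(state, pn) for pn in pns]
    return verdicts, state.accepted, state.late


# Constructed sequence: in order apart from one reordered frame (3 arriving after 5),
# one very old frame (1 arriving after 9) and one replay of the current highest (9 again).
SAMPLE_PNS = [1, 2, 4, 5, 3, 6, 7, 8, 9, 1, 9]

if __name__ == "__main__":
    for window in (None, 0, 2, 100):
        verdicts, accepted, late = run(window, SAMPLE_PNS)
        label = "disabled" if window is None else f"window {window}"
        print(f"{label:>10}: accepted={accepted:2d} late={late}  "
              + "".join("A" if v else "L" for v in verdicts))
```

On the constructed sequence, window 0 drops the reordered frame, the stale frame and the replayed frame; window 2 still drops the reordered and stale frames but lets the replayed 9 through because it lies inside the window; window 100 and disabled accept everything. That is the trade-off the window_size parameter expresses: tolerance for reordering against tolerance for replay.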

sci

The sci command adds the Secure Channel Identifier (SCI) to the MACsec data packets sent by the switch. Each MACsec device has a Secure Channel (SC) used to send traffic to other devices. Each channel has an 8-byte Secure Channel Identifier (SCI). The first 6 bytes match the MAC address of the device transmitting through that channel. The remaining 2 bytes are a Port Identifier used to distinguish between multiple channels from the same device. The command is configured in MACsec profile configuration mode.

Command Mode

MACsec Profile

Command Syntax

sci

Example

The following commands place the switch in MACsec profile configuration mode and add the SCI for the MACsec profile called TEST.
switch(config)# mac security
switch(config-mac-security)# profile TEST
switch(config-mac-security-profile-TEST)# sci

secure channel (MACsec)

The secure channel command enters MAC Security Profile Static SAK Secure Channel configuration mode. In this mode, you can add Association Numbers (AN) and Secure Channel Identifiers (SCI) for the specified channel. The available channels are Rx (receive) and Tx (transmit).

Command Mode

MAC Security Profile Static SAK Configuration Mode

Command Syntax

secure channel {Rx|Tx}

Parameters
  • Rx Enter the configuration mode for the Rx channel.
  • Tx Enter the configuration mode for the Tx channel.

Available Commands
  • an
  • identifier

Example

These commands enter MAC Security Profile Static SAK Secure Channel configuration mode for the Tx channel.
switch(config)# mac security
switch(config-mac-security)# profile test
switch(config-mac-security-profile-test)# key source sak static
switch(config-mac-security-profile-test-sak-static)# secure channel tx
switch(config-mac-security-profile-test-sak-static-sc-tx)#

show dot1x supplicant

The show dot1x supplicant command displays the 802.1X supplicant status.

Command Mode

EXEC

Command Syntax

show dot1x supplicant

Example

The following example displays information about 802.1X supplicant status.
switch# show dot1x supplicant 

Interface: Ethernet6/1
    Identity: arastra
    EAP method: fast
    Status: success
    Supplicant MAC: 44:4c:a8:34:bf:20
    Authenticator MAC: 00:1c:73:e0:d3:76

About the Output
  • Interface: The port on which the supplicant is running.
  • Identity: Configured supplicant identity.
  • EAP method: Configured EAP method (currently only EAP-FAST).
  • Status: Supplicant status. Can be one of the following:
    • Success Authentication has been successful.
    • Down Authentication sequence has not begun.
    • Failed Authentication has failed.
    • Connecting Authentication is in progress.
    • Unused Supplicant is uninitialized.
  • Supplicant MAC: MAC address of the supplicant.
  • Authenticator MAC: MAC address of the authenticator (peer). The existing MAC Security show commands can be used to look at MAC Security status.

show mac security counters detail

The show mac security counters detail command displays detailed information about the MACsec counters.

Command Mode

EXEC

Command Syntax

show mac security counters detail

Example

The following example displays detailed information about the MACsec counters.
switch# show mac security counters detail
Ethernet4/1/1     Counter Name        Count
-------------------------------------------------------
                  outPktsEncrypted    112
                  outOctetsEncrypted  11984
                  outPktsUntagged     0
                  outPktsTooLong      0
                  outPktCtrl          224
                  inPktsDecrypted     2
                  inOctetsDecrypted   214
                  inPktsUnchecked     0
                  inPktsOK            2
                  inPktsNotValid      0
                  inPktsNotUsingSA    0
                  inPktsCtrl          223
                  inPktsNoTag         8
                  inPktsTagged        0
                  inPktsBadTag        0
                  inPktsNoSCI         0
                  inPktsLate          0

Ethernet4/3/1     Counter Name        Count
-------------------------------------------------------
                  outPktsEncrypted    2
                  outOctetsEncrypted  214
                  outPktsUntagged     0
                  outPktsTooLong      0
                  outPktCtrl          223
                  inPktsDecrypted     111
                  inOctetsDecrypted   11877
                  inPktsUnchecked     0
                  inPktsOK            111
                  inPktsNotValid      0
                  inPktsNotUsingSA    0
                  inPktsCtrl          224
                  inPktsNoTag         9
                  inPktsTagged        0
                  inPktsBadTag        0
                  inPktsNoSCI         0
                  inPktsLate          0
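
The following Python snippet, added here and not part of EOS, parses the counters detail output into a per-interface dictionary and flags the counters that indicate integrity or replay failures, which is how a practitioner would turn this output into an alert rather than reading it by eye. The sample text is constructed in the layout of the output above (the Ethernet4/1/1 block is the page's; the Ethernet4/3/1 block is shortened and given non-zero inPktsBadTag and inPktsLate values so the check has something to report), and the choice of which counters count as errors is the example's own.

```python
"""Parse `show mac security counters detail` and flag error counters (added example, not EOS code)."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of the page's example output. The Ethernet4/1/1 block is
# as shown on the page; the Ethernet4/3/1 block is shortened and inPktsBadTag / inPktsLate
# were set to non-zero values so the check below has something to report.
SAMPLE_OUTPUT = """\
Ethernet4/1/1     Counter Name        Count
-------------------------------------------------------
                  outPktsEncrypted    112
                  outOctetsEncrypted  11984
                  outPktsUntagged     0
                  outPktsTooLong      0
                  outPktCtrl          224
                  inPktsDecrypted     2
                  inOctetsDecrypted   214
                  inPktsUnchecked     0
                  inPktsOK            2
                  inPktsNotValid      0
                  inPktsNotUsingSA    0
                  inPktsCtrl          223
                  inPktsNoTag         8
                  inPktsTagged        0
                  inPktsBadTag        0
                  inPktsNoSCI         0
                  inPktsLate          0

Ethernet4/3/1     Counter Name        Count
-------------------------------------------------------
                  outPktsEncrypted    2
                  outOctetsEncrypted  214
                  inPktsDecrypted     111
                  inOctetsDecrypted   11877
                  inPktsOK            106
                  inPktsNotValid      0
                  inPktsBadTag        1
                  inPktsNoSCI         0
                  inPktsLate          5
"""

HEADER_RE = re.compile(r"^(\S+)\s+Counter Name\s+Count\s*$")
ROW_RE = re.compile(r"^\s+([A-Za-z]+)\s+(\d+)\s*$")

# Counters that indicate integrity or replay trouble rather than normal traffic.
# Which counters to alarm on is this example's choice, not an EOS definition.
ERROR_COUNTERS = ("inPktsNotValid", "inPktsNotUsingSA", "inPktsBadTag",
                  "inPktsNoSCI", "inPktsLate", "outPktsTooLong")


def parse_counters_detail(text: str) -> Dict[str, Dict[str, int]]:
    """Return {interface: {counter_name: value}} from the CLI output."""
    counters: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            counters[current] = {}
            continue
        row = ROW_RE.match(line)
        if row and current is not None:
            counters[current][row.group(1)] = int(row.group(2))
    return counters


def anomalies(counters: Dict[str, Dict[str, int]]) -> List[Tuple[str, str, int]]:
    """List (interface, counter, value) for every error counter that is non-zero."""
    found = []
    for intf, values in counters.items():
        for name in ERROR_COUNTERS:
            if values.get(name, 0) > 0:
                found.append((intf, name, values[name]))
    return found


def increments(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Counter growth between two polls of one interface (the counters are cumulative,
    so an alert should normally fire on growth, not on a non-zero absolute value)."""
    return {name: after[name] - before.get(name, 0)
            for name in after if after[name] != before.get(name, 0)}


if __name__ == "__main__":
    parsed = parse_counters_detail(SAMPLE_OUTPUT)
    for intf, name, value in anomalies(parsed):
        print(f"{intf}: {name} = {value}")
```

Polling twice and feeding both snapshots to increments() is the usual way to separate a stale, long-ago event from an ongoing one; anomalies() alone reports anything that has ever been counted since the counters were last cleared.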

show mac security counters

The show mac security counters command displays summary information about the MACsec counters.

Command Mode

EXEC

Command Syntax

show mac security counters

Example

The following example displays information about the MACsec counters.
switch# show mac security counters
Port       InPktsDecrypted  InOctetsDecrypted  OutPktsEncrypted OutOctetsEncrypted
Et4/1/1                  2                214               109              11663
Et4/3/1                109              11663                 2                214

show mac security interface detail

The show mac security interface detail command displays detailed MACsec information for each interface.

Command Mode

EXEC

Command Syntax

show mac security interface detail

Example

The following example displays detailed MACsec information for the interfaces.
switch# show mac security interface detail
Interface: Ethernet4/1/1
    SCI: 28:99:3a:82:6f:82::605
    SSCI: 00000002
    Controlled port: True
    Key server priority: 16
    Session rekey period: 0
    Traffic: Protected
    Key in use: 9d5bc0d3076ea4a08b99b9d9:1
    Latest key: None
    Old key: 9d5bc0d3076ea4a08b99b9d9:1(RT)

Interface: Ethernet4/3/1
    SCI: 28:99:3a:82:6f:85::613
    SSCI: 00000001
    Controlled port: True
    Key server priority: 16
    Session rekey period: 0
    Traffic: Protected
    Key in use: 9d5bc0d3076ea4a08b99b9d9:1
    Latest key: None
    Old key: 9d5bc0d3076ea4a08b99b9d9:1(RT)

About the Output

  • Interface: Name of the interface.
  • Secure Channel Identifier (SCI): Combination of MAC address and port number, used to uniquely identify a MAC Security port.
  • Controlled Port: Indicates whether MAC Security is enabled on the port. A value of True indicates that encryption is enabled on the port.
  • Key In Use: The SAK identifier currently in use, a combination of the key server's message identifier (see below) and the key number.
  • Key Server priority: Configured key server priority.
  • Session Rekey Period: Configured session rekey period.
  • Latest Key: Latest SAK being negotiated by the MAC Security Key Agreement protocol (MKA).
  • Old Key: The last SAK negotiated by the MAC Security Key Agreement protocol (MKA).

    Note: Latest and Old key are MKA protocol specific terminology and are used to refer to the last two keys in use. For all practical purposes, Key In Use field is used to identify the current key.
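
The following Python snippet, an added example rather than EOS code, parses the output above, splits each SCI into the MAC address and port identifier described under the sci command, rebuilds the 8-byte SCI, and cross-checks the two ends of a link for the conditions a practitioner would want to hold (controlled ports up, traffic Protected, the same Key in use on both ends, distinct SCIs). The sample is the page's own output; reading the port identifier after the "::" as hexadecimal is an assumption of the example.

```python
"""Parse `show mac security interface detail`, decode SCIs and cross-check two link ends.
Added example, not EOS code."""
import re
from typing import Dict, List, Tuple

# Sample taken from the page's example output (the two interfaces are the two ends
# of one MACsec link, as their matching "Key in use" values suggest).
SAMPLE_OUTPUT = """\
Interface: Ethernet4/1/1
    SCI: 28:99:3a:82:6f:82::605
    SSCI: 00000002
    Controlled port: True
    Key server priority: 16
    Session rekey period: 0
    Traffic: Protected
    Key in use: 9d5bc0d3076ea4a08b99b9d9:1
    Latest key: None
    Old key: 9d5bc0d3076ea4a08b99b9d9:1(RT)

Interface: Ethernet4/3/1
    SCI: 28:99:3a:82:6f:85::613
    SSCI: 00000001
    Controlled port: True
    Key server priority: 16
    Session rekey period: 0
    Traffic: Protected
    Key in use: 9d5bc0d3076ea4a08b99b9d9:1
    Latest key: None
    Old key: 9d5bc0d3076ea4a08b99b9d9:1(RT)
"""

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_interface_detail(text: str) -> Dict[str, Dict[str, str]]:
    """Return {interface: {field: value}} from the CLI output."""
    blocks: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Interface:"):
            current = line.split(":", 1)[1].strip()
            blocks[current] = {}
        elif current is not None and line.startswith("    ") and ":" in line:
            key, value = line.strip().split(":", 1)   # split on the first colon only
            blocks[current][key.strip()] = value.strip()
    return blocks


def split_sci(sci: str) -> Tuple[str, int]:
    """Split an SCI as EOS prints it ('mac::port') into (MAC, port identifier).

    The page defines the SCI as 6 bytes of MAC address plus a 2-byte port
    identifier; EOS separates the two with '::'. Reading the port field as
    hexadecimal is an assumption of this example.
    """
    mac, port = sci.lower().split("::")
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC in SCI {sci!r}")
    port_id = int(port, 16)
    if not 0 <= port_id <= 0xFFFF:
        raise ValueError(f"port identifier out of 16-bit range in SCI {sci!r}")
    return mac, port_id


def sci_bytes(sci: str) -> bytes:
    """The 8-byte SCI as it would be carried in the MACsec SecTAG."""
    mac, port_id = split_sci(sci)
    return bytes.fromhex(mac.replace(":", "")) + port_id.to_bytes(2, "big")


def peer_consistency(a: Dict[str, str], b: Dict[str, str]) -> List[str]:
    """Checks on the two ends of one link; an empty list means healthy."""
    problems = []
    for side, d in (("A", a), ("B", b)):
        if d.get("Controlled port") != "True":
            problems.append(f"{side}: controlled port is not up")
        if d.get("Traffic") != "Protected":
            problems.append(f"{side}: traffic is {d.get('Traffic')}")
    if a.get("Key in use") != b.get("Key in use"):
        problems.append("ends report different SAK identifiers")
    if a.get("SCI") == b.get("SCI"):
        problems.append("both ends report the same SCI")
    return problems


if __name__ == "__main__":
    details = parse_interface_detail(SAMPLE_OUTPUT)
    for intf, fields in details.items():
        mac, port_id = split_sci(fields["SCI"])
        print(f"{intf}: MAC {mac}, port id {port_id}, SCI bytes {sci_bytes(fields['SCI']).hex()}")
    ends = list(details.values())
    print("problems:", peer_consistency(ends[0], ends[1]) or "none")
```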
show mac security interface

The show mac security interface command displays summary information about MACsec on the interfaces.

Command Mode

EXEC

Command Syntax

show mac security interface

Examples

  • The following example displays information about MACsec on the interface.
    switch# show mac security interface
    Interface     SCI                     Controlled Port Key in Use
    Ethernet4/1/1 28:99:3a:82:6f:82::605  True            9d5bc0d3076ea4a08b99b9d9:1
    Ethernet4/3/1 28:99:3a:82:6f:85::613  True            9d5bc0d3076ea4a08b99b9d9:1
    switch#

  • The following example displays the association numbers (ANs) of SAKs for both Rx and Tx on the interface Ethernet9/1. Actual SAK values are never displayed in show command output.
    switch# show mac security interface
    Interface       SCI                       Controlled Port      Key in Use
    Ethernet9/1     01:02:03:04:05:06::1235   True                 static SAK: Rx AN: 0,1 Tx AN: 0
    switch#

  • The following example displays MACsec information for a unidirectional link. On the Rx side, the SCI is shown as 00:00:00:00:00:00::0, and only the Rx AN is shown.
    switch# show mac security interface
    Interface       SCI                       Controlled Port      Key in Use
    Ethernet9/1     00:00:00:00:00:00::0000   True                 static SAK: Rx AN: 0
    switch#

  • The following example displays MACsec information on the Tx side of a unidirectional link. In this case, the configured SCI is shown, along with the Tx AN.
    switch(config)# show mac security interface
    Interface       SCI                       Controlled Port      Key in Use
    Ethernet9/1     01:02:03:04:05:06::1235   True                 static SAK: Tx AN: 0

show mac security mka counters

The show mac security mka counters command displays information about the MACsec MKA counters.

Command Mode

EXEC

Command Syntax

show mac security mka counters

Example

The following example displays information about the MACsec MKA counters.
switch# show mac security mka counters
Interface       Rx Success      Rx Failure      Tx Success      Tx Failure
Ethernet4/1/1   287             0               288             0
Ethernet4/3/1   288             0               287             00

show mac security participants detail

The show mac security participants detail command displays detailed information about the MACsec participants.

Command Mode

EXEC

Command Syntax

show mac security participants detail

Example

The following example displays detailed information about the MACsec participants.
switch# show mac security participants detail
Interface: Ethernet4/1/1
    CKN: abcd
      Message ID: 9d5bc0d3076ea4a08b99b9d9
      Elected self: True
      Success: True
      Principal: True
      Default: False
      KeyServer SCI: 28:99:3a:82:6f:82::605
      SAK transmit: True
      LLPN exhaustion: 0
      Distributed key identifier: 9d5bc0d3076ea4a08b99b9d9:1
      Live peer list: ['c79ad8882c2dd3a8e838a691']
      Potential peer list: []

    CKN: dead
      Message ID: 4ef4cf009161bd551b5e7434
      Elected self: True
      Success: True
      Principal: False
      Default: True
      KeyServer SCI: 28:99:3a:82:6f:82::605
      SAK transmit: False
      LLPN exhaustion: 0
      Distributed key identifier: None
      Live peer list: ['3dfd4486b5f68a81014a37ec']
      Potential peer list: []

Interface: Ethernet4/3/1
    CKN: abcd
      Message ID: c79ad8882c2dd3a8e838a691
      Elected self: False
      Success: True
      Principal: True
      Default: False
      KeyServer SCI: 28:99:3a:82:6f:82::605
      SAK transmit: True
      LLPN exhaustion: 0
      Distributed key identifier: 9d5bc0d3076ea4a08b99b9d9:1
      Live peer list: ['9d5bc0d3076ea4a08b99b9d9']
      Potential peer list: []

    CKN: dead
      Message ID: 3dfd4486b5f68a81014a37ec
      Elected self: False
      Success: True
      Principal: False
      Default: True
      KeyServer SCI: 28:99:3a:82:6f:82::605
      SAK transmit: False
      LLPN exhaustion: 0
      Distributed key identifier: None
      Live peer list: ['4ef4cf009161bd551b5e7434']
      Potential peer list:


About the Output

  • Connectivity Association Key Name (CKN): Configured name of the key in use.
  • Message ID: A random 92 bit string used as an identifier for an MKA participant.
  • Elected Self: True if this participant is the elected key server.
  • Success: True if this participant is live and has at least one live peer.
  • Principal: True if this participant is the principal participant elected to distribute SAKs.
  • Default: True if this participant is a fallback/backup participant (spawned when a fallback key is configured in a Mac Security profile).
  • Key Server SCI: The SCI of the key server.
  • SAK Transmit: True if the participant is ready to use the negotiated key for transmit.
  • LLPN Exhaustion: Increments if the number of data packets sent using the current key exceeds a certain threshold. Because we use a 64 bit packet number cipher suite, this should never increment.
  • Distributed Key Identifier: Message ID + key number of the most recently generated SAK.


show mac security participants

The show mac security participants command displays information about the MACsec participants.

Command Mode

EXEC

Command Syntax

show mac security participants

Example

The following example displays information about MACsec participants.
switch# show mac security participants
Interface: Ethernet4/1/1
    CKN: abcd
      Message ID: 9d5bc0d3076ea4a08b99b9d9
      Elected self: True
      Success: True
      Principal: True
      Default: False

    CKN: dead
      Message ID: 4ef4cf009161bd551b5e7434
      Elected self: True
      Success: True
      Principal: False
      Default: True

Interface: Ethernet4/3/1
    CKN: abcd
      Message ID: c79ad8882c2dd3a8e838a691
      Elected self: False
      Success: True
      Principal: True
      Default: False

    CKN: dead
      Message ID: 3dfd4486b5f68a81014a37ec
      Elected self: False
      Success: True
      Principal: False
      Default: True

show mac security profile

The show mac security profile command displays information about the specified MACsec profile. If no profile is specified, information about all profiles is shown.

Command Mode

EXEC

Command Syntax

show mac security profile [profile_name]

Parameters

profile_name The MACsec profile to show information about.

Example

The following command shows information for the MACsec profile test.
switch# show mac security profile
Profile: test
    Cipher: aes256-gcm-xpn
    Primary CKN:
    Primary CAK SHA-256 hash:
    Fallback CKN:
    Fallback CAK SHA-256 hash:
    Source: cli
    Priority: 100
    SCI Inclusion: disabled
    Key retirement policy: delayed
    Unprotected traffic policy: allow active-sak
    MKA lifetime: 6 seconds
    MKA key server priority: 16
    Session rekey period: 0
    Bypassed protocols:
    Max AN value of SAK: 3
    Configured on:
switch#

show mac security sak

The show mac security sak command displays information about MACsec static secure association key (SAK) status for the specified Ethernet interface. If no interface is specified, all interfaces are shown. The following information is shown for each Ethernet interface.
  • The name of the Ethernet interface.
  • The installed SAK IDs.
  • The SAK profile name.
  • The total number of SAKs generated.
  • The number of SAKs generated due to a new live peer.
  • The number of SAKs generated due to a rekey timer.
  • The number of SAKs generated due to packet number exhaustion.
  • The SAK installation time in seconds in each direction.
  • The number of forced new Tx SAK installations.

Command Mode

EXEC

Command Syntax

show mac security sak [interface ethernet Ethernet_interface]

Parameters

interface ethernet Show SAK status information about the specified Ethernet interface. If this option is omitted, information for all Ethernet interfaces is shown.

Ethernet_interface The Ethernet interface to show SAK status for.

Example

The following command displays the MACsec SAK status for the Ethernet interface Ethernet9/1.
switch(config-mac-security-profile-test)# show mac security sak
Interface: Ethernet9/1
Installed SAK ID: static SAK: Rx AN: 0,1 Tx AN: 0
Installed SAK from: static-SA
Total SAK generated: 0
SAK generated due to new live peer: 0
SAK generated due to rekey timer: 0
SAK generated due to packet number exhaustion: 0
SAK installation time( in seconds ):
Direction    0-1   1-2   2-3    3+
---------- ----- ----- ----- -----
Rx             1     0     0     0
Tx             1     0     0     0

Maximum Rx installation time: 0.0884998080001 seconds
Maximum Tx installation time: 0.0884941590002 seconds
Forced new Tx SAK installation count: 0

show mac security status

The show mac security status command displays the MACsec status information on a switch.

Command Mode

EXEC

Command Syntax

show mac security status

Example

The following command displays the MACsec status information.
switch# show mac security status
Active Profiles:                1
Data Delay Protection:         No
FIPS Mode:                     No
Secured Interfaces:             2
License:                       Enabled

supplicant profile

The supplicant profile command configures a supplicant profile containing all the credentials necessary for 802.1X authentication to succeed.

Command Mode

dot1x Configuration

Command Syntax

supplicant profile profile_name options

Parameters
  • profile_name Name of the supplicant profile.
  • The following parameters can be included after entering the profile mode:
    • eap-method Extensible Authentication Protocol (EAP) method. Options include:
      • fast EAP Flexible Authentication via Secure Tunneling (EAP-FAST).
    • identity Extensible Authentication Protocol (EAP) user identity. Options include:
      • WORD User identity name.
    • passphrase Extensible Authentication Protocol (EAP) password. Options include:
      • 0 Specifies that an UNENCRYPTED key will follow.
      • 7 Specifies that a HIDDEN key will follow.
      • LINE The UNENCRYPTED (clear-text) shared key.

Examples
  • The following commands place the switch in the supplicant profile mode.
    switch(config)# dot1x
    switch(config-dot1x)# supplicant profile test
    switch(config-dot1x-supp-profile-test)#

  • The following commands configure the EAP-FAST method for the supplicant profile called test, used for MAC security on the switch.
    switch(config)# dot1x
    switch(config-dot1x)# supplicant profile test
    switch(config-dot1x-supp-profile-test)# eap-method fast

  • The following commands configure the identity for the supplicant profile called test, used for MAC security on the switch.
    switch(config)# dot1x
    switch(config-dot1x)# supplicant profile test
    switch(config-dot1x-supp-profile-test)# identity New_User

  • The following commands configure the passphrase for the supplicant profile called test, used for MAC security on the switch.
    switch(config)# dot1x
    switch(config-dot1x)# supplicant profile test
    switch(config-dot1x-supp-profile-test)# passphrase 7 070E334D5D1D0B04

traffic unprotected allow

The traffic unprotected allow command configures the switch to allow unprotected traffic whenever no MKA session has been successfully established with the peer.

The no traffic unprotected allow command disables the MACsec fallback to unprotected traffic function by removing the traffic unprotected allow command from running-config.

Command Mode

MACsec Profile

Command Syntax

traffic unprotected allow

no traffic unprotected allow

Example

The following commands configure the MACsec fallback to unprotected traffic setting for a MACsec profile called sample.
Switch(config)# mac security
Switch(config-mac-security)# profile sample
Switch(config-mac-security-profile-sample)# no traffic unprotected allow

Internet Protocol Security (IPsec)

This section describes Arista's IPsec implementation. Topics in this section include:
  • IPsec Introduction
  • IPsec Overview
  • Configuring IPsec
  • Configuring PKI
  • IPsec Commands


IPsec Introduction

Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents periodically during the session and negotiation of cryptographic keys to be used during the session. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.

IPsec protects data traffic between sites, such as between an enterprise's Branch, HQ, and Data center sites.

IPsec uses the following protocols to perform various functions:

  • Authentication Headers (AH) provide connectionless integrity and data origin authentication for IP datagrams and protect against replay attacks.
  • Encapsulating Security Payloads (ESP) provides confidentiality, data origin authentication, connectionless integrity, and an anti-replay service (a form of partial sequence integrity).
  • Internet Key Exchange (IKE) is a key management protocol that provides security for virtual private network (VPN) negotiations and for remote host and network access. It is also described as a method for exchanging keys for encryption and authentication over an unsecured medium, such as the Internet.

IPsec Overview

Security Associations

Security Associations (SA) provide the bundle of algorithms and data that provide the parameters necessary for AH and ESP operations. The Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for authentication and key exchange, with actual authenticated keying material provided by manual configuration with pre-shared keys, Internet Key Exchange (IKE and IKEv2), and other mechanisms.

IPsec uses the Security Parameter Index (SPI) and the destination address in the packet header to determine the necessary protection for an outgoing packet. The SPI is an index to the security association database (SADB). The SPI uniquely identifies a security association for the packet in combination with the destination address.

The system performs a similar procedure for an incoming packet, where IPsec gathers decryption and verification keys from the security association database.

Full bidirectional communication requires at least two SAs, one for each direction. The following parameters define an SA:

  • Security protocol: Authentication Header (AH) or Encapsulating Security Payload (ESP), together with its algorithms and keys.
  • Mode: Tunnel or Transport.
  • Key Management Method: Manual or IKE.
  • Lifetime: Expressed in hours or minutes (minimum configurable value is 10 minutes).

Mode of Operation

IPsec on Arista switches operates in tunnel mode. In tunnel mode, the entire IP packet is encrypted and authenticated, then encapsulated into a new IP packet with a new IP header.

IPsec uses tunnel mode to create virtual private networks (VPN) for network-to-network communications, such as secure connections between routers across different sites. Tunnel mode serves as the foundation for the majority of network-to-network IPsec implementations.

Key Management

Key management on Arista switches uses the Internet Key Exchange (IKE) method. IKE supports automated generation and renegotiation of SAs (including keys) between the devices at a configured interval, which makes it much more scalable and secure.

IPsec needs SAs to define the algorithms and keys to protect traffic. IKE establishes the SA so IPsec can protect traffic.

There are two IKE versions, IKEv1 and IKEv2. IKEv2 builds on IKEv1, but both are still widely used today.

IKEv1
IKEv1 has two phases.
  • IKEv1 Phase 1
  • IKEv1 Phase 2

IKEv1 Phase 1
  • Uses main or aggressive mode exchange
  • Negotiates IKE SA
  • Used for control plane
  • Peer authentication

IKEv1 Phase 2
  • Uses quick mode exchange
  • Negotiates IPsec SAs

Note: There are two different SAs established. The IKE SA protects only the IKE key management session using the IKE policy defined. The policy should include the following parameters:
  • Encryption algorithm
  • Hash MAC (HMAC) algorithm
  • Peer authentication procedure
  • Diffie-Hellman group for initial key exchange
  • SA lifetime

IKE performs a Diffie-Hellman (DH) exchange at the start of the IKE session. A Diffie-Hellman exchange allows the participants to produce a shared secret value. The strength of the technique is that the participants create the secret value over an unsecured medium without ever sending the secret value itself across the wire. From that exchange, the peers obtain shared keying material, which is then used for IKE encryption and integrity functions. The strength of that keying material depends on the DH key size: smaller DH key sizes give faster performance at the cost of strength, and the key length (strength) of the exchange is changed by selecting a different DH group.

When an IKE session's lifetime expires, a new Diffie-Hellman exchange is performed between peers, and the IKE SA is re-established.
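
The exchange described above, as an added Python example that is not from the page or from EOS: both peers derive the same secret from the values exchanged over the wire while the private exponents stay local, and the secret plus both nonces is expanded into keying material. The 64-bit prime and generator are toy values chosen for readability, and the SHA-256 counter expansion is a simplified stand-in for IKE's PRF-based key derivation; both are assumptions of the example, not IKE's actual parameters.

```python
"""Diffie-Hellman exchange as IKE uses it, added as an illustration (not EOS code)."""
import hashlib
import secrets
from typing import Tuple

# Toy group for readability (assumption of this example): a 64-bit prime and generator 2.
# IKE uses standardised groups such as DH group 14 (2048-bit MODP), which the configuration
# steps on this page reference; these toy values offer no security at all.
TOY_P = 0xFFFFFFFFFFFFFFC5   # 2**64 - 59, prime
TOY_G = 2


def dh_public(p: int, g: int, private: int) -> int:
    """Public value g^private mod p; only this value crosses the wire."""
    return pow(g, private, p)


def dh_shared(p: int, peer_public: int, private: int) -> int:
    """Shared secret peer_public^private mod p, after rejecting degenerate peer values."""
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value is 0, 1 or p-1: degenerate exchange")
    return pow(peer_public, private, p)


def keying_material(shared: int, nonce_i: bytes, nonce_r: bytes, length: int) -> bytes:
    """Expand the shared secret and both nonces into keying material.

    IKE derives its session keys with the negotiated PRF; this counter-mode SHA-256
    expansion is a simplified stand-in (assumption of this example), not IKE's KDF.
    """
    seed = shared.to_bytes((shared.bit_length() + 7) // 8 or 1, "big") + nonce_i + nonce_r
    out = b""
    counter = 1
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def exchange(p: int, g: int, a: int, b: int, nonce_i: bytes,
             nonce_r: bytes) -> Tuple[bytes, bytes, Tuple[int, int]]:
    """Run both sides with private exponents a (initiator) and b (responder).

    Returns the keying material each side derives and the two public values an
    observer on the wire would see; the secret exponents never leave their side.
    """
    pub_a = dh_public(p, g, a)
    pub_b = dh_public(p, g, b)
    s_i = dh_shared(p, pub_b, a)     # initiator computes (g^b)^a
    s_r = dh_shared(p, pub_a, b)     # responder computes (g^a)^b
    return (keying_material(s_i, nonce_i, nonce_r, 32),
            keying_material(s_r, nonce_i, nonce_r, 32),
            (pub_a, pub_b))


def random_private(p: int) -> int:
    """Fresh private exponent in [1, p-2]; a fresh one per IKE SA lifetime gives a fresh secret."""
    return secrets.randbelow(p - 2) + 1


if __name__ == "__main__":
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)
    k_i, k_r, (pub_a, pub_b) = exchange(TOY_P, TOY_G, random_private(TOY_P),
                                        random_private(TOY_P), n_i, n_r)
    print("on the wire:", hex(pub_a), hex(pub_b))
    print("both sides derived the same key:", k_i == k_r, k_i.hex())
```

Re-running exchange() with fresh exponents is what happens when the IKE SA lifetime expires: a new secret and new keying material replace the old ones, and the modulus size (the DH group) is what bounds the work an observer of the two public values would face.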

The IPsec protection policy, which results in IPsec SAs, defines how network traffic is protected. These IPsec SAs are usually negotiated over IKE sessions. The parameters that define the IPsec protection policy are:

  • Encryption Algorithm
  • Hash MAC (HMAC) Algorithm

The key material for the IPsec SA (also called the Child SA) is derived from the keying material of IKEv1 phase 1.

There are two different modes for phase 1:
  • Main Mode
    • 6 packet exchange
    • Full identity protection and better anti-DoS protection
  • Aggressive Mode
    • 3 packet exchange, faster session establishment
    • Identities are exchanged in the clear
    • Weak DoS protection

Authentication
  • Pre-Shared Keys (PSK): As the name suggests, a shared secret is distributed out-of-band to the peers. The peers use this information and nonce parameters to create a hash to authenticate messages.
  • PKI Certificates: Here, peers' certificates are exchanged, and hashes are calculated over these certificates to authenticate each other.

IKEv2

IKEv2 differs from IKEv1 in the following ways:

  • Faster set up because of the reduced number of messages.
  • More secure.
  • ESP is reused for all IKEv2 messages.
  • Suite-B support.
  • There is no aggressive mode, so IKEv2 always provides identity protection.
  • Additional authentication methods.
  • Local and remote can use different authentication methods and use different pre-shared keys.
  • Authentication is done unidirectionally in IKEv2.


Route-based VPN

A route-based VPN employs routed tunnel interfaces as the virtual network's endpoints. All traffic passing through a tunnel interface traverses the VPN. Rather than relying on an explicit policy to dictate which traffic enters the VPN, static and dynamic IP routes are formed to direct the desired traffic through the VPN tunnel interface.

Because route-based VPNs carry dynamic routing information through the VPN tunnels, EOS supports only route-based VPNs, which gives dynamic routing support and easier configuration and management.

In a route-based VPN, features such as NAT, ACLs, and QoS are applied to packets before encryption when they are configured on the tunnel interface, and to the encrypted packets when they are configured on the physical interface that carries the tunnel traffic.

Virtual Template Interface (VTI)

A new tunnel interface type, vti, represents the VPN tunnel. This tunnel interface will participate in the routing, and any packets forwarded to it will be encrypted and forwarded to the other end of the tunnel. Note that this does not add a new header to the packet.

Configuring IPsec

Complete the following steps to configure IPsec tunnels over the switch.

This configuration uses the default IKE version 2 procedure.

  1. Use ip security command to enter IP security mode.
    switch(config)# ip security

     

  2. To use IKE version 1, configure the following before continuing with the steps below; otherwise the steps use the default IKE version 2.
    switch(config)# ip security
    switch(config-ipsec)# ike policy ike-peerRtr  
    switch(config-ipsec-ike)# version 1    

     

  3. Create an IKE Policy to be used to communicate with the peer to establish IKE. You have the option of configuring multiple IKE policies.
    The default IKE Policy values are:
    • Encryption: AES256 / AES128
    • Integrity: SHA256 / SHA128
    • DH group: Group 14
    • IKE lifetime: 8 hours

       

    switch(config-ipsec)# ike policy ike-router  
    switch(config-ipsec-ike)# encryption aes256  
    switch(config-ipsec-ike)# integrity sha256  
    switch(config-ipsec-ike)# dh-group 24  
    switch(config-ipsec-ike)# version 2

     

  4. If the router is behind a NAT, configure the local-id with the local public IP address. The public IP corresponds to the underlying interface over which the IKE communications are done with the peer.
    switch(config-ipsec-ike)# local-id <public ip address>

     

  5. Create an IPsec Security Association policy to be used in the data path for encryption and integrity. Use the option of enabling Perfect Forward Secrecy by configuring a DH group to the SA. In this example, AES256 is used for encryption, SHA 256 is used for integrity, and Perfect Forward Secrecy is enabled (the DH group is 14).
    switch(config-ipsec)# sa policy sa-vrouter  
    switch(config-ipsec-sa)# esp encryption aes256  
    switch(config-ipsec-sa)# esp integrity sha256  
    switch(config-ipsec-sa)# pfs dh-group 14  
    switch(config-ipsec-sa)# sa lifetime 2  
    switch(config-ipsec-sa)# exit

     

  6. Bind or associate the IKE and SA policies together using an IPsec profile. Provide a shared-key, which must be common on both peers. The default profile assigns default values for all parameters that are not explicitly configured in the other profiles. In this example, the IKE Policy ike-peerRtr and SA Policy sa-peerRtr are applied to profile peer-Rtr. Dead Peer Detection is enabled and configured to delete the connection when the peer is down for more than 50 seconds. The peer peer-Rtr is set to be the responder.
    switch(config-ipsec)# profile default  
    switch(config-ipsec-profile)# ike-policy ikedefault  
    switch(config-ipsec-profile)# sa-policy sadefault  
    switch(config-ipsec-profile)# shared-key arista  
    switch(config-ipsec-profile)# connection start  
    switch(config-ipsec)# profile vrouter  
    switch(config-ipsec-profile)# ike-policy ike-vrouter  
    switch(config-ipsec-profile)# sa-policy sa-vrouter  
    switch(config-ipsec-profile)# dpd 10 50 clear  
    switch(config-ipsec-profile)# connection add

     

  7. Configure the WAN interface as the underlying interface for the tunnel. You must assign an L3 address to the tunnel; without one, the switch cannot route packets through the tunnel.
    switch(config)# interface Et1  
    switch(config-if-Et1)# no switchport  
    switch(config-if-Et1)# ip address 1.0.0.1/24  
    switch(config-if-Et1)# mtu 1500

     

  8. Apply the IPsec profile to a new tunnel interface. This step creates the tunnel interface and configures it as a VTI IPsec tunnel. In this example, the new tunnel interface is Tunnel0, and it is configured to use IPsec. The other end of the tunnel also needs to be configured as a GRE-over-IPsec tunnel.
    switch(config)# interface tunnel0  
    switch(config-if-Tu0)# ip address 1.0.3.1/24  
    switch(config-if-Tu0)# mtu 1394  
    switch(config-if-Tu0)# tunnel source 1.0.0.1  
    switch(config-if-Tu0)# tunnel destination 1.0.0.2  
    switch(config-if-Tu0)# tunnel ipsec profile vrouter

     

    Example Configuration

    ip security
       ike policy ikebranch1
          integrity sha256
          dh-group 15
       !
       sa policy sabranch1
          sa lifetime 2
          pfs dh-group 14
       !
       profile hq
          mode tunnel
          ike-policy ikebranch1
          sa-policy sabranch1
          connection add
          shared-key keyAristaHq
          dpd 10 50 clear
       !
    interface Tunnel1
       mtu 1404
       ip address 1.0.3.1/24
       tunnel source 1.0.0.1
       tunnel destination 1.0.0.2
       tunnel ipsec profile hq
    !
    interface Ethernet1
       no switchport
       ip address 1.0.0.1/24
    !

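As an added example (not Arista's code), the following Python script parses a running-config block laid out like the Example Configuration above and applies the checks implied by steps 5 to 8: policy cross-references, authentication material (with the default profile's values inherited), Dead Peer Detection, and a tunnel MTU below its underlay's MTU. The sample configurations inside it are constructed, and a 1500-byte default MTU for a routed port with no mtu line is an assumption.

```python
"""Lint an EOS 'ip security' block against the rules in the procedure above.
Added example, not Arista's code: it parses the indented running-config layout
of the Example Configuration and checks policy cross-references, authentication
material, DPD, and the tunnel/underlay MTU relation. Assumption: a routed port
with no 'mtu' line uses the EOS default of 1500."""
import re

# Constructed sample, trimmed from the Example Configuration above.
SAMPLE_CONFIG = """\
ip security
   ike policy ikebranch1
      dh-group 15
   sa policy sabranch1
      sa lifetime 2
      pfs dh-group 14
   profile hq
      ike-policy ikebranch1
      sa-policy sabranch1
      shared-key keyAristaHq
      dpd 10 50 clear
!
interface Tunnel1
   mtu 1404
   ip address 1.0.3.1/24
   tunnel source 1.0.0.1
   tunnel ipsec profile hq
interface Ethernet1
   ip address 1.0.0.1/24
"""
# Constructed broken variant: no shared key, no profile on the tunnel, MTU too big.
BROKEN_CONFIG = (SAMPLE_CONFIG.replace("      shared-key keyAristaHq\n", "")
                 .replace("   tunnel ipsec profile hq\n", "")
                 .replace("   mtu 1404", "   mtu 1500"))

def parse_config(text):
    """Return ({kind: {name: [lines]}}, {interface: [lines]}) using indentation only."""
    sec = {"ike": {}, "sa": {}, "profile": {}}
    intfs = {}
    top = sub = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:                                  # new top-level section
            sub, top = None, None
            if stripped == "ip security":
                top = ("ipsec", None)
            elif stripped.startswith("interface "):
                top = ("intf", stripped.split(None, 1)[1])
                intfs[top[1]] = []
        elif top and top[0] == "intf":
            intfs[top[1]].append(stripped)
        elif top and top[0] == "ipsec":
            m = re.match(r"(ike policy|sa policy|profile) (\S+)$", stripped)
            if indent == 3 and m:                        # kind is 'ike', 'sa' or 'profile'
                sub = (m.group(1).split()[0], m.group(2))
                sec[sub[0]][sub[1]] = []
            elif sub:
                sec[sub[0]][sub[1]].append(stripped)
    return sec, intfs

def _arg(lines, prefix, idx, default=None):
    # word number idx of the first line starting with prefix, else default
    return next((l.split()[idx] for l in lines if l.startswith(prefix)), default)

def lint(text, default_mtu=1500):
    sec, intfs = parse_config(text)
    out = []
    for name, lines in sec["sa"].items():
        if _arg(lines, "pfs dh-group", 2) is None:
            out.append(f"sa policy {name}: Perfect Forward Secrecy not enabled")
    for name, lines in sec["profile"].items():
        for key, kind in (("ike-policy ", "ike"), ("sa-policy ", "sa")):
            if _arg(lines, key, 1) not in sec[kind]:
                out.append(f"profile {name}: {key.strip()} missing or undefined")
        eff = lines + sec["profile"].get("default", [])   # default profile fills gaps
        if _arg(eff, "shared-key ", 1) is None and _arg(eff, "pki-profile ", 1) is None:
            out.append(f"profile {name}: neither shared-key nor pki-profile configured")
        if _arg(eff, "dpd ", 1) is None:
            out.append(f"profile {name}: Dead Peer Detection not configured")
    # Address -> interface map, so a tunnel source can be matched to its underlay.
    by_ip = {_arg(ls, "ip address ", 2).split("/")[0]: n
             for n, ls in intfs.items() if _arg(ls, "ip address ", 2)}
    for name, lines in intfs.items():
        if not name.startswith("Tunnel"):
            continue
        prof = _arg(lines, "tunnel ipsec profile ", 3)
        if prof is None:
            out.append(f"{name}: no 'tunnel ipsec profile', traffic would not be protected")
        elif prof not in sec["profile"]:
            out.append(f"{name}: ipsec profile {prof} is undefined")
        src = _arg(lines, "tunnel source ", 2)
        if src in by_ip:
            umtu = int(_arg(intfs[by_ip[src]], "mtu ", 1, default_mtu))
            tmtu = _arg(lines, "mtu ", 1)
            if tmtu is not None and int(tmtu) >= umtu:
                out.append(f"{name}: mtu {tmtu} must be below the underlay mtu {umtu}")
    return out
```

Run lint() over the text of show running-config section ip security plus the interface blocks; an empty list means every tunnel references a defined profile with authentication material and a sane MTU.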
     

Displaying IPsec Information

  • Use the show ip security policy command to display the IPsec policy information.
    switch# show ip security policy
    Policy Name   Authentication   Encryption   Integrity    Lifetime  Rekey  DH Group         
    ike-policy    Pre-shared       256-bit AES  256bit Hash  8 hours   False  3072 bit

     

  • Use the show ip security profile command to display the IP security profile information.
    switch# show ip security profile 
    Profile name      IKE Policy Name      SA                          
    ipsec-profile     ike-policy           sa-policy 

     

Configuring PKI

Configure PKI as a certificate-based authentication for the IPsec protocol.

Enabling PKI for an IKE Policy

Configure the authentication mode as PKI for the IKE policy. IPsec refers to this policy when using PKI authentication.

Use the following commands to enable PKI authentication for the IKE policy, MyPKI:

switch(config)#ip security
switch(config-ipsec)#ike policy MyPolicy
switch(config-ipsec-ike)#authentication pki
switch(config-ipsec-ike)#exit
switch(config-ipsec)#show active
    ip security
       ike policy MyPolicy
          authentication pki

Configuring the PKI Profile

Configure the PKI profile used by an IPsec profile. This profile refers to the SSL profile for authentication.

switch(config)#ip security
switch(config-ipsec)#profile MyProfile
switch(config-ipsec-profile)#pki-profile pki-abc
switch(config-ipsec-profile)#ike-policy MyPKI
switch(config-ipsec-profile)#exit
switch(config-ipsec)#show active
    ip security
       profile MyProfile
          ...
          ike-policy MyPKI
          pki-profile pki-abc
          ...
    !

When configuring IPsec with PKI, consider the following:

  • For PKI, each rekey performs reauthentication.
  • DPS paths always use the VTEP-IP as the ID when configuring a local ID for each IKE policy.
  • If the IKE policy does not have a local ID, the ID comes from the certificate subject name (SN).
  • If the IKE policy has a local ID, the certificate used in the corresponding PKI profile must contain this ID in the Subject Alternative Names (SAN) field. If the local ID is an FQDN, it must be present in the DNS or email field of the SAN, depending on whether the FQDN is a domain address or an email ID.
    • Multiple connections on one device can use the same certificate by listing the IDs of all the connections in the certificate SAN.
  • For tunnels sharing a common endpoint, use a different certificate for each tunnel or configure a unique local ID for each tunnel. This avoids duplicate connections.
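The identity rules in the list above, as an added example that is not Arista's code: a Python checker that classifies each IKE local ID, verifies it against the matching SAN field of the certificate its PKI profile uses, and applies the shared-endpoint rule. Certificates are represented as constructed dicts rather than parsed X.509; matching an IP-address local ID against the SAN IP entries is an assumption, since the notes only spell out the FQDN and email cases.

```python
"""Check IKE local IDs against certificate identities, per the PKI notes above.
Added example, not Arista's code. Certificates are plain dicts (subject CN plus
SAN lists) constructed inline instead of parsed X.509, so no crypto library is
needed. Assumption: an IP-address local ID is matched against the SAN IP
entries; the notes above only spell out the FQDN and email cases."""
import ipaddress


def id_kind(local_id):
    """Classify a local-id as 'ip', 'email' (contains '@') or 'dns' (FQDN)."""
    try:
        ipaddress.ip_address(local_id)
        return "ip"
    except ValueError:
        return "email" if "@" in local_id else "dns"


def effective_id(tunnel, certs):
    """No local-id: IKE identifies the peer by the certificate subject name."""
    return tunnel.get("local_id") or certs[tunnel["pki_profile"]].get("cn")


def check_tunnel(tunnel, certs):
    cert = certs[tunnel["pki_profile"]]
    local_id = tunnel.get("local_id")
    if local_id is None:
        if not cert.get("cn"):
            return [f"{tunnel['name']}: no local-id and certificate has no subject CN"]
        return []
    field = id_kind(local_id)                   # SAN field the ID must appear in
    present = [v.lower() for v in cert.get("san", {}).get(field, [])]
    if local_id.lower() not in present:
        return [f"{tunnel['name']}: local-id {local_id} is not in the SAN "
                f"{field} entries of {tunnel['pki_profile']}"]
    return []


def check_all(tunnels, certs):
    """Per-tunnel SAN checks plus the shared-endpoint rule: tunnels to the same
    peer must differ in certificate or in local ID, else duplicate connections result."""
    problems = [p for t in tunnels for p in check_tunnel(t, certs)]
    seen = {}
    for t in tunnels:
        key = (t["peer"], t["pki_profile"], effective_id(t, certs))
        if key in seen:
            problems.append(f"{t['name']} and {seen[key]} share peer {t['peer']} "
                            "with the same certificate and ID; use different "
                            "certificates or unique local IDs")
        seen[key] = t["name"]
    return problems


# Constructed sample: one certificate reused by several tunnels (allowed when
# every ID is listed in its SAN) and one tunnel whose ID was never added.
CERTS = {
    "pki-hq": {
        "cn": "hq-rtr.example.net",
        "san": {"dns": ["hq-rtr.example.net", "branch-a.example.net"],
                "email": ["ipsec@example.net"],
                "ip": ["203.0.113.10"]},
    },
}
TUNNELS = [
    {"name": "Tunnel1", "peer": "198.51.100.1", "pki_profile": "pki-hq",
     "local_id": "branch-a.example.net"},
    {"name": "Tunnel2", "peer": "198.51.100.2", "pki_profile": "pki-hq",
     "local_id": "ipsec@example.net"},
    {"name": "Tunnel3", "peer": "198.51.100.3", "pki_profile": "pki-hq",
     "local_id": "branch-b.example.net"},          # missing from the SAN
    {"name": "Tunnel4", "peer": "198.51.100.4", "pki_profile": "pki-hq"},
    {"name": "Tunnel5", "peer": "198.51.100.4", "pki_profile": "pki-hq"},
]
```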

Displaying PKI IPsec Information

Use the show ip security policy command to display the authentication mode of the security policies:

switch#show ip security policy
Policy Name               Authentication   Crypto Suite  Encryption    Integrity     Lifetime  Rekey  DH Group
-----------               --------------   ------------  ----------    ---------     --------  -----  --------
a                         Pre-shared        -            128-bit AES   256bit Hash   8 hours   False  3072 bit
MyPKI                     PKI               -            128-bit AES   256bit Hash   8 hours   False  3072 bit

Use the show ip security profile command to display the PKI profile configured for an IPsec profile.

switch#show ip security profile
Profile name              IKE Policy Name           SA                        PKI Profile
------------              ---------------           --                        -----------
MyPKI                     ike-xyz                   sa-xyz                    pki-xyz

IPsec Commands

  • ike policy
  • interface tunnel (IPsec)
  • ip security
  • profile (IPsec)
  • sa policy
  • show ip security applied-profile
  • show ip security connection
  • show ip security policy
  • show ip security profile
  • show ip security security-association

     

ike policy

The ike policy command configures the Internet Security Association and Key Management Protocol on the switch and related policies. Configure the IKE policy in IP security configuration mode.

The no ike policy command deletes the IKE policy configuration from the switch.

The exit command returns the switch to the global configuration mode.

 

Command Mode

IP Security Configuration

 

Command Syntax

ike policy policy-name

no ike policy policy-name

 

Parameters

  • policy-name - Specify the IKE policy name.
After the ike policy command places the switch in IKE policy configuration mode, the following parameters configure the policy:
  • authentication - Specify the authentication type.
  • crypto - Specify a crypto algorithm suite type.
  • dh-group - Specify the Diffie-Hellman group value.
  • encryption - Specify the encryption type.
  • ike-lifetime - Set the IKE lifetime for an ISAKMP security association. Specify a value in hours or minutes, with a minimum of 10 minutes.
  • integrity - Specify the integrity algorithm.
  • local-id - Specify the local IKE identification.
  • remote-id - Specify the remote peer IKE identification.
  • version - Specify the IKE version.

     

Example

This command configures the IKE policy MyIKEPolicy for IP security configuration.
switch(config)# ip security
switch(config-ipsec)# ike policy MyIKEPolicy

interface tunnel (IPsec)

The interface tunnel command places the switch in the Interface Tunnel Configuration Mode.

Interface tunnel configuration mode does not provide a group change mode. The running-config changes immediately after executing the commands.

The no interface tunnel command deletes the interface tunnel configuration.

The exit command returns the switch to the global configuration mode.

 

Command Mode

Global Configuration

 

Command Syntax

interface tunnel value

no interface tunnel value

 

Parameter

value - Specify the tunnel interface number. The value ranges from 0 to 255.

 

Example

This command places the switch in Interface Tunnel Configuration Mode with a tunnel value of 10.
switch(config)# interface tunnel 10
switch(config-if-Tu10)#

ip security

The ip security command places the switch in the IP Security Configuration Mode.

IP security configuration mode is not a group change mode. The running-config changes immediately after executing the commands.

The no ip security command deletes the IP security configuration.

The exit command returns the switch to the global configuration mode.

 

Command Mode

Global Configuration

 

Command Syntax

ip security

no ip security

 

Example

This command places the switch in IP security configuration mode.
switch(config)# ip security
switch(config-ipsec)# ike policy IKE1
switch(config-ipsec-ike)# exit
switch(config-ipsec)# sa policy SA1
switch(config-ipsec-sa)#

profile (IPsec)

The profile command configures the IP security profile on the switch. Configure the profile in IP security configuration mode.

The no profile command deletes the IP security profile configuration from the switch.

The exit command returns the switch to the global configuration mode.

 

Command Mode

IP Security Configuration

 

Command Syntax

profile profile-name

no profile profile-name

 

Parameters

  • profile-name - Specify the IP security profile name.
The following parameters can be configured in IP security profile configuration mode:
  • connection - Specify the type of IPsec connection (Initiator/Responder/Dynamic).
  • dpd - Specify the Dead Peer Detection interval, between 2 and 3600 seconds.
  • flow - Specify that flows are set up in parallel.
  • ike-policy - Specify the ISAKMP policy.
  • mode - Specify the IP security mode type.
  • sa-policy - Specify the name of the security association policy.
  • shared-key - Specify a shared key value.

     

Example

This command configures the IP security profile test for IP security configuration.
switch(config)# ip security
switch(config-ipsec)# profile test
switch(config-ipsec-profile)#

sa policy

The sa policy command specifies a Security Association (SA) policy used for IPsec configuration, and enters IP security SA policy configuration mode to configure the named policy.

The no sa policy command deletes the specified SA policy configuration from the switch.

The exit command returns the switch to the global configuration mode.

 

Command Mode

IP Security Configuration

 

Command Syntax

sa policy policy_name

no sa policy policy_name

 

Parameters

  • policy_name - Specifies the SA policy name.
Configure the following parameters in IP security SA policy configuration mode:
  • anti-replay - Specify the IPsec duplicate IP datagram detection mode.
  • esp - Specify the type of Encapsulation Security Payload.
  • pfs - Add Perfect Forward Secrecy.
  • sa lifetime - Specify a lifetime for the Security Association. Configure the lifetime in hours or minutes.

     

Example

This command creates the SA policy test, enters IP security SA policy configuration mode for it, and sets an SA lifetime of 30 minutes.
switch(config-ipsec)# sa policy test
switch(config-ipsec-sa)# sa lifetime 30 minutes

show ip security applied-profile

The show ip security applied-profile command displays the IP security profile names and the interfaces to which each profile is applied.

 

Command Mode

EXEC

 

Command Syntax

show ip security applied-profile

 

Example

This command displays the IP security profile ipsec-profile-1 and the interfaces to which it is applied.
switch# show ip sec applied-profile 
Profile Name                 Interface
ipsec-profile-1              Tunnel1,
                             Tunnel2,
                             Tunnel3,
                             Tunnel4,
                             Tunnel5,
                             Tunnel6,
                             Tunnel7,
                             Tunnel8,
                             Tunnel9,
                             Tunnel10,
                             Tunnel11,
                             Tunnel12,
                             Tunnel13,
                             Tunnel14,
                             Tunnel15,
                             Tunnel16,
                             Tunnel17,
                             Tunnel18,
                             Tunnel19,
                             Tunnel20,
                             Tunnel21,
                             Tunnel22,
                             Tunnel23,
                             Tunnel24,
                             Tunnel25,
                             Tunnel26,

show ip security connection

The show ip security connection command displays the IP security connection status information.

 

Command Mode

EXEC

 

Command Syntax

show ip security connection

 

Example

These commands display the IP security connection status information.
switch# show ip sec conn tunnel 1
Tunnel   Source     Dest     Status       Uptime     Input    Output        Rekey Time  
Tunnel1  11.1.1.1   11.2.1.1 Established  19 hours   0 bytes  0 bytes       4 hours      
                                                     0 pkts   62937679 pkts       

switch# show ip sec conn tunnel 1 detail
Tunnel1:
   source address 11.1.1.1, dest address 11.2.1.1
   state: Established
   uptime: 19 hours, 7 minutes, 23 seconds
   Inbound SPI 0xca5560f4:
      request id 193, mode tunnel replay-window 16384, seq 0x0
      stats errors:
         replay-window 0, replay 0, integrity_failed 0
      lifetime config:
         softlimit 4534352933249 bytes, hardlimit 6442450944000 bytes
         softlimit 2077499095 pkts, hardlimit 4000000000 pkts
         expire add soft 85619 secs, hard 86400 secs
      lifetime current:
         0 bytes, 0 pkts
         add time Mon May 13 17:33:54 2019, use time Mon May 13 17:33:54 2019
   Outbound SPI 0xc60da749:
      request id 193, mode tunnel replay-window 16384, seq 0x0
      stats errors:
         replay-window 0, replay 0, integrity_failed 0
      lifetime config:
         softlimit 3286021368749 bytes, hardlimit 6442450944000 bytes
         softlimit 2480571031 pkts, hardlimit 4000000000 pkts
         expire add soft 85418 secs, hard 86400 secs
      lifetime current:
         0 bytes, 62937679 pkts
         add time Mon May 13 17:33:54 2019, use time Mon May 13 18:06:42 2019
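Parsing this output for monitoring, as an added example that is not Arista's code: the Python below extracts per-SPI error counters and lifetime limits from show ip security connection detail text and flags integrity or replay failures and SAs approaching their hard lifetime. The sample text is constructed from the output above with some counters altered so the checks fire; the 90% threshold is an assumption.

```python
"""Parse 'show ip security connection <tunnel> detail' output and flag SA health.
Added example, not Arista's code: the parser follows the layout shown above, and
the sample is constructed from that output with the inbound SA's error counters
and the outbound SA's packet count altered so the checks have something to
report. The 90% hard-limit warning threshold is an assumption."""
import re

SAMPLE = """\
Tunnel1:
   source address 11.1.1.1, dest address 11.2.1.1
   state: Established
   uptime: 19 hours, 7 minutes, 23 seconds
   Inbound SPI 0xca5560f4:
      request id 193, mode tunnel replay-window 16384, seq 0x0
      stats errors:
         replay-window 0, replay 7, integrity_failed 3
      lifetime config:
         softlimit 4534352933249 bytes, hardlimit 6442450944000 bytes
         softlimit 2077499095 pkts, hardlimit 4000000000 pkts
         expire add soft 85619 secs, hard 86400 secs
      lifetime current:
         0 bytes, 0 pkts
         add time Mon May 13 17:33:54 2019, use time Mon May 13 17:33:54 2019
   Outbound SPI 0xc60da749:
      request id 193, mode tunnel replay-window 16384, seq 0x0
      stats errors:
         replay-window 0, replay 0, integrity_failed 0
      lifetime config:
         softlimit 3286021368749 bytes, hardlimit 6442450944000 bytes
         softlimit 2480571031 pkts, hardlimit 4000000000 pkts
         expire add soft 85418 secs, hard 86400 secs
      lifetime current:
         0 bytes, 3900000000 pkts
         add time Mon May 13 17:33:54 2019, use time Mon May 13 18:06:42 2019
"""

# One regex per line shape we care about; every other line is ignored.
RE_TUNNEL = re.compile(r"(Tunnel\d+):$")
RE_STATE = re.compile(r"state: (\S+)")
RE_SPI = re.compile(r"(Inbound|Outbound) SPI (0x[0-9a-fA-F]+):")
RE_ERRORS = re.compile(r"replay-window (\d+), replay (\d+), integrity_failed (\d+)")
RE_LIMIT = re.compile(r"softlimit (\d+) (bytes|pkts), hardlimit (\d+)")
RE_CURRENT = re.compile(r"(\d+) bytes, (\d+) pkts$")


def parse_detail(text):
    """Return {tunnel: {"state": str, "spis": [per-SA dicts]}}."""
    tunnels, cur, sa = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if m := RE_TUNNEL.match(s):
            cur = tunnels.setdefault(m.group(1), {"spis": []})
            sa = None
        elif cur is None:
            continue                                  # text before any tunnel block
        elif m := RE_STATE.match(s):
            cur["state"] = m.group(1)
        elif m := RE_SPI.match(s):
            sa = {"dir": m.group(1), "spi": m.group(2)}
            cur["spis"].append(sa)
        elif sa is None:
            continue                                  # tunnel-level lines we skip
        elif m := RE_ERRORS.match(s):
            sa["replay_window_err"], sa["replay"], sa["integrity_failed"] = map(int, m.groups())
        elif m := RE_LIMIT.match(s):
            sa[f"soft_{m.group(2)}"], sa[f"hard_{m.group(2)}"] = int(m.group(1)), int(m.group(3))
        elif m := RE_CURRENT.match(s):
            sa["cur_bytes"], sa["cur_pkts"] = int(m.group(1)), int(m.group(2))
    return tunnels


def assess(tunnels, hard_warn=0.90):
    """Findings worth alerting on: tunnel not Established, packets that failed
    integrity or replay checks, and SAs close to their hard lifetime limit or
    past the soft limit without a rekey having replaced them."""
    out = []
    for name, t in tunnels.items():
        if t.get("state") != "Established":
            out.append(f"{name}: state is {t.get('state')}")
        for sa in t["spis"]:
            tag = f"{name} {sa['dir']} {sa['spi']}"
            if sa.get("integrity_failed"):
                out.append(f"{tag}: {sa['integrity_failed']} integrity failures")
            if sa.get("replay"):
                out.append(f"{tag}: {sa['replay']} replayed packets dropped")
            for unit in ("bytes", "pkts"):
                cur, soft, hard = (sa.get(f"cur_{unit}", 0), sa.get(f"soft_{unit}"),
                                   sa.get(f"hard_{unit}"))
                if hard and cur >= hard_warn * hard:
                    out.append(f"{tag}: {unit} at {cur / hard:.0%} of hard limit")
                elif soft and cur > soft:
                    out.append(f"{tag}: {unit} past soft limit, rekey expected")
    return out
```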

show ip security policy

The show ip security policy command displays the IP security policy information.

 

Command Mode

EXEC

 

Command Syntax

show ip security policy

 

Example

This command displays IP security policy configuration information.
switch# show ip security policy 
Policy Name   Authentication  Encryption   Integrity    Lifetime  Rekey  DH Group                    
ike-policy    Pre-shared      256-bit AES  256bit Hash  8 hours   False  3072 bit

show ip security profile

The show ip security profile command displays the IP security profile information.

 

Command Mode

EXEC

 

Command Syntax

show ip security profile

 

Example

This command displays IP security profile configuration information.
switch# show ip security profile 
Profile name            IKE Policy Name        SA                          
ipsec-profile           ike-policy             sa-policy

show ip security security-association

The show ip security security-association command displays the IP security SA information.

 

Command Mode

EXEC

 

Command Syntax

show ip security security-association

 

Example

This command displays the IP security SA information.
switch#  show ip sec security-association 
SA Name      ESP Encryption   ESP Integrity    Lifetime  PFS Group                   
sa-policy-1  256-bit AES      256bit Hash      24 hours  2k bit

Macro-Segmentation Service (CVX)

Arista Macro-Segmentation Service (MSS) is a CloudVision-based service that supports the integration of vendor firewalls with the Arista network fabric.

Topics in this section include:
  • Overview
  • How MSS Works
  • Configuration
  • MSS Integration with Check Point
  • MSS for Layer 3 Firewall Enhancements
  • MSS Commands

     

Overview

 

Contemporary networking features such as mobile applications and the Internet of Things (IoT) bring additional security challenges that legacy infrastructure does not protect against. These security breaches cannot be handled by installing a firewall at the Internet edge. Arista Macro-Segmentation Service (MSS) addresses them by securing access, protecting critical data, and ensuring end-user privacy.

Arista MSS is a CloudVision-based service that provides the point of integration between individual vendor firewalls or a firewall manager and the Arista network fabric. MSS supports flexibility on where to place the service devices and workloads: Physical-to-Physical (P-to-P) and Physical-to-Virtual (P-to-V).

MSS components include:
  • Arista leaf-spine switch fabric.

     

  • Arista CloudVision.

     

  • Vendor firewall attached to a spine or service leaf switches. Different vendor firewalls can be attached to different switches to enhance scalability.

     

The component topology supports consistency in application deployment, scale, manageability, and scalability of the network and service layers. For details, see:
  • Benefits
  • Terminology
  • Usage Scenarios

Benefits

 

The key benefits include:
  • MSS provides enhanced security between physical and virtual workloads in the data center.

     

  • MSS's automatic and seamless service insertion ability eliminates manual traffic steering for workloads or tenants.

     

  • MSS applies the security policies to the host and application throughout the network.

     

  • MSS is flexible as there are no proprietary frame formats, tagging, or encapsulation.

     

 

Terminology

 

Familiarize yourself with the following MSS terminology:
  • Intercept Switch/VTEP: The TOR switch and VXLAN tunnel endpoint connected to the host, from which traffic gets intercepted. In the topology diagram, Intercept-1 and Intercept-2 are intercept switches.

     

  • Service Switch/VTEP: The TOR switch and VXLAN tunnel endpoint connected to a firewall. In the topology diagram, Service-1 is the service switch.

     

  • VXLAN: Virtual eXtensible LAN - a standards-based method of encapsulating Layer 2 traffic across a Layer 3 fabric.

     

  • CVX: Arista CloudVision eXchange (CVX) is part of CloudVision and is a virtualized instance of the same Extensible Operating System (EOS) that runs on physical switches. It functions as a point of integration between customer firewalls or firewall policy managers and the Arista network to steer traffic to the firewall.

     

Usage Scenarios

The following usage scenarios describe a few major security challenges in today’s data center that are successfully handled by MSS.
  1. Securing server-to-server traffic.

    This scenario describes the role of MSS in securing network traffic between physical-to-physical (P-to-P) and physical-to-virtual (P-to-V) servers. Prior to MSS, network infrastructure followed the firewall sandwich design, with firewalls placed inline between the security zones. This setup impacted the scalability and performance of the servers.

    With MSS, this restriction on firewall placement is relaxed. Firewalls are attached to a service leaf switch in the network fabric and still protect hosts regardless of their physical location. The following topology demonstrates the usage scenario.

    Figure 4. Securing server-server traffic

     

  2. Monitoring and securing management traffic.

    This usage scenario demonstrates how MSS successfully monitors and secures management interfaces in the data center.

    The modern data center manages the application, storage, virtualization, network, analytics and other layers. With virtualization, hypervisor management must also be secured to prevent unwanted access to a hypervisor management interface. In the event of rogue access, Arista MSS protects the management interfaces: only explicitly allowed hosts can gain access, through a jump host or administrator end-user computing instances. The following topology diagram illustrates the role of MSS in a data center.

    Figure 5. Monitoring and Securing management traffic

     

How MSS Works

The following steps provide information about how MSS works as a service in the data center.
  1. MSS is enabled on the CloudVision eXchange (CVX) and the Arista switches are configured to stream their active state to CVX. This allows CVX to build a database of hosts and firewalls attached to the network and also to identify physical ports and IP addresses. CVX is also configured to communicate and synchronize policies from a vendor's firewall.

     

  2. CVX sends a request to the firewall or firewall manager to provide information about the security policies which are tagged for MSS usage.

     

  3. The MSS service on CVX determines the flow based forwarding rules to be pushed to the switches in the network.
    Figure 6. CVX intercept

     

  4. The leaf switch starts sending intercepted traffic to the service leaf when the intercept has been applied to the leaf switch.
    Figure 7. Leaf switches intercept

     

  5. Traffic is forwarded completely unmodified to the firewall after it enters the service leaf where the firewall is attached. Based on the configuration policy, the firewall applies the required actions such as inspection, log, allow, or deny.

     

  6. The service leaf switch forwards the inspected traffic to its final destination, or to a destination determined by the firewall policy.

     

Configuration

 

The following sections provide detailed information about MSS configuration, system requirements, recommendations, and limitations.

The traffic flow below is an example of a typical MSS deployment with a 3-tiered application. The goal of this design is to limit access between hosts in the following zones: web-untrust, app-untrust, db-untrust, web-trust, app-trust, and db-trust.
Figure 8. Traffic flow in an MSS deployment


 

End users in the untrust zone access the web server through the TCP/443 port. Traffic flows through the active firewall to the web server interface in the web-untrust security zone. The web server interface in the web-trust security zone accesses the application server interface in the app-untrust security zone through port TCP/80 after traversing the firewall. From there, the application server interface in the app-trust security zone accesses the database through TCP/1433 in the db-untrust zone.

The following physical topology indicates the MSS setup.

The hosts are attached to a pair of intercept leaf switches. A firewall is connected to a service leaf switch using a pair of physical interfaces with a subinterface per zone or vWire.

Figure 9. Physical Topology of the MSS


 

  • System Requirements
  • Recommendations and Limitations
  • Configuring MSS

System Requirements

 

The system requirements to effectively run MSS are listed below.

  • Arista CloudVision eXchange (CVX).

     

  • Arista 7280SR, 7280TR, 7280CR, 7020SR, 7020TR series switches; 7050X, 7050X2, 7060X, and 7060X2 series top of rack (TOR) switches.

     

  • TOR switches connected to the hosts whose traffic is intercepted and to the firewall devices.

     

  • The network must be a VXLAN-enabled fabric with CVX running the VXLAN Control Service (VCS) or EVPN.

     

Recommendations and Limitations

 

Firewall

The firewall policy name must not have any whitespace character in the name. As an example, PCI policy is an unacceptable policy name. An acceptable name would be PCI_policy.

Configuring MSS

These sections describe steps to configure MSS.
  • Deploying CVX
  • Enabling the VXLAN Control Service on CVX
  • Configuring the Access Switches and the Service Switch Ports
  • Enabling DirectFlow on Access Switches and Service Switches
  • Enabling VXLAN routing on the TOR switches
  • Configuring MSS on CVX
  • Configuring the Firewall

     

Deploying CVX

 

Deploy CloudVision and configure the Arista TOR switches to connect to it. As an example, a CVX cluster of three instances with the host names cvx01, cvx02, and cvx03 is configured.

 

Note: As a best practice, always deploy CVX in an HA cluster with a minimum of three instances.

 

Enabling the VXLAN Control Service on CVX

Enable the VXLAN Control Service (VCS) on every CVX instance after the three Arista CVX instances have been deployed and the TOR switches are configured to be managed by them.

VCS allows hardware VXLAN Tunnel End Points (VTEPs) to share state with each other in order to establish VXLAN tunnels without the need for a multicast control plane.

 

Example

CVX instance cvx01
cvx01(config-cvx)# service VXLAN 
cvx01(config-cvx-VXLAN)# no shutdown

 

Similarly, VCS is enabled on the cvx02 and cvx03 devices.

Configuring the Access Switches and the Service Switch Ports

Configure the switch ports that are connected to the hosts whose traffic should be steered to the firewalls, and the service switch ports that are connected to the firewalls.

 

Access Switch Configuration

The switch ports connected to the hosts whose traffic needs to be intercepted must be configured as 802.1Q trunks carrying the VLAN that is mapped to the VNI requiring interception. A unique VLAN ID is configured for each tier of the application.

 

Access Switch (Intercept-1)
intercept-1# configure
intercept-1(config)# interface et10
intercept-1(config-if-Et10)# description web server
intercept-1(config-if-Et10)# switchport mode trunk 
intercept-1(config-if-Et10)# switchport trunk allowed vlan 100

intercept-1(config)# interface et16
intercept-1(config-if-Et16)# description app server
intercept-1(config-if-Et16)# switchport mode trunk
intercept-1(config-if-Et16)# switchport trunk allowed vlan 200

 

Access Switch (Intercept-2)
intercept-2# configure
intercept-2(config)# interface et10
intercept-2(config-if-Et10)# description db server
intercept-2(config-if-Et10)# switchport mode trunk
intercept-2(config-if-Et10)# switchport trunk allowed vlan 300


Note: For untagged traffic, configure a native VLAN on the port using the switchport trunk native vlan command.

 

Service Switch (Service-1)
service-1# configure
service-1(config)# interface port-channel 10
service-1(config-if-Po10)# description Far Interface
service-1(config-if-Po10)# switchport mode trunk
service-1(config-if-Po10)# switchport trunk allowed vlan none
service-1(config-if-Po10)# spanning-tree bpdufilter enable

service-1(config)# interface port-channel 20
service-1(config-if-Po20)# description Near Interface
service-1(config-if-Po20)# switchport mode trunk
service-1(config-if-Po20)# switchport trunk allowed vlan none
service-1(config-if-Po20)# spanning-tree bpdufilter enable


Note: Dynamically mapped VLANs are not shown in the switch port configuration. You can view them by running the show vlan command on the switch once a policy is applied.

 

Enabling DirectFlow on Access Switches and Service Switches

Arista MSS uses DirectFlow to intercept traffic while the VXLAN is used to carry tunnel traffic from the intercepted host to the firewall and back. DirectFlow should be enabled on every intercept switch as well as the service switches.

Switch Service-1

service-1# configure
service-1(config)# directflow
service-1(config-directflow)# no shutdown

 

Switch Intercept-1

intercept-1# configure
intercept-1(config)# directflow
intercept-1(config-directflow)# no shutdown

 

Switch Intercept-2

intercept-2# configure
intercept-2(config)# directflow
intercept-2(config-directflow)# no shutdown

 

Enabling VXLAN routing on the TOR switches

CVX uses Address Resolution Protocol (ARP) to determine where intercept hosts are physically located in the network. VXLAN routing should be configured on every TOR switch that will be intercepting traffic to ensure that CVX is aware of every host ARP entry.

The following configuration shows the routing configuration for each tier of the application, but not the entire VXLAN configuration. For more information on how to configure VXLAN and VXLAN routing, refer to the VXLAN section of the Arista EOS Configuration Guide.

 

Switch Intercept-1
intercept-1# configure
intercept-1(config)# ip routing
intercept-1(config)# interface vlan100
intercept-1(config-if-Vl100)# ip address virtual 10.0.10.254/24
intercept-1(config)# interface vlan200
intercept-1(config-if-Vl200)# ip address virtual 10.0.20.254/24
intercept-1(config)# interface vlan300
intercept-1(config-if-Vl300)# ip address virtual 10.0.30.254/24

 

Switch Intercept-2
intercept-2# configure 
intercept-2(config)# ip routing 
intercept-2(config)# interface vlan100
intercept-2(config-if-Vl100)# ip address virtual 10.0.10.254/24
intercept-2(config)# interface vlan200
intercept-2(config-if-Vl200)# ip address virtual 10.0.20.254/24
intercept-2(config)# interface vlan300
intercept-2(config-if-Vl300)# ip address virtual 10.0.30.254/24

 

Switch Service-1
service-1# configure
service-1(config)# ip routing
service-1(config)# interface vlan100
service-1(config-if-Vl100)# ip address virtual 10.0.10.254/24 
service-1(config)# interface vlan200
service-1(config-if-Vl200)# ip address virtual 10.0.20.254/24
service-1(config)# interface vlan300
service-1(config-if-Vl300)# ip address virtual 10.0.30.254/24

 

Configuring MSS on CVX

This step configures Arista MSS on CVX. The topology diagram depicts three CVX instances in a cluster, and the configuration is the same for every instance. Both the active and the standby vendor firewalls are configured. If Panorama is used, only Panorama should be configured.

 

Example

In the example, the primary vendor firewall has a DNS name of fw-ha-node-1. The standby firewall has a DNS name of fw-ha-node-2. The username and password are set as admin.

 

CVX instance cvx01
cvx01# configure
cvx01(config)# cvx
cvx01(config-cvx)# no shutdown
cvx01(config-cvx)# service mss
cvx01(config-cvx-mss)# no shutdown
cvx01(config-cvx-mss)# vni range 20000-30000
cvx01(config-cvx-mss)# dynamic device-set panfw1
cvx01(config-cvx-mss-panfw1)# tag Arista_MSS
cvx01(config-cvx-mss-panfw1)# type palo-alto firewall
cvx01(config-cvx-mss-panfw1)# state active
cvx01(config-cvx-mss-panfw1)# device fw-ha-node-1
cvx01(config-cvx-mss-panfw1-fw-ha-node-1)# username admin password 0 admin

 

CVX instance cvx02
cvx02# configure
cvx02(config)# cvx 
cvx02(config-cvx)# no shutdown
cvx02(config-cvx)# service mss
cvx02(config-cvx-mss)# no shutdown
cvx02(config-cvx-mss)# vni range 20000-30000
cvx02(config-cvx-mss)# dynamic device-set panfw1
cvx02(config-cvx-mss-panfw1)# tag Arista_MSS
cvx02(config-cvx-mss-panfw1)# type palo-alto firewall
cvx02(config-cvx-mss-panfw1)# state active
cvx02(config-cvx-mss-panfw1)# device fw-ha-node-1
cvx02(config-cvx-mss-panfw1-fw-ha-node-1)# username admin password 0 admin

 

CVX instance cvx03
cvx03# configure
cvx03(config)# cvx
cvx03(config-cvx)# no shutdown 
cvx03(config-cvx)# service mss 
cvx03(config-cvx-mss)# no shutdown
cvx03(config-cvx-mss)# vni range 20000-30000
cvx03(config-cvx-mss)# dynamic device-set panfw1
cvx03(config-cvx-mss-panfw1)# tag Arista_MSS
cvx03(config-cvx-mss-panfw1)# type palo-alto firewall
cvx03(config-cvx-mss-panfw1)# state active
cvx03(config-cvx-mss-panfw1)# device fw-ha-node-1
cvx03(config-cvx-mss-panfw1-fw-ha-node-1)# username admin password 0 admin 

 

Configuring the Firewall

Three policies are created in addition to the default implicit deny policy for inter-zone traffic. The implicit deny ensures that the inter-zone traffic is not allowed unless a policy explicitly allows for it.

The first policy untrust_to_web1 is from the untrust zone to the web1 zone, that allows HTTPS traffic from anywhere to the web server web.

The third policy web2_to_app1 is from the web2 zone to the app1 zone that allows HTTP traffic between the web server web and the application server app.

The fifth policy app2_to_db1 is from the app2 zone to the db1 zone that allows database traffic on port TCP/1433 between the application server app and the database server db.

The second, fourth, and sixth policies prevent the firewall from dropping a session for which it does not see the initial connection to the protected resource. This can happen if the protected resource has not sent any traffic prior to this point.

Refer to the following images for more clarity about the above policies and interface configuration.
Figure 10. Firewall Policy Configuration

 

 

Figure 11. Firewall Interface Configuration

 

Create a rule that Arista MSS will use to intercept and redirect traffic and add a firewall policy with the default Arista_MSS tag as shown in the example above. MSS intercepts all traffic from endpoints identified in policies that match the tag values configured in CVX. The firewall will apply all rules (tagged or untagged) to all traffic.

 

Note: LLDP should always be enabled on the firewall interfaces attached to the service switches. To minimize reconvergence time on the network changes, reduce the LLDP transmit interval and hold time multiples on the firewall, while keeping the LLDP hold time above the LLDP timer configured on the connected Arista switches.

 

 

Alternatively, the device interface map command can be used on CVX to manually map a device to Arista switch interfaces. To map multiple devices, add a mapping entry for each device.
dynamic device-set fw1
device dc-firewall-1
map device-interface ethernet1/1 switch 00:1c:73:7e:21:bb interface Ethernet1
map device-interface ethernet1/2 switch 00:1c:73:7e:21:bb interface Ethernet9

 

The first policy untrust_to_web1 is from the untrust zone to the web1 zone and allows HTTPS traffic from anywhere to the web server web.

The third policy web2_to_app1 is from the web2 zone to the app1 zone and allows HTTP traffic between the web server web and the application server app.

The fifth policy app2_to_db1 is from the app2 zone to the db1 zone and allows database traffic on port TCP/1433 between the application server app and the database server db.

The second, fourth, and sixth policies prevent the firewall from dropping a session for which it did not see the initial connection to the protected resource. This can happen if the protected resource had not sent any traffic before that point.

Refer to the following images for more clarity about the above policies and interface configuration.
Figure 12. Firewall Policy Configuration

 

 

Figure 13. Firewall Interface Configuration

 

Create a rule that Arista MSS will use to intercept and redirect traffic and add a firewall policy with the default Arista_MSS tag as shown in the example above. MSS intercepts all traffic from endpoints identified in policies that match the tag values configured in CVX. The firewall will apply all rules (tagged or untagged) to all traffic.

 

Note: LLDP should always be enabled on the firewall interfaces attached to the service switches. To minimize reconvergence time on the network changes, reduce the LLDP transmit interval and hold time multiples on the firewall, while keeping the LLDP hold time above the LLDP timer configured on the connected Arista switches.

 

 

Alternatively, the device interface map command can be used on CVX to manually map a device to Arista switch interfaces. To map multiple devices, add a mapping entry for each device.
dynamic device-set fw1
device dc-firewall-1
map device-interface ethernet1/1 switch 00:1c:73:7e:21:bb interface Ethernet1
map device-interface ethernet1/2 switch 00:1c:73:7e:21:bb interface Ethernet9

 

MSS Integration with Check Point

Macro Segmentation Service (MSS) is configurable for Check Point Software Technologies (Check Point) firewalls. The configuration and deployment require the Check Point Management Server (Gaia), a security management platform that provides central management of Check Point gateway security devices.

Requirements

The following requirements apply to the deployment.
  • MSS version R80.30 version 1.5 and above and a special URL access on the Management Server using a Gateway API provided by Check Point.

     

  • Gateway version R80.30 with API version 1.2 and above.

     

  • Check Point Management Server release R31 and above.

     

Configuration and Deployment

The following components of the solution require configuration:
  • Check Point Gateway firewalls
  • Check Point Management Server
  • Arista leaf switches
  • CVX

Check Point Firewalls (Gateways)

Interface Configuration

Configure IPv4 addresses on the routed L3 firewall interfaces connected to the Arista TORs.

 

IPv4 Static Routes Configuration

Configure IPv4 static routes covering all subnets of the hosts that MSS will be intercepting, using either the WebUI or the CLI as shown below. The nexthop gateway address is the gateway of the subnet to which the firewall interface connects. MSS uses the static route information to identify which firewall interface is connected to the subnet to which the intercepted traffic needs to be forwarded.

set static-route 192.0.2.0/24 nexthop gateway address 192.0.2.155 on

 

The following displays the configuration.

gateway1> show route static
Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
       O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
       A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
       U - Unreachable, i - Inactive

S               0.0.0.0/0           via 172.2.18.12, Mgmt, cost 0, age 3134690
S               10.6.10.0/24        via 10.6.100.2, eth1, cost 0, age 3134690
S               10.6.20.0/24        via 10.6.200.2, eth2, cost 0, age 3134690
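As an added illustration (not part of the Arista document), the following Python resolves an intercepted host to the firewall interface that faces its subnet by longest-prefix match over the static-route output above, then to the switch port via a device-interface map in the shape of the CVX map device-interface entries shown later on this page. The route table copy, the interface map, and the switch MAC and port values are constructed samples; ignoring the default route during the lookup is this example's own assumption.

```python
import ipaddress
import re

# Constructed copy of the 'show route static' output above (legend lines omitted).
SHOW_ROUTE_STATIC = """\
S               0.0.0.0/0           via 172.2.18.12, Mgmt, cost 0, age 3134690
S               10.6.10.0/24        via 10.6.100.2, eth1, cost 0, age 3134690
S               10.6.20.0/24        via 10.6.200.2, eth2, cost 0, age 3134690
"""

# Constructed: firewall interface -> (switch system MAC, switch port), in the shape
# of the 'map device-interface' entries used in the CVX configuration on this page.
DEVICE_INTERFACE_MAP = {
    "eth1": ("00:1c:73:7e:28:11", "Ethernet39"),
    "eth2": ("00:1c:73:7e:28:11", "Ethernet40"),
}

# Static-route line: code, prefix, "via <nexthop>, <interface>, ..."
ROUTE_RE = re.compile(
    r"^S\s+(?P<prefix>\S+)\s+via\s+(?P<nexthop>[0-9.]+),\s*(?P<iface>[^,\s]+),"
)


def parse_static_routes(text):
    """Return [(network, nexthop, interface), ...] for every static-route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m is None:
            continue  # legend, header or blank line
        routes.append((ipaddress.ip_network(m["prefix"]),
                       ipaddress.ip_address(m["nexthop"]),
                       m["iface"]))
    return routes


def egress_interface(routes, host):
    """Longest-prefix match of 'host' against the static routes.

    The default route is deliberately ignored (assumption of this example): MSS
    needs a route to the host's own subnet, so a 0.0.0.0/0 hit means that the
    required static route is missing.
    """
    addr = ipaddress.ip_address(host)
    best = None
    for net, _nexthop, iface in routes:
        if net.prefixlen == 0 or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, iface)
    return best[1] if best else None


def resolve_path(host, text=SHOW_ROUTE_STATIC, ifmap=DEVICE_INTERFACE_MAP):
    """Resolve an intercepted host to (firewall interface, switch MAC, switch port).

    Returns None when either the static route or the interface mapping is
    missing, which is exactly the misconfiguration to look for when intercepted
    traffic is not reaching the firewall.
    """
    iface = egress_interface(parse_static_routes(text), host)
    if iface is None or iface not in ifmap:
        return None
    mac, port = ifmap[iface]
    return (iface, mac, port)


if __name__ == "__main__":
    for h in ("10.6.10.5", "10.6.20.7", "192.168.1.1"):
        print(h, "->", resolve_path(h))
```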

 

Check Point Management Server Configuration

The Check Point firewall devices intended to be used with Arista MSS must be registered and fully manageable via a Check Point Management Server.
  • Identify or define a new security policy network layer to be considered by MSS where 'TestPolicy' is the security policy network layer that is referenced in the CVX configuration.

     

  • Create firewall access rules (to be used by Arista MSS).

     

  • In the access rule, the supported source and destination object types are Host, Network, and Security Zone.

     

  • In the “Services & Applications” field, the following services are supported: ICMP, IGMP, IPv4, TCP, EGP, UDP, IPv6, RSVP, GRE, OSPFIGP, SCTP.

     

  • Add tags in the policy comments/description field in this format: "tags( <tag1>, <tag2>, ... )", e.g. “tags( Arista_MSS1, Arista_MSS2 )”
    • Arista MSS inspects management server access rules that have an embedded "tags( )" string in the comments field. Individual tags are extracted from within the enclosing parentheses and compared with the tags configured in the Arista MSS device-set on CVX.
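The following Python is an added example (not Check Point's or Arista's code) of the comment-field convention just described: it extracts the tag names from a "tags( ... )" marker, compares them with the redirect and offload tags of a device-set, and flags rules that use object types or services outside the supported lists above. The tag names, the rule records and the object names are constructed samples, and the services field is simplified to the IP protocol name of each service object.

```python
import re

# Constructed device-set tags, following the 'policy tag redirect' /
# 'policy tag offload' entries in the CVX configuration later on this page.
REDIRECT_TAGS = {"Arista_MSS"}
OFFLOAD_TAGS = {"Arista_MSS_offload"}

# Object types and services the page lists as supported in MSS-consumed rules.
SUPPORTED_OBJECT_TYPES = {"Host", "Network", "Security Zone"}
SUPPORTED_SERVICES = {"ICMP", "IGMP", "IPv4", "TCP", "EGP", "UDP", "IPv6",
                      "RSVP", "GRE", "OSPFIGP", "SCTP"}

# Marker format: 'tags( <tag1>, <tag2>, ... )' anywhere inside the comment field.
TAGS_RE = re.compile(r"tags\(([^)]*)\)")


def extract_tags(comment):
    """Return the tag names inside the first 'tags( ... )' marker, or [] if none."""
    m = TAGS_RE.search(comment or "")
    if m is None:
        return []
    return [t.strip() for t in m.group(1).split(",") if t.strip()]


def classify_rule(rule):
    """Decide what MSS would do with one access rule.

    Returns (actions, issues): actions is a subset of {'redirect', 'offload'}
    derived from the device-set tags the comment carries; issues lists why the
    rule cannot be consumed as written (unsupported object type or service).
    Untagged rules are ignored by MSS, so they return (set(), []).
    """
    tags = set(extract_tags(rule.get("comments", "")))
    actions = set()
    if tags & REDIRECT_TAGS:
        actions.add("redirect")
    if tags & OFFLOAD_TAGS:
        actions.add("offload")
    issues = []
    if actions:
        for field in ("source", "destination"):
            for obj in rule.get(field, []):
                if obj["type"] not in SUPPORTED_OBJECT_TYPES:
                    issues.append(f"{field} object '{obj['name']}' has "
                                  f"unsupported type '{obj['type']}'")
        for svc in rule.get("services", []):
            if svc not in SUPPORTED_SERVICES:
                issues.append(f"service '{svc}' is not in the supported list")
    return actions, issues


# Constructed rules in the shape of management-server access rules.
RULES = [
    {"name": "web_https",
     "source": [{"name": "Internet", "type": "Security Zone"}],
     "destination": [{"name": "web", "type": "Host"}],
     "services": ["TCP"],
     "comments": "Public web front end  tags( Arista_MSS )"},
    {"name": "app_to_db_offload",
     "source": [{"name": "app", "type": "Host"}],
     "destination": [{"name": "db-servers", "type": "Group"}],
     "services": ["TCP"],
     "comments": "tags( Arista_MSS_offload, Ops_Reviewed )"},
    {"name": "jump_ssh",
     "source": [{"name": "jump", "type": "Host"}],
     "destination": [{"name": "web", "type": "Host"}],
     "services": ["TCP"],
     "comments": "Admin access, not segmented by MSS"},
]


def audit(rules=RULES):
    """Map rule name -> (actions, issues) for a whole rule list."""
    return {r["name"]: classify_rule(r) for r in rules}


if __name__ == "__main__":
    for name, (actions, issues) in audit().items():
        print(name, sorted(actions), issues)
```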

       

1-to-1 HA Cluster Configuration

The following figure shows the 1-to-1 HA cluster. The HA interface pairs connected to the Arista switches should have Virtual IP addresses where the intercepted traffic will be forwarded. The active firewall sends out a GARP with its own MAC to indicate where traffic sent to the VIP should be forwarded.

 

Arista Leaf Switches Configuration

The following configures the switch interfaces connected to the firewall.
switchport trunk native vlan <interface vlan>
switchport mode trunk
spanning-tree portfast
spanning-tree bpdufilter enable

interface Vlan<interface vlan>
   ip address virtual <interface IPv4 address>/<mask>

 

CVX Configuration

The following displays the CVX configuration with Standalone Check Point firewall.
!! Standalone firewall
cvx
   no shutdown
   service mss
      no shutdown
      !
      dynamic device-set chkpt
         device <management-server-ip-or-dnsName>
            username admin password 7 PKigsm//o3IcnW5rqoZXWQ==
            protocol https 4434   (or the configured https port like 443)
            group <management-server-network-layer>
         !
         device member <checkpoint-device-name>
            map device-interface eth1 switch 00:1c:73:7e:28:11 interface Ethernet39
            map device-interface eth2 switch 00:1c:73:7e:28:11 interface Ethernet40
         type check-point management-server
         policy tag offload Arista_MSS_offload
         policy tag redirect Arista_MSS
         state active

 

The checkpoint-device-name used in the device member command is the name used in the Management Server to identify that firewall. A sample CVX configuration with Check Point firewalls in 1-to-1 High Availability cluster configuration will include more than one device member as follows:

!! HA Active/Passive firewall pair
cvx
   no shutdown
   service mss
      no shutdown
      !
      dynamic device-set chkpt
         device <management-server-ip-or-dnsName>
            username admin password 7 PKigsm//o3IcnW5rqoZXWQ==
            protocol https 4434   (or the configured https port like 443)
            group <management-server-network-layer>
         !
         device member <checkpoint-device1-name>
            map device-interface eth1 switch 00:1c:73:7e:28:11 interface Ethernet39
            map device-interface eth2 switch 00:1c:73:7e:28:11 interface Ethernet40
         device member <checkpoint-device2-name>
            map device-interface eth1 switch 00:1c:73:7e:28:11 interface Ethernet41
            map device-interface eth2 switch 00:1c:73:7e:28:11 interface Ethernet42
         type check-point management-server
         policy tag offload Arista_MSS_offload
         policy tag redirect Arista_MSS
         state active

 

MSS for Layer 3 Firewall Enhancements

The verbatim qualifier enhances the Macro Segmentation Service (MSS) with two policy actions: redirect and offload. For firewall policies tagged with the redirect tag, MSS extracts IP addresses from the policy and forwards all traffic destined to or generated from that set of IP addresses to the firewall. With the additional verbatim tag, the bidirectional traffic redirected to the firewall is restricted to the subset that matches the additional qualifiers of the firewall policy (such as source and destination IP addresses or subnets, protocol, and L4 ports).

The verbatim tag can also be paired with the offload tag for a policy, which installs the necessary DirectFlow rules at the TORs to drop or allow the traffic matching the exact qualifiers in the policy definition. If the verbatim tag is not used with the offload tag, the behavior is to offload enforcement for all traffic matching the specific policy rule, while redirecting the remainder of the (non-matching) traffic to the firewall so that the security policy for the protected host remains in compliance. Adding the verbatim tag removes this implicit redirection.

Configuring for Verbatim Use

Firewall Configuration

The verbatim tag is a modifier of the original policy enforcement scheme and works with multiple firewalls, such as those from Palo Alto Networks and Fortinet.

 

Policy Semantics

IP address extraction for the redirect tag:
  • If IP addresses are specified in the source or destination field, MSS extracts those for redirection.

     

  • If no IP addresses are specified, MSS extracts the subnets corresponding to the source and destination zones for redirection.

     

  • If no zones are specified either, MSS extracts all subnets in the default virtual-router for redirection.

     

Constraints on offload tag policies:
  • Must have IP address specified in source or destination field if the corresponding zone is an external zone (zone towards default route).

     

Constraints on redirect verbatim tag policies:
  • Must have IP address specified in source or destination field if the corresponding zone is an external zone (zone towards default route).

     

  • Must have either zone or IP specified in both source and destination field. ‘Any’, ‘All’, or similar constructs are not supported for source or destination fields.

     

Policies with broadcast or multicast destination:

Only offload and offload verbatim tags are supported for policies with an IPv4 broadcast or IPv4 multicast destination.
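The policy semantics above, as an added worked example that is not part of the Arista document: the Python below implements the three IP-extraction rules for redirect-tagged policies and the constraints on offload, redirect verbatim and broadcast/multicast policies. The tag names are those shown in the show service mss policy detail output later on this page; the zone table, the external-zone set, the default-VR subnets and the sample policies are constructed, and the treatment of 'any'/'all' placeholders is this example's reading of the text.

```python
import ipaddress

# Tag names as they appear in 'show service mss policy detail' on this page.
REDIRECT_TAG, OFFLOAD_TAG, VERBATIM_TAG = "MSS_redirect", "MSS_offload", "MSS_verbatim"

# Constructed zone table (zone -> subnets). 'untrust' faces the default route and
# is therefore an external zone whose subnets cannot be enumerated.
ZONES = {"untrust": [], "web1": ["10.10.10.0/24"], "app1": ["10.10.20.0/24"]}
EXTERNAL_ZONES = {"untrust"}
# Constructed: all subnets in the default virtual-router.
DEFAULT_VR_SUBNETS = ["10.10.10.0/24", "10.10.20.0/24", "10.10.30.0/24"]

ANY_WORDS = {"any", "all", ""}


def _explicit(values):
    """Keep only explicit entries, dropping None and 'any'/'all' placeholders."""
    return [v for v in values or [] if v is not None and str(v).lower() not in ANY_WORDS]


def redirect_addresses(policy):
    """IP extraction for a redirect-tagged policy: explicit IPs first, then the
    subnets of the named zones, then every subnet of the default VR."""
    ips = _explicit(policy.get("source")) + _explicit(policy.get("destination"))
    if ips:
        return sorted({str(ipaddress.ip_network(a, strict=False)) for a in ips})
    zones = _explicit([policy.get("from"), policy.get("to")])
    if zones:
        return sorted({s for z in zones for s in ZONES.get(z, [])})
    return sorted(DEFAULT_VR_SUBNETS)


def _dest_is_bcast_or_mcast(policy):
    """True when an explicit destination is IPv4 multicast or limited broadcast."""
    for a in _explicit(policy.get("destination")):
        try:
            net = ipaddress.ip_network(a, strict=False)
        except ValueError:
            continue  # a named object rather than an address
        if net.version == 4 and (net.is_multicast or
                                 net.network_address == ipaddress.ip_address("255.255.255.255")):
            return True
    return False


def validate(policy):
    """Return the constraint violations for one policy ([] means acceptable)."""
    tags = set(policy.get("tags", []))
    offload = OFFLOAD_TAG in tags
    redirect_verbatim = REDIRECT_TAG in tags and VERBATIM_TAG in tags
    problems = []
    sides = (("source", "from"), ("destination", "to"))
    if offload or redirect_verbatim:
        # External zone: its subnets cannot be enumerated, so IPs are mandatory.
        for field, zone_key in sides:
            if policy.get(zone_key) in EXTERNAL_ZONES and not _explicit(policy.get(field)):
                problems.append(f"{field}: external zone '{policy[zone_key]}' "
                                f"requires explicit IP addresses")
    if redirect_verbatim:
        # Each side needs a zone or an IP; 'any'/'all' is not accepted.
        for field, zone_key in sides:
            if not _explicit([policy.get(zone_key)]) and not _explicit(policy.get(field)):
                problems.append(f"{field}: redirect verbatim requires a zone or IP "
                                f"address, not 'any'")
    if REDIRECT_TAG in tags and _dest_is_bcast_or_mcast(policy):
        problems.append("broadcast/multicast destination: only offload tags are supported")
    return problems


# Constructed sample policies.
POLICIES = [
    {"name": "untrust_to_web1", "from": "untrust", "to": "web1",
     "source": ["any"], "destination": ["10.10.10.5"], "tags": [REDIRECT_TAG]},
    {"name": "untrust_to_web1_verbatim", "from": "untrust", "to": "web1",
     "source": ["any"], "destination": ["10.10.10.5"], "tags": [REDIRECT_TAG, VERBATIM_TAG]},
    {"name": "web1_to_app1", "from": "web1", "to": "app1",
     "source": ["any"], "destination": ["any"], "tags": [REDIRECT_TAG]},
    {"name": "catch_all", "source": ["any"], "destination": ["any"], "tags": [REDIRECT_TAG]},
    {"name": "ospf_mcast", "from": "web1", "to": "web1",
     "source": ["any"], "destination": ["224.0.0.5"], "tags": [REDIRECT_TAG]},
]


def summarize(policies=POLICIES):
    """Map policy name -> extracted redirect addresses and constraint violations."""
    return {p["name"]: {"redirect_ips": redirect_addresses(p), "problems": validate(p)}
            for p in policies}


if __name__ == "__main__":
    for name, result in summarize().items():
        print(name, result)
```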

 

CVX Configuration

The following configuration commands set 'tag-list' as the verbatim modifier on a per device basis for the redirect and offload tags.
cvx
   service mss
      dynamic device-set <device-set-name>
         device <device-name>
           [no | default] policy tag redirect <tag-list>
           [no | default] policy tag offload <tag-list>
           [no | default] policy tag modifier verbatim <tag-list>

TCAM Profile Configuration

The following depicts a recommended TCAM profile to be used with MSS.
Note: This is an example for some of the devices that are currently supported.

 

hardware tcam
   profile direct-flow-mssl3-VXLAN
      feature acl port ip
         sequence 50
         key size limit 160
         key field dscp dst-ip ip-frag ip-protocol l4-dst-port l4-ops l4-src-port src-ip tcp-control ttl
         action count drop
         packet ipv4 forwarding bridged
         packet ipv4 forwarding routed
         packet ipv4 forwarding routed multicast
         packet ipv4 mpls ipv4 forwarding mpls decap
         packet ipv4 mpls ipv6 forwarding mpls decap
         packet ipv4 non-VXLAN forwarding routed decap
         packet ipv4 VXLAN eth ipv4 forwarding routed decap
         packet ipv4 VXLAN eth ipv6 forwarding routed decap
         packet ipv4 VXLAN forwarding bridged decap
      feature acl port ip egress mpls-tunnelled-match
         sequence 100
      feature acl port ipv6
         sequence 30
         key field dst-ipv6 ipv6-next-header ipv6-traffic-class l4-dst-port l4-ops-3b l4-src-port src-ipv6-high src-ipv6-low tcp-control
         action count drop
         packet ipv6 forwarding bridged
         packet ipv6 forwarding routed
         packet ipv6 forwarding routed multicast
         packet ipv6 ipv6 forwarding routed decap
      feature acl port mac
         sequence 60
         key size limit 160
         key field dst-mac ether-type src-mac
         action count drop
         packet ipv4 forwarding bridged
         packet ipv4 forwarding routed
         packet ipv4 forwarding routed multicast
         packet ipv4 mpls ipv4 forwarding mpls decap
         packet ipv4 mpls ipv6 forwarding mpls decap
         packet ipv4 non-VXLAN forwarding routed decap
         packet ipv4 VXLAN eth ipv4 forwarding routed decap
         packet ipv4 VXLAN forwarding bridged decap
         packet ipv6 forwarding bridged
         packet ipv6 forwarding routed
         packet ipv6 forwarding routed decap
         packet ipv6 forwarding routed multicast
         packet ipv6 ipv6 forwarding routed decap
         packet mpls forwarding bridged decap
         packet mpls ipv4 forwarding mpls
         packet mpls ipv6 forwarding mpls
         packet mpls non-ip forwarding mpls
         packet non-ip forwarding bridged
      feature acl subintf ip
         sequence 45
         key size limit 160
         key field dscp dst-ip ip-frag ip-protocol l4-dst-port l4-ops-18b l4-src-port src-ip tcp-control ttl
         action count drop
         packet ipv4 forwarding routed
      feature acl subintf ipv6
         sequence 20
         key field dst-ipv6 ipv6-next-header l4-dst-port l4-src-port src-ipv6-high src-ipv6-low tcp-control
         action count drop
         packet ipv6 forwarding routed
      feature acl vlan ip
         sequence 40
         key size limit 160
         key field dscp dst-ip ip-frag ip-protocol l4-dst-port l4-ops-18b l4-src-port src-ip tcp-control ttl
         action count drop
         packet ipv4 forwarding routed
         packet ipv4 mpls ipv4 forwarding mpls decap
         packet ipv4 mpls ipv6 forwarding mpls decap
         packet ipv4 non-VXLAN forwarding routed decap
         packet ipv4 VXLAN eth ipv4 forwarding routed decap
         packet ipv4 VXLAN eth ipv6 forwarding routed decap
      feature acl vlan ipv6
         sequence 15
         key field dst-ipv6 ipv6-next-header l4-dst-port l4-src-port src-ipv6-high src-ipv6-low tcp-control
         action count drop
         packet ipv6 forwarding routed
         packet ipv6 ipv6 forwarding routed decap
      feature acl vlan ipv6 egress
         sequence 25
         key field dst-ipv6 ipv6-next-header ipv6-traffic-class l4-dst-port l4-src-port src-ipv6-high src-ipv6-low tcp-control
         action count drop
         packet ipv6 forwarding routed
      feature flow
         key size limit 160
         key field dst-ip ether-type in-port ip-protocol l4-dst-port l4-src-port src-ip
         action drop redirect set-fwd-header
         packet ipv4 forwarding bridged
         packet ipv4 forwarding routed
      feature forwarding-destination mpls
         sequence 105
      feature mpls
         sequence 5
         key size limit 160
         action drop redirect set-ecn
         packet ipv4 mpls ipv4 forwarding mpls decap
         packet ipv4 mpls ipv6 forwarding mpls decap
         packet mpls ipv4 forwarding mpls
         packet mpls ipv6 forwarding mpls
         packet mpls non-ip forwarding mpls
      feature mpls pop ingress
         sequence 95
      feature pbr mpls
         sequence 70
         key size limit 160
         key field mpls-inner-ip-tos
         action count drop redirect
         packet mpls ipv4 forwarding mpls
         packet mpls ipv6 forwarding mpls
         packet mpls non-ip forwarding mpls
      feature tunnel VXLAN
         sequence 55
         key size limit 160
         key field in-port VXLAN-inner-etype VXLAN-inner-ip-options VXLAN-inner-ip-ttl
         packet ipv4 VXLAN eth ipv4 forwarding routed decap
         packet ipv4 VXLAN eth ipv6 forwarding routed decap
         packet ipv4 VXLAN forwarding bridged decap
      feature tunnel VXLAN routing
         sequence 10
         packet ipv4 forwarding routed
         packet ipv4 non-VXLAN forwarding routed decap
         packet ipv4 VXLAN eth ipv4 forwarding routed decap
         packet ipv4 VXLAN eth ipv6 forwarding routed decap

 

The following displays the profile. The platform does not support any arbitrarily created PMF profile. If the PMF profile cannot be programmed, the show command will print ‘ERROR’ in the status column.
switch# show hardware tcam profile
                     Configuration            Status
FixedSystem          direct-flow-mssl3-VXLAN  direct-flow-mssl3-VXLAN

 

Limitations
  • DirectFlow needs to be enabled at the TOR so that the policies enforced by MSS are correctly programmed.

     

  • Group option is available only for some switches.

     

  • Deployments with a mix of switches require special considerations. The following table summarizes supported configurations in different deployment models.

     

    Table 1. Configuration Summary

    Both compute and service TORs: DCS-7050X, DCS-7050X2, DCS-7050X3, DCS-7060X, DCS-7060X2
      Policy enforcement rules: group, verbatim
      Supported tags:
      • redirect
      • offload
      • redirect, verbatim
      • offload, verbatim

    Both compute and service TORs: DCS-7020R, DCS-7280R, DCS-7280R2, DCS-7500R, DCS-7500R2
      Policy enforcement rules: verbatim
      Supported tags:
      • redirect, verbatim
      • offload, verbatim

    Both compute and service TORs: DCS-7050X, DCS-7050X2, DCS-7050X3, DCS-7060X, DCS-7060X2, DCS-7020R, DCS-7280R, DCS-7280R2, DCS-7500R, DCS-7500R2
      Policy enforcement rules: verbatim
      Supported tags:
      • redirect, verbatim
      • offload, verbatim

    DCS-7050X, DCS-7050X2, DCS-7050X3, DCS-7060X, DCS-7060X2 as compute TOR and other series as service TOR (with no intercepted hosts connected)
      Policy enforcement rules: group, verbatim
      Supported tags:
      • redirect
      • offload
      • redirect, verbatim
      • offload, verbatim

     

Backward Compatibility and Other Considerations

For existing deployments where any of the DCS-7020R, DCS-7280R, DCS-7280R2, DCS-7500R, or DCS-7500R2 switch platforms are used in the service rack, upgrade hitlessly by upgrading the CVX cluster first and executing the following command before upgrading EOS on any switch:
cvx
   service mss
      policy enforcement rules group verbatim

 

The policy enforcement rules {group verbatim | verbatim} command enables policy enforcement; the no and default forms of the command disable it.

 

Displaying CVX Status
The following displays the status of the MSS policies.
switch# show service mss policy

<--snip-->

                Macro-Segmentation L3 Policy Table
-------------------------------------------------------------------------------
Source            Device      Policy        Offload      Redirect     Unconverged
                                            status       status       IPs
----------------  ---------   ----------    ----------   -----------  ----------
PaloAltoFirewall   fwpan1     policy1       N/A          Active      N/A
PaloAltoFirewall   fwpan1     policy2       Active       N/A         N/A
PaloAltoFirewall   fwpan1     policy3       Active       Active      0 of 2
PaloAltoFirewall   fwpan1     policy4       N/A          Active      0 of 2

 

The following displays the status of the MSS policies in more detail.
switch# show service mss policy detail
-------------------------------------------------------------------
Source: PaloAltoFirewall
-------------------------------------------------------------------
  Device: fwpan1
   Policy (L3): policy1
      Offload Status: N/A
      Redirect Status: Active
      Tags: MSS_redirect, MSS_verbatim
      Policy Modifier: Verbatim
      VRF: default
   Policy (L3): policy2
      Offload Status: Active
      Redirect Status: N/A
      Tags: MSS_offload, MSS_verbatim
      Policy Modifier: Verbatim
      VRF: default
   Policy (L3): policy3
      Offload Status: Active
      Redirect Status: Active
      Tags: MSS_offload
      VRF: default
      IP Addresses:
        Active: 10.10.10.1
        Active: 10.10.20.1
   Policy (L3): policy4
      Offload Status: N/A
      Redirect Status: Active
      Tags: MSS_redirect
      VRF: default
      IP Addresses:
        Active: 10.10.10.1
        Active: 10.10.10.2

 

Displaying Flow Information Details on TOR Switch
switch# show directflow detail
Flow default:spm:fwpan1:30000::10.10.20.2/32::10.10.20.3/32::::nh-1.100.0.2:(Flow programmed)
  persistent: False
  priority: 30000
  priorityGroupType: default
  hard timeout: 0
  idle timeout: 0
  match:
    Ethernet type: IPv4
    source IPv4 address: 10.10.20.2/255.255.255.255
    destination IPv4 address: 10.10.20.3/255.255.255.255
    IPv4 protocol: TCP
    destination TCP/UDP port: 22
  actions:
    output nexthop: 1.10.100.2
  source: mssl3
  matched: 0 packets, 0 bytes

Flow default:spm:fwpan1:30000::10.10.20.3/32::10.10.20.2/32::::nh-1.100.0.2:(Flow programmed)
  persistent: False
  priority: 30000
  priorityGroupType: default
  hard timeout: 0
  idle timeout: 0
  match:
    Ethernet type: IPv4
    source IPv4 address: 10.10.20.3/255.255.255.255
    destination IPv4 address: 10.10.20.2/255.255.255.255
    IPv4 protocol: TCP
    source TCP/UDP port: 22
  actions:
    output nexthop: 1.10.100.2
  source: mssl3
  matched: 0 packets, 0 bytes
<--snip--> 

 

MSS Commands

Configuration Commands
  • dynamic device-set
  • exception device
  • group
  • name-resolution interval (CVX-OpenStack)
  • service mss
  • state
  • tag
  • type palo-alto

     

CVX Show Commands
  • show service mss dynamic device-set
  • show service mss policy
  • show service mss status
  • show service mss zone

     

dynamic device-set

 

The dynamic device-set command configures a device such as a firewall to communicate with the MSS in the MSS configuration mode.

The no dynamic device-set command removes a previously configured device from the MSS configuration and returns to the CVX mode.

 

Command Mode

MSS Configuration

 

Command Syntax

dynamic device-set device-set_name

no dynamic device-set device-set_name

 

Parameter

device-set_name a unique name for the device set.

 

Example

This example creates a set of firewalls with the name panfw1.
cvx# configure
cvx(config)# cvx
cvx(config-cvx)# no shutdown
cvx(config-cvx)# service mss
cvx(config-cvx-mss)# no shutdown
cvx(config-cvx-mss)# vni range 30000-40000
cvx(config-cvx-mss)# dynamic device-set panfw1  
cvx(config-cvx-mss-panfw1)#

 

 

Note: The vni range command configures a range of VXLAN Network Identifiers (VNI) that MSS uses to tunnel traffic to the firewall. If VNI range is not configured, the default VNIs in the range of 1 to 16777214 are used.

 

exception device

The exception device command bypasses or continues redirecting traffic to service device such as a firewall if the service device control-plane API is unreachable after initial policies have been processed.

The no exception device command.

 

Command Mode

MSS Configuration

 

Command Syntax

exception device unreachable [bypass | redirect]

no exception device unreachable [bypass | redirect]

default exception device unreachable bypass

 

Parameters
  • bypass: bypass the service device.
  • redirect: continue redirecting traffic to the service device.

     

Example

This example redirects traffic to the service device.
cvx# configure
cvx(config)# cvx
cvx(config-cvx)# no shutdown
cvx(config-cvx)# service mss
cvx(config-cvx-mss)# no shutdown
cvx(config-cvx-mss)# vni range 30000-40000
cvx(config-cvx-mss)# dynamic device-set fw
cvx(config-cvx-mss-fw)# device firewall-dc7
cvx(config-cvx-mss-fw)# username admin password 7 PKigsmo3IcnW5rqoZXWQ
cvx(config-cvx-mss-fw)# state active
cvx(config-cvx-mss-fw)# type palo-alto firewall
cvx(config-cvx-mss-fw)# exception device unreachable redirect

group

The group command configures the Panorama device group name to be used with MSS.

The no group command removes the group from the MSS configuration when the Panorama firewall manager is used.

See the type Palo-Alto command for more information about the firewall manager.

 

Command Mode

Device-set mode

 

Command Syntax

group group_name

no group group_name

 

Parameters

group_name the name of the group.

 

Example

This command configures the group name as mssDevices.
cvx(config)# cvx
cvx(config-cvx)# service mss
cvx(config-cvx-mss)# dynamic device-set pano2
cvx(config-cvx-mss-pano2)# type palo-alto panorama
cvx(config-cvx-mss-pano2)# device myPanorama
cvx(config-cvx-mss-pano2-myPanorama)# group mssDevices

name-resolution interval (CVX-OpenStack)

The name-resolution interval command specifies the period between consecutive requests that the OpenStack controller sends to the Keystone service for VM and tenant name updates. Keystone is OpenStack's authentication and authorization service.

The default period is 21600 seconds (6 hours).

The name-resolution force (CVX-OpenStack) command performs an immediate update, as opposed to waiting for the periodic update.

 

Command Mode

CVX-OpenStack Configuration

 

Command Syntax

name-resolution interval period

Parameters

period: Keystone identity service polling interval (seconds).

 

Comment

service openstack places the switch in CVX-OpenStack configuration mode.

 

Example

These commands set the name resolution interval period to five hours.
switch(config)# cvx
switch(config-cvx)# service openstack
switch(config-cvx-openstack)# name-resolution interval 18000
switch(config-cvx-openstack)#

service mss

 

The service mss command enters the MSS configuration sub-mode.

The no service mss command exits the MSS configuration mode and returns to the CVX mode.

 

Command Mode

CVX Configuration

 

Command Syntax

service mss

no service mss

default service mss

 

Example

This example enables MSS on CVX and enters the MSS config mode.

 

Note: The no shutdown command enables MSS on the CloudVision eXchange (CVX).

 

 

cvx# configure
cvx(config)# cvx
cvx(config-cvx)# no shutdown
cvx(config-cvx)# service mss
cvx(config-cvx-mss)# no shutdown

show service mss dynamic device-set

 

The show service mss dynamic device-set command displays detailed information about a specific service device set. Information such as device group members, high availability, network, resource details are displayed.

 

Note: Interfaces from multiple switches can be placed in the same zone by the device.

 

 

Command Mode

EXEC

CVX Configuration

 

Command Syntax

show service mss dynamic device-set device_set_name [device device_name [group-members | high-availability | neighbors | network | policies | resources]]

 

Parameters
  • device_set_name defines the device set name.
  • device device_name defines the service device properties, such as the DNS hostname or IP address of the service device.
  • group-members lists device-group members for an aggregation manager.
  • high-availability displays service device high availability information.
  • neighbors displays the service device's Ethernet interface neighbor information.
  • network displays the service device's network interface information.
  • policies displays the list of policies read from the service device that carry the MSS tag.
  • resources displays the service device's system resource information.

     

Related Commands
  • show service mss status
  • show service mss policy

     

Examples
  • This command displays information about interfaces that are placed in a zone by device1.
    switch# show service mss zone
    Source: static
    ------------------------------------------------
    Device: device1

     

  • This command displays information about interfaces that are placed in a zone by device1.
    switch# show service mss zone
    Source: static
    ----------------------------------------------
    Device: device1
    Zone: zone1
    Switch: 00:00:00:00:00:01
    Hostname: switch1.arista.com
    Interfaces:
    Ethernet1/1
    Allowed VLAN: 1000-1010
    Port-Channel2/1:
    Allowed VLAN: 1000-2000
    Switch: 00:00:00:00:00:02
    Hostname: switch2.arista.com
    Interfaces:
    Ethernet10/1
    Allowed VLAN: 1000-1010
    Zone: zone2
    Switch: 00:00:00:00:00:01
    Hostname: switch1.arista.com
    Interfaces:
    Ethernet10/1
    Allowed VLAN: 1000-1010
    Ethernet 20/1
    Allowed VLAN: 1000-2000

show service mss policy

 

The show service mss policy command displays generic information about the configuration and operational state of the macro-segmentation service (MSS) policies on a device.

 

Command Mode

EXEC

CVX Configuration

 

Command Syntax

show service mss policy [[device device_name][name policy-name][source (static | plugin_name)]]

 

Parameters
  • device device_name defines the service device name.
  • name policy-name the filter policy name.
  • source the source of the policy.
  • static the policy configured using the command line interface.
  • plugin_name the service device type.

     

Related Commands
  • show service mss status
  • show service mss zone

     

Example

This command displays information about the MSS policy policy1 enabled on the device.
cvx# show service mss policy name policy1
Source  Device    Policy  Config   Status 
------  --------  ------  -------  -------------  ------------- 
vendor  Firewall  pan100  policy1  Enabled        Initialized

 

The Config column indicates the configuration state of a policy. The possible states are enabled, dry run, and disabled.

The Status column indicates the operational state of a policy. The possible status values are initialized, pending, initializing, active, reinitializing, dry-run complete, and deactivating.

show service mss status

 

The show service mss status command displays the status of a macro-segmentation service (MSS) on the device.

 

Command Mode

EXEC

CVX Configuration

 

Command Syntax

show service mss status

 

Related Commands

  • show service mss policy
  • show service mss zone

     

Examples
  • This command displays the MSS status on the device as Enabled.
    switch# show service mss status
    State: Enabled
    Service VNIs: 1500-1600,1800,1900-2000

     

  • This command displays the MSS status on the device as Disabled.
    switch# show service mss status
    State: Disabled
    Service VNIs: 1-16777214

show service mss zone

 

The show service mss zone command displays information about the interfaces that are placed in a single zone by the service device. Together with the show service mss policy command, this command can be used to identify issues with the policy configuration.

Interfaces from multiple switches can be placed in the same zone by the device.

 

Command Mode

EXEC

CVX Configuration

 

Command Syntax

show service mss zone [[device device_name]|[name zone_name]|[source (static | dynamic_source)]]

 

Parameters
  • device device_name: filters the output to zones created by the named service device.
  • name zone_name: filters the output to the named zone.
  • source: filters the output by where the zone came from.
  • static: zones configured through the command line interface.
  • dynamic_source: zones learned from a service device of the specified type.

     

Related Commands
  • show service mss status
  • show service mss policy

     

Example

This command displays the interfaces that the service device device1 has placed in each zone.
switch# show service mss zone
Source: static
---------------------------------------
Device: device1
  Zone: zone1
    Switch: 00:00:00:00:00:01
    Hostname: switch1.arista.com
    Interfaces:
      Ethernet1/1
        Allowed VLAN: 1000-1010
      Port-Channel2/1
        Allowed VLAN: 1000-2000
    Switch: 00:00:00:00:00:02
    Hostname: switch2.arista.com
    Interfaces:
      Ethernet10/1
        Allowed VLAN: 1000-1010
  Zone: zone2
    Switch: 00:00:00:00:00:01
    Hostname: switch1.arista.com
    Interfaces:
      Ethernet10/1
        Allowed VLAN: 1000-1010
      Ethernet20/1
        Allowed VLAN: 1000-2000
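An added example (not from the manual or from Arista) of the consistency check that the show service mss zone output makes possible: it parses the listing into one record per interface placement, expands and validates the Allowed VLAN ranges, and reports any interface that the same service device has placed in more than one zone on the same switch. The check keys on the switch MAC address, so identically named ports on different switches in one zone, which the manual says is permitted, are not flagged. The sample output is constructed from the manual's example with one conflict added (switch1 Ethernet1/1 listed in both zones); parsing keys off the line labels rather than indentation, which is often lost when output is pasted.

```python
import re
from collections import defaultdict

# Constructed sample of `show service mss zone` output, modelled on the manual's
# example with one deliberate conflict added: switch1 Ethernet1/1 appears in
# both zone1 and zone2. Indentation is intentionally absent.
SAMPLE_ZONE_OUTPUT = """\
Source: static
---------------------------------------
Device: device1
Zone: zone1
Switch: 00:00:00:00:00:01
Hostname: switch1.arista.com
Interfaces:
Ethernet1/1
Allowed VLAN: 1000-1010
Port-Channel2/1:
Allowed VLAN: 1000-2000
Switch: 00:00:00:00:00:02
Hostname: switch2.arista.com
Interfaces:
Ethernet10/1
Allowed VLAN: 1000-1010
Zone: zone2
Switch: 00:00:00:00:00:01
Hostname: switch1.arista.com
Interfaces:
Ethernet10/1
Allowed VLAN: 1000-1010
Ethernet1/1
Allowed VLAN: 1000-2000
"""

VLAN_MIN, VLAN_MAX = 1, 4094
CONTEXT_KEYS = ("Source", "Device", "Zone", "Switch", "Hostname")


def parse_vlan_ranges(text):
    """Expand '1000-1010,1800' into a set of VLAN ids; reject malformed or out-of-range input."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError(f"malformed VLAN range {part!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
            raise ValueError(f"VLAN range {part!r} outside {VLAN_MIN}-{VLAN_MAX}")
        vlans.update(range(lo, hi + 1))
    return vlans


def parse_zone_output(text):
    """Return one dict per interface placement: source, device, zone, switch, hostname, interface, vlans."""
    placements, ctx, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue  # blank line or the separator rule
        key, sep, val = line.partition(":")
        if sep and key in CONTEXT_KEYS:
            ctx[key.lower()] = val.strip()  # nested context, e.g. "Switch: 00:..."
        elif line == "Interfaces:":
            continue
        elif key == "Allowed VLAN":
            if current is None:
                raise ValueError(f"'Allowed VLAN' without a preceding interface: {line}")
            current["vlans"] = parse_vlan_ranges(val)
            placements.append(current)
            current = None
        else:
            # Any other line is an interface name; the CLI may print a trailing colon.
            if current is not None:
                raise ValueError(f"interface {current['interface']} has no 'Allowed VLAN' line")
            current = dict(ctx, interface=line.rstrip(":"))
    if current is not None:
        raise ValueError(f"interface {current['interface']} has no 'Allowed VLAN' line")
    return placements


def find_multi_zone_interfaces(placements):
    """Map (device, switch MAC, interface) -> sorted zones for interfaces placed in more than one zone."""
    zones = defaultdict(set)
    for p in placements:
        zones[(p["device"], p["switch"], p["interface"])].add(p["zone"])
    return {k: sorted(z) for k, z in zones.items() if len(z) > 1}


if __name__ == "__main__":
    for (device, switch, intf), zones in find_multi_zone_interfaces(
            parse_zone_output(SAMPLE_ZONE_OUTPUT)).items():
        print(f"{device} placed {switch} {intf} in more than one zone: {', '.join(zones)}")
```

The same placement records can be joined against the policy listing to confirm that every zone a policy references actually contains the ports you expect before the policy is moved from dry run to Enabled.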

state

 

The state command sets a dynamic device set to the active, shutdown (disabled), or suspended state.

The no state command removes the state previously configured for the device set.

 

Command Mode

MSS Dynamic Device-Set Configuration

 

Command Syntax

state [active | shutdown | suspend]

no state

 

Parameters
  • active: the device set is active. Policy monitoring and network traffic redirection are enabled.
  • shutdown: the device set is disabled. Policy monitoring and network traffic redirection are stopped.
  • suspend: the device set is suspended. Policy monitoring stops, but existing traffic redirection is left unchanged.

     

Example

This example configures the device set panfw1 as active.
cvx# configure
cvx(config)# cvx
cvx(config-cvx)# no shutdown
cvx(config-cvx)# service mss
cvx(config-cvx-mss)# no shutdown
cvx(config-cvx-mss)# vni range 30000-40000
cvx(config-cvx-mss)# dynamic device-set panfw1
cvx(config-cvx-mss-panfw1)# tag Arista_MSS
cvx(config-cvx-mss-panfw1)# type palo-alto firewall
cvx(config-cvx-mss-panfw1)# state active

tag

The tag command, entered in dynamic device-set configuration mode, specifies the tag or tags that MSS searches for when it reads the security policy from the firewall or firewall manager; only policy rules carrying one of these tags are read. More than one tag can be specified on a single line.

The no tag command removes the tags from the MSS configuration.

 

Note: The tags specified here must match the tags applied to the policy rules in the vendor firewall; otherwise MSS cannot read the policy or set up the intercept.

 

Command Mode

MSS Dynamic Device-Set Configuration

 

Command Syntax

tag tag_name [tag_name ...]

no tag

default tag

 

Parameter

tag_name: the name of a tag used in the firewall policy. Separate multiple tag names with spaces.

 

Examples
  • This command specifies the tag with the name Arista_MSS.
    cvx# configure
    cvx(config)# cvx
    cvx(config-cvx)# no shutdown
    cvx(config-cvx)# service mss
    cvx(config-cvx-mss)# no shutdown
    cvx(config-cvx-mss)# vni range 30000-40000
    cvx(config-cvx-mss)# dynamic device-set panfw1
    cvx(config-cvx-mss-panfw1)# tag Arista_MSS

     

  • This command specifies multiple tags with names mss1, mss2, and mss3.
    cvx# configure
    cvx(config)# cvx
    cvx(config-cvx)# no shutdown
    cvx(config-cvx)# service mss
    cvx(config-cvx-mss)# no shutdown
    cvx(config-cvx-mss)# vni range 30000-40000
    cvx(config-cvx-mss)# dynamic device-set panfw1
    cvx(config-cvx-mss-panfw1)# tag mss1 mss2 mss3

type palo-alto

The type palo-alto command configures the type of Palo Alto Networks device in the device set: a firewall, or a Panorama firewall manager.

The no type palo-alto command removes the firewall type from the MSS configuration.

 

Command Mode

MSS Dynamic Device-Set Configuration

 

Command Syntax

type palo-alto [firewall | panorama]

no type palo-alto

 

Parameters
  • firewall: the Palo Alto Networks firewall.
  • panorama: the Palo Alto Networks Panorama firewall manager.

     

Example

This command configures the Palo Alto Networks firewall type.
cvx# configure
cvx(config)# cvx
cvx(config-cvx)# service mss
cvx(config-cvx-mss)# dynamic device-set panfw1
cvx(config-cvx-mss-panfw1)# type palo-alto firewall

EOS 4.34.0F User Manual - Quality of Service and Traffic Management

Quality of Service and Traffic Management

This chapter describes Arista’s Quality of Service (QoS) implementation and Traffic Management, including configuration instructions and command descriptions. Topics covered by this chapter include:
  • Quality of Service
  • Traffic Management

