This document presents Arista Macro-Segmentation Service - Firewall (MSS-FW) deployment in a network with multiple Virtual Routing and Forwarding (VRF) instances.

The Segment security feature lets you apply policies to segments rather than to interfaces or subnets. Hosts and networks are classified into segments based on prefixes. Grouping prefixes into segments allows the definition of policies that govern the flow of traffic between segments. Policies define inter-segment or intra-segment communication rules, e.g. segment A can communicate with segment B, but hosts in segment B cannot communicate with each other.

This document presents how Arista Macro Segmentation Service (MSS) can be deployed in a brownfield environment with

Macro Segmentation Service with Layer 3 firewall (MSS FW) provides a mechanism to offload policy enforcement on TORs

Macro Segmentation Service with Layer 3 firewall (MSS FW) enforces all security policies bidirectionally by