MSS-G with Dynamic Configuration from Forescout

Using Forescout, an MSS-G configuration can be pushed automatically to CloudVision. This section covers the use of Forescout eyeSegment for policy definition and eyeSight for segment assignment. These systems produce an MSS-G configuration that is dynamic, and while visible on CloudVision, it bypasses the CLI on switches and will therefore not show up in the device running config.

There are two integration points from Forescout into Arista MSS-G:
  • host to segment mapping in the Forescout console’s Policy Manager
  • segment policy definition in Forescout eyeSegment

Both integration points are described below. Before deploying this integration, note that there is a terminology overlap:

  • Arista MSS-G uses the terms “group” and “segment” interchangeably.
  • The segments defined in the Forescout console under Tools > Segment Manager are static ranges designed to indicate areas of the network managed by Forescout and are unrelated to Arista MSS-G segments.
  • The groups defined in the Forescout console Policy Manager are for organizing host/user/device taxonomy. Although it is possible through the Forescout Policy Manager to map each Forescout Group to an Arista MSS-G group, it is neither automatic nor required. In the majority of use cases, Forescout Groups will be hierarchical and will not map directly to Arista MSS-G groups; instead, Arista MSS-G groups will be defined by Forescout Policies that may consider hosts/users/devices across several Forescout Groups.

Requirements

To configure MSS-G with Dynamic Configuration from Forescout, the system must meet the following requirements:

On the Arista side:
  • EOS 4.27.1F+
  • TerminAttr 1.22+
  • CloudVision 2022.1.1+

On the Forescout side:

  • Continuum 8.4.0
  • eyeSegment 5.18.0 (recommend 5.19.0)
  • Forescout Arista MSS-G 1.0.0 module.

Limitations

Note the following limitations before configuring MSS-G with Dynamic Configuration from Forescout.

  • Port matching: Policies are enforced based on IP address, and at this time there is no support for port or protocol matching.
  • 60-segment limit: Arista CloudVision and EOS switches support a maximum of 60 segments.
  • Single segmentation domain: All EOS switches participating in MSS-G receive all host-to-segment assignments transmitted from Forescout eyeSight to Arista CloudVision.
  • Single VRF: The integration supports just a single Virtual Routing and Forwarding instance, or VRF. That VRF is configurable, but by default it uses the default VRF.
  • Initial sync time: The initial transmission of host-to-segment assignments from CounterACT to CloudVision could take up to an hour, depending on the number of hosts, the number of CounterACT appliances, and the latency between CounterACT and CloudVision. It can be made much faster by enabling dynamic configuration on participating switches after CloudVision has received all initial segmentation configuration.
  • Host scale: The integration supports up to 25,000 hosts in its initial phase.
  • Enforcement point scale: The integration supports up to 100 enforcement points. Note that not all switches must be used as enforcement points. As long as traffic flows through an MSS-G capable enforcement point, policies will be enforced.
  • Supported actions: Currently, the supported actions are forward and drop.
  • IPv6: IPv6 is not currently supported in this integration.
  • Wifi endpoints: To make the integration work with wireless clients, access points must be configured to forward traffic in the clear to an enforcement point.
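Because the Forescout-generated configuration bypasses the switch CLI and never appears in the running config, the requirements and limitations above are easiest to catch before the integration is enabled rather than by inspecting a switch afterwards. The following pre-deployment checker is an added example, not Arista's or Forescout's own tooling: it takes a planned host-to-segment assignment and a list of segment policies (the dictionary shapes, the device inventory and all addresses are constructed here) and reports anything that conflicts with the minimum versions, the 60-segment and 25,000-host limits, the 100-enforcement-point limit, the IPv4-only restriction, the lack of port/protocol matching, and the forward/drop action set.

```python
"""Pre-deployment checks for a Forescout-driven MSS-G rollout.

Constructed example, not part of Arista's or Forescout's tooling. The input
shapes (inventory dicts, assignment dict, policy dicts) are assumptions made
here; the limits and minimum versions are the ones stated in the text.
"""
import ipaddress
import re

# Minimum versions from the Requirements section.
MIN_EOS = (4, 27, 1)
MIN_TERMINATTR = (1, 22)
MIN_CLOUDVISION = (2022, 1, 1)

# Limits from the Limitations section.
MAX_SEGMENTS = 60
MAX_HOSTS = 25_000
MAX_ENFORCEMENT_POINTS = 100
SUPPORTED_ACTIONS = {"forward", "drop"}


def version_tuple(text):
    """Reduce '4.27.1F', '1.22.0' or '2022.1.1' to a tuple of ints.

    The EOS train letter (the 'F' in 4.27.1F) does not affect ordering here.
    """
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def meets_minimum(actual, minimum):
    """True when actual >= minimum; shorter tuples are zero-padded so 4.27 == 4.27.0."""
    a, m = version_tuple(actual), tuple(minimum)
    width = max(len(a), len(m))
    return a + (0,) * (width - len(a)) >= m + (0,) * (width - len(m))


def check_versions(cloudvision_version, enforcement_points):
    """Report a CloudVision version or enforcement points (dicts with
    name/eos/terminattr) that fall below the documented minimums or limits."""
    problems = []
    if not meets_minimum(cloudvision_version, MIN_CLOUDVISION):
        problems.append(f"CloudVision {cloudvision_version} is below 2022.1.1")
    for sw in enforcement_points:
        if not meets_minimum(sw["eos"], MIN_EOS):
            problems.append(f"{sw['name']}: EOS {sw['eos']} is below 4.27.1F")
        if not meets_minimum(sw["terminattr"], MIN_TERMINATTR):
            problems.append(f"{sw['name']}: TerminAttr {sw['terminattr']} is below 1.22")
    if len(enforcement_points) > MAX_ENFORCEMENT_POINTS:
        problems.append(f"{len(enforcement_points)} enforcement points exceeds the limit of {MAX_ENFORCEMENT_POINTS}")
    return problems


def check_segmentation(assignments, policies):
    """Validate host -> segment assignments (IP string -> segment name) and
    policies (dicts with src/dst/action and optional port/protocol keys)."""
    problems = []
    segments = set(assignments.values())
    if len(segments) > MAX_SEGMENTS:
        problems.append(f"{len(segments)} segments exceeds the limit of {MAX_SEGMENTS}")
    if len(assignments) > MAX_HOSTS:
        problems.append(f"{len(assignments)} hosts exceeds the limit of {MAX_HOSTS}")
    for host in assignments:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            problems.append(f"{host}: not a valid IP address")
            continue
        if addr.version == 6:
            problems.append(f"{host}: IPv6 hosts are not supported")
    for i, pol in enumerate(policies):
        where = f"policy {i} ({pol.get('src')} -> {pol.get('dst')})"
        if pol.get("action") not in SUPPORTED_ACTIONS:
            problems.append(f"{where}: action {pol.get('action')!r} is not forward/drop")
        if "port" in pol or "protocol" in pol:
            # Enforcement is by IP address only; a port/protocol field would be silently ignored.
            problems.append(f"{where}: port/protocol matching is not enforced; policies match on IP only")
        for end in ("src", "dst"):
            if pol.get(end) not in segments:
                problems.append(f"{where}: {end} segment {pol.get(end)!r} has no assigned hosts")
    return problems


# Constructed sample inventory and plan (not real devices or addresses).
SAMPLE_ENFORCEMENT_POINTS = [
    {"name": "leaf1", "eos": "4.28.2F", "terminattr": "1.24.0"},
    {"name": "leaf2", "eos": "4.26.4M", "terminattr": "1.19.0"},  # too old on both counts
]
SAMPLE_ASSIGNMENTS = {
    "10.10.1.5": "cameras",
    "10.10.1.6": "cameras",
    "10.20.0.7": "nvr",
    "2001:db8::10": "nvr",  # IPv6 is not supported by the integration
}
SAMPLE_POLICIES = [
    {"src": "cameras", "dst": "nvr", "action": "forward"},
    {"src": "nvr", "dst": "cameras", "action": "drop", "port": 554},  # port would be ignored
    {"src": "cameras", "dst": "printers", "action": "log"},  # unsupported action, unknown segment
]

if __name__ == "__main__":
    for line in (check_versions("2022.2.0", SAMPLE_ENFORCEMENT_POINTS)
                 + check_segmentation(SAMPLE_ASSIGNMENTS, SAMPLE_POLICIES)):
        print(line)
```

Run it against the real inventory export and the planned assignments before enabling dynamic configuration on the participating switches; an empty result means the plan stays inside the documented envelope, which matters because a host or policy the integration cannot express will not show up as an error in any switch running config.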