This document presents Arista Macro-Segmentation Service - Firewall (MSS-FW) deployment in a network with multiple Virtual Routing and Forwarding (VRF) instances.

The Segment security feature provides the convenience of applying policies on segments rather than interfaces or subnets. Hosts/networks are classified into segments based on prefixes. Grouping prefixes into segments allows for definition of policies that govern flow of traffic between segments.

This document presents how Arista Macro Segmentation Service (MSS) can be deployed in a brownfield environment with

Macro Segmentation Service with Layer 3 firewall (MSS FW) provides a mechanism to offload policy enforcement on TORs

Macro Segmentation Service with Layer 3 firewall (MSS FW) enforces all security policies bidirectionally by

This can be done with multiple groups today, as long as there are enough unique group entries available in hardware. In the absence of this configuration (the default behavior), bridged traffic is assigned to the default VRF and the policies of the default VRF are applied to it. With this feature, bridged traffic is never subject to MSS-G configuration.

Security Segmentation EOS 4.31.1F

For Macro Segmentation Service Group (MSS-G) configurations, if only the segmentation model for OpenConfig is required, then it is possible to disable all other models for OpenConfig. This feature allows access to only the /segmentation path in the OpenConfig YANG tree. This significantly reduces the OpenConfig agent’s memory usage.