Data Plane Security

IP NAT

Network address translation (NAT) is a router process that modifies the address information of IP packets in transit. NAT is typically used to map the address space of a local network onto the address space of a remote, often public, network. Static NAT defines a one-to-one mapping between local and remote IP addresses. Static mappings are configured manually through CLI commands. An interface can support multiple NAT commands, but each command must specify a unique local IP address (or, where ports are translated, a unique local address and port combination).

NAT is configured on routers that have interfaces connecting to the local networks and interfaces connecting to a remote network.

Inside and Outside Addresses

In NAT configurations, IP addresses are placed into one of two categories: inside or outside. Inside refers to IP addresses used within the organizational network. Outside refers to addresses on an external network outside the organizational network.

Static IP NAT

Static NAT configurations create a one-to-one mapping and translate a particular address to another address. This type of configuration creates a permanent entry in the NAT table as long as the configuration is present, and it enables both inside and outside hosts to initiate a connection.

Static NAT options include source NAT, destination NAT, and twice NAT.

  • Source NAT modifies the source address in the IP header of a packet exiting the interface, and can optionally change the source port referenced in the TCP/UDP headers.
  • Destination NAT modifies the destination address in the IP header of a packet entering the interface, and can optionally change the destination port referenced in the TCP/UDP headers.
  • Twice NAT modifies both the source and destination address of packets entering and exiting the interface, and can optionally change the L4 port information in the TCP/UDP headers. Twice NAT is generally used when inside network addresses overlap or otherwise conflict with outside network addresses. When a packet exits the interface, local source and destination addresses are translated to global source and destination addresses. When a packet enters the interface, global source and destination addresses are translated to local source and destination addresses.

Configuring Static NAT

Configuring Source NAT

Network address translation of a source address (source NAT) is enabled by the ip nat source static command for the configuration mode interface. Applying source NAT to interfaces that connect to local hosts shields the IP address of the host when sending IP packets to remote destinations.

This command installs hardware translation entries for forward and reverse unicast traffic. When the rule specifies a multicast group, the command does not install the reverse path in hardware. The command may include an access control list to filter packets for translation.

Note: The switch uses a single NAT table for the whole switch, not one table per interface. For example, if the same inside local address is translated to different inside global addresses on different interfaces, a packet exiting interface A may be translated to the inside global address configured for interface B. To avoid this, attach an access list to each rule that matches on the destination IP addresses reachable through that interface.
Figure 1. Source NAT Example

Example:
These commands configure VLAN 201 to translate source address 10.24.1.10 to 168.32.14.15.
switch(config)#interface vlan 201
switch(config-if-Vl201)#ip nat source static 10.24.1.10 168.32.14.15
switch(config-if-Vl201)#

The ip nat source static command may include an ACL to limit which packets are translated. Only packets that match the ACL are translated. ACLs configured for source NAT must specify a source IP address of any; source port or protocol matching is not permitted. The destination may be an IP subnet, so the ACL effectively selects packets by destination. Commands referencing nonexistent ACLs are accepted by the CLI but are not installed in hardware until the ACL is created. Modifying a referenced ACL causes the corresponding hardware entries to be replaced by entries that match the modified ACL.

Example:
These commands configure VLAN 101 to translate the source address 10.24.1.10 to 168.32.14.15 for all packets with IP destination addresses in the 168.10.1.0/24 subnet.
switch(config)#ip access-list ACL1
switch(config-acl-ACL1)#permit ip any 168.10.1.0/24
switch(config-acl-ACL1)#exit
switch(config)#interface vlan 101
switch(config-if-Vl101)#ip nat source static 10.24.1.10 access-list ACL1 168.32.14.15
switch(config-if-Vl101)#
Configuring Destination NAT

Network address translation of a destination address (destination NAT) is enabled by the ip nat destination static command for the configuration mode interface. Applying destination NAT to interfaces that connect to remote hosts shields the IP address of the recipient host when receiving IP packets from remote destinations.

This command installs hardware translation entries for forward and reverse unicast traffic. When the rule specifies a multicast group, the command does not install the reverse path in hardware. The command may include an access control list to filter packets for translation.

Figure 2. Destination NAT Example

Example:
These commands configure VLAN 201 to translate destination address 168.32.14.15 to 10.24.1.10.
switch(config)#interface vlan 201
switch(config-if-Vl201)#ip nat destination static 168.32.14.15 10.24.1.10 
switch(config-if-Vl201)#

The ip nat destination static command may include an ACL to limit which packets are translated. Only packets that match the ACL are translated. ACLs configured for destination NAT must specify a destination IP address of any; destination port or protocol matching is not permitted. The source may be an IP subnet, so the ACL effectively selects packets by source. Commands referencing nonexistent ACLs are accepted by the CLI but are not installed in hardware until the ACL is created. Modifying a referenced ACL causes the corresponding hardware entries to be replaced by entries that match the modified ACL.

Example:
These commands configure VLAN 201 to translate the destination address 168.32.14.15 to 10.24.1.10 for all packets with IP source address 168.10.1.4.
switch(config)#ip access-list ACL2
switch(config-acl-ACL2)#permit ip 168.10.1.4/32 any
switch(config-acl-ACL2)#exit
switch(config)#interface vlan 201
switch(config-if-Vl201)#ip nat destination static 168.32.14.15 access-list ACL2 10.24.1.10
switch(config-if-Vl201)#
Configuring Twice NAT

Network address translation of both source and destination addresses on the same interface (twice NAT) is enabled by creating one source NAT rule and one destination NAT rule on the same interface with the ip nat source static and ip nat destination static commands, and associating the two rules through a NAT group.

The ip nat source static command translates the actual local source address to a source address which can be used outside the local network to reference the source. The ip nat destination static command translates an internally used destination address to the actual IP address that is the destination of the packet.

The source and destination NAT rules must reference the same NAT group, and both should either specify only IP addresses or specify both IP addresses and L4 port information. If L4 port information is configured in one rule but not in the other, an error message will be displayed.

Each NAT rule installs hardware translation entries for forward and reverse unicast traffic. When the rule specifies a multicast group, the command does not install the reverse path in hardware. Twice NAT does not support the use of access control lists to filter packets for translation.

Example:
These commands configure Ethernet interface 2 to translate the local source address 10.24.1.10 to the global source address 168.32.14.15, and to translate the local destination address 10.68.104.3 to the global destination address 168.25.10.7 for all packets moving through the interface. The use of NAT group 3 is arbitrary, but must be the same in both rules.
switch(config)#interface ethernet 2
switch(config-if-Et2)#ip nat source static 10.24.1.10 168.32.14.15 group 3
switch(config-if-Et2)#ip nat destination static 10.68.104.3 168.25.10.7 group 3

Static NAT Configuration Considerations

Egress VLAN filter for static NAT

When static source NAT is configured on an interface, the source IP address is translated only for packets that exit through that interface. A packet that exits through an interface without NAT configured keeps its original source IP address.

When static source NAT is configured on two interfaces, however, the translation specified for one interface can be applied to a packet exiting the other interface, because the NAT table is shared by the whole switch.

Examples:
  • In this example, packets with source IP 20.1.1.1 exiting Ethernet 1 still have their source IP translated to 172.1.1.1, even though that rule is configured on Ethernet 2 and not on Ethernet 1.
    switch(config)#interface ethernet 1
    switch(config-if-Et1)#ip nat source static 10.1.1.1 171.1.1.1
    switch(config)#interface ethernet 2
    switch(config-if-Et2)#ip nat source static 20.1.1.1 172.1.1.1
  • To prevent this, use an ACL to filter the traffic that needs NAT on the interfaces.
    switch(config)#ip access-list acl1
    switch(config-acl-acl1)#permit ip any 171.1.1.0/24
    switch(config)#ip access-list acl2
    switch(config-acl-acl2)#permit ip any 172.1.1.0/24
    switch(config)#interface ethernet 1
    switch(config-if-Et1)#ip nat source static 10.1.1.1 access-list acl1 171.1.1.1
    switch(config)#interface ethernet 2
    switch(config-if-Et2)#ip nat source static 20.1.1.1 access-list acl2 172.1.1.1
    
  • ACL filtering is not supported when using twice NAT.
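The following Python model is an added example and is not EOS code or part of the original documentation. It reproduces the behaviour described in the note and the two configurations above: one NAT table for the whole switch, translation applied only on interfaces that have static source NAT configured, and an optional destination-subnet ACL on each rule. The class and method names, the packet addresses and the rule that a missing ACL leaves the rule uninstalled are modelling assumptions drawn from this page, not an EOS API.

```python
"""Model of the switch-wide static source NAT table described above (added example, not EOS code)."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class SnatRule:
    interface: str       # interface the rule was typed on
    original: str        # inside local source address
    translated: str      # inside global source address
    acl: str | None      # optional ACL of the form "permit ip any <dst-subnet>"


class Switch:
    """One NAT table for the whole switch; rules remember their interface but the lookup does not use it."""

    def __init__(self) -> None:
        self.acls: dict[str, list] = {}
        self.table: list[SnatRule] = []

    def ip_access_list(self, name: str, *permit_dst_subnets: str) -> None:
        # Source-NAT ACLs must use "any" as source, so only destination subnets are modelled
        self.acls[name] = [ip_network(s) for s in permit_dst_subnets]

    def ip_nat_source_static(self, interface: str, original: str, translated: str,
                             access_list: str | None = None) -> None:
        self.table.append(SnatRule(interface, original, translated, access_list))

    def _acl_permits(self, name: str, pkt: Packet) -> bool:
        return any(ip_address(pkt.dst) in net for net in self.acls[name])

    def egress(self, pkt: Packet, interface: str) -> Packet:
        """Return the packet as it leaves `interface`."""
        # Translation happens only on interfaces that have static SNAT configured...
        if not any(r.interface == interface for r in self.table):
            return pkt
        # ...but the table lookup ignores which interface each rule belongs to
        for rule in self.table:
            if rule.acl is not None and rule.acl not in self.acls:
                continue  # a rule referencing a missing ACL is accepted but not installed
            if rule.original == pkt.src and (rule.acl is None or self._acl_permits(rule.acl, pkt)):
                return Packet(rule.translated, pkt.dst)
        return pkt


def without_acls() -> Switch:
    """The first configuration above: rules on Ethernet 1 and Ethernet 2, no ACLs."""
    sw = Switch()
    sw.ip_nat_source_static("Ethernet1", "10.1.1.1", "171.1.1.1")
    sw.ip_nat_source_static("Ethernet2", "20.1.1.1", "172.1.1.1")
    return sw


def with_acls() -> Switch:
    """The second configuration: each rule restricted to the destination subnet behind its interface."""
    sw = Switch()
    sw.ip_access_list("acl1", "171.1.1.0/24")
    sw.ip_access_list("acl2", "172.1.1.0/24")
    sw.ip_nat_source_static("Ethernet1", "10.1.1.1", "171.1.1.1", access_list="acl1")
    sw.ip_nat_source_static("Ethernet2", "20.1.1.1", "172.1.1.1", access_list="acl2")
    return sw


if __name__ == "__main__":
    leak = Packet("20.1.1.1", "171.1.1.9")   # constructed packet leaving via Ethernet 1
    print("no ACL  :", without_acls().egress(leak, "Ethernet1"))   # source becomes 172.1.1.1
    print("with ACL:", with_acls().egress(leak, "Ethernet1"))      # source stays 20.1.1.1
```

The security-relevant point the model makes visible is that without the ACLs a host behind Ethernet 1 can be presented to the far side of Ethernet 1 with the global address reserved for Ethernet 2, so any policy keyed on that address (upstream filters, logging, peer allow-lists) applies to the wrong traffic.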

Dynamic NAT

Dynamic NAT is used when fewer global addresses are available than there are hosts to translate. A NAT table entry is created when a host starts a connection, establishing a one-to-one mapping between addresses for that host. The mapping can vary and depends on which addresses in the pool are free at the time of the communication. Dynamic NAT sessions can be initiated only from inside networks. NAT should be configured on a Layer 3 interface, either a routed port or a switch virtual interface (SVI). If the host does not communicate for a specified period, its dynamic NAT entry is removed from the translation table and the address is returned to the pool for use by another host.

Figure 3. Dynamic NAT Scenario

Dynamic NAT options:

  • Many-to-Many NAT

Maps local addresses to global addresses selected from a pool of global addresses. After the pool is configured, the first available address in the pool is assigned dynamically when the first packet from a host is received.

  • Many-to-One NAT (PAT)

PAT is a form of dynamic NAT in which multiple local addresses are mapped to a single global address (many-to-one) and flows are distinguished by source port. This method is also called NAT overloading, NAPT (Network Address and Port Translation), and masquerading. The global address can be the IP address configured on the outside interface.

Hardware entries that translate packets are created when the CLI command is processed. Entries for forward and reverse traffic are created for unicast traffic. The hardware entry for reverse traffic is not created for multicast traffic.

Commands may include ACLs to filter the packets that are translated. Source NAT uses ACLs to filter packets based on destination IP address; destination NAT uses ACLs to filter packets based on source IP address. When using NAT, inside usually refers to a private network and outside usually refers to a public network.

A switch with NAT configured translates forwarded traffic between inside and outside interfaces, and the flow that matches the criteria specified for translation.

The same IP address cannot be used both in a static NAT configuration and in a pool for dynamic NAT; public IP addresses must be unique. The switch does not automatically exclude the global addresses used in static translations from dynamic pools that contain the same addresses, so overlapping ranges must be avoided in the configuration.

Configuring Dynamic NAT

Prerequisites
  • Configure an ACL to specify IP addresses allowed to be translated.
  • Determine if you should use an IP address as the translated source address.
  • Decide on a public IP address pool for address translation.
Configure the Address Pool

The addresses used for translation are configured by issuing the ip nat pool command in global configuration mode.

Example
This command configures pool p1 with start address 10.15.15.15, end address 10.15.15.25 and a prefix length of 24.
switch(config)#ip nat pool p1 10.15.15.15 10.15.15.25 prefix-length 24
switch(config)#
Set the IP Address

The ip address command configures VLAN 201 with an IP address.

Examples
  • This command configures an IPv4 address for VLAN 201.
    switch(config)#interface vlan 201
    switch(config-if-Vl201)#ip address 10.0.0.1/24
    switch(config-if-Vl201)#
  • This command configures dynamic source NAT on VLAN 201: source addresses permitted by ACL2 are translated to addresses from pool p2.
    switch(config-if-Vl201)#ip nat source dynamic access-list ACL2 pool p2
    switch(config-if-Vl201)#
Define the NAT Source Address for Translation

The ip nat source dynamic command specifies dynamic translation of source addresses that match an ACL, either to addresses drawn from a named pool or, with the overload keyword, to a single global address with flows distinguished by L4 port.

Example
These commands configure dynamic source NAT on Ethernet 3/1: source addresses permitted by ACL2 are translated to addresses from pool p2.
switch(config)#interface ethernet 3/1
switch(config-if-Et3/1)#ip nat source dynamic access-list ACL2 pool p2
switch(config-if-Et3/1)#
Specify the Timeout Values

The ip nat translation tcp-timeout or ip nat translation udp-timeout commands alter the translation timeout period for NAT translation table entries.

Examples
  • This command globally sets the timeout for TCP to 600 seconds.
    switch(config)#ip nat translation tcp-timeout 600
    switch(config)#
  • This command globally sets the timeout for UDP to 800 seconds.
    switch(config)#ip nat translation udp-timeout 800
    switch(config)#
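The following Python model is an added example, not EOS code or part of the original documentation. It simulates the dynamic NAT behaviour described in this section: a many-to-many pool that hands each inside host one global address on its first outbound packet, overload (PAT) that shares one global address and distinguishes flows by port, refusal of flows initiated from outside, and the TCP and UDP idle timeouts that remove entries and return addresses to the pool. The addresses, the 600/800 second defaults and the PAT port allocator starting at 1024 are constructed for the example.

```python
"""Toy model of dynamic source NAT: pool (many-to-many) and overload/PAT (many-to-one) with idle timeouts."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Entry:
    inside: tuple[str, int]    # (local address, local port)
    outside: tuple[str, int]   # (global address, global port)
    proto: str                 # "tcp" or "udp"
    last_seen: float           # time of the last packet in either direction


class DynamicNat:
    def __init__(self, pool: list[str], overload: bool = False,
                 tcp_timeout: float = 600, udp_timeout: float = 800) -> None:
        self.pool = list(pool)             # free global addresses (many-to-many mode)
        self.overload = overload           # PAT: every host shares pool[0], flows differ by port
        self.timeouts = {"tcp": tcp_timeout, "udp": udp_timeout}
        self.entries: list[Entry] = []
        self.next_port = 1024              # assumed PAT port allocator start

    def _find(self, key, value):
        return next((e for e in self.entries if key(e) == value), None)

    def outbound(self, src: str, sport: int, proto: str, now: float):
        """Inside host sends a packet: create or refresh its entry. Returns the global (addr, port) or None."""
        self.expire(now)
        entry = self._find(lambda e: (e.inside, e.proto), ((src, sport), proto))
        if entry is None:
            if self.overload:
                if not self.pool:
                    return None
                outside = (self.pool[0], self.next_port)
                self.next_port += 1
            else:
                # many-to-many: a host keeps the global address its first flow was given
                same_host = self._find(lambda e: e.inside[0], src)
                if same_host is not None:
                    gaddr = same_host.outside[0]
                elif self.pool:
                    gaddr = self.pool.pop(0)   # first available address in the pool
                else:
                    return None                # pool exhausted: the flow is not translated
                outside = (gaddr, sport)
            entry = Entry((src, sport), outside, proto, now)
            self.entries.append(entry)
        entry.last_seen = now
        return entry.outside

    def inbound(self, dst: str, dport: int, proto: str, now: float):
        """Packet from outside: translated only if an entry exists; outside hosts cannot open flows."""
        self.expire(now)
        entry = self._find(lambda e: (e.outside, e.proto), ((dst, dport), proto))
        if entry is None:
            return None
        entry.last_seen = now
        return entry.inside

    def expire(self, now: float) -> None:
        """Drop idle entries; in pool mode, return a host's address once its last flow is gone."""
        expired = [e for e in self.entries if now - e.last_seen >= self.timeouts[e.proto]]
        self.entries = [e for e in self.entries if now - e.last_seen < self.timeouts[e.proto]]
        if not self.overload:
            still_active = {e.inside[0] for e in self.entries}
            for e in expired:
                if e.inside[0] not in still_active:
                    self.pool.append(e.outside[0])
                    still_active.add(e.inside[0])   # return each address once


if __name__ == "__main__":
    nat = DynamicNat(["10.15.15.15", "10.15.15.16"])          # constructed two-address pool
    print(nat.outbound("192.168.1.10", 40000, "tcp", 0))      # first host takes 10.15.15.15
    print(nat.outbound("192.168.1.11", 40001, "tcp", 1))      # second host takes 10.15.15.16
    print(nat.outbound("192.168.1.12", 40002, "tcp", 2))      # pool exhausted: None
    print(nat.inbound("10.15.15.15", 5555, "tcp", 3))         # unsolicited from outside: None
```

The pool-exhaustion and unsolicited-inbound cases are the two a practitioner should look for when sizing a pool or when NAT is being relied on as a one-way boundary: a third host gets no translation until an earlier entry idles out, and a packet from outside that matches no entry is never forwarded inside.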

Verify the NAT Configuration

Display the Address Pools

The show ip nat pool command displays the configuration of the address pools.

Example:
This command displays all the address pools configured on the switch.
switch#show ip nat pool

Pool  StartIp       EndIp         Prefix
p1    10.15.15.15   10.15.15.25   24
p2    10.10.15.15   10.10.15.25   22
p3    10.12.15.15   10.12.15.25   12

switch#

Clearing IP NAT Table Entries

Use the clear ip nat flow translation command to remove all or the specified NAT table entries.

Example:
This command clears all dynamic entries from the NAT table.
switch#clear ip nat flow translation
switch#

Dynamic NAT Configuration Considerations

Configuring Dynamic NAT Using Pools in a L2 Adjacent Network

When many-to-one dynamic NAT is configured using a NAT pool, and the next hop router for the NAT device is on the same network (L2 adjacent), then you must configure the IP addresses in the NAT pool as a secondary address on the interface.

Example:

The IP addresses in the NAT pool are configured as the secondary address on the interface.

switch(config)#ip nat pool p1 10.1.1.1 10.1.1.4 prefix-length 24
switch(config)#interface ethernet 1
switch(config-if-Et1)#ip nat source dynamic access-list a1 pool p1
switch(config-if-Et1)#ip address 10.1.1.1/24 secondary
switch(config-if-Et1)#ip address 10.1.1.2/24 secondary
switch(config-if-Et1)#ip address 10.1.1.3/24 secondary
switch(config-if-Et1)#ip address 10.1.1.4/24 secondary
Configuring Dynamic NAT Using Pool in a L3 Network

If the next hop of the NAT device is on a different subnet, then you should configure a static Null route for the IP addresses in the NAT pool. Redistribute the static route using BGP/OSPF.

Examples:
  • Outside Interface

    switch(config)#interface port-channel 319
    switch(config-if-Po319)#ip nat source dynamic access-list dynamic-nat-m2m pool natpl-dynamic-nat-m2m
    switch(config)#ip access-list dynamic-nat-m2m
    switch(config-acl-dynamic-nat-m2m)#10 permit ip 192.168.93.0/24 any
    switch(config)#ip nat pool natpl-dynamic-nat-m2m prefix-length 24
    switch(config-natpool-natpl-dynamic-nat-m2m)#range 11.3.3.2 11.3.3.10
  • Static Null Route for Virtual IP
    switch(config)#ip route 11.0.0.0/8 Null0
    switch(config)#router ospf 1
    switch(config-router-ospf)#redistribute static
Configuring Dynamic NAT Using Overload with ECMP Routes

Dynamic many-to-one NAT using overload (PAT) should not be configured on interfaces that form an ECMP group. When one interface in the group goes down, the return packet for connections that are already established will continue to go to the IP address of the interface that went down and will not be forwarded to the inside host. For this type of scenario, use Dynamic NAT with pool configurations.

Dynamic NAT Peer State Synchronization

NAT peer state synchronization provides redundancy and resiliency for dynamic NAT across a pair of devices, so that the failure of a single NAT device does not drop translated sessions. Both devices in the redundant pair are active; each tracks new sessions and creates or deletes NAT entries dynamically, and every active NAT entry is maintained on both devices regardless of which device created it.

Configuring Dynamic NAT Peer State Synchronization

The following prerequisites should be fulfilled before configuring NAT peer state synchronization on devices in a redundant pair.

  • Both devices in the redundant pair must be reachable from each other through IP addresses in the same subnet.
  • NAT version on both devices in redundant pair must be compatible.
  • Dynamic NAT configuration must be identical across both devices in redundant pair.

The following configuration output indicates a valid running configuration of the NAT peer state synchronization on one device.

ip nat pool POOL61 prefix-length 24
   range 170.24.0.2 170.24.0.200

ip access-list NatACL61
   10 permit ip 61.0.0.0/16 any

interface Port-Channel5
   mtu 9214
   no switchport
   ip address 10.0.0.1/31
   ip nat source dynamic access-list NatACL61 pool POOL61

ip nat synchronization
   peer-address 11.11.11.1
   local-interface Vlan1111
   port-range 1024 2048

The following limitations are applicable during NAT peer state synchronization.

  • While configuring dynamic NAT peer state synchronization across peer switches, the port range values of the switches should always be disjoint to avoid virtual IP conflict.
  • NAT peer state synchronization does not support asymmetrical TCP setup (SYN - SYNACK - ACK should always be hashed to the same peer.)
  • The connection is only synchronized with a peer if the TCP state is established.
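The following Python linter is an added example, not EOS code or part of the original documentation. It parses a running-config fragment in the indented style shown above and checks three constraints this page states: twice NAT rule pairs (one source and one destination rule per group on an interface, L4 ports on both rules or on neither, no access-list), static addresses that also lie inside a dynamic pool, and disjoint port-range values between synchronization peers. The sample fragment, the function names and the finding messages are constructed for the example; the parser handles only the command forms that appear on this page.

```python
"""Lint an EOS-style NAT configuration fragment for constraints stated on this page (added example)."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample: one dynamic pool, two twice-NAT groups, one plain static rule.
SAMPLE_CONFIG = """
ip nat pool POOL61 prefix-length 24
   range 170.24.0.2 170.24.0.200
interface Ethernet2
   ip nat source static 10.24.1.10 168.32.14.15 group 3
   ip nat destination static 10.68.104.3 168.25.10.7 group 3
interface Ethernet3
   ip nat source static 10.24.1.11 8080 168.32.14.16 80 group 4
   ip nat destination static 10.68.104.4 168.25.10.8 group 4
interface Vlan201
   ip nat source static 10.24.1.12 170.24.0.50
"""


@dataclass
class StaticRule:
    intf: str
    kind: str            # "source" or "destination"
    orig: str
    oport: int | None
    acl: str | None
    trans: str
    tport: int | None
    group: int | None


def _parse_static(t: list[str], intf: str) -> StaticRule:
    # ip nat <kind> static ORIGINAL [port] [access-list NAME] TRANSLATED [port] [protocol P] [group N]
    i = 4
    orig, i = t[i], i + 1
    oport = None
    if i < len(t) and t[i].isdigit():
        oport, i = int(t[i]), i + 1
    acl = None
    if i < len(t) and t[i] == "access-list":
        acl, i = t[i + 1], i + 2
    trans, i = t[i], i + 1
    tport = int(t[i]) if i < len(t) and t[i].isdigit() else None
    group = int(t[t.index("group") + 1]) if "group" in t else None
    return StaticRule(intf, t[2], orig, oport, acl, trans, tport, group)


def parse_nat_config(text: str):
    pools, rules, intf, pool = {}, [], None, None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "interface":
            intf, pool = t[1], None
        elif t[:3] == ["ip", "nat", "pool"]:
            pool = t[3]
            pools[pool] = None
        elif t[0] == "range" and pool:
            pools[pool] = (ip_address(t[1]), ip_address(t[2]))
        elif t[:2] == ["ip", "nat"] and len(t) > 4 and t[3] == "static" and intf:
            rules.append(_parse_static(t, intf))
    return pools, rules


def lint(pools, rules) -> list[str]:
    findings = []
    # Twice NAT: a group on an interface needs one source and one destination rule,
    # L4 ports on both rules or on neither, and no access-list.
    groups = defaultdict(list)
    for r in rules:
        if r.group is not None:
            groups[(r.intf, r.group)].append(r)
    for (intf, g), members in groups.items():
        kinds = sorted(m.kind for m in members)
        if kinds != ["destination", "source"]:
            findings.append(f"{intf} group {g}: needs one source and one destination rule, has {kinds}")
            continue
        if len({m.oport is not None for m in members}) == 2:
            findings.append(f"{intf} group {g}: L4 port given in one rule but not the other")
        if any(m.acl for m in members):
            findings.append(f"{intf} group {g}: access-list is not supported with twice NAT")
    # An address used in a static rule must not also lie inside a dynamic pool.
    for r in rules:
        for addr in (r.orig, r.trans):
            for name, span in pools.items():
                if span and span[0] <= ip_address(addr) <= span[1]:
                    findings.append(f"{r.intf}: static address {addr} overlaps dynamic pool {name}")
    return findings


def sync_port_ranges_disjoint(local: tuple[int, int], peer: tuple[int, int]) -> bool:
    """Peer state synchronization: the two switches' port-range values must not overlap."""
    return local[1] < peer[0] or peer[1] < local[0]


if __name__ == "__main__":
    for f in lint(*parse_nat_config(SAMPLE_CONFIG)):
        print("finding:", f)
```

Run against the sample, the linter reports the group 4 pair on Ethernet3 (ports on the source rule only) and the Vlan201 rule whose translated address 170.24.0.50 sits inside POOL61; the switch accepts the first with an error message and silently accepts the second, which is why a pre-deployment check is worth having.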

IP NAT Commands

clear ip nat flow translation

The clear ip nat flow translation command clears all or the specified NAT table entries.

Command Mode

Privileged EXEC

Command Syntax

clear ip nat flow translation [HOST_ADDR [DEST_ADDR]] [INTF][ PROT_TYPE]

Parameters

DEST_ADDR must immediately follow HOST_ADDR. All other parameters, including HOST_ADDR, may be placed in any order.

  • HOST_ADDR Host (local) address of the entries to clear. Options include:

    • <no parameter> Entries are not filtered by host address.
    • address local_ipv4 Entries with the specified local IPv4 address.
    • address local_ipv4 local_port Entries with the specified local IPv4 address and port (port value ranges from 1 to 65535).
  • DEST_ADDR Destination address of the translated packet. Can be entered only when HOST_ADDR is specified. Options include:

    • <no parameter> Entries are not filtered by destination address.
    • global_ipv4 Entries with the specified IPv4 address.
    • global_ipv4 global_port Entries with the specified IPv4 address and port (port value ranges from 1 to 65535).
  • INTF Interface whose entries are cleared. Options include:

    • <no parameter> Entries on all interfaces are cleared.
    • interface ethernet e_num Ethernet interface specified by e_num.
    • interface loopback l_num Loopback interface specified by l_num.
    • interface management m_num Management interface specified by m_num.
    • interface port-channel p_num Port-channel interface specified by p_num.
    • interface vlan v_num VLAN interface specified by v_num.
  • PROT_TYPE Filters entries by protocol. Options include:

    • <no parameter> Entries for all protocols are cleared.
    • tcp Only TCP entries are cleared.
    • udp Only UDP entries are cleared.

Examples:
  • This command clears all dynamic entries from the NAT translation table.
    switch#clear ip nat flow translation
    switch#
  • This command clears a specific NAT IP address 172.22.30.52.
    switch#clear ip nat flow translation address 172.22.30.52
    switch#
  • This command clears the inside entry that maps the private address 10.10.10.3 to Internet address 172.22.30.52.
    switch#clear ip nat flow translation address 172.22.30.52 10.10.10.3
    switch#

ip address

The ip address command configures the IPv4 address and connected subnet on the configuration mode interface. Each interface can have one primary address and multiple secondary addresses.

The no ip address and default ip address commands remove the IPv4 address assignment from the configuration mode interface. Entering the command without specifying an address removes the primary and all secondary addresses from the interface. The primary address cannot be deleted until all secondary addresses are removed from the interface.

Removing all IPv4 address assignments from an interface disables IPv4 processing on that port.

Command Mode

Interface-Ethernet Configuration

Interface-Loopback Configuration

Interface-Management Configuration

Interface-Port-channel Configuration

Interface-VLAN Configuration

Command Syntax

ip address [ipv4_subnet][PRIORITY]

no ip address [ipv4_subnet][PRIORITY]

default ip address [ipv4_subnet][PRIORITY]

Parameters

  • ipv4_subnet IPv4 and subnet address (CIDR or address-mask notation). Running-config stores value in CIDR notation.
  • PRIORITY interface priority. Options include:

    • <no parameter> The address is the primary IPv4 address for the interface.
    • secondary The address is the secondary IPv4 address for the interface.

Guidelines

The ip address command is supported on routable interfaces.

Example:
This command configures an IPv4 address for VLAN 200.
switch(config)#interface vlan 200
switch(config-if-Vl200)#ip address 10.0.0.1/24
switch(config-if-Vl200)#

ip nat destination static

The ip nat destination static command enables NAT of a specified destination address for the configuration mode interface. This command installs hardware translation entries for forward and reverse unicast traffic. When the rule specifies a multicast group, the command does not install the reverse path in hardware. The command may include an access control list to filter packets for translation.

When configuring twice NAT, an arbitrary NAT group number is used to associate the source NAT and destination NAT rules. This number must be the same in both rules.

The no ip nat destination static and default ip nat destination static commands disable NAT translation of the specified destination address by removing the corresponding ip nat destination static command from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-channel Configuration

Interface-VLAN Configuration

Command Syntax

ip nat destination static ORIGINAL [FILTER] TRANSLATED [PROT_TYPE][group group_number]

no ip nat destination static ORIGINAL [FILTER] TRANSLATED [PROT_TYPE] [group group_number]

default ip nat destination static ORIGINAL [FILTER] TRANSLATED [PROT_TYPE][group group_number]

Parameters

  • ORIGINAL Destination address to be modified. Options include:

    • local_ipv4 IPv4 address.
    • local_ipv4 local_port IPv4 address and port (port value ranges from 1 to 65535).
  • FILTER Access control list that filters packets. Options include:

    • <no parameter> All packets with the specified destination address are translated.
    • access-list list_name List that specifies the packets to be translated. Not supported when configuring twice NAT.
  • TRANSLATED Destination address of translated packet. Options include:

    • global_ipv4 IPv4 address.
    • global_ipv4 global_port IPv4 address and port (port value ranges from 1 to 65535). When configuring twice NAT, source and destination NAT rules must either both specify a port translation or both not specify a port translation.
  • PROT_TYPE Filters packets based on protocol type. Options include:

    • <no parameter> Packets of all protocols with the specified destination address are translated.
    • protocol tcp Only TCP packets with the specified destination address are translated.
    • protocol udp Only UDP packets with the specified destination address are translated.
  • group group_number Used only when configuring twice NAT, the NAT group number associates a source NAT rule with a destination NAT rule on the same interface. The group number (values range from 1 to 255) is arbitrary, but must be the same in both rules.

Examples:
  • These commands configure VLAN 201 to translate destination address 10.24.1.10 to 168.32.14.15.
    switch(config)#interface vlan 201
    switch(config-if-Vl201)#ip nat destination static 10.24.1.10 168.32.14.15
    switch(config-if-Vl201)#
  • These commands configure VLAN 201 to translate the destination address 168.32.14.15 to 10.24.1.10 for all packets with IP source address 168.10.1.1.
    switch(config)#ip access-list ACL2
    switch(config-acl-ACL2)#permit ip 168.10.1.1/32 any
    switch(config-acl-ACL2)#exit
    switch(config)#interface vlan 201
    switch(config-if-Vl201)#ip nat destination static 168.32.14.15 access-list ACL2 10.24.1.10
    switch(config-if-Vl201)#
  • These commands configure Ethernet interface 2 to translate the local source address 10.24.1.10 to the global source address 168.32.14.15, and to translate the local destination address 10.68.104.3 to the global destination address 168.25.10.7 for all packets moving through the interface. The use of NAT group 3 is arbitrary, but must be the same in both rules.
    switch(config)#interface ethernet 2
    switch(config-if-Et2)#ip nat source static 10.24.1.10 168.32.14.15 group 3
    switch(config-if-Et2)#ip nat destination static 10.68.104.3 168.25.10.7 group 3
    

ip nat pool

The ip nat pool command identifies a pool of addresses using start address, end address, and either netmask or prefix length. If its starting IP address and ending IP address are the same, there is only one address in the address pool.

The no ip nat pool and default ip nat pool commands remove the ip nat pool command from running-config.

Command Mode

Global Configuration

Command Syntax

ip nat pool pool_name [ADDRESS_SPAN] SUBNET_SIZE

no ip nat pool pool_name

default ip nat pool pool_name

Parameters

  • pool_name Name of the IP address pool.
  • ADDRESS_SPAN Options include:

    • start_addr The first IP address in the address pool (IPv4 addresses in dotted decimal notation).
    • end_addr The last IP address in the address pool. (IPv4 addresses in dotted decimal notation).
  • SUBNET_SIZE The subnet to which the pool addresses belong. This functions as a sanity check to ensure that no address in the span is the network or broadcast address. Options include:

    • netmask ipv4_addr The netmask of the address pool’s network (dotted decimal notation).
    • prefix-length <0 to 32> The number of bits of the netmask (of the address pool’s network) that are ones (how many bits of the address indicate network).

Examples:
  • This command configures the pool of addresses using start address, end address, and prefix length of 24.
    switch(config)#ip nat pool pool1 10.15.15.15 10.15.15.25 prefix-length 24
    switch(config)#
  • This command removes the pool of addresses.
    switch(config)#no ip nat pool pool1
    switch(config)#

ip nat source dynamic

The ip nat source dynamic command enables NAT of a specified source address for packets sent and received on the configuration mode interface. This command installs hardware translation entries for forward and reverse traffic. When the rule specifies a multicast group, the command does not install the reverse path in hardware. The command may include an access control list to filter packets for translation.

The no ip nat source dynamic and default ip nat source dynamic commands disable NAT translation of the specified source addresses by removing the corresponding ip nat source dynamic command from running-config.

Note: Ethernet and Port-channel interfaces should be configured as routed ports.

Command Mode

Interface-Ethernet Configuration

Interface-Port-channel Configuration

Interface-VLAN Configuration

Command Syntax

ip nat source dynamic access-list acl_name POOL_TYPE

no ip nat source dynamic access-list acl_name

default ip nat source dynamic access-list acl_name

Parameters

  • acl_name Access control list that selects the internal network addresses eligible for NAT.
  • POOL_TYPE Options include:

    • overload Translates multiple local addresses to a single global address. When overloading is enabled, conversations using the same global IP address are distinguished by their TCP or UDP port number.
    • pool pool_name The name of the IP address pool, defined with the ip nat pool command. The pool option is required even if the pool has just one address; NAT then uses that one address for all of the translations.
    • pool_fullcone Enables full cone NAT, where all requests from the same internal IP address and port are mapped to the same external IP address and port.

Examples:
  • This command configures dynamic source NAT on interface Ethernet 3/1 for packets matching access-list ACL2, using address pool p2.
    switch(config)#interface ethernet 3/1
    switch(config-if-Et3/1)#ip nat source dynamic access-list ACL2 pool p2
    switch(config-if-Et3/1)#
  • This command disables the NAT source translation on interface Ethernet 3/1.
    switch(config)#interface ethernet 3/1
    switch(config-if-Et3/1)#no ip nat source dynamic access-list ACL2 
    switch(config-if-Et3/1)# 

ip nat source static

The ip nat source static command enables NAT of a specified source address for the configuration mode interface. This command installs hardware translation entries for forward and reverse unicast traffic. When the rule specifies a multicast group, the command does not install the reverse path in hardware. The command may include an access control list to filter packets for translation.

When configuring twice NAT, an arbitrary NAT group number is used to associate the source NAT and destination NAT rules. This number must be the same in both rules.

The no ip nat source static and default ip nat source static commands disable NAT translation of the specified source address by removing the corresponding ip nat source static command from running_config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-channel Configuration

Interface-VLAN Configuration

Command Syntax

ip nat source static ORIGINAL [FILTER] TRANSLATED [PROT_TYPE] [group group_number]

no ip nat source static ORIGINAL [FILTER] TRANSLATED [PROT_TYPE] [group group_number]

default ip nat source static ORIGINAL [FILTER] TRANSLATED [PROT_TYPE] [group group_number]

Parameters

  • ORIGINAL Source address to be modified. Options include:

    • original_ipv4 IPv4 address.
    • original_ipv4 original_port IPv4 address and port (port value ranges from 1 to 65535).
  • FILTER Access control list that filters packets. Options include:

    • <no parameter> All packets with specified source address are cleared.
    • access-list list_name List that specifies the packets that are cleared. Not supported when configuring twice NAT.
  • TRANSLATED Source address of translated packet. Options include:

    • translated_ipv4 IPv4 address.
    • translated_ipv4 translated_port IPv4 address and port (port value ranges from 1 to 65535). When configuring twice NAT, source and destination NAT rules must either both specify a port translation or both not specify a port translation.
  • PROT_TYPE Filters packets based on protocol type. Options include:

    • <no parameter> All packets with specified source address are cleared.
    • protocol tcp TCP packets with specified source address are cleared.
    • protocol udp UDP packets with specified source address are cleared.
  • group group_number Used only when configuring twice NAT, the NAT group number associates a source NAT rule with a destination NAT rule on the same interface. The group number (values range from 1 to 255) is arbitrary, but must be the same in both rules.

Restrictions

  • If ORIGINAL includes a port, TRANSLATED must also include a port.
  • If ORIGINAL does not include a port, TRANSLATED cannot include a port.

Examples
  • These commands configure VLAN 101 to translate source address 10.24.1.10 to 168.32.14.15.
    switch(config)#interface vlan 101
    switch(config-if-Vl101)#ip nat source static 10.24.1.10 168.32.14.15
    switch(config-if-Vl101)#
  • These commands configure VLAN 101 to translate the source address 10.24.1.10 to 168.32.14.15 for packets that match access-list ACL1, that is, all packets with IP destination addresses in the 168.10.1.1/32 subnet.
    switch(config)#ip access-list ACL1
    switch(config-acl-ACL1)#permit ip any 168.10.1.1/24
    switch(config-acl-ACL1)#exit
    switch(config)#interface vlan 101
    switch(config-if-Vl101)#ip nat source static 10.24.1.10 access-list ACL1 168.32.14.15
    switch(config-if-Vl101)#
  • These commands configure Ethernet interface 2 to translate the local source address 10.24.1.10 to the global source address 168.32.14.15, and to translate the local destination address 10.68.104.3 to the global destination address 168.25.10.7 for all packets moving through the interface. The use of NAT group 3 is arbitrary, but must be the same in both rules.
    switch(config)#interface ethernet 2 
    switch(config-if-Et2)#ip nat source static 10.24.1.10 168.32.14.15 group 3
    switch(config-if-Et2)#ip nat destination static 10.68.104.3 168.25.10.7 group 3

ip nat translation counters

The ip nat translation counters command enables the feature to count packets that are translated by static and twice NAT rules in hardware. Once this feature is enabled, all current rules in hardware and new rules that are configured after running this command receive policers for counting packets.

The no ip nat translation counters and default ip nat translation counters commands disable the packet counter feature for static and twice NAT connections.

Command Mode

Global Configuration

Command Syntax

ip nat translation counters

no ip nat translation counters

default ip nat translation counters

Guidelines

The ip nat translation counters command is supported on the DCS-7150 series switches only. This command is intended solely for debugging static and twice NAT translation failures in hardware. Disable this feature after completing troubleshooting. If this feature remains enabled when the count of static connections exceeds 275, it can cause unpredictable behavior, including a restart of the FocalPointV2 agent; that restart disrupts traffic.

Example:
The ip nat translation counters command enables the packet counter feature for static and twice NAT connections. Using the show ip nat translation hardware detail and show ip nat translation twice hardware detail commands, you can verify the packet count.
switch(config)#ip nat translation counters
switch(config)#show ip nat translation hardware detail

Source IP        Destination IP  Translated IP  TGT  Type  Intf    Proto  Packets  Packets Reply
----------------------------------------------------------------------------------------------
192.168.10.2:0   -               20.1.10.2:0    SRC  STAT  Vl2640  -      2        1
192.168.110.2:0  -               20.1.110.2:0   SRC  STAT  Vl2640  -      2        1

switch(config)#show ip nat translation twice hardware detail
Source IP      Destination IP  Translated Src IP  Translated Dst IP  Intf    Group  Proto  Packets  Packets Reply
---------------------------------------------------------------------------------------------
192.16.50.2:0  10.1.50.2:0     20.1.50.2:0        10.1.60.2:0        Vl2922  2      -      2        1
19.16.150.2:0  10.1.150.2:0    20.1.150.2:0       10.1.160.2:0       Vl2922  12     -      2

ip nat translation low-mark

The ip nat translation low-mark command configures the minimum threshold that triggers the resumption of programming new NAT translation connections.

The ip nat translation max-entries command specifies the maximum number of NAT translation connections that can be stored. When this limit is reached, new connections are dropped instead of being programmed in hardware or software. From that point, no new connections are programmed until the number of stored entries drops below the configured low mark, expressed as a percentage of the max-entries value. The default low-mark value is 90%.

The no ip nat translation low-mark and default ip nat translation low-mark commands restore the default low-mark value by removing the ip nat translation low-mark command from running_config.

Command Mode

Global Configuration

Command Syntax

ip nat translation low-mark threshold

no ip nat translation low-mark

default ip nat translation low-mark

Parameters

  • threshold Percentage of maximum connection entries. Value ranges from 1 to 99. Default is 90.

Example:
This command globally sets the translation low mark of 93%.
switch(config)#ip nat translation low-mark 93
switch(config)#

ip nat translation max-entries

The ip nat translation max-entries command specifies maximum number of NAT translation connections. After this threshold is reached, new connections are dropped until the number of programmed connections is reduced below the level specified by the ip nat translation low-mark command.

The no ip nat translation max-entries and default ip nat translation max-entries commands remove the maximum connection limit and reset the parameter value to zero by removing the ip nat translation max-entries command from running_config.

Command Mode

Global Configuration

Command Syntax

ip nat translation max-entries connections

no ip nat translation max-entries

default ip nat translation max-entries

Parameters

  • connections The maximum number of NAT translation connections. Value ranges from 0 to 4294967295. Default value is 0, which removes the connection limit.

Example:
This command limits the number of NAT translation connections the switch can store to 3000.
switch(config)#ip nat translation max-entries 3000
switch(config)#
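The interaction between ip nat translation max-entries and ip nat translation low-mark described above is a hysteresis: programming stops when the limit is hit and does not resume until the count drops below the low mark. The following Python model is an added illustration written for this page, not Arista EOS code; the host address, ports and poll sequence are constructed, and the numbers (max-entries 3000, low-mark 93) are those of the examples on this page.

```python
"""Model of the NAT connection-limit hysteresis configured with
ip nat translation max-entries and ip nat translation low-mark.

Added illustration for this page, not Arista EOS code. It reproduces the
documented behaviour: once the number of programmed connections reaches
max-entries, new connections are dropped until the count falls below
low-mark percent of max-entries. max-entries 0 means no limit (the EOS
default); low-mark defaults to 90 percent.
"""
from dataclasses import dataclass, field


@dataclass
class NatConnectionLimiter:
    max_entries: int = 0          # 0 = no limit (EOS default)
    low_mark_pct: int = 90        # 1..99 (EOS default 90)
    entries: set = field(default_factory=set)
    blocked: bool = False         # True from hitting the limit until the low mark
    dropped: int = 0              # connections refused so far

    def __post_init__(self) -> None:
        if not 1 <= self.low_mark_pct <= 99:
            raise ValueError("low-mark must be between 1 and 99")
        if self.max_entries < 0:
            raise ValueError("max-entries must be 0 or positive")

    @property
    def low_mark(self) -> int:
        """Absolute resume threshold, the number EOS shows next to the
        percentage in 'show ip nat translation max-entries'."""
        return self.max_entries * self.low_mark_pct // 100

    def add(self, conn) -> bool:
        """Try to program a new connection; return True if it was accepted."""
        if conn in self.entries:
            return True                       # existing translation is reused
        if self.max_entries:
            if len(self.entries) >= self.max_entries:
                self.blocked = True           # limit reached: stop programming
            if self.blocked:
                self.dropped += 1
                return False
        self.entries.add(conn)
        return True

    def remove(self, conn) -> None:
        """Age out or clear a connection; resume once below the low mark."""
        self.entries.discard(conn)
        # max(..., 1) keeps a tiny limit (low mark rounding to 0) from blocking forever
        if self.blocked and len(self.entries) < max(self.low_mark, 1):
            self.blocked = False


def demo() -> dict:
    """Walk through the page's values: max-entries 3000, low-mark 93 (= 2790)."""
    lim = NatConnectionLimiter(max_entries=3000, low_mark_pct=93)
    # Constructed flows: one inside host opening 3000 distinct source ports.
    conns = [("10.24.1.10", 40000 + i) for i in range(3000)]
    for c in conns:
        lim.add(c)
    over_limit = lim.add(("10.24.1.10", 50000))     # 3000 stored: dropped
    for c in conns[:200]:                            # down to 2800, still >= 2790
        lim.remove(c)
    still_blocked = lim.add(("10.24.1.10", 50001))  # dropped: hysteresis
    for c in conns[200:211]:                         # down to 2789 < 2790
        lim.remove(c)
    resumed = lim.add(("10.24.1.10", 50002))        # accepted again
    unlimited = NatConnectionLimiter()               # max-entries 0
    no_limit = all(unlimited.add(("10.24.1.10", p)) for p in range(10000))
    return {
        "low_mark": lim.low_mark,
        "over_limit_accepted": over_limit,
        "still_blocked_accepted": still_blocked,
        "resumed_accepted": resumed,
        "dropped": lim.dropped,
        "stored": len(lim.entries),
        "unlimited_accepts_all": no_limit,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```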

ip nat translation tcp-timeout

The ip nat translation tcp-timeout command specifies the translation timeout period for translation table entries. The timeout period specifies the interval during which the switch will attempt to reuse an existing TCP translation for devices specified by table entries.

The no ip nat translation tcp-timeout and default ip nat translation tcp-timeout commands reset the timeout to its default by removing the corresponding ip nat translation tcp-timeout command from running_config.

Command Mode

Global Configuration

Command Syntax

ip nat translation tcp-timeout period

no ip nat translation tcp-timeout

default ip nat translation tcp-timeout

Parameters

  • period Time-out period in seconds for port translations. Value ranges from 0 to 4294967295. Default value is 86400 (24 hours).

Examples:
  • This command sets the TCP timeout for translations to 600 seconds.
    switch(config)#ip nat translation tcp-timeout 600
    switch(config)#
  • This command removes the TCP translation timeout.
    switch(config)#no ip nat translation tcp-timeout 
    switch(config)#

ip nat translation udp-timeout

The ip nat translation udp-timeout command specifies the translation timeout period for translation table entries. The timeout period specifies the interval during which the switch attempts to establish a UDP connection with devices specified by table entries.

The no ip nat translation udp-timeout and default ip nat translation udp-timeout commands reset the timeout to its default by removing the corresponding ip nat translation udp-timeout command from running_config.

Command Mode

Global Configuration

Command Syntax

ip nat translation udp-timeout period

no ip nat translation udp-timeout

default ip nat translation udp-timeout

Parameters

  • period Value ranges from 0 to 4294967295. Default value is 300 (5 minutes).

Examples:
  • This command globally sets the timeout for UDP to 800 seconds.
    switch(config)#ip nat translation udp-timeout 800
  • This command removes the timeout for UDP.
    switch(config)#no ip nat translation udp-timeout

show ip nat access-list interface

The show ip nat acl interface command displays the access control lists (ACLs) that are configured as source NAT or destination NAT filters. The display indicates ACL rules that do not comply with these NAT requirements:

  • Source IP address is any.
  • Destination IP address may use any mask size.
  • Source port matching is not allowed.
  • Protocol matching is not allowed.

Command Mode

EXEC

Command Syntax

show ip nat access-list [INTF][LISTS]

Parameters
  • INTF Filters NAT statements by interface. Options include:

    • <no parameter> Includes all statements on all interfaces.
    • interface ethernet e_num Statements on specified Ethernet interface.
    • interface loopback l_num Statements on specified Loopback interface.
    • interface management m_num Statements on specified Management interface.
    • interface port-channel p_num Statements on specified Port-Channel Interface.
    • interface vlan v_num Statements on specified VLAN interface.
    • interface vxlan vx_num Statements on specified VXLAN interface.
  • LISTS ACLs displayed by command. Options include:

    • <no parameter> All ACLs.
    • acl_name Specifies individual ACL.

Example:
These commands display the NAT command usage of the ACL1 and ACL2 access control lists.
switch>show ip nat acl ACL1

acl ACL1
(0.0.0.0/0, 168.10.1.1/32)
Interfaces using this ACL for Nat:
Vlan100

switch>show ip nat acl ACL2
acl ACL2
(168.10.1.1/32, 0.0.0.0/0)
Interfaces using this ACL for Nat:
Vlan201
switch>

show ip nat pool

The show ip nat pool command displays the configuration of the address pool.

Command Mode

EXEC

Command Syntax

show ip nat pool POOL_SET

Parameters
  • POOL_SET Options include:

    • <no parameter> All configured address pools.
    • pool_name The name of the pool.

Examples:
  • This command displays all the address pools configured on the switch.
    switch#show ip nat pool
    Pool  StartIp      EndIp        Prefix
    p1    10.15.15.15  10.15.15.25  24
    p2    10.10.15.15  10.10.15.25  22
    p3    10.12.15.15  10.12.15.25  12
    switch#
  • These commands display information for specific address pools configured on the switch.
    switch#show ip nat pool p1
    Pool  StartIp  EndIp    Prefix
    p1    4.1.1.1  4.1.1.2  24
          1.1.1.1  1.1.1.2  24
          3.1.1.1  3.1.1.2  24
    switch#show ip nat pool p2
    Pool  StartIp   EndIp     Prefix
    p2    10.1.1.1  10.1.1.2  16
    switch#

show ip nat synchronization advertised-translations

The show ip nat synchronization advertised-translations command displays the detailed status of devices that are advertised to a peer device.

Command Mode

EXEC

Command Syntax

show ip nat synchronization advertised-translations

Example:
This command displays details of devices that are advertised to a peer device.
switch#show ip nat synchronization advertised-translations

Source IP         Destination IP  Translated IP          TGT  Type  Intf
------------------------------------------------------------------------
61.0.0.15:6661    100.0.0.2:80    192.170.230.171:6661   SRC  DYN   Et5
61.0.0.41:2245    100.0.0.2:80    192.170.230.170:2245   SRC  DYN   Et5
61.0.0.48:22626   100.0.0.2:80    192.170.230.169:22626  SRC  DYN   Et5
61.0.0.41:22601   100.0.0.2:80    192.170.230.170:22601  SRC  DYN   Et5
61.0.0.41:16798   100.0.0.2:80    192.170.230.170:16798  SRC  DYN   Et5
61.0.0.18:22605   100.0.0.2:80    192.170.230.177:22605  SRC  DYN   Et5
61.0.0.16:2256    100.0.0.2:80    192.170.230.166:2256   SRC  DYN   Et5

show ip nat synchronization discovered-translations

The show ip nat synchronization discovered-translations command displays details of what has been advertised from a peer device.

Command Mode

EXEC

Command Syntax

show ip nat synchronization discovered-translations

Example:
This command displays details of the translations that have been advertised from a peer device.
switch#show ip nat synchronization discovered-translations

Source IP       Destination IP  Translated IP      TGT  Type  Intf
-------------------------------------------------------------------------
61.0.2.229:63   100.0.0.2:63    170.24.86.180:63   SRC  DYN   Et5
61.0.15.51:63   100.0.0.2:63    170.24.73.90:63    SRC  DYN   Et5
61.0.6.68:63    100.0.0.2:63    170.24.110.128:63  SRC  DYN   Et5
61.0.7.163:63   100.0.0.2:63    170.24.104.35:63   SRC  DYN   Et5

show ip nat synchronization peer

The show ip nat synchronization peer command displays the detailed status of a peer device.

Command Mode

EXEC

Command Syntax

show ip nat synchronization peer

Example:
This command displays details of a peer device with an IP address of 11.11.11.0 and interface Vlan 1111 that is used to connect to the peer device.
switch#show ip nat synchronization peer
Description : Value
Peer : 11.11.11.0
Connection Port : 4532
Connection Source : 0.0.0.0
Kernel Interface : vlan1111
Local Interface : Vlan1111
Established Time : 1969-12-31 16:00:00
Connection Attempts : 0
Oldest Supported Version : 1
Newest Supported Version : 1
Version Compatible : True
Connection State : connected
Shutdown State : False
Status Mount State : mountMounted
Version Mount State : mountMounted
Recover Mount State : mountMounted
Reboot Mount State : mountMounted

show ip nat translation

The show ip nat translation command displays configured NAT statements in the switch hardware.

Command Mode

EXEC

Command Syntax

show ip nat translation [address | address-only | destination | detail | dynamic | hardware | interface | kernel | max-entries | source | static | summary | twice]

The parameters can be given in any order.

Parameters
  • <no parameter> Displays all NAT connections installed in software.
  • address ipv4_addr Displays NAT connections of the specified IPv4 host address.
  • address-only ipv4_addr Displays address-only NAT connections of the specified IPv4 host address.
  • destination Displays destination NAT connections installed in software.
  • detail Displays detailed output of all NAT connections.
  • dynamic Displays dynamic NAT connections.
  • hardware Displays NAT connections installed in hardware.
  • interface Filters NAT connections by interface. Options include:

    • interface ethernet e_num Displays NAT connections of the specified ethernet interface.
    • interface port-channel p_num Displays NAT connections of the specified port-channel interface.
    • interface vlan v_num Displays NAT connections of the specified VLAN interface.
  • kernel Displays NAT connections installed in kernel.
  • max-entries Displays the configured NAT connection limits of the hardware.
  • source Displays source NAT connections installed in software.
  • static Displays static NAT connections.
  • summary Displays summary of all NAT connections.
  • twice Displays twice NAT connections.

Examples:
  • This command displays all configured NAT translations.
    switch>show ip nat translation

    Source IP           Destination IP    Translated IP          TGT  Type  Intf
    ---------------------------------------------------------------------------
    192.168.1.10:62822  172.22.22.40:53   172.17.254.161:62822   SRC  DYN   Vl3925
    192.152.1.10:20342  172.22.22.40:80   172.17.254.161:22222   SRC  STAT  Vl3945
    switch#
  • This command displays dynamic NAT connections of the specified Ethernet interface.
    switch>show ip nat translation dynamic interface Ethernet 26

    Source IP         Destination IP  Translated IP  TGT  Type  Intf
    -------------------------------------------------------------------------
    192.168.1.2:8080  10.1.1.5:600    20.1.1.5:8080  SRC  DYN   Et26

  • This command displays the configured NAT connection limits of the hardware.
    switch>show ip nat translation max-entries

    Global connection limit           100
    Global connection limit low mark  90 (90%)
    Hosts connection limit            20
    Hosts connection limit low mark   18 (90%)
    Total number of connections       1

    Host      Max-Entries  Low-Mark  Connections
    -----------------------------------------------------------------------
    10.1.1.1  10           9 (90%)   0


Media Access Control Security

This section explains the basic concepts about Media Access Control Security (MACsec) including overview, configuration, and the different MACsec commands that are used.

MACsec Overview

Media Access Control Security (MACsec) is an industry standard encryption mechanism that protects all traffic flowing on the Ethernet links. MACsec is based on IEEE 802.1X and IEEE 802.1AE standards.

The major benefits of MACsec are:

  • MACsec supports packet authentication by providing integrity checking so that packet data is not altered during a packet flow.
  • MACsec provides secure encryption at Layer 2 level by ensuring complete data confidentiality.
  • A high density MACsec solution for Cloud Data Centers is integrated with 7500R for highest density and performance in a modular platform.
  • Cost and performance is optimized for Data Center Interconnect to transport massive volumes of traffic through metro or long haul networks.
  • Secure transport of data over distance with MACsec encryption eliminating additional intermediate devices.

MACsec Terminology

MACsec Key Agreement Protocol (MKA) - It is the key agreement protocol for discovering MACsec peers and negotiating keys between MACsec peers (IEEE 802.1X-REV).

Connectivity Association Key (CAK) - Endpoints that share CAK are part of the same secure Connectivity Association (CA). This key can either be a static pre-shared key or dynamically derived when 802.1X authentication is used. CAK is a master key that is used to generate all other keys that are used for MACsec.

Connectivity Associations (CA) - CA is a security relationship between MACsec-capable devices. Endpoints that share CAK are part of the same CA. There can be more than two endpoints in a secure CA. Arista implementation is limited to 2 endpoints.

Primary Key- It is ideally the CAK for the MKA session in progress.

Fallback Key- In case the primary configured key does not establish its connection, the fallback key is used, so as to ensure no loss of traffic.

Secure Association Key (SAK) - The SAK is derived from the CAK and is the key used by the network device ports to encrypt traffic for a given session.

Key Server - One of the MACsec peers in the CA becomes the Key Server. The main role of the Key Server is to create and distribute Secure Association Keys (SAKs), which are used in actual data encryption.

MACsec Limitations

The limitations of MACsec are:

  • MACsec is supported only on point-to-point links.
  • When MACsec is enabled on an interface for the first time, interface flapping occurs for MACsec to take effect.
  • Until MKA protocol converges and negotiates encryption keys, the port does not forward any traffic. This occurs initially when MACsec is configured on a port.

Supported Devices

MACsec is supported on the following devices:

  • 7500E-6CFPX-LC
  • 7500R-8CFPX-LC
  • DCS-7500RM-36CQ-LC
  • DCS-7500R2M-36CQ-LC
  • DCS-7500R2AM-36CQ-LC
  • DCS-7280SRAM

MACsec Licensing

MACsec encryption is an EOS-licensed feature. A valid MACsec license must be configured on the switch. MACsec licenses are tied to a switch serial number and the licensee. Every switch running MACsec requires a separate license of its own.

Please contact your system engineer to acquire the required license codes before attempting to configure MACsec.

MACsec in FIPS mode

Federal Information Processing Standards (FIPS) are a set of standards defined by the United States federal government related to the processing of data in computer systems by non-military government agencies and government contractors. These standards define specific requirements for various purposes such as ensuring computer security and interoperability within and across the computer networking industry.

Arista devices are compliant with FIPS 140-2 Level 1. This set of standards governs the processing of data by cryptographic modules. FIPS mode is enabled through the CLI configuration.

Configuring MACsec

Basic steps to configuring MACsec on the switch:

  1. Enable MACsec on the switch using the mac security command.
    switch(config)#mac security
  2. Configure a valid MACsec license on the switch using the license command.
    MACsec licenses are tied to a switch. Every switch running MACsec requires a separate license of its own. Contact your system engineer to acquire the required license codes before attempting to configure MACsec.
    switch(config-mac-security)#license
  3. Create a MACsec profile using the profile command. Profiles are mandatory for MACsec to be provisioned.
    switch(config-mac-security)#profile <profile-name>
  4. Configure a valid MACsec cipher authentication on the switch using the cipher command.
    switch(config-mac-security-profile-test)#cipher
  5. Configure the primary key so that the MACsec profile is made active using the key command.
    switch(config-mac-security-profile-sampleProfile)#key 0abcd1 0 1234abcd
    Optionally a fallback CAK can also be configured on a profile. This CAK is picked up by MACsec to negotiate keys if the primary CAK fails. A CAK can be configured as a backup key using the fallback keyword with the key command.
    switch(config-mac-security-profile-sampleProfile)#key 1234 0 abcd fallback
  6. Configure a key server among the MACsec peers. The key server is responsible for generating and distributing encryption keys. The election of the key server can be influenced by configuring a key-server priority into a profile using the following command:
    switch(config-mac-security-profile-sampleProfile)#mka key-server priority <value>
    A lower value indicates higher priority. If the MACsec peers have identical priority, the peer with the lower MAC address is elected as the key server. The default key server priority is 16.
  7. Configure the period at which the SAK is refreshed. MACsec encrypts data traffic with a Secure Association Key (SAK), which is derived from the CAK.
    switch(config-mac-security-profile-sampleProfile)#mka session rekey-period <period in seconds>
    The default session rekey-period is 0. The SAK is not refreshed periodically in the absence of the above configuration.
  8. Generate the cryptographic keys to strengthen the random number generator used by MACsec.
    switch(config-mgmt-security)#entropy source hardware

    Example

    mac security
       license productTest db7cf232
       !
       profile macsec-test
          cipher aes256-gcm-xpn
          key 0abc1234 7 06070E234E4D0A48544540585F507E
          key 0def5678 7 09484A0C1C0311475E5A527D7C7C70 fallback
          mka session rekey-period 30
    !
    interface Ethernet5/3/1
       mac security profile macsec-test
    !
    management security
       entropy source hardware

Configuring the FIPS mode

To configure the FIPS mode on the MACsec protocol, use the FIPS command.

  • This command configures the FIPS mode on the MACsec protocol.
    switch(config)#mac security 
    switch(config-mac-security)#fips restrictions

Displaying MACsec Information

The following sections provide information about MACsec on a switch.

Displaying MACsec detailed information

Use the show mac security interface detail command to display detailed information about MACsec.

Example

switch#show mac security interface detail 
Interface: Ethernet4/1/1
SCI: 28:99:3a:82:6f:82::605
SSCI: 00000002
Controlled port: True
Key server priority: 16
Session rekey period: 0
Traffic: Protected
Key in use: 9d5bc0d3076ea4a08b99b9d9:1
Latest key: None
Old key: 9d5bc0d3076ea4a08b99b9d9:1(RT)

Interface: Ethernet4/3/1
SCI: 28:99:3a:82:6f:85::613
SSCI: 00000001
Controlled port: True
Key server priority: 16
Session rekey period: 0
Traffic: Protected
Key in use: 9d5bc0d3076ea4a08b99b9d9:1
Latest key: None
Old key: 9d5bc0d3076ea4a08b99b9d9:1(RT)

About the Output:

  • Interface: Name of the interface.
  • Secure Channel Identifier (SCI): Combination of MAC address and port number. Used to uniquely identify a Mac Security port.
  • Controlled Port: Indicates if Mac Security is enabled on the port. A value of True indicates that encryption is enabled on the port.
  • Key In Use: The SAK identifier currently in use. Combination of Key Servers message identifier (see below) and key number.
  • Key Server priority: Configured key server priority.
  • Session Rekey Period: Configured session rekey period.
  • Latest Key: Latest SAK being negotiated by Mac Security Key Agreement Protocol (MKA)
  • Old Key: The last SAK negotiated by Mac Security Key Agreement Protocol (MKA)
Note: Latest key and Old key are MKA protocol-specific terms that refer to the last two keys in use. For all practical purposes, the Key in use field identifies the current key.

Displaying MACsec participants

Use the show mac security participants command to display information about the MACsec participants.

Example
switch#show mac security participants 
Interface: Ethernet4/1/1
CKN: abcd
Message ID: 9d5bc0d3076ea4a08b99b9d9
Elected self: True
Success: True
Principal: True
Default: False

CKN: dead
Message ID: 4ef4cf009161bd551b5e7434
Elected self: True
Success: True
Principal: False
Default: True

Interface: Ethernet4/3/1
CKN: abcd
Message ID: c79ad8882c2dd3a8e838a691
Elected self: False
Success: True
Principal: True
Default: False

CKN: dead
Message ID: 3dfd4486b5f68a81014a37ec
Elected self: False
Success: True
Principal: False
Default: True

Displaying MACsec participants detailed information

Use the show mac security participants detail command to display detailed information about the MACsec participants.

Example

switch#show mac security participants detail
Interface: Ethernet4/1/1
CKN: abcd
Message ID: 9d5bc0d3076ea4a08b99b9d9
Elected self: True
Success: True
Principal: True
Default: False
KeyServer SCI: 28:99:3a:82:6f:82::605
SAK transmit: True
LLPN exhaustion: 0
Distributed key identifier: 9d5bc0d3076ea4a08b99b9d9:1
Live peer list: ['c79ad8882c2dd3a8e838a691']
Potential peer list: []

CKN: dead
Message ID: 4ef4cf009161bd551b5e7434
Elected self: True
Success: True
Principal: False
Default: True
KeyServer SCI: 28:99:3a:82:6f:82::605
SAK transmit: False
LLPN exhaustion: 0
Distributed key identifier: None
Live peer list: ['3dfd4486b5f68a81014a37ec']
Potential peer list: []

Interface: Ethernet4/3/1
CKN: abcd
Message ID: c79ad8882c2dd3a8e838a691
Elected self: False
Success: True
Principal: True
Default: False
KeyServer SCI: 28:99:3a:82:6f:82::605
SAK transmit: True
LLPN exhaustion: 0
Distributed key identifier: 9d5bc0d3076ea4a08b99b9d9:1
Live peer list: ['9d5bc0d3076ea4a08b99b9d9']
Potential peer list: []

CKN: dead
Message ID: 3dfd4486b5f68a81014a37ec
Elected self: False
Success: True
Principal: False
Default: True
KeyServer SCI: 28:99:3a:82:6f:82::605
SAK transmit: False
LLPN exhaustion: 0
Distributed key identifier: None
Live peer list: ['4ef4cf009161bd551b5e7434']
Potential peer list:

About the Output

  • Connectivity Association Key Name (CKN): Configured name of the key in use.
  • Message ID: A random 92 bit string used as an identifier for an MKA participant.
  • Elected Self: True if this participant is the elected key server.
  • Success: True if this participant is live and has at least one live peer.
  • Principal: True if this participant is the principal participant elected to distribute SAKs or if participant receives SAKs from key server.
  • Default: True if this participant is a fallback/backup participant (spawned when a fallback key is configured in a Mac Security profile).
  • Key Server SCI: The SCI of the key server.
  • SAK Transmit: True if the participant is ready to use the negotiated key for transmit.
  • LLPN Exhaustion: Increments if the number of data packets sent using the current key exceeds a certain threshold.
  • Distributed Key Identifier: Message ID + key number of the most recently generated SAK.
  • Live Peer List: Message IDs of all the live peers of the participant.
  • Potential Peer List: Message IDs of all the potential peers of the participant. These are peers that haven't yet established mutual liveness but have sent out at least one control packet.

Displaying MACsec MKA Counters

Use the show mac security mka counters command to display information about the MACsec MKA counters.

Example

switch#show mac security mka counters 
Interface      Rx Success  Rx Failure  Tx Success  Tx Failure
Ethernet4/1/1  287         0           288         0
Ethernet4/3/1  288         0           287         0

Displaying MACsec Security Counters Detailed Information

Use the show mac security counters detail command to display detailed information about the MACsec security counters.

Example

switch#show mac security counters detail 
Ethernet4/1/1  Counter Name        Count
-------------------------------------------------------
               outPktsEncrypted    112
               outOctetsEncrypted  11984
               outPktsUntagged     0
               outPktsTooLong      0
               outPktCtrl          224
               inPktsDecrypted     2
               inOctetsDecrypted   214
               inPktsUnchecked     0
               inPktsOK            2
               inPktsNotValid      0
               inPktsNotUsingSA    0
               inPktsCtrl          223
               inPktsNoTag         8
               inPktsTagged        0
               inPktsBadTag        0
               inPktsNoSCI         0
               inPktsLate          0

Ethernet4/3/1  Counter Name        Count
-------------------------------------------------------
               outPktsEncrypted    2
               outOctetsEncrypted  214
               outPktsUntagged     0
               outPktsTooLong      0
               outPktCtrl          223
               inPktsDecrypted     111
               inOctetsDecrypted   11877
               inPktsUnchecked     0
               inPktsOK            111
               inPktsNotValid      0
               inPktsNotUsingSA    0
               inPktsCtrl          224
               inPktsNoTag         9
               inPktsTagged        0
               inPktsBadTag        0
               inPktsNoSCI         0
               inPktsLate          0

Displaying MACsec Security Counters

Use the show mac security counters command to display information about the MACsec security counters.

Example

switch#show mac security counters
Port       InPktsDecrypted   InOctetsDecrypted   OutPktsEncrypted   OutOctetsEncrypted
Et4/1/1    2                 214                 109                11663
Et4/3/1    109               11663               2                  214

Displaying MACsec MKA Counters Detailed Information

Use the show mac security mka counters detail command to display detailed information about the MACsec MKA counters.

Example

switch#show mac security mka counters detail 
Interface: Ethernet4/1/1
Tx packet success: 290
Tx packet failure: 0
Tx invalid: 0
Rx packet success: 289
Rx packet failure: 0
Rx invalid: 0
Rx eapol error: 0
Rx basic parameter set error: 0
Rx unrecognized CKN error: 0
Rx ICV validation error: 0
Rx live peer list error: 0
Rx potential peer list error: 0
Rx SAK use set error: 0
Rx distributed SAK set error: 0
Rx distributed CAK set error: 0
Rx ICV Indicator error: 0
Rx unrecognized parameter set error: 0

Interface: Ethernet4/3/1
Tx packet success: 289
Tx packet failure: 0
Tx invalid: 0
Rx packet success: 290
Rx packet failure: 0
Rx invalid: 0
Rx eapol error: 0
Rx basic parameter set error: 0
Rx unrecognized CKN error: 0
Rx ICV validation error: 0
Rx live peer list error: 0
Rx potential peer list error: 0
Rx SAK use set error: 0
Rx distributed SAK set error: 0
Rx distributed CAK set error: 0
Rx ICV Indicator error: 0
Rx unrecognized parameter set error: 0

Displaying MACsec FIPS Status

Use the show mac sec status command to display information about the MACsec FIPS status.

Example

switch(config)#mac security
switch(config-mac-security)#show mac sec status
Active Profiles: 1
FIPS Mode: Yes
Secured Interfaces: 2

MACsec Key Retirement Immediate

MACsec uses two configured keys for MKA negotiation: a primary key and a fallback key (as a backup). For a mac security profile configured on an interface, an actor is created per key; the actor is responsible for MKA negotiation with the peer. When a new primary key is configured, the old primary key's actor is retained in the system until the MKA session with the newly configured primary key becomes successful. The same holds for the fallback key. When the key retirement immediate command is used, the actor corresponding to the old key, whether primary or fallback, is removed from the system immediately.

MACsec Key Retirement Immediate Operations

  • If a new primary key is configured in a mac security profile, the old primary key's actor is deleted from the system immediately.
  • If a new fallback key is configured in a mac security profile, the old fallback key's actor is deleted from the system immediately.
  • Removing the feature configuration from the mac security profile only stops old keys from being cleaned up immediately when new keys are configured. It does not recreate an old actor.

    Note: The key retirement immediate command only deletes the actor corresponding to the old key. It does not clean up the SAK programmed in the hardware until a new SAK is available to be programmed. However, as a side effect of deleting the actor, a new principal actor is chosen (if an eligible actor is available), over which a new SAK is distributed subsequently.

MACsec Key Retirement Immediate feature interactions

MACsec EAP-FAST Support

If dynamic MAC Security keys are used together with key retirement immediate, then on every new primary key derived from 802.1X the old primary key's actor is deleted from the system. This usually happens at the reauthentication interval configured for 802.1X.

MACsec Fallback to Unprotected Traffic Support

If key retirement immediate is configured together with the Fallback to Unprotected Traffic feature, transitions between unprotected and protected traffic may become more frequent. With Key Retirement Immediate, whenever a new key is configured, the existing successful MKA session corresponding to the old key is not maintained, which may bring the number of successful MKA sessions to zero and so move the interface to the unprotected traffic state, as the Fallback to Unprotected Traffic feature specifies.

MACsec Key Retirement Immediate Configuration

The key retirement immediate command is configured in mac security profile mode; the configuration needs to be present on both the key server and the non-key-server peers. Since the key server decides the principal actor for SAK distribution, it is recommended that this configuration is present on the key server so that re-election of the principal actor is triggered immediately.

If key retirement immediate is configured only on the key server, the non-key-server peer will still try to negotiate MKA over the old primary key, unnecessarily consuming system resources and time even when not required.

If key retirement immediate is configured only on the non-key-server peer, it will take 6 seconds (the MKA Lifetime) for any re-election to be triggered on the key server as a result of the session failure.

switch(config-mac-security-profile-sampleProfile)#[no] key retirement immediate

Configuration Scenarios

When both a Primary Key and a Fallback Key are configured: without key retirement immediate, when a new primary is configured, the actor corresponding to the old primary stays active until the MKA session on the new primary becomes successful. With key retirement immediate, the actor corresponding to the old primary is deleted immediately. Since a fallback is also configured, the key server chooses it as the new principal actor, if eligible. Once a new principal actor is chosen, a new SAK is distributed, which is eventually programmed and used for encryption and decryption.

When only a Primary Key is configured: the behavior is the same as above, except that no other actor becomes principal until the new primary becomes successful. Until then the hardware continues to use the SAK generated with the old primary.

When the Fallback is the Principal actor: without key retirement immediate, when a new fallback key is configured, the old fallback stays in the system until the new fallback or the primary becomes active. With key retirement immediate, the old fallback actor is deleted immediately. Until a new principal actor is elected, the hardware continues to use the SAK generated with the old fallback.

The show mac security participants command shows all the participants present in the system. When key retirement immediate is configured, the actors corresponding to old keys no longer appear in the output of that command.

MACsec EAP-FAST Support

The Media Access Control Security (MACsec) with static keys feature brings support for dynamic Mac Security keys. To derive Mac Security keys dynamically, both peers must be configured for 802.1X authentication. One peer must be configured to be the Authenticator and the other peer to be the Supplicant. Upon a successful 802.1X authentication sequence between the peers, keying material is generated by both the authenticator and the supplicant. This keying material is then used to derive Mac Security keys to establish a MACsec Key Agreement (MKA) protocol session. This feature brings in support for Arista devices to act as the supplicant to derive Mac Security keys in a bidirectional fashion.

The following diagram illustrates a typical Mac Security + 802.1X topology:

Platform Compatibility

Mac Security dynamic key derivation is supported on all MACsec capable switches. This includes 7500E-6CFPX-LC, 7500R-8CFPX-LC, 7500RM-36CQ-LC, 7500R2M-36CQ-LC, 7280SRAM-48C6, 7280SRM-40CX2, and 7280CR2M-30.

Configuring MAC Security Dynamic Key Derivation

802.1X Authenticator Configuration

A new option is added to the 802.1X authenticator configuration to make the authenticator more robust against unreliable authentication servers. By default, when an authentication server is unreachable, the authenticator blocks all traffic on the port and keeps the port Unauthorized until it gets replies from the authentication server. The following option changes this behavior and keeps the port in its current state if the authentication server is not reachable:

Example

switch(config-if-Et1)#dot1x timeout reauth-timeout-ignore always

802.1X Supplicant Configuration

The 802.1X supplicant is configured through MACsec profiles. A MACsec profile contains all the credentials necessary for 802.1X authentication to succeed.

Following are the steps to configure an 802.1X supplicant profile:

  1. Use the dot1x command to enter dot1x mode, in which supplicant profiles are configured.
    switch(config)#dot1x
    switch(config-dot1x)#
  2. Use the supplicant profile command to create an 802.1X supplicant profile.
    switch(config-dot1x)#supplicant profile <profileName>
    The following mandatory commands must be configured for a supplicant profile to be operational:
  3. An Extensible Authentication Protocol (EAP) method must be configured for the profile. The only method supported by Arista supplicants is EAP-FAST.
    switch(config-dot1x-supp-profile-test)#eap-method fast
  4. Configure the EAP identity, which is used to authenticate the supplicant with the RADIUS server:
    switch(config-dot1x-supp-profile-test)#identity <user-identity>
  5. Configure the EAP pass-phrase, the password used to authenticate the supplicant with the RADIUS server:
    switch(config-dot1x-supp-profile-test)#passphrase <options>

    Example

    This is a sample 802.1X supplicant profile:
    switch(config-dot1x-supp-profile-test)#show active
    dot1x
       supplicant profile test
          identity arista
          passphrase 7 070E334D5D1D0B04
  6. Apply the supplicant profile by enabling it on the Mac Security interface:
    switch(config-if-Et6/1)#dot1x pae supplicant test

Mac Security

Mac Security configuration remains the same as described in the configuration guide, with a single important difference. Instead of configuring manual keys, a Mac Security profile must be configured to use dynamic keys:

switch(config-mac-security-profile-test)#key source dot1x

Displaying 802.1X Supplicant Status

  • The show dot1x supplicant command displays the 802.1X supplicant status.

    switch#show dot1x supplicant
    Interface: Ethernet6/1
    Identity: arastra
    EAP method: fast
    Status: success
    Supplicant MAC: 44:4c:a8:34:bf:20
    Authenticator MAC: 00:1c:73:e0:d3:76

About the Output

Interface: The port on which the supplicant is running.

Identity: Configured supplicant identity.

EAP method: Configured EAP method (currently only EAP-FAST).

Status: Supplicant Status. Can be one of the following:

  • Success Authentication has been successful.
  • Down Authentication sequence has not begun.
  • Failed Authentication has failed.
  • Connecting Authentication is in progress.
  • Unused Supplicant is uninitialized.

Supplicant MAC: MAC address of the supplicant.

Authenticator MAC: MAC address of the authenticator (peer).

Existing Mac Security show commands can be used to look at Mac Security status.

MACsec Proxy For VXLAN

The MACsec Proxy for VXLAN feature enables the MACsec service over VXLAN. MACsec over VXLAN is provided by mapping a VXLAN Network Identifier (VNI) and remote VXLAN tunnel endpoint (VTEP) IP to a MACsec proxy sub-interface.

Any packet routed to the MACsec proxy sub-interface is encrypted and tunneled to the remote VTEP. On the receiving path the packets are decrypted, then decapsulated and forwarded. MKA negotiates and renews the encryption keys. For this purpose a MACsec-capable front panel port has to be dedicated and must not have anything plugged in, since it is used to recycle the packets being encrypted and decrypted.

Configuring MACsec Proxy For VXLAN

This feature is supported on the following switch platforms:

  • 7280SRAM-48C6
  • 7280CR2M-30
  • 7500R2M-36CQ-LC

The mandatory steps to configure a MACsec proxy sub-interface on an Arista switch are:

  1. Configure the parent interface to be a routed port.
  2. Create a L3 sub-interface on the parent interface. This is the MACsec proxy sub-interface.
  3. Create a L2 sub-interface on the parent interface. This is the MACsec patch sub-interface.
  4. Configure and enable the MACsec proxy port on a sub-interface.
  5. Configure the VXLAN tunnel.
  6. Assign the forwarding VLAN ID for the MACsec patch sub-interface and VXLAN tunnel.

Example Configurations

  1. Configure a 100G MACsec interface as a routed port.
    switch(config)#interface et49/1
    switch(config-if-Et49/1)#no switchport
  2. Create a new L3 sub-interface, et49/1.1.
    switch(config-if-Et49/1)#interface et49/1.1
  3. Create a new L2 sub-interface, et49/1.2.
    switch(config-if-Et49/1)#interface et49/1.2
  4. Configure the MACsec proxy port, and enable MACsec on the proxy port.
    switch(config)#interface et49/1.1
    switch(config-if-Et49/1.1)#mac security proxy patch Ethernet49/1.2
    switch(config-if-Et49/1.1)#mac security profile test1
    switch(config-if-Et49/1.1)#ip address 2.2.2.1/24
  5. Configure the VXLAN tunnel. The remote VTEP is provided as the flood VTEP.
    switch(config)#interface vxlan 1
    switch(config-if-Vx1)#vxlan source-interface Loopback0
    switch(config-if-Vx1)#vxlan udp-port 4789
    switch(config-if-Vx1)#vxlan vlan 20 vni 20
    switch(config-if-Vx1)#vxlan vlan 20 flood vtep 100.100.100.2
  6. Configure the L2 MACsec patch interface to be in the same VLAN as the VXLAN.
    switch(config)#interface et49/1.2
    switch(config-if-Et49/1.2)#vlan id 20

Displaying MACsec Proxy For VXLAN Information

  • Use the show mac security interface command to display the proxy sub-interface information.
  • Use the show mac security mka counters command to display the MACsec counters and detailed values.

Example

switch(config)#show mac security interface
Interface        SCI                       Controlled Port   Key in Use
Ethernet4/1/1    28:99:3a:82:6f:82::605    True              9d5bc0d3076ea4a08b99b9d9:1
Ethernet4/3/1    28:99:3a:82:6f:85::613    True              9d5bc0d3076ea4a08b99b9d9:1

Example

switch(config)#show mac security mka counters
Interface        Rx Success   Rx Failure   Tx Success   Tx Failure
Ethernet4/1/1    287          0            288          0
Ethernet4/3/1    288          0            287          0

switch(config)#show mac security mka counters ethernet 49/1.1 detail
Interface: Ethernet49/1.1
Tx packet success: 84
Tx packet failure: 0
Tx invalid: 0
Rx packet success: 82
Rx packet failure: 0
Rx invalid: 0
Rx eapol error: 0
Rx basic parameter set error: 0
Rx unrecognized CKN error: 0
Rx ICV validation error: 0
Rx live peer list error: 0
Rx potential peer list error: 0
Rx SAK use set error: 0
Rx distributed SAK set error: 0
Rx distributed CAK set error: 0
Rx ICV Indicator error: 0
Rx unrecognized parameter set error: 0

MACsec Fallback to Unprotected Traffic

When MACsec is enabled on an interface, it tries to establish MACsec Key Agreement (MKA) session(s) with its peer. If no MKA session is successfully established, the interface can continue to protect the traffic with the last known negotiated key, and if no such key exists it blocks the traffic. The MACsec Fallback to Unprotected Traffic feature introduces an optional configuration which, if provided, allows unprotected traffic whenever there is no successful MKA session with the peer, in the following scenarios:

  • If MACsec is enabled on an interface with this feature configured, the interface allows unprotected traffic immediately, without waiting for MKA session establishment.
  • If a MACsec-enabled interface was blocking traffic because no MKA sessions were established and its MACsec profile is changed to enable this feature, the interface starts allowing unprotected traffic immediately.
  • If a MACsec-enabled interface was allowing unprotected traffic and its MACsec profile is changed to disable this feature, the interface blocks traffic immediately.
  • While an interface is allowing unprotected traffic, it stops doing so when a new Secure Association Key (SAK) is generated (if this interface is the key server) or when a SAK is received from the key server (if this interface is not the key server).
  • If MACsec Fallback to Unprotected Traffic is configured and all MKA sessions between the peers fail, the peers switch to unprotected traffic. If it is not configured, protected traffic could have continued with the last known negotiated key.

To protect traffic between peers, keys derived from the primary MKA session are given priority over those from the fallback MKA session. With this feature enabled, the priority order of traffic between peers is:

  1. Protected using keys derived from primary MKA sessions
  2. Protected using keys derived from Fallback MKA sessions
  3. Unprotected traffic

Note: Arista allows a primary and a fallback Connectivity Association Key (CAK) and Connectivity Association Key Name (CKN) pair to be configured on an interface, and the interface tries to establish an MKA session with its peer for each CAK/CKN pair.

MACsec Fallback to Unprotected Traffic feature Interaction

This feature interacts with other related features in the following ways:

  • MACsec EAP-FAST Support: If dynamic MAC Security keys (derived from 802.1X authentication) are used, the feature configuration has no effect.
  • MACsec Proxy Interfaces: This feature does not work with MACsec proxy sub-interfaces.
  • Key Retirement Immediate: If this feature is configured together with the Key Retirement Immediate feature on an interface, transitions between unprotected and protected traffic may become more frequent, because with Key Retirement Immediate, whenever a new key is configured, the existing successful MKA session corresponding to the old key is not maintained.

Limitations

When this feature is in use, the following limitations may be observed:

  • An interface moving from allowing unprotected traffic to allowing only protected traffic can experience a traffic disruption of up to 4 seconds.
  • If the key server interface manages to establish an MKA session with its old credentials (CKN/CAK pair) while unprotected traffic was allowed, a traffic disruption of up to 6 seconds can be observed in addition to the duration mentioned in the previous point.

Configuring MACsec Fallback to Unprotected Traffic

This feature is supported on all MACsec capable cards except for 7500E-6CFPX-LC.

The MACsec Fallback to Unprotected Traffic feature is configured under MACsec profile mode using the [no] traffic unprotected allow command. The no form of the command removes the configuration from the switch. This configuration must be present in both the peers for the unprotected traffic to flow between them successfully.

Example
switch(config-mac-security-profile-sampleProfile)#no traffic unprotected allow

Displaying MACsec Fallback to Unprotected Traffic Information

The show mac security interface detail command can be used to verify if the interface is currently allowing unprotected traffic.

switch#show mac security interface Ethernet 6/1/1 detail
Interface: Ethernet4/1/1
SCI: 28:99:3a:82:6f:82::605
SSCI: 00000002
Controlled port: True
Key server priority: 16
Session rekey period: 0
Traffic: Unprotected
Key in use: 9d5bc0d3076ea4a08b99b9d9:1
Latest key: None
Old key: 9d5bc0d3076ea4a08b99b9d9:1(RT)

Interface: Ethernet4/3/1
SCI: 28:99:3a:82:6f:85::613
SSCI: 00000001
Controlled port: True
Key server priority: 16
Session rekey period: 0
Traffic: Protected
Key in use: 9d5bc0d3076ea4a08b99b9d9:1
Latest key: None
Old key: 9d5bc0d3076ea4a08b99b9d9:1(RT)
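The three outputs documented above (show mac security counters detail, show mac security mka counters detail, and show mac security interface detail with its Traffic field) are what an operator polls to notice a link that has quietly fallen back to unprotected traffic, or a peer whose frames or MKPDUs are failing integrity checks. The following Python script is an added example, not Arista code: it parses sample outputs constructed in the row layouts this manual shows (values partly copied from the examples above, with non-zero error counters inserted to exercise the checks) and returns a list of findings. The counter names and field names are the ones listed on this page; the set of counters treated as suspect is this example's own choice.

```python
"""Audit Arista EOS 'show mac security ...' output for MACsec health problems.
Added example, not Arista code; sample outputs below are constructed."""
import re

# Constructed 'show mac security interface detail': Ethernet4/1/1 has fallen
# back to unprotected traffic, Ethernet4/3/1 is protected.
INTERFACE_DETAIL = """\
Interface: Ethernet4/1/1
SCI: 28:99:3a:82:6f:82::605
Controlled port: True
Traffic: Unprotected
Key in use: 9d5bc0d3076ea4a08b99b9d9:1

Interface: Ethernet4/3/1
SCI: 28:99:3a:82:6f:85::613
Controlled port: True
Traffic: Protected
Key in use: 9d5bc0d3076ea4a08b99b9d9:1
"""

# Constructed 'show mac security counters detail' (trimmed); inPktsBadTag on
# Ethernet4/3/1 is non-zero: frames arrived whose MACsec tag was not valid.
COUNTERS_DETAIL = """\
Ethernet4/1/1        Counter Name        Count
-------------------------------------------------------
outPktsEncrypted                         112
inPktsOK                                 2
inPktsNotValid                           0
inPktsBadTag                             0

Ethernet4/3/1        Counter Name        Count
-------------------------------------------------------
outPktsEncrypted                         2
inPktsOK                                 111
inPktsNotValid                           0
inPktsBadTag                             3
"""

# Constructed 'show mac security mka counters detail' (trimmed); ICV errors on
# Ethernet4/1/1 are what MKPDUs from a peer holding a different CAK produce,
# because the MKA ICV key is derived from the CAK.
MKA_DETAIL = """\
Interface: Ethernet4/1/1
Rx packet success: 289
Rx packet failure: 2
Rx unrecognized CKN error: 0
Rx ICV validation error: 2

Interface: Ethernet4/3/1
Rx packet success: 290
Rx packet failure: 0
Rx unrecognized CKN error: 0
Rx ICV validation error: 0
"""

# Data-plane counters that stay at zero on a correctly keyed, healthy link.
SUSPECT_COUNTERS = ("inPktsNotValid", "inPktsBadTag", "inPktsNoSCI", "inPktsLate", "inPktsNotUsingSA")
# MKA control-plane counters that point at a keying or peer problem.
SUSPECT_MKA = ("Rx packet failure", "Rx ICV validation error", "Rx unrecognized CKN error")


def parse_keyed_blocks(text):
    """'Interface: X' blocks of 'Name: value' lines -> {iface: {name: value}}.
    Serves both the interface detail and the MKA counters detail layouts."""
    blocks, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^([^:]+):\s*(.*)$", line.strip())
        if not m:
            continue
        name, value = m.group(1).strip(), m.group(2).strip()
        if name == "Interface":
            current = blocks.setdefault(value, {})
        elif current is not None:
            current[name] = value
    return blocks


def parse_counter_tables(text):
    """Per-interface 'Counter Name / Count' tables -> {iface: {counter: int}}."""
    tables, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^(\S+)\s+Counter Name\s+Count\s*$", line)
        if header:
            current = tables.setdefault(header.group(1), {})
            continue
        row = re.match(r"^(\w+)\s+(\d+)\s*$", line)
        if row and current is not None:
            current[row.group(1)] = int(row.group(2))
    return tables


def audit(interface_detail, counters_detail, mka_detail):
    """Return sorted (interface, finding) tuples for anything worth an alert."""
    findings = []
    for iface, fields in parse_keyed_blocks(interface_detail).items():
        if fields.get("Controlled port") != "True":
            findings.append((iface, "controlled port down: MACsec not active"))
        if fields.get("Traffic") == "Unprotected":
            findings.append((iface, "traffic unprotected: no successful MKA session, fallback in effect"))
    for iface, counters in parse_counter_tables(counters_detail).items():
        for name in SUSPECT_COUNTERS:
            if counters.get(name, 0) > 0:
                findings.append((iface, f"{name}={counters[name]}: received frames failed MACsec validation"))
    for iface, fields in parse_keyed_blocks(mka_detail).items():
        for name in SUSPECT_MKA:
            if int(fields.get(name, "0")) > 0:
                findings.append((iface, f"{name}={fields[name]}: MKA peer or keying problem"))
    return sorted(findings)


if __name__ == "__main__":
    for iface, finding in audit(INTERFACE_DETAIL, COUNTERS_DETAIL, MKA_DETAIL):
        print(f"{iface}: {finding}")
```

In practice the three strings would come from the switch's CLI (or eAPI) rather than constants, and the audit would run on each poll, alerting on a transition to Unprotected and on any increase in the suspect counters between polls rather than on their absolute value.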

MACsec Commands

cipher

The cipher command configures the cipher suite used for MAC security on the switch.

Command Mode

MACsec Profile

Command Syntax

cipher <options>

Parameters

  • options The cipher authentication options.
    • aes128-gcm-xpn Advanced Encryption Standard (128 bit, Galois/Counter mode, Extended Packet Numbering)
    • aes256-gcm-xpn Advanced Encryption Standard (256 bit, Galois/Counter mode, Extended Packet Numbering)

Example

The following command configures the cipher aes128-gcm-xpn for MAC security on the switch for the MACsec profile called test.
switch(config-mac-security-profile-test)#cipher aes128-gcm-xpn

dot1x pae supplicant

The dot1x pae supplicant command applies the supplicant profile by enabling it on the Mac Security interface.

Command Mode

Interface Configuration

Command Syntax

dot1x pae supplicant <profileName>

Example

The following command applies the supplicant profile test on the MACsec interface 6/1.
switch(config-if-Et6/1)#dot1x pae supplicant test

dot1x timeout reauth-timeout-ignore always

The dot1x timeout reauth-timeout-ignore always command keeps the port in its current state, without blocking it, when the authentication server is unreachable or the supplicant times out.

Command Mode

Interface Configuration

Command Syntax

dot1x timeout reauth-timeout-ignore always

Example

The following command retains the current port status of interface Ethernet 6/1 when there is authentication server timeout.
switch(config-if-Et6/1)#dot1x timeout reauth-timeout-ignore always

dot1x

The dot1x command places the switch in dot1x mode. In this mode the user can configure the 802.1X settings used by MACsec.

Command Mode

Global Configuration

Command Syntax

dot1x

Example

The following command places the switch in the dot1x mode.
switch(config)#dot1x
switch(config-dot1x)#

entropy source hardware

The entropy source hardware command uses the hardware entropy source to strengthen the random number generator from which MACsec generates its cryptographic keys.

Command Mode

Management Configuration

Command Syntax

entropy source hardware

Example

The following commands configure the hardware entropy source used to generate cryptographic keys.
switch(config)#management security
switch(config-mgmt-security)#entropy source hardware

key (MACsec)

The key command configures the primary key so that the MACsec profile is activated.

Note: Optionally a fallback CAK can also be configured on a profile. This CAK is picked up by MACsec to negotiate keys if the primary CAK fails. A CAK can be configured as a backup key using the fallback keyword with the key command.

Command Mode

MACsec Profile Configuration

Command Syntax

key <options>

Parameter

  • CKN Connectivity association key name in hex octets. Options include:
    • 0 Specifies that an UNENCRYPTED key will follow
    • 7 Specifies that a HIDDEN key will follow
    • CAK Connectivity association key in hex octets
    • fallback Configure the key as a fallback
  • retirement Retire the key. Options include:
    • immediate Retire the key immediately
  • source List of sources to derive MAC security keys. Options include:
    • dot1x Derive MAC security keys from IEEE 802.1X based port authentication
    • group-cak Derive MAC security keys from Group CAK Distribution

Examples

  • The following example configures the primary key for the profile called sample_Profile for MAC security on the switch.
    Switch(config)#mac security
    Switch(config-mac-security)#profile sample_Profile
    Switch(config-mac-security-profile-sample_Profile)#key 0abcd1 0 1234abcd
  • The following example configures the fallback CAK on a profile.
    Switch(config)#mac security
    Switch(config-mac-security)#profile sample_Profile
    Switch(config-mac-security-profile-sample_Profile)#key 0abcd1 0 1234abcd fallback
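The key command takes the CKN and CAK as hex octets, and the example values above are placeholders rather than keys anyone should deploy: a CAK that is short or predictable undermines every SAK derived from it. The following Python helper is an added example, not Arista code. It generates a CKN/CAK pair from the operating system's CSPRNG, validates a pair before it is pasted into a profile, and renders the profile lines in the syntax documented here. The length rules are assumptions taken from IEEE 802.1X (a 16-octet CAK for the 128-bit cipher, 32 octets for the 256-bit cipher, and a CKN of 1 to 32 octets); this manual itself only says "hex octets".

```python
"""Generate and validate MACsec CAK/CKN pairs for an EOS 'key' line.
Added example, not Arista code. Length rules are assumptions from IEEE 802.1X."""
import re
import secrets

# Assumed CAK size per cipher (IEEE 802.1X: 128-bit CAK for GCM-AES-128, 256-bit for GCM-AES-256).
CAK_OCTETS = {"aes128-gcm-xpn": 16, "aes256-gcm-xpn": 32}
CKN_MAX_OCTETS = 32  # assumed: CKN is 1..32 octets
HEX_OCTETS = re.compile(r"^(?:[0-9a-fA-F]{2})+$")  # whole octets, at least one


def validate_key(ckn, cak, cipher):
    """Return a list of problems with the pair; an empty list means it fits the cipher."""
    if cipher not in CAK_OCTETS:
        return [f"unknown cipher {cipher!r}"]
    problems = []
    if not HEX_OCTETS.match(ckn):
        problems.append("CKN must be whole hex octets (even number of hex digits)")
    elif len(ckn) // 2 > CKN_MAX_OCTETS:
        problems.append(f"CKN longer than {CKN_MAX_OCTETS} octets")
    if not HEX_OCTETS.match(cak):
        problems.append("CAK must be whole hex octets (even number of hex digits)")
    elif len(cak) // 2 != CAK_OCTETS[cipher]:
        problems.append(f"CAK must be {CAK_OCTETS[cipher]} octets for {cipher}, got {len(cak) // 2}")
    return problems


def generate_key(cipher, ckn_octets=16):
    """Return a fresh (ckn, cak) pair from the OS CSPRNG, sized for the cipher."""
    return secrets.token_hex(ckn_octets), secrets.token_hex(CAK_OCTETS[cipher])


def profile_config(name, cipher, ckn, cak, fallback=False):
    """Render the MACsec profile lines; refuses to emit a key that fails validation.

    The '0' key type means the CAK follows unencrypted (see the key command parameters).
    """
    problems = validate_key(ckn, cak, cipher)
    if problems:
        raise ValueError("; ".join(problems))
    key_line = f"key {ckn} 0 {cak}" + (" fallback" if fallback else "")
    return ["mac security", f"profile {name}", f"cipher {cipher}", key_line]


if __name__ == "__main__":
    ckn, cak = generate_key("aes256-gcm-xpn")
    print("\n".join(profile_config("sample_Profile", "aes256-gcm-xpn", ckn, cak)))
```

The same pair must be configured on both peers (the key server and the non-key-server), so the generated values are the secret to distribute out of band; the rendered lines use key type 0, and a copy of the running-config will therefore show the CAK in clear unless the hidden form (type 7) is used instead.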

key retirement immediate

The key retirement immediate command configures the key retirement feature on the key server and assists the key server to decide the principal actor for SAK distribution by triggering the re-election of principal actor immediately. It is recommended that the key retirement is configured on both key server and non key server peers.

The no key retirement immediate command disables the key retirement function by removing the key retirement immediate command from running-config.

Command Mode

MACsec Profile

Command Syntax

key retirement immediate

Example

The following commands configure the key retirement immediate feature on a switch for a MACsec profile called sample.
Switch(config)#mac security
Switch(config-mac-security)#profile sample
Switch(config-mac-security-profile-sample)#key retirement immediate

license

The license command configures the license for MAC security on the switch. MACsec licenses are tied to a switch. Every switch running MACsec requires a separate license of its own.

Note: Contact your system engineer to acquire the required license codes before attempting to configure MACsec.

Command Mode

MACsec Profile

Command Syntax

license <options>

Parameters

  • options The options through which the license is configured.
    • WORD Licensee name.
    • import Import license from a URL. Options include:
      • 8-digit hex number Key to authorize Mac security
      • alert-base: Path to license file
      • certificate: Path to license file
      • checkpoint: Path to license file
      • extension: Path to license file
      • file: Path to license file
      • flash: Path to license file
      • ftp: Path to license file
      • http: Path to license file
      • https: Path to license file
      • scp: Path to license file
      • sftp: Path to license file
      • system: Path to license file
      • terminal: Path to license file
      • tftp: Path to license file
    • update Trigger a check for license. Options include:
      • 8-digit hex number Key to authorize Mac security

Example

The following example configures the license for MAC security on the switch.
Switch(config)#mac security
Switch(config-mac-security)#
Switch(config-mac-security-profile-test)#license ABC RRGGBBAA

mac security

The mac security command enables MAC security provision on the switch.

The no mac security and default mac security commands restore the switch to its default state by removing the corresponding mac security command from running-config.

Command Mode

Global Configuration

Command Syntax

mac security

no mac security

default mac security

Example

The following command will place the switch in MAC security mode.
Switch(config)#mac security
Switch(config-mac-security)#

mka key-server

The mka key-server command configures the key server priority used to elect the key server among the MACsec peers.

Command Mode

MACsec Profile Configuration

Command Syntax

mka key-server priority <value>

Parameters

  • priority MKA key server priority.
  • value Key server priority value. Value ranges from 0 to 255.

Example

The following example configures a key server priority of 10 among the MACsec peers.
Switch(config)#mac security
Switch(config-mac-security)#profile sample_Profile
Switch(config-mac-security-sample_Profile)#mka key-server priority 10

mka session

The mka session command configures the period at which the SAK is refreshed.

Command Mode

MACsec Profile Configuration

Command Syntax

mka session rekey-period <value>

Parameter

  • rekey-period Sets the MKA session re-key period.
  • value Session re-key period in seconds. Value ranges from 30 to 100000.

Example

  • The following example configures the mka session rekey-period time of 10 seconds at which the SAK is refreshed.
    Switch(config)#mac security
    Switch(config-mac-security)#profile sample_Profile
    Switch(config-mac-security-sample_Profile)#mka session rekey-period 10

profile

The profile command configures the MACsec profile for MAC security on the switch. Profiles are mandatory for MACsec to be provisioned.

Command Mode

MACsec Configuration

Command Syntax

profile <profile-name>

Parameter

profile-name Name of the MACsec profile.

Example

The following example configures the MACsec profile called sample_Profile for MAC security on the switch.
Switch(config)#mac security
Switch(config-mac-security)#profile sample_Profile

show dot1x supplicant

The show dot1x supplicant command displays the 802.1X supplicant status.

Command Mode

EXEC

Command Syntax

show dot1x supplicant

Example

The following example displays information about 802.1X supplicant status.
switch#show dot1x supplicant

Interface: Ethernet6/1
Identity: arastra
EAP method: fast
Status: success
Supplicant MAC: 44:4c:a8:34:bf:20
Authenticator MAC: 00:1c:73:e0:d3:76

About the Output

Interface: The port on which the supplicant is running.

Identity: Configured supplicant identity.

EAP method: Configured EAP method (currently only EAP-FAST).

Status: Supplicant Status. Can be one of the following:

  • Success Authentication has been successful.
  • Down Authentication sequence has not begun.
  • Failed Authentication has failed.
  • Connecting Authentication is in progress.
  • Unused Supplicant is uninitialized.

Supplicant MAC: MAC address of the supplicant.

Authenticator MAC: MAC address of the authenticator (peer).

Existing Mac Security show commands can be used to look at Mac Security status.

show mac security counters detail

The show mac security counters detail command displays detailed information about the MACsec security counters.

Command Mode

EXEC

Command Syntax

show mac security counters detail

Example

The following example displays detailed information about MACsec security counters.
switch#show mac security counters detail
Ethernet4/1/1          Counter Name                    Count
-------------------------------------------------------
outPktsEncrypted                                       112
outOctetsEncrypted                                     11984
outPktsUntagged                                        0
outPktsTooLong                                         0
outPktCtrl                                             224
inPktsDecrypted                                        2
inOctetsDecrypted                                      214
inPktsUnchecked                                        0
inPktsOK                                               2
inPktsNotValid                                         0
inPktsNotUsingSA                                       0
inPktsCtrl                                             223
inPktsNoTag                                            8
inPktsTagged                                           0
inPktsBadTag                                           0
inPktsNoSCI                                            0
inPktsLate                                             0

Ethernet4/3/1          Counter Name                    Count
-------------------------------------------------------
outPktsEncrypted                                       2
outOctetsEncrypted                                     214
outPktsUntagged                                        0
outPktsTooLong                                         0
outPktCtrl                                             223
inPktsDecrypted                                        111
inOctetsDecrypted                                      11877
inPktsUnchecked                                        0
inPktsOK                                               111
inPktsNotValid                                         0
inPktsNotUsingSA                                       0
inPktsCtrl                                             224
inPktsNoTag                                            9
inPktsTagged                                           0
inPktsBadTag                                           0
inPktsNoSCI                                            0
inPktsLate                                             0

show mac security counters

The show mac security counters command displays information about the MACsec security counters.

Command Mode

EXEC

Command Syntax

show mac security counters

Example

The following example displays information about MACsec security counters.
switch#show mac security counters
Port       InPktsDecrypted   InOctetsDecrypted   OutPktsEncrypted   OutOctetsEncrypted
Et4/1/1    2                 214                 109                11663
Et4/3/1    109               11663               2                  214

show mac security interface detail

The show mac security interface detail command displays detailed MACsec information for the interface.

Command Mode

EXEC

Command Syntax

show mac security interface detail

Example

The following example displays detailed information about MACsec on the interface.
switch#show mac security interface detail
Interface: Ethernet4/1/1
SCI: 28:99:3a:82:6f:82::605
SSCI: 00000002
Controlled port: True
Key server priority: 16
Session rekey period: 0
Traffic: Protected
Key in use: 9d5bc0d3076ea4a08b99b9d9:1
Latest key: None
Old key: 9d5bc0d3076ea4a08b99b9d9:1(RT)

Interface: Ethernet4/3/1
SCI: 28:99:3a:82:6f:85::613
SSCI: 00000001
Controlled port: True
Key server priority: 16
Session rekey period: 0
Traffic: Protected
Key in use: 9d5bc0d3076ea4a08b99b9d9:1
Latest key: None
Old key: 9d5bc0d3076ea4a08b99b9d9:1(RT)

About the Output

  • Interface: Name of the interface.
  • Secure Channel Identifier (SCI): Combination of MAC address and port number, used to uniquely identify a Mac Security port.
  • Controlled Port: Indicates whether Mac Security is enabled on the port. A value of True indicates that encryption is enabled on the port.
  • Key In Use: The SAK identifier currently in use. Combination of the Key Server's message identifier (see below) and key number.
  • Key Server Priority: Configured key server priority.
  • Session Rekey Period: Configured session rekey period.
  • Latest Key: Latest SAK being negotiated by the Mac Security Key Agreement Protocol (MKA).
  • Old Key: The last SAK negotiated by the Mac Security Key Agreement Protocol (MKA).

    Note: Latest key and Old key are MKA protocol-specific terms that refer to the last two keys in use. For all practical purposes, the Key In Use field identifies the current key.

show mac security interface

The show mac security interface command displays information about MACsec on the interface.

Command Mode

EXEC

Command Syntax

show mac security interface

Example

The following example displays information about MACsec on the interface.
Switch#show mac security interface
Interface      SCI                     Controlled Port  Key in Use
Ethernet4/1/1  28:99:3a:82:6f:82::605  True             9d5bc0d3076ea4a08b99b9d9:1
Ethernet4/3/1  28:99:3a:82:6f:85::613  True             9d5bc0d3076ea4a08b99b9d9:1

show mac security mka counters

The show mac security mka counters command displays information about the MACsec MKA counters.

Command Mode

EXEC

Command Syntax

show mac security mka counters

Example

The following example displays information about MACsec MKA counters.
switch#show mac security mka counters
Interface      Rx Success  Rx Failure  Tx Success  Tx Failure
Ethernet4/1/1  287         0           288         0
Ethernet4/3/1  288         0           287         0

show mac security participants detail

The show mac security participants detail command displays detailed information about the MACsec participants.

Command Mode

EXEC

Command Syntax

show mac security participants detail

Example

The following example displays detailed information about MACsec participants.
switch#show mac security participants detail
Interface: Ethernet4/1/1
CKN: abcd
Message ID: 9d5bc0d3076ea4a08b99b9d9
Elected self: True
Success: True
Principal: True
Default: False
KeyServer SCI: 28:99:3a:82:6f:82::605
SAK transmit: True
LLPN exhaustion: 0
Distributed key identifier: 9d5bc0d3076ea4a08b99b9d9:1
Live peer list: ['c79ad8882c2dd3a8e838a691']
Potential peer list: []

CKN: dead
Message ID: 4ef4cf009161bd551b5e7434
Elected self: True
Success: True
Principal: False
Default: True
KeyServer SCI: 28:99:3a:82:6f:82::605
SAK transmit: False
LLPN exhaustion: 0
Distributed key identifier: None
Live peer list: ['3dfd4486b5f68a81014a37ec']
Potential peer list: []

Interface: Ethernet4/3/1
CKN: abcd
Message ID: c79ad8882c2dd3a8e838a691
Elected self: False
Success: True
Principal: True
Default: False
KeyServer SCI: 28:99:3a:82:6f:82::605
SAK transmit: True
LLPN exhaustion: 0
Distributed key identifier: 9d5bc0d3076ea4a08b99b9d9:1
Live peer list: ['9d5bc0d3076ea4a08b99b9d9']
Potential peer list: []

CKN: dead
Message ID: 3dfd4486b5f68a81014a37ec
Elected self: False
Success: True
Principal: False
Default: True
KeyServer SCI: 28:99:3a:82:6f:82::605
SAK transmit: False
LLPN exhaustion: 0
Distributed key identifier: None
Live peer list: ['4ef4cf009161bd551b5e7434']
Potential peer list:

About the Output

  • Connectivity Association Key Name (CKN): Configured name of the key in use.
  • Message ID: A random 92-bit string used as an identifier for an MKA participant.
  • Elected Self: True if this participant is the elected key server.
  • Success: True if this participant is live and has at least one live peer.
  • Principal: True if this participant is the principal participant elected to distribute SAKs.
  • Default: True if this participant is a fallback/backup participant (spawned when a fallback key is configured in a Mac Security profile).
  • Key Server SCI: The SCI of the key server.
  • SAK Transmit: True if the participant is ready to use the negotiated key for transmit.
  • LLPN Exhaustion: Increments if the number of data packets sent using the current key exceeds a certain threshold. Because a 64-bit packet number cipher suite is used, this should never increment.
  • Distributed Key Identifier: Message ID + key number of the most recently generated SAK.
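The fields above are what an operator checks when an MKA session looks wrong. The following Python parser and health check is an added example, not Arista tooling: the Ethernet4/1/1 block is the output shown above, while Ethernet4/5/1 (its Message IDs, SCI and peer lists) is constructed to show a port whose principal participant has no live peer and no distributed SAK.

```python
"""Parse 'show mac security participants detail' and flag unhealthy MKA state.
Added example, not Arista code: Ethernet4/1/1 is the output shown on this page,
Ethernet4/5/1 (Message IDs, SCI, peers) is constructed as a degraded port."""
import ast
from typing import Dict, List

SAMPLE_OUTPUT = """\
Interface: Ethernet4/1/1
CKN: abcd
Message ID: 9d5bc0d3076ea4a08b99b9d9
Elected self: True
Success: True
Principal: True
Default: False
KeyServer SCI: 28:99:3a:82:6f:82::605
SAK transmit: True
LLPN exhaustion: 0
Distributed key identifier: 9d5bc0d3076ea4a08b99b9d9:1
Live peer list: ['c79ad8882c2dd3a8e838a691']
Potential peer list: []

CKN: dead
Message ID: 4ef4cf009161bd551b5e7434
Elected self: True
Success: True
Principal: False
Default: True
KeyServer SCI: 28:99:3a:82:6f:82::605
SAK transmit: False
LLPN exhaustion: 0
Distributed key identifier: None
Live peer list: ['3dfd4486b5f68a81014a37ec']
Potential peer list: []

Interface: Ethernet4/5/1
CKN: abcd
Message ID: 0123456789abcdef01234567
Elected self: True
Success: False
Principal: True
Default: False
KeyServer SCI: 28:99:3a:82:6f:90::701
SAK transmit: False
LLPN exhaustion: 0
Distributed key identifier: None
Live peer list: []
Potential peer list:
"""


def _value(key: str, raw: str) -> object:
    # Convert one field: bools, ints, None and python-style lists, else keep text.
    if raw in ("True", "False"):
        return raw == "True"
    if raw == "None":
        return None
    if raw.startswith("["):
        return ast.literal_eval(raw)
    if raw == "" and key.endswith("list"):   # 'Potential peer list:' printed empty
        return []
    return int(raw) if raw.isdigit() else raw


def parse_participants(text: str) -> Dict[str, List[Dict[str, object]]]:
    """Return {interface: [participant, ...]}; participant blocks end at a blank line."""
    result: Dict[str, List[Dict[str, object]]] = {}
    interface, current = None, {}
    for line in [ln.strip() for ln in text.splitlines()] + [""]:
        if not line or line.startswith("Interface:"):
            if current and interface is not None:
                result[interface].append(current)
            current = {}
            if line:
                interface = line.split(":", 1)[1].strip()
                result.setdefault(interface, [])
            continue
        key, _, raw = line.partition(":")      # first colon only: SCIs contain colons
        current[key.strip()] = _value(key.strip(), raw.strip())
    return result


def audit(participants: Dict[str, List[Dict[str, object]]]) -> Dict[str, List[str]]:
    """Return {interface: [finding, ...]}; an empty list means the port looks healthy."""
    findings: Dict[str, List[str]] = {}
    for intf, plist in participants.items():
        issues: List[str] = []
        for p in plist:
            ckn = p.get("CKN")
            if p.get("LLPN exhaustion", 0):
                issues.append(f"CKN {ckn}: LLPN exhaustion is non-zero (should never increment)")
            if not p.get("Principal"):
                continue                       # fallback/backup participants are idle
            if not p.get("Success"):
                issues.append(f"CKN {ckn}: principal has no live peer (Success False)")
            if not p.get("SAK transmit"):
                issues.append(f"CKN {ckn}: principal not ready to transmit with a SAK")
            if p.get("Distributed key identifier") is None:
                issues.append(f"CKN {ckn}: no SAK has been distributed")
            if p.get("Default"):
                issues.append(f"CKN {ckn}: fallback CAK is principal; primary CAK not in use")
        findings[intf] = issues
    return findings
```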

show mac security participants

The show mac security participants command displays information about the MACsec participants.

Command Mode

EXEC

Command Syntax

show mac security participants

Example

The following example displays information about MACsec participants.
switch#show mac security participants
Interface: Ethernet4/1/1
CKN: abcd
Message ID: 9d5bc0d3076ea4a08b99b9d9
Elected self: True
Success: True
Principal: True
Default: False

CKN: dead
Message ID: 4ef4cf009161bd551b5e7434
Elected self: True
Success: True
Principal: False
Default: True

Interface: Ethernet4/3/1
CKN: abcd
Message ID: c79ad8882c2dd3a8e838a691
Elected self: False
Success: True
Principal: True
Default: False

CKN: dead
Message ID: 3dfd4486b5f68a81014a37ec
Elected self: False
Success: True
Principal: False
Default: True

show mac security status

The show mac security status command displays the MACsec status information on a switch.

Command Mode

EXEC

Command Syntax

show mac security status

Example

The following command displays the MACsec status information.
switch#show mac security status
Active Profiles: 1
Data Delay Protection: No
FIPS Mode: No
Secured Interfaces: 2
License: Enabled

supplicant profile

The supplicant profile command configures the supplicant profile containing all the credentials necessary for 802.1X authentication to succeed.

Command Mode

dot1x Configuration

Command Syntax

supplicant profile <profile_name> <options>

Parameters

  • profile_name: Name of the supplicant profile.
  • The following parameters can be included after entering the profile mode:
    • eap-method: Extensible Authentication Protocol (EAP) method. Options include:
      • fast: EAP Flexible Authentication via Secure Tunneling (EAP-FAST)
    • identity: Extensible Authentication Protocol (EAP) user identity. Options include:
      • WORD: User identity name.
    • passphrase: Extensible Authentication Protocol (EAP) password. Options include:
      • 0: Specifies that an UNENCRYPTED key follows.
      • 7: Specifies that a HIDDEN key follows.
      • LINE: The UNENCRYPTED (clear-text) shared key.
Examples

  • The following commands place the switch in the supplicant profile mode.
    Switch(config)#dot1x
    Switch(config-dot1x)#supplicant profile test
    Switch(config-dot1x-supp-profile-test)#
  • The following commands configure the EAP-FAST method for the supplicant profile called test for MAC security on the switch.
    Switch(config)#dot1x
    Switch(config-dot1x)#supplicant profile test
    Switch(config-dot1x-supp-profile-test)#eap-method fast
  • The following commands configure the identity for the supplicant profile called test for MAC security on the switch.
    Switch(config)#dot1x
    Switch(config-dot1x)#supplicant profile test
    Switch(config-dot1x-supp-profile-test)#identity New_User
  • The following commands configure the passphrase for the supplicant profile called test for MAC security on the switch.
    Switch(config)#dot1x
    Switch(config-dot1x)#supplicant profile test
    Switch(config-dot1x-supp-profile-test)#passphrase 7 070E334D5D1D0B04

traffic unprotected allow

The traffic unprotected allow command configures the switch to allow unprotected traffic whenever no successful MKA session is established with the peer.

The no traffic unprotected allow command disables the MACsec Fallback to Unprotected Traffic function by removing the traffic unprotected allow command from running-config.

Command Mode

MACsec Profile

Command Syntax

traffic unprotected allow

no traffic unprotected allow

Example

The following commands remove the traffic unprotected allow command from the MACsec profile called sample, disabling the MACsec fallback to unprotected traffic for that profile.
Switch(config)#mac security
Switch(config-mac-security)#profile sample
Switch(config-mac-security-profile-sample)#no traffic unprotected allow

Internet Protocol Security (IPsec)

This section describes Arista's IPsec implementation. Topics in this section include:

IPsec Introduction

Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents periodically during the session and negotiation of cryptographic keys to be used during the session. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.

IPsec is used to protect data traffic between sites, for example between branch, HQ, and data center sites in an enterprise.

IPsec uses the following protocols to perform various functions:

  • Authentication Header (AH): provides connectionless integrity and data origin authentication for IP datagrams, and protection against replay attacks.
  • Encapsulating Security Payload (ESP): provides confidentiality, data-origin authentication, connectionless integrity, and an anti-replay service (a form of partial sequence integrity).
  • Internet Key Exchange (IKE): a key management protocol that provides security for virtual private network (VPN) negotiations and network access to random hosts. It is also described as a method for exchanging keys for encryption and authentication over an unsecured medium, such as the Internet.

IPsec Overview

Security Associations

Security Associations (SAs) provide the bundle of algorithms and data that supply the parameters necessary for AH and/or ESP operation. The Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for authentication and key exchange, with the actual authenticated keying material provided either by manual configuration with pre-shared keys, by Internet Key Exchange (IKE and IKEv2), or by other mechanisms. To decide what protection to apply to an outgoing packet, IPsec uses the Security Parameter Index (SPI), an index into the security association database (SADB), together with the destination address in the packet header; these two values uniquely identify the security association for that packet. A similar procedure is performed for an incoming packet, where IPsec retrieves the decryption and verification keys from the security association database.

Full bidirectional communication requires at least two SAs, one for each direction. An SA is defined by the following parameters:

  • Security protocol: Authentication Header (AH) or Encapsulating Security Payload (ESP), with its algorithms and keys
  • Mode: Tunnel or Transport
  • Key Management Method: Manual or IKE
  • Lifetime: Expressed in hours
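The SPI-plus-destination lookup and the ESP anti-replay service described above, modelled in Python as an added example (not Arista's implementation). The SPI 0xca5560f4, the address 11.1.1.1 and the 16384-entry replay window mirror the show ip security connection output later in this section; the SADB contents and the packet trace are constructed.

```python
"""Model of inbound IPsec SA selection by (SPI, destination address) and the ESP
anti-replay window. Added example, not Arista's implementation: the SPI and
address mirror this section's show ip security connection output, the packet
trace and the SADB are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class InboundSA:
    spi: int
    dst: str
    window: int = 64            # replay-window size; the show output uses 16384
    highest_seq: int = 0        # highest sequence number accepted so far
    bitmap: int = 0             # bit i set => (highest_seq - i) was already received
    replay_drops: int = 0       # mirrors the 'replay' error counter in the show output

    def check_replay(self, seq: int) -> bool:
        """RFC 4303 sliding-window test: True if seq is fresh, False if it must be dropped."""
        if seq == 0:
            return False                     # ESP never uses sequence number 0
        if seq > self.highest_seq:
            return True                      # to the right of the window: new
        offset = self.highest_seq - seq
        if offset >= self.window:
            return False                     # fell off the left edge: too old
        return not (self.bitmap >> offset) & 1

    def accept(self, seq: int) -> None:
        """Record seq; call only after the ICV has been verified."""
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest_seq = seq
        else:
            self.bitmap |= 1 << (self.highest_seq - seq)


class SADB:
    """Security association database keyed the way IPsec selects inbound SAs."""

    def __init__(self) -> None:
        self._sas: Dict[Tuple[int, str], InboundSA] = {}

    def add(self, sa: InboundSA) -> None:
        self._sas[(sa.spi, sa.dst)] = sa

    def lookup(self, spi: int, dst: str) -> Optional[InboundSA]:
        return self._sas.get((spi, dst))


def process_inbound(sadb: SADB, packets: List[Tuple[int, str, int]]) -> Dict[str, int]:
    """Run (spi, dst, seq) packets through SA lookup and anti-replay; integrity is
    assumed to verify, so every packet that passes the window is accepted."""
    stats = {"accepted": 0, "no_sa": 0, "replay": 0}
    for spi, dst, seq in packets:
        sa = sadb.lookup(spi, dst)
        if sa is None:
            stats["no_sa"] += 1              # unknown (SPI, dst) pair: discard
            continue
        if not sa.check_replay(seq):
            sa.replay_drops += 1
            stats["replay"] += 1
            continue
        sa.accept(seq)                       # window advances only after the ICV check
        stats["accepted"] += 1
    return stats


def demo() -> Dict[str, int]:
    """Constructed trace: reordering inside the window is fine, replays and
    packets older than the window are dropped, wrong SPI or address finds no SA."""
    sadb = SADB()
    sadb.add(InboundSA(spi=0xCA5560F4, dst="11.1.1.1", window=16384))
    trace = [
        (0xCA5560F4, "11.1.1.1", 1),
        (0xCA5560F4, "11.1.1.1", 2),
        (0xCA5560F4, "11.1.1.1", 5),         # 3 and 4 still outstanding
        (0xCA5560F4, "11.1.1.1", 3),         # late but inside the window: accepted
        (0xCA5560F4, "11.1.1.1", 2),         # replay of an accepted packet
        (0xCA5560F4, "11.1.1.1", 20000),     # jump far right, window slides
        (0xCA5560F4, "11.1.1.1", 4),         # now 19996 behind: older than the window
        (0xDEADBEEF, "11.1.1.1", 1),         # unknown SPI
        (0xCA5560F4, "11.2.1.1", 6),         # known SPI, wrong destination address
    ]
    return process_inbound(sadb, trace)


if __name__ == "__main__":
    print(demo())                            # {'accepted': 5, 'no_sa': 2, 'replay': 2}
```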

Mode of Operation

IPsec on Arista switches operates in tunnel mode. In tunnel mode, the entire IP packet is encrypted and/or authenticated. It is then encapsulated into a new IP packet with a new IP header.

Tunnel mode is used to create virtual private networks for network-to-network communications (for example, between routers to link sites). Tunnel mode is used for most network-to-network IPsec.

Key Management

Key management on Arista switches uses the Internet Key Exchange (IKE) method. IKE supports automated generation and renegotiation of SAs (including keys) between the devices at a configured interval, so it is much more scalable and secure.

IPsec needs SAs to define the algorithms and keys to use for protecting traffic. IKE establishes the SA so IPsec can protect traffic.

There are two IKE versions, IKEv1 and IKEv2. IKEv2 builds on IKEv1, but both are still widely used today.

IKEv1

IKEv1 has two phases:

  • IKEv1 Phase 1
  • IKEv1 Phase 2

IKEv1 Phase 1

  • Uses main or aggressive mode exchange
  • Negotiates IKE SA
  • Used for control plane
  • Peer authentication

IKEv1 Phase 2

  • Uses quick mode exchange
  • Negotiates IPsec SAs

Note that there are two different SAs that are established. The IKE SA protects only the IKE key management session using the IKE policy defined. The policy should include the following parameters:

  • Encryption algorithm
  • Hash MAC (HMAC) algorithm
  • Peer authentication procedure
  • Diffie-Hellman group for initial key exchange
  • SA lifetime

IKE initially performs a Diffie-Hellman (DH) exchange at the start of the IKE session. A Diffie-Hellman exchange allows participants to produce a shared secret value. The strength of the technique is that it allows participants to create the secret value over an unsecured medium without passing the secret value over the wire. From that exchange, peers derive shared keying material, which is then used for IKE encryption and integrity functions. The strength of that keying material can be traded for faster performance by choosing smaller key sizes for the Diffie-Hellman exchange. The key length (strength) of Diffie-Hellman exchanges is changed by selecting a different DH group.

When an IKE session's lifetime expires, a new Diffie-Hellman exchange is performed between peers and the IKE SA is re-established.

The IPsec protection policy, which results in IPsec SAs, defines the protection of network traffic. These IPsec SAs are usually negotiated over IKE sessions. The parameters that define the IPsec protection policy are:

  • Encryption Algorithm
  • Hash MAC (HMAC) Algorithm

Note that the key material for IPsec SA (also called Child SA) is derived from keying material from IKEv1 phase 1.

There are two different modes for phase 1:

  • Main Mode
    • 6 packet exchange
    • Full identity protection and better anti-DoS protection
  • Aggressive Mode
    • 3 packet faster session establishment
    • Identities are exchanged in clear
    • Weak DoS protection

Authentication

  • Pre-Shared Keys (PSK): As the name suggests, a shared secret is distributed out-of-band to the peers. The peers use this information and nonce parameters to create a hash that is used to authenticate messages.
  • PKI Certificates: Here, certificates of the peers are exchanged and hashes are calculated over these certificates to authenticate each other.
IKEv2

IKEv2 differs from IKEv1 in the following ways:

  • Faster setup because of reduced number of messages
  • More secure
  • ESP is reused for all IKEv2 messages
  • Suite-B support
  • There is no aggressive mode, so IKEv2 always provides identity protection
  • Additional authentication methods
  • Local and remote can use different authentication methods and use different pre-shared keys
  • Authentication is done unidirectionally in IKEv2

Certificate Management

There are many protocols and standards available now that ease the process of certificate enrollment, certificate request, and certificate status checking. Some popular ones are RSA Labs' PKCS #7, PKCS #10, Cisco's Simple Certificate Enrollment Protocol (SCEP), and Online Certificate Status Protocol (OCSP).

Certificate Enrollment

There are two methods for certificate enrollment:

  • SCEP: Simple Certificate Enrollment Protocol. In this mode, EOS automatically enrolls the certificate with the CA.
  • Manual: Used if the CA does not support SCEP or there is no network access from the device to the CA. The steps are as follows:
    1. Generate a Certificate Signing Request (CSR) and display it on the terminal. The CSR is represented as a Base64-encoded PKCS#10. The admin has to cut and paste the request into the CA to generate the certificate. The admin will have to specify the router FQDN and IP address.
    2. Import the certificate into EOS.
Certificate Validation

To verify the validity of certificates, Arista switches use two mechanisms:

  • CRL: A Certificate Revocation List (CRL) is a list of certificates (or more specifically, a list of serial numbers of certificates) that have been revoked. Entities presenting those (revoked) certificates should no longer be trusted. CRLs can be obtained through Simple Certificate Enrollment Protocol (SCEP).
  • OCSP: The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. Since it is an online protocol, it is accessed in real time and avoids the caching-related security problems CRLs pose. OCSP also reduces the load on all devices, since they don't have to be updated with the entire CRL. However, the devices need to have access to the OCSP server.

Route-based VPN

A route-based VPN employs routed tunnel interfaces as the endpoints of the virtual network. All traffic passing through a tunnel interface is placed into the VPN. Rather than relying on an explicit policy to dictate which traffic enters the VPN, static and/or dynamic IP routes are formed to direct the desired traffic through the VPN tunnel interface.

Because route-based VPNs support dynamic routing information through VPN tunnels, EOS supports only route-based VPN, for dynamic routing support and for easier configuration and management.

In a route-based VPN, features such as NAT, ACLs, and QoS are applied to packets before encryption when they are configured on the tunnel interface, and to encrypted packets when they are configured on the physical interface carrying the tunnel traffic.

Virtual Template Interface (VTI)

A new tunnel interface type, vti, is introduced to represent the VPN tunnel. This tunnel interface participates in routing, and any packets forwarded to it are encrypted and forwarded to the other end of the tunnel. Note that this does not add a new header to the packet.

Configuring IPsec

Complete the following steps to configure IPsec tunnels over the switch.

This configuration will use the default IKE version 2 procedure.

  1. Use ip security command to enter IP security mode.
    switch(config)#ip security
  2. To use IKE version 1, enter the following commands before continuing with the steps below, which otherwise use the default IKE version 2.
    switch(config)#ip security
    switch(config-ipsec)#ike policy ike-peerRtr
    switch(config-ipsec-ike)#version 1
  3. Create an IKE Policy to be used to communicate with the peer to establish IKE. You have the option of configuring multiple IKE policies.

    The default IKE Policy values are:

    • Encryption - AES256 / AES128
    • Integrity - SHA256 / SHA128
    • DH group - Group 14
    • IKE lifetime - 8 hours
    switch(config-ipsec)#ike policy ike-router
    switch(config-ipsec-ike)#encryption aes256
    switch(config-ipsec-ike)#integrity sha256
    switch(config-ipsec-ike)#dh-group 24
    switch(config-ipsec-ike)#version 2
  4. If the router is behind a NAT, configure the local-id with the local public IP address. The public IP corresponds to the underlying interface over which the IKE communications are done with the peer.
    switch(config-ipsec-ike)#local-id <public ip address>
  5. Create an IPsec Security Association policy to be used in the data path for encryption and integrity. Optionally enable Perfect Forward Secrecy by configuring a DH group for the SA. In this example, AES256 is used for encryption, SHA256 is used for integrity, and Perfect Forward Secrecy is enabled (the DH group is 14).
    switch(config-ipsec)#sa policy sa-vrouter
    switch(config-ipsec-sa)#esp encryption aes256
    switch(config-ipsec-sa)#esp integrity sha256
    switch(config-ipsec-sa)#pfs dh-group 14
    switch(config-ipsec-sa)#sa lifetime 2
    switch(config-ipsec-sa)#exit
  6. Bind or associate the IKE and SA policies together using an IPsec profile. Provide a shared-key, which must be common on both peers. The default profile assigns default values for all parameters that are not explicitly configured in the other profiles. In this example, the IKE Policy ike-peerRtr and SA Policy sa-peerRtr are applied to profile peer-Rtr. Dead Peer Detection is enabled and configured to delete the connection when the peer is down for more than 50 seconds. The peer peer-Rtr is set to be the responder.
    switch(config-ipsec)#profile default
    switch(config-ipsec-profile)#ike-policy ikedefault
    switch(config-ipsec-profile)#sa-policy sadefault
    switch(config-ipsec-profile)#shared-key arista
    switch(config-ipsec-profile)#connection start
    switch(config-ipsec)#profile vrouter
    switch(config-ipsec-profile)#ike-policy ike-vrouter
    switch(config-ipsec-profile)#sa-policy sa-vrouter
    switch(config-ipsec-profile)#dpd 10 50 clear
    switch(config-ipsec-profile)#connection add
  7. Configure the WAN interface to be the underlying interface for the tunnel. You must specify an L3 address for the tunnel. If you do not, the switch cannot route packets using the tunnel.
    switch(config)#interface Et1
    switch(config-if-Et1)#no switchport
    switch(config-if-Et1)#ip address 1.0.0.1/24
    switch(config-if-Et1)#mtu 1500
  8. Apply the IPsec profile to a new tunnel interface. You create the new tunnel interface as part of this step. You can configure the tunnel as a VTI IPsec tunnel. In this example, the new tunnel interface is Tunnel0. The new tunnel interface is configured to use IPsec. The other end of the tunnel also needs to be configured as a GRE-over-IPsec tunnel.
    switch(config)#interface tunnel0
    switch(config-if-Tu0)#ip address 1.0.3.1/24
    switch(config-if-Tu0)#mtu 1394
    switch(config-if-Tu0)#tunnel source 1.0.0.1
    switch(config-if-Tu0)#tunnel destination 1.0.0.2
    switch(config-if-Tu0)#tunnel ipsec profile vrouter

    Example Configuration

    ip security
       ike policy ikebranch1
          integrity sha256
          dh-group 15
       !
       sa policy sabranch1
          sa lifetime 2
          pfs dh-group 14
       !
       profile hq
          mode tunnel
          ike-policy ikebranch1
          sa-policy sabranch1
          connection add
          shared-key keyAristaHq
          dpd 10 50 clear
       !
    interface Tunnel1
       mtu 1404
       ip address 1.0.3.1/24
       tunnel source 1.0.0.1
       tunnel destination 1.0.0.2
       tunnel ipsec profile hq
    !
    interface Ethernet1
       no switchport
       ip address 1.0.0.1/24
    !
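The steps above leave several things to get right by hand: every profile must name an IKE and SA policy that exists, the ESP combination must be one the sa policy note says EOS 4.22.0F supports, an IPsec tunnel must carry an IP address, and a shared-key must come from the profile or from profile default. The following Python linter is an added example, not Arista code; its configuration is constructed from the example configuration above (3-space EOS indentation assumed), with an unsupported ESP combination, a profile branch2 that names a missing IKE policy ikenowhere, and an address-less Tunnel2 added as deliberate defects.

```python
"""Lint an EOS IPsec configuration against the constraints stated in this section.
Added example, not Arista code. The config is constructed from the page's example
(3-space EOS indentation assumed) plus deliberate defects: an ESP combination the
sa policy note excludes, profile branch2 naming a missing IKE policy, and Tunnel2
with no IP address."""
from typing import Dict, List

SUPPORTED_ESP = {("aes128", "sha1"), ("aes256", "sha256")}   # per the sa policy note
KEYWORDS = ("esp encryption", "esp integrity", "sa lifetime", "pfs dh-group",
            "tunnel ipsec profile", "tunnel source", "tunnel destination", "ip address",
            "ike-policy", "sa-policy", "shared-key", "dh-group", "integrity",
            "encryption", "version", "connection", "dpd", "mode", "mtu")

SAMPLE_CONFIG = """\
ip security
   ike policy ikebranch1
      integrity sha256
      dh-group 15
   !
   sa policy sabranch1
      esp encryption aes256
      esp integrity sha1
      sa lifetime 2
      pfs dh-group 14
   !
   profile hq
      ike-policy ikebranch1
      sa-policy sabranch1
      shared-key keyAristaHq
   !
   profile branch2
      ike-policy ikenowhere
      sa-policy sabranch1
!
interface Tunnel1
   ip address 1.0.3.1/24
   tunnel source 1.0.0.1
   tunnel destination 1.0.0.2
   tunnel ipsec profile hq
!
interface Tunnel2
   tunnel source 1.0.0.1
   tunnel destination 1.0.0.3
   tunnel ipsec profile branch2
!
"""


def parse_config(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Return {'ike'|'sa'|'profile'|'tunnel': {name: {keyword: value}}}."""
    cfg: Dict[str, Dict[str, Dict[str, str]]] = {"ike": {}, "sa": {}, "profile": {}, "tunnel": {}}
    in_ipsec, current = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        depth = (len(raw) - len(raw.lstrip(" "))) // 3
        words = line.split()
        if depth == 0:                              # global configuration mode
            in_ipsec, current = line == "ip security", None
            if words[0] == "interface" and words[1].startswith("Tunnel"):
                current = cfg["tunnel"].setdefault(words[1], {})
        elif depth == 1 and in_ipsec:               # ip security sub-modes
            if words[0] in ("ike", "sa") and words[1] == "policy":
                current = cfg[words[0]].setdefault(words[2], {})
            elif words[0] == "profile":
                current = cfg["profile"].setdefault(words[1], {})
            else:
                current = None
        elif current is not None:                   # attribute of the open sub-mode
            key = next((k for k in KEYWORDS if line == k or line.startswith(k + " ")), line)
            current[key] = line[len(key):].strip()
    return cfg


def lint(cfg: Dict[str, Dict[str, Dict[str, str]]]) -> List[str]:
    """Return human-readable findings; an empty list means the config passes."""
    out: List[str] = []
    for name, sa in cfg["sa"].items():
        combo = (sa.get("esp encryption"), sa.get("esp integrity"))
        if all(combo) and combo not in SUPPORTED_ESP:
            out.append(f"sa policy {name}: esp {combo[0]}/{combo[1]} is not a supported combination")
    for name, prof in cfg["profile"].items():
        for ref, store in (("ike-policy", "ike"), ("sa-policy", "sa")):
            if ref in prof and prof[ref] not in cfg[store]:
                out.append(f"profile {name}: {ref} {prof[ref]} is not defined")
    default = cfg["profile"].get("default", {})     # supplies parameters a profile leaves unset
    for name, tun in cfg["tunnel"].items():
        pname = tun.get("tunnel ipsec profile")
        if pname is None:
            continue                                # not an IPsec tunnel
        if "ip address" not in tun:
            out.append(f"interface {name}: no ip address, packets cannot be routed over the tunnel")
        prof = cfg["profile"].get(pname)
        if prof is None:
            out.append(f"interface {name}: tunnel ipsec profile {pname} is not defined")
        elif "shared-key" not in prof and "shared-key" not in default:   # assumes PSK authentication
            out.append(f"interface {name}: profile {pname} has no shared-key and profile default provides none")
    return out
```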

Displaying IPsec Information

  • Use the show ip security policy command to display the IPsec policy information.
    switch#show ip security policy
    Policy Name  Authentication  Encryption   Integrity    Lifetime  Rekey  DH Group
    ike-policy   Pre-shared      256-bit AES  256bit Hash  8 hours   False  3072 bit
  • Use the show ip security profile command to display the IP security profile information.
    switch#show ip security profile
    Profile name   IKE Policy Name  SA
    ipsec-profile  ike-policy       sa-policy

IPsec Commands

ike policy

The ike policy command configures the Internet Security Association and Key Management Protocol (ISAKMP) and related policies on the switch. The IKE policy is configured in IP security configuration mode.

The no ike policy command deletes the IKE policy configuration from the switch.

The exit command returns the switch to the global configuration mode.

Command Mode

IP Security Configuration

Command Syntax

ike policy <policy-name>

no ike policy <policy-name>

Parameters

  • policy-name Specifies the IKE policy name.

The following parameters are allowed to configure when the switch is placed in IKE policy configuration mode:

  • authentication specifies the authentication type.
  • dh-group specifies Diffie-Hellman Group value.
  • encryption specifies the encryption type.
  • ike-lifetime sets the IKE lifetime for the ISAKMP security association, expressed in hours.
  • integrity specifies the Integrity algorithm.
  • local-id specifies the local IKE identification.
  • remote-id remote peer IKE identification.
  • version specifies the IKE version.

Example

This command configures the IKE policy test for IP security configuration.
switch(config-ipsec)#ike policy test
switch(config-ipsec-ike)#

interface tunnel (IPsec)

The interface tunnel command places the switch in the interface tunnel configuration mode.

Interface tunnel configuration mode is not a group change mode; running-config is changed immediately after commands are executed.

The no interface tunnel command deletes the interface tunnel configuration.

The exit command returns the switch to the global configuration mode.

Command Mode

Global Configuration

Command Syntax

interface tunnel <value>

no interface tunnel <value>

Parameter

value Tunnel interface number. The value ranges from 0 to 255.

Example

This command places the switch in interface tunnel configuration mode with a tunnel value 10.
switch(config)#interface tunnel 10
switch(config-if-Tu10)#

ip security

The ip security command places the switch in the IP security configuration mode.

IP security configuration mode is not a group change mode; running-config is changed immediately after commands are executed.

The no ip security command deletes the IP security configuration.

The exit command returns the switch to the global configuration mode.

Command Mode

Global Configuration

Command Syntax

ip security

no ip security

Example

This command places the switch in IP security configuration mode.
switch(config)#ip security
switch(config-ipsec)#ike policy IKE1
switch(config-ipsec-IKE1)#exit
switch(config-ipsec)#sa policy SA1
switch(config-SA1)#

profile (IPsec)

The profile command configures the IP security profile on the switch. The profile is configured in IP security configuration mode.

The no profile command deletes the IP security profile configuration from the switch.

The exit command returns the switch to the global configuration mode.

Command Mode

IP Security Configuration

Command Syntax

profile <profile-name>

no profile <profile-name>

Parameter

  • profile-name Specifies the IP security profile name.

The following parameters can be configured in IP security profile configuration mode:

  • connection IPsec Connection (Initiator/Responder/Dynamic).
  • dpd Dead Peer Detection.
  • flow sets the flow.
  • ike-policy ISAKMP policy.
  • mode IP security mode type.
  • sa-policy security association name.
  • shared-key specifies key value.

Example

This command configures the IP security profile test for IP security configuration.
switch(config-ipsec)#profile test
switch(config-ipsec-profile)#

sa policy

The sa policy command specifies a Security Association (SA) policy to be used for IPsec configuration, and enters IP security SA policy configuration mode to configure the named policy.

The no sa policy command deletes the specified SA policy configuration from the switch.

The exit command returns the switch to the global configuration mode.

Note: The Arista EOS 4.22.0F release supports only two encapsulation combinations: "esp encryption aes128" with "esp integrity sha1", and "esp encryption aes256" with "esp integrity sha256".

Command Mode

IP Security Configuration

Command Syntax

sa policy <policy_name>

no sa policy <policy_name>

Parameter

  • policy_name Specifies the SA policy name.

The following parameters are configured in IP security SA policy configuration mode:

  • anti-replay IPsec duplicate IP datagram detection
  • esp Encapsulation Security Payload
  • pfs Perfect Forward Secrecy
  • sa Security Association

Example

This command applies the SA policy called test for IP security and enters IP security SA policy configuration mode for the test policy.
switch(config-ipsec)#sa policy test
switch(config-ipsec-sa)#

show ip security applied-profile

The show ip security applied-profile command displays the IP security profile names and the interfaces on which they are applied.

Command Mode

EXEC

Command Syntax

show ip security applied-profile

Example

This command displays the IP security profile-1 and the interfaces on which it is applied.
switch#show ip sec applied-profile
Profile Name     Interface
ipsec-profile-1  Tunnel1,
 Tunnel2,
 Tunnel3,
 Tunnel4,
 Tunnel5,
 Tunnel6,
 Tunnel7,
 Tunnel8,
 Tunnel9,
 Tunnel10,
 Tunnel11,
 Tunnel12,
 Tunnel13,
 Tunnel14,
 Tunnel15,
 Tunnel16,
 Tunnel17,
 Tunnel18,
 Tunnel19,
 Tunnel20,
 Tunnel21,
 Tunnel22,
 Tunnel23,
 Tunnel24,
 Tunnel25,
 Tunnel26,

show ip security connection

The show ip security connection command displays the IP security connection status information.

Command Mode

EXEC

Command Syntax

show ip security connection

Example

These commands display the IP security connection status information.
switch#show ip sec conn tunnel 1
Tunnel   Source    Dest      Status       Uptime    Input    Output         Rekey Time
Tunnel1  11.1.1.1  11.2.1.1  Established  19 hours  0 bytes  0 bytes        4 hours
                                                    0 pkts   62937679 pkts

switch#show ip sec conn tunnel 1 detail
Tunnel1:
  source address 11.1.1.1, dest address 11.2.1.1
  state: Established
  uptime: 19 hours, 7 minutes, 23 seconds
  Inbound SPI 0xca5560f4:
    request id 193, mode tunnel replay-window 16384, seq 0x0
    stats errors:
      replay-window 0, replay 0, integrity_failed 0
    lifetime config:
      softlimit 4534352933249 bytes, hardlimit 6442450944000 bytes
      softlimit 2077499095 pkts, hardlimit 4000000000 pkts
      expire add soft 85619 secs, hard 86400 secs
    lifetime current:
      0 bytes, 0 pkts
      add time Mon May 13 17:33:54 2019, use time Mon May 13 17:33:54 2019
  Outbound SPI 0xc60da749:
    request id 193, mode tunnel replay-window 16384, seq 0x0
    stats errors:
      replay-window 0, replay 0, integrity_failed 0
    lifetime config:
      softlimit 3286021368749 bytes, hardlimit 6442450944000 bytes
      softlimit 2480571031 pkts, hardlimit 4000000000 pkts
      expire add soft 85418 secs, hard 86400 secs
    lifetime current:
      0 bytes, 62937679 pkts
      add time Mon May 13 17:33:54 2019, use time Mon May 13 18:06:42 2019

show ip security policy

The show ip security policy command displays the IP security policy information.

Command Mode

EXEC

Command Syntax

show ip security policy

Example

This command displays IP security policy configuration information.
switch#show ip security policy
Policy Name  Authentication  Encryption   Integrity    Lifetime  Rekey  DH Group
ike-policy   Pre-shared      256-bit AES  256bit Hash  8 hours   False  3072 bit

show ip security profile

The show ip security profile command displays the IP security profile information.

Command Mode

EXEC

Command Syntax

show ip security profile

Example

This command displays IP security profile configuration information.
switch#show ip security profile
Profile name   IKE Policy Name  SA
ipsec-profile  ike-policy       sa-policy

show ip security security-association

The show ip security security-association command displays the IP security SA information.

Command Mode

EXEC

Command Syntax

show ip security security-association

Example

This command displays the IP security SA information.
switch#show ip sec security-association
SA Name      ESP Encryption  ESP Integrity  Lifetime  PFS Group
sa-policy-1  256-bit AES     256bit Hash    24 hours  2k bit

Macro-Segmentation Service (CVX)

Arista MSS is designed as a service in CloudVision that provides the point of integration between individual vendor firewalls or a firewall manager and the Arista network fabric. MSS provides flexibility on where to place the service devices and workloads. It is specifically aimed at Physical-to-Physical (P-to-P) and Physical-to-Virtual (P-to-V) workloads.

Topics in this section include:

Overview

The advent of contemporary networking features such as mobile applications and the Internet of Things (IoT) brings additional security challenges that legacy infrastructure does not protect against. These security breaches cannot be handled by installing a firewall at the Internet edge. Arista Macro-Segmentation Service (MSS) addresses the security breach issue, in addition to securing access and protecting critical data and end-user privacy.

MSS components include:

  • Arista leaf-spine switch fabric
  • Arista CloudVision
  • Vendor firewall attached to a spine or service leaf switches. Different vendor firewalls can be attached to different switches to enhance scalability.

The above component topology allows for consistent application deployment, manageability, and easier scaling of the network and service layers.

Usage Scenarios

The following usage scenarios describe a few major security challenges in today's data center that are successfully handled by MSS.

  1. Securing server-server traffic.

    This scenario describes the role of MSS in securing network traffic between physical-to-physical (P-to-P) and physical-to-virtual (P-to-V) servers. Prior to MSS, network infrastructure followed the firewall sandwich setup, where firewalls were placed inline between the security zones. This setup impacts the scalability and performance of the servers.

    Using MSS, this restriction on firewall placement is reduced. Firewalls are now attached to a service leaf switch in the network fabric and they still protect hosts without concern about their physical location. The following topology demonstrates the usage scenario.

    Figure 4. Securing server-server traffic
  2. Monitoring and securing management traffic.

    This usage scenario demonstrates how MSS successfully monitors and secures management interfaces in the data center.

    The modern data center caters to managing the application, storage, virtualization, network, analytics and other layers. With virtualization, the hypervisor management also needs to be secured to prevent unwanted access to a hypervisor management interface. In the event of rogue access, Arista's MSS protects management interfaces. Explicitly allowed hosts can gain access through a jump host or administrator end-user computing instances. The following topology diagram illustrates the role of MSS in a data center.

    Figure 5. Monitoring and Securing management traffic

Benefits

MSS provides the following key benefits:

  • Enhanced security between any physical and virtual workloads in the data center.
  • The automatic and seamless service insertion ability of MSS eliminates manual steering of traffic for a workload or a tenant.
  • Security policies are applied to the host and application throughout the network.
  • MSS is flexible since there are no proprietary frame formats, tagging, or encapsulation.

Terminology

The following terms related to MSS are used to describe the MSS feature:

  • Intercept Switch/VTEP: TOR switch and VXLAN tunnel end-point connected to host from which traffic is intercepted. In the topology diagram, Intercept-1 and Intercept-2 are intercept switches.
  • Service Switch/VTEP: TOR switch and VXLAN tunnel end-point connected to a firewall. In the topology diagram, Service-1 is the service switch.
  • Service VNI: VXLAN tunnel created to redirect intercepted traffic to the service device (mapped to locally significant service VLAN).
  • Original VNI: Original VNI traffic (mapped to Original VLAN).
  • VXLAN: Virtual eXtensible LAN - a standards-based method of encapsulating Layer 2 traffic across a Layer 3 fabric.
  • CVX: Arista CloudVision eXchange (CVX) is a part of CloudVision and is a virtualized instance of the same Extensible Operating System (EOS) that runs on physical switches. It functions as the point of integration between customer firewalls or firewall policy managers and the Arista network in order to steer traffic to the firewall.

How MSS Works

The following steps provide information about how MSS works as a service in the data center.

  1. MSS is enabled on the CloudVision eXchange (CVX) and the Arista switches are configured to stream their active state to CVX. This allows CVX to build a database of hosts and firewalls attached to the network and also to identify physical ports and IP addresses. CVX is also configured to communicate and synchronize policies from a vendor's firewall.
  2. CVX sends a request to the firewall or firewall manager to provide information about the security policies which are tagged for MSS usage. Accordingly, it will determine where traffic needs to be intercepted.
  3. CVX applies an intercept to steer the network traffic and pushes the intercept rules to the intercept switches where the server or applications are located.
    Figure 6. CVX intercept
  4. The leaf switch starts sending intercepted traffic to the service leaf when the intercept has been applied to the leaf switch.
    Figure 7. Leaf switches intercept
  5. Traffic is forwarded completely unmodified to the firewall after it enters the service leaf where the firewall is attached. Based on the configuration policy, the firewall applies the required actions such as inspection, log, allow, or deny.
  6. The service leaf switch sends the inspected traffic on to its final destination, or to the destination dictated by the firewall policy.

Configuration

The following sections provide detailed information about MSS configuration, system requirements, recommendations, and limitations.

The traffic flow below is an example of a typical MSS deployment with a 3-tiered application. The goal of this design is to limit access between hosts in the following zones: web-untrust, app-untrust, db-untrust, web-trust, app-trust, and db-trust.
Figure 8. Traffic flow in an MSS deployment

End users in the untrust zone access the web server through the TCP/443 port. Traffic flows through the active firewall to the web server interface in the web-untrust security zone. The web server interface in the web-trust security zone accesses the application server interface in the app-untrust security zone through port TCP/80 after traversing the firewall. From there, the application server interface in the app-trust security zone accesses the database through TCP/1433 in the db-untrust zone.

The following physical topology indicates the MSS setup.

The hosts are attached to a pair of intercept leaf switches. A firewall is connected to a service leaf switch using a pair of physical interfaces with a subinterface per zone or vWire.

Figure 9. Physical topology of the MSS

System Requirements

The system requirements to effectively run MSS are listed below.

  • Arista CloudVision eXchange (CVX)
  • Arista 7050X, 7050X2, 7060X, and 7060X2 series top of rack (TOR) switches:
      • Connected to the hosts whose traffic is to be intercepted, or to the firewall devices
      • Connected to and monitored by CVX
  • The network must be a VXLAN-enabled fabric with CVX running the VXLAN Control Service (VCS)
  • Link Layer Discovery Protocol (LLDP) should be enabled on the firewall interfaces attached to the Arista TOR switches. Note that static mapping can be configured if required.

Recommendations and Limitations

TOR and CVX Switches

  • Service switches should be dedicated exclusively to firewalls and not to host connectivity.
  • In the event of an entry time-out, the server ARP entries are not re-learned on the service VTEP.

Firewall

  • The firewall policy name must not have any whitespace character in the name. As an example, PCI policy is an unacceptable policy name. An acceptable name would be PCI_policy.
  • When High Availability firewalls are used in the system, all links to switches must be port channels and a Multi-Chassis Link Aggregation (MLAG) bow-tie configuration should be used.

Configuring MSS

Deploying CVX

Deploy CloudVision and configure the Arista TOR switches to connect to it. As an example, a CVX cluster of three instances with host names cvx01, cvx02, and cvx03 is configured.

Note: As a best practice, always deploy CVX in an HA cluster with a minimum of three instances.

Enabling the VXLAN Control Service on CVX

Enable the VXLAN Control Service (VCS) on every CVX instance after the three Arista CVX instances have been deployed and the TOR switches are configured to be managed by them.

VCS allows hardware VXLAN Tunnel End Points (VTEPs) to share state with each other in order to establish VXLAN tunnels without the need for a multicast control plane.

Example

CVX instance cvx01

cvx01(config-cvx)#service vxlan 
cvx01(config-cvx-vxlan)#no shutdown

Similarly, VCS is enabled on the cvx02 and cvx03 devices.

Configuring the Access switches and the Service switch ports

Configure the switch ports connected to the hosts whose traffic should be steered to the firewalls, and the service switch ports connected to the firewalls.

Access switch configuration

The switch ports connected to the hosts, whose traffic needs to be intercepted, need to be configured as 802.1q trunks with the VLAN that is mapped to the VNI requiring interception. Unique VLAN IDs are configured for each tier of the application.

Access switch (intercept-1)

intercept-1# configure
intercept-1(config)# interface et10
intercept-1(config-if-Et10)# description web server
intercept-1(config-if-Et10)# switchport mode trunk 
intercept-1(config-if-Et10)# switchport trunk allowed vlan 100

intercept-1(config)# interface et16
intercept-1(config-if-Et16)# description app server
intercept-1(config-if-Et16)# switchport mode trunk
intercept-1(config-if-Et16)# switchport trunk allowed vlan 200

Access switch (intercept-2)

intercept-2# configure
intercept-2(config)# interface et10
intercept-2(config-if-Et10)# description db server
intercept-2(config-if-Et10)# switchport mode trunk
intercept-2(config-if-Et10)# switchport trunk allowed vlan 300

Note: For untagged traffic, configure a native VLAN on the port using the switchport trunk native vlan command.

Service switch (service-1)

service-1# configure
service-1(config)#interface port-channel 10
service-1(config-if-Po10)# description Far Interface
service-1(config-if-Po10)# switchport mode trunk
service-1(config-if-Po10)# switchport trunk allowed vlan none
service-1(config-if-Po10)# spanning-tree bpdufilter enable

service-1(config)#interface port-channel 20
service-1(config-if-Po20)# description Near Interface
service-1(config-if-Po20)# switchport mode trunk
service-1(config-if-Po20)# switchport trunk allowed vlan none
service-1(config-if-Po20)# spanning-tree bpdufilter enable

Note: Dynamically mapped VLANs are not shown in the switch port configuration. You can view them by running the show vlan command on the switch once a policy is applied.

Enabling DirectFlow on access switches and service switches

Arista MSS uses DirectFlow to intercept traffic, while VXLAN is used to tunnel traffic from the intercepted host to the firewall and back. DirectFlow should be enabled on every intercept switch as well as on the service switches.

Switch service-1

service-1# configure
service-1(config)# directflow
service-1(config-directflow)# no shutdown

Switch intercept-1

intercept-1# configure
intercept-1(config)# directflow
intercept-1(config-directflow)# no shutdown

Switch intercept-2

intercept-2# configure
intercept-2(config)# directflow
intercept-2(config-directflow)# no shutdown

Enabling VXLAN routing on the TOR switches

CVX uses Address Resolution Protocol (ARP) to determine where intercept hosts are physically located in the network. VXLAN routing should be configured on every TOR switch that will be intercepting traffic to ensure that CVX is aware of every host ARP entry.

The following configuration shows the routing configuration for each tier of the application, but not the entire VXLAN configuration. For more information on how to configure VXLAN and VXLAN routing, refer to the VXLAN section of the Arista EOS Configuration Guide.

Switch intercept-1

intercept-1# configure
intercept-1(config)# ip routing
intercept-1(config)# interface vlan100
intercept-1(config-if-Vl100)# ip address virtual 10.0.10.254/24
intercept-1(config)# interface vlan200
intercept-1(config-if-Vl200)# ip address virtual 10.0.20.254/24
intercept-1(config)# interface vlan300
intercept-1(config-if-Vl300)# ip address virtual 10.0.30.254/24

Switch intercept-2

intercept-2# configure 
intercept-2(config)# ip routing 
intercept-2(config)# interface vlan100
intercept-2(config-if-Vl100)# ip address virtual 10.0.10.254/24
intercept-2(config)# interface vlan200
intercept-2(config-if-Vl200)# ip address virtual 10.0.20.254/24
intercept-2(config)# interface vlan300
intercept-2(config-if-Vl300)# ip address virtual 10.0.30.254/24

Switch service-1

service-1# configure
service-1(config)# ip routing
service-1(config)# interface vlan100
service-1(config-if-Vl100)# ip address virtual 10.0.10.254/24 
service-1(config)# interface vlan200
service-1(config-if-Vl200)# ip address virtual 10.0.20.254/24
service-1(config)# interface vlan300
service-1(config-if-Vl300)# ip address virtual 10.0.30.254/24

Configuring MSS on CVX

This step configures Arista MSS on CVX. The topology diagram depicts three CVX instances in a cluster, and the configuration is the same for every instance. Both the active and standby vendor firewalls are configured; if Panorama is used, only Panorama should be configured.

Example

In the example, the primary vendor firewall has a DNS name of fw-ha-node-1. The standby firewall has a DNS name of fw-ha-node-2. The username and password are set as admin.

CVX instance cvx01

cvx01# configure
cvx01(config)# cvx
cvx01(config-cvx)# no shutdown
cvx01(config-cvx)# service mss
cvx01(config-cvx-mss)# no shutdown
cvx01(config-cvx-mss)# vni range 20000-30000
cvx01(config-cvx-mss)# dynamic device-set panfw1
cvx01(config-cvx-mss-panfw1)# tag Arista_MSS
cvx01(config-cvx-mss-panfw1)# type palo-alto firewall
cvx01(config-cvx-mss-panfw1)# state active
cvx01(config-cvx-mss-panfw1)# device fw-ha-node-1
cvx01(config-cvx-mss-panfw1-fw-ha-node-1)# username admin password 0 admin

CVX instance cvx02

cvx02# configure
cvx02(config)# cvx 
cvx02(config-cvx)# no shutdown
cvx02(config-cvx)# service mss
cvx02(config-cvx-mss)# no shutdown
cvx02(config-cvx-mss)# vni range 20000-30000
cvx02(config-cvx-mss)# dynamic device-set panfw1
cvx02(config-cvx-mss-panfw1)# tag Arista_MSS
cvx02(config-cvx-mss-panfw1)# type palo-alto firewall
cvx02(config-cvx-mss-panfw1)# state active
cvx02(config-cvx-mss-panfw1)# device fw-ha-node-1
cvx02(config-cvx-mss-panfw1-fw-ha-node-1)# username admin password 0 admin

CVX instance cvx03

cvx03# configure
cvx03(config)# cvx
cvx03(config-cvx)# no shutdown 
cvx03(config-cvx)# service mss 
cvx03(config-cvx-mss)# no shutdown
cvx03(config-cvx-mss)# vni range 20000-30000
cvx03(config-cvx-mss)# dynamic device-set panfw1
cvx03(config-cvx-mss-panfw1)# tag Arista_MSS
cvx03(config-cvx-mss-panfw1)# type palo-alto firewall
cvx03(config-cvx-mss-panfw1)# state active
cvx03(config-cvx-mss-panfw1)# device fw-ha-node-1
cvx03(config-cvx-mss-panfw1-fw-ha-node-1)# username admin password 0 admin 

Configuring the Firewall

Three policies are created in addition to the default implicit deny policy for inter-zone traffic. The implicit deny ensures that the inter-zone traffic is not allowed unless a policy explicitly allows for it.

The first policy, untrust_to_web1, is from the untrust zone to the web1 zone and allows HTTPS traffic from anywhere to the web server web.

The third policy, web2_to_app1, is from the web2 zone to the app1 zone and allows HTTP traffic between the web server web and the application server app.

The fifth policy, app2_to_db1, is from the app2 zone to the db1 zone and allows database traffic on port TCP/1433 between the application server app and the database server db.

The second, fourth, and sixth policies prevent the firewall from dropping a session for which it did not see the initial connection to the protected resource. This can happen if the protected resource has not sent any traffic before this point.

Refer to the following images for more clarity about the above policies and interface configuration.

Figure 10. Firewall policy configuration
Figure 11. Firewall interface configuration

Create a rule that Arista MSS will use to intercept and redirect traffic and add a firewall policy with the default Arista_MSS tag as shown in the example above. MSS intercepts all traffic from endpoints identified in policies that match the tag values configured in CVX. The firewall will apply all rules (tagged or untagged) to all traffic.

Note: LLDP should always be enabled on the firewall interfaces attached to the service switches. To minimize reconvergence time on the network changes, reduce the LLDP transmit interval and hold time multiples on the firewall, while keeping the LLDP hold time above the LLDP timer configured on the connected Arista switches.

Alternatively, the device interface map command can be used on CVX to manually map a device to Arista switch interfaces. To map multiple devices, add a mapping entry for each device.

dynamic device-set fw1
device dc-firewall-1
map device-interface ethernet1/1 switch 00:1c:73:7e:21:bb interface Ethernet1
map device-interface ethernet1/2 switch 00:1c:73:7e:21:bb interface Ethernet9
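
The following Python model is added here as an illustration; it is not Arista code. It exercises the policy design described above: the three tagged allow rules between zones, the return-path rules, the implicit inter-zone deny, the no-whitespace rule for policy names, and the way CVX reads only the policies carrying the configured tag while the firewall enforces every rule. The zone names, ports and the Arista_MSS tag come from this section; the Policy data structure, the untagged jump-host rule, and the modelling of the return-path rules as reverse-direction any-port allows are assumptions made for the example.

```python
"""Zone-policy model of the 3-tier MSS deployment (added illustration, not Arista code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]          # None matches any destination port
    tags: frozenset = frozenset()    # vendor policy tags (CVX looks for its configured tag)


MSS_TAG = "Arista_MSS"  # default tag configured on CVX (see the `tag` command)

# Constructed policy set. The return-path rules (2nd, 4th, 6th) are modelled as
# reverse-direction any-port allows; that detail is an assumption of this example.
POLICIES = (
    Policy("untrust_to_web1", "untrust", "web1", 443, frozenset({MSS_TAG})),
    Policy("web1_to_untrust", "web1", "untrust", None, frozenset({MSS_TAG})),
    Policy("web2_to_app1", "web2", "app1", 80, frozenset({MSS_TAG})),
    Policy("app1_to_web2", "app1", "web2", None, frozenset({MSS_TAG})),
    Policy("app2_to_db1", "app2", "db1", 1433, frozenset({MSS_TAG})),
    Policy("db1_to_app2", "db1", "app2", None, frozenset({MSS_TAG})),
    # Hypothetical untagged rule: enforced by the firewall, but never read by MSS.
    Policy("jump_to_db1", "mgmt", "db1", 22, frozenset()),
)


def validate_policy_name(name: str) -> bool:
    """MSS rejects policy names that contain whitespace ("PCI policy" is invalid)."""
    return bool(name) and not any(ch.isspace() for ch in name)


def mss_policies(policies, cvx_tags):
    """Policies CVX pulls from the firewall: only those carrying a configured tag."""
    wanted = set(cvx_tags)
    return [p for p in policies if p.tags & wanted]


def intercept_zones(policies, cvx_tags):
    """Zones whose endpoints MSS steers to the firewall (derived from tagged rules)."""
    zones = set()
    for p in mss_policies(policies, cvx_tags):
        zones.update((p.src_zone, p.dst_zone))
    return zones


def evaluate(policies, src_zone, dst_zone, dst_port):
    """Firewall decision for an inter-zone flow: first matching allow rule,
    otherwise the implicit inter-zone deny. Every rule applies, tagged or not."""
    for p in policies:
        if (p.src_zone, p.dst_zone) == (src_zone, dst_zone) and p.dst_port in (None, dst_port):
            return ("allow", p.name)
    return ("deny", "implicit-deny")


if __name__ == "__main__":
    for flow in [("untrust", "web1", 443), ("untrust", "db1", 1433), ("mgmt", "db1", 22)]:
        print(flow, evaluate(POLICIES, *flow))
    print("intercepted zones:", sorted(intercept_zones(POLICIES, [MSS_TAG])))
    print("policy names valid:", all(validate_policy_name(p.name) for p in POLICIES))
```

Running the block shows that a flow from untrust straight to db1 hits the implicit deny even though a database rule exists, that an unexpected port toward the web server is denied, and that the untagged jump-host rule is enforced by the firewall but contributes no endpoints to the MSS intercept set.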

MSS Commands

dynamic device-set

The dynamic device-set command, entered in MSS configuration mode, creates a set of devices such as firewalls that MSS communicates with.

The no dynamic device-set command removes a previously configured device from the MSS configuration and returns to the CVX mode.

Command Mode

MSS Configuration

Command Syntax

dynamic device-set device-set_name

no dynamic device-set device-set_name

Parameters

device-set_name: a unique name for the device set.

Example

This example creates a set of firewalls with the name panfw1.
cvx#configure
cvx(config)#cvx
cvx(config-cvx)#no shutdown
cvx(config-cvx)#service mss
cvx(config-cvx-mss)#no shutdown
cvx(config-cvx-mss)#vni range 30000-40000
cvx(config-cvx-mss)#dynamic device-set panfw1
cvx(config-cvx-mss-panfw1)#
Note: The vni range command configures a range of VXLAN Network Identifiers (VNI) that MSS uses to tunnel traffic to the firewall. If VNI range is not configured, the default VNIs in the range of 1 to 16777214 are used.

exception device

The exception device command selects whether traffic bypasses the service device (such as a firewall) or continues to be redirected to it when the service device control-plane API becomes unreachable after the initial policies have been processed.

The no exception device command removes the setting and restores the default behavior (bypass).

Command Mode

MSS Configuration

Command Syntax

exception device unreachable [bypass | redirect]

no exception device unreachable [bypass | redirect]

default exception device unreachable bypass

Parameters

  • device: service device in the device set.
  • unreachable: service device control-plane API is unreachable.
  • bypass: bypass the service device.
  • redirect: continue redirecting traffic to the service device.

Example

This example redirects traffic to the service device.
cvx#configure
cvx(config)#cvx
cvx(config-cvx)#no shutdown
cvx(config-cvx)#service mss
cvx(config-cvx-mss)#no shutdown
cvx(config-cvx-mss)#vni range 30000-40000
cvx(config-cvx-mss)#dynamic device-set fw
cvx(config-cvx-mss-fw)#device firewall-dc7
cvx(config-cvx-mss-fw)#username admin password 7 PKigsmo3IcnW5rqoZXWQ
cvx(config-cvx-mss-fw)#state active
cvx(config-cvx-mss-fw)#type palo-alto firewall
cvx(config-cvx-mss-fw)#exception device unreachable redirect

group

The group command configures the Panorama device group name to be used with MSS.

The no group command removes the group from the MSS configuration when the Panorama firewall manager is used.

See the type palo-alto command for more information about the firewall manager.

Command Mode

Device-set mode

Command Syntax

group group_name

no group group_name

Parameters

group_name: the name of the group.

Example

This command configures the group name as mssDevices.
cvx(config)#cvx
cvx(config-cvx)#service mss
cvx(config-cvx-mss)#dynamic device-set pano2
cvx(config-cvx-mss-pano2)#type palo-alto panorama
cvx(config-cvx-mss-pano2)#device myPanorama
cvx(config-cvx-mss-pano2-myPanorama)#group mssDevices

name-resolution interval (CVX-OpenStack)

The name-resolution interval command specifies the period between consecutive requests that the OpenStack controller sends to the Keystone service for VM and tenant name updates. Keystone is OpenStack's authentication and authorization service.

The default period is 21600 seconds (6 hours).

The name-resolution force (CVX-OpenStack) command performs an immediate update, as opposed to waiting for the periodic update.

Command Mode

CVX-OpenStack Configuration

Command Syntax

name-resolution interval period

Parameters

  • period: Keystone identity service polling interval (seconds).

Comment

service openstack places the switch in CVX-OpenStack configuration mode.

Example

These commands set the name resolution interval period at five hours.
switch(config)#cvx
switch(config-cvx)#service openstack
switch(config-cvx-openstack)#name-resolution interval 18000
switch(config-cvx-openstack)#

service mss

The service mss command enters the MSS configuration sub-mode.

The no service mss command exits the MSS configuration mode and returns to the CVX mode.

Command Mode

CVX Configuration

Command Syntax

service mss

no service mss

default service mss

Example

This example enables MSS on CVX and enters the MSS config mode.
Note: The no shutdown command enables MSS on the CloudVision eXchange (CVX).
cvx# configure
cvx(config)# cvx
cvx(config-cvx)# no shutdown
cvx(config-cvx)# service mss
cvx(config-cvx-mss)# no shutdown

show service mss policy

The show service mss policy command displays generic information about the configuration and operational state of the macro-segmentation service (MSS) policies on a device.

Command Mode

EXEC

CVX Configuration

Command Syntax

show service mss policy [[device device_name] [name policy-name] [source (static | plugin_name)]]

Parameters

  • device device_name: the service device name.
  • name policy-name: the policy name filter.
  • source: the source of the policy.
  • static: the policy configured using the command line interface.
  • plugin_name: the service device type.

Example

This command displays information about the MSS policy policy1 enabled on the device.
cvx#show service mss policy name policy1
Source           Device   Policy    Config    Status
-----------------------------------------------------
vendorFirewall   pan100   policy1   Enabled   Initialized

The "Config" column indicates the configuration state of a policy: enabled, dry-run, or disabled.

The "Status" column indicates the operational state of a policy: initialized, pending, initializing, active, reinitializing, dry-run complete, or deactivating.

show service mss zone

The show service mss zone command displays information about the interfaces that are placed in a single zone by the service device. Together with the show service mss policy command, this command can be used to identify issues with the policy configuration.

Interfaces from multiple switches can be placed in the same zone by the device.

Command Mode

EXEC

CVX Configuration

Command Syntax

show service mss zone [[device device_name]|[name zone_name]| [source (static | dynamic_source)]]

Parameters

  • device device_name: the service device name.
  • name zone_name: the zone name filter.
  • source: the source of the zone.
  • static: the zone configured using the command line interface.
  • dynamic_source: the service device type.

Example

This command displays information about interfaces that are placed in a zone by the device named device1.
switch#show service mss zone
Source: static
---------------------------------------
  Device: device1
    Zone: zone1
      Switch: 00:00:00:00:00:01
        Hostname: switch1.arista.com
        Interfaces:
          Ethernet1/1
            Allowed VLAN: 1000-1010
          Port-Channel2/1
            Allowed VLAN: 1000-2000
      Switch: 00:00:00:00:00:02
        Hostname: switch2.arista.com
        Interfaces:
          Ethernet10/1
            Allowed VLAN: 1000-1010
    Zone: zone2
      Switch: 00:00:00:00:00:01
        Hostname: switch1.arista.com
        Interfaces:
          Ethernet10/1
            Allowed VLAN: 1000-1010
          Ethernet20/1
            Allowed VLAN: 1000-2000

show service mss dynamic device-set

The show service mss dynamic device-set command displays detailed information about a specific service device set, such as device group members, high availability, network, and resource details.

Note: Interfaces from multiple switches can be placed in the same zone by the device.

Command Mode

EXEC

CVX Configuration

Command Syntax

show service mss dynamic device-set device_set_name [device device_name [group-members | high-availability | neighbors | network | policies | resources]]

Parameters

  • device_set_name: the device set name.
  • device device_name: the service device, identified by the DNS hostname or IP address of the service device.
  • group-members: lists device-group members for an aggregation manager.
  • high-availability: displays service device high availability information.
  • neighbors: displays the service device's Ethernet interface neighbor information.
  • network: displays the service device's network interface information.
  • policies: displays the list of policies read from the service device that carry the MSS tag.
  • resources: displays the service device's system resource information.

show service mss status

The show service mss status command displays the status of a macro-segmentation service (MSS) on the device.

Command Mode

EXEC

CVX Configuration

Command Syntax

show service mss status

Examples

  • This command displays the MSS status on the device as Enabled.
switch#show service mss status
State: Enabled
Service VNIs: 1500-1600,1800,1900-2000

  • This command displays the MSS status on the device as Disabled.
switch#show service mss status
State: Disabled
Service VNIs: 1-16777214

state

The state command configures the device set as active, shutdown (disabled), or suspended.

The no state command disables the previously configured state of the device set.

Command Mode

MSS Configuration

Command Syntax

state [active | shutdown | suspend]

no state

Parameters

  • active: the active state of the device set. Policy monitoring and network traffic redirection are enabled.
  • shutdown: the disabled state of the device set. Policy monitoring and network traffic redirection is stopped.
  • suspend: the suspended state of the device set. Policy monitoring is suspended but there is no change in the existing traffic redirection.

Example

This example configures the device set state as active.
cvx#configure
cvx(config)#cvx
cvx(config-cvx)#no shutdown
cvx(config-cvx)#service mss
cvx(config-cvx-mss)#no shutdown
cvx(config-cvx-mss)#vni range 30000-40000
cvx(config-cvx-mss)#dynamic device-set panfw1
cvx(config-cvx-mss-panfw1)#tag Arista_MSS
cvx(config-cvx-mss-panfw1)#type palo-alto firewall
cvx(config-cvx-mss-panfw1)#state active

tag

The tag command, entered in dynamic device-set configuration mode, specifies the tag or tags that MSS searches for when it reads the security policy from the firewall or firewall manager. More than one tag can be specified.

The no tag command removes the tag from the MSS configuration.

Note: The tag specified must match the policy tags in the vendor firewall policy; otherwise MSS cannot read the policy and set up the intercept.

Command Mode

MSS Configuration

Command Syntax

tag tag_name

no tag

default tag Arista_MSS

Parameters

tag_name: a unique name for the tag.

Examples

  • This command specifies the tag with the name Arista_MSS.
cvx#configure
cvx(config)#cvx
cvx(config-cvx)#no shutdown
cvx(config-cvx)#service mss
cvx(config-cvx-mss)#no shutdown
cvx(config-cvx-mss)#vni range 30000-40000
cvx(config-cvx-mss)#dynamic device-set panfw1
cvx(config-cvx-mss-panfw1)#tag Arista_MSS
  • This command specifies multiple tags with names mss1, mss2, and mss3.
cvx#configure
cvx(config)#cvx
cvx(config-cvx)#no shutdown
cvx(config-cvx)#service mss
cvx(config-cvx-mss)#no shutdown
cvx(config-cvx-mss)#vni range 30000-40000
cvx(config-cvx-mss)#dynamic device-set panfw1
cvx(config-cvx-mss-panfw1)#tag mss1 mss2 mss3

type palo-alto

The type palo-alto command configures the type of Palo Alto Networks device used in the MSS configuration.

The no type palo-alto command removes the firewall type from the MSS configuration.

Command Mode

MSS Configuration

Command Syntax

type palo-alto [firewall | panorama]

no type palo-alto

Parameters

  • firewall: the Palo Alto Networks firewall.
  • panorama: the Palo Alto Networks Panorama firewall manager.

Example

This command configures the Palo Alto Networks firewall type.
cvx#configure
cvx(config)#cvx
cvx(config-cvx)#service mss
cvx(config-cvx-mss)#dynamic device-set panfw1
cvx(config-cvx-mss-panfw1)#type palo-alto firewall