Data Plane Security
IP NAT
Network address translation (NAT) is a router process that modifies address information of IP packets in transit. NAT is typically used to correlate address spaces between a local network and a remote, often public, network. Static NAT defines a one-to-one map between local and remote IP addresses. Static maps are configured manually through CLI commands. An interface can support multiple NAT commands, but each command must specify a unique local IP address-port location.
NAT is configured on routers that have interfaces connecting to the local networks and interfaces connecting to a remote network.
Inside and Outside Addresses
In NAT configurations, IP addresses are placed into one of two categories: inside or outside. Inside refers to IP addresses used within the organizational network. Outside refers to addresses on an external network outside the organizational network.
Static IP NAT
Static NAT configurations create a one-to-one mapping and translate a particular address to another address. This type of configuration creates a permanent entry in the NAT table as long as the configuration is present, and it enables both inside and outside hosts to initiate a connection.
Static NAT options include source NAT, destination NAT, and twice NAT.
- Source NAT modifies the source address in the IP header of a packet exiting the interface, and can optionally change the source port referenced in the TCP/UDP headers.
- Destination NAT modifies the destination address in the IP header of a packet entering the interface, and can optionally change the destination port referenced in the TCP/UDP headers.
- Twice NAT modifies both the source and destination address of packets entering and exiting the interface, and can optionally change the L4 port information in the TCP/UDP headers. Twice NAT is generally used when inside network addresses overlap or otherwise conflict with outside network addresses. When a packet exits the interface, local source and destination addresses are translated to global source and destination addresses. When a packet enters the interface, global source and destination addresses are translated to local source and destination addresses.
Configuring Static NAT
Configuring Source NAT
Network address translation of a source address (source NAT) is enabled by the ip nat source static command for the configuration mode interface. Applying source NAT to interfaces that connect to local hosts shields the IP address of the host when sending IP packets to remote destinations.
This command installs hardware translation entries for forward and reverse unicast traffic. When the rule specifies a multicast group, the command does not install the reverse path in hardware. The command may include an access control list to filter packets for translation.

switch(config)#interface vlan 201
switch(config-if-Vl201)#ip nat source static 10.24.1.10 168.32.14.15
switch(config-if-Vl201)#
The ip nat source static command may include an ACL to limit packet translation. Only packets that match the ACL are translated. ACLs configured for source NAT must specify a source IP address of any. Source port or protocol matching is not permitted. The destination may be an IP subnet. Commands referencing nonexistent ACLs are accepted by the CLI but not installed in hardware until the ACL is created. Modifying a referenced ACL causes the corresponding hardware entries to be replaced by entries that match the modified ACL.
switch(config)#ip access-list ACL1
switch(config-acl-ACL1)#permit ip any 168.10.1.0/24
switch(config-acl-ACL1)#exit
switch(config)#interface vlan 101
switch(config-if-Vl101)#ip nat source static 168.32.14.15 access-list ACL1 10.24.1.10
switch(config-if-Vl101)#
Configuring Destination NAT
Network address translation of a destination address (destination NAT) is enabled by the ip nat destination static command for the configuration mode interface. Applying destination NAT to interfaces that connect to remote hosts shields the IP address of the recipient host when receiving IP packets from remote destinations.
This command installs hardware translation entries for forward and reverse unicast traffic. When the rule specifies a multicast group, the command does not install the reverse path in hardware. The command may include an access control list to filter packets for translation.

switch(config)#interface vlan 201
switch(config-if-Vl201)#ip nat destination static 168.32.14.15 10.24.1.10
switch(config-if-Vl201)#
The ip nat destination static command may include an ACL to limit packet translation. Only packets whose source IP address matches the ACL are translated. ACLs configured for destination NAT must specify a destination IP address of any. Destination port or protocol matching is not permitted. The source may be an IP subnet. Commands referencing nonexistent ACLs are accepted by the CLI but not installed in hardware until the ACL is created. Modifying a referenced ACL causes the corresponding hardware entries to be replaced by entries that match the modified ACL.
switch(config)#ip access-list ACL2
switch(config-acl-ACL2)#permit ip 168.10.1.4/32 any
switch(config-acl-ACL2)#exit
switch(config)#interface vlan 201
switch(config-if-Vl201)#ip nat destination static 168.32.14.15 access-list ACL2 10.24.1.10
switch(config-if-Vl201)#
Configuring Twice NAT
Network address translation of both source and destination addresses on the same interface (twice NAT) is enabled by creating one source NAT rule and one destination NAT rule on the same interface and associating them through a NAT group using the ip nat source static and ip nat destination static commands.
The ip nat source static command translates the actual local source address to a source address which can be used outside the local network to reference the source. The ip nat destination static command translates an internally used destination address to the actual IP address that is the destination of the packet.
The source and destination NAT rules must reference the same NAT group, and both should either specify only IP addresses or specify both IP addresses and L4 port information. If L4 port information is configured in one rule but not in the other, an error message will be displayed.
Each NAT rule installs hardware translation entries for forward and reverse unicast traffic. When the rule specifies a multicast group, the command does not install the reverse path in hardware. Twice NAT does not support the use of access control lists to filter packets for translation.
switch(config)#interface ethernet 2
switch(config-if-Et2)#ip nat source static 10.24.1.10 168.32.14.15 group 3
switch(config-if-Et2)#ip nat destination static 10.68.104.3 168.25.10.7 group 3
Static NAT Configuration Considerations
Egress VLAN filter for static NAT
When static source NAT is configured on an interface, the source IP translation happens only for packets going out of that interface. If a packet egresses on an interface that does not have NAT configured, its source IP is not translated.
When static SNAT is configured on two interfaces, the translation specified for one interface can be applied to a packet going out on the other interface.
- In this example, packets with source IP 20.1.1.1 going out of E1 still have the source IP translated to 172.1.1.1, even though the rule is configured on E2 and not on E1.
switch(config)#interface ethernet 1
switch(config-if-Et1)#ip nat source static 10.1.1.1 171.1.1.1
switch(config)#interface ethernet 2
switch(config-if-Et2)#ip nat source static 20.1.1.1 172.1.1.1
- To prevent this, use an ACL on each interface to restrict the traffic that needs NAT.
switch(config)#ip access-list acl1
switch(config-acl-acl1)#permit ip any 171.1.1.0/24
switch(config)#ip access-list acl2
switch(config-acl-acl2)#permit ip any 172.1.1.0/24
switch(config)#interface ethernet 1
switch(config-if-Et1)#ip nat source static 10.1.1.1 access-list acl1 171.1.1.1
switch(config)#interface ethernet 2
switch(config-if-Et2)#ip nat source static 20.1.1.1 access-list acl2 172.1.1.1
- ACL filtering is not supported when using twice NAT.
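The cross-interface translation described in this section, modelled in Python as an added example (not Arista code): the rules and ACLs mirror the two configurations above, while the interface names, the destination 171.1.1.9 and the function names are constructed. Running it shows why the unfiltered rule set leaks the E2 translation onto E1 and the ACL-filtered one does not.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPv4Net = ipaddress.IPv4Network
ANY = IPv4Net("0.0.0.0/0")  # the ACL keyword 'any'

@dataclass(frozen=True)
class AclEntry:
    """One 'permit ip SRC DST' line; a source NAT ACL matches on the destination."""
    src: IPv4Net
    dst: IPv4Net

@dataclass(frozen=True)
class SnatRule:
    """ip nat source static ORIGINAL [access-list NAME] TRANSLATED on one interface."""
    interface: str
    original: str
    translated: str
    acl: Optional[str] = None  # None: the rule is unfiltered

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    egress: str  # interface the packet leaves on

def translate_source(acls: Dict[str, List[AclEntry]], rules: List[SnatRule], pkt: Packet) -> str:
    """Source address after static SNAT, following the behaviour the page describes:
    - no translation if the egress interface has no SNAT rule at all;
    - otherwise every SNAT rule is a candidate, whichever interface it was
      configured on, so only an ACL narrows a rule to its own traffic;
    - a rule whose ACL does not exist is not installed and never matches."""
    if not any(r.interface == pkt.egress for r in rules):
        return pkt.src
    s, d = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for r in rules:
        if r.original != pkt.src:
            continue
        if r.acl is None or any(s in e.src and d in e.dst for e in acls.get(r.acl, [])):
            return r.translated
    return pkt.src

# Constructed to mirror the two configurations above: Ethernet1 faces 171.1.1.0/24,
# Ethernet2 faces 172.1.1.0/24, and each interface has one host behind the switch.
UNFILTERED = [
    SnatRule("Ethernet1", "10.1.1.1", "171.1.1.1"),
    SnatRule("Ethernet2", "20.1.1.1", "172.1.1.1"),
]
ACLS = {
    "acl1": [AclEntry(ANY, IPv4Net("171.1.1.0/24"))],  # permit ip any 171.1.1.0/24
    "acl2": [AclEntry(ANY, IPv4Net("172.1.1.0/24"))],  # permit ip any 172.1.1.0/24
}
FILTERED = [
    SnatRule("Ethernet1", "10.1.1.1", "171.1.1.1", acl="acl1"),
    SnatRule("Ethernet2", "20.1.1.1", "172.1.1.1", acl="acl2"),
]

def leak_check(rules: List[SnatRule]) -> str:
    """Host 20.1.1.1 (covered by Ethernet2's rule) sends a packet out Ethernet1 to a constructed
    destination 171.1.1.9; returns the source address the packet leaves with."""
    return translate_source(ACLS, rules, Packet("20.1.1.1", "171.1.1.9", "Ethernet1"))

if __name__ == "__main__":
    print("unfiltered:", leak_check(UNFILTERED))  # 172.1.1.1: Ethernet2's rule applied on Ethernet1
    print("filtered:  ", leak_check(FILTERED))    # 20.1.1.1: acl2 does not match, nothing translated
```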
Dynamic NAT
Dynamic NAT can be used when fewer addresses are available than the number of hosts to be translated. A NAT table entry is created when the host starts a connection and establishes a one-to-one mapping between addresses. The mapping can vary and depends on the registered addresses in the pool at the time of the communication. Dynamic NAT sessions can only be initiated from inside networks. NAT should be configured on a Layer 3 interface, either a routed port or a Switch Virtual Interface (SVI). If the host does not communicate for a specific period, its dynamic NAT entry is removed from the translation table and the address is returned to the pool for use by another host.

Dynamic NAT options:
- Many-to-Many NAT
Maps local addresses to a global address that is selected from a pool of global addresses. After the pool is configured, the first available address from the pool is picked dynamically on receiving the first packet.
- Many-to-One NAT (PAT)
PAT is a form of dynamic NAT where multiple local addresses are mapped to a single global address (many-to-one) using different source ports. This method is also called NAT Overloading, NAPT (Network and Port address translation), and Masquerade. The global address can be the IP address configured on the outside interface.
Hardware entries that translate packets are created when the CLI command is processed. Entries for forward and reverse traffic are created for unicast traffic. The hardware entry for reverse traffic is not created for multicast traffic.
Commands may include ACLs to filter the packets that are translated. Source NAT uses ACLs to filter packets based on destination IP address. Destination NAT uses ACLs to filter packets based on source IP address. When using NAT, inside usually refers to a private network while outside usually refers to a public network.
A switch with NAT configured translates traffic forwarded between inside and outside interfaces when the flow matches the criteria specified for translation.
The same IP address cannot be used in a static NAT configuration and in a pool for dynamic NAT. Public IP addresses must be unique; global addresses used in static translations are not automatically excluded from dynamic pools containing the same global addresses.
Configuring Dynamic NAT
Prerequisites
- Configure an ACL to specify IP addresses allowed to be translated.
- Determine if you should use an IP address as the translated source address.
- Decide on a public IP address pool for address translation.
Configure the Address Pool
The addresses used for translation are configured by issuing the ip nat pool command in global configuration mode.
switch(config)#ip nat pool p1 10.15.15.15 10.15.15.25
switch(config)#
Set the IP Address
The ip address command configures VLAN 201 with an IP address.
- This command configures an IPv4 address for VLAN 201.
switch(config)#interface vlan 201
switch(config-if-Vl201)#ip address 10.0.0.1/24
switch(config-if-Vl201)#
- This command configures the dynamic NAT source address and sets the NAT overload for pool P2.
switch(config-if-Vl201)#ip nat source dynamic access-list ACL2 pool p2
switch(config-if-Vl201)#
Define the NAT Source Address for Translation
The ip nat source dynamic command specifies a dynamic translation from the source IP address to the pool and to overload the pool address (or addresses).
switch(config)#interface ethernet 3/1
switch(config-if-Et3/1)#ip nat source dynamic access-list ACL2 pool p2
switch(config-if-Et3/1)#
Specify the Timeout Values
The ip nat translation tcp-timeout or ip nat translation udp-timeout commands alter the translation timeout period for NAT translation table entries.
- This command globally sets the timeout for TCP to 600 seconds.
switch(config)#ip nat translation tcp-timeout 600
switch(config)#
- This command globally sets the timeout for UDP to 800 seconds.
switch(config)#ip nat translation udp-timeout 800
switch(config)#
Verify the NAT Configuration
Display the Address Pools
The show ip nat pool command displays the configuration of the address pool.
switch#show ip nat pool
Pool  StartIp       EndIp         Prefix
p1    10.15.15.15   10.15.15.25   24
p2    10.10.15.15   10.10.15.25   22
p3    10.12.15.15   10.12.15.25   12
switch#
Clearing IP NAT Table Entries
Use the clear ip nat flow translation command to remove all or the specified NAT table entries.
switch#clear ip nat flow translation
switch#
Dynamic NAT Configuration Considerations
Configuring Dynamic NAT Using Pools in a L2 Adjacent Network
When many-to-one dynamic NAT is configured using a NAT pool, and the next hop router for the NAT device is on the same network (L2 adjacent), you must configure the IP addresses in the NAT pool as secondary addresses on the interface.
In this example, the IP addresses in the NAT pool are configured as secondary addresses on the interface.
switch(config)#ip nat pool p1 10.1.1.1 10.1.1.4 prefix-length 24
switch(config)#interface ethernet 1
switch(config-if-Et1)#ip nat source dynamic access-list a1 pool p1
switch(config-if-Et1)#ip address 10.1.1.1/24 secondary
switch(config-if-Et1)#ip address 10.1.1.2/24 secondary
switch(config-if-Et1)#ip address 10.1.1.3/24 secondary
switch(config-if-Et1)#ip address 10.1.1.4/24 secondary
Configuring Dynamic NAT Using Pool in a L3 Network
If the next hop of the NAT device is on a different subnet, then you should configure a static Null route for the IP addresses in the NAT pool. Redistribute the static route using BGP/OSPF.
- Outside Interface
switch(config)#interface port-channel 319
switch(config-if-Po319)#ip nat source dynamic access-list dynamic-nat-m2m pool natpl-dynamic-nat-m2m
switch(config)#ip access-list dynamic-nat-m2m
switch(config-acl-dynamic-nat-m2m)#10 permit ip 192.168.93.0/24 any
switch(config)#ip nat pool natpl-dynamic-nat-m2m prefix-length 24
switch(config-natpool-p1)#range 11.3.3.2 11.3.3.10
- Static Null Route for Virtual IP
switch(config)#ip route 11.0.0.0/8 Null0
switch(config)#router ospf 1
switch(config-router-ospf)#redistribute static
Configuring Dynamic NAT Using Overload with ECMP Routes
Dynamic many-to-one NAT using overload (PAT) should not be configured on interfaces that form an ECMP group. When one interface in the group goes down, the return packet for connections that are already established will continue to go to the IP address of the interface that went down and will not be forwarded to the inside host. For this type of scenario, use Dynamic NAT with pool configurations.
Dynamic NAT Peer State Synchronization
NAT peer state synchronization provides redundancy and resiliency for dynamic NAT across a pair of devices, so that the failure of a single NAT device does not interrupt service. Both devices in the redundant pair are active; they track new sessions and create or delete NAT entries dynamically. Essentially, an active NAT entry is maintained on both devices irrespective of which device created it.
Configuring Dynamic NAT Peer State Synchronization
The following prerequisites should be fulfilled before configuring NAT peer state synchronization on devices in a redundant pair.
- Both devices in the redundant pair must be reachable through an IP address within the same subnet.
- The NAT version on both devices in the redundant pair must be compatible.
- The dynamic NAT configuration must be identical across both devices in the redundant pair.
The following configuration output indicates a valid running configuration of the NAT peer state synchronization on one device.
ip nat pool POOL61 prefix-length 24
   range 170.24.0.2 170.24.0.200
ip access-list NatACL61
   10 permit ip 61.0.0.0/16 any
interface Port-Channel5
   mtu 9214
   no switchport
   ip address 10.0.0.1/31
   ip nat source dynamic access-list NatACL61 pool POOL61
ip nat synchronization
   peer-address 11.11.11.1
   local-interface Vlan1111
   port-range 1024 2048
The following limitations are applicable during NAT peer state synchronization.
- While configuring dynamic NAT peer state synchronization across peer switches, the port range values of the switches should always be disjoint to avoid virtual IP conflict.
- NAT peer state synchronization does not support asymmetrical TCP setup (SYN - SYNACK - ACK should always be hashed to the same peer.)
- The connection is only synchronized with a peer if the TCP state is established.
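A lint pass over the constraints this page states, written here as an added Python example (not Arista code): it checks the twice NAT group rules (one source and one destination rule, ports on both or neither, no ACL), the ACL restrictions for static source and destination NAT, the rule from the Dynamic NAT section that a static global address must not also sit in a dynamic pool, and the disjoint port-range requirement for peer state synchronization above. It reads running-config text in the form shown above; the function names and the CLEAN and BROKEN samples are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple
_ip = lambda addr: int(ipaddress.IPv4Address(addr))  # dotted quad -> int, for pool range tests
def _tokens(raw: str) -> List[str]:
    """Split one running-config line, dropping a leading ACL sequence number such as '10 permit ...'."""
    tok = raw.split()
    return tok[1:] if tok and tok[0].isdigit() else tok

def _static_rule(kind: str, iface: str, args: List[str]) -> dict:
    """ORIGINAL [port] [access-list NAME] TRANSLATED [port] [protocol P] [group N] -> rule dict."""
    r = {"kind": kind, "iface": iface, "acl": None, "proto": None, "group": None}
    rest, keys = [], {"access-list": "acl", "protocol": "proto", "group": "group"}
    while args:
        t = args.pop(0)
        if t in keys:
            r[keys[t]] = args.pop(0)
        else:
            rest.append(t)
    r["orig"] = rest.pop(0)
    r["oport"] = int(rest.pop(0)) if rest and rest[0].isdigit() else None
    r["trans"] = rest.pop(0)
    r["tport"] = int(rest.pop(0)) if rest and rest[0].isdigit() else None
    return r

def parse(lines: List[str]) -> dict:
    """Collect ACLs, NAT pools, static NAT rules and the peer-sync port range from EOS config text."""
    cfg: dict = {"acls": {}, "pools": {}, "rules": [], "sync_ports": None}
    ctx: Optional[Tuple[str, str]] = None  # current sub-mode: acl / if / pool / sync
    for tok in filter(None, map(_tokens, lines)):
        if tok[:2] == ["ip", "access-list"]:
            ctx = ("acl", tok[2])
            cfg["acls"].setdefault(tok[2], [])
        elif tok[0] == "permit" and ctx and ctx[0] == "acl":
            cfg["acls"][ctx[1]].append((tok[2], tok[3]))  # (source, destination) as written
        elif tok[0] == "interface":
            ctx = ("if", " ".join(tok[1:]).lower())
        elif tok[:3] == ["ip", "nat", "pool"]:
            ctx = ("pool", tok[3])
            if len(tok) > 5 and tok[4] not in ("prefix-length", "netmask"):
                cfg["pools"][tok[3]] = (_ip(tok[4]), _ip(tok[5]))  # one-line form
        elif tok[0] == "range" and ctx and ctx[0] == "pool":
            cfg["pools"][ctx[1]] = (_ip(tok[1]), _ip(tok[2]))  # block form
        elif tok[:3] == ["ip", "nat", "synchronization"]:
            ctx = ("sync", "")
        elif tok[0] == "port-range" and ctx and ctx[0] == "sync":
            cfg["sync_ports"] = (int(tok[1]), int(tok[2]))
        elif len(tok) > 4 and tok[:2] == ["ip", "nat"] and tok[3] == "static" and ctx and ctx[0] == "if":
            cfg["rules"].append(_static_rule(tok[2], ctx[1], tok[4:]))
        elif tok[0] == "exit":
            ctx = None
    return cfg

def lint(cfg: dict) -> List[str]:
    """Violations of the constraints stated in the text; an empty list means the config is consistent."""
    out: List[str] = []
    for r in cfg["rules"]:
        where = f"{r['iface']}: ip nat {r['kind']} static {r['orig']}"
        if (r["oport"] is None) != (r["tport"] is None):
            out.append(f"{where}: ORIGINAL and TRANSLATED must both carry a port, or neither")
        if r["acl"] and r["group"]:
            out.append(f"{where}: ACL filtering is not supported with twice NAT (group {r['group']})")
        if r["acl"] and r["acl"] not in cfg["acls"]:
            out.append(f"{where}: ACL {r['acl']} does not exist, so the rule is not installed in hardware")
        for src, dst in cfg["acls"].get(r["acl"], []):
            side = src if r["kind"] == "source" else dst  # static SNAT ACLs need source any, DNAT ACLs destination any
            if side != "any":
                out.append(f"{where}: ACL {r['acl']} must specify {r['kind']} any for {r['kind']} NAT")
        glob = r["trans"] if r["kind"] == "source" else r["orig"]  # the global (outside) address of the rule
        for name, (lo, hi) in cfg["pools"].items():
            if lo <= _ip(glob) <= hi:
                out.append(f"{where}: global address {glob} is also in dynamic pool {name}")
    groups: Dict[Tuple[str, str], List[dict]] = {}  # twice NAT: (interface, group) -> its rules
    for r in cfg["rules"]:
        if r["group"]:
            groups.setdefault((r["iface"], r["group"]), []).append(r)
    for (iface, g), rs in groups.items():
        if {r["kind"] for r in rs} != {"source", "destination"}:
            out.append(f"{iface}: NAT group {g} needs one source and one destination rule")
        if len({r["oport"] is None for r in rs}) > 1:
            out.append(f"{iface}: NAT group {g} mixes port and address-only rules")
    return out

def sync_ports_disjoint(cfg_a: dict, cfg_b: dict) -> bool:
    (a0, a1), (b0, b1) = cfg_a["sync_ports"], cfg_b["sync_ports"]  # peer sync: ranges must not overlap
    return a1 < b0 or b1 < a0

CLEAN = """interface Ethernet2
   ip nat source static 10.24.1.10 168.32.14.15 group 3
   ip nat destination static 10.68.104.3 168.25.10.7 group 3
ip nat synchronization
   port-range 1024 2048""".splitlines()  # constructed from the page's examples; lints clean
BROKEN = """ip access-list ACLX
   10 permit ip 10.0.0.0/8 any
interface Vlan201
   ip nat source static 10.24.1.10 access-list ACLX 168.32.14.15
   ip nat source static 10.24.1.11 80 168.32.14.16
   ip nat destination static 10.68.104.3 168.25.10.7 group 3
ip nat pool p1 prefix-length 24
   range 168.32.14.10 168.32.14.20""".splitlines()  # constructed to trigger five findings
```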
IP NAT Commands
- clear ip nat flow translation
- ip address
- ip nat destination static
- ip nat pool
- ip nat source dynamic
- ip nat source static
- ip nat translation counters
- ip nat translation low-mark
- ip nat translation max-entries
- ip nat translation tcp-timeout
- ip nat translation udp-timeout
- show ip nat access-list interface
- show ip nat pool
- show ip nat synchronization advertised-translations
- show ip nat synchronization discovered-translations
- show ip nat synchronization peer
- show ip nat translation
clear ip nat flow translation
The clear ip nat flow translation command clears all or the specified NAT table entries.
Command Mode
Privileged EXEC
Command Syntax
clear ip nat flow translation [HOST_ADDR [DEST_ADDR]] [INTF] [PROT_TYPE]
Parameters
DEST_ADDR must immediately follow HOST_ADDR. All other parameters, including HOST_ADDR, may be placed in any order.
- HOST_ADDR Host address to be modified. Options include:
  - <no parameter> All packets with specified destination address are cleared.
  - address local_ipv4 IPv4 address.
  - address local_ipv4 local_port IPv4 address and port (port value ranges from 1 to 65535).
- DEST_ADDR Destination address of translated packet. Destination address can be entered only when the HOST_ADDR is specified. Options include:
  - <no parameter> All packets with specified destination address are cleared.
  - global_ipv4 IPv4 address.
  - global_ipv4 global_port IPv4 address and port (port value ranges from 1 to 65535).
- INTF Route source. Options include:
  - <no parameter> All packets with specified destination address are cleared.
  - interface ethernet e_num Ethernet interface specified by e_num.
  - interface loopback l_num Loopback interface specified by l_num.
  - interface management m_num Management interface specified by m_num.
  - interface port-channel p_num Port-channel interface specified by p_num.
  - interface vlan v_num VLAN interface specified by v_num.
- PROT_TYPE Filters packets based on protocol type. Options include:
  - <no parameter> All packets with specified destination address are cleared.
  - tcp TCP packets with specified destination address are cleared.
  - udp UDP packets with specified destination address are cleared.
- This command clears all dynamic entries from the NAT translation table.
switch#clear ip nat flow translation
switch#
- This command clears a specific NAT IP address 172.22.30.52.
switch#clear ip nat flow translation address 172.22.30.52
switch#
- This command clears the inside entry that maps the private address 10.10.10.3 to Internet address 172.22.30.52.
switch#clear ip nat flow translation address 172.22.30.52 10.10.10.3
switch#
ip address
The ip address command configures the IPv4 address and connected subnet on the configuration mode interface. Each interface can have one primary address and multiple secondary addresses.
The no ip address and default ip address commands remove the IPv4 address assignment from the configuration mode interface. Entering the command without specifying an address removes the primary and all secondary addresses from the interface. The primary address cannot be deleted until all secondary addresses are removed from the interface.
Removing all IPv4 address assignments from an interface disables IPv4 processing on that port.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Management Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Command Syntax
ip address [ipv4_subnet][PRIORITY]
no ip address [ipv4_subnet][PRIORITY]
default ip address [ipv4_subnet][PRIORITY]
Parameters
- ipv4_subnet IPv4 and subnet address (CIDR or address-mask notation). Running-config stores value in CIDR notation.
- PRIORITY interface priority. Options include:
  - <no parameter> The address is the primary IPv4 address for the interface.
  - secondary The address is the secondary IPv4 address for the interface.
Guidelines
The ip address command is supported on routable interfaces.
switch(config)#interface vlan 200
switch(config-if-Vl200)#ip address 10.0.0.1/24
switch(config-if-Vl200)#
ip nat destination static
The ip nat destination static command enables NAT of a specified destination address for the configuration mode interface. This command installs hardware translation entries for forward and reverse unicast traffic. When the rule specifies a multicast group, the command does not install the reverse path in hardware. The command may include an access control list to filter packets for translation.
When configuring twice NAT, an arbitrary NAT group number is used to associate the source NAT and destination NAT rules. This number must be the same in both rules.
The no ip nat destination static and default ip nat destination static commands disable NAT translation of the specified destination address by removing the corresponding ip nat destination static command from running_config.
Command Mode
Interface-Ethernet Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Command Syntax
ip nat destination static ORIGINAL [FILTER] TRANSLATED [PROT_TYPE][group group_number]
no ip nat destination static ORIGINAL [FILTER] TRANSLATED [PROT_TYPE] [group group_number]
default ip nat destination static ORIGINAL [FILTER] TRANSLATED [PROT_TYPE][group group_number]
Parameters
- ORIGINAL Destination address to be modified. Options include:
  - local_ipv4 IPv4 address.
  - local_ipv4 local_port IPv4 address and port (port value ranges from 1 to 65535).
- FILTER Access control list that filters packets. Options include:
  - <no parameter> All packets with specified destination address are cleared.
  - access-list list_name List that specifies the packets that are cleared. Not supported when configuring twice NAT.
- TRANSLATED Destination address of translated packet. Options include:
  - global_ipv4 IPv4 address.
  - global_ipv4 global_port IPv4 address and port (port value ranges from 1 to 65535). When configuring twice NAT, source and destination NAT rules must either both specify a port translation or both not specify a port translation.
- PROT_TYPE Filters packets based on protocol type. Options include:
  - <no parameter> All packets with specified destination address are cleared.
  - protocol tcp TCP packets with specified destination address are cleared.
  - protocol udp UDP packets with specified destination address are cleared.
- group group_number Used only when configuring twice NAT, the NAT group number associates a source NAT rule with a destination NAT rule on the same interface. The group number (values range from 1 to 255) is arbitrary, but must be the same in both rules.
- These commands configure VLAN 201 to translate destination address 10.24.1.10 to 168.32.14.15.
switch(config)#interface vlan 201
switch(config-if-Vl201)#ip nat destination static 10.24.1.10 168.32.14.15
switch(config-if-Vl201)#
- These commands configure VLAN 201 to translate the source address 10.24.1.10 to 168.32.14.15 for all packets with IP destination addresses in the 168.10.1.1/32 subnet.
switch(config)#ip access-list ACL2
switch(config-acl-ACL2)#permit ip 168.10.1.1/32 any
switch(config-acl-ACL2)#exit
switch(config)#interface vlan 201
switch(config-if-Vl201)#
switch(config-if-Vl201)#
- These commands configure Ethernet interface 2 to translate the local source address 10.24.1.10 to the global source address 168.32.14.15, and to translate the local destination address 10.68.104.3 to the global destination address 168.25.10.7 for all packets moving through the interface. The use of NAT group 3 is arbitrary, but must be the same in both rules.
switch(config)#interface ethernet 2
switch(config-if-Et2)#ip nat source static 10.24.1.10 168.32.14.15 group 3
switch(config-if-Et2)#ip nat destination static 10.68.104.3 168.25.10.7 group 3
ip nat pool
The ip nat pool command identifies a pool of addresses using start address, end address, and either netmask or prefix length. If its starting IP address and ending IP address are the same, there is only one address in the address pool.
The no ip nat pool and default ip nat pool commands remove the ip nat pool command from running_config.
Command Mode
Global Configuration
Command Syntax
ip nat pool pool_name [ADDRESS_SPAN] SUBNET_SIZE
no ip nat pool pool_name
default ip nat pool pool_name
Parameters
- pool_name Name of the IP address pool.
- ADDRESS_SPAN Options include:
  - start_addr The first IP address in the address pool (IPv4 address in dotted decimal notation).
  - end_addr The last IP address in the address pool (IPv4 address in dotted decimal notation).
- SUBNET_SIZE Functions as a sanity check to ensure that the pool does not include the network or broadcast address. Options include:
  - netmask ipv4_addr The netmask of the address pool's network (dotted decimal notation).
  - prefix-length <0 to 32> The number of bits of the netmask (of the address pool's network) that are ones (how many bits of the address indicate the network).
- This command configures the pool of addresses using start address, end address, and prefix length of 24.
switch(config)#ip nat pool poo1 10.15.15.15 10.15.15.25 prefix-length 24
switch(config)#
- This command removes the pool of addresses.
switch(config)#no ip nat pool poo1 10.15.15.15 10.15.15.25 prefix-length 24
switch(config)#
ip nat source dynamic
The ip nat source dynamic command enables NAT of a specified source address for packets sent and received on the configuration mode interface. This command installs hardware translation entries for forward and reverse traffic. When the rule specifies a multicast group, the command does not install the reverse path in hardware. The command may include an access control list to filter packets for translation.
The no ip nat source dynamic and default ip nat source dynamic commands disable NAT translation of the specified source address by removing the corresponding ip nat source dynamic command from running_config.
Command Mode
Interface-Ethernet Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Command Syntax
ip nat source dynamic access-list acl_name POOL_TYPE
no ip nat source dynamic access-list acl_name
default ip nat source dynamic access-list acl_name
Parameters
- acl_name Access control list that controls the internal network addresses eligible for NAT.
- POOL_TYPE Options include:
  - overload Translates multiple local addresses to a single global address. When overloading is enabled, conversations using the same IP address are distinguished by their TCP or UDP port number.
  - pool pool_name The name of the IP address pool. The pool is defined using the ip nat pool command. The pool option is required even if the pool has just one address; NAT uses that one address for all of the translations.
  - pool_fullcone Enables full cone NAT, where all requests from the same internal IP address and port are mapped to the same external IP address and port.
- This command configures the dynamic NAT source address and sets the NAT overload for pool P2.
switch(config)#interface ethernet 3/1
switch(config-if-Et3/1)#ip nat source dynamic access-list ACL2 pool p2
switch(config-if-Et3/1)#
- This command disables the NAT source translation on interface Ethernet 3/1.
switch(config)#interface ethernet 3/1
switch(config-if-Et3/1)#no ip nat source dynamic access-list ACL2
switch(config-if-Et3/1)#
ip nat source static
The ip nat source static command enables NAT of a specified source address for the configuration mode interface. This command installs hardware translation entries for forward and reverse unicast traffic. When the rule specifies a multicast group, the command does not install the reverse path in hardware. The command may include an access control list to filter packets for translation.
When configuring twice NAT, an arbitrary NAT group number is used to associate the source NAT and destination NAT rules. This number must be the same in both rules.
The no ip nat source static and default ip nat source static commands disable NAT translation of the specified source address by removing the corresponding ip nat source static command from running_config.
Command Mode
Interface-Ethernet Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Command Syntax
ip nat source static ORIGINAL [FILTER] TRANSLATED [PROT_TYPE] [group group_number]
no ip nat source static ORIGINAL [FILTER] TRANSLATED [PROT_TYPE] [group group_number]
default ip nat source static ORIGINAL [FILTER] TRANSLATED [PROT_TYPE] [group group_number]
Parameters
- ORIGINAL Source address to be modified. Options include:
- original_ipv4 IPv4 address.
- original_ipv4 original_port IPv4 address and port (port value ranges from 1 to 65535).
- FILTER Access control list that filters packets. Options include:
- <no parameter> All packets with specified source address are cleared.
- access-list list_name List that specifies the packets that are cleared. Not supported when configuring twice NAT.
- TRANSLATED Source address of translated packet. Options include:
- translated_ipv4 IPv4 address.
- translated_ipv4 translated_port IPv4 address and port (port value ranges from 1 to 65535). When configuring twice NAT, source and destination NAT rules must either both specify a port translation or both not specify a port translation.
- PROT_TYPE Filters packets based on protocol type. Options include:
- <no parameter> All packets with specified source address are cleared.
- protocol tcp TCP packets with specified source address are cleared.
- protocol udp UDP packets with specified source address are cleared.
- group group_number Used only when configuring twice NAT, the NAT group number associates a source NAT rule with a destination NAT rule on the same interface. The group number (values range from 1 to 255) is arbitrary, but must be the same in both rules.
Restrictions
- If ORIGINAL includes a port, TRANSLATED must also include a port.
- If ORIGINAL does not include a port, TRANSLATED cannot include a port.
- These commands configure VLAN 101 to translate source address 10.24.1.10 to 168.32.14.15.
switch(config)#interface vlan 101
switch(config-if-Vl101)#ip nat source static 10.24.1.10 168.32.14.15
switch(config-if-Vl101)#
- These commands configure VLAN 101 to translate the source address 10.24.1.10 to 168.32.14.15, filtered by access list ACL1, for all packets with IP destination addresses in the 168.10.1.1/32 subnet.
switch(config)#ip access-list ACL1
switch(config-acl-ACL1)#permit ip any 168.10.1.1/24
switch(config-acl-ACL1)#exit
switch(config)#interface vlan 101
switch(config-if-Vl101)#ip nat source static 10.24.1.10 access-list ACL1 168.32.14.15
switch(config-if-Vl101)#
- These commands configure Ethernet interface 2 to translate the local source address 10.24.1.10 to the global source address 168.32.14.15, and to translate the local destination address 10.68.104.3 to the global destination address 168.25.10.7 for all packets moving through the interface. The use of NAT group 3 is arbitrary, but the number must be the same in both rules.
switch(config)#interface ethernet 2
switch(config-if-Et2)#ip nat source static 10.24.1.10 168.32.14.15 group 3
switch(config-if-Et2)#ip nat destination static 10.68.104.3 168.25.10.7 group 3
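The restrictions above (matching port presence on ORIGINAL and TRANSLATED, the 1-65535 port and 1-255 group ranges, no access-list with twice NAT, and one source plus one destination rule per group on the same interface) are mechanical enough to check before a configuration is pushed. The following added example, which is not EOS code, parses a constructed running-config fragment and reports each rule that would be rejected; the RULE_RE pattern and the sample interfaces are assumptions for illustration.

```python
"""Lint static NAT rules against the documented restrictions for
'ip nat source static' / 'ip nat destination static'.
Added example, not EOS code; the sample configuration is constructed."""
import re
from collections import namedtuple

# ip nat {source|destination} static ORIGINAL [port] [access-list NAME]
#     TRANSLATED [port] [protocol tcp|udp] [group N]
RULE_RE = re.compile(
    r"^ip nat (?P<dir>source|destination) static "
    r"(?P<orig>\d+\.\d+\.\d+\.\d+)(?: (?P<oport>\d+))?"
    r"(?: access-list (?P<acl>\S+))?"
    r" (?P<trans>\d+\.\d+\.\d+\.\d+)(?: (?P<tport>\d+))?"
    r"(?: protocol (?P<proto>tcp|udp))?"
    r"(?: group (?P<group>\d+))?$"
)

NatRule = namedtuple("NatRule", "interface direction original original_port "
                     "acl translated translated_port protocol group")


def parse_config(text):
    """Collect NAT rules from a running-config fragment, per interface."""
    rules, interface = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            interface = line.split(None, 1)[1]
            continue
        m = RULE_RE.match(line)
        if m and interface:
            g = m.groupdict()
            rules.append(NatRule(
                interface, g["dir"], g["orig"],
                int(g["oport"]) if g["oport"] else None,
                g["acl"], g["trans"],
                int(g["tport"]) if g["tport"] else None,
                g["proto"], int(g["group"]) if g["group"] else None))
    return rules


def lint(rules):
    """Return one message per restriction violated."""
    problems = []
    for r in rules:
        where = f"{r.interface}: {r.direction} {r.original}"
        for port in (r.original_port, r.translated_port):
            if port is not None and not 1 <= port <= 65535:
                problems.append(f"{where}: port {port} outside 1-65535")
        if (r.original_port is None) != (r.translated_port is None):
            problems.append(f"{where}: ORIGINAL and TRANSLATED must both "
                            "include a port or both omit it")
        if r.group is not None:
            if not 1 <= r.group <= 255:
                problems.append(f"{where}: group {r.group} outside 1-255")
            if r.acl:
                problems.append(f"{where}: access-list is not supported "
                                "with twice NAT")
    # Twice NAT: a group number pairs one source rule with one destination
    # rule on the same interface, and both must agree on port translation.
    groups = {}
    for r in rules:
        if r.group is not None:
            groups.setdefault((r.interface, r.group), []).append(r)
    for (intf, gid), members in groups.items():
        dirs = sorted(m.direction for m in members)
        if dirs != ["destination", "source"]:
            problems.append(f"{intf}: group {gid} needs exactly one source "
                            f"and one destination rule, found {dirs}")
            continue
        has_port = {m.original_port is not None for m in members}
        if len(has_port) != 1:
            problems.append(f"{intf}: group {gid} rules must both translate "
                            "ports or both not")
    return problems


def lint_config(text):
    return lint(parse_config(text))


# Constructed sample: Vlan101 and Ethernet2 mirror the documented examples;
# Ethernet3 deliberately violates three restrictions.
SAMPLE_CONFIG = """\
interface Vlan101
   ip nat source static 10.24.1.10 168.32.14.15
interface Ethernet2
   ip nat source static 10.24.1.10 168.32.14.15 group 3
   ip nat destination static 10.68.104.3 168.25.10.7 group 3
interface Ethernet3
   ip nat source static 10.0.0.5 8080 192.0.2.9
   ip nat source static 10.0.0.6 access-list ACL1 192.0.2.10 group 7
   ip nat destination static 10.0.0.7 22 192.0.2.11 2222 group 7
"""
```

Running lint_config(SAMPLE_CONFIG) reports the port mismatch on 10.0.0.5, the access-list used with twice NAT on 10.0.0.6, and the port disagreement between the two group 7 rules.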
ip nat translation counters
The ip nat translation counters command enables the feature to count packets that are translated by static and twice NAT rules in hardware. Once this feature is enabled, all current rules in hardware and new rules that are configured after running this command receive policers for counting packets.
The no ip nat translation counters and default ip nat translation counters commands disable the packet counter feature for static and twice NAT connections.
Command Mode
Global Configuration
Command Syntax
ip nat translation counters
no ip nat translation counters
default ip nat translation counters
Guidelines
The ip nat translation counters command is supported on the DCS-7150 series switches only. This command is solely intended to debug static and twice NAT translation failures in hardware. Disable this feature after completing troubleshooting. If this feature remains enabled when the count of static connections exceeds 275, it can cause unpredictable behavior, including a restart of the FocalPointV2 agent. A restart of the FocalPointV2 agent results in traffic disruption.
switch(config)#ip nat translation counters
switch(config)#show ip nat translation hardware detail
Source IP        Destination IP  Translated IP  TGT  Type  Intf    Proto  Packets  Packets Reply
----------------------------------------------------------------------------------------------
192.168.10.2:0   -               20.1.10.2:0    SRC  STAT  Vl2640  -      2        1
192.168.110.2:0  -               20.1.110.2:0   SRC  STAT  Vl2640  -      2        1
switch(config)#show ip nat translation twice hardware detail
Source IP      Destination IP  Translated    Translated    Intf    Group  Proto  Packets  Packets
                               Src IP        Dst IP                                      Reply
---------------------------------------------------------------------------------------------
192.16.50.2:0  10.1.50.2:0     20.1.50.2:0   10.1.60.2:0   Vl2922  2      -      2        1
19.16.150.2:0  10.1.150.2:0    20.1.150.2:0  10.1.160.2:0  Vl2922  12 -2
ip nat translation low-mark
The ip nat translation low-mark command configures the minimum threshold that triggers the resumption of programming new NAT translation connections.
The ip nat translation max-entries command specifies the maximum number of NAT translation connections that can be stored. When this limit is reached, new connections are dropped instead of being programmed in hardware or software. No new connections are programmed until the number of stored entries drops below the configured low-mark, expressed as a percentage of the max-entries value. The default low-mark value is 90%.
The no ip nat translation low-mark and default ip nat translation low-mark commands restore the default low-mark value by removing the ip nat translation low-mark command from running_config.
Command Mode
Global Configuration
Command Syntax
ip nat translation low-mark threshold
no ip nat translation low-mark
default ip nat translation low-mark
Parameters
- threshold Percentage of maximum connection entries. Value ranges from 1 to 99. Default is 90.
switch(config)#ip nat translation low-mark 93
switch(config)#
ip nat translation max-entries
The ip nat translation max-entries command specifies maximum number of NAT translation connections. After this threshold is reached, new connections are dropped until the number of programmed connections is reduced below the level specified by the ip nat translation low-mark command.
The no ip nat translation max-entries and default ip nat translation max-entries commands remove the maximum connection limit and reset the parameter value to zero by removing the ip nat translation max-entries command from running_config.
Command Mode
Global Configuration
Command Syntax
ip nat translation max-entries connections
no ip nat translation max-entries
default ip nat translation max-entries
Parameters
- connections The maximum number of NAT translation connections. Value ranges from 0 to 4294967295. Default value is 0, which removes the connection limit.
switch(config)#ip nat translation max-entries 3000
switch(config)#
ip nat translation tcp-timeout
The ip nat translation tcp-timeout command specifies the translation timeout period for translation table entries. The timeout period specifies the interval during which the switch will attempt to reuse an existing TCP translation for devices specified by table entries.
The no ip nat translation tcp-timeout and default ip nat translation tcp-timeout commands reset the timeout to its default by removing the corresponding ip nat translation tcp-timeout command from running_config.
Command Mode
Global Configuration
Command Syntax
ip nat translation tcp-timeout period
no ip nat translation tcp-timeout
default ip nat translation tcp-timeout
Parameters
- period Time-out period in seconds for port translations. Value ranges from 0 to 4294967295. Default value is 86400 (24 hours).
- This command sets the TCP timeout for translations to 600 seconds.
switch(config)#ip nat translation tcp-timeout 600
switch(config)#
- This command removes the TCP translation timeout.
switch(config)#no ip nat translation tcp-timeout
switch(config)#
ip nat translation udp-timeout
The ip nat translation udp-timeout command specifies the translation timeout period for UDP translation table entries. The timeout period specifies the interval during which the switch attempts to reuse an existing UDP translation for devices specified by table entries.
The no ip nat translation udp-timeout and default ip nat translation udp-timeout commands reset the timeout to its default by removing the corresponding ip nat translation udp-timeout command from running_config.
Command Mode
Global Configuration
Command Syntax
ip nat translation udp-timeout period
no ip nat translation udp-timeout
default ip nat translation udp-timeout
Parameters
- period Time-out period in seconds. Value ranges from 0 to 4294967295. Default value is 300 (5 minutes).
- This command globally sets the timeout for UDP translations to 800 seconds.
switch(config)#ip nat translation udp-timeout 800
- This command removes the timeout for UDP translations.
switch(config)#no ip nat translation udp-timeout
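The interaction between max-entries, low-mark and the per-protocol timeouts is easiest to see in a model: once the table is full, new connections are dropped even after some entries age out, until the count falls below low-mark percent of max-entries. The following is an added example, not EOS code; the ten-entry limit, the tick clock and the flows are constructed for illustration, and the NatTable class is an assumption that models only the documented admission behavior.

```python
"""Model of the translation-table limits documented above: max-entries
caps programmed connections, new ones are dropped once the cap is hit, and
programming resumes only after the table drains below low-mark percent of
max-entries; entries expire after tcp-timeout or udp-timeout seconds.
Added example, not EOS code; limits, clock and flows are constructed."""


class NatTable:
    def __init__(self, max_entries=0, low_mark=90,
                 tcp_timeout=86400, udp_timeout=300):
        self.max_entries = max_entries      # 0 (the default) means no limit
        self.low_mark = low_mark            # percent of max_entries
        self.timeout = {"tcp": tcp_timeout, "udp": udp_timeout}
        self.entries = {}                   # flow key -> expiry time
        self.blocked = False                # set once max_entries is reached
        self.dropped = 0

    def _expire(self, now):
        self.entries = {k: exp for k, exp in self.entries.items() if exp > now}

    def low_mark_entries(self):
        return self.max_entries * self.low_mark / 100.0

    def offer(self, now, key, proto):
        """Offer a connection at time `now`; return True if it is programmed."""
        self._expire(now)
        if key in self.entries:             # existing translation is reused
            self.entries[key] = now + self.timeout[proto]
            return True
        if self.max_entries:
            if self.blocked and len(self.entries) < self.low_mark_entries():
                self.blocked = False        # drained below low-mark: resume
            if self.blocked or len(self.entries) >= self.max_entries:
                self.blocked = True         # at the limit: drop until low-mark
                self.dropped += 1
                return False
        self.entries[key] = now + self.timeout[proto]
        return True


def run_scenario(low_mark):
    """Fill a 10-entry table with UDP flows in two batches, then probe it at
    three later times; returns the accept/drop decision of each probe."""
    table = NatTable(max_entries=10, low_mark=low_mark, udp_timeout=300)
    for i in range(4):                      # batch 1, expires at t=300
        table.offer(0, f"flow{i}", "udp")
    for i in range(4, 10):                  # batch 2, expires at t=400
        table.offer(100, f"flow{i}", "udp")
    probes = []
    # t=150: table full, so the probe is dropped and the table is blocked
    probes.append(table.offer(150, "probe-a", "udp"))
    # t=301: batch 1 expired, 6 entries remain; accepted only if 6 < low-mark
    probes.append(table.offer(301, "probe-b", "udp"))
    # t=401: batch 2 expired too; the table is below any low-mark
    probes.append(table.offer(401, "probe-c", "udp"))
    return probes


if __name__ == "__main__":
    print("low-mark 90:", run_scenario(90))   # [False, True, True]
    print("low-mark 50:", run_scenario(50))   # [False, False, True]
```

With the default low-mark of 90% the table resumes as soon as it drops to 8 entries, whereas a 50% low-mark keeps rejecting new flows until fewer than 5 remain; long tcp-timeout values keep the table full for correspondingly longer.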
show ip nat access-list interface
The show ip nat acl interface command displays the access control lists (ACLs) that are configured as source NAT or destination NAT filters. The display indicates ACL rules that do not comply with these NAT requirements:
- Source IP address is any.
- Destination IP address may use any mask size.
- Source port matching is not allowed.
- Protocol matching is not allowed.
Command Mode
EXEC
Command Syntax
show ip nat access-list [INTF][LISTS]
- INTF Filters NAT statements by interface. Options include:
- <no parameter> Includes all statements on all interfaces.
- interface ethernet e_num Statements on specified Ethernet interface.
- interface loopback l_num Statements on specified Loopback interface.
- interface management m_num Statements on specified Management interface.
- interface port-channel p_num Statements on specified Port-Channel interface.
- interface vlan v_num Statements on specified VLAN interface.
- interface vxlan vx_num Statements on specified VXLAN interface.
- LISTS ACLs displayed by command. Options include:
- <no parameter> All ACLs.
- acl_name Specifies individual ACL.
switch>show ip nat acl ACL1
acl ACL1
(0.0.0.0/0, 168.10.1.1/32)
Interfaces using this ACL for Nat:
Vlan100
switch>show ip nat acl ACL2
acl ACL2
(168.10.1.1/32, 0.0.0.0/0)
Interfaces using this ACL for Nat:
Vlan201
switch>
show ip nat pool
The show ip nat pool command displays the configuration of the address pool.
Command Mode
EXEC
Command Syntax
show ip nat pool POOL_SET
- POOL_SET Options include:
- <no parameter> All configured address pools.
- pool_name The name of the pool.
- This command displays all the address pools configured on the switch.
switch#show ip nat pool
Pool  StartIp      EndIp        Prefix
p1    10.15.15.15  10.15.15.25  24
p2    10.10.15.15  10.10.15.25  22
p3    10.12.15.15  10.12.15.25  12
switch#
- These commands display specific information for the address pools configured on the switch.
switch#show ip nat pool p1
Pool  StartIp   EndIp     Prefix
p1    4.1.1.1   4.1.1.2   24
      1.1.1.1   1.1.1.2   24
      3.1.1.1   3.1.1.2   24
switch#show ip nat pool p2
Pool  StartIp   EndIp     Prefix
p2    10.1.1.1  10.1.1.2  16
switch#
show ip nat synchronization advertised-translations
The show ip nat synchronization advertised-translations command displays the detailed status of devices that are advertised to a peer device.
Command Mode
EXEC
Command Syntax
show ip nat synchronization advertised-translations
switch#show ip nat synchronization advertised-translations
Source IP        Destination IP  Translated IP          TGT  Type  Intf
------------------------------------------------------------------------
61.0.0.15:6661   100.0.0.2:80    192.170.230.171:6661   SRC  DYN   Et5
61.0.0.41:2245   100.0.0.2:80    192.170.230.170:2245   SRC  DYN   Et5
61.0.0.48:22626  100.0.0.2:80    192.170.230.169:22626  SRC  DYN   Et5
61.0.0.41:22601  100.0.0.2:80    192.170.230.170:22601  SRC  DYN   Et5
61.0.0.41:16798  100.0.0.2:80    192.170.230.170:16798  SRC  DYN   Et5
61.0.0.18:22605  100.0.0.2:80    192.170.230.177:22605  SRC  DYN   Et5
61.0.0.16:2256   100.0.0.2:80    192.170.230.166:2256   SRC  DYN   Et5
show ip nat synchronization discovered-translations
The show ip nat synchronization discovered-translations command displays details of what has been advertised from a peer device.
Command Mode
EXEC
Command Syntax
show ip nat synchronization discovered-translations
switch#show ip nat synchronization discovered-translations
Source IP      Destination IP  Translated IP      TGT  Type  Intf
-------------------------------------------------------------------------
61.0.2.229:63  100.0.0.2:63    170.24.86.180:63   SRC  DYN   Et5
61.0.15.51:63  100.0.0.2:63    170.24.73.90:63    SRC  DYN   Et5
61.0.6.68:63   100.0.0.2:63    170.24.110.128:63  SRC  DYN   Et5
61.0.7.163:63  100.0.0.2:63    170.24.104.35:63   SRC  DYN   Et5
show ip nat synchronization peer
The show ip nat synchronization peer command displays the detailed status of a peer device.
Command Mode
EXEC
Command Syntax
show ip nat synchronization peer
switch#show ip nat synchronization peer
Description : Value
Peer : 11.11.11.0
Connection Port : 4532
Connection Source : 0.0.0.0
Kernel Interface : vlan1111
Local Interface : Vlan1111
Established Time : 1969-12-31 16:00:00
Connection Attempts : 0
Oldest Supported Version : 1
Newest Supported Version : 1
Version Compatible : True
Connection State : connected
Shutdown State : False
Status Mount State : mountMounted
Version Mount State : mountMounted
Recover Mount State : mountMounted
Reboot Mount State : mountMounted
show ip nat translation
The show ip nat translation command displays configured NAT statements in the switch hardware.
Command Mode
EXEC
Command Syntax
show ip nat translation [address | address-only | destination | detail | dynamic | hardware | interface | kernel | max-entries | source | static | summary | twice]
The position of all parameters is interchangeable.
- <no parameter> Displays all NAT connections installed in software.
- address ipv4_addr Displays NAT connections of the specified IPv4 host address.
- address-only ipv4_addr Displays address-only NAT connections of the specified IPv4 host address.
- destination Displays destination NAT connections installed in software.
- detail Displays detailed output of all NAT connections.
- dynamic Displays dynamic NAT connections.
- hardware Displays NAT connections installed in hardware.
- interface Filters NAT connections by interface. Options include:
- interface ethernet e_num Displays NAT connections of the specified Ethernet interface.
- interface port-channel p_num Displays NAT connections of the specified port-channel interface.
- interface vlan v_num Displays NAT connections of the specified VLAN interface.
- kernel Displays NAT connections installed in the kernel.
- max-entries Displays the configured NAT connection limits in hardware.
- source Displays source NAT connections installed in software.
- static Displays static NAT connections.
- summary Displays a summary of all NAT connections.
- twice Displays twice NAT connections.
- This command displays all configured NAT translations.
switch>show ip nat translation
Source IP           Destination IP   Translated IP         TGT  Type  Intf
---------------------------------------------------------------------------
192.168.1.10:62822  172.22.22.40:53  172.17.254.161:62822  SRC  DYN   Vl3925
192.152.1.10:20342  172.22.22.40:80  172.17.254.161:22222  SRC  STAT  Vl3945
switch#
- This command displays NAT connections of the specified Ethernet interface.
switch>show ip nat translation dynamic interface Ethernet 26
Source IP         Destination IP  Translated IP  TGT  Type  Intf
-------------------------------------------------------------------------
192.168.1.2:8080  10.1.1.5:600    20.1.1.5:8080  SRC  DYN   Et26
- This command displays the configured NAT connection limits in hardware.
switch>show ip nat translation max-entries
Global connection limit            100
Global connection limit low mark   90 (90%)
Hosts connection limit             20
Hosts connection limit low mark    18 (90%)
Total number of connections        1
Host      Max-Entries  Low-Mark  Connections
-----------------------------------------------------------------------
10.1.1.1  10           9 (90%)   0
Media Access Control Security
This section explains the basic concepts about Media Access Control Security (MACsec) including overview, configuration, and the different MACsec commands that are used.
MACsec Overview
Media Access Control Security (MACsec) is an industry standard encryption mechanism that protects all traffic flowing on the Ethernet links. MACsec is based on IEEE 802.1X and IEEE 802.1AE standards.
The major benefits of MACsec are:
- MACsec supports packet authentication by providing integrity checking so that packet data is not altered during a packet flow.
- MACsec provides secure encryption at Layer 2 level by ensuring complete data confidentiality.
- A high density MACsec solution for Cloud Data Centers is integrated with 7500R for highest density and performance in a modular platform.
- Cost and performance are optimized for Data Center Interconnect to transport massive volumes of traffic through metro or long haul networks.
- Secure transport of data over distance with MACsec encryption eliminating additional intermediate devices.
MACsec Terminology
MACsec Key Agreement Protocol (MKA) - It is the key agreement protocol for discovering MACsec peers and negotiating keys between MACsec peers (IEEE 802.1X-REV).
Connectivity Association Key (CAK) - Endpoints that share CAK are part of the same secure Connectivity Association (CA). This key can either be a static pre-shared key or dynamically derived when 802.1X authentication is used. CAK is a master key that is used to generate all other keys that are used for MACsec.
Connectivity Associations (CA) - CA is a security relationship between MACsec-capable devices. Endpoints that share CAK are part of the same CA. There can be more than two endpoints in a secure CA. Arista implementation is limited to 2 endpoints.
Primary Key - It is ideally the CAK for the MKA session in progress.
Fallback Key - In case the primary configured key does not establish its connection, the fallback key is used, so as to ensure no loss of traffic.
Secure Association Key (SAK) - The SAK is derived from the CAK and is the key used by the network device ports to encrypt traffic for a given session.
Key Server - One of the MACsec peers in the CA becomes the Key Server. The main role of the Key Server is to create and distribute Secure Association Keys (SAKs), which are used in actual data encryption.
MACsec Limitations
The limitations of MACsec are:
- MACsec is supported only on point-to-point links.
- When MACsec is enabled on an interface for the first time, interface flapping occurs for MACsec to take effect.
- Until MKA protocol converges and negotiates encryption keys, the port does not forward any traffic. This occurs initially when MACsec is configured on a port.
Supported Devices
MACsec is supported on the following devices:
- 7500E-6CFPX-LC
- 7500R-8CFPX-LC
- DCS-7500RM-36CQ-LC
- DCS-7500R2M-36CQ-LC
- DCS-7500R2AM-36CQ-LC
- DCS-7280SRAM
MACsec Licensing
MACsec encryption is an EOS licensed feature. A valid MACsec license must be configured on a switch. MACsec licenses are tied to a switch serial number and the licensee. Every switch running MACsec requires a separate license of its own.
Please contact your system engineer to acquire the required license codes before attempting to configure MACsec.
MACsec in FIPS mode
Federal Information Processing Standards (FIPS) are a set of standards defined by the United States federal government related to the processing of data in computer systems by non-military government agencies and government contractors. These standards define specific requirements for various purposes such as ensuring computer security and interoperability within and across the computer networking industry.
Arista devices are compliant with FIPS 140-2 Level 1. This set of standards governs the processing of data by cryptographic modules. FIPS mode is enabled through the CLI configuration.
Configuring MACsec
Basic steps to configuring MACsec on the switch:
Configuring the FIPS mode
To configure FIPS mode for the MACsec protocol, use the fips restrictions command.
- This command configures FIPS mode for the MACsec protocol.
switch(config)#mac security
switch(config-mac-security)#fips restrictions
Displaying MACsec Information
The following sections provide information about MACsec on a switch.
Displaying MACsec detailed information
Use the show mac security interface detail command to display detailed information about MACsec.
Example
switch#show mac security interface detail
Interface: Ethernet4/1/1
SCI: 28:99:3a:82:6f:82::605
SSCI: 00000002
Controlled port: True
Key server priority: 16
Session rekey period: 0
Traffic: Protected
Key in use: 9d5bc0d3076ea4a08b99b9d9:1
Latest key: None
Old key: 9d5bc0d3076ea4a08b99b9d9:1(RT)
Interface: Ethernet4/3/1
SCI: 28:99:3a:82:6f:85::613
SSCI: 00000001
Controlled port: True
Key server priority: 16
Session rekey period: 0
Traffic: Protected
Key in use: 9d5bc0d3076ea4a08b99b9d9:1
Latest key: None
Old key: 9d5bc0d3076ea4a08b99b9d9:1(RT)
About the Output:
- Interface: Name of the interface.
- Secure Channel Identifier (SCI): Combination of MAC address and port number. Used to uniquely identify a Mac Security port.
- Controlled Port: Indicates if Mac Security is enabled on the port. A value of True indicates that encryption is enabled on the port.
- Key In Use: The SAK identifier currently in use. Combination of Key Servers message identifier (see below) and key number.
- Key Server priority: Configured key server priority.
- Session Rekey Period: Configured session rekey period.
- Latest Key: Latest SAK being negotiated by Mac Security Key Agreement Protocol (MKA)
- Old Key: The last SAK negotiated by Mac Security Key Agreement Protocol (MKA)
Displaying MACsec participants
Use the show mac security participants command to display information about the MACsec participants.
switch#show mac security participants
Interface: Ethernet4/1/1
CKN: abcd
Message ID: 9d5bc0d3076ea4a08b99b9d9
Elected self: True
Success: True
Principal: True
Default: False
CKN: dead
Message ID: 4ef4cf009161bd551b5e7434
Elected self: True
Success: True
Principal: False
Default: True
Interface: Ethernet4/3/1
CKN: abcd
Message ID: c79ad8882c2dd3a8e838a691
Elected self: False
Success: True
Principal: True
Default: False
CKN: dead
Message ID: 3dfd4486b5f68a81014a37ec
Elected self: False
Success: True
Principal: False
Default: True
Displaying MACsec participants detailed information
Use the show mac security participants detail command to display detailed information about the MACsec participants.
Example
switch#show mac security participants detail
Interface: Ethernet4/1/1
CKN: abcd
Message ID: 9d5bc0d3076ea4a08b99b9d9
Elected self: True
Success: True
Principal: True
Default: False
KeyServer SCI: 28:99:3a:82:6f:82::605
SAK transmit: True
LLPN exhaustion: 0
Distributed key identifier: 9d5bc0d3076ea4a08b99b9d9:1
Live peer list: ['c79ad8882c2dd3a8e838a691']
Potential peer list: []
CKN: dead
Message ID: 4ef4cf009161bd551b5e7434
Elected self: True
Success: True
Principal: False
Default: True
KeyServer SCI: 28:99:3a:82:6f:82::605
SAK transmit: False
LLPN exhaustion: 0
Distributed key identifier: None
Live peer list: ['3dfd4486b5f68a81014a37ec']
Potential peer list: []
Interface: Ethernet4/3/1
CKN: abcd
Message ID: c79ad8882c2dd3a8e838a691
Elected self: False
Success: True
Principal: True
Default: False
KeyServer SCI: 28:99:3a:82:6f:82::605
SAK transmit: True
LLPN exhaustion: 0
Distributed key identifier: 9d5bc0d3076ea4a08b99b9d9:1
Live peer list: ['9d5bc0d3076ea4a08b99b9d9']
Potential peer list: []
CKN: dead
Message ID: 3dfd4486b5f68a81014a37ec
Elected self: False
Success: True
Principal: False
Default: True
KeyServer SCI: 28:99:3a:82:6f:82::605
SAK transmit: False
LLPN exhaustion: 0
Distributed key identifier: None
Live peer list: ['4ef4cf009161bd551b5e7434']
Potential peer list:
About the Output
- Connectivity Association Key Name (CKN): Configured name of the key in use.
- Message ID: A random 92 bit string used as an identifier for an MKA participant.
- Elected Self: True if this participant is the elected key server.
- Success: True if this participant is live and has at least one live peer.
- Principal: True if this participant is the principal participant elected to distribute SAKs or if participant receives SAKs from key server.
- Default: True if this participant is a fallback/backup participant (spawned when a fallback key is configured in a Mac Security profile).
- Key Server SCI: The SCI of the key server.
- SAK Transmit: True if the participant is ready to use the negotiated key for transmit.
- LLPN Exhaustion: Increments if the number of data packets sent using the current key exceeds a certain threshold.
- Distributed Key Identifier: Message ID + key number of the most recently generated SAK.
- Live Peer List: Message IDs of all the live peers of the participant.
- Potential Peer List: Message IDs of all the potential peers of the participant. These are peers that haven't yet established mutual liveness but have sent out at least one control packet.
Displaying MACsec MKA Counters
Use the show mac security mka counters command to display information about the MACsec MKA counters.
Example
switch#show mac security mka counters
Interface      Rx Success  Rx Failure  Tx Success  Tx Failure
Ethernet4/1/1  287         0           288         0
Ethernet4/3/1  288         0           287         0
Displaying MACsec Security Counters Detailed Information
Use the show mac security counters detail command to display detailed information about the MACsec security counters.
Example
switch#show mac security counters detail
Ethernet4/1/1  Counter Name        Count
-------------------------------------------------------
outPktsEncrypted     112
outOctetsEncrypted   11984
outPktsUntagged      0
outPktsTooLong       0
outPktCtrl           224
inPktsDecrypted      2
inOctetsDecrypted    214
inPktsUnchecked      0
inPktsOK             2
inPktsNotValid       0
inPktsNotUsingSA     0
inPktsCtrl           223
inPktsNoTag          8
inPktsTagged         0
inPktsBadTag         0
inPktsNoSCI          0
inPktsLate           0
Ethernet4/3/1  Counter Name        Count
-------------------------------------------------------
outPktsEncrypted     2
outOctetsEncrypted   214
outPktsUntagged      0
outPktsTooLong       0
outPktCtrl           223
inPktsDecrypted      111
inOctetsDecrypted    11877
inPktsUnchecked      0
inPktsOK             111
inPktsNotValid       0
inPktsNotUsingSA     0
inPktsCtrl           224
inPktsNoTag          9
inPktsTagged         0
inPktsBadTag         0
inPktsNoSCI          0
inPktsLate           0
Displaying MACsec Security Counters
Use the show mac security counters command to display information about the MACsec security counters.
Example
switch#show mac security counters
Port     InPktsDecrypted  InOctetsDecrypted  OutPktsEncrypted  OutOctetsEncrypted
Et4/1/1  2                214                109               11663
Et4/3/1  109              11663              2                 214
Displaying MACsec MKA Counters detailed information
Use the show mac security mka counters detail command to display detailed information about the MACsec MKA counters.
Example
switch#show mac security mka counters detail
Interface: Ethernet4/1/1
Tx packet success: 290
Tx packet failure: 0
Tx invalid: 0
Rx packet success: 289
Rx packet failure: 0
Rx invalid: 0
Rx eapol error: 0
Rx basic parameter set error: 0
Rx unrecognized CKN error: 0
Rx ICV validation error: 0
Rx live peer list error: 0
Rx potential peer list error: 0
Rx SAK use set error: 0
Rx distributed SAK set error: 0
Rx distributed CAK set error: 0
Rx ICV Indicator error: 0
Rx unrecognized parameter set error: 0
Interface: Ethernet4/3/1
Tx packet success: 289
Tx packet failure: 0
Tx invalid: 0
Rx packet success: 290
Rx packet failure: 0
Rx invalid: 0
Rx eapol error: 0
Rx basic parameter set error: 0
Rx unrecognized CKN error: 0
Rx ICV validation error: 0
Rx live peer list error: 0
Rx potential peer list error: 0
Rx SAK use set error: 0
Rx distributed SAK set error: 0
Rx distributed CAK set error: 0
Rx ICV Indicator error: 0
Rx unrecognized parameter set error: 0
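Because the MKA counters above are cumulative, the useful signal for operations is an error counter that grows between two polls (for instance Rx ICV validation error, which rises when MKPDUs fail their integrity check, or Rx unrecognized CKN error, which rises when the peer presents a key name this side does not hold). The following is an added example, not EOS code: it parses text in the format of show mac security mka counters detail and compares two polls. The sample output is constructed, and the second poll deliberately injects errors on Ethernet4/3/1; the parse_mka_counters and error_increments helpers are assumptions, not EOS functions.

```python
"""Parse 'show mac security mka counters detail' text and report MKA error
counters that increased between two polls. Added example, not EOS code;
both poll samples are constructed, the second with injected errors."""
import re

LINE_RE = re.compile(r"^\s*(?P<name>[^:]+):\s*(?P<value>\S+)\s*$")

# Counters whose growth indicates a keying problem or tampering on the link.
ERROR_COUNTERS = (
    "Rx ICV validation error",      # MKPDU integrity check failed
    "Rx unrecognized CKN error",    # peer uses a CKN this side does not know
    "Rx basic parameter set error",
    "Rx eapol error",
    "Rx packet failure",
    "Tx packet failure",
)


def parse_mka_counters(text):
    """Return {interface: {counter name: int}} from the show output."""
    result, current = {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name, value = m.group("name").strip(), m.group("value")
        if name == "Interface":
            current = result.setdefault(value, {})
        elif current is not None and value.isdigit():
            current[name] = int(value)
    return result


def error_increments(previous, current):
    """Return {interface: {counter: delta}} for error counters that grew.
    Cumulative counters only ever increase, so the delta between polls is
    the alerting signal, not a non-zero absolute value from long ago."""
    alerts = {}
    for intf, counters in current.items():
        before = previous.get(intf, {})
        for name in ERROR_COUNTERS:
            delta = counters.get(name, 0) - before.get(name, 0)
            if delta > 0:
                alerts.setdefault(intf, {})[name] = delta
    return alerts


def _block(intf, tx_ok, rx_ok, icv=0, ckn=0):
    """Build one interface block in the show-output format (constructed)."""
    return (
        f"Interface: {intf}\n"
        f"Tx packet success: {tx_ok}\nTx packet failure: 0\nTx invalid: 0\n"
        f"Rx packet success: {rx_ok}\nRx packet failure: 0\nRx invalid: 0\n"
        f"Rx eapol error: 0\nRx basic parameter set error: 0\n"
        f"Rx unrecognized CKN error: {ckn}\nRx ICV validation error: {icv}\n"
        f"Rx live peer list error: 0\nRx potential peer list error: 0\n"
        f"Rx SAK use set error: 0\nRx distributed SAK set error: 0\n"
        f"Rx distributed CAK set error: 0\nRx ICV Indicator error: 0\n"
        f"Rx unrecognized parameter set error: 0\n"
    )


# Two constructed polls roughly one MKA hello interval batch apart.
POLL_1 = _block("Ethernet4/1/1", 290, 289) + _block("Ethernet4/3/1", 289, 290)
POLL_2 = _block("Ethernet4/1/1", 320, 319) + \
         _block("Ethernet4/3/1", 319, 317, icv=3, ckn=1)


def check_polls(poll_1=POLL_1, poll_2=POLL_2):
    return error_increments(parse_mka_counters(poll_1),
                            parse_mka_counters(poll_2))


if __name__ == "__main__":
    for intf, hits in check_polls().items():
        print(f"{intf}: MKA error counters increased: {hits}")
```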
Displaying MACsec FIPS Status
Use show mac sec status command to display information about the MACsec FIPS status.
Example
switch(config)#mac security
switch(config-mac-security)#show mac sec status
Active Profiles: 1
FIPS Mode: Yes
Secured Interfaces: 2
MACsec Key Retirement Immediate
MACsec uses the concept of configuring two keys for MKA negotiation: Primary and Fallback (as a backup). Given a mac security profile configured on an interface, an actor is created per key, and that actor is responsible for MKA negotiation with the peer. When a new primary key is configured, the old primary key's actor is retained in the system until the MKA session with the newly configured primary key becomes successful. The same holds for the fallback key. When the key retirement immediate command is used, it removes the actor corresponding to the old key, be it primary or fallback, from the system immediately.
MACsec Key Retirement Immediate Operations
- If a new primary key is configured in a mac security profile, the old primary key's actor is deleted from the system immediately.
- If a new fallback key is configured in a mac security profile, the old fallback key's actor is deleted from the system immediately.
- Removing the feature configuration from the mac security profile only stops the immediate cleanup of old keys when new keys are configured. It does not recreate the old actor.
Note: The key retirement immediate command only deletes the actor corresponding to old key. It does not clean up the SAK programmed in the hardware until a new SAK is available to be programmed. However, as a side effect of deletion of actor, a new principal actor will be chosen (if an eligible actor is available) over which a new SAK will be distributed subsequently.
MACsec Key Retirement Immediate feature interactions
MACsec EAP-FAST Support
If dynamic Mac Security keys are used with key retirement immediate, then for every new primary key derived from 802.1X, the old primary key's actor is deleted from the system. This usually happens at the reauthentication interval configured for 802.1X.
MACsec Fallback to Unprotected Traffic Support
When key retirement immediate is configured together with the Fallback to Unprotected Traffic feature, transitions between unprotected and protected traffic may become more frequent. With Key Retirement Immediate, whenever a new key is configured, the existing successful MKA session corresponding to the old key is not maintained, which might bring the number of successful MKA sessions down to zero, which in turn moves the interface to the unprotected traffic state as per the Fallback to Unprotected Traffic feature.
MACsec Key Retirement Immediate Configuration
The key retirement immediate command is configured in mac security profile mode; the configuration needs to be present on both key server and non key server peers. Since the key server decides the principal actor for SAK distribution, it is recommended that this configuration is present on the key server so that re-election of the principal actor is triggered immediately.
If key retirement immediate is configured only on the key server, the non key server will still try to negotiate MKA over the old primary key, unnecessarily using some system resources and time even when not required.
If key retirement immediate is configured only on the non key server, it takes 6 seconds (MKA Lifetime) before the resulting session failure triggers any re-election on the key server.
switch(config-mac-security-profile-sampleProfile)#[no] key retirement immediate
Configuration Scenarios
When both Primary Key and Fallback Key are configured: without key retirement immediate, when a new primary is configured, the actor corresponding to the old primary stays active until the MKA session on the new primary becomes successful. With key retirement immediate, the actor corresponding to the old primary is deleted immediately. Since a fallback is also configured, the key server chooses it as the new principal actor, if eligible. Once a new principal actor is chosen, a new SAK is distributed, which eventually gets programmed and used for encryption and decryption.
When only the Primary Key is configured: the behavior is the same as above, except that no other actor becomes principal until the new primary becomes successful. Until then the hardware continues to use the SAK generated with the old primary.
When the Fallback is the Principal actor: without key retirement immediate, when a new fallback key is configured, the old fallback stays in the system until the new fallback becomes active or the primary becomes active. With key retirement immediate, the old fallback actor is deleted immediately. Until a new principal actor is elected, the hardware continues to use the SAK generated with the old fallback.
The show mac security participants command shows all the participants present in the system. When key retirement immediate is configured, the actors corresponding to old keys no longer appear in the output of that show command.
MACsec EAP-FAST Support
In addition to static keys, Media Access Control Security (MACsec) supports dynamically derived Mac Security keys. To derive Mac Security keys dynamically, both peers must be configured for 802.1X authentication. One peer must be configured as the Authenticator and the other peer as the Supplicant. Upon a successful 802.1X authentication sequence between the peers, keying material is generated by both the authenticator and the supplicant. This keying material is then used to derive Mac Security keys to establish a MACsec Key Agreement (MKA) protocol session. This feature adds support for Arista devices to act as the supplicant, so that Mac Security keys can be derived in a bidirectional fashion.
The following diagram illustrates a typical Mac Security + 802.1X topology:

Platform Compatibility
Mac Security dynamic key derivation is supported on all MACsec capable switches. This includes 7500E-6CFPX-LC, 7500R-8CFPX-LC, 7500RM-36CQ-LC, 7500R2M-36CQ-LC, 7280SRAM-48C6, 7280SRM-40CX2, and 7280CR2M-30.
Configuring MAC Security Dynamic Key Derivation
802.1X Authenticator Configuration
A new option is added to the 802.1X authenticator configuration to make the authenticator more robust against unreliable authentication servers. By default, when an authentication server is unreachable, the authenticator blocks all traffic on the port and keeps the port Unauthorized until it gets replies from the authentication server. The following option changes this behavior and keeps the port in its current state while the authentication server is unreachable:
Example
switch(config-if-Et1)#dot1x timeout reauth-timeout-ignore always
802.1X Supplicant Configuration
The 802.1X supplicant configuration is done through MACsec profiles. A MACsec profile contains all the credentials necessary for 802.1X authentication to succeed.
Following are the steps to configure an 802.1X supplicant profile:
Displaying 802.1X Supplicant Status
The show dot1x supplicant command displays the 802.1X supplicant status.
switch#show dot1x supplicant
Interface: Ethernet6/1
Identity: arastra
EAP method: fast
Status: success
Supplicant MAC: 44:4c:a8:34:bf:20
Authenticator MAC: 00:1c:73:e0:d3:76
About the Output
Interface: The port on which the supplicant is running.
Identity: Configured supplicant identity.
EAP method: Configured EAP method (Currently just EAP-FAST)
Status: Supplicant Status. Can be one of the following:
- Success Authentication has been successful.
- Down Authentication sequence has not begun.
- Failed Authentication has failed.
- Connecting Authentication is in progress.
- Unused Supplicant is uninitialized.
Supplicant MAC: MAC address of the supplicant.
Authenticator MAC: MAC address of the authenticator (peer).
Existing Mac Security show commands can be used to look at Mac Security status.
MACsec Proxy For VXLAN
The MACsec Proxy for VXLAN feature enables the MACsec service over VXLAN. MACsec over VXLAN is provided by mapping a VXLAN Network Identifier (VNI) and remote VXLAN tunnel endpoint (VTEP) IP to a MACsec proxy sub-interface.
Any packet routed to the MACsec proxy sub-interface is encrypted and tunneled to the remote VTEP. On the receive path the packets are decrypted, then decapsulated and forwarded. MKA negotiates and renews the encryption keys. For this purpose a MACsec-capable front panel port has to be dedicated and must not have anything plugged into it, as it is used to recycle the packets being encrypted and decrypted.
Configuring MACsec Proxy For VXLAN
The switch platforms which use this feature are:
- 7280SRAM-48C6
- 7280CR2M-30
- 7500R2M-36CQ-LC
The mandatory steps to configure a MACsec proxy sub-interface on an Arista switch are:
Displaying MACsec Proxy For VXLAN Information
- Use show mac security interface command to display the proxy sub-interface information.
- Use show mac security mka counters command to display the MACsec counters and detailed values.
switch(config)#show mac security interface
Interface       SCI                      Controlled Port   Key in Use
Ethernet4/1/1   28:99:3a:82:6f:82::605   True              9d5bc0d3076ea4a08b99b9d9:1
Ethernet4/3/1   28:99:3a:82:6f:85::613   True              9d5bc0d3076ea4a08b99b9d9:1
switch(config)#show mac security mka counters
Interface       Rx Success   Rx Failure   Tx Success   Tx Failure
Ethernet4/1/1   287          0            288          0
Ethernet4/3/1   288          0            287          0
switch(config)#show mac security mka counters ethernet 49/1.1 detail
Interface: Ethernet49/1.1
Tx packet success: 84
Tx packet failure: 0
Tx invalid: 0
Rx packet success: 82
Rx packet failure: 0
Rx invalid: 0
Rx eapol error: 0
Rx basic parameter set error: 0
Rx unrecognized CKN error: 0
Rx ICV validation error: 0
Rx live peer list error: 0
Rx potential peer list error: 0
Rx SAK use set error: 0
Rx distributed SAK set error: 0
Rx distributed CAK set error: 0
Rx ICV Indicator error: 0
Rx unrecognized parameter set error: 0
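The detail counters above are the first place to look when an MKA session does not come up. The following Python script is an added example (not Arista code): it parses the output of show mac security mka counters ... detail into a dictionary and reports every non-zero error counter. The first interface block is the sample shown above; the second block is a constructed sample with a few non-zero counters so that the check has something to report.

```python
"""Parse 'show mac security mka counters <intf> detail' output and report
non-zero error counters. Added example, not Arista code; the field names come
from the sample output on this page."""

# First block: the output shown on this page. Second block: constructed sample
# (not real switch output) with non-zero error counters.
SAMPLE_OUTPUT = """\
Interface: Ethernet49/1.1
Tx packet success: 84
Tx packet failure: 0
Tx invalid: 0
Rx packet success: 82
Rx packet failure: 0
Rx invalid: 0
Rx eapol error: 0
Rx basic parameter set error: 0
Rx unrecognized CKN error: 0
Rx ICV validation error: 0
Rx live peer list error: 0
Rx potential peer list error: 0
Rx SAK use set error: 0
Rx distributed SAK set error: 0
Rx distributed CAK set error: 0
Rx ICV Indicator error: 0
Rx unrecognized parameter set error: 0
Interface: Ethernet49/2.1
Tx packet success: 90
Tx packet failure: 0
Tx invalid: 0
Rx packet success: 85
Rx packet failure: 3
Rx invalid: 0
Rx eapol error: 0
Rx basic parameter set error: 0
Rx unrecognized CKN error: 2
Rx ICV validation error: 3
Rx live peer list error: 0
Rx potential peer list error: 0
Rx SAK use set error: 0
Rx distributed SAK set error: 0
Rx distributed CAK set error: 0
Rx ICV Indicator error: 0
Rx unrecognized parameter set error: 0
"""


def parse_mka_counters_detail(text):
    """Return {interface: {counter name: int}}.

    Every line is 'Name: value'; an 'Interface:' line starts a new block and
    the numeric lines that follow belong to it.
    """
    result, current = {}, None
    for raw in text.splitlines():
        name, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        name, value = name.strip(), value.strip()
        if name == "Interface":
            current = value
            result[current] = {}
        elif current is not None and value.isdigit():
            result[current][name] = int(value)
    return result


def is_error_counter(name):
    """Counters whose names carry error/failure/invalid should stay at zero on
    a healthy link; the success counters are expected to increase."""
    lowered = name.lower()
    return any(word in lowered for word in ("error", "failure", "invalid"))


def mka_error_report(text):
    """Return {interface: {counter: value}} for every non-zero error counter.

    'Rx ICV validation error' means MKPDUs arrive whose integrity check fails,
    commonly because the peer holds a different CAK under the same CKN (the ICK
    used for the ICV is derived from the CAK). 'Rx unrecognized CKN error'
    means the peer advertises a CKN this switch has no key for. Both point at a
    key configuration mismatch rather than a transient fault.
    """
    report = {}
    for intf, counters in parse_mka_counters_detail(text).items():
        bad = {k: v for k, v in counters.items() if is_error_counter(k) and v}
        if bad:
            report[intf] = bad
    return report


if __name__ == "__main__":
    for intf, bad in mka_error_report(SAMPLE_OUTPUT).items():
        for counter, value in bad.items():
            print("%s: %s = %d" % (intf, counter, value))
```

Feed the script the text captured from the CLI (or from the eAPI text output); interfaces whose error counters keep increasing between two captures are the ones to investigate for a CKN/CAK mismatch.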
MACsec Fallback to Unprotected Traffic
When MACsec is enabled on an interface, it tries to establish MACsec Key Agreement (MKA) session(s) with its peer. If no MKA session is successfully established, the interface can continue to protect traffic with the last known negotiated key; if no such key exists, it blocks the traffic. The MACsec Fallback to Unprotected Traffic feature introduces an optional configuration which, if present, allows unprotected traffic whenever there is no successful MKA session with the peer, in the following scenarios:
- If MACsec is enabled on an interface with this feature configured, the interface allows unprotected traffic immediately, without waiting for MKA session establishment.
- If a MACsec-enabled interface was blocking traffic because no MKA session was established and its MACsec profile is changed to enable this feature, the interface starts allowing unprotected traffic immediately.
- If a MACsec-enabled interface was allowing unprotected traffic and its MACsec profile is changed to disable this feature, the interface blocks traffic immediately.
- While an interface is allowing unprotected traffic, it stops doing so when a new Secure Association Key (SAK) is generated (if this interface is the key server) or when a SAK is received from the key server (if this interface is not the key server).
- If MACsec Fallback to Unprotected Traffic is configured and all MKA sessions between the peers fail, the peers switch to unprotected traffic. Without it, protected traffic would have continued with the last known negotiated key; in other words, the feature changes the failure mode of the link from fail-closed to fail-open.
To protect traffic between peers, keys derived from the primary MKA session are given priority over keys derived from the fallback MKA session. With this feature enabled, the priority order of traffic between peers is:
1. Protected using derived keys from primary MKA sessions
2. Protected using derived keys from Fallback MKA sessions
3. Unprotected traffic
MACsec Fallback to Unprotected Traffic Feature Interaction
This feature interacts with other related features in the following ways:
- MACsec EAP-FAST Support: If dynamic MAC Security keys (derived from 802.1X authentication) are used, then the feature configuration has no effect.
- MACsec Proxy Interfaces: This feature does not work with MACsec proxy sub-interfaces.
- Key Retirement Immediate: If this feature is configured together with the Key Retirement Immediate feature on an interface, transitions between unprotected and protected traffic may become more frequent. This is because with Key Retirement Immediate, whenever a new key is configured, the existing successful MKA session corresponding to the old key is not maintained.
Limitations
When this feature is in use, the following limitations apply:
- An interface moving from allowing unprotected traffic to allowing only protected traffic can experience a traffic disruption of up to 4 seconds.
- If the key server interface establishes an MKA session with its old credentials (CKN/CAK pair) while unprotected traffic was allowed, a traffic disruption of up to 6 seconds can occur in addition to the 4 seconds mentioned in the previous point.
Configuring MACsec Fallback to Unprotected Traffic
This feature is supported on all MACsec capable cards except for 7500E-6CFPX-LC.
The MACsec Fallback to Unprotected Traffic feature is configured under MACsec profile mode using the [no] traffic unprotected allow command. The no form of the command removes the configuration from the switch. This configuration must be present in both the peers for the unprotected traffic to flow between them successfully.
switch(config-mac-security-profile-sampleProfile)#no traffic unprotected allow
Displaying MACsec Fallback to Unprotected Traffic Information
The show mac security interface detail command can be used to verify if the interface is currently allowing unprotected traffic.
switch#show mac security interface Ethernet 6/1/1 detail
Interface: Ethernet4/1/1
SCI: 28:99:3a:82:6f:82::605
SSCI: 00000002
Controlled port: True
Key server priority: 16
Session rekey period: 0
Traffic: Unprotected
Key in use: 9d5bc0d3076ea4a08b99b9d9:1
Latest key: None
Old key: 9d5bc0d3076ea4a08b99b9d9:1(RT)
Interface: Ethernet4/3/1
SCI: 28:99:3a:82:6f:85::613
SSCI: 00000001
Controlled port: True
Key server priority: 16
Session rekey period: 0
Traffic: Protected
Key in use: 9d5bc0d3076ea4a08b99b9d9:1
Latest key: None
Old key: 9d5bc0d3076ea4a08b99b9d9:1(RT)
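Because the fallback silently turns a blocked link into a clear-text link, the Traffic field of show mac security interface detail is worth checking from a script rather than by eye. The following Python script is an added example (not Arista code) that parses the output above and reports every interface whose traffic is not Protected; the sample text is the output shown above, in which Ethernet4/1/1 has fallen back to unprotected traffic. The interpretation of a rekey period of 0 as "no time-based rekey configured" is this example's reading of the page (0 lies outside the 30 to 100000 range that mka session rekey-period accepts).

```python
"""Audit 'show mac security interface detail' output for interfaces passing
unprotected traffic. Added example, not Arista code; the field names are
those shown in the output on this page."""

# Taken from the output shown on this page: Ethernet4/1/1 has fallen back to
# unprotected traffic, Ethernet4/3/1 is protected.
SAMPLE_OUTPUT = """\
Interface: Ethernet4/1/1
SCI: 28:99:3a:82:6f:82::605
SSCI: 00000002
Controlled port: True
Key server priority: 16
Session rekey period: 0
Traffic: Unprotected
Key in use: 9d5bc0d3076ea4a08b99b9d9:1
Latest key: None
Old key: 9d5bc0d3076ea4a08b99b9d9:1(RT)
Interface: Ethernet4/3/1
SCI: 28:99:3a:82:6f:85::613
SSCI: 00000001
Controlled port: True
Key server priority: 16
Session rekey period: 0
Traffic: Protected
Key in use: 9d5bc0d3076ea4a08b99b9d9:1
Latest key: None
Old key: 9d5bc0d3076ea4a08b99b9d9:1(RT)
"""


def parse_interface_detail(text):
    """Return {interface: {field: value}}.

    Every line is 'Field: value' (split on the first colon, so an SCI such as
    28:99:3a:82:6f:82::605 survives intact); an 'Interface:' line starts a
    new block.
    """
    result, current = {}, None
    for raw in text.splitlines():
        name, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        name, value = name.strip(), value.strip()
        if name == "Interface":
            current = value
            result[current] = {}
        elif current is not None:
            result[current][name] = value
    return result


def unprotected_interfaces(text):
    """Interfaces currently forwarding traffic without MACsec protection, the
    state entered by the traffic unprotected allow fallback when no MKA
    session is up."""
    return sorted(intf for intf, fields in parse_interface_detail(text).items()
                  if fields.get("Traffic") != "Protected")


def audit_interfaces(text):
    """Return a list of (interface, severity, finding) tuples.

    'Traffic: Unprotected' is the condition to alert on: the link is up and
    forwarding, but without confidentiality or integrity. A rekey period of 0
    (assumed here to mean no time-based SAK rekey is configured) is reported
    as informational only.
    """
    findings = []
    for intf, fields in sorted(parse_interface_detail(text).items()):
        traffic = fields.get("Traffic", "unknown")
        if traffic != "Protected":
            findings.append((intf, "critical", "traffic is %s" % traffic))
        if fields.get("Controlled port") != "True":
            findings.append((intf, "warning", "controlled port is not up"))
        if fields.get("Session rekey period") == "0":
            findings.append((intf, "info", "no time-based SAK rekey configured"))
    return findings


if __name__ == "__main__":
    for intf, severity, finding in audit_interfaces(SAMPLE_OUTPUT):
        print("%-14s %-9s %s" % (intf, severity, finding))
```

Run against a periodic capture of the command, the critical findings give a direct alert for "MACsec link is carrying clear text", which is the event the fallback feature makes possible and which the show output alone does not surface unless someone reads it.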
MACsec Commands
MACsec Configuration Commands
MACsec Key Retirement Immediate Commands
MACsec Show Commands
MACsec EAP FAST Support Commands
MACsec Fallback to Unprotected Traffic
cipher
The cipher command configures the cipher authentication for MAC security on the switch.
Command Mode
MACsec Profile
Command Syntax
cipher <options>
Parameters
- options The cipher authentication options.
- aes128-gcm-xpn Advanced Encryption Standard (128 bit, Galois/Counter mode, Extended Packet Numbering)
- aes256-gcm-xpn Advanced Encryption Standard (256 bit, Galois/Counter mode, Extended Packet Numbering)
Example
switch(config-mac-security-profile-test)#cipher aes128-gcm-xpn
dot1x pae supplicant
The dot1x pae supplicant command applies the supplicant profile by enabling it on the Mac Security interface.
Command Mode
Interface Configuration
Command Syntax
dot1x pae supplicant
Example
switch(config-if-Et6/1)#dot1x pae supplicant test
dot1x timeout reauth-timeout-ignore always
The dot1x timeout reauth-timeout-ignore always command retains the current port state, without blocking the port, when the authentication server is unreachable or the supplicant times out.
Command Mode
Interface Configuration
Command Syntax
dot1x timeout reauth-timeout-ignore always
Example
switch(config-if-Et6/1)#dot1x timeout reauth-timeout-ignore always
dot1x
The dot1x command places the switch in dot1x configuration mode. In this mode, the user can enter the various 802.1X configurations used by MACsec, such as supplicant profiles.
Command Mode
Global Configuration
Command Syntax
dot1x
Example
switch(config)#dot1x
switch(config-dot1x)#
entropy source hardware
The entropy source hardware command configures MACsec to draw on the hardware entropy source, strengthening the random number generator used to generate its cryptographic keys.
Command Mode
Management Configuration
Command Syntax
entropy source hardware
Example
switch(config)#management security
switch(config-mgmt-security)#entropy source hardware
key (MACsec)
The key command configures the primary key so that the MACsec profile is activated.
Command Mode
MACsec Profile Configuration
Command Syntax
key <options>
Parameter
- CKN   Connectivity association key name in hex octets. Options include:
  - 0   Specifies that an UNENCRYPTED key will follow
  - 7   Specifies that a HIDDEN key will follow
- CAK   Connectivity association key in hex octets
- fallback   Configure the key as a fallback
- retirement   Retire the key. Options include:
  - immediate   Retire the key immediately
- source   List of sources to derive MAC security keys. Options include:
  - dot1x   Derive MAC security keys from IEEE 802.1X based port authentication
  - group-cak   Derive MAC security keys from Group CAK Distribution.
Examples
- The following example configures the primary key for the profile called sample_Profile for MAC security on the switch.
Switch(config)#mac security
Switch(config-mac-security)#profile sample_Profile
Switch(config-mac-security-profile-sample_Profile)#key 0abcd1 0 1234abcd
- The following example configures the fallback CAK on a profile.
Switch(config)#mac security
Switch(config-mac-security)#profile sample_Profile
Switch(config-mac-security-profile-sample_Profile)#key 0abcd1 0 1234abcd fallback
key retirement immediate
The key retirement immediate command configures the key retirement feature on the key server and assists the key server in deciding the principal actor for SAK distribution by triggering re-election of the principal actor immediately. It is recommended that key retirement be configured on both the key server and the non-key-server peers.
The no key retirement immediate command disables the key retirement function by removing the key retirement immediate command from running-config.
Command Mode
MACsec Profile
Command Syntax
key retirement immediate
Example
Switch(config)#mac security
Switch(config-mac-security)#profile sample
Switch(config-mac-security-profile-sample)#key retirement immediate
license
The license command configures the license for MAC security on the switch. MACsec licenses are tied to a switch. Every switch running MACsec requires a separate license of its own.
Command Mode
MACsec Profile
Command Syntax
license <options>
Parameters
- options   The options through which the license is configured.
- WORD   Licensee name.
- import   Import license from a URL. Options include:
  - 8-digit hex number   Key to authorize Mac security
  - alert-base:   Path to license file
  - certificate:   Path to license file
  - checkpoint:   Path to license file
  - extension:   Path to license file
  - file:   Path to license file
  - flash:   Path to license file
  - ftp:   Path to license file
  - http:   Path to license file
  - https:   Path to license file
  - scp:   Path to license file
  - sftp:   Path to license file
  - system:   Path to license file
  - terminal:   Path to license file
  - tftp:   Path to license file
- update   Trigger a check for license. Options include:
  - 8-digit hex number   Key to authorize Mac security
Example
Switch(config)#mac security
Switch(config-mac-security)#
Switch(config-mac-security-profile-test)#license ABC RRGGBBAA
mac security
The mac security command enables MAC security provision on the switch.
The no mac security and default mac security commands restore the switch to its default state by removing the corresponding mac security command from running-config.
Command Mode
Global Configuration
Command Syntax
mac security
no mac security
default mac security
Example
Switch(config)#mac security
Switch(config-mac-security)#
mka key-server
The mka key-server command configures the key server priority used to elect the key server among the MACsec peers.
Command Mode
MACsec Profile Configuration
Command Syntax
mka key-server priority <value>
Parameters
- priorityMKA key server priority.
- value Key server priority value. Value ranges from 0 to 255.
Example
Switch(config)#mac security
Switch(config-mac-security)#profile sample_Profile
Switch(config-mac-security-sample_Profile)#mka key-server priority 10
mka session
The mka session command configures the period at which the SAK is refreshed.
Command Mode
MACsec Profile Configuration
Command Syntax
mka session rekey-period <value>
Parameter
- rekey-period   Sets the MKA session re-key period.
- value   Session re-key period in seconds. Value ranges from 30 to 100000.
Example
- The following example configures the mka session rekey-period time of 10 seconds at which the SAK is refreshed.
Switch(config)#mac security
Switch(config-mac-security)#profile sample_Profile
Switch(config-mac-security-sample_Profile)#mka session rekey-period 10
profile
The profile command configures the MACsec profile for MAC security on the switch. Profiles are mandatory for MACsec to be provisioned.
Command Mode
MACsec Configuration
Command Syntax
profile <profile-name>
Parameter
profile-name Name of the MACsec profile.
Example
Switch(config)#mac security
Switch(config-mac-security)#profile sample_Profile
show dot1x supplicant
The show dot1x supplicant command displays the 802.1X supplicant status.
Command Mode
EXEC
Command Syntax
show dot1x supplicant
Example
switch#show dot1x supplicant
Interface: Ethernet6/1
Identity: arastra
EAP method: fast
Status: success
Supplicant MAC: 44:4c:a8:34:bf:20
Authenticator MAC: 00:1c:73:e0:d3:76
About the Output
Interface: The port on which the supplicant is running.
Identity: Configured supplicant identity.
EAP method: Configured EAP method (Currently just EAP-FAST)
Status: Supplicant Status. Can be one of the following:
- Success Authentication has been successful.
- Down Authentication sequence has not begun.
- Failed Authentication has failed.
- Connecting Authentication is in progress.
- Unused Supplicant is uninitialized.
Supplicant MAC: MAC address of the supplicant.
Authenticator MAC: MAC address of the authenticator (peer).
Existing Mac Security show commands can be used to look at Mac Security status.
show mac security counters detail
The show mac security counters detail command displays detailed information about the MACsec security counters.
Command Mode
EXEC
Command Syntax
show mac security counters detail
Example
switch#show mac security counters detail
Ethernet4/1/1
Counter Name                 Count
-------------------------------------------------------
outPktsEncrypted             112
outOctetsEncrypted           11984
outPktsUntagged              0
outPktsTooLong               0
outPktCtrl                   224
inPktsDecrypted              2
inOctetsDecrypted            214
inPktsUnchecked              0
inPktsOK                     2
inPktsNotValid               0
inPktsNotUsingSA             0
inPktsCtrl                   223
inPktsNoTag                  8
inPktsTagged                 0
inPktsBadTag                 0
inPktsNoSCI                  0
inPktsLate                   0
Ethernet4/3/1
Counter Name                 Count
-------------------------------------------------------
outPktsEncrypted             2
outOctetsEncrypted           214
outPktsUntagged              0
outPktsTooLong               0
outPktCtrl                   223
inPktsDecrypted              111
inOctetsDecrypted            11877
inPktsUnchecked              0
inPktsOK                     111
inPktsNotValid               0
inPktsNotUsingSA             0
inPktsCtrl                   224
inPktsNoTag                  9
inPktsTagged                 0
inPktsBadTag                 0
inPktsNoSCI                  0
inPktsLate                   0
show mac security counters
The show mac security counters command displays information about the MACsec security counters.
Command Mode
EXEC
Command Syntax
show mac security counters
Example
switch#show mac security counters
Port      InPktsDecrypted   InOctetsDecrypted   OutPktsEncrypted   OutOctetsEncrypted
Et4/1/1   2                 214                 109                11663
Et4/3/1   109               11663               2                  214
show mac security interface detail
The show mac security interface detail command displays detailed information about MACsec on the interface.
Command Mode
EXEC
Command Syntax
show mac security interface detail
Example
switch#show mac security interface detail
Interface: Ethernet4/1/1
SCI: 28:99:3a:82:6f:82::605
SSCI: 00000002
Controlled port: True
Key server priority: 16
Session rekey period: 0
Traffic: Protected
Key in use: 9d5bc0d3076ea4a08b99b9d9:1
Latest key: None
Old key: 9d5bc0d3076ea4a08b99b9d9:1(RT)
Interface: Ethernet4/3/1
SCI: 28:99:3a:82:6f:85::613
SSCI: 00000001
Controlled port: True
Key server priority: 16
Session rekey period: 0
Traffic: Protected
Key in use: 9d5bc0d3076ea4a08b99b9d9:1
Latest key: None
Old key: 9d5bc0d3076ea4a08b99b9d9:1(RT)
About the Output
- Interface: Name of the interface.
- Secure Channel Identifier (SCI): Combination of MAC address and port number. Used to uniquely identify a Mac Security port.
- Controlled Port: Indicates if Mac Security is enabled on the port. A value of True indicates that encryption is enabled on the port.
- Key In Use: The SAK identifier currently in use. Combination of Key Servers message identifier (see below) and key number.
- Key Server priority: Configured key server priority.
- Session Rekey Period: Configured session rekey period.
- Latest Key: Latest SAK being negotiated by Mac Security Key Agreement Protocol (MKA)
- Old Key: The last SAK negotiated by Mac Security Key Agreement Protocol (MKA)
Note: Latest and Old key are MKA protocol specific terminology and are used to refer to the last two keys in use. For all practical purposes, Key In Use field is used to identify the current key.
show mac security interface
The show mac security interface command shows information about the MACsec on the interface.
Command Mode
EXEC
Command Syntax
show mac security interface
Example
Switch#show mac security interface
Interface       SCI                      Controlled Port   Key in Use
Ethernet4/1/1   28:99:3a:82:6f:82::605   True              9d5bc0d3076ea4a08b99b9d9:1
Ethernet4/3/1   28:99:3a:82:6f:85::613   True              9d5bc0d3076ea4a08b99b9d9:1
show mac security mka counters
The show mac security mka counters command displays information about the MACsec MKA counters.
Command Mode
EXEC
Command Syntax
show mac security mka counters
Example
switch#show mac security mka counters
Interface       Rx Success   Rx Failure   Tx Success   Tx Failure
Ethernet4/1/1   287          0            288          0
Ethernet4/3/1   288          0            287          0
show mac security participants detail
The show mac security participants detail command displays detail information about the MACsec participants.
Command Mode
EXEC
Command Syntax
show mac security participants detail
Example
switch#show mac security participants detail
Interface: Ethernet4/1/1
CKN: abcd
Message ID: 9d5bc0d3076ea4a08b99b9d9
Elected self: True
Success: True
Principal: True
Default: False
KeyServer SCI: 28:99:3a:82:6f:82::605
SAK transmit: True
LLPN exhaustion: 0
Distributed key identifier: 9d5bc0d3076ea4a08b99b9d9:1
Live peer list: ['c79ad8882c2dd3a8e838a691']
Potential peer list: []
CKN: dead
Message ID: 4ef4cf009161bd551b5e7434
Elected self: True
Success: True
Principal: False
Default: True
KeyServer SCI: 28:99:3a:82:6f:82::605
SAK transmit: False
LLPN exhaustion: 0
Distributed key identifier: None
Live peer list: ['3dfd4486b5f68a81014a37ec']
Potential peer list: []
Interface: Ethernet4/3/1
CKN: abcd
Message ID: c79ad8882c2dd3a8e838a691
Elected self: False
Success: True
Principal: True
Default: False
KeyServer SCI: 28:99:3a:82:6f:82::605
SAK transmit: True
LLPN exhaustion: 0
Distributed key identifier: 9d5bc0d3076ea4a08b99b9d9:1
Live peer list: ['9d5bc0d3076ea4a08b99b9d9']
Potential peer list: []
CKN: dead
Message ID: 3dfd4486b5f68a81014a37ec
Elected self: False
Success: True
Principal: False
Default: True
KeyServer SCI: 28:99:3a:82:6f:82::605
SAK transmit: False
LLPN exhaustion: 0
Distributed key identifier: None
Live peer list: ['4ef4cf009161bd551b5e7434']
Potential peer list:
About the Output
- Connectivity Association Key Name (CKN): Configured name of the key in use.
- Message ID: A random 92 bit string used as an identifier for an MKA participant.
- Elected Self: True if this participant is the elected key server.
- Success: True if this participant is live and has at least one live peer.
- Principal: True if this participant is the principal participant elected to distribute SAKs.
- Default: True if this participant is a fallback/backup participant (spawned when a fallback key is configured in a Mac Security profile).
- Key Server SCI: The SCI of the key server.
- SAK Transmit: True if the participant is ready to use the negotiated key for transmit.
- LLPN Exhaustion: Increments if the number of data packets sent using the current key exceeds a certain threshold. Because we use a 64 bit packet number cipher suite, this should never increment.
- Distributed Key Identifier: Message ID + key number of the most recently generated SAK.
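The participant fields above are most useful when read across both ends of a link: the Message ID on one side should appear in the Live peer list on the other, exactly one side should report Elected self, and both principal participants should name the same KeyServer SCI and the same distributed key identifier. The following Python script is an added example (not Arista code) that parses the sample output above and runs those cross-checks. The sample is the page's own output, where both interfaces are on the same switch and cabled back to back, so both ends of each pair are visible; when the peer is another device its Message ID will not be found locally and the pair is skipped. The empty trailing Potential peer list is written as [] in the sample.

```python
"""Cross-check 'show mac security participants detail' output for
consistency between peers. Added example, not Arista code; field names come
from the sample output on this page."""
import re

# Taken from the output shown on this page (two back-to-back interfaces on
# one switch, each with primary CKN 'abcd' and fallback CKN 'dead').
SAMPLE_OUTPUT = """\
Interface: Ethernet4/1/1
CKN: abcd
Message ID: 9d5bc0d3076ea4a08b99b9d9
Elected self: True
Success: True
Principal: True
Default: False
KeyServer SCI: 28:99:3a:82:6f:82::605
SAK transmit: True
LLPN exhaustion: 0
Distributed key identifier: 9d5bc0d3076ea4a08b99b9d9:1
Live peer list: ['c79ad8882c2dd3a8e838a691']
Potential peer list: []
CKN: dead
Message ID: 4ef4cf009161bd551b5e7434
Elected self: True
Success: True
Principal: False
Default: True
KeyServer SCI: 28:99:3a:82:6f:82::605
SAK transmit: False
LLPN exhaustion: 0
Distributed key identifier: None
Live peer list: ['3dfd4486b5f68a81014a37ec']
Potential peer list: []
Interface: Ethernet4/3/1
CKN: abcd
Message ID: c79ad8882c2dd3a8e838a691
Elected self: False
Success: True
Principal: True
Default: False
KeyServer SCI: 28:99:3a:82:6f:82::605
SAK transmit: True
LLPN exhaustion: 0
Distributed key identifier: 9d5bc0d3076ea4a08b99b9d9:1
Live peer list: ['9d5bc0d3076ea4a08b99b9d9']
Potential peer list: []
CKN: dead
Message ID: 3dfd4486b5f68a81014a37ec
Elected self: False
Success: True
Principal: False
Default: True
KeyServer SCI: 28:99:3a:82:6f:82::605
SAK transmit: False
LLPN exhaustion: 0
Distributed key identifier: None
Live peer list: ['4ef4cf009161bd551b5e7434']
Potential peer list: []
"""

MID_RE = re.compile(r"[0-9a-f]{24}")  # Message IDs in the output are 24 hex digits


def parse_participants_detail(text):
    """Return a list of participant dicts. An 'Interface:' line sets the
    interface for the participants that follow; each 'CKN:' line starts a
    new participant; peer lists are parsed into lists of Message IDs."""
    participants, interface = [], None
    for raw in text.splitlines():
        name, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        name, value = name.strip(), value.strip()
        if name == "Interface":
            interface = value
        elif name == "CKN":
            participants.append({"Interface": interface, "CKN": value})
        elif participants:
            participants[-1][name] = MID_RE.findall(value) if name.endswith("peer list") else value
    return participants


def principals_by_interface(participants):
    """{interface: [CKN of each participant marked Principal: True]}; more or
    fewer than one entry per interface means SAK distribution is unsettled."""
    out = {}
    for p in participants:
        out.setdefault(p["Interface"], [])
        if p.get("Principal") == "True":
            out[p["Interface"]].append(p["CKN"])
    return out


def check_peer_pairs(participants):
    """Return a list of inconsistencies between each participant and the live
    peers it names; an empty list means the two ends agree. Peers not
    visible in this output (on another device) are skipped."""
    by_mid = {p["Message ID"]: p for p in participants}
    problems, seen = [], set()
    for p in participants:
        for mid in p.get("Live peer list", []):
            pair = frozenset((p["Message ID"], mid))
            if pair in seen:
                continue                 # report each pair once
            seen.add(pair)
            q = by_mid.get(mid)
            if q is None:
                continue
            where = "%s/%s" % (p["Interface"], p["CKN"])
            if q["CKN"] != p["CKN"]:
                problems.append(where + ": live peer uses a different CKN")
                continue
            if p["Message ID"] not in q.get("Live peer list", []):
                problems.append(where + ": peer does not list this participant as live")
            if (p["Elected self"] == "True") == (q["Elected self"] == "True"):
                problems.append(where + ": key server election disagrees (both or neither elected)")
            if p["KeyServer SCI"] != q["KeyServer SCI"]:
                problems.append(where + ": peers disagree on key server SCI")
            if p["Distributed key identifier"] != q["Distributed key identifier"]:
                problems.append(where + ": peers disagree on distributed SAK identifier")
    return problems


if __name__ == "__main__":
    parts = parse_participants_detail(SAMPLE_OUTPUT)
    print(principals_by_interface(parts))
    print(check_peer_pairs(parts) or "peers consistent")
```

The same checks apply when the two captures come from two different switches: concatenate both outputs before parsing and the Message IDs will cross-reference.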
show mac security participants
The show mac security participants command displays information about the MACsec participants.
Command Mode
EXEC
Command Syntax
show mac security participants
Example
switch#show mac security participants
Interface: Ethernet4/1/1
CKN: abcd
Message ID: 9d5bc0d3076ea4a08b99b9d9
Elected self: True
Success: True
Principal: True
Default: False
CKN: dead
Message ID: 4ef4cf009161bd551b5e7434
Elected self: True
Success: True
Principal: False
Default: True
Interface: Ethernet4/3/1
CKN: abcd
Message ID: c79ad8882c2dd3a8e838a691
Elected self: False
Success: True
Principal: True
Default: False
CKN: dead
Message ID: 3dfd4486b5f68a81014a37ec
Elected self: False
Success: True
Principal: False
Default: True
show mac security status
The show mac security status command displays the MACsec status information on a switch.
Command Mode
EXEC
Command Syntax
show mac security status
Example
switch#show mac security status
Active Profiles:1
Data Delay Protection: No
FIPS Mode: No
Secured Interfaces: 2
License: Enabled
supplicant profile
The supplicant profile command configures the supplicant profile containing all the credentials necessary for 802.1X authentication to succeed.
Command Mode
dot1x Configuration
Command Syntax
supplicant profile <profile_name> <options>
Parameters
- profile_name   Name of the supplicant profile.
- The following parameters can be included after entering the profile mode.
  - eap-method   Extensible Authentication Protocol (EAP) method. Options include:
    - fast   EAP Flexible Authentication via Secure Tunneling (FAST)
  - identity   Extensible Authentication Protocol (EAP) user identity. Options include:
    - WORD   User identity name.
  - passphrase   Extensible Authentication Protocol (EAP) password. Options include:
    - 0   Specifies that an UNENCRYPTED key will follow.
    - 7   Specifies that a HIDDEN key will follow.
    - LINE   The UNENCRYPTED (clear-text) shared key.
Examples
- The following commands place the switch in the supplicant profile mode.
Switch(config)#dot1x
Switch(config-dot1x)#supplicant profile test
Switch(config-dot1x-supp-profile-test)#
- The following commands configure the EAP FAST method for the supplicant profile called test for MAC security on the switch.
Switch(config)#dot1x
Switch(config-dot1x)#supplicant profile test
Switch(config-dot1x-supp-profile-test)#eap-method fast
- The following commands configure the identity for the supplicant profile called test for MAC security on the switch.
Switch(config)#dot1x
Switch(config-dot1x)#supplicant profile test
Switch(config-dot1x-supp-profile-test)#identity New_User
- The following commands configure the passphrase for the supplicant profile called test for MAC security on the switch.
Switch(config)#dot1x
Switch(config-dot1x)#supplicant profile test
Switch(config-dot1x-supp-profile-test)#passphrase 7 070E334D5D1D0B04
traffic unprotected allow
The traffic unprotected allow command configures the switch to allow the unprotected traffic whenever there is no successful MKA session established with the peer.
The no traffic unprotected allow command disables the MACsec Fallback to Unprotected Traffic function by removing the traffic unprotected allow command from running-config.
Command Mode
MACsec Profile
Command Syntax
traffic unprotected allow
no traffic unprotected allow
Example
Switch(config)#mac security
Switch(config-mac-security)#profile sample
Switch(config-mac-security-profile-sample)#no traffic unprotected allow
Internet Protocol Security (IPsec)
This section describes Arista's IPsec implementation. Topics in this section include:
IPsec Introduction
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents periodically during the session and negotiation of cryptographic keys to be used during the session. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.
IPsec is used to protect data traffic between sites for example between Branch, HQ and Data center sites in an enterprise.
IPsec uses the following protocols to perform various functions:
- Authentication Headers (AH): provides the connectionless integrity and data origin authentication for IP datagrams and provides protection against replay attacks.
- Encapsulating Security Payloads (ESP): provides the confidentiality, data-origin authentication, connectionless integrity and an anti-replay service (a form of partial sequence integrity).
- Internet Key Exchange (IKE): is a key management protocol which provides security for virtual private networks' (VPNs) negotiations and network access to random hosts. It is also described as a method for exchanging keys for encryption and authentication over an unsecured medium, such as the Internet.
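The anti-replay service that AH and ESP provide is a sliding window over sequence numbers, described in RFC 4303 section 3.4.3 and Appendix A. The following Python class is an added example (not Arista code) of that window: it accepts a packet if its sequence number is new and no older than the window, and rejects replays, packets that fall behind the window, and the reserved sequence number 0. The window size and the sequence numbers in the demonstration are constructed.

```python
"""Sliding-window anti-replay check as applied by ESP/AH receivers
(RFC 4303 section 3.4.3). Added example, not Arista code; the window size and
sequence numbers below are constructed."""


class AntiReplayWindow:
    """Tracks the highest verified sequence number and a bitmap of the
    `size` sequence numbers at and below it.

    A real receiver advances the window only after the packet's integrity
    check (ICV) succeeds; otherwise forged sequence numbers could push the
    window forward and cause legitimate packets to be dropped.
    """

    def __init__(self, size=64):
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence (highest - i) was received

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside the window;
        False if it is a replay, older than the window, or 0."""
        if seq == 0:
            return False                       # ESP never sends sequence 0
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 0                # whole window slid past
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1                   # bit 0 is the new highest
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                       # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                       # already seen: replay
        self.bitmap |= 1 << offset             # late but new: accept
        return True


def simulate(size, sequence_numbers):
    """Feed sequence numbers through a fresh window and return the
    accept/reject decision for each, in order."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in sequence_numbers]


if __name__ == "__main__":
    # Constructed stream: in-order delivery, a replay of 3, a gap to 10, a
    # packet (2) that is now older than the 8-wide window, a replay of 3 that
    # is still inside the window, a late but new packet (7), and a jump to
    # 100 that slides the whole window, followed by 98 once and then replayed.
    stream = [1, 2, 3, 4, 5, 3, 6, 10, 2, 3, 7, 100, 98, 98]
    for seq, ok in zip(stream, simulate(8, stream)):
        print("%4d %s" % (seq, "accept" if ok else "drop"))
```

The window is what makes the replay protection "partial sequence integrity": reordering within the window is tolerated, so a 64-packet window is the common default and larger windows are used on links with heavy reordering.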
IPsec Overview
Security Associations
Security Associations (SA) provide the bundle of algorithms and data that provide the parameters necessary for AH and/or ESP operations. The Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for authentication and key exchange, with actual authenticated keying material provided either by manual configuration with pre-shared keys, Internet Key Exchange (IKE and IKEv2) and other mechanisms. In order to decide what protection is to be provided for an outgoing packet, IPsec uses the Security Parameter Index (SPI), an index to the security association database (SADB), along with the destination address in a packet header, which together uniquely identify a security association for that packet. A similar procedure is performed for an incoming packet, where IPsec gathers decryption and verification keys from the security association database.
Full bidirectional communication requires at least two SAs, one for each direction. An SA is defined by the following parameters:
- Security protocol (Authentication Header (AH) or Encapsulating Security Payload (ESP)), its algorithms and keys
- Mode: Tunnel or Transport
- Key Management Method: Manual or IKE
- Lifetime: Expressed in hours.
Mode of Operation
IPsec on Arista switches operates in tunnel mode. In tunnel mode, the entire IP packet is encrypted and/or authenticated. It is then encapsulated into a new IP packet with a new IP header.
Tunnel mode is used to create virtual private networks for network-to-network communications (for example, between routers to link sites). Tunnel mode is used for most network-to-network IPsec.
Key Management
Key management on Arista switches uses the Internet Key Exchange (IKE) method. Internet Key Exchange (IKE) supports automated generation and renegotiation of SAs (includes keys) between the devices at a configured interval so it is much more scalable and secure.
IPsec needs SAs to define the algorithms and keys to use for protecting traffic. IKE establishes the SA so IPsec can protect traffic.
There are two IKE versions, IKEv1 and IKEv2. IKEv2 builds on IKEv1 but both are still widely used today.
IKEv1
IKEv1 has two phases.
- IKEv1 Phase 1
- IKEv1 Phase 2
IKEv1 Phase 1
- Uses main or aggressive mode exchange
- Negotiates IKE SA
- Used for control plane
- Peer authentication
IKEv1 Phase 2
- Uses quick mode exchange
- Negotiates IPsec SAs
Note that there are two different SAs that are established. The IKE SA protects only the IKE key management session using the IKE policy defined. The policy should include the following parameters:
- Encryption algorithm
- Hash MAC (HMAC) algorithm
- Peer authentication procedure
- Diffie-Hellman group for initial key exchange
- SA lifetime
IKE initially performs a Diffie-Hellman (DH) exchange at the start of the IKE session. A DH exchange allows participants to produce a shared secret value. The strength of the technique is that the participants create the secret value over an unsecured medium without ever sending the secret value across the wire. From that exchange, peers obtain shared keying material, which is then used for IKE encryption and integrity functions. Smaller DH key sizes can be chosen for faster performance at the cost of weaker keying material; the key length (strength) of Diffie-Hellman exchanges is selected by choosing a different DH group.
When an IKE session's lifetime expires, a new Diffie-Hellman exchange is performed between peers and the IKE SA is re-established.
The IPsec protection policy resulting in IPsec SAs, defines the protection of network traffic. These IPsec SAs are usually negotiated over IKE sessions. The parameters that define the IPsec protection policy are:
- Encryption Algorithm
- Hash MAC (HMAC) Algorithm
Note that the key material for IPsec SA (also called Child SA) is derived from keying material from IKEv1 phase 1.
There are two different modes for phase 1:
- Main Mode
- 6 packet exchange
- Full identity protection and better anti-DoS protection
- Aggressive Mode
- 3 packet exchange, faster session establishment
- Identities are exchanged in clear; with pre-shared key authentication the authentication hash is also exposed on the wire and can be attacked offline by a passive observer
- Weak DoS protection
Authentication
- Pre-Shared Keys (PSK): As the name suggests, a shared secret is distributed out-of-band to the peers. The peers use this information and nonce parameters to create a hash that is used to authenticate messages.
- PKI certificates: Here, certificates of the peers are exchanged and hashes are calculated over these certificates to authenticate each other.
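The DH-group, exchange-mode and authentication choices described above are where IKE policies most often end up weaker than intended. The following Python script is an added example (not Arista code, and nothing EOS itself runs): it audits an IKE policy description against a baseline. The group-number-to-size table follows the IANA IKE registry (RFC 3526 MODP groups, RFC 5903 ECP groups); the baseline thresholds, the weak-algorithm lists and the LEGACY_POLICY are this example's assumptions, while PAGE_POLICY mirrors the ike-policy shown later in the show ip security policy output (SHA-256 is assumed for its "256bit Hash" integrity column).

```python
"""Audit an IKE policy against a minimum baseline before it is deployed.

Added example; not Arista code and it reads no switch configuration.
Group sizes follow the IANA IKE registry; thresholds and weak lists are
this example's assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# IANA IKE DH group number -> MODP modulus size or ECP curve size, in bits.
MODP_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072,
                   16: 4096, 17: 6144, 18: 8192}
ECP_GROUP_BITS = {19: 256, 20: 384, 21: 521}

# Assumed baseline; anything below these is reported.
MIN_MODP_BITS = 2048
MIN_ECP_BITS = 256
MAX_IKE_LIFETIME_HOURS = 24
WEAK_ENCRYPTION = {"des", "3des", "null"}
WEAK_INTEGRITY = {"md5", "sha1"}


@dataclass(frozen=True)
class IkePolicy:
    name: str
    version: int                 # 1 or 2
    authentication: str          # "psk" or "certificate"
    encryption: str              # e.g. "aes256"
    integrity: str               # e.g. "sha256"
    dh_group: int                # IANA group number
    ike_lifetime_hours: int
    aggressive_mode: bool = False  # only meaningful for IKEv1


def dh_group_description(group: int) -> str:
    if group in MODP_GROUP_BITS:
        return f"MODP {MODP_GROUP_BITS[group]}-bit (group {group})"
    if group in ECP_GROUP_BITS:
        return f"ECP {ECP_GROUP_BITS[group]}-bit (group {group})"
    return f"unknown group {group}"


def audit_ike_policy(p: IkePolicy) -> list[str]:
    """Return findings; an empty list means the policy meets the baseline."""
    findings: list[str] = []

    if p.version == 1:
        findings.append("IKEv1 in use; IKEv2 always protects identities and needs fewer messages")
        if p.aggressive_mode:
            msg = "IKEv1 aggressive mode sends peer identities in the clear"
            if p.authentication == "psk":
                msg += " and exposes the PSK-derived authentication hash to offline guessing"
            findings.append(msg)
    elif p.aggressive_mode:
        findings.append("aggressive mode flag set, but IKEv2 has no aggressive mode; check the intent")

    if p.dh_group in MODP_GROUP_BITS:
        if MODP_GROUP_BITS[p.dh_group] < MIN_MODP_BITS:
            findings.append(f"DH {dh_group_description(p.dh_group)} is below the {MIN_MODP_BITS}-bit MODP baseline")
    elif p.dh_group in ECP_GROUP_BITS:
        if ECP_GROUP_BITS[p.dh_group] < MIN_ECP_BITS:
            findings.append(f"DH {dh_group_description(p.dh_group)} is below the {MIN_ECP_BITS}-bit ECP baseline")
    else:
        findings.append(f"DH group {p.dh_group} is not in the known MODP/ECP group table")

    if p.encryption.lower() in WEAK_ENCRYPTION:
        findings.append(f"encryption {p.encryption} is on the weak list")
    if p.integrity.lower() in WEAK_INTEGRITY:
        findings.append(f"integrity {p.integrity} is on the weak list")
    if p.ike_lifetime_hours > MAX_IKE_LIFETIME_HOURS:
        findings.append(f"IKE lifetime {p.ike_lifetime_hours}h exceeds the {MAX_IKE_LIFETIME_HOURS}h baseline")
    return findings


# The ike-policy shown by 'show ip security policy' on this page: pre-shared key,
# 256-bit AES, 256-bit hash (SHA-256 assumed), 8-hour lifetime, 3072-bit DH (group 15).
PAGE_POLICY = IkePolicy("ike-policy", version=2, authentication="psk",
                        encryption="aes256", integrity="sha256",
                        dh_group=15, ike_lifetime_hours=8)

# Constructed legacy policy for contrast (an assumption, not from the page).
LEGACY_POLICY = IkePolicy("legacy", version=1, authentication="psk",
                          encryption="3des", integrity="md5",
                          dh_group=2, ike_lifetime_hours=48, aggressive_mode=True)

if __name__ == "__main__":
    for pol in (PAGE_POLICY, LEGACY_POLICY):
        issues = audit_ike_policy(pol)
        print(f"{pol.name}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
```

Run it as-is to see the page's policy pass and the legacy policy collect six findings; adapt the IkePolicy fields to whatever your configuration-export format carries.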
IKEv2
IKEv2 differs from IKEv1 in the following ways:
- Faster setup because of reduced number of messages
- More secure
- All IKEv2 messages after the initial exchange are protected by an encrypted payload modelled on ESP
- Suite-B support
- There is no aggressive mode, so IKEv2 always provides identity protection
- Additional authentication methods
- Local and remote can use different authentication methods and use different pre-shared keys
- Each peer authenticates the other independently (authentication is unidirectional), which is what allows the asymmetric methods above
Certificate Management
There are many protocols and standards available now that ease the process of certificate enrollment, certificate request, and certificate status checking. Some popular ones are RSA Labs' PKCS #7, PKCS #10, Cisco's Simple Certificate Enrollment Protocol (SCEP), and Online Certificate Status Protocol (OCSP).
Certificate Enrollment
There are two methods for certificate enrollment:
- SCEP: Simple Certificate Enrollment Protocol. In this mode, EOS automatically enrolls the certificate with the CA.
- Manual: Used if the CA does not support SCEP or the device has no network access to the CA. The steps are as follows:
  - Generate a Certificate Signing Request (CSR) and display it on the terminal. The CSR is represented as a Base64-encoded PKCS#10. The admin has to cut and paste the request into the CA to generate the certificate, and has to specify the router FQDN and IP address.
  - Import the certificate into EOS.
Certificate Validation
To verify the validity of certificates, Arista switches use two mechanisms:
- CRL: A Certificate Revocation List (CRL) is a list of certificates (more specifically, a list of serial numbers of certificates) that have been revoked. Entities presenting those revoked certificates should no longer be trusted. CRLs can be obtained through Simple Certificate Enrollment Protocol (SCEP).
- OCSP: The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. Since it is an online protocol, status is obtained in real time, which avoids the staleness problems of a cached CRL. OCSP also reduces the load on the devices, since they do not have to fetch and store the entire CRL. However, the devices need network access to the OCSP server at validation time.
Route-based VPN
A route-based VPN employs routed tunnel interfaces as the endpoints of the virtual network. All traffic passing through a tunnel interface is placed into the VPN. Rather than relying on an explicit policy to dictate which traffic enters the VPN, static and/or dynamic IP routes are formed to direct the desired traffic through the VPN tunnel interface.
Because route-based VPNs carry dynamic routing information through the VPN tunnel, EOS supports only route-based VPN; this gives dynamic routing support and simpler configuration and management.
In a route-based VPN, features such as NAT, ACLs and QoS can be applied to cleartext packets before encryption by configuring them on the tunnel interface, or to the encrypted packets by configuring them on the physical interface that carries the tunnel traffic.
Virtual Template Interface (VTI)
A new tunnel interface type vti is introduced to represent the VPN tunnel. This tunnel interface will participate in the routing and any packets forwarded to it will be encrypted and forwarded to the other end of the tunnel. Note, that this does not add a new header to the packet.
Configuring IPsec
Complete the following steps to configure IPsec tunnels over the switch.
This configuration will use the default IKE version 2 procedure.
Displaying IPsec Information
- Use the show ip security policy command to display the IPsec policy information.
switch#show ip security policy
Policy Name   Authentication   Encryption    Integrity     Lifetime   Rekey   DH Group
ike-policy    Pre-shared       256-bit AES   256bit Hash   8 hours    False   3072 bit
- Use the show ip security profile command to display the IP security profile information.
switch#show ip security profile
Profile name    IKE Policy Name   SA
ipsec-profile   ike-policy        sa-policy
IPsec Commands
ike policy
The ike policy command configures the Internet Security Association and Key Management Protocol (ISAKMP) settings on the switch and the related policies. The IKE policy is configured in IP security configuration mode.
The no ike policy command deletes the IKE policy configuration from the switch.
The exit command returns the switch to the global configuration mode.
Command Mode
IP Security Configuration
Command Syntax
ike policy <policy-name>
no ike policy <policy-name>
Parameters
- policy-name Specifies the IKE policy name.
The following parameters are allowed to configure when the switch is placed in IKE policy configuration mode:
- authentication specifies the authentication type.
- dh-group specifies Diffie-Hellman Group value.
- encryption specifies the encryption type.
- ike-lifetime sets the ikeLifetime for ISAKMP security association. Expressed in hours.
- integrity specifies the Integrity algorithm.
- local-id specifies the local IKE identification.
- remote-id remote peer IKE identification.
- version specifies the IKE version.
Example
switch(config-ipsec)#ike policy test
switch(config-ipsec-ike)#
interface tunnel (IPsec)
The interface tunnel command places the switch in the interface tunnel configuration mode.
Interface tunnel configuration mode is not a group change mode; running-config is changed immediately after commands are executed.
The no interface tunnel command deletes the interface tunnel configuration.
The exit command returns the switch to the global configuration mode.
Command Mode
Global Configuration
Command Syntax
interface tunnel <value>
no interface tunnel <value>
Parameter
value Tunnel interface number. The value ranges from 0 to 255.
Example
switch(config)#interface tunnel 10
switch(config-if-Tu10)#
ip security
The ip security command places the switch in the IP security configuration mode.
IP security configuration mode is not a group change mode; running-config is changed immediately after commands are executed.
The no ip security command deletes the IP security configuration.
The exit command returns the switch to the global configuration mode.
Command Mode
Global Configuration
Command Syntax
ip security
no ip security
Example
switch(config)#ip security
switch(config-ipsec)#ike policy IKE1
switch(config-ipsec-IKE1)#exit
switch(config-ipsec)#sa policy SA1
switch(config-SA1)#
profile (IPsec)
The profile command configures the IP security profile on the switch. The profile is configured in IP security configuration mode.
The no profile command deletes the IP security profile configuration from the switch.
The exit command returns the switch to the global configuration mode.
Command Mode
IP Security Configuration
Command Syntax
profile <profile-name>
no profile <profile-name>
Parameter
- profile-name Specifies the IP security profile name.
The following parameters can be configured in IP security profile configuration mode:
- connection IPsec Connection (Initiator/Responder/Dynamic).
- dpd Dead Peer Detection.
- flow sets the flow.
- ike-policy ISAKMP policy.
- mode IP security mode type.
- sa-policy security association name.
- shared-key specifies key value.
Example
switch(config-ipsec)#profile test
switch(config-ipsec-profile)#
sa policy
The sa policy command specifies a Security Association (SA) policy to be used for IPsec configuration, and enters IP security SA policy configuration mode to configure the named policy.
The no sa policy command deletes the specified SA policy configuration from the switch.
The exit command returns the switch to the global configuration mode.
Command Mode
IP Security Configuration
Command Syntax
sa policy <policy_name>
no sa policy <policy_name>
Parameter
- policy_name Specifies the SA policy name.
The following parameters are configured in IP security SA policy configuration mode:
- anti-replay IPsec duplicate IP datagram detection
- esp Encapsulation Security Payload
- pfs Perfect Forward Secrecy
- sa Security Association
Example
switch(config-ipsec)#sa policy test
switch(config-ipsec-sa)#
show ip security applied-profile
The show ip security applied-profile command displays the IP security profile names and the interfaces on which they are applied.
Command Mode
EXEC
Command Syntax
show ip security applied-profile
Example
switch#show ip sec applied-profile
Profile Name      Interface
ipsec-profile-1   Tunnel1, Tunnel2, Tunnel3, Tunnel4, Tunnel5, Tunnel6, Tunnel7,
                  Tunnel8, Tunnel9, Tunnel10, Tunnel11, Tunnel12, Tunnel13,
                  Tunnel14, Tunnel15, Tunnel16, Tunnel17, Tunnel18, Tunnel19,
                  Tunnel20, Tunnel21, Tunnel22, Tunnel23, Tunnel24, Tunnel25,
                  Tunnel26,
show ip security connection
The show ip security connection command displays the IP security connection status information.
Command Mode
EXEC
Command Syntax
show ip security connection
Example
switch#show ip sec conn tunnel 1
Tunnel    Source     Dest       Status        Uptime     Input     Output          Rekey Time
Tunnel1   11.1.1.1   11.2.1.1   Established   19 hours   0 bytes   0 bytes         4 hours
                                                         0 pkts    62937679 pkts
switch#show ip sec conn tunnel 1 detail
Tunnel1:
  source address 11.1.1.1, dest address 11.2.1.1
  state: Established
  uptime: 19 hours, 7 minutes, 23 seconds
  Inbound SPI 0xca5560f4:
    request id 193, mode tunnel replay-window 16384, seq 0x0
    stats errors:
      replay-window 0, replay 0, integrity_failed 0
    lifetime config:
      softlimit 4534352933249 bytes, hardlimit 6442450944000 bytes
      softlimit 2077499095 pkts, hardlimit 4000000000 pkts
      expire add soft 85619 secs, hard 86400 secs
    lifetime current:
      0 bytes, 0 pkts
      add time Mon May 13 17:33:54 2019, use time Mon May 13 17:33:54 2019
  Outbound SPI 0xc60da749:
    request id 193, mode tunnel replay-window 16384, seq 0x0
    stats errors:
      replay-window 0, replay 0, integrity_failed 0
    lifetime config:
      softlimit 3286021368749 bytes, hardlimit 6442450944000 bytes
      softlimit 2480571031 pkts, hardlimit 4000000000 pkts
      expire add soft 85418 secs, hard 86400 secs
    lifetime current:
      0 bytes, 62937679 pkts
      add time Mon May 13 17:33:54 2019, use time Mon May 13 18:06:42 2019
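The detail output above carries the two counters worth alerting on for an IPsec tunnel: integrity_failed (packets whose ICV did not verify, meaning tampering, a key mismatch or corruption) and the replay counters (duplicate or out-of-window sequence numbers rejected by anti-replay), plus the SA's position relative to its hard lifetime. As an added example (not Arista code), the following Python parses that output into per-SA records and produces findings. SAMPLE is the Tunnel1 output shown above copied as-is; the alert thresholds and the SaStatus field names are this example's assumptions.

```python
"""Parse 'show ip security connection <tunnel> detail' and raise SA findings.

Added example; not Arista code. SAMPLE is the Tunnel1 output from this
page. Thresholds (any integrity/replay error, 90% of a hard limit) are
this example's assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE = """\
Tunnel1:
source address 11.1.1.1, dest address 11.2.1.1
state: Established
uptime: 19 hours, 7 minutes, 23 seconds
Inbound SPI 0xca5560f4:
request id 193, mode tunnel replay-window 16384, seq 0x0
stats errors:
replay-window 0, replay 0, integrity_failed 0
lifetime config:
softlimit 4534352933249 bytes, hardlimit 6442450944000 bytes
softlimit 2077499095 pkts, hardlimit 4000000000 pkts
expire add soft 85619 secs, hard 86400 secs
lifetime current:
0 bytes, 0 pkts
add time Mon May 13 17:33:54 2019, use time Mon May 13 17:33:54 2019
Outbound SPI 0xc60da749:
request id 193, mode tunnel replay-window 16384, seq 0x0
stats errors:
replay-window 0, replay 0, integrity_failed 0
lifetime config:
softlimit 3286021368749 bytes, hardlimit 6442450944000 bytes
softlimit 2480571031 pkts, hardlimit 4000000000 pkts
expire add soft 85418 secs, hard 86400 secs
lifetime current:
0 bytes, 62937679 pkts
add time Mon May 13 17:33:54 2019, use time Mon May 13 18:06:42 2019
"""


@dataclass(frozen=True)
class SaStatus:
    direction: str            # "inbound" or "outbound"
    spi: int
    replay_window_errors: int
    replay_errors: int
    integrity_failed: int
    hard_bytes: int
    hard_pkts: int
    current_bytes: int
    current_pkts: int

    def pkt_usage(self) -> float:
        return self.current_pkts / self.hard_pkts

    def byte_usage(self) -> float:
        return self.current_bytes / self.hard_bytes


# One SA block starts at each "Inbound SPI"/"Outbound SPI" header line.
SA_HEADER = re.compile(r"^\s*(Inbound|Outbound) SPI (0x[0-9a-fA-F]+):", re.MULTILINE)
# The "stats errors" line; the "request id" line also says replay-window but is
# followed by ", seq", so it does not match this pattern.
ERRORS = re.compile(r"replay-window (\d+), replay (\d+), integrity_failed (\d+)")
HARD_BYTES = re.compile(r"hardlimit (\d+) bytes")
HARD_PKTS = re.compile(r"hardlimit (\d+) pkts")
CURRENT = re.compile(r"lifetime current:\s*(\d+) bytes, (\d+) pkts")


def parse_connection_detail(text: str) -> list[SaStatus]:
    headers = list(SA_HEADER.finditer(text))
    sas: list[SaStatus] = []
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        block = text[h.start():end]
        err, cur = ERRORS.search(block), CURRENT.search(block)
        hb, hp = HARD_BYTES.search(block), HARD_PKTS.search(block)
        if not (err and cur and hb and hp):
            raise ValueError(f"incomplete SA block for SPI {h.group(2)}")
        sas.append(SaStatus(
            direction=h.group(1).lower(),
            spi=int(h.group(2), 16),
            replay_window_errors=int(err.group(1)),
            replay_errors=int(err.group(2)),
            integrity_failed=int(err.group(3)),
            hard_bytes=int(hb.group(1)),
            hard_pkts=int(hp.group(1)),
            current_bytes=int(cur.group(1)),
            current_pkts=int(cur.group(2)),
        ))
    return sas


def sa_findings(sas: list[SaStatus], usage_threshold: float = 0.9) -> list[str]:
    findings: list[str] = []
    for sa in sas:
        tag = f"{sa.direction} SPI {sa.spi:#010x}"
        if sa.integrity_failed:
            findings.append(f"{tag}: {sa.integrity_failed} integrity failures "
                            "(tampering, key mismatch or corruption)")
        if sa.replay_errors or sa.replay_window_errors:
            findings.append(f"{tag}: anti-replay rejected packets "
                            f"(replay={sa.replay_errors}, window={sa.replay_window_errors})")
        usage = max(sa.pkt_usage(), sa.byte_usage())
        if usage >= usage_threshold:
            findings.append(f"{tag}: {usage:.0%} of hard lifetime consumed; rekey expected")
    return findings


if __name__ == "__main__":
    parsed = parse_connection_detail(SAMPLE)
    for sa in parsed:
        print(f"{sa.direction:8} {sa.spi:#010x} pkts={sa.current_pkts} usage={sa.pkt_usage():.2%}")
    print(sa_findings(parsed) or "no findings")
```

Feed it the output of the same command collected on a schedule and alert on any non-empty result; a counter that keeps climbing between samples matters more than a single non-zero reading.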
show ip security policy
The show ip security policy command displays the IP security policy information.
Command Mode
EXEC
Command Syntax
show ip security policy
Example
switch#show ip security policy
Policy Name   Authentication   Encryption    Integrity     Lifetime   Rekey   DH Group
ike-policy    Pre-shared       256-bit AES   256bit Hash   8 hours    False   3072 bit
show ip security profile
The show ip security profile command displays the IP security profile information.
Command Mode
EXEC
Command Syntax
show ip security profile
Example
switch#show ip security profile
Profile name    IKE Policy Name   SA
ipsec-profile   ike-policy        sa-policy
show ip security security-association
The show ip security security-association command displays the IP security SA information.
Command Mode
EXEC
Command Syntax
show ip security security-association
Example
switch#show ip sec security-association
SA Name       ESP Encryption   ESP Integrity   Lifetime   PFS Group
sa-policy-1   256-bit AES      256bit Hash     24 hours   2k bit
Macro-Segmentation Service (CVX)
Arista MSS is designed as a service in CloudVision that provides the point of integration between individual vendor firewalls or a firewall manager and the Arista network fabric. MSS provides flexibility on where to place the service devices and workloads. It is specifically aimed at Physical-to-Physical (P-to-P) and Physical-to-Virtual (P-to-V) workloads.
Overview
Contemporary networking trends such as mobile applications and the Internet of Things (IoT) bring additional security challenges that legacy infrastructure does not protect against. These threats cannot be handled by installing a firewall only at the Internet edge. Arista Macro-Segmentation Service (MSS) addresses this gap, in addition to securing access, protecting critical data and end-user privacy.
MSS components include:
- Arista leaf-spine switch fabric
- Arista CloudVision
- Vendor firewall attached to a spine or service leaf switches. Different vendor firewalls can be attached to different switches to enhance scalability.
Usage Scenarios
The following usage scenarios describe a few major security challenges in today's data center that are successfully handled by MSS.
- Securing server-server traffic.
This scenario provides information about the role of MSS in securing network traffic between physical-to-physical (P-to-P) and physical to virtual (P-to-V) servers. Prior to MSS, network infrastructure devices followed the firewall sandwich setup where firewalls were placed in line between the security zones. This setup would impact scalability and performance of the servers.
Using MSS, this restriction on firewall placement is reduced. Firewalls are now attached to a service leaf switch in the network fabric and they still protect hosts without concern about their physical location. The following topology demonstrates the usage scenario.
Figure 4. Securing server-server traffic
- Monitoring and securing management traffic.
This usage scenario demonstrates how MSS successfully monitors and secures management interfaces in the data center.
The modern data center caters to managing the application, storage, virtualization, network, analytics and other layers. With virtualization, the hypervisor management plane also needs to be secured to prevent unwanted access to a hypervisor management interface. In the event of rogue access, Arista's MSS protects management interfaces. Only explicitly allowed hosts can gain access, through a jump host or administrator end-user computing instances. The following topology diagram illustrates the role of MSS in a data center.
Figure 5. Monitoring and Securing management traffic
Benefits
MSS provides the following key benefits:
- Enhanced security between any physical and virtual workloads in the data center.
- The automatic and seamless service insertion ability of MSS eliminates manual steering of traffic for a workload or a tenant.
- Security policies are applied to the host and application throughout the network.
- MSS is flexible since there are no proprietary frame formats, tagging, or encapsulation.
Terminology
The following terms related to MSS are used to describe the MSS feature:
- Intercept Switch/VTEP: TOR switch and VXLAN tunnel end-point connected to host from which traffic is intercepted. In the topology diagram, Intercept-1 and Intercept-2 are intercept switches.
- Service Switch/VTEP: TOR switch and VXLAN tunnel end-point connected to a firewall. In the topology diagram, Service-1 is the service switch.
- Service VNI: VXLAN tunnel created to redirect intercepted traffic to the service device (mapped to locally significant service VLAN).
- Original VNI: Original VNI traffic (mapped to Original VLAN).
- VXLAN: Virtual eXtensible LAN - a standards-based method of encapsulating Layer 2 traffic across a Layer 3 fabric.
- CVX: Arista CloudVision eXchange (CVX) is a part of CloudVision and is a virtualized instance of the same Extensible Operating System (EOS) that runs on physical switches. It functions as a point of integration between customer firewalls or firewall policy managers and the Arista network in order to steer traffic to the firewall.
How MSS Works
The following steps provide information about how MSS works as a service in the data center.
- MSS is enabled on the CloudVision eXchange (CVX) and the Arista switches are configured to stream their active state to CVX. This allows CVX to build a database of hosts and firewalls attached to the network and also to identify physical ports and IP addresses. CVX is also configured to communicate and synchronize policies from a vendor's firewall.
- CVX sends a request to the firewall or firewall manager to provide information about the security policies which are tagged for MSS usage. Accordingly, it will determine where traffic needs to be intercepted.
- CVX applies an intercept to steer the network traffic and pushes the intercept rules to the intercept switches where the server or applications are located.
Figure 6. CVX intercept
- The leaf switch starts sending intercepted traffic to the service leaf when the intercept has been applied to the leaf switch.
Figure 7. Leaf switches intercept
- Traffic is forwarded completely unmodified to the firewall after it enters the service leaf where the firewall is attached. Based on the configuration policy, the firewall applies the required actions such as inspection, log, allow, or deny.
- The service leaf switch sends the inspected traffic to its final destination or to the destination based on the firewall policy.
Configuration
The following sections provide detailed information about MSS configuration, system requirements, recommendations, and limitations.
Figure: Traffic flow in an MSS deployment
End users in the untrust zone access the web server through the TCP/443 port. Traffic flows through the active firewall to the web server interface in the web-untrust security zone. The web server interface in the web-trust security zone accesses the application server interface in the app-untrust security zone through port TCP/80 after traversing the firewall. From there, the application server interface in the app-trust security zone accesses the database through TCP/1433 in the db-untrust zone.
The following physical topology indicates the MSS setup.
The hosts are attached to a pair of intercept leaf switches. A firewall is connected to a service leaf switch using a pair of physical interfaces with a subinterface per zone or vWire.
Figure: Physical topology of the MSS
System Requirements
The system requirements to effectively run MSS are listed below.
- Arista CloudVision eXchange (CVX)
- Arista 7050X, 7050X2, 7060X, and 7060X2 series top of rack (TOR) switches
- Connected to the hosts whose traffic is intercepted, or to the firewall devices
- Connected to and monitored by CVX
- The network must be a VXLAN-enabled fabric with CVX running the VXLAN Control Service (VCS)
- Link Layer Discovery Protocol (LLDP) should be enabled on the firewall interfaces attached to the Arista TOR switches. Note that static mapping can be configured if required.
Recommendations and Limitations
TOR and CVX Switches
- Service switches should be dedicated exclusively to firewalls and not to host connectivity.
- In the event of an entry time-out, the server ARP entries are not re-learned on the service VTEP.
Firewall
- The firewall policy name must not have any whitespace character in the name. As an example, PCI policy is an unacceptable policy name. An acceptable name would be PCI_policy.
- When High Availability firewalls are used in the system, all links to switches must be port channels and a Multi-Chassis Link Aggregation (MLAG) bow-tie configuration should be used.
Configuring MSS
These sections describe steps to configure MSS.
Deploying CVX
Deploy CloudVision and configure the Arista TOR switches to connect to it. A CVX cluster of 3 instances with host names of cvx01, cvx02, and cvx03 are configured as an example.
Enabling the VXLAN Control Service on CVX
Enable the VXLAN Control Service (VCS) on every CVX instance after the three Arista CVX instances have been deployed and the TOR switches are configured to be managed by them.
VCS allows hardware VXLAN Tunnel End Points (VTEPs) to share state with each other in order to establish VXLAN tunnels without the need for a multicast control plane.
Example
CVX instance cvx01
cvx01(config-cvx)#service vxlan
cvx01(config-cvx-vxlan)#no shutdown
Similarly, VCS is enabled on the cvx02 and cvx03 devices.
Configuring the Access switches and the Service switch ports
Configure the switch ports that are connected to the hosts, whose traffic should be steered to the firewalls and the service switch ports which are connected to the firewalls.
Access switch configuration
The switch ports connected to the hosts, whose traffic needs to be intercepted, need to be configured as 802.1q trunks with the VLAN that is mapped to the VNI requiring interception. Unique VLAN IDs are configured for each tier of the application.
Access switch (intercept-1)
intercept-1# configure
intercept-1(config)# interface et10
intercept-1(config-if-Et10)# description web server
intercept-1(config-if-Et10)# switchport mode trunk
intercept-1(config-if-Et10)# switchport trunk allowed vlan 100
intercept-1(config)# interface et16
intercept-1(config-if-Et16)# description app server
intercept-1(config-if-Et16)# switchport mode trunk
intercept-1(config-if-Et16)# switchport trunk allowed vlan 200
Access switch (intercept-2)
intercept-2# configure
intercept-2(config)# interface et10
intercept-2(config-if-Et10)# description db server
intercept-2(config-if-Et10)# switchport mode trunk
intercept-2(config-if-Et10)# switchport trunk allowed vlan 300
Service switch (service-1)
service-1# configure
service-1(config)#interface port-channel 10
service-1(config-if-Po10)# description Far Interface
service-1(config-if-Po10)# switchport mode trunk
service-1(config-if-Po10)# switchport trunk allowed vlan none
service-1(config-if-Po10)# spanning-tree bpdufilter enable
service-1(config)#interface port-channel 20
service-1(config-if-Po20)# description Near Interface
service-1(config-if-Po20)# switchport mode trunk
service-1(config-if-Po20)# switchport trunk allowed vlan none
service-1(config-if-Po20)# spanning-tree bpdufilter enable
Enabling directflow on access switches and service switches
Arista MSS uses DirectFlow to intercept traffic, while VXLAN carries the intercepted traffic from the host to the firewall and back. DirectFlow must be enabled on every intercept switch and on every service switch.
Switch service-1
service-1# configure
service-1(config)# directflow
service-1(config-directflow)# no shutdown
Switch intercept-1
intercept-1# configure
intercept-1(config)# directflow
intercept-1(config-directflow)# no shutdown
Switch intercept-2
intercept-2# configure
intercept-2(config)# directflow
intercept-2(config-directflow)# no shutdown
Enabling VXLAN routing on the TOR switches
CVX uses Address Resolution Protocol (ARP) to determine where intercept hosts are physically located in the network. VXLAN routing should be configured on every TOR switch that will be intercepting traffic to ensure that CVX is aware of every host ARP entry.
The following configuration shows the routing configuration for each tier of the application, but not the entire VXLAN configuration. For more information on how to configure VXLAN and VXLAN routing, refer to the VXLAN section of the Arista EOS Configuration Guide.
Switch intercept-1
intercept-1# configure
intercept-1(config)# ip routing
intercept-1(config)# interface vlan100
intercept-1(config-if-Vl100)# ip address virtual 10.0.10.254/24
intercept-1(config)# interface vlan200
intercept-1(config-if-Vl200)# ip address virtual 10.0.20.254/24
intercept-1(config)# interface vlan300
intercept-1(config-if-Vl300)# ip address virtual 10.0.30.254/24
Switch intercept-2
intercept-2# configure
intercept-2(config)# ip routing
intercept-2(config)# interface vlan100
intercept-2(config-if-Vl100)# ip address virtual 10.0.10.254/24
intercept-2(config)# interface vlan200
intercept-2(config-if-Vl200)# ip address virtual 10.0.20.254/24
intercept-2(config)# interface vlan300
intercept-2(config-if-Vl300)# ip address virtual 10.0.30.254/24
Switch service-1
service-1# configure
service-1(config)# ip routing
service-1(config)# interface vlan100
service-1(config-if-Vl100)# ip address virtual 10.0.10.254/24
service-1(config)# interface vlan200
service-1(config-if-Vl200)# ip address virtual 10.0.20.254/24
service-1(config)# interface vlan300
service-1(config-if-Vl300)# ip address virtual 10.0.30.254/24
Configuring MSS on CVX
This step configures Arista MSS on CVX. The topology diagram depicts three CVX instances in a cluster, and the configuration is the same for every instance. Both the active and the standby vendor firewall are configured. If Panorama is used, only Panorama should be configured.
Example
In the example, the primary vendor firewall has a DNS name of fw-ha-node-1 and the standby firewall has a DNS name of fw-ha-node-2. The username and password are both set to admin purely for illustration, and the password is entered as type 0 (cleartext), which stores it unobfuscated in running-config. In a deployment, use a dedicated firewall API account with a strong secret.
CVX instance cvx01
cvx01# configure
cvx01(config)# cvx
cvx01(config-cvx)# no shutdown
cvx01(config-cvx)# service mss
cvx01(config-cvx-mss)# no shutdown
cvx01(config-cvx-mss)# vni range 20000-30000
cvx01(config-cvx-mss)# dynamic device-set panfw1
cvx01(config-cvx-mss-panfw1)# tag Arista_MSS
cvx01(config-cvx-mss-panfw1)# type palo-alto firewall
cvx01(config-cvx-mss-panfw1)# state active
cvx01(config-cvx-mss-panfw1)# device fw-ha-node-1
cvx01(config-cvx-mss-panfw1-fw-ha-node-1)# username admin password 0 admin
CVX instance cvx02
cvx02# configure
cvx02(config)# cvx
cvx02(config-cvx)# no shutdown
cvx02(config-cvx)# service mss
cvx02(config-cvx-mss)# no shutdown
cvx02(config-cvx-mss)# vni range 20000-30000
cvx02(config-cvx-mss)# dynamic device-set panfw1
cvx02(config-cvx-mss-panfw1)# tag Arista_MSS
cvx02(config-cvx-mss-panfw1)# type palo-alto firewall
cvx02(config-cvx-mss-panfw1)# state active
cvx02(config-cvx-mss-panfw1)# device fw-ha-node-1
cvx02(config-cvx-mss-panfw1-fw-ha-node-1)# username admin password 0 admin
CVX instance cvx03
cvx03# configure
cvx03(config)# cvx
cvx03(config-cvx)# no shutdown
cvx03(config-cvx)# service mss
cvx03(config-cvx-mss)# no shutdown
cvx03(config-cvx-mss)# vni range 20000-30000
cvx03(config-cvx-mss)# dynamic device-set panfw1
cvx03(config-cvx-mss-panfw1)# tag Arista_MSS
cvx03(config-cvx-mss-panfw1)# type palo-alto firewall
cvx03(config-cvx-mss-panfw1)# state active
cvx03(config-cvx-mss-panfw1)# device fw-ha-node-1
cvx03(config-cvx-mss-panfw1-fw-ha-node-1)# username admin password 0 admin
Configuring the Firewall
Three policies are created in addition to the default implicit deny policy for inter-zone traffic. The implicit deny ensures that inter-zone traffic is not allowed unless a policy explicitly permits it.
The first policy, untrust_to_web1, is from the untrust zone to the web1 zone and allows HTTPS traffic from anywhere to the web server web.
The third policy, web2_to_app1, is from the web2 zone to the app1 zone and allows HTTP traffic between the web server web and the application server app.
The fifth policy, app2_to_db1, is from the app2 zone to the db1 zone and allows database traffic on port TCP/1433 between the application server app and the database server db.
The second, fourth, and sixth policies prevent the firewall from dropping a session for which it did not see the initial connection to the protected resource. This can happen if the protected resource has not sent any traffic before this point.
Refer to the following images for more clarity about the above policies and interface configuration.
Figure: Firewall Policy Configuration
Figure: Firewall interface configuration
Create a rule that Arista MSS will use to intercept and redirect traffic and add a firewall policy with the default Arista_MSS tag as shown in the example above. MSS intercepts all traffic from endpoints identified in policies that match the tag values configured in CVX. The firewall will apply all rules (tagged or untagged) to all traffic.
Alternatively, the map device-interface command can be used on CVX to manually map a device to Arista switch interfaces (for example when LLDP is not available on the firewall). To map multiple devices, add a mapping entry for each device.
dynamic device-set fw1
device dc-firewall-1
map device-interface ethernet1/1 switch 00:1c:73:7e:21:bb interface Ethernet1
map device-interface ethernet1/2 switch 00:1c:73:7e:21:bb interface Ethernet9
MSS Commands
Configuration Commands
CVX Show Commands
dynamic device-set
The dynamic device-set command configures a device such as a firewall to communicate with the MSS in the MSS configuration mode.
The no dynamic device-set command removes a previously configured device from the MSS configuration and returns to the CVX mode.
Command Mode
MSS Configuration
Command Syntax
dynamic device-set device-set_name
no dynamic device-set device-set_name
Parameters
device-set_name a unique name for the device set.
Example
cvx#configure
cvx(config)#cvx
cvx(config-cvx)#no shutdown
cvx(config-cvx)#service mss
cvx(config-cvx-mss)#no shutdown
cvx(config-cvx-mss)#vni range 30000-40000
cvx(config-cvx-mss)#dynamic device-set panfw1
cvx(config-cvx-mss-panfw1)#
exception device
The exception device command selects whether traffic bypasses the service device (such as a firewall) or continues to be redirected to it when the service device's control-plane API becomes unreachable after the initial policies have been processed. Note the failure mode each option implies: bypass (the default) fails open, so intercepted traffic is no longer steered through the firewall while the API is down; redirect keeps steering traffic to the firewall even though policy updates can no longer be synchronized.
The no exception device command removes the configured setting, reverting to the default (bypass).
Command Mode
MSS Configuration
Command Syntax
exception device unreachable [bypass | redirect]
no exception device unreachable [bypass | redirect]
default exception device unreachable bypass
Parameters
- device: service device in the device set.
- unreachable: service device control-plane API is unreachable.
- bypass: bypass the service device.
- redirect: continue redirecting traffic to the service device.
Example
cvx#configure
cvx(config)#cvx
cvx(config-cvx)#no shutdown
cvx(config-cvx)#service mss
cvx(config-cvx-mss)#no shutdown
cvx(config-cvx-mss)#vni range 30000-40000
cvx(config-cvx-mss)#dynamic device-set fw
cvx(config-cvx-mss-fw)#device firewall-dc7
cvx(config-cvx-mss-fw)#username admin password 7 PKigsmo3IcnW5rqoZXWQ
cvx(config-cvx-mss-fw)#state active
cvx(config-cvx-mss-fw)#type palo-alto firewall
cvx(config-cvx-mss-fw)#exception device unreachable redirect
group
The group command configures the Panorama device group name to be used with MSS.
The no group command removes the group from the MSS configuration when the Panorama firewall manager is used.
See the type palo-alto command for more information about the firewall manager.
Command Mode
Device-set mode
Command Syntax
group group_name
no group group_name
Parameters
group_name the name of the group.
Example
cvx(config)#cvx
cvx(config-cvx)#service mss
cvx(config-cvx-mss)#dynamic device-set pano2
cvx(config-cvx-mss-pano2)#type palo-alto panorama
cvx(config-cvx-mss-pano2)#device myPanorama
cvx(config-cvx-mss-pano2-myPanorama)#group mssDevices
name-resolution interval (CVX-OpenStack)
The name-resolution interval command specifies the period between consecutive requests that the OpenStack controller sends to the Keystone service for VM and tenant name updates. Keystone is OpenStack's authentication and authorization service.
The default period is 21600 seconds (6 hours).
The name-resolution force (CVX-OpenStack) command performs an immediate update, as opposed to waiting for the periodic update.
Command Mode
CVX-OpenStack Configuration
Command Syntax
name-resolution interval period
Parameters
- period: Keystone identity service polling interval (seconds).
Comment
service openstack places the switch in CVX-OpenStack configuration mode.
Example
switch(config)#cvx
switch(config-cvx)#service openstack
switch(config-cvx-openstack)#name-resolution interval 18000
switch(config-cvx-openstack)#
service mss
The service mss command enters the MSS configuration sub-mode.
The no service mss command exits the MSS configuration mode and returns to the CVX mode.
Command Mode
CVX Configuration
Command Syntax
service mss
no service mss
default service mss
Example
cvx# configure
cvx(config)# cvx
cvx(config-cvx)# no shutdown
cvx(config-cvx)# service mss
cvx(config-cvx-mss)# no shutdown
show service mss dynamic device-set
The show service mss dynamic device-set command displays detailed information about a specific service device set, such as device-group members, high-availability state, network interfaces, and system resources.
Command Mode
EXEC
CVX Configuration
Command Syntax
show service mss dynamic device-set device_set_name [device device_name [group-members | high-availability | neighbors | network | policies | resources]]
Parameters
- device_set_name: the device set name.
- device device_name: the service device, identified by its DNS hostname or IP address.
- group-members: lists the device-group members of an aggregation manager.
- high-availability: displays the service device's high-availability information.
- neighbors: displays neighbor information for the service device's Ethernet interfaces.
- network: displays the service device's network interface information.
- policies: displays the list of policies read from the service device that carry the MSS tag.
- resources: displays the service device's system resource information.
show service mss policy
The show service mss policy command displays generic information about the configuration and operational state of the macro-segmentation service (MSS) policies on a device.
Command Mode
EXEC
CVX Configuration
Command Syntax
show service mss policy [[device device_name] [name policy-name] [source (static | plugin_name)]]
Parameters
- device device_name: the service device name.
- name policy-name: the policy name to filter on.
- source: the source of the policy.
- static: a policy configured through the command line interface.
- plugin_name: the service device type.
Example
cvx#show service mss policy name policy1
Source          Device   Policy    Config    Status
-----------------------------------------------------
vendorFirewall  pan100   policy1   Enabled   Initialized
The "Config" column indicates the configuration state of a policy: enabled, dry run, or disabled.
The "Status" column indicates the operational state of a policy: initialized, pending, initializing, active, reinitializing, dry-run complete, or deactivating.
show service mss status
The show service mss status command displays the status of a macro-segmentation service (MSS) on the device.
Command Mode
EXEC
CVX Configuration
Command Syntax
show service mss status
Examples
- This command displays the MSS status on the device as Enabled.
switch#show service mss status
State: Enabled
Service VNIs: 1500-1600,1800,1900-2000
- This command displays the MSS status on the device as Disabled.
switch#show service mss status
State: Disabled
Service VNIs: 1-16777214
show service mss zone
The show service mss zone command displays information about the interfaces that the service device has placed in a single zone. Used together with the show service mss policy command, it helps identify issues with the policy configuration.
Interfaces from multiple switches can be placed in the same zone by the device.
Command Mode
EXEC
CVX Configuration
Command Syntax
show service mss zone [[device device_name]|[name zone_name]| [source (static | dynamic_source)]]
Parameters
- device device_name: the service device name.
- name zone_name: the zone name to filter on.
- source: the source of the zone.
- static: a zone configured through the command line interface.
- dynamic_source: the service device type.
Example
switch#show service mss zone
Source: static
---------------------------------------
Device: device1
Zone: zone1
Switch: 00:00:00:00:00:01
Hostname: switch1.arista.com
Interfaces:
Ethernet1/1
Allowed VLAN: 1000-1010
Port-Channel2/1:
Allowed VLAN: 1000-2000
Switch: 00:00:00:00:00:02
Hostname: switch2.arista.com
Interfaces:
Ethernet10/1
Allowed VLAN: 1000-1010
Zone: zone2
Switch: 00:00:00:00:00:01
Hostname: switch1.arista.com
Interfaces:
Ethernet10/1
Allowed VLAN: 1000-1010
Ethernet 20/1
Allowed VLAN: 1000-2000
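The zone listing above is what an operator reads when checking where the service device has placed switch ports. As an added example, not part of this reference or of Arista's software, the Python below parses that output (ignoring the indentation lost in the flattened listing) and flags any switch port that appears in two zones with overlapping allowed VLANs; that overlap check is an audit assumed here for illustration, not an MSS feature, and the sample input is constructed from the page's output.

```python
# Added example (not Arista code): parse flattened 'show service mss zone'
# output and flag ports placed in two zones with overlapping VLANs. Sample is
# constructed: the page's zone1 entries plus a zone2 Port-Channel2/1 entry.
SAMPLE = """Source: static
Device: device1
Zone: zone1
Switch: 00:00:00:00:00:01
Interfaces:
Ethernet1/1
Allowed VLAN: 1000-1010
Port-Channel2/1:
Allowed VLAN: 1000-2000
Zone: zone2
Switch: 00:00:00:00:00:01
Interfaces:
Ethernet10/1
Allowed VLAN: 1000-1010
Port-Channel2/1:
Allowed VLAN: 1500-1600
"""
IGNORED = {"Source", "Device", "Hostname", "Interfaces"}

def parse_vlans(spec):
    """'1000-1010,1800' -> set of VLAN ids."""
    parts = [p.partition("-") for p in spec.split(",")]
    return {v for lo, _, hi in parts for v in range(int(lo), int(hi or lo) + 1)}

def parse_zones(text):
    """Map (zone, switch, interface) -> allowed VLAN set; indentation ignored."""
    table, ctx, iface = {}, {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        key, _, val = line.partition(":")
        if key in ("Zone", "Switch"):
            ctx[key] = val.strip()
        elif key == "Allowed VLAN":
            table[(ctx["Zone"], ctx["Switch"], iface)] = parse_vlans(val.strip())
        elif key and key[0] != "-" and key not in IGNORED:
            iface = key  # interface name; any trailing ':' was split off
    return table

def zone_overlaps(table):
    """Ports present in two zones whose allowed VLANs intersect (added audit)."""
    found = []
    keys = sorted(table)
    for i, (z1, sw, port) in enumerate(keys):
        for z2, sw2, port2 in keys[i + 1:]:
            shared = table[(z1, sw, port)] & table[(z2, sw2, port2)]
            if (sw, port) == (sw2, port2) and z1 != z2 and shared:
                found.append((sw, port, z1, z2, min(shared), max(shared)))
    return found
```

Running zone_overlaps(parse_zones(SAMPLE)) reports Port-Channel2/1 on switch 00:00:00:00:00:01 as a member of both zone1 and zone2 for VLANs 1500 through 1600.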
state
The state command places the device set in the active, shutdown, or suspended state.
The no state command removes the previously configured state of the device set.
Command Mode
MSS Configuration
Command Syntax
state [active | shutdown | suspend]
no state
Parameters
- active: the active state of the device set. Policy monitoring and network traffic redirection are enabled.
- shutdown: the disabled state of the device set. Policy monitoring and network traffic redirection are stopped.
- suspend: the suspended state of the device set. Policy monitoring is suspended but there is no change in the existing traffic redirection.
Example
cvx#configure
cvx(config)#cvx
cvx(config-cvx)#no shutdown
cvx(config-cvx)#service mss
cvx(config-cvx-mss)#no shutdown
cvx(config-cvx-mss)#vni range 30000-40000
cvx(config-cvx-mss)#dynamic device-set panfw1
cvx(config-cvx-mss-panfw1)#tag Arista_MSS
cvx(config-cvx-mss-panfw1)#type palo-alto firewall
cvx(config-cvx-mss-panfw1)#state active
tag
The tag command specifies the tag or tags that MSS searches when it is reading the security policy from the firewall or firewall manager in the dynamic device-set configuration mode. You can specify more than one tag as well.
The no tag command removes the tag from the MSS configuration.
Command Mode
MSS Configuration
Command Syntax
tag tag_name
no tag
default tag Arista_MSS
Parameters
tag_name: a unique name for the tag.
Examples
- This command specifies the tag with the name Arista_MSS.
cvx#configure
cvx(config)#cvx
cvx(config-cvx)#no shutdown
cvx(config-cvx)#service mss
cvx(config-cvx-mss)#no shutdown
cvx(config-cvx-mss)#vni range 30000-40000
cvx(config-cvx-mss)#dynamic device-set panfw1
cvx(config-cvx-mss-panfw1)#tag Arista_MSS
- This command specifies multiple tags with names mss1, mss2, and mss3.
cvx#configure
cvx(config)#cvx
cvx(config-cvx)#no shutdown
cvx(config-cvx)#service mss
cvx(config-cvx-mss)#no shutdown
cvx(config-cvx-mss)#vni range 30000-40000
cvx(config-cvx-mss)#dynamic device-set panfw1
cvx(config-cvx-mss-panfw1)#tag mss1 mss2 mss3
type palo-alto
The type palo-alto command configures the firewall type to be used in the MSS configuration.
The no type palo-alto command removes the firewall type from the MSS configuration.
Command Mode
MSS Configuration
Command Syntax
type palo-alto [firewall | panorama]
no type palo-alto
Parameters
- firewall: the Palo Alto Networks firewall.
- panorama: the Palo Alto Networks Panorama firewall manager.
Example
cvx#configure
cvx(config)#cvx
cvx(config-cvx)#service mss
cvx(config-cvx-mss)#dynamic device-set panfw1
cvx(config-cvx-mss-panfw1)#type palo-alto firewall