ATF 3Q15-8 - Introducing Macro-Segmentation
TRANSCRIPT
Technical Forum
Introducing Arista Macro-Segmentation
Autumn 2015
Definitions
Micro-Segmentation
• Inserting services in the path of inter-VM traffic (e.g. intra-tenant)
• Policies defined by VMware NSX for each workload
• Enforced in the Distributed vSwitch based on application, tag, etc.
Macro-Segmentation™
• Inserting services between workgroups (inter-tenant) in the physical network by defining inter-workgroup policies
Arista Macro-Segmentation Security (MSS™)
• An extension in EOS that utilizes CloudVision to automate security service insertion in the network
• Integration with leading next-generation firewalls
Micro-Segmentation
§ Enabled by partners – e.g. VMware NSX
§ Provides fine-grained security policies at virtual switch level
§ Works great!
• Provided all hosts and devices are virtualized, and there’s a single vSwitch variant
§ Some security vendors (e.g. Palo Alto) are onboard
• Virtual security appliance embedded with virtual switch, with centralized policy and reporting
§ Unfortunately, many challenges around physical devices
• e.g. non-virtualized, different hypervisor/vSwitch, appliance devices, storage
• Existing estate
(Diagram labels: Internet, Security Policy, Security Admin, Traffic Steering)
Current Approaches for DC Security
§ Focus is on Perimeter Security, e.g. north-south flows only
§ Scaling challenges – e.g. firewall active/standby HA pairs
§ Security policy dependent on network topology – and vice versa
• Network & security administration are co-dependent
§ Limited or no security of east-west flows, especially for physical devices
§ Little or no coordination between vSwitch security and physical firewalling
(Diagram labels: Active, Active/Standby, vSwitch, vSwitch)
Current approaches ill-suited to the needs of the Software Driven Cloud Data Center
Arista Macro-Segmentation
§ Enabled by Arista CloudVision
• Understands physical topology and location of every device
• Full visibility of any adds, moves and changes
• 2-way exchange of information with overlay controllers – knows all virtual device locations
§ Provides network service physical device integration, e.g. Palo Alto Firewalls
• Service device can be anywhere in the network
• Devices to be serviced can be anywhere
• Non-proprietary, standards-based, existing frame/packet formats
(Diagram labels: Cloud Orchestrators, Overlay Controllers, Network Services; www.arista.com)
Arista Macro-Segmentation
§ No new tagging or encapsulation
§ One point of control – e.g. the security policy manager
• For both physical and virtual firewalls
§ Directly maps to security model – zones etc.
§ No server reconfiguration
§ No per application overhead
(Diagram labels: Virtual Firewalls, Physical Firewalls, Virtual Servers, Physical Servers & Storage – Transparent Insertion of Firewall/Service)
Macro-Segmentation with Palo Alto Networks
Security Admin owns the security policies.
No Network Admin involvement required.
Network Admin owns the network configuration.
PAN service is enabled within CloudVision, which:
• Learns security policies and associated end devices
• Logically instantiates them in the network
Arista Macro-Segmentation
Existing Approaches | With Arista Macro-Segmentation
Perimeter (“North-South” Traffic) Only | Logically instantiated anywhere in the network
Scaling Limitations (e.g. only HA pairs of Firewalls) | Scale-out design – security admin can use multiple firewalls rather than larger central devices
Requires security & network admin to jointly architect solution | Topology independent – all devices covered
Limited protection “East-West” for physical devices | Security for all points of the compass covered!
Separate solutions for physical and virtual firewalling and perimeter security (no P2V and P2P east-west security) | Coordinated approach for V2V, P2V, P2P security
Arista Macro-Segmentation
§ Delivers flexible services deployment in the network
§ No forklift upgrades
§ No proprietary lock-ins
§ Server virtualization and vSwitch agnostic
§ Uses Arista CloudVision to coordinate policy across the entire network
(Diagram labels: Cloud Orchestrators, Overlay Controllers, Network Services)
Summary
Thank you for joining us
§ Join us for ATF #9 in the spring
§ Please invite your colleagues to this year’s remaining events:
3/11 – Paris
10/11 – Zurich
12/11 – Johannesburg
17/11 – Cape Town
19/11 – Milan
26/11 – Utrecht
TBA – Warsaw, Moscow, Dublin and Madrid
Thank you – See you in the spring!
Thank you for joining us
§ Feedback forms
§ Join us for drinks afterwards at …
One last thing…
Reminder - SSU Leaf – Hitless Upgrade
SSU Hitless Upgrade
§ Designed to provide simple, low-risk upgrade options for fixed configuration systems and single-connected servers
§ Key feature for critical applications where maintenance windows are impossible to schedule
§ During reload, the Data Plane remains fully operational and acts as a proxy for the Control Plane
§ Traffic loss during an SSU Hitless Upgrade is unnoticeable to applications
(Chart: Application Loss Report – Existing Approaches: 5+ minutes ✗; SSU Hitless Upgrade: 200ms ✓)
Competition - Guess the outage
§ Arista 7050X running 4.15.2F
• 8 reloads in 20 minutes
• 64-byte packets
§ TX count - 1,989,541,312
§ RX count - 1,989,350,703
§ Average 0.00958% Packet Loss
Average 16ms outage!
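As an added worked example (not from the ATF slides or Arista's own tooling), the loss figures on this slide can be reconstructed from the two counters: lost frames are TX minus RX, the loss percentage is that divided by TX, and the mean outage per reload follows from spreading the lost frames over the 8 reloads at the line rate for 64-byte frames. The slide does not state the link speed; the script assumes a 1 GbE test port (about 1.488 Mpps for 64-byte frames once preamble and inter-frame gap are counted), which is the assumption under which the slide's 16 ms figure comes out.

```python
# Added example, not from the ATF slides: reconstruct the "Guess the outage"
# figures from the TX/RX counters shown on the slide.

FRAME_BYTES = 64            # frame size stated on the slide
ETHERNET_OVERHEAD = 20      # preamble + SFD (8 bytes) and inter-frame gap (12 bytes)

# Assumption (not stated on the slide): a 1 GbE test port. 64-byte frames at
# 1 GbE line rate give ~1.488 Mpps, which is what makes the slide's 16 ms add up.
LINE_RATE_BPS = 1_000_000_000


def line_rate_pps(line_rate_bps=LINE_RATE_BPS, frame_bytes=FRAME_BYTES):
    """Maximum frames per second for a given frame size on an Ethernet link."""
    return line_rate_bps / ((frame_bytes + ETHERNET_OVERHEAD) * 8)


def outage_from_counters(tx, rx, reloads, pps):
    """Derive lost frames, loss percentage and the mean outage per reload.

    tx/rx are the traffic-generator counters over the whole test run;
    reloads is how many hitless upgrades happened during that run;
    pps is the offered load in frames per second (here: line rate).
    """
    lost = tx - rx
    loss_pct = 100.0 * lost / tx
    lost_per_reload = lost / reloads
    outage_ms = 1000.0 * lost_per_reload / pps
    return {
        "lost_frames": lost,
        "loss_pct": loss_pct,
        "outage_ms": outage_ms,
    }


if __name__ == "__main__":
    # Counters exactly as shown on the competition slide.
    stats = outage_from_counters(
        tx=1_989_541_312, rx=1_989_350_703, reloads=8, pps=line_rate_pps()
    )
    print(f"lost frames : {stats['lost_frames']:,}")
    print(f"packet loss : {stats['loss_pct']:.5f}%")
    print(f"mean outage : {stats['outage_ms']:.1f} ms per reload")
```

The link-speed assumption dominates the result: the same 190,609 lost frames spread over 8 reloads is about 16 ms at 1 GbE but only about 1.6 ms at 10 GbE, so when reading an outage figure derived this way, check what load the generator was actually offering.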
Our winners …
§ I Won
§ A Nother
§ Lar Stwun
Thank you – See you in the spring!