ATF 3Q15-8 - Introducing Macro-Segmentation

  1. Technical Forum: Introducing Arista Macro-Segmentation, Autumn 2015
  2. Definitions
     Micro-Segmentation
     • Inserting services in the path of inter-VM traffic (e.g. intra-tenant)
     • Policies defined by VMware NSX for each workload
     • Enforced in the Distributed vSwitch, based on application, tag, etc.
     Macro-Segmentation™
     • Inserting services between workgroups (inter-tenant) in the physical network by defining inter-workgroup policies
     Arista Macro-Segmentation Security (MSS™)
     • An extension in EOS that utilizes CloudVision to automate security service insertion in the network
     • Integration with leading next-generation firewalls
  3. Micro-Segmentation
     § Enabled by partners, e.g. VMware NSX
     § Provides fine-grained security policies at the virtual switch level
     § Works great!
       • Provided all hosts and devices are virtualized, and there is a single vSwitch variant
     § Some security vendors (e.g. Palo Alto) are on board
       • Virtual security appliance embedded with the virtual switch, with centralized policy and reporting
     § Unfortunately, many challenges around physical devices
       • e.g. non-virtualized hosts, different hypervisor/vSwitch, appliance devices, storage
       • Existing estate
     [Figure: Internet, Security Policy, Security Admin, Traffic Steering]
  4. Current Approaches for DC Security
     § Focus is on perimeter security, i.e. north-south flows only
     § Scaling challenges, e.g. firewall active/standby HA pairs
     § Security policy depends on network topology, and vice versa
       • Network and security administration are co-dependent
     § Limited or no security of east-west flows, especially for physical devices
     § Little or no coordination between vSwitch security and physical firewalling
     [Figure: Active, Active/Standby firewall pair; vSwitch, vSwitch]
     Current approaches are ill-suited to the needs of the Software Driven Cloud Data Center
  5. Arista Macro-Segmentation
     § Enabled by Arista CloudVision
       • Understands the physical topology and the location of every device
       • Full visibility of any adds, moves and changes
       • Two-way exchange of information with overlay controllers, so it knows all virtual device locations
     § Provides network service and physical device integration, e.g. Palo Alto firewalls
       • The service device can be anywhere in the network
       • The devices to be serviced can be anywhere
       • Non-proprietary, standards-based, existing frame/packet formats
     [Figure: Cloud Orchestrators, Overlay Controllers, Network Services]
  6. Arista Macro-Segmentation
     § No new tagging or encapsulation
     § One point of control, e.g. the security policy manager
       • For both physical and virtual firewalls
     § Directly maps to the security model (zones etc.)
     § No server reconfiguration
     § No per-application overhead
     [Figure: Virtual and physical firewalls; physical servers & storage; transparent insertion of firewall/service]
  7. Macro-Segmentation with Palo Alto Networks
     The Security Admin owns the security policies; no Network Admin involvement is required.
     The Network Admin owns the network configuration.
     The PAN service is enabled within CloudVision, which:
     • Learns security policies and their associated end devices
     • Logically instantiates them in the network
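The slide describes the mechanism only in two bullets: a controller that knows where every device and the firewall attach, learns zone-based policies from the firewall manager, and turns them into redirect state in the fabric. The following is an added toy model of that instantiation step, written for this page; it is not Arista CloudVision, EOS or Palo Alto code, and every name, address, data structure and function in it is invented for the illustration. It shows the two properties the deck claims (the firewall and the serviced devices can sit behind any leaf, and a device move changes only where the redirect state lives, not the policy) plus the check a practitioner wants: traffic that has already passed the firewall must never match a redirect entry again, or it loops.

```python
"""Toy model of firewall service insertion driven by a learned security policy.

Added illustration, not Arista CloudVision / EOS or Palo Alto code. All names,
addresses and data structures here are invented for the example.

Inputs: zones (zone name -> device names) and inter-zone rules, as a security
policy manager would define them, plus the physical attachment point of every
device and of the firewall, as a topology-aware controller would know them.
Output: the per-leaf redirect entries that send inter-zone traffic through the
firewall regardless of where the endpoints or the firewall sit.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    leaf: str   # switch the device is attached to
    port: str   # port on that switch


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str


@dataclass(frozen=True)
class SteerEntry:
    leaf: str
    ingress_port: str   # only packets arriving on this port match
    src_ip: str
    dst_ip: str
    redirect_to: str    # "leaf:port" of the firewall attachment


def instantiate(zones: Dict[str, Set[str]], rules: List[Rule],
                devices: Dict[str, Device], firewall: Device) -> Set[SteerEntry]:
    """Derive redirect entries for every inter-zone device pair covered by `rules`."""
    fw_attach = f"{firewall.leaf}:{firewall.port}"
    entries: Set[SteerEntry] = set()
    for rule in rules:
        for s in zones[rule.src_zone]:
            for d in zones[rule.dst_zone]:
                if s == d:
                    continue  # intra-zone traffic is not steered to the firewall
                src, dst = devices[s], devices[d]
                # Forward direction, matched only on the source's own ingress port.
                entries.add(SteerEntry(src.leaf, src.port, src.ip, dst.ip, fw_attach))
                # Return direction, so a stateful firewall sees both halves of the flow.
                entries.add(SteerEntry(dst.leaf, dst.port, dst.ip, src.ip, fw_attach))
    return entries


def entries_per_leaf(entries: Set[SteerEntry]) -> Dict[str, int]:
    """How much redirect state each leaf carries (the topology-dependent part)."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.leaf] = counts.get(e.leaf, 0) + 1
    return counts


def no_redirect_loop(entries: Set[SteerEntry], firewall: Device) -> bool:
    """Inspected traffic re-enters the fabric on the firewall's port; no entry may
    match there, otherwise the same packet would be redirected a second time."""
    return not any(e.leaf == firewall.leaf and e.ingress_port == firewall.port
                   for e in entries)


def move_device(devices: Dict[str, Device], name: str, leaf: str, port: str) -> Dict[str, Device]:
    """An add/move/change in the topology: same policy, new attachment point."""
    updated = dict(devices)
    old = devices[name]
    updated[name] = Device(old.name, old.ip, leaf, port)
    return updated


# Constructed sample topology: a VM behind leaf1, a database server and a
# physical NAS behind leaf2, and the firewall hanging off leaf3.
DEVICES = {
    "web1": Device("web1", "10.1.0.10", "leaf1", "Ethernet1"),
    "db1":  Device("db1",  "10.2.0.20", "leaf2", "Ethernet5"),
    "nas1": Device("nas1", "10.2.0.30", "leaf2", "Ethernet7"),
}
FIREWALL = Device("fw1", "10.9.0.1", "leaf3", "Ethernet10")
ZONES = {"web": {"web1"}, "data": {"db1", "nas1"}}   # zones as the firewall manager defines them
RULES = [Rule("web", "data")]                          # one inter-zone rule; data<->data is untouched

if __name__ == "__main__":
    entries = instantiate(ZONES, RULES, DEVICES, FIREWALL)
    for e in sorted(entries, key=lambda e: (e.leaf, e.ingress_port, e.dst_ip)):
        print(e)
    print("state per leaf:", entries_per_leaf(entries))
    print("loop-free:", no_redirect_loop(entries, FIREWALL))
    # Move the VM to the firewall's leaf: policy unchanged, redirect state follows it.
    moved = move_device(DEVICES, "web1", "leaf3", "Ethernet2")
    print("after move:", entries_per_leaf(instantiate(ZONES, RULES, moved, FIREWALL)))
```

Keying each entry on the endpoint's ingress port is what makes the model safe with the firewall on an arbitrary leaf: after the move, web1 and fw1 share leaf3, but the redirect entries match Ethernet2 and never Ethernet10, so post-inspection packets forward normally. In a real deployment the equivalent check is that the firewall-facing interface carries no service-insertion policy of its own.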
  8. Arista Macro-Segmentation: existing approaches vs. Arista Macro-Segmentation
     | Existing Approaches | With Arista Macro-Segmentation |
     |---|---|
     | Perimeter ("North-South" traffic) only | Logically instantiated anywhere in the network |
     | Scaling limitations (e.g. only HA pairs of firewalls) | Scale-out design: the security admin can use multiple firewalls rather than larger central devices |
     | Requires security and network admins to jointly architect the solution | Topology independent, all devices covered |
     | Limited "East-West" protection for physical devices | Security for all points of the compass covered! |
     | Separate solutions for physical and virtual firewalling and perimeter security (no P2V and P2P east-west security) | Coordinated approach for V2V, P2V and P2P security |
  9. Arista Macro-Segmentation
     § Delivers flexible services deployment in the network
     § No forklift upgrades
     § No proprietary lock-in
     § Server virtualization and vSwitch agnostic
     § Uses Arista CloudVision to coordinate policy across the entire network
     [Figure: Cloud Orchestrators, Overlay Controllers, Network Services]
  10. Summary
  11. Thank you for joining us
     § Join us for ATF #9 in the spring
     § Please invite your colleagues to this year's remaining events: 3/11 Paris, 10/11 Zurich, 12/11 Johannesburg, 17/11 Cape Town, 19/11 Milan, 26/11 Utrecht; TBA: Warsaw, Moscow, Dublin and Madrid
  12. Thank you – See you in the spring!
  13. Thank you for joining us
     § Feedback forms
     § Join us for drinks afterwards at …
  14. One last thing…
  15. Reminder: SSU Leaf Hitless Upgrade
     § Designed to provide simple, low-risk upgrade options for fixed-configuration systems and single-connected servers
     § Key feature for critical applications where maintenance windows are impossible to schedule
     § During the reload, the data plane remains fully operational and acts as a proxy for the control plane
     § Traffic loss during an SSU Hitless Upgrade is unnoticeable to applications
     [Figure: Existing approaches: 5+ minutes of application loss reported (✗); SSU Hitless Upgrade: 200 ms of application loss reported (✓)]
  16. Competition: Guess the outage
     § Arista 7050X running EOS 4.15.2F
       • 8 reloads in 20 minutes
       • 64-byte packets
     § TX count: 1,989,541,312
     § RX count: 1,989,350,703 (190,609 packets lost across the 8 reloads)
     § Average 0.00958% packet loss; average 16 ms outage!
  17. Our winners …
     § I Won
     § A Nother
     § Lar Stwun
  18. Thank you – See you in the spring!