
ATF 3Q15-8 - Introducing Macro-Segmentation

Published in: Internet

  1. Technical Forum: Introducing Arista Macro-Segmentation (Autumn 2015)
  2. Definitions
     • Micro-Segmentation
       - Inserting services in the path of inter-VM traffic (e.g. intra-tenant)
       - Policies defined by VMware NSX for each workload
       - Enforced in the Distributed vSwitch based on application, tag, etc.
     • Macro-Segmentation™
       - Inserting services between workgroups (inter-tenant) in the physical network by defining inter-workgroup policies
     • Arista Macro-Segmentation Security (MSS™)
       - An extension in EOS that utilizes CloudVision to automate security service insertion in the network
       - Integration with leading next-generation firewalls
  3. Micro-Segmentation
     • Enabled by partners – e.g. VMware NSX
     • Provides fine-grained security policies at virtual switch level
     • Works great!
       - Provided all hosts and devices are virtualized, and there’s a single vSwitch variant
     • Some security vendors (e.g. Palo Alto) are onboard
       - Virtual security appliance embedded with virtual switch with centralized policy and reporting
     • Unfortunately, many challenges around physical devices
       - e.g. non-virtualized, different hypervisor/vSwitch, appliance devices, storage
       - Existing estate
     (Diagram labels: Internet, Security Policy, Security Admin, Traffic Steering)
  4. Current Approaches for DC Security
     • Focus is on Perimeter Security, e.g. north-south flows only
     • Scaling challenges – e.g. firewall active/standby HA pairs
     • Security policy dependent on network topology – and vice versa
       - Network & security administration are co-dependent
     • Limited or no security of east-west flows, especially for physical devices
     • Little or no coordination between vSwitch security and physical firewalling
     (Diagram labels: Active, Active/Standby, vSwitch, vSwitch)
     Current approaches ill-suited to the needs of the Software Driven Cloud Data Center
  5. Arista Macro-Segmentation
     • Enabled by Arista CloudVision
       - Understands physical topology and location of every device
       - Full visibility of any adds, moves and changes
       - 2-way exchange of information with overlay controllers – knows all virtual device locations
     • Provides network service physical device integration, e.g. Palo Alto Firewalls
       - Service device can be anywhere in the network
       - Devices to be serviced can be anywhere
       - Non-proprietary, standards-based, existing frame/packet formats
     (Diagram labels: Cloud Orchestrators, Overlay Controllers, www.arista.com, Network Services)
  6. Arista Macro-Segmentation
     • No new tagging or encapsulation
     • One point of control – e.g. the security policy manager
       - For both physical and virtual firewalls
     • Directly maps to security model – zones etc.
     • No server reconfiguration
     • No per application overhead
     (Diagram labels: Virtual Firewalls, Physical Firewalls, Physical Servers & Storage, Transparent Insertion of Firewall/Service)
  7. Macro-Segmentation with Palo Alto Networks
     • Security Admin owns the security policies
       - No Network Admin involvement required
     • Network Admin owns the network configuration
     • PAN service is enabled within CloudVision, which:
       - Learns security policies and associated end devices
       - Logically instantiates them in the network
  8. Arista Macro-Segmentation: Existing Approaches vs. With Arista Macro-Segmentation
     • Existing: Perimeter (“North-South” traffic) only
       With MSS: Logically instantiated anywhere in the network
     • Existing: Scaling limitations (e.g. only HA pairs of firewalls)
       With MSS: Scale-out design – security admin can use multiple firewalls rather than larger central devices
     • Existing: Requires security & network admin to jointly architect solution
       With MSS: Topology independent – all devices covered
     • Existing: Limited “East-West” protection for physical devices
       With MSS: Security for all points of the compass covered!
     • Existing: Separate solutions for physical and virtual firewalling and perimeter security (no P2V and P2P east-west security)
       With MSS: Coordinated approach for V2V, P2V, P2P security
  9. Arista Macro-Segmentation
     • Delivers flexible services deployment in the network
     • No forklift upgrades
     • No proprietary lock-ins
     • Server virtualization and vSwitch agnostic
     • Uses Arista CloudVision to coordinate policy across the entire network
     (Diagram labels: Cloud Orchestrators, Overlay Controllers, www.arista.com, Network Services)
  10. Summary
  11. Thank you for joining us
     • Join us for ATF #9 in the spring
     • Please invite your colleagues to this year’s remaining events:
       - 3/11 – Paris
       - 10/11 – Zurich
       - 12/11 – Johannesburg
       - 17/11 – Cape Town
       - 19/11 – Milan
       - 26/11 – Utrecht
       - TBA – Warsaw, Moscow, Dublin and Madrid
  12. Thank you – See you in the spring!
  13. Thank you for joining us
     • Feedback forms
     • Join us for drinks afterwards at …
  14. One last thing…
  15. Reminder - SSU Leaf – Hitless Upgrade
     • Designed to provide simple, low-risk upgrade options for fixed configuration systems and single connected servers
     • Key feature for critical applications where maintenance windows are impossible to schedule
     • During reload, Data Plane remains fully operational and acts as a proxy for Control Plane
     • Traffic loss during an SSU Hitless Upgrade is unnoticeable to applications
     (Comparison: Existing Approaches – 5+ minutes application loss reported ✗; SSU Hitless Upgrade – 200ms application loss reported ✓)
  16. Competition - Guess the outage
     • Arista 7050X running 4.15.2F
       - 8 reloads in 20 minutes
       - 64-byte packets
     • TX count - 1,989,541,312
     • RX count - 1,989,350,703
     • Average 0.00958% packet loss
     • Average 16ms outage!
  17. Our winners …
     • IWon
     • A Nother
     • Lar Stwun
  18. Thank you – See you in the spring!