AVA Sensor
AVA switch sensor, also known as the “monitor security awake” feature, provides deep network analysis by doing deep packet inspection of some or all packets of traffic forwarded by the switch. It continuously monitors enterprise devices, users, and applications wherever they are, even as IP addresses change, while maintaining a forensic record of past activities. This functionality can be enabled or disabled on the fly without impacting regular packet forwarding functionality.
AVA Switch Sensor Extension
AVA switch sensor extends EOS telemetry for network threat detection. The FlowWatcher agent RPMs are released as part of the NDRSensor.swix extension along with other RPMs that enable the AVA switch sensor functionality. The user must install the NDRSensor.swix extension on a system running a supported EOS version. After the extension is installed, it can be enabled using the monitor security awake command as described in the Configuration section.
When monitor security awake is enabled, the FlowWatcher agent enables hardware flow tracking with filter-based packet sampling, IP/IPv6 access lists, and mirroring features to receive the first few packets of every new flow and flow volume using IPFIX. It connects to the AVA Nucleus using SSL. The EOS FlowWatcher agent processes the most interesting packets of all the flows that are forwarded by the switch. It does deep packet inspection (DPI) of the packets, computes flow volume using IPFIX data records, and generates activity records. The generated activity records are then sent to AVA Nucleus using Kafka over a TLS session. The AVA Nucleus uses a combination of detection models to uncover malicious intent and to provide the NDR functionality.
Platform Compatibility
- CCS-720XP-96ZC2
- CCS-720XP-48Y6
- CCS-720XP-48ZC2
- CCS-720XP-24ZY4
- CCS-720XP-24Y6
- CCS-720DP-48ZS
NDR Sensor Extension Installation
If NDRSensor.swix is already installed, to upgrade the EOS image or the extension, follow the steps to uninstall an extension before proceeding to install a new extension. After the switch is up with a supported EOS.swi, copy and install the NDRSensor.swix extension.
switch# copy <source>/NDRSensor.swix extension:
switch# extension NDRSensor.swix
switch# show extensions
Name                              Version/Release        Status      Extension
--------------------------------- ---------------------- ----------- ---------
NDRSensor.swix                    4.30.1F/31620129.4301F A, NI, B    8
Add NDRSensor.swix to boot-extensions:
switch# copy installed-extensions boot-extensions
Copy completed successfully.
Refer to Managing EOS Extensions for additional details on managing extensions on EOS.
Configuration
SSL Profile Configuration
switch(config)#management security
switch(config-mgmt-security)#ssl profile profile-name
switch(config-mgmt-sec-ssl-profile-awake-nucleus1)#certificate certificate-name key key-name
switch(config-mgmt-sec-ssl-profile-awake-nucleus1)#trust certificate system
The AVA Nucleus certificate can be self-signed or signed by a third party. For the self-signed case, the certificate must be copied onto the switch certificate: directory and configured using the trust certificate <certificate> command under the SSL profile configuration. If it is signed by a third party, the CA certificate of the third party needs to be copied onto the switch certificate: directory and configured using trust certificate <certificate>. If the third-party CA is a common CA that is present in the system-supplied list of trusted CAs (most cases), then trust certificate system can be used, and no certificate needs to be copied over to the switch.
Refer to SSL certificate and key management for additional details on all SSL profile configuration parameters.
Generating SSL Key and Self-signed Certificate
- To create an SSL key on the switch:
switch# security pki key generate rsa 2048 key-name
- To show the SSL key generated:
switch# show management security ssl key key-name
- To generate a self-signed certificate on the switch, use the following CLI:
switch# security pki certificate generate self-signed certificate-name key key-name generate rsa 2048 [parameters ...]
Enter the certificate parameters interactively or use the parameters option to specify them inline. Once the SSL key and certificate are generated, they can be used in the ssl profile.
- The generated certificate needs to be copied to AVA Nucleus using either the more or the copy command in the switch CLI:
switch# more certificate:certificate-name --> Emits the certificate on the switch console
switch# copy certificate:certificate-name destination --> Copies the certificate to an external location
Monitor Security Awake Configuration
- To configure the feature, enter monitor security awake mode:
switch(config)# [no|default] monitor security awake
- To enable or disable Monitor security awake (the feature is enabled with no disabled):
switch(config-monitor-security-awake)# [no|default] disabled
- To configure the maximum flow table size:
switch(config-monitor-security-awake)# [no|default] flow table size <SIZE> entries
! The flow table size configuration change will cause the FlowWatcher agent restart and all active flows to be lost. Do you wish to proceed with this command? [y/N]
The default flow table size is 16k entries. A change in the flow table size configuration restarts the FlowWatcher agent.
- To configure the Kafka topic name:
switch(config-monitor-security-awake)# [no|default] topic <name>
The default topic name is packet-analysis-sessions.
- To configure the monitor-point identifier (MPID) that identifies the campus/site:
switch(config-monitor-security-awake)# [no|default] monitor-point identifier <id>
Every AVA sensor must be configured with a unique monitor-point identifier and provisioned in the Nucleus. The default monitor point id is 0.
Nucleus Configuration
- To configure the Nucleus, enter nucleus mode:
switch(config-monitor-security-awake)# [no|default] nucleus <name>
- To configure the Nucleus IP address and port:
switch(config-monitor-security-awake-nucleus-<name>)# [no|default] destination <ipv4 address>/<ipv6 address>/<dns> [port <port>]
The default port is 9094.
- To configure the local interface that supplies the source IP address and VRF:
switch(config-monitor-security-awake-nucleus-<name>)# [no|default] local interface <local-interface>
- To configure the SSL profile:
switch(config-monitor-security-awake-nucleus-<name>)# [no|default] ssl profile <profile-name>
Loopback Interface Configuration
switch(config)# interface Loopback0
switch(config-if-Lo0)# ip address <ip>[/n] [ip subnet mask]
Configuration Examples
# Generate SSL client key
switch# security pki key generate rsa 2048 client-key
switch# show management security ssl key client-key
…
# Generate SSL client certificate
switch# security pki certificate generate self-signed client-cert key client-key generate rsa 2048 parameters common-name SwitchName country US state CA locality "Santa Clara" organization Arista organization-unit IT
certificate:client-cert generated
switch# show management security ssl certificate client-cert
…
# Copy SSL client certificate to AVA nucleus
switch# copy certificate:client-cert <destination>
# Copy AVA nucleus certificate onto the switch
switch# copy terminal: certificate:ca-cert
enter input line by line; when done enter one or more control-d
….
Copy completed successfully.
switch# show management security ssl certificate ca-cert
…
# Create SSL profile with client-key, client-cert and ca-cert
switch(config)# management security
switch(config-mgmt-security)# ssl profile awake-nucleus
switch(config-mgmt-sec-ssl-profile-awake-nucleus)# certificate client-cert key client-key
switch(config-mgmt-sec-ssl-profile-awake-nucleus)# trust certificate ca-cert
switch(config-mgmt-sec-ssl-profile-awake-nucleus)# end
# Enable IP routing
switch# conf
switch(config)# ip routing
# Configure monitor security awake and enable
switch(config)# monitor security awake
switch(config-monitor-security-awake)# monitor-point identifier 1
switch(config-monitor-security-awake)# nucleus awake-nucleus
switch(config-monitor-security-awake-nucleus-awake-nucleus)# local interface Management 1
switch(config-monitor-security-awake-nucleus-awake-nucleus)# destination nucleus1.foo.com
switch(config-monitor-security-awake-nucleus-awake-nucleus)# ssl profile awake-nucleus
switch(config-monitor-security-awake-nucleus-awake-nucleus)# exit
switch(config-monitor-security-awake)# no disabled
switch(config-monitor-security-awake)# end
…
management security
ssl profile awake-nucleus
certificate client-cert key client-key
trust certificate ca-cert
…
ip routing
…
monitor security awake
nucleus awake-nucleus
local interface Management1
destination nucleus1.foo.com
ssl profile awake-nucleus
no disabled
management security
ssl profile awake-nucleus1
certificate client-cert key client-key1
trust certificate system
ssl profile awake-nucleus2
certificate client-cert key client-key2
trust certificate root-cert2
monitor security awake
topic packet-analysis-sessions
monitor-point identifier 10
flow table size 153600 entries
!
nucleus nucleus1
local interface Loopback10
destination nucleus1.foo.com
ssl profile awake-nucleus1
nucleus nucleus2
local interface Management1
destination nucleus2.foo.com
ssl profile awake-nucleus2
no disabled
Upgrade EOS and/or NDRSensor.swix Extension
- Disable the AVA sensor by configuring disabled under monitor security awake. This stops the AVA switch sensor running on the switch.
- Uninstall the NDRSensor.swix extension:
switch# show installed-extensions
NDRSensor.swix
switch# no extension NDRSensor.swix
switch# show extensions
Name                              Version/Release        Status      Extension
--------------------------------- ---------------------- ----------- ---------
NDRSensor.swix                    4.30.1F/31620129.4301F A, NI, B    8
- Remove NDRSensor.swix from boot extensions:
switch# show boot-extensions
NDRSensor.swix
# Old extension needs to be removed from boot-extensions
switch# copy installed-extensions boot-extensions
Copy completed successfully.
switch# show boot
# boot-extensions empty.
- Upgrade the EOS image on the switch. Follow the steps to upgrade the EOS image on the device as described in the EOS configuration guide, and wait until the switch is back up and running.
- Install the new NDRSensor.swix extension corresponding to the new EOS image and copy it to boot-extensions. This step is the same as in NDR Sensor Extension Installation.
- Verify that the AVA switch sensor is running by using the show monitor security awake command.
Show commands
- The following CLI command shows the status of the Monitor security awake feature:
switch# show monitor security awake [nucleus <nucleus>]
Example
switch# show monitor security awake
Monitor security awake status: active
Topic identifier: packet-analysis-sessions
Monitor point identifier: 0
Flow table size: 16384 entries
Flow table inactive timeout: 40.0 seconds
Active interfaces: Et37,39,49
Nucleus: nucleus1
Status: connected
VRF: default
Local interface: Management1 (172.28.134.144)
Destination: 10.243.93.139 port 9094
SSL profile: awake-nucleus1
Last established: 2 days, 19:58:23 ago
- The following CLI command shows the various counters of the Monitor security awake feature:
switch# show monitor security awake counters [flows|ipfix|nucleus [<nucleus>]]
Example
switch# show monitor security awake counters
Active flows: 269, RX packets: 8.943M (8943077)
Flows created: 558.655K (558655), expired: 558.386K (558386)
ipv4 flows:
Application       Flows Active       Flows Created           Flows Expired
----------------- ------------------ ----------------------- -----------------
DHCP              9                  13.072K (13072)         13.063K (13063)
DNS               53                 279.857K (279857)       279.804K (279804)
HTTP              5                  34.759K (34759)         34.754K (34754)
LDAP              0                  15                      15
NetBios           0                  18                      18
SMB               0                  18                      18
TLS/SSL           45                 143.986K (143986)       143.941K (143941)
Other             157                86.93K (86930)          86.773K (86773)
IPv6 flows:
Application       Flows Active       Flows Created           Flows Expired
----------------- ------------------ ----------------------- -----------------
Nucleus: nucleus1
Activity records sent: 578.306K (578306), last sent 0:00:00 ago
Progress records sent: 172.057K (172057), last sent 0:00:00 ago
Last successful connection: 10:11:22 ago
Successful connections: 11
Last connection failure: 10:11:51 ago
Connection failures: 46
Activity records in queue: 0
Progress records in queue: 1
IPFIX counters:
Exporter: 172.22.197.142 Source port: 36582 Observation domain ID: 1
Messages received: 379.455K (379455)
Template records received: 208
Options template records received: 0
Data records received: 7.308M (7308225)
Options data records received: 0
Unknown template ID errors: 0
Invalid IPFIX messages received: 0
Flow record queue full: 0
- The following CLI command shows the flow table snapshot of all the flows currently active in the FlowWatcher agent:
switch# show monitor security awake flow-table [detail]
This is a debugging command and can take some time to dump the snapshot of the current flow table.
Example 1:
switch# show monitor security awake flow-table
ipv4 flows: 5
Lower IP address     Higher IP address     Protocol  Start Time                  Packets  Bytes
-------------------- --------------------- --------- --------------------------- -------- ---------
10.8.3.102:58119     87.98.179.150:6893    UDP       2022-03-09 21:54:00.447260  1        71
10.3.1.31:58554      10.5.10.2:1999        UDP       2022-03-09 21:54:00.493157  11       1358
10.3.1.61:34703      10.5.7.2:1999         UDP       2022-03-09 21:54:11.586934  29       11460
10.3.1.63:52498      10.5.6.2:1999         UDP       2022-03-09 21:54:18.397906  9        637
10.3.1.81:47766      10.5.13.2:1999        UDP       2022-03-09 21:54:00.411780  25       12606
IPv6 flows: 2
Lower IP address                  Higher IP address  Protocol  Start Time                  Packets  Bytes
--------------------------------  -----------------  --------  --------------------------  -------  -----
[fe80::10fd:3ded:b992:b0fe]:5353  [ff02::fb]:5353    UDP       2022-03-09 22:15:55.765183  14       3020
[fe80::186d:bd78:4904:679f]:5353  [ff02::fb]:5353    UDP       2022-03-09 22:15:55.765136  11       2647
Example 2:
switch# show monitor security awake flow-table detail
Flow table detail codes: L2H - Lower to higher IP address, H2L - Higher to lower IP address
ipv4 Flows: 2
Flow: UDP 10.8.4.103:61591 - 87.98.179.248:6893
Start time: 2022-03-14 17:58:03.390968, Last packet time: 2022-03-14 17:58:10.874020
Packets L2H: 0, Bytes L2H: 0, Packets H2L: 1, Bytes H2L: 64
Flow: UDP 10.3.1.63:60835 - 10.5.12.2:1999
Start time: 2022-03-14 17:58:39.406626, Last packet time: 2022-03-14 17:58:40.207204
Packets L2H: 0, Bytes L2H: 0, Packets H2L: 35, Bytes H2L: 13692
IPv6 Flows: 2
Flow: UDP [fe80::7854:510f:c685:ff22]:57938 - [ff02::c]:3702
Start time: 2022-03-14 17:58:15.818269, Last packet time: 2022-03-14 17:58:15.818269
Packets L2H: 0, Bytes L2H: 0, Packets H2L: 1, Bytes H2L: 722
Flow: UDP [fe80::d065:deb9:d239:bed3]:61403 - [ff02::1:3]:5355
Start time: 2022-03-14 17:58:21.011325, Last packet time: 2022-03-14 17:58:21.011325
Packets L2H: 0, Bytes L2H: 0, Packets H2L: 2, Bytes H2L: 180
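The status and counters output above is what an operator would poll to confirm the sensor is actually delivering records to the Nucleus. The following script is an added example, not Arista code: it parses the text of show monitor security awake and show monitor security awake counters (the sample strings are constructed from the outputs shown on this page, with the layout assumed to be as shown) and returns findings such as a nucleus that is not connected, a high connection-failure count, IPFIX template or queue errors, or a nearly full flow table. The thresholds max_failures and table_fill_pct are assumptions, not documented defaults.

```python
"""Health check over 'show monitor security awake' and
'show monitor security awake counters' text.  Added example, not Arista
code: parses the CLI output as a monitoring job fed from an SSH or eAPI
session would, and returns the conditions an operator should look at."""
import re

# Sample output, constructed from the CLI examples in this document.
STATUS_OUTPUT = """\
Monitor security awake status: active
Monitor point identifier: 0
Flow table size: 16384 entries
Active interfaces: Et37,39,49
Nucleus: nucleus1
Status: connected
Local interface: Management1 (172.28.134.144)
Destination: 10.243.93.139 port 9094
Last established: 2 days, 19:58:23 ago
"""

COUNTERS_OUTPUT = """\
Active flows: 269, RX packets: 8.943M (8943077)
Flows created: 558.655K (558655), expired: 558.386K (558386)
ipv4 flows:
DNS 53 279.857K (279857) 279.804K (279804)
Nucleus: nucleus1
Activity records sent: 578.306K (578306), last sent 0:00:00 ago
Last successful connection: 10:11:22 ago
Connection failures: 46
Activity records in queue: 0
IPFIX counters:
Exporter: 172.22.197.142 Source port: 36582 Observation domain ID: 1
Data records received: 7.308M (7308225)
Unknown template ID errors: 0
Invalid IPFIX messages received: 0
Flow record queue full: 0
"""

FIELD_RE = re.compile(r"^\s*([^:]+):\s*(.*)$")
# "Name: 558.655K (558655)" or "Name: 269"; several may share one line.
# The exact value in parentheses wins over the abbreviated one, and a
# number followed by ':' (a duration such as 10:11:22) is not a counter.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z ]*?):\s*(\d[\d.]*[KM]?)"
                        r"(?:\s*\((\d+)\))?(?=[,\s]|$)")


def parse_status(text):
    """Return (global fields, {nucleus name: its fields}) as strings."""
    top, nuclei, cur = {}, {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Nucleus":
            cur = nuclei.setdefault(val, {})
        elif cur is None:
            top[key] = val
        else:
            cur[key] = val
    return top, nuclei


def parse_counters(text):
    """Return {section: {counter: int}}; sections are 'global', each nucleus name and 'ipfix'."""
    counters, section = {"global": {}}, "global"
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Nucleus:"):
            section = line.split(":", 1)[1].strip()
            counters[section] = {}
        elif line == "IPFIX counters:":
            section = "ipfix"
            counters[section] = {}
        for name, num, exact in COUNTER_RE.findall(line):
            if exact:
                counters[section][name.strip()] = int(exact)
            elif num.isdigit():  # skips IP addresses such as the exporter
                counters[section][name.strip()] = int(num)
    return counters


def check_health(status_text, counters_text, max_failures=10, table_fill_pct=80):
    """Return human-readable findings; an empty list means healthy."""
    top, nuclei = parse_status(status_text)
    counters = parse_counters(counters_text)
    findings = []
    state = top.get("Monitor security awake status")
    if state != "active":
        findings.append("sensor status is %s, expected active" % state)
    for name, fields in nuclei.items():
        if fields.get("Status") != "connected":
            findings.append("nucleus %s is %s" % (name, fields.get("Status")))
        fails = counters.get(name, {}).get("Connection failures", 0)
        if fails > max_failures:
            findings.append("nucleus %s: %d connection failures (limit %d)"
                            % (name, fails, max_failures))
    # Flow table occupancy: active flows against the configured size.
    size = top.get("Flow table size", "0").split()[0]
    active = counters["global"].get("Active flows", 0)
    if size.isdigit() and int(size) and active * 100 >= int(size) * table_fill_pct:
        findings.append("flow table %d/%s entries in use" % (active, size))
    for key in ("Unknown template ID errors", "Invalid IPFIX messages received",
                "Flow record queue full"):
        if counters.get("ipfix", {}).get(key, 0):
            findings.append("IPFIX %s: %d" % (key, counters["ipfix"][key]))
    return findings
```

Run against the page's own sample the only finding is the 46 connection failures on nucleus1, which matches the "Last connection failure" timestamps in the output: the sensor is connected now but has been flapping. Feeding the two command outputs from a periodic collector into check_health gives a simple alert source without touching the switch configuration.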
Limitations
- NDRSensor.swix is supported on 32-bit and 64-bit EOS versions.
- In an MLAG setup, the AVA switch sensor does not correlate bidirectional flows that are hashed to different MLAG peers.
- AVA switch sensor doesn’t correlate bidirectional flows that are NATed.
- When the AVA switch sensor is enabled, the TerminAttr agent also processes the IPFIX packets sent to the CPU, and the Traffic flows feature on the CloudVision portal is automatically enabled, which can cause additional CPU usage on the switch. If the "Traffic flows" feature is not required on CloudVision, disable TerminAttr IPFIX processing by adding the -ipfix=false argument to exec /usr/bin/TerminAttr under the daemon TerminAttr configuration.
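The MLAG and NAT limitations above have a visible symptom in the flow-table detail output: a flow whose return direction is hashed to the other MLAG peer, or rewritten by NAT, shows packets in only one of the L2H/H2L directions. The script below is an added example, not Arista code. It parses the Example 2 layout of show monitor security awake flow-table detail (the sample string is the page's Example 2 plus one constructed bidirectional TCP flow, 10.3.1.20 to 10.5.1.5, added for contrast) and reports unicast flows seen in one direction only, excluding multicast destinations, which are one-way by nature. A rising share of one-sided unicast flows is a placement or design problem to investigate, not a detection.

```python
"""Find one-sided unicast flows in 'show monitor security awake
flow-table detail' output.  Added example, not Arista code.  The sensor
can only correlate both directions of a flow when it sees both, so a
high share of unicast flows with packets in one direction only hints
that the return path is hashed to the other MLAG peer or NATed."""
import ipaddress
import re

# Sample output: this document's Example 2 plus one constructed
# bidirectional TCP flow (10.3.1.20 - 10.5.1.5) for contrast.
SAMPLE = """\
Flow table detail codes: L2H - Lower to higher IP address, H2L - Higher to lower IP address
ipv4 Flows: 3
Flow: UDP 10.8.4.103:61591 - 87.98.179.248:6893
Start time: 2022-03-14 17:58:03.390968, Last packet time: 2022-03-14 17:58:10.874020
Packets L2H: 0, Bytes L2H: 0, Packets H2L: 1, Bytes H2L: 64
Flow: UDP 10.3.1.63:60835 - 10.5.12.2:1999
Start time: 2022-03-14 17:58:39.406626, Last packet time: 2022-03-14 17:58:40.207204
Packets L2H: 0, Bytes L2H: 0, Packets H2L: 35, Bytes H2L: 13692
Flow: TCP 10.3.1.20:51000 - 10.5.1.5:443
Start time: 2022-03-14 17:58:41.000000, Last packet time: 2022-03-14 17:58:42.500000
Packets L2H: 12, Bytes L2H: 1860, Packets H2L: 9, Bytes H2L: 7420
IPv6 Flows: 2
Flow: UDP [fe80::7854:510f:c685:ff22]:57938 - [ff02::c]:3702
Start time: 2022-03-14 17:58:15.818269, Last packet time: 2022-03-14 17:58:15.818269
Packets L2H: 0, Bytes L2H: 0, Packets H2L: 1, Bytes H2L: 722
Flow: UDP [fe80::d065:deb9:d239:bed3]:61403 - [ff02::1:3]:5355
Start time: 2022-03-14 17:58:21.011325, Last packet time: 2022-03-14 17:58:21.011325
Packets L2H: 0, Bytes L2H: 0, Packets H2L: 2, Bytes H2L: 180
"""

FLOW_RE = re.compile(r"^Flow:\s+(\S+)\s+(\S+)\s+-\s+(\S+)\s*$")
COUNT_RE = re.compile(r"Packets L2H:\s*(\d+),\s*Bytes L2H:\s*(\d+),\s*"
                      r"Packets H2L:\s*(\d+),\s*Bytes H2L:\s*(\d+)")


def split_endpoint(ep):
    """'10.1.2.3:80' or '[fe80::1]:53' -> (ip_address object, port)."""
    m = re.match(r"^\[(.+)\]:(\d+)$", ep) or re.match(r"^(.+):(\d+)$", ep)
    if not m:
        raise ValueError("unrecognised endpoint %r" % ep)
    return ipaddress.ip_address(m.group(1)), int(m.group(2))


def parse_flow_table(text):
    """Return one dict per 'Flow:' entry with its endpoints and direction counters."""
    flows, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = FLOW_RE.match(line)
        if m:
            cur = {"proto": m.group(1), "lower": split_endpoint(m.group(2)),
                   "higher": split_endpoint(m.group(3)),
                   "pkts_l2h": 0, "bytes_l2h": 0, "pkts_h2l": 0, "bytes_h2l": 0}
            flows.append(cur)
            continue
        m = COUNT_RE.search(line)
        if m and cur is not None:
            cur["pkts_l2h"], cur["bytes_l2h"], cur["pkts_h2l"], cur["bytes_h2l"] = \
                map(int, m.groups())
    return flows


def is_unicast(flow):
    return not (flow["lower"][0].is_multicast or flow["higher"][0].is_multicast)


def one_sided_unicast(flows):
    """Unicast flows with packets in exactly one direction."""
    return [f for f in flows
            if is_unicast(f) and (f["pkts_l2h"] == 0) != (f["pkts_h2l"] == 0)]


def describe(f):
    lo, hi = f["lower"], f["higher"]
    return "%s %s:%d - %s:%d L2H=%d H2L=%d" % (
        f["proto"], lo[0], lo[1], hi[0], hi[1], f["pkts_l2h"], f["pkts_h2l"])


def summarize(text):
    """Counts an operator can trend over successive snapshots."""
    flows = parse_flow_table(text)
    one_sided = one_sided_unicast(flows)
    return {"flows": len(flows),
            "unicast": sum(1 for f in flows if is_unicast(f)),
            "one_sided": len(one_sided),
            "one_sided_flows": [describe(f) for f in one_sided]}
```

On the sample, both IPv4 UDP flows from Example 2 are reported (H2L packets only), the constructed TCP flow is not, and the two IPv6 flows to ff02:: groups are skipped as multicast. Because the flow-table command is a debugging command that can take time to run, sample it on a schedule rather than polling it tightly.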
AVA Sensor commands
monitor security awake
When the monitor security awake command is enabled the FlowWatcher agent enables Hardware flow tracking with filter-based packet sampling, IP/IPv6 access lists, and mirroring features to receive the first few packets of every new flow and flow volume using IPFIX.
The no form of the monitor security awake command removes the monitor security awake configuration from the running config and disables the feature.
The command requires the NDRSensor.swix extension to be installed on the system running a supported EOS version.
Command Mode
Global Configuration
Command Syntax
monitor security awake
no monitor security awake
default monitor security awake
Example
switch(config)# monitor security awake
switch(config-monitor-security-awake)#
show monitor security awake
The show monitor security awake command displays the status of the Monitor security Awake feature on the switch.
Command Mode
EXEC
Command Syntax
show monitor security awake [nucleus nucleus]
Example
switch# show monitor security awake
Monitor security awake status: active
Topic identifier: packet-analysis-sessions
Monitor point identifier: 0
Flow table size: 16384 entries
Flow table inactive timeout: 40.0 seconds
Active interfaces: Et37,39,49
Nucleus: nucleus1
Status: connected
VRF: default
Local interface: Management1 (172.28.134.144)
Destination: 10.243.93.139 port 9094
SSL profile: awake-nucleus1
Last established: 2 days, 19:58:23 ago
show monitor security awake counters
The show monitor security awake counters command displays the various counters of the Monitor security awake feature on the switch.
Command Mode
EXEC
Command Syntax
show monitor security awake counters [flows | ipfix | nucleus [<nucleus>]]
Example
switch# show monitor security awake counters
Active flows: 269, RX packets: 8.943M (8943077)
Flows created: 558.655K (558655), expired: 558.386K (558386)
ipv4 flows:
Application Flows Active Flows Created Flows Expired
----------------- ------------------ ----------------------- -----------------
DHCP 9 13.072K (13072) 13.063K (13063)
DNS 53 279.857K (279857) 279.804K (279804)
HTTP 5 34.759K (34759) 34.754K (34754)
LDAP 0 15 15
NetBios 0 18 18
SMB 0 18 18
TLS/SSL 45 143.986K (143986) 143.941K (143941)
Other 157 86.93K (86930) 86.773K (86773)
IPv6 flows:
Application Flows Active Flows Created Flows Expired
----------------- ------------------ ------------------- -------------
Nucleus: nucleus1
Activity records sent: 578.306K (578306), last sent 0:00:00 ago
Progress records sent: 172.057K (172057), last sent 0:00:00 ago
Last successful connection: 10:11:22 ago
Successful connections: 11
Last connection failure: 10:11:51 ago
Connection failures: 46
Activity records in queue: 0
Progress records in queue: 1
IPFIX counters:
Exporter: 172.22.197.142 Source port: 36582 Observation domain ID: 1
Messages received: 379.455K (379455)
Template records received: 208
Options template records received: 0
Data records received: 7.308M (7308225)
Options data records received: 0
Unknown template ID errors: 0
Invalid IPFIX messages received: 0
Flow record queue full: 0