AVA Sensor
AVA switch sensor, also known as the “monitor security awake” feature, provides deep network analysis by doing deep packet inspection of some or all packets of traffic forwarded by the switch. It continuously monitors enterprise devices, users, and applications wherever they are, even as IP addresses change, while maintaining a forensic record of past activities. This functionality can be enabled or disabled on the fly without impacting regular packet forwarding functionality.
AVA Switch Sensor Extension
AVA switch sensor extends eos telemetry for network threat detection. The FlowWatcher
agent RPMs are released as part of the NDRSensor.swix
extension
along with other RPMs that enable the AVA switch sensor functionality. The user must
install the NDRSensor.swix
extension on a system running a
supported eos version. After the extension is installed, it can be enabled using the
monitor security awake command as described in the
Configuration section.
When monitor security awake is enabled, the FlowWatcher agent enables hardware flow tracking with filter-based packet sampling, IP/IPv6 access lists, and mirroring features to receive the first few packets of every new flow and flow volume using IPFIX. It connects to the AVA Nucleus using SSL. The eos FlowWatcher agent processes the most interesting packets of all the flows that are forwarded by the switch. It does deep packet inspection (DPI) of the packets, computes flow volume using IPFIX data records, and generates activity records. The generated activity records are then sent to AVA Nucleus using Kafka over a TLS session. The AVA Nucleus uses a combination of detection models to uncover malicious intent and to provide the NDR functionality.
Platform Compatibility
- CCS-720XP-96ZC2
- CCS-720XP-48Y6
- CCS-720XP-48ZC2
- CCS-720XP-24ZY4
- CCS-720XP-24Y6
- CCS-720DP-48ZS
NDR Sensor Extension Installation
NDRSensor.swix
installed, to
upgrade the eos image or extension follow the steps to uninstall an extension before
proceeding to install a new extension. After the switch is up with a supported eos.swi,
copy and install the NDRSensor.swix
extension.switch# copy <source>/NDRSensor.swix extension:
switch# extension NDRSensor.swix
switch# show extensions
Name Version/Release Status Extension
--------------------------------- -------------------- ----------- ---------
NDRSensor.swix 4.30.1F/316201\ A, NI, B 8
29.4301F
NDRSensor.swix
to
boot-extensions.switch# copy installed-extensions boot-extensions
Copy completed successfully.
Refer to Managing eos Extensions for additional details on managing extensions on eos.
Configuration
SSL Profile Configuration
switch(config)# management security
switch(config-mgmt-security)# ssl profile profile-name
switch(config-mgmt-sec-ssl-profile-awake-nucleus1)# certificate certificate-name key key-name
switch(config-mgmt-sec-ssl-profile-awake-nucleus1)# trust certificate system
The AVA Nucleus certificate can be self-signed or signed by a third party. For the
self-signed case, the certificate must be copied onto the switch
certificate:
directory and configured using the
trust certificate <certificate>
command under the SSL
profile
configuration. In case it’s signed by a third
party, then the CA certificate of the third party needs to be copied onto the switch
certificate:
directory and configured using
trust certificate <certificate>
. If the third-party
is a common CA and is present in the system-supplied list of trusted CAs (most cases),
then the trust certificate system
can be used, and no
certificate needs to be copied over to the switch.
Refer to SSL certificate and key management for additional details on all SSL profile configuration parameters.
Generating SSL Key and Self-signed Certificate
- To create an SSL key on the
switch:
switch# security pki key generate rsa 2048 key-name
- To show the SSL key
generated:
switch# show management security ssl key key-name
- To generate a self-signed certificate on the switch, use the following
CLI.
switch# security pki certificate generate self-signed certificate-name key key-name generate rsa 2048 [parameters … ]
Enter the certificate parameters interactively or use the
parameters
option to specify them inline. Once the SSL key and certificate are generated, they can be used in thessl profile
. - The generated certificate needs to be copied to AVA Nucleus using either the
more or copy
command in the switch
CLI.
switch# more certificate:certificate-name --> Will emit certificate on the switch console
switch# copy certificate:certificate-name destination --> To copy certificate to external location
Monitor Security Awake Configuration
- To configure the feature, enter
monitor security awake
mode:switch(config)# [no|default] monitor security awake
- To enable Monitor security
awake:
switch(config-monitor-security-awake)# [no|default] disabled
- To configure the maximum flow table
size:
The default flow table size is 16k entries. A change in the flow table size configuration will restart the FlowWatcher agent.switch(config-monitor-security-awake)# [no|default] flow table size <SIZE> entries ! The flow table size configuration change will cause the FlowWatcher agent restart and all active flows to be lost. Do you wish to proceed with this command? [y/N]
- To configure Kafka topic
name:
The default topic name isswitch(config-monitor-security-awake)# [no|default] topic <name>
packet-analysis-sessions
- To configure monitor-point identifier (MPID) to identify
campus/site:
switch(config-monitor-security-awake)# [no|default] monitor-point identifier <id>
Every AVA sensor must be configured with a unique monitor-point identifier and provisioned in the Nucleus. The default monitor point id used is 0.
Nucleus Configuration
- To configure the Nucleus, enter nucleus
mode:
switch(config-monitor-security-awake)# [no|default] nucleus <name>
- To configure Nucleus IP and
port:
The default port is: 9094switch(config-monitor-security-awake-nucleus)# [no|default] destination <ipv4 address>/<ipv6 address>/<dns> [port <port>]
- To configure the local interface for source IP, VRF
information:
switch(config-monitor-security-awake-nucleus-<name>)# [no|default] local interface <local-interface>
- To configure SSL
profile:
switch(config-monitor-security-awake-nucleus-<name>)# [no|default] ssl profile <profile-name>
Loopback Interface Configuration
switch(config)# interface Loopback0
switch(config-if-Lo0)# ip address <ip>[/n] [ip subnet mask]
Configuration Examples
switch# Generate SSL client key
switch# security pki key generate rsa 2048 client-key
switch# show management security ssl key client-key
…
switch# Generate SSL client certificate
switch# security pki certificate generate self-signed client-cert key client-key generate rsa 2048 parameters common-name SwitchName country US state CA locality "Santa Clara" organization Arista organization-unit IT
certificate:client-cert generated
switch# show management security ssl certificate client-cert
…
switch# Copy SSL client certificate to AVA nucleus
switch# copy certificate:client-cert <destination>
switch# Copy AVA nucleus certificate onto Switch
switch# copy terminal: certificate:ca-cert
enter input line by line; when done enter one or more control-d
….
Copy completed successfully.
switch# show management security ssl certificate ca-cert
…
# Create SSL profile with client-key, client-cert and ca-cert
switch(config)# management security
switch(config-mgmt-security)# ssl profile awake-nucleus
switch(config-mgmt-sec-ssl-profile-awake-nucleus)# certificate client-cert key client-key
switch(config-mgmt-sec-ssl-profile-awake-nucleus)# trust certificate ca-cert
switch(config-mgmt-sec-ssl-profile-awake-nucleus)# end
# Enable IP routing
switch# conf
switch(config)# ip routing
# Configure monitor security awake and enable
switch(config)# monitor security awake
switch(config-monitor-security-awake)# monitor-point identifier 1
switch(config-monitor-security-awake)# nucleus awake-nucleus
switch(config-monitor-security-awake-nucleus-awake-nucleus)# local interface Management 1
switch(config-monitor-security-awake-nucleus-awake-nucleus)# destination nucleus1.foo.com
switch(config-monitor-security-awake-nucleus-awake-nucleus)# ssl profile awake-nucleus
switch(config-monitor-security-awake-nucleus-awake-nucleus)# exit
switch(config-monitor-security-awake)# no disabled
switch(config-monitor-security-awake)# end
…
management security
ssl profile awake-nucleus
certificate client-cert key client-key
trust certificate ca-cert
…
ip routing
…
monitor security awake
nucleus awake-nucleus
local interface Management1
destination nucleus1.foo.com
ssl profile awake-nucleus
no disabled
management security
ssl profile awake-nucleus1
certificate client-cert key client-key1
trust certificate system
ssl profile awake-nucleus2
certificate client-cert key client-key2
trust certificate root-cert2
monitor security awake
topic packet-analysis-sessions
monitor-point identifier 10
flow table size 153600 entries
!
nucleus nucleus1
local interface Loopback10
destination nucleus1.foo.com
ssl profile awake-nucleus1
nucleus nucleus2
local interface Management1
destination nucleus2.foo.com
ssl profile awake-nucleus2
no disabled
Upgrade eos and/or NDRSensor.swix Extension
- Disable the AVA sensor by configuring disabled under monitor security awake. This will stop the AVA switch sensor running on the switch.
- Uninstall
NDRSensor.swix
extension.switch# show installed-extensions NDRSensor.swix switch# no extension NDRSensor.swix switch# show extensions Name Version/Release Status Extension --------------------------------- -------------------- ----------- --------- NDRSensor.swix 4.30.1F/316201\ A, NI, B 8 29.4301F
- Remove
NDRSensor.swix
from boot extensions.switch# show boot-extensions NDRSensor.swix # Old extension needs to be removed from boot-extension switch# copy installed-extensions boot-extensions Copy completed successfully. switch# show boot # boot-extensions empty.
- Upgrade the eos image on the switch - Follow the steps to upgrade the eos image on the device as described in the eos configuration guide. Once the switch is back up and running.
- Install new
NDRSensor.swix
extension corresponding to the new eos image and copy it to boot-extensions. This step is the same as in the NDR Sensor Extension Installation. - Verify the AVA switch sensor is running by using the show monitor security awake command.
Show commands
- The following CLI command shows the status of the Monitor security Awake
feature:
switch# show monitor security awake [nucleus <nucleus>]
Exampleswitch# show monitor security awake Monitor security awake status: active Topic identifier: packet-analysis-sessions Monitor point identifier: 0 Flow table size: 16384 entries Flow table inactive timeout: 40.0 seconds Active interfaces: Et37,39,49 Nucleus: nucleus1 Status: connected VRF: default Local interface: Management1 (172.28.134.144) Destination: 10.243.93.139 port 9094 SSL profile: awake-nucleus1 Last established: 2 days, 19:58:23 ago
- The following CLI command shows the various counters of the Monitor security awake
feature:
switch# show monitor security awake counters [flows|ipfix|nucleus [<nucleus>]]
Exampleswitch# show monitor security awake counters Active flows: 269, RX packets: 8.943M (8943077) Flows created: 558.655K (558655), expired: 558.386K (558386) ipv4 flows: Application Flows Active Flows Created Flows Expired ----------------- ------------------ ----------------------- ----------------- DHCP 9 13.072K (13072) 13.063K (13063) DNS 53 279.857K (279857) 279.804K (279804) HTTP 5 34.759K (34759) 34.754K (34754) LDAP 0 15 15 NetBios 0 18 18 SMB 0 18 18 TLS/SSL 45 143.986K (143986) 143.941K (143941) Other 157 86.93K (86930) 86.773K (86773) IPv6 flows: Application Flows Active Flows Created Flows Expired ----------------- ------------------ ------------------- ------------- Nucleus: nucleus1 Activity records sent: 578.306K (578306), last sent 0:00:00 ago Progress records sent: 172.057K (172057), last sent 0:00:00 ago Last successful connection: 10:11:22 ago Successful connections: 11 Last connection failure: 10:11:51 ago Connection failures: 46 Activity records in queue: 0 Progress records in queue: 1 IPFIX counters: Exporter: 172.22.197.142 Source port: 36582 Observation domain ID: 1 Messages received: 379.455K (379455) Template records received: 208 Options template records received: 0 Data records received: 7.308M (7308225) Options data records received: 0 Unknown template ID errors: 0 Invalid IPFIX messages received: 0 Flow record queue full: 0
- The following CLI command shows the flow table snapshot of all the flows currently
active in the FlowWatcher
agent:
switch# show monitor security awake flow-table [detail]
This is a debugging command and can take some time to dump the snapshot of the current flow table.
Example 1:switch# show monitor security awake flow-table ipv4 flows: 5 Lower IP address Higher IP address Protocol Start Time Packets Bytes -------------------- --------------------- --------- --------------------------- -------- --------- 10.8.3.102:58119 87.98.179.150:6893 UDP 2022-03-09 21:54:00.447260 1 71 10.3.1.31:58554 10.5.10.2:1999 UDP 2022-03-09 21:54:00.493157 11 1358 10.3.1.61:34703 10.5.7.2:1999 UDP 2022-03-09 21:54:11.586934 29 11460 10.3.1.63:52498 10.5.6.2:1999 UDP 2022-03-09 21:54:18.397906 9 637 10.3.1.81:47766 10.5.13.2:1999 UDP 2022-03-09 21:54:00.411780 25 12606 IPv6 flows: 2 Lower IP address Higher IP address Protocol Start Time Packets Bytes -------------------------------- ----------------- -------- -------------------------- ------- ----- [fe80::10fd:3ded:b992:b0fe]:5353 [ff02::fb]:5353 UDP 2022-03-09 22:15:55.765183 14 3020 [fe80::186d:bd78:4904:679f]:5353 [ff02::fb]:5353 UDP 2022-03-09 22:15:55.765136 11 2647
Example 2:switch# show monitor security awake flow-table detail Flow table detail codes: L2H - Lower to higher IP address, H2L - Higher to lower IP address ipv4 Flows: 2 Flow: UDP 10.8.4.103:61591 - 87.98.179.248:6893 Start time: 2022-03-14 17:58:03.390968, Last packet time: 2022-03-14 17:58:10.874020 Packets L2H: 0, Bytes L2H: 0, Packets H2L: 1, Bytes H2L: 64 Flow: UDP 10.3.1.63:60835 - 10.5.12.2:1999 Start time: 2022-03-14 17:58:39.406626, Last packet time: 2022-03-14 17:58:40.207204 Packets L2H: 0, Bytes L2H: 0, Packets H2L: 35, Bytes H2L: 13692 IPv6 Flows: 2 Flow: UDP [fe80::7854:510f:c685:ff22]:57938 - [ff02::c]:3702 Start time: 2022-03-14 17:58:15.818269, Last packet time: 2022-03-14 17:58:15.818269 Packets L2H: 0, Bytes L2H: 0, Packets H2L: 1, Bytes H2L: 722 Flow: UDP [fe80::d065:deb9:d239:bed3]:61403 - [ff02::1:3]:5355 Start time: 2022-03-14 17:58:21.011325, Last packet time: 2022-03-14 17:58:21.011325 Packets L2H: 0, Bytes L2H: 0, Packets H2L: 2, Bytes H2L: 180
Limitations
NDRSensor.swix
is supported on 32-bit and 64-bit eos versions.- In an MLAG setup, the AVA switch sensor does not correlate bidirectional flows that are hashed to different MLAG peers.
- AVA switch sensor doesn’t correlate bidirectional flows that are NATed.
- When the AVA switch sensor is enabled, the TerminAttr agent will also process IPFIX
packets sent to the CPU, and the Traffic flows feature on the CloudVision portal is
automatically enabled, which can cause additional CPU usage on the switch. If the
"Traffic flows" feature is not required on ClouldVision, disable TerminAttr IPFIX
processing by adding the
-ipfix=false
argument toexec /usr/bin/TerminAttr
under thedaemon TerminAttr
configuration.
AVA Sensor commands
monitor security awake
When the monitor security awake command is enabled the FlowWatcher agent enables Hardware flow tracking with filter-based packet sampling, IP/IPv6 access lists, and mirroring features to receive the first few packets of every new flow and flow volume using IPFIX.
The no form of the monitor security awake command disables the monitor security awake feature from the running config.
NDRSensor.swix
extension on the system running a
supported eos version.Command Mode
Global Configuration
Command Syntax
monitor security awake
no monitor security awake
default monitor security awake
Example
switch(config)# monitor security awake
switch(config-monitor-security-awake)#
show monitor security awake
The show monitor security awake command displays the status of the Monitor security Awake feature on the switch.
Command Mode
EXEC
Command Syntax
show monitor security awake [nucleus nucleus]
Example
switch# show monitor security awake
Monitor security awake status: active
Topic identifier: packet-analysis-sessions
Monitor point identifier: 0
Flow table size: 16384 entries
Flow table inactive timeout: 40.0 seconds
Active interfaces: Et37,39,49
Nucleus: nucleus1
Status: connected
VRF: default
Local interface: Management1 (172.28.134.144)
Destination: 10.243.93.139 port 9094
SSL profile: awake-nucleus1
Last established: 2 days, 19:58:23 ago
show monitor security awake counters
The show monitor security awake counters command displays the various counters of the Monitor security awake feature on the switch.
Command Mode
EXEC
Command Syntax
show monitor security awake counters [flows | ipfix | nucleus [nucleus<>]]
Example
switch# show monitor security awake counters
Active flows: 269, RX packets: 8.943M (8943077)
Flows created: 558.655K (558655), expired: 558.386K (558386)
ipv4 flows:
Application Flows Active Flows Created Flows Expired
----------------- ------------------ ----------------------- -----------------
DHCP 9 13.072K (13072) 13.063K (13063)
DNS 53 279.857K (279857) 279.804K (279804)
HTTP 5 34.759K (34759) 34.754K (34754)
LDAP 0 15 15
NetBios 0 18 18
SMB 0 18 18
TLS/SSL 45 143.986K (143986) 143.941K (143941)
Other 157 86.93K (86930) 86.773K (86773)
IPv6 flows:
Application Flows Active Flows Created Flows Expired
----------------- ------------------ ------------------- -------------
Nucleus: nucleus1
Activity records sent: 578.306K (578306), last sent 0:00:00 ago
Progress records sent: 172.057K (172057), last sent 0:00:00 ago
Last successful connection: 10:11:22 ago
Successful connections: 11
Last connection failure: 10:11:51 ago
Connection failures: 46
Activity records in queue: 0
Progress records in queue: 1
IPFIX counters:
Exporter: 172.22.197.142 Source port: 36582 Observation domain ID: 1
Messages received: 379.455K (379455)
Template records received: 208
Options template records received: 0
Data records received: 7.308M (7308225)
Options data records received: 0
Unknown template ID errors: 0
Invalid IPFIX messages received: 0
Flow record queue full: 0