NDR Sensor
The NDR switch sensor, also called the Monitor Security Awake feature, provides deep network analysis by doing deep packet inspection of some or all packets of traffic forwarded by the switch. NDR continuously monitors enterprise devices, users, and applications no matter the location, even as IP addresses change, while maintaining a forensic record of past activities. This functionality can be enabled or disabled on the fly without impacting regular packet forwarding functionality.
NDR Switch Sensor Extension
NDR switch sensor extends EOS telemetry for network threat detection. The FlowWatcher agent RPMs are released as part of the NDRSensor.swix extension along with other RPMs that enable the NDR switch sensor functionality. Install the NDRSensor.swix extension on a system running a supported EOS version. After installing the extension, enable it using the monitor security awake command.
After enabling Monitor Security Awake, the FlowWatcher agent enables hardware flow tracking with filter-based packet sampling, IPv4 and IPv6 access lists, and mirroring features to receive the first few packets of every new flow and flow volume using IPFIX. It connects to the NDR Nucleus using SSL. The EOS FlowWatcher agent processes the most interesting packets of all the flows forwarded by the switch. The agent performs deep packet inspection (DPI) of the packets, computes flow volume using IPFIX data records, and generates activity records. The agent then sends the generated activity records to NDR Nucleus using Kafka over a TLS session. The NDR Nucleus then uses a combination of detection models to uncover malicious intent and provide the NDR functionality.
Platform Compatibility
- CCS-720DF-48Y
- CCS-720DP-24ZS
- CCS-720DP-48ZS
- CCS-720DP-48S
- CCS-720DT-48S
- CCS-720XP-24ZY4
- CCS-720XP-24Y6
- CCS-720XP-48Y6
- CCS-720XP-48ZC2
- CCS-720XP-96ZC2
- CCS-722XPM-48Y4
- CCS-722XPM-48Y8
- CCS-755
- CCS-758
- DCS-7010TX
NDR Sensor Extension Installation
If NDRSensor.swix is already installed and you are upgrading the EOS image or the extension, use the steps under Upgrading EOS and/or NDRSensor.swix Extension to uninstall the existing extension before installing the new one. After the switch returns to an active state with a supported EOS.swi, copy and install the NDRSensor.swix extension.
switch# copy <source>/NDRSensor.swix extension:
switch# extension NDRSensor.swix
switch# show extensions
Name Version/Release Status Extension
--------------------------------- -------------------- ----------- ---------
NDRSensor.swix 4.30.1F/316201\ A, NI, B 8
29.4301F
Copy NDRSensor.swix to boot-extensions.
switch# copy installed-extensions boot-extensions
Copy completed successfully.
Refer to Managing EOS Extensions for additional details on managing extensions on EOS.
Configuration
SSL Profile Configuration
switch(config)# management security
switch(config-mgmt-security)# ssl profile profile-name
switch(config-mgmt-sec-ssl-profile-awake-nucleus1)# certificate certificate-name key key-name
switch(config-mgmt-sec-ssl-profile-awake-nucleus1)# trust certificate system
The AVA Nucleus certificate can be self-signed or signed by a third party. For the self-signed case, the certificate must be copied onto the switch certificate: directory and configured using the trust certificate <certificate> command under the SSL profile configuration. If it is signed by a third party, the CA certificate of that third party needs to be copied onto the switch certificate: directory and configured using trust certificate <certificate>. If the third party is a common CA present in the system-supplied list of trusted CAs (most cases), then trust certificate system can be used, and no certificate needs to be copied over to the switch.
Refer to SSL certificate and key management for additional details on all SSL profile configuration parameters.
Generating SSL Key and Self-signed Certificate
- To create an SSL key on the switch:
switch# security pki key generate rsa 2048 key-name
- To show the SSL key generated:
switch# show management security ssl key key-name
- To generate a self-signed certificate on the switch, use the following CLI:
switch# security pki certificate generate self-signed certificate-name key key-name generate rsa 2048 [parameters … ]
Enter the certificate parameters interactively or use the parameters option to specify them inline. Once the SSL key and certificate are generated, they can be used in the ssl profile.
- The generated certificate needs to be copied to AVA Nucleus using either the more or copy command in the switch CLI.
switch# more certificate:certificate-name --> Will emit certificate on the switch console
switch# copy certificate:certificate-name destination --> To copy certificate to external location
Configuring Monitor Security Awake
- To configure the feature, enter the Monitor Security Awake Configuration Mode:
switch(config)# monitor security awake
- To configure the maximum flow table size as 20K entries, use the following command. The default flow table size consists of 16,000 entries. A change in the flow table size configuration restarts the FlowWatcher Agent.
switch(config-monitor-security-awake)# flow table size 20 entries
! The flow table size configuration change will cause the FlowWatcher agent restart and all active flows to be lost. Do you wish to proceed with this command? [y/N]
- To configure the Kafka topic name as MyKafkaTopic, use the following command. Monitor Security Awake uses packet-analysis-sessions as the default topic name.
switch(config-monitor-security-awake)# topic MyKafkaTopic
- To configure the monitor-point identifier (MPID) to identify a campus or a site, use the following command:
switch(config-monitor-security-awake)# monitor-point identifier 25
Every NDR sensor must be configured with a unique monitor-point identifier and provisioned in the Nucleus. NDR uses 0 as the default monitor point ID.
Multiple NDR switch sensors can be configured with the same monitor point identifier.
Displaying NDR Sensor Information
Use the show monitor security awake command:
switch# show monitor security awake
Monitor security awake status: active
Topic identifier: packet-analysis-sessions
Monitor point identifier: 0
Flow table size: 16384 entries
Flow table inactive timeout: 40.0 seconds
Active interfaces: Et37,39,49
Nucleus: nucleus1
Status: connected
VRF: default
Local interface: Management1 (172.28.134.144)
Destination: 10.243.93.139 port 9094
SSL profile: awake-nucleus1
Last established: 2 days, 19:58:23 ago
Configuring a Nucleus
- To configure the Nucleus with the name MyNucleus, enter the Monitor Security Nucleus Configuration Mode:
switch(config-monitor-security-awake)# nucleus MyNucleus
- To configure the Nucleus IP address, 192.168.168.1, and port 9094, use the following command. The Nucleus uses port 9094 by default.
switch(config-monitor-security-awake-nucleus-MyNucleus)# destination 192.168.168.1 port 9094
- To configure the local interface that supplies the source IP address and VRF for the Nucleus connection, use the following command:
switch(config-monitor-security-awake-nucleus-MyNucleus)# local interface Eth1
- Use the following command to configure an SSL profile with the name MyNucleusSSL:
switch(config-monitor-security-awake-nucleus-MyNucleus)# ssl profile MyNucleusSSL
Configuring an SSL Profile for a Nucleus Connection
Use the following commands to configure an SSL profile, MyNucleusSSL, with a self-signed certificate, MyCert, and a key, MyKey, on the switch:
switch(config)# management security
switch(config-mgmt-security)# ssl profile MyNucleusSSL
switch(config-mgmt-sec-ssl-profile-MyNucleusSSL)# certificate MyCert key MyKey
switch(config-mgmt-sec-ssl-profile-MyNucleusSSL)# trust certificate system
Configuring a Loopback Interface
switch(config)# interface Loopback0
switch(config-if-Lo0)# ip address 192.168.168.25
AVA Sensor Configuration Examples
# Generate SSL client key
switch# security pki key generate rsa 2048 client-key
switch# show management security ssl key client-key
…
# Generate SSL client certificate
switch# security pki certificate generate self-signed client-cert key client-key generate rsa 2048 parameters common-name SwitchName country US state CA locality "Santa Clara" organization Arista organization-unit IT
certificate:client-cert generated
switch# show management security ssl certificate client-cert
…
# Copy SSL client certificate to AVA nucleus
switch# copy certificate:client-cert <destination>
# Copy AVA nucleus certificate onto Switch
switch# copy terminal: certificate:ca-cert
enter input line by line; when done enter one or more control-d
…
Copy completed successfully.
switch# show management security ssl certificate ca-cert
…
# Create SSL profile with client-key, client-cert and ca-cert
switch(config)# management security
switch(config-mgmt-security)# ssl profile awake-nucleus
switch(config-mgmt-sec-ssl-profile-awake-nucleus)# certificate client-cert key client-key
switch(config-mgmt-sec-ssl-profile-awake-nucleus)# trust certificate ca-cert
switch(config-mgmt-sec-ssl-profile-awake-nucleus)# end
# Enable IP routing
switch# conf
switch(config)# ip routing
# Configure monitor security awake and enable
switch(config)# monitor security awake
switch(config-monitor-security-awake)# monitor-point identifier 1
switch(config-monitor-security-awake)# nucleus awake-nucleus
switch(config-monitor-security-awake-nucleus-awake-nucleus)# local interface Management 1
switch(config-monitor-security-awake-nucleus-awake-nucleus)# destination nucleus1.foo.com
switch(config-monitor-security-awake-nucleus-awake-nucleus)# ssl profile awake-nucleus
switch(config-monitor-security-awake-nucleus-awake-nucleus)# exit
switch(config-monitor-security-awake)# no disabled
switch(config-monitor-security-awake)# end
…
management security
ssl profile awake-nucleus
certificate client-cert key client-key
trust certificate ca-cert
…
ip routing
…
monitor security awake
nucleus awake-nucleus
local interface Management1
destination nucleus1.foo.com
ssl profile awake-nucleus
no disabled
management security
ssl profile awake-nucleus1
certificate client-cert key client-key1
trust certificate system
ssl profile awake-nucleus2
certificate client-cert key client-key2
trust certificate root-cert2
monitor security awake
topic packet-analysis-sessions
monitor-point identifier 10
flow table size 153600 entries
!
nucleus nucleus1
local interface Loopback10
destination nucleus1.network.com
ssl profile awake-nucleus1
nucleus nucleus2
local interface Management1
destination nucleus2.network.com
ssl profile awake-nucleus2
no disabled
Upgrading EOS and/or NDRSensor.swix Extension
- Disable the AVA sensor by configuring disabled under monitor security awake. This stops the AVA switch sensor running on the switch.
- Uninstall the NDRSensor.swix extension.
switch# show installed-extensions
NDRSensor.swix
switch# no extension NDRSensor.swix
switch# show extensions
Name Version/Release Status Extension
--------------------------------- -------------------- ----------- ---------
NDRSensor.swix 4.30.1F/316201\ A, NI, B 8
29.4301F
- Remove NDRSensor.swix from boot extensions.
switch# show boot-extensions
NDRSensor.swix
# Old extension needs to be removed from boot-extension
switch# copy installed-extensions boot-extensions
Copy completed successfully.
switch# show boot
# boot-extensions empty.
- Upgrade the EOS image on the switch. Follow the steps to upgrade the EOS image on the device as described in the EOS Configuration Guide.
- Install the new NDRSensor.swix extension corresponding to the new EOS image and copy it to boot-extensions. This step is the same as in the NDR Sensor Extension Installation.
- Verify that the AVA switch sensor is running by using the show monitor security awake command.
Show Commands
- The following CLI command displays the status of the Monitor Security Awake feature:
switch# show monitor security awake [nucleus <nucleus>]
Example
switch# show monitor security awake
Monitor security awake status: active
Topic identifier: packet-analysis-sessions
Monitor point identifier: 0
Flow table size: 16384 entries
Flow table inactive timeout: 40.0 seconds
Active interfaces: Et37,39,49
Nucleus: nucleus1
Status: connected
VRF: default
Local interface: Management1 (172.28.134.144)
Destination: 10.243.93.139 port 9094
SSL profile: awake-nucleus1
Last established: 2 days, 19:58:23 ago
- The following CLI command shows the various counters of the Monitor Security Awake feature:
switch# show monitor security awake counters [flows|ipfix|nucleus [<nucleus>]]
Example
switch# show monitor security awake counters
Active flows: 269, RX packets: 8.943M (8943077)
Flows created: 558.655K (558655), expired: 558.386K (558386)
IPv4 flows:
Application Flows Active Flows Created Flows Expired
----------------- ------------------ ----------------------- -----------------
DHCP 9 13.072K (13072) 13.063K (13063)
DNS 53 279.857K (279857) 279.804K (279804)
HTTP 5 34.759K (34759) 34.754K (34754)
LDAP 0 15 15
NetBios 0 18 18
SMB 0 18 18
TLS/SSL 45 143.986K (143986) 143.941K (143941)
Other 157 86.93K (86930) 86.773K (86773)
IPv6 flows:
Application Flows Active Flows Created Flows Expired
----------------- ------------------ ------------------- -------------
Nucleus: nucleus1
Activity records sent: 578.306K (578306), last sent 0:00:00 ago
Progress records sent: 172.057K (172057), last sent 0:00:00 ago
Last successful connection: 10:11:22 ago
Successful connections: 11
Last connection failure: 10:11:51 ago
Connection failures: 46
Activity records in queue: 0
Progress records in queue: 1
IPFIX counters:
Exporter: 172.22.197.142 Source port: 36582 Observation domain ID: 1
Messages received: 379.455K (379455)
Template records received: 208
Options template records received: 0
Data records received: 7.308M (7308225)
Options data records received: 0
Unknown template ID errors: 0
Invalid IPFIX messages received: 0
Flow record queue full: 0
- The following CLI command shows a snapshot of the flow table with all the flows currently active in the FlowWatcher agent:
switch# show monitor security awake flow-table [detail]
Use this debugging command to create a snapshot of the current flow table.
Example
switch# show monitor security awake flow-table
IPv4 flows: 5
Lower IP address Higher IP address Protocol Start Time Packets Bytes
-------------------- --------------------- --------- --------------------------- -------- ---------
10.8.3.102:58119 87.98.179.150:6893 UDP 2022-03-09 21:54:00.447260 1 71
10.3.1.31:58554 10.5.10.2:1999 UDP 2022-03-09 21:54:00.493157 11 1358
10.3.1.61:34703 10.5.7.2:1999 UDP 2022-03-09 21:54:11.586934 29 11460
10.3.1.63:52498 10.5.6.2:1999 UDP 2022-03-09 21:54:18.397906 9 637
10.3.1.81:47766 10.5.13.2:1999 UDP 2022-03-09 21:54:00.411780 25 12606
IPv6 flows: 2
Lower IP address Higher IP address Protocol Start Time Packets Bytes
-------------------------------- ----------------- -------- -------------------------- ------- -----
[fe80::10fd:3ded:b992:b0fe]:5353 [ff02::fb]:5353 UDP 2022-03-09 22:15:55.765183 14 3020
[fe80::186d:bd78:4904:679f]:5353 [ff02::fb]:5353 UDP 2022-03-09 22:15:55.765136 11 2647
Example
switch# show monitor security awake flow-table detail
Flow table detail codes: L2H - Lower to higher IP address, H2L - Higher to lower IP address
IPv4 Flows: 2
Flow: UDP 10.8.4.103:61591 - 87.98.179.248:6893
Start time: 2022-03-14 17:58:03.390968, Last packet time: 2022-03-14 17:58:10.874020
Packets L2H: 0, Bytes L2H: 0, Packets H2L: 1, Bytes H2L: 64
Flow: UDP 10.3.1.63:60835 - 10.5.12.2:1999
Start time: 2022-03-14 17:58:39.406626, Last packet time: 2022-03-14 17:58:40.207204
Packets L2H: 0, Bytes L2H: 0, Packets H2L: 35, Bytes H2L: 13692
IPv6 Flows: 2
Flow: UDP [fe80::7854:510f:c685:ff22]:57938 - [ff02::c]:3702
Start time: 2022-03-14 17:58:15.818269, Last packet time: 2022-03-14 17:58:15.818269
Packets L2H: 0, Bytes L2H: 0, Packets H2L: 1, Bytes H2L: 722
Flow: UDP [fe80::d065:deb9:d239:bed3]:61403 - [ff02::1:3]:5355
Start time: 2022-03-14 17:58:21.011325, Last packet time: 2022-03-14 17:58:21.011325
Packets L2H: 0, Bytes L2H: 0, Packets H2L: 2, Bytes H2L: 180
Limitations
- NDRSensor.swix is supported on 32-bit and 64-bit EOS versions.
- In an MLAG setup, the AVA switch sensor does not correlate bidirectional flows hashed to different MLAG peers.
- The AVA switch sensor doesn’t correlate bidirectional flows using NAT.
- After enabling the AVA switch sensor, the TerminAttr agent also processes IPFIX packets sent to the CPU, and automatically enables the Traffic flows feature on the CloudVision portal, which can cause additional CPU usage on the switch. If you do not require traffic flows on CloudVision, disable TerminAttr IPFIX processing by adding the -ipfix=false argument to exec /usr/bin/TerminAttr under the daemon TerminAttr configuration.
AVA Sensor Commands
monitor security awake
When the monitor security awake command is enabled the FlowWatcher agent enables Hardware flow tracking with filter-based packet sampling, IP/IPv6 access lists, and mirroring features to receive the first few packets of every new flow and flow volume using IPFIX.
The no form of the monitor security awake command disables the monitor security awake feature from the running config.
This command requires the NDRSensor.swix extension to be installed on the system running a supported EOS version.
Command Mode
Global Configuration
Command Syntax
monitor security awake
no monitor security awake
default monitor security awake
Example
switch(config)# monitor security awake
switch(config-monitor-security-awake)#
show monitor security awake
The show monitor security awake command displays the status of the Monitor Security Awake feature on the switch.
Command Mode
EXEC
Command Syntax
show monitor security awake [nucleus nucleus]
Parameters
- nucleus nucleus - Specify the Nucleus name to display information.
Example
switch# show monitor security awake
Monitor security awake status: active
Topic identifier: packet-analysis-sessions
Monitor point identifier: 0
Flow table size: 16384 entries
Flow table inactive timeout: 40.0 seconds
Active interfaces: Et37,39,49
Nucleus: nucleus1
Status: connected
VRF: default
Local interface: Management1 (172.28.134.144)
Destination: 10.243.93.139 port 9094
SSL profile: awake-nucleus1
Last established: 2 days, 19:58:23 ago
show monitor security awake counters
The show monitor security awake counters command displays the various counters of the Monitor Security Awake feature on the switch.
Command Mode
EXEC
Command Syntax
show monitor security awake counters [flows | ipfix | nucleus nucleus]
- flows - Displays information about flow counters.
- ipfix - Displays information about IPFIX counters.
- nucleus nucleus - Displays counters for a specified nucleus.
Example
switch# show monitor security awake counters
Active flows: 269, RX packets: 8.943M (8943077)
Flows created: 558.655K (558655), expired: 558.386K (558386)
IPv4 flows:
Application Flows Active Flows Created Flows Expired
----------------- ------------------ ----------------------- -----------------
DHCP 9 13.072K (13072) 13.063K (13063)
DNS 53 279.857K (279857) 279.804K (279804)
HTTP 5 34.759K (34759) 34.754K (34754)
LDAP 0 15 15
NetBios 0 18 18
SMB 0 18 18
TLS/SSL 45 143.986K (143986) 143.941K (143941)
Other 157 86.93K (86930) 86.773K (86773)
IPv6 flows:
Application Flows Active Flows Created Flows Expired
----------------- ------------------ ------------------- -------------
Nucleus: nucleus1
Activity records sent: 578.306K (578306), last sent 0:00:00 ago
Progress records sent: 172.057K (172057), last sent 0:00:00 ago
Last successful connection: 10:11:22 ago
Successful connections: 11
Last connection failure: 10:11:51 ago
Connection failures: 46
Activity records in queue: 0
Progress records in queue: 1
IPFIX counters:
Exporter: 172.22.197.142 Source port: 36582 Observation domain ID: 1
Messages received: 379.455K (379455)
Template records received: 208
Options template records received: 0
Data records received: 7.308M (7308225)
Options data records received: 0
Unknown template ID errors: 0
Invalid IPFIX messages received: 0
Flow record queue full: 0
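As an added example that is not part of this guide, the following Python parses the counters output in the format shown above and flags the conditions a sensor operator would watch for: a Nucleus that fails to connect more often than it succeeds, records backing up in the queue, and IPFIX receive errors. The sample text is constructed from the page's output format, and the thresholds in health_findings() are assumptions rather than EOS defaults.

```python
"""Health check over 'show monitor security awake counters' output. Added example, not
Arista code: SAMPLE is constructed from this guide's format; thresholds are assumptions."""
import re

SAMPLE = """\
Active flows: 269, RX packets: 8.943M (8943077)
Flows created: 558.655K (558655), expired: 558.386K (558386)
Nucleus: nucleus1
Activity records sent: 578.306K (578306), last sent 0:00:00 ago
Last successful connection: 10:11:22 ago
Successful connections: 11
Connection failures: 46
Progress records in queue: 1
IPFIX counters:
Exporter: 172.22.197.142 Source port: 36582 Observation domain ID: 1
Data records received: 7.308M (7308225)
Invalid IPFIX messages received: 0
Flow record queue full: 0
"""

# "Key: 558.655K (558655)": prefer the exact count in parentheses. The lookahead
# rejects timestamps ("10:11:22") and dotted IPs ("172.22.197.142") as values.
PAIR = re.compile(r"([A-Za-z][A-Za-z ]*?):\s*(\d+(?:\.\d+)?[KMG]?)(?![\d:.])(?:\s*\((\d+)\))?")


def to_int(approx, exact):
    """Exact count if EOS printed one, else expand the K/M/G abbreviation."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}.get(approx[-1], 1)
    return int(exact) if exact else int(round(float(approx.rstrip("KMG")) * mult))


def parse_counters(text):
    """Return {'global': {...}, 'nucleus:<name>': {...}, 'ipfix': {...}}."""
    sections, cur = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"Nucleus:\s*(\S+)", line)
        if m or line == "IPFIX counters:":
            cur = "nucleus:" + m.group(1) if m else "ipfix"
            continue
        for key, approx, exact in PAIR.findall(line):
            sections.setdefault(cur, {})[key.strip().lower()] = to_int(approx, exact)
    return sections


def health_findings(sections, max_queue=1000):
    """Flag conditions an operator should investigate (assumed thresholds)."""
    findings = []
    for name, s in sections.items():
        if name.startswith("nucleus:"):
            if s.get("connection failures", 0) > s.get("successful connections", 0):
                findings.append(f"{name}: connection failures exceed successful connections")
            queued = s.get("activity records in queue", 0) + s.get("progress records in queue", 0)
            if queued > max_queue:
                findings.append(f"{name}: {queued} records queued, Nucleus is not draining them")
    ipfix = sections.get("ipfix", {})
    for key in ("unknown template id errors", "invalid ipfix messages received",
                "flow record queue full"):
        if ipfix.get(key, 0):
            findings.append(f"ipfix: {key} = {ipfix[key]}")
    return findings
```

Feed it the text of show monitor security awake counters collected over eAPI or SSH; the page's own sample already trips the connection-failure check (46 failures against 11 successes).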