MSS-G with Dynamic Configuration from Forescout
Using Forescout, an MSS-G configuration can be pushed automatically to CloudVision. This section covers the use of Forescout eyeSegment for policy definition and eyeSight for segment assignment. These systems produce an MSS-G configuration that is dynamic: it is visible on CloudVision, but it bypasses the CLI on the switches and therefore does not appear in the device running config. The integration has two parts:
- host to segment mapping in the Forescout console’s Policy Manager
- segment policy definition in Forescout eyeSegment
Both integration points are described below. Before deploying this integration, note that there is a terminology overlap:
- Arista MSS-G uses the terms “group” and “segment” interchangeably.
- The segments defined in the Forescout console under Tools > Segment Manager are static ranges designed to indicate areas of the network managed by Forescout and are unrelated to Arista MSS-G segments.
- The groups defined in the Forescout console Policy Manager are for organizing host/user/device taxonomy. Although it is possible through the Forescout Policy Manager to map each Forescout Group to an Arista MSS-G group, it is neither automatic nor required. In the majority of use cases, Forescout Groups will be hierarchical and not map directly to Arista MSS-G groups; instead, Arista MSS-G groups will be defined by Forescout Policies that may consider hosts/users/devices across several Forescout Groups.
Requirements
To configure MSS-G with Dynamic Configuration from Forescout the system must meet the following requirements:
- EOS 4.27.1F+
- TerminAttr 1.22+
- CloudVision 2022.1.1+
On the Forescout side:
- Continuum 8.4.0
- eyeSegment 5.18.0 (recommend 5.19.0)
- Forescout Arista MSS-G 1.0.0 module.
Limitations
Note the following limitations before configuring MSS-G with Dynamic Configuration from Forescout.
- Port matching: Policies are enforced based on IP address, and at this time there is no support for port or protocol matching.
- 60-segment limit: Arista CloudVision and EOS switches support a maximum of 60 segments.
- Single segmentation domain: All EOS switches participating in MSS-G receive all host-to-segment assignments transmitted from Forescout eyeSight to Arista CloudVision.
- Single VRF: The integration supports just a single Virtual Routing and Forwarding instance, or VRF. That VRF is configurable, but by default it uses the default VRF.
- Initial sync time: The initial transmission of host-to-segment assignments from CounterACT to CloudVision could take up to an hour, depending on the number of hosts, the number of CounterACT appliances, and the latency between CounterACT and CloudVision. It can be made much faster by enabling dynamic configuration on participating switches after CloudVision has received all initial segmentation configuration.
- Host scale: The integration supports up to 25,000 hosts in its initial phase.
- Enforcement point scale: The integration supports up to 100 enforcement points. Note that not all switches must be used as enforcement points. As long as traffic flows through an MSS-G capable enforcement point, policies will be enforced.
- Supported actions: Currently, the supported actions are forward and drop.
- IPv6: IPv6 is not currently supported in this integration.
- Wifi endpoints: To make the integration work with wireless clients, access points must be configured to forward traffic in the clear to an enforcement point.
Install the Arista MSS-G Module
Forescout’s Arista MSS-G module adds the ability to connect to CloudVision and adds an action to the Policy Manager for assigning an MSS-G segment ID.
The MSS-G module is an *.fpi file just like any other Forescout module.
Once installed, double-click on the Arista MSS-G module from the list and enter the CloudVision information:
Specify Group Assignments with Forescout Policy Manager
The Forescout Policy Manager can be used to assign a user/host/device to an Arista MSS-G segment. This function is available as an action inside any Forescout policy. The conditions for classifying an endpoint to a group within the Forescout Policy Manager can be advanced combinations of many pieces of data, including DHCP vendor class, DNS event, SNMP system uptime, OS version, Active Directory group, and many other factors. In the example below, other policies (not shown) have classified cameras into the “IOT-Camera” Forescout group.
In the following example, another policy is defined that assigns the Arista Segment ID of “IOT-Camera” to all the members of the Forescout “IOT-Camera” group. Note that although the example shows a matching Forescout group and Arista MSS-G segment name, this is not required. However, if groups are defined on Forescout and segment policies are defined on CloudVision, then it is mandatory to have matching names.
Define segment policies in eyeSegment
The Forescout eyeSegment interface can be used to define Arista MSS-G Segment policies. The Zones listed in each eyeSegment policy must match with Arista MSS-G group names being used by Forescout Policy Manager or CloudVision to map IP addresses to groups. Forescout eyeSegment policies that are to be exported to CloudVision must use “All” in the services field.
Select Export to Arista MSS-G to export eyeSegment policies into CloudVision. Check that the appropriate segment-policies show up in CloudVision’s network-wide Network Segmentation view. All Forescout eyeSegment policies must be exported at the same time. If a subset of policies is exported, previously exported eyeSegment policies not currently selected will be removed.
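The name-matching, “All” services, action, IPv4 and 60-segment rules above are easy to get wrong before an export. The following added example (not Arista’s or Forescout’s code; the dictionary shapes for assignments and policies are constructed for illustration and are not the Forescout export format) checks a policy set against those documented constraints:

```python
# Added example: pre-export sanity check of eyeSegment policies and host-to-segment
# assignments against the limitations documented for the Forescout MSS-G integration.
import ipaddress

MAX_SEGMENTS = 60                         # CloudVision/EOS limit stated in Limitations
SUPPORTED_ACTIONS = {"forward", "drop"}   # only actions the integration supports


def validate_export(assignments, policies):
    """assignments: {host_ip: mss_g_group}; policies: list of dicts with keys
    src, dst, services, action (constructed shapes). Returns a list of findings;
    an empty list means the set is consistent with the documented constraints."""
    findings = []
    groups = set(assignments.values())
    if len(groups) > MAX_SEGMENTS:
        findings.append(f"{len(groups)} segments exceeds the {MAX_SEGMENTS}-segment limit")
    for ip, group in assignments.items():
        try:
            if ipaddress.ip_address(ip).version != 4:
                findings.append(f"{ip} ({group}): IPv6 hosts are not supported")
        except ValueError:
            findings.append(f"{ip} ({group}): not a valid IP address")
    for i, p in enumerate(policies):
        # Port/protocol matching is unsupported, so services must be "All"
        if p.get("services") != "All":
            findings.append(f"policy {i}: services must be 'All' (no port/protocol matching)")
        if p.get("action") not in SUPPORTED_ACTIONS:
            findings.append(f"policy {i}: action {p.get('action')!r} is not forward/drop")
        # Zones in eyeSegment must match the MSS-G group names used for assignments
        for side in ("src", "dst"):
            if p.get(side) not in groups:
                findings.append(f"policy {i}: zone {p.get(side)!r} has no matching MSS-G group name")
    return findings


# Constructed sample data for a stand-alone run
SAMPLE_ASSIGNMENTS = {"10.1.1.10": "IOT-Camera", "10.1.2.20": "NVR"}
GOOD_POLICIES = [{"src": "IOT-Camera", "dst": "NVR", "services": "All", "action": "forward"}]
BAD_POLICIES = [{"src": "IOT-Camera", "dst": "Printers", "services": "TCP/554", "action": "log"}]

if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICIES), ("bad", BAD_POLICIES)):
        print(name, validate_export(SAMPLE_ASSIGNMENTS, pol))
```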
Enable OpenConfig on Arista switches
On participating, segmentation-enabled Arista devices, enable OpenConfig with the following commands:
>en
#conf
(config)#management api gnmi
(config-mgmt-api-gnmi)#transport grpc default
(config-gnmi-transport-default)#no shutdown
Enable Dynamic Configuration on Arista switches
Add the flag -cvconfig=true to the TerminAttr configuration on each participating switch:
(config)#daemon TerminAttr
(config-daemon-TerminAttr)#exec /usr/bin/TerminAttr -ingestgrpcurl=<address>:<port> -cvcompression=gzip -ingestauth=token,/tmp/token … -cvconfig=true
(config-daemon-TerminAttr)#no shut
Forescout with Studios
You may add a segmentation configuration via both CVP Studios and Forescout, if desired. However, the configuration should be non-overlapping.
One use-case is defining default policies. Forescout allows you to associate known hosts with segments, and will push segment-policies to CloudVision. However, it does not provide you a way to describe the desired forwarding behavior for unknown hosts. This may be important if, for example, you want to define the desired forwarding behavior between known hosts in the network and the Internet. In this case, you may define a segment with an IP prefix that captures the desired set of unknown hosts (possibly 0.0.0.0/0) and specify segment-policies between this default segment and other defined segments.
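To illustrate how a prefix-based default segment from Studios coexists with Forescout’s host assignments, the following added example (not Arista’s or Forescout’s code) models both as prefixes and resolves a host by longest-prefix match, so an explicit /32 assignment always wins over a 0.0.0.0/0 catch-all. It assumes longest-prefix resolution and a configurable fallback action when no segment-policy matches; the hosts, segments and policies are constructed data.

```python
# Added example: segment resolution with a Studios-defined default segment
# (0.0.0.0/0) alongside Forescout host-to-segment assignments, and policy lookup.
import ipaddress

# Constructed data: dynamic host assignments pushed by Forescout, modelled as /32s
HOST_ASSIGNMENTS = {"10.1.1.10/32": "IOT-Camera", "10.1.2.20/32": "NVR"}
# Constructed data: static prefix segments defined in CVP Studios (non-overlapping
# with the Forescout-managed hosts); 0.0.0.0/0 captures all unknown hosts
PREFIX_SEGMENTS = {"10.1.0.0/16": "Campus-Unknown", "0.0.0.0/0": "Internet"}
# Constructed segment-policies: (src segment, dst segment) -> action
POLICIES = {
    ("IOT-Camera", "NVR"): "forward",
    ("IOT-Camera", "Internet"): "drop",
    ("Campus-Unknown", "NVR"): "drop",
}


def resolve_segment(ip):
    """Longest-prefix match across host assignments and prefix segments (assumed
    resolution model). Returns None only if no prefix covers the address."""
    addr = ipaddress.ip_address(ip)
    best_net, best_seg = None, None
    for prefix, seg in {**PREFIX_SEGMENTS, **HOST_ASSIGNMENTS}.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_seg = net, seg
    return best_seg


def policy_action(src_ip, dst_ip, fallback="forward"):
    """Action for a flow between two hosts; `fallback` applies when no
    segment-policy exists for the pair (the default behaviour is an assumption)."""
    pair = (resolve_segment(src_ip), resolve_segment(dst_ip))
    return POLICIES.get(pair, fallback)


if __name__ == "__main__":
    for src, dst in (("10.1.1.10", "10.1.2.20"), ("10.1.1.10", "8.8.8.8"), ("10.1.9.9", "10.1.2.20")):
        print(src, "->", dst, resolve_segment(src), resolve_segment(dst), policy_action(src, dst))
```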