Aruba Pensando Policy and Services Manager 1.62.3-T User guide

Type
User guide
AMD Pensando
Policy and Services Manager
for Aruba CX 10000:
User Guide
October 2023
PSM for Aruba CX 10000 User Guide 2
Disclaimer
The information presented in this document is for informational purposes only and may contain technical
inaccuracies, omissions, and typographical errors. The information contained herein is subject to change and
may be rendered inaccurate for many reasons, including but not limited to product and roadmap changes,
component and motherboard version changes, new model and/or product releases, product differences
between differing manufacturers, software changes, BIOS flashes, firmware upgrades, or the like. Any
computer system has risks of security vulnerabilities that cannot be completely prevented or mitigated. AMD
assumes no obligation to update or otherwise correct or revise this information. However, AMD reserves the
right to revise this information and to make changes from time to time to the content hereof without obligation
of AMD to notify any person of such revisions or changes.
THIS INFORMATION IS PROVIDED ‘AS IS.” AMD MAKES NO REPRESENTATIONS OR WARRANTIES
WITH RESPECT TO THE CONTENTS HEREOF AND ASSUMES NO RESPONSIBILITY FOR ANY
INACCURACIES, ERRORS, OR OMISSIONS THAT MAY APPEAR IN THIS INFORMATION. AMD
SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY, OR FITNESS FOR ANY PARTICULAR PURPOSE. IN NO EVENT WILL AMD BE
LIABLE TO ANY PERSON FOR ANY RELIANCE, DIRECT, INDIRECT, SPECIAL, OR OTHER
CONSEQUENTIAL DAMAGES ARISING FROM THE USE OF ANY INFORMATION CONTAINED HEREIN,
EVEN IF AMD IS EXPRESSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
AMD, the AMD Arrow logo, Pensando and combinations thereof are trademarks of Advanced Micro Devices,
Inc. Microsoft® and Hyper-V® are registered trademarks of Microsoft Corporation in the US or other
jurisdictions. VMware ESXi, VMware vSphere® vMotion® and VMware vCenter® are trademarks of VMware.
Other product names used in this publication are for identification purposes only and may be trademarks of
their respective companies.
© 2022 2023 Advanced Micro Devices, Inc. All Rights Reserved.
amd.com/pensando
PPD22002
PSM for Aruba CX 10000 User Guide 3
Revision History
Version
Description
Date
1.0
First release
February 9, 2022
1.1
Miscellaneous updates
February 25, 2022
1.3
1.49.1-T
June 13, 2022
1.5
1.49.2-T
August 11, 2022
1.6
1.49.3-T: minor corrections,
caveat on disabling vSphere
DRS
September 2022
1.7
1.54.1-T: new features (see
Release Notes)
December 2022
1.7.1
1.54.2-T: minor errata fixes to
guide; no new functionality
February 2023
1.9
1.62.1-T: new features,
including policy distribution
targets, network address
translation (NAT), IP
collections.
May 2023
1.11
1.62.2-T Release: IPsec VPN
Tunnels
August 2023
1.12
1.62.3-T release: new
features including PSM
Hyper-V support, IPSec
MTU, session re-use, IPFIX
enhancements
October 2023
PSM for Aruba CX 10000 User Guide 4
Contents
Revision History 3
Introduction 11
Key Features 11
Related Documentation 12
Glossary 13
PSM Overview 15
Initial Deployment Workflow: High-Level Overview 17
PSM Object Model 17
Firewall Objects 17
Apps, Network Security Policy 18
Key PSM Objects 19
Labels 20
PSM Installation 21
Storage Considerations 21
Data Retention 22
PSM Installation on ESXi 23
PSM Installation on KVM 24
PSM Installation on Hyper-V 27
Installation Using Hyper-V Manager 27
Installation Using Windows Admin Center 36
Post-Installation on Hyper-V 36
Bootstrap the PSM Cluster 37
The PSM Graphical User Interface 40
Online Help 40
Searching 41
Global Icons 42
Server Certificate 44
API Capture 44
Create PSM User Authentication Policy and Users 46
PSM for Aruba CX 10000 User Guide 5
User Authentication Policy 46
Local User Lockout Policy 48
Role-Based Access Control (RBAC) 48
Roles 49
Role Binding 51
System Upgrade 52
AFC Upgrade 52
PSM Upgrade 52
Upload PSM Upgrade Bundle 52
Create Rollout 54
AOS-CX Upgrade 55
Configuration Snapshots 56
Associating a DSS with the PSM 57
AOS-CX CLI 57
ZTP 58
AFC 59
Verification 59
Decommissioning a DSS 60
Associating the PSM to Aruba Fabric Composer 63
Firewall Policy Functionality and Configuration 64
Considerations 64
VSX and Firewall High Availability 66
Supported Topologies 67
Connection Tracking 68
Firewall Policy Configuration 69
Create a VRF 69
Create a Network Security Policy 70
Rule Overlap Detection 72
Attach Policy to a Network 75
Create VRF on AOS-CX 75
Create VLAN on AOS-CX 76
PSM for Aruba CX 10000 User Guide 6
Understanding Firewall Policy Scaling Profiles 77
Switch Policy Scaling Profile 77
Verifying the Number of Rules Consumed in the Data Plane 81
Understanding Hierarchical Security Policy 88
Policy Enforcement 90
Configuration and Verification 93
Enable/Disable Individual Firewall Rules 95
Firewall Logging 97
Firewall Log Export Policy Configuration 98
Bind Export Policy to DSS 99
Firewall Log Record Format 101
Firewall Syslog Message Examples 103
Deduplication for Firewall Logs 105
Flow Export (IPFIX) 107
Step 1a: Enable Flow Export feature globally on the switch: 107
Step 1b: Set the source IP address of the exported IPFIX packet: 107
Step 2a: Configure the Flow Export policies under the “Tenants” -> “Flow Exportmenu in
PSM. 108
Step 2b: Applying a flow export policy at the DSS level 109
Step 2c: Apply the defined IPFIX flow-export-policy at the VRF level 110
Guidelines 111
Considerations 111
IP Flow Information Export (IE) Entities (1/3) 112
IP Flow Information Export (IE) Entities (2/3) 113
IP Flow Information Export (IE) Entities (3/3) 114
Configuring Apps 115
Protocol And Ports 116
ALG 117
DDoS Detection and Alerting: Maximum Sessions and CPS Limits 118
Maximum Session Limit 118
Maximum CPS 119
PSM for Aruba CX 10000 User Guide 7
Min and Max Values 120
Configuring the Maximum Sessions / CPS on a VRF via the PSM UI 120
Configuring the Maximum Sessions/CPS on a Network via the PSM UI 121
API Examples 122
Behavior on Reaching the Maximum Session Limit 124
Behavior on Reaching the Maximum CPS Limit 125
Implication of Configuring session-limit on an Active System 127
VSX Implications 127
Multiple ALG Types/Apps/Protocols in Firewall Policy Rules 129
Steps To Configure Rules With Multiple Proto-Ports Via the PSM UI 129
Steps to configure rules with multiple ALG types via the PSM UI: 129
API Examples 130
API Example: Policy with Rule Referencing Multiple ALG Types: 131
IP Protocols Support for Firewall Policy 132
UI Examples 133
API Examples 134
Session Reuse 136
Policy Distribution Targets 137
Adding a Switch to a PDT 138
IP Collections 139
Defining an IP Collection 139
Using an IP Collection 139
Caveats 141
Network Address Translation (NAT) 142
NAT in Data Center Design 142
NAT Policy Direction 142
Ingress NAT Policy 143
Egress NAT policy 143
Supported NAT Operations 143
Supported Static One-to-One NAT Types 144
Source NAT 144
PSM for Aruba CX 10000 User Guide 8
Destination NAT 145
Twice NAT 147
Configure NAT Policy on the PSM 148
Switch-Side Configuration: 148
Step 1: Preparing the DSS to be in border leaf mode 148
Step 2: Configuring interface persona 149
Step 3: Advertise the post NATed addresses in IGP 149
Step 1: Defining a policy distribution target (PDT) containing the border-leaf DSS
devices 150
On the PSM UI: 150
Step 2: Define and apply source NAT policies 151
Step 2a: Define a required NAT policy 151
Step 2b: Apply the NAT policy on the VRF 152
Considerations 152
Example: SNAT Flow on DSM 153
Example: NAT Rule Statistics 153
Step 3: Defining and applying destination NAT 154
Step 3a: Defining a destination NAT policy 154
Step 3b: Apply the NAT policy on the VRF 155
Step 3c: Defining a destination NAT policy with both DIP and DPORT translation 156
Step 3d: Apply the defined DNAT policy on the VRF for enforcement 156
Step 3e: Defining a twice NAT policy with SIP, DIP and DPORT translation 158
Caveats 159
Stateful Firewall Flow Migration with vMotion 160
Considerations for Multi-Homed ESX Servers 161
Behavior with Flow Logs and Flow Statistics 161
Configuration 162
DSS Required AOS-CX CLI Configuration 163
Caveats 164
Configuring IPsec VPN Tunnels 165
Overview 165
PSM for Aruba CX 10000 User Guide 9
IPsec Functionality Overview 165
IPsec Topology Designs 165
IPsec Active/Active with VSX: 166
IPsec Active/Standby with VSX 167
IPsec Supported Modes and Crypto Options 168
Order of Operation with Service Chaining of FW, NAT and IPsec services 170
IPsec Configuration Workflow 171
Prerequisite Configuration On the Switch 171
Configure IPsec VPN Tunnel on standalone switch (no-HA mode) 173
VSX Requirement For IPsec 177
Configure IPsec VPN With Active Standby Failover 177
Configure IPsec VPN With Active/Active Failover 184
QoS Support over IPsec VPN Tunnels 187
QoS classification 187
Encrypt direction 187
Decrypt direction 187
Inner DSCP to outer DSCP copy 188
QoS Policing 188
QoS Shaping 189
Monitor IPsec VPN Tunnels with the PSM 189
Troubleshooting IPsec VPN Tunnels With the PSM 195
Duplicate SAs Scenarios 197
Caveats 197
Monitoring the DSM via the PSM UI 200
Metrics Charts 203
Alerts and Events 207
PSM Automation 208
Python Language Bindings 208
Ansible Modules 208
REST API 210
Tech Support Collection 211
PSM for Aruba CX 10000 User Guide 10
Appendix A: PSM Quorum High Availability 213
Appendix B: PSM Operational Network Ports 213
Appendix C: Configuring Microsegmentation in Non-AFC Environments 217
Topology 217
Configuration on the DSS 218
Global Config Mapping the Primary and Secondary VLAN 218
Host-Facing Interface Configured as Regular Trunk, Allowing Both Primary and
Secondary VLAN 218
SVI Config on Primary with Local Proxy ARP 219
Configuring VMware (ESXi) 219
Configuration on the PSM 219
Appendix D: Saving the PSM Recovery Key 220
Saving the Key 221
Recovering the Cluster 221
Appendix E: Using the PSM Network Graph to Create Security Policies 223
First Method 223
Second Method 233
PSM for Aruba CX 10000 User Guide 11
Introduction
This guide describes how to install and operate the AMD Pensando Policy and Services
Manager (PSM) to manage the stateful services of the Aruba CX 10000 with AMD Pensando
distributed services switch (abbreviated as either CX 10000 or DSS).
The PSM can be accessed via the IP address or host name of any of the PSM cluster nodes
or, if a load balancer is being used, the IP address or host name presented by the load
balancer. In this document, the PSM address will be referenced as either $PSMaddr when
used in the context of shell commands or scripts, or as PSMaddr in other examples.
The PSM is managed through either its browser-based GUI or its secure RESTful API. Most
examples in this document show the GUI, which is accessible at the URI
https://PSMaddr .
Key Features
Core functionality supported includes:
Distributed stateful firewall
Microsegmentation (using PVLAN)
DDoS detection and alerting
Firewall logging and metrics
Network address translation (NAT)
IPsec VPN Tunnels
IPFIX
Full AOS-CX routing and switching feature set
(see AOS-CX documentation for further details)
1
Fabric and services orchestration with AFC and PSM
1
https://www.arubanetworks.com/techdocs/AOS-CX/help_portal/Content/ArubaTopics/Switches/10000.htm
PSM for Aruba CX 10000 User Guide 12
Related Documentation
Aruba CX 10000 Switch Series Installation and Getting Started Guide
PSM Release Notes
Release notes for AOS-CX and Aruba Fabric Composer (AFC)
Aruba Fabric Composer User Guide
AOS-CX Feature Guides
Aruba transceiver data sheet
Aruba documentation can be found at the Aruba 10000 Switch Series documentation portal.
See the Aruba Support Portal for details on feature support.
Review the PSM release notes for details and information about new features, known issues,
fixed bugs, and supported servers, cables, and switches.
PSM for Aruba CX 10000 User Guide 13
Glossary
Name
AFC
AOS-CX
BFD
CoPP
Data traffic
DSE
DSM
DSS
Egress
Ingress
ISL
Management and control traffic
Table 1: Glossary of terms (1/2)
PSM for Aruba CX 10000 User Guide 14
Name
Persona
PVLAN
PSM
VHD
VRF
VSX
ZTP
Table 1: Glossary of terms (2/2)
PSM for Aruba CX 10000 User Guide 15
PSM Overview
The AMD Pensando Policy and Services Manager is a programmable, secure, highly
available, centralized system for managing infrastructure policy, with capabilities for:
Deploying and controlling distributed firewall security, IPsec, NAT and other functions
Telemetry and analytics
Troubleshooting
Operations and maintenance: events, alerts, technical support
Authentication, authorization, and accounting (AAA)
The PSM is designed to establish and manage consistent policies for a number of Distributed
Services Switches. (Refer to the Aruba CX 10000 Release Notes for current support limits.)
The PSM operates as a 3-node quorum-based cluster running on virtual machines (VMs)
hosted on multiple servers for fault tolerance. A PSM cluster can tolerate the loss of one
controller node and continue to maintain full service. The PSM cluster is not involved in data
path operations; if it becomes unreachable or multiple nodes fail, there will be no impact on
data traffic and stateful services on the DSSes it manages.
Figure 1 is a diagram of the interconnection between the PSM and the switches it manages;
interactions take place through an IP network.
Figure 1. PSM/DSS management plane
PSM for Aruba CX 10000 User Guide 16
Each DSS is configured with an IP address that is used for communication with its associated
PSM over any IP network. This is referred to as its management address.
Each DSS runs an agent which constantly watches for incoming configuration changes upon
which it must take action.
The PSM employs an intent-based configuration management structure, similar to Kubernetes.
Any configuration changes are continuously monitored within the PSM until it has been
confirmed that the changes have been propagated to all DSSes. The PSM resends
configuration requests until the desired state is reported back from each DSS, as shown in
Figure 2:
Figure 2. Working principles of intent-based configuration
Intent is expressed in terms of policies established for firewall and flow telemetry.
PSM for Aruba CX 10000 User Guide 17
Initial Deployment Workflow: High-Level Overview
This is an outline of the steps necessary for initial deployment of a PSM cluster and its
associated DSSes. Detailed steps are provided further below in this document.
Install the PSM
Install the PSM software on either an ESX-based or KVM-based 3-node cluster.
Configure the PSM using the bootstrap_PSM.py utility.
Save a copy of the PSM recovery key on a different server from PSM, in case the
PSM needs to be rebuilt later as part of disaster recovery. (Refer to Appendix D
for more details)
Set the PSM user authentication policy, and create PSM users with appropriate
roles.
DSS Configuration
For each DSS:
Plan for one additional IP address allocated to each DSS as a management
interface, configured either from its host or via DHCP.
Associate each DSS to the PSM
Admit the DSS into its PSM cluster. The PSM can be configured to do this
automatically.
Installation of the PSM cluster is a one-time activity; other procedures may be performed
during initial installation, but will also be part of the standard operation of the PSM, performed
as more DSSes are added.
PSM Object Model
The PSM’s intent-based paradigm relies on the PSM object model described in this section.
Firewall Objects
The primary firewall objects are illustrated in Figure 3. The NSPRule (Network Security Policy
Rule) specifies the firewall behavior, but is not a managed object itself. Instead, the
NetworkSecurityPolicy
2
is the managed object that contains an array of NSPRule
specifications.
2
Refer to the Release Notes for the number of NetworkSecurityPolicy objects supported.
PSM for Aruba CX 10000 User Guide 18
Figure 3. PSM primary firewall objects: NetworkSecurityPolicy, NSPRule, and App
Apps, Network Security Policy
In PSM terminology, an App is a service defined either by a protocol/port pair, or by an
application level gateway (ALG) for any of several predefined apps. A Network Security Policy
is a collection of firewall rules governing App connectivity.
PSM for Aruba CX 10000 User Guide 19
Key PSM Objects
Table 3 contains sample key PSM objects. For a complete list, refer to the REST API online
help available through the PSM GUI.
Object
Description
Distributed
Services
Entity
Entity is a synonym for switch identified by switchname,
automatically assigned when a DSS is admitted. Each DSS
contains two Distributed Services Modules (DSM).
Tenant
Individual tenant, supporting future multi-tenancy. Currently
only “defaultis supported.
VRF
Virtual Routing and Forwarding. Collection of subnets.
Identified by name
Network
A Network object represents a subnet for which security policy
is defined and enforced
Identified by a name
Contains a VRF, a VLAN ID and the associated ingress/egress
security policies to be enforced.
PolicyDistribu
tionTarget
Is defined by a list of switches to which a policy can be
selectively distributed to
Security
Policy
Stateful firewall security policies, defined between network
endpoints (IP:port:protocol or apps)
Identified by policy name
Contains one or more firewall rules
Firewall rules can contain IP collections
NAT Policy
Policy containing one or more NAT rules for SNAT, DNAT or
twice NAT defined in a static 1:1 format
Identified by policy name
Attached to VRF object with ingress/egress VRF attachment
options
IPsec Policy
Policy containing HA options for active-active and active-
standby
Identified by pair of tunnel definitions
Each tunnel contains crypto parameters for IKE and IPsec
Table 3. PSM objects (part 1/2)
PSM for Aruba CX 10000 User Guide 20
Object
Description
App
Describes the networking specification of an application,
service or traffic
Identified by name
Contains either:
List of Ports/Protocols
Application Layer Gateway (ALG)
Both
An App object is subsequently referred to by a SecurityPolicy
object
Firewall
Export Policy
Syslog destination for firewall logs
FlowExport
Policy
Provides the ability to export FW logs in IPFIX format to
external destination/IPFIX collector
Firewall
Profiles
Provides the ability to modify session idle timeout (stateless)
and TCP timeout (stateful)
Alert Policies
A collection of conditions that trigger operator alerts of a given
severity type. Triggered alerts are then sent to designated
syslog destinations
Event
Policies
The Event stream captures all configuration changes as well as
system state changes. All Events can be streamed to
designated syslog destinations.
Table 3. PSM objects (part 2/2)
Labels
Each object can be associated with one or more labels that can be used to refer to a group of
objects, which is a very effective way to enable “administration at scale”.
Note: Labels that begin with io.pensando are reserved for system use,
and cannot be created or modified by the user. if the user attempts to create
or modify an object's labels with a system label, the label will be silently
removed from the user configuration.
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9
  • Page 10 10
  • Page 11 11
  • Page 12 12
  • Page 13 13
  • Page 14 14
  • Page 15 15
  • Page 16 16
  • Page 17 17
  • Page 18 18
  • Page 19 19
  • Page 20 20
  • Page 21 21
  • Page 22 22
  • Page 23 23
  • Page 24 24
  • Page 25 25
  • Page 26 26
  • Page 27 27
  • Page 28 28
  • Page 29 29
  • Page 30 30
  • Page 31 31
  • Page 32 32
  • Page 33 33
  • Page 34 34
  • Page 35 35
  • Page 36 36
  • Page 37 37
  • Page 38 38
  • Page 39 39
  • Page 40 40
  • Page 41 41
  • Page 42 42
  • Page 43 43
  • Page 44 44
  • Page 45 45
  • Page 46 46
  • Page 47 47
  • Page 48 48
  • Page 49 49
  • Page 50 50
  • Page 51 51
  • Page 52 52
  • Page 53 53
  • Page 54 54
  • Page 55 55
  • Page 56 56
  • Page 57 57
  • Page 58 58
  • Page 59 59
  • Page 60 60
  • Page 61 61
  • Page 62 62
  • Page 63 63
  • Page 64 64
  • Page 65 65
  • Page 66 66
  • Page 67 67
  • Page 68 68
  • Page 69 69
  • Page 70 70
  • Page 71 71
  • Page 72 72
  • Page 73 73
  • Page 74 74
  • Page 75 75
  • Page 76 76
  • Page 77 77
  • Page 78 78
  • Page 79 79
  • Page 80 80
  • Page 81 81
  • Page 82 82
  • Page 83 83
  • Page 84 84
  • Page 85 85
  • Page 86 86
  • Page 87 87
  • Page 88 88
  • Page 89 89
  • Page 90 90
  • Page 91 91
  • Page 92 92
  • Page 93 93
  • Page 94 94
  • Page 95 95
  • Page 96 96
  • Page 97 97
  • Page 98 98
  • Page 99 99
  • Page 100 100
  • Page 101 101
  • Page 102 102
  • Page 103 103
  • Page 104 104
  • Page 105 105
  • Page 106 106
  • Page 107 107
  • Page 108 108
  • Page 109 109
  • Page 110 110
  • Page 111 111
  • Page 112 112
  • Page 113 113
  • Page 114 114
  • Page 115 115
  • Page 116 116
  • Page 117 117
  • Page 118 118
  • Page 119 119
  • Page 120 120
  • Page 121 121
  • Page 122 122
  • Page 123 123
  • Page 124 124
  • Page 125 125
  • Page 126 126
  • Page 127 127
  • Page 128 128
  • Page 129 129
  • Page 130 130
  • Page 131 131
  • Page 132 132
  • Page 133 133
  • Page 134 134
  • Page 135 135
  • Page 136 136
  • Page 137 137
  • Page 138 138
  • Page 139 139
  • Page 140 140
  • Page 141 141
  • Page 142 142
  • Page 143 143
  • Page 144 144
  • Page 145 145
  • Page 146 146
  • Page 147 147
  • Page 148 148
  • Page 149 149
  • Page 150 150
  • Page 151 151
  • Page 152 152
  • Page 153 153
  • Page 154 154
  • Page 155 155
  • Page 156 156
  • Page 157 157
  • Page 158 158
  • Page 159 159
  • Page 160 160
  • Page 161 161
  • Page 162 162
  • Page 163 163
  • Page 164 164
  • Page 165 165
  • Page 166 166
  • Page 167 167
  • Page 168 168
  • Page 169 169
  • Page 170 170
  • Page 171 171
  • Page 172 172
  • Page 173 173
  • Page 174 174
  • Page 175 175
  • Page 176 176
  • Page 177 177
  • Page 178 178
  • Page 179 179
  • Page 180 180
  • Page 181 181
  • Page 182 182
  • Page 183 183
  • Page 184 184
  • Page 185 185
  • Page 186 186
  • Page 187 187
  • Page 188 188
  • Page 189 189
  • Page 190 190
  • Page 191 191
  • Page 192 192
  • Page 193 193
  • Page 194 194
  • Page 195 195
  • Page 196 196
  • Page 197 197
  • Page 198 198
  • Page 199 199
  • Page 200 200
  • Page 201 201
  • Page 202 202
  • Page 203 203
  • Page 204 204
  • Page 205 205
  • Page 206 206
  • Page 207 207
  • Page 208 208
  • Page 209 209
  • Page 210 210
  • Page 211 211
  • Page 212 212
  • Page 213 213
  • Page 214 214
  • Page 215 215
  • Page 216 216
  • Page 217 217
  • Page 218 218
  • Page 219 219
  • Page 220 220
  • Page 221 221
  • Page 222 222
  • Page 223 223
  • Page 224 224
  • Page 225 225
  • Page 226 226
  • Page 227 227
  • Page 228 228
  • Page 229 229
  • Page 230 230
  • Page 231 231
  • Page 232 232
  • Page 233 233
  • Page 234 234
  • Page 235 235
  • Page 236 236
  • Page 237 237
  • Page 238 238
  • Page 239 239
  • Page 240 240
  • Page 241 241
  • Page 242 242
  • Page 243 243
  • Page 244 244

Aruba Pensando Policy and Services Manager 1.62.3-T User guide

Type
User guide

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI