• Author : Tamas Plugor


TerminAttr most commonly used flags and sample configurations

Introduction
TerminAttr is the EOS state streaming telemetry agent, running as a single binary, that can stream to both CloudVision and 3rd party applications using gNMI. It has been bundled with every EOS release from 4.17.0F and above and it’s also available as a SWIX extension, which can be used to upgrade TerminAttr to the latest version. It is recommended to check the release notes for the latest recommended stable version and compatibility between EOS releases.
How to check which version of TerminAttr is running on EOS
As the release notes say, the minimum supported TerminAttr version on each EOS...

CloudVision 2020.2.0 Release TOIs

Key highlights for the CloudVision Portal release 2020.2.0 are:
• Flow Visibility in Topology View – visualize traffic flows based on source and destination Host, source and destination Port and protocol
• Compliance Dashboard enhancements – Bug acknowledgement, EOS extension check, events for CVE releases where devices are affected and print friendly option for the compliance dashboard
• Resource APIs – state based, resource-oriented APIs modeled in protobuf and accessed over gRPC, documented and supported via GitHub
• DPS IPSec Tunnels in Topology View
• Configuring CVP TerminAttr certificates (updated)
• eAPI over TerminAttr (updated)
• Updated Change Control UI and workflow – A more scalable and...

CVP RPM Installer

Introduction
With the 2018 release we introduced an installer script for CVP. The script will install CVP RPMs and initialize system services. The installer will deliver all packages to make a script-installed system identical to the corresponding OVA.
Requirements
Operating System
CVP Version            CentOS Version            ISO filename
2018.2.0 – 2018.2.2    CentOS Minimal 7.5.1804   CentOS-7-x86_64-Minimal-1804.iso
2018.2.3 – 2020.1.2    CentOS Minimal 7.6.1810   CentOS-7-x86_64-Minimal-1810.iso
2020.2 – 2021.1        CentOS Minimal 7.7.1908   CentOS-7-x86_64-Minimal-1908.iso
2021.2                 CentOS Minimal 7.9.2009   CentOS-7-x86_64-Minimal-2009.iso
Please do not update packages after minimal installation; the installer ships with all required updated RPMs. Installation may fail if packages not delivered by minimal install are...

How to modify the session timeout for the CVP UI

Description
By default the UI session timeout is 24 hours; in some environments security policies dictate a much lower value. This article will show you how to modify the default session timeout using the CLI (in future releases this will be available as a knob on the UI).
2020.3.x+
1. For local users like cvpadmin, edit /cvpi/conf/kubernetes/apiserver.yaml and add -authnoption=sessontimeout=600 (10 minutes timeout) under the other -authnoption flags, e.g.:
    ... <omitted>
    args:
    ...
        -authn=cert,session,certhdr
        -authnoption=sessionkey=/aeris/cert/ca.key
        -authnoption=servercert=/aeris/cert/server.crt
        -authnoption=serverprivatekey=/aeris/cert/server.key
        -authnoption=cacert=/aeris/cert/ca.crt
        -authnoption=certheadercacert=/ambassador/cert/tls.crt
        -authnoption=proxycn=ambassador-tls-origin
        -authnoption=enckeyfile=/aeris/key/cvpi.key
        -authnoption=sessontimeout=600
    <omitted>
Note: due to BUG 581197 in 2020.3.0, 2020.3.1 and 2021.1.0 the option name is sessontimeout instead of...

Understanding subscription paths for Open-source Telemetry streaming

Introduction
The purpose of this document is to understand how the subscription paths are constructed for our OpenConfig connector apps (ocprometheus, ockafka, octsdb, etc.) that communicate with TerminAttr and send telemetry data to 3rd party telemetry backends (Kafka, Prometheus, TSDB, Redis, Graphite, etc.). All our OpenConfig connectors are publicly available and can be found on the goarista GitHub repo: https://github.com/aristanetworks/goarista/tree/master/cmd
Most of these OpenConfig connectors use a YAML or JSON file which contains the paths they are supposed to subscribe to:
• ocprometheus
• octsdb
Others like ockafka, ocredis don’t support paths from a file, so you have to enumerate the...

Streaming EOS telemetry states to Prometheus

Introduction
Prometheus is one of the most popular open-source monitoring and alerting systems, which scrapes and stores numeric time series data over HTTP. It has a very flexible query language, can send alerts via alertmanager to various platforms and can be integrated easily with many open-source tools. For more details and use cases, please visit https://prometheus.io/docs/introduction/overview/
The purpose of this article is to show how easy it is to deploy and configure Prometheus and Grafana and configure Arista switches to send telemetry states to Prometheus using TerminAttr (EOS streaming telemetry agent) and one of the OpenConfig connectors that...

CVP AAA TACACS+ authorization with Cisco ISE

Introduction
We saw last time how to correctly integrate Aruba ClearPass CPPM with CVP so TACACS+ users can authenticate with the correct network role. The purpose of this document is to show the same for Cisco ISE (successor of ACS) TACACS+. Our goal is to make Cisco ISE send us the cvp-roles=network-admin attribute in the Authorization reply packet.
NOTE: If you are running CVP versions 2018.2.0 and 2018.2.1 you might hit BUG 345723, due to which in tacacs-provider authorization we are not checking for the TAC_PLUS_AUTHOR_STATUS_PASS_ADD flag. We can provide a binary patch...

ClearPass TACACS+ Authorization with CVP

Introduction
The purpose of this article is to learn how to correctly set up the TACACS+ service in Aruba ClearPass in order to successfully authenticate on the CVP GUI as a network admin. Our goal is to configure ClearPass Policy Manager [CPPM] to send us the cvp-roles=network-admin attribute in the TACACS+ Authorization reply packet. By default this does not happen, because cvp-roles is a custom attribute that has to be added to the TACACS+ dictionary on any type of TACACS+ implementation. Without this, the default role of network-operator will be allocated to the user, that...

Writing your own webhook relay – sending event alerts to Discord

Introduction
Starting from version 2018.2.0, CVP supports configuring event alerts, where receivers can be email, Slack, PagerDuty, webhooks and others. The purpose of this article is to demonstrate how easy it is to write your own webhook relay app that will forward alerts to your favorite webhook endpoint, in my case, a Discord channel. Discord is getting more and more popular, not only amongst gamers; lots of companies have also started to use it. I’ve been using it for a couple of years now, and it made sense...

