Author: Alexis Dacquay

BGP Peering – Configuration Best Practices – Security and Manageability

1) Introduction
This article provides suggestions for BGP peering configuration, with general best practices and some particular considerations for manageability and security.

2) Arista EOS Security – General
It is recommended to approach security not only specifically for BGP but to encompass other aspects of security for Arista EOS. More global security topics are covered in other articles, listed below. The present article focuses solely on...

Monitoring some agent’s memory utilisation

This article develops further https://eos.arista.com/introduction-to-managing-eos-devices-memory-utilisation/ authored by Colin MacGiollaEain, to bring the context to a specific agent’s memory utilisation and how to remediate.

1) Introduction
Monitoring the memory usage of specific EOS processes may be useful to detect which features consume the control-plane resources, as a first step to clarify whether this is normal behaviour or not. In abnormal circumstances the overall system may be running low on memory, in which case the culprit agent may be restarted, or some other agent may suffer a restart too (collateral damage) by the process scheduler. Examples...

Verify EOS 3rd party software versions

EOS includes a Linux kernel, GNU tools, and other 3rd party software. EOS makes use of some of this 3rd party software and you might want to verify the versions it runs. Note: not every 3rd party software package is actively used by default. If you have a particular concern in mind regarding a 3rd party software version then you must refer to the Arista security advisories page: https://www.arista.com/en/support/advisories-notices/security-advisories

3rd party software | Bash CLI command to verify the version | EOS 4.15.1F | EOS 4.17.1F | EOS 4.18.2F | EOS 4.20.10M | EOS 4.21.0F
Bash | bash --version | 4.1.16(1) | 4.3.42(1) | 4.3.42(1) | 4.3.42(1) | 4.3.42(1)
DNSmasq | dnsmasq -v | 2.59 | 2.59 | 2.59 | 2.77 | 2.77
...

Reachability Health Checks

1) Introduction
1.1) does_it_live.py
This article describes a script called does_it_live, used to monitor the health of network targets by testing IP reachability (by ICMP) and name resolution (by DNS). While some people might understand the Python code and find it self-explanatory and well documented, this article aims at making the use of the script more accessible without digging into the script itself.

1.2) Purpose
Ping is commonly used for manual health checks across a network, and in particular from a network device itself, to get a good picture of network health from its perspective. Obviously...

Alias – Simple yet powerful

About:
Alias mySimpleAlias <a maybe complicated command you would never remember>

Alias commands can be composed of multiple lines and embed variables. Below is an example of an alias used as a configuration template for automating configuration with just a few arguments. Such a template can satisfy complex configurations and be highly reusable. This high-level scripting or command bundling is simple to implement yet powerful.

The below example is a multi-line alias with variables (%<x>):

alias set-baremetal
!! Syntax : set-baremetal <INTF> <Po ID> <DESCR> <VLAN>
!! Example: set-baremetal e1,2 po1 “To Server...

Troubleshooting congestion – Investigating and taking corrective steps

1) Introduction
Congestion might not be obvious; it can be discovered reactively in disastrous situations, or proactively by collecting statistics from equipment and investigating symptoms shown by the applications and systems.

Deep buffers on switches are a blanket and effortless solution to the problem, but they might not be materially possible or justifiable everywhere on a network. This document discusses design considerations in case of congestion.

2) Measuring
The first step (which might seem obvious) for understanding potential issues is to translate symptoms such as slow, unresponsive, or poor performance into measurable and baselined metrics...

VXLAN Without Controller for Network Virtualization with Arista physical VTEPs

1) Introduction
This article assumes an understanding of VXLAN concepts. It aims at guiding the design and implementation of network virtualization with VXLAN, employing physical VTEPs. This controller-less design provides Layer 2 communication across a Layer 3 network for any Layer 2 Ethernet device. This solution guide addresses network virtualization for network teams that might not yet have a network virtualisation controller or cloud management platform (CMP), but want to benefit now from all the advantages of VXLAN. Without a network controller, the virtual switches will not participate natively in the VXLAN overlay setup; they would be configured the traditional way...

Hint – Naming ACLs for easier contextual help and auto-complete

You might like to name your ACLs with a prefix such as “ACL-”, so that when you type a question mark (‘?’) or TAB for auto-complete, you automatically get the ACL name without having to remember it (often a cause of typos).

Example:

Arista(config)#show ip access-lists ?      <==== asking for the ACL name <WORD>; not listing all the ACLs by default as there could be too many
  WORD     Access-list name
  summary  Access list summary
  >        Redirect output to URL
  >>       Append redirected output to URL
  |        Output modifiers
  <cr>
Arista(config)#show ip access-lists ACL?   <==== the contextual help now lists all the ACL...

Understanding Deduplication in Tap Aggregation (NPB)

1) What is deduplication?
Deduplication in the context of packet broker networks (Tap Aggregation) is the ability to detect duplicates of a packet, allowing only the first packet through and dropping the other copies of the same packet.

2) Hardware impacts the deduplication performance
Deduplication, like many features, requires certain hardware characteristics to be supported by the silicon (network processor), which is the foundation of hardware packet processing and forwarding in networking/Ethernet equipment. It allows matching packets, manipulating them, and making forwarding decisions in hardware.

2.1) Processing performance
The Arista switches are based on high performance network processors of different...

Tap solutions for Arista Tap Aggregation – Network Packet Broker

Arista Tap Aggregators are agnostic to the taps capturing the light signal, although the optical budget should remain a careful consideration, as with any optical media. Below is a selection of Tap vendors deployed by our customer base, in alphabetical order. Feel free to post a comment with your own favourite Tap supplier, if not listed here.

CableXpress: http://www.cablexpress.com/solutions/port-replication/
Comcraft (ProfiTAP): http://www.profitap.com/fiber-taps/
Corning Cable Systems (Pretium EDGE Tap module): http://catalog.corning.com/opcomm/en-US/catalog/MasterProduct.aspx?cid=pretium_EDGE_AO_module_web&pid=114264
Enlight Data: http://www.enlightdata.com/products.html
Garland Technology: http://www.garlandtechnology.com/products/network-taps
M2 Optics: http://www.m2optics.com/products/network-taps
Mimetrix: http://www.mimetrix.com/optical-taps.php
Tapics: http://www.tapics.us

Tip for Arista vEOS on VMware ESX 6

Note: This tip was discovered and shared by Sandy Breeze at Claranet.

Arista provides the EOS network operating system for test/lab virtual environments in the form of vEOS, either as a VMDK or a SWI (software image to install on an existing vEOS). With the vEOS VMDK as currently provided, thin provisioned to save on file size, ESX 4 and 5 work fine, but upon booting the vEOS VM under ESX 6 it will report “LZMA data is corrupt” and “system halted”, despite the image not being corrupted (you can verify the checksum). This issue may also manifest itself with an...

7150S NAT – Practical Guide – Source NAT – Dynamic

Introduction
This article presents Dynamic Source NAT, as part of a series of articles about Source NAT on the Arista 7150S with practical examples. It assumes an understanding of NAT and Source NAT. See the article Static Source NAT as the foundation for the present Dynamic Source NAT article.

The following topics are covered in this article:
Dynamic Source NAT with Pool
Dynamic Source NAT Overload

The following additional topics are covered in other articles:
Static Source NAT
Source NAT – Baseline
Static Source NAT – Unicast and multicast with routed ports
Static Source NAT – with SVI
Static Source NAT + ACL...

MTP12 Cheat Sheet for QSFP 40G SR4 Optical Cabling (and 100GBASE SR4)

1) Overview
This document explains the optical connectivity involved in 40G optical QSFP for short reach (40GBASE-SR4) on multimode fibres. The standard specifies MPO12 (or MTP12) as the connector to the SR4 QSFP, which traditionally employs 12 fibres, but 40G only needs 8 (4 pairs) to carry the 4 parallel bidirectional paths. You might know that QSFPs can be programmed to operate as 4 x 10G.

2) QSFP to QSFP light path on MTP12 cables
Notice in the below QSFP 40G SR4 transceiver that the connector is not LC but an MPO/MTP12 receptacle. You may also notice the...

LANZ – Tuning packet buffer monitoring thresholds – Gain the most adequate visibility to you

This article introduces LANZ briefly and then concentrates on explaining how you may want to tune the thresholds. Threshold tuning allows you to have the right level of visibility for your environment.

1) LANZ Introduction
LANZ on the Arista 7150S and other platforms provides trigger-based micro-burst visibility. This guarantees capturing congestion events, even the shortest, as compared with any hit-and-miss polling mechanism. For some other platform families whose hardware does not support trigger-based detection, the polling LANZ-lite alternative is available, still very useful but simply not as accurate. Refer to the manual for LANZ differences.

LANZ generated...

sFlow Generation for Legacy Networks with Tap Aggregation (NPB / Matrix switch)

sFlow is a standard hardware sampling mechanism available on all Arista platforms, providing rich statistical information on all ports. sFlow is available in Tap Aggregation mode, allowing additional use cases for Tap Aggregation beyond traffic analysis on analyzer tools:
Retro-fitting sFlow to legacy infrastructure
Distributed analysis

This article focuses on retro-fitting sFlow to legacy infrastructure.

1) sFlow vs Netflow
sFlow is a sampling mechanism implemented in hardware: widely available on non-legacy platforms, and widely supported on collectors/monitoring software. sFlow requires minimal local processing, which contrasts with Netflow, which is very CPU-intensive, making Netflow poorly suited for any high performance...

DANZ – Tap Aggregation optics / transceivers selection

This article clarifies certain criteria that are important to consider in the design of a Network Packet Broker (NPB) aggregating traffic from various sources. For distance reasons, the main type of media used in tap aggregation is optical (multimode or single mode); therefore this article mainly focuses on these media.

1) Understanding Optical Budgets
Multiple factors contribute to the degradation of optical signals:
Fiber attenuation
Insertion loss (e.g. connectors, patch panels and splices)
Fiber type mismatch (e.g. connecting 50/125 MMF to 62.5/125 MMF)
Over-bending of fibre plant
Intermediate passive devices (e.g. taps, attenuators or mode filters)

Media Type Approximate Loss...

DANZ Tap Aggregation – Basic settings – Before you start

Several Arista switches support the DANZ feature set for Tap Aggregation. The tap aggregation mode is a mere configuration (1-2 lines) that transforms a high performance L2/L3 switch into a Tap Aggregator (NPB). This mode requires certain considerations:

1) Tap aggregation – How to select the exclusive mode
The tap aggregation mode is exclusive to part of a switch or to the whole switch. Parts of the switch that are excluded from the Tap Aggregation mode can work either in full L2/L3 forwarding mode (normal switching mode) or in simple hub mode. The options available vary per platform, as per the below list....

Script example – Automating VXLAN deployments with EAPI

1) Introduction
This article describes briefly what is required to deploy overlay networks with VXLAN, but we assume a good understanding of the VXLAN fundamentals. To achieve such VXLAN deployments, multiple options exist, from simple but manual, to fully automated service chaining (orchestration) at the cost of having to also set up a Cloud Management Platform or a network virtualization controller. This article focuses on an easy option that is a good balance between simplicity of operation (automation) and simplicity of setting up (script ready to go).

2) Working towards automation: it is an evolution
This article is not providing...

DANZ Tap Aggregation – Filtering on inner Q-in-Q header, and stripping outer header – At the same time

This article documents the ability, for the Arista 7150S in Tap Aggregation mode, to selectively filter on the inner Q-in-Q header and also strip the outer header on egress, effectively allowing a granular selection of what Q-tagged traffic the tools will receive.

Let’s take as a traffic example some Q-in-Q traffic:
Outer Q-header (Eth-type 0x88a8) – STAG – VLAN ID = 100
Inner Q-header (Eth-type 0x8100) – CTAG – VLAN ID = 101, 102

Packet capture example for this Q-in-Q traffic:

7150S(config)#bash sudo tcpdump -nni mirror0
[...]
22:23:44.040896 00:ab:00:00:02:23 > 00:1c:73:86:00:69, ethertype 802.1Q-QinQ (0x88a8), length 1020: vlan 100, p...

7150S NAT – Practical Guide – Source NAT – Static

Introduction
This article presents Static Source NAT, as part of a series of articles about Source NAT on the Arista 7150S with practical examples.

The following topics are covered in this article:
Source NAT – Baseline
Static Source NAT – Unicast and multicast with routed ports
Static Source NAT – with SVI
Static Source NAT + ACL Match
Static Source NAT + PAT

The following additional topics are covered in other articles:
Dynamic Source NAT with Pool
Dynamic Source NAT Overload
Static Twice NAT
Static Twice NAT – With SVI
Troubleshooting
Tuning NAT

1) Source NAT –...