
Arista CloudEOS MultiCloud – CloudEOS Router in GCP Deployment Guide

Contents: Introduction; Overview; Prerequisites; Topology; GCP Login; VPC and its components; Create ‘Edge1’, ‘Leaf1’ and ‘Leaf2’ VPCs; Add Firewall Rules; Create VPC Peerings; Arista CloudEOS Instances and its Components; Create a New SSH Key; Instantiate a CloudEOS Router instance; Instantiate Linux instances; Update Routing Tables; Connect to the CloudEOS Router instances and Linux VM’s; CloudEOS Router configuration

Introduction: In this document we demonstrate deployment of Arista’s CloudEOS Router in Google Cloud Platform (GCP). The sections of this document follow the order of execution, so that order must be maintained for a successful deployment of Arista’s CloudEOS Router. Overview: Arista’s cloud infrastructure, both public and private, offers significant efficiencies that make it...

CloudVision Portal Hardening Guide

Contents: Introduction; CVP Default Settings; Choosing of passwords; Password selection for SSH login; Forcing root login via SSH key; Password selection for CVP UI login; Restrict Listening Ports; Default Listening Ports; Optional Services to Restrict; Logon Banner; Securing Web and gRPC Access; Choosing TLS Certificates; Restrict TLS Ciphersuites; Restrict TLS Version; Generate Diffie-Hellman Parameters; Disable older TLS Protocols; Role Based Access Control for CVP user interface; Appendix 1; Open Ports in CVP Cluster; Open Ports used by Prometheus Scraper for Health Monitoring

Introduction: This guide is provided as a starting point for securing CloudVision Portal, also known as CVP. The sections below discuss best practices such as non-default configurations, setup instructions, and the use of other monitoring systems. ...

Hardening and Security

Overview: An organisation’s communications infrastructure and the tools that surround it carry business-critical, high-value, commercially sensitive information, and are obvious targets for malicious actors attempting to compromise an organisation or exfiltrate its intellectual property. Arista Networks takes its role in ensuring ongoing security extremely seriously, through both secure manufacturing and supply and an ongoing commitment to vulnerability detection, mitigation and remediation. Product security must also be complemented by the implementation of product hardening best practices during the installation and operation of the infrastructure. The links provided below offer the latest best practice advice on a...

Pause – Revisit the Fundamentals – Rehearse, Rehearse, Rehearse

Contents: Why?; Measure the Existing; Experiment; Rehearse, Rehearse, Rehearse; Have Whiteboard, Will Travel; Sweet Success; Summary

Why? I’d like to think of this as a chapter in the manual of “CoNE.” Code of Network Ethics. OK, so I made that up. But it should be a thing, right? How many outages have you experienced where the original problem wasn’t nearly as impactful as the attempted fix? We have all experienced maintenance windows where we tried a fall-forward approach because we didn’t want to back out the change. And the fall- or fail-forward method cost us an extended maintenance window that bled into production time. The impact of...

Pause – Revisit the Fundamentals – Know Your Tools

Contents: Introduction; Why; Tools and Arista Switches; tcpdump; iPERF; Connectivity Monitor – Cloud Tracer; Event-Monitor; Summary; References

Introduction: Please. Pretty please. Pretty please with sugar on top. Do these pleas sound familiar when trying to buy tools for your network? Making a purchase for moving production traffic is easier. You may be able to quantify how much time can be saved with the purchase of a tool for automation, or for a tool with an integration focus. Easiest of all may be when proposing a self-service tool that unburdens the thin IT staff. How do you justify spending money on tools for a rainy day when the sun is...

Deploying Cloudvision Portal (CVP) on Proxmox VE

Contents: Introduction; Requirements; Preparing Images; Deploying Cloudvision Portal (CVP) on Proxmox VE; Known Limitations

Introduction: Proxmox is an open source server virtualization solution based on QEMU/KVM and LXC. You can manage virtual machines, containers, high availability clusters, storage and networks with an integrated, easy-to-use web interface or via the CLI. The purpose of this article is to assist in deploying Arista’s Cloudvision Portal (CVP) within Proxmox VE. The benefit of running CVP within Proxmox VE is that it offers an open source, subscription-free option for those who may not be able to afford proper VMware licensing for lab/demo deployments and/or would like to utilize...

Automate a Layer 3 MLAG Campus Stack With In-Band Management and Telemetry Using CVP

Contents: Overview; Introduction; Prerequisites; Assumptions for Running Automation; Running the Automation; Configlet Import; CVP Network Provisioning Preparation; Create Containers; Assign the ConfigletBuilder to the top level container; Configlet Builder Dialog for MLAG Stack Peers; Configlet Builder Dialog for MLAG Stack Members

Overview: One of the advantages Arista offers for campus switches is an automated approach to grouping campus closet switches together into a virtual stack via CloudVision Portal (CVP). This article covers a Configlet Builder that will automate the building of a Layer 3 Leaf Spine (L3LS) architecture integrated into the data center. Introduction: In a Data Center, switches are traditionally managed out-of-band, where the forwarding of management information is in...

Real-time DDoS Mitigation

Contents: Introduction; Leveraging Open-Source Tools; Topology; Sample Configuration; External Reference

Introduction: Arista has introduced BGP FlowSpec support to EOS in addition to its long-supported sFlow feature. This article demonstrates real-time DDoS mitigation using BGP Remote Triggered Black Hole (RTBH) and FlowSpec. Leveraging Open-Source Tools: DDoS Protect is an open source application running on the sFlow-RT real-time analytics engine. The software uses streaming analytics to rapidly detect and characterize DDoS flood attacks and automatically applies BGP remote triggered black hole (RTBH) and/or FlowSpec controls to mitigate their impact. The total time to detect and mitigate an attack is in the order of a second. The combination of standard telemetry (sFlow) and...

Troubleshooting filesystem full issues

Contents: Objective; Introduction; Scenarios; Continuous agent restarts on the system; A single agent file has grown too large; /mnt/flash becomes full due to a large output in tech-support; Deleted file contributing to filesystem getting full

Objective: This document describes scenarios that cause filesystems to fill up and suggests ways to free space in the occupied directories.

Introduction: At times it is observed that, after logging into the switch, EOS displays a warning message such as the following:

    Warning: the following filesystems have less than 10% free space left:
    tmpfs (on /var/core) 0% (0 Available)
    tmpfs (on /var/log) 0% (0 Available)
    Please remove configuration such as...

Achieving Optimal Timestamp Accuracy on 7150 Platforms

Background: The launch of the Arista 7150S in 2012 delivered the industry’s first product to offer high-speed networking with high-granularity packet timestamping in an Ethernet switch/router platform. This article reviews how timestamping has evolved since. Arista first conceived the capability so that the 7150S could meet an emerging network monitoring requirement: improving the ability of network analysis tools to reconstruct the proper order of traffic captured over the out-of-band (OOB) tap aggregation (aka network packet broker) infrastructure. Applying timestamps to packets at the network ingress ports of the...

Pause – Revisit the Fundamentals – OOB

Contents: Introduction; What was it?; What should it be?; What might it look like?; Example Diagram; The Basics; Access to the OOB; VPN to the OOB Network; OOB Dependencies; Leveling Up; Caring for the OOB network; Summary; References

Introduction: From your manager: “We have a greenfield data center project heading our way. I need you to start working on a design for two data centers. Each data center will be 10,000 square feet in size. We’ll need full network redundancy. It needs to support virtualized compute, physical compute, IP storage, load balancers, firewalls, an oversubscription ratio of 3:1 or better, horizontal cabling based on MMF and a set of Data Center Interconnect links...

Use CVP to Automate a POE L2 MLAG Stack with In-Band Management and Telemetry

Contents: Overview; Introduction; Prerequisites; Assumptions for Running Automation; Running the Automation; Configlet Import; CVP Network Provisioning Preparation; Create Containers; Assign Configlets to containers; Configlet Builder Dialog for MLAG Stack Peers; Configlet Builder Dialog for MLAG Stack Members

Overview: One of the advantages Arista offers for campus switches is an automated approach to stacking via CloudVision Portal (CVP), and this article covers a Configlet Builder that allows for this automation in a Layer 2 Leaf Spine architecture. Introduction: In a Data Center, switches are traditionally managed out-of-band, where the forwarding of management information is in a separate data path from the actual data center traffic. The management connections are via a...

VMWare NSX-T 3.0 EVPN Type 5 Integration with Arista Gateways

Contents: Introduction; Test Setup; Deploy vEOS Arista EVPN/VXLAN fabric and ESXi hosts; Deploy NSX-T Manager on ESXi3; Deploy NSX-T Edge VM; Configure BGP peering; Configure BGP Route Re-Distribution; Configure BGP peering on EOS external Gateway; Control Plane Verification; Data Plane Verification; Useful Links

Introduction: VMWare NSX-T 3.0 introduced support for EVPN Type-5 integration, which allows efficient multi-tenant L3 exchange between the VMWare NSX-T Edge and external gateways. The following diagram illustrates life before and after EVPN Type-5 support: instead of an 802.1q trunk interface with an L3 sub-interface per VRF, we can now have a single routed interface with just a single BGP EVPN session. This greatly reduces configuration overhead on...

VLAN Traffic Mirroring on R Series Products

Traffic can be mirrored to ports using the monitor syntax; however, the source of the mirrored traffic is limited to Ethernet and Port-channel interfaces. If there is a requirement to source a mirror from a specific VLAN across multiple ports, a different method is available as of EOS 4.20.5F or later on R series platforms, utilizing DirectFlow. Before DirectFlow can be configured, a new TCAM profile must be configured and applied:

    hardware tcam
       profile direct-flow-mirror-vlan
          feature flow
             key size limit 160
             key field dst-mac ether-type in-port src-mac vlan...

Streaming EOS telemetry states to InfluxDB

Contents: Introduction; Prerequisite; Installing InfluxDB and Grafana; If not using docker installation; Installing and Configuring octsdb for EOS; Octsdb configuration file; Configuring TerminAttr and octsdb daemon; Default VRF with CVP; Default VRF without CVP; VRF management with CVP; VRF management without CVP; VRF management without CVP and authentication; Flags for TerminAttr; Flags for octsdb; Verifying the Telemetry data in InfluxDB; Configuring Grafana; Creating Dashboards; Troubleshooting; Useful links; Example Configuration files

Introduction: The aim of this document is to help you deploy and configure InfluxDB, Grafana, and Arista EOS so that you can send telemetry states from the Arista switch to InfluxDB, using one of our OpenConfig connector applications, octsdb, which you can find on our GitHub page. Please note that these...

NCClient Example with EOS

Contents: Introduction; Configuring EOS; Example Python Function; Example RPCs; Conclusion

Introduction: Ncclient is a Python library that provides a set of tools to interact with and manipulate devices that support NETCONF server functionality. The goal of this article is to help users leverage ncclient effectively with EOS. This article outlines the use of ncclient to configure Arista devices using EOS CLI commands, as well as YANG-modelled data (and a combination of the two). This article is not intended to be a full tutorial on YANG or the YANG models EOS supports. Arista EOS strives to support open YANG models via support of OpenConfig models...

Inter-VRF Local Route leaking using VRF-leak Agent

Contents: Introduction; Platforms; Description; Configuration; Example of Complete Configuration; Verification; Important Notes; Additional Resource

Introduction: The use of Virtual Routing and Forwarding (VRF) to provide a level of segmentation is common practice. In order for traffic to pass between VRFs, a firewall is generally part of the design. However, situations exist where it is not desirable to place the traffic load between VRFs on the firewall. This article provides a basic solution to leak routes from one VRF to another, allowing select subnets to communicate directly. Platforms: EOS Switch Versions 4.22F and above. Description: The Inter-VRF local route leaking feature allows the leaking of routes from one VRF to...

Pause – Revisit the Fundamentals – ARP

Contents: Introduction; Evolving Tech; Overlays; Start with the RFCs; Reading beyond the RFCs; ARP; On the Wire; 2nd Level Questions; Summary; Continued Reading – Arista TOIs; Continued Reading – Other References

Introduction: Wow, networking technology really does continue to march along. If you wanted to be a lifelong learner, you definitely picked a great speciality. And face it, we all know the cool kids are the Network Engineers. In this article we’re not going to take a bunch of packet captures nor analyze the outputs of a dozen ‘show’ commands. There are plenty of documents for that already. Rather, this document, and the entire Pause series, looks to take a step...

BGP peering configuration examples for service providers

Service providers proficiently use BGP to deliver their services to their customers and communicate with their peers. This article features some design considerations and configuration examples to showcase how a service provider could use BGP and other functionality to operate their networks.

Contents: 1 BGP peering configuration example for service providers; 1.1 Service provider edge; 1.2 Service provider edge considerations; 1.2.1 Route policies for received prefixes; 1.2.1.1 Prefixes directly connected inside peering partner and stub AS customers; 1.2.1.2 Prefixes seen from stub AS connected to a peering partner; 1.2.1.3 Prefixes seen from neighboring AS networks also peering with each other; 1.2.2 Announcing prefixes; 1.2.2.1 Route maps, prefix lists...

Internet BGP peering examples for enterprises

Enterprises seeking redundancy for their Internet connectivity, and the agility to change service provider when needed, greatly benefit from having their own AS number and IP addresses that can be announced using their own BGP routers. This article features some design considerations and configuration to achieve this in a common enterprise scenario.

Contents: 1 Internet BGP peering examples for enterprises; 1.1 Enterprise edge; 1.2 Design choices; 1.2.1 Active/Active or Active/Passive; 1.2.2 Default route or full Internet table; 1.2.3 iBGP/IGP interaction or IGP default route originate; 1.2.4 Route reflector; 1.3 Enterprise BGP configuration examples; 1.3.1 Active/Passive with a full Internet table import; 1.3.2 Active/Passive with default route only from SPs; 1.3.3 Active/Active with...
