
Onboarding a switch in CVP

Contents: Description; Platform compatibility; Configuration; Show Commands; How to onboard a switch using CVP GUI?; What goes on during the onboarding process?; Troubleshooting onboarding/registration failures; 1. Switch unreachable via eAPI; 2. Unauthorized user; 3. EOF; 4. No route to host; 5. Unable to reach CVP from the device in any VRF; 6. “Error received from device” and “Timed out waiting for response from device”.

Description: This article explains how to onboard a switch in CVP 2019.1.x/2020.1.x and deep-dives into the registration process. It also covers the troubleshooting steps that can be taken if registration fails.

Platform compatibility: This feature...
Continue reading →

Launching CloudEOS in Azure with Terraform

Contents: Introduction; Diagram; Prerequisites; Provider Definition; Resource Group Definition; VNet Definition; Subnet Definition; Security Groups; Security Group Definition; Security Group Association; Public IP; Network Interface Definition; Route Table and Routes; Define Route Tables and Routes; Associate Subnets to the Route Tables; CloudEOS Definition; CloudEOS Instance; Sample Bootstrap Configuration for the CloudEOS Instance; Host; Sample Bootstrap Configuration for the Host; Output; Running the Terraform Script; Additional Arista Terraform Example Material.

Introduction: Enterprise cloud organizations are orchestrating environments in the cloud. This can be done with cloud-native tools such as AWS CloudFormation or Azure Resource Manager Templates. However, Terraform is winning enterprise mindshare as a cross-cloud orchestration system, and this post is an...
Continue reading →

Launching CloudEOS in AWS with Terraform

Contents: Introduction; Diagram; Prerequisites; Provider Definition; VPC Definition; Subnet Definition; Internet Gateway; Security Group Definition; Network Interface Definition; Route Table and Routes; Define the Route Table; Define the Routes; Associate Subnets to the Route Tables; EIP; CloudEOS Definition; CloudEOS Instance; Sample Bootstrap Configuration for the CloudEOS Instance; Host; Sample Bootstrap Configuration for the Host; Output; Running the Terraform Script; Additional Arista Terraform Example Material.

Introduction: Enterprise cloud organizations are orchestrating environments in the cloud. This can be done with cloud-native tools such as AWS CloudFormation or Azure Resource Manager Templates. However, Terraform is winning enterprise mindshare as a cross-cloud orchestration system, and this post is an example of a simple...
Continue reading →

Streaming EOS telemetry states to ELK stack using openconfigbeat

Contents: Introduction; Prerequisite; Adapters; Configuring ELK Stack; Installing and Configuring openconfigbeat for EOS; Configuration file for openconfigbeat; openconfigbeat.yml file permissions; Configuring TerminAttr and openconfigbeat daemon; Default VRF without CVP; Default VRF with CVP; VRF management without CVP; VRF management with CVP; VRF management without CVP and authentication; Setting up Kibana index pattern; Using native OpenConfig CLI and gRPC transport; Default VRF; VRF management; Troubleshooting; Example Configuration files.

Introduction: The purpose of this document is to help you set up an ELK (Elasticsearch/Logstash/Kibana) stack and stream EOS telemetry states from an Arista switch using openconfigbeat, which can stream gRPC updates from OpenConfig or TerminAttr directly into Elasticsearch. Please note that this app was written as a proof-of-concept and is...
Continue reading →

Commit Signing with Git at Enterprise Scale

Contents: What Does Git Need for Commit Signing at an “Enterprise” Scale?; What is commit signing like with Git today?; What Does Enterprise Scale Commit Signing Look Like?; How were the new features implemented?; Central Key Management; Validation of Signatures; Auditability of Signed Commits; Post-Mortem.

Git is one of the most ubiquitous version control systems in use today, seeing extensive usage in projects both around the world and within Arista. Every day, numerous Arista employees located around the world make commits to the codebase to fix bugs, add features, and save works in progress. The same scenario...
Continue reading →

How to build and install DPDKCap

Contents: Introduction; Assumptions; System used to validate performance; Build steps.

Introduction: DPDKCap is a high-performance packet capture tool based on DPDK. This guide explains how to build, install and use DPDKCap on a CentOS 7 based system. Arista fork: https://github.com/aristanetworks/dpdkcap

Assumptions: CentOS 7 Linux; NVMe capture drive (not mandatory, but recommended for line-rate capture); running as the root user; a CPU and NIC combination that supports DPDK.

System used to validate performance: Manufacturer: Supermicro; Part number: SYS-E300-8D; Processor: Intel Xeon CPU D-1518; Memory: 2x Micron 9ASF1G72PZ-2G3A1 8GB DIMMs; HDD: Samsung 860 PRO SSD 4TB; NVMe: Samsung 960 EVO 1TB.

Build steps: Create a directory...
Continue reading →

Syslog message generation on MAC table changes

This feature provides the ability to generate syslog messages for events related to MAC address entries being learnt or removed from the MAC address table on the switch. Here we leverage the following two key features of EOS: Event Monitor and Event Handler.

Contents: Platform compatibility; Configuration; Result; MAC Learning; MAC moves; MAC deletion; Limitation.

Platform compatibility: This feature is supported on all platforms.

Configuration: The following shows how to configure the event monitor and event handler to generate a syslog message for each MAC address entry learnt or removed from the eventmon database. 1) First of all, enable the event monitor on the switch with the help...
Continue reading →

Arista CloudEOS MultiCloud – CloudEOS Router in GCP Deployment Guide

Contents: Introduction; Overview; Prerequisites; Topology; GCP Login; VPC and its components; Create ‘Edge1’, ‘Leaf1’ and ‘Leaf2’ VPCs; Add Firewall Rules; Create VPC Peerings; Arista CloudEOS Instances and its Components; Create a New SSH Key; Instantiate a CloudEOS Router instance; Instantiate Linux instances; Update Routing Tables; Connect to the CloudEOS Router instances and Linux VMs; CloudEOS Router configuration.

Introduction: In this document we demonstrate deployment of Arista’s CloudEOS Router in Google Cloud Platform (GCP). The sections of this document are arranged in order of execution, so it is essential that this order is followed for a successful deployment of Arista’s CloudEOS Router.

Overview: Arista’s cloud infrastructure, both public and private, offers significant efficiencies that make it...
Continue reading →

CloudVision Portal Hardening Guide

Contents: Introduction; CVP Default Settings; Choosing of passwords; Password selection for SSH login; Forcing root login via SSH key; Password selection for CVP UI login; Restrict Listening Ports; Default Listening Ports; Optional Services to Restrict; Logon Banner; Securing Web and gRPC Access; Choosing TLS Certificates; Restrict TLS Ciphersuites; Restrict TLS Version; Generate Diffie-Hellman Parameters; Disable older TLS Protocols; Role Based Access Control for CVP user interface; Appendix 1; Open Ports in CVP Cluster; Open Ports used by Prometheus Scraper for Health Monitoring.

Introduction: This guide is provided as a starting point for securing CloudVision Portal, also known as CVP. The sections below discuss various best practices, including non-default configurations, setup instructions, and other monitoring systems. ...
Continue reading →

Hardening and Security

Contents: Overview; Hardening Guides; Other Security Topics.

Overview: An organisation’s communications infrastructure and the tools that surround it carry business-critical, high-value, commercially sensitive information and are obvious targets for malicious actors attempting to compromise an organisation or exfiltrate its intellectual property. Arista Networks takes its role in ensuring ongoing security extremely seriously, through both secure manufacturing and supply and an ongoing commitment to vulnerability detection, mitigation and remediation. Product security must also be complemented by product hardening best practices during the installation and operation of the infrastructure. The links provided below offer the latest best...
Continue reading →

Pause – Revisit the Fundamentals – Rehearse, Rehearse, Rehearse

Contents: Why?; Measure the Existing; Experiment; Rehearse, Rehearse, Rehearse; Have Whiteboard, Will Travel; Sweet Success; Summary.

Why? I’d like to think of this as a chapter in the manual of “CoNE”: the Code of Network Ethics. OK, so I made that up. But it should be a thing, right? How many outages have you experienced where the original problem wasn’t nearly as impactful as the attempted fix? We have all experienced maintenance windows where we tried a fall-forward approach because we didn’t want to back out the change, and the fall-forward (or fail-forward) method cost us an extended maintenance window that bled into production time. The impact of...
Continue reading →

Pause – Revisit the Fundamentals – Know Your Tools

Contents: Introduction; Why; Tools and Arista Switches; tcpdump; iPERF; Connectivity Monitor – Cloud Tracer; Event-Monitor; Summary; References.

Introduction: Please. Pretty please. Pretty please with sugar on top. Do these pleas sound familiar when trying to buy tools for your network? Making a purchase for moving production traffic is easier. You may be able to quantify how much time can be saved by purchasing a tool for automation, or a tool with an integration focus. Easiest of all may be proposing a self-service tool that unburdens a thin IT staff. How do you justify spending money on tools for a rainy day when the sun is...
Continue reading →

Deploying Cloudvision Portal (CVP) on Proxmox VE

Contents: Introduction; Requirements; Preparing Images; Deploying Cloudvision Portal (CVP) on Proxmox VE; Known Limitations.

Introduction: Proxmox is an open source server virtualization solution based on QEMU/KVM and LXC. You can manage virtual machines, containers, high-availability clusters, storage and networks with an integrated, easy-to-use web interface or via the CLI. The purpose of this article is to assist in deploying Arista’s Cloudvision Portal (CVP) within Proxmox VE. The benefit of running CVP within Proxmox VE is that it offers an open source, subscription-free option for those who may not be able to afford proper VMware licensing for lab/demo deployments and/or would like to utilize...
Continue reading →

Automate a Layer 3 MLAG Campus Stack With In-Band Management and Telemetry Using CVP

Contents: Overview; Introduction; Prerequisites; Assumptions for Running Automation; Running the Automation; Configlet Import; CVP Network Provisioning Preparation; Create Containers; Assign the ConfigletBuilder to the top level container; Configlet Builder Dialog for MLAG Stack Peers; Configlet Builder Dialog for MLAG Stack Members.

Overview: One of the advantages Arista offers for campus switches is an automated approach to grouping campus closet switches into a virtual stack via CloudVision Portal (CVP). This article covers a Configlet Builder that automates the building of a Layer 3 Leaf Spine (L3LS) architecture integrated into the data center.

Introduction: In a data center, switches are traditionally managed out-of-band, where the forwarding of management information is in...
Continue reading →

Real-time DDoS Mitigation

Contents: Introduction; Leveraging Open-Source Tools; Topology; Sample Configuration; External Reference.

Introduction: Arista has introduced BGP FlowSpec support to EOS in addition to its long-supported sFlow feature. This article demonstrates real-time DDoS mitigation using BGP Remote Triggered Black Hole (RTBH) and FlowSpec.

Leveraging Open-Source Tools: DDoS Protect is an open source application running on the sFlow-RT real-time analytics engine. The software uses streaming analytics to rapidly detect and characterize DDoS flood attacks and automatically applies BGP remote triggered black hole (RTBH) and/or FlowSpec controls to mitigate their impact. The total time to detect and mitigate an attack is on the order of a second. The combination of standard telemetry (sFlow) and...
Continue reading →

Troubleshooting filesystem full issues

Contents: Objective; Introduction; Scenarios; Continuous agent restarts on the system; A single agent file has grown too large; /mnt/flash becomes full due to a large output in tech-support; Deleted file contributing to filesystem getting full.

Objective: This document describes scenarios that cause filesystems to fill up and suggests ways to free up space in the affected directories.

Introduction: At times, after logging into the switch, EOS may display a warning message as follows:

Warning: the following filesystems have less than 10% free space left: tmpfs (on /var/core) 0% (0 Available) tmpfs (on /var/log) 0% (0 Available) Please remove configuration such as...
Continue reading →

Achieving Optimal Timestamp Accuracy on 7150 Platforms

Contents: Background; Evolution of Time stamping; Recommendation.

Background: The launch of the Arista 7150S in 2012 delivered the industry’s first product to offer high-speed networking with high-granularity packet timestamping in an Ethernet switch/router platform. This article reviews how timestamping has evolved since. Arista first conceived of the capability to leverage the 7150S to meet an emerging network monitoring requirement: improving the ability of network analysis tools to capture the correct order of traffic delivered over the out-of-band (OOB) tap aggregation (aka network packet broker) infrastructure. Applying timestamps to packets at the network...
Continue reading →

Pause – Revisit the Fundamentals – OOB

Contents: Introduction; What was it?; What should it be?; What might it look like?; Example Diagram; The Basics; Access to the OOB; VPN to the OOB Network; OOB Dependencies; Leveling Up; Caring for the OOB network; Summary; References.

Introduction: From your manager: “We have a greenfield data center project heading our way. I need you to start working on a design for two data centers. Each data center will be 10,000 square feet in size. We’ll need full network redundancy. It needs to support virtualized compute, physical compute, IP storage, load balancers, firewalls, an oversubscription ratio of 3:1 or better, horizontal cabling based on MMF and a set of Data Center Interconnect links...
Continue reading →

Use CVP to Automate a POE L2 MLAG Stack with In-Band Management and Telemetry

Contents: Overview; Introduction; Prerequisites; Assumptions for Running Automation; Running the Automation; Configlet Import; CVP Network Provisioning Preparation; Create Containers; Assign Configlets to containers; Configlet Builder Dialog for MLAG Stack Peers; Configlet Builder Dialog for MLAG Stack Members.

Overview: One of the advantages Arista offers for campus switches is an automated approach to stacking via CloudVision Portal (CVP), and this article covers a Configlet Builder that provides this automation in a Layer 2 Leaf Spine architecture.

Introduction: In a data center, switches are traditionally managed out-of-band, where the forwarding of management information is in a separate data path from the actual data center traffic. The management connections are via a...
Continue reading →

VMWare NSX-T 3.0 EVPN Type 5 Integration with Arista Gateways

Contents: Introduction; Test Setup; Deploy vEOS Arista EVPN/VXLAN fabric and ESXi hosts; Deploy NSX-T Manager on ESXi3; Deploy NSX-T Edge VM; Configure BGP peering; Configure BGP Route Re-Distribution; Configure BGP peering on EOS external Gateway; Control Plane Verification; Data Plane Verification; Useful Links.

Introduction: VMWare NSX-T 3.0 introduced support for EVPN Type-5 integration, which allows efficient multi-tenant L3 exchange between the VMWare NSX-T Edge and external gateways. The following diagram illustrates life before and after EVPN Type-5 support: instead of an 802.1q trunk interface with an L3 sub-interface per VRF, we can now have a single routed interface with just a single BGP EVPN session. This greatly reduces configuration overhead on...
Continue reading →
