Securing OpenFlow with stunnel (TLS Proxy)

Do you have an OpenFlow controller that supports communication channel encryption via TLS and you’d like to take advantage of that option with an Arista switch? No problem! Just follow these simple steps and in mere minutes you’ll have a secure TLS connection up and running. Just imagine the look of shock and amazement on the faces of your friends, family and coworkers as you extend the capabilities of your EOS powered switch in near real time!

1) Please download Stunnel from here: http://dl.fedoraproject.org/pub/archive/fedora/linux/releases/14/Fedora/i386/os/Packages/stunnel-4.33-1.fc14.i686.rpm
2) Copy it to flash on the switch:
switch#copy scp://@//stunnel-4.33-1.fc14.i686.rpm flash:
3) Install the RPM as...

Ansible playbook for CVX and VXLAN configuration.

Purpose: This playbook allows an administrator to easily configure Cloud Vision Exchange (CVX) and Virtual Extensible LAN (VXLAN) between two Arista switches. It is ideally suited for test environments and administrators wanting to test CVX and VXLAN functionality. The playbook can be modified for more advanced deployments.

Running the playbook: From the CLI, under the /etc/ansible directory, run:
ansible-playbook cvx_vxlan_playbook.yaml

Prerequisites: An Ansible server (http://docs.ansible.com/ansible/intro_installation.html) with the arista.eos roles for Ansible v1.0.1. To install, run
# sudo ansible-galaxy install arista.eos
on the Ansible server. Rename the following files under /etc/ansible/roles/arista.eos/library so that they no longer have a .py extension, i.e. eos_config.py becomes eos_config.
# cp...

Installing Puppet on EOS

Contents: Installation; Configuring Puppet; Configuring Name Resolution; Configuring eAPI; Configuring puppet.conf; Create puppet alias; SSL Certificates; Summary

Getting started with Puppet and EOS isn’t a difficult process. It involves taking advantage of the extensible nature of EOS. There are two primary extensions that need to be loaded in EOS in order for an Arista network element to be included in the Puppet ecosystem.

Installation

Installation...

Interface Auto-Description with Detailed LLDP Info

Still writing interface descriptions manually? No fun at all; not to mention the task is prone to typos and human error. Why not let LLDP help you out! Mark Berly originally authored a handy little script that used ‘show lldp neighbors’ to dynamically build your local interface descriptions based upon a few simple key/value pairs. But what if you wanted a little bit more data only found in `show lldp neighbors detail`? PortAutoDescription v3 With this updated version, you can access a majority of the data only available in ‘show lldp neighbors detail’ with an easy to use dictionary: {...

Why Java APIs and Industry-Standard CLIs are Different

In the past few years, the tech industry has watched with increasing concern as various entrenched participants have brandished copyright law as a weapon to stifle competition and innovation. Recently, we have been treated to yet another novel claim: that after over a decade of broad adoption, the industry-standard set of commands that a user types into a command line interface (or CLI) to configure a network device is subject to copyright. This startling claim raises many questions, but today I want to address one in particular: What effect, if any, does the recent decision in Oracle v. Google have...

VXLAN Routing with MLAG

Contents: Introduction; Virtual eXtensible LAN (VXLAN) Overview; VXLAN Routing; VXLAN Routing Topologies; Direct routing model with MLAG; AnyCast IP address; Virtual VTEP with the Anycast IP address; Direct Routing configuration

Introduction

This document describes the operation and configuration of VXLAN routing on an Arista platform in conjunction with MLAG for redundancy. The configuration and guidance within the document, unless specifically noted, is based on the platforms and EOS releases noted in the table below.

Arista’s Multi-Chassis LAG (MLAG) technology provides the ability to build a loop free active-active layer 2 topology. The technology operates by allowing two physical Arista switches to appear as a single logical switch...

Adding Interface DHCP Support with an Event Handler

While EOS does not support DHCP on interfaces natively from the CLI, it is easy to leverage the underlying Linux operating system along with event-handlers to add this support yourself! dhclient is available natively within EOS. The trick is that you need to first get dhclient to run for a given interface you want to DHCP an address for, and then you need to take the result from dhclient and apply that to the CLI as if it were a static configured IP address. The following script (installed at /mnt/flash/dhcpintf) can be run out of an interface event-handler to start/stop...

My journey with Ansible and Arista

Before I joined the ranks of Arista, my primary focus was technical refreshes and configuration documentation to support a PVST+ and OSPF architecture.  Yes – PVST+.  Yes – not RSTP.  I don’t say that to knock the place, I say that to give you an idea of where I’m coming from.  I was completely focused on spanning tree and routing protocols – primarily OSPF.  I had blinders on and didn’t want to do anything but routing and switching in a certain vendor’s world. Needless to say, transitioning from that place to working for Arista Networks was like Charlie stepping into...

Tap solutions for Arista Tap Aggregation – Network Packet Broker

Arista Tap Aggregators are agnostic to the taps capturing the light signal, although the optical budget should remain a careful consideration, as with any optical media. Below is a selection of Tap vendors deployed by our customer base, in alphabetical order. Feel free to post a comment with your own favourite Tap supplier, if not listed here.

CableXpress – http://www.cablexpress.com/solutions/port-replication/
Comcraft – ProfiTAP – http://www.profitap.com/fiber-taps/
Corning Cable Systems – Pretium EDGE Tap module – http://catalog.corning.com/opcomm/en-US/catalog/MasterProduct.aspx?cid=pretium_EDGE_AO_module_web&pid=114264
Enlight Data – http://www.enlightdata.com/products.html
Garland Technology – http://www.garlandtechnology.com/products/network-taps
M2 Optics – http://www.m2optics.com/products/network-taps
Mimetrix – http://www.mimetrix.com/optical-taps.php
Tapics – http://www.tapics.us

L2 Trace Route Another Example of EOS Extensibility

Introduction

EOS is indeed very extensible. With native Linux tools already installed, a JSON interface for structured switch communication and Python libraries available, the sky is the limit on what you can do. Of course, installing additional RPMs to leverage ‘off the shelf’ packages also opens up other extensibility options. A few weeks ago a customer with a large layer 2 environment asked if Arista has a layer 2 trace route tool. The answer was no, not natively, but it could be built with a little scripting in Python. Thus l2tracert.py was born. The l2tracert script...

Arista’s EOS Innovation Enabling Ecosystem Partner Software Development

Network software automation and intelligence is a passion we share as network engineering software developers at Intelligent Visibility, Inc. Creating innovative software solutions in the rising world of software-defined networking (SDN) can prove challenging. The source data that we require for our software is mostly located within the network device’s operating system. In the past accessing this source data has been a serious time investment mainly due to inconsistent API implementation types across different operating systems for many different hardware platforms.

Find the next free VLAN id

If you have a lot of VLANs to manage, finding unused, available VLAN ids can be a challenge. Here’s a short alias to do exactly that (with the help of our customer Mateusz Blaszczyk):

alias next-vlan show vlan | awk -v a=`echo %1 ` '$1 ~ /[0-9]/ && $1==a { ++a }; END { print a }'
alias next-vlan-h bash echo -e "\nUsage: next-vlan <STARTING-ID>\n\nWhere <STARTING-ID> is the VLAN id to start looking for unused VLAN ids\n"

Description: The script analyses the output of the “show vlan” command for consecutively rising VLAN ids, starting with the given one. It...

VXLAN bridging with MLAG

Contents: VXLAN bridging with MLAG; Introduction; VXLAN with MLAG; VXLAN with MLAG configuration; Traffic Forwarding Behaviour; Traffic Failover Behaviour

VXLAN bridging with MLAG

Introduction

This document describes the operation and configuration of VXLAN within a Multi-Chassis LAG (MLAG) deployment. The configuration and guidance within the document is based on the platforms and EOS release of Table 1.0.

Table 1.0: Arista MLAG technology

Arista’s Multi-Chassis LAG (MLAG) technology provides the ability to build a loop free active-active layer 2 topology. The technology operates by allowing two physical Arista switches to appear as a single logical switch (MLAG domain); third-party switches, servers or neighbouring Arista switches connect to the logical switch...

How to keep last X startup configs

If you would like to keep track of the last 10 (or more, or less) configuration changes, here’s the event-handler code to do that:

event-handler config-versioning
   trigger on-startup-config
   action bash FN=/mnt/flash/startup-config; LFN="`ls -1 $FN.*-* | tail -n 1`"; if [ -z "$LFN" -o -n "`diff -I 'last modified' $FN $LFN`" ]; then cp $FN $FN.`date +%Y%m%d-%H%M%S`; ls -1r $FN.*-* | tail -n +11 | xargs -I % rm %; fi
   delay 0

Description: Every time the startup config gets changed, this event handler will be executed (“trigger on-startup-config”). You could increase the delay, if you wish, but now it’s engaged immediately...

Tip for Arista vEOS on VMware ESX 6

Note: This tip was discovered and shared by Sandy Breeze at Claranet

Arista provides the EOS network operating system for test/lab virtual environments in the form of vEOS, either as a VMDK or a SWI (software image to install on an existing vEOS). With the vEOS VMDK as currently provided, thin provisioned to save on file size, ESX 4 and 5 work fine, but upon booting the vEOS VM under ESX 6 it will report “LZMA data is corrupt” and “system halted”, despite the image not being corrupted (you could verify the checksum). This issue may also manifest itself with an...

eAPI and Unix Domain Socket

Introduction Today’s data centers cry out for automation. There are many approaches that Network Operators can leverage, but one method that is very powerful is using Arista’s eAPI command interface. When eAPI is enabled, the switch accepts commands using Arista’s CLI syntax, and responds with machine-readable output and errors serialized in JSON, served over HTTP or HTTPS. It’s very easy to use and exceptionally powerful. Other blogs and articles have discussed the usage of eAPI for scripts. The purpose of this article is to cover a new access method introduced in EOS 4.14.5, which allows local access to the eAPI...

Securing eAPI

Contents: Introduction; Turning on/off eAPI; HTTPS Certificate; Changing the Port; Users Control by ACL; VRF; Command control via AAA; On-box Programming

Introduction

In this article we will talk about a few tips to secure eAPI access, for example HTTPS, changing the port, certificates, ACLs, on-box access, AAA, VRFs, etc.

Turning on/off eAPI

First of all, the most secure way is turning off eAPI, which is the default.
myswitch#configure
myswitch(config)#management api http-commands
myswitch(config-mgmt-api-http-cmds)#shutdown
When eAPI is turned on with “no shutdown”, by default the HTTPS protocol is running and HTTP is turned off for security, because HTTP sends the username and password in clear text. HTTP can be enabled with “protocol http”; however, we recommend...

7150S NAT – Practical Guide – Source NAT – Dynamic

Contents: Introduction; 1) Dynamic Source NAT with pool; 1.1) Differences with Static Source NAT; 1.2) Dynamic Source NAT example; Baseline configuration (reminder); Resulting translation; 2.2) Configuration for Dynamic Source NAT – with pool; 2.3) Verification outputs for Dynamic Source NAT – with pool; 2) Dynamic Source NAT Overload (Many to one); 2.1) Overload Example; 2.2) Configuration for Dynamic Source NAT Overload; 2.3) Verification output for Dynamic Source NAT Overload; 3) Dynamic Source NAT Overload + Specific ACL; 3.1) Example; 4.2) Configuration for Dynamic Source NAT Overload + Specific ACL; 4.3) Verification outputs for Dynamic Source NAT Overload + specific ACL

Introduction

This article presents Dynamic Source NAT, as part of a series of articles about Source NAT on the Arista 7150S with practical examples. It assumes...

MTP12 Cheat Sheet for QSFP 40G SR4 Optical Cabling

Contents: 1) Overview; 2) QSFP to QSFP light path on MTP12 cables; 3) What to be careful about; 4) Mistake examples; 4.1) Polarity mistake; 4.1) Wrong connector gender

1) Overview

This document explains the optical connectivity involved in 40G optical QSFP for short reach (40GBASE-SR4) on multimode fibres. The standard specifies MPO12 (or MTP12) as the connector to the SR4 QSFP, which traditionally carries 12 fibres, but 40G only needs 8 (4 pairs) to carry the 4 parallel bidirectional paths. You might know that QSFPs can be programmed to operate as 4 x 10G.

2) QSFP to QSFP light path on MTP12 cables

Notice...

ZTPServer – Benchmarking the Webserver Gateway Interface

Contents: Introduction; Objective; Considerations; Benchmark Testing; Testing with Funkload; Benching Profiles; Profile A: Provision Static Nodes (existing node directory); Results; Profile B: Use Neighbordb to Dynamically Provision Nodes (without SWI download); Results; Profile C: EOS+ CS Magic; Results

Introduction

ZTPServer provides a bootstrap environment for Arista EOS based products. It is written mostly in Python and leverages standard protocols like DHCP (for boot functions), HTTP (for bi-directional transport), and XMPP/syslog (for logging). Most of the configuration files are YAML based [ documentation ]. We will benchmark the performance of the ZTPServer by using funkload, which will simulate EOS nodes being provisioned.

Objective

The purpose of this post is to evaluate the performance...

Latency Analyzer (LANZ) Architectures and Configuration

Contents: Introduction; 1) Enabling Latency Analyzer; 2) Setting LANZ Thresholds; 3) Viewing LANZ Output; 4) LANZ Traffic Sampling; 5) LANZ lite (7500 and 7048T)

Introduction

Arista Latency Analyzer, or LANZ, is a technology that tracks and logs buffer congestion and latency in real time. The visibility provided by LANZ of network hot-spots and microburst oversubscription gives the network operator greater insight into when problems are occurring on the network and why. With LANZ you will know when congestion happened, track the sources of congestion, and be able to export real-time events to external applications. LANZ also shows the effect of packet buffering on an...

LANZ – Tuning packet buffer monitoring thresholds – Gain the most adequate visibility to you

This article introduces LANZ briefly, and then concentrates on explaining how you may want to tune the thresholds. Threshold tuning allows you to have the right level of visibility for your environment.

Contents: 1) LANZ Introduction; LANZ generated outputs; 2) LANZ Thresholds; 2.1) Microburst; 2.2) When microburst exceeds a threshold; 2.3) Microburst visibility – benefits; 2.4) Differentiating thresholds in relation to time lapse; 2.5) Know your network and applications; 3) Finding the right LANZ buffer threshold for you; 3.1) How much information?; Conclusion on information quantity; 3.2) Empirical approach: starting with the default; 3.2.1) Starting with the default; 3.2.2) Lower to 1/5th or 1/10th of the default; 3.2.3) Lower to a further...

EOS Extension – autoipcfg

With the release of the pyeapi library, it’s even easier to use the EOS eAPI interface to write some custom functionality to help with deployments, provisioning, configurations and many other things. Arista’s EOS+ organization has developed a full turn-key solution for provisioning new nodes on your network, known as ZTP server. This is a full featured server that provides a bootstrap environment for Arista switches. It’s highly customizable and if you are looking for a lot of bells and whistles this would be the way to go. However, the eAPI interface allows for extensions to be written really quickly if...

sFlow Generation for Legacy Networks with Tap Aggregation (NPB / Matrix switch)

sFlow is a standard hardware sampling mechanism available on all Arista platforms, providing rich statistical information on all ports. sFlow is available in Tap Aggregation mode, allowing Tap Aggregation use cases beyond traffic analysis on analyzer tools:
Retro-fitting sFlow to legacy infrastructure
Distributed analysis
This article focuses on retro-fitting sFlow to legacy infrastructure.

1) sFlow vs Netflow

sFlow is a sampling mechanism implemented in hardware: widely available on non-legacy platforms, and widely supported on collectors/monitoring software. sFlow requires minimal local processing, which contrasts with Netflow, which is very CPU-intensive, making Netflow poorly suited for any high performance...

DANZ – Tap Aggregation optics / transceivers selection

This article clarifies certain criteria that are important to consider in the design of a Network Packet Broker (NPB) aggregating traffic from various sources. For distance reasons, the main type of media used in tap aggregation is optical (multimode or single mode); therefore this article mainly focuses on these media.

Contents: 1) Understanding Optical Budgets; 2) Estimating Insertion Losses; 3) Optical Splitter Operation; 4) Port usage on Tap Agg Switch; 5) Overcoming optical loss with wideband optics on tap ports; What about standard compatibility?; Details on wideband optics; Highlight of the wideband optics benefits; 6) Tapping High Speed Links (40G / 100G)

1) Understanding Optical Budgets

Multiple factors...

DANZ Tap Aggregation – Basic settings – Before you start

Several Arista switches support the DANZ feature set for Tap Aggregation. The tap aggregation mode is a mere configuration (1-2 lines) that transforms a high performance L2/L3 switch into a Tap Aggregator (NPB). This mode requires certain considerations:

Contents: 1) Tap aggregation – How to select the exclusive mode; 3) Undesired protocols; Spanning-Tree; IGMP Snooping; LACP; QoS

1) Tap aggregation – How to select the exclusive mode

The tap aggregation mode is exclusive to part of a switch or the whole switch. Parts of the switch that are excluded from the Tap Aggregation mode can work either in fully L2/L3 forwarding mode (normal switching mode), or in simple...

Script example – Automating VXLAN deployments with EAPI

Contents: 1) Introduction; 2) Working towards automation: it is an evolution; 3) Deployment methods; 4) Deployment elements; 5) EAPI Script; 5.1) Arguments handling; 5.2) VXLAN configuration; 5.3) Example of resulting configuration; 6) Script

1) Introduction

This article describes briefly what is required to deploy overlay networks with VXLAN, but we assume a good understanding of the VXLAN fundamentals. To achieve such VXLAN deployments, multiple options exist, from simple but manual, to fully automated service chaining (orchestration) at the cost of having to also set up a Cloud Management Platform or a network virtualization controller. This article focuses on an easy option that is a good balance between simplicity of operation...

ZTPServer v1.3

ZTPServer version 1.3 adds a couple of new features and enhancements, which are primarily focused on new actions, improved testing and documentation, and the addition of handlers for startup-config PUT requests. For details, please see http://ztpserver.readthedocs.org/en/master/support.html#releases. ZTPServer version 1.3.1 adds some additional bug fixes and is the recommended release for all customers.

BGP Multipath

BGP Multipath allows multiple next-hop entries for the same prefix to be installed in the routing table. This enables the load sharing of traffic, providing Equal Cost Multi-Pathing (ECMP) functionality. By default, BGP Multipath is disabled and the path selection algorithm will continue until one path is preferred. To enable the BGP Multipath option, the following must be configured under the BGP process:

maximum-paths paths [ecmp ecmp_paths]

paths – maximum number of parallel routes in the routing table. Default value is 1.
ecmp_paths – maximum number of ECMP paths stored in the forwarding table for each route. Default is the maximum value. Value for...

Working with the Python eAPI Client

This article builds on the Introduction to the Python Client for eAPI by taking a look at the pyeapi client a little deeper. The client module provides a number of functions for making it easier to build connectivity to Arista EOS nodes running eAPI. To get started, let’s begin by simply importing the pyeapi client in Python and review how to build a node object.

>>> import pyeapi
>>> node = pyeapi.connect_to('veos01')

As discussed in the introduction article, the above will search for and load the eapi.conf file. Once the configuration file has been found and loaded by pyeapi,...

Fabric Visibility

A leaf and spine fabric is challenging to monitor. The fabric spreads traffic across all the switches and links in order to maximize bandwidth. Unlike traditional hierarchical network designs, where a small number of links can be monitored to provide visibility, a leaf and spine network has no special links or switches where running CLI commands or attaching a probe would provide visibility. Even if it were possible to attach probes, the effective bandwidth of a leaf and spine network can be as high as a Petabit/second, well beyond the capabilities of current generation monitoring tools. The 2 minute video...

Introducing the Python Client for eAPI (pyeapi)

The Arista EOS command API (eAPI) has been available in versions of EOS since the release of version 4.12. It has proven to be an invaluable tool for building management plane applications, making it easy to develop solutions that interface with the device configuration and state information. Building on the capabilities of eAPI, this article introduces the initial release of the Python Client for eAPI (pyeapi). The Python Client for eAPI (pyeapi) is a language specific client that makes working with eAPI even easier. It is designed to assist network engineers, operators and devops teams to build eAPI applications faster without...

Quick and Easy vEOS Lab Setup (VMware or VirtualBox)

Introduction

A local vEOS lab is always helpful when trying out new features or validating configuration. So how would you like to be able to set up the 4-node spine/leaf virtual lab pictured below with one simple command?

user:packer-veos user$ ./create-veos.py -H virtualbox

And what if you wanted to try out the ZTPServer with this new set of nodes?

user:packer-ztpserver user$ ./create-ztpserver.py -H virtualbox -o fedora

This is possible with the help of the EOS+ Consulting Services Github projects: packer-veos and packer-ztpserver. Follow the READMEs at those individual repos to set up your virtual machines, but here’s a quick overview of the process....

MLAG – Advanced Configuration

Fully meshed MLAG enables efficient, unprecedented spine to host scaling in dense active-active topologies. Overview While dual-homing individual devices such as servers and top of rack switches using MLAG provides fault-tolerant, active-active connectivity across a single device pair, larger networks require two tier architectures to provide fully meshed capacity both between the spine and leaf layers of the network and for onward connection to servers. MLAG’s simple yet versatile implementation makes it possible to provide high levels of redundancy with scalability of up to 64 interfaces per channel between multiple pairs of devices enabling significant network expansion without resorting to...

Using AAA to log all commands from users on Arista EOS

Introduction Some users of Arista Networks EOS may want to log all commands executed on a switch. This article explains how to use AAA without TACACS or RADIUS to provide accounting of all commands to the system log. The log can then be sent off to a syslog server or even sent to Splunk using the Arista EOS splunk extension. For more information about the Splunk app for Arista EOS click here. Setup First, it is important to create a user account for each switch administrator. Without a separate account for each administrator it will be impossible to retain accurate...

Deep Packet Inspection with Tap Aggregation

Contents: Introduction; Command Examples; Initial Configuration; DPI Access List; Class Maps and Policy Maps; Interface Configuration; GUI Example

Introduction

In this article we will focus on the Deep Packet Inspection access list enhancements available in Tap Aggregation Exclusive mode on the Arista 7150 series switches. Deep Packet Inspection (DPI) is an Access List enhancement that was introduced in EOS 4.14.0.F. This feature allows the administrator to inspect and match additional bytes in the packet header after the Layer 2, Layer 3 or Layer 4 header. DPI was designed to be utilized while in Tap Aggregation exclusive mode. Typical use cases for DPI are: Identifying custom fields in...

DANZ Table of Contents

Tap Aggregation
Introduction to Tap Aggregation
Basic Use of Aggregation Groups
Tap Aggregation Basic Settings Before You Start
Filtering with Port ACLs
Tap Aggregation VLAN List Filtering
Tap Aggregation Traffic Steering
Deep Packet Inspection
Truncation on Tap and Tool Ports
LLDP on Tap Ports
Common Challenges with TapAgg
TapAgg Glossary

Advanced Mirroring
Introduction to Port Mirroring
Filtering with Port ACLs

Latency Analyzer (LANZ)
LANZ Architectures and Configuration
LANZ Buffer Tuning

Timestamping
TimeStamping on the 7150
Timestamping Deep Dive and Frequent Questions

Optics
Tap Aggregation Optics Selection

Data Analyzer (DANZ) Glossary

Access List (ACL): The switch configuration used for the purpose of filtering Layer 2, Layer 3, or Layer 4 traffic. See Filtering with Port ACLs.

Advanced Mirroring: An Arista feature set which includes support for filtered, multi-destination mirroring, mirroring to EOS of data plane traffic, advanced load-sharing, and packet truncation.

Aggregation Group: A configuration or grouping of Tap and Tool ports together where traffic from all Tap ports in a group will be replicated to all Tool ports in the same group. A tool port can be a member of multiple aggregation groups whereas a tap port is allowed...

Arista eAPI 101

In this article, you will get some quick ideas on using Arista eAPI to configure the switch remotely via JSON-RPC. Here is a YouTube video on eAPI if you prefer to watch something live: EOS Bits & Bytes – Episode 3 “Command API”. The Arista Command eAPI is a simple and complete API that allows you to configure and monitor your Arista switches. Once the API is enabled, the switch accepts HTTP(S) requests containing a list of industry standard CLI commands, and responds with machine-readable output and errors serialized in JSON (served over HTTP or HTTPS). eAPI was first introduced in...

DANZ Tap Aggregation – Filtering on inner Q-in-Q header, and stripping outer header – At the same time

This article documents the ability, for the Arista 7150S in Tap Aggregation mode, to selectively filter on the inner Q-in-Q header and also strip the outer header on egress, effectively allowing a granular selection of what Q-tagged traffic the tools will be receiving.

Let’s take as a traffic example some Q-in-Q traffic:
Outer Q-header (Eth-type 0x88a8) – STAG – VLAN ID = 100
Inner Q-header (Eth-type 0x8100) – CTAG – VLAN ID = 101, 102

Packet capture example for this Q-in-Q traffic:

7150S(config)#bash sudo tcpdump -nni mirror0
[...]
22:23:44.040896 00:ab:00:00:02:23 > 00:1c:73:86:00:69, ethertype 802.1Q-QinQ (0x88a8), length 1020: vlan 100, p...

7150S NAT – Practical Guide – Source NAT – Static

Contents: Introduction; 1) Source NAT – Baseline; Baseline configuration; Baseline verification; Lab/Test Artefacts; 2) Static Source NAT – Unicast and multicast with routed ports; 2.1) Static Source NAT – Overview; 2.2) Configuration for Static Source NAT – Unicast and Multicast; 2.3) Verification outputs for Static Source NAT – Unicast and Multicast; 2.4) Static Source NAT – Details on Unicast reverse rule; 2.5) Static Source NAT – Troubleshooting direction; 3) Static Source NAT – With SVIs instead of L3 ports; 3.1) SVIs vs Layer3 interface: the same; 3.2) Configuration output for Source NAT with SVIs; 3.3) Verification output for Source NAT with SVIs; 4) Static Source NAT with ACL Match; 4.1) Static Source NAT with ACL Match – 1 rule; 4.2) Static Source NAT with ACL...

Basic Use of Aggregation Groups

Introduction Aggregation groups provide a means of grouping tool ports to simplify the mapping of a tap port to multiple tools and allow grouping of alike applications. In current releases, each tap port can only be bound to one default aggregation group at any time. A tool port however, can simultaneously be a member of multiple aggregation groups. This is important as it allows multiple tools or tool servers to receive any of the multiple traffic flows input to the tap ports. The Tap Aggregation operator can for example have an IDS/IPS tool receiving the same traffic as an application...

Common challenges with TAP aggregation

Contents: Introduction; Timestamping; Timestamps missing or corrupt; Timestamps appear on some packets but not others; Packet Corruption/Ordering; Packets received out of order; Packets received without VLAN tag; Packets received with VLAN tag but ID Tag missing; My <access-list | policy> is not being correctly applied; Performance and Physical Layer; Latency between mirror port and tool seems high; TAP interfaces do not come up on the aggregator; Configuration; My port-channel (load balancing group) does not come up; I can see LLDP neighbors on Tap ports but not on Tool ports

Introduction

Capturing raw network packet data, whether it be from...

Truncation on Tap and Tool Ports

Contents: Introduction; Command Examples; Example one; Example 2; GUI examples; Example 1; Example 2

Introduction

EOS supports truncation on ingress and egress. In this article we will focus on how it can be applied in tap aggregation exclusive mode, on the Arista 7150 line of switches. Please refer to the supported features matrix for other hardware platforms. Truncation is the ability to remove unwanted or unneeded bytes from the packet at a configurable or fixed starting byte position; it may also be referred to as ‘Packet Slicing’. This is useful in situations where the data of interest is contained within the headers or early in the packet...

LLDP on Tap ports

Introduction

As of EOS 4.14.0F, users of the tap aggregation features of the Arista 7150S line of switches can benefit from the visibility gained from LLDP on tap ports. Neighbor information will now be processed by the CPU and made available via the EOS CLI. This allows the tap aggregation administrator to view neighbor information for verification and troubleshooting. This article details the use of LLDP neighbor information on tap ports in tap aggregation exclusive mode. Show LLDP commands work in Tap Aggregation Exclusive mode as they do in normal switching mode; no configuration is required. Since tap ports can only receive...
Continue reading →

Introduction to TAP aggregation

Introduction Traditional approaches to network monitoring rely on the ongoing collection of generic, high-level statistics such as interface utilization from a selection of network devices to detect trends or anomalies in service availability. Such metrics are naturally limited in the level of granularity they can provide and often only provide a hint of real underlying network conditions without providing any visibility into per-application activity or performance. Traditionally, reactive and localized packet capture would be employed to determine the cause of the performance degradation. However, the manual nature of needing to configure packet capture and mirroring and then physically attach...
Continue reading →

TAP Aggregation – Traffic Steering

Introduction This article details the ability of the Tap Aggregator to redirect, or steer, traffic away from the aggregation group that the Tap port belongs to. This capability allows for a more granular focus and control on individual, or multiple, traffic flows ingressing the Tap Aggregator. The traffic steering capability uses MQC (QoS style) policy and class maps combined with standard access-lists to perform this function. The feature also allows for the configuration of an identity VLAN different from the identity VLAN associated with the Tap port. This article details the...
Continue reading →

Leveraging Deep Inspection and Traffic Steering for monitoring SIP environments

Introduction With the expansion of SIP (Session Initiation Protocol) and RTP (Real-time Transport Protocol) for IP-based telephony applications, enterprises and carriers alike have a requirement to track and capture calls or parts of calls for the purposes of performance analysis and forensic/legal monitoring requirements. This post documents a powerful use for Deep Inspection and...
Continue reading →

System and Process Logging

In addition to the log provided by the ‘show logging’ CLI command, EOS, being a Linux-based OS, provides users with the ability to access the underlying Linux system logs as well as the individual EOS agent process logs for multiple agent instances (due to reconfiguration or in-service stateful repair). These logs can be accessed by invoking the bash Linux shell directly via the EOS CLI as follows: Arista#bash sudo tail /var/log/messages Feb 17 20:01:01 Arista CROND[32288]: (root) CMD (run-parts /etc/cron.hourly) Feb 17 20:01:01 Arista run-parts(/etc/cron.hourly)[32288]: starting 0anacron Feb 17 20:01:01 Arista run-parts(/etc/cron.hourly)[32297]: finished 0anacron Feb 17 20:01:01 Arista run-parts(/etc/cron.hourly)[32288]:...
Continue reading →

Automating the collection of system logs using logGrab

Typically, when a support case is opened, the first item requested by the support engineer is more data. If all necessary data can be provided when a support case is opened, it allows the support engineer to immediately begin looking at a customer issue; however, it is often difficult to know exactly which information will be required. logGrab aims to simplify this by automating the process, reducing the typical time to resolution of service requests. logGrab is a simple bash script; when executed, it collects all data typically required by TAC engineers and places it into a single timestamped ZIP...
Continue reading →