
VLAN Traffic Mirroring on R Series Products

Traffic can be mirrored to ports using the monitor syntax; however, the source of the mirrored traffic is limited to Ethernet and Port-Channel interfaces. If there is a requirement to source a mirror from a specific VLAN across multiple ports, a different method is available as of EOS 4.20.5F or later on R series platforms, utilizing DirectFlow. Before DirectFlow can be configured, a new TCAM profile must be configured and applied:

hardware tcam
   profile direct-flow-mirror-vlan
      feature flow
         key size limit 160
         key field dst-mac ether-type in-port src-mac vlan...

Streaming EOS telemetry states to InfluxDB

Contents: Introduction; Prerequisite; Installing InfluxDB and Grafana; If not using docker installation; Installing and Configuring octsdb for EOS; Octsdb configuration file; Configuring TerminAttr and octsdb daemon; Default VRF with CVP; Default VRF without CVP; VRF management with CVP; VRF management without CVP; VRF management without CVP and authentication; Flags for TerminAttr; Flags for octsdb; Verifying the Telemetry data in InfluxDB; Configuring Grafana; Creating Dashboards; Troubleshooting; Useful links; Example Configuration files

Introduction: The aim of this document is to help you deploy and configure InfluxDB, Grafana, and Arista EOS, allowing you to send telemetry states from the Arista switch to InfluxDB using one of our OpenConfig connector applications, octsdb, which you can find on our GitHub page. Please note that these...

NCClient Example with EOS

Contents: Introduction; Configuring EOS; Example Python Function; Example RPCs; Conclusion

Introduction: ncclient is a Python library that provides a set of tools to interact with and manipulate devices supporting NETCONF server functionality. The goal of this article is to help users leverage ncclient effectively with EOS. This article will outline the use of ncclient to configure Arista devices using EOS CLI commands as well as YANG-modelled data (and a combination of the two). This article is not intended to be a full tutorial on YANG or the YANG models EOS supports. Arista EOS strives to support open YANG models via support of OpenConfig models...

Inter-VRF Local Route leaking using VRF-leak Agent

Contents: Introduction; Platforms; Description; Configuration; Example of Complete Configuration; Verification; Important Notes; Additional Resources

Introduction: The use of Virtual Routing and Forwarding (VRF) to provide a level of segmentation is common practice. For traffic to pass between VRFs, a firewall is generally part of the design. However, situations exist where it is not desirable to place the inter-VRF traffic load on the firewall. This article provides a basic solution to leak routes from one VRF to another, allowing select subnets to communicate directly. Note that leaked traffic bypasses whatever inspection the firewall provided, so the set of leaked subnets should be kept to exactly those that need direct reachability. Platforms: EOS switch versions 4.22F and above. Description: The Inter-VRF local route leaking feature allows the leaking of routes from one VRF to...

Pause – Revisit the Fundamentals – ARP

Contents: Introduction; Evolving Tech; Overlays; Start with the RFCs; Reading beyond the RFCs; ARP; On the Wire; 2nd Level Questions; Summary; Continued Reading – Arista TOIs; Continued Reading – Other References

Introduction: Wow, networking technology really does continue to march along. If you wanted to be a lifelong learner, you definitely picked a great speciality. And face it, we all know the cool kids are the network engineers. In this article we're not going to take a bunch of packet captures or analyze the outputs of a dozen 'show' commands. There are plenty of documents for that already. Rather, this document, and the entire Pause series, looks to take a step...

BGP peering configuration examples for service providers

Service providers proficiently use BGP to deliver their services to their customers and communicate with their peers. This article features some design considerations and configuration examples to showcase how a service provider could use BGP and other functionality to operate their networks.

Contents: 1 BGP peering configuration example for service providers; 1.1 Service provider edge; 1.2 Service provider edge considerations; 1.2.1 Route policies for received prefixes; 1.2.1.1 Prefixes directly connected inside peering partner and stub AS customers; 1.2.1.2 Prefixes seen from stub AS connected to a peering partner; 1.2.1.3 Prefixes seen from neighboring AS networks also peering with each other; 1.2.2 Announcing prefixes; 1.2.2.1 Route maps, prefix lists...

Internet BGP peering examples for enterprises

Enterprises seeking redundancy for their Internet connectivity, and the agility to change service provider when needed, benefit greatly from having their own AS number and IP addresses that can be announced by their own BGP routers. This article features some design considerations and configuration to achieve this in a common enterprise scenario.

Contents: 1 Internet BGP peering examples for enterprises; 1.1 Enterprise edge; 1.2 Design choices; 1.2.1 Active/Active or Active/Passive; 1.2.2 Default route or full Internet table; 1.2.3 iBGP/IGP interaction or IGP default route originate; 1.2.4 Route reflector; 1.3 Enterprise BGP configuration examples; 1.3.1 Active/Passive with a full Internet table import; 1.3.2 Active/Passive with default route only from SPs; 1.3.3 Active/Active with...

BGP primer for Internet peering

The Internet is not one single network; it consists of a number of networks owned and operated by different commercial and non-commercial entities. Each network is considered its own autonomous system. To separate the networks from each other, each network has a number called an autonomous system number (AS number). AS numbers are delegated by the Regional Internet Registries: ARIN (North America), RIPE NCC (Europe, the Middle East and parts of Central Asia), APNIC (Asia-Pacific), LACNIC (Latin America and the Caribbean) and AFRINIC (Africa). These organizations also delegate the IP addresses that each AS is allowed to use. To exchange routing information for IP addresses between each AS, a protocol is needed, as well as a router with the role to...

Setting up EVE-NG, CloudVision Portal and vEOS

Contents: Introduction; Deploy EVE-NG from an OVF file in VMware ESXi 6.7.0 Update 3; Bare-metal install EVE-NG on Ubuntu; EVE-NG Wizard for base configuration; Prepare EVE-NG for the use of vEOS-lab switch images; Prepare EVE-NG for the use of CloudVision images; Test EVE-NG with the new Arista vEOS and CloudVision images; Add nodes using ZTP to CloudVision

Introduction: EVE-NG is client-less, multi-vendor network emulation software that enables network and security professionals to build out network topologies and simulate networking environments. Using EVE-NG, Arista vEOS and Arista CloudVision, it is possible to simulate, from start to end, connecting and provisioning a datacenter network, testing scripting for CloudVision and...

CloudVision Appliance Deployment Recommendations (DCA-200-CV)

Contents: CloudVision Appliance (CVA) Introduction; Deployment Recommendations; Resources

CloudVision Appliance (CVA) Introduction: The CloudVision Appliance (DCA-200-CV) is a physical appliance that runs a CentOS base image and hosts one instance each of CloudVision Portal (CVP) and CloudVision eXchange (CVX) on the KVM hypervisor. It comes with 4x1G NICs and a separate 1G NIC for iDRAC. The virtual NICs on the CVP and CVX VMs are mapped to the physical NICs 1-4 as follows: The CloudVision Appliance quick start guide can be found here. Deployment Recommendations: 1. Ensure that you are running the latest version of the host image; this provides updated OS packages and security patches. The current version...

ZTP Boot Process with CloudVision

Contents: Platforms; Summary; Prerequisites; Example Setup; ZTP Boot Process Summary; ZTP Boot Process Details; ZTP Switch Configuration; Sample ZTP Configuration; Note

Platforms: EOS switch versions 4.17.3F and above; CloudVision versions 2018, 2019, 2020.

Summary: Zero Touch Provisioning (ZTP) is available on all Arista switches and is enabled by default or after a factory reset. CloudVision (CVP), Arista's configuration management and streaming telemetry tool, comes with ZTP installed. The combination of ZTP and CVP provides a simple workflow to onboard new switches into your environment.

Prerequisites: CloudVision installed and running; DHCP service providing Option 67 bootstrap information; switch in factory-default mode (ZTP enabled); network reachability between switch and CVP. Because a factory-default switch fetches and runs whatever bootstrap Option 67 points it at, the DHCP scope that serves ZTP should live on a management network where only the intended server can answer. ZTP...

CVP Container and Configlet Design Guidelines

Contents: Platforms; Purpose; Summary; Container and Configlet Design Guidelines; Sample Switch Configuration CONFIGLETS; Example Container Layout in CloudVision; Additional Resources

Platforms: All CloudVision (CVP) versions supported. Purpose: The purpose of this document is to provide a starting point for those wanting to take advantage of CloudVision's provisioning capabilities through the use of shared configlets that are pushed out to devices under a particular container. Summary: CloudVision manages Arista switch configurations through the use of containers and configlets. The container layout is completely arbitrary and gives the customer the flexibility to align it to their organization's mode of operation. Containers are a hierarchical structure of parent-child relationships, similar to Active Directory. Configlets...

Forward TCPDump to Wireshark

Contents: Description; Platform Compatibility; How To; One-Step; Windows; Mac/Linux; Two-Step; On the Arista switch; Mac/Linux; Resources

Description: Using TCPDump on an Arista switch is an impressive feature and can help with troubleshooting, security concerns, and much more. But watching a packet capture live with TCPDump alone can be tricky, since you can't use display filters, trace a packet, or use many of the other tools found in Wireshark. In this article, we will go over how to forward a live TCPDump session to a local host computer running Wireshark. Please refer to this article to learn the basics of TCPDump on an Arista switch. Using tcpdump...

Standalone BGP Origin Validation with RPKI

The Border Gateway Protocol (BGP) is the primary routing protocol used between the tens of thousands of different networks that make up the global Internet. Unfortunately, the original conception of BGP presumed a fundamental level of trust between all of the participating networks, which has repeatedly permitted both major and minor outages across the Internet due to networks accepting incorrect routing information. Either deliberately or accidentally, networks are able to advertise more specific prefix routing information for address space controlled by other networks to their peers over BGP, which causes that traffic to flow through their network instead of to...
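The origin check that the article above goes on to describe, as an added worked example that is not part of the original post and not Arista code: a minimal implementation of RFC 6811 route origin validation, with the acceptance policy a router applies to each validation state. The ROAs, prefixes and AS numbers are constructed sample data (documentation prefixes and private-use ASNs), not real registry entries, and the function and variable names are this example's own.

```python
"""Route origin validation (RFC 6811) for BGP announcements against RPKI ROAs.

Added illustration for the article excerpt above, not code from the original
post. All ROAs, prefixes and AS numbers are constructed sample data
(documentation prefixes, private-use ASNs), not real registry entries.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Dict, Iterable, List, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class Roa:
    """One Route Origin Authorization: prefix, maxLength, authorized origin AS."""
    prefix: Network
    max_length: int
    asn: int


def roa(prefix: str, max_length: int, asn: int) -> Roa:
    """Build a ROA from a prefix string; maxLength must lie between the prefix length and the AF maximum."""
    net = ip_network(prefix)
    if max_length < net.prefixlen or max_length > net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {prefix}")
    return Roa(net, max_length, asn)


def covering_roas(roas: Iterable[Roa], announced: Network) -> List[Roa]:
    """ROAs whose prefix covers the announced prefix (same address family only)."""
    return [r for r in roas
            if r.prefix.version == announced.version
            and announced.subnet_of(r.prefix)]


def validate_origin(roas: Iterable[Roa], prefix: str, origin_asn: int) -> str:
    """Classify an announcement as 'valid', 'invalid' or 'not-found' (RFC 6811 s.2).

    not-found: no ROA covers the announced prefix, so RPKI says nothing about it.
    valid:     some covering ROA names this origin AS and allows this prefix
               length (announced length <= maxLength).
    invalid:   covering ROAs exist but none match, either because the origin AS
               is wrong (a hijack or a misconfiguration) or because the
               announcement is more specific than any ROA permits. A ROA for
               AS 0 authorizes nobody, so it can only ever yield 'invalid'.
    """
    announced = ip_network(prefix)
    covering = covering_roas(roas, announced)
    if not covering:
        return "not-found"
    for r in covering:
        if r.asn != 0 and r.asn == origin_asn and announced.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def accept_route(state: str, drop_not_found: bool = False) -> bool:
    """Common policy: reject 'invalid', accept 'valid', and accept 'not-found'
    unless a strict policy is chosen (much of the table still has no ROA, so
    dropping 'not-found' discards legitimate routes)."""
    if state == "invalid":
        return False
    if state == "not-found":
        return not drop_not_found
    return True


# Constructed sample ROAs for the cases below (not real registry data).
SAMPLE_ROAS = [
    roa("192.0.2.0/24", 24, 64500),     # exact /24 only
    roa("198.51.100.0/24", 26, 64500),  # may be deaggregated down to /26
    roa("2001:db8::/32", 48, 64500),    # IPv6, /32 through /48
    roa("203.0.113.0/24", 24, 0),       # AS 0: this block must not appear in BGP
]


def sample_results() -> Dict[str, str]:
    """Announcements covering the cases the article describes, including the
    more-specific hijack: a /25 carved out of someone else's /24."""
    return {
        "owner_exact":        validate_origin(SAMPLE_ROAS, "192.0.2.0/24", 64500),
        "wrong_origin":       validate_origin(SAMPLE_ROAS, "192.0.2.0/24", 64511),
        "owner_too_specific": validate_origin(SAMPLE_ROAS, "192.0.2.0/25", 64500),
        "owner_deaggregated": validate_origin(SAMPLE_ROAS, "198.51.100.64/26", 64500),
        "hijack_specific":    validate_origin(SAMPLE_ROAS, "198.51.100.0/25", 64511),
        "as0_block":          validate_origin(SAMPLE_ROAS, "203.0.113.0/24", 64500),
        "no_roa":             validate_origin(SAMPLE_ROAS, "10.0.0.0/8", 64511),
        "v6_owner":           validate_origin(SAMPLE_ROAS, "2001:db8:1::/48", 64500),
    }


if __name__ == "__main__":
    for name, state in sample_results().items():
        print(f"{name:20s} {state:10s} accept={accept_route(state)}")
```

Two points worth noticing in the output: the legitimate owner's own /25 is invalid when its ROA was issued with maxLength 24, which is why a ROA's maxLength has to match how the prefix is actually announced, and the hijacker's more-specific /25 is invalid only because a covering ROA exists at all; with no ROA the same announcement is merely not-found and would be accepted under the usual policy.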

Configurations and Optimizations for Internet Edge Routing

Contents: Introduction; A Note on 32 vs. 64 Bit EOS; Arista Multi-Agent BGP Configuration; Arista FlexRoute Configuration; Changing ACL Implementation; Adjusting show tech-support Outputs; ISP Peering Configurations and Optimization; Validating Hardware before Advertising; Enabling Fast Failure Detection with BFD; Enabling missing route-map handling (RFC 8212 behavior); Removing Private BGP ASNs; Enabling BGP Communities; Adjusting community processing order; Adjusting BGP Maximum-Routes Value; Filtering Extraneous or Malicious Routes; BGP Prefix Independent Convergence; Resource Public Key Infrastructure; Increasing Network Visibility at the Edges; Flow; BGP Monitoring Protocol; Summary

Introduction: For many years, network deployments for enterprise Internet edge environments have consisted of dedicated routing platforms and a switching or aggregation layer to distribute this to various network zones. With the advances in merchant silicon...

Arista EOS is not vulnerable to CVE-2020-9015

Recently a third party submission was made to MITRE’s CVE database about a possible vulnerability in Arista EOS products. This vulnerability was given the identifier CVE-2020-9015 and can be viewed here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9015. This post is to discuss how this CVE was submitted in error and clarify that Arista EOS is not vulnerable to the issue discussed in the CVE. Before discussing the issue itself, it is worth noting that the CVE database is a public database, which accepts submissions from anyone. If a report is disputed, as is the case with this one, MITRE will not attempt to take sides...

A Simple Quality of Service Design Example

While there is plenty of documentation available discussing the individual mechanics of Quality of Service, such as Class of Service (CoS) or Differentiated Services Code Point (DSCP) markings and what they mean, there is not as much documentation available bridging the gap from those basic building blocks to a working network QoS deployment. There are some understandable reasons for that lack of documentation, because the design and implementation of a QoS policy on a network is so closely coupled to the specific network’s business objectives and policies that it’s hard to develop much of a QoS policy and have it...

How to modify the session timeout for the CVP UI

Contents: Description; 2020.2.x; 2020.1.x; 2019.1.x; 2018.2.3-2.5; 2018.1.x

Description: By default the UI session timeout is 24 hours; in some environments security policies dictate a much lower value. This article will show you how to modify the default session timeout using the CLI (in future releases this will be available as a knob in the UI).

2020.2.x: 1. For local users like cvpadmin, edit /cvpi/conf/components/aeris.multinode.yaml (on all nodes in the case of a multi-node setup) or /cvpi/conf/components/aeris.singlenode.yaml (in the case of a single node) and add -authnoption=sessontimeout=<custom_timeout_in_seconds> (present from 2020.2.0) under the apiserver: -> start: -> command: section. For example, setting the timeout to 10 minutes, your config should look like the below:

apiserver:
  ... <omitted> ...
  start:...

IS-IS troubleshooting

Contents: Objective; Configuration; IS-IS neighborship issues; Address-family configuration mismatch; MTU mismatch; IP subnet mismatch; Level-1/Level-2 configuration and IS-IS area mismatch; Unique system ID even though the areas are different; Authentication mismatch; IS-IS metric style mismatch; Routes learned by IS-IS, but not seen in hardware; Sub-optimal forwarding; Logs collection; Capturing IS-IS control packets

Objective: The objective of this article is to outline the common issues faced when using IS-IS and provide troubleshooting commands which could be helpful. Configuration: To enable IS-IS on a router we need to use the commands below. 1. Configure the IS-IS routing instance on the router:

R1(config)#router isis <instance name> vrf <VRF name>

2. Define the current IS-IS area address and the...

Modifying the Timeout Value for Image Upgrades Done Using CVP (CloudVision Portal)

Contents: Description; Configuration; Conclusion

Description: Traditionally, network image upgrades have been done manually on a device-by-device basis. With Arista's CloudVision Portal this arduous task has been greatly simplified. Multiple groups of devices can be upgraded with a few simple clicks by modifying the applied image bundle in the Network Provisioning page. The tedious task of manually uploading device images is handled entirely by CVP. For the majority of use cases, the default settings of CVP will not need any modification. However, if device upgrades will be done over slower WAN links, it is recommended that the image upload timeout value within...
