CVP Container and Configlet Design Guidelines

Contents: Platforms; Purpose; Summary; Container and Configlet Design Guidelines; Sample Switch Configuration CONFIGLETS; Example Container Layout in CloudVision; Additional Resources.

Platforms: All CloudVision (CVP) versions supported.

Purpose: The purpose of this document is to provide a starting point for those wanting to take advantage of CloudVision’s provisioning capabilities through the use of shared configlets that are pushed out to devices under a particular container.

Summary: CloudVision manages Arista switch configurations through the use of Containers and Configlets. The Container layout is completely arbitrary and gives the customer the flexibility to align it with their organization’s mode of operation. Containers form a hierarchical structure of Parent-Child relationships, similar to Active Directory. Configlets...

Forward TCPDump to Wireshark

Contents: Description; Platform Compatibility; How To; One-Step; Windows; Mac/Linux; Two-Step; On the Arista switch; Mac/Linux; Resources.

Description: Using TCPDump on an Arista switch is an impressive feature and can help with troubleshooting, security concerns, and much more. But if you need to watch a packet capture live, using TCPDump alone can be tricky, since you can’t use display filters, trace a packet, or use many of the other tools found in Wireshark. In this article, we will go over how to forward a live TCPDump session to a local host computer running Wireshark. Please refer to this article to learn the basics of TCPDump on an Arista switch. Using tcpdump...

Standalone BGP Origin Validation with RPKI

The Border Gateway Protocol (BGP) is the primary routing protocol used between the tens of thousands of different networks that make up the global Internet. Unfortunately, the original conception of BGP presumed a fundamental level of trust between all of the participating networks, which has repeatedly permitted both major and minor outages across the Internet due to networks accepting incorrect routing information. Either deliberately or accidentally, networks are able to advertise more specific prefix routing information for address space controlled by other networks to their peers over BGP, which causes that traffic to flow through their network instead of to...

Configurations and Optimizations for Internet Edge Routing

Contents: Introduction; A Note on 32 vs. 64 Bit EOS; Arista Multi-Agent BGP Configuration; Arista FlexRoute Configuration; Changing ACL Implementation; Adjusting show tech-support Outputs; ISP Peering Configurations and Optimization; Validating Hardware before Advertising; Enabling Fast Failure Detection with BFD; Enabling missing route-map handling (RFC 8212 behavior); Removing Private BGP ASNs; Enabling BGP Communities; Adjusting community processing order; Adjusting BGP Maximum-Routes Value; Filtering Extraneous or Malicious Routes; BGP Prefix Independent Convergence; Resource Public Key Infrastructure; Increasing Network Visibility at the Edges; Flow; BGP Monitoring Protocol; Summary.

Introduction: For many years, network deployments for enterprise Internet edge environments have consisted of dedicated routing platforms and a switching or aggregation layer to distribute this to various network zones. With the advances in merchant silicon...

Arista EOS is not vulnerable to CVE-2020-9015

Recently a third-party submission was made to MITRE’s CVE database about a possible vulnerability in Arista EOS products. This vulnerability was given the identifier CVE-2020-9015 and can be viewed here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9015. This post discusses how this CVE was submitted in error and clarifies that Arista EOS is not vulnerable to the issue described in the CVE. Before discussing the issue itself, it is worth noting that the CVE database is a public database which accepts submissions from anyone. If a report is disputed, as is the case with this one, MITRE will not attempt to take sides...

A Simple Quality of Service Design Example

While there is plenty of documentation available discussing the individual mechanics of Quality of Service, such as Class of Service (CoS) or Differentiated Services Code Point (DSCP) markings and what they mean, there is not as much documentation available bridging the gap from those basic building blocks to a working network QoS deployment. There are some understandable reasons for that lack of documentation, because the design and implementation of a QoS policy on a network is so closely coupled to the specific network’s business objectives and policies that it’s hard to develop much of a QoS policy and have it...

How to modify the session timeout for the CVP UI

Contents: Description; 2020.1.x; 2019.1.x; 2018.2.3-2.5; 2018.1.x.

Description: By default the UI session timeout is 24 hours; in some environments, security policies dictate a much lower value. This article will show you how to modify the default session timeout using the CLI (in future releases this will be available as a knob in the UI).

2020.1.x

1. Create a YAML file, let’s call it sessionTimeout.yaml, with the following content: sessionTimeout: X, where X is the number of seconds after which the session should time out, e.g.:

   # cat /cvpi/apps/cvp/conf/session.yaml
   sessionTimeout: 60

2. For local users like cvpadmin, modify the --oidc-config=/dev/null flag in the apiserver: configuration section of /cvpi/conf/components/aeris.multinode.yaml (on all nodes in case...

IS-IS troubleshooting

Contents: Objective; Configuration; IS-IS neighborship issues; Address-family configuration mismatch; MTU mismatch; IP subnet mismatch; Level-1/Level-2 configuration and IS-IS area mismatch; Unique system ID even though the areas are different; Authentication mismatch; IS-IS metric style mismatch; Routes learned by IS-IS, but not seen in hardware; Sub-optimal forwarding; Logs collection; Capturing IS-IS control packets.

Objective: The objective of this article is to outline the common issues faced when using IS-IS and provide troubleshooting commands which could be helpful.

Configuration: To enable IS-IS on a router we need to use the commands below.

1. Configure the IS-IS routing instance on the router:

   R1(config)#router isis <instance name> vrf <VRF name>

2. Define the current IS-IS area address and the...

Modifying the Timeout Value for Image Upgrades Done Using CVP (CloudVision Portal)

Description: Traditionally, network image upgrades have been done manually on a device-by-device basis. With Arista’s CloudVision Portal this arduous task has been greatly simplified. Multiple groups of devices can be upgraded with a few simple clicks by modifying the applied image bundle in the Network Provisioning page. The tedious task of manually uploading device images is handled entirely by CVP. For a majority of use cases, the default settings of CVP will not need any sort of modification. However, if device upgrades will be done over slower WAN links it is recommended that the image upload timeout value within CVP...

Troubleshooting STP instability

Contents: Spanning Tree Protocol; Objective; Understanding STP Domain and causes of Topology Change; STP Domain; Topology Changes; Arista Switch on receiving TC flag set BPDU; Tracing TCNs; STEP 1; STEP 2; Syslog Messages; How to avoid unnecessary flooding and unexpected TC events in the network.

Spanning Tree Protocol: A Layer 2 network protocol that ensures a loop-free topology for any bridged Ethernet LAN. The Spanning Tree Protocol allows the network to include redundant links as automatic backup paths that become available when an active link fails, without creating loops or requiring manual intervention. The original STP is standardized as IEEE 802.1D. There are several variations to the...

PVST BPDUs as data plane for MST

Contents: Introduction; Objective; PVST BPDUs in MST Region; How to Prevent flooding of PVST BPDUs in the MST region; MAC Access List; MSTP PVST Interoperability.

Introduction: Arista switches support the leading spanning tree protocols: RSTP, MSTP, and Rapid-PVST. Multiple Spanning Tree Protocol (MSTP/802.1s) is used by default. However, Rapid Spanning Tree Protocol (RSTP/802.1w), as well as Rapid Per-VLAN Spanning Tree (Rapid-PVST), are configurable.

Objective: This article provides an understanding of how PVST BPDUs are processed on Arista switches running MSTP.

PVST BPDUs in MST Region: In the case of Rapid-PVST, to interact properly with the Common Spanning Tree (CST), IEEE BPDUs are sent...

DCS-7280SR2K with FLEXROUTE – A real world use case

When Arista introduced the R-series back in 2015 (publicly announced, available in 2016), it was a game changer. For the first time in networking history, a switch built on merchant-silicon chips was capable of absorbing the full IPv4 and IPv6 Internet tables. This valuable capability opened a full set of new addressable use cases to all vendors that leveraged off-the-shelf ASICs to implement the device forwarding plane. Since then, two more generations have been released, namely the R2 and R3 platforms, which further enhanced both performance and, more relevant to our discussion, scale. Arista Networks has several routers to address Internet...

Configuring Traffic Flows using sFlow in CVP (Cloudvision Portal) 2019.1.x

Contents: Introduction; Requirements; Configuration; Before You Start; Configure sFlow on the switches; Sample sFlow switch configuration; Cloudvision Portal Traffic Flows (Chart Display).

Introduction: Many users rely on 3rd-party flow tools to enable greater visibility into the network and generate alerts when irregular flows have been detected. However, with the growing number of tools being used to provide this visibility, each with its own strengths, the user may experience tool sprawl. In order to reduce the number of tools required within an environment and move towards the goal of a “Single Pane of Glass” to manage our networks, Cloudvision Portal 2019.1.x provides a built-in IPFIX/sFlow collector that...

Configuration Change Email Notification

Using the Event-Handler feature, you can send an email notification whenever the startup configuration has been modified. Below is the basic setup required to configure the email client and Event-Handler.

Email Client

The following email client configuration uses Gmail as the SMTP server, with user itnetops@example.com as the authorized user to send emails. It also uses TLS as the transport to Gmail. Any valid SMTP server can be used for this function.

   email
      from-user itnetops@example.com
      server smtp.gmail.com
      auth username itnetops@example.com
      auth password <password>
      tls

You may also specify a different host port for the server (server host:port) if needed.

Event-Handler...

Selective Packet Truncation in Tap Aggregation

Contents: Selective Packet Truncation in Tap Aggregation; Solution; Configuration; Results; Summary.

Selective Packet Truncation in Tap Aggregation: Packet truncation in tap aggregation mode allows tapped traffic to be truncated to a smaller size before being transmitted. It can be used to reduce the amount of traffic received by analysis devices when only the headers need to be analyzed and the payload of the packets is irrelevant or unwanted for practical or legal reasons. Truncation is applied at either the tap port or the tool port. This means that all traffic either arriving from a source or sent to a tool is subject to the truncation setting. In...

Sending Telemetry Data from TerminAttr to Multiple CVP instances

Contents: Sending Telemetry Data from TerminAttr to Multiple CVP instances; Overview; Introduction; Lab Setup; Resource Considerations; Summary.

Overview: This article will explore the ability of the CloudVision Telemetry agent to send data to more than one CloudVision Portal (CVP) instance, or to CloudVision and a third-party application. The configuration used in this lab was also used as part of the “Synchronising CloudVision Portal Configlets with Ansible” POC lab to enable both CloudVision instances to receive telemetry data from all the switches. The article for “Synchronising CloudVision Portal Configlets with Ansible” can be found here: https://eos.arista.com/synchronising-cloudvision-portal-configlets-with-ansible/...

Migrating from legacy DC design to EVPN VXLAN Fabric

Contents: Introduction; Scope; Migrating Legacy 3-tier L2 architecture to EVPN VXLAN Fabric using Leaf-Spine design; Key Considerations/Strategy for Migration; Migration Procedure; Migration Steps; Migrating Static VXLAN to BGP EVPN VXLAN control plane; Key aspects of this migration approach; Migration Procedure.

Introduction: This document is intended to provide a reference for the steps and sequence followed for: (1) migrating a legacy 3-tier L2 network to an EVPN-based VXLAN environment using a Leaf & Spine design; (2) migrating an L2 Leaf & Spine network with VXLAN using CVX as the control plane to an EVPN-based control plane; (3) migrating an L2 Leaf & Spine network with VXLAN using static VXLAN as the control...

Arista products not affected by CVE-2019-15126 (Kr00k vulnerability)

Kr00k – also known as CVE-2019-15126 – is a vulnerability in certain Wi-Fi chips that allows unauthorized decryption of some WPA2-encrypted traffic. Arista Networks Wi-Fi products (APs and management systems) are not exploitable via the above-mentioned CVE. The vulnerability affects all unpatched devices with Broadcom and Cypress FullMAC Wi-Fi chips. Devices using Wi-Fi chips from other manufacturers, including Qualcomm, Realtek, Ralink and MediaTek, do not exhibit this vulnerability. Arista Networks APs do not use the affected Wi-Fi chips. The vulnerability exploits a bug in the Wi-Fi chipset that...

Arista EOS – IPv6 RFC Compliance

Arista EOS Software is in compliance with the following IPv6 RFCs:

RFC 8200 – Internet Protocol, Version 6 (IPv6) Specification
RFC 4861 – Neighbor Discovery for IP version 6 (IPv6)
RFC 4862 – IPv6 Stateless Address Autoconfiguration
RFC 4443 – Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification
RFC 8504* – IPv6 Node Requirements

* Arista adheres to the best practices guidelines for the functionality supported in EOS.

Introduction to the Network Time Protocol

This document covers the use of the Network Time Protocol (NTP) to synchronize the system clocks on Arista switches. While each switch does have a local clock which can keep time without NTP, each device’s clock will slowly drift out of sync, causing issues such as incorrect timestamps on event logs, which make it difficult to correlate events between devices on the network, and an inability to correctly verify the validity of cryptographic certificates for protocols such as TLS or DNSSEC. EOS comes with support to act as both an NTP client and an NTP server; this document will only...
