• Category : Security


User passwords with blank spaces

Overview: Arista EOS allows users to define local user accounts using the command “username <name> secret <password>”, where <password> is a plain text password. However, the Arista CLI does not accept blank spaces in the <password> portion of the command. This restriction is due to a limitation in the parsing algorithm EOS uses to find the password in the command: the algorithm does not recognize blank spaces when parsing the password. To work around this issue, a password with blank spaces can be manually converted to a SHA512 hash and the hash can be applied to...
Continue reading →

Tap Aggregation Tip: Popping MPLS tags for Untagged or VLAN based Tools

In Tap Aggregation scenarios common in WAN and Service Provider environments, MPLS tags are present. Many of the analysis tools do not understand these tags, so the Arista DANZ feature set allows them to be removed. This functionality has been available since 4.15.0F, but it initially had the limitation that the traffic would always be sent out the Tool port with a VLAN tag. However, some tools understand neither MPLS nor VLAN tags, so this tip describes how to deal with both 802.1q and untagged scenarios. Step 1: Configure MPLS pop/strip on the Tap port:...
Continue reading →

Arista Any Cloud Platform – Security Use Case

Introduction: In this document we will demonstrate how to effectively leverage Arista’s vEOS Router in a Transit – Edge VPC model to satisfy a common security use case. As most companies look to move into the public cloud space, security vulnerabilities have gained more focus than ever before. Objective: Provide a centralized security model within an AWS region, which will allow for ease of visibility and control. Deploying separate AWS Internet Gateways in every VPC increases complexity and vulnerabilities in the public cloud space. Prerequisites: This document assumes that you have the following architecture deployed: A Transit – Edge VPC topology deployed...
Continue reading →

Using stunnel (TLS Proxy) to secure OpenFlow on EOS

Do you have an OpenFlow controller that supports communication channel encryption via TLS and you’d like to take advantage of that option with an Arista switch? No problem! Just follow these simple steps and in mere minutes you’ll have a secure TLS connection up and running. Just imagine the look of shock and amazement on the faces of your friends, family and coworkers as you extend the capabilities of your EOS powered switch in near real time!

1) Please download Stunnel from here: http://dl.fedoraproject.org/pub/archive/fedora/linux/releases/14/Fedora/i386/os/Packages/stunnel-4.33-1.fc14.i686.rpm
2) Copy it to flash on the switch: switch#copy scp://@//stunnel-4.33-1.fc14.i686.rpm flash:
3) Install the...
Continue reading →

VXLAN: security recommendations

Abstract: This document provides recommendations for increasing security in multitenant network environments built on Arista Networks devices using VXLAN. Introduction: One of the crucial qualities of modern cloud network infrastructure is scalability. Scalability can’t be achieved if the security of network operations inside the cloud is compromised. For example, load scalability is not achievable in environments where the VMs are not able to operate because the network between them is not working properly due to hijacked MAC addresses. One of the technologies used nowadays to address the challenges with scalability inside the cloud networks...
Continue reading →

How to Install & Configure Arista’s DirectFlow Assist for Palo Alto Firewalls

Contents: Summary; Prerequisite Concepts; Configuring QoS Markings; Configuring the DFA Modes; DFA Installation; Palo Alto Configuration; Troubleshooting. Summary: For the high-level solution brief, view the Palo Alto Solution Brief. One of the many features of having an Arista switch is the ability to install extensions on the box. Remember that you can manage the Arista switch as if it were a Linux server (it actually is, but that’s outside the scope of this article) – and because of this we can install RPM packages. One of the packages we can install is Arista’s DirectFlow Assist (DFA), which...
Continue reading →

