Posted on December 21, 2020 4:37 am
 |  Asked by Farshid Hajizeinalabedin
 |  286 views
RESOLVED

Hello,

We have 2x Arista 7050 in MLAG mode and we want to have an IDS to detect attacks via port mirroring, so my questions are:

  1. Should I connect 1x 10G from the IDS to Arista #1 and a second 10G from the IDS to Arista #2, with LACP on the IDS side as well as on the Arista side? Then set up a monitor session from my uplinks (they are port-channels) to this port-channel that is connected to the IDS?
  2. I am using Arista 7050s; do they support mirroring from multiple source port-channels to one destination port-channel? If not, what should I do?
  3. Does mirroring 6-7x port-channels to 1x port-channel impact the Arista CPU, or is mirroring done in switch hardware and not on the CPU?
  4. Can I safely run port mirroring without worrying about impacting the CPU?
  5. If I want to use sFlow instead of port mirroring, does it impact the control-plane CPU, even when I face a huge volumetric DDoS? I want to choose 1:2048 packet sampling.

Thanks,

Posted by Sneha Rajeev
Answered on February 1, 2021 2:07 pm

Hello,

  1. You could configure a port-channel as mentioned. As it is an MLAG port-channel, ensure that the port-channel number on the MLAG peers is the same. Also, check that the same ‘mlag’ configuration is present on the port-channel interface of the MLAG peer and is matched on both ends.
  2. Yes, these devices do support that. Please refer to the following article for more details: https://eos.arista.com/introduction-to-port-mirroring/#Platform_Port_Mirroring_Capabilities
  3. Port mirroring is performed in hardware on all Arista switch platforms.
  4. Same as point 3.
  5. Running sFlow with higher sampling rates will result in increased CPU utilization. We do support hardware sFlow on certain other platforms: https://eos.arista.com/eos-4-20-5f/hardware-accelerated-sflow/

Thanks,

Sneha
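The setup discussed in the question and answer above, written out as an added EOS configuration example (not from the original thread or from Arista). Interface numbers, port-channel IDs and the sFlow collector address are constructed; it assumes mirror sessions are not synchronized by MLAG, so the mirror and destination port-channel configuration is applied on each peer separately with the same port-channel and mlag IDs.

```text
! Added example, not from the original thread. Shown for MLAG peer #1;
! peer #2 gets the same mirror configuration with its own Ethernet member port.
! Interface numbers, port-channel IDs and the collector address are constructed.

! Uplinks already exist as MLAG port-channels, e.g. Port-Channel1..3
! (only one shown here; their mlag IDs match on both peers).
interface Port-Channel1
   description uplink-1 (source of mirrored traffic)
   mlag 1

! Destination port-channel towards the IDS: one 10G member on each peer,
! LACP on the IDS side too. Same port-channel number and mlag ID on both peers.
interface Ethernet49/1
   description to-IDS 10G
   channel-group 100 mode active
interface Port-Channel100
   description IDS mirror destination
   mlag 100

! Hardware mirror session: several source port-channels, one destination.
monitor session IDS source Port-Channel1 both
monitor session IDS source Port-Channel2 both
monitor session IDS source Port-Channel3 both
monitor session IDS destination Port-Channel100

! Alternative from question 5: sFlow at 1-in-2048 instead of full mirroring.
! Constructed collector address; verify control-plane load under peak traffic.
sflow sample 2048
sflow destination 192.0.2.10
sflow source-interface Management1
sflow run

! Checks after applying:
! show monitor session IDS      - sources, destination, session state
! show mlag interfaces detail   - Po100 should be active on both peers
! show sflow                    - sampling rate, datagrams sent to collector
! show processes top            - control-plane CPU while sFlow is running
```

Because the IDS link is an MLAG port-channel, a mirror session that exists on only one peer will leave the copy of traffic from the other peer's uplink members unmirrored, so the `show monitor session` output should be checked on both switches.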
