Tag: 4.21.1F


Macsec Proxy For Vxlan

Description
This feature enables MACsec service over VXLAN. MACsec over VXLAN is provided by mapping a VNI and a remote VTEP IP to a MACsec proxy sub-interface. Any packet routed to the MACsec proxy sub-interface is encrypted and tunneled to the remote VTEP. On the receive path, packets are decrypted, then decapsulated and forwarded. MKA negotiates and renews the encryption keys. A MACsec-capable front-panel port has to be dedicated to this purpose and cannot be plugged in, as it is used to recycle the packets being encrypted and decrypted.

Platform compatibility
7280SRAM-48C6, 7280CR2M-30, 7500R2M-36CQ-LC

Configuration
The...

IPV4 Ingress acl support on 7160 platform

Description
The 7160 platform supports two different profiles for configuring ACLs, algomatch and tcam-acl-ipv4-ingress:
algomatch: hash-based implementation for security ACLs.
tcam-acl-ipv4-ingress: TCAM-based implementation for security ACLs. Supports up to 12K ACL rules in the system.
Algomatch is the default profile. The following TCAM features will NOT be functional in tcam-acl-ipv4-ingress profile mode: PBR, IPv6 ingress ACLs, IPv4/IPv6 egress ACLs, QoS ACLs.

Platform compatibility
DCS-7160

Configuration
The following is the CLI for configuring profiles:
switch(config)#platform xp profile ?
  algomatch              algomatch pipeline profile
  tcam-acl-ipv4-ingress  tcam-acl-ipv4-ingress pipeline profile
switch(config)#platform...

Port Vlan Scaling in DCS-7160

Description
In the 7160 platform, the hardware uses a Port-VLAN table to store the configuration for each port/VLAN combination. The platform supports a maximum of 128 ports. As a maximum of 4K VLANs can be configured, the number of possible port/VLAN combinations is very high (512K). The Port-VLAN table supports only 64K entries, which introduces a limitation: if the customer configures all VLANs and enables all ports, the configuration will not fit in the table. Based on customer request, this feature allows the admin to configure beyond this limitation by bypassing...

Support for MACsec Key Retirement Immediate

Description
Support for Media Access Control Security (MACsec) was added in EOS-4.15.4. It introduced the concept of configuring two keys for MKA negotiation: primary and fallback (as a backup). Given a MAC security profile configured on an interface, an actor is created per key, responsible for MKA negotiation with the peer. When a new primary key is configured, the old primary key's actor is retained in the system until the MKA session with the newly configured primary key becomes successful. The same holds for the fallback key. This feature introduces an optional configuration which, if...

MACsec fallback to unprotected traffic

Description
If MACsec is enabled on an interface, it tries to establish MACsec Key Agreement (MKA) session(s) with its peer. If no MKA session can be established successfully, the interface can continue to protect traffic with the last known negotiated key; if no such key exists, it blocks the traffic. This feature introduces an optional configuration which, if provided, allows unprotected traffic whenever there is no successful MKA session with the peer. If MACsec is enabled on an interface with this feature configured, the interface allows unprotected traffic immediately, without waiting...

MSS Clamping

Introduction
This feature clamps the maximum segment size (MSS) in the TCP header of TCP SYN packets if it exceeds the MSS ceiling configured for the interface. Clamping the MSS value helps avoid IP fragmentation in tunnel scenarios by ensuring that the MSS is small enough to accommodate the extra overhead of the GRE and tunnel outer IP headers. One of the most common use cases for this feature is connectivity towards cloud providers via GRE that require asymmetric routing (for example, DDoS protection).

Platform compatibility
The TCP MSS clamping feature is supported on the following platforms: DCS-7020R series, DCS-7280R series...

Match Vlan ID in Mirroring ACLs on Strata based platforms ( RFE268621 )

Description
Added support to match on VLAN ID in mirroring ACLs (IPv4, IPv6 and MAC ACLs).

Platform compatibility
All 7050X, 7050X2, 7050X3, 7060X, 7260X, 7060X2, 7260X3, 7060X3, 7260X3 series platforms

Usage
Create an ACL with a VLAN qualifier:
  a. permit vlan <vlanId> <vlanMask> ip any any
Apply this ACL to the mirroring session:
  a. monitor session <sessionName> source <srcName> rx <aclType> access-group <aclName>
This feature can optionally be used to mirror traffic from a subinterface by programming the internal VLAN ID of the subinterface in the ACL. However, this has some limitations due to the caveats below....

ECN Counters per tx-Queue

Description
This feature supports counting ECN-marked packets per egress port per tx-queue. It can be used to gather per-port, per-tx-queue ECN-marked packet counts via CLI or SNMP. There are two cases in which an ECN (congestion) marked packet is seen on the egress port/queue:
a) An ECN-marked packet ingresses on a port and egresses to a port/queue, i.e. the ECN marking is preserved from ingress to egress.
b) The ingress packet is not ECN congestion marked, but the switch marks it (i.e. changes the ECN bits from b'01 or b'10 to b'11) due to congestion and...

MacSec EAP-FAST support

Support for Media Access Control Security (MACsec) with static keys was added in EOS-4.15.4. This feature brings support for dynamic MAC Security keys. To derive MAC Security keys dynamically, both peers must be configured for 802.1X authentication: one peer must be configured as the 'Authenticator' and the other as the 'Supplicant'. Upon a successful 802.1X authentication sequence between the peers, keying material is generated by both the authenticator and the supplicant. This keying material is then used to derive MAC Security keys to establish a MACsec Key Agreement (MKA) protocol session. The following diagram...

PFC Watchdog Enhancements

Platform capability
DCS-7050X/X2/X3 series, DCS-7060X/X2/X3 series

Supported Schedulers
In previous releases, PFC Watchdog supported only queues configured with guaranteed bandwidth. Now it supports all types of schedulers.

Forced recovery of queues
The Watchdog supports the following mechanisms to recover a stuck queue:
Auto Recovery: recover queue(s) after the PFC storm ceases
Forced Recovery: recover queue(s) after a fixed duration, irrespective of whether a PFC storm is still being received
The default recovery mode is "auto".

Configuration
Forced recovery can be enabled with the following CLI command:
switch(config)#priority-flow-control pause watchdog default recovery-time <0.01 - 60.0 seconds> forced

Syslog
The existing syslog for recovery time has...

GRE Tunneling support

This feature introduces hardware forwarding support for IPv4-over-IPv4 GRE tunnel interfaces in Arista switches. A GRE tunnel interface acts as a logical interface that performs the GRE encapsulation or decapsulation.

Platform compatibility
Hardware forwarding of GRE tunnel interfaces is supported on the following Arista switches: DCS-7020R, DCS-7280R, DCS-7500R. Hardware forwarding of GRE tunnel interfaces on DCS-7500R is supported only if all linecards in the system have Jericho family chipsets.

Configuration
Configuration for creating a GRE tunnel interface on the local Arista switch:
arista1(config)#ip routing
arista1(config)#interface Tunnel 10
arista1(config-if-Tu10)#tunnel mode gre
arista1(config-if-Tu10)#ip address 192.168.1.1/24
arista1(config-if-Tu10)#tunnel source 10.1.1.1
arista1(config-if-Tu10)#tunnel...

ASN-mode regular expressions for BGP AS_PATH attributes

Description
AS path access lists use regular expressions to filter the AS_PATH attributes of BGP routes. EOS offers two modes for the regular expressions: string mode and ASN mode. The string mode uses POSIX regular expressions and is not discussed here. This TOI focuses on the ASN-mode regular expressions.

Configuration
The ASN mode is the default mode, and it can be explicitly enabled with the ip as-path regex-mode command:
ip as-path regex-mode asn
The ip as-path access-list command takes a regular expression that is used to filter BGP routes:
ip as-path access-list <name> <permit|deny> <regex> [<origin>]

ASN-Mode Regular Expressions
Base Elements
Base elements...

BGP Support Multiple Community or Extcommunity Matches in a Single Route Map Sequence

Description
Currently, a single route-map sequence can have a "match community" and a "match extcommunity" clause; however, only one community list can be used with each. This results in the need to specify multiple route-map sequences with deny statements to match multiple community lists in a route-map. Supporting multiple community lists per "match community/extcommunity" clause simplifies policy configuration. For example, consider the following:
route-map GLOBAL-PEER-OUT permit 100
    match community ALL-RR
    continue 300
route-map GLOBAL-PEER-OUT deny 200
route-map GLOBAL-PEER-OUT permit 300
    match community PREPEND1-BILATERAL-AS15169-EXTERNAL
    set metric 0
    set as-path prepend 15169
...

EOS-4.21.1F TOI Index Page

BGP Support Multiple Community or Extcommunity Matches in a Single Route Map Sequence
ASN-mode regular expressions for BGP AS_PATH attributes
PFC Watchdog Enhancements
ECN Counters per tx-Queue
Match Vlan ID in Mirroring ACLs on Strata based platforms ( RFE268621 )
GRE Tunneling support
MSS Clamping
Macsec Proxy For Vxlan
MACsec fallback to unprotected traffic
IPV4 Ingress acl support on 7160 platform
Port Vlan Scaling in DCS-7160
Support for MACsec Key Retirement Immediate
MacSec EAP-FAST support
