Traffic Steering using User-Defined Fields

This article describes the TAP Aggregation User-Defined Fields feature. The purpose of the User-Defined Fields feature is to provide custom offset pattern matching to be used in TAP Aggregation Traffic Steering. This allows for deeper packet inspection of up to 128 bytes. User-Defined Fields, or UDFs, are defined as part of an access-list filter and are comprised of an offset, length and pattern match. This describes a single portion of any incoming packet to match the provided value upon. Access-list filters containing a UDF are then applied as usual as part of a TAP Aggregation Traffic Steering policy. Platform Compatibility DCS-7280E DCS-7280R DCS-7500E...

Understanding Deduplication in Tap Aggregation (NPB)

  1) What is deduplication? Deduplication in the context of packet broker networks (Tap Aggregation) is the ability to detect duplicates of a packet, allowing only the first packet through and dropping other iterations of the same packet.   2) Hardware impacts the Deduplication performance Deduplication, like many features, requires certain hardware characteristics to be supported by the silicon (network processor), which is the foundation of hardware packet processing and forwarding in networking/Ethernet equipment. It allows matching packets, manipulating them, and making forwarding decisions in hardware.   2.1) Processing performance The Arista switches are based on high performance network processors of different...

Latency Analyzer (LANZ) Architectures and Configuration

Introduction   Arista Latency Analyzer, or LANZ, is a technology that tracks and logs buffer congestion and latency in real time.  The visibility provided by LANZ of network hot-spots and microburst oversubscription gives the network operator greater insight into when problems are occurring on the network and why.  With LANZ you will know when congestion happened, track the sources of congestion, and be able to export real-time events to external applications.  LANZ also shows the effect of packet buffering on an application as well as monitors and records packet drops during network congestion.  It is an invaluable tool which allows...

sFlow Generation for Legacy Networks with Tap Aggregation (NPB / Matrix switch)

  sFlow is a standard hardware sampling mechanism available on all the Arista platforms, providing rich statistical information on all ports. sFlow is available in Tap Aggregation mode, allowing additional use cases of Tap Aggregation beyond traffic analysis on analyzer tools: Retro-fitting sFlow to legacy infrastructure Distributed analysis This article focuses on Retro-fitting sFlow to legacy infrastructure.   1) sFlow vs Netflow sFlow is a sampling mechanism implemented in hardware: Widely available on non-legacy platforms, and widely supported on collectors/monitoring software sFlow requires minimal local processing, which contrasts with Netflow, which is very CPU-intensive, making Netflow poorly suited for any high performance...

DANZ – Tap Aggregation optics / transceivers selection

This article clarifies certain criteria that are important to consider in the design of a Network Packet Broker (NPB) aggregating traffic from various sources. For distance reasons, the main type of media used in tap aggregation is optical (multimode or single mode), therefore this article mainly focuses on these media.   1) Understanding Optical Budgets Multiple factors contribute to the degradation of optical signals: Fiber attenuation Insertion loss (e.g. connectors, patch panels and splices) Fiber type mismatch (e.g. connecting 50/125 MMF to 62.5/125 MMF) Over-bending of fibre plant Intermediate passive devices (e.g. taps, attenuators or mode filters)   Media Type Approximate Loss...

DANZ Tap Aggregation – Basic settings – Before you start

Several Arista switches support the DANZ feature set for Tap Aggregation. The tap aggregation mode is a mere configuration (1-2 lines) that transforms a high performance L2/L3 switch into a Tap Aggregator (NPB). This mode requires certain considerations: 1) Tap aggregation – How to select the exclusive mode The tap aggregation mode is exclusive to part of a switch or to the whole switch. Parts of the switch that are excluded from the Tap Aggregation mode can work either in fully L2/L3 forwarding mode (normal switching mode), or in simple hub mode. The options available vary per platform, as per the below list....

Script example – Automating VXLAN deployments with EAPI

  1) Introduction This article describes briefly what is required to deploy overlay networks with VXLAN, but we assume a good understanding of the VXLAN fundamentals. To achieve such VXLAN deployments, multiple options exist, from simple but manual, to fully automated service chaining (orchestration) at the cost of having to also set up a Cloud Management Platform or a network virtualization controller. This article focuses on an easy option that is a good balance between simplicity of operation (automation), and simplicity of setting up (script ready to go).   2) Working towards automation: it is an evolution This article is not providing...

Deep Packet Inspection with Tap Aggregation

Introduction In this article we will focus on the Deep Packet Inspection access list enhancements available in Tap Aggregation Exclusive mode on the Arista 7150 series switches. Deep Packet Inspection (DPI) is an Access List enhancement that was introduced in EOS 4.14.0.F. This feature allows the administrator to inspect and match additional bytes in the packet header after the Layer 2, Layer 3 or Layer 4 header. DPI was designed to be utilized while in Tap Aggregation exclusive mode. Typical Use cases for DPI are: Identifying custom fields in Day zero attacks SLA Enforcement via identifying illegal content Behavioural targeting...

DANZ Table of Contents

Tap Aggregation
  Introduction to Tap Aggregation
  Basic Use of Aggregation Groups
  Tap Aggregation Basic Settings Before You Start
  Filtering with Port ACLs
  Tap Aggregation VLAN List Filtering
  Tap Aggregation Traffic Steering
  Deep Packet Inspection
  Truncation on Tap and Tool Ports
  LLDP on Tap Ports
  Common Challenges with TapAgg
  TapAgg Glossary
Advanced Mirroring
  Introduction to Port Mirroring
  Filtering with Port ACLs
Latency Analyzer (LANZ)
  LANZ Architectures and Configuration
  LANZ Buffer Tuning
Timestamping
  TimeStamping on the 7150
  Timestamping Deep Dive and Frequent Questions
Optics
  Tap Aggregation Optics Selection

Data Analyzer (DANZ) Glossary

Access List (ACL) The switch configuration used for the purpose of filtering Layer 2, Layer 3, or Layer 4 traffic. See Filtering with Port ACLs Advanced Mirroring An Arista feature set which includes support for filtered, multi-destination mirroring, mirroring to EOS of data plane traffic, advanced load-sharing, and packet truncation.   Aggregation Group A configuration or grouping of Tap and Tool ports together where traffic from all Tap ports in a group will be replicated to all Tool ports in the same group.  A tool port can be a member of multiple aggregation groups whereas a tap port is allowed...

DANZ Tap Aggregation – Filtering on inner Q-in-Q header, and stripping outer header – At the same time

  This article documents the ability, for the Arista 7150S in Tap Aggregation mode, to selectively filter on the inner Q-in-Q header, and also strip the outer header on egress, effectively allowing a granular selection of what Q-tagged traffic tools will be receiving. Let's take as traffic example some Q-in-Q traffic: Outer Q-header (Eth-type 0x88a8) – STAG – VLAN ID = 100 Inner Q-header (Eth-type 0x8100) – CTAG – VLAN ID = 101, 102   Packet capture example for this Q-in-Q traffic:   7150S(config)#bash sudo tcpdump -nni mirror0 [...] 22:23:44.040896 00:ab:00:00:02:23 > 00:1c:73:86:00:69, ethertype 802.1Q-QinQ (0x88a8), length 1020: vlan 100, p...

Basic Use of Aggregation Groups

Introduction Aggregation groups provide a means of grouping tool ports to simplify the mapping of a tap port to multiple tools and allow grouping of alike applications. In current releases, each tap port can only be bound to one default aggregation group at any time. A tool port however, can simultaneously be a member of multiple aggregation groups. This is important as it allows multiple tools or tool servers to receive any of the multiple traffic flows input to the tap ports. The Tap Aggregation operator can for example have an IDS/IPS tool receiving the same traffic as an application...

Common challenges with TAP aggregation

Introduction Capturing raw network packet data, whether it be from a mirror port or through an aggregation infrastructure, is often perceived to be a complex task. In reality, most of the anomalies or limitations faced by those starting out with capture have simple explanations and are usually not due to problems with the source devices but instead the capturing tool. This article provides a brief summary of commonly reported issues and some suggested avenues of investigation. Timestamping Timestamps missing or corrupt Check timestamping is configured correctly to match the hosts' expectations (i.e. is the host looking in the right place for...

Truncation on Tap and Tool Ports

Introduction EOS supports truncation on ingress and egress. In this article we will focus on how it can be applied in tap aggregation exclusive mode, on the Arista 7150 line of switches. Please refer to the supported features matrix for other hardware platforms. Truncation is the ability to remove unwanted or unneeded bytes from the packet at a configurable or fixed starting byte position; it may also be referred to as 'Packet Slicing'. This is useful in situations where the data of interest is contained within the headers or early in the packet payload. It can be used to remove...

LLDP on Tap ports

Introduction As of EOS 4.14.0F, users of the tap aggregation features of the Arista 7150S line of switches can benefit from the visibility gained from LLDP on tap ports. Neighbor information will now be processed by the CPU and made available via the EOS CLI. This allows the tap aggregation administrator to view neighbor information for verification and troubleshooting. This article details the use of LLDP neighbor information on tap ports in tap aggregation exclusive mode. Show LLDP commands work in Tap Aggregation Exclusive mode as they do in normal switching mode; no configuration is required. Since tap ports can only receive...

Introduction to TAP aggregation

Introduction Traditional approaches to network monitoring rely on the ongoing collection of generic, high level statistics such as interface utilization from a selection of network devices to detect trends or anomalies in service availability. Such metrics are naturally limited in the level of granularity they can provide and often only provide a hint of real underlying network conditions without providing any visibility into per-application activity or performance. Traditionally, reactive and localized packet capture would be employed to determine the cause of the performance degradation. However, the manual nature of needing to configure packet capture and mirroring and then physically attach...

TAP Aggregation – Traffic Steering

Introduction This article details the ability of the Tap Aggregator to redirect, or steer, traffic away from the aggregation group that the Tap port belongs to. This capability allows for a more granular focus and control on individual, or multiple, traffic flows ingressing the Tap Aggregator. The traffic steering capability uses MQC (QoS style) policy and class maps combined with standard access-lists to perform this function. The feature also allows for the configuration of an identity VLAN different from the identity VLAN associated with the Tap port. This article details the configuration steps necessary to achieve this functionality. The following...

Leveraging Deep Inspection and Traffic Steering for monitoring SIP environments

Introduction With the expansion of SIP (Session Initiation Protocol) and RTP (Real-time Transport Protocol) for IP based telephony applications, enterprises and carriers alike have a requirement to track and capture calls or parts of calls for the purposes of performance analysis and forensic/legal monitoring requirements. This post documents a powerful use of the Deep Inspection and Traffic Steering features to deliver a highly scalable yet cost effective solution for stateful load-sharing of monitored VoIP services, avoiding the need for proprietary hardware (such as FPGA based accelerator modules). As the volumes of calls grow, it is clear that traffic will need to...

Tap Aggregation – Filtering with Port ACLs

  1) Introduction   This article details the filtering of traffic across the Tap Aggregator by using port ACLs. The filters allow granular selection of Layer 2, Layer 3, and Layer 4 traffic on a per-port basis. The following other features might also be of interest, but are out of scope of this article: VLAN membership filters Traffic Steering   2) Filtering Overview   The well known MAC and IP Access-List filtering is used to filter traffic in Tap Aggregation mode, just like it does in switching mode. The Layer 2/3/4 ACLs can be applied on Tap ports, ingress on Tool ports, egress...

Tap Aggregation – VLAN List Filtering

  1) Introduction   A list of allowed VLANs simply specifies, under an interface in Tap Aggregation mode, which VLAN traffic is allowed. Removing VLANs from the allowed list means those VLANs would be blocked. It allows filtering traffic in a flexible manner, directly from the interface command, without creating ACLs or steering policies. This article details how to configure VLAN lists, and combine them to achieve multi-stage VLAN filtering.   2) Allowed VLAN List Definition   An allowed VLAN list is simply a definition of VLAN IDs. By default, all VLANs are allowed. The below commands illustrate the...

Timestamping Deep Dive – Frequent Questions and Tips on Integration

  Introduction Accurate packet timestamps are essential for network event correlation and performance analysis. The Arista 7150S provides hardware timestamping with nanosecond granularity and ≤10ns precision. Timestamping is applied in hardware on all packets, at line rate in parallel. The timestamping format and implementation are detailed in this article: https://eos.arista.com/timestamping-on-the-7150-series/ The present article explains in more detail the internals of timestamping on the 7150S, and provides an overview of expected behaviours, as well as tips for integrating with your tooling environment.   1) How does Timestamping work?   Timestamping on the Arista 7150S is a function of the MAC...

DANZ TAP Aggregation Configuration: Quick Start

TAP Aggregation Overview TAP Aggregation enables N:M packet replication, unlike SPAN/mirror ports, which have limited filtering capability and only a few ports to mirror to. Besides that, Arista's TAP aggregation offering enables users to leverage the extensibility of EOS – see the Introduction to TAP aggregation article for a more in depth overview of TAP aggregation or contact your local account team for an in depth overview of DANZ. Enabling Tap Aggregation By default, Arista switches operate in normal switching mode. To place the switch into TAP aggregation mode, the following configuration must be added: tap aggregation   mode exclusive This configuration disables all ports...

Introduction to Port Mirroring

Introduction Arista EOS enables many flexible capabilities for both control plane and data plane monitoring. Port Mirroring is one of the data plane monitoring facilities. Port Mirroring is used to send a copy of packets seen on one port to a network monitoring connection on another switch port. Port Mirroring is commonly used with network probes or other monitoring devices, for example intrusion detection devices, latency analyzers or packet capture and protocol analysis tools. These dedicated devices can be used for the identification of security breaches, capacity and performance related matters or for analyzing the network traffic. They are usually...