The L2 EVPN MPLS feature is available when configuring BGP in the multi-agent routing protocol model. Ethernet VPN (EVPN) is an extension of the BGP protocol introducing a new address family: L2VPN (address family number 25) / EVPN (subsequent address family number 70). It is used to exchange overlay MAC and IP address reachability information between BGP peers.

802.1X is an IEEE standard protocol that prevents unauthorized devices from gaining access to the network.

Feature provides a way to set the Passive role in BFD session initialization. A system taking the Passive role does not begin sending BFD control packets for a particular session until it has received a BFD packet for that session, and thus has learned the remote system's discriminator value.

Stale routes are learned routes from adjacent BGP neighbors whose neighborship has been interrupted by session instability. This feature adds a mechanism to specify a stale policy route-map for which the stale routes from a gracefully restarting, or depending on the configuration of the feature, a non-gracefully restarting BGP peer will be processed.

This feature allows customers to make the status of a MPLS static route dependent on the state of a BGP peer. When this feature is enabled for a static route, it will be programmed only if the monitored BGP peer session is up. 

EOS currently supports BGP message authentication via the TCP MD5 Signature (TCP MD5) option (RFC 2385) to protect the BGP sessions from spoofed TCP segments. However, research has shown many concerns that the TCP MD5 algorithm is cryptographically ineffective with a just simple keyed hash for authentication.

This document presents Arista Macro-Segmentation Service - Firewall (MSS-FW) deployment in a network with multiple Virtual Routing and Forwarding (VRF) instances.

Arista’s DCS-7130LBR series of switches are powerful network devices designed for ultra latency applications along with a wealth of networking features.

Support for DHCPv4 (RFC 2131)  and DHCPv6 Server (RFC 8415) was added to EOS-4.22.1 and EOS-4.23.0 respectively. EOS DHCP server leverages ISC Kea as backend. The router with DHCP Server enabled acts as a server that allocates and delivers network addresses with desired configuration parameters to its hosts.

This feature allows users to change the scale of IPV6 and MAC subinterface ACLs by changing the port qualifier size (range used for ACL label allocation) through the tcam profile. Increasing the port qualifier size increases the ACL label range, thus allowing more number of ACLs vice versa.

Dynamic NAT connection limit is a feature which allows to limit the number of dynamic NAT connections.

The SRTE Policy metric is used as a tie-breaker when picking two policies with the same cost value, otherwise the cost determines the preferred policy, currently there are commands to manually configure metrics for each SRTE Policy as described in Configurable IGP Preference and Metric for SR-TE Policies

The feature allows to create a named TC to DSCP mapping that can be applied on an interface.DSCP of routed packets egressing out of the interface will be rewritten according to the map.

AVA switch sensor aka “monitor security awake” feature provides deep network analysis by doing deep packet inspection of some or all packets of traffic that's forwarded by the switch. It continuously monitors enterprise devices, users, and applications wherever they are, even as IP addresses change while maintaining a forensic record of past activities. This functionality can be enabled/disabled on the fly without impacting regular packet forwarding functionality.

This feature allows BGP speakers that support L2 EVPN to exchange system router MAC addresses of virtual gateway IP addresses configured on a SVI interface. The receiving device will treat these MAC addresses as local system router MAC addresses, if it has the same IP addresses configured as virtual IP addresses on the corresponding (Bridge ID) SVI interfaces.

E-Tree is an L2 EVPN service (defined in RFC8317) in which each attachment circuit (AC) is assigned a role of Root or Leaf.

Flexible cross-connect service is an extension of EVPN MPLS Virtual Private Wire Service (VPWS) (RFC 8214). It allows for multiplexing multiple attachment circuits across different Ethernet Segments and physical interfaces into a single EVPN VPWS service tunnel while still providing single-active and all-active multi-homing.

EOS supports the ability to match on a single VLAN tag (example: encapsulation dot1q vlan 10)  or a VLAN tag pair (example: encapsulation dot1q vlan 10 inner 20) to map matching packets to an interface. In this case, the encapsulation string is considered consumed by the mapped interface before forwarding, which means that the tags are effectively removed from the incoming packet for the purposes of any downstream forwarding.

Forwarding destination prediction enables visibility into how a packet is forwarded through the switch, allowing you to determine which interfaces a packet would egress out of. Typical use cases include, but are not limited to, determining egress members for Port-Channels and ECMPs.
Note that ECMPs and Port-Channels are essentially the same in terms of forwarding destinations.

This document is an extension to the decap group feature, that allows IPv4 addresses to be configured and used as part of a group. Now we will be able to configure IPv4 prefixes as a decap group.

This feature will allow the user to select whether port mirror destinations of type GRE tunnel include the optional “key” field in the GRE header on certain platforms.  The key field allows the user to uniquely identify a particular packet flow.  The feature also allows the user to specify the value of the 32 bit key field.  The format of the key field within the GRE header can be seen in RFC 1701 - Generic Routing Encapsulation (GRE).

A L2 sub-interface is a logical bridging endpoint associated with traffic on an interface distinguished by 802.1Q tags, where each <interface, 802.1q tag> tuple is treated as a first class bridging interface.


Media Access Control Security (MACSec) is an industry standard encryption mechanism that protects all traffic flowing on the Ethernet links. MACSec is based on IEEE 802.1X and IEEE 802.1AE standards.

Media Access Control Security (MACSec) is an industry standard encryption mechanism to protect all traffic flowing on Ethernet links. Mac Security is described in IEEE 802.1X and IEEE 802.1AE standards.

Arista's 7130 Connect Series of Layer 1+ switches are powerful network devices designed for ultra low latency and offer a wealth of integrated management features and functionalities.

MetaMux is an FPGA-based feature available on Arista’s 7130 platforms. It performs ultra-low latency Ethernet packet multiplexing with or without packet contention queuing. The port to port latency is a function of the selected MetaMux profile, front panel ingress port, front panel egress port, FPGA connector ingress port, and platform being used.

MetaWatch is a FPGA-based feature available for Arista 7130 L-Series and LB-Series platforms. It provides precise timestamping of packets, aggregation and deep buffering for up to 48x Ethernet links at 10G. Timestamp information and other metadata such as device and port identifiers are appended to the end of the packet as a trailer.

This feature allows users to preserve IP TTL and MPLS EXP (also known as TC) value on MPLS routers, as well as add a user-specified TTL/EXP value when pushing new MPLS labels in pipe mode.

This feature extends the multi-domain EVPN VXLAN feature introduced to support interconnect with EVPN MPLS networks. The following diagram shows a multi-domain deployment with EVPN VXLAN in the data center and EVPN MPLS in the WAN. Note that this is the only supported deployment model, and that an EVPN MPLS network cannot peer with an EVPN MPLS network.

This feature adds streaming support for the IS-IS Link State Database OpenConfig model via gNMI. The current implementation supports a limited number of IS-IS TLVs and subTLVs.

Configure trust mode for trusting traffic from phone’s, but not any other traffic coming from the same interface.

This article is intended to discuss how to configure the Phone VLAN on an Arista switch.

This feature allows PIMv4 to work with Multiprotocol BGP (MP-BGP), where IPv4 prefix routes are reachable via IPv6 next-hops.

Allows the user to configure explicit QoS trust settings viz. trust mode, default cos and default dscp on subinterfaces, which may or may not be the same as the parent interface.

RFC2544 defines a number of benchmark tests that may be used to describe the performance characteristics of a network interconnecting device(s). Starting from 4.28.1F, Arista switches support throughput test belonging to a set of benchmark tests as defined in RFC2544. Starting from 4.29.0F, Arista switches support frame loss rate test.

The original IPv6 Neighbor Discovery specification in RFC4861 instructs all devices to discard any neighbor-advertisement (NA) message received from a neighbor, if there is no existing entry already present in the neighbor cache.

Routing control functions (RCF) is a language that can be used to express route filtering and attribute modification logic in a powerful and programmatic fashion.
This document serves as a reference guide for

Routing Control Functions (RCF) is a language that can be used to express route filtering and attribute modification logic in a powerful and programmatic fashion. This document covers Configurations of a RCF function for BGP points of application, CLI show commands to provide visibility into operational status, and the protocol attributes supported for BGP points of application.

RSVP-TE, the Resource Reservation Protocol (RSVP) for Traffic Engineering (TE), is used to distribute MPLS labels for steering traffic and reserving bandwidth. The Label Edge Router (LER) feature implements the headend functionality, i.e., RSVP-TE tunnels can originate at an LER which can steer traffic into the tunnel.

This feature allows the user to configure upto 1023 unique QoS Policy-maps per chip.

This document describes the support for authenticating users using SSH certificates and the authorized principals command in EOS. SSH certificate authentication was previously restricted to just using the authorized principals file. This file is populated by configuring authorized principals for each user. In order to login with a SSH certificate a user must present a certificate that includes at least one of their configured principals. The authorized principals command allows this list of configured principals to be generated by an executable dynamically at runtime. This provides a more flexible and scalable way to perform SSH certificate authentication.

Interface reflectors are useful to make sure a service provided to customers is working as expected and it's within SLA constraints.

Support for Media Access Control Security ( MACsec ) was added in EOS-4.15.4. MACsec defines a secure channel ( SC ) from one peer to another peer as a security relationship which provides security guarantees for the frames transmitted from the first peer to the second peer.

This feature adds support for configuring multiple area addresses in an IS-IS instance.

The feature allows the user to determine the rate of ingress packets on a class-map over a span of a specified interval. This specified interval is the global load-interval (default value is 5 minutes). 

Currently EOS supports redistribution into BGP at the global (instance) level. Also EOS supports redistribution in

Access Control Lists (ACL) use packet classification to mark certain packets going through the packet processor pipeline and then take configured action against them. Rules are defined based on various fields of packets and usually TCAM is used to match packets to rules. For example, there can be a rule to match the packet source IP address against a list of IP addresses, and drop the packet if there is a match.

Overlay IPv6 routing over VXLAN tunnel using an anycast gateway (direct routing) has been previously supported using the “ipv6 virtual-router” configuration for both the data-plane and EVPN (or CVX) control-plane learning environments. 

This feature allows customers to configure BFD intervals on a per BGP neighbor basis. We also have existing support for the configuration of BFD intervals on a per interface basis and the configuration of BFD intervals globally on the entire device.

SWIM (SWI Modularized) is a change to the format of EOS.swi. It is a feature that is mostly internal, but has a few customer visible side-effects one should be mindful of.