This feature provides protocol-independent UCMP (unequal-cost multipath) support for all routes that follow the IGP path, provided the protocol itself performs no UCMP computation. Enabling it allows optimal bandwidth utilization across links: link capacity is taken into account when assigning weights to the nexthop members of every route that follows the IGP path.

802.1X is the IEEE standard for port-based network access control; it prevents unauthorized devices from gaining access to the network.

This feature supports upgrading Aboot firmware via an Aboot Update File (AUF). The aim is to be able to provide a signed

Starting from 4.27.2F, IPFIX sampling can report BGP metadata for routes resolving over various tunnel types (ISIS-SR tunnels, NexthopGroups, etc.). For example, for BGP over ISIS-SR the BGP nexthop reported is 100.0.0.1

Agile ports allow users to connect 40G interfaces on 7130 products utilizing multiple SFP ports per 40G capable interface. This enables 40G capable applications, such as MetaConnect and MetaWatch, to operate at that speed.

EOS currently supports BGP message authentication via the TCP MD5 Signature option (TCP MD5, RFC 2385) to protect BGP sessions from spoofed TCP segments. However, TCP MD5 is widely regarded as cryptographically weak: it authenticates each segment with nothing more than a simple keyed hash.
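The RFC 2385 computation itself is short enough to show, and seeing it makes the weakness concrete: the key is simply appended to the hashed bytes (MD5, not an HMAC), there is no key identifier, so a key cannot be rolled without tearing down the session, and there is no algorithm agility (the successor, TCP-AO in RFC 5925, obsoletes RFC 2385 for these reasons). The following is an added example written for this page, not code from EOS or from the original document; the addresses, sequence numbers and shared secret are constructed.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

TCP_PROTO = 6
BGP_PORT = 179

# Constructed shared secret for the example (not a real key).
SHARED_KEY = b"example-bgp-secret"


def build_tcp_header(sport, dport, seq, ack, flags, window, options=b"", checksum=0):
    """Build the fixed 20-byte TCP header; the data offset counts the (4-byte padded) options."""
    assert len(options) % 4 == 0, "TCP options must be padded to a multiple of 4 bytes"
    data_offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, window, checksum, 0)


def tcp_md5_digest(src_ip, dst_ip, fixed_header, options, payload, key):
    """RFC 2385 signature: MD5 over the TCP pseudo-header, the fixed TCP header with the
    checksum zeroed (options are excluded from the hash but counted in the segment
    length), the segment payload, and finally the shared key."""
    segment_len = len(fixed_header) + len(options) + len(payload)
    pseudo_header = (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
                     + struct.pack("!BBH", 0, TCP_PROTO, segment_len))
    header_zero_csum = fixed_header[:16] + b"\x00\x00" + fixed_header[18:]
    return hashlib.md5(pseudo_header + header_zero_csum + payload + key).digest()


def verify_tcp_md5(src_ip, dst_ip, fixed_header, options, payload, key, received_digest):
    """Receiver side: recompute and compare in constant time.  A mismatch means the
    segment is dropped silently, which is what protects the session from spoofed segments."""
    expected = tcp_md5_digest(src_ip, dst_ip, fixed_header, options, payload, key)
    return hmac.compare_digest(expected, received_digest)


def demo():
    """Sign a BGP KEEPALIVE (16-byte all-ones marker, length 19, type 4) and check that a
    wrong key, a modified payload or a spoofed source address all fail verification."""
    header = build_tcp_header(BGP_PORT, 50000, seq=1000, ack=2000, flags=0x18, window=65535)
    keepalive = b"\xff" * 16 + struct.pack("!HB", 19, 4)
    src, dst = "192.0.2.1", "192.0.2.2"
    sig = tcp_md5_digest(src, dst, header, b"", keepalive, SHARED_KEY)
    return {
        "digest_len": len(sig),
        "valid": verify_tcp_md5(src, dst, header, b"", keepalive, SHARED_KEY, sig),
        "wrong_key": verify_tcp_md5(src, dst, header, b"", keepalive, b"wrong-secret", sig),
        "tampered": verify_tcp_md5(src, dst, header, b"", keepalive[:-1] + b"\x02", SHARED_KEY, sig),
        "spoofed_source": verify_tcp_md5("203.0.113.9", dst, header, b"", keepalive, SHARED_KEY, sig),
    }


if __name__ == "__main__":
    print(demo())
```

Because the pseudo-header is covered, a segment replayed from a different source address fails just as a tampered payload does; what the scheme cannot do is survive key compromise gracefully or be upgraded to a stronger hash without changing the option format.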

Support for a DHCPv4 server (RFC 2131) and a DHCPv6 server (RFC 8415) was added in EOS-4.22.1 and EOS-4.23.0 respectively. The EOS DHCP server uses ISC Kea as its backend. A router with the DHCP server enabled allocates and delivers network addresses, along with the desired configuration parameters, to its hosts.

DirectFlow runs alongside the existing layer 2/3 forwarding plane, enabling a network architecture that incorporates new capabilities, such as TAP aggregation and custom traffic engineering, alongside traditional forwarding models. DirectFlow allows users to define flows that consist of match conditions and actions to perform that are a superset of the OpenFlow 1.0 specification. DirectFlow does not require a controller or any third party integration as flows can be installed via the CLI.

On the 7280R3/7500R3/7800R3 platforms, the EXP rewrite for IP-MPLS routed flows is derived from the DSCP of the packet. Using a QoS policy map, the DSCP can be set as needed. However, in this process the egress IP TOS was also changed, which may cause issues later at the customer edge.

The NDR switch sensor, also known as the “monitor security awake” feature, provides deep network analysis by performing deep packet inspection on some or all of the traffic forwarded by the switch.

As Ethernet technologies made their way into the Metropolitan Area Networks (MAN) and the Wide Area Networks (WAN), from the conventional enterprise level usage, they are now widely being used by service providers to provide end-to-end connectivity to customers. Such service provider networks are typically spread across large geographical areas. Additionally, the service providers themselves may be relying on certain internet backbone providers, referred to as “operators”, to provide connectivity in case the geographical area to be covered is too huge. This mode of operation makes Operations, Administration and Maintenance (OAM) of such networks far more challenging, and the ability of service providers to respond swiftly to network faults directly impacts their competitiveness.

RFC 7432 defines the MAC/IP advertisement NLRI (route type 2) for exchanging reachability information for the MAC addresses of EVPN overlay end hosts. When an EVPN MAC/IP route contains more than one path to the same L2 destination, the EVPN MAC/IP best-path selection algorithm determines which of these paths should be considered the best path to that L2 destination.

Ethernet VPN (EVPN) is an extension of the BGP protocol introducing a new address family: L2VPN (address family

In the traditional data center design, inter-subnet forwarding is provided by a centralized router, where traffic traverses across the network to a centralized routing node and back again to its final destination. In a large multi-tenant data center environment this operational model can lead to inefficient use of bandwidth and sub-optimal forwarding.

EVPN MPLS VPWS (RFC 8214) provides the ability to forward customer traffic to / from a given attachment circuit (AC) without any MAC lookup / learning. The basic advantage of VPWS over an L2 EVPN is the reduced control plane signalling due to not exchanging MAC address information. In contrast to LDP pseudowires, EVPN MPLS VPWS uses BGP for signalling. Port based and VLAN based services are supported.

EVPN gateway support for all-active (A-A) multihoming adds a new redundancy model to our multi-domain EVPN solution introduced in [1]. This deployment model introduces the concept of a WAN Interconnect Ethernet Segment identifier (WAN I-ESI). The WAN I-ESI allows the gateway’s EVPN neighbors to form L2 and L3 overlay ECMP on routes re-exported by the gateways. The identifier is shared by gateway nodes within the same domain (site) and set in MAC-IP routes that cross domain boundaries.

Introduced in EOS 4.31.0F, extended hashing can be configured to significantly reduce the chances of polarization by introducing additional entropy to the load balance keys used in LAG and ECMP based on an extended hashing seed.
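Polarization is easiest to understand with a small model: when every tier of a fabric computes the same hash over the same fields, the flows that arrived at a given tier-2 device via "link 0" are exactly the flows whose hash is even, so that device's own hash sends all of them out its "link 0" and the other links sit idle. The simulation below is an added example written for this page (not EOS code; EOS's real hash function and the meaning of its seed are not modelled): a seed of 0 everywhere stands for the default identical hash, and distinct per-device seeds stand for the additional entropy extended hashing introduces.

```python
import hashlib


def load_balance_hash(flow_key, seed=0):
    """Model of a LAG/ECMP hash: the flow key (5-tuple string) mixed with a device seed.
    A seed of 0 on every device stands for the default, identical hash everywhere."""
    data = seed.to_bytes(4, "big") + flow_key.encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def simulate_two_tiers(flows, tier2_seeds, links_per_device=2):
    """The tier-1 device spreads flows over its uplinks; each tier-2 device then spreads
    the flows it received over its own uplinks.  Returns, per tier-2 device, the set of
    uplinks that actually carried traffic."""
    used = {dev: set() for dev in range(links_per_device)}
    for flow in flows:
        tier1_link = load_balance_hash(flow, seed=0) % links_per_device
        tier2_device = tier1_link                      # uplink i leads to tier-2 device i
        tier2_link = load_balance_hash(flow, seed=tier2_seeds[tier2_device]) % links_per_device
        used[tier2_device].add(tier2_link)
    return used


def constructed_flows(n=512):
    """Constructed 5-tuples: many clients talking to one HTTPS server."""
    return [f"10.0.{i >> 8}.{i & 255}:{40000 + i}->192.0.2.10:443/tcp" for i in range(n)]


def demo():
    flows = constructed_flows()
    polarized = simulate_two_tiers(flows, tier2_seeds={0: 0, 1: 0})
    extended = simulate_two_tiers(flows, tier2_seeds={0: 0x5A5A, 1: 0xA5A5})
    return {
        "polarized_links_used": {dev: len(links) for dev, links in polarized.items()},
        "extended_links_used": {dev: len(links) for dev, links in extended.items()},
    }


if __name__ == "__main__":
    print(demo())
```

With identical hashing each tier-2 device uses exactly one of its two uplinks, regardless of how many flows there are; with per-device seeds both uplinks carry traffic. The same effect applies to LAG member selection, since the hash input is the same.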

The Segment security feature provides the convenience of applying policies on segments rather than interfaces or subnets. Hosts/networks are classified into segments based on prefixes. Grouping prefixes into segments allows for definition of policies that govern flow of traffic between segments.

IP Locking is an EOS feature configured on an Ethernet Layer 2 port. When enabled, it ensures that the port only permits IP and ARP packets whose IP source addresses have been authorized. As of the EOS-4.25.0F release, IP Locking can run in two modes, IPv4 Locking (referred to below simply as IP Locking) and IPv6 Locking, which are configured using the commands in the sections below. IP Locking prevents a host on a different interface from claiming ownership of an IP address through either IP or ARP spoofing.
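The check the feature performs is worth seeing at the byte level, because ARP and IP carry the claimed source address in different places: the IPv4 source field for IP packets and the sender protocol address (SPA) for ARP. The code below is an added example written for this page, not EOS code; the port names, MAC addresses, bindings and frames are constructed, and the decision to pass through EtherTypes other than IPv4 and ARP is an assumption of the model rather than documented EOS behaviour.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def source_ip_of(frame):
    """Return the IPv4 address a frame claims as its source: the IP header's source
    field for IPv4, the sender protocol address for ARP, None for other EtherTypes."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_IPV4:
        return str(IPv4Address(frame[26:30]))       # 14-byte Ethernet + 12 bytes into IPv4
    if ethertype == ETHERTYPE_ARP:
        return str(IPv4Address(frame[28:32]))       # 14-byte Ethernet + 14 bytes into ARP (SPA)
    return None


def ip_lock_permits(port, frame, bindings):
    """bindings maps each locked port to its set of authorized IPv4 addresses.
    Unlocked ports and non-IP/ARP frames are passed through (an assumption of this model)."""
    if port not in bindings:
        return True
    src = source_ip_of(frame)
    if src is None:
        return True
    return src in bindings[port]


def ethernet(dst_mac, src_mac, ethertype, payload):
    return (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
            + struct.pack("!H", ethertype) + payload)


def arp_request(sender_mac, sender_ip, target_ip):
    """Minimal ARP request (opcode 1) for Ethernet/IPv4."""
    return (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)
            + bytes.fromhex(sender_mac.replace(":", "")) + IPv4Address(sender_ip).packed
            + b"\x00" * 6 + IPv4Address(target_ip).packed)


def ipv4_packet(src_ip, dst_ip, proto=17, payload=b""):
    """Minimal IPv4 header (checksum left at zero; the lock only reads the source field)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed) + payload


def demo():
    # Constructed bindings: host A on Ethernet1 owns 10.0.0.5, host B on Ethernet2 owns 10.0.0.6.
    bindings = {"Ethernet1": {"10.0.0.5"}, "Ethernet2": {"10.0.0.6"}}
    host_a, host_b = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    bcast, gw = "ff:ff:ff:ff:ff:ff", "00:00:5e:00:01:01"
    legit_arp = ethernet(bcast, host_a, ETHERTYPE_ARP, arp_request(host_a, "10.0.0.5", "10.0.0.1"))
    spoofed_arp = ethernet(bcast, host_b, ETHERTYPE_ARP, arp_request(host_b, "10.0.0.5", "10.0.0.1"))
    spoofed_ip = ethernet(gw, host_b, ETHERTYPE_IPV4, ipv4_packet("10.0.0.5", "192.0.2.10"))
    legit_ip = ethernet(gw, host_b, ETHERTYPE_IPV4, ipv4_packet("10.0.0.6", "192.0.2.10"))
    return {
        "legit_arp_on_Ethernet1": ip_lock_permits("Ethernet1", legit_arp, bindings),
        "spoofed_arp_on_Ethernet2": ip_lock_permits("Ethernet2", spoofed_arp, bindings),
        "spoofed_ip_on_Ethernet2": ip_lock_permits("Ethernet2", spoofed_ip, bindings),
        "legit_ip_on_Ethernet2": ip_lock_permits("Ethernet2", legit_ip, bindings),
    }


if __name__ == "__main__":
    print(demo())
```

Host B's attempt to claim 10.0.0.5 is rejected both when it does so through ARP (a gratuitous or poisoned reply would carry the same SPA) and when it simply sources IP traffic from that address; its own address passes.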

This feature makes a switch act as a neighbor discovery proxy for IPv6 subnets. It can be used in conjunction with BUM

This feature allows encapsulating (and decapsulating) L2 traffic from a given interface or subinterface over a GRE tunnel. An MPLS label is added to identify the ingress interface (similar to MPLS pseudowires) and the GRE tunnel is used to transport the packets to a remote endpoint.

Log pruning is triggered every minute to examine the /var/log/agents directory for agent log files from repeated restarts of the agent and remove the “middle” log files to save storage and memory resources.  This is new behavior that is always enabled.

MetaWatch is an FPGA-based feature available for Arista 7130 Series platforms. It provides precise timestamping of packets, aggregation and deep buffering for Ethernet links. Timestamp information and other metadata such as device and port identifiers are appended to the end of the packet as a trailer.

Mirror on drop is a network visibility feature which allows monitoring of MPLS or IP flow drops occurring in the ingress pipeline. When such a drop is detected, it is sent to the control plane where it is processed and then sent to configured collectors. Additionally, CLI show commands provide general and detailed statistics and status.

The solution described in this document allows multicast traffic arriving on a VRF interface on a Provider’s Edge (PE) router to be delivered to Customer’s Edge (CE) routers with downstream receivers in the same VPN.

ICMP defines a class of error messages used to report problems in the network, for example destination unreachable or time-to-live exceeded. Each of them carries an "original datagram" field containing the leading octets of the datagram that provoked the ICMP message: the IP header plus at least the first 64 bits of that datagram's data.
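Those 64 bits are what make ICMP errors safe to act on: for TCP and UDP they hold the source and destination ports, so a host or stateful firewall can check that an error refers to a flow it actually originated before, say, tearing down a connection or lowering a path MTU. The parser below is an added example written for this page (not EOS code): it builds an ICMP port-unreachable message with a constructed original datagram, validates the ICMP checksum and the minimum 64 bits of original data, and matches the embedded 5-tuple against a constructed flow table.

```python
import struct
from ipaddress import IPv4Address

ICMP_ERROR_TYPES = {3: "destination unreachable", 4: "source quench", 5: "redirect",
                    11: "time exceeded", 12: "parameter problem"}


def inet_checksum(data):
    """RFC 1071 one's-complement checksum (used by IPv4 and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def icmp_error(icmp_type, code, original_datagram):
    """ICMP error message: type, code, checksum, 4 unused bytes, then the leading octets
    of the datagram that caused the error (original IP header + at least 64 bits)."""
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + original_datagram
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_icmp_error(packet):
    """Parse an IPv4 packet carrying an ICMP error and return what the embedded
    original datagram says about the flow that triggered it."""
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type not in ICMP_ERROR_TYPES:
        raise ValueError("ICMP type %d is not an error message" % icmp_type)
    original = icmp[8:]
    if len(original) < 20:
        raise ValueError("original datagram field too short for an IP header")
    inner_ihl = (original[0] & 0x0F) * 4
    if len(original) < inner_ihl + 8:
        raise ValueError("fewer than 64 bits of original data present")
    proto = original[9]
    info = {"type": icmp_type, "code": code, "proto": proto,
            "src": str(IPv4Address(original[12:16])), "dst": str(IPv4Address(original[16:20]))}
    if proto in (6, 17):                               # TCP/UDP: ports are the first 4 bytes
        info["sport"], info["dport"] = struct.unpack("!HH", original[inner_ihl:inner_ihl + 4])
    return info


def error_matches_flow(info, flows):
    """Accept an ICMP error only if it refers to a flow we originated (a stateful
    firewall check); forged errors aimed at flows we never sent are rejected."""
    return (info["proto"], info["src"], info.get("sport"), info["dst"], info.get("dport")) in flows


def demo():
    # Constructed scenario: 192.0.2.10 sent a DNS query (UDP 40000 -> 53) to 198.51.100.7;
    # router 198.51.100.1 answers with ICMP type 3 code 3 (port unreachable).
    flows = {(17, "192.0.2.10", 40000, "198.51.100.7", 53)}
    original = ipv4_header("192.0.2.10", "198.51.100.7", 17, 32) + struct.pack("!HHHH", 40000, 53, 12, 0)
    icmp = icmp_error(3, 3, original)
    legit = ipv4_header("198.51.100.1", "192.0.2.10", 1, 20 + len(icmp)) + icmp
    # A forged error whose original datagram names a flow that does not exist.
    forged_orig = ipv4_header("192.0.2.10", "198.51.100.7", 17, 32) + struct.pack("!HHHH", 40001, 53, 12, 0)
    forged_icmp = icmp_error(3, 3, forged_orig)
    forged = ipv4_header("198.51.100.1", "192.0.2.10", 1, 20 + len(forged_icmp)) + forged_icmp
    legit_info, forged_info = parse_icmp_error(legit), parse_icmp_error(forged)
    return {"legit": legit_info, "legit_matches": error_matches_flow(legit_info, flows),
            "forged_matches": error_matches_flow(forged_info, flows)}


if __name__ == "__main__":
    print(demo())
```

Note that the ICMP checksum covers the embedded original datagram as well, so a truncated or corrupted copy fails before any flow lookup; the 64-bit minimum is exactly enough for the TCP/UDP port pair but not for the TCP sequence number, which is why many stacks include more than the minimum when they can.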

The Arista OSFP-400G-SRBD and QDD-400G-SRBD modules (Sometimes referred to as “400G-BIDI” or “400G-SR4.2”) may be used with other 400G-BIDI / 400G-SR4.2 modules, or connected to four 100G-BiDi modules indicated below.

Policy-based routing (PBR) is a feature that is applied on routable ports, to preferentially route packets. Forwarding is based on a policy that is enforced at the ingress of the applied interface and overrides normal routing decisions. In addition to matches on regular ACLs, PBR policy-maps can also include “raw match” statements that look like a single entry of an ACL as a convenience for users.

Power management is a way to limit the total power available to Power over Ethernet (PoE) ports. Without power management, the total amount of power that the power supply units (PSUs) can provide is used. Power management can be used to create power redundancy. For example, if a system has two 1050W PSUs, the feature can cap the total power available for PoE at 800W. With this configuration one PSU is sufficient to power the system, and the unused PSU acts as a backup source, giving the system 1+1 redundancy.

Power over Ethernet (PoE) is a way of delivering power and data over the same Ethernet wires. There have been multiple IEEE standards for PoE over the years:

RFC8781 defines a new RA (router advertisement) option called ‘PREF64’, which allows the switch to communicate the IPv6 prefix that is used for NAT64 to hosts on the network, via Router Advertisements. This feature adds support for configuring the PREF64 option on a per-interface basis. 

Pseudo load sharing is a load sharing scheme for two power supply units (PSU) that do not have integrated load sharing. With pseudo load sharing, the system power is divided into two power domains, each with one PSU that is connected to a port group consisting of half of the system's Power over Ethernet (PoE) ports. When both PSUs are active, the power domains are independent and each PSU can only provide power to ports within the same power domain. Each port group can consume up to the maximum available power of the PSU in the same power domain. When only one PSU is active, the power switch between the two power domains can route power from the active PSU to all ports on the system.

PTP 1-step Boundary Clock (or 1-step BC) is similar to 2-step BC in function but doesn’t send the PTP Follow_Up message. The timestamp present in the PTP Follow_Up message’s preciseOriginTimestamp field is sent in the PTP Sync message’s originTimestamp field along with a non-zero correctionField. This allows us to support more PTP master ports because the control plane does not need to generate PTP Follow_Up messages anymore. PTP 1-step BC supports all the existing features supported by 2-step BC like G8275.1 profile, G8275.2 profile, etc unless otherwise specified in the limitations.

Routing Control Functions (RCF) is a language that can be used to express route filtering and attribute modification logic in a powerful and programmatic fashion. The document covers the configuration of RCF functions for BGP points of application.

Network administrators require access to flow information that passes through various network elements, for the purpose of analyzing and monitoring their networks. This feature provides access to IP flow information by sampling traffic flows in ingress and/or egress directions on the interfaces on which it is configured.

Storm control enables traffic policing of packet floods on L2 switched networks. Support for front-panel ports and LAGs was added in EOS-4.25.2F (storm control with speed-rate support). Storm control is now also supported on subinterfaces (both Ethernet and port-channel), with a scale of 4095 subinterfaces.

This document describes the Route Flap Damping feature in multi-agent BGP.

EOS supports configuring and associating communities on static routes. These are carried into BGP on redistribution. 

By default, every Arista switch applies the read-only ACL (Access Control List) named "default-control-plane-acl" to control plane traffic in every VRF. This feature allows the user to configure a different ACL to override the system default applied to every VRF. VRF-specific control plane ACL configuration, if present, still takes precedence over the default ACL configured.

gNSI (gRPC Network Security Interface) defines a set of gRPC-based microservices for executing security-related operations on network devices.

This feature provides a CLI command that shows the list of MAC addresses which could not be learned because of hash collisions in the hardware table. A hash collision occurs when two or more distinct keys map to the same entry (slot) in the hardware table: the hash function computes, for a new MAC address, an index that is already occupied, so the later MAC address cannot be inserted into the table.
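A small model of a fixed-capacity hashed table shows what such a command reports and why the list is worth watching: hosts that fail to learn are flooded rather than switched, and an attacker who can control source MACs can deliberately fill a bucket. The following is an added example written for this page, not EOS code; the hardware hash function, bucket count and associativity of a real MAC table are not modelled, and the MACs and ports are constructed.

```python
import hashlib


def mac_bucket(mac, num_buckets):
    """Hash a MAC address into a bucket index.  The real hardware hash is not modelled;
    this is a constructed stand-in that shows the collision behaviour."""
    raw = bytes.fromhex(mac.replace(":", ""))
    return int.from_bytes(hashlib.blake2b(raw, digest_size=4).digest(), "big") % num_buckets


class MacTable:
    """Hash table with fixed-size buckets (ways), like a hardware MAC table."""

    def __init__(self, num_buckets, ways):
        self.ways = ways
        self.buckets = [[] for _ in range(num_buckets)]
        self.unlearned = []                            # (mac, port, bucket) that collided

    def learn(self, mac, port):
        idx = mac_bucket(mac, len(self.buckets))
        bucket = self.buckets[idx]
        for i, (known_mac, _) in enumerate(bucket):
            if known_mac == mac:                       # MAC move: just update the port
                bucket[i] = (mac, port)
                return True
        if len(bucket) >= self.ways:                   # every way occupied: collision
            self.unlearned.append((mac, port, idx))
            return False
        bucket.append((mac, port))
        return True

    def learned_count(self):
        return sum(len(b) for b in self.buckets)

    def show_unlearned(self):
        """Equivalent of a show command listing MACs that failed to learn."""
        return [f"{mac} on {port} (bucket {idx})" for mac, port, idx in self.unlearned]


def demo():
    # Constructed: a tiny table with 4 buckets of 2 ways (8 slots) offered 16 hosts.
    table = MacTable(num_buckets=4, ways=2)
    hosts = [(f"02:00:00:00:00:{i:02x}", f"Ethernet{i % 4 + 1}") for i in range(16)]
    for mac, port in hosts:
        table.learn(mac, port)
    return {"offered": len(hosts), "learned": table.learned_count(),
            "collisions": len(table.unlearned), "unlearned": table.show_unlearned()}


if __name__ == "__main__":
    print(demo())
```

With 16 MACs offered to 8 slots at least 8 must collide, but the point of the model is that collisions can occur well before the table is full: two MACs that hash to the same bucket compete for that bucket's ways even when the rest of the table is empty.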

This feature allows configuring a per-port PTP domain number, which may be different from the global PTP domain number, which will apply to PTP messages sent or received on that port. With this configuration applied, transmitted messages will contain the port-specific domain number and received messages will be accepted if they contain the port-specific or global domain number.

PIM Register filtering (PimReg filtering) provides the ability to prevent unauthorized sources and groups from registering with a rendezvous point (RP) router. This is accomplished by listing the unauthorized source/group pairs in a standard access list. When the ACL is applied on the RP, the RP inspects the source information in each PIM Register message for a match before accepting or dropping the message.

A PTP Boundary Clock advertises time based on its local clock, which starts counting from an unsynchronized initial value, so a free-running Boundary Clock advertises that unsynchronized time to downstream PTP clients. The GrandMaster, with access to GPS, is based on International Atomic Time (TAI). Once the Boundary Clock synchronizes with the GrandMaster it becomes TAI based as well, so its time, and hence the PTP time advertised downstream, changes drastically.

Private VLAN is a feature that segregates a regular VLAN broadcast domain while maintaining all ports in the same IP subnet. There are three types of VLAN within a private VLAN

Prior to this feature, we supported a maximum of two levels of Forward Equivalence Class (FEC) hierarchies for vxlan routing tunnels in hardware.

Access Control Lists (ACLs) use packet classification to mark certain packets passing through the packet-processor pipeline and then take a configured action on them. Rules are defined on various packet fields, and TCAM is usually used to match packets against rules. For example, a rule may match the packet's source IP address against a list of IP addresses and drop the packet on a match. In TCAM this is expressed as multiple entries, one per address in the list; the number of entries can be reduced by masking off bits where possible. TCAM is a limited resource, so classifiers with a large number of rules and a wide field list can exhaust it.
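"Masking off bits" is the same operation as collapsing host addresses into aligned prefixes, and the standard library already implements the merge. The following added example (written for this page; not EOS code, and it says nothing about how EOS actually packs its TCAM) collapses a constructed list of host addresses into value/mask entries and then matches against them the way a TCAM does: key AND mask compared with value. It also shows the case that does not compress, two adjacent addresses that are not aligned on a power-of-two boundary.

```python
import ipaddress


def tcam_entries(addresses):
    """Collapse a list of IPv4 addresses (or prefixes) into the minimal set of aligned
    blocks and express each as a TCAM (value, mask) pair.  ipaddress.collapse_addresses
    merges adjacent, aligned blocks into a supernet, which is exactly masking off bits."""
    networks = [ipaddress.ip_network(a) for a in addresses]
    entries = []
    for net in ipaddress.collapse_addresses(networks):
        entries.append({"value": int(net.network_address), "mask": int(net.netmask),
                        "prefix": str(net)})
    return entries


def tcam_match(address, entries):
    """TCAM semantics: an entry matches when the key, ANDed with the mask, equals the value."""
    key = int(ipaddress.ip_address(address))
    return any((key & e["mask"]) == e["value"] for e in entries)


def demo():
    # Constructed blocklist: 10.0.0.0-10.0.0.17 as 18 host rules, which compress to two
    # entries, and two adjacent but unaligned addresses that cannot be merged at all.
    mergeable = [f"10.0.0.{i}" for i in range(18)]
    unaligned = ["10.0.0.1", "10.0.0.2"]
    entries = tcam_entries(mergeable)
    return {
        "mergeable_hosts": len(mergeable),
        "mergeable_entries": [e["prefix"] for e in entries],
        "unaligned_entries": [e["prefix"] for e in tcam_entries(unaligned)],
        "hit_10.0.0.9": tcam_match("10.0.0.9", entries),
        "miss_10.0.0.18": tcam_match("10.0.0.18", entries),
    }


if __name__ == "__main__":
    print(demo())
```

Eighteen host rules become two entries (10.0.0.0/28 and 10.0.0.16/31), while 10.0.0.1 and 10.0.0.2 stay as two /32 entries because their common supernet 10.0.0.0/30 would also admit 10.0.0.0 and 10.0.0.3. The real budget is entries multiplied by key width, so a classifier that matches many fields consumes TCAM faster than this single-field illustration suggests.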