802.1X is the IEEE standard for port-based network access control. A device attached to a switch port must authenticate (using EAP, typically relayed to a RADIUS server) before the port forwards its traffic, which prevents unauthorized devices from gaining access to the network.

Accumulated IGP Metric (AIGP) is an optional non-transitive BGP path attribute (RFC 7311) used to carry an IGP metric with BGP route advertisements. It serves as a tie-breaker in BGP bestpath selection so that, among multiple BGP paths, the one with the lowest cumulative IGP cost (the shortest path) can be chosen. This is particularly applicable where a single administration is subdivided into multiple Autonomous Systems (ASes) that share similar routing policies and the same IGP, so that the IGP metric of a route can usefully be propagated between the ASes and receiving BGP speakers can make routing decisions on the basis of the cumulative IGP cost of the route. The set of ASes that form a common administrative domain for the purpose of advertising and receiving the AIGP attribute is referred to as an AIGP administrative domain.
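
The following is an added example, not Arista's code, showing where AIGP enters the decision process described above: the comparison value is the received AIGP plus the IGP cost to the route's next hop, AIGP is compared after LOCAL_PREF and before AS_PATH length, and a speaker that rewrites the next hop to itself adds that cost when re-advertising inside the domain. The peers, AS numbers and costs are constructed for illustration.

```python
# Added example (not Arista's code): where AIGP sits in BGP best-path selection.
# Per RFC 7311 the value compared is the received AIGP plus the IGP cost to the
# route's next hop, AIGP is compared after LOCAL_PREF and before AS_PATH length,
# and a speaker setting next-hop-self on re-advertisement adds that cost to the
# attribute.  All path data below is constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Path:
    peer: str
    local_pref: int
    aigp: Optional[int]        # None when the attribute is absent
    as_path: List[int]
    nexthop_igp_cost: int      # IGP cost from this router to the BGP next hop


def aigp_metric(p: Path) -> Optional[int]:
    """AIGP-derived metric used for comparison: attribute value + cost to next hop."""
    return None if p.aigp is None else p.aigp + p.nexthop_igp_cost


def bestpath(paths: List[Path]) -> Path:
    """Simplified decision: LOCAL_PREF, then AIGP, then AS_PATH length, then peer.
    A path carrying AIGP is preferred over one without it (RFC 7311)."""
    def key(p: Path):
        m = aigp_metric(p)
        return (-p.local_pref,
                0 if m is not None else 1,   # AIGP present beats absent
                m if m is not None else 0,   # lower accumulated cost wins
                len(p.as_path),              # only consulted if AIGP ties
                p.peer)
    return min(paths, key=key)


def aigp_to_advertise(p: Path, peer_in_domain: bool, next_hop_self: bool) -> Optional[int]:
    """Value placed in the AIGP attribute when re-advertising the chosen path.
    The attribute is never sent to a peer outside the AIGP administrative domain,
    and when the next hop is rewritten to this router the IGP cost to the previous
    next hop is accumulated into it."""
    if not peer_in_domain or p.aigp is None:
        return None
    return p.aigp + p.nexthop_igp_cost if next_hop_self else p.aigp
```

The point the example makes is that path B below wins despite its longer AS path, because its accumulated IGP cost (12 + 1) is lower than A's (10 + 5); a path with a higher LOCAL_PREF still wins outright, since LOCAL_PREF is evaluated first.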

The multicast boundary specifies the address ranges for which source traffic entering an interface is filtered, preventing the creation of mroute state on that interface. The boundary can be specified through one standard ACL. However, when multicast services are provided as a range of groups per service, an interface could potentially join arbitrary groups and hence need arbitrary combinations of ACL rules.

This feature adds support for offloading BFD sessions to hardware, which allows a high number of BFD sessions (up to 16000) to run with aggressive intervals. Highlights of the feature include:

The BGP-LS extension allows IGP (OSPF/IS-IS) link state database information to be injected into BGP. This is typically used in deployments where some external component (such as a controller or Path Computation Engine) performs centralized path computation by learning the entire IGP topology through BGP-LS. The controller can then communicate the computed paths, based on the BGP-LS updates, to the head end device in the network. The mechanism used by the controller to communicate the computed TE paths is outside the scope of this document. Using BGP-LS instead of an IGP peering with the controller to distribute IGP link state information has the following advantages.

RPKI (Resource Public Key Infrastructure) provides a mechanism to validate that the AS originating an advertised prefix is authorized to do so. Route Origin Authorizations (ROAs), signed by the holder of the address space, state which origin AS may announce a prefix and up to what prefix length; the router compares each received route against the validated ROA set and marks it valid, invalid or not found, and routing policy can then act on that state (most commonly by rejecting invalid routes).
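
As an added example (not Arista's code), the origin validation logic of RFC 6811 run against a constructed ROA set of the kind a validator pushes to the router over RTR. The prefixes and AS numbers are documentation and private ranges chosen for illustration, and the policy function at the end encodes the usual "drop invalid, accept not-found" choice rather than anything the page prescribes.

```python
# Added example (not Arista's code): RFC 6811 route origin validation against a
# constructed set of ROAs.  Prefixes and ASNs are illustrative only.
import ipaddress
from typing import List, Tuple

Roa = Tuple[str, int, int]   # (prefix, maxLength, origin ASN) as carried by a ROA

ROAS: List[Roa] = [
    ("203.0.113.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64496),   # /22 may be announced as anything up to /24
    ("192.0.2.0/24", 24, 0),          # AS 0 ROA: no AS may originate this space
    ("2001:db8::/32", 48, 64496),
]


def validate_origin(prefix: str, origin_as: int, roas: List[Roa] = ROAS) -> str:
    """Return 'valid', 'invalid' or 'not-found' for an announced (prefix, origin AS)."""
    net = ipaddress.ip_network(prefix, strict=True)
    covering = []
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix, strict=True)
        # a ROA covers the route if the announced prefix lies within the ROA prefix
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((max_len, asn))
    if not covering:
        return "not-found"          # no ROA says anything about this prefix
    for max_len, asn in covering:
        # AS 0 never matches a real origin, so an AS 0 ROA only ever yields 'invalid'
        if asn != 0 and asn == origin_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid"                # covered, but wrong origin or too-specific prefix


def accept_route(prefix: str, origin_as: int) -> bool:
    """Common policy: reject 'invalid'; accept 'valid' and 'not-found', the latter
    because much of the routing table is still not covered by any ROA."""
    return validate_origin(prefix, origin_as) != "invalid"
```

Note the two distinct ways a covered route becomes invalid: the right AS announcing a more specific prefix than maxLength permits (a common way route leaks and hijacks show up), and the wrong AS announcing the exact prefix.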

This feature allows failover to the backup path to occur in constant time per interface going down for features such as RSVP link protection, RSVP node protection, TI-LFA link protection, and BGP PIC. Without this feature enabled, it would take time proportional to the number of paths going over the interface experiencing the link down event to failover to the backup path. With this feature enabled, the failover time would be constant regardless of the number of paths.

Network Address Translation (NAT) rewrites the private internal addresses of outbound packets to a publicly visible address that is seen by all external hosts, and performs the reverse translation, public address back to private internal address, on the return traffic. NAT hides the internal addressing from the outside world, but it is an address-translation function rather than a firewall: unsolicited inbound traffic is dropped only because no translation exists for it, so filtering policy still has to be applied separately.

Connectivity Monitor is an EOS feature that allows users to monitor their network resources from their Arista switches. The resources being monitored may or may not be Arista devices. Connectivity monitoring is unidirectional in nature.

When multiple IPv6 addresses are assigned to an interface, source address selection follows the rules in RFC 6724. However, when the matching criteria are the same for all addresses, the selected address depends on the kernel, and is likely to be the address that was added last. This feature allows addresses to be configured as least preferred so that source addresses can be selected in a more deterministic manner.

DirectFlow runs alongside the existing layer 2/3 forwarding plane, enabling a network architecture that incorporates new capabilities, such as TAP aggregation and custom traffic engineering, alongside traditional forwarding models. DirectFlow allows users to define flows that consist of match conditions and actions to perform that are a superset of the OpenFlow 1.0 specification. DirectFlow does not require a controller or any third party integration as flows can be installed via the CLI.

DirectFlow allows you to define flows consisting of conditions to match and actions to perform. This enhancement adds to the packet match conditions by allowing matching on a subset of HTTP methods.

This feature supports counting ECN-marked packets (ECN = Explicit Congestion Notification) on a per egress port per tx-queue basis. The feature can be used to gather these packet counts via CLI or SNMP. There are two cases when an ECN-marked (congestion) packet is counted on the egress port/queue:

sFlow is a sampling technique which monitors incoming traffic on all interfaces without affecting network performance. Egress sFlow is a feature which samples the packets in the egress pipeline for analytical purposes. Currently egress sFlow is only software based on Arista switches.

Multiple dynamic counter features may be enabled simultaneously, primarily configured using the [no] hardware counter feature [feature] CLI commands. Compatibility of these features has been enhanced to allow greater flexibility in which counter features can be enabled at the same time. Changes in counter feature compatibility across EOS releases are detailed below.

This feature extends the capabilities of event monitor to include NAT logging. The tracked events are NAT translation creations, NAT translation updates, NAT translation deletions, and the reason for each deletion (aging deletion, aging deletion (hw not programmed), or peer deletion).
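
As an added example (not Arista's code, and not the format EOS event monitor actually produces), a minimal many-to-one source NAT table that ties the NAT description earlier on this page to the event kinds listed here: it records a creation, an update on each refresh, and a deletion with one of the three reasons. The public address, the idle timeout, the port allocation scheme and the log strings are all constructed for illustration.

```python
# Added example (not Arista's code): a minimal many-to-one source NAT (PAT) table
# that emits creation, update and deletion-with-reason events.  The outside address,
# idle timeout and log format are constructed; EOS event-monitor output differs.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "203.0.113.10"      # constructed outside address shared by all inside hosts
AGE_OUT_SEC = 60.0              # constructed idle timeout
FIRST_PORT = 1024

Inside = Tuple[str, int]        # (private IP, private port)


@dataclass
class Translation:
    public_port: int
    last_seen: float
    hw_programmed: bool = True  # False if the entry exists only in software


@dataclass
class NatTable:
    entries: Dict[Inside, Translation] = field(default_factory=dict)
    events: List[str] = field(default_factory=list)
    next_port: int = FIRST_PORT

    def outbound(self, src_ip: str, src_port: int, now: float,
                 hw_programmed: bool = True) -> Tuple[str, int]:
        """Translate an inside->outside packet, creating or refreshing its mapping."""
        key = (src_ip, src_port)
        t = self.entries.get(key)
        if t is None:
            t = Translation(self.next_port, now, hw_programmed)
            self.next_port += 1
            self.entries[key] = t
            self.events.append(f"CREATE {src_ip}:{src_port} -> {PUBLIC_IP}:{t.public_port}")
        else:
            t.last_seen = now
            self.events.append(f"UPDATE {src_ip}:{src_port} -> {PUBLIC_IP}:{t.public_port}")
        return PUBLIC_IP, t.public_port

    def inbound(self, public_port: int) -> Optional[Inside]:
        """Reverse-translate an outside->inside packet.  None means no inside host
        created the mapping; that packet is dropped.  This is the only 'protection'
        NAT provides and is no substitute for an explicit filtering policy."""
        for key, t in self.entries.items():
            if t.public_port == public_port:
                return key
        return None

    def _delete(self, key: Inside, reason: str) -> None:
        t = self.entries.pop(key)
        self.events.append(
            f"DELETE {key[0]}:{key[1]} -> {PUBLIC_IP}:{t.public_port} reason={reason}")

    def age(self, now: float) -> int:
        """Remove idle mappings; the reason records whether hardware ever held the entry."""
        expired = [k for k, t in self.entries.items() if now - t.last_seen >= AGE_OUT_SEC]
        for k in expired:
            reason = ("aging deletion" if self.entries[k].hw_programmed
                      else "aging deletion(hw not programmed)")
            self._delete(k, reason)
        return len(expired)

    def peer_delete(self, src_ip: str, src_port: int) -> bool:
        """Deletion requested by the redundant peer, which tore the mapping down on its side."""
        key = (src_ip, src_port)
        if key not in self.entries:
            return False
        self._delete(key, "peer deletion")
        return True
```

When reading real NAT event logs, the deletion reason is the field worth alerting on: a burst of "peer deletion" events with no corresponding aging activity points at a redundancy-sync problem rather than at normal session turnover.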

E-Tree is an L2 EVPN service (defined in RFC8317) in which each attachment circuit (AC) is assigned the role of Root or Leaf. Once roles are assigned, the following forwarding rules are enforced:
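
As an added example (not Arista's code), the E-Tree rule of RFC 8317 applied to a constructed set of attachment circuits: traffic between two Leaf ACs is never forwarded, while Root-to-Leaf, Leaf-to-Root and Root-to-Root traffic is. The same rule is applied for remote destinations, where the ingress PE signals that a frame or MAC came from a Leaf so the egress PE can withhold it from its own Leaf ACs. The interface names and roles are constructed.

```python
# Added example (not Arista's code): the E-Tree (RFC 8317) forwarding rule applied to
# a MAC-VRF whose attachment circuits carry a Root or Leaf role.  AC table is constructed.
from enum import Enum
from typing import Dict, List


class Role(Enum):
    ROOT = "root"
    LEAF = "leaf"


# Constructed attachment circuits of one EVPN instance on this PE
ACS: Dict[str, Role] = {
    "Ethernet1": Role.ROOT,
    "Ethernet2": Role.LEAF,
    "Ethernet3": Role.LEAF,
    "Port-Channel10": Role.ROOT,
}


def roles_permit(src: Role, dst: Role) -> bool:
    """The single E-Tree rule: only Leaf -> Leaf is denied."""
    return not (src is Role.LEAF and dst is Role.LEAF)


def may_forward(ingress_ac: str, egress_ac: str, acs: Dict[str, Role] = ACS) -> bool:
    if ingress_ac == egress_ac:
        return False                       # never hairpin back out the ingress AC
    return roles_permit(acs[ingress_ac], acs[egress_ac])


def flood_targets(ingress_ac: str, acs: Dict[str, Role] = ACS) -> List[str]:
    """Local ACs that a BUM frame arriving on ingress_ac is replicated to."""
    return sorted(ac for ac in acs if may_forward(ingress_ac, ac, acs))


def remote_delivery(frame_from_leaf: bool, egress_role: Role) -> bool:
    """Same rule across the EVPN core: the ingress PE marks frames (and the MACs it
    advertises in Type-2 routes) as Leaf-originated, and the egress PE refuses to
    deliver those to its own Leaf ACs.  That is what keeps two Leaf sites behind
    different VTEPs isolated from each other."""
    return roles_permit(Role.LEAF if frame_from_leaf else Role.ROOT, egress_role)
```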

In network deployments where a border leaf or superspine acts as the PIM EVPN Gateway (PEG) and is in the transit path to other multicast VTEPs, the multicast stream will not pass, because the border leaf decapsulates the packet even when it has no local receiver. Such a transit node is called a bud node. The device should be able to deliver decapsulated packets to any local receivers and, at the same time, forward the still-encapsulated packets on to the other VTEPs.

This feature introduces the show bgp evpn mac [ vni VNI ] and show bgp evpn arp [ vni VNI ] commands. These commands display EVPN Type-2 routes after import; both will only display paths that have been imported into a MAC-VRF. show bgp evpn mac displays imported EVPN Type-2 paths that carry only MAC information and no IP information, while show bgp evpn arp displays only imported EVPN Type-2 routes that do carry IP information.

Ethernet VPN (EVPN) networks normally require some measure of redundancy to reduce or eliminate the impact of outages and maintenance. RFC7432 describes four types of route to be exchanged through EVPN, with a built-in multihoming mechanism for redundancy. Prior to EOS 4.22.0F, MLAG was available as a redundancy option for EVPN with VXLAN, but not multihoming. EVPN multihoming is a multi-vendor standards-based redundancy solution that does not require a dedicated peer link and allows for more flexible configurations than MLAG, supporting peering on a per interface level rather than a per device level. It also supports a mass withdrawal mechanism to minimize traffic loss when a link goes down.

This feature enables ARP entries learnt on a Port-Channel or Ethernet interface to be converted into host routes, which can then be redistributed into BGP to take part in route selection and be advertised to peers. These host routes are not installed in hardware; they are generated only for advertisement purposes. The feature works for both static and dynamic ARP entries.

This document describes the FEC dampening feature. When hardware FEC/ECMP resource usage goes above the platform limit, Ale (the hardware abstraction layer) deletes some routes in anticipation of freeing up hardware FEC resources so that newly created FECs can be programmed.

EOS supports the ability to match on a single VLAN tag (example: encapsulation dot1q vlan 10)  or a VLAN tag pair (example: encapsulation dot1q vlan 10 inner 20) to map matching packets to an interface. In this case, the encapsulation string is considered consumed by the mapped interface before forwarding, which means that the tags are effectively removed from the incoming packet for the purposes of any downstream forwarding.

EOS-4.24.0 adds support for hardware-accelerated sFlow on R3 systems. Without hardware acceleration, all sFlow processing is done in software, which means performance is heavily dependent on the capabilities of the host CPU. Aggressive sampling rates also decrease the amount of processing time available for other EOS applications.

On network devices, when a route is programmed, a certain portion of hardware resources is allocated and associated

IPSec tunnel mode support allows the customer to encrypt traffic transiting between two tunnel endpoints.

IS-IS SR feature provides knobs to configure various types of segments which are distributed as part of IS-IS LSPs (Link

IPv4 and IPv6 multicast routing, private VLANs, and egress VLAN translation are supported on EOS, but on prior releases and on certain platforms they did not work correctly when used in combination.  In those cases, routed multicast packets that egress on an interface with VLAN translation or on a private VLAN would not egress on the correct VLAN.  The configured VLAN translation or private VLAN would not be applied.

The command "show gnmi get PATH" provides a convenient way to send a Get request to a gNMI server running on the device and display the resulting values. This can be helpful during exploration or debugging when setting up gNMI monitoring.

MetaWatch is an FPGA-based feature available for Arista 7130 Series platforms. It provides precise timestamping of packets, aggregation and deep buffering for Ethernet links. Timestamp information and other metadata such as device and port identifiers are appended to the end of the packet as a trailer.

Mirror on drop is a network visibility feature which allows monitoring of MPLS or IP flow drops occurring in the ingress pipeline. When such a drop is detected, it is sent to the control plane where it is processed and then sent to configured collectors. Additionally, CLI show commands provide general and detailed statistics and status.

In an MLAG setup, routing on a switch (MLAG peer) is possible using its own bridge/system MAC, VARP MAC or VRRP MAC. When a peer receives an IP packet with destination MAC set to one of the aforementioned MACs, the packet gets routed if the hardware has enough information to route the packet. Before introducing this feature, if the destination MAC is peer’s bridge MAC, the packet is L2 bridged on the peer-link and the routing takes place on the peer. This behavior to use the peer-link to bridge the L3 traffic to the peer is undesirable especially when the MLAG peers can route the packets themselves.

This feature allows packets from MPLS and non-MPLS flows with the same source and destination IP addresses to be hashed to the same output LAG member in tap aggregation mode.

IP traceroute and path MTU (PMTU) discovery both require that routers send ICMP reply messages to the host that invokes each network function. When the route to the destination host traverses an MPLS label-switched path (LSP), the label switching routers (LSRs) will also need to send ICMP reply messages to the originating host.

This can be done with multiple groups today, as long as there are enough unique group entries in hardware. In the absence of this configuration (the default behavior), bridged traffic is assigned to the default VRF and the policies of the default VRF are applied to it. With this feature, bridged traffic is never subject to MSS-G configuration.

MultiAccess is an FPGA-based feature available on certain Arista 7130 platforms. It performs low-latency Ethernet multiplexing with optional packet contention queuing, storm control, VLAN tunneling, and packet access control. The interface to interface latency is a function of the selected MultiAccess profile, front panel interfaces, MultiAccess interfaces, configuration settings, and platform being used.

EOS secures the communication between EOS router instances using IPsec, employing the control-plane protocol Internet Key Exchange (IKEv1/IKEv2) and the data-plane protocol ESP (IPsec SA). IKE and IPsec Security Associations (SAs) use policies to ensure secure communication.

EOS allows the generation of the following SSH keys, which can be used as host keys with default names.

Support for egress IPv6 PACLs without using packet recirculation. ACL matching can be done on routed packets and the ACL can be applied to front panel ports (FPPs); the match criteria in ACL rules are restricted to ipv6-next-header and dscp (traffic-class).

Currently, in EOS MACsec, padding of partial keys internally prepends both the CAK and CKN hex strings with zeros to satisfy the length requirement of the Key Derivation Function. This feature allows users to configure the zero padding to either prepend or append to the pre-shared CAK/CKN configured in the mac security profile. In general, full-length CAK/CKN values are recommended. However, this CLI knob can be used when configuring a partial CAK/CKN results in mismatched derived keys between the peers, because each side must pad the same way to derive the same keys. Note that the CKN advertised in MACsec control frames is still sent without any padding, even when a partial CKN is configured.

Policing is typically done on the L2 packet size, that is, the size on the wire excluding the Preamble, Start Frame Delimiter (SFD) and Interpacket Gap (IPG). To ensure that the policer charges the correct L2 packet size, a default packet size adjustment is configured, which is deducted from the size seen on the wire.
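
As an added example (not Arista's code), a single-rate token-bucket policer that charges each packet its L2 size by subtracting a fixed adjustment from the size the hardware observes. The 20-byte adjustment (8 bytes of preamble and SFD plus 12 bytes of IPG), the rate, the burst size and the packet trace are constructed for illustration; the actual default adjustment on a given platform may differ.

```python
# Added example (not Arista's code): a single-rate token-bucket policer that deducts a
# packet size adjustment before charging the bucket.  The 20-byte default and all
# traffic values are constructed; the platform default may differ.
from typing import Iterable, List, Tuple

PREAMBLE_SFD_BYTES = 8
IPG_BYTES = 12
DEFAULT_SIZE_ADJUST = PREAMBLE_SFD_BYTES + IPG_BYTES   # 20 bytes


class TokenBucketPolicer:
    def __init__(self, cir_bps: int, cbs_bytes: int, size_adjust: int = DEFAULT_SIZE_ADJUST):
        self.rate_bytes_per_s = cir_bps / 8.0
        self.cbs = cbs_bytes
        self.tokens = float(cbs_bytes)
        self.size_adjust = size_adjust
        self.last_t = 0.0

    def charged_size(self, observed_size: int) -> int:
        """L2 size the policer accounts for: observed size minus the adjustment."""
        return max(0, observed_size - self.size_adjust)

    def police(self, observed_size: int, t: float) -> str:
        # refill for the elapsed time, capped at the committed burst size
        self.tokens = min(float(self.cbs),
                          self.tokens + (t - self.last_t) * self.rate_bytes_per_s)
        self.last_t = t
        size = self.charged_size(observed_size)
        if size <= self.tokens:
            self.tokens -= size
            return "conform"
        return "exceed"          # typically dropped or re-marked by the action configured


def conforming_count(packets: Iterable[Tuple[int, float]], size_adjust: int) -> int:
    """Run (observed size, arrival time) pairs through a CIR 8 kbit/s, CBS 1000 byte
    policer (constructed values) and count the packets that conform."""
    p = TokenBucketPolicer(cir_bps=8000, cbs_bytes=1000, size_adjust=size_adjust)
    return sum(1 for size, t in packets if p.police(size, t) == "conform")


# Constructed trace: 1000-byte L2 frames, observed with 20 bytes of overhead, one per second
TRACE: List[Tuple[int, float]] = [(1020, 0.0), (1020, 1.0), (1020, 2.0)]
```

With the adjustment in place every frame in the trace is charged exactly 1000 bytes and conforms to the 1000 byte/s rate; with the adjustment set to zero the same frames are charged 1020 bytes, exceed the burst size, and are all marked as exceeding, which is the kind of over-policing the default adjustment exists to prevent.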

One of the primary functions of a switch is to forward packets to the correct next hop. This necessitates knowing the unique MAC addresses of all connected hosts and switches to a network interface. In dynamic environments like campus networks, the hosts often come and go, which means the number of connected hosts that the switch knows about expands continuously. Therefore, it becomes necessary to have a mechanism for the switch to eventually discard information about MAC addresses that are no longer active in the network. 

The PHY test pattern CLI can be used to check the quality of the physical layer for an Ethernet interface. This is done by

The purpose of this feature is to mitigate multicast traffic loss when a switch that uses PIM sparse mode as its multicast routing protocol is undergoing maintenance.

Policy-based routing (PBR) is a feature that is applied on routable ports, to preferentially route packets. Forwarding is based on a policy that is enforced at the ingress of the applied interface and overrides normal routing decisions. In addition to matches on regular ACLs, PBR policy-maps can also include “raw match” statements that look like a single entry of an ACL as a convenience for users.

Power over Ethernet (PoE) is a way of delivering power and data over the same Ethernet wires. There have been multiple IEEE standards for PoE over the years:

WRED (Weighted Random Early Detection) is one of the congestion management techniques. It works at queue level: once the queue depth reaches the configured threshold, and before the queue is actually full, it randomly drops both ECN-capable and non-ECN-capable traffic (or, where ECN marking is enabled on the queue, marks ECN-capable packets instead of dropping them).
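
As an added example (not Arista's code), the WRED decision for one egress queue with the ECN behaviour attached: between the minimum and maximum thresholds the drop probability rises linearly to max-p, and once a packet is selected an ECN-capable packet is marked CE rather than dropped when marking is enabled, with the queue keeping the per-queue count of packets it marked (the kind of counter the ECN counting feature earlier on this page exposes). It uses the instantaneous queue depth instead of the averaged depth a real WRED implementation tracks, and the thresholds and packet trace are constructed.

```python
# Added example (not Arista's code): WRED drop/mark decision for one egress queue,
# with ECN marking and a per-queue marked-packet counter.  Instantaneous depth is used
# in place of the averaged depth a real WRED keeps; thresholds and trace are constructed.
import random
from typing import List, Tuple

NOT_ECT, ECT1, ECT0, CE = 0b00, 0b01, 0b10, 0b11   # IP header ECN codepoints (RFC 3168)


class WredQueue:
    def __init__(self, min_th: int, max_th: int, max_p: float,
                 ecn_marking: bool, seed: int = 7):
        assert 0 <= min_th < max_th and 0.0 < max_p <= 1.0
        self.min_th, self.max_th, self.max_p = min_th, max_th, max_p
        self.ecn_marking = ecn_marking
        self.rng = random.Random(seed)     # seeded so a run is reproducible
        self.enqueued = self.marked = self.dropped = 0

    def drop_probability(self, depth: int) -> float:
        if depth < self.min_th:
            return 0.0
        if depth >= self.max_th:
            return 1.0                     # beyond max threshold: behaves as tail drop
        return self.max_p * (depth - self.min_th) / (self.max_th - self.min_th)

    def admit(self, ecn_bits: int, depth: int) -> str:
        """Decide 'enqueue', 'mark' or 'drop' for one arriving packet."""
        p = self.drop_probability(depth)
        if p == 0.0 or self.rng.random() >= p:
            self.enqueued += 1
            return "enqueue"
        if self.ecn_marking and ecn_bits != NOT_ECT and depth < self.max_th:
            # ECN-capable (or already CE) packet: signal congestion instead of losing it
            self.marked += 1
            return "mark"
        self.dropped += 1
        return "drop"

    def counters(self) -> Tuple[int, int, int]:
        """(enqueued, ECN-marked, dropped), the per-queue view an operator would poll."""
        return self.enqueued, self.marked, self.dropped


def run_trace(q: WredQueue, trace: List[Tuple[int, int]]) -> Tuple[int, int, int]:
    for ecn_bits, depth in trace:
        q.admit(ecn_bits, depth)
    return q.counters()


# Constructed trace: alternating ECT0 and Not-ECT packets arriving while the queue sits
# in the middle of the WRED window, where drop probability is half of max-p.
TRACE: List[Tuple[int, int]] = [(ECT0 if i % 2 == 0 else NOT_ECT, 150) for i in range(200)]
```

Two things the run shows that the description alone does not: above the maximum threshold ECN-capable traffic is dropped as well, so marking only softens the early-detection region, and a Not-ECT packet is never marked regardless of queue configuration, so a flow that does not negotiate ECN gets no benefit from enabling it on the queue.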

Pseudo load sharing is a load sharing scheme for two power supply units (PSU) that do not have integrated load sharing. With pseudo load sharing, the system power is divided into two power domains, each with one PSU that is connected to a port group consisting of half of the system's Power over Ethernet (PoE) ports. When both PSUs are active, the power domains are independent and each PSU can only provide power to ports within the same power domain. Each port group can consume up to the maximum available power of the PSU in the same power domain. When only one PSU is active, the power switch between the two power domains can route power from the active PSU to all ports on the system.

PTP 1-step Boundary Clock (or 1-step BC) is similar to 2-step BC in function but doesn’t send the PTP Follow_Up message. The timestamp present in the PTP Follow_Up message’s preciseOriginTimestamp field is sent in the PTP Sync message’s originTimestamp field along with a non-zero correctionField. This allows us to support more PTP master ports because the control plane does not need to generate PTP Follow_Up messages anymore. PTP 1-step BC supports all the existing features supported by 2-step BC like G8275.1 profile, G8275.2 profile, etc unless otherwise specified in the limitations.
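
As an added example (not Arista's code), what a boundary clock puts on the wire for one Sync in 2-step versus 1-step mode, and how the receiving clock recovers the same t1 in both cases. In 1-step mode the control plane pre-fills originTimestamp and the hardware adds the difference between the actual departure time and that value to correctionField, which is why the field is non-zero. Timestamps are nanoseconds and constructed; the 2^-16 ns scaling of correctionField is the IEEE 1588 encoding.

```python
# Added example (not Arista's code): Sync/Follow_Up contents for 2-step and 1-step
# boundary clocks, and the receiver's recovery of t1.  Timestamps are constructed
# nanosecond values; correctionField is scaled as IEEE 1588 specifies (units of 2^-16 ns).
from typing import Dict, Optional, Tuple

CF_SCALE = 1 << 16      # correctionField is a signed 64-bit value in 2^-16 ns units


def two_step_sync(hw_egress_ns: int) -> Tuple[Dict, Dict]:
    """Sync carries no usable timestamp; the control plane later sends a Follow_Up whose
    preciseOriginTimestamp holds the hardware egress time of that Sync."""
    sync = {"twoStepFlag": True, "originTimestamp": 0, "correctionField": 0}
    follow_up = {"preciseOriginTimestamp": hw_egress_ns, "correctionField": 0}
    return sync, follow_up


def one_step_sync(prefilled_origin_ns: int, hw_egress_ns: int) -> Dict:
    """The control plane pre-fills originTimestamp; on egress the hardware writes the
    residual between real departure time and that value into correctionField, so the
    Sync alone carries t1 and no Follow_Up is generated."""
    residual_ns = hw_egress_ns - prefilled_origin_ns
    return {"twoStepFlag": False,
            "originTimestamp": prefilled_origin_ns,
            "correctionField": residual_ns * CF_SCALE}


def t1_from_messages(sync: Dict, follow_up: Optional[Dict] = None) -> int:
    """Receiver side: t1 is originTimestamp plus correctionField for 1-step, or the
    Follow_Up's preciseOriginTimestamp plus both messages' corrections for 2-step."""
    if sync["twoStepFlag"]:
        if follow_up is None:
            raise ValueError("a 2-step Sync cannot be used without its Follow_Up")
        base = follow_up["preciseOriginTimestamp"]
        correction = sync["correctionField"] + follow_up["correctionField"]
    else:
        base = sync["originTimestamp"]
        correction = sync["correctionField"]
    return base + correction // CF_SCALE


def offset_from_master(t1_ns: int, t2_ns: int, mean_path_delay_ns: int) -> int:
    """Slave offset once t1 is known: (t2 - t1) - meanPathDelay."""
    return (t2_ns - t1_ns) - mean_path_delay_ns
```

The receiver ends up with an identical t1 either way; the difference is purely where the egress timestamp travels, and moving it into the Sync is what removes the per-port Follow_Up generation load from the control plane.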

Media Access Control Security (MACsec) is an industry-standard encryption mechanism that protects all traffic flowing on the Ethernet links. MACsec is based on IEEE 802.1X and IEEE 802.1AE standards.