The L2 EVPN MPLS feature is available when configuring BGP in the multi-agent routing protocol model. Ethernet VPN (EVPN) is an extension of the BGP protocol introducing a new address family: L2VPN (address family number 25) / EVPN (subsequent address family number 70). It is used to exchange overlay MAC and IP address reachability information between BGP peers.

802.1X is an IEEE standard protocol that prevents unauthorized devices from gaining access to the network.

As per the mechanism suggested for the MKA protocol, the generation, distribution and installation of a new SAK in all members of a connectivity association (CA) can be thought of as happening in a number of steps.

MacSec EOS 4.29.0F SAK Installation

Ingress policing provides the ability to monitor the data rates for a particular class of traffic and perform actions when traffic exceeds user-configured values. This allows users to control ingress bandwidth based on packet classification. Ingress policing is done by a policing meter, which marks incoming traffic, and actions are performed based on the results of the policing meters.

ACL QoS EOS 4.23.2F POLICE EOS 4.29.0F

EOS 4.21.3F introduces support for BGP Flowspec, as defined in RFC5575 and RFC7674. The typical use case is to filter or redirect DDoS traffic on edge routers.

Class Based Forwarding (CBF) is a means for steering IP traffic into colored tunnels based on the ingress DSCP values. CBF may be used with SR-TE Policy or RSVP-TE colored tunnels.

The DHCP Relay feature forwards DHCP packets between client and server when the DHCP server is not in the same broadcast domain as the client. DHCP Relay should be configured on the gateway interface (SVI / L3 interface) for the clients. The DHCP relay agent creates a new unicast DHCP packet and sets the giaddr field to the ‘primary’ IP address of the interface on which the DHCP request packet is received. The modified request packet is then relayed to one or more configured DHCP servers. The DHCP server assigns an IP address to the client from the pool corresponding to the giaddr field.

Support for DHCPv4 Server (RFC 2131) and DHCPv6 Server (RFC 8415) was added in EOS-4.22.1 and EOS-4.23.0 respectively. The EOS DHCP server uses ISC Kea as its backend. The router with DHCP Server enabled acts as a server that allocates and delivers network addresses with the desired configuration parameters to its hosts.

On the 7280R3/7500R3/7800R3 platforms, the EXP rewrite for IP-MPLS routed flows is derived from the DSCP of the packet. Using a QoS policy-map, the DSCP can be set as needed. But in this process, the egress IP TOS was also changed, which may cause issues later at the customer edge.

This feature can be divided into 3 parts. Enable support for different threshold per Color per TX queue  We

The NDR switch sensor, also known as the “monitor security awake” feature, provides deep network analysis by performing deep packet inspection of some or all of the packets forwarded by the switch.

EosSdkRpc is an agent built on top of the Arista EOS SDK. It uses gRPC as a mechanism to provide remote access to the EOS SDK. The gRPC interface that EosSdkRpc supports closely matches the interface provided by the EOS SDK, and the intent is that the .proto interface can be publicly supported. EosSdkRpc allows for remote access, and using protobuf to specify the interface isolates user code from the Linux ABI issues that come with building C++ applications on different compiler, libc, and kernel versions. EosSdkRpc is built using C++ but supports clients written in any of the languages currently supported by the gRPC framework.

As Ethernet technologies made their way from conventional enterprise usage into Metropolitan Area Networks (MAN) and Wide Area Networks (WAN), they are now widely used by service providers to provide end-to-end connectivity to customers. Such service provider networks are typically spread across large geographical areas. Additionally, the service providers themselves may rely on certain internet backbone providers, referred to as “operators”, to provide connectivity when the geographical area to be covered is too large.

In EVPN, an overlay index is a field in type-5 IP Prefix routes that indicates that they should resolve indirectly rather than using resolution information contained in the type-5 route itself. Depending on the type of overlay index, this resolution information may come from type-1 auto discovery or type-2 MAC+IP routes. For this feature the gateway IP address field of the type-5 NLRI is used as the overlay index, which matches the target IPv4 / IPv6 address in the type-2 NLRI.

EVPN EOS 4.29.0F Gateway IP

Flexible cross-connect service is an extension of EVPN MPLS Virtual Private Wire Service (VPWS) (RFC 8214). It allows for multiplexing multiple attachment circuits across different Ethernet Segments and physical interfaces into a single EVPN VPWS service tunnel while still providing single-active and all-active multi-homing.

EVPN gateway support for all-active (A-A) multihoming adds a new redundancy model to our multi-domain EVPN solution introduced in [1]. This deployment model introduces the concept of a WAN Interconnect Ethernet Segment identifier (WAN I-ESI). The WAN I-ESI allows the gateway’s EVPN neighbors to form L2 and L3 overlay ECMP on routes re-exported by the gateways. The identifier is shared by gateway nodes within the same domain (site) and set in MAC-IP routes that cross domain boundaries.

EOS supports the ability to match on a single VLAN tag (example: encapsulation dot1q vlan 10) or a VLAN tag pair (example: encapsulation dot1q vlan 10 inner 20) to map matching packets to an interface. In this case, the encapsulation string is considered consumed by the mapped interface before forwarding, which means that the tags are effectively removed from the incoming packet for the purposes of any downstream forwarding.

An introduction to Nexthop-groups can be found in the Nexthop-Group section of EOS. With this feature, IP packets matching a static Nexthop-Group route can be encapsulated in a GRE tunnel and forwarded.

GRE EOS 4.22.0F EOS 4.29.0F

This feature allows the logging of packets matching permit rules in ingress ACLs. This behavior can be enabled by using the log keyword when configuring an ACL permit rule. A copy of each packet matching those ACL rules is sent to the control plane, where a syslog entry of the packet header is generated.

sFlow is a sampling technique which monitors the incoming traffic on all the interfaces without affecting the network performance.

The document describes the support for dedicated and group ingress policing on interfaces without using QoS policy-maps to match on the traffic and apply policing.

IPSec tunnel mode support allows the customer to encrypt traffic transiting between two tunnel endpoints.

This feature helps detect whether there are multiple nodes in the network with the same System-ID. A non-unique System-ID leads to the failure of all subsequent functions of the IS-IS protocol, such as LSP origination (leading to constant LSP flooding), SPF calculation and so on.

EOS 4.29.0F

Segment Routing provides a mechanism to define end-to-end paths within a topology by encoding paths as sequences of sub-paths or instructions. These sub-paths or instructions are referred to as “segments”. IS-IS Segment Routing (henceforth referred to as IS-IS SR) provides the means to advertise such segments through the IS-IS protocol.

Normally, a switch traps L2 protocol frames to the CPU. However, certain use cases may require these frames to be forwarded or dropped. Conversely, in cases where L2 protocol frames are forwarded (e.g. pseudowire), the frames may need to be trapped to the CPU or dropped. The L2 Protocol Forwarding feature provides a mechanism to control the behavior of L2 protocol frames received on a port or subinterface.

Line system commands are used to apply configuration and query the status of line system modules in EOS. The supported line system modules are the OSFP-AMP-ZR and the QSFP-AMP-ZR.

OSFP LS Line System EOS 4.29.0F

Arista's 7130 Connect Series of Layer 1+ switches are powerful network devices designed for ultra low latency and offer a wealth of integrated management features and functionalities.

MetaMux is an FPGA-based feature available on Arista’s 7130 platforms. It performs ultra-low latency Ethernet packet multiplexing with or without packet contention queuing. The port to port latency is a function of the selected MetaMux profile, front panel ingress port, front panel egress port, FPGA connector ingress port, and platform being used.

Arista switches provide several mirroring features. Filtered mirroring to CPU adds a special destination to the mirroring features that allows mirrored traffic to be sent to the switch supervisor. The traffic can then be monitored and analyzed locally without needing a remote port analyzer. This feature is intended for debugging and troubleshooting purposes.

In order to achieve split horizon and prevent double-delivery of packets in an MLAG setup, egress ACLs are installed on all active MLAG interfaces so that BUM traffic received on the MLAG peer-link cannot get forwarded out any MLAG interfaces. When only one half of an MLAG interface is active, this egress ACL is removed to allow BUM traffic from the peer-link to be forwarded out MLAG interfaces.

Mlag EOS 4.29.0F split-horizon

MPLS-over-GRE encapsulation support in EOS 4.17.0 enables tunneling IPv4 packets over MPLS over GRE tunnels. This feature leverages next-hop group support in EOS. With this feature, IPv4 routes may be resolved via MPLS-over-GRE next-hop group to be able to push one MPLS label and then GRE encapsulate the resulting labelled IPv4 packet before sending out of the egress interface.

TOI 4.17.0F MPLS GRE EOS 4.29.0F

Before 4.29.0F, the next hop self option could only be configured for a neighbor in global router mode and would apply to all address families. Attempting to configure next-hop-self in address family mode would silently move the configuration to global mode (for the specified neighbor).

EOS 4.29.0F EOS 4.29.1F

Policy-based routing (PBR) is a feature that is applied on routable ports, to preferentially route packets. Forwarding is based on a policy that is enforced at the ingress of the applied interface and overrides normal routing decisions. In addition to matches on regular ACLs, PBR policy-maps can also include “raw match” statements that look like a single entry of an ACL as a convenience for users.

The postcard telemetry (GreenT - GRE Encapsulated Telemetry) feature is used to gather per flow telemetry information like path and per hop latency. For network monitoring and troubleshooting flow related issues, it is desirable to know the path, latency and congestion information for flows at different times.

RFC2544 defines a number of benchmark tests that may be used to describe the performance characteristics of a network interconnecting device(s). Starting from 4.28.1F, Arista switches support the throughput test from the set of benchmark tests defined in RFC2544. Starting from 4.29.0F, Arista switches also support the frame loss rate test.

Routing control functions (RCF) is a language that can be used to express route filtering and attribute modification logic in a powerful and programmatic fashion. 

Sampled flow tracking with IPFIX export is supported on most Arista platforms. The user-configured sampling rate is used for sampling in the ingress and/or egress direction on the configured interfaces. An EOS software agent on the CPU processes the samples received from hardware and uses them to create flow records that are exported to IPFIX collectors. Refer to the Sampled flow tracking TOI for additional details.

Network administrators require access to information about the flows that pass through various network elements, for the purpose of analyzing and monitoring their networks. This feature provides access to IP flow information by sampling traffic flows in the ingress and/or egress direction on the interfaces on which it is configured. The samples are then used to create flow records, which are exported to the configured collectors in the IPFIX format. Egress flow tracking is supported from EOS-4.29.0F on the DCS-7170B-64C series and on the 7280, 7500 and 7800 series platforms from EOS-4.31.1.

This feature allows an SBFD initiator to request that an SBFD reflector respond with the status of an auxiliary path. This is very useful when an SBFD session cannot be established with an endpoint. In such a case the SBFD initiator could establish a session to a router in the path (e.g. an ASBR) and ask it to respond with the health of the remaining path (e.g. the endpoint connected to the ASBR).

EOS 4.29.0F

Bidirectional Forwarding Detection (BFD) is a protocol that provides low-overhead, short-duration detection of failures of arbitrary paths between two systems.

Unicast Reverse Path Forwarding (uRPF) can help limit malicious IPv4/IPv6 traffic on a network. uRPF works by enabling the router to verify reachability (routing) of the source IP address (SIP) in the packet being forwarded. If the SIP is determined to be an invalid address, the packet is dropped.

IPv6 URPF IPv4 URPF URPF EOS 4.29.0F

Spanning Tree Protocol requires each interface to have a unique port number ranging from 1 through 4095. Arista STP typically assigns port numbers to port-channel interfaces in the order in which they are configured.

BGP Monitoring Protocol (BMP) allows a monitoring station to connect to a router and collect all of the BGP announcements received from the router’s BGP peers. The announcements are sent to the station in the form of BMP Route Monitoring messages generated from path information in the router’s BGP Adj-Rib-In tables.

BGP BMP EOS 4.29.0F

This feature adds support for “Dynamic Load Balancing (DLB)” on Link Aggregation Group (LAG). It is intended to help overcome the potential shortcomings of traditional hash-based load balancing by considering the traffic load of members of LAG groups.

EOS 4.29.0F

A L2 sub-interface is a logical bridging endpoint associated with traffic on an interface distinguished by 802.1Q tags, where each <interface, 802.1Q tag> tuple is treated as a first-class bridging interface. 

This feature enables Tap Aggregation generic header removal on a tap port.

Topology Independent Fast Reroute, or TI-LFA, uses IS-IS SR to build loop-free alternate paths along the post-convergence path. These loop-free alternates provide fast convergence.

Access Control Lists (ACL) use packet classification to mark certain packets going through the packet processor pipeline and then take the configured action against them. Rules are defined based on various packet fields, and usually TCAM is used to match packets to rules. For example, there can be a rule to match the packet source IP address against a list of IP addresses and drop the packet if there is a match. This is expressed in TCAM with multiple entries matching the list of IP addresses. The number of entries is reduced by masking off bits where possible. TCAM is a limited resource, so with classifiers that have a large number of rules and a big field list, TCAM runs out of resources.

Internal recirculation interfaces, IR interfaces, can be used to internally loop-back packets for a second pass through the packet forwarding pipeline. This is particularly useful with Tap Aggregation because some combinations of advanced Tap Aggregation features cannot be simultaneously applied to a packet. Using an IR interface however, a user can apply multiple Tap Aggregation egress editing features, overcoming previous limitations.

This article describes how to customize TCAM (Ternary Content Addressable Memory) lookup for each feature which uses TCAM.