802.1X is an IEEE standard protocol that prevents unauthorized devices from gaining access to the network.

In a VXLAN routing setup using VXLAN Controller Service (VCS), this feature will enable the following on a switch that is running as a VCS client.

EOS devices can accept gNMI Get requests with CLI commands as paths. Such requests must have the “origin” field of the path set to “cli”. When the “encoding” field of a Get request is set to “JSON” or “JSON_IETF”, or is not set, the output is returned as the eAPI model of the command, serialized as JSON. For example (using the command “show interfaces Ethernet1/1 status”):

Creating Traffic Policies that regulate control plane traffic from BGP peers by writing the list of BGP peer addresses statically in a field-set is error-prone and difficult to update. Selecting only internal or external peers requires additional care. This feature automatically populates a field-set with IPv4 or IPv6 prefixes corresponding to iBGP or eBGP peers.

This feature provides a mechanism to mark specific routes as resilient ECMP (RECMP) eligible using BGP RCF policies. A policy-based mechanism provides a lot of flexibility in choosing the RECMP-eligible routes using criteria such as:

This document describes the CLI introduced to change the default hardware FEC allocation scheme for IPv4/IPv6 attached routes. By default, level2 hardware FECs are allocated for attached IPv4/IPv6 routes. To change the default hardware FEC allocation scheme, this CLI can be used. 

Common Management Interface Specification (CMIS) defines, starting with revision 4.0, a standard mechanism for managing the firmware of compliant transceivers. This mechanism allows for transceivers’ firmware to be updated without having to remove the transceiver from the switch. Firmware updates may be necessary in a testing or production environment to resolve potential firmware bugs. Some transceivers may also support firmware management operations in a hitless manner (without impacting traffic).

DHCPv6 Prefix Delegation support enables a DHCP relay agent to program routes for addresses assigned by a DHCP server. The assigned prefixes could either be DHCPv6 IA_PD prefix delegation addresses, or DHCPv6 IA_NA global /128 addresses.

The NDR switch sensor, also known as the “monitor security awake” feature, provides deep network analysis by performing deep packet inspection on some or all packets of the traffic forwarded by the switch.

EosSdkRpc is an agent built on top of the Arista EOS SDK. It uses gRPC as a mechanism to provide remote access to the EOS SDK. The gRPC interface that EosSdkRpc supports closely matches the interface provided by EOS SDK, and the intent is that the .proto interface can be publicly supported. EosSdkRpc allows for remote access, and using protobuf to specify the interface isolates user code from the Linux ABI issues that come with building C++ applications on different compiler, libc, and kernel versions. EosSdkRpc is built using C++ but supports clients written in any of the languages currently supported by the gRPC framework.

As Ethernet technologies made their way from conventional enterprise-level usage into Metropolitan Area Networks (MAN) and Wide Area Networks (WAN), they are now widely used by service providers to provide end-to-end connectivity to customers. Such service provider networks are typically spread across large geographical areas. Additionally, the service providers themselves may rely on certain internet backbone providers, referred to as “operators”, to provide connectivity when the geographical area to be covered is too large. This mode of operation makes Operations, Administration and Maintenance (OAM) of such networks far more challenging, and the ability of service providers to respond swiftly to network faults directly impacts their competitiveness.

Multihoming in EVPN allows a single customer edge (CE) to connect to multiple provider edges (PE or tunnel endpoint). In any multihoming EVPN instance (EVI), for each ethernet segment a designated forwarder is elected using EVPN type 4 Ethernet Segment (ES) routes sent through BGP. In single-active mode, the designated forwarder (DF) is responsible for sending and receiving all traffic. In all-active mode, the DF is only used to determine whether broadcast, unknown

In the traditional data center design, inter-subnet forwarding is provided by a centralized router, where traffic traverses across the network to a centralized routing node and back again to its final destination. In a large multi-tenant data center environment this operational model can lead to inefficient use of bandwidth and sub-optimal forwarding.

This feature adds an “exec” command for tracing that incorporates a time limit. Such time limited traces can be executed like so: start trace AGENT setting TRACE timeout TIME ( seconds | minutes | hours ). This is in contrast to the “config” commands for tracing, which do not have a time limit.

Generic UDP Encapsulation (GUE) is a general method for encapsulating packets of arbitrary IP protocols within a UDP tunnel. GUE provides an extensible header format with optional data. In this release, decap capability of GUE packets of variant 1 header format has been added. This variant allows direct encapsulation using the UDP header without the GUE header. The inner payload could be one of IPv4, IPv6, or MPLS.

The Segment security feature provides the convenience of applying policies on segments rather than interfaces or subnets. Hosts/networks are classified into segments based on prefixes. Grouping prefixes into segments allows for definition of policies that govern flow of traffic between segments.

This feature enables the user to configure a list or range of BGP attributes to be ignored by the router on receipt of a BGP update message. The BGP attributes are discarded from the BGP update message. Unless the action of discarding an attribute causes the update message to trigger error handling, the update message is then parsed as normal.

For network monitoring and troubleshooting flow-related issues, it is desirable to know the path, latency, queue and congestion information for flows at different times. The inband telemetry (INT) feature, based on the Inband Flow Analyzer RFC draft (IFA 2.0, and IFA 1.0 on some platforms), is used to gather per-flow telemetry information like path, per-hop latency and congestion. INT is supported for both IPv4 and IPv6 traffic.

The document describes the support for dedicated and group ingress policing on interfaces without using QoS policy-maps to match on the traffic and apply policing.

IPv6 routes of certain prefix lengths can be optimized for enhanced route scale on R/R2 series platforms. This TOI explains the usage of these optimizations.

IPv6 routes of certain prefix lengths can be optimized for enhanced route scale on R3. This TOI explains the usage of these optimizations.

Traffic Engineering (TE) provides network administrators a mechanism to control the path that a data packet takes, bypassing the standard routing model which uses routes along the shortest path. Traffic engineered paths are generally computed on the head-end routers of the topology based on various constraints (e.g. minimum bandwidth, affinity) configured for those paths and attributes (e.g. available bandwidth, color) received from devices in the network topology. The IS-IS Traffic Engineering (IS-IS TE) feature extends the IS-IS protocol in EOS to carry TE attributes as part of its Link State Protocol Data Units (LSPs). Note that IS-IS in EOS only acts as a carrier for TE attributes and it is not used by any processing (e.g. SPF).

At a high level, L1 profiles are a set of configurations which allow EOS users to change the numbering scheme and default L1 configurations of all front panel interfaces across their network switch.

Loop protection is a loop detection and prevention method which is independent of Spanning Tree Protocol (STP) and is not disabled when the switch is in switchport backup mode or port is in discarding state. The LoopProtect agent has a method to detect loops and take action based on the configuration by the user. In order to find loops in the system, a loop detection frame is sent out periodically on each interface that loop protection is enabled on. The frame carries broadcast destination MAC address, bridge MAC source address, OUI Extended EtherType 0x88b7 as well as information to specify the origins of the packet.

A layer 3 subinterface is a logical endpoint associated with traffic on an interface distinguished by 802.1Q tags, where each (interface, 802.1Q tag) tuple is treated as a routing interface.

A “boot extension” is an extension that gets installed automatically at switch boot time. This feature introduces a new CLI command boot extension <EXTENSION> to simplify the boot extension management and EOS upgrade/downgrade process.

Arista switches provide several mirroring features. Filtered mirroring to CPU adds a special destination to the mirroring features that allows the mirrored traffic to be sent to the switch supervisor. The traffic can then be monitored and analyzed locally without the need for a remote port analyzer. This feature is intended for debugging and troubleshooting purposes.

Mirroring to a GRE tunnel allows mirrored packets to transit to a L3 network using GRE encapsulation.

From the 4.29.2F release of EOS, proactive probing of servers is supported. Using this feature, Arista switches can continuously probe configured servers to check their liveness and use the information obtained from these probes while sending out requests to the servers.

When a GRE tunnel is configured, and a GRE-encapped MPLS packet arrives on decap-groups, the traffic-class is derived based on the packet outer DSCP value. This feature aims to allow the user to derive the traffic-class based on the MPLS traffic-class from the payload of the IPv4 GRE packet, using the existing MPLS-exp to TC mapping defined in global QoS maps.

Dynamic resizing of nexthop groups allows a nexthop group to adjust its size in the hardware based on tunnel resolution. When there is a change in tunnel resolution, the hardware is automatically programmed with only those entries that are fully resolved. However, if the tunnel endpoint corresponding to a nexthop group entry becomes unreachable, the entry remains in use and any traffic destined for the endpoint gets blackholed.

The on boot link override feature adds support for keeping interfaces down at switch boot until the correct interface state can be determined by feature agents. Keeping the interfaces down through device boot will protect against transient traffic loss by preventing downstream peers from detecting a transient interface up and sending traffic to the device. 

By default, when an SVI is configured on a VXLAN VLAN, then broadcast, unknown unicast, and unknown multicast (BUM) traffic received from the tunnel are punted to CPU. However, sending unknown unicast and unknown multicast traffic to CPU is unnecessary and could have negative side effects. Specifically, these packets take the L2Broadcast CoPP queue to the CPU. 

This feature introduces metric profiles to OSPF metric configurations. Metric profiles allow multiple metric configurations to be applied on the interface at the same time. When the interface speed drops below certain thresholds, the interface will automatically change the metric it uses based on the configurations in the metric profile.

This document describes a new CLI command to help debug how and why policy permits and denies paths. The aim of this CLI command is for the user to debug a route map or RCF (Routing Control Functions) function by specifying as input a prefix for which BGP has reachability for, either via a BGP peer or a redistribute source.

The postcard telemetry (GreenT - GRE Encapsulated Telemetry) feature is used to gather per flow telemetry information like path and per hop latency. For network monitoring and troubleshooting flow related issues, it is desirable to know the path, latency and congestion information for flows at different times.

Precoding is used to help reduce the burst error length of DFE (Decision Feedback Equalizer) error events with PAM-4 modulation.

This feature allows the network administrator to set a flag that allows the Explicit Congestion Notification (ECN) headers of a packet to be preserved and copied to inner or outer packets when the packet is decapsulated or encapsulated on a VXLAN Tunnel Endpoint (VTEP).

Media Access Control Security (MACsec) is an industry-standard encryption mechanism that protects all traffic flowing on the Ethernet links. MACsec is based on IEEE 802.1X and IEEE 802.1AE standards.

This TOI document describes the supported Precision Time Protocol (PTP) functionality on the CCS-750X platforms. Due to the nature of the hardware for these products, the supported PTP functionality and interoperation with other features may differ from other Arista products.

Routing control functions (RCF) is a language that can be used to express route filtering and attribute modification logic in a powerful and programmatic fashion.

Routing Control Functions (RCF) is a language that can express route filtering and attribute modification logic in a powerful and programmatic fashion. The document covers: Configurations of a RCF function for BGP points of application

This feature adds support to interface traffic policies for routing matched unicast IPv4 or IPv6 traffic which ingresses on L3 interfaces according to the routing table of a secondary VRF.

RSVP-TE, the Resource Reservation Protocol (RSVP) for Traffic Engineering (TE), is used to distribute MPLS labels for steering traffic and reserving bandwidth. The Label Edge Router (LER) feature implements the headend functionality, i.e., RSVP-TE tunnels can originate at an LER which can steer traffic into the tunnel.

NAT has been supported in DCS-7150 for many years. Starting at EOS 4.21.6F, NAT functionality is supported on certain 7050X3 platforms.

Interface reflectors are useful for making sure that a service provided to customers is working as expected and is within SLA constraints. Support is now extended to configuring subinterfaces as Ethernet reflectors. The Subinterface Interface Reflector feature allows performing certain actions (such as source/destination MAC address swap) on packets reaching subinterfaces patched to Pseudowire that are reflected back to the source interface. It is useful for testing properties and SLAs before deploying the service for a customer.

This feature introduces a new CLI command (agent Bgp snapshot mrt received routes [ VRF ] FILE) which generates an MRT file containing the peers, prefixes and path attributes received by a switch running multi-agent routing m

Dynamic NAT is a feature which dynamically allocates an IP address to an incoming or outgoing flow. This address will replace source or destination IP for all packets of the flow.

This feature enables L3 reachability for the PTP on the switch using one or more shared “Loopback” interfaces.

Leaf Smart System Upgrade (SSU) provides the ability to upgrade the EOS image with minimal traffic disruption. To perform the SSU, Spanning Tree Protocol (STP) should either be disabled or configured as MSTP. Meanwhile, all ports should be configured with admin edge ports (i.e., all ports are supposed to connect to host only) and the BPDU guard should be enabled for all edge ports.