A layer 3 subinterface is a logical endpoint associated with traffic on an interface distinguished by 802.1Q tags, where each (interface, 802.1Q tag) tuple is treated as a routing interface.

For various peering applications, there is a need to support the assignment of a MAC address on routed interfaces.

This feature allows setting the desired maximum VOQ latency. Drop probabilities are adjusted in hardware to meet this limit.

Measured boot is a tamper-detection mechanism that records a system's boot process. It calculates cryptographic hashes of system components and configurations, which are then securely stored in the Platform Configuration Registers (PCRs) of a Trusted Platform Module (TPM) chip. This process creates a secure "hash chain" of the boot sequence. After the system starts, the TPM Quote operation, along with the PCR extension records, can be used to verify the PCR values, confirming that the system components are unchanged and the software is trusted.

MetaMux is an FPGA-based feature available on Arista’s 7130 platforms. It performs ultra-low latency Ethernet packet multiplexing with or without packet contention queuing. The port to port latency is a function of the selected MetaMux profile, front panel ingress port, front panel egress port, FPGA connector ingress port, and platform being used.

MetaWatch is an FPGA-based feature available for Arista 7130 Series platforms. It provides precise timestamping of packets, aggregation and deep buffering for Ethernet links. Timestamp information and other metadata such as device and port identifiers are appended to the end of the packet as a trailer.

Mirroring to a GRE tunnel allows mirrored packets to transit to an L3 network using GRE encapsulation.

From the 4.29.2F release of EOS, proactive probing of servers is supported. Using this feature, Arista switches can continuously probe configured servers to check their liveness and use the information obtained from these probes while sending out requests to the servers.

In EVPN, an overlay index is a field in type-5 IP Prefix routes that indicates that they should resolve indirectly rather than using resolution information contained in the type-5 route itself. Depending on the type of overlay index, this resolution information may come from type-1 auto discovery or type-2 MAC+IP routes. For this feature the gateway IP address field of the type-5 NLRI is used as the overlay index, which matches the target IPv4 / IPv6 address in the type-2 NLRI. Other types of overlay index are described in RFC9136, but these are currently unsupported.

This solution allows delivery of multicast traffic in an IP-VRF using multicast in the underlay network. It builds on top of [L2-EVPN], adding support for L3 VPNs and Integrated Routing and Bridging (IRB). The protocol used to build multicast trees in the underlay network is PIM Sparse Mode.

EVPN multicast IRB allows multicast traffic from the external PIM domain to flow through the EVPN network via the PIM EVPN Gateway Designated Router (PEG-DR). The solution won’t work when the external PIM source or RP is not connected to the PEG-DR in the external PIM domain. EVPN Multicast Transit solves the issue by allowing any PEG with transit configured (PEG-Transit) to act as PEG-DR.

The solution described in this document allows multicast traffic arriving on a VRF interface on a Provider’s Edge (PE) router to be delivered to Customer’s Edge (CE) routers with downstream receivers in the same VPN.

This feature adds all-active (A-A) multihoming support on the multi-domain EVPN VXLAN-MPLS gateway. It allows L2 and L3 ECMP to form between the multihoming gateways on the TOR devices inside the site and on the gateways in the remote sites. Therefore, traffic can be load-balanced to the multi-homing gateway and redundancy and fast convergence can be achieved.

The NAT peer state synchronization feature provides redundancy and resiliency for dynamic NAT across a pair of devices in an attempt to mitigate the risk of a single NAT device failure. The main motivation is that, since the NAT state is shared between two switches, the failure of one switch can be tolerated because the other switch will retain the translations.

An introduction to Nexthop-groups can be seen in the Nexthop-Group section of EOS. With this feature, IP packets matching a static Nexthop-Group route can be encapsulated with a GRE tunnel and forwarded.

EOS supports reading and streaming various OpenConfig configuration and state models over gNMI (gRPC Network Management Interface), RESTCONF, and NETCONF transports. A subset of the configuration models may also be modified over these transports.

Priority-flow-control (PFC) buffer and history counters provide information on both present PFC pause conditions and past pause events. These buffer counters (since EOS-4.34.2F) and history counters (since EOS-4.35.0F) are available via OpenConfig in addition to the show commands that have existed in previous versions.

Packet trimming is a novel method for end-to-end congestion notification. When a packet is dropped in the MMU due to congestion, the dropped packet is trimmed and forwarded to the intended receiver with a new configured DSCP value. Upon receiving a trimmed packet, the receiver can perform appropriate handling to reduce transmission rate or retransmit any lost packets. The feature supports matching criteria via ingress traffic policy for selecting which packets should be trimmed when they get dropped in the MMU. Similarly, the rewritten DSCP is specified on a per egress port basis for trimmed packets egressing out of the switch to the intended destination. This per egress port DSCP overrides the global rewrite DSCP if configured. This feature is supported for protocols IPv4, IPv6 and SRv6.

Policy-map counters can be configured to display per-interface counters for all class-maps attached to all successfully programmed policy-maps. The feature is not enabled by default and has to be configured through the command line interface. When enabled, the output of the show command will display both per-interface and aggregate counters.

The Per-MAC ACL feature provides the functionality to apply an IPv4/IPv6 ACL to an 802.1X supplicant instead of applying it on the port that the supplicant is behind. This allows for more flexible and specific traffic policies to be defined for supplicants trying to access certain resources on the network.

This document covers the usage of the port-breakout CLI to break a port evenly into multiple interfaces. In the context of this document, a port is a logical entity that holds a list of interfaces; in most cases this is equivalent to the front panel transceiver cage.

This article provides a general introduction to Precision Time Protocol (PTP) supported within EOS. PTP is aimed at distributing time with sub-microsecond accuracy. PTP support is based on the IEEE-1588 specification for version 2 of the protocol. 

Routing control functions (RCF) is a language that can be used to express route filtering and attribute modification logic in a powerful and programmatic fashion. This document serves as a reference guide for routing protocol attributes, operators for comparing and modifying attributes, and built-in functions provided in RCF.

Routing control functions (RCF) is a language that can be used to express route filtering and attribute modification logic in a powerful and programmatic fashion. This document serves as a reference guide for BGP agent points of application:

Routing control functions (RCF) is a language that can be used to express route filtering and attribute modification logic in a powerful and programmatic fashion.

RSVP-TE, the Resource Reservation Protocol (RSVP) for Traffic Engineering (TE), is used to distribute MPLS labels for steering traffic and reserving bandwidth. The Label Edge Router (LER) feature implements the headend functionality, i.e., RSVP-TE tunnels can originate at an LER which can steer traffic into the tunnel.

This document outlines a new CLI command, send security-bundle. This feature is motivated by the need for a streamlined way to collect forensic and security-related artifacts from a switch for analysis by security teams. It parallels the existing send support-bundle command, which is used to gather troubleshooting data. It is suggested to use the security-bundle together with the support-bundle command in order to obtain all data necessary to support an incident.

Load Balancing on Service Leaf MLAG is a feature designed to support optimal load balancing of traffic sent to a ZTX Monitor Node cluster. The load balance functionality is essential to ensure that bi-directional flows land on the same ZTX Monitor Node in the cluster as all members of the ZTX Monitor Node cluster advertise a common anycast GRE endpoint.

The sFlow VLAN forwarding feature adds support for providing the VLAN by which the packet is bridged as opposed to the VLAN that is decoded from the Ethernet frame. The VLANs are reported in the sFlow extended switch header’s input VLAN and output VLAN fields, as defined in the sFlow extended switch data.

"Micro segment" (SRv6 uSID or uSID for short) is an extension of the SRv6 architecture, specifically designed to represent SRv6 SIDs in an extremely compact way. It addresses the overhead of using full 128-bit IPv6 SIDs for routing. Instead of using a 128-bit address for a single SID, multiple uSIDs are packed into a single 128-bit address. Each 128-bit address comprises a block value representing the domain followed by multiple uSIDs, each of the same bit length. If there are bits left, they are filled with trailing zeros. This allows for a complete SRv6 path to be represented by a 128-bit IPv6 address. Like a regular SID, each uSID is associated with a specific behavior on the SRv6 capable node. SRv6 uN refers to the End behavior with uSIDs.

This is an infrastructure that provides management of SSL certificates, keys and profiles. SSL/TLS is an application-layer protocol that provides secure transport between client and server through a combination of authentication, encryption and data integrity. SSL/TLS uses certificates and private-public key pairs to provide this security. A user can manage certificates, keys and also multiple SSL profiles. An SSL profile is a configuration which includes certificate, key and trusted CA certificates used in SSL/TLS communication. An SSL profile configuration can be attached to another EOS configuration which supports SSL/TLS communication. Individual EOS features that use this infrastructure will document the details of using an SSL profile in their configuration.

A traffic storm is a flood of packets entering a network, resulting in excessive traffic and degraded performance. Storm control prevents network disruptions by limiting traffic beyond specified thresholds on individual physical LAN interfaces. Storm control monitors inbound traffic levels over one-second intervals and compares the traffic level with a specified benchmark. The storm-control command configures and enables storm control on the configuration mode physical interface.

The aggregate address minimum contributors feature adds the capability to specify a minimum number of contributor routes that must be present and advertisable in order for the BGP speaker to generate the route for the aggregate address.

This feature adds support for “Dynamic Load Balancing (DLB)” on Equal Cost Multi Path (ECMP) groups.

Nexthop Group tunnels are a tunneling abstraction in EOS. A nexthop group tunnel consists of a tunnel endpoint (IP prefix) and a nexthop group name representing the underlying nexthop group that forwards the traffic. If the underlying nexthop group is not configured, the tunnel endpoint will be unreachable until the given nexthop group is configured.

Port isolation is a feature that segregates the ports in a VLAN broadcast domain into isolated and non-isolated ports and facilitates blocking traffic between ports marked as isolated. Isolated ports in a VLAN are the ports that cannot send traffic to or receive traffic from other isolated ports in the same VLAN. However, they should still be able to communicate with non-isolated ports.

Private VLAN is a feature that segregates a regular VLAN broadcast domain while maintaining all ports in the same IP subnet. There are three types of VLAN within a private VLAN.

Access Control Lists (ACL) use packet classification to mark certain packets going through the packet processor pipeline and then take configured action against them. Rules are defined based on various fields of packets and usually TCAM is used to match packets to rules. For example, there can be a rule to match the packet source IP address against a list of IP addresses, and drop the packet if there is a match. This will be expressed in TCAM with multiple entries matching the list of IP addresses. The number of entries is reduced by masking off bits, if possible. TCAM is a limited resource, so with classifiers having a large number of rules and a big field list, TCAM runs out of resources.

This TOI supplements the Ingress Traffic Policy applied on ingress port interfaces. Please refer to that document for a description of Traffic Policies and field-sets. This TOI explains the Traffic Policies as applied in the ingress direction on VLAN interfaces. For Traffic Policies on the egress direction of VLAN interfaces, see the Egress Traffic Policy TOI.

This feature enables support for applying a policy-map in the egress direction on an SVI interface. A policy-map is a QoS feature in which we have multiple class-maps, each with a match criteria and an action. These class-maps match on the given criteria and the configured action is applied on the traffic which matches. We can apply these policy-maps on interfaces in both input and output directions, which match on ingress and egress traffic respectively. This feature adds support for applying such an output policy-map on an SVI (Switch Virtual Interface).

SWitch Aggregation Group (SWAG) is a feature in EOS that supports combining multiple physical switches into a single, powerful virtual switch, simplifying network management and increasing scalability. This document describes how to configure and troubleshoot a SWAG.

SwitchApp is an FPGA-based feature available on Arista’s 7130LB-Series and 7132LB-Series platforms. It performs ultra low latency Ethernet packet switching. Its packet switching feature set, port count, and port to port latency are a function of the selected SwitchApp profile. Detailed latency measurements are available in the user guide on the Arista Support site.

This article describes the TAP Aggregation 802.1Q (VLAN) tag stripping feature. This feature allows up to two of the outermost incoming 802.1Q tags to be stripped, and can be configured on a traffic steering policy or a tool port.

BGP routing information often contains more than one path to the same destination network. The BGP best-path selection algorithm determines which of these paths should be considered as the best path to that network.

Secure boot is a security feature available in Aboot (Arista bootloader) that verifies the cryptographic signature of the EOS SWI (software image) before it is booted. Aboot embeds certificates that allow it to recognize and validate official EOS releases from Arista. If the signature verification is successful, the secure boot check passes and Aboot proceeds to boot the SWI. If the signature verification fails, the boot is aborted.

TX queue precision shaping allows improving accuracy of observed shape rates on interfaces relative to configured values, in particular when the configured rate is low.

Prior to EOS 4.24.1F, per-destination steering into an SR Policy was only supported for IP unicast BGP routes in the default VRF.

This guide details how to use Zero Touch Provisioning (ZTP) on Arista switches.

Support for matching of DSCP, ECN, and VLAN is available under the QoS class-map configuration on Arista switches.