802.1X is an IEEE standard protocol that prevents unauthorized devices from gaining access to the network.

Filtered Mirroring allows certain packets to be selected for mirroring, rather than all packets ingressing or egressing a particular port.

In a VXLAN routing setup using VXLAN Controller Service (VCS), this feature will enable the following on a switch that is running as a VCS client.

Creating Traffic Policies that regulate control plane traffic from BGP peers by statically writing the list of BGP peer addresses into a field-set is error-prone and difficult to update. Selecting only internal or external peers requires additional care. This feature automatically populates a field-set with IPv4 or IPv6 prefixes corresponding to iBGP or eBGP peers.

BGP Traffic Policy EOS 4.29.2F

This feature provides a mechanism to mark specific routes as resilient ECMP (RECMP) eligible using BGP RCF policies. A policy based mechanism provides a lot of flexibility in choosing the RECMP eligible routes using criteria such as:

ECMP Resilient RECMP EOS 4.29.2F

This document describes the CLI introduced to change the default hardware FEC allocation scheme for IPv4/IPv6 attached routes. By default, level2 hardware FECs are allocated for attached IPv4/IPv6 routes. To change the default hardware FEC allocation scheme, this CLI can be used. 

Common Management Interface Specification (CMIS) defines, starting with revision 4.0, a standard mechanism for managing the firmware of compliant transceivers. This mechanism allows for transceivers’ firmware to be updated without having to remove the transceiver from the switch. Firmware updates may be necessary in a testing or production environment to resolve potential firmware bugs. Some transceivers may also support firmware management operations in a hitless manner (without impacting traffic).

DHCPv6 Prefix Delegation support enables a DHCP relay agent to program routes for addresses assigned by a DHCP server. The assigned prefixes could either be DHCPv6 IA_PD prefix delegation addresses, or DHCPv6 IA_NA global /128 addresses.

TOI 4.20.1F EOS 4.29.2F

The NDR switch sensor (also known as the “monitor security awake” feature) provides deep network analysis by performing deep packet inspection on some or all of the traffic forwarded by the switch.

EosSdkRpc is an agent built on top of the Arista EOS SDK. It uses gRPC as a mechanism to provide remote access to the EOS SDK. The gRPC interface that EosSdkRpc supports closely matches the interface provided by EOS SDK, and the intent is that the .proto interface can be publicly supported. EosSdkRpc allows for remote access and using protobuf to specify the interface isolates user code from the Linux ABI issues that come with building C++ applications on different compiler, libc, and kernel versions.

As Ethernet technologies have made their way from conventional enterprise usage into Metropolitan Area Networks (MAN) and Wide Area Networks (WAN), they are now widely used by service providers to provide end-to-end connectivity to customers. Such service provider networks are typically spread across large geographical areas. Additionally, the service providers themselves may rely on internet backbone providers, referred to as “operators”, to provide connectivity when the geographical area to be covered is too large. This mode of operation makes Operations, Administration and Maintenance (OAM) of such networks far more challenging, and the ability of service providers to respond swiftly to network faults directly impacts their competitiveness.

Multihoming in EVPN allows a single customer edge (CE) to connect to multiple provider edges (PE or tunnel endpoint). In any multihoming EVPN instance (EVI), for each ethernet segment a designated forwarder is elected using EVPN type 4 Ethernet Segment (ES) routes sent through BGP. In single-active mode, the designated forwarder (DF) is responsible for sending and receiving all traffic. In all-active mode, the DF is only used to determine whether broadcast, unknown

BGP EVPN Multi Homing EOS 4.29.2F

In the traditional data center design, inter-subnet forwarding is provided by a centralized router, where traffic traverses across the network to a centralized routing node and back again to its final destination. In a large multi-tenant data center environment this operational model can lead to inefficient use of bandwidth and sub-optimal forwarding.

This feature adds an “exec” command for tracing that incorporates a time limit. Such time limited traces can be executed like so: start trace AGENT setting TRACE timeout TIME ( seconds | minutes | hours ). This is in contrast to the “config” commands for tracing, which do not have a time limit.

EOS 4.29.2F

This feature allows exporting IP-in-IP tunnel counters through the OpenConfig AFT YANG models. Exporting IP-in-IP counters is supported on all platforms; however, counting IP-in-IP tunnel packets is supported only on the DCS-7500R3, DCS-7280R3 and DCS-7800R3 series.

The Segment security feature provides the convenience of applying policies on segments rather than interfaces or subnets. Hosts/networks are classified into segments based on prefixes. Grouping prefixes into segments allows for definition of policies that govern flow of traffic between segments.

Generic UDP Encapsulation (GUE) is a general method for encapsulating packets of arbitrary IP protocols within a UDP tunnel. GUE provides an extensible header format with optional data. In this release, support for decapsulating GUE packets with the variant 1 header format has been added. This variant allows direct encapsulation using the UDP header without the GUE header. The inner payload can be IPv4, IPv6, or MPLS.

This feature enables the user to configure a list or range of BGP attributes to be ignored by the router on receipt of a BGP update message. The listed attributes are discarded from the BGP update message and, unless discarding an attribute causes the update message to trigger error handling, the message is then parsed as normal.

Routing BGP EOS 4.29.2F

For network monitoring and troubleshooting flow related issues, it is desirable to know the path, latency, queue and congestion information for flows at different times. The inband telemetry (INT) feature, based on the Inband Flow Analyzer RFC drafts IFA 2.0 and IFA 1.0 (on some platforms), is used to gather per flow telemetry information like path, per hop latency and congestion. INT is supported for both IPv4 and IPv6 traffic.

The document describes the support for dedicated and group ingress policing on interfaces without using QoS policy-maps to match on the traffic and apply policing.

IPv6 routes of certain prefix lengths can be optimized for enhanced route scale on R/R2 series platforms. This TOI explains the usage of these optimizations.

EOS 4.15.2F EOS 4.29.2F

IPv6 routes of certain prefix lengths can be optimized for enhanced route scale on R3. This TOI explains the usage of these optimizations.

EOS 4.26.2F EOS 4.29.2F

At a high level, L1 profiles are a set of configurations which allow EOS users to change the numbering scheme and default L1 configurations of all front panel interfaces across their network switch.

 

Loop protection is a loop detection and prevention method which is independent of Spanning Tree Protocol (STP) and is not disabled when the switch is in switchport backup mode or port is in discarding state. The LoopProtect agent has a method to detect loops and take action based on the configuration by the user. In order to find loops in the system, a loop detection frame is sent out periodically on each interface that loop protection is enabled on. The frame carries broadcast destination MAC address, bridge MAC source address, OUI Extended EtherType 0x88b7 as well as information to specify the origins of the packet.

A layer 3 subinterface is a logical endpoint associated with traffic on an interface distinguished by 802.1Q tags, where each <interface, 802.1Q tag> tuple is treated as a routing interface.

Subinterfaces EOS 4.29.2F

A “boot extension” is an extension that gets installed automatically at switch boot time. This feature introduces a new CLI command boot extension <EXTENSION> to simplify the boot extension management and EOS upgrade/downgrade process.

Swix EOS 4.29.2F Boot Extension

Arista switches provide several mirroring features. Filtered mirroring to CPU adds a special destination to the mirroring features that allows the mirrored traffic to be sent to the switch supervisor. The traffic can then be monitored and analyzed locally without the need for a remote port analyzer. This feature is intended for debugging and troubleshooting.

TOI EOS 4.15.2F EOS 4.29.2F

Mirroring to GRE tunnel allows mirrored packets to transit a L3 network using GRE encapsulation.

EOS 4.29.1F EOS 4.29.2F EOS 4.30.2F

From the 4.29.2F release of EOS, proactive probing of servers is supported. Using this feature, Arista switches can continuously probe configured servers to check their liveness and use the information obtained from these probes when sending requests to the servers.

EOS 4.29.2F EOS 4.30.0F

When a GRE tunnel is configured, and a GRE-encapped MPLS packet arrives on decap-groups, the traffic-class is derived based on the packet outer DSCP value. This feature aims to allow the user to derive the traffic-class based on the MPLS traffic-class from the payload of the IPv4 GRE packet, using the existing MPLS-exp to TC mapping defined in global QoS maps.

Dynamic resizing of nexthop groups allows a nexthop group to adjust its size in the hardware based on tunnel resolution. When there is a change in tunnel resolution, the hardware is automatically programmed with only those entries that are fully resolved. However, if the tunnel endpoint corresponding to a nexthop group entry becomes unreachable, the entry remains in use and any traffic destined for the endpoint gets blackholed.

EOS 4.29.2F

The on boot link override feature adds support for keeping interfaces down at switch boot until the correct interface state can be determined by feature agents. Keeping the interfaces down through device boot will protect against transient traffic loss by preventing downstream peers from detecting a transient interface up and sending traffic to the device. 

L1 EOS 4.29.2F Boot Interface

By default, when an SVI is configured on a VXLAN VLAN, then broadcast, unknown unicast, and unknown multicast (BUM) traffic received from the tunnel are punted to CPU. However, sending unknown unicast and unknown multicast traffic to CPU is unnecessary and could have negative side effects. Specifically, these packets take the L2Broadcast CoPP queue to the CPU. 

CPU VXLAN EOS 4.29.2F BUM

This feature introduces metric profiles to OSPF metric configurations. Metric profiles allow multiple metric configurations to be applied on the interface at the same time. When the interface speed drops below certain thresholds, the interface will automatically change the metric it uses based on the configurations in the metric profile.

OSPF EOS 4.29.2F

The postcard telemetry (GreenT - GRE Encapsulated Telemetry) feature is used to gather per flow telemetry information like path and per hop latency. For network monitoring and troubleshooting flow related issues, it is desirable to know the path, latency and congestion information for flows at different times.

Precoding is used to help reduce the burst error length of DFE (Decision Feedback Equalizer) error events with PAM-4 modulation.

EOS 4.29.2F Precoding EOS 4.30.0F

This feature allows the network administrator to set a flag that allows the Explicit Congestion Notification (ECN) headers of a packet to be preserved and copied to inner or outer packets when the packet is decapsulated or encapsulated on a VXLAN Tunnel Endpoint (VTEP).

EOS 4.29.2F

Media Access Control Security (MACsec) is an industry-standard encryption mechanism that protects all traffic flowing on the Ethernet links. MACsec is based on IEEE 802.1X and IEEE 802.1AE standards.

This TOI document describes the supported Precision Time Protocol (PTP) functionality on the CCS-750X platforms. Due to the nature of the hardware for these products, the supported PTP functionality and interoperation with other features may differ from other Arista products.

This feature adds support to interface traffic policies for routing matched unicast IPv4 or IPv6 traffic which ingresses on L3 interfaces according to the routing table of a secondary VRF.

RSVP-TE, the Resource Reservation Protocol (RSVP) for Traffic Engineering (TE), is used to distribute MPLS labels for steering traffic and reserving bandwidth. The Label Edge Router (LER) feature implements the headend functionality, i.e., RSVP-TE tunnels can originate at an LER which can steer traffic into the tunnel.

NAT has been supported in DCS-7150 for many years. Starting at EOS 4.21.6F, NAT functionality is supported on certain 7050X3 platforms.

Nat EOS 4.29.2F EOS 4.31.2F

This feature introduces a new CLI command (agent Bgp snapshot mrt received routes [ VRF ] FILE) which generates an MRT file containing the peers, prefixes and path attributes received by a switch running multi-agent routing m

BGP Multi Agent EOS 4.29.2F

Dynamic NAT is a feature which dynamically allocates an IP address to an incoming or outgoing flow. This address will replace source or destination IP for all packets of the flow.

This feature enables L3 reachability for the PTP on the switch using one or more shared “Loopback” interfaces.

Ptp EOS 4.29.2F

Leaf Smart System Upgrade (SSU) provides the ability to upgrade the EOS image with minimal traffic disruption. To perform the SSU, Spanning Tree Protocol (STP) should either be disabled or configured as MSTP. In addition, all ports should be configured as admin edge ports (i.e., all ports are expected to connect only to hosts) and BPDU guard should be enabled on all edge ports.

SSU STP EOS 4.29.2F MSTP

This feature allows for the configuration of password requirements when creating or modifying local user accounts. Specifically, policies can necessitate that passwords meet the following requirements:

Nat EOS 4.29.2F EOS 4.31.1F

A L2 sub-interface is a logical bridging endpoint associated with traffic on an interface distinguished by 802.1Q tags, where each <interface, 802.1Q tag> tuple is treated as a first-class bridging interface. 

This feature terminates GRE packets on a TapAgg switch by stripping the GRE header and then letting the decapped packets go through the normal TapAgg path. With this feature, we can use an L3 GRE tunnel to transit tapped traffic to the TapAgg switch over an L3 network. That would widely extend the available use cases for TapAgg.

Access Control Lists (ACLs) use packet classification to mark certain packets going through the packet processor pipeline and then take the configured action against them. Rules are defined based on various fields of packets, and TCAM is usually used to match packets to rules. For example, there can be a rule to match the packet source IP address against a list of IP addresses, and drop the packet if there is a match. This is expressed in TCAM with multiple entries matching the list of IP addresses. The number of entries is reduced by masking off bits, if possible. TCAM is a limited resource, so with classifiers having a large number of rules and a big field list, TCAM runs out of resources.