With the 19.0 release, Access Points (AP) can seamlessly switch between LAN 1 and LAN 2 as the Uplink Port without disturbing the client connectivity and without any reboot. For the list of enhancements done for the same feature in the previous release, see the 18.0 TOI.

Fair Adaptive Dynamic Thresholds (FADT) provides efficient allocation of shared packet buffer resources among the various virtual output queues. FADT is useful when queues become congested and buffer resources should be allocated in a way that prioritizes certain queues while avoiding starvation of lower-priority queues. The scheme works on each incoming packet by calculating an instantaneous queue threshold based on the available free resources. The queue buffer threshold is calculated as:

The 7280E and 7500E series are Virtual Output Queues (VOQs) based multi chip systems where there is a VOQ for all the

Fallback PBR policy enables an alternate policy to be active when PBR policy attached to an interface is being

Fast poll counters allow for rapid collection of a basic set of MAC counters on supported platforms at a very high frequency.

This feature permits rapid restoration of outbound traffic on ECMP groups that have a mix of ports from the Supervisor1 (Linecard1) and Supervisor2 (Linecard2) cards. In the context of the supported platforms, these are referred to as Uplink ports and have names starting with Eth1/ or Ethernet1/ (Linecard1) and Eth2/ or Ethernet2/ (Linecard2).

This feature permits rapid restoration of outbound traffic on LAG (port-channel) groups that have a mix of ports from the Supervisor1 (Linecard1) and Supervisor2 (Linecard2) cards. In the context of the supported platforms, these are referred to as Uplink ports and have names starting with Eth1/ or Ethernet1/ (Linecard1) and Eth2/ or Ethernet2/ (Linecard2).

This document describes the FEC (Forwarding Equivalence Class) dampening feature. When hardware FEC/ECMP resource usage goes above the platform limit, Ale (the hardware abstraction layer) deletes some routes in anticipation of freeing up hardware FEC resources so that newly created FECs can be programmed. This logic of deleting/unprogramming routes may lead to unnecessary traffic drops in the following cases of transient FEC resource overflow.

The FEC (Forward Error Correction) traffic analyzer is designed to estimate the performance of the FEC layer, identify error statistics, and the source of correlated errors on physical interfaces.

FIPS (Federal Information Processing Standards) is a US federal standard for computer systems and data security that mandates that only compliant cryptographic algorithms and implementations be used in a product's cryptographic operations. A product is considered FIPS compliant if it uses validated crypto modules that have been certified by a laboratory approved by the National Institute of Standards and Technology (NIST). CloudVision has completed the FIPS certification process to allow users with both single-node and multi-node clusters to operate in FIPS mode. Intra-node communication is not yet certified and will follow in Phase 2.

In the 17.0 release, CV-CUE introduces FEED. FEED is a network dashboard that presents a timeline view of all the detected anomalies in the network. CV-CUE curates the FEED by continuously monitoring and proactively detecting anomalies in the network. It also analyzes the cause of each anomaly and provides dynamic suggestions to mitigate the issue. The administrator can analyze the issue and the AI-based recommended action, and then decide on the best approach to mitigate the issue. FEED also lets administrators go back in time and understand anomalies that occurred in the past.

FIB compression allows us to program routes into the hardware more efficiently. Routes are programmed in the route

This feature introduces a per-VRF table “FIB route count” for hardware FIB tables, and associated actions.

The Filter managed service action filters packets on the Service Node (SN) interface and supports optional VLAN tagging. Utilizing ACL rules, the system forwards or drops matched traffic. Traffic tagged with a VLAN exits the interface (Tx) after processing through the action chain. VLAN tagging specifically facilitates traffic steering in Switch-less SN deployments, where the forwarding plane relies on VLANs. This configuration produces no functional impact when the SN connects directly to a DMF switch within the fabric.

MPLSoGRE Filtered Mirroring is a specialized version of Mirroring to GRE Tunnel and Filtered Mirroring in which

Directed broadcast ACL allows inbound directed-broadcast IP packets whose source IP address is one of the permitted hosts and denies the rest of the directed broadcast traffic. The destination address of the IP packet must be the broadcast address of an interface with directed broadcast enabled. This feature provides a global command to configure the set of permitted hosts via a field-set.
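The decision logic described above, as an added example that is not Arista code and does not reflect the EOS implementation: the interface table, the `directed_broadcast` attribute and the permitted-host field-set are constructed for the example. It shows the two conditions a packet must meet (the destination must be the broadcast address of an interface that has directed broadcast enabled, and the source must be in the permitted set) and that the limited broadcast 255.255.255.255 is not a directed broadcast at all. Directed broadcast is the classic amplification primitive (smurf), which is why the default is to drop it and the permit list is the only way in.

```python
import ipaddress

# Constructed topology for the example: per-interface subnet and whether
# directed broadcast is enabled on it (attribute names are assumptions).
INTERFACES = {
    "Ethernet1": {"network": ipaddress.ip_network("10.1.1.0/24"), "directed_broadcast": True},
    "Ethernet2": {"network": ipaddress.ip_network("10.1.2.0/24"), "directed_broadcast": False},
}

# Constructed field-set of permitted source hosts (e.g. a Wake-on-LAN server).
PERMITTED_HOSTS = {ipaddress.ip_address("192.168.100.10")}

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def directed_broadcast_decision(src: str, dst: str) -> str:
    """Classify an inbound IPv4 packet by (src, dst).

    Returns "forward" when the packet is a directed broadcast for an interface
    with directed broadcast enabled and the source is permitted, "deny" when it
    is a directed broadcast that fails either check, and
    "not-directed-broadcast" when the ACL does not apply to it at all.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)

    # 255.255.255.255 is the limited broadcast; it is never forwarded off-link
    # and is not what this ACL governs.
    if dst_ip == LIMITED_BROADCAST:
        return "not-directed-broadcast"

    for intf in INTERFACES.values():
        if dst_ip == intf["network"].broadcast_address:
            if not intf["directed_broadcast"]:
                # Directed broadcast disabled on the target interface: dropped
                # regardless of source (assumed to match the default behaviour).
                return "deny"
            return "forward" if src_ip in PERMITTED_HOSTS else "deny"

    # Unicast (or a broadcast address of a subnet we do not own): not our concern here.
    return "not-directed-broadcast"


if __name__ == "__main__":
    for src, dst in [("192.168.100.10", "10.1.1.255"),
                     ("192.168.100.99", "10.1.1.255"),
                     ("192.168.100.10", "10.1.2.255"),
                     ("192.168.100.10", "10.1.1.7")]:
        print(src, "->", dst, directed_broadcast_decision(src, dst))
```

Note that the permitted-host check is on the claimed source address only; nothing in the ACL authenticates it, so the field-set should be paired with anti-spoofing (uRPF or ingress ACLs) on the interfaces where those hosts actually live.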

With the 19.0 release, you can apply filters to report data before generating or scheduling a report. Previously, you manually filtered out the relevant data from the generated report. Applying filters before generating a report helps streamline the data, speeds up report generation, and improves its readability. With filters, you can create a customized report based on your specific needs.

Organizations may have multiple access points (APs) of different models operating with various firmware versions. As an organization, you may want to designate a specific version as a compliant firmware version for a certain model. Assigning a compliant firmware version helps network administrators identify non-compliant AP models by generating notification alerts.

Systems with support for Arista secure boot protect against tampering with the BIOS firmware and Aboot by write-protecting the BIOS SPI flash before EOS is loaded (refer to the "Security model" section in the secure boot TOI for details). While effective at protecting against unauthorized changes made from EOS, such a mechanism has limitations. For example, it is ineffective against physical reprogramming of the contents of the BIOS SPI flash, tampering through privileged serial console access, undiscovered security vulnerabilities in the BIOS upgrade mechanism, etc.

This document describes the CLI introduced to reallocate ECMP FEC banks on different levels in a hierarchical FEC configuration. Users may run out of entries on a certain level with other levels having little to no usage, and this CLI reconfigures the ECMP FEC entries to meet the requirements of the user.

Disabling the flooding of broadcast, multicast, and unknown unicast traffic into the VXLAN fabric can significantly reduce bandwidth consumption in the VXLAN underlay. This is particularly beneficial in use cases where such traffic is unnecessary. This feature, exclusively supported with EVPN, allows for the selective flooding of ARP and/or ND traffic, offering further control over bandwidth usage.

With the 16.0 release, CloudVision Cognitive Unified Edge (CV-CUE) introduces the following enhancements to Floor Plans: 

Latency and drop information help determine if there is a loss in a particular flow and where the loss occurred. A Service Node action configured as a DANZ Monitoring Fabric (DMF) managed service has multiple separate taps or spans in the production network and can measure the latency of a flow traversing through any pair of these points. It can also detect packet drops between any two points in the network if the packet only appears on one point within a specified time frame, currently set to 200ms.

This feature provides a way to distinguish groups of flows within encrypted GRE tunnels. That enables downstream forwarding devices to process multiple flows in parallel while maintaining packet order within individual flows. Parallel processing offers the opportunity for significant aggregate throughput improvement.

This feature provides a way to distinguish groups of flows within encrypted IPsec tunnels. That enables downstream forwarding devices to process multiple flows in parallel while maintaining packet order within individual flows. Parallel processing offers the opportunity for significant aggregate throughput improvement.

Receive Side Scaling (RSS), also known as multi-queue receive, distributes network receive flows across the multiple hardware queues of a NIC.

The agent DmaQueueMonitor provides visibility into packets coming up to the CPU via CPU queues. Packets are continuously sampled on monitored queues and kept available for reporting when a CPU congestion event occurs.

This feature enables detection of abnormal system flows (total in vs. out packet counters) by showing packet loss

Flow control is a data transmission option that temporarily stops a device from sending data because of a peer data overflow condition. If a device sends data faster than the receiver can accept it, the receiver's buffer can overflow. The receiving device then sends a PAUSE frame, instructing the sending device to halt transmission for a specified period.
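The PAUSE frame mentioned above has a fixed, well-known layout (IEEE 802.3x MAC Control: reserved destination 01:80:C2:00:00:01, EtherType 0x8808, opcode 0x0001, then a 16-bit pause_time counted in quanta of 512 bit times). The following builder/parser is an added example, not code from the original page or from Arista; the source MAC and link speeds are constructed values. It shows why PAUSE matters operationally: a single frame with pause_time 0xFFFF holds a 10G link for about 3.4 ms, and a sender that keeps refreshing it before expiry can stall the link indefinitely, which is why PAUSE should only be honoured on ports where flow control is deliberately enabled.

```python
import struct

PAUSE_DST = bytes.fromhex("0180c2000001")   # reserved multicast address for MAC Control
MAC_CONTROL_ETHERTYPE = 0x8808
PAUSE_OPCODE = 0x0001
QUANTUM_BITS = 512                           # one pause quantum = 512 bit times
MIN_FRAME_NO_FCS = 60                        # 64-byte minimum frame minus 4-byte FCS


def build_pause_frame(src_mac: bytes, pause_quanta: int) -> bytes:
    """Build an 802.3x PAUSE frame (without FCS) requesting pause_quanta quanta."""
    if len(src_mac) != 6:
        raise ValueError("source MAC must be 6 bytes")
    if not 0 <= pause_quanta <= 0xFFFF:
        raise ValueError("pause_time is a 16-bit field")
    header = PAUSE_DST + src_mac + struct.pack("!H", MAC_CONTROL_ETHERTYPE)
    payload = struct.pack("!HH", PAUSE_OPCODE, pause_quanta)
    frame = header + payload
    return frame + b"\x00" * (MIN_FRAME_NO_FCS - len(frame))  # zero padding


def parse_pause_frame(frame: bytes):
    """Return (src_mac, pause_quanta) for a PAUSE frame, or None for anything else."""
    if len(frame) < 18:
        return None
    dst, src, ethertype, opcode, quanta = struct.unpack("!6s6sHHH", frame[:18])
    if dst != PAUSE_DST or ethertype != MAC_CONTROL_ETHERTYPE or opcode != PAUSE_OPCODE:
        return None
    return src, quanta


def pause_seconds(pause_quanta: int, link_bps: float) -> float:
    """How long the receiver of the PAUSE stops transmitting, for a given link speed."""
    return pause_quanta * QUANTUM_BITS / link_bps


if __name__ == "__main__":
    src = bytes.fromhex("001c73aabbcc")  # constructed source MAC
    frame = build_pause_frame(src, 0xFFFF)
    parsed = parse_pause_frame(frame)
    print(frame.hex(), parsed, pause_seconds(parsed[1], 10e9), "s at 10G")
```

A PAUSE frame stops all traffic on the link, not just the congested flow; priority-based flow control (802.1Qbb PFC) exists precisely to narrow that to individual traffic classes.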

Forced periodic ARP refresh adds support for a mechanism that allows forcing ARP/NDP refresh requests to be sent in periodic intervals independently of ARP/NDP entries' confirmed time in the kernel. By default, when a neighbor entry gets confirmed by various processes such as ARP synchronization between MLAG peers, an ARP refresh request is not sent for at least another duration of ARP aging timeout (or ND cache expiry time for the IPv6 case). This feature provides support for a configuration to force sending refresh requests at the configured ARP/ND aging timeout regardless of the last confirmed time.

With the 18.0 release, you can send a copy of DHCP packets from Access Points (AP) to Network Access Control (NAC) solutions for profiling clients and assigning appropriate network segments. When you enable the packet forwarding option on the UI, the AP forwards a copy of the DHCP packets to UDP port 67 of the destination server.
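What the NAC side does with those copies is extract the client's fingerprinting fields from the DHCP options. The parser below is an added example, not code from the original page or from Arista or any NAC vendor; the DHCPDISCOVER it parses is constructed inline, and the field names of the returned dictionary are the author's. It pulls the fields profilers commonly key on: client MAC (chaddr), message type (option 53), hostname (option 12), vendor class identifier (option 60) and the parameter request list (option 55), whose ordering is a strong OS signal. It also refuses truncated option encodings rather than reading past the buffer.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def build_dhcp_discover(mac: bytes, hostname: bytes, vendor_class: bytes, prl: bytes) -> bytes:
    """Constructed DHCPDISCOVER (UDP payload only) used as sample input for the parser."""
    # Fixed 236-byte BOOTP header: op=1 (request), htype=1 (Ethernet), hlen=6,
    # hops=0, xid, secs=0, flags=broadcast, four zero addresses, chaddr, sname, file.
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (b"\x35\x01\x01"                                   # 53: message type DISCOVER
               + bytes([12, len(hostname)]) + hostname           # 12: hostname
               + bytes([60, len(vendor_class)]) + vendor_class   # 60: vendor class identifier
               + bytes([55, len(prl)]) + prl                     # 55: parameter request list
               + b"\xff")                                        # 255: end
    return header + MAGIC_COOKIE + options


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the TLV option area into {code: value}; raises ValueError on malformed input."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (bad length or magic cookie)")
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # end option
            break
        if code == 0:              # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:   # length claims more bytes than remain
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def dhcp_fingerprint(payload: bytes) -> dict:
    """Extract the fields a NAC profiler typically keys on from a DHCP message."""
    hlen = payload[2]
    chaddr = payload[28:28 + hlen]
    options = parse_dhcp_options(payload)
    msg_type = options.get(53, b"\0")[0]
    return {
        "client_mac": chaddr.hex(":"),
        "msg_type": MSG_TYPES.get(msg_type, "UNKNOWN"),
        "hostname": options.get(12, b"").decode("ascii", "replace"),
        "vendor_class": options.get(60, b"").decode("ascii", "replace"),
        "param_request_list": ",".join(str(b) for b in options.get(55, b"")),
    }


if __name__ == "__main__":
    pkt = build_dhcp_discover(bytes.fromhex("001122334455"), b"lab-laptop", b"MSFT 5.0",
                              bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]))
    print(dhcp_fingerprint(pkt))
```

Every one of these fields is supplied by the client and trivially spoofable, so a profile derived from them is a hint for segment assignment, not an authentication result; the forwarded copy also travels unauthenticated over UDP, so the path from AP to NAC should be a trusted management network.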

Forwarding destination prediction enables visibility into how a packet is forwarded through the switch, allowing you to determine which interfaces a packet would egress out of. Typical use cases include, but are not limited to, determining egress members for Port-Channels and ECMPs.

Forwarding destination prediction enables visibility into how a packet is forwarded through the switch and allows

Forwarding destination prediction allows users to determine which interface a given packet will egress out. This feature is enhanced to identify the TCAM bank and rule offset for the matched ACL rule responsible for the forwarding decision. This allows network operators to trace the egress result back to the exact rule that triggered the action.

This feature lets you freeze the channel and transmit power in the Auto mode to operate a specific radio at a specific channel number and transmit power. To switch to other channels, unfreeze the settings and select a custom channel and power, or enable the Auto mode to select the optimum channel and transmit power. Freeze and unfreeze Auto Channel Selection (ACS) and Transmit Power Control (TPC) configurations are configured for each radio. You can select multiple radios and freeze the ACS and TPC settings.

This feature adds support for the front panel Ethernet (Et) interface counters on the platforms listed below and enables the Et interfaces to dynamically adopt the counter values (packet and error) of interfaces (Switch, App interfaces etc.) related to the currently running FPGA application, based on user or default configuration. All Arista FPGA applications are supported. Both the receive and transmit packet counters can be independently configured for each interface, as desired. Counters are supported for interfaces of any speed including agile ports.

This feature enables the direct generation of public/private key pairs and TLS Certificate Signing Requests (CSRs) on Atlas appliances. The previous workflow required generating keys and CSRs externally, followed by importing the private key and CA-signed certificate. This enhancement simplifies the process by securely retaining the private key on the appliance, eliminating the need for external key management.

Generic UDP Encapsulation (GUE) is a general method for encapsulating packets of arbitrary IP protocols within a UDP tunnel. GUE provides an extensible header format with optional data. In this release, decap capability of GUE packets of variant 1 header format has been added. This variant allows direct encapsulation using the UDP header without the GUE header. The inner payload could be one of IPv4, IPv6, or MPLS.

When a user configures IPv6 ACLs, by default, the system automatically includes two additional rules: a default

This feature provides a CLI to disable storm control policing on known multicast streams. By default, known multicast streams are policed by storm control policers, and this behavior is consistent across all platforms supporting the storm control feature. With the new CLI, the default policing behavior for known multicast streams can be changed.

Users can now define a global LAG hashing profile. The global LAG hashing profile will be applied to all linecards

LAG TOI 4.17.0F

This is an implementation of the gNOI Healthz RPCs (version 1.3.0). Note that the RPC elements of the Healthz service are supported and, as of 4.33.1F, only the agent information is exposed in the Healthz YANG component containers outlined in the Healthz service.

gNPSI is an OpenConfig protocol designed to act as a proxy between the sFlow agent and interested gRPC clients. The gNPSI server receives datagrams from sFlow, repackages the datagrams in the protobuf message format and forwards these messages onto any subscribed gRPC clients. The protobuf used for this feature is available at the link above.

In the 18.0 release, along with Slack, you can also subscribe to Google Chat and Microsoft Teams webhooks to receive alerts in your conversation channels whenever a network issue or anomaly is detected. Note: This is a BETA feature. Reach out to your Arista account manager to enable it.

This is an extension to the IKE policy and SA policy configuration options available in EOS. The key lifetimes for IKE policies and SA policies are specifiable in hours. This feature allows specifying the key lifetimes in minutes as well.

This feature introduces support for IPv4 ACL configuration under GRE and IPsec tunnel interfaces and IPv6 ACL configuration under GRE tunnel interfaces. The configured ACL rules are applied to tunnel-terminated GRE packets, i.e. any IPv4/v6-over-GRE-over-IPv4 packet that is decapsulated by the GRE tunnel interface on which the ACL is applied, or to packets terminated on an IPsec tunnel, i.e. IPv4-over-ESP-over-encrypted-IPv4 packets that are decapsulated and decrypted by the IPsec tunnel interface on which the ACL is applied.

This is an addendum to the "IP in IP decapsulation" document. When GRE decapsulation is configured using decap groups, incoming packets with an outer IP header having IPProto=47 (GRE) and a destination IP that matches the configured value will be decapsulated. This means that the outer IP and GRE headers will be removed from the packet, and all subsequent decisions will be based on the inner IP header.

By default, the inner IP header of a GRE packet is used for LAG hashing. With this feature, LAGs can hash GRE traffic

The feature allows a GRE tunnel to be resolved over another GRE tunnel. The two GRE tunnels may be in the same VRF or different VRFs.
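The decap-group behaviour described in the IP-in-IP addendum above (strip the outer IPv4 and GRE headers when IPProto is 47 and the destination matches a configured address) and the GRE-over-GRE case in this paragraph can both be shown with one parser. The code below is an added example, not Arista code and not a description of the EOS data plane; the addresses, the GRE key, the depth cap and the IPv4-only payload handling are the author's constructed choices. It handles the variable GRE header length (the C, K and S flag bits each add four bytes), rejects non-zero GRE versions and truncated headers, and repeats the decapsulation while the exposed inner packet is again GRE addressed to one of the decap addresses.

```python
import ipaddress
import struct

GRE_PROTO = 47
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000   # checksum, key, sequence present
GRE_VERSION_MASK = 0x0007
ETHERTYPE_IPV4 = 0x0800


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 header for sample packets (header checksum left zero on purpose)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + payload


def build_gre(payload: bytes, key: int = None) -> bytes:
    """Constructed GRE header carrying IPv4, optionally with the K flag and a 32-bit key."""
    flags = GRE_FLAG_K if key is not None else 0
    header = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if key is not None:
        header += struct.pack("!I", key)
    return header + payload


def gre_header_len(flags: int) -> int:
    """Base 4 bytes plus 4 for each of the optional checksum, key and sequence fields."""
    return 4 + 4 * bool(flags & GRE_FLAG_C) + 4 * bool(flags & GRE_FLAG_K) + 4 * bool(flags & GRE_FLAG_S)


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) for an IPv4 packet, honouring IHL."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    src = str(ipaddress.ip_address(pkt[12:16]))
    dst = str(ipaddress.ip_address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:]


def gre_decap(pkt: bytes, decap_addresses: set, max_depth: int = 2):
    """Strip outer IPv4+GRE headers while the packet is GRE destined to a decap address.

    Returns (remaining_packet, levels_stripped, outer_src_of_last_stripped_header).
    max_depth (an assumption of this example) bounds recursion so a crafted stack of
    GRE headers cannot make the parser loop arbitrarily long.
    """
    depth, last_outer_src = 0, None
    while depth < max_depth:
        src, dst, proto, payload = parse_ipv4(pkt)
        if proto != GRE_PROTO or dst not in decap_addresses:
            break                                   # not ours to decapsulate
        if len(payload) < 4:
            raise ValueError("truncated GRE header")
        flags, ptype = struct.unpack("!HH", payload[:4])
        if flags & GRE_VERSION_MASK:
            raise ValueError("unsupported GRE version")  # version 0 only (RFC 2784/2890)
        if ptype != ETHERTYPE_IPV4:
            raise ValueError("this example only handles IPv4 inner payloads")
        hlen = gre_header_len(flags)
        if len(payload) < hlen:
            raise ValueError("truncated GRE header")
        pkt, last_outer_src, depth = payload[hlen:], src, depth + 1
    return pkt, depth, last_outer_src


if __name__ == "__main__":
    inner = build_ipv4("10.0.0.1", "10.0.0.2", 17, b"\x00" * 8)
    one = build_ipv4("192.0.2.1", "198.51.100.1", GRE_PROTO, build_gre(inner, key=0x1234))
    two = build_ipv4("203.0.113.5", "198.51.100.2", GRE_PROTO, build_gre(one))
    remaining, levels, outer_src = gre_decap(two, {"198.51.100.1", "198.51.100.2"})
    print(levels, outer_src, remaining == inner)
```

The security point the decap-group model carries: any host that can route a GRE packet to a decap address can inject traffic that is then forwarded on the inner header, so the tunnel-interface ACLs described earlier (or equivalent filtering on the underlay) are what decide who gets to speak into the inner domain, not the decapsulation itself.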