Installing DMF Switches

This chapter describes installing DANZ Monitoring Fabric (DMF) switches and performing initial setup and configuration.

DMF supports secure HTTPS connectivity for Controller-hosted URLs using ZTP.

Before DMF version 8.4, the Controller used HTTP to access ZTP install scripts and software images. HTTP does not provide the security required in today’s network environments, so the need for HTTPS support arose in those customer environments where all port 80 traffic (HTTP) is blocked. Blocking HTTP access makes the DHCP-based installation of Switch Light and other required software impossible. This new feature allows access to ZTP install scripts and software images via secure HTTPS.

HTTPS Support for Controller Hosted URLs using ZTP

DANZ Monitoring Fabric (DMF) supports secure HTTPS connectivity for Controller-hosted URLs using ZTP.

Before DMF version 8.4, the Controller used HTTP to access ZTP install scripts and software images. HTTP does not provide the security required in today’s network environments, so the need for HTTPS support arose in those customer environments where all port 80 traffic (HTTP) is blocked. Blocking HTTP access makes the DHCP-based installation of Switch Light and other required software impossible. This new feature allows access to ZTP install scripts and software images via secure HTTPS.

This feature does not require any special configuration.

Use the CLI show switch-image url command to display the URLs for the ZTP install script and images.

The output contains HTTP and HTTPS URLs for the script and each available image, as shown in the following example.

C1> show switch-image url
# FileUrlAlternative Url
-|-------------------------|------------------------------------------------------------|---------------|
1 arista-ztp-install-script http://<controller IP>/switchlight/arista-ztp-install-script
2 arista-ztp-install-script https://<controller IP>/switchlight/arista-ztp-install-script
3 install-amd64 http://<controller IP>/switchlight/install-amd64
4 install-amd64 https://<controller IP>/switchlight/install-amd64
5 update-amd64http://<controller IP>/switchlight/amd64
6 update-amd64https://<controller IP>/switchlight/amd64
7 update-aristaeoshttp://<controller IP>/eos/x86_64
8 update-aristaeoshttps://<controller IP>/eos/x86_64

Zero Touch Fabric Provisioning Modes

Complete the fabric switch installation using one of the following two modes:
  1. Layer 2 Zero Touch Fabric (L2ZTF, Auto-discovery switch provisioning mode): In this mode (which was the default up to DMF release 8.4), the switch ONIE software automatically discovers the Controller via IPv6 local link addresses and downloads and installs the appropriate Switch Light OS image from the Controller. This installation method requires all the fabric switches and the DMF Controller to be in the same Layer 2 network (IP subnet). If the fabric switches need IPv4 addresses to communicate with SNMP or other external services, configure IPAM, which provides the Controller with a range of IPv4 addresses to allocate to the fabric switches.
  2. Layer 3 Zero Touch Fabric (L3ZTF, Pre-configured switch provisioning mode): In this mode, which is the default starting from DMF release 8.5, when fabric switches are in a different Layer 2 network from the Controller, log in to each switch individually to configure network information and download the ZTF installer. Subsequently, the switch automatically downloads Switch Light OS from the Controller. This mode requires communication between the Controller and the fabric switches to occur using IPv4 addresses, and no IPAM configuration is required.
Note: For both switch installation modes, you must enter the following commands for every switch: 
controller-1(config)# switch <name>
controller-1(config-switch)# mac <mac-address>

The following table summarizes the requirements for installation using each mode:

Requirements Layer 2 mode Layer 3 mode
Any switch in a different subnet from the Controller? No Yes
IPAM configuration for SNMP and other IPv4 services? Yes No
IP address assignment IPv4 or IPv6 IPv4-only
Refer to this section Using L2 ZTF (Auto-Discovery) Provisioning Mode Changing to Layer 3 (Pre-Configured) Switch Provisioning Mode

Install all the fabric switches in a single fabric using the same mode. If there are any fabric switches in a different IP subnet than the Controller, DANZ Monitoring Fabric (DMF) requires using Layer 3 mode to install all the switches, even those in the same Layer 2 network as the Controller. Installing switches in mixed mode, with some switches using ZTF in the same Layer 2 network as the Controller, while other switches in a different subnet are installed manually or using DHCP is unsupported.

Using L2 ZTF (Auto-Discovery) Provisioning Mode

Layer 2 Zero Touch Fabric (L2 ZTF) is used to provision and install DANZ Monitoring Fabric (DMF) switches that are in the same Layer 2 management network as the DMF Controllers. ZTF uses the Open Network Install Environment (ONIE) boot loader to automate switch installation and configuration. Supported fabric switches are shipped with an ONIE network-enabled boot image. Refer to the DANZ Monitoring Fabric 8.5 Hardware Compatibility List for a list of supported monitoring fabric switches. During switch boot up, each switch gets the Switch Light OS software from the DMF Controller.
Note: DMF supports deploying switches from different vendors in the same fabric. However, using cables from different vendors to connect switches is not supported. Optics are required to interconnect switches from different vendors. See the Hardware Compatibility List for details on supported optics for each switch platform.
Note: If a switch is in a different subnet than the Controller, refer to the Changing to Layer 3 (Pre-Configured) Switch Provisioning Mode section for details about how to install it.

Requirements

Consider the following and perform each item when using ZTF to install fabric switches:
  • The DANZ Monitoring Fabric 8.5 Hardware Compatibility List lists the supported fabric switches.
  • Connect the management Ethernet interface of each physical switch to the management network and power it up.
  • Connect the DANZ Monitoring Fabric (DMF) Controller appliance management interface to the same Layer 2 management network as the management Ethernet interface of every physical switch.
  • When upgrading switches from a previous deployment, ensure the Switch Light OS image is compatible with your Controller version.
  • Designate a range of IPv4 addresses to be assigned using IPAM when switches must communicate with SNMP, NTP, syslog, or other IPv4 services.
Note: DMF implements ZTF using the IPv6 link-local address, which is auto-generated.
Warning: If a switch has an installed operating system, follow the instructions provided in the Removing the existing OS from a Switch topic before connecting the switch to a DMF Controller.

Switch Installation Procedure

This section describes using ZTF to perform a fresh installation of one or more supported DANZ Monitoring Fabric (DMF) switches using the Switch Light OS included with the Controller software.
The following figure illustrates a two-tier DMF out-of-band deployment with two switches connected to SPAN or TAP ports in a production network and a third switch connected to monitoring and analysis tools.
Figure 1. DMF Two Tier Out-of-Band Deployment

As shown in the illustration, services can be provided by the DMF Service Node Appliance or a third-party Network Packet Broker (NPB).

To use ZTF to bring up a DMF switch in this deployment, complete the following steps:

  1. Take note of the MAC address of the switch.
    Note: The MAC address is usually printed on the top surface of the switch.
    If it is not possible to view the switch label (it will not be visible for already racked switches), obtain the MAC address from the local console of each switch by entering one of the following commands.
    • In uboot mode, enter printenv ethaddr.
    • In ONIE mode, enter ifconfig to display the ONIE prompt, and type the following at the command prompt: 
      ``=> run onie_bootcmd``
  2. Register each switch on the Controller by entering the following commands.
    Note: A given switch can be connected to only one Controller cluster.
    controller-1(config)# switch Filter-1
controller-1(config-switch)# mac 70:72:cf:bc:c4:c4
controller-1(config-switch)# 

controller-1(config)# switch Filter-2
controller-1(config-switch)# mac 70:72:cf:ea:1b:bb
controller-1(config-switch)#

controller-1(config)# switch Delivery-1
controller-1(config-switch)# mac 70:72:cf:bd:54:24
controller-1(config-switch)#
    Note: Verify that the switch provisioning mode is configured for auto-discovery.

    Auto-discovery was the default mode of operation up to DMF release 8.4, pre-configured mode is the default starting from DMF release 8.5.0. After entering the show running-config command,deployment-mode auto-discovery should appear.

  3. Turn on or restart the fabric switch.
  4. Initiate the ONIE request on the switch.
    1. On the GNU GRUB menu, select ONIE.
      To get to the ONIE mode, during the reboot countdown, press any key when you see the prompt: “Hit any key to stop autoboot: 0”. The following command launches the ONIE install mode: 
      => run onie_bootcmd
GNU GRUB version 2.02~beta2+e4a1fe391
+-----------------------------------------------------------+
| Switch Light OS |
|*ONIE |
| |
| |
| |
+------------------------------------------------------------+
Use the ^ and v keys to select which entry is highlighted.
Press enter to boot the selected OS, ❵e' to edit the commands
before booting or ❵c' for a command-line.
    2. Select ONIE: Install OS.
      This selection puts the switch into the installer mode, and the rest of the process runs automatically, beginning with the following message. 
      ### START - switch console output for installer :
ONIE: OS Install Mode ...
...
      The switch discovers the Controller on the management plane as part of the installation process that occurs when it starts. The following figure illustrates the process after registering a connected fabric switch on the Controller.
      Figure 2. Switch Boot and ZTF Configuration

      When powering on a compatible switch, it boots using the U-boot service, which is pre-installed, and this starts the ONIE loader.

      The remainder of the steps in the installation and configuration process happen automatically after powering on the registered and physically connected switch. These automated steps are shown in the figure above and are summarized below.

    Note: Steps 5 through 7 below are performed automatically during the ZTF process and typically require no user intervention. If a switch is in a different subnet than the Controller, refer to the Changing to Layer 3 (Pre-Configured) Switch Provisioning Mode section for details about how to install it.
  5. The ONIE loader generates an IPv6 neighbor discovery message on the local network segment.
  6. Because the MAC address is already registered in Step 2 of the procedure described above, the Controller responds to the ONIE request from that switch and instructs the switch to download the Switch Light OS loader and begin the installation.
  7. After installing the Switch Light OS loader and rebooting, the loader broadcasts a ZTF request.
  8. (Not illustrated) The ZTF server (the active DMF Controller) sends the Switch Light OS image, manifest, and startup-config, or a URL to the location where the switch can download it.
    The switch downloads its startup-config from the Controller, which includes the following configuration information:
    • Hostname
    • Switch MAC address
    • Controller IP addresses
    • NTP, logging, and SNMP configuration mirrored from the Controller configuration
  9. When all the switches are powered up, enter the show switch command to verify the switch connectivity to the Controller. For example: 
    controller-1(config)# show switch

Arista Switch Installation Procedure for 7050X Series and 7260X Series

The initial installation of Switch Light OS on the Arista switch platforms must be performed manually in DANZ Monitoring Fabric (DMF). The initial boot process cannot be performed automatically in the same L2 domain like existing DMF-supported switches that are running ONIE.

The initial installation of Switch Light OS on the Arista platforms is accomplished by dropping it into the Aboot shell interface at boot time and telling it to boot the Switch Light switch image. This operation will install Switch Light on the system. This is a one-time extra step needed during the first installation of Switch Light OS in DMF. The boxes will subsequently boot as expected under Switch Light.

This procedure is also required for any Arista switches currently running EOS. Perform the following steps for the Arista switch to boot from the DMF Controller:

  1. Attach a console cable to the Arista switch and then turn on or reboot the switch.
  2. Interrupt the boot process with Control-C to drop into the Aboot shell. 
    Warning - AGESA callout: platform_PcieSlotResetControl not supported
Warning - AGESA callout: platform_PcieSlotResetControl not supported
agesawrapper_amdinitearly() returned AGESA_SUCCESS
Watchdog enabled, will fire in 2 mins
CBFS: 'Master Header Locator' located CBFS at [200:ffffc0)
CBFS: Locating 'normal/romstage'
CBFS: Found @ offset 5b3d40 size 7b7c
Aboot 9.0.3-4core-14223577
Press Control-C now to enter Aboot shell
^CWelcome to Aboot.
Aboot#
Press Control-C now to enter Aboot shell
^CWelcome to Aboot.
Aboot#
  3. Configure an IP address for the switch’s ma1 management interface. Either configure ma1 statically or use DHCP.
    Note: To use DHCP, type udhcpc -i ma1.
    Aboot# udhcpc -i ma1
udhcpc (v1.18.1) started
Sending discover...
Sending discover...
Sending select for 10.6.3.237...
Lease of 10.6.3.237 obtained, lease time 534
    To configure ma1 statically, use the following command. Add the gateway IP address using the route add or ip route add command. 
    Aboot# ifconfig ma1 172.24.210.61 netmask 255.255.252.0
Aboot# route add default gateway 172.24.208.1 ma1
OR
Aboot# ip route add default via 172.24.208.1
  4. Identify the MAC address of the ma1 management interface of the switch. Use the ifconfig -a command. The HWaddr is the MAC address. A label on the rear of the switch contains the MAC address.
    Note: On switches with Aboot version 6.1.x, the HWAddr for interface ma1 can display 00:10:18:00:00:00 if there is any delay in entering the Aboot shell. To avoid this, press Control-C exactly at the prompt and not later. If there is a delay in entering the Aboot shell, do not use the MAC address 00:10:18:00:00:00 in the next step. Instead, use the MAC address printed on the rear of the switch or the System MAC address from the show version output in EOS.
    Aboot# ifconfig -a
lo Link encap:Local Loopback
LOOPBACK MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
ma1 Link encap:Ethernet HWaddr C0:D6:82:18:00:3C
inet addr:172.24.210.61 Bcast:172.24.211.255 Mask:255.255.252.0
inet6 addr: fe80::c2d6:82ff:fe18:3c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:198 errors:0 dropped:0 overruns:0 frame:0
TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:46514 (45.4 KiB) TX bytes:2258 (2.2 KiB)
Interrupt:37
  5. On a separate terminal window, log into the DMF Controller to configure the name of the Arista switch and its MAC address. In the following example, the switch is assigned the name filter-1. 
    DMF(config)# switch filter-1
DMF(config-switch)# mac c0:d6:82:18:00:3c
  6. On the DMF Controller, issue the command show switch-image url to obtain the Switch Light boot image URL. The required URL is Update-amd64. Please note this URL; the following steps need it. 
    DMF(config-switch)# show switch-image url
Install-amd64 : http://172.24.210.21/switchlight/install-amd64
Install-powerpc: http://172.24.210.21/switchlight/install-powerpc
Update-amd64 : http://172.24.210.21/switchlight/amd64
Update-powerpc : http://172.24.210.21/switchlight/powerpc
  7. Return to the switch Aboot shell and boot with the URL of the Switch Light image. The command is boot url. The following is the complete console log of a successful Switch Light OS installation in L2 ZTN mode. 
    Aboot# boot http://172.24.210.21/switchlight/amd64
Downloading http://172.24.210.21/switchlight/amd64
Connecting to 172.24.210.21 (172.24.210.21:80)
swi 100% |********************************| 316M 0:00:00 ETA
Secure Boot disabled, skipping check
SPI flash hardware write protection disabled
4444.69: Running SwitchLight install...
...
Aboot 9.0.3-4core-14223577
Press Control-C now to enter Aboot shell
Booting flash:aboot-chainloader.swi
Secure Boot disabled, skipping check
SPI flash hardware write protection disabled
11.24: SKU: DCS-7050SX3-48YC8
11.24: DCS-7050SX3-48YC8: kernel=kernel-4.9-lts-x86_64-all args=console=ttyS0,9600n8
platform=woodpecker scd.lpc_irq=13 scd.lpc_res_addr=0xf00000 scd.lpc_res_size=0x100000
sid=Marysville onl_mnt=/dev/mmcblk0p1 tsc=reliable pcie_ports=native reboot=p pti=off
reassign_prefmem amd_iommu_dump=1 platform=x86-64-arista-7050sx3-48yc8-r0
11.24: Loading kernel and initrd...
+ kexec --load --command-line 'console=ttyS0,9600n8 platform=woodpecker scd.lpc_irq=13 scd.
lpc_res_addr=0xf00000 scd.lpc_res_size=0x100000 sid[ 11.969258] kexec_core: Starting
new kernel
=Marysville onl_mnt=/dev/mmcblk0p1 tsc=reliable pcie_ports=native reboot=p pti=off
reassign_prefmem amd_iommu_dump=1 quiet=1 onl_platform=x86-64-arista-7050sx3-48yc8-r0
onl_sku=DCS-7050SX3-48YC8' --initrd /mnt/flash/onl/boot/x86-64-arista-7050sx3-48yc8-r0.
initrng: Linux Random Number Generator (RNG) early init
found interface name alias eth0 --> ma1
remapping interface eth0 --> ma1
No dynamic mount operations in unified mode.
No dynamic mount operations in unified mode.
INFO:PKI:Using existing private key.
INFO:PKI:Using existing certificate.
Setting up ma1 as bonded interface...
ma1 is now [ oma1 ]
************************************************************
*
* Switch Light OS Loader
*
* Version: SWL-OS-DMF-8.0.0(0)
* Id: 2020-08-27.14:06-dff2d80
*
* Platform: x86-64-arista-7050sx3-48yc8-r0
* ma1: c0:d6:82:18:00:3c
*
************************************************************
[ boot-config ]
NETDEV=ma1
NETAUTO=up
BOOTMODE=ztn
ZTNMODE=deferred
Press Control-C now to enter the interactive loader shell.
[ Starting Autoboot ]
[ Configuring Interfaces ]
Waiting for link on ma1...
ma1: up
[ BOOTMODE is ztn. ]
...
SLREST port is not ready....
Saving switch default settings...done.
Loading ZTN startup-config......done.
Saving last startup-config......done.
Stopping watchdog keepalive daemon....
Starting watchdog daemon....
Switch Light OS SWL-OS-DMF-8.0.0(0), 2020-08-27.14:06-dff2d80
filter-1 login:
  8. Once the switch has booted up successfully, the Arista switch will appear as connected under the State column when viewed from the DMF Controller using the show switch DMF-F1 command. For example: 
    DMF-CTRL(config)# show switch DMF-F1
#Switch NameIP Address State Pipeline Mode
- |----------- |--------------------------- |-------- |-------------------|
1 DMF-F1 fe80::7272:cfff:febd:dcbc%9connected l3-l4-match-push-vlan
DMF-CTRL(config)#

Allocating IPv4 Addresses to Fabric Switches

When using L2 ZTF, the DANZ Monitoring Fabric (DMF) Controllers and fabric switches use link-local IPv6 for communication. To enable switches to communicate with external (IPv4) services, configure IP address management (IPAM), which assigns IPv4 addresses to the switches in the fabric from a configured pool of addresses. This configuration enables a fabric switch in L2-ZTN mode to communicate with external services such as NTP, SNMP, and Syslog.

No IPv4 address is required for the switch to interact with the Controller for time synchronization (NTP) and logging (syslog).

Note: This procedure applies only to Layer 2 ZTF. Attempting to configure IPAM when the provisioning mode is set to Layer 3 (Preconfigured) results in the display of an error message.

Static IP Addresses

Static IPv4 addresses can be configured on switches in a fabric managed by IPAM.When IPAM is enabled, IPAM will automatically assign IPv4 addresses to switches on which a static IPv4 address has not been configured as long as there are allocated IP addresses available. DMF preserves both automatically and statically allocated IP addresses in the event of a reboot or Controller failure.

Using the GUI to Allocate IPv4 Addresses

To allocate a pool of IPv4 addresses for IPAM to assign to fabric switches, complete the following steps:
  1. Select Fabric > Switches from the main menu and click on the IP Address Allocation tab.
    Figure 3. Accessing the Switches Page
    The Switches page lists the switches connected to the DANZ Monitoring Fabric (DMF) Controller, and the IP Address Allocation tab provides controls for configuring a pool of IPv4 addresses for IPAM assignment to the fabric switches.
    Figure 4. Switches
  2. Click the Edit Configuration control at the top of the IP Address Allocation tab.
    Figure 5. IP Address Allocation Tab
  3. In the Edit Switch IP Address Allocation dialog, enable IPAM using the Status switch, and specify the Gateway, DNS Server, and Subnet Mask Length.
    Figure 6. Edit Switch IP Address Allocation Dialog
  4. Click the Provision (+) button next to IP Ranges to add IP ranges to be used for IPAM assignment. When finished adding IP address ranges to the pool, click Submit.
  5. To view the operational state of IPAM in the fabric and confirm the address range, select Fabric > Switches from the main menu and click on the IP Address Allocation tab. To view the IP address assignment for each switch, click on the + icon.
    Figure 7. Viewing Operational State
    Figure 8. Viewing IP Address Assignments

Using the CLI to Allocate IPv4 Addresses with IPAM

To allocate a pool of IPv4 addresses for IPAM to assign to fabric switches and configure the DNS server, default gateway, and subnet mask length, complete the following steps:
  1. Enter the config-ipam-switch submode using the ipam switch command. 
    controller-1(config)# ipam switch
controller-1(config-ipam-switch)#
  2. Identify the DNS server IP address to be used by the fabric switches using the dns-server command. 
    controller-1(config-ipam-switch)# dns-server 192.168.1.1
  3. Identify the default gateway server IP address to be used by the fabric switches using the gateway command. 
    controller-1(config-ipam-switch)# gateway 192.168.1.1
  4. Identify the range of IP addresses to be used by the fabric switches via the ip-range command. For multiple non-contiguous address ranges, repeat the command as needed. 
    controller-1(config-ipam-switch)# ip-range 192.168.1.100 192.168.1.200
controller-1(config-ipam-switch)# ip-range 192.168.3.100 192.168.3.200
    Note: This example allocates 100 addresses in the subnetwork 192.168.1.0 and 100 addresses in the subnetwork 192.168.3.0. To view the IP addresses allocated by IPAM, enter the show ipam switch command.
  5. Set the length of the subnet mask using the subnet-mask-length command.This mask length applies to all configured address ranges. 
    controller-1(config-ipam-switch)# subnet-mask-length 21
  6. Enable IPAM IPv4 address allocation to the fabric switches using the allocate command. 
    controller-1(config-ipam-switch)# allocate
  7. To display the static or automatic IP address configuration for all switches, use the show running-config switch command. The ip-address fields contain the newly introduced values. 
    controller-1(config-ipam-switch)# show running-config switch

! switch
switch core1
ip-address auto 10.0.0.2
mac 52:54:00:57:c9:3b

switch delivery1
ip-address auto 10.0.0.3
mac 52:54:00:c2:9c:24

switch filter1
ip-address auto 10.0.0.4
mac 52:54:00:ab:3a:e6
    Note: The address displayed does not necessarily mean that the specified IP address has been assigned to the switch. For an address to be automatically assigned, IPAM must be enabled and a corresponding IP range must be defined in the IPAM configuration. In the case of a static IP address, the IP address should exist within the defined IPAM subnet. Use the show ipam switch command to display actual allocations rather than the configuration.

Assigning Static IPv4 Addresses

If needed, a static IPv4 address can be assigned to a switch in a fabric managed by IPAM. Removing the assigned address will return the switch to IPAM address management, and an IPv4 address will be assigned to it from the allocated pool if one is available.

Using the GUI to Assign a Static IPv4 Address

To assign a static IPv4 address to a fabric switch, complete the following steps:
  1. Select Fabric > Switches from the main menu and select the IP Address Allocation tab.
    Figure 9. Accessing the Switches Page
  2. On the Switches tab, click the menu icon next to the switch to which the address will be assigned, and select Configure from the menu.
    Figure 10. Switches
    Figure 11. Configure
  3. In the Configure Switch dialog, set the IP Assignment Type to Manual and enter the desired IPv4 address for the switch.
    Figure 12. Configure Switch
    Note: The assigned static address must be in the defined IPAM subnet.
  4. Click Submit to assign the configured IPv4 address to the switch.
  5. To confirm the IP address assignment for the switch, select Fabric > Switches from the main menu and click on the IP Address Allocation tab, then click on the + icon to display IP addresses for all switches.
    Figure 13. Viewing IP Address Assignments

Using the CLI to Assign a Static IPv4 Address

 

When IPAM is enabled and there are enough IPv4 addresses allocated for assignment, it automatically assigns IPv4 addresses to each switch in the fabric. The show running-config command displays those addresses as auto as shown below: 
controller-1(config)# show running-config switch core1

! switch
switch core1
ip-address auto 10.0.0.2
mac 00:53:00:57:c9:3b
To assign a static IPv4 address to a fabric switch instead, complete the following steps:
  1. Enter switch configuration mode for the switch to which a static address will be assigned using the switch command. 
    controller-1(config)# switch core1 
controller-1(config-switch)#
  2. Set the IP address to static and configure the address using the ip-address static command.
    Note: The assigned IPv4 address must be within the defined IPAM subnet.
    controller-1(config-switch)# ip-address static 10.0.0.3
controller-1(config-switch)#
  3. To confirm the address assignment, use the show this and show ipam switch commands. 
    controller-1(config-switch)# show this

! switch
switch core1
ip-address static 10.0.0.3
mac 00:53:00:57:c9:3b

controller-1(config-ipam-switch)# show ipam switch 
~~~~~~~~~~~~~~~~ Allocated IP Addresses ~~~~~~~~~~~~~~~~
# Start IP End IP Count Used SwitchAllocated IP 
-|--------|----------|-----|----|---------|------------|
1 10.0.0.2 10.0.0.255 254 3delivery1 10.0.0.2
2 10.0.0.2 core1 10.0.0.3
3 10.0.0.2 filter1 10.0.0.4
  4. To remove a static IPv4 address assignment from an IPAM-managed fabric switch (restoring it to auto), use the no ip-address static command. 
    controller-1(config)# switch core1 
controller-1(config-switch)# no ip-address static 10.0.0.3
controller-1(config-switch)# show this

! switch
switch core1
ip-address auto 10.0.0.3
mac 52:54:00:01:b4:18
    Note: The switch IP address may not change when the static address is removed.In the previous example, DMF removed the static IP address 10.0.0.3; however, since IPAM is still enabled, a new IP address was immediately assigned from the IPAM IP range. The IP address 10.0.0.3 was the first available IP address in the pool and was therefore assigned to the switch.The address remains the same in this case, but the status changes to auto.

Static Address Assignment Troubleshooting and Limitations

Syslog Messages and Tracing

There are no syslog messages associated with this feature. To gain insight into the IPAM IP allocation process, enable tracing logs.

Note: In some cases, enabling tracing can seriously impact switch performance. Please use it cautiously and seek advice from an Arista Networks representative before enabling tracing in any production environment.
Enable more detailed tracing logs using the following commands: 
controller-1(config)#logging level org.projectfloodlight.core.ipalloc trace
controller-1(config)#logging level org.projectfloodlight.zerotouch.startupconfig trace
controller-1(config)#show logging controller | grep Ipam

Locate relevant log output in the floodlight syslog at /var/log/floodlight/floodlight.log.

Troubleshooting

When troubleshooting, be sure to use the show ipam switch command to display actual IP address allocations instead of the show running-config ipam switch command, which only displays the configuration and last used auto IP addresses of the switches.

If a switch does not receive the expected IP address allocation, ensure that:
  • IPAM is enabled.
    • Make sure that the allocate field is present in the IPAM configuration. If not, configure the deployment mode as shown below: 
      controller-1(config)#ipam switch
controller-1(config-ipam-switch)#allocate
    • Make sure that the ZTN deployment mode is set to auto-discovery.If not, configure the deployment mode as shown below: 
      controller-1(config)deployment-mode auto-discovery
  • For a configured s IP address, make sure that the address is in the defined IPAM subnet.
  • For an auto IP address, make sure that there are enough IP addresses in the defined IP address ranges for all switches.
    Note: An auto IP address in a switch configuration does not necessarily result in an actual IP address assignment and stays there even if the allocated IP address is unavailable, e.g., if IPAM is disabled or the corresponding IP address range is removed. If a configuration change (such as enabling IPAM or adding an IP address range that includes the allocated address), the switch will get this IP address, which was the last automatically allocated IP address, to promote IP stability.
  • You may cross-check the applied IP address on the running configuration of the switch as shown below: 
    controller-1#show switch core1 running-config | grep ip-address
swl interface ip-address 10.0.0.3 prefix 21
  • An alternative way to cross-check the IP address of the switch is to connect to it and then execute the ifconfig command to view the IP address of the interface: 
    > connect switch core1 
Switch Light OS SWL-OS-DMF-8.5.x(0), 2023-12-01.02:24-4be6844
Linux core1 4.19.296-OpenNetworkLinux #1 SMP Fri Dec 1 02:35:57 UTC 2023 x86_64

SwitchLight ZTN Manual Configuration. Type help or ? to list commands.

(ztn-config) debug bash
*****************************WARNING******************************

Any/All activities within bash mode are UNSUPPORTED
This is intended ONLY for additional debugging ONLY by Arista TAC.

 Please type "exit" or Ctrl-D to return to the CLI

*****************************WARNING******************************
root@core1:~# ifconfig -a
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>mtu 1500
inet6 2001:0DB8:0:1:5054:ff:fe59:b9b6prefixlen 64scopeid 0x20<link>
...
ma1: flags=5187<UP,BROADCAST,RUNNING,MASTER,MULTICAST>mtu 1500
inet 10.0.0.2netmask 255.255.248.0broadcast 0.0.0.0
...

Limitations

  • Note that the show switch command does not display IPv4 addresses. To cross-check the assigned IPv4 number, examine the running config of the switch. (See Troubleshooting section.)
  • In order to enable IPAM, ZTN deployment mode must be configured as auto-discovery.
  • IPAM can only manage switch IP addresses in a single subnet, but multiple IP address ranges can be defined in that subnet.

Using L3 ZTN (Pre-Configured) Switch Provisioning Mode

When a switch is in a different subnet than the Controller, configure the network information in the switch, which enables the switch loader to download the correct Switch Light OS image from the Controller and install it on the switch via the ZTN process.
Note: DANZ Monitoring Fabric (DMF) supports deploying switches from different vendors in the same fabric. However, using cables from different vendors to connect switches is not supported. Optics are required to interconnect switches from different vendors. See the Hardware Compatibility List for details on supported optics for each switch platform.
Ensure the deployment-mode pre-configured command is entered on the DMF Controller to enable Layer 3 ZTF.
Note: In Layer 3 mode, ZTF uses TCP port 8843 for communication between the Controller and switches. This port must be allowed on the Controller and on any devices connecting the Controller to the fabric switches.

Installing a Switch Using L3 ZTF (Preconfigured) Provisioning Mode

To install a switch with the DANZ Monitoring Fabric (DMF) provisioning mode set to pre-configured, complete the following steps:
  1. Confirm that the switch has ONIE installed.
    Note: Power on the switch and connect to the switch console using the default baud rate. The default baud rate is 9600 for switches by Arista Networks. The default baud rate is 115200 for ONIE-enabled switches.

    The supported switches, listed in the DANZ Monitoring Fabric 8.5 Hardware Compatibility List, come with ONIE installed by the manufacturer.

  2. Verify that the switch management port is connected to the management network with an IP address assigned either manually or from a DHCP server. If an IP address in Step 2a is not assigned, follow Steps 2b and 2c. If an IP address is already set in Step 2a, skip to Step 3.
    1. Check IP addressing on the management port. 
      ONIE:/ # ifconfig
eth0 Link encap:Ethernet HWaddr 90:B1:1C:F4:CB:A9
inet addr:10.240.130.96 Bcast:10.240.130.127 Mask:255.255.255.128
inet6 addr: fe80::92b1:1cff:fef4:cba9/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5550 errors:0 dropped:0 overruns:0 frame:0
TX packets:3937 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:728610 (711.5 KiB) TX bytes:563219 (550.0 KiB)
Interrupt:21 Memory:ff300000-ff320000
ONIE:/ #
    2. Manually assign an IP address to the management port. 
      ONIE:/ # ifconfig eth0 192.168.10.10 netmask 255.255.255.0
    3. Add the default gateway. 
      ONIE:/ # route add default gw 192.168.10.1 eth0
ONIE:/ # netstat -arn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.10.1 0.0.0.0 UG 0 0 0 eth0
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
ONIE:/ #
    Note: To verify or change the IP address and gateway, use the ifconfig command.
  3. On a separate terminal window, log into the DMF Controller to configure the name of the Arista switch and its MAC address. In this example, the switch is assigned the name s1-s6100. 
    DMF(config)# switch s1-s6100
DMF(config-switch)# mac 4c:76:25:f6:c8:80
  4. On the DMF Controller, identify the switch image URL for the installation files by entering the show switch-image url command, as in the following example. 
    controller-1# show switch-image url
Install-amd64 : http://10.8.25.31/switchlight/install-amd64
Install-powerpc: http://10.8.25.31/switchlight/install-powerpc
Update-amd64 : http://10.8.25.31/switchlight/amd64
Update-powerpc : http://10.8.25.31/switchlight/powerpc
Update-powerpc : http://10.8.34.1/switchlight/powerpc
    For example, for a switch using amd-64 hardware, the URL would be http://10.8.25.31/switchlight/install-amd64.
  5. For AMD-64 platform boxes (for example, Dell S6100):
    1. Reboot and select ONIE from the GNU/GRUB menu.
    2. To get to the ONIE mode and during the reboot countdown, press any key when the prompt: Hit any key to stop autoboot: 0 appears. The following command enters the ONIE install mode: run onie_bootcmd
    3. Type onie-discovery-stop at the installer mode in ONIE. 
      ONIE:/ # onie-discovery-stop
  6. Verify the switch can ping the Controller IP address. 
    ONIE:/ # ping 10.8.25.31
PING 10.8.25.31 (10.8.25.31): 56 data bytes
64 bytes from 10.8.25.31: seq=0 ttl=63 time=0.398 ms
64 bytes from 10.8.25.31: seq=1 ttl=63 time=0.434 ms
  7. Use the image-url path from the Controller for the platform amd-64. 
    ONIE:/ # onie-nos-install http://10.8.25.31/switchlight/install-amd64

discover: Rescue mode detected. No discover stopped.
    Note: The switch now goes into ZTN discover. 
    INFO:PKI:Using existing certificate.
************************************************************
*
* Switch Light OS Loader
...
Press Control-C now to enter the interactive loader shell.
^C
Welcome to the shell.
Type 'help' for command help.
  8. Enter Control-C to drop into the loader mode. 
    Press Control-C now to enter the interactive loader shell.
^C
Welcome to the shell.
Type 'help' for command help.
loader#
  9. Enter zcsh to drop into ztn-config mode. 
    loader# zcsh
SwitchLight ZTN Manual Configuration. Type help or ? to list commands.
(ztn-config)
(ztn-config) help
Documented commands (type help <topic>):
========================================
controller debug dns help interface reboot setup show version
Undocumented commands:
======================
EOF exit quit
(ztn-config)
  10. Configure the static IP address on the switch. 
    (ztn-config) interface ma1 ip-address 10.8.67.135/24 gateway 10.8.67.1
    Note: Attempting to configure IPAM when the provisioning mode is set to Layer 3 (Preconfigured) results in an error message.
  11. Configure the IP address of the DMF Controller (ZTN server). 
    (ztn-config) controller set 10.8.25.31,10.8.25.32
  12. Set the DNS information. 
    (ztn-config) dns server 10.3.0.4
(ztn-config) dns domain qa.arista.com
  13. Enter the show command to verify the configuration. 
    (ztn-config) show
IP Option: Static
IP Address: 10.8.67.135
Netmask: 255.255.255.0
Gateway: 10.8.67.1
DNS Server: 10.3.0.4
DNS Domain: qa.arista.com
Controllers: 10.8.25.32,10.8.25.31
(ztn-config)
  14. Reboot the switch to activate the configuration. 
    (ztn-config) reboot
    Note: The switch now automatically downloads the SWI image from the Controller and boots up with the image.
    ###### Start - Switch Console output in DMF-L3 ZTN mode
...
Switch Light OS SWL-OS-DMF-7.0.0(0), 2018-01.21.00:19-784f432
###### END - Switch Console output in DMF-L3 ZTN mode
    Note: When the final messages appear, the installation is completed.
  15. To verify the installation, enter the following show commands on the Controller. 
    controller-1(config)# show switch s1-s6100 details
#Switch Name Mac addressSwitch DPID State 
- |---------- |----------------------- |---------------------- |-------- 
1 s1-s61004c:76:25:f6:c8:80 (Dell) 00:00:4c:76:25:f6:c8:80 connected
 Quarantine reason IP AddressTCP Port Connected SincePipeline Mode 
|---------------- |---------- |------- |----------------------------|-------------
10.8.67.135 380182018-10.01 11:27:48.663000 PST l3l4-push-vlan
    controller-1 (config)# show switch s1-s6100 zerotouch
Device : 4c:76:25:f6:c8:80 (Dell)
Zerotouch state : ok
Name : s1-s6100
Reload pending : False
Platform : x86-64-dell-s6100-c2538-r0
Serial number : CN0WKFYN7793164P0004
Ip address : 10.8.67.135
Dpid : 00:00:4c:76:25:f6:c8:80
Last update : 2018-10.01 15:06:13.619000 PST
Controller address : 10.8.25.31
controller-1 (config)#
  16. Log in to the switch and enter the show command to display the switch status when the following (ztn-config) prompt appears. 
    Switch Light OS SWL-OS-DMF-6.3.0(0), 2017-01-24.00:19-784f432
s1-s6100 login: admin
Password:
Linux s1-s6100 3.16.39-OpenNetworkLinux #1 SMP Tue Jan 24 08:38:28 UTC 2017 x86_64
SwitchLight ZTN Manual Configuration. Type help or ? to list commands.
(ztn-config) show
IP Option : Static
IP Address : 10.8.67.135
Netmask : 255.255.255.0
Gateway : 10.8.67.1
Controllers: 10.8.25.33,10.8.25.32,10.8.25.31

Installing Arista 7050X and 7260X Series Switch Using L3 ZTF (Preconfigured) Provisioning Mode

Perform the initial installation of Switch Light OS on the Arista platforms manually in the DANZ Monitoring Fabric (DMF), similarly to the requirements for ONIE-enabled switches. Use this guide for DMF Controllers configured for L3 ZTN mode.
Note: L3 ZTN means the Controller is set up for deployment-mode pre-configured.
The initial installation of Switch Light OS on the Arista switch is accomplished by dropping it to the Aboot shell interface at boot and telling it to boot the Switch Light switch image. This operation installs Switch Light on the system. This is a one-time extra step needed during the first installation of Switch Light in DMF. The boxes will subsequently boot as expected under Switch Light.
Note: This procedure is also required for any Arista switches running EOS.

Procedure

  1. Attach a console cable to the Arista switch and power on or reboot the switch.
  2. Interrupt the boot process with Control-C to drop into the Aboot shell. 
    Warning - AGESA callout: platform_PcieSlotResetControl not supported
Warning - AGESA callout: platform_PcieSlotResetControl not supported
agesawrapper_amdinitearly() returned AGESA_SUCCESS
Watchdog enabled, will fire in 2 mins
CBFS: Locating 'normal/romstage'
CBFS: Found @ offset 5b3d40 size 7b7c
Aboot 9.0.3-4core-14223577
Press Control-C now to enter Aboot shell
^CWelcome to Aboot.
Aboot#
  3. Configure an IP address for the switch’s ma1 management interface. Configure ma1 statically or use DHCP.
  4. To use DHCP, type udhcpc -i ma1. 
    Aboot# udhcpc -i ma1
udhcpc (v1.18.1) started
Sending discover...
Sending discover...
Sending select for 10.6.3.237...
Lease of 10.6.3.237 obtained, lease time 534
  5. To configure ma1 statically. 
    Aboot# ifconfig ma1 172.24.210.61 netmask 255.255.252.0
Aboot# route add default gateway 172.24.208.1 ma1
OR
Aboot# ip route add default via 172.24.208.1
Tip: Please use the "route" command to verify the correct routing table.
  6. Identify the MAC address of the ma1 management interface of the switch. Use the ifconfig -a command. The HWaddr is the MAC address. A label on the rear of the switch contains the MAC address. 
    Aboot# ifconfig -a
lo Link encap:Local Loopback
LOOPBACK MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
ma1 Link encap:Ethernet HWaddr C0:D6:82:18:00:3C
inet addr:172.24.210.61 Bcast:172.24.211.255 Mask:255.255.252.0
inet6 addr: fe80::c2d6:82ff:fe18:3c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:198 errors:0 dropped:0 overruns:0 frame:0
TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:46514 (45.4 KiB) TX bytes:2258 (2.2 KiB)
Interrupt:37
  7. On a separate terminal window, log into the DMF Controller to configure the name of the Arista switch and its MAC address. In this example, the switch is assigned the name filter-1. 
    DMF(config)# switch filter-1
DMF(config-switch)# mac c0:d6:82:18:00:3c
  8. On the DMF Controller, issue the command show switch-image url to obtain the Switch Light boot image URL. The URL that is needed is Update-amd64. Please note this URL; the following steps need it. Do not use the other URLs. 
    DMF(config-switch)# show switch-image url
Install-amd64 : http://172.24.210.21/switchlight/install-amd64
Install-powerpc: http://172.24.210.21/switchlight/install-powerpc
Update-amd64 : http://172.24.210.21/switchlight/amd64
Update-powerpc : http://172.24.210.21/switchlight/powerpc
  9. Back on to the switch Aboot shell, boot with the URL of the Switch Light image. The command is boot url. 
    Aboot# boot http://172.24.210.21/switchlight/amd64
Downloading http://172.24.210.21/switchlight/amd64
Connecting to 172.24.210.21 (172.24.210.21:80)
swi 100% |********************************| 316M 0:00:00 ETA
Secure Boot disabled, skipping check
SPI flash hardware write protection disabled
93.50: Running SwitchLight install...
Archive: /tmp/swi
..
..
  10. Interrupt the Switch Light OS Loader with Control-C to drop into the interactive loader shell. 
    No dynamic mount operations in unified mode.
No dynamic mount operations in unified mode.
INFO:PKI:Using existing private key.
INFO:PKI:Using existing certificate.
Setting up ma1 as bonded interface...
ma1 is now [ oma1 ]
************************************************************
*
* Switch Light OS Loader
*
* Version: SWL-OS-DMF-8.0.0(0)
* Id: 2020-08-27.14:06-dff2d80
*
* Platform: x86-64-arista-7050sx3-48yc8-r0
* ma1: c0:d6:82:18:00:3c
*
************************************************************
[ boot-config ]
NETDEV=ma1
NETAUTO=up
BOOTMODE=ztn
ZTNMODE=deferred
Press Control-C now to enter the interactive loader shell.
^C
Welcome to the shell.
Type 'help' for command help.
loader#
  11. Type zcsh to start the Switch Light ZTN manual configuration. 
    loader# zcsh
SwitchLight ZTN Manual Configuration. Type help or ? to list commands.
(ztn-config)
  12. Type setup followed by Enter to begin interactive setup. 
    (ztn-config) setup
You are now running the interactive setup.
Press Enter to continue...
  13. Configure the IP address of the management interface on the switch. Choose DHCP or Static. Optionally configure the DNS parameters. The following example uses a static IP address. 
    Please choose an IP option:
(DHCP/Static)? Static
Please provide static IP settings:
IP Address: 172.24.210.64
Netmask: 255.255.252.0
Gateway: 172.24.208.1
Do you want to configure DNS settings?
(Yes/No)? yes
DNS Server: 10.3.0.4
DNS Domain: arista.com
  14. Configure the IP addresses of the primary and secondary DMF Controller. In this example, there is no secondary Controller. 
    Please provide the IP address of the controller:
Controller IP: 172.24.210.21
Do you have a second controller?
(Yes/No)? No
  15. Review the manual ZTN configuration. Type Yes to complete the Switch Light ZTN manual configuration. 
    Configuration Summary:
IP Option: Static
IP Address: 172.24.210.64
Netmask: 255.255.252.0
Gateway: 172.24.208.1
DNS Server: 10.3.0.4
DNS Domain: arista.com
Controller IP: 172.24.210.21
Please confirm that the above settings are correct:
(Yes/Reset)?
(Yes/Reset)? Yes
Interactive setup completed successfully.
(ztn-config)
  16. Type reboot. The Arista switch will reboot and complete the ZTN process using the previously configured boot parameters. 
    (ztn-config) reboot
Proceed with reboot [confirm]
Requesting system reboot
[ 2115.237162] reboot: Restarting system
coreboot-coreboot-unknown-Aboot-norcal9-9.0.3-4core-14223577 Wed Nov 13 22:08:55 UTC 2019
bootblock starting...
Family_Model: 00660f01
PMxC0 STATUS: 0x800
...
...
...
************************************************************
*
* Switch Light OS Loader
*
* Version: SWL-OS-DMF-8.0.0(0)
* Id: 2020-08-27.14:06-dff2d80
*
* Platform: x86-64-arista-7050sx3-48yc8-r0
* ma1: c0:d6:82:18:00:3c
*
************************************************************
[ boot-config ]
ZTNSERVERS=172.24.210.21
NETGW=172.24.208.1
NETDEV=ma1
NETDOMAIN=arista.com
BOOTMODE=ztn
NETMASK=255.255.252.0
NETIP=172.24.210.64
ZTNMODE=deferred
NETDNS=10.3.0.4
Press Control-C now to enter the interactive loader shell.
[ Starting Autoboot ]
[ Configuring Interfaces ]
[ BOOTMODE is ztn. ]
....
Saving switch default settings...done.
Loading ZTN startup-config......done.
Saving last startup-config......done.
Stopping watchdog keepalive daemon....
Starting watchdog daemon....
Switch Light OS SWL-OS-DMF-8.0.0(0), 2020-08-27.14:06-dff2d80
filter-1 login:
  17. Once the switch has booted up successfully, the Arista switch will appear as connected under the State column when viewed from the DMF Controller using the show switch command. For example: 
    DMF(config)# show switch
# Switch NameIP AddressStatePipeline Mode
- |----------- |------------ |--------- |-------------- |
1 filter-1 172.24.210.64 connectedl3-l4-push-vlan

Installing Arista 7280R Series Switch Using L3 ZTF (Preconfigured) Provisioning Mode

DANZ Monitoring Fabric (DMF) 8.1.0 is the first release to support the Arista 7280R, 7280R2, and 7280R3 series of switches. These switches use Arista Networks EOS operating system instead of running Switch Light OS while deployed in the DANZ Monitoring Fabric.
For all the 7280 series of switches, configure the Controller with deployment mode pre-configured (L3 ZTN). This is the default mode of operation starting in the DMF 8.5.0 release.
Note: L3 ZTN means the Controller is set up for deployment mode pre-configured.

This is a one-time setup needed to load the DMF-compatible EOS image. When set up, the next Controller upgrade will also automatically upgrade the switches.

Perform these steps on the 7280R Series switch to boot from the DMF Controller.

  1. On the DMF Controller, issue the command show switch-image url to obtain the URL for the boot image. The URL that is needed is update-aristaeos. Make a note of this URL, which will be required later when copying the image to the switch. Do not use the other URLs. 
    DMF(config)# show switch-image url
File Url
---------------- |---------------------------------------------- |
install-amd64http://172.24.210.21/switchlight/install-amd64
update-amd64 http://172.24.210.21/switchlight/amd64
  2. Attach a console connection to the Arista 7280R Series switch and turn on or reboot the switch.
  3. Interrupt the boot process with Control-C to drop into the Aboot shell. 
    Warning - AGESA callout: platform_PcieSlotResetControl not supported
agesawrapper_amdinitearly() returned AGESA_SUCCESS
Watchdog enabled, will fire in 2 mins
CBFS: 'Master Header Locator' located CBFS at [200:ffffc0)
CBFS: Locating 'normal/romstage'
CBFS: Found @ offset 5b3d40 size 7b7c
Aboot 9.0.3-4core-14223577
Press Control-C now to enter Aboot shell
^CWelcome to Aboot.
Aboot#
  4. Configure an IP address for the switch’s ma1 management interface. Configure ma1 statically or use DHCP.
  5. To use DHCP, type udhcpc -i ma1. 
    Aboot# udhcpc -i ma1
udhcpc: started, v1.30.1
udhcpc: sending discover
udhcpc: sending select for 172.24.208.123
udhcpc: lease of 172.24.208.123 obtained, lease time 86400
  6. To configure ma1 statically. 
    Aboot# ifconfig ma1 172.24.210.61 netmask 255.255.252.0
Aboot# route add default gateway 172.24.208.1 ma1
Tip: Please use the "route" command to verify the correct routing table.
  7. Change directory to /mnt/flash/ on the switch. 
    Aboot# cd /mnt/flash
Aboot#
Aboot# ls -l
-rw-rw-r-- 1 root 88 2541 Apr 29 19:29 AsuFastPktTransmit.log
drwxrwxr-x 2 root 88 4096 Oct 31 01:06 Fossil
-rw-rw-r-- 1 root 88 1562 Apr 29 19:29 SsuRestore.log
-rw-rw-r-- 1 root 88 1562 Apr 29 19:29 SsuRestoreLegacy.log
-rw-rwx--- 1 root 88 47 Apr 29 19:37 boot-config
-rw-rw-r-- 1 root 88 4 Apr 29 18:19 config_match
drwxrwx--- 3 root 88 4096 Apr 29 19:38 debug
drwxrwxr-x 2 root 88 4096 Oct 31 01:06 fastpkttx.backup
drwxrwx--- 2 root 88 16384 Oct 31 01:04 lost+found
drwxrwxr-x 3 root 88 4096 Apr 29 19:36 persist
drwxrwxr-x 3 root 88 4096 Oct 31 01:20 schedule
-rw-rw-r-- 1 root 88 0 Oct 31 01:20 startup-config
-rw-rw-r-- 1 root 88 0 Apr 29 19:30 zerotouch-config
  8. Use wget to copy the Arista EOS image from the DMF Controller. Use the update-aristaeos URL from the Step 1. The command is wget url. 
    Aboot# wget http://172.24.210.21/eos/x86_64
Connecting to 172.24.210.21 (172.24.210.21:80)
x86_64 100% |********************************| 933M 0:00:00 ETA
  9. Edit the /mnt/flash/boot-config file. Boot using the newly downloaded EOS image from the DMF Controller. 
    SWI=flash:/x86_64
  10. Verify the boot-config was saved. 
    Aboot# cat /mnt/flash/boot-config
SWI=flash:/x86_64
  11. Reboot the system. Type: reboot. 
    Aboot# reboot
Aboot# [ 1096.250482] sysrq: SysRq : Remount R/O
Requesting system reboot
Restarting system
coreboot-coreboot-unknown-Aboot-norcal9-9.0.3-4core-14223577 Wed Nov 13 22:08:55 UTC 2019
bootblock starting...
Family_Model: 00660f01
PMxC0 STATUS: 0x800
BIT11
agesawrapper_amdinitreset() entry
CBFS: 'Master Header Locator' located CBFS at [200:ffffc0)
CBFS: Locating 'AGESA'
CBFS: Found @ offset dffdc0 size 71786
Fch OEM config in INIT RESET Done
coreboot-coreboot-unknown-Aboot-norcal9-9.0.3-4core-14223577 Wed Nov 13 22:08:55 UTC 2019
bootblock starting...
Family_Model: 00660f01
PMxC0 STATUS: 0x80800
DoReset BIT11
agesawrapper_amdinitreset() entry
CBFS: 'Master Header Locator' located CBFS at [200:ffffc0)
CBFS: Locating 'AGESA'
CBFS: Found @ offset dffdc0 size 71786
Fch OEM config in INIT RESET Done
agesawrapper_amdinitreset() returned AGESA_SUCCESS
agesawrapper_amdinitearly() entry
Warning - AGESA callout: platform_PcieSlotResetControl not supported
Warning - AGESA callout: platform_PcieSlotResetControl not supported
Warning - AGESA callout: platform_PcieSlotResetControl not supported
Warning - AGESA callout: platform_PcieSlotResetControl not supported
Warning - AGESA callout: platform_PcieSlotResetControl not supported
Warning - AGESA callout: platform_PcieSlotResetControl not supported
agesawrapper_amdinitearly() returned AGESA_SUCCESS
Watchdog enabled, will fire in 2 mins
CBFS: 'Master Header Locator' located CBFS at [200:ffffc0)
CBFS: Locating 'normal/romstage'
CBFS: Found @ offset 5b3d40 size 7b7c
Aboot 9.0.3-4core-14223577
Press Control-C now to enter Aboot shell
Booting flash:/x86_64
Secure Boot disabled, skipping check
SPI flash hardware write protection disabled
[ 12.590004] kexec_core: Starting new kernel
[ 0.972580] Running e2fsck on: /mnt/flash
[ 4.216655] Running e2fsck on: /mnt/crash
Switching rootfs
starting version 219
Welcome to Arista Networks EOS 4.26.0FX-DMF
New seat seat0.
Starting ProcMgr: Removing all files in all subdirs of /etc/ProcMgr.d/run
[ OK ]
Starting EOS initialization stage 1: [ OK ]
Starting NorCal initialization: [ OK ]
Starting EOS initialization stage 2: [ OK ]
Completing EOS initialization (press ESC to skip): [ OK ]
Model: DCS-7280CR3-32P4
Serial Number: JPE20383403
System RAM: 8147180 kB
Flash Memory size: 7.1G
Apr 29 19:59:55 localhost SandFapNi: %AGENT-6-INITIALIZED: Agent 'SandFapNi-FixedSystem'
initialized; pid=3054
Apr 29 19:59:55 localhost PowerManager: %PWRMGMT-4-INPUT_POWER_LOSS: PowerSupply1 has lost
input power.
Apr 29 19:59:55 localhost SandMcast: %AGENT-6-INITIALIZED: Agent 'SandMcast' initialized;
pid=3051
No startup-config was found.
The device is in Zero Touch Provisioning mode and is attempting to
download the startup-config from a remote system. The device will not
be fully functional until either a valid startup-config is downloaded
from a remote system or Zero Touch Provisioning is cancelled.
To cancel Zero Touch Provisioning, login as admin and type
'zerotouch cancel' at the CLI. Alternatively, to disable Zero Touch
Provisioning permanently, type 'zerotouch disable' at the CLI.
Note: The device will reload when these commands are issued.
localhost login:
  12. Log in as admin. From the enable mode, turn off Zero Touch Provisioning. The system will reload again. Type: zerotouch cancel. 
    localhost> en
localhost# zerotouch cancel
Apr 29 20:00:12 localhost ZeroTouch: %ZTP-6-CANCEL: Cancelling Zero Touch Provisioning
Apr 29 20:00:12 localhost ZeroTouch: %ZTP-6-RELOAD: Rebooting the system
localhost# Flushing AAA accounting queue: [ OK ]
Restarting system
[20:00:14] watchdog punch .
[20:00:14] watchdog punch .
[20:00:15] watchdog punch .
[20:00:16] watchdog punch .
[ 176.580458] sysrq: Remount R/O
[20:00:16] watchdog punch .
[20:00:16] watchdog punch .
[20:00:17] watchdog punch .
[20:00:18] watchdog punch .
coreboot-coreboot-unknown-Aboot-norcal9-9.0.3-4core-14223577 Wed Nov 13 22:08:55 UTC 2019
bootblock starting...
Family_Model: 00660f01
PMxC0 STATUS: 0x800
BIT11
agesawrapper_amdinitreset() entry
CBFS: 'Master Header Locator' located CBFS at [200:ffffc0)
CBFS: Locating 'AGESA'
CBFS: Found @ offset dffdc0 size 71786
Fch OEM config in INIT RESET Done
coreboot-coreboot-unknown-Aboot-norcal9-9.0.3-4core-14223577 Wed Nov 13 22:08:55 UTC 2019
bootblock starting...
Family_Model: 00660f01
PMxC0 STATUS: 0x80800
DoReset BIT11
agesawrapper_amdinitreset() entry
CBFS: 'Master Header Locator' located CBFS at [200:ffffc0)
CBFS: Locating 'AGESA'
CBFS: Found @ offset dffdc0 size 71786
Fch OEM config in INIT RESET Done
agesawrapper_amdinitreset() returned AGESA_SUCCESS
agesawrapper_amdinitearly() entry
Warning - AGESA callout: platform_PcieSlotResetControl not supported
Warning - AGESA callout: platform_PcieSlotResetControl not supported
Warning - AGESA callout: platform_PcieSlotResetControl not supported
Warning - AGESA callout: platform_PcieSlotResetControl not supported
Warning - AGESA callout: platform_PcieSlotResetControl not supported
Warning - AGESA callout: platform_PcieSlotResetControl not supported
agesawrapper_amdinitearly() returned AGESA_SUCCESS
Watchdog enabled, will fire in 2 mins
CBFS: 'Master Header Locator' located CBFS at [200:ffffc0)
CBFS: Locating 'normal/romstage'
CBFS: Found @ offset 5b3d40 size 7b7c
Aboot 9.0.3-4core-14223577
Press Control-C now to enter Aboot shell
Booting flash:/x86_64
Secure Boot disabled, skipping check
SPI flash hardware write protection disabled
[ 12.512179] kexec_core: Starting new kernel
[ 0.976275] Running e2fsck on: /mnt/flash
[ 4.186065] Running e2fsck on: /mnt/crash
Switching rootfs
starting version 219
Welcome to Arista Networks EOS 4.26.0FX-DMF
New seat seat0.
Starting ProcMgr: Removing all files in all subdirs of /etc/ProcMgr.d/run
[ OK ]
Starting EOS initialization stage 1: [ OK ]
Starting NorCal initialization: [ OK ]
Starting EOS initialization stage 2: [ OK ]
Completing EOS initialization (press ESC to skip): [ OK ]
Model: DCS-7280CR3-32P4
Serial Number: JPE20383403
System RAM: 8147180 kB
Flash Memory size: 7.1G
localhost login:
  13. Log in to the switch as admin. Get the System MAC address of the switch from the show version command's output. Type: show version. In this example, the System MAC address is d4af.f754.195b. Obtain the MAC address located on the ID label on the rear of the 7280R Series switch. 
    localhost login: admin
Output to this terminal is being recorded for diagnostic purposes.
Note that only output that is visible on the console is recorded.
localhost> show version
Arista DCS-7280CR3-32P4-F
Hardware version: 12.25
Serial number: JPE20383403
Hardware MAC address: d4af.f754.195b
System MAC address: d4af.f754.195b
Software image version: 4.26.0FX-DMF-21985293.4260FXDMF (engineering build)
Architecture: x86_64
Internal build version: 4.26.0FX-DMF-21985293.4260FXDMF
Internal build ID: 568674e7-5c84-4fc6-8a42-8fb55d2fa639
Uptime: 0 weeks, 0 days, 0 hours and 27 minutes
Total memory: 8147180 kB
Free memory: 6097456 kB
  14. On the DMF Controller, assign a switch name and configure the System MAC address noted from the previous step. The MAC address must be entered in colon format, such as d4:af:f7:54:19:5b. 
    DMF(config)# switch filter-1
DMF(config-switch)# mac d4:af:f7:54:19:5b
  15. On the switch console, configure the IP address of the management interface. 
    localhost(config)# interface Management1
localhost(config-if-Ma1)# ip address 172.24.210.89/22
  16. Configure a route to the gateway using the following command. 
    localhost(config)# ip route 0.0.0.0/0 172.24.210.89
  17. On the switch console, configure the IP address(es) of the DMF Controllers. For dual Controllers, the syntax is: controller address controller#1 controller#2. In this example, there is only one Controller. ZTN configuration download will begin after configuring this part. 
    localhost(config-if-Ma1)# management dmf
localhost(config-mgmt-dmf)# controller address 172.24.210.21
localhost(config-mgmt-dmf)# no disabled
  18. Verify the switch is connected to the DMF Controller. From the switch console, type: show management dmf indigo. 
    filter-1(config)# show management dmf indigo
DMF: enabled
Indigo agent: active
TCAM profile programming status: success
Controllers:
IDIP AddressConnection State Connection Role
------- ------------------- ---------------------- ---------------
0 172.24.210.21 connectedactive
  19. The Arista switch will appear as connected under the State column when viewed from the DMF Controller using the show switch command. For example: 
    DMF(config-switch)# show switch
# Switch NameIP Address StatePipeline Mode
- |----------- |------------- |--------- |---------------------|
1 filter-1 172.24.210.89connectedl3-l4-match-push-vlan

Installing Arista 7800R3 Series Switch Using L3 ZTF (Preconfigured) Provisioning Mode

DANZ Monitoring Fabric (DMF) 8.6.0 is the first release to support the Arista 7800R3 modular chassis series of switches, which use the Arista Networks EOS operating system.

A chassis can have one or more line cards. From a Controller's perspective, a chassis-based switch with multiple line cards, each with its own application-specific integrated circuit (ASIC), is treated as a single switch. When connected, a chassis works like any other switch and requires no user intervention for this support to work. The Controller automatically recognizes the chassis, initiates a handshake, and reacts to any chassis events like line card addition and removal.

Show commands display the modules in each chassis slot, whether line cards or supervisors, display line card properties, and what redundancy mode is active.

Note: One important aspect of treating a chassis like a non-modular switch is that the Controller reconciles the line card ASICs' differences by picking the least capable ASIC to be used as a base for the entire chassis. This approach provides the functional requirements the Controller needs to make decisions based on the (least common denominator) ASIC type and capabilities: therefore, picking the least capable ASIC ensures that all line cards can handle any Controller decision.
Note: DMF Release 8.6.0 supports the following modular switches:

  • DCS-7804-CH

  • DCS-7808-CH

  • DCS-7812-CH

  • DCS-7816-CH

Note:These are the current limitations in the DMF support for chassis-based switches:

  • The maximum number of flows supported by the chassis is 8188 (in total for the entire system).

  • The SSO redundancy protocol is not supported.

For all the 7800R3 series of switches, configure the Controller with deployment mode pre-configured (L3 ZTN). This is the default mode of operation starting in the DMF 8.5.0 release.
Note: L3 ZTN means the Controller is set up for deployment mode pre-configured.

This is a one-time setup needed to load the DMF-compatible EOS image. When set up, the next Controller upgrade will also automatically upgrade the switches.

Perform these steps on a 7800R3 Series switch to boot from the DMF Controller:

  1. On the DMF Controller, issue the command show switch-image url to obtain the URL for the boot image. The URL that is needed is the one that corresponds to file update-aristaeos. Make a note of this URL, which will be required later when copying the image to the switch. Do not use the other URLs. 
    DMF(config)# sh switch-image url 
#FileUrlAlternative Url 
--|-------------------------|------------------------------------------------------------|---------------|
1arista-ztp-install-script http://10.240.189.244/switchlight/arista-ztp-install-script
2arista-ztp-install-script https://10.240.189.244/switchlight/arista-ztp-install-script
3install-amd64 http://10.240.189.244/switchlight/install-amd64
4install-amd64 https://10.240.189.244/switchlight/install-amd64
5update-amd64http://10.240.189.244/switchlight/amd64
6update-amd64https://10.240.189.244/switchlight/amd64
7update-aristaeoshttp://10.240.189.244/eos/x86_64
8update-aristaeoshttps://10.240.189.244/eos/x86_64
9update-aristaeos-strata http://10.240.189.244/eos/eft
10 update-aristaeos-strata https://10.240.189.244/eos/eft
  2. Attach a console connection to the Arista 7800R3 Series switch supervisor and turn on the switch or reboot the supervisor.
    Note: If there is a redundant supervisor card in the chassis, you must also repeat steps 2-11 on the redundant supervisor.
  3. Interrupt the boot process with Control-C to drop into the Aboot shell. 
    Aboot 7.1.11-33309652
Loading AUF data


Press Control-C now to enter Aboot shell
^CWelcome to Aboot.
  4. Configure an IP address for the switch’s ma1 management interface. Configure ma1 statically or use DHCP.
  5. To use DHCP, type udhcpc -i ma1. 
    Aboot# udhcpc -i ma1
udhcpc: started, v1.30.1
udhcpc: sending discover
udhcpc: sending select for 172.24.208.123
udhcpc: lease of 172.24.208.123 obtained, lease time 86400
  6. To configure ma1 statically. 
    Aboot# ifconfig ma1 10.240.179.44 netmask 255.255.254.0
Aboot# route add default gateway 10.240.178.1 ma1
Tip: Please use the "route" command to verify the correct routing table.
  7. Change the directory to /mnt/flash/ on the switch. 
    Aboot# cd /mnt/flash
Aboot#
Aboot# ls -l
-rw-rw-r-- 1 root 88 2541 Apr 29 19:29 AsuFastPktTransmit.log
drwxrwxr-x 2 root 88 4096 Oct 31 01:06 Fossil
-rw-rw-r-- 1 root 88 1562 Apr 29 19:29 SsuRestore.log
-rw-rw-r-- 1 root 88 1562 Apr 29 19:29 SsuRestoreLegacy.log
-rw-rwx--- 1 root 88 47 Apr 29 19:37 boot-config
-rw-rw-r-- 1 root 88 4 Apr 29 18:19 config_match
drwxrwx--- 3 root 88 4096 Apr 29 19:38 debug
drwxrwxr-x 2 root 88 4096 Oct 31 01:06 fastpkttx.backup
drwxrwx--- 2 root 88 16384 Oct 31 01:04 lost+found
drwxrwxr-x 3 root 88 4096 Apr 29 19:36 persist
drwxrwxr-x 3 root 88 4096 Oct 31 01:20 schedule
-rw-rw-r-- 1 root 88 0 Oct 31 01:20 startup-config
-rw-rw-r-- 1 root 88 0 Apr 29 19:30 zerotouch-config
  8. Use wget to copy the Arista EOS image from the DMF Controller. Use the update-aristaeos URL from Step 1. The command is wget url. 
    Aboot# wget http://10.240.189.244/eos/x86_64
Connecting to 10.240.189.244 (10.240.189.244:80)
x86_64 100% |********************************| 1324M0:00:00 ETA
  9. Edit the /mnt/flash/boot-config file. Boot using the newly downloaded EOS image from the DMF Controller. 
    SWI=flash:/x86_64
  10. Verify the boot-config was saved. 
    Aboot# cat /mnt/flash/boot-config
SWI=flash:/x86_64
  11. Reboot the system. Type: reboot. 
    Aboot# reboot
[760.531244] SysRq : Remount R/O
Requesting system reboot
Restarting system
[3.988971] Running e2fsck on: /mnt/flash
[4.050509] e2fsck on /mnt/flash took 0s
[4.149265] Running e2fsck on: /mnt/crash
[4.201869] e2fsck on /mnt/crash took 0s


Aboot 7.1.11-33309652
Loading AUF data


Press Control-C now to enter Aboot shell
Booting flash:/x86_64
Secure Boot disabled, skipping check
SPI flash hardware write protection disabled
[9.097555] sd 0:0:0:0: [sda] Synchronizing SCSI cache
[9.161536] Starting new kernel
[3.078215][T438] Running e2fsck on: /mnt/flash
[3.145683][T443] e2fsck on /mnt/flash took 0s
[3.327339][T511] Running e2fsck on: /mnt/crash
[3.388905][T516] e2fsck on /mnt/crash took 0s
Discovering SID and required optimization
SID OtterLake
optimization not required
Data in /mnt/flash/x86_64 differs from previous boot image on /mnt/flash.
Saving new boot image to /mnt/flash...
Mounting SWIM Filesystem
Optimization Default root squash found
Optimization Default all squashes found
Mounting optimization Default
Switching rootfs[ 14.363899][ T1248] tpm tpm0: [Firmware Bug]: TPM interrupt not working, polling instead

Welcome to Arista Networks EOS 4.31.3M
Architecture: x86_64
[ 24.727098] sh[2413]: Starting EOS initialization stage 1
Starting NorCal initialization: 
Configuration version in file is 10B008C.A00A3477 and in hardware is 1090063.A00A3475, updating...

Download status = 'Ready for download', background status = 'Idle'

Download status = 'Ready for download', background status = 'Done'

Download status = 'Ready for download', background status = 'Done'

Download status = 'Ready for download', background status = 'Done'

Download status = 'Ready for download', background status = 'Done'

Download status = 'Download complete, config. activation needed', background status = 'Idle'

File /usr/share/Microsemi/OtterLake.pmc downloaded.

Firmware version in file is 10B008C and in hardware is 1090063, updating...

Download status = 'Download complete, config. activation needed', background status = 'Idle'

Download status = 'Download complete, config. activation needed', background status = 'Done'

Download status = 'Download complete, config. activation needed', background status = 'Done'

Download status = 'Download complete, config. activation needed', background status = 'Done'

Download status = 'Download complete, config. activation needed', background status = 'Done'

Download status = 'Download complete, firmware activation needed', background status = 'Idle'

File /usr/share/Microsemi/firmware-1.B.8C.pmc downloaded.

Microsemi EEPROM Upgraded

Restarting system
[18:57:49] watchdog punch .
[18:57:49] watchdog punch .
[18:57:50] watchdog punch .
[18:57:50] watchdog punch .
[18:57:50] watchdog punch .
[18:57:51] watchdog punch .
[18:57:51] watchdog punch .
[18:57:52] watchdog punch .
'[3.983263] Running e2fsck on: /mnt/flash
[4.044660] e2fsck on /mnt/flash took 0s
[4.154619] Running e2fsck on: /mnt/crash
[4.208347] e2fsck on /mnt/crash took 0s


Aboot 7.1.11-33309652
Loading AUF data


Press Control-C now to enter Aboot shell
Booting flash:/x86_64
Secure Boot disabled, skipping check
SPI flash hardware write protection disabled
[9.126662] sd 0:0:0:0: [sda] Synchronizing SCSI cache
[9.190674] Starting new kernel
[3.066762][T439] Running e2fsck on: /mnt/flash
[3.134327][T444] e2fsck on /mnt/flash took 0s
[3.348235][T511] Running e2fsck on: /mnt/crash
[3.408605][T517] e2fsck on /mnt/crash took 0s
Discovering SID and required optimization
SID OtterLake
optimization not required
Mounting SWIM Filesystem
Optimization Default root squash found
Optimization Default all squashes found
Mounting optimization Default
Switching rootfs[7.615707][ T1216] tpm tpm0: [Firmware Bug]: TPM interrupt not working, polling instead

Welcome to Arista Networks EOS 4.31.3M
Architecture: x86_64
[ 18.256937] sh[2383]: Starting EOS initialization stage 1
Starting NorCal initialization: [OK]
[ 35.769095] sh[2826]: Starting EOS initialization stage 2
Completing EOS initialization (press ESC to skip): [OK]
Model: DCS-7800-SUP1A
Serial Number: FGN234503DR
System RAM: 65684540 kB
Flash Memory size:219G

localhost login:
  12. Log in as admin. From enable mode, turn off Zero Touch Provisioning, as shown below. Then the system may reload again. Type: zerotouch cancel. 
    localhost> enable
localhost# zerotouch cancel
Apr 29 20:00:12 localhost ZeroTouch: %ZTP-6-CANCEL: Cancelling Zero Touch Provisioning
Apr 29 20:00:12 localhost ZeroTouch: %ZTP-6-RELOAD: Rebooting the system
  13. Log in to the switch as admin. Get the System MAC address of the switch from the show version command's output. Type: show version. In this example, the System MAC address is e8ae.c5ff.faba. Obtain the MAC address located on the ID label on the rear of the 7800R3 Series switch. 
    localhost login: admin
Output to this terminal is being recorded for diagnostic purposes.
Note that only output that is visible on the console is recorded.
localhost> show version
Arista DCS-7808-CH
Hardware version: 12.10
Serial number: HNN23166835
Hardware MAC address: e8ae.c5ff.faba
System MAC address: e8ae.c5ff.faba

Software image version: 4.31.3M
Architecture: x86_64
Internal build version: 4.31.3M-36737551.4313M
Internal build ID: 2e80f044-7775-4e3d-968e-fa619089a514
Image format version: 3.0
Image optimization: Default

Uptime: 3 days, 21 hours and 46 minutes
Total memory: 65684540 kB
Free memory: 57729216 kB
  14. On the DMF Controller, assign a switch name and configure the System MAC address noted from the previous step. The MAC address must be entered in colon format, such as e8:ae:c5:ff:fa:ba. 
    DMF(config)# switch filter-1
DMF(config-switch)# mac e8:ae:c5:ff:fa:ba
  15. On the switch console, configure the IP address of the management interface. 
    localhost(config)# interface management 0
localhost(config-if-Ma0)# ip address 10.240.179.44/23
    Note: The Arista 7800R3 data center switches support configuring the management IP address on interface Management 1/1, Management 1/2, Management 2/1, or Management 2/2. However, for the 7800R3 series switch to connect with the DMF Controller, you must configure the management virtual IP address on interface Management0 of the active supervisor card only.
    Note:For the Controller's communication with the switch to work, you should use interface Management 1/1 on the active supervisor to connect to the out-of-band management network and, if a standby supervisor is present, you should also use interface Management 2/1 on the standby supervisor to connect to the management network. You cannot use Management 1/2 and 2/2 for communication with the Controller.
  16. Configure a route to the gateway using the following command. 
    localhost(config)# ip route 0.0.0.0/0 10.240.178.1
  17. On the switch console, configure the IP address(es) of the DMF Controllers. For dual Controllers, the syntax is: controller address controller#1 controller#2. ZTN configuration download begins after configuring this part. 
    localhost(config-if-Ma1)# management dmf
localhost(config-mgmt-dmf)# controller address 10.240.189.243 10.240.189.244
localhost(config-mgmt-dmf)# no disabled
  18. Verify the switch is connected to the DMF Controller. From the switch console, type: show management dmf indigo. 
    filter-1(config)# show management dmf indigo 
DMF: enabled
Indigo agent: active
TCAM profile programming status: success
Hardware counters status: success
Forwarding chip discovery: success

Controllers:

 ID IP Address Connection State Connection Role
------- -------------------- ---------------------- ---------------
0 10.240.189.243 connectedstandby
1 10.240.189.244 connectedactive
  19. The Arista switch appears as connected under the State column when viewed from the DMF Controller using the show switch command. For example: 
    DMF(config-switch)# show switch 
# Switch Name IP AddressState Pipeline Mode 
-|-----------|-------------|---------|---------------------|
1 filter-110.240.179.44 connected l3-l4-match-push-vlan

Configuring the Switch Static IP and Controller IP in Interactive ZTF Mode

To configure or change the static IP or Controller IP addressing from the zcsh CLI, complete the following steps:
  1. From the Switch Light OS prompt on the switch to be configured, enter Control-c to drop into the loader mode. 
    Press Control-C now to enter the interactive loader shell.
^C
Welcome to the shell.
Type 'help' for command help.
loader#
  2. Enter zcsh to drop to ztn-config mode. 
    loader# zcsh
SwitchLight ZTN Manual Configuration. Type help or ? to list commands.
(ztn-config)
SwitchLight ZTN Manual Configuration. Type help or ? to list commands.
  3. Enter the setup command. 
    (ztn-config) setup
You are now running the interactive setup.
Press Enter to continue...
  4. When prompted, type static and enter the IP address for the switch.
    Note: Additional settings for the DNS server and DNS domain options are available starting with DMF Release 6.3.1.
    Please choose an IP option:
(DHCP/Static)? static
Please provide static IP settings:
IP Address: 10.9.36.29
Netmask: 255.255.255.0
Gateway: 10.9.36.1
Do you want to configure DNS settings?
(Yes/No)? yes
DNS Server: 10.3.0.4
DNS Domain: 10.1.5.200
Please provide the IP address of the Controller:
Controller IP: 10.2.0.66
  5. If there is a second Controller, type yes when prompted and enter the IP address of the secondary Controller. 
    Do you have a second controller?
(Yes/No)? yes
Please provide the IP address of the second controller:
Second Controller IP: 10.8.25.32
IP Option : Static
IP Address : 10.8.39.203
Netmask : 255.255.192.0
Gateway : 10.8.0.1
DNS Server : 10.3.0.4
DNS Domain : qa.arista.com
Controller IP : 10.8.25.31
Second Controller IP: 10.8.25.32
Please confirm that the above settings are correct:
(Yes/Reset)? yes
Interactive setup completed successfully.
(ztn-config) reboot
Proceed with reboot [confirm]
Terminated
Requesting systRestarting system.

Installing Arista 7050X and 7260X Series using DHCP with bootfile-name option

Starting with DANZ Monitoring Fabric (DMF) 8.2, installing Switch Light OS on Arista switches can be automated using an Arista ZTP boot script available on the DMF Controller. The Arista switch models that support this procedure are the 7050CX3, 7050SX3, and 7260CX3.

The Arista ZTP boot script is served to the Arista switch using DHCP’s bootfile-name option (option #67). The Arista switch downloads and executes this Arista ZTP boot script during its ZTP (Zero Touch Provisioning) phase following boot. The Arista ZTP boot script copies the Switch Light OS files from the DMF Controller and configures the appropriate boot settings on the Arista switch.

Procedure

  1. Connect to the Arista switch to get the system MAC access. The system MAC address is the HWaddr for the management interface (ma1). The MAC in this example is 2C:DD:E9:7C:84:38. 
    localhost# show interfaces management 1
Management1 is up, line protocol is up (connected)
Hardware is Ethernet, address is 2cdd.e97c.8438 (bia 2cdd.e97c.8438)
IPv6 link-local address is fe80::2edd:e9ff:fe7c:8438/64
Address being determined by SLAAC
No IPv6 global unicast address is assigned
IP MTU 1500 bytes (default) , BW 1000000 kbit
Full-duplex, 1Gb/s, auto negotiation: on, uni-link: n/a
Up 3 hours, 50 minutes, 21 seconds
Loopback Mode : None
4 link status changes since last clear
Last clearing of "show interface" counters 3:53:44 ago
5 minutes input rate 4.71 kbps (0.0% with framing overhead), 5 packets/sec
5 minutes output rate 172 bps (0.0% with framing overhead), 0 packets/sec
65939 packets input, 8202861 bytes
Received 10799 broadcasts, 51269 multicast
0 runts, 0 giants
0 input errors, 0 CRC, 0 alignment, 0 symbol, 0 input discards
0 PAUSE input
1155 packets output, 303450 bytes
Sent 584 broadcasts, 470 multicast
0 output errors, 0 collisions
0 late collision, 0 deferred, 0 output discards
0 PAUSE output
localhost#
  2. On the DMF Controller, configure the name of the Arista switch and its MAC address. In this example, the switch is assigned the name DMF-F1. 
    switch DMF-F1
mac 2c:dd:e9:7c:84:38
  3. From the DMF Controller, obtain the Arista ZTP boot script URL. Run the command show switch-image url. The arista-ztp-install-script is the URL needed. 
    DMF-CTL2(config)# show switch-image url
FileUrl
------------------------- |---------------------------------------------------------
arista-ztp-install-script http://10.240.129.29/switchlight/arista-ztp-install-script
install-amd64 http://10.240.129.29/switchlight/install-amd64
update-amd64http://10.240.129.29/switchlight/amd64
update-aristaeoshttp://10.240.129.29/eos/x86_64
DMF-CTL2(config)#
  4. On the DHCP server, include the bootfile-name option. Use the URL of the Arista ZTP script from the previous step. In this example, the /etc/dhcp/dhcpd.conf file is from an ISC DHCP server. Bring up the DMF switches using either A) vendor-class-identifier or B) switch hardware address.
    Note: The edits required depend on the specific network environment and the type of switches.
    1. For a large DMF deployment, use the vendor-class-identifier as shown below. DMF switches should use a different subnet than UCN switches when using vendor-class-identifier. 
      subnet 10.240.130.0 netmask 255.255.255.128 {
range 10.240.130.61 10.240.130.64;
option domain-name-servers 10.240.48.6;
option subnet-mask 255.255.255.128;
option routers 10.240.130.1;
option broadcast-address 10.240.130.127;
class "Arista"{ match if substring (option vendor-class-identifier, 0, 6) =
"Arista";
option bootfile-name = "http://10.240.129.29/switchlight/
arista-ztp-install-script"; }
}
    2. If DMF switches are in the same subnet as UCN switches, use the host address on dhcpd.config to identify the DMF switches. 
      host 7050X3 {
hardware ethernet 2c:dd:e9:7c:84:38;
option bootfile-name = "http://10.240.129.29/switchlight/arista-ztp-
install-script";
}
  5. Restart the dhcp server process after editing the /etc/dhcp/dhcpd.conf file.
  6. The Arista ZTP boot script will be downloaded and executed at the ZTP phase.
  7. On the DMF Controller, verify the switch is connected using the show switch DMF-F1 command. 
    DMF-CTL2(config)# show switch DMF-F1
#Switch NameIP AddressStatePipeline Mode
- |----------- |-------------------------- |--------- |-------------------- |
1 DMF-F1 fe80::968e:d3ff:feaa:ad0e%9 connectedfull-match-push-vlan
DMF-CTL2(config)#

Installing Arista 7280R Series using DHCP with bootfile-name option

The installation of EOS on Arista SAND platforms (7280x) can be automated using an Arista ZTP boot script available on the DANZ Monitoring Fabric (DMF) Controller. This procedure applies to all Arista 7280R Series platforms that are supported in DMF.
The Arista ZTP boot script is served to the Arista switch using DHCP’s bootfile-name option (option #67). The Arista switch downloads and executes this Arista ZTP boot script during its ZTP (Zero Touch Provisioning) phase following boot. The Arista ZTP boot script copies the EOS SWI from the DMF Controller and configures the appropriate boot settings on the Arista switch.
Note: The Controller must be set up for deployment-mode pre-configured.
Procedure
  1. Connect to the Arista switch to get the system MAC address. The system MAC address is the HWaddr parameter of interface ma1 in Aboot. The MAC address in this example is D4:AF:F7:54:19:5A. 
    Aboot# ifconfig ma1
ma1 Link encap:Ethernet HWaddr D4:AF:F7:54:19:5A
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:37
  2. On the DMF Controller, configure the name of the Arista switch and its MAC address. In this example, the switch is assigned the name DMF-F1. 
    switch DMF-F1
mac d4:af:f7:54:19:5a
  3. From the DMF Controller, obtain the Arista ZTP boot script URL. Run the command show switch-image url. The arista-ztp-install-script is the URL needed. 
    DMF-CTL2(config)# show switch-image url
File Url
------------------------- |----------------------------------------------------------
arista-ztp-install-script http://10.240.129.29/switchlight/arista-ztp-install-script
install-amd64 http://10.240.129.29/switchlight/install-amd64
update-amd64http://10.240.129.29/switchlight/amd64
update-aristaeoshttp://10.240.129.29/eos/x86_64
DMF-CTL2(config)#
  4. On the DHCP server, include the bootfile-name option. Use the URL of the Arista ZTP script from the previous step. In this example, the /etc/dhcp/dhcpd.conf file is from an ISC DHCP server. Bring up the DMF switches using eitherA) vendor-class-identifier or B) switch hardware address.
    Note: The edits required depend on the specific network environment and the type of switches.
    1. For a large DMF deployment, use the vendor-class-identifier as shown below. DMF switches should use a different subnet than UCN switches when using vendor-class-identifier. 
      subnet 10.240.130.0 netmask 255.255.255.128 {
range 10.240.130.61 10.240.130.64;
option domain-name-servers 10.240.48.6;
option subnet-mask 255.255.255.128;
option routers 10.240.130.1;
option broadcast-address 10.240.130.127;
class "Arista"{ match if substring (option vendor-class-identifier, 0, 6) =
"Arista";
option bootfile-name = "http://10.240.129.29/switchlight/
arista-ztp-install-script"; }
}
    2. If DMF switches are in the same subnet as the UCN switches, use the host address on dhcpd.config to identify the DMF switches. 
      host 7050X3 {
hardware ethernet 2c:dd:e9:7c:84:38;
option bootfile-name = "http://10.240.129.29/switchlight/arista-ztp-
install-script";
}
  5. Restart the dhcp server process after editing the /etc/dhcp/dhcpd.conf file.
  6. The Arista ZTP boot script will be downloaded and executed at the ZTP phase.
  7. On the DMF Controller, verify the switch is connected using the show switch DMF-F1 command. 
    DMF-CTL2(config)# show switch DMF-F1
#Switch NameIP Address StatePipeline Mode
- |----------- |--------------------------- |--------- |-------------------
1DMF-F1 10.240.130.62connectedfull-match-push-vlan
DMF-CTL2(config)#

Using DHCP with Default URL for Switch Installation in Preconfigured Provisioning Mode

To install the Switch Light OS using a DHCP server, complete the following steps:
  1. Log in to the DHCP server serving the L2 segment where the monitoring fabric switches are connected.
  2. Edit the /etc/dhcp/dhcpd.conf file.
    Note: The edits required depend on your network environment and the type of switches you are connecting to the fabric. The example below shows how the dhcpd.conf file might look like when using fabric switches of the same architectural type, in this case, the PowerPC architecture.
    dhcpd.conf File (All Switches of the Same Type) 
    subnet 10.9.18.0 netmask 255.255.254.0 {
range 10.9.18.201 10.9.18.254;
option routers 10.9.18.1;
option domain-name-servers 10.3.0.4;
option domain-name "qa.arista.com";
option domain-search "qa.arista.com", ".com";
option default-url = "http://10.9.18.12/switchlight/install-powerpc";
filename "pxelinux.0";
next-server 10.8.0.3;
}
    Note: The URL points to the PowerPC install image on the Controller. The example below shows a DHCP configuration file with PowerPC and AMD64-based switches.
    dhcpd.conf File (Switches of Different Types) 
    class "onie-vendor-powerpc-class" {
match if substring(option vendor-class-identifier, 0, 19) = "onie_vendor:powerpc";
option default-url = "http://10.9.18.11/switchlight/install-powerpc";
}
class "onie-vendor-amd64-class" {
match if substring(option vendor-class-identifier, 0, 18) = "onie_vendor:x86_64";
option default-url = "http://10.9.18.11/switchlight/install-amd64";
}
subnet 10.9.18.0 netmask 255.255.254.0 {
pool {
allow members of "onie-vendor-powerpc-class";
range 10.9.18.120 10.9.18.150;
}
pool {
allow members of "onie-vendor-amd64-class";
range 10.9.18.151 10.9.18.200;
}
range 10.9.18.201 10.9.18.254;
option routers 10.9.18.1;
option domain-name-servers 10.3.0.4;
option domain-name "qa.arista.com";
option domain-search "qa.arista.com", "qa.arista.com";
filename "pxelinux.0";
next-server 10.8.0.3;
}
    Note: The URLs point to the PowerPC and AMD64 install images on the Controller. In the examples above, two DHCP options are supported to deliver ZTN Controller addresses to the switch.
    default-url
    • If the default-url option is set, the address from the URL will be extracted and used for ZTN transactions.
    • If the default-url option is used to support automatic installation via ONIE then the same setting can be used to indicate the initial Controller address against which L3 manifest transactions should be performed.
    next-server
    • This option is used to get the software images and configurations. In the case of DMF, this is optional as default-url provides for SWI and configurations.
  3. Restart the dhcp server process on the DHCP server.
  4. Restart the switch after the DHCP service restarts.

Registering a Switch After Initial Deployment

To add a switch to the fabric after initial deployment, register the name and MAC address of the switch with the active DANZ Monitoring Fabric (DMF) Controller. The switch downloads a compatible Switch Light OS image and configuration from the Controller and uses the registered switch name to refer to the switch in the CLI output and GUI displays.

Using the GUI to Register a Switch

Procedure
  1. Select Fabric > Switches from the main menu.
    Figure 14. Fabric Switches Option

    This page lists the switches connected to the DANZ Monitoring Fabric (DMF) Controller, with the current alias of the switch providing a link to the Switch View for the specified switch.

  2. To add an alias or change the existing alias, click the Menu control next to the switch name and select Configure from the pull-down menu that appears.
    Figure 15. Configure Switch (Page 1)

    This dialog provides the means to assign an alias and a MAC address, shut down or re-enable the switch, and change the password for direct remote connections to the switch.

  3. Type the alias for the switch in the Name field.
  4. Enter the MAC address and click Submit.
  5. This dialog also provides access to a series of dialogues used to override the default configuration pushed from the DMF Controller to the switch. To advance to another page, click the numbered link for the page or click Next.
    Figure 16. Continue Configuration

Using the CLI to Register a Switch

Enter the switch switch-name command to enter the config-switch submode, to associate the switch name with the MAC address of a physical switch. Replace switch-name with a unique alphanumeric text string. For example, the following commands assign the switch names core-sw-1, filter-sw-1, and delivery-sw-1 to three switches: 
controller-1(config)# switch DMF-CORE-SWITCH-1
controller-1(config-switch)# mac 00:00:00:00:00:09
controller-1(config-switch)# switch DMF-FILTER-SWITCH-1
controller-1(config-switch)# mac 00:00:00:00:00:0b
controller-1(config-switch)# switch DMF-DELIVERY-SWITCH-1
controller-1(config-switch)# mac 00:00:00:00:00:0e
To view the switches in the DANZ Monitoring Fabric (DMF), enter the show switch command from any mode, as in the following example: 
controller-1> show switch
# Switch NameIP Address StatePipeline Mode
- |--------------- |--------------------------- |--------- |---------------------
1 bigtap-switch-1fe80::ce37:abff:fe60:d474%2connectedbigtap-l3l4-push-vlan
2 bigtap-switch-2fe80::ce37:abff:fe60:cf8a%2connectedbigtap-l3l4-push-vlan
3 bigtap-switch-3fe80::ce37:abff:fea0:9071%2connectedbigtap-l3l4-push-vlan

The output shows the switch alias, IP address, state, and pipeline mode.

To associate a new name with an existing switch MAC address, remove the switch registration with the no switch command. 
controller-1(config)# no switch DMF-CORE-SWITCH-1
To view additional details about a switch, enter the show switch all detail command, as in the following example:

After removing the switch registration, perform a new switch registration using the new switch name.

Changing the ZTF Mode After Deployment

Changing to Layer 3 (Pre-Configured) Switch Provisioning Mode

ZTF cannot be used to install the switches when the switch management network connects the DANZ Monitoring Fabric (DMF) Controllers through a Layer 3 network. However, when a switch is in a different subnet than the Controller, manually configure the switches or use a DHCP server to download the Switch Light OS image to each fabric switch. To do this, change the switch provisioning mode to Pre-Configured.

If the switches and Controllers are in the same L2 broadcast domain, use the auto-discovery switch deployment mode for an L2-ZTF deployment. If the switches and Controllers are not in the same L2 broadcast domain, use the pre-configured provisioning mode to enable an L3-ZTF deployment. The entire fabric must be in a single provisioning mode; DMF only supports the auto-discovery provisioning mode if all the switches are in the same Layer 2 domain.

Using the GUI to Change the Switch Provisioning Mode

Complete the following steps to use the DANZ Monitoring Fabric (DMF) GUI to change the switch provisioning mode.

Procedure

  1. Click the DMF logo in the GUI Main menu to display the Controller landing page.
  2. Click the Settings control in the Features section on the Controller landing page.
    Figure 17. Changing the Switch Provisioning Mode
    Note: For information about the other options in this section, refer to the DMF User Guide.
  3. Click the Settings controller to the right of the Device Provisioning Mode option and click Submit.

    Control the configuration of this feature using the Edit icon by clicking on the pencil icon.

    Figure 18. Edit Device Deployment Mode
  4. Click on the downward arrow and choose from the drop-down options. There are two ways to modify the switch configuration. Select the Pre-Configured option, click on the Submit button, and confirm the operation when prompted. An error message is displayed if switches are already deployed using Auto Discovery mode.

Using the CLI to Change the Switch Provisioning Mode

Complete the following steps to use the CLI to change from Auto-discovery (L2-ZTF) Mode to preconfigured (L3-ZTF) Mode.

Procedure

  1. Disable IPAM by entering the following commands.
    Note: IPAM is supported only in L2-ZTF mode. Disable it before moving to L3-ZTF mode. However, before disabling IPAM, remove the IPAM configuration in the config-ipam-switch submode.
    controller-1(config-ipam-switch)# no dns-server
controller-1(config-ipam-switch)# no gateway
controller-1(config-ipam-switch)# no ip-range 10.8.39.81 10.8.39.90 subnet-mask-length 18
controller-1(config-ipam-switch)# (config-ipam-switch)# exit
controller-1(config-ipam-switch) (config)# no ipam switch
  2. Change the switch provisioning mode by entering the following command on the active DANZ Monitoring Fabric (DMF) Controller. 
    controller-1(config)# deployment-mode pre-configured
  3. Configure the switches using DHCP or static IP addresses.
    Note: If not using DHCP, assign a static IP using the switch CLI (PCLI) on each fabric switch.
  4. Configure the active and standby DMF Controller IP address on each fabric switch.
  5. Reboot each switch.
    If switches and Controllers are in the same L2 broadcast domain, use the auto-discovery switch deployment mode for an L2-ZTF deployment. If the switches and Controllers are not in the same L2 broadcast domain, use the pre-configured provisioning mode to enable an L3-ZTF deployment. The entire fabric must be in a single provisioning mode; DMF only supports the auto-discovery provisioning mode if all the switches are in the same Layer 2 domain.

Changing to Layer 3 ZTF (Preconfigured) Mode

Complete the following steps to change to Preconfigured (L3-ZTF) Mode from Auto Discovery (L2-ZTF) mode.

Procedure

  1. Change the configuration of each switch management (ma1) IP to DHCP or assign static IP. 
    (ztn-config) interface ma1 ip-address
Set the management interface address parameters. Possibilities are:
interface ma1 ip-address dhcp
interface ma1 ip-address <ip-address>/<prefix> gateway <gateway-address>
A) Setting ma1 interface of switch to use DHCP.
(ztn-config) interface ma1 ip-address dhcp
(ztn-config) show
IP Option: DHCP
Controllers: fe80::250:56ff:fea2:df9b
(ztn-config)
B) Setting ma1 interface of switch for static IP
(ztn-config) interface ma1 ip-address 192.168.10.10/25 gateway 192.168.10.1
(ztn-config) show
IP Option: Static
IP Address: 192.168.10.10
Netmask: 255.255.255.128
Gateway: 192.168.10.1
DNS Server: None
DNS Domain: None
Controllers: fe80::250:56ff:fea2:df9b
(ztn-config)
  2. At the ztn-config prompt, clear the Controller configuration and add the Controller IP (active and standby). 
    A) Clearing controller config on switch.
(ztn-config) controller clear
(ztn-config) show
IP Option: Static
IP Address: 10.240.130.13
Netmask: 255.255.255.128
Gateway: 10.240.130.1
DNS Server: None
DNS Domain: None
Controllers:
(ztn-config)
B) Adding controller IP.
(ztn-config) controller set 10.240.130.15,10.240.130.16
(ztn-config)
(ztn-config) show
IP Option: Static
IP Address: 10.240.130.13
Netmask: 255.255.255.128
Gateway: 10.240.130.1
DNS Server: None
DNS Domain: None
Controllers: 10.240.130.16,10.240.130.15
(ztn-config)
  3. At the ztn-config prompt, reboot each switch.
    Enter the deployment-mode pre-configured command on the DANZ Monitoring Fabric (DMF) Controller to enable Layer 3 mode switch installation, whether using the manual method or DHCP with the default URL method of installation.
    Note: In Layer 3 mode, ZTF uses TCP port 8843 for communication between the Controller and switches. This port must be allowed on the Controller and on any devices connecting the Controller to the fabric switches.

Changing to Layer 2 ZTF (Auto-Discovery) Mode

Complete the following steps to change to Auto-Discovery (L2-ZTF) Mode from Preconfigured (L3-ZTF) Mode.

Procedure

  1. Move the switches or Controllers into the same L2 broadcast domain if required.
    Note: L2-ZTF requires all the switches and Controllers to be in the same broadcast domain.
  2. Change the switch provisioning mode by entering the following command on the active DANZ Monitoring Fabric (DMF) Controller. 
    controller-1(config)# deployment-mode auto-discovery
  3. Login to each switch. At the ztn-config prompt, clear the ZTF configuration.
    In L2-ZTF mode, the Controllers are auto-discovered by switches. 
    (ztn-config) interface ma1 ip-address dhcp
(ztn-config) controller clear
(ztn-config) show
IP Option: DHCP
Controllers:
(ztn-config)
  4. At the ztn-config prompt, reboot each switch.

System Reinstall for an EOS Switch

Perform a system reinstall by removing the local startup-config/zerotouch-config on the switch so the DANZ Monitoring Fabric (DMF) Controller no longer manages it.

Rebooting the switch restarts the Arista-native ZTP process and requests a fresh image from the Controller.

Use the following command to perform a system reinstall:

C1# system reinstall switch eos-switch-name reboot
Note: There are other optional parameters (such as timeout and factory-default), but they do not apply to EOS switches.

The following is an example where the switch name is core1.

C1(config)# system reinstall switch core1 reboot
system switch reinstall: "deployment-mode pre-configured"
system switch reinstall: l3-ztn currently configured
system switch reinstall: l3-ztn implies switches are remote
system switch reinstall: l3-ztn and some switches may not rejoin
reinstall may cause service interruption
system switch reinstall ("y" or "yes" to continue): y

An optional parameter called reboot forces the switch to reboot and begin the re-installation process.

CLI Show Commands

When the switch is rebooting, ZTN cannot communicate with the switch, so a Zerotouch state error hint and Zerotouch state error msg appear when using the following show command:

(config)# show switch core1 zerotouch
Name : core1
Ip address : 10.243.254.25
Last update: 2023-06-02 07:18:35.749000 UTC
Zerotouch state: reloading
Zerotouch state error hint : Rest API Client problem
Zerotouch state error msg: Connect to 10.243.254.25:80 [/10.243.254.25] failed: Connection refused (Connection refused)

The error message changes after the switch has fully booted.

SM-InspiringPare-Broadwater-C1(config-crypto)# show switch core1 zerotouch
Name : core1
Ip address : 10.243.254.25
Last update: 2023-06-02 07:29:34.850000 UTC
Zerotouch state: reloading
Zerotouch state error hint : Rest API Client problem
Zerotouch state error msg: No route to host (Host unreachable)

At this point, the switch has booted up entirely. Still, the Controller cannot talk to the switch, as the necessary configuration is absent. Kick-start the DMF ZTN process on the switch again using the commands below:

(config)# management dmf
(config-mgmt-dmf)# controller address ip-address
(config-mgmt-dmf)# no disabled

Troubleshooting

Check the status using the command show switch switch-name zerotouch.

After performing the steps above for reconnecting an EOS switch, and if the state remains stuck in reloading (and there is a Zerotouch state error hint / Zerotouch state error msg output), please contact This email address is being protected from spambots. You need JavaScript enabled to view it..

SKU Reporting for EOS Switches

Like SwitchLight (SWL) OS switches, EOS switches now report their SKUs to the DANZ Monitoring Fabric (DMF) Controller.

View the EOS switch SKU using the DMF Controller CLI or GUI.

Using the CLI to Configure SKU Reporting for EOS Switches

Run the show fabric inventory command from the login mode to view the switch SKUs from the DMF Controller CLI.

The Switch Inventory table enumerates the switches associated with the DMF environment. The SKU column indicates the SKU of each switch. 
CONTROLLER-1> show fabric inventory 
~~~~~~~~~~~~~~~~~ Controller Inventory ~~~~~~~~~~~~~~~~~
# Node Id Hostname SKUSerial Number
-|-------|-------------------|-----------|-------------|
1 29617 CONTROLLER-1DCA-DM-C450FF99R52
2 23262 CONTROLLER-2DCA-DM-C4503W9D3Y2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Switch Inventory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Switch SKU Serial Number ManufacturerAsic
-|--------------------|-----------------|-------------|---------------|------------|
1 dmf-arista-7280SR2-2 DCS-7280SR2-48YC6 JPE22123192 Arista Networks jericho-plus
2 dmf-arista-7280CR3-1 DCS-7280CR3-32P4JPE20383391 Arista Networks jericho2
3 dmf-arista-7280SR3-1 DCS-7280SR3-48YC8 JPE22191168 Arista Networks jericho2c
4 dmf-arista-7280CR3-2 DCS-7280CR3-32P4JPE20383398 Arista Networks jericho2
5 dmf-arista-7280SR-1DCS-7280SR-48C6 SGD20370893 Arista Networks jericho
6 dmf-arista-7280SR2-1 DCS-7280SR2-48YC6 JPE20476226 Arista Networks jericho-plus

~~~~~~~~~ Recorder Node Inventory~~~~~~~~~
# Recorder NodeSKUSerial Number
-|-----------------|----------|-------------|
1 DMF-RECORDER-NODE DCA-DM-RA3 FLC1RN3

~~~~~~~~ Service Node Inventory~~~~~~~~
# Service NodeSKUSerial Number
-|-----------------|----------|-------------|
1 DMF-SERVICE-NODEDCA-DM-SDL GS11RN3

Using the GUI to Configure SKU Reporting for EOS Switches

To view the switch SKUs from the DMF Controller GUI, hover the mouse over the Fabric menu bar and select Switches.

Figure 19. Fabric > Switches

The Switches page loads.

Figure 20. Switches

The SKUs do not appear by default but display after enabling the SKU column. To enable the column, click the menu button in the table. In the menu, select Show/Hide Columns.

Figure 21. Show/Hide Columns

In the dialog box, select the SKU checkbox and click Save Preferences.

Figure 22. Configure Table Columns

The SKU column appears in the Switches table and displays the SKU of each switch.

Figure 23. SKU Column

DANZ Monitoring Fabric Deployment Topologies

This chapter describes the different topologies for out-of-band deployment of DANZ Monitoring Fabric.

 

DANZ Monitoring Fabric Topologies

DANZ Monitoring Fabric (DMF) supports the implementation of out-of-band monitoring using a single switch or with many switches for a scalable, high-availability topology. This topology supports thousands of filter and delivery ports.

This section provides a summary of the recommended deployments.

Single Switch Topology

The single switch topology is the most basic design for small-scale environments, where a single switch provides enough filter interfaces, delivery interfaces, and optional service interfaces for connecting to NPBs for various packet manipulation operations, such as time stamping and packet slicing.
Figure 1. DANZ Monitoring Fabric (DMF) Single Switch Topology
This design option is most useful in the following scenarios:
  • The environment does not need to scale beyond the interfaces provided by a single DMF Out-of-Band (OOB) switch.
  • A single switch topology improves cable management when filter and delivery ports are physically dispersed throughout the data center.

Two-Tier Topology

A two-tier design, shown in the figure below, is most useful in the following scenarios:
  • Medium-to-high port scalability requirements.
  • Production network TAPs are dispersed across the data center and require aggregation.
  • Tools are physically consolidated, and the traffic needs to be aggregated.
Figure 2. DANZ Monitoring Fabric (DMF) Two-Tier Topology
When deploying this topology, ensure the following requirements:
  • Only use core links between monitoring switches in different tiers. Depending on port availability and the bandwidth requirements, the core links can be 10, 25, 40, or 100 GbE.
  • Avoid connecting links between filter switches to help ensure efficient path computation.
  • Connect at least two links between tiers for link redundancy. The total number of physical links between the tiers will vary according to the amount of oversubscription in the design.
  • Service nodes should be connected to the delivery switch to send the aggregated traffic to the service nodes (NPBs).

Three-Tier Any-Tap-to-Any-Tool Topology

A three-tier design, as shown in the figure below, is most useful in the following scenarios:
  • Large-scale deployments where hundreds of TAP ports are installed across the data center.
  • Traffic from TAPs must be aggregated, and the aggregated traffic forwarded to analysis tools in different locations. This design provides any-TAP-to-any-tool connectivity.
Figure 3. DANZ Monitoring Fabric (DMF) Three-Tier (Any-TAP-to-Any-Tool) Topology

With this topology, ensure the following requirements are satisfied:
  • 40 or 100 GbE links are recommended to the core switches.
  • Connect each filter switch to at least two core tier switches for redundancy. Depending on the amount of oversubscription in the design and on port availability, more ports can be connected between tiers.
  • Service nodes should be connected to a core (aggregation) switch so that aggregated traffic can be delivered to the service nodes (NPBs).
  • Avoid connecting links between filter switches to help ensure efficient path computation.

Installing and Configuring the DMF Controller

This chapter describes the basic procedure for installing the DANZ Monitoring Fabric (DMF) Controller software.

Connecting to the Controller

The DANZ Monitoring Fabric (DMF) Controller can be deployed as a hardware appliance, a one-RU hardware device containing preloaded software, or as a Virtual Machine (VM).

Complete the initial setup of the Controller in any of the following ways:
  • Attach a monitor and keyboard to the appliance console port directly.
  • Use a terminal server to connect to the appliance console port and telnet to the terminal server.
  • When deploying the Controller as a VM, connect to the VM console.
Note: Arista Networks recommends having an iDRAC connection to the Controller, Service Node, Analytics Node, and Recorder Node appliances. This connection helps in easy troubleshooting of issues. Refer to the chapter Using iDRAC with a Dell R440 or R740 Server later in this guide for more details.

Connecting to the Controller Appliance Using a Terminal Server

After you connect the DANZ Monitoring Fabric (DMF) Controller appliance serial console to a terminal server, you can use telnet (or SSH if supported by your terminal server) to connect to the hardware appliance through the terminal server.

To connect the serial connection on a Controller appliance to a terminal server, complete the following steps:

  1. Obtain a serial console cable with a DB-9 connector on one end and an RJ-45 connector on the other.
  2. Connect the DB-9 connector to the hardware appliance DB-9 port (not the VGA port) and the RJ45 to the terminal server.
  3. Configure the terminal server port baud rate to 115200.
  4. Set the port baud rate of 115200 on the terminal server.
Note:
  • On some terminal servers, the saved configuration must be reloaded after changing the baud rate.
  • You should now be able to use Telnet or SSH to access the hardware appliance serial console through the terminal server.

Configuring the Active Controller Using the First Boot Script

After connecting to the Controller appliance to start the initial setup, the system runs the First Boot script. The following configuration information is required to configure the DANZ Monitoring Fabric (DMF) Controller:
  • IP address for the active and standby Controller
  • The subnet mask and the default gateway IP address
  • NTP server IP address
  • Host name
  • (Optional) DNS server IP address
  • (Optional) DNS search domain name
Note:The default serial console rate on DMF hardware appliances for releases before 6.1 was 9600. When upgrading an existing Controller appliance with a serial interface set to 9600 baud, change the terminal setting to 115200 after the upgrade.
To perform the initial configuration of the DMF Controller, complete the following steps:
  1. Insert the bootable USB drive into the Controller appliance USB port.
    Refer to Appendix B: Creating a USB Boot Image to make a bootable USB drive.
    Note: After powering on the hardware appliance for the active Controller, press Enter when prompted to begin the installation.
  2. Press Enter to begin the installation. 
    This product is governed by an End User License Agreement (EULA).
You must accept this EULA to continue using this product.
You can view this EULA from our website at:
https://www.arista.com/en/eula
Do you accept the EULA for this product? (Yes/No) [Yes] > Yes
Running system pre-check
Finished system pre-check
Starting first-time setup
Local Node Configuration
------------------------
  3. To accept the agreement, type the command: Yes.
    Refer to Appendix B: Creating a USB Boot Image to make a bootable USB drive.
    Note: When entering the command: No, the system prompts the user to log out. Accepting the EULA is mandatory to install the product.
    Enter the command: Yes to accept the EULA. The system prompts for a password to be used for emergency recovery of the Controller node, as shown below. 
    Emergency recovery user password >
  4. Set the recovery user password and confirm the entry. 
    Local Node Configuration
------------------------
Emergency recovery user password>
Emergency recovery user password (retype to confirm)>
Hostname> controller-1
  5. Choose the IP forwarding mode when prompted. 
    [1] IPv4 only
[2] IPv6 only
[3] IPv4 and IPv6
>3
  6. Choose the method for assigning IPv4 addresses. 
    Management network (IPv4) options:
[1] Manual
[2] Automatic via DHCP
[1] >
    Note: When using [2] Automatic via DHCP, Arista Networks recommends reserving the DHCP address for the MAC address of the Controller’s management port.
  7. Choose the method for assigning IPv6 addresses. 
    Management network (IPv6) options:
[1] Automatic via SLAAC & DHCPv6
[2] Manual
[1] >

    The DMF Controller Appliance allows IPv6 Stateless Address Auto-configuration for Controller IPv6 management.

    Note: Support for Jumbo Ethernet frames is enabled by default.
    When using [1] in Step 6 above, the system prompts the user to enter the IPv4 address and related configuration information for the Controller node. 
    IPv4 address [0.0.0.0/0]> 10.106.8.2/24
IPv4 gateway (Optional) > 10.106.8.1
DNS server 1 (Optional) > 10.3.0.4
DNS server 2 (Optional) > 10.1.5.200
DNS search domain (Optional) > qa.aristanetworks.com

    The IPv4 address configuration is applied to the Controller Management Interface (white-labeled ports) on the Controller appliance.

  8. Enter the IP address and optional information regarding the DNS server, as shown in the example.
    Note: Entering the IP address followed by a slash (/) and the number of bits in the subnet mask, the system does not prompt for the CIDR.
    The system prompts the user to create a new cluster or join an existing cluster. 
    DNS search domain (Optional) > bsn.sjc.aristanetworks.com
Clustering
----------
Controller cluster options:
[1] Start a new cluster
[2] Join an existing cluster
> 1
  9. Type 1 when configuring the active Controller.
    The system prompts the user to enter the cluster name and description and to set the password. 
    > 1
Cluster name > dmf-cluster
Cluster description (Optional) >
Cluster administrator password >
Cluster administrator password (retype to confirm) >
  10. Enter a name for the cluster and an optional description, and set the password for administrative access to the cluster.
    The system then prompts for the name of each NTP server to use to set the system time required for synchronizing between nodes in the cluster and fabric switches. 
    System Time
-----------
Default NTP servers:
- 0.bigswitch.pool.ntp.org
- 1.bigswitch.pool.ntp.org
- 2.bigswitch.pool.ntp.org
- 3.bigswitch.pool.ntp.org
NTP server options:
[1] Use default NTP servers
[2] Use custom NTP servers
[1] > 1
    Note: Fabric switches and nodes obtain their NTP service from the active Controller.
  11. Enter the IP address or fully qualified domain name of the NTP server for the network.
    Completing the initial configuration without specifying the NTP server is possible, but deploying the DMF Controller in a production environment requires a functioning NTP configuration.
    The system completes the configuration and displays the First Boot Menu. 
    [ 1] Apply settings
[ 2] Reset and start over
[ 3] Update Recovery password (*****)
[ 4] Update Hostname (controller-1)
[ 5] Update IP Option (IPv4 and IPv6)
[ 6] Update IPv6 Method (Automatic via SLAAC & DHCPv6)
[ 7] Update IPv4 Address (10.106.8.2/24)
[ 8] Update IPv4 Gateway (10.106.8.3)
[ 9] Update DNS Server 1 (10.3.0.4)
[10] Update DNS Server 2 (10.1.5.200)
[11] Update DNS Search Domain (qa.aristanetworks.com)
[12] Update Cluster Option (Start a new cluster)
[13] Update Cluster Name (dmf-cluster)
[14] Update Cluster Description (<none>)
[15] Update Admin Password (*****)
[16] Update NTP Option (Use default NTP servers)
[1] >
  12. To apply the configuration, type 1.
    Note: To change any previous configurations, type the appropriate menu option, make the required changes, and then type 1 to apply the settings when the system returns to this menu.

    After entering the option to apply the settings, the system applies the settings, starts the DMF Controller, and displays the Controller banner and login prompt.

    The system applies the settings and displays a series of prompts as each process completes. When successful, the system displays the following prompts. 
    [Stage 1] Initializing system
[Stage 2] Configuring controller
Waiting for network configuration
IP address on em1 is 10.106.8.3
Generating cryptographic keys
[Stage 3] Configuring system time
Initializing the system time by polling the NTP servers:
0.bigswitch.pool.ntp.org
1.bigswitch.pool.ntp.org
2.bigswitch.pool.ntp.org
3.bigswitch.pool.ntp.org
[Stage 4] Configuring cluster
Cluster configured successfully.
Current node ID is 10249
All cluster nodes:
Node 10249: fe80::1618:77ff:fe67:3f0c:6642
First-time setup is complete!
Press enter to continue >
DANZ Monitoring Fabric 8.4.0 (dmf-8.4.0 #11)
Log in as 'admin' to configure
controller-1 login:
    To login to the Controller, use the account name admin and the password set for the cluster during installation. Optionally, log in to the active Controller using SSH with the assigned IP address or use a web browser to connect to the IP address using HTTPS. 
    controller login: admin
This email address is being protected from spambots. You need JavaScript enabled to view it..8.2's password:
Login: admin, on Thu 2020-11-19 21:39:28 UTC, from 10.95.66.14
Last login: on Thu 2020-11-19 21:39:05 UTC, from 10.95.66.14
controller-1>

Configuring the Standby Controller

Joining Standby Controller to Existing Cluster

Arista Networks recommends deploying the DANZ Monitoring Fabric (DMF) in a two-node cluster for operational resilience. Set up the first (active) cluster node described above. Use the steps described here to configure a second Controller node and join it to the cluster as a standby node.
An active and standby Controller can be deployed in different L3 subnets, changing how Controllers communicate. Active and standby Controllers communicate using each Controller's management IPv4 address. This configuration enables the provisioning of active and standby Controllers in different IP subnets (L3 domains) or on the same subnet (L2 domain).
Note: Both nodes in a cluster must be running the same version of DMF Controller software. The standby node will not join the cluster if it is not running the same version as the active node. The maximum latency between active and standby Controllers should be less than 300ms.

Powering on the hardware appliance or the VM with the pre-installed DMF software prompts the user to log in as admin for the first-time configuration.

  1. Log in to the second appliance using the admin account.
    Note: Ports on the Controller-facing management-switch port must come up within 5 seconds.

    Powering on the hardware appliance for the active Controller prompts the user to press Enter to begin the installation.

  2. Press Enter to begin the installation.
  3. Log in to the standby Controller using the admin account.
    Use the default account (admin) without a password when the system is booting from the factory default image. The system displays the following prompt to accept the End User License Agreement (EULA). 
    This product is governed by an End User License Agreement (EULA).
You must accept this EULA to continue using this product.
You can view this EULA from our website at:
https://www.arista.com/en/eula
Do you accept the EULA for this product? (Yes/No) [Yes] > Yes
To read the agreement, type ``View``
  4. Accept the agreement.
    Note:When entering the command: No, the system prompts the user to log out. Accepting the EULA is mandatory to install the product.

    After typing Yes to accept the EULA, the system prompts for a password to be used for emergency recovery of the Controller node, as shown below.

    To read the agreement, type View.

    To accept the agreement, type Yes.

    Starting first-time setup
Local Node Configuration
------------------------
Password for emergency recovery user >
Retype Password for emergency recovery user >
  5. Set the recovery user password and confirm the entry. 
    Local Node Configuration
------------------------
Emergency recovery user password >
Emergency recovery user password (retype to confirm) >
Hostname > controller-2
  6. Choose the IP forwarding mode, when prompted. 
    Management network options:
[1] IPv4 only
[2] IPv6 only
[3] IPv4 and IPv6
> 3
  7. Choose the method for assigning IPv4 addresses. 
    Management network (IPv4) options:
[1] Manual
[2] Automatic via DHCP
[1] >
    Note: When using [2] Automatic via DHCP, Arista Networks recommends reserving the DHCP address for the MAC address of the Controller’s management port.
  8. Choose the method for assigning IPv6 addresses. 
    Management network (IPv6) options:
1] Automatic via SLAAC & DHCPv6
2] Manual
1] >

    The DMF Controller appliance allows IPv6 Stateless Address Auto-configuration for Controller IPv6 management.

  9. (Optional) When using[1] Manual in Step 7, the system prompts the user to enter the IPv4 address and related configuration information for the Controller node.
    Enter the IP address and optional information regarding the DNS server, as shown in this example.
    Note:Entering the IP address followed by a slash (/) and the number of bits in the subnet mask, the system may not prompt for the CIDR.
    IPv4 address [0.0.0.0/0] > 10.106.8.3/24
IPv4 gateway (Optional) > 10.106.8.1
DNS server 1 (Optional) > 10.3.0.4
DNS server 2 (Optional) > 10.1.5.200
DNS search domain (Optional) >qa.aristanetworks.com
    Note: The IP address configuration is applied to the Controller Management Interface on the Controller appliance.
  10. The system prompts the user wants to create a new cluster or join an existing cluster. 
    Controller Clustering
---------------------
Controller cluster options:
[1] Start a new cluster
[2] Join an existing cluster
> 2

    Type 2 to join the standby Controller to the existing cluster.

  11. The system prompts the user for the IPv4 address of the active Controller for the cluster the standby will join. 
    Existing Controller IP > 10.106.8.2

    The user is prompted to enter the IP address of the active Controller for the cluster.

  12. The user is prompted to enter and confirm the cluster password. 
    Cluster administrator password >
Cluster administrator password (retype to confirm) > Menu
  13. The system displays the First Boot Menu and all provided details for final verification. Press 1 to apply the settings and start the process of the standby Controller joining the DMF cluster. 
    :: Please choose an option: 
[ 1] Apply settings 
[ 2] Reset and start over 
[ 3] Update Recovery Password 
[ 4] Update Hostname 
[ 5] Update IP Option 
[ 6] Update IPv4 Address 
[ 7] Update IPv4 Gateway 
[ 8] Update DNS Server 1 
[ 9] Update DNS Server 2 
[10] Update DNS Search Domain 
[11] Update Cluster Option 
[12] Update Cluster to Join 
[13] Update Admin Password 
[1] > 1
  14. The system advises the current DMF cluster does not have secure control enabled. Enable this optional feature later, as required. Press 1 to resume connecting the standby Controller with the active Controller in the DMF cluster. 
    [Stage 1] Initializing system
[Stage 2] Configuring local node
Waiting for network configuration
IP address on ens4 is 10.2.0.185
Generating cryptographic keys
Please verify that:
Secure control plane is NOT configured.
You can verify the above by running "show secure control plane"
on the existing controller 10.2.1.90.
Options:
[1] Continue connecting (the above info is correct)
[2] Cancel and review parameters
> 1
[Stage 3] Configuring system time
Initializing the system time by polling the NTP servers:
0.bigswitch.pool.ntp.org
1.bigswitch.pool.ntp.org
2.bigswitch.pool.ntp.org
3.bigswitch.pool.ntp.org
[Stage 4] Configuring cluster
Cluster configured successfully.
Current node ID is 5302
All cluster nodes:
Node 5302: [fe80::5054:ff:fe6a:dd0f]:6642
Node 15674: [fe80::5054:ff:fec4:d1b8]:6642
First-time setup is complete!
Press enter to continue >
DANZ Monitoring Fabric 8.0.0 (dmf-8.0.0 #62)
Log in as 'admin' to configure
    Note: It is possible to connect to the DMF Controller using the IP address assigned to either the active or standby Controller. However, you can make configuration changes only when connected to the active Controller. In addition, statistics and other information will be more accurate and up-to-date when viewed on the active Controller.
    DANZ Monitoring Fabric 8.4.0 (dmf-8.4.0 #11)
Log in as 'admin' to configure
This email address is being protected from spambots. You need JavaScript enabled to view it..8.3's password:
Login: admin, on Fri 2020-11-20 05:06:19 UTC, from 10.95.66.14
Last login: on Fri 2020-11-20 05:06:09 UTC, from 10.95.66.14
======================== WARNING: STANDBY CONTROLLER =========================
This controller node is in standby mode.
This session should only be used for for troubleshooting.
Log in to the active to make configuration changes
and to access up-to-date operational data.
================================================================================.
standby controller-2>

Moving existing Standby Controller to different IPv4 subnet

To move an existing standby Controller to a different subnet, the standby Controller management IPv4 address must be changed before moving the appliance to a different subnet. Before making any changes, ensure the underlying network configuration is set up correctly for connectivity.
  1. Change the management IP address on the standby Controller. There are two methods to change the Controller management IP address.
    Method A: Using iDRAC or Controller console, remove the existing management IP address and add the new IP address. Go to config->>local node->>interface management->>ipv4 to change the Controller's management IP address. 
    Controller-2(config-local-if-ipv4)# no ip 192.168.39.44/24 gateway 192.168.39.1
192.168.39.44: currently in use: port 22: 192.168.39.1:54978, 192.168.39.1:54979
192.168.39.44: proceed ("y" or "yes" to continue): y
DMF-Controller-2(config-local-if-ipv4)# ip 192.168.39.45/24 gateway 192.168.39.1
    Method B: Use the REST API to replace the Controller's management IP address instead of removing and adding a new management IP address. When using this method, there is no need to use Controller iDRAC or console access to change the management IP address. You can use the REST API and parameters below to replace the Controller's management IP address: 
    /api/v1/data/controller/os/config/local/network/interface[name="management "]/ipv4/address' -X PUT -d '[{"ip-address": "192.168.39.45", "prefix": 24, "gateway": "192.168.39.1"}]’
  2. Move the standby Controller to the new subnet.

Moving an Existing Standby Controller to a Different Controller Cluster

Follow the procedure below to move an existing standby Controller to a different Controller cluster.

  1. Remove the standby Controller from the existing cluster.
  2. Connect to the Controller using iDRAC or Controller console.
  3. Run the boot factory-default command. 
    Controller-2# boot factory-default
  4. Perform the first-boot operation specified in the section Joining Standby Controller to Existing Cluster ** if joining an existing new Controller cluster or **Configuring the Active Controller Using the First Boot Script to create a new Controller cluster.

Accessing the DANZ Monitoring Fabric Controller

This section describes connecting to the DANZ Monitoring Fabric (DMF) Controller.

To access the active DMF Controller, use the IP address of the active Controller. If configured, use the cluster's Virtual IP (VIP) as described in the Configuring the Cluster Virtual IP section.

Refer to the Using Local Groups and Users to Manage DMF Controller Access section to manage administrative user accounts and passwords.

Using the DANZ Monitoring Fabric CLI

Once the DANZ Monitoring Fabric (DMF) Controllers are up and running, log in to the DMF Controller using the VM local console or SSH.

DMF divides CLI commands into modes and sub-modes, which restrict commands to the appropriate context. The main modes are as follows:
  • login mode: Commands available immediately after logging in, with the broadest possible context.
  • enable mode: Commands that are available only after entering the enable command.
  • config mode: Commands that significantly affect system configuration and are used after entering the configured command. Access sub-modes from this mode.

Enter sub-modes from config mode to provision specific monitoring fabric objects. For example, the switch command changes the CLI prompt to (config-switch)# to configure the switch identified by the switch DPID or alias.

After logging in, the CLI appears in the login mode where the default prompt is the system name followed by a greater than sign (>), as in the following example.

controller-1>
To change the CLI to enable mode, enter the enable command. The default prompt for enable mode is the system name followed by a pound sign (#), as shown below. 
controller-1> enable
controller-1#
To change to config mode, enter the configure command. The default prompt for config mode is the system name followed by (config)#, as shown below. 
controller-1> enable
controller-1# configure
controller-1(config)#
controller-1(config)# switch filter-1
controller-1(config-switch)#
To return to the enable mode, enter the end command, as shown below. 
controller-1(config)# end
controller1#

To view a list of the commands available from the current mode or submode, enter the help command. To view detailed online help for the command, enter the help command followed by the command name.

To display the options available for a command or keyword, enter the command or keyword followed by a question mark (?).

Capturing CLI Command Output

Pipe commands through other commands like grep for analysis and troubleshooting DANZ Monitoring Fabric (DMF) operations. View the contents of the output files by entering the show running-config command, as in the example below. 
controller-1> show running-config | grep <service unmanaged-service TSTS>
post-service pst2
pre-service pst
Copy files to an external FTP server, as in the example below. 
copy running-config scp://<username@scp_server>//<file>

Using the DANZ Monitoring Fabric GUI

The DANZ Monitoring Fabric (DMF) GUI performs similar CLI operations using a graphic user interface instead of text commands and options. DMF supports the use of the GUI with recent versions of any of the following supported browsers:
  • Firefox
  • Chrome
  • Internet Explorer
  • Safari
  • Microsoft Edge

To connect to the DMF GUI, use the IP address assigned to the DMF Controller. The following figure shows a browser connecting to the GUI using HTTPS at the IP address 192.168.17.233.

Figure 1. Accessing the DANZ Monitoring Fabric GUI
When connecting to the Controller for the first time, a prompt requesting a security exception may appear because the Controller HTTPS server uses an unknown (self-signed) certificate authority.
Note: While using Internet Explorer, the login attempt may fail if the system time is different than the Controller time. To fix this, ensure the system used to log in to the Controller is in sync with the Controller time.
After accepting the prompts, the system displays the login prompt, shown in the figure below.
Figure 2. DANZ Monitoring Fabric GUI Login Prompt

Use the admin username and password configured for DMF during installation or any user account and password configured with administrator privileges. A user in the read-only group will have access to options for monitoring fabric configuration and activity but cannot change the configuration.

The main menu for the DMF GUI appears in the following figure.
Figure 3. DANZ Monitoring Fabric GUI Main Menu
When logging in to the DMF GUI, a landing page appears. This page shows the DMF Controller Overview, dashboard, and a menu bar (pictured above) with sub-menus containing options for setting up DMF and monitoring network activity. The menu bar includes the following sub-menus:
  • Fabric: manage DMF switches and interfaces.
  • Monitoring: manage DMF policies, services, and interfaces.
  • Maintenance: configure fabric-wide settings (clock, SNMP, AAA, sFlow®*, Logging, Analytics Configuration).
  • Integration: manage the integration of vCenter instances to allow monitoring traffic using DMF.
  • Security: manage administrative access.
  • A profile page that displays or edits user preferences, the ability to change the password or sign out.

The newly designed dashboard displays information about the Controller, including switches, interfaces, policies, and Smart Nodes.

Managing the DMF Controller Cluster

This section describes configuring settings for a DANZ Monitoring Fabric (DMF) cluster or both active and standby Controllers. Most configuration occurs on the active Controller, which synchronizes the standby Controller.

Verifying Cluster Configuration

A DANZ Monitoring Fabric (DMF) Out-of-Band HA cluster consists of two Controller nodes, one active and one standby. Keep the following conditions in mind when configuring the cluster:
  • Both active and standby must be in the same IP subnet.
  • Firewall configurations are separate for active and standby, so manually keep the configuration consistent between the two nodes.
  • NTP service is required to establish a cluster. Starting with DMF 7.0.0, the active Controller provides the NTP service for the cluster and connected switches. The Controller should sync the time from an external NTP server for this service to work.
  • When SNMP service is enabled, it must be manually configured to be consistent on both nodes. To verify the cluster state, use the following commands:
  • Enter the show controller details command from either the active or standby Controller. 
    controller-1(config)# show controller details
Cluster Name : dmf-cluster
Cluster UID : 8ef968f80bd72d20d30df3bc4cb6b271a44de970
Cluster Virtual IP : 10.106.8.4
Redundancy Status : redundant
Redundancy Description : Cluster is Redundant
Last Role Change Time : 2020-11-19 18:12:49.699000 UTC
Cluster Uptime : 3 weeks, 1 day
# IP@Node IdDomain IdStateStatus Uptime
- |---------- |- |------- |--------- |------- |--------- |-------------------- |
1 10.106.8.3 5784 1standbyconnected11 hours, 6 minutes
2 10.106.8.2*253771active connected11 hours, 11 minutes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Failover History ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# New ActiveTime completedNode Reason Description
- |---------- |------------------------------ |----- |--------------------- |------------------------------------------------------- |
1 25377 2020-11-19 18:12:38.299000 UTC25377cluster-config-changeChanged connection state: cluster configuration changed
controller-1(config)#
  • Enter the show controller command to display the current Controller roles from either the active or standby node, as in the following example. 
    controller-1(config)# show controller
Cluster Name : dmf-cluster
Cluster Virtual IP : 10.106.8.4
Redundancy Status : redundant
Last Role Change Time : 2020-11-19 18:12:49.699000 UTC
Failover Reason : Changed connection state: cluster configuration changed
Cluster Uptime : 3 weeks, 1 day
# IP@StateUptime
- |---------- |- |------- |-------------------- |
1 10.106.8.3 standby11 hours, 24 minutes
2 10.106.8.2*active 11 hours, 29 minutes
controller-1(config)#

Configuring the Cluster Virtual IP

Setting up the Virtual IP (VIP) for the cluster is a best practice for connecting to the management port of the active node using an IP address that does not change even if the active Controller fails over and the role of the standby Controller changes to active.
Note: VIP will not work if active and standby Controllers are in different IPv4 subnets. The active and standby Controllers have to be in the same L2 domain.
On the active Controller, enter the virtual-ip command from the config-controller submode. 
controller-1> enable
controller-1# config
controller-1(config)# controller
controller-1(config-controller)# virtual-ip 10.106.8.4
controller-1(config-controller)#

Verify the VIP by entering the show controller command.

controller-1(config)# show controller
Cluster Name : dmf-cluster
Cluster Virtual IP : 10.106.8.4
Redundancy Status : redundant
Last Role Change Time : 2020-11-19 18:12:49.699000 UTC
Failover Reason : Changed connection state: cluster configuration changed
Cluster Uptime : 3 weeks, 1 day
# IP@StateUptime
- |---------- |- |------- |-------------------- |
1 10.106.8.3 standby11 hours, 24 minutes
2 10.106.8.2*active 11 hourmvs, 29 minutes
controller-1(config)#
Note:Make sure you use a unique IP address for the VIP of the cluster. If you use the IP of the standby Controller by mistake, the nodes will form separate clusters. To resolve this problem, assign a unique IP address for the VIP.

Setting the Time Zone

It is essential that the switches, Controllers, hypervisors, VMs, and management systems in the DANZ Monitoring Fabric (DMF) have synchronized system clocks and all use the same time zones.
Note: The hypervisor and the virtual machine running the Controller using different time zones may cause problems with log files or access to the DMF GUI.

To view or change the current time zone on the DMF Controller, complete the following steps.

GUI Procedure

Select Maintenance > Time from the main menu.

The dashboard displays the last updated time on the system, information about the configured NTP server, and provides an option for refreshing the NTP synchronization with the NTP server running on the DMF Master Controller.

Figure 4. Maintenance Time
Time configuration tabs and features include:
  • NTP Servers
  • NTP Keys
  • Time Zone
Select the Time Zone tab and click Edit.
Figure 5. Edit Time Zone Configuration
Select the desired time zone from the drop-down list and click Submit.
Tip: Use the Reset button to clear a time zone entry and use the default UTC.
The dashboard displays the selected time zone.
Figure 6. Time Zone

CLI Procedure

To set the time zone for the Controller from the config-controller submode, use the set timezone command: 
[no] ntp time-zone <time-zone>

Replace time-zone with the specific string for the desired time zone. To see a list of supported values, press Tab after the clock set command. Certain values, such as America/, are followed by a slash (/). These values must be followed by a keyword for the specific time zone. View the supported time zones by pressing Tab again after selecting the first keyword.

For example, the following commands set the time zone for the current Controller to Pacific Standard Time (PST): 
controller-1( (config)# ntp time-zone America/Los_Angeles
Warning: Active REST API sessions will not be informed of updates to time-zone.
Warning: Please logout and login to any other active CLI sessions to
Warning: update the time-zone for those sessions.
controller-1( (config)#
Note: Changes in time zone are logged to the floodlight.log.
The following command removes the manually configured time zone setting and resets the Controller to the default (UTC). 
controller-1(config-controller)# no ntp time-zone
Warning: Manually setting the clock for the DMF Controller using the clock set command may affect database reconciliation between the nodes in a Controller cluster. Because time stamps are used to identify records that should be updated, Arista Networks recommends adjusting any time skew using the ntpdate command. Using an NTP server ensures accurate synchronization between the Controller clocks.

Viewing Controller and Cluster Status

To view the overall Controller status, click the DANZ Monitoring Fabric (DMF) logo in the left corner of the GUI Main menu. The system displays the DMF GUI landing page, shown in the following figure.
Figure 7. Cluster and Controller Status

This page also provides configuration options that let you view and change fabric-wide settings.

To view more details about the DMF cluster, select Maintenance > Cluster. Cluster configuration tabs and features include:
  • Cluster
    • Cluster Information
    • Node Information
    • Node Config State
    • Node Operational State
    • Failover History
  • Local Node
    • Local Node Interface - Management
    • Interfaces
    • Addresses of Interfaces
    • DNS Servers
Figure 8. Cluster Information - Node Information
Figure 9. Cluster - Node Config State, Operational State, Failover History
Select the Local Node tab to view local node details.
Figure 10. Cluster - Local Node

CLI Procedure

View the overall Controller status by entering the show controller command. 
controller-1(config)# show controller details
Cluster Name : dmf-cluster
Cluster UID : 8ef968f80bd72d20d30df3bc4cb6b271a44de970
Cluster Virtual IP : 10.106.8.4
Redundancy Status : redundant
Redundancy Description : Cluster is Redundant
Last Role Change Time : 2020-11-19 18:12:49.699000 UTC
Cluster Uptime : 3 weeks, 1 day
# IP@Node IdDomain IdStateStatus Uptime
- |---------- |- |------- |--------- |------- |--------- |-------------------- |
1 10.106.8.3 5784 1standbyconnected11 hours, 6 minutes
2 10.106.8.2*253771active connected11 hours, 11 minutes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Failover History ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# New ActiveTime completedNode Reason Description
- |---------- |------------------------------ |----- |--------------------- |---------------------------- |
1 25377 2020-11-19 18:12:38.299000 UTC25377 cluster-config-changeChanged connection state:
cluster configuration changed
controller-1(config)#
Use the following commands to modify the Controller configuration:
  • access-control: Configure access control of the Controller
  • cluster-name: Configure cluster name
  • description: Configure cluster description
  • virtual-ip: Configure management virtual IP
To modify the hostname, IPv4 or v6 addresses, or SNMP server configuration, use the following commands:
  • hostname: Configure hostname for this host
  • interface: Configure controller network interface
  • snmp-server: Configure local SNMP attributes

Saving and Restoring Controller Configuration

A properly configured Controller requires no regular maintenance. However, Arista Networks recommends periodically saving a copy of the Controller running-config to a location outside the Controller. Use the copy command from the Controller to an FTP server.

# copy running-config scp://admin:admin@myserver/configs

The format for the remote server username, password, and path name is as follows: scp://<user>:<password>@<host>/<path_to_saved_config>

To restore the Controller configuration from a remote server, remove the standby Controller, then boot factory default on the active node to start a new cluster.

CLI Procedure

  1. Remove the standby node if present. 
    # show controller
Cluster Name : desktop-DMF
Cluster Virtual IP : 10.100.6.4
Redundancy Status : redundant
Last Role Change Time : 2018-10-01 10:43:51.582000 CDT
Failover Reason : Changed connection state: connected to node 15444
Cluster Uptime : 3 months, 2 weeks
# IP @ State Uptime
-|----------|-|-------|---------------|
1 10.100.6.3 * active 4 days, 2 hours
2 10.100.6.2 standby 4 days, 2 hours
# system remove node 10.100.6.2
  2. Reboot the DANZ Monitoring Fabric (DMF) Controller to the factory default by entering the following commands: 
    controller-1> enable
controller-1# boot factory-default
Re-setting controller to factory defaults...
Warning: This will reset your controller to factory-default state and reboot it.
You will lose all node/controller configuration and the logs
  3. Confirm the operation and enter the administrator password. 
    Do you want to continue [no]? yes ...
Removing existing log files ... Resetting system state ...
Current default time zone: 'Etc/UTC' ...
Enter NEW admin password:
...
boot: ...
localhost login:
  4. Rerun the first-time setup again to reconfigure the Controller.
  5. Copy the saved running config from the remote server to the DMF Controller by entering the following command. 
    # copy scp://<user>:<password>@<host>/<path_to_saved_config> running-config
  6. Restore the cluster.
    Remove the standby Controller, then boot factory default on the active node to start a new cluster.
Note: With the introduction of the Command Line Interface (CLI) to Managed Appliances (Service Node / Recorder Node), the CLI command boot factory-default has been extended to launch the first-boot setup process.

Reloading and Rebooting a Controller Using the DMF UI

To use the Reload or Reboot functions, navigate to the DANZ Monitoring Fabric (DMF) Maintenance -> Cluster page. Reload and Reboot appear under the Actions column in the Node Information table.

Note: As a precaution, DMF disables these functions by default. To enable them, click Unlock Power Actions.

To use the Reload and Reboot features, a logged-in DMF user requires read/write sysops permissions on the active cluster node.

For an active/standby cluster configuration, the user can reload or reboot the node.

When the active node is reloaded or rebooted, the standby node becomes the new active node. When the user logs in to the Virtual IP (VIP) address of an active/standby cluster configuration, the user can reload or reboot the active node. The VIP logs in to the new active node without the user changing IP addresses.

The new standby node will not have the Reload or Reboot functionality unless the user directly logs in to that node.

Figure 11. Cluster Page with Reload and Reboot Actions

Workflow

The following information describes the expected behavior of the Reload and Reboot functions based on the type of configuration:

Action Single Node
Reload Click the submit button -> Display submit button loading -> Redirects to login page.
Reboot Click the submit button -> Display submit button loading -> Redirects to the login page.
Action Two Node Cluster without Virtual IP (VIP)
Log into Active Log into Standby
Reload

Click the submit button -> Display submit button loading -> Redirect to the login page (it doesn’t redirect because the session is still active). This node now becomes the standby node).

 Click the submit button -> Display submit button loading -> Redirect to the login page (it doesn’t redirect because the session is still active. This node will remain the standby node).
Reboot

Same as above.

 Same as above.
Action Two Node Cluster with Virtual IP (VIP)
Log into VIP Log into Active Log into Standby
Reload

Click the submit button-> Display submit button loading -> Redirect to the login page. The active and standby nodes are swapped. The VIP has access to the new active node.

 Same behavior as active node without VIP. Same behavior as the standby node without VIP.
Reboot Same as above. Same behavior as active node without VIP. Same behavior as the standby node without VIP.
UI Notifications

The standby banner in the UI displays a link to the active node. This link appears when a user is logged in to the standby node.

Limitations

  1. Executing the power action on a node is only possible if the user logs in to that node. For example, if the user logs in to the active node, they will only be able to execute power actions on the active node; they will have to log in to the standby node to execute power actions on the standby node.
  2. The CLI supports a third power action: shutdown. The UI does not include shutdown support because of the previous limitation. When executing a shutdown on the currently logged-in node, the user loses connection with the UI and cannot view the updated status of the node.
  3. The CLI supports the reload and reboot functionalities for both the active and the standby nodes.

Copying Files Between a Workstation and a DMF Controller

Use the SCP command followed by the keywords shown below on a workstation connected to the DANZ Monitoring Fabric (DMF) Controller management network to copy the following types of files to the Controller:
  • Certificate (//cert)
  • Private key (//private-key/<name>)
  • Running configuration (//running-config)
  • Snapshots (//snapshot)
  • Controller image files (//image)
Copying into //snapshot on the controller overwrites the current running-config except the local
node configuration
Copying into //running-config merges the destination configuration to the running-config on the
controller
To copy, use the following syntax: 
scp <filename> admin@<controller-ip>://<keyword>
For example, the following command copies a Controller ISO image file from a workstation to the image file partition on the Controller to install it. 
scp DMF-8.0.0-Controller-Appliance-2020-12-21.iso This email address is being protected from spambots. You need JavaScript enabled to view it.://image

This example copies the DMF 8.0.0 ISO file from the local workstation or server to the image partition of the DMF Controller running at 10.2.1.183.

Use any user account belonging to the admin group. Replace the admin username in the example above with any other admin-group user, as in the following example. 
c:\>pscp -P 22 -scp DMF-8.0.0-Controller-Appliance-2020-12-21.iso This email address is being protected from spambots. You need JavaScript enabled to view it.://image
This example uses the user account admin-upgrade, which should be a member of the admin group. Use the PSCP command on a Windows workstation to copy the file to the Controller. 
c:\>pscp -P 22 -scp <filename> admin@<controller-ip>://<keyword>
Use the SCP command to get the following files from the Controller and copy them to the local file system of the server or workstation.
  • Running configuration (copy running-config <dest>)
  • Snapshots (copy snapshot:// <dest>)
Use the following commands to copy running-config/snapshot to the remote location: 
controller-1# copy snapshot:// scp://This email address is being protected from spambots. You need JavaScript enabled to view it.://anet/DMF-720.snp
controller-1# copy running-config scp://This email address is being protected from spambots. You need JavaScript enabled to view it.://anet/DMF-720.cfg

Merge and Replace Parameters of Copy Config

When copying a text-based configuration file with the copy <text config> running-config command, it is possible to specify either of two parameters: merge or replace.

Note: The default parameter is merge.

Replace:

The replace option applies a text-based configuration as a full override of the existing one. In other words, it erases the old configuration and applies the new one to a blank slate.

For example, if current_policy.txt is the current running-config on the Controller and policy_modified.txt is a configuration file with modified NTP time zone, NTP servers, recorder-node name, and other policy changes, it is possible first to verify the differences and then to replace the current configuration with a modified configuration file by using the following commands:


dmf-controller-1# compare file://current_policy.txt file://policy_modified.txt
3c3
< ! Current Time: 2024-06-03 22:48:14 UTC
---
> ! Current Time: 2024-06-03 22:44:04 UTC
8,12c8,10
< ntp time-zone America/Los_Angeles
< ntp server ntp1.aristanetworks.com
< ntp server ntp2.aristanetworks.com
< ntp server ntp3.aristanetworks.com
< ntp server ntp4.aristanetworks.com
---
> ntp time-zone UTC
> ntp server time.google.com
> ntp server time.windows.com
79c77
< recorder-node device rn1
---
> recorder-node device rn-modified
103c101
< description testone
---
> description testone-modified
134,135c132,133
< delivery-interface leaf-1-eth3
< filter-interface ixia-5-6
---
> delivery-interface leaf-1-eth3-modified
> filter-interface ixia-5-6-modified

dmf-controller-1# copy file://policy_modified.txt running-config replace
Applied Command: 4: ntp time-zone UTC:
Warning: Active REST API sessions will not be informed of updates to time-zone.
Applied Command: 4: ntp time-zone UTC:
Warning: Please logout and login to any other active CLI sessions to
Applied Command: 4: ntp time-zone UTC:
Warning: update the time-zone for those sessions.
Lines applied: 142, No Errors, Warnings: 3; Commit completed

dmf-controller-1# show run ntp

! ntp
ntp server time.google.com
ntp server time.windows.com

dmf-controller-1# show run ntp details

! ntp
ntp time-zone UTC
ntp server time.google.com
ntp server time.windows.com

dmf-controller-1# show run recorder-node

! recorder-node
recorder-node device rn-modified
mac 52:54:00:59:57:b0

dmf-controller-1# show run policy | grep modified
description testone-modified
delivery-interface leaf-1-eth3-modified
filter-interface ixia-5-6-modified

Merge:

The merge option applies a text-based configuration additively to an existing one. In other words, it adds a new configuration delta to the current configuration. In the case of the previous example, using the merge option would have failed because it would have added a conflicting Recorder Node with a duplicate MAC address, as shown below:


dmf-controller-1# copy file://policy_modified.txt running-config merge
Applied Command: 4: ntp time-zone UTC:
Warning: Active REST API sessions will not be informed of updates to time-zone.
Applied Command: 4: ntp time-zone UTC:
Warning: Please logout and login to any other active CLI sessions to
Applied Command: 4: ntp time-zone UTC:
Warning: update the time-zone for those sessions.
Error: Validation failed: Multiple devices (switch/service) specify 52:54:00:59:57:b0 as mac address
Lines applied: 142, No Errors, Warnings: 0; Commit: failed, changes rolled back

dmf-controller-1# show run recorder-node

! recorder-node
recorder-node device rn1
mac 52:54:00:59:57:b0

If you wanted to apply just a one-line configuration change (let's say, change only the NTP time zone), the one-line change would work with the merge option but not with the replace option, since replace requires a full valid configuration to be applied, as shown below:


dmf-controller-1# show run ntp details

! ntp
ntp time-zone UTC
ntp server ntp1.aristanetworks.com
ntp server ntp2.aristanetworks.com
ntp server ntp3.aristanetworks.com
ntp server ntp4.aristanetworks.com

dmf-controller-1# show file test.txt
ntp time-zone America/Los_Angeles

dmf-controller-1# copy file://test.txt running-config replace
300.0% |****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************Applied Command: 3: ntp time-zone America/Los_Angeles:
300.0% |****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************Warning: Active REST API sessions will not be informed of updates to time-zone.
300.0% |****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************Applied Command: 3: ntp time-zone America/Los_Angeles:
300.0% |****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************Warning: Please logout and login to any other active CLI sessions to
300.0% |****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************Applied Command: 3: ntp time-zone America/Los_Angeles:
300.0% |****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************Warning: update the time-zone for those sessions.
400.0% |**********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************Error: Validation failed: deletion of predefined admin group is not allowed.
Lines applied: 1, No Errors, Warnings: 0; Commit: failed, changes rolled back

Instead, using the (default) merge option to incrementally add a line would succeed, as shown below:


dmf-controller-1# show run ntp details

! ntp
ntp time-zone UTC
ntp server ntp1.aristanetworks.com
ntp server ntp2.aristanetworks.com
ntp server ntp3.aristanetworks.com
ntp server ntp4.aristanetworks.com

dmf-controller-1# show file test.txt
ntp time-zone America/Los_Angeles

dmf-controller-1# copy file://test.txt running-config
300.0% |****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************Applied Command: 3: ntp time-zone America/Los_Angeles:
300.0% |****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************Warning: Active REST API sessions will not be informed of updates to time-zone.
300.0% |****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************Applied Command: 3: ntp time-zone America/Los_Angeles:
300.0% |****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************Warning: Please logout and login to any other active CLI sessions to
300.0% |****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************Applied Command: 3: ntp time-zone America/Los_Angeles:
300.0% |****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************Warning: update the time-zone for those sessions.
400.0% |**********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************Lines applied: 1, No Errors, Warnings: 3; Commit completed

dmf-controller-1# show run ntp

! ntp
ntp time-zone America/Los_Angeles
ntp server ntp1.aristanetworks.com
ntp server ntp2.aristanetworks.com
ntp server ntp3.aristanetworks.com
ntp server ntp4.aristanetworks.com

Snapshot File Management Using REST API

Manage snapshots using the REST API. The API actions and their CLI equivalents are as follows:
  • Take: copy running-config snapshot://my-snapshot
  • Fetch: copy http[s]://snapshot-location snapshot://my-snapshot
  • Read: show snapshot my-snapshot
  • Apply: copy snapshot://my-snapshot running-config
  • List: show snapshot
  • Delete: delete snapshot my-snapshot

Take:

The following example saves the current running-config to snapshot://<file name>. 
curl -H -g -k "Cookie: session_cookie=<session-cookie>" https://<Controller IP>:8443/api/v1/rpc/
controller/snapshot/take -d '{"name": "snapshot://testsnap"}'

Fetch:

Retrieve a snapshot found at source-url and save it locally as testsnap. 
curl -g -k -H "Cookie: session_cookie=<session-cookie>" https://<Controller IP>:8443/api/v1/rpc/
controller/snapshot/fetch -d '{"source-url": "https://...", "name": "snapshot://testsnap"}'

Read:

View the contents of the snapshot named testsnap. The API action isn’t quite the same as the CLI command, since the CLI gives the snapshot contents translated into running-config style CLI commands whereas the API produces the raw, untranslated snapshot data.
Note: Using this API, the user can save the snapshot to a local file on a server. This is equivalent to copy snapshot://<filename> scp://<remote file location>.
To dump the content of snapshot file. 
curl -g -k -H "Cookie: session_cookie=<session-cookie>" https://<Controller IP>:8443/api/v1/
snapshot/testsnap/data
To save the content of snapshot to another file. 
curl -g -k -H "Cookie: session_cookie=<session-cookie>" https://<Controller IP>:8443/api/v1/
snapshot/testsnap/data --output testfile.snp

Above curl example reads the testsnap snapshot file from Controller IP and writes to a file named testfile.snp.

Apply:

Apply the snapshot named testsnap to the controller. 
curl -g -k -H "Cookie: session_cookie=<session-cookie>" https://<Controller IP>:8443/api/v1/rpc/
controller/snapshot/apply -d '{"name": "snapshot://testsnap"}'

List:

List all snapshots on a controller. 
curl -g -k -H "Cookie: session_cookie=<session-cookie>" https://<Controller IP>:8443/api/v1/data/
controller/snapshot/available

Delete:

Delete a snapshot named testsnap from the controller. 
curl -g -k -H "Cookie: session_cookie=<session-cookie>" 'https://<Controller IP>:8443/api/v1/data/
controller/snapshot/available[name="testsnap"]'

Convert a Text-based running-config into a Snapshot

A keyword is added to the copy running-config snapshot://sample command to convert text running-config commands into a JSON snapshot.

Use the keyword transaction to perform the conversion. The keyword can also create a snapshot with specific commands included.

While similar, the following workflows describe two applications of the copy running-config snapshot://sample command and the new transaction keyword.

Workflow - Create a Snapshot

Create a snapshot using the following command:

> copy file://text-commands snapshot://new-snapshot

Use this choice to convert a collection of text commands into a working snapshot. The resulting snapshot has several advantages over the collection of text commands:

  • Snapshots have version details as part of the file format, allowing the configuration to be rewritten based on changes in the new versions of the product.
  • REST APIs post the configuration in large chunks, applying snapshots more quickly. A single text command typically updates a specific amount of configuration parameters while writing the resulting modification to the persistent storage.

The conversion process will:

  • Create a new transaction with all the configuration parameters removed.
  • Replay each command and apply the configuration changes to the active transaction.
  • Invoke the snapshot REST API, which builds a snapshot from the current transaction.
  • Delete the current transaction, preventing any of the applied configuration changes from the replayed command from becoming active.
Note: The conversion requires that the syntax of the text command to be replayed works with the currently supported syntax where it will be applied.

Workflow - Create a Snapshot containing a Specific Configuration

Manually create a snapshot that contains a specific configuration using the following steps.

  1. Enter the configuration mode that supports changes to the configuration.
  2. Create a new transaction using an empty or a current configuration by running one of the following command options.
# begin transaction erase
# begin transaction append
Configuration changes applied while the transaction is active are performed against the transaction but do not update the configuration until the transaction is committed (using the commit transaction command). Several validation checks are postponed until after committing the changes. The commit does not post if validation errors are present.
Note: In this sample workflow, the objective is to create a new snapshot and not to update the system's configuration.
Various changes to the configuration include:
  • Add a new configuration, for example, new switches, new policies, new users, etc.
  • Modify the configuration.
  • Delete the configuration.
  • The local configuration should not be changed, as transactions do not currently manage it. The local system configuration (for example, the hostname) is updated immediately.

The new transaction keyword can be used with the copy command, requesting that the configuration within the transaction be copied or applied to the snapshot and not to the current system configuration. For example, using the following command:

# copy running-config snapshot//:sample transaction
Delete the transaction using the following command:
# delete transaction
Note: The snapshot is updated while the system configuration is not updated.

To check the active transaction on the system, use the following command:

# show transaction

Sample Sessions

The examples below will familiarize the reader with converting a text-based running-config into a snapshot.

Example One

Convert a collection of text commands into a working snapshot using the following command:

> copy file://text-commands snapshot://new-snapshot
Controller1(config)# show file
# Name Size Created
-|--------------------|----|-----------------------|
1 textcommands 3560 2023-08-15 21:37:44 UTC
Controller1(config)# copy file://textcommands snapshot://snap_textcommands
Lines applied: 175, snap_textcommands: Snapshot updated
Controller1(config)# show snapshot snap_textcommands
Note: Some command options listed below are hidden in the CLI since they are in beta in DMF 8.4.0.

Example Two

Manually create a snapshot containing a specific configuration to be added to the existing running configuration. The commands begin transaction or begin transaction append add the commands executed on the transaction to the existing running configuration.

Controller1(config)# begin transaction
id : 5gMoJ6uu7mcA3j3Gs5fGyLRT8ZJW7CI9
Controller1(config)#
Controller1config)#
Controller1(config)# policy policy15
Controller1(config-policy)# action forward
Controller1(config-policy)#
Controller1(config-policy)# exit
Controller1(config)# copyrunning-config snapshot://snap_policy15 transaction
Controller1(config)#
Controller1(config)# delete transaction
Controller1(config)# show snapshot snap_policy15
!
! Saved-Config snap_policy15
! Saved-Config version: 1.0
! Version: 8.4.0
! Appliance: bmf/dmf-8.4.x
! Build-Number 133
!
version 1.0
! ntp
ntp server ntp.aristanetworks.com
! snmp-server
snmp-server enable traps
snmp-server community ro 7 02161159070f0c
! local
local node
hostname Controller1
interface management
!
ipv4
ip 10.93.194.145/22 gateway 10.93.192.1
method manual
!
ipv6
method manual
! deployment-mode
deployment-mode pre-configured
! user
user admin
full-name 'Default admin'
hashed-password method=PBKDF2WithHmacSHA512,salt=qV-1YyqWIZsYc_SK1ajniQ,rounds=25000,ph=true,0vtPyup3h5JThGFLff-1zw-42-BV7tG7Sm99ROT1OmZCZjlzcWLJj9Lc28mxkQI1-assfW2e-OPDhZbu9qCE2Q
! group
group admin
associate user admin
group read-only
! aaa
aaa accounting exec default start-stop local
! controller
controller
cluster-name dmf204
virtual-ip 10.93.194.147
access-control
!
access-list api
10 permit from 10.93.194.145/32
15 permit from 10.93.194.146/32
!
access-list gui
1 permit from ::/0
2 permit from 0.0.0.0/0
!
access-list ntp
1 permit from ::/0
2 permit from 0.0.0.0/0
!
access-list snmp
1 permit from 0.0.0.0/0
!
access-list ssh
1 permit from ::/0
2 permit from 0.0.0.0/0
!
access-list sync
1 permit from ::/0
2 permit from 0.0.0.0/0
!
access-list vce-api
1 permit from ::/0
2 permit from 0.0.0.0/0
! auto-vlan-mode
auto-vlan-mode push-per-filter
! service-node
service-node dmf204-sn
mac e4:43:4b:48:58:ac
! switch
switch gt160
mac c4:ca:2b:47:97:bf
admin hashed-password $6$ppXOyA92$0hibVW63R0t1T3f7NRUFxPEWUb4b64l4dTGEayrrXcw5or/ZDxm/ZNvotQ7AQfVMo7OZ1I.yDLwrnlVXrZkV3.
!
interface Ethernet1
speed 10G
!
interface Ethernet5
speed 25G
switch hs160
mac c4:ca:2b:b7:44:83
admin hashed-password $6$McgvJd94$vRxDNkr2OSz3kiZSYPFCfuIbcaBuIcoC7ywlVeFFd7oAgLn1eVcV6NyEFZnykje4ILUjmJPWdWeu3LaF4sWzd/
!
interface Ethernet4
speed 10G
!
interface Ethernet47
role delivery interface-name veos2-delivery
!
interface Ethernet48
loopback-mode mac
speed 10G
role both-filter-and-delivery interface-name veos1-filter strip-no-vlan
switch smv160
mac 2c:dd:e9:4e:5e:f5
admin hashed-password $6$RyahYdXx$bUXeQCZ1bHNLcJBA9ZmoH/RmErwpDXvJE20UnEXKoLQffodjsyIlnZ1nG54X5Cq5qgb6uTGXs1TMYkqBWurLh1
!
interface Ethernet31/1
rate-limit 100
speed 10G
role delivery interface-name veos6-delivery ip-address 10.0.1.11 nexthop-ip 10.0.1.10 255.255.255.0
! crypto
crypto
!
http
cipher 1 ECDHE-ECDSA-AES128-GCM-SHA256
!
ssh
cipher 1 aes192-ctr
mac 1 hmac-sha1
! policy
policy policy15
action forward

Example Two

Manually create a snapshot that contains a specific configuration.

Controller1(config)# begin transaction erase
id : GAOGEuLS26I67bqJ7J2NcpOtORfflUn_
Controller1(config)#
Controller1(config)# policy policy16
Controller1(config-policy)# action forward
Controller1(config-policy)#
Controller1(config-policy)# exit
Controller1(config)#
Controller1(config)# copy running-config snapshot://snap_policy16 transaction
Controller1config)#
Controller1(config)#
Controller1(config)# delete transaction
Controller1(config)#
Controller1(config)# show snapshot snap_policy16
!
! Saved-Config snap_policy16
! Saved-Config version: 1.0
! Version: 8.4.0
! Appliance: bmf/dmf-8.4.x
! Build-Number 133
!
version 1.0
! local
local node
hostname Controller1
interface management
!
ipv4
ip 10.93.194.145/22 gateway 10.93.192.1
method manual
!
ipv6
method manual
! policy
policy policy16
action forward

Limitations

  • The text-command-to-snapshot conversion process requires that the syntax of the text command to be replayed works (i.e., be compatible) with the currently supported syntax where it is getting applied.
  • Only a global (i.e., cluster-wide) configuration can be managed with snapshots and transactions. View the local (non-global) configuration with the show running-config local command.
  • An error is displayed if the copy running-config snapshot://sample transaction command is performed without starting a new transaction.

Managing DMF Sessions

Complete the following steps to view and configure settings for remote sessions established to the DANZ Monitoring Fabric (DMF) Controller, switches, and managed appliances. Security Sessions configuration tabs and features include:
  • Configuration
    • Edit
  • Sessions
    • Actions - Delete Security Sessions
  1. Select Security > Sessions from the DMF main menu.
    Figure 12. Security Sessions
    The page displays the sessions currently established. To forcibly end a session, select Delete Security Sessions from the Actions control for the session.
    Note: All users should log out when finished to avoid blocked access. No new sessions are allowed if the number of existing sessions equals the limit configured.
  2. Under Configuration, click Edit to configure the default settings for remote connections to the Controller.
    Figure 13. Security Sessions Configurations

    This dialog lets you set an expiration time for sessions and the maximum number of sessions allowed for each user.

    Tip: Use the Reset button to clear the settings and return to the default values, if required.
  3. Make any changes required and click Submit.
    CLI Commands
    To limit the number of concurrent sessions allowed for each user, use the following command: 
    aaa concurrent-limit <number>
    For example, the following command limits the number of concurrent sessions to 5 for each user account. 
    controller-1(config)# aaa concurrent-limit 5

    This limit causes the sixth session connection attempt by the same user account to fail. The excess oldest sessions are closed if more than five are already open.

    This limit applies to sessions established through the GUI, CLI, or REST API, whether directed to the DANZ Monitoring Fabric switches, managed appliances, active or standby Controller, and the cluster virtual IP address.
    Note: All users should log out when finished to avoid blocked access. No new sessions are allowed if the number of existing sessions equals the limit configured.
    To set the expiration time for an AAA session, use the following command from config mode: 
    [no] aaa session-expiration <minutes>
    Replace minutes with an integer specifying the number of minutes for the session expiration. For example, the following command sets the AAAS session expiration to 10 minutes: 
    controller-1(config)# aaa session-expiration 10

Managing and Viewing Logs

By default, the DANZ Monitoring Fabric (DMF) fabric switches send syslog messages to both the active and standby Controllers. Syslog messages are disk persistent and only removed based on time and rotation policy.

After configuring an external syslog server, the Controllers send the syslog messages to the external server and keep a local copy of the syslog messages on the Controller. When configuring multiple external syslog servers, DMF sends the syslog messages to every server. Physical switch logs can be sent directly to an external syslog server instead of sending the logs to the DMF Controller.

Sending Logs to a Remote Syslog Server

With the external Syslog server configured and the logging switch-remote option enabled, the fabric switches send Syslog messages only to the configured external Syslog servers but not to the Controllers. When the logging switch-remote option is enabled, the Controller does not have a local copy of the switch logs.

The Controllers do not share their syslog with the other Controller in the cluster. In other words, the active Controller does not send its syslog messages to the standby Controller, and the standby Controller does not share its syslog messages with the active Controller. Access the individual Controller logs from either the active or standby node.

Using the GUI to Configure Remote Logging

To manage logging, complete the following steps:
  1. Select Maintenance > Logging from the main menu and click Remote Logging.
    Figure 14. Maintenance Logging
  2. To enable remote logging, identify a remote syslog server by clicking the Provision control (+) in the Remote Servers table.
    Note: Enabling remote logging causes syslog messages to be sent directly from the fabric switches to the specified server, bypassing the Controller. As a result, the Switch Light log files will not be available on the local Controller for analysis using the Analytics option.
    Figure 15. Create a Remote Server
  3. Enter the IP address of the remote server. If you are not using the default port (514), specify the port to use and click Save. The server appears on the Logging page.

Using the CLI to Configure Remote Logging

To configure the syslog server for a Controller node, enter the logging remote command using the following syntax:

..code-block:: none

logging remote <ip-address>

For example, the following command sets the syslog server address to 192.168.100.1: 
controller-1(config)# logging remote 192.168.100.1

This example exports the syslog entries from the Controller node to the syslog server at IP address 192.168.100.1.

Viewing Log Files on the Controller

Use the show logging command to view the log files for the different components of the DANZ Monitoring Fabric (DMF) Controller. The options for this command are as follows:
  • audit: Show audit file contents
  • controller: Show log contents for the Controller floodlight process
  • remote: Show remote logs
  • switch switch: Show logs for the specified switch
  • syslog: Show syslog file contents
  • web-access: Show content of the web server access log
  • web-error: Show content of the web server error log
For example, the following command shows the logs for the DMF Controller. 
controller-1> show logging controller
floodlight: WARN [MdnsResponder:Network Queue Processing Thread] ZTN4093: 1CC38M2._gm_idrac._tcp.
local.
2018-03-26T04:03:17.900-07:00 invalid/unrecognized SRV name 1CC38M2._gm_idrac._tcp.local.
floodlight: WARN [MdnsResponder:Network Queue Processing Thread] ZTN4093: 1CC38M2._gm_idrac._tcp.
local.
2018-03-26T04:03:17.900-07:00 invalid/unrecognized SRV name 1CC38M2._gm_idrac._tcp.local.
floodlight: WARN [MdnsResponder:Network Queue Processing Thread] ZTN4093: 1CC38M2._gm_idrac._tcp.
local.
2018-03-26T04:03:17.900-07:00 invalid/unrecognized SRV name 1CC38M2._gm_idrac._tcp.local.
...
controller-1>

Administrative Activity Logs

The DANZ Monitoring Fabric (DMF) Controller logs user activities to the floodlight log file, logging the following events:
  • CLI commands entered
  • Login and logout events
  • Queries to the REST server
  • RPC message summaries between components in the Controller

CLI Commands

Use grep with the show logging command to see the local accounting logs, as in the following example: 
controller-1# show logging controller | grep "cmd_args"
Sep 4 21:23:10 BT2 floodlight: INFO [net.bigdb.auth.AuditServer:Dispatcher-3] AUDIT EVENT: bigcli.
command application_id=bigcli cmd_args=enable
Sep 4 21:23:10 BT2 floodlight: INFO [net.bigdb.auth.AuditServer:Dispatcher-4] AUDIT EVENT: bigcli.
command application_id=bigcli cmd_args=configure
Sep 4 21:23:16 BT2 floodlight: INFO [net.bigdb.auth.AuditServer:Dispatcher-3] AUDIT EVENT: bigcli.
command application_id=bigcli cmd_args=bigtap policy policy3
Sep 4 21:23:20 BT2 floodlight: INFO [net.bigdb.auth.AuditServer:Dispatcher-6] AUDIT EVENT: bigcli.
command application_id=bigcli cmd_args=bigchain chain hohoh
Sep 4 21:23:22 BT2 floodlight: INFO [net.bigdb.auth.AuditServer:Dispatcher-3] AUDIT EVENT: bigcli.
command application_id=bigcli cmd_args=ext
Sep 4 21:23:24 BT2 floodlight: INFO [net.bigdb.auth.AuditServer:Dispatcher-3] AUDIT EVENT: bigcli.
command application_id=bigcli cmd_args=configure
Sep 4 21:23:30 BT2 floodlight: INFO [net.bigdb.auth.AuditServer:Dispatcher-5] AUDIT EVENT: bigcli.
command
To modify the accounting configuration, use the following commands. To start local accounting only, enter the following command: 
controller-1(config)# aaa accounting exec default start-stop local
To start remote accounting only, enter the following command: 
controller-1(config)# aaa accounting exec default start-stop {local [group tacacs+] | [group
            radius]}
To view audit records, enter the following command if local accounting is enabled: 
controller-1# show logging controller | grep AUDIT

If accounting is remote only, consult the administrator for the TACACS+ server for more information.

REST API Logging

Starting with the DANZ Monitoring Fabric 8.4 release, the REST API body can be logged into the audit.log file. Before the 8.4 release, REST API calls from GUI or REST clients were logged in the audit.log file without the request's data (or) body. In this release, the data and body of the REST API call can be logged.

To enable the audit logging, use the configuration below: 
aaa audit-logging log-request-leaf-values record-all-request-values
controller-1# config
controller-1(config)# aaa audit-logging log-request-leaf-values record-all-request-values
controller-1(config)#
To disable, use the no form of the command: 
no aaa audit-logging log-request-leaf-values record-all-request-values
Example of audit.log entry showing SNMP configuration from GUI: 
2022-11-16T12:18:05.106-08:00 floodlight: INFO LOCLAUD1001: AUDIT EVENT: DB_QUERY auth-
description="session/9d0a66315f7d9e0df8f2478fe7c0b3d77cec25e865e4e135f0f9e28237570b70"
user="admin" remote-address="fd7a:629f:52a4:20d0:1ca8:28ed:6f59:cd47" session-id=
"9d0a66315f7d9e0df8f2478fe7c0b3d77cec25e865e4e135f0f9e28237570b70" operation="REPLACE"
uri="https://[fdfd:5c41:712d:d080:5054:ff:fe57:5dba]/api/v1/data/controller/os/config/
global/snmp" http-method="PUT" request-leaf-values="{"contact":"Arista","location":"HQ",
"trap-enabled":false,"user[name=\"cvml\"]/auth-passphrase":"AUTH-STRING","user[name=\
"cvml\"]/name":"cvml","user[name=\"cvml\"]/priv-passphrase":"PRIV-STRING","user[name=\
"cvml\"]/priv-protocol":"aes"}" code="204"
To view the configuration: 
controller-# show run aaa
! aaa
aaa accounting exec default start-stop local
aaa audit-logging log-request-leaf-values record-all-request-values
controller-1#

Restricting Size of REST API Body

Users can restrict the maximum size of the REST API body being passed to a rest call using the following command. Unless configured, the max-body-size is 9223372036854775807 bytes. 
rest-api max-body-size <>
In the example below, the configuration restricts the body of the REST API call to 16K bytes. The REST API call is rejected if the body size exceeds 16K bytes. This feature can help remediate Denial of Service (DOS) attacks where an intruder tries to send a very large configuration repeatedly, attempting to keep the Controller busy parsing the information before applying. As needed, enable this configuration to the attack vector quickly before trying to find the culprits. 
controller-1(config)# rest-api max-body-size
<max-body-size> Integer between 16384 to max integer size
controller-1(config)# rest-api max-body-size
controller-1(config)# rest-api max-body-size 16384
controller-1(config)#
To disable, use the no form of the command: 
no rest-api max-body-size <>

Syslog Over TLS

This section describes how Syslog over TLS is implemented in DANZ Monitoring Fabric (DMF) and the configuration required to implement this feature.

Overview

Transport Layer Security (TLS) is used in DANZ Monitoring Fabric (DMF) to secure syslog messages, which may originate or traverse a non-secure network in transit to the syslog server. Using TLS helps mitigate the following primary threats:
  • Impersonation: An unauthorized sender may send messages to an authorized receiver, or an unauthorized receiver may try to deceive a sender.
  • Modification: An attacker may modify a syslog message in transit to the receiver.
  • Disclosure: An unauthorized entity could examine the contents of a syslog message. TLS, when used as a secure transport, reduces these threats by providing the following functionality.
  • Authentication counters impersonation.
  • Integrity-checking counters modifications to a message on a hop-by-hop basis.
  • Confidentiality works to prevent disclosure of message contents.

Starting from DMF Release 8.4, syslog over TLS is supported only for communication from Controllers to remote syslog servers. Switches and managed appliances such as Recorder Nodes and Service Nodes support plain unencrypted UDP-based syslog messages. To enable syslog over TLS on the Controller,refer to the next section.

Configuration

To enable TLS for syslog messaging, complete the following steps:
Note: The steps below are needed for mutual authentication between client and server. For non-mutual cases, users can skip importing the Controller's certificate and a private key and configuring them.
  1. Generate the certificates for the remote syslog servers and the DANZ Monitoring Fabric (DMF) Controller using the same trusted public or private CA.
  2. Copy the trusted CA root certificate, the Controller's certificate, and the Controller's private key to the DMF Controller. 
    controller-1# copy scp://user@x.x.x.x:/.../cacert.pem cert://
controller-1# copy scp://user@x.x.x.x:/.../dmf-controller-cert.pem cert://
controller-1# copy scp://user@x.x.x.x:/.../dmf-controller-privkey.pem private-key://dmf-privkey
  3. Copy the CA certificate and the syslog server certificates and keys to the respective syslog servers. TLS support should be enabled on the servers by following the prescribed steps for the syslog applications that they are running.
  4. On the active DMF Controller, identify the CA certificate to use with remote syslog servers. 
    controller-1(config)# logging secure ca <capath>
    Note: In the example in Step 2, it is cacert.pem.
  5. Identify a certificate for mutual authentication. 
    controller-1(config)# logging secure cert <certpath>
    Note: In the example in Step 2, it is dmf-controller-cert.pem.
  6. On the active DMF Controller, identify the key for mutual authentication. 
    controller-1(config)# logging secure private-key <keypath>
    Note: In the example in Step 2, it is dmf-privkey, the name given to the key during the copy procedure.
  7. On the active DMF Controller, enable secure logging. 
    controller-1(config)# logging secure tls
  8. To view the syslog messages, enter the following command. 
    controller-1# show logging
    Note: Syslog applications typically send logs to /var/log/messages, /var/log/dmesg, and /var/log/journal by default.

Creating a Support Bundle

A collection of running configuration and log files is critical to understanding the fabric behavior when the fabric is in a faulty state.

The DANZ Monitoring Fabric (DMF) CLI provides the commands to automate the collecting, archiving, and uploading of critical data. These commands cover all devices of the DMF fabric, such as Controllers, switches, DMF Service Node, and DMF Recorder Node.

The following are the commands to configure the Support Bundle data upload: 
controller-1> enable
controller-1# configure
controller-1(config)# service
controller-1(config-service)# support auto-upload
Enabled diagnostic data bundle upload
Use "diagnose upload support" to verify upload server connectivity
To check if the auto-upload is enabled: 
controller-1# show run service
! service
service
support auto-upload
controller-1#
The following is the command to launch the Support Bundle collection. Once the support bundle is collected, it will automatically be uploaded, as seen in the output. Provide the bundle ID to support personnel. 
controller-1# support
Generating diagnostic data bundle for technical support. This may take several minutes...
Support Bundle ID: SGPVW-BZ3MM
Switchlight collection completed after 14.2s. Collected 1 switch (8.56 MB)
Local cli collection completed after 38.2s. Collected 75 commands (0.32 MB)
Local rest collection completed after 0.1s. Collected 3 endpoints (0.43 MB)
Local bash collection completed after 10.0s. Collected 127 commands (4.74 MB)
Local file collection completed after 15.5s. Collected 39 paths (1753.31 MB)
Cluster collection completed after 138.2s. Collected 1 node (1764.50 MB)
Collection completed. Signing and compressing bundle...
Support bundle created successfully
00:04:03: Completed
Generated Support Bundle Information:
Name : anet-support--DMF-Controller--2020-11-24--18-31-39Z--SGPVW-BZ3MM.tar.gz
Size : 893MB
File System Path : /var/lib/floodlight/support/anet-support--DMF-Controller--2020-11-24--18-31-39Z--
SGPVW-BZ3MM.tar.gz
Url : https://10.2.1.103:8443/api/v1/support/anet-support--DMF-Controller--2020-11-24--
18-31-39Z--SGPVW-BZ3MM.tar.gz
Bundle id : SGPVW-BZ3MM
Auto-uploading support anet-support--DMF-Controller--2020-11-24--18-31-39Z--SGPVW-BZ3MM.tar.gz
Transfer complete, finalizing upload
Please provide the bundle ID SGPVW-BZ3MM to your support representative.
00:00:48: Completed
controller-1#
The show support command shows the status of the automatic upload. 
controller-1# show support
# Bundle Bundle idSize Last modified Upload status
- |----------------------------------------------------------------------- |----------- |----- |------------------------------ |---------------- |
1 anet-support--DMF-Controller--2020-11-24--18-31-39Z--SGPVW-BZ3MM.tar.gzSGPVW-BZ3MM893MB2020-11-24 18:35:46.400000 UTCupload-completed
Use the diagnose upload support command to verify the reachability and health of the server used to receive the support bundle. Below is an example output of checks performed when running the command. When a support bundle upload fails, use the command to identify the possible causes. 
controller-1# diagnose upload support
Upload server version: diagus-master-43
Upload diagnostics completed successfully
00:00:02: Completed
Check : Resolving upload server hostname
Outcome : ok
Check : Communicating with upload server diagnostics endpoint
Outcome : ok
Check : Upload server healthcheck status
Outcome : ok
Check : Upload server trusts authority key
Outcome : ok
Check : Signature verification test
Outcome : ok
Check : Resolving objectstore-accelerate hostname
Outcome : ok
Check : Resolving objectstore-direct hostname
Outcome : ok
Check : Communicating with objectstore-accelerate
Outcome : ok
Check : Communicating with objectstore-direct
Outcome : ok
controller-1#
After resolving the issues, retry the upload using the upload support support bundle file name command. Use the same command if auto-upload was not configured before taking the support bundle. 
controller-1# upload support anet-support--DMF-Controller--2020-11-24--18-31-39Z--SGPVW-BZ3MM.tar.gz

The software provides the following options to reduce the amount of log entries collected in the support bundle:


controller-1# support
 logs-since-days Generate diagnostic data bundle
 sequentialUse sequential (non-parallel) fallback collection mode, which will be slower but use fewer resources.
 skip-clusterSkip cluster information from the collection.
 skip-jfr-dump Skip creating JFR information during collection.
 skip-recorder-nodes Skip Recorder Nodes information from the collection.
 skip-service-nodesSkip service nodes information from the collection.
 skip-switches Skip switches information from the collection.
 switchCopy a switch core dump
<Command-end><cr>: Return to execute command
 ; command separator
 | pipe to command
 > redirect
controller-1#

NIST 800-63b Password Compliance

This feature activates password compliance for local accounts on DANZ Monitoring Fabric (DMF) devices (Controller, switches, DMF Service Node, Arista Analytics Node, and DMF Recorder Node). The NIST 800-63b feature enforces that any newly chosen password fulfills the following requirements:

  • The password needs to be at least 8 characters long.
  • The password is not a known compromised password.
Note: Enabling NIST 800-63b compliance only enforces that password changes in the future will enforce the rules; it does not affect existing passwords. Updating all passwords after enabling NIST-800-63b compliance is strongly recommended.

Configuration

The NIST-800-63b compliance mode needs to be set separately on the Controller and the Arista Analytics Node to enforce password compliance for the entire DANZ Monitoring Fabric (DMF) cluster.

Enable NIST 800-63b password compliance 
Controller(config)# aaa authentication password-compliance nist-800-63b
Warning: A password compliance check has been enabled. This enforces compliance
Warning: rules for all newly chosen passwords, but it doesn't retroactively
Warning: apply to existing passwords. Please choose new passwords for
Warning: all local users, managed appliances, switches, and the recovery user.
Disable NIST 800-63b password compliance (non-FIPS) 
Controller(config)# no aaa authentication password-compliance

FIPS versions always enforce NIST 800-63b password compliance by default unless explicitly configured not to do so.

Disable NIST 800-63b password compliance (FIPS) 
Controller(config)# aaa authentication password-compliance no-check
Note: The NIST-800-63b compliance mode must be set separately on the Controller and the Arista Analytics Node to enforce password compliance for the entire DMF cluster.
View the NIST 800-63b password compliance configuration 
Controller(config)# show running-config aaa
! aaa
aaa authentication password-compliance nist-800-63b
Note: Upon activation of NIST 800-63b password compliance, updating local account passwords for DMF devices is recommended. Refer to the commands below to update the passwords.
Controller admin password update 
Controller# configure
Controller(config)# user admin
Controller(config-user)# password <nist-compliant-password>
Service Node admin password update 
Controller(config)# service-node <service-node-name>
Controller(config-service-node)# admin password <nist-compliant-password>
Recorder Node admin password update 
Controller(config)# recorder-node <recorder-name>
Controller(config-packet-recorder)# admin password <nist-compliant-password>
Switch admin password update 
Controller(config)# switch <switch-name>
Controller(config-switch)# admin password <nist-compliant-password>
Note: After upgrading to DMF-7.2.1 and above, existing user credentials continue to work. In the case of a FIPS image, password compliance is enabled by default, and this does not affect existing user accounts. Changing the recovery and local account passwords is recommended after upgrading from the previous FIPS image. In the first time installation of a FIPS image, the first-boot process enforces the NIST compliance standards for the recovery and admin accounts.

Custom Password Compliance

This feature activates password compliance for local accounts on DANZ Monitoring Fabric (DMF) devices (Controller, switches, DMF Service Node, Arista Analytics Node, and DMF Recorder Node).

DMF supports custom password requirements for local users.

To enable the custom password compliance method, use the following command: 
aaa authentication password-compliance custom-check
controller-1(config)# aaa authentication password-compliance custom-check
Warning: A password compliance check has been enabled. This enforces compliance
Warning: rules for all newly chosen passwords, but it doesn't retroactively
Warning: apply to existing passwords. Please choose new passwords for
Warning: all local users, managed appliances, switches, and the recovery user.
controller-1(config)#
To disable, use the no form of the command: 
no aaa authentication password-compliance custom
Note: Enabling the custom password compliance does not apply to already configured user passwords. Arista Networks recommends resetting or reconfiguring the user password to adhere to the password requirements. Without configuring the custom password compliance, configuring the requirements is not effective. To use the feature configure the custom compliance method and set the password requirements.
Once the custom password compliance is enabled, configure the requirements for a password using the following commands: 
controller-1(config)# aaa authentication password-requirement
max-repeated-characters the maximum number of repeated characters allowed
max-sequential-characters the maximum number of sequential characters allowed
minimum-length the minimum required length for passwords
minimum-lowercase-letter the minimum number of lowercase characters required
minimum-numbers the minimum number of numerical characters required
minimum-special-characters the minimum number of special characters required
minimum-uppercase-letter the minimum number of uppercase characters required
reject-known-exposed-passwords check the password against known exposed passwords
controller-1(config)# aaa authentication password-requirement
For example, to set a password that requires 10 minimum characters, 1 minimum number, and 2 maximum repeated characters, do the following: 
controller-1(config)# aaa authentication password-requirement minimum-length 10
controller-1(config)# aaa authentication password-requirement minimum-numbers 1
controller-1(config)# aaa authentication password-requirement max-repeated-characters 2
Configuring or resetting a password that does not meet the requirements results in the following error message: 
controller-1# conf
controller-1(config)# user customPW
controller-1(config-user)# password admin
Error: the password needs to be at least 10 characters long
controller-1(config-user)#
To view the configured password compliance and requirements, use the show run aaa authentication command: 
controller-1# show run aaa authentication
! aaa
aaa authentication password-compliance custom-check
aaa authentication password-requirement max-repeated-characters 2
aaa authentication password-requirement minimum-length 10
aaa authentication password-requirement minimum-numbers 1
controller-1#
To remove the requirements configured, use no form of the commands: 
controller-1(config)# no aaa authentication password-requirement minimum-length 10
controller-1(config)# no aaa authentication password-requirement minimum-numbers 1
controller-1(config)# no aaa authentication password-requirement max-repeated-characters 2

Switch/Managed Appliance Management Interfaces Not Mirroring Controller Management Interface ACLs

Use this feature to configure Access Control Lists (ACLs) on a managed device that do not directly reflect the ACLs configured on the Controller.

Specifically, a user can override the user-configured ACLs on the Controller (generally inherited by the managed devices) so that ACLs allowing specific types of traffic from the Controller only are pushed to managed devices.

The user performs this action on a per-managed-device basis or globally for all managed devices on the CLI. The Controller and analytics node are excluded from receiving this configuration type (when performed globally).

The feature introduces a new CLI mode to address this configuration type on the Controller. That is, the configuration used for pushing to all managed devices exclusively (excluding the Controller) unless overrides exist.

A managed device is a device whose life cycle ZTN manages.

The total set of managed devices is as follows:

  • Managed Appliances

    • Service Node

    • Recorder Node

  • Switches

    • SWL

    • EOS

Note: The analytics node is not in this set since the ZTN mechanisms on the Controller do not manage its life cycle.

Configuration using the CLI

Configure the following on the Controller to enforce Intra-Fabric Only Access (IFOA) for the API service (i.e., port 8443) on all managed devices.

C1> en
C1# conf
C1(config)# managed-devices
C1(config-managed-devices)# access-control
C1(config-managed-devices-access)# service api
C1(config-managed-devices-access-service)# intra-fabric-only-access
Reminder: IP address/method of the management interface cannot be changed,
when a service has intra-fabric only access enforced.
Note: A warning is displayed outlining that the management interface's IP address cannot be changed once any of the services have IFOA enforced for any managed devices. To change the management interface's IP address, disable IFOA for all services.

Several services can have IFOA enforced on them. The list of services and their corresponding ports are shown in the table below. An ❌ means enforcing IFOA on that port on that managed device type is impossible.

Conversely, an ✅ means enforcing IFOA on that port on that managed device type is possible. There may be some information beside the ✅ indicating what runs on that port on the managed device.

Protocol Service Node Recorder Node SWL EOS
SSH (22, TCP)
WEB (80, TCP) ✅ (SLRest, plain-text) ✅ (cAPI)
HTTPS (443, TCP) ✅ (nginx reverse proxies to 1234, for the stenographer) ✅ (SLRest, encrypted)
API (8443, TCP) ✅ (BigDB) ✅ (BigDB) ✅ (BigDB)
To override this global/default config (i.e., config applied to all managed devices) for a specific managed device, use the following config and push it to the Controller. 
C1(config)# switch switch-name
C1(config-switch)# access-control override-global
C1(config-switch)# access-control
C1(config-switch-access)# service api
C1(config-switch-access-service)# no intra-fabric-only-access

As illustrated below, push a similar configuration for the managed appliances, i.e., the Recorder and Service nodes.

Recorder Node

C1(config)# recorder-node device rn1
C1(config-recorder-node)#
C1(config-recorder-node)# access-control override-global
C1(config-recorder-node)# access-control
C1(config-recorder-node-access)# service api
C1(config-recorder-node-access-service)# no intra-fabric-only-access

Service Node

C1(config)# service-node sn1
C1(config-service-node)#
C1(config-service-node)# access-control override-global
C1(config-service-node)# access-control
C1(config-service-node-access)# service api
C1(config-service-node-access-service)# no intra-fabric-only-access

It is also possible to push a configuration that does not override the entire configuration under managed devices but instead merges with it on a per-service basis, for example:

C1(config)# switch core1
C1(config-switch)# access-control merge-global
C1(config-switch)# access-control
C1(config-switch-access)# service api
C1(config-switch-access-service)# no intra-fabric-only-access

This action will merge the global/default config specified under the config-managed-devices CLI submode with the config set for this specific managed device (in this case, the device is a switch, and its name on the Controller is core1).

CLI Show Commands

There are several helpful show commands.

When merging the global/default access-control configuration with the device-specific configuration, understanding the effective configuration (the configuration used in generating the appropriate ACLs) may not be obvious. To see the effective configuration for a specific device, perform the following command:

C1(config)# show effective-config switch core1
! switch
switch core1
access-control
!
service api
intra-fabric-only-access

While displaying the managed device's effective configuration, check the running-config generated by ZTN (the configuration sent to the device), confirming the configuration pushed to the managed device.

C1(config)# show service-node rn1 running-config
.
.
.
interface ma1 acl subnet 10.243.254.20/32 proto tcp port 8443 accept
interface ma1 acl subnet fe80::5054:ff:fef8:b844/128 proto tcp port 8443 accept
interface ma1 acl subnet 0.0.0.0/0 proto tcp port 8443 drop
interface ma1 acl subnet ::/0 proto tcp port 8443 drop
interface ma1 acl subnet ::/0 proto udp port 161 accept
interface ma1 acl subnet 0.0.0.0/0 proto udp port 161 accept
interface ma1 acl subnet 0.0.0.0/0 proto udp port 161 drop
interface ma1 acl subnet ::/0 proto udp port 161 drop
interface ma1 acl subnet 10.243.254.20/32 proto tcp port 22 accept
interface ma1 acl subnet fe80::5054:ff:fef8:b844/128 proto tcp port 22 accept
interface ma1 acl subnet ::/0 proto tcp port 22 accept
interface ma1 acl subnet 0.0.0.0/0 proto tcp port 22 accept
interface ma1 acl subnet 0.0.0.0/0 proto tcp port 22 drop
interface ma1 acl subnet ::/0 proto tcp port 22 drop
interface ma1 acl default accept
.
.
.
Note: For API (port 8443), the system only pushes ACLs that permit IPv4/LLv6 traffic from the Controller and drops everything else. Other ACLs (SSH/SNMP) are not generated from the managed devices' access control configuration on the CLI. They are generated from access-rules configuration for the Controller that gets used or inherited by the managed devices.
Note: The same show command exists for Recorder Nodes and Service Nodes, i.e.: Recorder Nodes
  • show effective-config recorder-node rn1
  • show recorder-node rn1 running-config
Service Nodes
  • show effective-config service-node rn1
  • show service-node rn1 running-config

Limitations

The main limitation of this feature is the inability to change the management interface's IP address (on the CLI) once enforcing IFOA for any of the services on any managed devices so that the Controller does not inadvertently get locked out from the managed devices.

Note: Changing the management IP address via the REST API without getting blocked is possible. However, Arista Networks advises against doing so when enforcing IFOA for any service on any managed device.

Recovery Procedure

This section describes the recovery procedure when one or both Controllers go down.

Recovery from a Single Controller Failure

Procedure
  1. Log in to the remaining (online) Controller and enter the system remove-node failed controller command.
  2. Start a new Controller and complete the first boot process.
  3. When prompted, join the existing/remaining Controller (the configuration syncs to the new Controller as soon as it joins the cluster).
    Note: This step restores only the running configuration. It does not restore user files from the failed Controller.

Recovery from a Dual Controller Failure

The following procedure assumes that the Controllers have the same IP addresses as the failed Controllers.

Procedure

  1. Archive the current running configuration as a database snapshot and save it to the SCP server. Enter the following command from enable mode. 
    controller-1# copy running-config snapshot://current.snp
controller-1# copy snapshot://current.snp scp://This email address is being protected from spambots. You need JavaScript enabled to view it./home/anetadmin/
                  controller.snp
This email address is being protected from spambots. You need JavaScript enabled to view it.'s password:
controller.snp 5.05KB -00:00
controller-1#
  2. Install the first Controller and complete the first boot process.
  3. Restore the archived version of the running configuration by entering the following command from enable mode. 
    new-controller-1# copy scp://This email address is being protected from spambots. You need JavaScript enabled to view it./home/anetadmin/controller.snp
                  snapshot://controller.snp
This email address is being protected from spambots. You need JavaScript enabled to view it.'s password:
controller.snp
5.05KB - 00:00
new-controller-1# copy snapshot://controller. running-config
new-controller-1#
    Note: This step only restores the running configuration. It does not restore all user files from the previously running Controller.
  4. Install the second Controller and complete the first boot process.
  5. When prompted, join the first Controller to form a cluster.
  6. The configuration between Controllers synchronizes as soon as the standby Controller joins the cluster.
    Note: This step only restores the running configuration. It does not restore user files from the failed Controller.
  7. If the new Controllers are running a different version than the previous set of Controllers, reboot the switches to obtain a compatible switch image from the Controller. Enter the following command from enable mode: 
    new-controller-1# system reboot switch switch
*sFlow® is a registered trademark of Inmon Corp.

Getting Started

This chapter describes the software and hardware requirements and summarizes the steps for deploying the DANZ Monitoring Fabric (DMF) Controller.

 

DMF Installation Prerequisites

Follow the prerequisite steps below:

Table 1. DANZ Monitoring Fabric (DMF) Prerequisites
Task Description Comments
1. Connect the management port of the DMF switches to the management network switch.  
2. Connect the DMF switch console port to the console server. The default baud rate is 9600 for Arista Networks switches. The default baud rate is 115200 for ONIE-enabled switches.  
3. Connect the DMF Controller, Service Node, Recorder Node, and Analytics Node Ethernet port to the management network switch.  
4. For the DMF Controller, Service Node, Recorder Node, and Analytics Node, connect the iDRAC port to the management network (if possible, to a different subnet). Assign an iDRAC IP and validate the DMF Controller, Service Node, Recorder Node and, Analytics Node iDRAC are reachable. The default password for iDRAC should be at the bottom of the Service Tag.  
5. Connect the DMF Service Node and Recorder Node data ports to the DMF switch per customer-designed topology. Refer to Overview for Service Node data ports and Overview for Recorder Node data port.  
6. On the management network switch, ensure that spanning-tree mode edge or spanning-tree mode portfast is enabled for all the ports to which the DMF appliances and switches are connected.  
7. On management network switch ensure that IGMP snooping is disabled.  
8 On the management network switch ensure IPv6 communication in the L2 domain.  
9. Verify reachability to NTP, DNS, and default gateway IP address for the management network.  
10. For L3 deployment (where Controller, DMF switches, DMF Service Node, or DMF Recorder Node are in different subnets), ensure the correct ports on the firewall are open. Refer to Management Plane Security (Protocol Access Required for the DMF Controller) for a list of ports on the firewall to open.  

Downloading Software

The Arista Support Portal provides links to software packages and documentation for DANZ Monitoring Fabric (DMF) products.

To download the DMF software or documentation, click the DMF (BMF) / CCF (BCF) tab and expand the DANZ Monitoring Fabric (DMF) - Big Monitoring Fabric (BMF) folder tree.

Download the appropriate release documents from the DMF - BMF Product Documentation folder tree.

To download software, expand the DMF - BMF Software Downloads folder tree and locate the required software from either DMF - BMF Latest Recommended Release, DMF - BMF Prior Recommended Release, or DMF - BMF All Releases folder trees.

Figure 1. Downloading Software

Where to Start

The following table identifies the documents that provide information and procedures for common tasks when deploying DANZ Monitoring Fabric (DMF).

Task Document
1. Identify new features and any software or upgrade issues for the current release. Release Notes
2. Verify the compatibility of any hardware components used in your deployment. Hardware Compatibility List
3. Explore features and identify the configuration required. DMF User Guide and Analytics User Guide
4. Other tasks as needed. See Documentation Summary
Note: The Documentation Summary identifies other documents to help perform tasks after initial deployment.

Documentation Summary

The following documents help perform tasks after initial deployment:
  • Analytics User Guide - Configuring and using Arista Analytics.
  • Deployment Guide - Procedures for installation, upgrade, and initial DMF Controller configuration common to all DMF features and use cases.
  • Hardware Compatibility List - Lists software and hardware tested for interoperability with the current DMF release.
  • Hardware Guide - Describes the LEDs and ports for DMF supported switch and appliance hardware.
  • DMF User Guide - Configuring and using DANZ Monitoring Fabric features.
  • Release Notes - New features, upgrade issues, open and resolved issues in the current release, SW behavior changes, and known limitations.
  • REST API Guide - General Guidelines using REST API and a list of REST API calls.
  • SNMP MIB Reference Guide - Supported MIBs.
  • Verified Scale - Tested and verified scaling for DMF.

DMF Software and Hardware

This section lists the Controller and switch requirements for deploying the DANZ Monitoring Fabric (DMF).
  • DMF Controller:
    • Controller Software.
    • Controller Hardware Appliance or KVM/ESX Virtual Machine (For VM requirements, refer to Installing a Controller VM.
  • Switch Requirements
    • Refer to the DANZ Monitoring Fabric 8.4 Hardware Compatibility List for the supported switch hardware.
    • Switch software.
The figure below shows the interfaces provided by the DMF Controller hardware.
Figure 2. DMF Controller Hardware Appliance
The following table describes the interfaces:
Table 2. DMF Controller Interfaces
Port Set Function Where It is Connected
Controller Management Ports

2 x 1G white-labeled ports

 Administrative access to the DMF Controller using CLI, GUI, or REST. Connect both ports for redundancy. Customer management network.
Controller iDRAC green-labeled port For remote management of DMF Controller Appliance. Connect green-labeled 1Gb port to DMF management network.
Packet Capture Ports-10Gb

First 10G orange-labeled ports

 For Packet Capturing Feature on DMF Controller Appliance. Connect the first orange-labeled 10Gb port to DMF fabric switches.

DANZ Monitoring Fabric Quick Start

Configuration CLI Example GUI Option Documentation
Active and Standby DANZ Monitoring Fabric (DMF) Controllers. Complete the First boot script. 
# show controller
Controller View Installing and Configuring the DMF Controller
Monitoring Fabric Switches
  • Name and MAC address.
 
# switch switch-1 
mac <mac-address>
 Fabric > Switches Installing DMF Switches
DMF Service Node
  • Name and MAC address.
  • Connect it to the DMF fabric and management network.
  • First boot and initial setup.
  • Managed services.
 
# service-node <name>
mac <mac-address>
Fabric > Switches Monitoring > Managed Services Installing and Upgrading the DMF Service Node
DMF Recorder Node
  • Register name and MAC address.
  • Define recorder instance and interface.
  • Assign a recorder interface to policy.
 
# recorder-node device <recorder-name> 
mac <mac-address> 

# recorder-fabric interface <name>
recorder-interface switch <switch name> <interface used for recording>
 Monitoring > Recorder Node Monitoring > Policies Installing and Configuring the DMF Recorder Node
Out-of-Band policies
  • Assign filter interface role to port connected to SPAN or Tap interfaces.
  • Assign delivery interface role to ports connected to tools.
  • Match interesting traffic and forward traffic to tools connected to delivery ports.
 
# switch switch-1
interface ethernet1
role filter interface-name span-tap-1

# switch switch-1
interface ethernet2
role delivery interface-name tool-1

# policy p1
10 match tcp
action forward
filter-interface span-tap-1
delivery-interface tool-1
 Monitoring > Interfaces Monitoring > Policies

DANZ Monitoring Fabric 8.4 User Guide

Arista Analytics Complete the First boot script and perform initial configuration Settings > Analytics Configuration

Arista Analytics 8.4 User Guide

DANZ Monitoring Fabric
Deployment Guide
Arista Networks

www.arista.com

DANZ Monitoring Fabric Deployment Guide

Version 8.6

DOC-06958-01

 

Headquarters
5453 Great America Parkway
Santa Clara, CA 95054, USA
+1-408 547-5500
www.arista.com
Support
+1-408 547-5502
+1-866 476-0000
This email address is being protected from spambots. You need JavaScript enabled to view it.
Sales
+1-408 547-5501
+1-866 497-0000
This email address is being protected from spambots. You need JavaScript enabled to view it.
© Copyright 2024 Arista Networks, Inc. The information contained herein is subject to change without notice. Arista Networks and the Arista logo are trademarks of Arista Networks, Inc., in the United States and other countries. Other product or service names may be trademarks or service marks of others.