Using the vEOS Router on KVM and ESXi

 

This chapter describes the system requirements, installation, and configuration procedures for the vEOS Router on a hypervisor.

Server

A server can be either a hardware or software entity.

A hardware server is the physical computer that executes the virtual machine manager or hypervisor and all the virtual machines, also known as the host machine.

A software server is the hypervisor or virtual machine manager that hosts and manages the virtual machines. It is also sometimes referred to as the host.

VMware ESXi Minimum Server Requirements

x86-64 Server class CPU (32-bit CPUs are not supported) with

  • Ethernet NICs must be SR-IOV capable
  • BIOS / System Firmware support for SR-IOV
  • 8 GB free disk space
  • 16 GB RAM
  • 4 cores running a minimum 2.4GHz or greater and 16 GB memory
  • Intel VT-x and VT-d support

Note: To ensure compatibility, upgrade the ESXi NIC drivers to the latest version provided by VMware.

VMware ESXi SR-IOV based deployment

  • Ethernet NICs must be SR-IOV capable
  • BIOS / System Firmware support for SR-IOV

KVM Requirements

vEOS must be deployed on an x86-64 architecture server running the KVM hypervisor.

KVM Minimum Server Requirements

8 GB free disk space

16 GB RAM

x86-64 Server class CPU (32-bit CPUs are not supported) with

  • Intel VT-x or AMD-V support for CPU Virtualization
  • Intel VT-d or AMD-IOMMU support for PCIe passthrough
  • Intel AES-NI support
  • 4 CPU cores running at 2.4GHz.

KVM SR-IOV Based Deployment

  • Ethernet NICs must be SR-IOV capable
  • BIOS / System Firmware support for SR-IOV

Supported Topologies

The following scenarios are described in the Hypervisor chapter:

  • Launching ESXi using vSphere Web Client
  • Launching vEOS on KVM with Linux bridge
  • Launching vEOS on KVM with SR-IOV
  • Launching vEOS on KVM with PCI-Passthrough
This chapter includes the following sections:

VMware ESXi Hypervisor

Describes the launch sequence for VMware ESXi 6.0 and 6.5.

Launching VMware ESXi 6.0 and 6.5

How to launch VMware ESXi 6 and ESXi 6.5 for vEOS.

There are different ESXi user interfaces for managing the ESXi host, such as the vSphere Web Client and the ESXi Web Client. The following task is required to launch VMware 6.0 and 6.5 and provides a general guideline on the steps involved in deploying virtual machines with an OVF/OVA template.

Note: Arista support suggests using only the vSphere Web Client. The ESXi Web Client may have untested issues.
Note: Make sure the VMware/ESXi Client used for OVA deployment supports the SHA256 hashing algorithm.

1. From the vCenter Server WEB-UI navigator, select Deploy OVF template.

2. Select the OVA file from the local machine.

3. Select the name and location for vEOS deployment.

4. Select the host, cluster, resource pool or VAPP.

5. Verify the template details.

6. Select Thick provision eager zeroed from the datastore.

7. Select the default network.

8. Complete the launch process.

9. The progress of the deployment displays under the Recent Tasks tab at the bottom of the page. Once the deployment is complete, power on the machine.

Enabling SR-IOV or PCI Passthrough on ESXi

Describes how to enable single root input/output virtualization (SR-IOV) or PCI passthrough on VMware ESXi.

To enable SR-IOV or PCI passthrough on ESXi, complete the following steps.

  1. Navigate to Manage for the ESXi host, then select the Hardware tab.
  2. Locate and select your PCI device/NIC.
  3. Use either the Toggle passthrough or the Configure SR-IOV selection to activate the mode.
  4. Reboot the ESXi host for the configuration to take effect.
  5. After reboot, the NIC reflects the changes. For SR-IOV, new virtual function (VF) devices are created.
  6. Edit the VM and select Add other device, then select PCI Device to create the New PCI Device for the VM.
  7. Select the New PCI Device to use the SR-IOV VF or PCI Passthrough device.

KVM

This section describes the system requirements, installation and configuration procedures for CloudEOS and vEOS.

Server

A server can be either a hardware or software entity.

A hardware server is the physical computer that executes the virtual machine manager or hypervisor and all the virtual machines. This is also known as the host machine.

A software server is the hypervisor or virtual machine manager that hosts and manages the virtual machines. It is also sometimes referred to as the host. In this document specifically, the software server is comprised of RedHat Linux with virtualization support (KVM).

System Requirements

Below are the minimum system requirements for using KVM.

Minimum Server Requirements

Any VMware supported ESXi server hardware.

Hypervisor support
  • RedHat 7x with virtualization support. For virtualization setup, see https://wiki.centos.org/HowTos/KVM.
  • Libvirt must be installed; executing virsh list should return without errors. Python 2.7+ is required to run the installation script vSphere 6.0.

vEOS Virtual Machine

Minimum requirements:

  • 2 vCPUs
  • 4GB Memory
  • 8G Free disk space

Maximum capacities

  • 16 vCPUs
  • 8 network interfaces

Supported Images

Image Name | File Name | Details
KVM vEOS image | EOS.qcow2 | Image Hard Disk that contains vEOS. This file can grow as agents in vEOS generate logs/traces, etc.

Using Libvirt to Manage CloudEOS and vEOS VM on KVM

Libvirt is an open source library that provides management of CloudEOS and vEOS virtual machines.

Libvirt supports many functions such as creation, update, and deletion of VMs.

The complete Libvirt command reference can be found at http://libvirt.org/virshcmdref.html

Define a new VM

Define a domain from an XML file by using the virsh define <vm-definition-file.xml> command. This defines the domain, but it does not start the domain.

The definition file has vm-name, CPU, memory, network connectivity, and a path to the image. The parameters can be found at https://libvirt.org/formatdomain.html. There is a sample CloudEOS and vEOS file in the example below.

Undefine the Inactive Domain

Undefine the configuration for the inactive domain by using the virsh undefine <vm-name> command and specifying its domain name.

Start VM

Start a previously defined or inactive domain by using the virsh start <vm-name> command.

Stop VM

Terminate a domain immediately by using the virsh destroy <vm-name> command.

Managing Networks

The XML definition format for networks is defined at https://libvirt.org/formatnetwork.html. These commands are similar to the VM commands, but with the prefix 'net-':

The virsh net-define <network-definition-file.xml> command defines a virtual network from an XML file without starting it.

The virsh net-undefine <network-name> command removes an inactive virtual network from the libvirt configuration.

The virsh net-start <network-name> command manually starts a virtual network that is not running.

The virsh net-destroy <network-name> command shuts down a running virtual network.

Launching vEOS in LinuxBridge Mode

 

Use the script SetupLinuxBridge.pyc. Usage: python SetupLinuxBridge.pyc <bridge-name>

Cut and paste the following XML template into a file (veos.xml) and customize the elements that are in bold below.

  • virsh define <veos definition file, for example veos.xml>
  • virsh start <veos-name>
  • virsh console <veos-name>

<domain type='kvm'>
<!-- veos name, cpu and memory settings -->
<name>kvs1-veos1</name>
<memory unit='MiB'>4096</memory>
<currentMemory unit='MiB'>4096</currentMemory>
<vcpu placement='static'>2</vcpu>
<resource>
<partition>/machine</partition>
</resource>
<cpu mode='host-model'/>
<os>
<type arch='x86_64'>hvm</type>
<boot dev='cdrom'/>
<boot dev='hd'/>
</os>
<features>
<acpi/>
<apic/>
<pae/>
</features>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>restart</on_crash>
<devices>
 <emulator>/usr/bin/qemu-system-x86_64</emulator>
 <disk type='file' device='disk'>
<driver name='qemu' type='qcow2' cache='directsync'/>
<source file='/path_to_file/CloudEOS.qcow2'/>
<target dev='hda' bus='ide'/>
<alias name='ide0-0-0'/>
<address type='drive' controller='0' bus='0' target='0' unit='0'/>
 </disk>
<disk type='file' device='cdrom'>
<driver name='qemu' type='raw'/>
<source file='/path_to_file/Aboot-veos-serial.iso'/>
<target dev='hdc' bus='ide'/>
<readonly/>
<alias name='ide0-1-0'/>
<address type='drive' controller='0' bus='1' target='0' unit='0'/>
</disk>
<controller type='usb' index='0'>
<alias name='usb0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
</controller>
<controller type='pci' index='0' model='pci-root'>
<alias name='pci0'/>
</controller>
<controller type='ide' index='0'>
<alias name='ide0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
</controller>
<!-- In this case management is connected to linux bridge -->
<interface type='bridge'>
<source bridge='brMgmt'/>
<model type='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
<serial type='pty'>
<source path='/dev/pts/4'/>
<target port='0'/>
<alias name='serial0'/>
</serial>
<console type='pty' tty='/dev/pts/4'>
<source path='/dev/pts/4'/>
<target type='serial' port='0'/>
<alias name='serial0'/>
</console>
<input type='mouse' bus='ps2'/>
<graphics type='vnc' port='5903' autoport='yes' listen='127.0.0.1'>
<listen type='address' address='127.0.0.1'/>
</graphics>
<video>
<model type='cirrus' vram='9216' heads='1'/>
<alias name='video0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</video>
<memballoon model='virtio'>
<alias name='balloon0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
</memballoon>
<!-- Has two data ports on different vlans
Cut and paste the more interface elements for more interfaces but increment the slot number.
Note that brWAN and brLAN bridges need to be created beforehand -->
<interface type='bridge'>
<source bridge='brWAN'/>
<model type='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='5' function='0x0'/>
</interface>
<interface type='bridge'>
<source bridge='brLAN'/>
<model type='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='6' function='0x0'/>
</interface>
</devices>
</domain>
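
The template's comment says to increment the slot number for each added interface, and its addresses mix hex (slot='0x03') and decimal (slot='5') notation. The check below is an added example, not part of the Arista documentation: it lists the bridges a definition needs, reports PCI address collisions after normalizing both notations, and flags VNC listeners that are not loopback. The brDMZ interface and the host interface set passed in are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the template's <devices> section plus one
# extra data interface (brDMZ) whose slot was typed as 0x5, the same slot as
# brWAN's decimal '5'.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>kvs1-veos1</name>
  <devices>
    <controller type='usb' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
    </controller>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <interface type='bridge'>
      <source bridge='brMgmt'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <graphics type='vnc' port='5903' autoport='yes' listen='127.0.0.1'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
    <video>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </memballoon>
    <interface type='bridge'>
      <source bridge='brWAN'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='5' function='0x0'/>
    </interface>
    <interface type='bridge'>
      <source bridge='brLAN'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='6' function='0x0'/>
    </interface>
    <interface type='bridge'>
      <source bridge='brDMZ'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x5' function='0x0'/>
    </interface>
  </devices>
</domain>
"""


def _num(text):
    """Parse a PCI address field written as hex ('0x03') or decimal ('5')."""
    text = text.strip().lower()
    return int(text, 16) if text.startswith("0x") else int(text, 10)


def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr == "localhost"


def audit_domain(xml_text, host_interfaces):
    """Audit a libvirt domain definition before running 'virsh define'.

    host_interfaces is the set of interface names present on the hypervisor
    (on a live host, for example set(os.listdir('/sys/class/net'))).
    """
    devices = ET.fromstring(xml_text).find("devices")
    bridges = [i.find("source").get("bridge")
               for i in devices.findall("interface[@type='bridge']")]

    # Group devices by normalized PCI address to find two devices on one slot.
    by_address = {}
    for dev in devices:
        addr = dev.find("address[@type='pci']")
        if addr is None:
            continue
        key = "{:04x}:{:02x}:{:02x}.{:x}".format(
            *(_num(addr.get(k)) for k in ("domain", "bus", "slot", "function")))
        src = dev.find("source")
        bridge = src.get("bridge") if src is not None else None
        by_address.setdefault(key, []).append(
            dev.tag + (":" + bridge if bridge else ""))

    # Collect VNC listen addresses that are reachable from off the host.
    vnc = []
    for g in devices.findall("graphics[@type='vnc']"):
        addrs = [g.get("listen")]
        addrs += [l.get("address") for l in g.findall("listen[@type='address']")]
        vnc += [a for a in addrs if a and not _is_loopback(a)]

    return {
        "bridges": bridges,
        "missing_bridges": [b for b in bridges if b not in host_interfaces],
        "pci_collisions": {k: v for k, v in by_address.items() if len(v) > 1},
        "vnc_non_loopback": vnc,
    }


if __name__ == "__main__":
    print(audit_domain(SAMPLE_DOMAIN_XML, {"brMgmt", "brWAN", "brLAN", "eth0"}))
```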

Example Deployment

VIRTIO & Linux Bridging Deployment

vEOS can employ para-virtualized network I/O interfaces, which in Linux KVM are also known as Virtio. Each NIC is connected to a unique underlying Linux layer-2 bridge in the hypervisor, which in turn provides access to an uplink.

In this example,

  • Ethernet1 connects to the physical Ethernet port that connects to the WAN through a LinuxBridge. The Router is configured with a WAN IP address on this port.
  • Ethernet2 connects to the physical ethernet port that connects to the LAN through a LinuxBridge.
  • Server IP address in the diagram is assumed to be configured on the LAN LinuxBridge device.

Note: Arista recommends using Ethernet1 for WAN and Ethernet2 for LAN. However, any vEOS port can be used.

Figure 1. Linux Bridge and Virtio-based Deployment

Setting Up the Host for Single Root I/O Virtualization (SR-IOV)

Single Root I/O Virtualization (SR-IOV) allows a single PCIe physical device under a single root port to appear to be multiple physical devices to the hypervisor.

The following tasks are required to set up the host for SR-IOV.

1. Verify the IOMMU Support.

Use the virt-host-validate Linux command to check IOMMU (input/output memory management unit) support. If it does not "PASS" for IOMMU, check the BIOS setting and kernel settings.

The example below is what should be displayed.

[arista@solution]$ virt-host-validate
QEMU: Checking for device assignment IOMMU support : PASS
QEMU: Checking if IOMMU is enabled by kernel : PASS

2. Verify the Drivers are Supported.

Ensure the PCI device with SR-IOV capabilities is detected. In the example below, an Intel 82599ES network interface card is detected, which supports SR-IOV.

Verify the ports and NIC IDs that are in bold in the lspci | grep Ethernet Linux command output below.

# lspci | grep Ethernet
01:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
01:00.1 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
01:00.2 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
01:00.3 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
81:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
81:00.1 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
81:00.2 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
81:00.3 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
82:00.0 Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)
82:00.1 Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)
83:00.0 Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)
83:00.1 Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)

3. Verify the driver kernel is active.

After confirming the device support, the kernel should load the driver kernel module automatically. To verify the driver kernel is active, use the lsmod | grep igb Linux command.

[root@kvmsolution]# lsmod | grep igb
igb                   197328  0
ptp                    19231  2 igb,ixgbe
dca                    15130  2 igb,ixgbe
i2c_algo_bit           13413  2 ast,igb
i2c_core               40756  6 ast,drm,igb,i2c_i801,drm_kms_helper,i2c_algo_bit

4. Activate Virtual Functions (VFs).

The maximum number of supported virtual functions depends on the type of card. To activate the VFs, use /sys/class/net/<Device_Name>/device/sriov_numvfs or the method shown below. The example shows that the PF identifier 82:00.0 supports a total of 63 VFs.

Example

[arista@localhost]$ cat /sys/bus/pci/devices/0000\:82\:00.0/sriov_totalvfs
63

To activate seven VFs per PF and make them persistent after reboot, add the line options igb max_vfs=7 in the ixgbe.conf and sriov.conf files in /etc/modprobe.d.

Use the rmmod ixgbe and modprobe ixgbe Linux commands to unload and reload the module.

5. Verify the VFs are detected.

Verify the VFs are detected by using the lspci | grep Ethernet Linux command. For the two identifiers 82:00.0 and 82:00.1, 14 VFs are detected.

# lspci | grep Ethernet
82:00.0 Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)
82:00.1 Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)
82:10.0 Ethernet controller: Intel Corporation 82599 Ethernet Controller Virtual Function (rev 01)
82:10.1 Ethernet controller: Intel Corporation 82599 Ethernet Controller Virtual Function (rev 01)
82:10.2 Ethernet controller: Intel Corporation 82599 Ethernet Controller Virtual Function (rev 01)
82:10.3 Ethernet controller: Intel Corporation 82599 Ethernet Controller Virtual Function (rev 01)
82:10.4 Ethernet controller: Intel Corporation 82599 Ethernet Controller Virtual Function (rev 01)
82:10.5 Ethernet controller: Intel Corporation 82599 Ethernet Controller Virtual Function (rev 01)
82:10.6 Ethernet controller: Intel Corporation 82599 Ethernet Controller Virtual Function (rev 01)
82:10.7 Ethernet controller: Intel Corporation 82599 Ethernet Controller Virtual Function (rev 01)
82:11.0 Ethernet controller: Intel Corporation 82599 Ethernet Controller Virtual Function (rev 01)
82:11.1 Ethernet controller: Intel Corporation 82599 Ethernet Controller Virtual Function (rev 01)
82:11.2 Ethernet controller: Intel Corporation 82599 Ethernet Controller Virtual Function (rev 01)
82:11.3 Ethernet controller: Intel Corporation 82599 Ethernet Controller Virtual Function (rev 01)
82:11.4 Ethernet controller: Intel Corporation 82599 Ethernet Controller Virtual Function (rev 01)
82:11.5 Ethernet controller: Intel Corporation 82599 Ethernet Controller Virtual Function (rev 01)

6. Locate the serial numbers for the PFs and VFs.

Locate the serial numbers for the PFs and VFs. The Linux virsh nodedev-list | grep 82 command below displays the serial number for identifiers 82:00.0 and 82:00.1. The first two numbers are the serial numbers for the PFs and the remaining are the serial numbers for the VFs.

# virsh nodedev-list | grep 82
pci_0000_82_00_0
pci_0000_82_00_1
pci_0000_82_10_0
pci_0000_82_10_1
pci_0000_82_10_2
pci_0000_82_10_3
pci_0000_82_10_4
pci_0000_82_10_5
pci_0000_82_10_6
pci_0000_82_10_7
pci_0000_82_11_0
pci_0000_82_11_1
pci_0000_82_11_2
pci_0000_82_11_3
pci_0000_82_11_4
pci_0000_82_11_5

7. Select the serial number of the VF.

Select the serial number of the VF that will attach to the VM (vEOS). Using the Linux virsh nodedev-dumpxml <serial number> command, locate the bus, slot, and function parameters. For example, serial number: pci_0000_82_11_1 displays the following details.

# virsh nodedev-dumpxml pci_0000_82_11_1
<device>
<name>pci_0000_82_11_1</name>
<path>/sys/devices/pci0000:80/0000:80:02.0/0000:82:11.1</path>
<parent>computer</parent>
<driver>
<name>ixgbevf</name>
</driver>
<capability type='pci'>
<domain>0</domain>
<bus>130</bus>
<slot>17</slot>
<function>1</function>
<product id='0x10ed'>82599 Ethernet Controller Virtual Function</product>
<vendor id='0x8086'>Intel Corporation</vendor>
<capability type='phys_function'>
<address domain='0x0000' bus='0x82' slot='0x00' function='0x1'/>
</capability>
<iommuGroup number='71'>
<address domain='0x0000' bus='0x82' slot='0x11' function='0x1'/>
</iommuGroup>
<numa node='1'/>
<pci-express>
<link validity='cap' port='0' width='0'/>
<link validity='sta' width='0'/>
</pci-express>
</capability>
</device>

8. Create a new Interface.

Shutdown the vEOS VM if it is already running. Open the XML file for the specific vEOS VM for editing using the Linux command virsh edit <vm-name>. In the interface section, create a new interface by adding the details as shown below. The bus, slot, and function values are in the hexadecimal format of the decimal values found in step 7.

<interface type='hostdev' managed='yes'>
<source>
<address type='pci' domain='0x0000' bus='0x82' slot='0x11' function='0x1'/>
</source>
</interface>

9. Start the vEOS VM. Verify there is an added interface on the VM. Use the command ethtool -i et9 to verify that the driver for the added interface is ixgbevf.

switch(config)#show interface status
Port       Name   Status       Vlan     Duplex Speed  Type         Flags
Et9               notconnect   routed   unconf unconf 10/100/1000
Ma1               connected    routed   a-full a-1G   10/100/1000

[admin@vEOS]$ ethtool -i et9
driver: ixgbevf
version: 2.12.1-k
firmware-version:
bus-info: 0000:00:0c.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: no
supports-register-dump: yes
supports-priv-flags: no
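
Steps 7 and 8 as a script, added here as an example rather than taken from the Arista documentation: it reads nodedev-dumpxml output, refuses a device that is not a virtual function, converts the decimal bus, slot, and function values to hex, and reports any other device sharing the VF's IOMMU group. The function names are this example's own, and the PF input is a constructed counter-example.

```python
import xml.etree.ElementTree as ET

# nodedev-dumpxml output for pci_0000_82_11_1 as shown in step 7, trimmed to
# the elements this example reads.
VF_NODEDEV_XML = """
<device>
  <name>pci_0000_82_11_1</name>
  <driver><name>ixgbevf</name></driver>
  <capability type='pci'>
    <domain>0</domain>
    <bus>130</bus>
    <slot>17</slot>
    <function>1</function>
    <capability type='phys_function'>
      <address domain='0x0000' bus='0x82' slot='0x00' function='0x1'/>
    </capability>
    <iommuGroup number='71'>
      <address domain='0x0000' bus='0x82' slot='0x11' function='0x1'/>
    </iommuGroup>
  </capability>
</device>
"""

# Constructed counter-example: a physical function. It advertises
# virt_functions and has no phys_function parent.
PF_NODEDEV_XML = """
<device>
  <name>pci_0000_82_00_0</name>
  <capability type='pci'>
    <domain>0</domain>
    <bus>130</bus>
    <slot>0</slot>
    <function>0</function>
    <capability type='virt_functions' maxCount='64'/>
  </capability>
</device>
"""

FIELDS = ("domain", "bus", "slot", "function")


def _addr_tuple(elem):
    """Read an <address> element whose attributes are hex strings."""
    return tuple(int(elem.get(k), 16) for k in FIELDS)


def describe_vf(nodedev_xml):
    """Return the VF's address, parent PF and IOMMU group from nodedev XML."""
    dev = ET.fromstring(nodedev_xml)
    pci = dev.find("capability[@type='pci']")
    if pci is None:
        raise ValueError("not a PCI node device")
    # The top-level domain/bus/slot/function elements are decimal.
    own = tuple(int(pci.findtext(k)) for k in FIELDS)
    parent = pci.find("capability[@type='phys_function']/address")
    if parent is None:
        raise ValueError(dev.findtext("name") + " is not a virtual function")
    group = pci.find("iommuGroup")
    members = [_addr_tuple(a) for a in group.findall("address")] if group is not None else []
    return {
        "name": dev.findtext("name"),
        "address": own,
        "parent_pf": _addr_tuple(parent),
        "iommu_group": group.get("number") if group is not None else None,
        # Other devices in the same IOMMU group are not isolated from this VF.
        "iommu_peers": [m for m in members if m != own],
    }


def hostdev_interface_xml(info):
    """Build the <interface> element of step 8 with hex address values."""
    d, b, s, f = info["address"]
    return (
        "<interface type='hostdev' managed='yes'>\n"
        "  <source>\n"
        f"    <address type='pci' domain='0x{d:04x}' bus='0x{b:02x}' "
        f"slot='0x{s:02x}' function='0x{f:x}'/>\n"
        "  </source>\n"
        "</interface>"
    )


if __name__ == "__main__":
    vf = describe_vf(VF_NODEDEV_XML)
    print(vf)
    print(hostdev_interface_xml(vf))
```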

 

Launching SR-IOV

vEOS can also use PCIe SR-IOV I/O interfaces. Each SR-IOV NIC is passed through to the VM such that network I/O does not hit the hypervisor. In this model, the hypervisor and multiple VMs can share the same NIC card.

 

SR-IOV has the following advantages over LinuxBridge:

  • Higher Performance ~ 2x.
  • Better latency and jitter characteristics.
  • vEOS directly receives physical port state indications from the virtual device.
  • Using SR-IOV virtualizes the NIC.
  • The NICs have a built-in bridge to do basic bridging.
  • Avoids software handling of the packets in the kernel.

Figure 2. Linux SR-IOV PCI Passthrough-based Deployment

Setting Up the Host and Launching PCI Pass-through

Set up a networking device to use PCI pass-through.

When sharing resources is not efficient, or packets are consumed by a virtualized switch before reaching the VM (vEOS), implementing PCI Pass-through for the NIC provides dedicated and non-filtered network resources to the VM.

1. Identify Available Physical Functions.

Similar to the SR-IOV, identify an available physical function (a NIC in this scenario) and its identifier. Use the lspci | grep Ethernet Linux command to display the available physical functions.

In this example, 82:00.0 Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection is the physical function and 82:00.0 is the device identification code.

# lspci | grep Ethernet
01:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
01:00.1 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
01:00.2 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
01:00.3 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
81:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
81:00.1 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
81:00.2 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
81:00.3 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
82:00.0 Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)
82:00.1 Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)
83:00.0 Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)
83:00.1 Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)

2. Verify Available Physical Functions.

Verify the available physical functions by using the virsh Linux commands.

[arista@solution]$ virsh nodedev-list | grep 82_00_0
pci_0000_82_00_0
[arista@solution]$ virsh nodedev-dumpxml pci_0000_82_00_0
<device>
<name>pci_0000_82_00_0</name>
<path>/sys/devices/pci0000:80/0000:80:02.0/0000:82:00.0</path>
<parent>pci_0000_80_02_0</parent>
<driver>
<name>vfio-pci</name>
</driver>
<capability type='pci'>
<domain>0</domain>
<bus>130</bus>
<slot>0</slot>
<function>0</function>
<product id='0x10fb'>82599ES 10-Gigabit SFI/SFP+ Network Connection</product>
<vendor id='0x8086'>Intel Corporation</vendor>
<capability type='virt_functions' maxCount='64'/>

In this example, the domain is 0 (Hex domain=0x0), the bus is 130 (Hex bus=0x82), the slot is 0 (Hex slot=0x0), and function is 0 (Hex function=0x0).

With the domain, bus, slot, and function information, construct the device entry and add it into the VMs XML configuration.

 <devices>
...
  <hostdev mode='subsystem' type='pci' managed='yes'>
<source>
<address domain='0x0000' bus='0x82' slot='0x00' function='0x0'/>
</source>
</hostdev>

3. Verify the NIC was detected by the VM.

When starting the VM (vEOS in this case), the VM should detect the NIC.

switch#bash
 
Arista Networks EOS shell
 
[admin@veos1 ~]$ lspci | grep Ethernet
00:03.0 Ethernet controller: Intel Corporation 82599EB 10-Gigabit SFI/SFP+ Network Connection (rev 01)
00:05.0 Ethernet controller: Red Hat, Inc Virtio network device
[admin@veos ~]$ 

4. Verify Driver Requirements.

If the NIC is supported by the vEOS and any other driver requirements are met, the corresponding ethernet interfaces are available to use on the vEOS. Use the show interface command to display the available vEOS Ethernet interfaces.

switch#show interface status
Port       Name   Status       Vlan     Duplex Speed  Type         Flags
Et1               connected    routed   full   10G    10/100/1000
Ma1               connected    routed   a-full a-1G   10/100/1000
 
switch#bash
bash-4.3# ethtool -i et1
driver: ixgbe
version: 4.2.1-k
firmware-version: 0x18b30001
bus-info: 0000:00:03.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: no 

Example Deployment

vEOS can use passthrough I/O interfaces where the network I/O does not hit the hypervisor. In this model, the VM owns the entire network card, thus fully bypassing the hypervisor.

Setting up SR-IOV is initially more involved. Arista recommends starting out with LinuxBridge.

SR-IOV has the following advantages over LinuxBridge:

  • Higher Performance ~ 2x
  • Better latency and jitter characteristics
  • vEOS directly receives physical port state indications from the virtual device.

Figure 3. Linux PCI Passthrough-based Deployment

 

Using the CloudEOS and vEOS Router on Microsoft Azure

The CloudEOS and vEOS Router, which is based on the Arista EOS, runs as a virtual machine instance on Azure. Use the CloudEOS and vEOS Router to create the various types of virtual machine router instances you need for your Azure deployment, for example, gateway routers and transit routers.

CloudEOS and vEOS Router Image Updates

The process you use to update CloudEOS and vEOS Router images is the standard update process used for EOS images.

For details on the steps to use, refer to the Arista EOS User Manual (see https://www.arista.com/en/support/product-documentation).

Launching CloudEOS and vEOS Router Azure Instance

There are two methods which can be used to launch a CloudEOS and vEOS Router instance.

Below is a summary of each method.

  • Portal Marketplace: This method launches an instance using the Azure Portal Marketplace UI.
    Note: Arista recommends using only the v2 instance type for better pricing and performance while creating an instance using Azure Marketplace. Also, make sure to enable Accelerated Networking on all the interfaces while creating an instance.
  • Azure CLI 2.0: This method launches an instance using a custom template through the Azure CLI 2.0. The primary advantage of a CLI deployment is the ability to include custom-data and customize your deployment.

Do not deploy the same template twice into a single resource group, because this creates name conflicts. To deploy multiple instances into the same resource group, modify the template, so all resources are renamed, and all IP addresses are unique.

Creating an Instance using the Portal Marketplace

To create an instance using the Portal Marketplace, complete the following steps.

Note: Arista recommends using only the v2 instance type for better pricing and performance while creating an instance using Azure Marketplace. Also, make sure to enable Accelerated Networking on all the interfaces while creating an instance.
  1. In the Azure portal, select the green '+' button in the top left of the screen.
  2. In the search bar, type "Arista" and press enter.
    Figure 1. Type "Arista"
  3. Select the Arista offer you are interested in.
    Figure 2. Arista selection
  4. Select "Create".
    Figure 3. Select "Create"
  5. Fill out the required information and press "OK".
    Figure 4. Required information
  6. Configure the VNet and press "OK".
    Figure 5. Configuring the VNet
  7. Configure the subnets and press "OK".
    Figure 6. Configuring the subnets
  8. Verify the information is correct and press "OK".
    Figure 7. Verification
  9. Read the Terms and Conditions, then press "Purchase".
    Figure 8. Terms and Conditions

Creating an Instance under Azure CLI 2.0

To create an instance under Azure CLI 2.0, complete the following steps.

  1. Install Azure CLI 2.0 (https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest).
  2. Run az login and follow the prompts to authorize the machine.
  3. Download the template and parameters files from the GitHub repository: https://github.com/Azure/azure-quickstart-templates
  4. Open <prefix>-parameters.json. Locate the ./single_line_json.sh user_data.txt script.
  5. Copy and paste the generated output into the customData value field of the JSON parameters file.
  6. Use the script as in the following example:
    #!/usr/bin/bash
    cat "$1" | python -c 'import json, sys; print( json.dumps( sys.stdin.read() ) )'
  7. Use the template and parameters JSON files to launch a CloudEOS and vEOS Router instance in Azure using the Azure CLI 2.0.
    $ az group create --name ExampleGroup --location "Central US"
    Note: You must use the same location as the storage account where the VHD image is uploaded.
    $ az group deployment create \
    --name ExampleDeployment \
    --resource-group ExampleGroup \
    --template-file <prefix>-template.json \
    --parameters @<prefix>-parameters.json
    Note: If you are using a newer version of the Azure CLI 2.0, you may encounter a parameter file parsing bug. To fix this, remove the @ symbol before the parameters filename.

Logging into Instance

To log into an instance, complete the following steps.

  1. Select the resource group containing your CloudEOS and vEOS Router deployment from the Resource groups list.
  2. Select the item publicIP.
    Figure 9. Selecting the PublicIP
  3. Locate the IP address and DNS name found on the Overview page.
    Figure 10. Locating the IP address and DNS
    NOTE: If either of these fields is not populated, your instance still deploys. Refresh the page after a couple of minutes.
  4. Secure Shell (SSH) to your Virtual Machine (VM) using the IP address or Domain Name Server (DNS) name found in the previous step, using the credentials you gave when you initially set up the VM.
    bash# ssh <username>@<IP address or DNS name>
    Password: *********
    NOTE: It may take between 5-10 minutes for the instance to become reachable after the deployment starts. Refer to the section Troubleshooting Instance for additional information.

CloudEOS Router Startup-Configuration using Instance Custom-Data

Describes launch employing custom-data information.

During the initial launching of the vEOS Router Instance, Azure provides a feature to upload custom-data. The administrator can upload vEOS Router configuration using custom-data at the time of the launching of the vEOS Router Instance.

Custom-data can be used to pass in configuration for multiple entities. Currently, only the EOS configuration is supported in Azure. This configuration must be separated by start and end markers.

 

Entity | Markers | File Path
EOS CLI configuration file | %EOS-STARTUP-CONFIG-START% and %EOS-STARTUP-CONFIG-END% | N/A
EOS CLI configuration file. Use: %FORCE_USER_DATA% forcibly applies the Arista startup configs in the user custom data (under %EOS-STARTUP-CONFIG-START% and %EOS-STARTUP-CONFIG-END%) even when it is not a first-time boot of the instance. | %FORCE_USER_DATA% | N/A

Note the following regarding the custom-data:

  • Markers must be at the beginning of the line.
  • The user is expected to have tested the configurations on a live system before using the configurations to deploy the new vEOS Router. Mis-configuration may result in an unrecoverable instance.
  • EOS configuration for all interfaces can be passed in during deployment. The configuration takes effect as the new instances attach to the vEOS Router.

Sample Instance Custom-Data

Illustrates a sample Instance with custom-data.

%EOS-STARTUP-CONFIG-START%
! EOS startup config
username admin nopassword
username admin sshkey file flash:key.pub
%EOS-STARTUP-CONFIG-END%

Providing Startup-Configuration using Azure Custom-Data

Adding custom-data to an instance.

Currently, custom-data can only be used on instances deployed using the Azure CLI 2.0.

In order to add custom-data to an instance, the custom-data must be provided as a single-line value with '\n' delimiting newlines.

Use the single_line_json.sh script to convert your custom-data into this format.

#!/usr/bin/bash
cat "$1" | python -c 'import json, sys; print( json.dumps( sys.stdin.read() ) )'

Usage of the script is as follows:

./single_line_json.sh user_data.txt

Copy and paste the generated output into the customData value field of the JSON parameters file.
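
The marker rules and the single-line encoding described above can be checked before deployment. The following is an added example, not part of the Arista documentation: it verifies that markers start at the beginning of a line and are paired, extracts the EOS configuration, lists accounts created with nopassword for review, and produces the same single-line value as single_line_json.sh. The function names, the treatment of %FORCE_USER_DATA% as valid anywhere at the start of a line, and the nopassword review list are assumptions of this example; the second input is constructed.

```python
import json
import re

START = "%EOS-STARTUP-CONFIG-START%"
END = "%EOS-STARTUP-CONFIG-END%"
FORCE = "%FORCE_USER_DATA%"
MARKERS = (START, END, FORCE)

# The custom-data shown under "Sample Instance Custom-Data".
PAGE_SAMPLE = "\n".join([
    "%EOS-STARTUP-CONFIG-START%",
    "! EOS startup config",
    "username admin nopassword",
    "username admin sshkey file flash:key.pub",
    "%EOS-STARTUP-CONFIG-END%",
]) + "\n"

# Constructed bad input: the start marker is indented, so it is not at the
# beginning of the line and the end marker is left without a matching start.
BAD_SAMPLE = "  %EOS-STARTUP-CONFIG-START%\nhostname r1\n%EOS-STARTUP-CONFIG-END%\n"

NOPASSWORD_RE = re.compile(r"\s*username\s+(\S+)\s+nopassword\b")


def check_custom_data(text):
    """Validate marker placement and pairing; return the extracted config."""
    config, problems = [], []
    force = inside = False
    for n, line in enumerate(text.splitlines(), 1):
        marker = next((m for m in MARKERS if m in line), None)
        if marker and not line.startswith(marker):
            problems.append(f"line {n}: {marker} must be at the beginning of the line")
        elif marker == START:
            if inside:
                problems.append(f"line {n}: {START} repeated before {END}")
            inside = True
        elif marker == END:
            if not inside:
                problems.append(f"line {n}: {END} without {START}")
            inside = False
        elif marker == FORCE:
            force = True
        elif inside:
            config.append(line)
    if inside:
        problems.append(f"{START} is never closed by {END}")

    # Accounts configured without a password, surfaced for a human to review.
    nopassword = []
    for line in config:
        match = NOPASSWORD_RE.match(line)
        if match:
            nopassword.append(match.group(1))
    return {
        "config": config,
        "force_user_data": force,
        "problems": problems,
        "nopassword_users": nopassword,
    }


def to_custom_data_value(text):
    """Encode custom-data as one JSON string, as single_line_json.sh does."""
    return json.dumps(text)


if __name__ == "__main__":
    report = check_custom_data(PAGE_SAMPLE)
    print(report)
    if not report["problems"]:
        print(to_custom_data_value(PAGE_SAMPLE))
```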

Troubleshooting Instance

To troubleshoot the instance, complete the following steps.

  1. Select the resource group containing your CloudEOS and vEOS Router deployment from the Resource groups list.
  2. Select the item CloudEOS and vEOS Router.
    Figure 11. Select the CloudEOS and vEOS Router
  3. Note the status of the VM. It should either be "Creating", "Starting", or "Running".
    Figure 12. Status of the VM
  4. Check the boot diagnostics for any error messages or warnings.
    Figure 13. Error messages and warnings

Using CloudEOS and vEOS Router on the AWS Platform

The CloudEOS and vEOS Router, based on the Arista EOS, runs as a virtual machine instance on AWS EC2. Use the CloudEOS and vEOS Router to create the various types of virtual machine router instances for AWS deployment, for example, gateway routers and transit routers.

CloudEOS and vEOS Router Image Updates

The process to update CloudEOS and vEOS Router images is the standard update process used for EOS images.

For details on the steps to use, refer to the Arista EOS User Manual (see https://www.arista.com/en/support/product-documentation).

Amazon Machine Image (AMI) Specifications

The AMI provided by Arista utilizes the architecture, type of root device, virtualization type, and interface type required to configure the CloudEOS and vEOS Router for a robust AWS deployment.

The specifications of the Arista AMI are:

Methods for Launching CloudEOS and vEOS Router Instances

Launching CloudEOS and vEOS Router Instances Using AWS CloudFormation

 

Using AWS CloudFormation to launch CloudEOS and vEOS Router instances involves creating a CloudFormation stack to use to launch the instance. The created stack provides the base configuration for the instance. As part of this task, select a stack template, which defines the base configuration of the instance.

Make sure to select the stack template that provides the resources required for the instances that are launching. Templates can be obtained from https://github.com/aristanetworks. For more information about AWS CloudFormation stacks and using stack templates, refer to the AWS documentation (see https://aws.amazon.com/documentation/cloudformation/).

Complete these steps to launch CloudEOS and vEOS Router instances using AWS CloudFormation.

  1. Log in to the Amazon Management Console.
  2. Choose Services > CloudFormation.
    The CloudFormation page appears showing the current stacks available to use.
  3. Click on the Create Stack button.
    The page refreshes to show the templates that are available to use to create a new stack.
  4. Select a nic template for upload, and then click on the Next button.
    Note: Templates can be found in the docs directory. Press Select to choose the desired AMI.
    The page refreshes showing the options for specifying the details for the stack.
  5. Enter the Stack Name, Subnet IP Block for each interface, VPC ID, KeyPair Name, UserData in base64 format, and AMI ID. (To convert UserData from text to base64 format, use the base64 command on a macOS or Linux machine.)
    # base64
    %EOS-STARTUP-CONFIG-START%
    hostname myhost
    %EOS-STARTUP-CONFIG-END%
    <Press CTRL+D>
    JUVPUy1TVEFSVFVQLUNPTkZJRy1TVEFSVCUKaG9zdG5hbWUgbXlob3N0CiVFT1MtU
    1RBUlRVUC1DT05GSUctRU5EJQo=
     
  6. Review the details and make changes if needed.
  7. Click the Create button to create the stack.
  8. Wait for the stack creation to complete. Resources created as part of the stack creation process can be viewed in the Resource tab.
  9. Click on the CloudEOS and vEOS Router instance ID to view the status of CloudEOS and vEOS Router instance. The instance ID is shown in the Physical ID column of the Resources tab.

    Recommended Usage

    AWS cannot auto-assign a public IPv4 address when an EC2 instance is launched, or started from the stopped state, with multiple network interfaces attached to it. In such cases, the user cannot connect to the instance over IPv4 unless an Elastic IP address is assigned to the primary network interface (eth0). If the user does not want to associate an Elastic IP address with the CloudEOS and vEOS Router instance, it is recommended to attach any additional interface only when the instance is in the running state and never to stop and start the instance from then on. The user may reboot the instance either from the AWS console or from within CloudEOS and vEOS Router using the CLI or bash commands because, unlike an instance stop, an instance reboot does not release the public IPv4 address. To associate an Elastic IP address with your instance or primary network interface, refer to https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html

Launching CloudEOS and vEOS Router Instances Using EC2 AWS Marketplace

 

Launching CloudEOS and vEOS Router instances using the EC2 AWS Marketplace gives the ability to create and configure CloudEOS and vEOS Router instances in the VPCs of your AWS deployment. This method utilizes Amazon Machine Images (AMIs) to configure the operating system of the instance. Obtain the AMI needed for the instance from the AWS Marketplace. This task involves creating an EC2 key pair, selecting the AMI to configure the operating system of the instance, selecting the instance type, and if needed, configuring advanced details (options) for the instance.

Available Options

During this configuration procedure, you can configure some options to take advantage of certain features. These optional configuration items are:
  • Assigning an IAM role to the instance
    To enable AWS services on the instance (for example, AWS CloudWatch logs) assign an IAM role to the instance during this procedure. Assign an IAM role to the instance by:
  • Using instance user-data to configure the instance

    CloudEOS and vEOS supports the use of CloudEOS and vEOS Router instance user-data to configure CloudEOS and vEOS Router instances at launch. This involves uploading instance user-data to the instance by way of the Advanced Details dialog. There is an option of copying and pasting a configuration into the dialog or attaching a configuration file.

    For details on composing user data for CloudEOS and vEOS Router, see Using User-data for Configuration of Entities and CloudEOS and vEOS Router Instances.

Complete the following steps to launch CloudEOS and vEOS Router instances.

  1. Log in to the Amazon Management Console.
  2. Create an EC2 key pair and download the .pem file that contains the private key. (The .pem file may download automatically.)
  3. Go to the EC2 Dashboard.
  4. From the EC2 Dashboard, click Instances in the left pane.
    The Launch Instance page appears.
  5. Click on the Launch Instance button.
    The page appears for you to select an AMI.
  6. Click on AWS Marketplace in the left pane.
    Search for Arista CloudEOS and vEOS Router in the search field to bring up the available CloudEOS and vEOS AMIs to use. Select the appropriate AMI for launching.
  7. A screen appears showing the user highlights, pricing details and instance types available. Press the Continue button to advance.
  8. Click in the left pane.
    The Choose an Instance Type page appears.
  9. Select an instance type that meets the requirements for the CloudEOS and vEOS Router instance.
  10. Click on the Next: Configure Instance Details button (lower right part of the page).
    The Configure Instance Details page appears.
  11. (Optional) Create a new IAM role or select an existing IAM role. (This is required to enable AWS services on the instance, for example, AWS CloudWatch logs.)
  12. (Optional) To configure advanced details for the instance, scroll down to the bottom of the page and click on the Advanced Details button.
    The Advanced Details dialog appears. You use the dialog to upload user-data to configure the instance.

    Do one of the following to configure the instance using user-data:

    • Choose the Text option, and then copy-and-paste startup-config in the text box.
    • Attach the configuration as a file by clicking on the file, and then choose the configuration file to be uploaded.

    For details on composing user data for CloudEOS and vEOS Router, see Using User-data for Configuration of Entities and CloudEOS and vEOS Router Instances.

  13. From the Configure Instance Details page, click the Review and Launch button.
    The Review Instance Launch page appears.
  14. Click on the Launch button.
    A dialog appears for selecting a key pair.
  15. Using the Select a key pair menu, select the key pair created earlier in the procedure. In this example, the key pair is named "systest."
  16. Select the acknowledgment (near the bottom of the dialog), and then click on the Launch Instances button.
    The Launch Status page appears showing the status of the instance. The deployment takes a few minutes to complete.
  17. Click on the blue link to the instance to view details about the instance. (The link is in the "Your instances are now launching" box near the top of the page.)
    The page shows the details for the instance.
  18. Make sure the Instance State shows running. Wait for the status to update to running.
  19. (Optional) To use the existing subnet and security group for the instance, record the subnet and security group. This information is required when configuring the network interfaces to be attached to the instance.
  20. (Optional) Click on the Connect button near the top of the page.
    The Connect to Your Instance dialog appears.
  21. Connect to the instance using the public or private IP address of the instance. The correct syntax is: ssh -i <privateKey.pem> <user>@<instance-IP-address>
    Example:
    #ssh -i <privateKey.pem> <user>@<instance-IP-address>

Complete the networking tasks for the CloudEOS and vEOS Router instances in the gateway topology (see Network Configuration Tasks for CloudEOS and vEOS Router Instances).

Configuring the AWS CloudWatch Logs Agent

 

The AWS CloudWatch Logs Agent is the mechanism that publishes CloudEOS and vEOS Router logs to AWS CloudWatch. Configuring the AWS CloudWatch Logs Agent ensures that the CloudEOS and vEOS Router logs published to AWS CloudWatch conform to the selected requirements. The AWS CloudWatch Logs Agent is packaged with the awslogs.swix CloudEOS and vEOS extension, which is installed and enabled by default when the CloudEOS and vEOS Router instances launch through the AWS Marketplace.

Refer to the “AWS CloudWatch Quick Start Guide” to make sure that the CloudEOS and vEOS Router instance has the right credentials for logging in to AWS.

Note: To manually install or uninstall the awslogs.swix CloudEOS and vEOS extension, see https://aristanetworks.force.com/AristaCommunity/s/article/packaging-and-installing-eos-extensions. To obtain the awslogs.swix CloudEOS and vEOS extension, contact Arista TAC if required.
Where to find CloudEOS and vEOS Router logs

The location where CloudEOS and vEOS Router logs are published depends on the AWS CloudWatch Logs configuration. By default, the logs are located in CloudWatch under the log group named "CloudEOS and vEOSlogs".

Modifying AWS log configuration
Modify the AWS log configuration by:
  • Editing configuration files under the /mnt/flash/awslogs/ directory.
  • Passing instance user-data. Make sure to use the correct start and end markers, which are:
    
    %AWSLOGS-CONFIG-START%
    #configuration here
    %AWSLOGS-CONFIG-END%
    %AWS-PROXY-START%
    #configuration here
    %AWS-PROXY-END%
    Note: Restart awslogs using sudo systemctl restart awslogs under bash. The reconfiguration does not take effect until awslogs restarts.
CloudEOS and vEOS Router log filenames

By default, the hostname of the CloudEOS and vEOS Router instance is the filename of all CloudEOS and vEOS Router logs for that instance.

Network Configuration Tasks for CloudEOS and vEOS Router Instances

Complete additional configuration tasks to ensure that the CloudEOS and vEOS Router instances launched have the required networking configuration. The configuration tasks include creating the additional network interfaces required by the topology, attaching the new interfaces to CloudEOS and vEOS Router instances, and configuring the route table of the AWS Specific Cloud Router.

Creating the Additional Network Interfaces

Creating the additional network interfaces required for the topology ensures that there are interfaces available to attach to CloudEOS and vEOS Router instances. When creating the new network interfaces, there is the option of using the subnet and security groups that were automatically assigned to the instance, or specifying a different subnet and security groups for the instance.

Pre-requisites:

To use the existing subnet and security group for the CloudEOS and vEOS Router instance, make sure to have the following information:
  • Subnet ID
  • Names of the security groups
Obtain this information by viewing the instance details.

Procedure

Complete these steps to create network interfaces.

  1. Go to the EC2 Dashboard.
  2. In the NETWORK & SECURITY menu on the left part of the page, select Network Interfaces.
    The page refreshes to show all of the current network interfaces.
  3. Select the Create Network Interface button.
    The Create Network Interface dialog appears.
  4. Do the following:
    a. Enter a description for the network interface.
    b. Select the subnet for the network interface. (This can be the existing subnet for the CloudEOS and vEOS Router instance or a different subnet.)
    c. Type the names of the security groups for the network interface. (Specify the existing security groups for the CloudEOS and vEOS Router instance, or different security groups.)
  5. Select the Yes, Create button.
    The new network interface is added to the list of interfaces on the page.
  6. Repeat steps 3 through 5 to create additional interfaces as needed.
  7. For each network interface created, complete steps a and b:
    a. Select the interface, then choose Actions > Change Source/Dest Check.
      The Change Source/Dest Check dialog appears showing the selected name of the network interface.
    b. Select the Disabled option, then click on the Save button.

Attach the new network interface to a CloudEOS and vEOS Router instance (see Attaching the New Network Interfaces to Instances).

Attaching the New Network Interfaces to Instances

 

Attaching the new network interfaces to CloudEOS and vEOS Router instances is the second networking configuration task. This task involves selecting the new network interfaces created in the previous procedure and then attaching the interfaces to CloudEOS and vEOS Router instances.

Complete these steps to attach the new network interfaces to CloudEOS and vEOS Router instances.

  1. Go to the EC2 Dashboard.
  2. Open the INSTANCES menu on the left side of the page, then click Instances.
    The page lists all of the current network interfaces.
  3. Select the CloudEOS and vEOS Router instance to attach a newly created network interface.
  4. Choose Actions > Networking > Attach Network Interface.
    The Attach Network Interface dialog appears.
  5. Using the Network Interface menu, select the new network interface created to attach to the instance.
  6. Click the Attach button.
  7. Use the show interfaces command on the CloudEOS and vEOS Router instance to view the new network interfaces created.
    Example
    switch#show interfaces
    Ethernet1 is up, line protocol is up (connected)
     Hardware is Ethernet, address is 0235.4079.d2a8 (bia 0235.4079.d2a8)
     Ethernet mtu 8973 bytes, BW 10000000 kbit
     Full-duplex, 10Gb/s, auto negotiation: off, uni-link: n/a
     Up 20 minutes, 42 seconds
     [...]
    Ethernet2 is up, line protocol is up (connected)
     Hardware is Ethernet, address is 0287.4ba7.1f88 (bia 0287.4ba7.1f88)
     Ethernet mtu 8973 bytes, BW 10000000 kbit
     Full-duplex, 10Gb/s, auto negotiation: off, uni-link: n/a
     Up 20 minutes, 42 seconds
  8. Repeat steps 1 through 7 as needed to attach new network interfaces to instances.

Configure the route table of the AWS Router (see Configuring the Route Table of the AWS Router).

Configuring the Route Table of the AWS Router

 

To take advantage of the advanced services provided by CloudEOS and vEOS, configure the route table of the AWS Router so that traffic is forwarded from the AWS Router to CloudEOS and vEOS Router instances. This task involves logging into the AWS Router and modifying route table entries for the CloudEOS and vEOS Router instances to which you want traffic forwarded.

Complete these steps to configure the route table of the AWS router.

  1. Log in to the AWS Router.
  2. Select the network interface that is attached to a CloudEOS and vEOS Router instance.
  3. Obtain the Subnet ID and the route table ID that corresponds to the subnet in which the CloudEOS and vEOS Router instance resides.
    Example:
    Subnet ID (subnet-1c68b744).
    Route table ID (rtb-934cf9f7).
  4. Edit the route table entry so that it points to the corresponding interface of the CloudEOS and vEOS Router in that subnet.
    Example
    To reach any subnet other than 10.2.0.0/24, enter the Target to be the network interface ID of the locally connected interface of the CloudEOS and vEOS Router.
  5. (Optional) Repeat steps 2 through 4 to modify route table entries for additional CloudEOS and vEOS Router instances.

Configure the AWS CloudWatch Logs Agent (see Configuring the AWS CloudWatch Logs Agent). Configuring the Agent ensures that the CloudEOS and vEOS Router logs publish to AWS.

CloudEOS Router Startup-Configuration using Instance Custom-Data

CloudEOS and vEOS supports configuration of startup-configuration, AWS CloudWatch, and Cloud HA through the use of user-data. Because user-data can be used to pass in configurations, administrators can take advantage of this feature to quickly configure CloudEOS and vEOS Router instances, AWS CloudWatch, and Cloud HA.

Note: It is recommended to test CloudEOS and vEOS Router configurations on a CloudEOS and vEOS Router or EOS device before using them to deploy a new CloudEOS and vEOS Router.
Requirements for Uploading User-data

To ensure that the user-data is accepted on upload, make sure the user-data meets the following requirements:

  • The configuration must be separated by start and end markers.
  • Markers are required at the beginning of the line.
  • You must upload either text or configuration files (these are the types of files supported by CloudEOS and vEOS Router).

EOS configuration for all interfaces can be passed in during deployment. The configuration takes effect as new interfaces attach to the CloudEOS and vEOS Router.

List of Start and End Markers to Use

This table lists the start and end markers to use when configuring the EOS, AWS, CloudWatch, and Cloud HA entities. For each specific entity, the configuration file and the location (file path) of the configuration file are given.

Table 1. List of Start and End Markers to Use
Columns: Entity / Configuration File / Use; Markers; File Path

Entity: EOS
File: EOS CLI configuration file
Use: Configure CloudEOS and vEOS Router
Markers: %EOS-STARTUP-CONFIG-START% and %EOS-STARTUP-CONFIG-END%
File Path: N/A

Entity: EOS
File: EOS CLI configuration file
Use: %FORCE_USER_DATA% forcibly applies the Arista startup configuration in the user custom-data (between the %EOS-STARTUP-CONFIG-START% and %EOS-STARTUP-CONFIG-END% markers) even when it is not the first boot of the instance.
Markers: %FORCE_USER_DATA%
File Path: N/A

Entity: AWS Logs
File: aws.conf
Use: Set up AWS region
Markers: %AWS-CONFIG-START% and %AWS-CONFIG-END%
File Path: /mnt/flash/awslogs/aws.conf

Entity: AWS Logs
File: awslogs.conf
Use: Configure logging parameters
Markers: %AWSLOGS-CONFIG-START% and %AWSLOGS-CONFIG-END%
File Path: /mnt/flash/awslogs/awsconf.conf

Entity: AWS Logs
File: proxy.conf
Use: Configure proxy settings
Markers: %AWS-PROXY-START% and %AWS-PROXY-END%
File Path: /mnt/flash/awslogs/proxy.conf

Sample Instance User-data

The following sample user-data contains lines to start up the instance and to configure various entities.

The sample contains lines to configure:

  • AWS CloudWatch logs (for the us-east-1 region)
  • AWS logging parameters
  • AWS proxy settings

Sample


%EOS-STARTUP-CONFIG-START%
! EOS startup config
hostname my-veos
username admin nopassword
username admin sshkey file flash:key.pub
%EOS-STARTUP-CONFIG-END%

%AWS-CONFIG-START%
[plugins]
cwlogs = cwlogs
[default]
region = us-east-1
%AWS-CONFIG-END%

%AWSLOGS-CONFIG-START%
[general]
state_file = /var/awslogs/state/agent-state
[/var/log/messages]
datetime_format = %b %d %H:%M:%S
file = /var/log/messages
buffer_duration = 5000
log_group_name = veoslogs
log_stream_name = {hostname}
initial_position = start_of_file
%AWSLOGS-CONFIG-END%

%AWS-PROXY-START%
HTTP_PROXY=http://<your_proxy>:<your_proxy_port>
HTTPS_PROXY=http://<your_proxy>:<your_proxy_port>
NO_PROXY=169.254.169.254
%AWS-PROXY-END%
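
The marker requirements above, and the two encodings this guide asks for (single-line JSON for the Azure customData field, base64 for the AWS UserData field), can be checked before deployment. The following Python sketch is an added example, not Arista code: the function names are hypothetical, and the report on accounts declared with nopassword is a review policy assumed here, not a vEOS rule.

```python
import base64
import json
import re

# Start/end marker pairs from the table above, plus the stand-alone flag.
MARKER_PAIRS = {
    "%EOS-STARTUP-CONFIG-START%": "%EOS-STARTUP-CONFIG-END%",
    "%AWS-CONFIG-START%": "%AWS-CONFIG-END%",
    "%AWSLOGS-CONFIG-START%": "%AWSLOGS-CONFIG-END%",
    "%AWS-PROXY-START%": "%AWS-PROXY-END%",
}
END_MARKERS = set(MARKER_PAIRS.values())
STANDALONE = {"%FORCE_USER_DATA%"}
MARKER_LIKE = re.compile(r"%[A-Z][A-Z0-9_-]*%")
# Review policy assumed by this example (not a vEOS rule): report accounts
# that the startup config declares without a password.
NOPASSWORD = re.compile(r"^\s*username\s+(\S+)\s+nopassword\b")

# Excerpt of the sample user-data above, embedded so the example runs offline.
SAMPLE_USER_DATA = """\
%EOS-STARTUP-CONFIG-START%
! EOS startup config
hostname my-veos
username admin nopassword
username admin sshkey file flash:key.pub
%EOS-STARTUP-CONFIG-END%

%AWS-CONFIG-START%
[plugins]
cwlogs = cwlogs
[default]
region = us-east-1
%AWS-CONFIG-END%
"""


def lint_user_data(text):
    """Return (sections, findings) for a user-data / custom-data document."""
    sections, findings = {}, []
    current, body = None, []
    for n, raw in enumerate(text.splitlines(), 1):
        token = raw.strip()
        known = token in MARKER_PAIRS or token in END_MARKERS or token in STANDALONE
        # An indented marker is reported, then still parsed so linting continues.
        if known and not raw.startswith(token):
            findings.append(f"line {n}: marker {token} is not at the beginning of the line")
        if token in MARKER_PAIRS:
            if current:
                findings.append(f"line {n}: {token} starts before {MARKER_PAIRS[current]}")
            current, body = token, []
        elif token in END_MARKERS:
            if current and MARKER_PAIRS[current] == token:
                sections[current] = body
            else:
                findings.append(f"line {n}: {token} has no matching start marker")
            current = None
        elif token in STANDALONE:
            sections[token] = []
        elif MARKER_LIKE.fullmatch(token):
            findings.append(f"line {n}: unknown marker {token}")
        elif current:
            body.append(raw)
        elif token:
            findings.append(f"line {n}: text outside any marker pair")
    if current:
        findings.append(f"end of input: {current} is never closed")
    for line in sections.get("%EOS-STARTUP-CONFIG-START%", []):
        match = NOPASSWORD.match(line)
        if match:
            findings.append(f"EOS config: account {match.group(1)!r} is declared with nopassword")
    return sections, findings


def azure_custom_data(text):
    """Single-line JSON string ('\\n' for newlines) for the customData field."""
    return json.dumps(text)


def aws_user_data_b64(text):
    """Base64 text for the CloudFormation UserData parameter."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    found_sections, found = lint_user_data(SAMPLE_USER_DATA)
    print(sorted(found_sections), found)
    print(azure_custom_data(SAMPLE_USER_DATA))
    print(aws_user_data_b64(SAMPLE_USER_DATA))
```
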

Overview

Arista CloudEOS and vEOS Router is supported on Amazon Web Service (AWS), Microsoft Azure and Google Cloud Platform, and on-premises deployment.

CloudEOS and vEOS Router

Arista CloudEOS and vEOS Router is a new platform release of EOS that is supported on Amazon Web Service (AWS), Microsoft Azure and other public clouds. It is also supported on customer equipment running Linux and VMware hypervisors. By bringing advanced network telemetry and secure IPSec VPN connectivity in a software-only package, CloudEOS and vEOS Router provides a consistent, secure and universal approach to hybrid cloud networking for any virtualized cloud deployment. Use cases for CloudEOS and vEOS Router include Secure Multi Cloud Connectivity, Interconnecting VPCs/VNets in the Public Cloud, Multi-site VPN aggregation and Network Function Virtualization.

Note: Arista CloudEOS Router is a new product with additional capabilities that replaces the existing vEOS router. Users can now upgrade an existing vEOS router deployment to CloudEOS router by following the information provided in the chapter Upgrade/Downgrade. CloudEOS Router and vEOS Router can be used interchangeably in this guide.

License Management

This section describes the procedure for managing CloudEOS and vEOS license files.

Pay-As-You-Go (PAYG) in Cloud

This section of the document provides a high-level overview of verifying the Pay-as-you-go (PAYG) instance installed on the CloudEOS and vEOS Router products on the various supported public platforms.

Overview

Pay-as-you-go (PAYG) is a software consumption model supported by various public cloud providers, in which the consumer is charged based on usage. The other software consumption model on public cloud providers is Bring-Your-Own-License (BYOL). Each vendor that publishes a product on a public cloud imposes a license requirement for real usage of the product, in which case the consumer needs to get the BYOL license from the vendor in order to use the product in the public cloud.

One of the major benefits of the PAYG method is that there are no wasted resources: the consumer pays only for the services procured rather than provisioning a fixed amount of resources that may or may not be used. Another advantage of PAYG is that consumers can quickly deploy the product on the public cloud without needing to contact the vendor for a license. Normally, a public cloud provider distinguishes each product published by a vendor with a unique ID. This unique ID is stored in the cloud provider's metadata server. The vendor product should check for the unique ID to distinguish between BYOL and PAYG, and allow consumers to use the product without requiring a license from the vendor.

License Verification

The following commands are used to verify whether SFE and IPsec licenses are installed in PAYG mode for CloudEOS and vEOS.

Note: The show license command does not show licenses installed through PAYG feature.

Example show output for SFE

If the SFE license is installed and validated, the following output is displayed:

switch# show platform sfe licensing

Licensing Information
---------------------
 License TC created: no
 Number of throttled interfaces: 0

If the SFE license is not installed, the following output is displayed:

switch# show platform sfe licensing

Licensing Information
---------------------
License TC created: yes
Number of throttled interfaces: 1
Interfaces throttled:
Ethernet1: 80 Mbps

Example show output for IPsec

If IPsec is not installed the following output is displayed.

switch# show ip sec connection
! No valid IPsec license found. IPsec is disabled.

If IPsec is installed the following output is displayed.


switch# show ip sec connection
Tunnel    Source   Dest     Status       Uptime      Input    Output   Rekey Time
Tunnel63  1.0.0.1  1.0.0.2  Established  22 minutes  0 bytes  0 bytes  34 minutes

If no valid certificate is installed, it displays configured IPsec connections.

Troubleshooting

The following curl command is used to verify whether an AWS / Azure instance is a PAYG instance. This command is executed under Bash mode.

PAYG support for AWS

The step shown in the example below is used to verify whether an AWS instance is a PAYG instance. AWS customers can verify the product code of their PAYG instance by querying the instance identity document from their running CloudEOS and vEOS Router instance.

  • To retrieve the instance identity document, use the following command from your running instance:
 
[switch]$ curl http://169.254.169.254/latest/dynamic/instance-identity/document
{
"accountId" : "083837402522",
"architecture" : "x86_64",
"availabilityZone" : "us-west-1b",
"billingProducts" : null,
"devpayProductCodes" : null,
"marketplaceProductCodes" : [ "cdcwmm26cap8fqlnkwuqte405" ],
"imageId" : "ami-017900c328c2edfbe",
"instanceId" : "i-058ebba29bd475e8b",
"instanceType" : "c5.xlarge",
"kernelId" : null,
"pendingTime" : "2020-05-01T06:53:42Z",
"privateIp" : "11.0.4.101",
"ramdiskId" : null,
"region" : "us-west-1",
"version" : "2017-09-30"
}

PAYG support for Azure

The step shown in the example below is used to verify whether an Azure instance is a PAYG instance.

Example metadata showing the SKU:

[switch]$ curl -H Metadata:true "http://169.254.169.254/metadata/instance/compute?api-version=2017-08-01"
{"location":"westus",
"name":"adhip-test",
"offer":"cloudeos-router-payg",
"osType":"Linux",
"placementGroupId":"",
"platformFaultDomain":"0",
"platformUpdateDomain":"0",
"publisher":"arista-networks",
"resourceGroupName":"adhip2",
"sku":"cloudeos-4_23_0-payg",
"subscriptionId":"ba0583bb-4130-4d7b-bfe4-0c7597857323",
"tags":"","version":"4.23.0",
"vmId":"c23a7526-44c5-43af-bcf5-8b2419105393",
"vmSize":"Standard_D4_v3"
$
 

PAYG support for GCP

The Arista CloudEOS instance needs network connectivity and DNS resolution to use the GCP metadata server "metadata.google.internal" for various services, including license validation. Normally, CloudEOS automatically picks up and configures the default route and DNS server (GCP default DNS server: 169.254.169.254) through DHCP during the initial instance bring-up. However, to make sure the instance can access the DNS server and reach the GCP metadata server properly, use the CLI command below and check that the license ID matches 3403635045915687054 for the PAYG image.
cloudEos#bash curl http://metadata.google.internal/computeMetadata/v1/instance/licenses/0/id -H "Metadata-Flavor:Google"
3403635045915687054
Note: If you are using your own DNS server and/or DHCP server, make sure that the above command works properly by setting up the proper DNS resolution and routes.
The following CloudEOS commands help licensing bypass DNS/network connectivity issues caused by a custom DHCP/DNS setup:
cloudeos-router-payg-router-vm# ip host metadata.google.internal 169.254.169.254
cloudeos-router-payg-router-vmr# ip route 169.254.169.254/32 Ethernet1 <default_vpc_router>

where <default_vpc_router> is the second address in the primary IP range for the subnet in which Ethernet1 resides. For example, default_vpc_router is 10.1.2.1 in 10.1.2.0/24 subnet belonging to Ethernet1 in the google cloud.

However, note that other features which need access to the cloud provider web APIs, such as CloudHA, may still have issues with your own DNS/DHCP setup unless it is carefully planned. If you are using your own DNS/DHCP servers, see the details at https://cloud.google.com/compute/docs/internal-dns.

Bring-Your-Own-License (BYOL) in Cloud and On-Prem

License files for CloudEOS and vEOS

CloudEOS and vEOS license files are available to unlock performance limitations and enable IPSec.

Installing License Files

License files are files that are imported via the CLI. Contact your local SE for assistance in obtaining a license. Use the license import command to download a license file. Save the file to /mnt/flash/ or a server. For example purposes, the licenses below are non-functional.


switch#license import flash:vEOSLic-1.json
switch#license import flash:IPSecLic-1.json

License files may also be imported via http. The following example illustrates the structure of the license file import.

http:some-url/license.json

Verifying Installed License Files

Use the show license command to display details regarding the active licenses and device-specific information needed for licensing. For example purposes, the licenses below are non-functional.

switch#show license
Customer name: Arista Test Customer
System Serial number: 6FF552005130CB93A1048182A0FE585C
System MAC address: 5254.0062.ab2e
Domain name: Unknown
Platform: CloudEOS-KVM

License feature: IPSec
License parameter: None
Count: 1
Start: 2018-01-31 00:43:31
Expiration: 2026-12-30 16:00:00
Active: yes

License feature: CloudEOS - Virtualized EOS
Throughput: Not Throttled
Count: 1
Start: 2018-01-31 00:42:48
Expiration: 2026-12-30 16:00:00
Active: yes

 

Update License Files (Optional)

The license update command forces the system to evaluate the license files already present in the license store.

switch#license update

Obtaining and Installing Soft Expiry

Users can obtain license files from Arista that extend the time for which the customer can use a certain feature without any limitations. The license for the feature is considered expired, but the feature continues to work until the grace period as mentioned in the license file lapses.

For example, with a license file such as the one below, the customer can continue to use vEOS without any limitations for ten days beyond the expiry date.

{
"LicenseFileVersion": "1.0",
"CustomerName": "Arista Test Customer",
"LicenseSerialNumber": "ARISTA-TEST-DAYSPAST1",
"Signature": {
"SigningCertPEM": "-----BEGIN CERTIFICATE-----7brkfssZDrRIatxKEkv6Oc
\nh4kXO2mvvMJxQDf7VvGXEC3fSRURLwPz//6JMx942iOKsES8ZT9nT2q9MxJXfInn\n3EcKGmPWKQR4n2qH
fmq6sfk2eFBUYIrZBm9RUbVbyLZLCOv2KxJ7FFZ9LV1jp5An\nAyHLJUMQqqw/kvUUvUq1bI/PtEOlNc9Ndt
/3yeh+HByzIw8/f+gjKkUjQpVncuqS\nkFotBPNNj/LjbQD40R/tJ0z/8sPXCGJuo4mE9s/MwnWmkAHxpZyC
ccMBlNp3LkJk\nFHcsVb36Vclv5XWDe5AxU+0sQjEB4LGP7nYo8wjjvSZIpYXRiAmDRGuAGi/W/W3F\n6hEQ
661JK4KPJvoQsMqYaO/TkZPIXEAdgEDkmj0=\n-----END CERTIFICATE-----\n",
"Hash": "f076d2cac1eac2a8261915e0b2ce4cb547e9c98bda070d001140daf3c3bd3694",
"Signature": "304502201ca6fab964d8a3aade43d306232fcf52b9503fc22f4552
d58fb5a95e1b9e13e6022100dff97ad4f37389b55887f0ec06c9ef29d55a75e668e4da654deaf8037633a9bd"
},
"Features": {
"vEOS": [
{
"Count": 1,
"Value": "",
"Valid": {
"NotBefore": "2000-01-01T00:00:00Z",
"NotAfter": "2001-01-01T00:00:00Z"
},
"BehaviorModifier": {
"DaysAllowedPastExpiration": 10
}
}
]
},
"BindingInfo": {
"SystemMAC": "",
"DomainAddress": "",
"SerialNumber": "2BC6A772072B04BED43DCCF8777F036F"
}
}
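
How DaysAllowedPastExpiration moves the point at which a feature stops working, as an added Python example (not Arista's implementation): it evaluates the Valid window and the grace period of each feature entry at a given time. The function names, the state names, the half-open interval boundaries and the trimmed license document are assumptions of this example, and the Signature block is not verified.

```python
import json
from datetime import datetime, timedelta, timezone

# Trimmed copy of the license above (constructed for this example): only the
# fields read below are kept; the Signature block is left out and not verified.
SAMPLE_LICENSE = json.loads("""
{
  "LicenseFileVersion": "1.0",
  "Features": {
    "vEOS": [
      {
        "Count": 1,
        "Value": "",
        "Valid": {"NotBefore": "2000-01-01T00:00:00Z",
                  "NotAfter": "2001-01-01T00:00:00Z"},
        "BehaviorModifier": {"DaysAllowedPastExpiration": 10}
      }
    ]
  }
}
""")


def parse_utc(stamp):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the license file."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_license(doc, now):
    """Return one result per feature entry: its state at `now` and time left."""
    results = []
    for feature, entries in doc.get("Features", {}).items():
        for entry in entries:
            start = parse_utc(entry["Valid"]["NotBefore"])
            end = parse_utc(entry["Valid"]["NotAfter"])
            if end <= start:
                raise ValueError(f"{feature}: NotAfter is not later than NotBefore")
            days = entry.get("BehaviorModifier", {}).get("DaysAllowedPastExpiration", 0)
            if isinstance(days, bool) or not isinstance(days, int) or days < 0:
                raise ValueError(f"{feature}: bad DaysAllowedPastExpiration {days!r}")
            grace_end = end + timedelta(days=days)
            # Assumed boundaries: [start, end) is licensed, [end, grace_end) is grace.
            if now < start:
                state, usable, left = "in future", False, None
            elif now < end:
                state, usable, left = "active", True, grace_end - now
            elif now < grace_end:
                state, usable, left = "grace", True, grace_end - now
            else:
                state, usable, left = "expired", False, timedelta(0)
            results.append({"feature": feature, "state": state, "usable": usable,
                            "usable_for": left, "grace_end": grace_end})
    return results


if __name__ == "__main__":
    for when in ("2000-06-01T00:00:00Z", "2001-01-05T00:00:00Z", "2001-01-11T00:00:00Z"):
        print(when, evaluate_license(SAMPLE_LICENSE, parse_utc(when)))
```
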




Additional Licensing Show Commands

The following CLIs can be used to verify if a license file is valid, when it expires, what license files are installed and any relevant information regarding a license. The show license commands do not list features that are unlocked by external license files or means.

 

Show License Files

Use the show license files command to display all information related to the active licenses installed. For example purposes, the licenses below are non-functional.

switch#show license files

License name:2017.11.02.08.23.23.053684_IPSecLic-1yr.json
Contents:
{
"BindingInfo": {
"DomainAddress": "",
"SerialNumber": "C3F3580316A92EE8D97DB70C967EAAA4",
"SystemMAC": "02:9c:a8:a5:51:5a"
},
"CustomerName": "Arista Test",
"Features": {
"IPSec": [
{
"Count": 1,
"Valid": {
"NotAfter": "2018-12-31T00:00:00Z",
"NotBefore": "2017-11-02T15:21:22Z"
},
"Value": ""
}
]
},
 (truncated)
}

License name:2017.11.03.12.27.24.016515_vEOSLic-1234.json
Contents:
{
"BindingInfo": {
"DomainAddress": "",
"SerialNumber": "C3F3580316A92EE8D97DB70C967EAAA4",
"SystemMAC": ""
},
"CustomerName": "Arista Test",
"Features": {
"CloudEOS": [
{
"Count": 1,
"Valid": {
"NotAfter": "2018-12-31T00:00:00Z",
"NotBefore": "2017-11-02T00:00:00Z"
},
"Value": ""
}
]
},
"LicenseFileVersion": "1.0",
(truncated)
END CERTIFICATE-----\n"

 

show license expired

The show license expired command displays the same information as the show license command, but only for expired license files.

switch#show license expired
System Serial number:2BC6A772072B04BED43DCCF8777F036F
System MAC address:06:1b:8a:48:8d:0c
Domain name: Unknown

License feature:IPSec
	License parameter:None
	Count:1
	Start:2017-10-05 21:49:13
	Expiration: 2017-10-09 17:00:00
	Active: expired


License feature:CloudEOS-Virtualized EOS
	License parameter:None
	Count:1
	Start:2017-10-05 21:47:34
	Expiration: 2017-10-09 17:00:00
	Active: expired

 

show license all

The show license all command displays all license files: those that are active, those that have expired, and those that have not yet been activated.

switch#show license all
System Serial number:2BC6A772072B04BED43DCCF8777F036F
System MAC address:06:1b:8a:48:8d:0c
Domain name: Unknown

License feature:IPSec
	License parameter:None
	Count:1
	Start:2017-12-30 16:00:00
	Expiration: 2018-12-30 16:00:00
	Active: in future

	License parameter:None
	Count:1
	Start:2017-09-18 13:56:45
	Expiration: 2017-12-30 16:00:00
	Active: yes

	License parameter:None
	Count:1
	Start:2017-10-05 21:49:13
	Expiration: 2017-10-09 17:00:00
	Active: expired


License feature:CloudEOS-Virtualized EOS
	License parameter:None
	Count:1
	Start:2017-10-08 17:00:00
	Expiration: 2017-12-30 16:00:00
	Active: yes

	License parameter:None
	Count:1
	Start:2017-12-30 16:00:00
	Expiration: 2018-12-30 16:00:00
	Active: in future

	License parameter:None
	Count:1
	Start:2017-10-05 21:47:34
	Expiration: 2017-10-09 17:00:00
	Active: expired
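
For monitoring, the show license all output above can be parsed to find how long each feature stays licensed without a gap between the active entry and the pending ones. This is an added example, not Arista tooling; the function names are hypothetical and the sample text is constructed in the layout shown above.

```python
from datetime import datetime

# Constructed sample in the layout of the "show license all" output above.
SAMPLE_OUTPUT = """\
License feature:IPSec
    License parameter:None
    Count:1
    Start:2017-12-30 16:00:00
    Expiration: 2018-12-30 16:00:00
    Active: in future

    License parameter:None
    Count:1
    Start:2017-09-18 13:56:45
    Expiration: 2017-12-30 16:00:00
    Active: yes
"""

def parse_show_license(text):
    """Return {feature: [{'start', 'expiration', 'active'}, ...]}."""
    features, entries, entry = {}, None, {}
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "License feature":
            entries = features.setdefault(value, [])
        elif key == "License parameter" and entries is not None:
            entry = {}  # first line of each license entry
            entries.append(entry)
        elif key in ("Start", "Expiration"):
            entry[key.lower()] = datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
        elif key == "Active":
            entry["active"] = value
    return features

def licensed_through(features):
    """Per feature: time up to which it stays licensed with no gap, else None."""
    result = {}
    for name, entries in features.items():
        end = max((e["expiration"] for e in entries if e.get("active") == "yes"),
                  default=None)
        pending = [e for e in entries if e.get("active") == "in future"]
        for e in sorted(pending, key=lambda e: e["start"]):
            # A pending license extends coverage only if it starts by then.
            if end is not None and e["start"] <= end:
                end = max(end, e["expiration"])
        result[name] = end
    return result
```

A result of None means the feature has no active license at all; a result equal to the active entry's expiration means no installed license takes over when it ends.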

CloudEOS and vEOS Router Configuration Guide
Arista Networks

www.arista.com

Arista CloudEOS and vEOS Router version 4.31.2F
DOC-03496-17

© Copyright 2024 Arista Networks, Inc. All rights reserved. The information contained herein is subject to change without notice. The trademarks, logos and service marks ("Marks") displayed in this documentation are the property of Arista Networks in the United States and other countries. Use of the Marks are subject to Arista Network's Term of Use Policy. Use of marks belonging to other parties is for informational purposes only.