EOS 4.31.1F TOI

Media Access Control Security (MACsec) is an industry-standard encryption mechanism that protects all traffic flowing on the Ethernet links. MACsec is based on IEEE 802.1X and IEEE 802.1AE standards.

WRED/ECN are congestion management techniques, which work at queue level to drop/mark packets randomly after queue size exceeding the configured queue threshold. The queue size is determined using Exponentially weighted moving average (EWMA) technique with queue weight, previous queue size, current queue size as variables. 

Routing control functions (RCF) is a language that can be used to express route filtering and attribute modification logic in a powerful and programmatic fashion.

Routing Control Functions (RCF) is a language that can express route filtering and attribute modification logic in a powerful and programmatic fashion.The document covers: Configurations of a RCF function for BGP points of application

Routing control functions (RCF) is a language that can be used to express route filtering and attribute modification logic in a powerful and programmatic fashion. 

RSVP-TE, the Resource Reservation Protocol (RSVP) for Traffic Engineering (TE), is used to distribute MPLS labels for steering traffic and reserving bandwidth. The Label Edge Router (LER) feature implements the headend functionality, i.e., RSVP-TE tunnels can originate at an LER which can steer traffic into the tunnel.

RSVP-TE applies the Resource Reservation Protocol (RSVP) for Traffic Engineering (TE), i.e., to distribute MPLS labels for steering traffic and reserving bandwidth.

Network administrators require access to flow information that passes through various network elements, for the purpose of analyzing and monitoring their networks. This feature provides access to IP flow information by sampling traffic flows in ingress and/or egress directions on the interfaces on which it is configured. The samples are then used to create flow records, which are exported to the configured collectors in the IPFIX format. Egress Flow tracking is supported from EOS-4.29.0F on the DCS-7170B-64C series and supported on 7280, 7500 and 7800 series platforms from EOS-4.31.1".

Some configurations in NAT may have some trade-offs and even cause problems. The Show Configuration Consistency NAT CLI can check these configurations, and provide hints to change the configuration or the trade-offs to be considered. 

Smart System Upgrade (SSU) provides the ability to upgrade the EOS image with minimal traffic disruption. This is an existing feature on many fixed system products. This resource will outline the SSU feature in reference to CCS-720DP, CCS-722XPM, CCS-720XP-96ZC2 and DCS-7010TX.

gNSI (gRPC Network Security Interface) defines a set of gRPC-based microservices for executing security-related operations on network devices.

IPsec is a standard for enabling secure network communication between two devices using the Internet Protocol (IP) by way of an encrypted packet tunnel.Previous versions of Arista EOS have required that IPsec tunnels use the default VRF for underlay traffic.Starting with the release 4.31.0, this restriction is removed and EOS now supports IPsec tunnel interfaces using one or more non-default VRFs.

IPv4 Unicast Reverse Path Forwarding (uRPF) can help limit malicious IPv4 traffic on a network. uRPF works by enabling the router to verify reachability (routing) of the source IP address (SIP) in the packet being forwarded. If the SIP is determined to not be a valid address, the packet is dropped.

When MPLS (Multiprotocol Label Switching) LFIB (Label Forwarding Information Base) lookup fails, typical forwarding behavior is to drop such packets. This feature allows fallback IP lookup when MPLS lookup fails and forwards traffic to an IP path by looking up the packet’s destination IP address in the route table if the network topologies have labeled paths programmed & IP based routes are also available for the same destination. This feature is also supported with optimized IPv4 8-to-1 route scale compression.

IPv6 Unicast Reverse Path Forwarding (uRPF) can help limit malicious IPv6  traffic on a network. uRPF works by

Segment Routing provides a mechanism to define end-to-end paths within a topology by encoding paths as sequences of sub-paths or instructions. These sub-paths or instructions are referred to as “segments”. OSPF Segment Routing (henceforth referred to as OSPF SR) provides means to advertise such segments through OSPF protocol.

This feature allows for the configuration of password requirements when creating or modifying local user accounts. Specifically, policies can necessitate that passwords meet the following requirements:

This feature will enable the configuration of IPv6 static routes with IPv4 next-hops and a MPLS label value where the IPv4 next-hop is allowed to resolve only through tunnel RIB. This will allow users to install 6PE routes using static route configuration thereby connecting IPv6 islands over IPv4 MPLS cloud.

This TOI supplements the Ingress Traffic Policy applied on ingress interfaces. Please refer to that document for a description of Traffic Policies and field-sets. This TOI explains the Traffic Policies as applied in the egress direction on interfaces

This TOI supplements the Ingress Traffic Policy applied on ingress port interfaces. Please refer to that document for a description of Traffic Policies and field-sets. This TOI explains the Traffic Policies as applied in the ingress direction on VLAN interfaces.

In STP Rapid-PVST mode, when multiple VLANs are assigned to different interfaces using switchport mode access and these interfaces are interconnected, the VLANs perceive each other as part of the same VLAN, thereby forming a large single VLAN network.

This feature introduces hardware forwarding support of IPv4 multicast traffic over IPv4 GRE tunnel interfaces in Arista Switches. Multicast source traffic can reach the receivers which are separated by an IP cloud which is not configured for IP multicast routing by utilizing a GRE tunnel.

SwitchApp is an FPGA-based feature available on Arista’s 7130LB-Series and 7132LB-Series platforms. It performs ultra low latency Ethernet packet switching. Its packet switching feature set, port count, and port to port latency are a function of the selected SwitchApp profile. Detailed latency measurements are available in the userguide on the Arista Support site.

This feature is disabled by default. It can be enabled by a CLI toggle "logging transceiver communication" under the "monitor layer1" config mode. Note that “logging transceiver” will enable SMBus communication failure and digital optical monitoring syslogs.  See under Resources for more information on digital optical monitoring syslogs.

In TAP Aggregation mode, configuration options are provided to handle special packet types. When receiving a packet whose Frame Check Sequence (FCS) is corrupted, the default behavior is to replace the bad FCS with the correct value and forward it. Configuration options are available to control the FCS behavior, such as to discard errors, pass through the bad FCS, or append a new FCS.

The Unified Forwarding Table (UFT) is memory that is shared between Layer2 and Layer3 lookup tables with capabilities for variable partitions. Rather than separate Layer2 and Layer3 lookup tables of fixed size, the UFT may be partitioned to support user-requested combinations of Layer2 and Layer3 lookup table sizes.

Unicast reverse-path forwarding (uRPF) is a security feature that validates the source IP address of an incoming packet to ensure that the incoming packet has originated from a legitimate/valid source.  If validation of the source IP address fails, then the packet is dropped, thus preventing IP spoofing from illegitimate/invalid sources.

Unicast Reverse Path Forwarding (uRPF) can help limit malicious IPv4/IPv6 traffic on a network. uRPF works by enabling the router to verify reachability (routing) of the source IP address (SIP) in the packet being forwarded. If the SIP is determined to be an invalid address, the packet is dropped.

This feature allows Unicast Reverse Path Forwarding (uRPF) to be enabled along with Routes in Exact Match Table( REM/FlexRoute ). One prefix length can be selected to be in the Large Exact Match table (LEM) along with uRPF support.

This article describes how to configure a TCAM ( Ternary Content Addressable Memory ) profile for ingress filtered mirroring sessions. This profile allows mirroring sessions to use less TCAM resources by individually selecting the allowable match criteria.

Virtual Private LAN Service (VPLS) appears in (almost) all respects as an Ethernet type service to customers of a Service Provider (SP). A VPLS glues together several individual LANs across a packet switched network to appear and function as a single bridged LAN. This is accomplished by incorporating MAC address learning, flooding, and forwarding functions in the context of pseudowires that connect these individual LANs across the packet switched network. LDP signaling is used for the setup and teardown of the mesh of pseudowires that constitute a given VPLS instance.

With a static configured import and export route-target for a given vlan-aware-bundle, all its VLAN members share the same route-target value.  For example, EVPN uses the same route-target in the Type2 EVPN route advertisements for hosts residing in two different VLAN of the same bundle.  

VRF redirection often requires matching packets’ source addresses against one or more sets of IP prefixes.  This can become difficult to manage when the prefix sets need to be consistently maintained on several devices and either change too frequently or are very large.  When the prefixes for the prefix sets are learned by BGP, this feature provides an alternative to maintaining unwieldy sets of statically configured IP prefixes.

This document describes the VRF selection policy and VRF fallback feature. A VRF selection policy contains match rules that specify certain criteria (e.g. DSCP, IP protocol) as well as a resulting action to select a VRF in which to do the FIB lookup. The VRF fallback feature is an extension of these policies which allows users to optionally specify a “fallback” VRF for each VRF. The behavior is such that if the FIB lookup fails in a match rule’s selected VRF, another lookup will be attempted in the configured fallback VRF. Additionally, the fallback VRF itself can have yet another fallback VRF, such that if the lookup in the VRF and fallback VRF fail, the fallback-of-the-fallback VRF will be looked up (see the Configuration section for an example of this).

WRED ( Weighted Random Early Detection ) is one of the congestion management techniques.