Rate limiting of mirrored traffic provides support to control the rate of mirrored traffic that can egress the switch. This feature can be applied to both regular port mirroring and encapsulated mirroring (e.g., mirroring to GRE tunnel), depending on the platform.

The goal of route prioritization is to improve overall network behavior by ensuring that routes classified as having a higher priority are processed and installed in a timely fashion. Activity for lower priority routes must not significantly delay high priority route processing. For example, when a network event affects a large number of BGP routes causing them to be reprogrammed, the programming of an important IGP route that provides underlay connectivity and is affected by a subsequent event should not have to be queued behind the BGP routes. Prioritizing the IGP route programming will improve network convergence. It may also eliminate duplicate work for other routes depending on it.

Routing Control Functions (RCF) is a language that can express route filtering and attribute modification logic in a powerful and programmatic fashion.The document covers: Configurations of a RCF function for BGP points of application

Sampled Mirroring is an extension of the Mirroring feature and sampling is a property of the individual mirroring session: when the session's sample rate N is specified, a packet eligible for mirroring will have a 1/N chance of being mirrored, that is, 1 packet is mirrored for every N packets.

This article describes the support for Filtered Mirroring using security ACL. The user can selectively mirror packets based on the statement in the configured IPv4, IPv6 or MAC ACL.

Segment Routing Traffic Engineering Policy (SR-TE) aka SR Policy makes use of Segment Routing (SR) to allow a headend to steer traffic along any path without maintaining per flow state in every node. A headend steers traffic into an SR Policy.

The sFlow VPLS extension adds support for providing VPLS-related information to sFlow packet samples, for VPLS forwarded traffic. Specifically, for customer traffic ingressing on a CE-facing PE interface in a VPLS deployment that uses statically configured LDP pseudowires, information such as the name of the VPLS instance and the ID of the pseudowire that the packet will egress over will be included in the sFlow datagram. 

This is an infrastructure that provides management of SSL certificates, keys and profiles. SSL/TLS is an application-layer protocol that provides secure transport between client and server through a combination of authentication, encryption and data integrity. SSL/TLS uses certificates and private-public key pairs to provide this security.

Interface reflectors are useful to make sure a service provided to customers is working as expected and it's within SLA constraints. Now, we are extending the support to configure subinterfaces as ethernet reflector. The Subinterface Interface Reflector feature allows performing certain actions (such as source/destination MAC address swap) on packets reaching subinterfaces patched to Pseudowire that are reflected back to the source interface. It is useful to test properties and SLAs before deploying the service for a customer.

This feature adds support for CPU traffic policy capable of matching and acting on IP traffic which would otherwise

This feature adds support for “Dynamic Load Balancing (DLB)” on Equal Cost Multi Path (ECMP) groups.
It is intended to help overcome the potential shortcomings of traditional hash-based load balancing by considering the traffic load of members of ECMP groups. DLB considers the state of the port while assigning egress ports to packets, resulting in a more even flow. The state of each port member is determined by measuring the amount of data transmitted from a given port and total number of packets enqueued to a given port.

gNSI (gRPC Network Security Interface) defines a set of gRPC-based microservices for executing security-related operations on network devices.

IPv6 Duplicate Address Detection Proxy is a proxy-based mechanism allowing the use of Duplicate Address Detection (DAD) by IPv6 nodes in a point-to-multipoint architecture with a "split-horizon" forwarding scheme. In Split-horizon scenario where the hosts can not directly communicate with each other, but only through a BNG (Broadband Network Gateway). 

GRE ( Generic Routing Encapsulation ) packet header has a Key extension which is used by Arista to carry packet metadata. Currently packets mirrored at egress to a GRE tunnel destination do not have this information. This feature could be used to enable metadata in egress mirrored packets to GRE destinations.

Private VLAN is a feature that segregates a regular VLAN broadcast domain while maintaining all ports in the same IP subnet. There are three types of VLAN within a private VLAN

This feature extends sampled flow tracker to support the selective sampling of certain traffic types (specified globally), such as routed IPv4, routed IPv6, and MPLS pop and route IPv4, per interface. The feature is applicable on interfaces, subinterfaces, port channels, and port channel subinterfaces.

Sub-interfaces can be grouped into logical units called scheduling groups, which are shaped as a single unit. Each scheduling group may be assigned a scheduling policy which defines a shape rate in kbps and optionally a guaranteed bandwidth, also in kbps.

The VLAN interface (SVI) counter feature allows the device to count packets received and sent by the device on a per SVI basis. By default, in a VXLAN routing scenario, packets are not counted on the "overlay" SVI. The platform CLI command described below allows for counting on the overlay SVI. When enabled, this feature still permits counting on underlay network SVIs

Support is added to use VRRP (Virtual Router Redundancy Protocol) virtual IP (Internet Protocol) address as an IPsec ( Internet Protocol Security) tunnel source or destination address. This allows for configurations that offer both security (provided by IPsec tunnels) and redundancy (provided by VRRP).

Topology Independent Fast Reroute, or TI-LFA, uses IS-IS SR to build loop-free alternate paths along the post-convergence path. These loop-free alternates provide fast convergence.

Access Control Lists (ACL) use packet classification to mark certain packets going through the packet processor pipeline and then take configured action against them. Rules are defined based on various fields of packets and usually TCAM is used to match packets to rules. For example, there can be a rule to match the packet source IP address against a list of IP addresses, and drop the packet if there is a match. This will be expressed in TCAM with multiple entries matching the list of IP addresses. Number of entries is reduced by masking off bits, if possible. TCAM is a limited resource, so with classifiers having a large number of rules and a big field list, TCAM runs out of resources.

This TOI supplements the Ingress Traffic Policy applied on ingress port interfaces. Please refer to that document for a description of Traffic Policies and field-sets. This TOI explains the Traffic Policies as applied in the ingress direction on VLAN interfaces.

This feature allows the export of IP FIB (Forwarding Information Base) through the OpenConfig AFT YANG models.

SwitchApp is an FPGA-based feature available on Arista’s 7130LB-Series and 7132LB-Series platforms. It performs ultra low latency Ethernet packet switching. Its packet switching feature set, port count, and port to port latency are a function of the selected SwitchApp profile. Detailed latency measurements are available in the userguide on the Arista Support site.

User-defined recovery policy is a type of reset that allows the customer to rollback a device to a previously saved state. A state can be saved by taking a snapshot of the configuration files that the customer wants to save.  Once a snapshot has been taken, the device can be reset either through push-button or through the command line interface. This feature provides a trivial way to get back to a tested and working version of EOS.swi with user-defined configs in case of failure.

Virtual Private LAN Service (VPLS) appears in (almost) all respects as an Ethernet type service to customers of a Service Provider (SP). A VPLS glues together several individual LANs across a packet switched network to appear and function as a single bridged LAN. This is accomplished by incorporating MAC address learning, flooding, and forwarding functions in the context of pseudowires that connect these individual LANs across the packet switched network. LDP signaling is used for the setup and teardown of the mesh of pseudowires that constitute a given VPLS instance.

This feature enables policer (using policy-map) on a VTEP to rate limit traffic per VLAN/VNI. The policer can be applied in both input and output directions to rate limit decapsulated and encapsulated VXLAN traffic, respectively. Prior to EOS-4.32.0F, the policers are not applicable on multicast traffic through the VTEP. For platforms supporting rate limiting of both bridged and routed encapsulated traffic, the rate limiting would be done on common policer limits.

This document describes the VRF selection policy and VRF fallback feature. A VRF selection policy contains match rules that specify certain criteria (e.g. DSCP, IP protocol) as well as a resulting action to select a VRF in which to do the FIB lookup. The VRF fallback feature is an extension of these policies which allows users to optionally specify a “fallback” VRF for each VRF. The behavior is such that if the FIB lookup fails in a match rule’s selected VRF, another lookup will be attempted in the configured fallback VRF. Additionally, the fallback VRF itself can have yet another fallback VRF, such that if the lookup in the VRF and fallback VRF fail, the fallback-of-the-fallback VRF will be looked up (see the Configuration section for an example of this).

WRED ( Weighted Random Early Detection ) is one of the congestion management techniques.