Arista vEOS Configuration Manual

vEOS Router Configuration Guide
Arista Networks
www.arista.com
Arista vEOS version 4.20.6F
22 June 2018
Headquarters
5453 Great America Parkway Santa Clara, CA 95054 USA
(408) 547-5500
www.arista.com
Support
(408) 547-5502 (866) 476-0000
support@arista.com
Sales
(408) 547-5501 (866) 497-0000
sales@arista.com
© Copyright 2018 Arista Networks, Inc. The information contained herein is subject to change without notice. Arista Networks and the Arista logo are trademarks of Arista Networks, Inc., in the United States and other countries. Other product or service names may be trademarks or service marks of others.
Contents
Chapter 1: Overview...................................................................................5
Chapter 2: vEOS Licensing........................................................................7
Chapter 3: Cloud High Availability .........................................................13
Cloud HA Topology.....................................................................................................................................13
Cloud HA Configuration .............................................................................................................................15
Configuring the Cloud Proxy.......................................................................................................................16
Configuring the Cloud Provider...................................................................................................................16
Configuring Cloud High Availability..........................................................................................................18
JSON-Based Cloud High Availability Configurations and Equivalent CLI Configurations...........................20
General Troubleshooting Tips.....................................................................................................................23
Caveats and Limitations..............................................................................................................................23
Cloud High Availability Commands.............................................................................................................24
Cloud High Availability CLIs.....................................................................................................................25
Chapter 4: Using vEOS Router on the AWS Platform ..........................39
vEOS Router Image Updates.....................................................................................................................39
Amazon Machine Image (AMI) Specifications............................................................................................39
Supported Instance Types..........................................................................................................................39
Methods for Launching vEOS Router Instances.........................................................................................40
Launching vEOS Router Instances Using AWS CloudFormation............................................................40
Launching vEOS Router Instances Using EC2 AWS Marketplace..........................................................44
Network Configuration Tasks for vEOS Router Instances........................................................................53
Using User-data for Configuration of Entities and vEOS Router Instances.............................................57
Chapter 5: Using the vEOS Router on Microsoft Azure.......................61
vEOS Router Image Updates.....................................................................................................................61
System Requirements................................................................................................................................61
Launching vEOS Router Azure Instance....................................................................................................61
Creating an Instance using the Portal Marketplace.................................................................................62
Creating an Instance under Azure CLI 2.0..............................................................................................66
Logging into Instance...............................................................................................................................67
vEOS Router Startup-Configuration using Instance Custom-Data.............................................................68
Sample Instance Custom-Data................................................................................................................69
Providing Startup-Configuration using Azure Custom-Data....................................................................69
Troubleshooting Instance............................................................................................................................69
Resources...................................................................................................................................................71
Chapter 6: Server Requirements............................................................73
VMware ESXi Hypervisor...........................................................................................................................74
KVM............................................................................................................................................................81
Chapter 7: IPsec Support.........................................................................95
Supported Tunnel Types..............................................................................................................................96
Requirements when Behind a NAT.............................................................................................................96
Using IPsec on vEOS Router Instances.....................................................................................................97
Topology..................................................................................................................................................97
Configuring IPsec Tunnels on vEOS Router Instances............................................................................97
Examples of Running-configurations for GRE-over-IPsec Tunnels........................................................100
Examples of Running-configurations for VTI IPsec Tunnels..................................................................101
Using IPsec on vEOS and Third Party Devices.....................................................................................103
Topology................................................................................................................................................103
Interoperability Support..........................................................................................................................103
vEOS Router and Palo Alto Firewall VM...............................................................................................104
vEOS Router Show Commands............................................................................................................111
IPsec Show Commands.........................................................................................................................112
vEOS Routers and CSR...........................................................................................................................113
CSR Configuration.................................................................................................................................113
Sharing IPsec Connections...................................................................................................................114
IKEv1 Configuration...............................................................................................................................114
IKEv2 Configuration...............................................................................................................................115
vEOS Router (GRE-over-IPsec Tunnel).................................................................................................117
vEOS Router (VTI IPsec Tunnel)...........................................................................................................117
CSR Commands....................................................................................................................................118
CSR Router Show Commands..............................................................................................................118
vEOS Routers and AWS Specific Cloud Configuration............................................................................121
IPsec Between the vEOS Router and AWS Specific Cloud Configuration...........................................121
Running-configuration of the vEOS Router and AWS Specific Cloud ..................................................121
AWS Specific Cloud Configuration.......................................................................................................122
AWS Specific Cloud Configuration Modifications.................................................................................122
Chapter 8: ECMP.....................................................................................125
Adding ECMP...........................................................................................................................................125
Chapter 1
Overview
vEOS Router
Arista vEOS Router is a new platform release of EOS that is supported on Amazon Web Services (AWS), Microsoft Azure and other public clouds. It is also supported on customer equipment running Linux and VMware hypervisors. By bringing advanced network telemetry and secure IPsec VPN connectivity in a software-only package, vEOS Router provides a consistent, secure and universal approach to hybrid cloud networking for any virtualized cloud deployment. Use cases for vEOS Router include Secure Multi Cloud Connectivity, Interconnecting VPCs/VNets in the Public Cloud, Multi-site VPN aggregation and Network Function Virtualization.
Chapter 2
vEOS Licensing
Licensing for vEOS
There are two licenses available as a software subscription which must be applied to the vEOS Router software after an instance is launched for the activation of all capabilities:
• vEOS Router license - Unlocks the instance from the default performance limit of 80 Mbps.
• IPsec license
SS-VEOSR-IPSEC-500M-1M
The vEOS Router SW Subscription License for a single vEOS instance for 1 month for up to 500 Mbps throughput. This includes base routing features, IPsec encryption and SW support.
SS-VEOSR-IPSEC-1G-1M
The vEOS Router SW Subscription License for a single vEOS instance for 1 month for up to 1 Gbps throughput. This includes base routing features, IPsec encryption and SW support.
SS-VEOSR-IPSEC-10G-1M
The vEOS Router SW Subscription License for a single vEOS instance for 1 month for up to 10 Gbps throughput. This includes base routing features, IPsec encryption and SW support.
If a valid license has never been installed:
• The performance of the instance is limited to 10 Mbps.
• IPsec is not available without a license.
For purchased licenses, upon expiration or nearing expiration:
• Renew the license as you would renew a service agreement. (The performance of the vEOS Router and IPsec instance are not impacted.)
• If the license is renewed, there is no impact on service, provided there is an overlap of license dates.
Support for Bring-Your-Own-License (BYOL)
Bring your own license (BYOL) is only supported on AWS. The pricing on AWS includes both the AWS instance cost and the Arista license fee.
Installing Licenses
Licenses are files that are imported via the CLI. Contact your local SE for assistance in obtaining a license. Use the license import command to load a license file. Save the file to /mnt/flash/ or a server. For example purposes, the licenses below are non-functional.
veos#license import flash:vEOSLic-1.json
veos#license import flash:IPSecLic-1.json
Verifying Installed Licenses
Use the show license command to display details regarding the active licenses and device-specific information needed for licensing. For example purposes, the licenses below are non-functional.
veos#show license
System Serial number: 2BC6A772072B04BED43DCCF8777F036F
System MAC address: 06:1b:8a:48:8d:0c
Domain name: Unknown

License feature: IPSec
   License parameter: None   Count: 1   Start: 2017-09-18 13:56:45   Expiration: 2017-12-30 16:00:00   Active: yes
License feature: vEOS - Virtualized EOS
   License parameter: None   Count: 1   Start: 2017-10-08 17:00:00   Expiration: 2017-12-30 16:00:00   Active: yes
Update License (Optional)
Use the license update command to trigger an update of licenses in storage.
veos#license update
Obtaining and Installing Soft Expiry
Users can obtain licenses from Arista that extend the time for which the customer can use a certain feature without any limitations. The license for the feature is considered expired, but the feature continues to work until the grace period stated in the license lapses.
For example, with a license such as the one below, the customer can continue to use vEOS without any limitations for ten days beyond the expiry date.
{
  "LicenseFileVersion": "1.0",
  "CustomerName": "Arista Test Customer",
  "LicenseSerialNumber": "ARISTA-TEST-DAYSPAST1",
  "Signature": {
    "SigningCertPEM": "-----BEGIN CERTIFICATE-----7brkfssZDrRIatxKEkv6Oc\nh4kXO2mvvMJxQDf7VvGXEC3fSRURLwPz//6JMx942iOKsES8ZT9nT2q9MxJXfInn\n3EcKGmPWKQR4n2qHfmq6sfk2eFBUYIrZBm9RUbVbyLZLCOv2KxJ7FFZ9LV1jp5An\nAyHLJUMQqqw/kvUUvUq1bI/PtEOlNc9Ndt/3yeh+HByzIw8/f+gjKkUjQpVncuqS\nkFotBPNNj/LjbQD40R/tJ0z/8sPXCGJuo4mE9s/MwnWmkAHxpZyCccMBlNp3LkJk\nFHcsVb36Vclv5XWDe5AxU+0sQjEB4LGP7nYo8wjjvSZIpYXRiAmDRGuAGi/W/W3F\n6hEQ661JK4KPJvoQsMqYaO/TkZPIXEAdgEDkmj0=\n-----END CERTIFICATE-----\n",
    "Hash": "f076d2cac1eac2a8261915e0b2ce4cb547e9c98bda070d001140daf3c3bd3694",
    "Signature": "304502201ca6fab964d8a3aade43d306232fcf52b9503fc22f4552d58fb5a95e1b9e13e6022100dff97ad4f37389b55887f0ec06c9ef29d55a75e668e4da654deaf8037633a9bd"
  },
  "Features": {
    "vEOS": [
      {
        "Count": 1,
        "Value": "",
        "Valid": {
          "NotBefore": "2000-01-01T00:00:00Z",
          "NotAfter": "2001-01-01T00:00:00Z"
        },
        "BehaviorModifier": {
          "DaysAllowedPastExpiration": 10
        }
      }
    ]
  },
  "BindingInfo": {
    "SystemMAC": "",
    "DomainAddress": "",
    "SerialNumber": "TestSerial"
  }
}
Additional Licensing Show Commands
The following CLIs can be used to verify whether a license is valid, when it expires, which licenses are installed and any relevant information regarding a license. The show license commands do not list features that are unlocked by external licenses or other means, and do not list the pay-as-you-go license provided by AWS.
Show License Files
Use the show license files command to display all information related to the active licenses installed. For example purposes, the licenses below are non-functional.
veos#show license files
License name: 2017.11.02.08.23.23.053684_IPSecLic-1yr.json
Contents: {
  "BindingInfo": {
    "DomainAddress": "",
    "SerialNumber": "C3F3580316A92EE8D97DB70C967EAAA4",
    "SystemMAC": "02:9c:a8:a5:51:5a"
  },
  "CustomerName": "Arista Test",
  "Features": {
    "IPSec": [
      {
        "Count": 1,
        "Valid": {
          "NotAfter": "2018-12-31T00:00:00Z",
          "NotBefore": "2017-11-02T15:21:22Z"
        },
        "Value": ""
      }
    ]
  },
  (truncated)
}

License name: 2017.11.03.12.27.24.016515_vEOSLic-1234.json
Contents: {
  "BindingInfo": {
    "DomainAddress": "",
    "SerialNumber": "C3F3580316A92EE8D97DB70C967EAAA4",
    "SystemMAC": ""
  },
  "CustomerName": "Arista Test",
  "Features": {
    "vEOS": [
      {
        "Count": 1,
        "Valid": {
          "NotAfter": "2018-12-31T00:00:00Z",
          "NotBefore": "2017-11-02T00:00:00Z"
        },
        "Value": ""
      }
    ]
  },
  "LicenseFileVersion": "1.0",
  (truncated) END CERTIFICATE-----\n"
show license files compressed
Use the show license files compressed command to display license information. In this example, the files are zipped then base64 encoded. For example purposes, the licenses below are non-functional.
veos#show license files compressed
License name: 2017.11.02.08.23.23.053684_IPSecLic-1yr.json Contents: (truncated)
show license expired
The show license expired command displays the same information as the show license command, but lists only the expired licenses.
veos#show license expired
System Serial number: 2BC6A772072B04BED43DCCF8777F036F
System MAC address: 06:1b:8a:48:8d:0c
Domain name: Unknown

License feature: IPSec
   License parameter: None   Count: 1   Start: 2017-10-05 21:49:13   Expiration: 2017-10-09 17:00:00   Active: expired
License feature: vEOS - Virtualized EOS
   License parameter: None   Count: 1   Start: 2017-10-05 21:47:34   Expiration: 2017-10-09 17:00:00   Active: expired
show license all
The show license all command will display all licenses that are active, expired or licenses that have not been activated yet.
veos#show license all
System Serial number: 2BC6A772072B04BED43DCCF8777F036F
System MAC address: 06:1b:8a:48:8d:0c
Domain name: Unknown

License feature: IPSec
   License parameter: None   Count: 1   Start: 2017-12-30 16:00:00   Expiration: 2018-12-30 16:00:00   Active: in future
   License parameter: None   Count: 1   Start: 2017-09-18 13:56:45   Expiration: 2017-12-30 16:00:00   Active: yes
   License parameter: None   Count: 1   Start: 2017-10-05 21:49:13   Expiration: 2017-10-09 17:00:00   Active: expired
License feature: vEOS - Virtualized EOS
   License parameter: None   Count: 1   Start: 2017-10-08 17:00:00   Expiration: 2017-12-30 16:00:00   Active: yes
   License parameter: None   Count: 1   Start: 2017-12-30 16:00:00   Expiration: 2018-12-30 16:00:00   Active: in future
   License parameter: None   Count: 1   Start: 2017-10-05 21:47:34   Expiration: 2017-10-09 17:00:00   Active: expired
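The license file layout shown under "Obtaining and Installing Soft Expiry" and the Active column of show license all describe the same state machine: a feature entry is "in future" before NotBefore, "yes" until NotAfter, and "expired" afterwards, with DaysAllowedPastExpiration extending usable time past NotAfter. The following Python is an added example, not Arista code and not the logic vEOS itself runs; it evaluates a constructed, non-functional license file in that layout and also checks BindingInfo against the identifiers show license prints. The "grace" label for the soft-expiry window is this example's own naming, and treating an empty BindingInfo field as a wildcard is an assumption drawn from the guide's examples that bind on SerialNumber alone.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed license file in the layout shown above (a non-functional test
# license, not a real Arista license). The vEOS entry carries the 10-day
# DaysAllowedPastExpiration grace period; the IPSec entry has none.
SAMPLE_LICENSE = """
{
  "LicenseFileVersion": "1.0",
  "CustomerName": "Arista Test Customer",
  "LicenseSerialNumber": "ARISTA-TEST-DAYSPAST1",
  "Features": {
    "vEOS": [
      {"Count": 1, "Value": "",
       "Valid": {"NotBefore": "2000-01-01T00:00:00Z", "NotAfter": "2001-01-01T00:00:00Z"},
       "BehaviorModifier": {"DaysAllowedPastExpiration": 10}}
    ],
    "IPSec": [
      {"Count": 1, "Value": "",
       "Valid": {"NotBefore": "2017-11-02T15:21:22Z", "NotAfter": "2018-12-31T00:00:00Z"}}
    ]
  },
  "BindingInfo": {"SystemMAC": "", "DomainAddress": "", "SerialNumber": "TestSerial"}
}
"""


def parse_ts(value):
    """License timestamps are ISO-8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def feature_state(entry, now):
    """Classify one feature entry with the labels 'show license all' uses
    ('in future', 'yes', 'expired'), plus 'grace' for the soft-expiry window
    (a label this example introduces; the guide does not name that state)."""
    not_before = parse_ts(entry["Valid"]["NotBefore"])
    not_after = parse_ts(entry["Valid"]["NotAfter"])
    grace_days = entry.get("BehaviorModifier", {}).get("DaysAllowedPastExpiration", 0)
    if now < not_before:
        return "in future"
    if now <= not_after:
        return "yes"
    if now <= not_after + timedelta(days=grace_days):
        return "grace"
    return "expired"


def license_report(text, now):
    """Map each feature name to the state of every entry licensed for it."""
    doc = json.loads(text)
    return {name: [feature_state(entry, now) for entry in entries]
            for name, entries in doc["Features"].items()}


def binding_matches(text, system_mac, serial, domain):
    """Compare BindingInfo with the identifiers 'show license' prints for the
    instance. Assumption for this example: an empty BindingInfo field is a
    wildcard, as in the guide's examples that bind on SerialNumber alone."""
    binding = json.loads(text)["BindingInfo"]
    pairs = [(binding.get("SystemMAC", ""), system_mac),
             (binding.get("SerialNumber", ""), serial),
             (binding.get("DomainAddress", ""), domain)]
    return all(want == "" or want.lower() == have.lower() for want, have in pairs)


if __name__ == "__main__":
    for stamp in ("2000-06-01T00:00:00Z", "2001-01-05T00:00:00Z", "2019-06-01T00:00:00Z"):
        print(stamp, license_report(SAMPLE_LICENSE, parse_ts(stamp)))
```

Running the script with the three sample clocks shows the vEOS entry moving through yes, grace and expired while the IPSec entry is still "in future" for the first two; an operator can feed a real license file and the current time to license_report to see which entries are about to fall off before show license reports them as expired.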
Chapter 3
Cloud High Availability
In the cloud, resources can be deployed across different regions or multiple locations within a region for fault tolerance reasons. AWS Availability Zones and Azure Availability Sets (or Fault Domains; Azure currently supports different resource groupings within a physical datacenter) are examples of cloud high availability offerings. When deploying vEOS Routers to enhance your cloud's network capability, deploy the vEOS Routers as a high availability pair using the vEOS Cloud High Availability feature that fits your cloud's high availability design.
The Cloud High Availability (Cloud HA) feature adds support to make the vEOS Router deployment more resilient to various failure scenarios in the cloud, such as:
• vEOS Router instance goes down due to underlying cloud infrastructure issues.
• vEOS Router instance is unable to forward traffic due to connectivity issues in the cloud infrastructure.
• vEOS Router experiences an internal issue leading to unavailability.
A vEOS Router HA pair with Cloud HA is an active-active deployment model for the different cloud high availability designs in a region. Each vEOS Router in an HA pair provides enhanced routing capabilities as the gateway (or next-hop router for certain destinations) for the subnets to which the vEOS routers connect. The two vEOS Router peers monitor each other's liveness by using Bidirectional Forwarding Detection (BFD) between the router interfaces. In case of cloud infrastructure issues or a vEOS router failure, the active vEOS router takes over as the gateway or next-hop for the subnets that were connected to the peer router, through cloud-specific API calls that modify the corresponding cloud route table(s) according to pre-configured information.
Cloud HA Topology
This diagram shows an example of a vEOS Router Cloud HA implementation.
Figure 1: Cloud high availability network topology with vEOS router instances
In the diagram above, a virtual network is a collection of resources that are in the same cloud region. Within this virtual network, the resources, including vEOS routers, deploy into two cloud high availability zones (Availability Zones for AWS and Fault Domains for Azure) for fault tolerance reasons.
Note: For ease of discussion, we will use availability zone 1 and 2 to reference the high availability design in different clouds going forward.
Within each availability zone, the hosts/VMs and vEOS interfaces are connected to their corresponding subnets when the network is operating normally. Each subnet is associated with a route table within the cloud infrastructure. Static routes are configured in the cloud route tables so that traffic from the hosts/VMs is routed to the vEOS Router in the corresponding availability zone as the gateway or next-hop to reach certain destinations. For example, configure a default route (0.0.0.0/0) in the cloud route table with the next-hop as the vEOS Router's cloud interface ID or IP (varies depending on the cloud). The routing policy or protocol, such as BGP, on the vEOS Routers is user configurable based on the user's network design.
The two vEOS Routers in the diagram above are configured with the Cloud HA feature as HA peers. The Cloud HA on the vEOS routers would establish a BFD peering session between the two devices through ethernet or tunnel interfaces.
When BFD connectivity loss is detected by the active vEOS router, the existing routes in the backup route table in the cloud would be updated through cloud-specific API to use the active vEOS router as the next-hop. For example, if vEOS 2 detected BFD connectivity loss with its peer, vEOS 2 would update the routes in Route Table 1 so traffic from hosts in Subnet 1 and Subnet 2 for vEOS 1 would be forwarded to next-hop ID or IP owned by vEOS 2. Traffic from the hosts in availability zone 1 would first be forwarded to the corresponding subnet gateways in the cloud. After that, the subnet gateways in the cloud would forward the traffic toward the new next-hop interface ID or IP that exist on vEOS 2. When vEOS 2 received the traffic, it would forward the traffic on according to its routing table.
What about traffic going toward the hosts in availability zone 1 while connectivity to vEOS 1 is down? When connectivity to vEOS 1 is down, hosts behind Subnet 1 and Subnet 2 become unreachable to the other part of the network (routes being withdrawn by routing protocols like BGP). Since Subnet 1 and Subnet 2 are not directly connected to vEOS 2, a routing strategy for the two subnets as "backup" on vEOS 2 is to be considered as part of your network design. A typical design would be to use static routes for the subnets connected to the peer vEOS router and point them toward the cloud subnet gateways of the active vEOS router (for example, a static route for peer subnet 10.1.1.0/24 would be configured on the active vEOS router as ip route 10.1.1.0/24 10.2.1.1 255, where 10.2.1.1 is the gateway/next-hop for one of the ethernet interfaces) with a high administrative distance value (least preferred). The static routes would be redistributed or advertised when the original routes with better administrative distance are withdrawn or removed by the dynamic routing protocol (such as BGP).
When BFD peering session is restored to UP state upon recovery, each active vEOS router would restore its locally controlled route table entries (per user configuration) to point to itself as primary gateway again.
Cloud HA Configuration
This example configuration is based on the Cloud HA implementation diagram. The point of reference of the configuration is the vEOS Router instance vEOS 1 in the Gateway Virtual Network.
Note: Starting from Release 4.20.6, the Cloud HA configuration is only available through the CLI. The JSON file from the previous vEOS version is deprecated. You must convert the JSON configuration to CLI configuration after upgrading from any previous vEOS version. For information regarding the conversion of the JSON configuration to CLI configuration, go to: JSON-Based Cloud High Availability Configurations and Equivalent CLI Configurations on page 20.
Cloud HA Modes
The Cloud HA related configurations are divided into three separate configuration modes:
• Cloud Proxy - For proxy related configuration such as http and https.
• Cloud Provider - For cloud provider specific configuration such as region, credential, and proxy name.
• Cloud High-Availability - For configurations such as route, next-hop, BFD source interface, and peer.
The example includes specific configurations for various aspects of the Cloud HA implementation that are configured prior to implementation. The specific configurations are:
• Configuring the Cloud Proxy on page 16
• Configuring the Cloud Provider on page 16
• Configuring Cloud High Availability on page 18
Note: The last two configurations represent full Cloud HA implementation configurations, including one full configuration for Cloud HA on the AWS Specific Cloud, and one for Cloud HA on Azure.
• AWS Specific for High Availability on page 19
• Azure Specific for High Availability on page 19
Configuring the Cloud Proxy
Optional proxies can be configured if used in a deployment. The configuration is applicable for any cloud type. All web traffic for the underlying RESTful APIs of the Cloud provider SDK will use the configured proxies. Multiple proxies can be configured, but only one can be used at any given time from the Cloud High-Availability configuration.
veos(config)#cloud proxy test
veos(config-cloud-proxy-test)#
The following example configures the cloud proxy IP, port, and username and password for HTTP.
veos(config)#cloud proxy test
veos(config-cloud-proxy-test)#http 1.2.3.4 1234 username test password 7 075E731F1A
veos(config-cloud-proxy-test)#
Configuring the Cloud Provider
The following describes configurations required for Cloud HA on different types of clouds.
Cloud Configuration
To have access to the cloud services, the vEOS Router must be provided with credentials. Additionally, a proxy may be configured for the connection to the cloud services to go through.
AWS Specific Cloud
Complete the following tasks to configure AWS Specific Cloud services.
• Configure Credentials
• Access to AWS Specific Cloud API Server
• If vEOS is associated with a public IP address, no special configuration is required.
• If vEOS is not associated with a public IP address, use either AWS PrivateLink or a Proxy configuration.
Configure Credentials
In the AWS Specific Cloud configuration, a region must be specified. It is recommended to authorize the vEOS Router by assigning it an IAM role, but an explicit credential can also be specified.
• IAM Role Configuration - No credentials. See Cloud Provider Helpful Tips on page 18 for additional information.
• Explicit Credential Configuration
AWS Specific Cloud IAM Role Configuration
The IAM role should be configured on the AWS Specific Cloud as shown below. This is the recommended configuration.
• "Trust Relationships" has "ec2.amazonaws.com" as trusted entities.
• "Policy" with "Permissions" for the network related EC2 actions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AssociateRouteTable",
        "ec2:CreateRoute",
        "ec2:CreateRouteTable",
        "ec2:DeleteRoute",
        "ec2:DeleteRouteTable",
        "ec2:DescribeRouteTables",
        "ec2:DescribeVpcs",
        "ec2:ReplaceRoute",
        "ec2:DisassociateRouteTable",
        "ec2:ReplaceRouteTableAssociation",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeInstances",
        "ec2:DescribeSubnets"
      ],
      "Resource": "*"
    }
  ]
}
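The policy above is the complete set of EC2 actions the Cloud HA agent needs, which makes it a useful baseline for checking what is actually attached to the instance role: a policy with fewer actions breaks failover (the agent cannot rewrite the route table), while a policy granting ec2:* or unrelated services hands any process on the router far more than route-table control. The following Python is an added example, not Arista code; it audits a policy document against that list using only the policy JSON, so it runs offline on an exported document. The policies it contains are constructed for the example, and the wildcard handling (fnmatch-style "*" with case-insensitive action names) is a simplification of IAM matching.

```python
import json
from fnmatch import fnmatchcase

# EC2 actions the guide lists for the Cloud HA IAM role (taken from the policy above).
REQUIRED_ACTIONS = {
    "ec2:AssociateRouteTable", "ec2:CreateRoute", "ec2:CreateRouteTable",
    "ec2:DeleteRoute", "ec2:DeleteRouteTable", "ec2:DescribeRouteTables",
    "ec2:DescribeVpcs", "ec2:ReplaceRoute", "ec2:DisassociateRouteTable",
    "ec2:ReplaceRouteTableAssociation", "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeInstances", "ec2:DescribeSubnets",
}

# Constructed policies for the audit: the guide's policy as written, an over-broad
# variant, and a read-only variant that would leave the agent unable to fail over.
GUIDE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": sorted(REQUIRED_ACTIONS), "Resource": "*"}],
})
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"},
    ],
})
READ_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": [a for a in sorted(REQUIRED_ACTIONS) if "Describe" in a]}],
})


def allowed_actions(policy):
    """Collect the action patterns granted by Allow statements; IAM accepts a
    single string or a list in the Action element."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        granted.update([action] if isinstance(action, str) else action)
    return granted


def covers(pattern, action):
    """IAM action names match case-insensitively and '*' is a wildcard
    (simplified fnmatch-style matching for this example)."""
    return fnmatchcase(action.lower(), pattern.lower())


def audit_policy(policy_text):
    """Compare a policy with the Cloud HA requirement. Returns the required
    actions no statement grants, the literal actions granted beyond the
    requirement, and any wildcard patterns (which grant more than the agent
    needs and should be replaced with the explicit list above)."""
    granted = allowed_actions(json.loads(policy_text))
    required_lower = {a.lower() for a in REQUIRED_ACTIONS}
    missing = sorted(a for a in REQUIRED_ACTIONS
                     if not any(covers(p, a) for p in granted))
    wildcards = sorted(p for p in granted if "*" in p)
    extra = sorted(p for p in granted - set(wildcards) if p.lower() not in required_lower)
    return {"missing": missing, "extra": extra, "wildcards": wildcards}


if __name__ == "__main__":
    for name, text in (("guide", GUIDE_POLICY), ("broad", BROAD_POLICY), ("read-only", READ_ONLY_POLICY)):
        print(name, audit_policy(text))
```

A policy exported with the AWS CLI or console can be passed straight to audit_policy; an empty result on all three keys means the role grants exactly what the guide asks for and nothing more.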
Cloud High Availability
This is applicable only when running in an AWS cloud environment and configures various aspects of the Cloud HA feature to interact with AWS web services.
Note: The access-key-id and secret access-key commands are either both configured or both omitted. If omitted, the Cloud HA Agent will try to use the AWS IAM role for security tokens to access and control AWS route tables. Verify that the IAM role for the vEOS router Virtual Machine (VM) is configured properly on the AWS cloud. Refer to AWS documentation to configure the IAM role.
veos(config)#cloud provider aws
veos(config-cloud-aws)#access-key 0 ATPAILIL5E982IPT7P3R
veos(config-cloud-aws)#secret access-key 0 M0RRUtAA8I8wYxJB8
veos(config-cloud-aws)#region us-west-1
veos(config-cloud-aws)#proxy test
Configure the backup-gateway, primary-gateway, Route Table ID (rtb) and local interface for AWS. The Route Table ID identifies for AWS the route table of the backup-gateway or primary-gateway, and the destination then selects the individual route within that route table to control. The local-cloud-interface points to the interface ID eni-867caa86 (from the AWS perspective) of the vEOS router to which the traffic should be directed.
veos(config)#cloud high-availability
veos(config-cloud-ha)#peer veos2
veos(config-cloud-ha-peer-veos2)#aws
veos(config-cloud-ha-peer-veos2-aws)#backup-gateway rtb-40b72d24 0.0.0.0/0 local-cloud-interface eni-867caa86
veos(config-cloud-ha-peer-veos2-aws)#primary-gateway rtb-2843124c 0.0.0.0/0 local-cloud-interface eni-867caa86
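The failover sequence described in the Cloud HA Topology section and the backup-gateway / primary-gateway lines just configured fit together as follows: on BFD loss the surviving router rewrites the destination in each backup-gateway route table to its own local-cloud-interface, and once BFD is back up each router waits recovery wait-time before pointing its primary-gateway tables at itself again. The following Python is an added example, not Arista code and not the vEOS Cloud HA agent; it models that behaviour against a fake route-table API so the effect of the configuration can be traced offline. It uses the rtb and eni identifiers from the example above for vEOS 1; the vEOS 2 interface id eni-veos2-example is constructed, BFD itself is not modelled (its up/down events are injected), and the recovery wait of 90 seconds matches the recovery wait-time example below.

```python
class FakeRouteTableApi:
    """Stand-in for the cloud route-table API (the ReplaceRoute / DescribeRouteTables
    calls the IAM policy permits). Constructed for this example; not an AWS SDK."""

    def __init__(self, tables):
        # {route-table-id: {destination-prefix: next-hop interface id}}
        self.tables = {rtb: dict(routes) for rtb, routes in tables.items()}
        self.calls = []  # audit trail of every write the agents make

    def next_hop(self, rtb, destination):
        return self.tables[rtb][destination]

    def replace_route(self, rtb, destination, eni):
        self.calls.append(("ReplaceRoute", rtb, destination, eni))
        self.tables[rtb][destination] = eni


class CloudHaAgent:
    """One router's Cloud HA agent, driven by BFD events for its peer.
    primary: (rtb, destination, local eni) from the primary-gateway lines
    backup:  (rtb, destination, local eni) from the backup-gateway lines"""

    def __init__(self, api, primary, backup, recovery_wait):
        self.api = api
        self.primary = primary
        self.backup = backup
        self.recovery_wait = recovery_wait
        self.restore_at = None

    def _point(self, rtb, destination, eni):
        # Only call the cloud API when the route actually needs changing.
        if self.api.next_hop(rtb, destination) != eni:
            self.api.replace_route(rtb, destination, eni)

    def on_bfd_down(self, now):
        # Peer unreachable: take over its route tables via the backup-gateway entries.
        self.restore_at = None
        for rtb, destination, eni in self.backup:
            self._point(rtb, destination, eni)

    def on_bfd_up(self, now):
        # Peer back: reclaim our own tables only after the recovery wait-time.
        self.restore_at = now + self.recovery_wait

    def tick(self, now):
        if self.restore_at is not None and now >= self.restore_at:
            for rtb, destination, eni in self.primary:
                self._point(rtb, destination, eni)
            self.restore_at = None


def run_scenario():
    """vEOS 1 fails at t=10 s and recovers at t=100 s; both agents wait 90 s before restore."""
    api = FakeRouteTableApi({
        "rtb-2843124c": {"0.0.0.0/0": "eni-867caa86"},       # vEOS 1's table and interface (from the guide)
        "rtb-40b72d24": {"0.0.0.0/0": "eni-veos2-example"},  # vEOS 2's table; eni id constructed
    })
    veos1 = CloudHaAgent(api, recovery_wait=90,
                         primary=[("rtb-2843124c", "0.0.0.0/0", "eni-867caa86")],
                         backup=[("rtb-40b72d24", "0.0.0.0/0", "eni-867caa86")])
    veos2 = CloudHaAgent(api, recovery_wait=90,
                         primary=[("rtb-40b72d24", "0.0.0.0/0", "eni-veos2-example")],
                         backup=[("rtb-2843124c", "0.0.0.0/0", "eni-veos2-example")])

    def veos1_default_hop():
        return api.next_hop("rtb-2843124c", "0.0.0.0/0")

    timeline = {"steady": veos1_default_hop()}
    veos2.on_bfd_down(10)            # vEOS 2 detects BFD loss and takes over vEOS 1's table
    timeline["failover"] = veos1_default_hop()
    veos1.on_bfd_up(100)             # BFD session restored on both sides
    veos2.on_bfd_up(100)
    veos1.tick(150)                  # inside the 90 s wait: nothing changes yet
    veos2.tick(150)
    timeline["during_wait"] = veos1_default_hop()
    veos1.tick(190)                  # wait elapsed: vEOS 1 reclaims its own table
    veos2.tick(190)                  # vEOS 2's table already points at itself, no API call
    timeline["recovered"] = veos1_default_hop()
    timeline["api_calls"] = list(api.calls)
    return timeline


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The api.calls list is the part worth keeping an eye on in a real deployment: every route rewrite the agent performs is a cloud API write under the instance role, so CloudTrail entries for ReplaceRoute from the router's role outside a BFD event are worth investigating.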
Explicit Credential Configuration
The explicit credential should be configured as shown below.
veos(config)#cloud provider aws
veos(config-cloud-aws)#region us-west-1
veos(config-cloud-aws)#access-key 0 MYEXAMPLESECRETKEY
veos(config-cloud-aws)#secret access-key 0 MYEXAMPLESECRETKEY
veos(config-cloud-aws)#exit
veos(config-cloud)#exit
Azure
There are two authorization models that can be used in Azure: SDK Auth Credentials and Active Directory Credentials. SDK Auth Credentials are the recommended authorization model.
SDK Auth Credentials
To generate SDK Auth Credentials, use the sdk authentication credential-file flash:startup-config command in the config-cloud-azure configuration mode.
veos(config)#cloud provider azure
veos(config-cloud-azure)#sdk authentication credential-file flash:startup-config
Active Directory Credentials
The following example places the vEOS router into the config-cloud-azure configuration mode and sets the active directory credentials.
veos(config)#cloud provider azure
veos(config-cloud-azure)#active-directory credential email subscription-id ef16892c-aa46-4aba-ae9a-d4fhsb1c612c
Cloud Provider Helpful Tips
The following are needed for Cloud High Availability but are not part of the vEOS configuration on the vEOS Router. These may change, or there may be another way to achieve the same effect without changing the vEOS Router.
AWS VPN Specific Cloud PrivateLink
AWS VPN Specific Cloud PrivateLink allows a private (no public IP address) vEOS instance to access services offered by AWS (without using a proxy).
Interface VPC endpoints enable a private vEOS instance to connect to AWS VPN Specific Cloud PrivateLink. To configure Interface VPC Endpoints:
1. Open the Amazon VPC console and choose Endpoints in the navigation panel.
2. Select Create Endpoint.
3. Choose the AWS Services and select service name com.amazonaws.<your-region>.ec2.
4. Choose the VPC and the subnets in each availability zone for the Interface VPC endpoints.
5. Enable private DNS name and set security group accordingly.
6. Select Create Endpoint.
Once the Endpoint(s) is created, the EC2 API IP associated with the domain-name will be updated to the endpoint IP.
Additional interface VPC endpoints information can be found at:
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpce-interface.html
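The console steps above can also be scripted, and a practitioner will want to confirm afterwards that the private DNS name actually took effect. The following is an added example written for this page (it is not Arista or AWS code): it creates the interface endpoint with the AWS SDK for Python (boto3) using the real create_vpc_endpoint parameters, then resolves the regional EC2 API name and checks that every answer lies inside the VPC CIDR. The VPC ID, subnet IDs, security group IDs and CIDR are placeholders; the two live functions need AWS credentials and must run from inside the VPC, while the offline helpers run anywhere.

```python
"""Create the EC2 interface VPC endpoint from the steps above with boto3 and
verify that the regional EC2 API name resolves inside the VPC afterwards.
Added example, not Arista or AWS code; VPC, subnet and security-group IDs
are placeholders."""
import ipaddress
import socket
from typing import Iterable, List, Tuple


def ec2_service_name(region: str) -> str:
    """Service name chosen in step 3 of the console procedure."""
    return f"com.amazonaws.{region}.ec2"


def ec2_api_hostname(region: str) -> str:
    """Regional EC2 API name the vEOS instance calls; private DNS maps it to the endpoint."""
    return f"ec2.{region}.amazonaws.com"


def addresses_outside(addresses: Iterable[str], vpc_cidr: str) -> List[str]:
    """Return the resolved addresses that are NOT inside vpc_cidr.

    An empty list means every DNS answer points at the endpoint ENIs, so EC2 API
    traffic from the vEOS instance stays private. Any public address here means
    private DNS is not in effect and the API would be reached over a public path.
    """
    net = ipaddress.ip_network(vpc_cidr, strict=False)
    return [a for a in addresses if ipaddress.ip_address(a) not in net]


def create_ec2_endpoint(region: str, vpc_id: str, subnet_ids: List[str],
                        security_group_ids: List[str]) -> str:
    """Steps 1-6: create the interface endpoint with private DNS enabled.

    The security groups should allow TCP 443 from the vEOS subnets, since the
    EC2 API is reached over HTTPS. Requires AWS credentials; not run offline.
    """
    import boto3  # imported lazily so the offline helpers work without boto3
    ec2 = boto3.client("ec2", region_name=region)
    resp = ec2.create_vpc_endpoint(
        VpcEndpointType="Interface",
        VpcId=vpc_id,
        ServiceName=ec2_service_name(region),
        SubnetIds=subnet_ids,
        SecurityGroupIds=security_group_ids,
        PrivateDnsEnabled=True,
    )
    return resp["VpcEndpoint"]["VpcEndpointId"]


def verify_private_resolution(region: str, vpc_cidr: str) -> Tuple[bool, List[str]]:
    """Resolve the EC2 API name (from inside the VPC) and check all answers are private."""
    _, _, addrs = socket.gethostbyname_ex(ec2_api_hostname(region))
    return (not addresses_outside(addrs, vpc_cidr), addrs)


if __name__ == "__main__":
    # Placeholder identifiers; replace with the VPC that hosts the vEOS instances.
    endpoint_id = create_ec2_endpoint("us-west-1", "vpc-PLACEHOLDER",
                                      ["subnet-PLACEHOLDER"], ["sg-PLACEHOLDER"])
    print("created", endpoint_id)
    ok, answers = verify_private_resolution("us-west-1", "10.0.0.0/16")
    print("private resolution:", ok, answers)
```

Run the verification from the vEOS instance's own subnet (or another host in the same VPC), since the private hosted zone only answers inside the VPC; a public address in the result means the EC2 API calls made by Cloud HA will leave the VPC.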
Configuring Cloud High Availability
To enable the Cloud HA and its parameters, use the following configurations.
Enable Cloud High Availability
The cloud high-availability command places the vEOS in the cloud-ha configuration mode. This example enables cloud high-availability and configures the peer veos2.
veos(config)#cloud high-availability
veos(config-cloud-ha)#no shutdown
veos(config-cloud-ha)#peer veos2
veos(config-cloud-ha-peer-veos2)#
Configuring BFD
To configure the BFD link between the HA pair of vEOS Routers, which is used to detect peer failure, the peer IP address and the local BFD source interface must be provided. The following example configures Tunnel 2 as the single-hop source interface for BFD.
veos(config)#cloud high-availability
veos(config-cloud-ha)#peer veos2
veos(config-cloud-ha-peer-veos2)#bfd source-interface tunnel 2 single-hop
Configuring the Recovery Time
The recovery wait-time command in the cloud-ha peer configuration sub-mode configures how long to wait after failure recovery before taking back control of the local route tables. The following example configures a wait time of 90 seconds.
veos(config-cloud-ha-peer-veos2)#recovery wait-time 90
Full Configurations
AWS VPN Specific Cloud Full Configuration
The following AWS configuration is valid for use with the IAM role.
cloud provider aws
   region us-west-1
!
cloud high-availability
   no shutdown
   !
   peer veos2
      aws
         backup-gateway rtb-40b72d24 0.0.0.0/0 local-cloud-interface eni-26cb1d27
         backup-gateway rtb-17b32973 0.0.0.0/0 local-cloud-interface eni-1589e714
         backup-gateway rtb-54503330 0.0.0.0/0 local-cloud-interface eni-56cf1957
         primary-gateway rtb-a4be24c0 0.0.0.0/0 local-cloud-interface eni-26cb1d27
         primary-gateway rtb-40b72d24 0.0.0.0/0 local-cloud-interface eni-56cf1957
         primary-gateway rtb-63b02a07 0.0.0.0/0 local-cloud-interface eni-1589e714
      peer address 10.2.201.149
      recovery wait-time 5
      bfd source-interface Ethernet1
!
Azure Full Configuration
The following Azure configuration is valid for the MSI.
cloud high-availability
   no shutdown
   !
   peer veos2
      azure
         backup-gateway Subnet-2-vEOS-RouteTable 0.0.0.0/0 10.1.2.4 resource-group CloudHaAzure
         backup-gateway Subnet-2-vEOS-RouteTable 10.1.0.0/16 10.1.2.4 resource-group CloudHaAzure
         backup-gateway Subnet-3-vEOS-RouteTable 10.1.0.0/16 10.1.3.4 resource-group CloudHaAzure
         backup-gateway Subnet-3-vEOS-RouteTable 0.0.0.0/0 10.1.3.4 resource-group CloudHaAzure
         primary-gateway Subnet-1-vEOS-RouteTable 10.1.0.0/16 10.1.1.4 resource-group CloudHaAzure
         primary-gateway Subnet-1-vEOS-RouteTable 0.0.0.0/0 10.1.1.4 resource-group CloudHaAzure
      peer address 10.1.0.5
      recovery wait-time 10
      bfd source-interface Ethernet1
JSON-Based Cloud High Availability Configurations and Equivalent CLI Configurations
Note: Starting from 4.20.6, the Cloud HA configuration is only available through the CLI. The JSON file from the previous vEOS version is deprecated. You must convert the JSON configuration to CLI configuration after upgrading from any previous vEOS version.
Mapping JSON Config to the New CLI
Use the following to map the previous JSON file to the new CLI.
Mapping JSON Config to Cloud High-Availability
The following JSON Configurations are now available in Cloud High-Availability configuration mode.
• generalConfig
• bfdConfig
• awsConfig
• azureConfig
• awsLocal/PeerRoutingConfig
• azureLocal/PeerRoutingConfig
AWS JSON Configuration Example
"generalConfig" : {
   "enable_optional" : "true",
   "hysteresis_time_optional" : "10",
   "source_ip_optional" : "10.10.1.1"
},
"bfdConfig" : {
   "peerVeosIp" : "10.10.1.2",
   "bfdSourceInterface" : "Tunnel1"
},
"awsLocalRoutingConfig" : {
   "routeTableIdAndRouteNetworkInterface" : [
      { "routeTableId" : "rtb-12345678", "destination" : "0.0.0.0/0", "routeTarget" : "eni-12345678" }
   ]
},
"awsPeerRoutingConfig" : {
   "routeTableIdAndRouteNetworkInterface" : [
      { "routeTableId" : "rtb-87654321", "destination" : "0.0.0.0/0", "routeTarget" : "eni-12345678" }
   ]
}
AWS Equivalent CLI Configuration
cloud high-availability
   no shutdown
   !
   peer veos2
      aws
         backup-gateway rtb-87654321 0.0.0.0/0 local-cloud-interface eni-12345678
         primary-gateway rtb-12345678 0.0.0.0/0 local-cloud-interface eni-12345678
      peer address 10.10.1.2
      recovery wait-time 10
      bfd source-interface Tunnel1 single-hop
Azure JSON Configuration
"generalConfig" : {
   "enable_optional" : "true",
   "hysteresis_time_optional" : "10",
   "source_ip_optional" : "10.10.1.1"
},
"bfdConfig" : {
   "peerVeosIp" : "10.10.1.2",
   "bfdSourceInterface" : "Tunnel1"
},
"azureLocalRoutingConfig" : {
   "resourceGroupName" : "resourceGroup1",
   "routeTables" : [
      {
         "routeTableName" : "Subnet-vEOS1-RouteTable",
         "routes" : [ { "prefix" : "0.0.0.0/0", "nextHopIp" : "10.1.2.4" } ]
      }
   ]
},
"azurePeerRoutingConfig" : {
   "resourceGroupName" : "resourceGroup1",
   "routeTables" : [
      {
         "routeTableName" : "Subnet-vEOS2-RouteTable",
         "routes" : [ { "prefix" : "0.0.0.0/0", "nextHopIp" : "10.1.2.4" } ]
      }
   ]
}
Azure Equivalent CLI Configuration
cloud high-availability
   no shutdown
   !
   peer veos2
      azure
         backup-gateway Subnet-vEOS2-RouteTable 0.0.0.0/0 10.1.2.4 resource-group resourceGroup1
         primary-gateway Subnet-vEOS1-RouteTable 0.0.0.0/0 10.1.2.4 resource-group resourceGroup1
      peer address 10.10.1.2
      recovery wait-time 10
      bfd source-interface Tunnel1 single-hop
Mapping JSON Config to the Cloud Provider
The following JSON configurations are now available in Cloud Provider configuration mode.
• region
• aws_credentials_optional
• azureSdkAuthCredentials
The example below uses the AWS access key and proxy.
AWS JSON Configuration
"region" : "us-west-1",
"aws_credentials_optional" : {
   "aws_access_key_id" : "ABCDEFGHIJKLMNOPQRST",
   "aws_secret_access_key" : "TSRQPONMLKJIHGFEDCBA"
}
AWS Equivalent CLI Configuration
cloud provider aws
   region us-west-1
   access-key-id 7 1234567890ABCDEFGHIJKLMNOPQRST
   secret access-key 7 1234567890TSRQPONMLKJIHGFEDCBA
   proxy proxy1
Mapping JSON Config to the Cloud Proxy
The following JSON configurations are available in Cloud Proxy configuration mode.
Note: In the Cloud HA CLI, the Cloud Proxy name must be referenced in the Cloud Provider proxy configuration to use the proxy.
JSON Configuration
"http_proxy_optional" : {
   "http_port_optional" : "443",
   "http_proxy_port_optional" : "8888",
   "http_proxy_optional" : "10.3.3.3",
   "http_proxy_user_optional" : "",
   "http_proxy_password_optional" : ""
}
Equivalent CLI Configuration
cloud proxy proxy1 https 10.3.3.3 8888
General Troubleshooting Tips
If the Cloud HA feature is not working as expected, follow these tips for debugging.
• Make sure that network connectivity exists and that the DNS server is set up correctly; this feature depends on both.
• If using a proxy and an IAM role under AWS, make sure that HTTP traffic (TCP port 80) is not proxied, so that temporary security credentials can be retrieved by the vEOS instance.
• Make sure to use a corresponding BFD source interface on the peer vEOS instance. This makes sure that BFD traffic ingress and egress are on the same interface on each instance.
• For an AWS Specific Cloud, if the IAM role does not work, Arista recommends temporarily using an access-key id and secret access key with enough permissions to confirm that the rest of the Cloud HA configuration is fine while you debug the IAM role policy.
Caveats and Limitations
• This feature was introduced in EOS release 4.20.5F, which uses the /mnt/flash/cloud_ha_config.json file for Cloud HA configuration without any CLI support. Starting from release 4.20.5.A1 onwards, the Cloud HA feature supports CLI based configuration only. Deployments using JSON based config are not supported and will not work when the image is upgraded or downgraded. To upgrade the image, the administrator must configure the Cloud HA feature manually by converting the JSON config to the equivalent CLI configuration. Downgrading will work as long as the older JSON file is still present in the /mnt/flash directory.
• Only a single resource-group is supported across all routing entries for Azure under the Cloud HA configuration.
• The Cloud HA feature currently supports only a single peer.
• The AWS IAM role or Azure MSI needs to be configured properly using the cloud provider's management tools and should give the vEOS instance sufficient permissions to access and update route table entries.
• The vEOS instance should have connectivity to the cloud provider's web services. The access can also be via a proxy or using a feature like AWS PrivateLink.
• The recovery wait-time should not be configured to less than 10 seconds, to avoid unnecessary route flapping when experiencing periodic instabilities.
• The Cloud HA feature completely validates all the provided cloud configuration to make sure it is consistent and has all required permissions. However, the administrator should not change the provider's network configuration afterwards, to avoid any issues during fail-over.
• When there are BFD connectivity issues between the two vEOS peers, each instance will take over the other's traffic. This cross-traffic forwarding on the provider's network should not have any adverse effect and still works as active-active, even though both instances will report as Fail-over. After the network connectivity is resolved, the traffic pattern should revert to the normal active-active mode.
• The user can adjust the BFD-specific parameters for the session used by the Cloud HA feature using the normal BFD commands such as multiplier and tx/rx intervals. The Cloud HA fail-over and traffic takeover time is directly correlated with the BFD failure detection time. However, an overly aggressive BFD configuration may incur higher overhead and may result in greater instability during traffic bursts. Arista recommends using the default BFD interval, which is currently 300 msec with a multiplier of 3.
• The bfd source-interface used in the Cloud HA configuration should not belong to, or be routable via, the route tables controlled by the vEOS router instance itself, to avoid traffic looping issues.
• If Cloud HA is in an invalid configuration state due to an erroneous or mismatched configuration in the provider's cloud, the administrator has to force an update of the Cloud HA configuration (for example by shut/no shut under Cloud HA mode) after updating the provider's cloud configuration. In other words, the Cloud HA feature will not by itself retry the back-end configuration check if it is found to be invalid at the time of configuration.
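Several of the caveats above (single peer, single Azure resource group, a recovery wait-time of at least 10 seconds, a BFD source interface on the peer) can be checked from the CLI configuration text before it is applied, which is cheaper than discovering them during a fail-over. The following is an added example written for this page (not Arista tooling): a small linter over a Cloud HA configuration block that reports one finding per caveat violated. The sample input is constructed from the AWS full configuration shown earlier on this page, whose recovery wait-time of 5 seconds is below the recommended floor; the 10-second threshold is taken from the caveat, and the "peer <name>" pattern is assumed to be the only form that opens the peer submode.

```python
"""Check a vEOS Cloud HA CLI configuration against the caveats listed above.
Added example, not Arista tooling; thresholds are taken from the caveats."""
import re
from typing import List

# Constructed sample: the AWS full configuration shown earlier on this page,
# reduced to two gateway entries. Its recovery wait-time of 5 seconds is below
# the 10-second floor the caveats recommend, so the linter should flag it.
SAMPLE_CONFIG = """
cloud high-availability
   no shutdown
   !
   peer veos2
      aws
         backup-gateway rtb-40b72d24 0.0.0.0/0 local-cloud-interface eni-26cb1d27
         primary-gateway rtb-a4be24c0 0.0.0.0/0 local-cloud-interface eni-26cb1d27
      peer address 10.2.201.149
      recovery wait-time 5
      bfd source-interface Ethernet1
"""

MIN_RECOVERY_WAIT = 10  # seconds; caveat: avoid route flapping under periodic instability


def lint_cloud_ha(config: str) -> List[str]:
    """Return one finding per caveat the configuration violates (empty = clean)."""
    findings: List[str] = []
    if not re.search(r"^\s*cloud high-availability\s*$", config, re.M):
        return ["no cloud high-availability block found"]

    # Caveat: Cloud HA supports only a single peer. 'peer <name>' opens the
    # peer submode; 'peer address <ip>' is a different command and is excluded
    # because the pattern requires exactly one word after 'peer'.
    peers = re.findall(r"^\s*peer\s+(\S+)\s*$", config, re.M)
    if len(peers) > 1:
        findings.append(f"{len(peers)} peers configured ({', '.join(peers)}); only one is supported")

    # Caveat: recovery wait-time below 10 s invites unnecessary route flapping.
    for m in re.finditer(r"recovery wait-time\s+(\d+)", config):
        if int(m.group(1)) < MIN_RECOVERY_WAIT:
            findings.append(f"recovery wait-time {m.group(1)} is below {MIN_RECOVERY_WAIT} s")

    # Caveat: only one Azure resource-group across all routing entries.
    groups = sorted(set(re.findall(r"resource-group\s+(\S+)", config)))
    if len(groups) > 1:
        findings.append(f"multiple Azure resource groups referenced: {', '.join(groups)}")

    # Peer failure is detected over BFD, so a peer without a BFD source interface
    # can never trigger a fail-over.
    if peers and not re.search(r"^\s*bfd source-interface\s+\S+", config, re.M):
        findings.append("peer configured without bfd source-interface; failure detection disabled")

    # Administratively shut down: nothing above takes effect.
    if re.search(r"^\s*shutdown\s*$", config, re.M):
        findings.append("cloud high-availability is shut down")
    return findings


if __name__ == "__main__":
    for finding in lint_cloud_ha(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

The loop caveat (BFD source interface reachable through a route table the router itself controls) cannot be decided from the CLI text alone, since the route tables' contents live in the provider; that check belongs in a script that also queries the cloud API.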
Cloud High Availability Commands
Global
cloud high availability cloud high-availability (vEOS) on page 28
cloud high availability shutdown cloud high-availability shutdown (vEOS) on page 28
cloud high availability peer cloud high-availability peer
Interface
backup-gateway backup-gateway (vEOS - Azure) on page 27
bfd source-interface bfd source-interface (vEOS) on page 27
peer peerName peer (vEOS) on page 32
primary-gateway (Azure Submode) primary-gateway (vEOS - Azure) on page 33
recovery wait-time recovery wait-time (vEOS) on page 34
Cloud Provider Commands
Global
cloud provider azure cloud provider azure (vEOS) on page 29
cloud provider aws cloud provider aws (vEOS) on page 29
proxy proxy (vEOS) on page 33
Interface (Azure)
active-directory credential email subscription-id active-directory credential email subscription-id (vEOS-Azure) on page 26
Interface (AWS)
access-key-id access-key-id (vEOS-AWS) on page 25
region region (vEOS - AWS) on page 34
secret access-key secret access-key (vEOS - AWS) on page 35
Cloud Proxy Commands
Global
cloud proxy cloud proxy (vEOS) on page 30
Interface
http http (vEOS) on page 30
https https (vEOS) on page 31
proxy cloud proxy (vEOS) on page 30
Show Commands
EXEC
show cloud high-availability show cloud high-availability (vEOS) on page 36
show cloud high-availability routes show cloud high-availability routes on page 36
show cloud provider aws show cloud provider aws (vEOS - AWS) on page 37
show cloud provider azure show cloud provider azure (vEOS - Azure) on page 38
show cloud proxy show cloud proxy (vEOS) on page 38
Cloud High Availability CLIs
The Cloud High Availability CLIs are divided into three separate configuration modes:
Cloud Proxy - For proxy related configuration such as http and https.
Cloud Provider - For cloud provider specific configuration such as region, credential, and proxy name.
Cloud High-Availability - For configurations such as route, next-hop, BFD source interface, and peer.
access-key-id (vEOS-AWS)
The cloud provider aws command places the vEOS in cloud-provider-aws configuration mode. This configuration mode allows the user to configure the access-key-id command parameters. The no access-key-id command removes the configuration from the vEOS running-config. The exit command returns the vEOS to global configuration mode.
Note: Supported on AWS platform only.
Command Mode
Cloud Provider AWS Configuration
Command Syntax
access-key-id Password_Type
no access-key-id Password_Type
Parameters
Password_Type
0 access-key-id The password is a clear-text string. Equivalent to no parameter.
7 encrypted_key The password is an encrypted string.
Example:
The following example configures the AWS access key as a clear-text string.
veos(config)#cloud provider aws
veos(config-cloud-aws)#access-key 0 565656 test
Example:
The following example removes the AWS access key and returns the vEOS to global configuration mode.
veos(config-cloud-aws)#access-key 0 565656 test
veos(config-cloud-aws)#no access-key 0 565656 test
veos(config)#
Example:
The following example returns the vEOS to global configuration mode.
veos(config-cloud-aws)#access-key 0 565656 test
veos(config-cloud-aws)#exit
veos(config)#
active-directory credential email subscription-id (vEOS-Azure)
The active-directory credential email subscription-id command configures the Azure cloud provider's active-directory credential parameters. The no active-directory command removes the configuration from the vEOS running-config. The exit command returns the vEOS to global configuration mode.
Note: Supported on Azure platform only.
Command Mode
Cloud Provider Azure Configuration
Command Syntax
active-directory credential email subscription-id ID
no active-directory credential email subscription-id
Parameters
ID Defines the active directory subscription ID.
Example:
The following example places the cloud provider for Azure into the configuration mode.
veos(config)#cloud provider azure
veos(config-cloud-azure)#active-directory credential email subscription-id
azure (vEOS - Azure)
The azure command in the cloud-ha-peer configuration sub-mode, accessible through the cloud-ha configuration mode, allows the user to configure the Azure-specific cloud high-availability peer parameters. The exit command returns the vEOS to the cloud-ha-peer configuration mode.
Note: Supported on Azure platform only.
Command Mode
Global Cloud High Availability Peer Configuration Submode
Command Syntax
azure
Example:
The following example configures the peer related information for Azure.
veos(config)#cloud high-availability
veos(config-cloud-ha)#peer veos2
veos(config-cloud-ha-peer-veos2)#azure
veos(config-cloud-ha-peer-veos2-azure)#
Example:
The following example returns the vEOS to the cloud-ha-peer configuration mode.
veos(config-cloud-ha-peer-veos2-azure)#exit
veos(config-cloud-ha-peer-veos2)#
backup-gateway (vEOS - Azure)
The backup-gateway command in the cloud-ha azure submode assigns the backup gateway parameters for the Azure high availability peered cloud. The no backup-gateway command removes the configuration from the vEOS running-config. The exit command returns the vEOS to global configuration mode.
Command Mode
Cloud HA azure configuration submode
Command Syntax
backup-gateway Azure_Rt_Info resource-group Name
no backup-gateway Azure_Rt_Info
Parameters
Azure_Rt_Info
azure-rt-name The Azure route table name.
dest-ip-address/mask The destination IP address and mask.
local-ip-address The local IP address.
resource-group
Name Azure resource group name.
Example:
The following example configures the backup-gateway parameters for the Azure high availability peered cloud.
veos(config)#cloud high-availability
veos(config-cloud-ha)#peer veos2
veos(config-cloud-ha-peer-veos2)#azure
veos(config-cloud-ha-peer-veos2-azure)#backup-gateway Rt1 10.10.1.1/10 1.1.1.1 resource-group test
Example:
The following example removes the backup-gateway parameters for the Azure high availability peered cloud.
veos(config-cloud-ha-peer-veos2-azure)#no backup-gateway Rt1 10.10.1.1/10
veos(config-cloud-ha-peer-veos2-azure)#
bfd source-interface (vEOS)
The bfd source-interface command in the cloud-ha peer configuration submode configures the BFD source interface parameters for the high availability peer. The no bfd source-interface command removes the BFD configuration from the vEOS running-config.
Command Mode
Global Cloud HA peer configuration mode
Command Syntax
bfd source-interface Interface_Type [single-hop]
no bfd source-interface
Parameters
• Interface_Type
Ethernet Ethernet port number <1-4>.
Loopback Loopback interface <0-1000>.
Tunnel Tunnel interface <0-255>.
• single-hop Single-hop BFD. Default is multi-hop.
Example:
The following example configures Ethernet 1 as the source interface for BFD, with multi-hop as the default.
veos(config)#cloud high-availability
veos(config-cloud-ha)#peer veos2
veos(config-cloud-ha-peer-veos2)#bfd source-interface ethernet 1
Example:
The following example configures Tunnel 2 as the single-hop source interface for BFD.
veos(config)#cloud high-availability
veos(config-cloud-ha)#peer veos2
veos(config-cloud-ha-peer-veos2)#bfd source-interface tunnel 2 single-hop
Example:
The following example removes the BFD configuration.
veos(config-cloud-ha-peer-veos2)#no bfd source-interface
cloud high-availability (vEOS)
The cloud high-availability command places the vEOS in cloud-ha configuration mode. This configuration mode allows the user to configure cloud high-availability related parameters. The exit command returns the vEOS to global configuration mode.
Command Mode
Global Cloud High Availability Configuration
Command Syntax
cloud high-availability
Example:
The following example places the vEOS in the cloud high availability configuration mode.
veos(config)#cloud high-availability
veos(config-cloud-ha)#
cloud high-availability shutdown (vEOS)
The shutdown command in the cloud-ha configuration mode disables High Availability for virtual EOS instances running in the cloud environment.
Command Mode
Cloud High Availability configuration
Command Syntax
shutdown
Example:
The following example disables Cloud High Availability from the cloud high availability configuration mode.
veos(config)#cloud high-availability
veos(config-cloud-ha)#shutdown
cloud provider aws (vEOS)
The cloud provider aws command places the vEOS in cloud-provider-aws configuration mode. This configuration mode allows user to configure cloud provider aws command parameters. The exit command returns the vEOS to global configuration mode.
Note: Supported on AWS platform only.
Command Mode
Global Configuration
Command Syntax
cloud provider aws
Example:
The following example places the cloud provider for AWS into the configuration mode.
veos#config
veos(config)#cloud provider aws
veos(config-cloud-aws)#
Example:
The following example returns to the global configuration mode.
veos(config-cloud-aws)#exit
veos(config)#
cloud provider azure (vEOS)
The cloud provider azure command places the vEOS in cloud-provider-azure configuration mode. This configuration mode allows user to configure cloud provider azure command parameters. The exit command returns the vEOS to global configuration mode.
Note: Enabled for Azure platform only.
Command Mode
Global Configuration
Command Syntax
cloud provider azure
Example:
The following example places the cloud provider for Azure into the configuration mode.
veos(config)#cloud provider azure
veos(config-cloud-azure)#
cloud proxy (vEOS)
The cloud proxy command places the vEOS in cloud-proxy configuration mode. This configuration mode allows the user to configure the cloud proxy command parameters. The no cloud proxy command disables the named proxy and returns the vEOS to global configuration mode.
Command mode
Global Configuration
Command Syntax
cloud proxy proxy_name
no cloud proxy proxy_name
Parameters
proxy_name The proxy name to configure.
Example:
The following example configures the cloud proxy configuration setting for "test".
veos(config)#cloud proxy test
veos(config-cloud-proxy-test)#
Example:
This command disables the cloud proxy named "test" and returns the vEOS to global configuration mode.
veos(config-cloud-proxy-test)#no cloud proxy test
veos(config)#
http (vEOS)
The http command in the cloud-proxy configuration submode configures the IP, port, username, and password parameters. The no http command removes the configured cloud proxy information for HTTP from the running-config and returns the vEOS to the global configuration mode.
Command mode
Global Cloud Proxy Configuration
Command Syntax
http PROXY_IP_PORT [username NAME] [password PASSWORD]
no http PROXY_IP_PORT [username NAME] [password PASSWORD]
Parameters
PROXY_IP_PORT The HTTP proxy address and port, given as:
proxy_ip IP address of the HTTP proxy, in dotted decimal notation.
proxy_port HTTP proxy port. Value ranges from 1 to 65535.
NAME Username string.
PASSWORD Password string, optionally preceded by an encoding type:
0 cleartext_passwd The password is in clear text. Equivalent to the no parameter case.
7 encrypted_passwd The password is md5 encrypted.
Example:
The following example configures the cloud proxy IP, port, username and password for HTTP.
veos(config)#cloud proxy test
veos(config-cloud-proxy-test)#http 1.2.3.4 1234 username test password 7 075E731F1A
veos(config-cloud-proxy-test)#
Example:
The following example removes the configured cloud proxy information for HTTP from the running-config.
veos(config-cloud-proxy-test)#no http 1.2.3.4 1234 username test password 7 075E731F1A
veos(config-cloud-proxy-test)#
https (vEOS)
The https command in the cloud-proxy configuration submode configures the IP, port, username and password parameters. The no https command removes the configured cloud proxy information for HTTPS from the running-config and returns the vEOS to global configuration mode.
Command mode
Global Cloud Proxy Configuration
Command Syntax https [PROXY_IP_PORT]