manualshive.com logo in svg

Arista vEOS, Configuration Manual, Page: 123 / 128

Share
Download
Arista vEOS Configuration Manual Download Page 123

The IPsec Encapsulating Security Payload (ESP) inserts additional headers to transmit the packets. These
headers require additional space, which reduces the amount of space available to transmit application data.
The following configuration is recommended on the customer gateway to limit the impact of this behavior:

• TCP MSS Adjustment: 1379 bytes

• Clear Don't fragment Bit: enabled

• Fragmentation: Before encryption

3. Tunnel Interface Configuration

Configure the customer gateway with a tunnel interface that associates with the IPsec tunnel. All traffic
transmitted to the tunnel interface is encrypted and transmitted to the virtual private gateway.

The customer gate and the virtual private gateway each have two addresses that relate to this IPsec tunnel.
Each one contains an outside address, where the encrypted traffic is exchanged. Both gateways also contain
an inside address associated with the tunnel interface. The customer gateway outside IP address is provided
upon creation of the customer gateway. To change the IP address of the customer gateway, create a new
customer gateway. The customer gateway inside IP address must be configured on the interface tunnel.

Outside IP Addresses:

• Customer Gateway: 52.165.228.195

• Virtual Private Gateway: 52.53.75.160

The customer gateway IP address is the IP address of the firewall that the vEOS instance in the DC with
NAT behind.

The virtual private gateway IP address is the external IP address of the AWS Specific Cloud.

Inside IP Addresses

• Customer Gateway: 169.254.11.162/30

• Virtual Private Gateway: 169.254.11.161/30

The virtual private gateway IP address is the tunnel IP address of the AWS Specific Cloud.

4. Static Routing Configuration

The router traffic between the internal network and the VPC an AWS Specific Cloud, add a static router to
the vEOS Router.

Next Hop: 169.254.11.162

Any subnet that requires a route to DC must have a route pointing to the AWS Specific Cloud tunnel IP
address.

For traffic destined to the Internet Network, add static routes on the VGW.

123

IPsec Support

Summary of Contents for vEOS

Page 1: ...vEOS Router Configuration Guide Arista Networks www arista com Arista vEOS version 4 20 6F 22 June 2018 ...

Page 2: ...54 USA 408 547 5500 www arista com Support 408 547 5502 866 476 0000 support arista com Sales 408 547 5501 866 497 0000 sales arista com Copyright 2018 Arista Networks Inc The information contained herein is subject to change without notice Arista Networks and the Arista logo are trademarks of Arista Networks Inc in the United States and other countries Other product or service names may be tradem...

Page 3: ...s for vEOS Router Instances 53 Using User data for Configuration of Entities and vEOS Router Instances 57 Chapter 5 Using the vEOS Router on Microsoft Azure 61 vEOS Router Image Updates 61 System Requirements 61 Launching vEOS Router Azure Instance 61 Creating an Instance using the Portal Marketplace 62 Creating an Instance under Azure CLI 2 0 66 Logging into Instance 67 vEOS Router Startup Config...

Page 4: ...EOS Router GRE over IPsec Tunnel 117 vEOS Router VTI IPsec Tunnel 117 CSR Commands 118 CSR Router Show Commands 118 vEOS Routers and AWS Specific Cloud Configuration 121 IPsec Between the vEOS Router and AWS Specific Cloud Configuration 121 Running configuration of the vEOS Router and AWS Specific Cloud 121 AWS Specific Cloud Configuration 122 AWS Specific Cloud Configuration Modifications 122 Cha...

Page 5: ...and VMware hypervisors By bringing advanced network telemetry and secure IPSecVPN connectivity in a software only package vEOS Router provides a consistent secure and universal approach to hybrid cloud networking for any virtualized cloud deployment Use cases for vEOS Router include Secure Multi Cloud Connectivity InterconnectingVPCs VNets in the Public Cloud Multi site VPN aggregation and Network...

Page 6: ......

Page 7: ...udes base routing features IPsec encryption and SW support SS VEOSR IPSEC 10G 1M The vEOS Router SW Subscription License for a single vEOS instance for 1 Month for up to 10Gbps throughput This includes base routing features IPsec encryption and SW support If a valid license has never been installed The performance of the instance is limited to 10Mbps IPsec is not available without a license For pu...

Page 8: ... yes Update License Optional Use the license update command to trigger an update of licenses in storage veos license update Obtaining and Installing Soft Expiry Users can obtain licenses from Arista that extend the time for which the customer can use a certain feature without any limitations The license for the feature is considered expired but the feature continues to work until the grace period ...

Page 9: ... what licenses are installed and any relevant information regarding a license The show license commands do not list features that are unlocked by external licenses or means and does not list the pay as you go license provided by AWS Show License Files Use the show license files command to display all information related to the active licenses installed For example purposes the licenses below are n...

Page 10: ...ple the files are zipped then base64 encoded For example purposes the licenses below are non functional veos show license files compressed License name 2017 11 02 08 23 23 053684_IPSecLic 1yr json Contents truncated show license expired The show license expired command will display the same as the show license command but with expired licenses only displayed veos show license expired System Serial...

Page 11: ...er None Count 1 Start 2017 12 30 16 00 00 Expiration 2018 12 30 16 00 00 Active in future License parameter None Count 1 Start 2017 09 18 13 56 45 Expiration 2017 12 30 16 00 00 Active yes License parameter None Count 1 Start 2017 10 05 21 49 13 Expiration 2017 10 09 17 00 00 Active expired License feature vEOS Virtualized EOS License parameter None Count 1 Start 2017 10 08 17 00 00 Expiration 201...

Page 12: ......

Page 13: ... vEOS Router instance is unable to forward traffic due to connectivity issues in the cloud infrastructure vEOS Router experiences an internal issue leading to unavailability vEOS Router HA pair with Cloud HA is an active active deployment model for different cloud high availability design in a region Each vEOS Router in an HA pair provides enhanced routing capabilities as the gateway or next hop r...

Page 14: ...vailability zone the hosts VMs and vEOS interfaces are connected to their corresponding subnets when the network is operating normally Each subnet associates to a route table within the cloud infrastructure Static routes are configured in the cloud route tables so the traffic from the hosts VMs are routed to vEOS Routers in the corresponding availability zone as gateway or next hop to reach certai...

Page 15: ...active vEOS router as ip route10 1 1 0 24 10 2 1 1 255 where 10 2 1 1 is the gateway next hop for one of the ethernet interfaces with a high administrative distance value least preferred The static routes would be redistributed or advertised when the original routes with better administrative distance are withdrawn or removed by dynamic routing protocol such as BGP When BFD peering session is rest...

Page 16: ...describes configurations required for Cloud HA on different types of clouds Cloud Configuration To have access to the cloud services the vEOS Router must be provided with credentials Additionally a proxy may be configured for the connection to the cloud services to go through AWS Specific Cloud Complete the following tasks to configure AWS Specific Cloud services Configure Credentials Access to AW...

Page 17: ...r aws veos config cloud aws access key 0 ATPAILIL5E982IPT7P3R veos config cloud aws secret access key 0 M0RRUtAA8I8wYxJB8 veos config cloud aws region us west 1 veos config cloud aws proxy test Configure the backup gateway primary gateway Route Table ID rtb and local interface for AWS The Route Table ID specifies for AWS the backup gateway and primary gateway then the destination selects the indiv...

Page 18: ...he vEOS Router These may change or can be another way to achieve the same effect without changing the vEOS Router AWS VPN Specific Cloud PrivateLink AWS VPN Specific Cloud PrivateLink allows a private no public IP address vEOS instance to access services offered by AWS without using proxy The interfaceVPC endpoints enables a private vEOS instance to connect toAWSVPN Specific Cloud PrivateLink To c...

Page 19: ...e configures the amount of time to take back control of local route tables after failure recovery The following example shows the wait time is configured to 90 seconds veos config cloud ha peer veos2 recovery wait time 90 Full Configurations AWS VPN Specific Cloud Full Configuration The following AWS configuration is vaild for use with the IAM role cloud provider aws region us west 1 cloud high av...

Page 20: ...hernet1 JSON Based Cloud High Availability Configurations and Equivalent CLI Configurations Note Starting from 4 20 6 the Cloud HA configuration is only available through the CLI The JSON file from the previous vEOS version is deprecated You must convert the JSON configuration to CLI configuration after upgrading from any previous vEOS version Mapping JSON Config to the New CLI Use the following t...

Page 21: ... 12345678 0 0 0 0 0 local cloud interface eni 12345678 peer address 10 10 1 2 recovery wait time 10 bfd source interface Tunnel1 single hop Azure JSON Configuration generalConfig enable_optional true hysteresis_time_optional 10 source_ip_optional 10 10 1 1 bfdConfig peerVeosIp 10 10 1 2 bfdSourceInterface Tunnel1 azureLocalRoutingConfig resourceGroupName resourceGroup1 routeTables routeTableName S...

Page 22: ...us west 1 aws_credentials_optional aws_access_key_id ABCDEFGHIJKLMNOPQRST aws_secret_access_key TSRQPONMLKJIHGFEDCBA AWS Equivalent CLI Configuration cloud provider aws region us west 1 access key id 7 1234567890ABCDEFGHIJKLMNOPQRST secret access key 7 1234567890TSRQPONMLKJIHGFEDCBA proxy proxy1 Mapping JSON Config to the Cloud Proxy The following JSON configurations are available in Cloud Proxy c...

Page 23: ...ovider s web services The access can also be via proxy or using feature like AWS private link The recovery wait time should not be configured less than 10 sec to avoid unnecessary route flapping when experiencing periodic instabilities The Cloud HA feature will completely validate all the provided cloud configuration to make sure it is consistent and has all required permissions However the admini...

Page 24: ... vEOS on page 33 Interface Azure active directory credential email subscription id active directory credential email subscription id vEOS Azure on page 26 Interface AWS access key id access key id vEOS AWS on page 25 region region vEOS AWS on page 34 secret access key secret access_key vEOS AWS on page 35 Cloud Proxy Commands Global cloud proxy cloud proxy vEOS on page 30 Interface http http vEOS ...

Page 25: ...S to global configuration mode Note Supported on AWS platform only Command Mode Cloud Provider AWS Configuration Command Syntax access key id Password_Type no access key id Password_Type Parameters Password_Type 0 access key id The password is a clear text string Equivalent to no parameter 7 encrypted_key The password is an encrypted string Text Example The following example configures the AWS acc...

Page 26: ... mode veos config cloud provider azure veos config cloud azure active directory credential email subscription id Example veos config cloud provider azure veos config cloud azure active directory credential email subscription id azure vEOS Azure The azure command in the cloud ha peer configuration sub mode accessible through the cloud ha configuration mode allows the user to configure cloud high av...

Page 27: ...e resource group name Example The following example configures the parameters for the Azure high availability peered cloud veos config cloud high availability veos config cloud ha peer veos2 veos config cloud ha peer veos2 azure veos config cloud ha peer veos2 azure backup gateway Rt1 10 10 1 1 10 1 1 1 1 resource group test Example The following example removes the backup gateway parameters for t...

Page 28: ...s the BFD configuration veos config cloud ha peer veos2 no bfd source interface cloud high availability vEOS The cloud high availability command places the vEOS in cloud ha configuration mode This configuration mode allows user to configure cloud high availability related parameters The exit command returns the switch to global configuration mode Command Mode Global Cloud High Availability Configu...

Page 29: ...cloud provider for AWS into the configuration mode veos config veos config cloud provider aws veos config cloud aws Example The following example returns to the global configuration mode veos config cloud aws exit veos config cloud provider azure vEOS The cloud provider azure command places the vEOS in cloud provider azure configuration mode This configuration mode allows user to configure cloud p...

Page 30: ...t no cloud proxy test veos config http vEOS The http command in the cloud proxy configuration submode configures the IP port username and password parameters The no http command removes the configured cloud proxy information for HTTP from the running config and returns the vEOS to the global configuration mode Command mode Global Cloud Proxy Configuration Command Syntax http PROXY_IP_PORT username...

Page 31: ...rd no https PROXY_IP_PORT username password Parameters PROXY_IP_PORT Port number to be used for the HTTP server Options include proxy ip IP address used for the HTTPs proxy Dotted decimal location proxy_port HTTPS proxy port Value ranges from 1 to 65535 username Name string password Password string 0 cleartext passwd Indicates the cleartext password is in clear text Equivalent to the no parameter ...

Page 32: ...bmode configures the cloud high availability resource group peer related parameters The no peer command removes the configuration from the vEOS running config The exit command returns the vEOS to the cloud ha configuration mode Command Mode Cloud High Availability Configuration Cloud High Availability Configuration Submode Command Syntax peer peer ip address no peer ip address Parameters Ip addres...

Page 33: ...e destination IP address local ip address The local IP address resource group Name Azure resource group name Example The following example configures the parameters for the Azure high availability peered cloud veos config cloud high availability veos config cloud ha peer veos2 veos config cloud ha peer veos2 azure veos config cloud ha peer veos2 azure primary gateway Rt1 10 10 1 1 10 1 1 1 1 resou...

Page 34: ... time period Parameters period The defined amount of time to take back control of local route tables after failure recovery Default is 30 seconds Example The following example shows the wait time is configured to 90 seconds veos config cloud ha peer1 recovery wait time 90 Example The following example removes the configured the wait time veos config cloud ha peer1 no recovery wait time Example The...

Page 35: ...ud provider aws configuration mode This configuration mode allows user to configure cloud provider aws secret access key command parameters The no secret access key command removes the configuration from the vEOS running config The exit command returns the vEOS to global configuration mode Note Supported on AWS platform only Command Mode Global Cloud Provider AWS configuration Command Syntax secre...

Page 36: ...cloud high availability Cloud HA Configuration Peer address 10 2 201 149 Source interface Ethernet1 Enabled True Failover recovery time 5 Status valid State ready Last failover time never Last recovery time never Last config validation start time 0 26 08 ago Last config validation end time 0 26 06 ago Failovers 0 show cloud high availability routes The show cloud high availability routes command d...

Page 37: ...ample The following example displays the primary and backup gateway information for the AWS cloud provider veos show run section cloud cloud provider aws us west 1 proxy test cloud high availability no shutdown peer vEOS12 aws backup gateway rtb 40b72d24 0 0 0 0 0 local cloud interface eni 26cb1d27 backup gateway rtb 17b32973 0 0 0 0 0 local cloud interface eni 1589e714 backup gateway rtb 54503330...

Page 38: ...splays the specific cloud proxy information for the named proxy Command Mode EXEC Command Syntax show cloud proxy proxy_name Parameters proxy_name Identifies the selected proxy by name Example This command displays the proxy information for the proxy named test veos show cloud proxy Cloud Proxy Configuration Proxy name test HTTP proxy test 075E731F1A 1 2 3 4 1234 HTTPS proxy 10 3 255 155 8888 This...

Page 39: ...entation Amazon Machine Image AMI Specifications The AMI provided by Arista utilizes the architecture type of root device virtualization type and interface type required to configure the vEOS Router for a robust AWS deployment The specifications of the Arista AMI are Architecture x86_64 Virtualization type HVM Root Device Type EBS Network Interface type SR IOV ENA Elastic Network Adapter Supported...

Page 40: ...Formation stack to use to launch the instance The created stack provides the base configuration for the instance As part of this task select a stack template which defines the base configuration of the instance Make sure to select the stack template that provides the resources required for the instances that are launching Templates can be obtained from https github com aristanetworks For more info...

Page 41: ... to create a new stack 4 Select a nic template for upload and then click on the Next button Note Templates can be found in the docs directory Select the appropriate AMI for launching The page refreshes showing the options for specifying the details for the stack 41 Using vEOS Router on the AWS Platform ...

Page 42: ...mat use a base64 command on MacOS or Linux machine base64 EOS STARTUP CONFIG START hostname myhost EOS STARTUP CONFIG END Press CTRL D JUVPUy1TVEFSVFVQLUNPTkZJRy1TVEFSVCUKaG9zdG5hbWUgbXlob3N0CiVFT1MtU 1RBUlRVUC1DT05GSUctRU5EJQo 6 Review the details and make changes if needed 7 Click the Create button to create the stack vEOS Router Configuration Guide 42 ...

Page 43: ... part of the stack creation process can be viewed in the Resource tab 9 Click on the vEOS Router instance ID to view the status of vEOS Router instance The instance ID is shown in the Physical ID column of the Resources tab 43 Using vEOS Router on the AWS Platform ...

Page 44: ...Using EC2 AWS Marketplace Launching vEOS Router instances using the EC2 AWS Marketplace gives the ability to create and configure vEOS Router instances in the VPCs of your AWS deployment This method utilizes Amazon Machine Images AMIs to configure the operating system of the instance Obtain the AMI needed for the instance from the AWS Marketplace This task involves creating an EC2 key pair selecti...

Page 45: ...g a configuration into the dialog or attaching a configuration file For details on composing user data for vEOS Router see Using User data for Configuration of Entities and vEOS Router Instances on page 57 Complete the following steps to launch a vEOS Router instances 1 Log in to the Amazon Management Console 2 Create an EC2 key pair and download the pem file that contains the private key The pem ...

Page 46: ...e appears for you to select an AMI 6 Click on AWS Marketplace in the left pane Search for Arista vEOS Router in the search field to bring up the available vEOS AMIs to use Select the appropriate AMI for launching vEOS Router Configuration Guide 46 ...

Page 47: ...s showing the user highlights pricing details and instance types available Press the Continue button to advance 8 Click in the left pane The Choose an Instance Type page appears 47 Using vEOS Router on the AWS Platform ...

Page 48: ...The supported instance types are C4 large C4 xlarge C4 2xlarge R4 large R4 xlarge R4 2xlarge R4 4xlarge T2 small T2 medium 10 Click on the Next Configure Instance Details button lower right part of the page The Configure Instance Details page appears vEOS Router Configuration Guide 48 ...

Page 49: ...figure the instance Do one of the following to configure the instance using user data Choose the Text option and then copy and paste startup config in the text box Attach the configuration as a file by clicking on the file and then choose the configuration file to be uploaded For details on composing user data for vEOS Router see Using User data for Configuration of Entities and vEOS Router Instan...

Page 50: ...nu select the key pair created earlier in the procedure In this example the key pair is named systest 16 Select the acknowledgment near the bottom of the dialog and then click on the Launch Instances button The Launch Status page appears showing the status of the instance vEOS Router Configuration Guide 50 ...

Page 51: ...nce State shows running Wait for the status to update to running 19 Optional To use the existing subnet and security group for the instance record the subnet and security group This information is required when configuring the network interfaces to be attached to the instance 20 Optional Click on the Connect button near the top of the page The Connect to Your Instance dialog appears 51 Using vEOS ...

Page 52: ...lled and enabled by default when the vEOS Router instances launch through the AWS Marketplace Refer to the AWS CloudWatch Quick Start Guide to make sure that the vEOS Router instance has the right credentials for logging in to AWS Note To manually install or uninstall the awslogs swix vEOS extension see https eos arista com packaging and installing eos extensions To obtain the awslogs swix vEOS ex...

Page 53: ...ing the route table of the AWS Specific Cloud Router Creating the Additional Network Interfaces Creating the additional network interfaces required for the topology ensures that there are interfaces available to attach to vEOS Router instances When creating the new network interfaces there is the option of using the subnet and security groups that were automatically assigned to the instance or spe...

Page 54: ...ork interface Specify the existing security groups for the vEOS Router instance or different security groups 5 Select the Yes Create button The new network interface is added to the list of interfaces on the page 6 Repeat steps 3 through 5 to create additional interfaces as needed 7 For each network interface created complete steps a and b a Select the interface then choose Actions Change Source D...

Page 55: ...er instances is the second networking configuration task This task involves selecting the new network interfaces created in the previous procedure and then attaching the interfaces to vEOS Router instances Complete these steps to attach the new network interfaces to vEOS Router instances 1 Go to the EC2 Dashboard 2 Open the INSTANCES menu on the left side of the page then click Instances The page ...

Page 56: ...rnet address is 0287 4ba7 1f88 bia 0287 4ba7 1f88 Ethernet mtu 8973 bytes BW 10000000 kbit Full duplex 10Gb s auto negotiation off uni link n a Up 20 minutes 42 seconds 8 Repeat steps 1 through 7 as needed to attach new network interfaces to instances Configure the route table of the AWS Router see Configuring the Route Table of the AWS Router on page 56 Configuring the Route Table of the AWS Rout...

Page 57: ...ports configuration of startup configuration AWS CloudWatch and Cloud HA through the use of user data Because user data can be used to pass in configurations administrators can take advantage of this feature to quickly configure vEOS Router instances AWS CloudWatch and Cloud HA Note It is recommended to test vEOS Router configurations on a vEOS Router or EOS device before using them to deploy a ne...

Page 58: ...gging parameters mnt flash awslogs proxy conf AWS PROXY START AWS PROXY END Entity AWS Logs File proxy conf Use Configure proxy settings mnt flash cloud_ha_config json CLOUDHA CONFIG START CLOUDHA CONFIG END Entity Cloud HA File cloud_ha_config json Use Configure vEOS Router for High Availability Sample Instance User data The following sample user data contains lines to startup the instance and to...

Page 59: ...uration 5000 log_group_name veoslogs log_stream_name hostname initial_position start_of_file AWSLOGS CONFIG END AWS PROXY START HTTP_PROXY http your_proxy your_proxy_port HTTPS_PROXY http your_proxy your_proxy_port NO_PROXY 169 254 169 254 AWS PROXY END 59 Using vEOS Router on the AWS Platform ...

Page 60: ......

Page 61: ...he following instance types D2_v3 with 2 cores 8 0GiB RAM 2 NICs 1 000 Mbps and a 4GB OS disk D4_v3 with 4 cores 16 0GiB RAM 2 NICs 2 000 Mbps and a 4GB OS disk D8_v3 with 8 cores 32 0GiB RAM 4 NICs 4 000 Mbps and a 4GB OS disk D16_v3 with 16 cores 64 0GiB RAM 8 NICs 8 000 Mbps and a 4GB OS disk D32_v3 with 32 cores 128 0GiB RAM 8 NICs 16 000 Mbps and a 4GB OS disk D64_v3 with 64 cores 256 0GiB RA...

Page 62: ...re renamed and all IP addresses are unique Creating an Instance using the Portal Marketplace To create an instance using the Portal Marketplace complete the following steps 1 In the Azure portal select the green button in the top left of the screen 2 In the search bar type Arista and press enter Figure 2 Type Arista 3 Select the Arista offer you are interested in vEOS Router Configuration Guide 62...

Page 63: ...Figure 3 Arista selection 4 Select Create Figure 4 Select Create 5 Fill out the required information and press OK 63 Using the vEOS Router on Microsoft Azure ...

Page 64: ...Figure 5 Required information 6 Configure the VNet and press OK Figure 6 Configuring the VNet 7 Configure the subnets and press OK vEOS Router Configuration Guide 64 ...

Page 65: ...Figure 7 Configuring the subnets 8 Verify the information is correct and press OK Figure 8 Verification 9 Read the Terms and Conditions then press Purchase 65 Using the vEOS Router on Microsoft Azure ...

Page 66: ..._json sh user_data txt script 5 Copy and paste the generated output into the customData value field of the JSON parameters file 6 Use the script as in the following example usr bin bash cat 1 python c import json sys print json dumps sys stdin read 7 Use the template and parameters JSON files to launch a vEOS Router instance in Azure using the Azure CLI 2 0 az group create name ExampleGroup locati...

Page 67: ...eters filename Logging into Instance To log into an instance complete the following steps 1 Select the resource group containing your vEOS Router deployment from the Resource groups list 2 Select the item publicIP Figure 10 Selecting the PublicIP 3 Locate the IP address and DNS name found on the Overview page 67 Using the vEOS Router on Microsoft Azure ...

Page 68: ...e deployment starts Refer to the section Troubleshooting Instance on page 69 for additional information vEOS Router Startup Configuration using Instance Custom Data Describes launch employing custom data information During the initial launching of the vEOS Router Instance Azure provides a feature to upload custom data The administrator can upload vEOS Router configuration using custom data at the ...

Page 69: ...name admin nopassword username admin sshkey file flash key pub EOS STARTUP CONFIG END Providing Startup Configuration using Azure Custom Data Adding custom data to an instance Currently custom data can only be used on instances deployed using the Azure CLI 2 0 In order to add custom data to an instance the custom data must be provided as a single line value with n delimiting newlines Use the singl...

Page 70: ...the vEOS Router 3 Note the status of the VM It should either be Creating Starting or Running Figure 13 Status of the VM 4 Check the boot diagnostics for any error messages or warnings vEOS Router Configuration Guide 70 ...

Page 71: ...Deploy Azure Virtual Machines With An Azure Resource Manager ARM Template https www youtube com watch v wi74jR0MRLg 2 How To Deploy Resources https docs microsoft com en us azure azure resource manager resource group template deploy cli 71 Using the vEOS Router on Microsoft Azure ...

Page 72: ......

Page 73: ...IOV capable BIOS System Firmware support for SR IOV 8 GB free disk space 16 GB RAM 4 cores running a minimum 2 4GHz or greater and 16 GB memory Intel VT x and VT d support VMware ESXi SR IOV based deployment Ethernet NICs must be SR IOV capable BIOS System Firmware support for SR IOV KVM Requirements vEOS is must be deployed on an x86 64 architecture server running KVM hypervisor KVM Minimum Serve...

Page 74: ...How to launch VMWare ESXi 6 and ESXi 6 5 for vEOS There are different ESXi user interfaces for managing the ESXi host such as the vSphere Web Client and the ESXi Web Client The following task is required to launch VMware 6 0 and 6 5 and provides a general guideline on the steps involved in deploying virtual machines with an OVF OVA template Note Arista support suggests using only theVsphere Web cl...

Page 75: ...3 Select the name and location for vEOS deployment 4 Select the host cluster resource pool or VAPP 75 Server Requirements ...

Page 76: ...5 Verify the template details 6 Select Thick provision eager zeroed from the datastore vEOS Router Configuration Guide 76 ...

Page 77: ...7 Select the default network 8 Complete the launch process 77 Server Requirements ...

Page 78: ... the machine Enabling SR IOV or PCI Passthrough on ESXi Describes how to enable single route input output vitalization SR IOV or PCI passthough on VMware ESXi To enable SR IOV or PCI passthrough on ESXi complete the following steps 1 Navigate to the ESXi host s Manage then select the Hardware tab vEOS Router Configuration Guide 78 ...

Page 79: ...e Toggle passthrough or the Configure SR IOV selection to activate the mode 4 Reboot the ESXi host for the configuration to take effect 5 After reboot the NIC reflects the changes For SR IOV new virtual function devices VF is created 79 Server Requirements ...

Page 80: ... the VM and select Add other device then select PIC Device to create the New PIC Device for the VM 7 Select the New PIC Device to use the SR IOV VF or PIC Passthrough device vEOS Router Configuration Guide 80 ...

Page 81: ... hypervisors Minimum Server Requirements Intel x86 Four cores running at 2 4GHz or greater 16 GB memory Intel VT d support For SR IOV based deployment the NICs need to be SR IOV capable Hypervisor support RedHat 7 with virtualization support See below for virtualization https wiki centos org HowTos KVM Make sure libvirt is installed by executing virsh list which should return without errors Python...

Page 82: ...he virsh net undefine network name command removes an inactive virtual network from the libvirt configuration The virsh start network name command manually starts a virtual network that is not running The virsh destroy network name command shuts down a running virtual network Launching vEOS in LinuxBridge Mode Use the script SetupLinuxBridge pyc usage python SetupLinuxBridge pyc bridge name Cut an...

Page 83: ...on 0 controller controller type pci index 0 model pci root alias name pci0 controller controller type ide index 0 alias name ide0 address type pci domain 0x0000 bus 0x00 slot 0x01 funct controller In this case management is connected to linux bridge interface type bridge source bridge brMgmt model type virtio address type pci domain 0x0000 bus 0x00 slot 0x03 funct interface serial type pty source ...

Page 84: ...mory unit MiB 4096 currentMemory vcpu placement static 2 vcpu resource partition machine partition resource cpu mode host model os type arch x86_64 hvm type boot dev cdrom boot dev hd os features acpi apic pae features clock offset utc on_poweroff destroy on_poweroff on_reboot restart on_reboot on_crash restart on_crash devices emulator usr bin qemu system x86_64 emulator disk type file device dis...

Page 85: ...ias name serial0 console input type mouse bus ps2 graphics type vnc port 5903 autoport yes listen 127 0 0 1 listen type address address 127 0 0 1 graphics video model type cirrus vram 9216 heads 1 alias name video0 address type pci domain 0x0000 bus 0x00 slot 0x02 funct video memballoon model virtio alias name balloon0 address type pci domain 0x0000 bus 0x00 slot 0x04 funct memballoon Has two data...

Page 86: ... to the physical Ethernet port that connects to the WAN through a LinuxBridge The Router is configured with a WAN IP address on this port Ethernet2 connects to the physical ethernet port that connects to the LAN through a LinuxBridge Server IP address in the diagram is assumed to be configured on the LAN LinuxBridge device Note Arista recommends using Ethernet1 for WAN and Ethernet2 for LAN Howeve...

Page 87: ...ration I350 Gigabit Network Connection rev 01 01 00 2 Ethernet controller Intel Corporation I350 Gigabit Network Connection rev 01 01 00 3 Ethernet controller Intel Corporation I350 Gigabit Network Connection rev 01 81 00 0 Ethernet controller Intel Corporation I350 Gigabit Network Connection rev 01 81 00 1 Ethernet controller Intel Corporation I350 Gigabit Network Connection rev 01 81 00 2 Ethern...

Page 88: ...1 82 10 3 Ethernet controller Intel Corporation 82599 Ethernet Controller Virtual Function rev 01 82 10 4 Ethernet controller Intel Corporation 82599 Ethernet Controller Virtual Function rev 01 82 10 5 Ethernet controller Intel Corporation 82599 Ethernet Controller Virtual Function rev 01 82 10 6 Ethernet controller Intel Corporation 82599 Ethernet Controller Virtual Function rev 01 82 10 7 Ethern...

Page 89: ... pci domain 0 domain bus 130 bus slot 17 slot function 1 function product id 0x10ed 82599 Ethernet Controller Virtual Function product vendor id 0x8086 Intel Corporation vendor capability type phys_function address domain 0x0000 bus 0x82 slot 0x00 function 0x1 capability iommuGroup number 71 address domain 0x0000 bus 0x82 slot 0x11 function 0x1 iommuGroup numa node 1 pci express link validity cap ...

Page 90: ...rts test yes supports eeprom access no supports register dump yes supports priv flags no Launching SR IOV vEOS can also use PCIE SRI OV I O interfaces Each SRI OV NIC is passed through to the VM such that network I O does not hit the hypervisor In this model the hypervisor and multiple VMs can share the same NIC card SR IOV has the following advantages over LinuxBridge Higher Performance 2x Better...

Page 91: ...onsumed by a virtualized switch before reaching the VM vEOS implementing PCI Pass through for NIC provides dedicated and non filtered network resources to the VM 1 Identify Available Physical Functions Similar to the SR IOV identify an available physical function a NIC in this scenario and its identifier Use the lspci grep Ethernet Linux command to display the available physical functions 91 Serve...

Page 92: ...on 82599ES 10 Gigabit SFI SFP Network Connection rev 01 83 00 0 Ethernet controller Intel Corporation 82599ES 10 Gigabit SFI SFP Network Connection rev 01 83 00 1 Ethernet controller Intel Corporation 82599ES 10 Gigabit SFI SFP Network Connection rev 01 2 Verify Available Physical Functions Verify the available physical functions by using the virsh Linux commands arista solution virsh nodedev list...

Page 93: ...w interface status Port Name Status Vlan Duplex Speed Type Flags Et1 connected routed full 10G 10 100 1000 Ma1 connected routed a full a 1G 10 100 1000 veos bash bash 4 3 ethtool i et1 driver ixgbe version 4 2 1 k firmware version 0x18b30001 bus info 0000 00 03 0 supports statistics yes supports test yes supports eeprom access yes supports register dump yes supports priv flags no Example Deploymen...

Page 94: ...Figure 17 Linux SRIOV PCI Passthrough based Deployment vEOS Router Configuration Guide 94 ...

Page 95: ...mmunicate with the remote peer virtual router To ensure that the tunnel configuration between the vEOS Router and peer router is successful make sure that vEOS Router tunnel configuration meets the requirements for using NAT Using IPsec on vEOS Router Instances on page 97 The vEOS Router enables you to establish and maintain GRE over IPsec andVTI IPsec tunnels for secure or encrypted communication...

Page 96: ... are encrypted When using VTI encapsulation mode set the IPsec mode to tunnel The transport option under the IPsec mode has no effect Requirements when Behind a NAT The vEOS Router supports the use of NAT Traversal to communicate with the remote peer behind a NAT Configure the tunnel source with the outgoing interface IP address on the router Flow Parallelization To achieve high throughput over an...

Page 97: ... establishing IKE with the peer Specifying the encryption integrity protocols for the Security Association SA Policy Apply IKE and SA policies to a given profile Apply the profile to a tunnel interface Configuring IPsec Tunnels on vEOS Router Instances Use this procedure to configure GRE over IPsec or VTI IPsec tunnels on peer vEOS Router instances The procedure provides all of the steps required ...

Page 98: ...4 veos config ipsec sa policy sa vrouter veos config ipsec sa esp encryption aes256 veos config ipsec sa esp integrity sha256 veos config ipsec sa pfs dh group 14 veos config ipsec sa sa lifetime 2 veos config ipsec sa exit 6 Bind or associate the IKE and SA policies together using an IPsec profile Provide a shared key which must be common on both peers The default profile assigns default values f...

Page 99: ... tunnel mode ipsec veos config if Tu0 mtu 1394 veos config if Tu0 tunnel source 1 0 0 1 veos config if Tu0 tunnel destination 1 0 0 2 veos config if Tu0 tunnel ipsec profile vrouter Optional Steps To move the tunnel interface to a different VRF complete step 9 To achieve high throughput complete step 10 9 Create the GRE over IPsec tunnel interface in a VRF using the vrf forwarding command If a VRF...

Page 100: ...nnection start veos config ipsec profile mode transport veos config ipsec profile flow parallelization encapsulation udp Example Applying IPsec profile to tunnel interface veos config interface tunnel0 veos config if Tu0 tunnel ipsec profile vrouter Note Repeat step 9 on the other end of the tunnel The IPsec flow parallelization feature must be enabled on both end of the tunnel Examples of Running...

Page 101: ... connection start shared key keyAristaHq dpd 10 50 clear interface Tunnel1 mtu 1404 ip address 1 0 3 2 24 tunnel mode gre tunnel source 1 0 0 2 tunnel destination 1 0 0 1 tunnel ipsec profile hq interface Ethernet2 no switchport ip address 1 0 0 2 24 Examples of Running configurations for VTI IPsec Tunnels The following examples show the running configurations for two vEOS Router instances vEOS1 a...

Page 102: ...nation 1 0 0 2 tunnel ipsec profile hq Running Configuration for vEOS2 ip security ike policy ikebranch1 integrity sha256 dh group 15 ike policy ikebranch2 dh group 15 version 1 local id 200 0 0 1 ike policy ikedefault sa policy sabranch1 sa lifetime 2 pfs dh group 14 profile hq mode tunnel ike policy ikebranch1 sa policy sabranch1 connection start shared key keyAristaHq dpd 10 50 clear interface ...

Page 103: ...y Use the vEOS Router to establish and maintain IPsec tunnels between vEOS Router instances and third party router instances in different topologies of varying complexity The following diagram represents a basic IPsec tunnel configuration in where a vEOS Router instance and a third party router instance is connected using an IPsec tunnel Figure 19 IPsec Interoperability Interoperability Support Th...

Page 104: ...uter instances and third party device peer router instances vEOS Router Configuration Use this procedure to configure GRE over IPsec tunnels on a vEOS Router instance Once the procedure is complete configure the other tunnel end point on the third party peer router Note The vEOS Router by default uses IKE version 2 for all IPsec tunnels If you want to configure a GRE over IPsec tunnel that uses IK...

Page 105: ...ipsec sa exit veos config ipsec sa policy sa default veos config ipsec sa exit 5 Bind or associate the IKE and SA policies together using a IPsec profile Provide a shared key which must be common on both peers The default profile assigns default values for all parameters that are not explicitly configured in the other profiles Example In this example tunnel mode is set to transport The IKE Policy ...

Page 106: ...c profile Example veos config vrf definition red veos config vrf red rd 1 3 veos config vrf red interface tunnel0 veos config if Tu0 ip address 1 0 3 1 24 veos config if Tu0 vrf forwarding red veos config if Tu0 tunnel mode gre veos config if Tu0 mtu 1400 veos config if Tu0 tunnel source 1 0 0 1 veos config if Tu0 tunnel destination 1 0 0 2 veos config if Tu0 tunnel key 100 veos config if Tu0 tunn...

Page 107: ...f the protocols allowed on the management interface Procedure 1 Create a new management profile Select all of the protocols allowed on the management interface 2 Create a new tunnel interface and specify the following parameters Name for example tunnel 1 Virtual router Select the existing virtual router Security Zone Select the layer 3 internal zone which is the zone from which the traffic origina...

Page 108: ...o Firewall VM Pairing VTI IPsec Tunnel The following example shows a VTI IPsec tunnel between a vEOS Router instance and a third party Palo Alto firewall VM router instance Running Configuration for vEOS1 ip security ike policy ikebranch1 integrity sha256 dh group 15 sa policy sabranch1 sa lifetime 2 pfs dh group 14 profile hq ike policy ikebranch1 sa policy sabranch1 connection add shared key key...

Page 109: ...ime hours 2 dh group group20 gateway entry name veos12 IKE Gateway authentication pre shared key key AQ ocHnGzxJ4JVLomPyHuZNlg84S7I BCiu0HIvFeFOSQOx gmhNQ protocol ikev1 dpd enable yes interval 100 retry 100 ike crypto profile veos12 IKE Phase1 ikev2 dpd enable yes ike crypto profile veos12 IKE Phase1 version ikev2 preferred tunnel ipsec entry name veos12 IPSEC Tunnel 109 IPsec Support ...

Page 110: ... VTI IPsec tunnel To use IKE version 1 complete the section below then continue with the steps below To use IKE version 2 which is the default version start with Step 1 below veos config ip security veos config ipsec ike policy ike peerRtr veos config ipsec ike version 1 1 Use this command to enter IP security mode veos config ip security 2 Create an IKE Policy to communicate with the peer to esta...

Page 111: ...uter PA veos config ipsec profile ike policy ike vrouter PA veos config ipsec profile sa policy sa vrouter PA veos config ipsec profile connection start veos config ipsec profile shared key Arista1234 veos config ipsec profile dpd 10 30 clear 6 Create a tunnel interface for the VTI tunnel When tunnel mode is set to IPsec configure a tunnel key on the vEOS Router instance to ensure that traffic can...

Page 112: ... 18446744073709551615 pkts expire add 0 secs hard 0 secs lifetime current 608 bytes 7 pkts add time Wed Aug 17 17 50 28 2016 use time Wed Aug 17 17 50 31 2016 View Profiles Currently Being Used by IPsec Connections Use the show ip sec applied profile command to view the IPsec profiles that have been applied to existing IPsec connections veos show ip sec applied profile Profile Name Interface Arist...

Page 113: ... 18446744073709551615 bytes softlimit 18446744073709551615 pkts hardlimit 18446744073709551615 pkts expire add 0 secs hard 0 secs lifetime current 608 bytes 7 pkts add time Wed Aug 17 17 50 28 2016 use time Wed Aug 17 17 50 31 2016 The example below shows the use of the show ip sec applied profile command to view all profiles currently in use by established tunnels veos show ip sec applied profile...

Page 114: ...CSR it needs to set the ikev1 version as follows veos config ip security veos config ipsec ike policy ike peerRtr veos config ipsec ike version 1 1 Enter the configuration terminal mode to configure IPsec CSR config terminal 2 Configure a pre shared key for the vEOS Router and CSR to authenticate each other Create a keyring to hold the keys CSR config crypto keyring vrouter keyring CSR conf keyrin...

Page 115: ...rnet2 CSR config if ip address 1 0 0 2 255 255 255 0 CSR config if mtu 9001 CSR config if negotiation auto 8 Apply the IPsec profile to a tunnel interface The example creates a tunnel interface Tunnel0 and configures the tunnel interface to use IPsec CSR config if exit CSR config interface Tunnel0 CSR config if ip address 1 0 3 1 255 255 255 0 CSR config if tunnel source 1 0 0 2 CSR config if tunn...

Page 116: ...thm for the child IPsec SA The example creates a transform set with AES cipher for the ESP encryption and SHA1 for the authentication The mode for the IPsec is set to the transport mode CSR config crypto ipsec transform set vrouter tset esp aes 256 esp sha hmac CSR cfg crypto trans mode transport 7 Create the IPsec profile similar to IKEv1 This profile includes the transform set SA idle time lifet...

Page 117: ...nel mode gre tunnel source 1 0 0 1 tunnel destination 1 0 0 2 tunnel ipsec profile hq interface Ethernet1 no switchport ip address 1 0 0 1 24 vEOS Router VTI IPsec Tunnel The IPsec tunnels represented in these examples include VTI IPsec tunnels between vEOS Router instances and third party CSR router instances Running Configuration for vEOS ip security ike policy ikebranch1 encryption aes256 dh gr...

Page 118: ...isakmp sa IPv4 Crypto ISAKMP SA dst src state conn id status 1 0 0 1 1 0 0 2 QM_IDLE 1331 ACTIVE vrouter ikev1 isakmp profile IPv6 Crypto ISAKMP SA View all Existing IPsec SAs Use the show crypto ipsec sa command to view the IPsec SAs for all existing or current IPsec connections Example CSR show crypto ipsec sa interface Tunnel0 Crypto map tag Tunnel0 head 0 local addr 1 0 0 2 protected vrf none ...

Page 119: ...p aes esp sha hmac in use settings Tunnel conn id 5288 flow_id CSR 3288 sibling_flags FFFFFFFF80004048 crypto map Tunnel0 head 0 sa timing remaining key lifetime k sec 4607999 3598 IV size 16 bytes replay detection support Y Status ACTIVE ACTIVE outbound ah sas outbound pcp sas CSR View Crypto Encryption Session Details Use the show crypto session detail command to view details about the crypto se...

Page 120: ...IPv6 Crypto IKEv2 SA View IKEv2 SA Details Use the show crypto ikev2 sa detailed command to view details about all IKE version 2 SAs in use by existing IPsec connections Example CSR show crypto ikev2 sa detailed IPv4 Crypto IKEv2 SA Tunnel id Local Remote fvrf ivrf Status 1 3 3 3 3 500 3 3 3 1 500 none none READY Encr AES CBC keysize 128 PRF sha256 Hash SHA96 DH Grp 14 Auth sign PSK Auth verify PS...

Page 121: ...OS Router and AWS Specific Cloud The sample configuration below sets up the running configuration of the vEOS Router andAWS Specific Cloud In the configuration the local id is the external IP of the router when it is behind a NAT device and the tunnel destination is the external IP of the AWS Specific Cloud ip security ike policy AWS IKE1 integrity sha1 version 1 local id 52 165 228 195 ike policy...

Page 122: ...at NAT traversal NAT T functions correctly add or update the firewall rule to allow UDP port 4500 Disable NAT T if the customer gateway is not behind a NAT gateway Use the following sample configuration files to set up an Internet key exchange SA configuration Authentication Method Pre shared Key Pre shard Key LwYbARmDJmpFGAOrAbPGk2uQiWwvbmfU Authentication Algorithm sha1 Encryption Algorithm aes ...

Page 123: ...he customer gateway outside IP address is provided upon creation of the customer gateway To change the IP address of the customer gateway create a new customer gateway The customer gateway inside IP address must be configured on the interface tunnel Outside IP Addresses Customer Gateway 52 165 228 195 Virtual Private Gateway 52 53 75 160 The customer gateway IP address is the IP address of the fir...

Page 124: ......

Page 125: ...RNELFIB_PROGRAM_ALL_ECMP true 2 Reload the device or restart the KernelFib agent via agent KernelFib terminate This step is needed only if the instance was created with an older pre vEOS 4 20 5 image 3 To enable ECMP in a routing protocol issue the maximum paths command inside the routing protocol used veos configure terminal veos config router bgp 65112 veos config router bgp maximum paths 16 4 W...

Page 126: ...wing example traffic to 10 4 3 5 takes Tunnel1 while traffic to 10 4 3 6 takes Tunnel3 veos bash ip route get 10 4 3 5 10 4 3 5 via 190 19 11 2 dev tun1 src 190 19 11 1 cache veos bash ip route get 10 4 3 6 10 4 3 6 via 190 19 11 102 dev tun3 src 190 19 11 101 cache For additional information regarding ECMP refer to the current release notes vEOS Router Configuration Guide 126 ...

Page 127: ...nnels 100 H http vEOS 30 https vEOS 31 I IPsec Show Commands 112 J JSON Based Cloud High Availability Configurations and Equivalent CLI 20 L Launching vEOS Router Instances Using AWS CloudFormation 40 Launching vEOS Router Instances Using EC2 AWS Marketplace 44 P peer vEOS 32 primary gateway vEOS Azure 33 proxy 33 R recovery cloud HA peer 31 recovery wait time vEOS 34 region vEOS AWS 34 Requiremen...

Page 128: ......

Reviews:

No comments