Thursday 31 October 2019

Configuring ZTP on Arista EOS

ZTP
  • CLIs:
    • zerotouch cancel - cancel ZTP for the current boot only
    • zerotouch disable - disable ZTP permanently
    • bash vi /mnt/flash/zerotouch-config
  • DHCPd config:
    • see below
  • Supported version:
    • Fixed - v3.7
    • Chassis - v4.10
  • If there is no startup-config, the switch defaults to ZTP; if ZTP is not disabled, the switch will not function properly.
  • automatic configuration based on DHCP
    • configure all Ethernet and management ports with "no switchport" to allow DHCP
    • can use dhcpd on Linux
    • the bootfile below can be either a config or a script
DHCPd config:
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;

option routers 192.168.1.1;
option domain-name-servers 192.168.1.200, 192.168.1.205;
option domain-name "gad.net";

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.160 192.168.1.167;
}

# Static lease for the switch, matched on its DHCP client identifier;
# bootfile-name points ZTP at the config or script to fetch
host Arista1 {
  option dhcp-client-identifier 00:1c:73:08:91:33;
  fixed-address 192.168.1.170;
  option bootfile-name "http://www2.gad.net/config/Arista1-ZTP";
}

ZTP Script:
#!/usr/bin/Cli -p2
enable
copy http://<url>/arista1-startup flash:startup-config
copy http://<url>/EOS-4.9.3.swi flash:
config
boot system flash:EOS-4.9.3.swi

Thursday 24 October 2019

Awesome Tcpdump Hack for Arista EOS to send to Wireshark

The commands below let you live-stream packet captures from an Arista EOS device to the Wireshark application on your Mac, without capturing to a file on the device and then copying it over.


To send tcpdump directly to wireshark:
ssh root@mt701 "tcpdump -s 0 -Un -w - -i vlan100" | wireshark -k -i -

The above command will:
- Tcpdump on the Arista EOS device mt701
- Capture packets of vlan100 (change to your desired interface)
- Pipe the output to Wireshark application on your Mac/Desktop


Tcpdump on a different VRF, "dhcpvrf":
ssh root@mc327 "ip netns exec ns-dhcpvrf tcpdump -i vlan2 port 67 or port 68" | wireshark -k -i -

The part of the command that selects the VRF is: "ip netns exec ns-dhcpvrf tcpdump -i vlan2 port 67 or port 68" (EOS exposes each VRF as a Linux network namespace named ns-<vrf>)

The above command will:
- Tcpdump on the Arista EOS device mc327
- Capture packets on VRF "dhcpvrf" (change name to your desired vrf name)
- Capture packets of vlan2 (change to your desired interface)
- Capture packets on Port 67 or Port 68 only
- Pipe the output to Wireshark application on your Mac/Desktop

Thursday 17 October 2019

VLAN Translation

VLAN Translation is used to encapsulate one VLAN (dot1q) in another VLAN (dot1q).

So it is also called q-in-q encapsulation.

The original vlan is called C-VLAN (customer) and the translated vlan is called S-VLAN (standard-vlan)

There are two ways to use VLAN translation:
  1. Use VLAN mapping both ways, i.e. any traffic arriving with VLAN X is converted to VLAN Y and traffic with VLAN Y is converted to VLAN X.

interface Ethernet14
   switchport mode trunk
   switchport vlan mapping 80 280
   switchport port-security maximum 4
   switchport port-security violation protect log
interface Ethernet16
   switchport trunk native vlan 80
   switchport mode trunk
   switchport vlan mapping 280 80

In the above case, any traffic arriving with VLAN 80 on et14 is converted to VLAN 280. On et16, any traffic arriving with VLAN 280 is converted to VLAN 80 (both ingressing and egressing).

NOTE: On et14, VLAN 280 must be allowed, and on et16, VLAN 80 must be allowed, since VLAN translation happens very early in the pipeline. So any traffic with the original VLAN is converted to the new VLAN before any other processing happens.


  2. The other way is to use the 'in' and 'out' keywords in the mapping configuration, so that only incoming or only outgoing packets are translated, not the other way around.

interface Ethernet14
   switchport mode trunk
   switchport vlan mapping in 80 280
   switchport port-security maximum 4
   switchport port-security violation protect log
interface Ethernet16
   switchport mode trunk
   switchport vlan mapping out 280 80

In this case, on et14, only incoming packets with VLAN 80 are translated to VLAN 280; if a VLAN 80 packet has to go out of et14, it is sent as VLAN 80. Similarly, on et16, only egressing packets are translated: if a VLAN 280 packet has to go out of et16, it is translated to VLAN 80, but an incoming packet with VLAN 280 on et16 is not translated.
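As an added illustration (not code from this post or from Arista), the following Python model applies the two mapping forms above to frames at ingress and egress, including the NOTE that translation runs before the allowed-VLAN check. The Port class, its methods and the pair-building functions are names chosen here; the model assumes the semantics stated on this page: the plain form rewrites both directions, 'in' only ingress, 'out' only egress.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    """One trunk port and its 'switchport vlan mapping' rules (model, not EOS code)."""
    name: str
    allowed: set                                  # VLANs the trunk allows
    ingress: dict = field(default_factory=dict)   # wire VLAN -> internal VLAN
    egress: dict = field(default_factory=dict)    # internal VLAN -> wire VLAN

    def mapping(self, original, translated, direction="both"):
        """switchport vlan mapping [in|out] ORIGINAL TRANSLATED"""
        if direction == "in":
            self.ingress[original] = translated
        elif direction == "out":
            self.egress[original] = translated
        else:  # plain form: rewrite on the way in and back on the way out
            self.ingress[original] = translated
            self.egress[translated] = original

    def receive(self, wire_vlan):
        """Frame arrives tagged wire_vlan. Translation first, then the allowed check
        (so the translated VLAN, not the original, must be allowed on the trunk)."""
        internal = self.ingress.get(wire_vlan, wire_vlan)
        return internal if internal in self.allowed else None

    def transmit(self, internal_vlan):
        """Frame leaves in internal_vlan; return the tag on the wire, or None if pruned."""
        if internal_vlan not in self.allowed:
            return None
        return self.egress.get(internal_vlan, internal_vlan)


def forward(src, wire_vlan, dst):
    """Tag on the wire leaving dst for a frame that entered src, or None if dropped."""
    internal = src.receive(wire_vlan)
    return None if internal is None else dst.transmit(internal)


def bidirectional_pair(et14_allowed=frozenset({80, 280})):
    """First config on the page: plain mapping on both ports (assumed allowed lists)."""
    et14 = Port("Ethernet14", set(et14_allowed)); et14.mapping(80, 280)
    et16 = Port("Ethernet16", {80, 280}); et16.mapping(280, 80)
    return et14, et16


def unidirectional_pair():
    """Second config on the page: 'in' on et14, 'out' on et16."""
    et14 = Port("Ethernet14", {80, 280}); et14.mapping(80, 280, "in")
    et16 = Port("Ethernet16", {80, 280}); et16.mapping(280, 80, "out")
    return et14, et16
```

Calling bidirectional_pair(et14_allowed={80}) reproduces the failure the NOTE warns about: a frame tagged 80 is translated to 280 before the trunk check and is dropped because 280 is not allowed.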