General Troubleshooting Tips ... 23
Caveats and Limitations ... 23
Cloud High Availability Commands ... 24
Cloud High Availability CLIs ... 25
Chapter 4: Using vEOS Router on the AWS Platform ... 39
vEOS Router Image Updates ... 39
Amazon Machine Image (AMI) Specifications ... 39
Supported Instance Types ... 39
Methods for Launching vEOS Router Instances ... 40
Launching vEOS Router Instances Using AWS CloudFormation ... 40
...
CSR Commands ... 118
CSR Router Show Commands ... 118
vEOS Routers and AWS Specific Cloud Configuration ... 121
IPsec Between the vEOS Router and AWS Specific Cloud Configuration ... 121
Running-configuration of the vEOS Router and AWS Specific Cloud ... 121
AWS Specific Cloud Configuration ... 122
AWS Specific Cloud Configuration Modifications ... 122
Chapter 8: ECMP ... 125
...
Overview

vEOS Router

Arista vEOS Router is a new platform release of EOS that is supported on Amazon Web Services (AWS), Microsoft Azure and other public clouds. It is also supported on customer equipment running Linux and VMware hypervisors. By bringing advanced network telemetry and secure IPsec VPN connectivity in a software-only package, vEOS Router provides a consistent, secure and universal approach to hybrid cloud networking for any virtualized cloud deployment.
• IPsec is not available without a license. For purchased licenses, upon expiration or nearing expiration:
• Renew the license as you would renew a service agreement. (The performance of the vEOS Router and the IPsec instance is not impacted.)
• If the license is renewed, there is no impact on service, provided there is an overlap of license dates.
The license for the feature is considered expired, but the feature continues to work until the grace period mentioned in the license lapses. For example, with a license such as the one below, the customer can continue to use vEOS without any limitations for ten days beyond the expiry date.
AWS.

Show License Files

Use the show license files command to display all information related to the active licenses installed. For example purposes, the licenses below are non-functional.

veos#show license files
License name: 2017.11.02.08.23.23.053684_IPSecLic-1yr.json
Contents:
"BindingInfo": {...
Use the show license files compressed command to display license information. In this example, the files are zipped and then base64 encoded. For example purposes, the licenses below are non-functional.

veos#show license files compressed
License name: 2017.11.02.08.23.23.053684_IPSecLic-1yr.json...
2017-10-09 17:00:00
Active: expired

show license all

The show license all command displays all licenses that are active, expired, or not yet activated.

veos#show license all
System Serial number: 2BC6A772072B04BED43DCCF8777F036F
System MAC address: 06:1b:8a:48:8d:0c
Domain name:...
A vEOS Router HA pair with Cloud HA is an active-active deployment model for cloud high availability designs within a region. Each vEOS Router in an HA pair provides enhanced routing capabilities as the gateway (or next-hop router for certain destinations) for the subnets to which the vEOS Routers connect. The two vEOS Router peers monitor each other's liveness using Bidirectional Forwarding Detection (BFD) between the router interfaces.
Each subnet is associated with a route table within the cloud infrastructure. Static routes are configured in the cloud route tables so that traffic from the hosts/VMs is routed to the vEOS Router in the corresponding availability zone as the gateway or next hop for certain destinations. For example, configure a default route (0.0.0.0/0) in the cloud route table with the next hop set to the vEOS Router's cloud interface ID or IP...
2 detected BFD connectivity loss with its peer, vEOS 2 would update the routes in Route Table 1 so that traffic from hosts in Subnet 1 and Subnet 2 that was directed to vEOS 1 is forwarded to the next-hop ID or IP owned by vEOS 2.
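The failover rule just described, as an added example that is not Arista's code: an in-memory model in which each router protects its peer's route-table entries and, on BFD loss, rewrites the entries still pointing at the peer's cloud interface ID to its own. The rtb-/eni- identifiers are constructed samples in AWS format, and a dict stands in for the cloud route-table API.

```python
"""In-memory model of the Cloud HA failover described above (added example,
not Arista code). The real Cloud HA agent changes AWS route tables through
the cloud API; here a dict stands in for the route table. All rtb-/eni-
identifiers below are constructed samples, not values from any deployment."""
from dataclasses import dataclass, field


@dataclass
class RouteTable:
    rtb_id: str
    routes: dict  # destination prefix -> next-hop cloud interface ID (ENI)


@dataclass
class VeosPeer:
    name: str
    eni: str  # this router's cloud interface ID, used as the hosts' next hop
    # (route table ID, prefix) entries this router takes over for its peer
    protected_routes: list = field(default_factory=list)
    bfd_to_peer_up: bool = True


def on_bfd_change(router, peer, tables, peer_reachable):
    """Apply the failover rule from the guide: when BFD to the peer is lost,
    every protected route that still points at the peer's ENI is rewritten
    to this router's own ENI. Returns the changes made as
    (rtb_id, prefix, old_eni, new_eni) tuples.

    Routes that no longer point at the peer are left untouched, so a repeated
    detection (or an operator's manual change) is not overwritten. BFD
    recovery performs no route change: the text describes takeover only."""
    router.bfd_to_peer_up = peer_reachable
    changes = []
    if peer_reachable:
        return changes
    for rtb_id, prefix in router.protected_routes:
        table = tables[rtb_id]
        current = table.routes.get(prefix)
        if current == peer.eni:
            table.routes[prefix] = router.eni
            changes.append((rtb_id, prefix, current, router.eni))
    return changes


def build_sample():
    """Two subnets in different availability zones, each with its own route
    table whose default route points at the local vEOS Router; each router
    is the backup for the other's table (constructed sample)."""
    tables = {
        "rtb-0000000a": RouteTable("rtb-0000000a", {"0.0.0.0/0": "eni-0000veos1"}),
        "rtb-0000000b": RouteTable("rtb-0000000b", {"0.0.0.0/0": "eni-0000veos2"}),
    }
    veos1 = VeosPeer("veos1", "eni-0000veos1", [("rtb-0000000b", "0.0.0.0/0")])
    veos2 = VeosPeer("veos2", "eni-0000veos2", [("rtb-0000000a", "0.0.0.0/0")])
    return tables, veos1, veos2


if __name__ == "__main__":
    tables, veos1, veos2 = build_sample()
    # vEOS 1 fails: vEOS 2 detects BFD loss and takes over Route Table 1.
    for change in on_bfd_change(veos2, veos1, tables, peer_reachable=False):
        print("%s %s: %s -> %s" % change)
    print({t.rtb_id: t.routes for t in tables.values()})
```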
• Access to the AWS Specific Cloud API server
  • If the vEOS is associated with a public IP address, no special configuration is required.
  • If the vEOS is not associated with a public IP address, use either AWS PrivateLink or a proxy configuration.

Configure Credentials

In the AWS Specific Cloud configuration, a region must be specified.
The Cloud HA agent will try to use the AWS IAM role to obtain security tokens for accessing and controlling AWS route tables. Verify that the IAM role for the vEOS Router virtual machine (VM) is configured properly in the AWS cloud.
Cloud Provider Helpful Tips

The following are needed for Cloud High Availability but are not part of the vEOS configuration on the vEOS Router. These may change, or there may be another way to achieve the same effect without changing the vEOS Router.
Configuring BFD

To configure the BFD link between the HA pair of vEOS Routers that is used to detect peer failure, the peer IP address and the local BFD source interface must be provided. The following example configures Tunnel 2 as the single-hop BFD source interface.
Note: Starting from 4.20.6, the Cloud HA configuration is only available through the CLI. The JSON file from the previous vEOS version is deprecated. You must convert the JSON configuration to CLI configuration after upgrading from any previous vEOS version.
Note: In the Cloud HA CLI, the Cloud Proxy name must be referenced in the Cloud Provider Proxy configuration to use the proxy.

JSON Configuration
"http_proxy_optional": {
    "http_port_optional" : "443",
    "http_proxy_port_optional" : "8888",
    "http_proxy_optional" : "10.3.3.3",
    "http_proxy_user_optional" : "",
    "http_proxy_password_optional" : ""
}

Equivalent CLI Configuration
cloud proxy proxy1 https 10.3.3.3 8888

vEOS Router Configuration Guide...
• Make sure to use a corresponding BFD source interface on the peer vEOS instance. This ensures that BFD traffic enters and leaves on the same interface on each instance.
• show cloud high-availability routes on page 36
• show cloud provider aws (vEOS - AWS) on page 37
• show cloud provider azure (vEOS - Azure) on page 38
•...
The following example configures the AWS access key as encrypted.

veos(config)#cloud provider aws
veos(config-cloud-aws)#access-key 0 565656 test

Example: The following example removes the AWS access key and returns the vEOS to global configuration mode.

veos(config-cloud-aws)#access-key 0 565656 test
veos(config-cloud-aws)#no access-key 0 565656 test
veos(config)#

Example: The following example returns the vEOS to global configuration mode.
The active-directory credential email subscription-id command configures the Azure active-directory credential parameters of the cloud provider azure configuration. The no active-directory command removes the configuration from the vEOS running-config. The exit command returns the vEOS to global configuration mode. Note: Supported on the Azure platform only.
The cloud high-availability command in the cloud-ha submode assigns the backup gateway parameters for the Azure high availability peered cloud. The no backup-gateway command removes the configuration from the vEOS running-config. The exit command returns the vEOS to global configuration mode. Command Mode...
The following example removes the BFD configuration.
veos(config-cloud-ha-peer-veos2)#no bfd source-interface

cloud high-availability (vEOS)

The cloud high-availability command places the vEOS in cloud-ha configuration mode. This configuration mode allows the user to configure cloud high-availability related parameters. The exit command returns the vEOS to global configuration mode.
(vEOS)

The cloud provider aws command places the vEOS in cloud-provider-aws configuration mode. This configuration mode allows the user to configure cloud provider aws command parameters. The exit command returns the vEOS to global configuration mode. Note: Supported on the AWS platform only.
Example: This command disables the cloud proxy named "test" and returns the vEOS to global configuration mode.
veos(config-cloud-proxy-test)# no cloud proxy test
veos(config)#

http (vEOS)

The http command in the cloud-proxy configuration submode configures the IP, port, username, and password parameters.
The https command in the cloud-proxy configuration submode configures the IP, port, username and password parameters. The no https command removes the configured cloud proxy information for HTTPS from the running-config and returns the vEOS to global configuration mode.

Command mode...
The peer command in the cloud-ha configuration mode identifies which peer to configure by name. The peer command in the cloud-ha configuration submode configures the cloud high-availability resource group peer related parameters. The no peer command removes the configuration from the vEOS running-config. The exit command returns the vEOS to the cloud-ha configuration mode.
(vEOS - Azure)

The primary-gateway command in the cloud-ha submode assigns the primary gateway parameters for the Azure high availability peered cloud. The no primary-gateway command removes the configuration from the vEOS running-config. Note: Supported on the Azure platform only.
The cloud provider aws command places the vEOS in cloud-provider-aws configuration mode. This configuration mode allows the user to configure the AWS cloud provider region command parameters. The no region command removes the configuration from the vEOS running-config. The exit command returns the vEOS to global configuration mode.
(vEOS - AWS)

The cloud provider aws command places the vEOS in cloud-provider-aws configuration mode. This configuration mode allows the user to configure cloud provider aws secret access-key command parameters. The no secret access-key command removes the configuration from the vEOS running-config. The exit command returns the vEOS to global configuration mode.
Example: The following example removes the secret access key from the vEOS running-config.
veos(config-cloud-aws)#no secret access-key 0 565656 test
veos(config-cloud-aws)#

Example: The following example returns the vEOS to global configuration mode.
veos(config-cloud-aws)#secret access-key 0 565656 test
veos(config-cloud-aws)#exit
veos(config)#

show cloud high-availability (vEOS)

The show cloud high-availability command displays the configured high availability settings.
0.0.0.0/0 eni-e61d95e7
veos6 backup rtb-aca223c8 0.0.0.0/0 eni-69109868

show cloud provider aws (vEOS - AWS)

The show cloud provider aws command displays cloud provider information for the AWS platform.

Command Mode
EXEC

Command Syntax
show cloud provider aws

Example
The following example displays the AWS cloud configuration.
(vEOS - Azure)

The show cloud provider azure command displays Azure cloud provider information.

Command Mode
EXEC

Command Syntax
show cloud provider azure

Example
The following example displays the Azure cloud configuration.

veos#show cloud provider azure...
Using vEOS Router on the AWS Platform

The vEOS Router, based on the Arista EOS, runs as a virtual machine instance on AWS EC2. Use the vEOS Router to create the various types of virtual machine router instances for AWS deployment, for example gateway routers and transit routers.
For details on these AWS instance types, see Amazon's documentation (https://aws.amazon.com/ec2/instance-types/).

Methods for Launching vEOS Router Instances

The vEOS Router supports the use of various methods for launching the router instances needed in a typical AWS deployment. The supported methods are:
on page 40
•...
3. Click on the Create Stack button. The page refreshes to show the templates that are available to use to create a new stack.
4. Select a nic template for upload, and then click on the Next button.
AMI ID. (To convert UserData from text to base64 format, use the base64 command on a macOS or Linux machine.)

#base64
%EOS-STARTUP-CONFIG-START%
hostname myhost
%EOS-STARTUP-CONFIG-END%
<Press CTRL+D>
JUVPUy1TVEFSVFVQLUNPTkZJRy1TVEFSVCUKaG9zdG5hbWUgbXlob3N0CiVFT1MtU1RBUlRVUC1DT05GSUctRU5EJQo=

6. Review the details and make changes if needed.
7. Click the Create button to create the stack.
8. Wait for the stack creation to complete. Resources created as part of the stack creation process can be viewed in the Resources tab.
9. Click on the vEOS Router instance ID to view the status of the vEOS Router instance. The instance ID is shown in the Physical ID column of the Resources tab.
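The UserData packaging from step 5 of this procedure, as an added example that is not Arista's code: it frames a startup-config in the %EOS-STARTUP-CONFIG-START%/%EOS-STARTUP-CONFIG-END% markers, base64-encodes it the way the base64 terminal step does, and decodes a pasted value back to check the markers before launch. The function and variable names are this example's own.

```python
"""Package a vEOS startup-config as AWS UserData the way the guide's base64
step does, and verify a pasted value (added example, not Arista code).

The vEOS Router reads the configuration found between the
%EOS-STARTUP-CONFIG-START% and %EOS-STARTUP-CONFIG-END% markers; the
CloudFormation procedure wants that framed text base64-encoded."""
import base64

START_MARKER = "%EOS-STARTUP-CONFIG-START%"
END_MARKER = "%EOS-STARTUP-CONFIG-END%"


def frame_startup_config(config_lines):
    """Wrap config lines in the markers, one line each.

    In the guide's terminal session every line, including the end marker,
    is followed by Enter before CTRL+D, so the encoded text ends with a
    newline. Leaving it out yields a different base64 string, which is a
    common reason a hand-made value does not match the documented one."""
    body = "\n".join(config_lines)
    return f"{START_MARKER}\n{body}\n{END_MARKER}\n"


def encode_user_data(config_lines):
    """Return the base64 string to paste into the UserData field."""
    framed = frame_startup_config(config_lines).encode("utf-8")
    return base64.b64encode(framed).decode("ascii")


def decode_user_data(user_data_b64):
    """Reverse the encoding and pull the config lines back out of the markers.

    Rejects non-base64 input and text whose markers are missing or out of
    order, so a bad paste is caught before the stack is created."""
    text = base64.b64decode(user_data_b64, validate=True).decode("utf-8")
    start = text.find(START_MARKER)
    end = text.find(END_MARKER)
    if start < 0 or end < 0 or end < start:
        raise ValueError("startup-config markers missing or out of order")
    body = text[start + len(START_MARKER):end]
    return [line for line in body.split("\n") if line]


if __name__ == "__main__":
    encoded = encode_user_data(["hostname myhost"])
    print(encoded)
    print(decode_user_data(encoded))
```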
IPv4 unless an Elastic IP address is assigned to the primary network interface (eth0). If the user does not want to associate an Elastic IP address with the vEOS Router instance, then it is recommended to attach any additional interface only when the instance is in the running state, and never to stop and start the instance thereafter.
• Using instance user-data to configure the instance

vEOS supports the use of vEOS Router instance user-data to configure vEOS Router instances at launch. This involves uploading instance user-data to the instance by way of the Advanced Details dialog. You can either copy and paste a configuration into the dialog or attach a configuration file.
The page appears for you to select an AMI.
6. Click on AWS Marketplace in the left pane. Search for Arista vEOS Router in the search field to bring up the available vEOS AMIs. Select the appropriate AMI for launching.
7. A screen appears showing the user highlights, pricing details and instance types available. Press the Continue button to advance.
8. Click in the left pane. The Choose an Instance Type page appears.
9. Select an instance type that meets the requirements for the vEOS Router instance. The supported instance types are:
• C4.large
• C4.xlarge
• C4.2xlarge
• R4.large
• R4.xlarge
• R4.2xlarge
• R4.4xlarge
• T2 small
• T2 medium
10. Click on the Next: Configure Instance Details button (lower right part of the page).
Attach the configuration as a file by clicking on the file, and then choose the configuration file to be uploaded. For details on composing user data for vEOS Router, see Using User-data for Configuration of Entities and vEOS Router Instances on page 57.
15. Using the Select a key pair menu, select the key pair created earlier in the procedure. In this example, the key pair is named "systest."
16. Select the acknowledgment (near the bottom of the dialog), and then click on the Launch Instances button. The Launch Status page appears showing the status of the instance.
17. Click on the blue link to the instance to view details about the instance. (The link is in the "Your instances are now launching" box near the top of the page.) The page shows the details for the instance.
Router instances launch through the AWS Marketplace. Refer to the “AWS CloudWatch Quick Start Guide” to make sure that the vEOS Router instance has the right credentials for logging in to AWS.
Router log filenames

By default, the hostname of the vEOS Router instance is the filename of all vEOS Router logs for that instance.

Network Configuration Tasks for vEOS Router Instances

Complete additional configuration tasks to ensure that the vEOS Router instances launched have the required networking configuration.
4. Do the following:
a) Enter a description for the network interface.
b) Select the subnet for the network interface. (This can be the existing subnet for the vEOS Router instance or a different subnet.)
c) Type the names of the security groups for the network interface. (Specify the existing security groups for the vEOS Router instance, or different security groups.)
55).

Attaching the New Network Interfaces to Instances

Attaching the new network interfaces to vEOS Router instances is the second networking configuration task. This task involves selecting the new network interfaces created in the previous procedure and then attaching them to vEOS Router instances.
Configuring the Route Table of the AWS Router

To take advantage of the advanced services provided by vEOS, configure the route table of the AWS Router so that traffic is forwarded from the AWS Router to the vEOS Router instances. This task involves logging into the AWS Router and modifying route table entries for the vEOS Router instances to which you want traffic forwarded.
3. Obtain the Subnet ID and the route table ID that corresponds to the subnet in which the vEOS Router instance resides. Example: Subnet ID (subnet-1c68b744), Route table ID (rtb-934cf9f7).
4. Edit the route table entry so that it points to the corresponding interface of the vEOS Router in that subnet.
Entity: Cloud HA
/mnt/flash/cloud_ha_config.json
%CLOUDHA-CONFIG-END%
File: cloud_ha_config.json
Use: Configure vEOS Router for High Availability

Sample Instance User-data

The following sample user-data contains lines to start up the instance and to configure various entities. The sample contains lines to configure:
• AWS CloudWatch logs (for the us-east-1 region)
•...
Using the vEOS Router on Microsoft Azure

The vEOS Router, which is based on the Arista EOS, runs as a virtual machine instance on Azure. Use the vEOS Router to create the various types of virtual machine router instances you need for your Azure deployment, for example gateway routers and transit routers.
To create an instance using the Portal Marketplace, complete the following steps.
1. In the Azure portal, select the green '+' button in the top left of the screen.
2. In the search bar, type "Arista" and press Enter.
Figure 2: Type "Arista"...
Figure 3: Arista selection
4. Select "Create".
Figure 4: Select "Create"
5. Fill out the required information and press "OK".
Figure 5: Required information
6. Configure the VNet and press "OK".
Figure 6: Configuring the VNet
7. Configure the subnets and press "OK".
Figure 7: Configuring the subnets
8. Verify the information is correct and press "OK".
Figure 8: Verification
9. Read the Terms and Conditions, then press "Purchase".
$1 | python -c 'import json, sys; print( json.dumps( sys.stdin.read() ) )'

7. Use the template and parameters JSON files to launch a vEOS Router instance in Azure using the Azure CLI 2.0.

$ az group create --name ExampleGroup --location "Central US"...
To fix this, remove the @ symbol before the parameters filename.

Logging into Instance

To log into an instance, complete the following steps.
1. Select the resource group containing your vEOS Router deployment from the Resource groups list.
2. Select the item publicIP.
Figure 10: Selecting the PublicIP...
Router Startup-Configuration using Instance Custom-Data

Describes launching with custom-data. During the initial launch of the vEOS Router instance, Azure provides a feature to upload custom-data. The administrator can upload the vEOS Router configuration using custom-data at the time the vEOS Router instance is launched.
Copy and paste the generated output into the customData value field of the JSON parameters file.

Troubleshooting Instance

To troubleshoot the instance, complete the following steps.
1. Select the resource group containing your vEOS Router deployment from the Resource groups list.
2. Select the item vEOS Router.
Figure 12: Select the vEOS Router
3. Note the status of the VM. It should be "Creating", "Starting", or "Running".
Figure 13: Status of the VM
4. Check the boot diagnostics for any error messages or warnings.
Figure 14: Error messages and warnings

Resources

Additional resources.
1. How To: Deploy Azure Virtual Machines With An Azure Resource Manager (ARM) Template - https://www.youtube.com/watch?v=wi74jR0MRLg
2. How To Deploy Resources - https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-deploy-cli...
• Ethernet NICs must be SR-IOV capable
• BIOS / System Firmware support for SR-IOV

KVM Requirements

vEOS must be deployed on an x86-64 architecture server running the KVM hypervisor.

KVM Minimum Server Requirements
• 8 GB free disk space
• 16 GB RAM
• x86-64 server class CPU (32-bit CPUs are not supported) with
•...
ESXi Web Client. The following task is required to launch VMware 6.0 and 6.5 and provides a general guideline on the steps involved in deploying virtual machines with an OVF/OVA template. Note: Arista support suggests using only the vSphere Web Client. The ESXi Web Client may have untested issues.
Server Requirements

3. Select the name and location for the vEOS deployment.
4. Select the host, cluster, resource pool or vApp.
5. Verify the template details.
6. Select Thick provision eager zeroed from the datastore.
7. Select the default network.
8. Complete the launch process.
Describes how to enable single root input/output virtualization (SR-IOV) or PCI passthrough on VMware ESXi. To enable SR-IOV or PCI passthrough on ESXi, complete the following steps.
1. Navigate to Manage on the ESXi host, then select the Hardware tab.
2. Locate and select your PCI device/NIC.
3. Use either the Toggle passthrough or the Configure SR-IOV selection to activate the mode.
4. Reboot the ESXi host for the configuration to take effect.
5. After the reboot, the NIC reflects the changes. For SR-IOV, new virtual function (VF) devices are created.
6. Edit the VM and select Add other device, then select PCI Device to create the New PCI Device for the
7. Select the New PCI Device to use the SR-IOV VF or PCI Passthrough device.
KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on x86 hardware containing virtualization extensions. vEOS is a build of Arista EOS that can be deployed as a virtual machine image. This document details the system requirements of vEOS on Linux KVM based hypervisors.
Launching vEOS in LinuxBridge Mode

Use the script SetupLinuxBridge.pyc:
python SetupLinuxBridge.pyc <bridge-name>

Cut and paste the following XML template into a file (veos.xml) and customize the elements that are in bold below.
• virsh define <veos define file say veos.xml>...
<controller type='usb' index='0'>
  <alias name='usb0'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0
</controller>
<controller type='pci' index='0' model='pci-root'>
  <alias name='pci0'/>
</controller>
<controller type='ide' index='0'>
  <alias name='ide0'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x01' funct
</controller>
<!-- In this case management is connected to linux bridge -->
<interface type='bridge'>...
VIRTIO & Linux Bridging Deployment

vEOS can employ para-virtualized network I/O interfaces, which in Linux KVM are also known as Virtio. Each NIC is connected to a unique underlying Linux layer-2 bridge in the hypervisor, which in turn provides access to an uplink.
If it does not "PASS" for IOMMU, check the BIOS settings and kernel settings. The example below is what should be displayed.

[arista@solution]$ virt-host-validate
QEMU: Checking for device assignment IOMMU support : PASS
QEMU: Checking if IOMMU is enabled by kernel : PASS

2.
82:00.0 and 82:00.1. The first two numbers are the serial numbers for the PFs and the remaining are the serial numbers for the VFs.

# virsh nodedev-list | grep 82
pci_0000_82_00_0
8. Create a new Interface. Shutdown the vEOS VM if it is already running. Open the XML file for the specific vEOS VM for editing using the Linux command virsh edit <vm-name>. In the interface section, create a new interface by adding the details as shown below.
</source>
</interface>

9. Start the vEOS VM. Verify there is an added interface on the VM. Use the command ethtool -i et9 to verify that the driver for the added interface is ixgbevf.

veos(config)#show interface status
Port Name...
Set up a networking device to use PCI pass-through. When sharing resources is not efficient, or packets are consumed by a virtualized switch before reaching the VM (vEOS), implementing PCI pass-through for the NIC provides dedicated and unfiltered network resources to the VM.
83:00.1 Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)

2. Verify Available Physical Functions. Verify the available physical functions by using the virsh Linux commands.

[arista@solution]$ virsh nodedev-list | grep 82_00_0
pci_0000_82_00_0
[arista@solution]$ virsh nodedev-dumpxml pci_0000_82_00_0
<device>...
Example Deployment

vEOS can use passthrough I/O interfaces where the network I/O does not hit the hypervisor. In this model, the VM owns the entire network card, thus fully bypassing the hypervisor. Setting up SR-IOV is initially more involved. Arista recommends starting out with LinuxBridge.
Router Release Notes.
• Supported Tunnel Types on page 96: The vEOS Router supports the use of two basic types of IPsec tunnels. The tunnel types are determined based on the encapsulation mode.
• Requirements when Behind a NAT on page 96: The vEOS Router supports the use of NAT-Traversal to communicate with the remote peer virtual router.
Supported Tunnel Types

The vEOS Router supports the use of two basic types of IPsec tunnels. The tunnel types are determined based on the encapsulation mode. The supported tunnel types are:
GRE-over-IPsec
• In GRE-over-IPsec encapsulation mode, the application payload is first encapsulated within a GRE packet.
(steps 1 through 6 are the same). Step 7 is the step to select the tunnel type. Note: vEOS Router by default uses IKE version 2 for all IPsec tunnels. To configure a tunnel that uses IKE version 1, explicitly configure the vEOS Router to use IKE version 1.
7. Configure the WAN interface to be the underlying interface for the tunnel. You must specify an L3 address for the tunnel. If you do not, the vEOS Router cannot route packets using the tunnel.
1394
veos(config-if-Tu0)#tunnel source 1.0.0.1
veos(config-if-Tu0)#tunnel destination 1.0.0.2
veos(config-if-Tu0)#tunnel ipsec profile vrouter

Optional Steps
To move the tunnel interface to a different VRF, complete step 9. To achieve high throughput, complete step 9.

Create the GRE-over-IPsec tunnel interface in a VRF using the vrf forwarding command. If a VRF is needed, create one, then create and configure the GRE tunnel interface.
Examples of Running-configurations for GRE-over-IPsec Tunnels

The following examples show the running configurations for two vEOS Router instances (vEOS1 and vEOS2). The instances are the tunnel endpoints of a GRE-over-IPsec tunnel.

Running Configuration for vEOS1...
1.0.0.2/24

Examples of Running-configurations for VTI IPsec Tunnels

The following examples show the running configurations for two vEOS Router instances (vEOS1 and vEOS2). The instances are the tunnel endpoints of a VTI IPsec tunnel.

Running Configuration for vEOS1...
The vEOS Router establishes and maintains IPsec tunnels for secure, encrypted communication between vEOS Router instances and third party peer router instances. The following lists the types of IPsec tunnels that can be set up between vEOS Router instances and third party virtual router instances.
Note: The vEOS Router by default uses IKE version 2 for all IPsec tunnels. If you want to configure a GRE-over-IPsec tunnel that uses IKE version 1, explicitly configure the vEOS Router to use IKE version

Procedure

Complete the following steps to configure the vEOS Router instance to share a GRE-over-IPsec tunnel.
6. Configure the WAN interface to be the underlying interface for the tunnel. Specify an L3 address for the tunnel. If the L3 address is not specified, the vEOS Router cannot route packets using the tunnel.
The vEOS Router lets you configure VTI IPsec tunnels between a vEOS Router instance and a third party peer router instance (such as a Palo Alto firewall VM). First complete the setup of the tunnel on the vEOS Router instance, then set up the other end of the tunnel on the third party peer router instance.
Supported Tunnel Types

Set up IPsec VTI tunnels when using the Palo Alto firewall VM as a peer router instance with a vEOS Router instance. GRE-over-IPsec tunnels are not permitted with this combination of router instances as peers.
8. Commit (save) the configuration.

vEOS and Palo Alto Firewall VM Pairing (VTI IPsec Tunnel)

The following example shows a VTI IPsec tunnel between a vEOS Router instance and a third party Palo Alto firewall VM router instance.

Running Configuration for vEOS1...
Note: The vEOS Router by default uses IKE version 2 for all IPsec tunnels. To configure a VTI IPsec tunnel that uses IKE version 1, explicitly configure the vEOS Router instance to use IKE version 1.
107).

vEOS Router Show Commands

The vEOS Router has show commands to view IPsec connections and IPsec profiles on vEOS Router instances.

View all Existing IPsec Connections

Use the show ip security connection command to view all existing IPsec connections.
Interface Arista Tunnel0

IPsec Show Commands

The vEOS Router provides commands to view all current or established IPsec tunnels and to view all profiles currently in use by established tunnels. The show commands are:
• show ip security connection
• show ip security connection detail...
36 pkts

The example below shows the use of the show ip security connection detail command to view the details for a specified IPsec tunnel.

veos#show ip security connection detail
source address 1.0.0.1, dest address 1.0.0.2
Inbound SPI 0x672F6CC3: request id 1, mode transport replay-window 32, seq 0x0...
1

1. Enter the configuration terminal mode to configure IPsec.
CSR#config terminal

2. Configure a pre-shared key for the vEOS Router and CSR to authenticate each other. Create a keyring to hold the keys.
CSR(config)#crypto keyring vrouter-keyring
CSR(conf-keyring)#pre-shared-key address 1.0.0.2 key arista

3.
By default, the vEOS Router is configured to use IKEv2. Make sure the version is not set to 1 under the IKE policy. The configuration steps for CSR IKEv2 differ slightly from those for IKEv1.
CSR(config)#crypto ikev2 profile vrouter-ikev2-profile
CSR(config-ikev2-profile)#match fvrf any
CSR(config-ikev2-profile)#match identity remote address 1.0.0.1 255.255.255.255
CSR(config-ikev2-profile)#authentication remote pre-share key arista
CSR(config-ikev2-profile)#authentication local pre-share key arista
CSR(config-ikev2-policy)#exit

6. Create the IPsec transform-set configuration settings. This step is similar to the corresponding step in the IKEv1 configuration.
1.0.0.2
tunnel ipsec profile hq
interface Ethernet1
no switchport
ip address 1.0.0.1/24

vEOS Router (VTI IPsec Tunnel)

The IPsec tunnels represented in these examples include VTI IPsec tunnels between vEOS Router instances and third party CSR router instances.

Running Configuration for vEOS
ip security...
IPsec Support

#send errors 0, #recv errors 0
local crypto endpt.: 1.0.0.2, remote crypto endpt.: 1.0.0.1
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet2
current outbound spi: 0xCB8FB740(3415193408)
PFS (Y/N): N, DH group: none
Dummy packet: Initializing
inbound esp sas:
spi: 0x36383677(909653623)
transform: esp-aes esp-sha-hmac ,...
Remote next msg id:
Local req queued:
Remote req queued:
Local window:
Remote window: 1
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
IPsec Between the vEOS Router and AWS Specific Cloud Configuration

Describes the steps and the running configuration for setting up an IPsec connection between the vEOS Router and the AWS Specific Cloud. The AWS Specific Cloud only supports IKEv1, not IKEv2.
• Perfect Forward Secrecy: Diffie-Hellman Group 2

IPsec Dead Peer Detection (DPD) is enabled on the AWS Specific Cloud endpoint. Configure DPD on your endpoint as follows:
• DPD interval: 10
• DPD retries: 3
• Customer Gateway: 52.165.228.195
• Virtual Private Gateway: 52.53.75.160

The customer gateway IP address is the IP address of the firewall in the DC behind which the vEOS instance sits (with NAT). The virtual private gateway IP address is the external IP address of the AWS Specific Cloud.
1. Have the following line in the device's running-configuration. If an instance was created with an older, pre-vEOS 4.20.5 image, add the command line in the example below. If an instance was created with a vEOS 4.20.5 or later image, there is no need for additional configuration changes because the command line appears in the configuration by default.
5. To determine the route that the interface traffic takes to specific addresses, issue the bash ip route get <address> command, which shows which link the traffic uses. In the following example, traffic to 10.4.3.5 takes Tunnel1, while traffic to 10.4.3.6 takes Tunnel3.

veos#bash ip route get 10.4.3.5
10.4.3.5 via 190.19.11.2 dev tun1 src 190.19.11.1
    cache
veos#bash ip route get 10.4.3.6...