Intro

So this year I’ve had the opportunity to work with Arista quite extensively and finally check out what all the hype is about.

A year later, in a galaxy very close and very near, I’ve gotta say these boxes rock! ✨😎

There are a lot of cool things about Arista Extensible Operating System (EOS), but this time around I want to share something usable in day-to-day management for my fellow engineers doing config cleanup and MACD operations.

Let’s get started.


Setup & Basic Management

So local config management on these devices is pretty straightforward, as you would expect. The driver’s seat feels very much like Cisco IOS CLI, but in sport mode.

I’ve booted a fresh Arista, let’s get it on the network and pull our first config remotely.

Disable Zerotouch Provisioning

First thing to do is disable ZTP, since we will be configuring this device manually.

localhost login: admin
localhost>en
localhost# zerotouch disable
localhost#
Jul 11 04:31:19 localhost ZeroTouch: %ZTP-6-RELOAD: Rebooting the system
...snip...

Device Pre-Config

localhost login: admin
localhost>en
localhost#
localhost# config t
localhost(config)# hostname SW1
! create vlan
SW1(config)# vlan 800
! create SVI and set ip address
SW1(config-vlan-800)# int vlan 800
SW1(config-if-Vl800)# ip address 10.0.0.50/24
! configure mgmt server access port
SW1(config-if-Vl800)# int e2
SW1(config-if-Et2)# switchport mode access
SW1(config-if-Et2)# switchport access vlan 800
! test connection
SW1(config-if-Et2)# ping 10.0.0.100
PING 10.0.0.100 (10.0.0.100) 72(100) bytes of data.
80 bytes from 10.0.0.100: icmp_seq=1 ttl=64 time=6.09 ms
80 bytes from 10.0.0.100: icmp_seq=2 ttl=64 time=4.85 ms
80 bytes from 10.0.0.100: icmp_seq=3 ttl=64 time=4.86 ms
80 bytes from 10.0.0.100: icmp_seq=4 ttl=64 time=4.80 ms
80 bytes from 10.0.0.100: icmp_seq=5 ttl=64 time=4.81 ms

--- 10.0.0.100 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 25ms
rtt min/avg/max/mdev = 4.804/5.085/6.091/0.509 ms, ipg/ewma 6.279/5.569 ms
! create user for remote login
SW1(config-if-Et2)# username admin privilege 15 secret PASSWORD
SW1(config-if-Et2)# end
SW1#

Very similar to Cisco IOS. Notice anything different?

🛻💨 *Sport mode*

Pulling a Config

At this point, we are able to SSH in and pull our config. This is because SSH is enabled by default! No extra config necessary 🙂.

root@ubuntu:~# ssh [email protected]
([email protected]) Password: 
Last login: Thu Jul 11 05:04:16 2024 from 10.0.0.100
SW1> en
SW1# show run 
! Command: show running-config
...snip...

Cool, but how fast can this really go? Let’s try this.

root@ubuntu:~# ssh [email protected] "run enable; show run"
([email protected]) Password: 
>enable
#show run
! Command: show running-config
!
! boot system flash:/vEOS-lab.swi
!
no aaa root
!
username admin privilege 15 role network-admin secret sha512 
...snip...
end
root@ubuntu:~# 

Backup configs in one command, technically.. hehe.
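
As an added example (not from the original post): the one-line pull above captures the echoed `>enable` / `#show run` lines and the local user's `secret sha512` hash along with the config. This Python example trims the echo, writes the full backup readable by its owner only, and produces a redacted copy for tickets or shared repos; the function names and the sample capture are constructed for illustration.

```python
import hashlib
import os
import re

# Constructed sample of what the one-line SSH pull captures; the hash is a placeholder.
SAMPLE_CAPTURE = """>enable
#show run
! Command: show running-config
!
no aaa root
!
username admin privilege 15 role network-admin secret sha512 $6$CONSTRUCTED$placeholderhash
!
end
"""

# Matches 'secret <value>' or 'secret sha512 <value>' on a username line.
SECRET_RE = re.compile(r"(\bsecret(?: sha512)?) \S+")

def clean_capture(raw):
    """Drop the echoed prompt lines that precede the '! Command:' banner."""
    lines = raw.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("! Command:"):
            return "\n".join(lines[i:]) + "\n"
    raise ValueError("no running-config banner found in capture")

def redact_secrets(config):
    """Return a copy with local-user secrets masked (hypothetical helper)."""
    out = []
    for line in config.splitlines():
        if line.lstrip().startswith("username "):
            line = SECRET_RE.sub(r"\1 <redacted>", line)
        out.append(line)
    return "\n".join(out) + "\n"

def store_backup(config, path):
    """Write the full backup with mode 0600 and return its SHA-256 digest."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(config)
    os.chmod(path, 0o600)  # enforce the mode even if the file already existed
    return hashlib.sha256(config.encode()).hexdigest()

if __name__ == "__main__":
    print(redact_secrets(clean_capture(SAMPLE_CAPTURE)), end="")
```
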

That’s pretty cool. Now let’s check out some of the actual features for config management.


Config Checkpoints

You ever put together a risky change for a network maintenance that feels like a boss battle? Well now you can use checkpoints lol.

No for real, check this out.

SW1# config checkpoint ?
  restore  Restore running-config from a previous checkpoint file
  save     Save running-config to a checkpoint file
SW1#
SW1# config checkpoint save PRE_CHG_12345
SW1# show configuration checkpoints 
Maximum number of checkpoints: 20
  Filename              Date             User
------------- ------------------------- -----
PRE_CHG_12345    2024-07-11 07:00:53    admin

SW1#
SW1# dir checkpoint:
Directory of checkpoint:/

       -rw-        1036           Jul 11 07:00  PRE_CHG_12345

No space information available
SW1#

We have a checkpoint! Now let’s break something..

Suppose we have a BGP peering

SW1# show ip bgp sum
BGP summary information for VRF default
Router identifier 2.2.2.2, local AS number 2222
Neighbor Status Codes: m - Under maintenance
  Neighbor         V  AS           MsgRcvd   MsgSent  InQ OutQ  Up/Down State   PfxRcd PfxAcc
  1.1.1.1          4  1111              47        43    0    0 00:00:20 Estab   0      0
SW1#

and.. oops.

SW1# config t
Jul 11 07:12:04 SW1 ConfigAgent: %SYS-5-CONFIG_E: Enter configuration mode from console by admin on)
SW1(config)# no router bgp 2222
Jul 11 07:12:23 SW1 Rib: %BGP-3-NOTIFICATION: sent to neighbor 1.1.1.1 (AS 1111) 6/3 (Cease/peer de 
Jul 11 07:12:23 SW1 Rib: %BGP-5-ADJCHANGE: peer 1.1.1.1 (AS 1111) old state Established event Stop e
SW1(config)# end
Jul 11 07:12:29 SW1 ConfigAgent: %SYS-5-CONFIG_I: Configured from console by admin on con0 (0.0.0.0)
SW1#
SW1# show ip bgp sum
SW1#

No more BGP… now what?

Press start -> Revert to last checkpoint.

SW1# config checkpoint restore PRE_CHG_12345
Jul 11 07:12:58 SW1 ConfigAgent: %SYS-5-CONFIG_REPLACE_SUCCESS: User admin replaced running configu)
Jul 11 07:12:59 SW1 Rib: %BGP-5-ADJCHANGE: peer 1.1.1.1 (AS 1111) old state OpenConfirm event Rd
Jul 11 07:12:59 SW1 Rib: %BGP-5-CONVERGED: BGP in VRF default has converged and its routes are in FB

SW1# show ip bgp sum
BGP summary information for VRF default
Router identifier 2.2.2.2, local AS number 2222
Neighbor Status Codes: m - Under maintenance
  Neighbor         V  AS           MsgRcvd   MsgSent  InQ OutQ  Up/Down State   PfxRcd PfxAcc
  1.1.1.1          4  1111               4         3    0    0 00:00:05 Estab   0      0
SW1#

and just like that we are back in business.

Checkpoints are essentially files stored on disk under checkpoint: and can be managed with ordinary file operations, for example deleted after a successful maintenance window.

Really useful when you are making changes to multiple devices at once throughout the network and you need to roll them all back to a definite point. Also very useful when staging multipart changes that reach milestones; you can have checkpoints for each important moment.


Config Sessions

Config Sessions take a different spin on configuration management.

Entering (or creating) a Config Session changes the behavior of the terminal: changes are queued in the session, and the administrator has to commit them before they are actually implemented, just like Juniper and Palo Alto.

SW1# config session ?
  WORD           Name for session
  description    Session description
  pending-timer  Commit the session that is pending a commit timer
  <cr>           

SW1#

Let’s create a session and see how it works

SW1# config session IP_ADDR_CHANGE
Jul 11 08:05:56 SW1 ConfigAgent: %SYS-5-CONFIG_I: Configured from console by admin on con0 (0.0.0.0)
Jul 11 08:05:56 SW1 ConfigAgent: %SYS-5-CONFIG_SESSION_ENTERED: User admin entered configuration se)
SW1(config-s-IP_ADDR_CH)#
SW1(config-s-IP_ADDR_CH)# int e1
SW1(config-s-IP_ADDR_CH-if-Et1)# no ip address
SW1(config-s-IP_ADDR_CH-if-Et1)#

So we have removed the IP address of our only physically configured interface.

Let’s verify some things.

! show config in queue
SW1(config-s-IP_ADDR_CH-if-Et1)# show session-config diffs 
--- system:/running-config
+++ session:/IP_ADDR_CHANGE-session-config
interface Ethernet1
-   ip address 10.0.50.2/24
SW1(config-s-IP_ADDR_CH-if-Et1)#
! show running config
SW1(config-s-IP_ADDR_CH-if-Et1)# show run int e1
interface Ethernet1
   no switchport
   ip address 10.0.50.2/24
SW1(config-s-IP_ADDR_CH-if-Et1)#

Notice that our running-config is still untouched.

We can now commit or abort this session.

This is a great feature to minimize the footprint of impactful changes (like changing the IP address of the management interface). Committing a config effectively performs a merge to running-config.

There is another really cool thing built into Config Sessions, and that is the ability to time out changes and automatically roll back.

SW1(config-s-IP_ADDR_CH)#commit ?
  timer  commit session with a timeout. If not committed within this time,
         config will be reverted.
  <cr> 
  
SW1(config-s-IP_ADDR_CH)# commit timer ?
  hh:mm:ss  timeout

SW1(config-s-IP_ADDR_CH)#

Suppose we are performing a risky change remotely that has the potential to sever the connection. We can configure a timeout to roll things back in case the administrator gets locked out. A nice improvement to the ol’ reload in X trick.
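
As an added example (not from the original post): a pre-commit check that reads the `show session-config diffs` output shown earlier and suggests `commit timer` when the pending change removes something that could cut off access or routing. The rule list, function names, timer value and sample diff are assumptions made for illustration.

```python
import re

# Constructed sample in the format 'show session-config diffs' prints above,
# extended with a BGP removal like the one from the checkpoint section.
SAMPLE_DIFF = """--- system:/running-config
+++ session:/IP_ADDR_CHANGE-session-config
interface Ethernet1
-   ip address 10.0.50.2/24
-router bgp 2222
-   neighbor 1.1.1.1 remote-as 1111
"""

# Hypothetical policy: removals that can cut off remote access or routing.
RISKY_REMOVALS = [
    (re.compile(r"^ip address \S+"), "interface loses its IP address"),
    (re.compile(r"^router bgp \d+"), "BGP process removed"),
    (re.compile(r"^username \S+"), "local user removed"),
]

def risky_changes(diff_text):
    """Return (section, removed line, reason) for each risky removal."""
    findings, section = [], None
    for line in diff_text.splitlines():
        if line.startswith(("---", "+++", "@@")) or not line.strip():
            continue  # file headers, hunk headers and blank lines
        marker = line[0] if line[0] in "+-" else " "
        body = line[1:] if line[0] in "+- " else line
        if not body.startswith(" "):  # a column-0 command opens a new section
            section = body.strip()
        if marker != "-":
            continue
        for pattern, reason in RISKY_REMOVALS:
            if pattern.match(body.strip()):
                findings.append((section, body.strip(), reason))
    return findings

def commit_command(diff_text, timer="00:05:00"):
    """Suggest a plain commit, or a timed one when the diff looks risky."""
    return f"commit timer {timer}" if risky_changes(diff_text) else "commit"

if __name__ == "__main__":
    for section, removed, reason in risky_changes(SAMPLE_DIFF):
        print(f"{section}: '{removed}' ({reason})")
    print("suggested:", commit_command(SAMPLE_DIFF))
```
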


Conclusion

Arista EOS is jam-packed with lots of features and quality-of-life improvements that ease the burden of daily administration. There is so much depth to these boxes that I couldn’t possibly cover them all, but these are among my favorites and are very handy for the important things.


Further Reading