Arista vEOS User manual

vEOS Router Configuration Guide
Arista Networks
www.arista.com
Arista vEOS version 4.20.6F
22 June 2018

© Copyright 2018 Arista Networks, Inc. The information contained herein is subject to change without notice. Arista Networks
and the Arista logo are trademarks of Arista Networks, Inc., in the United States and other countries. Other product or service
names may be trademarks or service marks of others.
Headquarters
5453 Great America Parkway
Santa Clara, CA 95054
USA
(408) 547-5500
www.arista.com
Support
(408) 547-5502
(866) 476-0000
Sales
(408) 547-5501
(866) 497-0000

Contents
Chapter 1: Overview...................................................................................5
Chapter 2: vEOS Licensing........................................................................7
Chapter 3: Cloud High Availability .........................................................13
Cloud HA Topology.....................................................................................................................................13
Cloud HA Configuration .............................................................................................................................15
Configuring the Cloud Proxy....................................................................................................................16
Configuring the Cloud Provider................................................................................................................16
Configuring Cloud High Availability..........................................................................................................18
JSON-Based Cloud High Availability Configurations and Equivalent CLI Configurations...........................20
General Troubleshooting Tips.....................................................................................................................23
Caveats and Limitations..............................................................................................................................23
Cloud High Availability Commands.............................................................................................................24
Cloud High Availability CLIs.....................................................................................................................25
Chapter 4: Using vEOS Router on the AWS Platform ..........................39
vEOS Router Image Updates.....................................................................................................................39
Amazon Machine Image (AMI) Specifications............................................................................................39
Supported Instance Types..........................................................................................................................39
Methods for Launching vEOS Router Instances.........................................................................................40
Launching vEOS Router Instances Using AWS CloudFormation............................................................40
Launching vEOS Router Instances Using EC2 AWS Marketplace..........................................................44
Network Configuration Tasks for vEOS Router Instances........................................................................53
Using User-data for Configuration of Entities and vEOS Router Instances.............................................57
Chapter 5: Using the vEOS Router on Microsoft Azure.......................61
vEOS Router Image Updates.....................................................................................................................61
System Requirements................................................................................................................................61
Launching vEOS Router Azure Instance....................................................................................................61
Creating an Instance using the Portal Marketplace.................................................................................62
Creating an Instance under Azure CLI 2.0..............................................................................................66
Logging into Instance...............................................................................................................................67
vEOS Router Startup-Configuration using Instance Custom-Data.............................................................68
Sample Instance Custom-Data................................................................................................................69
Providing Startup-Configuration using Azure Custom-Data....................................................................69
Troubleshooting Instance............................................................................................................................69
Resources...................................................................................................................................................71
Chapter 6: Server Requirements............................................................73
VMware ESXi Hypervisor...........................................................................................................................74
KVM............................................................................................................................................................81
Chapter 7: IPsec Support.........................................................................95
Supported Tunnel Types..............................................................................................................................96
Requirements when Behind a NAT.............................................................................................................96
Using IPsec on vEOS Router Instances.....................................................................................................97
Topology..................................................................................................................................................97
Configuring IPsec Tunnels on vEOS Router Instances............................................................................97
Examples of Running-configurations for GRE-over-IPsec Tunnels........................................................100
Examples of Running-configurations for VTI IPsec Tunnels..................................................................101
Using IPsec on vEOS and Third Party Devices.....................................................................................103
iii

Topology................................................................................................................................................103
Interoperability Support..........................................................................................................................103
vEOS Router and Palo Alto Firewall VM...............................................................................................104
vEOS Router Show Commands............................................................................................................111
IPsec Show Commands.........................................................................................................................112
vEOS Routers and CSR...........................................................................................................................113
CSR Configuration.................................................................................................................................113
Sharing IPsec Connections...................................................................................................................114
IKEv1 Configuration...............................................................................................................................114
IKEv2 Configuration...............................................................................................................................115
vEOS Router (GRE-over-IPsec Tunnel).................................................................................................117
vEOS Router (VTI IPsec Tunnel)...........................................................................................................117
CSR Commands....................................................................................................................................118
CSR Router Show Commands..............................................................................................................118
vEOS Routers and AWS Specific Cloud Configuration............................................................................121
IPsec Between the vEOS Router and AWS Specific Cloud Configuration...........................................121
Running-configuration of the vEOS Router and AWS Specific Cloud ..................................................121
AWS Specific Cloud Configuration.......................................................................................................122
AWS Specific Cloud Configuration Modifications.................................................................................122
Chapter 8: ECMP.....................................................................................125
Adding ECMP...........................................................................................................................................125

Chapter 1
Overview
vEOS Router
Arista vEOS Router is a new platform release of EOS that is supported on Amazon Web Services (AWS), Microsoft
Azure and other public clouds. It is also supported on customer equipment running Linux and VMware hypervisors.
By bringing advanced network telemetry and secure IPsec VPN connectivity in a software-only package, vEOS Router
provides a consistent, secure and universal approach to hybrid cloud networking for any virtualized cloud deployment.
Use cases for vEOS Router include secure multi-cloud connectivity, interconnecting VPCs/VNets in the public cloud,
multi-site VPN aggregation and Network Function Virtualization.


Chapter 2
vEOS Licensing
Licensing for vEOS
There are two licenses, sold as software subscriptions, that must be applied to the vEOS Router software after
an instance is launched to activate all capabilities:
• vEOS Router license - Unlocks the instance from the default performance limit that applies to unlicensed instances (see below).
• IPsec license
SS-VEOSR-IPSEC-500M-1M
The vEOS Router SW Subscription License for a single vEOS instance for 1 month for up to 500 Mbps throughput.
This includes base routing features, IPsec encryption and SW support.
SS-VEOSR-IPSEC-1G-1M
The vEOS Router SW Subscription License for a single vEOS instance for 1 month for up to 1 Gbps throughput. This
includes base routing features, IPsec encryption and SW support.
SS-VEOSR-IPSEC-10G-1M
The vEOS Router SW Subscription License for a single vEOS instance for 1 month for up to 10 Gbps throughput. This
includes base routing features, IPsec encryption and SW support.
If a valid license has never been installed:
• The performance of the instance is limited to 10 Mbps.
• IPsec is not available without a license.
For purchased licenses, upon expiration or nearing expiration:
• Renew the license as you would renew a service agreement. Renewing does not impact the performance of the
vEOS Router or its IPsec tunnels.
• If the license is renewed before the current one expires (the license dates overlap), there is no service impact.
Support for Bring-Your-Own-License (BYOL)
Bring your own license (BYOL) is supported only on AWS. Without BYOL, the pay-as-you-go pricing on AWS includes
both the AWS instance cost and the Arista license fee.

Installing Licenses
Licenses are files that are imported via the CLI. Contact your local SE for assistance in obtaining a license. Save the
license file to /mnt/flash/ (or to a server reachable from the router) and use the license import command to
install it. For example purposes, the licenses below are non-functional.
veos#license import flash:vEOSLic-1.json
veos#license import flash:IPSecLic-1.json
Verifying Installed Licenses
Use the show license command to display details regarding the active licenses and device-specific information
needed for licensing. For example purposes, the licenses below are non-functional.
veos#show license
System Serial number: 2BC6A772072B04BED43DCCF8777F036F
System MAC address: 06:1b:8a:48:8d:0c
Domain name: Unknown
License feature: IPSec
License parameter: None
Count: 1
Start: 2017-09-18 13:56:45
Expiration: 2017-12-30 16:00:00
Active: yes
License feature: vEOS - Virtualized EOS
License parameter: None
Count: 1
Start: 2017-10-08 17:00:00
Expiration: 2017-12-30 16:00:00
Active: yes
Update License (Optional)
Use the license update command to trigger an update of licenses in storage.
veos#license update
Obtaining and Installing Soft Expiry
Users can obtain licenses from Arista that extend the time for which a feature can be used without limitation after
the license has expired. The license is considered expired, but the feature continues to work until the grace period
stated in the license (DaysAllowedPastExpiration) lapses.
For example, with a license such as the one below, the customer can continue to use vEOS without any limitation for
ten days beyond the expiry date.
{
  "LicenseFileVersion": "1.0",
  "CustomerName": "Arista Test Customer",
  "LicenseSerialNumber": "ARISTA-TEST-DAYSPAST1",
  "Signature": {
    "SigningCertPEM": "-----BEGIN CERTIFICATE-----7brkfssZDrRIatxKEkv6Oc\nh4kXO2mvvMJxQDf7VvGXEC3fSRURLwPz//6JMx942iOKsES8ZT9nT2q9MxJXfInn\n3EcKGmPWKQR4n2qHfmq6sfk2eFBUYIrZBm9RUbVbyLZLCOv2KxJ7FFZ9LV1jp5An\nAyHLJUMQqqw/kvUUvUq1bI/PtEOlNc9Ndt/3yeh+HByzIw8/f+gjKkUjQpVncuqS\nkFotBPNNj/LjbQD40R/tJ0z/8sPXCGJuo4mE9s/MwnWmkAHxpZyCccMBlNp3LkJk\nFHcsVb36Vclv5XWDe5AxU+0sQjEB4LGP7nYo8wjjvSZIpYXRiAmDRGuAGi/W/W3F\n6hEQ661JK4KPJvoQsMqYaO/TkZPIXEAdgEDkmj0=\n-----END CERTIFICATE-----\n",
    "Hash": "f076d2cac1eac2a8261915e0b2ce4cb547e9c98bda070d001140daf3c3bd3694",
    "Signature": "304502201ca6fab964d8a3aade43d306232fcf52b9503fc22f4552d58fb5a95e1b9e13e6022100dff97ad4f37389b55887f0ec06c9ef29d55a75e668e4da654deaf8037633a9bd"
  },
  "Features": {
    "vEOS": [
      {
        "Count": 1,
        "Value": "",
        "Valid": {
          "NotBefore": "2000-01-01T00:00:00Z",
          "NotAfter": "2001-01-01T00:00:00Z"
        },
        "BehaviorModifier": {
          "DaysAllowedPastExpiration": 10
        }
      }
    ]
  },
  "BindingInfo": {
    "SystemMAC": "",
    "DomainAddress": "",
    "SerialNumber": "TestSerial"
  }
}
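The following Python script is an added example written for this page; it is not Arista's code and not part of this guide. It evaluates a license file in the JSON format shown above against a device's serial number, MAC address and domain name at a given clock, reproducing the state labels that show license all prints ("yes", "expired", "in future") plus a "grace" state for a soft-expiry license whose DaysAllowedPastExpiration window has not yet lapsed. The embedded license, and the treatment of empty BindingInfo fields as wildcards, are constructed for the example. The script does not check the Signature block, which EOS verifies against its own trusted signing certificate, so it is a validity calculator rather than a license verifier.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the format shown in this guide; not a real or functional license.
SAMPLE_LICENSE = json.dumps({
    "LicenseFileVersion": "1.0",
    "CustomerName": "Example Customer",
    "LicenseSerialNumber": "EXAMPLE-0001",
    "Features": {
        "vEOS": [{
            "Count": 1, "Value": "",
            "Valid": {"NotBefore": "2018-01-01T00:00:00Z", "NotAfter": "2018-12-31T00:00:00Z"},
            "BehaviorModifier": {"DaysAllowedPastExpiration": 10},   # soft expiry
        }],
        "IPSec": [{
            "Count": 1, "Value": "",
            "Valid": {"NotBefore": "2019-01-01T00:00:00Z", "NotAfter": "2019-12-31T00:00:00Z"},
        }],
    },
    # Assumption: an empty binding field is a wildcard; a populated one must match the device.
    "BindingInfo": {"SystemMAC": "", "DomainAddress": "",
                    "SerialNumber": "2BC6A772072B04BED43DCCF8777F036F"},
})


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the Valid block."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def binding_matches(binding, serial, mac, domain):
    """True when every non-empty BindingInfo field equals the device's value (case-insensitive)."""
    device = {"SerialNumber": serial, "SystemMAC": mac, "DomainAddress": domain}
    for key, expected in binding.items():
        if expected and expected.lower() != (device.get(key) or "").lower():
            return False
    return True


def feature_state(entry, now):
    """State label in the style of 'show license all', plus 'grace' for soft expiry."""
    not_before = parse_ts(entry["Valid"]["NotBefore"])
    not_after = parse_ts(entry["Valid"]["NotAfter"])
    grace_days = entry.get("BehaviorModifier", {}).get("DaysAllowedPastExpiration", 0)
    if now < not_before:
        return "in future"
    if now <= not_after:
        return "yes"
    if now <= not_after + timedelta(days=grace_days):
        return "grace"          # expired, but usable for DaysAllowedPastExpiration more days
    return "expired"


def evaluate_license(text, serial, mac="", domain="", now=None):
    """Map each feature name to the states of its entries, after checking the device binding."""
    lic = json.loads(text)
    now = now or datetime.now(timezone.utc)
    if not binding_matches(lic.get("BindingInfo", {}), serial, mac, domain):
        raise ValueError("license is bound to a different device")
    return {name: [feature_state(e, now) for e in entries]
            for name, entries in lic["Features"].items()}


def unlocked_features(text, serial, mac="", domain="", now=None):
    """Features currently usable: at least one entry is active or within its grace period."""
    states = evaluate_license(text, serial, mac, domain, now)
    return sorted(name for name, st in states.items() if any(s in ("yes", "grace") for s in st))


if __name__ == "__main__":
    serial = "2BC6A772072B04BED43DCCF8777F036F"
    for day in ("2018-06-15", "2019-01-05", "2019-01-15"):
        now = parse_ts(day + "T12:00:00Z")
        print(day, evaluate_license(SAMPLE_LICENSE, serial, now=now),
              "unlocked:", unlocked_features(SAMPLE_LICENSE, serial, now=now))
```

Run directly, the script walks the clock through the three dates and shows the vEOS entry moving from active to grace to expired while the IPsec entry moves from "in future" to active; a serial number that does not match the binding is rejected before any feature is evaluated.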
Additional Licensing Show Commands
The following CLIs can be used to verify whether a license is valid, when it expires, which licenses are installed, and
other relevant information about a license. The show license commands do not list features that are unlocked by
external licenses or other means, and do not list the pay-as-you-go license provided by AWS.
Show License Files
Use the show license files command to display all information related to the active licenses installed. For
example purposes, the licenses below are non-functional.
veos#show license files
License name: 2017.11.02.08.23.23.053684_IPSecLic-1yr.json
Contents:
{
"BindingInfo": {
"DomainAddress": "",
"SerialNumber": "C3F3580316A92EE8D97DB70C967EAAA4",
"SystemMAC": "02:9c:a8:a5:51:5a"
},
"CustomerName": "Arista Test",
"Features": {
"IPSec": [
{"Count": 1,
"Valid": {
"NotAfter": "2018-12-31T00:00:00Z",
"NotBefore": "2017-11-02T15:21:22Z"

},
"Value": ""
}
]
},
(truncated)
}
License name: 2017.11.03.12.27.24.016515_vEOSLic-1234.json
Contents:
{
"BindingInfo": {
"DomainAddress": "",
"SerialNumber": "C3F3580316A92EE8D97DB70C967EAAA4",
"SystemMAC": ""
},
"CustomerName": "Arista Test",
"Features": {
"vEOS": [
{"Count": 1,
"Valid": {
"NotAfter": "2018-12-31T00:00:00Z",
"NotBefore": "2017-11-02T00:00:00Z"
},
"Value": ""
}
]
},
"LicenseFileVersion": "1.0",
(truncated)
END CERTIFICATE-----\n"
show license files compressed
Use the show license files compressed command to display license information. In this example, the
files are zipped then base64 encoded. For example purposes, the licenses below are non-functional.
veos#show license files compressed
License name: 2017.11.02.08.23.23.053684_IPSecLic-1yr.json
Contents:
(truncated)
show license expired
Theshow license expired command willdisplaythesameas the show licensecommand,butwithexpired
licenses only displayed.
veos#show license expired
System Serial number: 2BC6A772072B04BED43DCCF8777F036F
System MAC address: 06:1b:8a:48:8d:0c
Domain name: Unknown
License feature: IPSec
License parameter: None
Count: 1
Start: 2017-10-05 21:49:13
Expiration: 2017-10-09 17:00:00
Active: expired

License feature: vEOS - Virtualized EOS
License parameter: None
Count: 1
Start: 2017-10-05 21:47:34
Expiration: 2017-10-09 17:00:00
Active: expired
show license all
The show license all command displays every installed license: active licenses, expired licenses, and licenses
whose start date is still in the future (shown as Active: in future).
veos#show license all
System Serial number: 2BC6A772072B04BED43DCCF8777F036F
System MAC address: 06:1b:8a:48:8d:0c
Domain name: Unknown
License feature: IPSec
License parameter: None
Count: 1
Start: 2017-12-30 16:00:00
Expiration: 2018-12-30 16:00:00
Active: in future
License parameter: None
Count: 1
Start: 2017-09-18 13:56:45
Expiration: 2017-12-30 16:00:00
Active: yes
License parameter: None
Count: 1
Start: 2017-10-05 21:49:13
Expiration: 2017-10-09 17:00:00
Active: expired
License feature: vEOS - Virtualized EOS
License parameter: None
Count: 1
Start: 2017-10-08 17:00:00
Expiration: 2017-12-30 16:00:00
Active: yes
License parameter: None
Count: 1
Start: 2017-12-30 16:00:00
Expiration: 2018-12-30 16:00:00
Active: in future
License parameter: None
Count: 1
Start: 2017-10-05 21:47:34
Expiration: 2017-10-09 17:00:00
Active: expired


Chapter 3
Cloud High Availability
In the cloud, resources can be deployed across different regions, or across multiple locations within a region, for fault
tolerance. AWS Availability Zones and Azure Availability Sets (or Fault Domains; Azure currently supports different
resource groupings within a physical datacenter) are examples of cloud high availability offerings. When deploying
vEOS Routers to enhance your cloud's network capability, deploy them as a high availability pair using the vEOS
Cloud High Availability feature that fits your cloud's high availability design.
The Cloud High Availability (Cloud HA) feature makes the vEOS Router deployment more resilient to failure
scenarios in the cloud such as:
• A vEOS Router instance goes down due to an underlying cloud infrastructure issue.
• A vEOS Router instance is unable to forward traffic due to connectivity issues in the cloud infrastructure.
• A vEOS Router experiences an internal issue leading to unavailability.
A vEOS Router HA pair with Cloud HA is an active-active deployment that fits the different cloud high availability
designs within a region. Each vEOS Router in the HA pair provides enhanced routing capabilities as the gateway (or
next-hop router for certain destinations) for the subnets to which it connects. The two vEOS Router peers monitor
each other's liveness with Bidirectional Forwarding Detection (BFD) between the router interfaces. When a cloud
infrastructure issue or a vEOS Router failure is detected, the surviving vEOS Router takes over as the gateway or
next-hop for the subnets that were served by its peer, by making cloud-specific API calls that modify the
corresponding cloud route table(s) according to pre-configured information.
Cloud HA Topology
This diagram shows an example of a vEOS Router Cloud HA implementation.

Figure 1: Cloud high availability network topology with vEOS router instances
In the diagram above, a virtual network is a collection of resources in the same cloud region. Within this virtual
network, the resources, including the vEOS routers, are deployed into two cloud high availability zones (Availability
Zones for AWS and Fault Domains for Azure) for fault tolerance.
Note: For ease of discussion, availability zone 1 and 2 are used from here on to refer to the high availability
design of either cloud.
Within each availability zone, the hosts/VMs and the vEOS interfaces are connected to their corresponding subnets
when the network is operating normally. Each subnet is associated with a route table within the cloud infrastructure.
Static routes are configured in the cloud route tables so that traffic from the hosts/VMs is routed to the vEOS Router
in the corresponding availability zone as the gateway or next-hop for certain destinations. For example, configure
a default route (0.0.0.0/0) in the cloud route table with the vEOS Router's cloud interface ID or IP address as the
next-hop (which of the two is used varies by cloud). The routing policy or protocol on the vEOS Routers, such as BGP,
is configurable according to your network design.

The two vEOS Routers in the diagram above are configured with the Cloud HA feature as HA peers. Cloud HA on
the vEOS routers establishes a BFD peering session between the two devices through Ethernet or tunnel
interfaces.
When the active vEOS router detects loss of BFD connectivity, it updates the existing routes in the backup route
table in the cloud, through the cloud-specific API, to use itself as the next-hop. For example, if vEOS 2 detects
BFD connectivity loss with its peer, vEOS 2 updates the routes in Route Table 1 so that traffic from hosts in
Subnet 1 and Subnet 2 that was forwarded to vEOS 1 is now forwarded to the next-hop interface ID or IP address
owned by vEOS 2. Traffic from the hosts in availability zone 1 is first forwarded to the corresponding subnet
gateways in the cloud. The subnet gateways then forward the traffic toward the new next-hop interface ID or IP
address on vEOS 2. When vEOS 2 receives the traffic, it forwards it according to its routing table.
What about traffic going toward the hosts in availability zone 1 while connectivity to vEOS 1 is down? In that
case the hosts behind Subnet 1 and Subnet 2 become unreachable from the rest of the network, because their
routes are withdrawn by routing protocols such as BGP. Since Subnet 1 and Subnet 2 are not directly connected
to vEOS 2, a "backup" routing strategy for the two subnets on vEOS 2 must be considered as part of your network
design. A typical design is to configure static routes for the subnets connected to the peer vEOS router and point
them toward the cloud subnet gateways of the active vEOS router, with a high administrative distance so that they
are least preferred. For example, a static route for the peer subnet 10.1.1.0/24 is configured on the active vEOS
router as ip route 10.1.1.0/24 10.2.1.1 255, where 10.2.1.1 is the gateway/next-hop for one of the Ethernet
interfaces and 255 is the administrative distance. The static routes are redistributed or advertised once the original
routes with a better administrative distance are withdrawn or removed by the dynamic routing protocol.
When the BFD peering session returns to the UP state upon recovery, each vEOS router restores its locally
controlled route table entries (per the user configuration) to point to itself as the primary gateway again.
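To make the failover and recovery sequence above concrete, here is an added Python model of two Cloud HA peers and the cloud route tables they control. It is written for this page and is not Arista's code or part of this guide. The route table and interface IDs for vEOS 1 are those used in the AWS configuration example later in this chapter (rtb-2843124c, rtb-40b72d24, eni-867caa86); vEOS 2's interface eni-0peer0000, the in-memory route-table store standing in for the cloud API, and the timing are constructed for the example. The model shows that only the backup-gateway routes are rewritten when the peer is lost, that nothing is rewritten on BFD recovery until the recovery wait-time has elapsed, and which route tables each router's cloud credentials therefore need to be allowed to modify.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class GatewayEntry:
    """One primary-gateway or backup-gateway line: the route (table + destination) this
    router controls and the local interface that becomes that route's next-hop."""
    route_table: str
    destination: str
    local_interface: str


@dataclass
class CloudRouteTables:
    """Stand-in for the cloud route-table API (constructed; no real cloud calls are made)."""
    routes: dict                         # (route_table, destination) -> next-hop interface
    api_calls: list = field(default_factory=list)

    def replace_route(self, route_table, destination, interface):
        key = (route_table, destination)
        if key not in self.routes:       # like EC2 ReplaceRoute: the route must already exist
            raise KeyError(f"no route {destination} in {route_table}")
        if self.routes[key] == interface:
            return                       # already points here; no API call needed
        self.routes[key] = interface
        self.api_calls.append(("ReplaceRoute", route_table, destination, interface))


class CloudHaPeer:
    """Failover and recovery behaviour of one vEOS router, as described in this chapter."""

    def __init__(self, name, primary, backup, recovery_wait, cloud):
        self.name, self.primary, self.backup = name, primary, backup
        self.recovery_wait, self.cloud = recovery_wait, cloud
        self.bfd_up = True
        self.reclaim_at = None           # time at which own primary tables are taken back

    def on_bfd_down(self, now):
        """Peer lost: rewrite the peer's routes (backup-gateway entries) to point at this router."""
        self.bfd_up = False
        self.reclaim_at = None
        for e in self.backup:
            self.cloud.replace_route(e.route_table, e.destination, e.local_interface)

    def on_bfd_up(self, now):
        """Peer back: start the recovery wait-time rather than reclaiming routes immediately."""
        self.bfd_up = True
        self.reclaim_at = now + self.recovery_wait

    def tick(self, now):
        """Periodic check: once the wait-time has elapsed, restore own primary-gateway routes."""
        if self.bfd_up and self.reclaim_at is not None and now >= self.reclaim_at:
            self.reclaim_at = None
            for e in self.primary:
                self.cloud.replace_route(e.route_table, e.destination, e.local_interface)

    def route_tables_touched(self):
        """Every route table this router's cloud credentials must be allowed to modify."""
        return sorted({e.route_table for e in self.primary + self.backup})


def run_failover_scenario():
    """vEOS 2 fails at t=0 and is back at t=30; both peers use a 90 s recovery wait-time."""
    eni1, eni2 = "eni-867caa86", "eni-0peer0000"        # eni2 is constructed
    rtb_az1, rtb_az2 = "rtb-2843124c", "rtb-40b72d24"   # table IDs from the guide's example
    cloud = CloudRouteTables({(rtb_az1, "0.0.0.0/0"): eni1, (rtb_az2, "0.0.0.0/0"): eni2})
    veos1 = CloudHaPeer("veos1", [GatewayEntry(rtb_az1, "0.0.0.0/0", eni1)],
                        [GatewayEntry(rtb_az2, "0.0.0.0/0", eni1)], 90, cloud)
    veos2 = CloudHaPeer("veos2", [GatewayEntry(rtb_az2, "0.0.0.0/0", eni2)],
                        [GatewayEntry(rtb_az1, "0.0.0.0/0", eni2)], 90, cloud)
    snapshots = {}
    veos1.on_bfd_down(0)                         # vEOS 1 takes over AZ2's default route
    snapshots["after_failover"] = dict(cloud.routes)
    for router in (veos1, veos2):                # BFD session restored on both sides at t=30
        router.on_bfd_up(30)
    for router in (veos1, veos2):                # wait-time not elapsed: tables untouched
        router.tick(100)
    snapshots["during_wait"] = dict(cloud.routes)
    for router in (veos1, veos2):                # t=120: vEOS 2 reclaims its own primary table
        router.tick(120)
    snapshots["after_recovery"] = dict(cloud.routes)
    snapshots["api_calls"] = list(cloud.api_calls)
    snapshots["veos1_tables"] = veos1.route_tables_touched()
    return snapshots


if __name__ == "__main__":
    for name, value in run_failover_scenario().items():
        print(name, value)
```

Two ReplaceRoute calls are made in total: one by vEOS 1 at failover and one by vEOS 2 when it reclaims its table after the wait-time. vEOS 1's own primary route already points at itself, so its reclaim is a no-op, and route_tables_touched() lists exactly the tables an IAM policy for that router would need to cover.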
Cloud HA Configuration
This example configuration is based on the Cloud HA implementation diagram. The point of reference of the
configuration is the vEOS Router instance vEOS 1 in the Gateway Virtual Network.
Note: Starting from Release 4.20.6, the Cloud HA configuration is only available through the CLI. The
JSON file from the previous vEOS version is deprecated.You must convert the JSON configuration to
CLI configuration after upgrading from any previous vEOS version. For information regarding the
conversion of the JSON configuration to CLI configuration, go to: JSON-Based Cloud High Availability
Configurations and Equivalent CLI Configurations on page 20.
Cloud HA Modes
The Cloud HA related configurations are divided into three separate configuration modes:
• Cloud Proxy - For proxy related configuration such as http and https.
• Cloud Provider - For cloud provider specific configuration such as region, credentials, and proxy name.
• Cloud High-Availability - For configurations such as route, next-hop, BFD source interface, and peer.
The example includes specific configurations for various aspects of the Cloud HA implementation that are
configured prior to implementation. The specific configurations are:
• Configuring the Cloud Proxy on page 16
• Configuring the Cloud Provider on page 16
• Configuring Cloud High Availability on page 18

Note: The last two configurations represent full Cloud HA implementation configurations, including one
full configuration for Cloud HA on the AWS Specific Cloud and one for Cloud HA on Azure.
• AWS Specific for High Availability on page 19
• Azure Specific for High Availability on page 19
Configuring the Cloud Proxy
Optional proxies can be configured if they are used in a deployment. The configuration is applicable to any cloud type.
All web traffic for the underlying REST APIs of the cloud provider SDK uses the configured proxy. Multiple proxies
can be configured, but only one can be referenced at any given time from the cloud provider configuration (the
proxy command).
veos(config)#
veos(config)#cloud proxy test
veos(config-cloud-proxy-test)#
The following example configures the cloud proxy IP address, port, username and password for HTTP. The 7 before
the password indicates that the value is entered in the encrypted form in which it is stored in the configuration (0
enters a cleartext password). The proxy credentials are part of the running and startup configuration and should be
protected accordingly.
veos(config)#
veos(config)#cloud proxy test
veos(config-cloud-proxy-test)#http 1.2.3.4 1234 username test password 7 075E731F1A
veos(config-cloud-proxy-test)#
Configuring the Cloud Provider
The following describes configurations required for Cloud HA on different types of clouds.
Cloud Configuration
To have access to the cloud services, the vEOS Router must be provided with credentials. Additionally, a proxy
may be configured for the connection to the cloud services to go through.
AWS Specific Cloud
Complete the following tasks to configure AWS Specific Cloud services.
• Configure credentials.
• Access to the AWS Specific Cloud API server:
  • If the vEOS Router is associated with a public IP address, no special configuration is required.
  • If the vEOS Router is not associated with a public IP address, use either AWS PrivateLink or the proxy configuration.
Configure Credentials
In the AWS Specific Cloud configuration, a region must be specified. It is recommended to authorize the vEOS
Router by assigning it an IAM role, but explicit credentials can also be specified.
• IAM Role Configuration - No credentials in the vEOS configuration. See Cloud Provider Helpful Tips on page 18
for additional information.
• Explicit Credential Configuration
AWS Specific Cloud IAM Role Configuration
The IAM role should be configured in AWS as shown below. This is the recommended configuration.
• "Trust Relationships" has "ec2.amazonaws.com" as the trusted entity.
• "Policy" with "Permissions" for the network related EC2 actions.
{
"Version": "2012-10-17",
"Statement": [
{"Effect": "Allow",
"Action": [
"ec2:AssociateRouteTable",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DescribeRouteTables",
"ec2:DescribeVpcs",
"ec2:ReplaceRoute",
"ec2:DisassociateRouteTable",
"ec2:ReplaceRouteTableAssociation",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeInstances",
"ec2:DescribeSubnets"
],
"Resource": "*"
}
]
}
This is applicable only when running in the AWS cloud environment, and configures the aspects of the Cloud HA
feature that interact with AWS web services.
Note: The access-key and secret access-key commands are either both configured or both omitted. If
omitted, the Cloud HA agent uses the AWS IAM role to obtain security tokens to access and control the AWS route
tables. Verify that the IAM role for the vEOS Router virtual machine (VM) is configured properly on the AWS
cloud. Refer to the AWS documentation to configure an IAM role.
Note also that the policy above grants the route-modifying actions on "Resource": "*", that is, on every route table
in the account. Whoever controls the vEOS Router, or its credentials, can redirect traffic in the VPC through these
calls, so restrict the role to the route tables that the backup-gateway and primary-gateway entries actually reference
where the action supports resource-level permissions, and prefer the IAM role over explicit access keys, which are
stored in the router configuration.
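As an added check, the following Python script audits an IAM policy document against the action list above and builds a narrower variant. It is written for this page and is not Arista's code. The Cloud HA agent's credentials can rewrite routes in every route table the policy allows, so audit_policy reports which required actions are missing, which are granted with wildcards, and which route-modifying actions are granted on every resource; scope_policy then limits ec2:CreateRoute, ec2:DeleteRoute and ec2:ReplaceRoute to the route tables named in the backup-gateway and primary-gateway configuration. That these three actions accept route-table ARNs as the resource, and the ARN form arn:aws:ec2:<region>:<account>:route-table/<id>, are assumptions taken from the IAM service authorization reference and should be confirmed there before deployment; the account ID in the usage example is made up.

```python
import json
from fnmatch import fnmatchcase

# The IAM policy document shown above in this guide, copied verbatim.
GUIDE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": [
       "ec2:AssociateRouteTable", "ec2:CreateRoute", "ec2:CreateRouteTable",
       "ec2:DeleteRoute", "ec2:DeleteRouteTable", "ec2:DescribeRouteTables",
       "ec2:DescribeVpcs", "ec2:ReplaceRoute", "ec2:DisassociateRouteTable",
       "ec2:ReplaceRouteTableAssociation", "ec2:DescribeNetworkInterfaces",
       "ec2:DescribeInstances", "ec2:DescribeSubnets"],
     "Resource": "*"}
  ]
}
""")

# Actions the guide lists as required by the Cloud HA agent.
REQUIRED_ACTIONS = frozenset(GUIDE_POLICY["Statement"][0]["Action"])
# The subset that changes routing; the Describe* calls are read-only.
MUTATING_ACTIONS = frozenset(a for a in REQUIRED_ACTIONS if not a.startswith("ec2:Describe"))
# Route-entry actions scoped to route-table ARNs below (assumption: confirm in the IAM
# service authorization reference that these accept a route-table resource).
ROUTE_ENTRY_ACTIONS = frozenset({"ec2:CreateRoute", "ec2:DeleteRoute", "ec2:ReplaceRoute"})


def _as_list(value):
    """IAM allows either a string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])


def _matches(action, pattern):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def _allow_statements(policy):
    # Deny statements are ignored: this audits what is granted, it is not a full evaluator.
    return [s for s in policy["Statement"] if s.get("Effect") == "Allow"]


def audit_policy(policy):
    """Report required actions not granted, wildcard grants, and mutating actions granted on '*'."""
    granted = set()
    for st in _allow_statements(policy):
        granted.update(_as_list(st.get("Action")))
    on_any_resource = set()
    for st in _allow_statements(policy):
        if "*" in _as_list(st.get("Resource")):
            patterns = _as_list(st.get("Action"))
            on_any_resource.update(a for a in MUTATING_ACTIONS
                                   if any(_matches(a, p) for p in patterns))
    return {
        "missing": sorted(a for a in REQUIRED_ACTIONS
                          if not any(_matches(a, p) for p in granted)),
        "wildcard_actions": sorted(a for a in granted if "*" in a or "?" in a),
        "mutating_on_any_resource": sorted(on_any_resource),
    }


def scope_policy(policy, region, account_id, route_table_ids):
    """Copy of the policy with the route-entry actions limited to the given route tables."""
    arns = [f"arn:aws:ec2:{region}:{account_id}:route-table/{rtb}" for rtb in route_table_ids]
    statements = []
    for st in _allow_statements(policy):
        actions = set(_as_list(st.get("Action")))
        broad = actions - ROUTE_ENTRY_ACTIONS      # kept on the original resource
        narrow = actions & ROUTE_ENTRY_ACTIONS     # moved to the route-table ARNs
        if broad:
            statements.append({"Effect": "Allow", "Action": sorted(broad),
                               "Resource": st.get("Resource", "*")})
        if narrow:
            statements.append({"Effect": "Allow", "Action": sorted(narrow), "Resource": arns})
    return {"Version": policy.get("Version", "2012-10-17"), "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(audit_policy(GUIDE_POLICY), indent=2))
    # Route tables from the Cloud HA example in this chapter; the account ID is made up.
    scoped = scope_policy(GUIDE_POLICY, "us-west-1", "123456789012",
                          ["rtb-40b72d24", "rtb-2843124c"])
    print(json.dumps(scoped, indent=2))
    print(json.dumps(audit_policy(scoped), indent=2))
```

The audit of the guide's policy reports no missing actions and no wildcards, but all eight route-modifying actions on every resource. After scoping, the three route-entry actions are confined to the listed tables while AssociateRouteTable, CreateRouteTable and the other table-level actions remain on "*", because they also involve subnet and VPC resources; tighten those separately once the agent's actual call pattern has been confirmed.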
veos(config)#
veos(config)#cloud provider aws
veos(config-cloud-aws)#access-key 0 ATPAILIL5E982IPT7P3R
veos(config-cloud-aws)#secret access-key 0 M0RRUtAA8I8wYxJB8
veos(config-cloud-aws)#region us-west-1
veos(config-cloud-aws)#proxy test
Configure the backup-gateway, primary-gateway, Route Table ID (rtb) and local interface for AWS.
The Route Table ID identifies the AWS route table that a backup-gateway or primary-gateway entry controls, the
destination prefix selects the individual route within that route table, and local-cloud-interface gives the interface
ID, as seen by AWS (here eni-867caa86), on this vEOS Router to which the traffic is to be directed.
veos(config)#cloud high-availability
veos(config-cloud-ha)#peer veos2
veos(config-cloud-ha-peer-veos2)#aws
veos(config-cloud-ha-peer-veos2-aws)#backup-gateway rtb-40b72d24
0.0.0.0/0 local-cloud-interface eni-867caa86
veos(config-cloud-ha-peer-veos2-aws)#primary-gateway rtb-2843124c
0.0.0.0/0 local-cloud-interface eni-867caa86
Explicit Credential Configuration
The explicit credential should be configured as shown below.
veos(config)#cloud provider aws
veos(config-cloud-aws)#region us-west-1
veos(config-cloud-aws)#access-key 0 MYEXAMPLESECRETKEY

veos(config-cloud-aws)#secret access-key 0 MYEXAMPLESECRETKEY
veos(config-cloud-aws)#exit
veos(config-cloud)#exit
Azure
There are two authorization models that can be used in Azure: SDK Auth Credentials and Active Directory
Credentials. SDK Auth Credentials are the recommended authorization model.
• SDK Auth Credentials
To use SDK Auth Credentials, reference the credential file with the sdk authentication credential-file
command in the config-cloud-azure configuration mode, as in the following example.
veos(config)#cloud provider azure
veos(config-cloud-azure)#sdk authentication credential-file flash:startup-config
• Active Directory Credentials
The following example places the vEOS Router into the config-cloud-azure configuration mode and sets the
Active Directory credentials.
veos(config)#cloud provider azure
veos(config-cloud-azure)#active-directory credential email subscription-id ef16892c-aa46-4aba-ae9a-d4fhsb1c612c
Cloud Provider Helpful Tips
The following are needed for Cloud High Availability but are not part of the vEOS configuration on the vEOS
Router. These may change, or the same effect may be achieved another way, without changing the vEOS Router
configuration.
AWS PrivateLink
AWS PrivateLink allows a private vEOS instance (one with no public IP address) to access services offered by
AWS without using a proxy.
Interface VPC endpoints enable a private vEOS instance to reach the EC2 API over AWS PrivateLink.
To configure interface VPC endpoints:
1. Open the Amazon VPC console and choose Endpoints in the navigation pane.
2. Select Create Endpoint.
3. Choose AWS services and select the service name com.amazonaws.<your-region>.ec2.
4. Choose the VPC and the subnets in each availability zone for the interface VPC endpoints.
5. Enable the private DNS name and set the security group accordingly (inbound HTTPS, TCP 443, from the vEOS
Router must be allowed).
6. Select Create Endpoint.
Once the endpoint is created and private DNS is enabled, the regional EC2 API hostname resolves to the endpoint's
private IP address inside the VPC, so the Cloud HA agent's API calls stay on the private network.
Additional interface VPC endpoints information can be found at:
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpce-interface.html
Configuring Cloud High Availability
To enable the Cloud HA and its parameters, use the following configurations.
Enable Cloud High Availability

The cloud high-availability command places the vEOS in the cloud-ha configuration mode. This example
enables cloud high-availability and configures the peer veos2.
veos(config)#cloud high-availability
veos(config-cloud-ha)#no shutdown
veos(config-cloud-ha)#peer veos2
veos(config-cloud-ha-peer-veos2)#
Configuring BFD
To configure the BFD session between the HA pair of vEOS Routers that is used to detect peer failure, the peer IP
address (peer address) and the local BFD source interface must be provided. The following example configures
Tunnel 2 as the BFD source interface, in single-hop mode.
veos(config)#cloud high-availability
veos(config-cloud-ha)#peer veos2
veos(config-cloud-ha-peer-veos2)#bfd source-interface tunnel 2 single-hop
Configuring the Recovery Time
The recovery wait-time command in the cloud-ha peer configuration sub-mode configures how long the router
waits, after the BFD session to its peer recovers, before taking back control of its local route tables. The following
example configures the wait time to 90 seconds.
veos(config-cloud-ha-peer-veos2)#recovery wait-time 90
Full Configurations
AWS Full Configuration
The following AWS configuration is valid for use with the IAM role.
cloud provider aws
region us-west-1
!
cloud high-availability
no shutdown
!
peer veos2
aws
backup-gateway rtb-40b72d24 0.0.0.0/0 local-cloud-interface eni-26cb1d27
backup-gateway rtb-17b32973 0.0.0.0/0 local-cloud-interface eni-1589e714
backup-gateway rtb-54503330 0.0.0.0/0 local-cloud-interface eni-56cf1957
primary-gateway rtb-a4be24c0 0.0.0.0/0 local-cloud-interface eni-26cb1d27
primary-gateway rtb-40b72d24 0.0.0.0/0 local-cloud-interface eni-56cf1957
primary-gateway rtb-63b02a07 0.0.0.0/0 local-cloud-interface eni-1589e714
peer address 10.2.201.149
recovery wait-time 5
bfd source-interface Ethernet1
!
Azure Full Configuration

The following Azure configuration is valid when the router authenticates with a Managed Service Identity (MSI).
cloud high-availability
no shutdown
!
peer veos2
azure
backup-gateway Subnet-2-vEOS-RouteTable 0.0.0.0/0 10.1.2.4 resource-group
CloudHaAzure
backup-gateway Subnet-2-vEOS-RouteTable 10.1.0.0/16 10.1.2.4 resource-group
CloudHaAzure
backup-gateway Subnet-3-vEOS-RouteTable 10.1.0.0/16 10.1.3.4 resource-group
CloudHaAzure
backup-gateway Subnet-3-vEOS-RouteTable 0.0.0.0/0 10.1.3.4 resource-group
CloudHaAzure
primary-gateway Subnet-1-vEOS-RouteTable 10.1.0.0/16 10.1.1.4
resource-group CloudHaAzure
primary-gateway Subnet-1-vEOS-RouteTable 0.0.0.0/0 10.1.1.4 resource-group
CloudHaAzure
peer address 10.1.0.5
recovery wait-time 10
bfd source-interface Ethernet1
JSON-Based Cloud High Availability Configurations and Equivalent CLI
Configurations
Note: Starting from 4.20.6, the Cloud HA configuration is only available through the CLI. The JSON
file from the previous vEOS version is deprecated.You must convert the JSON configuration to CLI
configuration after upgrading from any previous vEOS version.
Mapping JSON Config to the New CLI
Use the following to map the previous JSON file to the new CLI.
Mapping JSON Config to Cloud High-Availability
The following JSON Configurations are now available in Cloud High-Availability configuration mode.
• generalConfig
• bfdConfig
• awsConfig
• azureConfig
• awsLocal/PeerRoutingConfig
• azureLocal/PeerRoutingConfig
AWS JSON Configuration Example
"generalConfig" : {
"enable_optional" : "true",
"hysteresis_time_optional" : "10",
"source_ip_optional" : "10.10.1.1"
},
"bfdConfig" : {
"peerVeosIp" : "10.10.1.2",
"bfdSourceInterface" : "Tunnel1"
},