Home

Arista Campus Workshop¶

Welcome to our Arista hands-on campus workshop! 🚀

Welcome to an immersive exploration of Arista's comprehensive campus networking solutions. This intensive workshop provides hands-on experience with enterprise-grade hardware and software platforms deployed in production environments worldwide.

Our carefully structured lab exercises mirror real-world implementation scenarios, enabling you to develop practical expertise across the complete campus network lifecycle. From initial device provisioning and configuration management to advanced network operations and client connectivity troubleshooting, each module builds upon foundational concepts while introducing industry best practices.

Through direct interaction with Arista's CloudVision platform, EOS operating system, and integrated campus solutions, you'll gain the technical proficiency and operational confidence essential for successful enterprise network deployments.

Hands-On Experience

ARISTA

Campus Workshop

Master Modern Campus Networking Solutions
Real Hardware • Real Scenarios • Real Results

🔌

Wired Solutions

EOS, ZTP, CloudVision Studios

📡

Wireless Edge

CV-CUE, WiFi 6E/7, AGNI

🛡️

Security

EAP-TLS, UPSK, Zero Trust

📊

Observability

Monitoring, Analytics, AI Insights

Lab Access

Your instructor will guide you with more details, but feel free to jump right in and understand what you have in front of you!

Let's get started!

Wired Guides¶

A01-Lab: Explore EOS

Get familiar with Arista's Extensible Operating System using the CLI

Hop into A-01

A02-ATD-Lab: Day 1 Operations - Virtual Lab

Experience campus fabric provisioning using Arista Test Drive (ATD) virtual lab environment with CloudVision Studios.

Hop into A-02-ATD
A03-Lab: Day 2 Operations

Continue with day 2 operations, using CloudVision to manage campus port profiles, access port configuration, and streamlined task execution.

Hop into A-03
A04-Lab: Operations and Monitoring

The campus is deployed, explore the CloudVision observability, altering, troubleshooting, and more!

Hop into A-04

Wireless Guides¶

B01-Lab: Wireless Setup

Deploy and explore the features of CloudVision Cognitive Unified Edge (CV-CUE)

Hop into B-01
B02-Lab: Troubleshooting WiFi

Explore the wireless client troubleshooting tools like packet capture and client testing

Hop into B-02
B03-Lab: Guest WiFi with AGNI

Configure a guest WiFi SSID with a captive guest portal and tunnel wireless traffic

Hop into B-03
B04-Lab: Smart System Upgrade

Using Arista EOS Smart System Upgrade (SSU) we can avoid downtime when upgrading our wired network!

Hop into B-04

Security Guides¶

C01-Lab: EAP-TLS Wireless Policy

Use Arista AGNI to enforce wireless access via dot1x EAP-TLS policy on a given SSID

Hop into C-01
C02-Lab: UPSK Wireless Policy

Configure unique pre-shared keys for an SSID and get familiar with device groupings

Hop into C-02
C03-Lab: EAP-TLS Wired Policy

Using Arista AGNI to enforce wired access via dot1x EAP-TLS policy

Hop into C-03

Tools For The Job¶

D01-Lab: Iris Design, Configuration and Pricing

Use Intangi Iris to design, configurre and price Arista campus products and solutions

Hop into D-01

Lab Access¶

Welcome to the Arista Campus Workshop! This page provides you with the necessary information to access your lab environment.

Lab Environment¶

Each participant will be assigned a dedicated lab environment with the following components:

Student Pod: Your assigned pod number
Lab Assignment: Your student designation (student1, student2, etc.)

Important Notes¶

Please use only your assigned lab environment
Do not interfere with other participants' lab setups
If you encounter any issues, please notify your instructor immediately

Lab Credentials¶

Your instructor will provide you with the necessary credentials to access:

CloudVision-as-a-Service (CVaaS): For switch management and configuration
CV-CUE (CloudVision WiFi): For wireless management and monitoring
AGNI Portal: For wireless policy management
Lab Switches: Direct CLI access when needed

Topology¶

Lab Assignment¶

Email	Lab Assignment	Student Pod #
dane.newman@ahead.com	student1	pod01
charles.hall@ahead.com	student2	pod02
apsmith@cspire.com	student3	pod03
cjones@udtonline.com	student4	pod04
jfowler@udtonline.com	student5	pod05
sgrainger@adapture.com	student6	pod06
bryan.deverell@cumberland.com	student7	pod07
erick.sanchez@cumberland.com	student8	pod08
wallace.pederson@computacenter.com	student9	pod09
dan.crews@computacenter.com	student10	pod10
jpucciariello@bulloch.solutions	student11	pod11
jbryant@bulloch.solutions	student12	pod12
stephen.norton@nwn.ai	student13	pod13
cgordon@dgrsystems.com	student14	pod14
-	student15	pod15
-	student16	pod16
-	student17	pod17
-	student18	pod18
-	student19	pod19
mbalagot+cws@arista.com	student20	pod20

Wired Lab Guides

A-01 | Explore EOS¶

Overview¶

In this lab, you'll learn how to log into an Arista switch and explore configuration. All Arista switches, whether they’re used in data center, campus, WAN, or other environments, run on Arista's Extensible Operating System (EOS). We’ll also cover MLAG, how to configure it, and how to troubleshoot issues!

Let’s take a closer look at the EOS interface—while it might feel familiar, it’s also distinctly unique!

Completely Different, Totally Familiar¶

Let's log into the workshop spine switches.

I have a console cable or WiFi

If you have a console cable, feel free to console into your switch. The switch is in ZTP, you can explore the same commands! You may also use the WiFi to connect to the spine switches. The spine switch is running configuration your switch will not contain, but login using admin, hit Enter and type in enable to start exploring

Login to the spine using the address below and the username student#, password Arista123.
```
# Student 1
ssh student1@10.1.100.2

# Student 2
ssh student2@10.1.100.3
```

First thing, let's validate you are on the spine switch and explore the hardware.

show version

Example Output

Arista CCS-722XPM-48ZY8-F #(1)!
Hardware version: 11.01
Serial number: HBG23270736 #(2)!
Hardware MAC address: ac3d.9450.afc6
System MAC address: ac3d.9450.afc6

Software image version: 4.31.5M #(3)!
Architecture: i686 #(4)!
Internal build version: 4.31.5M-38783123.4315M
Internal build ID: a514fb70-598b-4084-975c-4f5978421b10
Image format version: 3.0
Image optimization: Strata-4GB

Uptime: 4 hours and 58 minutes #(5)!
Total memory: 3952960 kB
Free memory: 2054376 kB

The full switch model
The serial number of the switch
Current EOS image running
This EOS software is a 32-bit version, Arista EOS is also provided in a 64-bit version
The current uptime

Let's explore the hardware in a bit more detail. Text output is great, but imagine you have been asked to pull all device information programmatically. Tools like TextFSM are common to parse unstructured data, wouldn't it be great if this data was structured? Try validating this command will also render as json.

show inventory
show inventory | json

Example Output

System information
    Model                    Description
    ------------------------ ----------------------------------------------------
    CCS-722XPM-48ZY8         48 2.5GBase-T PoE & 8-port SFP28 MacSec Switch #(1)!

    HW Version  Serial Number  Mfg Date   Epoch
    ----------- -------------- ---------- -----
    11.01       HBG23270736    2023-07-14 01.00 #(2)!

System has 2 power supply slots
    Slot Model            Serial Number
    ---- ---------------- ----------------
    1    PWR-1021-AC-RED  GGJT36P13J0 #(3)!
    2    Not Inserted

System has 3 fan modules
    Module  Number of Fans  Model            Serial Number
    ------- --------------- ---------------- ----------------
    1       1               FAN-7000-F       N/A
    2       1               FAN-7000-F       N/A
    3       1               FAN-7000-F       N/A

System has 65 ports
    Type               Count
    ------------------ ----
    Management         1
    Switched           52
    SwitchedBootstrap  4
    Fabric             8

System has 56 switched transceiver slots
    Port Manufacturer     Model            Serial Number    Rev
    ---- ---------------- ---------------- ---------------- ----
    1    Arista Networks  CCS-722XPM-48ZY8
    2    Arista Networks  CCS-722XPM-48ZY8
    ...
    49   Arista Networks  SFP-10G-SR       ACW1710002F0     20
    50   Not Present
    51   Arista Networks  SFP-10G-SR       XTH16080010E     0002 #(5)!
    52   Not Present
    53   Not Present
    54   Not Present
    55   Not Present
    56   Not Present

System has 1 storage device
    Mount      Type Model                Serial Number Rev Size (GB)
    ---------- ---- -------------------- ------------- --- ---------
    /mnt/flash eMMC Smart Modular 16GP1A 801f4198      1.0 8

More information about this switch platform capabilities
You can see when this switch was manufactured and hardware versioning
Power supply details, like model and serial number
If you have fan modules, similar detail to that of power supplies
Get optics manufacturer, serial number, and model

Let's explore the interfaces and what's connected. Take note

Your pod has one connection to the spine (we're not in a full mesh)
Workshop access point and raspberry pi (lab guides) are connected
MLAG interfaces
Your POD is configured as part of a Port-Channel

show interfaces status

Example Output

Port       Name       Status       Vlan      Duplex Speed  Type         Flags Encapsulation
Et1        POD01      connected    in Po101  a-full a-1G   2.5GBASE-T
Et2        POD01      notconnect   in Po101  auto   auto   2.5GBASE-T
Et3        POD02      connected    trunk     auto   auto   2.5GBASE-T
Et4        POD02      notconnect   trunk     auto   auto   2.5GBASE-T
Et5        POD03      connected    trunk     auto   auto   2.5GBASE-T
Et6        POD03      notconnect   trunk     auto   auto   2.5GBASE-T
Et7        POD04      connected    trunk     auto   auto   2.5GBASE-T
Et8        POD04      notconnect   trunk     auto   auto   2.5GBASE-T
Et9        POD05      connected    trunk     auto   auto   2.5GBASE-T
Et10       POD05      notconnect   trunk     auto   auto   2.5GBASE-T
Et11       POD06      connected    trunk     auto   auto   2.5GBASE-T
Et12       POD06      notconnect   trunk     auto   auto   2.5GBASE-T
Et13       POD07      connected    trunk     auto   auto   2.5GBASE-T
Et14       POD07      notconnect   trunk     auto   auto   2.5GBASE-T
Et15       POD08      connected    trunk     auto   auto   2.5GBASE-T
Et16       POD08      notconnect   trunk     auto   auto   2.5GBASE-T
Et17       POD09      connected    trunk     auto   auto   2.5GBASE-T
Et18       POD09      notconnect   trunk     auto   auto   2.5GBASE-T
Et19       POD10      connected    trunk     auto   auto   2.5GBASE-T
Et20       POD10      notconnect   trunk     auto   auto   2.5GBASE-T
Et21       POD11      connected    trunk     auto   auto   2.5GBASE-T
Et22       POD11      notconnect   trunk     auto   auto   2.5GBASE-T
Et23       POD12      connected    trunk     auto   auto   2.5GBASE-T
Et24       POD12      notconnect   trunk     auto   auto   2.5GBASE-T
Et25       POD13      connected    trunk     auto   auto   2.5GBASE-T
Et26       POD13      notconnect   trunk     auto   auto   2.5GBASE-T
...
Et33       ATD_WiFi   disabled     100       auto   auto   2.5GBASE-T
Et34       ATD_PI     disabled     100       auto   auto   2.5GBASE-T
...
Et47       MLAG       connected    in Po1000 auto   auto   5GBASE-T
Et48       MLAG       connected    in Po1000 auto   auto   5GBASE-T
...
Po101      POD01      connected    trunk     full   2G     N/A
Po102      POD02      connected    trunk     full   unconf N/A
Po103      POD03      connected    trunk     full   unconf N/A
Po104      POD04      connected    trunk     full   unconf N/A
Po105      POD05      connected    trunk     full   unconf N/A
Po106      POD06      connected    trunk     full   unconf N/A
Po107      POD07      connected    trunk     full   unconf N/A
Po108      POD08      connected    trunk     full   unconf N/A
Po109      POD09      connected    trunk     full   unconf N/A
Po110      POD10      connected    trunk     full   unconf N/A
Po111      POD11      connected    trunk     full   unconf N/A
Po112      POD12      connected    trunk     full   unconf N/A
Po113      POD13      connected    trunk     full   unconf N/A
Po1000     MLAG       connected    trunk     full   20G    N/A

Try some filtering of our output, there are some familiar filtering options like include, exclude, begin, etc, but as we go through this workshop we will explore further!

Read Only Mode

You have read only on the spines, which excludes access to EOS' underlying Linux subsystem. You will have full access to this in the workshop, where you can leverage tools like grep, awk, sed, etc to filter content further.

show interfaces status | ?
show interfaces status | inc POD01
show interfaces | inc MTU|Eth
show interfaces | sec Ethernet(25|26)

Example Output

LINE      Filter command by common Linux tools such as grep/awk/sed/wc
append    Append redirected output to URL
begin     Start output at the first matching line
exclude   Do not print lines matching the given pattern
include   Print lines matching the given pattern
json      Produce JSON output for this command
no-more   Disable pagination for this command
nz        Include only non-zero counters
redirect  Redirect output to URL
section   Include sections that match
tee       Copy output to URL

The spines in this workshop will act as our gateway for the various pods, let's validate our ip addressing and the virtual router addresses (gateways).

show ip interface brief
show ip virtual-router

Example Output

Example Output: interface brief

                                                                                Address
Interface         IP Address             Status       Protocol           MTU    Owner
----------------- ---------------------- ------------ -------------- ---------- -------
Ethernet49        192.168.254.1/31       up           up                9214
Management1       unassigned             down         down              1500
Vlan100           10.1.100.2/24          up           up                9214
Vlan101           10.1.1.2/24            up           up                9214
Vlan102           10.1.2.2/24            up           up                9214
Vlan103           10.1.3.2/24            up           up                9214
Vlan104           10.1.4.2/24            up           up                9214
Vlan105           10.1.5.2/24            up           up                9214
Vlan106           10.1.6.2/24            up           up                9214
Vlan107           10.1.7.2/24            up           up                9214
Vlan108           10.1.8.2/24            up           up                9214
Vlan109           10.1.9.2/24            up           up                9214
Vlan110           10.1.10.2/24           up           up                9214
Vlan111           10.1.11.2/24           up           up                9214
Vlan112           10.1.12.2/24           up           up                9214
Vlan113           10.1.13.2/24           up           up                9214
Vlan4094          192.168.255.1/30       up           up                9214

Example Output: virtual-router

IP virtual router is configured with MAC address: 00:1c:73:00:00:01
IP virtual router address subnet routes not enabled
IP router is not configured with Mlag peer MAC address
MAC address advertisement interval: 30 seconds

Protocol: U - Up, D - Down, T - Testing, UN - Unknown
        NP - Not Present, LLD - Lower Layer Down

Interface       Vrf           Virtual IP Address       Protocol       State
--------------- ------------- ------------------------ -------------- ------
Vl100           default       10.1.100.1               U              active
Vl101           default       10.1.1.1                 U              active
Vl102           default       10.1.2.1                 U              active
Vl103           default       10.1.3.1                 U              active
Vl104           default       10.1.4.1                 U              active
Vl105           default       10.1.5.1                 U              active
Vl106           default       10.1.6.1                 U              active
Vl107           default       10.1.7.1                 U              active
Vl108           default       10.1.8.1                 U              active
Vl109           default       10.1.9.1                 U              active
Vl110           default       10.1.10.1                U              active
Vl111           default       10.1.11.1                U              active
Vl112           default       10.1.12.1                U              active
Vl113           default       10.1.13.1                U              active

Ok, let's look at all the LLDP information, note the models and EOS version details and interesting command atdpods. Explore the aliases configured on this device.

show lldp neighbors detail
acwspods
show aliases

Example Output

Example Output: LLDP Detail

Last table change time   : 0:00:02 ago

Number of table inserts  : 51
Number of table deletes  : 35
Number of table drops    : 0
Number of table age-outs : 0

Port          Neighbor Device ID       Neighbor Port ID    TTL
---------- ------------------------ ---------------------- ---
Et1           sw-10.1.1.51             Ethernet15          120
Et3           sw-10.1.2.42             Ethernet15          120
Et5           sw-10.1.3.40             Ethernet15          120
Et7           sw-10.1.4.41             Ethernet15          120
Et9           sw-10.1.5.40             Ethernet15          120
Et11          sw-10.1.6.41             Ethernet15          120
Et13          sw-10.1.7.41             Ethernet15          120
Et15          sw-10.1.8.40             Ethernet15          120
Et17          sw-10.1.9.41             Ethernet15          120
Et19          sw-10.1.10.41            Ethernet15          120
Et21          sw-10.1.11.40            Ethernet15          120
Et23          sw-10.1.12.40            Ethernet15          120
Et25          sw-10.1.13.40            Ethernet15          120
Et33          Arista_18:66:BF          3086.2d18.66bf      120
Et47          SPINE02                  Ethernet47          120
Et48          SPINE02                  Ethernet48          120
Et49          CORE01                   Ethernet49          120

Example Output: atdpods

Interface Ethernet1 detected 1 LLDP neighbors:
   - System Description: "Arista Networks EOS version 4.31.6M running on an Arista Networks CCS-710P-12"
Interface Ethernet51 detected 1 LLDP neighbors:
   - System Description: "Arista Networks EOS version 4.31.6M running on an Arista Networks CCS-720XP-48ZC2"
Interface Ethernet52 detected 1 LLDP neighbors:
   - System Description: "Arista Networks EOS version 4.31.6M running on an Arista Networks CCS-720XP-48ZC2"

Example Output: aliases

acwspods        sh lldp neighbors detail | inc (detected 1|System Descr)
c               bash clear
sh-acg          trace monitor acg
sh-streaming    show agent TerminAttr logs | tail

Let's look at traffic on our interfaces, let's also leverage the watch command with the nz (non-zero) command to monitor rates.
```
show int counters rates
show int counters rates | nz
watch 1 diff show int counters rates | nz
```
Sometimes it's the little things that make a big difference! This was a brief introduction into the CLI. All features start in EOS, with respective show and configuration commands. We'll further explore the symbiotic relationship between EOS and CloudVision!
Wait! There's more!

If you're interested in exploring more fun EOS commands, we published the Arista EOS Tips for Network Operators. If you would like access, ask your Arista team for more information!

There are many more commands like:
- Configuration sessions
- CLI command finder
- Event handlers
- Event monitor
- Packet captures
- Scheduler
- Tech Support Bundles/Checkpoints
- So much more

MLAG & VARP¶

Arista's Multi-Chassis Link Aggregation (MLAG) is a technology that allows two physical switches to act as a single logical switch. By syncing the control plane without the need for proprietary cabling or protocols, it provides an active-active, non-blocking redundancy between multiple pairs of switches.

Let's explore the configuration and how to troubleshoot

From the switch run the show mlag command to validate the high level state

show mlag

Example Output

MLAG Configuration:
domain-id                          :                MLAG
local-interface                    :            Vlan4094
peer-address                       :       192.168.255.2
peer-link                          :      Port-Channel11
hb-peer-address                    :             0.0.0.0
peer-config                        :          consistent

MLAG Status:
state                              :              Active
negotiation status                 :           Connected
peer-link status                   :                  Up
local-int status                   :                  Up
system-id                          :   ae:3d:94:50:af:c6
dual-primary detection             :            Disabled
dual-primary interface errdisabled :               False

MLAG Ports:
Disabled                           :                   0
Configured                         :                   0
Inactive                           :                  13
Active-partial                     :                   0
Active-full                        :                   0

You can also dive deeper in using the show mlag detail

show mlag detail

Example Output

...
MLAG Detailed Status:
State                           :              primary
Peer State                      :            secondary
State changes                   :                    2
Last state change time          :          4:56:38 ago
Hardware ready                  :                 True
Failover                        :                False
Failover Cause(s)               :              Unknown
Last failover change time       :                never
Secondary from failover         :                False
Peer MAC address                :    ac:3d:94:50:d2:aa
Peer MAC routing supported      :                 True
Reload delay                    :          300 seconds
Non-MLAG reload delay           :          300 seconds
Peer ports errdisabled          :                False
Lacp standby                    :                False
Configured heartbeat interval   :              4000 ms
Effective heartbeat interval    :              4000 ms
Heartbeat timeout               :             60000 ms
Last heartbeat timeout          :                never
Heartbeat timeouts since reboot :                    0
UDP heartbeat alive             :                 True
Heartbeats sent/received        :            4499/4450
Peer monotonic clock offset     :   -56.025806 seconds
Agent should be running         :                 True
P2p mount state changes         :                    1
Fast MAC redirection enabled    :                 True
Interface activation interlock  :         unconfigured

Let's look at the configuration to enable MLAG, first run the command to show the block of mlag configuration
```
show running-config section mlag configuration
```
Example Output
Example Output
```
mlag configuration
    domain-id MLAG #(1)!
    local-interface Vlan4094 #(2)!
    peer-address 169.254.0.0 #(3)!
    peer-address heartbeat 10.1.1.4 #(4)!
    peer-link Port-Channel11 #(5)!
    dual-primary detection delay 5 action errdisable all-interfaces
    reload-delay mlag 300
    reload-delay non-mlag 330
```
1. MLAG domain is locally significant to the MLAG pair of switches, this can be any descriptor. Whether it's simply MLAG like shown or the name of say a pod: POD01
2. The local interface used to peer to the MLAG neighbor, this will always be an SVI
3. The MLAG neighbors address that resides within the local-interface subnet
4. This is an optional configuration called Dual Primary Detection, you can read more on this topic.
5. The peer link is the layer 2 port-channel used to trunk our MLAG vlans, we'll explore below how that's configured.

Let's take a closer look at the peer link itself

run show run interface Eth25-26; show run int Port-Channel1000; show port-channel 1000 detailed

Example Output

!
interface Ethernet25
    description MLAG
    channel-group 25mode active
!
interface Ethernet26
    description MLAG
    channel-group 25 mode active
!
interface Port-Channel25
    description MLAG_spine2_Ethernet25
    switchport mode trunk
    switchport trunk group MLAG
!
Port Channel Port-Channel25 (Fallback State: Unconfigured):
Minimum links: unconfigured
Minimum speed: unconfigured
Current weight/Max weight: 2/8
Active Ports:
    Port             Time Became Active       Protocol       Mode         Weight    State
    ---------------- ------------------------ -------------- ------------ ------------ -----
    Ethernet25       11:51:27                 LACP           Active         1       Rx,Tx
    Ethernet26       9:24:02                  LACP           Active         1       Rx,Tx

The port-channel is using a trunk group, lets look at that trunk group

Linux Sub-system

On top of the typical includes, section, begin, etc we commonly use to filter output. You also have access to many of the linux sub-system commands like grep, sed, awk, etc to filter and manipulate the output.
```
show vlan trunk group | grep -E "MLAG|Groups|-"
```
Example Output
```
VLAN     Trunk Groups
----     ----------------------------------------------------------------------
4094     MLAG
```
Note that vlan 4094 is a part of that trunk group, trunk groups are used to ensure those vlans assigned to trunk group MLAG are pruned from all interfaces except those explicitly configured. In this case Port-Channel11 is assigned the trunk group, therefore it's the only interface forwarding Vlan 4094.
Let's look at the peering SVI Vlan4094
```
show running-config interfaces vlan 4094
```
Example Output: SPINE01
```
interface Vlan4094
    description MLAG_PEER
    mtu 9200
    no autostate #(1)!
    ip address 169.254.0.0/31 #(2)!
```
1. We disable autostate to force the VLAN to be active
2. This peering address is only locally significant, it's common to use an APIPA IP address range (/31) that's repeated across all MLAG pairs. The neighbor address is used in the mlag configuration to peer over the trunk.
In the previous show mlag section we got a brief overview of status. During troubleshooting steps, there is a built in command to ensure MLAG configuration parity between the two devices. Run the following command to validate configuration matches between the two devices
```
show mlag config-sanity
```
Example Output
```
No global configuration inconsistencies found.

No per interface configuration inconsistencies found.
```

Looking at the interfaces down to the POD, let's validate the interface configuration

show run interface Ethernet 1-2
show run interface Port-Channel101

Example Output

!
interface Ethernet1
    description POD01
    switchport mode trunk
    channel-group 101 mode active
    lldp tlv transmit ztp vlan 101
!
interface Ethernet2
    description POD01
    switchport mode trunk
    channel-group 101 mode active
    lldp tlv transmit ztp vlan 101
!
interface Port-Channel101
    description POD01
    switchport trunk allowed vlan 101,201
    switchport mode trunk
    port-channel lacp fallback individual
    port-channel lacp fallback timeout 20
    mlag 101
!

If we do detect issues or want to verify the MLAG interfaces upstream/downstream are up/up we can validate

show mlag interfaces

Example Output

SPINE01#show mlag interfaces
                                                        local/remote
mlag       desc           state       local       remote          status
---------- ----------- -------------- ----------- ------------ ------------
101       POD01       inactive       Po101        Po101       down/down
102       POD02       inactive       Po102        Po102       down/down
103       POD03       inactive       Po103        Po103       down/down
104       POD04       inactive       Po104        Po104       down/down
105       POD05       inactive       Po105        Po105       down/down
106       POD06       inactive       Po106        Po106       down/down
107       POD07       inactive       Po107        Po107       down/down
108       POD08       inactive       Po108        Po108       down/down
109       POD09       inactive       Po109        Po109       down/down
110       POD10       inactive       Po110        Po110       down/down
111       POD11       inactive       Po111        Po111       down/down
112       POD12       inactive       Po112        Po112       down/down
113       POD13       inactive       Po113        Po113       down/down

Lastly, how do we maintain active/active forwarding with MLAG, this where VARP comes in. A virtual router address and common MAC is all it takes.

show run sec virtual-router
show ip virtual-router

Example Output

!
interface Vlan101
    ip virtual-router address 10.1.1.1 #(1)!
interface Vlan102
    ip virtual-router address 10.1.2.1
interface Vlan103
    ip virtual-router address 10.1.3.1
...
!
ip virtual-router mac-address 00:1c:73:00:00:01 #(2)!
!

IP virtual router is configured with MAC address: feed.dead.beef
IP virtual router address subnet routes not enabled
IP router is not configured with Mlag peer MAC address
MAC address advertisement interval: 30 seconds

Protocol: U - Up, D - Down, T - Testing, UN - Unknown
        NP - Not Present, LLD - Lower Layer Down

Interface       Vrf           Virtual IP Address       Protocol       State
--------------- ------------- ------------------------ -------------- ------
Vl1             default       192.168.3.1              U              active
Vl100           default       10.1.100.1               U              active
Vl101           default       10.1.1.1                 U              active
Vl102           default       10.1.2.1                 U              active
Vl103           default       10.1.3.1                 U              active
Vl104           default       10.1.4.1                 U              active
Vl105           default       10.1.5.1                 U              active
Vl106           default       10.1.6.1                 U              active
Vl107           default       10.1.7.1                 U              active
Vl108           default       10.1.8.1                 U              active
Vl109           default       10.1.9.1                 U              active
Vl110           default       10.1.10.1                U              active
Vl111           default       10.1.11.1                U              active
Vl112           default       10.1.12.1                U              active
Vl113           default       10.1.13.1                U              active

This is the virtual IP address configured on both MLAG pairs.
This vMAC will be used as the gateway vMAC associated with the Gateway VIP configured with either ip address virtual or ip virtual-router address (vARP). This vMAC will be consistent across all SVIs configured with a VIP.

That's it for this lab, you should have a bit better understanding of how MLAG is configured

Closing Out¶

Streaming Telemetry¶

Let's take a look at the steaming telemetry agent that communicates back to CloudVision. You may not be able to do this on you switch (current in zero-touch). Feel free to come back to this section to explore, your instructor will showcase this.

Let's view the telemetry agent daemon

show running-config section TerminAttr

Example Output

daemon TerminAttr
    exec /usr/bin/TerminAttr
        -disableaaa
        -cvaddr=apiserver.cv-prod-us-central1-b.arista.io:443
        -taillogs
        -cvproxy=
        -cvauth=certs,/persist/secure/ssl/terminattr/primary/certs/client.crt,/persist/secure/ssl/terminattr/primary/keys/client.key
        -smashexcludes=ale,flexCounter,hardware,kni,pulse,strata
    no shutdown

Now let's see this in action, login to CloudVision and navigate to the Devices > Inventory
Make a change to the hostname using a configuration session
```
!
configure session namechange #(1)!
hostname SOMEONEWASHERE
!
show session-config diffs #(2)!
!
commit timer 00:05:00 #(3)!
```
1. Create a configuration session, similar to branching in git, this will stage changes and wait for a commit to apply as a replace in configuration
2. Show the differences of designed vs what's configured
3. Commit the configuration to roll back in 5 minutes (hh:mm:ss), if you do not commit after the fact, this will roll back.
Session Configuration Diff
```
SPINE01[16:13:56](config-s-namechange)#show session-config diffs
--- system:/running-config
+++ session:/namechange-session-config
-hostname SPINE01
+hostname SOMEONEWASHERE
```
You should see the hostname change immediately inside CloudVision! This is not a poll... this is a continuous stream of state from device to CloudVision.

Additional Fun Commands¶

There are few other commands you can explore in your lab after deployment. As we move away from the CLI, remember all interactions with Arista EOS both via terminal or automation are leveraging the same commands.

Bash

Access to the underlying Linux system is available. Quick example is exploring the flash
```
bash
cd /mnt/flash/
ls -latr
```
Packet Capture

You have the ability to capture traffic, capturing control plane traffic or mirroring data plane to CPU.
```
bash
tcpdump -vvvnei et1
```
AAA Logs

Validate what commands have been run on the switch
```
show aaa accounting logs | tail
```
Configuration Session

Leverage a configuration session to stage config, commit as a full replace, and even configure a timed rollback.
```
configure session ATD
!
hostname IWASHERE
!
show session-config diffs
!
commit timer 00:00:30
!
show conf sessions
!
```

🤖 AI Lab Assistant¶

Want to automate all the commands above? Use our embedded AI agent to execute the entire lab automatically!

🚀 A01 Lab Automation Agent

Let the AI handle the typing while you focus on learning the concepts!

Select Student: Execution Mode:

Ready to start...

Command Output

🎉 CONGRATS! You have completed this lab! 🎉

LET'S GO TO THE NEXT LAB!

A-02-ATD | Provisioning a Campus Fabric - Virtual Lab¶

Overview¶

In this lab you will be using Arista Test Drive (ATD) to simulate a campus leaf switch using CloudVision Studios, adding your new campus leaf switch to an existing Campus Fabric using Arista's Test Drive (ATD) virtual lab environment.

ATD provides a fully virtualized network topology that mirrors real-world campus deployments, allowing you to experience Arista's campus solutions without physical hardware. Your virtual environment includes:

Pre-configured Campus Infrastructure: Virtual spine switches acting as your campus core
Virtual Leaf Switches: Simulated campus access switches already onboarded with CloudVision
CloudVision Integration: Full access to CloudVision Studios for fabric management
Realistic Network Scenarios: Experience the same workflows you'd use in production

Your environment has been pre-configured with a sample Campus to assist with these new concepts. Studios is equipped with flexible constructs that give you the ability to describe your campus footprint. These will be common throughout this workshop:

ATD Lab Access¶

To begin this lab, you'll need to access your assigned ATD (Arista Test Drive) virtual lab environment.

Navigate to your assigned ATD Token lab URL provided by your instructor

Student and Pod Assignment¶

Email	Lab Assignment	Student Pod #	ATD Token
dane.newman@ahead.com	student1	pod01	🚀 ATD Lab 1
charles.hall@ahead.com	student2	pod02	🚀 ATD Lab 2
apsmith@cspire.com	student3	pod03	🚀 ATD Lab 3
cjones@udtonline.com	student4	pod04	🚀 ATD Lab 4
jfowler@udtonline.com	student5	pod05	🚀 ATD Lab 5
sgrainger@adapture.com	student6	pod06	🚀 ATD Lab 6
bryan.deverell@cumberland.com	student7	pod07	🚀 ATD Lab 7
erick.sanchez@cumberland.com	student8	pod08	🚀 ATD Lab 8
wallace.pederson@computacenter.com	student9	pod09	🚀 ATD Lab 9
dan.crews@computacenter.com	student10	pod10	🚀 ATD Lab 10
jpucciariello@bulloch.solutions	student11	pod11	🚀 ATD Lab 11
jbryant@bulloch.solutions	student12	pod12	🚀 ATD Lab 12
stephen.norton@nwn.ai	student13	pod13	🚀 ATD Lab 13
cgordon@dgrsystems.com	student14	pod14	🚀 ATD Lab 14
-	student15	pod15	🚀 ATD Lab 15
-	student16	pod16	🚀 ATD Lab 16
-	student17	pod17	🚀 ATD Lab 17
-	student18	pod18	🚀 ATD Lab 18
-	student19	pod19	-
mbalagot+cws@arista.com	student20	pod20	-

Login using the credentials provided for your lab instance
Once logged in, you should see the ATD welcome screen similar to the example below. Click on the "Click Here to Access Topology" button to enter the lab environment.
To access the lab guides within your virtual environment, look for the vertical navigation bar on the left side of the screen and click on "Lab Guides" as shown below. You'll also find your lab credentials provided at the bottom of the page.
Choose the "CloudVision Studios - L2LS" labs to access the specific lab instructions for this exercise. Follow the lab instructions to complete all the steps required to create a campus fabric.

The ATD environment provides you with a complete virtual campus network topology where you can practice the same provisioning workflows used in production environments.

🎉 CONGRATS! You have completed this lab! 🎉

A-03 | Switch Onboarding with Inventory Studio & Access Interface Configuration¶

Overview¶

This lab combines two essential CloudVision workflows: onboarding switches using Inventory Studio and configuring access interfaces. You'll learn to use CloudVision's visual interface to add new devices and then configure port profiles for connected hosts.

Topology¶

Lab Topology

If you're not already logged into CloudVision (CVaaS), navigate to the Arista CVaaS for your lab.

Open CVaaS

Part 1: Switch Onboarding with Inventory Studio¶

Video Walkthrough¶

Before we begin the hands-on portion, watch this demonstration video that shows the complete switch onboarding process using Inventory Studio:

🔍 Click to zoom

Onboarding Your Switch¶

Now that you've seen the process, let's onboard your assigned switch using the same workflow demonstrated in the video.

Single Workspace

Make sure you complete this in a single workspace.

Step 1: Access Inventory Studio¶

Navigate to Studios from the main CloudVision menu
Locate and click on Inventory Studio
Create a new workspace or use an existing one

Step 2: Identify Your Device¶

In the Inventory Studio interface, look for devices in the "Network Updates" section
Identify your assigned switch using the serial number from your lab assignment
Your device should appear with a hostname like sw-X.X.X.X indicating it's in ZTP mode
Select your device by checking the box next to it. Click on Accept Updates, then click Accept in the confirmation dialog
Complete the Workspace as shown in the video walkthrough

Video Walkthrough - Applying base configuration¶

🔍 Click to zoom

Following the video demonstration:

Step 3: Apply Base Network Configuration¶

In Static Configuration studio, Click on Configlet Library
Search for your base config: base-pod## (where ## is your pod number)
Optionally review it
Create SubContainer for your device and tag base_config and value pod##
Note: Studios will prompt you to build the Workspace several times. Click on Build Workspace
Apply the base configuration to your device as shown in the video
Click Review Workspace
Click Submit Workspace
Click View Change Control
Click Review and Approve
Toggle Execute Immediately and click Approve and Execute

Verification¶

After the onboarding process completes:

Navigate to Devices > Inventory to verify your switch appears with the correct hostname
Check that the device status shows as Active and Streaming
Verify the device appears in the correct location within your campus hierarchy

Troubleshooting¶

Switch Onboarding Issues¶

If you encounter issues during onboarding:

Ensure your device is properly connected to the network
Verify the device is receiving DHCP and can reach CloudVision

Part 2: Access Interface Configuration¶

Now that your switches are onboarded, let's configure port profiles and apply them to interfaces in your network. But first, let's build the campus fabric.

Video Walkthrough - Build the Campus Fabric¶

🔍 Click to zoom

Step 1: Build the Campus Fabric¶

Navigate to Studios from the main CloudVision menu
Locate and click on Campus Fabric (L2/L3/EVPN)
Click on + Add Campus Fabric. Type Workshop and click + Create "Workshop"
On Workspace Review, click Submit Workspace Review, click X to close the window. You will be taken back to the main Campus Fabric page.
Click on > to expand the Workshop campus fabric
Click on + Add Campus Pod. Type Home Office and click + Create "Home Office"
Click on > to expand the Home Office campus pod
Under the Campus Type, click on Select and select L2 from the dropdown
Scroll down to + Add Access Pod. Type IDF1 and click + Create "IDF1"
Click on > to expand the IDF1 access pod
At the bottom of the page, Updating tag Campus Fabric, click Review
On Workspace Review, click Submit Workspace
On Workspace Submitted, click Clear Workspace

Creating Port Profiles¶

From the Studios home page, disable the Active Studios toggle to display all available CloudVision Studios (which when enabled will only show used/active Studios).

The toggle may already be in the disabled position

Let's create two port profiles using the Access Interface Configuration studio that will be used to provision connected hosts.

Launch the Access Interface Configuration
Click + Add Port Profile, name it Wireless-Access Point, and click the arrow on the right

Enter the following values on this configuration page, you can leave all other configuration items left as default. See the settings are configured in the screenshot below

*VLAN pod numbers between 01-20 that was assigned to your lab/Pod. Example: Pod01 is VLAN101, Pod13 is VLAN113

Wireless-Access Point"AP

Key	Value
Description	`Wireless-Access Point`
Enable	Yes
Mode	Access
VLANS	`1##` where `##` is your 2 digit pod number*
Portfast	Edge
POE Reboot Action	Maintain
POE Link Down Action	Maintain
POE Shutdown Action	Power-Off

*VLAN pod numbers between 01-20 that was assigned to your lab/Pod. Example: Pod01 is VLAN101, Pod13 is VLAN113

Once you are done with configuration, navigate back to Access interface Configuration near the top of the page, under the Quick Actions

Let's add another port profile for our Raspberry Pi, click Add Port Profile, name it Wired-RasPi, and click the arrow on the right

Wired-RasPi

Key	Value
Description	`Wired-RasPi`
Enable	Yes
Mode	Access
VLANS	`1##` where `##` is your 2 digit pod number*
Portfast	Edge
802.1X	Enabled
MAC Based Authentication	Yes
POE Reboot Action	Maintain
POE Link Down Action	Maintain
POE Shutdown Action	Power-Off

*VLAN pod numbers between 01-20 that was assigned to your lab/Pod. Example: Pod01 is VLAN101, Pod13 is VLAN113

Our port profiles have been staged, click Review Workspace
We can see the only studio changed is the Access Interface Configuration, no configuration on the devices has changed.
Go ahead and Submit the Workspace when you ready

Note that device configuration has NOT changed after submitting this workspace. If you see something different, create a new workspace and try again or reach out to the event staff.

Assigning Port Profiles¶

No Workspace

Now that you have port profiles, you can each individually configure ports on your assigned switch! No workspace required here 😄

We are going to assign our new port profiles to our switch, specifically assign ports for
1. Ethernet1: our access port for the Raspberry Pi
2. Ethernet7: our access port for the Access Point
3. Ethernet9: our access port for the Access Point
Let's configure our Access Point port, make sure you identify your assigned switch pod<##>-leaf1

Your Device

NOTE: You will see a slightly different front panel layout, this is the difference between the 710P-12P and the 710P-16P you have in front of you.
Student 1
1. Click on port Ethernet7 on your assigned switch
2. Choose the Port Profile of WAP
3. Click Yes radio button under Enabled
4. Repeat steps 1-3 for port Ethernet9
5. Click Review
You can review the configuration before pushing, but all in the same workflow. Hit Confirm to push the access port config when ready!
Once the Change Control has been executed, click Configure Additional Inputs to configure another access port
Let's now configure our Raspberry Pi port, make sure you identify your assigned switch pod<##>-leaf1

Your Device

Make sure to select your device, see the tabs below!

NOTE: You will see a slightly different front panel layout, this is the difference between the 710P-12P and the 710P-16P you have in front of you.

Student 1
This time Click Submit
This has pushed the configuration without review! This streamlined the process for low risk changes like access port changes. Once Change Control has been executed, click Finish
Quick actions is using the same CloudVision Change Control workflow, the exception here is it's auto approved to allow low risk/impact changes easier. You can view this change control in the Change Control tab and see the generated task.

Adding a VLAN¶

Adding a VLAN is a common provisioning task. Let’s use the existing Campus Fabric Studio to add an incremental configuration (add a VLAN). This VLAN will be specific to your pod and not routable outside.

Single Workspace

You and your fellow student will work together to create a new VLAN in your campus fabric using a single workspace.

Once the workspace is created, open the existing Campus Fabric (L2/L3/EVPN) studio.
1. Validate that the Device Selection still applies to All Devices
2. Within the Campus Services (Non-VXLAN) navigate to Campus: Workshop > Campus-Pod: Home Office using the arrow on the right
WorkshopHome Office
We are going to add a new VLAN and add to the Home Office Campus POD.
1. Click the + Add VLAN button
2. Add the VLAN 2##, where ## is your pod number and click the right arrow
3. Customize the new VLAN by giving it a Name
4. Add the VLAN to the Access-Pod by clicking + Add Pod and selecting IDF1
5. Let's click Review Workspace to submit the staged changes.
Review and Submit Workspace
1. Notice that the Studio is adding the VLAN to the two devices within the Pod.
  
  Pruning VLANS
  
  Outside of this lab topology, when you add vlans to a Layer 2 leaf like this, Studios will generate the necessary configuration to trunk the new VLAN to the spines or upstream MLAG pair when using LSS.
  
  No changes?!
  
  If you are not seeing any proposed changes, make sure you selected an Access-Pod within the VLAN configuration. (See step 2e)
2. Once you review the changes, click Submit Workspace
3. Click View Change Control
4. Review the Change Control and select Review and Approve
5. Toggle the Execute Immediately button and select Approve and Execute
Verify the VLAN has been added to the device configuration by using the Device Comparison function.
1. Click Devices, the click on Comparison, and select a Time Comparison
2. Choose a device from the list, such as leaf1a
3. Select a time period, for example 30 minutes ago and click the Compare button
4. The first screen presented shows the overview, navigate to the Configuration tab on the left
5. Select the Configuration section
  
  Timeseries in CloudVision
  
  We expect the configuration changed within the last 30 minutes, but all streaming data from the switch (including configuration) is stored in a timeseries database. So anything from routing table, MAC, ARP, and more is accessible for historical review and comparisons like this!
Lab section completed! In the next lab section you will see how to roll back a previous change control

Rollback a Change Control¶

There is no question at some point in your career, there has been a situation you've been asked to roll back a configuration change and restore back to previous state. You may need to do this for all devices affected by a change, or only a subset of devices under troubleshooting.

CloudVision Change Controls are built with this flexibility in mind, granular change management per device or fleet-wide. Specifically targeting actions or tasks that have taken place can be identified and rolled back when needed.

Let’s roll back the change control we used to add a VLAN via Studios.
First go to Provisioning then Change Control. Select the change control corresponding to your VLAN addition
Click the Rollback button
In the next screen, select the top list check mark to select all the devices and click Create Rollback Change Control
Verify the Configuration Changes section by clicking Diff Summary Once you have reviewed the change, click the Review and Approve button
Again, you'll be presented with one more opportunity to review the changes. Select Execute Immediately if not already toggled on and Approve and Execute
Monitor the change control for completion to ensure the added VLAN is cleaned up on all switches.

StartFinish
You have now successfully added a VLAN through Studios and then rolled back that change across all switches.

🎉 CONGRATS! You have completed this lab! 🎉

Your switch is now successfully onboarded and ready for further configuration. You've also learned how to create and assign port profiles for access interfaces.

LET'S GO TO THE NEXT LAB!

A-04 | Operations, Dashboards, and Events¶

Overview¶

In this lab we will explore some of the features of CloudVision to manage and operate your campus network.

Intro to Network Hierarchy¶

Campus networks can be rather extensive in size and their reach, including many sites, buildings, and floors where your precious network gear is deployed. The Network Hierarchy view aligns closely with the same way you'll manage your wireless access points in CV-CUE:

Click on the Network Hierarchy tab on the left
Note your Network contains the workshop campus, campus pod, and access-pod as you drill down.
Click on Workshop to view a summary of all the devices deployed under the top level campus Workshop
Click on IDF1 and note we now get more detail about the switches and clients connected to those devices in the Overview tab.
Click on the Front Panel tab to view more detail about what's connected, the capabilities of your switches in the stack, and access to quick actions to make changes on the interfaces.
Let's now use Network Hierarchy to drill down into a compliance issue.

Configuration Compliance¶

The Network Hierarchy view is one of many ways to visualize your campus, namely to drill down to a specific area of the network to configure or troubleshoot an issue.

to showcase compliance panel and 2 devices should flagged (due to rollback above). This will open the compliance dashboard and we can sync the config from there via Change Control.

If you're not already on the Network Hierarchy page, click the tab on the left.
Click the top level Network object, and take note of the Compliance panel on the right
We have 2 devices that are violating the Configuration compliance item
Click on Compliance and you should see the Compliance Overview with our 2 devices out of configuration compliance
Let's select your device below and click Sync Config
This will create a Change Control with our two devices
Click on the Review and Approve

Why is our configuration out of sync?!

Recall CloudVision is designed to act as the "Source of Truth" for your configuration. It contains a designed configuration it considers the standard, driven through configuration in Studios. When we added our Vlan in the previous step, we rolled that change back, and now there is a discrepancy.

This could be a real life scenario where a VLAN was added, rolled back due to an unforeseen issue, and scheduled to be added at a later date. We need that vlan, we are reminded the device is out of compliance, and possibly for a good reason!
Click on Approve and Execute when you're ready
This is pushing the designed configuration back to the device
Let's go back to our Network Hierarchy or Devices > Compliance Overview and we should see are switches are not in compliance again.

Network HierarchyCompliance Overview

Dashboards¶

Dashboards are an important way to visualize commonly requested information, we've already seen the Campus Health Dashboard a few times in previous labs. This lab section shows you how to navigate the built-in dashboards and customize your own.

Campus Health Overview¶

Open the Dashboards Section and we will see the Campus Health Overview dashboard is set to our home dashboard.

Dashboard Home Page

CloudVision has a couple features that customize a users experience. There is a built in profile for Campus Monitoring that can be applied to a user role, this will set the "Campus Health Overview" dashboard as the primary dashboard. A user can also select any built-in or custom dashboard as the home/primary dashboard.
You’ll be presented with a curated selection of common campus related monitoring tools
Feel free to explore the Campus Health dashboard briefly and then navigate back to the Dashboards landing page by selecting Dashboards in the upper left.

Device Health¶

Next, Select the Device Hardware dashboard
By default, this dashboard selects all devices.
Change the dashboard to select only leaf1a or leaf1b by changing from device: * to device: to match a single device. Once you’ve selected an individual device, the dashboard will filter to results for only this device.
Navigate back to the Dashboards landing page by clicking Dashboards in upper left.

Custom Dashboard¶

Next, let’s add a new customized dashboard. There are three main constructs we will touch on here:

Metrics (Devices): telemetry data specific to a device
Metrics (Interfaces): telemetry data specific to the interfaces of a device
Summaries: a metric or set of metrics summarized into a single view

There is a lot to unpack in dashboards as you have a significant amount of power in customizing the data and look of your dashboard. See how dashboards are quickly created before we get started.

Let's get started:

Click the + New Dashboard button.
Provide a useful Name for the Dashboard, such as Pod##-Student#
Next, let’s add a combination of visualizations that we want to capture
First, click the drop down on the upper right and change from Metrics to Summaries
Within the Summaries list, click on, or drag the Events widget into the dashboard canvas
Within the Events tile now added to your dashboard, click the Configure button
Within the right side menu bar, select the following:

Dashboard Settings

Key Value

View Mode Severity Timeline

Show Active Only True

Dataset Access-Pod: IDF1
Dismiss the customization menu by clicking the in upper right corner
Next, change the Summaries menu back to Metrics
Within the Metrics menu, click and drag a Table and a Horizon Graph to the canvas

Drag the tiles

You can drag the tiles around by the respective menu bars and resize each tile using the lower right corner handles.
Let's configure the Table first by clicking the then click the three-dots menu and click Configure

Table Settings

Key Value

Data Source Devices

Metrics #1 802.1X Interface Count

Metrics #2 CPU Utilization

Metrics #3 Total Power Granted

Metrics #4 ARP Table Size

Metrics #5 Boot Time
Dismiss the customization menu with the button in upper right

Now let's configure the Horizon Graph by clicking the then click the three-dots menu and click Configure

Horizon Graph Settings

Target your student device below!

Key	Value
Data Source	Interfaces
View Type	Multiple Metrics for One Source
Interface (device)	`pod##-leaf1`
Interface (interface)	`Ethernet1`
Metrics #1	Bitrate In
Metrics #2	Bitrate Out
Metrics #3	Operational Status
Metrics #4	Interface Authentication State

Dismiss the customization menu with the button in upper right
You can resize and drag the components around, but you should have a new dashboard that looks something like this.
Save and completed the dashboard customization by clicking the Done button in upper menu bar

Events¶

In this section, we will explore the Events stream and the tools and filters to help process and manage critical errors versus informational data.

First, open Events from the menu bar
Next, select a different time frame for the summary visualization, click the current time selection and change this to 1 Hour
You can also toggle between a bar graph and event count display

Events GraphEvents Table
Focusing on the Event List next, Note the Export button to download the current Event list as CSV. Notice you can download All Events or only Selected
Next, select the Gear icon to toggle Event List Roll Up. This setting combines repeated events into groups. Toggle this On and Off, watch the effect this has on the list of Events.
Next, utilizing the Event Filters on the right pane is important to reduce the amount of data displayed.

Filter Settings

Key Value

Severity Critical, Error

Type #1 `Unexpected Link Shutdown

Type #2 Device Clock Out of Sync
Acknowledge and Unacknowledging events
1. To acknowledge from the filtered event list, select specific events and Acknowledge them.
2. Adding a note is optional, select the Acknowledge button to mark these selected events.
3. Acknowledged events are not deleted from the event list, only flagged as acknowledged and can be referenced by changing the filtered Acknowledgement State. Click Acknowledgement State and select Acknowledged
4. Un-acknowledging an event can be done in the same way, click the box to the left of the Acknowledged event, and click Unacknowledge at the top of the event list.
Events and filtering lab section complete!

Customize Notifications¶

In this lab, you will configure CloudVision to send an email alert to an email address using the built-in “SendGrid” email service. There are other notification systems natively supported in CloudVision, but we'll focus on email for this lab (Example: email, chat, SNMP, Syslog, etc).

Configure SendGrid email service.
If you are not already, click on the Events menu option.
Click on the Notifications button in the top right of the screen.
Check the system status for the Config back-end and Relay back-end

Status Unknown!?

Before receivers and notifications are configured, the status will be “Unknown”.

Status UnknownStatus Ready
Now, configure the SendGrid receiver by clicking on Receivers in the menu, then click on the Add Receiver button. Name the receiver SendGrid for Campus ATD, then click the Add Configuration button and select SendGrid from the menu options.
Type in cvaas-alerts@arista.com in the email address field. This is a shared email address that you can receive emails at during this lab and check the Send notification when events are resolved checkbox. Click the Save button in the upper right hand side of the screen to save your new receiver.
Once you are happy with receiver’s configuration, click the Save button at the top of the screen
Next, configure a Rule to use the new receiver. Click on the Rules menu option, then click Add Rule
Configure Rule Conditions for this rule. Click on the + Device button, then choose your switch from the Device drop down box.

Add DeviceSelect Device
Now click on the + Event Type button. Add Event Types by choosing them from the drop down box as shown in the image below:

Add EventSelect Event
Select all of the severity options by clicking on the + Severity button and choosing the options from the drop down box.
Next, choose your new SendGrid for Campus ATD receiver from the Receiver dropdown box, select the Continue Checking Rules box, and save your changes by clicking on the Save button.

SAVE the changes!!

Make sure to save your changes in this screen with the Save button along the top of your screen.
Now lets test your new receiver and rule
Click on the Status menu option. Configure the Test Notification Sender by changing the Event Type to be Device Stopped Streaming and selecting your switch from the Device drop down box. Click the Send Test Notification button.

Send NotificationNotification Sent
After a minute or two, you should receive the email alert at the email address you configured in the Receiver
You can remove your event receiver to avoid additional emails before continuing!

🎉 CONGRATS! You have completed the Wired labs! 🎉

Wireless Lab Guides

B-01 | Arista Wireless Setup¶

Overview¶

In this lab we are going to explore the Arista Launchpad in more depth, explain how Access Points are onboarded, configured, and troubleshot in a live environment.

Topology¶

Lab Topology

If you're not already logged into CV-CUE, navigate to the Arista Launchpad for your lab.

Open Launchpad

Login Step 1Login Step 2

Provide your assigned lab/pod email address and password and click Sign In

You will see the various tools tied to your tenant, this includes CVP, AGNI (NAC), and CV-CUE for wireless. Click into CV-CUE (CloudVision WiFi) tile to begin this lab.

Arista Launchpad¶

Launchpad is the portal to access your Arista cloud services including WiFi Management (CV-CUE) and AGNI (Network Access Control). When you open the launcher, you are presented with management applications on theDashboard menu and access controls with theAdmin menu.

When you open the launcher, you are presented with multiple applications. Each is included with the subscription (as is support).

:cvp: CV-CUE CloudVision-WiFi: Wireless Manager.
Guest Manager: looks at the users and how they are interacting with your environment.
Nano: manage your environment from your smartphone
Packets: an online .pcap debug allowing you to examine the packet information.
WiFi Resources" includes documentation and over 6 ½ hours of online training, also included.
WiFi Device Registration: application for importing APs into your account
:agni: AGNI: network access control
:cvp: CVP Staging (CloudVision Portal): switch Management and staging Environment

Add a User and Assign Privileges¶

First, use the Admin menu to add a user.
Click on the Admin Tab at the top of the Launchpad window:
Overview of Launchpad Admin menu:
1. Users - Assign Access to users with different access levels as well as to specific folders
2. Keys - Used with API integrations
3. Profiles - Defines Access levels to CV-CUE, LaunchPad, and Guest Manager
4. Logs - Download User Action Logs
5. Settings - Lockout Policy, Password Policy, and 2-Factor settings

Authentication

CloudVision CUE authenticates users via SAML directory integration or via the Launchpad identity providers. These can be customized with local users in Launchpad or directory single-sign-on users. More information on Arista Communities, Integrating Third-Party SAML Authentication Providers

AP Registration¶

Reference Information

For this lab, these steps have already been done for you by event staff.

Arista AP serial numbers are automatically assigned to the user’s CV-CUE staging area when purchased. In addition, specific devices can be registered for management using the WiFi Device Registration function, accessible from Launchpad Dashboard.

Let’s click on the Dashboard menu option on the left hand side of the screen. This opens the Dashboard Overview screen which provides us with numerous metrics for our wireless environment.
Within the Import function you can provide individual AP serials and keys or upload a CSV.
Assign Access points to Wireless Manager Service

CV-CUE CloudVision WiFi Access¶

CloudVision CUE - Cognitive Unified Edge, provides the management plane and monitoring functions for the Arista WiFi solution.

Click on the CV-CUE (CloudVision WiFi) Tile in the LaunchPad from the Dashboard menu.
When the CV-CUE interface launches, you are presented with an initial dashboard to monitor your wireless environment at a glance, we will revisit these metrics later in the lab. Since this is a new setup the initial dashboard screen will be mostly empty.
Use the left menu bar to select monitoring and configuration functions.
The primary menu navigation functions are the following:
1. Dashboard - Alerts, Client Access, Infrastructure health, Application Experience, and WIPS
2. Monitor - Monitor and explore Clients, APs, Radios, SSIDs, Application traffic, Tunnels
3. Configure - WiFi SSIDs, APs and Radios, Tunnels, RADIUS, and WIPS settings
4. Troubleshoot - Client connection test, packet trace, live debug logs, historic logging
5. Engage - User insights, Presence, Usage, 3^rd party integrations
6. Floor Plans - Floor layouts and AP location map view
7. Reports - Detailed information for Infrastructure APs/Radios, Client Connectivity and Experience, WIPS detections
8. System - Locations Hierarchy, AP Groups, 3^rd party server settings, keys and certificates
In addition to the menu bar navigation and Locations Hierarchy, the UI provides a common Search bar, Metric summary, and Help button throughout workflows.

Assign AP Name¶

Access points that successfully receive an IP address, DNS, and default gateway via DHCP, and have connectivity over HTTPS/TCP/443 to CV-CUE.

Using the left navigation bar in CV-CUE, navigate to Monitor > WiFi.
Select the Access Points section and observe the discovered AP and default name Arista_ and the last 3 bytes of the MAC address.
Customize the AP’s name by clicking the 3-dots menu and Rename
Give the AP a name such as: POD##-AP1 or POD##-AP2 where ## is a 2 digit character between 01-12 that was assigned to your lab/Pod.

Managing the Configuration Hierarchy¶

Within CV-CUE, much of the configuration is hierarchical, so everything you configure will be inherited from that level and it's children.

Moving AP to Location¶

Expand the Locations pane by clicking on the hamburger icon . Now select the three dots to the left of Locations and click on Manage Navigator.

Manage Navigator is where you create Folders, Floors, and Groups.
1. Folders typically represent a company, branch office name or division.
2. Floors are straightforward and are where maps are placed.
3. Groups are a way to make a configuration more granular. Let’s say you want a branch location to have all of the same configuration but Outdoor APs need to vary from that. You would create a group for the Outdoor APs, put the APs into that group and override the part of the configuration that is unique. Think of your company and how you would want to lay it out.
Add a Folder for your Company Name. In the Navigator, select the 3 dots next to Locations. Select Add Folder/Floor
Add a new folder using the settings below, depending on your student assignment

Folder Name

Student Folder Name

student## ACorp
Next, create a Floor called 1st Floor. Click on the word ACorp to expose the 3 dots menu.

Add Multiple Floors

It’s also possible to add multiple floors at once using the Add Multiple Folders/Floors menu option

Use the * key to create floors instead of folders
Next, move your AP into the 1st Floor you created. To move your AP from the staging area, Alternate click on the Staging Area folder, and select Show Available Devices.
Next, right click on the AP name, select Move and then select the 1st Floor folder you created earlier, and then click the Move button at the bottom of the screen.

Step 1: AP MoveStep 2: AP MoveStep 3: AP Move
You’ll see a pop-up message to confirm the move. Click Move again to finish the process
You can verify the move by selecting the 1st Floor folder and then Show Available Devices.

Adjusting Power/Channels¶

For this workshop event, we will be reducing WiFi Radio channel width and transmit power levels to avoid interference with the hosting facility.

To customize these power settings: Navigate to the Configure > Device > Access Points menu
Once in that menu, ensure that ACorp is selected from the tree structure on the left. If you do not see the tree structure, click the hamburger icon next to Locations in the top left to expose the tree.

Set the following parameters under the WiFi Radios tab and 5GHz (you can ignore 2.4GHz) and you will override the following:

Channel Selection: Select Manual and see the "Channel Settings" table below.
Channel Width: 20MHz
Transmit Power: Manual to 4bBm

My settings are greyed out

At the bottom of your screen you may need to select to override the inheritance policy. It should state: Click here to enable editing and customize the policy.

Find your pod number and assigned student number, set the Candidate Channel

All Channel Settings

Pod	Student	2.4 GHz	5.GHz	Channel Width	Transmit Power
01	1	Disabled	52	20MHz	4dBm
02	2	Disabled	56	20MHz	4dBm
03	3	Disabled	60	20MHz	4dBm
04	4	Disabled	64	20MHz	4dBm
05	5	Disabled	100	20MHz	4dBm
06	6	Disabled	105	20MHz	4dBm
07	7	Disabled	108	20MHz	4dBm
08	8	Disabled	112	20MHz	4dBm
09	9	Disabled	116	20MHz	4dBm
10	10	Disabled	120	20MHz	4dBm
11	11	Disabled	124	20MHz	4dBm
12	12	Disabled	128	20MHz	4dBm
13	13	Disabled	132	20MHz	4dBm
14	14	Disabled	136	20MHz	4dBm
15	15	Disabled	140	20MHz	4dBm
16	16	Disabled	144	20MHz	4dBm
17	17	Disabled	149	20MHz	4dBm
18	18	Disabled	153	20MHz	4dBm
19	19	Disabled	157	20MHz	4dBm
20	20	Disabled	161	20MHz	4dBm

Click Save at the bottom of the page then click Continue to confirm.
Click Continue to commit changes

Assign Floor Plan¶

Let's assign a floor plan to our 1st Floor for our respective corporation. Depending on the lab guide format, you can either save the image here or download from the email. We are going to use this image and import it into CV-CUE.

Download MkDocs Site

If you are viewing this guide as a MkDocs site, simply right click the image below and Save Image As to your Desktop.

Use your favorite snip program

On your Mac, Command+Shitt+5 and snip the image here and save that image to your computer. On Windows, use your favorite snip program to capture the image below and save it to your computer.

In the left hand menu, click on Floor Maps. Make sure to set the location level to be CorpA - 1st Floor. Click the Add Floor Plan button in the upper right corner of the screen.
Enter floor name as 1st Floor, click the Upload Image button to import the floor plan image, and use the following dimensions: Floor Plan Dimensions: Unit: Feet, Length: 120, Width: 60

Floor Plan Settings

Key Value

Unit Feet

Length 120

Width 60
Click Save at the bottom of the screen.
Next, drag the AP onto the map, from the right hand side menu, to see how easy placing APs is. Choose Place Access Points.

I don't see my AP?

If you do not see an AP, it is because your AP is assigned to another location (folder) and you’ll need to move it to the 1st Floor folder (see steps above). Or, you may have the incorrect menu selected in the upper right hand corner of the screen.

Screenshots
Hover over the AP image to get more information and then right-click on the AP image to see more options.
Next, explore the other menu options like Start LED Blinking (in the menu on the right hand side of the screen).
Try exploring the Event Logs under the Troubleshoot menu

Creating a PSK SSID¶

The Configure section of CV-CUE is broken into several parts, including WiFi, Device,Network Profiles, WIPS, and Alerts.

In this section of the lab, we will be working in the WiFi configuration area. We will create an SSID with a WPA2 PSK for you CorpA/B site.

Hover your cursor over the Configure menu option on the left side of the screen, then click WiFi.
At the top of the screen, you will see where you are in the location hierarchy. Click on the three lines next to Locations to expand the hierarchy and choose/highlight the CorpA folder. Now click the Add SSID button on the right hand side of the screen.

Hierarchy CollapsedHierarchy Expanded
Once on the SSID page, configuration sub-category menu options will appear across the top of the page related to WiFi (the defaults are Basic, Security, and Network). You can click on these sub-category names to change configuration items related to that area of the configuration.
To make additional categories visible, click on the 3 dots next to Network and you can see the other categories that are available to configure (Wifi7,Access Controls, Captive Portal, etc.).

Walk through the steps (tabs) below to configure the SSID

Step 1: SSIDBasicStep 2: SSID SecurityStep 3: SSID Network

In the Basic sub-category option, name the SSID ATD-##A-PSK (where ## is the pod number you were assigned). The Profile Name is used to describe the SSID and should have been auto-filled for you.

Since this is our corporate SSID, leave the Select SSID Type set to Private

Guest SSID

Note: this is where you would change it to Guest if needed.

In the Security sub-category, change the following settings, then select Next at the bottom of the screen.

In the Network configuration sub-category, we’ll leave the VLAN ID set to 0, which means it will use the native VLAN. If the switchport the AP is attached to is trunked, you could change this setting to whichever VLAN you want the traffic dropped off on. We are using Bridged mode in this lab. You could use the following for specific scenarios:

NAT: often done for Guest
L2 Tunnel / L3 Tunnel: as you would see for a Guest Anchor or tunneled corporate traffic

SSID Name

Student	Student 1	Student 2
SSID Name	`ATD-##-PSK`	`ATD-##-PSK`
Profile Name	Auto Fill	Auto Fill
Association Type (drop down)	WPA2	WPA2
Authentication (radio button)	PSK	PSK
Passphrase	`Wireless!123`	`Wireless!123`

The rest of the settings can be left at the default values.
Click the Save & Turn SSID On button at the bottom of the page.
You will be prompted to customize before enabling, check the Customize button
Only select the 5 GHz option on the next screen (un-check the 2.4 GHz box), then click Turn SSID On.
After you turn on the SSID, hover your cursor over Monitor in the left hand side menu, and then click WiFi.
Now, in the menu options at the top of the page, look at the Radios menu option. Is the 5 GHz radio (Up) and 2.4 GHz radio (down)?

It may take a minute or two for the radio to become active.
Next, go ahead and connect your phone to the SSID (PSK is Wireless!123). Navigate to the Clients menu at the top of the screen and you should see your device.

🎉 CONGRATS! You have completed this lab! 🎉

LET'S GO TO THE NEXT LAB!

B-02 | WiFi Troubleshooting¶

Overview¶

Explore the wireless troubleshooting features.

Client Troubleshooting¶

Make sure you are at your correct folder (ACorp) in the hierarchy
Hover over Troubleshoot in the left hand menu, then click Packet Trace.
On the top right hand side of the window, click Auto Packet Trace and select the checkbox for the SSID you created earlier (ATD-##-PSK).
Click Save at the bottom of the window.

I don't see my AP?

If you don’t see the SSID listed, make sure you are in the correct folder in the navigation pane.
Next, connect your device to the AP and type in the wrong PSK.
Hover your cursor over the Monitor menu on the left hand side of the screen, then click WiFi.
Now click on Clients at the top of the page. You should see your device trying to connect.
Select on the three dots next to the device name and select Start Live Client Debugging.
Select 30 Minutes in the Time Duration drop down box, select the Discard Logs radio button, then click Start.
Next, try connecting the device again with the Wrong PSK. Watch and review the Live Client Debugging Log.
After that fails, try again with the correct PSK (Wireless!123) and review the logs.
Once your device has successfully connected to the AP, click on the client name to learn more about the client (on the previous browser tab).
After you click on the client name you can gather additional information such as:
1. Root Cause Analysis
2. Client Events
3. Data Rate
4. Top Apps by Traffic
5. Client Traffic Volume
6. Application Experience
7. etc.
Scroll down a little to the Client Events section select the icon to Switch to Table View.
Here you can see the success/failure messages, DHCP information, and other events.
Scroll down to the failed incorrect PSK entry and select View Packet Trace in the Packet Capture column (you may have to scroll to the right).
You should see a packet trace that you can download. Click on View Packet Trace.
Select Open to open the file right within CV-CUE or the Packets Application. You will be in the Visualize section of Packets.
You can also download the trace and view it with WireShark if you have it installed.
Click on Time View and Frames to look through the data and at the trace to see how Arista can help you troubleshoot.
Next, click on the back arrow icon to look at the “Analyze” feature.
Explore the Analyze feature by clicking on the various menu options and reviewing the data.

🎉 CONGRATS! You have completed this lab! 🎉

LET'S GO TO THE NEXT LAB!

🤖 AI Lab Assistant¶

Want to automate all the commands above? Use our embedded AI agent to execute the entire lab automatically!

🚀 B02 Lab Automation Agent

Let the AI handle the navigation while you focus on learning the concepts!

Select Student: Execution Mode:

Ready to start...

🖥️ Lab Execution Output

B-03 | Guest Wireless with AGNI¶

Overview¶

If you're not already logged into AGNI, navigate to the Arista Launchpad for your lab.

Open Launchpad

Login Step 1Login Step 2

Provide your assigned lab/pod email address and password and clieck Sign In

You will see the various tools tied to your tenant, this includes CVP, AGNI (NAC), and CV-CUE for wireless. Click into AGNI (Beta) tile to begin this lab.

AGNI Guest Captive Portal¶

Let's configure a Guest Captive Portal using AGNI for wireless clients. To configure the guest portal, you must configure both AGNI and CV-CUE.

🔥 CRITICAL PREREQUISITE 🔥

⚠️ MANDATORY: Your access points need to be onboarded in AGNI with RadSec before proceeding.

📖 Follow the steps here - This step cannot be skipped!

RadSec | Installing the AP Certificate¶

What is RadSec?¶

RadSec is a protocol that supports RADIUS over TCP and TLS. For mutual authentication it is required to install a client certificate with corresponding private key as well as your AGNI CA certificate.

With the proliferation of IoT devices, mobile users, and remote access, networks have become more complex and diverse, making traditional RADIUS susceptible to eavesdropping and man-in-the-middle attacks. RadSec's integration of secure Transport Layer Security (TLS) encryption addresses these vulnerabilities, providing a robust defense against unauthorized access, data interception, and tampering.

Arista Switches can form a RadSec tunnel using SSL encryption with AGNI:

AGNI integrates with network infrastructure devices (wired switches and wireless access points) through a RadSec tunnel over Port 2083
The highly secure and encrypted tunnel offers complete protection to the communications that happen in a distributed network environment. This mechanism offers much greater security to AAA workflows when compared with traditional unencrypted RADIUS workflows.

More information on RadSec

Open AGNI and CV-CUE

When applying the Certificate to the AP it is recommended to have both the CV-CUE and AGNI windows opened side by side. - Login to CV-CUE - Login to AGNI

Configure RadSec¶

It's important to identify if the wired or wireless device you are configuring is manufactured with a Trusted Platform Module (TPM) chip. This chip contains the required certificate used for RadSec. However, if the TPM chip does not exist, CV-CUE supports Custom Certificate Management for Access Points.

More information on TPM

Summary¶

Launchpad Add AP and assign the Service
CV-CUE Create a Folder and move the AP
CV-CUE Generate CSR TAG and then Download CSR .zip.
AGNI Add the device as a new AP under Access Devices
AGNI Click on your AP and then select Get Client Certificate
AGNI Upload the CSR and Generate Certificate
CV-CUE Click on your AP and Upload Device Certificate and select TAG and AP.pem file
AGNI Under Administration click on RadSec settings and download Cert and copy hostname
CV-CUE In your Folder, Create a RADIUS RadSec server and apply the RadSec Cert from AGNI and Select your CSR TAG -> FQDN: radsec.beta.agni.arista.io
CV-CUE Create an SSID and point to the RADIUS client you created using WPA2 802.1X RadSec.
AGNI Create a User Account
AGNI Add Client
AGNI Under Networks, recommend starting with just a MAC auth example to make sure everything is running like you expected and point it to your SSID

Detailed Steps¶

CV-CUE
1. First we Generate a CSR. Click on Monitor > WiFi Access Points
2. On right hand side on top and click on Certificate Actions
3. Next, right click on the AP and select Generate CSR and select your Add New Certificate Tag. Type in a name for your Certificate Tag. Click on Generate.
4. Next, right click on the AP and select Download CSR and select your Certificate Tag.

AGNI

Click on Access Devices and click on + Add or Import. Specify the following in the table below. Click on Add Device when done.

Field	Value	Notes
Choose Action	`Add Device`	Select radio button
Name	`Your AP Name`	Enter descriptive name for the AP
MAC Address	`xx:xx:xx:xx:xx:xx`	Optional - Enter AP MAC address
Vendor	`Arista WiFi`	Select from dropdown
Serial Number	`Your AP Serial`	Required for RadSec - Enter AP serial number
IP Address	`Your AP IP`	Optional - Enter AP IP address
Access Device Group	`Select Group`	Optional - Choose appropriate group
Location	`Your Location`	Optional - Example: Global/America/California/Site-1

Access Devices → Devices → Select AP → Get Client Certificate
Next, select Generate Certificate: Use CSR (Single Device), and select Action: Upload CSR File, and browse to and select the CSR zip file.
Select Generate Certificate and the AP Client Certificate will be created and downloaded to your device.
Under System -> RadSec Settings copy the Radsec Server Hostname and Download Certificate at the bottom.

🚨 CRITICAL STEP - DO NOT SKIP!

⚠️ MANDATORY: You MUST download the RadSec certificate from AGNI before proceeding to CV-CUE configuration.

📥 Download Certificate - This certificate is required for the RadSec tunnel to work properly.

🔗 Copy Hostname - The RadSec Server Hostname is needed for CV-CUE RADIUS server configuration.

Upload the Device Certificate
Go to Monitor → WiFi → Access Points → Select AP → Certificate → Upload Device Certificate, and upload the Client/Device Certificate that was downloaded to your device. Use the same Certificate Tag as when you Downloaded the CSR above.
Configuring AGNI RadSec Server.
Go to Configure → Network Profiles → RADIUS and create a new RADIUS Server.

Select Add RADIUS Server. Specify the following in the table below.

Field	Value
Server Name	`AGNI-01`
Server Address	`radsec.beta.agni.arista.io`
Radsec	`ON`
Radsec Port	`2083`
Add CA Certificate	`Downloaded from AGNI`
Certificate Tag	`Select your tag created in Step 1`

CV-CUE

Select Save to commit the changes.

AGNI
1. Click on Access Devices and then Devices look at the RadSec Status.
2. 🟢 Green dot means connected and an active SSID is using AGNI.

Navigate to Guest > Portals under the section Identity.
Click + Add Guest Portal and configure the following

Network Settings

Field Student 1 Student 2

Portal Name ATD-##-GUEST ATD-##-GUEST

Authentication Types Clickthrough Clickthrough

Re-Authuthenticate Guest Always Always

CAPTCHA Disabled Disabled
Click the Customization tab to customize the portal settings, and notice the elements. When done, click Add Guest Portal. The portal gets listed in the portal listing.
- Page
- Login Toggle
- Terms of Use and Privacy Policy
- Logo
- Guest Login Submit Button
- Etc
Click Back
Navigate to the Networks under the section Access Control. Click on + Add Network

Add a new network with following settings

Network Settings

Field	Student 1	Student 2
Name	`ATD-##-GUEST`	`ATD-##-GUEST`
Connection Type	Wireless	Wireless
SSID	`ATD-##-GUEST`	`ATD-##-GUEST`
Authentication Type	Captive Portal	Captive Portal
Captive Portal Type	Internal	Internal
Select Internal Portal	`ATD-##-GUEST`	`ATD-##-GUEST`
Internal Role for Portal Authentication	`Portal ## Role`	`Portal ## Role`

Click Add Network.
Copy the portal URL at the bottom of the page.

AGNI URL

Make sure to copy the AGNI Guest Portal URL, we are going to use this in CV-CUE for Guest Portal Redirection.

If you're not already logged into CV-CUE, navigate to the Arista Launchpad for your lab.

Open Launchpad

Login Step 1Login Step 2

Provide your assigned lab/pod email address and password and click Sign In

You will see the various tools tied to your tenant, this includes CVP, AGNI (NAC), and CV-CUE for wireless. Click into CV-CUE (CloudVision WiFi) tile to begin this lab.

Role Profile (CV-CUE)¶

Let's configure two role profiles and the SSID settings. This will ensure our guest SSID we will create is enabled with redirection to AGNI captive portal. These roles are

Portal (A/B) Role: This role will be assigned initially to ensure captive portal redirection
Guest (A/B) Role: This role will be assigned by AGNI to drop our client into a "Guest Role" where we can further define policy

Portal Role Profile¶

Log in to CV-CUE and navigate to Configure > Network Profiles > Role Profile.

Add a Role Profile using the setting below

Network Settings

Field	Student 1	Student 2
Role Name	`Portal ## Role`	`Portal ## Role`
Profile Name	`Portal ## Role`	`Portal ## Role`
Redirection	Enabled	Enabled
Redirection Type	Static Redirection	Static Redirection
Redirect URL	`<Copied from AGNI>`	`<Copied from AGNI>`
HTTPS Redirection	Enabled	Enabled
Common Name	www.arista.com	www.arista.com
Organization	Arista Networks	Arista Networks
Organization Unit	Arista Networks	Arista Networks

Click Save at the bottom of the page.

Guest Role Profile¶

Next, we’ll configure a Guest Role in CV-CUE to assign to Guest Users post authentication.

In CV-CUE, navigate back to Configure > Network Profiles > Role Profile.
Click Add Role Profile.
Add the Role Name as follows, this role is simple, but see the additional information below to explore some of the options you have with roles.

Network Profiles

Field Student 1 Student 2

Role Name Guest ## Role Guest ## Role
Click Save at the bottom of the page
You should now have two roles, we will refer back to these roles in both the AGNI and CUE SSID configuration.

Additional Information¶

VLAN

In this lab the VLAN is set to 0. In production networks you would define the Guest VLAN ID or Name that you want to assign to the Guest Users.
Firewall

Layer 3-4 and Application Firewall Rules can be assigned to the Guest User Role.
User Bandwidth Control

Upload and Download Bandwidth Limits can be assigned to the Guest User Role.

Portal Segment (AGNI)¶

Next, we’ll configure a Segment in AGNI to assign the Guest Role Profile post authentication.

Go back to AGNI and navigate to the Access Control > Segments.

Add a new Segment by clicking on + Add Segment

Conditions for segments must MATCH ALL conditions line by line.

Network Settings

Field	Student 1	Student 2
Name	`ATD-##-GUEST`	`ATD-##-GUEST`
Condition	`Network:Name is ATD-##-GUEST`	`Network:Name is ATD-##-GUEST`
Action	`Arista-WiFi:Assign Role Profile`	`Arista-WiFi:Assign Role Profile`
Action Role Profile	`Guest ## Role`	`Guest ## Role`

Click Add Segment at the bottom of the page.
Let's now add the Guest SSID

Guest Portal SSID (CV-CUE)¶

Lastly, we’ll configure and enable the Guest Captive Portal SSID and assign the pre and post authentication roles.

Let's navigate back to CV-CUE
Select Correct location ACorp

CV-CUE Locations

Reminder, make sure you have selected your appropriate corporation before creating the SSID!
Navigate to Configure > WiFi and click on Add SSID
Configure the SSID Basic settings using the settings below

SSID Basic Settings

Setting Student 1 Student 2

SSID Name ATD-##-GUEST ATD-##-GUEST

SSID Type Private Private

Click the 3 dots and select Access Control tab and configure using the settings below

SSID Access Control Settings

Setting	Value	Notes
Client Authentication
Authentication Type	Radius MAC Authentication
RadSec
Authentication Server	`AGNI-01`	AGNI Radsec Server was configured already
Accounting Server	`AGNI-01`
Role Based Control
Rule Type	802.1X Default VSA
Operand	Match
Assign Role	Select All	Created in previous section
Send DHCP Options and HTTP User Agent

Once all settings have been set, Click the Save & Turn SSID On button at the bottom of the page.
You will be prompted to customize before enabling, select the 5 GHz option on the next screen (un-check the 2.4 GHz box if it’s checked), then click Turn SSID On.
Join the new WiFi and verify connectivity in CUE and AGNI

Join the guest WiFi!

Give it a moment for the new SSID to come up, but once it's up try and join the WiFi! You should be prompted with a captive portal, click on the a

CV-CUEAGNI

Navigate to Monitor > Clients in CV-CUE

Navigate to Sessions in AGNI

Tunneling Guest Traffic¶

To highlight Arista's Controller-less Architecture we will use the labs spine MLAG switches to terminate the AP tunnel with VXLAN configured and tunnel guest traffic.

Create Tunnel Profile (CV-CUE)¶

Under the Configure section, click on Network Profiles > Tunnels
Select the correct location in your hierarchy
Select Add Tunnel Interface

Network Profiles

Setting Value

Tunnel Interface Name tunnel-##

Tunnel Type VXLAN

Remote Endpoint 1.1.1.1

Local Endpoint VLAN 0

VXLAN VNI Offset 10200
Click Save

Assign SSID to Tunnel Profile¶

Under the Configure section, click on WiFi
Select the correct location in your hierarchy
Select the pencil to edit Guest SSID
Select Network
Change Network Mode to L2 Tunnel
Select the tunnel-##
Click Save

Monitor Tunnels¶

Under the Monitor section, click on WiFi
Verify your location in the hierarchy
Click on Tunnels or the tunnel icon on the top row

Notice the client IP Address is now using network 10.1.200.##
Verify if the Tunnels are green

Review VXLAN on spine1 or spine2 in CVaas¶

Screenshot shows VLAN200 mapped to VNI10200 and VXLAN clients with VLAN200 IPs

🎉 CONGRATS! You have completed this lab! 🎉

LET'S GO TO THE NEXT LAB!

B-04 | Arista Smart System Upgrade (SSU)¶

Overview¶

Arista's Smart System Upgrade (SSU) is a feature to minimize traffic loss when upgrading from one SSU-supported EOS version to a newer SSU-supported EOS version. SSU is also referred to as ‘hitless’ upgrades. The SSU feature allows a switch to maintain packet forwarding (Data Plane) while the Management and Control plane perform the OS upgrade.

Arista Smart System Upgrade

Additional information about this feature can be found in the Arista TOI for Smart System Upgrade

In our workshop lab topology you will see that each leaf in your pod is directly connected to the access point and RaspberryPi client. Traditionally, a firmware upgrade on the lead in the pod would cause the access point, wireless clients connected to the access point, and the raspberry pi client to lose network connectivity. In this lab, we will use Arista SSU on the leaf switch in your pod to perform a firmware upgrade minimizing any network disruptions for both wired and wireless clients.

Prerequisites¶

Continuous POE should be configured to maintain POE power delivery to connected devices.
Must be running an EOS version that includes the SSU feature.
Must be upgrading to a new EOS version that also includes the SSU feature.
Spanning-tree must be running in MST mode or disabled.
Spanning-tree edge ports must have portfast and BPDUGuard enabled.
Switches running BGP must be configured with graceful-restart otherwise routes are lost and the hardware may fail to forward traffic.

Caveats¶

As you can imagine, disconnecting the Control and Management plane off the data plane will come with some caveats depending on what features you are running! While that's the case, most instances where SSU is valuable is where we have no resiliency or ability to "route around" the switch in maintenance.

SSU only supports upgrades. Hitless image downgrades are not supported.
If a new EOS version includes an FPGA upgrade, the FPGA upgrade will be suppressed. FPGA upgrades require a full reboot of a switch to apply.
Some switch features, when in use, will prevent SSU from starting. See the Arista TOI for more details

First, download the desired EOS image to the switch flash storage using CloudVision Change Control.

For detailed instructions on using the Action Download File feature in Change Control, see the Change Control Action Download File Guide.

Perform Arista SSU¶

Let's begin the hands-on portion of this lab. SSU can be triggered on the command line or via CloudVision. For this lab we will be triggering an SSU upgrade using the command line, preferably using the serial port of the switch. As in

Console via SSH

Using the console we will get a more in depth look at the logs as the switch upgrades. However, SSH is fine if you do not have a console cable. There is example output below you can refer to.

Connect to the pod<##>-leaf1 switch serial port (where ## is a 2 digit character between 01-20 that was assigned to your lab/Pod). The login username/password is arista/arista. Type enable to enter privileged mode.
Example Output
```
pod00-leaf1 login: arista
Last login: Tue Jul 30 22:16:56 on ttyS0
pod00-leaf1>enable
pod00-leaf1#
```

Type show version to show the current running version of the switch.

EOS Version

Smart System Upgrade (SSU) is supported on EOS versions 4.31.5M and later on CCS-710P-12/16P switches. In this example, the switch is currently running EOS-4.34.0F. This is a supported EOS version for Arista SSU.

show version

Example Output

        Arista CCS-710P-16P
        Hardware version: 11.02
        Serial number: WTW22220037
        Hardware MAC address: 2cdd.e9fd.af50
        System MAC address: 2cdd.e9fd.af50

        Software image version: 4.34.0F
        Architecture: i686
        Internal build version: 4.34.0F-41661064.4340F
        Internal build ID: 8346ed5e-061a-4a70-9c36-b6eee6fc0848
        Image format version: 3.0
        Image optimization: Strata-4GB

        Uptime: 2 hours and 5 minutes
        Total memory: 3952472 kB
        Free memory: 2193016 kB

Type dir to show the list of files in the flash: filesystem. You should note that there are some EOS image versions already on the flash storage of the leaf1a switch. Choose the latest EOS image version which is our target update version for this lab.

dir

Example Output

    Directory of flash:/

    -rw-    25449761           Jul 21  2024  AristaCloudGateway-1.0.0-1.swix
    -rw-    32184348           Apr 14 21:54  AristaCloudGateway-1.0.2-1.swix
    -rw-    32566624            Jun 6 13:20  AristaCloudGateway-1.0.3-1.swix
    -rw-       18480            Jul 2 05:51  AsuFastPktTransmit.log
    -rw-   783781597            Dec 6  2021  EOS-4.29.1FX-710P-DHCP.swi
    -rwx   834335804            Jul 1 03:33  EOS-4.31.6M.swi
    -rwx   894262536            May 5 14:16  EOS-4.34.0F.swi
    -rw-  1531686247            Jul 2 03:42  EOS-4.34.1F.swi
    drwx        4096           Jun 15 00:24  Fossil
    -rw-       11360            Jul 2 05:51  SsuRestore.log
    -rw-       11360            Jul 2 05:51  SsuRestoreLegacy.log
    drwx        4096            Dec 6  2021  aboot
    -rw-          27            Jul 2 05:47  boot-config
    -rw-          32            Jul 2 05:47  boot-extensions
    drwx        4096            Jul 2 08:01  debug
    drwx        4096            Feb 4  2023  fastpkttx.backup
    drwx       16384            Dec 6  2021  lost+found
    drwx        4096            Jul 2 08:00  persist
    drwx        4096            Feb 4  2023  schedule
    -rw-        5224            Jul 2 05:47  startup-config
    drwx        4096           Jul 21  2024  tpm-data
    -rw-           0           Jun 29 20:50  zerotouch-config
    drwx        4096           Jun 23 20:34  ztp-debug

    7527178240 bytes total (2043318272 bytes free) on flash:

Type show reload fast-boot. This command will show you an output of warnings or incompatibilities with the current configuration of the switch. As mentioned in the prerequisites section above, if any configuration is set in a way that prevents SSU from starting, the reasons will be listed here.

show reload fast-boot ```

Example Output when SSU will proceed with caution. In this case, MLAG is compatible

    pod00-leaf1a#show reload fast-boot
    Warnings in the current configuration detected:
    If you are performing an upgrade, and the Release Notes for the new version of EOS indicate that MLAG is not backwards-compatible with the currently installed version (4.34.1F), the upgrade will result in packet loss.
    Mlag is configured

Example Output when SSU will proceed without caution

    pod00-leaf1a#show reload fast-boot
    No warnings or unsupported configuration found.

Now that we have confirmed our configuration is ready to allow SSU, let's prepare the switch for the upgrade process by setting the new boot image in the configuration of the switch. Issue the following commands:

⏲ Setting the boot flash will take a few seconds!

configure boot system flash:EOS-4.34.1F.swi exit write
Example Output
```
    pod00-leaf1#configure
    pod00-leaf1(config)#boot system flash:EOS-4.34.1F.swi
    pod00-leaf1(config)#exit
    pod00-leaf1#write
    Copy completed successfully.
```
Before we apply the new firmware, let's start a ping test which will run during the switch upgrade process. We will see that the ping traffic will continue to flow through the switch even while its software is being upgraded.
1. Please make sure that your laptop is connected to the wireless network called ATD-##-PSK. Use the PSK you configured in the previous lab to associate with this wireless network.
2. Open a terminal and ping your gateway using the commands below. If you want to increase the interval to get more granular results, feel free!
  MAC OS
  
  Open Terminal and run the following, please replace ## with your pod number (1-12)
```
ping 10.1.##.1
```
  Windows
  
  Open Command Prompt and run the following, please replace ## with your pod number (1-12)
```
ping -t 10.1.##.1
```
3. Now leave this window open for the following steps. We will see ping packets being sent and received every second. You are now pinging the gateway IP address for your pod from your wireless device connected to your pods access point. The ping traffic must traverse the leaf1switch to reach the gateway. We should be able to observe how traffic is affected while the switch is upgrading during SSU.
Now, in a standard firmware upgrade process, you would issue a normal reload command. However, in this lab, we want to trigger a SSU upgrade. This is where we use the command below, go ahead and issue that command now. 🚀
REMINDER

During this test, do not plug in or unplug devices from the switch. Recall, the control plane will effectively be down, so changes or updates to the switch at a hardware level (like populating MAC add/removals) are unavailable.
```
    reload fast-boot now
```
As the SSU process proceeds, you can watch the output on the serial console showing the switch preparing itself for reboot. The switch will reboot shortly, and you should see the normal output of a switch reboot.

ASU vs SSU

During the SSU reboot process, you may see messages referring to Arista Smart Upgrade, or ASU. ASU is a previous version of SSU, and some references to ASU still exist in code for the SSU process.
When you see the following message in your serial console of the switch, the switch is now rebooting. # yaml reloading /mnt/flash/EOS-4.34.1F.swi ```
SSH to the switch is not possible since the management plane of the switch is rebooting. However, the dataplane is still functional. Open the ping terminal window we started in step 6 and note that ping packets are still being sent and received even though the switch is in the middle of its reboot process.

Below is the output of the full process, with highlights on terminal messages indicating the progress of the upgrade.

Example Output

    pod00-leaf1#reload fast-boot now
    Running AsuPatchDb:doPatch( version=4.34.0F-38783123.4315M, model=Strata ) #(1)!
    Optimizing image for current system - this may take a minute...
    No warnings or unsupported configuration found.
    2024-07-31 17:51:14.459848 Kernel Files /mnt/flash/EOS-4.34.1F.swi extracted from SWI #(2)!
    2024-07-31 17:51:16.439052 ProcOutput passed to Kernel ['crashkernel=512-4G:45M,4G-8G:59M,8G-32G:89M,32G-:121M', 'nmi_watchdog=panic', 'tsc=reliable', 'pcie_ports=native', 'reboot=p', 'usb-storage.delay_use=0', 'pti=off', 'crash_kexec_post_notifiers', 'watchdog.stop_on_reboot=0', 'mds=off', 'nohz=off', 'printk.console_no_auto_verbose=1', 'CONSOLESPEED=9600', 'console=ttyS0', 'gpt', 'Aboot=Aboot-norcal6-6.2.1-2-25288791', 'net_ma1=pci0000:00/0000:00:12.0/usb1/.*$', 'platform=raspberryisland', 'scd.lpc_irq=3', 'scd.lpc_res_addr=0xf00000', 'scd.lpc_res_size=0x100000', 'block_flash=pci0000:00/0000:00:14.7/mmc_host/.*$', 'block_usb1=pci0000:00/0000:00:12.0/usb1/1-1/1-1.1/.*$', 'block_usb2=pci0000:00/0000:00:12.0/usb1/1-1/1-1.4/.*$', 'block_drive=pci0000:00/0000:00:11.0/.*host./target.:0:0/.*$', 'sid=RaspberryIsland16', 'log_buf_len=2M', 'systemd.show_status=0', 'sdhci.append_quirks2=0x40', 'amd_iommu=off', 'nvme_core.default_ps_max_latency_us=0', 'SWI=/mnt/flash/EOS-4.34.1F.swi', 'arista.asu_hitless']
    Proceeding with reload
    No qualified FPGAs to upgrade #(3)!
    waiting for platform processing ..........................................................ok
    Shutting down packet drivers
    2024-07-31 17:52:54.117479 bringing fab down
    2024-07-31 17:52:54.437128 bringing fifo down
    reloading /mnt/flash/EOS-4.34.1F.swi #(4)!
    Shutting down management interface(s)
    1 block
    umount: /mnt/flash: target is busy.
    [71576.090602][T15227] kexec_core: Starting new kernel
    [    2.363505][  T296] Running e2fsck on: /mnt/flash
    [    2.803117][  T303] e2fsck on /mnt/flash took 1s
    [    3.116739][  T370] Running e2fsck on: /mnt/crash
    [    3.181814][  T375] e2fsck on /mnt/crash took 0s
    Mounting SWIM Filesystem
    Optimization Strata-4GB root squash found
    Optimization Strata-4GB all squashes found
    Mounting optimization Strata-4GB #(5)!
    Switching rootfs
    Welcome to Arista Networks EOS 4.34.1F
    Architecture: i386
    [   43.938521] sh[2099]: Starting EOS initialization stage 1
    Starting NorCal initialization: [  OK  ]
    [   48.023047] sh[2181]: Starting EOS initialization stage 2
    Completing EOS initialization (press ESC to skip): [  OK  ]
    Model: CCS-710P-16P
    Serial Number: WTW22200366
    System RAM: 3952504 kB
    Flash Memory size:  7.1G

    pod00-leaf1 login:



    Wait for the SSU process to complete. This can take up to 10 minute.  When you see the following console message, the switch management plane has finished its reboot.


    pod00-leaf1 login:

Remember the mention, there may still be some mention of ASU in the code. This is the SSU process kicking off.
Extracting the boot image we configured
No FPGAs to upgrade, recall if there were, this would require a full reload!
Reloading the management and control plane to the new software image
Mounting the software on to the hardware, Strata in this case is the family of ASICs

You can now login with the username/password and type enable to get back to privileged commands mode. Check the new current running version of the switch with the command show version. You should see the switch has upgraded to EOS-4.34.1F

Example Output

Arista CCS-710P-16P
Hardware version: 11.04
Serial number: WTW23350461
Hardware MAC address: 2cdd.e9f6.e9f2
System MAC address: 2cdd.e9f6.e9f2

Software image version: 4.34.1F
Architecture: i686
Internal build version: 4.34.1F-37710335.4314M
Internal build ID: d26721db-c526-41ec-bf9d-0a14b4edfcf5
Image format version: 3.0
Image optimization: Strata-4GB

Uptime: 5 minutes
Total memory: 3952504 kB
Free memory: 2880904 kB

After the management plane boots up, there are still some processes running before SSU can be considered successful. Run the following command to watch for the log message indicating SSU is fully successful. You should see the message reload hitless reconciliation complete about 2 minutes after the switch completes its reload.

show log follow | inc hitless
Example Output
```
campus-pod11-leaf1a#show log follow | inc hitless
Aug  8 19:51:59 campus-pod11-leaf1a StageMgr: %LAUNCHER-6-BOOT_STATUS: 'reload hitless' reconciliation complete.
```

As our final step, take another look at the terminal window that was running the consistent pings. You should see pings continue to flow without issue during the upgrade. Only towards the end of the process you may see 1 or 2 pings lost as the ASIC reconnects to the updated management plane.

800 ms Cutover 🏎️

The below example output was sending pings every 100ms, as you see below the cutover time to the new EOS image disrupted the dataplane for all of 700-800ms!! This is fast enough you may not even notice the disruption on an active zoom call!

Example Output

me@MacBook-Pro ~ % ping -i 0.1 10.0.111.1
64 bytes from 9.9.9.9: icmp_seq=0 ttl=51 time=10.974 ms
64 bytes from 9.9.9.9: icmp_seq=1 ttl=51 time=10.147 ms
64 bytes from 9.9.9.9: icmp_seq=2 ttl=51 time=10.583 ms
64 bytes from 9.9.9.9: icmp_seq=3 ttl=51 time=10.657 ms
... truncated for brevity
64 bytes from 9.9.9.9: icmp_seq=4885 ttl=51 time=10.586 ms
64 bytes from 9.9.9.9: icmp_seq=4886 ttl=51 time=10.954 ms
64 bytes from 9.9.9.9: icmp_seq=4887 ttl=51 time=10.632 ms
Request timeout for icmp_seq 4888
Request timeout for icmp_seq 4889
Request timeout for icmp_seq 4890
Request timeout for icmp_seq 4891
Request timeout for icmp_seq 4892
Request timeout for icmp_seq 4893
Request timeout for icmp_seq 4894
Request timeout for icmp_seq 4895
64 bytes from 9.9.9.9: icmp_seq=4896 ttl=51 time=11.481 ms
64 bytes from 9.9.9.9: icmp_seq=4897 ttl=51 time=11.637 ms
64 bytes from 9.9.9.9: icmp_seq=4898 ttl=51 time=11.237 ms
64 bytes from 9.9.9.9: icmp_seq=4899 ttl=51 time=10.859 ms
64 bytes from 9.9.9.9: icmp_seq=4900 ttl=51 time=10.595 ms
64 bytes from 9.9.9.9: icmp_seq=4901 ttl=51 time=10.516 ms

We see from this example output above, only 8 pings were lost (100 ms each) at the end of the process near the 10 minute mark after starting the ping test. If you we're pinging at 1 per second, you should see 1 maybe 2 pings drop.

As a last item to leave you with, you can validate your reload reason to confirm why the switch last reloaded using the command below.

show reload cause

Example Output

Reload Cause 1:
-------------------
Hitless reload requested by the user.

Reload Time:
------------
Reload occurred at Thu Jan 23 11:08:51 2025 CST.

Recommended Action:
-------------------
No action necessary.

Debugging Information:
-------------------------------
None available.

🤖 AI Lab Assistant¶

Want to automate all the commands above? Use our embedded AI agent to execute the entire lab automatically!

🚀 B04 Lab Automation Agent

Let the AI handle the SSU upgrade while you focus on learning the concepts!

Select Student: Execution Mode:

Ready to start...

🖥️ SSU Lab Execution Output

Security Lab Guides

C-01 | AGNI and WiFi EAP-TLS 802.1X¶

Overview¶

In this lab we will be working within the WiFi configuration section of CV-CUE. Create an SSID (WPA2 802.1X) with your ATD-##-EAP as the name (where ## is a 2 digit character between 01-12 that was assigned to your lab/Pod).

If you're not already logged into CV-CUE, navigate to the Arista Launchpad for your lab.

Open Launchpad

Login Step 1Login Step 2

Provide your assigned lab/pod email address and password and click Sign In

You will see the various tools tied to your tenant, this includes CVP, AGNI (NAC), and CV-CUE for wireless. Click into CV-CUE (CloudVision WiFi) tile to begin this lab.

Create an EAP-TLS SSID¶

The Configure section of CV-CUE is composed of multiple parts, including WiFi, Alerts, WIPS, etc. In this lab we are focused on the WiFi section.

Other configuration sections

Alerts: Where syslog and other alert related settings are configured
WIPS: Where the policies are configured for the WIPS sensor.

Let's go through the steps to create a new SSID

Step 1Step 2Step 3Step 4

Hover your cursor over the Configure menu option on the left side of the screen, then click WiFi

At the top of the screen, you will see where you are in the location hierarchy. Click on your respective Corp (ACorp or BCorp),

Expand Hierarchy

If you do not see the hierarchy, click on the three lines next to Locations to expand choose/highlight the appropriate Corp folder.

Let's disable the previous SSIDs from the prior labs bey toggling the On/Off button

Now click the Add SSID button on the right hand side of the screen.
Once on the “SSID” page, configuration sub-category menu options will appear across the top of the page related to WiFi (the defaults are Basic, Security, and Network). You can click on these sub-category names to change configuration items related to that area of the configuration.
To make additional categories visible, click on the 3 dots next to Network and you can see the other categories that are available to configure (Analytics, Captive Portal, etc.).
In the Basic sub-category option, name the SSID using the settings below. The Profile Name is used to describe the SSID and should have been auto-filled for you.

Settings

Student Name

Student 1 ATD-##-EAP

Student 2 ATD-##-EAP

where ## is a 2 digit character between 01-20 that was assigned to your lab/Pod
Since this is our corporate SSID, leave the Select SSID Type set to Private
Select Next at the bottom.
In the Security sub-category, set the following select WPA2 and change the association type to “802.1X”.

Settings

Field Value

Security Method WPA2 / 802.1X

Radius Settings Select RadSec

Authentication Server AGNI-##

Accounting Server AGNI-##
Select Next at the bottom of the screen.
In the Network configuration sub-category, we’ll leave the VLAN ID set to 0, which means it will use the native VLAN. If the switchport the AP is attached to is trunked, you could change this setting to whichever VLAN you want the traffic mapped to. The rest of the settings can be left at the default values.

Alternative Settings

Instead of Bridged You could use NAT (often done for Guest) or L2 Tunnel / L3 Tunnel, as we completed in the wireless lab.
Click the Save & Turn SSID On button at the bottom of the page.
Only select the 5 GHz option on the next screen (deselect the 2.4 GHz box if it’s checked), then click Turn SSID On.
After you turn on the SSID, hover your cursor over Monitor in the left hand side menu, and then click WiFi.
Now, in the menu options at the top of the page, look at the Radios menu option. Is the 5 GHz radio (Up) and 2.4 GHz radio (down)? It may take a minute or two for the radio to become active.
Check the Active SSIDs menu at the top of the screen. Is your SSID listed?
Now that we have a 802.1X backed SSID, let's go to AGNI to configure the policy.

CloudVision AGNI Access¶

If you're not already logged into AGNI, navigate to the Arista Launchpad for your lab.

Open Launchpad

Login Step 1Login Step 2

Provide your assigned lab/pod email address and password and clieck Sign In

You will see the various tools tied to your tenant, this includes CVP, AGNI (NAC), and CV-CUE for wireless. Click into AGNI (Beta) tile to begin this lab.

Create AGNI Networks & Segments for the EAP-TLS Wireless Policy¶

Click on Networks and select + Add Network

Configure the network with the following settings

Network Settings

Field	Student 1	Student 2
Name	`ATD-##-SSID-EAP-TLS`	`ATD-##-SSID-EAP-TLS`
Connection Type	Wireless	Wireless
SSID	`ATD-##-EAP`	`ATD-##-EAP`
Authentication Type	Client Certificate (EAP-TLS)	Client Certificate (EAP-TLS)

Click on Add Network at the bottom of the screen.
Next, click on Segments and then + Add Segment
Configure the segment with the following settings

Network Settings

Field Student 1 Student 2

Name ATD-##-SSID-EAP-TLS ATD-##-SSID-EAP-TLS

Description ATD-##-SSID-EAP-TLS ATD-##-SSID-EAP-TLS
Next, let’s add two conditions to match the network we've defined (tied to the SSID) and the authentication type

Conditions

Conditions for segments must MATCH ALL conditions line by line.
1. Select, Network, Name, is, ATD-##X-SSID-EAP-TLS from the drop down lists. Chose your A or B policy accordingly.
2. Select, Network, Authentication Type, is, Client Certificate (EAP-TLS) from the drop down lists.
3. Your Conditions should now look like this.
Under Actions select Add Action and select Allow Access
Finally, select Add Segment at the bottom of the page.
You should now be able to expand and review your segment.
Next, click on Sessions to see if your ATD Raspberry Pi has a connection via the Wireless connection.

Client Connectivity

The Client Certificate has already been applied to the Raspberry Pi and is configured to connect to the SSID ATD-##A-EAP.
Click on the session and explore the information we learn about the client, we're going to come back to this in more detail later.
If you don’t see any new sessions within 2 minutes AGNI, power cycle the Raspberry Pi.

🎉 CONGRATS! You have completed this lab! 🎉

LET'S GO TO THE NEXT LAB!

C-02 | AGNI UPSK Wireless Policy¶

Overview¶

In this lab we're going to explore the power of Unique Pre-Shared Keys (UPSK),

If you're not already logged into CV-CUE, navigate to the Arista Launchpad for your lab.

Open Launchpad

Login Step 1Login Step 2

Provide your assigned lab/pod email address and password and click Sign In

You will see the various tools tied to your tenant, this includes CVP, AGNI (NAC), and CV-CUE for wireless. Click into CV-CUE (CloudVision WiFi) tile to begin this lab.

Create Identity UPSK SSID¶

Let's create our new UPSK SSID by copying/modifying the PSK SSID we created in the CV-CUE lab.

While on your CorpA folder, Click on Configure and then WiFi
Next, click on the and select Create a Copy on your specific SSID

Your SSID

Student Name

Student 1 ATD-##-PSK

Student 2 ATD-##-PSK

where ## is a 2 digit character between 01-12 that was assigned to your lab/Pod
Select Currently Selected Folders and then Continue.
Click on the new SSID and select Edit
On the Basic Tab rename the SSID to the following

Settings

Student Student 1 Student 2

Name ATD-##-UPSK ATD-##-UPSK

Profile Name ATD-##-UPSK ATD-##-UPSK
Next, click on the Security tab and configure the following

UPSK Information

For more information on UPSK visit the article on Unique PSK

Settings

Field Value

Security Method WPA2 / UPSK

UPSK Identity Lookup Enabled

Next, click on the Access Control tab and configure the following

Settings

Field	Value
Radius Settings	Select `RadSec`
Authentication Server	`AGNI-##`
Accounting Server	`AGNI-##`
Username and Password	MAC Address without Delimiter
Call Station ID	`%m-%s`
Change of Authorization	Enabled

Finally, Save and turn on the SSID and Save SSID
Only select the 5 GHz option on the next screen (deselect the 2.4 GHz box if it’s checked), then click Turn SSID On.

If you're not already logged into AGNI, navigate to the Arista Launchpad for your lab.

Open Launchpad

Login Step 1Login Step 2

Provide your assigned lab/pod email address and password and clieck Sign In

You will see the various tools tied to your tenant, this includes CVP, AGNI (NAC), and CV-CUE for wireless. Click into AGNI (Beta) tile to begin this lab.

Create UPSK Network and Segment¶

In this section we are going to configure AGNI for our new SSID network and apply segmentation policy to enforce UPSK.

Click on Networks and then + Add Network.
Add the following:

Settings

Field Student 1 Student 2

Name ATD-##-UPSK ATD-##-UPSK

Connection Type Wireless Wireless

SSID ATD-##-UPSK ATD-##-UPSK

Authentication Type Unique PSK (UPSK) Unique PSK (UPSK)
Finally, click Add Network
You should now see this listed in your Networks.
Next, we will add the Segment.
Under Access Control, click on Segments and then + Add Segment

Configure the following:

Segment Conditions

If there are multiple conditions, they must MATCH ALL.

Settings

Field	Student 1	Student 2
Name	`ATD-##-UPSK`	`ATD-##-UPSK`
Description	`ATD-##-UPSK`	`ATD-##-UPSK`
Condition #1	`Network:Name is ATD-##-UPSK`	`Network:Name is ATD-##-UPSK`
Condition #2	`Network:Authentication Type is UPSK`	`Network:Authentication Type is UPSK`
Action #1	`Allow Access`	`Allow Access`

Finally, click on Add Segment.
You should now see your new segment in the list of segments.

Enroll Personal Device with Local User¶

In this section you will create a local user and enroll the MAC of your device.

In AGNI, under Identity, click on User and then + Add User.

Fill out the fields for a new user

Settings

Field	Student 1	Student 2
Name	whatever_you_want	whatever_you_want
UserId	whatever_you_want	whatever_you_want
Password	`Arista!123`	`Arista!123`
User must change password at next login	Disabled	Disabled

Click Add User
You will notice that Password has now changed to UPSK Passphrase
Copy and write down or save to text file the new UPSK Passphrase.
Next, connect your client to ATD-##A/B-UPSK using your UPSK Passphrase.
Click on Sessions and validate your device connection.
Next, validate your device by clicking on User and then Users. Select your user.
Click on Show Clients

Create an AGNI Client Group¶

In this section, you will simulate your device as an IoT device.

Disable and forget previously saved lab networks so your wireless connection on your test device does not auto connect.
In AGNI under your User Clients list, Delete your Device.
Next, you will add your client device as an IoT device in a Client Group.
First, we will need to create the Client Group.
In AGNI, under Identity, click on Clients > Client Groups and then + Add Client Group.

Configure the following

Settings

Field	Student 1	Student 2
Name	`CorpA Approved Devices`	`CorpA Approved Devices`
Description	`CorpA Approved Devices`	`CorpA Approved Devices`
User Association	Not user associated	Not user associated
Group UPSK	Enabled	Enabled

Copy the UPSK Passphrase and click on Add Group
Next, connect your client to ATD-##-UPSK using the Client Group UPSK Passphrase.
Click on Sessions and validate your device connection.
Next Click on your Client.
Notice your Client Group. Here you have the option to change the Client Group your device belongs to.

🎉 CONGRATS! You have completed this lab! 🎉

LET'S GO TO THE NEXT LAB!

C-03 | AGNI and Wired EAP-TLS 802.1X¶

Overview¶

In this lab we enhance the port security to our Raspberry Pi! We will do the following:

Update our port profile
Configure our switch to communicate over RadSec to AGNI
Configure the AGNI EAP-TLS wired policy
Verify it all works!

Topology¶

Lab Topology

Important: Your switches need to be onboarded in AGNI with RadSec before proceeding. Follow the steps here

Configuring RadSec on EOS¶

Arista Switches can form a RadSec tunnel using SSL encryption with AGNI. RadSec is a protocol that supports RADIUS over TCP and TLS. For mutual authentication it is required to install a client certificate with corresponding private key as well as your AGNI CA certificate. The steps below assumes the use of AGNI's internal PKI.

Follow the steps to create, upload and establish the RadSec tunnel.

Generate private key and CSR
Generate client certificate for the Switch in AGNI.
Upload the Certificate to the Switch.
Configure an SSL profile and and RadSec profile

If you're not already logged into AGNI, navigate to the Arista Launchpad for your lab.

Open Launchpad

Login Step 1Login Step 2

Provide your assigned lab/pod email address and password and clieck Sign In

You will see the various tools tied to your tenant, this includes CVP, AGNI (NAC), and CV-CUE for wireless. Click into AGNI (Beta) tile to begin this lab.

Configuration Steps¶

Generate the key pair

security pki key generate rsa 2048 switch.key

Generate the certificate signing request using the key just created.

Common Name must correspond to the Switch MAC address and the DNS needs to match the hostname of the switch

security pki certificate generate signing-request key switch.key

Certificate Signing Request

Common Name for use in subject: 2c:dd:e9:fe:cd:68 
Two-Letter Country Code for use in subject: US 
State for use in subject: FL 
Locality Name for use in subject: NFM 
Organization Name for use in subject: Arista 
Organization Unit Name for use in subject: acws 
Email address for use in subject:
IP addresses (space separated) for use in subject-alternative-name:
DNS names (space separated) for use in subject-alternative-name: pod00-leaf1a 
Email addresses (space separated) for use in subject-alternative-name:
URIs (space separated) for use in subject-alternative-name:
-----BEGIN CERTIFICATE REQUEST-----
MIIC0DCCAbgCAQAwYTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkZMMQwwCgYDVQQH
DANORk0xDTALBgNVBAoMBGFjd3MxDDAKBgNVBAsMA2NzZTEaMBgGA1UEAwwRMmM6
ZGQ6ZTk6ZmY6MzI6YjIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1
UDFDsidF4qhGzIEgNUlcNPtfvAGic/hQelaD9MgvOUbbVUhEg0hcbA/LLcyZQ+f/
B0f/UK7eyuNhtS3lTYf7A1TqCQ7md8d4opcKbiP7vFg6+dpvAXT8giBlstv790LY
wEpuCKX4igkLx+jMlNNOP7tKnuX2tuK/EYi20O2a0e4LR77ebBZpztiia9prCyvk
neNhtAPMeb/O/kUBnmPwpPDy4jtpPhp8I+xX9zo4nRNjVlFcRRNao/N72kIpnmX8
nnAXIcG/I1bLsgspWIwwiV3MUL3pOKUNqXaKf824/ZJgPAtUA2zgp9JayMbbddOE
A3dKTwBkGOXihZkVDTnrAgMBAAGgKjAoBgkqhkiG9w0BCQ4xGzAZMBcGA1UdEQQQ
MA6CDHBvZDAwLWxlYWYxYTANBgkqhkiG9w0BAQsFAAOCAQEAp8pxdX1qJ8uPFrQW
ZmMmOZ+RM3lEDOJkhNA2aRVonWeejp0bz5qToT8E41RPyLIdQ56Pa+zeGx5occg8
3nK3aFAu1ARPR1EJ8E04656c9v6zpF9np3juwLJm0uiM16XgUMvEmQd1anRELndn
r53jlXKAcsKdFMSaW0MqXY6DN8a1PmI3KL0zzOKpwtcRSjvAXFTN8viSPOL/vrRL
XTqVaa+P1d7PgRBoSi5DFY6U9nwHD42yP0kCbq98wxDrLyTfMV20ymY083XHdKPz
Y4dI+YfHeK48QLBSLUKB9CrOC0XyhIMtCxBGkJ+umZy3wktZHCCkvDej7NoiNZal
4uEbIg==
-----END CERTIFICATE REQUEST-----

Copy the certificate including the text “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----”
Select your Access Device from the list and select Get Client Certificate.
Select Use CSR (Single Device) and Paste CSR.

Note 1: CSR can also be uploaded from file by selecting action Upload CSR File

Note 2: For signing multiple CSRs select Upload Zip with multiple CSRs
Click Generate Certificate. A certificate pod00-leaf1a.pem will be generated and downloaded. Rename this file to switch.pem
Go to RadSec Setting in the Navigator under Administration section to download the CA certificate.
Download the RadSec CA certificate (radsec_ca_certificate.pem) by clicking Download Certificate.

In AGNI Click on Configuration → System → RadSec Settings on the left hand side.

Copy the FQDN radsec.beta.agni.arista.io and Download the Certificate at the bottom.
Copy certificates to the switch The certificate and root certificate need to be copied to the switch flash using SCP. Prerequisites: Settings on switch to be able to SCP over the certs. Provide a username and password with network-admin role. Ensure the following settings are configured on the switch:
```
aaa authentication login console local
aaa authorization exec default local
```

Copy the certificates to the switch flash using SCP.

scp switch.pem radsec_ca_certificate.pem arista@<switch_ip>:/mnt/flash:

Login to your switch using the arista user credentials and verify the certificates are present in the flash.
```
dir
```

Copy the certificates to the certificate store.

copy flash:switch.pem certificate:switch.pem
copy flash:radsec_ca_certificate.pem certificate:radsec_ca_certificate.pem
dir certificate:

Verify the certificate validity.

show management security ssl profile agni-server

    Profile     State
    ----------- -----
    agni-server valid

Reminder on logging in and creating a workspace

If you're not already logged into CloudVision (CVaaS), navigate to the Arista CVaaS for your lab.

Open CVaaS

Create a Workspace¶

We are going to create a workspace to propose changes to the Network Infrastructure. A workspace acts as a sandbox where you can stage your configuration changes before deploying them.

What is a Workspace?

To make a comparison, a workspace is like a configuration session in EOS or a branch in Git!

Studios Step 1Studios Step 2

Click on the Provisioning on the left side, then choose Studios.

Click Create a Workspace, give it any name you would like and click Create.

Update Port Profile¶

Here we will update our existing raspberry pi port profile to enable 802.1X

Single Workspace

You and your fellow student will work together to create the port profile for your campus fabric in a single workspace.

From the Studios home page, disable the Active Studios toggle to display all available CloudVision Studios (which when enabled will only show used/active Studios).

The toggle may already be in the disabled position
Let's update the Wired-RasPi port profile for our Raspberry Pi and enable 802.1x, click the arrow on the right and enable the following:

Wired-RasPi

Key Value

802.1X Enabled

MAC Based Authentication Yes
Our port profiles have been staged, click Review Workspace
We can see the only studio changed is the Access Interface Configuration, we will see the ports assigned are updated.
Go ahead and Submit the Workspace when you ready
Click View Change Control
Review the Change Control and select Review and Approve
Toggle the Execute Immediately button and select Approve and Execute
The port is now enabled for 802.1X, let's now get your switch talking back to AGNI.

Enable RadSec¶

In this lab you will be configuring RadSec on your lab switches by adding the RadSec configuration to the switches via the Static Configuration Studio.

Click on the Provisioning menu option, then choose Studios.
Let's open the Static Configuration Studio

Select your respective switch
In the Device Container window, click on + Configlet followed by Configlet Library.

Select the configlet named for your switch, should be radsec and click Assign to add the configlet to the switch

Click Review Workspace to review all the changes proposed to the CloudVision Studio
Review the workspace details showing the summary of modified studios, the build status, and the proposed configuration changes for each device. When ready click Submit Workspace
What does this configuration do?!

Click below on the lines to understand what each line does
```
!
management security
    ssl profile agni-server #(1)!
        certificate pod00-leaf1a.crt key agni-private.key #(2)!
        trust certificate radsec_ca_certificate.pem #(3)!
!
radius-server host radsec.beta.agni.arista.io tls ssl-profile agni-server #(4)!
!
aaa group server radius agni-server-group #(5)!
    server radsec.beta.agni.arista.io tls
!
aaa authentication dot1x default group agni-server-group
aaa accounting dot1x default start-stop group agni-server-group
!
```
1. Create an SSL profile
2. This is the switch key and certificate, this certificate was generated on EOS, signed by AGNI, and installed in the store.
3. This is the trusted certificate downloaded from AGNI and installed on the EOS certificate store
4. This enabled RadSec on the device, configured to using our SSL profile
5. Create the AAA radius server group, we use this to enforce client authentication via dot1x later on in this lab
Click View Change Control and review the Change Control, hit Review and Approve when ready.
Select Execute immediately and click Approve and Execute

The change control will execute and apply all the RadSec configuration changes to the device. This will enable RadSec connectivity between the switch and AGNI.

<!-- !!! tip "Automating Certificates"

The switch and AGNI certs were generated, signed, and installed using automation before hand. Specifically ansible and leveraging both the switch eAPI and AGNI API. You can read more on how this role works [EOS AGNI Radsec (GitHub)](https://github.com/carl-baillargeon/eos_agni_radsec/tree/main){target="_blank"}

See the Configuring RadSec in EOS for additional information. →

AGNI Login¶

If you're not already logged into AGNI, navigate to the Arista Launchpad for your lab.

Open Launchpad

Login Step 1Login Step 2

Provide your assigned lab/pod email address and password and clieck Sign In

You will see the various tools tied to your tenant, this includes CVP, AGNI (NAC), and CV-CUE for wireless. Click into AGNI (Beta) tile to begin this lab.

Create Wired EAP-TLS Network and Segment¶

Click on Access Devices > Devices to confirm the RadSec connection is up.
In this section we will create a Network and Segment in CloudVision AGNI to utilize a certificate based TLS authentication method on a wired connection with a Raspberry Pi.
Click on Networks and select + Add Network
Before configuring the network, see Access Device Group, click on the + to create a new device group.

Network Settings

Field Student 1 Student 2

Name WIRED-A WIRED-A

Description WIRED-A WIRED-A

Available Devices (+ Add) pod##-leaf1 pod##-leaf1

Fill in and select the Following fields on the Add Network page.

Network Settings

Field	Student 1	Student 2
Name	ATD-##-WIRED	ATD-##-WIRED
Connection Type	Wired	Wired
Access Device Group	WIRED-A	WIRED-A
Status	Enabled	Enabled
Authentication type	Client Certificate (EAP-TLS)	Client Certificate (EAP-TLS)
Fallback to mac Authentication	Enabled	Enabled
MAC Authentication Type	Allow Registered Clients Only	Allow Registered Clients Only
Onboarding	Enabled	Enabled
Authorized User Groups	Arista	Arista

When done, click on Add Network at the bottom of the screen.
Next, click on Segments and then + Add Segment

Configure the network segment with the following settings:

Segment Settings

Field	Student 1	Student 2
Name	ATD-##-WIRED	ATD-##-WIRED
Description	ATD-##-WIRED	ATD-##-WIRED
Condition #1	`Network:Name is ATD-##A-WIRED`	`Network:Name is ATD-##-WIRED`
Condition #2	`Network:Authentication Type is Client Certificate (EAP-TLS)`	`Network:Authentication Type is Client Certificate (EAP-TLS)`
Action #1	`Allow Access`	`Allow Access`

Finally, select Add Segment at the bottom of the page.
You should now be able to expand and review your segment.
Next, click on Sessions to see if your ATD Raspberry Pi has a connection via the Wired connection.

Client Certificate

The Client Certificate has already been applied to the Raspberry Pi.

Validate and Verify Wired EAP-TLS Device¶

AGNI¶

Once the device is connected you will be able to view the status of the connection and additional session details if you click on the Eye to the right of the device.
AGNI will then display more in depth session information regarding the device and connection.

CloudVision Endpoint Overview¶

Show Endpoint Overview, search for a device on the students pod, sflow will be enabled, should be able to see more info about authentication, traffic flows, and

EOS CLI¶

You can also validate the session on the switch by issuing the following commands in the switch CLI

show dot1x host
show dot1x host mac d83a.dd98.6183 detail

pod00-leaf1a#show dot1x host
Port      Supplicant MAC Auth  State                   Fallback               VLAN
--------- -------------- ----- ----------------------- ---------------------- ----
Et2       d83a.dd98.6183 EAPOL SUCCESS                 NONE

pod00-leaf1a#show dot1x host mac d83a.dd98.6183 detail
Operational:
Supplicant MAC: d83a.dd98.6183
User name: aristaatd01@outlook.com
Interface: Ethernet2
Authentication method: EAPOL
Supplicant state: SUCCESS
Fallback applied: NONE
Calling-Station-Id: D8-3A-DD-98-61-83
Reauthentication behaviour: DO-NOT-RE-AUTH
Reauthentication interval: 0 seconds
VLAN ID:
Accounting-Session-Id: 1x00000004
Captive portal:
AAA Server Returned:
Arista-WebAuth:
Class: Rcnlkerh9ci3s72u197e0|C4151a596-baab-444b-a4fd-ad40946d8b5f
Filter-Id:
Framed-IP-Address: 192.168.101.21 sourceArp
NAS-Filter-Rule:
Service-Type: None
Session-Timeout: 86400 seconds
Termination-Action: RADIUS-REQUEST
Tunnel-Private-GroupId:
Arista-PeriodicIdentity:

🎉 CONGRATS! You have completed the Security labs! 🎉

References

General

Campus Workshop Agenda¶

Time	Activity
Day 1	Wired and Wireless
1:00 - 1:25	Intros
1:30-2:00	Overview of Arista Campus Architecture
2:00-2:30	Labs: Arista CloudVision for Campus - Build the Campus Fabric
Wired Lab	A-03: Access Interface Configuration
2:30 - 3:30	Labs: Arista Wireless with CV-CUE - Build the Wireless Fabric
Wireless Lab	B-01: Wireless Setup
Wireless Lab	B-02: Troubleshooting WiFi
Overview of Arista Zero Trust Networking Security
3:30 - 5:00	Labs: Guest Wireless and Hitless Upgrade
Wireless Lab	B-03: Guest WiFi with AGNI
Wireless Lab	B-04: Smart System Upgrade (SSU)
Optional Labs	CloudVision Telemetry and EOS CLI
Wired Lab	A-04: Operations, Dashboards and Events
Wired Lab	A-01: Explore EOS
5:00 - 6:00	Happy Hour - Location TBD
6:00 - 8:00	Team Dinner
Day 2	Security and Design
8:30 - 8:55	Q&A and Recap of Day 1
9:00 - 9:25	Overview of Arista Network Access Control (NAC) with AGNI
9:30 - 10:25	Labs: AGNI - Enforce Network Access Policies - Wireless
AGNI Lab	C-01: AGNI and WiFi EAP-TLS 802.1X
AGNI Lab	C-02: AGNI and Unique Pre-Shared Keys (UPSK)
10:30 - 10:55	Labs: AGNI - Enforce Network Access Policies - Wired
AGNI Lab	C-03: AGNI and Wired EAP-TLS
11:00 - 11:25	Overview of Intangi Iris
11:30 - 11:55	Labs: Iris - Design, Configure and Price Out Your Network
Iris Lab	D-00: Iris Design, Configuration and Pricing
12:00 - 12:50pm	Lunch and Q&A
1:00 - 2:00	Till next time!

Topology¶

Fabric Switches and Management IP¶

POD	Type	Node	Management IP	Platform	Provisioned in CloudVision
WORKSHOP	spine	spine1	10.1.100.2/24	CCS-720XP-24Z	Provisioned
WORKSHOP	spine	spine2	10.1.100.3/24	CCS-720XP-24Z	Provisioned

Online Lab Guides¶

Accesible from your browser¶

On the web Arista Campus Workshop Lab Guides

Wireless¶

SSID: `Arista-Workshop`¶

Password: `AristaRox!` (case sensitive)¶

If you're not already logged into CloudVision (CVaaS), navigate to the Arista CVaaS for your lab.

Open CVaaS

Atlanta Lab Assignment - November 11-12, 2025¶

Access Points and Switches Serial Numbers¶

Email	AP#1	AP#2	Switch
dane.newman@ahead.com	30862D496F5F	30862D4975EF	-
charles.hall@ahead.com	30862D497A0F	30862D497CAF	-
apsmith@cspire.com	30862D4979DF	30862D497B2F	-
cjones@udtonline.com	30862D496FEF	30862D49794F	-
jfowler@udtonline.com	30862D497A3F	30862D497ACF	-
sgrainger@adapture.com	30862D497D9F	30862D6CE2DF	-
bryan.deverell@cumberland.com	30862D49701F	30862D497D3F	-
erick.sanchez@cumberland.com	30862D4979AF	30862D497B5F	-
wallace.pederson@computacenter.com	30862D496E0F	30862D497AFF	-
dan.crews@computacenter.com	30862D49797F	30862D497D6F	-
jpucciariello@bulloch.solutions	30862D497CDF	30862D496FBF	-
jbryant@bulloch.solutions	30862D497A9F	30862D497A6F	-
stephen.norton@nwn.ai	30862D497D0F	30862D496F2F	-
cgordon@dgrsystems.com	30862D496F8F	30862D6CE30F	-
-	-	-	-
-	-	-	-
-	-	-	-
-	-	-	-
-	-	-	-
mbalagot+cws@arista.com	-	-	-

Student and Pod Assignment with ATD Access¶

ATD Token Access

Click the 🚀 ATD Lab links below to access your Arista Test Drive topology. Each link will open in a new browser tab for easy access.

Email	Lab Assignment	Student Pod #	CV-CUE ATN	ATD Token
dane.newman@ahead.com	student1	pod01	ATN570829	🚀 ATD Lab 1
charles.hall@ahead.com	student2	pod02	ATN570830	🚀 ATD Lab 2
apsmith@cspire.com	student3	pod03	ATN570831	🚀 ATD Lab 3
cjones@udtonline.com	student4	pod04	ATN570832	🚀 ATD Lab 4
jfowler@udtonline.com	student5	pod05	ATN570833	🚀 ATD Lab 5
sgrainger@adapture.com	student6	pod06	ATN570834	🚀 ATD Lab 6
bryan.deverell@cumberland.com	student7	pod07	ATN570835	🚀 ATD Lab 7
erick.sanchez@cumberland.com	student8	pod08	ATN570836	🚀 ATD Lab 8
wallace.pederson@computacenter.com	student9	pod09	ATN570837	🚀 ATD Lab 9
dan.crews@computacenter.com	student10	pod10	ATN570838	🚀 ATD Lab 10
jpucciariello@bulloch.solutions	student11	pod11	ATN570839	🚀 ATD Lab 11
jbryant@bulloch.solutions	student12	pod12	ATN570840	🚀 ATD Lab 12
stephen.norton@nwn.ai	student13	pod13	ATN570841	🚀 ATD Lab 13
cgordon@dgrsystems.com	student14	pod14	ATN570842	🚀 ATD Lab 14
-	student15	pod15	-	🚀 ATD Lab 15
-	student16	pod16	-	🚀 ATD Lab 16
-	student17	pod17	-	🚀 ATD Lab 17
-	student18	pod18	-	🚀 ATD Lab 18
-	student19	pod19	-	-
mbalagot+cws@arista.com	student20	pod20	ATN570238	-

Topology¶

Quick Access Guide¶

🚀 ATD (Arista Test Drive) Access¶

Click any ATD Lab link in the table above
New browser tab will open with your topology
Login with your provided credentials
Start your lab exercises immediately

📧 Support¶

If you experience any issues with ATD access: - Verify your internet connection - Try refreshing the ATD page - Contact the workshop instructor for assistance

Arista Configuration Tools

Intangi Iris Configuration Tool¶

Overview¶

This lab is intended for the Campus Workshop and to showcase the partner tool to design, configure and price out Arista campus products and solutions. Authorized Arista partners are able to download and access the tool at intangi.com/support website. They are required to login with their corporate email address. Contact iris-help-ext@arista.com for assistance. There are many online resources available which includes videos, documentation, and more at intangi.com/support.

Iris Dashboard¶

Upon successful login, you will be presented with the Iris dashboard. Click on the Arista catalog to start.

Arista Catalog at a glance¶

Expand the catalog to view the various devices and features available

Design, Configure and Price Out Your Network¶

You are now ready to create a new network design.

Under the Start section, click on New System Provide a name for your system, accept all defaults and click `OK.

Select the Arista price list. Navigate to Tools on the horizontal menu bar, select Subscriptions then select Manage Subscriptions. Select the Arista price list and click Enable. Optionally click on Price Lists to view the price list details. USD and EUR price lists are available. Click OK to continue.

Create a new site. Navigate to Sites and click on New Site. Provide a name for your site, select the desired Power. Contact, Description are optional and click OK continue. Double-click on your workshop name on the map. A clean worshop space will be provided.

Choose a desired spine switch from the catalog. Double-click on the 7050X Switch Series, select one of the pre-configured 7050SX3-24YC2-F bundles. -F is with front-to-back fan trays, -R is rear-to-front. Cut-and-paste the device on the site workspace to build a two-switch spine network layer.

Interconnect the spine switches using the Connect tool. Select the spine switch and then the other spine switch. Choose the 100G DAC interface for the connection. We are pre-configuring the spine switches with MLAG

Edit the quantity multipler of 100G DAC to 2

Using the same method of choosing the right Arista products for your design, select 720XP-48ZC2 POE switches for the leaf layer. Add two switches for each leaf layer.

Connect the spine and leaf layer together using the Connect tool. Select the spine switch and then the leaf switch. Repeat for the second leaf switch.

Add an wireless access point to the leaf layer. Double-click on the Wireless Access Points and select the C-460 WiFi7 model. Cut-and-paste the device on the site workspace to build a two-switch active-active wireless layer.

Connect the wireless access point to the leaf layer using the Connect tool. Select the leaf switch and then the wireless access point.

Create a Bill Of Material (BOM)¶

Iris can generate a Bill Of Material (BOM) for your design.

Navigate to Quotation or press Ctrl+Q
The Quotation Composite View will appear. You can see the devices and features selected for your design. You can also see the price for each device and feature. The total price is also displayed. Hover your cursor over the Export menu and select Export to Excel to download the BOM.

🎉 CONGRATS! You have completed the Iris labs! 🎉

Arista Advance EOS

EOS Overview and Tips for Network Operators¶

Overview¶

Arista EOS (Extensible Operating System) is built on a foundation of quality, reliability, and programmability. This guide covers essential EOS features and practical tips for network operators.

EOS Architecture¶

EOS features a unique architecture with several key advantages:

Decoupled State from Process: Self-healing processes ensure system stability
Live Patching: Updates without downtime
Unmodified Linux Kernel: Full Linux compatibility
Industry Standard CLI: Familiar command-line interface
Consistent API: eAPI for automation
Access to Bash: Direct Linux shell access

Platform Flexibility¶

EOS runs across multiple deployment models:

Platform	Use Case	Description
Standard EOS	Production Networks	Hardware + Software bundled solution
vEOS	Lab Simulation	EOS in a virtual machine
cEOS	Container Networks	EOS in a container
CloudEOS	Cloud Native	Multi-hypervisor cloud deployment

Quality Metrics¶

Over approximately 12 years of development:

1 OS version across all switching & routing platforms
8 Software regression bugs
30 Security advisories (CVEs)
2 Security advisories requiring downtime
~1,000 Quality control testbeds
230,000+ Auto-tests per day
<1% EOS defect rate

EOS Lifecycle¶

Release Types¶

F Releases (New Feature Phase)¶

Introduces new features and/or platforms
Multiple releases for ongoing development
Active development phase

M Releases (Maintenance Phase)¶

Identified with "M" in version number
Incremental fixes only
No new functionality added
Periodic releases as needed
30 months support duration

Support Only Phase¶

Software upgrade required for bug fixes
6 months duration before end-of-life

Basic System Commands¶

System Information¶

Show Version¶

SWITCH#show version

Example output:

Arista CCS-720XP-48ZC2-F
Hardware version: 10.50
Serial number: JPE19181588
Hardware MAC address: fcbd.670f.3c31
System MAC address: fcbd.670f.3c31
Software image version: 4.31.3M
Architecture: i686
Internal build version: 4.31.3M-36737551.4313M
Internal build ID: c8d3a574-c649-455d-90a4-b2510051cf0d
Image format version: 3.0
Image optimization: Strata-4GB
Uptime: 8 hours and 4 minutes
Total memory: 3952980 kB
Free memory: 2220948 kB

System Environment¶

SWITCH#show system environment all

Interface Status¶

SWITCH#show interface ethernet1

Configuration Management¶

Save Configuration¶

# Save running config to startup config
SWITCH#copy running-config startup-config

# Alternative method
SWITCH#write memory

# Short form
SWITCH#wr mem

Erase Startup Configuration¶

SWITCH#erase startup-config

EOS Upgrades¶

Installation Process¶

Copy new EOS image to flash:

# Verify current boot configuration
EOS1#show boot-config

Install new image:

EOS1(config)#install system flash:EOS-4.31.3M.swi

Reload the switch:
```
EOS1(config)#reload
```

Advanced CLI Features¶

Show Active Configuration¶

View configuration for current context instead of full running-config:

SWITCH(config-if-Et1)#show active

Example output:

interface Ethernet1
   description EOS1
   mtu 9216
   no switchport
   ip address 10.1.18.18/24

Event Monitor¶

Monitor changes to system tables in real-time:

Enable Event Monitor¶

SWITCH(config)#event-monitor
SWITCH(config)#event-monitor sync

View Event Monitor Data¶

SWITCH#show event-monitor arp

Automatically stores changes to: - ARP tables - IGMP snooping - LACP - MAC address tables - Multicast routes - Routes (IPv4/IPv6) - Spanning Tree Protocol

Watch Command¶

Real-time monitoring of command output:

Basic Watch¶

# Update every 2 seconds (default)
SWITCH#watch show ip arp

# Update every 1 second with diff highlighting
SWITCH#watch 1 diff show ip arp

Advanced Watch Example¶

# Watch MAC address table changes
SWITCH#watch 1 diff show mac address-table

Command History¶

View command history for current session:

SWITCH#show history | begin conf

CLI Command Discovery¶

Find available commands with grep filtering:

# Show all commands containing "distance"
SWITCH#show cli commands all-modes | grep -i distance

CLI Scheduler¶

Default Tech-Support Collection¶

EOS automatically runs tech-support every 60 minutes:

SWITCH#show schedule tech-support

Custom Scheduler Examples¶

Basic Interface Monitoring:

SWITCH(config)#schedule show-int interval 10 max-log-files 10 command show interface counters

Automated Backup with TFTP:

SWITCH(config)#schedule backup-config interval 30 timeout 1 max-log-files 10 command bash sudo ip netns exec ns-MGMT tftp 172.31.0.8 -c put /mnt/flash/startup-config $(hostname)_$(date +%Y-%m-%d-%H%M.%S.txt)

Support Bundle Generation¶

Generate comprehensive support bundle for TAC:

# Basic support bundle to flash
SWITCH#send support-bundle flash:

# Support bundle with case number
SWITCH#send support-bundle flash: case-number 123456

# Available destinations
SWITCH#send support-bundle ?
# flash:, ftp:, http:, https:, scp:, sftp:, tftp:

Configuration Analysis Tools¶

Configuration Differences¶

Compare running and startup configurations:

SWITCH#show running-config diffs

Example output:

--- flash:/startup-config
+++ system:/running-config
@@ -70,7 +70,9 @@
 no switchport
 !
 interface Ethernet10
- no switchport
+ description Whoops...should have saved this
+ switchport mode trunk
+ switchport

Non-Zero Values Filter¶

Show only non-zero statistics:

SWITCH#show interfaces counters rates | nz

Sanitized Configuration¶

Remove passwords and sensitive data for sharing:

SWITCH#show running-config sanitized

Example:

# Before sanitization
SWITCH#show run sec snmp
snmp-server community asdf1234asdf ro

# After sanitization  
SWITCH#show run sanitized sec snmp
snmp-server community <removed> ro

Configuration Sessions¶

Configuration sessions allow batch application of changes:

Create Configuration Session¶

SWITCH#configure session MySession
SWITCH(config-s-mysess)#

Review Changes¶

SWITCH#show session-config diffs

Commit Changes¶

# Immediate commit
SWITCH(config-s-mysess)#commit

# Commit with auto-rollback timer
SWITCH(config-s-mysess)#commit timer 00:05:00

# Confirm commit (if timer was set)
SWITCH#configure session MySession commit

Configuration Checkpoints¶

List Previous Commits¶

SWITCH#show configuration checkpoints

View Previous Configuration¶

SWITCH#more checkpoint:ckp-20240513-0

Rollback to Previous Configuration¶

SWITCH#configure checkpoint restore ckp-20240513-0

Advanced CLI Techniques¶

Multiple Commands¶

Execute multiple commands in sequence:

SWITCH#run show version; show ip int brief; show int e5

Advanced Multi-Command with Watch¶

SWITCH#watch 1 diff run show int e48 counters rates | nz;!;!; show int e48 counters queue detail

Tip: Use ;!;! to create buffer space between command outputs

Structured Data Output¶

Convert command output to JSON format:

SWITCH#show version | json

Example JSON output:

{
  "mfgName": "Arista",
  "modelName": "DCS-7280SR3K-48YC8-F",
  "hardwareRevision": "11.02",
  "serialNumber": "JPE21043548",
  "systemMacAddress": "94:8e:d3:51:77:94",
  "version": "4.31.1F",
  "architecture": "x86_64",
  "uptime": 9452806.97,
  "memTotal": 65734516,
  "memFree": 61283092
}

VRF Context¶

Set CLI to operate within a specific VRF context:

SWITCH#cli vrf MGMT
SWITCH(vrf:MGMT)#show ip route
SWITCH(vrf:MGMT)#ping 172.31.0.1

Event Handlers¶

Event handlers allow automated responses to system events:

Event Handler Components¶

Trigger: Condition that activates the handler
Action: Response when trigger condition is met

Available Actions¶

SWITCH(config-handler-config-backup)#action ?
# bash    - Define BASH command action
# increment - Define INCREMENT command action  
# log     - Log a message when triggered

Available Triggers¶

SWITCH(config-handler-config-backup)#trigger ?
# on-boot           - System boot
# on-config         - Handler configuration
# on-counters       - Statistical counter evaluation
# on-intf           - Interface changes
# on-logging        - Log message regex match
# on-maintenance    - Maintenance operations
# on-startup-config - Startup config changes
# vm-tracer         - VmTracer events

Configuration Backup Example¶

Automatically backup configuration when user exits config mode:

SWITCH(config)#event-handler config-backup
SWITCH(config-handler-config-backup)#action bash
FastCli -p 15 -c 'copy running-config flash:staged_backup'
sudo ip netns exec ns-MGMT tftp 172.31.0.8 -c put /mnt/flash/staged_backup $(hostname)_$(date +%Y-%m-%d-%H%M.%S.txt)
EOF
SWITCH(config-handler-config-backup)#delay 1
SWITCH(config-handler-config-backup)#trigger on-logging
SWITCH(config-handler-config-backup-on-logging)#regex .*SYS-5-CONFIG_I.*Configured from.*

Command Aliases¶

Basic Alias Creation¶

SWITCH#alias whatsdiff show run diffs | include ^\+|^\-

Alias with Variables¶

SWITCH(config)#alias shporc show port-channel %1 detail

Usage:

SWITCH#shporc 10

Advanced Regex Aliases¶

# Port-channel summary alias
SWITCH(config)#alias "sh port-c sum"
SWITCH(config-alias-regex)#10 show port-channel dense

# VRF-aware interface brief
SWITCH(config)#alias "sh ip int br vrf (\w+)"
SWITCH(config-alias-regex)#10 show ip interface vrf %1 brief

Hardware Diagnostics¶

Cable Testing (Base-T)¶

Test Ethernet cables remotely:

SWITCH#test l1 cable base-t interfaces e17

View cable test results:

SWITCH#show interfaces e17 cable detail

Example output:

Ethernet17
Cable test runs: 1
Cable length accuracy: +/-10m
Current State Changes Last Change
Diagnostics status completed 2 0:00:07 ago
Cable status ok 1 0:00:07 ago
Length of pair A 47m 1 0:00:07 ago
Length of pair B 39m 1 0:00:07 ago

Note: Cable testing will cause the interface to flap

Transceiver Simulation¶

Simulate transceiver removal without physical access:

SWITCH(config-if-Et49/1)#transceiver diag simulate removed
SWITCH(config-if-Et49/1)#show interface e49/1 status

# Restore transceiver
SWITCH(config-if-Et49/1)#no transceiver diag simulate removed

LED Identification¶

Flash LEDs to identify hardware components:

# Flash interface LED
SWITCH#locator-led interface ethernet 1

# Flash fan tray LED
SWITCH#locator-led fantray 1

# Flash power supply LED  
SWITCH#locator-led powersupply 1

Interface Capabilities¶

View interface speed and feature capabilities:

# Show default capabilities
SWITCH#show int e9/1 hardware default

# Show current transceiver capabilities
SWITCH#show int e9/1 hardware

Monitoring and Troubleshooting¶

Command Audit Trail¶

View detailed command history with user attribution:

SWITCH#show aaa accounting logs

Filter by time range or username:

SWITCH#show aaa accounting logs username mitch

Real-time Log Monitoring¶

Follow system logs in real-time:

# Basic log following
SWITCH#show logging follow

# Filtered log following
SWITCH#show logging follow | grep -i ethernet

Packet Capture¶

Control-Plane Capture¶

All platforms support control-plane packet capture:

Create Monitor Session:

SWITCH(config)#monitor session test-sess source Ethernet2
SWITCH(config)#monitor session test-sess destination cpu

Verify Monitor Session:
```
SWITCH#show monitor session
```
Start Packet Capture:
```
SWITCH#tcpdump interface mirror0
```

Advanced Capture Options¶

SWITCH#tcpdump ?
# file          - Set output file
# filecount     - Number of output files
# filter        - Filtering expression
# interface     - Interface to monitor
# packet-count  - Limit number of packets
# size          - Maximum bytes per packet
# verbose       - Enable verbose mode

Remote Live Capture¶

Stream packet capture directly to Wireshark:

Windows:

plink -l admin -pw admin -batch 172.31.0.28 "bash sudo tcpdump -s 0 -Un -w - -i mirror0" | wireshark -k -i - -o "gui.window_title:Eth1"

macOS/Linux:

ssh admin@172.31.0.28 "bash sudo tcpdump -s 0 -Un -w - -i mirror0" | wireshark -k -i - -o "gui.window_title:Eth1"

Performance Testing¶

iPerf Network Testing¶

EOS includes iPerf for network performance testing:

SWITCH#bash
[arista@SWITCH ~]$ iperf --help
[arista@SWITCH ~]$ iperf --version

Note: Throughput is limited by CPU-to-ASIC interface capacity

Advanced Troubleshooting¶

Agent Logs¶

Access detailed per-agent logging:

List Available Agent Logs¶

SWITCH#bash ls /var/log/agents

View Specific Agent Log¶

SWITCH#bash more /var/log/agents/Acl-3671

QuickTrace Analysis¶

For detailed debugging (typically used with TAC support):

SWITCH#bash qtcat /var/log/qt/Acl.qt | more

Best Practices¶

Configuration Management¶

Always save configurations after changes: copy running-config startup-config
Use configuration sessions for complex changes
Test changes with commit timers for automatic rollback
Regular configuration backups using event handlers

Monitoring¶

Enable event monitoring for change tracking
Use scheduled commands for regular health checks
Implement custom aliases for frequently used command sequences
Leverage structured data output for automation

Troubleshooting¶

Use show active instead of full running-config in specific contexts
Filter outputs with nz for relevant non-zero values
Utilize real-time monitoring with watch command
Generate support bundles for TAC cases with complete system state

Security¶

Use sanitized output when sharing configurations
Implement command accounting for audit trails
Regular review of system logs with filtering
Proper access control and authentication

Conclusion¶

Arista EOS provides a comprehensive set of tools and features for network operation and troubleshooting. The combination of Linux-based architecture, extensive CLI capabilities, and built-in automation features makes EOS a powerful platform for modern network infrastructure.

Key advantages include: - Unmatched software quality and reliability - Extensive troubleshooting and monitoring capabilities - Flexible deployment options across physical and virtual environments - Rich automation and programmability features - Comprehensive support and diagnostic tools

For additional information and updates, refer to the official Arista documentation and support resources.

Arista @Home

Configuring your Arista Switch and Access Points for Home Use¶

Overview¶

This document provides a guide to configure your Arista switch for home use, including setting up wired and wirelesourss network connectivity and management access.

Prerequisites¶

An Arista switch (e.g., Arista 710P-12P)
Console cable or SSH access to the switch
Home network details (IP address, subnet mask, gateway IP, DNS server IP)

Step 1: Connect to the Switch¶

Connect your computer to the switch using a console cable or SSH.
Open a terminal emulator (e.g., PuTTY, Tera Term) and connect to the switch's console port or SSH into the switch.
Log in to the switch using the default username and password (arista/arista).

Step 2: Configure Basic Network Connectivity¶

Enter global configuration mode by typing configure.
Configure a VLAN for management access using the vlan command. For example:
```
vlan 10
name Management
```
Configure VLAN 20 and VLAN 30 for guest and IoT networks respectively:
```
vlan 20
name Guest
exit
vlan 30
name IoT
exit
```
Configure the switch's hostname using the hostname command. For example:
```
hostname MyAristaSwitch
```
Configure the switch's IP address, subnet mask, and default gateway using the interface ethernet5 command. For example:
```
interface ethernet5
switchport access vlan 10
```

Assign an IP address to the VLAN interface:

interface vlan 10
ip address 10.10.1.1 255.255.255.0
exit

Set the default gateway. This is your home router's IP address:
```
ip route 0.0.0.0/0 10.10.1.254
```
Save the configuration:
```
write
```

Step 3: Configure DHCP Services¶

Configure DHCP pool for VLAN 10:

dhcp server
dns server ipv4 8.8.8.8
subnet 10.10.1.0/24
  range 10.10.1.40 10.1.1.250
  lease time 0 days 12 hours 0 minutes
  default-gateway 10.10.1.1
exit

Enable DHCP pool for VLAN 20:

dhcp server
dns server ipv4 8.8.8.8
subnet 10.20.1.0/24
  range 10.20.1.40 10.20.1.250
  lease time 0 days 12 hours 0 minutes:
  default-gateway 10.20.1.1
exit

Enable DHCP pool for VLAN 30:

dhcp server
dns server ipv4 8.8.8.8
subnet 10.30.1.0/24
  range 10.30.1.40 10.30.1.250
  lease time 0 days 12 hours 0 minutes:
  default-gateway 10.30.1.1
exit

Save the configuration:
```
write
```

Step 4: Configure your access points¶

Connect your access points to the switch interface ethernet 7 or ethernet 9.

Configure interface ethernet 7 or ethernet 9 as a trunk port to allow multiple VLANs:

interface ethernet7
switchport mode trunk
switchport trunk allowed vlan add 10,20,30
exit

Save the configuration:
```
write
```

Login to the Arista Launchpad for your lab.
Click on the CV-CUE (CloudVision WiFi) Tile in the LaunchPad from the Dashboard menu.
Click on Configure > WiFi and click on Add SSID
Configure your SSID and security settings. Configure the SSID to use the appropriate VLAN (e.g., VLAN 10 for management, VLAN 20 for guest, VLAN 30 for IoT).
Click on Save to apply the changes.

CloudVision Demos

Change Control Action Download File Guide¶

Overview¶

This guide demonstrates how to use the Action Download File feature in Change Control to download image and extension files to device flash directories.

The action downloads files from CloudVision file store to device flash storage, using SHA512 checksums to avoid duplicate downloads and automatically managing flash space by removing unused SWI images.

Download File Action Process¶

Complete Walkthrough Demo¶

Watch this optimized 1:28 demonstration showing the complete Action Download File process from start to finish:

Change Control Action Download File - Complete Walkthrough (Optimized)

🔍 Click to zoom

Step 1: Initial Download Action¶

Navigate to your Change Control in Provisioning
Click on + Create Change Control in the toolbar
Select Download File from the available actions
Select the desired EOS File Image from the dropdown .eg. EOS-4.34.0F.swi
Select your device from the Run action against selected devices dropdown
Click Add to Change Control to proceed

Step 2: Review and Approve¶

Complete the Change Control review and approval process:

Click Review and Approve at the top right
Toggle Execute Immediately if not already selected
Click Approve and Execute to start the download process
Monitor the progress indicator for completion

File Download Options¶

The Action Download File feature downloads EOS software images to network devices.

Available File Type¶

EOS SWI Files - Arista EOS software image files for device upgrades and installations

Best Practice

Always download EOS image files before running the Change Control Download File action.

Download Complete!

Your switch now has the latest EOS image file that can be used for future upgrades or Smart System Upgrade (SSU) processes.

Working with Certificates

Copying Certificats using Cut-and-Paste Method¶

AGNI CA signed certificates¶

We will work with radsec_ca_certificate.pem and switch.pem certificatesfrom AGNI. The radsec cerficate is provided by AGNI and switch.pem is generated on the switch and signed by AGNI. You will need to copy these certificates to the switch flash storage. The following steps assume you have already downloaded the certificates to your local machine. Ensure that you are in the same directory as the certificates.

MAC OS

Open Terminal and run the following.
You will cut-and-paste the certificate contents of radsec_ca_certificate.pem and switch.pem to the switch's terminal.
Copy the content of the certficate from BEGIN and END CERTIFICATE lines.
```
ls -al *.pem
cat radsec_ca_certificate.pem
```

Login to your switch using the arista user credentials and paste the certificate. Hit return and control-d to exit.

copy terminal: flash:radsec_ca_certificate.pem
enter input line by line; when done enter one or more control-d

Repeat the previoussteps for the switch.pem certificate.
```
cat switch.pem
```
Login to your switch using the arista user credentials and paste the certificate. Hit return and control-d to exit.
```
copy terminal: flash:switch.pem
enter input line by line; when done enter one or more control-d
```

Copy the certificates to the certificate store.

copy flash:radsec_ca_certificate.pem certificate:radsec_ca_certificate.pem
copy flash:switch.pem certificate:switch.pem

Windows

Open Command Prompt and run the following.
You will cut-and-paste the certificate contents of radsec_ca_certificate.pem and switch.pem to the switch's terminal.
Copy the content of the certficate from BEGIN and END CERTIFICATE lines.
```
dir *.pem
type radsec_ca_certificate.pem
```

Login to your switch using the arista user credentials and paste the certificate. Hit return and control-d to exit.

copy terminal: flash:radsec_ca_certificate.pem
enter input line by line; when done enter one or more control-d

Repeat the previous steps for the switch.pem certificate.
```
type switch.pem
```
Login to your switch using the arista user credentials and paste the certificate. Hit return and control-d to exit.
```
copy terminal: flash:switch.pem
enter input line by line; when done enter one or more control-d
```
Copy the certificates to the certificate store.

copy flash:radsec_ca_certificate.pem certificate:radsec_ca_certificate.pem
copy flash:switch.pem certificate:switch.pem

Configuring RadSec on EOS¶

Arista Switches can form a RadSec tunnel using SSL encryption with AGNI. RadSec is a protocol that supports RADIUS over TCP and TLS. For mutual authentication it is required to install a client certificate with corresponding private key as well as your AGNI CA certificate. The steps below assumes the use of AGNI's internal PKI.

Follow the steps to create, upload and establish the RadSec tunnel.

Generate private key and CSR
Generate client certificate for the Switch in AGNI.
Upload the Certificate to the Switch.
Configure an SSL profile and and RadSec profile

If you're not already logged into AGNI, navigate to the Arista Launchpad for your lab.

Open Launchpad

Login Step 1Login Step 2

Provide your assigned lab/pod email address and password and clieck Sign In

You will see the various tools tied to your tenant, this includes CVP, AGNI (NAC), and CV-CUE for wireless. Click into AGNI (Beta) tile to begin this lab.

Configuration Steps¶

Generate the key pair

security pki key generate rsa 2048 switch.key

2. Generate the certificate signing request using the key just created.

Common Name must correspond to the Switch MAC address and the DNS needs to match the hostname of the switch

security pki certificate generate signing-request key switch.key

Certificate Signing Request

Common Name for use in subject: 2c:dd:e9:fe:cd:68 
Two-Letter Country Code for use in subject: US 
State for use in subject: FL 
Locality Name for use in subject: NFM 
Organization Name for use in subject: Arista 
Organization Unit Name for use in subject: acws 
Email address for use in subject:
IP addresses (space separated) for use in subject-alternative-name:
DNS names (space separated) for use in subject-alternative-name: pod00-leaf1a 
Email addresses (space separated) for use in subject-alternative-name:
URIs (space separated) for use in subject-alternative-name:
-----BEGIN CERTIFICATE REQUEST-----
MIIC0DCCAbgCAQAwYTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkZMMQwwCgYDVQQH
DANORk0xDTALBgNVBAoMBGFjd3MxDDAKBgNVBAsMA2NzZTEaMBgGA1UEAwwRMmM6
ZGQ6ZTk6ZmY6MzI6YjIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1
UDFDsidF4qhGzIEgNUlcNPtfvAGic/hQelaD9MgvOUbbVUhEg0hcbA/LLcyZQ+f/
B0f/UK7eyuNhtS3lTYf7A1TqCQ7md8d4opcKbiP7vFg6+dpvAXT8giBlstv790LY
wEpuCKX4igkLx+jMlNNOP7tKnuX2tuK/EYi20O2a0e4LR77ebBZpztiia9prCyvk
neNhtAPMeb/O/kUBnmPwpPDy4jtpPhp8I+xX9zo4nRNjVlFcRRNao/N72kIpnmX8
nnAXIcG/I1bLsgspWIwwiV3MUL3pOKUNqXaKf824/ZJgPAtUA2zgp9JayMbbddOE
A3dKTwBkGOXihZkVDTnrAgMBAAGgKjAoBgkqhkiG9w0BCQ4xGzAZMBcGA1UdEQQQ
MA6CDHBvZDAwLWxlYWYxYTANBgkqhkiG9w0BAQsFAAOCAQEAp8pxdX1qJ8uPFrQW
ZmMmOZ+RM3lEDOJkhNA2aRVonWeejp0bz5qToT8E41RPyLIdQ56Pa+zeGx5occg8
3nK3aFAu1ARPR1EJ8E04656c9v6zpF9np3juwLJm0uiM16XgUMvEmQd1anRELndn
r53jlXKAcsKdFMSaW0MqXY6DN8a1PmI3KL0zzOKpwtcRSjvAXFTN8viSPOL/vrRL
XTqVaa+P1d7PgRBoSi5DFY6U9nwHD42yP0kCbq98wxDrLyTfMV20ymY083XHdKPz
Y4dI+YfHeK48QLBSLUKB9CrOC0XyhIMtCxBGkJ+umZy3wktZHCCkvDej7NoiNZal
4uEbIg==
-----END CERTIFICATE REQUEST-----

Copy the certificate including the text “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----”
Select your Access Device from the list and select Get Client Certificate.
Select Use CSR (Single Device) and Paste CSR.

Note 1: CSR can also be uploaded from file by selecting action Upload CSR File

Note 2: For signing multiple CSRs select Upload Zip with multiple CSRs
Click Generate Certificate. A certificate pod00-leaf1a.pem will be generated and downloaded. Rename this file to switch.pem
Go to RadSec Setting in the Navigator under Administration section to download the CA certificate.
Download the RadSec CA certificate (radsec_ca_certificate.pem) by clicking Download Certificate.

In AGNI Click on Configuration → System → RadSec Settings on the left hand side.

Copy the FQDN radsec.beta.agni.arista.io and Download the Certificate at the bottom.
Copy certificates to the switch The certificate and root certificate need to be copied to the switch flash using SCP. Prerequisites: Settings on switch to be able to SCP over the certs. Provide a username and password with network-admin role. Ensure the following settings are configured on the switch:
```
aaa authentication login console local
aaa authorization exec default local
```
10. Copy the certificates to the switch flash using SCP.
```
scp switch.pem radsec_ca_certificate.pem arista@<switch_ip>:/mnt/flash:
```
11. Login to your switch using the arista user credentials and verify the certificates are present in the flash.
```
dir
```
12. Copy the certificates to the certificate store.
```
copy flash:switch.pem certificate:switch.pem
copy flash:radsec_ca_certificate.pem certificate:radsec_ca_certificate.pem
dir certificate:
```
13. Verify the certificate validity.
```
show management security ssl profile agni-server
```
```
    Profile     State
    ----------- -----
    agni-server valid
```

Wired

CLoudVision Interface Diagnostics¶

Overview¶

The CloudVision Campus features are targeted at streamlining Campus operations, interface diagnostics are no exception to this! You have tools at your fingertips to troubleshoot wired endpoints.

Cable Test¶

Test your ethernet run between your devices or down to a connected endpoint like a desktop, phone, printer, etc. This can be helpful in validating the ethernet pairs are operating as expected, the length of the cable is not beyond specs, and you are able to transfer expected speeds.

Interface Cycle¶

Admin Down¶

Sometimes in troubleshooting a good bounce of the port will assist in triggering and endpoint to reauthenticate, power cycle, etc. Using the Administratively option to admin down the port and back up is an easy way to execute this action

PoE Cycle¶

There are situations where you simply want a PoE device to power cycle. Use the Power over Ethernet cycle to quickly reboot any PoE device.

Telemetry¶

We have telemetry data as you've seen throughout CloudVision and as expected, you are presented with relevant telmetry as these interfaces are tested. You can see here what the various cycles look like

Configuring AGNI Tacacs¶

Overview¶

This lab is intended to use the Campus Workshop to showcase how to configure TACACS+ with AGNI. There are many online resources available, this will only include the basics of what's required.

AGNI Configuration¶

Arista Cloud Gateway (AGNI)¶

Login into AGNI to begin this lab, you will create the Arista Cloud Gateway.

Under the Configuration section, click on Access Devices > Cloud Gateways
Add the gateway with the settings below

ACG Settings

Setting Student 1

Name ATD-POD01

Location Locations

TACACS+ Termination Enabled

Shared Secret Name Access

Value Arista!123
Be sure to copy the generated Token value, this will used in our EOS configuration

Token Generation

The token can only be viewed this one time, if you forget to copy you must regenerate the token.
Verify the settings and click Add Cloud Gateway when complete
That's it, there is now a ACG instance configured for all devices

ACG Connection (CVP)¶

Configuring your switches for Tacacs is easy as applying a configlet to all or select devices. We're going to use studios to demonstrate

Login to CloudVision
Navigate to Provisioning > Studios
Click on Create Workspace and name it whatever you'd like
Next, select Static Configuration
Select only your device and click + Configlet > Configlet Library, select the tacacs configuration

Apply to all devices

You could apply the configuration at the container Workshop. This container has the device tag Device: All Devices, this means all devices would inherit this configuration without the need to go to each device. You could also create your own container and leverage any tag query to target specific subset of devices.
1. Once the configlet is applied, click on Review Workspace
2. Validate the configuration is correct and Submit Workspace
3. Click on Change Control and Approve and Execute the change

ACG Connection (EOS)¶

Whil we used cloudvision to configure the device, you can also log directly into the switch

Login to the switch

Cloud Gateway should have been downloaded and installed on the switch. You can verify on EOS by running the following command

show extensions:
show boot-extensions:

POD00-LEAF1A[12:07:37]#show extensions
Name                                 Version/Release      Status       Extension
------------------------------------ -------------------- ------------ ---------
AristaCloudGateway-1.0.2-1.swix      1.0.2/1              A, I, B      1


A: available | NA: not available | I: installed | F: forced | B: install at boot
S: valid signature | NS: invalid signature
The extensions are stored on internal flash (flash:)

POD00-LEAF1A[12:07:38]#show boot-extensions
AristaCloudGateway-1.0.2-1.swix

Let's add the configuration to start the ACG daemon

daemon AristCloudGateway
    exec /usr/bin/acg
    option AGNI_API_TOKEN value {{ your_agni_acg_token }}
    no shutdown

Example Output

This is an EosSdk application
Full agent name is 'acg-AristCloudGateway'

You can verify the configuration works as expected

trace monitor acg

Example Output

POD00-LEAF1A[12:23:54]#trace monitor acg
--- Monitoring /var/log/agents/acg-AristCloudGateway-30753 ---
2025/02/04 12:23:58 DEBUG [swix] AGNI_API_TOKEN(md5sum) : 76938f1bb8fc5517c01c106d1febdaf0
2025/02/04 12:23:58 DEBUG [swix] ENABLE_DEBUG_LOG : false
2025/02/04 12:23:58 DEBUG [swix] AGNI_ACG_TACACS_PORT : 49
2025/02/04 12:23:58 DEBUG [swix] AGNI_ACG_ENABLE_DHCP : false
2025/02/04 12:23:58 DEBUG [swix] AGNI_ACG_VRF : default
2025/02/04 12:23:58 DEBUG [swix] acg service started
2025/02/04 12:23:58 DEBUG [swix] acg service started [pid=30809]
2025/02/04 18:24:03 INFO acg - dhcp module is disabled
2025/02/04 18:24:03 INFO tacacs - started gateway at 0.0.0.0:49
2025/02/04 18:24:03 INFO websocket - connected successfully to wss://beta.agni.arista.io/acg/connect

You can look in AGNI under the Access Devices > Cloud Gateways and now see the status is green

TACACS Configuration¶

TACACS Profile¶

Configure a Tacacs Profile under Device Administration > TACACS+ Profiles
Create a new profile with the basic settings

TACACS Profile Settings

Setting Value

Name network-admin

Description Network Administrator

Privilege Level 15

Allow Enabled Enabled

Action for unmatched commands Permit
Next add a Service Attribute using these settings

TACACS Profile Settings

Setting Value

Select Service shell

Attribute #1 priv-lvl = 15
Click Add TACACS+ Profile when complete

Access Policy¶

Configure a Access Policy under Device Administration > Access Policy
Create a new profile with the basic settings

TACACS Profile Settings

Setting Value

Enable Device Administration Enabled

Authorized User Groups Employees

Device Login Pass Validity 30
Next, create a policy by selecting Add Policy

TACACS Profile Settings

Setting Value

Name network-admin

Description Network Administrator

Policy Type TACACS+

Status Enabled

Condition User:Group is Employees

Action TACACSProfile network-admin
Click Add Policy
End of this section

User Add¶

Typically this would be populated via an identity management platform, here we will add a static user.

User > Users
Add User
User Groups
Add user to Employees
Update User Groups

EOS Tacacs Configuration¶

Use the following configuration

tacacs-server policy unknown-mandatory-attribute ignore
!
tacacs-server host 0.0.0.0 key Arista!123
!
aaa group server tacacs+ agni-tacacs
    server 0.0.0.0
!
aaa authentication login default local group agni-tacacs
aaa authorization exec default local group agni-tacacs
aaa authorization commands all default local group agni-tacacs

2.

show users detail

Wireless

Setup Radius RadSec Server¶

If you're not already logged into AGNI, navigate to the Arista Launchpad for your lab.

Open Launchpad

Login Step 1Login Step 2

Provide your assigned lab/pod email address and password and clieck Sign In

You will see the various tools tied to your tenant, this includes CVP, AGNI (NAC), and CV-CUE for wireless. Click into AGNI (Beta) tile to begin this lab.

Configuration¶

In AGNI Click on Configuration → System → RadSec Settings on the left hand side.
Copy the FQDN radsec.beta.agni.arista.io and Download the Certificate at the bottom.
Next, go back to CV-CUE and let’s set up a RadSec Server.
Click on Add RADIUS Server
Navigate to Configure → Network Profiles → RADIUS

Tunnel Guest Traffic to Core Switch¶

Overview¶

To highlight Arista's Controllerless Architecture we will use the labs Core 720DP switch to termainate AP tunnels via VXLAN.

Tunnel Configuration¶

Arista CV-CUE¶

Login into CV-CUE to begin this lab, you will create the AP tunnel.

Under the Configure section, click on Network Profiles > Tunnels
Select the correct location in your hierarchy
Select Add Tunnel Interface

Network Profiles

Setting Value

Tunnel Interface Name tunnel-##

Tunnel Type VXLAN

Remote Endpoint 1.1.1.1

Local Endpoint VLAN 0

VXLAN VNI Offset 10200
Click Save

Assign SSID to Tunnel Profile¶

Under the Configure section, click on Wifi
Select the correct location in your hierarchy
Select the pencil to edit Guest SSID
Select Network
Change Network Mode to L2 Tunnel
Select the tunnel-##
Click Save

Monitor Tunnels¶

Under the Monitor section, click on Wifi
Verify your location in the hierarchy
Click on Tunnels or the tunnel icon on the top row

Notice the client IP Address is now using network 10.1.200.##
Verify if the Tunnels are green

RadSec | Installing the AP Certificate¶

What is RadSec?¶

RadSec is a protocol that supports RADIUS over TCP and TLS. For mutual authentication it is required to install a client certificate with corresponding private key as well as your AGNI CA certificate.

With the proliferation of IoT devices, mobile users, and remote access, networks have become more complex and diverse, making traditional RADIUS susceptible to eavesdropping and man-in-the-middle attacks. RadSec's integration of secure Transport Layer Security (TLS) encryption addresses these vulnerabilities, providing a robust defense against unauthorized access, data interception, and tampering.

Arista Switches can form a RadSec tunnel using SSL encryption with AGNI:

AGNI integrates with network infrastructure devices (wired switches and wireless access points) through a RadSec tunnel over Port 2083
The highly secure and encrypted tunnel offers complete protection to the communications that happen in a distributed network environment. This mechanism offers much greater security to AAA workflows when compared with traditional unencrypted RADIUS workflows.

More information on RadSec

Open AGNI and CV-CUE

When applying the Certificate to the AP it is recommended to have both the CV-CUE and AGNI windows opened side by side. - Login to CV-CUE - Login to AGNI

Configure RadSec¶

It's important to identify if the wired or wireless device you are configuring is manufactured with a Trusted Platform Module (TPM) chip. This chip contains the required certificate used for RadSec. However, if the TPM chip does not exist, CV-CUE supports Custom Certificate Management for Access Points.

More information on TPM

Summary¶

Launchpad Add AP and assign the Service
CV-CUE Create a Folder and move the AP
CV-CUE Generate CSR TAG and then Download CSR .zip.
AGNI Add the device as a new AP under Access Devices
AGNI Click on your AP and then select Get Client Certificate
AGNI Upload the CSR and Generate Certificate
CV-CUE Click on your AP and Upload Device Certificate and select TAG and AP.pem file
AGNI Under Administration click on RadSec settings and download Cert and copy hostname
CV-CUE In your Folder, Create a RADIUS RadSec server and apply the RadSec Cert from AGNI and Select your CSR TAG -> FQDN: radsec.beta.agni.arista.io
CV-CUE Create an SSID and point to the RADIUS client you created using WPA2 802.1X RadSec.
AGNI Create a User Account
AGNI Add Client
AGNI Under Networks, recommend starting with just a MAC auth example to make sure everything is running like you expected and point it to your SSID

Detailed Steps¶

CV-CUE
1. First we Generate a CSR. Click on Monitor > WiFi Access Points
2. On right hand side on top and click on Certificate Actions
3. Next, right click on the AP and select Generate CSR and select your Add New Certificate Tag. Type in a name for your Certificate Tag. Click on Generate.
4. Next, right click on the AP and select Download CSR and select your Certificate Tag.

AGNI

Click on Access Devices and click on + Add or Import. Specify the following in the table below. Click on Add Device when done.

Field	Value	Notes
Choose Action	`Add Device`	Select radio button
Name	`Your AP Name`	Enter descriptive name for the AP
MAC Address	`xx:xx:xx:xx:xx:xx`	Optional - Enter AP MAC address
Vendor	`Arista WiFi`	Select from dropdown
Serial Number	`Your AP Serial`	Required for RadSec - Enter AP serial number
IP Address	`Your AP IP`	Optional - Enter AP IP address
Access Device Group	`Select Group`	Optional - Choose appropriate group
Location	`Your Location`	Optional - Example: Global/America/California/Site-1

Access Devices → Devices → Select AP → Get Client Certificate
Next, select Generate Certificate: Use CSR (Single Device), and select Action: Upload CSR File, and browse to and select the CSR zip file.
Select Generate Certificate and the AP Client Certificate will be created and downloaded to your device.
Under System -> RadSec Settings copy the Radsec Server Hostname and Download Certificate at the bottom.

🚨 CRITICAL STEP - DO NOT SKIP!

⚠️ MANDATORY: You MUST download the RadSec certificate from AGNI before proceeding to CV-CUE configuration.

📥 Download Certificate - This certificate is required for the RadSec tunnel to work properly.

🔗 Copy Hostname - The RadSec Server Hostname is needed for CV-CUE RADIUS server configuration.

CV-CUE

Upload the Device Certificate
Go to Monitor → WiFi → Access Points → Select AP → Certificate → Upload Device Certificate, and upload the Client/Device Certificate that was downloaded to your device. Use the same Certificate Tag as when you Downloaded the CSR above.
Configuring AGNI RadSec Server.
Go to Configure → Network Profiles → RADIUS and create a new RADIUS Server.

Select Add RADIUS Server. Specify the following in the table below.

Field	Value
Server Name	`AGNI-01`
Server Address	`radsec.beta.agni.arista.io`
Radsec	`ON`
Radsec Port	`2083`
Add CA Certificate	`Downloaded from AGNI`
Certificate Tag	`Select your tag created in Step 1`

Select Save to commit the changes.

AGNI
1. Click on Access Devices and then Devices look at the RadSec Status.
2. 🟢 Green dot means connected and an active SSID is using AGNI.

C-04 | Best in Class WIPS¶

Overview¶

WIPS Wireless Intrusion Prevention System¶

Arista Wireless Intrusion Prevention System (WIPS) leverages RF broadcast and protocol properties including packet formats like probe requests and beacons common to all 802.11 standards(including 802.11ac and 802.11ax) to detect and prevent unauthorized access.

More Information

For more information about how Arista’s WIPS feature works, refer to this whitepaper: https://www.arista.com/assets/data/pdf/Whitepapers/Arista-Marker-Packet-Whitepaper.pdf

Wi-Fi threats include an ever changing landscape of vulnerabilities, such as:

Rogue APs
Unauthorized BYOD Client
Misconfigured APs
Client misassociation
Unauthorized association
Ad-hoc connections
Honeypot AP or evil twin “Pineapple”
AP MAC spoofing
DoS attack
Bridging client

Configure WIPS¶

Let's go ahead and configure WIPS on our Access Point

In the menu on the left hand side of the screen, navigate to Monitor > WIPS
Click on Access Points and Clients in the menu at the top of the screen and explore if any Rogue APs or Clients are connected to other APs in the area.
Access points that have been detected by WIPS but are not managed within Arista CV-CUE, they are designated as Rogue or External Access Points.
Next, let’s explore the information we can gather about the wireless environment using Arista’s WIPS.
Select Monitor > WIPS
In the simple lab environment, only your pod’s single AP is part of your managed wireless infrastructure. All of the other access points and clients on the network are like crowded neighbors or businesses in a shared office work space.
Under Monitor, WIPS, Access Points you can see all of the detected Rogue Access points. From this screen you can reclassify, set auto-prevention, add to ban list, name or move the AP.

Additional Information

Additional information about WIPS AP classification and Wireless Intrusion Prevention Techniques

Authorized APs

Access Points (APs) that are wired to the corporate network and are compliant with the Authorized Wireless LAN (WLAN) configuration defined by the Administrator in CV-CUE are classified as Authorized APs. Typically, these will be Arista APs, but the administrator can configure the Authorized WiFi policies for any AP vendors.

Rogue Access Point

APs that are wired to the corporate network and do not follow the Authorized WiFi configuration defined in CV-CUE are classified as Rogue APs.

Even if this AP is disconnected from the network, it will continue to be classified as a Rogue. These APs are a potential threat to the corporate environment and can be used for intrusion into the corporate network over Wi-Fi. It is recommended to enable Intrusion Prevention for Rogue APs so that Wi-Fi communication with these APs is always disrupted. Using the Location Tracking ability of Arista WIPS, Rogue APs should be tracked down and physically removed from the network. Rogue APs are displayed in Red rows on the console.

External Access Point

APs that are not wired to your corporate network are classified as External APs. Through the connectivity tests performed by the WIPS Sensors, Wireless Manager is able to determine that these APs are not connected to the wired network. These are neighboring APs that share the same spectrum as the Authorized APs and may cause interference with your Authorized WLAN. A site survey and channel optimization should be performed to reduce radio interference from the External APs. These APs are not always a threat and hence they should not be quarantined/prevented by default, as it would disrupt neighboring Wi-Fi activity. Intrusion Prevention policies can be configured to prevent Authorized clients from connecting to External APs.

A Rogue Access point can be reclassified, moved or named from the 3-dots menu for each detected AP.

Within an existing campus WiFi environment or one with a mix of wireless solutions, these discovered APs can be explicitly allowed to show the most accurate security profile.

For this lab you do not need to authorize any APs.

Classify and Prevent Individual client¶

Next, let’s use the WIPS system to identify and prevent an example problematic client from connecting to your network.

Navigate to WIPS > Clients
Find your smartphone device connected to the previous PSK SSID. Reconnect if it has been disconnected.
Since this client is associated with the correct PSK for the SSID, it is automatically classified as Authorized.
Next, click the 3-dots menu for the device, Change Classification, Rogue
Now, sort the clients menu by Classification column (left) and find the red marked Rogue device.
Next, Select the 3-dots menu for the Rogue client and click “Prevent This Device”
Click Prevent to start the WIPS prevention mechanism to disrupt the selected client from sending and receiving traffic.
Try to connect to a public website with your test client device with the prevention setting enabled versus disabled (be sure to disable backup wireless/LTE radios).
The test device should fail to connect to other devices through the protected WiFi network when prevention is active.
When you are finished, STOP the client prevention

STOP Client Protection

🛑 When you are finished, STOP the client prevention so that you can use this test device in upcoming labs, optionally. 🛑

Key	Value
View Mode	Severity Timeline
Show Active Only	True
Dataset	`Access-Pod: IDF1`

Key	Value
Data Source	Devices
Metrics #1	802.1X Interface Count
Metrics #2	CPU Utilization
Metrics #3	Total Power Granted
Metrics #4	ARP Table Size
Metrics #5	Boot Time

Key	Value
Severity	`Critical`, `Error`
Type #1	`Unexpected Link Shutdown
Type #2	`Device Clock Out of Sync`

Field	Student 1	Student 2
Portal Name	`ATD-##-GUEST`	`ATD-##-GUEST`
Authentication Types	Clickthrough	Clickthrough
Re-Authuthenticate Guest	Always	Always
CAPTCHA	Disabled	Disabled

Setting	Value
Tunnel Interface Name	tunnel-##
Tunnel Type	`VXLAN`
Remote Endpoint	1.1.1.1
Local Endpoint VLAN	0
VXLAN VNI Offset	10200

Field	Value
Security Method	WPA2 / 802.1X
Radius Settings	Select `RadSec`
Authentication Server	`AGNI-##`
Accounting Server	`AGNI-##`

Setting	Student 1
Name	`ATD-POD01`
Location	`Locations`
TACACS+ Termination	Enabled
Shared Secret Name	`Access`
Value	`Arista!123`

Setting	Value
Name	`network-admin`
Description	`Network Administrator`
Privilege Level	15
Allow Enabled	Enabled
Action for unmatched commands	Permit

Setting	Value
Enable Device Administration	Enabled
Authorized User Groups	Employees
Device Login Pass Validity	30

Setting	Value
Name	network-admin
Description	Network Administrator
Policy Type	TACACS+
Status	Enabled
Condition	`User:Group` `is` `Employees`
Action	`TACACSProfile` `network-admin`

Home

Arista Campus Workshop¶

Campus Workshop

Wired Guides¶

Wireless Guides¶

Security Guides¶

Tools For The Job¶

Lab Access¶

Lab Environment¶

Important Notes¶

Lab Credentials¶

Topology¶

Lab Assignment¶

Wired Lab Guides

A-01 | Explore EOS¶

Overview¶

Completely Different, Totally Familiar¶

MLAG & VARP¶

Closing Out¶

Streaming Telemetry¶

Additional Fun Commands¶

🤖 AI Lab Assistant¶

🚀 A01 Lab Automation Agent

A-02-ATD | Provisioning a Campus Fabric - Virtual Lab¶

Overview¶

ATD Lab Access¶

Student and Pod Assignment¶

A-03 | Switch Onboarding with Inventory Studio & Access Interface Configuration¶

Overview¶

Topology¶

CloudVision Login¶

Part 1: Switch Onboarding with Inventory Studio¶

Video Walkthrough¶

Onboarding Your Switch¶

Step 1: Access Inventory Studio¶

Step 2: Identify Your Device¶

Video Walkthrough - Applying base configuration¶

Step 3: Apply Base Network Configuration¶

Verification¶

Troubleshooting¶

Switch Onboarding Issues¶

Part 2: Access Interface Configuration¶

Video Walkthrough - Build the Campus Fabric¶

Step 1: Build the Campus Fabric¶

Creating Port Profiles¶

Assigning Port Profiles¶

Adding a VLAN¶

Rollback a Change Control¶

A-04 | Operations, Dashboards, and Events¶

Overview¶

Intro to Network Hierarchy¶

Configuration Compliance¶

Dashboards¶

Campus Health Overview¶

Device Health¶

Custom Dashboard¶

Events¶

Customize Notifications¶

Wireless Lab Guides

B-01 | Arista Wireless Setup¶

Overview¶

Topology¶

CV-CUE Login¶

Arista Launchpad¶

Add a User and Assign Privileges¶

AP Registration¶

CV-CUE CloudVision WiFi Access¶

Assign AP Name¶

Managing the Configuration Hierarchy¶

Moving AP to Location¶

Adjusting Power/Channels¶

Assign Floor Plan¶

Creating a PSK SSID¶

B-02 | WiFi Troubleshooting¶

Overview¶

Client Troubleshooting¶

🤖 AI Lab Assistant¶

🚀 B02 Lab Automation Agent

🖥️ Lab Execution Output

B-03 | Guest Wireless with AGNI¶