CloudVision

Configuration Guide

Arista Networks
www.arista.com

CloudVision, version 2023.1.0 V2.0

July 2023
 Headquarters Support Sales
5453 Great America Parkway +1 408 547-5502 +1 408 547-5501
Santa Clara, CA 95054 +1 866 476-0000 +1 866 497-0000
USA [email protected] [email protected]
+1 408 547-5500
www.arista.com

© Copyright 2023 Arista Networks, Inc. All rights reserved. The information contained
herein is subject to change without notice. The trademarks, logos and service marks
("Marks") displayed in this documentation are the property of Arista Networks in the
United States and other countries. Use of the Marks are subject to Arista Network’s Term of
Use Policy, available at www.arista.com/en/terms-of-use. Use of marks belonging to other
parties is for informational purposes only.

ii Configuration Guide: CloudVision version 2023.1.0

 Contents

Contents

Chapter 1: Introduction to CloudVision........................................................1

Chapter 2: CloudVision Portal (CVP) Overview........................................... 3

2.1 CV-CUE............................................................................................................................................. 4
2.1.1 CV-CUE HA Mode Operation..............................................................................................4
2.1.2 Key Features of CV-CUE on CV.........................................................................................5
2.1.3 Capacity of CV-CUE on CV................................................................................................ 5
2.2 CVP Cluster Mechanism................................................................................................................... 5
2.3 System Requirements....................................................................................................................... 6
2.4 Key CVP Terms................................................................................................................................ 7
2.5 CVP Virtual Appliance....................................................................................................................... 9

Chapter 3: CloudVision Portal (CVP) Setup............................................... 11

3.1 Deploying CVP OVA on ESX..........................................................................................................12
3.1.1 VMware vMotion and Snapshot Support...........................................................................17
3.2 Deploying CVP on KVM..................................................................................................................18
3.2.1 Downloading and extracting the CVP KVM tarball (.tgz archive)...................................... 18
3.2.2 Creating Virtual Bridge and Network Interface Cards (NIC).............................................. 19
3.2.3 Generating the XML file that defines the CVP VM............................................................20
3.2.4 Defining and Launching the CVP VM............................................................................... 20
3.3 Set Up CV-CUE on CV...................................................................................................................21
3.3.1 Setup CV-CUE on a Standalone CV.................................................................................21
3.3.2 Set Up CV-CUE on a CV Cluster..................................................................................... 22
3.4 Shell-based Configuration............................................................................................................... 23
3.4.1 Configuring a Single-Node CVP Instance using CVP Shell.............................................. 23
3.4.2 Configuring Multi-node CVP Instances Using the CVP Shell............................................ 27
3.5 Shell Reconfiguration of Single-node, Multi-node Systems............................................................ 40
3.5.1 Single-node Shell Reconfiguration.................................................................................... 40
3.5.2 Multi-node Shell Reconfiguration.......................................................................................40
3.6 ISO-based Configuration................................................................................................................. 43
3.6.1 Create a YAML Document................................................................................................ 43
3.6.2 Feed the YAML File into the geniso.py Tool.....................................................................44
3.6.3 Map ISO to the VM's CD-ROM Drive................................................................................45
3.7 Certificate-Based TerminAttr Authentication....................................................................................49
3.7.1 Enabling Certificate-Based TerminAttr Authentication.......................................................49
3.7.2 Switching the Authentication from Certificates to Shared Keys.........................................50
3.7.3 Switching the Authentication from Shared Keys to Certificates.........................................51
3.7.4 Reboarding Existing Devices.............................................................................................52
3.7.5 Re-ZTP On-Boarded Devices............................................................................................53
3.8 NAT Support.................................................................................................................................... 54
3.8.1 NAT Support Pre 2021.3.0................................................................................................ 54
3.8.2 NAT Support Post 2021.3.0.............................................................................................. 55
3.8.3 Known Caveats..................................................................................................................56

Chapter 4: CloudVision as-a-Service.......................................................... 57

4.1 Prerequisites.................................................................................................................................... 57

iii
 4.1.1 Software Requirements..................................................................................................... 57
4.1.2 Connectivity Requirements................................................................................................ 57
4.1.3 Authentication Requirements............................................................................................. 58
4.2 Onboarding Procedures...................................................................................................................59
4.2.1 Onboarding Authentication Providers................................................................................ 59
4.2.2 Onboarding Devices: Token-Based Authentication........................................................... 61
4.2.3 Subscribing to CloudVision as-a-Service updates.............................................................65
4.3 AAA Providers................................................................................................................................. 65
4.3.1 Requirements..................................................................................................................... 65
4.3.2 Setting up an OAuth and SAML Providers in CloudVision................................................ 66
4.3.3 Setting up CloudVision with Identity Provider....................................................................71
4.3.4 Logging in with a Provider.................................................................................................71
4.3.5 Adding Launchpad as a Provider...................................................................................... 71

Chapter 5: Getting Started (CVP)................................................................ 75

5.1 Accessing the CVP Login Page...................................................................................................... 75
5.2 Accessing the Home Page..............................................................................................................76
5.3 Omnibox...........................................................................................................................................77
5.4 Customizing the Home Screen and Dashboard Logo.....................................................................79
5.5 Accessing CV-CUE..........................................................................................................................80
5.6 Key CV-CUE Operations and Directories....................................................................................... 82
5.6.1 Wifimanager Directories.....................................................................................................83
5.7 Wifimanager CLI Commands.......................................................................................................... 83

Chapter 6: General Customizations............................................................ 89

6.1 Column Customization.....................................................................................................................89
6.2 Pagination Controls......................................................................................................................... 90

Chapter 7: Device Management...................................................................91

7.1 Requirements...................................................................................................................................91
7.2 Limitations........................................................................................................................................ 92
7.3 Features........................................................................................................................................... 92
7.3.1 Supported Features........................................................................................................... 92
7.3.2 Unsupported Features....................................................................................................... 94
7.4 Telemetry Platform Components.....................................................................................................94
7.4.1 NetDB State Streaming Component..................................................................................94
7.4.2 CloudVision Analytics Engine Component........................................................................ 94
7.5 Supplementary Services: Splunk.....................................................................................................95
7.5.1 Requirement.......................................................................................................................95
7.5.2 Installation.......................................................................................................................... 95
7.5.3 Quick Start......................................................................................................................... 96
7.6 Architecture...................................................................................................................................... 96
7.7 Accessing the Telemetry Browser Screen...................................................................................... 97
7.8 Viewing Devices.............................................................................................................................. 98
7.8.1 Tiles View.......................................................................................................................... 98
7.8.2 Tabular View...................................................................................................................... 99
7.9 Viewing Device Details....................................................................................................................99
7.9.1 Device Overview.............................................................................................................. 101
7.9.2 System Information.......................................................................................................... 103
7.9.3 Compliance...................................................................................................................... 103
7.9.4 Environment Details.........................................................................................................104
7.9.5 Switching Information.......................................................................................................104
7.9.6 Routing Information..........................................................................................................105

iv
 Contents

7.9.7 802.1X Metrics................................................................................................................. 105

7.9.8 Viewing Traffic Flows.......................................................................................................107
7.9.9 Address Search............................................................................................................... 116
7.9.10 Status of Interfaces........................................................................................................118
7.10 Viewing Connected Endpoints.....................................................................................................120
Enabling DHCP Collector..........................................................................................................120
Accessing the Connected Endpoints Summary Screen........................................................... 120
7.11 Connectivity Monitor and CloudTracer........................................................................................ 121
7.11.1 Accessing the Connectivity Monitor and CloudTracer Screen.......................................122
7.11.2 Connectivity Monitor with VRF Support.........................................................................123
7.12 Managing Tags............................................................................................................................ 125
7.12.1 Creating and Assigning Tags........................................................................................ 125
7.12.2 Deleting Assigned Tags.................................................................................................126
7.12.3 Adding Tags to Multiple Devices................................................................................... 127
7.12.4 Removing Tags from Multiple Devices.......................................................................... 128
7.12.5 Deleting Unassigned Tags.............................................................................................130
7.13 Accessing Dashboards................................................................................................................ 131
7.13.1 Dashboard Manager...................................................................................................... 131
7.13.2 Editing and Creating Dashboards..................................................................................132
7.13.3 Syslog Panel.................................................................................................................. 133
7.13.4 Dashboards with Custom Query Language widget....................................................... 134
7.13.5 Dashboard Preview........................................................................................................134
7.14 Topology View............................................................................................................................. 134
7.14.1 Setup.............................................................................................................................. 134
7.14.2 Overlays......................................................................................................................... 135
7.14.3 Custom Topology Views................................................................................................ 136
7.14.4 Changing the Node Type.............................................................................................. 138
7.14.5 Nodes and Features...................................................................................................... 139
7.15 Accessing Events........................................................................................................................ 139
7.15.1 Events Summary Screen............................................................................................... 140
7.15.2 Event Details Screen..................................................................................................... 142
7.15.3 Configuring Event Generations......................................................................................145
7.15.4 Custom Syslog Events...................................................................................................151
7.15.5 Managing Events........................................................................................................... 155
7.15.6 Acknowledging Events...................................................................................................157
7.15.7 Configuring Notifications................................................................................................ 158
7.16 Events App.................................................................................................................................. 164
7.16.1 Event Summary............................................................................................................. 164
7.16.2 Events Table.................................................................................................................. 166
7.16.3 Event Filters................................................................................................................... 166
7.17 Packaging.................................................................................................................................... 167
7.17.1 Create a Package..........................................................................................................168
7.17.2 Installing a Package...................................................................................................... 169
7.17.3 Updating a Package...................................................................................................... 170
7.18 Troubleshooting........................................................................................................................... 170
7.18.1 General Troubleshooting............................................................................................... 170
7.18.2 Troubleshooting the NetDB State Streaming Agent...................................................... 171
7.18.3 Checking the Status of the Ingest Port......................................................................... 172

Chapter 8: Device Comparison Application............................................. 173

8.1 Comparison Dashboard.................................................................................................................173
8.1.1 Accessing the Comparison Browser Screen................................................................... 173
8.2 Running Configuration................................................................................................................... 175
8.2.1 Supported Snapshots...................................................................................................... 175
8.3 Snapshots...................................................................................................................................... 176

v
 8.4 ARP Table..................................................................................................................................... 176
8.5 Comparing NDP Table.................................................................................................................. 177
8.6 MAC Address Table...................................................................................................................... 178
8.7 VXLAN Table................................................................................................................................. 180
8.8 Viewing Device IPv4 Routing Table..............................................................................................182
8.9 Viewing Device IPv6 Routing Table..............................................................................................183
8.10 Comparing IPv4 Multicast Table................................................................................................. 184

Chapter 9: Network Compliance (CVP).....................................................187

9.1 Device Compliance........................................................................................................................189
9.1.1 Device Compliance Status Indicators.............................................................................. 189
9.1.2 Device Compliance Checks.............................................................................................192
9.1.3 Device Access Alerts....................................................................................................... 192
9.2 Notifications for Container-level Compliance Checks and Reconciles.......................................... 193
9.3 Compliance Dashboard................................................................................................................. 194
9.4 Print Compliance Dashboard.........................................................................................................198
9.5 Setup for Automatic Sync of Compliance Bug Database..............................................................199

Chapter 10: Network Provisioning (CVP)................................................. 201

10.1 Network Provisioning View.......................................................................................................... 202
10.1.1 Network Provisioning Screen Options........................................................................... 202
10.1.2 Changing Between Network Provisioning View and List View...................................... 204
10.2 Container Level Actions.............................................................................................................. 205
10.2.1 Creating a Container..................................................................................................... 205
10.2.2 Deleting a Container...................................................................................................... 205
10.2.3 Renaming a Container...................................................................................................206
10.3 Device Bootstrap Process........................................................................................................... 206
10.4 Device-level Actions.................................................................................................................... 206
10.4.1 Adding Devices (from Undefined Container)................................................................. 209
10.4.2 Deploying vEOS Routers...............................................................................................210
10.4.3 Registering Devices....................................................................................................... 218
10.4.4 Moving Devices from one Container to Another Container........................................... 221
10.4.5 Removing a Device from a Container........................................................................... 223
10.4.6 Device Factory Reset.................................................................................................... 226
10.5 Replacing Switches Using the ZTR Feature............................................................................... 228
10.6 Managing Configurations.............................................................................................................231
10.6.1 Applying Configurations to Containers.......................................................................... 231
10.6.2 Applying Configurations to a Device............................................................................. 231
10.6.3 Viewing the Configuration Applied to Devices...............................................................232
10.6.4 Rolling Back Configurations Assigned to a Device....................................................... 233
10.7 Configuration Validation...............................................................................................................233
10.8 Using Hashed Passwords for Configuration Tasks.....................................................................233
10.9 Reconciling Configuration Differences........................................................................................ 234
10.9.1 Key Terms......................................................................................................................234
10.9.2 Reconciling Device Configurations Differences at the Container Level......................... 234
10.9.3 Reconciling Device Configurations at the Device Level................................................ 236
10.10 Managing EOS Images Applied to Devices.............................................................................. 237
10.10.1 Applying an Image Bundle to a Container...................................................................238
10.10.2 Viewing the Image Bundle Assigned to Devices......................................................... 238
10.10.3 Applying an Image Bundle to a Device....................................................................... 239
10.10.4 Setting up an Image Bundle as the default for ZTP.................................................... 239
10.11 Rolling Back Images and Configurations.................................................................................. 239
10.11.1 Rolling Back Container Images and Configurations.................................................... 240
10.11.2 Rolling Back Device Images and Configurations.........................................................240

vi
 Contents

10.11.3 Rolling Back Configurations Assigned to a Device..................................................... 242

10.12 Device Labels............................................................................................................................ 242
10.12.1 System Labels............................................................................................................. 242
10.12.2 Custom Device Labels.................................................................................................242
10.12.3 Left Pane Behavior in Network Provisioning View...................................................... 245
10.13 Viewing Containers and Devices...............................................................................................245
10.13.1 Expanding and Collapsing Containers.........................................................................246
10.13.2 Show From Here......................................................................................................... 246
10.13.3 Show Full Topology..................................................................................................... 246
10.14 Network Search......................................................................................................................... 247
10.14.1 Search Behavior in Topology and List View................................................................247
10.14.2 Topology Search..........................................................................................................247
10.14.3 List View Search..........................................................................................................247
10.14.4 Search in Other Grids..................................................................................................248
10.14.5 Label Search................................................................................................................248
10.14.6 Preview Option.............................................................................................................249
10.15 Management IP......................................................................................................................... 250
10.15.1 Changing A Device's Management IP.........................................................................250
10.15.2 Setting Proposed Management IP...............................................................................251
10.15.3 Changing Current Management IP.............................................................................. 252

Chapter 11: Configlet Management (CVP)................................................255

11.1 Creating Configlets...................................................................................................................... 256
11.1.1 About the Configlet Builder Feature.............................................................................. 256
11.1.2 Creating Configlets Using the Configlet Builder............................................................ 257
11.1.3 Using the Provided Configlet Builder Examples............................................................ 266
11.1.4 Python Execution Environment......................................................................................268
11.1.5 Creating Configlets Manually.........................................................................................270
11.2 Configlet Information Page.......................................................................................................... 271
11.2.1 Tabs in Configlet Information Page............................................................................... 271
11.3 Editing Configlets.........................................................................................................................275
11.4 Tips for Applying Profiles to the Interfaces................................................................................. 276
11.5 Deleting Configlets.......................................................................................................................276
11.6 Importing and Exporting Configlets............................................................................................. 276
11.6.1 Protection from Overwriting Configlets or Configlet Builders.........................................277
11.6.2 Importing Configlets or Configlet Builders..................................................................... 277
11.6.3 Exporting Configlets or Configlet Builders..................................................................... 278

Chapter 12: Image Management (CVP)..................................................... 279

12.1 Image Management Page........................................................................................................... 279
12.2 Validating Images........................................................................................................................ 280
12.2.1 Alerts Indicating Unsupported EOS Image Versions..................................................... 280
12.3 Upgrading Extensible Operating System (EOS) Images.............................................................281
12.3.1 Example of Image Association...................................................................................... 281
12.3.2 Tip for Handling Multiple Image Association Tasks.......................................................282
12.4 Creating Image Bundles..............................................................................................................284
12.4.1 Creating a Bundle by Tagging Existing Image Bundles................................................ 284
12.4.2 Creating a Bundle by Uploading a New Image............................................................. 285
12.4.3 Adding EOS Extensions to Image Bundles................................................................... 286
12.5 The Bundle Information Page..................................................................................................... 287
12.5.1 Summary Tab................................................................................................................ 288
12.5.2 Logs Tab........................................................................................................................ 288
12.5.3 Applied Containers Tab................................................................................................. 289
12.5.4 Applied Devices Tab......................................................................................................289

vii
 12.5.5 Updating Bundles...........................................................................................................289
12.5.6 Deleting Bundles............................................................................................................290

Chapter 13: Partial Configuration Management.......................................293

13.1 Filters for Categorizing Sections in the Configuration................................................................. 294
13.1.1 Filter Pattern.................................................................................................................. 294
13.1.2 Filter Type...................................................................................................................... 296
13.2 Enabling Partial Configuration Management............................................................................... 297
13.3 Filter Management.......................................................................................................................298
13.4 Creating a New Filter.................................................................................................................. 299
13.5 Implications of Applied Filters..................................................................................................... 300
13.6 Examples of Filter Management................................................................................................. 301

Chapter 14: Change Control...................................................................... 305

14.1 Basic Options for Handling Tasks...............................................................................................305
14.1.1 Creating Tasks...............................................................................................................305
14.2 Using the Tasks Module..............................................................................................................306
14.2.1 Accessing the Tasks Summary Screen.........................................................................306
14.2.2 Creating Change Controls from the Tasks Summary Screen........................................307
14.2.3 Creating Change Controls from the Change Controls Summary Screen.......................308
14.2.4 Accessing the Tasks Details Screen............................................................................. 310
14.2.5 Task Status.................................................................................................................... 311
14.3 Using the Change Control Module..............................................................................................312
14.3.1 Accessing the Change Control Summary Screen......................................................... 313
14.3.2 Accessing the Open Change Control Details Screen....................................................314
14.3.3 Creating Change Controls from the Change Controls Summary Screen.......................318
14.3.4 Accessing the Open Change Control Details Screen....................................................320
14.4 Non-Author Change Control Review........................................................................................... 329
14.5 Change Control Template........................................................................................................... 331
14.5.1 Action Bundles............................................................................................................... 331
14.5.2 Templates.......................................................................................................................336

Chapter 15: Authentication & Authorization (CVP)................................. 341

15.1 Access Requirements for Image Bundle Upgrades.................................................................... 341
15.2 Managing AAA Servers............................................................................................................... 342
15.2.1 Adding AAA Servers...................................................................................................... 342
15.2.2 Modifying AAA Servers..................................................................................................343
15.2.3 Removing AAA Servers................................................................................................. 346
15.3 About Users and Roles............................................................................................................... 348
15.3.1 Default Roles................................................................................................................. 349
15.4 Managing User Accounts............................................................................................................ 349
15.4.1 Adding New User Accounts...........................................................................................349
15.4.2 Modifying User Accounts............................................................................................... 351
15.4.3 Removing User Accounts.............................................................................................. 351
15.5 Managing User Roles..................................................................................................................352
15.5.1 Adding New User Roles................................................................................................ 352
15.5.2 Modifying User Roles.................................................................................................... 354
15.5.3 Removing User Roles....................................................................................................355
15.6 Service Accounts......................................................................................................................... 355
15.6.1 Adding Service Accounts...............................................................................................356
15.6.2 Editing Service Accounts............................................................................................... 357
15.6.3 Adding Tokens to Service Accounts..............................................................................357
15.6.4 Deleting Service Account Tokens..................................................................................358

viii
 Contents

15.7 Viewing Activity Logs...................................................................................................................360

15.8 Advanced Login Options............................................................................................................. 360
15.9 Access to the Access Control Page............................................................................................361

Chapter 16: CloudVision Topology........................................................... 363

16.1 Main Panel of the Topology Screen............................................................................................364
16.2 Topology Overview...................................................................................................................... 367
16.3 Topology Layout Pane................................................................................................................ 368
16.4 Topology Options Pane...............................................................................................................369
16.5 Container Details Pane............................................................................................................... 371
16.6 Device Details Pane.................................................................................................................... 372
16.7 Link Details Panel........................................................................................................................373
16.8 Flow Visibility............................................................................................................................... 374

Chapter 17: CloudVision Studios.............................................................. 379

17.1 Getting Started with Studios........................................................................................................380
17.2 Accessing Studios....................................................................................................................... 381
17.2.1 Per-Studio Role Based Access Control.........................................................................382
17.3 Workflow Overview...................................................................................................................... 387
17.3.1 Commissioning Devices for Use in Studios...................................................................387
17.3.2 Creating a Workspace................................................................................................... 388
17.3.3 Configuring an Existing Studio...................................................................................... 388
17.3.4 Creating a New Studio.................................................................................................. 390
17.3.5 Submitting a Workspace................................................................................................392
17.4 Studio Elements and Functions.................................................................................................. 393
17.4.1 Reviewing a Workspace................................................................................................ 393
17.4.2 Tags............................................................................................................................... 396
17.4.3 Schema.......................................................................................................................... 399
17.4.4 Template........................................................................................................................ 400
17.4.5 Importing and Exporting Studios................................................................................... 401
17.5 Built-In Studios.............................................................................................................................401
17.5.1 Inventory and Topology................................................................................................. 402
17.5.2 Connectivity Monitor...................................................................................................... 403
17.5.3 Date and Time............................................................................................................... 405
17.5.4 Interface Configuration...................................................................................................407
17.5.5 Streaming Telemetry Agent........................................................................................... 409
17.5.6 Campus Fabric...............................................................................................................411
17.5.7 Layer 3 Leaf-Spine........................................................................................................ 414
17.5.8 EVPN Services.............................................................................................................. 418
17.5.9 Segment Security...........................................................................................................424
17.6 MSS-G with Dynamic Configuration from Forescout.................................................................. 425
17.6.1 Deployment Guidelines.................................................................................................. 426
17.6.2 Install the Arista MSS-G Module................................................................................... 427
17.6.3 Specify Group Assignments with Forescout Policy Manager........................................ 428
17.6.4 Define segment policies in eyeSegment....................................................................... 429
17.6.5 Forescout with Studios.................................................................................................. 430
17.7 ISE/MSS-G Integration................................................................................................................ 430
17.7.1 Prerequisites.................................................................................................................. 430
17.7.2 Certificates for pxGrid integration.................................................................................. 431
17.7.3 Configuring the ISE Collector........................................................................................ 431

Chapter 18: Using Snapshots to Monitor Devices.................................. 433

18.1 About Snapshots......................................................................................................................... 433

ix
 18.2 Standard Information in Snapshots............................................................................................. 433
18.3 How to Use Snapshots............................................................................................................... 434
18.4 Accessing Snapshots.................................................................................................................. 434
18.5 Accessing Snapshot Configurations............................................................................................435
18.6 Defining Custom Snapshot Templates........................................................................................435
18.7 Editing Custom Snapshot Templates.......................................................................................... 437
18.8 Viewing Snapshots Differences...................................................................................................437

Chapter 19: Backup & Restore, Upgrades, DNS NTP Server

Migration...................................................................................................441
19.1 Backup and Restore....................................................................................................................441
19.1.1 Requirements for Multi-node Installations..................................................................... 441
19.1.2 Using CVPI Commands to Backup and Restore CV-CUE Data....................................441
19.1.3 Using CVPI Commands to Backup and Restore CVP Provisioning Data...................... 442
19.2 Upgrading CloudVision Portal (CVP).......................................................................................... 444
19.2.1 Upgrades........................................................................................................................445
19.2.2 CVP Node RMA.............................................................................................................446
19.2.3 CVP / EOS Dependencies.............................................................................................453
19.2.4 Upgrade CV-CUE As Part of a CV Upgrade.................................................................453
19.3 DNS / NTP Server Migration....................................................................................................... 453
19.3.1 How to Modify the DNS and NTP Configuration........................................................... 454

Chapter 20: Supplementary Services........................................................455

20.1 HTTPS Certificates Setup........................................................................................................... 456
20.1.1 Generating and Installing Self-Signed Certificate.......................................................... 458
20.1.2 Installing Public Certificate.............................................................................................459
20.1.3 Creating a CSR............................................................................................................. 459
20.1.4 Renewing the Certificate Authority................................................................................ 463
20.2 Customizing TLS and SSH Ciphers............................................................................................464
20.2.1 Configuring Custom TLS Ciphers..................................................................................464
20.2.2 Configuring Custom SSH Cipher...................................................................................464
20.3 DHCP Service for Zero Touch Provisioning (ZTP) Setup........................................................... 464
20.4 RADIUS or TACACS Authentication Setup.................................................................................465
20.5 Background Tasks....................................................................................................................... 466
20.5.1 Scheduling and Viewing Cronjobs.................................................................................467
20.6 Resetting cvpadmin Password.................................................................................................... 467
20.7 Optional SAN IP field in CVP Certificate.................................................................................... 468
20.7.1 Creating a certificate without SAN IP............................................................................ 468

Chapter 21: Troubleshooting and Health Checks....................................469

21.1 System Recovery.........................................................................................................................469
21.1.1 CVP Re-Install without VM Redeployment.................................................................... 469
21.2 VM Redeployment....................................................................................................................... 471
21.3 Health Checks............................................................................................................................. 471
21.3.1 Running Health Checks................................................................................................. 472
21.4 Resource Checks........................................................................................................................ 473
21.4.1 Running CVP node VM Resource Checks....................................................................473
21.4.2 Increasing Disk Size of VMs Upgraded to CVP Version 2017.2.0.................................474
21.4.3 Increasing CVP Node VM Memory Allocation............................................................... 475

x
 Chapter 1

Introduction to CloudVision
CloudVision is a turnkey solution for network-wide workload orchestration and work flow automation. It was
specifically designed to complement SDN (virtualization) controller solutions that orchestrate virtual network
overlays, by focusing on work flow visibility, automation tasks, and initial or ongoing network provisioning
across the underlying physical network.
CloudVision components are packaged as a virtual appliance and operate as a highly available cluster with
role based privileges integrated into existing authentication tools (AAA, RADIUS, TACACS). For maximum
operational flexibility, CloudVision can be managed with the interactive CVP command line interface (CLI), the
open API for granular programmatic access, or a web-based portal interface.
The foundation of CloudVision is an infrastructure service, sharing, and aggregating working state of physical
switches running EOS to provide network visibility and central coordination. State from each participating
EOS node is registered to CloudVision using the same publish/subscribe architecture of the EOS system
database (SysDB). By communicating to each participating switch instance using a high performance binary
API, CloudVision will actively synchronize state relevant to network-wide operational tasks.
The CloudVision web-based portal combines the most common operational tasks into a dashboard view
decoupled from the underlying hardware. Workflow automation in CloudVision permits operators to execute
common deployment and configuration tasks from a single visual touch point. The portal includes a
turnkey solution for Arista's Zero Touch Provisioning (ZTP) and extends that from automating initial device
provisioning to also include automating ongoing change controls over the operational life cycle of the device.
Using CloudVision, operators can organize devices in logical hierarchies through the use of containers and
list of configlets for rapid categorization of devices by role, type, or other specification. Configurations can
be broken down into more manageable configlets that are built and stored directly on CloudVision, ready for
network-wide or group-specific provisioning. The CloudVision database also keeps historical data, including a
history of network state, configuration and software versions. This state can be used for taking a network-wide
snapshot for change control verification of the network, helping to simplify the change management process
and reduce maintenance window times.
For more information, see:
• CloudVision Portal (CVP) Overview
• CloudVision Portal (CVP) Setup
• Getting Started (CVP)

1
2
 Chapter 2

CloudVision Portal (CVP) Overview

CloudVision Portal (CVP) is the web-based GUI for the CloudVision platform.
The Portal provides a turnkey solution for automating network operations, including network device
provisioning, compliance, change management, and network monitoring. It communicates southbound to
Arista switches via eAPI and has open standard APIs northbound for integration with 3rd-party or inhouse
service management suites.
CloudVision Portal (CVP) overview shows CloudVision as the network control point between the physical
infrastructure (network layer) and the layer of service management.
Figure 1: CloudVision Portal (CVP) overview

Sections in this chapter include:

• CV-CUE
• CVP Cluster Mechanism
• System Requirements
• Key CVP Terms
• CVP Virtual Appliance

3
2.1 CV-CUE
The CV-CUE service is available as a container on the Arista CloudVision platform. Once you activate the
CV-CUE service, you can configure, monitor, troubleshoot, and upgrade Arista WiFi access points using the
cognitive CV-CUE UI.
CV-CUE Architecture provides a conceptual overview of the Arista CV-CUE solution.
Figure 2: CV-CUE Architecture

CV-CUE is containerized within the CV whether it's CVA (CV on a CV appliance) or a standalone CV VM. The
CV-CUE service runs on both single-node CV and CV cluster. In case of a CV cluster, CV-CUE operates as a
single logical instance in High Availability mode (HA-mode).
• CV-CUE HA Mode Operation
• Key Features of CV-CUE on CV
• Capacity of CV-CUE on CV

2.1.1 CV-CUE HA Mode Operation

When setting up CV-CUE for the first time, it must be enabled on all the nodes of a cluster. Once CV-CUE
is enabled, then at boot time, the CV-CUE service on the primary node automatically becomes the Active
instance, and the one on the secondary node becomes the Standby instance. The HA failover and recovery
mechanisms work exactly as expected. That is, if the primary node goes down, the CV-CUE instance on the
secondary node becomes active. When the primary node rejoins the cluster, a split-brain recovery kicks in
and re-elects the new active and standby containers.

4
 CloudVision Portal (CVP) Overview

2.1.2 Key Features of CV-CUE on CV

Except for OS and kernel processes, the CV-CUE service on CV runs all the application processes required
to manage Arista CV-CUE and wireless intrusion prevention system (WIPS). Some key features of the CV-
CUE service are as follows:
• CV-CUE uses ports 3851 and 161 (both UDP) for all CV communication with external entities. These ports
need to be opened in your network.
• CV-CUE consists of two key components:
• wifimanager, the server that manages the CV-CUE network.
• aware, the cognitive CV-CUE UI of the server.

2.1.3 Capacity of CV-CUE on CV

The table below shows the number of access points (APs) that a CV-CUE container supports for the given
CPU, RAM, and hard disk settings. The CPU and RAM values displayed in this table are the default settings
for a DCA-200 device; the actual capacity may vary based on deployment, environment, and load.

Table 1: Capacity of CV-CUE on CV

Setting Up to 5000 APs

CPU 8 Core
RAM 32 GB
Hard Disk 250 GB

2.2 CVP Cluster Mechanism

CVP consists of distributed components such as Zookeeper, Hadoop/HDFS and HBase. Zookeeper provides
consensus and configuration tracking mechanism across a cluster. Hadoop/HDFS is a distributed and
redundant data store while HBase is a distributed key/value store. Running these services in a reliable
fashion on multiple nodes require a quorum mechanism which is subject to limitations imposed by that
mechanism.

CVP Cluster and Single Node Failure Tolerance

In absence of a quorum or a quorum leader, each node assumes itself to be the cluster leader in a three-node
cluster leading to chaos and even data corruption. This leads to the quorum constraint for CVP cluster where
only single node failure can survive. For example, a single node is allowed to form a cluster in a three-node
cluster. In such cases, if cluster nodes cannot communicate with each other, all three nodes assume itself
to be the lone survivor and operate accordingly. This is called a split-brain scenario where the original three-
node cluster has split into multiple parts.
In real scenarios, assume only two nodes are active after a reboot and they failed to connect with each other.
As no quorum is required, each node elects itself as the cluster leader. Now two clusters are formed where
each cluster captures different data. For example, devices can be deleted from one cluster but not from the
other. Device status is in compliance in one cluster but not on the other, etc. Additionally, services that store
zookeeper configuration now has two copies with different data. Consequently, there is no effective way to
reconcile the data when these nodes re-establish communication.
Let's consider HBase component in CVP. HBase is a distributed key-value store and splits its data across
all cluster nodes. Let's assume that one node splits off from other two. If a single node can form a cluster,
this single node forms one cluster and the other two together forms another cluster. It means that there are 2
HBase masters. That is the process which keeps track of metadata for all key/value pairs in HBase. In other

5
 words, HBase creates two independent sets of metadata which can even frustrate manual reconciliation.
In essence, distributed infrastructure pieces must meet mandatory quorum requirements and which in turn
means we cannot survive more than a single node failure.
Another reason to not tolerate dual node failures in a three-node CVP cluster is that all nodes are not made
the same and total capacity of the cluster is more than what a single node can handle. Some services might
be configured to run only on two of the three nodes and will fail when attempted to run on another. The total
configured capacity of CVP cluster is 2 times that of a single node. That means in a three-node cluster, two
nodes will have the capacity to run everything but one node cannot. Hence in a cluster of three CVP nodes,
the cluster can survive only one CVP node failure.

2.3 System Requirements

The CloudVision Portal is deployed as a virtual or physical appliance.
Note: As of 2022.2.0, production instances of CloudVision should be deployed in a 3-node cluster.
Single-node clusters must be used only for lab deployments.

Table 2: Minimum System Requirements

Required Hardware
Lab Deployment (< 25 devices) Production Deployment

Single node instances of CVP are supported only
in lab environments. The minimum hardware
requirements to use CVP in a lab environment are:
• CPUs: 16 cores
• RAM: 32 GB
• Disk: 1 TB GB (use RPM installer)
• Disk Throughput: 20 MB/s
A 3-node cluster must be used for production
deployment. Each node must be configured to
meet the minimum system requirements. The
recommended hardware required per node to
deploy CVP in a production environment (3-node
cluster) are:
• CPUs: 28 cores
• RAM: Recommended 52 GB
• Disk: 1 TB
• Disk Throughput: 40 MB/s

Note: For production deployments, information about device scale is available in the release specific
version of the product release notes. For more information on throughput, refer to Troubleshooting and
Health Checks.
Note: Deploying a single node instance in a production environment does not provide load sharing
or redundancy capabilities; which, in node failure scenarios could lead to data loss or data corruption.
Due to these reasons, single node deployments will no longer be supported starting CVP release
2022.1.0. Cloud service deployment model of CloudVision (CVaaS) is recommended for production
environments with smaller device scale.

6
 CloudVision Portal (CVP) Overview

Table 3: Latency Requirements

Latency Requirements

• The latency between two CVP nodes must be up to 10 ms (recommended 5 ms or less).

• The latency from a CVP node to an EOS device must be up to 500 ms.
• All three nodes must be installed in the same physical location and on the same local area network.
• Physical appliances should be installed in the same rack so that traffic can flow between the appliances
while only traversing a top-of-rack switch (or a redundant pair preferably).
• Physical appliances can be installed in adjacent locations but the latency between devices should be
minimized, enough bandwidth must be available, and no firewall devices should be placed in between
the appliances.
• Virtual appliances should be deployed as part of the same/local virtual infrastructure instance with low
latency and no restrictions on traffic between the cluster nodes.

Table 4: Required Software Versions

Required Software Versions

The software versions compatible with CVP are:
• EOS license: Z license
• CVP license: Full subscription license
Note: For updates on compatible EOS switches, supported browsers, and supported TerminAttr
versions, refer to the release specific version of the product release notes available at https://
www.arista.com/en/support/software-download.

Note: CVP 2020.1.0 and future releases support host-to-host vmotion where the storage is shared
between ESXI hosts. Only one host can be in vMotion at a given time.
Related topics:
• Key CVP Terms
• CVP Virtual Appliance

2.4 Key CVP Terms

Make sure you are familiar with the following key CloudVision Portal (CVP) terms. These terms are used
throughout this guide to describe the various CVP features, and the CVP user interface contains icons that
represent each of the key terms.

7
 Icon Term Definition
Device Devices managed by the
CloudVision Portal.

Container Containers are a logical entity

used to group network devices,
and define a hierarchy to which
user configuration can be applied.
Device Devices define the subset of
available devices.

Configlet Configlets define a subset of a

device's configuration.

Image Images define the software

running on a given device.

Label Labels are arbitrary tags defined

by the user and applied to devices
for identification and filtering
purposes.
Notification Notifications are system messages
providing the list of on-going,
completed and canceled activities
that are not tracked by tasks.

Task Tasks are work orders for taking

an action against a given device.

N/A Export to CSV Downloads the table in csv format

to your local drive.
Note:
Replaces hyphen (-)
with N/A where hyphen
indicates empty data.
Replaces cells using
the (unknown) string
with empty cells where
(unknown) indicates data
missing due to an error(s).

Related topics:
• CVP Virtual Appliance
• System Requirements

8
 CloudVision Portal (CVP) Overview

2.5 CVP Virtual Appliance

The CVP virtual appliance is a packaged ova file that consists of Base OS packages, Hadoop, HBase,
Apache Tomcat, JAVA jdk and the CVP web application.
You can deploy the virtual appliance as either a single-node (standalone) cluster or a multi-node cluster
(cluster of three nodes). A multi-node cluster provides more benefits over a single-node cluster as specified in
the table below.

Table 5: Single-Node and Multi-Node Cluster Comparison

Single-Node Cluster Multi-Node Cluster

Low Scale High Scale

• Supports 250 devices and 10k interfaces
• Increasing resources may not mandatorily help due
to bottlenecks of components
• Scalability is 6x times higher than single-node
clusters
• Supports multiple containers in components
• Loads the share across nodes
• Optimization, speed, and availability are higher
than single-node clusters

No Redundancy - Does not support telemetry Redundancy

provisioning and streaming when the node goes down
• Supports 2N+1 redundancy
Note: If a node goes down, kubernetes
schedules the lost node pods on the other
two nodes.
• Provides uninterrupted telemetry provisioning and
streaming
• Provides Return Merchandise Authorization
(RMA) when a node fails
• Each state has three replicas

Corruption Management Corruption Management

• No recovery is available for lost data • Automatically fixes issues 99% of the time
• Need manual intervention to fix hbase issues • The feature to share load across nodes provides a
• Must remotely copy backups to a server everyday faster and smoother experience
for restoring the node when the disk gets corrupted

The different deployment options will be discussed later on in this section, but for production deployments it is
recommended that the cluster option is chosen. The single VM instance is recommended for testing purposes
as it provides a simpler setup and requires less resources.

9
10
 Chapter 3

CloudVision Portal (CVP) Setup

CloudVision Portal (CVP) can be run on ESX or KVM hypervisors. Before you can begin using the CVP, you
must complete the CVP setup process which, involves the following:
1. Deploying CVP
2. Configuring CVP
Sections in this chapter include:
• Deploying CVP OVA on ESX
• Deploying CVP on KVM
• Set Up CV-CUE on CV
• Shell-based Configuration
• Shell Reconfiguration of Single-node, Multi-node Systems
• ISO-based Configuration
• Certificate-Based TerminAttr Authentication
There are two different deployment procedures. One for deploying CVP on ESX, and one for deploying
CVP on KVM. After you complete the deployment procedures, you then configure CVP. The deployment
procedures are:
• Deploying CVP OVA on ESX
• Deploying CVP on KVM
There are two configuration methods for the CloudVision Portal (CVP): shell-based and ISO-based. Both
of these methods eliminate the need to directly modify system and CVP configuration files. This simplifies
the setup process and reduces the potential for issues.
The configuration methods enable you to configure CVP in both single-node systems and multi-node
systems. The configuration methods are:
• Shell-based Configuration (recommended)
• ISO-based Configuration
Note: Reconfiguration is limited to certain parameters on a deployed CVP multi-node cluster.

11
3.1 Deploying CVP OVA on ESX
Deploying the CVP OVA file should be the first step in any setup. After the CVP OVA file is deployed, you can
choose between the two configuration methods for CloudVision Portal (CVP).
Note: Arista does not support VMware Snapshots on CloudVision virtual machines. For more
information, refer to VMware vMotion and Snapshot Support.
Pre-requisites:
Use of the Deploy OVF Template requires the VMware Client Integration plugin, which is not supported by the
Chrome browser after versions 42.
1. The OVA file can be deployed as a VM in a VMware environment by using the drop menu under the
Actions heading and selecting Deploy the OVF template.
Note: For multi-node setups, the following steps must be completed once for each VM, three times
to launch three VMs.
Figure 3: Deploy the OVF template

12
 CloudVision Portal (CVP) Setup

2. Having selected the Deploy OVF Template option, VCenter will prompt for the location of the OVA file; this
can be either on a local hard disk, network share, or Internet URL. The location of the OVA file should be
entered or selected.
Figure 4: Location of the OVA file

3. Click Next to go to the next task.

4. Type the name for the VM in the Name field and select the folder for the OVA file.
Figure 5: Select name and folder location for the VM file

5. Click Next to go to the next task.

13
 6. Select the resource where you want the deployed template (OVA file) to be run.
Figure 6: Select the resource

7. Click Next to go to the next task.

8. Review the OVF template details.
Figure 7: Review OVF template details

9. Click Next to go to the next task.

14
 CloudVision Portal (CVP) Setup

10. Select the storage location where you want the files for the deployed template to be stored.
Figure 8: Select the destination storage

Note:
It is recommended to select Thick provision lazy zeroed under the Select virtual disk format
dropdown menu.
11. Click Next to go to the next task.
12. Setup the networks that the deployed template should use.
Figure 9: Setup the networks

13. Click Next.

VCenter loads the OVA and displays the configuration settings.

15
 14. Review the configuration settings, and click Finish to accept and save the configuration.
Figure 10: Select the Finish button to accept these settings

VCenter begins to deploy the virtual appliance. Once the appliance is deployed, you can configure the
CVP application using either Shell-based Configuration or ISO-based Configuration.

16
 CloudVision Portal (CVP) Setup

3.1.1 VMware vMotion and Snapshot Support

CloudVision includes the following infrastructure components that are used as the basis for the application
services and database. This is not an exhaustive list, but the key components as it relates to this topic.
• Hadoop - open source framework from Apache that is used to store and process large datasets distributed
across a cluster of servers
• Hbase - open source database from Apache that runs on Hadoop cluster
• Zookeeper - centralized service for maintaining configuration information, naming, providing distributed
synchronization, and providing group services
The CloudVision database (hbase/hadoop) is deployed across the three nodes within the CloudVision cluster.
The integrity of this database is critical to the correct functioning of CloudVision, and thus, there are specific
requirements on the hypervisor and storage for these virtual machines forming these nodes.

VMware Snapshots
Within the CloudVision infrastructure, data is constantly being written to Apache hadoop by all nodes. Disk
snapshots used by VMware have no hooks into the hbase quiesce states, meaning a snapshot of a disk state
would almost always be inconsistent and lead to database corruption during a restore process. This results in
a snapshot having no meaningful use as a restore point due to the nature of the database, which is typical for
database application performance using VMware Snapshots (VMware reference).
VMware Snapshots are very I/O intensive, leaving almost no I/O for the virtual machines during the snapshot
process. Impact on resources, such as disk, can lead to hbase and zookeeper failures. These symptoms
are evident in multiple cases where the support team has identified snapshots that were in progress before
failures.
VMware does not recommend using VM Snapshots as backups (https://kb.vmware.com/s/article/1025279),
therefore other backup mechanisms are recommended by Arista as outlined below.
Note: For these reasons, Arista does not support VMware Snapshots on CloudVision virtual
machines.

VMware vMotion
CloudVision supports VMware vMotion under specific configuration and operational criteria as follows:
• The virtual machine disks are shared between the source and target ESXi host
• Latency between ESXi hosts is less than 5ms
• Only one CloudVision node may be vMotioned at a time
Note: CVP 2020.1.0 and future releases support host-to-host vmotion where the storage is shared
between ESXI hosts. Only one host can be in vMotion at a given time.

Backup Solutions for CloudVision

Daily backups of the CloudVision provisioning data are automatically scheduled to be taken at 2AM UTC. This
backup file is stored locally on the CloudVision cluster. Common practice by customers is to schedule a copy
of this backup file from the CloudVision cluster to some external data store.
There is an example script to help automate the copying of the backup file available on the Arista Github site
(link).
CloudVision telemetry data received from switches is replicated between the CloudVision clusters. In the
event a single node becomes unavailable and a new node is added to the cluster, this telemetry data is
replicated to the new node.
Arista EOS with the Streaming Telemetry agent (TerminAttr v1.7.1 and later) supports establishing
connections to multiple CloudVision clusters. This enables the user to send the telemetry data to a backup
CloudVision instance, to maintain an up-to-date redundant store.

17
 There is a detailed explanation of this deployment model available on the Arista EOS Central site (link), which
would assist with the design and deployment of this HA solution.

3.2 Deploying CVP on KVM

In standard KVM environments, deploying a CVP VM involves the following tasks:
• Downloading and extracting the CVP KVM tarball (.tgz archive)
• Creating Virtual Bridge and Network Interface Cards (NIC)
• Generating the XML file that defines the CVP VM
• Defining and Launching the CVP VM
Once you complete these tasks, you can configure the CVP VM.

3.2.1 Downloading and extracting the CVP KVM tarball (.tgz archive)
The first task in the deployment process involves downloading and extracting the CVP KVM tarball. The
tarball is a .tgz archive that contains:
• The CVP VM
• Disk images for the CVP application
• The files used to configure CVP VM.
You download the tarball to the host server that is configured for KVM. The files contained in the .tgz archive
include:

Filename Description
1 disk1.qcow2 VM disk image for the CVP
application.
2 disk2.qcow2 Data disk image for the CVP
application.
3 cvpTemplate.xml A template for creating the XML
file for libvirt domain specification.
4 generateXmlForKvm.py A script for generating the CVP
VM definition XML based on the
XML template.
5 createNwBridges.py A script for creating the network
interfaces for the CVP VM.

Complete the following steps to download and extract the CVP VM .tgz archive:
1. Go to the Arista software downloads webpage and download the CVP VM tarball (cvp-<version>-
kvm.tgz) to the host server set up for KVM.
2. Extract the tarball (cvp-<version>-kvm.tgz).
The following example shows extracting the CVP KVM .tgz archive.

[arastra@kvm1 vms]# cd cvpTests

[arastra@kvm1 cvpTests]# ls
cvp-2022.3.0-kvm.tar
[arastra@kvm1 cvpTests]#tar -xvf cvp-2022.3.0-kvm.tar
addIsoToVM.py
createNwBridges.py
cvpTemplate.xml
disk1.qcow2

18
 CloudVision Portal (CVP) Setup

disk2.qcow2
generateXmlForKvm.py

3.2.2 Creating Virtual Bridge and Network Interface Cards (NIC)

The second task in deploying CVP for KVM involves creating the bridges and interfaces that provide network
connectivity for the CVP VM. You use the CreateNwBridges.py script you extracted in the previous task to
create the required bridges and interfaces.
Note: If the required network interfaces for CVP already exist, you do not have to complete this task.
Go directly to Generating the XML file that defines the CVP VM
You have the option of deploying CVP with either two bridge interfaces or a single bridge interface.
• Two interfaces (the cluster bridge interface and the device bridge interface).
• Single interface (the device bridge interface).
Complete the following steps to create the network interfaces for CVP KVM connectivity:
1. (Optional) Use the ./createNwBridges.py -help command to view a list of all the parameters
available in the script.
Note: Install the net-tools library using the yum -y install net-tools command before
running the script.
2. Use the ./createNwBridges.py to create the device bridge (or bridges) and interfaces needed.
The figure below shows an example of creating a single device bridge for a single-node deployment.
Figure 11: Creating a device bridge (single node deployment)

3. (Optional) Use the brctl show command to verify that the bridges were successfully created.
4. (Optional) Use the ip address show command to verify that the IP addresses have been allocated. In
this example the one IP address for the br1 bridge.
The following output is an example of verifying bridge creation and IP address allocation. In this example,
a bridge br1 was created, and one IP address has been allocated for the bridge.

[arastra@kvm1 ~]# ip address show br1

6: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
group default qlen 1000
link/ether d0:94:66:4f:56:48 brd ff:ff:ff:ff:ff:ff
inet 172.31.6.78/16 brd 172.31.255.255 scope global br1
valid_lft forever preferred_lft forever
inet6 fe80::d294:66ff:fe4f:5648/64 scope link
valid_lft forever preferred_lft forever
[arastra@kvm1 ~]# ip route show
default via 172.31.0.1 dev br1
172.31.0.0/16 dev br1 proto kernel scope link src 172.31.0.1
[arastra@kvm1 ~]#

19
3.2.3 Generating the XML file that defines the CVP VM
The third task in deploying CVP for KVM involves generating the XML file that you use to define the CVP VM.
You use generateXmlForKvm.py script and the cvpTemplate.xml file you extracted previously to generate the
XML file you use to define the CVP VM.
The cvpTemplate.xml file is a template that defines wildcard values that are filled by the other parameters
that are specified when you execute the script.
Complete the following steps to generate the XML file:
1. (Optional) Use the python generateXmlForKvm.py -help command to view a list of all the
parameters available in the script.
2. Run the python generateXmlForKvm.py script using the XML template (cvpTemplate.xml) as one
of the inputs.
Generation of XML file used to define CVP VM shows an example of an XML being generated that can
be used to define a CVP VM named cvpTest. The generated XML file is named qemuout.xml.
Figure 12: Generation of XML file used to define CVP VM

3.2.4 Defining and Launching the CVP VM

The last task in deploying CVP for KVM is to define and launch the CVP VM. You use the XML file you
generated in the previous task to define the CVP VM.
Complete the following steps to define and launch the CVP VM:
1. Run the virsh define command to define the CVP VM (specify the generated XML file).
2. Run the virsh start command to launch the newly defined CVP VM.
3. Run the virsh console command to attach (connect) to the CVP VM console.

20
 CloudVision Portal (CVP) Setup

Defining and Launching the CVP VM shows an example of the use of the commands to define and
launch a CVP VM named cvpTest. The XML file used to define the CVP VM is named qemuout.xml.
Figure 13: Defining and Launching the CVP VM

You can now login as cvpadmin and complete the configuration of the CVP application. See Configuring a
Single-Node CVP Instance using CVP Shell for the steps used to complete the configuration.
Related topics:
• Shell-based Configuration
• ISO-based Configuration
• Deploying CVP OVA on ESX

3.3 Set Up CV-CUE on CV

This section describes the process to:
• Setup CV-CUE on a Standalone CV
• Set Up CV-CUE on a CV Cluster

3.3.1 Setup CV-CUE on a Standalone CV

CV-CUE is disabled by default.
To enable CV-CUE, perform the following steps:
1. Log in to the CV admin shell via the cvpadmin user.
2. Enter e to edit the settings. The CV configuration wizard is launched.
Note: If you are setting up CV for the first time, you need to enter the values for all the settings
(DNS, IP addresses, etc.) in the configuration wizard. Refer to the Shell-based Configuration for
information on these settings. If you have already set up or just upgraded CV, and you only want to
enable CV-CUE, go to Step 3.

21
 3. Set the CV-CUE Enabled option to Yes.
4. Once the cursor is at the bottom of the configuration wizard, enter a to apply the configuration changes.

3.3.2 Set Up CV-CUE on a CV Cluster

A few important points about the CV-CUE service in a cluster deployment:
• CV-CUE is disabled by default.
• For a CV cluster, you first need to Enable CV-CUE on Primary Node and then Set Up CV-CUE on
Secondary and Tertiary Nodes .
Note: The CV-CUE service runs only on the primary and secondary nodes, but you need to apply
the configuration changes to all the nodes, including the tertiary node. The CV-CUE service starts
on both nodes only after the setup on all the nodes (including the tertiary node) of the cluster has
been completed.
• The CV configuration wizard consists of two parts (Enable CV-CUE on Primary Node ):
• common configuration: Settings common to all the nodes in the cluster (For example, DNS and
services such as CV-CUE).
• node configuration: Settings specific to a node (For example, Hostname and IP settings).

3.3.2.1 Enable CV-CUE on Primary Node

To enable CV-CUE on the primary node, perform the following steps:
1. Log in to the CV admin shell via the cvpadmin user.
2. Enter e to edit the settings. The CV configuration wizard is launched.
Note: If you are setting up CV for the first time, you need to enter the values for all the settings
(those belonging to the common configuration as well as the node configuration). Refer to Shell-
based Configuration and Shell Reconfiguration of Single-node, Multi-node Systems for information
on these settings. If you have already set up or just upgraded CV, and you only want to enable CV-
CUE, go to Step 3.
3. You can optionally assign a CV-CUE HA Cluster IP.
Note: CV-CUE in HA mode configures an optional IP address, known as HA cluster IP that is
automatically assigned to the active node in a cluster. Ensure that the HA Cluster IP address is
different from the IP addresses of the actual device and cluster interfaces; but belongs to the same
subnet as the Device Interface IP addresses of primary and secondary nodes. If HA cluster IP is
not configured, IP addresses of both primary and secondary nodes must be configured on access
points.
4. Set the CV-CUE Enabled option to Yes.

3.3.2.2 Set Up CV-CUE on Secondary and Tertiary Nodes

To set up CV-CUE on the secondary and tertiary nodes, perform the following steps on the respective nodes:
1. Log in to the CV admin shell via the cvpadmin user.
2. Enter e to edit the settings. The CV configuration wizard is launched.
Note: The Shell-based Configuration settings are not editable on the secondary and tertiary
nodes. If you are setting up CV for the first time, you need to enter the values for all the Shell
Reconfiguration of Single-node, Multi-node Systems settings. If you have already set up or just
upgraded CV, and you only want to enable CV-CUE, go to Step 3.
3. Press Enter until the cursor reaches the bottom of the configuration wizard, past all the settings.
4. Once the cursor is at the bottom of the configuration wizard, enter a to apply the configuration changes.

22
 CloudVision Portal (CVP) Setup

Note: Whether CV-CUE Enabled is set to Yes or No, applying the configuration changes causes
the secondary and tertiary nodes to update their settings based on the primary node. This will start
the CV-CUE service on the primary and secondary nodes.

3.4 Shell-based Configuration

The shell-based configuration can be used to set up either a single-node CVP instance or multi-node CVP
instances. The steps you use vary depending on whether you are setting up a single-node instance or a multi-
node instance.
Cluster and device interfaces
A cluster interface is the interface that is able to reach the other two nodes in a multi-node installation. A
device interface is the interface used by managed devices to connect to CVP. The ZTP configuration file
is served over this interface. These two parameters are optional and default to eth0. Configuring these two
interfaces is useful in deployments where a private network is used between the managed devices and a
public-facing network is used to reach the other two cluster nodes and the GUI.
• Configuring a Single-Node CVP Instance using CVP Shell
• Configuring Multi-node CVP Instances Using the CVP Shell

3.4.1 Configuring a Single-Node CVP Instance using CVP Shell

After initial bootup, CVP can be configured at the VM's console using the CVP config shell. At points during
the configuration, you must start the network, NTPD, and CVP services. Starting these services may take
some time to complete before moving on to the next step in the process.
Pre-requisites:
Before you begin the configuration process, make sure that you:
• Launch the VM (see Deploying CVP OVA on ESX , or Deploying CVP on KVM.)
To configure CVP using the CVP config shell:
1. Login at the VM console as cvpadmin.
2. Enter your configuration and apply it (see the following example).
In this example, the root password is not set (it is not set by default). In this example of a CVP shell, the
bold text is entered by the cvpadmin user.
Accept the default or choose a custom internal cluster network, for the internal kubernetes clustering.
Note: To skip NAT and static routes, simply press Enter when prompted.

localhost login: cvpadmin

Changing password for user root.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
CVP Installation Menu
────────────────────────────────────────────
[q]uit [p]rint [s]inglenode [m]ultinode [r]eplace [u]pgrade
>s
Enter the configuration for CloudVision Portal and apply it when done.
Entries marked with '*' are required.

Common Configuration:
────────────────────────────────────────────
CloudVision Deployment Model [d]efault [w]ifi_analytics: d

23
 DNS Server Addresses (IPv4 Only): 172.22.22.40

DNS Domain Search List: sjc.aristanetworks.com, ire.aristanetworks.com

Number of NTP Servers: 1
NTP Server Address (IPv4 or FQDN) #1: ntp.aristanetworks.com
Is Auth enabled for NTP Server #1: no
Cluster Interface Name: eth0
Device Interface Name: eth0
CloudVision WiFi Enabled: no

*Enter a private IP range for the internal cluster network (overlay):

10.42.0.0/16
*FIPS mode: no
Node Configuration:
─────────────────────────────────────────────
*Hostname (FQDN): cvp80.sjc.aristanetworks.com
*IP Address of eth0: 172.31.0.168
*Netmask of eth0: 255.255.0.0
NAT IP Address of eth0:
*Default Gateway: 172.31.0.1 Number of Static Routes: 1
Route for Static Route #1: 1.1.1.0
TACACS Server IP Address:

Singlenode Configuration Menu

────────────────────────────────────────────
[q]uit [p]rint [e]dit [v]erify [s]ave [a]pply [h]elp ve[r]bose
>v
Valid config format.
Applying proposed config for network verification.
saved config to /cvpi/cvp-config.yaml
Running : cvpConfig.py tool...
[ 189.568543] vmxnet3 0000:0b:00.0 eth0: intr type 3, mode 0, 9 vectors
allocated
[ 189.576571] vmxnet3 0000:0b:00.0 eth0: NIC Link is Up 10000 Mbps
[ 203.860624] vmxnet3 0000:13:00.0 eth1: intr type 3, mode 0, 9 vectors
allocated
[ 203.863878] vmxnet3 0000:13:00.0 eth1: NIC Link is Up 10000 Mbps
[ 204.865253] Ebtables v2.0 unregistered
[ 205.312888] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 205.331703] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 205.355522] Ebtables v2.0 registered
[ 205.398575] nf_conntrack version 0.5.0 (65536 buckets, 262144 max)
Stopping: network
Running : /bin/sudo /sbin/service network stop
Running : /bin/sudo /bin/systemctl is-active network
Starting: network
Running : /bin/sudo /bin/systemctl start network.service
[ 206.856170] vmxnet3 0000:0b:00.0 eth0: intr type 3, mode 0, 9 vectors
allocated
[ 206.858797] vmxnet3 0000:0b:00.0 eth0: NIC Link is Up 10000 Mbps
[ 206.860627] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 207.096883] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[ 211.086390] vmxnet3 0000:13:00.0 eth1: intr type 3, mode 0, 9 vectors
allocated
[ 211.089157] vmxnet3 0000:13:00.0 eth1: NIC Link is Up 10000 Mbps
[ 211.091084] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[ 211.092424] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
[ 211.245437] warning: `/bin/ping' has both setuid-root and effective
capabilities. Therefore not raising all capabilities.
Warning: External interfaces, ['eth1'], are discovered under /etc/sysconfig/
network-scripts
These interfaces are not managed by CVP.
Please ensure that the configurations for these interfaces are correct.

24
 CloudVision Portal (CVP) Setup

Otherwise, actions from the CVP shell may fail.

Valid config.
[q]uit [p]rint [e]dit [v]erify [s]ave [a]pply [h]elp ve[r]bose

Validating the Configuration

>v
Valid config format.
Applying proposed config for network verification.
saved config to /cvpi/cvp-config.yaml
Running : cvpConfig.py tool...
Stopping: network
Running : /bin/sudo /bin/systemctl stop network
Running : /bin/sudo /bin/systemctl is-active network
Running : /bin/sudo /bin/systemctl is-active network
Starting: network
Running : /bin/sudo /bin/systemctl start network
Warning: External interfaces, ['eth1'], are discovered under /etc/sysconfig/
network-scripts
These interfaces are not managed by CVP.
Please ensure that the configurations for these interfaces are correct.
Otherwise, actions from the CVP shell may fail.

Valid config.

Applying the Configuration

>a
Valid config format.
saved config to /cvpi/cvp-config.yaml
Applying proposed config for network verification.
saved config to /cvpi/cvp-config.yaml
Running : cvpConfig.py tool...
Stopping: network
Running : /bin/sudo /bin/systemctl stop network
Running : /bin/sudo /bin/systemctl is-active network
Running : /bin/sudo /bin/systemctl is-active network
Starting: network
Running : /bin/sudo /bin/systemctl start network
Warning: External interfaces, ['eth1'], are discovered under /etc/sysconfig/
network-scripts
These interfaces are not managed by CVP.
Please ensure that the configurations for these interfaces are correct.
Otherwise, actions from the CVP shell may fail.

Valid config.
Running : cvpConfig.py tool...
Stopping: network
Running : /bin/sudo /bin/systemctl stop network
Running : /bin/sudo /bin/systemctl is-active network
Running : /bin/sudo /bin/systemctl is-active network
Starting: network
Running : /bin/sudo /bin/systemctl start network
Running : /bin/sudo /bin/systemctl is-active etcd
Internal error, unknown service 'etcd'
Running : /bin/sudo /bin/systemctl stop kube-cluster.path on 172.30.41.190
Running : /bin/sudo /bin/systemctl stop kube-cluster.service on
172.30.41.190
Checking if interface flannelbr0 is present

25
 Run cmd: sudo -u cvp -- ssh 172.30.41.190 /usr/sbin/ip link show flannelbr0
0.18
Checking if interface flannel.1 is present
Run cmd: sudo -u cvp -- ssh 172.30.41.190 /usr/sbin/ip link show flannel.1
0.17
Running : /bin/sudo /bin/systemctl is-active zookeeper
Starting: systemd services
Running : cvpConfig.py tool...
Stopping: cvpi
Running : /bin/sudo /bin/systemctl stop cvpi
Running : /bin/sudo /bin/systemctl is-active cvpi
Running : /bin/sudo /bin/systemctl is-active cvpi
Stopping: cvpi-config
Running : /bin/sudo /bin/systemctl stop cvpi-config
Running : /bin/sudo /bin/systemctl is-active cvpi-config
Running : /bin/sudo /bin/systemctl is-active cvpi-config
Stopping: zookeeper
Running : /bin/sudo /bin/systemctl stop zookeeper
Running : /bin/sudo /bin/systemctl is-active zookeeper
Running : /bin/sudo /bin/systemctl is-active zookeeper
Stopping: cvpi-check
Running : /bin/sudo /bin/systemctl stop cvpi-check
Running : /bin/sudo /bin/systemctl is-active cvpi-check
Running : /bin/sudo /bin/systemctl is-active cvpi-check
Stopping: ntpd
Running : /bin/sudo /bin/systemctl stop ntpd
Running : /bin/sudo /bin/systemctl is-active ntpd
Running : /bin/sudo /bin/systemctl is-active ntpd
Starting: ntpd
Running : /bin/sudo /bin/systemctl start ntpd
Starting: cvpi-check
Running : /bin/sudo /bin/systemctl start cvpi-check
Starting: zookeeper
Running : /bin/sudo /bin/systemctl start zookeeper
Starting: cvpi-config
Running : /bin/sudo /bin/systemctl start cvpi-config
Starting: cvpi
Running : /bin/sudo /bin/systemctl start cvpi
Running : /bin/sudo /bin/systemctl start cvpi-watchdog.timer
Running : /bin/sudo /bin/systemctl enable cert-rotate.timer
Running : /bin/sudo /bin/systemctl start cert-rotate.timer
Running : /bin/sudo /bin/systemctl enable ambassador-cert-rotate.timer
Running : /bin/sudo /bin/systemctl start ambassador-cert-rotate.timer
Running : /bin/sudo /bin/systemctl enable ssl-cert-expiry.timer
Running : /bin/sudo /bin/systemctl start ssl-cert-expiry.timer
Running : /bin/sudo /bin/systemctl enable docker containerd
Running : /bin/sudo /bin/systemctl start docker containerd
Running : /bin/sudo /bin/systemctl enable kube-cluster.path on
172.30.41.190
Running : /bin/sudo /bin/systemctl start kube-cluster.path on 172.30.41.190
Waiting for all components to start. This may take few minutes.
Still waiting for flannel coredns descheduler fluent-bit mutating-webhook-
server mutating-webhook clickhouse namenode datanode nfs3 ... (total 217)
Still waiting for clickhouse hbasemaster regionserver hbase kafka dispatcher
apiserver nginx-init-V1 nginx-app apiserver-www ... (total 203)
Still waiting for dispatcher apiserver nginx-init-V1 nginx-app apiserver-www
local-provider radius-provider tacacs-provider aaa disk-usage-monitor ...
(total 198)
Still waiting for nginx-app apiserver-www local-provider radius-provid
er tacacs-provider aaa disk-usage-monitor ingest elasticsearch-server
elasticsearch-exporter ... (total 195)
Still waiting for nginx-app apiserver-www local-provider radius-provider
tacacs-provider aaa ingest elasticsearch-server elasticsearch-exporter
elasticsearch-dispatcher ... (total 194)

26
 CloudVision Portal (CVP) Setup

Still waiting for apiserver-www aaa ingest elasticsearch-server

elasticsearch-exporter elasticsearch-dispatcher elasticsearch-recorder
service-accesscontrol aerisdiskmonitor ambassador ... (total 190)
Still waiting for ingest enroll-www turbine-accumulator-seg-sec-1m turbine-
aggregate-connectivity-monitor-15m turbine-aggregate-counter-rate-15m
turbine-aggregate-counter-rate-1m turbine-aggregate-dom-metrics-15m
turbine-aggregate-dom-metrics-sfp-1m turbine-aggregate-hardware-table-
usage-15m turbine-aggregate-hardware-table-usage-1m ... (total 92)
Still waiting for ingest enroll-www turbine-count-dot1x-auth-status-per-int
f turbine-device-aggregate-seg-sec-count-1m turbine-entities-dot1x-wired
turbine-eos-links turbine-event-cusum-stats-connectivity-monitor turbine-
event-ipsec-connectivity-down turbine-event-lin-predictor-stats-hardware
turbine-event-threshold-analytics-errors ... (total 82)
Still waiting for ingest enroll-www turbine-network-node-event-mapper
turbine-network-topology-tagger turbine-network-vxlan-neighbors turbine-
rate-bandwidth turbine-rate-intf-counters turbine-rate-openconfig-intf-
counters turbine-rate-port-channel-counters turbine-rate-seg-sec-count
ers ... (total 53)
Still waiting for ingest enroll-www turbine-windfarm-count-bgp-peer turbine-
windfarm-count-intf-roles turbine-windfarm-device-resource-aggregate
turbine-windfarm-dom-metrics-qsfp turbine-windfarm-dom-metrics-sfp turbine-
windfarm-eos-version turbine-windfarm-event-change-control turbine-windfarm-
event-intf-status ... (total 24)
Still waiting for kube-apiserver kube-controller-manager kube-proxy kube-
scheduler kubelet ingest docker enroll-www etcd turbine-windfarm-lanz-
data ... (total 19)
Running : cvpConfig.py tool...
Stopping wifimanager
Running : su - cvp -c "cvpi stop wifimanager 2>&1"
Stopping aware
Running : su - cvp -c "cvpi stop aware 2>&1"
Disabling wifimanager
Running : su - cvp -c "cvpi disable wifimanager 2>&1"
Disabling aware
Running : su - cvp -c "cvpi disable aware 2>&1"
CVP installation successful

3.4.2 Configuring Multi-node CVP Instances Using the CVP Shell

Use this procedure to configure multi-node CVP instances using the CVP shell. This procedure includes
the steps to set up a primary, secondary, and tertiary node, which is the number of nodes required for
redundancy. It also includes the steps to verify and apply the configuration of each node.
The sequence of steps in this procedure follow the process described in the basic steps in the process
Pre-requisites:
Before you begin the configuration process, make sure that you:
• Launch the VM (see Deploying CVP OVA on ESX , or Deploying CVP on KVM.)
• Login to the VM console for each of the three(3) nodes (login as cvpadmin on each node).
Complete the following steps to configure multi-node CVP instances:
1. Login at the VM console for the primary node as cvpadmin.
2. At the cvp installation mode prompt, type m to select a multi-node configuration.
3. At the prompt to select a role for the node, type p to select primary node.
Note: You must select primary first. You cannot configure one of the other nodes before you
configure the primary node.
4. Follow the CloudVision Portal prompts to specify the configuration options for the primary node. All options
with an asterisk (*) are required. The options include:

27
 • Root password (*)
• Default route (*)
• DNS (*)
• NTP (*)
• Telemetry Ingest Key
• Cluster interface name (*)
• Device interface name (*)
• Hostname (*)
• IP address (*)
• Netmask (*)
• Number of static routes
• Route for each static route
• Interface for static route
• TACACS server ip address
• TACACS server key/port
• IP address of primary (*) for secondary/tertiary only
Note: If there are separate cluster and device interfaces (the interfaces have different IP
addresses), make sure that you enter the hostname of the cluster interface. If the cluster and
device interface are the same (for example, they are eth0), make sure you enter the IP address of
eth0 for the hostname.
Note: The following is an example of the configuration information that requires verification. A
CVP cluster MUST be able to resolve A and PTR records in DNS for each cluster node. This
forward and reverse DNS lookup MUST be verified. Perform nslookup to verify the forward and
reverse lookup. This is an important step to CVP forming the cluster during initial setup. For more
information on how to use nslookup, refer to Connectivity Requirements.
Note: NTP synchronization is important for CVP cluster nodes, and for EOS streaming telemetry
to CVP. NTP service verified using a tool such as ntpdate. For more information on how to use
ntpdate, refer to Connectivity Requirements.
5. At the following prompt, type v to verify the configuration.

[q]uit, [p]rint, [e]dit, [v]erify, [s]ave, [a]pply, [h]elp ve[r]bose.

If the configuration is valid, the system shows a Valid config status message.
6. Type a to apply the configuration for the primary node and wait for the line Waiting for other nodes to send
their hostname and ip with spinning wheel.
The system automatically saves the configuration as a YAML document and shows the configuration
settings in pane 1 of the shell.)
7. When Waiting for other nodes to send their hostname and ip line is printed by the
primary node, go to the shell for the secondary node, and specify the configuration settings for the
secondary node (All options with an asterisk (*) are required, including primary node IP address)
8. At the following prompt, type v to verify the configuration.

[q]uit, [p]rint, [e]dit, [v]erify, [s]ave, [a]pply, [h]elp ve[r]bose.

If the configuration is valid, the system shows a Valid config status message.
9. Type a to apply the configuration for the primary node and wait for the line Waiting for other nodes to send
their hostname and IP.
The system automatically saves the configuration as a YAML document and displays the configuration
settings in pane 1 of the shell.
10. At the Primary's root password prompt, type (enter) the password for the primary node, and then press
Enter.

28
 CloudVision Portal (CVP) Setup

11. Go to the shell for the tertiary node, and specify the configuration settings for the node. (All options with
an asterisk (*) are required.)
12. At the following prompt, type v to verify the configuration.

[q]uit, [p]rint, [e]dit, [v]erify, [s]ave, [a]pply, [h]elp ve[r]bose.

If the configuration is valid, the system shows a Valid config status message.
13. At the Primary IP prompt, type the IP address of the primary node.
14. At the Primarys root password prompt, press Enter.
The system automatically completes the CVP installation for all nodes (this is done by the primary node).
A message appears indicating that the other nodes are waiting for the primary node to complete the CVP
installation.
When the CVP installation is successfully completed for a particular node, a message appears in the
appropriate pane to indicate the installation was successful. (This message is repeated in each pane.)
15. Go to shell for the primary node, and type q to quit the installation.
16. At the cvp login prompt, login as root.
17. At the [root@cvplogin]# prompt, switch to the cvp user account by typing su cvp, and then press Enter.
18. Run the cvpi status all command, and press Enter.
The system automatically checks the status of the installation for each node and provides status
information in each pane for CVP. The information shown includes some of the configuration settings for
each node.
For more information about the process, see:
• Rules for the Number and Type of Nodes
• The Basic Steps in the Process
• The CVP Shell
• Examples

3.4.2.1 Rules for the Number and Type of Nodes

Three nodes are required for multi-node CVP instances, where a node is identified as either the primary,
secondary, or tertiary. You define the node type (primary, secondary, or tertiary) for each node during the
configuration.

3.4.2.2 The Basic Steps in the Process

All multi-node configurations follow the same basic process. The basic steps are:
1. Specify the settings for the nodes in the following sequence (you apply the configuration later in the
process):
• Primary node
• Secondary node
• Tertiary node
2. Verify and then apply the configuration for the primary node. (During this step, the system automatically
saves the configuration for the primary node as a YAML document. In addition, the system shows the
configuration settings.)
Once the system applies the configuration for the primary node, the other nodes need to send their
hostname and IP address to the primary node.
3. Verify and then apply the configuration for the secondary node.
As part of this step, the system automatically pushes the hostname, IP address, and public key of the
secondary node to the primary node. The primary node also sends a consolidated YAML to the secondary
node, which is required to complete the configuration of the secondary node.

29
 Note: To ensure the environment variables are generated, only apply configuration when the
following messages are displayed.
Only apply the secondary and tertiary nodes if the primary has finished its configuration and
displays: "Waiting for other nodes to send their hostname and ip."
The secondary and tertiary nodes will display the following message: "Please wait for primary to
show "Waiting for other nodes to send their hostname and ip" before applying."
If the configuration is applied before the message is displayed, the environment variables will not
be generated.
4. The previous step (verifying and applying the configuration) is repeated for the tertiary node. (The
automated processing of data described for the secondary node is also repeated for the tertiary node.)
Once the configuration for all nodes has been applied (steps 1 through 4 above), the system automatically
attempts to complete the CVP installation for all nodes (this is done by the primary node). A message
appears indicating that the other nodes are waiting for the primary node to complete the CVP installation.
5. You quit the installation, then login as root and check the status of CVP.
The system automatically checks the status and provides status information in each pane for the CVP
service.

3.4.2.3 The CVP Shell

For multi-node configurations, you need to open 3 CVP consoles (one for each node). Each console is shown
in it's own pane. You use each console to configure one of the nodes (primary, secondary, or tertiary).
The system also provides status messages and all of the options required to complete the multi-node
configuration. The status messages and options are presented in the panes of the shell that correspond to the
node type.
Figure 14: CVP Console Shells for Multi-node Configurations shows three CVP Console shells for multi-node
configurations. Each shell corresponds to a CVP Console for each node being configured.

Figure 14: CVP Console Shells for Multi-node Configurations

3.4.2.4 Examples

30
 CloudVision Portal (CVP) Setup

The following examples show the commands used to configure (set up) the primary, secondary, and tertiary
nodes, and apply the configurations to the nodes. Examples are also included of the system output shown as
CVP completes the installation for each of the nodes.
• Primary Node Configuration
• Secondary Node Configuration
• Tertiary Node Configuration
• Verifying the Primary Node Configuration and Applying it to the Node
• Verifying the Tertiary Node Configurations and Applying them to the Nodes
• Waiting for the Primary Node Installation to Finish
• Waiting for the Secondary and Tertiary Node Installation to Finish

3.4.2.4.1 Primary Node Configuration

This example shows the commands used to configure (set up) the primary node.

localhost login: cvpadmin

Changing password for user root.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Enter a command
[q]uit [p]rint [s]inglenode [m]ultinode [r]eplace [u]pgrade
>m
Choose a role for the node, roles should be mutually exclusive
[p]rimary [s]econdary [t]ertiary
>p

Enter the configuration for CloudVision Portal and apply it when done.
Entries marked with '*' are required.

common configuration:
dns: 172.22.22.40, 172.22.22.10
DNS domains: sjc.aristanetworks.com, ire.aristanetworks.com
ntp: ntp.aristanetworks.com
Telemetry Ingest Key: arista
CV-CUE Enabled: no
CV-CUE HA cluster IP:
Cluster Interface name: eth0
Device Interface name: eth0
node configuration:
*hostname (fqdn): cvp57.sjc.aristanetworks.com
*default route: 172.31.0.1
Number of Static Routes:
TACACS server ip address:
*IP address of eth0: 172.31.0.186
*Netmask of eth0: 255.255.0.0
[q]uit [p]rint [e]dit [v]erify [s]ave [a]pply [h]elp ve[r]bose
>

3.4.2.4.2 Secondary Node Configuration

This example shows the commands used to configure (set up) the secondary node.
Note: To ensure the environment variables are generated, only apply configuration when the
following messages are displayed.

31
 Only apply the secondary and tertiary nodes if the primary has finished its configuration and displays:
"Waiting for other nodes to send their hostname and ip."
The secondary and tertiary nodes will display the following message: "Please wait for primary to show
"Waiting for other nodes to send their hostname and ip" before applying." S
If the configuration is applied before the message is displayed, the environment variables will not be
generated.

localhost login: cvpadmin

Changing password for user root.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Enter a command
[q]uit [p]rint [s]inglenode [m]ultinode [r]eplace [u]pgrade
>m
Choose a role for the node, roles should be mutually exclusive
[p]rimary [s]econdary [t]ertiary
>s

Enter the configuration for CloudVision Portal and apply it when done.
Entries marked with '*' are required.

common configuration:
dns: 172.22.22.40, 172.22.22.10
DNS domains: sjc.aristanetworks.com, ire.aristanetworks.com
ntp: ntp.aristanetworks.com
Telemetry Ingest Key: arista
CV-CUE Enabled: no
CV-CUE HA cluster IP:
Cluster Interface name: eth0
Device Interface name: eth0
*IP address of primary: 172.31.0.186
node configuration:
*hostname (fqdn): cvp65.sjc.aristanetworks.com
*default route: 172.31.0.1
Number of Static Routes:
TACACS server ip address:
*IP address of eth0: 172.31.0.153
*Netmask of eth0: 255.255.0.0
>

3.4.2.4.3 Tertiary Node Configuration

This example shows the commands used to configure (set up) the tertiary node.
Note: To ensure the environment variables are generated, only apply configuration when the
following messages are displayed.
Only apply the secondary and tertiary nodes if the primary has finished its configuration and displays:
"Waiting for other nodes to send their hostname and ip."
The secondary and tertiary nodes will display the following message: "Please wait for primary to show
"Waiting for other nodes to send their hostname and ip" before applying."

32
 CloudVision Portal (CVP) Setup

If the configuration is applied before the message is displayed, the environment variables will not be
generated.

Changing password for user root.

New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Enter a command
[q]uit [p]rint [s]inglenode [m]ultinode [r]eplace [u]pgrade
>m
Choose a role for the node, roles should be mutually exclusive
[p]rimary [s]econdary [t]ertiary
>t

Enter the configuration for CloudVision Portal and apply it when done.
Entries marked with '*' are required.

common configuration:
dns: 172.22.22.40, 172.22.22.10
DNS domains: sjc.aristanetworks.com, ire.aristanetworks.com
ntp: ntp.aristanetworks.com
Telemetry Ingest Key: arista
Cluster Interface name: eth0
Device Interface name: eth0
*IP address of primary: 172.31.0.186
node configuration:
hostname (fqdn): cvp84.sjc.aristanetworks.com
*default route: 172.31.0.1
Number of Static Routes:
TACACS server ip address:
*IP address of eth0: 172.31.0.213
*Netmask of eth0: 255.255.0.0
[q]uit [p]rint [e]dit [v]erify [s]ave [a]pply [h]elp ve[r]bose
>

3.4.2.4.4 Verifying the Primary Node Configuration and Applying it to the Node
This example shows the commands used to verify the configuration of the primary node and apply the
configuration to the node.

[q]uit [p]rint [e]dit [v]erify [s]ave [a]pply [h]elp ve[r]bose

>v
Valid config format.
Applying proposed config for network verification.
saved config to /cvpi/cvp-config.yaml
Running : cvpConfig.py tool...
[ 8608.509056] vmxnet3 0000:0b:00.0 eth0: intr type 3, mode 0, 9
vectors allocated
[ 8608.520693] vmxnet3 0000:0b:00.0 eth0: NIC Link is Up 10000 Mbps
[ 8622.807169] vmxnet3 0000:13:00.0 eth1: intr type 3, mode 0, 9
vectors allocated
[ 8622.810214] vmxnet3 0000:13:00.0 eth1: NIC Link is Up 10000 Mbps
Stopping: network
Running : /bin/sudo /sbin/service network stop
Running : /bin/sudo /bin/systemctl is-active network
Starting: network
Running : /bin/sudo /bin/systemctl start network.service

33
 [ 8624.027029] vmxnet3 0000:0b:00.0 eth0: intr type 3, mode 0, 9
vectors allocated
[ 8624.030254] vmxnet3 0000:0b:00.0 eth0: NIC Link is Up 10000 Mbps
[ 8624.032643] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 8624.238995] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[ 8638.294690] vmxnet3 0000:13:00.0 eth1: intr type 3, mode 0, 9
vectors allocated
[ 8638.297973] vmxnet3 0000:13:00.0 eth1: NIC Link is Up 10000 Mbps
[ 8638.300454] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[ 8638.302186] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
[ 8638.489266] warning: `/bin/ping' has both setuid-root and effective
capabilities. Therefore not raising all capabilities.
Warning: External interfaces, ['eth1'], are discovered under /etc/
sysconfig/network-scripts
These interfaces are not managed by CVP.
Please ensure that the configurations for these interfaces are
correct.
Otherwise, actions from the CVP shell may fail.

Valid config.
[q]uit [p]rint [e]dit [v]erify [s]ave [a]pply [h]elp ve[r]bose
>

3.4.2.4.5 Verifying the Tertiary Node Configurations and Applying them to the Nodes
This example shows the commands used to verify the configurations of the tertiary nodes and apply the
configurations to the nodes.

[q]uit [p]rint [e]dit [v]erify [s]ave [a]pply [h]elp ve[r]bose

>v
Valid config format.
Applying proposed config for network verification.
saved config to /cvpi/cvp-config.yaml
Running : cvpConfig.py tool...
[ 9195.362192] vmxnet3 0000:0b:00.0 eth0: intr type 3, mode 0, 9
vectors allocated
[ 9195.365069] vmxnet3 0000:0b:00.0 eth0: NIC Link is Up 10000 Mbps
[ 9195.367043] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 9195.652382] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[ 9209.588173] vmxnet3 0000:13:00.0 eth1: intr type 3, mode 0, 9
vectors allocated
[ 9209.590896] vmxnet3 0000:13:00.0 eth1: NIC Link is Up 10000 Mbps
[ 9209.592887] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[ 9209.594222] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
Stopping: network
Running : /bin/sudo /sbin/service network stop
Running : /bin/sudo /bin/systemctl is-active network
Starting: network
Running : /bin/sudo /bin/systemctl start network.service
[ 9210.561940] vmxnet3 0000:0b:00.0 eth0: intr type 3, mode 0, 9
vectors allocated
[ 9210.564602] vmxnet3 0000:0b:00.0 eth0: NIC Link is Up 10000 Mbps
[ 9224.805267] vmxnet3 0000:13:00.0 eth1: intr type 3, mode 0, 9
vectors allocated
[ 9224.808891] vmxnet3 0000:13:00.0 eth1: NIC Link is Up 10000 Mbps
[ 9224.811150] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[ 9224.812899] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
Warning: External interfaces, ['eth1'], are discovered under /etc/
sysconfig/network-scripts

34
 CloudVision Portal (CVP) Setup

These interfaces are not managed by CVP.

Please ensure that the configurations for these interfaces are
correct.
Otherwise, actions from the CVP shell may fail.

Valid config.
[q]uit [p]rint [e]dit [v]erify [s]ave [a]pply [h]elp ve[r]bose
>

3.4.2.4.6 Waiting for the Primary Node Installation to Finish

These examples show the system output shown as CVP completes the installation for the primary node.
• Waiting for primary node installation to pause until other nodes send files

[q]uit [p]rint [e]dit [v]erify [s]ave [a]pply [h]elp ve[r]bose

>a
Valid config format.
saved config to /cvpi/cvp-config.yaml
Applying proposed config for network verification.
saved config to /cvpi/cvp-config.yaml
Running : cvpConfig.py tool...
[15266.575899] vmxnet3 0000:0b:00.0 eth0: intr type 3, mode 0, 9 vectors
allocated
[15266.588500] vmxnet3 0000:0b:00.0 eth0: NIC Link is Up 10000 Mbps
[15266.591751] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[15266.672644] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[15280.937599] vmxnet3 0000:13:00.0 eth1: intr type 3, mode 0, 9 vectors
allocated
[15280.941764] vmxnet3 0000:13:00.0 eth1: NIC Link is Up 10000 Mbps
[15280.944883] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[15280.947038] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
Stopping: network
Running : /bin/sudo /sbin/service network stop
Running : /bin/sudo /bin/systemctl is-active network
Starting: network
Running : /bin/sudo /bin/systemctl start network.service
[15282.581713] vmxnet3 0000:0b:00.0 eth0: intr type 3, mode 0, 9 vectors
allocated
[15282.585367] vmxnet3 0000:0b:00.0 eth0: NIC Link is Up 10000 Mbps
[15282.588072] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[15282.948613] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[15296.871658] vmxnet3 0000:13:00.0 eth1: intr type 3, mode 0, 9 vectors
allocated
[15296.875871] vmxnet3 0000:13:00.0 eth1: NIC Link is Up 10000 Mbps
[15296.879003] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[15296.881456] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
Warning: External interfaces, ['eth1'], are discovered under /etc/sysconfig/
network-scripts
These interfaces are not managed by CVP.
Please ensure that the configurations for these interfaces are correct.
Otherwise, actions from the CVP shell may fail.

Valid config.
Running : cvpConfig.py tool...
[15324.884887] vmxnet3 0000:0b:00.0 eth0: intr type 3, mode 0, 9 vectors
allocated
[15324.889169] vmxnet3 0000:0b:00.0 eth0: NIC Link is Up 10000 Mbps
[15324.893217] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[15324.981682] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready

35
 [15339.240237] vmxnet3 0000:13:00.0 eth1: intr type 3, mode 0, 9 vectors
allocated
[15339.243999] vmxnet3 0000:13:00.0 eth1: NIC Link is Up 10000 Mbps
[15339.247119] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[15339.249370] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
Stopping: network
Running : /bin/sudo /sbin/service network stop
Running : /bin/sudo /bin/systemctl is-active network
Starting: network
Running : /bin/sudo /bin/systemctl start network.service
[15340.946583] vmxnet3 0000:0b:00.0 eth0: intr type 3, mode 0, 9 vectors
allocated
[15340.950891] vmxnet3 0000:0b:00.0 eth0: NIC Link is Up 10000 Mbps
[15340.953786] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[15341.251648] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[15355.225649] vmxnet3 0000:13:00.0 eth1: intr type 3, mode 0, 9 vectors
allocated
[15355.229400] vmxnet3 0000:13:00.0 eth1: NIC Link is Up 10000 Mbps
[15355.232674] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[15355.234725] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
Waiting for other nodes to send their hostname and ip
\
• Waiting for the primary node installation to finish

Waiting for other nodes to send their hostname and ip

-
Running : cvpConfig.py tool...
[15707.665618] vmxnet3 0000:0b:00.0 eth0: intr type 3, mode 0, 9
vectors allocated
[15707.669167] vmxnet3 0000:0b:00.0 eth0: NIC Link is Up 10000 Mbps
[15707.672109] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[15708.643628] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[15722.985876] vmxnet3 0000:13:00.0 eth1: intr type 3, mode 0, 9
vectors allocated
[15722.990116] vmxnet3 0000:13:00.0 eth1: NIC Link is Up 10000 Mbps
[15722.993221] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[15722.995325] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
[15724.245523] Ebtables v2.0 unregistered
[15724.940390] ip_tables: (C) 2000-2006 Netfilter Core Team
[15724.971820] ip6_tables: (C) 2000-2006 Netfilter Core Team
[15725.011963] Ebtables v2.0 registered
[15725.077660] nf_conntrack version 0.5.0 (65536 buckets, 262144 max)
Stopping: ntpd
Running : /bin/sudo /sbin/service ntpd stop
Running : /bin/sudo /bin/systemctl is-active ntpd
Starting: ntpd
Running : /bin/sudo /bin/systemctl start ntpd.service
--
Verifying configuration on the secondary node
Verifying configuration on the tertiary node
Starting: systemd services
Starting: cvpi-check
Running : /bin/sudo /bin/systemctl start cvpi-check.service
Starting: zookeeper
Running : /bin/sudo /bin/systemctl start zookeeper.service
Starting: cvpi-config
Running : /bin/sudo /bin/systemctl start cvpi-config.service
Starting: cvpi
Running : /bin/sudo /bin/systemctl start cvpi.service
Running : /bin/sudo /bin/systemctl enable zookeeper
Running : /bin/sudo /bin/systemctl start cvpi-watchdog.timer
Running : /bin/sudo /bin/systemctl enable docker
Running : /bin/sudo /bin/systemctl start docker

36
 CloudVision Portal (CVP) Setup

Running : /bin/sudo /bin/systemctl enable kube-cluster.path

Running : /bin/sudo /bin/systemctl start kube-cluster.path
Waiting for all components to start. This may take few minutes.
Still waiting for aaa aeriadiakmonitor alertmanager-multinode-service
ambassador apiserver apiserver-www apiserver-www apiserver-www audit
aware ... {total 271)
Still waiting for aaa aerisdisknonitor alertmanager-multinode-service
anbassador apiserver apiserver-www apiserver-www apiserver-www audit
bapmaintmode ... (total 235)
Still waiting for asa aerisdiskmonitor alertmanager-multinode-service
ambassador apiserver apiserver-www spiserver-www apiserver-www audit
bgpmaintmode ... (total 236)
Still waiting for aaa aerisdiskmonitor alertmanager-multinode-service
ambassador apiserver apiserver-www apiserver-www apiserver-www audit
bgpmaintmode ... {total 235)
Still waiting for aaa aerisdiskmonitor alertmanager-multinode-service
ambassador apiserver apiserver-www apiserver-www apiserver-www audit
bgpmaintmode ... {total 235)
Still waiting for aaa aeriasdiskmonitor alertmanager-multinode-service
ambassador apiserver apiserver-www apiserver-www apiserver-www audit
bgpmaintmode ... (total 235)
Still waiting for aaa aerisdisknenitor alertmanager-multinode-service
ambassador apiserver apiserver-www apiserver-www apiserver-wwww audit
bgpmaintmode ... (total 236)
Still waiting for eae aerisdiskmonitor alertmanager-multinode-service
ambassador apiserver apiserver-www apiserver-wrw apiserver-www audit
bgpmaintmode ... (total 229)
Still waiting for aaa aerisdisknonitor alertmanager-multinode-service
ambassador apiserver apiserver-www apiserver-www apiserver-www audit
bgpmaintmode ... (total 228)
Still waiting for aaa aerisdiskmonitor alertmanager-multinode-service
ambassador apiserver apiserver-www apiserver-www apiserver-www audit
bgpmaintmode ... (total 213)
Still waiting for aaa alertmanager-multinode-service ambassador apiserver
apiserver-www apiserver-www apiserver-www audit bgpmaintmode bugalerts-que
ry-tagger ... (total 199)
Still waiting for aaa alertmanager-multinode-service ambassador apiserver
apiaserver apiserver apiserver-www apiserver-www apiserver-www audit ...
(total 181)
Still waiting for ase ambassador spisercver-www apiserver-www episerver-www
audit bgpmaintmode bugalerts-update ccapi cemgr ... (total 121)
Still waiting for aaa ambassador apiserver-www apiserver-www apiserver-www
audit bgpmaintmode ccapi ccmgr certs ... (total 78)
Still waiting for saa ambassador apiserver-www apiserver-www apiserver-www
audit certs cloudmanager compliance cvp-backend ... (total 44)
Still waiting for aaa ambassador apiserver-www apiserver-www apiserver-www
certs cloudmanager cloudmanager cloudmanager compliance ... (total 35)
Still waiting for aaa cvp-frontend cvp-frontend cvp-frontend cvp-www cvp-www
cvp-www inventory ztp
Still waiting for aaa cvp-frontend cvp-frontend cvp-frontend cvp-www cvp-www
cvp-www inventory ztp
Still waiting for aaa cvp-frontend cvp-frontend cvp-frontend cvp-www cvp-www
cvp-www inventory ztp
Still waiting for aaa cvp-frontend cvp-frontend cvp-frontend cvp-www cvp-www
cvp-www inventory ztp
Still waiting for aaa cvp-frontend cvp-frontend cvp-frontend cvp-www cvp-www
cvp-www inventory ztp
Still waiting for aaa cvp-frontend cvp-frontend cvp-frontend cvp-www cvp-www
cvp-www inventory ztp
Still waiting for aaa evp-frontend evp-frontend evp-frontend cvp-www evp-www
cvp-www inventory ztp
Still waiting for cvp-frontend cvp-frontend cvp-frontend
CVP installation successful
Running : cvpConfig.py tool...

37
 Stopping wifimanager
Running : su - cvp -c "cvpi stop wifimanager"
Stopping aware
Running : su - cvp -c "cvpi stop aware"
Disabling wifimanager
Running : su - cvp -c "cvpi disable wifimanager"
Disabling aware
Running 1 su - cvp -c "cvpi disable aware"

[q]uit [p]rint [e]dit [v]erify [s]ave [a]pply [h]elp ve[r)bose

3.4.2.4.7 Waiting for the Secondary and Tertiary Node Installation to Finish
This example shows the system output displayed as CVP completes the installation for the secondary and
tertiary nodes.

[q]uit [p]rint [e]dit [v]erify [s]ave [a]pply [h]elp ve[r]bose

>a
Valid config format.
saved config to /cvpi/cvp-config.yaml
Applying proposed config for network verification.
saved config to /cvpi/cvp-config.yaml
Running : cvpConfig.py tool...
[15492.903419] vmxnet3 0000:0b:00.0 eth0: intr type 3, mode 0, 9
vectors allocated
[15492.908473] vmxnet3 0000:0b:00.0 eth0: NIC Link is Up 10000 Mbps
[15492.910297] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[15493.289569] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[15507.118778] vmxnet3 0000:13:00.0 eth1: intr type 3, mode 0, 9
vectors allocated
[15507.121579] vmxnet3 0000:13:00.0 eth1: NIC Link is Up 10000 Mbps
[15507.123648] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[15507.125051] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
Stopping: network
Running : /bin/sudo /sbin/service network stop
Running : /bin/sudo /bin/systemctl is-active network
Starting: network
Running : /bin/sudo /bin/systemctl start network.service
[15508.105909] vmxnet3 0000:0b:00.0 eth0: intr type 3, mode 0, 9
vectors allocated
[15508.108752] vmxnet3 0000:0b:00.0 eth0: NIC Link is Up 10000 Mbps
[15522.301114] vmxnet3 0000:13:00.0 eth1: intr type 3, mode 0, 9
vectors allocated
[15522.303766] vmxnet3 0000:13:00.0 eth1: NIC Link is Up 10000 Mbps
[15522.305580] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[15522.306866] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
Warning: External interfaces, ['eth1'], are discovered under /etc/
sysconfig/network-scripts
These interfaces are not managed by CVP.
Please ensure that the configurations for these interfaces are
correct.
Otherwise, actions from the CVP shell may fail.

Valid config.
Running : cvpConfig.py tool...
[15549.664989] vmxnet3 0000:0b:00.0 eth0: intr type 3, mode 0, 9
vectors allocated
[15549.667899] vmxnet3 0000:0b:00.0 eth0: NIC Link is Up 10000 Mbps
[15549.669783] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[15550.046552] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready

38
 CloudVision Portal (CVP) Setup

[15563.933328] vmxnet3 0000:13:00.0 eth1: intr type 3, mode 0, 9

vectors allocated
[15563.937507] vmxnet3 0000:13:00.0 eth1: NIC Link is Up 10000 Mbps
[15563.940501] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[15563.942113] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
Stopping: network
Running : /bin/sudo /sbin/service network stop
Running : /bin/sudo /bin/systemctl is-active network
Starting: network
Running : /bin/sudo /bin/systemctl start network.service
[15565.218666] vmxnet3 0000:0b:00.0 eth0: intr type 3, mode 0, 9
vectors allocated
[15565.222324] vmxnet3 0000:0b:00.0 eth0: NIC Link is Up 10000 Mbps
[15565.225193] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[15565.945531] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[15579.419911] vmxnet3 0000:13:00.0 eth1: intr type 3, mode 0, 9
vectors allocated
[15579.422707] vmxnet3 0000:13:00.0 eth1: NIC Link is Up 10000 Mbps
[15579.424636] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[15579.425962] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
Running : cvpConfig.py tool...
[15600.608075] vmxnet3 0000:0b:00.0 eth0: intr type 3, mode 0, 9
vectors allocated
[15600.610946] vmxnet3 0000:0b:00.0 eth0: NIC Link is Up 10000 Mbps
[15600.613687] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[15600.986529] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[15615.840426] vmxnet3 0000:13:00.0 eth1: intr type 3, mode 0, 9
vectors allocated
[15615.843207] vmxnet3 0000:13:00.0 eth1: NIC Link is Up 10000 Mbps
[15615.845197] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[15615.846633] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
[15616.732733] Ebtables v2.0 unregistered
[15617.213057] ip_tables: (C) 2000-2006 Netfilter Core Team
[15617.233688] ip6_tables: (C) 2000-2006 Netfilter Core Team
[15617.261149] Ebtables v2.0 registered
[15617.309743] nf_conntrack version 0.5.0 (65536 buckets, 262144 max)
Stopping: ntpd
Running : /bin/sudo /sbin/service ntpd stop
Running : /bin/sudo /bin/systemctl is-active ntpd
Starting: ntpd
Running : /bin/sudo /bin/systemctl start ntpd.service
Pushing hostname, ip address and public key to the primary node
Primary's root password:
Transferred files
Receiving public key of the primary node
-
Waiting for primary to send consolidated yaml
-
Received authorized keys and consolidated yaml files
Running : /bin/sudo /bin/systemctl start cvpi-watchdog.timer
Running : cvpConfig.py tool...
[15748.205170] vmxnet3 0000:0b:00.0 eth0: intr type 3, mode 0, 9
vectors allocated
[15748.208393] vmxnet3 0000:0b:00.0 eth0: NIC Link is Up 10000 Mbps
[15748.210206] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[15748.591559] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[15752.406867] vmxnet3 0000:13:00.0 eth1: intr type 3, mode 0, 9
vectors allocated
[15752.409789] vmxnet3 0000:13:00.0 eth1: NIC Link is Up 10000 Mbps
[15752.412015] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[15752.413603] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
Stopping: zookeeper
Running : /bin/sudo /sbin/service zookeeper stop
Running : /bin/sudo /bin/systemctl is-active zookeeper

39
 Stopping: cvpi-check
Running : /bin/sudo /sbin/service cvpi-check stop
Running : /bin/sudo /bin/systemctl is-active cvpi-check
Stopping: ntpd
Running : /bin/sudo /sbin/service ntpd stop
Running : /bin/sudo /bin/systemctl is-active ntpd
Starting: ntpd
Running : /bin/sudo /bin/systemctl start ntpd.service
Starting: cvpi-check
Running : /bin/sudo /bin/systemctl start cvpi-check.service
Starting: zookeeper
Running : /bin/sudo /bin/systemctl start zookeeper.service
Running : /bin/sudo /bin/systemctl enable docker
Running : /bin/sudo /bin/systemctl start docker
Running : /bin/sudo /bin/systemctl enable kube-cluster.path
Running : /bin/sudo /bin/systemctl start kube-cluster.path
Running : /bin/sudo /bin/systemctl enable zookeeper
Running : /bin/sudo /bin/systemctl enable cvpi
Waiting for primary to finish configuring cvp.
-
Please wait for primary to complete cvp installation.
[q]uit [p]rint [e]dit [v]erify [s]ave [a]pply [h]elp ve[r]bose
>

Related concepts
Getting Started (CVP)
The login screen is displayed when you first connect to the application using a web browser.

3.5 Shell Reconfiguration of Single-node, Multi-node Systems

The configuration of single-node systems and multi-node systems can be reconfigured using the CVP shell,
even after the installation is complete. The reconfiguration process brings down the applications and CVPI for
a brief period of time until reconfiguration is complete.
• Single-node Shell Reconfiguration
• Multi-node Shell Reconfiguration

3.5.1 Single-node Shell Reconfiguration

The process for reconfiguring a single-node system is based on the process used to complete the initial
installation. You can change any of the configuration settings during the reconfiguration.
Note: The system must be in healthy state before reconfiguration is attempted.

To change an existing single-node configuration, do the following:

1. Follow the same steps you use for an initial single-node, shell-based install (see Configuring a Single-
Node CVP Instance using CVP Shell ).
2. When prompted with the message Are you sure you want to replace config and restart? yes/no: enter
yes, and then press Enter. (Make sure there are no configuration errors.)
This system automatically completes the configuration.

3.5.2 Multi-node Shell Reconfiguration

The process for reconfiguring a multi-node system is based on the process used to complete the initial
installation. Just like initial installations, you can only edit the configuration of the node you are logged into.

40
 CloudVision Portal (CVP) Setup

• Configurable and Read-only Parameters

• Shifting Parameters
• Example of Primary Node Reconfiguration
• Procedure

3.5.2.1 Configurable and Read-only Parameters

You can change some, but not all of the configuration settings during the reconfiguration. The configuration
parameters you cannot change are read-only after the initial configuration.
The configurable and read-only parameters are:
• Configurable parameters
• default route (gateway)
• dns
• ntp
• aeris ingest key
• TACACS server IP address
• TACACS server key/port
•
• Read-only parameters
• Cluster interface name
• Device interface name
• hostname (fqdn)
• ip address
• netmask
• Number of static routes
• Route for each static route
• Interface for static route
• Primary IP address (use current primary ip address)
Note: The cluster must be in healthy state before reconfiguration is attempted. Also, do not edit
cvp-config.yaml directly. Make sure you use the shell-based install to reconfigure it.

3.5.2.2 Shifting Parameters

You have the option of shifting common-level parameters (parameters that apply to the cluster), down to the
node-level section, and from the node-level section up to the common-level. One example of a common-level
parameters you can shift down is default gateway.
Note: If you shift parameters from one level to the other, you may encounter the “Incomplete config”
warning during the verify section. If this happens, acknowledge the warning by typing “Y” at the
prompt, and then continue with the install.
This example shows the “Incomplete config” warning:

>v
Incomplete config - Missing
secondary:
- default route
tertiary:
- default route

Override warnings? [Y/n] : Y

Valid config format

41
3.5.2.3 Example of Primary Node Reconfiguration

localhost login: cvpadmin

Changing password for user root.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Enter a command
[q]uit [p]rint [s]inglenode [m]ultinode [r]eplace [u]pgrade
>m
Choose a role for the node, roles should be mutually exclusive
[p]rimary [s]econdary [t]ertiary
>p
...
[q]uit [p]rint [e]dit [v]erify [s]ave [a]pply [h]elp ve[r]bose
>e
CVP service is configured and may be running,
reconfigure may be limited to certain parameters
common configuration:
dns: 172.22.22.40
ntp: ntp.aristanetworks.com
Telemetry Ingest Key: modified_ingest_key_for_telemetry <-- modified key
Cluster Interface name: eth0
Device Interface name: eth0
node configuration:
*hostname (fqdn): cvp57.sjc.aristanetworks.com
*default route: 172.31.0.1
Number of Static Routes:
TACACS server ip address:
*IP address of eth0: 172.31.0.186
*Netmask of eth0: 255.255.0.0
>v
Valid config format.
Using existing settings for new proposed network verification.
Warning: External interfaces, ['eth1'], are discovered under /etc/sysconfig/
network-scripts
These interfaces are not managed by CVP.
Please ensure that the configurations for these interfaces are correct.
Otherwise, actions from the CVP shell may fail.

Valid config.
[q]uit [p]rint [e]dit [v]erify [s]ave [a]pply [h]elp ve[r]bose
>a
Valid config format.
saved config to /cvpi/cvp-config.yaml
Using existing settings for new proposed network verification.
Warning: External interfaces, ['eth1'], are discovered under /etc/sysconfig/
network-scripts
These interfaces are not managed by CVP.
Please ensure that the configurations for these interfaces are correct.
Otherwise, actions from the CVP shell may fail.

Valid config.
Are you sure you want to replace config and restart? yes/no: no

3.5.2.4 Procedure
To change an existing multi-node configuration, do the following:
1. Follow the same steps you use for an initial multi-node, shell-based install (see Configuring Multi-node
CVP Instances Using the CVP Shell).

42
 CloudVision Portal (CVP) Setup

2. When prompted with the message Are you sure you want to replace config and restart? yes/no: enter
yes, and then press Enter. (Make sure there are no configuration errors.)
Note: You will also be prompted for primary node ip address and root passwords during
reconfiguration.
Related concepts
Getting Started (CVP)
The login screen is displayed when you first connect to the application using a web browser.

3.6 ISO-based Configuration

The ISO-based configuration can be used to set up either a single-node or multi-node CVP instance(s).
Before configuring and starting CVP, the following tasks must be completed.
Quick Start Steps:
• Launch the VM (see Deploying CVP OVA on ESX or Deploying CVP on KVM).
• Create a YAML Document
• Feed the YAML File into the geniso.py Tool
• Map ISO to the VM's CD-ROM Drive
• Verify the host name, reachability of the name server, and VM connectivity.

3.6.1 Create a YAML Document

Create a YAML document describing the node(s) (one or three) in your CVP deployment. When creating a
YAML document, the following should be considered:
• The version field is required and must be 2.
• The dns and ntp entries are lists of values.
• The mode parameter is required. Options are: mode: singlenode or mode: multinode
• The dns, and ntp parameters are optional, but recommended to use.
Note: The parameters, which are the same for all nodes, can be specified only once in the
common section of the YAML. For example, default_route can be specified only once in the
common section and not three times, once for each node.
Example:
The following example of a YAML document shows the use of separate (different) interfaces for cluster
and device-facing networks. These parameters are explained in the previous section. For a single-node
deployment, remove the sections for node2 and node3 (assuming all nodes are on the same subnet and
have the same default route).

>cat multinode.yaml
version: 2
common:
aeris_ingest_key: magickey
cluster_interface: eth0
default_route: 172.31.0.1
mode: multinode
device_interface: eth0
dns:
- 172.22.22.40
ntp:
- ntp.aristanetworks.com
node1:
hostname: cvp6.sjc.aristanetworks.com
interfaces:
eth0:

43
 ip_address: 172.31.3.236
netmask: 255.255.0.0
vmname: cvp6

node2:
vmname: cvp9
hostname : cvp9.sjc.aristanetworks.com
interfaces:
eth0:
ip_address: 172.31.3.239
netmask: 255.255.0.0
eth1:
ip_address: 10.0.0.2
netmask: 255.255.255.0
node3:
vmname: cvp10
hostname: cvp10.sjc.aristanetworks.com
interfaces:
eth0:
ip_address: 172.31.3.240
netmask: 255.255.0.0
eth1:
ip_address: 10.0.0.3
netmask: 255.255.255.0

3.6.2 Feed the YAML File into the geniso.py Tool

Once you have created the YAML file, you are ready to feed it into the tool so that you can generate the ISO
files for the CVP nodes. The root password can be provided at the command line or prompted from the user.
If password is empty, no password will be set for root.
Note: The geniso.py tool is provided by cvp-tools-1.0.1.tgz which can be found at https://
www.arista.com/en/support/software-download. The package also contains a README file with more
details and requirements for geniso.py.
Complete the following steps:
1. Run the yum install mkisofs command.
2. Feed the YAML document into the geniso.py tool.
The system generates the ISO files for the nodes using the input of the YAML document.
Example:
• In this example, you are prompted for the root password.

> mkdir tools

> tar zxf cvp-tools-1.0.1.tgz -C tools
> cd tools

...<edit multinode.yaml>...

> ./geniso.py -y multinode.yaml

Please enter a password for root user on cvp
Password:
Please re-enter the password:
Building ISO for node1 cvp1: cvp.iso.2015-11-04_00:16:23/node1-cvp1.iso
Building ISO for node2 cvp2: cvp.iso.2015-11-04_00:16:23/node2-cvp2.iso
Building ISO for node3 cvp3: cvp.iso.2015-11-04_00:16:23/node3-cvp3.iso
3. In case of using KVM as a hypervisor in a multi-node setup, copy the following ISO files to the
corresponding nodes:

44
 CloudVision Portal (CVP) Setup

• SCP node2's ISO to node 2

[root@localhost cvp]# scp node2-cvp-appliance-2.iso [email protected]://

data/cvp/
[email protected]'s password:
node2-cvp-appliance-2.iso

100% 360KB 57.5MB/s 00:00

• SCP node3's ISO to node 3

[root@localhost cvp]# scp node3-cvp-appliance-3.iso [email protected]://

data/cvp/
[email protected]'s password:
node3-cvp-appliance-3.iso

100% 360KB 54.7MB/s 00:00

Note: The script has to be run on one machine only. This generates three ISO images which
contains the same ssh keys, thus allowing the nodes to send files without a password. If
the script is run individually on each node, it result in images containing different ssh keys
and the deployment process fails, until the user manually adds the ssh keys in ~/.ssh/
authorized_keys.

3.6.3 Map ISO to the VM's CD-ROM Drive

You can map the ISO to the VM's CD-ROM drive through either ESXi or KVM.
Note: The following script was created with Python 2.7.

On all hosts:
1. Create the folder where the ISO will be stored.

mkdir -p /data/ISO
2. Create the folder where the VM will be stored. (If this procedure is used to re-install a CVP cluster on CVA
appliances then make sure to remove old files from the /data/cvp folder)

mkdir -p /data/cvp
cd /data/cvp
3. Download the CVP image you want to deploy.

wget http://dist/release/cvp/2018.2.5/final/cvp-2018.2.5-kvm.tgz
4. Unarchive it.

tar -xvf cvp-2018.2.5-kvm.tgz

5. Download the CVP tools.

wget http://dist/release/cvp/2018.2.5/final/cvp-tools-2018.2.5.tgz
6. Unarchive it.

tar -xvf cvp-tools-2018.2.5.tgz

On the primary:

45
 1. Modify the multinode.yaml file extracted from cvp-tools. It should look something like:

common:
cluster_interface: eth0
device_interface: eth0
dns:
- 172.22.22.10
ntp:
- 172.22.22.50
node1:
default_route: 172.28.160.1
hostname: cvp-applicance-1.sjc.aristanetworks.com
interfaces:
eth0:
ip_address: 172.28.161.168
netmask: 255.255.252.0
vmname: cvp-appliance-1
node2:
default_route: 172.28.160.1
hostname: cvp-applicance-2.sjc.aristanetworks.com
interfaces:
eth0:
ip_address: 172.28.161.169
netmask: 255.255.252.0
vmname: cvp-appliance-2
node3:
default_route: 172.28.160.1
hostname: cvp-applicance-3.sjc.aristanetworks.com
interfaces:
eth0:
ip_address: 172.28.161.170
netmask: 255.255.252.0
vmname: cvp-appliance-3
version: 2

Note: The example above is from CVP 2018.2.5, more recent versions might have different key
value pairs so it is always best to log into an existing VM and check /cvpi/cvp-config.yaml.
2. Use the geniso.py script extracted from CVP-tools to generate the images for ISO based installation and
feed the yaml file into it:

[root@localhost cvp]# ./geniso.py -y multinode.yaml

Please enter a password for root user on cvp
Password:
Please re-enter the password:
Building ISO for node1 cvp-appliance-1: cvp.iso.2019-07-26_17:01:14/node1-
cvp-appliance-1.iso
Building ISO for node2 cvp-appliance-2: cvp.iso.2019-07-26_17:01:14/node2-
cvp-appliance-2.iso
Building ISO for node3 cvp-appliance-3: cvp.iso.2019-07-26_17:01:14/node3-
cvp-appliance-3.iso
3. SCP the generated ISOs to the corresponding nodes.

mv node1-cvp-appliance-1.iso /data/ISO
scp node2-cvp-appliance-2.iso [email protected]://data/ISO/
scp node3-cvp-appliance-3.iso [email protected]://data/ISO/
4. On each node generate the xml file for KVM.

./generateXmlForKvm.py -n cvp --device-bridge devicebr -k 1 -i

cvpTemplate.xml -o qemuout.xml -x "/data/cvp/disk1.qcow2" -y
"/data/cvp/disk2.qcow2" -b 22528 -p 8 -e "/usr/libexec/qemu-kvm"

46
 CloudVision Portal (CVP) Setup

Note: The above will generate the VM specs with 8 CPU and 22GB of RAM, for production use
please refer to our Release Notes.
To use both bridges (devicebr and clusterbr) the command would look like this:

./generateXmlForKvm.py -n cvp --device-bridge devicebr

--cluster-bridge clusterbr -k 1 -i cvpTemplate.xml -o
qemuout.xml -x "/data/cvp/disk1.qcow2" -y
"/data/cvp/disk2.qcow2" -b 54525 -p 28 -e "/usr/libexec/qemu-kvm
5. Define the VM.

virsh define qemuout.xml

6. Start the VM.

virsh start cvp

7. Add the ISO image to the VM.
a. Node1

./addIsoToVM.py -n cvp -c /data/ISO/node1-cvp-appliance-1.iso

b. Node2

./addIsoToVM.py -n cvp -c /data/ISO/node2-cvp-appliance-2.iso

c. Node3

./addIsoToVM.py -n cvp -c /data/ISO/node3-cvp-appliance-3.iso

The VM will be rebooted and configured automatically, so you just have to login and wait until the
components come up

virsh console cvp

[root@localhost cvp]# virsh console cvp

Connected to domain cvp
Escape character is ^]
[ 30.729182] Ebtables v2.0 unregistered
[ 31.253141] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 31.290314] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 31.338226] Ebtables v2.0 registered
[ 31.401887] nf_conntrack version 0.5.0 (65536 buckets, 262144 max)
[ 124.829593] FS-Cache: Loaded
[ 124.881829] FS-Cache: Netfs 'nfs' registered for caching

CentOS Linux 7 (Core)

Kernel 3.10.0-957.1.3.el7.x86_64 on an x86_64

cvp-applicance-1 login:
CentOS Linux 7 (Core)
Kernel 3.10.0-957.1.3.el7.x86_64 on an x86_64

cvp-applicance-1 login:
CentOS Linux 7 (Core)
Kernel 3.10.0-957.1.3.el7.x86_64 on an x86_64

cvp-applicance-1 login: root

Password:
[root@cvp-applicance-1 ~]# su cvp

47
 c[cvp@cvp-applicance-1 root]$ cvpi status all

Current Running Command: [/cvpi/bin/cvpi -v=3 start all]

Current Command Running Node: primary
Executing command. This may take a few seconds...
primary 18/75 components running, 57 failed
secondary 16/86 components running, 70 failed
tertiary 13/42 components running, 29 failed

A few minutes later:

[cvp@cvp-applicance-1 root]$ cvpi status all

Current Running Command: None

Executing command. This may take a few seconds...
primary 75/75 components running
secondary 86/86 components running
tertiary 42/42 components running

48
 CloudVision Portal (CVP) Setup

3.7 Certificate-Based TerminAttr Authentication

Arista/EOS switches use TerminAttr for streaming network data to CVP in the following network
configurations:
• Firewalls or dynamic NAT is deployed between CloudVision and EOS devices
• Multi-Factor Authentication (MFA) or One-Time-Passwords (OTPs) are used for authentication
Note: When terminattr authentication is enabled, CVP does not require EAPI-over-HTTPS
connections. Any CVP authenticated user is also authenticated with the devices that CVP manages.
Each TerminAttr connection must be authenticated using either shared keys or certificate. The certificate-
based TerminAttr authentication provides the following additional security features:
• Eliminates the shared key from the switch's configuration
• Uniquely authenticates each TerminAttr connection between the switch and CVP
Note: Third party devices can use only the shared key authentication. The minimum required version
of TerminAttr to use this feature is v1.6.1.
The following sections describes configuring devices with certificate-based TerminAttr authentication:
• Enabling Certificate-Based TerminAttr Authentication
• Reboarding Existing Devices
• Re-ZTP On-Boarded Devices
• Switching the Authentication from Shared Keys to Certificates
• Switching the Authentication from Certificates to Shared Keys

3.7.1 Enabling Certificate-Based TerminAttr Authentication

When on-boarding a device through Zero Touch Provisioning (ZTP) or direct import, the certificate-
based TerminAttr authentication uses a temporary token to enroll client certificates from CVP. The
SYS_TelemetryBuilderV3 generates the TerminAttr configuration that uses certificate-based TerminAttr
authentication.
Note: Cerificate-based TerminAttr authentication is used as the default method as of version
2021.2.0, but can be changed to shared key if needed. Shared key authentication support is not
supported in version 2023.1.0 and newer.
Perform the following steps to enable certificate-based TerminAttr authentication:
1. In CloudVision portal, click the gear icon at the upper right corner of the page.
The system displays the Settings screen.

49
 2. Under the Cluster Management pane, enable Device authentication via certificates using the toggle
button.
Figure 15: Enable Device Authentication via Certificates

3.7.2 Switching the Authentication from Certificates to Shared Keys

Perform the following steps for switching the authentication from certificates to shared keys:
1. Disable the Device authentication via certificates option on the settings page.
See Enabling Certificate-Based TerminAttr Authentication.
2. Regenerate the configlets for all devices using SYS_TelemetryV3 builder.
The generated configlets starts using shared key authentication.
3. Execute resulting tasks.

50
 CloudVision Portal (CVP) Setup

3.7.3 Switching the Authentication from Shared Keys to Certificates

Perform the following steps for switching the authentication from shared keys to certificates:
Note: As of version 2021.2.0, Certificate Authentication is enabled by default for all new on-prem
installations. For previous releases, the TerminAttr certificate authentication can be turned ON by
enabling the Device authentication via certificates setting in the Settings page.
Note: No action is required if the setting is no longer visible in a cluster running version 2022.2 or
newer. If the setting is visible in a cluster running version 2022.2 release or newer, then a warning will
be displayed during the upgrade process to warn about this deprecated feature. CloudVision users are
encouraged to move all the devices to use certificate authentication.
Figure 16: General Settings

The following procedure will enable certificate-based authentication for TerminAttr when there are devices
already devices provisioned.

51
 1. Select Devices and the Device Registration tab. Within Device Onboarding select Onboard
Provisioned EOS Devices.
Figure 17: Devices - Device Registration

2. If you have a large list, the Auth Type column can be sorted by selecting the column header.
3. Select all the devices with“Auth Type as Ingest Key and then select Register n devices.
4. The Auth Type of the device will change to Certificates.
5. The device needs to be reconciled because it is out of compliance. Go to Provisioning and select
Network Provisioning. A topographical view of your device will be displayed.
6. Select the device that is out of compliance (yellow in color). Click on Manage and then Configlet.
7. Select SYS_TelemetryBuilderV4 and then click Generate to generate the configuration. When complete
click Validate. ( If VRF is used on the management interface then select VRF before generating the
configuration ).
8. Click Save. The configuration is applied and the device will be compliant now.

3.7.4 Reboarding Existing Devices

You must reboard a device when the certificate-based TerminAttr authentication fails due to missing or invalid
client certificates.
Perform the following steps to reboard devices:
1. In CloudVision portal, click the Devices tab.

52
 CloudVision Portal (CVP) Setup

The system displays the Inventory screen.

Figure 18: Inventory Screen

2. Select Onboard Devices from the Add Device drop-down menu at the upper right corner of the
Inventory screen.
The system displays the Onboard Devices pop-up window.
3. Click the Existing Device Registration tab at the lower end of the Onboard Devices pop-up window.
Figure 19: Existing Device Registration Tab

Note: To view all devices, disable the Show only inactive devices option using the toggle button.

4. Select the required device.

5. Click Register n Device(s) where n is the count of selected devices.
The system refreshes the selected device with new certificates, returns to the last provisioning state, and
resumes streaming to CVP.

3.7.5 Re-ZTP On-Boarded Devices

Manual intervention is required to re-ZTP on-boarded devices after enabling the certificate-based TerminAttr
authentication. This prevents unauthorized or malicious software from spoofing previously on-boarded
devices.

53
 Perform the following steps to re-ZTP devices:
1. In CloudVision portal, click the Devices tab.
The system displays the Inventory screen.
2. Select Re-ZTP Devices from the Add Device drop-down menu at the upper right corner of the Inventory
screen.
The system displays the Re-ZTP Devices pop-up window.
Figure 20: Re-ZTP Devices Pop-Up Window

Note: To view all devices, disable the Show only inactive devices option using the toggle button.

3. Select the required device.

4. (Optional) Click the time next to Global ZTP Deadline and configure the preferred time to re-ZTP selected
devices.
5. Click Grant ZTP Access to n Device(s) where n is the count of selected devices.
Devices must complete their re-ZTP before the enrollment window closes.

3.8 NAT Support

CloudVision cluster can be deployed behind a network address translation (NAT) box in which a different
public IP address is exposed towards devices streaming to the cluster. The devices can only reach the
CloudVision cluster via the public NAT IP. Enabling the feature involves assigning the NAT public IP address
to the nodes.

3.8.1 NAT Support Pre 2021.3.0

Add the interfaces/eth0/nat_ip_address parameter in the configuration while installing the cluster.
The interface name can be Ethernet interface(eth0, eth1, eth2, ...). The internal IP addresses are assigned in
the ip_address field (marked in bold).

node1:
default_route: 172.XX.XX.X
hostname: dummy.comNAT
interfaces:
eth0:
ip_address: 172.XX.XX.XXX
netmask: 255.XX.XX.XX
interfaces/eth0/nat_ip_address: 172.XX.XX.X (Public NAT IP)
node2:
default_route: 172.XX.XX.X
hostname: dummy.com
interfaces:

54
 CloudVision Portal (CVP) Setup

eth0:
ip_address: 172.XX.XX.XXX
netmask: 255.XX.XX.XX
interfaces/eth0/nat_ip_address: 172.XX.XX.X
node3:
default_route: 172.XX.XX.X
hostname: dummy.com
interfaces:
eth0:
ip_address: 172.XX.XX.XXX
netmask: 255.XX.XX.XX
interfaces/eth0/nat_ip_address: 172.XX.XX.X

3.8.2 NAT Support Post 2021.3.0

Add interfaces/eth0/nat_ip_address parameter in the configuration while installing the cluster. The interface
name can be Ethernet interface(eth0, eth1, eth2, ...). The internal Ip addresses are assigned in the
ip_address field.
This can be configured via the CVP Shell using the NAT IP address prompt.
CVP Installation Menu

[root@localhost ~]# su cvpadmin

CVP Installation Menu

────────────────────────────────────────────
[q]uit [p]rint [s]inglenode [m]ultinode [r]eplace [u]pgrade
>s
Enter the configuration for CloudVision Portal and apply it when done.
Entries marked with '*' are required.

Common Configuration:
────────────────────────────────────────────
CloudVision Deployment Model [d]efault [w]ifi_analytics: d
DNS Server Addresses (IPv4 Only): 172.22.22.40
DNS Domain Search List: sjc.aristanetworks.com, ire.aristanetworks.com
Number of NTP Servers: 1
NTP Server Address (IPv4 or FQDN) #1: ntp.aristanetworks.com
Cluster Interface Name: eth0
Device Interface Name: eth0
CloudVision WiFi Enabled: no
*Enter a private IP range for the internal cluster network (overlay):
10.42.0.0/16
*FIPS mode: no

Node Configuration:
─────────────────────────────────────────────
*Hostname (FQDN): cvp80.sjc.aristanetworks.com
*IP Address of eth0: 172.31.0.168
*Netmask of eth0: 255.255.0.0
NAT IP Address of eth0:
*Default Gateway: 172.31.0.1
DNS Domain Search List:
Number of NTP Servers:
Number of static Routes:
TACACS Server IP Address:

Singlenode Configuration Menu

────────────────────────────────────────────
[q]uit [p]rint [e]dit [v]erify [s]ave [a]pply [h]elp ve[r]bose

55
 Singlenode Configuration Menu

Singlenode Configuration Menu

────────────────────────────────────────────
[q]uit [p]rint [e]dit [v]erify [s]ave [a]pply [h]elp ve[r]bose
>p
common:
cluster_interface: eth0
cv_wifi_enabled: 'no'
deployment_model: DEFAULT
device_interface: eth0
dns:
- 8.8.8.8

3.8.3 Known Caveats

When CVP is behind NAT and some of their devices are in the same network as CVP and some outside, this
feature may not work.
When both the device and the CVP cluster are inside the same NAT network, configuring TerminAttr (TA) on
the devices to reach the cluster’s public NAT IP address may not work in all cases. (This will depend on how
NAT is configured.)

56
 Chapter 4

CloudVision as-a-Service
CloudVision as-a-Service is an Arista-managed, multi-tenant cloud service deployed in tier one public cloud
providers. CloudVision as-a-Service features include secure state-streaming and analytics on top of an Arista
managed multi-tenant scale-out architecture. Customers are assigned to a unique organization (tenant)
in a specific region. All devices and users of that customer are part of this organization. Organizations are
isolated from each other and a user in one organization cannot access any data from other organizations.
Authentication is tied to the customer’s AAA provider. CloudVision as-a-Service provides device provisioning
workflows and state streaming.
Sections in this chapter include:
• Prerequisites
• Onboarding Procedures
• AAA Providers

4.1 Prerequisites
Verify the following requirements before installing CloudVision as-a-Service.
• Software Requirements
• Connectivity Requirements
• Authentication Requirements

4.1.1 Software Requirements

Minimum software requirements are:
• EOS 4.20 or newer
• TerminAttr 1.19.5 or newer

4.1.2 Connectivity Requirements

EOS devices need to be able to connect to arista.io on port 443 (apiserver.arista.io:443).
Note: CloudVision as-a-Service only needs port 443 to be opened to initiate a secure connection to
an EOS device.
To verify proper connectivity to apiserver.arista.io:443 use the following commands:
1. Verify proper DNS resolution.

switch#bash nslookup apiserver.arista.io

Note: If this is unsuccessful please check your DNS server configuration. If no DNS servers are
available, add the ip name-server configuration as follows:

switch(config)# ip name-server 8.8.8.8

2. Verify connectivity to CloudVision Service using the curl command:

switch# bash

57
 [admin@switch]$ curl apiserver.arista.io:443
curl: (52) Empty reply from server

If multiple VRFs are configured, first change the VRF context:

switch# bash
[admin@switch]$ sudo ip netns exec ns-MGMT curl apiserver.arista.io:443

4.1.3 Authentication Requirements

CloudVision as-a-Service supports OAuth 2.0 for authorization. OAuth is one of the most common methods
used to pass authorization from a single sign-on (SSO) service to another cloud application. While there are
many OAuth providers in the market today, CloudVision as-a-Service supports Google OAuth, OneLogin,
Okta & Microsoft Azure AD.
Note that CloudVision as-a-Service is transparent to 3rd party MFA (Multi-Factor Authentication) Providers.
As long as the customer is using one of the above listed OAuth Providers for identity management,
CloudVision Service should be able to authorize against that OAuth provider.
Authentication options:
• Using Google OAuth or Microsoft Azure AD
• Not using Google OAuth or Microsoft Azure AD
• AAA Providers

4.1.3.1 Using Google OAuth or Microsoft Azure AD

Only admin email addresses are required when using Google OAuth or Azure AD as a provider. Select the
Sign in with Google or Sign in with Microsoft link at: https://www.arista.io/cv

4.1.3.2 Not using Google OAuth or Microsoft Azure AD

If you are using Okta, OneLogin, or another OAuth Provider, the following information is required to onboard
CloudVision as-a-Service:
• OAuth Endpoint
• ClientID
• ClientSecret
Refer to the respective OAuth Provider documentation for information about obtaining this information.
Your OneLogin or Okta administrator will use this information to add CloudVision to their authorized
applications and adjust user permissions to allow access to the service. If you experience any OAuth errors,
open an Arista TAC support request for assistance. Provide a the full URL and a screen capture of the output,
Note: Email IDs are case sensitive when used for CloudVision Service login. If the case is
[email protected], it will need to match exactly to the CloudVision Service login.
Once the CloudVision Service account is set up, an Invitation URL will be provided by Arista to login to the
CloudVision Service.
For further onboarding procedures see Onboarding Authentication Providers.

58
 CloudVision as-a-Service

4.2 Onboarding Procedures

This section contains:
• Onboarding Authentication Providers
• Onboarding Devices: Token-Based Authentication
• Subscribing to CloudVision as-a-Service updates

4.2.1 Onboarding Authentication Providers

Once the CloudVision as-a-Service instance is set up, use the following procedure to add a preferred
authentication provider.
To add a preferred authentication provider:
1. Navigate to Settings using the gear icon. Verify under the Features section OAuth Providers is toggled
on.
Figure 21: OAuth Providers

2. Navigate to Access Control and then Providers. To add a new authentication provider, click the 'Add
Provider' button.
Figure 22: Add Provider

59
 3. Select a provider that your organization uses.
Figure 23: Shared Provider

Note that currently Google and Microsoft are supported as a Shared Providers. Shared Providers use an
Arista-provided set of credentials so no other information is required from the customer for the onboarding.
Other providers are currently supported as non-shared providers. Additional required form fields will
appear upon selecting these providers. These fields will need to be filled out with credentials specific to
your account with that provider.
Figure 24: Non-shared Provider

60
 CloudVision as-a-Service

4. Saving the provider will send a registration request to the CloudVision Service backend along with the
related information.
5. Once the authentication provider is set up, make sure to add the admin email address and verify the login
process before the Invitation URL expires. To add a user account navigate to Users and then the Add
User screen.
Figure 25: Add User

4.2.2 Onboarding Devices: Token-Based Authentication

To onboard the devices using token-based authentication.

1. To onboard the devices navigate to Devices and then Inventory and then Add Devices and then
Onboard Devices.
Figure 26: Onboarding Devices

2. Details on how to create a token, and using that token to onboard the devices are listed under the
Onboard Devices. Please follow the directions to create a token and onboard your devices to CloudVision
Service.

61
 Note: You can use the same token to onboard multiple devices. CloudVision Service will use the
device serial number to identify a device.
Figure 27: Onboarding Devices

62
 CloudVision as-a-Service

3. Once you successfully onboard the devices you should be able to see them under the Devices tab.
Figure 28: Device Inventory Screen

63
 4. Click on the wrench icon (#) to provision the device. This will take you to the device-specific page. Select
the Device Overview tab and then select Provision Device to provision the device in CloudVision
Service.
Figure 29: Device Overview

Note: Prior to Provision Device make sure the user account exists in the EOS device. For
example:
Assuming [email protected] is the email address used for OAuth authentication you need to have
john.smith as a user (for Arista Demo you will need to use

[email protected]):
sw(config)#username john.smith privilege 15 <nopassword/secret>

If you have TACACS+ configured for authentication, in order for CloudVision as-a-Service to properly
provision the device, the exact user account should already exist in the TACACS+ Server.
If you have a Radius server for EOS authentication, you need to add the --disableaaa argument into
the TerminaAttr config.
For additional information on migrating an EOS device with a TACACS+/Radius authentication to the
CloudVision Service, please refer to Authentication Prerequisites.

64
 CloudVision as-a-Service

4.2.3 Subscribing to CloudVision as-a-Service updates

You can monitor CloudVision Service live status through https://status.arista.io . You can also subscribe to
CloudVision Service notification via email/text using Subscribe to CloudVision.
Following are informational and disruption notification examples you would get after subscribing to
CloudVision Service updates:
Figure 30: Informational Notification

4.3 AAA Providers

Authentication And Authorization (AAA) Providers create and log in to CloudVision through any provider. The
OAuth and SAMLproviders are pre-configured and require additional information to create the provider.
The following sections describe procedures to configure AAA providers:
1. Requirements
2. Setting up an OAuth/SAML Provider in CloudVision
3. Setting up CloudVision with Identity Provider
4. Logging in with a Provider
5. Adding Launchpad as a Provider

4.3.1 Requirements
Pre-requisites:
• The device must have internet access.
• To create the OAuth or SAML provider, you must be registered with and have access to the Service
Provider (SP) credentials.
Perform the following steps to create and edit SAML Providers:

65
 1. Click on the gear icon.
Figure 31: General Settings Screen

2. On the General Settings page, under Features, enable SAML Providers (Beta) using the toggle button.

4.3.2 Setting up an OAuth and SAML Providers in CloudVision

You can setup an OAuth or SAML provider in CloudVision through the Providers screen. To open the
Providers screen, click on the gear icon and navigate to Access Control > Providers. This screen
lists current registered OAuth and SAML providers in corresponding tables and provides the following
functionalities:
• Adding OAuth Providers
• Adding SAML Providers
• Removing OAuth Providers
• Removing SAML Providers
Note: The Shared Provider column lists the providers where Arista has a special account for
CloudVision-as-a-Service (CVaaS).

4.3.2.1 Adding OAuth Providers

Pre-requisites:
• Shared providers does not require the additional information like endpoint, client ID, and client secret. This
functionality is not supported on-prem or on the custom providers.
• The link at the bottom of the Add OAuth Providers window explains how the selected provider uses
OAuth and where you can find the information required by the form.
• You can use the Custom OAuth option if your provider is not listed under the Provider drop-down menu.
Perform the following steps to add an OAuth provider:
1. Click the + Add OAuth Provider tab.

66
 CloudVision as-a-Service

The system opens the Add OAuth Provider screen.

Figure 32: Add OAuth Provider Screen

2. Select the required OAuth provider from the Provider drop-down menu.
Figure 33: Add OAuth Provider Screen to Configure a Provider

3. In the Endpoint field, type the provider URL where the Client ID and Client Secret are used to authorize
the client.
4. In the Client ID field, type the unique public identifier the provider assigns to the client at the time of
registration.
5. In the Client Secret field, type the unique private identifier the provider assigns to the client at the time of
registration.
6. Click Add.
The system registers the new OAuth provider and lists it in the OAuth providers table.

4.3.2.2 Adding SAML Providers

Pre-requisites:
• The link at the bottom of the Add SAML Providers window explains how the selected provider uses
SAML and where you can find the information required by the form. The only provider that does not have
this information is Launchpad.

67
 • You can use the Custom SAML option if your provider is not listed under the Provider drop-down menu.
Perform the following steps to add an SAML provider:
1. Click the + Add SAML Provider tab.
The system opens the Add SAML Provider window.
Figure 34: Add SAML Provider Screen

2. Select the required SAML provider from the Provider drop-down menu.
Figure 35: Add SAML Provider Screen to Configure a Provider

3. In the Identity Provider Issuer field, type the Issuer or Entity ID.
Note: An Issuer or Entity ID is a URL that uniquely identifies a SAML identity provider.

68
 CloudVision as-a-Service

4. In the Identity Provider Metadata URL field, type the URL to fetch identity provider metadata.
5. In the Email Attribute Name field, type the attribute name for the email ID in SAML.
6. In the Authorization Request Binding field, select the protocol binding used for the SAML authentication
request to the identity provider.
7. Click Add.
The system registers the new SAML provider and lists it in the SAML providers table.

4.3.2.3 Removing OAuth Providers

Perform the following steps to remove an OAuth provider:
1. On the Providers screen, under OAuth Providers, select the redundant provider from the OAuth provider
table.
Figure 36: Removing OAuth Provider(s)

2. Click the Remove OAuth Provider button.

69
 The system opens the Confirm screen.
Figure 37: Remove OAuth Provider(s) Confirm Screen

3. Click Remove to confirm the removal.

The system permanently removes the OAuth provider.

4.3.2.4 Removing SAML Providers

Perform the following steps to remove an SAML provider:
1. On the Providers screen, under SAML Providers, select the redundant provider from the SAML provider
table.
Figure 38: Removing SAML Provider(s)

2. Click the Remove SAML Provider button.

70
 CloudVision as-a-Service

The system opens the Confirm screen.

Figure 39: Remove SAML Provider(s) Confirm Screen

3. Click Remove to confirm the removal.

The system permanently removes the SAML provider.

4.3.3 Setting up CloudVision with Identity Provider

You must setup CloudVision with your Identity Provider.
For instructions on setting up CloudVision with identity providers, refer to the CloudVision as a Service
(CVaaS) Quick Start Guide at https://www.arista.com/en/support/product-documentation or reference
documentation at https://eos.arista.com/toi/cvp-2021-2-0/aaa-providers-oauth-and-saml-support/.

4.3.4 Logging in with a Provider

You can use your registered providers on the CloudVision login screen to log in to cloud and on-premise
CloudVision deployments. Click on the provider that has been created to log in through that provider.
Note: The login screen of the CloudVision with Cloud Deployments displays all supported providers
regardless of which ones were created. Whereas, the login screen of the CloudVision with Cloud
Deployments only displays providers that have been created.

4.3.5 Adding Launchpad as a Provider

You can add a launchpad using one of the following methods as per your requirement:
• Adding a Launchpad for CVaaS Deployments
• Adding a Launchpad for On-Premise Deployments
• Adding a Launchpad for CVaaS and On-Premise Deployments

4.3.5.1 Adding a Launchpad for CVaaS Deployments

This section applies to non-CV-CUE customers who want to use launchpad as an identity provider.

71
 To add launchpad as a shared provider for CVaas deployments, request the list of users to be created in
launchpad by emailing to wifi-cloudops-tickets@
Note:
• For cv-dev and cv-play, use the following information to configure Launchpad in Cloudvision:
Provider: launchpad Identity Provider Issuer: https://mojoonedemo.airtightnw.com/
idp/shibboleth Identity Provider Metadata URL: https://
mojoonedemo.airtightnw.com/idp/shibboleth Email Attribute Name: User.email
Authorization Request Binding: HTTP-Redirect SAML protocol binding
• For cv-staging and production, use the following information to configure Launchpad in Cloudvision:
Provider: launchpad Identity Provider Issuer: https://login.mojonetworks.com/idp/
shibboleth Identity Provider Metadata URL: https://login.wifi.arista.com/casui/
idp-metadata.xml Email Attribute Name: User.email Authorization Request Binding: HTTP-
Redirect SAML protocol binding

4.3.5.2 Adding a Launchpad for On-Premise Deployments

Perform the following steps to add a launchpad for on-premise deployments:
1. Log into the tenant/cluster and get the SAML metadata from the desired cluster by going to the
CLUSTER_URL/api/v1/saml_sp_metadata URL.
Note:

2. Email the metadata obtained in Step 1 to wifi-cloudops-tickets@ requesting to create the first user account
in Launchpad and to get Launchpad configured with the SAML metadata to trust this CloudVision cluster.
Note: Other accounts for this customer/org can be created by the first account created for this org
by the cloudops team.
3. Get the IdentityProvider Issuer URL, Identity Provider Metadata URL and the Email attribute name from
Launchpad.

4.3.5.3 Adding a Launchpad for CVaaS and On-Premise Deployments

Perform the following steps to add a launchpad for CVaaS and on-premise deployments:
1. Log in to the CVP.
2. Click on the gear icon.
3. On the General Settings screen, under Features, enable SAML Providers (Beta).
4. Navigate to Access Control > Providers and click the + Add SAML Provider button.

72
 CloudVision as-a-Service

5. Select Launchpad (SAML) from the Provider drop-down menu.

Figure 40: Add SAML Provider Screen to Configure Launchpad

6. In the Identity Provider Issuer field, type the Issuer or Entity ID.
Note: An Issuer or Entity ID is a URL that uniquely identifies a SAML identity provider.

7. In the Identity Provider Metadata URL field, type the URL to fetch identity provider metadata.
8. In the Email Attribute Name field, type the attribute name for the email ID in SAML.
9. In the Authorization Request Binding field, select the protocol binding used for the SAML authentication
request to the identity provider.
10. Click Add.
11. Under Access Control in the left pane, click Users.
The system opens the Users screen.
Figure 41: Users Screen

12. On the Users screen, click + Add User.

73
 The system opens the Add User screen.
Figure 42: Add User Screen

13. Provide the required information in corresponding fields.

Note:
• CloudVision usernames and EOS switch usernames must match for CloudVision to manage
configuration and images on the switches.
• Type the email address which you used to sign up with Launchpad in the Email Address field.
14. Click Add.
15. Logout from the CVP.
16. Login to your account via launchpad.

74
 Chapter 5

Getting Started (CVP)

The login screen is displayed when you first connect to the application using a web browser.
The CloudVision Portal (CVP) application is accessible after the CVP service has been started on the
appliance. The login screen is displayed when you first connect to the application using a web browser.
JavaScript must be enabled in the browser for the web application to work.
Sections in this chapter include:
• Accessing the CVP Login Page
• Accessing the Home Page
• Omnibox
• Customizing the Home Screen and Dashboard Logo
• Accessing CV-CUE
• Key CV-CUE Operations and Directories
• Wifimanager CLI Commands

5.1 Accessing the CVP Login Page

1. To access the login page, point your browser to the CloudVision Portal (http://HOSTNAME or https://
HOSTNAME).The system opens the CVP login page.
Figure 43: CVP Login Page

75
 2. Enter login credentials in the CVP login section.
Figure 44: Login Section

Note:
The username and passwords required will depend on the authentication method and accounts
previously set up. Login using the username and password created when CVP was installed. If
you chose the local authentication and authorization options, login initially using cvpadmin for the
username and password.
3. Click Login. The system opens the CVP home page.

5.2 Accessing the Home Page

All features including Devices, Events, Provisioning, Dashboards, and Topology are displayed on the home
panel.
Note: You must have required privileges to access a switch.

Figure 45: Home Page

The home page provides the following selections.

76
 Getting Started (CVP)

• Devices: View all devices across multiple topologies.

• Events: View multiple events on multiple devices.
• Provisioning: Hierarchical tree structure of the network is maintained here. All the configuration and
image assignment to the network switches are made via this module.
• Dashboards: View multiple metrics across multiple devices. Select at least one metric and one device to
begin.
• Topology: View the location of devices in individual topologies.

5.3 Omnibox
The omnibox performs a search and displays results from all sections in CloudVision. You must select a result
for navigating to the corresponding CloudVision section.
Click the search icon at the upper-right corner of the CVP screen to access the omnibox.
Figure 46: Omnibox

Note:
• You can refine search results by adding more keywords to the query.
• Omnibox hotkeys are Command # + K in Mac; and Ctrl + K in Windows.
The Omnibox provides a variety of results classifying them by the section it belongs to, an associated device
or section name, and sometimes a description that explains what kind of result it is.The list of potential search
result modules are:
• Devices
• Matching devices
• Sections of matching devices
• Events
• Matching event types
• If a keyword matches a device hostname, it provides an option to view all events on that device
• Matching event configurations
• Metrics
• Matching metrics
• Matching metric dashboards
• Topology - Matching devices in topology
• Provisioning - Matching Provisioning sections
• Settings - Matching Settings sections
Note: Multiple results from the same section are grouped together.

77
 CloudVision displays matching results from Devices and Topology sections when a search is
performed using the JPE keyword.
Figure 47: Omnibox Search with JPE Keyword

Note:
• If you select athens from the Devices section, CloudVision displays the Device
Overview screen of athens.
• If you select athens from the Topology section, CloudVision displays athens
node in the Topology view.

If a search is performed with the athens keyword, CloudVision displays results from Devices,
Event, Metrics, and Topology sections.
Figure 48: Omnibox Search with Athens Keyword

78
 Getting Started (CVP)

5.4 Customizing the Home Screen and Dashboard Logo

CloudVision enables you to customize the visible options and dashboard logo shown on the home page. You
change the visible options and dashboard logo by customizing them from the Settings page.
By default, no dashboard logo is selected. The image you select for the logo appears in the dashboard next to
the notifications icon.

Note: Note Any image you select for either the Home screen background or dashboard logo must not
exceed 200 KB for each image. In addition, the images must JPG, PNG, or GIF.
Complete the following steps to customize the visible and dashboard logo:
1. Login to CVP.
2. Click the gear icon at the upper right corner of the page.

3. Click Settings in the left menu.

4. Select the required options provided under Basic Settings, Beta Features, Cluster Management, and
Troubleshooting sections.
Figure 49: Default Settings for Home Page and Dashboard Logo

5. To customize the dashboard logo, perform the following steps:

• Click the image box next to the logo field.
• In the Upload logo dialog, Click Select file.
• Navigate to the desired image, and click Open. (The imported image is displayed next the Select file
box.)
• Click Upload.

79
5.5 Accessing CV-CUE
You can access the CV-CUE service via either the CLI Access or the UI Access.

CLI Access
To log in to the wifimanager container using CLI, run the /cvpi/apps/wifimanager/bin/
wifimanager.sh cli 2>/dev/null command on the primary or the secondary node.
Figure 50: CLI Access

You can now run wifimanager commands. See the Wifimanager CLI Commands for a list of wifimanager CLI
commands and their descriptions.

UI Access
The URL to access the wifimanager UI is http(s)://<CVP-IP>/wifi/wifimanager is where CVP-IP refers to the
actual CloudVision Portal (CVP) IP/domain name.
The URL to access the cognitive Wifi UI is http(s)://<CVP-IP>/wifi/aware where CVP-IP refers to either the
actual CVP IP or domain name.
For example, if the IP address of CVP is 10.12.3.4, then the URL to access the wifimanager UI is
https://10.2.3.4/wifi.wifimanager and the cognitive Wifi UI is https:////10.12.3.4/wifi/aware.

80
 Getting Started (CVP)

You can access CV-CUE UI by clicking on the WiFi tab in the CVP UI, or you can access it directly using the
URLs of either wifimanager UI or Wifi UI.
Figure 51: UI Access

When you access the UI for the first time, you need to apply the CV-CUE service license.
Figure 52: CV-CUE Service License

Note:
• For the license file, please write an email to [email protected]
• Use the ifconfig command on the CV root shell to get the eth0 MAC addresses of the primary
and secondary CV servers (you need not access the wifimanager CLI for this). You need to include
both these MAC addresses when you email support to request a license. One license is generated
for the two (primary and secondary) MAC addresses.
Once you apply the license, you must log in to the CV-CUE UI using the following default credentials:
Username: admin
Password: admin
You can then change the password and add other users.
Note: You can now also connect Arista access points to the server.

81
5.6 Key CV-CUE Operations and Directories
CV-CUE is containerized as a service on CV. See the Wifimanager CLI Commands section for a list of CV-
CUE CLI commands and their descriptions.
For details on how to configure, monitor, and troubleshoot WiFi using CV-CUE, see the CV-CUE User Guide
on the Arista CV-CUE Support Portal at https://www.arista.com/support/customer-portal. You can access the
portal from the WiFi - Support Portal tile on your dashboard. For details and credentials to access the portal,
contact [email protected].
CVPI Commands for CV-CUE
The following table lists the operations you can perform on wifimanager and the corresponding CVPI
commands used.

Table 6: CVPI Commands

Operation CVPI Command

start cvpi start wifimanager
stop cvpi stop wifimanager
status cvpi status wifimanager
restart cvpi restart wifimanager
reset cvpi reset wifimanager
backup cvpi backup wifimanager
restore cvpi restore wifimanager </path/to/backup/file>
debug cvpi debug wifimanager

Note: The backup restore fails if the user running the restore command does not have access to the
path where the backup file is stored.
The restart command restarts the wifimanager service, whereas the reset command resets wifimanager
settings and data to factory default values. The debug command generates a debug bundle containing log
files and configuration files that can be used to troubleshoot issues.
The following table lists the operations you can perform on aware and the corresponding CVPI commands
used.

Table 7: Aware CVPI Commands

Operation CVPI Command

start cvpi start aware
stop cvpi stop aware
status cvpi status aware

82
 Getting Started (CVP)

5.6.1 Wifimanager Directories

CV-CUE stores its data in docker volumes that reside under the /data/wifimanager directory on the CV. The
following table lists the important wifimanager directories and the information they contain.

Table 8: Contents of wifimanager Directories

Directory on CV Contains
/data/wifimanager/log/glog Application logs
/data/wifimanager/data/conf Configuration files
/data/wifimanager/data/data System data files/directories
/data/wifimanager/data/instances Customer data files/directories
/data/wifimanager/data/pgsql_data Postgres data
/data/wifimanager/log/slog System logs
/data/wifimanager/backup On-demand backups

5.7 Wifimanager CLI Commands

The following table provides the list of wifimanager CLI commands and their descriptions.

83
 Table 9: Wifimanager CLI Commands

Command Description
db backup Backs up the database to the specified remote
server.

db clean Cleans up resources without disrupting services.

db restore Restores the database from a previous backup on a

remote server.
db reset Resets the database to factory defaults but maintains
network settings.
get cert Generates a self-signed certificate.
get openconfig mode Displays current OpenConfig mode.
get cors Displays the current status of CORS support.
get certreq Generates a Certificate Signing Request.
get db backup info Displays scheduled DB backup information.
get debug Creates a debug information tarball file. This file can
be used for debugging.
get debug verbose Creates a basic debug information tarball.
get debug ondemand Displays the debug information.
get device upgrade bundles Displays information about device upgrade bundles
available in the local repository.
get device repo config Displays configuration (Mode and Hostnames) for
repositories that store upgrade bundles and device
capability information.
get idle timeout Displays the current idle timeout value. A value of 0
indicates no timeout.
get integrity status Checks the integrity of critical server components.
get ha Displays High Availability (HA) Pair configuration and
service status.
get lldp Displays the LLDP configuration.
get remote logging Displays the remote logging configuration.
get log config Displays the logger configuration.
get log level gui Displays log levels of GUI modules.
get log level aruba Displays the log level of Aruba Mobility Controller
Adapter module.
get log level wlc Displays the log level of the Cisco WLC Adapter
module.
get log level msmcontroller Displays the log level of HP MSM Controller
Integration.
get msmcontroller cert Generates a self-signed certificate for HP Adapter.

84
 Getting Started (CVP)

Command Description
get msmcontroller certreq Generates a Certificate Signing Request for HP
Adapter.
get access address Shows access IP Address/Hostname of this server.
get server config Displays complete server configuration.
get server cert Uploads server certificate to a remote host.
get server check Runs a server consistency check and displays
results. If any fatal item fails, a failure result is
recorded.
get server tag Displays the custom tag set by the user.
get serverid Displays the server ID.
get sensor debug logs Uploads AP debug logs to the specified upload URL.
get sensor list Displays the list of APs.
get sensor reset button Displays the state of the AP's pinhole reset button.
get status Displays the status of server processes.
get ssh Displays the SSH server status.
get version Displays the version and build of all the server
components.
get packet capture Captures packets on Public and HA/Management
network interface(s).
set scan config Modify AP background scanning parameters.
set openconfig mode Enable/disable OpenConfig mode.
set cert Installs a signed SSL certificate.
set cors Enables or disables CORS support.
set dbserver Starts/stops database server.
set db backup info Sets scheduled DB backup information.
set device capability Updates the device capability information.
set device upgrade bundles Upload/delete device upgrade bundles in the local
repository.
set device repo config Sets configuration (Mode and Hostnames) for
repositories that store upgrade bundles and device
capability information.
set erase Configures the backspace key.
set ha dead time Changes the Dead Time of High Availability (HA)
service.
set ha link timeout Sets the timeout in seconds to signal Data Sync Link
failure.
set idle timeout <timeout-in-minutes> Sets the idle timeout for the command shell. A value
of 0 disables the idle timeout.

85
 Command
set lldp
set remote logging
set log config
set log level gui
set log level aruba
set log level wlc
set log level msmcontroller
set msmcontroller cert
set loginid case sensitivity
set server
set server discovery
set server tag
set access address
set serverid
set ssh
set communication passphrase
set communication key
set communication key default
set sensor legacy authentication
set sensor reset button
set smart device oui
set webserver
set wlc mapper
exit
ping <Hostname/IP Address>
reset locked gui
86
Description
Sets LLDP configuration.
Sets remote logging configuration.
Sets the configuration of the logger.
Sets log levels of GUI modules.
Sets the log level of Aruba Mobility Controller
Adapter Module.
Sets log level of Cisco WLC Adapter Module.
Sets log level of HP MSM Controller Integration.
Installs a signed SSL certificate for HP Adapter.
Toggles login ID case sensitivity.
Starts/stops application server.
Changes server discovery settings on given AP(s).
Configure a custom tag for files generated by this
server.
Sets access IP Address/Hostname of the server.
Sets server ID.
Starts/stops SSH access to the server.
Sets the communication passphrase used for
AP-server authentication and to encrypt the
communication between APs and the server.
Sets the communication key used for AP-server
authentication and to encrypt the communication
between APs and the server.
Resets the communication key used for AP-server
authentication and to encrypt the communication
between APs and the server.
This allows/disallows APs running on versions lower
than 6.2 to connect to the server.
Sets the state of the AP's pinhole reset button (select
AP models only).
Add, remove MAC OUI's for specific smart device
type IDs.
Starts/stops web server.
Manage Cisco WLC Custom Mapper file.
Exits the config shell session.
Ping a host.
Unlocks Graphical User Interface (GUI) account for
the "admin" user.

Command
reset password gui
upload db backup
application signature update
Getting Started (CVP)
Description
Sets Graphical User Interface (GUI) password for the
"admin" user to factory default value.
Uploads successful DB backup(s) to an external
server.
Updates app visibility signature.
87
88
 Chapter 6

General Customizations

CloudVision Portal (CVP) enables you to customize the grid columns of CVP graphical user interface (GUI)
pages. You can customize the grid columns of all CVP GUI grids.
CVP also enables you to easily paginate (navigate) through the pages of the grids of the GUI. The pagination
controls are available in all grids.
• Column Customization
• Pagination Controls

6.1 Column Customization

CloudVision Portal (CVP) enables you to customize the columns of the grids of CVP graphical user interface
(GUI) pages. You can customize columns of any grid of the CVP GUI.
You use the Columns Settings dialog to customize the columns of the active grid. You can open the
Columns Settings dialog by clicking the column customization icon, which is available of every page of the
GUI.
Figure 53: Configlet Management page

Complete these steps to customize grid columns.

1. Go to a page that has the grid you want to customize.

89
 2. Click the column customization icon.
Figure 54: Column Settings dialog

3. Use the arrow icons to rearrange the columns of the grid as needed.
4. Once you are done rearranging the grid columns, click OK to save the changes.

6.2 Pagination Controls

The pagination controls you use to navigate through the pages of grids are available for each grid. The
controls enable you to:
• Go to the previous page of the grid
• Go to the next page of the grid
• Go to the first page of the grid
• Go to the last page of the grid
• Go to directly to a specific page
Figure 55: Pagination controls of the CVP GUI grids

90
 Chapter 7

Device Management
CloudVision Portal (CVP) provides a powerful, event-driven, streaming analytics platform that enables you to
monitor the state of all devices currently managed by CVP.
By configuring devices to stream device-state data to CVP, you can manage all of the devices in your current
inventory of devices to gain valuable insights into the state of your devices, including real-time updates about
changes in device state.
The device inventory is comprised of all devices that you have imported into CVP. After a device is imported
into CVP, it can be configured and monitored using the various CVP modules.
• Requirements
• Limitations
• Features
• Telemetry Platform Components
• Supplementary Services: Splunk
• Architecture
• Accessing the Telemetry Browser Screen
• Viewing Devices
• Viewing Device Details
• Viewing Connected Endpoints
• Connectivity Monitor and CloudTracer
• Managing Tags
• Accessing Dashboards
• Topology View
• Accessing Events
• Events App
• Troubleshooting

7.1 Requirements
Make sure you review the software and hardware requirements for deploying and using the Telemetry
platform before you begin deploying the platform.
System Requirements
Note: If you upgraded from a previous version of CVP, you must verify that all of the CVP node VMs
on which you want to enable Telemetry have the required resources to use Telemetry. See Resource
Checks for details on how to check CVP node VM resources and perform any modifications needed to
increase the current CVP node VM resources.
Verify the clocks on the switches are synchronized to an NTP server.
• If a clock on a device is not synched to an NTP server on the switches and the clock difference between
CVP and the device is larger than 300 seconds, onboarding will fail.
• Streaming latency which must be less than 500ms as per our system requirements. Streaming latency
is the time difference between the TerminAttr agent receiving the state change on a device and the
notification being processed by the CloudVision Analytics backend after storage in NetDB. Without NTP
the relative streaming latency between devices streaming to CVP can exceed limits and state changes

91
 happening on different switches may appear to be incorrectly ordered within CVP. For more information
refer to: https://www.arista.com/en/cg-cv/cv-system-requirements

7.2 Limitations
The following table lists the current limitations of the Telemetry platform. Review the limitations to ensure you
do not inadvertently attempt configurations that exceed the limitations.

Table 10: CVP Telemetry Platform Limitations

Limitations
Maximum number of devices This represents the total number of devices currently configured to stream
Telemetry data.
Device-state data Streaming of LANZ data is not enabled by default. You must enable it on
devices.
Secret configuration If "enable secret" or "enable password" is configured, the secret must be
the same as the Cloudvision user's password.

7.3 Features
The list the current supported and unsupported Telemetry platform features are provided in the following
topics:

• Supported Features
• Unsupported Features

7.3.1 Supported Features

The CVP Telemetry Supported Features table lists the supported features. Review the supported features to
ensure you are aware of the features available to you to monitor devices using Telemetry data.

92

Table 11: CVP Telemetry Supported Features
Real-time monitoring of
devices
Instant state change updates
Full state change data
Analytics engine
Telemetry events
High performance database
Disk space protection
Data management
Device Management
Supported Feature
The Telemetry platform provides interfaces for viewing real-time updates
about changes in device state as well as events. You can also view
trends in device-state metrics and queries of historical device-state data.
Changes in the state of a device are instantly streamed to CVP.
All changes in device-state are captured and streamed to CVP for
viewing. Types of device-state include:
• All SysDB state (except state under /Sysdb/cell/*).
• All SMASH tables.
• Process and kernel data (for example, CPU and memory usage).
• System log messages
The Telemetry platform provides a robust analytics engine that
aggregates the streamed device-state data across devices, monitors
device state, and generates events to indicate issues. It also normalizes
data so it is easier for other applications to use.
Device-state and system environment event types are streamed to CVP:
• Informational (updates about changes in device state).
• Warning (for example, unsupported EOS version on a device)
• Errors (data discards or input errors on interfaces, and more).
• Critical (system environment issues such as overheating).
The Telemetry platform utilizes a high performance Hbase database to
store device-state data, including events. Data is stored in compressed
format without a loss of resolution.
• The data storage capacity is approximately:
• 43200 records worth of raw data per path
• 5 days of 10 second aggregated data
• 4 weeks of 60 second aggregated data
• 3 months worth of 15 minute aggregated data
To prevent telemetry data from consuming too much disk space in the
CVP cluster, the Telemetry platform automatically blocks the ingest
port for the entire cluster if disk usage exceeds 85% on any node of the
cluster.
Once the ingest port is blocked, it remains blocked until disk usage
drops below 80% on all nodes in the cluster.
To ensure that the most relevant data is given priority, the Telemetry
platform provides automated data management, including:
• Maximum time limit on stored device-state data (1 month).
• Current and the most recent device-state updates are always stored
(given priority over older state updates).
Periodic clean-up jobs are executed weekly (Saturday at 11:00 P.M.).
Old device-state data is purged.
93
 Command support Several commands are provided for:
• Checking status of the Telemetry components.
• Enabling and disabling of Telemetry platform components.
• Starting and stopping Telemetry components.
• Viewing the debug log for Telemetry components.
• Troubleshooting the Telemetry components, including checking to
see that logs are being created for the component.
• To display granular information on disk space usage of telemetry data
and delete telemetry data selectively.

7.3.2 Unsupported Features

The CVP Telemetry Unsupported Features table lists the unsupported features. Review the limitations to
ensure you do not inadvertently attempt to configure or use unsupported Telemetry features.

Table 12: CVP Telemetry Unsupported Features

Unsupported Feature
Streamed device-state data Flexroute is not supported.

7.4 Telemetry Platform Components

Arista's streaming Telemetry platform consists of a set of components, all of which are essential to the proper
operation of the platform.
The components of the Telemetry platform are:
• NetDB State Streaming Component
• CloudVision Analytics Engine Component
• REST and Websocket based APIs are available to programatically get data from the CloudVision Analytics
Engine. Contact your Arista Sales Engineer for more information.

7.4.1 NetDB State Streaming Component

The NetDB State Streaming component is an agent that runs on Arista switches. It is the Telemetry platform
component that streams device-state data from devices to the CloudVision Analytics Engine, which is the
back-end component of platform.

7.4.2 CloudVision Analytics Engine Component

The CloudVision Analytics Engine is the back-end component of the Telemetry platform. It is a set of
processes that run on CVP. Collectively, the processes perform the following operations:
• Receives all of the device-state data streamed by the NetDB State Streaming component from devices
that have been configured to stream device-state data.
• Runs automated data analysis on the device-state data received from the NetDB State Streaming
component. The analytics processes aggregate the device-state data across devices, monitor device
state, and generate events if something goes wrong. The processes also normalize data so it is easier for
other applications to use.
• Stores all of the streamed device-state data received from the NetDB State Streaming component, and
then makes the stored data available in CloudVision.

94
 Device Management

• Provides CloudVision Analytics Engine Viewer, which is referred to as the Aeris Browser. You use it to
directly view device-state data received from devices that have been configured to stream device-state
data. The Aeris Browser enables you to view raw device-state data.
• REST and Websocket based APIs are available to programatically get data from the CloudVision Analytics
Engine. Contact your Arista Sales Engineer for more information.

7.5 Supplementary Services: Splunk

For more information on the requirements for CVP to manage Splunk extensions on EOS devices, go to
https://www.arista.com/en/support/software-download and download the PDF from Extensions > Splunk >
AristaTelemetry.pdf.
Related topics:
• Requirement
• Installation
• Quick Start

7.5.1 Requirement
EOS 4.15.2 or later is required.

7.5.2 Installation
You can access the Splunk Telemetry App directly from CVP by completing the following steps. From your
browser.
1. Copy the RPM to and install it on the switch.

show extensions
Name Version/Release Status RPMs
2. Install the Splunk Universal Forwarder RPM on EOS.

copy <source>/splunkforwarder-6.1.4-233537.i386.rpm extension:

extension splunkforwarder-6.1.4-233537.i386.rpm
3. Install the AristaAppForSplunk on EOS.

copy <source>/AristaAppForSplunk-1.3.2.swix extension:

extension AristaAppForSplunk-1.3.2.swix

Note: Extensions must be installed on all supervisors.

Restart the SuperServer agent.

(config)# agent SuperServer shutdown

(config-mgmt-api-http-cmds)# no agent SuperServer shutdown
4. Verify the extensions are loaded.

show extensions
Name Version/Release Status RPMs
------------------------------------------ ------------------------- ---
AristaAppForSplunk-<version>.swix <version>/1.fc14 A, I 3
splunkforwarder-6.1.4-233537.i386.rpm 6.1.4/233537 A, I 1
EosSdk-1.7.0-4.15.2F.i686.rpm 1.7.0/2692966.gaevanseoss A, I 1
A: available | NA: not available | I: installed | NI: not installed | F: f

95
7.5.3 Quick Start
1. Use the configuration to enable forwarding to the Splunk indexer. This assumes that a username/
password and eAPI have been configured for the AristaAppForSplunk extension previously.

daemon SplunkForwarder
exec /usr/bin/SplunkAgent
no shutdown
2. Configure and turn on the desired indexes for data collection. The credentials must match 'username
<name> secret <passphrase>' configured on the switch.

option eapi_username value <username>

option eapi_password value 7 <encrypted-password>
option eapi_protocol value https
3. Turn on desired indexes for data collection.

option index-inventory value on

option index-interface-counters value on
option index-lanz value on
option index-topology value on
option index-syslog value on
option index-data value <index-name
4. Configure Splunk server IP and destination port.

option splunk-server value <Server-IP:Port>

5. Start Splunk data forwarding.

option shutdown value off

7.6 Architecture
Telemetry Platform Architecture shows the architecture of the Telemetry platform, including all of the platform
components and the data path of the streamed device-state data.
Figure 56: Telemetry Platform Architecture

96
 Device Management

7.7 Accessing the Telemetry Browser Screen

You can access the CloudVision Telemetry Browser screen directly from CVP by completing the following
steps. Open your browser.
1. Point your browser to the CVP IP address or hostname.
2. Login to CVP.
The CVP Home screen appears.
Figure 57: CVP Home Screen

3. Click the gear icon at the upper right corner of the screen.
Figure 58: Gear Icon

4. Click Telemetry Browser in the left pane.

97
 The system opens the Telemetry Browser screen that allows exploring the raw data stored in CVP
telemetry.
Figure 59: CloudVision Telemetry Browser Screen

7.8 Viewing Devices

You can quickly view information about devices that are currently configured to stream device-state data to
CVP. Starting with 2018.2.0, the inventory management screen is available under Devices in the CVP user
interface.
Related topics:
• Tiles View
• Tabular View

7.8.1 Tiles View

The tiles view allows search by device hostname, serial number, or EOS version. The screen updates to
show all of the devices currently configured to stream device-state data to CVP. For each device, the name
and the version of the EOS image are shown on the Devices screen.
Figure 60: Viewing Devices (View Showing all Devices)

98
 Device Management

7.8.2 Tabular View

The tabular view lists device status, model, software, TerminAttr agent, IP address, MAC address, and serial
number. You can search for devices based on device hostname, serial number, or EOS version.
Note: In the status column, hover the cursor over the following images for specified tasks:
• Check and exclamatory marks to view streaming status
• Bug image to view the count of available vulnerability updates
• Hourglass to view the End Of Life (EOL) status
An amber hourglass signifies that the end of life is within 6 months, a red hourglass signifies that
the End of Life has been reached.
Figure 61: Device Inventory

7.9 Viewing Device Details

From the Inventory screen, you can quickly drill down to view details about a particular device by clicking the
device icon. In the tabular view, click the device name to view the corresponding device details.

99
 The screen refreshes to show the device-state data streamed from the device to CVP.
Figure 62: Viewing Devices Details (Single Device)

Device details include the information on overview, system, compliance, environment, switching, routing, and
interfaces.
Related topics:
• Device Overview
• System Information
• Compliance
• Environment Details
• Switching Information
• Routing Information
• Status of Interfaces

100
 Device Management

7.9.1 Device Overview

The Device Overview section provides an overview of system details, telemetry status, and interface counts.
Click More to reach corresponding sections for detailed information.
Figure 63: Device Overview Section

The Historical Comparison sub-section provides the information on EOS version, 5-minute CPU load average,
MLAG status, IPv4 attached routes, IPV4 learned routes, configured BGP, IPv6 attached routes, IPV6 learned
routes, and MAC addresses learned.

101
 The system displays only Device Overview and System information for third-party devices.
Figure 64: Third-Party Device Overview

102
 Device Management

7.9.2 System Information

The System section provides an overview of device details, telemetry status, and PTP status.
Figure 65: System Section

Sub-sections provide information on processes, storage, log messages, hardware capacity, running config,
and snapshots.

7.9.3 Compliance
The Compliance section provides information on vulnerability to known bugs.
Figure 66: Compliance Section

103
7.9.4 Environment Details
The Environment section provides statistics on temperature, fan speeds, and output power.
Figure 67: Environment Section

7.9.5 Switching Information

The Switching section provides the count of VLANs in which MAC address learning is enabled, count of total
VLANs, count of configured VLANs, and detailed information on configured VLANs.
Figure 68: Switching Section

Sub-sections provide switching data like ARP table, NDP table, bridging capability, MAC address table,
MLAG, and VXLAN.

104
 Device Management

7.9.6 Routing Information

The Routing section provides statistics on IPV4 route count by type, IPv6 route count by type, and routing
statistics by VRF.
Figure 69: Routing Section

Sub-sections provide routing data like IPv4 and IPv6 routing tables, routing table changes, multicast data like
sparse mode PIM and static, and BGP information.

7.9.7 802.1X Metrics

802.1X information shows which endpoints have authenticated, are undergoing authentication, or have failed
to authenticate to the network. This information is available to view primarily from the 802.1X page in the
Devices application.

105
 Accessing 802.1X Metrics
To access 802.1X Metrics From the Inventory screen in the Devices tab, select a device. In the scrolling
menu on the left side of the page, select 801.X. The 801.X Metrics page is displayed.
Figure 70: 802.1X Metrics

The graphs display the total number of interfaces and the status of each.
The table lists all of the endpoints with additional information. The columns show the following:
• Identity: the MAC address of the endpoint. The username, if provided, is displayed in parenthesis.
• IP Address: the IP address of the endpoint.
• Interface: which interface the endpoint is on. Selecting the interface will display a table showing all of the
endpoints on that specific interface.
• Host Mode: the host mode of the endpoint (Single-Host, Multi-Host, Multi-Host Authenticated) with an
optional Mac-Based VLAN Assignment. Place the cursor over Mac-Based VLAN Assignment to display the
full name.
• Auth Status: the authentication status of the endpoint.
• Auth Mode: how the endpoint is authenticated.
• VLAN: the VLAN the endpoint is on.
• VLAN Type: the type of VLAN being used.

106
 Device Management

802.1X Dashboard View

802.1X metrics is also available from the Dashboard View. Refer to Dashboards for more information about
creating a dashboard.
Figure 71: 802.1X Dashboard View

7.9.8 Viewing Traffic Flows

CloudVision lets you analyze the network traffic routed through a single device or through all devices that
have flow tracking configured.
Note: Traffic flows return tunneled flows when the inner packet headers matches the user's query.

You can drill down into the details of global and device specific network flow activities using bar charts,
stacked time series graphs, and tables of usage statistics. See Accessing the Global Traffic Flows Screen
and Accessing the Device Specific Traffic Flows Screen.
Note: You can drill down the details of device specific network flow activities using heatmaps also.

To view the data on traffic flows, you must enable traffic flow tracking in devices to get data. See Enabling
Traffic Flow Tracking.

7.9.8.1 Enabling Traffic Flow Tracking

Enabling flow tracking on a device allows CloudVision to provide a detailed breakdown of the forwarded
network traffic. Traffic flow tracking is enabled through either of the following methods:
• Enable sFlow Sampling on a Device
• Enable Hardware Based IPFIX Flow Tracking

Enable sFlow Sampling on a Device

Arista switches provide a single sFlow agent instance that samples ingress traffic from all Ethernet and port
channel interfaces.

107
 Run the following commands to enable sFlow sampling on a device:

switch(config)#sflow sample <sampling rate>

switch(config)#sflow polling-interval <polling interval>
switch(config)#sflow destination 127.0.0.1
switch(config)#sflow source-interface <source interface>
switch(config)#sflow run

sFlow monitors a random sample of packets at the configured sampling rate. Reported bandwidth and packet
measurements are scaled up using the sampling rate to provide estimates of actual bandwidth usage and
packet counts.

Enable Hardware Based IPFIX Flow Tracking

Arista switches also allow exporting flow information using the IPFIX format.
Run the following commands to enable hardware based IPFIX flow tracking:

switch(config)#flow tracking hardware

switch(config)#!
switch(config)#tracker <tracker name>
switch(config)#record export on inactive timeout <inactive timeout>
switch(config)#record export on interval <interval>
switch(config)#record format ipfix standard timestamps counters
switch(config)#!
switch(config)#exporter <exporter name>
switch(config)#collector <loopback interface ip>
switch(config)#local interface <loopback interface>
switch(config)#template interval <interval>
switch(config)#no shutdown
switch(config)#exit
switch(config)#interface <interface>
switch(config)#flow tracker hardware <tracker name>
switch(config)#no shutdown

7.9.8.2 Accessing the Global Traffic Flows Screen

To view the global traffic flows screen, navigate to Devices > Traffic Flows on the CloudVision portal. This
screen displays information about traffic flows captured by all devices on the network with flow monitoring
enabled. See the figure below.
Figure 72: Global Traffic Flows Screen

108
 Device Management

Note: This screen may present multiple values reported by different devices for the same flow or flow
category.
Use the following search filters for customised presentation of the traffic flows data:
• Host filters
• Source Hosts
• Show autocomplete field - Provide hostnames, IP addresses, or subnets in CIDR notation of the
source host that needs to be displayed
• Hide autocomplete field - Provide hostnames, IP addresses, or subnets in CIDR notation of the
source host that needs to be concealed
• Destination Hosts
• Show autocomplete field - Provide hostnames, IP addresses, or subnets in CIDR notation of the
destination host that needs to be displayed
• Hide autocomplete field - Provide hostnames, IP addresses, or subnets in CIDR notation of the
destination host that needs to be concealed
• Bidirectional checkbox - Select the checkbox to view the traffic flows between specified hosts.
Note: When you select the Bidirectional checkbox, the Source Hosts and Destination Hosts
fields change to Hosts and To/From Hosts.
• Port filters
• Source Ports autocomplete field - Provide port numbers or service names of the source port
• Destination Ports autocomplete field - Provide port numbers or service names of the destination port
• Show/Hide dropdown - Select either Show or Hide to view or conceal the traffic flow data of specified
source and destination ports respectively.
• Bidirectional checkbox - Select the checkbox to view the traffic flows between specified ports.
Note: When you select the Bidirectional checkbox, the Source Ports and Destination Ports
fields change to Ports and To/From Ports.
• Protocol filter - Provide IP protocols of the required traffic flow data in the autocomplete field.
Select either Show or Hide to view or conceal the traffic flow data of specified protocols respectively.
• More filters
• Locality - Select Public and Private checkboxes to view traffic flows of corresponding networks
• Fragmentation checkbox - Selecting the checkbox displays only flows with fragmented packets
• Clear all filters - Clears all specified filters
• Top dropdown menu - As per your selection, the top n items are displayed for each break down.
• by dropdown menu - Select the required method to measure traffic.
The global traffic flows dashboard provides the following display types for analyzing the flow data in different
ways:
• Charts View
• Summary Table View
• Flow Records View
Note:
• Click the View in Topology link to see the data from the perspective of the topology flows view.
• The refresh icon provides countdown in seconds for refreshing the traffic flow data. The data in live
mode gets updated every 30 seconds.

109
Charts View
The Charts display option presents the summary of global traffic flows in charts. The traffic flow data is
arranged based on the breakdown selected from the dropdown list. See the figure below.
Figure 73: Global Traffic Flow Summary in Charts

Bar charts represent the device specific traffic flows over the selected time period. The bar length represents
the traffic flow of a device with highest usage.
Note:
• Click on a bar in the bar chart in the stacked graph to set the clicked-on item as a filter wherever it
is possible. For example, hosts or ports of source and destination.
• Hover the cursor on the dot in a bar to find the observing device.

Summary Table View

The Summary Table display option presents the summary of global traffic flows in a tabular format. See the
figure below.
Figure 74: Global Traffic Flow Summary in Table

110
 Device Management

The traffic flow data is grouped based on the selected breakdowns. If multiple options are selected in the
Group By field, the table displays a summary of usage statistics that is broken down according to the
selected criteria. The summary can be sorted by bytes, packets, or flows in descending order.
Note: Click on a device name to view the traffic flows for the respective device.

Flow Records View

The Flow Records display option presents the record of all traffic flows in a tabular format. See the figure
below.
Figure 75: Global Traffic Flow Record

Note: Click on a device name to view the traffic flows for the respective device.

7.9.8.3 Accessing the Device Specific Traffic Flows Screen

On the CloudVision portal, navigate to Devices > Inventory > Device_Name > Traffic Flows to view the
Traffic Flows screen. See the figure below.
Figure 76: Inband Telemetry

111
 This screen displays the summary of flows, bandwidth, packets, active hosts, and sampling rate. Provide the
following details to view custom information of traffic flows:
• Inband Telemetry Data
• Flow tracking (sFlow or IPFIX)
• Inband telemetry
• Host filters
• Source Hosts
• Show autocomplete field - Provide hostnames, IP addresses, or subnets in CIDR notation of the
source host that needs to be displayed
• Hide autocomplete field - Provide hostnames, IP addresses, or subnets in CIDR notation of the
source host that needs to be concealed
• Destination Hosts
• Show autocomplete field - Provide hostnames, IP addresses, or subnets in CIDR notation of the
destination host that needs to be displayed
• Hide autocomplete field - Provide hostnames, IP addresses, or subnets in CIDR notation of the
destination host that needs to be concealed
• Port filters
• Source Ports autocomplete field - Provide port numbers or service names of the source port
• Destination Ports autocomplete field - Provide port numbers or service names of the destination port
• Show/Hide dropdown - Select either Show or Hide to view or conceal the traffic flow data of specified
source and destination ports respectively.
• Protocol filter - Provide IP protocols of the required traffic flow data in the autocomplete field.
Select either Show or Hide to view or conceal the traffic flow data of specified protocols respectively
• Interface filters
• Show autocomplete field - Select the interfaces of which the traffic flow needs to be displayed
• Hide autocomplete field - Select the interfaces of which the traffic flow needs to be concealed
• More filters
• Locality - Select Public and Private checkboxes to view traffic flows of corresponding networks
• Fragmentation checkbox - Selecting the checkbox displays only flows with fragmented packets
• Clear all filters - Clears all specified filters
• Top dropdown menu - As per your selection, the top n items are displayed for each break down.
• by dropdown menu - Select the required method to measure traffic.
The device specific traffic flows dashboard provides the following display types for analyzing the flow data in
different ways:
• Figure 78: Device Specific Traffic Flow Summary in Charts
• Heatmap View
• Summary Table View
• Flow Records View
Note:
• Click the View in Topology link to see the data from the perspective of the topology flows view.
• The refresh icon provides countdown in seconds for refreshing the traffic flow data. The data in live
mode gets updated every 30 seconds.

112
 Device Management

Charts View
The Charts display option presents the summary of device specific traffic flows in charts. The traffic flow data
is arranged based on the breakdown selected from the dropdown list. See the figure below.
Figure 77: Device Specific Traffic Flow Summary in Charts

The following information is provided for each break down:

• Bar charts that display the total usage over the time period for items
Note: Clicking on a bar in the bar chart or a time series in the stacked graph sets the clicked-on
item as a filter wherever it is possible. For example, hosts or ports of source and destination.
• Stacked time series graphs that provide the following information:
• The rate of usage vs. time
Note: This information is provided only when the Sort By option is either Bandwidth (bytes) or
Packets.
• The number of flows active vs. time
Note: This information is provided only when the Sort By option is Flow Count.

113
Charts View
The Charts display option presents the summary of device specific traffic flows in charts. The traffic flow data
is arranged based on the breakdown selected from the dropdown list. See the figure below.
Figure 78: Device Specific Traffic Flow Summary in Charts

The following information is provided for each break down:

• Bar charts that display the total usage over the time period for items
Note: Clicking on a bar in the bar chart or a time series in the stacked graph sets the clicked-on
item as a filter wherever it is possible. For example, hosts or ports of source and destination.
• Stacked time series graphs that provide the following information:
• The rate of usage vs. time
Note: This information is provided only when the Sort By option is either Bandwidth (bytes) or
Packets.
• The number of flows active vs. time
Note: This information is provided only when the Sort By option is Flow Count.

114
 Device Management

Heatmap View
The Heatmap display option presents the summary of device specific traffic flows in a heatmap. See the
figure below.
Figure 79: Device Specific Traffic Flow Summary in Heatmap

The heatmap plots two breakdowns against each other. For example, the user selects top 20 source hosts
vs. top 20 destination hosts. The system displays the top 20 destination hosts that communicated with any of
those top 20 source hosts.
Each pairing of source host and destination host is shown as a cell in the grid. Cells are displayed in various
shades of green based on their usage. The higher the usage, the darker the green shade.
Note: The system displays an empty cell if there is no usage.

Summary Table View

The Summary Table display option presents the summary of device specific traffic flows in a table. See the
figure below.
Figure 80: Device Specific Traffic Flow Summary in Table

115
 The traffic flow data is grouped based on the selected breakdowns. If multiple options are selected in the
Group By field, the table displays a summary of usage statistics that is broken down according to the
selected criteria. The summary can be sorted by bytes, packets, or flows in descending order.

Flow Records View

The Flow Records display option presents the record of device specific traffic flows in a tabular format. See
the figure below.
When viewing individual flow records, the path of a flow, complete with ingress and egress interfaces, TTLs
and latencies for each hop, can be inspected using the Hops column.
Figure 81: Flow Records View

Note: Filters and fields related to packet fragmentation, tunnelling, and user identity are not available
for inband telemetry data.

7.9.9 Address Search

Address Search supports searching MAC addresses, IP addresses of all formats, device IDs, and hostnames
of inventory devices.
The Address Search page can be found in the primary Devices view on the sidebar. Navigating to it will open
the Address Search page.
Figure 82: Address Search Page

116
 Device Management

Enter the search information and press Enter to view the search results.
Figure 83: Address Search Results

There are two tabs available in the search results view.

• Network Location is the default view. This view displays detailed information from the MAC, ARP, and
LLDP Tables.
• Flow Visibility view displays the traffic that is being sent and received by all IP addresses associated with
the search result.

117
7.9.10 Status of Interfaces
The Interfaces section provides status of Ethernet interfaces, VLAN interfaces, IP interfaces, and port
channels.
Figure 84: Interfaces Section

Sub-sections provide detailed information on Ethernet interfaces, routed ports, port channels, traffic counters,
LLDP neighbors, and Power Over Ethernet.

7.9.10.1 Power Over Ethernet

Power Over Ethernet (PoE) is a technology for delivering electrical power along with network data over
physical Ethernet connections. Some benefits of PoE are provided below:
• Reduces the need of extension cables and additional outlets
• Provides a reliable power source on difficult terrain
• Prevents data transmission hiccups
• Substantial reductions in space usage, cost, and time

118
 Device Management

In CloudVision, the Power Over Ethernet screen provides a summary of all interfaces along with information
on each interface.
Figure 85: Power Over Ethernet Screen

The Power Over Ethernet screen displays the following information:

• Summary of All Interfaces
• Total Approved Power - Sum of the approved maximum power amounts configured for each Ethernet
port
• Total Granted Power - Sum of the approved power amounts minus power loss to transmission over
Ethernet cables
• Total Output Power - Sum of actual power amounts delivered to each powered Ethernet device
• Information on Individual Interfaces
• Interface - Interface name
• Port Class - Maximum power in watts (W)
• Port State - Operational status of a PoE device connected to the port
• Approved Power - Configured maximum power output in watts (W) for the interface
• Granted Power - Maximum power available to the device
• Output Power - Power drawn by the device
• Output Current - Current available on the PoE link in milliamps (mA)
• Output Voltage - Voltage available over the PoE link in volts (V)
Note: PoE metrics are also available in the Metrics Explorer and can be built into custom metrics
dashboards. Data on individual interfaces is available under the Interfaces metric type.

119
7.10 Viewing Connected Endpoints
Connected Endpoints are identified by DHCP collector. By default, the DHCP collector is enabled in
TerminAttr. You must enable it on VLANs where you would like to identify connected endpoints. See Enabling
DHCP Collector.
Once it is enabled, the Connected Endpoints summary screen provides information on all connected
endpoints. See Accessing the Connected Endpoints Summary Screen.

Enabling DHCP Collector

As of TerminAttr v.1.6.0, the ECO DHCP Collector is enabled by default and listens on 127.0.0.1:67 for UDP
traffic. Add 127.0.0.1 as an IP helper address on VLANs to capture device identification.

switch(config)# interface vlan100

switch(config-if-Vl100)# ip helper-address dhcp_server_address
switch(config-if-Vl100)# ip helper-address 127.0.0.1
switch(config-if-Vl100)# exit
switch(config)# ip dhcp snooping
switch(config)# ip dhcp snooping information option
switch(config)# ip dhcp snooping vlan 100

Accessing the Connected Endpoints Summary Screen

On the CloudVision portal, navigate to Devices > Connected Endpoints to view the Connected Endpoints
Summary screen.This screen provides the classified summary of all endpoints along with the detailed
information of each endpoint. See the figure below.
Figure 86: Connected Endpoints Summary Screen

Note: To reset to all endpoints, click the refresh icon (next to selected endpoint in breadcrumbs) that
is displayed after selecting a particular endpoint.
This screen provides the following functionalities:
• Classification drop-down menu - Click and select the required classification.
• Endpoints Counts by Type pane - This pane provides a summary of the selected classification through the
following groups:

120
 Device Management

• Legend - Hover the cursor on Legend to view color classifications used for various categories.
• Sunburst graph - Provides the summarized view of all endpoints in various categories, hierarchies, and
counts.
Note: Clicking on a category sets the appropriate category as the new active classification.

• Classification - Displays selected classification in bread crumbs

Note: Clicking a breadcrumb link sets the appropriate classification as the new active
classification.
• Sub-Types (Optional) - Displays the count of sub-types under classification
Note: Clicking a sub-type link sets the appropriate sub-type as the new active classification

• All selected classification Endpoints pane - This pane provides the specified information of each endpoint
in selected classification under the following categories:
• Device Type
• Device Name
• MAC Address
• Last Seen

7.11 Connectivity Monitor and CloudTracer

The Connectivity Monitor includes Cloud Tracer to monitor metrics streamed from EOS devices. This section
includes:
• Accessing the CloudTracer Screen
• CloudTracer Latency Anomaly Events
• Connectivity Monitor with VRF Support

121
7.11.1 Accessing the Connectivity Monitor and CloudTracer Screen
To view data metrics, open to the Connectivity Monitor and CloudTracer by selecting the Devices tab and
selcting Connectivity Monitor from the left-side menu bar.
Figure 87: CloudTracer Screen

Figure 88: Connectivity Monitor and CloudTracer Screen

This screen is divided into the following two panels:

• Right Panel of the CloudTracer Screen
• Left Panel of the CloudTracer Screen

7.11.1.1 Right Panel of the CloudTracer Screen

This panel provides the following metric options:
• Metric pane - Click any of the following entities to view the corresponding current metric for n connections
where n is the count of selected devices and hosts:
• HTTP Response Time
• Jitter
• Latency
• Packet Loss
• Connections pane
• Device or host search string - Type the device or host name for a quick search
• Configured devices - Select the required devices and hosts to view corresponding metrics

7.11.1.2 Left Panel of the CloudTracer Screen

This panel displays metrics of selected options in the following ways:
• Current information of the selected metric type from selected devices and hosts

122
 Device Management

Note: Metrics are streamed whenever data is gathered on EOS switches. The default interval to
query metrics data is five seconds.
• Click on a metric to view detailed information.
• Double click on a metric to view a graph of a selected metric. From the graph you can select to view:
• Metric History
• Data Table
• Data Paths
• Statistics
• Related Metrics

7.11.2 Connectivity Monitor with VRF Support

Connectivity Monitor with VRF support allows you to configure multiple VRFs for each host and multiple
source interfaces within each host on each device.

Enabling Connectivity Monitor with VRF Support

To enable Connectivity Monitor with VRF support, the feature must be enabled from the Settings page.
1. Select the Setting icon to open the General Settings page.
2. Select the toggle for Connectivity Monitor VRFs and Interfaces (Beta).

123
 Viewing Connectivity Monitor with VRF Support
To view Connectivity Monitor with VRF Support, select Connectivity Monitor from the Devices tab.
Figure 89: Viewing VRF Results in Connectivity Monitor

You can select individual host/VRF/interface combinations to view latency/jitter etc. information for just the
selection. Selection options include:
• Selecting the checkbox next to a VRF name will select all source interfaces on the VRF.
• Selecting the checkbox next to the name of the host will select all VRFs and all source interfaces within
each VRF.
• Selecting the checkbox next to the device name will select every host configuration available on the
device.

124
 Device Management

7.12 Managing Tags

On the CloudVision portal, navigate to Provisioning > Tags to view the Tags Management screen. See the
figure below.
Figure 90: Tags Management Screen

This screen provides the following functionalities:

• Search device or tags field under the Devices column - Type either the required device name, tags
category, or tag name for a quick search of devices and tags.
• Search device, interface, or tags field under the Interface column - Type either the required device
name, tags category, tag name, or interface name for a quick search of device, interface, or tags.
• Select All checkbox - Select the checkbox to choose all devices simultaneously.
• Edit tags button - Click to delete unassigned tags. See Deleting Unassigned Tags.

7.12.1 Creating and Assigning Tags

Perform the following steps to create and assign a tag to a device:
1. On CVP, click Provisioning > Tags.
The system displays the tags screen.
2. On the Device pane, select device(s) to which you want to create and assign a tag.

125
 The system opens the Assigned tags pane. See the figure below.
Figure 91: Create and Assign

Note:
• Optionally, use the search bar for searching required devices.
• To manage interface tags, click the Interface tab and perform required tasks.
3. Type the new tag in the search field under User Tags > Add or create tags > Type the label then the
value separated by a colon.
Note:
• Tags should be of the form <label>: <value>. For example, owner: Bill.
• The System Tags pane displays tags that are automatically created and assigned by the
system.
4. Click Create and Assign.
Note: If you had selected multiple devices, the new tag will be simultaneously assigned to all
selected devices.
The new tag is displayed under Manage assigned tags.

7.12.2 Deleting Assigned Tags

Perform the following steps to delete an assigned tag:
1. On CVP, click Provisioning > Tags.
The system displays the tags screen.
2. On the Device pane, select the device(s) which is associated with the tag that needs to be removed.

126
 Device Management

The system displays all tags assiged to the selected device(s) under Manage assigned tags.
Figure 92: Associated with Selected Devices

Note:
• Optionally, use the search bar for searching required devices or tags.
• Hovering the cursor on the number next to the tag name, lists the devices to which the current
tag is assigned.
3. Click the tag that needs to be removed.
The system displays plus and minus signs when the tag is clicked.
4. Click the minus sign to delete the selected tag.
5. Click Save Edits.

7.12.3 Adding Tags to Multiple Devices

Perform the following steps to add a tag to multiple devices simultaneously:
1. On the main pane of the tags screen, select the device to which the tag has already been assigned to; and
new devices to which the tag needs to be assigned.
Under Manage Assigned Tags on the right pane, CVP lists tags that are assigned to selected devices.

127
 Note: Hovering the cursor on the number next to the tag name, lists the devices to which the
current tag is assigned. See the figure below.
Figure 93: Tag Assigned to Multiple Devices

2. Click the desired tag.

The system pops up plus and minus signs beneath the tag.
3. Click the plus sign to add this tag to all selected devices.
4. Click Save Edits.

7.12.4 Removing Tags from Multiple Devices

Perform the following steps to remove a tag from multiple device simultaneously:
1. On the main pane of the tags screen, select devices that are assigned with the tag that needs to be
removed.
Note: Alternatively, search the tag that needs to be removed. CVP lists all devices to which the tag
is assigned to. To remove the tag from few devices, select only devices from which the tag needs
to be removed. If you select all devices, the tag will be removed from all devices.
Under Manage Assigned Tags on the right pane, the system lists tags that are assigned to selected
devices.
2. Click the tag that needs to be removed.

128
 Device Management

The system pops up plus and minus signs beneath the tag. See the figure below.
Figure 94: Remove Tag from Multiple Devices

3. Click the minus sign to remove the tag from all selected devices.
4. Click Save edits.

129
7.12.5 Deleting Unassigned Tags
Perform the following steps to manage unassigned tags:
1. On CVP, click Provisioning > Tags.
The system displays the tags screen.
2. On the main pane of the tags screen, click Edit tags.
The system lists all unassigned tags.
3. Click the tag that needs to be removed.
The clicked tag turns to red.
Figure 95: Delete Unassigned Tags

4. Click Delete.
The system deletes the tag from CVP.

130
 Device Management

7.13 Accessing Dashboards

The Dashboards application allows you to create customizable dashboards consisting of multiple metrics
across various datasets in different views. You can quickly resize and drag widgets on the grid to
accommodate various custom layouts views. Data gathered from devices configured for streaming telemetry
data to CVP.
• Dashboard Manager
• Editing and Creating Dashboards

7.13.1 Dashboard Manager

Dashboards Manager is where you are presented with the list of available dashboards. This screen can be
viewed in either a grid or table format.
Figure 96: Dashboard Manager

Each dashboard on the grid provides the dashboard name, description, and an approximate layout of the
dashboard. To perform actions on any of the dashboards, select one or more dashboards by selecting the
checkbox associated with each dashboard.

131
 Figure 97: Dashboard Actions Menu

7.13.2 Editing and Creating Dashboards

Creating a Dashboard
Perform the following steps to create a dashboard.
1. Select New Dashboard from the Dashboard Manager page.
2. Select one or more widgets to display information.
Figure 98: Dashboard Widgets

3. Select the widget in the main screen to configure and label the widget.
4. Enter a title and description of the new dashboard.
5. Select Save Changes to save the new dashboard.

Editing a Dashboard
Perform the following steps to edit a dashboard. Dashboard widgets can be added, removed, or configured
while in editing mode.
1. Select a dashboard to display from the Dashboard Manager page.

132
 Device Management

2. Select Edit Dashboard from the Dashboard Manager page.

Figure 99: Editing a Dashboard

3. Select a currently displayed widget in the main screen to edit or configure as needed.
4. To add a new widget, select from widgets tab.
5. To change the inputs, select the Inputs tab to configure as needed.
6. Select the pencil icons to edit the dashboard title and description.
7. Select Save Changes to save the changes.

7.13.3 Syslog Panel

The Syslog panel is a dashboard element that allows to you view log messages for the devices both in real-
time or a selected timeframe.

7.13.3.1 Creating a Syslog Panel

1. Create a new dashboard or edit an existing dashboard.

2. On the sidebar, select the Summaries category and select the Syslog panel .

7.13.3.2 Configuring a Syslog Panel

Follow this procedure to Filter log messages by tags (Optional). A single tag filter input is associated with one
tag. This can be a single device, or it could include many devices that grouped within a single tag.
1. On the sidebar, select Input category, and select Single Tag Filter.
2. Click on the ellipsis of the input and select Configure.
3. On the Settings Drawer, define a name for the input (Optional).
4. Select device input type.
5. Choose the tag label.
6. Close the settings drawer.
7. Click on the input to select its specific value. Select a tag value from the dropdown.
8. Click on the ellipsis of the Syslog panel and select Configure.
9. On the Settings Drawer, click on the Dashboard Inputs field to select the name of the single tag filter.
10. Close the settings drawer.
Log messages in the syslog panel will be now filtered by the specified tag.

133
7.13.4 Dashboards with Custom Query Language widget
The AQL panel is a dashboard element that allows you to create custom data displays using the CloudVision
Advanced Query Language (AQL). This gives you complete control over what data the panel displays
and how it displays it. You define the inputs and write the AQL query that feeds data to the panel. Further
customization is available through creating a color mapping for the panel’s display, defining units, and decimal
places among other options. You can create custom dashboards with AQL panels that are acutely relevant to
your organization.
There are three elements:
• Inputs: These are used by the AQL query to feed data to the AQL panel AQL
• Panel: This is the display item within your dashboard and which uses the AQL query and any inputs to
render a display AQL
• Panel Visualization: The AQL panel has five ways to display the data fed to it (Table, Single Value, Bar
Graph, Line Graph, and Donut), which each requires that the AQL query be formatted in a particular way.
Each visualization can be further customized to change how it displays its data
The AQL panel is currently in beta and needs to be enabled as a setting. To enable the AQL panel, go to
General Settings and turn on the toggle Beta Widgets under Features.
The Arista Support page titled Dashboards with Custom Query Language widget provides detailed
configuration instructions and a tutorial about CloudVision Advanced Query Language (AQL).

7.13.5 Dashboard Preview

You can preview dashboards from the main dashboards screen. A windowed version of the selected
dashboard can be viewed.
Preview any dashboard by accessing Dashboards and hover over the preview symbol to see a preview of a
dashboard. In the preview, you can hover over relevant information to obtain details. Select any part of the
preview to close the preview and load that dashboard.

7.14 Topology View

You can view the network hierarchy for the devices and subnetwork in real-time. The topology view is
available for devices running on LLDP including Arista switches and connected neighbors.
Related topics:
• Setup
• Overlays
• Custom Topology Views
• Changing the Node Type
• Nodes and Features

7.14.1 Setup
You can customize the topology by completing the following steps.
1. Click the Topology tab to view your network.
2. To enter layout hints, click on a device in the topology view and then click on the layout tab.

134
 Device Management

Following example shows the detail of a device.

Figure 100: CVP Detail Layout

7.14.2 Overlays
You can superimpose link-level metrics overlay onto the network topology. Use the Layers Panel to view
these overlays and color-codes based on the severity of that metric. Following are the overlays supported in
this release.
The following table lists the Overlays supported in this release.

135
 Table 13: Supported Overlays

Overlay Description
Bandwidth Utilization Shows the bitrate as a percentage of the speed of the link. It uses the
maximum bitrate in either direction on the link, averaged out over a one-
minute window. Light green indicates a small percent of the link is being used,
while darker greens indicate higher usage. Beyond 80% utilization, the links
show up in yellow or red.
Traffic Throughput Shows the bitrate of a link as an absolute number. Darker blues indicate
higher utilization.
Error Rates Show if either end of a link is registering input or output errors (for example,
CRC Errors). It uses a one-minute window, and displays severity in
increasingly dark reds.
Discard Rates Indicate that a link is dropping packets, likely due to congestion. Links
discarding more packets in a one-minute window are shown in darker red.
None Turns off all colors.

7.14.3 Custom Topology Views

From the Topology tab, you can perform the following steps to customize a view:

136
 Device Management

1. To move a rack to a different pod use the Pod field. For example, the switch called cv-demo-sw3 is set to
be in a pod 1.
Figure 101: User Layout Hints

137
 2. To setup the pod or rack names, apply a layout hint for switch with alternate name or pod hint for the spine
switch to rename the pod. Following example shows the top-of-rack switch cv-demo-sw3 default name
change via the rack layout hint.
Figure 102: Device Details in Layout

7.14.4 Changing the Node Type

The following table lists the node types supported by the Topology view.

138
 Device Management

Table 14: Supported Node Type

Node Type Description

Edge Device The device is an edge device, for example, leading to the
Internet or another network, or a similar function device.
Core Switch The device is at the core level switch (above spines) or similar
function device.
Spine Switch The device is a pod level (spine or aggregation) switch or
similar function device.
Leaf Switch The device is a top of rack switch or similar function device.
Endpoint Device The device is a server or similar endpoint device.

Setting the Node Type layout hint gives the Topology view of the type of device selected. Selecting skip
auto-generating forces the auto tagger to ignore the device and not assign or modify any of the hints.
Figure 103: Changing Node Type

7.14.5 Nodes and Features

Nodes are arranged in clusters. To expand a cluster, click on the representative Cluster-node. To collapse a
cluster, click on the minus (-) icon.
You can select various overlays on the graph for color coding links.
To see details about a node and its neighbors, click on the Node. You can also see the immediate neighbors
of the device and the metrics related to particular physical links between devices by clicking Neighbors List.

7.15 Accessing Events

You can access the following events screens:
• Events Summary Screen
• Event Details Screen
Related topics:
• Events Summary Screen
• Event Details Screen
• Configuring Event Generations
• Managing Events
• Disabling All Events of the Selected Type
• Disabling All Events of the Selected Type with Exceptions
• Acknowledging Events
• Configuring Notifications

139
 • Configuring Status
• Configuring Platforms
• Configuring Receivers
• Configuring Rules

7.15.1 Events Summary Screen

The events summary screen displays all events, and configures alerts and event generation. To view this
screen, click Events on the CloudVision portal. The figure below displays the events summary screen.
Figure 104: Events Summary Screen

The Events screen provides the following information and functionalities:

• Click the Event Generation button to configure generating new events. Refer to Configuring Event
Generations.
• Click the Notifications button to configure notifications. Refer to Configuring Notifications
• Left Pane
• Event Chart and Summary Tables tabs
• The Event Chart tab displays the bar graphs of all events.
Note: Hover the cursor over the different segments of the bar graph to view the count of
severity events.

140
 Device Management

• The Summary Tables tab displays Most Active Devices and Most Active Event Types in tabular
formats. See the figure below.
Figure 105: Event Summary Screen - Summary Tables

Note: The severity levels include critical, error, warning, and info.

• The Time Range dropdown menu to select the time span of events.
• The Acknowledge button to acknowledges selected events.
• The Un-Acknowledge button to renounce selected events.
• A list of all events with selection checkboxes in a tabular format.
• Click the Export Table to CSV button to download the table in csv format to your local drive.
• Right Pane
• The Reset Filters button to clear all filtering options.
• The Current Time date picker to select the event start date.
• Search field based on Title or Description and dropdown menus based on Event Type, Device,
Acknowlegement State, and Active State.
• Buttons to perform a search based on severity levels (Info, Warning, Error, and Critical)

141
7.15.2 Event Details Screen
An event details screen displays appropriate event details, acknowledges the event, and configures event
generation. To view this screen, click one of the events listed on the Events screen.
Figure 106: Event Details Screen

This screen provides the following information and functionalities in the right pane:
• Left arrow to return to the events summary screen
• Click the Event Generation button to configure generating new events. Refer to Configuring Event
Generations.
• Click the Notifications button to configure notifications. Refer to Configuring Notifications
• Displays the event description
• Time when event details were captured

142
 Device Management

• Hover the cursor on the event name. The system displays a popup window with event details.
Figure 107: Event Name Popup Window

The popup window provides the following options:

• Click View Events to view search results with the same event name.
Figure 108: Search Results with the Same Event Name

• Click Compare Metrics to navigate to the Explorer tab in Metrics app.

143
 • Hover the cursor on the event name. The system displays a popup window with device details in that
location.
Figure 109: Location Name Popup Window

The popup window provides the following options:

• Click View Events to view search results with the same location name.
Figure 110: Search Results with the Same Location Name

• Click Compare Metrics to navigate to the Explorer tab under Metrics.

• The Acknowledge button to acknowledge the appropriate event.
• The Configure Event Generation button to configure the generation of appropriate event.
• Metric details of the event

144
 Device Management

• A chronological history of all errors (shown at the bottom of the screen)

7.15.3 Configuring Event Generations

Configure rules and conditions to customize event generation.
Perform the following steps to configure the settings for generating events:
1. On the CloudVision portal, click the Events tab. The system displays the Events screen.
2. Click Configure Event Generation at the upper right corner of the Events section. The system displays
the Generation Configuration screen with all configurable events listed in the left pane.
Figure 111: Generation Configuration Screen

Note: Alternatively, you can go to an event details screen and click Configure Event Generation
to configure rules for generating events.
3. Click the required event in the left pane.

145
 4. Click Add Rule in the lower end of right pane. A new Condition pane is displayed on the screen.
Figure 112: Add Rule Pane in Generation Configuration

5. In the Condition pane, click on the search field. The system displays the list of configured devices tags.
Figure 113: List of Configured Device Tags

Note: Alternatively, you can type the required device tag in the search field for a quick search.

6. Select preferred devices tags from the displayed list.

Note: After you have selected the device, the system displays the count of matched devices. The
rule is applicable to all devices when you do not select any device tag.
7. Click on the Interfaces search field (available only for interface events).

146
 Device Management

The system displays the list of configured interface tags..

Figure 114: List of Configured Interface Tags

8. Select preferred interface tags from the displayed list.

Note: After you have selected an interface tag, the system displays the count of matching
interfaces. The rule is applicable to all interfaces when you do not select any interface tag.
9. Provide the following criteria required to generate events:
• Severity - Select the severity type from the drop-down menu. Options include Info, Warning, Critical,
and Error.
• Threshold (applicable only to threshold events) - Type the threshold value.
• Raise Time - Type the preferred wait time (seconds) to create an event after reaching the threshold
limit.
• Clear Time - Type the precise time (seconds) to delete an event after the current value goes below the
threshold limit.
Note: Select the Stop generating events and checking rules checkbox if you do not want to apply
further rules for selected tags. If no tags are selected, further rules are not applicable to any device.
10. Click Move up if you prefer to move this rule up in the priority list.
Note: Rules are processed sequentially. The default rule is applied only when an event does not
match any other rules. Click Delete rule to delete the corresponding rule. Click Move down in
configured rules to move the corresponding rule down in the priority list.
11. Click Save in the left pane.
Note: Click View Configuration Differences in the lower left pane to view differences in event
configurations.

7.15.3.1 Anomaly in Connectivity Monitor Latency

From the Events tab, select Anomaly in Connectivity Monitor Latency to configure event generation for
latency events between devices and configured hosts. The events are designed to alert the user when the
latency between a device and a configured host is outside of recent historical bounds.

147
 Figure 115: Anomaly Event View is a sample event view for one of these events between the device with
hostname `Oslo` and the cloudtracer host endpoint `www.bbc.co.uk`.
Figure 115: Anomaly Event View

Figure 116: Anomaly Event View Overlay explains various stages of this event.
Figure 116: Anomaly Event View Overlay

Prior to this event in Figure 116: Anomaly Event View Overlay, the latency metric (green line in upper graph)
is stable with minimal deviations. The historical bounds (blue shaded region) that determine when the metric
is in a normal state has a small range with both the upper and lower bounds near the historical mean (dark
blue line). The historical bounds are computed by adding and subtracting a fixed multiple of the current
latency standard deviation to the current mean.
The anomaly score starts to increase from zero when the latency value strays outside of the historical
bounds. The latency values that are outside the bounds are highlighted in red. The anomaly score is the total
number of standard deviations outside the historical bounds. The anomaly score is the positive cumulative
sum of the number of standard deviations outside of the historical bounds. For example, if the bounds
are set as 3 standard deviations outside of the mean and we get a value of the latency that is 5 times the
standard deviation away from the mean, the anomaly score will increase by 2. If the next latency value was
1.5 times the standard deviation outside of then mean then we would subtract 1.5 from the anomaly score.

148
 Device Management

The anomaly score therefore keeps track of the cumulative deviation of the latency outside of the historical
bounds. It is bounded below by zero.
Figure 117: Anomaly Score Computation provides a detailed explanation on computing the anomaly score.
Figure 117: Anomaly Score Computation

The event is generated when the anomaly score exceeds a threshold for a set period of time.
Note: You can configure the threshold and time duration in the event configuration rules.

The anomaly score starts to decrease when the latency values are inside the historical bounds. The historical
bounds have increased based on recent deviations in latency which makes the system less sensitive than
prior to the event. The event ends when the anomaly score is below the threshold for a set period of time.

149
 Figure 118: Decreasing of Anomaly Score provides a detailed explanation of the anomaly score decreasing
when an event ends.
Figure 118: Decreasing of Anomaly Score

At the end of the time range, historical bounds are narrowing as the latency has now returned to a stable
value with minimum deviations. The history needs approximately six hours to have negligible impact on the
statistics and bounds.
This screen also provides the following additional metrics of this event (see Figure 119: CloudTracer Event
Additional View):
• The other CloudTracer metrics are displayed for this device and host pair
• The latency metric between other devices and this host
• The latency metric between this device and other hosts
Figure 119: CloudTracer Event Additional View

150
 Device Management

7.15.4 Custom Syslog Events

The Custom Syslog Event creates syslog message events based on rule conditions. To end all similar
active events, you must update the configuration as per the recommended action provided in the EOS
System Message Guide.
An EOS System Message Guide is published with every EOS release. In the guide, you can find all the
common system messages generated by devices, including the syslog facility, mnemonic, severity, and log
message format. To download the guide, click https://www.arista.com/en/support/software-download and look
for SysMsgGuide under EOS release Docs.
Note: Rules are processed sequentially. Events that don't match user created rule conditions are
processed by default rule(s).
Perform the following steps to create a rule for generating syslog events:
1. On the CloudVision portal, click the Events tab. The system displays the Events screen.
2. Click Configure Event Generation at the upper right corner of the Events section.
Note: Alternatively, you can go to an event details screen and click Configure Event Generation
to configure rules for generating events.
The system displays the Generation Configuration screen with all configurable event types listed in the left
pane.
3. Click Custom Syslog Event.
Figure 120: Custom Syslog Event Screen

4. Click +Add Rule in the right pane.

151
 A new condition pane is displayed on the screen.
Figure 121: Conditions Pane for the Custom Syslog Event Rule

5. Provide the following information in specified fields:

• Active devices autocomplete field -
• Generate an event for these conditions checkbox -
6. Choose either Single Instance Events or Time Period Events using the toggle button.
7. Based on your choice between single instance events and time period events, provide the following
relevant conditions for generating a rule:
• Configuring Single Instance Events
• Configuring Time Period Events
Note: The corresponding fields appear after you choose the required event type.

8. Save Changes button - Click to save specified changes.

7.15.4.1 Configuring Single Instance Events

CVP creates a single instance event whenever either the specified syslog ID matches with the device syslog
ID or the specified syslog message matches with the device syslog message. See Figure 121: Conditions
Pane for the Custom Syslog Event Rule.
Provide the following information in specified fields to configure a single instance event:
• Syslog ID - Provide facility, severity, and mnemonic of a syslog with regular expressions in the following
fields:
• Facility field - Type the facility of syslog in either simple string or regular expression.
• All severities field - Select the severity of the device.
Note: If no severity is selected, CVP considers all available severities.

152
 Device Management

• Mnemonic field - CVP creates a single instance event when the log message specified in this field
matches with a device syslog message.
• Log Message field - The log message to match against the device syslog message.
Note: You must mandatorily configure either a syslog ID or a log message.

• Mute Period field - CVP does not create another similar event using this rule on a given device until the
time period specified in this field expires for the ongoing event.
Note: This prevents a large number of events generated for the same device within a short period
of time due to a repetitive syslog message.
• Event Title field - Type the event title.
• Severity From Syslog checkbox - Select the checkbox if you prefer CVP to select the severity of the
generated event to be derived from the syslog message severity.
Note: CVP uses the following syslog message severities to event severities:
• [0, 1, 2] - Critical event
• [3] - Error event
• [4] - Warning event
• [5,6,7,...] - Info event
• Severity dropdown menu - Select the preferred severity of the generated event. Severity is configurable
only when Severity From Syslog checkbox is not selected.
• Event Description field - Provide the event description.
• Ignore subsequent rules for selected devices checkbox - Select the checkbox to suppress generating
events for a specific syslog or override upcoming configurations.
• Move Up / Move Down buttons - Use this button to manage the sequence of configured syslog event
rules.
• Delete button - Click to delete the corresponding rule.
Note: Syslogs with high severities like 0 (Emergency), 1 (Alert), 2 (Critical), and 3 (Error) generate
events by default unless they are ignored by user configured rules.

7.15.4.2 Configuring Time Period Events

Events can also be configured to be time period events that remain active between the syslog message that
creates it and the syslog message that ends the event. See the figure below.
Figure 122: Configuring Time Period Event

Provide the following information in specified fields to configure a time period event:

153
 • Start Log Message field - CVP starts a time period event when the start log message specified in this
field matches with a device syslog message.
Note: The start log message must be a string without special characters.

• End Log Message field - CVP ends a time period event when the end log message specified in this field
matches with a device syslog message.
Note: The end log message must be a string without special characters.

• Parameter field - Type the variable that must be configured in log messages specified in the Start Log
Message and End Log Message fields.
• Value field - Type a variable for the specified parameter in either a simple string or a regular
expression.
• Add Value - Click to add another variable for the specified parameter.

Ethernet is a parameter with values as Ethernet1 and Ethernet2. See the figure below.
In this case, the specified log messages matches with Ethernet1 and Ethernet2 values for either starting or
ending an event.
Figure 123: Example1 of Parameter Variables

Ethernet is a parameter with a value as Ethernet.*. See the figure below.

In this case, the specified log messages matches with all ethernet values like Ethernet1, Ethernet1/2,
Ethernet1/3, and so on for either starting or ending an event.
Figure 124: Example2 of Parameter Variables

154
 Device Management

• Raise Time field - After a start rule matches, the starting of an event is delayed for the duration specified
in this field.
Note: If the end event log message arrives before this delay elapses, the event is not generated.
This option is useful in situations where you wish to generate an event only when a syslog
condition has persisted for at least some set period of time.
• Clear Time field - After an end rule matches, the ending of the ongoing event is delayed for the duration
specified in this field.
Note: If the start event log message arrives before this delay elapses, the event is not ended and
will continue as an active event. This option is useful in situations where you wish to generate a
long single event which may encompass several start/end conditions being met during a set period
of time.
• Event Title field - Type the event title.
• Severity From Syslog checkbox - Select the checkbox if you prefer CVP to select the severity of the
generated event to be derived from the syslog message severity.
Note: CVP uses the following syslog message severities to event severities:
• [0, 1, 2] - Critical event
• [3] - Error event
• [4] - Warning event
• [5,6,7,...] - Info event
• Severity dropdown menu - Select the preferred severity of the generated event. Severity is configurable
only when Severity From Syslog checkbox is not selected.
• Event Description field - Provide the event description.
• Ignore subsequent rules for selected devices checkbox - Select the checkbox to suppress generating
events for a specific syslog or override upcoming configurations.
• Move Up / Move Down buttons - Use this button to manage the sequence of configured syslog event
rules.
• Delete button - Click to delete the corresponding rule.
Note: A configuration change in the current rule ends all ongoing events.

7.15.5 Managing Events

You can manage an event by customizing event rules differently. Refer to the following examples:
• Disabling All Events of the Selected Type
• Disabling All Events of the Selected Type with Exception

7.15.5.1 Disabling All Events of the Selected Type

Perform the following steps to disable all events of the selected type:
1. Navigate to the Generation Configuration screen.
2. Click the required event type in the left pane.
3. In the right pane, Click the + Add Rule button.
Note: Retain only one rule with no values defined. To disable the event only for selected datasets,
select appropriate devices tags in the Devices field.
4. Select the Stop generating events and checking rules checkbox.

155
 The system disables all events of the selected event type.
Figure 125: Disable All Events of the Selected Type

5. Click Save in the left pane.

7.15.5.2 Disabling All Events of the Selected Type with Exception

Perform the following steps to disable all events of the selected type with exceptions:
1. Navigate to the Generation Configuration screen.
2. Click the required event type in the left pane.
3. In the right pane, Click the + Add Rule button.
4. In the Conditions pane, provide the device tags that you still want to generate an event for. The system
creates rule 1.
Note: If you need devices with different conditions, add another rule by repeating steps 3 and 4.

5. Click the + Add Rule button.

6. In the appropriate Conditions pane, select the Stop generating events and checking rules checkbox. The
system creates rule 3.

156
 Device Management

Note: If you skip steps 5 and 6, the system applies default rules to all device tags except the ones
that are defined in rules 1 and 2.
Figure 126: Disable All Events of the Selected Type with Exception

The system disables all events of the selected type except the ones that are defined in rules 1 and 2.

7.15.6 Acknowledging Events

Acknowledging an event confirms that you are aware of the corresponding event and its consequences. By
default, acknowledged events are hidden and do not send alerts.
Perform the following steps to acknowledge an event:
1. Click the Events tab. The system displays the Events screen.
2. Select preferred event(s) in the side panel.
3. Click Acknowledge n in the upper right corner of the side panel.
Note: n represents the count of selected events.

The system displays the Acknowledgment Event window.

Figure 127: Acknowledgment Event Pop-Up

4. (Optional) Type a note for other users explaining the reason for the acknowledgment.
5. Click Acknowledge n events where n represents the count of selected events.

157
 Note: For acknowledged events, the system replaces the Acknowledge button with Un-
Acknowledge button. To undo the acknowledgment activity, Click Un-Acknowledge in the side
panel of the acknowledged event.

7.15.7 Configuring Notifications

The event alerting system sends notifications for CVP events as they alert operating platforms that you have
set up. Once you have customized the topology view for your network, provide the required information to
configure the monitoring of notifications.
Perform the following steps to configure event alerts:
1. Click the Events tab.
2. Click Configure Notifications at the upper right corner of the Events section. The system displays the
Notification Configuration screen.
3. Configure the following entities:
• Configuring Status
• Configuring Platforms
• Configuring Receivers
• Configuring Rules
4. Click Save in the left pane

7.15.7.1 Configuring Status

The Status section configures monitoring the health of notification system.
Perform the following steps to configure the notification criteria:
1. Click Status. The system displays the Status screen.
Figure 128: Status Screen of Notification Configuration

2. On the Test Alert Sender pane, provide the required criterion in Severity, Event type, and Device drop-
down menus.
3. If required, click Send Test Notification to verify current configuration.

7.15.7.2 Configuring Platforms

The Platforms section specifies what platforms will receive notifications.

158
 Device Management

Perform the following steps to configure preferred platforms:

1. Click Platforms. The system displays the Platforms screen.
Figure 129: Platforms Screen of Notification Configuration

2. Configure any of the following platforms through which you prefer to receive notifications from CVP:
• Email
Provide the following information to receive email notifications:
• Type your SMTP servers hostname and port number separated by a colon in the SMTP Host field.
Note: Typically, the port numbers of SMTP and SMTP over TLS are 25 and 587.

• Select the Use TLS for SMTP checkbox if you prefer to encrypt notifications received from and sent
to the SMTP server.
• Type the email address that you prefer to display as a sender in the Email "From" Address field.
Note: We recommend an email address with the domain of your organization.

• Type the username of your SMTP account in the SMTP Username field.
• Type the password of your SMTP account in the SMTP Password field.
• Slack
Create a custom integration through the Incoming WebHooks Slack application and type the Webhook
URL in the Slack Webhook URL field.
• VictorOps
• In your VictorOps settings, add a new alert integration for Prometheus and type the Service API
Key in the VictorOps API Key field.
• If required, type a custom API URL in the VictorOps API URL field.
• PagerDuty
If required, type a custom API URL in the PagerDuty URL field.
• OpsGenie
• Create an API integration for your OpsGenie team and type the API key in the OpsGenie API Key
field.
• If required, type a custom API URL in the OpsGenie API URL field.
• Google Chat

159
 In Google Chat the Alerter will send a message containing one or more alerts and related information.
Follow the steps in the Google Chat for Developers Guide to create a webhook, use the webhook URL
to configure the Google Chat platform on CloudVision.
• Microsoft Teams
In MS Teams the Alerter will send a message containing one or more alerts and related information.
Follow the steps in the Microsoft Teams - Create Incoming Webhooks - document to create a webhook,
use the webhook URL to configure the Microsoft Teams platform on CloudVision.
• Zoom
In Zoom the Alerter will send a message containing one or more alerts and related information. Add
webhooks and get configuration information using the guide Using Zoom's Incoming Webhook Chatbot,
once you have the URL and verification token you can enter them into the Zoom platforms settings on
CloudVision.
• Sendgrid
Sendgrid is also available as an alternative to email. On CVaaS, Sendgrid requires no configuration,
while for on-prem installations Sendgrid requires an API key and from address. It uses the same
content templates as Email.
• Syslog
The Alerter will send a syslog message for each CVP event. The syslog facility must be set in
the configuration. The syslog priority is mapped from the CVP severity and this mapping may be
customized in the configuration.

Syslog messages are formatted with the following values:

• Timestamp: The time that the event fired/was resolved.
• Hostname: a comma-separated list of device hostnames from the devices the event is related to.
• Facility: from user configuration.
• Severity: mapped from CVP severity according to user configuration.
• Appname: tag from user configuration.
• Message: $devices: $eventType - $description, $time
• SNMP
The Alerter will send an SNMP trap for each CVP event, this supports SNMPv1, SNMPv2c and
SNMPv3. The OID of the SNMP Trap will use an OID from an Arista CloudVision Alerter specific MIB
ARISTA-CV-MIB.txt, the message is a string message containing the necessary information.

7.15.7.3 Configuring Receivers

The Receivers section configures a receiver for each preferred team to send notifications and link receivers to
notification platforms.
Perform the following steps to add new receivers:

160
 Device Management

1. Click Receivers. The system displays the Receivers screen.

Figure 130: Receivers Screen of Notification Configuration

2. Click Add Receivers at the end of the screen.

3. Type receiver's name in the Receiver Name field.
Figure 131: Add Receiver Pane

4. Click the Add Configuration drop-down menu.

5. Select any of the options in following table and provide the required information to link alert receivers with
alerting platforms.

161
 Table 15: Configuration Options

Configuration Options Required Information

Add Email Configuration • Type recipient's email address in the Recipient Email field.
• If required, select the Send alert when events are resolved
checkbox.

Add VictorOps Configuration • Type a routing key in the Routing Key field.
• If required, select the Send alert when events are resolved
checkbox.

Add PagerDuty Configuration • Type a routing key in the Integration Key field.
• If required, select the Send alert when events are resolved
checkbox.

Add OpsGenie Configuration Select the Send alert when events are resolved checkbox.
Add Slack Configuration • Type a channel in the Channel field.
• If required, select the Send alert when events are resolved
checkbox.

Add Pushover Configuration • Type a recipient's user key in the Recipient User Key field.
• Type a pushover API token in the Application API Token field.
• If required, select the Send alert when events are resolved
checkbox.

Add Webhook Configuration • Type the URL where you prefer to post event alerts in the
Target URL field.
• If required, select the Send alert when events are resolved
checkbox

Note: Click the recycle bin icon at the right end of corresponding fields if you prefer to delete
that configuration. Click Delete Receiver next to Add Configuration if you prefer to delete the
corresponding receiver.

7.15.7.4 Configuring Rules

The Rules section customizes notifications that are sent to receivers.
Perform the following steps to add a new rule:

162
 Device Management

1. Click Rules. The system displays the Rules screen.

Figure 132: Rules Screen of Notification Configuration

2. Click Add Rules. A new Rules Conditions pane is displayed on the screen.
Figure 133: Rule Conditions Pane

3. Next to Add Conditions, click Severity, Event Type, Device, and Device Tags to provide the criteria that
are used for monitoring the health of the alerting system.
Note: Click Remove at the end of a field to delete that configuration.

4. Select the required receiver from the Receiver drop-down menu.

5. Select required checkboxes among Severity, Event Type, Device, and Interface to group similar events
into a single alert.
6. Select the Continue checking lower rules checkbox to continue checking for alerts if this event matches
subsequent rules.
7. Click Move up if you prefer to move this rule up in the priority list.

163
 Note: Rules are processed sequentially. The default rule is applied only when an event does not
match any other rules. Click Delete rule to delete the corresponding rule. Click Move down in
configured rules to move the corresponding rule down in the priority list.

7.16 Events App

The Events app provides fast filtering results that are loaded 100 events at a time, improving loading times
and responsiveness compared to the existing Events app.

7.16.1 Event Summary

At the top of the app is the event summary. The summary has two tabs for the Event Chart and the Summary
Tables. There is also a time range duration picker that selects the start of the time range for the summary
results. The filters in the app sidebar also affect the summary views, allowing the request of specific summary
queries.
Figure 134: New Events App

Event Chart
The default summary view is the Events Chart. This chart displays the number of events that were created
in a time range, broken down by severity. Hovering over a colored section of a bar shows how many events
occurred with that given severity. A bar represents the events that were created within time range for that

164
 Device Management

bar. . The amount of time represented by a bar is dependent on the selected time range. Larger time ranges
will group more events into a single bar.
Figure 135: Event Chart Summary

Summary Tables
The Summary Tables tab displays the events of the Events Chart in a table format. Results can be filtered by
severity value, device, or event-type.
Figure 136: Summary Tables

Summary Time Picker

In the top-right corner of the summary there is a time range picker. This affects the summaries only. The end-
time of the summary window is determined by the Events Starting Before filter in the sidebar. The start-time

165
 is derived from the chosen time range. The range picker has a minimum duration of one hour and a maximum
of one week.
Figure 137: Summary Time Picker

7.16.2 Events Table

Events matching the selected filters are displayed in the table below the summary.
Figure 138: Events Tables

The newest 100 events are initially loaded. Subsequent events are fetched via automatic pagination. The
Ack(Acknowledgement) column only appears if the Show Acknowledged filter toggle is on. This allows other
columns to expand when acknowledgment information is not required.

Events Table Functionality

• When scrolling down through the table of events, older events are automatically fetched.
• If there are no events matching the selected filters, the events table will display an empty data message.
• To update the display with events that may have occurred while viewing the Events Table, select the
Show New Events button. The screen will be updated with the new data.
• To export the currently-loaded events, select the Export Table to CSV button.

Certificate Expiration Event

When the CloudVision SSL certificate is expiring an event will alert users 90 days in advance of certificate
expiration. Clicking on the event will provide further information. To clear the event, the SSL certificate must
be replaced.

7.16.3 Event Filters

Filter options are located in the sidebar. The selected filters affect the results in both the events summary
and the events table. Multiple filters can be selected to refine the results shown in these sections. Filters are
automatically applied as they are changed in the sidebar.

166
 Device Management

Events Starting Before

The Events Starting Before time selector defines the end cutoff time filter for events. Events that are created
after the selected time will not be shown. By default, the filter is set to the current time.
Select this filter to open the date-time picker, allowing an older time to be selected. Select Apply to update
with this new time filter. Select Use current time to show live events.

Severity
Selecting an event severity will display only the selected severity level.

Event Description
The Event Description filter allows events to be searched by arbitrary text in the event description field.

Event Type
When selected, the Event Types filter presents a list of all available event types. Selecting one or more
options filters the results to events of the selected types.

Device
When Selected, the Device filter presents a list of all streaming devices. Selecting one or more devices will
display events that occurred on the selected devices.

Show Acknowledged
Select Show Acknowledged to view events which have been previously acknowledged.

Active Events Only

Select Show Active Only to view events which are still active.

Resetting Filters
Select the Reset Filters button to place all Event filters to their default values.

7.17 Packaging
The Packaging feature is used to export custom change control actions from one CloudVision cluster and
install them in another. Package IDs and version numbers can be used to update existing packages with
version control.

167
 Accessing Packaging
The Packaging feature is available under Settings tab in the navigation bar.
Figure 139: Accessing Packaging

From the Packaging screen, you can create, install, and review packages. There are two main sections when
managing packages: Managed Packages and Created Packages.
Managed Packages have been imported from another CloudVision cluster and installed. Hover over the
package to review the description. The only available function is to unistall the selected package.
Created Packages are editable and available for export to another CloudVision cluster.
Note: Packages can only be edited and exported from,the cluster where they were created.

7.17.1 Create a Package

When creating a package you can select the components to be included. You can select studios, actions, and
dashboards to bundle and export. Additional actions to manage the installation and uninstallation of packages
and components can be added.
Creating a Package
1. From the Packaing screen, select Create Package.
2. Enter a package name.
3. Create a unique Package ID and enter a version number. The Package ID should be human readable.
The version number must be three digits (x.x.x).
Note: Make sure that the ID does not match the Package ID of an existing package, otherwise an
existing package may be overwriten.

168
 Device Management

4. Enter a description of the package.

Figure 140: Creating a Package

5. Click Add Component and use the dropdown to select actions to include in the package. Selected actions
will appear under Contents
Note: Actions may be executed at different speeds. Limit the number of components in a package
to those that are related and likely to change together, such as a pair of actions that run before and
after a process.
6. (Optional) Click Edit below any component name to create a unique Component ID.
7. Click Create Package. The package will appear under Created Packages.
8. Click Export on the package to download the .tar package file.
9. Save the file to the appropriate repository so that it can easily be located for import and installation in
another CloudVision cluster.

7.17.2 Installing a Package

Packages that have been exported as .tar files from another CloudVision cluster can be imported and
installed.
1. In the cluster that a packege is to be installed, open the Packaging screen and click Install Packages.
2. Select or drag-and-drop the appropriate .tar file into the modal. Multiple packages may be selected and
installed at the same time.

169
 Note: Check the version number and Package ID before installation to avoid overwriting an
existing package.
Figure 141: Installing Packages

3. Select Upload.

7.17.3 Updating a Package

Updating a package will overwrite an existing package.
1. Export the package to be overwritten.
2. If the package to be overwritten is listed under Created Packages it must be deleted.
3. Create a new package using the same name as the package to be updated.
4. Enter the package ID with the same package ID of the original package.
5. Increase the version number of the original package sequentially.
6. Proceed to follow the steps for uploading and installing a package,
Note: Before installing an updated package, verify that you select the .tar file with the appropriate
version number.

7.18 Troubleshooting
A number of commands are provided with the Telemetry platform that you can use to troubleshoot the
Telemetry platform components. The types of troubleshooting you can perform using the Telemetry platform
commands are:
• General Troubleshooting
• Troubleshooting the NetDB State Streaming Agent
• Checking the Status of the Ingest Port

7.18.1 General Troubleshooting

Telemetry commands are provided that enable you to troubleshoot the Telemetry platform components.
By default, debug log files are available for all of the Telemetry platform components, which you can view
using Telemetry commands. You can also use standard CVP commands to check the status of Telemetry
components and applications.

170
 Device Management

7.18.1.1 Viewing Debug Log Files

You can view debug log files for all platform components in a single log file, or for a particular platform
component.
Note: To use the commands, you must login as cvp user. You must also login as cvp user to execute
su cvp.
To view debug log files for all platform components in a single log file
Use the cvpi logs all command.
To view the location of debug log files for a particular platform component
Use the cvpi logs <component> command.
You must specify the component using the name of the component as it is specified in the component's yaml
file definition.
To create a zip archive (.tgz) containing debugging information
Use the cvpi debug command.
This command creates a .tgz archive on each CVP node that contains debugging information. The archive is
automatically saved to the /data/debug directory on each node. Files need to be collected manually.

7.18.1.2 Checking CVPI Status

You can use commands to check status of the Telemetry components and applications, and to check the
status of the entire CVP environment.
To check the status of CVPI
Use the cvpi status all command.
This command checks the status of CVPI, including the Telemetry components and applications.
To check the status of CVP environment
Use the cvpi check all command.
This command runs a check to ensure that the CVP environment is setup correctly. In a multi-node setup, it
checks to make sure that the nodes can communicate with to each other and have the same environments
and configuration.

7.18.2 Troubleshooting the NetDB State Streaming Agent

The Telemetry platform component provides commands you can use to troubleshoot issues you may
encounter with the installation or performance of the NetDB State Streaming Agent.
The commands enable you to:
• Inspect the agent's configuration
• Restart the agent
• View the agent's logs

7.18.2.1 Inspect the agent’s configuration

Run the following commands to view the agent’s configuration:

switch> enable
switch# config
switch (config)# daemon TerminAttr
switch (config-daemon-TerminAttr)# show active

171
 daemon TerminAttr
exec /usr/bin/TerminAttr -ingestgrpcurl=172.28.131.84:9910 -ingestauth=k
ey,ab27cf35f73543d2afe3b4c15c12e6a3 -taillogs
no shutdown

7.18.2.2 Restart the agent

Run the following commands to toggle the shutdown attribute:

switch (config-daemon-TerminAttr)# shutdown

switch (config-daemon-TerminAttr)# no shutdown

7.18.2.3 View the agent’s logs

On the switch or using the CLI shortcut, run the following command:

bash cat /var/log/agents/TerminAttr-`pidof TerminAttr`

7.18.3 Checking the Status of the Ingest Port

The Telemetry platform automatically blocks the ingest port for the entire CVP cluster if the disk usage on any
node of the cluster exceeds 85%. This feature prevents the potential for telemetry data to consume too much
disk space in the CVP cluster.
You can easily check to see if the ingest port is blocked using the cvpi status ingest-port command.
Example

[cvp@cvp109 bin]$ cvpi status ingest-port

[ingest-port:status] Executing...
[ingest-port:status] FAILED

COMPONENT ACTION NODE STATUS ERROR

ingest-port status primary NOT RUNNING command: Error running '/cvpi/

bin/ingest-port.sh status'...
ingest-port status secondary NOT RUNNING command: Error
running '/cvpi/bin/ingest-port.sh status': exit status 1
ingest-port status tertiary NOT RUNNING command: Error
running '/cvpi/bin/ingest-port.sh status': exit status 1
[cvp@cvp109 bin]$

172
 Chapter 8

Device Comparison Application

To gain valuable insights into the state of your devices, such as state changes and comparison with another
device, you can manage your inventory for real-time status updates.
The device comparison application gives information about the configuration running on the devices, the
VXLAN table, MAC addresses of the devices, IPv4 and IPv6 routing tables, etc.
• Comparison Dashboard
• Running Configuration
• Snapshots
• ARP Table
• Comparing NDP Table
• MAC Address Table
• VXLAN table
• Viewing Device IPv4 Routing Table
• Viewing Device IPv6 Routing Table
• Comparing IPv4 Multicast Table

8.1 Comparison Dashboard

The Comparison Dashboard from the Device tab explores the difference between devices or changes that
happened to devices over time. You can compare devices in the following categories:
• Two devices: Two devices at current time with live updates
• Two times: The state of a single device at two chosen times
• Advanced: Two devices at two chosen times
• Accessing the Comparison Browser Screen

8.1.1 Accessing the Comparison Browser Screen

You can access the Cloud Vision Telemetry Browser screen directly from CVP by completing the following
steps. Open your browser.

1. Point your browser to the CVP IP address or hostname.

2. Login to CVP. The CVP Home screen appears.
3. Click Devices.

173
 4. Click Comparison.
Figure 142: Start page for comparison of devices

For a particular device with two chosen times, select the Two times option.
Figure 143: Comparison of device at two chosen times

Comparing two devices at two chosen times, select the Advanced option:
Figure 144: Comparison of device advanced

174
 Device Comparison Application

8.2 Running Configuration

To compare the data for the Running configuration for different devices, select Running Config. You have an
option for current time comparison or chosen times comparison.
Figure 145: Comparison of Running configuration for two devices

• Supported Snapshots

8.2.1 Supported Snapshots

All Snapshots give the list of snapshots, its capture time and its last executioner in the following figure.
Figure 146: All Snapshots options

175
8.3 Snapshots
On the CloudVision portal, navigate to Devices > Comparison to Snapshots to view the snapshot for the
device.
Figure 147: Comparing snapshots

The screen provides the following functionalities:

• All Snapshots: Displays all current snapshots options
• Snapshots Filter: Select the required snapshot filter

8.4 ARP Table

On the Cloud Vision portal, navigate to Devices > Comparison to ARP Table to view the information about
ARP. Arista's device comparison platform for ARP table compares data between two devices at the same
time and at different time settings.
You can compare the following:
• Device's IP Address
• Device's MAC Address
• Interface
Figure 148: Comparing ARP table

176
 Device Comparison Application

8.5 Comparing NDP Table

On the Cloud Vision portal, navigate to Devices > Comparison to NDP Table to view the information about
NDP. Arista's device comparison platform for NDP table compares data between two devices at the same
time and at different time settings.
The components of the comparison are as follows:
• Device's IP Address
• Device's MAC Address
• Interface
• Static entry
Figure 149: Comparing NDP table

You can compare the status at the current time against the following times:
• 30 minutes
• 1 hour
• 2 hours
• 12 hours and
• 24 hours ago.
Figure 150: Comparing same device for NDP table for different times

177
8.6 MAC Address Table
On the Cloud Vision portal, navigate to Devices > Comparison to MAC AddressTable to view the information
about MAC addresses for the devices. Arista's device comparison platform for MAC Address table compares
data between two devices at the same time and at different time settings.
The components of the comparison are as follows:
• VLAN
• Device's MAC Address
• Type of the VLAN
• Port
• Number of moves on the Port
• Timing for last movement
Figure 151: Comparing MAC Address table for current time for two devices

Figure 152: Comparing MAC Address table for different times for two devices

You can compare the status at the current time against the following times:
• 30 minutes
• 1 hour
• 2 hours
• 12 hours and
• 24 hours ago.

178
 Device Comparison Application

Status is shown by added, removed and modified entries.

Figure 153: Comparing same device for different times and status

To show all entries for the devices, Click ALL.

Figure 154: Showing all entries for the Devices for MAC Address table

179
8.7 VXLAN Table
On the Cloud Vision portal, navigate to Devices > Comparison to VXLAN Table to view the information
about MAC addresses for the devices.
The components of the comparison are as follows:
• VLAN VNIs
• VXLAN MAC Address
Figure 155: Comparing VXLAN table for current time for two devices

Figure 156: Comparing VXLAN table for different times for two devices

You can compare the status at the current time against the following times:
• 30 minutes
• 1 hour
• 2 hours
• 12 hours and
• 24 hours ago.

180
 Device Comparison Application

Status is shown by added, removed and modified entries.

Figure 157: Comparing same device for different times and status

To show all entries for the devices, Click ALL.

Figure 158: Showing all entries for the Devices for VXLAN table

181
8.8 Viewing Device IPv4 Routing Table
From the Comparison screen, you can quickly drill down to view details about IPv4 Routing from different
devices. In tabular view, click the device names to compare the corresponding device details.
Figure 159: Comparing IPv4 routing table for different devices

The screen refreshes to show the status, IP address and functions it does for Nexthop. Status is generally
shown by Static, Martian, Connected, Receive and Receive Broadcast.
Figure 160: Comparing IPv4 Routing table for different times for two devices

You can compare the status at the current time against the following times:
• 30 minutes
• 1 hour
• 2 hours
• 12 hours and
• 24 hours ago.

182
 Device Comparison Application

Status is shown by added, removed and modified entries.

Figure 161: Comparing same device for different times and status

8.9 Viewing Device IPv6 Routing Table

From the Comparison screen, you can quickly drill down to view details about IPv6 Routing from different
devices. In tabular view, click the device names to compare the corresponding device details.
Figure 162: Comparing IPv6 routing table for different devices

The screen refreshes to show the status, IP address and functions it does for Nexthop. Status is generally
shown by Static, Martian, Connected, Receive and Receive Broadcast.
Figure 163: Comparing IPv6 Routing table for different times for two devices

You can compare the status at the current time against the following times:
• 30 minutes
• 1 hour
• 2 hours
• 12 hours and
• 24 hours ago.

183
 Status is shown by added, removed and modified entries.
Figure 164: Comparing same device for different times and status

8.10 Comparing IPv4 Multicast Table

On the Cloud Vision portal, navigate to Devices > Comparison to IPv4 Multicast Table to view the
information about Multicast. Arista's device comparison platform for IPv4 Multicast table compares data
between two devices at the same time and at different time settings.
The components of the comparison are as follows:
• Sparse Mode PIM
• Static
Figure 165: Comparing IPv4 Multicast table

You can compare the status at the current time against the following times:
• 30 minutes
• 1 hour
• 2 hours
• 12 hours and

184
 Device Comparison Application

• 24 hours ago.
Figure 166: Comparing same device for IPv4 Multicast table for different times

185
186
 Chapter 9

Network Compliance (CVP)

CloudVision continuously computes image and configuration compliances. If a device is either configuration,
image, or extension non-compliant, CVP automatically generates a non-compliant event on the Compliance
dashboard and flags the device as non-compliant on the Inventory screen.
Note: The event layout displays the running and designed configuration, related information about the
device compliance, and the device bug/security advisory exposure.
A device configuration compliance is triggered in the following circumstances:
• A configlet is assigned to either a device or Container
• Configlet content changes affect all devices to which the configlet has been mapped
• A device restarts streaming after you make the changes mentioned above
• A device is edited
Figure 167: Device Out of Config Compliance Event

Compliance statuses of image and switch configuration are computed when the following entities are edited:
• Running or designed configurations
• Extensions or EOS versions
Note: The compliance status of device and parent container icons update automatically.

An image configuration compliance is triggered in the following circumstances:

• An image bundle is either applied or removed from either device or container
• An image bundle content is edited
• EOS version is edited

187
 • EOS image version changes due to an image upgrade or downgrade
Figure 168: Device Out of Image Compliance Event

An extension configuration compliance is triggered when extensions are edited.

Figure 169: Device Out of Extension Compliance Event

The Compliance Overview dashboard from the Devices tab presents the number of devices and their
compliance status in the following categories:
• Bug Exposure
• Security Advisories
• Configuration Compliance
• Image Compliance
Sections in this chapter include:
• Device Compliance
• Notifications for Container-level Compliance Checks and Reconciles
• Compliance Dashboard
• Print Compliance Dashboard
• Setup for Automatic Sync of Compliance Bug Database

188
 Network Compliance (CVP)

9.1 Device Compliance

In CloudVision Portal (CVP), devices have a compliance status which indicates whether the running
configuration and image of a device is different from the designed (managed) configuration and image for the
device.
The possible device compliance statuses are:
• Compliant: Devices in which the running configuration and image are identical to the designed
configuration and image for the device.
• Non-compliant: Devices in which the running configuration or image are different from the designed
configuration or image for the device
When you edit running and designed configurations of provisioned devices, CloudVision automatically
computes the difference and updates the compliance status in response to changes in the network. CVP
provides device compliance status indicators to easily identify non-compliant devices and the functionality
required to bring non-compliant devices into compliance. One process used to resolve the difference in
running and designed configuration is referred to as reconciling.
For more information, see:
• Device Compliance Status Indicators
• Device Compliance Checks

9.1.1 Device Compliance Status Indicators

CloudVision Portal (CVP) provides device compliance status information in both the Network Provisioning
screen and the Inventory screen (list view).

9.1.1.1 Network Provisioning Screen Compliance Status Indicators

The Network Provisioning screen (topology view) utilizes color coding to indicate the presence of
compliance alerts on devices. A compliance alert on a device indicates that the running configuration or
image is different from the designed configuration or image for the device. This feature enables you to easily
see if a device has a compliance alert.
In addition to using color codes for device icons, CVP also uses color codes for container icons to indicate
that a device within the container has a compliance alert. If a device within a container has an active alert, the
container inherits the alert color of the device. For example, if a device within a container has a configuration
mismatch, the container inherits the alert color used to indicate a configuration mismatch.
This feature enables you to easily see if a device within a container has an alert, even if the device is not
visible. It also prevents you from having to open a container to see if a device within it has an alert.
Note: Containers only inherit the alert color of a device if the device is directly underneath the
container in the hierarchy. If the device is not directly underneath the container in the hierarchy, the
container does not show the alert notification color of the device.
For descriptions of the color codes used to indicate compliance status, see:
• Device Icon Compliance Status Color Codes
• Container Icon Compliance Status Color Codes

189
9.1.1.2 Representation Under Show All Devices
The image below shows the representation of device compliance status information for devices that are only
visible by accessing Show all devices. The statuses shown are the same as those shown using device icons
in the topology view.
Figure 170: Show All Devices display of device compliance status

9.1.1.3 Representation in List View

The image below shows the representation of device compliance status information when using the List
View. The statuses shown are the same as those shown using device icons in the Topology view.
Figure 171: List View display of device compliance status

9.1.1.4 Removing Compliance Indicators

The Network Provisioning screen shows non-compliance whenever there is a mismatch between the
running configuration or image and designed configuration or image of devices in the topology. To remove
compliance indicators, reconcile the configuration of any devices that have a configuration mismatch.
Note: Compliance indicators are removed from the display only when there is no configuration
mismatch.

190
 Network Compliance (CVP)

9.1.1.5 Representation Under Show All Devices

The image below shows the representation of device compliance status information for devices that are only
visible by accessing Show all devices. The statuses shown are the same as those shown using device icons
in the topology view.
Figure 172: Show All Devices display of device compliance status

9.1.1.6 Device Icon Compliance Status Color Codes

The color of the device icon indicates the compliance status of the device. This table lists and describes the
device icon color codes:

Icon Description

Gray
The compliance status is normal (no compliance alert).

Orange (no task)

The device has a configuration mismatch (the running configuration or image are
different from the designed configuration or image for the device).
No task to resolve the mismatch is associated with the device.

Orange (with task)

The device has a configuration mismatch (the running configuration or image are
different from the designed configuration or image for the device).
A task to resolve the mismatch is associated with the device.

See Representation Under Show All Devices for how this status is shown when using the Show All Devices
option.

9.1.1.7 Container Icon Compliance Status Color Codes

The figure below shows a container that has a device within it that has an alert. In this example, the alert color
is yellow, which indicates one of the following:
• A device within the container has a configuration mismatch.

191
 • A device within the container has a configuration mismatch, and there is a task associated with the device
to resolve the mismatch.
Figure 173: Container showing alert color

9.1.2 Device Compliance Checks

CloudVision Portal (CVP) enables you to see if devices are non-compliant by performing compliance checks
at the device level and at the container level.

9.1.3 Device Access Alerts

The Network Provisioning screen shows device access alerts whenever a device is no longer reachable
by CVP. This enables you to easily identify unreachable devices in the screen. Any device that is no longer
reachable is represented on the screen using a color coded device icon.
This table lists and describes the color codes used for unreachable devices:

Icon Description

Red
The device is unreachable (CVP cannot connect to the device).

Like device compliance status alerts, CVP also uses color codes for container icons to indicate that a device
within the container is unreachable. If a device within a container has an access alert, the container inherits
the alert color of the device (red).
This feature enables you to easily see if a device within a container has an alert, even if the device is not
visible. It also prevents you from having to open a container to see if a device within it has an alert.
Note: Containers only inherit the alert color of a device if the device is directly underneath the
container in the hierarchy. If the device is not directly underneath the container in the hierarchy, the
container does not show the alert notification color of the device.

192
 Network Compliance (CVP)

9.2 Notifications for Container-level Compliance Checks and Reconciles

CloudVision Portal (CVP) provides notifications for container-level compliance checks and reconciles. When
a container-level compliance check or reconcile is completed, CVP automatically generates a notification
message, indicating that the action has occurred.
Because container-level compliance check or reconciles are not tracked by tasks, you track them using
automated notifications. The notifications can be accessed directly from the Network Provisioning screen by
clicking the Notifications icon. The presentation of the icon indicates whether there are unread notifications.
Figure 174: Read and Unread Notification Icons

The notification list provides the following information:

• Current actions in progress, with a progress bar.
• Unread notifications (shaded in blue).
• Previously viewed notifications (no shading). These are shown at the bottom of the list.
The type of action (Check Compliance or Reconcile) is indicated for each notification.
Figure 175: List of Notifications

Note: To view notifications for the previous CVP session, click the bell icon and choose View
History.
For information on container-level compliance checks and reconciles, see:
• Device Compliance Checks

193
9.3 Compliance Dashboard
When you edit running and designed configurations of provisioned devices, CloudVision automatically
computes the difference and updates the compliance status in response to changes in the network.
The Compliance dashboard displays the real-time summary view of image, configuration, and security
compliances for all managed devices. You can filter devices using All Devices, EOS Devices, and Wireless/
AP Devices dropdown options available next to breadcrumbs. See the figure below:
Figure 176: Compliance Dashboard - Managed Devices

The assessment uses bug details published on https://www.arista.com and leverages the network wide
database to compute the exposure based on hardware and software versions. The CVP 2020.2.0 release
comes packaged with a file named AlertBase.json which contains information about software defects and
security vulnerabilities.
The compliance dashboard table consists of Bugs and CVEs, Device Configuration, and End Of Life tabs.

Bugs and CVEs

The Bugs and CVEs tab displays graphical and tabular presentation of bug alerts. See the image below:
Figure 177: Compliance Dashboard- Bugs and CVEs

Note: You can filter bug alerts using All Alerts, Unacknowleged Alerts, and Acknowledged Alerts
dropdown options available next to the tab title.
The donuts display the count of devices exposed to bugs and security and advisories where green signifies
secured devices and red signifies exposed devices. Hover the cursor on the donut ring to view the count of
devices exposed, total count of devices, and the percentile of exposed devices.

194
 Network Compliance (CVP)

The table provides the following information:

• Identifier: Bug number for issues tracked.
Note: The checkmark next to identifier ID signifies acknowledged bugs.

• Type: Identifies the type of bug. Security vulnerabilities are tracked by type CVE. Software defects are
tracked by type Bug. This field can be used to filter on either of these types.
• Summary: Provides a description of the software defect/security vulnerability.
• Severity: Calls out the severity of the software defect.
• Device Count: Lists the number of devices impacted by the tracked issue.
Note:
• If a device is acknowledged in tracked issues, this count is decreased by one.
• If the bug is acknowledged, CVP displays zero.
• Unacknowledged actions undo these results.
• Exposed Devices: Lists the names of devices impacted by the software defect or security vulnerability.
Note:
• If a device is acknowledged in tracked issues, CVP does not list its name.
• If a bug is acknowledged, CVP displays None.
• Unacknowledged actions undo these results.
• CVP generates events for CVE bugs that are exposed on device(s). These events last until the
bug either is resolved on the device or is acknowledged.
Click the listed bug alert to view more details from the corresponding Bug Alert - Identifier ID pop-window.
See the figure below.
Figure 178: Bug Alert Pop-Up Window

You can fix listed bugs through one of the following ways:
• Upgrading your device to versions mentioned under Version(s) Fixed

195
 • Installing the hotfix available at https://www.arista.com/en/support/advisories-notices as either a part of an
image bundle or directly using the EOS CLI.
Note: You can search for hotfixes via identifier IDs.

Click the Acknowledge Bug on n Device(s) and Close button to hide the corresponding bug from bug info
in selected devices.
Note:
• n presents the count of selected devices.
• (Optional) Provide reasons for acknowledgement in the text box.
• To undo the acknowledgement, reopen the bug to select acknowledged devices and click the
Unacknowledge Bug on n Device(s) and Close button.
To acknowledge a bug for all current and future devices, select Always acknowledge instances of this
alert checkbox and click Save and Close button.
Note:
• (Optional) Provide reasons for acknowledgement in the text box.
• To undo the acknowledgement, reopen the bug, unselect the checkbox, and click Save and Close.

Device Configuration
The Device Configuration tab displays graphical and tabular presentation of image and configuration
compliances. See the image below:
Figure 179: Compliance Dashboard - Device Configuration

The donuts display the total count of devices available for image and configuration compliances where green
signifies compliant devices and red signifies non-compliant devices. Hover the cursor on the donut ring to
view the count of non-compliant devices, total count of devices, and the percentile of non-compliant devices..
The table displays the following information:
• Device - Lists the hostnames of devices.
Note: Clicking on a device name opens the Running Configuration screen.

• Status - Displays the device status on configuration compliance.

Note: CVP tracks out of sync status for configuration, image, and extensions.

196
 Network Compliance (CVP)

• Last Compliance Check - Displays the timestamp of the last compliance check.

End of Life
The End of Life tab displays graphical and tabular presentation of End Of Life (EOL) of devices . See the
image below:
Figure 180: Compliance Dashboard - End of Life

The donuts display the total count of devices where green signifies the percentile of devices with more than
6 months of life, amber signifies the percentile of devices that are approaching EOL, and red signifies the
percentile of devices that reached EOL. Hover the cursor on the donut ring to view the count and percentile of
devices with more than six months of life.
The table displays the following information:
• Device: Lists the hostnames of devices.
Note: Clicking on a device name displays the hardware inventory details of child devices.

• Type: Lists whether the device is a hardware or software.

• Component: List the device model numbers for hardware devices and version numbers for software
devices.
• End of Life: Lists the earliest date of EOL.

197
9.4 Print Compliance Dashboard
Perform the following steps to print the Compliance dashboard:
1. Select Print from the browser menu.
CVP displays the Print pop-up window. See the figure below.
Figure 181: Print Pop-Up Window

2. Select your printer from the Destination dropdown menu to print the screen.
Note: To save a print-friendly version of the screen, select Save as PDF from the Destination
dropdown menu. This PDF contains all rows of the compliance table.
3. Click Save.

198
 Network Compliance (CVP)

9.5 Setup for Automatic Sync of Compliance Bug Database

In order to keep the bug database up to date and receive real-time assessments on exposure to software
defects and security vulnerabilities, an automated sync can be configured between CVP and https://
www.arista.com using a token-based authentication and proxy URL.
Figure 182: Configuring Compliance Settings

The Compliance screen has a compliance section that accepts the following information:
• An authentication token generated by www.arista.com to enable CVP to keep its bug database up-to-date.
• Proxy URL to reach the update server at www.arista.com.
This token is generated per user and can be obtained from the user profile screen under the Portal Access
section on www.arista.com.
Figure 183: Compliance Portal Access

When this token is provided in the Compliance settings screen, it allows CVP to download the latest version
of the https://www.arista.com/en/login file that is available on the Software downloads page.
Note: To leverage automatic updates of the compliance bug database, connectivity to
www.arista.com should be ensured from the CVP VM.

199
 The version and release date of the compliance bug database in use can be viewed in the Settings
screen under Telemetry Browser > analytics > BugAlerts > update.
Figure 184: Telemetry Browser Screen

200
 Chapter 10

Network Provisioning (CVP)

The Network Provisioning Screen presents a hierarchical view of the network configuration.
It is not a network topology; it is a configuration tree view. The switches at the bottom of the tree inherit the
configuration specified in the containers above them as well as the configuration that is specific to them. The
containers and switches all have sub menus that are accessed by right mouse clicking on them. The main
features of the screen are described below.
Note: Switches that have been added to the network from new will ZTP boot using generic details
from CVP and appear in the Undefined container.
• Network Provisioning View
• Container Level Actions
• Device Bootstrap Process
• Device-level Actions
• Replacing Switches Using the ZTR Feature
• Managing Configurations
• Configuration Validation
• Using Hashed Passwords for Configuration Tasks
• Reconciling Configuration Differences
• Managing EOS Images Applied to Devices
• Rolling Back Images and Configurations
• Device Labels
• Viewing Containers and Devices
• Network Search
• Management IP

201
10.1 Network Provisioning View
The topology view of the Network Provisioning screen is a tree structure that consists of containers and
devices. This view represents the current groupings of devices (devices grouped by container) as well
individual devices.
By default, two types of containers are available in the topology view.
• Tenant: Top-most container.
• Undefined: Container for all devices that have registered themselves with the CloudVision Portal using
Zero Touch Provisioning (ZTP) and are awaiting configuration. Undefined containers are shown in the
view in a different color than defined containers.
The example shown below includes:
• One tenant container (there is always only one tenant container).
• Three containers under the tenant container (one of the three is an undefined container).
• Seven devices (one is under the undefined container, and 6are grouped under the container named
Vantage-DC (6)).
Figure 185: Network provisioning view showing tree structure

Note: Different color icons are used to indicate that devices have compliance alerts or access alerts.

For more information, see:

• Network Provisioning Screen Options
• Changing Between Network Provisioning View and List View
Related topics:
• Container Level Actions
• Device-level Actions
• Viewing Containers and Devices

10.1.1 Network Provisioning Screen Options

The following options are available from the Network Provisioning screen.
• Device Management Lists all the switches that reside below the selected container level, these could
belong to the selected container or reside in containers within the selected container.

202
 Network Provisioning (CVP)

• Configlet Management Lists the configlets associated with the selected container or if a switch is
selected all of the configlets applied to it both directly and inherited.
• Image Management Lists the EOS or vEOS software image associated with a container or switch.
Switches below the container selected will be loaded with this image.
• Label Management Lists the system or custom labels associated with the selected container or switch.
• Refresh and Listview Refresh the current screen to show any updates or changes to the switches or
devices. Listview changes the display from Topology View and displays the switches in a list.
• Containers Containers are the basic logical construct of the topology view. They are used to used group
devices and to apply configurations and deploy images to the device groups.
Container Right Click Options:
• Show From Here Changes the display to show only the containers and switches below the selected
container.
• Expand / Collapse toggles between shrinking or growing the tree topology below the selected container.
• Show All Devices Lists the switches that are associated with that specific container. The container turns
blue if it contains more than five switches and will only display 25 of the total number of switches in the
topology structure.
• Container: Add / Delete Create or remove a container that from the selected container.
• Device: Add / Manage Add a device to the selected container or manage the switches already
associated with the container. The manage option displays a list of switches which can be selected by
enabling the tick box on the left-hand side. The selected switches can then be moved to another container,
reset (returned to a ZTP boot state and associated with the undefined container), or removed from CVP
completely.
• Manage: Configlet / Image Bundle Allocate or remove a configlet or Image to or from a switch or
container.
• View Config View the configuration created from the combined configlets. At the container level this
shows the combined configlet configuration associated with that container.
• Check Compliance - To initiate a compliance check on all devices under the container.
• Reconcile - To initiate configuration reconcile on all devices under the container.
Device Right Click Options:
• Manage: Configlet / Image Bundle Allocate or remove a configlet or Image to or from a switch or
container.
• Labels Lists / assigns the user created labels associated with the selected switch.
• View Config View the configuration created from the combined configlets. At the switch level the entire
configuration that will be applied to the switch is shown.
• Check Compliance Compares the current running configuration on the switch against the designed
configuration in CVP. If they are out of sync the device change to an orange color.
• Move Allows a user to move a switch from one container to another.
• Factory Reset Erases the configuration on the switch then ZTP boots it. This will return it to the
undefined container on the provisioning screen.
• Remove Removes the switch from CVP. This stops CVP making changes to it and tracking its
configuration. The switch is left running with its current configuration on it.
• Replace - To perform a Zero Touch Replacement (ZTR) of the selected device.
Related topics:
• Changing Between Network Provisioning View and List View
• Container Level Actions
• Device-level Actions
• Viewing Containers and Devices

203
10.1.2 Changing Between Network Provisioning View and List View
Click the icons to toggle between the topology view and the list view of the Network Provisioning screen.
Changing to List View
Click the List icon for a list view.
Figure 186: Changing to List View

Changing to Topology View

Click the Topology icon for a topology view.
Figure 187: Changing to Topology View

Related topics:
• Network Provisioning Screen Options
• Container Level Actions
• Device-level Actions
• Viewing Containers and Devices

204
 Network Provisioning (CVP)

10.2 Container Level Actions

Containers are a logical entity used to group network devices and to define a hierarchy to which
configurations can be applied. When you apply a configlet to a container, the configlet is automatically applied
to all of the devices in the container's hierarchy.
Simple container implementations:
• Create a container for every datacenter.
• Within each datacenter container, create a container for every POD (leaf-spine deployment).
• Add devices that belong to each POD to the POD container. Tenant: Top-most container.
For details on how to create, rename, and delete containers, see:
• Creating a Container
• Deleting a Container
• Renaming a Container
Related topics:
• Device-level Actions
• Viewing Containers and Devices

10.2.1 Creating a Container

To create a container:

1. Select a parent container (the container to which you want to add a new container).
2. Right-click the container and choose Add > Container. The New Container dialog appears:
Figure 188: New Container Dialog

3. Enter the name of the new container and select OK to create the container.
4. Click Save to apply the changes.

10.2.2 Deleting a Container

Note: Only empty containers can be deleted.

1. Locate the container to be deleted.

2. Right-click the container and click Remove.

205
10.2.3 Renaming a Container
To rename a container in a topology:

1. Double-click the name field of the container to open the name field editor.
2. Enter a new, unique name for the container and click Enter to rename the container.
Figure 189: Rename Container

10.3 Device Bootstrap Process

The device bootstrap process is a process that automatically makes un-provisioned devices available for
configuration through CVP. Un-provisioned devices automatically boot up in Zero Touch Provisioning mode
and register themselves with the CloudVision Portal (CVP). Once they are registered with CVP, devices
become available for configuration in the Undefined Container.
1. Un-provisioned devices boot into Zero Touch Provisioning mode and send out a DHCP request.
2. The DHCP server then assigns the device an IP Address and returns a URL pointing to the CloudVision
portal in the bootfile-name option. The URL with IP address will be like this //ipaddress/ztp/bootstrap .
3. The device executes this bootstrap script and registers itself with the CloudVision Portal. At this point, the
device is available in the Undefined Container.
You can now add the device to the destination container of your choice and apply the correct image and
configuration to the device.
Related topics:
• Device-level Actions
• Viewing Containers and Devices

10.4 Device-level Actions

CloudVision Portal (CVP) enables you to provision devices as needed based on your current networking
requirements. Some examples of the types of actions you can perform include:
• Adding devices (use this action to add devices from the undefined container to defined containers)
• Moving devices (used this action to move devices from one defined container to another defined
container)
• Removing devices (removing devices from the CVP topology)
• Reset devices
• Replace devices
For details on the steps you use to perform these device level actions, see:
• Adding Devices (from Undefined Container)
• Registering Devices
• Moving Devices from one Container to Another Container
• Removing a Device from a Container
• Device Factory Reset
When resetting a device:
• The device will be removed from the parent container.

206
 Network Provisioning (CVP)

• The running configuration of the device will be flushed.

• Device will reboot with ZTP mode enabled.
• Device will be identified under undefined container.
There are three options you can use to move devices. They are:
• Option 1
• Option 2
• Option 3
Option 1:
1. Locate the device.
2. Right-click the device and choose Factory Reset.
Figure 190: Resetting the Device (option 1)

Option 2:
1. Locate the parent container.

207
 2. Right-click the container and choose Show All Devices. This will list all the devices under the container.
Figure 191: Showing all devices during factory reset (option 2)

3. Right-click the device and choose Factory Reset.

Figure 192: Resetting the device (option 2)

Option 3:
1. Locate the parent container.
2. Right-click the container and choose Manage > Device. This will load the inventory of all the child devices
under the container.

208
 Network Provisioning (CVP)

3. Select the checkbox of the device to be reset, and click the reset icon.
Figure 193: Selecting the device and resetting it (option 3)

On saving the session, a task will be spawned to reset the selected device.

10.4.1 Adding Devices (from Undefined Container)

Adding devices from the undefined container is the most common method for adding devices to a container
in the CVP topology. This method involves adding devices that are not part of the hierarchy of devices to
defined containers in the CVP topology. Containers that receive the added devices are called destination
containers.
Complete the following steps to add a device from the undefined container to a destination container:
1. Locate the container to which you want to add a device.
2. Right-click the container and choose Add > Device. The current inventory of undefined devices for the
selected container appears.
Figure 194: Adding a device

3. Select the device and click Add.

4. Save the session.
5. Execute the Device Add task using the Task Management module to add the device to destination
container.

209
10.4.2 Deploying vEOS Routers
CVP deploys and provisions vEOS routers from cloud and datacenter to Amazon Web Services (AWS) and
Microsoft Azure. Based on the requirement in vEOS deployment, configlets are assigned for push EOS
configuration along with deployment parameters such as AWS Virtual Private Cloud (VPC), subnets, and
security groups.
Note: When CVP is deployed behind NAT devices, the vEOS telemetry configuration needs to be
updated. You can view telemetry data coming from the deployed device when you configure the public
IP address of CVP.
Related Topics:
• Prerequisites
• Adding IPsec and vEOS Licenses
• Adding AWS to Public Cloud Accounts
• Deploying the vEOS Router to AWS
• Adding Microsoft Azure to Public Cloud Accounts
• Deploying a vEOS Router to Microsoft Azure

10.4.2.1 Prerequisites
The prerequisites to deploy vEOS routers within a cloud are:
• vEOS version 4.21.1.1F or later
• CVP 2018.2.0
• vEOS license
• Cloud (AWS/Microsoft Azure) credentials
• vEOS deployment parameters including VPC within which the vEOS has to be deployed, subnets and
security groups associated with vEOS
• IP connectivity from deployed vEOS to CVP

10.4.2.2 Adding IPSec and vEOS Licenses

The addition of an IPSec license is optional based on the deployment.
Perform the following steps to add IPSec and vEOS licenses:
1. Click the gear icon at the upper right corner of the CVP. The system displays the Settings screen.
2. Click EOS Feature Licenses in the left pane. The system displays the EOS Feature Licenses screen.
Figure 195: EOS Feature Licenses Screen

210
 Network Provisioning (CVP)

3. Click Add License in the right pane. The system displays the Add License window.
Figure 196: Add License Window

4. Click Select license file. The system displays the Windows Explorer.
5. Navigate to the required location and select the license.
6. Click Open.
7. Select the required option from the License type drop-down menu.
8. Click Upload. The system lists uploaded licenses in the EOS Feature Licenses screen.
Figure 197: Licenses Listed in EOS Feature Licenses Screen

10.4.2.3 Adding AWS to Public Cloud Accounts

AWS Security Token Service (STS) is required when adding an AWS account to public cloud accounts.
AWS STS gives CVP temporary access to your AWS environment with proper permissions. This allows CVP
to deploy the vEOS router and related resources in your AWS VPC.
CVP calls certain AWS APIs to query VPC information and creates a vEOS router Virtual Machine (VM) in
VPC. It needs an AWS IAM (Identity and Access Management) role with permissions as listed in the code
below .

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:DescribeRegions",
"ec2:DescribeVpcs",
"ec2:DescribeImages",

211
 "ec2:DescribeAddresses",
"ec2:DescribeKeyPairs",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeNetworkInterfaces",
"ec2:CreateNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:DetachNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:DisassociateAddress",
"ec2:ReleaseAddress",
"ec2:RunInstances",
"ec2:TerminateInstances"
],
"Resource": "*"
}
]
}

Note: You receive the STS token after the IAM role is created.

Perform the following steps to add a AWS account to public cloud accounts:
1. Click Provisioning. The system displays the Network Provisioning screen.
2. Click Public Cloud Accounts in the left pane. The system displays the Public Cloud Accounts screen.
Figure 198: Public Cloud Accounts Screen

3. Click Add Credentials in the upper right corner of the right pane. The system displays the Add
Credentials window.

212
 Network Provisioning (CVP)

4. Select Amazon Web Services from the Provider drop-down menu.

Figure 199: Add Credentials Window for AWS

5. On the Provider Details pane, provide the access key, secret key, and token details in the corresponding
fields.
6. Click Save. The system displays the configured AWS account in the Public Cloud Accounts screen.
Figure 200: AWS Configured in Public Cloud Accounts

213
10.4.2.4 Deploying the vEOS Router to AWS
Perform the following steps to deploy the vEOS router to AWS:
1. Click Devices. The system displays the Inventory screen.
2. Click the Add Devices drop-down menu at the upper right corner of the right pane.
3. Select Deploy vEOS Router. The system displays the Deploy vEOS Router window.
Figure 201: Deploy vEOS Router Window

4. Provide the following IPSec details in the appropriate fields:

• Shared Secret Key (optional) - Pre-shared key for IPSec profile
• Tunnel Interface IP (optional) - IP address under tunnel interface
• Tunnel#1 Destination IP (optional) - Peer's (tunnel destination) IP address

214
 Network Provisioning (CVP)

5. Click the Select Provider drop-down menu and select AWS.

Figure 202: VM Details for AWS

6. Provide the following VM details in the appropriate fields:

• Name - The name of the vEOS router instance
• Access Key - The access key used in the public cloud account
• Region - The region that the vEOS router will be deployed in
• Instance Type - The type of vEOS router that the instance will run on
• Key Pair Name - The Elastic Compute Cloud (EC2) keypair used to log in to the vEOS router
• Amazon Machine Identifier - The vEOS AMIs on the AWS marketplace
• VPC ID - The VPC that the vEOS router will be deployed to
• Security Group - The security group that will be associated with the vEOS interface
• Availability Zone - The availability zone that vEOS will be deployed in
• Subnet #1 - The first subnet that vEOS puts Ethernet1 in
• Assign Public IP Address to Subnet #1 - Select Yes if you need a public IP address assigned to the
vEOS router; otherwise, select No
• Use Public IP Address as Local ID - The public IP address of the vEOS router
Note: The system displays the public IP address of the vEOS router after the VM is created.

• Subnet #2 (optional) - The second subnet that vEOS puts Ethernet2 in

• Configlet (optional) - The configlet to configure vEOS once it is active

215
 7. Click Create VM with vEOS. The system displays the status of vEOS deployment under the Progress
column on the Status pane.
Figure 203: Status of vEOS Deployment to AWS

You can also check the VM deployment process on your AWS Portal. Hover the mouse over the
corresponding information icon to view detailed information about the vEOS router deployment. After the
successful deployment of the vEOS router to AWS, you can use your AWS SSH Privacy Enhanced Mail
(PEM) key to login to vEOS.
Note: To make CVP manage vEOS routers, register this device using the instructions in
Registering Devices. Ensure that the AWS security group associated with vEOS router VM has
an ingress rule of allowing TCP port 9910 from CVP's IP address. You must configure AWS for
the vEOS router to function as a VPC gateway using the instructions in Using vEOS Router on the
AWS Platform.

10.4.2.5 Deploying a vEOS Router to Microsoft Azure

Perform the following steps to deploy a vEOS router to the Azure VNET:
1. Click Devices. The system displays the Inventory screen.
2. Click the Add Devices drop-down menu at the upper right corner of the right pane.
3. Select Deploy vEOS Router. The system displays the Deploy vEOS Router window.
4. Provide the following IPSec details in the appropriate fields:
• Shared Secret Key (optional) - Pre-shared key for IPSec profile
• Tunnel Interface IP (optional) - IP address under tunnel interface
• Tunnel#1 Destination IP (optional) - Peer's (tunnel destination) IP address
5. Select Azure from the Select Provider drop-down menu.
Figure 204: VM Details for Microsoft Azure

216
 Network Provisioning (CVP)

6. Provide the following VM details in the appropriate fields:

• Name - The name of the vEOS router instance.
• Subscription ID - The subscription that the vEOS router will be deployed to.
• Instance Size - The size of vEOS router that the instance will run on.
• Resource Group - The resource group that the vEOS router will be deployed to.
• Location - The Azure region that contains the VNET.
• Security Group - The network security group that will be associated with the vEOS interface.
• Virtual Network - The VNET that vEOS will be deployed in.
• Subnet #1 - The first subnet that vEOS puts Ethernet1 in.
• Assign Public IP Address to Subnet #1 - Select Yes if you need a public IP address assigned to
vEOS router, else select No.
• Use Public IP Address as Local ID - The public IP address of vEOS Router.
Note: The system displays the public IP address of vEOS router after the VM is created.

• Subnet #2 - The second subnet that vEOS puts Ethernet2 in.

• Configlet - The configlet to configure vEOS once it is up.
• EOS Image - The vEOS images on Azure marketplace.
7. Click Create VM with vEOS. The system displays the status of vEOS deployment under the Progress
column in the Status pane.
Figure 205: Status of vEOS Deployment to Microsoft Azure

You can also check the VM deployment process on your Microsoft Azure Portal. Hover the mouse over
the corresponding information icon to view detailed information about the vEOS router's deployment. It
contains the initial login credentials you can use to login to vEOS router, you can change the credentials
after logging into the device.
Note: To make CVP manage vEOS routers, register this device using the instructions in
Registering Devices. Ensure that the Azure network security group associated with vEOS router
VM has an ingress rule of allowing TCP port 9910 from CVP's IP address. You must configure
Microsoft Azure for the vEOS router to function as VNET gateway using the instructions in Using
the vEOS Router on Microsoft Azure.

10.4.2.6 Adding Microsoft Azure to Public Cloud Accounts

You need a subscription ID, a tenant ID, a client ID, and client server details in order to an azure account to
public cloud accounts.
To get these details, you must create an application in the Azure active directory and assign proper
permissions to CVP for authentication with Microsoft Azure environment to make API calls. CVP uses a few
APIs to create a vEOS router. Therefore, you must add a contributor role to the resource group that has either
Virtual Network Protocol (VNET) or the whole subscription.
Perform the following steps for adding the Microsoft Azure account to public cloud accounts:

1. Click Provisioning. The system displays the Network Provisioning screen.

2. Click Public Cloud Accounts in the left pane. The system displays the Public Cloud Accounts screen.

217
 3. Click Add Credentials in the upper right corner of the right pane. The system displays the Add
Credentials window.
Figure 206: Add Credentials Window for Microsoft Azure

4. Select Azure from the Provider drop-down menu.

5. Under the Provider Details pane, provide the subscription ID, tenant ID, client ID, and client server details
in the appropriate fields.
6. Click Save. The system displays the configured Microsoft Azure account in the Public Cloud Accounts
screen.
Figure 207: Microsoft Azure Configured in Public Cloud Accounts

10.4.3 Registering Devices

Registering is the method used for adding devices to CVP. As a part of registering devices, CloudVision
automatically enables streaming of the registered devices' state to the cluster by installing and configuring the
TerminAttr agent. Newly registered devices are always placed under an undefined container.
Note: Manual installation or configuration of streaming telemetry is not required prior to registration.

Complete the following steps to register devices with CVP:

1. Navigate to the Inventory screen.

218
 Network Provisioning (CVP)

2. Click the Add Device drop-down menu and select Register Existing Device. The Device Registration
pop-up window appears.
Figure 208: Add Device for Registration

3. Enter the host name or IPv4 addresses of the device(s) to be registered; and click Register.
Figure 209: Selecting Device for Registering

219
 The following figures show the device registration status through the registration process.
Figure 210: Registration Status

Figure 211: Registration Successful

The newly registered devices are now shown in the inventory.

Figure 212: List of Registered Devices

220
 Network Provisioning (CVP)

The newly registered devices are shown in the undefined container in the Network Provisioning view.
Figure 213: Registered Devices in the Network Provisioning View

10.4.4 Moving Devices from one Container to Another Container

Moving devices from one defined container to another is a method you can use to add devices to a container
in the CVP topology. You use this method when you want to add devices to a container, and the device you
want to add is currently under another container in the CVP topology. This method involves locating the
device to be moved, and then moving it to the destination container. Containers that receive the imported
devices are called destination containers.
There are three options you can use to move devices. They are:
• Option 1
• Option 2
• Option 3

10.4.4.1 Option 1

1. Locate the device.

221
 2. Right-click the device and choose Move.
Figure 214: Selecting the device to be moved (option 1)

3. Select the destination container from the drop-down menu.

4. Save the session to move the device to the destination container.

10.4.4.2 Option 2

1. Locate the container that has the device you want to move.
2. Right-click the container and choose Show All Devices. This will load the inventory of all the devices
under the container.
3. Locate the device to be moved.
4. Right-click the device and choose Move. After moving there will be a "T" icon to indicate the move has
been tasked. (The task won't automatically be executed.)
Figure 215: Device with pending move task (option 2)

5. Go to Tasks and explicitly execute the move task. After the task has been executed, the "T" icon is
removed.

10.4.4.3 Option 3

222
 Network Provisioning (CVP)

1. Locate the container that has the device you want to move.
2. Right-click the container and choose Manage > Device. This will load the inventory of all the devices
under the container.
3. Select the device to be moved and click <–> to choose the destination container.
4. From the popup menu, select the destination container and click OK. This will provision a move for the
device

10.4.5 Removing a Device from a Container

A device can be removed from a container. Removing a device from the container will:
• Remove the device from parent container.
• Clear all information about the device in the CloudVision Portal.
• Stop any monitoring of the device.
There are three options you can use to remove devices. They are:
• Option 1
• Option 2
• Option 3

10.4.5.1 Option 1
1. Locate the device.
2. Right-click the device and choose Remove.
Figure 216: Removing a device (option 1)

10.4.5.2 Option 2
This option is available only for topology views.
1. Locate the parent container.

223
 2. Right-click the container and choose Show All Devices. All the devices under the container are listed.
Figure 217: Selecting the device to be removed (option 2)

3. Select the device you want to remove.

224
 Network Provisioning (CVP)

4. Right-click the device and choose Remove. The device is removed from the Network Provisioning view.
Figure 218: Removing the device (option 2)

10.4.5.3 Option 3
This option is available only for the list view of the Network Provisioning screen.

1. Locate the parent container.

2. Right-click the container and choose Manage > Device. This will load the inventory of all the child devices
under the container.
Figure 219: Remove device from the container (option 3)

3. Select the device you want to remove and then click Remove. On saving the session, a task will be
spawned to reset the selected device.

225
10.4.6 Device Factory Reset
When resetting a device:
• The device will be removed from the parent container.
• The running configuration of the device will be flushed.
• Device will reboot with ZTP mode enabled.
• Device will be identified under undefined container.
There are three options you can use to move devices. They are:
• Option 1
• Option 2
• Option 3

10.4.6.1 Option 1

1. Locate the device.

2. Right-click the device and choose Factory Reset.
Figure 220: Resetting the device (option 1)

10.4.6.2 Option 2
1. Locate the parent container.

226
 Network Provisioning (CVP)

2. Right-click the container and choose Show All Devices. This will list all the devices under the container.
Figure 221: Showing all devices during factory reset (option 2)

3. Right-click the device and choose Factory Reset.

Figure 222: Resetting the device (option 2)

10.4.6.3 Option 3

1. Locate the parent container.

2. Right-click the container and choose Manage > Device. This will load the inventory of all the child devices
under the container.

227
 3. Select the checkbox of the device to be reset, and click the reset icon. On saving the session, a task will
be spawned to reset the selected device.
Figure 223: Selecting the device and resetting it (option 3)

10.5 Replacing Switches Using the ZTR Feature

The Zero Touch Replacement (ZTR) feature enables you to replace switches without having to configure the
new switch. When you replace a switch using this feature, the new switch assumes the identity (IP), image,
and configuration of the old switch. You use the Network Provisioning screen to replace switches using the
(ZTR) feature.
Pre-requisites: Before you can begin the process to replace a switch using ZTR, make you must complete
the following steps:
1. Make sure that the old switch is physically powered down and is not physically connected to the network.
2. Physically connect the new switch to the network exactly as the old switch was connected.
3. Power on the new switch.
4. Make sure the new switch comes up using ZTP, and that it shows up in the undefined container as an
available resource. The new switch must have a different IP address from the switch that is being replaced
at this point in the process.
Note: Verify the new switch has a different IP address from the switch that is being replaced.

Complete these steps to replace a switch using ZTP:

1. Go to the Network Provisioning screen.

228
 Network Provisioning (CVP)

2. Right-click on the old switch, and select Replace. This initiates ZTR, and opens the Undefined Device
screen.
Figure 224: Selecting the switch to be replaced

3. Select the new switch by checking the checkbox next to the Serial No. column, and then click Replace.
Figure 225: Selecting the new device and replacing the old device

229
 4. In the Network Provisioning screen, click Save. A task icon T shows on the old switch, indicating that a
task to replace it has been scheduled. Also, an R icon shows on the new switch, indicating that it is the
replacement switch for a scheduled ZTR task.
Figure 226: Topology view showing device with pending replace task

5. Go to the Tasks screen.

6. Select the task and click the play icon to execute the task.
While the task is executing, you can open the logs for the task to view how ZTR manages the
replacement. ZTR first pushes the old switches image and configuration to the new replacement switch,
and then initiates the reboot.
Figure 227: Task log showing processing of device replacement

230
 Network Provisioning (CVP)

10.6 Managing Configurations

CloudVision Portal (CVP) enables you to manage configurations by assigning configurations to containers
and to devices. Configurations that you assign to containers are applied to all devices under the container's
hierarchy. CVP also enables you to easily view the configuration currently assigned to containers and
devices.
• Applying Configurations to Containers
• Viewing the Configuration Applied to Devices
• Applying Configurations to a Device

10.6.1 Applying Configurations to Containers

Applying configurations to containers involves adding Configlets to containers or removing Configlets from
containers.
Adding Configlets
1. Locate the container.
2. Right-click the container and choose Manage >Configlet. This will open the window display the inventory
of configlets.
3. Select the configlet and click Update. This will provision configlet add for the container and all the devices
under it.
Removing Configlets
To remove the configlet inventory from a container.
1. Locate the container.
2. Right-click the container and choose Manage>Configlet .
3. Remove the configlets.
4. Click Update.
Figure 228: Remove the configlet and select Update

10.6.2 Applying Configurations to a Device

Applying configurations to devices involves adding Configlets to devices.

231
 Note: When you update a device configuration using configlets, CVP replaces the entire device
configuration with the Designed Configuration for the device. For new devices with pre-existing
configurations added into CVP, you must explicitly perform a one-time reconciliation to save the
desired device-specific running configuration in CVP. If you do not, that configuration may be lost, or
the configuration update task may fail (see Reconciling Device Configurations at the Device Level).
Adding Configlets
1. Select the device and choose Manage > Configlets.
This loads the configlet inventory screen.
2. Select the configlets.
You are required to validate the configuration.
3. To validate the configurations, select Validate.
The validation screen will be loaded.
4. Select Save to propose a Config Assign action.
When saving the session, this will spawn a Config Assign task.

10.6.3 Viewing the Configuration Applied to Devices

CloudVision Portal (CVP) enables you to use the Network Provisioning screen to view the configuration
(Confliglets) currently assigned to devices. When you view the Configlets, you can also see which Configlets
are inherited from Containers, and which are applied directly to the device.
Complete the following steps to view the Configlets applied to a device.
1. Go to the Network Provisioning screen.
2. Make sure you are using the topology view, not the list view.
3. Click on the device in the topology.
4. Click the Configlet icon.
The Configlets applied to the device are listed in a drop-down list.
• If a Configlet is inherited from a Container to which the device belongs, the Container icon appears in
front of the Configlet name.
• If a Configlet is directly applied to the device, no Container icon is shown next to the Configlet name.
Figure 229: Viewing the Configlets applied to a device

232
 Network Provisioning (CVP)

10.6.4 Rolling Back Configurations Assigned to a Device

CloudVision's Network Rollbacks feature enables you to restore a previous configuration to devices. You
can apply the rollback to all the devices in a container, or to single devices. When you rollback a container
or device, you select the date and time for the rollback and whether you want to rollback the configuration or
EOS image (or both).
See Rolling Back Images and Configurations for details.

10.7 Configuration Validation

The validation screen consists of three panes.
• Pane 1: Shows the proposed configuration.
• Pane 2: Shows the designed configuration. (This shows how a resulting running configuration will look like
after successful configuration push.)
• Pane 3: Shows the current running configuration of a device.
Figure 230: Validating your configurations

10.8 Using Hashed Passwords for Configuration Tasks

Some EOS commands take a password or a secret key as a parameter. There are usually two ways of
passing EOS command parameters:
• As plain text.
• As a hashed string.
Note: Because EOS always returns the hashed version of the command in its running configuration,
using the plain text version of commands in Configlets results in the following issues:
• CVP shows that there are configuration differences that need reconciling, even if there are none.
• Compliance checks show devices to be out of compliance.
To avoid these issues, you should use the hashed version of EOS commands in Configlets (for example,
use ntp authentication-key 11 md5 7 <key> instead of ntp authentication-key 11 md5 0
<key> ). Using the hashed versions of commands also keeps the real password hidden.

233
10.9 Reconciling Configuration Differences
CloudVision enables you to reconcile differences between the designed (managed) configuration and running
configuration on devices so that CVP is maintaining the full configuration of each device.
Related topics:
• Key Terms
• Reconciling Device Configurations at the Device Level
• Reconciling Device Configuration Differences at the Container Level

10.9.1 Key Terms

Reconcilable Configuration differences between the designed configuration and the running
differences configuration, which do not conflict with the configuration in any configlets, other
than the reconcile configlet.
Reconcile configlet A specially marked device configlet that is system generated and used to store
reconcilable differences in order for the designed configuration to match the
running configuration.

Reconciling device configuration differences does not require a task, because there is no configuration to be
pushed out to the device. Reconcilable differences are only adjusted in the reconcile configlet, to match the
running configuration. Because of this, there is no task pushed to change the running configuration.
When you reconcile device configuration differences, you add the reconcilable differences found in the
running configuration to the reconcile configlet of the designed configuration.
For details on reconciling device configuration differences, see:
• Reconciling Device Configurations at the Device Level
• Reconciling Device Configuration Differences at the Container Level

10.9.2 Reconciling Device Configurations Differences at the Container Level

CloudVision enables you to reconcile device configuration differences for all devices under the hierarchy of a
selected container, instead of having to initiate this device by device.
Note: The designed configurations of devices in the container that do not have reconcilable
differences are not changed.
For devices that have reconcilable differences, the lines or commands on the device that are not present in
the designed configuration are pulled into the reconcile configlet for that device in one of two ways:
• Using the existing reconcile configlet that is specific to that device.
• Creating a new reconcile configlet that is specific to that device. This is done when there is no existing
reconcile configlet specific for the device. The system automatically creates a unique name for the
configlet.
A green checkmark beside the configlet indicates it as the reconcile configlet for the device.

Complete the following steps to reconcile device configuration differences for a container:
1. Go to the Network Provisioning screen.

234
 Network Provisioning (CVP)

2. Locate the container in the topology where you want to reconcile the configurations of all devices under
that container hierarchy.
3. Right-click the container, hover the cursor on Reconcile, and click either Reconcile All or Reconcile New.
Figure 231: Device configuration reconciliation at the container level

The Reconcile New option reconciles only the configuration lines that exist on the device, but not in the
designed configuration.
The Reconcile All option reconciles new lines and also lines that differ in designed and running
configurations. This usually brings the device into compliance because the resulting designed
configuration will be identical to running configuration. However, there can be cases where in spite of
reconciling device configuration lines, the designed configuration may not end up identical to running
configuration. In these cases, no changes are made to the reconcile configlet. Arista recommends to go
through the device-level reconcile process (See Reconciling Device Configurations at the Device Level),
and select the desired lines.
Note: The bell icon in the upper right corner turns yellow to indicate unread notifications.

235
 4. (Optional) To view the notification for the reconciliation, click the bell icon. The notification list appears
showing the container-level configuration reconciliation, and any other unread notifications.
Figure 232: List of unread notifications

10.9.3 Reconciling Device Configurations at the Device Level

CloudVision enables you to reconcile device configuration differences at the device level (specific, individual
devices). Configuration differences at the device level occur when there are reconcilable differences in the
running configuration of the device.
The Configuration Validation screen shows details of the configuration differences. When the system
identifies a reconcilable difference, the Reconcile option becomes available, and the extra reconcilable
configuration is listed in a text editor on the screen.
Reconcile Configlets
You use a type of configlet called a reconcile configlet to reconcile device configuration differences at the
device level. A reconcile configlet is a configlet for a single specific device, and is explicitly marked as
the reconcile configlet for that device. The reconcile configlet for a device contains the additional running
configuration for that device.
Note: There is only one reconcile configlet for any device. It is the only configlet that contains the
additional running configuration for the device.
Every time a device-level or a container-level reconcile is performed, the reconcile configlet for each device
included in the reconcile action is modified to include the extra running configuration.
To reconcile device level configuration, perform the following steps:
1. If required, select additional lines from running configuration to reconcile.

236
 Network Provisioning (CVP)

2. Click the blue Reconcile button to add the reconcilable configuration in the running configuration to the
reconcile configlet of the designed configuration.
Figure 233: Configuration validation screen showing device-level configuration differences

3. (Optional) Click Edit next to the configlet name to edit or rename the reconciled configlet.
4. (Optional) Click the reconcile disk icon next to the configlet name to save the reconciled configlet with the
extra commands present in the running configuration.
Figure 234: Reconcile Disk icon

Note: CVP will not execute pushing a configuration that causes CVP to lose connectivity with the
device if the management interface or IP is missing in the configuration. When the task is executed,
it will fail.
5. Click Save.

10.10 Managing EOS Images Applied to Devices

CloudVision enables you to efficiently manage the EOS images of devices by assigning image bundles to
containers or devices in the current CloudVision network topology. An image bundle assigned to containers
are automatically applied to all devices under that container.
The image bundle you want to apply must already exist in the set of current EOS image bundles.
The following tasks are involved in managing the EOS image bundles assigned to devices:
• Applying an Image Bundle to a Container
• Viewing the Image Bundle Assigned to Devices
•
• Applying an Image Bundle to a Device
• Setting up an Image Bundle as the default for ZTP

237
10.10.1 Applying an Image Bundle to a Container
An image bundle can be added to, or removed from a container.
1. Select the container and choose Manage > Image Bundle. This will load image bundle inventory in
topology.
Figure 235: Image bundle inventory

2. Select the bundle to be assigned to the container.

3. Click Update to provision the bundle add for the container. This action will cause a task to be created for
each device in the container to upgrade it to the specified image bundle.

10.10.2 Viewing the Image Bundle Assigned to Devices

CloudVision Portal (CVP) enables you to use the Network Provisioning screen to view the image bundle
currently assigned to a device. You can also see if the image bundle is inherited from a Container or assigned
directly to the device.
Complete the following steps to view the image bundle applied to a device.
1. Go to the Network Provisioning screen.
2. Make sure you are using the topology view, not the list view.
3. Click on the device in the topology.
4. Click the image icon in the left pane.
The image bundle assigned to the device is shown in a pop-up box.
• If the image bundle is inherited from a Container to which the device belongs, the Container icon
appears in front of the image bundle name.

238
 Network Provisioning (CVP)

• If the image bundle is assigned directly to the device, there is no Container icon in front of the image
bundle name.
Figure 236: Viewing the Image Bundle assigned to a device

10.10.3 Applying an Image Bundle to a Device

1. Right-click the device, then choose Manage > Image Bundle. This will open the window display the
inventory of Image bundles.
Note: Only one image bundle can be selected and assigned to a device at a time.

2. Select the bundle to be assigned to the device.

3. Click Update to provision the bundle add for the device.
This action will cause a task to be created for that device to upgrade it to the specified image bundle.

10.10.4 Setting up an Image Bundle as the default for ZTP

Since all devices must run this image, you must apply the image at the tenant level.

1. Go to the Network Provisioning screen.

2. Right-click the Tenant container and choose Manage > Image Bundle.
3. Select the bundle you created and click Update.
4. Click Preview to verify the changes before saving the changes.
5. Click Save to apply the changes.

10.11 Rolling Back Images and Configurations

CloudVision Network Rollbacks feature enables you to restore a previous EOS image and configuration to
containers and devices. You can apply the rollback to all the devices in a container, or to single devices.
When you rollback a container or device, you select the date and time for the rollback and whether you want
to rollback the EOS image or configuration (or both).
CloudVision supports rollback to any previous point in time irrespective of captured snapshots. However,
rollback is possible to a point that is far beyond the CloudVision Cluster update to 2018.2.0 only when your
devices are upgraded to TerminAttr 1.4+ long before that.

239
 Note: To help you select the desired rollback destination day and time, you can compare the image
and running configuration differences between current and rollback times of all effected devices. The
potential destination rollback date and time in the comparison is based on the destination rollback date
and time you select.

10.11.1 Rolling Back Container Images and Configurations

Complete the following steps to apply a network rollback in containers:

1. Go to the Network Provisioning screen.

2. Right-click on the container you want to rollback, and then choose Manage > Network Rollback.
Figure 237: Network Rollback Screen

3. Using the Rollback Type: options near the top of the screen, select the type of rollback. The options are:
• Configuration & Image Rollback (both the configuration and EOS image are rolled back)
• Configuration Rollback (only the configuration is rolled back)
• Image Rollback (only the EOS image is rolled back)
4. Either drag the vertical slider on the timeline to the desired date and select the time for rollback; or use
the Rollback to menu for selecting rollback date and time (directly above the configuration pane on the left
side).
5. Click the telemetry icon (directly above the configuration pane on the right side) for viewing the running
configuration differences between current and rollback times.
6. If required, change the destination date and time for the rollback.
7. Click Create CC to create a Change Control (CC) record for the network rollback. CloudVision
automatically creates a rollback task for each device in the rollback; and makes them part of CC.
Note: Rollback Change Controls are automatically assigned a unique name. You can rename the
Change Control record by editing the Change Control record. Once the Change Control is created,
it can be executed like any other Change Control.

10.11.2 Rolling Back Device Images and Configurations

Complete the following steps to apply a rollback in devices:
1. Go to the Network Provisioning screen.

240
 Network Provisioning (CVP)

2. Right-click on the device you want to rollback, and then choose Manage > Rollback.
Figure 238: Device Rollback Screen

3. Using the Rollback Type: options near the top of the screen, select the type of rollback. The options are:
• Configuration & Image Rollback (both the configuration and EOS image are rolled back)
• Configuration Rollback (only the configuration is rolled back)
• Image Rollback (only the EOS image is rolled back)
4. Either drag the vertical slider on the timeline to the desired date and select the time for rollback; or use the
Rollback to menu for selecting rollback date and time (directly above the configuration pane on the left
side).
5. Click the telemetry icon (directly above the configuration pane on the right side) for viewing the running
configuration differences between current and rollback times.
Figure 239: Differences in Running Configuration

The Unified tab displays running configuration differences in a single window with differences highlighted.
The Split tab displays running configurations in different windows with differences highlighted.
6. If required, change the destination date and time for the rollback.

241
 7. Click Save to create a task for the device rollback.

10.11.3 Rolling Back Configurations Assigned to a Device

CloudVision's Network Rollbacks feature enables you to restore a previous configuration to devices. You
can apply the rollback to all the devices in a container, or to single devices. When you rollback a container
or device, you select the date and time for the rollback and whether you want to rollback the configuration or
EOS image (or both).
See Rolling Back Images and Configurations for details.

10.12 Device Labels

A label is simply defined as Text Tags. There are two types of label:
• System labels: Assigned automatically by the system.
• Custom labels: Defined and assigned by the user.
• Users can assign custom labels to devices from the Network Provisioning screen.
• A device can be tagged with one or more custom labels.
• Labels can be used to filter the devices in the Network Provisioning screen.

10.12.1 System Labels

System labels are defined by the system and are automatically applied to and removed from devices based
on the following characteristics of that device:
• Software version
• Software bundle
• Product model and family
• Assigned configlet name
• DANZ enabled
• MLAG enabled
• Parent container name
Note: System labels cannot be modified or removed by the user.

10.12.2 Custom Device Labels

You can create custom device labels and assign them to devices. The device labels you assign to a device
show on the Network Provisioning screen next to the device.

10.12.2.1 Assigning an Existing Label to a Device

Complete these steps to assign an existing label to a device.
1. Select the device to be labeled.

242
 Network Provisioning (CVP)

2. Right-click the device and choose Labels.

Figure 240: Choose Labels

The Assign Label pop-up menu appears, showing the available device labels.
3. Select the label to be applied and click Save.
Figure 241: Assign Label

The selected label will be applied to the device.

10.12.2.2 Creating a Custom Label for a Device

Complete these steps to create a new, custom label to a device.
1. Select the device for which you want to create a new, custom label.

243
 2. Right-click the device and choose Labels.
Figure 242: Choose Labels

The Assign Label pop-up menu appears, showing the available device labels.
3. In the pop-up menu, click on CREATE LABEL.
Figure 243: Create label Pop-up

The Create Label dialog appears.

244
 Network Provisioning (CVP)

4. Type the new, custom label for the device, then click Save.
Figure 244: Create Label

The new label is created and is assigned to the device.

10.12.3 Left Pane Behavior in Network Provisioning View

The left pane in the topology view is used to display information on the resources assigned to a given device
or container.
Figure 245: Left pane view

Opening and Closing the Left Pane

1. Double click the container or device to open the left pane.
2. Click the X button to close it.

10.13 Viewing Containers and Devices

The Network Provisioning screen provides you with various options that enable you to easily control the
topology view so that you can view containers and devices based on your needs.
The options you use are:
• Expand / Collapse (see Expanding and Collapsing Containers).

245
 • Show From Here (see Show From Here).
• Show Full Topology (see Show Full Topology).
CloudVision Portal uses color coded icons to indicate compliance or access issues with devices.

10.13.1 Expanding and Collapsing Containers

Containers can be expanded and collapsed within the Network Provisioning topology view so that you can
change the view as needed based on your needs.
You use the Show From Here and Show Full Topology options to expand or collapse containers shown in
the Network Provisioning screen.
The Expand and Collapse option is only available for the Network Provisioning view. It is not available for
the List view.
The default view mode for containers is expanded. When you choose Expand/Collapse option for a
container, one of the following occurs, depending on the current view mode:
• A container currently in expanded (normal) view is collapsed.
• A container currently in collapsed mode is returned to expanded view mode (the default).
Complete these steps to expand or collapse a container view from the Network Provisioning screen.
Figure 246: Expanded and collapsed view of a container

1. Select a container.
2. Right-click it and select the Expand/Collapse option.

10.13.2 Show From Here

The Show From Here option displays the topology with the selected container as the root. The hierarchy
above the selected container will be hidden from the view allowing the user to only focus on the chosen
container and the tree below it.
1. Select a container.
2. Right click Show From Here to display the option. The hierarchy from the selected container will be
displayed.

10.13.3 Show Full Topology

The Show Full Topology option allows the user to get back to the full topology view. This option will be
enabled for a particular container once the user uses the show from here option on it.
1. Select a container.
2. Right-click Show Full Topology to view the option.

246
 Network Provisioning (CVP)

10.14 Network Search

In the Network Provisioning module, the user can use the search bar at the top of the module to find a given
device or container.

10.14.1 Search Behavior in Topology and List View

This search is very different from rest of other search options available in topology. On user starts to type, the
list of possible matches will be displayed below as an auto suggestion.

10.14.2 Topology Search

Figure 247: Using search

10.14.3 List View Search

The search behaves similar to the topology search.
For a single device search, the selected device will be listed in the grid.
Figure 248: List view search

247
10.14.4 Search in Other Grids
During a grid search, the user will not be provided with an auto suggest option. Only the records matching the
specified data entered will be filtered and displayed in the grid.
Figure 249: Grid searches

10.14.5 Label Search

Use the search bar from the Network Provisioning screen to filter the devices based on labels.
This is a contextual search.
To search a label:
1. Use the keyword Label: followed by the label name.

10.14.5.1 AND Operation

Lists all the devices which has both the labels present on it in the hierarchy.
Label: <Label Name> AND Label: <Label Name>
Figure 250: Search AND operation

10.14.5.2 OR Operation
Lists all the devices which has either one of the labels present on it in the hierarchy.

248
 Network Provisioning (CVP)

Label: <Label Name> OR Label: <Label Name>

Figure 251: Search OR operation

10.14.5.3 NOT Operation

Lists all the devices which has first label one the labels present on it in the hierarchy.
Label: Label Name AND NOT Label: Label Name
Figure 252: Search AND NOT operation

10.14.6 Preview Option

All the actions performed in Network Provisioning module can be previewed before saving the changes.
To access the preview screen:
1. Select the “Preview” button.
Figure 253: Preview option display

249
10.15 Management IP
The CloudVision Portal tracks the Management IP of each device to use in connecting to it. When this IP
address changes, the device becomes unreachable by the portal. You can manually change the IP address
used by the portal to communicate with a given device.

10.15.1 Changing A Device's Management IP

The management IP address of a device may change for one of the following reasons:
Reason 1:
When a device is provisioned using Zero Touch Provisioning, it may have been assigned a temporary
IP address via DHCP. The CloudVision Portal will use this IP address to provision the device. Once the
configuration is pushed and the device reboots, this IP address may change.
Reason 2:
1If you change the device IP address directly via the switch console, CloudVision cannot record the change,
and the device will become unreachable. Current management IP and proposed management IP can be
used to mitigate this potential issue.
Option 1:
Current Management IP: The IP address used by CloudVision to communicate with a device.
1. Set the proposed IP address before pushing the configlet. This way CloudVision will try to reach the device
with this IP address once configuration is pushed.
Option 2:
Proposed Management IP: The IP address that CloudVision uses after pushing the configlet.
1. In the Inventory Management screen and the topology, update the Management IP address. For any
unreachable device, set the IP address to bring it back to the network.

250
 Network Provisioning (CVP)

10.15.2 Setting Proposed Management IP

You can set the Proposed Management IP while adding configlets to the device using the Proposed
Management IP menu.
Figure 254: Location of menu for setting Proposed Management IP

If you do not set the Proposed Management IP, you cannot save the configuration as not setting Proposed
Management IP.
Figure 255: Setting the Proposed Management IP

1. Select the Proposed Management IP using the drop-down menu.

CloudVision lists the available Management IP, Loop back IP, VLAN IP, and Routed Ethernet IP.
2. Select the desired IP address.
3. Click Save.
A task is spawned to assign the new Proposed Management IP.

251
10.15.3 Changing Current Management IP
1. Go to the Network Provisioning screen.
2. Select a device from topology/list view.
3. Right-click the device and choose Manage > IP Address
Figure 256: Change Management IP

4. A pop up will appear allowing you to manually add a new IP address.

Figure 257: Change IP Address

252
 Network Provisioning (CVP)

5. Verify the reachability of new IP address.

Figure 258: Verify IP Address

253
254
 Chapter 11

Configlet Management (CVP)

Configlets are portion of configuration that CLOUDVISION user codes and maintains independently under
Configlet Management inventory. These Configlets can be later applied to devices or containers in the
topology.
Sections in this chapter include:
• Creating Configlets
• Configlet Information Page
• Editing Configlets
• Deleting Configlets
• Importing and Exporting Configlets

255
11.1 Creating Configlets
CloudVision Portal (CVP) enables you to create Configlets using two different methods. You can create
Configlets using the CVP Configlet Builder feature, or you can create them manually. You should use the
method that is best suited to your intended use of the Configlet.
Note: The Configlet Builder feature is designed to help you create Configlets dynamically based on
variables.
For more information, see:
• About the Configlet Builder Feature
• Creating Configlets Using the Configlet Builder
• Using the Provided Configlet Builder Examples
• Python Execution Environment
• Creating Configlets Manually

11.1.1 About the Configlet Builder Feature

The Configlet Builder feature enables you to programatically create device configurations (Configlets) for
devices that have relatively dynamic configuration requirements. This helps to prevent you from having to
manually code Configlets.
The Configlet Builder feature is essentially a set of user interface (UI) widgets and a python script, that when
used together, programatically generate Configlets for a device. The python script is embedded into a python
interpreter, which is the component that generates Configlets. The UI widgets are essential if you want to use
the feature to generate Configlets with user input.
Note: Using UI widgets associated with a Configlet Builder are optional. If the UI widgets are used,
the generated Configlets require user input to be created.
The Configlet Builder can be used to create Configlets for both devices or containers, in the same way that
static Configlets can be used with devices or containers. Configlets that are created using the Configlet
Builder are executed (including the generation of Configlets) at the point when the Configlet Builder is applied
to a device or container, or when a device is added to a container that contains a Configlet Builder.

256
 Configlet Management (CVP)

11.1.2 Creating Configlets Using the Configlet Builder

The Configlet Builder enables you to create Configlets (device configurations). The following Configlet Builder
example configures the management interface based on input from the use of UI widgets.
Complete the following steps to create Configlets using the Configlet Builder:
1. Create a Configlet Builder from the Configlet page.
Figure 259: Creating a Configlet Builder

2. (Optional) Define the UI widgets to be associated with the Configlet Builder.

Figure 260: Configlet UI Widgets

The widget types are:

• Text Box – Use for single line text entries (for example, descriptions, host name).
• Text Area – Use for multiple lines of text (for example, MOTD, or login banner).
• Drop Down – Use to select a value from a menu as defined in the Value Field.
• Tick Box – Use to select a value from a tick list as defined in the Value Field.
• Radio Button – Use to select one option from a set of options as defined in Value Field.
• IP Address – Use to specify an IP address (this is a Dotted Decimal Address field).

257
 • Password – Use to specify a single line of text (characters are hidden as they are entered).
3. Write a Python script that reads the inputs you entered in the previous step and then generates the
Configlet.
Note: The figures listed in this table show examples of the steps involved in writing a script,
including an example of use of standard Python syntax to build components of the Configlet.

Figure Example of Description

Example (Showing Import of
CVP-Specific Internal Libraries)
Example (Showing Specification
of Field IDs Defined in the Form
Builder)
Example (Showing Use Of
Standard Python Script Syntax)
Example (Showing Print Output)
Importing CVP-specific
internal libraries into the
script
Specification of field IDs
defined in the Form Builder
Use of standard Python
syntax
Print output (Configlet
content)
The CVP-specific internal libraries
are used by the script to access form
fields and CVP variables.
You must specify the IDs of fields you
defined in the Form Builder in Step 2.
The fields you specify are included in
the Configlet content generated by the
script.
The Configlet Builder supports the
use of standard Python syntax to
build parts of the Configlet. You can
also make calls to external files and
database.
The script automatically produces
print output from the CVP internal
libraries you imported and the fields
you have defined in the script. The
print output is the content of the
Configlet.

258
 Configlet Management (CVP)

Figure 261: Example (Showing Import of CVP-Specific Internal Libraries)

Figure 262: Example (Showing Specification of Field IDs Defined in the Form Builder)

Figure 263: Example (Showing Use Of Standard Python Script Syntax)

Figure 264: Example (Showing Print Output)

259
 Note: Complete steps 4 and 5 to test the script to make sure it can generate Configlet content.

4. Fill in the Form Design fields.

Figure 265: Filling in the Design Fields

5. Click Generate.
The Configlet content is generated and shows in the Built Configlet pane.

260
 Configlet Management (CVP)

Note: If it is necessary to select a device to generate the Configlet, then select a device from the
list of devices under Form Design.
Figure 266: Selecting a Device from the List of Devices Under Form Design

Figure 267: Example (Generating Configlet Content)

6. Validate the generated Configlet on the device by clicking the Tick icon at the upper-right of the page.
The Validate Device dialog appears.

261
 7. In the Validate Device pop-up dialog, click Validate.
Figure 268: Example Script (Validating Device)

If the device cannot be validated, the error (or errors) are listed in the Validate Device dialog.
8. (If needed) Correct any errors and repeat step 7 to validate the device.
The Validate Device dialog shows a message to indicate a successful validation.
Figure 269: Example Script (Re-Validating Device after Correction)

9. To apply the new Configlet to the container, do the following:

a. Go the Network Provisioning page.

262
 Configlet Management (CVP)

b. Right-click the container and choose Manage > Configlet.

Figure 270: Select the Container to Apply the New Configlet

The list of available Configlets appears on the Configlet page.

10. Select the Configlet to apply to the device by clicking the checkbox next to the name of the Configlet.
Figure 271: Select Configlet on Configlet Page

11. To add devices to the container, do the following:

a. Go the Network Provisioning page.

263
 b. Right-click the container and choose Device > Add.
Figure 272: Adding Devices to the Container

12. Do one of the following:

• Click Yes to apply the Configlet you selected to all of the devices in the hierarchy.
• Click No if you do not want to apply the Configlet you selected to all of the devices in the hierarchy.
Figure 273: Message Indicating Selection of Hierarchical Container

The Configlet page appears showing the Configlet you selected to apply to the container.
13. To assign the Configlet Builder to the container you selected, select (click) the Configlet Builder.
Figure 274: Selecting the Configlet to Assign to the Container

264
 Configlet Management (CVP)

The page loads a form.

Figure 275: Form Loaded on Page after you Select the Configlet Builder

14. Complete (fill in) the form and then click Generate.
The Configlet Builder creates the new, device-specific Configlet, and the Configlet is shown in the Built
Configlet pane.
Figure 276: Configlet Page Showing New, Device-Specific Configlet

265
11.1.3 Using the Provided Configlet Builder Examples
CloudVision Portal (CVP) provides some Configlet Builder examples to help you get started using this feature.
You can load the examples to your CVP instance using the following commands:
• Log into the primary node's Linux shell as root user.
• Change directory to /cvpi/tools and import the example Configlets using the cvptool.

./cvptool.py --host <host> --user <user> --password <pass> --objects

Configlets --action restore --tarFile examples.tar.

The provided examples include:

• Example 1: Form-based management interface Configlet Builder
• Example 2: eAPI-based management interface Configlet Builder
• Example 3: SSH-based management interface Configlet Builder
• Example 4: MySQL-based management interface Configlet Builder
• Example 5: Device library based management interface Configlet Builder

11.1.3.1 Example 1: Form-based management interface Configlet Builder

This example uses the form to input the management interface configuration, and generates a new Configlet
to preserve the configuration.
Figure 277: Example 1

11.1.3.2 Example 2: eAPI-based management interface Configlet Builder

This example uses eAPI to read the management interface configuration that the device received from the
DHCP server during the ZTP boot, and generates a new Configlet to preserve the configuration.

266
 Configlet Management (CVP)

Note: No UI widgets are associated with the Configlet Builder in this example.

Figure 278: Example 2

11.1.3.3 Example 3: SSH-based management interface Configlet Builder

This example uses SSH to read the management interface configuration that the device received from the
DHCP server during the ZTP boot, and generates a new Configlet to preserve the configuration.
Figure 279: Example 3

11.1.3.4 Example 4: MySQL-based management interface Configlet Builder

In this example, the Configlet Builder uses the device’s MAC address to lookup up its Management IP
address, netmask, default route, and host name, which are stored on external MySQL server, and generates
a new Configlet to preserve the configuration.

267
 Note: No UI widgets are associated with the Configlet Builder in this example.

Figure 280: Example 4

11.1.3.5 Example 5: Device library based management interface Configlet Builder

This example uses Device library to read the management interface configuration that the device received
from the DHCP server during the ZTP boot, and generates a new Configlet to preserve the configuration.
Figure 281: Example 5

11.1.4 Python Execution Environment

The CloudVision Portal (CVP) python execution is supported by several CVP-specific libraries. These libraries
provide access to the various CVP services and device state.

11.1.4.1 CVP Form

This library provides access to the user interface (UI) widgets that can be associated with a Configlet Builder
(see the provided examples for usage details).

268
 Configlet Management (CVP)

The supported methods are:

from cvplibrary import Form

obj = Form.getFieldById( ‘id' );
print obj.getValue()

obj.getFieldById( ‘id' ); - Used to get the UI widget by id

obj.getValue() - To get the value
obj.getFieldID() - To get the unique id
obj.isMandatory() - Gets whether the field is mandatory or not
obj.getHelpText() - To get the help text
obj.getDependsOn() - To get the depends on
obj.getType() - To get the type (TextBox, Dropdown,etc)
obj.getDataValidation() - To get the Data validation

11.1.4.2 CVP Global Variables and Supported Methods

This library give access to the current execution context for Configlet Builders (see the provided examples for
usage details).
The supplied global variables are:

from cvplibrary import CVPGlobalVariables, GlobalVariableNames

CVPGlobalVariables.getValue(GlobalVariableNames.CVP_USERNAME)

Supported GlobalVariableNames:
CVP_USERNAME - Username of the current user
CVP_PASSWORD - Password of the current user
CVP_IP - IP address of the current device
CVP_MAC - MAC of the current device
CVP_SERIAL - Serial number of the current device
CVP_SESSION_ID - Session id of current cvp user
ZTP_STATE - ZTP state of the device (true/false)
ZTP_USERNAME - Default username to login to ztp enabled device
ZTP_PASSWORD - Password to login to ztp enabled device
CVP_ALL_LABELS - Labels associated to current device
CVP_CUSTOM_LABELS - Custom labels associated to current device
CVP_SYSTEM_LABELS - System/Auto generated labels associated to current
device

11.1.4.3 CVP Rest Client

This library allows a Configlet Builder to access any CVP API endpoint. The following is an example:

from cvplibrary import RestClient

url='http://localhost/cvpservice/inventory/devices';
method= 'GET';
client= RestClient(url,method);
if client.connect():
print client.getResponse()

If no certificates are installed on the server, then add the following lines to ignore ssl warnings:

import ssl
ssl._create_default_https_context = ssl._create_unverified_contex

269
11.1.5 Creating Configlets Manually
CloudVision Portal (CVP) enables you to create Configlet manually. This method should be used to create
Configlets that are relatively static.
Note: If you need to create Configlets that require less user input, you may want to use the Configlet
Builder feature.
Complete these steps to manually create Configlets:
1. Select the “+” icon in the grid.
2. The Create Configlet page appears.
Figure 282: Create Configlet Page

3. Click Save to save the Configlet.

4. This will list the Configlet in the Configlet Management grid.

11.1.5.1 Validating a Configlet During Creation

CloudVision provides a facility to enter the Configlet code and validate it before saving the codes.
1. Enter the Configlet codes in the field provided.
2. On the right pane, there is a drop-down menu listing all the switches in CLOUDVISION.
3. Search for the device to be validated.
Figure 283: Validate-Search Device

4. Select the switch to validate.

Figure 284: Select Device

270
 Configlet Management (CVP)

5. Select Validate.
On successful validation, the message Successfully Validated is displayed.
Figure 285: Validate-Success

When an error occurs, the message error will be displayed.

Figure 286: Validation Error

Related topics:
• Configlet Information Page
• Editing Configlets
• Deleting Configlets
• Importing and Exporting Configlets

11.2 Configlet Information Page

1. Select the name of the Configlet from the grid to access the Configlet information page.
Figure 287: Configlet Information Page

11.2.1 Tabs in Configlet Information Page

The Configlet Information page consists of:

271
 • Summary Tab
• Logs Tab
• Change History Tab
• Applied Containers Tab
• Applied Devices Tab

11.2.1.1 Summary Tab

The Configlet “Summary” tab provides information about the Configlet. This tab is used to show static
Configlets, and Configlet Builder Configlets.
Figure 288: Summary Tab Page for Static Configlets

Figure 289: Configlet Summary Tab Page for Configlet Builder

272
 Configlet Management (CVP)

11.2.1.2 Logs Tab

The “Logs” tab provides complete information on the Configlet assignment to devices and execution details.
Figure 290: Configlet Logs Page

11.2.1.3 Change History Tab

Any change in the Configlets will be recorded in the History tab.
1. Select the View option.
A popup window is opened comparing the last version of the Configlet with the edited version (Figure 291:
Configlet History Page).
Figure 291: Configlet History Page

273
11.2.1.4 Applied Containers Tab
This tab gives the details on the containers to which the Configlet is assigned. This also shows the name of
the user who made the assignment (Figure 292: Applied Container Page).
Figure 292: Applied Container Page

11.2.1.5 Applied Devices Tab

The Applied Devices tab displays the details on the devices to which the Configlet is associated in addition
to other information such as Parent container, Applied by, and Applied date.
Figure 293: Applied Devices Page

When a Configlet is removed from any device through the Network Provisioning module, the device will be
removed from the list.
Related topics:
• Editing Configlets
• Deleting Configlets
• Importing and Exporting Configlets
• Creating Configlets

274
 Configlet Management (CVP)

11.3 Editing Configlets

You edit Configlets through the Configlet “Summary” page. When you save the edited Configlet, it will update
the all the associated tasks and devices in CLOUDVISION.
• Configuration assign tasks which are waiting to be executed in task management that are using the edited
Configlet are considered as associated tasks.
• Saving the edited Configlet affects all the associated tasks as follows:

Pending tasks: Tasks in pending state are auto updated. The

spawned configuration points to the updated
Configlet.
Failed tasks: Tasks in a failed state are auto canceled. A new
configuration push task is spawned.
Save As: The edited Configlet can be saved as a new
Configlet. Give the new Configlet a unique name.

1. Select the Edit (pen) icon in the page.

Figure 294: Configlet Summary Page

2. Validate the Configlet with the Validation pane.

Figure 295: Edit Configlet Summary

3. Do one of the following:

• Click Save to save the edited configlet.

275
 • Click Save As to save the edited configlet as a new Configlet (the name Configlet).
Related topics:
• Deleting Configlets
• Importing and Exporting Configlets
• Creating Configlets
• Configlet Information Page

11.4 Tips for Applying Profiles to the Interfaces

When interface profiles are added to configlets, the user should ensure the interface profiles are first applied
to all the interfaces, and only after that the interface profile is completed.
Apply empty profiles to the interface first and then fill out the profile. The commands should look similar to the
following:

```
interface et1-49
profile test
!
interface profile test
command description test
```

Note: If the profile is created first and then applied to the interfaces, the config validation and commit
can take several minutes as opposed to just a few seconds if the profile is first applied and then
created.

11.5 Deleting Configlets

Only unused Configlets can be deleted. If a Configlet is assigned to a device or a container, it cannot be
deleted from the inventory. To delete a specific Configlet, its association should be removed from the devices
and container.
1. Select a Configlet in the grid. A “trash can” icon will appear.
2. Click the Trash icon to delete the Configlet.
Related topics:
• Importing and Exporting Configlets
• Creating Configlets
• Configlet Information Page
• Editing Configlets

11.6 Importing and Exporting Configlets

You can import and export Configlets using the CloudVision graphical user interface (GUI). This enables you
to easily share Configlets with others and back up specific Configlets.
For Configlets shared with you by another system user, you import Configlets from your desktop. When you
share Configlets with another system user, you export Configlets to your desktop. You use the Configlets
page to import and export Configlets or Configlet Builders.
Note: Both Configlets and Configlet Builders can be imported and exported using the GUI.

276
 Configlet Management (CVP)

For more information, see:

• Protection from Overwriting Configlets or Configlet Builders
• Importing Configlets or Configlet Builders
• Exporting Configlets or Configlet Builders

11.6.1 Protection from Overwriting Configlets or Configlet Builders

CloudVision provides protection from accidentally overwriting exiting Configlets or Configlet Builders when
importing a Configlet or Configlet Builder.
If you import a file that contains one or more Configlets or Configlet Builders that are named the same as
Configlets or Configlet Builders already in CVP, the system automatically adds a suffix to the names of the
items you are importing. The suffix that is added is in the format of “<number>”.

11.6.2 Importing Configlets or Configlet Builders

You import Configlets or Configlet Builders into CVP when another system user has shared a Configlet or
Configlet Builder with you. Once you import Configlets or Configlet Builders, the imported items are available
for use in CVP. You import Configlets or Configlet Builders from your desktop using the Configlets page.
Complete the following steps to import Configlets or Configlet Builders.
1. Open the Configlets page.
2. Click the Import icon, located in the upper right of the page.
Figure 296: Configlets Page Showing Import Icon

A dialog appears that you use to select the file that contains the Configlets or Configlet Builders you want
to import.
Figure 297: Selecting Configlets or Configlet Builders to be Imported

277
 3. Select the file that contains the items you want to import.
4. Click Open.
The Configlets or Configlet Builders in the file you selected are imported into CVP.

11.6.3 Exporting Configlets or Configlet Builders

You export Configlets or Configlet Builders when you want to share them with another system user. Once you
export Configlets or Configlet Builders, the exported items are available to be sent to and then imported by
the other system user. You export Configlets or Configlet Builders to your desktop using the Configlets page.
Complete the following steps to export Configlets or Configlet Builders.
1. Open the Configlets page.
2. Select the checkbox of each Configlet and Configlet Builder you want to export.
Figure 298: Configlets Page Showing Items Selected to be Exported

3. Click the Export icon (located in the upper right of the page).
A single file (.zip archive) that contains all of the items you selected is automatically downloaded to your
desktop.
4. (Optional) You can rename the downloaded file and make a copy of it before sharing it.
5. Share the file with one or more system users.
Note: The items you share can be imported only on systems that support the import of Configlets
and Configlet Builders (the Import icon on the Configlets page indicates support for this feature).
Related topics:
• Creating Configlets
• Configlet Information Page
• Editing Configlets
• Deleting Configlets

278
 Chapter 12

Image Management (CVP)

The Extensible Operating System (EOS) used by the switches are uploaded into CloudVision, and details
about them are maintained in the Image Management Inventory.
The main purpose of the Image Management module is to enable you to manage the EOS operating system
images across the devices in your current CloudVision environment. It provides you with the functionality
required to:
• Validate images
• Upload EOS images to CloudVision
• Maintain the inventory of available EOS images
• Assign images to devices in your CloudVision environment
Sections in this chapter include:
• Image Management Page
• Validating Images
• Upgrading Extensible Operating System (EOS) Images
• Creating Image Bundles
• The Bundle Information Page

12.1 Image Management Page

The Image Management page shows the current operating system images that are available for upload to
CloudVision. Once uploaded, they can be assigned to devices.
You can navigate to the Image Management page through Provisioning > Image Management.
Figure 299: Image Management page

Related topics:
• Validating Images
• Upgrading Extensible Operating System (EOS) Images
• Creating Image Bundles
• The Bundle Information Page

279
12.2 Validating Images
CloudVision Portal (CVP) provides automatic EOS image validation. This automated validation process helps
to ensure that all devices in your CVP environment have EOS images that are supported by CVP.
The automatic validation of EOS images takes place whenever you:
• Upload images to CVP or add images to images bundles.
• Add devices to your CVP environment.
The automatic image validation ensures that images that are available to be included in image bundles and
assigned to devices are supported by CVP.
Note: EOS images that are not supported cannot be added to an image bundle, or assigned to
devices.

12.2.1 Alerts Indicating Unsupported EOS Image Versions

If you attempt to include an unsupported version of an EOS image when creating an image bundle, CVP
alerts you with an error to let you know that the upload cannot be done, because the version of the EOS
image you are trying to upload is not supported.
Figure 300: Alerts

If you attempt to add a device to CVP that has an unsupported EOS image, the Status column of the
Inventory page indicates that an upgrade is required.
The Network Provisioning page also indicate that the device is running an unsupported image (this alert
shows only when placing your cursor over the device icon).
Related topics:
• Upgrading Extensible Operating System (EOS) Images
• Creating Image Bundles
• The Bundle Information Page
• Image Management Page

280
 Image Management (CVP)

12.3 Upgrading Extensible Operating System (EOS) Images

CloudVision Portal (CVP) provides the functionality to upgrade the EOS image on a device. Typically, you
upgrade the image on a device to change the version of the image from an unsupported image version to a
supported image version.
You upgrade device images by associating an EOS image with a device or a container (the association is
referred to as an image association). Image associations follow the same container inheritance rules as
configlet associations. This means that the image you select to be associated is automatically inherited
(assigned) to all devices under the level in the hierarchy at which you associate the image.
Note: When performing an image push, CloudVision checks if the target EOS image is already
present on flash. If the .swi file is available, CloudVision uses the same file instead of downloading a
new image from the network. This reduces network costs and time incurred during image upgrades.
For more information, see:
• Example of Image Association
• Tip for Handling Multiple Image Association Tasks

12.3.1 Example of Image Association

This example shows the behavior of image associations in a multi-level network hierarchy. The hierarchy
in this example contains a tenant container named Demo-Lab. The Demo-Lab container has five child
containers named CVX, Host-TOR1, Leaf, Spine, and TOR2.
Figure 301: Same Task Scheduled for Every Device in CVX Container

Based on the rules for image association inheritance, the Demo-Lab container could have selected the
4.18.8M device EOS image.
Figure 302: Example of image Association (Example 1)

281
 The CVX container could override that image selection (4.18.8M image) for its devices by selecting the
4.20.7M image. As a result, all of the devices under CVX are assigned the 4.20.7M image, and the devices
under Host-TOR1, Leaf, Spine and TOR2 inherit the 4.18.8M image from the Demo-Lab container.
Figure 303: Example of Image Association (Example 2)

If an image association is changed at any level, and the change is saved in the Network Provisioning page,
the following occurs:
• The change impacts all devices under that level.
• A task is automatically created to upgrade the impacted devices.
For example, if the image selection was removed at the CVX level, the following would occur:
• All of the devices under the CVX level would inherit the Demo-Lab image.
• A task would be scheduled for every device in CVX to use the Demo-Lab image.
Related topics:
• Tip for Handling Multiple Image Association Tasks
• Creating Image Bundles
• The Bundle Information Page
• Image Management Page
• Validating Images

12.3.2 Tip for Handling Multiple Image Association Tasks

When several image association tasks are scheduled to be completed, use the following steps to execute the
tasks. These steps help you to execute the tasks more efficiently.
1. Search for Pending in the Tasks page to find the tasks to be executed (status is “Pending”).
2. Select them all by clicking the checkbox next to the Task ID heading.

282
 Image Management (CVP)

If the search results returns multiple pages of tasks, then click the checkbox at the top of each page to
select the tasks so they can be executed.
Figure 304: Selecting Multiple Tasks to be Executed

3. Click the Play icon to execute the selected tasks all at once.
Related topics:
• Creating Image Bundles
• The Bundle Information Page
• Image Management Page
• Validating Images
• Example of Image Association

283
12.4 Creating Image Bundles
Creating image bundles is a key image management task. You create image bundles so that you have
supported image versions available to be assigned to devices in your CVP environment.
Note: An image bundle must have one .swi file. Extensions are optional (not required for image
bundles), but you can add one or more extensions to an image bundle.
Pre-requisite: To ensure that you include valid (supported) EOS images in the bundles you create, make
sure you validate the images you want to include in the bundle (see Validating Images).
Complete the following steps to create an image bundle:
1. Go to the Image Management page.
2. Click the “+” icon in the grid.
This loads the Create Image Bundle page.
Figure 305: Create Image Bundle page

For more information, see:

• Creating a Bundle by Tagging Existing Image Bundles
• Creating a Bundle by Uploading a New Image
• Adding EOS Extensions to Image Bundles

12.4.1 Creating a Bundle by Tagging Existing Image Bundles

CloudVision Portal (CVP) enables you to create a new image bundle by tagging existing image bundles. This
prevents you from having to import the same image again to create another bundle.
1. Go to the Image Management page.
2. Click the “+” icon and then the Disk icon.

284
 Image Management (CVP)

1. This opens the Images dialog, which lists all of the available images.
Figure 306: Images dialog

3. Search for the desired image.

4. Select the image and click Add to add the image to the bundle.
The image will be displayed in the grid of the Create Image Bundle page.
Figure 307: Added image shown in Create Image Bundle page

5. Click Save to create the new image bundle.

Related topics:
• Creating a Bundle by Uploading a New Image
• Adding EOS Extensions to Image Bundles

12.4.2 Creating a Bundle by Uploading a New Image

CloudVision Portal (CVP) enables you to create new image bundles by uploading new images to CVP.
1. Go to the Create Image Bundle page.
2. Click the upload from local icon available next to disk icon.

285
 This opens a dialog to search and upload .swi files from system.
3. Navigate to the desired .swi file and upload it to CVP.
The upload bar on the page shows the progress of the upload.
Figure 308: Uploading .swi files to CVP (upload in progress)

4. Click Save to create the new image bundle.

12.4.3 Adding EOS Extensions to Image Bundles

CloudVision Portal (CVP) enables you to add EOS extensions to image bundles along with .swi images.
Extensions are either .rpm files or .swix files. You upload .rpm or .swix files using the Images page.
Extensions are optional for image bundles
Note: All selected extensions automatically checked to be installed and running on the device. The
results are available for viewing under the Compliance Overview tab on Devices page.
Complete these steps to add EOS extensions to an image bundle:
1. Go to the Create Image Bundle page.
2. Click the upload from local icon.
This opens a dialog to search and upload EOS extensions (.rpm or .swix files) from the system
3. Navigate to the desired .rpm or .swix files and upload them.

286
 Image Management (CVP)

The upload bar on the page shows the progress of the upload. The extensions you uploaded are shown in
the Create Image Bundle page
Figure 309: Create Image Bundle showing uploaded extensions

4. Select Reboot Required check-boxes for all extensions that require a reboot.
5. Click Save. The extensions are added to the image bundle.
Once the image bundle is assigned to a device, a reboot task will be generated. The newly added
extensions are installed on the device when the reboot task is executed. Any extensions that were
previously installed but are not part of the current bundle are removed from the device.

12.5 The Bundle Information Page

The Image Management page provides high-level information about an image bundle (for example, the
number of containers to which an image bundle is associated, and the number of devices to which an image
bundle is assigned).
To view more detailed information about image bundles, use the Bundle Information page, which you can
open from the Image Management page.
Complete these steps to open the Bundle Information page.
1. Go to the Image Management page.
2. Click the name of image bundle for which you want to view information.
Figure 310: Opening the Bundle Information page

The Bundle Information page appears, showing information for the selected image bundle. Use the following
tabs to view specific information about the selected image bundle.

287
 • Summary Tab
• Logs Tab
• Applied Containers Tab
• Applied Devices Tab

12.5.1 Summary Tab

The Summary tab provides basic information about the Image Bundle. It also provides options to go back to
the Image Management page, to open the dialog used to update image bundles, and to delete corresponding
image bundle and its extensions.
Figure 311: Summary tab

For details on the steps used to edit image bundles and delete image bundles, see:
• Updating Bundles
• Deleting Bundles

12.5.2 Logs Tab

The Logs tab provides complete information on the image assignment to devices and execution details. It also
provides the option to go back to the Image Management page.
Figure 312: Logs tab

288
 Image Management (CVP)

12.5.3 Applied Containers Tab

The Applied Containers tab displays the details on the containers to which the bundle has been applied. It
also displays the name of the user that applied the bundle and the date it was applied.
Figure 313: Applied Container tab

12.5.4 Applied Devices Tab

The Applied Devices tab displays the details on the devices to which the bundle is assigned, along with
other information such as the parent container for the device, and the name of the user that applied the
bundle and the date it was applied.
Figure 314: Applied Devices tab

Related topics:
• Summary Tab
• Logs Tab
• Applied Containers Tab

12.5.5 Updating Bundles

Perform the following steps to update a bundle:
1. Go to the Image Management page.
2. Click the name of image bundle that you want to update.

289
 The system displays the Summary tab.
Figure 315: Summary page showing bundle selected for edit

3. Click on the image name to edit.

4. Edit the bundle as needed.
5. Click Save.
Related topics:
• Deleting Bundles

12.5.6 Deleting Bundles

Only unused bundles can be deleted. If a bundle is assigned to a device or a container, it cannot be deleted
from the inventory.
Perform the following steps to delete a bundle:
1. Go to the Image Management page.

290
 Image Management (CVP)

2. Click the name of image bundle that you want to delete.

Figure 316: Deleting Bundles

3. Click the trash icon to delete the selected bundle from the inventory.
The system prompts to confirm the deletion.
4. Click Yes to confirm deletion.
5. Click Save.
Note: The association can be removed only if a new bundle is assigned to device or container.

Note: When an image bundle is assigned to a container, no task will be spawned to the
subordinate devices.
Related topics:
• Updating Bundles

291
292
 Chapter 13

Partial Configuration Management

The partial configuration management feature specifies parts of configuration that should be managed by
CVP. Each line in the configuration is classified in the following three categories:
• Managed - These configuration lines must be managed only by CVP.
Note: Managed configuration lines are considered config compliant only when they synchronize
with the designed and running configuration. In other words, updating managed configuration lines
via non-CV sources will mark the device as non-compliant and cannot be reconciled by default.
Only the user can reconcile these lines.
• Unmanaged - These configuration lines can't be managed by CVP.
Note: Unmanaged configuration lines can be added to the running configuration via non-CVP
sources without marking the device as non-compliant. These lines are ignored by CV during
computation of configuration compliance and can never be reconciled.
• Unspecified - These configuration lines are by default managed and reconciled by CVP. They are not
marked as managed or unmanaged by CVP.

293
13.1 Filters for Categorizing Sections in the Configuration
You can filter commands by using regular expressions. Filter highlights required configuration lines
accordingly based on the following parameters:
• Filter Pattern
• Filter Type
Note: Level of a command represents the hierarchy of the configuration command.

13.1.1 Filter Pattern

A filter pattern is a list of section-aware configuration commands that can match the configuration on the
device. It may contain the following wild-cards:
• The wild-card * matches anything (non-negative number of characters) in their commands. Commands
are allowed to have multiple * in the same filter line as well.
• The wild-card $ is a special command that is used to match an entire block of commands under the
command matched till the previous level.
Note:
• CVP wild-cards are different from regular expression wild-cards. Filter pattern doesn’t support
regular expressions.
• A filter selects the whole block (all nested commands and sub-modes) from configuration which
matches the last command string in the filter spec at that particular level.

Relative Order of Blocks in Filter Pattern

Filter Pattern Matched Configuration

*ip *
ip routing
no ip routing

transceiver*
transceiver qsfp default-mode
$ 4x10G
load-balance policies
load-balance sand
profile Orange
no fields mac
no fields mpls
fields symmetric-hash

transceiver *
load-balance policies
load-balance policies load-balance sand
profile Orange
no fields mac
no fields mpls
fields symmetric-hash

The order of the patterns at the same level is irrelevant. Hence the following filters are equivalent.

294
 Partial Configuration Management

Note: $ should be the last character in a configuration block. That is, adding
commands after $ inside the block triggers an error.

Filter 1 Filter 2 Filter 3

transceiver* Interface Interface

load* Management1 Management1
ip * ipv6 *
Interface ipv6 * ip *
Management1
ip * transceiver* transceiver*
ipv6 * load* load*

295
13.1.2 Filter Type
A filter can be either managed or unmanaged.

13.1.2.1 Specific Filters

When multiple filters are applied for matching specified configuration lines, the filter with maximum levels
specified is chosen for comparison.
Note: CVP highlights the managed lines in yellow and unmanaged lines in grey. In the example
below, the bold text represents managed lines and the italic text represents unmanaged lines.

Filter 1 (Managed) Filter 2 (Unmanaged)

transceiver* transceiver*

$ load-balance*

Here, Filter 1 has only 1 level of command in the pattern whereas Filter 2 has 2 levels of
command.
Note: $ is a special character and is not counted as a command. In other words,
Filter 2 matches a more specific set of lines as shown below.
Configuration

transceiver qsfp default-mode 4x10G

load-balance policies
load-balance sand profile Orange
no fields mac

Matched configuration for Filter 1

transceiver qsfp default-mode 4x10G

load-balance policies
load-balance sand profile Orange
no fields mac

Matched configuration for Filter 2

load-balance policies
load-balance sand profile Orange
no fields mac

Thus, the combined result of the two filters would be:

transceiver qsfp default-mode 4x10G

load-balance policies
load-balance sand profile Orange
no fields mac

13.1.2.2 Conflicting Filters

When two filters of different types match the same line and neither of them is more specific, they are said to
be conflicting filters.

296
 Partial Configuration Management

Note: CVP highlights the managed lines in yellow and unmanaged lines in grey. In the example
below, the bold text represents managed lines and the italic text represents unmanaged lines.

Filter 1 (Managed) Filter 2 (Unmanaged) Configuration

transceiver* transceiver* transceiver qsfp

load* load-balance* default-mode 4x10G

load-balance
policies
load-balance
sand profile
Orange
no fields
mac

These filters have conflicting patterns load* and load-balance*. CVP displays an error when
conflicting filters are assigned to devices. If conflicting filters are assigned to a device, you must
correct all filters for applying them correctly to the device.

13.2 Enabling Partial Configuration Management

Perform the following steps if you do not find the Filter Management option under the Provisioning tab of
the CVP screen:
1. Click the gear icon at the upper right corner of the screen.
The browser displays the General Settings screen.
Figure 317: Enabling Partial Configuration Management

2. Under Features, enable Partial Configuration Management (Beta) using the toggle button.

297
13.3 Filter Management
The Filter Management screen lists all existing filters with all the fields associated with a filter. See the figure
below.
Figure 318: Filter Management Screen

It provides options to perform the following tasks:

• Creating a filter
• Updating a filter
• Deleting a filter
• Enabling or disabling a filter
• Customizing the partial configuration management
To open the Filter Management screen, navigate to Provisioning > Filter Management. This screen
provides brief information of current filters with the associated fields in a tabular format. See the following
figure.
You can perform the following actions on this screen:
• On the upper right corner of the screen, click + Create Filter to create a new filter. See Creating a New
Filter.
• Under the Pattern Preview column, hover the cursor on the exclamatory mark to view the number of lines
in the filter pattern.
• Under the Status column, green dots signify active filters and red dots signify inactive filters.
• Under the Actions column:
• Click the edit icon to edit the corresponding filter.
CVP opens the filter details screen for editing a filter. See Creating a New Filter.
• Click the delete icon to delete the corresponding filter.

298
 Partial Configuration Management

Click Confirm when CVP opens the Confirm dialog box prompting to confirm the deletion.
Figure 319: Delete Filter Confirmation Dialog Box

Note: Only inactive filters can be deleted.

• Click Export to CSV for downloading the table contents to your local drive.

13.4 Creating a New Filter

Perform the following tasks to create a new filter:
Note: If you are editing an existing filter, proceed to step 3.

1. Navigate to Provisioning > Filter Management.

CVP opens the Filter Management screen.
2. Click + Create Filter.
CVP opens the screen for creating a new filter.
Figure 320: Screen for Creating a New Filter

3. Provide the required filter details in corresponding fields:

• Filter Details pane - Provides the following options to add filter details:
• Name field - Type a unique filter name.
Note: The filter name must not be blank.

• Type dropdown menu - Select the filter type.

• Description field - Provide brief information about the filter.
• Apply to all devices checkbox - Select the checkbox to mark this filter as active else this filter is
considered inactive.

299
 Note:
•
If the Apply to all devices checkbox is selected, the current filter (filter being added/
edited) and all other active filters are validated against the running configuration of the
selected device. This verifies if there are any conflicting filters.
• If the Apply to all devices checkbox is not selected, only the current filter (filter being
added/edited) is validated against the running configuration of the selected device.
• Designed Pattern pane - Provide the tailored pattern for this filter.
Note: Applying the filter can change the managed configuration in designed configuration
which results in non-compliance until it is pushed to the running configuration.
• Running Config pane - Displays the current configuration and provides the option to select the
required device.
Note:
• Managed lines are highlighted in yellow and unmanaged lines are highlighted in grey color.
• If an unmanaged configuration line being added matches with an assigned configlet of the
selected device (including reconcile configlet) or if an added configuration line results in
conflict with a configuration line in the existing configlets assigned to the device, the device
will be marked out of compliance
• Device dropdown menu - This drop down lists all available devices against which the filter can be
validated.
4. Click Save Filter.

13.5 Implications of Applied Filters

The implications of applied filters in partial configuration management are:
• Configuration Compliance
• Provisioning
• Change Control Approval
• Task Execution
• Reconcile
• Studios and Workspaces

Configuration Compliance
Filter modification can change managed/unmanaged portions of designed and running configuration due to
which configuration compliance status of some devices may get updated. In context of partial configuration
management, the following logics determine the configuration compliance status of the device:
• Managed configuration lines and Unspecified configuration lines have the same compliance implications
and they have to be in sync in the designed and running configuration for configuration compliance to be
true. Which means changing such configuration lines outside CVP will mark the device out of compliance.
Similarly modifying the designed configuration with addition/deletion of such configuration lines will result
in out of compliance until they are pushed to the running configuration.
• Unmanaged configuration lines in the designed configuration will always result in configuration out of
compliance. On the other hand, such configuration lines can be added to the running configuration outside
CVP without causing the device to go out of compliance.
• Conflicting filters matching device’s designed or running configuration will mark the device out of
compliance.

300
 Partial Configuration Management

Provisioning
• Configlet management at device level -- Applied filters of `unmanaged` type can restrict CVP to modify
corresponding unmanaged configuration lines. Configlets containing unmanaged configuration lines
cannot be applied to a device. Validation of such proposed configuration will result in an error.
• Configlet management at container level -- Since this flow is not associated with a configuration validation
process, it can result in making some unmanaged configuration lines part of the designed configuration.
Hence, applying configlets containing unmanaged lines at container level will mark the underlying devices
out of compliance. This can even create configuration push tasks, but they would fail later at the time of
execution.

Change Control Approval

• Change controls with execute configuration task as one of their actions cannot be approved if the task diff
contains unmanaged configuration lines in the designed configuration.
• Already approved change controls may get unapproved if filters associated with the underlying devices get
changed.

Task Execution
Tasks with unmanaged configuration lines in the designed configuration will fail on execution. While viewing a
task diff, inline errors will indicate the problematic lines and the relevant filters associated with the error.

Reconcile
• Reconcile at device level -- Unmanaged configuration lines from running configuration cannot be
reconciled (tick boxes will not appear against those lines ). Whereas managed lines from running
configuration are not reconciled by default (tick boxes will be there, but not marked by default), but if the
user wants, they can be reconciled explicitly by marking the tick boxes manually.
• Reconcile at container level -- Reconcile process at container level will never reconcile managed or
unmanaged configuration lines from running configuration. Thus, it will only add unspecified lines from the
running configuration to reconcile configlets. It can also delete existing managed lines from the reconciled
configlet and thereby affect the configuration compliance status of the device. Hence it is recommended
to have dedicated configlets for the managed configuration lines and not to keep them as part of the
reconciled configlets.

Studios and Workspaces

• Workspace build will fail at the configuration validation step if the proposed configuration has unmanaged
configuration lines or there are conflicting filters assigned to devices mapped to the workspace.
• Any change in filters mapped to affected devices in a workspace will not affect workspace submission. So
any errors introduced by filter changes will only be seen in the Change Control created by workspace.
• Reverts in workspace will not change the state of filters.

13.6 Examples of Filter Management

Note: CVP highlights the managed lines in yellow and unmanaged lines in grey. In the example
below, the bold text represents managed lines and the italic text represents unmanaged lines.

Config 1

router multicast
ipv4
routing
route 232.1.1.1 192.168.0.1 iif Ethernet6 oif Ethernet20
!

301
 vrf test
ipv4
routing
route 238.1.1.1 2.2.2.2 iif Ethernet4 oif Ethernet41
route 239.1.1.1 2.2.2.2 iif Ethernet4 oif Ethernet41
route 239.3.3.3 3.3.3.3 iif Ethernet4 oif Ethernet5
route 239.4.4.4 1.1.1.1 iif Ethernet42 oif Ethernet45

Filters Result

router multicast router multicast

$ ipv4
routing
router multicast route 232.1.1.1
vrf test 192.168.0.1 iif Ethernet6 oif
ipv4 Ethernet20
route 239* !
vrf test
ipv4
routing
route 238.1.1.1
2.2.2.2 iif Ethernet4 oif
Ethernet41
route 239.1.1.1
2.2.2.2 iif Ethernet4 oif
Ethernet41
route 239.3.3.3
3.3.3.3 iif Ethernet4 oif
Ethernet5
route 239.4.4.4
1.1.1.1 iif Ethernet42 oif
Ethernet45

router multicast router multicast

ipv4 ipv4
route* routing
vrf test route 232.1.1.1
ipv4 192.168.0.1 iif Ethernet6 oif
route 238* Ethernet20
router multicast !
vrf test vrf test
ipv4 ipv4
route 239* routing
route 238.1.1.1
2.2.2.2 iif Ethernet4 oif
Ethernet41
route 239.1.1.1
2.2.2.2 iif Ethernet4 oif
Ethernet41
route 239.3.3.3
3.3.3.3 iif Ethernet4 oif
Ethernet5
route 239.4.4.4
1.1.1.1 iif Ethernet42 oif
Ethernet45

302
 Partial Configuration Management

Config 2

transceiver qsfp default-mode 4x10G

load-balance policies
load-balance sand profile Orange
no fields mac
load-balance sand profile Blue
no fields mac

Filters Result

transceiver * transceiver qsfp default-mode

load-balance policies 4x10G
load-balance sand load-balance policies
profile * load-balance sand
no fields mac profile Orange
no fields mac
load-balance sand
profile Blue
no fields mac

transceiver * transceiver qsfp default-mode

load-balance policies 4x10G
load-balance sand load-balance policies
profile Orange load-balance sand
no fields mac profile Orange
no fields mac
load-balance sand
profile Blue
no fields mac

303
304
 Chapter 14

Change Control
Task Management is an inventory of all the tasks generated in CloudVision. You can create a Change Control
or cancel a task in task management.
Sections in this chapter include:
• Basic Options for Handling Tasks
• Using the Tasks Module
• Using the Change Control Module
• Non-Author Change Control Review
• Change Control Template

14.1 Basic Options for Handling Tasks

CloudVision provides two basic ways to handle tasks. You can handle tasks individually (task by task), or by
groups of tasks.
To view and cancel tasks individually, use the Task Management module, which you can access by
navigating to Provisioning > Tasks from the CloudVision Portal. For detailed information on the Tasks
module, see Using the Tasks Module.
To execute grouped tasks (multiple tasks in the same group), use the Change Control module from either
Tasks or Change Control screens. To access the Change Control screen, navigate to Provisioning >
Change Control from the CloudVision Portal. For detailed information on the Change Control module, see
Using the Change Control Module.

14.1.1 Creating Tasks

The following actions that affect the performance of devices are automatically generated as tasks:
• Assigning Configuration (assigning a configuration to a device or container)
• Adding Devices (adding a device from the undefined container to a defined container)
• Managing Devices (moving or removing devices from a container)

14.1.1.1 Assigning Configuration

1. Go to the Network Provisioning screen.
2. Select a device or container.
3. Assign configuration.
4. Save the topology to generate the task.
Note: Editing a configlet also generates a task.

14.1.1.2 Adding Devices

1. Go to the Network provisioning screen.
2. Select a container.
3. Add devices to the container.

305
 4. Save the topology to generate the task.
Note: If the hierarchy of the container has images or configlets, the created task will also include
image push and configuration push tasks.

14.1.1.3 Managing Devices

1. Go to the Network provisioning screen.
2. Select a container.
3. Move or remove devices from the container.
4. Save the topology to generate the task.

14.2 Using the Tasks Module

This module covers the following sections:
• Accessing the Tasks Summary Screen
• Creating Change Controls from the Tasks Summary Screen
• Creating Change Controls from the Change Controls Summary Screen
• Accessing the Tasks Details Screen
• Task Status

14.2.1 Accessing the Tasks Summary Screen

Use the Tasks Summary screen to create Change Controls, cancel tasks, view assignable and assigned
tasks, navigate to the appropriate task details screen, and navigate to the device overview screen. See Task
Screen below.
Figure 321: Tasks Screen

To access the Tasks Summary screen, go to the Provisioning screen and click Tasks in the left menu.
The Tasks Summary screen consists of the following entities:
• + Create Change Control button - Click this button to create a Change Control
• Cancel Task(s) button - Click this button to cancel selected assignable tasks
• Assignable Tasks Table - Lists assignable tasks with the following information:
• Task ID - Displays the task ID.
Click the Task ID go to the appropriate task details screen.
• Device - Displays the device name on which this task is performed.

306
 Change Control

Click the device name to open the appropriate Device Overview screen.
• Created By - Displays who created the task.
• Type - Displays the task type.
• Last Updated - Displays when the task was last updated.
• Status - Displays the task status.
• Assigned Tasks Table - Lists assigned tasks with the following information:
• Task ID - Displays the task ID.
Click the task ID go to the appropriate task details screen.
• Device - Displays the device name on which this task is performed.
Click the device name to open the appropriate Device Overview screen.
• Created By - Displays who created the task.
• Type - Displays the task type.
• Last Updated - Displays when the task was last updated.
• Status - Displays the task status.
• Change Control - Displays the Change Control name.
Click the Change Control name to go to the appropriate Change Control Details screen.

14.2.2 Creating Change Controls from the Tasks Summary Screen

The Change Control module selects and executes a group of tasks that you want to process simultaneously.
While creating a Change Control, you add tasks with pending or failed status to the Change Control.
Complete the following steps to create a Change Control from the tasks summary screen:
1. On the CloudVision Portal, click Provisioning > Tasks.
The system displays the tasks summary screen.
2. Under the Assignable Tasks table, select tasks you want to include in the Change Control by selecting
appropriate checkboxes.
Note: If you do not select any tasks, the system creates a Change Control without tasks.

3. Click + Create Change Control with n tasks where n is the count of selected tasks.
Figure 322: Create Change Control Button

The system displays the appropriate Change Control details screen.

307
14.2.3 Creating Change Controls from the Change Controls Summary Screen
The first step involved in using the Change Control module to manage tasks is to create a Change Control.
While creating a Change Control, you add tasks with pending or failed status to the Change Control. By
default, all tasks in the same Change Control are added in parallel. If you want to change the execution order,
you can drag and drop the action cards on the Change Control Details screen. You can execute grouped
tasks after a Change Control is created, reviewed, and approved.
Note: If you do not add any tasks, the system creates a Change Control without tasks.

Complete the following steps to create a Change Control from the Change Control Summary screen:
1. On the CloudVision Portal, click Provisioning > Change Control.
The system displays the Change Control Summary screen.
Figure 323: Change Control Summary Screen

2. Click + Create Change Control button at the upper right corner.

308
 Change Control

The system displays the Assignable Tasks dialog box.

Figure 324: Assignable Tasks Dialog Box with No Tasks Selected

3. Select tasks you want to include in the Change Control by selecting appropriate checkboxes.
Note: If you do not select any tasks, the system creates a Change Control without tasks.

4. Click + Create Change Control with n tasks where n is the count of selected tasks.
Figure 325: Assignable Tasks Dialog Box with Tasks Selected

The system displays the appropriate Change Control Details screen.

309
14.2.4 Accessing the Tasks Details Screen
The Tasks details screen provides detailed information for any given task. To access the Tasks details
screen, click the task ID under the Task ID column in the Tasks summary screen.
Figure 326: Task Details Screen

The Tasks Details screen provides the specified information in following tabs:
• Pending tasks icon - Displays the count of pending tasks
• Notifications - Displays the count of unread notifications.
• Logs tab - Displays logs of the appropriate task.
Note: This tab is displayed only for completed tasks.

• View Image tab - Provides detailed information on image changes.

Figure 327: View Image Tab

310
 Change Control

• View Config tab - Displays provisioned, designed, and running configuration changes.
Figure 328: View Config Tab

14.2.5 Task Status

All CloudVision Portal (CVP) tasks are automatically assigned a specific status by the system. The system
automatically updates tasks status to indicate the current status of a task.
The task statuses are:
• Pending
• In-Progress
• Completed
• Failed
• Canceled

14.2.5.1 Pending
Any new task is generated with a 'Pending' status. This means that the task has been generated but not
executed. You can execute a pending task at any time. Once the task is successfully executed (completed
without failure), the status of the task changes to Completed.

14.2.5.2 In-Progress
A task being executed moves to “In-progress” state.
• Config assign, pushes the configuration on the device.
• Image assign, copies the image from CLOUDVISION to the device.
• In-Progress tasks can be canceled.
Various statuses during the Change Control execution are:
• Execution In Progress
• Device Reboot In Progress
• Task Update In Progress
• Configlet Push In Progress
• Image Push In Progress
• Rollback Config Push In Progress
• Rollback Image Push In Progress

311
 • Cancel In Progress
• ZTR Replacement In Progress

14.2.5.3 Completed
A task that has been completed. Upon completion, the status changes to Completed. Tasks with Completed
status can't be executed or canceled.

14.2.5.4 Failed
A task moves to failed state due to multiple reasons such as:
• Device not reachable
• Wrong configuration
• Application problem

14.2.5.5 Canceled
A task that is removed from the queue of pending tasks. Tasks with the status of Completed or tasks that
have already been canceled, cannot be canceled. Tasks with any status other than Canceled or Completed
can be selected and canceled.

14.3 Using the Change Control Module

The Change Control module selects and executes a group of tasks that you want to process simultaneously.
Selecting tasks and creating Change Controls function similarly in Change Control and Task Management
modules.
Change Controls provides the following benefits:
• Sequencing tasks
• Adding unlimited snapshots to every device impacted by the Change Control execution
• Adding custom actions
• Pushing images via Multi-Chassis Link Aggregation (MLAG) In-Service Software Upgrade (ISSU) or
Border Gateway Protocol (BGP) maintenance mode
• Reviewing the entire set of changes to approve Change Controls
Note: Snapshots display the state of impacted devices before and after the execution.

For more information about Change Controls, see:

• Accessing the Change Control Summary Screen
• Accessing the Open Change Control Details Screen
• Creating Change Controls from the Change Controls Summary Screen
• Accessing the Open Change Control Details Screen

312
 Change Control

14.3.1 Accessing the Change Control Summary Screen

The Change Control summary screen is used to manage Change Controls.
Figure 329: Change Control Summary Screen

To access the Change Control screen, go to the Provisioning screen, and click Change Control in the left
menu.
The Change Control screen consists of the following entities:
• Open Change Controls and Executed Change Controls tables - Lists corresponding Change Controls
with the following information:
• Name - Displays the Change Control name
Click the Change Control name to go to the appropriate Change Control details screen.
• Devices - Displays devices used in the Change Control
Click the device name to go to the appropriate Device Overview screen.
• Action - Displays types of actions to be executed by the Change Control
• Last Updated - Displays when the Change Control was last updated
• Status - Displays the Change Control status
Note:
• Under the Status column of the Open Change Controls table, a pending Change Controls
is represented with a doc-edit icon and an approved Change Controls is represented with a
user-check icon.
• Under the Status column of the Open Change Controls table, a failed Change Control is
represented with a cross mark and a completed Change Control is represented with a tick
mark.
• Hover the cursor on the status icon in Open Change Controls table to view how long ago
the current approval status was updated. When you hover the cursor on the status icon in
Executed Change Controls table, it also displays the approver's name.
• In the Open Change Controls table, click Delete to delete the appropriate Change Control.
Note: After you delete an open Change Control, the system returns any tasks used by the deleted
Change Control to the assignable tasks pool for reallocation.
• Recent Activity pane - Lists most recent activities like updated, executed, and deleted Change Controls.
Note: Click on the Change Control name to go to the appropriate Change Control details screen.

• + Create Change Control - Click this button to create a Change Control

313
 • Export to CSV - Exports the summary data to a CSV file.

14.3.2 Accessing the Open Change Control Details Screen

The open Change Control details screen performs the following functions:
• Displays Change Control information
• Adds actions to Change Control
• Adds, edits, and deletes child stages
• Reviews and approves Change Control
Perform the following steps to access the Change Control details screen:
1. On the CloudVision Portal, click Provisioning > Change Control.
The system displays the Change Control summary screen.
2. Under the Open Change Controls table, click one of the listed Change Controls.
The system displays the Change Control details screen.
Figure 330: Change Control Details Screen

The Change Control details screen consists of the following panels:

• Header Panel
• Main Panel
• Edit Panel

Header Panel
This primary panel provides the following basic information on the Change Control:
• Edit icon to update the Change Control name
• Change Control information -
• The open Change Control details screen displays the status, scheduled date, last editor, count of
affected devices, and Universally Unique Identifier (UUID).
Note:
• Click the Scheduled for field and select the date to run the Change Control.
• Hover the mouse cursor over the clock icon to view the last time of action.

314
 Change Control

• Hover the cursor on the count of affected devices to view their list. Clicking on an affected
device opens the corresponding Device Overview screen.
• Clicking the copy icon next to the UUID copies the UUID to the clipboard.
• The executed Change Control details screen displays the status, approver, time of start, last editor, and
count of affected devices.
Note:
• Click Review next to the status for details on review and approve process.
• Review and Approve - Click Review and Approve in open Change Controls for assessing Change
Control updates. These updates include configuration differences, and image bundle changes when
appropriate.
Figure 331: Review and Approve Pop-Up Window

Click Approve to accept Change Control updates.

Note: (Optional) Approver can leave comments in the Notes: field.

• On the approved Change Control details screen, click Unapprove to revert the approval status and
Execute Change Control to run approved Change Controls.
Figure 332: Approved Change Control

Note: CVP executes Change Controls in the following ways:

• Runs approved Change Controls immediately if sufficient privileges are set for the Change
Control Management permission.
• Stops the change automatically if an action fails.
• Runs actions in progress until complete.

315
 • On the failed Change Control details screen, click Rerun to repeat the execution of a completed but failed
Change Control. This creates a new Change Control that must be approved again.
Figure 333: Rerun Change Control

Note: Click Remove when CVP prompts you with Remove all actions for devices that have no
failures? for skipping the rerun of completed actions.
• Click Rollback in executed Change Controls to open the Rollback Change Control pop-up window. To
create a rollback after evaluating the executed Change Control, select tasks to rollback from the table and
click Create Rollback Change Control.
Figure 334: Rollback Pop-Up Window

Note: CVP rolls back only completed configuration updates and image upgrade tasks.

Main Panel
This main panel consists of the following entities:
• Search bar - Enter a string to perform a search in the Change Control tree.
• Expand icon - Click to expand all stages.
• Collapse icon - Click to collapse all stages.
• Information icon - Click to get help on Change Control.
• Change Control tree - Change Controls are composed of actions and stages. Action types include tasks,
CLI snapshots, health checks, custom scripts, enter BGP maintenance mode, and exit BGP maintenance
mode, and other custom actions.
Note: Different icons represent various task types like adding a new device, updating configuration
on a device, and updating software image bundle on a device. Actions are represented with a bolt
symbol.
Actions are grouped and nested within stages via drag and drop.
Note:

316
 Change Control

• Tasks being executed in parallel do not block subsequent actions in that branch.
• In a series execution, the Change Control execution starts from the first item and works its way
from top to bottom. The next action starts only when the previous action completed successfully.
• You can toggle the option by clicking the stage type dropdown menu in the edit panel.

Edit Panel
This panel edits stages and actions.
• Edit a stage - Click the required stage in the main panel. The edit panel provides the following options:
• Show details icon - Click to view associated configuration differences, image bundle changes, and
action details.
• Remove icon - Click to delete the stage.
Note: Select multiple tasks to view details and delete multiple tasks simultaneously. Use
command-click or Ctrl-click to select multiple items. To select a range of items, click the first
item and then Shift-click the last item.
• Group icon - Select multiple tasks to group them into sub-stages.
• Edit icon - Click to edit the stage name.
• Change Control stage type dropdown menu - Click to select the Change Control stage type.
Note: By default, all tasks and actions execute in series.

• Plus icon - Click to add a child stage.

• Status - Displays telemetry of each device in the stage.
Note:
• Hover the cursor on n metric group to view selected devices.
Note: n represents the count of selected metric groups.

• Hover the cursor on n device(s) to view selected metric groups.

Note: n represents the count of selected devices.

• Add actions - Adds actions to open Change Control. Select the required action and placement from
corresponding dropdown menus; and click Add to change control to update selected changes.
Figure 335: Add Actions to Change Control

317
 • Logs - Displays logs of each update in the executed Change Control process.
Figure 336: Change Control Logs

Note:
• Use the search logs bar for filtering logs based on a string.
• Click the download icon to download logs to your local drive.

14.3.3 Creating Change Controls from the Change Controls Summary Screen
The first step involved in using the Change Control module to manage tasks is to create a Change Control.
While creating a Change Control, you add tasks with pending or failed status to the Change Control. By
default, all tasks in the same Change Control are added in parallel. If you want to change the execution order,
you can drag and drop the action cards on the Change Control Details screen. You can execute grouped
tasks after a Change Control is created, reviewed, and approved.
Note: If you do not add any tasks, the system creates a Change Control without tasks.

Complete the following steps to create a Change Control from the Change Control Summary screen:
1. On the CloudVision Portal, click Provisioning > Change Control.

318
 Change Control

The system displays the Change Control Summary screen.

Figure 337: Change Control Summary Screen

2. Click + Create Change Control button at the upper right corner.

The system displays the Assignable Tasks dialog box.
Figure 338: Assignable Tasks Dialog Box with No Tasks Selected

3. Select tasks you want to include in the Change Control by selecting appropriate checkboxes.
Note: If you do not select any tasks, the system creates a Change Control without tasks.

319
 4. Click + Create Change Control with n tasks where n is the count of selected tasks.
Figure 339: Assignable Tasks Dialog Box with Tasks Selected

The system displays the appropriate Change Control Details screen.

14.3.4 Accessing the Open Change Control Details Screen

The open Change Control details screen performs the following functions:
• Displays Change Control information
• Adds actions to Change Control
• Adds, edits, and deletes child stages
• Reviews and approves Change Control
Perform the following steps to access the Change Control details screen:
1. On the CloudVision Portal, click Provisioning > Change Control.
The system displays the Change Control summary screen.
2. Under the Open Change Controls table, click one of the listed Change Controls.

320
 Change Control

The system displays the Change Control details screen.

Figure 340: Change Control Details Screen

The Change Control details screen consists of the following panels:

• Header Panel
• Main Panel
• Edit Panel

Header Panel
This primary panel provides the following basic information on the Change Control:
• Edit icon to update the Change Control name
• Change Control information -
• The open Change Control details screen displays the status, scheduled date, last editor, count of
affected devices, and Universally Unique Identifier (UUID).
Note:
• Click the Scheduled for field and select the date to run the Change Control.
• Hover the mouse cursor over the clock icon to view the last time of action.
• Hover the cursor on the count of affected devices to view their list. Clicking on an affected
device opens the corresponding Device Overview screen.
• Clicking the copy icon next to the UUID copies the UUID to the clipboard.
• The executed Change Control details screen displays the status, approver, time of start, last editor, and
count of affected devices.
Note:
• Click Review next to the status for details on review and approve process.

321
 • Review and Approve - Click Review and Approve in open Change Controls for assessing Change
Control updates. These updates include configuration differences, and image bundle changes when
appropriate.
Figure 341: Review and Approve Pop-Up Window

Click Approve to accept Change Control updates.

Note: (Optional) Approver can leave comments in the Notes: field.

• On the approved Change Control details screen, click Unapprove to revert the approval status and
Execute Change Control to run approved Change Controls.
Figure 342: Approved Change Control

Note: CVP executes Change Controls in the following ways:

• Runs approved Change Controls immediately if sufficient privileges are set for the Change
Control Management permission.
• Stops the change automatically if an action fails.
• Runs actions in progress until complete.

322
 Change Control

• On the failed Change Control details screen, click Rerun to repeat the execution of a completed but failed
Change Control. This creates a new Change Control that must be approved again.
Figure 343: Rerun Change Control

Note: Click Remove when CVP prompts you with Remove all actions for devices that have no
failures? for skipping the rerun of completed actions.
• Click Rollback in executed Change Controls to open the Rollback Change Control pop-up window. To
create a rollback after evaluating the executed Change Control, select tasks to rollback from the table and
click Create Rollback Change Control.
Figure 344: Rollback Pop-Up Window

Note: CVP rolls back only completed configuration updates and image upgrade tasks.

Main Panel
This main panel consists of the following entities:
• Search bar - Enter a string to perform a search in the Change Control tree.
• Expand icon - Click to expand all stages.
• Collapse icon - Click to collapse all stages.
• Information icon - Click to get help on Change Control.
• Change Control tree - Change Controls are composed of actions and stages. Action types include tasks,
CLI snapshots, health checks, custom scripts, enter BGP maintenance mode, and exit BGP maintenance
mode, and other custom actions.
Note: Different icons represent various task types like adding a new device, updating configuration
on a device, and updating software image bundle on a device. Actions are represented with a bolt
symbol.
Actions are grouped and nested within stages via drag and drop.
Note:

323
 • Tasks being executed in parallel do not block subsequent actions in that branch.
• In a series execution, the Change Control execution starts from the first item and works its way
from top to bottom. The next action starts only when the previous action completed successfully.
• You can toggle the option by clicking the stage type dropdown menu in the edit panel.

Edit Panel
This panel edits stages and actions.
• Edit a stage - Click the required stage in the main panel. The edit panel provides the following options:
• Show details icon - Click to view associated configuration differences, image bundle changes, and
action details.
• Remove icon - Click to delete the stage.
Note: Select multiple tasks to view details and delete multiple tasks simultaneously. Use
command-click or Ctrl-click to select multiple items. To select a range of items, click the first
item and then Shift-click the last item.
• Group icon - Select multiple tasks to group them into sub-stages.
• Edit icon - Click to edit the stage name.
• Change Control stage type dropdown menu - Click to select the Change Control stage type.
Note: By default, all tasks and actions execute in series.

• Plus icon - Click to add a child stage.

• Status - Displays telemetry of each device in the stage.
Note:
• Hover the cursor on n metric group to view selected devices.
Note: n represents the count of selected metric groups.

• Hover the cursor on n device(s) to view selected metric groups.

Note: n represents the count of selected devices.

• Add actions - Adds actions to open Change Control. Select the required action and placement from
corresponding dropdown menus; and click Add to change control to update selected changes.
Figure 345: Add Actions to Change Control

324
 Change Control

• Logs - Displays logs of each update in the executed Change Control process.
Figure 346: Change Control Logs

Note:
• Use the search logs bar for filtering logs based on a string.
• Click the download icon to download logs to your local drive.

14.3.4.1 Change Control Drop-Down Menu

Click the Change Control drop-down menu to select another Change Control.

14.3.4.2 Change Control Stages

These panes consists of the following entities:
• Change Control stage name - Click either the Change Control name or the corresponding edit icon to
update the name.
• Add a stage icon - Click the plus icon at the upper right corner of the stage to add a stage.
• Delete a stage icon - Click the appropriate trash icon at the upper right corner of the stage to delete the
corresponding stage.
• Edit actions icon - Click the thunder icon within a card to edit or view the appropriate leaf.

325
 • For open Change Controls, the system displays the actions window to edit the appropriate leaf.
Figure 347: Info Tab in Edit Actions

Note: For completed Change Controls, the system displays the actions window to view the
appropriate leaf.
This window consists of the following entities:
• Info tab - This tab lists the actions to be run, edits actions, and displays action details.
Click the edit icon to reorder and edit actions.
Figure 348: Reorder and Edit Actions Screen

• Click the select action drop-down menu and select the required action.
Note: The system displays selected actions beneath the select action drop-down menu.

• Click Clear at the end of a field to delete the appropriate action.

326
 Change Control

Note: This option is available only for a card with multiple actions. The main action in a card
is not available to clear.
• Click the check-mark to save changes.
Note: Here, actions comprise of provisioning, Border Gateway Protocol (BGP) maintenance,
health checks, and snapshots.
• Configuration Changes tab - For tasks, this tab displays any configuration or image differences that
will be applied as part of the task.
Figure 349: Configuration Changes Tab in Edit Actions

• Logs tab - This tab displays log information of completed Change Controls.
Figure 350: Logs Tab in Edit Actions

• Remove from Change Control button - Click Remove from Change Control to remove this task from the
stage.
Note: Click Remove on the Confirm pop-up dialog box to confirm the deletion.

• Done button - Click Done to save changes.

• Trashbin icon - Click the trashbin icon at the upper right corner of the pane to delete the stage.

327
14.3.4.3 Review and Approve
Click the Review and Approve button at the upper right corner of the Change Control screen to review and
approve the Change Control. This button displays the Review and Approve dialog box for the selected
Change Control.
Figure 351: Review and Approve Dialog Box

This window consists of a device search field and a list of changes by Change Control stages.
Type the device name in the search field and if available, the system displays the list of changes for the
specified device.
The expanded Change Control stage list displays details of the actions to be executed in each stage, grouped
by a device.
If you are happy with configuration changes, click the Approve button at the lower right corner of the dialog
box to approve the Change Control.

14.3.4.4 Execute Change Control

After approval, the Review and Approve button is replaced with the Execute Change Control button.
Figure 352: Execute Change Control Button

328
 Change Control

Click the Execute Change Control button to execute the Change Control.
Note: A Change Control is executed until all actions are either completed or there is a failure in one or
more of the actions.

14.3.4.5 Stop Change Control

While the system is executing changes specified in Change Control, it replaces the Execute Change Control
button with the Stop Change Control button.
Figure 353: Stop Change Control Button

Click the Stop Change Control button to stop the execution of Change Control.
Note: Clicking the Stop Change Control button returns failed and incomplete tasks to the assignable
tasks pool for reallocation.
If a Change Control has revertible actions, the system replaces the Stop Change Control button with the
Rollback Change button after the execution of all actions.
Figure 354: Rollback Change Button

Click the Rollback Change button to rollback the execution of Change Control.

14.4 Non-Author Change Control Review

The non-author change control review feature enforces change control reviews by someone other than the
author. This ensures that two separate people have reviewed a change before it is approved and can be
rolled out onto the network.
Enabling Non-Author Change Control Review

329
 Note: This feature can only be enabled from the Cluster Management role.

From the General Settings menu, select the Non-author Change Control review toggle to enable the
feature.
Figure 355: Enabling Non-Author Change Control Review

Pending and approved changes are displayed in the Change Control screen located in the Provisioning tab.
When the feature is enabled, the user making the change (author) will not be allowed to modify the approval
status (approve/disapprove) of their own changes.

330
 Change Control

14.5 Change Control Template

Change Control Template allows you to build and structure common change control operations, and to repeat
them without having to rebuild or re-specify the actions and sequences. The template is easily modified which
enables you to execute evolving change control operations quickly and efficiently.
To configure a Change Control Template, use the Action Bundle and Stage Rule tools. Each Stage Rule
depends on an Action Bundle for its content, so at least one Action Bundle must be created before you can
start using Change Control Templates.

Stage Rules
A Template is defined by a list of Stage Rules. Stage Rules can be executed in Series or Parallel at the root
of the change control. Each Stage Rule is linked to one Action Bundle, which supplies the content for that
stage.

Action Bundles
An Action Bundle is a specific sequence of actions that contain up to one task action and a limitless number
of non-task actions. Action Bundles are reusable across multiple Templates and allow you to construct a
specific sequence of actions without defining the tasks or devices that they will be applied to.

Workflow
Creating and implementing a change control event with a Template, requires five basic steps:
1. Create or select one or more Action Bundles.
2. Assign each Action Bundle to a Stage Rule.
3. Configure the Stage Rules of the Template.
4. Save the Template.
5. Apply the Template in Change Control.
Once the Template has been saved, it will be available to apply repeatedly. For future change control
operations with the same actions and sequence, you will only need to follow Step 5.

14.5.1 Action Bundles

Action Bundles are a determined sequence of actions that can include up to one task action and an unlimited
number of non-task actions. The Action Bundles are assigned them to the Stage Rules of a Template, which
means that you will want to create, edit, and delete Action Bundles.

14.5.1.1 Accessing Action Bundles

331
 You can manage Action Bundles by selecting Provisioning in the navigation bar and then selecting Action
Bundles.
Figure 356: Action Bundles

14.5.1.2 Creating a New Action Bundle

When creating a new Action Bundle, one task action and unlimited non-task actions can be added.
1. Click + Action Bundle
2. In the side panel that opens, enter a bundle name and an optional description and then click the Add
Action menu.
3. Select an action from the available list.
Figure 357: Select an Action

332
 Change Control

Note: Every action except for Execute Task is a non-task action. You can only add one task action
for each Action Bundle.
4. Depending on the action type selected, you may have some additional options for what devices you can
assign the action to.
Note: The task action will always have its device assigned in the Stage Rule of the Template that
the Action Bundle is applied to. For more information on these options, see Device Placeholders
and Static Arguments.
5. Select the actions of this Action Bundle to be executed in series or parallel.
6. Review the list of actions, and click Save. The Action Bundle will now be available to be assigned in the
Stages Rules of Templates.

14.5.1.3 Editing an Action Bundle

To edit an Action Bundle.
Note: Upon saving the edits, any template that the Action Bundle is a component of will be updated.

1. Click Edit on the Action Bundle to be modified.

Figure 358: Editing an Action Bundle

2. From the side panel, add new actions, modify the order of existing actions, or delete existing actions.
3. Click Save to update the Action Bundle.

14.5.1.4 Deleting an Action Bundle

Note: The following procedure does not remove the Action Bundle from any assigned Template.

1. Select Delete.
Figure 359: Deleting an Action Bundle

2. A modal that will ask you to cancel or remove. Click Remove.

14.5.1.5 Device Placeholders and Static Arguments

333
 When creating or editing the actions of an Action Bundle, you can assign device placeholders instead of
specific devices to the action. These placeholders are then defined when the Action Bundle is added to
the Stage Rule of a Template. This gives you the flexibility to assign the same Action Bundle to multiple
Templates.
The following is a complete list of device placeholders, along with a sample list of devices you can statically
apply the action to:
Figure 360: Device Placeholders

The placeholders available to you vary based upon the combination of action types that you have already
selected. Consequently, additional placeholders may become available for an action after you have added
more actions to the Action Bundle. Specifically, ‘Match task device’ and ‘MLAG peer of selected task’ only
appear when the Action Bundle contains a task.

Provide via Template

When this action is assigned as a placeholder, you will configure it when building the Template. You can use
the Device Filter field in the Stage Rule that the Action Bundle is applied to.
Figure 361: Provide via Template

Select one of the following options:

• All Devices in Change Control: This option matches all devices associated with the change control
(defined by which tasks are linked to the change control)
• Regular Expression: This option allows you to select certain devices from Change Control by defining a
regular expression to evaluate against the device hostname

Match Task Device

An Action Bundle can contain a maximum of one task action. The device of the task is assigned in the
Template using the Device Filter field.
When configuring the Action Bundle, a non-task action with the placeholder Match Task Device can be
assigned. This means that the device associated with the task will be applied to the non-task action.

334
 Change Control

MLAG Peer of Selected Task

This placeholder enables you to sequence MLAG upgrades. You can run non-task actions on the MLAG peer
of the device that the task in the Action Bundle is assigned to.
By using this placeholder, the MLAG Health Check can be run against the MLAG peer before running the
task.
The following figure is an example of how actions can be arranged so that the MLAG health of both the task
device and the task device’s MLAG peer are checked before running the task. The last action checks the
MLAG health of the task device after the task has been performed.
Figure 362: MLAG Peer of Selected Task

Static Action Arguments

Static arguments can be applied in an Action Bundle by assigning certain non-task actions with a specific
device. This enables you to always have a particular action run against a specific device when the Action
Bundle is applied to a Stage Rule in a template.
Figure 363: Static Action Arguments

335
14.5.2 Templates
Action Bundles will be assigned to a Template. With the Template you will bundle and sequence specific
actions and group those action bundles into stages to define the upgrade sequence.
Note: Applying a Template to a change control is a single operation. The Template is not permanently
linked to the change control; therefore, making changes to a Template after it has been applied to a
change control will have no effect on the existing change control.
• A Template can be applied multiple times. Each time the existing structure will be completely
overwritten, and only the tasks will remain as the sole input to the Template.
• This feature cannot be used to craft arbitrarily complex change controls, and advanced users may
want to leverage the Change Control API to construct custom layouts.

Accessing Templates
Select Provisioning and select Templates. The following screen will be displayed.
Figure 364: Accessing Templates

14.5.2.1 Create a New Template

When creating a new Template, an unlimited number of Stages Rules can be added using at least one Action
Bundle.
1. Select + Template from the Templates screen.
2. Each Stage Rule is associated with a single Action Bundle. Select an Action Bundle from the menu or
create a new one.
Figure 365: Create a New Template

3. Once you have assigned an Action Bundle, complete any additional fields associated with the specific
Action Bundle.
Note: If the Action Bundle contains device placeholders, a Device Filter will appear. This is used to
define which devices will be applied to this Action Bundle.

336
 Change Control

4. A sub-stage will be created for every populated Action Bundle. Arrange the sub-stages in Series or
Parallel.
Figure 366: Stage Rule

5. You can repeat Steps 2-4 to create a Stage Rule for each Action Bundle to be added to the Template, and
then arrange the order of the Stage Rules.
Figure 367: Order Stage Rules

Note: The same Action Bundle can be applied to multiple stages, each with a unique Device Filter.

337
 6. Set the Stage Rules to execute in Series or Parallel.
Figure 368: Set Stage Rule

7. When done, select Save Template.

14.5.2.2 Edit a Template

Note: Any changes made to a Template will not be updated for any change control operations it has
been applied to. The Template will need to be reapplied.
1. Click Edit on the Template to modify. The Template screen will display its current Stage Rules and details,
how they are ordered, and the manner in which they will be executed.
Figure 369: Edit a Template

2. Edit any of the details by amending the fields, using the up and down arrows, or deleting Stage Rules.
3. Click Save Template when done.

14.5.2.3 Delete a Template

338
 Change Control

1. Click Delete on the Template you wish to remove.

Figure 370: Delete a Template

Note: Deleting a template will not affect change controls that were previously generated using that
template.

14.5.2.4 Creating a New Change Control with a Template

Follow these instructions to create a change control and apply a Template at the same time.
1. Select Tasks or Change Control under the Provisioning tab, and click Create Change Control.
2. In the screen that is displayed, enter a name for the change control and select the tasks that should be
included in the change control.
3. To build the change control with a Template, click Template.
Figure 371: Creating a New Change Control with a Template

4. From the menu, select a Template and select Create Change Control.
5. The Change Control screen will be displayed. Revise to the change control format, review and approve the
proposed changes as needed. When done execute the network changes.

14.5.2.5 Applying a Template to an Existing Change Control

If a change control has been created but not approved or executed, you can apply a Template to it.
1. Select Change Control, and select the desired change control from the Open Change Control list.
2. The Change Control edit screen of the selected change control is displayed. Click Select a Template to
open up a menu of your Templates.
3. Select the Template that you want to apply to the change control and click Apply Template.The Template
configuration will be added to the change control for review and approval.

339
 Note: Applying a Template to a change control operation is a single operation. Any changes made
to the Template will not be automatically applied to the change control.

340
 Chapter 15

Authentication & Authorization (CVP)

Authentication determines if the provided user credentials (username/password) are correct. If authentication
succeeds, the user is logged in.
Authorization determines what operations the user can perform after login. Authorization can be for no
access, read access, or read and write access.
In the Access Control page, the type of Authentication and Authorization can be defined. AAA servers are
defined in this page.
This module guides account management administrators to manage AAA servers, user accounts, and user
roles. It provides the functionality required to manage all aspects of user accounts.
Note: Only account management administrators have the permissions to manage accounts.

Sections in this chapter include:

• Access Requirements for Image Bundle Upgrades
• Managing AAA Servers
• About Users and Roles
• Managing User Accounts
• Managing User Roles
• Service Accounts
• Viewing Activity Logs
• Advanced Login Options
• Access to the Access Control Page

15.1 Access Requirements for Image Bundle Upgrades

If AAA is configured (enabled) on the switch, you must have certain access rights before you can perform
image bundle upgrades on the switch.
The specific access rights required to perform image bundle upgrades when AAA is configured are:
• Config session
• Bash
The access rights to execute bash commands is required because the following bash command must be
executed to upgrade image bundles:

bash timeout 10 sudo rm -f /mnt/flash/boot-extensions && echo -e '' > /mnt/

flash/boot-extensions

Note: If AAA is enabled and you attempt to perform image bundle upgrades without having these
required access rights, the upgrade will fail and the following error occurs:

Jul 11 11:36:45 cd342 Aaa: %AAA-4-CMD_AUTHZ_FAILED: User cvpadmin failed

authorization to execute command 'bash timeout 10 sudo rm -f
/mnt/flash/boot-extensions && echo -e '' > /mnt/flash/boot-extensions

341
15.2 Managing AAA Servers
The system uses the following functionalities to manage AAA servers:
• Adding AAA Servers
• Modifying AAA Servers
• Removing AAA Servers

15.2.1 Adding AAA Servers

1. Navigate to the Access Control Page.

2. Click the Authentication source drop-down menu and select either RADIUS or TACACS.
The Access Control page lists all current servers. See Access to the Access Control Page.
3. Click + New Server at the upper right corner of the Servers section.
Figure 372: + New Server in Access Control Page

The system pops-up the New Server window.

Figure 373: New Server Pop-Up Window

4. Provide the required Information in corresponding fields.

5. If required, click Test for testing the new configuration. Else, skip to step 8.

342
 Authentication & Authorization (CVP)

6. Enter your credentials when the Test Server pop-up prompts for it.
Figure 374: Test Server Pop-Up Window

7. Click Run Test.

The system displays test results. If required, modify the configuration based on the test result.
8. Click Save.
The server is added to the list of servers in the AAA grid.
Related topics:
• Access to the Access Control Page
• Modifying AAA Servers
• Removing AAA Servers

15.2.2 Modifying AAA Servers

1. Navigate to the Access Control Page.

2. Select desired modes from Authentication source and Authorization source drop-down menus
The system lists all registered servers of the selected AAA server type. See Access to the Access Control
Page.
3. Click the edit icon available next to IP address of the corresponding server.
The system pops-up the Edit Server window.
Figure 375: Edit Server Pop-Up Window

343
 4. Modify the required information.
5. If required, click Test to verify latest changes.
6. Click Save.
Note: To apply external authentication, there should be at least one enabled server listed in the
page.

15.2.2.1 Adding Vendor Specific Codes to AAA Servers

You can add vendor specific codes to AAA servers for the following:
• RADIUS
• TACACS+
• CISCO ACS

15.2.2.1.1 RADIUS
Arista Vendor Specific Code: add it to the RADIUS dictionary.

VENDOR Arista 30065

BEGIN-VENDOR Arista
ATTRIBUTE Arista-AVPair 1 string
END-VENDOR Arista

To specify role for a user

"bob" Cleartext-Password := "Pa$sW04d"

Arista-AVPair = "shell:cvp-roles=network-admin",
Service-Type = NAS-Prompt-User

15.2.2.1.2 TACACS+
For TACACS+ there is no vendor specific code, just different strings.
Note: CloudVision support for TACACS+ servers can be affected with the setting of the “service”
parameter. Some TACACS servers may require "service = shell" instead of "service = exec" in the
TACACS+ configuration (tacacs.conf).
This example configures user “bob” in the admin group and specifies certain attributes. It specifies a "cvp-
roles" attribute for the CloudVision role name (it can also be a list of roles).

A. tacacs.conf
group = admingroup {
default service = deny
service = exec {
default attribute = permit
priv-lvl = 15
cvp-roles = network-admin
}
enable = nopassword

}
user = bob {
login = cleartext "secret"
member = admingroup
}
B. CVP AAA settings
C. Switch AAA configlet

344
 Authentication & Authorization (CVP)

15.2.2.1.3 CISCO ACS

To ensure that authentication and authorization work properly, complete the following procedures.
• Creating Identity Groups and Users
• Creating a Shell Profile using ACS
• Creating and Mofiying Access Policy

15.2.2.1.3.1Creating Identity Groups and Users

1. Select Users and Identity Stores, and then select Identity Groups.
2. Make sure a group named <user-group> exists. If this group does not exist, add it.
3. Add new users under the group named <user-group>.

15.2.2.1.3.2Creating a Shell Profile using ACS

1. Go to the Policy Elements page.
2. Select Device Administration > Shell Profiles.
3. Click the Create button to create a new shell profile.
4. Select the Custom Attributes tab, and then add a new mandatory attribute named “cvp-roles”.
5. Specify one or more of the following values to the new “cvp-roles” attribute:
• network-admin
• network-operator
Note: If you have created custom role(s) under CVP Account Management, you can use them.

6. Check to make sure that under the “Common Tasks Attributes” table, “Assigned Privilege Level” and “Max
Privilege Level” are added by default with and the specified value is 15. Also, verify that requirement is set
“Mandatory.”

15.2.2.1.3.3Creating and Modifying Access Policy

1. Go to the Access Policies section and select the Default Device Admin policy.
2. Make sure that “Allow PAP/ASCII” option in the Authorization section is enabled (selected).
3. In the Authorization section, create a new rule named “Rule-1”.
4. Make sure that the status of the new rule (“Rule-1”) is Enabled, and set the identity group as “<user-
group>”.
5. Select the shell profile that outlines the cvp-roles for all users under the group named <user-group>.
Note: Alternatively, you can set add shell profile in the “default rule” section.

6. Make sure that “Service Selection Rules” (under the “Access Policies” section), is using the policy named
“Default Device Admin”. The policy should be listed in the “Results” column of “Service Selection Policy”
table, and the “status” column should be green, indicating that the policy is enabled.
The shell profile should be automatically applied to all users under the ground named <user-group>.

15.2.2.1.4 Supported TACACS Types

CloudVision Portal (CVP) supports different types of TACACS. Table Supported TACACS Types lists the
supported types of TACACS, including the following information for each TACACS type:
• Supported version
• Service shell (whether it is supported for each type)
• Service exec (only the following attributes are supported):
• acl

345
 • default
• double-quote-values
• message
• optional
• protocol
• return
• script
• set

Table 16: Supported TACACS Types

TACACS Type Supported Version Service Shell Service Exec

tac_plus (Shruberry) F4.0.4.26 Not Applicable Supported
tac_plus (Probono) 201706241310 Supported Supported

201503290942/DES

CISCO ACS 4.4.0.46 Supported Not Applicable

5.3.0.40

Related topics:
• Access to the Access Control Page
• Adding AAA Servers
• Removing AAA Servers

15.2.3 Removing AAA Servers

Complete these steps to remove AAA servers:
1. Navigate to the Access Control page.
2. Select required options from Authentication source and Authorization source drop-down menus.
The systems lists all current servers.
3. Select required servers for removal.
4. Click Remove Server(s) at the upper right corner of the Servers section.
The systems lists all current servers.
Figure 376: Remove AAA Servers

5. Click Delete.
The system deletes selected AAA servers.

346
 Authentication & Authorization (CVP)

Related Topics:
• Access to the Access Control Page
• Adding AAA Servers
• Modifying AAA Servers

347
15.3 About Users and Roles
Account management is based on users and roles. In the CloudVision Portal, users and roles have specific
meaning.

Users A user is a person who uses the CVP application

and is authenticated by the system through the use
of account credentials (username and password).
which is maintained by CVP or external enterprise
servers. Only the users with account management
module credentials (Account management
administrator) can create and manage users.
The account management administrator specifies
the authentication credentials, name and contact
information, status, and CVP permissions when
creating user accounts for new users.
Account management administrators control which
CVP modules users are authorized to use by
assigning roles to users (the role assignments can
be changed as needed at any time).
Note: Activity of CVP users is logged and
can be viewed in the Audit Logs page.

Roles A role is a set of read and write module permissions

that defines user authorization to modules in
CloudVision Portal. The account management
administrator specifies the read and write
permissions of each module when they create roles.
Only account management administrators can create
and manage roles.
Roles enable account management administrators
to efficiently manage user permissions by assigning
roles to users, and by changing the role assigned to
users.
CloudVision Portal provides two default roles, one for
the system administrator (network-admin) and one
for a basic operator (network-operator).

348
 Authentication & Authorization (CVP)

15.3.1 Default Roles

CloudVision Portal provides two default roles. These default roles can be assigned to users as needed.

network-admin A user with the default “network-admin” role has

read and write permissions for all CVP modules.
In addition, this role has both device-level write
permissions and database-level write permissions.
network-operator A user with the default “network-operator” role has
only read permissions for all CVP modules. Users
with this role cannot make changes to the CVP
database.

Note: The read and write permissions cannot be changed for the default roles. But, custom roles can
be created where read and write permissions can be modified.
For more information, see Managing User Accounts.

15.4 Managing User Accounts

The system uses the following functionalities to manage user accounts:
• Adding New User Accounts
• Modifying User Accounts
• Removing User Accounts

15.4.1 Adding New User Accounts

When you create a new user account, you specify the login information (authentication credentials) of a
person that needs to use one or more CVP modules. Personal information for the new user account is
optional and can be specified when you create the new user or at a later time.
By default, new user accounts are enabled. The new user is able to use the CVP modules they are permitted
to use, based on the role assigned to them. If you do not want the new user to use CVP at this time, select
the Disable option (a Status option). You can enable the user account at a later time.
Note: As an alternative to creating user accounts in CVP, you can point CVP to an external AAA
server that automatically creates users and maps them to roles during first login.
Complete these steps to create a new user:
1. Navigate to the Access Control page.
2. Under Access Control in the left menu, click Users.

349
 The Users page lists all current users.
Figure 377: Users Page

3. Click + New User at the upper right corner of the Users page.
The system pops-up the New User window.
Note: The New User pop-up window creates users only with the ‘Local’ authentication type.

Figure 378: New User Pop-Up Window

4. Provide the required information in corresponding fields.

5. Click Save.
The new user account is created.
Note: If the specified role is unavailable in the local CVP, then the network-operator role is
automatically assigned to either the RADIUS or TACACS user. Unless you set the account status
to disabled, the new user is active using CVP modules based on the role assigned to the user. If
user roles conflict when multiple roles are assigned to a user account, the user role with higher
privileges is applied to the user account.
Related topics:
• Modifying User Accounts
• Removing User Accounts
• Viewing Activity Logs

350
 Authentication & Authorization (CVP)

15.4.2 Modifying User Accounts

Modifying user accounts enables you to change the following aspects of existing user accounts:
• Login information (password)
• Contact information (email address)
• Status (enabled or disabled)
• Role(s) (the CVP role(s) assigned to the user)
• Personal information (first and last names)
Note: Once changes are saved, they are implemented immediately.

Complete these steps to modify a user account.

1. Navigate to the Access Control page.
2. Under Access Control, click Users.
3. In the Users page, click the edit icon available next to the corresponding user name.
The system pops-up the Edit User window displaying all information related to the corresponding user.
Figure 379: Edit User Pop-Up Window

4. Modify the required information.

5. Click Save.
Related Topics:
• Adding New User Accounts
• Removing User Accounts
• Viewing Activity Logs

15.4.3 Removing User Accounts

Complete these steps to remove a user account:
1. Navigate to the Access Control page.
2. Under Access Control in the left, click Users.
The Users page appears displays all current user accounts.
3. Select the users for removal.
4. Click Remove User/Remove Users at the upper right corner of the Users page.

351
 The system prompts to confirm deletion.
Figure 380: Remove User Account

5. Click Delete.
The system deletes selected user accounts.
Related Topics:
• Adding New User Accounts
• Modifying User Accounts
• Viewing Activity Logs

15.5 Managing User Roles

The system uses the following functionalities to manage user roles:
• Adding New User Roles
• Modifying User Roles
• Removing User Roles

15.5.1 Adding New User Roles

CloudVision Portal enables you to create new roles as needed to ensure that you are able to efficiently
manage CVP user permissions. When you create a new role, you specify the read and write permissions for
each CVP module.
Once a role has been created, it is automatically added to the list of Available roles, and you can assign it to
users that should have the permissions defined in the role. When you assign the role to a user, they inherit
the read and write permissions defined in the role.
Complete the following steps to create new roles:
1. Navigate to the Access Control page.
2. Under Access Control in the left menu, click Roles.

352
 Authentication & Authorization (CVP)

The Roles page lists all current roles.

Figure 381: Roles Page

3. Click + New Role at the upper right corner of the Roles page.
The system pops-up the New Role window.
Figure 382: New Role Pop-Up Window

4. Provide the required information in corresponding fields.

5. Click Save.

353
 The new role is saved to the CVP database and is available to be assigned to users.
Note: The roles created can be assigned to locally created users or by the external AAA server to
its known users.
Related topics:
• Adding New User Roles
• Modifying User Roles
• Viewing Activity Logs

15.5.2 Modifying User Roles

CloudVision Portal provides the functionality required to change the permissions of an existing role. This
enables you to efficiently change the permissions of all users that are assigned the role. After you modify the
role, all users assigned the role inherit the read and write permissions defined in the new version of the role.
Complete the following steps to modify an existing role:
1. Navigate to the Access Control page.
2. Under in the left menu, click Roles.
3. In the Roles page, click the edit icon available next to the corresponding role name.
The system pops-up the Edit Role window displaying all information related to the corresponding role.
Figure 383: Edit Role Pop-Up Window

354
 Authentication & Authorization (CVP)

4. Modify the required Information.

5. Click Save.
The new version of the role is saved to the CVP database.
Note: All users assigned the role inherit the read and write permissions defined in the new version
of the role.
Related topics:
• Adding New User Roles
• Removing User Roles
• Viewing Activity Logs

15.5.3 Removing User Roles

Complete these steps to remove a user role:
1. Navigate to the Access Control page.
2. Under Access Control in the left menu, click Roles.
The Roles page lists all current user roles.
3. Select the required user roles for removal.
4. Click Remove Role/Remove Roles at the upper right corner of the Roles page.
The system prompts to confirm removal.
Figure 384: Remove User Role

5. Click Delete.
The system deletes selected user roles.
Note: A role assigned to user(s) cannot be deleted.

Related topics:
• Adding New User Roles
• Modifying User Roles
• Viewing Activity Logs

15.6 Service Accounts

The service accounts in CloudVision access APIs in a controlled manner. You must create authentication
tokens for service accounts to validate APIs.

355
 To access the Service Accounts screen, navigate to the Settings screen (Click the gear icon at the upper right
corner of the screen) > Access Control > Service Accounts.
The Service Accounts screen provides brief information of all service accounts in a tabular format. See the
figure below.
Figure 385: Service Accounts Screen

Note: The red exclamation mark on service accounts indicates expired tokens. Hovering the cursor
on the red exclamation mark displays the count of expired tokens.
You can perform the following tasks from this screen:
• Adding Service Accounts
• Editing Service Accounts
• Adding Tokens to Service Accounts
• Deleting Service Account Tokens

15.6.1 Adding Service Accounts

Perform the following steps to add a service account:
1. On the Service Accounts screen, click + Add Service Account.
The system displays the Add Service Account screen.
Figure 386: Add Service Account Screen

2. Type the service account name and description in respective fields.

3. Select preferred roles (optional) and status from respective dropdown menus.

356
 Authentication & Authorization (CVP)

Note:
• Enabled service accounts must have one or more roles assigned to it.
• Disabled service accounts may not have any roles assigned to it.
4. Click Save.
Note: If the Service Accounts screen does not display the new service account, Click Refresh.

15.6.2 Editing Service Accounts

Perform the following steps to edit a service account:
1. On the Service Accounts screen, click the required service account listed in the table.
CVP opens the Edit Service Account: service_name screen.
Figure 387: Edit Service Account Screen

Note: Alternatively, select the checkbox of required service account and click + Add Token to
Service Account.
2. Update required changes in the Description field, Roles dropdown and Status dropdown.
Note:
• Enabled service accounts must have one or more roles assigned to it.
• Disabled service accounts may not have any roles assigned to it.
3. Click Save.

15.6.3 Adding Tokens to Service Accounts

Perform the following steps to create a token for service accounts:
1. On the Service Accounts screen, click the required service account listed in the table.
CVP opens the Edit Service Account: service_name screen.
Note: Alternatively, select the checkbox of required service account and click + Add Token to
Service Account.
2. Under Generate Service Account Token, type brief summary in the Description field.

357
 See the figure below.
Figure 388: Generate Service Account Token

3. Click Pick Time and select the expiry date.

Note: The maximum duration for validity is one year.

4. Click Generate.
Note: If the table under Current Service Account Tokens does not display the new token, click
Refresh. The new token gets access to APIs based on roles selected for the service account.

15.6.4 Deleting Service Account Tokens

Perform the following steps to delete a service account:
1. On the Service Accounts screen, click the required service account listed in the table.
CVP opens the Edit Service Account: service_name screen. Tokens associated to this service accounts
are listed in the table under Current Service Account Tokens.
Note: Alternatively, select the checkbox of the required service account and click + Add Token to
Service Account.
2. Select token(s) to be deleted.
3. Click Remove Token(s).

358
 Authentication & Authorization (CVP)

See the figure below.

Figure 389: Delete Service Account Tokens

CVP prompts to confirm the initiated task.

4. Click Remove on the confirmation box.
See the figure below.
Figure 390: CVP Confirmation to Delete Tokens

5. Click Save.
Note:
• If the table continues to display deleted token(s), click Refresh.

359
 • To simultaneously delete all expired tokens across all service accounts, click Remove all
Expired tokens (n) on the Service Accounts screen where n stands for the number of expired
tokens.

15.7 Viewing Activity Logs

The Audit Logs page displays activity logs of user accounts and user roles.
Complete these steps to view activity logs:
1. Click the gear icon at the upper right corner of the CVP page.
2. Click Audit Logs on the left menu.
The system displays the Audit Logs page.
3. Select desired options from View logs for drop-down menus.
The system displays corresponding logs.
Figure 391: Audit Logs Page

15.8 Advanced Login Options

Multi-Factor Authentication (MFA) and One-Time Passwords authenticate all CVP managed devices when
you authenticate with CVP. CVP runs CLIs on managed devices by sending eAPI requests over the gRPC
connection established by TerminAttr.
Note:
• Under Cluster Management on the settings screen, enable Advanced login options for device
provisioning to use MFA and one-time passwords.
• CVP needs TACACS to perform command authorization and accounting as per EOS configuration.
• Use the new Device class to make eAPI requests for using this mechanism in Configlet Builder
python scripts.
Pre-requisities to install this feature are:
• Devices must run CVP 2018.2.3 or later releases
• Managed devices must have TerminAttr version 1.5.0 or later versions
Note: TerminAttr is included with EOS, but may be a version earlier than v1.5.0. Newer versions
are available as an extension (swix)
Refer to CVP and TerminAttr release notes available at https://www.arista.com/en/support/software-
download for detailed information on compatible TerminAttr versions with CVP and EOS.

360
 Authentication & Authorization (CVP)

• Ensure that the eAPI unix domain socket is enabled with management api http-commands and
protocol unix-socket configurations in devices running EOS releases prior to 4.20
To enable MFA and One-Time Passwords authentication, enable Advanced login options for device
provisioning using the toggle button under Cluster Management on the Settings page. See the figure
below.
Figure 392: Advanced Login Options for Device Provisioning Toggle Button

15.9 Access to the Access Control Page

To gain access to the Access Control Page, complete the following:
1. Click the gear icon on the home page.
Figure 393: Gear Icon

2. Click Access Control in the left menu.

The system displays the Initial Access Control screen.
Figure 394: Initial Access Control Page

361
 The system displays the Servers section when either RADIUS or TACACS is selected as Authentication
source.
Figure 395: AAA Access Control Page

• If the authentication is local, the authorization must be done locally.

• If the authentication is done externally, the authorization can be done locally or externally.

Table 17: Server Authentication and Authorization

Authentication Authorization
Local Local
RADIUS Local
RADIUS

TACACS Local
TACACS

Note: External servers supported by CloudVision are RADIUS and TACACS.

Related topics:
• Managing AAA Servers
• Managing User Accounts
• Managing User Roles
• Access Requirements for Image Bundle Upgrades

362
 Chapter 16

CloudVision Topology
The CloudVision Topology screen provides an explicit visual representation of the connectivity of your
network, allowing you to understand your network's structure and performance more easily. It provides the
following benefits:
• Easily understand parts of your network by collapsing or filtering out irrelevant parts
• Explore the historical state and performance of your network or watch it update live
• Support for both datacenter and campus style network connectivity
CloudVision topology provides Virtual Extensible LAN (VXLAN), Internet Protocol Security (IPsec), Distributed
Path Selection (DPS), and Link Layer Discovery Protocol (LLDP) network links between endpoints.
Note:
• Information and Statistics for each member link is accessed from the side panel. See Topology
Overview.
• If this screen does not display any devices, refer to the CVP release notes at https://
www.arista.com/en/support/software-download for compatibility issues.
To view the Topology screen, click the Topology tab on the CloudVision Portal.
Figure 396: Topology Screen

This screen is divided into main and side panels. The main panel displays the main topology visualization.
Devices are drawn with paths to connect them if they share at least one network connection. They are
grouped into containers that can be expanded or collapsed to control which portions of the network are
displayed in detail. See Main Panel of the Topology Screen .
The side panel provides the following panes to perform the specified functionalities:
• To customize the network view:
• Topology Overview
• Topology Layout Pane

363
 • Topology Options Pane
• To view the component information:
• Container Details Pane
• Device Details Pane
• Link Details Panel
• Flow Visibility

16.1 Main Panel of the Topology Screen

The main panel displays the network topology where devices are grouped into containers according to their
connectivity or assigned role in the network.
The icons in the following table represents specified containers:

Table 18: Icons Used in Network Topology

Cloud Datacenter Campus

Building Floor Pod

Rack Spine

The icons in the following table represents specified devices:

364
 CloudVision Topology

Table 19: Device Icons

Switch Wireless Access Point Management Device Badge

Note: Blue WAP

represents managed
devices. Gray WAP Note: This badge next to
represents unmanaged a device icon represents a
devices. management device.

Computer Third Party Device Telephone

This panel provides the following options for a detailed view:

• Zoom to fit icon - Click to fit the topology on the screen.
• Expand containers icon - Click to expand all containers in the topology.
• Collapse containers icon - Click to collapse all containers in the topology.
• Alternatively, right-click on the main panel to get Expand Network, Expand All, and Collapse All options.
Figure 397: Right-Click on a Device

Note: Right-click on a cluster to get cluster specific context menu options.

• Download icon - Click to open the Export Preview pop-up window. Click Export for downloading the
current topology image to your local drive in either PNG or SVG formats with selected image resolution.

365
 Note: We recommend to select higher resolutions for readable device labels in bigger topologies.

Figure 398: Export Preview Pop-Up Window

• Double-click on a container to expand it.

• To collapse a container, hover the cursor on a dotted rectangular box and click on the displayed hyphen
symbol.
Figure 399: Collapse a Container

• Click container component(s) to view corresponding information on the left panel.

• Selected components are highlighted with dashed frame.
Note: Press and hold the shift key while selecting multiple devices. Press and hold the shift key
while dragging to select a region.
• Hover the cursor on a topology component to view the count of corresponding events.
Note: You must enable the option to view events.

366
 CloudVision Topology

16.2 Topology Overview

The Topology Overview pane provides the following options:
• Layout - Click to view the Topology Layout pane. See Topology Layout Pane.
• Options - Click to view the Topology Options pane. See Topology Options Pane.
• Network Filters - Provides the following options to filter networks:
• Tags - To view desired tags by name and value. The main Topology view will be updated and only
devices with the chosen tags will be displayed.
• Management network - Display or hide management networks using the toggle button.
• VLAN membership - To view desired VLAN(s), type either a VLAN ID or a range of VLANs.
Figure 400: VLANs in Topology

Note: The right panel displays selected VLAN(s) distinguished with various colors.

• Link Overlay drop-down menu - Select an overlay to color each link based on selected metric type.
Options include:
• Active Events
• Bandwidth Utilization
• Discard Rate
• Error Rate
• Traffic Throughput
• VLANs
• None
• Devices
• Search field - Type the device name, MAC address, or model to perform a quick search.
• List of devices - Click on a device to view the detailed information of corresponding device. See Device
Details Pane.

367
16.3 Topology Layout Pane
On the Topology Overview pane, click Layout and select a container component from the topology on the
right panel to edit layout hints of multiple device(s) in the Topology Layout pane.
Figure 401: Topology Layout Pane

Topology automatically tries to guess a layout with specified containers and roles for your devices based on
their connectivity and advertised LLDP capabilities. However, you might sometimes find that the automatic
categorization is incorrect, or you simply want a custom layout different from what was originally envisioned.
The Layout pane lets you override the automatic categorizations and control the layout more directly.
The layout works on the basis of hints that describe the role of a device, whether it exists within a datacenter
or campus network, and where it should go in that network. Devices with similar roles and positions in the
hierarchy are grouped together. Parallel hierarchies like network pods or racks are created if different names
are used.

Examples
• A device named athens is a datacenter leaf switch, but it has no rack server connections yet
and is miscategorized as an edge switch. You can click on athens and then select Node type
as leaf to force it to take on a leaf role. It moves into the leaf position inside its datacenter
hierarchy.
• To partition your network into New York and San Francisco datacenters, multi-select the
devices or containers that must go in the New York datacenter, type New York in the
Datacenter field, and confirm it. Repeat the same process for San Francisco. Now, your
network is divided between these two datacenters, and you can expand or collapse New York
and San Francisco datacenters independently to view only one datacenter at a time.

This pane provides the following selections:

• Network type drop-down menu - Select the network type that most closely matches your network
arrangement. It provides the following options:
• Campus - Devices are manually arranged in containers for different buildings and floors. It provides the
following options:
• Node type drop-down menu - Select the preferred device type or roles.

368
 CloudVision Topology

• Building drop-down menu - Select the building name that the selected device preferred to be
placed into.
• Floor drop-down menu - Select the preferred floor number in the selected building.
• Devices drop-down menu (Optional) - Set a name to be used to group devices in the selected floor.
• Datacenter - Aspine-and-leaf type layout is used and devices are arranged into pods and racks. It
provides the following options:
• Node Type drop-down menu - Select the preferred device type or roles.
• Pod drop-down menu - Select the pod name that the selected device preferred to be placed into.
Note: Devices in different pods of the same datacenter appear in different pod containers
that can be expanded and collapsed independently.
• Rack drop-down menu - Select the name of a rack similar to pod.
• Show Advanced - Click to view the Skip Auto-Generated Classifications drop-down menu.
Note: Click Hide Advanced to hide the Skip Auto-Generated Classifications drop-down menu.
If the Skip Auto-Generated Classifications option is enabled, CVP does not automatically
identifies the device(s). Only manually-provided layout hints affect the layout of the selected
device(s).
• Set all to Auto - Use the automatic layout classification exclusively; all manually-specified layout hints are
removed from selected devices.
• Save button - Click to save latest changes.

16.4 Topology Options Pane

On the Topology Overview pane, click Options to edit display settings of topology.
Figure 402: Topology Options Screen

This pane provides the following selections:

• Show active events: toggle button - If this option is enabled, active events are shown as badges on
devices. These are the same events that are displayed on the Events page. If the same device has
multiple events, the badge type of the highest severity event is displayed. Containers also show badges
if they contain any devices with active events. This allows you to quickly find active events anywhere in a
large network.
Note: This option is enabled by default.

369
 • Use device images: toggle button - Enable this option to view photorealistic device images for identified
devices. If this option is disabled, icons are used instead. See Figure 403: Network Hierarchy Tree with
Images.
Figure 403: Network Hierarchy Tree with Images

• Auto-detect management devices: - If this option is disabled, CVP will not attempt to automatically
identify management devices. Devices are considered management devices if they are known to have a
relatively high number of connections over a management interface.
• Auto tagger hints pane - Influences the way devices are arranged. If a device’s hostname matches
the provided text string or regular expression, it will automatically be tagged with the given role. Options
include:
• Spine Hint: - Type a text string that is used to identify matching spine devices.
• Leaf Hint: - Type a text string that is used to identify matching leaf devices.
• Save button - Click to save latest changes.

370
 CloudVision Topology

16.5 Container Details Pane

To view more information about a device or the devices in a container, click the corresponding device or
container on the right panel.
Figure 404: Container Pane

This screen provides the following functionalities:

• Expand - Expands the selected container.
• Collapse - Collapses the selected container.
• Layout - Edits layout hints of the selected container. See Topology Layout Pane.
• Neighbors - Displays the list of connected devices from neighboring container.
Note: Click on any neighboring device name to view the corresponding device pane. See Device
Details Pane.
• Members - Displays the list of container members. Each entry provides the following options:
• Device name - Click to view the corresponding device pane. See Device Details Pane.
• View Connectivity - Click to view the connectivity between selected device and neighboring device.
See Link Details Panel.
• Active Events (Optional) - Displays events of the selected container. Click on an event link to view the
corresponding event details screen.
Note: This option is available only when the Show active events option is enabled in the
Topology Options pane. See Topology Options Pane.

371
16.6 Device Details Pane
To get a device pane, click on a device (switch, wireless access point, server, or telephone) on the right
panel. See Figure 405: Device Details Pane.
Figure 405: Device Details Pane

This screen provides the following functionalities:

• Additional information on the device.
• Device Overview - Click to view the Interface Overview screen. Device Overview
• Events - Click to view the Events summary screen. See Events Summary Screen.
• Layout - Click to edit layout hints of the selected device. See Topology Layout Pane.
• Neighbors - Displays the neighbors list of selected device. Each entry provides the following options:
• Device name - Click to view the corresponding device pane.
• View Connectivity - Click to view the connectivity between selected device and neighboring device.
See Link Details Panel.
• Active Events (Optional) - Displays events of the selected device. Click on an event link to view the
corresponding Event Details screen.
Note: This option is available only when the Show active events option is enabled in the Topology
Options pane. See Topology Options Pane.

372
 CloudVision Topology

16.7 Link Details Panel

To view the links panel, click on a connectivity link between two components on the right panel.
Figure 406: Links Panel

Links represent connections between devices or clusters of devices. If two devices or clusters have at least
one network connection, a link is drawn to connect them. If they have many network connections, they
still have a single link in the topology view and information provided for the link is aggregated over those
connections. Expanding and collapsing containers expand and collapse links; you may sometimes want to
expand containers to see links in greater detail.
This screen provides the following information of the selected connectivity link:
• Click on a device name to view the corresponding device panel.
• Metrics - Displays statistics of traffic throughput, bandwidth utilization, discard rate, and error rate.
Note: Hover the cursor on the metrics to view metrics at the corresponding time.

• Member Links - Displays the list of connected ports.

Note: Click on any connected port link to view the corresponding Interface Overview screen.

• Flows - Displays traffic flows active on the selected connectivity link.

Note: Clicking on a listed traffic flow link provides information on connected devices.

• Events - Displays events of the selected connectivity link. Click on an event link to view the corresponding
Event Details screen.
Note: This option is available only when the Show active events option is enabled in the
Topology Options panel. See Topology Options Pane.

373
16.8 Flow Visibility
On the Topology Overview pane, click Flows to open the Topology Flows panel. This screen displays traffic
flows detected by EOS devices on the network.
Figure 407: Topology Flow Search

Note:
• CVP displays traffic flows only when SFLOW or IPFIX are configured on EOS devices.
• For complete flow visibility, flow collectors are required on all devices along the traffic flow path.
The Topology Flows panel provides search filters.
Search for traffic flows the following filters:
• Data source (Flow Tracking (sFlow or IPFIX) or Inband telemetry
• IP address
• Host
• Port
• Protocol
• VRF
• Latency
• Locality
Use the Color links with total bytes in flows toggle button to view aggregated bytes or packets of a traffic
flow on a single link.
Note:
• The color of the link depends on the corresponding flow metric as displayed on the color chart.
• Hover the cursor on a topology flow to view the flow metric of the corresponding link.
You can limit the count of displayed flows via the options available in the Top menu. Traffic flows sorted
by the selected metric (Bytes, Packets, Mean Latency, Max Latency, and Min Latency from the results
sorted by menu are displayed on the top of the list.

374
 CloudVision Topology

The listed traffic flows in the side panel displays the five-tuple information. The arrow indicates the direction of
traffic flow.

Figure 408: Topology Host showing Flows

In this example, TCP protocol is used in the traffic flowing from p4-
proxy101.sjc.aristanetworks.com via 1666 port to bs332.sjc.aristanetworks.com via 37150 port.
36.6GB of data is flown over the given time window.

Flows are displayed based on the timeline selected at the bottom of the Window. To search previous flows,
select an earlier time by either using the timeline's time selector, or by dragging the displayed time window to
a different position.
Note: Live view updates the data every 60 seconds.

Flow Highlight
Clicking on a listed traffic flow result highlights the nodes and edges in the graph where the flow has been
seen. Animated dots indicate the direction of the traffic flow.
Figure 409: Highlighted Traffic Flow

Note:
• In environments that capture flow data through sFlow, devices may not capture short-lived or small
flows, especially if the selected time window is small.
• This highlight does not guarantee to capture the exact path; it just displays all the devices and links
where that flow was seen in the given time window.
The Devices Reporting Matching Flows section displays the five-tuple information and lists devices that
reported the flow. Each device entry includes the ingress and egress port-channels, ingress and egress
interface, packets, bytes and the timestamp when this flow was seen given the time window.

375
 Click on the following entities to view the corresponding specified information:
• Eye icon to magnify the device on the main panel
• Device hostname to view the Device Overview page
• Interface to view the Interface Overview page
• Explore button to view this flow on the Traffic Flows section

Flow Animation
To view traffic flow animation, click Settings on the Topology Overview panel and enable it using the
Enable traffic flows animation toggle button.
Figure 410: Enabling Traffic Flow Animation in Settings

Note: Few browsers consume high amounts of CPU to render traffic flow animations.

If traffic flow animation is disabled, animated dots are replaced with static arrows indicating the direction of
flow.
Figure 411: Topology with Disabled Traffic Flow Animation

376
 CloudVision Topology

Links Panel
The Links panel is accessible via clicking the Links tab and displays the topology connections where the top
traffic flows have been seen.
Figure 412: Links Panel

377
378
 Chapter 17

CloudVision Studios

CloudVision Studios is a powerful tool for managing the configuration of network features. The intuitive
interface is fully customizable, meaning that you can create and edit your own network features for
configuration. This gives you complete control over the configuration of your network.

Requirements
To use Studios, the following requirements must be installed:
• CloudVision minimum version: 2021.2.0

Features
The following features are available:
• Out-of-the-box support for common workflow configurations
• Unified Day-1 and Day-2 workflows
• Customizable Studios for bespoke workflow configuration
• In-depth and accessible change control
• Simultaneous configuration and management of separate network features
• First-class gRPC + REST APIs that easily integrate third-party resources

Known Limitations
The following is a list of known limitations in the beta-version of CloudVision Studios:
• Configuration-reconciliation: this is handled by the Network Provisioning UI
• CloudVision Studios cannot be applied to devices in an undefined container
• Studios rollback: once a Workspace and its configuration have been submitted, a user will need to undo
those changes by creating and submitting a new Workspace
• Studio input actions: scripts that automatically complete Studio inputs on a user's behalf (e.g. integrating
with an IPAM) are not yet supported
• Per-Studio or per-device RBAC: Phase 1 will include per-user roles and permission management that let
users read and write Studio data, but do not limit user roles to specific Studios
• Users should only have one Workspace open at a time. If users have two open Workspaces that contain
conflicts with one another and submit one of those Workspaces, the other may not be able to build
correctly. Consequently, that second Workspace may need to be abandoned or reconfigured
• Workspaces should not be created on CloudVision clusters that manage more than 100 devices

379
17.1 Getting Started with Studios
Before using Studios, it is important to understand the two main elements: the Studios and Workspaces. You
will use the two of these together to make changes to the mainline configuration of your network.

Studio
A Studio is an input template for a particular aspect or feature of a network. It defines the attributes of any
devices belonging to that feature. All your Studios are visible on the Studios home screen.
When you visit Studios for the first time, you will see that there are already several built-in Studios. These
cover some common network features, and each is explained separately in the section Built-In Studios. You
can create your own custom-built Studios so that you can determine a new network feature for configuration.

Workspace
A Workspace is what you use to create, configure, or edit a Studio’s inputs, and to tag the devices that
a Studio affects. It can be used to configure one or more Studios, which means that you can implement
configuration changes across multiple network features at the same time.
There are three states a Workspace can have:
• Submitted: A Workspace that has configured one or more Studios and been submitted for approval in
Change Control
• Open: A Workspace that has been created but not yet submitted
• Abandoned: A Workspace that has been discarded before submission
Note: Give any Workspace or Studio you create a relevant name and description, describing how it
relates to the configuration of your network.

380
 CloudVision Studios

17.2 Accessing Studios

Studios is currently in beta-version and needs to be enabled in the CloudVision settings before it can be used.
To enable Studios
1. Select the Settings icon in the top-right of CloudVision and browse the list of features for Studios (Beta).
Switch the toggle to the ON position.
Figure 413: Enabling Studios

2. Once you have enabled Studios, click on the Provisioning tab.

Figure 414: Provisioning Tab

381
 3. Select Studios on the sidebar.
Figure 415: Selecting Studios from the sidebar

4.
The Studios home screen is displayed. This is where you will initiate all your configurations. You can view
your Workspaces and see their statuses by selecting on Workspaces under Studios.

17.2.1 Per-Studio Role Based Access Control

Per-Studio Role Based Access Control (RBAC) provides CloudVision users with granular control over
access permissions for individual studios. A relevant user can grant differing permissions to other users for
both management and input configuration of individual studios. Management includes the studio creation
and deletion, its template, and its schema; input configuration includes the assignment of tags and the
configuration of a studio’s inputs.
A user’s permissions are controlled and assigned through the use of roles in Access Control. Each role is
configured with separate No Access, Read Only, or Read and Write access for the Management and Input
Configuration permissions of a studio.
By default there are no per-studio permissions for CloudVision built-in roles.

Role Permissions
On a per-studio basis, the permissions have the following effect:

Table 20: Role Permissions

Permission Management Input Configuration

No Access The user will not be able to access
the studio’s schema and template
or be able to delete the studio
Read Only The user will only be able view a
studios schema and template, and
will not be able to delete the studio
Read and Write The user can edit the schema
and template of a studio
and can delete the studio
The user will not be able to
see the studio in Studios
A user can only view the input
configuration and device
assignment of the studio
A user can configure
the device assignment
and inputs of the studio

382
 CloudVision Studios

Users may encounter on-screen errors when configuring roles if the permissions set for Management and
Input Configuration do not result in a valid combination. A summary of the valid combinations is available
here:

Table 21: Valid Role Based Combinations

Management Input Configuration

No Access No Access
Read Only • No Access
• Read Only
• Read and Write

Read and Write Read and Write

Related Topics:
• Enabling and Accessing Per-Studio Permissions
• Configuring Permissions for Studios Role Based Access Control
• Updating Workspace Permissions

17.2.1.1 Enabling and Accessing Per-Studio Permissions

The Studio Role Based Access Control must be enabled before it can be accessed.

Enabling Per-Studio Permissions

Per-Studio Role Based Access Control must be enabled in the Features section of General Settings.
1. Select the Setting icon to open the General Settings page.
2. Select the toggle for Studios Enhanced RBAC (Beta).
Figure 416: General Settings

Figure 417: Studios Role Based Access Control (RBAC) Toggle

383
 Accessing Per-Studio Permissions
Once Studios Role Based Access Control (RBAC) is enabled, any existing roles can be edited with per-studio
permissions or new roles can be created with those permissions and assigned to users.
The permissions can be accessed through Roles in Access Control when editing or creating a role. Scroll
down to Studios, which can be expanded to show the Per-Studio Permissions.
Figure 418: General Settings - Access Control - Roles

Figure 419: Roles Screen

Each studio available in Studios can be added and permissions assigned to the role for that studio. Any studio
that is not added to the list will have the global permissions defined above.

17.2.1.2 Configuring Permissions for Studios Role Based Access Control

Create a new role or edit an existing role, which will bring up the permissions modal. Scroll down to Studios
and expand it. You will then begin the process by configuring the default (global) permissions. After the
default permissions are set, you will configure the per-studio permissions.

1. Select a role from the list or select Add Role.

Figure 420: Roles List

384
 CloudVision Studios

2. From Module Access menu, open Studios.

Figure 421: Module Access Menu

3. Configure the default settings for Studios, which apply to all studios.
Note: The default permissions will be overridden by any per-studio permissions you assign for a
selected studio.
Figure 422: Studios Default Permissions

385
 4. Open the Per-Studio Permissions section of the menu.
Figure 423: Per-Studio Permissions

5. Select a Studio from the list or select Add Studio,

6. Set the Management and Input Configuration for the Studio.
Note: The permissions are set by default to the default permissions for Studios. Changing the
permissions will override the default permissions for the selected Studio.
7. You can add more Studios and configure the per-studio permissions for each. When you are finished
select Save.

17.2.1.3 Updating Workspace Permissions

The permissions for Workspaces are impacted by any per-studio permissions.
A user with Read and Write permissions for any studios will not be able to create or manage workspaces if
they do not have Read and Write permissions for Workspace Management. This means another user with the
relevant permissions will need to create and build workspaces. Similarly, a user must have Read and Write
access to Workspace Submission in order to submit a workspace. If a user has Read and Write access for a
studio, they will be unable to submit any workspaces they use to configure the studio.
An error will be displayed when the user’s per-studio permissions conflict with their Workspace Submission
permission.

386
 CloudVision Studios

17.3 Workflow Overview

Whenever you use Studios, you will begin by either creating a new Workspace or selecting an open
Workspace. You will use a Workspace to implement any changes you want to make to one or more Studios.
Once you have configured the changes, you will submit the Workspace. It will then be available in Change
Control for the relevant user to approve or reject.
If you aree using Studios for the first time, create a Workspace and then select the Inventory and Topology
Studio to commission devices for use in Studios.
Figure 424: Studios Workflow

Note: Once a Workspace has been submitted, it cannot be used again. If you wish to make further
changes to a Studio, you’ll need to create a new Workspace or select an open Workspace.

17.3.1 Commissioning Devices for Use in Studios

To configure any devices in Studios and Workspaces, you will first need to commission them for use in
Studios. This is the purpose of the Inventory and Topology Studio.
To commission devices, you will first create a Workspace and then select the Inventory and Topology Studio.
There you will add devices and configure their interface connections. These devices can then be assigned to
another Studio using tags.
Note: You will not be able to assign devices to any Studios until you have commissioned devices
using the Inventory and Topology Studio.

387
17.3.2 Creating a Workspace
1. Click Create Workspace, which will bring up the Create New Workspace modal.
Figure 425: Create a Workspace

2. Give your new Workspace a name and a description, and then click Create.
Figure 426: Name and Describe the Workspace

The Workplace you have created can now be used to manage the configuration of one or more Studios. It
will be available for use in the Workspace dropdown menu.

17.3.3 Configuring an Existing Studio

To begin the process of configuring a Studio, you will need to either create a Workspace or already have an
open Workspace available for use.

388
 CloudVision Studios

1. Create a Workspace or click the Workspace dropdown menu and select the open Workspace that you
want to configure the Studio inputs with.
Figure 427: Selecting a Workspace

2. Click on the existing Studio that you want to edit.

3. Manage the devices the Studio is assigned to by clicking Tag Assignment and selecting Assign Tags.
Figure 428: Tag Assignment

For more information on how to use Tags, see Tags.

Note: If the devices you wish to use for the Studio are not available for selection, you will need to
commission them for Studios with the Inventory and Topology Studio.
4. Navigate through the Studio interface and configure your new input values.
If you want to add or remove the input variables themselves, see Editing a Studio’s Schema.

389
 5. Once all the changes have been made, you can click Review Workspace.
Figure 429: Review Workspace

You will now be brought to the Build Screen that forms part of the Workspace submission process.
Note: If you want to make changes to multiple Studios with the same Workspace, do not click
Review Workspace at Step 4. Return to the Studios home screen and repeat Steps 1-3, selecting
the same Workspace for each Studio you want to configure.

17.3.4 Creating a New Studio

A new Studio will add a custom network feature to your Studio Suite, which you can then configure by
defining its inputs. When creating a new Studio, you select these inputs and build its interface with the use of
Schema.
1. Click the Workspace menu and select the Workspace you want to use to create the new Studio.
Figure 430: Select Workspace

390
 CloudVision Studios

2. Click the New Studio button in the header.

Figure 431: Create New Studio

3. The Edit screen is displayed. You must enter a name and description for the new Studio.
4. After providing the Studio a name and description, you can configure the data that the Studio will collect as
inputs. First click Schema then click Add Root Input.
Figure 432: Add Root Input

391
 5. Select one of the inputs to configure a variable of the Studio from the section labelled Add New Input. For
an explanation of schema inputs, see Input Types.
Figure 433: Add New Input

Note: You can configure the Schema input as a CLI configuration by using the Template function
once you have created the new input with Schema.
6. Once all the changes have been made, click Review Workspace to begin the build process. Once that is
completed, the Studio will appear in your Studio Suite.

17.3.5 Submitting a Workspace

1. Click the Review Workspace button in the header.

Figure 434: Review Workspace

2. The Workspace will be automatically built for submission, which includes input validation, compiling the
configuration, and the validation of the configuration. On the Build screen, you will be able to review the
proposed configuration changes.
Note: The Workspace is automatically built only for the first time that you click Review
Workspace. Any subsequent changes made after that will require that you re-build the Workspace
by clicking Build.

392
 CloudVision Studios

3. Once satisfied, you can click Submit Workspace.

Figure 435: Submit Workspace

4. You will be presented with a modal that will bring you to Change Control.
Figure 436: Workspace Submitted

The relevant user will then be able to approve the Workspace, and its configuration will then become part
of the mainline configuration of your network.

17.4 Studio Elements and Functions

To make the most of Studios, you will need to know a little more about the tools you have control over. This
section explains the full use of the different components that make up the Studios interface, which all either
form a part of or enhance the workflows.

17.4.1 Reviewing a Workspace

The Workspace build screen appears after you have clicked Review Workspace. It provides you with
important information on the Workspace’s configuration before submitting to Change Control for approval.

393
 There are several elements in the screen.
Figure 437: Reviewing a Workspace

17.4.1.1 Build Progress

The most important element for indicating if there are any problems with the Workspace configuration is
the Build Progress section. It shows you if the Workspace configuration contains any conflicts and if device
configlets have been compiled correctly. It is composed of three components:
• Input Validation: Checks whether the values of the inputs follow the schema rules.
• Configlet Compilation: Identifies any coding errors.
• Config Validation: Determines whether the affected devices can support the proposed configuration.
Figure 438: Build Progress

By clicking View Build Details, you can see each of these components for the individual devices that the
configuration affects.

This shows you the build progress for each device, and it helps you identify the devices the build progress
has failed on.

17.4.1.2 Workspace Summary

394
 CloudVision Studios

The Workspace Summary table provides a brief overview of the type of modifications that a Workspace will
make.
Figure 439: Workspace Summary

On the left-hand side, you can see each of the Studios that the configuration affects. On the right is displayed
the type of change that has been made with the Workspace. By clicking on the type of configuration change,
you will be brought to the screen in which that change was implemented.
Click View All Modification Details, to view all the configuration changes displayed together in the manner
of Schema inputs.

17.4.1.3 Proposed Configuration Changes

Review the Proposed Configuration Changes to compare the Workspace configuration changes with what
currently exists in the network.
Figure 440: Proposed Configuration Changes

This is shown for each individual device, and clicking on the device name will show you its proposed
configuration.
Figure 441: Proposed Configuration - Compare

On the left are your proposed changes and on the right is the existing configuration. It is color-coded for easy
reference:

395
 • Green = additions
• Blue = modifications
• Red = deletion

17.4.2 Tags
A tag is a value-label pair that you apply to a device or an interface. User Tags allows you to group devices or
interfaces that share a common characteristic under a tag. By way of example, you could have:
Role: Spine or DC: New York
With Studios, you can then use these User Tags to create a separate configuration for different groups of
devices. For instance, if you wish to separately configure the spines and leafs of a data center fabric, you can
do so by tagging the relevant devices as spines or leafs.
Note: User Tags are not just for Studios, they have already been implemented for use with Event
Customization, Event Notification, and Dashboard Configuration.

17.4.2.1 User Tags and System Tags

Only User Tags are supported in Studios, which are tags created and defined by a user of CloudVision
through the following process.
System Tags are created by CloudVision and based upon characteristics or attributes of devices. These tags
cannot be created or edited by you or any other CloudVision user. System tags are not static and could affect
the stability of any Workspace configurations you create. For this reason, only User Tags are available in
Studios.
Any changes made to User Tags can impact the configuration of devices. For this reason, User Tags can only
be deployed inside a Workspace. When you build the Workspace and review its changes, you will then see
any impact the tags have on the Workspace proposed configuration and can rectify it accordingly.

17.4.2.2 Creating Tags

To tag devices with User Tags, you will need to leave the Studios environment:
1. Click on the Provisioning tab, if necessary.
Figure 442: Provisioning Tab

396
 CloudVision Studios

2. Click on Tags.
Figure 443: Tags

3. Click Create Workspace or select an open Workspace from the dropdown menu.
Figure 444: Create Workspace

4. Select one or more devices or interfaces, and then enter a value under Add or Create Tags.
Figure 445: Add or Create Tags

5. Click Create and Assign to give the tag to the selected device or devices.

17.4.2.3 Applying Tags in Studios

397
 You will use User Tags in two places in Studios: as the field data for a resolver input, and when assigning a
Studio to devices.

Resolver Input
Resolver Input is a Container Type that allows you to apply the input variables associated with it to a selection
of devices. The following is an example of a resolver input, which, in this case, allows you to select tagged
devices that you will assign to an NTP server.
Figure 446: Resolver Input

Studio Tag Assignment

Within each Studio, with the exception of Inventory and Topology, there is a Tag Assignment option.
Figure 447: Tag Assignment

You will use Tag Assignment to specify the devices that any given Studio configuration affects. All of the
tagged devices you select must already have been commissioned for use in Studios with the Inventory and
Topology Studio. In order to assign devices, click Assign Tags and then enter a device tag query.
Figure 448: Tag Assignment

398
 CloudVision Studios

You can edit these tagged devices at any point with a Workspace by clicking the pencil icon to the right of the
last tag.
You can use tags to apply an entire Studio to a selected group of devices. For example, you may want the
configuration of a Studio to relate only to devices in a particular data center. All devices in that data center
can be tagged under a label, and you can assign that Studio to that tag label.

17.4.3 Schema
Schema are the input variables of a Studio and are used to collect data from a CloudVision User. They are
defined when either Creating a New Studio or editing an existing Studio. You do this by selecting an input
type in the Studio Edit screen and then completing a form.
Figure 449: Schema

17.4.3.1 Editing a Studio Schema

Only custom Studios can be edited.
Note: Built-in Studio schemas cannot be edited.

To edit a custom Studio Schema, create a new Workspace or select an open Workspace and then click the
Edit button within a Studio.
Figure 450: Editing a Studio Schema

At the Studio Edit screen, you can select Schema and the process will be the same as creating a new Studio.

399
 Note: While you cannot edit built-in Studios, you can export and then import the Studio as a clone
that you can edit.

17.4.3.2 Input Types

Schema inputs can be broadly classified into two categories:Base Types and Container Types.
Base Types are inputs that hold a real value and have a defined format. In general, these inputs can be
validated to ensure that their value matches the defined format. You can also add constraints that restrict the
values that can be entered in their fields.
Container Types are inputs that group one or more Base Types into a unit. They can be used to assign a set
of inputs to a specific group of devices, allow a Studio to provide multiple values for a given input, or to group
multiple Base Types and make them into an input unit.
Each input type is further divided into different data types:
Base Types consist of:
• String
• Integer
• Float
• Boolean
Container Types consist of:
• Resolver
• Collection
• Group
You can find a full description of each data type in Appendix 2: Schema Input Types.

17.4.4 Template
Once you have defined an the variables for an input under Schema, you can use Template to convert the
input into a CLI configuration. You can click on the input you want to configure, and then click Template.
Figure 451: Template

17.4.4.1 Mark-Up Language

You have a choice of two languages when writing a Template, Mako or Jinja2. The default setting is Mako,
but you can select Jinja2 or change back to Mako by using the below toggle:

400
 CloudVision Studios

Both Mako and Jinja2 have a lightweight syntax that allows you to leverage the underlying Python of Studios
to create an effective Template.
You can find a primer on Mako syntax here and for Jinja2 here. There is also a short guide for using Mako for
Template in Appendix 1: Mako Syntax.

17.4.5 Importing and Exporting Studios

Studios are saved and distributed as .yaml files. The file contains the entire schema definition, template, and
input values. You can easily import and export Studios using CloudVision.

Importing
1. Click Create Workspace or select an open Workspace from the dropdown menu.
2. Click Import.
Figure 452: Import

3. On the Import Studio modal, select the Studio file and then click Import.
The imported Studio will now be part of your Studio Suite.

Exporting
1. From your Studio Suite, select the Studio you wish to export.
2. Within the Studio screen, click Export.
Figure 453: Export

3. A pop-up box will appear, which will ask you the details for downloading the file. Enter the details and click
Download or Save.

17.5 Built-In Studios

There are currently seven built-in Studios in the beta-version, which each relate to a network feature. You can
create your own custom-built Studios by following the Creating a New Studio instructions.
Any devices you wish to include in a Workspace configuration must already have been commissioned by
using the Inventory and Topology Studio. Consequently, this is the first Studio that you should use and which
enables the use of all other Studios.

401
 When using any Studio, except for Inventory and Topology, it is important to remember that you need to
assign User Tags to the Studio. These tags relate to devices commissioned with the Inventory and Topology
Studio. Only devices tagged to a Studio will be affected by any proposed configuration.
When you open up any Studio, other than Inventory and Topology, you will see the tag assignment option.
Click Assign Tags and enter the User Tags for the devices you want the Studio to affect.
Figure 454: Tag Assignment

17.5.1 Inventory and Topology

This will be the first Studio that you’ll use, because it is responsible for making devices and their interfaces
available for configuration in Studios. It serves as a control point for separating or combining your wider
network topology with the topology that Studios configures.
With the Inventory and Topology Studio, you can accept devices and interface changes in your wider network
topology and incorporate those devices and changes into Studios configuration. You can also use it to
manually add devices and configure their interfaces for use in Studios.
Note: The Updates tab is the easiest way to commission devices for Studios, and is what you should
use most often. The Updates tab receives and displays device and interface changes in your wider
network, which you can quickly accept or ignore for use in Studios.

17.5.1.1 Adding a Device and Configuring its Interfaces

When you click on Inventory and Topology, the Inventory and Topology page is displayed.
Figure 455: Inventory and Topology

From the Inventory and Topology page you can add devices and then configure their interfaces. Any device
added here will be made available for use in other Studios. Once the information for each device has been

402
 CloudVision Studios

entered, click View. This will display the Devices page, which shows the interfaces on a selected device.
From this page you can add device interfaces and configure their connections to other device interfaces
Figure 456: Inventory and Topology - Device Interfaces

Note: All connections are bidirectional. It is not possible to create unidirectional connections.

17.5.1.2 Managing Updates to the Network Topology

Select the Updates tab, to view new devices and amendments to device connections in your network. You
can quickly add any device or interface changes in your network by using Updates.
Figure 457: Devices - Updates Tab

All updates and their type will be listed here, and you can choose to accept these updates or ignore them.
Accepting adds devices and their interfaces for use in Studios and updates any configuration in Studios the
device relates to. Ignoring the updates will omit them from being configured in any Studio.
Note: In the beta-version, clicking Ignore for Now will result in updates remaining in the Review
Updates list.

17.5.2 Connectivity Monitor

The Connectivity Monitor Studio configures an EOS feature to send probes to a remote host. EOS will then
report latency, jitter, round-trip times, and HTTP connectivity to those remote hosts. The corresponding
telemetry for the monitored hosts can be found under Devices and Dashboards.

403
 With Connectivity Monitor, you can set up or update the hosts and set which hosts should be monitored.
Select the Connectivity Monitor Studio to display the following screen.
Figure 458: Connectivity Monitor

From the Connectivity Monitor screen, the hosts that the probes will monitor can be defined. Enter a name for
the device followed by the IP address and a description for the host. Enter an optional HTTP URL, which will
configure the EOS to measure the HTTP response time for that URL.
Groups of devices can be defined for monitoring by an EOS probe using Host Monitoring. Use device tags to
define the host groups.
Figure 459: Host Monitoring

After one or more device tags have been defined, click on the arrow to the right. This will allow you to add
hosts to the tagged group for monitoring. These hosts must already have been defined in the previous Hosts
section.
Figure 460: Host Monitoring - Monitored Hosts

404
 CloudVision Studios

After the Studio has been configured, review the Workspace and submit to Change Control. Once it has been
approved, the results of the configured monitoring can be viewed by selecting the Connectivity Monitor under
Devices.
Figure 461: Devices - Connectivity Monitor

17.5.3 Date and Time

The Date and Time Studio is used to set the device time zones and to assign devices to NTP servers.

17.5.3.1 Setting a Device Time Zone

You can assign time zones to a set of tagged devices, and set a default time zone that is applied to all
assigned devices not specified with a device tag query.
To set a time zone, click Add Device Time Zone or Add Default Rule. If relevant, enter a device tag, and
then select a time zone from the drop down menu.

405
 Time zones are ordered alphabetically. If the desired time zone is not in the list, select Other and enter a
name for that time zone in the Other Time Zone field.
Figure 462: Setting a Device Time Zone

Once you have assigned time zones to devices and optionally set the default time zone, review and submit
the Workspace. Once it is approved and executed in Change Control, the new settings will come into effect
on your network.

17.5.3.2 Configuring the NTP Settings

You can assign devices to an NTP server using device tags. Click Add NTP Setting and then enter a device
tag to select devices with that tag. When done, click the arrow on the right.
Figure 463: Configuring the NTP Settings

Add NTP servers for these tagged devices by clicking Add NTP Server. Multiple servers can be added for
the selected device tag, but only one server should be set as preferred. You can also enable iburst, which

406
 CloudVision Studios

will send eight packets to the NTP server on start-up instead of a single packet. This will allow for faster
synchronization.
Figure 464: Configuring Additional NTP Settings

When you have assigned NTP servers to all the device tags, review and submit the Workspace. Once it is
approved and executed in Change Control, the NTP settings will come into effect on your network.

17.5.4 Interface Configuration

The Interface Configuration Studio is used to provision interfaces that have been defined elsewhere. With it,
you can configure interface speed, switchport mode, access VLAN or tagged VLANs, and enable or disable
the interface. You can set up profiles with configurations for these attributes, which can then be applied
to multiple interfaces. The use of profiles means that you do not need to separately configure repeating
attributes for each device.
Select Interface Configuration to display the following screen.
Figure 465: Interface Configuration

You can either configure an interface belonging to an individual device, or you can configure an interface
profile.

407
17.5.4.1 Configure a Device
All devices that have been commissioned for Studios using Inventory and Topology Studio will be listed under
Device. Select the device to configure one or more interfaces for by clicking the arrow on the right.
Figure 466: Configure a device

The list of interfaces that can be configured on this device and the available options are displayed. Scroll to
the right to see all of the available options.
There is also a profile option, which can be used to assign a profile to the device. If you assign a profile, you
do not need to enter a value for any other inputs; any values that you do enter for other inputs will override the
values of the profile.
Note: If a device you want to configure is not available for selection, add it using the Inventory and
Topology Studio.

17.5.4.2 Configuring a Profile

Profiles are used to avoid having to configure each device interface separately. You can create profiles
with different characteristics and then assign a single profile to a device interface, which will apply the
configuration associated with that profile to the interface of the device.

408
 CloudVision Studios

On the homescreen of Interface Configuration, click Add Profile. Enter a profile name and click the arrow on
the right. The following screen is displayed.
Figure 467: Configuring a Profile

From the Profile screen, the speed, the switchport mode, the VLAN access, or tagged VLANs can be set.
The mode selected for the interface may present you with more input options. When entering a description for
the profile, enter “$1” which will pull the individual interface’s description into the description when applied to
a device. For instance, you could give the profile description “Floor 3 phone ports: $1”; when you apply this
profile to a device interface with the description “Office 1”, the full description of the interface will then be read
elsewhere as: “Floor 3 Phone Ports: Office 1”.
When the profile has been configured, apply it to device interfaces by selecting a device to configure. The
profile can be applied to multiple interfaces across multiple devices. If you enter any individual interface
parameters with a profile selected, the individual parameters will override those of the profile.

17.5.5 Streaming Telemetry Agent

The Streaming Telemetry Agent Studio enables you to define the streaming telemetry agent (TerminAttr)
configuration for EOS devices streaming to CloudVision. The streaming telemetry agent is integral to the
communication of state between network devices and CloudVision.

409
 When you open the Studio, the following screen will be displayed.
Figure 468: Streaming Telemetry Agent

17.5.5.1 Authentication
The first input determines how device streaming should be authenticated. There are two ways for the CVP
server to authenticate the device sending the telemetry information:
• Certificate
• Ingest key

If you select No, the ingest key will be used, which is a shared cleartext key. This key is defined as part of the
CloudVision set up process.
By selecting Yes, certificates are used for streaming authentication. CloudVision generates a JSON Web
Token (JWT) that is then saved to a temporary location (e.g. /tmp/token). This token is used by TerminAttr
for the initial secure authentication, and once authentication is successful, TerminAttr generates a certificate
signing request (CSR) and sends it to the CloudVision server, which then signs the CSR with its own CA
certificate and provides the generated client certificate to TerminAttr and stores it in the certificate partition
on EOS. After this, TerminAttr will switch to using the client certificate and key, and renames the token by
appending .backup to the filename and will not use it anymore.

17.5.5.2 VRF Assignment

410
 CloudVision Studios

Once you have selected the mode for authenticating the data, the VRF assignment can be selected. Here you
will select devices with a tag query and then assign them to a VRF.
Figure 469: VRF Assignment

17.5.5.3 Device AAA Settings

You can select devices using a tag query and disable elements of AAA for them.
Figure 470: Device AAA Settings

When disabling AAA, you are disabling authorization and accounting for eAPI commands sent by CloudVision
to TerminAttr only when the Advanced Login setting is used. This does not affect AAA for other transports,
such as SSH or eAPI over HTTPS.
The Advanced Login setting has been the default login method since version 2021.2.0. It can use multi-
factor authentication and one-time passcodes to authenticate all CloudVision managed devices when you
authenticate with CloudVision. When you select Yes, all eAPI requests are sent over the gRPC session
established by TerminAttr instead of eAPI over HTTPS.
Disabling AAA is required in situations when the Advanced login setting is enabled and users are
authenticated with certain RADIUS servers, where the server does not support authorization requests that do
not have a preceding authentication request.

17.5.6 Campus Fabric

The Campus Fabric Studio provides a single point of control over the configuration of a campus network. The
Studio is designed to allow the user to deploy and manage campus devices within the network using design
patterns consistent with Arista best practices.

411
 The Studio supports two common campus fabric designs. These designs are illustrated below, with support in
beta-version for the L2 MLAG fabric.
Figure 471: Campus Fabric

17.5.6.1 Deploying and Configuring a Campus

Select Campus Fabric to display the Campus Fabric screen.
Figure 472: Campus Fabric

To create a new campus, click Add Campus and enter a name for the campus network. When done, click the
arrow on the right.
The main configuration screen for the campus will be displayed.
Figure 473: Tag Assignment

To assign devices that belong to this campus, cick the dropdown arrow beside Tag Assignment and click
Assign Tags. You can now add devices with a tag query to this campus network. If a desired device is not
present, add it using the Inventory and Topology Studio or, if the tag is not present, create a new User Tag.

412
 CloudVision Studios

Next, configure the parameters and aspects of the L2 MLAG fabric. These parameters are used throughout
the campus network when an MLAG pair exists. Configure the VLANs that will be defined for the campus
network. A special management network may be defined when in-band management of the switches is
required. The SVI virtual address is used as the anycast gateway across the campus Spline switches, as well
as an IP helper address for DHCP relay functionality.
Central to the configuration of a campus network is assigning the roles to the selected devices in its fabric.
They can be either campus Spline devices or leaf devices within a pod.
Figure 474: Assigning Roles

A campus Spline device may be used for both connecting downstream campus leaf switches, as well as
connecting hosts. The campus Spline device will often have links toward networks external to the campus
fabric.
A pod is a collection of leaf devices that connect to a campus Spline pair of switches. Each pod consists of
one or more switches and may be used to form an MLAG stack. Some examples of campus pods are shown
below:
Figure 475: Examples of Campus Pods

The selection of devices available to assign either as campus Splines or as members of a pod are those that
you defined earlier on this screen as belonging to the campus.
The connections between devices are configured in the Inventory and Topology Studio. If the devices are
already wired-up in your network, they will be shown there. If not, the intended connections can be specified
in that Studio, and configuration for those interfaces will be generated.

413
 To build a campus network, you’ll need the following connections:
• Between campus Splines: all interfaces connecting to the two Splines will be configured as an MLAG peer-
link port channel.
• Between Splines and campus pod primary and secondary: these connections are referred to as “uplinks”
and “downlinks”. They should be arranged according to the L2 MLAG design shown above. Configure
these connections as multi-chassis link aggregation (MLAG) port channels.
• Between the campus pod primary and secondary: all interfaces of the two leaf switches will be configured
as an MLAG peer link port channel.
• Between pod primary and secondary and pod members: the connections between these devices are
configured as multi-chassis link aggregation (MLAG) port channels
Once the configurations of your campus fabric have been set, submit the Workspace and your campus
network will be available for review and approval in Change Control.

17.5.7 Layer 3 Leaf-Spine

You’ll use this Studio along with EVPN Services to build a layer 3 leaf-spine network. The L3 Leaf-Spine
Studio configures Day 1 deployment of the network, and EVPN Services configures Day 2 operations.
Note: In its beta-version, the Studio only supports BGP EVPN-VXLAN fabrics. It does not currently
support the configuration of super-spines, multiple parallel transit connections between the same leaf
and spine switches, detect/set speed on interfaces, and doesn’t support recirc channels on platforms
that require them for VXLAN routing.
The Studio has been designed to support the following Arista validated L3 leaf-spine design:
Figure 476: Layer 3 Leaf-Spine

Note: In order to build this design, you’ll first need to use the Inventory and Topology Studio to either
accept the LLDP derived topology connections or manually add devices and interface connections.

17.5.7.1 Layer 3 Leaf-Spine - Required Tags

The following device tags must be in place before configuring the inputs in this Studio. You can create these
tags within the same Workspace by accessing Tags.

414
 CloudVision Studios

Table 22: Leaf-Spine Required Tags

Tag Example Description

DC DC: DC1 DC defines the data center that is
being configured.
DC-Pod DC-Pod: DC1 Data center pod name.
Role Role: Leaf Device Role. Can either be a leaf
or spine.
Role: Spine

Spine-Number Spine-Number: 1 The number for a spine device.

Each spine must have a unique
number.

Leaf-Domain Leaf-Domain: 1 Specifies the leafs within a

common AS, which is usually an
MLAG pair of leafs. The value
must be an integer.

Leaf-Number Leaf-Number: 1 The number for a leaf device.

Each leaf must have a unique
number.
Leaf pairs are assumed to be
numbered consecutively starting
with an odd number (e.g. the
device tagged Leaf-Number:9 and
the device tagged Leaf-Number:10
are two devices in an MLAG pair
of leafs).
If a leaf is not part of an MLAG
pair, just use one number of the
odd-even pair and do not use the
other number for another leaf (e.g.
the device tagged Leaf-Number:1
will be configured as a standalone
leaf if no other device is tagged
Leaf-Number:2).

415
 The tag placement is illustrated in the following diagram:
Figure 477: Layer 3 Leaf-Spine - Required Tags

17.5.7.2 Configuring the Fabric

Once tags are in place, you can create a data center in the Studio using the Data Center (DC) tag.
Figure 478: Configuring the Fabric

416
 CloudVision Studios

After a data center is in place, then create and configure its pods. Each pod is a leaf-spine module inside the
data center fabric. Use the DC-Pod tag to assign devices to a pod.
Figure 479: Configuring the Fabric - Pods

Next, you will be presented with pre-filled values for the fabric of this pod, along with sections that allow you to
add leaf and spine devices. Change the fabric configuration for the pod as needed.
Figure 480: Configuring the Fabric - Pod Configuration

417
 You can add spine and leaf devices by using the Role tag. When adding a leaf device, you can further specify
an ASN that will override the ASN number set at the pod level. You’ll also be able to see on this screen a
summary of all the devices in this domain.
Figure 481: Configuring the Fabric - Summary

Once you have configured all the data centers, pods, and their devices, review and submit the Workspace.
A change control containing the configuration updates associated with the changes from the Workspace
will be created. Review, approve, and execute the change control for the fabric configuration defined in the
Workspace to take effect in the network.
Note: You can then stretch VLANs and VRFs across the newly deployed pods by using the EVPN
Services Studio.

17.5.8 EVPN Services

The EVPN Services Studio allows you to deploy L2 and L3 network services. These services are applied to
tenants that you create. Each tenant shares a common Virtual Network Identifier (VNI) range for MAC-VRF
assignment.
Note: EVPN Services Studio is designed to implement Day 2 operations on top of the Day 1 fabric
created with the Layer 3 Leaf-Spine Studio.

17.5.8.1 EVPN Services - Required Tags

The following tags are required for this Studio. They will already be in place if you have deployed an L3 leaf-
spine fabric with the Layer 3 Leaf-Spine Fabric Studio.

418
 CloudVision Studios

Table 23: Required Tags

Tag Example Description

router_bgp.as
router_bgp.router_id
mlag_configuration.peer_link
router_bgp.as:65050
router_bgp.router_id:172.16.0.1
mlag_configuration.peer_link:Port- Specifies the MLAG peer link used
Channel2000
Defines the BGP ASN that the
switch will use when configuring
overlay VRFs, VLANs, and VLAN
aware bundles.
Defines the BGP Router ID used
on the switch and makes up part
of the route-distinguisher and
route-target fields.
on a switch that has an MLAG
peer.
Note: This tag is only
necessary for MLAG peer
relevant configuration.

Leaf-Domain Leaf-Domain:1 Specifies the leafs within a

common AS, which are usually an
MLAG pair of Leafs.
The value must be an integer.
Note: This tag is only
necessary for MLAG peer
relevant configuration.

Leaf-Number Leaf-Number:1 For a leaf device, its number.

Each leaf must have a unique
number.
Leaf pairs are assumed to be
numbered consecutively starting
with an odd number (e.g. the
device tagged Leaf-Number:9 and
the device tagged Leaf-Number:10
are two devices in an MLAG pair
of leafs).
If a leaf is not part of an MLAG
pair, just use one number of the
odd-even pair and don’t use the
other number for another leaf (e.g.
the device tagged Leaf-Number:1
will be configured as a standalone
leaf if no other device is tagged
Leaf-Number:2).
Note: This tag is only
necessary for MLAG peer
relevant configuration.

Note: If you do not want to use the L3 Leaf-Spine Fabric Studio, then you will need to create these
tags before configuring the EVPN Services Studio.

419
17.5.8.2 Configuring EVPN Services
When you open EVPN Services, the following screen will be displayed. From this screen, tenants are created
and the default VRF and MAC-VRF attributes for all tenants are created.
Figure 482: Configuring EVPN Services

420
 CloudVision Studios

When creating a tenant or selecting an existing tenant to configure, you can create VRFs and VLANs for use
within this tenant. You will also determine the base number used to generate VNIs.
Figure 483: Configuring EVPN Tenants

17.5.8.3 VRFs

421
 When configuring a VRF, always specify a VNI. The remaining fields are all optional and their use depends
upon how you are configuring your network.
Figure 484: VRFs

The iBGP Detail fields are necessary when a VTEP is composed of a pair of leaf switches that have a host
(or hosts) connected to only one switch in an MLAG pair. If incoming traffic arrives at the leaf switch in the
pair that the host is not connected to, the leaf switch will drop that packet. By configuring a VLAN and SVI to
establish an IBGP peering on for this VRF, both switches in an MLAG pair are aware of all host connections
including those connected to only one switch.
NAT Source Details are used to configure a virtual source NAT address for the VRF. It is used mainly for
troubleshooting, because all VTEPs share the same IP address and MAC address for each SVI. This means
that pings to workloads behind remote VTEPs or local workloads (e.g. MLAG VTEPs) may not be successful
because the reply cannot be returned. When the destination host responds to either an ARP request or
ICMP echo request, the reply is processed by the first VTEP it arrives at, which is because all VTEPs have
the same IP and MAC address. In order for each VTEP to successfully ping a workload, configuring a NAT
source address enables a dedicated loopback interface that can be used as the source address for pings
within a VRF.
The Override VRF Attributes section allows you to override the default VRF attributes associated with this
VRF.

17.5.8.4 VLANs

422
 CloudVision Studios

A name must be provided for each VLAN that is created. Then select whether it is applied to a routed or
bridged setting.
Figure 485: VLANs

By default, the toggle is set to routed. You can also provide details of a DHCP server and provide a default
gateway by entering a Switched Virtual Interface (SVI) virtual IP address, which are options only available
with a routed VLAN.
The last two options, Devices and Override Attributes, are shared with a bridged VLAN, where devices can be
assigned to this VLAN and override the default values generated for configuration elements associated with
this VLAN.
Note: When assigning devices to a VLAN, make sure to toggle the value for the Apply column to Yes
to configure that VLAN.

17.5.8.5 VLAN Aware Bundles

423
 You can bundle VLANs that have already been created within a tenant into VLAN aware bundles. Each
bundle consists of a range of VLANs that share the same MAC-VRF attributes, which you can define by
overriding the default MAC-VRF attributes shared across tenants.
Figure 486: VLAN Aware Bundles

17.5.9 Segment Security

The Segment Security Studio enables you to separate your network into logical domains. Each domain
contains a set of segments and policies that determine the forwarding behavior between segments. A
segment describes a set of endpoints with identical security policies and network access privileges.
Figure 487: Segment Security

424
 CloudVision Studios

To create a segmentation domain, click Add Domain and enter a device tag query. A segmentation domain
is identified by device tags, which gives you the ability to select a group of switches that form the domain. All
devices in the same domain will be configured with identical segmentation policies.
Figure 488: Segment Security - Add Domain

Once you have created the domain, click the arrow on the right, and the Policies screen will be displayed.
Figure 489: Segment Security - Policies

Enter a segment a name and identify its members. The segment membership is based upon either IPv4 or
IPv6 prefixes, or both.
Next, set the security policies between segments. These policies apply to a single VRF. Configure segment
policies for the VRF by clicking View underneath the Policies heading. Determine the relationship between
pairs of segments inside the domain and the forwarding behavior of traffic between them.

17.6 MSS-G with Dynamic Configuration from Forescout

Using Forescout, an MSS-G configuration can be pushed automatically to CloudVision. This section covers
the use of Forescout eyeSegment for policy definition and eyeSight for segment assignment. These systems
produce an MSS-G configuration that is dynamic, and while visible on CloudVision, it bypasses the CLI on
switches and will therefore not show up in the device running config.
There are two integration points from Forescout into Arista MSS-G:
• host to segment mapping in the Forescout console’s Policy Manager
• segment policy definition in Forescout eyeSegment
Both integration points are described below. Before deploying this integration, note that there is a terminology
overlap:

425
 • Arista MSS-G uses the terms “group” and “segment” interchangeably.
• The segments defined in the Forescout console under Tools > Segment Manager are static ranges
designed to indicate areas of the network managed by Forescout and are unrelated to Arista MSS-G
segments.
• The groups defined in the Forescout console Policy Manager are for organizing host/user/device
taxonomy. Although it is possible through the Forescout Policy Manager to map each Forescout Group
to an Arista MSS-G group, it is neither automatic nor required. In the majority of use cases, Forescout
Groups will be hierarchical and not map directly to Arista MSS-G groups; instead, Arista MSS-G groups
will be defined by Forescout Policies that may consider hosts/users/devices across several Forescout
Groups.

Requirements
To configure MSS-G with Dynamic Configuration from Forescout the system must meet the following
requirements:
On the Arista side:
• EOS 4.27.1F+
• TerminAttr 1.22+
• CloudVision 2022.1.1+.
• On the Forescout side it’s GA for Continuum 8.4.0, eyeSegment 5.18.0 (recommend 5.19.0), and the
Forescout Arista MSS-G 1.0.0 module.
On the Forescout side:
• Continuum 8.4.0
• eyeSegment 5.18.0 (recommend 5.19.0)
• Forescout Arista MSS-G 1.0.0 module.

Limitations
Note the following limitations before configuring MSS-G with Dynamic Configuration from Forescout.
• Port matching: Policies are enforced based on IP address, and at this time there is no support for port or
protocol matching.
• 60-segment limit: Arista CloudVision and EOS switches support a maximum of 60 segments.
• Single segmentation domain: All EOS switches participating in MSS-G receive all host-to-segment
assignments transmitted from Forescout eyeSight to Arista CloudVision.
• Single VRF: The integration supports just a single Virtual Routing and Forwarding instance, or VRF. That
VRF is configurable, but by default it uses the default VRF.
• Initial sync time: The initial transmission of host-to-segment assignments from CounterACT to CloudVision
could take up to an hour, depending on the number of hosts, the number of CounterACT appliances,
and the latency between CounterACT and CloudVision. It can be made much faster by enabling dynamic
configuration on participating switches after CloudVision has received all initial segmentation configuration.
• Host scale: The integration supports up to 25,000 hosts in its initial phase. Enforcement point scale: The
integration supports up to 100 enforcement points. Note that not all switches must be used as enforcement
points. As long as traffic flows through an MSS-G capable enforcement point, policies will be enforced.
• Supported actions: Currently, the supported actions are forward and drop.
• IPv6: IPv6 is not currently supported in this integration.
• Wifi endpoints: To make the integration work with wireless clients, access points must be configured to
forward traffic in the clear to an enforcement point.

17.6.1 Deployment Guidelines

• Subnets: eyeSight applies policies to single hosts, but users may assign all hosts within a subnet to a
single segment using CloudVision Studios.

426
 CloudVision Studios

• Default forwarding behavior: Policies are enforced based on destination address. There are three cases.
• The source and destination address each belong to a segment, and there is a segment-policy defined
that determines the forwarding behavior for the packet. In this case, participating switches will enforce
the configured segment policy.
• The destination address does not belong to any segment. In this case, there is no MSS-G configuration
to enforce, and the switch’s actions will reflect whatever non-MSS-G configuration exists on the switch.
• The destination address belongs to a segment, but either the source address does not or there is
no segment policy to determine what action the switch should take. In this case the switch uses
an “unspecified policy action” default, which could be DROP or FORWARD. This can be set in the
eyeSegment MSS-G plugin.
• One segment per host: A host IP address can exist in only one Arista segment (e.g., an IT admin user
cannot be in both a “user” and an “admin” segment simultaneously).
• Flat segment-policy hierarchy: eyeSegment policies destined for export to Arista CloudVision must not
contain exceptions or make use of the “Any” group, eyeSegment virtual zones (e.g., Internal), or deleted
zones. Improperly formed policies won’t be exported.
• Bidirectional segment policies: Users should typically construct policies to forward or drop traffic in
mirrored fashion (e.g., Zone A to Zone B Allow All and Zone B to Zone A Allow All). It is not strictly
necessary to define rules both ways, but given the probability of bidirectional traffic, users will usually want
to configure policies bidirectionally.
• Export to CloudVision: The export to CloudVision is disabled by default until eyeSegment version 5.19, but
can be enabled via the fstool command. Starting with version 5.19 it is enabled by default.
• Resynchronization: Users must configure resynchronization per host-to-segment assignment policy or else
CounterACT will never transmit host-to-segment assignments for hosts it learns while its connection to
CloudVision is down. All deployments should use resync. Instructions for setting up resync can be found in
the policy template.
• Policy export flap: Exporting policies from eyeSegment to MSS-G may result in a brief period of forwarding
disruption as switches remove and then re-apply policies.
• Switch forwarding table partition: The EOS switches must have forwarding table partitions in place that
allow for the desired host scale.
• A CloudVision certificate should be imported into Forescout Continuum’s trusted certificates in order to
secure the connection between Forescout Continuum and CloudVision.
• On 4GB switches there may not be sufficient memory to run dynamic MSS-G and sFlow.

17.6.2 Install the Arista MSS-G Module

Forescout’s Arista MSS-G module adds the ability to connect to CloudVision and also assigns MSS-G
segment ID in the policy manager.
The MSS-G module is an *.fpi file just like any other Forescout module.
Figure 490: Forescout MSS-G Module

427
 Once installed, double-click on the Arista MSS-G module from the list and enter the CloudVision information:
Figure 491: Forescout - Arista MSS-G Plug-in

17.6.3 Specify Group Assignments with Forescout Policy Manager

The Forescout Policy Manager can be used to assign a user/host/device to an Arista MSS-G segment. This
function is available as an action inside any Forescout policy. The conditions for classifying an endpoint to a
group within the Forescout policy manager can be advanced combinations of many pieces of data, including
DHCP vendor class, DNS event, SNMP system uptime, OS version, Active Directory group, and many other
factors. In the example below, other policies (not shown) have classified cameras into the “IOT-Camera''
Forescout group.
In the following example, another policy is defined that assigns the Arista Segment ID of “IOT-Camera” to
all the members of the Forescout “IOT-Camera” group. Note that although the example shows a matching
Forescout group and Arista MSS-G segment name, this is not required. However, if groups are defined on
Forescout and segment policies are defined on CloudVision, then it is mandatory to have matching names.

428
 CloudVision Studios

Note: Group names configured on Forescout should not contain spaces.

Figure 492: Defining a Segment Policy

17.6.4 Define segment policies in eyeSegment

The Forescout eyeSegment interface can be used to define Arista MSS-G Segment policies. The Zones
listed in each eyeSegment policy must match with Arista MSS-G group names being used by Forescout
Policy Manager or CloudVision to map IP addresses to groups. Forescout eyeSegment policies that are to be
exported to CloudVision must use “All” in the services field.
Figure 493: Exporting eyeSegment policies into CloudVision

Select Export to Arista MSS-G to export eyeSegment policies into CloudVision. Check that the appropriate
segment-policies show up in CloudVision’s network-wide Network Segmentation view. All Forescout

429
 eyeSegment policies must be exported at the same time. If a subset of policies is exported, previously
exported eyeSegment policies not currently selected will be removed.

Enable OpenConfig on Arista switches

On participating, segmentation-enabled Arista devices, enable OpenConfig with the following commands:

>en
#conf
(config)#management api gnmi
(config-mgmt-api-gnmi)#transport grpc default
(config-gnmi-transport-default)#no shutdown

Enable Dynamic Configuration on Arista switches

Add the flag -cvconfig=true to the TerminAttr configuration on each participating switch:

(config)#daemon TerminAttr
(config-daemon-TerminAttr)#exec /usr/bin/TerminAttr -ingestgrpcurl=<address>:<
port> -cvcompression=gzip -ingestauth=token,/tmp/token … -cvconfig=true
(config-daemon-TerminAttr)#no shut

17.6.5 Forescout with Studios

You may add a segmentation configuration via both CVP Studios and Forescout, if desired. However, the
configuration should be non-overlapping.
One use-case is defining default policies. Forescout allows you to associate known hosts with segments, and
will push segment-policies to CloudVision. However, it does not provide you a way to describe the desired
forwarding behavior for unknown hosts. This may be important if, for example, you want to define the desired
forwarding behavior between known hosts in the network and the Internet. In this case, you may define a
segment with an IP prefix that captures the desired set of unknown hosts (possibly 0.0.0.0/0) and specify
segment-policies between this default segment and other defined segments.

17.7 ISE/MSS-G Integration

ISE/MSS-G integration uses TrustSec data from Cisco ISE to create an MSS-G configuration to distribute
to switches via CloudVision. The integration is implemented by an ISE provider that runs in the third-party
collector. It maps TrustSec Security Groups (SGTs), Access Control Lists, and policies into MSS-Segments
and policies. The integration is built on top of Cisco ISE’s External RESTful Services (ERS) and pxGrid APIs.
Most of the integration is based on pxGrid and some information that is not available through pxGrid is loaded
using the ERS REST APIs.

17.7.1 Prerequisites
The integration requires a few configurations in Cisco ISE. Refer to Cisco ISE documentation for configuration
information.
• A pxGrid compatible license is necessary.
• The pxGrid service must be enabled.
• The ERS service must be enabled.
• There must be a user with ERS access permission.
• ISE certificates must contain Subject Alternative Name (SAN). Common Name based certificates will be
rejected.

430
 CloudVision Studios

Note: Skipping CA validation is possible and may be used as a workaround if necessary.

Known Limitations
• Both ERS and pxGrid are needed.
• Dynamic IP prefix updates and rule changes may take up to 30 seconds to be updated in CloudVision.
• Layer-4 policies are not supported. Policies must be either accept-all or deny-all. ACL rules are limited to
only permit ip and deny ip.
• Hostnames are not supported, i.e., static ISE configuration that is specified using hostnames will not be
applied to CloudVision or to the switches and may cause issues to the integration.
• Setting up the ISE collector will clear all existing segmentation configuration in CloudVision.
• ISE SGT Mapping Groups are not supported.
• The MONITOR egress cell option is not supported.
• Only one Matrix configuration is supported.

17.7.2 Certificates for pxGrid integration

The ISE collector uses pxGrid as part of the integration with Cisco ISE. Client certificates are necessary to
communicate with pxGrid. The certificates can be generated in the Cisco ISE web interface.
Verifying pxGrid is enabled in ISE:
1. Login as an administrator to the Cisco ISE web interface.
2. Navigate to Administration # Deployment.
3. Check the box called pxGrid.
4. Save changes.

Generating a Certificate
For information and instructions to generate certificates, refer to the official Cisco ISE documentation.

17.7.3 Configuring the ISE Collector

Before the ISE collector can be configured, it must be onboarded and enabled.

Enable Third Party Device Onboarding

1. Navigate to Settings (Gear icon on top right) # General Settings.
2. Enable Third Party Device Onboarding.
3. Enable Onboard Cisco ISE Devices.
4. Enable Inventory Resource API. This will show the onboarding in the User Interface.
From the Onboarding interface.
1. Navigate to Device # Device Registration.
2. Select the first tab Device Onboarding.
3. Under Onboard Non-EOS and Third Party Devices, select the template Cisco ISE.

Onboarding ISE
Complete the form and select Onboard.
• Cisco ISE URL (including protocol): https://ise-host.com
Note: Use the fully qualified hostname. Include the protocol, such as https://.

• Cisco ISE Cert File: Upload the file COMMON_NAME_.cer

431
 • Cisco ISE Key File: Upload the file client.key (decrypted)
• Cisco ISE CA File: Upload chain.cer
Note: If deployment fails due to errors in validating the certificate, it may be because the Cisco ISE
certificates do not specify the Subject Alternative Name option, which is required.
• pxGrid Port: Leave the default value (8910) or provide the port configured in ISE.
• pxGrid User: arista-ise-integration
• ERS Username: user_with_ers_permission
• ERS Password: password_for_user_above
Upon successful onboarding, the collector client will appear in the Cisco ISE user interface.
1. From Administration navigate to pxGrid Services and select All Clients.
2. Find the username in the table.
3. Check the relevant row.
4. Click Approve at the top of the table.
5. Allow up to one minute for the collector to notice the approval.
6. Data will start streaming to CloudVision. This may be checked in the telemetry browser in CloudVision:
Dataset: analytics
Path: /yang/arista/segmentation/config/domain
7. Devices onboarded to CloudVision with OpenConfig and MSS-G enabled will receive and apply the
configurations.

432
 Chapter 18

Using Snapshots to Monitor Devices

CloudVision enables you to monitor changes in the state of the devices in your network over time through the
use of snapshots.
Note: Starting from 2018.2.0 release, snapshots UI is available as part of the Device View in
Telemetry.
Sections in this chapter include:
• About Snapshots
• Standard Information in Snapshots
• How to Use Snapshots
• Accessing Snapshots
• Accessing Snapshot Configurations
• Defining Custom Snapshot Templates
• Editing Custom Snapshot Templates
• Viewing Snapshots Differences

18.1 About Snapshots

In CloudVision, the snapshot service runs as a scheduler to capture device snapshots periodically.
The information recorded in snapshots provides you with insights on the configuration, EOS image, and other
aspects of the device. Snapshots are captured for individual devices (single switches) only.

18.2 Standard Information in Snapshots

The information recorded in the snapshot reflects the state of the device at the time snapshot was captured. A
snapshot only contains outputs of custom commands that are part of a snapshot template. (You must select
a snapshot template when you capture a snapshot.) See Defining Custom Snapshot Templates and Editing
Custom Snapshot Templates for information on using snapshot templates.
When upgrading to the 2018.2 train, only snapshot templates are migrated but not previous snapshots.
CloudVision stores migrated templates without any device list associated with them. Hence, they are marked
as unscheduled. However, these templates can be used to capture snapshots before and after change
controls.

433
18.3 How to Use Snapshots
In CloudVision, snapshot service schedules and periodically captures the outputs of commands that are
specified in the template. The frequency of capturing command outputs is based on the scheduling frequency
mentioned in the snapshot template. The information recorded in snapshots can provide you with insights on
the configuration, EOS image, and other aspects of the device. Snapshots are captured for individual devices
(single switches) only.
The main uses of snapshots are:
• Viewing snapshots to understand the state of a device at a given time, or over time.
• Comparing snapshots to see the change in state of a device between two points in time.
• Comparing snapshots to see the state of a device before and after a change control.

18.4 Accessing Snapshots

Snapshots are stored under the CVP dataset, which you can access any time for detailed analysis. The
Snapshots page displays all valid snapshots created over time. Each valid snapshot provides the following
additional information:
• Name - The name of the template (you assign the name when you create the template).
• Capture Time - The date and time when the snapshot was last captured.
• Last Executed By - The user that captured the snapshot.
It also allows navigating to snapshots of the corresponding snapshot template.
Figure 494: Snapshots Page

You can navigate to the Snapshots page through one of the following paths:
• Inventory > Device_ID > Snapshots
• Network Provisioning > Right-click on the required device > Snapshot.

434
 Using Snapshots to Monitor Devices

18.5 Accessing Snapshot Configurations

The Snapshot Configuration page displays all snapshot templates created over time. It further allows you
to edit current snapshot configuration, navigate to the Snapshots page, view the status of each snapshot
configuration, and create a new custom snapshot configuration.
Figure 495: Snapshot Configuration Page

You can navigate to the Snapshot Configuration page through one of the following paths:
• Inventory > Device_ID > Snapshots > Snapshot Configuration
• Network Provisioning > Right-click on the required device > Snapshot > Snapshot Configuration.

18.6 Defining Custom Snapshot Templates

To ensure that snapshots contain the information you need for effectively monitoring changes in the state of
devices over a certain period of time, CloudVision allows you to define custom snapshot templates.
A snapshot template defines commands, outputs of which need to be captured as part of the snapshot
using that template. When you create a snapshot template, associate a list of devices, and set an execution
frequency with it, the snapshot service starts capturing and storing snapshots for that template based on the
scheduled frequency.
Complete the following steps to define a new custom snapshot template:
1. Navigate to Inventory > Device_ID > Snapshots > Snapshot Configuration.
The Snapshot Configuration page displays currently available snapshot templates.
2. Click the (or create a new configuration) hyperlink at the lower right side of the page.

435
 The Snapshot Configuration page displays the Add Snapshot Configuration section.
Figure 496: Add Snapshot Configuration Section

3. In the Name field, type the name of the custom snapshot template.
4. In the Commands field, enter the EOS CLI commands to be executed by the snapshot.
5. If necessary, click the Devices drop-down and select required devices.
6. Under Interval, Specify the frequency for capturing snapshots in either minutes, hours, or days.
7. Click Save.
The Snapshot Configuration page immediately displays the latest configuration along with the list of
current configurations.
Note: A snapshot configuration that is created without a device is saved and marked as
unscheduled. Snapshot templates with bash commands are marked as invalid. However, these
unscheduled and invalid templates can still be selected while creating a Change Control to capture
pre and post change control snapshots.

436
 Using Snapshots to Monitor Devices

18.7 Editing Custom Snapshot Templates

Complete the following steps to go to defined templates:
1. Navigate to Inventory > Device_ID > Snapshots > Snapshot Configuration.
The Snapshot Configuration page displays currently available snapshot templates.
2. Click the snapshot name for editing the corresponding snapshot template..
Figure 497: Edit Snapshot Configuration Section

3. Modify the required information in corresponding fields.

4. Click Save.

18.8 Viewing Snapshots Differences

You can take snapshots of single devices only. The exact set of information and presentation of the
information in the snapshot is determined by the snapshot template you choose when capturing the snapshot.
Complete the following steps to view snapshots of a device:
1. Go to the Network Provisioning page.
2. Locate the device for which you want to view snapshots.

437
 3. Right-click on the device icon, then click Snapshot.
Figure 498: Initiate Viewing Snapshot

The All Snapshots page displays all valid snapshots.

Note:
You can also navigate to the All Snapshots page through Telemetry > Devices > Device_ID >
Snapshots.
4. Click on the snapshot template name for viewing the corresponding snapshot.
Figure 499: All Snapshots Page

438
 Using Snapshots to Monitor Devices

5. Click the date and time breadcrumb for viewing all snapshots of the corresponding template.
Figure 500: View All Snapshots

6. Click the required snapshot to view the corresponding output.

Figure 501: Select Snapshot

7. Click Compare against a previous time for viewing corresponding snapshot differences.

439
 8. The page displays corresponding snapshot differences.
Figure 502: Compare Snapshots

Note: Snapshot differences are displayed in color codes to quickly identify significant changes in
the state of the device over time. Click the Split tab for viewing snapshot differences in different
windows.

440
 Chapter 19

Backup & Restore, Upgrades, DNS NTP Server Migration

This document provides details on how to perform backup and restore operations and upgrading CloudVision
Portal (CVP).
• Backup and Restore
• Upgrading CloudVision Portal (CVP)
• DNS / NTP Server Migration

19.1 Backup and Restore

CloudVision Portal (CVP) enables you to backup and restore the complete CVP provisioning dataset,
including containers, devices, configlets, images, and configlet / image assignments. You can use commands
to backup and restore CVP data.
Arista provides a simple script at /cvpi/tools/backup.py which is scheduled by default to run daily to backup
CVP data, and retain the last 5 backups in /data/cvpbackup/. Backing up and restoring data saves information
about the CVP instance to a tgz file, and then restores the information from the tgz file to a new CVP
instance. The CVP commands provide all of the functionality required to complete backup and restore
operations.
Note: It is a good practice to regularly create and export backups to ensure that you have an
adequate supply of backup files available to you that you can use to restore CVP data.
Note: There is no backup or restore of the Telemetry analytics dataset.

The current CVP release does not support restoring backups taken from previous CVP releases. If you
would like to restore a backup from a previous CVP release, install the previous release, restore the backup,
and then upgrade to the current release. After you have successfully upgraded to the current release, take
another backup so that you can directly restore that into current main release in the future.
For more information, see:
• Requirements for Multi-node Installations
• Using CVPI Commands to Backup and Restore CV-CUE Data
• Using CVPI Commands to Backup and Restore CVP Provisioning Data

19.1.1 Requirements for Multi-node Installations

The basic requirements for backup and restore operations are the same for single-node installations and
multi-node installations.

19.1.2 Using CVPI Commands to Backup and Restore CV-CUE Data

Arista recommends to back up wifimanager regularly and especially before performing any upgrades.
• Restore CV-CUE Data
• RMA

441
19.1.2.1 Restore CV-CUE Data
You can restore wifimanager from a backup using the cvpi restore wifimanager </path/to/
backup/file> command.
Figure 503: Restore CV-CUE Data

Note: For a CV cluster, you can run this command only on the primary node. If no backup was carried
out before the upgrade, you can use a scheduled backup under the /data/wifimanager/data/
data/backup directory to restore wifimanager.

19.1.2.2 RMA
For RMA or recovery issues, contact [email protected].
Note: Back up wifimanager on any node before submitting it for an RMA. When the node is re-
deployed post-RMA, you can restore earlier wifimanager data from a backup that you have stored
elsewhere.

19.1.3 Using CVPI Commands to Backup and Restore CVP Provisioning Data
Backup and restore are CVPI functionalities of CVPI components.
Note:
The default directory to save and restore backup data files is /data/cvpbackup.
The default directory for backup/restore log files is /cvpi/logs/cvpbackup.
The default directory for temporary files during backup/restore is /data/tmp/cvpbackup.
The following commands are used to backup and then restore the containers, devices, configlets, images,
and configlet or image assignments that are defined in CVP.
Note: When restoring devices, use the username and password that can access the devices being
registered.

19.1.3.1 Backup CVP Provisioning Data

Use the cvpi backup command for saving a copy of CVP data as backup.

cvpi backup cvp

Note: To check the progress of the backup, read the latest backup_cvp.*.log file in /cvpi/
logs/cvpbackup.

442
 Backup & Restore, Upgrades, DNS NTP Server Migration

This command creates the backup files for the CVP component.

[cvp@cvp108 bin]$ cvpi backup cvp

19.1.3.2 Restore CVP Provisioning Data

Use the cvpi restore command to restore backup files for the CVP component.

cvpi restore cvp cvp.timestamp.tgz eosimages.timestamp.tgz

The cvp.<timestamp>.tgz parameter contains provisioning data from the DataBase (DB) of the CVP
application. The cvp.eosimages.<timestamp>.tgz parameter contains EOS images and extensions
stored in the DataBase (DB) of the CVP application.
Note: To check the progress of the restore, read the latest restore_cvp.*.log file in /
cvpi/logs/cvpbackup.

This command restores the backup files of the CVP component.

[cvp@cvp108 bin]$ cvpi restore cvp cvp.2019.1.0.tgz cvp.eosimages

.2019.1.0.tgz

Note:
To check the progress of the backup, tail -f/cvpi/logs/cvpbackup/
backup_cvp.20190606020011.log.
CVP backup creates two backup files in the /data/cvpbackup directory for restoration. The
eosimages.tgz is generated only when it differs from the currently available copy of the
eosimages.tgz, and is an optional parameter for restore if the CVP system already contains the
same EOS image.
The cvpi backup command can be run anytime and does not disrupt the cvp application. However,
the cvpi restore command will stop the cvp application and disrupt the service for the duration of
the restore. If the restore is from a backup on a different CVP system to a new CVP system, it may
also be required to on-board the EOS devices or restart the Terminattr daemons on the EOS devices
after the restore.

19.1.3.2.1 Troubleshooting CVP Restore Failure of Provisioning Data

If the cvpbackup directory does not exist in /data when copying the restore files to a newly built VM, you must
create it and assign the ownership to the cvp user and group in either of the following two ways:
• Login as cvp user and create the cvpbackup directory
Use the su cvp command to login as cvp user and the mkdir -p /data/cvpbackup command to
create the cvpbackup directory.
• Create the folder as root and change the ownership
Use the mkdir -p /data/cvpbackup command to create the folder as root and the chown -R
cvp:cvp /data/cvpbackup/ command to change the ownership of cvpbackup directory and its files to
cvp user and group.

443
Verifying the Ownership of cvpbackup Directory
Use one of the following commands to verify the ownership of cvpbackup directory:
• ls
This example verifies the ownership of cvpbackup directory using the ls command.

[root@cvp-2019 data]# ls -l /data/ | grep cvpbackup

drwxrwxr-x. 2 cvp cvp 236 Mar 16 02:01 cvpbackup
• stat
This example verifies the ownership of cvpbackup directory using the stat command.

[root@cvp-2019 data]# stat /data/cvpbackup/ | grep Access

Access: (0775/drwxrwxr-x) Uid: (10010/ cvp) Gid: (10010/ cvp)

Verifying the Ownership of Files Inside the cvpbackup Directory

The following example verifies the ownership of files inside the cvpbackup directory using the ls command:

[root@cvp-2019 data]# ls -l /data/cvpbackup

total 18863972
-rw-rw-r-- 1 cvp cvp 6650171 Mar 14 02:01 cvp.20200314020004.tgz
-rw-rw-r-- 1 cvp cvp 9642441292 Mar 14 02:08 cvp.eosimages.20200314020002.tgz

Correcting the Ownership of cvpbackup Directory Files

Use the chown command to correct the ownership of cvpbackup directory files.

chown cvp:cvp cvp.<timestamp>.tgz cvp.eosimages.<timestamp>.tgz

The cvp.<timestamp>.tgz parameter contains provisioning data from the DataBase (DB) of the CVP
application. The cvp.eosimages.<timestamp>.tgz parameter contains EOS images and extensions
stored in the DataBase (DB) of the CVP application.
This example changes the ownership of all cvpbackup directory files.

[root@cvp-2019 data]# chown cvp:cvp cvp.20200319020002.tgz cvp.eosimages

.20200314020002.tgz

19.2 Upgrading CloudVision Portal (CVP)

Note: While upgrading CVP, refer to the latest release notes available at Arista Software Download
page; and upgrade procedures.
Devices under management must:
• be running supported EOS version
• have supported TerminAttr version installed
• have the TerminAttr agent enabled and successfully streaming telemetry to CVP.
The following steps can be taken at any point on an existing cluster as part of preparing for an upgrade to the
current version:
1. Upgrade existing CVP clusters to the latest CVP release
2. Upgrade all EOS devices under management to the supported release train.

444
 Backup & Restore, Upgrades, DNS NTP Server Migration

3. For devices running EOS releases prior to 4.20, ensure that the eAPI unix domain socket is enabled with
the following configuration:

management api http-commands

protocol unix-socket
4. Install supported TerminAttr on all EOS devices under management.
5. Enable state streaming from all EOS devices under management by applying the
SYS_StreamingTelemetry configlet and pushing the required configuration to all devices.
6. Ensure that all devices are successfully streaming to the CVP cluster.
7. Ensure that all devices are in image and config compliance.
8. Complete regular backups. Complete a final backup prior to upgrade.
9. Ensure that all tasks are in a terminal state (Success, Failed, or Canceled).
10. Ensure that all Change Controls are in a terminal state.
Note: After the cluster is upgraded to the latest CVP release, systems running unsupported
TerminAttr versions fail to connect to the CVP cluster. These devices will have to be first upgraded
to a supported TerminAttr version by re-onboarding them from the CloudVision UI. You cannot
rollback a device to a time before it was running the supported TerminAttr version.
The upgrade from the previous CVP release to the current CVP release trains include data migrations that
can take several hours on larger scale systems.
• Upgrades
• CVP Node RMA
• CVP / EOS Dependencies
• Upgrade CV-CUE As Part of a CV Upgrade

19.2.1 Upgrades
Upgrades do not require that the VMs be redeployed, and do not result in the loss of logs. .
The CVP cluster must be functional and running to successfully complete an upgrade. As a precaution
against the loss of CVP data, it is recommended that you backup the CVP data before performing an
upgrade. To upgrade CVP to the current release, you must first upgrade CVP to the supported release that
supports an upgrade to the current release. For more information, refer the CVP release notes at Arista
Software Download page.
Note: Centos updates (yum update commands) outside of CVP upgrades are not supported.

• Verifying the health of CVP before performing upgrades

• Upgrading from version 2018.1.2 (or later)

19.2.1.1 Verifying the Health of CVP before Performing Upgrades

Upgrades should only be performed on healthy and fully functional CVP systems. Before performing the
upgrade, make sure that you verify that the CVP system is healthy.
Complete the following steps to verify the health of CVP.
1. Enter into the Linux shell of the primary node as cvp user.
2. Execute the cvpi status all command on your CVP:
This shows the status of all CVP components.
3. Confirm that all CVP components are running.
4. Log into the CVP system to check functionality.
Once you have verified the health of your CVP installation, you can begin the upgrade process.
• Upgrading CloudVision Portal (CVP)

445
19.2.1.2 Upgrading from version 2018.1.2 (or later)
Use this procedure to complete the fast upgrade of CVP to the current version of CVP.
Pre-requisites:
Before you begin the upgrade procedure, make sure that you have:
• Verified the health of your CVP installation (see Verifying the health of CVP before performing upgrades.
• Verified that you are running version 2018.1.2 or later.
Complete the following steps to perform the upgrade.
1. SSH as root into the primary node.
2. Run these commands:
a. rm -rf /tmp/upgrade (to remove data from old upgrades if already present)
b. mkdir /data/upgrade
c. ln -s /data/upgrade /tmp/upgrade
d. scp/wget cvp-upgrade-<version>.tgz to the /data/upgrade directory.
3. Run the su cvpadmin command to trigger the shell.
4. Select the upgrade option from the shell.
Note: On a multi-node cluster, upgrade can be performed only on the primary node. Upgrading to
the current version may take up to 30 minutes.
Note: If an issue occurs during an upgrade, you will be prompted to continue the upgrade once the
issue is resolved.
Note: Upgrade to 2021.1.0 and newer requires the configuration of a kubernetes cluster network.
You will be prompted during the upgrade to enter the private IP range for the kubernetes cluster
network. For this reason, a separate, unused network addressing should be provided when
configuring CVP.
Users will see this prompt while running the upgrade:

This upgrade requires to configure kubernetes cluster network.

Please enter private ip range for kubernetes cluster network :

The cvpi env command will show kubernetes cluster related parameters. KUBE_POD_NETWORK
and KUBE_SERVICE_NETWORK are the two subnetworks derived from KUBE_CLUSTER_NETWORK.
KUBE_CLUSTER_DNS is the second IP address from KUBE_SERVICE_NETWORK.
Note: KUBE_CLUSTER_NETWORK is the kubernetes private IP range and this should not
conflict with CVP nodes, device interface IPs, cluster interface IPs, or switch IPs. In addition, do
not use link-local or the subnet reserved for loopback purposes or any multicast IP addresses. The
subnet length for KUBE_CLUSTER_NETWORK needs to be less than or equal to 20.

19.2.2 CVP Node RMA

Use this procedure to replace any node of a multi-node cluster. Replacing nodes of multi-node cluster
involves removing the node you want to replace, waiting for the remaining cluster nodes to recover, powering
on the replacement node, and applying the cluster configuration to the new node.
When you replace cluster nodes, you must replace only one node at a time. If you plan to replace more than
one node of a cluster, you must complete the entire procedure for each node to be replaced.
When replacing a node the CloudVision VM that comes with the new CVA might not be the same version as
the one running on the other nodes. For more information on redeploying with the correct version refer to:
https://www.arista.com/en/qsg-cva-200cv-250cv/cva-200cv-250cv-redeploy-cvp-vm-tool
Check that the XML file is similar as on the other appliances. This can be checked using the virsh
dumpxml cvp command.

446
 Backup & Restore, Upgrades, DNS NTP Server Migration

Note: It is recommended that you save the CVP cluster configuration to a temporary file, or
write down the configuration on a worksheet. The configuration can be found in /cvpi/cvp-
config.yaml.
1. Power off the node you want to replace (primary, secondary, or tertiary).
2. Remove the node to be replaced.
3. Allow all components of the remaining nodes to recover.
The remaining nodes need to be up and settled before continuing to step 4.
4. Use the cvpi status all command to ensure that remaining nodes are healthy. You will see some
services are reported as “NOT RUNNING” due to not all pods for those services being online. This is
expected while a node is offline.

[root@node2 ~]# cvpi status all

Executing command. This may take some time...

Completed 227/227 discovered actions

secondary components total:147 running:108 disabled:12 not running:27

tertiary components total:112 running:103 disabled:9
primary NODE DOWN

Action Output
-------------

COMPONENT ACTION NODE STATUS

ERROR

aaa status secondary NOT

RUNNING Only 2/3 pod(s) ready

ambassador status secondary NOT

RUNNING Only 2/3 pod(s) ready

apiserver status secondary NOT

RUNNING Only 2/3 pod(s) ready

audit status secondary NOT

RUNNING Only 2/3 pod(s) ready

clickhouse status secondary NOT

RUNNING Only 2/3 pod(s) ready

cloudmanager status secondary NOT

RUNNING Only 2/3 pod(s) ready

coredns status secondary NOT

RUNNING Only 2/3 pod(s) ready

device-interaction status secondary NOT

RUNNING Only 2/3 pod(s) ready

elasticsearch-recorder status secondary NOT

RUNNING Only 2/3 pod(s) ready

elasticsearch-server status secondary NOT

RUNNING Only 2/3 pod(s) ready

enroll status secondary NOT

RUNNING Only 2/3 pod(s) ready

447
 flannel status secondary NOT
RUNNING Only 2/3 pod(s) ready

ingest status secondary NOT

RUNNING Only 2/3 pod(s) ready

inventory status secondary NOT

RUNNING Only 2/3 pod(s) ready

kafka status secondary NOT

RUNNING Only 2/3 pod(s) ready

label status secondary NOT

RUNNING Only 2/3 pod(s) ready

local-provider status secondary NOT

RUNNING Only 2/3 pod(s) ready

nginx-app status secondary NOT

RUNNING Only 2/3 pod(s) ready

prometheus-node-exporter status secondary NOT

RUNNING Only 2/3 pod(s) ready

prometheus-server status secondary NOT

RUNNING Only 0/1 pod(s) ready

radius-provider status secondary NOT

RUNNING Only 2/3 pod(s) ready

script-executor status secondary NOT

RUNNING Only 2/3 pod(s) ready

script-executor-v2 status secondary NOT

RUNNING Only 2/3 pod(s) ready

service-clover status secondary NOT

RUNNING Only 2/3 pod(s) ready

snapshot status secondary NOT

RUNNING Only 2/3 pod(s) ready

tacacs-provider status secondary NOT

RUNNING Only 2/3 pod(s) ready

task status secondary NOT

RUNNING Only 2/3 pod(s) ready
5. Power on the replacement node.
6. Log in as cvpadmin.
7. Enter the cvp cluster configuration.

CentOS Linux 7 (Core)

Kernel 3.10.0-957.1.3.el7.x86_64 on an x86_64

localhost login: cvpadmin

Last login: Fri Mar 15 12:24:45 on ttyS0
Changing password for user root.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Enter a command
[q]uit [p]rint [s]inglenode [m]ultinode [r]eplace [u]pgrade

448
 Backup & Restore, Upgrades, DNS NTP Server Migration

>r
Please enter minimum configuration to connect to the other peers
*Ethernet interface for the cluster network: eth0
*IP address of eth0: 172.31.0.216
*Netmask of eth0: 255.255.0.0
*Default route: 172.31.0.1
*IP address of one of the two active cluster nodes: 172.31.0.161
Root password of 172.31.0.161:
8. Wait for the RMA process to complete. No action is required.

Root password of 172.31.0.161:

External interfaces, ['eth1'], are discovered under /etc/sysconfig/network-
scripts
These interfaces are not managed by CVP.
Please ensure that the configurations for these interfaces are correct.
Otherwise, actions from the CVP shell may fail.
Running : /bin/sudo /sbin/service network restart
[ 334.001886] vmxnet3 0000:0b:00.0 eth0: intr type 3, mode 0, 9 vectors
allocated
[ 334.004577] vmxnet3 0000:0b:00.0 eth0: NIC Link is Up 10000 Mbps
[ 334.006315] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 334.267535] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[ 348.252323] vmxnet3 0000:13:00.0 eth1: intr type 3, mode 0, 9 vectors
allocated
[ 348.254925] vmxnet3 0000:13:00.0 eth1: NIC Link is Up 10000 Mbps
[ 348.256504] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[ 348.258035] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
Fetching version information
Run cmd: sudo -u cvp -- ssh 172.31.0.156 cat /cvpi/property/version.txt 0.18
Fetching version information
Run cmd: sudo -u cvp -- ssh 172.31.0.216 cat /cvpi/property/version.txt
10.19
Fetching version information
Run cmd: sudo -u cvp -- ssh 172.31.0.161 cat /cvpi/property/version.txt 0.16
Running : cvpConfig.py tool...
[ 392.941983] vmxnet3 0000:0b:00.0 eth0: intr type 3, mode 0, 9 vectors
allocated
[ 392.944739] vmxnet3 0000:0b:00.0 eth0: NIC Link is Up 10000 Mbps
[ 392.946388] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 393.169460] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[ 407.229180] vmxnet3 0000:13:00.0 eth1: intr type 3, mode 0, 9 vectors
allocated
[ 407.232306] vmxnet3 0000:13:00.0 eth1: NIC Link is Up 10000 Mbps
[ 407.233940] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[ 407.235728] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
[ 408.447642] Ebtables v2.0 unregistered
[ 408.935626] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 408.956578] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 408.982927] Ebtables v2.0 registered
[ 409.029603] nf_conntrack version 0.5.0 (65536 buckets, 262144 max)
Stopping: ntpd
Running : /bin/sudo /sbin/service ntpd stop
Running : /bin/sudo /bin/systemctl is-active ntpd
Starting: ntpd
Running : /bin/sudo /bin/systemctl start ntpd.service
Waiting for all components to start. This may take few minutes.
Run cmd: su - cvp -c '/cvpi/bin/cvpi -v=3 status zookeeper' 0.45
Run cmd: su - cvp -c '/cvpi/bin/cvpi -v=3 status zookeeper' 0.33
Checking if third party applications exist
Run cmd: su - cvp -c '/cvpi/zookeeper/bin/zkCli.sh ls /apps | tail -1' 0.72
Running : cvpConfig.py tool...
Stopping: cvpi-check
Running : /bin/sudo /sbin/service cvpi-check stop

449
 Running : /bin/sudo /bin/systemctl is-active cvpi-check
Starting: cvpi-check
Running : /bin/sudo /bin/systemctl start cvpi-check.service
9. Continue waiting for the RMA process to complete. No action is required.

[Fri Mar 15 20:26:28 UTC 2019] :

Executing command. This may take some time...

(E) => Enabled

(D) => Disabled
(?) => Zookeeper Down

Action Output
-------------
COMPONENT ACTION NODE STATUS
ERROR
hadoop cluster tertiary (E) DONE

hbase cluster tertiary (E) DONE

Executing command. This may take some time...

(E) => Enabled

(D) => Disabled
(?) => Zookeeper Down

Action Output
-------------
COMPONENT ACTION NODE STATUS
ERROR
aerisdiskmonitor config primary (E) DONE

aerisdiskmonitor config secondary (E) DONE

aerisdiskmonitor config tertiary (E) DONE

apiserver config primary (E) DONE

apiserver config secondary (E) DONE

apiserver config tertiary (E) DONE

cvp-backend config primary (E) DONE

cvp-backend config secondary (E) DONE

cvp-backend config tertiary (E) DONE

cvp-frontend config primary (E) DONE

cvp-frontend config secondary (E) DONE

cvp-frontend config tertiary (E) DONE

geiger config primary (E) DONE

geiger config secondary (E) DONE

geiger config tertiary (E) DONE

hadoop config primary (E) DONE

450
 Backup & Restore, Upgrades, DNS NTP Server Migration

hadoop config secondary (E) DONE

hadoop config tertiary (E) DONE

hbase config primary (E) DONE

hbase config secondary (E) DONE

hbase config tertiary (E) DONE

kafka config primary (E) DONE

kafka config secondary (E) DONE

kafka config tertiary (E) DONE

zookeeper config primary (E) DONE

zookeeper config secondary (E) DONE

zookeeper config tertiary (E) DONE

Executing command. This may take some time...

secondary 89/89 components running
primary 78/78 components running
Executing command. This may take some time...
COMPONENT ACTION NODE STATUS
ERROR
Including: /cvpi/tls/certs/cvp.crt
Including: /cvpi/tls/certs/cvp.key
Including: /etc/cvpi/cvpi.key
Including: /cvpi/tls/certs/kube-cert.pem
Including: /data/journalnode/mycluster/current/VERSION
Including: /data/journalnode/mycluster/current/last-writer-epoch
Including: /data/journalnode/mycluster/current/last-promised-epoch
Including: /data/journalnode/mycluster/current/paxos
Including: /cvpi/tls/certs/ca.crt
Including: /cvpi/tls/certs/ca.key
Including: /cvpi/tls/certs/server.crt
Including: /cvpi/tls/certs/server.key
mkdir -p /cvpi/tls/certs
mkdir -p /data/journalnode/mycluster/current
mkdir -p /cvpi/tls/certs
mkdir -p /etc/cvpi
mkdir -p /cvpi/tls/certs
mkdir -p /cvpi/tls/certs
mkdir -p /cvpi/tls/certs
mkdir -p /data/journalnode/mycluster/current
mkdir -p /cvpi/tls/certs
mkdir -p /data/journalnode/mycluster/current
mkdir -p /data/journalnode/mycluster/current
mkdir -p /cvpi/tls/certs
Copying: /etc/cvpi/cvpi.key from secondary
rsync -rtvp 172.31.0.161:/etc/cvpi/cvpi.key /etc/cvpi
Copying: /cvpi/tls/certs/cvp.crt from secondary
rsync -rtvp 172.31.0.161:/cvpi/tls/certs/cvp.crt /cvpi/tls/certs
Copying: /cvpi/tls/certs/server.key from secondary
rsync -rtvp 172.31.0.161:/cvpi/tls/certs/server.key /cvpi/tls/certs
Copying: /cvpi/tls/certs/ca.crt from secondary
rsync -rtvp 172.31.0.161:/cvpi/tls/certs/ca.crt /cvpi/tls/certs
Copying: /cvpi/tls/certs/cvp.key from secondary
rsync -rtvp 172.31.0.161:/cvpi/tls/certs/cvp.key /cvpi/tls/certs
Copying: /cvpi/tls/certs/ca.key from secondary
rsync -rtvp 172.31.0.161:/cvpi/tls/certs/ca.key /cvpi/tls/certs

451
 Copying: /data/journalnode/mycluster/current/last-writer-epoch from
secondary
rsync -rtvp 172.31.0.161:/data/journalnode/mycluster/current/last-writer-
epoch /data/journalnode/mycluster/current
Copying: /cvpi/tls/certs/kube-cert.pem from secondary
Copying: /cvpi/tls/certs/server.crt from secondary
rsync -rtvp 172.31.0.161:/cvpi/tls/certs/server.crt /cvpi/tls/certs
Copying: /data/journalnode/mycluster/current/VERSION from secondary
rsync -rtvp 172.31.0.161:/data/journalnode/mycluster/current/VERSION /data/
journalnode/mycluster/current
Copying: /data/journalnode/mycluster/current/paxos from secondary
rsync -rtvp 172.31.0.161:/data/journalnode/mycluster/current/paxos /data/
journalnode/mycluster/current
Copying: /data/journalnode/mycluster/current/last-promised-epoch from
secondary
rsync -rtvp 172.31.0.161:/data/journalnode/mycluster/current/last-promised-
epoch /data/journalnode/mycluster/current
rsync -rtvp 172.31.0.161:/cvpi/tls/certs/kube-cert.pem /cvpi/tls/certs
Starting: cvpi-config
Running : /bin/sudo /bin/systemctl start cvpi-config.service
Starting: cvpi
Running : /bin/sudo /bin/systemctl start cvpi.service
Running : /bin/sudo /bin/systemctl start cvpi-watchdog.timer
Running : /bin/sudo /bin/systemctl enable docker
Running : /bin/sudo /bin/systemctl start docker
Running : /bin/sudo /bin/systemctl enable kube-cluster.path
10. Enter "q" to quit the process after the RMA process is complete! message is displayed.

Waiting for all components to start. This may take few minutes.
[ 560.918749] FS-Cache: Loaded
[ 560.978183] FS-Cache: Netfs 'nfs' registered for caching
Run cmd: su - cvp -c '/cvpi/bin/cvpi status all --cluster' 48.20
Run cmd: su - cvp -c '/cvpi/bin/cvpi status all --cluster' 2.73
Run cmd: su - cvp -c '/cvpi/bin/cvpi status all --cluster' 7.77
Run cmd: su - cvp -c '/cvpi/bin/cvpi status all --cluster' 2.55
Run cmd: su - cvp -c '/cvpi/bin/cvpi status all --cluster' 2.23
Run cmd: su - cvp -c '/cvpi/bin/cvpi status all --cluster' 2.64
Run cmd: su - cvp -c '/cvpi/bin/cvpi status all --cluster' 2.59
Run cmd: su - cvp -c '/cvpi/bin/cvpi status all --cluster' 2.07
Run cmd: su - cvp -c '/cvpi/bin/cvpi status all --cluster' 2.70
Run cmd: su - cvp -c '/cvpi/bin/cvpi status all --cluster' 2.51
Run cmd: su - cvp -c '/cvpi/bin/cvpi status all --cluster' 2.57
Run cmd: su - cvp -c '/cvpi/bin/cvpi status all --cluster' 2.40
Run cmd: su - cvp -c '/cvpi/bin/cvpi status all --cluster' 2.24
Waiting for all components to start. This may take few minutes.
Run cmd: su - cvp -c '/cvpi/bin/cvpi -v=3 status all' 9.68
RMA process is complete!
[q]uit [p]rint [e]dit [v]erify [s]ave [a]pply [h]elp ve[r]bose
>q
11. Use the cvpi status all command to ensure that the cluster is healthy.

[cvp@cvp87 ~]$ cvpi status all

Executing command. This may take some time...

Completed 215/215 discovered actions
primary components total:112 running:104 disabled:8
secondary components total:122 running:114 disabled:8
tertiary components total:97 running:91 disabled:6

452
 Backup & Restore, Upgrades, DNS NTP Server Migration

When a node is RMA'd, the other nodes will replicate their state via HDFS to the new node. We can track
this in real time by issuing the following command:

watch -n 30 "hdfs dfsadmin -report | grep 'Under replicated'"

Once the count of "Under replicated" blocks hits 0, data synchronization to the new node is complete.
The disk usage on the new node will also grow as the blocks are replicated and the RMA'd node will have
a similar disk space utilization as the other nodes once the operation has finished successfully.

19.2.3 CVP / EOS Dependencies

To ensure that CVP can provide a base level of management, all EOS devices must be running at least EOS
versions 4.17.3F or later. To ensure device compatibility supported EOS version advice should be sought
from the Arista account team.
CVP should not require any additional EOS upgrades to support the standard features and functions in later
versions of the appliance. Newer features and enhancements to CVP may not be available for devices on
older code versions.
Refer to the latest Release Notes for additional upgrade/downgrade guidance.
Related topics:
• Upgrades
• CVP Node RMA

19.2.4 Upgrade CV-CUE As Part of a CV Upgrade

In case of a CV upgrade, services go through the following steps:
1. Services or service containers (such as CV-CUE) are stopped.
2. Existing container images are deleted.
3. New component RPMs are installed.
4. The server is rebooted and all services are started again.
A service on CV is upgraded only if its version is different from the pre-upgrade version (CV stores its
pre-upgrade state to decide this). The wifimanager component follows a similar process. When CV boots
up after an upgrade, wifimanager starts and upgrades only if the CV upgrade has resulted in a new
wifimanager version. The following actions precede every wifimanager start operation:
a. load: Loads the wifimanager container image into docker when CV boots up for the first time after an
upgrade.
b. init: Initializes wifimanager before the start. The wifimanager init is versioned init-8.8.0-01, for
example. The init-<version> handler initiates a wifimanager upgrade if needed. Thus, if the
wifimanager version has not changed after the CV upgrade, the wifimanager upgrade is not invoked. If
the wifimanager version has changed, then a wifimanager upgrade is called before its start.
Note: Load and init are internal actions to the wifimanager start operation; they are not run
separately. The CV-CUE service might take longer to start than other CV services.

19.3 DNS / NTP Server Migration

You can migrate your DNS / NTP server after you have completed your initial deployment of CloudVision.
Migrating the DNS / NTP server is typically done if you want to or need to change the DNS / NTP server that
CloudVision currently uses.
For example, if the current CloudVision DNS / NTP server was intentionally isolated during the initial
CloudVision installation, you need to migrate the server to make it accessible by external resources.

453
 • Migrating the DNS and NTP Server
Note: Following the DNS / NTP Server Migration procedure may cause the CVP server to be
unavailable for some time after using the commands.

19.3.1 How to Modify the DNS and NTP Configuration

The process for modifying the DNS / NTP server after the completion of the initial CloudVision installation
involves updating the DNS and NTP server entries on each cluster node and modifying the /cvpi/cvp-
config.yaml file (on each node) to reflect the updates to the server entries.
Pre-requisites
Before you begin the migration process, make sure that:
• The IP addresses and hostnames (fqdn) of the nodes must not change.
• For each node, make sure that:
• At least one DNS server entry is present in the /cvpi/cvp-config.yaml file.
• The DNS server that corresponds to the DNS server entry in the /cvpi/cvp-config.yaml file can
be accessed by the cluster throughout the migration process. (The reason for this is that any changes
made to resolv.conf take effect immediately upon saving the file.)
• The time difference between the old NTP server and new NTP server should be negligible.
• The old NTP server and new NTP server should be in same time zone.
Note: Following the DNS / NTP Server Migration procedure may cause the CVP server to be
unavailable for some time after using the commands.
Complete these steps to modify the DNS / NTP server.
1. On each node, edit the /cvpi/cvp-config.yaml file to reflect the changes to the DNS and NTP server
entries that need to be made,
2. To read the /cvpi/cvp-config.yaml file and restart the network service, run the /cvpi/tools/
cvpConfig.py -y /cvpi/cvp-config.yaml -n nodeX command on each node where X is the
respective node number.
3. Restart the CVP components for all kubernetes pods to re-mount the /etc/resolv.conf file: cvpi -
v=3 stop all && cvpi -v=3 start all
Related topics:
• Backup and Restore

454
 Chapter 20

Supplementary Services
This document provides configurations steps and examples for supplementary setup procedures for
CloudVision Portal (CVP).
• HTTPS Certificates Setup
• Customizing TLS and SSH Ciphers
• DHCP Service for Zero Touch Provisioning (ZTP) Setup
• RADIUS or TACACS Authentication Setup
• Background Tasks
• Resetting cvpadmin Password System Recovery
• Optional SAN IP field in CVP Certificate

455
20.1 HTTPS Certificates Setup
CVP uses nginx to front and terminate all HTTPS connections. To support HTTPS, the server must be
configured with a certificate. A self-signed certificate is generated at first bootup.
The guidelines to import a certificate are:
• Correctly fill the Subject Alternate Name (SAN) IP and DNS fields in both signed and self-signed
certificates:
• The SAN IP field must contain the IP addresses of all CVP cluster nodes; and the IP address of any IP
load balancer used in front of CVP.
• The SAN DNS field must contain the Fully Qualified Domain Name (FQDN) of the following elements:
• All CVP cluster nodes
• Any Canonical Names (CNAMES) and round-robin DNS names
• Any IP load balancer used in front of CVP
Note: Zerotouch Provisioning (ZTP) and REST API calls can fail if signed certificates are uploaded
without appropriate data in SAN fields.
• When importing a CVP certificate signed by an internal Certificate Authority (CA), the uploaded file
must sequentially contain the full trust chain of PEM-encoded certificates like a server certificate, all
intermediate certificates (if available), and a root certificate.
• Leave an empty line between every two certificates when importing multiple certificates into a single file.
Note: Do not leave an empty line at the end of the file.

• If the server certificate is self-signed then the server and root certificates are one-and-the-same, so only
that single certificate is required.
• CVP does not support wildcard certificates.
To install an HTTPS certificate, navigate to the Settings page (Click on the gear icon) > Certificates (See the
figure below).
Figure 504: Certificates Page

Install the certificate using one of the following methods:

456
 Supplementary Services

• Generating and Installing Self-Signed Certificate

• Installing Public Certificate
• Creating a CSR

457
20.1.1 Generating and Installing Self-Signed Certificate
Perform the following steps to generate and install a self-signed certificate:
1. On the Certificates page, click + Add.
CVP opens the Add CVP Certificate pop-up window. See the figure below.
Figure 505: Add CVP Certificate Pop-Up Window

2. Select Self Signed Certificate from the Certificate Type drop-down menu.
3. Provide the required information.
4. Click Add.
CVP opens the Confirm pop-up window informing that the existing certificate will be replaced. See the
figure below.
Figure 506: Confirm Pop-Up Window

5. Click OK.
CVP replaces the certificate and restarts the nginx service.

458
 Supplementary Services

Note: When CVP is restarted, add an exception in the browser for the new certificate.

20.1.2 Installing Public Certificate

Perform the following steps to install a public certificate:
1. On the Certificates page, click Import.
CVP opens the Import CVP Certificate pop-up window. See the figure below.
Figure 507: Import CVP Certificate Pop-Up Window

2. Select Available Certificate from the Import type drop-down menu.

3. Upload private key and public certificate.
4. (Optional) Provide passphrase.
5. Click Import.
CVP replaces the certificate and restarts the nginx service.
Note: When CVP is restarted, add an exception in the browser for the new certificate.

20.1.3 Creating a CSR

A server Certificate Signing Request (CSR) file can be created by either your internal CA (along with an
associated server key) or via CVP.
Perform the following steps to create a CSR:
1. On the Certificates page, click + Add.
CVP opens the Add CVP Certificate pop-up window.
2. Select Certificate Signing Request from the Certificate Type drop-down menu.

459
 See the figure below.
Figure 508: Add CVP Certificate Dialogbox for CSR

3. Provide the required information in all fields.

4. Click Add.

460
 Supplementary Services

CVP opens the Add CVP Certificate dialog box displaying the complete CSR information. See the figure
below.
Figure 509: Add CVP Certificate Dialogbox with CSR Details

5. Click Download to download the CSR file.

Note: The CA provides the root key (For example, myCA.key) and and root certificate (For
example, myCA.pem).
6. Create a configuration file to define the SAN fields.
Example:

bash-4.2# cat cvp100.nh.aristanetworks.com.ext

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherm
ent
subjectAltName = @alt_names

[alt_names]
DNS.1 = cvp100.nh.aristanetworks.com
DNS.2 = cvp100.nh
DNS.3 = cvp11.nh.aristanetworks.com
DNS.4 = cvp11.nh
DNS.5 = cvp12.nh.aristanetworks.com
DNS.6 = cvp12.nh
DNS.7 = cvp13.nh.aristanetworks.com
DNS.8 = cvp13.nh
IP.1 = 10.81.45.243
IP.2 = 10.81.45.247
IP.3 = 10.81.45.251

461
 7. Run the following command to generate a signed certificate from the downloaded CSR file.

openssl x509 -req -in downloaded_file -CA root_certificate -CAkey root_key -

CAcreateserial

-out updated_certificate_filename -days validity_period_in_days -sha256 -

extfile SAN_DNS_IP_ext_filename

Example:

openssl x509 -req -in CSR.csr -CA myCA.pem -CAkey myCA.key -CAcreateseri
al -out cvp100.nh.aristanetworks.com.gui2.crt -days 365 -sha256 -extfile
cvp100.nh.aristanetworks.com.ext
8. Edit the new certificate file to add the root certificate at the end of the file.
Example:

bash-4.2# cat cvp100.nh.aristanetworks.com.gui2.crt

-----BEGIN CERTIFICATE-----
MIIEqz2N2cDEzLm5oLmFyaXN0YW5ldHdvcmtzLmNvbYIIY3ZwMTMubmiHBApRLfOH
[snip]
Ta7HF9MPgnc5XOlVN2PRWkEuPN1JFEuj7xute41NuTBmnqoAeuhdTbVpxuBEeoY=
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIID6zCCAtOgAwIBAgIJANW5kelAXMzhMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD
[snip]
2QoyIITDLQor1I/2z+RDHWCx8wEiYrsYkyzZDm/7NeGqfygXjnVJwfJBjtjpB8Y=
-----END CERTIFICATE-----
bash-4.2#

Note: In case of intermediate certificates, add them between the new certificate and the root
certificate.
9. In the CVP, click on the gear icon > Certificates.
10. Click Import.

462
 Supplementary Services

CVP opens the Import CVP Certificate dialog box.

Figure 510: Import CVP Certificate to Bind with CSR

11. Select Bind with CSR in the Import type dropdown menu.
12. In the Public Certificate section, click Select files.
13. Navigate and select the edited crt file.
14. Click Import.

20.1.4 Renewing the Certificate Authority

Note: The device communication will be disrupted when these steps are executed.

The Certificate Authority (CA) in the on-premise CVP can be renewed with the following steps:
1. SSH into the primary.
2. Reset the Certificate Authority (CA) and stop apiserver and ingest with the following commands.

yes | cvpi reset ca-init-v1

cvpi stop ingest
cvpi stop apiserver
3. Renew CA and aeris admin certificates with the following commands.

cvpi init ca-init-v1

/cvpi/apps/aeris/bin/create-admin-cert.sh
4. Restart all stopped components.

cvpi start all

5. Re-onboard all devices from the Device Onboarding page.

463
20.2 Customizing TLS and SSH Ciphers
CVP uses nginx to front and terminate all HTTPS connections. To support HTTPS, the server must be
configured with a certificate. A selfsigned certificate is generated at first bootup.
• Configuring Custom TLS Ciphers
• Configuring Custom SSH Ciphers

20.2.1 Configuring Custom TLS Ciphers

Complete these steps to configure custom TLS ciphers.
Nginx, the web server software, uses TLS ciphersuites that are considered safe to use, but may not meet the
security standards of certain organizations. It is possible to change the settings used by adding or changing
ssl_ciphers in /etc/nginx/conf.d/cvpi-server.conf (pre 2021.2.0) or /etc/nginx/conf.d/servers/cvpi-
server.conf (post 2021.2.0) under the server block.
1. Using the appropriate path for your version of CloudVision, create a file that contains all of the SSL ciphers
you need. Any open SSL cipher string can be used.
• /etc/nginx/conf.d/cvpi-server.conf (pre 2021.2.0)
• /etc/nginx/conf.d/servers/cvpi-server.conf (post 2021.2.0)
2. Run the following command to make sure the configuration does not contain any errors:

/usr/sbin/nginx -t -c /etc/nginx/conf.d/cvpi-server.conf

or

/usr/sbin/nginx -t -c /etc/nginx/conf.d/servers/cvpi-server.conf

3. Run the following command to reload nginx with the updated configuration.

systemctl reload nginx

20.2.2 Configuring Custom SSH Cipher

Complete these steps to configure custom SSH ciphers.
Note: Upgrading CVP removes custom SSH ciphers. You must reconfigure SSH ciphers after the
upgrade.
1. Edit the /etc/cvpi/sshd_config to include custom ciphers and MAC definitions.
2. Run the following command to make sure the configuration does not contain any errors:

sshd -t -f /etc/cvpi/sshd_config
3. Run the following command to reload sshd with the updated configuration.

systemctl reload sshd

20.3 DHCP Service for Zero Touch Provisioning (ZTP) Setup

The ZTP process relies on a DHCP server to get devices registered with CVP. The DHCP server can be on
the CVP, but is more commonly an external DHCP server.

464
 Supplementary Services

1. Ensure the DHCP server is installed (it is installed by default in CVP).

rpm -qa | grep dhcp

dhcp-common-4.1.1-43.P1.el6.x86_64
dhcp-4.1.1-43.P1.el6.x86_64
2. Edit the /etc/dhcp/dhcpd.conf file to include the option bootfile-name, which provides the location of
the script that starts the ZTP process between CVP and the device.
In this example, DHCP is serving the 172.31.0.0/16 subnet.
Note: The 172.31.5.60 is the IP address of a CVP node, and it is recommended to use the HTTPS
URL to point to the bootstrap file. This ensures that the specified devices, after they ZTP, will show
up under the undefined container of the specified CVP.

[root@cvp1-dhcp dhcp]# cat dhcpd.conf

#
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.sample
# see 'man 5 dhcpd.conf'
#
subnet 172.31.0.0 netmask 255.255.0.0 {
range 172.31.3.212 172.31.5.214;
option domain-name "sjc.aristanetworks.com";
}
host esx21-vm20 {
option dhcp-client-identifier 00:0c:29:f9:21:99;
fixed-address 172.31.3.211;
option bootfile-name "https://172.31.5.60/ztp/bootstrap";
}
host esx21-vm22 {
option dhcp-client-identifier 00:0c:29:d1:64:e1;
fixed-address 172.31.3.213;
option bootfile-name "https://172.31.5.60/ztp/bootstrap";
}
3. Restart the DHCP service after any configuration changes with the service dhcpd restart
command.
4. Configure dhcpd to start on system boot with the chkconfig dhcpd on command.
Related topics:
• RADIUS or TACACS Authentication Setup
• Background Tasks
• Resetting cvpadmin Password
• HTTPS Certificates Setup

20.4 RADIUS or TACACS Authentication Setup

1. Edit the client file /etc/raddb/clients.conf by adding the following:

# CVP
client 172.31.0.0/16 {
secret = cvpsecret
2. To add more, enter the following.

# Arista Networks
client 172.17.0.0/16 {
secret = cvpsecret
}

465
 client 172.18.0.0/16 {
secret = cvpsecret
}
client 172.20.0.0/16 {
secret = cvpsecret
}
client 172.22.0.0/16 {
secret = cvpsecret
}

The default clients.conf file will have a section for local host. The user should either delete the whole
section or comment it out. If CVP will be connecting to RADIUS on local host. You have to add a client entry
for 127.0.0.0/16 (same as above).
1. Edit the users file /etc/raddb/users by adding the following:

# CVP
cvpuser Cleartext-Password := "cvpuser"
Service-Type = NAS-Prompt-User

start radiusd: sudo service radiusd start

enable radiusd on boot: sudo chkconfig radiusd on
2. If RADIUS is not working, run the server in debug mode.

# service radiusd stop

# /usr/sbin/radiusd -X -f

RADIUS will now run on the terminal with verbose output. This will let you know if RADIUS is receiving auth
requests and what failure is being hit for the request. After you are done debugging, Control-C the process
and start radiusd as a service.
Note: You may have to either disable iptables or firewall.serviced depending on the OS version. You
could also configure it to allow traffic on ports 1812 and 1813 on the Radius server.
Related topics:
• Background Tasks
• Resetting cvpadmin Password
• HTTPS Certificates Setup
• DHCP Service for Zero Touch Provisioning (ZTP) Setup

20.5 Background Tasks

CloudVision provides command-line tools that can be executed from the linux shell or scheduled as cronjobs
either on a CVP node or on an external server, for the following tasks:
• Compliance checks
• Snapshots
• Backups
The tools are available by default on the CVP nodes in the /cvpi/tools/ directory. The tools can be used
on an external linux server by downloading the cvp-tools-<version> .tgz from https://www.arista.com
to the external linux server.
Detailed help on the tool is available by using the –h option with the tool:

cvpi/tools/compliance.py –h
cvpi/tools/backup.py –h

466
 Supplementary Services

Related topics:
• Resetting cvpadmin Password
• HTTPS Certificates Setup
• DHCP Service for Zero Touch Provisioning (ZTP) Setup
• RADIUS or TACACS Authentication Setup

20.5.1 Scheduling and Viewing Cronjobs

To schedule cronjobs to perform periodic compliance checks or snapshots, insert commands into the crontab
using the following command:

crontab -e

Note: When inserting commands to schedule cronjobs, you only need to do this on one node of the
cluster.
Example
To schedule a periodic compliance check and snapshot to be performed hourly on the tenant container, and a
backup to be performed daily at 2:00 am, insert the following lines into the crontab file on the primary node if
not already present. In this example, the user is named “me” and the password is “pwd”.

0 * * * * /cvpi/tools/compliance.py --user me --password pwd --containers

tenant
0 2 * * * /cvpi/tools/backup.py --limit 5

To see the active cronjobs, use the following command:

crontab –l

To view the console outputs of the cronjobs tail, view (open) the following log file:

tail –f /var/log/cron

Related topics:
• Resetting cvpadmin Password
• HTTPS Certificates Setup
• DHCP Service for Zero Touch Provisioning (ZTP) Setup
• RADIUS or TACACS Authentication Setup

20.6 Resetting cvpadmin Password

If the cvpadmin password is lost or forgotten, you can reset it from any of the CVP nodes using the following
steps.

1. Log into a CVP node Linux shell as root user.

2. Execute the following command:

/cvpi/tools/update-mgmt-password -password <new password>

Note: Do not set the new password to the string "cvpadmin".

Related topics:
• HTTPS Certificates Setup

467
 • DHCP Service for Zero Touch Provisioning (ZTP) Setup
• RADIUS or TACACS Authentication Setup
• Background Tasks

20.7 Optional SAN IP field in CVP Certificate

ZTP boot can be done without specifying the SAN IP in the certificate’s field. If the certificate is issued by a
public CA without a SAN IP, it will require us to use CVP’s FQDN to set up a secure connection. Using an IP
address you can set up a secure connection with CVP, because the ZTP app now resolves the DNS name to
the correct IP address. Although the SAN IP field in the certificate is now optional, DNS is still mandatory.

20.7.1 Creating a certificate without SAN IP

Go to settings and click on certificate Click on +Add, to add the new certificate Certificate form, asking for
details will appear Fill the details without specifying SAN IPs

1. From Settings select Certificate.

2. Click on +Add, to add the new certificate.
3. Complete the Certificate form, without specifying a SAN IP address.
4. Click OK at the prompt will confirming that a SAN IP has not been provided.
5. Clicking OK on the next prompt stating the existing certificate will be replaced.
6. Proceed with the ZTP boot process.

468
 Chapter 21

Troubleshooting and Health Checks

If you encounter an issue when using CloudVision appliance, check to see if there are troubleshooting
steps for the issue.
• System Recovery
• VM Redeployment
• Health Checks
• Resource Checks

21.1 System Recovery

System recovery should be used only when the CVP cluster has become unusable and other steps, such
as performing a cvpi watchdog off, cvpi stop all, and then, cvpi start all, cvpi
watchdog on have failed. For example, situations in which, regardless of restarts, a cvpi status all
continues to show some components as having a status of UNHEALTHY or NOT RUNNING.
There are two ways to completely recover a CVP cluster:
• VM Redeployment
• CVP Re-Install without VM Redeployment
Note: A good backup is required to proceed with either of these system recoveries.

21.1.1 CVP Re-Install without VM Redeployment

Complete these steps:
1. Run cvpReInstall from the Linux shell of the primary node. This may take 15 minutes to complete.

[root@cvp99 ~]# cvpReInstall

0.Log directory is /tmp/cvpReinstall_17_02_23_01_59_48
Existing /cvpi/cvp-config.yaml will be backed up here.
….
….
Complete!

CVP configuration not backed up, please use cvpShell to setup the cluster

CVP Re-install complete, you can now configure the cluster

469
 2. Re-configure using the procedure in Shell-based Configuration. Log into the Linux shell of each node as
cvpadmin or su cvpadmin.
Figure 511: cvp-shell-login

3. Issue a cvpi status all command to ensure all components are running.
Figure 512: Example output of cvpi status all command

4. Login to the CVP GUI as cvpadmin/cvpadmin to set the cvpadmin password.

5. From the Backup & Restore tab on the Setting page, restore from the backup.
Related topics:
• Health Checks
• Resource Checks

470
 Troubleshooting and Health Checks

21.2 VM Redeployment
Complete the following steps:
1. Delete all the CVP VMs.
2. Redeploy the VMs using the procedures in CloudVision Portal (CVP) Setup.
3. Issue a cvpi status all command to ensure all components are running.
4. Login to the CVP GUI as cvpadmin/cvpadmin to set the cvpadmin password.
5. From the Backup & Restore tab on the Setting page, restore from the backup.

21.3 Health Checks

The following table lists the different types of CVP health checks you can run, including the steps to use to run
each check and the expected result for each check.

Component Steps to Use Expected Result

Network connectivity
HBase
Check time is in sync between
nodes
I/O slowness issues
ping -f across all nodes
hbase hbck 2>&1 | grep
"Status\|Table"
On all nodes run date +%s
The disk I/O throughput is at an
unhealthy level (too low).
No packet loss, network is healthy.
The status is provided. A
good system will return a
status of "okay" 2021-11-11
15:06:31,066 INFO
[main] util.HBaseFsck:
getTableDescriptors ==
tableNames => [__test-
table_ne652.aristanetworks.com__,
aeris_v2,
hbase:namespace]
Number of Tables: 3
Table hbase:meta is
okay. Table _test-
table_ne652.aristanetworks.com_
is okay. Table
aeris_v2 is okay. Table
hbase:namespace is okay.
Status: OK
UTC time should be within a few
seconds of each other (typically
less than one second). Up to 10
seconds is allowable.
Use the cvpi resources
command to find out whether the
disk I/O throughput is at a healthy
level or unhealthy level. The
disk I/O throughput reported in the
command output is measured by
the Virtual Machine.
See Running Health Checks for an
example of the output of the cvpi
resources command.

471
 • Running Health Checks

21.3.1 Running Health Checks

Run the cvpi resources command to execute a health check on disk bandwidth. The output of the
command indicates whether the disk bandwidth is at a healthy level or unhealthy level. The threshold for
healthy disk bandwith is 20MBS.
The possible health statuses are:
• Healthy - Disk bandwidth above 20MBs
• Unhealthy - Disk bandwidth at or below 20MBs
The output is color coded to make it easy to interpret the output. Green indicates a healthy level, and red
indicates an unhealthy level (see the example below).

This example shows output of the cvpi resources command. In this example, the disk
bandwidth status is healthy (above the 20MBs threshold).
Figure 513: Example output of cvpi resources command

Related topics
• Resource Checks

472
 Troubleshooting and Health Checks

21.4 Resource Checks

CloudVision Portal (CVP) enables you to run resource checks on CVP node VMs. You can run checks
to determine the current data disk size of VMs that you have upgraded to CVP version 2017.2.0, and to
determine the current memory allocation for each CVP node VM.
Performing these resource checks is important to ensure that the CVP node VMs in your deployment have
the recommended data disk size and memory allocation for using the Telemetry feature. If the resource
checks show that the CVP node VM data disk size or memory allocation (RAM) are below the recommended
levels, you can increase the data disk size and memory allocation.
These procedures provide detailed instructions on how to perform the resource checks and if needed, how to
increase the CVP node VM data disk size and CVP node VM memory allocation.
• Running CVP node VM Resource Checks
• Increasing Disk Size of VMs Upgraded to CVP Version 2017.2.0
• Increasing CVP Node VM Memory Allocation

21.4.1 Running CVP node VM Resource Checks

CloudVision Portal (CVP) enables you to quickly and easily check the current resources of the primary,
secondary, and tertiary nodes of a cluster by running a single command. The command you use is the cvpi
resources command.
Use this command to check the following CVP node VM resources:
• Memory allocation
• Data disk size (storage capacity)
• Disk throughput (in MB per second)
• Number of CPUs
Complete the following steps to run the CVP node VM resource check.
1. Login to one of the CVP nodes as root.
2. Execute the cvpi resources command.
The output shows the current resources for each CVP node VM
• If the total size of sdb1 (or vdb1) is approximately 120G or less, you can increase the disk size to 1TB
(seeIncreasing Disk Size of VMs Upgraded to CVP Version 2017.2.0 ).
• If the memory allocation is the default of 16GB, you can increase the RAM memory allocation (see
Increasing CVP Node VM Memory Allocation).
Figure 514: Using the cvpi resource command to run CVP node VM resource checks

473
21.4.2 Increasing Disk Size of VMs Upgraded to CVP Version 2017.2.0
If you already upgraded any CVP node VMs running an older version of CVP to version 2017.2.0, you may
need to increase the size of the data disk of the VMs so that the data disks have the 1TB disk image that is
used on current CVP node VMs
CVP node VM data disks that you upgraded to version 2017.2.0 may still have the original disk image (120GB
data image), because the standard upgrade procedure did not upgrade the data disk image. The standard
upgrade procedure updated only the root disk, which contains the Centos image along with rpms for CVPI,
CVP, and Telemetry.
Note: It is recommended that each CVP node have 1TB of disk space reserved for enabling CVP
Telemetry. If the CVP nodes in your current environment do not have the recommended reserved disk
space of 1TB, complete the procedure below for increasing the disk size of CVP node VMs.
Pre-requisites
Before you begin the procedure, make sure that you:
• Have upgraded to version 2017.2.0. You cannot increase the data disk size until you have completed the
upgrade to version 2017.2.0 (see How to Modify the DNS and NTP Configuration ).
• Have performed the resource check to verify that the CVP node VMs have the data disk size image of
previous CVP versions (approximately 120GB or less). See Running CVP node VM Resource Checks.
Procedure
Complete the following steps to increase the data disk size.
1. Turn off cvpi service by executing the systemctl stop cvpi command on all nodes in the cluster. (For
a single-node installation, run this command on the node.)
2. Run the cvpi -v=3 stop all on the primary node.
3. Perform a graceful power-off of all VMs.
Note: You do not need to unregister and re-register VMs from vSphere Client or undefine and
redefine VMs from kvm hypervisor.
4. Do the following to increase the size of the data disk to 1TB using the hypervisor:
• ESX: Using vSphere client, do the following:
a. Select the Virtual Hardware tab, and then select hard disk 2.
b. Change the setting from 120GB to 1TB.
c. Click OK.

474
 Troubleshooting and Health Checks

• KVM: Use the qemu-img resize command to resize the data disk from 120GB to 1TB. Be sure to
select disk2.qcow2.
Figure 515: Using vSphere to increase data disk size

5. Power on all CVP node VMs, and wait for all services to start.
6. Use the cvpi status all command to verify that all the cvpi services are running.
7. Run the /cvpi/tools/diskResize.py command on the primary node. (Do not run this command on
the secondary and tertiary nodes.)
8. Run the df -h /data command on all nodes to verify that the /data is increased to approximately 1TB.
9. Wait for all services to start.
10. Use the cvpi -v=3 status all command to verify the status of services.
11. Use the systemctl status cvpi to ensure that cvpi service is running.

21.4.3 Increasing CVP Node VM Memory Allocation

If the CVP Open Virtual Appliance (OVA) template currently specifies the default of 16GB of memory
allocated for the CVP node VMs in the CVP cluster, you need to increase the RAM to ensure that the CVP
node VMs have adequate memory allocated for using the Telemetry feature.
Note: It is recommended that CVP node VMs have 32GB of RAM allocated for deployments in which
Telemetry is enabled.
You can perform a rolling modification to increase the RAM allocation of every node in the cluster. If you want
to keep the service up and available while you are performing the rolling modification, make sure that you
perform the procedure on only one CVP node VM at a time.
Once you have completed the procedure on a node, you repeat the procedure on another node in the cluster.
You must complete the procedure once for every node in the cluster.
Pre-requisites

475
 Before you begin the procedure, make sure that you:
• Have performed the resource check to verify that the CVP node VMs have the default RAM memory
allocation of 16GB (see Running CVP node VM Resource Checks).
• Make sure that you perform a GUI-based backup of the CVP system and copy the backup to a safe
location (a location off of the CVP node VMs). The CVP GUI enables you to create a backup you can use
to restore CVP data.
Procedure
Complete the following steps to increase the RAM memory allocation of the CVP node VMs.
1. Login to a CVP node of the cluster as cvp user.
2. Using the cvpi status cvp shell command, make sure that all nodes in the cluster are operational.
Figure 516: cvpi status cvp shell command

3. Using vSphere client, shutdown one CVP node VM by selecting the node in the left pane, and then click
the Power off the virtual machine option.
Figure 517: Power off the virtual machine

476
 Troubleshooting and Health Checks

4. Click to confirm powering off the virtual machine.

Figure 518: Powering off confirmation

5. On the CVP node VM, increase the memory allocation to 32GB by right-clicking the node icon, and then
choose Edit Settings.
Figure 519: Edit Settings

477
 The Edit Resource Settings dialog appears.
Figure 520: Edit Resources Settings

6. Do the following to increase the memory allocation for the CVP node VM:
• Using the Memory option, click the up arrow to increase the size to 32GB.
• Click the OK button.
The memory allocation for the CVP node VM is changed to 32GB. The page refreshes, showing options to
power on the VM or continue making edits to the VM properties.

478
 Troubleshooting and Health Checks

7. Click the Power on the virtual machine option.

Figure 521: Power on the virtual machine

8. Wait for the cluster to reform.

9. Once the cluster is reformed, repeat step 1 through step 7 one node at a time on each of the remaining
CVP node VMs in the cluster.
Related topics:
• System Recovery
• Health Checks

479
480