[Zeek] Issue with Arista symmetric hashing in 4.20

Avila, Kay kayavila at illinois.edu
Mon Jan 14 06:59:07 PST 2019


I'd like to share an issue that could impact anyone using tool ports on an Arista in a port-channel to a Bro cluster.  Upgrading to 4.20.x from 4.19 broke our symmetric hashing (fixable with a config change), creating a lot of half-duplex connections in Bro.

In 4.19, the hashing algorithm for output port selection in a port-channel could use either a layer 2 mode (MAC) or a layer 3 and 4 mode (IP and TCP/UDP).  In 4.20, both modes can be used simultaneously, and both are enabled by default.  During our upgrade, our layer 3 and 4 load-balancing policy was converted to use both modes.  That broke symmetric hashing, leading to many of the connections having the two sides of their flows sent to different Bro nodes.

I haven't established yet with Arista whether the problem is the MAC hashing or having both enabled simultaneously, but layer 2 mode is fairly useless for us anyway as we tap link between routers.  Changing the hashing algorithm back to layer 3/4 only solved the issue for us.

Kay Avila
Senior Security Engineer, Cybersecurity and Networking Division
National Center for Supercomputing Applications (NCSA)
University of Illinois, Urbana-Champaign
P: (217) 300-1754   F: (217) 244-1987
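
One way to check a cluster for the half-duplex symptom described in this message, as an added example that is not part of the original post: a heuristic over Zeek/Bro conn.log that flags TCP records whose history shows ACKs or data from only one endpoint. The sample log lines are constructed, and the function names and the heuristic itself are assumptions of this example.

```python
# Constructed sample in Zeek conn.log TSV layout, trimmed to the fields used here.
SAMPLE_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state\thistory\n"
    "1547477947.10\tCa1\t192.0.2.10\t50000\t198.51.100.5\t443\ttcp\tSF\tShADadFf\n"
    "1547477947.20\tCb2\t192.0.2.11\t50001\t198.51.100.5\t443\ttcp\tOTH\tSADF\n"
    "1547477947.21\tCc3\t192.0.2.11\t50001\t198.51.100.5\t443\ttcp\tOTH\t^hadf\n"
    "1547477947.30\tCd4\t192.0.2.12\t50002\t198.51.100.9\t22\ttcp\tS0\tS\n"
    "1547477947.40\tCe5\t192.0.2.13\t50003\t198.51.100.7\t53\tudp\tSF\tDd\n"
)


def parse_conn_log(text):
    """Yield one dict per record, using the #fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def is_split_flow(rec):
    """True for a TCP record where one side sent ACKs or data but the peer was never seen.

    In the history field, uppercase letters come from the originator and
    lowercase from the responder; '^' marks a direction flip by Zeek.
    A lone unanswered SYN ("S") is ordinary scanning noise and is not flagged.
    """
    if rec["proto"] != "tcp":
        return False
    letters = [c for c in rec["history"] if c.isalpha()]
    one_sided = all(c.isupper() for c in letters) or all(c.islower() for c in letters)
    progressed = any(c in "AaDd" for c in letters)
    return one_sided and progressed


def split_flow_ratio(text):
    """Return (uids of flagged records, flagged fraction of all TCP records)."""
    tcp = [r for r in parse_conn_log(text) if r["proto"] == "tcp"]
    flagged = [r["uid"] for r in tcp if is_split_flow(r)]
    return flagged, (len(flagged) / len(tcp) if tcp else 0.0)


if __name__ == "__main__":
    uids, ratio = split_flow_ratio(SAMPLE_LOG)
    print(f"one-sided TCP records: {uids} ({ratio:.0%} of TCP)")
```

Comparing this ratio before and after a switch upgrade or load-balancing change gives a quick signal that both directions of a flow are no longer reaching the same worker.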
