[Zeek] Issue with Arista symmetric hashing in 4.20
Avila, Kay
kayavila at illinois.edu
Mon Jan 14 06:59:07 PST 2019
I'd like to share an issue that could impact anyone using tool ports on an Arista in a port-channel to a Bro cluster. Upgrading to 4.20.x from 4.19 broke our symmetric hashing (fixable with a config change), creating a lot of half-duplex connections in Bro.
In 4.19, the hashing algorithm for output port selection in a port-channel could use either a layer 2 mode (MAC) or a layer 3 and 4 mode (IP and TCP/UDP). In 4.20, both modes can be used simultaneously, and both are enabled by default. During our upgrade, our layer 3 and 4 load-balancing policy was converted to use both modes. That broke symmetric hashing, leading to many of the connections having the two sides of their flows sent to different Bro nodes.
I haven't established yet with Arista whether the problem is the MAC hashing or having both enabled simultaneously, but layer 2 mode is fairly useless for us anyway, as we tap a link between routers. Changing the hashing algorithm back to layer 3/4 only solved the issue for us.
Kay Avila
Senior Security Engineer, Cybersecurity and Networking Division
National Center for Supercomputing Applications (NCSA)
University of Illinois, Urbana-Champaign
P: (217) 300-1754 F: (217) 244-1987
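The following is an added illustration, not code from the post above and not Arista's actual hashing implementation. It models a port-channel's egress-port selection with two constructed policies: a layer 3/4 hash whose endpoint pairs are sorted (so both directions of a connection pick the same member port and therefore the same cluster worker), and a hypothetical combined policy that adds the source and destination MACs in packet order. On a tapped router-to-router link the MACs swap with direction, which is one candidate mechanism for the breakage the post describes; the post itself does not establish whether the cause is the MAC hashing or the combination of modes. The `count_asymmetric` check is the part worth reusing: it counts connections whose two halves would be delivered to different workers, which is what shows up as half-duplex connections in Bro/Zeek. All MACs, addresses and flows are constructed sample data.

```python
"""Constructed model of port-channel egress hashing for a tap feeding a Bro/Zeek cluster.

This is an illustration, not Arista's hash algorithm: it shows why a hash that is
not direction-independent splits a connection across cluster workers, and how to
check a candidate policy for that property before relying on it.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"

    def reverse(self):
        """The same connection as seen in the other direction on the tapped link."""
        return Packet(self.dst_mac, self.src_mac, self.dst_ip, self.src_ip,
                      self.dst_port, self.src_port, self.proto)


def _bucket(fields, n_ports):
    """Map a tuple of header fields onto one of n_ports port-channel members."""
    data = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") % n_ports


def l34_symmetric(pkt, n_ports):
    """Layer 3/4 policy: endpoint pairs are sorted, so A->B and B->A hash alike."""
    ips = tuple(sorted((pkt.src_ip, pkt.dst_ip)))
    ports = tuple(sorted((pkt.src_port, pkt.dst_port)))
    return _bucket(ips + ports + (pkt.proto,), n_ports)


def l2_plus_l34_ordered_mac(pkt, n_ports):
    """Hypothetical combined policy (an assumption, not a vendor algorithm): the
    same symmetric L3/4 fields plus source/destination MACs in packet order.
    Between two routers the MACs swap with direction, so the hash input differs."""
    ips = tuple(sorted((pkt.src_ip, pkt.dst_ip)))
    ports = tuple(sorted((pkt.src_port, pkt.dst_port)))
    return _bucket((pkt.src_mac, pkt.dst_mac) + ips + ports + (pkt.proto,), n_ports)


ROUTER_A = "00:1c:73:00:00:0a"   # constructed MAC of router A
ROUTER_B = "00:1c:73:00:00:0b"   # constructed MAC of router B


def sample_flows(n):
    """Constructed flows crossing the tapped router-to-router link, all A -> B."""
    return [Packet(ROUTER_A, ROUTER_B, f"10.0.{i // 256}.{i % 256}",
                   "192.0.2.10", 40000 + i, 443) for i in range(n)]


def count_asymmetric(flows, policy, n_ports):
    """Connections whose two directions egress on different member ports, i.e.
    reach different cluster workers and appear half-duplex in the analyzer."""
    return sum(1 for f in flows
               if policy(f, n_ports) != policy(f.reverse(), n_ports))


if __name__ == "__main__":
    flows = sample_flows(200)
    for name, policy in (("layer 3/4 only", l34_symmetric),
                         ("layer 2 + 3/4", l2_plus_l34_ordered_mac)):
        bad = count_asymmetric(flows, policy, n_ports=4)
        print(f"{name:15s}: {bad}/{len(flows)} connections split across workers")
```

Running the script with four member ports reports zero split connections for the sorted layer 3/4 policy and a large fraction for the MAC-ordered one; a real validation would replace the model with captured bidirectional traffic and compare which worker each direction actually reached.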