[Zeek] Dropping packets

Michał Purzyński michalpurzynski1 at gmail.com
Sat Feb 29 20:56:55 PST 2020 

Arista doesn’t dedup anything automatically. But it’s like 10x cheaper than solutions that do.

You can (and I did) write
- ACLs and attach them as ingress to tap ports ( hardware supported)
- ACLs and attach them as egrees to tool ports (hardware supported)
- drop packets by creating classes and policies and send them nowhere (software only, I did that when Arista was fighting for life with Cisco and had to ban hardware ACLs for a while)

Some people also double-tag  traffic, with the outer-most tag identifying the tap port. You can then use that when writing policies and ACLs.

> On Feb 25, 2020, at 5:50 AM, Joseph Fischetti <Joseph.Fischetti at marist.edu> wrote:
> 
> 
> The imbalance in traffic on the interfaces is apparently due to the way the Arista switches are physically connected.  Networking is going to change that:
> 
> We have span ports on 2 different links feeding 2 different Arista switches.  One Arista switch goes to one set of interfaces (eth4 on both boxes).  And the other Arista switch goes to the other set of interfaces (eth5 on both boxes).  One link is used as primary so it sees a lot more traffic than the other.  In addition to that, the Arista switch with the heavy link has span ports from the core.
>  
> We’re going to move the core spans over to the Arista with the light link… that should hopefully work to rebalance things.
>  
> That said… Will the Arista switches do any dedup on the packets that they’re getting?  I was uninvolved on the design/setup of the system.  It would seem to me that if we have some vlans spanning to the Aristas, and ports from the edge spanning to the Aristas…. Packets that go through the edge and through those vlans in the core will both be spanned to the Arista (and sent to zeek).
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200229/bdb47628/attachment.html

More information about the Zeek mailing list