1.2 6 - Multi-Switch CLI
Multi-Switch CLI
• Single point of administration, monitoring and management across Arista Network infrastructure
• XMPP (RFC 3920, 3921) standard-based
• Enables CLI commands to be sent to a participating switch or group of switches
• Manage your network with an XMPP client running on your mobile device or computer
XMPP
• Architecture is known to scale well (10,000+ switches)
• Authentication from XMPP
• Authorization from local switch or external AAA (RADIUS or TACACS+)
• SSL/TLS is supported to encrypt the connection
• Every command and response is logged
• Real-time and Free!
Multi-Switch CLI Concepts
Switch Groups
• can be based on functions, models or locations
• Task can be based on information gathering – EOS version, MAC, IP, LLDP neighbors
• Task can be based on troubleshooting – correlate events across multiple switches
• Task can be based on Configuration – QoS, ACL, VLANs, force to ZTP etc
Requirements
• Ejabberd or any XMPP server.
• Multiple XMPP servers can be set up in active-active mode for redundancy
• If the EOS version is earlier than 4.12.3, CloudVision.swix must be installed
• If the EOS version is later than 4.12.3, no swix is required
Multi-Switch CLI Operations
Authentication, Authorization and Accounting (AAA)
1. The domain of the incoming message is checked to confirm that it belongs to the same domain.
2. Messages from outside the domain are not accepted and result in the switch sending an error message back to the user.
3. The incoming command messages are executed on the switch with a default privilege level of 1 or whatever the session privilege configuration is set to. If no AAA is configured and the switch is configured to connect to the XMPP client, any message received is executed with privilege level 1 by default.
4. If integrated with AAA, the user ID is stripped from the request (leaf-01@zurien.com results in a lookup of user leaf-01), and the AAA agent of the switch is consulted to obtain the user's privilege level and role.
5. If the user doesn't exist locally or remotely (when group "tacacs" or "radius" is used), the command fails authorization. If the user does exist (for group "local", via the "username" command), their XMPP session is authorized.
6. The local user and group information is obtained as configured, and the XMPP agent switches to that User ID/Group ID for the duration of the user's command(s).
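The six steps above, modelled as a decision function in Python. This is an added example, not Arista code: the function names, the exact-match domain comparison and the user table are assumptions, and it covers direct messages only. The audit helper shows which senders end up at privilege 15 when "session privilege 15" is set with and without AAA.

```python
# Added example: a model of the six AAA steps as the slide describes them.
# Not EOS code; names and the user table are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

DEFAULT_PRIVILEGE = 1  # step 3: level used when no session privilege is set


@dataclass
class Decision:
    accepted: bool
    user: Optional[str]
    privilege: Optional[int]
    reason: str


def authorize(sender_jid, switch_domain, session_privilege=None, aaa_users=None):
    """Return the Decision for one incoming XMPP command message.

    aaa_users is None when no AAA is integrated; otherwise it maps a user
    name to a privilege level (standing in for local, RADIUS or TACACS+).
    """
    bare = sender_jid.split("/", 1)[0]  # drop any XMPP resource part
    user, sep, domain = bare.rpartition("@")
    # Steps 1-2: only senders in the switch's own domain are accepted.
    if not sep or not user or domain.lower() != switch_domain.lower():
        return Decision(False, None, None, "sender outside domain")
    # Step 3: without AAA every accepted sender runs at the session level.
    if aaa_users is None:
        level = DEFAULT_PRIVILEGE if session_privilege is None else session_privilege
        return Decision(True, user, level, "no AAA, session privilege applies")
    # Steps 4-5: the stripped user name must be known to AAA.
    if user not in aaa_users:
        return Decision(False, user, None, "user unknown to AAA")
    # Step 6: commands run with that user's own privilege level.
    return Decision(True, user, aaa_users[user], "authorized by AAA")


def audit(senders, switch_domain, session_privilege, aaa_users):
    """List (sender, privilege) pairs that would run at privilege 15."""
    out = []
    for jid in senders:
        d = authorize(jid, switch_domain, session_privilege, aaa_users)
        if d.accepted and d.privilege == 15:
            out.append((jid, d.privilege))
    return out
```
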
Multi-Switch CLI Configuration
[Topology diagram. Labels: a518, 5d47, 39cc, 7294; 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4; all@conference.zurien.com; e1, e2, e3, e4; Management; e20; Linux Host; XMPP Server 10.0.0.100]
XMPP Server Configuration
• Domain: zurien.com
• Username / Password: leaf-01 / Arista, leaf-02 / Arista, leaf-03 / Arista, leaf-04 / Arista
Connecting to XMPP Server
Leaf-01(config)#management xmpp
Leaf-01(config-mgmt-xmpp)#no shut
Leaf-01(config-mgmt-xmpp)#server 10.0.0.100
Leaf-01(config-mgmt-xmpp)#domain zurien.com
Leaf-01(config-mgmt-xmpp)#user leaf-01 password Arista
Leaf-01(config-mgmt-xmpp)#exit
Joining a Group
Leaf-01(config)#management xmpp
Leaf-01(config-mgmt-xmpp)#switch-group all@conference.zurien.com password Arista
Leaf-01(config-mgmt-xmpp)#exit
Add Session privilege
Leaf-01(config)#management xmpp
Leaf-01(config-mgmt-xmpp)#session privilege 15
Leaf-01(config-mgmt-xmpp)#exit
hostname leaf-02
xmpp-leaf-02#