An EOS extension for managing your network over XMPP
Arista Networks CloudVision is a framework based on open standards for providing a single point of administration, management, and monitoring across the entire datacenter. The CloudVision Multi-Switch CLI extension uses XMPP to provide a shared message bus for managing and configuring switches in your network.
XMPP is the eXtensible Messaging and Presence Protocol (RFC 3920, 3921). At its most basic it is a chat protocol, but the extensible part of the name refers to the protocol’s ability to transport arbitrary XML between nodes.
XMPP was built to be federated like e-mail: a username looks just like an e-mail address, such as firstname.lastname@example.org. This means that you can set up your own XMPP server that users in your organization can use to chat with each other. And if you expose your server to the Internet, a user in your organization can chat with users in other organizations, such as Gmail users (Gmail chat uses XMPP).
Arista has built an XMPP client that runs on our products and responds to CLI commands. This gives you the ability to manage your network with an XMPP client of your own running on your phone or computer, like iChat. This provides some convenience as is: a single login to your XMPP server gets you secure access to all your switches, and all accounting can be consolidated in one place, the XMPP server. However, it gets really useful when you start using the group chat features of XMPP. You can configure any subset of your Arista switches to join chat rooms. Commands that you send in that chat room get executed on every switch in the room.
Here are some useful show commands to perform queries across your entire network:
Get all switches running EOS-4.6.1
show version | inc Software | inc 4.6.1
Find where a host is connected on your network
show mac address-table | inc 0011.2233.4455
Perform configuration on multiple switches at once
config ip route 192.168.0.0/16 192.168.0.1
Quick Setup and User Guide
First time installation of the CloudVision extension
- Copy the CloudVision swix (found below) into the extensions directory of the switch using the copy command – copy SRCURL extension:CloudVision.swix
- Load the extension – extension CloudVision.swix
- If desired, set up the extension to be loaded at boot time – copy installed-extensions boot-extensions
- Once the extension has been installed, you will need to exit your current CLI session and reconnect before configuring XMPP.
Upgrading to a newer version of the CloudVision extension
- Copy the new CloudVision swix into the extensions directory of the switch using the copy command – copy SRCURL extension:CloudVision.swix
- Update /mnt/flash/boot-extensions if the extension name has changed
- Reload the system
NOTE: Upgrading to a newer version of the CloudVision extension requires a system reload.
Configuring your XMPP server
We’ve been using the ejabberd XMPP server in our testing, which is part of the standard Fedora Linux distribution.
- Quick setup guide: http://www.ejabberd.im/node/1051
- Configuration documentation: http://www.process-one.net/docs/ejabberd/guide_en.html
Recommended configuration: TLS and XMPP Ping
NOTE – TLS or SASL authentication is required. We do not currently support Non-SASL authentication (xep-0078), nor do we support the old SSL connection method.
Configuring XMPP management on your switch
All configuration happens in the xmpp management configuration mode:
(config)#management xmpp
(config-mgmt-xmpp)#no shutdown
(config-mgmt-xmpp)#server SERVER
(config-mgmt-xmpp)#username USER@DOMAIN password PASSWORD
Validating the setup
Once XMPP has been configured, you can validate your XMPP connection using the show xmpp status command:
#show xmpp status
XMPP Server: SERVERHOSTNAME port 5222
Client username: USER@DOMAIN
Connection status: connected
If the connection state is connected, then you have successfully connected to the XMPP server. Once connected, you can view the clients you’ve communicated with using the show xmpp neighbors command.
Running CLI commands on one switch directly from another
If two switches A and B are both connected via XMPP, you can run CLI commands on A directly from B using the xmpp send command:
xmpp send USERNAME@DOMAIN command CLICOMMAND
A#xmpp send B@domain.com command show int Eth3 status
Port  Name  Status     Vlan    Duplex  Speed   Type
Et3   bs3   connected  in Po3  a-full  a-1000  10GBASE-SR
Using your own chat client, join a group that you have configured your switches to be a member of. Then, send CLI commands to the group to see the response from everyone in that group.
When an Arista switch is in a room with another Arista switch, they add each other as XMPP neighbors. You can view the status of a switch’s neighbors with ‘show xmpp neighbors‘.
Interacting with a switch or switch group using xmpp session
Starting with version 1.2, you can interact with a switch or switch group directly from the CLI using the xmpp session command. This command allows you to interact in enable mode with a switch or switch group over XMPP using the standard CLI, with access to help and tab completion available. All commands are then executed remotely and the result is displayed on the screen.
localhost#xmpp session [SWITCH|SWITCHGROUP]
A#xmpp session all@conference.DOMAIN
xmpp-all#show int Eth3 status
response from: B@DOMAIN
--------------------------------------------------
Port  Name  Status     Vlan    Duplex  Speed   Type
Et3   bs3   connected  in Po3  a-full  a-1000  10GBASE-SR
Uninstalling the CloudVision extension requires a system reload. Remove the CloudVision extension from /mnt/flash/boot-extensions and then reload the system.
If using version 1.3.0 of the extension or later, the XMPP client can be configured to use your management VRF. For example, after the above is configured, to connect to an XMPP server in the VRF named mgmt:
To go back to connecting to a server in the default VRF, remove the VRF configuration in XMPP configuration mode, like so:
Here are some of the features we’re looking to add moving forward
- Integrate command authorization and accounting into TACACS / RADIUS. All commands run over XMPP should be authorized and accounted for as if they were run at a standard CLI shell
- Integrate XMPP server into EOS, so that you can run it on the switch directly rather than in a separate VM
- Send log messages above a configurable severity over XMPP to a specific user or switch group, much in the same way as you can configure a remote logging server. You could then receive critical log messages in your message client, and be able to directly start debugging the problem within that same client by running CLI commands to gather more information.
It can be really useful to see the XML messages being exchanged when debugging issues connecting to the XMPP server. To enable debugging:
- Enable tracing on the XMPP agent:
  trace Xmpp filename xmppdebug
  trace Xmpp setting Xmpp*/*
- Debugging output can then be found in /tmp/xmppdebug
- Disable tracing once you are done to ensure that you do not fill up /tmp
Our XMPP client implementation is based on the open-source SleekXMPP project. You can find our SleekXMPP repository on github at http://github.com/aristanetworks/SleekXMPP.
We use the open-source ejabberd XMPP server; more information is available at http://www.ejabberd.im/
The CloudVision extension is available from the Arista Networks support download site.
- EOS 4.8: CloudVision-1.1.0_4.8.swix
- CloudVision 1.2.2
- CloudVision 1.2.3
- CloudVision on EOS 4.11
- Users of EOS 4.11 should contact their account team to obtain the correct CloudVision XMPP extension for their EOS version.
- Alternatively, upgrading to EOS 4.12.3 or later will get an updated CloudVision CLI with new features and improvements, integrated right into EOS with no extension required.
- CloudVision on EOS 4.12 and later
- The CloudVision Multi-switch CLI is integrated in EOS release 4.12.3 and later. Further bug fixes and new features will be released via the main image and not via extensions.
We have just posted CloudVision Version 1.1.0! Along with bug fixes, it adds support for the “switch-group” command in management xmpp configuration mode. This allows you to configure each switch to join the specified rooms on startup.
To use the command, go into management xmpp configuration mode and run switch-group GROUP@conference.DOMAIN. For example:
tor” group will be created if it doesn’t exist. As always, don’t forget “conference”. This is an XMPP convention to keep usernames from colliding with group names.
When in a chat group, you can send commands to just a subset of the switches in the group by prepending the switch name and a comma to the beginning of the command. You can do this multiple times to include more switches. For example:
switch1, show version
switch1, switch2, show version
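The addressing rule above, as an added example that is not code from the extension: a small auditor that takes group-chat lines and reports which switches each command reaches and whether it changes configuration. The prefix-parsing rule, the room membership and the sender name are assumptions made for illustration; the extension's own parser is not shown on this page.

```python
# Added example: work out which switches a group-chat line addresses.
# Assumption: a leading "name," is a target prefix only when it is one bare
# word. The extension's real parsing rules are not documented on this page.

def resolve_targets(line, room_members):
    """Return (targets, unmatched, command) for one chat-room line."""
    named = []
    rest = line.strip()
    while "," in rest:
        head, tail = rest.split(",", 1)
        head = head.strip()
        # A comma inside the command itself (constructed case:
        # "show interfaces Et1,Et2 status") must not be read as a prefix.
        if not head or " " in head:
            break
        named.append(head)
        rest = tail.strip()
    if not named:
        # No prefix: every switch in the room executes the command.
        return sorted(room_members), [], rest
    targets = [n for n in named if n in room_members]
    unmatched = [n for n in named if n not in room_members]
    return targets, unmatched, rest


def audit(chat_log, room_members):
    """Report the reach of each command and flag configuration changes."""
    findings = []
    for sender, line in chat_log:
        targets, unmatched, command = resolve_targets(line, room_members)
        findings.append({
            "sender": sender,
            "command": command,
            "targets": targets,
            "unmatched": unmatched,
            # The page's configuration example starts with "config".
            "changes_config": command.split(" ", 1)[0] == "config",
            "room_wide": len(targets) == len(room_members),
        })
    return findings


# Constructed sample: room membership and sender are illustrative only.
ROOM = {"switch1", "switch2", "switch3"}
LOG = [
    ("ops@example.org", "switch1, switch2, show version"),
    ("ops@example.org", "config ip route 192.168.0.0/16 192.168.0.1"),
    ("ops@example.org", "switch9, show mac address-table | inc 0011.2233.4455"),
]

if __name__ == "__main__":
    for finding in audit(LOG, ROOM):
        print(finding)
```

Entries with both changes_config and room_wide set are the ones worth reviewing first in the XMPP server's accounting records.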
Known Caveats: Using capital letters in user name, group names, or domain names can cause the switch XMPP client to be dropped from rooms or disconnected from the XMPP server. Please use only lower-case.
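A pre-deployment check for the caveat and the conference naming convention above, as an added example that is not part of the extension: it lints the commands you intend to enter in management xmpp mode. The one-command-per-line input format and the sample host, user and group names are assumptions.

```python
import re

# Added example: lint commands destined for "management xmpp" mode against
# the caveats on this page. Input format (one command per line) is assumed.
ARG = re.compile(r"^(server|username|switch-group)\s+(\S+)")


def lint_xmpp_commands(text):
    """Return a list of (line_number, message) findings; 0 = whole stanza."""
    findings, enabled, seen_mode = [], False, False
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == "management xmpp":
            seen_mode = True
        elif line == "no shutdown":
            enabled = True
        match = ARG.match(line)
        if not match:
            continue
        keyword, value = match.groups()
        # Caveat: capitals in user, group or domain names can get the client
        # dropped from rooms or disconnected from the server.
        if value != value.lower():
            findings.append((num, f"{keyword} {value}: use lower-case only"))
        if keyword == "switch-group":
            domain = value.partition("@")[2].lower()
            # Page convention: GROUP@conference.DOMAIN keeps group names
            # from colliding with usernames.
            if not domain.startswith("conference."):
                findings.append((num, f"{value}: expected GROUP@conference.DOMAIN"))
    if seen_mode and not enabled:
        # The setup steps on this page enable the client with "no shutdown".
        findings.append((0, "management xmpp: missing 'no shutdown'"))
    return findings


# Constructed sample; host, user and group names are placeholders.
SAMPLE = """\
management xmpp
server xmpp.example.org
username Switch1@example.org password PLACEHOLDER
switch-group tor@conference.example.org
switch-group spine@example.org
"""

if __name__ == "__main__":
    for num, message in lint_xmpp_commands(SAMPLE):
        print(num, message)
```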
CloudVision 1.2 adds the ability to interact with a switch or switch group directly from the CLI using the xmpp session [SWITCH|SWITCHGROUP] command. This command allows you to interact in enable mode with a switch or switch group over XMPP using the standard CLI, with access to help and tab completion available. All commands are then executed remotely and the result is displayed on the screen. There is now also a /usr/bin/XmppCli executable, similar to /usr/bin/Cli, which can be used for scripting.
Version 1.2 also contains a variety of bug fixes, including:
- Properly handle commands with quotes or other special characters in them, for example ‘show version | grep “Software”‘
- Retry the connection to the XMPP server on authorization failure (wrong username or password) so that we properly connect if the configuration is fixed on the server side
- Explicitly disallow uninstalling the CloudVision.swix extension without rebooting
Known Caveats: Using capital letters in user name, group names, or domain names can cause the switch XMPP client to be dropped from rooms or disconnected from the XMPP server. Please use only lower-case. Note that the CloudVision Multi-Switch CLI extension is not supported with management VRFs in 4.10.0.
Version 1.2.3 of the CloudVision multi-switch CLI extension fixes an issue where using the xmpp send command caused some command strings to appear misquoted. The switch would indicate the command (quoted) did not exist in that case.
Known Caveats: A switch may disconnect from the XMPP server after an extended period, and then not automatically reconnect. The work-around is to no shutdown the CloudVision XMPP client in the management xmpp configuration stanza.
CloudVision 1.3 adds support for management VRFs in EOS 4.11 and resolves existing caveats. EOS 4.11 is required to use this extension.
CloudVision in EOS 4.12.3 and later
CloudVision integrated into the EOS image brings AAA support and support for server hostnames with multiple IP addresses.