Desperate search for Arista EOS firmware


Yarik Dot

Does anyone have the current version? I just bought two 7010T units; one contains 4.14, the second one 4.19.

Interestingly, the latter has an issue with the fans (one fan is not reporting correctly). I hope a newer EOS will fix this.
 

Yarik Dot

Currently looking for EOS-4.18-12M.swi, as it should be the latest working version for the 7050S series. There are some bugs in lower versions, such as: Arista Networks EOS Linux Kernel TCP Multiple DoS (SA0041)

I currently have these if needed:

6dabd9f831f5d72e52bab74ff332e25d EOS-4.13.7.2M.swi
9a75f9ac87500c3f24e36e019c0c9338 EOS-4.14.6M.swi
73435f0db3af785011f88743f4c01abd EOS-4.18.0F.swi
8b7783a710f0716e75972e939b1f8ce7 EOS-4.18.11M.swi
23a04b1a009215f82312d868b7fc4989 EOS-4.19.3F.swi
a9523e7bcb442612b3e9f3de5b396176 EOS-4.19.5M.swi
6f4c2947e191210ed52510fe3a7f12aa EOS-4.20.7M.swi
c64c95bc162b21ecebc9777a3c950359 EOS-4.21.5F.swi
73abb50203ec88c8fcbb2b74ff4a8806 EOS-4.22.0F.swi
eb0255b8882f4af01681333d3ad1f6a3 EOS-4.22.1F.swi
4e2da97d988cf421873e3e4ec7e042eb EOS-4.23.1F.swi
 

fohdeesha

4.18-12M doesn't actually exist; they never released it.

(At least it didn't when that advisory was originally released two months ago; I can check again when I'm back at work.)
 

fohdeesha

Looked on Arista's support portal, and anything 4.18.x or earlier is completely gone; the only thing available for download is 4.19 and up. I'd imagine that to get 4.18.12 you'd have to personally contact TAC and show them the support contract of a switch that old.
 

Yarik Dot

I got this information from another source as well. The last 4.18 version is 4.18.11M. So, it is time to start using them as L2 switches only.
 

fohdeesha

So, it is time to start using them as L2 switches only.
That's quite an extreme overreaction; there are thousands of these switches in telecom networks without issue. The linked issue is with DDoS attacks on management IPs on the switch, e.g. IPs assigned to the underlying Linux install. You should *never* have these exposed to the public internet in the first place, so the attack shouldn't be possible. They should be on a separate VLAN entirely, or better yet, a completely isolated management VRF.
 

Yarik Dot

That's quite an extreme overreaction; there are thousands of these switches in telecom networks without issue. The linked issue is with DDoS attacks on management IPs on the switch, e.g. IPs assigned to the underlying Linux install. You should *never* have these exposed to the public internet in the first place, so the attack shouldn't be possible. They should be on a separate VLAN entirely, or better yet, a completely isolated management VRF.
There is something I might not understand, and I would appreciate an explanation to better understand it.

Let's take a look at the example of our configuration:

Code:
vrf definition mgmt
   rd 64512:1
!

interface Management1
   vrf forwarding mgmt
   ipv6 address 2001:db8:1:2::1:1/64
!

interface Vlan5
   description Servers
   ipv6 address 2001:db8:ffff::1/64
!

interface Ethernet1
   description Uplink
   ipv6 address 2001:db8:150::2/64
!

interface Ethernet35
   switchport access vlan 5
!

ip routing
!

ipv6 unicast-routing
!

ipv6 route ::/0 2001:db8:150::1
ipv6 route vrf mgmt ::/0 2001:db8:1:2::1

management ssh
   shutdown
   !
   vrf mgmt
      no shutdown
!
end
The management port has its own network, 2001:db8:1:2::/64, protected by a stateful firewall that sits between the switch and the internet; as long as the firewall is configured correctly, it should be safe.

The rest of the ports are connected directly to the internet. As I understand it, as long as an IP is assigned to any interface on that switch, everything that goes to that address is processed by the management CPU, not the ASIC. So if I send those malicious packets to 2001:db8:150::2 or 2001:db8:ffff::1, it should still be effective, shouldn't it?
 

fohdeesha

As I understand it, as long as an IP is assigned to any interface on that switch, everything that goes to that address is processed by the management CPU, not the ASIC
It goes to the ASIC; there's no way the little embedded AMD CPU in these things would be capable of routing the 10 Gbps+ of traffic that hits its layer 3 interfaces. If traffic is directed to its IP address on a port where a service is running, like SSH, then it's forwarded to the CPU/Linux. You need to create a management VRF and bind all services like SSH and SNMP to it, and unbind them from your default VRF; then routing interfaces in your default VRF have no way of getting traffic to the underlying OS.
Arista management VRF setup – Vodka RedBull Please

There are some caveats, like certain routing daemons such as BGP requiring traffic to still hit Linux, etc., but you should have enough ACL rules in place that a malicious actor shouldn't be able to get BGP (or whatever) packets to your control plane in the first place; ensure they are only allowed from your transit providers, etc.
 
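The two posts above (the posted config asking whether data-plane addresses reach the CPU, and the reply saying to bind SSH/SNMP to a management VRF and unbind them from the default VRF) suggest a quick configuration check. The script below is an added example, not code from this thread or from Arista: it reads an EOS running-config in the block layout shown above and lists management services that are still enabled in the default VRF, i.e. reachable through addresses like 2001:db8:150::2. It assumes a management VRF named mgmt, the `management <service>` / `vrf <name>` / `no shutdown` structure seen in the thread, that EOS omits default values from the running-config (SSH on by default, telnet and eAPI off), and that `snmp-server vrf <name>` is the command that binds the SNMP agent. THREAD_CONFIG is the management-relevant part of the config posted above; WEAK_CONFIG is a constructed counter-example.

```python
"""Audit an Arista EOS running-config for management services left reachable
in the default VRF. Added example; assumptions are listed in the lead-in."""
import re

MGMT_VRF = "mgmt"  # assumed management VRF name, as in the thread's config

# Assumed default state in the default VRF when no (no) shutdown line is
# printed: EOS omits defaults from running-config; SSH is on by default,
# telnet and eAPI (management api http-commands) are off.
DEFAULT_ENABLED = {
    "management ssh": True,
    "management telnet": False,
    "management api http-commands": False,
}

# Management-relevant part of the config posted in the thread.
THREAD_CONFIG = """\
vrf definition mgmt
   rd 64512:1
!
management ssh
   shutdown
   !
   vrf mgmt
      no shutdown
!
end
"""

# Constructed weak variant: SSH never shut down in the default VRF, eAPI
# enabled in both VRFs, SNMP community set without binding to the mgmt VRF.
WEAK_CONFIG = """\
management ssh
   vrf mgmt
      no shutdown
!
management api http-commands
   no shutdown
   vrf mgmt
      no shutdown
!
snmp-server community public ro
!
end
"""


def parse_blocks(config_text):
    """Group lines into {top-level line: [(indent, child line), ...]}.
    EOS indents children three spaces per level; '!' and 'end' separate."""
    blocks = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line in ("", "!", "end"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:
            current = line
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append((indent, line))
    return blocks


def service_state(header, children):
    """Return {vrf: enabled} for one 'management <service>' block. Lines at
    indent 3 apply to the default VRF; 'vrf X' at that level opens a
    sub-block whose deeper lines apply to VRF X."""
    state = {"default": DEFAULT_ENABLED.get(header, True)}
    vrf = "default"
    for indent, line in children:
        match = re.fullmatch(r"vrf (\S+)", line)
        if indent == 3:
            if match:
                vrf = match.group(1)
                state.setdefault(vrf, False)  # non-default VRFs start off
                continue
            vrf = "default"
        if line == "shutdown":
            state[vrf] = False
        elif line == "no shutdown":
            state[vrf] = True
    return state


def audit_management_services(config_text, mgmt_vrf=MGMT_VRF):
    """List services that accept connections outside the management VRF."""
    blocks = parse_blocks(config_text)
    findings = []
    for header, children in blocks.items():
        if header.startswith("management "):
            for vrf, enabled in service_state(header, children).items():
                if enabled and vrf != mgmt_vrf:
                    findings.append(f"{header}: enabled in VRF '{vrf}'")
    # SNMP is a one-line command; assumed 'snmp-server vrf <name>' binds it.
    has_community = any(h.startswith("snmp-server community") for h in blocks)
    if has_community and f"snmp-server vrf {mgmt_vrf}" not in blocks:
        findings.append(f"snmp-server: community set but not bound to VRF '{mgmt_vrf}'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("thread config", THREAD_CONFIG), ("weak config", WEAK_CONFIG)):
        print(name, "->", audit_management_services(cfg) or "no findings")
```

Run it against the output of `show running-config`; an empty result means every management service in the config is enabled only inside the mgmt VRF. BGP and other control-plane protocols that the reply mentions as caveats are outside this check, since they are reached via ACLs rather than VRF binding.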

Yarik Dot

It goes to the ASIC; there's no way the little embedded AMD CPU in these things would be capable of routing the 10 Gbps+ of traffic that hits its layer 3 interfaces. If traffic is directed to its IP address on a port where a service is running, like SSH, then it's forwarded to the CPU/Linux. You need to create a management VRF and bind all services like SSH and SNMP to it, and unbind them from your default VRF; then routing interfaces in your default VRF have no way of getting traffic to the underlying OS.
Arista management VRF setup – Vodka RedBull Please

There are some caveats, like certain routing daemons such as BGP requiring traffic to still hit Linux, etc., but you should have enough ACL rules in place that a malicious actor shouldn't be able to get BGP (or whatever) packets to your control plane in the first place; ensure they are only allowed from your transit providers, etc.
That's exactly how I understand it.

So if I craft the packets correctly and send them to the switch, there is a chance I take it down, right?
 

MrMaster2k

Does anyone have EOS-4.15.10M? I have a 7048T-A that I'd like to get upgraded.
Hi All. New to Arista switching; however, I see the go-to guy for this software version appears to be fohdeesha.

I know this is a very old thread - but thanks to everyone that can help!

Stay safe!
 

Gooogast

Hello. Does anybody have the latest EOS firmware (for the 7050QX)?

My current firmware is 4.21.5F.