CloudVision as-a-Service (CVaaS) Quick Start Guide Arista Networks www.arista.com September 2021 Headquarters Support Sales 5453 Great America Parkway +1 408 547-5502 +1 408 547-5501 Santa Clara, CA 95054 +1 866 476-0000 +1 866 497-0000 USA [email protected] [email protected] +1 408 547-5500 www.arista.com © Copyright 2021 Arista Networks, Inc. All rights reserved. The information contained herein is subject to change without notice. The trademarks, logos and service marks ("Marks") displayed in this documentation are the property of Arista Networks in the United States and other countries. Use of the Marks are subject to Arista Network’s Term of Use Policy, available at www.arista.com/en/terms-of-use. Use of marks belonging to other parties is for informational purposes only. ii Contents Contents 1 CloudVision as-a-Service....................................................................1 1.1 Onboarding at a Glance.........................................................................................................1 1.2 User Onboarding Prerequisites.............................................................................................. 3 1.2.1 Invitation URL........................................................................................................... 3 1.2.2 Authentication Details............................................................................................... 3 1.3 User Onboarding Workflow.................................................................................................... 4 1.3.1 Onboarding Authentication Providers....................................................................... 4 1.3.2 Onboarding SAML Providers.................................................................................... 6 1.3.3 Onboarding User Accounts.......................................................................................8 1.3.4 Login to CloudVision.................................................................................................9 1.4 Device Onboarding Prerequisites.........................................................................................10 1.5 Device Onboarding Workflow............................................................................................... 12 1.5.1 Onboarding Devices: ZTP as-a-Service................................................................. 12 1.5.2 Onboarding Devices: Token-Based Authentication................................................ 15 1.6 Troubleshooting.................................................................................................................... 18 1.6.1 Troubleshooting Connectivity Issues...................................................................... 18 1.6.2 Troubleshooting Device Onboarding Issues...........................................................19 1.6.3 Troubleshooting Streaming Telemetry Latency Issues...........................................19 1.6.4 Troubleshooting Switch Provisioning and Configuration Issues............................. 20 1.7 Automation with CloudVision as-a-Service...........................................................................21 1.8 CloudVision as-a-Service Support........................................................................................24 iii iv 1 CloudVision as-a-Service 1 CloudVision as-a-Service CloudVision as-a-Service is an SaaS-based delivery for the Arista CloudVision management plane platform offering modern telemetry and analytics, network-wide automation, and orchestration. As a complement to the on-premises offering, the CloudVision as-a-Service platform offers cloud-based onboarding and feature delivery, using secure state-streaming to an Arista managed cloud-native architecture. This document is intended to be a quick start guide for customers who seek to onboard to the CloudVision as-a-Service platform. 1.1 Onboarding at a Glance Use the following steps and checklist to simplify the onboarding process. 1. Configure the CloudVision as-a-Service specific information in the respective authentication provider portal. 2. Log into the CloudVision as-a-Service using the provided Invitation URL. 3. Onboard an Authentication Provider. 4. Onboard Users. 5. Onboard EOS Devices. Table 1: Checklist Checklist Item Description User Onboarding Configure the CloudVision Use the following information Prerequisites Service specific information in to provision the CloudVision the authentication system. as-a-Service in the supported authentication system. • Authorized origin: https:// www.arista.io • Authorized callback URL: https://www.arista.io/api/ v1/oauth Invitation URL Arista will provide you an invitation URL. Valid for only 48 hours. Authentication Details For Google and Microsoft, no additional details are needed. For OneLogin, Okta, and other OAuth providers, please refer to the Authentication Details section. Device Onboarding EOS 4.20+ Prerequisites TerminAttr 1.15.3+ 1 Checklist Item Description Connectivity Requirements: Port Refer to the Connectivity Details 443 access to apiserver.arista.io section for more information. & www.arista.io Valid NTP server configuration To configure NTP use the following command: switch(config)#ntp server <vrf> <vrf- name> <ntp server> https://www.arista.com/en/um- eos/eos-system-clock-and-time- protocols 2 1 CloudVision as-a-Service 1.2 User Onboarding Prerequisites 1.2.1 Invitation URL Use the Invitation URL provided by Arista for the initial login to the CloudVision as-a-Service. Note that this URL will only be accessible for up to 48 hours. Make sure to complete the authentication provider onboarding and user onboarding for the administrator account before the Invitation URL expires. Note: If the invitation URL expires, please send an email to: [email protected] 1.2.2 Authentication Details Your OAuth administrator will need to configure CloudVision as-a-Service using the following OAuth information in their respective auth provider portal: • Authorized origin: https://www.arista.io • Authorized callback URL: https://www.arista.io/api/v1/oauth For Okta, OneLogin and other OAuth providers, the following three pieces of information are required for successful CloudVision Service onboarding: • OAuth Endpoint • ClientID • ClientSecret Please refer to the respective OAuth provider documentation on how to obtain this information. 3 1.3 User Onboarding Workflow 1.3.1 Onboarding Authentication Providers 1. Once the CloudVision as-a-Service instance is set up, access the CloudVision Service using the provided Invitation URL 2. Select a preferred authentication provider from the list. Figure 1: Welcome Screen - Select Preferred Authentication Provider 4 1 CloudVision as-a-Service 3. For Okta, OneLogin & other authentication methods, please fill out the Endpoint/ClientID and ClientSecret information. Figure 2: Provider Details Note: To make changes to authentication providers after the initial onboarding process, navigate to Access Control > Providers and select the Add Provider button. Figure 3: Access Control - Providers 5 1.3.2 Onboarding SAML Providers Use the following procedure to add a SAML provider. 1. Get the CloudVision specific SAML metadata from your cluster by going to a URL:https:// www.arista.io/api/v1/saml_sp_metadata Note: To download this file you need to either already be logged into the CloudVision cluster or access the cluster through the Invitation URL. 2. In the metadata, you will need the entityID at the top of the file and the Location at the bottom of the file when configuring your SAML provider. Figure 4: Metadata 3. Proceed with your organization’s SAML provider configuration. Refer to the SAML provider documentation for further information. Use the Location URL and entityID URLs obtained in Step 2 to complete the registration process. For Example: In Octa fill out Single sign on URL with the Location URL and the Audience URL (SP Entity ID) with the entityID URL. 4. Gather the Identity Provider metadata from your SAML Provider configuration. You will need this information in the next step when setting up the SAML provider in CloudVision. 5. Navigate to Access Control > Providers. To add a new SAML provider, click the Add SAML Provider button. Figure 5: Providers 6 1 CloudVision as-a-Service 6. Fill out the other necessary information (from Step 4) to onboard the SAML provider. Figure 6: Add SAML Provider Note: To configure Launchpad as a Provider: Please use the following settings to configure “Launchpad” as a SAML provider. • Provider: launchpad • Identity Provider Issuer: https://login.mojonetworks.com/idp/shibboleth • Identity Provider Metadata URL: https://login.wifi.arista.com/casui/idp-metadata.xml •Email Attribute Name: User.email • Authorization Request Binding: HTTP-Redirect SAML protocol binding Note: To make changes to authentication providers after the initial onboarding process navigate to Access Control > Providers under the CloudVision Settings. Figure 7: Access Control - Providers 7 1.3.3 Onboarding User Accounts Once the authentication provider is set up, add the admin user account in the User Information screen. Make sure the email address matches with the email address maintained in the SSO. Figure 8: User Information Screen Note: To make changes or add new users to CloudVision after the initial on-boarding, navigate to Access Control > Users under the CloudVision Settings. Figure 9: Add User 8 1 CloudVision as-a-Service 1.3.4 Login to CloudVision 1. After selecting Finish you will get redirected to https://arista.io.