Arista Traffic Shunting

Hello everyone,

We have a bro cluster setup and running but we are getting a lot of packet loss from elephant flows. We’ve seen that a lot of people use an Arista switch to block these flows but we haven’t seen how to interface with Arista from bro. How do people do traffic shunting using Arista?

These are the sources where we’ve seen people shunting traffic with Arista:


Logan Miller

Network Security Engineer

Brigham Young University

Office of IT

I would also be interested to see what an implementation of this looks
like. From my very very limited understanding is they are using the
Arista's RESTful API. In the Berkley document the have the arista
switch configs and it includes '
management api http­commands'. Unsure how on the bro end they are
determining which flows to terminate and what logic controls that.


(While Justin and others chime in)

We are relying on : (this one has IPv6 support) Originally
we started with Justin's branch here:

On bro side there is a conn-bulk.bro and react framework


This ties bro with which talks with arista to apply and remove

If you need specific arista configurations, I can send you our arista configs


Oh, I merged in the ipv6 support over a year ago, so you should probably be running the upstream version.


I saw those github scripts and I wasn't sure where to put them in the bro directory and what bro configs had to be changed to make it them work. Where did you put the scripts? Also, as long as api management is enabled on the Arista switch, is there anything else on the switch that needs to be configured?

- Logan Miller

Here is how I have stuff setup:

1) in your site.bro:

@load conn-bulk.bro
@load react

redef GridFTP::size_threshold = 1048576; # 2 MB
redef Bulk::size_threshold = 134217728 ; # 128 MB

2) make sure react/dumbno.cfg has right values

3) then:

  a) ./ dumbno.cfg setup

  b) ./ dumbno.cfg >& /var/log/dumbno.log &
  c) ./ dumbno.cfg stats >& /var/log/dumbno.stats &

4) @load conn-bulk.bro and "@load react" should get bro to start
flagging and acting on fat flows.

tail on /var/log/dumbno.log should give you reasonable visibility into
on-going operations

Hope this helps,