Most of my Arista experience has been in the Data Center. However, I had the opportunity to explore Arista's campus and mobility side of things for the first time during the Mobility Field Day 8 event. The two main things that caught my attention last time were MSSG and Live Trace. Since then, I have become a little more familiar with their Cognitive Campus architecture, so when I saw their name as one of the presenters, I was looking forward to their presentation and announcements.
Sriram Venkiteswaran (Director of Product Management) started the Arista presentation, “What’s New with Arista Cognitive Campus.”
AGNI – Arista Guardian for Network Identity:
When I first heard that the Cloud NAC solution from Arista is called “Agni”, my immediate thought was “Fire”, which is what the word “Agni” means in Sanskrit. My brain started to relate it to the firewall icon that we normally see in topology diagrams. But it actually is an acronym for “Arista Guardian for Network Identity”. Pretty creative in my opinion.
While legacy NAC solutions are expensive and complicated to deploy, Arista has focused on simplicity while keeping AGNI scalable and secure.
For starters, AGNI offers the features you would expect of a modern cloud architecture: microservices, globally distributed high availability, and integration with multiple cloud providers and cloud directory services such as Okta and Azure.
- AGNI has multi-vendor support.
- It offers different connection options for network devices (switches and access points).
- All Arista switches and access points connect to AGNI using RadSec (RADIUS over TLS).
- Other vendors' switches and APs that support RadSec can also connect to AGNI directly.
What happens when a legacy device (switch/AP) does not support RadSec? Any Arista switch can act as a RadSec proxy. NOTE: I would like to point out that Bhagya Prasad mentioned a module that needs to be purchased if you want to use an Arista switch as a RadSec proxy.
AGNI is a cloud-based solution, so technical teams must understand what happens to their clients when cloud connectivity is lost to a circuit failure or degraded by latency. The Arista team explained Authentication Survivability: what happens when the WAN link goes down?
Note the light green check mark; these features are currently not available. I had a conversation with Sriram Venkiteswaran about these scenarios, and here are some of my notes to elaborate further:
- Distributed cache / smart control plane.
- The device the client was connected to last holds the cache.
- There is no central location for caching.
- Consider a user who was connected to AP#13 on the second floor when he closed his laptop.
- AP#13 will cache the key for 12 hours.
- When the device roams, this key is provided to the other access points (provided the user reconnects within the 12-hour window).
- NOTE: AGNI is scheduled to be GA around July.
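To make the survivability rules above concrete, here is an added Python model of a client, two APs and the cloud NAC. It is my own illustration, not Arista code. It assumes that the cloud is used whenever the WAN is up and the survivability cache is only consulted when it is down, that the 12-hour timer starts when the key is first cached and is not reset on a roam, and that the previous AP hands its entry to the new AP; the MAC addresses and key material are constructed.

```python
from dataclasses import dataclass, field

CACHE_TTL_SECONDS = 12 * 3600  # 12-hour cache lifetime quoted in the talk


@dataclass
class CloudNAC:
    """Stand-in for the cloud NAC. `authorised` is constructed sample data."""
    authorised: dict          # client MAC -> key material the NAC would hand out
    wan_up: bool = True       # models the campus WAN circuit to the cloud

    def authenticate(self, mac):
        if not self.wan_up:
            raise ConnectionError("cloud NAC unreachable")
        return self.authorised.get(mac)


@dataclass
class AccessPoint:
    name: str
    cache: dict = field(default_factory=dict)  # mac -> (key, time cached)

    def lookup(self, mac, now):
        """Return the cached key for `mac`, dropping it if older than the TTL."""
        entry = self.cache.get(mac)
        if entry is None:
            return None
        key, cached_at = entry
        if now - cached_at > CACHE_TTL_SECONDS:
            del self.cache[mac]
            return None
        return key


class Campus:
    def __init__(self, nac, aps):
        self.nac = nac
        self.aps = {ap.name: ap for ap in aps}
        self.last_ap = {}  # mac -> AP that served the client last (holds its cache)

    def connect(self, mac, ap_name, now):
        ap = self.aps[ap_name]
        if self.nac.wan_up:
            # Normal path: the cloud decides, and the serving AP caches the result.
            key = self.nac.authenticate(mac)
            if key is None:
                return "denied: not authorised"
            for other in self.aps.values():        # no central cache: only the
                other.cache.pop(mac, None)         # last-connected AP keeps a copy
            ap.cache[mac] = (key, now)
            self.last_ap[mac] = ap_name
            return "allowed: cloud"
        # Survivability path: WAN is down, so only cached keys can admit the client.
        key, source = ap.lookup(mac, now), ap_name
        if key is None:
            prev = self.last_ap.get(mac)
            if prev is not None and prev != ap_name:
                key = self.aps[prev].lookup(mac, now)
                if key is not None:
                    ap.cache[mac] = self.aps[prev].cache.pop(mac)  # entry follows the roam
                    source = prev
        if key is None:
            return "denied: WAN down and no cached key"
        self.last_ap[mac] = ap_name
        return f"allowed: cached key from {source}"


def scenario():
    """Replay the second-floor example: connect, WAN failure, roam, expiry."""
    laptop = "aa:bb:cc:00:00:13"                       # constructed MAC
    nac = CloudNAC(authorised={laptop: "key-material-constructed"})
    campus = Campus(nac, [AccessPoint("AP#13"), AccessPoint("AP#7")])
    h = 3600
    results = [campus.connect(laptop, "AP#13", 0)]     # cloud reachable
    nac.wan_up = False                                 # circuit failure
    results.append(campus.connect(laptop, "AP#7", 3 * h))    # roam within 12 h
    results.append(campus.connect(laptop, "AP#7", 11 * h))   # still within 12 h
    results.append(campus.connect(laptop, "AP#13", 13 * h))  # cache expired
    results.append(campus.connect("de:ad:be:ef:00:01", "AP#7", 1 * h))  # never seen
    return results


if __name__ == "__main__":
    for line in scenario():
        print(line)
```

The last two results are the cases a deployment team should plan for: a client that reconnects after the 12-hour window, and a client that was never authenticated while the WAN was up, are both denied until cloud connectivity returns.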
Logs, session details and debugging are crucial when troubleshooting issues, but running debug sessions on production systems can impact overall system performance. Since Arista AGNI is a cloud-based NAC solution, it can leverage the computing power available in the cloud to run these sessions without impacting system performance.
Each vendor has a solution that uses different PSKs for the clients. Arista calls it UPSK (Unique PSK). Arista UPSK comes in two flavors:
- Each client has its own passphrase.
- UPSK can be deployed with or without segmentation.
- A group of devices can use the same UPSK.
- Shared Client: if UPSK is isolating clients and you want to share a printer or a scanner, it can be marked as a shared client (think shared resources: printers, scanners, faxes, etc.). This allows other clients to communicate with the “Shared Device”.
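Here is an added Python sketch, my own and not Arista code, of how the two flavors and the shared-client flag interact as a reachability policy. It assumes that clients enrolled with the same UPSK form one segment, that a shared client is reachable from every segment, and that MACs that were never enrolled are simply not on the SSID; the MAC addresses and UPSK labels are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    mac: str
    upsk_id: str          # label of the UPSK the client enrolled with (constructed)
    shared: bool = False  # marked as a shared resource (printer, scanner, fax ...)


class UpskSsid:
    """One SSID on which every client authenticates with its own or a group UPSK."""

    def __init__(self, segmentation):
        self.segmentation = segmentation
        self.clients = {}

    def enroll(self, client):
        self.clients[client.mac] = client

    def can_communicate(self, mac_a, mac_b):
        a, b = self.clients.get(mac_a), self.clients.get(mac_b)
        if a is None or b is None:
            return False                 # not enrolled: not on the SSID at all
        if not self.segmentation:
            return True                  # flavor 1: unique keys, no isolation
        if a.upsk_id == b.upsk_id:
            return True                  # same UPSK -> same segment
        return a.shared or b.shared      # cross-segment only via a shared device

    def exposure(self, mac):
        """Clients that can reach `mac`; useful for auditing a shared device's reach."""
        return sorted(c.mac for c in self.clients.values()
                      if c.mac != mac and self.can_communicate(c.mac, mac))


def demo(segmentation=True):
    ssid = UpskSsid(segmentation)
    ssid.enroll(Client("02:00:00:00:00:01", "upsk-alice"))
    ssid.enroll(Client("02:00:00:00:00:02", "upsk-alice"))   # Alice's second device
    ssid.enroll(Client("02:00:00:00:00:03", "upsk-bob"))
    ssid.enroll(Client("02:00:00:00:00:10", "upsk-printer", shared=True))
    return {
        "alice_to_alice": ssid.can_communicate("02:00:00:00:00:01", "02:00:00:00:00:02"),
        "alice_to_bob": ssid.can_communicate("02:00:00:00:00:01", "02:00:00:00:00:03"),
        "bob_to_printer": ssid.can_communicate("02:00:00:00:00:03", "02:00:00:00:00:10"),
        "stranger_to_printer": ssid.can_communicate("02:00:00:00:00:99", "02:00:00:00:00:10"),
        "printer_exposure": ssid.exposure("02:00:00:00:00:10"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `exposure` helper is the check I would want before flagging anything as shared: with segmentation on, a shared printer is reachable from every segment on the SSID, so that flag is the one place where the isolation the feature provides is deliberately opened.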
WPA3 – UPSK Solution:
There was decent interest from the delegates and the online community in WPA3 support with UPSK. Arista mentioned that they were able to achieve this without downgrading to WPA2.
Arista has taken a creative approach and accomplishes this using SSO: every user gets their own portal to manage their devices. Here is a high-level diagram of the process.
For headless devices, users will need to log into the portal and add them manually.
Jatin Parekh and Robert Ferruolo presented an update on Arista WIPS. Previously, the legacy way to prevent clients from connecting to unauthorized APs or rogue APs that are not on the wire was to send deauth frames. WPA3 and Protected Management Frames (802.11w) make this impossible.
How is Arista doing this? It is part of CV-CUE, using the dedicated multi-function radio. Arista uses a different frame/parameters to force a target client to disassociate from an unauthorized WPA3 SSID. Further technical details are not available currently since the solution is patent pending. Robert did show a quick demo of WIPS in action disconnecting a WPA3 client.
All Arista access points come with a multi-function radio, which plays a vital role in root cause analysis and troubleshooting. It also plays a key role in WIPS. One feature of this radio is its ability to act as a client and perform end-to-end testing. I’d love to see this in action and test it out myself.
Arista Cognitive Campus Unified Wired + Wireless Architecture:
Kumar Narayanan presented the Campus Unified Wired and Wireless Architecture. What really sparked my interest during this presentation was the Arista APs' ability to terminate IPSec tunnels to any standard IPSec firewall.
The Arista C318 wall-plate access point is able to build an IPSec tunnel back to such a firewall and supports NAT. I can see this as an excellent use case for a small branch office and/or remote work.
My final thoughts and wish list:
Impressive presentation from team Arista and all the new features that were announced, particularly AGNI, WPA3/UPSK and WIPS. As I’ve gotten more familiar with the Arista story, here are a few things I’d love to see from Arista.
- An enterprise firewall solution, integrated with CV-CUE
- SD-WAN Solution integrated in CV-CUE
- Ability to search NAC logs
- Switch stacking
- Mesh and Point to Point connectivity configuration and easy deployment
- Outdoor 6E access point once AFC approval is complete.
Lastly, can I have one in black also? Thank you.