MFD9 – Arista lights up their session with AGNI

Posted on by mali

Most of my Arista experience has been Data Center. However, I had the opportunity to explore Aristas campus and mobility side of the things for the first time during the Mobility Field Day 8 event. Two main things that caught my attention last time were MSSG and Live Trace. Since then, I have had a little more familiarity with their Cognitive Campus architecture, so seeing their name as one of the presenters, I was looking forward to their presentation and announcements.

Sriram Venkiteswaran (Director of Product Management) started the Arista presentation, “What’s New with Arista Cognitive Campus.

AGNI – Arista Guardian for Network Identity:

When I first heard that the Cloud NAC Solution from Arista is called “Agni”, my immediate thought was “Fire”; which is what the word “Agni” means in Sanskrit. My brain started to relate it with the Firewall icon that we normally see in topology diagrams. But it actually is an acronym for “Arista Guardian for Network Identity“. Pretty creative in my opinion.

While the legacy NAC solutions are expensive and complicated to deploy, Arista focused on simplicity while keeping it scalable and secure.

MFD9 – Arista AGNI

For starters AGNI offers all the features of a modern cloud architecture, such as Micro services and Globally distributed high availability, integration with multiple cloud providers and cloud directory services such as Okta, Azure etc.

  • AGNI has multi vendor support,
  • Offers different options for the devices (Switches and Access Points).
  • For all Arista switches and access points it will use RadSec.
  • For other vendors switches and APs that support RadSec AGNI can have a direct connection.

What happens when a legacy device (Switch/AP) does not support RadSec? Any Arista switch can act as a RadSec proxy. NOTE: I would like to point out that Bhagya Prasad mentioned a module that needs to be purchased to accomplish this if you are trying to use an Arista switch as a Proxy for RadSec.

MFD9 – Bhagya Prasad NR presenting Arista AGNI
MFD9 – Arista AGNI – Capabilities

AGNI is a cloud based solution, which means if there is no cloud connectivity due to a circuit failure and/or latency, technical teams must understand what will happen to their clients. Arista team explained Authentication Survivability. What happens when the WAN link goes down?

MFD9 – Arista AGNI Auth Survivability

Note the light green check mark; these features are currently not available. I had a conversation with Sriram Venkiteswaran on these scenarios and here are some of my notes to further elaborate:

  • Distributed cache/Smart control plane
  • Wherever the client was connected last will hold the cache
    • No central location for caching
    • Consider a user was connected to AP#13 on the second floor when he closed his laptop.
    • That AP#13 will cache the key for 12 hours
    • When device roams, this key will be provided to the other access points (provided, user reconnects within 12 hour time period)
  • NOTE: AGNI is scheduled to be GA approximately in July.

Logs, session details, debugging, are very crucial when troubleshooting issues, but running debugging sessions on production systems can impact the performance of an overall system. Since Arista AGNI is a cloud based NAC solution, it can leverage the computing power available in the cloud to run these sessions without impacting any system performance.

MFD9 – Arista AGNI Debugging
MFD9 – Arista presents AGNI

Arista UPSK:

Each vendor has a solution that uses different PSKs for the clients. Arista calls it UPSK (Unique PSK). Arista UPSK has two different flavors:

  • UPSK.
    • Each client will have their own passphrase.
    • UPSK Can be without segmentation or with segmentation
    • Group of devices can use the same UPSK
  •  Shared Client.
    • If UPSK is isolating clients and you want to share a printer or a scanner. It can be marked as a shared client (think shared resources, printers, scanners, faxes etc). This will allow other clients to communicate with this “Shared Device”.
MFD9 – Supara Dam discussing UPSKs

WPA3 – UPSK Solution:

There was decent interest from the delegates and the online community on WPA3 support with UPSK . Arista mentioned that they were able to achieve this without downgrading to WPA2.

Arista has taken a creative approach and accomplishes this using SSO, every user gets their own portal to manage their devices. Here is a high level diagram of the process.

MFD9 – Arista WPA3 UPSK with AGNI

For headless devices, users will need to log into the portal and manually add them in the portal.

MFD9 – Watch Arista AGNI and UPSK presentation

Arista WIPS:

Jatin ParekhRobert Ferruolo presented an updated on Arista WIPS. Previously, legacy way to handle and prevent clients connecting to unauthorized APs or rogue APs that are not on the wire was to send deauth frames. WPA3 and encrypted management frames (802.11w), makes this impossible.

MFD9 – Robert explaining Arista WIPs solution

How is Arista doing this ? It is part of the CV-CUE, using the dedicated Multi-function radio. Arista Uses a different frame/parameters to force a target client to disassociate from un-authorized WPA3 SSID. Further technical details are not available currently since the solution is patent pending. Robert did show a quick demo of WIPS in action disconnecting a WPA3 client.

MFD9 – Arista WIPS

Multi-function Radio:

All Arista access points come with a multi-function radio which plays a vital role towards the Root Cause Analysis and troubleshooting. It also plays a key role for the WIPS. One feature of this radio was its ability to act as a client and perform end to end testing. I’d love to see this in action and test it out myself.

MFD9 – Arista Multi Function Radio and AIOps

Arista Cognitive Campus Unified Wired + Wireless Architecture:

Kumar Narayanan presented Campus United Wired and Wireless Architecture. What really sparked my interest during this presentation was Arista APs ability to terminate IPSec tunnels to any standard IPSec firewall.

This wall plate access point from Arista C318 is able to build IPSec tunnel back, supports NAT. I can see this as an excellent use case for a small branch office and/or remote work.

MFD9 – Arista – Wi-Fi 6E 2×2 Wall Plate

My final thoughts and wish list:

Impressive presentation from team Arista and all the new features that were announced, particularly, AGNI, WPA3/UPSK and WIPS. As I’ve gotten more familiar with the Arista story, here are few things I’d love to see from Arista.

  • An enterprise firewall solution, integrated with CV-CUE
    • NOTE: I did see Edge Threat Management on their website that talked about the NGFW, but I am not familiar with the solution. I believe these are Arista NGFW devices.
  • SD-WAN Solution integrated in CV-CUE
  • Ability to search NAC logs
  • Switch stacking
  • Mesh and Point to Point connectivity configuration and easy deployment
  • Outdoor 6E access point once AFC approval is complete.

Lastly, can I have one in black also? Thank you.

MFD9 – Arista T Shirt
Category: Conferences and Meetings

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

WordPress SEO