Arista’s campus networking story is better than you think.

If you haven’t yet had the chance, go check out Arista’s presentation at Mobility Field Day 8. Here’s a link to the playlist. Go ahead. I’ll wait. (Disclaimer: I was very much honored to be a delegate to this event and so you’ll see me in the videos rocking a beard situation that does need addressing.)

I’ll just come out and say it: I don’t think Arista did a great job of telling their story. There were a lot of things in the presentation that didn’t really seem relevant to wireless engineers (can I waterski on a data lake?) I’m going to give you my take on the parts of their story that I like and why I think it’s a great story for campus networking. Warning, this is a long one and depending how familiar you are with Arista and/or data center networking some of it may be things you already know.

Arista’s approach to campus networking is based on VXLAN and EVPN. I know, I know – folks hate being linked to RFCs but I’m going to give a VERY basic and high level overview for folks, especially wireless engineers, who may not have been exposed to these technologies.

VXLAN is a protocol that allows you to take a layer 2 frame, wrap it in a UDP packet, and send it across a layer 3 network, and then unrwap it. It lets you have a VLAN that is able to appear on multiple switches that don’t have links carrying that VLAN at layer 2. No 802.1q tagging. It is the breakout example of what “software defined networking” means.

The reasons this matters is that large L2/STP networks can be fragile. As I noted once at Airheads on a customer panel: There are two types of network engineers. Those whose networks HAVE BEEN taken down by spanning tree, and those whose networks WILL BE taken down by spanning tree. (When I dropped that hot take I had no idea that Keith Parsons was in the audience and listening to me.) VXLAN allows you to do all the things an L2 VLAN-based network does but it runs on top of a L3 network and your loop-free L3 network isn’t at risk of bridging loops (or spanning tree meltdowns).

EVPN uses Mutliprotocol BGP (MP-BGP) to act as the control plane for the network. (All that MP-BGP means is that it’s BGP that’s been enhanced to carry multiple “address families” namely IPv6, MPLS, and Ethernet VPN.) EVPN lets you use BGP to carry data about the VXLANs, MAC addresses, host routes, and anything you would need to transport an encapsulated ethernet frame from its source to its destination. The network that connects all of the switches together is called the “underlay” and the encapsulated traffic being transported is called the “overlay”.

This technology basically gives you a standards-based SDN solution for a campus. If your entire campus network is an underlay and your user traffic is in the overlay then you can do everything you would do with an L2 campus – you can have a VLAN in multiple buildings, etc – without the risks of a giant spanning tree network. VXLAN/EVPN scales better than any SDN technology I have seen and unlike other vendor-specific approaches to campus SDN it is all based on open standards. In theory one can mix and match vendors as needed. Even Cisco is talking about this SDN approach in the campus.

Arista has one of the strongest plays in this model. They have been doing VXLAN/EVPN networking for a very long time. Their hardware and software are built around it. You don’t need to search a feature sheet – everything they sell does it. And the simplicity of their product line makes it very easy to pick your building blocks. They don’t have “campus” switches and “data center” switches. They have switches with POE and then switches without POE. They had broad MACSEC (and now VXLANSEC) support. It’s a full featured product line that doesn’t overwhelm you with niche plays.

And now their APs speak VXLAN as well.

This is a very interesting solution to a common problem. Tunneling traffic is something that often has to happen in a wireless deployment. It is one way to handle guest traffic for example. We often use a tunneling protocol to backhaul guest traffic to where the security policy enforcement happens. If you’re running a Cisco network it’s likely to be CAPWAP with some sort of anchor controller. If you’re an Aruba customer it might be GRE. If you’re a Juniper customer it’s L2TPv3 with a Mist Edge. But these are all either proprietary or uncommon protocols. Arista is doing it with a common open protocol. I think that’s very cool. (Note, it’s just VXLAN – the APs are not running BGP although that would be pretty epic albeit unnecessary.)

There is one little caveat here regarding roaming. BGP scales but it doesn’t always converge as fast as we would like. The issue all depends on which EVPN-speaker the client’s AP is talking to. If you’re hopping from AP to AP and those APs are connected to the same switch you’re fine. It’s when we need to send out updates that a MAC address has moved from one switch to another switch that we can see latency because it happens via BGP updates and they aren’t always as fast as we would like. If a user is on a call, for example, they very likely will experience a “blip” of sorts. Depending on your environment that may be an edge case or it might be common.

By evolving their campus networking solution out of their data center networking origins Arista then can bring their “secret sauce” to the table. Their management and automation platform (CVP in all it’s various flavors) can automate building out these EVPN topologies for you. Their wired streaming telemetry works very well and CVP can ingest that for you and provide you with analysis. You can do all of this with open source tools and the open protocols that Arista supports but you don’t have to.

For example, even after all of this talk about campus SDN you don’t even have to do any of that – if you want to replicate a traditional controller-based architecture (at least as far as the data plane is concerned) you can. You just need a pair of Arista switches to terminate VXLAN tunnels on. Even their least-capable switch can handle 4,000 APs. And none of the switches between the APs and the tunnel termination switches need to be VXLAN aware and they can be from any vendor.

And I’ll be honest – I love their campus switches. The 720 is a solid 1RU POE switch but these days I just straight out prefer the 722. It has better configurations for AP deployments and you get MACSEC for just a tiny bit more. The 750 is a beast – 384 ports of mutli-gig ports with proper 100G uplinks (if needed). Even the 710 is fun and might be proper successor my beloved 3560CX-8XPD-S. (Although I wish it had 10G ports instead of 5G.)

That is the “story” I would love to hear Arista tell. They don’t try to lock in their customers with proprietary protocols and creating incompatibility. They win customers by building better products and letting you make your own choices. You can buy their hardware and never touch their software if you want. You can use parts of it that make sense for you and ignore parts that don’t. Their commitment to open standards is one of the reason I’m a fan.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.