Apstra: Networking by Intent

Peter Welcher
Architect, Operations Technical Advisor

I was excited going into the Networking Field Day (#NFD16) session with Apstra. Apstra did a great job presenting on Intent-Based Networking at #NFD13. (My prior blog about it: NFD13: Apstra’s Unique Approach to Networking.) And the NFD16 session matched expectations.

Networking Field Day

To quote my pre-NFD16 blog (not quite eating my own words): “Apstra is generating a lot of market attention. Plus, I’m convinced that most organizations looking to do SDN need to buy a ‘canned’ user-friendly supported solution or at least framework, not put together rough snippets of unmaintainable code. We don’t all have the time to be coders!”

I see the future as consisting of solutions such as Apstra, supporting the deployment and management of a component: a datacenter or campus fabric. We no longer configure devices; we configure and manage the entire datacenter fabric as one entity. And do operational management at the same time. (Early days: That’s one aspect I haven’t seen too much of, other than basic device/link up/down tracking.)

After listening to Apstra, I remain convinced: It’s helpful to be a scripter, coder, and know how to work with coding tools, but most of us just want a supported way to get the job done.

Apstra’s Potential

Let’s start with some humor — networking (and I?) can always use a smattering of humor. Apparently Apstra is a little miffed that they started talking about “Intent-Based Networking” and then the big companies’ marketing jumped in on the newest cool thing. So Apstra found a way to push back with humor about “intent washing.” Recommended amusement value.

I suppose Cisco could push back. It seems like Cisco IOS led to everyone having a “network OS” — in Apstra’s case, AOS, which is viewed as an intent-based <appropriate sound effect here> distributed OS for a datacenter network.

More seriously, here is Apstra’s definition of intent:

Besides treating the fabric as a single managed entity, the other thing that impresses me with Apstra is the hardware neutrality (Cisco, Juniper, Arista, Cumulus, other), portability, and simple maintenance. Yes, APIs are cool, as are Yang models. But every vendor has lots of them! If you like the saying “the best thing about standards is there are so many of them,” then Yang and APIs are standards x 100. Another thing I’d rather not spend my time with — each vendor’s API variant of “how to create a VLAN.” Almost as bad as the CLI variations?

After watching Veriflow at NFD16 talk about auto-intent verification, and thinking about some of what I do in network assessments with Cisco configurations, it’s become clear that there’s a lot that a good network model buys you. Knowing interface state (up/down, L2 or L3, access or trunk, portfast/portfast trunk, speed, duplex, trunk allowed VLANs, BPDU Guard, subnet mask consistency, etc.) provides the basis for some good consistency and state checks. Knowing about neighbors lets you check both ends of a link. Whether the link is L2 or L3, that’s very helpful (e.g., HSRP consistency). What I see in the field is entropy (increased randomness): A lot of discrepancies creep into configurations.

The tie-in to Apstra? They know the relationship, the intended connectivity and state. They can ascertain or specify a lot of the other state, and check consistency, either by configuring and ongoing verification, or periodic spot-checking, or both. Human fingers cause entropy. Apstra keeps fingers off the CLI. Win!

Apstra at NFD16

The NFD16 talks and demonstrations were great. The focus was different: Instead of the operator perspective, they showed the developer POV. There is a lot of power under the Apstra hood!

From my notes: “Quick new features … feature velocity … sustainable code.” GraphQL in action! Device model, Jinja, device configuration. State tracking via Pub/Sub. Agents work in parallel for scalability. I thought for quite a while about how to go over the demo content for this blog — there’s just no way (writing time, blog page count).

So, I’m going to just point you to the streaming videos of the demos. A couple of streaming videos save a thousand words!

I should mention that the Apstra team has some fun with what they’re doing. During the demo, the group realized Damien had coded a Slack plug-in for some CLI interaction with the development tools. The whole demo sequence was conceptually neat: How do we extend the Apstra standard framework?

What really stood out here was the rapidity, power, and flexibility of the development environment and tools.

Fresh Apstra!

As of Tuesday, Oct. 3, Apstra announced AOS 2.0 with new features. Right now, the announcement literature is all over the Apstra main web page. I’ll attempt to summarize, and leave the reader to forage for details if they so desire.

Summary of the announcement:

  • AOS™ 2.0
  • Underlay/overlay: VXLAN within and across racks
  • Run L2 apps on scale-out L3 fabric
  • Network operator transition to leaf/spine architecture
  • Autonomous network operations
  • Tagged interfaces, workloads assigned to VXLAN segment
  • Constant state validation, route validation
  • “Intent-based analytics” (coming)
  • RBAC, HTTPS, headless operation
  • Still vendor-agnostic
  • Agility

All good!

Closing Thoughts

I’m much impressed with Apstra (if you can’t tell). They’ve come a long way in a short time.

When Apstra has time to widen their product focus (i.e., wish list item!), I think I’d like to see a L3-based fabric for campus LAN networks (one or several buildings). Adding VXLAN overlay support might be a way to grow that, for those interested in or requiring larger L2 domains with the added stability of routed underlay. Perhaps a simpler/multi-vendor version of what Cisco’s SD-Access will provide?



Comments are welcome, both in agreement or constructive disagreement about the above. I enjoy hearing from readers and carrying on deeper discussion via comments. Thanks in advance!

Disclosure Statement
Cisco Certified 20 Years

Leave a Reply


Nick Kelly

Cybersecurity Engineer, Cisco

Nick has over 20 years of experience in Security Operations and Security Sales. He is an avid student of cybersecurity and regularly engages with the Infosec community at events like BSides, RVASec, Derbycon and more. The son of an FBI forensics director, Nick holds a B.S. in Criminal Justice and is one of Cisco’s Fire Jumper Elite members. When he’s not working, he writes cyberpunk and punches aliens on his Playstation.


Virgilio “BONG” dela Cruz Jr.

CCDP, CCNA V, CCNP, Cisco IPS Express Security for AM/EE
Field Solutions Architect, Tech Data

Virgilio “Bong” has sixteen years of professional experience in IT industry from academe, technical and customer support, pre-sales, post sales, project management, training and enablement. He has worked in Cisco Technical Assistance Center (TAC) as a member of the WAN and LAN Switching team. Bong now works for Tech Data as the Field Solutions Architect with a focus on Cisco Security and holds a few Cisco certifications including Fire Jumper Elite.


John Cavanaugh

CCIE #1066, CCDE #20070002, CCAr
Chief Technology Officer, Practice Lead Security Services, NetCraftsmen

John is our CTO and the practice lead for a talented team of consultants focused on designing and delivering scalable and secure infrastructure solutions to customers across multiple industry verticals and technologies. Previously he has held several positions including Executive Director/Chief Architect for Global Network Services at JPMorgan Chase. In that capacity, he led a team managing network architecture and services.  Prior to his role at JPMorgan Chase, John was a Distinguished Engineer at Cisco working across a number of verticals including Higher Education, Finance, Retail, Government, and Health Care.

He is an expert in working with groups to identify business needs, and align technology strategies to enable business strategies, building in agility and scalability to allow for future changes. John is experienced in the architecture and design of highly available, secure, network infrastructure and data centers, and has worked on projects worldwide. He has worked in both the business and regulatory environments for the design and deployment of complex IT infrastructures.