313 WAN Routing Techtorial 2024

The document provides an overview of Arista's WAN Routing and technical education options for resellers, emphasizing the importance of their Extensible Operating System (EOS) and merchant silicon in simplifying network architecture. It outlines various techtorial topics ranging from basic to advanced levels, focusing on routing, automation, and security. Additionally, it highlights the benefits of Arista's architecture in enhancing network reliability and scalability while maintaining a consistent automation model across platforms.

Arista WAN Routing

Content shared under NDA


partners.arista.com
Arista Channels NOW! Confidential. Copyright © Arista 2024. All rights reserved.
Disclaimer

This presentation contains confidential and proprietary Arista information and is intended to educate resellers on Arista product offerings. The development, release, and timing of any feature or functionality described is subject to change and remains at Arista's sole discretion.

Any information contained in this presentation regarding third parties has been
obtained from publicly available sources.

The intent of this presentation is for educational purposes only. Per Arista’s Partner
Agreement this NDA material cannot be shared externally, without written consent
from Arista.

Disclaimer: Slide Notes

Before we begin, please review this disclaimer. Arista does everything possible to ensure
all the information provided in this deck is accurate and up to date. Please do not share
any of this information outside your organization without Arista’s written permission.

Partner Technical Education Options

Learning path, from START to FINISH:

● Arista Technical Accreditation (ATA): baseline technical accreditation on Data Center, Campus & more
  https://learn.arista.com/local/learn/dashboard.php
● Technical Enablement (today’s focus): Arista technical education focused on the needs of our Channel Partners, run by Arista’s Channel SE team
● Virtual Arista Labs: see our products in action by using labs in our virtual environment
  https://labs.arista.com/
● Training & Certification: full curriculum of deep dive technical courses with Certification aligned with the content
  https://www.arista.com/en/support/hands-on-training

Partner Technical Education Options: Slide Notes

This learning module can be leveraged two ways:

1. as a pure learning module for a better understanding of Arista
2. as a training module for receiving Arista Technical Accreditation.

Techtorial Topics

100 Level (Basic)
● Arista Technology Differentiators
● Arista Extensible Operating System (EOS)
● Arista Data Center Switching Platforms
● Arista Campus Wired and Wireless Products
● Arista's Platform Licensing Simplified

200 Level (Intermediate)
● Arista Campus Architectures
● Arista CloudVision
● Arista Universal Cloud Architectures
● Arista Leaf Spine Topologies with Multi-Link Aggregation (MLAG)
● Arista CloudVision Studios

300 Level (Advanced)
● Arista Internet Peering
● VXLAN
● Arista Macro Segmentation Services Firewall MSS-FW Overview
● Arista WAN Routing
● Arista Guardian for Network Identity (AGNI)
● Arista DMF Edge Threat Management
● Arista Automation
● Network Detection and Response

Techtorial Topics: Slide Notes

The Pre-Sales techtorials are grouped by the level of technical depth:

● The 100 series presentations provide a basic understanding of Arista networking product and
solution offerings
● The 200 level dives deeper technically, discusses technical differentiators and explains how to
respond to common questions and objections
● The 300 series presentations are the most advanced and are intended to help you understand
sophisticated topics related to routing, firewalls, security threat detection/mitigation and
constructing automated workflows (configuration automation)

The 100-300 series covers innovations and best practices for:

● Data Center switching focusing on Leaf-Spine Architectures
● Enterprise class campus networks (leveraging data center and cloud architectures). This includes
wired and wireless technologies
● Deep Packet Analytics
● Automation
● Zero Trust Security
● Security Threat Hunting and Mitigation

Techtorials Learning Objectives

● EOS Routing Building Blocks
● Common Routing Use Cases
● Modern WAN Routing with SD-WAN
EOS Routing Building Blocks

EOS Routing Building Blocks
Simplification

EOS Routing Building Blocks: Slide Notes

The first building block in EOS Routing is Simplification.

The Layer 3 Leaf and Spine (L3LS) topology is the foundation of Arista’s Universal Cloud
Network Architecture. Legacy routing would isolate Data Center interconnects and Internet
connections through routers dedicated to each function. They would then connect into the
core switching environment, to the distribution switches, and finally down to the access
layer switches.

EOS Routing Building Blocks
Merchant Silicon

• Look at the routing market
  - The domain of the network vendor’s own in-house ASIC
  - Due to complexity of functionality and table scale requirements
• Lines are blurring with latest Merchant silicon
  - Jericho chipset design for routing deployments
  - Market leading performance and 100G/400G density
  - Internet scale, multiple encap, deep label stack, VoQ

Chart: Capability over Time, showing routing feature complexity converging with merchant silicon capabilities.

EOS Routing Building Blocks: Slide Notes

The second building block in EOS Routing is Merchant Silicon.

By adopting a merchant silicon approach to switch design, architects are now able to design networks
that have predictable traffic patterns, low latency, minimal oversubscription, and the flexibility to scale
without changing the overall architecture. Legacy designs often incorporated more than two tiers to
overcome density and oversubscription limitations.

For many years, network deployments for enterprise Internet-edge environments have
consisted of dedicated routing platforms and a switching or aggregation layer to distribute this to
various network zones.

Since 2012, merchant silicon has successfully followed Moore’s Law: throughput and density have
doubled every ~18 months, along with delivering more features and capabilities. This has reduced the
overall cost and power consumption per bit to now successfully deliver cost-effective 100G & 400G
hardware routing platforms.

EOS Routing Building Blocks
Extensible Operating System

A better architecture leads to a more reliable switch

• Linux kernel – Standard and fully open
• Agent – completely isolated processes
• NetDB – contains all state data
• Publish / Subscribe model
  - NetDB delivers state between all agents
• Hardware Abstraction
  - One binary for all hardware platforms

Key Benefits:
• Fault Isolation: no other processes or data plane impacted
• Fault Repair: immediately restart a failed agent
• ISSU: install RPMs, bug fixes, or field upgrades with no downtime
• Third-Party Integration: seamless integration with third-party tools
• One binary image for all platforms
EOS Routing Building Blocks: Slide Notes

The third building block in EOS Routing is Extensible Operating System.

The key to EOS benefits is its unique multi-process state-sharing architecture, consisting of multiple processes
interacting with a central shared-state repository called Sysdb (system database).

EOS derives its benefits from the essential characteristics of this architecture:
• Unmodified Linux kernel.
• Each switch function is in a separate address space, including each CLI session, each hardware device
driver, and each protocol daemon such as routing protocols, Spanning Tree, and LACP.
• State Separation: All processes in own user space.
• State in SysDB: publish-subscribe state sharing.
• No death-by-slow-memory-leak.
• Hardened for Cosmic Radiation: parity errors detection & correction.
• Programmable at all layers.
• User scripts for event changes.
• Integrates with NetOps & DevOps.
• Network services: applications built on EOS.

EOS Routing Building Blocks
From Single Device State Database to EOS Network Data Lake

Diagram, three stages, each fed by logs, SNMP, CLI, telemetry, APIs, flows, AAA and packets:
• Single Device State Database (NetDB): centralized in-memory state database on each EOS device, which has significantly improved network reliability and development.
• Network-Wide Centralized State Database (CloudVision): one database for ALL network state; platform for application and ecosystem development.
• EOS Network Data Lake (NetDL): one EOS, one data lake for all network state, packet, flow, and operational data, combining NetDB, packet, flow and identity data behind a single API surface for AVA AI-Assist, CV apps and third-party apps. Enables broad ecosystem value.

EOS Routing Building Blocks: Slide Notes

Rather than being optimized for transactions, NetDB is designed for synchronizing states among processes, also called
‘EOS agents’, by notifying interested agents when there is a state change.

Each EOS agent subscribes to NetDB to be notified when the state of other related agents changes within NetDB. When
a state change occurs within an agent, updates are then published to NetDB, which in turn notifies the subscribed
agents interested in the change. As state changes, not only are the subscribed agents notified; CloudVision also
receives the notification.

This centralized database approach to passing states throughout the system and the automated way the NetDB code is
generated reduce system overhead and simplify inter-process communication, significantly reducing risk and error. By
removing interprocess dependency and direct communication between agents, the architecture also improves software
feature velocity and quality and provides openness for customers wishing to build their own applications. Customers can
use the same in-built APIs to receive notifications from NetDB both for state visibility and feature customization.
Today, Arista combines NetDB with Packet, Identity and Flow Data for an EcoSystem called EOS Network Data Lake.
This rich data provides proactive and predictive monitoring, enabling prescriptive insights.
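As an added illustration of the publish/subscribe model the notes describe (my code, not EOS; NetDB's real API, the agent names and the state paths are not on the page, so the ones below are assumptions): a routing agent reacts to link-state changes published by an interface agent without ever talking to it directly, a telemetry subscriber observes every change the way CloudVision is described as doing, and a restarted agent rebuilds its view from the state already in the store.

```python
"""Toy publish/subscribe state store modelled on the NetDB description.
Added example, not Arista code; paths and agent names are assumptions."""
from typing import Callable, Dict, List, Optional, Tuple

Callback = Callable[[str, object, object], None]   # (path, old value, new value)


class StateDB:
    """Central state store: publish at a path, notify subscribers of that subtree."""

    def __init__(self) -> None:
        self._state: Dict[str, object] = {}
        self._subs: List[Tuple[str, str, Callback]] = []   # (prefix, subscriber, callback)
        self.log: List[Tuple[str, str]] = []               # (subscriber, path) deliveries

    def subscribe(self, prefix: str, subscriber: str, cb: Callback) -> None:
        self._subs.append((prefix, subscriber, cb))

    def unsubscribe(self, subscriber: str) -> None:
        self._subs = [s for s in self._subs if s[1] != subscriber]

    @staticmethod
    def _matches(prefix: str, path: str) -> bool:
        return prefix == "" or path == prefix or path.startswith(prefix + "/")

    def publish(self, path: str, value: object) -> int:
        """Store the value and fan it out; returns the number of notifications sent."""
        old = self._state.get(path)
        if old == value:
            return 0                      # unchanged state is not re-announced
        self._state[path] = value
        delivered = 0
        for prefix, subscriber, cb in list(self._subs):   # copy: callbacks may publish
            if self._matches(prefix, path):
                cb(path, old, value)
                self.log.append((subscriber, path))
                delivered += 1
        return delivered

    def snapshot(self, prefix: str) -> Dict[str, object]:
        return {p: v for p, v in self._state.items() if self._matches(prefix, p)}


class RoutingAgent:
    """Binds prefixes to interfaces; only ever reads and writes the state store."""
    STATIC = {"10.0.0.0/24": "Ethernet1", "10.0.1.0/24": "Ethernet2"}   # constructed config

    def __init__(self, db: StateDB) -> None:
        self.db = db
        # Recover from state already present: this is what lets a restarted
        # agent continue where the failed instance left off.
        for path, link in db.snapshot("intf").items():
            self._apply(path.split("/")[1], link)
        db.subscribe("intf", "Routing", self.on_intf)

    def on_intf(self, path: str, old: object, new: object) -> None:
        self._apply(path.split("/")[1], new)

    def _apply(self, intf: str, link: object) -> None:
        for prefix, via in self.STATIC.items():
            if via == intf:
                self.db.publish("route/" + prefix, intf if link == "up" else None)

    def fib(self) -> Dict[str, Optional[str]]:
        return {p.split("/", 1)[1]: v for p, v in self.db.snapshot("route").items()}


def run_demo() -> Dict[str, object]:
    db = StateDB()
    seen: List[str] = []
    db.subscribe("", "Telemetry", lambda path, old, new: seen.append(path))  # observes everything
    routing = RoutingAgent(db)
    db.publish("intf/Ethernet1/link", "up")
    db.publish("intf/Ethernet2/link", "up")
    fib_up = routing.fib()
    db.publish("intf/Ethernet1/link", "down")         # link fault -> route withdrawn
    fib_after_fault = routing.fib()
    db.unsubscribe("Routing")                         # simulate the agent crashing ...
    restarted = RoutingAgent(db)                      # ... and being restarted
    return {"fib_up": fib_up, "fib_after_fault": fib_after_fault,
            "fib_after_restart": restarted.fib(), "telemetry_paths": seen}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Note that the telemetry subscriber receives the route withdrawal as well as the link change, although the routing agent never addressed it: that is the decoupling the notes attribute to the publish/subscribe design.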

EOS Routing Building Blocks
Automation: Infrastructure as Code (IaC) - Network CI

• CLI: doesn’t scale, high risk for changes. No telemetry, no testing, just risk. EOS CLI focus.
• CLI + CV: automated changes, ZTP/ZTR, CLI config automation. CV focus.
• AVD + CV: Arista CI with the AVD model in CV; ACT testing reduces risk. Foundation and reference model AVD+CV. Integration engineering focus.
• Open CI + CV: full CI workflow, multi-vendor, PS intensive, open source. PS led focus.
• API/DIY: dedicated automation team, difficult to hire & maintain. Generally takes 25+ FTEs. EOS API (OpenConfig and eAPI) focus.

EOS Routing Building Blocks: Slide Notes

A key cornerstone to the success of Arista routing deployments is the ease of automation, service orchestration, and the
ability to provide proactive, cognitive, closed-loop network-wide visibility. These are complex software challenges that
are only amplified by traditional routing solutions which provide inconsistent APIs, OS architectures, and telemetry
models across a multitude of different hardware architectures.

Arista’s cloud-grade routing solution takes a unique approach: solving the problem by providing a single programmable
state-driven operating system (EOS) that is supported across all Arista platforms including the R-Series routing platforms.

This single EOS approach ensures consistent automation, service orchestration, and a state-driven telemetry model,
regardless of the platform or the platform’s role within the overall topology.

As the network evolves and grows over time and next-generation platforms are introduced into the solution, the
automation, service orchestration, and telemetry models remain consistent and new product onboarding is streamlined.

From “R” Series to CloudEOS and the “AWE” Platform

• AWE 5000: Secure Remote Site & Agg Edge (DPDK 1G to 100G*)
  - Low-density, remote/Agg Site; Internet route scale; IPsec with AutoVPN; CPE routing
  - 1G to 10Gbps ports; IPsec up to 50Gbps; throughput: 100Gbps
• 7020R: Service Edge (Fixed 1G-to-100G)
  - High-density, medium throughput; MPLS L2 & L3 VPNs; SR/RSVP traffic engineering
  - 1G/10G/25G to 100Gbps ports; max throughput: 1Tbps
• 7280R3: Service Edge (Fixed 10G-to-100G)
  - Internet route scale; MPLS L2 & L3 VPNs; SR/RSVP traffic engineering
  - 10G/25G to 100Gbps ports; max throughput: 4Tbps
• 7280R3A: Secure Service Edge & Core (Fixed 10G-to-400G)
  - Internet route scale; MPLS L2 & L3 VPNs; SR/RSVP traffic engineering; line-rate 100G/400G IPsec
  - 10G/25G to 400G ports; max IPsec: 21.6Tbps; max throughput: 21.6Tbps
• 7800R3A: Secure Service Edge & Core (Modular 10G-to-400G)
  - Internet route scale; MPLS L2 & L3 VPNs; SR/RSVP traffic engineering; line-rate 100G/400G IPsec
  - 10G/25G to 400G ports; max IPsec: 460Tbps; max throughput: 460Tbps

From “R” Series to CloudEOS and the “AWE” Platform: Slide Notes

With advances in merchant silicon forwarding engines and the software expertise put into Arista’s Extensible Operating
System (EOS), we can now fully replace this legacy architecture with a collapsed routing and switching layer using Arista
R Series platforms.

The 7020R is usually architected in the Site Service Edge: its ports support 1/10/25Gbps as well as two 100Gbps ports,
up to a total max throughput of 1Tbps to allow for future growth of bandwidth.

The 7280R3 is often seen in the Service Edge as it is scaled to handle Internet Routes. The platform has a max
throughput of 4Tbps and is fixed between 10Gbps and 100Gbps. Expanding off of that model is the 7280R3A with five
times the maximum throughput and line rates of up to 400Gbps. The “R” Series Platform is rounded out with the
7800R3A, which is a modular version of the 7280R3A.

Arista’s Routing Portfolio also includes a new AWE Series (Arista WAN Edge) hardware platform. In deployments where a
large number of ports are not required, AWE can be an ideal solution.

Finally, CloudEOS is a Virtual Router that can be installed in a container, as a VM, or natively in any cloud offering.

Enterprise Routing Modes
Operating Modes

AWE 5000 Series: Arista 5310 Routing System and Arista 5510 Routing System

Arista CloudVision Pathfinder Service
● Enables SD-WAN features across routed and standards-based WAN
● Simplifies traffic engineering and application awareness
● Automatically builds device configurations and deploys new systems and services

Traditional WAN Routing
● Multi Gig speed, small footprint router
● Lower-cost, CPU-based architecture
● Support for 50Gbps throughput with IPsec
● Full WAN protocol support with Arista EOS
● Branch CPE or low Gig speed CE router

Enterprise Routing Modes: Slide Notes

Arista WAN Edge, along with CloudEOS, can be deployed in two operating modes:
1. Traditional WAN Routing. This mode is CPU-based, so support is up to 50Gbps with IPsec (as
opposed to 400Gbps in the “R” Series).
2. Using CloudVision Pathfinder Service. This mode enables SD-WAN features and simplifies traffic
engineering. It automatically builds the device configurations and simplifies cloud presence.

Software Forwarding Architecture with x86
What is SFE / BESS / DPDK ?
● SFE stands for Software Forwarding Engine
○ Arista EOS Forwarding Agent for AWE-5000 and CloudEOS platforms.
● BESS is Berkeley Extensible Software Switch (open source)
○ Framework for development of packet processing software
○ Defines forwarding pipeline as a set of modules
● DPDK is Data Plane Development Kit (open source)
○ Managed by the Linux Foundation
○ Set of fast libraries for packet processing (C code) on x86, ARM, PowerPC
○ bessd links against DPDK
○ CPU always running at 100%
● BESS is used in conjunction with DPDK - BESS/DPDK
● In simple terms:
○ BESS provides the packet forwarding pipeline, just like the pipeline within an ASIC
○ DPDK provides a mechanism to use the pipeline, like SDK for the ASIC
○ SFE controls and executes I/O into pipeline, like the platform agents in other products (e.g., sand/strata)

Is SFE Fast?

• SFE can do packet forwarding at:
  - 5.2 Mpps per core
  - That’s 10X faster than kernel forwarding
  - To put that in perspective: at 1500 byte frames, a single CPU core can theoretically do L3 routing at 62.4 Gbps
  - At small packet sizes (64 bytes), that is much less impressive at 2.6 Gbps per core

• How is it so fast?
  - Runs in user-space (the kernel scheduler is bypassed by the Arista scheduler)
  - Follows a run-to-completion model
  - CPU cores dedicated to data plane forwarding always run at 100%

• Note: The general consensus among Linux networking stack developers is that hyperthreading leads to better overall performance.

EOS and Linux networking - SFE / bessd

CPU allocations: more threads for dataplane = more throughput!

Components      Total CPU Cores   Data-plane(*)   Control-Plane(*)
Arista 5310     8                 6               2
Arista 5510     20                16              4
CloudEOS        8                 6               2
CloudEOS        4                 3               1
CloudEOS        2                 1               1

The chart shows the number of CPU cores in various platforms, along with the number dedicated to
Data-Plane and Control-Plane functions.

Enterprise Routing Use Cases
Enterprise Routing – Common Use Cases

Diagram of six use cases:
• CPE Edge Routing (Remote & Agg Edge, DPDK 1G to 100G*): low-density remote site; CPE IP routing; Internet route scale; IPsec for encryption; DPS for AutoVPN. AWE 5000: 1G to 10Gbps ports, IPsec 1 to 50Gbps, throughput 100Gbps.
• Internet Peering Appliance: MPLS, public peering and private peering.
• Route Reflector.
• Site-to-Site VPN (IPsec) between Site and DC.
• VPN (IPsec) Concentrator: DC terminating tunnels from sites, campus and third-party devices.
• AutoVPN with DPS across Site, DC and Campus.

Enterprise Routing – Common Use Cases: Slide Notes

Common use cases include: Cloud Provider Edge Routing, Internet Peering, Route Reflector,
Site-to-Site VPN, VPN Concentrator, and AutoVPN with Dynamic Path Selection.

Internet Peering is an example where both the “R” Series and “AWE” Series could be a good fit, where
AutoVPN with DPS would be a better fit for the “AWE” Series or CloudEOS.

Use Case: Customer Provided Equipment Edge Routing

CPE Edge Routing: providing CE routing capabilities at the edge of the enterprise network.

The edge of the network is where external entities are connected. Edge computing environments operate successfully by having high throughput and fast speeds.

Diagram: CE routers at a large data center, a small data center / PoP, a branch DC and a branch campus, each connected to provider PE routers across MPLS.

Edge Router: Router at the edge of a Network

Diagram: Campus/Branch/Edge sites connect through a CE Edge Router (Network Edge) over LTE/5G, Internet and MPLS links, via carrier neutral transit hubs and a security overlay (Cloud and Telco Enabled WAN), to Cloud Services, SaaS services and the Data Center (Data, Apps, Services).

Edge Router: Router at the edge of a Network: Slide Notes

This diagram identifies where this type of routing occurs. The Network Edge accepts many different
connections, via multiple protocols to the Internet, or directly to other locations.

In this diagram, we are illustrating an Enterprise organization connecting to Internet providers. While
four different Internet links may seem to be overkill for some, we will use them for our discussion.

As of January 2024, there are almost 988,000 IPv4 and close to 203,000 IPv6 prefixes and this number
continues to grow.

This illustrates our first challenge in Internet Edge design: scale, to be able to handle this number of
routes and allow for future growth.

Use Case: Internet Peering

Internet peering with full Internet route scale.

Diagram: an Internet Peer Router at the edge of the enterprise topology with eBGP sessions to ISPs; the Internet feed is advertised by each peer, and traffic flows to the learned prefixes.
- ~988K IPv4 prefixes + ~203K IPv6 prefixes (Jan. 2024)
- (source: http://bgp.potaroo.net/)

Arista FlexRoute Engine
Enabling Internet IP Routing with lowest power footprint

Merchant Silicon with Arista Innovations
• Internet Routing table (with headroom)
• 2.5M+ Routes in hardware
• Lower power consumption

Arista EOS NetDB Evolution
• Hundreds of BGP peers
• Scales to millions of routes
• Faster convergence

FlexRoute enables switches to be deployed in Internet Edge Router scenarios
Arista FlexRoute Engine: Slide Notes
FlexRoute is an Arista hardware and software innovation. The Arista FlexRoute Engine is a
hardware-based routing engine that provides support for the full Internet routing table, in hardware,
with IP forwarding at Layer 3 and with sufficient headroom for future growth in both IPv4 and IPv6 route
scale to more than 2.5 million routes. It is a key enabler in calling Arista's 7500R3/7800R3 and 7280R3
Universal Spine and Leaf platforms “routers”.

The FlexRoute Engine is based on a patented algorithmic approach to building layer-3 forwarding
tables. This approach allows the engine to efficiently build and maintain large routing tables, even with
frequent updates. The engine also supports a variety of routing protocols, including BGP, OSPF, and
IS-IS.

The FlexRoute Engine offers a number of benefits, including:

● High scalability: The engine can support up to 2.5 million routes in hardware, with sufficient
headroom for future growth.
● High performance: The engine can build and maintain large routing tables efficiently, even with
frequent updates.

Arista FlexRoute

• Both hardware and software innovation:
  - EOS’ superior software architecture for programming tables
  - A more efficient way of doing L3 forwarding in hardware, requiring lower power and fewer transistors
  - A better way of programming hardware tables, extracting more out of the underlying silicon

• TCAM: entire table searched on every access. High power, low density.
• Trie: least amount of ‘active’ silicon; needs multiple lookups so can be inefficient.
• Third approach (column heading not captured): least amount of ‘active’ silicon; most efficient use of storage. Low power, high density.

Arista FlexRoute: Slide Notes

FlexRoute is an Arista innovation, which has allowed our platforms to scale to this level and enables us
to better utilize available hardware resources. It is innovations such as this that keep Arista in the lead
with respect to Internet-scale routing in merchant silicon.

On the hardware side, FlexRoute performs longest-prefix-match (LPM) Layer 3 lookups for IPv4 and
IPv6 as part of the ingress packet processing.

● TCAM (Ternary Content Addressable Memory): Search the table in a single lookup cycle. Fast and
flexible lookup but high power & low scale. Low density. TCAM takes significant silicon space.
● Using trie is one solution to find the longest match prefix. Trie is a data structure whose nodes
have a part of the prefix. LPM (Longest Prefix Match) table has all prefix-lengths (/0 to /128)
non-host routes. Trie Search often has multiple lookups so can be inefficient.
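To make the TCAM-versus-trie trade-off concrete, here is an added example (my code, not Arista's FlexRoute algorithm, whose patented approach is not described on the page): a linear scan that compares an address against every entry, which is what a TCAM does in parallel in one cycle, beside a binary trie whose lookup walks one bit per level and remembers the last node that carried a route. The trie reports how many nodes each lookup touched, which is the "multiple lookups" cost the notes mention. The sample routes are constructed, and the example covers both IPv4 and IPv6 (one trie root per family).

```python
"""Longest-prefix match two ways: linear scan (TCAM-style) and binary trie.
Added example, not Arista code; the route table below is constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]   # (prefix, next hop)

ROUTES: List[Route] = [
    ("0.0.0.0/0", "isp-a"),
    ("10.0.0.0/8", "core"),
    ("10.1.0.0/16", "site-b"),
    ("10.1.128.0/17", "site-b-east"),
    ("192.0.2.0/24", "dmz"),
    ("2001:db8::/32", "v6-core"),
    ("2001:db8:1::/48", "v6-site-b"),
]


def lpm_linear(table: List[Route], address: str) -> Optional[Route]:
    """Compare against every entry and keep the longest match. A TCAM does
    this in parallel in one cycle, at the cost of every entry being 'active'."""
    ip = ipaddress.ip_address(address)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version != ip.version or ip not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None


class TrieNode:
    __slots__ = ("child", "route")

    def __init__(self) -> None:
        self.child: List[Optional["TrieNode"]] = [None, None]
        self.route: Optional[Route] = None   # set when a prefix ends at this node


class LpmTrie:
    """Binary trie with one root per address family; a /0 lives at the root."""

    def __init__(self) -> None:
        self.roots: Dict[int, TrieNode] = {4: TrieNode(), 6: TrieNode()}

    def insert(self, prefix: str, next_hop: str) -> None:
        net = ipaddress.ip_network(prefix, strict=False)
        bits = int(net.network_address)
        node = self.roots[net.version]
        for i in range(net.prefixlen):            # descend one bit per level, MSB first
            b = (bits >> (net.max_prefixlen - 1 - i)) & 1
            if node.child[b] is None:
                node.child[b] = TrieNode()
            node = node.child[b]
        node.route = (str(net), next_hop)

    def lookup(self, address: str) -> Tuple[Optional[Route], int]:
        """Return (best route, nodes visited). Each visit is a dependent memory
        read in a hardware trie, versus a single parallel compare in TCAM."""
        ip = ipaddress.ip_address(address)
        node = self.roots[ip.version]
        best, visits = node.route, 1
        for i in range(ip.max_prefixlen):
            b = (int(ip) >> (ip.max_prefixlen - 1 - i)) & 1
            node = node.child[b]
            if node is None:
                break                             # no longer prefix exists on this path
            visits += 1
            if node.route is not None:
                best = node.route                 # longest match seen so far
        return best, visits


def build_trie(table: List[Route]) -> LpmTrie:
    trie = LpmTrie()
    for prefix, next_hop in table:
        trie.insert(prefix, next_hop)
    return trie


def compare(table: List[Route], addresses: List[str]) -> Dict[str, Tuple[Optional[Route], int]]:
    """Run both methods on each address and fail loudly if they ever disagree."""
    trie = build_trie(table)
    out: Dict[str, Tuple[Optional[Route], int]] = {}
    for addr in addresses:
        route, visits = trie.lookup(addr)
        if route != lpm_linear(table, addr):
            raise AssertionError(f"LPM mismatch for {addr}")
        out[addr] = (route, visits)
    return out


if __name__ == "__main__":
    sample = ["10.1.200.5", "10.2.3.4", "203.0.113.9", "2001:db8:1::7", "2001:db8:2::1"]
    for addr, (route, visits) in compare(ROUTES, sample).items():
        print(f"{addr:>16} -> {route} after {visits} trie node visits")
```

The visit count is what a hardware trie has to pay in sequential memory accesses; a /17 match costs 18 node reads here, while the TCAM-style scan touches every entry but does so in one step.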

Internet Route Scale Requirements

Chart: Internet Growth vs. Growth of Arista Silicon FIB (source: https://labs.apnic.net/?p=1195)

Future-Proofed Routing Scale
● One million routes in 2021, beyond the scope of legacy systems
● 5G and IOT drives address increase
  ○ Full Internet table to exceed 1.5M entries in 2024
  ○ 2M+ routes required for next generation peering solutions
● Arista R3K-Series L3 Profile supports 2.5M IPv4/v6 routes

Arista R3-Series provides Internet full table route capacity

Internet Route Scale Requirements: Slide Notes

The total route resource is the IPv4 prefixes + 2x IPv6, as v6 requires 2 entries per prefix.

Let’s take a quick look at how the Internet is scaling over time and what the requirements are likely to
be over time in order to be able to support this type of scale.

Internet peering edge: large IP tables are required; high-density low-cost Ethernet to accommodate
high-speed connectivity to external networks.

Arista hardware is already capable of supporting 2.5 million routes in the forwarding plane and 15
million in the control plane.

It is here that one of Arista’s innovations in terms of software engineering has allowed our platforms to
scale to this level with the development of FlexRoute, which enables us to better utilize available
hardware resources.

Use Case: Site to Site Encryption

Interconnect a small number of sites using static point-to-point IPsec tunnels.

Diagram: 7280R3 routers at the Data Center, Campus and Branch, with Cloud and other DCs; MACsec with IPsec over the DCI between data centers, and IPsec tunnels over Internet or MPLS (MPLS/Internet independence) between the Branch, Campus and DC. Sites are labelled Independence and Council Bluffs.

Use Case: Site to Site Encryption: Slide Notes
Why IPsec?
- Confidentiality: only sender and receiver can read the data
- Integrity: no one can modify the data (hashing algorithm). Sender and receiver can detect if data
have been altered
- Authentication: sender and receiver will authenticate each other
- Anti-replay: with sequence number, IPsec will not transmit any duplicated packet. Sender and
receiver can reject old or duplicate packets to defeat replay attacks
- Interoperable: IPsec is a well-established standard, compatible with nearly anything that connects
to the Internet.
IKE Phases: separate negotiation from transport
- IKE phase 1: ISAKMP tunnel or IKE phase 1 tunnel
≫ negotiation between sender and receiver (authentication, encryption, etc.)
≫ Security Association (SA)
- IKE phase 2: IPsec tunnel
≫ Used for data transport
≫ Authentication Header (AH)
≫ Encapsulating Security Payload (ESP)
≫ Tunnel (use new IP header) or transport mode (use original IP header)
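The anti-replay bullet describes what the receiver does with the sequence number; as an added example (my code, not Arista code or EOS configuration), the following models the RFC 4303 Appendix A sliding window that implements it, including the rule that a packet which fails its integrity check must not advance the window. The sequence numbers and the packet stream are constructed.

```python
"""ESP anti-replay sliding window (RFC 4303 Appendix A). Added example,
not Arista code; the inbound packet stream is constructed."""
from typing import List, Tuple


class AntiReplayWindow:
    """Receiver state for one inbound SA. `top` is the highest sequence number
    accepted so far; bit i of `bitmap` records whether (top - i) was accepted."""

    def __init__(self, size: int = 64) -> None:
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check(self, seq: int) -> Tuple[bool, str]:
        """Cheap pre-check done before the integrity (ICV) verification."""
        if seq == 0:
            return False, "sequence number 0 is never valid"   # first packet on an SA is 1
        if seq > self.top:
            return True, "new high"
        offset = self.top - seq
        if offset >= self.size:
            return False, "outside window (too old)"
        if (self.bitmap >> offset) & 1:
            return False, "replay"
        return True, "inside window, unseen"

    def update(self, seq: int) -> None:
        """Mark seq as accepted; called only after the ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            mask = (1 << self.size) - 1
            # slide the window forward; anything that falls off the left edge is forgotten
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def process(window: AntiReplayWindow, packets: List[Tuple[int, bool]]) -> List[Tuple[int, str]]:
    """packets = (sequence number, ICV verified?). Returns the decision per packet."""
    decisions: List[Tuple[int, str]] = []
    for seq, icv_ok in packets:
        ok, why = window.check(seq)
        if ok and not icv_ok:
            ok, why = False, "integrity check failed"   # a forged packet never moves the window
        if ok:
            window.update(seq)
        decisions.append((seq, "accept" if ok else "drop: " + why))
    return decisions


# Constructed stream: reordering (5 before 3 and 4), a replay of 2, a forged 4
# followed by the genuine 4, a jump to 200, a late-but-in-window 150, a stale 100.
PACKETS: List[Tuple[int, bool]] = [
    (1, True), (2, True), (5, True), (3, True), (2, True), (4, False), (4, True),
    (200, True), (150, True), (100, True), (200, True), (0, True),
]


def demo() -> List[Tuple[int, str]]:
    return process(AntiReplayWindow(size=64), PACKETS)


if __name__ == "__main__":
    for seq, decision in demo():
        print(f"seq {seq:>4}: {decision}")
```

Two details matter operationally: reordered packets inside the window are still accepted (3 and 4 after 5), so the window does not force in-order delivery, and a packet that fails its ICV leaves the window untouched, so an attacker cannot use forged packets to push legitimate traffic out of the window.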

Use Case: Route Reflector

High scale (16M) route reflector deployment for SP backbone or DC EVPN deployment.

Diagram: an SP backbone network (AS1) of PE and P routers, shown without a Route Reflector (a full mesh of iBGP sessions) and with a Route Reflector (each router has an iBGP session only to the Route Reflector).

Use Case: Route Reflector: Slide Notes

To understand what a Route Reflector does, let’s first look at how BGP peering works. Each
BGP router creates an iBGP Session to every other router, creating a full mesh. As an
environment grows, the control plane overhead grows exponentially as well. This is where the
BGP Route Reflector comes in.

A Route Reflector reduces the number of iBGP Sessions as each router now only has to speak
to the Route Reflector, rather than to individual BGP peers. It can be thought of as a manager
and distributor of routes.

Use Case: Route Reflector

High scale (16M) route reflector deployment for SP backbone or DC EVPN deployment.

Diagram: the same SP backbone network with an RR; PE routers in the cluster are marked Client and routers outside the cluster are marked Non-Client.

Use Case: Route Reflector: Slide Notes

Routers that are part of the Route Reflector Cluster are called Clients.

The Clients only have an iBGP session to the RR (Route Reflector).

Routers that are not part of the Cluster are called Non-Clients.

Non-Clients still form mesh links to each other, but only have to create an iBGP session to the RR in the
Cluster, not each Client in it.
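As an added example (my code, not Arista code), the following works through the session-count argument from the previous slide's notes and the reflection rules for clients versus non-clients described here, as standardised in RFC 4456, including the CLUSTER_LIST check a reflector applies so that a route it reflected cannot loop back through it. The router names, the cluster id and the route are constructed.

```python
"""iBGP session counts with and without a route reflector, plus the RFC 4456
reflection and loop-prevention rules. Added example, not Arista code."""
from typing import Dict, List, Optional, Set, Tuple


def full_mesh_sessions(routers: int) -> int:
    """Every iBGP speaker peers with every other one: n(n-1)/2 sessions."""
    return routers * (routers - 1) // 2


def rr_sessions(clients: int, non_clients: int, reflectors: int = 1) -> int:
    """Clients peer only with the reflector(s); non-clients and reflectors
    still form a full mesh among themselves."""
    return clients * reflectors + full_mesh_sessions(non_clients + reflectors)


class RouteReflector:
    def __init__(self, cluster_id: str, clients: Set[str], non_clients: Set[str]) -> None:
        self.cluster_id = cluster_id
        self.clients = set(clients)
        self.non_clients = set(non_clients)

    def targets(self, source: str) -> Set[str]:
        """RFC 4456 section 6: a route from a client goes to all other clients
        and all non-clients; a route from a non-client goes to clients only."""
        if source in self.clients:
            return (self.clients | self.non_clients) - {source}
        if source in self.non_clients:
            return set(self.clients)
        raise ValueError(f"{source} is not an iBGP peer of this reflector")

    def reflect(self, route: Dict[str, object], source: str) -> Tuple[Optional[Dict[str, object]], Set[str]]:
        """Stamp ORIGINATOR_ID / CLUSTER_LIST and pick the recipients. A route
        whose CLUSTER_LIST already carries our cluster id has looped: drop it."""
        cluster_list: List[str] = list(route.get("cluster_list", []))  # type: ignore[arg-type]
        if self.cluster_id in cluster_list:
            return None, set()
        out = dict(route)
        out.setdefault("originator_id", source)      # set once, by the first reflector
        out["cluster_list"] = [self.cluster_id] + cluster_list
        return out, self.targets(source)


def demo() -> Dict[str, object]:
    clients = {f"PE{i}" for i in range(1, 10)}       # nine PE clients (constructed)
    non_clients = {"P1", "P2"}                       # two routers outside the cluster
    rr = RouteReflector("1.1.1.1", clients, non_clients)
    route = {"prefix": "10.20.0.0/16", "next_hop": "PE1"}   # constructed route
    reflected, sent_to = rr.reflect(route, "PE1")
    looped, looped_to = rr.reflect(reflected, "P1")  # the same route coming back via P1
    return {
        "full_mesh_12": full_mesh_sessions(12),      # 9 clients + 2 non-clients + the RR itself
        "rr_one": rr_sessions(9, 2, 1),
        "rr_two": rr_sessions(9, 2, 2),              # redundant reflector pair
        "from_client": sent_to,
        "from_non_client": rr.targets("P2"),
        "reflected": reflected,
        "looped_dropped": looped is None and not looped_to,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With twelve routers the full mesh needs 66 sessions and a single reflector reduces that to 12; adding a second reflector for redundancy costs 24, still far below the mesh, which is the scaling argument behind deploying an RR for an SP backbone or DC EVPN fabric.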

Use Case: AutoVPN

AutoVPN with DPS: interconnect a large number of sites using auto discovery, multipoint to multipoint VPN with encryption.

Diagram: Auto-VPN overlay providing automatic device discovery, IPsec management and customer networks; an RR cluster (RR, RR) over the overlay; DC, Campus and Branch sites (Edge-1 ... Edge-n) attached over Internet, MPLS-1 and MPLS-2 transports.

47 Arista Channels NOW! Confidential. Copyright © Arista 2024. All rights reserved.
Use Case: AutoVPN (Slide Notes)

Providing encryption at scale across numerous sites presents a major challenge with regard to scaling key exchange, dynamically on-boarding new sites, and optimizing the available bandwidth at each site. Arista AutoVPN with DPS is a next-generation AutoVPN solution designed from the ground up to support scalable, automated multipoint-to-multipoint IPsec tunnels with application and bandwidth awareness.

AutoVPN with BGP: the major challenge when building an IPsec infrastructure at scale is scaling the key exchange; a naive mesh of n sites needs a full IKE negotiation between every pair of sites. The Arista AutoVPN solution addresses this scaling and operational challenge by using a standards-based BGP control plane. Secure EVPN with resilient route reflectors (RR) acts as the centralized controller within the architecture for key distribution, while the IPsec tunnels themselves remain site to site. Each site only establishes a secure signaling channel (IKE phase 1) with the RR nodes and runs a BGP session over this secure channel; over that session it distributes its own IPsec keying material and learns that of its peer sites, which allows IKE phase 2 negotiation directly between sites. Because the RRs are the distribution point for keying material, the IKE phase 1 authentication of a site to the RR cluster is what admits it to the overlay; the RR nodes should be treated as a trust anchor and protected accordingly.

AutoVPN uses a BGP Route Reflector (RR). The RR is plain Arista EOS, with no hardware-specific binary: it can run on CloudEOS (VM) or on any Arista AWE 5000 series platform.

Use Case: AutoVPN (Slide Notes)

AutoVPN ensures:
- Manual or automatic device discovery, running the DPS data plane
- IPsec tunnel autoconfiguration, with secure keying material creation and rotation
- Connectivity between customer VRFs and networks

It is all about standards for network engineers!

- STUN service (discovery of public addresses behind NAT)
- BGP route-reflector model
- Standardized BGP address families
≫ Path-selection
≫ Secure EVPN
Use Case: VPN Concentrator

[Slide 50 diagram: a Data Center 7280 with IPsec acting as VPN Concentrator, terminating tunnels from Branch, Campus, SOHO and Partner sites; the remote ends are third-party routers, Micro Edge devices or other IPsec endpoints. Caption: IPsec tunnel termination with a high-scale number of tunnels, each with low throughput; the remote endpoint could be any third-party IPsec device.]
Use Case: VPN Concentrator (Slide Notes)

VPN Concentrators are a standard, proven concept with a long history. In the Arista Routing use case, the router terminates IPsec VPN tunnels from any of the “R” Series, “AWE” Series, CloudEOS or even third-party software: many tunnels, each with relatively low throughput.

This is commonly used in Branch, Campus, Small or Home Office settings, or for integration with other business partners.

Visibility with CloudVision
[Slide 52: section divider]

Arista CloudVision
[Slide 53: image only, no text extracted]

Modern WAN - SDWAN
[Slide 54: section divider]
Modern WAN Routing Architecture

[Slide 55 diagram: a Campus router (Eth1 IP 11, Eth2 IP 12, Eth3 IP 13; 172.16.0.0/16) and a Datacenter router (Eth1 IP 21, Eth2 IP 22, Eth3 IP 23; 172.17.0.0/16) connected over three transports: MPLS, Internet and P2P fiber.]

Traditional WAN routing:
• Non-application aware
• Load-balancing: active/standby, PBR
• Non-bandwidth aware
• Path telemetry: none, or IP SLA probes

Modern WAN routing needs:
• Path selection based on end-to-end application needs
• End-to-end traffic segmentation
• Load-balancing across multiple paths
• Encrypted traffic wherever needed (e.g. Internet)
• Bandwidth aware
Modern WAN Routing Architecture (Slide Notes)

Traditional WAN routing sent packets from point A to point B: every packet was forwarded with the same weighting and priority, regardless of which application generated it. Routing decisions could not weigh the available bandwidth and latency of the WAN connections to ensure the best quality of service.

As technology progressed, it became clear that a lot more information can be used to manage WAN traffic more effectively. This brings us to Software-Defined WAN, or SD-WAN.

Today’s modern WAN routing is specifically engineered to route based on an application’s needs. Routing systems can segment traffic and load-balance across multiple paths.

Traffic is encrypted where it crosses untrusted transport such as the Internet, and the system considers the bandwidth of each segment to ensure bandwidth-intensive applications are able to perform as expected while latency-sensitive applications are not impacted by poorly performing links.

https://www.arista.com/en/cg-veos-router/veos-router-dynamic-path-selection

Dynamic Path Selection (DPS)

• Path
- A “path” represents a pair of interfaces (or their IP addresses): a source interface and a destination interface through which traffic can flow from site to site.
• Path-Group: a collection of paths with their characteristics:
- “static” or “dynamic” paths
- which paths are valid among the available paths
- specific policies applied to all members of a path group, such as:
≫ apply encryption for all Internet paths
≫ load-balance policy
• DPS/VXLAN interfaces
- The DPS interface is the “glue” between the “private VTEP IP” and the WAN physical interfaces
- The VXLAN interface handles the router’s “private” IP (never announced by default)
• Policies: applied to a path group
- Application: application identification via a Deep Packet Inspection engine
- Load balancing: latency, packet loss and jitter all affect link quality

[Slide 57 diagram: two CloudEOS devices, each with a VXLAN interface Vx1 (VTEP-IP) and a DPS interface Dps1 in front of three WAN interfaces; WAN interfaces IP11/IP21 on MPLS, IP12/IP22 and IP13/IP23 on the Internet via ISP-1, ISP-2 and ISP-3. The DPS “private” network is overlaid on these paths.]

Path groups and their member paths:

Path-Group            | Paths
----------------------|------------------------------------------------
MPLS (non-encrypted)  | IP11 -- IP21
INTERNET (encrypted)  | IP12 -- IP22, IP12 -- IP23, IP13 -- IP23, IP13 -- IP22
Dynamic Path Selection (DPS) (Slide Notes)

A key principle in modern WAN routing is Dynamic Path Selection, or DPS. It enables dynamic route changes based on changes to link attributes: jitter, latency, load, packet loss, and so on.

In the Arista EOS model, DPS consists of four items. The first is a “Path”. A Path is the link between two interfaces or IPs, one being the source and the other the destination. The path is the route traffic will take between these endpoints.

“Path Groups” are collections of Paths that share the same characteristics. For example, Internet-facing links may all be grouped together while MPLS links are placed in a different Path Group, so that a policy such as “encrypt everything on the Internet path group” applies to all of them at once.

The third facet is “DPS/VXLAN Interfaces”. Virtual eXtensible Local Area Network (VXLAN) is a framework for overlaying virtualized layer-2 networks over layer-3 networks. VXLAN encapsulates a MAC frame for transport across an IP network, creating a tunnel between two tunnel endpoints or VTEPs (VXLAN Tunnel Endpoints). In the SD-WAN solution, the DPS interface binds the private-side VTEP to the WAN’s physical interfaces, while the VXLAN interface carries the router’s private IP. This creates an overlay on the WAN that contains the “private” network traffic; the private VTEP address is not announced to the transport by default.

The last aspect is Policies, which define how traffic is managed. Using DPI (Deep Packet Inspection), the system identifies the application generating the traffic and then determines how that application’s traffic should be routed. Path Groups can also be load-balanced using Policies. Thresholds determine which paths are viable or most efficient: low latency, low packet loss, and low jitter can be set as the favorable conditions for a given Path or Path Group. Isolating different types of traffic lets the administrator establish the right quality of service for each.

CloudVision Pathfinder

[Slide 59 diagram: a shared WAN connecting Campus, Branch, DC and Cloud Services, with Sales and Guests as example user groups.]

Environment Isolation: separating different environments for multiple business groups on a shared WAN infrastructure.

Tenants: creating unique Tenants for variable business environments and organizations (e.g. Business Group 1, Business Group 2, Guest Network), each spanning Campus, Branch, DC and Cloud Services.

Adaptive Virtual Topologies (AVTs): within a Tenant, use AVTs to further define the application and traffic-engineering requirements for different applications:
• Voice AVT: full mesh, lowest latency, DSCP 46
• Critical App AVT: hub/spoke, firewall for compliance, best performing path with cloud transit as backup
• Guest Network AVT: best effort, access the Internet locally (save WAN bandwidth)
CloudVision Pathfinder (Slide Notes)

Arista’s SD-WAN product is called Pathfinder, and this diagram lays out the main principles in its architecture and decision-making process.

The first step is to separate the network environment into different groups, such as Guest or Employee traffic; each group becomes its own Tenant.

The business side may want to be segmented into multiple business groups such as Developers, Executive, and Staff. It could also be Employees and Contractors, or simply left as a single segment. Within each of these will be one or more AVTs, or Adaptive Virtual Topologies.

These take the business environments that were segmented and break them down further into virtual topologies per application class, such as Teleconferencing, Voice, or Critical Applications, each with its own path-selection requirements.

Optimizing User & Application Experience with Transit Hubs

Application Experience: critical real-time call-center applications need to be delivered on the lowest-latency link to deliver the best operator and client experience.

Reliability: during a network outage or performance degradation, traffic needs to be rerouted for a better experience.

• CV Pathfinder uses INT to determine the best performing path throughout the network and automatically traffic-engineers the virtual topology.
• CV Pathfinder computes the path proactively to react quickly to network changes.
• The transit router uses FRR (Fast-ReRoute) for middle-hop or link failures.

[Slide 61 diagram: Call Center (California) to Data Center (Ashburn) with three candidate paths: Cloud Transit Backbone, latency 36 ms; Internet via US-West and US-East Transit Hubs, latency 45 ms; Private MPLS, latency 75 ms. A further 32 ms segment is marked on one leg.]
Optimizing User & Application Experience with Transit Hubs (Slide Notes)

Optimizing traffic takes into consideration both the Application Experience and Reliability. Application experience ensures that each application uses a path which meets the minimum requirements for optimal use. Reliability ensures that alternate paths are taken when the preferred path is unavailable or degraded.

CloudVision Pathfinder continuously monitors the telemetry and makes decisions based on this data. In this diagram, packets from the Call Center going to the Data Center have multiple path options. The Cloud Backbone is one path and has a latency of 36 ms. Using a Transit Hub across something like Equinix, we may see 45 ms latency, and on a private MPLS circuit, 75 ms. If packets are routed based on a policy that only considers latency, Pathfinder would use the Cloud Transit Backbone path. Other factors could be defined, e.g. available bandwidth, jitter, or packet loss on each path. Certain paths could even be defined as preferred, prioritizing their use regardless of other conditions. In the use case illustrated here, one connection may be metered, increasing costs when it is used; that connection could be allowed, but set with a lower preference so it is used sparingly, for example only when every other path fails its thresholds.

CloudVision Pathfinder’s adaptive, intelligent path selection makes it ideal for modern WAN routing requirements.
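The path-selection logic described in the DPS slide notes and in the transit-hub example above, as an added worked example in Python (illustrative code written for this page, not Arista's implementation or CLI): paths carry probe telemetry, an AVT policy states which path groups it may use and its latency/loss/jitter thresholds, and the selector picks the best compliant path, preferring unmetered links and falling back to the least-bad allowed path when no path meets its SLA. The 36/45/75 ms latencies come from the slide; the loss and jitter values, the metered flag on the MPLS path, the path-group names and the thresholds are constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Path:
    """One site-to-site path with its latest probe results."""
    name: str
    path_group: str        # "INTERNET" or "MPLS", as on the DPS slide
    latency_ms: float
    loss_pct: float
    jitter_ms: float
    metered: bool = False  # assumption: usage-billed transport, allowed but deprioritised


@dataclass(frozen=True)
class AvtPolicy:
    """Adaptive Virtual Topology: the path groups an application class may use and its SLA."""
    name: str
    allowed_groups: Tuple[str, ...]
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float
    metric: str = "latency_ms"  # Path attribute minimised among compliant paths


@dataclass(frozen=True)
class Selection:
    path: Optional[Path]
    within_sla: bool      # False when the chosen path violates the AVT thresholds


def meets_sla(path: Path, policy: AvtPolicy) -> bool:
    return (path.latency_ms <= policy.max_latency_ms
            and path.loss_pct <= policy.max_loss_pct
            and path.jitter_ms <= policy.max_jitter_ms)


def select_path(paths: List[Path], policy: AvtPolicy) -> Selection:
    """Pick the path an AVT should use given the current telemetry."""
    allowed = [p for p in paths if p.path_group in policy.allowed_groups]
    if not allowed:
        return Selection(None, False)          # the policy excludes every available path group
    compliant = [p for p in allowed if meets_sla(p, policy)]
    pool, within = (compliant, True) if compliant else (allowed, False)
    # Unmetered paths rank first; among those the policy metric decides; the name breaks ties.
    best = min(pool, key=lambda p: (p.metered, getattr(p, policy.metric), p.name))
    return Selection(best, within)


def update_telemetry(paths: List[Path], name: str, **measurements: float) -> List[Path]:
    """Return a new path list with fresh probe results for one path (paths are immutable)."""
    return [replace(p, **measurements) if p.name == name else p for p in paths]


# Constructed telemetry; the latencies are the ones shown on the transit-hub slide.
PATHS = [
    Path("cloud-backbone", "INTERNET", latency_ms=36, loss_pct=0.1, jitter_ms=2),
    Path("transit-hub",    "INTERNET", latency_ms=45, loss_pct=0.2, jitter_ms=3),
    Path("private-mpls",   "MPLS",     latency_ms=75, loss_pct=0.0, jitter_ms=1, metered=True),
]

# Constructed AVT policies in the spirit of the Pathfinder slide.
VOICE = AvtPolicy("voice", ("INTERNET", "MPLS"),
                  max_latency_ms=150, max_loss_pct=1.0, max_jitter_ms=30)
CRITICAL_APP = AvtPolicy("critical-app", ("MPLS",),
                         max_latency_ms=50, max_loss_pct=0.5, max_jitter_ms=10)

if __name__ == "__main__":
    print(select_path(PATHS, VOICE).path.name)       # cloud-backbone: lowest latency
    degraded = update_telemetry(PATHS, "cloud-backbone", loss_pct=5.0)
    print(select_path(degraded, VOICE).path.name)    # transit-hub: re-routed on packet loss
    outage = update_telemetry(degraded, "transit-hub", loss_pct=100.0)
    print(select_path(outage, VOICE).path.name)      # private-mpls: metered, but the only compliant path
    print(select_path(PATHS, CRITICAL_APP))          # MPLS only; 75 ms > 50 ms, so within_sla=False
```

The three voice calls trace the slide's story: the cloud backbone wins on latency, loss on that path moves the traffic to the transit hub, and the metered MPLS circuit is used only once both Internet paths have failed their thresholds. The critical-app call shows the degraded-mode decision a practitioner has to make explicit: when no allowed path meets the SLA, the selector still returns the best available one but flags it, rather than silently black-holing the application.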

Guest Network Access

[Slide 63 diagram: a Branch with Guest and Employee users; guest traffic takes a local NAT exit to the Internet, while the Data Center hosts a Guest App reachable over the WAN.]

Guest Network Tenant: providing network access for guest, contractor and partner access using the existing WAN infrastructure. The Guest Network provides connectivity between guest users and applications in the Data Center or public clouds, on existing routers.

Network Security: protect corporate resources and assets from being accessed by external users. Putting guest traffic into a dedicated Tenant ensures separation from corporate traffic.

Increasing WAN Efficiency: reduce suboptimal traffic patterns. A Local Internet Exit avoids backhauling the traffic to the Data Center, saving WAN bandwidth for corporate use.
Guest Network Access (Slide Notes)

Looking at guest access and traffic, it’s easy to see the advantages of a solution like CV-Pathfinder.

The Tenant is defined and the network is secured by placing the guest traffic into that Tenant, so guest devices have no path to corporate resources. Guest traffic can be directed to the Local Internet Exit to avoid adding load to the bandwidth already in use on the WAN.

This can reduce costs by reducing the bandwidth required on WAN circuits or by avoiding metered links.

Internet Access

[Slide 65 diagram: a Branch with Guest and Employee users, a Transit Hub, a Data Center hosting Ent. App, and a Cloud Security service, each with its own Internet exit.]

Service Insertion with on-prem Firewall: a firewall at the DC or transit hub where all Internet-bound traffic is inspected.

Cloud Security: remote Internet exit with SASE (Zscaler, Prisma Access), or through a Transit Hub with a locally deployed firewall.

Local Internet Exit: the router provides NAT for Internet-bound traffic.

Requirements by traffic class:
• Applications: all Internet-bound traffic needs to be inspected by an on-prem firewall for compliance reasons.
• Employees: remove backhauling of traffic without compromising security.
• Guest Networks: least protected; get off the WAN as quickly as possible.
Internet Access (Slide Notes)

CV-Pathfinder also allows for Service Insertion: additional services provided by Arista or third parties can be added into the system’s logic, and decisions are made based on their presence.

Internet Access is a good example: consider Guest and Employee users. Guests may be sent directly to the Internet, as those devices are not managed and their traffic is isolated from the corporate network. Bypassing Cloud Security for guest traffic can reduce licensing costs and, at times, even avoid liability. Employees could have multiple paths: one to exit to the Internet directly through a Transit Hub and another to use a third-party Cloud Security solution, while enterprise applications stay behind the on-prem firewall for compliance.

There are numerous examples of WAN routing difficulties, and Arista’s WAN Routing System has a solution for each. Routers can change operational modes from traditional WAN routing to SD-WAN on the fly, enabling a simple replacement of an existing traditional WAN solution. As networks grow and change, the Arista WAN Routing system enables an easy switch into SD-WAN to accommodate both current and future needs.

Resources

Arista Partner Portal - Technical Resources

https://partners.arista.com/English/Partners/home.aspx

Thank You
