Apstra Device Agents
The Apstra Device Agents function in one of two ways: Onbox or Offbox.
Option 1: Apstra Agent installed on the switch (Onbox)
In this case the Apstra Agent has been installed onto the device, either via the ZTP boot process or using the Apstra Device Installer. Once the agent is installed it always runs, including after reboots. Communication between the agent and the Apstra Server is done over a highly optimized binary protocol.
The Apstra Agent package installs the following processes within the Network Operating System (NOS) namespace to create an isolated runtime environment:
- Counter Agent: Responsible for retrieving counters from a device and sending them upstream to the Apstra Server. The majority of traffic is normally generated by this agent.
- Deployment Agent: Responsible for accepting configuration pushed down from the Apstra Server and applying it to the device. This agent is idle most of the time.
- Telemetry Agent: Responsible for retrieving LLDP, routing, interface information and other telemetry and sending it upstream to the Apstra Server. This agent is idle most of the time, except when important events occur.
- Local Process Spawner: Responsible for instantiation of the agent.
- Local SysDB: Each device maintains a localized version of the SysDB process to store intent for local purposes.
The ports used to connect to devices can be adjusted on the Apstra server. The default ports for this protocol are:
Agent <==> MetaDB (TCP dst port 29731)
Agent <==> SysDB (TCP dst port 29732)
Agent <==> CentralDB (TCP dst port 29730) (future)
Agent <==> TelemetrySysDB (TCP dst port 29733)
The Apstra agents are installed inside a protected guestshell or userland on each vendor device. The agent processes are isolated from the underlying switch hardware and software; Apstra does not talk directly to the forwarding/data plane or the control plane.
Option 2: Apstra Proxy Agent (offbox) connects to the device via the vendor’s standard API or CLI/SSH
The Proxy Agent connects to the device on the defined API port (typically 80/443/9443) or over standard SSH (typically port 22). Connections are always initiated by the proxy agent, either on a set time interval or when updates occur in Apstra. This agent runs as a container directly on the Apstra server.
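Because the text fixes both the onbox agent ports (29730-29733) and the offbox proxy ports (22/80/443/9443) and states which side initiates each connection, a defender can baseline management traffic against them. The following added example (not Apstra code) classifies constructed flow records; the host addresses are placeholders, and it assumes the onbox agent initiates connections toward the Apstra server, as the "dst port" notation suggests.

```python
# Added example (not Apstra code): audit TCP flows against the documented agent ports.
from collections import namedtuple

# Onbox agent protocol: TCP destination ports on the Apstra server.
# Assumption: the onbox agent on the switch initiates these connections.
ONBOX_PORTS = {29730: "CentralDB", 29731: "MetaDB",
               29732: "SysDB", 29733: "TelemetrySysDB"}
# Offbox proxy agent: typical vendor API / SSH ports, opened from the
# Apstra server toward the device (the text states the proxy initiates).
OFFBOX_PORTS = {22: "SSH", 80: "API", 443: "API", 9443: "API"}
Flow = namedtuple("Flow", "src dst dport")

# Constructed inventory: one Apstra server and two managed switches.
APSTRA_SERVER = "10.0.0.5"
DEVICES = {"10.0.0.11", "10.0.0.12"}

def parse_flow(line):
    """Parse a constructed flow record of the form '<src> -> <dst>:<dport>'."""
    src, rest = line.split(" -> ")
    dst, dport = rest.rsplit(":", 1)
    return Flow(src.strip(), dst.strip(), int(dport))

def classify(flow, server=APSTRA_SERVER, devices=DEVICES):
    """Return (verdict, service) with verdict 'expected', 'anomaly' or 'unknown'."""
    if flow.dport in ONBOX_PORTS:
        # Only a managed device should reach the agent DB ports on the server.
        ok = flow.src in devices and flow.dst == server
        return ("expected" if ok else "anomaly", "onbox/" + ONBOX_PORTS[flow.dport])
    if flow.dport in OFFBOX_PORTS:
        # Only the proxy agent on the server should open API/SSH sessions to devices.
        ok = flow.src == server and flow.dst in devices
        return ("expected" if ok else "anomaly", "offbox/" + OFFBOX_PORTS[flow.dport])
    return ("unknown", None)

def audit(lines, server=APSTRA_SERVER, devices=DEVICES):
    """Classify every flow line; returns a list of (line, verdict, service)."""
    return [(ln, *classify(parse_flow(ln), server, devices)) for ln in lines]

# Constructed sample flows (as exported from a firewall or flow collector).
SAMPLE_FLOWS = [
    "10.0.0.11 -> 10.0.0.5:29731",   # leaf agent -> MetaDB: expected
    "10.0.0.5 -> 10.0.0.12:443",     # proxy agent -> device API: expected
    "10.0.0.99 -> 10.0.0.5:29733",   # unmanaged host -> TelemetrySysDB: anomaly
    "10.0.0.11 -> 10.0.0.12:22",     # device -> device SSH: anomaly
    "10.0.0.11 -> 10.0.0.5:8443",    # port not documented here: unknown
]

if __name__ == "__main__":
    for line, verdict, service in audit(SAMPLE_FLOWS):
        print(f"{verdict:8} {service or '-':22} {line}")
```

Any "anomaly" row is a flow that uses an Apstra management port but not between the documented endpoints, which is the first thing to investigate when tightening firewall rules around the agents.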
Apstra implements SSH to secure management data exchanged over the product management interface. The SSH implementation in this product uses the following ciphers: 3DES, Blowfish, Twofish, CAST-128, IDEA and ARCFOUR.
SSL/SSH Key Exchange
For the SSL and SSH implementations, this product uses RSA with a key modulus of up to and including 2048 bits, and Diffie-Hellman with a key modulus of up to and including 2048 bits, for key exchange.