The Apstra Values

Apstra Blog

The Apstra values are critical to our high performance standards. One of the first documents we wrote when we started the company was our values document, which we share with prospective candidates and which every Apstrktr signs on the first day of employment.

The Apstra values document describes the guiding principles by which all of us are expected to behave. Our leaders are expected to lead by example in the way they practice our values, and are also tasked to enforce our values. In that vein, our values have always played a big role in guiding rewards, promotions, and even discipline.

As you can read on our website, our top three values at Apstra are as follows:

Do the right thing
Collaborate and communicate
Strive for maximum competency and impact

Do the Right Thing

We’ve all heard office conversations that go like this: “This was the right decision; you did the right thing.” We have an intuitive feel for what the right thing is, but ultimately “doing the right thing” is simply not precise enough to measure.

At Apstra, “doing the right thing” means “making decisions in a manner that is consistent with a common set of values”. Consequently, “doing the right thing” means that each of us makes decisions in a way that is consistent with our values.

Why is that so important? Being decisive is a critical trait in high-performance environments, and having a set of guidelines to make decisions simplifies this process greatly. I personally sleep well at night because I try hard to make the decisions that are compatible with the company values. Having the right framework for making decisions is critical for any leader, or any team member, in a high-performance environment. Operating within these values also enables Apstrktrs to have greater autonomy to run the business, make self-directed decisions, and move quickly.

When team members make decisions, they do so in accordance with these values. These are examples:

(a) Integrity first!
(b) Exhibit honesty and candor
(c) Value and practice work-life balance
(d) Exhibit courage
(e) Be open to coaching and feedback

Let’s take (c), “Value and practice work-life balance”. For example, family emergencies take precedence over company-related commitments: a simple rule. In another example, team members with kids are allowed to come into work after dropping their kids off at school. And team members may decide to leave early in the evening to spend time with their kids. Many of us log back in to do work after our kids are asleep.

Why do we believe that striking the right work-life balance is a critical component of “doing the right thing”? The reason is that we believe long-term success requires individuals to produce in a sustained manner over the long run. And a healthy family life is critical to our ability to sustain healthy productivity in the workplace over time.

World-class Healthcare

Another example of doing the right thing is that Apstra strives to provide world-class healthcare to our employees. The reason this is critical is that for our team members to deliver to the best of their ability, they need to know that their families are taken care of if a medical issue arises. This is especially critical as healthcare coverage in the United States becomes more inadequate and more expensive with every day that passes.

Apstra has also taken another important step to provide world-class insurance to our employees. We are one of the first startups to take advantage of a law provision that allows employers to establish a Medical Reimbursement Plan to provide better insurance choices than are available on the market.

This is a great example of the Apstra values at work. It starts with a definition of a problem, which is that health insurance is very important to many of our top achievers, but the quality of typical health coverage has gone down drastically over the years and costs have gone up. We could have paid through the nose to provide sub-standard coverage to our employees – which is frankly what most startups do.

But instead our leadership along with our HR department was creative and looked at all options that were available to them. In doing so we realized that by establishing our own Medical Reimbursement Plan, we were able to purchase reasonably priced high deductible plans from the insurance company, yet provide industry leading plans to our employees. We realized that we could do this with minimum overhead through third party administrators. We also realized that doing so would likely also save the company money over the long term.

The company thus exhibited bias-to-action (a key Apstra value), and exhibited courage in doing something novel that we hadn’t tried before. We also exhibited courage in trusting Apstrktrs that they would do the right thing and spend company money like it’s their own.

So coming up with and formalizing this world-class health plan is a great example of Apstra values at work, and the end result is a major win all around, for both Apstrktrs and the company.


Another critical value at Apstra is teamwork. “We collaborate and communicate.” Teamwork is what enables the whole to be orders of magnitude greater than the sum of the parts. In fact, in every company I’ve been part of, and certainly at Apstra, I am amazed at what a team can produce that is far beyond what any individual can achieve on their own.

Teamwork is why good communication is essential. At Apstra, we remind team members that when in doubt, they should over-communicate. There is no downside in repeating an important piece of information; there is a lot more downside if stakeholders miss learning about it!

This is why we emphasize that deal information is shared generously across sales, product, marketing and, critically, Engineering. At Apstra, we remind everyone that “we win together”. We succeed and fail as a team; indeed, team success is more important than personal glory.

Be an A-player

In a high-performance environment, good teamwork forces everyone to amp up their game. That is why the third critical set of values relates to the expectation that we strive for maximum competency and impact in everything we do. Any deliverable (a customer win, a major release of our software) requires coordination amongst many participants. For the company to deliver on its goal, every participant is required to deliver on their tasks with top quality and on time. Any delay could delay everyone else on the team, and a low-quality product could either cause the product to fail or cause major delays, as the task would have to be redone.

Indeed, doing the right thing in our decisions, collaborating and communicating, and striving for max competency and impact are the key tenets of the Apstra values.

I plan to write more about various aspects of our values, and provide more examples in future blogs. In the meantime, if you are the type of person that resonates with our values, then Apstra may well be for you. Please apply for our positions on our career page.

Why Have I Joined Apstra?


The short answer is quite simple — for the people and technology.

Let me elaborate on both:


Finding a group of like-minded people (who also happen to lead the company) who excel in their core competencies but are open to learn and listen to people who are stronger in theirs, sounds like a “mission impossible,” but, rephrasing an old saying – “those who seek, find.”

Talking about distributed systems with David Cheriton, discussing graph partitioning strategies with Sasha Ratkovic and future industry directions with Mansour Karam: the amount and quality of the knowledge they have, and their willingness to share it. But also the focus on execution, on building the best product.

There’s very little else I could wish for in a “perfect job.”


I got very excited about programmable networking in the early 2010s, when the fact that we (the networking industry) had gotten stuck had become rather obvious.

A Little History

That initial excitement led me to focus on technologies that facilitated better knowledge about the network by extracting and then modeling structured data from and about the network. This, as one might expect, involved development of data distribution over existing channels such as link-state IGPs, BGP-LS, and new ones, such as NETCONF (RESTCONF/gRPC), in addition to data modeling. This drew me into work on YANG efforts in the IETF, OpenConfig, and data modeling for networking with other organizations.

Very early in that phase I realized and began to promote the underlying principle that “we must decouple reachability from policies” which would allow us to scale both independently.  The premise of this idea was to leave reachability distributed in the network while logically centralizing policies, data stores reflecting the various states of the network, and telemetry validating those states. Russ White and I wrote the book Navigating Network Complexity which details the logic behind these principles.

The ultimate “distributed” reachability ideas manifested themselves in the IETF RIFT (Routing in Fat Trees) working group initiative.

Let’s Jump to Today

Looking back, we, as the networking industry, did a great job building the data modeling layer with near real-time performance and at-scale telemetry (gRPC and YANG Push), using a standardized representation that facilitated programmable networking. So we now have enough data to actually do something tangible about it!

The missing part is obviously how to make the data actionable, and how one applies this rather abstract term to networking. Another missing element has been transforming business logic into networking with a continuous validation layer, which Intent-Based Networking addresses.

Doing even simple correlation between the intended (intent) and operational (applied/derived) states is anything but trivial. Doing this at scale and including continuous validation makes it an extremely complicated problem to address. This is made even more complicated as networks continue to grow in size, scale and complexity (think 5G, Edge Computing and similar). A massively scalable platform and a high-performing backend are “must have” attributes of a solution that can scale and address these challenges. The need to combine this with a graph that will allow the system to query and reason about the data, rationalize its meaning and relevance, and incorporate highly flexible analytic probe pipelines gives you just a few hints of the underlying sophistication of the solution required to solve this problem.

Apstra presented at NFD16 (Network Field Day), where I had the opportunity to be a panelist. I was immediately impressed by the massively scalable and distributed design, the sophisticated in-memory processing, and a pluggable architecture operating over pub-sub and API-driven logic. This all combined seamlessly with a graph infrastructure that represented and correlated states and events to make Apstra Intent-Based Data Center Automation uniquely capable of addressing and leading Intent-Based Networking and empowering the Intent-Based Data Center.

That is why I’m here, excited, building the future with the team one could only dream of!

How to Intentionally Build Security into a Network


October is Cybersecurity Awareness Month in the United States and other countries around the world. Chances are you’ll be hearing a lot more about security as many media outlets, security companies and organizations raise awareness of cybersecurity risks among employees, customers and the general public. One area that continues to draw security attention is the network. This is especially true as businesses look at upgrading or evolving their network infrastructures with a move towards software-defined or newer approaches, such as Intent-Based Networking.

The Intent-Based Data Center (IBDC) incorporates Intent-Based Data Center Automation which is built on Intent-Based Networking, a distributed system architecture, and a vendor-agnostic overlay. These data centers establish a high level of application availability and reliability, simplified deployment and operation, and dramatically reduced costs.

Intent-Based Networking allows network designers to specify intent, and automatically configure the network to operate according to that intent, set expectations for its ongoing operations, and verify conformance to the intent.

Rajesh Ghai, IDC research director for telecom and carrier IP networks, says that Intent-Based Networking is a closed-loop, continuous implementation of several steps:

1. Declaration of intent, where the network administrator defines what the network is supposed to do
2. Translation of intent into network design and configuration
3. Validation of the design using a model that decides if that configuration can actually be implemented
4. Propagation of that configuration into the network devices via APIs
5. Gather and study real-time telemetry from all the devices
6. Use machine learning to determine whether desired state of policy has been achieved. And then repeat.

Tips for Securing an Intent-Based Network

When it comes to security, the key aspect is that an Intent-Based Network management software layer continuously monitors the network and ensures network operation is compliant with the specified intent and thereby meets the operator’s expectations.

Expectations are representations of network state expressed as telemetry from network elements. Interface status, MAC addresses, ARP information and route information are some examples of raw telemetry that is collected from network elements. Since the network is represented as a graph by the Intent-Based Network management software, applications can use graph queries to get network state information.

To ensure that the network operates in compliance with the specified intent, the system collects telemetry from network elements, detects anomalies, and processes those anomalies (remedial action) using the specified handlers. If there is a variation between the state and the intent, the handler raises the appropriate alarm. If the variation indicates an imminent hard-drive failure, the handler raises the alarm to IT. If the variation indicates that an entity is making inappropriate DNS calls or port scans, the handler alerts the security information and event management (SIEM) system.

Once a network operator has specified an intent on the system, the Intent-Based Network operates the network for the user — and if the intent contains security parameters and policies, those are also baked into the design. For example, intent and expectations might be, “build a network with 25 racks and 20 servers in each rack with 10G links and 2:1 oversubscription. Ensure there is no SSH or FTP activity between a set of servers. Trigger alerts and deny access if there is a traffic burst from any server that violates the standard deviation of the ‘tx bytes’ by 30 percent.”

The system will build a reference design, and once deployed, the network will set up expectations based on the intent and trigger alerts and remedial actions, as specified.

Anomaly Denied

An Intent-Based Network should be able to specify intent based on network element artifacts like NOS version; patch level for software on switches, routers, or other devices; or other custom artifacts. Once those expectations are specified in the Intent-Based Network, any deviations will be tracked and reported as anomalies with an associated remedial action: take the device offline, send an alert or trigger a patch update.
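The intent-versus-telemetry check described in the last few sections, as an added example (not code from Apstra or AOS). The field names, handler table, version string and telemetry are constructed, and the tx-bytes rule is read as "alert when the latest sample exceeds the baseline mean plus 1.30 standard deviations", which is one assumed interpretation of the 30 percent rule quoted above.

```python
from statistics import mean, pstdev

# Hypothetical intent: only the security expectations quoted in the text.
INTENT = {
    "restricted": {"srv-01", "srv-02", "srv-03"},  # servers that must not SSH/FTP each other
    "forbidden_ports": {21: "FTP", 22: "SSH"},
    "nos_version": "4.2.1",                        # constructed version string
    "tx_sigma": 1.30,  # assumed reading: alert above mean + 1.30 * stddev of baseline
}
# Hypothetical handlers: anomaly kind -> (alert destination, remedial action).
HANDLERS = {
    "forbidden_flow": ("SIEM", "deny"),
    "tx_burst": ("SIEM", "deny"),
    "nos_drift": ("IT", "patch"),
}

def find_anomalies(intent, telemetry):
    """Compare collected telemetry with intent; return (kind, subject, detail) tuples."""
    found = []
    for src, dst, port in telemetry["flows"]:
        if {src, dst} <= intent["restricted"] and port in intent["forbidden_ports"]:
            found.append(("forbidden_flow", src, f"{intent['forbidden_ports'][port]} to {dst}"))
    for server, samples in telemetry["tx_bytes"].items():
        *baseline, latest = samples  # last sample is judged against the earlier ones
        limit = mean(baseline) + intent["tx_sigma"] * pstdev(baseline)
        if latest > limit:
            found.append(("tx_burst", server, f"{latest} > {limit:.0f}"))
    for device, version in telemetry["nos"].items():
        if version != intent["nos_version"]:
            found.append(("nos_drift", device, f"{version} != {intent['nos_version']}"))
    return found

def dispatch(anomalies):
    """Route each anomaly to its handler; returns (destination, action, kind, subject)."""
    return [HANDLERS[kind] + (kind, subject) for kind, subject, _ in anomalies]

# Constructed telemetry sample (not real device output).
TELEMETRY = {
    "flows": [("srv-01", "srv-02", 443), ("srv-03", "srv-01", 22), ("srv-09", "srv-01", 22)],
    "tx_bytes": {"srv-01": [1000, 1100, 900, 1000, 1050],
                 "srv-02": [1000, 1100, 900, 1000, 4000]},
    "nos": {"leaf-1": "4.2.1", "leaf-2": "4.1.0"},
}

if __name__ == "__main__":
    for alert in dispatch(find_anomalies(INTENT, TELEMETRY)):
        print(alert)
```

The SSH flow from srv-09 is not flagged because srv-09 is outside the restricted set named in the intent; only state that contradicts a stated expectation becomes an anomaly.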

This is key in today’s environment where keeping network devices updated to have the right level of software and vulnerability patches is critical to network security. What makes an Intent-Based Network a secure system is its ability to specify intent and monitor for variations in the execution of that intent, in the same system.

For example, an Intent-Based Network provides built-in services that collect raw telemetry from network elements (e.g. MAC addresses, ARP tables, route tables, etc.), set up expectations, and then monitor the state of the network based on the collected telemetry.

Intent-Based Networking allows users to specify several security constructs for network activity in a data center network that is typically behind a firewall or in a secure zone. For example, an Intent-Based Network can facilitate detection of lateral movement inside the network, detect traffic flows that should not be present, movement of MAC addresses, interface statistics, and so on.

An Intent-Based Network can handle complex security tasks easily. Since an Intent-Based Network creates the network reference design and ensures operation of the network, it has the context to be able to respond to various questions about the network (regardless of the complexity) in the presence of constant change. This is a huge shift in the way networks are monitored. When Intent-Based Network management software contains built-in analytics capabilities, network operators can aggregate raw telemetry from network elements and use analytics constructs like thresholding and pipelines of data across processing stages.

Intent-Based Networking offers an opportunity to design security objectives right into a complex network. The currently shipping version of the Apstra Operating System (AOS) provides the aforementioned capabilities, which are achieved by leveraging Apstra AOS Intent-Based Analytics.

To learn more about security in an intent-based networking world, check out this blog post I penned shortly after joining Apstra from Palo Alto Networks. Read more: Intent-Based Networking and Security.