An Enterprise Approach to White Box Networking


White box – and branded white box (aka brite box) – switches running a modern, Linux-based network operating system (NOS) are disrupting the enterprise campus network market, providing a commercially proven alternative to customers who have spent decades bending to the will of their entrenched switch and router equipment vendors.

Similar to the virtual server concept, where the server software is abstracted from underlying hardware, with white box switches the network operating system itself is abstracted – or disaggregated – from the underlying switch hardware. This creates the potential for an “open,” portable NOS that can run on a wide variety of switches from multiple vendors. No longer is an enterprise permanently wedded to a single vendor’s hardware and software development cycle.

The white box networking movement is now proving to be just as beneficial to enterprise networks as virtual servers were when they first came on the scene. It delivers dramatically simplified network deployment, operations and support, along with increased flexibility in terms of optimized hardware and software, all at lower cost.

But not all approaches to white box networking are the same. Pica8, for example, takes an approach that squarely addresses large enterprise requirements. Its Threshold™ reference architecture is the first end-to-end, open networking solution capable of replacing entire legacy vendor enterprise networks with centrally managed, modern, disaggregated white/brite box-based alternatives. Threshold brings new levels of automation and operational simplicity to open networking, from initial switch deployment and configuration to ongoing operation and management. Threshold also includes an industry-first Open Intent-based Networking (OIBN) capability, with the ability to support Layer 2, Layer 3 and software defined networking (SDN) control planes simultaneously over the same switch ports – making possible new levels of security and policy management.

Powering Effective White Box Switches

At the hardware level, a white box switch is really no different from the switches enterprises have been buying for years from major vendors such as Cisco and Juniper. A handful of well-established manufacturers – including Accton, Delta Networks, Foxconn and Quanta Cloud Technology – supply their commodity hardware to both the white box market and the major switch vendors. Collectively, these manufacturers collect more than $25 billion in annual switching revenue – a sure sign of a healthy, well-established market.

Typically, the hardware consists of standard 1U, 48-port Ethernet switches and can support speeds from 1G to 100G. They are based on a choice of ASICs, again from well-established vendors such as Broadcom, Cavium, Intel, Marvell and Mellanox, all with long histories in producing network chipsets. Alternatively, a proprietary switch could use a custom ASIC to implement some desired, non-standard feature. Service providers, for example, may choose to go the custom route, but enterprises typically would have no such specialized ASIC requirements.

Chip vendors also supply an application programming interface (API), which is used by the NOS to control interactions with the ASIC. These vendors may also include an SDK (Software Development Kit) to program the ASIC, such as to set up a VLAN or ACL entry. Broadcom, for example, recently released SDK Logical Table (SDKLT), which is an open source SDK that’s intended to enable a high level of programmability for its chipsets.

The final component of a white box switch is the NOS itself. Here’s where the white box switches differ significantly from those of legacy switch vendors. A vendor such as Cisco or Juniper takes the same commodity hardware and loads its own, proprietary NOS on top. The white box alternative is to instead load an open, Linux-based NOS. It’s a similar approach to using Linux on a commodity server instead of, say, Windows Server.

Defining an “Open” Switch

It’s the choice of the NOS that makes a switch open – or not. Open networking software uses an open source Linux-based OS. The Open Compute Networking Project, for example, is an effort by the Open Compute Project (OCP) aimed at creating a set of disaggregated, open network technologies, including a Linux-based NOS and developer tools.

Similarly, the Open Network Install Environment (ONIE) is an open source initiative driven by a community of vendors to define an open “install environment” for white box switches. Also a project of the OCP, ONIE is intended to enable an ecosystem where end users can choose among different NOSs and install them on a common set of white box switches in the same manner that they provision servers. Open Network Linux, another OCP project, is one example of such an open source NOS that uses the ONIE install environment to install into a white box switch’s flash memory.

AT&T has also announced its own entry to the open networking community with its Disaggregated Networking Operating System (dNOS). The dNOS project provides a software framework to speed the adoption and use of white boxes in a service provider’s infrastructure, AT&T says. Given that AT&T has more than 100,000 IP/MPLS routers in its network, that is a significant vote of confidence for the concept of disaggregated networking and open NOSs. With this project, AT&T is following the lead of web-scale companies, such as Facebook and Google, that have already standardized their internal networks on white box switches running a Linux NOS.

The Myriad Benefits of Open, Disaggregated Networking

The collective vote of confidence from AT&T and the web-scale giants makes sense, because open, white box networking has proven itself in large data centers as a new best practice. Now those same benefits are penetrating enterprise campus and branch office networks, freeing company after company from the restrictive, closed network technology cycle that they’ve been saddled with for decades.


The idea behind using an open NOS is that it can be ported from one white box hardware platform to another. That means there’s no more vendor lock-in, in terms of hardware or software. As advances come along in software or hardware, enterprises are free to take advantage of them without the complexity involved in migrating from one proprietary switch vendor to another.


Pairing commodity hardware with open-standards-based disaggregated NOS software makes white box switches far less expensive than traditional legacy appliances in terms of capital costs. For example, the hardware/software list price for a fully configured white box version of a Cisco 6500-class chassis switch runs around 20 percent of the cost of the legacy Cisco switch – and the white box “replacement” provides significantly higher density and performance at that lower price. Additionally, Threshold’s simplified configuration and lifecycle management tools make ongoing operations far easier, significantly reducing ongoing operating costs. It all adds up to a reduction in total cost of ownership that can easily exceed 50 percent.

Escape From The Data Center

Pica8 Brings Simplified Leaf-spine Architecture to the Rest of the Enterprise

Enterprise and data center networks traditionally used a three-tier model, with access switches closest to end users feeding larger aggregation switch/routers which, in turn, connect to larger core routers that form the network backbone.

In this architecture, network architects must configure redundant pathways to ensure resiliency, typically using the Spanning Tree Protocol (STP). A potential drawback is that STP deactivates all but the primary network route. Should that route fail, it will bring up a backup path, which is then used until the primary comes back online. While that does provide redundancy, it can also lead to bandwidth constraints should the primary (or backup) network path become congested.

An alternative architecture known as leaf-spine addresses those limitations.

The traditional leaf-spine is a two-tier architecture, in which the leaf switches connect to end devices, such as servers and firewalls, and the spine switches connect to leaf switches. This approach was first used in data center networks, as it is a good fit for the “east-west” nature of data center traffic.

Consider a data center rack full of servers. At the top of the rack may be a pair of switches, known as Top of Rack (ToR) switches because of their physical location. Each server in the rack connects to the two ToR switches, for redundancy. These ToR switches are the equivalent of leaf switches in a leaf-spine topology.

Each leaf switch then connects to multiple spine switches; in a data center, they likely connect to every spine switch. That means there’s no need for spine switches to connect to one another. Rather, all ports on a spine switch are used to connect to leaf switches, using either Layer 2 switched connections or Layer 3 routed links. From a logical perspective, all switches are the same distance from one another – reachable in a single “hop”.

But the PICOS technology from Pica8 takes leaf-spine to another level for enterprise switch stack and chassis switch replacements. It extracts all the complexity from traditional two-tier leaf-spine networks and flattens the network by managing both the leaves and the spines as though they were all a single, logical switch with no hierarchy. Pica8 has paved the way for the data center-proven leaf-spine architecture to extend to the wider enterprise by turning it into the simplest and easiest to deploy network architecture of any kind – able to be managed by any SysAdmin. PICOS maintains all the Layer 2/Layer 3 features of a traditional 3-tier design, including:

  • Resilient multi-path fabric ensuring the applications and users get the highest availability
  • A switching fabric capacity of 176 Gbps for 1 GbE and 1.28 Tbps for 10 GbE platforms
  • Simple and flexible scale-out topologies*: up to 2,304 1 GbE access ports with 1.2:1 oversubscription ratio, or up to 1,536 10 GbE access ports with 2:1 oversubscription ratio
  • Support for SDN protocols and external programmability, helping you drive towards agile network orchestration

It’s a highly scalable and secure network that’s also easy to upgrade, because it’s based on cost-effective, plug-and-play infrastructure.

* Recommended configurations using Pica8 pre-loaded systems. Actual customer configurations may vary depending on platforms and oversubscription ratios.



By using a switch-portable NOS, enterprises can select the switch that best matches each specific deployment in terms of redundancy, density, speeds, features, power profile, and port counts. Yet they will still have consistent and unified activation, programming, network management, monitoring, special features and behavior across their network infrastructure.


White box networks are also inherently more reliable than the legacy systems they replace, offering improved redundancy for a couple of reasons. One is the use of a higher-reliability chassis, with redundancy features built in. Such switches suddenly become more affordable given that enterprises can typically purchase two modern white box switches for automatic fail-over for the price of one (heavily discounted) switch from a legacy vendor. The other factor is that the disaggregated network concept, when used with an appropriate NOS, enables the deployment of a leaf-spine network architecture throughout the enterprise, not just in the data center. The leaf-spine architecture provides improved redundancy and availability, because every leaf switch has a direct connection to every spine switch (see sidebar).


An open NOS based on Linux borrows technology from the server realm that promotes ease of use, including zero touch provisioning (ZTP) and automated licensing. Once a switch is physically connected to the network, ZTP enables the automation of provisioning and configuration processes, typically using a Dynamic Host Configuration Protocol (DHCP) server.

ZTP routines can also take advantage of open source Linux tools such as Puppet and Chef, which began life as tools to automate server configuration tasks. These tools have now been adapted to provision switch configurations by the Open Source community. So, just as racks of servers and VMs are added to a cluster using Puppet or Chef, network switches and routers can be configured in the cluster by the same tools.

The Pica8 Approach: Enterprise-Ready

While the white box network concept initially found favor in data centers, where its leaf/spine architecture is ideal for handling east-west traffic, Pica8’s Threshold reference architecture encompasses unique technology that breaks the leaf-spine concept out of the data center and lets it flow across the entire enterprise.


It starts with the PICOS™ NOS, which is built on a stable, unmodified Debian Linux stack. The fact that it’s unmodified is important, because it means developers know exactly what they’re dealing with and can use all their traditional, familiar development tools and orchestration platforms, including Chef, Puppet and Salt Open. Regular Debian updates are also simple to install, using one of the many available automation routines.

PICOS runs standards-based Layer-2 and Layer-3 protocols while also providing full support for the broad palette of key enterprise features that are not found in data center white box solutions. This enterprise-specific feature set includes wide-ranging capabilities, such as support for voice VLANs, legacy Cisco phones, dumb VoIP phones, PVST, NAC, secure remote access, QoS, 1G/2.5G/5G, and more. (For example, PICOS interoperates with all major industry NAC solutions, including Cisco ISE and Aruba ClearPass.) All of this is controlled via a network Command Line Interface (CLI), which will be familiar to enterprise network administrators and is their preferred method for controlling enterprise network infrastructure. And PICOS is qualified to run on proven, high-performance hardware.


Another central pillar of Threshold is the AmpCon automation framework. Short for Amplified Control, AmpCon is the only available automation framework for campus networks running open networking infrastructure. AmpCon makes it simple to deploy, configure and manage an entire enterprise network of white box switches. It’s so easy to use that an intern with no programming experience can turn on and configure thousands of switches at the push of a button.

AmpCon also executes ZTP via a GUI for white/brite box switch provisioning. It takes care of all Day 0 tasks – new switch turn-on, image load, switch configuration, license database update, and so on – as well as Day 1 tasks such as configuration validation, commit, rollback, and inventory. AmpCon also manages security and operational tasks, including global/regional configurations, compliance, remediation, license maintenance, RMA, status monitoring, role-based access control (RBAC), as well as offering configurable security controls.

While comparable in features to products like Cisco DNA Center, AmpCon is also priced to disrupt the legacy automation framework software market.


PICOS enables network managers to control dozens of multivendor white box switches as if they were a single, logical switch with a single, consolidated IP address. This new Pica8-only capability has multiple ramifications for enterprise networks.

For one, there’s no longer a need to invest in large, expensive switch chassis. Because PICOS solves all port aggregation network issues, you can now eliminate expensive chassis switches and switch stacks entirely, replacing them with more reliable – and easier to maintain – open switches.

The ability to manage many switches as one also slashes operational overhead. All configuration, policy and security changes are now far easier to implement, with a single update effectively applying to dozens of switches. It also reduces the number of individual network elements you need to manage by a factor of 10 to 50 times or more. Management headaches associated with all these individual network elements melt away with PICOS.

PICOS is also what enables the leaf-spine configuration to be deployed across the enterprise, not just in the data center. Leaf-spine is not only simpler than the traditional three-tier network architecture (access, aggregation, core), it provides better performance and resiliency (see sidebar).

PICOS-powered Ethernet switches use Multi-Chassis Link Aggregation (MLAG) technology to connect devices, enabling each one to connect to a pair of Pica8 switches with all links running active/active to improve resiliency. There’s no need to block certain links, as with the spanning tree protocol (STP), resulting in improved bandwidth utilization and performance. MLAG peer switches synchronize forwarding state between them, so if a leaf or spine switch fails, traffic is automatically rerouted for continuous uptime.


CrossFlow™ is another Pica8-only innovation that breaks new networking ground. Previously, the state of the art in IP switching was hybrid Layer 2/Layer 3 switches, where some ports operated with the traditional L2/L3 stack software while others were under the control of a software defined network (SDN) controller. But, critically, each port supported just one or the other – L2/L3 or SDN, not both.

CrossFlow, however, enables each switch port to support L2/L3 traffic as well as SDN traffic at the same time, paving the way for OIBN while providing, in effect, a dedicated security policy control plane. Security updates, for example, can now be sent to a switch without touching switch ACLs (access control lists) or interrupting normal traffic. That can have important implications for large enterprise networks, by providing a dynamic way to insert policy into the network.

Say a large retailer notices suspicious activity at one of its stores coming from a certain set of MAC addresses, threatening to take down network service to the location. Using CrossFlow, its security operations team can push out a security policy change, instructing the switches at the location to either drop, mirror, or redirect traffic from the offending addresses to a security analytics platform – with no interruption to service anywhere in the network. Similarly, the capability can be used to conduct deep security monitoring on switch ports, again without interrupting traffic. Lastly, because PICOS includes native packet steering – another Pica8 exclusive for open networks – network operators can duplicate data streams and redirect them to security and/or analytics tools for further review.
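The retailer scenario above, worked through as an added example (not Pica8 code or CrossFlow's actual interface): it builds per-MAC drop, mirror or redirect rules plus a catch-all that leaves all other traffic on the normal L2/L3 pipeline. It assumes the SDN control plane accepts OpenFlow rules in Open vSwitch `ovs-ofctl` syntax, which the page does not state; the bridge name `br0`, port 48, the priorities and all MAC addresses are constructed values.

```python
import re

POLICY_PRIORITY = 200   # assumed value: must outrank the catch-all below
DEFAULT_PRIORITY = 0    # catch-all keeps ordinary L2/L3 forwarding for everyone else


def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff for input written with ':', '-' or '.' separators."""
    digits = re.sub(r"[-:.]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def action_clause(action, analytics_port=None):
    """Map the three responses named in the text to OVS flow actions."""
    if action == "drop":
        return "drop"
    if action not in ("mirror", "redirect"):
        raise ValueError(f"unknown action: {action!r}")
    if not isinstance(analytics_port, int) or analytics_port < 1:
        raise ValueError(f"{action} needs the analytics tool's switch port")
    if action == "mirror":
        # Forward as usual and also send a copy to the analytics port.
        return f"NORMAL,output:{analytics_port}"
    # Redirect: the analytics port becomes the only destination.
    return f"output:{analytics_port}"


def build_flows(macs, action, analytics_port=None, protected=()):
    """One high-priority rule per offending source MAC, then the catch-all.

    `protected` lists MACs that must never be contained (gateway, uplink
    peers), so a mistyped suspect list cannot cut the site off.
    """
    clause = action_clause(action, analytics_port)
    keep = {normalize_mac(m) for m in protected}
    flows, seen = [], set()
    for raw in macs:
        mac = normalize_mac(raw)
        if mac in keep:
            raise ValueError(f"refusing to contain protected MAC {mac}")
        if mac in seen:          # same address reported in two notations
            continue
        seen.add(mac)
        flows.append(f"priority={POLICY_PRIORITY},dl_src={mac},actions={clause}")
    flows.append(f"priority={DEFAULT_PRIORITY},actions=NORMAL")
    return flows


def as_commands(bridge, flows):
    """Render the rules as ovs-ofctl invocations for review before pushing."""
    return [f'ovs-ofctl add-flow {bridge} "{flow}"' for flow in flows]


if __name__ == "__main__":
    # Constructed suspect list; the first two entries are the same address.
    suspects = ["AA-BB-CC-00-11-22", "aabb.cc00.1122", "02:00:00:00:00:05"]
    gateway = ["02:00:00:00:00:01"]
    for cmd in as_commands("br0", build_flows(suspects, "mirror", 48, gateway)):
        print(cmd)
```

Only frames whose source MAC matches a policy rule are touched; everything else hits the priority-0 `NORMAL` rule, which is how the "no interruption to service" property is expressed in this syntax.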


All of these advanced capabilities work on your choice of hardware, from simple 1G switches, to 48-port PoE Multigig switches, to fully loaded 100G models, from vendors including Dell Technologies, with its extensive worldwide distribution and support capabilities. (See Pica8’s complete hardware compatibility list.)

Realize the Full Benefits of Pica8

White box and brite box open networking provides a welcome change to companies large and small that are looking for an alternative to the switching status quo: vendor lock-in with expensive legacy network providers. Pica8 is the first, and only, white box networking solution specifically tailored for use in large, dispersed enterprise networks. Its Threshold architecture includes all the tools needed to turn even the most complex network into one that is both easy to deploy and manage.

Built on an open, unmodified Debian Linux kernel, the PICOS NOS gives enterprise DevOps teams total control over their network destiny. With Pica8, automation is built in, while innovative features such as CrossFlow add SDN capabilities to make networking more flexible while also providing real-time security.

In addition to eliminating vendor lock-in, Pica8 enables enterprises to slash their network TCO by 50% or more thanks to drastically decreased short- and long-term OpEx and CapEx costs – even when compared to heavily discounted legacy solutions. It’s also important to note that Pica8’s open networking solutions for enterprise campus and access networks are fully backward compatible with legacy solutions. This allows customers to upgrade and modernize their networks incrementally or as budgets allow.

Learn more about how Pica8 PICOS can make your network operations team more productive. Download our white paper: “Simplifying Network Operations through Automation and Open Networking”