For networking pros who want to segment and secure internal traffic, the Firewall Services Module (FWSM) for the Catalyst 6500 chassis has been a workhorse. But given that it’s based on Cisco’s old PIX firewall products, it’s no surprise that its days are numbered. Network engineers have been lamenting its pending demise ever since Cisco made it clear that the Nexus 7000 is the future of its data center switching line.
Given the angst over the FWSM, I was surprised to see how little fanfare Cisco gave the unveiling of its new ASA (Adaptive Security Appliance) Services Module for the Catalyst 6500. It merited a one sentence reference in Cisco’s press release and just a bullet point in the slide-deck I was shown this week as Cisco rolled out a huge slate of new data center technologies. Cisco gave more publicity to a new Application Control Engine (ACE) module for the 6500 that can do dynamic load balancing of VM workloads across data centers.
The ASA Services Module has 20 Gbps of maximum firewall throughput and it supports 300,000 connections per second, 10 million concurrent connections and 1,000 VLANs. You can install four of them in a single Catalyst 6500.
It’s nice to see these new service modules for the Catalyst 6500, but customers want to see comparable products for the Nexus 7000 products. Cisco hasn’t offered any guidance on what the future holds for bringing such functionality to its newer switch line. However, Cisco has developed a Virtual Security Gateway product which runs as software on the Nexus 1010 box, a command and control appliance for the Nexus 1000v virtual switch. Perhaps Cisco plans on doing all this stuff in software rather than hardware with Nexus.
Asked multiple times at the Cisco Partner Summit last week what the channel and users should do about the fact that Cisco switches are more expensive than the competition, Cisco execs basically said: Live with it. After all, Cisco products are better than the competition, are part of a big-picture architecture, and they shouldn’t be commoditized. So there.
“Ninety percent of our products are the best in the industry,” said Cisco CEO John Chambers during a press question-and-answer session last week, adding that this was the case across all technology segments from routing and switching to data center, video and collaboration.
Now it’s up to partners to avoid selling standalone products and instead show “how these products work together” and “how they will future proof the architecture,” Chambers said.
“If you’re a partner and you’re selling a commodity product that is not a good [strategy],” said Chambers.
Competitors that are asking partners to sell commodity products are “asking them to commoditize their businesses,” said Rob Lloyd, Cisco executive vice president of worldwide operations.
That said, when journalists reminded Cisco execs of the company’s slipping share of the switching market (Cisco’s switching revenue has declined while Hewlett-Packard Networking’s has risen), executives agreed the message around the role of switching in an overall architectural play may need to be better communicated.
“We have more work to do both internally and with our partners to accentuate architectural differences,” said Lloyd. “John made the point that our portfolio has never been stronger … our 2960 switches and 3750s have never been better … we need to do a better job in emphasizing the role that Medianet plays and that TrustSec plays and that new applications will play.”
Cisco has introduced a major refresh of every part of its switching line in the past couple of years – and analysts have said the transition was poorly managed. Cisco execs admitted that the company introduced more product at once than it was prepared to handle on the marketing or business side.
“Rob and I never had the chance to add more than one switching product per year,” said Chambers. “When you suddenly transition everything from the 7000 to the 5000 all the way down to the Nexus line, and you look at what we’re doing with the 3000, and the ramp-up speed of how quickly they were accepted … When you bring out new product it always takes four or five years to catch up with margins … It’s just that we’ve never had so much innovation [at once].”
Chambers continued, “Make no mistake about this, we will control the market transition … We’re very well positioned from the data center all the way down.”
Looks like the Cisco supply chain shortage is an epidemic. HP Networking sent a memo to channel partners dated Jan 21, 2011 outlining a backlog of Power over Ethernet (PoE) access switches due to a chipset shortage. Production of these switches won’t resume until June, the memo says.
HP will use what little inventory it has left to fill backlogged orders first. It is unclear how long partners and users have already been waiting on these switches.
HP Networking’s market share has grown steadily this year while Cisco has seen its share of the Ethernet switching market decline 7%. HP’s growth has largely been due to competitively priced switches and lifetime warranties that Cisco can’t meet. But now some wonder whether that competitive pricing and increased market share also contributed to the current backlog.
One channel partner who works with both HP and Cisco believes the backlog is due to the same shortages that have hit many networking and wireless vendors. However, he confirmed a rapid growth in his company’s HP switch sales, which have been spurred by HP’s competitive pricing and customer push-back against Cisco’s SmartNet requirements.
Backlogged products include:
- J9299A: HP E2520-24G-PoE Switch
- J9137A: HP E2520-8-PoE Switch
- J9138A: HP E2520-24-PoE Switch
- JD877A: HP V1905-8-PoE Switch
- JD050A: HP NJ1000G IntelliJack
- JD051A: HP NJ1000G IntelliJack 20-pack
- JD057A: HP NJ2000G IntelliJack
- JD058A: HP NJ2000G IntelliJack 20-pack
As an alternative to these switches, HP’s memo suggests users consider buying step-up switches in the same lines or the non-PoE equivalents.
HP did not return calls for comment. In the memo, the company wrote that it is “working earnestly to pull in the delivery dates” from its supplier.
In data centers, virtualization has created a bit of a network security black hole for engineers. Firewalls have no problem applying and enforcing security policies to server-to-server traffic in a data center, but traffic between virtual machines (VMs) on a virtualized server is another story.
A few months ago I reported about how vendors like Cisco and Check Point have created software that essentially extends the reach of physical firewalls into a server’s hypervisor. At the time, Juniper was developing the same capability by partnering with virtualization security startup Altor Networks. Not long after I wrote that story, Juniper bought Altor. Now just a couple months after the deal Juniper has announced that it’s integrated Altor’s technology with its firewalls, the SRX Series Services Gateway products. Juniper’s new vGW Virtual Gateway is a hypervisor-level firewall based on Altor’s technology. Network engineers can deploy vGW on every virtualized server in a data center and then manage and enforce security on the VMs on those servers through the SRX hardware.
“Typically we see the data center carved up into different [security] zones,” said Peter Lunk, director of product marketing at Juniper. “We’ve done integration so that the vGW can pull down zone information from the SRX and then it can populate and place individual VMs sitting on that server into the different zones assigned by the SRX. Then it can push that information up to the SRX. Now you can see all the way down to the VM level and see which virtual machines are sitting in which zone. Now [engineers] have control over whether you can move VMs in and out of those zones. And if you’re turning up a new VM, [engineers can control] which zone it needs to be attached to. If someone is trying to change the VM we have some control over that as well.”
A product like this gives network security engineers renewed visibility and control over what’s happening within virtual infrastructure. It should also have plenty of application in cloud computing environments.
The vGW can also mirror traffic within hypervisors up to the SRX so that the SRX can perform deep analysis on packets and basic reporting on any anomalies. Lunk said Juniper will expand on this mirroring capability in the future. He declined to offer details, but undoubtedly Juniper will add some automated security response features to the SRX for traffic mirrored by the vGW.
Lunk said Juniper has also done some engineering work to make Altor’s syslogs compatible with its own, so that the vGW can report into Juniper’s Security Threat Response Manager (STRM).
As the IETF and the IEEE finish baking their similar, but competing standards – Transparent Interconnection of Lots of Links (TRILL) and Shortest Path Bridging (SPB) – Extreme Networks is offering a software upgrade that delivers one of the benefits of TRILL and SPB today, without any hardware replacement.
TRILL and SPB promise to solve several architectural issues in data center networks today. Extreme aims to emulate just one of the benefits of the emerging standards. TRILL and SPB free up unused bandwidth in a network caused by spanning tree protocol (STP). STP prevents loops from forming in a network topology by closing off redundant paths. Those redundant paths only open if the primary link fails. TRILL and SPB allow all redundant links to be open, which allows Ethernet frames to take the shortest path to their destination. SPB and TRILL also allow multiple links to be in active-active mode, with data traffic aggregating across them.
Both TRILL and SPB are available today in a small number of pre-standard products from some vendors. The use of TRILL and SPB will require hardware upgrades, so enterprises that want to benefit from the technology will have to replace their network infrastructure.
Extreme Networks has introduced a software upgrade across its switching portfolio that can give enterprises a portion of the functionality TRILL and SPB promise. And it delivers this capability without requiring new hardware.
Extreme has combined its Direct Attach Virtual Machine switching feature with its Multi-System Link Aggregation (M-LAG) feature to deliver a new “M-LAG Direct Attach” architecture. Basically, this software upgrade allows a customer to set pairs of upstream links in active-active mode, which enables upstream link aggregation.
“This provides enterprises the ability to have an active-active path in the data center today,” said Shehzad Merchant, senior director of strategy for Extreme. “Link aggregation technology has been around a long time. We’ve taken that technology and extended it. Now you can take a server with two NICs and bond those NICs with link aggregation and dual-home those into two upstream switches. If one switch or one NIC goes down, traffic automatically migrates to the second link. But if both are up, traffic aggregates across both those links.”
Unlike TRILL and SPB’s ability to work with arbitrary, multi-homed topologies, Extreme’s M-LAG Direct Attach only works with dual-homed links. M-LAG Direct Attach is also a proprietary technology, so you will need Extreme switches both upstream and downstream to make it work.
Apparently attendees at Gartner’s Data Center Summit held in Las Vegas last month weren’t too enthusiastic about Fibre Channel over Ethernet (FCoE) as an avenue toward data center network convergence. In a brief note based on findings at the meeting, “Data Center Summit Attendees Cast Doubts on Breadth of FCoE Deployments,” Gartner analysts Joe Skorupa and Robert Passmore say that more attendees were looking at IP-based storage protocol iSCSI or network-attached storage (NAS) as alternatives to FCoE for I/O convergence.
Of the 100 attendees the analysts surveyed at the show, 27% said they are already converging with NAS and iSCSI, 23% are planning to use NAS and iSCSI and 32% plan to use FCoE in the next three years. No one reported using FCoE today.
In the conversations I’ve had with data center and networking pros, it sounds like the convergence path a company takes will mostly depend on the infrastructure they already have in place. Fibre Channel shops will want to use FCoE in order to get more out of their storage area network investments. iSCSI shops will see no reason to invest in FCoE. They’ll just upgrade to lossless 10 Gigabit Ethernet and converge iSCSI and production traffic onto the same wire.
Is TRILL a “terrible idea?” Does Shortest Path Bridging rule? I have no clue.
TRILL (Transparent Interconnection of Lots of Links) and 802.1aq (AKA Shortest Path Bridging or SPB) are very similar standards from two different governing bodies – the IETF and IEEE, respectively. Both standards aim to replace spanning tree protocol, which has become inhibitory in advanced data center networks today. Both standards seek to expand Layer 2 Ethernet domains and to provide multipathing and resiliency capabilities that are just not possible with spanning tree.
Vendors and pundits often gloss over the intricate differences between the two standards, probably because most of us in the media lack the technical knowledge to grasp the finer points involved. Vendors are embracing one standard or the other and it remains to be seen what the consequences of this divergence will be.
It was with this in mind that I reviewed with great interest the PDF slide deck for a panel discussion held at the NANOG50 meeting in Atlanta last October, “The Great Debate: TRILL versus 802.1aq (SPB).” After reading through the slides, I really wish I was there for this talk.
The first 50 slides consist of an extremely technical exploration of the competing standards. After that, the slides move into a head-to-head comparison between the two standards, with advocates of each standard giving their own version of the history behind how we got to this point. In slides that appear to be attributed to Donald E. Eastlake III, co-chair of the IETF TRILL working group, things appear to get a little contentious.
Slide 57 describes how Dr. Radia Perlman, inventor of spanning tree protocol (STP), proposed the idea for TRILL to the IEEE 802.1 working group originally. The idea was rejected because the working group didn’t see a problem with STP. The slide claims that the working group thought TRILL was a “terrible idea,” that the idea of routing in Layer 2 “sucks” and that hop counts are “evil.”
After that, Perlman brought her proposal to the IETF, which embraced the idea and started its own working group. Meanwhile, the 802.1 group eventually recognized that STP did present some problems to the evolving data center industry, and so it launched SPB (802.1aq). The slides claim that the 802.1aq working group originally started out trying to build a replacement for STP that took an approach that differed from TRILL, but gradually SPB evolved into something that looks extremely similar to TRILL.
In subsequent slides that present the IEEE view, but whose specific attribution is unclear, the 802.1aq point of view is that TRILL will require new hardware and a new Ethernet OAM (Operations, Administration and Maintenance) standard. Shortest Path Bridging, on the other hand, can use existing Ethernet ASICs.
I wonder what the tone of this talk was like. Were the disagreements friendly and tongue-in-cheek, or are there really hard feelings on this issue? Perhaps we would have found out in the question and answer period at the end of the talk. The first question posed on slide 64 reads: “Why can’t the IEEE and IETF work together and finalize one solution?”
It’s a good question. Perhaps it will all be rendered moot by the market, as vendors decide which standard has real traction.
In trying to figure out which vendor to choose when it comes to converging data center and storage networks, network managers might just find the answer lies in the provider that lets you use the infrastructure you already have.
For International Computerware Inc. (ICI), a channel partner to both Cisco and Brocade, the answer for customers looking to converge the disparate Fibre Channel and Ethernet networks they’ve already invested in is the Brocade VDX fabric switch.
“We go to market with Cisco UCS for our server and virtualization strategy,” said Jamie Shepard, ICI executive vice president of technology solutions, explaining that UCS is the most common choice for greenfield projects. “But when a company says to me, ‘we have an existing data center and we’re all over the place. How do I bring all this together?’ That’s VDX.”
Brocade VDX switches, launched last November, use the emerging IETF protocol Transparent Interconnection of Lots of Links (TRILL) to create multipath Layer 2 Ethernet fabrics so that large groups of switches can be managed as one – in some scenarios even in a multi-vendor environment.
“Brocade is saying ‘we’re going to put in this virtual network layer that talks to everything heterogeneously,’” said Shepard. “It creates a virtual picture of the back end so you can manage all IP and Fibre Channel under one unit.” ICI recently used Brocade VDX switches to combine management of a Brocade Fibre Channel network and a Cisco IP network at a large pharmaceutical firm.
Cisco also has a Layer 2 fabric plan called FabricPath, which aims to enable better management of converged networks and virtual machine migration. Cisco says FabricPath is based on TRILL, but users must choose between TRILL and FabricPath, and the strategy does not necessarily support multi-vendor environments. That said, even investing in Brocade’s strategy can be considered risky considering TRILL has not yet been ratified and is up against other protocols, namely 802.1aq.
Brocade is ramping up its VDX go-to-market strategy, launching additions to its channel partner program this week to include the Virtualized Fabric Partner Specialization and the Certified Ethernet Fabric Engineer (BCEFE) Certification for partners specializing in the delivery of Ethernet fabric technologies. Brocade has also added the Application Delivery Partner Specialization for partners focusing on application load balancing and optimization in converged networks.
We’ve heard more than once that certification does not necessarily make a real networking pro. That said, at a time when networking engineers and admins are asked to have their fingers in multiple pots in the data center (read server virtualization and storage, among others), it may be worth keeping an eye on a new storage networking certification being jointly developed by CompTIA and the Storage Networking Industry Association (SNIA).
The certification, CompTIA Storage+ Powered by SNIA, will focus on skills related to data storage, storage networking, data protection and underlying interconnect technologies. The associations will release a beta of the certification exam this quarter and the certification will officially launch in the second half of 2011.
There’s no shortage of storage certifications for networking professionals already in existence – including a storage networking certification from the SNIA. So what’s the difference here? The alliance with CompTIA will likely make storage skills more accessible to professionals across IT. In other words, this is a stab at proving that storage skills can no longer be confined to storage teams alone.
Network Hardware Resale (NHR), the leading reseller of used Cisco gear, says that companies are unfreezing their budgets and investing in new networks. The firm thinks that this is an early indicator of accelerated economic growth.
Chris Stone, NHR’s brokerage and acquisitions manager, told me he’s seen some interesting trends in recent quarters.
- Enterprises are selling NHR tons of Catalyst chassis switches, particularly the 6509-E. For NHR, this means they can sell the 6509-Es and other boxes for very cheap. For the larger market, this tells him that many companies are upgrading their data center core and aggregation switches — whether it be the Nexus 7000 series from Cisco or something from Juniper, HP Networking, or one of the smaller vendors. Those used Catalyst switches could help you build out your campus LAN on the cheap.
- 10 Gigabit Ethernet (GbE) upgrades are on the rise. Stone said sales of used 10 GbE line cards, particularly Cisco’s WS-X6704-10GE for the Catalyst 6500 line, grew by 82% in 2010. The WS-X6704 is Cisco’s lower density Catalyst 10 GbE line card, with 4 ports. Cisco now offers a couple of 8-port cards that double the port density of the 6500 series.
- Enterprises are gearing up for more spending in 2011. Stone said the fourth quarter is traditionally the busiest time of year for his firm as enterprises look to maximize the remainder of their budgets by selling used equipment and/or buying used equipment. He said 4Q10 is no exception, but based on what he’s hearing from customers this busy period of sales will continue into the new year. Enterprises are poised to continue unloading a lot of used equipment as they refresh their networks early next year. Stone said he saw a similar flood of used gear coming into NHR about a decade ago as the economy emerged from the recession brought on by the dot-com bubble burst. He said this is a sign that enterprises are spending on infrastructure again.