In data centers virtualization has created a bit of a network security black hole for engineers. Firewalls have no problem applying and enforcing security policies to server-to-server traffic in a data center, but traffic between virtual machines (VMs) on a virtualized server is another story.
A few months ago I reported about how vendors like Cisco and Check Point have created software that essentially extends the reach of physical firewalls into a server’s hypervisor. At the time, Juniper was developing the same capability by partnering with virtualization security startup Altor Networks. Not long after I wrote that story, Juniper bought Altor. Now just a couple months after the deal Juniper has announced that it’s integrated Altor’s technology with its firewalls, the SRX Series Services Gateway products. Juniper’s new vGW Virtual Gateway is a hypervisor-level firewall based on Altor’s technology. Network engineers can deploy vGW on every virtualized server in a data center and then manage and enforce security on the VMs on those servers through the SRX hardware.
“Typically we see the data center carved up into different [security] zones,” said Peter Lunk, director of product marketing at Juniper. “We’ve done integration so that the vGW can pull down zone information from the SRX and then it can populate and place individual VMs sitting on that server into the different zones assigned by the SRX. Then it can push that information up to the SRX. Now you can see all the way down to the VM level and see which virtual machines are sitting in which zone. Now [engineers] have control over whether you can move VMs in and out of those zones. And if you’re turning up a new VM, [engineers can control] which zone it needs to be attached to. If someone is trying to change the VM we have some control over that as well.”
A product like this gives network security engineers renewed visibility and control over what’s happening within virtual infrastructure. It should also have plenty of application in cloud computing environments as well.
The vGW can also mirror traffic within hypervisors up to the SRX so that the SRX can perform deep analysis on packets and basic reporting on any anomalies. Lunk said Juniper will expand on this mirroring capability in the future. He declined to offer details, but undoubtedly Juniper will add some automated security response features to the SRX for traffic mirrored by the vGW.
Lunk said Juniper has also done some engineering work to make Altor’s syslogs compatible with its own, so that the vGW can report into Juniper’s Security Threat Response Manager (STRM).
As the IETF and the IEEE finish baking their similar, but competing standards – Transparent Interconnects of Lots of Links (TRILL) and Shortest Path Bridging (NPB) – Extreme Networks is offering a software upgrade that delivers one of the benefits of TRILL and SPB today, without any hardware replacement.
TRILL and SPB promise to solve several architectural issues in data center networks today. Extreme aims to emulate just one of the benefits of the emerging standards. TRILL and SPB free up unused bandwidth in a network caused by spanning tree protocol (STP). STP prevents loops from forming in a network topology by closing off redundant paths. Those redundant paths only open if the primary link fails. TRILL and SPB allow all redundant links to be open, which allows Ethernet frames to take the shortest path to their destination. SPB and TRILL also allow multiple links to be in active-active mode, with data traffic aggregating across them.
Both TRILL and SPB are available today in a small amount of pre-standard products from some vendors. The use of TRILL and SPB will require hardware upgrades, so enterprises that want to benefit from the technology will have to replace their network infrastructure.
Extreme Networks has introduced a software upgrade across its switching portfolio that can give enterprises a portion of the functionality TRILL and SPB promises. And it delivers this capability without requiring new hardware.
Extreme has combined its Direct Attach Virtual Machine switching feature with its Multi-System Link Aggregation (M-LAG) feature to deliver a new “M-LAG Direct Attach” architecture. Basically, this software upgrade allows a customer to set pairs of upstream links in active-active mode, which enables upstream link aggregation.
“This provides enterprises the ability to have an active-active path in the data center today,” said Shehzad Merchant is the Senior Director of Strategy for Extreme. “Link aggregation technology has been around a long time. We’ve taken that technology and extend it. Now you can take a server with two NICs and bond those NICs with link aggregation and dual-home those into two upstream switches. If one switch or one NIC goes down, traffic automatically migrates to the second link. But if both are up, traffic aggregates across both those links.”
Unlike TRILL and SPB’s ability to work with arbitrary, multi-homed topologies, Exteme’s M-LAG Direct Attach only works with dual-homed links. M-LAG Direct Attach is also a proprietary technology, so you will need Extreme switches both upstream and downstream to make it work.
Apparently attendees at Gartner’s Data Center Summit held in Las Vegas last month weren’t too enthusiastic on Fibre Channel over Ethernet (FCoE) as an avenue toward data center network convergence. In a brief note based on findings at the meeting, “Data Center Summit Attendees Cast Doubts on Breadth of FCoE Deployments,” Gartner analysts Joe Skorupa and Robert Passmore say that more attendees were looking at IP-based storage protocol iSCSI or network-attached storage (NAS) as alternatives to FCoE for I/O convergence.
Of the 100 attendees the analysts surveyed at the show 27% said they are already converging with NAS and iSCSI, 23% are planning to use NAS and iSCSI and 32% plan to use FCoE in the next three years. No one reported using FCoE today.
In the conversations I’ve had with data center and networking pros, it sounds like the convergence path a company takes will mostly depend on the infrastructure they already have in place. Fibre Channel shops will want to use FCoE in order to get more out of their storage area network investments. iSCSI shops will see no reason to invest in FCoE. They’ll just upgrade to lossless 10 Gigabit Ethernet and converge iSCSI and production traffic onto the same wire.
Is TRILL a “terrible idea?” Does Shortest Path Bridging rule? I have no clue.
TRILL (Transparent Interonnection of Lots of Links) and 802.1aq (AKA Shortest Path Bridging or SPB) are very similar standards from two different governing bodies – the IETF and IEEE, respectively. Both standards aim to replace spanning tree protocol, which has become inhibitory in advanced data center networks today. Both standards seek to expand Layer 2 Ethernet domains and to provide multipathing and resiliency capabilities that are just not possible with spanning tree.
Vendors and pundits often gloss over the intricate differences between the two standards, probably because most of us in the media lack the technical knowledge to grasp the finer points involved. Vendors are embracing one standard or the other and it remains to be seen what the consequences of this divergence will be.
It was with this in mind that I reviewed with great interest the the PDF slide deck for a panel discussion held at the NANOG50 meeting in Atlanta last October, “The Great Debate: TRILL versus 802.1aq (SPB),” After reading through the slides, I really wish I was there for this talk.
The first 50 slides consist of a extremely technical exploration of the competing standards. After that, the slides move into a head-to-head comparison between the two standards, with advocates of each standard giving their own version of the history behind how we got to this point. In slides that appear to be attributed to Donald E. Eastlake III, co-chair of the IETF TRILL working group, things appear to get a little contentious.
Slide 57 describes how Dr. Radia Perlman, inventor of spanning tree protocol (STP), proposed the idea for TRILL to the IEEE 802.1 working group originally. The idea was rejected because the working group didn’t see a problem with STP. The slide claims that the working group thought TRILL was a “terrible idea,” that the idea of routing in Layer 2 “sucks” and that hop counts are “evil.”
After that, Perlman brought her proposal to the IETF, which embraced the idea and started its own working group. Meanwhile, the 802.1 group eventually recognized that STP did present some problems to the evolving data center industry, and so it launched SPB (802.1aq). The slides claims that the 802.1aq working group originally started out trying to build a replacement for STP that took an approach that differed from TRILL, but gradually SPB evolved into something that looks extremely similar to TRILL.
In subsequent slides that present the IEEE view, but whose specific attribution is unclear, the 802.1aq point of view is that TRILL will require new hardware and a new Ethernet OAM (Operations, Administration and Maintenance) standard. Shortest Path Bridging, on the other hand, can use existing Ethernet ASICs.
I wonder what the tone of this talk was like. Were the disagreements friendly and tongue-in-cheek, or are there really hard feelings on this issue? Perhaps we would have found out in the question and answer period at the end of the talk. The first question posed on slide 64 reads: “Why can’t the IEEE and IETF work together and finalize one solution?”
It’s a good question. Perhaps it will all be rendered moot by the market, as vendors decide which standard has real traction.
In trying to figure out which vendor to choose when it comes to converging data center and storage networks, network managers might just find the answer lies in the provider that lets you to use the infrastructure you already have.
For International Computerware Inc. (ICI), a channel partner to both Cisco and Brocade, the answer for customers looking to converge the disparate Fibre Channel and Ethernet networks they’ve already invest in, is the Brocade VDX fabric switch.
“We go to market with Cisco UCS for our server and virtualization strategy,” said Jamie Shepard, ICI executive vice president of technology solutions, explaining that UCS is the most common choice for greenfield projects. “But when a company says to me, ‘we have an existing data center and we’re all over the place. How do I bring all this together?’ That’s VDX.”
Brocade VDX switches, launched last November, use the emerging IETF protocol Transparent Interconnection of Lots of Links (TRILL) to create multipath Layer 2 Ethernet fabrics so that large groups of switches can be managed as one – in some scenarios even in a multi-vendor environment.
“Brocade is saying ‘we’re going to put in this virtual network layer that talks to everything heterogeneously,” said Shepard. “It creates a virtual picture of the back end so you can manage all IP and Fibre Channel under one unit.” ICI recently used Brocade VDX switches to combine management of a Brocade Fibre Channel network and a Cisco IP network at a large pharmaceutical firm.
Cisco also has a Layer 2 fabric plan called FabricPath, which aims to enable better manage converged networks and virtual machine migration. Cisco says FabricPath is based on TRILL, but users must choose between TRILL and FabricPath, and the strategy does not necessarily support multi-vendor environments. That said, even investing in Brocade’s strategy can be considered risky considering TRILL has not yet been ratified and is up against other protocols, namely 802.1a.q.
Brocade is ramping up its VDX go-to-market strategy, launching additions to its channel partner program this week to include the Virtualized Fabric Partner Specialization and the Certified Ethernet Fabric Engineer (BCEFE) Certification for partners specializing in the delivery of Ethernet fabric technologies. Brocade has also added the Application Delivery Partner Specialization for partners focusing on application load balancing and optimization in converged networks.
We’ve heard more than once that certification does not necessarily make a real networking pro. That said at a time when networking engineers and admins are asked to have their fingers in multiple pots in the data center (read server virtualization and storage among others) it may be worth keeping an eye on a new storage networking certification being jointly developed by CompTIA and the Storage Networking Industry Association (SNIA).
The certification, CompTIA Storage+ Powered by SNIA, will focus on skills related to data storage, storage networking, data protection and underlying interconnect technologies. The associations will release a beta of the certification exam this quarter and the certification will officially launch in the second half of 2011.
There’s no shortage of storage certifications for networking professionals already in existence – including a storage networking certification from the SNIA. So what’s the difference here? The alliance with CompTIA will likely make storage skills more accessible to professionals across IT. In other words, this is a stab at proving that storage skills can no longer be confined to storage teams alone.
Network Hardware Resale (NHR), the leading reseller of used Cisco gear, says that companies are unfreezing their budgets and investing in new networks. The firm thinks that this is an early indicator of accelerated economic growth.
Chris Stone, NHR’s brokerage and acquisitions manager, told me he’s seen some interesting trends in recent quarters.
- Enterprises are selling NHR tons of Catalyst chassis switches, particularly the 6509-E. For NHR, this means they can sell the 6509-Es and other boxes for very cheap. For the larger market, this tells him that many companies are upgrading their data center core and aggregation switches — whether it be the Nexus 7000 series from Cisco or something from Juniper, HP Networking, or one of the smaller vendors. Those used Catalyst switches could help you build out your campus LAN on the cheap.
- 10 Gigabit Ethernet (GbE) upgrades are on the rise. Stone said sales of used 10 GbE line cards, particularly Cisco’s WS-X6704-10GE for the Catalyst 6500 line, grew by 82% in 2010. The WS-X6704 is Cisco’s lower density Catalyst 10 GbE line card, with 4 ports. Cisco now offers a couple of 8-port cards that double the port density of the 6500 series.
- Enterprises are gearing up for more spending in 2011. Stone said the fourth quarter is traditionally the busiest time of year for his firm as enterprises look to maximize the remainder of their budgets by selling used equipment and/or buying used equipment. He said 4Q10 is no exception, but based on what he’s hearing from customers this busy period of sales will continue into the new year. Enterprises are poised to continue unloading a lot of used equipment as they refresh their networks early next year. Stone said he saw a similar flood of used gear coming into NHR about a decade ago as the economy emerged from the recession brought on by the dot-com bubble burst. He said ths is a sign that enterprises are spending on infrastructure again.
Fortune magazine published a Q&A with Juniper Networks CEO Kevin Johnson that offered a several bits of information that I found interesting. Here’s what Johnson, a former Microsoft executive, had to say.
- Juniper’s share of the Ethernet switching market stands somewhere between 2% and 3%. Not a huge share, but very good for a company that entered the switching market in 2008.
- Juniper invested more than 20% of revenue into research and development this past year.
- Half of Juniper’s employees are engineers and 75% those engineers write software.
- When asked to compare the corporate cultures of Juniper and Microsoft, Johnson said Microsoft was conflict-oriented, where people challenged each other’s work in order to foster innovation. At Juniper, eh said, the focus is much more on collaboration.
Much of this information is out there already, I suppose. But I thought it all came together to make a nice snapshot of what’s happening inside Juniper right now.
Gartner’s Magic Quadrant for application delivery controllers has a few new faces this year and a new leader.
Application delivery controllers (ADCs) are Layer 4-7 devices that evolved out of the load balancer industry. ADCs optimize applications deployments within a data center, performing a variety of tasks such as SSL offloading, web application firewalling, and application acceleration. Websites use them extensively but enterprises also make broad use of them for big and complex enterprise applications like ERP systems.
Gartner’s Magic Quadrant (MQ) is a market assessment device used to evaluate both the ability of vendors to build effective and innovative products (completeness of vision) and their ability to market and sell those products (ability to execute).
The Leaders (high ratings in vision and execution): F5 Networks, Citrix Systems and Radware
F5 and Citrix remain leaders in the application delivery controller (ADC) market for yet another year. Citrix drew praise for being a leader in virtualized ADCs and its rich features and deep understanding of applications. Gartner sees good potential for Citrix to bundle its virtual ADC with its Xen hypervisor products.
F5 continues to dominate in both technology and sales. It has strong customer loyalty, due in part to its DevCentral user community portal and its iRules scripting language and iControl API — technologies that have made F5’sADCs extremely customizable. Gartner cautioned that F5 is very reliant on hardware innovation; whereas competitors are doing more in software. Some vendors, like Zeus Technology, doing nothing but software, relying on industry standard servers for deployments of their technology. Gartner claims F5 also has limited features and functionality in its lower-end hardware, forcing smaller customers to spend a lot of money to get the features they want.
Radware, meanwhile, has climbed into the leader category from the visionaries box, thanks in part to the successful integration of its Nortel Alteon acquisition. Analysts praised Radware’s vision for how ADCs fit into virtualized and cloud architectures.
Visionaries (high rating for vision): Zeus Technology, Strangeloop, ActivNetworks and Aptimize.
Here’s where things get a little interesting. Gartner has added three newbies to the MQ this year and all of them are here in the visionaries box, joining the software-based ADC vendor Zeus Technology. ActivNetworks, Aptimize and Strangeloop are the new players here and each of them has a unique specialty (Technically, Aptimize is straddling the line between visionary and niche player). ActivNetworks sells a virtual ADC that optimizes mobile traffic and video streaming. Aptimize focuses on messy, browser-based apps. Strangeloop specializes in HTTP optimization. Gartner says these new vendors, particularly Aptimize and Strangeloop, are often deployed in tandem with ADCs from one of the more advanced vendors on the market.
Challengers (high rating for execution): None, same as last year.
Niche Players (low ratings for vision and execution, but generally considered good and viable options for specific environments): Cisco Systems, A10 Networks, Brocade, Array Networks, Barracuda Networks and Crescendo Networks.
Despite holding the number two market share position, Cisco continues to remain in a niche player. Gartner says Cisco makes most of its money here in straightforward load balancing and it has limited application expertise compared to other vendors, which inhibits its ability to help with complex applications.
This week Cisco’s new cloud CTO Lew Tucker is traveling the country to meet with journalists in a coming-out party of sorts. This wouldn’t be so noteworthy for a new Cisco exec except that Tucker – who led the cloud initiative at Sun – embodies software culture and his presence is indicative of what Cisco is trying desperately to become – a cloud software player, and most definitely not your daddy’s network hardware company.
Tucker—who was a co-creator of Sun’s little-exposed open source network virtualization project Crossbow – refers to the network as a “distributed application” and tosses about terms like “orchestration” and “automation” in relation to the network. He laughs gently at the concept of hardware-driven networking folks learning to become part of development communities and he thinks networking pros “might like” to play with APIs. He even talks about Cisco’s participation in Open Stack – the open source cloud management software project. But don’t get too excited – Tuckers cautions that Cisco will be bringing thoughts to the Open Stack table not making its own software open.
Specifically Tucker is taking to town the message that Cisco will be a key provider of network management and automation software for the cloud. And in doing so, Cisco would like to be seen as the provider of the “virtual private data center” –a cordoned-off enterprise data center in a publicly hosted cloud. That would mean selling the automation and management software necessary to enable these clouds (see the acquisition of LineSider Technologies this week), as well as the high-performance networking components necessary to support them.
But if Cisco is aiming to help carriers and very large enterprises build these publicly hosted private clouds, won’t that ultimately lead to many fewer on-premise data center LANs? In that case, just what will Cisco sell? Does the company believe that network management and automation software licensing will transplant hardware component sales? And just how will that message sit with Cisco’s core networking audience? After all, that’s a group highly invested in building and managing their own networks.
With this in mind, Tucker has a very fragile line to walk. In addressing these quandaries, Tucker promises Cisco won’t abandon its hardware roots and has plenty of units to sell in both building out these clouds and enabling companies that are not yet moving to the cloud. In the meantime, Cisco will also be selling both software and hardware appliances that will enable management of both virtual and physical networks, and will increasingly move to a software licensing model for a host of offerings that range from automation to use of hosted unified communications.
To be sure, Cisco is ahead of its networking rivals when it comes to virtualization and cloud management. But Cisco has also received flack for diluting its core networking focus with investments in side businesses like Flip cams. In the meantime, HP’s networking market share is apparently soaring and companies like Arista are offering equipment that rivals Cisco’s at much cheaper prices. It will be interesting to watch Cisco’s balancing act in coming months.