Lippis Report 199: IBM and HP Offer Software-Defined Networking Controllers
It’s been a few months since VMware acquired Nicira and Cisco launched Cisco ONE. But at the sleepy Interop NY show, IBM and HP expanded their SDN portfolios with the addition of SDN controllers. To date, there are just a few firms with controllers, including VMware, Big Switch Networks, Cisco, HP, IBM, NEC and Nebula. VMware put a value on SDN overlay controllers at $1.26B, which piqued the interest of every venture capitalist as well as network executive; so there’s no surprise to see more controllers entering the market. But what’s occurring is that the controller market is segmenting into OpenFlow and Overlay controllers with little to no awareness and/or interoperability between the two control planes. In this Lippis Report Research Note, we examine the new SDN controllers from Cisco, IBM, Big Switch Networks and HP with an analysis of their evolution.
IBM System Networking launched the Programmable Network Controller or PNC, an OpenFlow controller that creates flows across OpenFlow switches while HP Networks launched its Virtual Application Networks SDN Controller. Cisco launched its Cisco SDN controller in June. Before we dive into each supplier’s controllers, a quick review of the different controller markets is in order.
SDN Overlay Network Controllers
SDN Overlays are at the heart of network virtualization in that networks are virtualized or segmented; network services such as firewalls, load balancers, WAN Optimization, IPS, etc., are virtualized; and applications call upon these resources through “developing” APIs above the hyperstack. In essence, the overlay controller creates virtualized networks by layer 2 tunneling through physical Ethernet switches, which allows the virtual networks to be independent of the physical network topology or design. There are a few L2 tunneling protocols being proposed, including VXLAN, STT, GRE and NVGRE.
One can argue that the vSwitch started the SDN and network virtualization journey. Cisco’s Nexus 1000V portfolio, VMware’s distributed virtual switches (vDS) and IBM’s Distributed Virtual Switch 5000V (DVS 5000V) enable pooling of network ports across clusters via aggregation of vSwitches. To extend or overlay layer 2 virtual networks over layer 3 boundaries, Cisco, Arista Networks, RedHat, Citrix, Intel, VMware, et al, developed VXLAN, which is now an IETF draft RFC. VXLAN extends large layer 2 VM domains well beyond the 4K VLAN limit to 16 million logically isolated virtual subnets. VXLAN is touted as a key standard that avoids proprietary overlay networks and allows VM domains to span virtual and physical networks. VXLAN gateways connect VXLANs to VLANs, extending virtual networks across switches that do not support VXLAN.
On a technical note, it’s not clear if Nicira will support VXLAN or continue to offer virtualized networks via its STT tunneling protocol. In addition to STT, Microsoft has been promoting NVGRE, its layer 2 tunneling protocol, and earlier versions of Nicira’s Network Virtualization Platform utilized Cisco-developed GRE. While there are multiple L2 tunnels, it’s a good bet that VXLAN will win out here, at least over the next 18 to 24 months.
To add network services to virtualized networks, there is a huge movement to virtualize firewalls, load balancers, WAN Optimization, IPS, etc. The reason is so that applications contained within the virtualized network will not have to leave the virtualization domain to receive network services, eliminating the need for appliance-based network services, a huge expense in modern corporate networks.
vArmour offers a distributed firewall, Embrane’s heleos software platform provides on-demand layer 4-7 virtualized network services, Radware offers a load balancer and firewall, LineRate an ADC (Application Delivery Controller). Vyatta offers layer 3 and security virtualized appliances, and don’t forget Cisco, F5, Brocade and many others that have virtualized their layer 4-7 appliances.
Cisco offers virtualized network services via its Nexus 1000V and vPath as part of its virtualization stack offering, while IBM delivers this value via its DOVE or Distributed Overlay Virtual Ethernet offering. VMware’s vShield supports virtual firewalls, load balancing, VPN, IPAM, hybrid cloud extensions, and the ability to logically insert partner services, like IDS/IPS and WOC or WAN Optimization controllers. These large firms are offering platforms while start-ups focus on performance.
To drastically reduce the operational cost of running overlay networks, the above technology is abstracted or simplified through Application Programming Interfaces or APIs being championed by the networking and computer industries. These APIs seek to allow programmers and/or the applications to call upon the network to provision virtual networks with appropriate network services in response to a new VM container spinning up or down. From a networking perspective, the SDN Overlay approach places control or intelligence into the virtualization domain, with layer 2 tunnels flowing between Ethernet switches. Currently, there is no OpenFlow in this model.
OpenFlow controllers, such as the new Cisco SDN Controller, IBM PNC, HP VAN SDN Controller and NEC ProgrammableFlow Controller, utilize the OpenFlow protocol as a means to update the forwarding tables of OpenFlow switches. Switches that support OpenFlow are sometimes called hybrid switches in that they support both traditional layer 2/3 forwarding and OpenFlow simultaneously; we’ll just call them OpenFlow switches where hybrid is assumed. Thus far, IBM, HP, Brocade and Cisco offer OpenFlow agents on select switches.
The OpenFlow Controller operates in a south-north SDN approach vs. Overlay’s north-south. What I mean by north-south is that virtual networks are created from the application down or from north to south. In OpenFlow, a packet enters a switch, and if the switch does not know how to forward the packet, it sends it to the controller. The controller then provides a route through the network and sends it to the switches involved in the forwarding operation. That is, it’s a south-north operation.
What’s interesting about the OpenFlow approach is that during the route calculation by the controller, it then has an opportunity to add network services to that flow such as firewall, WAN optimization, IPS, load balancing, etc. That is, each flow can be assigned a policy at the controller level that the OpenFlow switches in its path implement. The implications are huge in that every application or every employee, guest, supplier, contractor can be assigned a unique policy that the controller assigns.
With this in mind, IBM and HP introduced the following capabilities last week.
IBM System Networking Programmable Network Controller (PNC)
The IBM PNC is software that runs on Red Hat Enterprise Linux or RHEL 6.1 on x86_64 compute hardware and sits in the data center. Its main job is to manage flows and topology awareness so that it can create flows and distribute them to OpenFlow switches. Flow tables reside in IBM RackSwitch G8264 ToR switches; the flow entries are transmitted securely via OpenFlow between the PNC and the RackSwitch G8264.
From a network design point of view, the PNC enables a flat, multitenant OpenFlow fabric. It is programmable and, as such, eliminates the need for network protocols like spanning tree, TRILL and SPB that are being used today to manage and control complex networks. Other attributes include barrier-free virtual machine migration, multipathing, programmable filter/redirect and clustered configuration.
Operations are simplified, as design, deployment, monitoring and management of the entire network can be performed from a single pane of glass, and network intelligence is moved to a centralized control point.
HP Virtual Application Networks SDN Controller
HP Networks expanded the number of switches with OpenFlow support to the HP 3800 in addition to the 8200, 5400 and 3500. According to HP, it now has 25 OpenFlow-enabled switch models with over 15 million OpenFlow-enabled switch ports in the market.
While details of HP’s Virtual Application Networks SDN controller are not available yet, HP provided examples of SDN applications and customer use cases that afforded insight into some of its anticipated functionality. First, the HP SDN Controller implements the OpenFlow protocol and is designed to deliver applications for data center network virtualization, campus and branch networks. HP is working on northbound open APIs so that third-party application development can take place on its SDN controller. HP’s SDN controller will ship in a software or appliance form factor.
The best example HP provided of a campus SDN use case was how the controller will work with its Sentinel Security application. When a new packet enters an OpenFlow switch, it forwards the packet to the HP SDN Controller where not only its flow is determined, but its security posture is assessed as well. Since many threats are DNS based, the controller will consult with HP’s Sentinel Security application to ensure that a threat signature is not within the packet. If there is no threat signature and thus the flow is legitimate, then the HP SDN Controller proceeds with distributing the flows to OpenFlow switches.
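To make the south-north flow setup concrete (a switch punts an unknown packet to the controller, the controller computes a path and a per-flow policy, then pushes entries to every switch on the path), here is a toy reactive controller in Python, added as an illustration rather than taken from IBM, HP or any real controller; the topology, hosts and DNS blocklist are constructed for the example, with the blocklist standing in for the Sentinel-style check described above.

```python
# Added example (not IBM/HP code): a toy reactive OpenFlow-style controller.
# A switch with no matching flow entry sends a "packet-in" to the controller;
# the controller checks the flow against policy (a constructed DNS blocklist,
# standing in for the Sentinel check), computes a path, and pushes "flow-mod"
# entries south to every switch on that path, or a drop rule at the edge.
from collections import deque

# Constructed topology: switch -> {neighbour switch: egress port}
LINKS = {"s1": {"s2": 2}, "s2": {"s1": 1, "s3": 3}, "s3": {"s2": 1}}
HOSTS = {"10.0.0.1": ("s1", 1), "10.0.0.2": ("s3", 2)}  # host -> (edge switch, port)
DNS_BLOCKLIST = {"bad.example"}          # constructed threat-signature list
TABLES = {sw: {} for sw in LINKS}        # per-switch flow tables: match -> action

def shortest_path(src_sw, dst_sw):
    """BFS over LINKS; returns the list of switches from src to dst, or None."""
    prev, queue = {src_sw: None}, deque([src_sw])
    while queue:
        sw = queue.popleft()
        if sw == dst_sw:
            path = []
            while sw is not None:
                path.append(sw)
                sw = prev[sw]
            return path[::-1]
        for nxt in LINKS[sw]:
            if nxt not in prev:
                prev[nxt] = sw
                queue.append(nxt)
    return None

def packet_in(src_ip, dst_ip, dns_qname=None):
    """Controller handling of a packet-in; returns the actions installed per switch."""
    match = (src_ip, dst_ip)
    src_sw, _ = HOSTS[src_ip]
    if dns_qname in DNS_BLOCKLIST:       # policy decision before any route is built
        TABLES[src_sw][match] = "drop"   # drop at the ingress edge switch
        return {src_sw: "drop"}
    dst_sw, dst_port = HOSTS[dst_ip]
    path = shortest_path(src_sw, dst_sw)
    if path is None:
        return {}
    installed = {}
    for i, sw in enumerate(path):        # flow-mod to each switch along the path
        port = dst_port if sw == dst_sw else LINKS[sw][path[i + 1]]
        TABLES[sw][match] = installed[sw] = f"output:{port}"
    return installed

def forward(sw, src_ip, dst_ip):
    """Switch-side lookup: flow-table hit, or punt the packet to the controller."""
    return TABLES[sw].get((src_ip, dst_ip), "packet-in")
```

Once `packet_in` has run for a flow, later packets of that flow match locally on every switch in the path and never touch the controller, which is the operational win (and the scaling concern) of the reactive model.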
OpenFlow and Overlay Controller Evolution
Both Cisco ONE and IBM ODIN (Open Datacenter with an Interoperable Network) are broad SDN offerings that include both overlay and OpenFlow approaches. In today’s market, however, vendors either support Overlay, OpenFlow or both approaches, but there is no interoperability between them. A network can support OpenFlow-based flows and layer 2 tunneled virtualized networks simultaneously, with each passing the other like ships in the night. With two control planes creating flows, the opportunity to optimize and manage network resources may be lost. Troubleshooting, management and monitoring tools will emerge around each approach vs. an integrated SDN.
A multi-protocol controller that supports both OpenFlow and layer 2 tunnels is the obvious solution, where the controller can build virtualized networks with either OpenFlow or Layer 2 tunnels or some combination of each. The adoption of OpenFlow agents on Ethernet switches will take some time, so it’s only logical that the implementation of overlay networks will occur more quickly. But merchant silicon vendors, such as Broadcom, are adding OpenFlow support to their chip sets, which will increase the use of OpenFlow-based networks, while large networking concerns add OpenFlow to their ASICs as well as offer software-based OpenFlow agents. The question for the SDN Overlay approach is whether layer 2 tunnels will scale, even though VXLAN can support some 16 million of them. When VLANs were first introduced, their biggest challenge was lack of visibility, troubleshooting and management. In short, VLANs looked like spaghetti to network engineers when they were trying to isolate a fault. VXLAN may look like spaghetti buried in a thick red sauce.
If SDN is to deliver on its promise of drastically lower operational cost with newly-found flexibility, then its controllers will have to create manageable virtual networks, be it via L2 tunnels or OpenFlow or more likely both. One can envision south-north OpenFlow-based flows coexisting with north-south-based overlay flows with a controller or set of controllers having full visibility of the entire SDN. That sounds like a network that can scale, be flexible and offer a new low-cost operational model. Hopefully, this is what Big Switch Networks will offer as its first commercial product.