At HP Discover Barcelona 2014, the Packet Pushers had the chance to chat with Heather Giovanni, Craig Mills, and Chris Young about the HP 5400R and SDN in the campus. HP has a full line of switches and routers that some know about, and some just haven’t yet explored. The 5400R is a multi-slot chassis offering an array of blade choices, including switch ports and an x86 blade running a hypervisor such as VMware’s vSphere. That allows the single 5400R chassis to be a branch-in-a-box solution, or a way to hang interesting network services right off of the chassis backplane.
The 5400R is also interesting in that HP is positioning it, in part, for software defined networking (SDN) in the campus. SDN in the campus doesn’t get much air time – SDN in the data center gets much more of the attention. But for enterprises, SDN in the campus represents some interesting opportunities.
Starting with SDN in the campus, say between buildings or major network segments, is less risky than SDN in the data center. The “blast radius” if something goes wrong is a bit smaller. Data center issues tend to affect everyone, while segmented campus networks offer naturally isolated boundaries. The idea here is to start with SDN in the campus, sort out what works and what doesn’t work, and then start rolling out the winning SDN features into the data center as a known quantity.
There are several use-cases for SDN in the campus that have emerged.
- Policy management. The word “policy” might be the next overused IT buzzword, right up there with “cloud.” But the notion of policy is important. In a real-world network engineering sense, policy is the idea of both knowing who is using the network and what they are allowed to do when connected. “Who” could mean a person, but could also mean an application. In the context of switching, an application that is used to define policy translates the wishes of a business into access lists, forwarding paths, and access controls. Policy is therefore enforced on a traffic flow as it passes through the network because of the way the switch has been programmed to handle that flow. In HP’s case, this is done using OpenFlow.
- Security. One obvious application of policy is security. How is this traffic behaving? Does this traffic match a particular pattern that suggests malware or other risky influence? Then direct those specific traffic flows to areas of the network where they can do no harm, or perhaps be examined in more detail.
- Programmatic identity control. What is this device that’s connected to the network, and who is using it? Those are the big questions behind identity control. Knowing what a device is, what software that device is running, and who the user is accessing the network through that device is data that can drive what can be accessed on the network by traffic originating from that device.
A natural question that comes up in the mind of network engineers around SDN as related to policy is how, exactly, is the security enforced by a switch? We’ve talked a lot about OpenFlow on Packet Pushers over the last few years, so you might have heard that OF as originally deployed had a scaling problem. Many thought OF would be a replacement for traditional packet forwarding methods, replacing OSPF, BGP, spanning-tree, etc. The challenge comes in trying to manage network flows in hardware across a data center. If using TCAM to program specific flow entries, a common ASIC limitation was roughly 8K entries – not very many in a data center of any size. While several strategies exist to deal with this issue, HP’s solution is what they call hybrid SDN.
The idea of hybrid SDN is to place a single OpenFlow entry at the bottom of the list that matches all flows and instructs the switch to process the flow “normally.” That is to say, forward the flow using the protocols networks have been using for years. Out of the gate, that’s the behavior of an HP switch running in OF mode: all traffic matches this global wildcard OF entry and is forwarded normally. Now, let’s say there’s a policy that directs all suspicious traffic to an IDS for further inspection. As suspicious traffic is identified, new OF entries can be added above the global wildcard OF entry, directing those flows to leave the switch via a port that eventually delivers the traffic to the IDS. I like to think of this as “exception processing.” Hey, there’s something unusual happening on the network, so let’s take these unusual flows and do something out of the ordinary with them.
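To make the exception-processing idea concrete, here is a small Python model of that flow table. It is an added example, not HP’s code or anything from the podcast: the IDS port number, the match fields, the 8K TCAM size and the sample packets are all assumptions. The lowest-priority wildcard entry sends everything to NORMAL forwarding, higher-priority exception entries redirect one flagged host to the IDS port, and the table refuses new entries once the assumed hardware capacity is reached.

```python
# Toy model of HP's hybrid SDN flow table (added example, not HP's or the post's code).
# Port number, match fields, TCAM size and sample packets are assumptions.
NORMAL = "NORMAL"        # OpenFlow action: hand the packet to the switch's normal pipeline
IDS_PORT = 24            # assumed: the port whose path eventually reaches the IDS
TCAM_CAPACITY = 8192     # the roughly 8K-entry ASIC limit mentioned in the post

class FlowEntry:
    def __init__(self, priority, match, action):
        self.priority = priority
        self.match = dict(match)   # e.g. {"ip_src": "10.1.1.5"}; {} means match everything
        self.action = action
        self.hits = 0

    def matches(self, pkt):
        # Every field named in the match must equal the packet's value.
        return all(pkt.get(k) == v for k, v in self.match.items())

class HybridFlowTable:
    def __init__(self, capacity=TCAM_CAPACITY):
        self.capacity = capacity
        # Out of the gate only the global wildcard exists, so all traffic is forwarded normally.
        self.entries = [FlowEntry(0, {}, NORMAL)]

    def add_exception(self, match, priority=100, action=f"output:{IDS_PORT}"):
        # Exception entries sit above the wildcard; refuse to overrun the hardware table.
        if len(self.entries) >= self.capacity:
            raise RuntimeError("flow table full: TCAM exhausted")
        self.entries.append(FlowEntry(priority, match, action))
        self.entries.sort(key=lambda e: -e.priority)   # highest priority first (stable sort)

    def lookup(self, pkt):
        # OpenFlow semantics: the highest-priority matching entry decides the action.
        for entry in self.entries:
            if entry.matches(pkt):
                entry.hits += 1
                return entry.action
        raise AssertionError("unreachable: the wildcard entry matches everything")

def demo():
    """Constructed traffic: one host gets flagged as suspicious part-way through."""
    table = HybridFlowTable()
    pkts = [{"ip_src": "10.1.1.5", "ip_dst": "10.2.2.9", "tcp_dst": 443},
            {"ip_src": "10.1.1.5", "ip_dst": "10.2.2.9", "tcp_dst": 445},
            {"ip_src": "10.1.1.7", "ip_dst": "10.2.2.9", "tcp_dst": 443}]
    before = [table.lookup(p) for p in pkts]
    table.add_exception({"ip_src": "10.1.1.5"})   # policy app steers that host to the IDS
    after = [table.lookup(p) for p in pkts]
    return before, after
```

Calling `demo()` returns all-NORMAL actions before the exception entry exists and `output:24` for the flagged host afterwards, while the unflagged host keeps being forwarded normally.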
HP’s hybrid SDN approach is one way to deliver policy across a campus environment. What’s perhaps most interesting to me about this strategy is that a long list of HP switches can run OpenFlow and participate in this scheme. OpenFlow is not limited to only brand new switches. There is a strong chance that if you have an HP switch on your network, you’ll be able to upgrade it to run OpenFlow via software, and without an unusual licensing charge. An SDN controller is still needed of course, but the point is that you can get to a point of useful SDN without a wholesale replacement of your network hardware.
Lots of great content in this podcast from some really smart HP folks that dive right into the details.
Links from HP
- Networking – The main gateway to all HP Networking solutions information.
- SDN Solutions – An end-to-end solution to automate the network from data center to campus and branch.
- SDN App Store – Discover, learn and download SDN applications and solve the transition to the new style of IT.
- Network Virtualization Solutions – A completely new operational model for networking that breaks through current physical network barriers allowing data center operators to achieve order of magnitude better speed, economics and choice.
- CTO Mark Pearson and VMware’s Scott Lowe discussing the VMware-HP software-defined network (SDN) solution
- HP-VMware Technical demo
- HP-VMware Technical White Paper
- HP Unified Wired and Wireless Solutions – a single optimized and scalable unified network for secure and consistent access to business critical applications.
- IMC – a comprehensive wired and wireless network management tool.
- Wireless – a secure and reliable network that unifies access, scales as needed, and optimizes your wireless performance to handle a growing number of mobile devices.
- OpenStack & Helion – boosts your organization’s productivity, so you can make the most of your IT budget and give your developers the power to deploy new applications faster than ever.
- BDDP Protocol