Enterprise networking has been struggling with two major issues. First, such environments are inherently large-scale, shared infrastructure, yet the network architecture is typically static. Problems start when IT on-boards a new application, upgrades equipment, or simply scales up: applications break, logjams occur, compliance fails, SLAs aren’t met, and a whole lot of finger pointing begins. Virtualised computing and storage have only upped the ante. The second issue is the overall lack of application awareness amongst IT staff, and the difficulty of supporting advanced networking and security services on a network that was never designed for them.
The obvious way to overcome the resulting bottlenecks is to move away from rigid, hierarchical designs, and over recent months we have seen partial success. Some IT groups have eliminated switch-based Layer 2 segmentation in favour of a flat, routed Layer 3 network. Others have used overlay networks that encapsulate IP traffic within IP. Flattening the network makes it more flexible and better able to handle virtualised computing, but it does not go far enough.
The upshot is a network that still cannot change traffic flows dynamically. The visibility needed to forward packets according to the nature of the traffic is missing. Administrators must manually deploy, configure and maintain numerous elements with ever-changing needs. To make matters worse, organisations must massively overprovision their ‘static’ network to absorb transient spikes, and so pay for peak capacity at all times regardless of actual need.
Looking to SDN
Making the move to Software Defined Networking (SDN) is the key to solving this conundrum. SDN promises the ability to better utilise assets, dynamically adapt to throughput needs and perform traffic engineering with an end-to-end view of the network. In legacy topologies, the control and forwarding functions are tightly coupled inside each router and switch, which results in inflexible designs.
By separating the control plane from the forwarding (data) plane, SDN provides the ability to scale resources and substantially improve agility while lowering costs. Once decoupled, the data plane can be programmed directly through open, standards-based APIs and can run on lower-cost white box routers, switches and other elements. Network operators can centrally configure, manage and monitor resources, with the network programmed to the distinctive needs of the specific applications and traffic profiles present.
Security and ‘App Aware’ Networks
App visibility unlocks the potential of your software-defined datacenter, through deployment of networking and security services. Adding Application Delivery Controllers (ADC), next generation firewalls and web security gateways can help realise the goal of a dynamic ‘app aware’ network with advanced capabilities.
ADCs integrate the following in one scalable, high-capacity appliance: load balancing and content switching to ensure server availability and eliminate server sprawl; compression, caching and WAN protocol optimisation to accelerate content delivery while shrinking bandwidth needs; and advanced security, including decrypting SSL/TLS traffic to reveal encrypted malware (which means the ADC terminates TLS and holds the corresponding keys, so it must itself be hardened and access-controlled accordingly), blocking application-layer attacks, and providing site-to-site IPsec VPNs.
Next generation ADCs are in effect a new ‘Application Router’, providing a top-level blueprint that is both user- and application-centric. These systems parse usage patterns in the context of user identity, the application in use, the type of access device and even the time of day to build granular, context-aware access control. SDN enables administrators to use service insertion and service chaining to dynamically steer traffic flows through a sequence of physical or virtual ADCs providing these L4-7 services. This approach also avoids the added expense and the error-prone process of cobbling together disparate point products.
Leading ADC vendors also support infrastructure automation by integrating with cloud orchestration platforms. Plug-in service modules instantiate, configure and monitor the ADCs, which in turn enables automated L4-7 service provisioning through cloud orchestration solutions such as those based on OpenStack, Microsoft System Center Virtual Machine Manager (SCVMM) and VMware vCloud Director. These modules allow centralised tenant policy to be enforced dynamically as new workloads and application services are created.
Empower your workforce
To ensure a cohesive ecosystem, networking and security platforms need to support open, standards-based programmability. Comprehensive management and monitoring should be accessible through vendor-neutral APIs, providing interoperability with automation, orchestration and analytics. If application networking platforms support RESTful APIs, administrators can quickly integrate them with other services and management systems. ADCs can allow network engineers and system architects to write their own policies or provisioning scripts, which empowers IT to tailor automation policies to their applications’ needs. For example, an administrator can use SDN orchestration tools to direct users with mobile browsers to mobile application servers; as new mobile application servers are brought online, the load balancers adapt and forward mobile traffic to those new servers as well.
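The mobile-steering policy just described, written out as an added example (this is illustrative code, not A10’s or any vendor’s ADC policy language). A rule inspects each request’s User-Agent and sends mobile browsers to a ‘mobile’ pool; everything else falls through to the default pool. Each pool load-balances round-robin over whatever servers are registered at that moment, so a server added at runtime starts receiving new requests immediately. Pool names, the addresses and the User-Agent tokens are assumptions chosen for the example.

```python
"""Added example (not A10's or any vendor's code): a minimal content-switching
policy with pools that can grow or shrink while requests are being routed.
Pool names, server addresses and the User-Agent tokens are assumptions."""
import re

# Substrings that mark a mobile browser. Assumed list, deliberately not
# exhaustive; production devices would use a maintained detection database.
MOBILE_UA = re.compile(r"Mobile|Android|iPhone|iPad|Windows Phone", re.IGNORECASE)


def is_mobile(request):
    """Rule predicate: True when the User-Agent header looks like a mobile browser."""
    return bool(MOBILE_UA.search(request.get("headers", {}).get("User-Agent", "")))


class Pool:
    """A named set of backend servers, selected round-robin."""

    def __init__(self, name, servers=()):
        self.name = name
        self.servers = list(servers)
        self._next = 0  # round-robin cursor

    def add(self, server):
        """Bring a new server online; it joins the rotation for the next request."""
        if server not in self.servers:
            self.servers.append(server)

    def remove(self, server):
        """Take a server out of rotation (for example after a failed health check)."""
        self.servers.remove(server)

    def pick(self):
        """Return the next server; an empty pool is a hard failure, not a silent fallback."""
        if not self.servers:
            raise RuntimeError(f"pool '{self.name}' has no healthy members")
        server = self.servers[self._next % len(self.servers)]
        self._next += 1
        return server


class ContentSwitch:
    """Ordered rules map a request to a pool; the first matching rule wins."""

    def __init__(self, default_pool):
        self.pools = {default_pool.name: default_pool}
        self.default = default_pool.name
        self.rules = []  # (predicate, pool_name), evaluated in order

    def add_pool(self, pool):
        self.pools[pool.name] = pool

    def add_rule(self, predicate, pool_name):
        if pool_name not in self.pools:
            raise KeyError(f"unknown pool '{pool_name}'")
        self.rules.append((predicate, pool_name))

    def route(self, request):
        """Return (pool_name, server) chosen for this request."""
        for predicate, pool_name in self.rules:
            if predicate(request):
                return pool_name, self.pools[pool_name].pick()
        return self.default, self.pools[self.default].pick()


def build_demo_switch():
    """Constructed sample configuration: two pools and one steering rule."""
    switch = ContentSwitch(Pool("default", ["10.0.1.10", "10.0.1.11"]))
    switch.add_pool(Pool("mobile", ["10.0.2.10", "10.0.2.11"]))
    switch.add_rule(is_mobile, "mobile")
    return switch


if __name__ == "__main__":
    sw = build_demo_switch()
    # Constructed sample requests.
    phone = {"headers": {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148"}}
    desktop = {"headers": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"}}
    print(sw.route(phone), sw.route(phone), sw.route(desktop))
    sw.pools["mobile"].add("10.0.2.12")  # a new mobile server is brought online
    print(sw.route(phone))               # the new member is already in rotation
```

Two points worth noting. The User-Agent header is entirely under the client’s control, so a rule like this is fine for steering traffic but must never stand in for an access-control decision. And a pool that drains to zero members raises rather than quietly falling back to another pool, because silently routing mobile traffic to servers that were not meant to receive it is exactly the kind of surprise an app-aware network is supposed to prevent.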
Application and service delivery solutions must be capable of integration into real-world SDN environments, comprised of programmable routers and switches, including those based on OpenFlow, and a variety of controllers such as Cisco APIC, VMware NSX, IBM SDN VE and NEC PFC. Such interaction allows ADCs to be scaled dynamically: user flows are redistributed on the fly among the available ADCs as they are added or removed.
The available ADCs are synchronised and aware of one another’s flows, and can instruct the SDN controller how to distribute user traffic amongst them. If an ADC is presented with a flow that pushes it close to its maximum capacity, it can ask the controller to temporarily reduce the traffic it receives and to send new flows to other ADCs in the network.
As traffic demand grows, the controller can spin up a new ADC instance while keeping the existing physical or virtual appliances in place, and balance new flows across all of them according to their capacity. The result is a network that stays balanced and flows more effectively, which reduces the risk of an overloaded ADC failing and taking the security services it provides down with it.
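The capacity feedback loop described in the last two paragraphs, as an added example (illustrative code, not the behaviour of any named controller or A10 product). Each ADC reports its utilisation; the controller steers each new flow to the least-loaded ADC that has not signalled ‘near capacity’, spins up a new instance when every ADC has, and redistributes an ADC’s flows when it is removed. The names, capacities, the high-water mark and the `near_capacity` signal are assumptions; a real deployment would take them from the ADC and orchestration APIs.

```python
"""Added example, not any controller's or ADC's code: a model of controller-side
flow distribution driven by ADC capacity signals. Names, capacities, the
high-water mark and the signalling semantics are assumptions."""


class ADC:
    """An ADC instance with a flow budget; capacity is in concurrent flows."""

    def __init__(self, name, capacity):
        self.name = name
        self.capacity = capacity
        self.flows = set()

    @property
    def utilisation(self):
        return len(self.flows) / self.capacity

    def near_capacity(self, high_water):
        """The 'send new flows elsewhere' signal an ADC raises (assumed semantics)."""
        return self.utilisation >= high_water


class Controller:
    """Keeps the flow table and decides which ADC receives each new flow."""

    def __init__(self, high_water=0.8, instance_capacity=10):
        self.adcs = {}
        self.flow_table = {}  # flow id -> ADC name
        self.high_water = high_water
        self.instance_capacity = instance_capacity
        self._spawned = 0

    def add_adc(self, adc):
        self.adcs[adc.name] = adc

    def spin_up(self):
        """Instantiate a new ADC; stands in for an orchestration API call."""
        self._spawned += 1
        adc = ADC(f"adc-auto-{self._spawned}", self.instance_capacity)
        self.add_adc(adc)
        return adc

    def assign(self, flow_id):
        """Place a new flow on the least-loaded ADC that is not near capacity."""
        eligible = [a for a in self.adcs.values() if not a.near_capacity(self.high_water)]
        if eligible:
            # Tie-break on name so placement is deterministic and reproducible.
            target = min(eligible, key=lambda a: (a.utilisation, a.name))
        else:
            target = self.spin_up()  # every ADC has asked the controller to back off
        target.flows.add(flow_id)
        self.flow_table[flow_id] = target.name
        return target.name

    def remove_adc(self, name):
        """Drain an ADC: redistribute its flows among the remaining ones."""
        gone = self.adcs.pop(name)
        for flow_id in sorted(gone.flows):
            del self.flow_table[flow_id]
            self.assign(flow_id)
        return len(gone.flows)

    def snapshot(self):
        """Flow count per ADC, for inspection."""
        return {name: len(adc.flows) for name, adc in self.adcs.items()}


if __name__ == "__main__":
    # Constructed scenario: two ADCs of ten flows each, back off at 80 percent.
    ctl = Controller(high_water=0.8, instance_capacity=10)
    ctl.add_adc(ADC("adc-a", 10))
    ctl.add_adc(ADC("adc-b", 10))
    for i in range(16):
        ctl.assign(f"f{i}")
    print(ctl.snapshot())            # both ADCs at the high-water mark
    print(ctl.assign("f16"))         # no eligible ADC, so a new instance is spun up
    ctl.remove_adc("adc-a")          # its flows are reassigned, spawning another instance
    print(ctl.snapshot(), len(ctl.flow_table))
```

The point the model makes explicit is that the controller never waits for an ADC to reach 100 percent: the high-water mark leaves headroom for the flows already in progress, and removal of an ADC is a drain of its flow table rather than a drop, so no flow is lost when capacity is withdrawn.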
Duncan Hughes is a systems engineering director at A10 Networks.