by John Gudmundson
Enterprise networking has been plagued by two significant concerns. First, such environments have an inherently large-scale, shared infrastructure, yet the network architecture is typically static in nature. When IT on-boards a new application, upgrades equipment, or simply scales the network up, things may not go as planned. Applications can ‘break’, logjams occur, SLAs are not met and finger pointing starts. Virtualized computing and storage have only upped the ante. A second issue is the overall lack of application awareness and the difficulty of supporting advanced networking and security services.
Operations have partially overcome the resulting bottlenecks by eliminating hierarchically oriented designs. Some IT groups eliminated switch-based network segmentation and instituted a flat Layer 3 network with more routing. Others leveraged overlay networks by encapsulating IP traffic within IP. Flattening the network makes it more flexible and better able to handle virtualized computing, but does not go far enough.
The upshot is a network that lacks the ability to automatically change traffic flows in a dynamic way. High-level visibility to forward packets based on the nature of the traffic present is missing. Administrators are required to manually deploy, configure and maintain numerous elements with ever-changing needs. To make matters worse, organizations must massively overprovision their ‘static’ network to handle transient spikes and therefore run at maximum capacity at all times, regardless of actual need.
SDN to the Rescue
A key to solving this conundrum is to move to Software Defined Networks (SDN). SDN promises the ability to better utilize assets, dynamically adapt to throughput needs and perform traffic engineering with an end-to-end view of the network. In legacy topologies, control and forwarding functions are inextricably coupled within the network routers and switches, resulting in inflexible designs. By separating the forwarding and management functions, SDN provides the ability to scale resources and substantially improve agility while lowering costs. With the data plane decoupled from the control plane, the data plane can be directly programmed, support open, standards-based APIs and use lower-cost white box routers, switches and other elements. Network operators can centrally configure, manage and monitor resources with a network that is programmed based on the distinctive needs of the specific applications and traffic profiles present.
‘App Aware’ Network and Security Services
To get the most out of your software defined datacenter you need to deploy networking and security services that have the requisite app visibility. Adding Application Delivery Controllers (ADC), next generation firewalls and web security gateways can help realize the goal of a dynamic ‘app aware’ network with advanced capabilities.
ADCs integrate the following in one scalable, high-capacity appliance-based device: load balancing and content switching to ensure server availability and eliminate server sprawl; compression, caching, and WAN protocol optimization methods to accelerate content delivery while shrinking bandwidth needs; and advanced security through revealing SSL-encrypted malware, blocking application-layer attacks and providing site-to-site IPsec VPNs.
Next generation ADCs are in effect a new ‘Application Router’ that provides a top-level blueprint that is both user- and application-centric. These systems parse usage patterns in the context of user identities, applications in use, type of access device and even time of day to build granular, context-aware access control. SDN enables administrators to leverage service insertion and service chaining to dynamically steer traffic flows through a sequence of physical or virtual ADCs with these L4-7 services. Additionally, this approach avoids the added expense and the error-prone process of cobbling together disparate point product solutions.
Leading ADC vendors also support infrastructure automation by combining with cloud orchestration platforms. Plug-in service modules are leveraged to instantiate, configure and monitor the ADCs, which in turn enable automated L4-7 services provisioning by integrating with cloud orchestration solutions such as those based on OpenStack, Microsoft System Center Virtual Machine Manager (SCVMM), and VMware vCloud Director. These modules allow dynamic enforcement of centralized tenant policy as new workloads and application services are created.
System Interoperability is Critical
To ensure a cohesive ecosystem, networking and security platforms need to support open and standards-based programmability. Comprehensive management and monitoring should be accessible from vendor-neutral APIs, providing interoperability with automation, orchestration and analytics. If application networking platforms support RESTful APIs, then administrators can quickly integrate them with other services and management systems. ADCs can allow network engineers and system architects to write their own policies or provisioning scripts themselves. This empowers IT to tailor automation policies to their application needs. For example, an administrator can use SDN orchestration tools to direct users with mobile browsers to mobile application servers. As new mobile application servers are brought online, the load balancers can adapt and forward mobile traffic to those new servers.
Application and service delivery solutions must be capable of integration into real-world SDN environments, comprised of programmable routers and switches, including those based on OpenFlow, and a variety of controllers, such as Cisco APIC, VMware NSX, IBM SDN-VE and NEC PFC. Such interaction allows for dynamic scaling of ADCs, where user flows are redistributed on the fly among the available ADCs as instances are added or removed. The available ADCs are fully synchronized, are aware of one another’s flows, and instruct the SDN controller to distribute the user traffic amongst them. If an ADC is suddenly presented with a flow that causes it to work at near-maximum capacity, it can instruct the controller to temporarily reduce traffic and send new flows to other ADCs in the network. As traffic demands grow, the controller can instantly spin up a new ADC instance while keeping the existing physical or virtual appliances in place, and the controller balances new flows according to their capacity.
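The controller-side logic the paragraph describes, written here as an added toy example in Python; it is not A10's code and models no real controller or ADC API. Two ADCs report their utilisation, the controller places each new flow on the instance with the most headroom, an ADC at or above a high-water mark asks to be skipped until it drains below a low-water mark, and a scaled-out instance absorbs new flows while the existing ones stay in place. All ADC names, capacities and thresholds are constructed values.

```python
from dataclasses import dataclass


@dataclass
class Adc:
    """One physical or virtual ADC instance as seen by the controller (constructed)."""
    name: str
    capacity: int           # flows this instance can carry at once
    flows: int = 0          # flows currently steered to it
    draining: bool = False  # True while the ADC has asked the controller for relief

    @property
    def load(self) -> float:
        return self.flows / self.capacity


class SdnController:
    """Toy controller that steers new user flows across the ADC pool."""
    HIGH_WATER = 0.9  # ADC signals "near maximum capacity" at or above this load
    LOW_WATER = 0.6   # ... and withdraws the signal only below this (hysteresis)

    def __init__(self, adcs):
        self.adcs = list(adcs)

    def report(self, adc: Adc) -> None:
        # The ADC-to-controller signal from the text: hold new flows off an
        # overloaded instance. The gap between the two marks prevents flapping.
        if adc.load >= self.HIGH_WATER:
            adc.draining = True
        elif adc.load < self.LOW_WATER:
            adc.draining = False

    def assign_flow(self):
        """Place one new flow; returns the chosen ADC name, or None if the pool is full."""
        candidates = [a for a in self.adcs if not a.draining and a.flows < a.capacity]
        if not candidates:
            return None  # a real deployment would scale out at this point
        target = max(candidates, key=lambda a: a.capacity - a.flows)  # most headroom
        target.flows += 1
        self.report(target)
        return target.name

    def release_flow(self, name: str, n: int = 1) -> None:
        """Flows ended on an ADC; re-evaluate whether it still needs relief."""
        adc = next(a for a in self.adcs if a.name == name)
        adc.flows = max(0, adc.flows - n)
        self.report(adc)

    def scale_out(self, name: str, capacity: int) -> None:
        """Spin up a new ADC instance; existing appliances stay in place."""
        self.adcs.append(Adc(name, capacity))

    def utilisation(self) -> dict:
        return {a.name: round(a.load, 2) for a in self.adcs}
```

Because placement is by remaining headroom rather than round-robin, a pool of unequal instances fills in proportion to each instance's capacity.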
Cocktails on us!
Please join A10 Networks, one of the conference sponsors, at the ONUG Cocktail Reception on November 4 and hear Mr. Erwin Kim speak about this new paradigm. Learn more about SDN and Cloud Orchestration integration.
John Gudmundson manages product marketing for the aCloud Services Architecture and virtual Application Delivery Controller (ADC) appliance product groups at A10 Networks. He has over twenty years of advanced L4-7 networking and security experience, including previous product marketing and product management roles at Citrix’s Cloud Networking Group (NetScaler), IntruGuard Devices (now part of Fortinet), and Integrated Telecom Express. John holds an MBA from the University of Southern California, a BSEE from UCLA and a BSBA from UC Berkeley.