lippisreport.com
Lippis Report 210:
HP Networking Is Poised to Capitalize on the
Software-Defined Networking Market Transition
By Nicholas John Lippis III
President, Lippis Consulting
HP has been an industry leader when it comes to Software-Defined Networking (SDN) as it sees an opportunity to accelerate its growth in the networking market during a fundamental transition point. HP’s SDN strategy spans from the data center to campus and branch office networking. Its strategy includes solutions across all three layers of the SDN architecture, including the infrastructure, control and application layers.
HP’s SDN strategy is extended by inclusion of management as a critical element to enabling SDN adoption for greenfield and hybrid deployments. At the infrastructure layer, HP supports open programmable interfaces into its networking hardware portfolio. At the control layer, HP is releasing its Virtual Application Networks SDN controller in the second half of this year. At the application layer, HP has demonstrated and announced several compelling applications and use cases with real customer deployments. HP Intelligent Management Center (IMC) now also includes SDN management elements for each layer of the SDN architecture.
In this Lippis Report Research Note, we explore HP’s SDN strategy and offerings, and offer an approach to pilots and deployment.
HP’s SDN Strategy and Approach
HP’s SDN strategy is based on open standards and building an open ecosystem to deliver SDN solutions. HP, a founding member of the Open Networking Foundation (ONF), has adopted the ONF’s standard definition of SDN. HP also participates in ETSI, OpenStack and the recently announced OpenDaylight consortium, among others.
HP is delivering SDN through a framework it has coined “Virtual Application Networks.” This framework incorporates the ONF-defined layers of the SDN architecture with a management layer that extends horizontally and vertically across infrastructure, control and applications. HP’s IMC will define its SDN management approach with a focus on a common control plane and orchestration point for physical and virtual networks. HP recently announced an SDN module for IMC that manages SDN configuration on switches, controllers and applications.
HP Virtual Application Networks Framework
HP’s SDN strategy is to provide enterprise class and ready networks with scale and resiliency attributes built in. Choice is another fundamental attribute to HP’s SDN strategy, as it promises its SDN offering will work in conjunction with
SDN Architecture Elements
HP is approaching SDN as a broad transition in networking that spans physical, logical and virtual networking.
HP was one of the first large networking vendors to announce support of the OpenFlow protocol on its Ethernet switches, which now includes over 40 OpenFlow-enabled switches, representing 20 million plus ports already deployed. HP has implemented OpenFlow in hybrid mode, allowing customers to incrementally deploy SDN solutions on their existing networks. For overlay or virtualized networks, HP’s strategy includes support for VXLAN and NVGRE. HP also plans on OpenFlow support for its virtual switch 5900V. In addition, HP is developing an SDN application that has built-in cloud orchestration integration with the OpenStack Quantum plug-in.
Tying both physical and virtual networking together is its Virtual Application Networks SDN controller that will provide a common, centralized control plane across the network. HP’s SDN controller will ship in a software or appliance form factor later this year.
I cannot stress how important this part of HP’s strategy is, as overlay dominates SDN deployment and physical SDN lags. As the deployment adoption curves catch up to each other in the 2014 to 2015 time frame, those vendors that offer controllers that span both physical and virtual networking will be in a strategic position, as common orchestration will drive this market. HP promises that its SDN controller will offer topology discovery, application-specific northbound APIs plus standard APIs such as RESTful.
One of the organizing principles of HP’s SDN strategy is to support multiple deployment options, which can be thought of as top down or bottom up.
From the bottom-up perspective, many IT organizations will be acquiring Ethernet switching with OpenFlow built in. Case in point: HP has expanded the number of switches with OpenFlow support continuously over the past couple of years and now has over 40 OpenFlow-enabled models, including some already supporting OpenFlow 1.3. Therefore, OpenFlow will be increasingly built into physical networks even if SDN projects are not planned; it will just be there. This bottom-up approach prepares a network for the future of SDN. IT organizations are wise to buy Ethernet switches with OpenFlow support; as in HP’s case, there is no additional OpenFlow license to acquire. Further, even if an organization is not ready for SDN, acquiring Ethernet switches with OpenFlow support offers investment protection, thanks to an SDN-ready network infrastructure.
Top down refers to applications/workload down into the network, which is what’s driving overlay networks. HP believes that top-down applications need an OpenFlow infrastructure so that applications can become network aware. In short, network attributes are exposed to applications so that they may optimize user experience and performance. From this perspective, it's the OpenFlow switch where top down meets bottom up. HP is developing top down as well, with key SDN applications to solve key customer challenges. Below are a few SDN use cases and applications that HP has demonstrated.
Cloud Networking Use Case
To gain a view of how HP’s SDN strategy will be available for enterprise IT organizations, consider HP Cloud Services. HP developed its Virtual Cloud Network application for HP Cloud Services, addressing large public and private cloud providers. The HP virtual cloud network application provides an overlay, which offers cloud providers a way to enable their business model by allowing scalability that’s well beyond traditional hardware limits. The biggest time sink for cloud providers is network provisioning; it's the critical path to service activation. To speed up provisioning, HP Cloud Services, with the help and assistance of HP, has developed an SDN-based provisioning automation capability to fundamentally simplify network administration. Cloud providers’ infrastructure is very complex, thanks to the large number of tenants and the rate of new workload creation, which is the main contributor to the huge amount of daily provisioning. A client change request requires numerous manual configuration steps on the network side. By using SDN, HP was able to help HP Cloud Services eliminate all manual command line configurations and automate provisioning from the application/workload through to the network.
This application is focused primarily on cloud service providers, but the concept of virtualization and overlay can be scaled down for traditional enterprise environments. This is a fundamental principle of HP’s SDN strategy: automated provisioning through OpenStack to the controller to provision both physical and virtual networks. HP Cloud Services is a top-down deployment example.
SDN Security Use Case
One of the examples HP provided for a campus SDN use case was its Sentinel Security application. When a new packet enters an OpenFlow switch, the switch forwards the packet to the HP SDN Controller, where not only its flow is determined, but its security posture is assessed as well. Sentinel is a security appliance that mitigates threats based on reputation. All new flows are compared to a reputation database, or RepDV, before a flow is programmed into a switch and traffic is permitted to flow. All DNS requests are also compared to the RepDV. Malware, spyware and botnets in particular use a call-home feature to reach known C&C (command and control) servers, which task the threats with orders such as looking for passwords and credit card numbers. C&C servers can also instruct threats to install backdoors so that specific intellectual property and other confidential data can be located and transferred to the C&C servers. Since call home relies upon resolving DNS, Sentinel can mitigate this hard-coded IP communication between threat and C&C. The Sentinel security application in an SDN context is a great bottom-up deployment example in that the controller and all OpenFlow switches become an enforcement mechanism to mitigate threats before they turn into flows. The Sentinel security application runs on the controller, providing real-time network threat protection. Sentinel leverages HP TippingPoint intellectual property via its DV labs, which contains a reputation database. The Sentinel security application can protect an enterprise from over 1,000,000 different botnets, malware and spyware.
The Sentinel security application is an HP-led product developed across multiple HP groups, as it contains TippingPoint intellectual property, integration with ArcSight to provide threat visibility and log entry correlation capability, plus HP’s SDN controller. ArcSight alerts are correlated across numerous network-attached devices so as to identify anomalous behavior. The Sentinel security application will have both ArcSight anomalous behavior identification plus reputation data from DV labs to mitigate threats at the point before a flow is created. One can see how this may evolve to add HP Fortify to triage and fix outbreaks quickly, for example. For a deeper dive, the Virtual Application Networks SDN controller will set up three flows per physical switch: one to forward DNS requests, one for IP-based flows and one to forward non-IP traffic.
So consider the implications of the new security architecture. At some point in time, the Sentinel security application will receive a feed that contains threat reputation data from the cloud with real-time updates of viruses, malware, botnets, etc., circulating around the internet and enterprise networks. It could use this whenever the controller receives a flow initiation request from any physical switch in the HP network. As packets enter the physical switch destined to any DNS or domain, the physical switch forwards the entry to the controller, where the Sentinel application checks its reputation. If the traffic entering the physical switch is acceptable, the controller will allow the DNS query to be resolved and traffic will flow. If the traffic is not acceptable, then the controller doesn’t create a flow and the destination is unreachable, thus mitigating a threat. The Sentinel security application effectively creates an enforcement layer at every physical switch. Security mitigation is centralized with a widely distributed enforcement plane.
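The reputation-gated flow setup described above, modelled as an added Python example (not HP's Sentinel or controller code). The packet dictionaries, the `Controller` class, the blocklist entries and the choice to forward non-IP traffic without a lookup are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed reputation data; a real deployment would consume a vendor feed.
BAD_DOMAINS = {"c2.example.net"}
BAD_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3

def classify(pkt):
    """Pick which of the three per-switch rules a packet would hit."""
    if pkt.get("eth_type") != 0x0800:
        return "non-ip"
    if pkt.get("udp_dst") == 53 and "dns_qname" in pkt:
        return "dns"
    return "ip"

def domain_is_bad(qname):
    """Check the name and each parent domain; ignore case and trailing dot."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BAD_DOMAINS for i in range(len(labels)))

def ip_is_bad(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BAD_NETWORKS)

@dataclass
class Controller:
    flows: set = field(default_factory=set)      # installed (switch, src, dst)
    alerts: list = field(default_factory=list)   # denials, for SIEM correlation

    def packet_in(self, switch, pkt):
        kind = classify(pkt)
        if kind == "non-ip":
            return "forward"                     # no lookup (assumption)
        if kind == "dns":
            if domain_is_bad(pkt["dns_qname"]):
                return self._deny(switch, pkt, "dns:" + pkt["dns_qname"])
            # No flow is installed, so later DNS requests are still checked.
            return "allow"
        if ip_is_bad(pkt["ip_dst"]):
            return self._deny(switch, pkt, "ip:" + pkt["ip_dst"])
        self.flows.add((switch, pkt["ip_src"], pkt["ip_dst"]))
        return "allow"

    def _deny(self, switch, pkt, reason):
        self.alerts.append((switch, pkt["ip_src"], reason))
        return "deny"                            # no flow: destination unreachable

def demo():
    ip, host = 0x0800, "10.0.0.5"
    dns = {"eth_type": ip, "ip_src": host, "ip_dst": "10.0.0.53", "udp_dst": 53}
    pkts = [
        {**dns, "dns_qname": "www.example.org."},
        {**dns, "dns_qname": "Beacon.C2.Example.NET."},
        {"eth_type": ip, "ip_src": host, "ip_dst": "198.51.100.10"},
        {"eth_type": ip, "ip_src": host, "ip_dst": "203.0.113.7"},
        {"eth_type": 0x0806},                    # ARP
    ]
    ctl = Controller()
    return ctl, [ctl.packet_in("sw1", p) for p in pkts]
```

The denied lookups leave no flow entry behind, and the alert list is the record a SIEM would correlate against other device logs.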
The Sentinel security application doesn’t eliminate the need for dedicated appliances, like TippingPoint IPS, but adds an initial layer of security protection and threat mitigation. What the Sentinel security application does is eliminate much traffic from having to flow through an IPS as threats are mitigated at the physical switch access layer. Note that Sentinel recently won best SDN solution at the NetEvents Ethernet Innovation Summit 2013.
An SDN Enabled Distributed Load Balancer Use Case
IT architects at CERN openlab, the European Organization for Nuclear Research, developed their own load balancing application called Vision, thanks to an open API from HP. Vision is based on HP’s controller software to solve a unique challenge. CERN’s IT environment is very unique and challenging, thanks to the volume of data generated during research activities.
CERN wanted to turn an OpenFlow-enabled infrastructure into a large load balancer through orchestration automation. CERN is looking to automatically characterize traffic types and forward them to a variety of network resources. Open APIs enable this type of new innovation. For example, CERN could identify Internet-destined traffic and automatically distribute that load across various WAN interfaces or devices. Or CERN could analyze server traffic, characterize it and then automatically distribute it across various server types. The key here is that no manual configuration is needed to distribute traffic in the way they wanted it forwarded.
In addition, CERN is looking to optimize traffic distribution with more intelligence. One approach is to synchronize traffic distribution across load balancers, thanks to information sharing across load balancers, such as traffic load, plus load balancer CPU and memory utilization. What CERN shows is that the OpenFlow infrastructure can be programmed to be a large distributed load balancer that works with or without load balancer appliances.
CERN also offers a view into HP’s strategy, that is, how customers, partners or third parties can leverage its controller and network infrastructure to deliver their own SDN application. CERN is a great proof point for HP in terms of demonstrating their openness, including APIs, its controller and how its SDN architecture will evolve.
Consider how this approach may evolve. CERN developed a distributed load balancer that can be applied across wide area networking, security services, servers, etc., to every area of a network where resource contention is present. This model can be applied to web caching, WAN optimization, multipathing in a data center, etc. The key point is that SDN is able to deliver better utilization of resources through automated orchestration. Eventually CERN is looking to tap into the application layer during periods of low performance so as to reconfigure the SDN or distributed load balancers to mitigate network congestion causing poor application performance.
SDN Unified Communications Use Case
HP Unified Communications and Collaboration (UC&C) SDN application with the Microsoft® Lync SDN Proof of Concept (PoC) API was demonstrated at ONS this past April. This scenario provides insight into how HP will leverage SDN to deliver application value by linking applications directly to networks. In the SDN UC&C use case, HP’s UC&C SDN application interacts directly with Microsoft’s Lync via an SDN PoC API. This interaction drives the definition of a real-time flow that’s created by the HP VAN SDN Controller, which populates the forwarding tables of HP OpenFlow switches. The HP UC&C SDN Application dynamically provides the IP addresses/ports of the paired endpoints of a real-time flow to the HP VAN SDN Controller. This enables the network to define these UC&C flows with a CoS/QoS tag so that the flows are provided with proper network forwarding. These flows are thus identified as authorized real-time flows. Flows attempting to use this tag without the API authorization are automatically re-tagged to best effort forwarding.
To see the value of this use case, consider a Lync UC&C connection between two colleagues where audio and screen sharing are being used, a typical scenario. Often the enterprise network is not configured properly to deliver real-time communications, resulting in poor application performance and a frustrating user experience. The HP SDN UC&C solution enables automated provisioning of network policy and quality of service between the two communicating parties so that a smooth, professional and productive experience is achieved.
What’s key here is that no network engineer has to send CLI commands to switches, and no user intervention is required.
How to Embark on SDN Journey
From HP’s perspective, the first step in deploying an SDN is to OpenFlow-enable the network infrastructure with physical switches. HP has done that today with its OpenFlow firmware. As the entire industry is focused upon delivering OpenFlow switches, we expect that OpenFlow will be just like SNMP; that is, all switches will support OpenFlow over time.
HP SDN Journey Customer Guidance
Controllers will increasingly support both virtual and physical networks. Clearly, this is a key design goal of HP as it provides automated provisioning of both physical and virtual networks. In addition to overlay support, physical switches supporting both layer 2 and layer 3 forwarding plus flows will enable bridges between SDN and non-SDN implementations. Gateways, such as the VXLAN gateway and others, will facilitate the interconnection between L2/3 and flow-based networks.
As the use cases demonstrate, SDN is not only a data center and service provider technology, but will be systemic from data center to campus LANs to branch office networks. HP, with its large data center and application business, is in a unique position to take advantage of SDN’s attributes and deliver a complete SDN stack that spans applications/workload, VM, bare metal servers, controllers, network and storage. HP can offer applications that span data center, campus and branch office environments, provide the control plane, plus hardware innovation, all in an effort to lead the SDN industry.
HP clearly has invested in SDN and will continue to do so, offering a wide range of open networking solutions as enterprise and service providers increasingly transition their computer networks toward open networking.
About Nick Lippis
Nicholas J. Lippis III is a world-renowned authority on advanced IP networks, communications and their benefits to business objectives. He is the publisher of the Lippis Report, a resource for network and IT business decision makers to which over 35,000 executive IT business leaders subscribe. Its Lippis Report podcasts have been downloaded over 200,000 times; iTunes reports that listeners also download the Wall Street Journal’s Money Matters, Business Week’s Climbing the Ladder, The Economist and The Harvard Business Review’s IdeaCast. He is also the co-founder and conference chair of the Open Networking User Group, which sponsors a bi-annual meeting of over 200 IT business leaders of large enterprises. Mr. Lippis is currently working with clients to design their private and public virtualized data center cloud computing network architectures with open networking technologies to reap maximum business value and outcome.
He has advised numerous Global 2000 firms on network architecture, design, implementation, vendor selection and budgeting, with clients including Barclays Bank, Eastman Kodak Company, Federal Deposit Insurance Corporation (FDIC), Hughes Aerospace, Liberty Mutual, Schering-Plough, Camp Dresser McKee, the state of Alaska, Microsoft, Kaiser Permanente, Sprint, Worldcom, Cisco Systems, Hewlett Packard, IBM, Avaya and many others. He works exclusively with CIOs and their direct reports. Mr. Lippis possesses a unique perspective of market forces and trends occurring within the computer networking industry derived from his experience with both supply- and demand-side clients.
Mr. Lippis received the prestigious Boston University College of Engineering Alumni award for advancing the profession. He has been named one of the top 40 most powerful and influential people in the networking industry by Network World. TechTarget, an industry on-line publication, has named him a network design guru while Network Computing Magazine has called him a star IT guru.
Mr. Lippis founded Strategic Networks Consulting, Inc., a well-respected and influential computer networking industry-consulting concern, which was purchased by Softbank/Ziff-Davis in 1996. He is a frequent keynote speaker at industry events and is widely quoted in the business and industry press. He serves on the Dean of Boston University’s College of Engineering Board of Advisors as well as many start-up venture firms’ advisory boards. He delivered the commencement speech to Boston University College of Engineering graduates in 2007. Mr. Lippis received his Bachelor of Science in Electrical Engineering and his Master of Science in Systems Engineering from Boston University. His Master’s thesis work included selected technical courses and advisors from Massachusetts Institute of