HP SDN Applications and SDN Approach

The source for this blog post is taken from Ivan Pepelnjak’s Software Gone Wild Podcast on OpenFlow on HP Campus Solutions.

It takes too long to provision network services for an application. The network lacks agility, and making any change is still a manual process: when an application is rolled out, every device has to be reconfigured by hand through its CLI. This kind of manual configuration cannot keep up with today's application requirements. Static rollout frameworks prohibit dynamic changes to the network and block much of the value that applications could bring to the business. Software Defined Networking (SDN) aims to take the rigidity out of networks and give you the visibility to make changes and respond in real time. The HP SDN Application Suite changes the way the network responds to business needs by programming the network in a different way.

Hewlett Packard (HP) has taken a different approach to SDN. They do not want to reinvent every wheel and roll out a blanket greenfield OpenFlow solution. Routing has worked for 40 years, so we should not expect a revolutionary change to routing; it simply is not there. Consider how complicated distributed systems are: it is close to impossible to rebuild all of the Layer 2 and Layer 3 protocols on top of OpenFlow.

Layer 2 switches learn MAC addresses automatically, building a table that can be used to selectively forward frames. Why would there be a need to replace how switches learn at Layer 2? The Layer 2 learning mechanism works fine and there is no real driver to replace it. There are potential drivers for replacing Spanning Tree Protocol (STP), because STP is simply dangerous, but there is no reason to replace Layer 2 learning. So why attempt it with OpenFlow?


HP Targets Network Edge

OpenFlow comes with its challenges. It derives from Stanford and is very academic. It is hard to use and deploy in its pure form. HP adds to it and makes it more usable, tuning the implementation to today's network requirements by using parts of OpenFlow and parts of traditional routing. OpenFlow is generally not good on its own, but certain narrow niche cases exist where it can be used. Campus networks are one of those niches, and HP is marketing its product set for it. The SDN product set targets the network edge and leaves the core to what it does best. This allows an easy migration path: start at the edge and move gradually towards the core, if there is a need to. A migration path of this type keeps the potential blast radius to a minimum. Starting with SDN islands at the edge is an appealing initial migration strategy.


Figure: HP SDN controller


HP Controller – SDN VAN Controller

HP removed the North-South communication bottleneck. Unmatched packets are not sent to the controller: any packet that misses every OpenFlow rule hits what is known as the last rule and is handled by normal packet processing, via traditional methods.

The last rule, "match all, forward NORMAL", hands the packet back to the normal forwarding plane and the network does what it has always done. If no OpenFlow match exists, packets are forwarded by traditional means. HP uses the traditional distributed control plane so that the design can scale. If you consider a controller that has to learn the topology and compute the best path through it, controller-based "routing" is almost certainly more complex than distributed routing protocols. The HP SDN design does not do this; it combines the best of OpenFlow and routing.

OpenFlow rules take precedence over most control plane elements. However, the majority of Layer 2 control plane protocols are left to traditional methods. As a general rule, anything time critical, such as Link Aggregation Control Protocol (LACP) and Bidirectional Forwarding Detection (BFD), stays with traditional methods, and controls that are less time critical can be done with OpenFlow.


They are using OpenFlow to glean information from the forwarding plane, not to modify it.


The controller can work in a number of modes. The first is Hybrid mode, which forwards with OpenFlow rules and falls back to normal processing when no OpenFlow rule matches. The second is Discovery mode, in which the local SDN switches send copies of ARP and DHCP packets to the controller. By analysing this information the controller knows where all the hosts are and can build a network topology map. A centralized view of the network topology is a big benefit of SDN. They also use BDDP (Broadcast Domain Discovery Protocol), which is similar to LLDP but is scoped to the broadcast domain rather than a single link, so it can pass through the legacy switches that sit between OpenFlow-enabled ones. The controller does not directly participate in forwarding; it scans the topology by listening to endpoint discovery information. The controller now holds a view of what the topology looks like, but there is no intercepting or redirecting of traffic. It provides endpoint visibility across the network.

HP has started to integrate the SDN controller with Microsoft Active Directory. This gives the controller a different layer of visibility, one that is not just IP- and subnet-based. It gives you a higher-level language to control your network: decisions are made based on users and groups, not subnets.
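As an added illustration (not HP's code, and not from the podcast), the following Python sketch shows what a controller in Discovery mode does with the gleaned ARP and DHCP copies, and how an Active Directory logon feed layers user names on top of the resulting host map. The packet copies, the logon event layout and the switch and port identifiers are constructed for the example; the page does not describe HP's actual message formats.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample input: copies of ARP and DHCP packets that edge switches in
# Discovery mode would hand to the controller, tagged with the switch and port
# that saw them. These are not captures from an HP controller.
ARP_COPIES = [
    {"switch": "edge-1", "port": 3, "sender_mac": "00:11:22:33:44:01", "sender_ip": "10.1.1.10"},
    {"switch": "edge-1", "port": 4, "sender_mac": "00:11:22:33:44:02", "sender_ip": "0.0.0.0"},  # ARP probe
    {"switch": "edge-2", "port": 7, "sender_mac": "00:11:22:33:44:01", "sender_ip": "10.1.1.10"},  # host moved
]
DHCP_COPIES = [
    {"switch": "edge-1", "port": 4, "client_mac": "00:11:22:33:44:02", "msg": "DISCOVER", "yiaddr": None},
    {"switch": "edge-1", "port": 4, "client_mac": "00:11:22:33:44:02", "msg": "ACK", "yiaddr": "10.1.1.20"},
]
# Assumed shape of an Active Directory logon event (user, workstation IP); the
# real integration format is not described on the page.
AD_LOGONS = [{"user": "alice", "ip": "10.1.1.10"}, {"user": "bob", "ip": "10.9.9.9"}]


@dataclass
class Host:
    mac: str
    switch: str
    port: int
    ip: Optional[str] = None
    user: Optional[str] = None


class HostTracker:
    """Builds the controller's endpoint map from gleaned ARP/DHCP copies.
    It never installs forwarding rules; it only listens."""

    def __init__(self) -> None:
        self.by_mac: Dict[str, Host] = {}
        self.by_ip: Dict[str, Host] = {}
        self.by_user: Dict[str, Host] = {}
        self.pending_users: Dict[str, str] = {}  # ip -> user logged on before host was seen

    def _seen(self, mac: str, switch: str, port: int) -> Host:
        host = self.by_mac.get(mac)
        if host is None:
            host = self.by_mac[mac] = Host(mac, switch, port)
        else:
            host.switch, host.port = switch, port  # latest sighting wins: the host moved
        return host

    def _bind_ip(self, host: Host, ip: str) -> None:
        if host.ip and host.ip != ip:
            self.by_ip.pop(host.ip, None)
        host.ip = ip
        self.by_ip[ip] = host
        user = self.pending_users.pop(ip, None)
        if user:
            self._bind_user(host, user)

    def _bind_user(self, host: Host, user: str) -> None:
        host.user = user
        self.by_user[user] = host

    def on_arp(self, copy: dict) -> None:
        host = self._seen(copy["sender_mac"], copy["switch"], copy["port"])
        if copy["sender_ip"] != "0.0.0.0":  # ARP probes carry no usable sender IP
            self._bind_ip(host, copy["sender_ip"])

    def on_dhcp(self, copy: dict) -> None:
        host = self._seen(copy["client_mac"], copy["switch"], copy["port"])
        if copy["msg"] == "ACK" and copy["yiaddr"]:  # only the ACK commits a lease
            self._bind_ip(host, copy["yiaddr"])

    def on_ad_logon(self, event: dict) -> None:
        host = self.by_ip.get(event["ip"])
        if host:
            self._bind_user(host, event["user"])
        else:
            self.pending_users[event["ip"]] = event["user"]  # park it until the host shows up

    def locate_user(self, user: str) -> Optional[Tuple[str, int]]:
        host = self.by_user.get(user)
        return (host.switch, host.port) if host else None


def build_tracker() -> HostTracker:
    tracker = HostTracker()
    tracker.on_arp(ARP_COPIES[0])
    tracker.on_ad_logon(AD_LOGONS[0])  # alice's host is already known
    tracker.on_ad_logon(AD_LOGONS[1])  # bob's host has not been seen: parked
    for copy in DHCP_COPIES:
        tracker.on_dhcp(copy)
    tracker.on_arp(ARP_COPIES[1])
    tracker.on_arp(ARP_COPIES[2])      # alice's host moves to edge-2 port 7
    return tracker


if __name__ == "__main__":
    t = build_tracker()
    print(t.locate_user("alice"))  # ('edge-2', 7)
```

Only the DHCP ACK commits an address, ARP probes with a zero sender address are ignored, and the latest sighting of a MAC wins, so a host that moves shows up at its new port without any explicit withdrawal. Nothing here installs a flow; that is the point of the mode.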


Network Protector SDN APP

There are a lot of issues around malware and spyware, and the HP Network Protector app can help with these challenges. It enables real-time assessment and security across all SDN devices.



Figure: HP OpenFlow


The app pushes down one rule: redirect UDP 53 to the controller. It intercepts UDP 53 and can push down ACL rules to block certain types of traffic. DNS traffic is extracted at the edge of the network and passed to the controller. Application features rank the reputation of an external site and determine how likely you are to pick up something nasty if you go there. This lets the network admin keep track of who is requesting what, with a hit count per request. If a host makes 3000 DNS requests per second, it is considered infected and is quarantined by pushing down additional OpenFlow rules.
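The following Python model, added here rather than taken from HP or the podcast, puts two of the page's ideas together: the hybrid flow table whose lowest-priority "last rule" forwards NORMAL, and the Network Protector logic that installs a single UDP 53 redirect, tracks the per-host query rate, consults a reputation score and quarantines a host with a higher-priority drop rule once it exceeds 3000 queries per second. The reputation scores, the thresholds other than the 3000/s figure, the action names and the packet dictionaries are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set

# Action names for this model (OpenFlow defines NORMAL and CONTROLLER as reserved
# ports; the string spelling here is the example's own).
NORMAL = "NORMAL"          # hand the packet to the switch's traditional pipeline
CONTROLLER = "CONTROLLER"  # punt the packet to the controller
DROP = "DROP"


@dataclass
class FlowEntry:
    priority: int
    match: Dict[str, object]
    action: str


class FlowTable:
    """Hybrid-mode table: the highest-priority matching entry wins, and the
    lowest-priority entry is the 'last rule' (match all, forward NORMAL)."""

    def __init__(self) -> None:
        self.entries: List[FlowEntry] = [FlowEntry(0, {}, NORMAL)]

    def add(self, entry: FlowEntry) -> None:
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.priority, reverse=True)

    def lookup(self, pkt: Dict[str, object]) -> str:
        for entry in self.entries:
            if all(pkt.get(k) == v for k, v in entry.match.items()):
                return entry.action
        return NORMAL  # unreachable while the last rule is present


class DnsProtector:
    """Controller app modelled on the page's description of Network Protector."""

    def __init__(self, table: FlowTable, reputation: Dict[str, int],
                 rate_limit: int = 3000, window_s: float = 1.0, min_score: int = 20) -> None:
        self.table = table
        self.table.add(FlowEntry(100, {"ip_proto": 17, "udp_dst": 53}, CONTROLLER))  # the one rule
        self.reputation = reputation      # assumed feed: domain -> score, higher is better
        self.rate_limit, self.window_s, self.min_score = rate_limit, window_s, min_score
        self.queries: Dict[str, Deque[float]] = {}   # host -> timestamps inside the window
        self.quarantined: Set[str] = set()
        self.hits: Dict[tuple, int] = {}             # (host, domain) -> count, "who asked for what"

    def _score(self, qname: str) -> int:
        # Walk the labels so that cdn.malware.test matches an entry for malware.test.
        labels = qname.rstrip(".").lower().split(".")
        for i in range(len(labels)):
            score = self.reputation.get(".".join(labels[i:]))
            if score is not None:
                return score
        return 50  # unknown domain: neutral

    def quarantine(self, host: str) -> None:
        # Priority 200 beats the redirect rule, so the host's later traffic (DNS
        # included) is dropped on the switch and never reaches the controller.
        self.table.add(FlowEntry(200, {"ip_src": host}, DROP))
        self.quarantined.add(host)

    def packet_in(self, pkt: Dict[str, object], now: float) -> str:
        """Handle a DNS query punted by the redirect rule; return the verdict."""
        host, qname = str(pkt["ip_src"]), str(pkt["qname"])
        if host in self.quarantined:
            return "quarantined"
        key = (host, qname.rstrip(".").lower())
        self.hits[key] = self.hits.get(key, 0) + 1
        q = self.queries.setdefault(host, deque())
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) > self.rate_limit:
            self.quarantine(host)
            return "quarantined"
        if self._score(qname) < self.min_score:
            return "blocked"      # query is not re-injected, so the lookup fails
        return "forwarded"        # packet-out via NORMAL: resolve as usual


def protector_demo() -> Dict[str, object]:
    """Constructed traffic: a web packet, a clean lookup, a bad-reputation lookup
    and a host that bursts past the 3000/s threshold."""
    table = FlowTable()
    app = DnsProtector(table, reputation={"example.test": 80, "malware.test": 5})
    web = {"ip_src": "10.1.1.10", "ip_proto": 6, "tcp_dst": 443}
    dns_ok = {"ip_src": "10.1.1.10", "ip_proto": 17, "udp_dst": 53, "qname": "www.example.test."}
    dns_bad = {"ip_src": "10.1.1.10", "ip_proto": 17, "udp_dst": 53, "qname": "cdn.malware.test."}
    result: Dict[str, object] = {
        "web_action": table.lookup(web),          # NORMAL: not an OpenFlow concern
        "dns_action": table.lookup(dns_ok),       # CONTROLLER: redirected by the one rule
        "clean": app.packet_in(dns_ok, now=0.0),  # forwarded
        "bad": app.packet_in(dns_bad, now=0.1),   # blocked
    }
    burst = {"ip_src": "10.1.1.66", "ip_proto": 17, "udp_dst": 53, "qname": "x.example.test."}
    result["burst_verdicts"] = {app.packet_in(burst, now=i / 4000) for i in range(3001)}
    result["burst_action"] = table.lookup(burst)  # DROP: quarantine rule outranks the redirect
    result["victim_action"] = table.lookup(web)   # NORMAL: other hosts are unaffected
    return result
```

Because the quarantine entry has a higher priority than the redirect entry, a quarantined host's later DNS queries are dropped on the switch and never reach the controller, which keeps a chattering infected host from becoming a controller load problem of its own. A bad reputation verdict simply fails to re-inject the query; the reputation source and what counts as "nasty" are assumptions of the example, not something the page specifies.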


Network Visualizer SDN APP

An SDN app for network admins that assists troubleshooting by showing where the traffic is and where it is going. The network admin can select traffic, copy it and send it to a location. It is similar to tapping, except quicker and easier to roll out: your network traffic is viewable on any port and any switch, and the app lets you get to the wire straight away. Because it is integrated with Active Directory, when a user calls up and says he has a network problem you can extract his traffic by user ID and debug it remotely. All you need is the user ID, and in under 30 seconds you can see his packets. This is a level of visibility that was not available before. You could also grab ingress OSPF for analysis, which was not possible in the past: mirror the LSAs and recreate the entire topology. You just need access to one switch in the OSPF area.


Network Optimizer SDN APP

This app is used for Microsoft Lync and Skype for Business. It provides automated provisioning of network policy and quality of service to endpoints. Microsoft created a diagnostic API for Lync called the SDN API. It sends out information about each call: username, IP address and port number on both sides, ingress and egress. The app can reach the ingress switch on each side and remark the Differentiated Services Code Point (DSCP) for the ingress flows. This is how SDN applications should work: the application requests a service from the network and the network responds. With ACLs and QoS we were working at Layer 4, not at Layer 7 with the application. Now, with HP Network Optimizer, the application can notify the network and the network can respond.
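As an added example of the request/response pattern the paragraph describes (not code from HP or Microsoft), the Python below takes a call-start event carrying the caller's and callee's IP and port, looks up the ingress switch of each side in a constructed host location table, and produces one DSCP remark rule per direction; the matching call-end event removes them again. The event layout, the location table and the DSCP values are assumptions (the values are the ones commonly recommended for Lync media classes), and the real Lync SDN API schema is not reproduced.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# DSCP values commonly recommended for Lync/Skype for Business media classes
# (EF for audio, AF41 for video, AF21 for application sharing). Assumed here,
# not quoted from the page.
DSCP_BY_MEDIA = {"audio": 46, "video": 34, "appsharing": 18}

# Endpoint locations as the controller's discovery mode would have learned them:
# IP -> (ingress switch, port). Constructed for this example.
HOST_LOCATION: Dict[str, Tuple[str, int]] = {
    "10.1.1.10": ("edge-1", 3),
    "10.1.2.20": ("edge-2", 7),
}


@dataclass(frozen=True)
class QosRule:
    switch: str
    in_port: int
    match: Tuple[Tuple[str, object], ...]   # 5-tuple of the media flow in the ingress direction
    dscp: int


class NetworkOptimizer:
    """Turns call events from the application into per-ingress-switch DSCP
    remarks and withdraws them when the call ends. The event dictionaries are
    this example's assumed shape, not the Lync SDN API schema."""

    def __init__(self, locations: Dict[str, Tuple[str, int]]) -> None:
        self.locations = locations
        self.installed: Dict[str, List[QosRule]] = {}   # call id -> rules pushed
        self.unplaced: Dict[str, List[str]] = {}         # call id -> endpoints with no known ingress

    def _rule(self, src: dict, dst: dict, dscp: int) -> Optional[QosRule]:
        loc = self.locations.get(src["ip"])
        if loc is None:
            return None  # remote or federated party: its ingress is not one of our switches
        match = (("ip_proto", 17), ("ip_src", src["ip"]), ("udp_src", src["port"]),
                 ("ip_dst", dst["ip"]), ("udp_dst", dst["port"]))
        return QosRule(loc[0], loc[1], match, dscp)

    def call_started(self, event: dict) -> List[QosRule]:
        dscp = DSCP_BY_MEDIA.get(event["media"])
        if dscp is None:
            return []  # unknown media class: leave the default marking alone
        rules: List[QosRule] = []
        missing: List[str] = []
        caller, callee = event["caller"], event["callee"]
        for src, dst in ((caller, callee), (callee, caller)):  # one ingress rule per direction
            rule = self._rule(src, dst, dscp)
            if rule is None:
                missing.append(src["ip"])
            else:
                rules.append(rule)
        self.installed[event["call_id"]] = rules
        self.unplaced[event["call_id"]] = missing
        return rules

    def call_ended(self, call_id: str) -> List[QosRule]:
        self.unplaced.pop(call_id, None)
        return self.installed.pop(call_id, [])  # the rules to delete from each switch

    def rules_on(self, switch: str) -> List[QosRule]:
        return [r for rules in self.installed.values() for r in rules if r.switch == switch]


def optimizer_demo() -> Dict[str, object]:
    opt = NetworkOptimizer(HOST_LOCATION)
    # Constructed call events: both endpoints on campus, then one behind the WAN.
    internal = {"call_id": "c1", "media": "audio",
                "caller": {"user": "alice", "ip": "10.1.1.10", "port": 50020},
                "callee": {"user": "bob", "ip": "10.1.2.20", "port": 50044}}
    remote = {"call_id": "c2", "media": "video",
              "caller": {"user": "alice", "ip": "10.1.1.10", "port": 50030},
              "callee": {"user": "carol", "ip": "203.0.113.5", "port": 50080}}
    r1 = opt.call_started(internal)
    r2 = opt.call_started(remote)
    snapshot: Dict[str, object] = {
        "c1_switches": sorted(r.switch for r in r1),      # ['edge-1', 'edge-2']
        "c1_dscp": {r.dscp for r in r1},                  # {46}
        "c2_switches": [r.switch for r in r2],            # ['edge-1']: only our side is marked
        "c2_unplaced": opt.unplaced["c2"],                # ['203.0.113.5']
        "edge1_before_end": len(opt.rules_on("edge-1")),  # 2
    }
    snapshot["removed"] = len(opt.call_ended("c1"))        # 2
    snapshot["edge1_after_end"] = len(opt.rules_on("edge-1"))  # 1
    return snapshot
```

The rule is keyed on the full 5-tuple of the media stream, so only the call's own packets are remarked and the entry can be deleted precisely when the call ends. When one party sits outside the SDN edge, the example marks the flow at the one ingress it does control and records the other endpoint as unplaced rather than guessing a switch.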


Closing SDN Comments

The HP SDN suite is about adding value at the edge of the network. Where you allow the dynamic value of SDN to apply is up to the customer's risk appetite. Keeping dynamic SDN at the edge while keeping the core static is a big value of SDN and a great migration strategy. The SDN concept brings information that is otherwise outside the network into the network. Additional information on HP at IPspace.net.


About Matt Conran


2 Comments

  • Jeremy

    Hi,
    Do you see the role of the network support engineer disappearing as the world moves towards SDN and network, compute and storage continue to converge?

    Traditionally in enterprise scenarios you would have a 1st/2nd/3rd line help desk dealing with BAU incidents (although usually their sphere of influence is limited to the compute and apps space). For specialist areas (network, backup, storage etc.) incidents usually get routed to a separate team, e.g. the network support team, or the SAN support team etc.

    In the world of SDN, where a 3rd line support engineer can now view, diagnose and even manage the network all from his web-based graphical toolset (with not a Cisco certification in sight), what happens to the role of the highly skilled network support guy?

    Come to think of it, the same question goes for the network architect – do network architects now need to understand further north of the rack, possibly as far up as the apps layer if that’s where the management and orchestration is now done?

    Cheers,
    Jeremy

    • Matt Conran

      Networking guys are not going away anytime soon! I know some that make a very good living having a skill set suited for old networks, for example ATM. Some networks, especially for governments, are based on old reliable technologies and there are no business requirements for much of a change. As long as they are fit for purpose for that business unit and are not end of life, it's ok to leave them. We all don't want to move to the cloud.

      I see a lot of skill sets getting added to the network guy's armoury. If you look at our remit, we work with major core networks, storage, cloud and now a bit of programming ☺

      Networking is changing and some of the bad stuff is getting removed, such as Layer 2 from Microsoft Azure Cloud. This doesn't scare me; it just means my mindset for Layer 2 segmentation is now network security groups (NSG).

      However, if all you do is create and delete VLANs for a living, you have about 10-15 years left.
