Netvisor: Bare Metal Control Plane, Application level Analytics and Intrusion Detection
Sunay Tripathi, Roger Chickering, Jonathan Gainsley
Pluribus Networks, Inc., Faber Rd, Palo Alto, CA

ABSTRACT
In this paper, we describe the architecture of Netvisor, a network hypervisor that runs directly on Ethernet switches. Netvisor controls all hardware tables (TCAMs, BST) and the learning and switching behavior of the switch chip. By capitalizing on the PCI-Express control plane of the latest generation of commercial off-the-shelf switch chips, Netvisor memory-maps the entire register space into software for high-speed, low-latency, multithreaded access. The Intel Ivy Bridge control processors in the newer switch designs from white-box vendors have enough power and bandwidth to run complex multi-gigabit control plane applications. This opens the door for a new breed of applications running directly on Netvisor-enabled switches, including the SDN control plane, rich on-switch analytics, and intrusion detection.

Categories and Subject Descriptors
D.4.4 [Operating Systems]: Network Communications; C.2.4 [Computer Communications Networks]: Network operating systems

General Terms
Algorithms, Management, Performance, Design, Security.

Keywords
Netvisor, Network Hypervisor, Control Plane, Network Analytics, vflow, merchant silicon based switches, Network programming APIs

Copyright 2014 Pluribus Networks Inc. SIGCOMM HotSDN '14, August 2014, Chicago, Illinois, USA. Copyright 2014 ACM. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

1. INTRODUCTION
For two decades top-of-rack switches did not see major changes. Speeds increased from 10Mbps to 40Gbps and many new protocols were added, but operational behavior remained the same. Top-of-rack switches were generally meant for switching packets at high speed with some static, human-level configuration via a command line interface. Each switch port was connected to a small number (typically one) of MAC addresses in a statically configured rack. As server virtualization and device mobility become ubiquitous, switches operate in a dynamic environment with hundreds of transient MAC addresses per physical port. MAC addresses migrate freely between ports on the same switch and from switch to switch. Policy and isolation need to be applied dynamically on a MAC, IP address, or VLAN/VXLAN basis as virtual machines and mobile devices migrate through the network, and software intervention is required to manage these roaming MAC addresses.

The last decade also saw the growth of new web-scale applications in which a single client request results in a complex operation in the data center: typically many servers coordinate complex searches, database queries, and advertisement placement to respond to a simple web request. This has caused huge growth in east-west traffic in addition to the traditional north-south traffic, requiring changes in deployment behavior and topologies.

These changes created the need for network programmability and the Software Defined Networking (SDN) movement. In this paper, we first look at the issues with the existing architecture and then discuss a network hypervisor that was implemented over the current generation of switches to address them. In section 4 we discuss some interesting new applications that are enabled by making the switch more programmable. The examples used throughout the paper are from a live production network running on switches controlled by Netvisor. Finally, we summarize the paper and describe our future direction.
2. ISSUES WITH EXISTING ARCHITECTURES
In this section, we explore the issues with the existing top-of-rack and edge switching architecture.

2.1 Control Plane Traffic in a Virtualized Environment
In a modern data center containing thousands of virtual machines, ARP traffic alone can exceed 50Mbps. Network programmability requires control plane traffic, network address tables, and flow tables to be managed in software, which in turn requires a powerful platform with multiple CPU cores and enough memory to hold the tables [5][4][6][3].

2.2 Low Performance Control Processors
Switch chips are becoming more powerful [1][2] and more programmable, but many switch vendors still pair them with low-powered processors and limited memory. Although the switch chips support multiple lanes of PCI-Express, providing abundant bandwidth between the switch chip and the CPU, most current switch designs lack the memory and processing capability to implement a fully programmable software control plane on the switch itself.

2.3 Control Plane Decoupled from the Bare Metal Switch
To add programmability to switches, various controllers use OpenFlow [8] to decouple the control plane from the forwarding plane. To work around the issues described in sections 2.1 and 2.2, these controllers are not implemented on the switch but run on a connected server with adequate CPU and memory. Various efforts have been made to make the controllers distributed [7] and responsive. In principle, separating the control plane from the switch is a good way to side-step the architectural issues of underpowered switch control planes. However, in virtualized data center environments the amount of control traffic (ARP, multicast setup, routing traffic, flow creation, etc.) between the switch and the controller is fairly high [11][12]. The decision-making delay introduced by placing the controller across the network from the switch causes scaling issues even at rack level and creates new challenges for deployment models.

2.4 Growth of East-West Traffic and Cloud Computing
Streaming, social media, and search are becoming the dominant applications driving the data center. A simple request from the client results in a complex operation in the data center where multiple servers coordinate with one another to generate a response. A leaf-and-spine architecture supports the increased east-west traffic better than the traditional fat tree architecture. The move towards the cloud and horizontally scaled applications is also forcing a change in the switching layer in the rack. There is a growing need to orchestrate server, storage, and switch as one unit. This is forcing switches to become more programmable and server-like, so that racks and pods of racks become the building blocks of next generation data centers.

2.5 Lack of Built-in Monitoring and Debugging Support
Server operating systems and applications have built-in debugging capabilities. In contrast, many network switches have limited tools for understanding and debugging switching behavior, and network operators depend on physical probes and third-party tools to debug their networks. Programmability and debugging go hand in hand; the lack of tools to debug and understand the network hampers the growth of programmability.

2.6 Intrusion From Within
Intrusion has been a major problem since the widespread deployment of web infrastructure; Allen et al. [9] summarize the state of the practice. With virtualization, multi-tenancy, and bring-your-own-device, the enterprise and the data center are now vulnerable to attack from within the network. Securing the programmable network requires forensics and intrusion detection inside the network, not only at the edge.

3. NETVISOR ARCHITECTURE
The goal of Netvisor is to make a switch programmable like a server. Netvisor leverages the new breed of switches by memory-mapping the switch chip into the kernel over PCI-Express and taking advantage of the powerful control processors, large amounts of memory, and storage built into the switch chassis. In the next sections we describe the Netvisor architecture and the hardware platforms it can run on.

3.1 Bare Metal Network OS
Netvisor integrates a switch chip into a server operating system over PCI-Express. The switch register space is memory-mapped into the kernel, where the kernel manages the MAC, IP and flow tables. There is no hardware MAC learning on the switch chip; when there is a MAC table miss in hardware the packet is forwarded to the kernel. The kernel keeps a MAC table in main memory that is much larger than hardware traditionally supports and uses the hardware table as a cache that is updated on a miss. Access to the switch for table updates is multi-threaded and protected by fine-grained locks, providing high-bandwidth, low-latency access for control plane operations and flow-related traffic. Figure 1 contrasts Netvisor on a Server-Switch using the current generation of switch chips with a traditional switch where the OS runs on a low-powered control processor over low-speed busses.
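The miss-driven cache design of Section 3.1, as an added example that is not Netvisor code: the switch chip does no learning, a frame whose source or destination misses the bounded hardware table is punted to the kernel, and the kernel learns the source port (handling a MAC that has moved), resolves the destination from its large software table and installs the entries into hardware. The table capacity, the LRU eviction policy, the decision to punt on a source-address miss and the sample MAC addresses are assumptions of this model.

```python
"""Software-managed MAC table with the hardware table as a miss-driven cache.

Added example, not Netvisor code. Models Section 3.1: no hardware learning;
a hardware miss punts the frame to the kernel, which learns the source port,
looks the destination up in the large software table and installs entries
into the bounded hardware table. Capacity, LRU eviction and punting on a
source-address miss are assumptions of this model.
"""
from collections import OrderedDict

FLOOD = "flood"


class MacTables:
    def __init__(self, hw_capacity):
        self.hw_capacity = hw_capacity
        self.software = {}              # (vlan, mac) -> port, unbounded, in main memory
        self.hardware = OrderedDict()   # (vlan, mac) -> port, bounded, LRU ordered
        self.stats = {"hw_hit": 0, "hw_miss": 0, "moves": 0, "floods": 0}

    def _install(self, key, port):
        """Write an entry to the hardware table, evicting the least recently used."""
        if key in self.hardware:
            self.hardware.move_to_end(key)
        elif len(self.hardware) >= self.hw_capacity:
            self.hardware.popitem(last=False)
        self.hardware[key] = port

    def learn(self, vlan, mac, port):
        """Software learning; a MAC seen on a different port has migrated."""
        key = (vlan, mac)
        old = self.software.get(key)
        if old is not None and old != port:
            self.stats["moves"] += 1
            self.hardware.pop(key, None)   # never keep forwarding to the stale port
        self.software[key] = port

    def forward(self, vlan, src_mac, dst_mac, in_port):
        """Return the egress port for one frame, or FLOOD for an unknown destination."""
        src_key, dst_key = (vlan, src_mac), (vlan, dst_mac)
        hw_dst = self.hardware.get(dst_key)
        if self.hardware.get(src_key) == in_port and hw_dst is not None:
            self.stats["hw_hit"] += 1          # fast path: no CPU involvement
            self.hardware.move_to_end(dst_key)
            return hw_dst
        # slow path: hardware miss, frame punted to the kernel over PCI-Express
        self.stats["hw_miss"] += 1
        self.learn(vlan, src_mac, in_port)
        self._install(src_key, in_port)
        port = self.software.get(dst_key)
        if port is None:
            self.stats["floods"] += 1
            return FLOOD
        self._install(dst_key, port)
        return port


def demo():
    """Two VMs talk, one migrates to another port, a third host forces an eviction."""
    t = MacTables(hw_capacity=2)       # tiny on purpose; real tables hold thousands
    a, b, c = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
    decisions = [
        t.forward(10, a, b, in_port=1),   # both unknown: learn a@1, flood
        t.forward(10, b, a, in_port=2),   # b unknown: learn b@2, a found in software
        t.forward(10, a, b, in_port=1),   # hardware hit, kernel not involved
        t.forward(10, a, b, in_port=3),   # a migrated to port 3: source mismatch, move
        t.forward(10, b, a, in_port=2),   # hit, and a now resolves to port 3
        t.forward(10, c, a, in_port=4),   # c unknown: install evicts the LRU entry (b)
    ]
    return decisions, t


if __name__ == "__main__":
    decisions, tables = demo()
    print(decisions, tables.stats, dict(tables.hardware), tables.software)
```

The point the model makes is the one the paper relies on: after the last frame the software table still knows all three hosts while the two-entry hardware table holds only the two most recently used, and the stale hardware entry for a migrated MAC is dropped the moment the move is learned, so traffic is never black-holed to the old port.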
Figure 1: Server-Switch Compared to Traditional Switch

3.2 High Performance Flow Programming
The 2-4 lanes of PCI-Express Gen2 between the CPU and the switch chip provide 8-16Gbps of bandwidth between the two. Coupling the switch chip to a modern Intel Ivy Bridge CPU over PCI-Express enables high-performance network applications that run directly on the switch: an application creates flows to capture the traffic relevant to it and injects packets into the switch from the CPU. Netvisor's vflow feature creates flows that alter the behavior of the switch for packets that match the flow. Packets may be selected using any combination of L1-L4 attributes. Actions that can be applied to a matching flow include:
- Drop
- Redirect to CPU, port, or IP address
- Mirror to port or IP address
- Set VLAN or tunnel
- Copy to CPU
- Log statistics
- Log packets
- Set bandwidth minimum/maximum

A flow may be created using Netvisor's CLI, C API, or Java API. Netvisor's own control plane uses flows to redirect control plane traffic such as STP to the CPU; Netvisor processes that traffic and injects packets into the switch as appropriate. In the same way, an application developer can create flows to redirect or copy selected traffic to an application for processing using the C and Java APIs. The application can respond to redirected traffic by injecting packets into the switch, or it can analyze or log copied traffic. Netvisor's OpenFlow [8] integration is implemented using the same APIs that are available to developers. The C API may also be used to develop applications that run outside the switch, communicating with the Netvisor control plane over SSL. A REST API will be available in an upcoming version of Netvisor.

3.3 Hardware Platforms and Performance
The current breed of switch designs based on Intel and Broadcom switch chips [1][2] have server-like characteristics.
Some of these designs have been submitted to the Open Compute Project [10], and many original design manufacturers are building switches based on OCP specifications that may be modified to include powerful multi-core control processors and 8-16GB or more of main memory. Such an enhanced design has the ability to run Netvisor. Figure 1 shows one such design with dual-socket, server-class control processors, 64GB of RAM, and PCI-Express flash-based storage, on which Netvisor can be a platform for large-scale analytics, orchestration, and security applications.

Table 1: Control Plane Data Transfer Per Second
    ipkts   ibytes   idrops   opkts   obytes   odrops
    8.91K   1.15M    -        -K      373K     0
(the idrops and opkts values did not survive extraction; the text below states that no packets were dropped in this sample)

Table 1 shows the control plane I/O rates over a period of 1 second in a lightly virtualized rack: the number of packets and bytes received and transmitted, along with the number of dropped packets (none in this sample). The control traffic consists of the software-based MAC table used to provide ARP suppression, congestion analytics, and application-level analytics. The virtual machines were lightly loaded, so application-level traffic was at the level of a few thousand TCP sessions. ARP traffic was both sent and received by Netvisor to implement ARP suppression, while selected TCP traffic was only copied to Netvisor to implement application analytics; hence the lower transmit rate compared to the receive rate. In a moderately loaded rack, the peak rates exceed 100K packets per second.

4. ANALYTICS
The Netvisor architecture provides several advantages for analytics. High bandwidth between the CPU and the switch allows deep visibility into the network data. Added memory and disk capacity enable a long history of network events. Powerful CPUs allow rich analytics to be applied to captured data. Netvisor leverages these factors to give the administrator the data and tools needed to analyze network activity.
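The vflow match-and-action model of Section 3.2, which the analytics in this section rely on to copy selected traffic to the CPU, as an added example that is not Netvisor code: a flow matches any combination of L1-L4 fields (fields left unspecified are wildcards) and carries actions that either replace normal forwarding (drop, redirect) or leave it untouched and add a side effect (copy, mirror, log statistics). The field names, the priority rule, the packet dictionary layout and the sample flows and addresses are assumptions of this model; it generalizes the paper's STP-to-CPU and copy-to-CPU examples to a full priority-ordered table.

```python
"""Priority-ordered flow classification with vflow-style actions.

Added example, not Netvisor code. Models the Section 3.2 semantics: a flow
matches any combination of L1-L4 fields (unspecified fields are wildcards)
and its actions either replace forwarding (drop, redirect) or add side
effects (copy, mirror, log). Field names, the priority rule and the packet
dictionary layout are assumptions.
"""

MATCH_FIELDS = ("in_port", "vlan", "src_mac", "dst_mac", "eth_type",
                "src_ip", "dst_ip", "proto", "src_port", "dst_port")
STP_MAC = "01:80:c2:00:00:00"   # IEEE 802.1D bridge group address


class Flow:
    def __init__(self, name, priority, actions, **match):
        unknown = set(match) - set(MATCH_FIELDS)
        if unknown:
            raise ValueError(f"unknown match fields: {sorted(unknown)}")
        self.name, self.priority, self.actions, self.match = name, priority, actions, match

    def matches(self, pkt):
        return all(pkt.get(field) == value for field, value in self.match.items())


class FlowTable:
    """Highest priority wins; among equal priorities the earlier flow wins."""

    def __init__(self):
        self.flows = []

    def add(self, flow):
        self.flows.append(flow)
        self.flows.sort(key=lambda f: -f.priority)   # sort is stable

    def classify(self, pkt, default_port):
        """Decide one packet: egress port, "cpu", or None (dropped), plus copies."""
        decision = {"egress": default_port, "copies": [], "vlan": pkt.get("vlan"),
                    "flow": None, "logged": False}
        for flow in self.flows:
            if not flow.matches(pkt):
                continue
            decision["flow"] = flow.name
            for kind, *arg in flow.actions:
                if kind == "drop":
                    decision["egress"] = None
                elif kind == "redirect":            # replaces normal forwarding
                    decision["egress"] = arg[0]
                elif kind in ("copy", "mirror"):    # forwarding continues unchanged
                    decision["copies"].append(arg[0])
                elif kind == "set_vlan":
                    decision["vlan"] = arg[0]
                elif kind == "log_stats":
                    decision["logged"] = True
                else:
                    raise ValueError(f"unknown action {kind}")
            break                                   # first (highest priority) match wins
        return decision


def build_table():
    """Flows of the kinds the paper describes: control plane, analytics, snoop, block."""
    table = FlowTable()
    table.add(Flow("stp-to-cpu", 100, [("redirect", "cpu")], dst_mac=STP_MAC))
    table.add(Flow("block-host", 90, [("drop",)], src_ip="10.0.0.7"))
    table.add(Flow("http-analytics", 50, [("copy", "cpu"), ("log_stats",)],
                   proto="tcp", dst_port=80))
    table.add(Flow("icmp-snoop", 50, [("copy", "cpu")], proto="icmp"))
    return table


def demo():
    """Classify constructed packets; the hardware would normally forward all to port 12."""
    table = build_table()
    packets = [
        {"in_port": 3, "vlan": 1, "dst_mac": STP_MAC, "eth_type": "llc"},
        {"in_port": 3, "vlan": 1, "eth_type": "ip", "proto": "tcp",
         "src_ip": "10.0.0.5", "dst_ip": "10.0.1.10", "dst_port": 80},
        {"in_port": 4, "vlan": 1, "eth_type": "ip", "proto": "tcp",
         "src_ip": "10.0.0.7", "dst_ip": "10.0.1.10", "dst_port": 80},
        {"in_port": 5, "vlan": 1, "eth_type": "ip", "proto": "icmp",
         "src_ip": "10.0.0.8", "dst_ip": "10.0.1.10"},
        {"in_port": 5, "vlan": 1, "eth_type": "ip", "proto": "tcp",
         "src_ip": "10.0.0.8", "dst_ip": "10.0.1.10", "dst_port": 22},
    ]
    return [table.classify(pkt, default_port=12) for pkt in packets]


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The third packet is the case to check when writing a blocking flow: it matches both the analytics flow and the block flow, and only the higher priority drop is applied, so the blocked host's traffic is neither forwarded nor copied to the analytics application. A copy-to-CPU flow, by contrast, never changes where the packet goes, which is what makes it safe to use for the connection tracking described below.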
4.1 Congestion Analytics
Netvisor tracks various port and system statistics over time, including congestion data that indicates when and where packets are dropped. Command 1 shows the congestion on port 41 between March 10, 10:06am and March 10, 10:12am, when network degradation was reported.

Command 1: Congestion on port 41
    CLI> port-stats-show start-time 3-10,10:06 end-time 3-10,10:12 port 41
    port  timestamp    obytes  ocongdrops
    41    3-10,10:06   -G
    41    3-10,10:07   -G
    41    3-10,10:08   -G      1.28M
    41    3-10,10:09   -G      4.85M
    41    3-10,10:10   -G
    41    3-10,10:11   -G      0
(the obytes magnitudes, in the G range, and the blank ocongdrops cells did not survive extraction)

Here we've restricted the output to just the egress bytes and egress congestion drops for port 41, although many other counters may be displayed from the historical data.

4.2 Application Level Analytics
Application-level network activity is also tracked. Each TCP connection is logged, from client MAC/IP/port to server MAC/IP/port, along with the latency and bandwidth used by the connection. Command 2 shows the connections during the period in which congestion was seen.

Command 2: Connection history
    CLI> connection-show start-time 3-18,10:06 end-time 3-18,10:12 sort-desc total-bytes
    client-ip  server-ip  port   bytes
    -          -          http   138M
    -          -          http   96M
    -          -          http   16M
    -          -          http   10M
    -          -          http   4.51M
    -          -          nfs    3.39M
    -          -          https  2.62M
    -          -          https  2.16M
    -          -          http   2.16M
    -          -          http   1.28M
    -          -          http   1.22M
    -          -          http   1.18M
    -          -          http   1.16M
    -          -          http   1.12M
    -          -          https  1.09M
    -          -          https  1.08M
    -          -          http   1.08M
(client and server addresses did not survive extraction)

The data shows primarily HTTP connections during the timeframe. It is often difficult to discover the issue by looking at single connections, so Netvisor provides tools to perform analysis and sorting on the data. The sum-by argument allows the user to specify which endpoints to aggregate data for, and sort-desc sorts the output in descending order on the specified field. Command 3 uses these options to determine which server is fielding the most traffic.

Command 3: Data reduction on connection history
    CLI> connection-show start-time 3-18,10:06 end-time 3-18,10:12 sum-by server-ip,port sort-desc total-bytes
    count  server-ip  port   bytes
    -      -          http   18.1G
    -      -          http   16.5G
    -      -          http   10.4G
    -      -          http   6.71G
    -      -          https  1.50G
    -      -          http   555M
    -      -          http   339M
    -      -          http   192M
    -      -          https  162M
    -      -          https  152M
    -      -          https  133M
    -      -          https  130M
    -      -          http   120M
    -      -          http   119M
(the count and server address columns did not survive extraction)

The count column indicates the number of connections that were summed for the given server and port.
The bytes transferred per connection were also summed to give the total bytes transferred by the server during the specified timeframe. We could also query by client IP to find the client generating the most data or the highest number of connections. The ability to specify which fields to sum by and which fields to sort on allows great flexibility in mining the data.

Netvisor also compiles client-server relationships over time. In particular, outstanding TCP SYN and completed TCP FIN counts are tracked to find misbehaving clients or network problems. Command 4 shows an example of the client-server relationships sorted by finished connections.

Command 4: Client-server relationships
    CLI (network-admin@pn-dev02) > clientserver-stats-show sort-desc fin
    client-ip  server-ip  port   syn   fin
    -          -          -      -K    21.9K
    -          -          -      -K    21.8K
    -          -          ssh    -K    -
    (further rows for http, https, http, ssh, ssh, ssh, ssh, http, ssh, nfs and nfs follow)
(addresses and most counters did not survive extraction; only the port column and the two largest fin counts are legible)

Real-time analysis is also possible and merely involves changing the time specification. Command 5 shows application-level activity in the last five minutes.

Command 5: Connections in the last five minutes
    CLI> connection-show within-last 5m
    client-ip  server-ip  port   bytes   age
    -          -          https  382     1s
    -          -          https  0       2s
    -          -          https  0       2s
    -          -          https  1.36K   2s
    -          -          https  0       2s
    -          -          nfs    74      2s
    -          -          https  5.41K   3s
    -          -          http   10.4K   13s
    -          -          https  7.88K   13s
    -          -          https  9.59K   13s
    -          -          nfs    74      16s
(addresses did not survive extraction)

4.3 Packet Capture
Netvisor's CLI includes a built-in application, vflow-snoop, which displays packets that match a flow or set of flows. vflow-snoop is useful for troubleshooting. For example, to observe ICMP traffic flowing through the switch the user runs:

    vflow-snoop scope local proto icmp action copy-to-cpu

vflow-snoop prints metadata about each packet received, including the ingress port and a timestamp, along with the Ethernet and IP headers.

Table 2: vflow-snoop output
    Port             48
    Size             82
    Time             22:02:(seconds truncated)
    Source Mac       00:00:24:d0:41:35
    Destination Mac  66:0e:94:21:f8:03
    VLAN             1
    Ethernet Type    IP
    Source IP        -
    Destination IP   -
    Protocol         ICMP
(the IP addresses and the seconds field did not survive extraction)

Vflow may also be used to record packet captures to disk for later analysis. Captures are saved in a pcap-compatible format and may be accessed via NFS or SFTP.

5. FUTURE WORK: INTRUSION DETECTION
On-switch analytics and packet capture lay the groundwork for future work in Netvisor: intrusion detection built into the switch. The persistent connection history may be used to establish a baseline for what constitutes normal network activity [13]. To establish a baseline, the connection-show and connection-stats-show commands are used to determine which hosts have communicated with each other and how much traffic each host has handled during a specified time interval.
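The data reduction of Section 4.2 (sum-by and sort-desc over connection records, SYN/FIN tracking per client-server pair) and the baseline-then-deviate scheme this section describes, as one added example that is not Netvisor code. The record layout, the alert thresholds, the response mapping and all sample connections are constructed assumptions; on the switch the records would come from connection-show and connection-stats-show or the C and Java APIs. It goes beyond the paper's sketch in one respect: the deviation band is a mean plus k standard deviations with a floor, so a flat history cannot produce a zero-width band that alerts on every change.

```python
"""Connection-history analytics and baseline deviation detection.

Added example, not Netvisor code: a Python rendering of the sum-by / sort-desc
reduction and SYN/FIN tracking of Section 4.2 and the baseline-then-deviate
scheme of Section 5. Record layout, thresholds and sample data are constructed
assumptions; on the switch the records come from connection-show and
connection-stats-show or the C and Java APIs.
"""
from collections import defaultdict
from statistics import mean, pstdev


def sum_by(conns, keys, sort_field="bytes"):
    """Aggregate records on `keys`, e.g. ("server_ip", "port"), sorted descending."""
    agg = {}
    for c in conns:
        row = agg.setdefault(tuple(c[k] for k in keys), {"count": 0, "bytes": 0})
        row["count"] += 1
        row["bytes"] += c["bytes"]
    return sorted(agg.items(), key=lambda kv: kv[1][sort_field], reverse=True)


def syn_fin_stats(events):
    """events: (client_ip, server_ip, port, "SYN" | "FIN") observed by the switch."""
    stats = defaultdict(lambda: {"syn": 0, "fin": 0})
    for client, server, port, flag in events:
        stats[(client, server, port)][flag.lower()] += 1
    return dict(stats)


def half_open_pairs(stats, min_syn=20, max_fin_ratio=0.2):
    """Pairs with many SYNs and few FINs: a SYN flood or a misbehaving client."""
    return [(pair, s["syn"], s["fin"]) for pair, s in stats.items()
            if s["syn"] >= min_syn and s["fin"] <= max_fin_ratio * s["syn"]]


def per_host_volume(conns):
    vol = defaultdict(lambda: {"count": 0, "bytes": 0})
    for c in conns:
        vol[c["client_ip"]]["count"] += 1
        vol[c["client_ip"]]["bytes"] += c["bytes"]
    return vol


def build_baseline(history):
    """history: one connection list per past window (e.g. each of the last N days)."""
    windows = [per_host_volume(w) for w in history]
    base = {}
    for host in set().union(*(w.keys() for w in windows)):
        base[host] = {}
        for field in ("count", "bytes"):
            series = [w[host][field] if host in w else 0 for w in windows]
            base[host][field] = (mean(series), pstdev(series))
    return base


def deviations(current, base, k=3.0, floor_ratio=0.1):
    """Flag unknown hosts and hosts above mean + k*sigma; sigma is floored at
    floor_ratio*mean (and 1) so a flat history cannot alert on every change."""
    alerts = []
    for host, v in per_host_volume(current).items():
        if host not in base:
            alerts.append((host, "new-host", v["count"], v["bytes"]))
            continue
        for field in ("count", "bytes"):
            mu, sigma = base[host][field]
            limit = mu + k * max(sigma, floor_ratio * mu, 1.0)
            if v[field] > limit:
                alerts.append((host, field, v[field], round(limit, 1)))
    return alerts


def response_flows(alerts, half_open):
    """Turn findings into vflow-style responses (illustrative spec, not CLI syntax)."""
    flows = [{"src_ip": h, "action": "copy-to-cpu" if kind == "new-host" else "bw-max",
              "reason": kind} for h, kind, *_ in alerts]
    flows += [{"src_ip": c, "dst_ip": s, "dst_port": p, "action": "drop",
               "reason": f"syn={syn} fin={fin}"} for (c, s, p), syn, fin in half_open]
    return flows


# Constructed sample: three days of history, then the current day.
def _day(a_conns, b_conns):
    a = {"client_ip": "10.0.0.5", "server_ip": "10.0.1.10", "port": 80, "bytes": 100_000}
    b = {"client_ip": "10.0.0.6", "server_ip": "10.0.1.20", "port": 443, "bytes": 50_000}
    return [dict(a) for _ in range(a_conns)] + [dict(b) for _ in range(b_conns)]

HISTORY = [_day(10, 4), _day(12, 6), _day(11, 5)]
CURRENT = _day(40, 6) + [{"client_ip": "10.0.0.99", "server_ip": "10.0.1.30",
                          "port": 22, "bytes": 1_000} for _ in range(3)]
EVENTS = ([("10.0.0.7", "10.0.1.10", 443, "SYN")] * 50 + [("10.0.0.7", "10.0.1.10", 443, "FIN")] * 2
          + [("10.0.0.5", "10.0.1.10", 80, "SYN")] * 30 + [("10.0.0.5", "10.0.1.10", 80, "FIN")] * 28)


def demo():
    top = sum_by(CURRENT, ("server_ip", "port"))
    flagged = half_open_pairs(syn_fin_stats(EVENTS))
    alerts = deviations(CURRENT, build_baseline(HISTORY))
    return top, flagged, alerts, response_flows(alerts, flagged)
```

With this data the host that normally opens 10 to 12 connections a day and now opens 40 is flagged on both connection count and bytes, the host within its band is not, the never-seen host is flagged as new rather than compared against a baseline it does not have, and the client with 50 SYNs and 2 FINs is singled out by the SYN/FIN check independently of any volume baseline. A real deployment would choose k, the floor and the window length from the network's own history rather than these constants.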
For a client host, the command:

    connection-show client-ip <client> start-time <time> duration 1d

displays all of the connections that originated from the given client IP address in the 24 hours starting at midnight on March 16. Similarly, the command:

    connection-show server-ip <server> start-time <time> duration 1d

displays all of the server connections to that host in the same period. The command:

    connection-show start-time <time> duration 1d

displays all TCP connections through the switch during the interval and may be used to establish a comprehensive baseline for the entire network. Finer-grained baselines based on traffic during shorter intervals throughout the day or week may be established by running a series of connection-show commands with start-time and duration parameters that pick out the intervals of interest.

The connection-stats-show command displays the number of TCP connections and the amount of data handled by each host on the network. It has start-time and duration arguments that may be used to gather data for baselines based on volume of traffic. Netvisor's C and Java APIs may be used by an application instead of the CLI to gather baseline statistics.

Once a baseline has been established, ongoing analytics may be monitored for deviations from it by periodically running connection-show and connection-stats-show or their C or Java API equivalents. As noted in Section 4.2, the connection-stats-show command can be used to detect an imbalance between TCP SYN and FIN packets, which identifies certain DDoS attacks. With sufficient memory and storage, the switch can run intrusion detection software such as Snort [14], Suricata [15] and Bro [16]: vflows are established to capture packets for inspection, and the packets are fed into the intrusion detection software. When deviations from baseline activity or intrusions are detected, a variety of actions may be taken depending on the configuration established by the administrator. Actions include:
- Write a message to syslog
- Send an email or text message to an administrator
- Create a new vflow to block suspicious traffic
- Create a new vflow to reduce the bandwidth available to suspicious traffic

6. CONCLUSION
The Netvisor architecture presented in this paper introduces a novel approach to making switches more programmable and realizing the vision of Software Defined Networking. By offering a fully multithreaded, low-latency, high-bandwidth OS on the bare metal switch, a new class of applications is enabled. The switch can be orchestrated just like a server, while physical and virtual applications are deployed on the switch itself. The core of the Netvisor architecture has been implemented over four years and recently entered production in different types of environments. Built-in applications such as Cluster-Fabric, which treats multiple switches as one logical switch, ARP suppression to scale virtualized environments, and application-level debugging and analytics are making users realize the power of software defined networks. Collaborative work is ongoing with researchers, developers, and partners to migrate existing applications and develop new applications on Netvisor in both proof-of-concept and production networks.

7. REFERENCES
[1] R. Ozdag. Intel Ethernet Switch FM6000 Series - Software Defined Networking. Intel white paper. URL (truncated in source): s/en/documents/white-papers/ethernet-switch-fm6000-sdn-paper.pdf
[2] Broadcom. Strata XGS Trident II Ethernet Switch Series. URL (truncated in source): Data-Center/BCM56850-Series
[3] G. Liao, D. Guo, L. Bhuyan, S. King. Software techniques to improve virtualized I/O performance on multi-core systems. 4th ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS). ACM.
[4] S. Tripathi, N. Droux, T. Srinivasan, K. Belgaied. Crossbow: From H/W virtualized NICs to virtualized networks. Proceedings of the 1st ACM Workshop on Virtualized Infrastructure Systems and Architectures (VISA), 2009.
[5] R. N. Mysore, A. Pamboris, N. Farrington, N. Huang, P. Miri, S. Radhakrishnan, V. Subramanya, and A. Vahdat. PortLand: A scalable fault-tolerant layer 2 data center network fabric. ACM SIGCOMM 2009.
[6] A. Greenberg, J. Hamilton, D. A. Maltz, and P. Patel. The cost of a cloud: research problems in data center networks. ACM SIGCOMM Computer Communication Review.
[7] T. Koponen, M. Casado, N. Gude, J. Stribling, L. Poutievski, M. Zhu, R. Ramanathan, Y. Iwata, H. Inoue, T. Hama, and S. Shenker. Onix: A distributed control platform for large-scale production networks. USENIX OSDI.
[8] N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson, J. Rexford, S. Shenker, and J. Turner. OpenFlow: enabling innovation in campus networks. ACM SIGCOMM Computer Communication Review.
[9] J. Allen, A. Christie, W. Fithen, J. McHugh, J. Pickel, E. Stoner. State of the Practice of Intrusion Detection Technologies. Technical Report CMU/SEI-99-TR-028. Carnegie Mellon University.
[10] Open Compute Project. URL (truncated in source): pecsanddesigns
[11] A. Myers, E. Ng, and H. Zhang. Rethinking the service model: scaling Ethernet to a million nodes. HotNets, November 2004.
[12] C. Kim, M. Caesar, and J. Rexford. Floodless in SEATTLE: a scalable Ethernet architecture for large enterprises. ACM SIGCOMM Computer Communication Review, Vol. 38, No. 4.
[13] Y. Gu, A. McCallum, D. Towsley. Detecting Anomalies in Network Traffic Using Maximum Entropy Estimation. Proceedings of the USENIX Internet Measurement Conference 2005, Berkeley. USENIX Association.
[14] M. Roesch. Snort - Lightweight Intrusion Detection for Networks. Proceedings of LISA '99: 13th Systems Administration Conference, Seattle. USENIX Association.
[15] Suricata Open Source IDS/IPS/NSM Engine. (URL lost in source)
[16] V. Paxson. Bro: A System for Detecting Network Intruders in Real-Time. Proceedings of the 7th USENIX Security Symposium, San Antonio, 1998.
More informationCisco Nexus 1000V Switch for Microsoft Hyper-V
Data Sheet Cisco Nexus 1000V Switch for Microsoft Hyper-V Product Overview Cisco Nexus 1000V Switches provide a comprehensive and extensible architectural platform for virtual machine and cloud networking.
More informationAxon: A Flexible Substrate for Source- routed Ethernet. Jeffrey Shafer Brent Stephens Michael Foss Sco6 Rixner Alan L. Cox
Axon: A Flexible Substrate for Source- routed Ethernet Jeffrey Shafer Brent Stephens Michael Foss Sco6 Rixner Alan L. Cox 2 Ethernet Tradeoffs Strengths Weaknesses Cheap Simple High data rate Ubiquitous
More informationSOFTWARE-DEFINED NETWORKING AND OPENFLOW
SOFTWARE-DEFINED NETWORKING AND OPENFLOW Freddie Örnebjär TREX Workshop 2012 2012 Brocade Communications Systems, Inc. 2012/09/14 Software-Defined Networking (SDN): Fundamental Control
More informationAdvanced Computer Networks. Datacenter Network Fabric
Advanced Computer Networks 263 3501 00 Datacenter Network Fabric Patrick Stuedi Spring Semester 2014 Oriana Riva, Department of Computer Science ETH Zürich 1 Outline Last week Today Supercomputer networking
More informationJ-Flow on J Series Services Routers and Branch SRX Series Services Gateways
APPLICATION NOTE Juniper Flow Monitoring J-Flow on J Series Services Routers and Branch SRX Series Services Gateways Copyright 2011, Juniper Networks, Inc. 1 APPLICATION NOTE - Juniper Flow Monitoring
More informationTen Things to Look for in an SDN Controller
Ten Things to Look for in an SDN Controller Executive Summary Over the last six months there has been significant growth in the interest that IT organizations have shown in Software-Defined Networking
More informationSoftware Defined Networking What is it, how does it work, and what is it good for?
Software Defined Networking What is it, how does it work, and what is it good for? slides stolen from Jennifer Rexford, Nick McKeown, Michael Schapira, Scott Shenker, Teemu Koponen, Yotam Harchol and David
More informationLimitations of Current Networking Architecture OpenFlow Architecture
CECS 572 Student Name Monday/Wednesday 5:00 PM Dr. Tracy Bradley Maples OpenFlow OpenFlow is the first open standard communications interface that enables Software Defined Networking (SDN) [6]. It was
More informationEnabling Technologies for Distributed Computing
Enabling Technologies for Distributed Computing Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF Multi-core CPUs and Multithreading Technologies
More informationOpenFlow and Software Defined Networking presented by Greg Ferro. OpenFlow Functions and Flow Tables
OpenFlow and Software Defined Networking presented by Greg Ferro OpenFlow Functions and Flow Tables would like to thank Greg Ferro and Ivan Pepelnjak for giving us the opportunity to sponsor to this educational
More informationIntrusion Detection Systems (IDS)
Intrusion Detection Systems (IDS) What are They and How do They Work? By Wayne T Work Security Gauntlet Consulting 56 Applewood Lane Naugatuck, CT 06770 203.217.5004 Page 1 6/12/2003 1. Introduction Intrusion
More informationTHE CHANGING FACE OF SDN. Guido Appenzeller 2014
THE CHANGING FACE OF SDN Guido Appenzeller 2014 AGENDA Agenda: Why SDN? Origins of SDN Hypervisor Switches Bare Metal Switches Where is SDN today? 2013 BIG SWITCH NETWORKS, INC. WWW.BIGSWITCH.COM 2 CLOSED
More informationOpen Source Network: Software-Defined Networking (SDN) and OpenFlow
Open Source Network: Software-Defined Networking (SDN) and OpenFlow Insop Song, Ericsson LinuxCon North America, Aug. 2012, San Diego CA Objectives Overview of OpenFlow Overview of Software Defined Networking
More informationData Center Network Topologies: FatTree
Data Center Network Topologies: FatTree Hakim Weatherspoon Assistant Professor, Dept of Computer Science CS 5413: High Performance Systems and Networking September 22, 2014 Slides used and adapted judiciously
More informationOpenFlow based Load Balancing for Fat-Tree Networks with Multipath Support
OpenFlow based Load Balancing for Fat-Tree Networks with Multipath Support Yu Li and Deng Pan Florida International University Miami, FL Abstract Data center networks are designed for satisfying the data
More informationProgrammable Networking with Open vswitch
Programmable Networking with Open vswitch Jesse Gross LinuxCon September, 2013 2009 VMware Inc. All rights reserved Background: The Evolution of Data Centers Virtualization has created data center workloads
More informationFlexible SDN Transport Networks With Optical Circuit Switching
Flexible SDN Transport Networks With Optical Circuit Switching Multi-Layer, Multi-Vendor, Multi-Domain SDN Transport Optimization SDN AT LIGHT SPEED TM 2015 CALIENT Technologies 1 INTRODUCTION The economic
More informationSet Up a VM-Series Firewall on an ESXi Server
Set Up a VM-Series Firewall on an ESXi Server Palo Alto Networks VM-Series Deployment Guide PAN-OS 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara,
More informationEnabling Technologies for Distributed and Cloud Computing
Enabling Technologies for Distributed and Cloud Computing Dr. Sanjay P. Ahuja, Ph.D. 2010-14 FIS Distinguished Professor of Computer Science School of Computing, UNF Multi-core CPUs and Multithreading
More informationMicrosegmentation Using NSX Distributed Firewall: Getting Started
Microsegmentation Using NSX Distributed Firewall: VMware NSX for vsphere, release 6.0x REFERENCE PAPER Table of Contents Microsegmentation using NSX Distributed Firewall:...1 Introduction... 3 Use Case
More informationBURSTING DATA BETWEEN DATA CENTERS CASE FOR TRANSPORT SDN
BURSTING DATA BETWEEN DATA CENTERS CASE FOR TRANSPORT SDN Abhinava Sadasivarao, Sharfuddin Syed, Ping Pan, Chris Liou (Infinera) Inder Monga, Andrew Lake, Chin Guok Energy Sciences Network (ESnet) IEEE
More informationData Center Network Evolution: Increase the Value of IT in Your Organization
White Paper Data Center Network Evolution: Increase the Value of IT in Your Organization What You Will Learn New operating demands and technology trends are changing the role of IT and introducing new
More informationVXLAN: Scaling Data Center Capacity. White Paper
VXLAN: Scaling Data Center Capacity White Paper Virtual Extensible LAN (VXLAN) Overview This document provides an overview of how VXLAN works. It also provides criteria to help determine when and where
More informationThe Lagopus SDN Software Switch. 3.1 SDN and OpenFlow. 3. Cloud Computing Technology
3. The Lagopus SDN Software Switch Here we explain the capabilities of the new Lagopus software switch in detail, starting with the basics of SDN and OpenFlow. 3.1 SDN and OpenFlow Those engaged in network-related
More informationSecuring Local Area Network with OpenFlow
Securing Local Area Network with OpenFlow Master s Thesis Presentation Fahad B. H. Chowdhury Supervisor: Professor Jukka Manner Advisor: Timo Kiravuo Department of Communications and Networking Aalto University
More informationWhite Paper. Juniper Networks. Enabling Businesses to Deploy Virtualized Data Center Environments. Copyright 2013, Juniper Networks, Inc.
White Paper Juniper Networks Solutions for VMware NSX Enabling Businesses to Deploy Virtualized Data Center Environments Copyright 2013, Juniper Networks, Inc. 1 Table of Contents Executive Summary...3
More informationWhere IT perceptions are reality. Test Report. OCe14000 Performance. Featuring Emulex OCe14102 Network Adapters Emulex XE100 Offload Engine
Where IT perceptions are reality Test Report OCe14000 Performance Featuring Emulex OCe14102 Network Adapters Emulex XE100 Offload Engine Document # TEST2014001 v9, October 2014 Copyright 2014 IT Brand
More informationGlobal Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com
Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com W H I T E P A P E R O r a c l e V i r t u a l N e t w o r k i n g D e l i v e r i n g F a b r i c
More informationHigh-performance vswitch of the user, by the user, for the user
A bird in cloud High-performance vswitch of the user, by the user, for the user Yoshihiro Nakajima, Wataru Ishida, Tomonori Fujita, Takahashi Hirokazu, Tomoya Hibi, Hitoshi Matsutahi, Katsuhiro Shimano
More informationWedge Networks: Transparent Service Insertion in SDNs Using OpenFlow
Wedge Networks: EXECUTIVE SUMMARY In this paper, we will describe a novel way to insert Wedge Network s multiple content security services (such as Anti-Virus, Anti-Spam, Web Filtering, Data Loss Prevention,
More informationVirtualization, SDN and NFV
Virtualization, SDN and NFV HOW DO THEY FIT TOGETHER? Traditional networks lack the flexibility to keep pace with dynamic computing and storage needs of today s data centers. In order to implement changes,
More informationSDN. What's Software Defined Networking? Angelo Capossele
SDN What's Software Defined Networking? Angelo Capossele Outline Introduction to SDN OpenFlow Network Functions Virtualization Some examples Opportunities Research problems Security Case study: LTE (Mini)Tutorial
More informationExtensible Network Configuration and Communication Framework
Extensible Network Configuration and Communication Framework Todd Sproull and John Lockwood Applied Research Laboratory Department of Computer Science and Engineering: Washington University in Saint Louis
More informationSDN AND SECURITY: Why Take Over the Hosts When You Can Take Over the Network
SDN AND SECURITY: Why Take Over the s When You Can Take Over the Network SESSION ID: TECH0R03 Robert M. Hinden Check Point Fellow Check Point Software What are the SDN Security Challenges? Vulnerability
More informationPanel : Future Data Center Networks
Vijoy Pandey, Ph.D. CTO, Network IBM Distinguished Engineer vijoy.pandey@us.ibm.com Panel : Future Data Center Networks 2012 IBM Corporation Networking folks were poor Custom silicon or poor functionality
More informationREMOVING THE BARRIERS FOR DATA CENTRE AUTOMATION
REMOVING THE BARRIERS FOR DATA CENTRE AUTOMATION The modern data centre has ever-increasing demands for throughput and performance, and the security infrastructure required to protect and segment the network
More informationThe Impact of Virtualization on Cloud Networking Arista Networks Whitepaper
Virtualization takes IT by storm The Impact of Virtualization on Cloud Networking The adoption of virtualization in data centers creates the need for a new class of networking designed to support elastic
More informationNetwork Security through Software Defined Networking: a Survey
jerome.francois@inria.fr 09/30/14 Network Security through Software Defined Networking: a Survey Jérôme François, Lautaro Dolberg, Olivier Festor, Thomas Engel 2 1 Introduction 2 Firewall 3 Monitoring
More informationBUILDING A NEXT-GENERATION DATA CENTER
BUILDING A NEXT-GENERATION DATA CENTER Data center networking has changed significantly during the last few years with the introduction of 10 Gigabit Ethernet (10GE), unified fabrics, highspeed non-blocking
More informationVCS Monitoring and Troubleshooting Using Brocade Network Advisor
VCS Monitoring and Troubleshooting Using Brocade Network Advisor Brocade Network Advisor is a unified network management platform to manage the entire Brocade network, including both SAN and IP products.
More informationThe Network Hypervisor
IBM Research Abstraction The Hypervisor David Hadas, Haifa Research Lab, Nov, 2010 Davidh@il.ibm.com 1 IBM 2010 Agenda New Requirements from DCNs ization Clouds Our roach: Building Abstracted s lication
More informationAnalyzed compe.tors Cisco RadWare Top Layer RioRey IntruGuard. January 2009. Cristian Velciov. ceo@andrisoft.com (+40) 721 250246
Analyzed compe.tors Cisco RadWare Top Layer RioRey IntruGuard January 2009 Cristian Velciov ceo@andrisoft.com (+40) 721 250246 Andrisoft Solution WANGuard Platform is an enterprise-grade Linux-based software
More informationHow To Orchestrate The Clouddusing Network With Andn
ORCHESTRATING THE CLOUD USING SDN Joerg Ammon Systems Engineer Service Provider 2013-09-10 2013 Brocade Communications Systems, Inc. Company Proprietary Information 1 SDN Update -
More informationNetwork Agent Quick Start
Network Agent Quick Start Topic 50500 Network Agent Quick Start Updated 17-Sep-2013 Applies To: Web Filter, Web Security, Web Security Gateway, and Web Security Gateway Anywhere, v7.7 and 7.8 Websense
More informationA Coordinated. Enterprise Networks Software Defined. and Application Fluent Programmable Networks
A Coordinated Virtual Infrastructure for SDN in Enterprise Networks Software Defined Networking (SDN), OpenFlow and Application Fluent Programmable Networks Strategic White Paper Increasing agility and
More informationMulti-Gigabit Intrusion Detection with OpenFlow and Commodity Clusters
Multi-Gigabit Intrusion Detection with OpenFlow and Commodity Clusters Copyright Ali Khalfan / Keith Lehigh 2012. This work is the intellectual property of the authors. Permission is granted for this material
More informationExtending Networking to Fit the Cloud
VXLAN Extending Networking to Fit the Cloud Kamau WangŨ H Ũ Kamau Wangũhgũ is a Consulting Architect at VMware and a member of the Global Technical Service, Center of Excellence group. Kamau s focus at
More information50. DFN Betriebstagung
50. DFN Betriebstagung IPS Serial Clustering in 10GbE Environment Tuukka Helander, Stonesoft Germany GmbH Frank Brüggemann, RWTH Aachen Slide 1 Agenda Introduction Stonesoft clustering Firewall parallel
More informationLinux KVM Virtual Traffic Monitoring
Linux KVM Virtual Traffic Monitoring East-West traffic visibility Scott Harvey Director of Engineering October 7th, 2015 apcon.com Speaker Bio Scott Harvey Director of Engineering at APCON Responsible
More informationImpact of Virtualization on Cloud Networking Arista Networks Whitepaper
Overview: Virtualization takes IT by storm The adoption of virtualization in datacenters creates the need for a new class of networks designed to support elasticity of resource allocation, increasingly
More informationVM-Series Firewall Deployment Tech Note PAN-OS 5.0
VM-Series Firewall Deployment Tech Note PAN-OS 5.0 Revision A 2012, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Overview... 3 Supported Topologies... 3 Prerequisites... 4 Licensing... 5
More informationHow Solace Message Routers Reduce the Cost of IT Infrastructure
How Message Routers Reduce the Cost of IT Infrastructure This paper explains how s innovative solution can significantly reduce the total cost of ownership of your messaging middleware platform and IT
More informationOptimizing Data Center Networks for Cloud Computing
PRAMAK 1 Optimizing Data Center Networks for Cloud Computing Data Center networks have evolved over time as the nature of computing changed. They evolved to handle the computing models based on main-frames,
More informationCisco Bandwidth Quality Manager 3.1
Cisco Bandwidth Quality Manager 3.1 Product Overview Providing the required quality of service (QoS) to applications on a wide-area access network consistently and reliably is increasingly becoming a challenge.
More informationPRODUCTS & TECHNOLOGY
PRODUCTS & TECHNOLOGY DATA CENTER CLASS WAN OPTIMIZATION Today s major IT initiatives all have one thing in common: they require a well performing Wide Area Network (WAN). However, many enterprise WANs
More informationSet Up a VM-Series Firewall on the Citrix SDX Server
Set Up a VM-Series Firewall on the Citrix SDX Server Palo Alto Networks VM-Series Deployment Guide PAN-OS 6.1 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa
More informationAccelerating Network Virtualization Overlays with QLogic Intelligent Ethernet Adapters
Enterprise Strategy Group Getting to the bigger truth. ESG Lab Review Accelerating Network Virtualization Overlays with QLogic Intelligent Ethernet Adapters Date: June 2016 Author: Jack Poller, Senior
More informationAPV9650. Application Delivery Controller
APV9650 D a t a S h e e t Application Delivery Controller Array Networks APV Series of Application Delivery Controllers optimizes the availability, user experience, performance, security and scalability
More informationAll-Flash Arrays Weren t Built for Dynamic Environments. Here s Why... This whitepaper is based on content originally posted at www.frankdenneman.
WHITE PAPER All-Flash Arrays Weren t Built for Dynamic Environments. Here s Why... This whitepaper is based on content originally posted at www.frankdenneman.nl 1 Monolithic shared storage architectures
More informationOracle Database Scalability in VMware ESX VMware ESX 3.5
Performance Study Oracle Database Scalability in VMware ESX VMware ESX 3.5 Database applications running on individual physical servers represent a large consolidation opportunity. However enterprises
More informationBEHAVIORAL SECURITY THREAT DETECTION STRATEGIES FOR DATA CENTER SWITCHES AND ROUTERS
BEHAVIORAL SECURITY THREAT DETECTION STRATEGIES FOR DATA CENTER SWITCHES AND ROUTERS Ram (Ramki) Krishnan, Brocade Communications Dilip Krishnaswamy, IBM Research Dave Mcdysan, Verizon AGENDA Introduction
More informationAerohive Networks Inc. Free Bonjour Gateway FAQ
Aerohive Networks Inc. Free Bonjour Gateway FAQ 1. About the Product... 1 2. Installation... 2 3. Management... 3 4. Troubleshooting... 4 1. About the Product What is the Aerohive s Free Bonjour Gateway?
More informationDatacenter Operating Systems
Datacenter Operating Systems CSE451 Simon Peter With thanks to Timothy Roscoe (ETH Zurich) Autumn 2015 This Lecture What s a datacenter Why datacenters Types of datacenters Hyperscale datacenters Major
More informationAn Oracle Technical White Paper November 2011. Oracle Solaris 11 Network Virtualization and Network Resource Management
An Oracle Technical White Paper November 2011 Oracle Solaris 11 Network Virtualization and Network Resource Management Executive Overview... 2 Introduction... 2 Network Virtualization... 2 Network Resource
More informationOVERLAYING VIRTUALIZED LAYER 2 NETWORKS OVER LAYER 3 NETWORKS
OVERLAYING VIRTUALIZED LAYER 2 NETWORKS OVER LAYER 3 NETWORKS Matt Eclavea (meclavea@brocade.com) Senior Solutions Architect, Brocade Communications Inc. Jim Allen (jallen@llnw.com) Senior Architect, Limelight
More information