OCTOBER 2010 CONSOLIDATING MULTIPLE NETWORK APPLIANCES




It is possible to consolidate multiple network appliances into a single server using intelligent flow distribution, data sharing and virtualization.

Disclaimer: This document is intended for informational purposes only. Any information herein is believed to be reliable. However, Napatech assumes no responsibility for the accuracy of the information. Napatech reserves the right to change the document and the products described without notice. Napatech and the authors disclaim any and all liabilities. Napatech is a trademark used under license by Napatech A/S. All other logos, trademarks and service marks are the property of the respective third parties. Copyright Napatech A/S 2014. All rights reserved.

CONSOLIDATING MULTIPLE NETWORK APPLIANCES

THE NEED FOR CONSOLIDATION OF NETWORK APPLIANCES

More and more network appliances are being used to monitor, manage, test and secure IP networks. Network appliances are dedicated, built-for-purpose systems that provide value by off-loading data- and compute-intensive operations from IP routers. However, this comes at the cost of several extra systems to support.

One of the major costs associated with installing multiple network appliances is space and power. Many network appliances are based on standard servers, so installing a new network appliance has the same space and power cost as installing a new server, typically 500 W per server. In data centers with several hundred thousand servers, power cost is an issue, but so are space and the power budget. Many data centers already struggle with power supply issues: there is simply no more power to be had! It is for this reason that consolidation of application servers using virtualization is one of the main initiatives for data centers.

But what about consolidation of network appliances? How can this be achieved, and how can we reduce the number of systems to be supported while still ensuring access to the valuable information that these systems provide? This paper investigates alternatives for consolidating multiple network monitoring applications.

WHAT IS A NETWORK APPLIANCE?

A network appliance is a dedicated, built-for-purpose system designed to analyze data in real time. Network appliances differ in their application, which can be network and application performance monitoring, network test and measurement, network security, or network optimization. Depending on the application, the network appliance is installed at critical points in the network where data needs to be analyzed. For example, network firewalls and Intrusion Prevention Systems (IPS) are installed where the enterprise Local Area Network (LAN) connects to the carrier's Wide Area Network (WAN). The firewall and the IPS analyze data traffic from the WAN to ensure that no security threats enter the LAN.

A common requirement for network appliances is the need to analyze all the data on a connection. For example, for a network measurement application it can be crucial that no IP packets or Ethernet frames are lost.

The architecture of a network appliance is straightforward in most cases: a Graphical User Interface (GUI) for presentation, reporting and configuration of the network appliance; software implementing the data analysis algorithms; a hardware platform for processing data; and network interfaces for receiving and (possibly) transmitting data. The hardware platform can either be custom-built or based on a standard PC server. The data input/output can thus be custom-built or based on network adapters that conform to standards used in PC servers (e.g. PCI Express).

Network appliances can be installed either off-line in packet capture mode or in-line as part of the connection (Figure 2). Examples of off-line packet capture network appliances are network analysis and troubleshooting systems, network performance monitors, Intrusion Detection Systems (IDS), lawful intercept systems, latency measurement systems, etc. Examples of in-line packet analysis network appliances are firewalls, IPS, policy enforcement systems, etc.

DN-0431 Rev. 2

FIGURE 2 Off-line packet capture and in-line packet analysis
FIGURE 3 Examples of in-line network appliances (network firewall, network IPS)

MULTIPLE NETWORK APPLIANCES

Since each network appliance provides specific functionality, there is often a need for several different types of network appliance at the same location. Often these network appliances need to operate on the same data at the same time. For in-line applications, the network appliances can be serially connected, with each appliance working on the data in turn. For example, firewalls and IPS are usually installed with the firewall closest to the edge router, followed by the IPS.

However, for off-line packet capture network appliances, each network appliance needs to analyze the same data at the same time. Therefore, the data to be analyzed must be distributed to the different network appliances using a separate system, typically a load balancer. This is an effective means of distributing data amongst multiple network appliances, but is it efficient?

ADVANTAGES AND DISADVANTAGES OF THE LOAD BALANCING APPROACH

Load balancing provides multiple applications with access to the same data at the same time. It can also filter data so that network appliances receive only the data they require, rather than all data. This can be an advantage in reducing the data load for each network appliance. It also allows each network appliance to be independent. Load balancing can also be used to support redundant network appliances.

However, load balancers can only balance the load across physical servers and ports. If a server is supporting multiple applications, a load balancer cannot balance the load intelligently across these applications. This type of application load balancing requires intelligence within the physical server itself.

There is also the potential issue of overloading network appliances. Consider an example with five network appliances, each with 2 x 1 Gbps ports, monitoring a 10 Gbps line. This configuration works as long as the amount of data that each network appliance has to analyze does not exceed 2 Gbps. However, if the traffic pattern changes and 80% of the traffic needs to be analyzed by one of the network appliances, then this network appliance will be overloaded (i.e. anything above 2 Gbps will be dropped).

Another major disadvantage of the load balancing approach is that it introduces an extra box into the solution, adding to the space and power concerns already mentioned. Let's look at these in more detail.
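The overload scenario above can be checked with a small capacity model. The Python below is an added example, not code from the paper or from Napatech: it gives each appliance a fixed share of the line traffic (the filter a static load balancer applies), compares that share against the appliance's port capacity, and reports what each appliance drops, since a load balancer cannot move an appliance's traffic elsewhere. The appliance names, the even and skewed traffic shares and the 10 Gbps line rate are constructed to match the paper's scenario.

```python
"""Capacity model for stand-alone appliances fed by a static load balancer.

Added example, not Napatech's code.  Each appliance receives a fixed share of
the monitored line; whatever exceeds its port capacity is lost, because the
load balancer only distributes across physical ports and cannot rebalance.
"""
from dataclasses import dataclass, field


@dataclass
class Appliance:
    name: str
    port_gbps: float   # capacity of one monitoring port
    ports: int         # number of ports the load balancer feeds this appliance

    @property
    def capacity_gbps(self) -> float:
        return self.port_gbps * self.ports


@dataclass
class LoadReport:
    offered_gbps: dict = field(default_factory=dict)
    dropped_gbps: dict = field(default_factory=dict)

    @property
    def overloaded(self) -> list:
        """Appliances that drop traffic under this distribution."""
        return sorted(name for name, d in self.dropped_gbps.items() if d > 0)


def distribute(line_rate_gbps: float, share: dict, appliances: list) -> LoadReport:
    """Apply a static traffic share to each appliance and compute its drops.

    `share` maps appliance name -> fraction of line traffic that appliance
    must analyze.  Shares must cover the whole line exactly once.
    """
    if abs(sum(share.values()) - 1.0) > 1e-9:
        raise ValueError("shares must sum to 1.0")
    by_name = {a.name: a for a in appliances}
    report = LoadReport()
    for name, fraction in share.items():
        offered = line_rate_gbps * fraction
        report.offered_gbps[name] = offered
        report.dropped_gbps[name] = max(0.0, offered - by_name[name].capacity_gbps)
    return report


# Constructed to match the paper: five appliances, 2 x 1 Gbps each, 10 Gbps line.
APPLIANCES = [Appliance(f"appliance-{i}", port_gbps=1.0, ports=2) for i in range(1, 6)]
EVEN_SHARE = {a.name: 0.2 for a in APPLIANCES}
SKEWED_SHARE = {"appliance-1": 0.8, "appliance-2": 0.05, "appliance-3": 0.05,
                "appliance-4": 0.05, "appliance-5": 0.05}

if __name__ == "__main__":
    for label, share in (("even", EVEN_SHARE), ("skewed", SKEWED_SHARE)):
        r = distribute(10.0, share, APPLIANCES)
        print(f"{label}: overloaded={r.overloaded} dropped={r.dropped_gbps}")
```

With the even share every appliance sits exactly at its 2 Gbps capacity and nothing is dropped; with the skewed share appliance-1 is offered 8 Gbps and drops 6 Gbps, while the other four have spare capacity the load balancer cannot use.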

FIGURE 4 Load balancing network appliances (off-line packet capture: a load balancer distributes the data to multiple appliances)

SPACE AND POWER CONCERNS

As mentioned earlier, more and more network appliances are being introduced into networks to allow efficient network monitoring, management, measurement and security. However, each of these network appliances takes up space and consumes power, and this is a major concern for many organizations.

According to Eaton [1], a typical 2U standard PC server in 2007 consumed 370 Watts of power. By June 2009 this had risen to 530 Watts, an increase of 43% in two years. Incidentally, for blade servers the consumption can be up to 5000 Watts. According to Gartner [2], servers account for only 15% of the direct energy in data centers, but have a knock-on effect on cooling requirements, leading to a far larger indirect energy requirement. Servers are typically under-utilized (i.e. typically less than 15%), but the servers themselves still consume 60% to 70% of their total power consumption even at these low utilization rates [3]. This is why virtualization has proven to be a popular solution in these environments: it not only reduces the number of servers required, but optimizes the use of the remaining servers, allowing the most efficient use of space and power. Gartner has estimated that virtualization, and thereby consolidation of application servers, can reduce server energy consumption by up to 82% and floor space consumption by up to 85% [4].

The challenge is therefore to find a solution that will allow multiple network appliances to be consolidated into a single solution, thereby optimizing space and power requirements for these devices.

CONSOLIDATING NETWORK APPLIANCES

There are two basic approaches to consolidating network appliances:

1. Functionality consolidation: develop super network appliances that can address multiple applications at the same time
2. Appliance consolidation: consolidate multiple independent network appliances onto a single hardware platform

Functionality consolidation involves the development of super network appliances that include a super-set of features that can address many applications. Examples of such solutions include Universal Threat Management (UTM) systems, which combine firewall, IPS and various other network security functions in a single solution. However, the span of applications for network appliances is so wide that creating a single network appliance that can be used for all conceivable applications is difficult to achieve in the short term. As the UTM example shows, this approach is best used when addressing related applications.

Appliance consolidation, on the other hand, focuses on the appliance application software level. The focus here is to consolidate multiple applications within a single hardware platform. Each application can remain independent, which allows porting of existing applications from stand-alone network appliances to a consolidated platform.

We will focus on appliance consolidation and look at alternatives for implementing such a solution. It is assumed that the consolidated hardware platform is based on a standard server, which is the case for many network appliances. It is also assumed that an intelligent network adapter is used, capable of capturing packet data at full line rate without packet loss and with a low CPU load.

1. The Vector Approach to Data Center Power Planning, Eaton, June 2009
2. Data Center Power, Cooling and Space: A Worrisome Outlook for the Next Two Years, Gartner, May 2010
3./4. Energy Savings via Virtualization: Green IT on a Budget, Gartner, November 2008

FIGURE 5 Using intelligent flow distribution to multiple applications (applications based on the same OS, each running on one or more CPU cores; the intelligent network adapter distributes the required data to each application)
FIGURE 6 Using virtualization to distribute to multiple applications (applications running on one or more virtual machines under virtualization software such as VMware; the virtual machines emulate different OS, including legacy OS; the intelligent network adapter distributes the required data to each application)

In the first instance, we will look at off-line packet capture scenarios, where multiple applications need to access the same data at the same time.

APPLIANCE CONSOLIDATION

Supporting multiple applications on the same server is possible today thanks to the multiple Central Processing Unit (CPU) cores in modern servers. Applications can be run at the same time or assigned an affinity to one or more dedicated CPU cores. Intelligent network adapters can provide flow identification and distribution features that supply multiple applications running on different CPU cores with exactly the data they require. For example, a VoIP monitoring application can receive only VoIP frames, an IPTV monitoring application can receive only IPTV frames, etc.

The example shown in Figure 5 is for a packet capture scenario where each application is working on its own set of data. It is equally applicable to in-line scenarios. This solution works well for applications running on the same Operating System (OS) (e.g. Linux, FreeBSD or Windows). However, what about applications running on different or legacy operating systems?

This is where virtualization is ideal, as Virtual Machines (VM) can be created to emulate the OS and environment that each application expects. In Figure 6, a solution is described based on the generic principles of virtualization (i.e. the ability to accommodate applications based on different operating systems, each working on its own set of data). Indeed, data separation is a key principle of virtualization solutions. Virtualization solutions, such as VMware, KVM and others, are ideal for situations where the network appliance application software cannot easily be ported to a single-server solution as described above. Virtualization can therefore provide a means of supporting multiple and even legacy OS, making consolidation of existing network appliances easier. Several vendors are currently working on implementing such a solution.

SHARING DATA BETWEEN MULTIPLE APPLICATIONS

In the examples thus far, the assumption has been that each application analyzes its own set of data. In other words, there is no need to share data between applications. However, this is not always the case for network appliances. Since network appliances are dedicated to a specific network monitoring, analysis, measurement, security or optimization task, it is common that multiple applications need to access the same data, at the same time, at the same location. In the section "Multiple network appliances", we saw how load balancers are used to distribute traffic to multiple appliances. Load balancers can also be used to replicate data to these network appliances, which is often a primary use case for load balancers.
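As an added example (not Napatech's code and not the adapter's real API), the Python below does in software what the APPLIANCE CONSOLIDATION passage attributes to the intelligent network adapter: it parses each captured Ethernet/IPv4/UDP frame, delivers it only to the application whose filter matches, and tallies the work per CPU core that each application is pinned to. The VoIP rule (SIP on UDP/5060 plus the RTP port range), the IPTV rule (UDP to an IPv4 multicast group), the application names and the sample frames are assumptions constructed for the example.

```python
"""Filter-based flow distribution to per-core monitoring applications.

Added example, not Napatech's code or the adapter's real API.  Each frame is
classified once and handed only to the application(s) that registered for
that traffic type; unmatched frames are not delivered to anyone.
"""
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")   # dst MAC, src MAC, EtherType
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def parse_frame(frame: bytes):
    """Return (src_ip, dst_ip, proto, sport, dport) for IPv4 frames, else None.

    Ports are None unless the frame carries a complete UDP header.  Truncated
    or non-IPv4 frames yield None and stay unclassified rather than misrouted.
    """
    if len(frame) < ETH_HDR.size + 20:
        return None
    _dst_mac, _src_mac, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR.size:]
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        return None
    proto = ip[9]
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    sport = dport = None
    if proto == IPPROTO_UDP and len(ip) >= ihl + 8:
        sport, dport = struct.unpack_from("!HH", ip, ihl)
    return src_ip, dst_ip, proto, sport, dport


def is_ipv4_multicast(ip: str) -> bool:
    return 224 <= int(ip.split(".")[0]) <= 239


def is_voip(t) -> bool:
    """Assumed VoIP rule: SIP signalling on UDP/5060 or RTP media in 16384-32767."""
    _src_ip, _dst_ip, proto, sport, dport = t
    return (proto == IPPROTO_UDP and dport is not None
            and (5060 in (sport, dport) or 16384 <= dport <= 32767))


def is_iptv(t) -> bool:
    """Assumed IPTV rule: UDP delivered to an IPv4 multicast group."""
    return t[2] == IPPROTO_UDP and is_ipv4_multicast(t[1])


# Each application registers its filter and the CPU core it has affinity to.
APPLICATIONS = {
    "voip-monitor": {"core": 1, "match": is_voip},
    "iptv-monitor": {"core": 2, "match": is_iptv},
}


def distribute(frames):
    """Deliver each frame to every application whose filter matches.

    Returns (queues, unmatched): queues maps application -> indexes of the
    frames it received; unmatched lists frames no application asked for.
    """
    queues = defaultdict(list)
    unmatched = []
    for idx, frame in enumerate(frames):
        tup = parse_frame(frame)
        hit = False
        if tup is not None:
            for app, spec in APPLICATIONS.items():
                if spec["match"](tup):
                    queues[app].append(idx)
                    hit = True
        if not hit:
            unmatched.append(idx)
    return dict(queues), unmatched


def core_load(queues):
    """Frames per CPU core, i.e. the work each pinned application will see."""
    load = defaultdict(int)
    for app, idxs in queues.items():
        load[APPLICATIONS[app]["core"]] += len(idxs)
    return dict(load)


def build_udp_frame(src_ip, dst_ip, sport, dport, payload=b"x" * 20) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame; checksums are left zero on purpose."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split("."))) + udp
    return ETH_HDR.pack(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb",
                        ETHERTYPE_IPV4) + ip


# Constructed sample capture.
SAMPLE_FRAMES = [
    build_udp_frame("10.0.0.5", "10.0.0.9", 5060, 5060),    # SIP signalling
    build_udp_frame("10.0.0.5", "10.0.0.9", 20000, 20002),  # RTP media
    build_udp_frame("10.1.1.1", "239.1.2.3", 1234, 1234),   # IPTV multicast stream
    build_udp_frame("10.0.0.7", "10.0.0.8", 40000, 53),     # DNS: nobody asked for it
    ETH_HDR.pack(b"\x00" * 6, b"\x00" * 6, 0x86DD) + b"\x00" * 40,  # IPv6: unclassified
]

if __name__ == "__main__":
    queues, unmatched = distribute(SAMPLE_FRAMES)
    print("queues:", queues, "unmatched:", unmatched, "per-core:", core_load(queues))
```

On the sample capture the VoIP monitor on core 1 receives the SIP and RTP frames, the IPTV monitor on core 2 receives the multicast frame, and the DNS and IPv6 frames reach no application at all, which is the point of filtering at the adapter: each application, and each core, only pays for the traffic it asked for.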

FIGURE 7 Using data sharing to distribute to multiple applications (applications based on the same OS, running on one or more CPU cores; data sharing software on top of the intelligent network adapter allows all applications to see the same data at the same time)
FIGURE 8 Using virtualization and data distribution to multiple applications (applications based on different operating systems, running on one or more virtual machines; data distribution software provides the required data to each application)

Nevertheless, in order to consolidate these multiple network appliances onto the same hardware platform, we need a mechanism within the physical server for sharing data between multiple applications. There are two ways in which this can be achieved:

1. Data sharing, allowing multiple applications on the same OS to access the same data at the same time
2. Virtualization, allowing multiple applications on different OS to access the same data at the same time

DATA SHARING TO MULTIPLE APPLICATIONS BASED ON THE SAME OS

In the data sharing solution, data traffic is captured and stored in a single memory buffer. Instead of copying this buffer for each application that needs to analyze the data, a data sharing mechanism is implemented whereby each application can access the single memory buffer at the same time. Each application runs on one or more CPU cores and has access to the captured packet data in a common memory cache. Using this approach, application software that was previously installed on multiple servers can be installed on a single server. The scale of the solution is limited by the processing power required by each application and the available CPU cores in the server.

VIRTUALIZATION FOR SUPPORT OF MULTIPLE APPLICATIONS BASED ON DIFFERENT OS

The solution in this case is to use Virtual Machines (VM) running on one or more CPU cores to emulate the operating system required by the network appliance application software in question. This allows the hardware platform to run the latest operating system independent of the various applications to be supported. In this scenario, the data sharing software is replaced by data distribution software, used to provide dedicated data to each virtual machine and supported application. This software requires a dedicated CPU core, but all other CPU cores are available to support virtual machines.

The data input/output hardware (intelligent network adapter) ensures that the packet data is provided to the memory cache in real time with zero packet loss. The data sharing is managed either by the adapter software or by separate application software. This solution is ideal for organizations that depend on network appliances that are difficult to upgrade and require their own environment and operating system.
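The following Python is an added example, not Napatech's code, of the bookkeeping a data sharing mechanism needs: a single capture buffer holds each frame once, every application keeps its own outstanding read, and a slot is recycled only when the last application has released it. The same rule drives the in-line case that the page discusses under IN-LINE CONSOLIDATION: a frame can be forwarded only when the slowest application is done, so forwarding latency is the maximum of the per-application times rather than their sum, and a slow application holding slots is what eventually forces the buffer to drop. The application names, service times and arrival pattern are constructed; times are integer microseconds.

```python
"""Shared capture buffer with per-application release tracking.

Added example, not Napatech's code.  One frame, one slot; the slot lives until
every consolidated application has released it.  Times are integer
microseconds so the simulation arithmetic is exact.
"""


class SharedCaptureBuffer:
    def __init__(self, consumers, capacity):
        self.capacity = capacity
        self.consumers = list(consumers)
        self.slots = {}      # slot id -> frame bytes, stored exactly once
        self.pending = {}    # slot id -> applications that have not released it yet
        self.next_id = 0
        self.dropped = 0

    def capture(self, frame: bytes):
        """Adapter writes a frame into the common buffer; no per-application copy."""
        if len(self.slots) >= self.capacity:
            self.dropped += 1   # every slot is still held by at least one application
            return None
        sid = self.next_id
        self.next_id += 1
        self.slots[sid] = frame
        self.pending[sid] = set(self.consumers)
        return sid

    def read(self, app, sid) -> bytes:
        """An application reads the shared bytes of a slot it has not released."""
        if app not in self.pending.get(sid, ()):
            raise KeyError(f"{app} has no outstanding read of slot {sid}")
        return self.slots[sid]

    def release(self, app, sid) -> bool:
        """Return True when this release freed the slot (last application done)."""
        self.pending[sid].discard(app)
        if self.pending[sid]:
            return False
        del self.pending[sid]
        del self.slots[sid]
        return True


def simulate(arrivals, service_us, capacity):
    """Event-driven run over (time_us, frame) arrivals.

    Each application takes service_us[app] per frame.  Returns
    (forward_latencies, dropped).  In in-line mode a frame is re-transmitted
    only once the last application has finished with it, so the per-frame
    latency is the maximum service time, not the sum.
    """
    buf = SharedCaptureBuffer(service_us, capacity)
    outstanding = []   # (finish_time, app, slot id) for reads not yet released
    latencies = []
    for t, frame in arrivals:
        still_busy = []   # retire every read finished by time t
        for finish, app, sid in outstanding:
            if finish <= t:
                buf.release(app, sid)
            else:
                still_busy.append((finish, app, sid))
        outstanding = still_busy
        sid = buf.capture(frame)
        if sid is None:
            continue
        finishes = []
        for app, svc in service_us.items():
            buf.read(app, sid)                 # same bytes for every application
            outstanding.append((t + svc, app, sid))
            finishes.append(t + svc)
        latencies.append(max(finishes) - t)    # forwarded when the slowest is done
    return latencies, buf.dropped


def serial_latency_us(service_us) -> int:
    """Chained in-line appliances (firewall, then IPS, ...) add their times instead."""
    return sum(service_us.values())


# Constructed scenario: three consolidated in-line applications, a frame every 1 ms.
SERVICE_US = {"firewall": 2000, "ips": 5000, "perf-monitor": 1000}
ARRIVALS = [(i * 1000, b"frame-%d" % i) for i in range(10)]

if __name__ == "__main__":
    for cap in (4, 5):
        lat, dropped = simulate(ARRIVALS, SERVICE_US, capacity=cap)
        print(f"capacity={cap}: forwarded={len(lat)} dropped={dropped} "
              f"latency={max(lat)}us (serial chain would be {serial_latency_us(SERVICE_US)}us)")
```

With the constructed timings every forwarded frame waits 5000 us for the IPS, against 8000 us for a serial chain, which is the latency trade-off the in-line section describes. Because each slot stays held for the full 5000 us while frames arrive every 1000 us, the buffer needs five slots in steady state: with a capacity of four it drops two of the ten frames, with five it drops none. Sizing the shared buffer against the slowest application's service time, not the average, is the practical consequence.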

IN-LINE CONSOLIDATION

In-line consolidation can use the same approaches as above. However, in-line network appliances introduce some additional concerns that should be taken into consideration. Typically, there is a desire to reduce latency as much as possible in in-line devices, and serial transfer of data between applications lengthens latency. Equally, shared data access can lead to longer latency, as the total latency will be dictated by the slowest application (i.e. the frame will not be re-transmitted until the last application has finished analyzing it). Most in-line applications also require a large amount of computing power in order to process and analyze frames as quickly as possible. Therefore, throughput can be affected if these applications lack processing power when they need it.

CONSOLIDATION POSSIBLE, BUT BEWARE

We have now shown that it is possible to consolidate multiple network appliances into a single server using intelligent flow distribution, data sharing and virtualization. Nevertheless, one should carefully consider which network appliances should be consolidated. Consolidation is ideal when the connections being monitored/tested/secured are of low bandwidth (i.e. up to 1 Gbps) or have low line utilization. As mentioned earlier, the reason why virtualization provides tangible benefits for application servers is that there are typically very low levels of utilization on these servers. However, if network appliances are analyzing high-bandwidth connections with high utilization, literally millions of frames need to be analyzed per second. This typically consumes the available bandwidth and processing power of high-end network appliances. These network appliances can be consolidated into much larger servers, but the benefit of this needs to be analyzed in relation to power and space savings. Therefore, consolidation is a good solution for lower-bandwidth network appliance applications that are not compute-intensive, but for higher speed rates and more demanding network appliances, a dedicated system approach is still recommended.

COMPANY PROFILE

Napatech is the world leader in accelerating network management and security applications. As data volume and complexity grow, the performance of these applications needs to stay ahead of the speed of networks in order to do their jobs. We make this possible, for even the most demanding financial, telecom, corporate and government networks. Now and in the future, we enable our customers' applications to run faster than the networks they need to manage and protect. Napatech. FASTER THAN THE FUTURE

EUROPE, MIDDLE EAST AND AFRICA
Napatech A/S, Copenhagen, Denmark. Tel. +45 4596 1500. ntemeasales@napatech.com, www.napatech.com

NORTH AMERICA
Napatech Inc., Boston, Massachusetts; Mountain View, California; Washington D.C. Tel. +1 888 318 8288. ntamericassales@napatech.com, www.napatech.com

SOUTH AMERICA
Napatech, São Paulo, Brazil. Tel. +55 11 2127 0782. ntsouthamericasales@napatech.com, www.napatech.com

APAC
Napatech Japan K.K., Tokyo, Japan. Tel. +81 3 5326 3374. Napatech Korea, Seoul, South Korea. Tel. +82 2 6001 3545. ntapacsales@napatech.com, www.napatech.com