Network Computing Security

Network Computing

Why I Like Juniper's QFabric (And A Mea Culpa)

While I was visiting Juniper in early December, I got a chance to sit down with the QFabric folks to discuss some of the issues with QFabric and what I saw as a proprietary—with all the badness that word implies—product set in search of a reason. While QFabric is proprietary because of how the components are interconnected, I came away with the impression that the overall design and capacity look extremely powerful, and I think the upsides of the QFabric product set far outweigh the downsides. Given a month's time between visiting Juniper and now, I'd say that all my ballyhoo about being proprietary was a non-issue. My bad.

Juniper's QFabric, in a nutshell, distributes the traditional chassis switch into discrete components. The top-of-rack (ToR) switches, called QFNodes, are the line cards. The QFInterconnect, to which the QFNodes are connected via OM-4 or OM-5 fiber, is the backplane, and the QFDirector(s) are the supervisors (in Cisco parlance), or managers. Each QFNode is connected to between two and four QFInterconnects via 40-Gbit links, and there are two QFDirectors that are connected to the QFNodes and QFInterconnects via an out-of-band 1-Gbit link.

Greg Ferro, who does network design and consultation for large organizations and also contributes to Network Computing, has written a nice explanation of QFabric and explains some benefits.

Here's why I like it. It's operationally simple. The distributed chassis metaphor is apt and means that multi-switch management is greatly simplified. You can manage up to 128 switches as if they were a single switch, which, for all intents and purposes, they are. Think about that for a moment. You don't have to maintain credentials across 128 switches, or authentication configuration on each of them if you are using RADIUS or some other authentication server.

You don't have to integrate 128 devices into your network management system (NMS), hypervisor management system or other IT systems. Even with scripting or an NMS, making sweeping changes to 128 individual switches in a network is dicey. Granted, you can aggregate multidevice management to simulate a single pane of glass, but that means introducing more servers and management protocols that can get in the way or break down. As the number of things you need to manage grows, the simpler your management framework needs to be.

Traffic-wise, you don't have to worry about multiple paths, spanning tree, building N tiers, or deciding where to set up routing, since QFabric also routes (although Juniper is quick to point out that you likely wouldn't replace your edge or core router with a QFabric, just as you wouldn't replace them with a 1U ToR L2/L3 switch). Any two points in the QFabric are a mere 5 microseconds apart. Unless your company requires ultra-low latency, anything below 1 millisecond (typically the granularity at which latency is measured and reported in enterprise switches) is probably fine. But, hey, less is better in any case. If you need more capacity at the edge, you can add additional switches fairly cost-effectively, as Ferro points out.

Bear in mind that, currently, each QFNode 3500 can be oversubscribed at 3 to 1, based on 48 10-Gbit ports facing the access devices and four 40-Gbit uplink ports facing the QFInterconnects: 480 Gbits inbound going into a 160-Gbit uplink makes 3-to-1. However, engineers at Juniper said the limitation today is the interface speed of the uplink ports. There is no such limitation in the QFInterconnect, so speeds can increase in the future provided Juniper ships QFInterconnect cards and QFNodes that support higher capacities.

What gets interesting with QFabric is the migration path to and from QFabric, and how QFabric can fit into the data center. In a fit of whiteboard craziness, we mapped out some scenarios. A couple of things became clear:

  • To the rest of the network, QFabric is just an L2/L3 switch. It's one bridge in a spanning tree, and outside QFabric, it's just Ethernet. That means you can plug a QFabric into the rest of your network and it will be loop-free.
  • The rest of your L2/L3 network will behave just fine, and you can run any other network equipment, like a Cisco Nexus, side by side with it.
  • Any requirement such as reaching hosts defined by routes on an external router or passing traffic through a load balancer means traffic may have to pass out of and back into QFabric.

If you have already invested in Juniper's QF 3500s (the EX line is not supported) and you want to migrate to QFabric, you need a QFInterconnect and a QFDirector, although Juniper recommends pairs for redundancy. You can cable in your existing QF 3500s and they become part of the QFabric. Take them out of the QFabric, and they go back to being L2/L3 switches. Pretty nice investment protection.

I like it. QFabric is a fairly simple design—simple is good. No need to worry about multipath Ethernet protocols like TRILL, SPB, LAG or MLAG. It only scales to 6,144 10-Gbit ports with oversubscription, 2,048 if you want non-blocking (that's 16 10-Gbit ports per QFNode). If you dual-home your servers, that's only 3,072 servers. I say "only" tongue in cheek. That's a lot of servers for most organizations, and I will go out on a limb and assume that if you're looking at that kind of scale, it's either a special-purpose computing center or a hosting or cloud provider.

The other elephant in the room is cost. That's a topic I will take up later, as well as digging a little deeper into the design scaling issues. Of course, there are a number of other things to consider, like distance limitations of the OM-4 cable, cable layout and designing the L2/L3 network within QFabric. But if you are looking at upgrading from a 1-Gbit to a 10-Gbit network and you want to take advantage of the new features that network fabrics such as Brocade's VCS, Cisco's Fabricpath and Juniper's QFabric offer, it's worth a long hard look. And I bet the proprietary features will be less important the deeper you look.

Disclosure. I traveled to Sunnyvale on my company's dime. Juniper fed me a hamburger, chips and a soda, and gave me a pen.

Categories: Security News

Prepare The Mobile Ship For Ludicrous Speed!

Thinking back on the 1987 movie "Spaceballs," I picture a comical Dark Helmet standing on the bridge of his ship. In my mind, he holds a smartphone and contemplates the latest buzz on mobile network speeds, fresh from the International Telecommunications Union. As he ponders the 100-Mbps data speeds soon to be delivered by his preferred carrier, he utters the order, "Prepare for ludicrous speed," and the ship IMT-Advanced warps off to hyperspace at an impossibly crazy velocity. Speeds in the mobile data world are about to get quite exciting.

To read the various analyses of what the International Telecommunications Union (ITU) has recently approved in its IMT-Advanced announcement is to be schooled on what 3G and 4G really are, and are not, as well as to get a look at where mobile wireless is heading. And where it's heading is impressive.

Where a present-day good 3G connection will yield a respectable few megabits-per-second connectivity (if you’re not moving), IMT-Advanced will make 3G feel like a dial-up modem. Current LTE networks that claim 4G-ness measure and market their speeds in the double-digit megabits per second, but there is a lot of variability across carriers and conditions required to get to top speeds.

Regardless of the current marketing campaigns and the decent speeds that the carriers are giving us on their "4G" networks, the ITU says that we have yet to see true 4G networks by its technical definition. To really be 4G, a network must deliver speeds of 100 Mbps when in motion at vehicle speeds and 1 Gbps (yes, gig speeds from mobile networks) when not moving. Marketing being what it is, nothing we have in the United States from LTE or WiMax comes close to these lofty requirements, despite all the 4G hype taking root. So far, 4G isn't really 4G. But when we get there, it will be ludicrous.

So what did the ITU do for the mobile network space during its meeting in Switzerland that commands so much interest? The communications governing body approved two technologies--LTE-Advanced and WiMax 2--as the path forward to mind-blowing mobile networks under the heading of IMT-Advanced. Now that the declaration has been made, development and manufacturing can proceed. Though it will likely take a few years for IMT-Advanced network and handset build-out, it stands to reason that IMT-Advanced will stay on people's minds as they contemplate their future mobile strategies.

All guesses about how IMT-Advanced will truly impact the mobile network space are on the table. As individuals and businesses alike make mobile data a priority, carriers today are using strategies like data plan terms and WiFi offload to prevent network saturation, which also gets interesting through the lens of IMT-Advanced. Though network speed is easy to get excited about, you can't get blazingly fast without modulation and antenna techniques that make for better cells and higher capacity for everyone, even legacy non-IMT-Advanced users. Higher speeds and better cells mean better general traffic-handling capability, which has to have some impact on how service plans will be structured.

There is little doubt that IMT-Advanced will certainly come to be recognized as a disruptive technology and will likely challenge notions of traditional networking in many areas yet to see broadband. Testing with early IMT-Advanced components is already well under way in Europe and China, and Internet videos showing beta efforts and results for IMT-Advanced are simply captivating if you follow mobile network development.

Gigabit mobile broadband? Even Dark Helmet would approve.

At the time this was written, I was not being paid by any vendors or organizations mentioned.


IBM And NEC Leverage OpenFlow For High-Performance Networking

IBM and NEC are collaborating on high-performance OpenFlow deployments. OpenFlow, developed at Stanford University, has enjoyed acceptance in university networks because an OpenFlow network can run alongside the campus production network without impacting it. In 2011, OpenFlow broke out of its education niche into the mainstream with announcements from Big Switch, Fulcrum and NEC. IBM's and NEC's announcement is a proof point that OpenFlow has a role in enterprise IT and can be used in high-performance applications.

There are a number of myths surrounding OpenFlow, including that there is a delay on the first packet of a flow while the controller performs a lookup, and that the controller is a single point of failure. Both are easily addressed through sound management practices. In fact, the upsides of using OpenFlow--such as simplified traffic management, policy-based networking that creates paths through the network based on higher-level decisions than the destination address, and software-defined networking where there is tight integration between applications and network configuration--can far outweigh any downsides. The IBM and NEC announcement describes how enterprises are overcoming these obstacles with OpenFlow on their production networks.

One customer of the combined IBM and NEC products is Selerity, which provides financial information from primary sources to its subscribers. Its service-level commitments are on the order of microseconds, required so that all subscribers receive the same information at the same time. In addition, Selerity has to manage subscription entitlements for its customers to ensure they are getting what they paid for. Selerity's entitlement application needs to make those decisions and dispatch the data in near real time. The challenge Selerity faces in meeting all of those competing goals is in maintaining low latency and traffic separation at the same time.

Selerity previously satisfied those requirements using a convoluted set of VLANs and high-end firewalls to forward traffic to the proper locations, or by using an application-level process to make the forwarding decisions. In either case, the solution was complex, inflexible and expensive. Adding a new subscription for a customer meant making a number of changes to networking equipment, which took time and was error-prone.

Using OpenFlow on NEC's Programmable Flow Controller, Selerity was able to move the forwarding decision off the servers and the firewall/switch layer and into an OpenFlow-controlled network. Using flow rules defined once on the Programmable Flow Controller, the UDP packets coming from Selerity's servers are rewritten, added to a multicast group and forwarded to the destination ports corresponding to individual customers in a few microseconds. Selerity ensures that the correct data goes only to the intended customers and that all of the customers receive the data at the same time. Selerity was also able to easily add more redundancy to its delivery network, since an OpenFlow network isn't hobbled by Ethernet constraints like the need for a loop-free topology.

Selerity's application and SLA requirements are unique to the financial industry, but many enterprises have similar demands that could be addressed using an OpenFlow-managed network.

IBM and NEC also described unnamed customers using OpenFlow to solve common issues such as forwarding network traffic to multiple analysis devices and forwarding traffic to load balancers. Companies like Anue Systems, Gigamon and NetOptics offer in-line network taps that can combine many network connections into a single output or split a single input into many outputs, either replicating all frames across all output ports or slicing the output stream based on data in the frame like addresses and port numbers. These taps work well but are expensive and require that they sit in-line with the monitored link. One security customer instead connected taps and switch SPAN ports to an IBM G8264 OpenFlow switch, ran the traffic through a deep packet inspection engine and then forwarded the flows to one or more analysis tools. The monitoring is much more flexible than a fixed tap.

More vendors are hopping on the OpenFlow bandwagon, including networking giants Cisco and HP. Juniper Networks added OpenFlow to its Junos SDK in 2011, while OpenFlow controller vendor Big Switch introduced an open source OpenFlow controller early this year. We will continue to see interesting use cases of OpenFlow in production environments.



HP and Cisco Take Different Paths To SDN

Fri, 02/03/2012 - 11:00
News that Cisco Systems may release proprietary networking products implementing software-defined networking (SDN) technology, but not necessarily based on the emerging OpenFlow protocol, has executives at rival HP complaining about another Cisco vendor lock-in play. At a news event at HP Thursday, at which the company announced OpenFlow capability available for 16 HP networking product lines, executives were asked to comment on a news report from the Cisco Live event going on this week in London.

There, Cisco chief technology officer Padmasree Warrior reportedly outlined Cisco's SDN strategy, but did not mention OpenFlow as the protocol on which it would be based. "It appears Cisco will go proprietary on its SDN strategy," according to a report. The report also quoted another Cisco executive saying that "at this point we don't think [OpenFlow] is production ready."

Asked to respond, Bethany Mayer, interim senior vice president and general manager of the HP Networking business, said Cisco and HP have very strong differences on support for standards-based versus proprietary technology.

"It is at the heart of a philosophy at HP that we remain open with open standards so that we can be interoperable with the other networking vendors in the industry. If they have decided to go the proprietary route, frankly that's bad for the customers," said Mayer.

OpenFlow is a protocol developed at Stanford University, and HP Labs was present at its creation in 2007, working alongside Stanford researchers, said Charles Clark, an HP distinguished technologist and director of research in HP Networking. The idea behind it is that the intelligence in the network -- to route packets, prioritize traffic, minimize latency, enforce quality of service (QoS) policies and provide security -- is moved from network switches and routers to a software-based controller. Hence the term software-defined networking.

The Open Networking Foundation (ONF) is a community of academic researchers, networking vendors and companies that manage their own enterprise networks; it is developing the OpenFlow protocol, evangelizing it, and helping to bring it to market.

At the HP event in Cupertino, Calif., Dan Pitt, executive director of the ONF, said Cisco is also a member of the group, as are other networking vendors, and that "everybody is contributing in good faith."

"This is a movement that is happening and vendors will react to it in different ways over time, but I don't think the movement itself is stoppable," Pitt said, adding that Cisco or any other company can bring to market both a proprietary product and one built to industry standards.

But he and the HP people think OpenFlow is proven technology and that HP is the first networking vendor to offer OpenFlow over such a wide array of its networking products.

HP is offering a free download of OpenFlow to enable SDN on 16 switching product lines that are deployed by service providers, in data centers, on campus networks and in branch offices, said Dan Montesanto, worldwide product manager for data center network solutions integration at HP. Those 16 product lines represent an installed base of 250,000 devices with a combined total of about 10 million ports that can be SDN-enabled.

IBM and NEC jointly announced on Jan. 24 the introduction of an IBM switch coupled with an NEC network controller based on OpenFlow, but Montesanto noted that this is only one switch that is SDN-enabled. Both IBM and NEC are also members of the ONF.

The CEO of a new vendor in the OpenFlow space, Big Switch Networks, says more OpenFlow products still in beta testing are expected to come out in 2012.

At an OpenFlow conference last fall, Cisco was asked whether, if the intelligence is moved from the switches to the network control layer, switches would become more of a commodity product, selling for less money and making less profit for switch vendors. David Meyer, a Cisco fellow, said the company is aware of the situation and is preparing to deal with it. "Folks get this and how to react to it is what's being formulated right now."

He said it's very obvious to everyone that something's going on here, and the question is how to react to it in a way that everybody can live with. "When you have a big company like Cisco, you've got to socialize those kinds of things." Meyer added that he was pushing people inside Cisco "to start thinking about it."

Responding to the same question on Thursday, HP's Saar Gillai, vice president of the Advanced Technology Group within the networking division, replied that OpenFlow/SDN is not a "commodity play."

"This is a simplification play," he said. "If you look at where HP is deployed today, we're solving customer problems. If you look historically when things like this have happened, typically the same vendor who is providing the value in one place is now providing value some place else."

Cisco did not reply to a request for comment for this story but it will be updated when and if it does.



Meraki Ups The Cloud-Based Networking Ante

Fri, 02/03/2012 - 10:58
Mainstream network players and those chasing them are out to erase the lines between wireless and wired networking. As the network edge gets redefined and the cloud makes its presence felt in LAN and WLAN spaces, announcements like Meraki's latest update are getting to be more commonplace--and exciting. With a number of interesting product updates to share, Meraki is starting 2012 with a bang.

As mentioned before in this blog, I am a single-site Meraki customer. Though my main wired and wireless networks are built on Cisco gear, last year I opted to run with Meraki in one of my overseas locations for a campus deployment that features site-to-site VPN back to our main campus, routing and 35 access points in a framework that is all-Meraki except for the handful of Cisco edge switches that handle Layer 2 duties. The Meraki deployment has been rock-solid and reliable, but soon will be even better.

Meraki has just announced new hardware and features that bode well for existing and prospective customers, and for the industry in general as a sign of things to come. In my own little corner of the Meraki cloud-managed world, I manage wired and wireless networks via a common dashboard on the Web. Though this has been effective, I have found areas where Meraki could do better by its customers. One of these minor pain points is in managing my site-to-site VPN, as the current UI is pretty sparse on relevant information for this important function. Thankfully, the latest incarnation of the Meraki cloud-based management system rectifies this with two-click site-to-site VPN configuration and welcome details on each tunnel's latency and status.

Even bigger to me, no-extra-cost WAN acceleration has come to the Meraki MX series. Legacy customers like me who use the MX 50 or 70 will see modest gains in WAN acceleration after our free and automatic code upgrade, but customers who get in on the latest MX hardware series also get the benefit of increased processing, memory and a 1-Tbyte hard disk cache for what Meraki estimates to be "up to 197 times improved" WAN transfer times. As enterprises like mine continue to globalize, squeezing the most from site-connecting over-the-Internet WAN links is of paramount importance. That you get WAN optimization as part of the MX purchase without additional licensing is huge.

Also part of the latest release, Meraki is introducing its new cloud-managed Layer 2/3 switches with Power over Ethernet. In my own current deployment, I can manage my Meraki MX appliances (routing, security, DHCP, traffic classification and control, guest access, etc.) and wireless APs, but not my Cisco switches, through my cloud-based dashboard. When I rolled out my environment, Meraki did not offer an edge switch. The new MS series switch comes in branch and campus network flavors, and other than not having redundant and field-replaceable fans and power supplies (hint to Meraki), it seems to have good feature parity with the big expensive competitors and some nice troubleshooting value-adds not typically found in other switching products. The beauty here is that wired and wireless users alike are identified, classified, controlled and supported through the same administrative dashboard, regardless of whether they use a patch cable or wireless adapter to connect.

Given that wireless networking is fast coming to equal or even surpass Ethernet in terms of criticality for user access across different business networks, it's not surprising that vendors are moving into even deeper "whole solution managed under a single pane of glass" waters. Meraki may not be the biggest fish in the networking pond, but I can speak first-hand about its effectiveness at providing a turn-key, cloud-managed solution that makes managing a network easy. (And, in my case, it's a network on another continent that tightly integrates with my main network.) I'm tickled that a good thing is getting even better with Meraki's latest announcements, and am hopeful that others in the networking space are working on similar strategies.

Gone should be the days of thinking of wired and wireless networking as unique spaces, and needing racks full of appliances to gain VPN and enterprise-class security capabilities. Meraki has proven that for the right environments, a tremendous amount can be done with minimal box requirements, and that installation and management don't need a team of IT pros to accomplish. Here's hoping we see more of the same from the competition.

Disclaimer: I am a single-site Meraki customer.


Cisco Expands 40, 100 GbE Switching Portfolios

Thu, 02/02/2012 - 09:00
Cisco Systems is introducing new switches with 40 and 100 Gigabit Ethernet (GbE) capabilities, which are the coming new standards for switching speeds on networks. The 40GbE capacity is now available on its Catalyst 6500 switching line for campus networks, while 100GbE is available on the Nexus 7000 line for data center and service provider networks. The company also announced two new fixed-configuration platforms providing high-density 10GbE switching, which is the fastest growing category of switches today.

Like other networking vendors, Cisco is adding these higher-capacity switches to meet network demands for cloud computing, wider use of video, the increased use of mobile devices and the explosion of data flowing on those networks. According to the latest market data, sales of 10GbE switches are expected to reach $13 billion by 2016 and will constitute nearly half of a total $28 billion Ethernet switch market by then. That year sales of 40 and 100GbE products will amount to $3 billion. Other vendors in this market include Alcatel-Lucent, Avaya, Brocade, Extreme Networks, Dell, HP, IBM, and Juniper Networks.

Cisco is also introducing a capability it calls Easy Virtual Networking, which simplifies network virtualization functionality for its Catalyst 6500, 4500 and ASR 1000 product lines. A new Nexus 1010-X appliance enables scalable virtual services in a data center environment.

"We aren't just throwing bandwidth at the problem and saying everything is going to be sunshine and roses," said Shashi Kiran, senior director of marketing for Cisco Data Center and Enterprise switching. "We are helping customers to utilize that bandwidth in a much more resource-intelligent manner and, with ease of use, reduce complexity."

Cisco's domination of the network market continues, but a new report from InformationWeek Analytics indicates that the people who buy networking equipment are considering other vendors, such as Dell, HP or IBM, as an alternative. Only 49 percent of respondents said they were not considering switching vendors at all, a decline from 60 percent in the October survey.

Cisco earned the highest score among the seven vendors represented in the survey, scoring 77 percent out of a possible 100 percent. However, IBM came in a very close second with a performance rating of 76 percent, while HP and Dell both came in at 75 percent. Juniper and Brocade also scored generally well, just three and four percentage points respectively behind Cisco. Avaya earned a performance ranking of 70 percent.

Cisco has been feeling the competitive pressure from rivals such as HP, which acquired networking vendor 3Com in 2010, and Dell, which late last year acquired Force 10 Networks. But Cisco's Kiran says the company is maintaining its market share lead measured either by revenue or by the number of ports sold. Its revenue share was 71.8 percent in the third quarter of 2011, up from 68.6 percent in the previous quarter, and its port share was 51.7 percent in the third quarter, up from 49.8 percent in the second. The figures are from the networking equipment research firm Dell'Oro Group. Meanwhile, Gartner research shows Cisco's share of the fast-growing 10GbE market is 76 percent based on port count.

"There's a lot of noise out there in the market today, a perception that Cisco is losing its port or revenue market share and the facts say otherwise," said Kiran. "Despite all this noise we're in a very strong position."

The Catalyst 6500, becoming available in April, supports 44 ports of 40GbE and 176 ports of 10GbE connectivity. The Nexus 7000 line, available sometime in the second quarter of this year, offers 96 ports of 40GbE and 32 ports of 100GbE connectivity.

Also new and available now is a Catalyst 4500-X switch that offers 40 ports of 10GbE connectivity and up to 1.6 terabits (Tbit) of switching capacity. It is designed for deployment on campus networks. Coming in March is a Nexus 3064-X switch supporting 40GbE connectivity and targeted at data center deployments for high-frequency trading, big data or Web 2.0 environments.

Pricing information was not shared.



Thought Experiment--Forget ROI

Thu, 02/02/2012 - 08:26
Boys and girls, today's homework assignment is a thought experiment. I want you all to put yourselves in the shoes of the CXO team making a decision to move to private cloud. There is, of course, one catch: You may not factor in ROI. We're dropping ROI because it clouds the subject (bad pun intended). Let's skip the why-should-I-do-this experiment; I'd, of course, default to, "Because I told you so."

Let's work through this together; it may be a tough one. Many of us have been trained to make all IT-related decisions based on ROI. Some of this is self-induced, some may come from vendors with ROI spreadsheets utilizing amazing formulas, industry data and handfuls of pixie dust to show how much money you'll save over the next three years with widget X.15. For whatever reason, ROI is a big part of most IT-related decisions.

IT decisions weren't originally made this way. Instead, they were made based on the business value that would be gained from an IT system. IT was purchased based on how it would enable the business to increase profits, build better products or better serve its customers. That's really what the technology should be about.

The decision to move to private cloud should be based on the competitive advantage it can provide. If we can justify that private cloud can give us the ability to do something better, faster or at lower cost than the competition, we're halfway there. Let's take a look at gaining competitive advantage with private cloud.

Let's start with some example numbers for the time it takes to bring a new service online:

  • 1 week - Design and validate a BOM (bill of materials)
  • 1 week - Receive approvals and submit PO
  • 2 weeks - Wait on required gear
  • 1 week - Rack, stack, cable and configure
  • 3 weeks - Build service, test and validate
  • 2 months - Total time

This is just an example; some of these times may be laughably short or long depending on your organization. Using these example numbers you have a two-month period between identifying a new service that will enable your business and having that service online. This doesn't take into account rollout of and training on the service once online. If you could cut that time in half, would that provide competitive advantage?

By using a private cloud model for delivery of IT services, this process can be trimmed to three weeks (using the same example numbers). The infrastructure would already be in place, carved into flexible pools, and the tools to automate deployment of the required subset would be available to IT staff, developers or both. Through a self-service portal, the first four steps above can take place in minutes, leaving only the three weeks to build, test and validate the service.

Additionally, scale is simplified through standardized infrastructure components. Rather than deciding on which server, storage or switch is required per project, pre-defined components are purchased and plugged into the resource pools as capacity is required. Is your network at capacity? Add a switch to the mesh. The hardware itself becomes nothing more than CPU, RAM, storage and I/O capacity for the delivery model you've built.

The flip side of the above model is removing old or under-performing services. When an application or service is removed from the cloud, the resources are returned to the pools. In a legacy data center build, it is difficult to repurpose hardware when a service is no longer needed, and as such often doesn't happen. Scaling down occurs, and services are eventually retired. This model allows for seamless return of the underlying hardware resources to the cloud.

The last piece of competitive advantage is of course cost. Any reduction in cost without a reduction in revenue will inherently increase profits. This is why the ROI model persists so strongly. Private cloud can, and does in many cases, reduce costs, but this depends on how mature your IT organization is at the onset. Much of private cloud's cost reduction comes from the virtualization of the underlying hardware; automation and orchestration are not required for that, but help provide the business value shown here.

While cost is always quite important, it should not be the first or most important criteria. Cost is more easily modeled and budgeted for once the end goal has been defined. If you begin with an attempt to show ROI, you end up with models of very subjective soft costs showing savings over time. These are not solid foundations for such a large change. Define the advantages private cloud can provide your organization, decide whether they provide enough value to embark on the journey, and then model the costs into your budget.

Categories: Security News

Brocade ADX 12.4 Improves App Delivery

Tue, 01/31/2012 - 10:00
Brocade introduced a new application delivery controller that enables service providers to manage application delivery in a way that servers or endpoint devices no longer can. A key feature of the Brocade ADX 12.4 is what the company calls an OpenScript Engine, which enables enterprise service providers to build customized versions of network applications using the open-source Perl programming language to deliver networking capabilities unique to their needs.

The ADX 12.4 is designed to address a shift in the role of networks in delivering applications. Because of the proliferation of various endpoint devices to which applications are delivered, no one optimization will suffice. For service providers such as ISPs, that range of devices includes laptops, smartphones, tablets, gaming consoles and Internet-enabled TVs. Because applications are also delivered via the cloud, traditional server-based application controls come up short.

The OpenScript Engine feature in ADX 12.4 is a Perl-based platform for customizing applications for a service provider's unique needs, such as improving network infrastructure, security, acceleration or monitoring. Brocade supports the Comprehensive Perl Archive Network (CPAN), the community-maintained repository of Perl modules, so a developer trying to accomplish one task may find that someone else has already solved the problem and efforts aren't duplicated.

Although other application delivery vendors also offer scripting engines, Brocade's support of Perl is laudable because it's a well-known and widely used scripting language, says Sam Barnett, directing analyst for data center and cloud research at the research firm Infonetics. Barnett is also a veteran of the networking industry, running startups that worked with Brocade and Foundry Networks, which Brocade acquired in 2008.

A particularly impressive feature of the OpenScript Engine, Barnett says, is the Application Performance Estimator, which, as its name implies, predicts how an application will run on a network as it's currently configured, before the application is actually deployed.

"The service provider community didn't really know what a new application or service delivery platform was going to do on the network because they didn't really understand how it was going to be used," he says. "This [Estimator] gives you ... a really good understanding of where your pain points are going to be before you introduce something completely unknown onto your network."

ADX 12.4 also streamlines the transition from IPv4 to IPv6 networks. It will help maintain service parity on both networks, which in a typical situation run in parallel. IPv6 is the successor to IPv4, with a far larger address space, and it matters now because the worldwide supply of IPv4 addresses is running out.

Learn more about Strategy: OpenFlow vs. Traditional Networks by subscribing to Network Computing Pro Reports (free, registration required).


Riverbed Virtualizes Cascade

Tue, 01/31/2012 - 09:00
Riverbed Technology has introduced Cascade 9.5, an upgraded version of its network management tool that aggregates information from a number of Riverbed network appliances--physical and virtual--into a single management console. Among the new features of Cascade 9.5 is Virtual Cascade Shark, the virtual version of Riverbed's physical appliance, which sees into the virtual switching layer within a virtual machine environment in a way the physical Shark appliance cannot, says Riverbed.

The new version of Cascade comes just two months after the WAN optimization market leader released RiOS 7--a major upgrade to the software that powers its line of Steelhead application acceleration appliances--and new Steelhead Mobile client software, adding optimizations for video, disaster recovery applications, ICA over SSL and enterprise applications, as well as IPv6.

The new features include tight integration with Riverbed's Stingray traffic manager and F5's BIG-IP so that Cascade can perform multisegment analysis, correlating individual connections to a virtual IP (VIP) address with the connections to hosts in the server pool behind it. With multisegment analysis, IT can correlate traffic issues like dropped packets and delay with an end user session. Without such correlation, monitoring application performance across the load balancer is difficult. Other load balancers are supported, but the configuration in Stingray is a manual process.

The need to manage the growth and increasing complexity of networks is driving demand for network performance management technology that can monitor traffic, identify possible bottlenecks and intervene to clear them up. As use of IT grows in enterprises, so does demand on IT to deliver more capacity and speed over the WAN and to be able to prioritize traffic. For example, video gets priority over a simple email, but a VoIP call gets priority over video if the video in question is something frivolous on YouTube.

The data center is undergoing a radical transformation. Data centers are being consolidated as virtualization technology is more widely adopted. Network pipelines need to expand to handle more traffic, particularly high-bandwidth video. And as applications are increasingly being distributed over the Web, more attention has to be paid to how well the network delivers those apps.

Wrap all of this with a virtualization layer, and application performance management and monitoring gets difficult. Virtual Cascade Shark, which currently runs only on VMware ESX hypervisors, is a virtualized version of the Cascade Shark appliance, offering visibility into traffic flows between virtual machines in a hypervisor. Virtual Cascade Shark pricing starts at $1,200. The Cascade Shark appliance now integrates with intelligent taps from companies like Gigamon, cTap and VSS, relying on their timestamps for latency measurements.

All of that is happening at the same time, and network administrators are pushed to understand the applications that run over the network and how well they are performing. While virtualization has greatly improved the efficiency of data centers by increasing server utilization, it has created "another blind spot for network managers," says Jim Frey, managing research director at Enterprise Management Associates (EMA).

"There could be traffic that goes on inside a hypervisor between multiple virtual machines, and unless you have a means for gaining visibility into that hypervisor, you have no way to understand what's happening in terms of the traffic between those VMs," Frey says.

Other Riverbed management appliances that interact with Cascade 9.5 include the Stingray application delivery controller--which the company said is more commonly known as a load balancer--the Whitewater cloud storage gateway and the Steelhead WAN optimization appliance.

Steelhead appliances could sit on the network at various branch offices and send WAN performance data to be aggregated by another Steelhead appliance in the data center, with the results then presented in the Cascade management console.

The network performance management solutions market is "pretty healthy and growing," says EMA's Frey, with startups seeing revenue growth of 20% to 40% or more annually and even more mature firms--publicly traded companies like Riverbed and NetScout Systems--reporting low double-digit revenue increases.


Microsoft System Center 2012 Revealed

Tue, 01/31/2012 - 08:48
System Center 2012 can do bare-metal provisioning using IPMI. Relying heavily on templates through System Center 2012, you define the skeleton options--such as MAC address, networking and storage--which are resolved either at runtime, such as an IP address via DHCP, or are taken from a template like a host name. What is interesting is that System Center can discover server hardware and make it available.

Inside Virtual Machine Manager, we defined our new hardware host and applied it to a server. You can readily track the progress of the deployment. In the lab, the hardware wasn't actually available, so it failed. However, you can drill into the task and see exactly which step failed and which steps remain. In our case, PXE boot failed, so we couldn't talk to the server. Note that VMM used the server's BMC (baseboard management controller) over IPMI to power on the host.

Cloud creation is performed after you define the templates for the underlying hardware. A cloud is just a set of resources that are grouped into a unit. You can then assign them to users and roles. In our case, PrivateCloud20 is using a logical network called Contoso and the lb01.contoso.com load balancer.

We set the capacity for this cloud offering at 12 Gbytes of RAM in total, unlimited storage, and a maximum of 10 virtual machines. All the VMs for this cloud service are based on Hyper-V, but a cloud can also include Citrix Xen or VMware hosts.

Microsoft's private cloud offering is multitenant by its very nature. IT defines the capacity of a cloud service, and then users and roles are assigned capacity and rights within that cloud. You can define many cloud services that are ultimately shared across the physical infrastructure.

Using quotas, you can control how cloud resources are consumed. In this case, this particular role is allowed as much virtual CPU, RAM or storage as needed, but the role is limited to five VMs. That means the role can run only five VMs, regardless of how many users are in the role.

Quotas can be further restricted on a per-user basis. In our case, each member of the role can use 1,024 Mbytes of RAM and may use only a single VM. This leaves room for other role members to use VMs, and allows us to add additional roles that can use the same cloud service.

Quota management is very dynamic, and administrators with the right access privileges can change these quotas at any time. You will have to think about your quota strategy so that you are managing your resources effectively.

Users can also be restricted in the actions they can take with the cloud service. Consumers of your cloud service should be allowed only limited access, to start and stop their VMs and deploy software. Different administrative roles can be defined. Access controls like these mean IT can delegate cloud management to distributed staff and offload workflows.

Once we defined the hardware templates, we configured the OS images to deploy. If you have ever installed Windows Server 2008, or any Windows server, for that matter, these options will be familiar to you. Tick off what you want, fill in the server name (which itself can be pre-defined via a template), and you have a stock golden image ready to deploy. What is interesting is that you can patch and reconfigure the image and, when it is active, you can deploy it to your cloud--automatically, if you desire.

This is where we begin to see the dynamism of System Center. We define the underlying OS and assign an application template, defined elsewhere, to the host. The application template can also have user-submitted fields that are filled out when requesting a new service, or the values can be defined for the application.

Most of the output from System Center 2012 is behind-the-scenes PowerShell scripts that get executed. From what I saw, there is no need to ever look at a script, which is great for those who don't know PowerShell. If you do, however, you can customize the scripts to suit your needs. In fact, with PowerShell, you can do anything the GUI does in a script, giving IT the potential for deep integration with existing IT systems without relying on third parties. Writing your own PowerShell scripts isn't for everyone, however.

In the VMM Service Template, you can visually arrange the various services and customize the options for them quickly and easily. This is one of the final steps before publishing the service in the service catalog and self-service portal. All of the components are already built; here, we are just putting them together. You can easily add more applications as needed.

Bear in mind that we are simply arranging systems together and not affecting application code in any way. The application code has to be written to talk amongst the various services. The best practice is to use names for systems and services, and never to hard-code dependencies. The templates should be able to build and resolve service names and locations dynamically.

While we don't show it, when we publish this application to the self-service portal, users can come to the portal, request an application and fill in just a few relevant bits of information, such as the application name. The technical bits should all be buried out of sight. When they request the service, their permissions are validated and the request kicks off a workflow. That workflow could be fully automated, or at any point you could interject a person to take actions. It's entirely up to you.


Are There No Fans For The FAN?

Mon, 01/30/2012 - 09:31
A few years ago, Brad O'Neill, then an analyst with the Taneja Group, coined the term FAN (file area network) to describe a virtualized file storage system. Organizations that build FANs that integrate multiple heterogeneous file stores presenting a single unified, optimized name space should be able to save a significant amount of time, effort and money. The collapse this month of AutoVirt is just another example of how this promising technology has never gained any traction with paying customers.

Having spent much of my career bringing order to the chaos of mismanaged SME data centers, I've been excited by the idea of FANs ever since I saw a demo of the Z-Force switch, which not only distributed files across multiple file servers but distributed data RAID-like across multiple filers so a dozen little one-drive SNAP servers could deliver 1,000 IOPS.

After all, a FAN would let me transparently migrate data from an old NAS to a new one, even as users access the data. Without a FAN, migrating several million files from one NAS system to another, especially if the new NAS is from a different vendor, is a major project involving late nights running ROBOCOPY while the users are locked out of their stuff.

Even better, a FAN can consolidate files from multiple departmental file servers to a new file store while preserving their UNCs. That way, all the embedded links in the spreadsheet from hell that accounting uses to close the quarter will still work even though we've long retired the file servers called HAN and CHEWIE. The FAN's global name space also means the FAN can spread data across multiple file stores while it looks like a single big filer.

Finally, I can run a policy engine in the FAN that puts the low-value data, like the home directories of all the folks that no longer work at FunCo, on a low-cost tier device that won't need to be backed up as frequently as the active data stores.

Despite all those advantages, sales of FAN systems have been exceptionally unsuccessful. Even if we don't count data classification/ILM vendors like Abrevity and Scentric, the graveyard of FAN companies is well populated. Several tried the hardware approach, building server/switches that sat in front of file stores--Z-Force, Attune, which was built from the ashes of Z-Force, NeoPath Networks, which was bought by Cisco and immediately shut down, and Acopia, which was acquired by F5 to create its last-man-standing ARX file virtualization platform. EMC bought Rainfinity and basically gave it to its professional services group to use during migration projects. Rainfinity's tech recently reappeared in EMC's Cloud Tiering Appliance, which FAN-like migrates data to a storage cloud. AutoVirt isn't the first FAN software vendor to go to boot hill, either. NuView's StorageX was snapped up by Brocade in one of its early attempts to diversify beyond Fibre Channel, but it lasted only about a year as a Brocade product.

In AutoVirt's short life (the company was founded in 2007), it used its reported $25 million in venture money to develop AutoMigrate, a migration tool, and AutoManage, a full-blown policy-driven FAN implementation. Unfortunately, the company never sold enough software to make money and is going to the FAN graveyard.

ESG's Steve Duplessie blogged that AutoVirt's crucial mistake was targeting Windows file servers and their data. That meant that their tools made life easy for the Windows admins, and no one in management was going to spend money for that. He may be right.

Have you considered a FAN? If so, what kept you from pulling the trigger?

Disclaimer: Josh Klein and Klavs Landberg of AutoVirt spent a few of those VC dollars to buy me meals and drinks. Brocade and EMC are clients of DeepStorage. The rest of the companies mentioned are dead.


5 Basic Switch Settings You Must Know

Mon, 01/30/2012 - 09:00
There are five configurations a network administrator should apply to a newly provisioned switch or router. Although application of these configurations may seem like common sense, 90% of devices I see are missing at least one of these settings, and about 75% are missing two or more. Use this checklist as an action item to verify your existing devices have these settings, at minimum, and integrate them into any templates or provisioning documents you use. You'll appreciate the results of the consistency this adds to your network management and monitoring.

Define a default gateway or default route
Let's start with the fantastically easy one--a management IP and default gateway. Obviously, you can't manage a device across the network unless it has, at bare minimum, a management IP address. Rather than harping on the obvious, take note that many times when edge devices are provisioned, an IP address is configured but the default gateway or default route is forgotten or omitted.

What happens when this configuration is missing? Those edge switches will hum along happily until one of three things happens:

  1. Your management tool is installed or moved to a different subnet.
  2. You try to manage the switch from a different network or subnet.
  3. You begin adding other VLANs or subnets to the switch.

Without a default gateway or route off of the network the switch is using, traffic may reach the switch, but the replies won't find their way back off that network. You won't believe how many edge devices are in the wild with this grievous omission, which often results in the switch becoming unmanaged simply because the management tools can't reach it.

Cisco & HP Networking:
# ip default-gateway <gateway-ip>
# ip route 0.0.0.0 0.0.0.0 <next-hop-ip>

One caveat on Cisco IOS: ip default-gateway is honored only while IP routing is disabled (the normal state of a Layer 2 access switch). Once ip routing is turned on, that setting is ignored and the default route must be configured with ip route 0.0.0.0 0.0.0.0 instead.

Set the time
If I could ask administrators to set only one configuration out of the box after the basic IP settings, I'd ask for this: the correct time. Correct time on a switch is vital when troubleshooting the device. A string of log entries dated 1/1/90 are useless to network administrators troubleshooting a problem.

The three most popular ways to set time on a device are manual time settings, TimeP or Network Time Protocol (NTP), and Simple NTP (SNTP). You should have a time server in your environment so the whole network stays in sync; if you don't have one now, you can add one easily. In Windows Server environments, a few clicks will have you up and running with SNTP in less than 5 minutes. You can also use public (Internet-hosted) time servers, but don't put yourself in a position where each switch has to call out over the Internet for time; point the switches at one or two internal servers and let those sync upstream. Keep in mind that NTP and SNTP are unauthenticated by default, so anyone who can spoof your time source can skew the timestamps you will later rely on in logs; where the platform supports NTP authentication keys, use them. As a last resort, set the time manually, but, by all means, set it somehow.

Cisco:
# ntp server <ntp-server-ip>
# clock timezone <zone-name> <hours-offset>
# show clock

HP Networking:
# ip timep manual <timep-server-ip>
# timesync timep
# clock timezone <offset>
Or
# sntp server <sntp-server-ip>
# sntp unicast
# timesync sntp
# show time

Enable neighbor discovery
Neighbor discovery protocols are essential for network administrators and management tools to accurately construct a view of the network topology. Each manufacturer has its own supported mix of neighbor discovery protocols, loosely based on how standards-focused that vendor is and how much it wants to pay in royalties to use proprietary protocols. The two most widely used are LLDP (Link Layer Discovery Protocol), the IEEE 802.1AB standard, and CDP (Cisco Discovery Protocol). Support varies by brand and at times even by model or firmware version. Some devices support LLDP for both listening and talking but support CDP only for listening; others offer equal capabilities for both protocols.

Enabling all supported neighbor discovery methods is highly recommended. The information it provides lets you immediately locate neighboring switches and even media endpoints such as phones and access points that use LLDP-MED, an extension of LLDP. Not only can you see where these devices are connected, you can get details of the device type, its host name, IP address and even what port it's connected to on the other end. In a similar fashion, your network monitoring and management tools will use these protocols to crawl the network, discover new devices, and correctly identify and show interswitch links. The same details are handed to anything plugged into the port, so treat discovery as an infrastructure-facing feature: keep it on uplinks and ports that face your own gear, and disable it on ports that face untrusted users or the Internet (on Cisco, per-interface no cdp enable and no lldp transmit).

Cisco: CDP is enabled by default. Enable LLDP and verify both:
# lldp run
# show cdp neighbors <+ optional details>
# show lldp neighbors <+ optional details>

HP Networking: LLDP is enabled by default, and CDP is supported for receive only. Verify with:
# show lldp info remote <+ optional details>
# show cdp neighbors <+ optional details>

Configure logging and traps
Notifications of events on the network are a critical component of monitoring, troubleshooting and real-time alerting. Most switches offer two primary means of sending this data to a central repository: logging events via syslog and trap events via SNMP (Simple Network Management Protocol). Configuration of both is simple, usually varying minimally from switch to switch and even from brand to brand.

Most organizations have a syslog server or a management tool configured to receive SNMP traps. If yours doesn't have such an application, I'd strongly encourage you to use this opportunity to investigate your options. If you don't have budget or time, look at your existing management tools and you'll likely find something you can use already in production. If not, there are a variety of free syslog and SNMP tools; just make sure you download free tools from a source you trust.

Cisco & HP Networking:
# logging <syslog-server-ip>
# snmp-server host <nms-ip> <community-string>

Add custom SNMP communities
SNMP is used to manage or monitor all types of devices in a network, including switches, servers and even desktops. SNMP allows us to define different community strings that are mapped to different access rights. Most simply, we have a read-only string and a read-write string. The read-only string lets monitoring tools see and gather information from the device, whereas the read-write string allows management tools to make modifications and configuration changes to the device. By default, switches most often have either no predefined strings or they use a combination of public and private.

Some of you may feel this belongs with the full management configuration (defining local users or RADIUS/TACACS authentication, enabling secure management with SSH and HTTPS), but I define it as one of the recommended out-of-the-box settings. Within an organization, you likely have only a set or two of custom SNMP community strings, and these strings aren't going to change between the time you order the switch, unbox it and deploy it. Initial omission of the strings is usually an oversight, or network admins consciously leave it out and figure they'll go back and add it later. Your management tools should already be set to talk to your devices using your custom SNMP strings, so start off on the right foot by setting them early on the device. Remember that they are case-sensitive; you'll avoid the frustration of typos if you include them in a template or at least copy and paste from a base text document. Incorrect SNMP strings are frustrating, especially in larger environments; correct strings let your device be seen and managed immediately by all your management and monitoring applications. Two cautions: SNMPv1 and v2c send the community string in cleartext, and the read-write string is all that stands between someone reading that traffic and a configuration change, so remove any default public/private strings rather than adding yours alongside them, and restrict each community to your management hosts with an access list where the platform allows it.

Cisco:
# snmp-server community <ro-string> RO [<acl>]
# snmp-server community <rw-string> RW [<acl>]
# show snmp

HP Networking:
# snmp-server community <ro-string> operator restricted
# snmp-server community <rw-string> manager unrestricted
# show snmp-server

There are many other configurations recommended in a production environment, including secure encrypted management and file transfers, as well as SNMPv3 in certain networks. These five settings are a quick start to ensuring consistent management of your infrastructure devices across the enterprise.
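Once the five settings live in a template, the remaining question is which of the devices already in production are missing them. The following audit script is an added example, not part of the original article: it reads the saved text of a Cisco IOS-style "show running-config" (the regexes are this example's own assumptions about IOS syntax, not an official parser, and HP Networking configs would need their own patterns) and reports which of the five settings are absent, plus lines that are present but weak: default public/private community strings, read-write communities with no access list, and CDP switched off globally. The two sample configs and their addresses are constructed for the example.

```python
"""Baseline-settings audit for saved switch configs (added example)."""
import re

# Community strings that ship as defaults on many devices and must be removed.
DEFAULT_COMMUNITIES = {"public", "private"}

# (setting, regexes): the setting counts as present if any regex matches any line.
# The regexes are assumptions about IOS 'show running-config' text.
CHECKS = [
    ("default gateway or default route",
     [r"^ip default-gateway \S+$", r"^ip route 0\.0\.0\.0 0\.0\.0\.0 \S+"]),
    ("time source (ntp/sntp server)",
     [r"^ntp server \S+", r"^sntp server \S+"]),
    ("LLDP enabled (lldp run)",
     [r"^lldp run$"]),
    ("syslog host",
     [r"^logging (host )?\d{1,3}(\.\d{1,3}){3}$"]),   # IPv4 syslog target only
    ("SNMP trap host",
     [r"^snmp-server host \S+"]),
    ("SNMP community",
     [r"^snmp-server community \S+"]),
]

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?$", re.I)


def audit_config(config_text):
    """Return {'missing': [setting, ...], 'weak': [(reason, line), ...]}."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    missing = [name for name, pats in CHECKS
               if not any(re.match(p, ln) for p in pats for ln in lines)]
    weak = []
    for ln in lines:
        if ln == "no cdp run":
            weak.append(("CDP disabled globally", ln))
        m = COMMUNITY_RE.match(ln)
        if not m:
            continue
        community, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
        if community.lower() in DEFAULT_COMMUNITIES:
            weak.append(("default community string", ln))
        if mode == "RW" and acl is None:
            weak.append(("read-write community with no access list", ln))
    return {"missing": missing, "weak": weak}


# Constructed sample: an edge switch as it is too often found in the wild.
WEAK_CONFIG = """\
hostname edge-sw-07
ip default-gateway 10.20.0.1
snmp-server community public RO
snmp-server community netops-rw RW
logging buffered 16384
logging 10.20.5.10
lldp run
"""

# Constructed sample: the same switch with all five settings and SNMP locked down.
HARDENED_CONFIG = """\
hostname edge-sw-07
ip default-gateway 10.20.0.1
ntp server 10.20.5.20
lldp run
logging host 10.20.5.10
access-list 10 permit 10.20.5.0 0.0.0.255
snmp-server community n3tops-ro RO 10
snmp-server community n3tops-rw RW 10
snmp-server host 10.20.5.11 n3tops-ro
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg))
```

Run it against a directory of backed-up configs and the "missing" list becomes the work order for your next change window; the "weak" list is the part to fix first, since a read-write community with no access list is reachable by anyone who can send UDP/161 to the switch.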

Learn more about IT PRO Report: Data Center Networking (free, registration required).


How NetFlow Keeps Networks Running, People Alive

Sun, 01/29/2012 - 08:51
In all the technical discussions about network routers, switches, throughput, packets and the alphabet soup of acronyms that apply, it may be easy to forget that network downtime can have life-or-death consequences. For two NetFlow users, the requirements for the network monitoring technology were less dire, but the results were still compelling.

Jhune Rosario is the network systems administrator for Puget Sound Blood Center, which operates 17 sites where blood is drawn from donors and 51 hospitals that use that blood supply to treat patients. Some of those sites are a three-hour drive from Puget Sound but have only a T1 line connecting them, so the implications of that connection going down are significant.

"Recently I met a family whose son had leukemia and they had to do almost two transfusions a week. If they don't get that transfusion, that child could be in a very difficult situation," Rosario says.

The child could be waiting for blood, but with the network down, lab technicians can't confirm whether a donor in, say, Bellingham, Wash., is the right blood type for the patient, he says.

While Puget Sound is a nonprofit without the budget to replace a T1 line with a 10-Gbps connection, it has benefited from adopting NetFlow technology to monitor its network and proactively troubleshoot problems before they cause an outage. Puget Sound Blood Center, which uses NetFlow technology from Lancope, has saved $22,680 in costs for each hour of network downtime it suffered.

The blood center is one of several examples Lancope cited in a recent report on "The State of NetFlow."

NetFlow is a network protocol developed by Cisco Systems in 1996 to collect IP traffic information and provide visibility into a network: each exported flow record summarizes who talked to whom, on which ports and protocol, and how many packets and bytes were exchanged. IT professionals monitoring their networks with NetFlow can see where situations like network congestion or a misconfigured switch are occurring and intervene to fix those problems. Variations of NetFlow are now widely used in networking gear from such companies as Alcatel-Lucent, Cisco, HP (3Com) and Huawei Technology. Other flow-based technologies like sFlow are used by Juniper and Extreme Networks. The IETF's IP Flow Information Export (IPFIX) standardizes the flow reporting protocol, but has yet to see widespread adoption.

Puget Sound Blood Center has seen network uptime improve since introducing NetFlow, Rosario says: "On our old system we always had to react to a situation. Now our help desk can see that the system is running slow, then they can proactively look up that information and alert the folks who can start solving the issue."

The problem was different at Grafisch Lyceum-Rotterdam (GSR), a university in the Netherlands. The university was hampered by existing firewall technology and an embedded intrusion detection and intrusion prevention system (IDS/IPS) that could only inspect a portion of network traffic and did not provide visibility into the school's high-speed internal and virtual network. Using Lancope's StealthWatch NetFlow technology, GSR gained wider visibility into its Internet gateway traffic and the internal and virtual network. GSR also reported faster time to resolution for network problems and a 75% cost savings compared to what it had before.

For AirTran Airways, the network challenge was maintaining Payment Card Industry (PCI) compliance across a widely distributed network serving about 10,000 end users. Because it's billed as a low-cost airline, AirTran needed a cost-effective and scalable network monitoring system to enable employees to take credit cards from wherever possible--at any gate, ticket counter or kiosk. Its deployment of StealthWatch enabled the airline to improve PCI compliance, increase network visibility, and better identify and address anomalies to improve network security.

A recent Lancope-sponsored study by Enterprise Management Associates found that the most popular current uses of flow data are traffic monitoring (76%) and security monitoring (61%). Other key findings include: 47% of respondents leverage flow data for understanding services consumption; 46% use flow data for planning/engineering; 96% say they expect to maintain or expand their use of flow data during the next 12 to 18 months; and NetFlow is the most popular type of flow data, used by 70% of respondents.
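The security-monitoring use that AirTran and the survey respondents describe rests on the fact that a flow record is small and structured, so anomalies can be spotted without touching packet payloads. The following is an added example, not code from the original article or from Lancope: it decodes NetFlow v5 export datagrams using the published v5 layout (a 24-byte header followed by 48-byte records) and then runs one simple detection over the flows, flagging any source that touched an unusual number of distinct destination ports, which is the signature of a port sweep. The sample flows, addresses and the threshold of five ports are constructed for the example; the build_v5 helper exists only to create that sample datagram offline.

```python
"""NetFlow v5 parsing and a simple scan detector (added example)."""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# Header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
#         srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
#         src_mask, dst_mask, pad2
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes


def parse_v5(packet):
    """Decode one NetFlow v5 export datagram into a list of flow dicts."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("truncated NetFlow header")
    version, count = V5_HEADER.unpack_from(packet, 0)[:2]
    if version != 5:
        raise ValueError("expected NetFlow v5, got version %d" % version)
    if len(packet) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header claims %d records but datagram is short" % count)
    flows = []
    for i in range(count):
        fields = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, tcp_flags, proto) = fields[:14]
        flows.append({"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
                      "sport": sport, "dport": dport, "proto": proto,
                      "pkts": pkts, "octets": octets, "tcp_flags": tcp_flags})
    return flows


def build_v5(flows, unix_secs=1327870000):
    """Pack flow dicts into a v5 datagram; used here only to build the sample."""
    header = V5_HEADER.pack(5, len(flows), 0, unix_secs, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(IPv4Address(f["src"]).packed, IPv4Address(f["dst"]).packed,
                       b"\0\0\0\0", 1, 2, f["pkts"], f["octets"], 0, 0,
                       f["sport"], f["dport"], 0, f.get("tcp_flags", 0x02),
                       f["proto"], 0, 0, 0, 24, 24, 0)
        for f in flows)
    return header + body


def find_scanners(flows, min_ports=5):
    """Sources that opened TCP flows to at least min_ports distinct dst:port pairs."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == 6:
            targets[f["src"]].add((f["dst"], f["dport"]))
    return sorted(src for src, t in targets.items() if len(t) >= min_ports)


# Constructed sample traffic: 10.0.0.5 sweeps eight ports on 10.0.1.7 with one
# SYN each, while 10.0.0.9 behaves like a normal client (HTTPS plus a DNS query).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.1.7", "sport": 40000 + i, "dport": p,
     "proto": 6, "pkts": 1, "octets": 60}
    for i, p in enumerate((21, 22, 23, 25, 80, 443, 445, 3389))
] + [
    {"src": "10.0.0.9", "dst": "10.0.1.7", "sport": 51234, "dport": 443,
     "proto": 6, "pkts": 120, "octets": 98000, "tcp_flags": 0x1b},
    {"src": "10.0.0.9", "dst": "10.0.1.53", "sport": 51800, "dport": 53,
     "proto": 17, "pkts": 2, "octets": 180},
]
SAMPLE_PACKET = build_v5(SAMPLE_FLOWS)

if __name__ == "__main__":
    decoded = parse_v5(SAMPLE_PACKET)
    print("%d flows, suspected scanners: %s" % (len(decoded), find_scanners(decoded)))
```

In production the datagrams arrive over UDP from the exporter and the per-source sets would be kept in a sliding time window rather than over one packet, but the logic is the same: the detector never needs payload, only the five-tuple and counters the exporter already sends.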


Nearbuy Brings Shopper Analytics To Retail Wi-Fi Spaces

Fri, 01/27/2012 - 12:41
As more consumers prowl store aisles equipped with smartphones, retailers have multiple reasons to want to harness the capabilities of these user endpoints for their own benefit. Nearbuy Systems is bringing an interesting tool set to merchants that should also benefit tech-savvy shoppers with its new Captive Portal and analytics utilities.

Nearbuy Systems is a relative newcomer to the technology world, and is interested in the sweet spot where retail can benefit from the proliferation of smartphones across the private consumer space. I've talked with Nearbuy CEO and co-founder Bryan Wargo in the past about his company's location-based mobile shopping apps (including ridiculously accurate in-store device tracking that presents various sale offers based on where a shopper is standing on the sales floor), but Nearbuy's new Captive Portal offers functionality to both large retail environments and those too small to be interested in location services.

The premise behind Nearbuy's new in-store guest wireless offering is simple. I log into the store wireless network through a simple captive portal, and as I use my smartphone while shopping, my activities are being logged. Add that data to my activities on different days or in a merchant's other branches, and trends can be gleaned. Combine my usage information with that of other shoppers in an easy-to-use analytics UI, and large data sets will hopefully yield valuable information about what consumers are actually buying or not, and what websites are being used for comparison shopping from the store's own network.

Citing predictions from Forrester Research and Deloitte, Wargo believed that about 25% of all North American big-box retailers were offering free Wi-Fi access to consumers by the end of 2011. Wargo also noted that through 2014, 90% of all retail transactions are still expected to occur in-store, but with more than half of these being influenced by what multichannel consumers see on the web about their intended purchases. Considering that smartphone sales continue to skyrocket and that pending family data plans may get even more consumers into the Nearbuy target demographic, things get interesting in this unique space.

After explaining the why, Wargo took me through the how of Nearbuy's analytics framework. One of Nearbuy's major selling points is that it leverages a store's existing WLAN, whether it be a one-access-point Starbucks or a big building supply house with many APs. Nearbuy provides an add-on captive portal appliance (or a software enhancement to existing Motorola NX appliances) in each store. The Captive Portal is shoppers' front door to free wireless in the store. They can typically log in with an email address or social media credentials, and once terms of usage are accepted, the Nearbuy-enabled consumer connectivity experience is off and running.

While Wargo says that no sensitive consumer data or credit card information is passed through or stored on Nearbuy servers, target offers and other enticements specifically aimed at store wireless users can be leveraged to get shoppers to opt in. Each store pipes a range of analytically significant data off to Nearbuy's data center for aggregation, including types of devices used, activity history, Web traffic volume, top products browsed and purchased both in store and online, dollar values of items purchased, and more.

Nearbuy Systems certainly taps an interesting opportunity with an impressive utility suite, but there are a couple of points that Wargo yielded as we discussed the merits of his new baby. Some smartphone users simply leave the Wi-Fi side of their devices off most of the time in favor of their data plans. And then there are hit-and-run consumers who simply don't want to fish their phones out of their pockets while they shop, as it can lead to more time in a store than they might really want to spend. (I consider myself to be somewhere in the middle of these two.) Then there are the feature-phone-only folks who simply can't get online from their device. Nearbuy has nothing to offer any of these groups. Regardless of those who can't, or by choice won't, use Nearbuy-enabled wireless, Wargo knows that the retail space is certainly evolving.

Will enough merchants and consumers buy in to make Nearbuy viable? Time will tell. Meanwhile, you can get a demo of the Nearbuy System's Captive Portal and a peek at the company's analytics capabilities at http://www.youtube.com/watch?v=XG05jJIatWA

Disclaimer: Lee has no business relationship with Nearbuy Systems.

Forecast: 10GbE To Be The Top-Selling Ethernet Switch By 2016

Fri, 01/27/2012 - 12:07
Sales of 10-Gbit per second (Gbps) Ethernet switches are expected to reach $13 billion by 2016 and will constitute nearly half of a total $28 billion Ethernet switch market by then, a forecast from the research firm Dell'Oro Group states. And even as data center operators upgrade from 1-Gbit Ethernet switches to 10-Gbit Ethernet to handle exponentially larger volumes of network data traffic, sales of even faster 40-Gbit Ethernet and 100-Gbit Ethernet switches will also be picking up.

By 2016, sales of 40-Gbit Ethernet and 100-Gbit Ethernet products will amount to $3 billion, Dell'Oro said in its five-year forecast for the Ethernet switch market. The company, which is focused exclusively on networking and telecommunications equipment market research, expects the strongest growth in 10-Gbit Ethernet in 2013 and 2014 as enterprise data centers invest in the technology for server access through a mix of connectivity options for blade and rack-mounted servers.

Growth in 10-Gbit Ethernet deployments will be driven by continued adoption of virtualization, meaning servers will be running at higher utilization rates than non-virtualized servers do, said Alan Weckel, senior director at Dell'Oro Group. Another driver is the expected server refresh cycle prompted by the release of Intel's new Romley microprocessor platform, which will provide the faster server throughput that is needed for virtualization.

"Romley comes out in the first half of 2012, so 2012 is going to be the time that enterprises go through qualification tests of the new servers and new switches. The hockey stick up is [in] 2013," Weckel said.

Vendors in this burgeoning market include Alcatel-Lucent, Avaya, Brocade, Cisco Systems, Extreme Networks, Dell, HP, IBM, and Juniper Networks, but Weckel declined to say which specific vendors Dell'Oro thinks will benefit more from 10-Gbit Ethernet sales than others.

Vendors are seeing the same pick-up that Dell'Oro sees.

"This is the year of 10 gig," said Arpit Joshipura, chief marketing officer for Force 10 Networks, which was acquired by Dell in August 2011. "All of a sudden, this year we will see a lot more 10-Gbit deployments, and it's already starting to happen in our customer base."

Joshipura, who came to Dell from Force 10, said Force 10 developed the first 10-Gbit Ethernet switches about 10 years ago and would have hoped the technology would have caught on sooner, but is nonetheless happy that sales are picking up. However, while the rate of growth of 10-Gbit Ethernet switch sales is strong, Dell still sells far more 1-Gbit Ethernet switches than 10-Gbit Ethernet ones. Based on unit sales, he estimated 90% of sales are of the previous-generation 1-Gbit Ethernet products.

Likewise, Cisco Systems sees strong growth in the 10-Gbit Ethernet market and crossed the 10 million unit sales mark in December 2011, said Shashi Kiran, senior director of data center and enterprise networking at Cisco.

Kiran said Cisco currently enjoys a 76% share of the 10-Gbit Ethernet market and that, although the majority of its sales are also still of 1-Gbit Ethernet products, the growth rate for 10-Gbit Ethernet is higher. He also said that as more 10-Gbit Ethernet switches are deployed, Cisco is acting proactively to see what other points on a network may appear as "choke points" for the faster 10-Gbit Ethernet traffic.

Kiran also said unit sales of 10-Gbit Ethernet products are driven by declining prices, which makes it easier for customers to justify purchasing 10-Gbit Ethernet to replace 1-Gbit Ethernet on their networks.

Dell'Oro's Weckel provided some specifics: Across all vendors, the average selling price of a 10-Gbit Ethernet product was $388 per port in 2011, down from $818 per port in 2008.

Learn more about IT PRO Report: Data Center Networking by subscribing to Network Computing Pro Reports (free, registration required).

Enterasys Addresses Wired-Wireless Pain

Thu, 01/26/2012 - 10:00
Network equipment vendor Enterasys is tackling the growing problem of managing wired and wireless devices with the latest addition to its suite of fabric network management technology, the OneFabric Edge Architecture. The combined wired-wireless management fabric relieves a number of network management headaches, especially in situations where the wired network is often managed by one vendor and the wireless network by another, says the company.

"Wired is a pain in the butt now," says Craig Mathias, a principal analyst at Farpoint Group. With wireless devices ubiquitous in the workplace, Mathias wonders why anyone would use a wired network.

For now, though, wired and wireless networks have to work together and need to be merged. "The idea of thinking of the network as a single unified entity ... is one of the key emerging themes that I think you're going to see a lot of emphasis on over the next couple of years," Mathias says.

The OneFabric Edge features an end-to-end integration of the WLAN and the wired infrastructure, and integrates Enterasys' security and management features with application-aware capabilities that aid compliance and service level agreements (SLAs). The product introduces what Enterasys calls the Wireless Services Engine (WiSE), a WLAN controller for application services that the company says gives customers greater flexibility for deploying edge access in virtual, physical and cloud environments.

Lastly, the OneFabric Edge introduces the K-Series modular switch, which provides visibility into network traffic to determine location, identification and overall management capabilities of the converged wired and wireless network. Enterasys says the K-Series switch helps manage environments in which employees bring their own wireless devices into work to run on the corporate network.

Both the Enterasys data center fabric and edge fabric systems are jointly managed by the OneFabric Control Center management console.

While applauding Enterasys' innovation, Mathias says it faces considerable competition in the data center fabric space from companies such as Cisco Systems, Juniper Networks and Brocade, as well as in the edge network space. Although network and edge fabric technology from these and other vendors is catching on, a recent survey of the people who buy networking equipment showed some caution about embracing new technology too soon. InformationWeek Analytics released a survey earlier this month that showed that IT buyers favored products built to industry standards over those with the latest innovation, including network fabrics.

The report noted "a general wariness of proprietary features, where many cutting-edge capabilities are in flux--either the standards aren't complete or are yet to be widely adopted."

Those kinds of reservations are warranted, but Enterasys says its approach to fabric computing is different from that of competitors, noting that it uses an open architecture based on networking standards and that its fabric offerings are compatible with other vendors' legacy systems, something fabric competitors can't always say.

The difference between Enterasys and competitors is also based on different definitions of the term "fabric," adds Mark Townsend, director of solutions architecture for Enterasys. Enterasys endorses the research firm Gartner's definition of a network fabric as "taking a collection of resources, such as a network, and [unifying] those under a single control plane to deliver an application," he says.

Other vendors define fabric in terms of a "topology," he adds, referring to the multipath connections between switches and routers designed to make networks run faster and more efficiently and to be flatter.

"If you look at our competition, they are looking at fabric as a topology and the topologies that they are talking about are based on proprietary protocols," Townsend says.

While buyers may be wary of fabric technology, this happens all the time when new technology is introduced, particularly in networking, says Mathias. "There's always a degree of risk when you shift from the old modes of thought to the new modes of thought," he says, adding that vendors need to better educate prospective customers to overcome their reservations.

Learn more about Optimize Your Mobile Infrastructure by subscribing to Network Computing Pro Reports (free, registration required).

Intel Makes Exascale Bet on InfiniBand-Based Supercomputing

Wed, 01/25/2012 - 10:00
Intel, which played a key role in the creation of the InfiniBand high-speed networking standard a decade ago, has come full circle and bought the IB assets of Qlogic, one of the two remaining companies still actively pushing the technology. While $125 million is chump change for a company that netted $3.4 billion in profits last quarter, Intel says the acquisition will enhance its networking portfolio and provide scalable high-performance computing (HPC) fabric technology, as well as support the company's vision of innovating on fabric architectures to achieve ExaFLOP/s performance by 2018. At a hundred times faster than today's fastest supercomputers, it's an aggressive move, seeking to accelerate performance to a quintillion computer operations per second.

The InfiniBand specification defines a low-latency, high-bandwidth input/output architecture used to interconnect servers, communications infrastructure equipment, storage and embedded systems. It is a true fabric architecture that leverages switched, point-to-point channels with data transfers today at up to 120 Gbits per second, both in chassis backplane applications as well as through external copper and optical fiber connections.

Last year the InfiniBand Trade Association reported the technology is seeing continued growth on the TOP500 list of supercomputing sites. InfiniBand connects the majority of the top 100 with 61%, the top 200 with 58% and the top 300 with 51%. The total number of InfiniBand-connected CPU cores on the TOP500 list has grown 65%, from 1.4 million in November 2009 to 2.3 million in November 2010.

IDC says the HPC market was worth $19 billion in 2010, up 10%, and expected to see 7% growth through 2015. While Ethernet remains the leader, the research company predicts InfiniBand will continue to take market share from proprietary interconnects.

Supercomputing is the key to the deal, says Intel. While HPC's share of CPU shipments will drop from 15% to 12% between 2010 and 2015, it still represents a sizable chunk of the total market. Moreover, the total addressable market for top-100 supercomputing CPUs will reach 1 million units next year, double that in 2015, and reach 8 million units by 2019.

Intel says InfiniBand was seen as the missing piece to developing a scalable fabric by 2018. The acquisition also rounds out the company's Ethernet portfolio, it says. HPC is one of the two key pillars of growth within Intel's data center business, along with cloud.

The other company remaining in the IB market is Mellanox Technologies, which, along with Qlogic, has been an Intel partner. Oracle uses InfiniBand technology in its database appliances and bought a 10.2% share of Mellanox in late 2010.

The Qlogic deal, which is expected to close this quarter, involves the product lines of and certain assets related to its InfiniBand business. A significant number of the employees associated with this business are expected to join Intel's network and communications unit.

Learn more about OpenFlow vs Traditional Networks by subscribing to Network Computing Pro Reports (free, registration required).

F5 Networks 'Fixes' Data Center Security

Tue, 01/24/2012 - 11:00
Arguing that multiple point appliances intended to secure a network only add to complexity without providing the intended protection, F5 Networks is introducing what it calls a Data Center Firewall to combine multiple security solutions into one appliance. The appliance, called BIG-IP model 11050 and carrying a starting price of $129,995, delivers such security features as dynamic threat defense, DDoS protection, protocol security, SSL termination and a network firewall.

"The current environment just doesn't scale, it doesn't extend, and it doesn't respond. We think this model is broken and it's very, very real in our customer base today," said Mark Vondemkamp, director of product management for F5.

ICSA Labs, an industry accreditation body for network firewall solutions, certified the F5 BIG-IP product family as a secure sockets layer (SSL), transport layer security (TLS) and virtual private network (VPN)-compliant appliance line.

The appliance is designed to respond to some of the latest types of attacks on networks, Vondemkamp said, such as distributed denial of service (DDoS) attacks, in which websites are pinged millions of times to bring them down. Lately this has been done for political reasons, such as the attacks on sites targeted in the wake of the WikiLeaks document dumps of U.S. State Department cables in 2011.

F5 has also seen a rise in the number of blended threats on the Internet, combining a DDoS attack with an application-level attack. Lastly, the BIG-IP appliance protects against zero day attacks, in which a vulnerability in a software program, such as Microsoft or Adobe, is discovered before a patch for it can be developed and deployed.

The array of point solutions to address these threats--network firewalls, DDoS appliances, domain name server (DNS) appliances, web application firewalls and load balancers--are difficult to manage, can be a drag on network performance and can result in multiple points of failure, said Vondemkamp.

"The traditional approach needs to be replaced by a unified security architecture," he said.

F5, in the Leaders quadrant of Gartner's Magic Quadrant analysis of SSL VPN security vendors released in December 2011, shares the top spots with Cisco Systems and Juniper Networks, while competitor Citrix Systems is identified as a viable "challenger."

However, in its analysis of vendors, Gartner faults F5 for lacking an Internet Protocol Security (IPsec) capability in its products. IPsec is a protocol for securing IP communications by authenticating and encrypting each IP packet in a communications session. "F5 faces an uphill contest with vendors that offer both SSL and IPsec, and should reconsider whether to build or acquire client-based IPsec support," Gartner reported.

That aside, the F5 approach of combining different point solutions into one powerful data center firewall is a viable approach, said Jeff Wilson, a principal security analyst at Infonetics Research.

Even though the typical enterprise data center may not be as much of a target of a malicious DDoS attack as would a financial institution or a government agency, data centers are still high-value assets that need enhanced protection for today's threats, Wilson said.

"Since data centers typically process a lot of traffic, have high bandwidth connections and have a lot of high-capacity gear, when attacks are aimed at them they tend to be very fast attacks, but the typical firewall isn't designed to handle a DDoS attack," he said. "The scale of the attacks is really what's at issue in a data center."

F5 compared its BIG-IP 11050 to the Juniper SRX 3400 on throughput, connections per second and the number of concurrent connections it can support. Wilson says that's because Juniper has a significant foothold in the data center and, like F5 and other network security vendors, is trying to expand its presence in those data centers. He identified HP TippingPoint and Check Point as among other vendors going up against F5.

Learn more about Data Encryption by subscribing to Network Computing Pro Reports (free, registration required).

Research Finds Outstanding Issues Could Derail Win 8 Migration

Tue, 01/24/2012 - 09:06
Migration to Windows 8 won't be a sure thing, with a number of issues remaining to be addressed before Microsoft can expect the majority of its users to migrate to the new version of the operating system. A new survey from InformationWeek Analytics, Research: Windows 8, finds that the migration strategy appears to be predicated on people migrating from Windows 7 to Windows 8, when it is clear that a significant number of existing users are still running Windows XP. This demonstrates the sort of problem that Microsoft is facing. The new operating system is scheduled to come out in beta in February and for final shipment in the second half of the year.

According to the survey of 973 business technology professionals, 90% still have Windows XP and 81% have Windows 7. Just over half, 52%, plan to upgrade, while 48% will not. Of those planning to upgrade, 82% will be upgrading from Windows 7 and 54% will be upgrading from Windows XP. Half plan to stay with Windows XP, while 30% plan to stick with Windows XP. And even those who do plan to upgrade, 28%, the largest percentage, have not yet established a timetable for when they will be upgrading. Moreover, 21% said they do not plan to deploy Windows 8 on mobile devices.

Issues cited by the survey respondents included having to redesign applications to support the new Metro tile-based touch user interface, the requirement for touch devices and monitors to take advantage of the new interface, Windows 8 compatibility among different browsers, and the requirement to develop back-end systems that can service a variety of devices.

Barriers to upgrades cited by respondents include other IT projects with higher priorities, compatibility issues, testing requirements, a lack of business drivers or ROI, training requirements, lack of staff, lack of money, and the fact that they're still in the process of migrating to Windows 7.

Another survey, InformationWeek's 2012 forecast, found the prospects are good for Windows 8 Server and not so bright for Win Mobile. At the end of 2011, 63% of respondents said they'll run Windows 8 on at least 50% of their servers. Only 30% of respondents say they'll run the phone/tablet version on that fraction of these devices, which was considered surprisingly high.

Migrating from Windows 7 to Windows 8 is supposed to be seamless, but migrating from Windows XP to Windows 8 will be another issue, since, like the migration to Windows 7, it will require a clean install. "Essentially, you have to save your data, do the install and migrate your data in," says analyst Roger Kay, owner of Endpoint Technologies Associates. Moreover, Windows XP users may find they need more memory or processing power to support Windows 8.

"If a system is more than two or three years old, it might not have the processing power to make Windows 8 work correctly," says Charles King, principal analyst for Pund-IT.

However, users who migrate from Windows 7 may see improvements, says Rob Enderle, principal analyst for the Enderle Group. While Windows 8 has the same memory requirements as Windows 7, it is less resource-intensive. "The cheapest systems that run Windows 7 or Vista should be as fast or faster with Windows 8," he says. Systems should have at least 2 Gbytes of memory, though Kay suggests that 4 Gbytes would be better.

Learn more about Research: Windows 8 by subscribing to Network Computing Pro Reports (free, registration required).

Rise Of HTML5 Brings With It Security Risks

Tue, 01/24/2012 - 08:30
HTML5 is the new "it" protocol on the Internet. Among other things, it is an alternative to Adobe's Flash for displaying content through a Web browser. No less an industry authority than the late Steve Jobs declared in 2010 that browsers on Apple devices such as the iPad would support HTML5 and not Flash. But as HTML5 gains wider adoption, some of its security flaws are beginning to get noticed, including in the WebSocket specification, which renders Web pages more quickly than Flash does.

"Anything new comes with some new security concerns," says Joe Bulman, systems architect for Wedge Networks, a network security company specializing in what it calls "deep content inspection" of traffic on Web networks.

HTML5 security issues have drawn the attention of the European Network and Information Security Agency (ENISA), which studied 13 HTML5 specifications, defined by the World Wide Web Consortium (W3C), and identified 51 security threats.

A recent alert from security vendor Sophos stated HTML5 provides far more access to the computer's resources than its predecessor, offering capabilities like location awareness, local data storage, graphics rendering and system information queries that are built in and quite powerful. However, the alert cautions that while the enhancements are great, "they radically change the attack model for the browser. We always hope new technologies can close old avenues of attack. Unfortunately, they can also present new opportunities for cybercriminals."

Bulman identified four main concerns. First is the problem of cross-origin resource sharing (CORS), in which a Web server can allow its resources to be accessed by a Web page from a different domain. While useful in aggregating content from several sites, he says, there is a risk that some content may be shared that shouldn't be. Second is the problem of click-jacking, in which malicious code is surreptitiously placed on a Web page image behind a digital mask that makes an item appear to be safe and invites the user to click on it. Third, HTML5 has unique geolocation and privacy issues that need to be addressed, although he adds that HTML5 standards bodies as well as browser vendors are addressing them.

In fact, to its credit, the HTML5 community is responsive and "transparent" in how it operates, he says. Also, HTML5 applications have more restricted access to system resources than Flash applications do, while HTML5 protocol updates are delivered through browser updates so they're more likely to be applied. All the major browser vendors are working on HTML5 security issues, and the HTML5 community enjoys the support of the Internet's biggest brands, including Facebook, Google, PayPal and Bing. This means that use of HTML5 should be on a strong growth curve.

The fourth potential flaw relates to one of HTML5's best features. The WebSocket API enables two-way communication over one transmission control protocol (TCP) socket. The WebSocket.org website uses the example of a stock ticker Web application to explain how WebSocket works. In a traditional HTTP-based browser application, in order to display the most current price for a stock, the browser constantly pings the Web server for new information, a process called "polling." Because that wastes time and compute resources, WebSocket allows the web server to push the information out to the browser only when it has new information to share.

The feature, called asynchronous full duplex communication, drastically reduces the amount of unnecessary traffic between server and browser, says Bulman. In the example of the stock ticker app accessed by 10,000 end users in the experiment, the data traffic reduction ratio was 500 to 1.

The downside is that WebSocket disables a number of important network security tools. It takes over key network ports such as port 80, where packets are normally screened for malicious content, and once a connection has been upgraded to WebSocket the packets lack the traditional headers that a web application firewall would inspect to block suspicious packets. Reputation-based defenses also fail with WebSocket deployed.

Wedge Networks' solution to this dilemma is an approach it calls "deep content inspection," a feature, introduced in November 2011, of its WedgeOS operating system that powers its security appliances.

"We judge the content, the structure and the intent of the data in motion," says Hongwen Zhang, CEO of Wedge Networks.

Wedge offers a "unique architecture" to deliver high performance deep packet inspection, wrote Chenxi Wang, a Forrester analyst, in a report providing a market overview for the content security space for the third quarter of 2011.

"Using this deep content inspection engine, customers can conduct in-depth malware detection, DLP processing and content classification at line speed," Wang notes.

But Wedge competes with a number of well-known players in this space, including Cisco, Google, McAfee, Microsoft, Sophos and Symantec, among others, she said.

Learn more about Data Encryption by subscribing to Network Computing Pro Reports (free, registration required).