Blog Posts in June 2011
I had to check the Microsoft clustering terminology a few days ago, so I used Google to find the most relevant pages for “Windows cluster” and landed on the Failover clustering home page where the Multisite Clustering link immediately caught my attention. Dreading the humongous amount of layer-2 DCI stupidities that could lurk hidden behind such a concept, I barely dared to click on the link ... which unveiled one of the most pleasant surprises I’ve got from an IT vendor in a very long time. Microsoft actually understands that some people prefer to keep their IT infrastructure stable and has supported multi-subnet clusters for quite some time. What a revolutionary concept for the L2-crazed flat-earth world some other vendors are busy promoting.
With the latest software release (12.3.01) the ServerIron ADX, Brocade’s load balancer product, supports the real NAT64 (not 6-to-4 load balancing). Even more, it supports all of the features I would like to see in a NAT64 box plus a few more:
True NAT64 support, mapping the whole IPv4 address space into an IPv6 prefix that can be reached by IPv6 clients. One would truly hope the implementation is conformant with RFC 6146, but the RFC is not mentioned in the documentation and I had no means of checking the actual behavior. DNS64 is not included, but that’s not a major omission as BIND 9.8.0 supports it.
Every time I write about the lack of commercial NAT64 products (yeah, I know Juniper had one for a long time and Brocade just rolled out ADX code), someone tells me that company X has a field-proven NAT64 product ... only most of them are really 6-to-4 load balancers. Let’s see what the difference is.
J Michel Metz brought out an interesting aspect of the dense/sparse mode FCoE design dilemma in a comment to my “FCoE over TRILL ... this time from Juniper” post: FC-focused troubleshooting. I have to mention that he happens to be working for a company that has the only dense-mode FCoE solution, but the comment does stand on its own.
Before reading this post you might want to read the definition of dense- and sparse-mode FCoE and a few more technical details.
Martin Casado and his team have published a great series of blog articles describing hypervisor switching (for the VMware-focused details, check out my VMware Networking Deep Dive). It starts with an overview of Open vSwitch (the open source alternative for VMware’s vSwitch, commonly used in Xen/KVM environments), describes the basics of hypervisor-based switching and addresses some of the performance myths. There’s also an interesting response from Intel setting straight the SR-IOV facts.
It’s a foggy rainy day in my part of the world and most of Europe is enjoying a very long weekend ... a perfect day to straighten out some of the long-neglected paperwork issues. Finally I scraped together enough willpower to complete the list of my articles published over the last few years.
In early autumn of 2010, a “DRAFT on Cisco Nexus 1000V LISP Configuration Guide” appeared on CCO. It’s gone now (and unfortunately I haven’t saved a copy), but the possibilities made me really excited – with LISP in Nexus 1000V, we could do close-to-perfect vMotion over any IP infrastructure (including inter-DC vMotion that requires stretched VLANs and L2 DCI today). Here’s what I had to say on this topic during my Data Center Interconnect webinar (buy a recording).
You probably know the old saying – if the mountain doesn’t want to come to you, you have to go out there and climb it. vCider, a brand-new startup launching their product at Gigaom Structure Launchpad, decided to do something similar in the server virtualization (Infrastructure-as-a-Service; IaaS) space – its software allows IaaS customers to build their own virtual layer-2 networks (let’s call them vSubnets) on top of the IaaS provider’s IP infrastructure; you can even build a vSubnet between VMs running within your enterprise network (private cloud in the cloudy lingo) and those running within Amazon EC2 or Rackspace.
Full disclosure: Chris Marino from vCider got in touch with me in early June. I found the idea interesting, he helped me understand their product (even offered a test run, but I chose to trust the technical information available on their web site and passed to me in e-mails and phone calls), and I decided to write about it. That’s it.
I got a really interesting question from one of my readers (slightly paraphrased):
Is this a correct statement: QoS on a WAN router will always be on if there are packets on the wire as the line is either 100% utilized or otherwise nothing is being transmitted. Comments like “QoS will kick in when there is congestion, but there is always congestion if the link is 100% utilized on a per moment basis” are confusing.
Well, QoS is more than just queuing. First you have to classify the packets; then you can perform any combination of marking, policing, shaping, queuing and dropping.
2011-06-23: Added description of various link efficiency mechanisms.
One of the implications of Virtual Machine (VM) mobility (as implemented by VMware’s vMotion or Microsoft’s Live Migration) is the need to have the same VLAN configured on the access ports connected to the source and the target hypervisor hosts. EVB (802.1Qbg) provides a perfect solution, but it’s questionable when it will leave the dreamland domain. In the meantime, most environments have to deploy stretched VLANs ... or you might be able to use hypervisor-aware features of your edge switches, for example VM Tracer implemented in Arista EOS.
Two vSwitch portgroup-related questions:
- Can you configure the same VLAN on two portgroups in the same vSwitch? How about vDS?
- Can VMs attached to two different portgroups in the same ESX host talk to each other directly or do they have to communicate through an external switch (or L3 device)?
Got your answers? Now click the Read more ... link.
I got a question along these lines from a friend working in an SP environment:
Customer wants to upgrade a 7200 with PA-A3-OC3SMI to ASR1001. Can they use ASR1001-2XOC3POS interfaces or are those different from “normal ATM interfaces”?
Both interfaces (PA-A3-OC3SMI for the 7200 and 2XOC3POS for the ASR1001) use SONET framing on layer 1, so you can connect them to the same SONET (layer-1) gear.
“New DMVPN features in IOS release 15.x” is obviously a topic without a broad audience ... although Cisco did introduce some nifty new things that can help you scale a large DMVPN network or make a DMVPN network more manageable.
A tweet from J Michel Metz alerted me to a “Why TRILL won't work for data center network architecture” article by Anjan Venkatramani, Juniper’s VP of Product Management. Most of the long article could be condensed into two short sentences my readers are very familiar with: bridging does not scale and TRILL does not solve the traffic trombone issues (hidden implication: QFabric will solve all your problems) ... but the author couldn’t resist throwing the “FCoE over TRILL” bone into the mix.
Got this question a few days ago:
I have a large DMVPN network (~ 1000 sites) using a variety of DSL, cable modem, and wireless connections. In all of these cases the bandwidth is extremely dissimilar and even varies with time. How can I handle this in a scalable way? Also, do you know of any product or facility that I can use to better measure the bandwidth from hub to spoke and better set the QoS values?
The last question is the easy part: one of the products that does that is NIL Monitor service where the remote probes can measure the actual end-to-end bandwidth. NIL Monitor software can also log into routers and change configurations if needed ... but what should you change?
Last week’s first session of the VMware Networking webinar (next session is in September; you can also buy a recording) went way better than I expected and so far it seems like I managed to make a single major blunder – Nexus 1000V supports class-based queuing in the latest software release. The webinar describes VMware-focused networking solutions from six different vendors (a few more are mentioned and I will probably add one or two in the September session) and I couldn’t possibly make it work without significant help from vendors’ experts.
Article of the week: “What OpenFlow is (and more importantly, what it’s not)” by Martin Casado, CTO of Nicira Networks and consulting professor at Stanford. It’s so refreshing to see someone deeply involved with OpenFlow having almost the same perspective as I do.
Another highly relevant article: “You’re solving the wrong problem”. Read it every time someone tells you to build layer-2 DC interconnects to support stretched clusters.
Some people are changing round wheels to heptagonal format because they will roll better. Some other people are building stretched high-availability clusters – clusters of servers stretched over multiple data centers. Unfortunately only one of these claims is false.
Similar to the stretched firewalls design, stretched tightly coupled HA clusters are vulnerable – you lose the inter-DC link for a long enough time (depending on how the cluster heartbeat is configured, a few seconds could be enough) and you have a total disaster on your hands.
Sometime around the Open Networking Foundation launch, Paul McNab, VP/CTO of the Data Center Switching and Services Group, supposedly said “[OpenFlow] would be built into the NX-OS operating system of high end Nexus switches.” A bit later, the story changed to “I prefer not to pre-announce.” As I wrote before, I don’t think Cisco’s first move will be to implement the OpenFlow API in NX7K and allow third parties to replace NX-OS and/or mess up the NX7K TCAM. So what could it be?
Nexus 1000V makes a lot of people unfamiliar with the virtualization intricacies mightily confused (more so as Cisco usually discusses it together with hardware-based switches like Nexus 5000 and Nexus 7000). These are the typical questions I get from my readers:
What exactly is the Nexus 1000V? It sits in the VMware host, but how do the servers connect into it? Is it a software connection spilled out into hardware at the 1000V egress? Do you somehow track what traffic belongs to each server and put policies against them like a normal switch would?
Nexus 1000V is a replacement for VMware’s distributed switch; it’s a software-only layer-2 switch sitting inside the VMware hypervisor kernel.
I got a long list of MPLS-related follow-up questions from one of the attendees of my Enterprise MPLS/VPN Deployment webinar (register for a live session or buy a recording) and thought it might be a good idea to share them (and the answers) with you.
You said that the golden rule in simple VPN topologies is RD = export RT = import RT. Are there any other “generic rules”? How would you set up this RD&RT association for a hub&spoke VPN scenario?
Common services VPN topologies could be implemented in two ways (on top of existing simple VPN topology):
When I started developing the VMware networking webinar (register here), I planned to cover VMware’s products (including vShield and vCloud Director) and Cisco’s Nexus 1000V, but then the early reviewers pointed out numerous other interesting products around vSphere:
- Firewalls: HP’s TippingPoint vController, Juniper’s vGW Virtual Gateway and Cisco’s Virtual Security Gateway;
- Access switch solutions: VM Tracer from Arista and HyperLink from Force10;
- Virtual appliances from F5, Vyatta and Zeus.
All of them are now described in the webinar (to be honest, the appliances got an honorable mention), as is Cisco’s Adapter FEX (VN-Tag), VM-FEX (VN-Link) and (to make it balanced) the EVB/VEPA standard.
A few years ago Cisco introduced an interesting concept to the data center networking: fabric extenders, devices acting like remote linecards of a central switch (Juniper’s “revolutionary” QFabric looks very similar from a distance; the only major difference seems to be local switching in the QF/Nodes). Cisco’s proprietary technology used in its FEX products became the basis for 802.1Qbh, an IEEE draft that is supposed to standardize the port extender architecture.
If you’re not familiar with the FEX products, read my “Port or Fabric Extenders?” article before continuing ... and disregard most of what it says about 802.1Qbh.
In a few minutes Jan Žorž, a true IPv6 evangelist, will open the Fifth Slovenian IP Summit. The event is focused on the World IPv6 Day and I decided to use a hypothetical case study: imagine your CIO just came back from an off-site social networking event where everyone got all hyped up about the World IPv6 Day.
Next thing you know, you’re in his office and he’s telling you the PR gurus have decided your organization simply has to participate in this revolutionary event. Assuming you haven’t invested in IPv6 yet, my presentation might serve as a short survival guide (hint: you have only 6 days left).
Three months after the QFabric launch, the details remain shrouded in mystical clouds, so let’s try to speculate what they could be hiding. We have two well-known facts:
- QFabric has three components: QF/Node (edge device), QF/Interconnect (high-speed core device) and QF/Director (the brains).
- Juniper is strong in the Service Provider technologies, including MPLS, MPLS/VPN, VPLS and BGP. It’s also touting its BGP MPLS-based MAC VPN technology (too long to write more than once, let’s call it BMMV).