The conflicted rise of software-defined networking

Some vendors crippled their SDN offerings to protect their hardware profits, but smarter providers are switching now

Software-defined networking (SDN) is becoming a huge deal. To many people, the term is opaque, almost to the point of being meaningless. After all, what part of anyone's network isn't software-dependent? Every firewall, router, and switch you run has software (firmware) to control it. But with SDN, the management and control planes aren't the only ones implemented in software -- the bulk of the data plane is as well.

Among the many ramifications, one stands out: With SDN, you're using commodity server hardware (typically on top of or within a virtualization hypervisor) to manage, control, and move your network's data. This is different from the pre-SDN approach of running management and control software on top of purpose-specific ASICs (specialty chips) that move the bits to and fro. With SDN, you can deploy entire new network components, configure them, and bring them into production without touching a screwdriver or a piece of sheet metal.

Early days for SDN

SDN is obviously popular in the context of server virtualization. In fact, the first SDN might have been VMware's vSwitch -- a simple way of isolating Layer 2 network segments within a virtualization host. Since then, SDN has grown to include virtualized firewalls, routers, fully functional switches, and intrusion detection and prevention systems (IDS/IPSs) -- essentially anything you deploy on your physical network, but run in software.

However, SDN is new, so many of the largest networking vendors are still trying to figure out what to do with it. Instead of porting the capabilities of their physical networking appliances into similarly featured virtual equivalents, some vendors -- Cisco Systems, in particular -- have taken the teeth out of the virtual versions of their Layer 3 products. This has left a wide opening for "full SDN" competitors -- and several are hastily crashing through.

Know your SDN types

You'll find a range of SDN types out there. The first pieces of SDN, and some of the most mature today, are Layer 2 virtual switches, such as VMware's Virtual Distributed Switch, Cisco's Nexus 1000V, and the open source Open vSwitch. These are all great pieces of software, and depending on your virtualization platform, budget, and design requirements, they can effectively replace an enormous stack of very expensive switching hardware, while offering substantially easier management.

However, these three great products do nothing at Layer 3. They are purely Layer 2 switches: they forward on MAC addresses and keep VLANs apart, but they never look at an IP header to make a forwarding decision. If you need to do routing, firewalling, VPNs, IDS, IPS, or anything else along those lines, you have to look elsewhere. As you'd expect, there are solutions for many of these tasks, but unfortunately a lot of fine print is often involved if you want to use them in the SDN context.
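To make the Layer 2 / Layer 3 split concrete, here is an added illustration (not code from the article, VMware, Cisco, or Open vSwitch) of what a virtual switch's software data plane actually does: it learns MAC addresses per VLAN, forwards known unicast to one port, floods everything else inside the ingress VLAN only, and never moves a frame between VLANs no matter what IP address is inside. The small RouterVM class stands in for the "look elsewhere" part: a VM with one vNIC in each VLAN that rewrites MAC addresses and re-emits the packet on the other segment. All port names, MACs, IPs and VLAN numbers are constructed for the example.

```python
"""
Toy software Layer 2 switch with VLAN isolation, plus the minimal Layer 3 hop it lacks.

Added illustration for this article; not code from any vendor's product.
Every port name, MAC, IP and VLAN below is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class Frame:
    src: str          # source MAC
    dst: str          # destination MAC
    pkt: Packet       # opaque to the switch; only the router looks inside


@dataclass
class SoftSwitch:
    """Learning switch: forwards on destination MAC, never on IP, never across VLANs."""
    port_vlan: Dict[str, int]                                      # access port -> VLAN
    fdb: Dict[Tuple[int, str], str] = field(default_factory=dict)  # (vlan, mac) -> port

    def forward(self, in_port: str, frame: Frame) -> List[str]:
        """Return the egress ports for a frame received on in_port."""
        vlan = self.port_vlan[in_port]
        self.fdb[(vlan, frame.src)] = in_port            # learn, scoped to this VLAN
        out = self.fdb.get((vlan, frame.dst))
        if frame.dst != BROADCAST and out is not None and out != in_port:
            return [out]                                 # known unicast
        # Broadcast or unknown unicast: flood, but only inside the ingress VLAN.
        return [p for p, v in self.port_vlan.items() if v == vlan and p != in_port]


@dataclass
class RouterVM:
    """The piece the vSwitch does not provide: a VM with one vNIC in each VLAN."""
    vnic: Dict[int, Tuple[str, str]]        # vlan -> (switch port, router MAC on that VLAN)
    hosts: Dict[str, Tuple[int, str]]       # dst IP -> (vlan, host MAC); static ARP table

    def route(self, frame: Frame) -> Optional[Tuple[str, Frame]]:
        """Rewrite MACs for the destination VLAN; returns (egress port, new frame)."""
        if frame.dst not in {mac for _, mac in self.vnic.values()}:
            return None                                  # not addressed to this router
        dst_vlan, dst_mac = self.hosts[frame.pkt.dst_ip]
        port, my_mac = self.vnic[dst_vlan]
        return port, Frame(src=my_mac, dst=dst_mac, pkt=frame.pkt)


def demo() -> Dict[str, List[str]]:
    """Walk a few frames through the switch and report where each one is delivered."""
    sw = SoftSwitch(port_vlan={"vnic-a": 10, "vnic-b": 10, "rtr-10": 10,
                               "vnic-c": 20, "rtr-20": 20})
    A, B, C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
    R10, R20 = "02:00:00:00:00:f1", "02:00:00:00:00:f2"
    ping_b = Packet("10.0.10.1", "10.0.10.2")
    ping_c = Packet("10.0.10.1", "10.0.20.3")
    results: Dict[str, List[str]] = {}

    # 1. A broadcasts (think ARP who-has B): flooded to VLAN 10 ports only; C never sees it.
    results["broadcast"] = sw.forward("vnic-a", Frame(A, BROADCAST, ping_b))
    # 2. B answers; A has been learned on vnic-a, so the reply goes to one port.
    results["reply"] = sw.forward("vnic-b", Frame(B, A, ping_b))
    # 3. A to B is now known unicast inside VLAN 10.
    results["unicast"] = sw.forward("vnic-a", Frame(A, B, ping_b))
    # 4. A addresses C's MAC directly. There is no entry for C in VLAN 10, so the
    #    frame is flooded in VLAN 10 and still never reaches vnic-c.
    results["cross_vlan_l2"] = sw.forward("vnic-a", Frame(A, C, ping_c))
    # 5. A sends the same packet to its gateway, the router's VLAN 10 vNIC. The
    #    router re-emits it on its VLAN 20 vNIC, and only then does C receive it.
    rtr = RouterVM(vnic={10: ("rtr-10", R10), 20: ("rtr-20", R20)},
                   hosts={"10.0.10.1": (10, A), "10.0.10.2": (10, B), "10.0.20.3": (20, C)})
    to_gw = Frame(A, R10, ping_c)
    results["to_gateway"] = sw.forward("vnic-a", to_gw)   # router MAC unknown yet: flooded
    port, rewritten = rtr.route(to_gw)
    results["from_gateway"] = sw.forward(port, rewritten)  # flooded in VLAN 20: reaches C
    return results


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name:14s} -> {ports}")
```

Run it and compare steps 4 and 5: the same IP packet from A to C is dropped on the floor by the switch when A tries to reach C's MAC directly, and only crosses segments once a Layer 3 device with a foot in both VLANs handles it. That device is exactly what the products above leave for you to supply.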

For example, Cisco makes two security products that build on the Nexus 1000V virtual switch: the ASA 1000V Cloud Firewall and the Virtual Security Gateway (VSG). The ASA 1000V is a virtualized version of Cisco's hardware-based ASA 5500-series firewalls that can provide tenant-edge (north-south) security. VSG is a network security engine that uses VMware's vShield APIs to provide VM-to-VM-level internal security (east-west).
