Apstra’s Intent – What Do They Mean?

Disclaimer: I recently attended VMworld 2019 – US.  My flights and accommodation were paid for by Digital Sense, and VMware provided me with a free pass to the conference and various bits of swag. There is no requirement for me to blog about any of the content presented and I am not compensated by VMware for my time at the event.  Some materials presented were discussed under NDA and don’t form part of my blog posts, but could influence future discussions.

As part of my attendance at VMworld US 2019 I had the opportunity to attend Tech Field Day Extra sessions. You can view the videos from the Apstra session here, and download my rough notes from here.

 

More Than Meets The Eye

A lot of people like to talk about how organisations need to undertake “digital transformation”. One of the keys to success with this kind of transformation is infrastructure transformation. The idea is that, if you’re doing it right, you can improve:

  • Business agility;
  • Application reliability; and
  • Cost control.

Apstra noted that “a lot of organisations start with choosing their hardware and all other choices are derived from that choice, including the software”. As a result of this, you’re constrained by the software you’ve bought from that vendor. The idea is you need to focus on business-oriented outcomes, which are then used to determine the technical direction you’ll need to take to achieve those outcomes.

But even if you’ve managed to get yourself a platform that helps you achieve the outcomes you’re after, if you don’t have an appropriate amount of automation and visibility in your environment, you’re going to struggle with deployments being slowed down. You’ll likely also find that a lack of efficient automation leads to:

  • Physical and logical topologies that are decoupled but dependent;
  • Error-prone deployments; and
  • No end to end validation.

When you’re in that situation, you’ll invariably find that you’ll struggle with reduced operational agility and a lack of visibility. This makes it hard to troubleshoot issues in the field, and people generally feel sad (I imagine).

 

Intent, Is That What You Mean?

So how can Apstra help? Will they magically make everything work the way you want it to? Not necessarily. There are a bunch of cool features available within the Apstra solution, but you need to do some work up front to understand what you’re trying to achieve in the first place. But once you have the framework in place, you can do some neat stuff, using AOS to accelerate initial and day 2 fabric configuration. You can, for example, deploy new racks and L2 / L3 fabric VLANs at scale in a few clicks:

  • Streamline new rack design and deployment;
  • Automate fabric VLAN deployment;
  • Closed-loop validation (endpoint configuration, EVPN route expectations); and
  • Include jumbo frame configuration for overlay networks.

The idea behind intent-based networking (IBN) is fairly straightforward:

  • Collect intent;
  • Expose intent;
  • Validate; and
  • Remediate.
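To make that loop a bit more concrete, here’s a small Python sketch of it. This is an added illustration, not Apstra’s code or the AOS data model: the rack names, VLAN IDs, MTU value and “telemetry” are all made up, and the point is the shape of the loop (declare intent, render it into an expected state, diff that against what you observe, and only auto-remediate towards the declared intent).

```python
"""Toy intent-based networking loop: collect intent, expose it as an expected
state, validate against observed telemetry, and produce remediation actions.

Added example. It models the collect/expose/validate/remediate loop described
above, not Apstra's AOS API or data model. Racks, VLANs and telemetry are
constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Intent:
    """Business-level intent: which racks exist, which fabric VLANs each rack
    must carry, and the fabric MTU. Everything else is derived from this."""
    racks: tuple[str, ...]
    vlans: tuple[int, ...]
    mtu: int = 9000  # jumbo frames for overlay traffic


def expected_state(intent: Intent) -> dict[str, dict]:
    """'Expose intent': render the declarative intent into the concrete
    per-rack state we expect to observe (VLANs, MTU, EVPN route presence)."""
    return {
        rack: {
            "vlans": set(intent.vlans),
            "mtu": intent.mtu,
            # one EVPN route expectation per VLAN per rack (constructed naming)
            "evpn_routes": {f"vni{vlan}@{rack}" for vlan in intent.vlans},
        }
        for rack in intent.racks
    }


def validate(expected: dict, observed: dict) -> list[dict]:
    """Diff expected against observed telemetry and return findings. Extras are
    reported too: a VLAN or rack nobody declared is drift, and drift is where
    misconfiguration and out-of-band change hide."""
    findings = []
    for rack, want in expected.items():
        have = observed.get(rack)
        if have is None:
            findings.append({"rack": rack, "issue": "rack-missing"})
            continue
        for vlan in sorted(want["vlans"] - have.get("vlans", set())):
            findings.append({"rack": rack, "issue": "vlan-missing", "vlan": vlan})
        for vlan in sorted(have.get("vlans", set()) - want["vlans"]):
            findings.append({"rack": rack, "issue": "vlan-unexpected", "vlan": vlan})
        if have.get("mtu") != want["mtu"]:
            findings.append({"rack": rack, "issue": "mtu-mismatch", "mtu": have.get("mtu")})
        for route in sorted(want["evpn_routes"] - have.get("evpn_routes", set())):
            findings.append({"rack": rack, "issue": "evpn-route-missing", "route": route})
    for rack in sorted(set(observed) - set(expected)):
        findings.append({"rack": rack, "issue": "rack-unexpected"})
    return findings


def remediate(findings: list[dict]) -> list[str]:
    """Turn findings into actions. Only changes that restore the declared intent
    are generated automatically; anything unexpected is escalated rather than
    silently removed, because deleting a VLAN someone added out of band is an
    operational decision, not a config push."""
    actions = []
    for f in findings:
        if f["issue"] == "vlan-missing":
            actions.append(f"push vlan {f['vlan']} to {f['rack']}")
        elif f["issue"] == "mtu-mismatch":
            actions.append(f"set mtu 9000 on {f['rack']} fabric links")
        elif f["issue"] == "evpn-route-missing":
            actions.append(f"check EVPN session on {f['rack']} for {f['route']}")
        else:
            actions.append(f"ESCALATE {f['issue']} on {f['rack']}")
    return actions


# Constructed intent and telemetry: rack2 is missing VLAN 20 and runs a
# non-jumbo MTU; rack3 carries a VLAN nobody declared.
INTENT = Intent(racks=("rack1", "rack2", "rack3"), vlans=(10, 20))
OBSERVED = {
    "rack1": {"vlans": {10, 20}, "mtu": 9000,
              "evpn_routes": {"vni10@rack1", "vni20@rack1"}},
    "rack2": {"vlans": {10}, "mtu": 1500,
              "evpn_routes": {"vni10@rack2"}},
    "rack3": {"vlans": {10, 20, 99}, "mtu": 9000,
              "evpn_routes": {"vni10@rack3", "vni20@rack3"}},
}


def run_loop(intent: Intent = INTENT, observed: dict = OBSERVED) -> list[str]:
    """One pass of the closed loop; returns the remediation plan."""
    return remediate(validate(expected_state(intent), observed))


if __name__ == "__main__":
    for action in run_loop():
        print(action)
```

The bit worth noticing is the asymmetry in `remediate`: missing pieces of the intent get pushed automatically, but anything present that the intent never asked for is escalated, not deleted. That is the difference between a system that keeps you at the declared state and one that quietly undoes whatever someone did at the console last night.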

You can read a little more about IBN here, and a white paper on intent-based DCs can be found here.

 

Thoughts

I don’t deal with complicated network deployments on a daily basis, but I do know some people who play that role on TV. Apstra delivered a really interesting session that had me thinking about the effectiveness of software solutions to control infrastructure architecture at scale. There’s been a lot of talk during conference keynotes about the importance of digital transformation in the enterprise and how we all need to be leveraging software-defined widgets to make our lives better. I’m all for widgets making life easier, but they’re only going to be able to do that when you’ve done a bit of work to understand what it is you’re trying to do with all of this technology. The thing that struck me about Apstra is that they seem to understand that, while they’re selling some magic software, it’s not going to be any good to you if you haven’t done some work to prepare yourself for it.

I rabbit on a lot about how technology organisations struggle to understand what “the business” is trying to achieve. This isn’t a one-way problem either, and the business frequently struggles with the idea that technology seems to be a constant drain on an organisation’s finances without necessarily adding value to the business. In most cases though, technology is doing some really cool stuff in the background to make businesses run better, and more efficiently. Apstra is a good example of using technology to deliver reliable services to the business. Whether you’re an enterprise networker, or toiling away at a cloud service provider, I recommend checking out how Apstra can make things easier when it comes to keeping your network under control.

Ixia Helps You See All The Stuff You Need To See

Disclaimer: I recently attended Tech Field Day 19.  My flights, accommodation and other expenses were paid for by Tech Field Day. There is no requirement for me to blog about any of the content presented and I am not compensated in any way for my time at the event.  Some materials presented were discussed under NDA and don’t form part of my blog posts, but could influence future discussions.

Ixia recently presented at Tech Field Day 19. You can see videos of their presentation here, and download my rough notes from here.

 

Overview

Recep Ozdag, VP of Product Management at Ixia, presented first on Ixia’s company overview and history. Here’s a bad photo of Recep.

Ixia was acquired by Keysight in 2017, and Keysight itself has been around for an awfully long time under various names:

  • 1939 – 1998 – the HP years
  • 1999 – 2013 – The Agilent Technologies years
  • 2014 – Keysight Technologies launched

In February 2019, they launched the Vision E1S with Hawkeye, and in June 2019 the Vision X was announced.

 

Ixia Visibility Solutions

So Ixia specialise in “network visibility”, but why is that important? What’s the real thing you need to know about on your network? Is it performance? That’s important, sure. But the really big thing that keeps network folks awake at night is security. It’s constantly changing and there’s always a lot of ground to cover. To wit, you have:

  • BYOD – uncontrolled devices on the network;
  • Encryption – hidden traffic means hidden threats;
  • IoT – billions more endpoints to protect; and
  • Cloud – secure data on or off-premises.

According to Ixia, every day there are approximately 5 million IoT devices being connected to networks. Some of these cheap security cameras are even sitting on shelves pre-installed with malware. Happy days! With better visibility you have the opportunity to enhance your existing investments. Within a bank, for example, there are 15 different tools doing stuff and they all want to see a different piece of the data.

So how does Ixia help to improve visibility inside your network? Network packet brokers.

[image courtesy of Ixia]

And what can these things do? All kinds of cool stuff, including “Context Aware” Data Processing:

  • Deduplication
  • Packet trimming
  • Adaptive packet filtering
  • Data masking
  • GRE tunnel termination
  • SSL decryption
  • Geo location
  • Netlog generation

 

The Struggle Is Real

As I mentioned before, securing your network can be a challenge, and every day things are changing and new threats are popping up. Keeping up with all of this stuff is a struggle. You’re looking at challenges with:

  • DDoS
  • SSL and IPsec
  • Data leakage
  • Advanced persistent threats
  • Malware and vulnerabilities
  • BYOD

Enter the Vision X

The Vision X is a network packet broker delivered via a modular platform. You can make it do anything you want it to do today, and add functionality as it’s developed.

High-density

  • 2 Terabits/sec per unit
  • 60 ports of 200Gb
  • 108 ports of 50Gb
  • 76 ports of 40Gb
  • 108 ports of 10Gb
  • 108 ports of 25 Gb

High availability

  • 5 redundant and hot swap fans
  • 4 redundant and hot swap power supplies
  • 6.4TB per second switching capacity
  • 2Tb per second of PacketStack
  • NEBS 3 certification
  • Out of band and inline

PacketStack – intelligent packet filtering, manipulation and transport

  • Deduplication
  • Data masking
  • Time-stamping
  • Protocol trimming
  • Header stripping
  • GRE tunneling

NetStack – robust filtering, aggregation, replication, and more

  • Three stages of filtering
  • Dynamic filter compiler
  • Aggregation
  • Replication
  • Load balancing
  • VLAN tagging
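To give a feel for what the “context aware” processing listed earlier (deduplication, adaptive filtering, data masking, packet trimming) and the PacketStack / NetStack stages actually do to a packet on its way to a tool, here’s a toy broker pipeline in Python. This is an added example and not Ixia’s code; it makes no claim about how Vision X implements any of these stages. The packets, taps, tool names and card number are all constructed (the card number is the standard Luhn-valid test number).

```python
"""Toy network packet broker pipeline: dedup -> per-tool filter -> mask -> trim.

Added example illustrating the "context aware" processing and the
PacketStack/NetStack stages discussed above. Not Ixia's code; packets, taps,
tool names and the test card number are constructed.
"""
import hashlib
import re
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    ts: float        # capture timestamp in seconds
    tap: str         # which tap or SPAN port delivered this copy
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    payload: bytes


DEDUP_WINDOW = 0.5   # seconds: the same packet seen again inside this is a duplicate
TRIM_TO = 16         # bytes of payload kept for tools that only need the start
PAN_RE = re.compile(rb"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so only real-looking card numbers get masked,
    not every 16-digit order number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pans(payload: bytes) -> bytes:
    """Replace all but the last four digits of Luhn-valid card numbers with '*'."""
    def _mask(m: "re.Match[bytes]") -> bytes:
        raw = m.group(0)
        digits = re.sub(rb"[^0-9]", b"", raw).decode()
        if not luhn_ok(digits):
            return raw                      # not a card number: leave it readable
        keep_from = len(digits) - 4
        out, seen = bytearray(), 0
        for b in raw:
            if 48 <= b <= 57:               # ASCII digit
                out.append(b if seen >= keep_from else ord("*"))
                seen += 1
            else:
                out.append(b)               # separators are kept as-is
        return bytes(out)
    return PAN_RE.sub(_mask, payload)


def packet_key(p: Packet) -> str:
    """Identity of a packet independent of which tap delivered it."""
    h = hashlib.sha256(f"{p.src}|{p.dst}|{p.proto}|{p.dport}|".encode())
    h.update(p.payload)
    return h.hexdigest()


def deduplicate(packets: List[Packet], window: float = DEDUP_WINDOW) -> List[Packet]:
    """Drop copies of the same packet seen from multiple taps within the window."""
    last_seen: Dict[str, float] = {}
    kept = []
    for p in sorted(packets, key=lambda q: q.ts):
        k = packet_key(p)
        if k in last_seen and p.ts - last_seen[k] <= window:
            continue
        last_seen[k] = p.ts
        kept.append(p)
    return kept


def distribute(packets: List[Packet], tools: Dict[str, dict]) -> Dict[str, List[Packet]]:
    """Fan-out: each tool gets the packets its filter matches. Masking runs
    before trimming so a tool never receives a PAN that a later trim would
    only have hidden by accident."""
    out: Dict[str, List[Packet]] = {name: [] for name in tools}
    for p in deduplicate(packets):
        for name, spec in tools.items():
            if not spec["filter"](p):
                continue
            q = p
            if spec.get("mask", True):
                q = replace(q, payload=mask_pans(q.payload))
            if spec.get("trim", False):
                q = replace(q, payload=q.payload[:TRIM_TO])
            out[name].append(q)
    return out


# Constructed traffic: the first packet arrives twice (two taps), then a DNS
# query, then a request carrying a 16-digit order id that is not a card number.
PACKETS = [
    Packet(0.00, "core-a", "10.0.0.5", "10.0.1.9", "tcp", 443, b"GET /pay?card=4111111111111111 HTTP/1.1"),
    Packet(0.01, "core-b", "10.0.0.5", "10.0.1.9", "tcp", 443, b"GET /pay?card=4111111111111111 HTTP/1.1"),
    Packet(0.02, "core-a", "10.0.0.5", "10.0.0.53", "udp", 53, b"dns query example.com"),
    Packet(0.03, "core-a", "10.0.0.7", "10.0.1.9", "tcp", 443, b"POST /order id=1234567890123456 HTTP/1.1"),
]

# Constructed tool definitions (hypothetical names, not Ixia products).
TOOLS = {
    "ids": {"filter": lambda p: p.proto == "tcp"},
    "dns-monitor": {"filter": lambda p: p.proto == "udp" and p.dport == 53},
    "flow-collector": {"filter": lambda p: True, "trim": True},
}

if __name__ == "__main__":
    for tool, pkts in distribute(PACKETS, TOOLS).items():
        print(tool, [p.payload for p in pkts])
```

The ordering in `distribute` is the practical point: decrypt (not modelled here), then mask, then trim, then replicate to tools. Do it the other way round and the trim can cut a card number in half so the masker never recognises it, and the untrimmed copy going to another tool still carries the full PAN.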

But The Edge!

Ixia also have the Vision E1S (the E stands for Edge). As Ixia pointed out during their presentation, a lot of customer data doesn’t always traverse to the cloud or DC – it stays local. “If you want to monitor something – you monitor where the data is”.

 

Thoughts And Further Reading

One of my favourite things about attending Tech Field Day events is that I hear from companies that I don’t deal with on a daily basis. As anyone who’s worked with me can attest, my networking chops aren’t great at all. So hearing about things like network packet brokers has been really interesting.

One of the biggest challenges in both enterprise and service provider environments is visibility into what’s happening at various levels of infrastructure – be it storage, compute, network or application. Tools like the ones offered by Ixia seem to do a pretty comprehensive job of ensuring that visibility is not the reason that you don’t know what’s going on in your network. I was intrigued by the security theme of the presentation, and I agree wholeheartedly that security concerns should be at the forefront of everything we do from an infrastructure perspective. Managing your critical infrastructure isn’t just knowing about what’s happening in your environment, but also being able to keep up with threats as they arise. Network packet brokers don’t automagically make your environment more secure, nor do they increase your security posture as new threats arise. That said, the kind of visibility you’ll get with these kinds of solutions takes away the concern that you can’t see what’s going on.

Monitoring and visibility solutions come in all shapes and sizes, and they can make a system administrator’s life a lot simpler or add to the noise in the environment. Given that almost all infrastructure depends on network connectivity at some point, and network connectivity can have such a big impact on the end user’s ability to do what they need to do to engage in their core business activities, it makes a lot of sense to look at solutions like network packet brokers to get a deeper understanding of what’s going on in any particular environment.

Ixia’s range of products seems to do a pretty good job of covering both the core DC and edge workload requirements (along with cloud), and coupled with their rich history in network visibility, they’re delivering a good story when it comes to improving visibility within your environment. If you’re struggling to understand what your East-West traffic looks like, or what your applications are doing, or if someone’s been silly and plonked a malware-ridden security camera in their office, you’d do well to check out what Ixia has to offer. For another view, check out Wes’s take on Ixia’s portfolio here.

Kemp Keeps ECS Balanced

Disclaimer: I recently attended Dell Technologies World 2019.  My flights, accommodation and conference pass were paid for by Dell Technologies via the Media, Analysts and Influencers program. There is no requirement for me to blog about any of the content presented and I am not compensated in any way for my time at the event.  Some materials presented were discussed under NDA and don’t form part of my blog posts, but could influence future discussions.

As part of my attendance at Dell Technologies World 2019 I had the opportunity to attend Tech Field Day Extra sessions. You can view the videos from the Kemp session here, and download my rough notes from here.

 

Kemp Overview

Established in the early 2000s, Kemp has 25,000+ customers globally, with 60,000+ app deployments in over 115 countries. Their main focus is an ADC (Application Delivery Controller) that you can think of as a “fancy load balancer”. Here’s a photo of Frank Yue telling us more about that.

Application Delivery – Why?

  • Availability – transparent failover when application resources fail
  • Scalability – easily add and remove application resources to meet changing demands
  • Security – authenticate users and protect applications against attack
  • Performance – offload security processing and content optimisation to Load Balancer
  • Control – visibility on application resource availability, health and performance

Product Overview

Kemp offer a

LoadMaster – scalable, secure apps

  • Load balancing
  • Traffic optimisation 
  • Security

There are a few different flavours of the LoadMaster, including cloud-native, virtual, and hardware-based.

360 Central – control, visibility

  • Management
  • Automation
  • Provisioning

360 Vision – Shorter MTTD / MTTR

  • Predictive analytics
  • Automated incident response
  • Observability

Yue made the point that “[l]oad balancing is not networking. And it’s not servers either. It’s somehow in between”. Kemp look to “[d]eal with the application from the networking perspective”.

 

Dell EMC ECS

So what’s Dell EMC ECS then? ECS stands for “Elastic Cloud Storage”, and it’s Dell EMC’s software-defined object storage offering. If you’re unfamiliar with it, here are a few points to note:

  • Objects are bundled data with metadata;
  • The object storage application manages the storage;
  • No real file system is needed;
  • Easily scale by just adding disks;
  • Delivers a low TCO.

It’s accessible via API and supports the following access protocols:

  • S3
  • Atmos
  • Swift
  • NFS

 

Kemp / Dell EMC ECS Solution

So how does a load balancing solution from Kemp help? One of the ideas behind object storage is that you can lower primary storage costs. You can also use it to accelerate cloud native apps. Kemp helps with your ECS deployment by:

  • Maximising value from infrastructure investment
  • Improving service availability and resilience
  • Enabling cloud storage scalability for next generation apps

Load Balancing Use Cases for ECS

High Availability

  • ECS Node redundancy in the event of failure
  • A load balancer is required to allow for automatic failover and even distribution of traffic

Global Balancing

[image courtesy of Kemp]

  • Multiple clusters across different DCs
  • Global Server Load Balancing provides distribution of connections across these clusters based on proximity

Security

  • Offloading encryption from the Dell EMC ECS nodes to Kemp LoadMaster can greatly increase performance and simplify the management of transport layer security certificates. Keep in mind that once TLS terminates on the LoadMaster, the hop from the LoadMaster to the ECS nodes is plaintext unless you re-encrypt it, so decide deliberately whether that leg of the network is one you trust.
  • IPv6 to IPv4 – Dell EMC ECS does not support IPv6 natively, so Kemp provides the translation to IPv4
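The high availability and security bullets above boil down to three things a front-end for an object store has to get right: notice when a node is dead, keep spreading traffic over the ones that aren’t, and be explicit about what happens to TLS on the back-end leg. Here’s a toy balancer in Python that shows those three mechanics. It’s an added example, not Kemp LoadMaster or Dell EMC ECS code, and it assumes nothing about either product’s configuration syntax; the node names and probe results are constructed.

```python
"""Toy load balancer for an object-store cluster: active health checks with a
failure threshold, round-robin over healthy nodes, automatic failover, and an
explicit TLS-offload / re-encrypt policy for the back-end hop.

Added example; not Kemp or Dell EMC code. Node names are constructed and the
probe is simulated rather than a real HTTP/S3 health check.
"""
from typing import Callable, Dict, List


class NoHealthyBackend(Exception):
    pass


class Balancer:
    def __init__(self, nodes: List[str], probe: Callable[[str], bool],
                 tls_offload: bool = True, reencrypt: bool = True,
                 fail_threshold: int = 2):
        self.nodes = nodes
        self.probe = probe                  # returns True if the node answers
        self.tls_offload = tls_offload
        self.reencrypt = reencrypt
        self.fail_threshold = fail_threshold
        self.failures: Dict[str, int] = {n: 0 for n in nodes}
        self._rr = 0

    def health_check(self) -> Dict[str, bool]:
        """One probe round. A node is ejected after `fail_threshold` consecutive
        failures and readmitted on a single success, which avoids flapping the
        pool on one dropped probe."""
        status = {}
        for n in self.nodes:
            if self.probe(n):
                self.failures[n] = 0
            else:
                self.failures[n] += 1
            status[n] = self.failures[n] < self.fail_threshold
        return status

    def healthy(self) -> List[str]:
        return [n for n in self.nodes if self.failures[n] < self.fail_threshold]

    def backend_scheme(self) -> str:
        """With TLS offload the client session ends on the balancer; the hop to
        the node is plaintext unless re-encryption is on. Make that explicit."""
        if not self.tls_offload:
            return "https-passthrough"
        return "https" if self.reencrypt else "http"

    def route(self, request_path: str) -> str:
        """Pick the next healthy node round-robin and return the back-end URL."""
        pool = self.healthy()
        if not pool:
            raise NoHealthyBackend("all nodes failed health checks")
        node = pool[self._rr % len(pool)]
        self._rr += 1
        return f"{self.backend_scheme()}://{node}{request_path}"


# Constructed cluster state; the probe reads it so the simulation can kill a node.
NODE_UP = {"ecs1": True, "ecs2": True, "ecs3": True}


def simulate() -> List[str]:
    """Route a few requests, take ecs2 down, and show traffic failing over."""
    lb = Balancer(["ecs1", "ecs2", "ecs3"], probe=lambda n: NODE_UP[n])
    lb.health_check()
    routed = [lb.route("/bucket/obj") for _ in range(3)]
    NODE_UP["ecs2"] = False
    lb.health_check()                       # first miss: ecs2 still in the pool
    lb.health_check()                       # second miss: ecs2 ejected
    routed += [lb.route("/bucket/obj") for _ in range(2)]
    NODE_UP["ecs2"] = True                  # reset shared state for repeat runs
    return routed


if __name__ == "__main__":
    for target in simulate():
        print(target)
```

`backend_scheme` is deliberately a separate, named decision rather than a default: `reencrypt=False` is the fast configuration, and it is also the one where every object request crosses the DC network in the clear.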

 

Thoughts and Further Reading

The first thing that most people ask when seeing this solution is “Won’t the enterprise IT organisation already have a load-balancing solution in place? Why would they go to Kemp to help with their ECS deployment?”. It’s a valid point, but the value here is more that Dell EMC are recommending that customers use the Kemp solution over the built-in load balancer provided with ECS. I’ve witnessed plenty of (potentially frustrating) situations where enterprises deploy multiple load balancing solutions depending on the application requirements or where the project funding was coming from. Remember that things don’t always make sense when it comes to enterprise IT. But putting those issues aside, there are likely plenty of shops looking to deploy ECS in a resilient fashion that haven’t yet had the requirement to deploy a load balancer, and ECS is that first requirement. Kemp are clearly quite good at what they do, and have been in the load balancing game for a while now. The good news is if you adopt their solution for your ECS environment, you can look to leverage their other offerings to provide additional load balancing capabilities for other applications that might require it.

You can read the deployment guide from Dell EMC here, and check out Adam’s preparation post on Kemp here for more background information.

Google WiFi – A Few Notes

Like a lot of people who work in IT as their day job, the IT situation at my house is a bit of a mess. I think the real reason for this is because, once the working day is done, I don’t want to put any thought into doing this kind of stuff. As a result, like a lot of tech folk, I have way more devices and blinking lights in my house than I really need. And I’m always sure to pile on a good helping of technical debt any time I make any changes at home. It wouldn’t be any fun without random issues to deal with from time to time.

Some Background – Apple Airport

I’ve been running an Apple Airport Extreme and a number of Airport Express devices in my house for a while in a mesh network configuration. Our house is 2 storeys and it was too hard to wire up properly with Ethernet after we bought it. I liked the Apple devices primarily because of the easy to use interface (via browser or phone), and Airplay, in my mind at least, was a killer feature. So I’ve stuck with these things for some time, despite the frequent flakiness I experienced with the mesh network (I’d often end up connected to an isolated access point with no network access – a reboot of the base station seemed to fix this) and the sometimes frustrating lack of visibility into what was going on in the network. 

Enter Google Wifi

I had some Frequent Flier points available that meant I could get a 3-pack of Google access points for under $200 AU (I think that’s about $15 in US currency). I’d already put up the Christmas tree, so I figured I could waste a few hours on re-doing the home network. I’m not going to do a full review of the Google Wifi solution, but if you’re interested in that kind of thing, Josh Odgers does a great job of that here. In short, it took me about an hour to place the three access points in the house and get everything connected. I have about 30 – 40 devices running, some of which are hardwired to a switch connected to my ISP’s NBN gateway, and most of which connect wirelessly. 

So What’s The Problem?

The problem was that I’d kind of just jammed the primary Google Wifi point into the network (attached to a dumb switch downstream of the modem). As a result, everything connecting wirelessly via the Google network had an IP range of 192.168.86.x, and all of my other devices were in the existing 10.x.x.x range. This wasn’t a massive problem, as the Google solution does a great job of routing stuff between the “wan” and “lan” subnets, but I started to notice that my pi-hole device wasn’t picking up hostnames properly, and some devices were getting confused about which DNS to use. Oh, and my port mapping for Plex was a bit messed up too. I also had wired devices (i.e. my desktop machine) that couldn’t see Airplay devices on the wireless network without turning on Wifi.

The Solution?

After a lot of Googling, I found part of the solution via this Reddit thread. Basically, what I needed to do was follow a more structured topology, with my primary Google device hanging off my ISP’s switch (and connected via the “wan” port on the Google Wifi device). I then connected the “lan” port on the Google device to my downstream switch (the one with the pi-hole, NAS devices, and other stuff connected to it). 

Now the pi-hole could play nicely on the network, and I could point my devices to it as the DNS server via the Google interface. I also added a few more reservations into my existing list of hostnames on the pi-hole (instructions here) so that it could correctly identify any non-DHCP clients. I also changed the DHCP range on the Google Wifi to a single IP address (the one used by the pi-hole) and made sure that there was a reservation set for the pi-hole on the Google side of things. The reason for this (I think) is that you can’t disable DHCP on the Google Wifi device. To solve the Plex port mapping issue, I set a manual port mapping on my ISP modem and pointed it to the static IP address of the primary Google Wifi device. I then created a port mapping on the Google side of things to point to my Plex Media Server. It took a little while, but eventually everything started to work. 
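That topology has a few invariants that are easy to break on the next tinker: the mesh router’s DHCP pool has to be exactly the pi-hole’s address with a matching reservation, the DNS handed out has to be the pi-hole, and a port forward has to be chained correctly through both NAT hops. Here’s a small Python check that encodes them. It’s an added example, not part of the original post and not Google Wifi or pi-hole configuration syntax; the addresses and the config dictionaries are constructed stand-ins for what each device’s UI shows.

```python
"""Sanity checks for a double-NAT home network: ISP gateway in front of a mesh
router whose DHCP can't be disabled, a pi-hole that should be the only real
DHCP/DNS server, and a port forward chained through both NAT hops.

Added example; not Google Wifi or pi-hole code. Addresses (RFC 1918) and the
config dicts are constructed to mirror the topology described in the post.
"""
import ipaddress

ISP_GATEWAY = {
    "lan": "192.168.0.0/24",
    "forwards": [{"ext_port": 32400, "to": "192.168.0.2", "to_port": 32400}],
}
MESH_ROUTER = {
    "wan_ip": "192.168.0.2",                      # static on the ISP gateway's LAN
    "lan": "192.168.86.0/24",
    "dhcp_pool": ("192.168.86.10", "192.168.86.10"),   # shrunk to a single address
    "reservations": {"aa:bb:cc:dd:ee:01": "192.168.86.10"},  # the pi-hole
    "dns": "192.168.86.10",
    "forwards": [{"ext_port": 32400, "to": "192.168.86.20", "to_port": 32400}],
}
PIHOLE = {"mac": "aa:bb:cc:dd:ee:01", "ip": "192.168.86.10"}
PLEX_IP = "192.168.86.20"


def check_dhcp_scope(router: dict, pihole: dict) -> list:
    """The mesh router's pool may only ever hand out the pi-hole's own address,
    and that address must be reserved to the pi-hole's MAC. Otherwise a second
    DHCP server races the pi-hole and clients end up with the wrong DNS."""
    problems = []
    lo, hi = (ipaddress.ip_address(a) for a in router["dhcp_pool"])
    size = int(hi) - int(lo) + 1
    if size != 1 or lo != ipaddress.ip_address(pihole["ip"]):
        problems.append(f"mesh DHCP pool {lo}-{hi} must be exactly the pi-hole address {pihole['ip']}")
    if router["reservations"].get(pihole["mac"]) != pihole["ip"]:
        problems.append("pi-hole has no DHCP reservation on the mesh router")
    if router["dns"] != pihole["ip"]:
        problems.append(f"mesh router hands out DNS {router['dns']} instead of the pi-hole")
    if ipaddress.ip_address(pihole["ip"]) not in ipaddress.ip_network(router["lan"]):
        problems.append("pi-hole is not on the mesh router's LAN")
    return problems


def check_forward_chain(gateway: dict, router: dict, target_ip: str, port: int) -> list:
    """Follow a port forward through both NAT hops: gateway -> mesh WAN IP ->
    final host. Each hop must point at the next on the same port, and the final
    host must actually be on the mesh router's LAN."""
    problems = []
    if ipaddress.ip_address(router["wan_ip"]) not in ipaddress.ip_network(gateway["lan"]):
        problems.append("mesh router WAN address is not on the gateway LAN")
    hop1 = [f for f in gateway["forwards"] if f["ext_port"] == port]
    if not hop1:
        return problems + [f"gateway has no forward for {port}"]
    if hop1[0]["to"] != router["wan_ip"]:
        problems.append(f"gateway forwards {port} to {hop1[0]['to']}, not the mesh WAN ip {router['wan_ip']}")
    hop2 = [f for f in router["forwards"] if f["ext_port"] == hop1[0]["to_port"]]
    if not hop2:
        return problems + [f"mesh router has no forward for {hop1[0]['to_port']}"]
    if hop2[0]["to"] != target_ip:
        problems.append(f"mesh router forwards {hop1[0]['to_port']} to {hop2[0]['to']}, not {target_ip}")
    if ipaddress.ip_address(target_ip) not in ipaddress.ip_network(router["lan"]):
        problems.append(f"{target_ip} is not on the mesh router's LAN")
    return problems


def validate(gateway: dict = ISP_GATEWAY, router: dict = MESH_ROUTER,
             pihole: dict = PIHOLE, plex_ip: str = PLEX_IP) -> list:
    """Run every check and return the list of problems (empty means clean)."""
    return check_dhcp_scope(router, pihole) + check_forward_chain(gateway, router, plex_ip, 32400)


if __name__ == "__main__":
    print(validate() or "topology looks consistent")
```

The forward-chain check is the one I’d actually keep around: every hop in a double-NAT forward is a place where an address can silently go stale after a reboot or a re-pair, and an exposed port that lands on the wrong internal host is worse than one that lands nowhere.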

It’s also worth noting that I was able to reconfigure the Airport Express devices connected to speakers to join the new Wifi network and I can still use Airplay around the house as I did before.

Conclusion 

This seems like a lot of mucking about for what is meant to be a plug and play wireless solution. In Google’s defence though, my home network topology is a bit more fiddly than the average punter’s would be. If I wasn’t so in love with pi-hole, and didn’t have devices that I wanted to use static IP addresses and DNS, then I wouldn’t have had as many problems as I did with the setup. From a performance and usability standpoint, I think the Google solution is excellent. Of course, this might all go to hell in a hand basket when I ramp up IPv6 in the house, but for now it’s been working well. Couple that with the fact that my networking skills are pretty subpar, and we should all just be happy I was able to post this article on the Internet from my house.

Router Research – Kickstarter

I’m not a tech journalist, nor am I a product reviewer. And if you’ve seen my network at home you’ll know I’m not much of a network guy either. So I have no idea what makes for decent home gear, but I thought this project by Router Research on Kickstarter looked pretty cool. Unfortunately it doesn’t look like they’ll get the funding they’re after, so I have NFI what happens next. If nothing else, I like the concept.