Network Management

02 October 2008

Cisco and the vSwitch - the Sergio Leone Treatment

Good post by Alan Murphy.  Worth a full read, particularly his take on "the good", "the possibly great, possibly not", and "the terrible."  His call for an enterprise-class virtual switch certainly resonates with me.

Cisco, VMworld, & the vSwitch: Half Good, Half "Run Away From Converged Switches!" | The Virtual Data Center
So my recommendation to Cisco would be: Stick with what you do really well, L2-L4 IP networking, and let the people that do storage networking well do storage networking. By all means extend that L2-L4 knowledge and expertise into the virtual platform arena by working with VMware on building a usable and robust vSwitch, but stop there. We need a virtual data center platform that includes an enterprise-class virtual switch. But on storage…there’s already going to be a push towards storage VM appliances in the next few years; let them fail on their own without you mudding up the waters by trying to manage the storage network underneath that.  ...

01 October 2008

Network Management, VMware and Who's Coming to the Party?

In this post by David Davis, there are a number of good observations and a couple of issues worth pondering.   

First might be what it means to "manage and monitor" virtualized infrastructure.  If Packettrap or Solarwinds permits that part of the IT organization responsible for the network to manage virtual network componentry, at what point do they pull it all together into a unified view of "the network"?  How does this happen without the network guys encroaching on the territory usually reserved for the "server tribe"?

One might argue that Cisco's Nexus 1000V recreates for the network organization a distributed virtual switch that, for all intents and purposes, acts like and is acted upon in a manner with which the network guys are familiar.  The question will be whether this is ultimately a case of defining the use of new, disruptive technology (server virtualization) in terms of the old established technologies (physical switching a la IOS). (You can see one point of view here, in which Davis sets out his take on the 1000V.)

As for the challenges he lays out ... well, we think we know the answers to some of this, and intend to prove it.  Answering the question about whether to support VMware ESX only, or other platforms is an interesting commercial decision for most players and bespeaks an understanding of the customer base. (When does Hyper-V have enough of a market share to justify the attention? Do customers have a requirement to manage both ESX and Hyper-V in the SAME virtualized datacenter?)

Yeah ... by all means, stay tuned.

Does your network management utility manage VMware? - David’s Cisco Networking Blog

More and more of the typical “physical computer” management & monitoring tools are being retooled to manage the new virtual infrastructure. I have talked with both Packettrap and Solarwinds and both have rumored that they will soon offer versions of their well known network management tools that will now recognize, not only network devices and physical servers, but the virtual guest operating systems that are on those physical servers.

For example, your network management & monitoring tool could query either each individual ESX server using traditional SNMP calls or it could query the VMware Virtual Center server using VMware’s API to obtain an inventory of what virtual guest is on what physical server, performance statistics for both host and guest systems, and status of guest systems (ie: which are powered on or off).

There are a few challenges that these vendors face:

    * do you go directly to each virtual host or to a centralized management server?
    * do you support only VMware ESX Server or do you try to support other virtualization platforms such as Microsoft’s Hyper-V?
    * how do you learn about guest VMs that have been “VMotion’ed” (for lack of a better term) from one host system to another? And what about the performance statistics when the storage for a guest is “SVMotion’ed” from one datastore to another?

So, “stay tuned”, as they say, for physical tools to now recognize the virtual world. And, if your vendor isn’t already doing this or doesn’t have plans to do it, I recommend that you pressure that vendor to make their product “virtualization ready” (or else you may have to go find another vendor).
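The third challenge in David's list (learning about guests that have been VMotion'ed or SVMotion'ed) comes down to keying an inventory by guest rather than by host and diffing successive polls. The Python below is an added illustration of that reconciliation, not code from David's post or from any vendor tool; the two snapshots are constructed, the host and guest names are made up, and no VMware API or SNMP call is made. Whether the records come from polling each ESX host or from the central management server, the diff logic is the same.

```python
"""Reconcile two inventory snapshots to track VM moves and state changes.

Added example: the snapshot layout and the host/guest names are constructed
(assumptions), not a real Virtual Center or SNMP result.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class GuestRecord:
    host: str         # physical ESX host currently reporting the guest
    datastore: str    # datastore holding the guest's disks
    powered_on: bool  # power state as reported at poll time


# Constructed snapshot at time T0, keyed by guest name.
SNAPSHOT_T0 = {
    "web01": GuestRecord("esx-a", "san-lun1", True),
    "web02": GuestRecord("esx-a", "san-lun1", True),
    "db01":  GuestRecord("esx-b", "san-lun2", True),
    "build": GuestRecord("esx-c", "local-c", False),
}

# Constructed snapshot at time T1, after some changes in the cluster.
SNAPSHOT_T1 = {
    "web01": GuestRecord("esx-b", "san-lun1", True),   # VMotion'ed esx-a -> esx-b
    "web02": GuestRecord("esx-a", "san-lun1", False),  # powered off in place
    "db01":  GuestRecord("esx-b", "san-lun3", True),   # SVMotion'ed lun2 -> lun3
    "new01": GuestRecord("esx-c", "local-c", True),    # newly created guest
    # "build" is no longer reported by any host: deleted, or its host is unreachable
}


def reconcile(before, after):
    """Diff two guest-keyed snapshots. Every category key is always present,
    so callers can rely on the shape even when nothing changed."""
    changes = {"moved": [], "storage_moved": [], "power": [], "added": [], "missing": []}
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name), after.get(name)
        if old is None:
            changes["added"].append((name, new.host))
        elif new is None:
            changes["missing"].append((name, old.host))
        else:
            if old.host != new.host:
                changes["moved"].append((name, old.host, new.host))
            if old.datastore != new.datastore:
                # Performance counters tied to the old datastore need re-baselining.
                changes["storage_moved"].append((name, old.datastore, new.datastore))
            if old.powered_on != new.powered_on:
                changes["power"].append((name, "on" if new.powered_on else "off"))
    return changes


def host_view(snapshot):
    """Invert the guest-keyed snapshot into the host-centric view that a
    traditional network/server monitoring tool expects."""
    per_host = {}
    for name, rec in snapshot.items():
        per_host.setdefault(rec.host, []).append(name)
    return {host: sorted(guests) for host, guests in per_host.items()}


if __name__ == "__main__":
    for kind, items in reconcile(SNAPSHOT_T0, SNAPSHOT_T1).items():
        for item in items:
            print(kind, item)
    print(host_view(SNAPSHOT_T1))
```

The point of keying by guest is that a host-by-host poll cannot by itself tell "web01 moved" apart from "web01 vanished on esx-a and an unrelated web01 appeared on esx-b"; the guest-keyed diff gives the tool a single event to report and a reason to carry the guest's history across hosts.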

Next Generation Infrastructure ... and its Management

Greg Ness is extending and enlarging his theme regarding the demands that next generation datacenters and cloud computing make on infrastructure... and particularly network infrastructure.  Notwithstanding the fact that he's now employed by a vendor of appliances and technologies that offers network services (like DNS, DHCP, IPAM, RADIUS, ...), the theme has merit -- it's not just a sales pitch, folks.   So, while I might argue with his analysis of VMware's fortunes, the basic message ... new approaches to infrastructure for next generation IT ... is dead on, and with it the requisite new approaches to infrastructure management.

The Cloud will need Infrastructure 2.0 « ARCHIMEDIUS
... While many pundits have their heads in the clouds proclaiming the next big thing, there are a few issues that need to be resolved first. And those issues promise to fuel new demand for new types of networking solutions.

These new demands of scale and complexity and availability were beyond the wildest dreams of the creators of the core network services that support today’s increasingly strained network infrastructure. Many of these services, like DNS and DHCP are decades old. They were created in simpler days, usually in silos and with no concept of a need for interoperability between the protocols. Those days are now gone. DHCP servers, for example, now do dynamic DNS updates.

23 September 2008

Michael Morris on Cisco's Nexus 1000V

Michael Morris has a very succinct and informative post on Cisco's Nexus 1000V.  The overview puts into perspective VN-link and includes a short interview with Doug Gourlay who mentions a few additional technology initiatives and goodies that weren't mentioned during the VMworld 2008 presentation.

Cisco's First Software Switch - the Nexus 1000V | NetworkWorld.com Community
Conforming to the axiom that it's easier to join 'em than fight 'em, Cisco launched its first software based network switch this week - the Nexus 1000V - as an integrated component of VMware's ESX platform.

21 September 2008

Bittman (Gartner) on VDC Infrastructure Management

Tom Bittman of Gartner has recently started blogging on cloud computing and virtualization. In a post made after the opening gun at VMworld 2008, he comments on two strategic shifts evident in the VMware story: infrastructure management (which he characterizes as throwing down the gauntlet with IBM, HP and MSFT) and cloud computing.

What interested me in the post are some of the presuppositions and his conclusions:
(a) it's inevitable that the datacenter becomes a virtualized
(b) in becoming virtualized, the virtual machine environment (in this case VDC OS) becomes the natural locus of end-to-end datacenter infrastructure management
(c) by adding service governance to the mix, one has a management system that competes directly with adaptive, utility computing management strategies promoted by IBM, HP and Microsoft

While this analysis of VMware's strategy makes sense on its face, it also seems to couch the competition in terms of failed or stalled initiatives at (some of) the competitors.  Bittman alludes to this in his commentary.  For some reason, when thinking about datacenter operation, administration and management, I would have been more likely to set the competition as being between VMware (and its hoped-for coterie of infrastructure management partners) and the Big 4 (and Little 4) systems management providers. 

The point worth noting: we need a more thorough discussion and definition of datacenter service governance (to use Gartner's terminology).  This becomes critical, for example, when considering the discussion of VMware and virtsec and even more so when reading Hoff's consideration of network issues in the virtualized datacenter.  Then, we'll be able to have a better conversation about how systems management in the datacenter actually comes to pass, and how VMware will compete with the Bigs.

VMware Strategy Reaches for the Clouds

VMware includes in their concept what Gartner calls a service governor, which adds policy-based management on top of a meta OS. Combined, these two create what Gartner calls a real-time infrastructure. The service governor is the real challenge for VMware, which is one reason they haven’t called it out.

What is interesting is that VMware is finally describing a larger strategy that is completely competitive with IBM (remember the On Demand Operating Environment?), HP (Adaptive Infrastructure) and Microsoft (Dynamic IT). The strategy is credible, but there are many, many gaps that need to be filled. In particular, while VMware is strong in virtualization, they are very weak in service management. Regardless, it will be difficult for IBM and HP to miss the competitive threat (which, of course, they should have seen starting in 2001). This is the only natural evolution for VMware, but the road is littered with challenges.

20 September 2008

And, meanwhile, in Gotham City ...

Network World reports on a presentation at InterOp in New York by Joshua Corman, principal security analyst for IBM/ISS.  The major message seems to be that virtualization requires significantly greater attention to management discipline and the enforcement of policies.  Without this attention, virtualization in the datacenter represents a serious security risk.

In defining Replicate's products, this very issue ... the sociology and organizational impact of multiple management domains ... has played a big part in our thinking, as has the means by which to reduce the complexity inherent in managing the virtualized datacenter.  Corman's characterization of the tribal nature of the datacenter organizations is spot on, as is his assessment of the problems that result from it.

People a big security threat to virtualization, Interop speaker says - Network World

Just as teams of server, network, security and application specialists typically oversee the deployment of traditional physical server farms, the same group should plan virtual rollouts, Corman said. But often, the security team is left out and server administrators may inherit the responsibility without the proper expertise. “Before there was a healthy balance of skill sets distributed well [among a variety of administrators],” he said.

This lack of balance generates unproductive finger pointing when things go awry and in some cases creates grabs for power as IT staff recognizes a shift in how work is being distributed. In either case, security can suffer, Corman said.

Hoff's take on VMware and VirtSec

Chris Hoff has done a terrific job of putting in perspective the role of VMsafe as a fundament of VMware's  ecosystem in the next few years. Incidentally, it helps clarify the impression I took away from VMworld 2008 that security was the "dog that didn't bark."

The importance of FastPath and SlowPath in VMsafe were evident from the outset. But, as Chris points out, VMware seems now encouraging a mini-ecosystem to be built around VMsafe.  As I think about it, starting with Paul Maritz' keynote, there was a clear message encouraging a community of partners to make major use of VMsafe.  These invitations were usually couched in terms like "encouraging partners to embrace and enhance VDC OS infrastructure management" and took on real weight for me when I took in the extraordinarily GOOD job Cisco did in architecting their Nexus 1000V offer.

Thanks, Hoff. Great insights.

Rational Survivability: VMWare's VirtSec Vision...Virtual Validation?

...  What this ultimately means to me is that within the next 24 months with the delivery of VI4, a mature VMsafe API and shipping ISV code, we'll see some of the natural market consolidation activity occur and VMware will lock and load, snap up one or more of the emerging security players in the VirtSec space and bolster their platform's security capabilities.

Meanwhile Cisco will help secure VMware further in the enterprise with their integrated play and the remaining security ecosystem players will begrudgingly fight to stay on the good side of the fence...while they hedge their bets by supporting Microsoft and Hyper-V. ...

13 September 2008

What will Cisco announce at VMworld?

Allan Leinwand makes an interesting prediction in GigaOM that Cisco will support VMware VMs on their networking hardware.  He then goes on to outline why it would be an important move for Cisco in their efforts to remain not only relevant, but central in the enterprise-class virtualized datacenter.  He also lays out some of the downside for enterprise customers -- most specifically the inability to leverage the Intel X86 server ecosystem to their complete advantage.

As I was pondering this, I noticed a "tweet" from Doug Gourlay (and I quote):

Allan Leinwand had a good guess on GigaOm, but not quite :). Keep 'em coming

OK, so that's "not quite" what Cisco has up its sleeve. 

What's my guess?  I don't think I have enough insight to put myself in the role of the product management powers-that-be at CSCO.  I'm not a network hardware guy.

What might make an interesting offer?  From my point of view, anything that Cisco can deliver that unifies the virtual network infrastructure now available within the VMware virtual machine environments and the physical (Cisco) server access network would be welcome. 

Hey... Where is that distributed virtual switch we heard about a little over a year ago?  Yeah... that would be interesting.  Oh, and while you're at it ... could you please make the virtual switch to which I associate VMs a "stackable" switch for the purpose of making network configuration for production computing more viable?

Well... hardly a prediction.  More a wishlist, isn't it?

Update:

I just saw this on the VMworld Underground site:

After the weekend the Nexus 1000 will be launched by Cisco, this virtual switch has 255 ports and its own IP address. Eric Sloof

Hmmm.  Be careful what you wish for!

Cisco to Support VMware? - GigaOM

Cisco Systems will support VMware virtual machines on their networking hardware? There’s buzz around Silicon Valley that there will be a big announcement made at VMworld next week in Las Vegas, and that’s my prediction as to what it will be. The integration of virtual machines and networking, which was signaled last year when Cisco invested heavily in VMware just prior to the virtualization company’s IPO, would have numerous ramifications, not only for the two companies, but the networking industry overall.

If my prediction comes true, it would help Cisco remain relevant in the data center, allowing it to do more than move IP packets between servers. It would also entrench the company into the enterprise, distancing themselves even further from the likes of Juniper Networks and 3Com, both of whom have struggled against Cisco to gain some toehold in the enterprise infrastructure marketplace.

08 September 2008

Cloud Parsing

More clarity (and practicality) is emerging in the conversation regarding cloud computing. Joe Weinman's response to my previous post goes straight to the heart of it: there are reasons why the pure, platonic form of cloud computing just won't satisfy the requirements or live within the constraints placed on corporate production computing.

Dan Woods has a very good article this morning at Forbes.com in which he identifies three issues that will bring complexity to the cloud-based solutions. He identifies them as (1) governments, (2) network topology and (3) quality of service.

With all respect to his choices, I'd probably use different terminology when laying out the issues for a geekier audience. (The column IS entitled JargonSpy!!)

(1) government regulation regarding the jurisdiction in which certain kinds of data must remain is a big issue. But there are a whole slew of industry standards (such as PCI DSS) and just "best practices" that recommend keeping close watch on where data lives and where it's processed. Compliance with regulation, industry standard or corporate best practice is a more inclusive concept.

(2) the network topology issue is really about latency rather than speed. (See Weinman's Cloudonomics Rule #8)

(3) quality of service is a loaded term for those of us with networking backgrounds. Woods' use of the term makes sense to the general readership. In fact, it's an amalgam of service properties that seem to rest primarily on reliability, availability, performance and security. Thrown in for good measure, we need to consider connectivity and resilience of the cloud.

This article is heartwarming, in that it starts to add some texture and the appropriate measure of sophistication into the thinking around cloud computing. Thanks, Dan.

(Thanks to OnSaas for pointing out the article.)

Parsing The Cloud - Forbes.com
Cloud computing is a rich vein of semantic ore for the JargonSpy because so much that is said about the cloud makes it all seem so simple. Most of the time, the story goes like this: We have an application like Salesforce.com or Google Apps, or an application programming interface to a service like Amazon.com's EC2 or S3, and we ask it to do stuff for us. Then, out there in the cloud, it all happens. We don't have to worry about what happens in the cloud, and we do not really care where it is, who else has their stuff there or how it all works.

The days of not caring are quickly coming to an end. The cloud as an abstract entity in a place you don't have to worry about will be replaced by clouds that have geographies, special purposes, other companies and rules that guarantee compliance with regulations. This week JargonSpy takes a look at how and why the cloud will transform from the simple to the complex. ...

03 June 2008

Critically Under-damped Oscillations

Chris Hoff has a great, common-sense post on security and where in the data center it will eventually end up residing.  (If you don't want me to give away the plot, go directly to the post.  Don't read the snippet I've enclosed.)

Along with the "dampened oscillation" graphic that he alludes to (but doesn't actually draw), I'd like to add my two cents about where security resides when dealing with server virtualization, and the network.  Server virtualization, and particularly hot migration (like VMware's VMotion), has definitely changed the relative workload and tsuris (a technical term of art) experienced within the data center by the persons responsible for, respectively, server administration, storage administration, and network administration. 

In the days before widespread adoption of server virtualization, making a new application "production ready" was a PITA (another term of art) for the server admin, who had to specify servers, install the apps, move the appropriate data for use by the apps, test, stage, re-test, etc. 

The storage admin had a modest workload, requiring attention to allocation of storage space, setting quotas, setting policies, ... but once done at the planning stage, required modest tweaking thereafter. 

The network admin had it easiest (IMHO).  Over the course of the weeks (if not months) it took to arrange for a new application to be put into production, the network admin might have to allocate ports, set VLANs, set policies, and be present when doing the lash up with the network equipment.

Fast forward to the day when a new application goes through development, test, staging and cut-over into production ... ALL using server virtualization.  Besides the fact that the time horizon for the production deployment has likely been compressed from weeks to days, the relative workloads as this cut-over approaches is radically different from the one described above. 

  • The server admin has a relative cakewalk: extend VME cluster, copy the image, or use a hot migration to herd the app into the new spot. 
  • The storage admin has pretty much the same level of work in allocating space, setting quotas, etc.,  and will soon be using SAN "hot migration" (e.g. VMware's Storage VMotion).
  • The network admin, however, just got a rude awakening.  If he's got SLAs to which his organization must commit, the network admin must allocate ports, set VLANs and VLAN policies, set up NIC teaming in both the virtual switches and physical server access switch, and set up trunking on the vSwitch and pSwitch.   Oh, and by the way... it has to be "right" for every physical server in the data center to which a virtualized application MIGHT migrate in the future.
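The last bullet is the one that bites: the VLAN, teaming and trunk configuration has to be right on every host a VM might land on, not just the one it starts on, and nothing in the migration itself checks that. The Python below is an added example of the pre-migration check a network admin would want, written for this post and not taken from Chris's post, VMware or Cisco. The cluster description (hosts, vSwitches, port groups, uplink NICs, physical switch trunks) is constructed, and the names, the data layout and the rule "at least two uplinks per vSwitch" are assumptions; a real tool would populate the same structure from the hosts and the access switches.

```python
"""Pre-migration check: can every host in the cluster carry every VM's VLAN?

Added example with a constructed cluster description (assumption); not a
VMware or Cisco tool and not derived from any real configuration.
"""

# Intended design: port group name -> VLAN id, as the network admin specified it.
PORTGROUP_VLANS = {"web": 10, "app": 20, "db": 30}

# Physical server-access switch side: which VLANs each port trunks.
PSWITCH_TRUNKS = {
    ("acc-sw1", "Gi1/1"): {10, 20, 30},
    ("acc-sw1", "Gi1/2"): {10, 20, 30},
    ("acc-sw1", "Gi1/3"): {10, 20},
    ("acc-sw1", "Gi1/4"): {10, 20},
    ("acc-sw2", "Gi1/1"): {10, 20, 30},
}

# Host side: host -> vSwitch -> port groups (name -> VLAN) and uplink NICs
# (NIC -> physical switch port). Deliberate drift is planted on esx-b and esx-c.
HOSTS = {
    "esx-a": {"vSwitch1": {"portgroups": {"web": 10, "app": 20, "db": 30},
                           "uplinks": {"vmnic2": ("acc-sw1", "Gi1/1"),
                                       "vmnic3": ("acc-sw1", "Gi1/2")}}},
    "esx-b": {"vSwitch1": {"portgroups": {"web": 10, "app": 21},   # app VLAN mistyped, no db
                           "uplinks": {"vmnic2": ("acc-sw1", "Gi1/3"),
                                       "vmnic3": ("acc-sw1", "Gi1/4")}}},
    "esx-c": {"vSwitch1": {"portgroups": {"web": 10, "app": 20, "db": 30},
                           "uplinks": {"vmnic2": ("acc-sw2", "Gi1/1")}}},  # single NIC
}

# VM -> port group it is attached to (constructed placement).
VMS = {"web01": "web", "app01": "app", "db01": "db"}


def host_problems(host, pg_name, vlan, min_uplinks=2):
    """List the reasons `host` cannot safely carry a VM on `pg_name`/`vlan`.
    An empty list means the host is migration-ready for that port group."""
    problems = []
    for vs_name, vs in HOSTS[host].items():
        pg_vlan = vs["portgroups"].get(pg_name)
        if pg_vlan is None:
            continue  # port group not on this vSwitch; try the next one
        if pg_vlan != vlan:
            problems.append(f"{host}/{vs_name}: port group {pg_name} is VLAN {pg_vlan}, expected {vlan}")
        uplinks = vs["uplinks"]
        if len(uplinks) < min_uplinks:
            problems.append(f"{host}/{vs_name}: only {len(uplinks)} uplink(s), teaming needs {min_uplinks}")
        for nic, (switch, port) in uplinks.items():
            if vlan not in PSWITCH_TRUNKS.get((switch, port), set()):
                problems.append(f"{host}/{vs_name}: {nic} -> {switch} {port} does not trunk VLAN {vlan}")
        return problems
    return [f"{host}: no vSwitch has port group {pg_name}"]


def migration_readiness(vms=VMS):
    """VM -> {host: [problems]} for every host that cannot accept the VM."""
    report = {}
    for vm, pg_name in vms.items():
        vlan = PORTGROUP_VLANS[pg_name]
        bad = {h: p for h in HOSTS for p in [host_problems(h, pg_name, vlan)] if p}
        report[vm] = bad
    return report


def ready_hosts(vm):
    """Set of hosts the VM can migrate to without a network surprise."""
    return set(HOSTS) - set(migration_readiness({vm: VMS[vm]})[vm])


if __name__ == "__main__":
    for vm, per_host in migration_readiness().items():
        print(vm, "can go to", sorted(ready_hosts(vm)))
        for host, problems in per_host.items():
            for p in problems:
                print("   ", p)
```

Run against the constructed data, the report says web01 is fine on esx-a and esx-b but not esx-c (one NIC, no teaming), app01 can only go to esx-a (esx-b has the wrong VLAN on the app port group), and db01 can only go to esx-a (esx-b never got a db port group). Those are exactly the three failure modes the bullet describes: wrong VLAN, missing teaming, and a host that was never prepared for the application at all.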

Holy smoke, Chris!  It's not a single, oscillating signal.  It's (at least) three of 'em.  (... and if I were a better graphics hack, I'd drop in a jpg right about now.)

Rational Survivability: Security Will Not End Up In the Network...

... Here's the reality we actually already know and should not come to you as a surprise if you've been reading my blog: we will always need a blended investment in technology, people and process in order to manage our risk effectively.  From a technology perspective, some of this will take the form of controls embedded in the information itself, some will come from the OS and applications and some will come from the network.

Anyone who tells you differently has something to sell you or simply needs a towel for the back of his or her ears...