Total Internet Security Software



Archive for December, 2011

Transferring DNS Registrars Not A Problem

It's December 29th and I have started to transfer personal DNS domains from GoDaddy. Their position on SOPA (Stop Online Piracy Act)—their reversal notwithstanding—was the nudge that pushed me over the edge. Frankly, GoDaddy has been acting poorly over the last few years and I decided to move my domains elsewhere. So far, the transfers have gone well with nary a hiccup.

I don't have a problem with trying to curb piracy. Enforcing copyright is good for content creators, publishers, advertisers, stores—anyone involved with the creation and distribution of creative works. If you want to charge for your work, give it away for free while disallowing modification, or give it away and let others modify and redistribute it, then you, as copyright holder, should be allowed to do so. For all the benefit of giving away the things you create, there are economic incentives to charge for work and if you are offended by that, too bad. Some of us want to get paid for our work, but a bad law is worse than no law and neither SOPA nor PIPA are good laws. I made a personal choice to not support companies that support bad laws. Leaving GoDaddy is just one recent example.

Regardless, if you want to transfer your domain now or at any point in the future, and there are many reasons why you might want to do so, there are some things you can do to ensure that the transfer will go smoothly.

  • Make sure your contact information is current and correct. Sorry kids, but DNS is a public service and you have to provide accurate contact information, if for no other reason than that anyone who wants to contact you, like a lawyer or law enforcement before, during, or after taking action such as a DMCA takedown or notifications required under SOPA and PIPA, can always find you through whois. If you are worried about leaking private information, use addresses, email accounts and phone numbers that are not associated with your personal or professional contact information but still allow you to be reached. Alternatively, you can use privacy services offered by your registrar to hide behind. Frankly, in the 10+ years I have had DNS names, I haven't received any spam or solicitations. Your mileage may vary.
  • If you are using your registrar's privacy services, you will need to uncloak during the transfer process. The receiving registrar needs to get your whois data and they can't if it is locked. Unlocking your whois data may require extra steps with your current registrar, so check first. It may delay the transfer, but you signed up for privacy so don't blame the registrar for executing on your wishes.
  • Your authoritative DNS servers will not be affected by the transfer unless you are using your registrar's DNS servers for your domain names. In other words, if your domain name is registered through Acme Registrar and your host names like www and mail are managed through Acme Registrar's service, then Acme will likely remove your domain name from their DNS servers after the transfer is complete. Set up secondary DNS servers and ensure they have propagated before you initiate the transfer.
  • Give it a few days to let the transfer complete. You will have to authorize the transfer (which is why you need a valid email), and wait for the registrars to handshake. Once it is started, you shouldn't need to do anything else unless there is a problem.
  • While you are transferring your domains, make sure you establish a strong password for your registrar. Make it long and complex, write it down and put it somewhere safe. That will keep attackers from guessing your password. Oh, and remember to lock your domains after the transfer is complete.
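
The checklist above can be turned into a check over whois output. This is an added example, not part of the original post: it parses whois text and reports a missing contact email, an active privacy cloak, name servers that all sit with the losing registrar, and the state of the transfer lock before and after the move. The whois records, domain names, privacy marker strings and function names are constructed for illustration, and whois field labels vary between registries.

```python
import re

# Constructed whois output for illustration; real field labels vary by registry.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Acme Registrar
Domain Status: clientTransferProhibited
Domain Status: clientDeleteProhibited
Registrant Name: Whois Privacy Service
Registrant Email: example.com@privacy.acme-registrar.example
Name Server: NS1.ACME-REGISTRAR.EXAMPLE
Name Server: NS2.ACME-REGISTRAR.EXAMPLE
"""

# Constructed record for a domain that is ready to move.
READY_WHOIS = """\
Domain Name: EXAMPLE.NET
Registrar: Acme Registrar
Domain Status: ok
Registrant Name: Pat Example
Registrant Email: hostmaster@example.net
Name Server: NS1.ACME-REGISTRAR.EXAMPLE
Name Server: NS1.INDEPENDENT-DNS.EXAMPLE
"""

# Assumed marker strings; adjust to what your registrar's privacy service shows.
PRIVACY_MARKERS = ("privacy", "proxy", "redacted")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_whois(text):
    """Return {lowercased field name: [values]} from 'Key: value' whois lines."""
    record = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("%", "#", ">>>")):
            continue  # comment and footer lines
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def is_locked(record):
    """True when the registrar transfer lock (EPP clientTransferProhibited) is set."""
    statuses = [v.split()[0].lower() for v in record.get("domain status", [])]
    return "clienttransferprohibited" in statuses


def is_cloaked(record):
    """True when the registrant fields look like a privacy service, not the owner."""
    fields = []
    for name in ("registrant name", "registrant organization", "registrant email"):
        fields.extend(record.get(name, []))
    return any(marker in f.lower() for f in fields for marker in PRIVACY_MARKERS)


def registrar_hosted_ns(record, registrar_ns_suffix):
    """Name servers that live under the losing registrar's DNS domain."""
    suffix = "." + registrar_ns_suffix.lower().strip(".")
    servers = [v.lower().rstrip(".") for v in record.get("name server", [])]
    return [ns for ns in servers if ns.endswith(suffix)]


def check(record, registrar_ns_suffix, phase):
    """Return finding codes for phase 'before' or 'after' the transfer."""
    if phase not in ("before", "after"):
        raise ValueError("phase must be 'before' or 'after'")
    findings = []
    if not any(EMAIL_RE.match(e) for e in record.get("registrant email", [])):
        findings.append("no-reachable-registrant-email")
    if phase == "before":
        if is_cloaked(record):
            findings.append("privacy-cloak-active")      # uncloak first
        if is_locked(record):
            findings.append("transfer-lock-set")         # unlock to start
        servers = record.get("name server", [])
        if servers and len(registrar_hosted_ns(record, registrar_ns_suffix)) == len(servers):
            findings.append("all-dns-on-losing-registrar")  # add secondaries first
    elif not is_locked(record):
        findings.append("transfer-lock-missing")         # re-lock after the move
    return findings


if __name__ == "__main__":
    for label, text in (("example.com", SAMPLE_WHOIS), ("example.net", READY_WHOIS)):
        print(label, check(parse_whois(text), "acme-registrar.example", "before"))
```
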

Update. The first of my domains are completing transfer. It took me about 2 minutes per domain, and about 5 hours for two registrars to do their thing. No blocking from GoDaddy. No phone calls pleading for my business. No drama. Maybe I am not important enough. Or maybe I am too important. I'll go with the latter. (ha ha) Have a great New Year.


2011 Was An Awesome Year For Networking

After about eight or nine years of networking innovation stagnation, the number of new innovations starting in 2010 and exploding in 2011 is astounding. Speed and feeds are increasing, but the exciting work in 2011 occurred in new technologies to support initiatives like cloud computing, storage and data convergence, as well as migrating to IPv6. Here are the highlights.

Multipath Ethernet was all the rage in 2011. Protocols like Multichassis Link Aggregation (MLAG), Transparent Interconnection of Lots of Links (TRILL), Shortest Path Bridging (SPB) and proprietary protocols are all aimed at solving one of the thorniest issues in networking: getting rid of spanning tree and making use of all the interconnects between switches. The problem is that none of the multipath Ethernet product suites are standards-compatible. Part of the issue is that TRILL and SPB still aren’t fully ratified, so there isn’t a standard to conform to. But the other part is that early implementations of the current protocol drafts have gone far afield of what will likely be the final version. Brocade’s VCS uses only TRILL framing but not IS-IS, which is used by switches to form a coherent view of the network. Cisco’s FabricPath has taken TRILL and "enhanced" it to work better. Both Cisco and Brocade claim they will support standard TRILL after it is ratified.

Of course, the question has to be asked: Is multichassis link aggregation (MLAG) good enough? Unless you have an Internet-scale data center with tens of thousands of servers, you probably don’t have the port count, port density, nor strict SLAs that would require a partial or full mesh network that a TRILL-based network could provide. If all you need to do is to reduce the EoR/ToR switch to core oversubscription, then MLAG may be a workable choice. HP thinks that eschewing both TRILL and SPB in favor of MLAG is the way to go.

Juniper, for its part, went in a totally different direction with QFabric, by taking the chassis concept and distributing the components to a stand-alone director that acts as the brains of QFabric and ToR switches that connect to servers, as well as home-running back to a backplane chassis. It’s a bold move, and the proprietary approach is one that we have been critical of.

The question of whether multipath Ethernet standards will ever be implemented and, more importantly, whether various vendor products will interoperate is cloudy at best. Perhaps standards don’t matter and vendor choice does, because in all likelihood, if you are going to buy into a vendor’s fabric, you’re going all in.

All-in with OpenFlow

Software Defined Networking (SDN), which allows applications and stuff other than traditional network management systems to manipulate the network, builds on multipath Ethernet, converged networking and orchestration, which have primarily been used to build private clouds in your own data center. The darling, of course, is OpenFlow, a protocol designed for controller-based flow management. The hyperbole around OpenFlow has been thick with claims that it will commoditize switching, make networks faster and more reliable, and treat male pattern baldness. The first two claims are just outrageous.

There is value in OpenFlow, and the promise of a programmable network that is both dynamic and robust is powerful, but let’s remember that OpenFlow made its commercial debut in 2011 with NEC and Fujitsu announcing switch platforms at Interop 2011 and BigSwitch announcing a controller. The InteropNet Labs OpenFlow demonstration showed the tip of the iceberg of what can be accomplished with OpenFlow-based networking, but we have yet to see anything unique or innovative. That’s coming.

What is promising is the vendor backing of the OpenFlow Networking Foundation, an industry consortium founded by some of the largest Internet companies, including Deutsche Telekom, Facebook, Google, Microsoft, Verizon and Yahoo, and that includes participants from every major networking vendor.

IPv6 Out With A Whimper

You’ve been warned. In February, the IANA handed out the last of its IPv4 address space to the Regional Internet Authorities (RIR). There are no more to allocate, and the RIRs are parsimoniously allocating the remainder. While the IPocalypse is not a cause for panic, you’d be remiss if you haven’t been planning to migrate to IPv6 in the near future. There are going to be some challenges, mostly in supporting existing IPv4 servers and devices that will never have an IPv6 stack, as well as supporting any Internet-facing services. We’ve put together a resource page that we update to get you started.

What’s bigger news is that there is so little IPv6 adoption under way. It’s as if the lack of a hard deadline, like we had with Y2K, means that adoption can be pushed off indefinitely. The fact of the matter is that, despite products coming to the fore, moving to IPv6 presents some significant hurdles.

Today, not even network operators have fully deployed IPv6. When I announced that Network Computing was IPv6-ready, the reality was that the URL www.networkcomputing.com could be resolved to an IPv6 address, but all the components, such as images and ads, that are hosted on other servers were still on IPv4 largely because our hosting provider still hasn’t deployed IPv6 to our co-lo.

In 2010, the Interop conference announced it was giving back its IPv4 class A address space to IANA (potentially worth millions on the market) and moved to a dual-stack IPv4/IPv6 network for the show. While it went OK, the InteropNet team did have some lessons to learn. Everyone dealing with networks--engineers, support staff, end users, and so on--has grown accustomed to reading off IP addresses. But as the InteropNet engineers found out, that is untenable in IPv6 networking, where the address strings are long.


Year In Review: The Good, The Bad And HP

As we wrap up another year of doing more with less – too often a lot more with a lot less – it's time to look back at the highs and lows of the vendors of IT products, services, panaceas and placebos. Based on the latest quarterly earnings, HP ($32.3 billion) had a comfortable lead over Apple ($28.27 billion) and third-place IBM ($26.2 billion). Microsoft ($17.37 billion) held down fourth place, followed by Dell ($15.4 billion), Intel ($14.2 billion), Cisco ($11.3 billion), Oracle ($8.4 billion) and EMC ($4.98 billion). Depending upon whose forecast you use, the top vendors accounted for more than a third (IDC) or a fifth (Gartner) of the total IT pie this year. Here is some of the news they made in 2011.

Back in the late 1980s, just prior to Lou Gerstner taking control of a beleaguered IBM, a noted analyst said Big Blue was facing two options: shoot itself in the foot or wait until the market shot it in the head. In other words, make the painful choices before customers and competitors made them for you. Fast forward to 2011 and a long-recovered IBM must have gotten a lot of enjoyment – and new customers – as HP appeared to get a garbled translation and tried blowing its own head off.

Trouble in paradise first came to light in June, when HP ousted two executives and gave a third a seat on its board. Out after 29 years at HP was Ann Livermore, head of HP Enterprise Services, as well as Pete Bocian, executive VP and chief administrative officer, and Randy Mott, executive VP and CIO.

Ex-SAP CEO Leo Apotheker's reign of terror as president and CEO of HP came to a close a month after he announced that the company was considering spinning off its Personal Systems Group, its PC business which accounts for almost a third of its total revenues. He was replaced by former eBay CEO Meg Whitman. In late October, she announced that HP had decided to stay in the PC business.

According to a Dell-sponsored study from IDG Research Services, 64% of current or potential HP customers with more than 500 employees were concerned by HP’s changes in business strategy and leadership. Another recent survey of 130 HP customers in the United States with at least 500 employees, by Technology Business Research, found that respondents were concerned with the direction the company was taking.

On a more positive note, this year IBM was focused on making things work better or cost less. What struck Janelle Hill, VP, business process management research, Gartner, as most significant at the kickoff to Impact 2011 was IBM's emphasis on helping business transformations, to position companies for growth and optimization of performance results with a much lower amount of emphasis on IBM technologies and product brands. "There is a significant amount of emphasis on the need for leadership and cultural change, not just technology," she says.

Microsoft tossed a curve ball in May when it pledged wider support for open source software. "Microsoft continues to work on becoming more open in how we develop solutions and work with the open source communities," wrote Sandy Gupta, general manager of the open solutions group at Microsoft in a blog post prior to his keynote address at the Open Source Business Conference (OSBC) 2011.

While Microsoft was talking about changing its spots, Dell was actually doing so. At its inaugural Dell Storage Forum in June, the company that originally started off as a storage vendor in Michael Dell's college dorm, highlighted its evolution from a storage reseller – mainly EMC – to a storage OEM. Dell is becoming a technology leader, at least as far as storage goes, said Terri McClure, senior analyst, Enterprise Strategy Group.

In October, Dell and EMC ended their 10-year multibillion-dollar OEM relationship, during which Dell accounted for 8% to 9% of EMC's annual revenue, while EMC contributed approximately half of Dell's storage revenue. At the time of the split Dell's own storage platforms grew revenue 15% year over year and represented nearly 80% of its storage revenues and more than 90% of its storage profits.

Like HP, Cisco also stumbled this year, announcing a major restructuring and reporting disappointing financial results. At the start of May, the networking giant announced it would streamline its sales, services and engineering organizations, and would focus on five areas: core routing, switching and services; collaboration; data center virtualization and cloud; video; and architectures for business transformation. A week later it announced income of $1.8 billion on net sales of $10.9 billion.

Chairman and CEO John Chambers said that the company has acknowledged its challenges: "We know what we have to do. We have a clear game plan, and we are a company with a track record of market-shaping innovation," he said in a statement.

Parting ways with Dell didn't seem to slow EMC down at all, which made a number of announcements in 2011, including announcing a focus on big data and the cloud. Charles King, principal analyst, Pund-IT Research, was impressed by EMC's focus on partnerships, as well as with the lack of "acrimony" that seems to increasingly characterize HP, Oracle and IBM. "They really made an effort to talk about the channel and their partners," he says.

The storage giant also boosted its SMB (Iomega) portfolio, expanding from its usual 25-50-user segment to the 100-250-user range, while still clearly differentiating itself from its entry-level VNX family. Their previous network solution offerings have mainly been SOHO focused, said Liz Conner, senior research analyst with IDC's storage systems and personal storage teams, but with its latest products, it is really looking to move full steam ahead into the SMB market, and bring with it enterprise features, but with the simplicity and price point more akin to personal storage.

Finally, Oracle continued to reinvent itself following its acquisition of Sun's hardware and software assets, and its acquisition in July of Pillar Data Systems. Oracle president Mark Hurd, Apotheker's predecessor at HP, said, "We think we can run applications 10 times faster using a 10th of the storage capacity." For its last quarter, the Sun hardware business brought in $1.2 billion, and while non-Sun storage was down significantly, Sun storage and tape grew very well.


Hey Broadcom, Will 2012 Bring Us Gigabit Ethernet?

We've come a long way since the early days of wireless networking. On the right 802.11n network today, you can see data rates of 300 Mbps and real throughput that tops Fast Ethernet speeds. But things change quickly in the wireless space, and after a recent conversation with chipmaker Broadcom, I can smell ridiculously fast wireless off in the distance.

Many wireless environments got started for real when supported data rates were along the lines of 1, 2, 5.5, and 11 Mbps. These are slow by today’s standards, but were enough to fertilize a burgeoning technology that became addictive to those who tried it. The portability advantage that came with early wireless was absolutely compelling, enhanced by the Wi-Fi Alliance’s world-class interoperability campaign that gave the wireless industry a unifying undercurrent. Many of us got our environments so hooked on wireless that going to expensive 54 Mbps-capable 11a and 11g dual band APs was a given when they hit the market. Wireless client device counts climbed and continue to climb, and 11n has sealed the deal that wireless is bigger than wired networking in many large and small environments. That’s the nickel history lesson, but again, things change fast in the wireless world.

Even as many large environments work on migrating to 11n, with its cool features like rate-boosting wide channels and MIMO antennas that make the once-evil multipath effect work on our behalf, there is much going on behind door number three. Like most IT folks living the wireless dream, the voices in my head are very fond of asking “what’s next”? To my delight, I was recently able to get that question answered by industry giant Broadcom, whose technical folks are in the thick of helping to shape both the pending 802.11ac wireless standard and the culture that will accompany it.

What follows here is my take-away from the conversation, and as you digest it please remember that 802.11ac is developing. It is not yet even a draft version of what it will become. At the same time, there is a lot to talk about. To address the wireless gee-whiz stuff straightway, the 11ac standard will allow for data rates up to 1000 Mbps in the 5 GHz spectrum using channel widths up to four times as wide as current 11n uses at its fastest. In other words, we will eventually see 160 MHz wide channels. Impressive, yes, but initial product sets will ship as “pre-standard” in 2012 at half or below what the intent of the standard supports from a performance perspective. Even when the actual standard ratifies, which is expected in 2014, products will probably not be ready to deliver on full Gigabit data rates for some time afterwards.

At the same time, we are realistically using “Gigabit” and “wireless networking” in the same sentences, and that is significant in and of itself. And because 11ac works in 5 GHz and not in 2.4 GHz, we will finally get some relief from device manufacturers continuing to saturate the dirty 2.4 GHz space with even more noise makers, also very significant.

Back to Broadcom, and how 11ac will invade our collective conscience. Consumer-oriented, pre-standard products will hit shelves in 2012. The unquenchable thirst for ever-more video applications and delivery mechanisms will push 11ac along. Wireless home routers built on 11ac specs will have greater effective range, and client devices should see improved battery life over earlier wireless technologies, mostly because more data is being moved in the same time slice, says Broadcom. And when 11ac chipsets start to ship, expect them to be at a pretty frantic pace.

2012 will be the year of 11ac cutting teeth in the consumer space. Even though the Wi-Fi Alliance is expected to greatly hasten interoperability testing and certification for 11ac products compared to past standards, the enterprise faction of the wireless market will be slower to adopt and embrace draft versions of 11ac as it develops, until a version emerges that feels close enough to “baked” for the wireless big guns to take a chance on. Look for this milestone in late 2013, several months ahead of 11ac becoming official.

Obviously, the 802.11ac story will get bigger in the months to come. Broadcom and others in the industry have done an amazing job in evolving the wireless space almost to high-performance ubiquity, and 11ac is the natural next step in the journey. Consumers will love it, while enterprise IT folks will eventually agonize over why and how to migrate their large networks to 11ac. Even though we won’t get to Gigabit wireless in 2012, it’s still a good bet that marketing folks will have a field day with outlandish claims of nonsensical coverage range and physics-defying speeds as early shadow versions of 11ac take root, and so the force remains in balance.

At the time of publication, Broadcom has no business relationship with Lee Badman.


All I Want For Christmas Is 10Gbase-T

Dear Santa: While I wouldn’t be upset to find a Mercedes SLK350 with a big ribbon on it parked in front of my apartment on Christmas morning, the best present Santa, and the networking industry, could give me is general availability of 10GBase-T across switches and NIC/CNAs. Once I can just order my 10gig network gear with 10Gbase-T, I can stop worrying about how to pay for optical transceivers at $350-$1,200 a pop, as well as the never ending compatibility problems with both optics and twin-ax direct connect cables.

Since 10Gbase-T runs over plain old twisted pair cable, there’s no way for a switch or CNA to interrogate the cable and reject it because it wasn’t blessed. Sure you have to make sure your cable plant is up to the higher data rate. In general, that means Cat6a unshielded twisted pair or Cat 7 shielded cable, though you can use Cat 6, or even Cat 5E, patch cables for short distances (30M or less).

Just as I was feeling that I had found a solution to the 10 Gigabit Ethernet cable conundrum, my friend Greg Ferro blogged that he thought twisted pair cable was a mistake for 10 gigabit Ethernet. He pointed out four problems he had with cat 6 for 10 gigabit traffic.

Greg’s first complaint and the biggest real down side to 10GBase-T is power consumption. Even with today’s 40nm PHY chips, driving a 10Gbase-T port will take 2-5 watts where a twin-ax DAC cable or 10Gbase-SR transceiver draws under a watt. Since I’ve spent much of my career working in data centers on the 34th floor of New York office buildings, I’m sensitive to the power limitations many data centers face.

But before you write off 10Gbase-T as a major cause of global climate change since it uses 4-5 times as much power, remember that we’re talking about 5 watts in the context of a server that’s probably drawing 3-500 watts. Unless you’re designing a system for a submarine, or one of my client’s over populated Manhattan data centers, 10GBase-T isn’t going to bust your power, or your financial budget.

Assuming a worst case situation where a 10GBase-T link would use 10 watts more than a fiber link, that’s only an additional 7.3 KWh/month. We use about as much power each year to cool our lab as the servers and storage inside the lab use and pay about 18 cents per KWh. At those rates a 10 watt link will cost us around $30 more a year to run while costing $700 less. Since most 10Gbase-T equipment will run in a roughly 2 watt mode for short cables (up to 30M which should cover most server-switch connections), we’re talking about a few dollars a year to run 10Gbase-T on a server.

Greg then objects to the size of Cat 6A cables. He has a point if we’re comparing Cat 6A to fiber, after all the 48 strand fiber cable that would serve a full rack of servers is just .6” in diameter where a 48 cable bundle of Cat6A cables could be over 3” in diameter. From where I sit it makes more sense to compare Cat 6A not to fiber but to the Cat 5E that it’s probably going to replace. Most Cat 5E cable is between .2 and .25” in diameter, where the Cat 6A standard allows cable to be up to .35”. However, vendors including Panduit, who Greg references in his post, and Belden are now making Cat6A cables that are under .3” so that 48 cable bundle will be around 2.5”. Yes, bigger, but considering that we’re taking a typical server from 5-9 Cat 5E cables for 1GBase-T to three (two data, one IPMI management) with cables in the 10 Gigabit era, the total space twisted pair cables will take up will be less than we’ve used in the recent past.

Greg says, “This leaves the problems of mechanical and electrical performance over time. The basic problem I have is that Cat6A is close to the limit of what can be achieved with copper in terms of electrical performance. It was originally believed that 10GBaseT wouldn’t even be possible.”

Now Greg has a point that eventually we just won’t be able to squeeze higher and higher data rates through a twisted pair cable and 8x8 modular jacks. I myself once predicted that we’d never see gigabit Ethernet, since collision detection requires that the first bits of a packet reach the most distant node before the last bits are transmitted, a gigabit network could only be a few meters end to end. I was of course proven wrong as we adopted switching, and collision detection became a historical artifact.

However, I remember hearing almost exactly that same “Twisted pair isn’t up to carrying our really cool new fast tech” line when Synoptics introduced LattisNet Ethernet over twisted pair. People were so concerned that 2 twisted pairs couldn’t securely carry 100Mbps Ethernet that a four pair standard 100Base-T4 was ratified just in case. The pattern over the past several Ethernet speed upgrades has been for fiber to come first and for truly widespread acceptance to occur when twisted pair made it cost effective.

Greg worries that twisted pair cable is delicate, that the cable is weak where it enters a modular plug (more frequently referred to as RJ-45), that overinsertion of cables during cable assembly can cause problems, and that a kinked cable can cause data reflections. Having spent 20 years in data centers where twisted pair was the norm, I’ve always had the impression it was fiber, not twisted pair, that was fragile and hard to terminate. Maybe Greg thinks it’s better that the fiber in an optical cable snaps when slammed in a cabinet door so the problem is permanent not intermittent. I’ll just dress my cables so they can’t slam in the door.

Finally, Greg quotes a no longer available blog post that implied that 10Gbase-T has lower bit error rate specs than optical or DAC connections. I spent some time researching this and found that all 10 gigabit Ethernet PHYs (physical layer implementations) and Fibre Channel have the same worst case BER of 1 in 10^12. My research shows real world BERs of more like 1 in 10^15 in the field. While some Fibre Channel folks have lobbied for higher standards, they’ve never made it into the spec.

When 10 gigabit Ethernet becomes standard on servers, it will almost certainly be 10Gbase-T because 10GBase-T ports can auto-negotiate down to 1GBase-T. Server vendors can sell 10GBase-T servers into data centers that haven’t yet upgraded their network gear but would have a smaller market for SFP+ on the motherboard. Now, if there were 10Gbase-T SFP+ modules like there are for 1GBase-T… but that would just get us into SFP+ checking again.

Disclaimer: I really do believe in fat guys with beards that give my kids presents.


Networking APIs Should Be A Critical Feature

When you are looking at your next network equipment refresh, be sure to take a long, deep look at the APIs the vendors are exporting and importing. Integration features should be near the top of your must-have feature list. I was out on the West Coast two weeks ago for a company meeting, and took an extra day to visit Arista, Juniper and Extreme. My visits reaffirmed what I already knew--speeds, feeds and port densities, while important, shouldn't be the deciding factor in your equipment purchase. Most of you will find that those features are comparable. It's the API and integration points that are differentiators.

While Arista and Juniper like to tout their high capacity and ultra-low-latency networking, the numbers they are tossing around simply don't matter to most organizations. Five microseconds of latency matters only in high-performance computing and financial (trading) segments. It's not that faster isn't better; I just don't think it is a critical decision point for most IT shops. What we are seeing is increasing integration of network equipment with other systems for automation, such as virtual machine moves/adds/deletes, and orchestration, such as deploying an entire application including the networking, storage, servers, operating system and software in one swoop.

SNMP and CLI screen scrapes aren't going to cut it for automation and orchestration. SNMP, even if it were a reliable protocol, doesn't have the access to many of the core switch and router configuration functions needed to automate actions. CLI emulation using something like Expect scripts is OK in some cases, but if you have ever had to maintain them during software upgrades (I have), you will find that they become very brittle over time unless you have a rock-solid testing methodology in place (I didn't). Even SDKs--libraries of language-specific code such as Junos SDK--are losing favor with ISVs and enterprises because they typically limit the languages that applications can be built in.

APIs, specifically RESTful APIs, that allow integration via familiar HTTP requests and responses are where networking integration needs to head and is heading. This is something all the vendors are starting to support, and they are in various stages of implementing it. Arista, Juniper and Extreme are all working on RESTful APIs that customers and independent software vendors can use to integrate their software with the switch vendors' equipment. The power of a robust API is that you can easily--and I do mean easily--access data and execute commands using any programming tools you have on hand. It makes integration and maintenance simple and streamlined.

There are three lessons I learned:

  1. 100% coverage is required. Many of the APIs in active development may not have coverage of all the features and functions available at the command line. You need to find out how much coverage they have, and if they don't have 100% coverage, when will they? Coverage is important because you can't predict today what you will need tomorrow. Don't think you will ever need to change a syslog configuration? You probably will at some point, and if you want to automate that, you really want it covered in the API.
  2. Vendors have to use their own API. One of the points Juniper's Mike Harding, VP of engineering, Junos Space Business Unit, made during our talk is that he is pushing Juniper's developers to use their own API versus the SDK for new development. His point being that Juniper's developers are demanding, and any issues with the API can be identified, resolved and updated--benefiting everyone. If a vendor doesn't use its own API for its own integration, why would you?
  3. Don't be afraid to script on the switch. All three vendors I talked with have on-switch scripting, and there are times when you want to automate atomic actions like port configuration--something Extreme did early on with XOS. Both Arista's and Juniper's scripting support lets you use common languages like Python to perform nearly any task you can perform on the command line.

Lastly, I was tickled once again that Arista uses XMPP as a management protocol for multiple switches. XMPP provides multiunit access over SSL with access control and audit logging. It may sound silly at first to IM your switch, but when you see it in action, you get it.

Disclaimer: I traveled on my company's dime. Juniper bought me lunch, for about $9. Arista gave me a paper notebook and pen. Juniper, not to be outdone, took my Arista pen and gave me one of its pens. When Extreme's Shehzad Merchant saw my booty, he bolted from the room, returning with a purple pen. He did not have a purple notebook for me, however.


Roll Your Own Interference Signatures With AirMagnet

Even the best wireless networks can take a beating when RF interference is present. As anyone who has an understanding of Wi-Fi will tell you, interference is the one threat to the WLAN that you can't really do much to prevent from a configuration standpoint. When interference does show up, accurate classification and remediation can be the key to client success or frustration. Fluke Networks has just freshened up its AirMagnet Spectrum XT analysis tool as a leading weapon in the war on interference.

Wireless network admins have a larger problem set to deal with than their wired networking counterparts. Both are on the hook to solve issues for their connected client devices, but the wired-only folk have the luxury of having all of their bits tidily wrapped in the jacket of the UTP that makes up network wiring. The chances of external signals or electrical noise impacting properly installed Category 6 wire are fairly insignificant. But when your data is in the air, and especially when high data rates are in use, the possibility of interference directly impacting network performance is real and easily demonstrated.

An increasing number of wireless access point models have built-in interference detection capabilities, but they typically can't tell you the whole interference story. Their limitations include their fixed locations and limited interference signature detection abilities. Though getting limited interference detection from your access points is beneficial, most environments still benefit from an easily deployed tactical tool that has the benefit of frequent signature updates, like AirMagnet Spectrum XT 3.0.1.

Existing customers of Spectrum XT will appreciate the new capabilities of 3.0.1, while tire-kickers might find the latest feature set to be a differentiator over the likes of Cisco’s Spectrum Expert Wi-Fi tool (which I currently use). Most notable is what Fluke Networks calls “Zero Day Detection” for unknown interferers. While the name might be a little dramatic for what is actually being classified, the fact that new energy patterns can form the basis of custom RF signatures is compelling. Even if you can’t tell what the interference source is, there is certainly value in recognizing repeat unclassified offenders along with those that the tool can identify (like Bluetooth devices and Zigbee clients). In this regard, you may know that a signal is problematic, without necessarily knowing what is making the noise. Spectrum XT lets you define a signature on the fly, so if it comes up again you can realize that multiple devices of the same type are in play in your environment. This can be pivotal in eventually figuring out what you’re up against.

Also progressive for this type of tool, Spectrum XT 3.0.1 can make sense of Meru’s virtual cell architecture. It is not uncommon for wireless tools to only show a single MAC address for an entire Meru environment regardless of how many APs are in use (the virtual MAC), but Spectrum XT 3.0.1 will now show all Meru AP physical addresses.

There are a number of other enhancements to the latest version around reporting, improved multi-pane views, and support for specific Intel 802.11n adapters that may or may not be of interest, depending on the needs of each given environment. I like that Spectrum XT 3.0.1 is USB-based and doesn’t require a PCMCIA slot, which means a lightweight netbook can be used instead of a full-sized laptop. Though I use other AirMagnet products, Spectrum XT 3.0.1 is not yet in my toolbox. But it is on my Christmas wish-list.

Other than being a customer, Lee Badman has no relationship with AirMagnet.


The Cable Conundrum Continues – Vendors Respond

After my initial adventures with 10 gigabit Ethernet cabling, as recounted in The 10 Gigabit Ethernet Cable Conundrum, I realized I needed to research this matter further. I put together a few simple questions about 10 gigabit Ethernet connection technologies and sent them to some leading vendors to see what challenges a system administrator building a multi-vendor network would face in the real world.

To help me figure out the state of inter-vendor support I asked four simple questions:

  • Do your devices support both active and passive DAC cables?
  • Do your devices check the vendor ID on SFP modules and cables?
  • When a device identifies an unsupported vendor ID does it disable the port, post an error to the log and operate or just operate?
  • Do you have a list of tested cables and optics from vendors like Molex, Amphenol, Tyco, Gore, Finisar and JDSU?

    When I drafted my initial email I fully expected that most vendors would either fail to respond or respond with answers that were carefully drafted to make even the most draconian of policies sound like they were created to protect the customer’s interest. Things like “Since converged networks carry mission critical storage data, our customers insist on the highest level of reliability. Were we to enable uncertified components in the data path it could, like crossing the streams of backpack mounted particle accelerators, lead to a reduction in the stability of the time-space continuum and even worse, data loss.”

    Responses ranged from Extreme Networks who said 'yes', 'yes', 'logs a message but works' and 'we’ve tested Molex, Amphenol, Tyco and Gore cables', to lengthier missives from Cisco and HP. My personal favorite was the initial response from Cisco that said “At Cisco, we have a very straightforward view on cables – we’re against them! Specifically, we believe that data centers should deploy as few cables as possible.” A sentiment I can agree with completely.

    The folks from HP made an interesting, and frankly rather depressing, statement saying “Most people believe that because there is an MSA, that a transceiver / DAC is a transceiver / DAC and that they all will equally interoperate. Nothing could be further from the truth. It turns out that there are a lot of little settings in a transceiver that can cause a transceiver to either function properly or fail in a given switch.”

    My friend Greg Ferro commented on my original post saying that he blamed the storage industry, and the historically poor interoperability of Fibre Channel devices, for the whole mess. The Fibre Channel standards, in no small part because they, like most standards, were written by a committee made up mostly of vendor representatives with axes to grind, are loose enough that two compliant products may not interoperate. Of course, the storage industry isn’t the only offender here, as anyone who has tried to set up a multivendor IPsec VPN can attest.

    From where I sit in the user’s chair, a multiple source agreement for components like SFP+ transceivers is just as much an industry standard as RS-232 or Ethernet itself. If the standards are so loose as to require vendor tuning on components like transceivers and cables, the standard is mortally flawed and has more value to the vendors than to the end users. Ethernet vendors have, with the notable exception of first generation auto-negotiation of link speed, managed to build interoperable gear for decades. I’m deeply disappointed that I can no longer assume I can connect any two Ethernet devices with an Ethernet cable and expect them to work.

    As I promised the vendors, I’m posting the full text of their responses to my blog at DeepStorage.net starting at http://deepstorage.net/WP-Save/?p=732.

    Disclaimer: HP is a client of DeepStorage.net, Extreme has provided switch gear over the years for DeepStorage labs.


    Video Powers Latest Riverbed RiOS Release

    Not content with more than half of the WAN optimization market, and more than twice the share of its closest competitor, Riverbed Technology is looking to broaden its lead with a major update to the software that powers its line of Steelhead application acceleration appliances and Steelhead Mobile client software. "RiOS (Riverbed Optimization System) 7 is a big release for us," says Naveen Prabhu, senior product marketing manager. "We're paying a lot of attention to enterprise video."

    The company has added stream splitting for end-to-end video optimization capabilities, UDP optimization for disaster recovery applications and IPv6, ICA over SSL optimization for expanding acceleration and control for virtual desktop environments, and optimization support for additional enterprise applications.

    Despite its dominant position, Riverbed has had its challenges. While crowned by Gartner as a leader in the WAN optimization controller market, last quarter's revenues fell far short of the estimates of $182.86 million and shares fell more than 20% in after-hours trading. In July the company also announced the acquisitions of Zeus Technology (United Kingdom), which provides high-performance application delivery control for virtual and cloud environments, and Aptimize (New Zealand), which provides web content optimization.

    Riverbed's last major RiOS upgrade (6.5), was announced in early February and focused on quality of service. New QoS-related features included Riverbed AppFlow Classification Engine with multiple techniques, including application signature matching, protocol dissection and behavior analysis, latency-aware QoS to prioritize applications and allocate bandwidth based on their sensitivity to latency, and Templated Scalable Management to simplify the process of provisioning QoS into three simple steps, leveraging the Riverbed Central Management Console (CMC), a single Web interface that enables enterprises to configure, monitor, report on and upgrade groups of Steelhead appliances.

    Cindy Borovick, research VP for IDC’s enterprise communications and datacenter networks services, thinks that Riverbed has hit on a number of key trends with this announcement. “At IDC we believe that video has reached a point where the network manager has to 'accept' video. It is not just about allowing employees access out to Internet sites. Video is being used by the enterprise for use cases such as training, executive communications, corporate culture, customer service, marketing launches, communications to customers, partners, and suppliers and/or user-generated content to let experts share knowledge and best practices. As a result Riverbed is right in line with where customer requirements are.”


    The 10Gig Ethernet Cable Conundrum

    As we enter the 10Gbps Ethernet era in the datacenter, we're facing some difficulties regarding cables and optics. While I'm happy all the vendors have settled on SFP+, eliminating the nightmare of figuring out if a given device uses XFP, XENPAK or X2 optics, to make 10gig affordable we're going to have to use copper cables for the 10M or shorter connections within the data center. I just wish that was as easy as grabbing a cable that meets industry standard specs and plugging it in.

    As I brought my Brocade 8000 switch up and started using it, I’ve had a few hiccups that led me to believe things weren’t as simple as I hoped and, frankly, vendors are at fault. 10Gbps twinax Direct Attach Copper (DAC) cables seemed to be the answer. When Brocade so kindly lent me the switch, they provided two Brocade-branded cables and a handful of 10G-SR optics. Not wanting to be a piker, I ordered additional cables from Amphenol Cables On Demand, a major vendor.

    When I tried using said cables, the switch said they were invalid SFPs. A little research showed that Brocade only supports Active DAC (they have a whitepaper) and I bought passive. After all, they were $100 each and the actives $150. I then read the Brocade 8000 FAQ, which said the 8000 only supports Brocade branded SFPs. I read this to mean that if I bought Molex active cables, which by the way are what Brocade sells though Brocade has Molex change the identifier to Brocade, they wouldn’t work either.
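The vendor-ID and active/passive checks described above key on fields in the module's ID EEPROM. As an added example (not code from the original post or from any vendor), this Python code decodes those fields using the SFF-8472 base ID layout and models the three host behaviors asked about in the vendor survey: disable the port, log and operate, or just operate. The policy names, `VENDOR-A`/`VENDOR-B` and the sample image are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class SfpId:
    vendor: str
    part_number: str
    cable: str          # "passive", "active" or "other" (e.g. optical)
    checksum_ok: bool

def parse_a0(eeprom: bytes) -> SfpId:
    """Decode the SFF-8472 A0h base ID fields a host can use to gate a module."""
    if len(eeprom) < 64 or eeprom[0] != 0x03:   # 0x03 = SFP/SFP+ identifier
        raise ValueError("not a 64-byte SFP/SFP+ base ID block")
    tech = eeprom[8]                            # SFP+ cable technology bits
    cable = "active" if tech & 0x08 else "passive" if tech & 0x04 else "other"
    return SfpId(
        vendor=eeprom[20:36].decode("ascii", "replace").rstrip(),
        part_number=eeprom[40:56].decode("ascii", "replace").rstrip(),
        cable=cable,
        checksum_ok=(sum(eeprom[0:63]) & 0xFF) == eeprom[63],   # CC_BASE
    )

def admit(mod: SfpId, allowed_vendors: set, policy: str, active_only: bool = False):
    """Return (port_enabled, log_message) for policy 'disable', 'log' or 'allow'."""
    problems = []
    if not mod.checksum_ok:
        problems.append("bad CC_BASE checksum")
    if mod.vendor not in allowed_vendors:
        problems.append(f"unsupported vendor {mod.vendor!r}")
    if active_only and mod.cable == "passive":
        problems.append("passive DAC not supported")
    if not problems:
        return True, None
    msg = "; ".join(problems)
    if policy == "disable":
        return False, msg                       # port stays down, reason logged
    return True, (msg if policy == "log" else None)

def make_sample(vendor: str, pn: str, tech_bits: int) -> bytes:
    """Constructed EEPROM image for the demo, not a dump from real hardware."""
    b = bytearray(64)
    b[0], b[1], b[2], b[8] = 0x03, 0x04, 0x21, tech_bits   # SFP, copper pigtail
    b[20:36] = vendor.ljust(16).encode("ascii")
    b[40:56] = pn.ljust(16).encode("ascii")
    b[63] = sum(b[0:63]) & 0xFF
    return bytes(b)

if __name__ == "__main__":
    mod = parse_a0(make_sample("VENDOR-B", "DAC-PASSIVE-3M", 0x04))
    print(admit(mod, {"VENDOR-A"}, "disable", active_only=True))
```

The vendor name is a 16-byte ASCII label in the EEPROM, which is why an OEM can ship the same cable under different identifiers.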

    Further research has shown Emulex and QLogic CNAs will make a best effort with whatever you plug into them, but my Intel X520 NIC’s driver crashes if I plug a Brocade optic in it. EMC seems to also enforce cable branding, as blogs indicate you can’t connect an FCoE CLARiiON to a Cisco switch with Cisco’s passive cable. Things have gotten so complicated that vendors like EMC are reduced to building compatibility matrices for their products and the switches and CNAs they OEM from other vendors, like this one created by Erik Smith of EMC.

    If switch vendors enforce using their own cables, building any multi-vendor network will be an expensive proposition. Connecting the Dell, HP or IBM switch built into your blade chassis to your top of row switch might require not a $150 DAC cable but a $300-$1200 optic at each end, plus a $100 OM4 fiber cable.

    Even if vendors' switches complain but send data anyway, as Cisco switches apparently do, users who, like my friend Stephen Foskett, stick to the HCL will be spending thousands of dollars on fiber transceivers that could go to SSDs, server memory and other things that will actually matter. Once they decide to use optics, users will end up with little boxes of spare optics for each of their switches, occasionally delaying projects or repairs to order the right brand optics when they have competitors’ modules in the drawer.

    All of which is even more annoying when you consider that most vendors don’t actually make optics or SFP+ DAC cables. They buy them from OEM vendors like JDSU and Finisar. The ultimate answer may be to live with 10Gbase-T’s higher power consumption and pray vendors can’t figure out a way to identify twisted pair cable by brand.

    Disclaimer: Brocade and Emulex are clients of DeepStorage.net, though that might change after they read this blog post. Intel, QLogic and, frankly, most 10Gbps Ethernet NIC/CNA vendors have provided cards for use in the DeepStorage lab free of charge.
