No one likes to make changes to a complex network, enterprises included. To add or move any device, an IT team must touch multiple switches, routers, firewalls, Web authentication portals, etc. and update ACLs, VLANs, QoS, and other mechanisms using device-level management tools. In addition, network topology, vendor switch model, and software version all must be taken into account. The more tiresome manual work is needed, the greater the risk of small, hard to locate but potentially disruptive errors.
If IT wants to implement a network-wide policy, staff may have to configure thousands of devices and mechanisms. Every time a new virtual machine is brought up, it can take hours, in some cases days, to reconfigure ACLs across the network, for example. This low-level configuration has made it increasingly difficult for network operators to configure networks correctly and on schedule. In a familiar scenario, an IT manager confided recently that a single “finger fumble” on a firewall filter had shut down their data center for one and a half hours (and much of the organization for even longer). Likewise, it’s currently nearly impossible to validate high-level policies. Because even a small change can have a major unintended impact, networks tend to be static, even brittle —which impedes business flexibility and innovation.
As I’ve mentioned before, SDN can facilitate all the network operations, by automating configuration and other routine management tasks now done manually. The goal of SDN is to make networks as programmable and manageable as computers. The OpenFlow® protocol is a major first step toward that goal, allowing for control over network devices in a vendor-agnostic way. The SDN controller exposes the network as a single, logical switch; network administrators can programmatically configure this simplified abstraction rather than having to hand-code tens of thousands of lines of configuration scattered among thousands of devices.
Third parties will deliver SDN control applications over the coming years, but enterprises with savvy IT shops can begin using OpenFlow-enabled switches and controllers today to reduce operational overhead and better control traffic flows. With these SDN technologies, enterprise IT can:
● Reduce configuration overhead and errors: SDN makes it possible for IT to define high-level configuration and policy statements, which are then translated down to the infrastructure via OpenFlow. SDN with OpenFlow® eliminates the need to individually configure network devices each time an end point, service, or application is added or moved, or a policy changes. Enterprises benefit from more dynamic configuration, fewer errors, and improved configuration consistency, which in turn boost network uptime – resulting in fewer beepers in the night for IT.
● Simplify policy creation and distribution: Currently, network policy is entwined with the physical network topology, so if the topology changes--for example a link fails or a mobile user moves--the policy changes. This leads to fragile network policies and static networks. SDN lets IT staff define policies using a high-level policy language which in turn uses OpenFlow® to automatically configure switches and routers with the appropriate filters and other forwarding rules. Enterprises benefit from faster implementation of networking changes to sustain the business and consistent policy enforcement.
● Expand traffic engineering: Enterprise managers know which applications are mission critical to their business and need to be prioritized, and can use SDN and OpenFlow® to prioritize traffic flows, steer particular traffic over specific routes, or otherwise engineer traffic flows across the network to meet business needs. Traffic engineering can be automated based on specified traffic types and network conditions, or quickly implemented for a particular use case.
● Application-aware, user-aware and location-aware networking: Enterprise IT can use OpenFlow® directly to augment the capabilities of a device’s native control plane as well as to implement new functionality. For example, IT can use OpenFlow® to assign a traffic flow to a specific VLAN based on who the user is and what they’re doing. Similarly, IT could use OpenFlow® to implement per-user network access control that applies to a user regardless of where or how they connect to the network.
Because SDN allows IT to modify the network in minutes, rather than hours or days, the network is more dynamic. As a result, IT is better able to keep pace with user requirements and be more responsive to business needs, allowing for more rapid innovation while keeping TCO under control. Industry standard protocols such as OpenFlow® will ensure SDN remains open at every level, giving enterprises the greatest range of capabilities and vendor flexibility, much as they have today with data center servers.
--Dan Pitt
For more information on this, see part one of this two part series on OpenFlow® and the Enterprise.