LAN switches are still commonly used, so I studied the problems encountered in the development of LAN switches. I would like to share them with you here, hoping they help you. Traditional LAN switches are preparing for a major improvement, and the focus of that improvement is clearly intelligence rather than aesthetics. The next-generation switch not only provides embedded security functions, such as firewall, IDS, IPS, and SSL VPN, but also performs various application optimization tasks, such as Web application acceleration, server load balancing/caching, and WAN optimization. The real question for IT managers is how to integrate these features.
When can such products be obtained? And the cost cannot be too high. Joel Conover, chief infrastructure analyst at Current Analysis, said, "The real next-generation LAN switch will not be available next year. You can regard it as a module, but it will not appear in all LAN switches. This type of switch is too expensive, the processor is too sensitive, and the purpose is too simple." He also said that in the next two to three years, some real changes will begin to enter the next-generation switch platform. There is likely to be a new generation of line cards, and many security processing technologies (such as deep packet inspection) will be migrated directly to these line cards.
With the data flow
Many vendors have their own names for the "deeper understanding" feature of next-generation devices: 3Com calls it a control blade, Cisco calls it an application-aware network, Juniper calls it "application fluency", and Enterasys calls it a content network. Regardless of the name, the underlying idea is the same: the manufacturers are trying to give the switch better capabilities, so that it can not only check and forward individual packets as appropriate, but also inspect entire application streams or packet streams, take appropriate actions on these streams, and use this capability to achieve better security and application performance.
"In the future, LAN switches and routers can perceive session streams, not just a single packet," said John Roese, chief technology officer of Enterasys. "They focus not only on the quality of such data packets, but also on whether the sequence of such data packets is suitable for the total session. In case of exceptions, they can take corrective actions accordingly."
Device integration is meaningful
This series of new features falls into two different categories, security and application optimization, both of which are now addressed by dedicated appliances in their respective fields. The problem is that these devices are often purchased by different departments of the user: server departments purchase server load balancers or Web accelerators, security departments purchase firewalls and intrusion monitoring systems, and network departments purchase virtual private networks. "Someone may install a compression drive on the Web server, but what if a similar service runs on the LAN switch? These two devices will eventually conflict with each other," said Abner Germanow, IDC's enterprise network project manager. This situation may lead to "political" conflicts unrelated to technology.
Too many devices may also cause serious management problems, especially in remote branch offices, where there may simply be too many boxes to look after. From both a management and a technical point of view, it makes sense to merge these devices into a switch or a few devices.
Performance concerns
However, integrating all these functions into a switch also affects performance. "This will definitely impact performance," said Doug Gourley, Cisco's marketing director. "In fact, we need to face the following question: do you want to create the world's lowest-performance, most messy line card service? Or do you want to create something that only has the original speed and density and does not provide any service? Or do we want to strike a balance between the two? But where to start is another problem."
Cisco provides users with flexible options. Users can maintain high network performance at the network core, without adding more network services, while at the network edge applications, services, firewalls, and other functions can all be implemented, solving the problem of having abundant service capabilities while maintaining satisfactory performance. Because the Cisco switch uses the same basic platform and service modules, you can configure it according to the required changes, whether at the core layer, distribution layer, or wiring closet.
This method is based on a blade suited to the bottom layer of LAN switches, rather than on the existing embedded technology. In the future, Cisco hopes to bring technologies such as IDS/IPS and deep packet inspection to this line card. "This is our goal," Gourley said. "If we consider the security of data centers, people will deploy firewalls, server load balancer devices, and SSL termination devices. In the past, there may have been a series of related modules, and users had to configure them so that they could interoperate and in the order that fit; in this way, it becomes more like a line card to be fully utilized to provide multi-service capabilities."
Cisco also believes that these services will become generic and integrated into devices. Deep packet inspection may be a good example: it enables LAN switches to check HTTP headers and XML patterns and route traffic accordingly. This is what Cisco wants to do with its application-oriented network (AON) technology. "However, the application-oriented network is more coupled by an order of magnitude than the security elements we will see in the next-generation switch," said Conover of Current Analysis.
Diverse methods
Other vendors adopt different methods to solve the cost-effectiveness problem. For example, Enterasys is directly integrating its Dragon IDS/IPS and network-based anomaly detection technology into its N Series LAN switches, which became available early this year. The LAN switch first determines whether the traffic is suspicious and only sends packets that require in-depth inspection to the embedded engine, rather than passing all network traffic through it. This is only a temporary measure until the next generation of silicon makes deep packet inspection of all traffic more cost-effective and practical.
Enterasys includes an accelerator card concept in the N Series, which essentially allows the system to redirect specific traffic that exceeds a specified threshold to the deep packet inspection engine, a device that can run IDS, IPS, and network-based anomaly detection. This is achieved through policies that take into account a variety of factors, including identity, role, and location in the organization. Only when something in the traffic exceeds the configured limit is it redirected to the IDS/IPS.
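The two-tier scheme described above, as an added illustration that is not Enterasys code or configuration: flows are aggregated on the switch, compared against limits keyed by role and location, and only flows that exceed a limit are marked for redirection to the deep-inspection engine. The roles, thresholds and packet records are constructed for the example.

```python
"""Two-tier inspection: cheap per-flow checks decide which flows stay on the
fast path and which are redirected to a deep-inspection (IDS/IPS) engine.
Hypothetical policy and constructed traffic; not any vendor's configuration."""
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Packet:            # constructed record of what the switch already knows
    src: str             # source identity (assumed resolved by the switch)
    role: str            # role assigned by policy, e.g. "guest" or "server"
    location: str        # attachment point, e.g. "branch" or "dc"
    dst_port: int
    size: int

@dataclass
class FlowStats:
    bytes: int = 0
    ports: set = field(default_factory=set)

# Hypothetical limits keyed by (role, location). A flow that exceeds any limit
# is redirected to IDS/IPS; everything else is forwarded without deep inspection.
POLICY = {
    ("guest", "branch"): {"max_ports": 5, "max_bytes": 200_000},
    ("server", "dc"):    {"max_ports": 50, "max_bytes": 50_000_000},
}
DEFAULT_LIMITS = {"max_ports": 10, "max_bytes": 1_000_000}

def classify(packets):
    """Aggregate packets per source flow; return {src: "fast" | "redirect"}."""
    flows, context = defaultdict(FlowStats), {}
    for p in packets:
        flows[p.src].bytes += p.size
        flows[p.src].ports.add(p.dst_port)
        context[p.src] = (p.role, p.location)
    verdicts = {}
    for src, f in flows.items():
        limits = POLICY.get(context[src], DEFAULT_LIMITS)
        over = len(f.ports) > limits["max_ports"] or f.bytes > limits["max_bytes"]
        verdicts[src] = "redirect" if over else "fast"
    return verdicts

# Constructed traffic: a branch guest touching eight ports, a data-center server
# moving 1.4 MB on a single port.
SAMPLE = ([Packet("10.0.1.5", "guest", "branch", port, 60) for port in range(20, 28)]
          + [Packet("10.0.2.9", "server", "dc", 443, 1400) for _ in range(1000)])

if __name__ == "__main__":
    print(classify(SAMPLE))  # {'10.0.1.5': 'redirect', '10.0.2.9': 'fast'}
```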