With Mbit/s and Gbit/s local area networks now commonplace, broadband metropolitan and even broadband wide area networks are in wide use. Whether the network is an intranet, an extranet or a residential intelligent network, the volume of information keeps growing, and with it the demands placed on carrying audio, video, data and other traffic over the same system. The rapid growth of the Internet and of e-commerce, e-government and other forms of online trading speeds up the turnover of goods and capital and accelerates the growth of information, which places a heavy load on the servers of a network information centre and creates a general need to relieve pressure on the network core. The industry therefore began to consider the layer-4 switch to meet the requirements of policy-based networking, advanced QoS (Quality of Service) and other service improvements. The size of this market has drawn significant investment from vendors of key network equipment, so that in a very short time the traditional layer-2 switch was followed by the layer-3 switch and then by layer-4 and even layer-7 switch products.
A layer-4 switch differs from a layer-3 switch in that, besides the IP switching of the layer-3 switch, it works one level higher: it reads the transport-layer header carried inside the IP packet, the TCP/UDP source and destination port numbers, and acts on what it finds there, implementing bandwidth allocation, fault diagnosis and access control over TCP/IP application data streams. A layer-4 switch can therefore optimise the network/server interface, distribute work and balance load to improve server reliability and scalability, and provide detailed traffic statistics and accounting information, addressing congestion, security and management at the level of the network application and making the network more "intelligent" and easier to manage.
Building an internal and external network system that is high-speed, broadband, stable and reliable, and that can integrate new requirements such as security and confidentiality, is the current trend in enterprise network development. High-speed LANs make it easy to carry voice, video and other traffic types that are sensitive to latency, jitter and packet loss on the same data network. The best preventive measure against security threats inside the enterprise network is to control the permissions of different users so that unauthorised communication is prevented rather than merely suspected after the fact. All of this requires the support of a new generation of LAN switches. Looked at from the point of view of service quality, adding bandwidth is an effective and simple remedy, but however high the switch backplane bandwidth, however large the packet forwarding rate and however fast the transmission rate, congestion will always occur somewhere in the network. This tells us that the absence of service quality control means packets may be lost and latency may increase.
It can be seen that switches that work at a higher layer, support quality of service and rely on software-driven, high-level management hold an important position in the modern enterprise network. The following sections briefly introduce the performance, technology, application fields and development trends of the layer-4 switch.
I. What is a layer-4 switch?
To understand the layer-4 switch, one must first understand the basic operating principles and performance of the traditional layer-2 switch and of the now widely used layer-3 switch; only then can the layer-4 switch be placed correctly.
As is well known, a layer-2 switch forwards frames end to end on the basis of the data link layer MAC address, choosing the output port from its MAC address (station) table. That table is built and maintained automatically by the switch, whereas a router, a layer-3 device, forwards on IP addresses using a routing table built by routing protocols. The great advantage of the layer-2 switch is speed: it only has to read the MAC address in the frame, and the algorithm that maps a MAC address directly to an output port is so simple that it is easily implemented in a dedicated ASIC. The layer-2 switching solution is really the cheap "switch everywhere" solution. It can divide subnets, restrict broadcast domains and establish VLANs, but it has little control capability, is not flexible, cannot control the traffic of individual information points, and lacks general and convenient routing functions.
A layer-3 switch forwards packets end to end on the basis of the network layer IP address. On the surface a layer-3 switch is a layer-2 switch combined with a router, but the combination is logical rather than a simple physical one, taking the strengths of each. When the first packet of a flow from a given source is switched at layer 3, the routing system resolves the route and records a mapping between the destination IP address and its MAC address. Subsequent packets of the same flow that enter the switch are forwarded at layer 2 directly from source to destination using the saved mapping and no longer pass through the layer-3 routing process. This removes the delay of route lookup for every packet, raises forwarding efficiency and resolves the speed bottleneck that routers introduce when traffic crosses subnets. The layer-3 switch thus performs both the port switching of a layer-2 switch and some of the routing functions of a router; its switching solution is really a multi-layer, dynamically integrated one. Traditional routers plus layer-2 switches can provide the same integration to some degree, but compared with a layer-3 switch they need more devices, more rack space, more cabling and higher cost, and deliver significantly lower transfer performance, because under heavy load the router in such a design cannot overcome the bottleneck of its routing throughput.
Both layer-2 and layer-3 switches are therefore end-to-end switching processes driven by addresses, MAC or IP. Although such switching greatly improves the data rate between nodes, it cannot decide or dynamically limit the switching process and the data traffic according to the application that the host behind a port is running; it lacks the intelligent, application-aware switching of layer 4. A layer-4 switch not only switches end to end, it also decides or limits switched traffic according to the application characteristics of the host behind a port. Put simply, a layer-4 switch is a switching process based on the transport layer: a new type of LAN switch built around the application switching requirements of TCP/IP applications. It supports TCP and UDP at layer 4 and all the protocols beneath them. It must be able to parse packet headers of at least 80 bytes and uses the TCP/UDP port number to distinguish the application type of each packet, and on that basis enforces application-level access control and quality of service. A layer-4 switch is therefore as much a software network management system as a hardware network device: a switching product centred on software technology and supported by hardware.
It is worth noting that some still hold a vague picture: that a layer-4 switch merely adds recognition of layer-4 protocol ports, as value-added software, to a layer-3 switch; that it does not really work at the transport layer; and that it still switches at layer 3, only with somewhat more awareness. That view denies the key technology and role of layer-4 switching. The 802.1p field of a layer-2 frame and the IP ToS field of a layer-3 packet can be used to distinguish the priority a packet already carries. When we say a layer-4 switch switches on layer-4 information, we mean that it analyses the application type of a packet from the layer-4 TCP/UDP port numbers; that is, it has all the switching functions and performance of a layer-3 switch and in addition the intelligence to control network traffic and service quality in ways a layer-3 switch cannot.
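The following Python example is added here and is not part of the original article. It parses a constructed Ethernet/IPv4/TCP-or-UDP frame just far enough to read the transport-layer port numbers that a layer-4 switch acts on (a layer-2 switch stops at the MAC address, a layer-3 switch at the IP address), names the application from the port, and then applies a first-match access list over source subnet, destination subnet, protocol and destination port, which is the packet-filtering use described under section II. The port-to-application table, the ACL rules and the addresses are assumptions for illustration.

```python
"""Layer-4 classification and port-based filtering of raw frames.

Added example, not code from the original article: it parses constructed
Ethernet II / IPv4 / TCP-or-UDP frames far enough to recover the
transport-layer ports, classifies the flow by well-known port, and runs a
first-match ACL over it. The port table and ACL are illustrative assumptions.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Illustrative mapping of well-known ports to the applications the text names.
PORT_APPS = {21: "FTP", 23: "telnet", 80: "HTTP", 161: "SNMP", 443: "SSL"}


@dataclass(frozen=True)
class Flow:
    proto: str        # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_frame(frame: bytes) -> Flow:
    """Decode Ethernet II + IPv4 + TCP/UDP headers into a 5-tuple."""
    if len(frame) < 14 + 20 + 4:
        raise ValueError("frame too short for Ethernet+IPv4+transport headers")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl + 4:
        raise ValueError("malformed IPv4 header")
    proto = {6: "TCP", 17: "UDP"}.get(ip[9])   # byte 9 is the IP protocol field
    if proto is None:
        raise ValueError(f"unsupported IP protocol {ip[9]}")
    # The ports are the first four bytes of both the TCP and the UDP header.
    src_port, dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    return Flow(proto, str(ipaddress.IPv4Address(ip[12:16])), src_port,
                str(ipaddress.IPv4Address(ip[16:20])), dst_port)


def classify(flow: Flow) -> str:
    """Name the application by destination port, falling back to source port."""
    return PORT_APPS.get(flow.dst_port, PORT_APPS.get(flow.src_port, "unknown"))


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: str                        # source CIDR
    dst: str                        # destination CIDR
    proto: Optional[str] = None     # None matches TCP and UDP
    dst_port: Optional[int] = None  # None matches any destination port

    def matches(self, flow: Flow) -> bool:
        return (ipaddress.IPv4Address(flow.src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.IPv4Address(flow.dst_ip) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == flow.proto)
                and (self.dst_port is None or self.dst_port == flow.dst_port))


def filter_flow(acl: List[Rule], flow: Flow) -> str:
    """First-match evaluation with an implicit deny, as on a filtering router."""
    for rule in acl:
        if rule.matches(flow):
            return rule.action
    return "deny"


def build_frame(proto: str, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> bytes:
    """Construct a minimal test frame (checksums left zero; enough for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    l4 = struct.pack("!HH", src_port, dst_port) + b"\x00" * 16
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                     6 if proto == "TCP" else 17, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + l4


# Illustrative policy: the 10.1.1.0/24 user subnet may reach the 192.0.2.0/24
# server farm on HTTP only, the 10.1.9.0/24 management subnet may poll it with
# SNMP, and everything else falls through to the implicit deny.
ACL = [
    Rule("permit", "10.1.1.0/24", "192.0.2.0/24", "TCP", 80),
    Rule("deny",   "10.1.1.0/24", "192.0.2.0/24", "TCP", 23),
    Rule("permit", "10.1.9.0/24", "192.0.2.0/24", "UDP", 161),
]


def decide(frame: bytes, acl: List[Rule] = ACL) -> Tuple[str, str]:
    """Return (application name, ACL action) for one raw frame."""
    flow = parse_frame(frame)
    return classify(flow), filter_flow(acl, flow)
```

Note that the classification is only as trustworthy as the port convention: a service listening on a non-standard port, or an attacker tunnelling over port 80, is invisible to this kind of inspection, which is exactly the limitation that the content-aware (layer-7) switching of section IV sets out to address.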
II. What are the important technologies supported by layer-4 switches?
As noted above, a layer-2 switch relies on the MAC address and the 802.1Q VLAN tag to complete link layer switching, a layer-3 switch or router uses IP address information for path selection, and a layer-4 switch uses the transport layer header to direct the exchange and transmission of information. The information a layer-4 switch acts on is, in essence, the protocol or process carried in each IP packet: HTTP for Web traffic, FTP for file transfer, telnet for terminal sessions, SSL for secure communication, and so on. In an IP network the layer-4 protocols are in practice TCP, for connection-oriented sessions such as FTP, and UDP, for connectionless communication such as SNMP.
Because the TCP and UDP headers carry the port number field, and the port number is tied to a specific application, the header effectively identifies the kind of application data being transported, and this information can be used to deliver a wide range of quality-of-service functions for data transmission and switching. Five application technologies deserve particular attention, because they are the ones most widely used by layer-4 switches.
(1) Packet filtering/security control: on most routers, defining filtering rules from layer-4 information has become the standard, which is why many routers serve as packet-filtering firewalls that not only permit or deny connections between IP subnets but also control communication between specified TCP and UDP ports. What distinguishes layer-4 switching from a traditional software-based router, and from layer-3 switching, is that this filtering is implemented in dedicated high-speed ASICs, so the security filtering mechanism runs at line rate and the packet filtering rate is greatly increased.
(2) Quality of service: in the layered network model, layer-4 TCP/UDP information is the natural place to establish application-level communication priorities. Without layer-4 switching, quality or class of service can only be based on what layers 2 and 3 provide: MAC address, switch port, IP subnet or VLAN. Prioritising urgent applications is then not possible, for lack of layer-4 information, which greatly hinders their rapid transmission. A layer-4 switch allows priorities to be distinguished by the combination of destination address and destination port number, so that an urgent application can obtain a higher class of service from the network.
(3) Server load balancing: layer-4 information is crucial when several servers with the same content must share the traffic load, so server load balancing is an important application of layer-4 switches in the core of the network. The method a layer-4 switch supports is to attach one load-balancing IP address to a group of different physical servers that together provide the same service and to define the group as a single virtual server. That virtual server is a logical server with its own IP address. Client traffic is addressed only to the virtual server's IP address, never directly to the real IP address of a physical server; only after the switch performs network address translation (NAT) is the real server, which need not have a publicly registered IP address, reached. A further advantage of defining a virtual server this way is that hiding the real address of the server effectively prevents unauthorised direct access.
The virtual server is defined by the layer-4 TCP/UDP port number of the application service, so that an individual server can be a member of the virtual server for that service. Using layer-4 session information, the layer-4 switch can apply many load balancing methods to distribute traffic across the virtual server group, and it can run OSPF, RIP, VRRP and other protocols while switching and balancing at line rate. The switch can also use the mechanism of Transaction Rate Limiting (TRL) to throttle or refuse services of particular application types according to their traffic characteristics; Connection Rate Limiting (CRL) lets the administrator specify how many connections are allowed in a given period, to protect QoS; and a SYN-Guard function ensures that only valid connections that complete the TCP handshake reach the network services.
(4) Hot standby (host backup) connection: the host backup connection provides redundant connections for the attached devices, protecting the system if a switch fails. The service allows a master and a backup switch to be defined with the same configuration parameters, in the same way as a virtual server. Because the two layer-4 switches share the same MAC address, the backup switch receives the same data as the master, which lets it monitor the traffic the master is serving. The master continuously informs the backup of its layer-4 session data, MAC data and power status, so that when the master fails the backup takes over automatically without interrupting any session or connection.
(5) Statistics: a layer-4 switch provides more detailed statistics by inspecting layer-4 packets. The administrator can collect finer information about which IP addresses communicate with which, and even which application-layer service each conversation involves. When a server supports several services, these statistics are particularly useful for examining the load each application places on the server. The added statistics are also useful for load-balanced connections through the switch.
III. Application analysis of layer-4 switches
Layer-4 switches can be used flexibly in the network: as an aggregation device in the network centre, as an edge access device in the LAN distribution layer, or even at workgroup level switching to the desktop. In particular, a workgroup-level layer-4 switch, often thought of as the weakest, can not only deliver end-to-end quality of service across the network but also perform recognition at the network edge and mark the priority of packets, for example with 802.1p and IP DiffServ. For congestion control, congestion avoidance and traffic shaping, some layer-3 switches support queue-based congestion control and 802.3x flow control, but layer-4 switches also support queuing and policing mechanisms such as WRR, WRED, RED and CAR, which are widely used on routers and rarely found on layer-3 switches.
In service quality control the layer-4 switch is a large step beyond the layer-2 switch. In priority handling, for instance, the earlier generation of Gigabit access switches supported only two queues per 100 Mbit/s port, whereas the next generation of intelligent edge layer-4 switches supports four. In QoS classification and identification, a layer-2 switch supports 802.1p and can set priority by port, MAC address and VLAN ID; a layer-3 switch can additionally use IP address information, recognise the IP DiffServ field and rewrite it; but a layer-4 switch can also recognise port numbers and deliver service according to a policy built on that priority information.
In traditional user access systems, a distributed e-mail system usually achieves load sharing with a front-end proxy, DNS round robin or layer-4 switching. Layer-4 switching is the most efficient, and a layer-4 switch using Gigabit Ethernet can greatly improve system efficiency; the mail system is therefore an important application of the layer-4 switch in Internet, intranet and extranet systems.
In an enterprise network application supported by a server group it is often necessary to provide robust connections for critical services, and here the layer-4 switch becomes the key device. A layer-4 switch serving a server group enhances the networking capability in the following ways.
(1) Improved security: the packet filter of a layer-4 switch can provide protection for the networks and servers under its control, handling unauthorised access to specific applications from a specific IP address or subnet. The filter can forbid a particular group of users or subnet from reaching a server, or, conversely, grant a group of users or a subnet access.
(2) Better quality of service for critical tasks: to give HTTP-based applications a higher service level than the other services a server cluster supports, the priority of communication can be defined at the application layer. All data sent to the server with the HTTP destination port then receives a higher priority than data sent to the server's other ports. Since layer-4 switches are now available for both the edge and the core of the network, they can be used throughout the network to give high-level service to Web-traffic-based servers.
(3) Optimal access capability: server load balancing distributes Web traffic to each server fairly according to demand; a server with higher performance can accept more sessions, and the number of sessions served by a particular server can be limited. To achieve this, a virtual server group containing several servers is defined and the load balancing ratio set on it. These are capabilities unique to the layer-4 switch.
(4) Enhanced network scalability: the hot standby feature of layer-4 switches improves the scalability of a server cluster. With the servers dual-homed to two switches of equal status, sharing a common IP address and MAC address, the secondary switch can take over immediately if the primary fails, because it continuously tracks the primary's state.
(5) Statistics: administrators can use the statistics supported by layer-4 switches to obtain more management information about the data in the server group. They can track not only data between server and client but also the activity of application services, server activity and the number of open sessions, which enhances network management.
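The following Python model is added here and is not code from the original article or from any vendor. It illustrates the virtual server described under (3) in section II and the weighted distribution described under (3) above: a VIP fronts a group of real servers, new connections are assigned by weighted least connections (a server with higher weight accepts proportionally more sessions), the client-to-server translation is recorded so that forwarded packets carry the real address and replies carry the VIP again, and a per-window connection-rate limit (the CRL function) refuses new sessions beyond a configured count. Addresses, weights and limits are constructed for illustration; the SYN-Guard handshake check is not modelled.

```python
"""Virtual server with weighted least-connections balancing, NAT-style
translation and connection rate limiting.

Added example, not code from the original article or any vendor: a
minimal model of a layer-4 switch in front of a server group.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip, port)


@dataclass
class RealServer:
    ip: str
    port: int
    weight: int = 1       # relative capacity; higher takes more sessions
    active: int = 0       # open sessions currently bound to this member


class VirtualServer:
    """One VIP:port fronting a group of real servers."""

    def __init__(self, vip: str, vport: int, members: List[RealServer],
                 max_new_per_window: int = 1000, window: float = 1.0):
        self.vip, self.vport = vip, vport
        self.members = members
        self.max_new = max_new_per_window          # connection-rate limit
        self.window = window                       # seconds
        self.recent: Deque[float] = deque()        # times of accepted connections
        self.nat: Dict[Endpoint, RealServer] = {}  # client -> chosen member

    def _pick(self) -> RealServer:
        # Weighted least connections: lowest active/weight ratio wins;
        # ties go to the earliest member in the list.
        return min(self.members, key=lambda m: m.active / m.weight)

    def _rate_ok(self, now: float) -> bool:
        while self.recent and now - self.recent[0] >= self.window:
            self.recent.popleft()
        return len(self.recent) < self.max_new

    def new_connection(self, client: Endpoint, now: float) -> Optional[Endpoint]:
        """Handle a client SYN to the VIP: enforce the rate limit, choose a
        member and record the translation. Returns the real (ip, port) the
        packet is forwarded to, or None if the connection is refused."""
        if client in self.nat:                       # retransmitted SYN
            return (self.nat[client].ip, self.nat[client].port)
        if not self._rate_ok(now):
            return None
        member = self._pick()
        member.active += 1
        self.recent.append(now)
        self.nat[client] = member
        return (member.ip, member.port)

    def forward(self, client: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Rewrite the destination of a client-to-VIP packet mid-session."""
        if dst != (self.vip, self.vport) or client not in self.nat:
            return None
        m = self.nat[client]
        return (m.ip, m.port)

    def reverse(self, client: Endpoint) -> Optional[Endpoint]:
        """Rewrite the source of a server reply back to the VIP, so the
        real server address is never exposed to the client."""
        return (self.vip, self.vport) if client in self.nat else None

    def close(self, client: Endpoint) -> None:
        """Session ended: drop the translation and release the member."""
        member = self.nat.pop(client, None)
        if member is not None:
            member.active -= 1

    def load(self) -> List[int]:
        return [m.active for m in self.members]
```

The rate limit is the part a practitioner should look at most carefully: a limit on new connections per window protects the real servers from a connection flood, but if it is the only defence an attacker can exhaust the window with half-open connections and lock out legitimate clients, which is why the text pairs it with a handshake check such as SYN-Guard.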
IV. Development trend of higher-layer switches
The "content-aware network" that the IT industry has long pursued is in fact network management that extends from the transport layer to the application layer, from layer 4 to layer 7. A switch that can open each layer of encapsulation of every packet and recognise the innermost information has content recognition capability. This is clearly the way for higher-layer switches to realise their potential: distinguishing applications, dynamic resource allocation, user billing and the other top-level applications for which people hope the network itself can recognise and distribute business traffic. The first such network management systems on the market were content recognition devices implemented in software. Although they did not achieve the expected results, they laid a solid technical foundation for higher-layer application switches built on silicon hardware. That technology is still under development, but it does address the hard problem of layer-4 to layer-7 switch performance.
At present three kinds of device implement the content-aware network in software: devices built on the PC platform, layer-3 switches with general-purpose CPUs, and systems based on network processors. If only simple traffic switching is required, their performance is acceptable to users, but such simple network management functions do not let the administrator tune the network for profitable application management. The heart of the problem is that the information needed for those functions is buried inside the packet and appears only once, when a network session is established, so a software-based content recognition device has to peek inside every packet of every session, with serious latency and performance degradation. Software-based content recognition relying on general-purpose CPUs or network processors therefore cannot muster the computing capacity to complete the switching task in anything close to real time, and quickly becomes a new bottleneck.
In the development of higher-layer switching equipment another application technology is worth noting: Extreme Networks' Application Switching technology. It is a new technology built on PxSilicon, a chipset of unique and superior performance, the silicon technology mentioned above. Compared with traditional software-based approaches, PxSilicon delivers performance several orders of magnitude higher, because a software implementation of content recognition can only combine complex software with a general-purpose CPU or network processor to complete the same load balancing task. With the application switching technology, network functions including line-rate Gigabit TCP session analysis, termination, initiation and even modification are all implemented in hardware, removing the need for complex software, general-purpose CPUs and network processors.
Moving intelligent network management from software into silicon is not a new idea; the shift from the software-based routers of the late 1990s to the ASIC-based layer-4 switches being promoted today is proof enough. When network technology is integrated into silicon, performance rises significantly and the total cost of ownership falls. The result is that service providers and enterprise users can freely set the rules their network applications and services require without sacrificing Gigabit performance.
The first platform to use this hardware silicon technology is the Extreme SummitPx1 application switch. Structurally and functionally the SummitPx1 is a layer-7 switch with a full set of layer-7 application-layer switching functions: it parses the syntax of Web page requests and redirects connections to the most suitable Web server according to the requested content and the servers' capabilities. On the SummitPx1, no matter how many content-based forwarding rules are configured, the device maintains line-rate Gigabit performance. Its server selection algorithms include round robin, weighted round robin, least connections and weighted least connections; it can also track client IP addresses, set cookies to carry client state, automatically detect and track cookies and process cookies for server recognition, and supports persistent SSL (Secure Sockets Layer) session IDs and other new techniques.
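The following Python example is added here and is neither code from the original article nor an implementation of the SummitPx1 or any other product. It shows the two layer-7 behaviours described above in their simplest form: parsing the request line and headers of an HTTP/1.x request, choosing a server pool by URL prefix with round robin inside the pool, and pinning later requests to the same server with a cookie the switch inserts. Pool names, server names and the cookie name are assumptions for illustration.

```python
"""Content-aware (layer-7) request routing with cookie persistence.

Added example, not code from the original article or any vendor product.
"""
from typing import Dict, List, Optional, Tuple

COOKIE_NAME = "SRVID"   # assumed name of the persistence cookie


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Return (method, path, headers) from the head of an HTTP/1.x request."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return parts[0], parts[1], headers


def parse_cookies(header: str) -> Dict[str, str]:
    """Split a Cookie header value into name/value pairs."""
    cookies: Dict[str, str] = {}
    for item in header.split(";"):
        name, sep, value = item.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


class ContentSwitch:
    def __init__(self, rules: List[Tuple[str, List[str]]]):
        # rules: (path prefix, servers); first matching prefix wins, so the
        # most specific prefixes go first and "/" last as the default pool.
        self.rules = rules
        self.all_servers = {s for _, pool in rules for s in pool}
        self.rr: Dict[str, int] = {prefix: 0 for prefix, _ in rules}

    def _pool_for(self, path: str) -> Tuple[str, List[str]]:
        for prefix, pool in self.rules:
            if path.startswith(prefix):
                return prefix, pool
        raise LookupError("no rule matches and no default rule configured")

    def route(self, raw: bytes) -> Tuple[str, Optional[str]]:
        """Return (server, Set-Cookie header value or None) for one request."""
        _method, path, headers = parse_request(raw)
        sticky = parse_cookies(headers.get("cookie", "")).get(COOKIE_NAME)
        # The cookie is client-controlled input: only honour it if it names a
        # configured member, otherwise a client could steer itself anywhere.
        if sticky in self.all_servers:
            return sticky, None
        prefix, pool = self._pool_for(path)
        server = pool[self.rr[prefix] % len(pool)]
        self.rr[prefix] += 1
        # Tell the client which member it landed on so later requests stick.
        return server, f"{COOKIE_NAME}={server}; Path=/; HttpOnly"
```

Because the switch has to read the request line, the headers and the cookie before it can choose a server, it must terminate or at least buffer the client's TCP session up to the end of the headers for every new request; that per-request parsing is the work the text says software-based content switches cannot sustain at line rate and that the hardware approach moves into silicon.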
In short, the momentum behind higher-layer switches will only grow. The result will be that today's software-based higher-layer switching is replaced by dedicated hardware, or by new technologies that combine hardware and software. Future higher-layer switches will be oriented to the OSI seven-layer model and will consolidate what are now discrete network devices, which not only greatly improves the distribution, transmission and switching capability and speed of the network but also reduces equipment cost, simplifies network management and streamlines networking; the layer-7 application layer will play an important part in the management and control functions of the higher-layer switch.