Although OpenFlow and Software Defined Networking (SDN) are mostly discussed in the context of data centers and carrier networks, the technology may be even more useful for campus networks, especially for improving the security and management of bring-your-own-device (BYOD) programs.
Matt Davy, chief network architect at Indiana University, believes that OpenFlow and SDN can change his 100,000-port network, which has 5,000 wireless access points (APs) and 120,000 users, most of whom want to use personal mobile devices to access the network. Today, deploying security and access policies on it is a nightmare. The campus environment is like a small city, with sports venues, medical laboratories, 15,000 dormitory rooms, restaurants, and water and electricity facilities.
"It is difficult for our network to be grouped by physical space. If I want to place a firewall in the lab, what should I do about the cafe in the lobby?" said Davy. Ideally, "the same group of systems is used and then managed according to security policies", even when the systems are located in different physical spaces. In that model, Davy's team could select security rules based on specific device types.
Davy believes that the network could be transitioned completely to an OpenFlow environment to reach this ideal state. He could then create a "virtual access layer" that maps onto the physical access layer but is managed through a central SDN controller. Davy's team could then build virtual network segments that span components of both the wired and wireless networks, so that an SSID can be assigned to devices of a specific group. This means engineers can control which users or devices reach specific applications on specific network segments. Davy could also steer inbound traffic for a specific device to a given type of monitoring, or tune performance for different classes of device.
No such complete solution exists on the market yet, but Davy is testing the OpenFlow and SDN switches and controllers that are available. He has installed 1,700 OpenFlow-capable HP switches that can run both OpenFlow and traditional switching. In the long run, these switches will help move toward a software-defined campus LAN. However, they cannot yet support a large-scale OpenFlow environment.
In the meantime, Davy's team has been trying out an OpenFlow-based intrusion detection system (IDS) cluster. The system mirrors traffic from each port of the network and routes it to a single place, where an OpenFlow top-of-rack switch load-balances it across a group of about 30 IDS servers. Rather than spending $100,000 to deploy IDS across the entire network, Davy spent $30,000 on this experimental intrusion detection system. The next step is to integrate network access control (NAC) into the system and start using OpenFlow to block traffic.
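The distribution step described above, as an added example that is not code from Indiana University or the original article: a small model of the controller logic that assigns each mirrored flow to one of the IDS servers by hashing the connection's 5-tuple, and emits an OpenFlow-1.0-style flow rule (an empty action list means drop, which is how the NAC blocking step would look). The hash key is made direction-independent so both halves of a TCP session land on the same IDS server; the port numbers and the blocked-host list are constructed sample values.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One mirrored packet's 5-tuple as seen by the top-of-rack switch."""
    src_ip: str
    dst_ip: str
    proto: int      # 6 = TCP, 17 = UDP
    src_port: int
    dst_port: int

# Constructed sample values: switch ports leading to the ~30 IDS servers,
# and hosts that NAC has decided to block outright.
IDS_PORTS = list(range(1, 31))
BLOCKED_HOSTS = {"10.0.5.77"}

def canonical_key(flow: Flow) -> bytes:
    """Order the two endpoints so A->B and B->A hash to the same key,
    otherwise the IDS would see only one direction of a session."""
    a = (flow.src_ip, flow.src_port)
    b = (flow.dst_ip, flow.dst_port)
    lo, hi = sorted([a, b])
    return f"{flow.proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()

def ids_port_for(flow: Flow, ids_ports=IDS_PORTS) -> int:
    """Pick an IDS server deterministically; sha256 avoids Python's
    per-process hash randomisation so rules are stable across restarts."""
    digest = hashlib.sha256(canonical_key(flow)).digest()
    return ids_ports[int.from_bytes(digest[:4], "big") % len(ids_ports)]

def build_flow_mod(flow: Flow, blocked=BLOCKED_HOSTS, ids_ports=IDS_PORTS) -> dict:
    """Return an OpenFlow-1.0-like FLOW_MOD: exact match on the 5-tuple,
    output to the chosen IDS port, or no actions (= drop) for blocked hosts."""
    match = {"nw_src": flow.src_ip, "nw_dst": flow.dst_ip, "nw_proto": flow.proto,
             "tp_src": flow.src_port, "tp_dst": flow.dst_port}
    if flow.src_ip in blocked or flow.dst_ip in blocked:
        return {"match": match, "actions": [], "idle_timeout": 60}
    return {"match": match,
            "actions": [{"type": "OUTPUT", "port": ids_port_for(flow, ids_ports)}],
            "idle_timeout": 60}

if __name__ == "__main__":
    f = Flow("10.0.1.10", "10.0.9.20", 6, 51234, 443)
    print(build_flow_mod(f))
```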
What is driving the use of OpenFlow and SDN on campus LANs?
Steve Brar, global product marketing manager for HP Networking, said at the Open Networking Summit held in April that three factors will drive SDN deployment in the campus LAN: the need for better quality of service (QoS), improved security, and application-driven networks.
Once SDN is deployed, network engineers can replace inflexible physical networks and static policies with a flexible network that can "dynamically allocate quality of service to specific users and different applications".
Brar expects network engineers to use SDN to divide the physical campus network into a series of logical networks, each with its own policies. This environment will change QoS because engineers can more easily prioritize specific applications on these virtual networks to improve performance.
SDN can also help manage BYOD programs, because network administrators will be able to assign access policies based on device type or user group and then optimize specific applications, such as video.
"The wired and wireless user experience is different, but this is not the case in today's technical field," Brar said. "We can avoid this problem through better programmability and more dynamic networks."
The advantages of using SDN and OpenFlow on the campus LAN are clear, but real deployments still depend largely on product and application development, which is a slow and ongoing process.