Cisco Turns Routers Into Linux App Servers

symbolset writes "InternetNews is reporting that Cisco's new Application eXtension Platform turns several models of Cisco switches into Linux application servers. With certified libraries in C, Java and Perl, developers will be able to use a downloadable SDK to build their apps. The AXP server is just another module in a Cisco switch running Cisco's own derivation of a modern Linux distro (Kernel 2.6.x) specifically hardened to run on that particular hardware. Modules will include up to 1.4-GHz Intel Pentiums with 2 GB RAM and a 160 GB hard drive."

Cue the beowulf cluster jokes

[symbolset]

Yes, it runs linux.

Yes, I know they're switches, not routers.

Now... anybody got any interesting applications for this?

Re:Cue the beowulf cluster jokes

Imagine a baowulf cluster of these...

Re:Cue the beowulf cluster jokes

[unforkable]

Applications? Just imagine a single "appliance" integrating switching features with (for example) asterisk soft pbx, apache for web-based management, iptables and snort for security... I mean this is just an example... the power of linux is in its adapdability to (almost) all situations and needs.

Re:Cue the beowulf cluster jokes

Well Cisco has a broad portfolio of PBX, management, firewall and IDS/IPS products, so I bet they're not in need of Asterisk, Apache, Iptables or Snort.

Re:Cue the beowulf cluster jokes

[arivanov]

The power of linux is mostly irrelevant here. OK, fine, a blade, and so what? It is more expensive than most 1U servers out there.

Now the power of having an API into the Cisco hardware and software is a completely different story. That may be something that is really interesting. It will allow moving many tasks that are now exclusive to big closed and expensive OSS systems to the frontline where they really belong.

By the way, this has been long coming. The first time I heard about this was circa 2003. Nice to see it finally making the light of day.

Re:Cue the beowulf cluster jokes

[klapaucjusz]

Now... anybody got any interesting applications for this?

Enhancing Cisco's bottom line?

See, there's a lot of network engineers that are trained to mindlessly buy from Cisco whatever the cost. Right now, they're buying switches and routers from Cisco, but application servers from other suppliers. If Cisco starts making servers, they will buy the servers from Cisco, no matter whether they are twice as expensive as the same hardware from Dell.

Re:Cue the beowulf cluster jokes

[Constantine+XVI]

Imagine using one to netboot/control a bunch of machines for a Beowulf cluster

Re:Cue the beowulf cluster jokes

[witherstaff]

It could be a way to cheaply implement openCALEA. Of course, openCALEA would need to be a complete solution too. Realtime, remote packet sniffing in a wacky protocol. The cheapest units I've seen that fully meet the requirements are 5 - 10K.

With anything that falls under an "ISP" label needing to be CALEA compliant there is a huge need - even if you're just a small coffee shop that wants to give a WIFI hotspot you need to be compliant.

Ok so

[aztektum]

I've read the marketing release. Now I ask /.

What can you do with this?

Re:Ok so

Imagine a Beowulf cluster of Cisco Linux cards. It would be like a blade computer chassis, only 10 times more expensive. Bravo! My IT department will surely love this.

AXP environment require an authorization key

check this out

Q. How does one develop an application for the AXP service module?

A. Both existing and newly developed applications must be ported to the AXP runtime environment by packaging them using the AXP SDK, which ships with the AXP hardware and software. The SDK package tool creates installation packages that can be loaded on the AXP blade. AXP developers are authorized by Cisco using the AXP Development Partner Program and require an authorization key in order to perform packaging of software.

http://www.cisco.com/en/US/prod/collateral/routers/ps9701/qa_c67_463943.html

Re:AXP environment require an authorization key

[IdleTime]

Time until first 419-scam server is loaded after the first one is placed on the net: less than 42 seconds...

Re:AXP environment require an authorization key

I love context. Now consider how similar the terms of this are to say the iPhone SDK. People are in an uproar about that because it's a phone. Maybe google will open on switches for the masses? Thought not.

oops

[symbolset]

Yes, I know they're switches, not routers.

That was routers, not switches.

Err in haste, repent at leisure.

Re:oops

[alex4u2nv]

Actually neither routers, nor switches: a hybrid application server that routes traffic or vice versa.

NSLU2 is cool

[bcrowell]

Another Cisco gadget that's cool as a cheap linux box is the NSLU2. For $80, you get a pretty full-featured Linux system. It's the size of a paperback, and draws a negligible amount of power. I use mine as a music server. There's a very lively and helpful user community on IRC. There are various options for modifying or replacing the system it ships with to get a more general-purpose linux box, running off of an external flash drive.

Re:NSLU2 is cool

Don't get fooled into thinking an NSLU2 is going to replace your Linux server though. Mine barely manages to serve up files via SMB, much less run anything even remotely CPU or memory intensive (the thing only has 16 megs of RAM). File transfer performance is absolutely abysmal... less than 10 Mbps. Fine if this was 1993, but I expect at least 500 Mbps out of my NAS devices in this day and age.

router, not switch

This allows apps to run on a module plugged into a Cisco _router_ , not a switch.

Before we get too excited

[symbolset]

It might be interesting to read the data sheet.

10/100/1000 Gigabit Ethernet connectivity to router backplane

meh.

Re:Before we get too excited

[LarsG]

Yeah, backplane is kinda bummer.

As generic blade it looks like fail. Only one OS supported, probably expensive, Cisco license needed to build application packages.

Could be useful for making network appliances. Datasheet mentions IOS integration.

Re:Before we get too excited

[BridgeBum]

Yeah - it would be much more exciting if they came out with something similar for their 6500 series switches with a big backplane. The ISR routers are intended for branch offices, they aren't big power houses.

Re:Before we get too excited

[aproposofwhat]

Given the proposed specs of these (1.4 GHz processor, 160GB HDD, 2GB RAM), I doubt whether the app server could benefit from direct backplane connection.

Now if they were to stick a Niagra on one of these babies, then I could see a massively multithreaded application benefiting, but that isn't likely to happen anytime soon.

Re:Before we get too excited

[anss123]

A Niagra is a wee bit more costly than an old Pentium. Doubt we'll ever see server oriented chips in office routers - app server or not.

What I want from Cisco

[Midnight+Thunder]

Great and I applaud them for doing something truly nerdy. What I am still waiting for is proper for a CISCO VPN client that works well under Linux and MacOS X, and not just Windows. It is irritating to enable firewall requirements, only to find that the only version that supports it is CISCO VPN Client for Windows.

Rant over, now you may mod me down.

Re:What I want from Cisco

[zx-15]

vpnc works pretty good under linux

Re:What I want from Cisco

[caseih]

The open source vpnc works pretty well on my linux box. I'm permanently vpn'd into my work's Cisco VPN concentrator. Granted it still can't do key rotation, so I have to reconnect it every 8 hours or so.

Cisco's linux support sucks in general, though. Their management software won't support it in any way. Ironic, really, since most work gets done in a terminal on cisco hardware. At least a serial port can't be made to be linux-incompatible.

Re:What I want from Cisco

Ummm, it's called WebVPN or SSH-VPN. All you need is an SSH-enabled browser. Works with MS, Apple, Linux, BSD, whatever. You don't need a VPN client anymore... that's sooo 2005

Re:What I want from Cisco

[nicc777]

The Linux Cisco VPN works 100% - the only irritating thing for me is that you need to compile it - it's not in the standard repositories.

Re:What I want from Cisco

[QuoteMstr]

Why TCP over TCP is a bad idea

Re:What I want from Cisco

Read his journal - the guy is an idiot.

Re:What I want from Cisco

[judo_badger]

We're using it on all three platforms. It works very well on Mac and Linux for us.

Re:What I want from Cisco

[PingXao]

Have you looked at Broadcom lately? They make Cisco look like God's gift to Linux. They are absolutely paranoid, anal even, about releasing any technical information about any of their chips. And Broadcom is everywhere.

Re:What I want from Cisco

[lukas84]

The points are absolutely valid for a site-to-site vpn. But they don't matter in a road warrior setup, where Firewall traversal is more important than performance.

Re:What I want from Cisco

[Dr_Barnowl]

No it doesn't. It doesn't support the firewall requirement ; as the GP poster said.

For those not familiar, this requires that your VPN client firewalls itself off from its local network and only participates as a network node in the VPN.

The Linux client doesn't support this. This is presumably because if you have source that supports it (your reply seems to indicate that you have source for the base client, but AFAIK it doesn't include this feature), you could compile a client which claimed it complied, but didn't. Or because the user has so much control over a Linux environment that Cisco doesn't feel safe claiming that it could.

The only way you can assure the firewall requirement is in place is with a closed binary, preferably cryptographically signed, running in a closed environment. AKA, Windows.

Personally, I find the firewall requirement deeply frustrating, because it prevents you from using your locally networked resources ; you might have a printer, a gateway that's faster than using a remote gateway over VPN, etc. But I can understand it, because the administrators who enable it have obviously learned the hard way (or just heard tales from those who have) - Windows is not a secure network OS, and they have to defend their networks from people ill-informed enough to put Windows on a naked internet connection.

Re:What I want from Cisco

I have no problem with Cisco VPN 4.9 on my mac.

Re:What I want from Cisco

[ckaminski]

CiscoVPN 4.6 works great under both Windows and Mac OS X.

Too bad I have to stop using it because we're turning on network access control and Cisco Clean Access Agent isn't available on Mac OS X. My Macbook users are PISSED. :(

Re:What I want from Cisco

[GXTi]

And Broadcom is everywhere. Especially in my laptop, where the disgusting heap of silicon they call a wireless chipset can't even connect to an AP 15 feet away without me reloading the firmware 8 times and bouncing the interface as if it were a broken VGA cable.

Re:What I want from Cisco

[Midnight+Thunder]

If the router has a client firewall requirement, then it fails. I have even tried vpnc and this confirms what I learnt from the official client:

  concentrator configured to require a firewall
  this locks out even Cisco clients on any platform expect windows
  which is an obvious security improvment. There is no workaround (yet).
I have tried both on Linux and MacOS X, and the only client that seems to work consistently is the Windows client. This does not mean that I have never got the Mac or Linux clients to work, its just they don't work with every Cisco router configuration out there.

Re:What I want from Cisco

[Midnight+Thunder]

The only way you can assure the firewall requirement is in place is with a closed binary, preferably cryptographically signed, running in a closed environment. AKA, Windows.

This could also be achieved on MacOS X 10.5, where signing of binaries is supported and even recommended. Additionally I am sure it could be possible for the server side of the VPN to probe the client to see if a suitable configuration is in place. The way I could imagine this happening is for the server to do a routing probe and see if it succeeds. If the server can't contact the router on the local network or connect out of the network, then is probably safe enough - granted I haven't thought of every scenario, but its a possibility.

Re:What I want from Cisco

[Constantine+XVI]

Forgive my extremely limited understanding of the software, but our uni uses Clean Access, and both my Eee (Ubuntu) and my friend's PowerBook haven't had a problem logging in via their web login

Re:What I want from Cisco

[Abalamahalamatandra]

They are getting there, though - I recently put in a new ASA 5540 pair set up for the AnyConnect SSL VPN client, which all of the documentation says "supports Linux". I had a problem getting the client working on Ubuntu, but when I opened up a TAC ticket they got me an early release version that did the trick. The AnyConnect client works well on Ubuntu other than the fact that the installer tries to set the vpnagentd to start up at system start and fails, so you have to start it manually from a command prompt.

Now, Secure Desktop is the next hurdle - when I enable that my client never connects. Have to work through that one as well.

VPNC works well for me too, except for the key rotation part which sucks.

Re:What I want from Cisco

[Kalriath]

The concentrator also refuses to let Vista clients connect too. Not surprising really, just another app on the list of "not supported by Vista" programs.

Re:What I want from Cisco

[QuoteMstr]

openvpn uses plain old UDP so works just fine over a firewall. It even supports ethernet bridging. Who exactly is modern here?

Re:What I want from Cisco

So broadcom documentation describes a chip with a lot of unused pins, yet we find chips broadcasting clock signals down these pins. To make things interesting, it's only on the chips we receive from Broadcom. From another lab/project, these same pins are dead. I'm pretty sure Broadcom is acting like Monsanto and enforcing their draconian NDA by watching the customers developers. If they suspect they are releasing even the slightest bit of information to the public, they turn ">around and sue that company.

Yes, Broadcom has a stranghold.. but they're cheap.

Re:What I want from Cisco

[ckaminski]

Interesting. I'm wondering if they are in "warning" mode as opposed to enforcement mode? Do you get warning when you perform a login?

Re:What I want from Cisco

[Constantine+XVI]

Nope, and I don't think they force anyone to use CAA. Every non-lab machine I've seen just logs in via web, and the lab machines will fallback to the web login if we try to use the network before CAA kicks in. I even connected from a Win laptop with firewall and AV explicitly disabled, and it let it right on through.

(PS: Just a student, have no idea what's actually going on in the sausage factory, just observations)

Re:What I want from Cisco

[helixcode123]

What sort of problems are you having? I've been using the cisco VPN client for Linux for years now, first under Mand(rake|riva) and under Ubuntu for the last 2 years or so.

Re:What I want from Cisco

[analog_line]

What I don't understand is why Cisco dumped the 5000 series concentrator, which was technically superior in every way I could find, and had client support for just about everything (including MacOS, pre X) for the craptastic 3000 series, which supported Windows only, supported fewer tunnels at less speed, and had a really, really bad UI. I was working with a team of other contractors to spec a big VPN network for a very big company, had been working with Cisco for months on it, and delivered our spec for 5000 series concentrators, just as the Cisco SEs came in and let us know that they were dropping the 5000 line. They didn't know (or wouldn't tell us) why, and appeared to not be very happy with it themselves (especially after working pretty damn hard with us to get us test hardware). Even the hardware VPN modules for the 1000 and 7000 series routers were better than any of the 3000 series boxes we had.

Re:What I want from Cisco

[bensode]

Huh? I installed Cisco's v4.8 linux vpn client for 32bit and 64bit systems without a hitch for both PIX and ASA Cisco devices ... what I see are tons of complaints about just the opposite. The Vista client is unstable and there is no 64bit working client for XP or Vista.

Re:What I want from Cisco

Duelling congestion avoidance (or control) planes have been known since TCP over LAP-B (X.25), about 25 years ago.

ACK clocking, and RFC 1323 timestamping, almost completely eliminates srtt/rto stretching in modern TCP implementations; the remaining problem is in the clocking out of the inner TCP's transmit queue after an RTO propagating burstiness to the outer TCP, if the outer TCP has a more aggressive ssthresh and less aggressive srtt (which is common).

Appropriate Byte Counting (RFC 3465) dramatically improves TCP in the presence of a competing congestion avoidance/control loop whether the effective L2 protocol guarantees reliable delivery or not.

The final stumbling block for TCP is guaranteed delivery that does not preserve segment ordering. There are real cases of this now, so adapting to it is useful now, but more importantly eliminating the in-order requirement (which is hard to do, since we would have to track fine-grained timings instead) would make growing core bandwidths by using parallel links a much cheaper option, which from time to time (not always) would make many-parallel-line upgrades more attractive from a cost perspective than fatter-bitsynchronous-pipes.

There is lots of research into building a better TCP, since TCP dynamics are at the root of the Internet's remarkable cost-effectiveness compared to other grossly different network models, which tend to compete only in the limit of extremely high delay, high loss, and low bandwidth conditions.

Only "authorized" apps... means not a full server

[justsomecomputerguy]

Requiring authorization will probably cripple its usefulness as a Linux App Server...

BUT! whoever sells/buys this gets to say both "Yes, we're running Linux too" and "But were not really because its all locked down" depending on which constituency they are talking too: The pro open source crowd or the pro security through obscurity crowd.

Reminds me of way back in the days when Novell used to claim Netware 4.x-6.5 was an App Server too: It was a GREAT File and Print Server, with GREAT Directory Services (eDirectory compared to early Active Directory), but it sure was NOT a great App Server.

I don't get it

[seanadams.com]

So this is a whole hardware server module that you stuff into a switch? Why?

A switch (or router, whatever) chassis is a ridiculously valuable piece of real estate... why would you want to spend that slot space plugging in PCs when they could just as easily be somewhere else, on the end of an ethernet cable?

Or is this intended for some highly specialized application where the linux system in tightly integrated with the host hardware in some way?

Re:I don't get it

[menace3society]

I think it's Cisco trying to muscle in on the server market. When you think servers, you don't think Cisco. You think Sun, IBM, HP, Dell, etc. But when you think routers and switches, you think Cisco. So if a Cisco rep can come along and say, "Hey, look, this is a piece of networking hardware, not a server, but it can do everything a server can for less money. Plus if you get this it's one less piece of equipment that can fail on you," they can start getting orders for these. If you were a PHB, would you rather have two boxes that each do one thing, or one box that does everything, and is super-cool "new" gear to boot?

It's like DEC with the PDP-1. Everyone *knew* in those days that a "computer" was a big, room-sized monstrosity that cost upwards of a million dollars and required a staff of dozens just to run; people figured there was only demand for 10 or so of those things on the planet. But DEC didn't sell "computers," they sold "Programmable Digital Processors," so companies bought them. The rest is history, and I guess Cisco is banking on being able to pull off the same thing with their new gear.

Re:I don't get it

[Zerth]

More like they realized they couldn't shrink the size of the switch enclosure without making it look "cheap"(much like that oversized WalMart linux PC). So they stuck a bunch of blades in the switch and said "here, run software on these instead of buying a real server, it's a feature!"

Re:I don't get it

It's simple, Intel wants to be in all networked equipment. Since Cisco is well spread around the globe, now you'll have Intel processors inside Cisco routers too. That completes the strategy of Intel of taking over the world.

"What would we do tonight? The same thing we do all nights..."

Re:I don't get it

[DarkOx]

I don't know where you have been but Cisco has used intel process in most of their equipment for a long time now. Pop the cover off pix sometime you will find a pentium. The same is true for most routers. I have not opened a switch up for a long time, those may or may not be intel.

Re:I don't get it

[CastrTroy]

Well, if I was a PHB, I probably would want one box that does everything. However, if I was a network admin, it might be nice to not put all my eggs in one basket. Having multiple boxes means that if one thing breaks, at least other stuff still works. Also, if one thing breaks, that one thing costs less than the box that does everything, and is cheaper to get everything back to working order.

Re:I don't get it

[CastrTroy]

Why would you need a switch if everything is housed in a single box?

Re:I don't get it

[ronocdh]

Plus if you get this it's one less piece of equipment that can fail on you.

This is partly a joke, but that sounds more to me like, "Hey, we made a bigger basket! Why not pile all those eggs on in there?"

Re:I don't get it

[mikkelm]

How often do you really see fully equipped modular networking hardware at the distribution layer?

Re:I don't get it

[menace3society]

That's my point, the PHB mentality (as opposed to that of the admin who's really responsible for uptime) is to go for the all in one. I haven't decided if Cisco's apparent strategy is really clever, or really evil.

Re:I don't get it

One reason is that in an infrastructure of a medium to large network that has centralized the majority of its resources there is still *some* need for local network resources. The router *has* to be there, integrating these features allows the IT organization to meet the local network needs while centralizing the majority of resources and limiting the very costly support (when looked at from the whole view) to one support contract with one device.

Cisco aims to have this device also be more network intelligent and so has supplied the SDK to boot.

Re:I don't get it

Wow, I haven't seen a single comment in this entire discussion that gets it. Cisco's core competency is being commoditized by companies like Vyatta. The only thing Cisco really has going for them going forward is momentum and brand loyalty. There's no way in hell they will maintain their lead on the functionality or performance front unless they appeal to the broad developer community using Linux. They will never compete on price, but this move will at least help them keep the wolves at bay a little bit longer.

Our biggest tech companies, like Microsoft and Cisco, were successful because they undercut the big guys. 80% of the features for 20% of the price. No one should be shocked to see history repeat itself.

Re:I don't get it

[Kizeh]

No. This is so the ISR can do wacky stuff that's more complex / third party developed than just the IOS / Firewall / LWAPP / VoIP feature set at remote office or smaller facilities. It's absolutely not going to try to replace a real server of any kind.

Re:I don't get it

[Anonymous+Psychopath]

So this is a whole hardware server module that you stuff into a switch? Why? A lot of Cisco's new stuff runs on a Linux kernel. Their call control server (CallManager or Unified Communications Manager, they changed the name last year and it hasn't stuck well) has run on a modified version of Red Hat since version 5.0 and they still OEM servers from HP and IBM for the hardware to run it on. It would be interesting if they could run integrate those servers into a redundant switch architecture instead, and reduce Cisco's dependencies on OEM manufacturers at the same time. I've not actually heard anything of the sort, but it makes some sense to me.

Also, Cisco has already been running OS on blades for many years, but it's been closed to third-party developers until this announcement. Their original Network Analysis Module ran on a NT kernel of all things.

Re:I don't get it

[Anonymous+Psychopath]

Intel CPUs are not common at all in Cisco routers, if they were ever used at all. Other than their server-based products, as far as I know they only used Intel CPUs in the PIX, and that series is end-of-sale. Most of the routers use Motorola CPUs.

I happen to have a Cisco ISR router open on the floor next to me while I'm typing this, and no Intel silicon is in sight.

Re:I don't get it

[BBandCMKRNL]

It's like DEC with the PDP-1. Everyone *knew* in those days that a "computer" was a big, room-sized monstrosity that cost upwards of a million dollars and required a staff of dozens just to run; people figured there was only demand for 10 or so of those things on the planet. But DEC didn't sell "computers," they sold "Programmable Digital Processors," so companies bought them. Close, but not quite right. From Wikipedia and consistent from what I was told when I was employed by DEC, "At the time, the VC market was hostile to computer companies, and investors shied from their plans. The original business plan named the company "Digital Computer Corporation," but AR&D required that the name be changed to DEC. Instead, DEC started building small digital "modules" such as flip flops, gates, and transformer drivers that could be combined to run scientific and engineering experiments. In 1959, Ben Gurley started design of the company's first computer, the PDP-1 (PDP being an initialism for Programmable Data Processor as a means of attracting VC funding. As he put it, "We aren't building computers, we're building 'Programmable Data Processors'.""

It was VC hostility towards computer companies that caused the funny names for things.

Re:I don't get it

[discogravy]

you (to your PHB): [all the stuff above about layered approach, not consolidating everything, eggs in 1 basket, etc etc]
boss (to you): good idea!

boss to saleshole: [all your ideas about not everything in 1 basket, multiple boxes]
saleshole to boss: of course! that's why we offer failover capabilities! you just need to buy 2 of everything!

boss to you: here's 2 of those everything-in-one machines. you're welcome. oh, and they cost a fortune multiplied by 2. so no raise for you.

exeunt boss

The network is the computer

[bar-agent]

I didn't expect them to take the phrase "the network is the computer" quite so literally.

Copycat of 3Com OSN

[dwenger]

Looks like Cisco is copying a 3Com innovation that has been available for over a year. 3Com OSM's are not only available for their routers, but also their 5500G switches.

http://www.3com.com/osn/

Re:Copycat of 3Com OSN

[Kizeh]

There have been basically linux-based blades in Cisco world ever since the Catalyst 5500 doing various security and service things. There's really nothing new in this story, apart from the opening of these things to third-party development. Saying that Cisco is copying 3Com is quite ironic, considering where 3Com gets most of its network gear.

Re:Copycat of 3Com OSN

[dwenger]

Linux-based blades for applications have been commonplace in the industry for years. The part that is newsworthy of both OSN and AXP is opening the platform to 3rd parties and potentially open-source applications. In looking at AXP, running Open Source applications doesn't look like much of an option, which is part of 3Com's key strategy. I'm also curious about your comment regarding where 3Com gets most of it's network gear, what was meant by that if I can ask?

Re:Copycat of 3Com OSN

[Kizeh]

3Com/Huawei vs. Cisco in patent dispute

Re:Copycat of 3Com OSN

[dwenger]

Old news, resolved long ago. 3Com now entirely owns the H3C joint venture that was started in 2003.

MTBF?

[lohphat]

The point on making the f/w an appliance is that it has a predictable operating profile and known MTBF and reliability.

By opening it up as an app server, you're encouraging turning your key gateway security device into a one-off, unique, unpredictable infrastructure component.

Mono?

[rhendershot]

see architecture pic: http://www.cisco.com/en/US/prod/collateral/routers/ps9701/images/white_paper_c11_459082-5.jpg

It would seem that Mono could be a runtime for apps also. Anybody know why that might not work?

As to why you'd want this on the router, you already have a footprint in that space. Virtualization and Consolidation = decreased (branch) footprint.

Cisco says it this way: http://www.cisco.com/en/US/prod/collateral/routers/ps9701/white_paper_c11_459082.html

Customer and Partner Value Propositions
      The nature of the Cisco AXP, that of openness and flexible support of application services, is a catalyst for new growth areas within IT and as far reaching as facilitation of new business processes and enhanced business models. The concept of having application services resident on a Cisco router is appealing to various parts of an organization, be it a desire to minimize physical footprint and maximize service consolidation to hosting a distributed component of an application to promote a new business model. In any case, it is the inherent capability of the Cisco AXP module to assume system-level responsibility of hosting/integrating applications into the network that facilitates these things.

Independent software vendor (ISV) value proposition:
- Addresses Cisco large installed base and use Cisco's well-established channel relationships.
- The Cisco ISR has industry-leading market share. It serves as an excellent platform to integrate applications with security, unified communications, and WAN optimization built in.
- Provides ISVs with a faster time to market.
- Uses Cisco brand name and multi-geography reach.

Channel partner and service provider value proposition:
- Provides additional revenue opportunities and facilitates higher margins.
- Helps move from a product centric approach to a solution centric approach.
- Increases customer penetration and stronger bonds across multiple categories of decision makers.
- Is backed by strong worldwide Cisco support, including Cisco Validated Designs (CVD), training material, documentation, and so on.
- For managed service providers, it further reduces management complexity and on-site administration needs.

Customer value proposition:
- Provides server consolidation and decreased branch footprint.
- Lowers TCO with less power consumption.
- Provides enhanced productivity, better management.
- Provides better network and application services integration.
- Is compliant to industry standards such as payment card industry (PCI), Health Insurance Portability and

Accountability Act (HIPAA), and so on.
- Is one vendor to contact.

Re:Mono?

[symbolset]

It would seem that Mono could be a runtime for apps also. Anybody know why that might not work?

Jesus, why don't you just run Vista on it if you want to fit your Microsoft crud into everything. Yeah... Vista -- in your router! Two gigs of RAM, a 1.2 GHz processor, plenty of storage! Vista oughta run just fine, eh?

"It looks like you're issuing a dynamic IP address. [cancel] [allow]?"

Sir, they're hacking our network

[Cousarr]

"Well, figure out where it's coming from"
"It's coming from the network sir"
"Of course it is, now where is it?"
"No, sir. The network is hacking itself. It's coming from one of the switches"

First it was printers that could run applications. Pop a tunneling app on the printer and remote in and now you're hacking them from their printer. Now switches can run apps too. Sure, a lot of problems related to this could be avoided by proper network administration but it's just one more thing to worry about if the network admin gets the order from management to turn those switches into servers because there's not enough room in the budget for more servers.

No, you don't get it.

[Ungrounded+Lightning]

For $80, you get a pretty full-featured Linux system.

According to the Wikipedia entery you quote, its status is "Discontinued - no longer shipping."

Is this correct? Is there a followon to replace it?

Re:No, you don't get it.

[Briareos]

For $80, you get a pretty full-featured Linux system.
According to the Wikipedia entery you quote, its status is "Discontinued - no longer shipping."

Is this correct? Is there a followon to replace it? That must be the page for the V1 model, since the NSLU2 is alive and well on LinkSys' product pages.

np: Underworld - Spikee (Underworld 1992-2002 (Disc 1))

Money To Burn F*****

[leuk_he]

Why let a serious multi thousend dollar switch run a applation stack you can run on a 500euro desktopc pc? Well, there are 3 ways yo spend money:

-Women. Most expense one, but definity most fun.
-Gambling. Most unsure way to loose money.
-Computers, most sure way to spend a large amoutn of money.

PS, not sure what the F stands for in MTBF.

Re:Money To Burn F*****

[Belial6]

The reason you would do this is because you have already been authorized to spend a crap load of money on the Cisco switches. An extra $800 or $900 won't even get noticed. It you want to put the app on a $500 pc, you have to start from the beginning to get authorization. That's not even going to touch on the fact that you might have to rationalize new software on a PC, while it might only be considered a upgrade on the switch.

Stupid? Yes.
Does it happen? Yes.

Re:Money To Burn F*****

[Kizeh]

Because you need functionality that integrates with the router. Or because you want something that can be tested and provisioned at HQ, then mailed down to a bunch of remote sites that don't have the facilities or expertise to set up a separate box, let alone reliably.
This isn't a "server" that's going to be running user-interactive tasks or application serving or email etc. It's a way for people to build business-specific applications into the router to tailor its functionality for a specific business.

Clear the Confusion

[greendeath]

Disclaimer- I work for Cisco as an Entrprise Sales Engineer

Lets clear a few terms up first-
Switch- Handles moving packets between endpoints on a single IP Subnet (layer 2 Device)

Router- Moves packets between different IP Subnets (Layer 3 Device)

Firewall- Applies security rules to routed packets

While the line is blurring physically between theses functions, as alot of switches can route and routers can switch, the logical functions are still the same. Your Standard Linksys/Dlink/netgear is a switch/router/firewall combined.

The AXP platform is a module that fits into our ISR router family, NOT into any switches.

Yes, the space in a router is valuable, that is exactly why companies want to get as much value as possible out of it. Most companies are looking for ways to consolidate and cetralize to reduce costs and ease management while adding features and functionality. Virtualization is the buzzword of the day.

Applications- Think about a company that has 200 remote offices that each have a server, if that server could be collapsed into a router blade (in combination with some other cisco technology like WAAS, that is possible) you reduce management, hardware and maintenance costs, electricity costs (green is also the word of the day) and provide the necessary services integrated into the heart of the network. Pretty cool.

It may be a little bit of "If you build it, they will come" so we built it, now let the programmers loose, change the game and build something cool.

Re:Clear the Confusion

Cabletron Systems had the same idea over 14 years ago:

http://www.google.com/search?q=cache:lUV1QODDQO8J:findarticles.com/p/articles/mi_qa3649/is_199406/ai_n8712161+Cabletron+PCMIM&hl=en&ct=clnk&cd=2&gl=us&client=firefox-a

"PCMIM is essentially a personal computer within a hub. It is an Intel Corp. 486DX/2-based processor that lets customers load applications--such as management, routing and communications softwareonto the hub rather than in on a separate PC attached to the hub."

I used to work for Cabletron Systems and I'd have to say that I never saw too many folks with PCMIMs in use. It seemed like a cool idea and I used to play around in the labs (1996), throw Slackware Linux on them with Squid, OpenLDAP, sendmail, etc. to try to make a complete "office in a box".

One of the reasons why it wasn't so popular was that it was underpowered and overpriced. You miss out on economies of scale in comparison to the rest of the PC/server industry.

Maybe Cisco will have better luck with it than previous attempts.

Re:Clear the Confusion

[RazzleDazzle]

Why not go the other way and have good strong hardware to virtualize some routers using Cisco router simulators to run your IOS instead of Cisco hardware? As an example: http://www.ipflow.utc.fr/blog/

I am guessing this would be way cheaper and would not be surprised if it violated some Cisco rules and doubtfully would be supported by Cisco if you needed to some help from their TAC.

Re:Clear the Confusion

[LarsG]

Think about a company that has 200 remote offices that each have a server, if that server could be collapsed into a router blade (in combination with some other cisco technology like WAAS, that is possible) you reduce management, hardware and maintenance costs, electricity costs (green is also the word of the day) and provide the necessary services integrated into the heart of the network. Pretty cool. A Cisco blade will be cheaper than a Dell? Pull the other one. ;-p

The blade is limited to running one particular Linux distro and you can't load software on it without a Cisco certificate. That will seriously reduce the possibility for replacing branch servers with this blade.

Re:Clear the Confusion

[Doug+Neal]

Are you sure? The Catalyst 6000 series does Layer 3 but is still classed as a switch.

Re:Clear the Confusion

[klapaucjusz]

Switch- Handles moving packets between endpoints on a single IP Subnet (layer 2 Device)

Yes, that's the terminology that honest people use. But Cisco's marketheads call "switch" anything that does forwarding in hardware, even if it's actually a router. Hence their somewhat quaint references to "layer 3 switches".

See them advertising their "Layer 3 switches".

Re:Clear the Confusion

[Big+Jason]

Switch- Handles moving packets between endpoints on a single IP Subnet (layer 2 Device)

A Layer 2 device is not IP aware, perhaps you meant "broadcast domain"?

Re:Clear the Confusion

[greendeath]

Are you sure? The Catalyst 6000 series does Layer 3 but is still classed as a switch

Yes, I sell, configure and support them everyday. The 6000 family are switches. Over the last 10 years or so, routing functions have moved into switching hardware and we now have "layer 3 switches". Forget that it is one box, the switching and routing functions are logically separate and still follow the same rules as stand alone devices, but by running them on the same hardware you can get performance and features that are not possible on separate physical devices.

Re:Clear the Confusion

[greendeath]

A Layer 2 device is not IP aware, perhaps you meant "broadcast domain"?

Yes, you are correct, but I was going for a simple explanation and didn't want to confuse things any more. And most of the time a single IP Subnet is also a single broadcast domain.

Re:Clear the Confusion

It's not a switch. cisco just calls it one because their marketing department is full of incompetent morons.

If something routes, then it is a router.

Re:Clear the Confusion

[LarsG]

routing functions have moved into switching hardware and we now have "layer 3 switches". Forget that it is one box, the switching and routing functions are logically separate and still follow the same rules as stand alone devices, but by running them on the same hardware you can get performance and features that are not possible on separate physical devices. Routing is routing whether it happens in software or in hardware. Yes, you can get performance and feature benefits by having both routing and switching done by a single device. But calling it a "layer 3 switch" still smells of marketese, it is mixing up L2 and L3 terminology.

Re:Clear the Confusion

We're doing the opposite :-). After all the first routers were computers.

It's far easier, not to mention cheaper, to get a standard Linux server/PC, add in the required Phy on a PCI card (sangoma for instance), and use Linux for routing/firewalling. Switches are cheap anyway.

For the price of this ISR, you'd get 4x the processing power, or for one-fourth the price get the same power consumption or form factor - you choose your price/performance/form factor.

Checkout www.elinanetworks.com

I'm confused.

[fuzzyfuzzyfungus]

So, this exciting new product is basically an underpowered and overpriced server blade that consumes slot space in your very expensive router? Well, at least it has a 10/100/1000 ethernet connection to the switch backplane, no way you could have a connection like that to a physically separate device.*snicker* Plus, it's locked down hard, and development requires Cisco's extra special blessing, that part makes me feel snuggly and secure!

Re:I'm confused.

[iamhigh]

if you could run untangle on it that would be cool. anybody know if that would be possible?

Re:I'm confused.

[Pavan_Gupta]

possible

Very old concept.

Cisco has become a slow giant.

MRV had that Zuma router switch (lightreef series) in 2K that did BGP routing, strong switching and you could plug in CPU blades (was PPC G3 and later G4), that ran Debian.

They also marketed it as a developer platform, but i just ran linux on it, one blade for L2 firewall, one blade for load balancer, one for VPN gateway, DNS, Radius etc...

Basically you can build a quick ISP in a box with that Z16 beauty.
For redundancy you just had 2 of them, still cost half than 1 Catalyst 6500 .

Here is an old news post about it from ITworld, since MRV doesnt sell it anymore:
http://www.itworld.com/Net/3089/NWW010507120431/

Sad they weren't called Cisco, they might have gotten some front page in Slashdot.

Python not Perl

[bitMonster]

The APIs are available in C, Java, and Python. The article says this, but the summary is wrong.

Nah

[Colin+Smith]

Sorry, nope.

If that server could be collapsed into a router blade (in combination with some other cisco technology like WAAS, that is possible) you reduce management, hardware and maintenance costs, electricity costs (green is also the word of the day) Nah. there's just as much management cost, the service is still there.
Hardware cost? A Dell vs a Cisco router blade... Hmm...
Maintenance... A Dell vs a Cisco router... Hmm...

And integrating services into the "heart of the network"? The network should be a dumb connection. It shouldn't be running services.

Juniper already sells Linux-based systems

[Lennie]

Juniper's Linux IPS Hits 10Gb/sec

Re:Juniper already sells Linux-based systems

Ask them what performance they get on small packets.

At RSA they were dodging all questions on this, but the box is a Xeon Dual Clovertown 8-core system, running linux, and the hw architecture still suffers badly with 64-byte packets. No one else is touting them at 10Gbps because it is only in an ideal UDP large packet case.

Re:Juniper already sells Linux-based systems

[Lennie]

I just pointed at the article to point out Juniper is also delivering products based on Linux.

I wasn't passing judgement about how well it works.

Ofcourse Cisco already did too, through the company they've bought, LinkSys.

Re:Juniper already sells Linux-based systems

[Anonymous+Psychopath]

There are also many non-Linksys products from Cisco that are built on a Linux kernel, mostly in their voice/messaging/video/presence application servers.

Re:Juniper already sells Linux-based systems

[discogravy]

not to mention that any of the filtering products (netscreen/FW/IDP) that they produce knock throughput down between 40-60% (depending on amount of traffic -- I have personally seen a 1 gig fiber link drop to 600megs just by passing through a juniper 5200 FW with deep packet inspection turned on (it's turned on by default). 10Gbps is still very far away for most vendors. IPv6 is /marginally/ closer.

For ISR Routers - not switches

[tlon]

FYI, the AXP solution is for Cisco Integrated Services Routers - the modular enterprise branch routers... Not for its switches. This is a branch play.

Missing the point?

[4g1vn]

While I believe there is a need for consolidation of equipment to reduce the footprint/power consumption required in remote offices. I think some of us are missing the point here. 1) I know this has been identified in other posts but, these modules work with the ISR ROUTERS, not the switches. They include the 1800, 2800, and 3800 series. 2) The specifications of the modules (AIM/NM) are really not that impressive. The 3800 series NM (NME-APPRE-522-K9) is about the only one I would even consider if "running infrastructure/directory services". 3) Reliability: This is not an enterprise class server. Some of us know the reliability issues with the IDSM blade for the 6500 series switches. 4) The main point of this module is to integrate the network and application layers. Packet monitoring API. Applications can monitor selected packets flowing through the network for monitoring and analysis purposes. With AXP, the need for a dedicated span port and complex wiring is no longer necessary. Cisco IOS Software information API. Utilizing this API, an application can programmatically query the router to retrieve current configuration, statistics, routing information, and so on. All information available to the Cisco IOS Software CLI and Simple Network Management Protocol (SNMP) agents are accessible though this interface. Event trigger API. The event trigger API allows the application to react to changes or events that occur within the router. An application event can be triggered on events such as a router interface failing over, packet loss exceeding a certain threshold, changes to routing table state, and so on. Cisco IOS Software configuration API. The configuration API allows the application to dynamically change the configuration of the router. Used in conjunction with the monitoring, information, and event trigger APIs, an application can dynamically change the behavior of the router in real time. Serial device API. AXP provides an application to communicate directly with serial ports of the router. This provides the ability for the integrated services router to support connectivity to traditional and nonstandard devices.

Database App front-end?

[haakondahl]

I don't know much about this, and the press release wasn't exactly illuminating, but said the APIs include Python. So if I have a SQL server hanging off of this AppServer/ISR, would that be a good place to deploy the front-end to a database?

It's simple: Sandbox for third party "value added"

[Ungrounded+Lightning]

So this is a whole hardware server module that you stuff into a switch? Why?

There are a bunch of things you'd like to do in a (non-backbone) router (i.e. and edge router or an enterprise router). Like high-intelligence packet filtering (such as malware detection). You'd like to do these in the routers at the edge of the ISP's network (where the packets for a customer finally come together after load-balancing multipathing), at the incoming firewall, and in the switches/routers within a campus LAN (i.e. to block the spread of viruses/worms once a behind-the-firewall machine is compromised.)

Some of the expertese to do this is in other companies than the router makers. It would cost a LOT to replicate this in a router company. (Example: The infrastructure to surveil for malware, analyze it, extract signatures, and maintain databases of them.) Better to partner with such companies, letting them provide the components they do well.

But there are a lot of potential problems with letting third parties build their software into the guts of the router:
- The processors and related infrastructure aren't optimized for performing this extra work.
- The amount of extra processing is enormous.
- Router internals don't provide a lot of protection from buggy - or malicious - code. Much of this is traded away for efficiency, minimizing the per-packet overhead. Major-league software QA substitutes for many hardware safeguards. Modules provided by third parties could break the router code, make it miss its performance requirements, and/or insert malware vulnerabilities in the routers themselves.
- Letting partners provide modules means giving them considerable visibility into the guts of the router. This means the router company's "secret sauce" recipies leave the building. The more partnering is done, the more potential leaks to the competition. (And the partners have much less incentive to protect the router company's secrets.)

A "resource card" design - a card fitting into a linecard slot, carrying the company's backplane routing interface plus commodity and/or special purpose processors, with their own API for plugging into the box's routing infrastructure, solves these problems.

- The box's routing code remains with the router company. It only needs to identify the packets requiring attention from the third-party resource, route them to the appropriate resource card, and route the result onward to the destination.
- The third party has an easy-to-understand environment that closely matches what they already work with and provides all the hooks they need. No "secret sauce" recipie required.
- The third party's code is compartmentalized - on hardware that provides security hooks as a given. Even if it is compromised the worst it can do is send malicious packets across the backplane to other line cards or across the control interface to the management processor(s) - and these can be alert for problems and protect themselves, just as they do from nasties arriving on network interfaces.

A switch (or router, whatever) chassis is a ridiculously valuable piece of real estate... why would you want to spend that slot space plugging in PCs when they could just as easily be somewhere else, on the end of an ethernet cable?

Because a backplane is SO much faster and a single box system SO much cheaper (especially in rack-unit rent) than a multi-box, router/server system.

For starters: A multi-box system doing any kind of filtering puts the packets through the switch TWICE, once on its way to the third-party resource, once on its way back. You'll need to chew up a slot or two just to provider enough networking bandwidth to exchange one slot's full line rate worth of traffic with the resource. So why fill the front of the card with interfaces and packet processors just for the handoff, when you could put the resource there in the first place and save a box?

Putting the resource in a

OS = Obese Software

[deanston]

The Point, though Cisco isn't bragging it, is about control. What part of the network do you want to exert control on applications and data? Traditional concept of "the network as the computer" as proposed by Sun or Oracle puts the OS in charge, commoditizing servers, and requiring only dumb network switches and routers. This is about taking back the leverage and power companies like Cisco, 3Com, and Juniper felt they have given away. And this development finally begin to make each network device intelligent. Just a first step. More power and greater capabilities are sure to come embedded on each new generation of routers and switches. For all the years Linux desktop market share struggle at 1-2%, we are finally seeing the flexibility of Linux take off in areas that will give Windows real trouble - in the low-cost laptops and directly on non-PC devices. While the Gartner boys may argue that Windows need to become more modular, the hardware makers are moving ahead already. Piece by piece they will take away the need to have an all encompassing OS like Windows that controls everything. If the network manages and controls the applications and data, and runs on VMs, then even a traditional OS is just a commodity application on the network. The modern OSs have commoditized servers. Now the h/w and VM makers are trying to commoditize the OS. Sure, Windows has the resources to respond. The relevance of Windows still lies in its 90% desktop software dominance, and parlaying that user dependency into the future of computing. When or whether that dominance will be slowly chipped away through these new developments in mobile and cloud computing advances, hard to say, but sure it's fun to watch all these tech companies fighting for a bigger stake in the ever changing new fields.

Its an iPhone in a switch

[argent]

Before an application can actually be deployed onto an AXP, a certification process must first be completed. Part of the process includes a license agreement from Cisco as well as a support contract. The certification also provides a mechanism to ensure that only certified applications are deployed on the AXP. Or maybe a Tivo in a switch?

Re:Its an iPhone in a switch

[technomom]

Yeah, that set of lines made me stop and think. What would they certify? Why of course, applications that don't compete with CISCO's own applications and services, silly!

Re:Its an iPhone in a switch

[argent]

Oh, I can see the logic. Having the code restricted to code that Cisco has certified will make it an easier sell for network administrators and consultants dealing with passive-aggressive IT managers, corporate standards, and so on.

If you want to run uncertified code in a Cisco switch there's already NetBSD and Linux ports to run on Cisco hardware. And don't forget that the PIX started out as basically a rack-mounted PC.

Some ideas on how to apply

[_ph1ux_]

What about using it as a departmental imaging server.

With a 160GB drive - put some images on the router - plug a machine into a VLAN and the machine could then boot off the network and be imaged with the system image for that department/VLAN.

It could be used for Caching and proxy services.

How about a web based chat channel. - jsut enter the IP of your default Gateway and you get a web based chat room. You can see all the other people on your subnet hanging from that device - and see its peers - you could then open channels to upstream routers as well - maybe the admins could control how many hops away you can see.

How about an integrated monitoring app. Go to the IP of the gateway and it will show you waht services it thinks your system is running (and the services of all the other machines directly attached) and you can configure monitoring and alerts for those services. Log in and tell it "this machine I am on is a web server - check this URL if you cant get to it email/SMS me"

I absolutely HATE the fact that there is no intrinsic bandwidth monitoring and reporting in many networking devices. I would want the machine to have integrated traffic reporting at every hub. (you know what I mean by hub). I should be able to look at all flows through a router/switch and see what/how much/who is doing what. And I shouldnt have to ahve some external app/license to do so.

Hardened my ass

[Lord+Kestrel]

Cisco claiming a piece of software they make is hardened is absurd. In the past, they've used Redhat 7.1 as the base for their appliances, shipping security software with 5 year old versions of openssh and Apache, and then tried to claim they were "hardened". After breaking in, they turn out to be off the shelf RH 7.1, just without cups running.

Cisco and software do not get along. They make ok hardware (overpriced, but it works), but they have never once made a good piece of software.

Interesting real-world use for AXP

[bterzic]

Well, I work for a company that has been developing an application that runs on AXP that I would consider somewhat interesting.

In Germany they have mandated a decentralised health care IT infrastructure that enables people to store and manage identity (X509 certificates) and health related information on a smartcard (think ePrescription, HMO contract data, emergency data).

This system has rather hard requirements to security that involve among other things a sort of dedicated hardware platform that mediates between patient and doctor smartcards and a secure backend.

Since the CISCO ISR brings with it the entire network stack and it has this AXP platform for deploying applications on Linux, it's a pretty good match. We write our software in Java, expose a web service to the doctor/pharmacy system, talk to card readers in the LAN and establish VPN tunnels to the backend.

Since you have a dedicated hardware box doing this with a certified firewall, hardened Linux and a certified application stack you are able to provide a pretty robust device that has near-zero maintenance overhead. You drop it in the physician's network, do an initial setup and then forget about it.

The only link I can come up with on the fly is this marketroid page that lists our "solution".