Slashdot Mirror


Cisco Turns Routers Into Linux App Servers

symbolset writes "InternetNews is reporting that Cisco's new Application eXtension Platform turns several models of Cisco switches into Linux application servers. With certified libraries in C, Java and Perl, developers will be able to use a downloadable SDK to build their apps. The AXP server is just another module in a Cisco switch running Cisco's own derivation of a modern Linux distro (Kernel 2.6.x) specifically hardened to run on that particular hardware. Modules will include up to 1.4-GHz Intel Pentiums with 2 GB RAM and a 160 GB hard drive."

30 of 121 comments

  1. Cue the beowulf cluster jokes by symbolset · · Score: 4, Interesting

    Yes, it runs linux.

    Yes, I know they're switches, not routers.

    Now... anybody got any interesting applications for this?

    --
    Help stamp out iliturcy.
    1. Re:Cue the beowulf cluster jokes by Anonymous Coward · · Score: 5, Funny

      Imagine a baowulf cluster of these...

    2. Re:Cue the beowulf cluster jokes by arivanov · · Score: 4, Interesting

      The power of linux is mostly irrelevant here. OK, fine, a blade, and so what? It is more expensive than most 1U servers out there.

      Now the power of having an API into the Cisco hardware and software is a completely different story. That may be something that is really interesting. It will allow moving many tasks that are now exclusive to big closed and expensive OSS systems to the frontline where they really belong.

      By the way, this has been long coming. The first time I heard about this was circa 2003. Nice to see it finally making the light of day.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
  2. AXP environment require an authorization key by Anonymous Coward · · Score: 5, Informative

    check this out

    Q. How does one develop an application for the AXP service module?

    A. Both existing and newly developed applications must be ported to the AXP runtime environment by packaging them using the AXP SDK, which ships with the AXP hardware and software. The SDK package tool creates installation packages that can be loaded on the AXP blade. AXP developers are authorized by Cisco using the AXP Development Partner Program and require an authorization key in order to perform packaging of software.

    http://www.cisco.com/en/US/prod/collateral/routers/ps9701/qa_c67_463943.html

  3. NSLU2 is cool by bcrowell · · Score: 4, Interesting

    Another Cisco gadget that's cool as a cheap linux box is the NSLU2. For $80, you get a pretty full-featured Linux system. It's the size of a paperback, and draws a negligible amount of power. I use mine as a music server. There's a very lively and helpful user community on IRC. There are various options for modifying or replacing the system it ships with to get a more general-purpose linux box, running off of an external flash drive.

  4. Before we get too excited by symbolset · · Score: 2, Informative

    It might be interesting to read the data sheet.

    10/100/1000 Gigabit Ethernet connectivity to router backplane

    meh.

    --
    Help stamp out iliturcy.
    1. Re:Before we get too excited by LarsG · · Score: 2, Interesting

      Yeah, backplane is kinda bummer.

      As generic blade it looks like fail. Only one OS supported, probably expensive, Cisco license needed to build application packages.

      Could be useful for making network appliances. Datasheet mentions IOS integration.

      --
      If J.K.R wrote Windows: Puteulanus fenestra mortalis!
  5. What I want from Cisco by Midnight+Thunder · · Score: 4, Insightful

    Great and I applaud them for doing something truly nerdy. What I am still waiting for is a proper CISCO VPN client that works well under Linux and MacOS X, and not just Windows. It is irritating to enable firewall requirements, only to find that the only version that supports it is CISCO VPN Client for Windows.

    Rant over, now you may mod me down.

    --
    Jumpstart the tartan drive.
    1. Re:What I want from Cisco by caseih · · Score: 3, Informative

      The open source vpnc works pretty well on my linux box. I'm permanently vpn'd into my work's Cisco VPN concentrator. Granted it still can't do key rotation, so I have to reconnect it every 8 hours or so.

      Cisco's linux support sucks in general, though. Their management software won't support it in any way. Ironic, really, since most work gets done in a terminal on cisco hardware. At least a serial port can't be made to be linux-incompatible.

    2. Re:What I want from Cisco by PingXao · · Score: 2, Interesting

      Have you looked at Broadcom lately? They make Cisco look like God's gift to Linux. They are absolutely paranoid, anal even, about releasing any technical information about any of their chips. And Broadcom is everywhere.

    3. Re:What I want from Cisco by Abalamahalamatandra · · Score: 2, Informative

      They are getting there, though - I recently put in a new ASA 5540 pair set up for the AnyConnect SSL VPN client, which all of the documentation says "supports Linux". I had a problem getting the client working on Ubuntu, but when I opened up a TAC ticket they got me an early release version that did the trick. The AnyConnect client works well on Ubuntu other than the fact that the installer tries to set the vpnagentd to start up at system start and fails, so you have to start it manually from a command prompt.

      Now, Secure Desktop is the next hurdle - when I enable that my client never connects. Have to work through that one as well.

      VPNC works well for me too, except for the key rotation part which sucks.

    4. Re:What I want from Cisco by Kalriath · · Score: 2, Informative

      The concentrator also refuses to let Vista clients connect too. Not surprising really, just another app on the list of "not supported by Vista" programs.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  6. I don't get it by seanadams.com · · Score: 3, Insightful

    So this is a whole hardware server module that you stuff into a switch? Why?

    A switch (or router, whatever) chassis is a ridiculously valuable piece of real estate... why would you want to spend that slot space plugging in PCs when they could just as easily be somewhere else, on the end of an ethernet cable?

    Or is this intended for some highly specialized application where the linux system is tightly integrated with the host hardware in some way?

    1. Re:I don't get it by menace3society · · Score: 5, Insightful

      I think it's Cisco trying to muscle in on the server market. When you think servers, you don't think Cisco. You think Sun, IBM, HP, Dell, etc. But when you think routers and switches, you think Cisco. So if a Cisco rep can come along and say, "Hey, look, this is a piece of networking hardware, not a server, but it can do everything a server can for less money. Plus if you get this it's one less piece of equipment that can fail on you," they can start getting orders for these. If you were a PHB, would you rather have two boxes that each do one thing, or one box that does everything, and is super-cool "new" gear to boot?

      It's like DEC with the PDP-1. Everyone *knew* in those days that a "computer" was a big, room-sized monstrosity that cost upwards of a million dollars and required a staff of dozens just to run; people figured there was only demand for 10 or so of those things on the planet. But DEC didn't sell "computers," they sold "Programmable Digital Processors," so companies bought them. The rest is history, and I guess Cisco is banking on being able to pull off the same thing with their new gear.

    2. Re:I don't get it by CastrTroy · · Score: 2, Insightful

      Why would you need a switch if everything is housed in a single box?

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  7. The network is the computer by bar-agent · · Score: 4, Funny

    I didn't expect them to take the phrase "the network is the computer" quite so literally.

    --
    i'd hit it so hard, if you pulled me out you'd be the king of britain [bash.org]
  8. Copycat of 3Com OSN by dwenger · · Score: 5, Informative

    Looks like Cisco is copying a 3Com innovation that has been available for over a year. 3Com OSM's are not only available for their routers, but also their 5500G switches.

    http://www.3com.com/osn/

  9. MTBF? by lohphat · · Score: 5, Insightful

    The point on making the f/w an appliance is that it has a predictable operating profile and known MTBF and reliability.

    By opening it up as an app server, you're encouraging turning your key gateway security device into a one-off, unique, unpredictable infrastructure component.

  10. Sir, they're hacking our network by Cousarr · · Score: 2, Funny

    "Well, figure out where it's coming from"
    "It's coming from the network sir"
    "Of course it is, now where is it?"
    "No, sir. The network is hacking itself. It's coming from one of the switches"

    First it was printers that could run applications. Pop a tunneling app on the printer and remote in and now you're hacking them from their printer. Now switches can run apps too. Sure, a lot of problems related to this could be avoided by proper network administration but it's just one more thing to worry about if the network admin gets the order from management to turn those switches into servers because there's not enough room in the budget for more servers.

  11. No, you don't get it. by Ungrounded+Lightning · · Score: 2, Informative

    For $80, you get a pretty full-featured Linux system.

    According to the Wikipedia entry you quote, its status is "Discontinued - no longer shipping."

    Is this correct? Is there a followon to replace it?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:No, you don't get it. by Briareos · · Score: 2, Informative

      For $80, you get a pretty full-featured Linux system.
      According to the Wikipedia entry you quote, its status is "Discontinued - no longer shipping."

      Is this correct? Is there a followon to replace it?

      That must be the page for the V1 model, since the NSLU2 is alive and well on LinkSys' product pages.

      np: Underworld - Spikee (Underworld 1992-2002 (Disc 1))

      --

      "I'm not anti-anything, I'm anti-everything, it fits better." - Sole

  12. Clear the Confusion by greendeath · · Score: 5, Informative

    Disclaimer- I work for Cisco as an Enterprise Sales Engineer

    Let's clear a few terms up first-
    Switch- Handles moving packets between endpoints on a single IP Subnet (layer 2 Device)

    Router- Moves packets between different IP Subnets (Layer 3 Device)

    Firewall- Applies security rules to routed packets

    While the line is blurring physically between these functions, as a lot of switches can route and routers can switch, the logical functions are still the same. Your Standard Linksys/Dlink/netgear is a switch/router/firewall combined.

    The AXP platform is a module that fits into our ISR router family, NOT into any switches.

    Yes, the space in a router is valuable, that is exactly why companies want to get as much value as possible out of it. Most companies are looking for ways to consolidate and centralize to reduce costs and ease management while adding features and functionality. Virtualization is the buzzword of the day.

    Applications- Think about a company that has 200 remote offices that each have a server, if that server could be collapsed into a router blade (in combination with some other cisco technology like WAAS, that is possible) you reduce management, hardware and maintenance costs, electricity costs (green is also the word of the day) and provide the necessary services integrated into the heart of the network. Pretty cool.

    It may be a little bit of "If you build it, they will come" so we built it, now let the programmers loose, change the game and build something cool.

    1. Re:Clear the Confusion by Anonymous Coward · · Score: 2, Interesting

      Cabletron Systems had the same idea over 14 years ago:

      http://www.google.com/search?q=cache:lUV1QODDQO8J:findarticles.com/p/articles/mi_qa3649/is_199406/ai_n8712161+Cabletron+PCMIM&hl=en&ct=clnk&cd=2&gl=us&client=firefox-a

      "PCMIM is essentially a personal computer within a hub. It is an Intel Corp. 486DX/2-based processor that lets customers load applications--such as management, routing and communications software--onto the hub rather than in on a separate PC attached to the hub."

      I used to work for Cabletron Systems and I'd have to say that I never saw too many folks with PCMIMs in use. It seemed like a cool idea and I used to play around in the labs (1996), throw Slackware Linux on them with Squid, OpenLDAP, sendmail, etc. to try to make a complete "office in a box".

      One of the reasons why it wasn't so popular was that it was underpowered and overpriced. You miss out on economies of scale in comparison to the rest of the PC/server industry.

      Maybe Cisco will have better luck with it than previous attempts.

  13. Python not Perl by bitMonster · · Score: 3, Informative

    The APIs are available in C, Java, and Python. The article says this, but the summary is wrong.

  14. Re:Mono? by symbolset · · Score: 2, Funny

    It would seem that Mono could be a runtime for apps also. Anybody know why that might not work?

    Jesus, why don't you just run Vista on it if you want to fit your Microsoft crud into everything. Yeah... Vista -- in your router! Two gigs of RAM, a 1.2 GHz processor, plenty of storage! Vista oughta run just fine, eh?

    "It looks like you're issuing a dynamic IP address. [cancel] [allow]?"

    --
    Help stamp out iliturcy.
  15. Juniper already sells Linux-based systems by Lennie · · Score: 3, Informative
    --
    New things are always on the horizon
  16. Missing the point? by 4g1vn · · Score: 2, Informative

    While I believe there is a need for consolidation of equipment to reduce the footprint/power consumption required in remote offices, I think some of us are missing the point here.

    1) I know this has been identified in other posts but, these modules work with the ISR ROUTERS, not the switches. They include the 1800, 2800, and 3800 series.

    2) The specifications of the modules (AIM/NM) are really not that impressive. The 3800 series NM (NME-APPRE-522-K9) is about the only one I would even consider if "running infrastructure/directory services".

    3) Reliability: This is not an enterprise class server. Some of us know the reliability issues with the IDSM blade for the 6500 series switches.

    4) The main point of this module is to integrate the network and application layers.

    Packet monitoring API. Applications can monitor selected packets flowing through the network for monitoring and analysis purposes. With AXP, the need for a dedicated span port and complex wiring is no longer necessary.

    Cisco IOS Software information API. Utilizing this API, an application can programmatically query the router to retrieve current configuration, statistics, routing information, and so on. All information available to the Cisco IOS Software CLI and Simple Network Management Protocol (SNMP) agents are accessible through this interface.

    Event trigger API. The event trigger API allows the application to react to changes or events that occur within the router. An application event can be triggered on events such as a router interface failing over, packet loss exceeding a certain threshold, changes to routing table state, and so on.

    Cisco IOS Software configuration API. The configuration API allows the application to dynamically change the configuration of the router. Used in conjunction with the monitoring, information, and event trigger APIs, an application can dynamically change the behavior of the router in real time.

    Serial device API. AXP provides an application to communicate directly with serial ports of the router. This provides the ability for the integrated services router to support connectivity to traditional and nonstandard devices.

  17. It's simple: Sandbox for third party "value added" by Ungrounded+Lightning · · Score: 2, Interesting

    So this is a whole hardware server module that you stuff into a switch? Why?

    There are a bunch of things you'd like to do in a (non-backbone) router (i.e. an edge router or an enterprise router). Like high-intelligence packet filtering (such as malware detection). You'd like to do these in the routers at the edge of the ISP's network (where the packets for a customer finally come together after load-balancing multipathing), at the incoming firewall, and in the switches/routers within a campus LAN (i.e. to block the spread of viruses/worms once a behind-the-firewall machine is compromised.)

    Some of the expertise to do this is in other companies than the router makers. It would cost a LOT to replicate this in a router company. (Example: The infrastructure to surveil for malware, analyze it, extract signatures, and maintain databases of them.) Better to partner with such companies, letting them provide the components they do well.

    But there are a lot of potential problems with letting third parties build their software into the guts of the router:
    - The processors and related infrastructure aren't optimized for performing this extra work.
    - The amount of extra processing is enormous.
    - Router internals don't provide a lot of protection from buggy - or malicious - code. Much of this is traded away for efficiency, minimizing the per-packet overhead. Major-league software QA substitutes for many hardware safeguards. Modules provided by third parties could break the router code, make it miss its performance requirements, and/or insert malware vulnerabilities in the routers themselves.
    - Letting partners provide modules means giving them considerable visibility into the guts of the router. This means the router company's "secret sauce" recipes leave the building. The more partnering is done, the more potential leaks to the competition. (And the partners have much less incentive to protect the router company's secrets.)

    A "resource card" design - a card fitting into a linecard slot, carrying the company's backplane routing interface plus commodity and/or special purpose processors, with their own API for plugging into the box's routing infrastructure, solves these problems.

    - The box's routing code remains with the router company. It only needs to identify the packets requiring attention from the third-party resource, route them to the appropriate resource card, and route the result onward to the destination.
    - The third party has an easy-to-understand environment that closely matches what they already work with and provides all the hooks they need. No "secret sauce" recipe required.
    - The third party's code is compartmentalized - on hardware that provides security hooks as a given. Even if it is compromised the worst it can do is send malicious packets across the backplane to other line cards or across the control interface to the management processor(s) - and these can be alert for problems and protect themselves, just as they do from nasties arriving on network interfaces.

    A switch (or router, whatever) chassis is a ridiculously valuable piece of real estate... why would you want to spend that slot space plugging in PCs when they could just as easily be somewhere else, on the end of an ethernet cable?

    Because a backplane is SO much faster and a single box system SO much cheaper (especially in rack-unit rent) than a multi-box, router/server system.

    For starters: A multi-box system doing any kind of filtering puts the packets through the switch TWICE, once on its way to the third-party resource, once on its way back. You'll need to chew up a slot or two just to provide enough networking bandwidth to exchange one slot's full line rate worth of traffic with the resource. So why fill the front of the card with interfaces and packet processors just for the handoff, when you could put the resource there in the first place and save a box?

    Putting the resource in a

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  18. OS = Obese Software by deanston · · Score: 2, Interesting

    The Point, though Cisco isn't bragging it, is about control. What part of the network do you want to exert control on applications and data? Traditional concept of "the network as the computer" as proposed by Sun or Oracle puts the OS in charge, commoditizing servers, and requiring only dumb network switches and routers. This is about taking back the leverage and power companies like Cisco, 3Com, and Juniper felt they have given away. And this development finally begins to make each network device intelligent. Just a first step. More power and greater capabilities are sure to come embedded on each new generation of routers and switches. For all the years Linux desktop market share struggled at 1-2%, we are finally seeing the flexibility of Linux take off in areas that will give Windows real trouble - in the low-cost laptops and directly on non-PC devices. While the Gartner boys may argue that Windows needs to become more modular, the hardware makers are moving ahead already. Piece by piece they will take away the need to have an all encompassing OS like Windows that controls everything. If the network manages and controls the applications and data, and runs on VMs, then even a traditional OS is just a commodity application on the network. The modern OSs have commoditized servers. Now the h/w and VM makers are trying to commoditize the OS. Sure, Windows has the resources to respond. The relevance of Windows still lies in its 90% desktop software dominance, and parlaying that user dependency into the future of computing. When or whether that dominance will be slowly chipped away through these new developments in mobile and cloud computing advances, hard to say, but sure it's fun to watch all these tech companies fighting for a bigger stake in the ever changing new fields.

  19. Hardened my ass by Lord+Kestrel · · Score: 2, Insightful

    Cisco claiming a piece of software they make is hardened is absurd. In the past, they've used Redhat 7.1 as the base for their appliances, shipping security software with 5 year old versions of openssh and Apache, and then tried to claim they were "hardened". After breaking in, they turn out to be off the shelf RH 7.1, just without cups running.

    Cisco and software do not get along. They make ok hardware (overpriced, but it works), but they have never once made a good piece of software.