Slashdot Mirror

← Back to Stories (view on slashdot.org)

IEEE Ethernet Specs Could Soothe Data Center Ills

Posted by CmdrTaco on from the i'm-on-pins-and-crimpers dept.

alphadogg writes "Cisco, HP and others are waging an epic battle to gain more control of the data center, but at the same time they are joining forces to push through new Ethernet standards that could greatly ease management of those increasingly virtualized IT nerve centers. The IEEE 802.1Qbg and 802.1Qbh specifications are designed to address serious management issues raised by the explosion of virtual machines in data centers that traditionally have been the purview of physical servers and switches. In a nutshell, the emerging standards would offload significant amounts of policy, security and management processing from virtual switches on network interface cards (NIC) and blade servers and put it back onto physical Ethernet switches connecting storage and compute resources. 'There needed to be a way to communicate between the hypervisor and the network,' says Jon Oltsik, an analyst at Enterprise Systems Group. 'When you start thinking about the complexities associated with running dozens of VMs on a physical server the sophistication of data center switching has to be there.'"

51 comments

  1. This is a big deal for cloud hosts. by Anonymous Coward · · Score: 3, Informative

    This is a huge deal for cloud hosts. We aren't a cloud provider, but we do offer similar services on our corporate network. We're using Xen to run over 5000 FreeBSD instances on a singe high-end server. When you're dealing with this many instances, all under constant use, the networking overhead becomes huge.

    At first we were using Linux, but it just couldn't offer the throughput that we need. We aren't in a position to acquire more hardware (which is, of course, why we are using virtualization so extensively), so we had to find a better software solution. We found that FreeBSD was compatible with our applications, but had a much more efficient network stack.

    1. Re:This is a big deal for cloud hosts. by GigaHurtsMyRobot · · Score: 1

      5000 virtual machine instances on one server? I must say, I think you're doing something wrong.

    2. Re:This is a big deal for cloud hosts. by Monkeedude1212 · · Score: 1

      I can think of a few scenarios where this would be useful.

    3. Re:This is a big deal for cloud hosts. by amorsen · · Score: 2, Interesting

      But 5000 FreeBSD instances with Xen? Surely you'd want a shared kernel solution for that many instances. If we assume that a minimal FreeBSD kernel can run in 2MB, that's 10GB just for the kernels before you hit user space. Unless Xen does memory deduplication, of course.

      --
      Finally! A year of moderation! Ready for 2019?
    4. Re:This is a big deal for cloud hosts. by Sir_Lewk · · Score: 2, Funny

      And getting yourself into one of those scenarios is most likely "doing it wrong" as well.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    5. Re:This is a big deal for cloud hosts. by Anonymous Coward · · Score: 0

      Nah, there's nothing unusual about that many virtual machines on a single server. Back in the '80s we'd routinely have over 10,000 instances on some of the mid-range mainframes at the insurance company I worked for then.

      It should be even easier today, since we can pack tens or even hundreds of GB of RAM into high-end blade servers. Memory is typically the bottleneck, but a good hypervisor can manage to share a lot of the physical memory between instances, especially when they're all running essentially the same software.

    6. Re:This is a big deal for cloud hosts. by Sir_Lewk · · Score: 1

      who says they'd be using Xen?

      We're using Xen to run over 5000 FreeBSD instances on a singe high-end server.

      Try reading the original post next time.

      They definetly should be using freebsd jails, but are instead running thousands of seperate freebsd instances with Xen. If that is not the definition of "doing it wrong", I don't know what is.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    7. Re:This is a big deal for cloud hosts. by christianT · · Score: 1

      Um.... the original poster said he is using Xen...

      We're using Xen to run over 5000 FreeBSD instances on a singe high-end server.

    8. Re:This is a big deal for cloud hosts. by Anonymous Coward · · Score: 0

      Sounds like a mainframe to me.

    9. Re:This is a big deal for cloud hosts. by kava_kicks · · Score: 1

      Can you please explain why you are doing this? What about redundancy for starters ... you lose that server and you lose 5,000 VMs!!!??? At least give us an idea of the industry you are in ...

    10. Re:This is a big deal for cloud hosts. by Slashcrap · · Score: 1

      I bet BSD advocates modded this shit up. They really are totally unable to spot when they are being trolled.

  2. Sounds like.... by FooAtWFU · · Score: 3, Funny

    Sounds like Cisco wants to sell you more expensive equipment.

    Who knows? It might be worth the six-figure price tag. :)

    --
    The World Wide Web is dying. Soon, we shall have only the Internet.
    1. Re:Sounds like.... by Wesley+Felter · · Score: 2, Insightful

      That's exactly what it is. If hypervisors got too smart you might be able to use cheaper switches, and the networking industry just can't have that. VEPA is designed to cripple hypervisors, ensuring that you'll have to keep buying enterprisey switches.

    2. Re:Sounds like.... by Anonymous Coward · · Score: 0

      You've nailed it. Projects like the Nexus 1000v and the open source Open vSwitch provide substantial switch functionality in the hypervisor, which makes advanced functionality in the top-of-rack switch unnecessary - not something that hardware vendors are very happy about.

  3. Cisco by nighty5 · · Score: 4, Informative

    Cisco / VMware has done some work in this space, abeit it is a Cisco / VMware solution.... The Nexus 1000V basically provides an overlay to the virtual networking stack from VMware and places it into an appliance with a Cisco CLI. It can then be hooked into the usual Cisco management suspects. The solution makes sense because it also gives back control of the network aspects back to netops, instead of the server ops/virtual ops... http://www.vmware.com/products/cisco-nexus-1000V/

    1. Re:Cisco by RulerOf · · Score: 2, Interesting

      Aye. I'm not a networking fellow myself, but when I went to the vSphere launch, my co-worker expressed serious interest in the 1000V portion of vSphere 4.

      The hardest part about evaluating VMWare in our datacenter at the time was definitely teaching myself enough about networking to ensure that the ESX Servers' network configs were correct to implement the scenarios we wanted to test. Being able to basically follow a standard setup procedure for the server infrastructure and then pass off an IP or a management console to a Cisco guy and know that it's in good hands... that's a godsend.

      --
      Boot Windows, Linux, and ESX over the network for free.
    2. Re:Cisco by Anonymous Coward · · Score: 0

      Actually. Thats your comment is incorrect. Its a complete Vswitch (DVS) switch replacement that runs its own OS instance on VMware. It has many more security, monitoring, and control features that are unavailable in the stock VMWare DVS. A simple overlay solution would not be able to do this.

  4. Skip it by Anonymous Coward · · Score: 0

    I'll hold out for IEEE 802.1WtfBBQ

  5. howto secure virtual machines by Euzechius · · Score: 5, Informative

    When using virtual machines you loose some control and visibility compared to the tradition pizza box server. A physical server is easy to pinpoint, easy to implement ACLs (ethernet/ip), Quality of Service, traffic monitoring or just to shut down a network port. :) Both VEPA and VN-link are technologies that allow you to better seperate different virtual machines on the same physical box.

    For VMware, Cisco developed a virtual switch ( YES, a downloadable switch! :) that integrates with VMware ESX 4 that offers all this network security, monitoring goodness. This virtual switch is called the Nexus 1000v and can be downloaded at http://www.cisco.com/en/US/products/ps9902/index.html ( 60-day trial ).

    About a year ago the ethernet specifications for data centers already got an extension called FCoE or Fibre Channel over Ethernet ( http://www.t11.org/fcoe ). Basically this allow you to use one ethernet network for both your lan and your storage san. And thus not needing to build out a seperate Fibre Channel SAN.

    1. Re:howto secure virtual machines by nsapc3f · · Score: 1

      Infiniband does this and has been doing this and has a path to 100 gigs. CISCO is smoking marginal profit crack.

      --
      Jim Hofmann
    2. Re:howto secure virtual machines by 7213 · · Score: 1

      FCoE does not allow you (yet) to ditch the fibre channel network. Very few (if any?) storage vendors are shipping native FCoE storage devices, right now your looking at iSCSI (worst of both worlds) or native FC. I wouldn't really trust FCoE for a large SAN without a CEE ('datacenter Ethernet') based LAN (lossless, in order 10Gb Ethernet standard, basicly the best of Ethernet & FC merged).

      The real problem with FCoE (& FC in general) is that it is a notoriously misbehaved technology when doing vendor interop. So basicly Cisco is using it's ethernet dominance to push what should fundamentally be a better solution (one network for all) in order to push out the market leader in the FC space (Brocade/McData). For the near/medium term your going to need a FC storage core for you legacy storage devices & your NOT going to plug a Brocade SAN into a Nexus & get good results..... basicly, I hope you either don't have a legacy SAN environment or you have MDS switches in it already if you want to go that route any time soon.

      Don't get me started on the silly political fallout of merging a network & SAN team in a large organization :-( (hint: the SAN team will lose as there are less of us)

      By the way, anybody want to hire a SAN guy with ~7 years experience who's drooling for some IP and/or VMWare experience ? ;-) Something tells me the value of my current skill set is about to expire.

       

    3. Re:howto secure virtual machines by pyite · · Score: 1

      Don't get me started on the silly political fallout of merging a network & SAN team in a large organization :-( (hint: the SAN team will lose as there are less of us)

      Not sure how it happened, but somehow, where I work (a large company), SAN was another networking product from day 1. A storage team handles the endpoints much like a server team handles the endpoints on the IP network. But, we manage all the MDS and maintain the relationship with Cisco as we do for Ethernet/IP. It works well.

      --

      "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman

    4. Re:howto secure virtual machines by Anonymous Coward · · Score: 0

      Something tells me the value of my current skill set is about to expire.

      FCoE exists for the glory of Cisco and little else. It's a solution looking for a real problem. They list a lot of theoretical benefits, but the concrete benefit is that Cisco wins, everyone else loses.

      I feel your pain.

    5. Re:howto secure virtual machines by Anonymous Coward · · Score: 0

      This is not true, unless of course you are one of the legacy FC vendors about to be handed their shirt.

      On one hand you have the traditional FC and storage vendors who would love to see everything stay on native FC. FC is as closed an ecosystem as it gets. There are very few vendors and each of them controls a portion of the market (switches in the one corner, HBAs in another, storage end nodes in another). Interoperability requires months of testing in the lab and even then many of the advanced features do not work.

      A few years ago FC had a clear speed advantage with the ability to deliver packets in a lossless manner. But now its possible to achieve something similar with 10 GbE and the data center extensions. A converged network also means less cabling (half!) and switches at the edge, which is a significant issue in a large data center. Plus, you can ride the Ethernet price curve.

      The other FC advantage is its management framework. It helps to have trained administrators and best practices for managing large SANs. This is something that the iSCSI camp never got. You cannot manage a SAN by filtering TCP connections. FCoE keeps this framework intact, for better or worse, until something better comes along and that is a big advantage.

      Cisco clearly wants to make FC a service over Ethernet. There is opportunity for the other Ethernet vendors to help drive this towards a more open platform, but sadly there is no one at the table. The likes of Juniper and Extreme are missing from the discussion. But are you going to blame Cisco for that too?

    6. Re:howto secure virtual machines by Rorschach1 · · Score: 1

      That's great, but a VM Ethernet switch still doesn't offer the same gut satisfaction when it comes to shutting someone down.

      Back when I worked for the Air Force and the base I worked at was making the transition from a bunch of random little networks strung together with a 10 mbit CATV coax backbone and a single T1 line to a real campus with a fiber and a firewall, we had a Major in charge of our group (one of the few with real technical knowledge to ever hold that post) who's favorite policy enforcement tool was a pair of wire cutters.

      Yeah, it could have been done less dramatically, but sometimes a little showmanship is called for.

  6. Data Center IIIs? by Anonymous Coward · · Score: 0

    I'm still waiting for the Data Center IIs.

  7. Reasons for lack of HTTPS by jolyonr · · Score: 0, Offtopic

    In my experience this is down to

    1. belief that nothing of significant importance is being transmitted via HTTP anyway.

    2. complication/expense of setting up secure certificates. It's much cheaper than it used to be, but it's still quite complicated to install on your average server. Wildcard certificates are still a lot more expensive than they need to be (can anyone explain why these are so much more expensive - other than "because they can get away with charging that")

    3. inability for HTTPS to work with shared IP addresses. This is probably the major factor, many websites run as vhosts on the same IP, which is great for reducing our 'IP4 footprint' but not very good for HTTPS.

    4. Performance is obviously lower for HTTPS than HTTP, so for popular websites the hosting cost differences can be significant. Probably why google has put off shifting gmail to HTTPS for so long...

    None of these are justifications for NOT using HTTPS, just the usual problems I come up with when trying to persuade clients to switch to HTTPS.

    Jolyon

    --


    Please read my Canon EOS tech blog at http://www.everyothershot.com
    1. Re:Reasons for lack of HTTPS by quercus.aeternam · · Score: 1

      Don't you hate it when you post to the wrong thread?

    2. Re:Reasons for lack of HTTPS by jolyonr · · Score: 3, Informative

      buggeration!

      At least it was posted securely

      --


      Please read my Canon EOS tech blog at http://www.everyothershot.com
    3. Re:Reasons for lack of HTTPS by DiegoBravo · · Score: 1

      He just used the host' SAN IP address... so not off-topic.

  8. I blame the hypervisors... by Junta · · Score: 1

    For a large part, existing standards could still work, if the hypervisors would more fully embrace their role as 'edge switches'. Most problems already are addressed for edge management when the edge is a physical switch via various standards. The issue is that VMWare particularly doesn't bother to implement those, and as a consequence the networking industry has been applying various higher level hacks to gloss over it or work around it without actually having VMWare budge on their implementation.

    For example, VLAN membership. This is simple, we have GVRP/MVRP for standards based solution to the problem. There needs to be nothing special to virtualization here

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:I blame the hypervisors... by Anonymous Coward · · Score: 0

      There are three separate problems here.

      (a) Vmware does not understand networking nor do they want to get into the networking business more than they need to. Ergo, no native switch. And why stop at Vmware? How about xen or hyper v or whatever? Do you expect each to provide a fully capable virtual switch that would offer comparable features/performance to a real physical switch?

      (b) As a general case, server administrators don't necessarily understand networking and network administrators don't understand servers and OSes. Even if you could put a capable virtual switch in a server/hypervisor, they wouldn't agree on who and how it should be managed. This is a bigger issue than you may imagine in large setups.

      (c) Addition of thousands of virtual servers is a problem for physical edge switches. Services that they could offer per physical port and physical server no longer scale to virtual servers.

      So some new standards effort is required to address the above.

    2. Re:I blame the hypervisors... by butlerm · · Score: 1

      Comparable features? Yes. Comparable performance, not without hardware support. What you need in general is a (managed) switch on a NIC. Intel has hardware switch support on their latest (82576,82599 based) server NICs right now, although I don't think there is much in the way of switch function manageability. Most of the focus is around hardware NIC virtualization, so that network traffic doesn't have to be handled by the hypervisor.

  9. Wrong Question, Wrong Answer by Anonymous Coward · · Score: 3, Interesting

    Honestly, this entire thing is giving the wrong answer to the wrong question.

    Creating huge layer 2 networks and relying on elaborate management systems to try to keep your cloud system running is insane.

    I'm currently admining a system with several hundred servers, and a few thousand clients. Each of the servers is on it's own layer 3 network. There is some up front overhead, but ongoing operations of the entire thing, from a network point of view, is a breeze.

    DR is built in. It's the ultimate in flexibility. Feel like outsourcing an application? Move the network and VM to the outsourcer, and change the routing, done. Nothing changes from the app or users standpoint. The network becomes virtual with the servers and the applications. I have some servers that have multiple networks assigned to them (run multiple apps).

    Layer 2 is evil. STP is evil. VTP is the devil. Don't do evil. Virtualize the network with your servers. Do layer 3.

    moo

    1. Re:Wrong Question, Wrong Answer by Anonymous Coward · · Score: 1, Interesting

      How did you get Vmotion working over layer 3? I thought the overall concept of large l2 domains is NOT that everything is on the same subnet, but that any virtual machine workload can move to any location in the datacenter. Thus, any subnet to any rack. Layer 3 boundaries still exist for control and scaling across the DC.

    2. Re:Wrong Question, Wrong Answer by Anonymous Coward · · Score: 0

      Right, the whole VEPA standards effort is an effort by hardware makers to justify their expensive solutions in a virtual world.
      The same management, routing and control functions should be in the same virtual environment. BUT it means that would
      be a software based solution not a hardware based solution; and the Cisco's of the world want to keep the old
      proprietary hardware model.

    3. Re:Wrong Question, Wrong Answer by patniemeyer · · Score: 1

      I haven't studied this topic in detail, so maybe I'm wrong, but it does just seem on the surface like a desperate attempt by Cisco to get people to buy unnecessary, specialized hardware for cloud computing platforms. The whole point of the cloud is to scale everything on commodity hardware. If there is some overhead in routing inside the cloud then it would seem that the answer is to scale it up a small amount to accommodate that... Is there something magic in those Cisco boxes that can't be done in a generic machine?

    4. Re:Wrong Question, Wrong Answer by Anonymous Coward · · Score: 0

      It is called ASICS. The magic is the ability to do > 1Tb/s of low latency switching while applying security, monitoring and QoS services at deterministic performance while not loading down the host CPU so that it can concentrate on actually processing your application rather than moving packets across and outside VM. Let me know when you find a general purpose CPU that can do this.

    5. Re:Wrong Question, Wrong Answer by Anonymous Coward · · Score: 0

      At this time, wherever possible, each application is on it's own /29 (HSRP, dual router, plus app/server). In the case of a VM, usually it's one app per VM. We still have non-VM applications, but those are on /29's where possible as well.

      Obviously, Vmotion doesn't work across the layer 3 networks, but we're interested in Vmotion only within certain physically defined limits. The Vmotion, heart beat, layer two networks are unrouted vlans, without an v4 or v6 interface on the switch. Also, each vlan is contained on only 2 switches. Honestly, I've been surprised at how well that was handled by the server groups. Switch density is high enough now days that we can do this for the computing density we have at any of the data centers (Cisco 65/Nexus).

      In other words, we have all related Vmotion environments on the same pair of 10G switches. Connections from those switches to others are all layer 3. The only trunks in place are to the servers and between themselves. All server/blade connections are trunks.

      We have multiple datacenters, with SAN replication between those datacenters. The VM's are replicated via the SAN, so the DR plan at this time would be to simply bring up the VM's at one of the other DC's in the case of an outage, along with the networks.

      For the non-VM hardware, that data is replicated as well, but the DR plans are more involved, obviously.

      From the network viewpoint, DR'ing any DC is a matter of, cut, paste, no shut, go help the server/apps people start their stuff. This design is -so- much better in so many ways, it's amazing to me at times.

      From a non-DR point of view, it's performance, reliability, flexibility and management.

      Performance: Layer 3 has it completely. When you're the only thing on your vlan, you don't need to share the bandwidth. If I need to move an application from one network environment to another due to network utilization, it's not a big deal. Traffic is kept segmented, which allows better performance engineering.

      Reliability: Every server separated L3 from every other server creates very tight fault domains. The advantage should be obvious.

      Flexibility: Able to pick up a single application/server/vm and move it to any location, DC or not, insourced or outsourced, with no application changes, for any reason (DR, Business, performance).

      Management: This is obviously the only real "drawback". But it's hardly a drawback.

      You can throw security into this as well, they've had no complaints, since servers could be, with a relative amount of dynamism, moved so that each application into it's own security zone, if the need were to arise. Thankfully, they haven't come up with the concept of each server behind it's own firewall yet.

      moo

    6. Re:Wrong Question, Wrong Answer by badkarmadayaccount · · Score: 1

      CUDA. Or something like that.

      --
      I know tobacco is bad for you, so I smoke weed with crack.
    7. Re:Wrong Question, Wrong Answer by Anonymous Coward · · Score: 0

      Wrong paradigm. CUDA works for massively parallel tasks. Processing networking flows is more serialized than you may realize.

  10. AOE is nice for SANs by Anonymous Coward · · Score: 0

    Your post didn't even mention AOE. ATA-over-ethernet is where the bang for the buck is right now - fast, reliable, but there aren't knucklehead-tolerant toolsets yet so you have to actually know what you are doing if you want to do storage clustering, I/O fencing on shared storage, etc.

    AOE is clearly the path forward, though, from my experience. I ripped out all our FC except on the biggest HP-UX hosts, and all of our iSCSI. Been very happy for several years now!

  11. The End Game by butlerm · · Score: 1

    The end game for this is clearly not running all inter-VM traffic out to an external switch and then making a hairpin turn and sending it all back to the host. That is a workaround at best - it is a waste of hardware, a waste of energy, and a waste of bandwidth.

    One way or another this is going to be done on the host - either with appropriately enhanced switching support on the NIC or other advances in the CPU and the networking stack. Server CPUs should have inter-VM networking capability built into hardware, not an inter-VM Ethernet switch, but rather something more like an inter-VM RDMA engine. There is no point in using "Ethernet" to communicate between VMs on the same host other than portability.

    Breaking inter-VM communications down into little itty bitty packets, running them one by one through a virtual bridge table without the benefit of content addressable memory, and then back up through a virtual ethernet interface is not a particularly efficient use of resources.

    1. Re:The End Game by petermgreen · · Score: 1

      Breaking inter-VM communications down into little itty bitty packets, running them one by one through a virtual bridge table without the benefit of content addressable memory, and then back up through a virtual ethernet interface is not a particularly efficient use of resources.
      True, otoh making the physical and virtual networks one logical subnet makes the management much easier. Do you really want to have to reconfigure and possibly readdress everything just because you are moving a vm between host boxes to cope with demand?

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    2. Re:The End Game by butlerm · · Score: 1

      Do you really want to have to reconfigure and possibly readdress everything just because you are moving a vm between host boxes to cope with demand?

      No. What you do is use dynamic route updates so that if the the VM is located on the same host, IP traffic for the target VM is logically routed through the non-Ethernet virtual network. It doesn't even have to be numbered.

      Without hardware support, one could tweak the TCP stack to check if the destination is associated with a local VM and then ask the supervisor to "DMA" the whole TCP send into the receive buffers of the target TCP socket, or even better into the target application buffer (assuming there is a pending read). If the VM is relocated while there is still data waiting to be sent, the internal route will go away, and the remaining data can be transmitted through the physical ethernet interface as usual.

    3. Re:The End Game by Anonymous Coward · · Score: 0

      Many high performance apps do not use TCP, its not the best place to do this kind of a shortcut/zero copy transfer. But this could certainly be done at the IP layer. But IP itself is fairly low overhead, so once you agree to do it at the IP layer, there isn't much of a performance difference if you fall down to the Ethernet layer. And that's exactly what the SRIOV NICs are doing - Ethernet switching on a NIC.

  12. wtf is a cisco & vmware? by Anonymous Coward · · Score: 0

    Cisco are scared of becoming irrelevant, and VMWare have a third rate product to start with.

    Go play with xVM, use this:
    http://www.opensolaris.com/learn/features/networking/networkcrossbow/index.html

  13. Re: Software switches by butlerm · · Score: 1

    There is nothing new about software switches. Linux has had one for years. The nice part about the Cisco software switch is the addition of all the extra management and filtering features.

    The problem with software switches (or bridges) is that they aren't all that fast - anything in the data path that can't be offloaded to some sort of hardware is going to be relatively slow compared to a hardware switch. In fact, some of the latest Intel server NICs have built in hardware switches for inter-VM communications. I have no idea whether the Cisco VMware switch is able to leverage that. If not, it is going to be a *lot* slower. One might well wonder why Cisco doesn't get into the virtual Ethernet switch on a card market itself.