Plexxi?

NetworkGroover · August 17, 2015, 01:57:23 PM

Have you guys heard of them? I rarely ever do, just curious if you have, if you've used them, and what was your experience with them? Thanks.

that1guy15 · August 17, 2015, 03:33:09 PM

They hit the scene pretty hard a few years back and made a ton of noise. I was very impressed with their product line and how they meshed their switches. Affinity also seems interesting. I would sto;; like to see more out of these guys but Im not hearing anyone talk about them anymore. Nor have I heard of anyone deploying Plexxi either.

Their Network Field Day videos are pretty good and give a good insight into what they where doing. Should be a good place to start
http://techfieldday.com/companies/plexxi/

deanwebb · August 17, 2015, 03:48:33 PM

Their address is 100 Innovative Way. They might be Innovative.

Just saw an article that said that they make SDN switches to work with Cisco's ACI.

There are a LOT of buzzwords on their webpage.

Found this: http://dailycloud.info/plexxi-goes-beyond-hype-to-find-successful-business-models/

Plexxi is plowing straight into Cisco's switching market... but supporting ACI? Sounds like the ACI support is a trojan feature. "You'll get your Cisco ACI, without dealing with Cisco licensing!"

Then, this: https://www.sdxcentral.com/articles/news/plexxi-switch-2-series-adds-a-layer-1-wormhole/2015/07/

Layer 1 switching? MADNESS! But the HFT Flash Boys will buy that up faster than you can say "Rigged LIBOR Market". 50 nanosecond latency... duuuuuude!

that1guy15 · August 17, 2015, 04:17:52 PM

In a nutshell they are using DWDM technologies to form a mesh while all switches are physically connected in a ring. The optics used pass all channels through unless they are configured to terminate on the local switch. Pretty much just like a DWDM/CWDM ring setup. The network controller and software tools are used to simplify this set up and dynamically adjust the fabric based on load and traffic patterns. Affinity is their token and they are pushing this as the future of their company from what I understand.

deanwebb · August 17, 2015, 04:37:14 PM

Quote from: that1guy15 on August 17, 2015, 04:17:52 PM
In a nutshell they are using DWDM technologies to form a mesh while all switches are physically connected in a ring. The optics used pass all channels through unless they are configured to terminate on the local switch. Pretty much just like a DWDM/CWDM ring setup. The network controller and software tools are used to simplify this set up and dynamically adjust the fabric based on load and traffic patterns. Affinity is their token and they are pushing this as the future of their company from what I understand.

Good summary... so now I wonder where the security goes in that ring... no, that would degrade performance. Can't have that. Guess security sets up outside the ring. No, that would degrade performance as well... so security has to go *in* the ring, via Cisco ACI.

That's an interesting hitch in the giddyup, as it means that the customer will need Cisco ISE to handle network access. So is Plexxi planning to cut Cisco's switching market by boosting their security presence? No messing around with Cisco licensing on the switches, but loads of licensing mess with the security? This seems to be where the Cisco sales rep will get the company to buy ISE - because they need it for ACI, right? - and then, once that deal is inked, show them a HUUUUUUUUUUUUUUUUUUGE discount on switches, just to keep Cisco gear in the data center.

NetworkGroover · August 17, 2015, 05:48:21 PM

From what I understand their solution is pretty closed and not a heck of a lot of interoperability... so you won't see much integration there, Dean. I guess they're banking on what their CEO said in one of his presentations that in 10 years we'll see more Plexxi networks and less of Cisco, Juniper, Arista, etc... because "they're all the same switch with different paint colors". Time will tell.

You're spot-on that1guy15. Everything is centralized around their Affinity API. I watched a couple videos and I just don't get it. It seems they're trying to re-invent the wheel with a SDN spin and I feel that depending on what kind of bandwidth you're looking at, you're going to see some undesirable oversubscription at some point. And with Trident2 ASICs and their 12MB of buffering... curious to see what their performance will be at scale. And then, does this eliminate almost all senses of deterministic behavior? How do you troubleshoot this? Are you completely dependent on the controller?

that1guy15 · August 17, 2015, 07:14:52 PM

Yup all good questions Steven!

Dean for the security stuff I would focus in on Affinity and how it is leveraged. Security is built into the software side of SDN. If I understand it correctly its similar to how ACI is claming and how NSX have integrated firewalls.

deanwebb · August 17, 2015, 08:26:28 PM

Well, I'm going off the comment made that they were embracing ACI... but, anyway, it's still going to involve going to the AD in an organization for permissions. That's already happening with file and folder permissions, so I see blocking traffic based on an account permission as running extra CPU cycles on the switch/router to keep that traffic off the network - traffic that, once it gets to the server, would be rejected anyway by a server spinning *its* CPU to handle that deny. That packet being modified for whatever SDN security is in place is basically adding one more envelope that has to be looked at by every device in the path, and then a decision made on it by that same device. Instead of just taking it off one wire and dumping it on another, there's that introduction of latency. And, again, if the traffic gets to the server and then is dumped by a decision made at that server, then all that time used to make that decision in the network devices gets forwarded to the server, where it is consolidated in one big decision.

Now I have to ask... how is the SDN security itself secure? Is there encryption in it? Are there anti-playback and anti-repeat features in it? How is integrity of the security information assured? Because if I can have a device listen to the wire (or wireless), pick up a packet or two, and then use the security info in it to emulate the permissions needed to arrive at a remote target, then I reach that target to do what I can do.

And now I also have to ask, how does this SDN work with wireless? Maybe this should all be in separate threads, I dunno... But a ubiquity of connections in wireless becomes either one-way broadcast or jamming in my imagination.

that1guy15 · August 17, 2015, 08:43:52 PM

Whew, this is a pretty broad topic in an arena where most people cant agree on what SDN is or means more or less HTF do we secure it!?!

But WTH Ill give it my best go.

ACI, Plexxi, Big Switch, and several other "SDN/NFV" vendors out there have dropped the idea of vlans and lumping devices together based on those VLANs/subnets. Instead they are building the network up based on flows. When setting up any of these vendors you establish rules for traffic flows. An example would be a flow would be need for App servers needing to talk to the DB cluster or the Web tier needing to hit the app cluster. Each vendor has their own way of controlling flows and what is allowed and denied and from who. Pretty much a stateless firewall at each source interface which is all managed through the central controller.

That is where I see security taking its place in this space. No more having to kick all traffic to the firewall for proper inspection before passing it to the destination. Each interface has a distributed firewall w/ policies directly attached.

Another thing I have observed with these vendors is IPS/IDS and capture/SPAN visibility is great enhanced. Each of these vendors (I think) can quickly spin up a packet capute or monitor of a specific flow, interface or area of the network. Want a good example check out Big Switch's "Big Tap" monitoring fabirc. http://www.bigswitch.com/products/big-tap-monitoring-fabric

Big switch also has a very good online lab of their product that give a great view of what I just went over. Its free and I highly recommend jumping in and playing around.
http://labs.bigswitch.com/users/login

icecream-guy · August 18, 2015, 07:12:06 AM

Quote from: that1guy15 on August 17, 2015, 08:43:52 PM
.

ACI, Plexxi, Big Switch, and several other "SDN/NFV" vendors out there have dropped the idea of vlans and lumping devices together based on those VLANs/subnets. Instead they are building the network up based on flows. When setting up any of these vendors you establish rules for traffic flows. An example would be a flow would be need for App servers needing to talk to the DB cluster or the Web tier needing to hit the app cluster. Each vendor has their own way of controlling flows and what is allowed and denied and from who. Pretty much a stateless firewall at each source interface which is all managed through the central controller.

That is where I see security taking its place in this space. No more having to kick all traffic to the firewall for proper inspection before passing it to the destination. Each interface has a distributed firewall w/ policies directly attached.

Ivan Pepelnjak, has an interesting take on why SDN will not solve real life problems, here.

http://blog.ipspace.net/2015/08/sdn-will-not-solve-real-life-enterprise.html

Interesting read.

Also, we had Brocade in here last week, giving their take on SDN, built on the OpenDaylight platform https://www.opendaylight.org and based on the Vyatta controller. It was pretty interesting, although they really did push the integration with VMWare and NSX, it's basically the same thing, but not requiring proprietary hardware to run an open system such as cisco.

Free trial for Brocase SDN here
http://www1.brocade.com/forms/jsp/sdn-controller/index.jsp?src=WS&lsd=BRCD&lst=Banner&cn=SDN-GDG-15Q1-EVAL-Vyatta-Controller&intcp=lp_vyatta_controller_download_pd_bn_00001

that1guy15 · August 18, 2015, 08:10:56 AM

Yeah caught that post the other week. He makes very good points. IMO I dont see most of this getting any traction outside of the DC. Even then for most small/medium DCs, these type of solutions are overkill.

I was present at one of Broacades first presentations on their controller. I think they are doing some good stuff and their solution is in the top3 for me to stand up and play with after my CCIE. Its not my favorite because of its complexity. I might be off but other solutions have a much cleaner, simpler user experience and I am all about simplicity

Sorry Steven, this thread went way off into the deep-end

...
..
.
Plexxi... Yeah they have really kick ass socks that I need to try and figure out how to get my hands on more!!

SimonV · August 18, 2015, 08:19:36 AM

Quote from: ristau5741 on August 18, 2015, 07:12:06 AM
Ivan Pepelnjak, has an interesting take on why SDN will not solve real life problems, here.

http://blog.ipspace.net/2015/08/sdn-will-not-solve-real-life-enterprise.html

Interesting read.

Loved the article in the comments!

http://www.crn.com/news/networking/300077381/united-airlines-flight-delaying-network-issues-would-be-fixed-by-sdn-vars-say.htm

deanwebb · August 18, 2015, 09:33:26 AM

Ivan's article is great, as are the comments... if you put developers in charge of the network, I guarantee that they'll commit all the fallacies of distributed computing:
1. The network is reliable.
2. Latency is zero.
3. Bandwidth is infinite.
4. The network is secure.
5. Topology doesn't change.
6. There is one administrator.
7. Transport cost is zero.
8. The network is homogeneous.

And, of course, the fallacies of network security:
1. The network can be made completely secure.
2. It hasn't been a problem before.
3. Monitoring is overkill.
4. Syslog information can be easily reviewed.
5. Alerts are sufficient warning of malicious behavior.
6. Our competition is honest.
7. Our users will not make mistakes that will jeopardize or breach security.
8. A perimeter is sufficient.
9. I don't need security because nobody would want to hack me.
10. Time correlation amongst devices is not that important.
11. If nobody knows about a vulnerability, it's not a vulnerability.

If a developer doesn't understand that the essence of networking is transmitting electric signals along a conductor, he's going to think that everything will always move at the speed of light through a vacuum and that processing packets introduces no overhead considerations. Put another way, SDN makes every network device a firewall with IPS module running... and these packets aren't going to be custom-designed to fly through at 10Gb/sec.

NetworkGroover · August 18, 2015, 12:23:09 PM

Holy sweet jesus this blew up.

NetworkGroover · August 18, 2015, 12:27:18 PM

Quote from: that1guy15 on August 18, 2015, 08:10:56 AM
Yeah caught that post the other week. He makes very good points. IMO I dont see most of this getting any traction outside of the DC. Even then for most small/medium DCs, these type of solutions are overkill.

In its current form, I'd agree with you. It's very bleeding edge right now. Just like back in the day only rich dudes had cell phones. As it matures though, I think we will see change - you'll see 12 year olds managing Facebook data centers from their iPad2000S.

Security is another matter, but SDN also helps there, like Arista's DirectFlow Assist to offload processing from a Palo Alto firewall, for example. Unfortunately there's just way too much in the world for one vendor to do it all, so I think the right approach (bias, I know) is to stay in your lane, and work to integrate with best-of-breed security products.