September 24, 2008

Cisco and Hypervisors

Cisco announced some of the anticipated fruits of its partnership with VMware and its acquisition of Nuova (remember that Nuova's CTO Ed Bugnion was a VMware founder). As Ed says so well, server virtualization didn't break the applications, but it certainly broke the infrastructure. A switch and network management system that can't see the virtual NICs on virtual servers isn't very useful, so in this tranche of announcements Cisco remedied a lot of those problems with the introduction of a distributed virtual switch (software) that the physical Cisco data center switches can see and manage. It's an important step forward for virtual infrastructure, although we suspect just the first step.

September 12, 2008

The Microsoft POLP

Despite the name, this isn't something found during Steve Ballmer's most recent colonoscopy. It stands for Protocol Optimization Licensing Program, and it is how Cisco, Riverbed and others work with Microsoft to develop optimization solutions for key Microsoft protocols (e.g., MAPI) without the technical and legal risk of having to reverse engineer the base protocol. Riverbed's recent press release spoke of this as a "partnership," but that's probably not quite the right word (in fact these protocol license documents explicitly say they aren't partnerships, because that term has a specific meaning in Washington State commercial law). Although Microsoft provides access to these protocols, it still pretty much controls things because of the many patents underlying them. Understanding the protocol doesn't mean you can implement it (because of the patents), nor build "derivative" works (which is exactly what WAN optimization requires). That right comes only with an explicit license agreement (e.g., POLP) that includes a nominal payment and, more to the point, also forgives Microsoft any patent violation it might commit in doing its own version of the optimized protocol (cross licensing). I'm not sure I would call that a "partnership."

April 24, 2008

Cisco and EMC Announce (something)

Cisco held a press/analyst day just before RSA that included a very interesting customer visit to (and dinner with) Esurance, the Web-based auto insurance company with the flashy cartoon ads. The event started with a "big" announcement of a partnership with RSA, specifically integrating information from EMC's Infoscape technology (where the Tablus DLP content analysis technology ended up) with the Cisco Security Agent, so that users would be notified when they were about to do something inappropriate with sensitive files. The cooperation makes sense and the basic ideas are noteworthy, but on balance the discussion seemed premature because what was actually being committed to was vague and sounded more like a "Barney" announcement ("I love you, you love me, we're a happy family!"). There was more than enough side story to make up for any holes, however. Richard Palmer, the long-time Cisco security SVP and GM, is moving off to run the edge router group (a $6-7B business!) and Scott Weiss, the GM and previous head of IronPort, is going to take over the larger security effort. The IronPort people certainly think of security well outside the network box, so it will be interesting to see how they change direction and speed.

March 17, 2008

Plays well with the other children!

Cisco and Microsoft, each a powerful competitor and market leader, have also shown that they can work together when so "encouraged" by their large mutual customers. The most impressive example, at least in our bailiwick, is the recent announcement of the addition of Windows Server services to Cisco WAAS acceleration appliances. In addition to WAN acceleration, many customers need basic Windows services in branch offices, and the fact of the matter is that no one does Windows like Microsoft (I guess we shouldn't be surprised). So, leveraging virtualization, Cisco is supporting a virtualized Windows Server 2008 running as a guest O/S on top of the Linux-based Cisco WAAS system. Once enabled, these WS2008 guests are discoverable and manageable by Microsoft's System Center. This initial implementation is pragmatic: it uses the KVM module in Linux to host the guest rather than virtualizing the WAAS system itself, so further interesting shoes may yet fall. In the same timeframe Riverbed announced the Riverbed Services Platform (RSP) on a similar path. In its first release the RSP is even more pragmatic, enabling the protected execution of Linux code from partners, but the second phase, due at the end of the year, is said to be much like what Cisco has done.

January 29, 2008

Overview of Today’s Newsletter Topics

Cisco is a remarkably vibrant $40B company doing business in a challenging industry where product prices are rapidly commoditized. Networking equipment is highly standardized and there is no shortage of vendors happy to sell at a lower (than Cisco) price. Through all this Cisco continues to transform, evolve and deliver innovative products to the market. Today Cisco introduced the Nexus family of switches, and in December it introduced the TrustSec architecture; we describe both briefly here and cover them more thoroughly in reports for our clients. Both are excellent and fascinating examples of what a vibrant company with dominating market share (Cisco probably prefers we don’t use that term, but let’s call a spade a spade) can do even in such a constrained market space.

NEXUS -- Data Center Switching Redefined

Today Cisco announced the NEXUS switch family, a remarkable redefinition of data center switching. Over the last five years the data center has become more and more of an IT focus, driven by these forces:

1. The increased deployment and use of shared, server-based applications and services,

2. The desire to improve IT cost efficiency (through consolidation),

3. The need to more carefully govern and control IT activities (regulatory compliance) and

4. The need to protect sensitive and private data.

The increased focus on the data center has in turn made it fertile ground for innovation and yielded technology-enabled breakthroughs such as data center virtualization. As data center technologies and architectures evolved, the network stood out as much as a limitation as an enabler, in ways that seemed difficult to fix with just improved features.

From this perspective we can see that what Cisco has done with Nexus is an impressive, systematic improvement to data center switching. Some of the elements we have seen before (what Cisco calls switch “virtualization,” for example). We knew that Cisco was working with Nuova to improve Ethernet so that it could serve as a transport for Fibre Channel SAN protocols. We had already seen in the Catalyst line how Cisco evolves a product line for customer investment protection, assuring that essentially all the components in the switch can be upgraded independently -- new control processors, new data backplane, and of course new line cards -- and that the old line cards have the firmware flexibility to adapt to evolution in other parts of the switch. We knew that Cisco could, and liked to, do high-speed custom silicon (a great barrier to entry). NEXUS has all of that built into what is really a completely new network system for data center applications.

NEXUS represents a large and expensive product development effort for Cisco which we won’t try to describe in any real detail, but here are the key aspects:

1. Evolve switching so that Fibre Channel SAN traffic can use the same network fabric. NEXUS not only carries LAN and SAN traffic over the same switch but can use a single port for both. Converging these networks simplifies the data center infrastructure, reduces CapEx and OpEx and, according to Cisco’s numbers, saves an amazing amount of power when you consider the reduced number of server adapters required.

2. Create a data center network architecture where all ports are equal, minimizing the need for physical network moves, changes or re-cabling while supporting the IT agility inherent in a virtualized data center (the ability to move applications between servers at will).

3. Reduce CapEx while providing very high availability. This is where switch virtualization yields high returns, by eliminating the need for “standby” devices and using them in the network full time.

4. Improve network availability by greatly reducing re-convergence time after a failure. Cisco makes heavy use of Layer 2 coordination between the devices, avoiding the recovery delays that come with traditional spanning tree algorithms and thereby also flattening the topology toward the goal of having all ports equal for all tasks.

The net result over time is a data center network that is faster, more reliable and cheaper, hence what we think of as a real step forward. Along the way the feeds and speeds improve a lot. Having enough backplane capacity to assure that the backplane is never the limitation was key to integrating FC SAN traffic. The switch uses a new operating system derived from the SAN-OS used in the MDS 9000 SAN switching products. FC requires lossless delivery (frames must not be dropped under congestion), which is quite different from Ethernet’s traditional best-effort delivery. Since a lot of the features required in WAN routing don’t need to be supported in the data center, it made sense to move to an O/S platform with these key SAN primitives.

Cisco says that it set about rethinking data center switching when it began this effort quite a few years ago. Typically “rethinking” is added by the marketing people when a project is done, but in this case we think it’s probably true. This kind of wholesale, systematic redesign is something only Cisco can do in enterprise networking (remember they own 70%+ market share to their nearest competitor’s 7%). Most dominating companies get lethargic and spend more time resting on their laurels and improving the bottom line a little by constraining R&D spending. We’re delighted that Cisco is still driving progress so aggressively.

Cisco TrustSec Architecture

Cisco’s TrustSec architecture significantly advances the state of the art in network-provided security. Security was much easier when the action was primarily at the enterprise headquarters. We had a “perimeter” model of security: if a user was inside the perimeter (local) they were trusted, and access from outside the perimeter was not. Life was very simple.

But over the last five years the perimeter has pretty much become useless as a means of judging or enforcing security. Most enterprise users are no longer within the headquarters network. Compliance, security and privacy issues require that we “distrust” internal users. Where the user is doesn’t particularly help, while at the same time securing applications and data is increasingly important. What should we do?

IRG has long believed that the right answer, categorically, is an evolution to “identity-based” networking where the identity of the user is the prime determinant, not just their network location, but how should this be implemented? Historically the prime means of defense were various forms of firewall rules, typically keyed off of source and destination IP address (network location again) augmented by some understanding of the specific flow (the application related to the traffic). Firewall rules were at best complicated (at worst incomprehensible), especially considering that firewalls were typically located in the “middle” of the network, where there was a lot of work to be done because of the diversity of flows transiting that part of the network -- sorting out what all the traffic was and then looking for the rules specific to that traffic. The difficulty of the approach was compounded by the challenge of fully understanding how traffic flows in a network and assuring that there aren’t any unanticipated sneak paths that bypass the security devices.

A set of vendors including Nevis, Consentry and Vernier attacked this problem by putting much more intelligence at the network ingress points (e.g., where users connected to the network), and then using the user’s identity to determine the specific rules governing what they could do on the network. The difficulty in this approach is that it requires use of a new class of access switches with a great deal of security functionality on each port.

Cisco TrustSec re-factors the problem very creatively. The architecture encompasses these ideas:

1. Make the enterprise network more trustable (increase the confidence about the data that has transited the network);

2. When traffic enters the network, tag each packet with an identifier that signifies what is known about it, and do so in a way that most directly reflects how that data can be trusted; and

3. Filter the data on exit from the network (e.g., at the point the network connects to a server) by acting on the tags.

TrustSec represents a long and large investment for Cisco; we can’t describe the details adequately here and won’t try. But the 50,000 foot view is relatively simple. We make the network trustable by (a) authenticating network devices before we let them join the network -- the device equivalent of NAC for people. For example, we can check the device serial number and the revision level of the firmware, verify that the signature on the firmware is authentic, and admit the device only if all those tests pass. Then (b) we encrypt the links between authenticated devices so that the data cannot be snooped and, more importantly, can’t be modified by a “man in the middle” attack. This is done link by link (Cisco uses the IEEE 802.1AE standard for it), keyed from the certificates received as part of the authentication process. The point a practitioner should note is that it is the per-link integrity check, not the confidentiality, that lets a downstream device trust that a tag wasn’t rewritten in transit; encryption alone would hide the data but not detect tampering.

With a trustable network in place we next annotate traffic as it enters the network with what we know about it from a security perspective. Because the network is trustable, we can confidently act on that tagging when the data exits the network, knowing it hasn’t been modified in transit. To simplify the filtering at the egress point, TrustSec is designed so that the tags identify a trust category (Cisco uses the term role), which makes the filtering task as simple as possible since there are no complex IP-address-based rules to evaluate later on. A server, or the switch in front of it, only has to know which roles’ traffic to pass.

Finally, in a TrustSec-based implementation, we need a way of tagging the data on entry. Cisco has announced a new family of edge switches capable of doing this tagging at line rate (a much simpler task than the challenge Nevis and Consentry had of doing full traffic identification and firewalling at line rate). An evolved version of NAC is used to authenticate the user and identify the suitable trust class (role) to assign to that user’s traffic. Anticipating that Cisco customers aren’t going to do a wholesale refresh of their edge switches to implement TrustSec, there is also a form of implementation in which the tagging is done by a switch inward from the edge, coordinated with edge-implemented NAC via out-of-band control plane communication.
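
To make the three-step model concrete, here is an added example of our own (not Cisco code, and not a description of how TrustSec is actually implemented) that models the data path in Python: a switch is admitted only if its serial, firmware revision and firmware signature check out; the edge stamps each frame with the role that NAC assigned to the user; each hop carries an integrity check so the tag can't be rewritten unnoticed; and the egress side applies a role-to-resource policy with no IP addresses in it. The serial numbers, firmware images, users, roles and keys are all constructed for the example, and HMAC stands in for real firmware signatures and for the link-layer protection.

```python
"""Toy model of the TrustSec data path described above: admit a switch only
if its identity checks pass, tag frames at ingress with the user's role,
integrity-protect the tag on each hop, and filter at egress by role rather
than by IP address.  Serials, firmware images, users and keys are all
constructed for the example; HMAC stands in for real signatures/link crypto."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# --- (1) device admission: the switch equivalent of NAC -------------------
FIRMWARE_SIGNING_KEY = b"vendor-signing-key"      # stand-in for a vendor signature key
MIN_FIRMWARE = (4, 1)                             # oldest firmware revision we will admit
INVENTORY = {"SW-EDGE-001", "SW-EDGE-002", "SW-DC-001"}   # constructed serials

def sign_firmware(image: bytes) -> str:
    """HMAC stands in for the vendor's firmware signature in this example."""
    return hmac.new(FIRMWARE_SIGNING_KEY, image, hashlib.sha256).hexdigest()

def admit_device(serial: str, rev: str, image: bytes, sig: str) -> bool:
    """Known serial, firmware not below the floor, valid signature: all three or nothing."""
    if serial not in INVENTORY:
        return False
    if tuple(int(p) for p in rev.split(".")) < MIN_FIRMWARE:
        return False
    return hmac.compare_digest(sign_firmware(image), sig)

# --- (2) per-link integrity: what makes the tag trustable downstream ------
def link_key(serial_a: str, serial_b: str) -> bytes:
    """Per-link key agreed at admission time (the derivation here is made up)."""
    pair = "|".join(sorted((serial_a, serial_b))).encode()
    return hashlib.sha256(b"link|" + pair).digest()

@dataclass
class Frame:
    user: str
    dst: str            # destination resource class, e.g. "payroll-db"
    payload: bytes
    role: str = ""      # tag stamped at ingress
    mac: str = ""       # per-hop integrity check

def _covered(frame: Frame) -> bytes:
    return f"{frame.user}|{frame.dst}|{frame.role}|".encode() + frame.payload

def protect(frame: Frame, key: bytes) -> Frame:
    """Bind the tag to the frame so an in-path device cannot rewrite it unnoticed."""
    frame.mac = hmac.new(key, _covered(frame), hashlib.sha256).hexdigest()
    return frame

def verify(frame: Frame, key: bytes) -> bool:
    expected = hmac.new(key, _covered(frame), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, frame.mac)

# --- (3) tag by identity at ingress, filter by role at egress -------------
USER_ROLE = {"alice": "hr", "bob": "engineering", "guest42": "guest"}  # constructed NAC result

def ingress_tag(frame: Frame) -> Frame:
    """NAC has already authenticated the user; the edge switch only stamps the role."""
    frame.role = USER_ROLE.get(frame.user, "guest")   # unknown users get the least trusted role
    return frame

# Egress policy is role -> resource; note there is no IP address anywhere in it.
EGRESS_POLICY = {
    "payroll-db":  {"hr"},
    "source-repo": {"engineering"},
    "intranet":    {"hr", "engineering"},
    "internet":    {"hr", "engineering", "guest"},
}

def egress_allow(frame: Frame, key: bytes) -> bool:
    """Act on the tag only after the hop MAC checks out, then apply the role policy."""
    if not verify(frame, key):
        return False
    return frame.role in EGRESS_POLICY.get(frame.dst, set())

def send(user: str, dst: str, tamper_role: Optional[str] = None) -> bool:
    """One-hop path: edge switch tags and protects, data center switch verifies and filters.
    tamper_role simulates an in-path attacker rewriting the tag after it was protected."""
    key = link_key("SW-EDGE-001", "SW-DC-001")
    frame = protect(ingress_tag(Frame(user, dst, b"request")), key)
    if tamper_role is not None:
        frame.role = tamper_role
    return egress_allow(frame, key)

if __name__ == "__main__":
    good = sign_firmware(b"fw-4.2-image")
    print("admit known 4.2 switch:", admit_device("SW-EDGE-001", "4.2", b"fw-4.2-image", good))
    print("admit downrev 3.9 switch:", admit_device("SW-EDGE-001", "3.9", b"fw-4.2-image", good))
    print("admit unknown serial:", admit_device("SW-ROGUE-9", "4.2", b"fw-4.2-image", good))
    print("alice -> payroll-db:", send("alice", "payroll-db"))
    print("bob -> payroll-db:", send("bob", "payroll-db"))
    print("guest42 -> intranet:", send("guest42", "intranet"))
    print("bob with forged hr tag -> payroll-db:", send("bob", "payroll-db", tamper_role="hr"))
```

The last call in the demo is the one that matters: bob's frame with a forged "hr" tag is dropped not because the egress switch knows anything about bob, but because the hop integrity check fails. That is why steps (a) and (b) have to be in place before anyone can act on the tags, and why the egress policy can stay as small as a role-to-resource table.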

The net result of this is to greatly diminish the role of traditional firewalls for this kind of security while emphasizing NAC and data center switching all of which makes sense given Cisco’s market strength. So we give Cisco two thumbs up for TrustSec for significantly advancing the state of network-enforced security!

January 21, 2008

Cisco Reorganizes Engineering

We usually don't pay a lot of attention to Cisco organization changes as long as John Chambers is still in place at the top, but the recent engineering changes caught our eye. It starts with the Chief Development Officer -- Charlie Giancarlo -- leaving to join a Private Equity firm. The plot gets somewhat more interesting if you add in the fact that Chambers just hired Padmasree Warrior as CTO (she had been Motorola's quite visible CTO prior). Cisco's CTO role had been open since last held by Charlie, and not very visible since Judy Estrin left in 2000. Warrior will report directly to Chambers as will the engineering functions. The other interesting change is that Chambers has built a software group led by Don Proctor and including the other major software development organizations. From our perspective software is at the core of Cisco's future given the system nature of most of Cisco's strategic initiatives. We look forward to seeing what Proctor decides to do.

November 30, 2007

Cisco Rolls On

We had a number of interesting briefings from Cisco recently. Maybe we're just getting older (undeniable fact), but it's really exhausting to try and keep up with Cisco innovation, and from time to time you wish they would get smug and self-contented and just back down for a while. One briefing was about the empowered branch (every possible gizmo for your ISR router you could hope for). The second was about the Campus network fabric. We're told that CMO Sue Bostrom is working hard to make Cisco focus more on the value proposition and less on the feeds and speeds when marketing is done. Can't come a minute too soon if you ask us. The Campus fabric announcement is a great example: Cisco improved the switch software so pairs of switches could share state and be managed as a single switch. That seems to have been quite an engineering accomplishment. But the impact to the customer is simple and dramatic, because all of a sudden standby switches can share load and you get a 2X cost-performance improvement. You would think that would be on slide #1; not the case. And to add insult to injury Cisco calls this switch "virtualization" because that's the term used in the network community, as if "virtualization" wasn't overloaded enough already. Since we doubt that Cisco will slow down innovation and engineering anytime soon, we're rooting for Sue's team to simplify the explanations so our aging heads won't hurt so much (or in this case should it be "routing"?).

Web 2.0 Comes into Focus

(Or maybe it was just a little stroke). We've been skeptical about the real business behind Web 2.0 but over time it appears a little more real. Cisco probably is an ideal test to look at. Chambers believes in eating the dog food and then helping customers from that "been there, done that" perspective. Furthermore John thinks that network-enabled collaboration will be the next big economic boost. Most importantly Cisco is deeply into the concept (collaboration dog food), having created twenty strategic thrusts which wouldn't be possible without a lot of collaboration to bring together world-wide teams (that's a hideous over simplification but probably captures the basic idea). It's in this context that the potential for "Web 2.0" should be considered. The good news is that it seems real and potentially revolutionary (don't have room for the details but that's the conclusion). The bad news is that the value of Web 2.0 seems to depend to a large degree on understanding the need for organizational transformation, something that ain't easy and that Cisco has been tinkering with for a decade now. And if that weren't bad enough ask a compliance officer what they think of Web 2.0 and user constructed mashups for building business applications. It's hard enough to transform corporate ERP and wire in all the employees but that seems to be easy compared to really embracing Web 2.0. So: neat stuff but organizationally challenging. Hopefully Cisco will really succeed and in doing so light the fire under the followers.