Cisco IronPort AsyncOS version 7.1 and Management version 7.2

In recent years we have seen a technology presented as revolutionary and as a way to obtain a considerable reduction in capital investment: system virtualization. Who today has not heard of solutions such as VMware or Hyper-V, which allow a single physical server to run several complete servers and so make the best use of hardware resources that are often under-exploited? The server becomes a file and a memory image, easily manipulated by the administrator, and provides significant management flexibility and high-availability features.

However, this concept is not really innovative in itself: it has been present in other fields, such as networking, for years, for example with VLANs, which make it possible to define isolated networks within the same physical equipment. The principle is the same, but the network support needed to implement such solutions from a system perspective is often neglected. This issue results from the combination of several factors that mean the development of such an architecture can quickly complicate daily administration and operating tasks.

The organization of many companies today is such that the roles and responsibilities of IT staff are well identified and their perimeters not very flexible. This depends on company size, but above a certain size one often finds a team dedicated to system management and another to network management. Now, the border between the two is normally already relatively thin, which necessarily implies overlaps and potentially a grey area around which the positioning of each team may be more complex.

Take, for example, traditional infrastructure services such as DHCP or DNS, now managed by one team and sometimes by another. Virtualization, by its very structure, tends to exacerbate this problem by incorporating virtual network components into an integrated solution designed to be deployed and managed on the systems side. The main example illustrating this point is the presence, in certain solutions, of “virtual switches”, working in close communication with the virtualization solution but also requiring interconnection with the company's physical network to obtain the access they need. In addition, these switches have a limited software engine: advanced debugging features such as the aptly named SPAN at Cisco are not present, so the data exchanged during an incident cannot be analyzed quickly and efficiently. The network administrator thus becomes a little more limited in the range of possible actions.

Moreover, the complexity increases when this virtual infrastructure is combined with physical machines such as “blade” servers, in order to obtain a higher concentration of servers within a rack and, consequently, to limit the wiring needed to operate the topology. The first point here is that this concentration, although beneficial in terms of space allocation in the data center, can quickly become problematic because of the volume of data exchanged at the interconnection points with the physical network. The design originally planned will be invalid in the very short term if these parameters are not taken into account. The other point is that these servers, often managed by systems teams, mostly integrate proprietary switching elements. It follows that hardware add-ons optimized for every need are used directly, and these do not necessarily interconnect with the elements of the existing network infrastructure (propagation of VLANs via VTP, Cisco EtherChannel management, and so on). These facilities, if they are not chosen methodically, may therefore result in additional operating cost, because they require updates and very specific training before teams can master them, or a longer ramp-up.

Finally, although today's virtualization solutions ensure complete isolation of shared memory areas, adding this layer undoubtedly adds a further security risk. One reason for this is that the components of the virtual infrastructure require rigorous patch management and software upgrades, because beyond the embedded operating system itself, compromising access to a virtual machine running on a virtual server infrastructure with security flaws would, for example, allow the attacker to pivot to other machines more easily. This is also why the design of the virtual architecture must not overlook the fact that network security perimeters must be properly respected, including the well-known trust zones spread over different DMZs, in order to minimize this type of threat. The aim is to avoid undermining, through what is deployed in the virtual environment, guarantees that have been proven for several years, such as the isolation provided by the 802.1q protocol.
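The paragraph above says trust zones and 802.1q isolation must survive the move into the virtual environment, which is only verifiable if someone actually checks where port groups and VMs land. The script below is an added example, not code from the article or from any vendor: it audits a constructed inventory of hosts, virtual switches, port groups and VM placements against a constructed zone policy (zone names, VLAN numbers and host names are all assumptions). It flags a virtual switch whose uplink mixes port groups from different trust zones, a port group whose VLAN is outside its zone, a port group using VMware's VLAN id 4095 (Virtual Guest Tagging, which passes every VLAN tag to the guest), and a VM placed in a port group of a zone other than its own.

```python
"""Audit a hypervisor port-group inventory against trust-zone rules.

Added example, not code from the original article. The inventory layout,
host names, zone names and VLAN numbers below are constructed for the demo.
"""

# Constructed policy: the VLANs each trust zone is allowed to use.
ZONE_VLANS = {
    "mgmt": {10},
    "dmz-web": {110, 111},
    "internal": {200, 201},
}

# VMware convention: VLAN id 4095 on a port group enables Virtual Guest
# Tagging, so the guest receives every VLAN the physical uplink carries.
VLAN_ALL_TAGS = 4095

# Constructed inventory: host -> vSwitch -> [(port group, VLAN id, zone)]
INVENTORY = {
    "esx01": {
        "vSwitch0": [("pg-mgmt", 10, "mgmt")],
        # DMZ and internal port groups share one uplink: zones mixed
        "vSwitch1": [("pg-web", 110, "dmz-web"), ("pg-app", 200, "internal")],
    },
    "esx02": {
        "vSwitch0": [("pg-mgmt", 10, "mgmt")],
        # pg-trunk hands all VLAN tags to the guest; pg-old uses a VLAN
        # that the "internal" zone is not allowed to use
        "vSwitch1": [("pg-trunk", 4095, "internal"), ("pg-old", 300, "internal")],
    },
}

# Constructed VM placement: (vm, host, port group, zone the VM belongs to)
VMS = [
    ("web01", "esx01", "pg-web", "dmz-web"),
    ("app01", "esx01", "pg-app", "internal"),
    ("db01", "esx02", "pg-trunk", "internal"),
    ("ops01", "esx02", "pg-mgmt", "internal"),  # internal VM on the mgmt port group
]


def audit(inventory, vms, zone_vlans):
    """Return a list of (finding code, subject) pairs, in inventory order."""
    findings = []
    pg_zone = {}  # (host, port group) -> zone, reused for the VM placement check
    for host, vswitches in inventory.items():
        for vswitch, port_groups in vswitches.items():
            zones_seen = set()
            for pg, vlan, zone in port_groups:
                pg_zone[(host, pg)] = zone
                zones_seen.add(zone)
                subject = f"{host}/{vswitch}/{pg}"
                if vlan == VLAN_ALL_TAGS:
                    # Guest sees every VLAN on the uplink: 802.1q no longer isolates it
                    findings.append(("GUEST_TRUNK", subject))
                elif vlan not in zone_vlans.get(zone, set()):
                    findings.append(("VLAN_NOT_IN_ZONE", subject))
            if len(zones_seen) > 1:
                # One uplink carrying several trust zones: a single host-side
                # misconfiguration bridges the DMZ and the internal network
                findings.append(("MIXED_ZONES", f"{host}/{vswitch}"))
    for vm, host, pg, zone in vms:
        placed_zone = pg_zone.get((host, pg))
        if placed_zone is None:
            findings.append(("UNKNOWN_PORT_GROUP", vm))
        elif placed_zone != zone:
            findings.append(("ZONE_MISMATCH", vm))
    return findings


if __name__ == "__main__":
    for code, subject in audit(INVENTORY, VMS, ZONE_VLANS):
        print(f"{code:18} {subject}")
```

Run as a script it prints one line per finding. The interesting property for the two teams discussed in the article is that the inventory is the only input: the systems team exports host, switch and port-group data from the hypervisor (how to export it is outside this example), the network team owns `ZONE_VLANS`, and the audit is the shared contract between them.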

The few points discussed above therefore argue for the fact that this type of project requires close collaboration between teams, to allow a smooth evolution of the network infrastructure and to support the needs expressed by virtualization. This is all the more true because addressing these few elements upstream of such a project makes it possible to study precisely the steps involved in setting up the base platform, and why not rethink the data center as a whole. More generally, this is what solutions such as those proposed by the Cisco Nexus range offer: an infrastructure for the deployment and support of virtualization, together with their share of innovations based on the convergence of SAN and LAN (Cisco's Data Center 3.0 vision).
And what about you, what has your experience been with this?
