Management
Configuration and management options abound for any network device. Most content switches provide a CLI (command-line interface) and some sort of GUI--either browser-based or via a traditional client/server architecture. The question is not whether the device provides the capability but what connectivity and security mechanisms are used.
CLI access is often provided via a direct console connection, which is the most secure access since it requires physical access to the device. The same CLI is also available via telnet (not so secure) or SSH (more secure than telnet) connectivity where ACLs (access-control lists) provide some security. GUIs are common, and traditional client/server configuration and management applications provide better control over access than do browser-based clients--though both can often be secured with ACLs (IP- and user-ID-based).
For truly remote configuration access, browser-based access is a relatively secure solution. A secure connection via SSL is often employed, with user-based authentication ostensibly preventing access by unwanted parties. SSH is preferred for remote connectivity to the CLI because it can be locked down and provides a measure of security by encrypting the connection.
Once your solution is in place, management and monitoring are next. Your content switch should be able to notify you of failures via pager/e-mail directly or by tossing out an SNMP trap that can be used by a third-party network-management solution. Most vendors offer direct contact, SNMP traps or both.
Another management consideration is the method by which you're notified when a server within the cluster needs attention. You'll want to know when a server is out of commission and when it's serving up invalid content. Content switches serve content based on URL, and if the server to which a request is directed is no longer serving the correct content, your site is broken.
Content-aware health checks, which verify the availability of each server and provide validation of the content of each server, are paramount in ensuring the health of your site. In a global load-balancing situation, this is even more important as content is updated and pushed to distributed clusters around the world. Most content-switch vendors provide this capability, but always check carefully--this is a feature you don't want to be without.
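The distinction the two paragraphs above draw (a server that is down versus one that is up but serving the wrong content) is what a content-aware health check has to make. The following is an added example, not code from the article or any vendor's product; it assumes a `fetch(url)` hook returning an HTTP status and body, and the marker string, digest and server names are constructed.

```python
# Added example (not from the article): content-aware health check that tells a
# dead server apart from one that is up but serving the wrong content.
# Assumption: fetch(url) returns (status, body); marker and digest are ours.
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Fetch = Callable[[str], Tuple[int, bytes]]  # hypothetical transport hook

@dataclass
class Server:
    name: str
    base_url: str
    failures: int = 0   # consecutive non-ok checks
    healthy: bool = True

def check_content(fetch: Fetch, server: Server, path: str, marker: str,
                  expected_sha256: Optional[str] = None) -> str:
    """Return 'down', 'invalid' (up but wrong content) or 'ok'."""
    try:
        status, body = fetch(server.base_url + path)
    except OSError:
        return "down"
    if status != 200:
        return "down"
    if marker.encode() not in body:
        return "invalid"
    if expected_sha256 and hashlib.sha256(body).hexdigest() != expected_sha256:
        return "invalid"   # e.g. a stale copy after a content push to a cluster
    return "ok"

def update_pool(fetch: Fetch, servers: List[Server], path: str, marker: str,
                max_failures: int = 2) -> Dict[str, str]:
    """One check round: a server leaves rotation after max_failures consecutive
    non-ok results and comes back after a single ok result."""
    results = {}
    for s in servers:
        results[s.name] = check_content(fetch, s, path, marker)
        if results[s.name] == "ok":
            s.failures, s.healthy = 0, True
        else:
            s.failures += 1
            s.healthy = s.failures < max_failures
    return results

def in_rotation(servers: List[Server]) -> List[str]:
    return [s.name for s in servers if s.healthy]

# Constructed responses standing in for real servers: web1 is healthy, web2 is
# up but serving a default page, web3 (absent) refuses connections.
SAMPLE = {"http://web1/health.html": (200, b"<html>site-v42 ok</html>"),
          "http://web2/health.html": (200, b"<html>Default page</html>")}

def sample_fetch(url: str) -> Tuple[int, bytes]:
    if url not in SAMPLE:
        raise OSError("connection refused")
    return SAMPLE[url]
```

A simple TCP or HTTP-200 check would have kept web2 in rotation; the marker (or digest) check is what catches the broken-content case.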
Few admins want to think about logging. Each server in the cluster can perform logging. But for analysis and reporting, all the logs in the cluster must be consolidated--an unwieldy task. Some content switches provide a consolidated logging feature, which provides a single log for the entire cluster. This feature is a blessing for those who spend hours (or even days) pulling together hundreds of disparate logs to generate a management report.
The Extras
Vendors provide extra features in the hopes of getting you off the fence when you're deciding between two products. Some of these features are quickly becoming a commodity--such as SSL termination--while others are still just cool.
SSL termination is a must-have extra for any e-commerce site. The ability to terminate the SSL session is required for a content switch. Without it there's no way for the switch to examine the URL and route traffic according to the rules you've set. Luckily, most vendors--ClickArray, F5 and Intel--provide SSL termination as a part of their product while others offer separate products to provide these services, albeit generally at an additional cost.
Some appliance vendors, such as ClickArray, are integrating more than just Layer 7 capabilities into their products. Rudimentary firewalls are more prevalent than ever. While switch vendors like Nortel have always offered packet-filtering capabilities, most appliance-based content switches do not yet have this feature. Is it necessary? That depends on your network architecture. If your single point of entry is an overburdened firewall, you might want to consider a content switch that can provide packet filtering and segment it off to balance the load. But be careful: Closely examine the firewall features of the switch before using it as the primary source of protection for your clusters and don't overburden a single device.
In this speed-conscious world, you need cache redirection. This provides the content switch with the ability to offer content from a caching device rather than requesting it from the cluster. This functionality is imperative for high-volume sites to reduce strain on the clusters. It also improves your site's performance from the end user's perspective--and that is enough of an argument for cache redirection.
Support for 802.1p QoS is one of the just-plain-cool features. 802.1p packet priority is an extension to the standard MAC (Media Access Control) and includes a three-bit value used to establish packet priority. Based on this value, content switches can further prioritize packets and ensure a higher level of service for a given set of customers. This feature's availability is limited, but if you feel it's important, definitely seek it out.
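To show where that three-bit priority actually lives on the wire, here is an added example (not from the article) that builds and parses an 802.1Q-tagged Ethernet header; the PCP field is the top three bits of the 16-bit TCI that follows the 0x8100 TPID, and the queue mapping at the end is a constructed illustration, not any vendor's scheme.

```python
# Added example (not from the article): extract the 802.1p priority (PCP)
# from an 802.1Q tag, handling untagged and truncated frames.
import struct
from typing import Optional, Tuple

TPID_8021Q = 0x8100

def parse_8021q(frame: bytes) -> Tuple[Optional[int], Optional[int], Optional[int], int, int]:
    """Return (pcp, dei, vid, ethertype, payload_offset); the first three are
    None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tpid_or_type = struct.unpack("!H", frame[12:14])[0]
    if tpid_or_type != TPID_8021Q:
        return None, None, None, tpid_or_type, 14
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    pcp = tci >> 13          # bits 15..13: 802.1p priority
    dei = (tci >> 12) & 1    # bit 12: drop eligible indicator (formerly CFI)
    vid = tci & 0x0FFF       # bits 11..0: VLAN id
    return pcp, dei, vid, ethertype, 18

def build_frame(dst: bytes, src: bytes, pcp: int, vid: int,
                ethertype: int, payload: bytes, dei: int = 0) -> bytes:
    """Assemble a tagged frame (constructed test input, not captured traffic)."""
    tci = ((pcp & 7) << 13) | ((dei & 1) << 12) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

def queue_for(pcp: Optional[int]) -> int:
    """Constructed four-queue mapping a switch might apply; untagged frames
    are treated as best effort (PCP 0)."""
    return {None: 0, 0: 0, 1: 0, 2: 1, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3}[pcp]
```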
More and Faster
The number of ports on a switch differs greatly from product to product. Appliance-based content switches, such as F5's Big-IP, generally provide only two ports--this assumes your farm is behind a Layer 2/3 switch. Other products, such as those from Nortel, are switch-based and provide eight or more ports that can connect to a Layer 2/3 switch or directly to servers. Port density is often a deciding factor as data-center space is costly.
Most cluster topologies involve the content switch and at least one other Layer 2/3 switch to support the high number of servers comprising the cluster. The issue isn't necessarily the number of ports (though we all know that more is better) but the speed of those ports. Most vendors provide 10/100 Fast Ethernet ports, and a few offer optional gigabit--copper or fiber--ports for high-volume data center needs.
Even if you don't need gigabit speed today, determine if your product choice offers the option of upgrading to gigabit. You'll likely need the higher throughput later, and you don't want to have to change your content switches.
Last but not least, consider how the product looks in your rack. You'd be amazed how much happier techs are when they can sit in a dark room and easily see all the blinking lights.
Lori MacVittie, a technology editor of Network Computing, has been a software developer and a network administrator. Most recently, she was a member of the technical architecture team for a global transportation and logistics organization. Send your comments on this article to her at lmacvittie@nwc.com.