Networking

09:30 AM
Orhan Ergun
Commentary
Edge Devices Are The Brains Of The Network

In any type of network, the edge is where all the action takes place. Think of the edge as the brains of the network, while the core is just the dumb muscle.

In the LAN, WAN, or datacenter network, edge devices do most of the work. The network edge has more features and performs more functions than other layers of the network topology.

As we move from the edge to the core, we expect more throughput but fewer features, because core devices should involve little except packet forwarding. Fewer protocols and features should be deployed, requiring less configuration and keeping control plane states at a minimum.

Datacenter networks, POPs, LANs, the branch, and the core can be thought of as different segments of networks. The features of these networks and their implementation might be different for enterprises, service providers, mobile operators, and for telcos, but the general theory remains the same. If we look at each segment separately, we can see why edge devices have to do more intelligent jobs, and why choosing the correct edge devices may be more critical than devices at other layers.

LAN edge
In the LAN, for example, we enable first-hop security on the access layer switches -- which make up the edge devices of the LAN. As a best practice, we also start to enable QoS as close as possible to the source. So implementing QoS policy at the edge of the network is important.

QoS might be implemented in different network segments for different reasons, but the place where you do it does not change. In the LAN, QoS might be implemented to protect voice traffic at the network edge. In the datacenter, you might use it at the virtualization layer to protect Fibre Channel traffic -- which is also at an edge of the network. In addition, we enable multicast features, such as IGMP and IGMP snooping, at the edge of the network. These are CPU-intensive processes if not handled by ASICs at the edge.

Access layer devices can supply power over Ethernet (PoE) to IP phones, wireless access points, and other devices in the LAN, so power negotiation is done at the edge of the network. If access lists, distribution lists, or filtering mechanisms need to be implemented, the best place again is the access layer. With the increased popularity of TrustSec and ISE deployments for user and device identification, downloadable access lists are a good example: enforcement is done at the access layer, based on the policy defined on the ISE.

Service provider edge
When it comes to service providers, such as those supplying VPN services, provider edge (PE) devices always carry more configuration, policy, and control plane state. For MPLS VPN service, MP-BGP is necessary to distribute the VPN labels and to form the neighborship between PE devices at the edge. The core of the network keeps no VPN state, is not configured for BGP, and does not hold customer prefixes in its memory.

If a service provider offers multicast MPLS L3VPN service, let's say with Rosen GRE implementation, almost all the configuration is done at the PE devices.

We want core devices to be simple from a configuration point of view. When configuration increases, operational mistakes are likely to increase as well. A longer mean time between mistakes means higher availability, so the KISS (Keep It Simple, Stupid) principle should be kept in mind.
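One concrete way to check that this division of labor actually holds in deployed configurations is a role-based config audit: an access switch (LAN edge) should carry the first-hop security, QoS and multicast features described above, while a provider core (P) router should carry no BGP, VRF or VPNv4 state at all. The Python script below is an added example, not code from the article or its author. The Cisco Catalyst and IOS commands it looks for are real, but the checklist of features and the three sample configurations are constructed for illustration and are not taken from any real device.

```python
"""Role-based configuration audit (added example, not from the article).

Edge devices are expected to carry the features; core devices are expected
to stay simple.  Sample configs below are constructed for illustration.
"""
import re

# Global features expected on a LAN access (edge) switch.  Catalyst IOS
# syntax; the set of features chosen here is an assumption for this example.
EDGE_REQUIRED = {
    "dhcp_snooping": r"^ip dhcp snooping$",
    "arp_inspection": r"^ip arp inspection vlan \S+",
    "qos_enabled": r"^mls qos$",
}
# Per-port protections expected on every user-facing access port.
EDGE_PORT_REQUIRED = {
    "ip_source_guard": r"^\s+ip verify source",
    "port_security": r"^\s+switchport port-security",
}
# State a provider core (P) router should NOT carry: that belongs on the PE.
CORE_FORBIDDEN = {
    "bgp_process": r"^router bgp \d+",
    "vrf_definition": r"^(ip )?vrf \S+",
    "vpnv4_af": r"^\s+address-family vpnv4",
}


def parse_interfaces(config):
    """Return {interface_name: [indented lines]} for each interface stanza."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line)
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return blocks


def audit_edge(config):
    """Findings for an access-layer switch: missing global or per-port features."""
    findings = []
    for name, pat in EDGE_REQUIRED.items():
        if not re.search(pat, config, re.M):
            findings.append(f"missing global feature: {name}")
    # IGMP snooping is on by default on Catalyst; flag an explicit disable.
    if re.search(r"^no ip igmp snooping$", config, re.M):
        findings.append("igmp snooping disabled globally")
    for iface, lines in parse_interfaces(config).items():
        body = "\n".join(lines)
        if not re.search(r"^\s+switchport mode access", body, re.M):
            continue  # only user-facing access ports are checked, not uplinks
        for name, pat in EDGE_PORT_REQUIRED.items():
            if not re.search(pat, body, re.M):
                findings.append(f"{iface}: missing {name}")
    return findings


def audit_core(config):
    """Findings for a P router: any edge/PE state present in its config."""
    return [f"core device carries edge state: {name}"
            for name, pat in CORE_FORBIDDEN.items()
            if re.search(pat, config, re.M)]


# Constructed sample configs (not real devices).
ACCESS_SWITCH = """\
hostname acc-sw1
mls qos
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ip verify source
 ip dhcp snooping limit rate 15
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/24
 description uplink to distribution
 switchport mode trunk
 ip dhcp snooping trust
!
"""
P_ROUTER = """\
hostname p1
mpls ldp router-id Loopback0
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 mpls ldp autoconfig
!
"""
PE_ROUTER = """\
hostname pe1
vrf definition CUST-A
 rd 65000:1
!
router bgp 65000
 address-family vpnv4
  neighbor 10.0.0.2 activate
!
"""

if __name__ == "__main__":
    print("access switch:", audit_edge(ACCESS_SWITCH))
    print("p router:", audit_core(P_ROUTER))
    print("pe config audited as core:", audit_core(PE_ROUTER))
```

Run against the constructed samples, the access switch audit reports only Gi1/0/2 (an access port with no port security or IP Source Guard), the P router passes cleanly, and the PE configuration, if it were ever found on a core box, is flagged three times. The checks are deliberately simple regex matches over the running config, which is enough to catch the common drift of edge features leaking into the core or being forgotten at the access layer.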

Datacenter edge
In the datacenter network, the edge may not be defined clearly, especially after virtualization. However, the edge can be thought of as the virtual access switch -- for example, a VMware distributed switch or Cisco Nexus 1000V. The general theory is the same for both.

Virtual PortChannel, FabricPath, or TRILL can be implemented at the aggregation layer and core of the network. But for all of these technologies, the aggregation layer must handle more processes and keep more state in the control and data plane than the core does. For example, the FabricPath leaf layer is implemented at the aggregation layer, while the spine might be at the core. The spine only knows how to route at Layer 2 to the leaf switches, whereas the leaf nodes learn addresses from both the classical Ethernet side and the FabricPath core.

Do you have questions about this topic? Ask me in the comments.

Orhan Ergun, CCIE, CCDE, is a network architect mostly focused on service providers, data centers, virtualization and security. He has more than 10 years in IT, and has worked on many network design and deployment projects.

Comments
OrhanErgun, User Rank: Moderator
4/24/2014 | 10:47:49 AM
Re: Where does security sit?
We often make this mistake while we are designing a network as well: shifting complexity from one place in the network to another instead of trying to find the simplest one.
Susan Fogarty, User Rank: Strategist
4/24/2014 | 9:55:08 AM
Re: Where does security sit?
Jamescon, that's a very big question. As Orhan notes, security is often multi-layered, and that may be the way it continues to be. But what VMware is talking about is really interesting. We have a video of Martin Casado explaining how all functionality should move to the applications or edge. They want to expand that to security as well, which they say would make data essentially "invisible" on the network and invulnerable to attack. I'm not sure if just moving your attack point to a different location solves that much, but the advantage is that you have more control at that point, right?
Jamescon, User Rank: Apprentice
4/24/2014 | 9:23:22 AM
Re: Where does security sit?
Thanks, Orhan. That helps.
aditshar1, User Rank: Ninja
4/24/2014 | 3:35:51 AM
Re: Where does security sit?
I agree with the author completely that Edge Devices Are The Brains Of The Network; every edge keeps its relevance, as the PE sits between one network service provider's area and the areas of other network providers.
OrhanErgun, User Rank: Moderator
4/24/2014 | 1:35:26 AM
Re: Where does security sit?
IMO, whatever security prevention a vendor takes at the host level, you still implement your control plane and data plane protection on your network. Control plane protection can be implemented at every layer, and you still implement data plane protection at the edges as infrastructure filtering. Also, defense in depth may require protection at many layers. Hope this helps.
Jamescon, User Rank: Apprentice
4/23/2014 | 5:26:18 PM
Where does security sit?
Orhan, I agree that the edge is where things happen (including some pretty important things like access control). However, I'm curious what you think of VMware's pitch to make the hypervisor a sort of key to security, working on the assumption that the bad guys will get through the edge security anyway. Thoughts?