Tuesday, August 9, 2016

Opengear and the Evolution and Consolidation of Network Devices

Opengear at Tech Field Day Extra 2016

I recently attended Cisco Live 2016 in Las Vegas and was invited to attend Tech Field Day Extra as a delegate. The first presenter was Opengear, a maker of console access servers and remote management gateways. They describe their products as "next generation Smart Solutions for managing and protecting critical IT and communications infrastructure."

While the term "next generation" is frequently overused, I can't argue with Opengear. Opengear extends the functionality of a console access server into a more complete out-of-band management solution. First, the Opengear presentation made me reevaluate what I should look for in a console access server. What should it do? What shouldn't it do, and what roles should be held by separate devices?

A bit of a tangent...

To answer this, let's first look at trends in the networking industry as a whole. Over the past fifteen or so years, we have seen the role of network devices change dramatically. Switches are routers. Routers are firewalls. Firewalls are routers (hopefully in a limited capacity) as well as IDS/IPS devices, VPN concentrators, and possibly a number of other roles. Virtualization made NFV possible, and now, for certain use cases, the roles of many network devices can be done purely in software.

Before this trend to extend functionality and consolidate network devices, I believe the core philosophy of networking hardware and software was very similar to the Unix philosophy. Doug McIlroy, a key figure in the Unix community, summarized the Unix philosophy as "Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface."

Now replace programs with network devices and text streams with frames/packets.
  • Do one thing and do it well
  • Work together
  • Handle frames/packets

For years, this accurately described most network devices. A router routed, a switch switched, and a firewall provided basic stateful packet inspection. Additional dedicated hardware performed specialized roles: IDS/IPS, VPN concentrator, web proxy, load balancer, and the list goes on. However, this has been changing. Instead of network devices doing one thing well and working together with other network devices, network devices are often designed to do much more. This generally leads to simplified network topologies at the expense of more complex network devices.

Complexity is the enemy of stability. Many engineers strive to minimize complexity in their designs. However, some level of complexity is inevitable. Should we strive to avoid a single complex product, or a complex architecture tying together multiple simple products? I recently read a great post by Ethan Banks (@ecbanks) about network complexity. Ethan makes some great points about device complexity and uses VSS as an example. VSS is a perfect example of a technology designed to minimize architectural complexity at the expense of adding network device complexity. As is often the case, there are inherent trade-offs with either solution.

Regardless, the industry has been moving toward more complex "next gen" products consolidating network device roles rather than tying together multiple products. The ASA is a great example. Over ten years ago, the ASA 5500 series replaced the PIX 500, Cisco IPS 4200, and Cisco VPN 3000 series concentrators. Today, the ASA-X with FirePOWER services now takes this even further by essentially embedding a Linux VM with Sourcefire technology in the ASA and redirecting traffic through it. Are we wrong to consolidate multiple network device roles into a single box, or to use technologies such as VSS to simplify network topologies? I don't think there is a definitive answer here. As is the case when engineering any solution, the pros and cons should be weighed for each specific use case.

This brings me back to Opengear.

Opengear built a console access server and turned it into a complete out-of-band management solution. Opengear can act as a DHCP, ZTP, and TFTP server to automatically provision other equipment in the data center. It can proactively monitor network devices and roll back configs if fault conditions are detected. Certain models even contain an embedded 4G LTE router for dedicated out-of-band remote access. Here is a brief list of the roles and features of Opengear products compared to a typical legacy out-of-band management solution:

Opengear Box:

  • Roles
    • 4G LTE router
    • Console access server (including USB console support)
    • TFTP server
    • ZTP (zero touch provisioning) server to provision other devices
    • DHCP server
  • Features
    • ZTP provisioning of Opengear itself (including over WiFi)
    • Quagga (runs BGP and OSPF)
    • Programmatic interfaces
    • Ability to monitor and detect faults
    • Ability to respond to the faults
    • Ability to install agents and utilities

Legacy out-of-band management:

  • Dedicated internet connection or POTS line
  • Console access server providing serial connectivity

All very cool stuff. Given that most of the console servers I've worked with did nothing more than provide serial access, the first question for me was "do I want to rely upon my console server to do all this?"

Do I want my console server to do all this?

In my opinion, yes. After taking a closer look at the Opengear solution and what most companies currently use for out-of-band management systems, I realized Opengear isn't consolidating multiple existing roles into an overly complex device. Many companies don't already have a robust out-of-band management solution and often still use nothing more than POTS lines and a basic console access server. Opengear is adding relevant functionality to their product based upon specific customer needs.

Here is how Opengear summarized their customers' view of console access servers in their data centers:

"This is a device that sits in every row in my data center and attaches to every single one of my network pieces of equipment. And maybe there's some other things that I can do with it beyond just serial over IP."

The idea is that if you have out-of-band management equipment in every rack in a data center or every remote site in an enterprise, Opengear might as well take advantage of the opportunity and build in more advanced functionality. The embedded 4G LTE connectivity and the ability to proactively monitor network devices and automate config rollbacks are particularly useful. While I haven't yet had a chance to explore all of Opengear's features, I think the product looks promising, and I will definitely be taking a closer look at Opengear in the future.

Disclosure: There is no requirement for me to blog about any of the content presented at Tech Field Day Extra, and I was not compensated in any way for my time at the event. However, while writing this blog post, I contacted Opengear to ask additional questions about their products. They did a great job answering my questions and generously offered to send me a unit. I look forward to testing some of the advanced functionality when the unit arrives.
