Today’s applications strain organizations’ networks with their constantly changing bandwidth and latency requirements. Nowhere is this truer than for wide area networks (“WANs”) that: (a) are geographically diverse; (b) use many technologies from a variety of service providers; and (c) are stressed by increasing use of video and cloud application services.
Guest article by Dr. Stefan Dietrich, Vice President of Product Strategy, Glue Networks
Of particular interest here are hybrid WAN architectures with advanced application-level traffic routing. They combine the reliability of private lines for critical business applications with the cost-effectiveness of broadband/Internet connectivity for non-critical traffic.
Architectures of this type need to be deployed at scale over the network, but most of today’s network management tools are inadequate for that task. Most of them still apply blocks of configuration data to network devices to enable features that in turn enable an overall network policy.
To allow adjustment of configuration data to address differences in hardware and OS/firmware levels, those scripts use “wildcards” replacing certain configuration data. These scripts are heavily tested, carefully curated, and subject to stringent change management procedures. The tiniest mistake can bring a network down, resulting in potentially disastrous business losses.
Network operations teams experience the limits to this approach with the deployment of hybrid WAN architectures and application-specific routing. Even if the existing hardware already supports all the functionality required, existing network configurations that reflect past user requirements are rarely well-understood.
As each business unit is asking for specific requirements to ensure that their applications run optimally on the network, networks need to be continuously updated and optimized. Such tasks range from a simple adjustment of the configuration parameters to more complex changes of the underlying network architecture, such as removing and installing upgraded circuits, replacing hardware, or even deploying new network architectures.
To determine potential risk of unintentional consequences on the existing network for these tasks, significant involvement by senior network architects is required – but waiting for the next change maintenance window may no longer be an acceptable option. Businesses are not concerned with the details — they want the networks to simply “work.”
The Next Network Phase
Standard network management tools are mature and well-understood. Network architects and implementation teams are familiar with them, including all of the limitations and difficulties, and any potential change of these tools is immediately vetted against the additional learning curve required vis-à-vis potential benefits in managing the network.
The best-case scenario is for network policies to be defined without regard for implementation or operational concerns. It starts with mapping of the required functionality into a logical model, assembling these models into one overall network policy, verifying interdependencies and inconsistencies, and deploying and maintaining them consistently throughout the network life cycle.
Several industry-initiated activities to improve network management are in play, but those initiatives are still maturing. For example, YANG is a data modeling language for the NETCONF network configuration protocol. OpenStack Networking (Neutron) is providing an extensible framework to manage networks and IP addresses within the larger realm of cloud computing, focusing on network services such as intrusion detection systems (IDS), load balancing, firewalls, and virtual private networks (VPN) to enable multi-tenancy and massive scalability. But neither approach can proactively detect interdependencies or inconsistencies, and both require network engineers to dive into programming, for example, to manage data entry and storage.
In response, fully integrated solutions are on offer from some providers, built on appliances managed through a proprietary network management tool. This approach allows businesses to deploy solutions quickly, at the cost of additional training, but they have limited capability for customization and new hardware purchases.
This is a good start, but for true transformation to occur, new network management capabilities have to be focused on assembling complete network policies from individual device-specific features, detecting inconsistencies and dependencies, and allowing deployment and ongoing network management. Simply updating wildcards in custom configuration templates and deploying them onto devices is no longer sufficient.
Going forward, routing protocol changes or network architectures may need to be changed on live production networks. Managing such changes at large scale is difficult or even infeasible, especially in large organizations where any change will always have to be validated by security. This creates unacceptable delays for implementation.
Creating Comprehensive Network Policies
Network professionals will need to take a step back to develop an end-to-end approach on how to create complete network policies from abstract device-based network features, including interdependency checking, deployment, and secure lifecycle management. Network features and related policies can be mapped using these four constructs:
- Domains – Consistently apply configuration settings across multiple devices. A good example is a QoS configuration which may be different by business units. Hence, different QoS domains would allow network engineers to assign QoS policies across all devices associated with specific business units in each region.
- Features – Provide the configuration settings for a single device at a time, enabling functionality that the device can provide by itself. A good example is the configuration of a device-specific routing table where the device should forward incoming traffic.
- Custom – Customizing will sometimes be acceptable, especially in regard to specific exceptions to single devices only – for example, a specific set of Access Control Lists (ACLs) needed on a single device. For these cases where no other dependencies with other features exist, simply applying configuration data to a device may be acceptable.
- Globals – These are configuration settings that apply throughout the network and are the same for every device in the network. A good example is NTP (network time protocol) where the central architecture team is defining the only NTP servers permissible for the network.
Any network policy can be built, then, by using a combination of these constructs. Inherent interdependencies can be flagged by network engineers early, so that a network management system can deploy them in the correct sequential order, optimally applying these features to individual devices as well as across the network to create the target policy.
Abstracting network functionality into these types of models allows network engineers to re-focus on the actual network architecture and less on the mechanics of the management of configuration data. This leads to a number of inherent benefits:
- Community exchange: By using the logical constructs to model networks, a wide exchange of best-practice reference designs based on common user requirements is possible. Different teams of architects can exchange information about the models they use for specific network functionalities ,without having to revert to low-level configuration settings. This opens the possibility of creating network engineering communities that exchange specific models based on their desired use cases, with clearly defined interdependencies and conflict resolution against other models.
- A focus on function: The functionality of how a device should perform, by itself or in concert with other devices, now determines the configuration of that device. As a result, the actual hardware itself, its specific OS/firmware, or even the manufacturer no longer matters, as long as the device is capable of performing the desired functionality.
- Easier collaboration: Implementation and maintenance (DevOps) is logically separated from network architecture and design (NetOps). For example, architects can define the features, domains, and global settings needed for a given network infrastructure, assemble them into logical groups, and resolve any interdependencies. They can then be tested and validated by, for example, the security team. The assembled features, domains, and globals are handed over to the operational team, who will deploy them onto the network and manage them over their lifecycle.
Creating Today’s Network
In order to make a network management tool suitable for today’s demands, network professionals need a sophisticated network-aware orchestration engine that is able to detect any interdependencies, resolve them, and deploy network policies automatically over the network.
Several non-technical challenges have to be considered in order to achieve this:
- NetOps and DevOps teams may be skeptical to trust device configuration to a new management tool, so be sure to obtain buy-in from them.
- The primary focus of network engineers is on proper device configurations and ensuring the device is performing as intended; they are typically not programmers, nor do they aspire to be. Any next-generation tools have been designed with a network engineering focus in mind, allowing network engineers to use the system with a much shorter learning curve and minimal programming expertise.
- User confidence that the logical network model will indeed result in the correct configuration of all devices in the network. Many network engineers are still most comfortable with command line interface (CLI) created from scripts and templates.
The next generation of management tools should include, from a technical perspective:
- Allowing dry runs of new configurations to understand all changes that may have to be performed, even on other network devices when needed, by conducting a configuration preview
- Zero-touch provisioning to make the onboarding of new devices into the system as fluid as possible, allowing generalist IT staff to install routers and trigger device provisioning automatically
- Flagging or limiting unauthorized manual device configuration changes with automatic remediation when needed
- The ability to manage the high degree of customization needed
- Verification for every step of device provisioning actions with automatic revert on errors
Future-proofing the Network
A good example of how enterprises can truly transform their networks are tools that provide complete abstraction of network functions, while providing deeply integrated model interdependency verification, deployment previews, and layer-by-layer provisioning.
For example, replacing an existing device with a newer model, even if it’s from a different vendor, can be detected and automatically provisioned. Such solutions that can resolve any potential conflicts and interdependencies, even across vendors, are becoming increasingly important as network devices are virtualized on common platforms, and the individual strength of vendor-specific solutions are combined into one multi-vendor solution.
To meet the demands of today’s application landscape, a new approach to network modeling and management is needed — a full-stack approach that enables better integration with clearly defined handoff points between architecture and implementation teams. Business requirements will be implemented more quickly, reliability will improve, and companies will recover from network outages faster.
Dr. Stefan Dietrich brings more than 20 years of experience to Glue Networks, defining innovative strategies and delivering complex technology solutions. Before joining Glue Networks, Stefan was Managing Director of Technology Strategy at AXA Technology Services, introducing advanced new technologies to AXA globally, and held senior IT management positions at Reuters and Deutsche Bank. Stefan received a Ph.D. in Aerospace Engineering and Computer Science from the University of Stuttgart and served as a Postdoctoral Fellow and faculty member at Cornell University.