While most OpenFlow and software-defined networking (SDN) talk focuses on data center or carrier networks, the technology may have a more immediate role in the campus network, especially when it comes to improving security and managing bring your own device (BYOD).
Indiana University chief network architect Matt Davy believes OpenFlow and software-defined networking could transform his 100,000-port network, which includes 5,000 wireless Access Points (APs) and serves 120,000 users, most of whom expect to connect using personal mobile devices. Today, implementing security and access policy is a potential nightmare, considering the community is more like a small city with a sports complex, medical labs, 15,000 dorm dwellers, restaurants, and its own water and electric utilities.
"Our networks are not easily grouped by physical space. If I want to put a firewall in a lab, what about the coffee shop in the lobby?" Davy explained. The ideal situation would be to "group systems that are alike and then manage them that way for security policy" even if they are in different physical spaces. That would enable his team to push down sets of security rules to specific types of devices.
Davy believes he can do that by completely transitioning his network to an OpenFlow environment. In that scenario, he will create a "virtualized access layer" that mirrors the physical access layer but can be managed through a centralized SDN controller. Davy's team can then spin up virtual network segments that stretch across components in both wired and wireless networks, enabling, for example, SSIDs to be set up for specific groups of devices. That gives engineers granular control over which users or devices can access specific applications on specific network segments. It also enables Davy to steer incoming traffic to specific devices in order to specify the type of monitoring that is done or to improve performance on various appliances.
No such complete solution exists on the market, but Davy is in the process of testing out available OpenFlow or SDN-based switches and controllers. He's already installed 1700 OpenFlow-friendly HP switches that have the ability to run both OpenFlow and traditional switching and could contribute to this vision of a software-defined campus LAN in the long term. For now, these switches are not powering a large-scale OpenFlow environment.
In the meantime, Davy's team is experimenting with a homespun OpenFlow-based Intrusion Detection System (IDS) cluster. That system mirrors feeds from ports across the network, routing the information into a centralized box. Using an OpenFlow-injected, top-of-rack switch, the data is load balanced across a group of about 30 IDS servers. Rather than installing IDS appliances throughout the entire network at a cost of about $100,000, Davy's experimental system pulls off intrusion detection for about $30,000. The next step will be to integrate Network Access Control (NAC) into the system to be able to "start blocking traffic using OpenFlow," he said.
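The load-balancing step above, as an added example that is not Indiana University's code: a Python sketch of the controller logic that maps each mirrored flow's IP 5-tuple onto one IDS sensor and emits the OpenFlow-style match/action for it. It hashes the 5-tuple symmetrically so both directions of a session reach the same sensor, which an IDS needs in order to reassemble the conversation. The mirror input port (48) and sensor ports (1..30) are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

# Constructed topology: mirrored traffic arrives on switch port 48; the
# 30 IDS sensors sit on switch ports 1..30. Both values are assumptions.
MIRROR_IN_PORT = 48
SENSOR_PORTS = list(range(1, 31))


@dataclass(frozen=True)
class Flow:
    """IP 5-tuple extracted from a mirrored packet."""
    src_ip: str
    dst_ip: str
    proto: int       # 6 = TCP, 17 = UDP
    src_port: int
    dst_port: int

    def reverse(self) -> "Flow":
        return Flow(self.dst_ip, self.src_ip, self.proto, self.dst_port, self.src_port)


def canonical_key(flow: Flow) -> str:
    # Sort the two endpoints so A->B and B->A produce the same key; an IDS
    # that sees only one direction of a TCP session cannot reassemble it.
    lo, hi = sorted([(flow.src_ip, flow.src_port), (flow.dst_ip, flow.dst_port)])
    return f"{flow.proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"


def pick_sensor_port(flow: Flow, sensor_ports=SENSOR_PORTS) -> int:
    """Hash the canonical key and map it onto one sensor's switch port."""
    digest = hashlib.sha256(canonical_key(flow).encode()).digest()
    return sensor_ports[int.from_bytes(digest[:8], "big") % len(sensor_ports)]


def flow_rule(flow: Flow, sensor_ports=SENSOR_PORTS) -> dict:
    """OpenFlow-style match/action for one mirrored flow, as a plain dict
    (a controller library would encode this as a FlowMod message)."""
    return {
        "priority": 100,
        "idle_timeout": 60,  # rule ages out once the session goes quiet
        "match": {"in_port": MIRROR_IN_PORT, "eth_type": 0x0800, "ip_proto": flow.proto,
                  "ipv4_src": flow.src_ip, "ipv4_dst": flow.dst_ip,
                  "tp_src": flow.src_port, "tp_dst": flow.dst_port},
        "actions": [{"output": pick_sensor_port(flow, sensor_ports)}],
    }
```

Because the hash is seeded by the 5-tuple rather than by packet arrival order, a sensor that is removed from SENSOR_PORTS only remaps the flows that hashed to it plus those displaced by the changed modulus, and a rule that idles out is recomputed to the same sensor.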
What's driving OpenFlow and SDN in the campus LAN?
Vendors are banking on the idea that organizations with simpler needs than those of Indiana University will find uses for OpenFlow and SDN in the campus LAN. Speaking at the Open Networking Summit in April, Steve Brar, HP Networking global product marketing manager, said three factors will drive SDN uptake and programmability in the campus LAN: the need for better Quality of Service (QoS), improved security and application-driven networking.
Once SDN is implemented, network engineers can replace inflexible physical networks and static policies with flexible networks that can "assign quality of service for [specific] users and for various applications dynamically."
Brar expects network engineers to use SDN to break the physical campus network into a series of logical networks, each with its own policy. This environment would transform QoS because engineers could prioritize specific applications more easily on these virtual networks, improving performance.
SDN will also have a role in managing bring your own device (BYOD) programs since network managers will be able to assign access policy by device type or user group and can then optimize specific applications -- such as video -- for mobile devices, Brar explained.
"There are inconsistent user experiences across wired and wireless realms and that shouldn't be happening with today's technologies," said Brar. "Perhaps with more programmability and a network that is more dynamic, we can avoid that."
While the potential is apparent, true uptake of SDN and OpenFlow still hinges on product and application development, which will be a slow and ongoing process.