HP Networking Tech Day – Part 2

by Jeremy L. Gaddis on August 28, 2010

Note: This is Part 2 of a three-part series. Also see Part 1 and Part 3.

Emerging Network Standards

Continuing on, Paul Congdon was up once again, this time to discuss vSwitches, Virtual Ethernet Bridge (VEB), and Virtual Ethernet Port Aggregation (VEPA), and give us a live demonstration.

Note: If you’re like me and new to this storage/virtual I/O thing, you might want to read this technology brief (PDF).

I’m not sure what the original purposes of VEB/VEPA were (maybe I wasn’t paying attention at that moment), but the biggest benefits seem to be added visibility into what is happening between servers in a virtualized environment. When Paul was discussing how VEB/VEPA worked, the first thoughts I had were with regard to security. In a typical virtualized environment, when two VMs on the same physical host are communicating with one another, that VM-to-VM traffic is forwarded by the software vSwitch and never actually hits the physical switch.

VEB provides “limited visibility and policy enforcement” while VEPA provides “full visibility and policy enforcement”:

Both are implemented on the server. The major difference (as far as I can tell — remember, this is new to me!) is that VEBs forward traffic in the server, while VEPAs actually dump the VM traffic out on the wire where it hits the physical network. Out of the two, it seems to me that VEPA would be much preferred, simply because of the ability to see the VM-to-VM traffic and act upon it where necessary (think rate-limiting, filtering, compliance, etc.). If you had the choice between VEB and VEPA, I’m not sure why you would choose VEB but, then again, I don’t really know much about this stuff. It seems that VEB would be a bit faster but with SR-IOV NICs and high-end, low-latency switches, this becomes less of an issue.

Remember that VEPA dumps the traffic on the physical network? My first thought, when considering traffic between two VMs on the same physical host, was “how is it going to get back to the other VM?” When a frame enters a switch, it will not be forwarded if both the source MAC address and destination MAC address were learned on the same interface — it will be silently dropped. About the time I was contemplating this, Dr. Congdon mentioned “hairpinning”.

Hairpinning involves the use of a “reflective relay” on the physical switch which, in a nutshell, allows it to forward a frame back out the same interface on which it arrived. The frame then hits the server NIC and re-enters the virtualized environment where it is forwarded on to its destination (another VM). According to Paul, most switches can be software upgraded to support hairpin mode. I asked if any of the E-series switches would be getting this feature, but never really got a straight answer.

Paul did an excellent job of explaining the technologies, but he went one step further and followed that up with a live demonstration, which was a tremendous help in solidifying my understanding.

Paul started out with the NIC in VEB mode. He fired up a CLI ping tool on each VM; each instance was pinging the others. By watching, it was apparent that the VM-to-VM traffic was never hitting the A6120 switch. He then ran a shell script which, as far as I can tell, simply flipped a VEB/VEPA bit (on the NIC), which caused the traffic to be dumped on the wire where it hits the switch.

There were three basic ACLs set up on the switch, none of which were actually applied. Once we could see the traffic hitting the switch, he enabled and disabled the ACLs. By watching the output of the ping application, we could verify that the ACLs were actually in effect and filtering traffic. To me, this was damn cool and I’m looking forward to when I can make use of these features.
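To make the forwarding rule, the reflective relay and the ACL demo concrete, here is a toy model in Python. It is an added example, not code from the presentation or from any HP product: the `Switch` class, the MAC addresses and the port number are all made up for illustration, and the model ignores VLANs, aging and real ACL syntax.

```python
from dataclasses import dataclass, field

BCAST = "ff:ff:ff:ff:ff:ff"
VM1, VM2 = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed MAC addresses
UPLINK = 1                                             # switch port facing the server

@dataclass
class Switch:
    """Toy learning bridge with optional per-port reflective relay."""
    hairpin_ports: set = field(default_factory=set)    # ports allowed to reflect
    acl_deny: set = field(default_factory=set)         # (src, dst) pairs to drop
    fdb: dict = field(default_factory=dict)            # MAC -> learned port
    seen: list = field(default_factory=list)           # frames visible to the switch

    def receive(self, in_port, src, dst):
        self.fdb[src] = in_port                        # learn the source address
        self.seen.append((src, dst))
        if (src, dst) in self.acl_deny:
            return "acl-drop"
        out_port = self.fdb.get(dst)
        if out_port is None:
            return "flood"                             # unknown or broadcast destination
        if out_port == in_port and in_port not in self.hairpin_ports:
            return "filtered"                          # never sent back out the ingress port
        return "reflected" if out_port == in_port else f"forward:{out_port}"

def vm_to_vm(mode, switch, src=VM1, dst=VM2):
    """Send one frame between two VMs on the same host and report its fate."""
    if mode == "veb":
        return "delivered-in-host"                     # forwarded in the server
    for mac in (src, dst):                             # both VMs announce themselves
        switch.receive(UPLINK, mac, BCAST)
    del switch.seen[:]                                 # only track the unicast frame
    return switch.receive(UPLINK, src, dst)            # VEPA: out on the wire

def demo():
    plain, relay = Switch(), Switch(hairpin_ports={UPLINK})
    blocked = Switch(hairpin_ports={UPLINK}, acl_deny={(VM1, VM2)})
    return {
        "veb": (vm_to_vm("veb", plain), len(plain.seen)),
        "vepa_no_hairpin": (vm_to_vm("vepa", plain), len(plain.seen)),
        "vepa_hairpin": (vm_to_vm("vepa", relay), len(relay.seen)),
        "vepa_hairpin_acl": (vm_to_vm("vepa", blocked), len(blocked.seen)),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The second value in each result is the number of VM-to-VM frames the switch got to inspect: zero in VEB mode, one in every VEPA case, which is the visibility difference in a nutshell.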

Last, there’s a whitepaper that Paul wrote on VEB/VEPA benchmarking that is supposed to be released September 6th.

E- and V-series Overview

Mike Verdugo and Mark Hilton were up next, to give us an overview of the E- and V-series line. With regard to HP Networking, this is where most of my knowledge lies, as I am intimately familiar with the modular and fixed series switches in the E-series line.

The modular switches in the E-series line are the E4200vl, E5400zl, and E8200zl. The E4200vl switches are your basic layer 2 edge switches. The E5400zl adds common layer 3 functionality (OSPF, VRRP, PIM, etc.). The E8200zl is basically the same, with redundancy added (dual management modules, etc.). All three of these products run the same software (and, thus, the same bugs).

Here’s their slide about the E-series modular switches:

The E-series fixed configuration switches are divided up into three areas: layer 2 only, lite layer 3, and full layer 3. The differences between them are highlighted here:

They briefly touched on the E-series wireless, which are, if I’m not mistaken, mostly (all?) products that were acquired by HP’s purchase of Colubris a few years ago. This gave HP a wireless solution which featured centralized management (via the controllers). Yes, they had that before with the wireless services modules, but those sucked. The acquisition of Colubris gave them a viable wireless solution.

One key wireless product that HP talked about was the MSM317 Access Device, pictured here:

From the product page:

HP ProCurve MSM317 Access Device integrates wired and wireless connectivity into a small unit that can be quickly and discreetly installed in a standard wall outlet box. It provides four Ethernet ports, a 2.4 GHz wireless access point, and a pass-through RJ-45 connection to support a range of service and user connectivity options.

They talked specifically about how a hotel chain (Marriott, if memory serves) was needing to roll out wireless access through their hotels, but a number of factors were complicating that. They were able to install the MSM317s and gained the ability to provide both wired and wireless network access. The access points operate in a “mesh” (my assumption is just an ESS) and if one happens to go down, the idea is that a client will automatically connect to an adjacent/nearby access point and not lose network access. In our environment, I could definitely see utilizing these (except that we’ve already made the decision to replace our existing HP wireless infrastructure with Meru Wireless gear).

The V-series consists of a number of low-end managed and unmanaged switches, wireless access points, and wireless routers, which I’m not going to spend any time writing about.

Next, we discussed AllianceONE and a handful of available products.

AllianceONE gives you the framework, tools and resources you need to have a successful collaborative relationship with HP. Building on a standards-based architecture across Microsoft® Windows®, Linux, HP-UX and NonStop, we can deliver leading solutions that seamlessly fit within the current data center or across the enterprise, while helping clients prepare for the future.

The ONE Services zl Module (available on the 5400zl & 8200zl chassis) is an add-on module sporting a Core 2 Duo CPU, 8GB of main memory, 4GB of flash memory, and up to two hard drives. The modules have 2x10Gbps Ethernet connections to the backplane and can run in transparent mode. There are currently a number of products built on top of this, including the HP Threat Management Services module (I demo’d one of these when they first came out and wasn’t impressed), and third-party products from inMon (Traffic Sentinel), Fortigate (UTM), and — coming soon — Microsoft (Survivable Branch Office Gateway) and Avaya (SBC). In addition, a Riverbed WAN acceleration module is coming sometime around October.

We were told that we could expect more product announcements in the E-series line in the future and that, in the next six months, there were “significant offerings” coming in the 5400zl product. I’m particularly interested in this, as I have a lot of 5400s deployed. I’m just hoping they’ll get the K.15.x software tested, tuned, stable and as bug-free as possible in the near future. There are some features that I want that are only available in the K.15.x train, but at this point it is waaaaay too “beta” for me.

“Shake and Bake” Lab Tour

Next up, we were taken on a tour of the “Shake and Bake” lab (officially called the HP Roseville Hardware Test Center) by Mike Avery. This is where HP subjects its products to a number of physical and environmental tests, hence the name. We got to hear about some of the tests that they do, but didn’t get to see any in action (which was a slight disappointment).

Competitive Discussion

We ended Day 1 at the HP campus with a “competitive discussion” or, as Greg Ferro put it, “a rather splendid vendor bitchfest.” =)

In this session, everyone present openly discussed the current market and HP’s competition. We discussed HP’s certification program, which I’ve written about recently. One thing I said is that it would be in HP’s best interests to increase their number of HP Certified Professionals and one great way to do that would be to subsidize the cost of the certification exams. I pointed out that Juniper saw tremendous growth when they began offering free test vouchers as part of their Fast Track Program (which yours truly took advantage of, to earn the JNCIA-ER certification) and that HP would be wise to do something similar. They acknowledged that they are working on their education program and that a “very large investment is being made” in that regard.

I did ask if HP would be extending their lifetime warranty to products in the A-series line-up, but I already knew the answer. HP has “no intention of doing that”.


After the Competitive Discussion, we left and returned to our hotel. Shortly afterwards, we met back up in the lobby and headed to Paul Martin’s American Bistro for dinner and drinks. As might be expected, the atmosphere was very relaxed and we all got to “mingle”. I got the opportunity to talk with Dom Wilde one-on-one regarding the A-series line.

A bit later, we moved inside and continued our “chatter” where I learned a few interesting things. HP apparently has intramural sports and Paul Congdon is on one of the softball teams, though his team lost Monday’s game. Also, Jennifer Lake, TippingPoint PR Manager, runs way too much. I was nearly exhausted after hearing her talk about running marathons.

We made our way back to the hotel once again, where a few of us stopped for a drink before heading off to bed to prepare for Day 2.
