With the holiday season upon us, SearchNetworking asked network engineers to tell us about their 2014 technology wish lists. Call it a letter to Santa Claus. Call it an airing of Festivus grievances. However you want to describe it, network engineers would like to see some changes in 2014. So stand up your Festivus pole and join us in exploring what network vendors need to do better in the year to come.
Cloud providers need to be enterprise-network-savvy
While line-of-business managers often buy services directly from Software as a Service (SaaS) providers, it's the network engineers who get blamed when those SaaS services don't perform well on the network. The first item on one network engineer's technology wish list would be better visibility into the IP address scheme of SaaS providers.
"Most SaaS providers … want to do things by URL or DNS name, and routers and firewalls don't work that way," said Forrest Schroth, network manager at Randstad US, an Atlanta-based staffing and recruiting agency. "If I'm going to prioritize, shape and secure traffic that's coming to you as a SaaS provider, you need to tell me which IP [addresses] are important and which ones aren't. If you send traffic to Google, you don't know which IP space it is going to because it goes to a DNS name. It could be YouTube, it could be email, it could be DropBox, it could be encrypted video, it could be a Google call. They will not tell you where your traffic is going, other than it's going to Google and they'll handle it."
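As an added example, not from the article or from any vendor, the script below assumes a SaaS provider publishes a per-service prefix list (the prefixes and flow records here are constructed) and shows how a firewall or QoS policy classifies traffic by published IP ranges, and why a DNS-name-only description leaves flows unclassified.

```python
import ipaddress

# Constructed stand-in for the kind of list Schroth is asking providers to
# publish: service tag -> prefixes. These prefixes are documentation ranges, not real ones.
PUBLISHED_RANGES = {
    "mail": ["203.0.113.0/25", "2001:db8:10::/48"],
    "video": ["203.0.113.128/25"],
    "calls": ["203.0.113.192/26"],        # more specific than the video block
    "storage": ["198.51.100.0/24"],
}

# Constructed flow records (dst_ip, bytes); in practice from NetFlow, sFlow or a firewall log.
FLOWS = [
    ("203.0.113.10", 4000),
    ("203.0.113.130", 900000),
    ("203.0.113.200", 50000),
    ("198.51.100.7", 120000),
    ("192.0.2.5", 300),       # destination the provider never documented
]


def build_prefix_table(ranges):
    """Flatten the published list into (network, service) pairs, most specific first."""
    table = []
    for service, prefixes in ranges.items():
        for prefix in prefixes:
            table.append((ipaddress.ip_network(prefix), service))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def classify(dst_ip, table):
    """Return the service of the longest published prefix containing dst_ip, or None."""
    ip = ipaddress.ip_address(dst_ip)
    for net, service in table:
        if ip.version == net.version and ip in net:
            return service
    return None


def summarize(flows, ranges):
    """Attribute bytes per service. Anything outside the published ranges lands in
    'unknown', which is all a router or firewall can say when it only has a DNS name."""
    table = build_prefix_table(ranges)
    totals = {}
    for dst_ip, nbytes in flows:
        service = classify(dst_ip, table) or "unknown"
        totals[service] = totals.get(service, 0) + nbytes
    return totals
```

Per-service byte totals are what a shaping or prioritization policy is built on; the "unknown" bucket is the traffic that cannot be policed without the provider's address plan.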
Technology wish list: Cheaper ports please
We know the law of supply and demand will eventually work its magic, but network engineers need cheaper high-bandwidth ports -- and they want them now.
"We're looking at backbone upgrades to 100 Gb and the prices are just astronomical still," said Joe Rogers, senior network engineer at the University of South Florida. "I think only time will solve that, but when optics are still $50,000 a piece list price, that's just crazy. I wish other people would start buying it and help drive the price down."
Even 10 Gigabit Ethernet port price tags remain too high for many companies. "With VMware, we're moving to 10 Gb NICs on all the servers because we're just chewing up too many gigabit ports in our data centers," said John Iraci, vice president of enterprise infrastructure at DJO Global, a medical device manufacturer. "Now we're chewing up two or three 10 Gb ports per server so it does start to add up."
Network software doesn't need to be this hard
The world perceives network vendors as the purveyors of black boxes because they have forever been hardware specialists. But companies like Cisco, Juniper Networks and Arista Networks -- along with a legion of software-defined networking startups -- are pushing the notion that they are software companies, too, with all the agility and service velocity that such a moniker entails. Unfortunately, network vendors have a legacy of messy, draconian code management and control.
Software bugs remain a universal issue. "Between Juniper, Cisco and Brocade, from firewalls to switches and wireless, we always ask for better code stability," Rogers said. "It's a feature velocity problem. We're asking them to add all these features, but then we also say we want our code to be stable. So if you keep adding these features and changing your code constantly, yeah, it's going to be difficult. But I'm sure there are better code management practices and better ways to validate code before it makes it out the door."
Software updates are also too complex for engineers, Iraci said.
"We spend a lot of time doing updates of code on different devices. I'd like to see systems go to a more automatic update that's more foolproof," he said. Iraci's team struggles to keep its routers and firewalls at a consistent code level because so many of the devices are in remote locations where engineers don't have hands-on access.
"Everybody seems to have their own little system [for network software updates]," said Mark Kelly, a network engineer on Iraci's team. "I'd like to see something more global, because all you're really doing is TFTP [Trivial File Transfer Protocol]. Usually when we do an upgrade, we do our switches, routers, firewalls, Riverbeds all at the same time. We end up going from one management system to another, or plugging in and doing TFTP manually. From a management standpoint, it's really horrible."
Network vendors could reduce much of this complexity if they relied a little more on open source software and less on building operating systems from scratch, said Teren Bryson, a network engineer and IT director for an industrial equipment manufacturer. Every vendor not only has its own management systems, but its own fair share of software bugs. They also require their own specialized skillset from engineers.
"If I need to hire a network engineer, odds are they're going to be very familiar with Cisco and IOS," Bryson said. "They can sit down with a Cisco device and do a bunch of stuff. Then you have companies like Juniper, who make really good stuff at a good price, but they did not copy that interface. So if I want to do something with Juniper, I have to hire someone who knows Juniper, or I have to [retrain] someone who is really good with Cisco."
Bryson would like network vendors to focus less on their core operating systems and more on the added value they can offer around those systems. Companies don't compete on command-line interfaces. "I should be able to move from Cisco to Arista to Juniper to HP to Brocade and have a common interface. The value differentiator is not in the interface. It's all the other features, speeds and feeds. That's what really makes you buy one product over another, not the particular commands you type.
"Open source is one way to do this because Cisco is not going to develop an operating system and give it to Juniper. Everyone is using Linux for everything behind the scenes," Bryson said. "It's a really good platform to build on. It's a pie in the sky, but I would like to see more of that type of thing."
Cisco needs to step up its firewall game
No vendor is perfect. Engineers have their gripes with all of them. But it's clear that Cisco needs to reboot its firewall business.
"My biggest gripe with Cisco is that they need to come up with a next-generation firewall," Schroth said.
Schroth said Cisco's Adaptive Security Appliance (ASA) 5500-X series, which the company promotes as a next-generation firewall, does not measure up to products from Palo Alto Networks and Check Point Software Technologies. Cisco has packed too many functions onto the ASA platform, creating a lot of complexity.
Bryson agreed that the ASA lacks the robustness of those other firewalls. Palo Alto, for instance, is much more integrated with user identity, which makes it easier for engineers to enforce policy. "[Cisco ASA is] still not flexible enough. It tends to have these rigid rules you set. If people move around, you still have to do a lot of manual coding and changing of rules."
Schroth said the ASA also falls short of competitors like Juniper because it lacks basic routing functions. "If I set the [ASA] as a default route, I can't send stuff out of it in a way that makes sense. I have to send all my traffic to a router and send it from the router to a firewall, whereas, with any other firewall product, [I] can do some basic routing."
Vendors need to get real about IPv6 feature parity
IPv6 is still far from the world's dominant IP protocol, but the clock is ticking. Early adopters need network vendors to deliver universal IPv6 support and feature parity with IPv4.
"We are an early adopter of IPv6," said Rogers of the University of South Florida. "We push IPv6 management to all new switches that we deploy. We've enabled IPv6 on client networks. But some of the tools aren't there yet."
For instance, IPv6 NLB (network load balancing) multicast doesn't work on a lot of network platforms, Rogers said. Also, Cisco's wireless LAN products are only halfway to IPv6. While the access points (APs) support IPv6 clients, communication between APs and controllers is still strictly IPv4.
"We push everything we can management-wise onto IPv6," he said. "Any modern switch has decent feature parity, but some wireless technologies aren't there. And, VPN technology: Juniper's VPN product is just now getting IPv6 support. We're like, 'Come on guys! IPv6 has been around for a while.' We would love to see more universal support."