4 posts • joined 26 Jul 2012
Much more than just VLANs. The network uses Shortest Path Bridging (Avaya's marketing team call it FabricConnect) to provide a backbone with no blocked links anywhere, traffic balanced across available shortest paths and failover and failback on the order of tens of milliseconds. VLANs are only implemented at the very edge of the network to provide access.
There is some pretty funky stuff going on here; the IP multicast video feeds can be picked up anywhere on the fabric without any traditional multicast routing protocol (i.e. PIM) - FabricConnect handles multicast natively with traffic taking the shortest path from a source to receivers (in fact, unicast forwarding is basically treated as just a special case of multicast with one sender and one receiver). No rendezvous points, no unicast encapsulation, no duplication of traffic. Streams set up and tear down almost instantly.
In addition to the IPTV feeds, the fabric can also handle many-to-one multicast (which PIM is very bad at doing in a scalable way) for things like CCTV feeds. When you see a hundred CCTV feeds flick on in a fraction of a second, it's very impressive compared with a PIM network where the feeds come in one at a time over tens of seconds because of the inefficiency of the protocol.
I've deployed a few SPB networks now - it's almost boring how simple it is to configure and how well it works.
Re: NOT only Open Networks
WPA/WPA2-Enterprise is vulnerable to this kind of attack if the client is not properly configured. Assuming you are using a sensible EAP type (e.g. EAP-TLS, PEAP-EAP-TLS, PEAP-EAP-MSCHAPv2) you will have some form of mutual authentication. A bogus RADIUS server can very easily accept any connection, however the client should only connect to the network once it has confirmed that the SSL certificate that the RADIUS server has provided is signed by the expected certificate authority. In an Enterprise, this would normally be an Enterprise CA, but it could be signed by a public trusted CA so the client can and should also validate that the common name in the RADIUS server's certificate matches what it expects.
The problem is that a lot of people who are unclear on how SSL/TLS works (or are lazy) go and disable this validation in the connection settings for the SSID because it's easier than all that tedious faffing about with CA certificates and heck, we just want to get the device connected, right? It's scary how many "idiot's guides to WPA Enterprise" actually tell you to turn that check off!
For laptops that are members of an AD domain, the administrator can force the correct settings via Group Policy (and prevent the user from modifying them). For mobile devices, it is not so easy to enforce.
Combine this with the PNL implementation issues or hiding the SSID (yes, people still do this!) and your client will sit there sending probes out advertising "please can I connect to this SSID, please, pretty please" - practically a hacker's charter.
To what extent is this actually going on in the real world...very difficult to quantify.
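As an added illustration (not part of the original post), the "validation turned off" client setting beside the correct one, expressed as two wpa_supplicant network blocks for the same PEAP/MSCHAPv2 SSID; the SSID, identity, password, CA file path and RADIUS host name are assumed placeholders:

```conf
# Added example, not from the original post. All names below are constructed.

# WEAK: no ca_cert and no name match, so the supplicant will accept whatever
# server certificate it is shown, including one from a rogue AP's RADIUS server.
# wpa_supplicant logs "No CA certificate configured" in this situation.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="alice"
    password="example-password"
}

# CORRECT: pin the CA that issues the RADIUS server certificate and require the
# server's name to match, so only the genuine RADIUS server passes.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="alice"
    password="example-password"
    # enterprise CA (or the public CA) that signed the RADIUS server cert
    ca_cert="/etc/ssl/certs/corp-enterprise-ca.pem"
    # the RADIUS server's certificate must carry a name under this domain
    domain_suffix_match="radius.corp.example"
    # leave active probing off: a broadcast SSID means the client does not
    # advertise the network name in probe requests
    scan_ssid=0
}
```

The same two settings (trusted CA plus expected server name) are what the Group Policy-enforced profile on a domain laptop pins; the second block is the mobile-device equivalent that users are tempted to switch off.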
It's all about the east-west
For the first time in a long time, there is starting to be a bit of buzz about the Ethernet switching market. Whatever your views on Ethernet as a technology (there are few other examples in IT of something as long-lived as Ethernet has been), we are starting to see some genuine innovation driving radical re-thinks of how Ethernet fits in a modern Enterprise.
It's definitely right to point out that the drive to 10 gig is not just about more bandwidth. Reduced latency is a massive benefit, especially for the transactional east-west traffic flows which we are increasingly seeing within data centre environments (due to application "fan out" from single user request to peer systems to pull in data from disparate sources relevant to that user request, amongst other trends). This change in traffic flows should be driving some redesign in data centre topologies; the tiered "top-of-rack" to "end-of-row" to "core" topology that some switch vendors continue to advocate (as it drives sales of the cash cow modular switch systems) stymies these kind of east-west traffic flows.
In the data centre, new tin is a by-product both of the drive to greater 10 gig densities and higher and a change in best-practice as far as data centre design goes. Fabric technologies such as Shortest Path Bridging (SPB) or FabricPath should be driving re-thinks in design, away from end-of-rack aggregation to meshes of interconnected, lower-cost top-of-rack systems that optimise the forwarding of layer-2 and layer-3 traffic between racks, rows and even data centres. This becomes even more relevant as the server guys push the network guys to support things like VXLAN - SPB in particular is suited to providing the scalable multicast environment that VXLAN requires; one of the many reasons why Avaya, Alcatel-Lucent, Huawei and others have gone down this route rather than the proprietary alternatives.
Moderately interesting times :)
Re: Anyone else noticed....
While the optical side of Nortel was sold to Ciena, the Enterprise data part which is the bulk of the heritage of the Synoptics/Wellfleet/Bay equipment (Chassis-based and stackable Ethernet Routing and Switching) was part of the (still profitable in and of itself at the time) NES business unit bought by Avaya who are actually investing in this part of the business and coming up with some pretty nice products again after years of being starved of R&D funds due to the financial situation of the wider Nortel. There's still a sizable and loyal install base and the product quality and innovation is back on track...so maybe we shouldn't completely write it off yet!