Cisco Turns Routers Into Linux App Servers

symbolset writes "InternetNews is reporting that Cisco's new Application eXtension Platform turns several models of Cisco switches into Linux application servers. With certified libraries in C, Java and Perl, developers will be able to use a downloadable SDK to build their apps. The AXP server is just another module in a Cisco switch running Cisco's own derivation of a modern Linux distro (Kernel 2.6.x) specifically hardened to run on that particular hardware. Modules will include up to 1.4-GHz Intel Pentiums with 2 GB RAM and a 160 GB hard drive."

Cue the beowulf cluster jokes

[symbolset (646467)]

Yes, it runs linux.

Yes, I know they're switches, not routers.

Now... anybody got any interesting applications for this?

Re:Cue the beowulf cluster jokes

[by Anonymous Coward]

Imagine a baowulf cluster of these...

Re:Cue the beowulf cluster jokes

[arivanov (12034)]

The power of linux is mostly irrelevant here. OK, fine, a blade, and so what? It is more expensive than most 1U servers out there.

Now the power of having an API into the Cisco hardware and software is a completely different story. That may be something that is really interesting. It will allow moving many tasks that are now exclusive to big closed and expensive OSS systems to the frontline where they really belong.

By the way, this has been long coming. The first time I heard about this was circa 2003. Nice to see it finally making the light of day.

Ok so

[aztektum (170569)]

I've read the marketing release. Now I ask /.

What can you do with this?

Before we get too excited

[symbolset (646467)]

It might be interesting to read the data sheet [cisco.com].

10/100/1000 Gigabit Ethernet connectivity to router backplane

meh.

Re:

[LarsG (31008)]

Yeah, backplane is kinda bummer.

As generic blade it looks like fail. Only one OS supported, probably expensive, Cisco license needed to build application packages.

Could be useful for making network appliances. Datasheet mentions IOS integration.

Re:

[BridgeBum (11413)]

Yeah - it would be much more exciting if they came out with something similar for their 6500 series switches with a big backplane. The ISR routers are intended for branch offices, they aren't big power houses.

AXP environment require an authorization key

[by Anonymous Coward]

check this out

Q. How does one develop an application for the AXP service module?

A. Both existing and newly developed applications must be ported to the AXP runtime environment by packaging them using the AXP SDK, which ships with the AXP hardware and software. The SDK package tool creates installation packages that can be loaded on the AXP blade. AXP developers are authorized by Cisco using the AXP Development Partner Program and require an authorization key in order to perform packaging of software.

http://www.cisco.com/en/US/prod/collateral/routers/ps9701/qa_c67_463943.html

Re:

[IdleTime (561841)]

Time until first 419-scam server is loaded after the first one is placed on the net: less than 42 seconds...

NSLU2 is cool

[bcrowell (177657)]

Another Cisco gadget that's cool as a cheap linux box is the NSLU2 [wikipedia.org]. For $80, you get a pretty full-featured Linux system. It's the size of a paperback, and draws a negligible amount of power. I use mine as a music server. There's a very lively and helpful user community on IRC. There are various options for modifying or replacing the system it ships with to get a more general-purpose linux box, running off of an external flash drive.

No, you don't get it.

[Ungrounded Lightning (62228)]

For $80, you get a pretty full-featured Linux system.

According to the Wikipedia entery you quote, its status is "Discontinued - no longer shipping."

Is this correct? Is there a followon to replace it?

Re:

[Briareos (21163)]

For $80, you get a pretty full-featured Linux system.
According to the Wikipedia entery you quote, its status is "Discontinued - no longer shipping."

Is this correct? Is there a followon to replace it?

That must be the page for the V1 model, since the NSLU2 is alive and well [linksys.com] on LinkSys' product pages.

np: Underworld - Spikee (Underworld 1992-2002 (Disc 1))

What I want from Cisco

[Midnight Thunder (17205)]

Great and I applaud them for doing something truly nerdy. What I am still waiting for is proper for a CISCO VPN client that works well under Linux and MacOS X, and not just Windows. It is irritating to enable firewall requirements, only to find that the only version that supports it is CISCO VPN Client for Windows.

Rant over, now you may mod me down.

Re:What I want from Cisco

[caseih (160668)]

The open source vpnc works pretty well on my linux box. I'm permanently vpn'd into my work's Cisco VPN concentrator. Granted it still can't do key rotation, so I have to reconnect it every 8 hours or so.

Cisco's linux support sucks in general, though. Their management software won't support it in any way. Ironic, really, since most work gets done in a terminal on cisco hardware. At least a serial port can't be made to be linux-incompatible.

Re:

[PingXao (153057)]

Have you looked at Broadcom lately? They make Cisco look like God's gift to Linux. They are absolutely paranoid, anal even, about releasing any technical information about any of their chips. And Broadcom is everywhere.

Re:

[Abalamahalamatandra (639919)]

They are getting there, though - I recently put in a new ASA 5540 pair set up for the AnyConnect SSL VPN client, which all of the documentation says "supports Linux". I had a problem getting the client working on Ubuntu, but when I opened up a TAC ticket they got me an early release version that did the trick. The AnyConnect client works well on Ubuntu other than the fact that the installer tries to set the vpnagentd to start up at system start and fails, so you have to start it manually from a command p

Re:

[ckaminski (82854)]

CiscoVPN 4.6 works great under both Windows and Mac OS X.

Too bad I have to stop using it because we're turning on network access control and Cisco Clean Access Agent isn't available on Mac OS X. My Macbook users are PISSED. :(

Re:

[QuoteMstr (55051)]

Why TCP over TCP is a bad idea [sites.inka.de]

Re:

[Dr_Barnowl (709838)]

No it doesn't. It doesn't support the firewall requirement ; as the GP poster said.

For those not familiar, this requires that your VPN client firewalls itself off from its local network and only participates as a network node in the VPN.

The Linux client doesn't support this. This is presumably because if you have source that supports it (your reply seems to indicate that you have source for the base client, but AFAIK it doesn't include this feature), you could compile a client which claimed it complied, but

Re:

[Midnight Thunder (17205)]

The only way you can assure the firewall requirement is in place is with a closed binary, preferably cryptographically signed, running in a closed environment. AKA, Windows.

This could also be achieved on MacOS X 10.5, where signing of binaries is supported and even recommended. Additionally I am sure it could be possible for the server side of the VPN to probe the client to see if a suitable configuration is in place. The way I could imagine this happening is for the server to do a routing probe and see if

Re:

[Midnight Thunder (17205)]

If the router has a client firewall requirement, then it fails. I have even tried vpnc and this confirms what I learnt from the official client:

concentrator configured to require a firewall
this locks out even Cisco clients on any platform expect windows
which is an obvious security improvment. There is no workaround (yet).
I have tried both on Linux and MacOS X, and the only client that seems to work consistently is the Windows client. This does not mean that I have never got the Mac o

I don't get it

[seanadams.com (463190)]

So this is a whole hardware server module that you stuff into a switch? Why?

A switch (or router, whatever) chassis is a ridiculously valuable piece of real estate... why would you want to spend that slot space plugging in PCs when they could just as easily be somewhere else, on the end of an ethernet cable?

Or is this intended for some highly specialized application where the linux system in tightly integrated with the host hardware in some way?

Re:I don't get it

[menace3society (768451)]

I think it's Cisco trying to muscle in on the server market. When you think servers, you don't think Cisco. You think Sun, IBM, HP, Dell, etc. But when you think routers and switches, you think Cisco. So if a Cisco rep can come along and say, "Hey, look, this is a piece of networking hardware, not a server, but it can do everything a server can for less money. Plus if you get this it's one less piece of equipment that can fail on you," they can start getting orders for these. If you were a PHB, would you rather have two boxes that each do one thing, or one box that does everything, and is super-cool "new" gear to boot?

It's like DEC with the PDP-1. Everyone *knew* in those days that a "computer" was a big, room-sized monstrosity that cost upwards of a million dollars and required a staff of dozens just to run; people figured there was only demand for 10 or so of those things on the planet. But DEC didn't sell "computers," they sold "Programmable Digital Processors," so companies bought them. The rest is history, and I guess Cisco is banking on being able to pull off the same thing with their new gear.

Re:

[CastrTroy (595695)]

Well, if I was a PHB, I probably would want one box that does everything. However, if I was a network admin, it might be nice to not put all my eggs in one basket. Having multiple boxes means that if one thing breaks, at least other stuff still works. Also, if one thing breaks, that one thing costs less than the box that does everything, and is cheaper to get everything back to working order.

Re:

[menace3society (768451)]

That's my point, the PHB mentality (as opposed to that of the admin who's really responsible for uptime) is to go for the all in one. I haven't decided if Cisco's apparent strategy is really clever, or really evil.

Re:

[Zerth (26112)]

More like they realized they couldn't shrink the size of the switch enclosure without making it look "cheap"(much like that oversized WalMart linux PC). So they stuck a bunch of blades in the switch and said "here, run software on these instead of buying a real server, it's a feature!"

Re:

[CastrTroy (595695)]

Why would you need a switch if everything is housed in a single box?

Mono?

[rhendershot (46429)]

see architecture pic: http://www.cisco.com/en/US/prod/collateral/routers/ps9701/images/white_paper_c11_459082-5.jpg [cisco.com]

It would seem that Mono could be a runtime for apps also. Anybody know why that might not work?

As to why you'd want this on the router, you already have a footprint in that space. Virtualization and Consolidation = decreased (branch) footprint.

Cisco says it this way: http://www.cisco.com/en/US/prod/collateral/routers/ps9701/white_paper_c11_459082.html [cisco.com]

Customer and Partner Value Propositions

Re:

[symbolset (646467)]

It would seem that Mono could be a runtime for apps also. Anybody know why that might not work?

Jesus, why don't you just run Vista on it if you want to fit your Microsoft crud into everything. Yeah... Vista -- in your router! Two gigs of RAM, a 1.2 GHz processor, plenty of storage! Vista oughta run just fine, eh?

"It looks like you're issuing a dynamic IP address. [cancel] [allow]?"

Re:

[mikkelm (1000451)]

How often do you really see fully equipped modular networking hardware at the distribution layer?

It's simple: Sandbox for third party "value added"

[Ungrounded Lightning (62228)]

So this is a whole hardware server module that you stuff into a switch? Why?

There are a bunch of things you'd like to do in a (non-backbone) router (i.e. and edge router or an enterprise router). Like high-intelligence packet filtering (such as malware detection). You'd like to do these in the routers at the edge of the ISP's network (where the packets for a customer finally come together after load-balancing multipathing), at the incoming firewall, and in the switches/routers within a campus LAN (i.e. to

Re:

[DarkOx (621550)]

I don't know where you have been but Cisco has used intel process in most of their equipment for a long time now. Pop the cover off pix sometime you will find a pentium. The same is true for most routers. I have not opened a switch up for a long time, those may or may not be intel.

The network is the computer

[bar-agent (698856)]

I didn't expect them to take the phrase "the network is the computer" quite so literally.

Copycat of 3Com OSN

[dwenger (470452)]

Looks like Cisco is copying a 3Com innovation that has been available for over a year. 3Com OSM's are not only available for their routers, but also their 5500G switches.

http://www.3com.com/osn/ [3com.com]

MTBF?

[lohphat (521572)]

The point on making the f/w an appliance is that it has a predictable operating profile and known MTBF and reliability.

By opening it up as an app server, you're encouraging turning your key gateway security device into a one-off, unique, unpredictable infrastructure component.

Money To Burn F*****

[leuk_he (194174)]

Why let a serious multi thousend dollar switch run a applation stack you can run on a 500euro desktopc pc? Well, there are 3 ways yo spend money:

-Women. Most expense one, but definity most fun.
-Gambling. Most unsure way to loose money.
-Computers, most sure way to spend a large amoutn of money.

PS, not sure what the F stands for in MTBF.

Re:

[Belial6 (794905)]

The reason you would do this is because you have already been authorized to spend a crap load of money on the Cisco switches. An extra $800 or $900 won't even get noticed. It you want to put the app on a $500 pc, you have to start from the beginning to get authorization. That's not even going to touch on the fact that you might have to rationalize new software on a PC, while it might only be considered a upgrade on the switch.

Stupid? Yes.
Does it happen? Yes.

Sir, they're hacking our network

[Cousarr (1117563)]

"Well, figure out where it's coming from"
"It's coming from the network sir"
"Of course it is, now where is it?"
"No, sir. The network is hacking itself. It's coming from one of the switches"

First it was printers that could run applications. Pop a tunneling app on the printer and remote in and now you're hacking them from their printer. Now switches can run apps too. Sure, a lot of problems related to this could be avoided by proper network administration but it's just one more thing to worry about if

Clear the Confusion

[greendeath (231782)]

Disclaimer- I work for Cisco as an Entrprise Sales Engineer

Lets clear a few terms up first-
Switch- Handles moving packets between endpoints on a single IP Subnet (layer 2 Device)

Router- Moves packets between different IP Subnets (Layer 3 Device)

Firewall- Applies security rules to routed packets

While the line is blurring physically between theses functions, as alot of switches can route and routers can switch, the logical functions are still the same. Your Standard Linksys/Dlink/netgear is a switch/router/firewall combined.

The AXP platform is a module that fits into our ISR router family, NOT into any switches.

Yes, the space in a router is valuable, that is exactly why companies want to get as much value as possible out of it. Most companies are looking for ways to consolidate and cetralize to reduce costs and ease management while adding features and functionality. Virtualization is the buzzword of the day.

Applications- Think about a company that has 200 remote offices that each have a server, if that server could be collapsed into a router blade (in combination with some other cisco technology like WAAS, that is possible) you reduce management, hardware and maintenance costs, electricity costs (green is also the word of the day) and provide the necessary services integrated into the heart of the network. Pretty cool.

It may be a little bit of "If you build it, they will come" so we built it, now let the programmers loose, change the game and build something cool.

Re:

[by Anonymous Coward]

Cabletron Systems had the same idea over 14 years ago:

http://www.google.com/search?q=cache:lUV1QODDQO8J:findarticles.com/p/articles/mi_qa3649/is_199406/ai_n8712161+Cabletron+PCMIM&hl=en&ct=clnk&cd=2&gl=us&client=firefox-a

"PCMIM is essentially a personal computer within a hub. It is an Intel Corp. 486DX/2-based processor that lets customers load applications--such as management, routing and communications softwareonto the hub rather than in on a separate PC attached to the hub."

I used to

Re:

[RazzleDazzle (442937)]

Why not go the other way and have good strong hardware to virtualize some routers using Cisco router simulators to run your IOS instead of Cisco hardware? As an example: http://www.ipflow.utc.fr/blog/ [ipflow.utc.fr]

I am guessing this would be way cheaper and would not be surprised if it violated some Cisco rules and doubtfully would be supported by Cisco if you needed to some help from their TAC.

Nah

[Colin Smith (2679)]

Sorry, nope.

If that server could be collapsed into a router blade (in combination with some other cisco technology like WAAS, that is possible) you reduce management, hardware and maintenance costs, electricity costs (green is also the word of the day)

Nah. there's just as much management cost, the service is still there.
Hardware cost? A Dell vs a Cisco router blade... Hmm...
Maintenance... A Dell vs a Cisco router... Hmm...

And integrating services into the "heart of the network"? The network should be a dumb connection. It shouldn't be running services.

Re:

[LarsG (31008)]

Think about a company that has 200 remote offices that each have a server, if that server could be collapsed into a router blade (in combination with some other cisco technology like WAAS, that is possible) you reduce management, hardware and maintenance costs, electricity costs (green is also the word of the day) and provide the necessary services integrated into the heart of the network. Pretty cool.

A Cisco blade will be cheaper than a Dell? Pull the other one. ;-p

The blade is limited to running one particular Linux distro and you can't load software on it without a Cisco certificate. That will seriously reduce the possibility for replacing branch servers with this blade.

Re:

[Doug Neal (195160)]

Are you sure? The Catalyst 6000 series does Layer 3 but is still classed as a switch.

Python not Perl

[bitMonster (189384)]

The APIs are available in C, Java, and Python. The article says this, but the summary is wrong.

Juniper already sells Linux-based systems

[Lennie (16154)]

Juniper's Linux IPS Hits 10Gb/sec [internetnews.com]

Re:

[Lennie (16154)]

I just pointed at the article to point out Juniper is also delivering products based on Linux.

I wasn't passing judgement about how well it works.

Ofcourse Cisco already did too, through the company they've bought, LinkSys.

Missing the point?

[4g1vn (840279)]

While I believe there is a need for consolidation of equipment to reduce the footprint/power consumption required in remote offices. I think some of us are missing the point here.

1) I know this has been identified in other posts but, these modules work with the ISR ROUTERS, not the switches. They include the 1800, 2800, and 3800 series.

2) The specifications of the modules (AIM/NM) are really not that impressive. The 3800 series NM (NME-APPRE-522-K9) is about the only one I would even consider if "runn

Hardened my ass

[Lord Kestrel (91395)]

Cisco claiming a piece of software they make is hardened is absurd. In the past, they've used Redhat 7.1 as the base for their appliances, shipping security software with 5 year old versions of openssh and Apache, and then tried to claim they were "hardened". After breaking in, they turn out to be off the shelf RH 7.1, just without cups running.

Cisco and software do not get along. They make ok hardware (overpriced, but it works), but they have never once made a good piece of software.

Re:

[Pavan_Gupta (624567)]

possible