Cisco Turns Routers Into Linux App Servers

symbolset writes "InternetNews is reporting that Cisco's new Application eXtension Platform turns several models of Cisco switches into Linux application servers. With certified libraries in C, Java and Perl, developers will be able to use a downloadable SDK to build their apps. The AXP server is just another module in a Cisco switch running Cisco's own derivation of a modern Linux distro (Kernel 2.6.x) specifically hardened to run on that particular hardware. Modules will include up to 1.4-GHz Intel Pentiums with 2 GB RAM and a 160 GB hard drive."

Cue the beowulf cluster jokes

[symbolset]

Yes, it runs linux.

Yes, I know they're switches, not routers.

Now... anybody got any interesting applications for this?

NSLU2 is cool

[bcrowell]

Another Cisco gadget that's cool as a cheap linux box is the NSLU2 [wikipedia.org]. For $80, you get a pretty full-featured Linux system. It's the size of a paperback, and draws a negligible amount of power. I use mine as a music server. There's a very lively and helpful user community on IRC. There are various options for modifying or replacing the system it ships with to get a more general-purpose linux box, running off of an external flash drive.

Re:Before we get too excited

[LarsG]

Yeah, backplane is kinda bummer.

As generic blade it looks like fail. Only one OS supported, probably expensive, Cisco license needed to build application packages.

Could be useful for making network appliances. Datasheet mentions IOS integration.

Re:Cue the beowulf cluster jokes

[arivanov]

The power of linux is mostly irrelevant here. OK, fine, a blade, and so what? It is more expensive than most 1U servers out there.

Now the power of having an API into the Cisco hardware and software is a completely different story. That may be something that is really interesting. It will allow moving many tasks that are now exclusive to big closed and expensive OSS systems to the frontline where they really belong.

By the way, this has been long coming. The first time I heard about this was circa 2003. Nice to see it finally making the light of day.

Re:Clear the Confusion

[Anonymous Coward]

Cabletron Systems had the same idea over 14 years ago:

http://www.google.com/search?q=cache:lUV1QODDQO8J:findarticles.com/p/articles/mi_qa3649/is_199406/ai_n8712161+Cabletron+PCMIM&hl=en&ct=clnk&cd=2&gl=us&client=firefox-a

"PCMIM is essentially a personal computer within a hub. It is an Intel Corp. 486DX/2-based processor that lets customers load applications--such as management, routing and communications softwareonto the hub rather than in on a separate PC attached to the hub."

I used to work for Cabletron Systems and I'd have to say that I never saw too many folks with PCMIMs in use. It seemed like a cool idea and I used to play around in the labs (1996), throw Slackware Linux on them with Squid, OpenLDAP, sendmail, etc. to try to make a complete "office in a box".

One of the reasons why it wasn't so popular was that it was underpowered and overpriced. You miss out on economies of scale in comparison to the rest of the PC/server industry.

Maybe Cisco will have better luck with it than previous attempts.

Re:What I want from Cisco

[PingXao]

Have you looked at Broadcom lately? They make Cisco look like God's gift to Linux. They are absolutely paranoid, anal even, about releasing any technical information about any of their chips. And Broadcom is everywhere.

It's simple: Sandbox for third party "value added"

[Ungrounded Lightning]

So this is a whole hardware server module that you stuff into a switch? Why?

There are a bunch of things you'd like to do in a (non-backbone) router (i.e. and edge router or an enterprise router). Like high-intelligence packet filtering (such as malware detection). You'd like to do these in the routers at the edge of the ISP's network (where the packets for a customer finally come together after load-balancing multipathing), at the incoming firewall, and in the switches/routers within a campus LAN (i.e. to block the spread of viruses/worms once a behind-the-firewall machine is compromised.)

Some of the expertese to do this is in other companies than the router makers. It would cost a LOT to replicate this in a router company. (Example: The infrastructure to surveil for malware, analyze it, extract signatures, and maintain databases of them.) Better to partner with such companies, letting them provide the components they do well.

But there are a lot of potential problems with letting third parties build their software into the guts of the router:
- The processors and related infrastructure aren't optimized for performing this extra work.
- The amount of extra processing is enormous.
- Router internals don't provide a lot of protection from buggy - or malicious - code. Much of this is traded away for efficiency, minimizing the per-packet overhead. Major-league software QA substitutes for many hardware safeguards. Modules provided by third parties could break the router code, make it miss its performance requirements, and/or insert malware vulnerabilities in the routers themselves.
- Letting partners provide modules means giving them considerable visibility into the guts of the router. This means the router company's "secret sauce" recipies leave the building. The more partnering is done, the more potential leaks to the competition. (And the partners have much less incentive to protect the router company's secrets.)

A "resource card" design - a card fitting into a linecard slot, carrying the company's backplane routing interface plus commodity and/or special purpose processors, with their own API for plugging into the box's routing infrastructure, solves these problems.

- The box's routing code remains with the router company. It only needs to identify the packets requiring attention from the third-party resource, route them to the appropriate resource card, and route the result onward to the destination.
- The third party has an easy-to-understand environment that closely matches what they already work with and provides all the hooks they need. No "secret sauce" recipie required.
- The third party's code is compartmentalized - on hardware that provides security hooks as a given. Even if it is compromised the worst it can do is send malicious packets across the backplane to other line cards or across the control interface to the management processor(s) - and these can be alert for problems and protect themselves, just as they do from nasties arriving on network interfaces.

A switch (or router, whatever) chassis is a ridiculously valuable piece of real estate... why would you want to spend that slot space plugging in PCs when they could just as easily be somewhere else, on the end of an ethernet cable?

Because a backplane is SO much faster and a single box system SO much cheaper (especially in rack-unit rent) than a multi-box, router/server system.

For starters: A multi-box system doing any kind of filtering puts the packets through the switch TWICE, once on its way to the third-party resource, once on its way back. You'll need to chew up a slot or two just to provider enough networking bandwidth to exchange one slot's full line rate worth of traffic with the resource. So why fill the front of the card with interfaces and packet processors just for the handoff, when you could put the resource there in the first place and save a box?

Putting the resource in a

Re:What I want from Cisco

[Anonymous Coward]

So broadcom documentation describes a chip with a lot of unused pins, yet we find chips broadcasting clock signals down these pins. To make things interesting, it's only on the chips we receive from Broadcom. From another lab/project, these same pins are dead. I'm pretty sure Broadcom is acting like Monsanto and enforcing their draconian NDA by watching the customers developers. If they suspect they are releasing even the slightest [broadcom.com] bit of information to the public, they turn ">around and sue that company [zdnet.com].

Yes, Broadcom has a stranghold.. but they're cheap.

OS = Obese Software

[deanston]

The Point, though Cisco isn't bragging it, is about control. What part of the network do you want to exert control on applications and data? Traditional concept of "the network as the computer" as proposed by Sun or Oracle puts the OS in charge, commoditizing servers, and requiring only dumb network switches and routers. This is about taking back the leverage and power companies like Cisco, 3Com, and Juniper felt they have given away. And this development finally begin to make each network device intelligent. Just a first step. More power and greater capabilities are sure to come embedded on each new generation of routers and switches. For all the years Linux desktop market share struggle at 1-2%, we are finally seeing the flexibility of Linux take off in areas that will give Windows real trouble - in the low-cost laptops and directly on non-PC devices. While the Gartner boys may argue that Windows need to become more modular, the hardware makers are moving ahead already. Piece by piece they will take away the need to have an all encompassing OS like Windows that controls everything. If the network manages and controls the applications and data, and runs on VMs, then even a traditional OS is just a commodity application on the network. The modern OSs have commoditized servers. Now the h/w and VM makers are trying to commoditize the OS. Sure, Windows has the resources to respond. The relevance of Windows still lies in its 90% desktop software dominance, and parlaying that user dependency into the future of computing. When or whether that dominance will be slowly chipped away through these new developments in mobile and cloud computing advances, hard to say, but sure it's fun to watch all these tech companies fighting for a bigger stake in the ever changing new fields.