Building the Secure Resilient Data Center

Brad Black
Dan DeBacker
Enterprise Solutions Engineering
Enterprise CTO Office
February 2007

Abstract

• Leveraging industry-leading solutions in resiliency and security, the Nortel Secure Resilient Data Center Solution Architecture is designed to meet the goals of Enterprises and Service Providers as they deploy business-critical applications and services to both internal and external application users. The architecture centers on the ability to provide security, high availability, flexibility, and application awareness and intelligence.

Industry Trends*

Consolidation / Centralization:
• Drivers: Cost, Complexity, Regulatory Compliance, Security
• Challenges:
  • Enhance capacity of: Networking, Redundancy, Computing, Storage and Management
  • Deliver applications to remote users without compromising experience
Growth:
• Servers: 11% per year
• Storage: 22% per year
• Challenges: Space, Power, Cooling, Flexibility
Availability:
• Drivers: The Data Center *is* the Business… 24x7x365
• Challenges: Natural Disasters & Need for Multi-Site Redundancy
Operational Efficiency:
• Drivers: Reduce Cost, Compliance (COBIT, ITIL), Time to Service
• Challenges: See Above!

* Nemertes, April 2006
Resource Usage & Virtualization

• Even as IT consolidates and centralizes application and storage resources…
• Independent servers and storage are still deployed for each architectural tier and for each IT project and application

[Figure: Payroll, CRM and ERP each with their own Web / Front-End Tier, App Server Tier, Database Tier and Storage Tier]
5
Result: Under-Utilization & Over-Provisioning

[Figure: per-server utilization for each application across the Production, HA / DR, Development and Test environments; individual servers run between 5% and 28% utilized, with per-application averages of 11%, 16% and 13%]

5-10x CAPEX / OPEX!!


Solution: Virtualization

[Figure: multiple virtual machines (VM 1 … VM 6), each with its own OS and applications, on one physical server]

• Multiple Virtual Machines on each physical server
• Data Center Networking, Security and Application Services Architecture must support this trend
Secure Resilient Data Center Goals

• Security
  • Layered Defense
  • Threat Protection
  • Closed Loop – Policy Audit, Vulnerability Assessment, Asset / Service Awareness
• High Availability
  • Resilient 24x7, 5x9's Approach
  • Switch Clustering eliminates any single point of failure
  • Efficient: Active-Active links with fast failover
• Flexibility
  • Modular
  • Scalable
  • Virtualized
• Application Awareness and Intelligence
  • Identify, Accelerate, Optimize, and Prioritize Applications
  • Intelligent Traffic Management and Application Acceleration
  • Application Switching and Load Balancing
Data Center Architecture

Data Center Architecture – Resilient View

[Figure: IP WAN at the top; Terabit Cluster core with SMLT / RSMLT to the distribution layer; distribution layer Switch Clusters with SMLT / Trunk connections to the Security / Application Services, to stackable and modular Ethernet Routing Switches at the server access layer, to the server groups, and to a Fibre Channel Switch / Storage Area Network / BCS for the SAN]

1 Core Switching
• Terabit Cluster
• High Availability
• OSPF / RIP / BGP / RSMLT
• QoS / Policing / Shaping

2 Distribution Layer
• 1GbE / 10GbE Uplinks
• SMLT for resiliency
• Scalable Switch Clusters
• Layer 2 / Layer 3

3 Security / Application Services
• Threat Protection
• Switched Firewall / NAT
• Intelligent Traffic Mgmt
• Application Acceleration
• SSL Offload
• Server Load Balancing

4 Server Access
• Rack Switch
• Row Chassis Switch
• 1GbE / 10GbE Uplinks
• SMLT / NIC Team / 802.3ad

5 Server Groups
• Secure Multimedia Zone
• App / DB / Web Services
• Core Services: DNS / DHCP / LDAP

6 SAN
• Storage Extension
• Disaster Recovery
• Multi-service
• Data Center Virtualization
Data Center Architecture – Security & Application Services View

[Figure: the same topology as the Resilient View, annotated with the security and application services applied at each layer]

1 Core Switching
• Routing Protocol Security
• Anti-Spoofing Filters
• Screening ACLs

2 Distribution Layer
• Traffic Shaping / Policing
• Trunking to Security Svcs
• VLAN Isolation

3 Security / Application Services
• Threat Protection
• Switched Firewall / NAT
• Intelligent Traffic Mgmt
• Application Acceleration
• SSL Offload
• Server Load Balancing

4 Server Access
• VLAN Isolation
• ARP Spoofing Protection
• Distributed IDS Sensors

5 Server Groups
• Host IDS
• Patch Management
• Vulnerability Assessment
• Host / Service Profiling

6 SAN
• Storage Extension
• Disaster Recovery
• Multi-service
• Data Center Virtualization
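The "Anti-Spoofing Filters" and "Screening ACLs" listed under Core Switching are the classic checks at the WAN edge: nothing enters claiming one of our own or a reserved source address, nothing transits to a destination we do not own, management and routing-protocol ports are reachable only from where they should be, and nothing leaves with a foreign source (BCP 38). The following is an added example, not Nortel code or ERS ACL syntax: a Python model of that screening decision. The prefixes, BGP peer, screened ports and sample packets are all invented for the example.

```python
"""Added example: screening decisions at a WAN-facing core interface.
All prefixes, BGP peers and packets below are constructed for the example."""
import ipaddress

# Prefixes this data center owns and advertises (assumed values).
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Sources that can never legitimately arrive from the WAN.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

# Management services that are screened at the edge (assumed list).
SCREENED = {("tcp", 22), ("tcp", 23), ("udp", 161), ("udp", 162), ("tcp", 3389)}

# Routers allowed to open BGP sessions to the core (assumed value).
BGP_PEERS = {"192.0.2.1"}


def _in(addr, nets):
    return any(addr in n for n in nets)


def screen(direction, src, dst, proto="tcp", dport=None):
    """Decide one packet at the WAN edge.
    direction: 'in' (WAN -> core) or 'out' (core -> WAN).
    Returns ('permit', None) or ('drop', reason)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in":
        if _in(s, BOGONS):
            return "drop", "bogon source"
        if _in(s, OUR_PREFIXES):
            # Anti-spoofing: our own addresses never arrive from outside.
            return "drop", "spoofed internal source"
        if not _in(d, OUR_PREFIXES):
            return "drop", "not destined to our prefixes"
        if (proto, dport) == ("tcp", 179):
            # Routing protocol security: BGP only from configured peers.
            if src in BGP_PEERS:
                return "permit", None
            return "drop", "BGP from non-peer"
        if (proto, dport) in SCREENED:
            return "drop", f"management service {proto}/{dport} screened"
        return "permit", None
    if direction == "out":
        # BCP 38 egress: nothing leaves with a source address we do not own.
        if not _in(s, OUR_PREFIXES):
            return "drop", "egress source not ours"
        return "permit", None
    raise ValueError(f"unknown direction {direction!r}")


def audit(packets):
    """Apply screen() to (direction, src, dst, proto, dport) tuples and
    return only the drops, as (packet, reason)."""
    out = []
    for pkt in packets:
        verdict, reason = screen(*pkt)
        if verdict == "drop":
            out.append((pkt, reason))
    return out


# Constructed sample packets (not captured traffic).
SAMPLE = [
    ("in", "192.0.2.55", "203.0.113.10", "tcp", 443),     # normal web client
    ("in", "203.0.113.99", "203.0.113.10", "tcp", 443),   # spoofs our own range
    ("in", "10.1.2.3", "203.0.113.10", "udp", 53),        # RFC 1918 source from WAN
    ("in", "192.0.2.55", "192.0.2.200", "tcp", 80),       # transit attempt
    ("in", "192.0.2.55", "203.0.113.1", "tcp", 22),       # ssh to the core router
    ("in", "192.0.2.1", "203.0.113.1", "tcp", 179),       # configured BGP peer
    ("in", "192.0.2.55", "203.0.113.1", "tcp", 179),      # BGP from a stranger
    ("out", "203.0.113.10", "192.0.2.55", "tcp", 443),    # normal reply
    ("out", "172.16.0.5", "192.0.2.55", "tcp", 443),      # leaked private source
]

if __name__ == "__main__":
    for pkt, reason in audit(SAMPLE):
        print("DROP", pkt, "->", reason)
```

Order matters: the bogon and anti-spoofing tests come before any service-level rule, so a packet that spoofs a configured BGP peer from the wrong side of the interface still fails the direction check rather than reaching the peer allow-list.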
Nortel Switch Clustering

• Switch Clustering
  • N-1 Resiliency Model
  • Split Multilink Trunking (SMLT)
  • Interoperable with ANY 3rd party edge
• Combines Resiliency & Performance
  • All links passing traffic
  • Sub-second stateful failover
  • No Spanning Tree
• Virtual "Switch" Fabric
  • Centralized or distributed
  • Increased performance using full capacity
  • No single point of failure
• Scalable
  • Standalone / Stackable / Modular Chassis
  • Single pair / Square / Full Mesh
  • Mbps → Gbps → Tbps

[Figure: trunks distributed between slots in a chassis, between switches in a stack, and between switches in a cluster, forming a Virtual Switching Fabric]
Nortel Appliance Clustering

• Cluster supports up to 255 nodes
• Master nodes
  • Up to 4 (MIP owner)
  • Read / Write: allows config changes
• Slave nodes
  • Read only: receive config changes from Masters
• MIP - cluster management IP
  • https://mipcluster.com
• SSI - Single System Image
  • Keeps all cluster member configs synchronized
  • Automatic config / image software management
  • Distributed alarm and event management
• Benefits:
  • Massive Scalability
  • Superior Resiliency
  • Operational Simplicity

[Figure: MASTER / MASTER pair at the top of the cluster, Slaves below]

"… to Nortel's credit … clustering their boxes was also a painless process." (Network World)
Server Load Balancing

• Used when a single physical application / web / database server cannot support adequate Simultaneous Users, Throughput, Transaction Rate or Resiliency
• Uses metrics to intelligently distribute load (Response Time, Number of Connections, Bandwidth, Dynamic Metrics) while maintaining "persistence" to ensure that user sessions use the same physical server
• Health checks continually monitor the server and the end-to-end application
• Multiple Services / Applications on a single Application Switch
• Significant Security Benefits and Traffic Management Features
• Reduced planned and unplanned downtime - facilitates in-service maintenance
• Each Application's physical infrastructure is virtualized as a single high-capacity, highly-available service
• Concept equally applies to network devices such as VPN Gateways, Firewalls, IDS Sensors

[Figure: Users reach the Virtual Server Addresses app1.example.com and app2.example.com on redundant Active / Active Application Switches, which distribute server connections across real servers s1-app1, s1-app2, s1-app3, s3-app1, s3-app3 …; Seamlessly Grow Capacity; Zero Impact for Server Maintenance and Failure; Intelligent Application Performance Metrics]
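The bullets above describe four behaviours that interact: metric-based selection, persistence, health checks that remove a real server only after repeated failures, and draining a server for in-service maintenance. The following is an added example, not Nortel Application Switch code: a Python model of one virtual server showing how those four behaviours combine, in particular that a sticky client follows its server until that server fails its health check, and that a draining server keeps its existing sessions but gets no new ones. Server names, client addresses and the probe are invented.

```python
"""Added example: the selection logic an application switch applies behind a
virtual server address. Server names and probe results are constructed."""
from dataclasses import dataclass


@dataclass
class RealServer:
    name: str
    healthy: bool = True      # passed its last health check
    draining: bool = False    # in-service maintenance: no new sessions
    connections: int = 0      # open client connections
    response_ms: float = 0.0  # last measured application response time
    failures: int = 0         # consecutive failed health probes


class VirtualServer:
    """One VIP (e.g. app1.example.com) fronting a pool of real servers."""

    def __init__(self, servers, metric="least_conn", max_failures=3):
        self.pool = {s.name: s for s in servers}
        self.metric = metric
        self.max_failures = max_failures
        self.persistence = {}  # client address -> real server name

    def health_check(self, probe):
        """probe(server) -> bool, e.g. an HTTP GET that must return 200.
        A server is removed after max_failures consecutive failures and
        returned to service by a single success."""
        for s in self.pool.values():
            if probe(s):
                s.failures, s.healthy = 0, True
            else:
                s.failures += 1
                if s.failures >= self.max_failures:
                    s.healthy = False

    def drain(self, name):
        """Stop sending new sessions to a server so it can be taken out
        for maintenance once its existing sessions finish."""
        self.pool[name].draining = True

    def _pick(self):
        candidates = [s for s in self.pool.values()
                      if s.healthy and not s.draining]
        if not candidates:
            raise RuntimeError("no real servers available behind VIP")
        key = {"least_conn": lambda s: (s.connections, s.name),
               "response_time": lambda s: (s.response_ms, s.name)}[self.metric]
        return min(candidates, key=key)

    def select(self, client):
        """Return the real server for a new connection from client, honouring
        persistence while the sticky server is still healthy (even if it is
        draining: existing users finish on the server they started on)."""
        sticky = self.persistence.get(client)
        if sticky is not None and self.pool[sticky].healthy:
            chosen = self.pool[sticky]
        else:
            chosen = self._pick()
            self.persistence[client] = chosen.name
        chosen.connections += 1
        return chosen.name

    def release(self, name, response_ms):
        """Connection closed: update the dynamic metrics for that server."""
        s = self.pool[name]
        s.connections = max(0, s.connections - 1)
        s.response_ms = response_ms


def demo():
    """Walk through selection, persistence, failure and drain. Returns the
    sequence of real servers chosen."""
    vip = VirtualServer([RealServer("s1-app1"), RealServer("s1-app2"),
                         RealServer("s3-app1")])
    first = vip.select("192.0.2.10")       # all idle: s1-app1 by name order
    second = vip.select("192.0.2.11")      # s1-app1 busy: s1-app2
    again = vip.select("192.0.2.10")       # persistence: s1-app1 again
    # s1-app1 stops answering; three failed probes take it out of the pool.
    for _ in range(3):
        vip.health_check(lambda s: s.name != "s1-app1")
    moved = vip.select("192.0.2.10")       # sticky server dead: re-pick
    vip.drain("s3-app1")
    new_client = vip.select("192.0.2.12")  # draining server gets no new sessions
    return first, second, again, moved, new_client


if __name__ == "__main__":
    print(demo())
```

A real switch keys persistence on a cookie or SSL session ID rather than only the client address, so that users behind one NAT gateway are not all pinned to a single server; the address-keyed map above is the simplest form of the same idea.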
Application Acceleration

• Improves end-user quality of experience (fingertips-to-eyeballs response) by improving web-based application performance 5-20x.
• Allows centralization of applications in the data center or regional branch to reduce TCO.
• Reduces the load on, and optimizes the performance of, the application servers to improve application server efficiency and minimize application server investment.
• Reduces bandwidth requirements for network links.
• Deployed asymmetrically (in the data center only, with no branch office component) so the solution is very manageable and cost effective.
• Deployed near the application servers so that a single deployment can serve many end-points including branch office users, road warriors, remote users and customers.

[Figure: End-User → Network → Application Switch with Intelligent Traffic Management → Application Accelerator (SSL Acceleration, HTTP Compression, Browser Cache Offload, Delta Encoding, Connection Pooling, HTTP Redirection, Server Load Balancing, Denial of Service Protection; Inbound Acceleration / Outbound Acceleration) → Web Server Farm → Application Farm → Database]
Storage Extension / Virtualization

[Figure: Primary Data Center with Database Servers, Application Servers and Backup Servers, Tape Drives and Storage Arrays on a Fibre Channel Storage Area Network via FC Switch, the Data Center LAN via L3 Switch, and BCS 3000 Storage Networking; Ethernet / WDM MAN / WAN, 0 to >1000 km, to the Secondary Data Center's BCS 3000 Storage Networking]

SAN Requirements
• Data Center to Data Center connectivity for Fibre Channel & Gigabit Ethernet
• Multiple storage networks add cost through point-solution conversion appliances and WAN technologies
• Storage replication, migration and backup require low-latency, high-performance WAN links regardless of protocol
• Storage application bandwidth requirements vary depending on the time of day

Storage Virtualization
• Critical component of overall Data Center Virtualization
• Must virtualize storage without requiring complex management of local storage resources
• Eliminate WAN latency and bandwidth constraints
• Automate failover decisions
Data Center Components
Multi-Tier Architecture
Ethernet Infrastructure

Internet Edge / Core Switching Layer: Terabit Switch Cluster
• 10/100/1000/10GbE
• SMLT for resiliency
• Layer 3 Connectivity
• High Availability
• Campus and Internet Connectivity

Distribution Layer: Resilient Terabit / Switch Cluster
• 10/100/1000/10GbE
• SMLT for resiliency
• Layer 2 VLAN Isolation
• Resilient Layer 3 Routing
• Security / Application Services: Switched Firewall, Threat Protection System, Server Load Balancing, Intelligent Traffic Mgmt, SSL Acceleration, Application Acceleration

Server Access Layer
• Dual-homed Server Connectivity
• 10/100/1000/10GbE
• TPS for Intrusion Detection
• Access options, each with a 1 Gig mirrored TPS Sensor:
  • Row Switch: 384 x 10/100/1000, n x 1 Gig SMLT uplinks
  • Rack Switch: 48 x 10/100/1000, 2 x 1 Gig SMLT uplinks
  • Rack Switch Stack: 96 x 10/100/1000, 4 x 1 Gig SMLT uplinks
  • Rack Switch Stack: 48 x 10/100/1000, 4 x 10 Gig SMLT uplinks
  • Switch Cluster: SMLT to servers, 48-384 servers, n x 1 Gig / 10 Gig SMLT uplinks
Two Tier Architecture
Ethernet Infrastructure

Internet Edge / Core Switching Layer: Terabit Switch Cluster
• 10/100/1000/10GbE
• SMLT for resiliency
• Layer 3 Connectivity
• High Availability
• Campus and Internet Connectivity

Resilient Distribution / Server Access Layer: Terabit / Switch Cluster
• 10/100/1000/10GbE
• SMLT for resiliency
• Collapse Distribution / Server Access Layers
• Layer 2 VLAN Isolation
• Resilient Layer 3 Routing
• Security / Application Services: Switched Firewall, Threat Protection System, Server Load Balancing, Intelligent Traffic Mgmt, SSL Acceleration, Application Acceleration
• Dual-homed Server Connectivity
• TPS for Intrusion Detection

Ideal for Data Centers with 200 or Fewer Servers
• All Servers can be Dual-Homed for Ultimate Resiliency
• Security and Application Services → Building Block Approach
Scalable Solution
• Can Create a Server Access Layer as Requirements Increase
• No Need to Change Overall Data Center Architecture
Internet Edge / Core Switching
Ethernet Infrastructure

[Figure: IP WAN connected over 1 GbE or 10GbE links to the Terabit Cluster core (Ethernet Routing Switches); below it the Resilient Distribution Layer with Security Services, Server Access and Server Zones]

Core → IP WAN
• Redundant physical paths
• Layer 3 (RIP, OSPF, BGP, Static)
• Protocols - IP WAN dependent

Core → Distribution Layer
• Redundant physical paths
• Switch Clustering (SMLT)
• Square or Full Mesh
• Layer 3 (RIP, OSPF, Static)
• RSMLT (Layer 3 Resiliency)

Scalability
• 1GbE or 10GbE uplinks into the Resilient Distribution Layer (non-blocking wire speed)
• Replicate Clusters in the Distribution Layer to accommodate a growing number of connections
• Allows for virtualization of security services across the Server Access Layer
Resiliency
• SMLT from the Terabit Cluster Distribution Layer into the Terabit Switching Core
• Sub-100ms failover upon link failure
• A single Cluster can scale to support 20 Distribution Clusters - 10GbE non-blocking
Resilient Distribution Layer
Ethernet Infrastructure

[Figure: Ethernet Routing Switch cluster at the distribution layer with VPN Gateway, TPS Sensor, Application Accelerator, Application Switch with Intelligent Traffic Management and Switched Firewall Cluster attached, and 1 GbE or 10GbE Layer 2 links down to the Server Access Layer]

Distribution Layer
• Flexibility per Cluster
  • 10/100/1000
  • 1GbE Fiber
  • 10GbE Fiber
Distribution → Server Access
• Redundant physical paths
• Switch Clustering (SMLT)
• Layer 2

Scalability
• Replicate ERS Clusters to accommodate a growing number of connections
• Cluster Security and Application Services for scalability / resiliency / Active-Active configurations
• Allows for virtualization of security services across the Server Access Layer
Resiliency
• SMLT from the Terabit Cluster Distribution Layer into the Terabit Switching Core and the Server Access Layer
• Dual connect all Security Services
• Sub-100ms failover upon link failure
Resilient Distribution Layer
Security & Application Services

Security Services tied to the Distribution Layer provide flexible, multi-Gigabit, zone-based security: "Zone"-specific policies and security processing are applied per VLAN.

Nortel Switched Firewall
• Separate Clean / Dirty Trunks (4-8GbE) using 802.1Q Tagging
• Accelerated CheckPoint Firewall and NAT
• Scales to 200+ VLANs / Interfaces for multiple server subnets / zones
VPN Gateway
• Enable Secure Remote Management via VPN Capability
• SSL and/or IPsec
• Seamlessly Cluster with or without Application Switch
Threat Protection System
• Real-Time Threat Intelligence Sensors profile Data Center Assets: Host OS Type, Vendor, Version, Services, Server Process Versions
• Map to Host Vulnerability Database and correlate to IDS / IPS events
• Intrusion Sensor Placement
  • Distributed Model at Server Access Layer
  • Centralized Model at Distribution Layer
Nortel Application Switch / ITM
• Advanced, High-Performance DoS Protection & Traffic Management
• Symantec First Attack Protection (Scalable, High-Confidence IPS)
• Application / Server / Appliance Load Balancing (local & global)
Application Accelerator
• Accelerates web-based application performance (5-20x)
• High Performance SSL Solution - 1Gbps / 4000 TPS (transactions per second)
• Simplify SSL Certificate Management and Reduce Cost
Resilient Distribution Layer
Security & Application Services – Logical View

• Virtualize Security Services
  • VLAN Isolation in Distribution Layer
  • Map VLANs through Security / Application Services to isolate traffic
• Resiliency
  • Clustering for box redundancy
  • Trunking at Physical Layer
  • Load balancing at Service and Application Layer
• Scalability
  • Services can be added without impacting the overall design
• Performance (device)
  • 7 Gbps FW
  • 4 Gbps IPS Sensors
  • 1 Gbps SSL

[Figure: Distribution Layer Application Switch load-balancing VPN Gateway Clusters, Switched Firewall Clusters, TPS Sensors, Web & Application Servers and Application Accelerators]
Resilient Server Access Layer
Ethernet Infrastructure

[Figure: three access connectivity models between the Distribution Layer (GbE / 10GbE SMLT) and servers (10/100/1000/10GbE): SMLT / NIC Team to an Access Layer Switch Cluster; DMLT / NIC Team to a single Access Layer Switch; single server NIC to a single Access Layer Switch]

Scalability
ERS 8600 Chassis
• Use for Switch Cluster or Row Switch
• 10GbE uplinks to Distribution Layer
• SMLT to NIC Team Server Connections
• 384 ports 10/100/1000
• 240 ports Small Form Pluggable (SFP)
• 24 ports 10GbE
ERS 5530 Stackable
• Use for Row Switch (stack) or Rack Switch
• 10GbE Uplinks to Distribution Layer
• SMLT or DMLT to NIC Team Server Connections
• 96 ports 10/100/1000 + 96 ports SFP + 16 ports 10GbE
ERS 8300 Chassis
• Use for Row Switch
• 1GbE Uplinks to Distribution Layer
• SMLT or DMLT to NIC Team Server Connections
• 384 ports 10/100/1000

Resiliency
• SMLT to Servers and Distribution Layer
• All links active and no Spanning Tree
• Sub-second to Sub-100ms Failover
• Chassis Solutions provide Dual Active Switch Fabrics
• Stackable Solutions provide Resilient Stacking Architecture

Bandwidth
• ERS 8600 Terabit Cluster → 1.2Tb Switching Capacity
• ERS 8300 Switch Cluster → 640Gb Switching Capacity
• ERS 5500 → 160Gb Switch Fabric w/ 640Gb Stack Capacity
Resilient Server Access Layer
Security Services

[Figure: the same three access connectivity models, each with a TPS Sensor attached to the Ethernet Routing Switch]

Server Zones
Provide the ability to segregate servers into logical groupings based on security access requirements, functionality, or bandwidth requirements.
• Secure Multimedia
• Network Services (RADIUS, DNS, DHCP, NTP, etc.)
• Mission Critical Applications (ERP, HR, etc.)
• Normal Enterprise Applications

TPS Deployment
Flexible deployment options for Intrusion Sensors based on Access Layer connectivity for Server Zones. A row switch supports multiple servers in a physical row (multiple racks); a rack switch supports all servers in a single rack.
Row Switch
• Maximize Blade Center Uplinks
• Port Mirror Uplink Ports (Tx/Rx) to Distribution Layer
• Select VLANs to Monitor
• Scale as Needed
Rack Switch
• Single Gbps TPS Sensor per Rack
• Mirror ERS Rack Switch Using Two Sensing NICs on TPS
• Central Management / Analysis from Defense Center
• Active Response
  • Nortel Switched Firewall
  • Nortel Application Switch
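Within a server zone the access switch is also where the "ARP Spoofing Protection" named in the Security & Application Services view is enforced: a server in the zone must not be able to answer ARP for the default gateway or for a neighbouring server and so pull that traffic past the firewall and the TPS sensor. The following is an added example, not Nortel ERS code: a Python model of dynamic-ARP-inspection style validation, where every ARP packet from an untrusted server port is checked against a binding table (learned by DHCP snooping or entered statically) and uplink ports toward the distribution layer are trusted. The VLAN, ports, MAC / IP bindings and sample frames are invented.

```python
"""Added example: dynamic-ARP-inspection style validation of ARP traffic at a
server access switch. Bindings, ports and frames are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    vlan: int
    port: str
    mac: str
    ip: str


# Trusted bindings for one server zone: learned from DHCP snooping or entered
# statically for servers with fixed addresses (assumed values).
BINDINGS = {
    Binding(10, "1/1", "00:1b:25:aa:00:01", "10.10.0.11"),
    Binding(10, "1/2", "00:1b:25:aa:00:02", "10.10.0.12"),
    Binding(10, "1/3", "00:1b:25:aa:00:03", "10.10.0.13"),
}
# Uplinks toward the distribution layer (where the default gateway lives) are
# trusted and not inspected; every server-facing port is untrusted.
TRUSTED_PORTS = {"1/47", "1/48"}


def inspect_arp(frame):
    """frame: dict with vlan, in_port, eth_src, op, sha, spa (sender MAC/IP).
    Returns (verdict, reason) where verdict is 'forward' or 'drop'."""
    if frame["in_port"] in TRUSTED_PORTS:
        return "forward", "trusted port"
    sha, spa = frame["sha"].lower(), frame["spa"]
    if frame["eth_src"].lower() != sha:
        return "drop", "ethernet source MAC differs from ARP sender MAC"
    match = [b for b in BINDINGS if b.vlan == frame["vlan"] and b.ip == spa]
    if not match:
        # No host on an untrusted port may claim an address it is not bound
        # to; this is what stops a server answering for the gateway.
        return "drop", f"no binding for sender {spa} in VLAN {frame['vlan']}"
    b = match[0]
    if b.mac != sha or b.port != frame["in_port"]:
        return "drop", f"{spa} is bound to {b.mac} on port {b.port}"
    return "forward", "binding ok"


def audit(frames):
    """Return (frame, reason) for every dropped frame."""
    return [(f, r) for f in frames for v, r in [inspect_arp(f)] if v == "drop"]


# Constructed ARP frames as seen on the access switch (not captured traffic).
SAMPLE = [
    dict(vlan=10, in_port="1/1", eth_src="00:1b:25:aa:00:01", op="request",
         sha="00:1b:25:aa:00:01", spa="10.10.0.11"),                 # legitimate
    dict(vlan=10, in_port="1/48", eth_src="00:1b:25:00:ff:01", op="reply",
         sha="00:1b:25:00:ff:01", spa="10.10.0.1"),                  # gateway via uplink
    dict(vlan=10, in_port="1/3", eth_src="00:1b:25:aa:00:03", op="reply",
         sha="00:1b:25:aa:00:03", spa="10.10.0.1"),                  # server poses as gateway
    dict(vlan=10, in_port="1/3", eth_src="00:1b:25:aa:00:03", op="reply",
         sha="00:1b:25:aa:00:03", spa="10.10.0.11"),                 # server poses as a peer
    dict(vlan=10, in_port="1/2", eth_src="00:1b:25:aa:00:02", op="reply",
         sha="00:1b:25:aa:00:99", spa="10.10.0.12"),                 # forged sender MAC
]

if __name__ == "__main__":
    for frame, reason in audit(SAMPLE):
        print("DROP port", frame["in_port"], "->", reason)
```

The check is deliberately strict: an address with no binding at all is dropped rather than allowed, so servers with static addresses must be entered in the table before they can ARP, which is the usual operational cost of this control.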
Vertical Stacking
Ethernet Infrastructure – Server Access Layer

[Figure: a vertical stack of rack switches with 2GbE to 80GbE uplinks (Scalable Multilink Trunking into the Switch Cluster)]

"Normal" Vertical Stacking
• Low latency between servers (9µs)
• Highly resilient stacking technology with scalable uplinks
• Must run cables to servers - difficult to manage
Horizontal Stacking
Ethernet Infrastructure – Server Access Layer

Extend a stack across 8 cabinets - total stack distance up to 35 meters

[Figure: 640 Gbps resilient switching capacity across the cabinets; 2GbE to 80GbE uplinks (Scalable Multilink Trunking into the Switch Cluster); Fault-Tolerant or Load-Sharing NIC Teaming into the stack]

Horizontal Stacking
• Low latency between servers (9µs)
• Flexibility to spread across multiple data cabinets (100s of servers)
• Highly resilient stacking technology with scalable uplinks
• Ideal for Grid Computing and High-Performance Computing Solutions: Very High Node-to-Node Communications Bandwidth
Security & Application Services
Physical Traffic Separation – Logical Flow

• Traffic Flow can be physically isolated through some or all layers of the Data Center
  • Separate Switch Clusters for each segregated area
  • Separate Server Access Layer Switches
  • Separate Security / Application Layer Services
    • Firewall
    • Application Switch
    • SSL Offload
• Firewalls between different tiers of VLANs
  • No server-to-server direct access between tiers
• Server traffic in the same tier can be physically or virtually isolated

[Figure: IP WAN → Core Routing VLAN; each application's Virtual Server VLAN resides on a separate Switch Cluster with its own Firewall, TPS Sensor (traffic mirror), Application Switch and SSL Offload; Web Tier VLAN, Application Tier VLAN and Database Tier VLAN reside on separate Row / Rack Switches, with their Web, Application and Database Servers]
Security & Application Services
Virtualized Traffic Separation – Logical Flow

• Virtualization can isolate traffic flow through all layers of the Data Center
• Shared physical resources at each layer allow for better overall utilization and lower TCO while maintaining security
  • Firewall
  • Application Switch
  • SSL Offload
• Firewalls between different tiers of VLANs
• Same result as when using physical isolation; however, virtualization allows use of shared resources
• Map VLANs from the Server Access Layer back through to the Firewall to maintain security and isolation

[Figure: IP WAN → Core Routing VLAN; Virtual Server VLANs may reside on the same Switch Cluster and share one Firewall, TPS Sensor (traffic mirror), Application Switch and SSL Offload; Web Tier VLAN, Application Tier VLAN and Database Tier VLAN may reside on the same Row / Rack Switch, with their Web, Application and Database Servers]
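Whether the tiers are separated physically or by VLAN mapping, the security property is the same: a flow may only cross from one tier VLAN to the next through the firewall, in the web → app → db direction and on the expected port, with no direct web → db path and nothing initiated from an inner tier back out. The following is an added example, not Nortel Switched Firewall policy: a Python model of that inter-tier policy and an audit of flow records against it. The tier subnets, ports and sample flows are invented, and the example treats the web tier as receiving plaintext HTTP because the application switch in front of it has already offloaded SSL.

```python
"""Added example: the inter-tier policy a firewall enforces between web,
application and database VLANs, plus an audit over flow records. VLAN
numbers, subnets, ports and flows are constructed."""
import ipaddress

# Server tiers, one VLAN / subnet each (assumed values).
TIERS = {
    "web": ipaddress.ip_network("10.20.0.0/24"),   # VLAN 20
    "app": ipaddress.ip_network("10.30.0.0/24"),   # VLAN 30
    "db":  ipaddress.ip_network("10.40.0.0/24"),   # VLAN 40
    "svc": ipaddress.ip_network("10.50.0.0/24"),   # VLAN 50: DNS / LDAP core services
}

# Permitted inter-tier flows: (from tier, to tier, proto, dport). "*" means
# any server tier. Anything between tiers that is not listed is denied; in
# particular there is no web -> db rule and nothing is initiated toward the
# web tier from inside.
POLICY = [
    ("wan", "web", "tcp", 80),     # plaintext from the SSL-offloading app switch
    ("web", "app", "tcp", 8080),
    ("app", "db",  "tcp", 1433),
    ("*",   "svc", "udp", 53),
    ("app", "svc", "tcp", 389),
]


def tier_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in TIERS.items():
        if addr in net:
            return name
    return "wan"


def decide(src, dst, proto, dport):
    """Return ('permit', rule), ('permit', 'intra-tier') or ('deny', None)."""
    s, d = tier_of(src), tier_of(dst)
    if s == d and s != "wan":
        # Same tier: not firewalled here; isolate physically or per VLAN.
        return "permit", "intra-tier"
    for rule in POLICY:
        f, t, p, port = rule
        if (f == s or (f == "*" and s != "wan")) and t == d \
                and p == proto and port == dport:
            return "permit", rule
    return "deny", None


def audit(flows):
    """flows: (src, dst, proto, dport) records. Return the denied ones."""
    return [f for f in flows if decide(*f)[0] == "deny"]


# Constructed flow records (not captured traffic).
SAMPLE = [
    ("192.0.2.10", "10.20.0.5", "tcp", 80),     # client -> web (via app switch)
    ("10.20.0.5", "10.30.0.7", "tcp", 8080),    # web -> app
    ("10.30.0.7", "10.40.0.9", "tcp", 1433),    # app -> db
    ("10.20.0.5", "10.40.0.9", "tcp", 1433),    # web -> db: skips the app tier
    ("10.30.0.7", "10.20.0.5", "tcp", 22),      # app -> web: reverse direction
    ("10.40.0.9", "192.0.2.10", "tcp", 443),    # db -> Internet: exfiltration path
    ("10.20.0.5", "10.20.0.6", "tcp", 8443),    # web -> web: intra-tier
    ("10.40.0.9", "10.50.0.2", "udp", 53),      # db -> DNS in the services zone
]

if __name__ == "__main__":
    for flow in audit(SAMPLE):
        print("DENY", flow)
```

Running the audit over real flow exports is the quickest way to find paths that bypass the firewall after a VLAN mapping change: any permitted flow that the firewall never logged is a tier boundary that is no longer being enforced.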
Dependability Analysis – Results
Best Practices

• Create an Architecture that will be
  • Secure
  • Resilient
  • Scalable
  • Positioned for Service Virtualization
• Security in the Architecture:
  • Layered Defense
  • Building Block Approach
  • Control Access into and out of the Data Center
• Service Availability in the Architecture:
  • Nortel Switch Clustering providing a resilient Ethernet infrastructure
  • Security and Application Clustering providing resilient security services
  • Intelligent Load-Balancing providing resiliency and better resource utilization
  • Dual-home all Server Connections, providing resiliency and increased bandwidth
• Scalability in the Architecture:
  • Utilize a two-tier or three-tier architecture where appropriate
  • Plan for future service expansion → physical devices or virtualized
  • Create the long-term plan and build to it - don't re-design on the fly
• Virtualization in the Architecture:
  • Determine the level of virtualization versus physical traffic separation to be deployed
  • Use VLANs to virtualize traffic separation where appropriate
  • More virtualization provides increased operational flexibility without compromising security
  • Resource optimization increases with virtualization
Customer Case Studies
Communications Service Provider
Server Farm Challenges

• Consolidation of Server Footprint:
  • Standardizing on Blade Servers for new Applications
  • Need for 4 x 1GbE resilient trunking per chassis and scale for > 100 chassis
• High Performance
• Scalability
• Highly Resilient / Non-Stop Access to Mission Critical Applications
• Simplification
Communications Service Provider
Resilient Terabit Server Farm Architecture

[Figure: Blade Center Servers with 4-8 port GbE MLT into ERS 5510 access switches, 4-8 port 10GbE SMLT into the Terabit Service Cluster (two Ethernet Routing Switch 8600s), and a 10 GbE SMLT Cluster toward Intranet / Internet; Legacy Servers; Application Switch 3408, NAS 3408, NVG 3050 and VPN Gateway 3070 (SSL Acceleration) attached to the cluster; ONMS / JDM / ASEM management; NML]
Communications Service Provider
Meeting Server Farm Challenges

• Consolidation of Server Footprint
  • Introduction of Blade Servers (note Application Switch integration)
  • Consolidation of certificates
• High Performance
  • State-of-the-art server platforms
  • Gig Multi-Link fanout
  • Server load balancing
  • SSL offload
• Scalability
  • 128+ Blade Server Chassis to support Service PoP application requirements
  • ERS 8600: High-Density L2/L3 switch (384 GbE ports - 720Gbps per switch)
  • 10Gig Split-MLT Cluster for active-active connections to Blade Servers with sub-second failover
  • SSL Offload
• Highly Resilient / Non-Stop Access to Mission Critical Applications
  • Sub-second failover on Terabit core
  • Active-active connections to Blade Servers with sub-second failover
  • Application Switch health checks
  • DoS, Symantec, Rate Limiting
• Simplification
  • Use of Split Multi-Link Trunking to eliminate STP
  • Traffic Reporting / Bandwidth Management
  • Consolidated Network Management
Diversified Financial Services Company
DMZ / Data Center Challenges

• Multi-Site: 4 High-Availability Internet / Customer-Facing Application Service Data Centers
  • Same network design replicated at all four sites
• High Security Requirements
• Applications hosted for External and Internal use
• Comprehensive vendor analysis
  • Nortel chosen based on performance, resiliency and complete solution
Diversified Financial Services Company
Resilient Terabit Server Farm Architecture

[Figure: servers on MLT into ERS 5510 access switches; ERS 8600 core cluster toward Intranet / Internet; Nortel Application Switch 2424 and Switched Firewall 5700 (CheckPoint); EMC storage; JDM / ASEM management; NML]
Communications Service Provider
DMZ Challenges

• Simplification
  • Complexity is costly and reduces the ability to respond to business requirements
• Performance
  • New applications and new types of applications require higher-performance solutions
• Enhanced Security
  • Recent technologies allow for a layered security solution that addresses all aspects of security: internal and external, wired and wireless, from perimeter to end-point
• Multimedia
  • The ability to effectively handle growing multimedia traffic requirements is essential to the ongoing effectiveness of the DMZ architecture in meeting the enterprise business requirements
• Survivability / Reliability
  • Simplification of the design significantly enhances the ability to maintain a non-stop, high-performance solution with full disaster recovery through a back-up site
• Application aware
  • The ability to manage, report and act at the application layer is key to delivering performance, persistence and security
• Migration / cutover
  • The DMZ is mission critical and the cutover had to be well planned, vetted with a capable partner and flawlessly executed
Communications Service Provider
DMZ Re-Architecture

The DMZ Re-Architecture Release solved the challenges of Internet performance, simplification and the hitless migration from the old DMZ architecture. It also formed the basis for future Releases.

1 Nortel Application Switches
• Session Persistence
• Active / Standby
• Load Balancing of Servers and VPN Routers
• Health Checks
2 Nortel Switched Firewall
• Only Accelerated CheckPoint solution available today
• Multi-Gigabit Performance
• Active / Standby Redundancy
• 1 Million Sessions
3 Nortel VPN Router 5000
• Secure Remote Access
• IPSec and SSL
• Easily integrated with SecurID

[Figure: Internet → paired Nortel Application Switches (1) → paired Nortel Switched Firewalls (2) → File / Application Cache Servers and paired Nortel VPN Routers (3, IPsec VPN Access) → paired Nortel Switched Firewalls and Nortel Application Switches → Intranet]
Communications Service Provider
Meeting the Challenges

• Simplification
  • Overall reduction in footprint - fewer firewalls, fewer application switches, etc.
  • Load-balanced firewall sandwich and its complexities removed from the design entirely and replaced with a simpler Gigabit switched firewall architecture
  • Proxy IP removed from the design
  • Fewer Gig interfaces vs. multiple 10/100
• Performance Enhancement
  • 7 Gig of throughput, 1 Million sessions, up to 100K sessions/second
  • Accelerated Firewalls vs. old server-based solution
  • Plug-and-play scalability for session capacity (firewall director)
  • Significant increase in Application Switch performance
• Enhanced Security
  • DoS Protection, Stateful Filtering, Anti-Spoofing
• Multimedia
  • Significant increase in the overall capacity and reduced latency of the DMZ
  • QoS on VPN Router / Client
• Survivability / Reliability
  • Load Balanced, Health Checks on Servers and VPN Routers
  • Full Redundancy throughout
  • Simplified network design is less prone to problems
• Application aware
  • Server Persistence
  • Application Redirection
• Migration / cutover
  • The DMZ was successfully cut over in both Ontario and Quebec in a 6-hour maintenance window without interruption to internal and external end-users and the mission critical applications
Reference / Backup
Resilient Server Access Layer
Microsoft Network Load Balancing

• Microsoft Clustering Technology
  • Part of Windows 2000 / Windows 2003 Server
  • Uses a distributed algorithm to load balance traffic across multiple hosts
• Provides high availability
  • Detects host failures
  • Automatically redistributes traffic to remaining operational hosts
• Can utilize single or multiple NICs in Servers
• Modes of Operation
  • Unicast Mode
    • Virtual IP address for Cluster
    • Single cluster MAC
  • Multicast Mode
    • Virtual IP address for Cluster
    • Single Cluster Multicast MAC

[Figure: Application A (x.x.x.10), Application B (x.x.x.20) and Application C (x.x.x.30) on an Ethernet LAN]

For detailed information on NLB, please refer to the Nortel document "Technical Configuration Guide for Microsoft Network Load Balancing".
Resilient Server Access Layer
Microsoft Network Load Balancing

• Nortel Ethernet Switch NLB Support

Ethernet Switch   Unicast Mode L2   Unicast Mode L3   Multicast Mode L2   Multicast Mode L3
ERS 5500          Yes               No (Note 2)       Yes (Note 1)        No (Note 3)
ERS 8300          Yes               No (Note 2)       Yes (Note 1)        No
ERS 8600          Yes               Yes               Yes (Note 1)        Yes (Note 4)

Note 1 – By default Windows 2003 Servers implement IGMPv3, which is not presently supported on Nortel switches. If multicast flood suppression is desired, the Windows 2003 server registry can be modified to use IGMPv1 or IGMPv2.

Note 2 – The Ethernet Routing Switch models 5500 and 8300 can provide unicast support in certain routing scenarios as long as the Network Load Balancing cluster of servers is connected to a subtended Layer 2 switch.

Note 3 – The Ethernet Routing Switch 5500 can provide multicast support in certain routing scenarios as long as the Network Load Balancing cluster of servers is connected to a subtended Layer 2 switch. The ERS 5500 supports the ability to create a static ARP entry where a Multicast MAC address is mapped to a Unicast IP address.

Note 4 – The Ethernet Routing Switch 8600 does not provide support for multicast mode with IGMP flood suppression when the Network Load Balancing cluster of servers and clients are directly connected to the switch and the switch is performing IP routing.
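The "Yes" in the Layer 2 columns, and the flood-suppression caveats in the notes, come down to how NLB uses MAC addresses. In unicast mode every host answers to one cluster MAC derived from the cluster IP but sends with a per-host masked source MAC, so a learning switch never sees the cluster MAC as a source, never learns it, and floods every frame for it to all ports in the VLAN; that is what delivers the frame to every NLB host, and it is also why the access switch must tolerate that flooding. In multicast mode the cluster MAC is a multicast address mapped to a unicast IP, which is why the static ARP entry in Note 3 is needed on a routing switch. The following is an added example, not Microsoft or Nortel code: a Python function that derives the MAC addresses from a cluster IP according to the documented NLB formats, and a minimal learning-bridge model that shows the unicast-mode flooding. The cluster IP, host priorities, client MAC and port numbers are invented.

```python
"""Added example: MAC addresses Microsoft NLB derives from the cluster IP in
each mode, and a MAC-learning switch model showing why unicast-mode traffic
floods. IP address, priorities, client MAC and ports are constructed."""


def _mac(*octets):
    return ":".join(f"{o:02x}" for o in octets)


def nlb_macs(cluster_ip, host_priority):
    """Return the MAC addresses NLB uses for cluster IP W.X.Y.Z:
    - unicast cluster MAC 02-BF-W-X-Y-Z, shared by all hosts
    - masked per-host source MAC 02-hh-W-X-Y-Z (hh = host priority), used as
      the source of outbound frames so switches never learn the cluster MAC
    - multicast cluster MAC 03-BF-W-X-Y-Z
    - IGMP multicast cluster MAC 01-00-5E-7F-Y-Z"""
    w, x, y, z = (int(o) for o in cluster_ip.split("."))
    return {
        "unicast_cluster": _mac(0x02, 0xBF, w, x, y, z),
        "unicast_source_masked": _mac(0x02, host_priority, w, x, y, z),
        "multicast_cluster": _mac(0x03, 0xBF, w, x, y, z),
        "igmp_multicast": _mac(0x01, 0x00, 0x5E, 0x7F, y, z),
    }


class Switch:
    """Minimal learning bridge: learns source MAC -> port, floods unknowns."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.table = {}

    def forward(self, src_mac, dst_mac, in_port):
        """Learn the source, then return the set of egress ports."""
        self.table[src_mac] = in_port
        out = self.table.get(dst_mac)
        if out is not None and out != in_port:
            return {out}
        return self.ports - {in_port}  # unknown destination: flood the VLAN


def unicast_flood_demo(cluster_ip="10.0.0.20"):
    """Two NLB hosts on ports 1 and 2, a client on port 3. Hosts send with
    masked source MACs; the client then sends to the cluster MAC.
    Returns (cluster MAC learned?, ports for a frame to the cluster MAC,
    ports for a frame to host 1's masked MAC)."""
    sw = Switch([1, 2, 3])
    client = "00:50:56:00:00:aa"
    hosts = {1: nlb_macs(cluster_ip, 1), 2: nlb_macs(cluster_ip, 2)}
    cluster_mac = hosts[1]["unicast_cluster"]
    for port, macs in hosts.items():
        sw.forward(macs["unicast_source_masked"], client, port)  # host -> client
    to_cluster = sw.forward(client, cluster_mac, 3)
    to_host1 = sw.forward(client, hosts[1]["unicast_source_masked"], 3)
    return cluster_mac in sw.table, to_cluster, to_host1


if __name__ == "__main__":
    print(nlb_macs("10.0.0.20", 2))
    print(unicast_flood_demo())
```

The flood is by design, but it means every host in the NLB VLAN, including any compromised one, sees all traffic to the cluster, which is a reason to give an NLB cluster its own VLAN or server zone rather than sharing one with unrelated servers.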
Layered Defense Network

[Figure: Core Network Security, Perimeter Security, Secure Communications and Endpoint Security layers across the enterprise: an Internet-facing DMZ with Switched Firewall, Application Switches, Threat Protection System Intrusion Sensors, VPN Gateway and VPN Routers serving Teleworker, Partner, Branch and Road Warrior users, with Web Servers and Email Servers; a Wireless Security Switch, Mesh WLAN Access Point and WLAN for wireless users and Guests; the Intranet with a Secure Multimedia Zone (Multimedia Communication Server, Communication Server 1000 Voice), the Data Center's File / Application Servers on Ethernet Routing Switches and LAN VLANs; and a Security Operations Center with Defense Center, Configuration Manager, Enterprise Policy Manager, Security Event Manager and Remediation]