Building The Secure Resilient Data Center 2D Feb 2007
Brad Black
Dan DeBacker
Enterprise Solutions Engineering
Enterprise CTO Office
February 2007
Abstract
Industry Trends*
Consolidation / Centralization:
• Drivers: Cost, Complexity, Regulatory Compliance, Security
• Challenges:
• Enhance capacity of: Networking, Redundancy, Computing, Storage and Management
• Deliver applications to remote users without compromising experience
Growth:
• Servers: 11% per year
• Storage: 22% per year
• Challenges: Space, Power, Cooling, Flexibility
Availability:
• Drivers: The Data Center *is* the Business… 24x7x365
• Challenges: Natural Disasters & Need for Multi-Site Redundancy
Operational Efficiency:
• Drivers: Reduce Cost, Compliance (COBIT, ITIL), Time to Service
• Challenges: See Above!
*Nemertes, April 2006
Resource Usage & Virtualization
Result: Under-Utilization & Over-Provisioning

[Figure: per-server utilization samples between 5% and 28% for three server groups, with group averages of roughly 11%, 16% and 7% (13% for the HA / DR group); the APPS/OS stacks of those under-utilized servers are then shown consolidated onto shared hardware as VM 1 through VM 6.]
Data Center Architecture
Resilient View

[Diagram: IP WAN into a Terabit Cluster core (SMLT/RSMLT); SMLT down to Distribution Layer switch clusters (Stackable Ethernet Switch Cluster, Modular Ethernet Routing Switch) with Security / Application Services attached; Trunk/SMLT to the Server Access layer and Server Groups; a Fiber Channel Storage Area Network with a Switch BCS.]

1 Core Switching
• Terabit Cluster
• High Availability
• OSPF/RIP/BGP/RSMLT
• QoS / Policing / Shaping

2 Distribution Layer
• 1GbE / 10GbE Uplinks
• SMLT for resiliency
• Scalable Switch Clusters
• Layer 2 / Layer 3

3 Security / Application Services
• Threat Protection
• Switched Firewall / NAT
• Intelligent Traffic Mgmt
• Application Acceleration
• SSL Offload
• Server Load Balancing

4 Server Access
• Rack Switch
• Row Chassis Switch
• 1GbE / 10GbE Uplinks
• SMLT/NIC Team/802.3ad

5 Server Groups
• Secure Multimedia Zone
• App / DB / Web Services
• Core Services
• DNS / DHCP / LDAP

6 SAN
• Storage Extension
• Disaster Recovery
• Multi-service
• Data Center Virtualization
Data Center Architecture
Security & Application Services View

[Diagram: the same topology as the Resilient View (IP WAN, Terabit Cluster core with SMLT/RSMLT, Distribution Layer switch clusters, Security / Application Services, Trunk/SMLT to Server Access and Server Groups, Fiber Channel Storage Area Network), annotated with the security services applied at each layer.]

1 Core Switching
• Routing Protocol Security
• Anti-Spoofing Filters
• Screening ACLs

2 Distribution Layer
• Traffic Shaping / Policing
• Trunking to Security Svcs
• VLAN Isolation

3 Security / Application Services
• Threat Protection
• Switched Firewall / NAT
• Intelligent Traffic Mgmt
• Application Acceleration
• SSL Offload
• Server Load Balancing

4 Server Access
• VLAN Isolation
• ARP Spoofing Protection
• Distributed IDS Sensors

5 Server Groups
• Host IDS
• Patch Management
• Vulnerability Assessment
• Host/Service Profiling

6 SAN
• Storage Extension
• Disaster Recovery
• Multi-service
• Data Center Virtualization
Nortel Switch Clustering
• Switch Clustering
• N-1 Resiliency Model
• Split Multilink Trunking (SMLT)
• Interoperable with ANY 3rd party edge
“… to Nortel’s credit … clustering their boxes was also a painless process.” (Network World)
Server Load Balancing
• Used when a single physical application/web/database server cannot support adequate Simultaneous Users, Throughput, Transaction Rate or Resiliency
• Uses Metrics to Intelligently Distribute Load (Response Time, Number of Connections, Bandwidth, Dynamic Metrics) while maintaining “persistence” to ensure that user sessions use the same physical server
• Health checks continually monitor server & end-to-end application
• Multiple Services/Applications on a single Application Switch

[Diagram: Users connect to Virtual Server Addresses app1.example.com and app2.example.com on a pair of redundant Active/Active Application Switches, which distribute Server Connections across the server farm.]
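The selection, persistence and health-check behaviour described above, as an added Python example (not Nortel Application Switch code): a virtual server picks a real server by metric (least connections, response time as tie-breaker), pins returning clients to their server, and pulls a server only after consecutive failed end-to-end probes, re-balancing the clients that were pinned to it. Server names, response times and the failing probe are constructed.

```python
# Toy server load balancer: health checks, metric-based selection, persistence.
# Added example; not Nortel Application Switch code. Server names, response
# times and the failing health probe below are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class RealServer:
    name: str                    # constructed name, e.g. "web1"
    response_ms: float           # last measured application response time
    active_conns: int = 0        # connections currently assigned
    healthy: bool = True         # outcome of the latest health checks
    failures: int = 0            # consecutive failed probes


@dataclass
class VirtualServer:
    """A VIP such as app1.example.com fronting a pool of real servers."""
    vip: str
    pool: List[RealServer]
    max_failures: int = 3        # probes failed before a server is pulled
    metric: str = "least_conns"  # or "response_time"
    persistence: Dict[str, str] = field(default_factory=dict)  # client -> server

    def by_name(self, name: str) -> Optional[RealServer]:
        return next((s for s in self.pool if s.name == name), None)

    def healthy_servers(self) -> List[RealServer]:
        return [s for s in self.pool if s.healthy]

    def health_check(self, probe: Callable[[RealServer], bool]) -> None:
        """Probe every real server end to end. A server is pulled only after
        max_failures consecutive failures, and restored on the first success."""
        for srv in self.pool:
            if probe(srv):
                srv.failures, srv.healthy = 0, True
            else:
                srv.failures += 1
                if srv.failures >= self.max_failures:
                    srv.healthy = False
        # Forget persistence to dead servers so those clients are re-balanced
        # rather than pinned to a server that no longer answers.
        self.persistence = {
            c: s for c, s in self.persistence.items()
            if (srv := self.by_name(s)) is not None and srv.healthy
        }

    def select(self, client_ip: str) -> Optional[RealServer]:
        """Choose the real server for a new connection from client_ip."""
        # 1. Persistence: a returning client stays on its server while it is up.
        pinned = self.by_name(self.persistence.get(client_ip, ""))
        if pinned is not None and pinned.healthy:
            pinned.active_conns += 1
            return pinned
        # 2. Otherwise pick by metric among healthy servers only.
        healthy = self.healthy_servers()
        if not healthy:
            return None              # whole pool down: fail closed, do not guess
        if self.metric == "response_time":
            srv = min(healthy, key=lambda s: (s.response_ms, s.active_conns))
        else:
            srv = min(healthy, key=lambda s: (s.active_conns, s.response_ms))
        srv.active_conns += 1
        self.persistence[client_ip] = srv.name
        return srv

    def release(self, srv: RealServer) -> None:
        srv.active_conns = max(0, srv.active_conns - 1)


def web1_hung(srv: RealServer) -> bool:
    """Constructed probe: the application on web1 stops answering."""
    return srv.name != "web1"


def demo() -> dict:
    """Constructed scenario: three servers, web1 fails mid-run."""
    pool = [RealServer("web1", response_ms=15), RealServer("web2", response_ms=35),
            RealServer("web3", response_ms=20)]
    vs = VirtualServer("app1.example.com", pool)
    first = vs.select("10.0.0.5").name          # least loaded, then fastest
    second = vs.select("10.0.0.5").name         # persistence keeps the client there
    for _ in range(vs.max_failures):            # web1 fails three probes in a row
        vs.health_check(web1_hung)
    after = vs.select("10.0.0.5").name          # client re-balanced to a live server
    return {"first": first, "second": second, "after": after,
            "web1_healthy": vs.by_name("web1").healthy,
            "healthy_count": len(vs.healthy_servers())}
```

The probe is deliberately application-level rather than a TCP connect: a hung application still accepts connections, which is why the slide stresses end-to-end checks. Requiring consecutive failures avoids flapping a server out of the pool on one slow response.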
Application Acceleration
• Improves end-user quality of experience (fingertips to eyeballs response) by improving web-based application performance 5-20x.
• Allows centralization of applications in the data center or regional branch to reduce TCO.
• Reduces the load and optimizes the performance of the application servers to improve application server efficiency and minimize application server investment.
• Reduces bandwidth requirements for network links.
• Deployed asymmetrically (in the data center only, with no branch office component) so the solution is very manageable and cost effective.
• Deployed near the application servers so that a single deployment can serve many end-points including branch office users, road warriors, remote users and customers.

[Diagram: End-User across the Network to an Application Switch (Intelligent Traffic Management, Inbound Acceleration, Outbound Acceleration), then an Application Accelerator in front of the Web / Application / Database Farm. Accelerator functions shown: SSL Acceleration, HTTP Compression, Browser Cache Offload, Delta Encoding, Connection Pooling, HTTP Redirection, Server Load Balancing, Denial of Service Protection.]
Storage Extension/Virtualization
[Diagram: Primary Data Center with Storage Arrays, Tape Drives and Backup Servers on an FC Switch, extended over 0 to >1000 km to a second site.]

SAN Requirements
• Data Center to Data Center connectivity for Fiber Channel & Gigabit Ethernet
• Multiple storage networks add cost through point-solution conversion appliances and WAN technologies
• Storage replication, migration and backup require low latency, high performance WAN links regardless of protocol
• Storage application bandwidth requirements vary depending on the time of day
Storage Virtualization
• Critical component to overall Data Center Virtualization
• Must virtualize storage without requirement for complex management of local storage resources
• Eliminate WAN latency and bandwidth constraints
• Automate failover decisions
Data Center Components
Multi-Tier Architecture
Ethernet Infrastructure
Internet Edge / Core Switching Layer
• Terabit Switch Cluster Core Switching
• 10/100/1000/10GbE
• SMLT for resiliency
• Layer 3 Connectivity
• High Availability
• Campus and Internet Connectivity

Server Access Layer
[Diagram: the Server Access Layer sits below the core.]
Two Tier Architecture
Ethernet Infrastructure
Internet Edge / Core Switching Layer
• Terabit Switch Cluster Core Switching
• 10/100/1000/10GbE
• SMLT for resiliency
• Layer 3 Connectivity
• High Availability
• Campus and Internet Connectivity

Resilient Distribution / Server Access Layer
• Terabit / Switch Cluster
• 10/100/1000/10GbE
• SMLT for resiliency
• Collapse Distribution / Server Access Layers
• Layer 2 VLAN Isolation
• Resilient Layer 3 Routing
• Security Services
• Dual-homed Server Connectivity
• TPS for Intrusion Detection

Security / Application Services
• Switched Firewall
• Threat Protection System
• Server Load Balancing
• Intelligent Traffic Mgmt
• SSL Acceleration
• Application Acceleration
Internet Edge / Core Switching
Ethernet Infrastructure
[Diagram: Resilient Distribution Layer (Security Services, Server Access, Server Zones) connected to the Ethernet Routing Switch Terabit Cluster at the core.]

Core Distribution Layer
• Redundant physical paths
• Switch Clustering (SMLT)
• Square or Full Mesh
• Layer 3 (RIP, OSPF, Static)
• RSMLT (Layer 3 Resiliency)

Scalability
• 1GbE or 10GbE uplinks into Resilient Distribution Layer (non-blocking wire speed)
• Replicate Clusters in Distribution Layer to accommodate scaling number of connections
• Allows for virtualization of security services across Server Access Layer

Resiliency
• SMLT Terabit Cluster Distribution Layer into Terabit Switching Core
• Sub 100ms failover upon link failure
• Single Cluster can scale to support 20 Distribution Clusters – 10GbE non-blocking
Resilient Distribution Layer
Ethernet Infrastructure
[Diagram: Distribution Layer Ethernet Routing Switch cluster with attached VPN Gateway, TPS Sensor, Application Accelerator, Application Switch with Intelligent Traffic Management and Switched Firewall Cluster; 1 GbE or 10GbE Layer 2 links down to the Server Access Layer.]

Distribution Layer
• Flexibility per Cluster
• 10/100/1000
• 1GbE Fiber
• 10GbE Fiber

Server Access
• Redundant physical paths
• Switch Clustering (SMLT)
• Layer 2

Scalability
• Replicate ERS Clusters to accommodate scaling number of connections
• Cluster Security and Application Services for scalability / resiliency / Active-Active configurations
• Allows for virtualization of security services across Server Access Layer

Resiliency
• SMLT Terabit Cluster Distribution Layer into Terabit Switching Core and Server Access Layer
• Dual connect all Security Services
• Sub 100ms failover upon link failure
Resilient Distribution Layer
Security & Application Services
Security Services tied to the Distribution Layer provide flexible, multi-Gigabit, zone-based security: “Zone”-specific policies and security processing are applied per server zone.

[Diagram: Distribution Layer Ethernet Routing Switch with VPN Gateway, TPS Sensor, Application Accelerator, Application Switch with Intelligent Traffic Management and Switched Firewall Cluster.]

Nortel Switched Firewall
• Separate Clean/Dirty Trunks (4-8GbE) using 802.1Q Tagging
• Accelerated CheckPoint Firewall and NAT
• Scales to 200+ VLANs/Interfaces for multiple server subnets / zones

VPN Gateway
• Enable Secure Remote Management via VPN Capability
• SSL and/or IPSec
• Seamlessly Cluster with or without Application Switch

Threat Protection System
• Real-Time Threat Intelligence Sensors profile Data Center Assets: Host OS Type, Vendor, Version, Services, Server Process Versions
• Map to Host Vulnerability Database and correlate to IDS/IPS events
• Intrusion Sensor Placement: Distributed Model at Server Access Layer, or Centralized Model at Distribution Layer

Nortel Application Switch / ITM
• Advanced, High-Performance DoS Protection & Traffic Management
• Symantec First Attack Protection (Scalable, High-Confidence IPS)
• Application / Server / Appliance Load Balancing (local & global)

Application Accelerator
• Accelerates web-based application performance (5-20x)
• High Performance SSL Solution – 1Gbps / 4000TPS
• Simplify SSL Certificate Management and Reduce Cost
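The profile-to-vulnerability correlation the Threat Protection System bullets describe, as an added Python example that is not TPS code: passive asset profiles (OS plus product and version per port), a vulnerability table keyed by product and affected version range, and a few IDS event lines. All of this data is constructed, and the VULN-A/B/C identifiers are placeholders rather than real advisories. The point is the grading: the same signature fired at a host that runs an unaffected version, or no service on that port at all, is pushed down the queue.

```python
# Correlating IDS events with passively profiled assets and a vulnerability table.
# Added example, not Nortel TPS code. Asset profiles, vulnerability records
# (VULN-A/B/C are placeholder ids, not real advisories) and the IDS event
# lines are all constructed.
import re
from typing import Dict, List, Tuple

# What a sensor could learn by watching traffic: OS plus (product, version) per port.
ASSETS: Dict[str, dict] = {
    "10.1.2.10": {"os": "Windows Server 2003",
                  "services": {80: ("IIS", "6.0"), 443: ("IIS", "6.0")}},
    "10.1.2.11": {"os": "Linux",
                  "services": {80: ("Apache", "2.0.52"), 22: ("OpenSSH", "3.9")}},
    "10.1.3.20": {"os": "Linux",
                  "services": {5432: ("PostgreSQL", "8.1")}},
}

# Vulnerability table: which product/version range a given IDS signature really exploits.
VULN_DB: List[dict] = [
    {"id": "VULN-A", "product": "Apache", "affected": ("2.0.0", "2.0.54"),
     "signature": "HTTP-MODULE-OVERFLOW"},
    {"id": "VULN-B", "product": "IIS", "affected": ("5.0", "5.1"),
     "signature": "HTTP-MODULE-OVERFLOW"},
    {"id": "VULN-C", "product": "OpenSSH", "affected": ("3.0", "3.9"),
     "signature": "SSH-AUTH-BYPASS"},
]

# Constructed sensor event format: key=value pairs after a timestamp.
EVENT_RE = re.compile(r"sensor=(\S+) sig=(\S+) src=(\S+) dst=(\S+) dport=(\d+)")


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def in_affected_range(version: str, affected: Tuple[str, str]) -> bool:
    lo, hi = affected
    return version_tuple(lo) <= version_tuple(version) <= version_tuple(hi)


def correlate(event_line: str) -> dict:
    """Grade one IDS event by what the sensors know about the target."""
    m = EVENT_RE.search(event_line)
    if m is None:
        raise ValueError(f"unparseable event: {event_line!r}")
    sensor, sig, src, dst, dport = m.groups()
    dport = int(dport)
    out = {"sensor": sensor, "sig": sig, "src": src, "dst": dst,
           "dport": dport, "vuln": None}
    host = ASSETS.get(dst)
    if host is None:
        out.update(priority="LOW", reason="target is not a profiled asset")
        return out
    service = host["services"].get(dport)
    if service is None:
        out.update(priority="LOW", reason="no service on that port (scan or noise)")
        return out
    product, version = service
    for v in VULN_DB:
        if (v["signature"] == sig and v["product"] == product
                and in_affected_range(version, v["affected"])):
            out.update(priority="HIGH", vuln=v["id"],
                       reason=f"{product} {version} is in the affected range")
            return out
    out.update(priority="MEDIUM",
               reason=f"{product} {version} exposed but not known vulnerable to {sig}")
    return out


# Constructed IDS events, one per outcome.
EVENTS = [
    "2007-02-12T10:00:01 sensor=dist-1 sig=HTTP-MODULE-OVERFLOW src=192.0.2.7 dst=10.1.2.11 dport=80",
    "2007-02-12T10:00:02 sensor=dist-1 sig=HTTP-MODULE-OVERFLOW src=192.0.2.7 dst=10.1.2.10 dport=80",
    "2007-02-12T10:00:03 sensor=acc-3 sig=SSH-AUTH-BYPASS src=192.0.2.9 dst=10.1.2.10 dport=22",
    "2007-02-12T10:00:04 sensor=acc-3 sig=SSH-AUTH-BYPASS src=192.0.2.9 dst=10.1.9.99 dport=22",
]


def triage(lines: List[str] = EVENTS) -> List[dict]:
    """Correlate a batch and return it highest priority first (stable sort)."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted((correlate(line) for line in lines),
                  key=lambda e: order[e["priority"]])
```

A LOW grade here is not a dismissal: an exploit attempt against a port with no listener is still reconnaissance worth counting per source, but it does not need a pager. The version comparison is deliberately simple (dotted integers only); real product version strings need a proper parser.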
Resilient Distribution Layer
Security & Application Services – Logical View
Distribution Layer Bandwidth
• ERS 8600 Terabit Cluster: 1.2Tb Switching Capacity
• ERS 8300 Switch Cluster: 640Gb Switching Capacity
• ERS 5500: 160Gb Switch Fabric w/ 640Gb Stack Capacity
(GbE/10GbE uplinks; 10/100/1000/10GbE server-facing ports)
Resilient Server Access Layer
Security Services
[Diagram: Ethernet Routing Switch cluster with SMLT/NIC Team to the Access Layer Switch Cluster; TPS Sensor; servers attached at 10/100/1000/10GbE; 2GbE to 80GbE uplinks; 640 Gbps resilient switching capacity; Fault-Tolerant or Load-Sharing NIC-Teaming into the stack.]

Server Zones
Provide the ability to segregate servers into logical groupings based on security access requirements, functionality, or bandwidth requirements.
• Secure Multimedia
• Network Services (RADIUS, DNS, DHCP, NTP, etc.)
• Mission Critical Applications (ERP, HR, etc.)
• Normal Enterprise Applications

Horizontal Stacking
• Low latency between servers (9µs)
• Flexibility to spread across multiple data cabinets (100s of servers)
• Highly resilient stacking technology with scalable uplinks
• Ideal for Grid Computing and High-Performance Computing Solutions: Very High Node-to-Node Communications Bandwidth
Security & Applications Services
Physical Traffic Separation / Logical Flow

[Diagram: IP WAN into the Application Switch, then through a Firewall into the Web Tier VLAN, with further application tier VLANs each separated by a Firewall; VLAN traffic mirrors from the switches feed the sensors.]

• Separate Security / Application Layer Services
• SSL Offload
• Firewalls between different tiers of Application VLANs
• Map VLANs from Server Access Layer
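Two of the filter points in this architecture, the Anti-Spoofing Filters and Screening ACLs at the core (Security & Application Services View) and the firewalls between tiers of application VLANs shown here, modelled together as an added Python example. This is not Nortel switch or Check Point configuration; the prefixes, zone names, ports and sample flows are constructed. A flow is evaluated in the order traffic actually meets the controls, and the first stage to object wins.

```python
# Two filter points from the architecture modelled as a pipeline: the core
# anti-spoofing / screening ACL at the IP WAN edge, then the zone firewall
# between server tiers. Added example, not Nortel switch or Check Point
# configuration. Prefixes, zones, ports and the sample flows are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Net = ipaddress.IPv4Network

# Constructed addressing plan: these prefixes exist only inside the data center.
INTERNAL = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]
# Sources that can never legitimately arrive from the WAN.
BOGON = [Net("0.0.0.0/8"), Net("127.0.0.0/8"), Net("169.254.0.0/16"),
         Net("224.0.0.0/4"), Net("240.0.0.0/4")]
# Management / file-sharing ports screened at the edge regardless of destination.
SCREENED_PORTS: Set[int] = {23, 135, 137, 138, 139, 445, 161}

ZONES: Dict[str, Net] = {
    "web": Net("10.1.1.0/24"),
    "app": Net("10.1.2.0/24"),
    "db": Net("10.1.3.0/24"),
    "svc": Net("10.1.10.0/24"),   # DNS / LDAP core services
}

# Permitted inter-zone flows as (src_zone, dst_zone) -> destination ports.
# Anything absent is denied: tiers talk only to their neighbours.
ZONE_POLICY: Dict[Tuple[str, str], Set[int]] = {
    ("wan", "web"): {80, 443},
    ("web", "app"): {8080},
    ("app", "db"): {1433},
    ("web", "svc"): {53},
    ("app", "svc"): {53, 389},
    ("db", "svc"): {53},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    ingress: str = "wan"          # "wan" = arrives from IP WAN, "dc" = from a server port


def in_any(ip: str, nets: List[Net]) -> bool:
    addr = ipaddress.IPv4Address(ip)
    return any(addr in n for n in nets)


def core_ingress_acl(f: Flow) -> Optional[str]:
    """Anti-spoofing and screening at the core. Returns a drop reason or None."""
    if f.ingress == "wan":
        if in_any(f.src, INTERNAL):
            return "internal source address arriving from WAN (spoofed)"
        if in_any(f.src, BOGON):
            return "bogon source address"
        if not in_any(f.dst, INTERNAL):
            return "not destined to the data center (no transit)"
        if f.dport in SCREENED_PORTS:
            return f"screened port {f.dport}"
    elif not in_any(f.src, INTERNAL):
        return "data-center port sourcing a non-internal address (egress spoof)"
    return None


def zone_of(ip: str) -> str:
    for name, net in ZONES.items():
        if ipaddress.IPv4Address(ip) in net:
            return name
    return "unzoned" if in_any(ip, INTERNAL) else "wan"


def tier_firewall(f: Flow) -> Optional[str]:
    """Zone-based policy between tiers; default deny."""
    src_z, dst_z = zone_of(f.src), zone_of(f.dst)
    if src_z == dst_z:
        return None               # intra-zone traffic never crosses this firewall
    if f.dport in ZONE_POLICY.get((src_z, dst_z), set()):
        return None
    return f"no rule for {src_z}->{dst_z}:{f.dport}"


def evaluate(f: Flow) -> Tuple[str, str]:
    """Run a flow through the layers in the order traffic meets them."""
    for stage, check in (("core-acl", core_ingress_acl), ("tier-fw", tier_firewall)):
        reason = check(f)
        if reason is not None:
            return "DROP", f"{stage}: {reason}"
    return "PERMIT", f"{zone_of(f.src)}->{zone_of(f.dst)}:{f.dport}"


# Constructed sample flows, one per control that should fire.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "10.1.1.10", 443),               # Internet client to web tier
    Flow("10.1.1.10", "10.1.2.20", 8080, ingress="dc"),   # web -> app
    Flow("10.1.1.10", "10.1.3.30", 1433, ingress="dc"),   # web straight to db, tier skipped
    Flow("10.1.2.20", "10.1.1.10", 80, ingress="wan"),    # internal source from the WAN
    Flow("198.51.100.7", "10.1.1.10", 23),                # telnet from the Internet
    Flow("10.1.2.20", "10.1.10.5", 389, ingress="dc"),    # app -> LDAP
]


def run(flows: List[Flow] = SAMPLE_FLOWS) -> List[Tuple[str, str]]:
    return [evaluate(f) for f in flows]
```

The web-to-database flow is the case the tier firewalls exist for: a compromised web server must not be able to reach the database except through the application tier. The anti-spoofing rule is what keeps an outside host from borrowing an "app" address to satisfy that policy.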
Best Practices
• Create an Architecture that will be
• Secure
• Resilient
• Scalable
• Positioned for Service Virtualization
• Security in the Architecture:
• Layered Defense
• Building Block Approach
• Control Access into and out of the Data Center
• Service Availability in the Architecture:
• Nortel Switch Clustering providing resilient Ethernet infrastructure
• Security and Application Clustering providing resilient security services
• Intelligent Load-Balancing providing resiliency and better resource utilization
• Dual home all Server Connections providing resiliency and increased bandwidth
• Scalability in the Architecture:
• Utilize a two tier or three tier architecture where appropriate
• Plan for future service expansion, whether physical devices or virtualized
• Create the long term plan and build to it; avoid re-designing on the fly
• Virtualization in the Architecture:
• Determine level of virtualization versus physical traffic separation to be deployed
• Use VLANs to virtualize traffic separation where appropriate
• More virtualization will provide increased operational flexibility without compromising security
• Resource optimization increases with virtualization
Customer Case Studies
Communications Service Provider
Server Farm Challenges
Communications Service Provider
Resilient Terabit Server Farm Architecture
[Diagram: Intranet/Internet into a 10 GbE SMLT Cluster; Terabit Service Cluster with 4-8 port GbE MLT and 4-8 port 10GbE NML links; Blade Center Servers dual-attached via SMLT; NAS 3408 and NVG 3050 appliances.]
Communications Service Provider
Meeting Server Farm Challenges
• Consolidation of Server Footprint
• Introduction of Blade Servers (note App. Switch integration)
• Consolidation of certificates
• High Performance
• State of the art server platforms
• Gig Multi-Link fanout
• Server load balancing
• SSL off load
• Scalability
• 128+ Blade Server Chassis to support Service PoP application requirements
• ERS8600: High Density L2/L3 switch (384GbE ports – 720Gbps per switch)
• 10Gig Split-MLT Cluster for active-active connections to Blade Servers with sub-second failover
• SSL Offload
• Highly Resilient/Non-Stop Access to Mission Critical Applications
• Sub second failover on Terabit core
• Active-active connections to Blade Servers with sub-second failover
• Application Switch health checks
• DoS, Symantec, Rate Limiting
• Simplification
• Use of Split Multi-Link Trunking to eliminate STP
• Traffic Reporting/Bandwidth Management
• Consolidated Network Management
Diversified Financial Services Company
DMZ / Data Center Challenges
Diversified Financial Services Company
Resilient Terabit Server Farm Architecture
[Diagram: Intranet/Internet into Nortel Application Switch 2424 with MLT and NML links to groups of Servers; CheckPoint and EMC elements; JDM / ASEM management.]
Communications Service Provider
DMZ Challenges
• Simplification
• Complexity is costly and reduces ability to respond to business requirements
• Performance
• New applications and new types of applications require higher performance solutions
• Enhanced Security
• Recent technologies allow for a layered security solution that addresses all aspects of
security internal and external, wired and wireless, from perimeter to end-point
• Multimedia
• Ability to effectively handle growing multimedia traffic requirements is essential to the
ongoing effectiveness of the DMZ architecture in meeting the enterprise business
requirements
• Survivability/Reliability
• Simplification of the design significantly enhances the ability to maintain a non-stop high
performance solution with full disaster recovery through back-up site
• Application aware
• Ability to manage, report and act at the application layer is key to delivering performance,
persistence and security
• Migration/cutover
• The DMZ is mission critical and the cutover had to be well planned, vetted with a capable
partner and flawlessly executed
Communications Service Provider
DMZ Re-Architecture
DMZ Re-Architecture Release solved the challenges of Internet performance, simplification and the hitless migration from the old DMZ architecture. It also formed the basis for future Releases.

[Diagram: a pair of Nortel Application Switches in front of the DMZ, with callouts 1 to 3.]
• Active/Standby
• Load Balancing of Servers and VPN Routers
• Health Checks
Resilient Server Access Layer
Microsoft Network Load Balancing
• Microsoft Clustering Technology
• Part of Windows 2000 / Windows 2003 Server
• Uses distributed algorithm to load balance traffic across multiple hosts
• Provides high availability
• Detects host failures
• Automatically redistributes traffic to remaining operational hosts
• Can utilize single or multiple NICs in Servers
• Modes of Operation
• Unicast Mode
• Virtual IP address for Cluster
• Single cluster MAC
• Multicast Mode
• Virtual IP address for Cluster
• Single Cluster Multicast MAC

[Diagram: Application A (x.x.x.10), Application B (x.x.x.20) and Application C (x.x.x.30) on a shared Ethernet LAN.]

For detailed information on NLB, please refer to the Nortel document “Technical Configuration Guide for Microsoft Network Load Balancing”.
Resilient Server Access Layer
Microsoft Network Load Balancing
• Nortel Ethernet Switch NLB Support

Ethernet Switch   Unicast Mode, Layer 2   Unicast Mode, Layer 3   Multicast Mode, Layer 2   Multicast Mode, Layer 3
ERS 5500          Yes                     No (Note 2)             Yes (Note 1)              No (Note 3)

Note 1 – By default Windows 2003 Servers implement IGMPv3, which is not presently supported on Nortel switches. If multicast flood suppression is desired, the Windows 2003 servers’ registry can be modified to use IGMPv1 or IGMPv2.
Note 2 – The Ethernet Routing Switch models 5500 and 8300 can provide unicast support in certain routing scenarios as long as the Network Load Balancing cluster of servers is connected to a subtended Layer 2 switch.
Note 3 – The Ethernet Routing Switch 5500 can provide multicast support in certain routing scenarios as long as the Network Load Balancing cluster of servers is connected to a subtended Layer 2 switch. The ERS 5500 supports the ability to create a static ARP entry where a Multicast MAC address is mapped to a Unicast IP address.
Note 4 – The Ethernet Routing Switch 8600 does not provide support for multicast mode with IGMP flood suppression when the Network Load Balancing cluster of servers and clients are directly connected to the switch and the switch is performing IP routing.
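The two NLB modes and the static-ARP workaround in Note 3, as an added Python example that is not Microsoft or Nortel code. The MAC layouts follow Microsoft's documented NLB conventions (unicast 02-BF-<VIP>, multicast 03-BF-<VIP>, IGMP multicast 01-00-5E-7F-<last two VIP octets>, and the 02-<priority>-<VIP> masked source MAC in unicast mode). The hash and the 60-bucket count used to model each host's independent accept decision are assumptions, since NLB's real algorithm is not published; host priorities and client addresses are constructed.

```python
# Microsoft NLB: cluster MAC derivation per mode, and a model of the
# distributed accept decision that lets every host see every frame while
# exactly one handles it. Added example; not Microsoft or Nortel code.
# MAC layouts follow Microsoft's documented NLB conventions; the hash and the
# bucket count below are assumptions, as NLB's real algorithm is not public.
import hashlib
from typing import List


def _octets(vip: str) -> List[int]:
    parts = [int(p) for p in vip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address {vip!r}")
    return parts


def _fmt(octets: List[int]) -> str:
    return "-".join(f"{b:02X}" for b in octets)


def cluster_mac(vip: str, mode: str) -> str:
    """MAC every NLB host answers to for the cluster VIP in the given mode."""
    w, x, y, z = _octets(vip)
    if mode == "unicast":        # 02-BF-<VIP>: replaces each NIC's own MAC
        return _fmt([0x02, 0xBF, w, x, y, z])
    if mode == "multicast":      # 03-BF-<VIP>: a group MAC bound to a unicast IP
        return _fmt([0x03, 0xBF, w, x, y, z])
    if mode == "igmp":           # 01-00-5E-7F-<y>-<z>: IP multicast MAC, IGMP-joined
        return _fmt([0x01, 0x00, 0x5E, 0x7F, y, z])
    raise ValueError(f"unknown NLB mode {mode!r}")


def is_group_mac(mac: str) -> bool:
    """I/G bit (low bit of the first octet). A router following RFC 1812 will
    not install an ARP entry that binds a unicast IP to such a MAC, which is
    why the ERS 5500 note above needs a static ARP entry for multicast mode."""
    return int(mac.split("-")[0], 16) & 0x01 == 1


def masked_source_mac(vip: str, host_priority: int) -> str:
    """Unicast mode: each host sends with 02-<priority>-<VIP> so the switch never
    learns the shared cluster MAC on one port and keeps flooding to all hosts."""
    if not 1 <= host_priority <= 32:
        raise ValueError("NLB host priority is 1..32")
    return _fmt([0x02, host_priority] + _octets(vip))


class NlbHost:
    """One cluster member. Every host computes the same bucket->owner map from
    the shared membership view, so their independent decisions agree."""
    BUCKETS = 60  # assumption for the model, not the real NLB parameter

    def __init__(self, priority: int) -> None:
        self.priority = priority
        self.alive = True

    @staticmethod
    def bucket(client_ip: str) -> int:
        digest = hashlib.sha256(client_ip.encode()).digest()
        return int.from_bytes(digest[:4], "big") % NlbHost.BUCKETS

    def accepts(self, client_ip: str, live_priorities: List[int]) -> bool:
        """Decide locally whether this host owns the client's bucket."""
        if not self.alive or not live_priorities:
            return False
        owner = sorted(live_priorities)[self.bucket(client_ip) % len(live_priorities)]
        return owner == self.priority


class NlbCluster:
    def __init__(self, hosts: List[NlbHost]) -> None:
        self.hosts = hosts

    def live_priorities(self) -> List[int]:
        """Membership view after convergence (heartbeats have removed dead hosts)."""
        return [h.priority for h in self.hosts if h.alive]

    def accepting_hosts(self, client_ip: str) -> List[int]:
        """The frame reaches every host (flooded or multicast); collect who takes it."""
        live = self.live_priorities()
        return [h.priority for h in self.hosts if h.accepts(client_ip, live)]
```

The model makes the switch-support table above concrete: NLB only works if the switch delivers each client frame to every live host, which is why unicast mode relies on the switch never learning the cluster MAC, and why multicast mode on a routing switch needs either IGMP handling or a static ARP entry binding the VIP to a group MAC.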
Layered Defense Network
[Diagram: Core Network Security, Perimeter Security, Secure Communications and Endpoint Security layers; VPN Routers link Teleworker, Partner and Branch sites over the Internet and WAN; Road Warrior, Wireless Mesh and WLAN Access Point endpoints.]