Data Center Design Guide 4 2

Presentation name - 1

Internet Data Center Solution Design

Alteon IDC Solution Design

IDC Network Infrastructure Design

IDC Network WAN Backbone Design

IDC Network Firewall & CDN Design

IDC Network LAN Backbone Design

IDC Network User Access Network Design

IDC Network User Network Design

IDC Network Management System DesignA Sample IDC Network Design


IDC Network Design – Security & CDN

Security Layer

Internet ( International/ Local)

Internet Backbone Connection

Firewall & Security (VPN)

HostingCustomer

Internet Data Center Backbone Switch

Hosting Access Switch / BMW

HostingCustomer


HostingCustomer

HostingCustomer


HostingCustomer

HostingCustomer

NetworkManagement

System

• Protect IDC Internal Network with scalable Firewall

• Secure e-Business transaction with SSL

• Support Intelligent Content Distribution with Cache system

ACE 180E

ACE 180E

ACE 180E

ACE 180E

Firewall

SSL Service

SSL Service

SSL Service

SSL Service

Cache Server

Cache Server

Cache Server

Cache Server

Firewall


Web Cache RedirectionOrigin Servers

Internet

Access

Cache Server

Filt 100/sip any/dip any/proto tcp/sport any/dport 80/act redir/rport 80/group 1


Active-Standby WCR Design

Active VIP #1VIP = 205.178.13.226

Standby VIP #2VIP = 205.178.13.240

Active VIP #3VIP = 205.178.13.110

Standby VIP #1VIP = 205.178.13.226

Active VIP #2VIP = 205.178.13.240

Standby VIP #3VIP = 205.178.13.110

…….

Active Standby

Active – used for Web traffic

Standby – used for another service

Internet Backbone

Cache Cache


Hot Standby WCR Design

Internet Backbone

…….

Active VIP #1VIP = 205.178.13.226

Active VIP #2VIP = 205.178.13.240

Active VIP #3VIP = 205.178.13.110

Standby VIP #1VIP = 205.178.13.226

Standby VIP #2VIP = 205.178.13.240

Standby VIP #3VIP = 205.178.13.110

ActiveHot

Standby

L2 Switch

CacheCache


Firewall Load Balancing • Works with any firewall

– Both bridging and routing firewalls– Firewall software on UNIX, NT, ... – Users select best-of-class firewalls

without trading off performance

• Transparent solution– No additional software required on

firewalls– Avoids software compatibility issues– Preserve flow states while load balancing

• Scalable

– Up to hundreds of firewalls can share load

• Low cost– No need for huge, expensive firewalls– Same switches can load balance other

servers

Firewall Farm

VPN Server Farm

Internet Backbone


Tow Switch FLB Design

• Web switch redirects “any” traffic to a defined “server group”

–Real servers are the IP interfaces on opposing switch

–No SAT on redirection; only MAC address substitution

• Use “Hash” load balancing metric

• Use firewall IP addresses as gateways to health check entire paths from dirty-side to clean-side

• Static routes on Web switch force traffic through same firewall

Clean

Dirty

I/F A1

I/F A2

I/F B1

I/F B2

FW1

FW2

Redir any (src, dest, proto) to I/F group on opposing switch (B1, B2)

Static routes: I/F B1 ----> FW1 I/F B2 ----> FW2

Redir any (src, dest, proto) to IF group on opposing switch (A1, A2)

Static routes: I/F A1 ----> FW1 I/F A2 ----> FW2


Four Switch Fully Redundant FLB

CLEAN

I/F A11

I/F A21

I/F A12

I/F A22

A1

A2 B2

FW1

FW2

B1

» Interfaces on secondary opposing switch are backups for interfaces on primary opposing switch

» Real servers consist of all primary and secondary IP interfaces on opposing switch

» Static routes on switch for primary/secondary interface pair to route through same firewall

I/F B11

I/F B21

I/F B12

I/F B22

Real servers = B11, B21, B12, B22Static routes: I/F B11 ----> FW1

I/F B21 ----> FW1 I/F B12 ----> FW2 I/F B22 ----> FW2

Primary Primary

Secondary Secondary

Real servers = A11, A21, A12, A22Static routes: I/F A11 ----> FW1

I/F A21 ----> FW1 I/F A12 ----> FW2 I/F A22 ----> FW2


Four Switch Burch Box FLB

CLEAN

I/F A11

I/F A22

A1

A2 B2

FW1

FW2

B1

» Interfaces on secondary opposing switch are backups for interfaces on primary opposing switch

» Real servers consist of all primary and secondary IP interfaces on opposing switch

» Static routes on switch for primary/secondary interface pair to route through same firewall

I/F B11

I/F B22

Real servers = B11, B22Static routes: I/F B11 ----> FW1

I/F B22 ----> FW2

Primary Primary

Secondary Secondary

Real servers = A11, A22Static routes: I/F A11 ----> FW1

I/F A22 ----> FW2


SSL Offload for HTTPS Operation

7. iSD-SSL encrypts session and sends HTTPS response to client

2. Switch redirects requests on port 443 to iSD-SSL VIP or group

1. Client sends a HTTPS request.

3. iSD-SSL Completes SSL hand shake

4. iSD-SSL initiates HTTP connection (port 80) to server VIP 6. Server responds to HTTP

request and replies to the iSD-SSL VIP

5. Switch selects real server based on configured LB policy

HTTP-S HTTP


Active-Standby iSD Design

Active VIP #1VIP = 205.178.13.226

Standby VIP #2VIP = 205.178.13.240

Active VIP #3VIP = 205.178.13.110

Standby VIP #1VIP = 205.178.13.226

Active VIP #2VIP = 205.178.13.240

Standby VIP #3VIP = 205.178.13.110

…….

Active Standby

Active – used for Web traffic

Standby – used for another service

Internet Backbone


Hot Standby iSD Design

Internet Backbone

…….

Active VIP #1VIP = 205.178.13.226

Active VIP #2VIP = 205.178.13.240

Active VIP #3VIP = 205.178.13.110

Standby VIP #1VIP = 205.178.13.226

Standby VIP #2VIP = 205.178.13.240

Standby VIP #3VIP = 205.178.13.110

ActiveHot

Standby

L2 Switch


IDC Network Design – LAN Backbone

LAN Backbone




HostingCustomer



HostingCustomer


HostingCustomer

HostingCustomer


HostingCustomer

HostingCustomer

NetworkManagement

System

• Largest IP LAN backbone networks using Gigabit Ethernet technology as a Layer 2 switch to scale in anticipation of customer demand

• MultiLine LAN connection provide failover protection for continuous connectivity and added bandwidth.

• Scalable LAN architecture to keep with customer’s bandwidth incensement

•Ethernet (10 Mbps) connections •Fast Ethernet (100 Mbps) connections •Gigabit Ethernet (1000Mbps)connections •Dedicated switch port connections


IDC LAN Backbone Design

10/100Mbps SwitchWith Gigabit uplink

HUB HUB

10Mbps DedicatedSystem Service

10Mbps SharedSystem service

100Mbps DedicateSystem Service

Gigabit Ethernet Backbone

L2 Switching Fabric

Legends:Gigabit Ethernet100Mbps Ethernet10Mbps Ethernet

IDC User Access




HUB HUB





Using STP to Prevent Bridging Loop

Internet

Bridging Loop


Using VLANs to Prevent Bridging Loop

Internet

VLAN 1

VLAN 2

VLAN 3


IDC Network Design – User Access

User Access




HostingCustomer



HostingCustomer


HostingCustomer

HostingCustomer


HostingCustomer

HostingCustomer

NetworkManagement

System

VIP 10.10.10.10

10.10.10.1

10.10.10.2

10.10.10.3

HTTP 20% Multimedia 30% ERP 50%

• Flexible bandwidth service to guarantee IDC customer preferred base bandwidth for their business.

• Fix bandwidth• Usage based bandwidth • Application based bandwidth

• Scalable IDC customer’s service performance by using server load balancing

• TCP/UDP L4 server load balancing• HTTP L7 server load balancing• Global server load balancing


SLB Technology Highlight

• “Virtual Server” with a VIP address » Packets to VIP are load balanced

» Entire session bound to best server at session request

» Half or full network address translation (NAT)» Flexible real/virtual server memberships and access» Accounting/usage statistics on real and virtual servers

• Load balancing Methods» Round-robin, least-connections, response time*» Persistent handling: IP hashing, SSL-ID, cookie*» URL load balancing for server optimization

• Server Monitoring» Server, application and content health checking» WebOS API for customization

10.1 10.2

A.com A.com

VIP 100.2.2.2 RIP1=10.1 RIP2=10.2

A.com = 100.2.2.2

DNSTo 100.2.2.2

Internet Backbone


Server Load Balancing policies

Persistence Optimizedpolicies

Content Intelligent policy

URL-based Load balancing- URL content based- HTTP header based- Cookie based preferential services

Cookie Based- rewrite and passive modes

SSL Session ID Based - on any TCP port

“Best Available”Server policies

Least Connections- Weights- Max connections- Backup/Overflow

Round Robin- Weights- Max connections- Backup/Overflow

Client IP Based- Source IP binding- Hash- Minmiss


Server Group Health Checking Options

Only proves that webprocess is up.

Only proves OS andnetwork is up.

Web operation is normal.

PING

TCP/80

Get index.html

ICMP-level

TCP-level

Application-level

Health Check Packet


User Scriptable Health Checks

• Example of scriptopen port 80send GET /script.cgi /HTTP1.1\n\

rHost:www.alteon.com\n\rexpect HTTP/1.0 200*send GET /index.html HTTP1.1\n\

rHOST:www.alteon1.com\n\r expect HTTP/1.0 200*…closeopen port 443…close

Benefit Dynamically execute a series oftests to check for application and content availability

Features- Ability to send multiple commands

- Check for any return string

- Test availability of different

applications

AD2, AD3, AD4180, 180e, 184


BWM-Fairness based on application

Internet

E-Mail Service

E-mail:CIR = 5 SL = 20 HL = 20

WEB Services

WEB:CIR = 30 SL = 60 HL = 60A.com


Multiple Site For Global Presence

Web Server

H

Data Base Server

H9000

Application Server

Shanghai

Beijing

JiangSu

Internet

Client

Client

Client

Web Server

H

Data Base Server

H9000

Application Server

GuangZhou

Web Server

H

Data Base Server

H9000

Application Server

GSLB


L4 VRRP for High Reliable SLB

Internet Backbone

VIP VIPVSR=VIP

Identical VIP isconfigured on

both Web Switches.

VRRP


L4 Hot-Standby SLB Redundancy

Internet Backbone

…….

Active VIP #1VIP = 205.178.13.226

Active VIP #2VIP = 205.178.13.227

ActiveHot

Standby

VIP #1 VIP #2

Standby VIP #1VIP = 205.178.13.226

Standby VIP #2VIP = 205.178.13.227

Link with traffic

Link without traffic


L4 Active-Standby SLB Redundancy

Internet Backbone

…….

Active VIP #1VIP = 205.178.13.226

Standby VIP #2VIP = 205.178.13.227

Active Active

VIP #1 VIP #2

Standby VIP #1VIP = 205.178.13.226

Active VIP #2VIP = 205.178.13.227

Link with traffic

Link without traffic


Active VIP #1VIP = 205.178.13.100

Active VIP #2VIP = 205.178.13.200

Layer 4 Active-Active Redundancy

Internet Backbone

Active VIP #1VIP = 205.178.13.100

Active VIP #2VIP = 205.178.13.200

VIPs on both switchesare active at the sametime

…….

Active “Virtual” L4 Interfaces

VSR1=205.178.13.100

VSR2= 205.178.13.200

VIP #1 VIP #2


IDC Network Design – User Networks

User Site




HostingCustomer



HostingCustomer


HostingCustomer

HostingCustomer


HostingCustomer

HostingCustomer

NetworkManagement

System

• IDC customer can built their network under IDC network infrastructure

• lease IDC Internet connection• lease IDC dedicate bandwidth• lease IDC server load balancing service• lease IDC SSL offload service• lease IDC intelligent content distribute service• and more …


IDC Customer Network (Option 1)

184

180E 180E

Firewall Firewall

180E 180E

FWLB Function Cache Service

FWLBL4/L7 LB Function, SSL Service

SSL Service

SSL Service

SSL Service

SSL Service

To servers

Gigabit dedicated bandwidth connection

100Mbps dedicatedbandwidth connection

10Mbps dedicated bandwidth connection

Cache Server

Cache ServerCache Server

Cache Server

184

180E180E 180E180E

Firewall Firewall

180E180E 180E180E

GSLB and BWM Function

FWLBL4/L7 LB Function, SSL Service

SSL ServiceSSL Service




To servers

Gigabit dedicated bandwidth connectionGigabit dedicated bandwidth connection

100Mbps dedicatedbandwidth connection100Mbps dedicatedbandwidth connection

10Mbps dedicated bandwidth connection10Mbps dedicated bandwidth connection

IDC Network Infrastructure

Cache Server


Cache Server



180E

AD3

Firewall Firewall

AD3

GSLB and BWM Function

FWLB Function Cache Service

SSL Service SSL Service

To servers








180E

Firewall

GSLB , SLB, iSD

Firewall

SSL Service

To servers






IDC Network Design – Management

ManagementInternet ( International/

Local)



HostingCustomer



HostingCustomer


HostingCustomer

HostingCustomer


HostingCustomer

HostingCustomer

NetworkManagement

System

• Keeping IDC customer’s mission-critical Internet operations up and running by

• Network management and monitoring• URL monitoring and events log• Reboot service for fail over• System administration

• Network and Web site security management to protect IDC customer’s business.

• Intrude detection• Vulnerability Analysis• Firewall management


Alteon Command Line Interface (CLI)

• Setup utility for first time use

• Direct, modem, and Telnet access

• Password protected

• Administrator, layer 4-only and user level access

Alteon Web SwitchConsole

HyperTerminalCom19600bps8bitsNone parity1 stopNone flow control


Alteon Web UI Management Interface

Feature Navigation Tree

Feature Navigation Tree

Action ToolbarAction Toolbar

Display FrameDisplay Frame

Rotating Status Messages Rotating Status Messages


Secure Alteon Switch Management

• Authentication of remote administrators– Administrator identification using NAME/PASSWORD– RADIUS – Based on RFC 2058

• Authorization of remote administrators– Determine the user’s rights– Customize service for individual administrators

• Encryption of management information and configuration up/download - AD4 and 184 only– Messages between remote administrator and switch are encrypted– Secure Shell (SSH)– Secure Copy (SCP)

RADIUS

SSH

SCP


Alteon Management Tools Overview

• CLI – Command Line Interface

• BBI – Browser Based Interface

• SNMP (Standard & Proprietary MIBs)

• Syslog

• EventLog


Integrate Alteon Management in HPOV

– HP OpenView Integration • (UNIX, Windows NT)

•HPOV Integration system»Data collectors, stats and graphs display for all functions»Icons to represent switch on map»Trap integration»WebUI launch point










IDC Network Management System Design

A Sample IDC Network Design


A Sample IDC Network Design IDC Network Infrastructure

Internet Backbone


HUB HUB

10Mbps DedicatedSystem Service


100Mbps DedicateSystem Service

BWM function

L4/L7 LB functionCache/ SSLService

Gigabit Ethernet Backbone

L2 Switching Fabric


IDC User Access




HUB HUB




L2 Switch L2 Switch

iSD-SSL

iSD-SSLCache

Cache


IDC L2 Network Design VLAN Design

Internet Backbone


HUB HUB





HUB HUB

L2 Switch L2 SwitchiSD-SSL

iSD-SSL

Cache

Cache

port3

port1

port2

port1 port1

port2 port2port3 port3port4 port4

Alteon 4

Alteon 3Alteon 2

Alteon 1

If1 10.1.1.2/24-vlan1If2 10.1.2.2/24-vlan2If3 10.1.3.2/24-vlan3If4 10.1.4.2/24-vlan4

If1 10.1.1.3/24-vlan1If2 10.1.2.3/24-vlan2If3 10.1.3.3/24-vlan3If4 10.1.4.3/24-vlan4

If1 10.1.1.1/24-vlan1

If1 10.1.2.4/24 -vlan2

vlan2vlan1

vlan4vlan3


IDC High Reliable Network Design VRRP Design

Internet Backbone

10/100 Mbps SwitchWith Gigabit uplink

HUB HUB





HUB HUB

Vlan 1

Vlan 2

RIP110.1.2.101

RIP210.1.2.102

RIP310.1.2.103

RIP410.1.2.104

VIP for Virtual ServicesVR2-VIP1 10.1.1.10 for HTTPVR4-VIP2 10.1.1.11 for FTP

Server’s Default GWVR1 10.1.2.254VR3 10.1.2.253

Group 1 Group 2

HTTP Servers FTP Servers

Master for Virtual Router 1/2Backup for Virtual Router 3/4

Master for Virtual Router 3/4Backup for Virtual Router 1/2

Alteon 2

Alteon 1

Alteon 3


IDC Network Bandwidth Design Bandwidth Management Design

Internet Backbone


HUB HUB





HUB HUB

RIP110.1.2.101

RIP210.1.2.102

RIP310.1.2.103

RIP410.1.2.104

Group 1 Group 2HTTP Servers FTP Servers

policy 2hard 150Msoft 100M resv 50M

cont 2policy 2

filt 20Sip 10.1.1.11smask255.255.255.255dip anydmaskanyaction allowadv/cont 2

port 3/ filt enaadd 20

policy 1hard 350Msoft 300M resv 250M

cont 1policy 1

filt 10Sip 10.1.1.10smask255.255.255.255dip anydmaskanyaction allowadv/cont 1


Port2 Port3

Port1

VIP for Virtual ServicesVR2- VIP1 10.1.1.10 for HTTPVR4- VIP2 10.1.1.11 for FTP

Alteon1

Alteon3Alteon 2


IDC Network Content Cache Design WCR Design

INTERNET


HUB HUB





HUB HUB

L2 Switch

Cache

Cache

filt 100Sip anysmaskany dip anydmaskanyDport 80Rport 80action redirGroup 3


Port1Port1

RIP5 10.1.3.101

RIP5 10.1.3.102

Group 3 Cache Alteon3Alteon2

Alteon1


IDC Network e-Business Design SSL Offload Design

Internet Backbone


HUB HUBLegends:Gigabit Ethernet100Mbps Ethernet10Mbps Ethernet




HUB HUB

L2 Switch

iSD- SSL

iSD- SSL

filt 110Sip anysmaskany dip anydmaskanyDport 443Rport 81action redirGroup 255

port 1/filt enaadd 110

Port1Port1

RIP7 10.1.4.101

RIP8 10.1.4.102

Group 255 iSD(SSL Offload)

Alteon 2

Alteon 1

filt 120Sip anysmaskany dip anydmaskanySport 81

action redirGroup 255

port 7/filt enaadd 110

Port1

Alteon 3

Question & Answer

Thank You !


GSLB Working Process

1. Client’s DNS request for www.foo.com sent to local DNS

2. Local DNS queries upstream DNS

3. Switch at site C receives DNS request and determines that sites B and C are closest to user. Acting as Authoritative Name Server, switch selects the best site (B) and returns site B’s IP to client’s local DNS

4. Local DNS server responds to client with site B’s VIP

5. Client opens application session to 205.178.2.2 (site B)

www.foo.com205.178.2.2

www.foo.com172.168.13.10

www.foo.com162.113.25.20

Site health, response time and throughputexchanged between switches on a periodic or event-driven basis using encoded DSSP

A

B

C

DSSPUpdates

1 4

2

3

5

Rank Site %Traffic1 B 702 C 203 A 10

Rank Site Traffic1 B 802 C 203 A 10

Rank Site Traffic1 B 752 C 153 A 5

DNS


GSLB Static Tables for User Proximity

1. Client sends request to local DNS server 2. DNS request sent

to switch

DATABASE FIELDS

<IP ADDRESS> <NETMASK> <VIP_1> <VIP_2>

3.Switch looks at database and responds

4.Client request forwarded to nearest location

Data Center Design Guide 4 2

Technology

Transcript of Data Center Design Guide 4 2