
BNL PDN Enhancements


Presentation Transcript


  1. BNL PDN Enhancements

  2. Perimeter Load Balancers
  • Scalable performance
  • Fault tolerance
  • Server maintainability
  • User convenience
  • Perimeter security

  3. Cisco Content Sensitive Switches
  • Dual Cisco CSS 11506 units for fault tolerance
  • Dual Cisco 4506 switches for the proxies
  • Rated at 40 Gb/s maximum throughput
  • Virtualizes the site perimeter services
  • Extremely scalable and flexible
  • High availability and redundancy

  4. Content Switches cont.
  • ACL-based access to the proxy services (secure)
  • Provides expandable pools of servers and services
  • Transparent to end users
  • A single IP address / DNS name for all servers in a service pool (Virtual IP)
  • User access is load balanced across the proxies with a least-connections algorithm

  5. Content Switches cont.
  • Proxies are assigned RFC 1918 (private IP) space (additional isolation)
  • Linear scalability
  • Individual servers can be added to or removed from the service pool at will. This facilitates software upgrades, maintenance, and patching of the actual servers.

  6. CSS VIP Security
  • Behavior similar to a PIX firewall
  • Outbound traffic permitted by default
  • Inbound traffic subject to an ACL (optional)
  • Protects all pooled services
  • Internet scans show no or minimal services (only the advertised services)
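The behaviour described on slides 4 to 6 (one VIP fronting a pool of RFC 1918 proxies, least-connections selection, servers drained for patching without taking the VIP down, and an inbound ACL that admits only the advertised service) can be modelled in a few dozen lines. The following is an added example written for this page, not Cisco CSS code; the VIP 1.1.1.1, the 172.16.1.x proxy addresses and port 25 are illustrative values, and only the inbound ACL check is modelled (the default-permit outbound path is not).

```python
"""Model of a CSS-style service pool: one VIP, a pool of real servers on
private addresses, least-connections selection, maintenance drain, and an
inbound ACL that only admits the advertised service port.
Constructed example; addresses and ports are illustrative."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Server:
    ip: str                  # RFC 1918 address of the real proxy, hidden behind the VIP
    active: int = 0          # current connection count
    in_service: bool = True  # False while drained for patching / maintenance


@dataclass
class ServicePool:
    vip: str                 # the single public address / DNS name for the pool
    port: int                # the one advertised service port (e.g. 25 for SMTP)
    servers: list = field(default_factory=list)

    def add(self, ip: str) -> None:
        self.servers.append(Server(ip))

    def drain(self, ip: str) -> None:
        """Take a server out of rotation without disturbing the pool (maintenance)."""
        for s in self.servers:
            if s.ip == ip:
                s.in_service = False

    def restore(self, ip: str) -> None:
        for s in self.servers:
            if s.ip == ip:
                s.in_service = True

    def select(self) -> Optional[Server]:
        """Least-connections: the in-service server with the fewest active
        connections; ties go to the earliest server in pool order."""
        candidates = [s for s in self.servers if s.in_service]
        if not candidates:
            return None
        return min(candidates, key=lambda s: s.active)

    def admit(self, dst_ip: str, dst_port: int) -> bool:
        """Inbound ACL on the VIP: only the advertised service is reachable;
        anything else is dropped, which a scanner reports as 'filtered'."""
        return dst_ip == self.vip and dst_port == self.port

    def connect(self, dst_ip: str, dst_port: int) -> Optional[str]:
        """Inbound connection attempt: the real server chosen, or None if denied."""
        if not self.admit(dst_ip, dst_port):
            return None
        s = self.select()
        if s is None:
            return None
        s.active += 1
        return s.ip

    def close(self, server_ip: str) -> None:
        for s in self.servers:
            if s.ip == server_ip and s.active > 0:
                s.active -= 1


def demo() -> dict:
    """Walk through the pool behaviour and return the observations."""
    pool = ServicePool(vip="1.1.1.1", port=25)
    for ip in ("172.16.1.21", "172.16.1.22", "172.16.1.23"):
        pool.add(ip)
    result = {}
    # Three inbound SMTP connections land one per server.
    result["first_three"] = [pool.connect("1.1.1.1", 25) for _ in range(3)]
    # Drain .22 for patching: new connections avoid it, its existing one is untouched.
    pool.drain("172.16.1.22")
    result["after_drain"] = [pool.connect("1.1.1.1", 25) for _ in range(2)]
    # A port that is not advertised is never handed to a real server.
    result["finger_denied"] = pool.connect("1.1.1.1", 79)
    result["active"] = {s.ip: s.active for s in pool.servers}
    return result


if __name__ == "__main__":
    print(demo())
```

Draining a server only stops new selections; connections already on it finish normally, which is what makes rolling patches transparent to users. The ACL check runs before selection, so a denied port never consumes a pool connection slot.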

  7. Performance Overview
  • Services virtualized and "pooled" together
  • Approximately linear scalability
  • A /28 per individual service pool (14 usable addresses, so 14 servers max)
  • Separate management and load traffic paths

  8. Proxy Services Virtual IPs
  • SMTP          1.1.1.1
  • HTTP          1.1.1.2
  • SSH           1.1.1.3
  • TELNET        1.1.1.4
  • HTTP/Reverse  1.1.1.5
  • FTP           1.1.1.6
  • Others as we grow

  9. Management Server Configuration
  • IEEE 802.1q trunk format (LB monitor interface)
  • Custom Linux kernel configuration parameters
  • Subset of NICs: Intel EEPro 100 with the Intel driver
  • vconfig utility to create VLAN (IEEE 802.1q tagged) interfaces

  Example:
    eth0.310  Link encap:Ethernet  HWaddr 00:03:47:DB:6D:6B
              inet addr:172.16.1.13  Bcast:172.16.1.15  Mask:255.255.255.240
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1945993 errors:0 dropped:0 overruns:0 frame:0
              TX packets:214508 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:91180210 (86.9 MiB)  TX bytes:14828768 (14.1 MiB)
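As an added example (not from the deck), the helper below plans the tagged monitor interface from the slide and checks its addressing against the /28 pool sizing from slide 7. It emits the configuration commands instead of running them, so it needs no root and no NIC; the interface, VLAN ID, address and mask are the slide's values, and the iproute2 form is the modern equivalent of the vconfig/ifconfig commands the slide describes (an assumption about which commands were actually used).

```python
"""Plan an 802.1q VLAN sub-interface and check pool addressing.
Added example; emits commands rather than executing them."""
import ipaddress


def pool_capacity(prefixlen: int) -> int:
    """Usable host addresses in an IPv4 prefix (network and broadcast excluded)."""
    return 2 ** (32 - prefixlen) - 2


def plan_vlan_interface(parent: str, vlan_id: int, addr: str, netmask: str) -> dict:
    """Return the sub-interface name, broadcast address, prefix length and the
    commands that would configure it, in both the vconfig/ifconfig style the
    slide mentions and the iproute2 style (assumed equivalent)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("802.1q VLAN ID must be in 1..4094")
    iface = ipaddress.ip_interface(f"{addr}/{netmask}")
    name = f"{parent}.{vlan_id}"
    bcast = iface.network.broadcast_address
    return {
        "ifname": name,
        "broadcast": str(bcast),
        "prefixlen": iface.network.prefixlen,
        "vconfig": [
            f"vconfig add {parent} {vlan_id}",
            f"ifconfig {name} {addr} netmask {netmask} broadcast {bcast} up",
        ],
        "iproute2": [
            f"ip link add link {parent} name {name} type vlan id {vlan_id}",
            f"ip addr add {iface.with_prefixlen} brd + dev {name}",
            f"ip link set {name} up",
        ],
    }


if __name__ == "__main__":
    plan = plan_vlan_interface("eth0", 310, "172.16.1.13", "255.255.255.240")
    for cmd in plan["vconfig"] + plan["iproute2"]:
        print(cmd)
    print(plan["ifname"], plan["broadcast"], "usable hosts:", pool_capacity(plan["prefixlen"]))
```

The computed broadcast (172.16.1.15) matches the Bcast field in the ifconfig output on the slide, and a /28 yields 14 usable addresses, which is where the "14 max" per pool comes from.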

  10. Performance Tests

  Single test:
    [SUM]  0.0-253.6 sec  15.2 GBytes   516 Mbits/sec

  Pseudo double test (two concurrent client runs):
    smtpvip2:~# iperf -c 198.124.238.14 -n 209715200 -t 300 -P5
    ------------------------------------------------------------
    Client connecting to 198.124.238.14, TCP port 5001
    TCP window size: 64.0 KByte (default)
    ------------------------------------------------------------
    [ 5] local 172.16.129.66 port 32832 connected with 198.124.238.14 port 5001
    [ 6] local 172.16.129.66 port 32833 connected with 198.124.238.14 port 5001
    [ 7] local 172.16.129.66 port 32834 connected with 198.124.238.14 port 5001
    [ 8] local 172.16.129.66 port 32835 connected with 198.124.238.14 port 5001
    [ 9] local 172.16.129.66 port 32836 connected with 198.124.238.14 port 5001
    [ ID] Interval       Transfer     Bandwidth
    [ 8]  0.0-300.1 sec  1.89 GBytes  54.2 Mbits/sec
    [ 6]  0.0-300.1 sec  1.85 GBytes  53.0 Mbits/sec
    [ 5]  0.0-300.1 sec  1.87 GBytes  53.6 Mbits/sec
    [ 9]  0.0-300.2 sec  1.76 GBytes  50.3 Mbits/sec
    [ 7]  0.0-300.2 sec  1.84 GBytes  52.7 Mbits/sec
    [SUM] 0.0-300.2 sec  9.22 GBytes   264 Mbits/sec

    [ ID] Interval       Transfer     Bandwidth
    [ 7]  0.0-300.1 sec  1.78 GBytes  51.0 Mbits/sec
    [ 9]  0.0-300.2 sec  1.86 GBytes  53.3 Mbits/sec
    [ 5]  0.0-300.7 sec  2.00 GBytes  57.0 Mbits/sec
    [ 8]  0.0-300.7 sec  1.68 GBytes  48.1 Mbits/sec
    [ 6]  0.0-301.0 sec  1.82 GBytes  52.0 Mbits/sec
    [SUM] 0.0-301.0 sec  9.14 GBytes   261 Mbits/sec

  11. (chart) Two runs with a single machine in the VIP, and two runs with two machines in the VIP

  12. (chart) Confirmation from a different measuring tool

  13. Perimeter scan of the VIPs
    netmon:~# nmap -P0 1.1.1.1-5
    Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-07-12 15:11 EDT
    All 1659 scanned ports on csssm1 (1.1.1.1) are: filtered
    …...
    Interesting ports on smtpgateway (1.1.1.2):
    (The 1656 ports scanned but not shown below are in state: filtered)
    PORT     STATE SERVICE
    25/tcp   open  smtp
    79/tcp   open  finger
    113/tcp  open  auth
    All 1659 scanned ports on httpgateway (1.1.1.3) are: filtered
    Interesting ports on cecache (1.1.1.4):
    (The 1655 ports scanned but not shown below are in state: filtered)
    PORT     STATE SERVICE
    80/tcp   open  http
    443/tcp  open  https
    563/tcp  open  snews
    8080/tcp open  http-proxy
    All 1659 scanned ports on 1.1.1.5 are: filtered
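The point of the scan on slide 13 is slide 6's claim that only advertised services are visible from outside, and the useful follow-up is to compare the scan against that advertised list automatically. The following is an added example (not part of the deck): it parses the classic nmap 3.x text output, using the slide's own scan lines trimmed to the relevant hosts, and reports every open port the policy does not list for that VIP. The advertised-port map is an assumed policy, chosen from the service names in the deck; whether finger, auth or snews belong on those gateways is a question for the operators, and the script only flags them as not on the list.

```python
"""Compare an nmap text scan against an advertised-service policy.
Added example. SCAN is the slide's scan output (trimmed); ADVERTISED is an
assumed policy, not something the deck states."""
import re

SCAN = """\
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-07-12 15:11 EDT
All 1659 scanned ports on csssm1 (1.1.1.1) are: filtered
Interesting ports on smtpgateway (1.1.1.2):
(The 1656 ports scanned but not shown below are in state: filtered)
PORT     STATE SERVICE
25/tcp   open  smtp
79/tcp   open  finger
113/tcp  open  auth
All 1659 scanned ports on httpgateway (1.1.1.3) are: filtered
Interesting ports on cecache (1.1.1.4):
(The 1655 ports scanned but not shown below are in state: filtered)
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
563/tcp  open  snews
8080/tcp open  http-proxy
All 1659 scanned ports on 1.1.1.5 are: filtered
"""

# Assumed policy: the TCP ports each VIP is meant to advertise.
# VIPs absent from the map are expected to show nothing at all.
ADVERTISED = {
    "1.1.1.2": {25},             # SMTP gateway
    "1.1.1.4": {80, 443, 8080},  # HTTP proxy / cache
}

# "Interesting ports on name (ip):" / "All N scanned ports on name (ip) are: ..."
# / "All N scanned ports on ip are: ..." (hostname is optional)
HOST_RE = re.compile(
    r"^(?:Interesting ports on|All \d+ scanned ports on) (?:(\S+) \()?(\d+\.\d+\.\d+\.\d+)\)?"
)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_scan(text: str) -> dict:
    """Map each scanned IP to its hostname (or the IP itself) and its open TCP ports."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            name, ip = m.groups()
            current = hosts.setdefault(ip, {"host": name or ip, "open": {}})
            continue
        m = PORT_RE.match(line)
        if m and current is not None and m.group(2) == "tcp" and m.group(3) == "open":
            current["open"][int(m.group(1))] = m.group(4)
    return hosts


def unexpected_services(hosts: dict, advertised: dict) -> dict:
    """Open ports that the policy does not list for that VIP. A VIP missing
    from the policy is allowed nothing, so any open port on it is reported."""
    findings = {}
    for ip, info in hosts.items():
        allowed = advertised.get(ip, set())
        extra = {p: s for p, s in info["open"].items() if p not in allowed}
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    scanned = parse_scan(SCAN)
    for ip, extra in unexpected_services(scanned, ADVERTISED).items():
        print(f"{scanned[ip]['host']} ({ip}): not in advertised list -> {extra}")
```

Hosts where nmap reports every port filtered still get an entry with an empty port set, so a VIP that silently starts answering on a new port shows up on the next run rather than being missed because it had no "Interesting ports" block before.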

  14. Summary
  • Cisco CSS provides a high-throughput, scalable solution for most BNL perimeter services
  • The security enhancements come as additional features

  15. IPv6 Test Bed Deployment
  • Campus network and host security
  • Low cost

  16. IPv6 Test Bed cont.
  • Built from a "recycled" Cisco 7513 router (free)
  • Separate infrastructure
  • IPv6 over 802.1q trunk encapsulation
  • EUI-64 addressing on /64 subnets
  • HTTP and FTP servers
  • Next step: fix DNS; NAT-PT or dual stack