ONE NET DCN Data Center Solution
V100R001C01
Technical Proposal
Issue
01
Date
2012-05-15
HUAWEI TECHNOLOGIES CO., LTD.
Copyright © Huawei Technologies Co., Ltd. 2012. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address:
Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website:
http://www.huawei.com
Email:
[email protected]
Issue 01 (2012-05-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
i
Contents
1 Data Center Network Overview ................................................................................................ 1
1.1 Introduction to a Data Center ........................................................................................................................... 1
1.2 Services Transmitted on Data Center Networks ............................................................................................... 1
1.2.1 Data Service ............................................................................................................................................ 2
1.2.2 Web Service ............................................................................................................................................ 3
1.2.3 Computing Service.................................................................................................................................. 6
1.3 Overall Requirement for the DC Network ....................................................................................................... 7
1.4 DC Network Solution ....................................................................................................................................... 8
1.4.1 Design Principles of a DC Network ........................................................................................................ 8
1.4.2 Solution Overview .................................................................................................................................. 9
1.5 Advantages of the DC Network Solution ....................................................................................................... 10
2 Data Center Network Solution ................................................................................................. 13
2.1 Data Center Network Architecture ................................................................................................................. 13
2.1.1 Overview ............................................................................................................................................... 13
2.1.2 Data Center Logical Architecture.......................................................................................................... 14
2.1.3 Physical Network Architecture ............................................................................................................. 15
2.2 Core Zone Networking Planning .................................................................................................................... 16
2.2.1 Physical Networking Planning .............................................................................................................. 16
2.2.2 Physical Networking Planning in the Data Center Core Zone of Internet Enterprises.......................... 18
2.2.3 Reliability Planning .............................................................................................................................. 19
2.2.4 Security Planning .................................................................................................................................. 21
2.3 Server Zone Networking Planning ................................................................................................................. 21
2.3.1 Physical Networking Planning .............................................................................................................. 21
2.3.2 Channel Separating on Servers ............................................................................................................. 23
2.3.3 Server FCoE Access Design ................................................................................................................. 26
2.3.4 Reliability Planning .............................................................................................................................. 27
2.3.5 Traffic Model Planning ......................................................................................................................... 29
2.3.6 Security Planning .................................................................................................................................. 30
2.3.7 Service Load Balancing Planning ......................................................................................................... 31
2.4 Storage Zone Networking Planning ............................................................................................................... 36
2.4.1 Physical Networking Planning .............................................................................................................. 36
2.4.2 Basic Planning for the Storage Zone ..................................................................................................... 36
2.4.3 Reliability Planning .............................................................................................................................. 37
2.4.4 Security Planning .................................................................................................................................. 37
2.5 Interconnection Zone Networking Planning .................................................................................................. 38
2.5.1 Physical Networking Planning .............................................................................................................. 38
2.5.2 Internet Access Zone ............................................................................................................................. 39
2.5.3 Extranet Zone ........................................................................................................................................ 43
2.5.4 Intranet Zone ......................................................................................................................................... 45
2.5.5 Branch Access Planning ........................................................................................................................ 46
2.5.6 Remote Access Planning ....................................................................................................................... 46
2.6 Management Zone Networking Planning ....................................................................................................... 47
2.6.1 Physical Networking Planning .............................................................................................................. 47
2.6.2 Reliability Planning .............................................................................................................................. 48
2.6.3 Security Planning .................................................................................................................................. 48
2.7 R&D and Test Zone Planning......................................................................................................................... 49
2.7.1 Physical Network .................................................................................................................................. 49
2.7.2 Recommendation .................................................................................................................................. 50
2.8 VLAN Planning.............................................................................................................................................. 50
2.8.1 VLAN Overview ................................................................................................................................... 50
2.8.2 Principles .............................................................................................................................................. 50
2.8.3 Recommendation .................................................................................................................................. 51
2.9 IP Planning ..................................................................................................................................................... 51
2.9.1 IP Address Planning .............................................................................................................................. 51
2.9.2 DHCP Planning ..................................................................................................................................... 52
2.9.3 DNS Planning ....................................................................................................................................... 53
2.10 Route Planning ............................................................................................................................................. 56
2.10.1 Routing Overview ............................................................................................................................... 56
2.10.2 IGP Design .......................................................................................................................................... 57
2.10.3 BGP Design......................................................................................................................................... 58
2.11 VPN Planning ............................................................................................................................................... 59
2.11.1 VPN Overview .................................................................................................................................... 59
2.11.2 Intranet VPN Service Isolation............................................................................................................ 59
2.12 QoS Planning ............................................................................................................................................... 60
2.12.1 QoS Overview ..................................................................................................................................... 60
2.12.2 QoS Planning Concerning Collaborative Computing ......................................................................... 60
2.12.3 QoS Planning for Different Data Flows .............................................................................................. 62
3 Security Solution ......................................................................................................................... 63
3.1 Security Overview .......................................................................................................................................... 63
3.2 Security Design .............................................................................................................................................. 64
3.3 Security Network Structure ............................................................................................................................ 66
3.4 Firewall Deployment ...................................................................................................................................... 68
3.5 Virtual Firewall .............................................................................................................................................. 69
3.6 Traffic Cleaning.............................................................................................................................................. 69
3.6.1 DPI ........................................................................................................................................................ 69
3.6.2 Layered Traffic Cleaning ...................................................................................................................... 70
3.6.3 Malformed Packet Attack Defense........................................................................................................ 71
3.6.4 Flood Type Attack Defense ................................................................................................................... 71
3.6.5 Packet Type Attack Defense.................................................................................................................. 72
4 Suggestions on Planning Multiple DCs ................................................................................. 74
4.1 Inter-DC Connection ...................................................................................................................................... 74
4.2 Network Architecture of Multiple DCs .......................................................................................................... 75
4.3 Inter-DC Layer 2 Connection Planning .......................................................................................................... 76
4.3.1 Inter-DC Layer 2 Connection................................................................................................................ 76
4.3.2 Fiber Interconnection Solution.............................................................................................................. 77
4.3.3 VPLS Interconnection Solution ............................................................................................................ 78
4.4 Inter-DC Layer 3 Interconnection Planning ................................................................................................... 79
4.4.1 Inter-DC Layer 3 Interconnection ......................................................................................................... 79
4.4.2 L3VPN Interconnection Solution .......................................................................................................... 79
4.4.3 Route Planning ...................................................................................................................................... 80
4.4.4 BGP Design........................................................................................................................................... 80
4.5 Network Reliability Planning ......................................................................................................................... 82
4.5.1 Network Reliability Between Regional DCs and Global DCs .............................................................. 82
4.5.2 Network Reliability Between a Country/Region Branch and Regional DCs ........................................ 83
4.6 Application Acceleration Planning ................................................................................................................. 84
4.6.1 Application Acceleration Overview ...................................................................................................... 84
4.6.2 Application Acceleration Technologies ................................................................................................. 85
4.6.3 Application Acceleration Design........................................................................................................... 86
4.7 Disaster Recovery Planning ........................................................................................................................... 87
4.7.1 Disaster Recovery Overview ................................................................................................................ 87
4.7.2 Disaster Recovery Overview ................................................................................................................ 90
4.7.3 Disaster Recovery Network Planning ................................................................................................... 94
4.7.4 Service Planning for Disaster Recovery................................................................................................ 96
4.8 Service Distribution Planning ........................................................................................................................ 97
4.8.1 Service Distribution Overview.............................................................................................................. 97
4.8.2 Service Distribution Planning ............................................................................................................... 97
5 DC Network Maintenance Recommendations ................................................................... 100
5.1 Network Management .................................................................................................................................. 100
5.1.1 NMS Overview ................................................................................................................................... 100
5.1.2 Networking Mode ............................................................................................................................... 100
5.1.3 eSight Highlights ................................................................................................................................ 103
5.1.4 Network Routine Maintenance ........................................................................................................... 104
5.1.5 Customization of Third-Party Devices ................................................................................................ 106
5.1.6 Software Upgrade and Patch Loading................................................................................................. 106
5.1.7 Network Traffic Analysis .................................................................................................................... 108
5.2 Troubleshooting............................................................................................................................................ 109
5.2.1 Troubleshooting Network Devices...................................................................................................... 109
5.2.2 Troubleshooting Servers ..................................................................................................................... 110
5.3 Network Expansion ...................................................................................................................................... 111
5.3.1 Overview ............................................................................................................................................. 111
5.3.2 Server Expansion ................................................................................................................................ 111
5.3.3 Device Expansion ............................................................................................................................... 112
5.3.4 Link Bandwidth Expansion ................................................................................................................. 114
5.4 Disaster Emergency Maintenance ................................................................................................................ 114
6 Recommended Products .......................................................................................................... 115
6.1 S9300 Series Core Switches ......................................................................................................................... 115
6.1.1 Product Overview ............................................................................................................................... 115
6.1.2 Product Model..................................................................................................................................... 115
6.1.3 Product Characteristics ....................................................................................................................... 117
6.1.4 Specifications ...................................................................................................................................... 118
6.2 S6700 Series Access Switches ..................................................................................................................... 120
6.2.1 Product Overview ............................................................................................................................... 120
6.2.2 Product Model..................................................................................................................................... 120
6.2.3 Product Characteristics ....................................................................................................................... 121
6.2.4 Main Specifications ............................................................................................................................ 123
6.3 S5700 Series Access Switches ..................................................................................................................... 127
6.3.1 Product Overview ............................................................................................................................... 127
6.3.2 Appearance.......................................................................................................................................... 127
6.3.3 Product Characteristics ....................................................................................................................... 129
6.3.4 Product Specifications......................................................................................................................... 132
6.4 E8000E-X Series Firewall ............................................................................................................................ 136
6.4.1 Product Overview ............................................................................................................................... 136
6.4.2 Product Model..................................................................................................................................... 137
6.4.3 Product Characteristics ....................................................................................................................... 138
6.4.4 Technical Specifications...................................................................................................................... 140
6.5 E1000E-X Series Firewall ............................................................................................................................ 140
6.5.1 Product Overview ............................................................................................................................... 140
6.5.2 Product Model..................................................................................................................................... 141
6.5.3 Product Characteristics ....................................................................................................................... 141
6.5.4 Technical Specifications...................................................................................................................... 142
6.6 OSN 1800 Compact Multi-Service Edge Optical Transport Platform ......................................................... 143
6.6.1 Product Overview ............................................................................................................................... 143
6.6.2 Product Characteristics ....................................................................................................................... 144
6.6.3 Technical Specifications...................................................................................................................... 145
7 Data Center Success Stories .................................................................................................... 149
7.1 Data Center for Beijing Branch of Bank of China ....................................................................................... 149
7.2 Baidu Data Center ........................................................................................................................................ 151
7.3 Huawei Data Center ..................................................................................................................................... 152
7.4 Disaster Recovery System for Brazil Santander Bank ................................................................................. 153
7.5 Disaster Recovery System for KPN in Netherlands ..................................................................................... 154
1 Data Center Network Overview
1.1 Introduction to a Data Center
Information is key to an enterprise's competitiveness. As network and communication technologies develop at an ever-increasing rate, data centers (DCs) have become the core of the information an enterprise needs to do business. A well-designed DC improves the efficiency and supports the development of an enterprise.
The DC of an enterprise is important because it hosts the key service systems and is the center where the enterprise's key data is managed. It controls user access, filters packets for security, processes service applications, computes information, and stores data for backup.
A DC consists of the following components:
- Equipment room
- Power supply system
- Network devices, including devices on the data network, computing network, and storage network
- Servers, including operating systems and application software
- Storage devices
- Security system
- Operation, administration, and maintenance (OAM) system
For enterprises, the trend is to integrate services and data in multiple DCs. This requires the enterprise network to provide a high level of performance and reliability.
The Huawei DC network solution provides a high-performance, secure, and reliable network, which allows the DC to deliver high-quality services.
1.2 Services Transmitted on Data Center Networks
A DC deploys various service systems in a centralized mode to integrate them. This helps to
analyze services, make decisions, and maximize the information production capability.
A DC also provides web portals, which establish channels with customers and improve the enterprise's brand awareness, product promotion, and customer service. Through the web portals, the enterprise can implement e-commerce and other Internet-based businesses.
In addition, a DC provides high-performance computing services, such as 3D rendering, medical research, gene analysis, and web search.
In an enterprise, a DC may provide all the preceding services concurrently. These services
may be independent of each other or be integrated into a large service system. You must
analyze the real situation when planning a network for the DC.
1.2.1 Data Service
Overview
The data service is the most basic service in a DC. Typical data services in an enterprise
include file storage, mail service, and enterprise resource planning (ERP). The client/server
(C/S) model is the basic service model.
Figure 1-1 Client/Server service model
The C/S model consists of the following two parts:
- Client (usually a PC). A client is deployed on a campus network or at an enterprise branch. A fat client sends SQL requests to the server, and the SQL responses returned by the server are displayed in the application GUI.
- Server. A server is deployed in a DC and stores data on a dedicated storage device. As shown in Figure 1-1, the server running the database is called the DB server, the server running applications is called the App server, and the database data is stored on a dedicated storage device (not shown in the figure).
The data service is processed as follows:
1. The client sends a request.
2. The server and the storage device receive and process the request.
3. The server sends a response to the client.
Network Requirements of the Data Service
The network requirements include:
- Traffic requirement
Traffic is generated by requests and responses between the client and the server. Traffic is uneven and peaks during busy hours on particular dates or periods. The network bandwidth must be planned to accommodate peak traffic, and some bandwidth must be reserved for future growth and improvements.
The number of clients and the number of concurrent services must also be considered in bandwidth planning. The number of concurrent services determines the bandwidth convergence ratio between network devices at different layers, because in the C/S model traffic flows between clients and servers and no traffic is transmitted between servers.
For example, the peak hour of each service falls on the closing date of that service or event, such as the closing date of production, a sale, or attendance services. If these closing dates differ, use the highest peak traffic rate of the three services as the network bandwidth peak. If the closing dates fall on the same date, use the total peak traffic rate of the three services as the network bandwidth peak.
The data service has no special delay requirement as long as the user experience is acceptable. In most cases, the response time of a database is less than 2 seconds. The forwarding delay of the DC network is less than 1 millisecond, a small proportion of the total response time. The forwarding delay of the WAN is about 300 milliseconds, and the data processing time is tens of milliseconds. Some special services require short delays; for example, a stock exchange requires the network forwarding delay to be less than 5 milliseconds.
• Security requirement
A DC is an integrated IT application environment in which a large amount of data is stored. It requires the highest security in the IT system.
In an enterprise, key services such as financial services are carried as data services and require high security. In addition to physical security measures, protection is also required on the network, including isolating different services and identifying and handling attack traffic and viruses. Services are isolated so that terminals can access only the servers of their specified services.
• Reliability requirement
Data reliability is required, and the required level varies with the service type (internal or external) on the network.
The internal service system does not require high network reliability. A fault in part of the DC is recovered within 20 to 30 minutes, and a fault affecting the entire DC is recovered within 4 to 8 hours, during which services run from the backup DC.
The external service system requires high network reliability. A fault in part of the DC recovers automatically or is rectified manually within 10 minutes, and a fault affecting the entire DC is recovered within 2 hours, during which services run from the disaster recovery center.
• Cloud-computing requirement
In most cases, the service systems of the data service do not run concurrently. To use server resources efficiently, deploy multiple virtual servers on one physical server to host different service systems; this is the simplest way to apply cloud computing. When doing so, consider the bandwidth requirement of each service so that one service cannot consume the bandwidth of the other services on the same server.
In summary, the network requirements of the data service are guaranteed bandwidth and security.
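The peak-bandwidth rule and the convergence-ratio rule from the traffic requirement above, as an added worked example (this is not code from the proposal). Service names, peak rates, closing dates, the 30% growth reserve and the port counts are constructed sample values:

```python
"""Peak bandwidth planning for the data service.

Added example, not code from the Huawei proposal. Each service has a peak rate
and the date its peak falls on. Peaks that fall on the same date add up; peaks
on different dates do not, so the planned peak is the largest per-date sum, plus
a reserve for growth. The convergence (oversubscription) ratio follows from how
much of the access bandwidth is actually in use concurrently. Service names,
rates, dates and port counts below are constructed sample input.
"""
from collections import defaultdict
from datetime import date


def planned_peak_mbps(services, growth_reserve=0.3):
    """Return (busiest_date, peak_mbps) for a list of (name, peak_mbps, peak_date).

    peak_mbps already includes the growth reserve (0.3 means plan 30% headroom).
    """
    per_date = defaultdict(float)
    for _name, rate_mbps, peak_date in services:
        per_date[peak_date] += rate_mbps          # coinciding peaks are summed
    busiest = max(per_date, key=per_date.get)     # otherwise the highest one wins
    return busiest, per_date[busiest] * (1.0 + growth_reserve)


def convergence_ratio(port_mbps, port_count, concurrent_peak_mbps):
    """Access:uplink ratio an access device can be given (e.g. 4.0 means 4:1).

    The data service has no server-to-server traffic, so only the concurrent
    client-facing peak has to fit through the uplinks.
    """
    total_access = port_mbps * port_count
    if not 0 < concurrent_peak_mbps <= total_access:
        raise ValueError("concurrent peak must lie in (0, total access bandwidth]")
    return total_access / concurrent_peak_mbps


# Constructed sample: production and sales close on the same day, attendance does not.
SAMPLE = [
    ("production", 800.0, date(2012, 5, 31)),
    ("sales",      600.0, date(2012, 5, 31)),
    ("attendance", 900.0, date(2012, 5, 25)),
]

if __name__ == "__main__":
    busiest, peak = planned_peak_mbps(SAMPLE)
    print(f"busiest date {busiest}: plan {peak:.0f} Mbit/s including 30% reserve")
    # 48 GE-attached servers of which at most 12 Gbit/s is ever busy at once
    print(f"convergence ratio for the access switch: {convergence_ratio(1000, 48, 12000):.0f}:1")
```

With the sample input the busiest date is the one where production and sales coincide (800 + 600 = 1400 Mbit/s), not the single largest peak (900 Mbit/s); the attendance peak would only be added if its closing date moved onto the same day.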
1.2.2 Web Service
Overview
As the Internet flourishes, the web service takes up a larger proportion of enterprise services, for two reasons. The web service provides a convenient way for users to access information and perform e-commerce on the Internet, and it solves problems of the C/S model, such as the large workload of maintaining client software.
Figure 1-2 Web service model
(Figure: WEB browser, WEB Server, App Server, DB Server.)
As shown in Figure 1-2, the web service model adds a web server and an App server in front of the DB server to form a three-tier structure. Services are processed as follows:
1. The client's web browser sends a request to the web server over HTTP, and the App server processes the service logic.
2. The DB server and storage system provide database services.
3. The web server renders the result as a web page for the user.
The three-tier structure makes the service system more flexible. You can modify the service system on the web server, application server, or DB server, and users only need to refresh the web page in the browser to see the change.
Network Requirements of the Web Service
Unlike the data service, the web service requires a web server and an application server in the DC. Traffic is transmitted between the web server and the application server, and between the application server and the DB server.
The network requirements include:
• Traffic requirement
Web service traffic (requests and responses) is transmitted between clients and servers and also between servers. Like data service traffic, it is uneven.
You need to understand the deployment modes before planning bandwidth. The web service can be deployed in layered or flattened mode, as shown in Figure 1-3 and Figure 1-4.
− To deploy a large number of web servers, application servers, and DB servers in a large DC, use the layered mode.
− To deploy a small number of servers in a small- or mid-scale DC, Huawei recommends the flattened deployment mode.
Figure 1-3 Layered deployment mode
(Figure: separate iStack switch pairs for the Web, APP, and DB server tiers.)
Figure 1-4 Flattened deployment mode
(Figure: one iStack switch pair serving the Web, APP, and DB servers.)
In the layered deployment mode, bandwidth is planned for each layer. In the flattened deployment mode, traffic between servers is aggregated on one switch and bandwidth is planned from the total traffic volume. In both modes the traffic between clients and the DC is much smaller than the traffic within the DC.
Web service traffic passes through more servers and network devices than data service traffic, so the web service requires a shorter network delay. The web service interaction also differs from the data service interaction: the web server responds to the client's request, the application server and DB server then process it, and finally the result is displayed on web pages. The delay of the web server's response to client requests must therefore be short.
• Security requirement
In the web service model, the web server and application server sit between the client and the DB server, so clients never connect to the database directly. This enhances the security of the DB server and its data. Traffic still passes hop by hop among the web server, application server, and DB server over the network, and each hop is a pivot point: an attacker who compromises the web tier can attack the application tier from it, and so on. Traffic between tiers must therefore be filtered so that each tier accepts only the connections its upstream tier needs.
Web services, especially those open to Internet users, face more threats because:
− Attack sources are well organized and industrialized, and attacks may come from anywhere on the Internet.
− The service system is more complex. Vulnerabilities may exist in the operating system, web server, application server, and database, and a vulnerability in one tier may let the others be compromised one by one.
− Internal users accessing the Internet may be compromised by unauthorized users and used as a foothold for attacks.
• Reliability requirement
In the three-tier structure, a web service is processed by servers at three tiers together and interactions between servers are more frequent, so higher network reliability is required. The overall fault recovery time is not extended; however, network reliability must improve so that DC availability stays unchanged in such a serial system.
Suppose the error rate of a link between a switch and a server is 1 h per 1000 h. In web service mode, the switch is connected to the web server, application server, and DB server over three links that are all needed, so the error rate of the path is 1 − (1 − 1/1000)^3 ≈ 3 h per 1000 h. To keep the error rate of the entire service at 1 h per 1000 h, the error rate of each link must be reduced to about 20 min per 1000 h.
In conclusion, the web service requires network bandwidth guarantee and security.
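The tier isolation described under the web service security requirement, as an added example (not code from the proposal): a default-deny whitelist of the only tier-to-tier flows the three-tier design needs, and an audit of sample flows against it. The zone prefixes, ports and flows are constructed for the example; a real deployment would express the same whitelist as firewall or ACL rules between the tiers.

```python
"""Tier-to-tier isolation check for the three-tier web service.

Added example, not code from the Huawei proposal. It models the tiers as zones
and keeps a whitelist of the only flows the design needs: browser -> web tier,
web -> application tier, application -> DB tier. Everything else is denied, so
a client cannot reach the database directly, a compromised web server cannot
skip the application tier, and the DB tier cannot open connections outbound.
Zone prefixes, ports and the sample flows are constructed for the example.
"""
from ipaddress import ip_address, ip_network

ZONES = {                               # constructed addressing
    "internet": ip_network("0.0.0.0/0"),
    "web":      ip_network("10.1.0.0/24"),
    "app":      ip_network("10.2.0.0/24"),
    "db":       ip_network("10.3.0.0/24"),
}

# (source zone, destination zone, destination TCP port); anything else is denied
PERMITTED = {
    ("internet", "web", 443),
    ("web", "app", 8080),
    ("app", "db", 3306),
}


def zone_of(ip):
    """Most specific zone containing ip; the /0 'internet' zone only wins by default."""
    addr = ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


def permitted(src_ip, dst_ip, dst_port):
    """Default-deny: a flow passes only if its (src zone, dst zone, port) is whitelisted."""
    return (zone_of(src_ip), zone_of(dst_ip), dst_port) in PERMITTED


def audit(flows):
    """Return the subset of (src_ip, dst_ip, dst_port) flows the policy denies."""
    return [flow for flow in flows if not permitted(*flow)]


# Constructed sample flows: two legitimate hops and three hop-skipping attempts
SAMPLE_FLOWS = [
    ("203.0.113.7", "10.1.0.10", 443),    # browser to web tier: allowed
    ("203.0.113.7", "10.3.0.10", 3306),   # browser straight to DB: denied
    ("10.1.0.10",   "10.3.0.10", 3306),   # web tier skipping the app tier: denied
    ("10.3.0.10",   "10.2.0.10", 8080),   # DB tier initiating outbound: denied
    ("10.2.0.10",   "10.3.0.10", 3306),   # app tier to DB: allowed
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print("DENY", flow)
```

The DB tier has no permitted outbound entry at all, which is the property that limits a compromised database host from pivoting back into the other tiers.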
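The serial-path calculation from the web service reliability requirement, carried through as an added example (not code from the proposal): the 3 h per 1000 h figure for three links in series, the per-link budget that brings the path back to 1 h per 1000 h, and, going one step beyond the text, the parallel case for redundant links that the reliability design later in this proposal relies on. The 1 h per 1000 h input is the proposal's own figure; nothing else is measured data.

```python
"""Fault budget for a serial (multi-tier) service path.

Added example, not code from the Huawei proposal. The three tiers of a web
service are all needed, so their switch-to-server links form a series system:
the path is faulty whenever any one link is, giving 1 - (1 - p)^n for n
independent links. Inverting that gives the per-link budget that holds the
whole path to a target, which is the 20 min per 1000 h figure in the text.
The parallel case (redundant links, all must fail) is included as the
complementary calculation for the redundancy design discussed later.
"""


def series_fault_hours(link_fault_hours, n_links, period_hours=1000.0):
    """Fault hours per period for a path that needs all n_links links up."""
    p = link_fault_hours / period_hours
    return (1.0 - (1.0 - p) ** n_links) * period_hours


def per_link_budget_hours(target_fault_hours, n_links, period_hours=1000.0):
    """Largest per-link fault hours per period that keeps the series path at the target."""
    p_target = target_fault_hours / period_hours
    p_link = 1.0 - (1.0 - p_target) ** (1.0 / n_links)
    return p_link * period_hours


def parallel_fault_hours(link_fault_hours, n_links, period_hours=1000.0):
    """Fault hours per period when n_links redundant links must all fail together."""
    p = link_fault_hours / period_hours
    return (p ** n_links) * period_hours


if __name__ == "__main__":
    print(f"3 links at 1 h/1000 h each: path faulty {series_fault_hours(1.0, 3):.3f} h/1000 h")
    budget = per_link_budget_hours(1.0, 3)
    print(f"to hold the path at 1 h/1000 h each link may fail {budget * 60:.1f} min/1000 h")
    print(f"2 redundant links at 1 h/1000 h: {parallel_fault_hours(1.0, 2):.4f} h/1000 h")
```

The independence assumption matters: links that share a line card, power feed or fibre path fail together, and the series formula then understates the path fault rate.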
1.2.3 Computing Service
Overview
The computing service is a service requiring high computing performance, such as 3D
rendering, medicine research, gene analysis, and web search.
In the computing service mode, a large number of common servers work collaboratively as a
cluster to process a computing task.
Network Requirements of the Computing Service
The computing service traffic is transmitted between servers, as shown in Figure 1-5.
Figure 1-5 Traffic of the computing service (server cluster)
(Figure: one APP server and a cluster of DB servers.)
The application server distributes the computing task to a large number of DB servers, and the DB servers return their results to the application server. The network requirements include:
• Instantaneous traffic buffering capability
The application server must have a scheduling mechanism to distribute work. Otherwise, the results sent from the DB servers all arrive at the application server within a short time period, and the burst traffic rate exceeds the bandwidth of the application server's interface. If the network cannot buffer the burst, packets are lost and the application server cannot process all the results. This causes more interactions between the application server and DB servers and prolongs the overall processing time. The network must therefore be able to buffer packets to eliminate packet loss.
• Non-blocking network
Different from the preceding cluster model, another cluster model requires servers to connect to each other. The service system uses point-to-point communication, and any two servers may need to establish a connection and exchange data. During network bandwidth planning, forwarding performance must therefore be independent of device location, that is, a non-blocking network is required.
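The burst described under the buffering requirement above, as an added example (not code from the proposal): a small slot-by-slot simulation of a tail-drop queue at the application server's port while every DB server answers at once, plus the closed-form peak it converges to. Server count, reply size, link rates and buffer sizes are constructed sample values.

```python
"""Burst buffering at the application server's port during a scatter/gather.

Added example, not code from the Huawei proposal. Every DB server in the cluster
answers at the same instant, so replies arrive at the application server's port
faster than it can drain; what the switch cannot buffer is dropped (tail drop).
The simulation advances in 1 microsecond slots. Server count, reply size, rates
and buffer sizes are constructed sample values.
"""


def simulate_incast(n_servers, reply_bytes, ingress_gbps, egress_gbps,
                    buffer_bytes, slot_us=1.0):
    """Return (dropped_bytes, peak_queue_bytes, slots_until_drained).

    All n_servers replies start in slot 0; each source sends at ingress_gbps,
    the port towards the application server drains at egress_gbps.
    """
    per_src_in = ingress_gbps * 1000.0 / 8.0 * slot_us   # bytes per source per slot
    per_slot_out = egress_gbps * 1000.0 / 8.0 * slot_us  # bytes drained per slot
    remaining = [float(reply_bytes)] * n_servers
    queue = dropped = peak = 0.0
    slots = 0
    while any(r > 0 for r in remaining) or queue > 0:
        arriving = 0.0
        for i, r in enumerate(remaining):
            chunk = min(r, per_src_in)
            remaining[i] = r - chunk
            arriving += chunk
        accepted = min(arriving, buffer_bytes - queue)   # tail drop beyond the buffer
        dropped += arriving - accepted
        queue += accepted
        peak = max(peak, queue)
        queue = max(0.0, queue - per_slot_out)
        slots += 1
    return dropped, peak, slots


def buffer_needed_bytes(n_servers, reply_bytes, ingress_gbps, egress_gbps):
    """Closed form of the peak: everything that arrives during the burst window
    minus what the egress port drains during that same window."""
    window_bytes_out = reply_bytes * egress_gbps / ingress_gbps
    return max(0.0, n_servers * reply_bytes - window_bytes_out)


if __name__ == "__main__":
    # 12 GE-attached DB servers each return 64 KB to a GE-attached application server
    for buf in (262144, 1048576):
        dropped, peak, slots = simulate_incast(12, 65536, 1.0, 1.0, buf)
        print(f"buffer {buf:>8} B: dropped {dropped:>8.0f} B, peak queue {peak:>8.0f} B, "
              f"drained after {slots} us")
    print(f"closed-form buffer needed: {buffer_needed_bytes(12, 65536, 1.0, 1.0):.0f} B")
```

With twelve 64 KB replies into a GE port, the queue peaks at roughly 11 replies' worth (about 720 KB); a 256 KB port buffer drops most of the burst, a 1 MB buffer drops nothing. Either scheduling the DB servers (the proposal's first suggestion) or sizing buffers from this kind of calculation avoids the retransmissions that lengthen the job.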
1.3 Overall Requirement for the DC Network
A DC has a large number of servers deployed and is not only the logical center of an
enterprise network but also the source of services. Therefore, a DC should provide abundant
bandwidth resources, secure and reliable devices, high-quality network management, and
comprehensive value-added services. To create as much value as possible based on limited
bandwidth when designing and constructing the DC network, focus on the following
requirements:
Reliability
High reliability ensures successful operations of the DC. If the user experience on enterprise
services (such as e-commerce or video services) deteriorates due to DC network faults, the
service expansion of an enterprise will be hindered, and users will not use the services,
decreasing the profits. Reliability is an important aspect when designing an enterprise DC
network.
The reliability design is achieved through redundant links, key devices, and key service
modules.
Scalability
Each layer of the DC uses devices with a high port density to prepare for the DC expansion.
Devices on the Internet layer, intranet layer, core layer, and aggregation layer adopt the
modular design so that capacities of these devices can be expanded flexibly with the
development of the DC network.
The scalability of functions enables the DC to support value-added services. The DC provides
functions such as load balancing, dynamic content replication, and VLAN to support
value-added service expansion.
Manageability
A manageable network is the prerequisite for successful operation of the DC. The DC
provides:
• Various optimized management information
• Complete QoS functions
• Integrated SLA management system
• Capability to manage devices of different vendors
• Independent background management platform for the DC and users to manage the networks
Security
As a concern of DC users especially e-commerce users, security is a key factor during DC
construction. DC security is ensured by security control for the physical space and network.
The DC provides an integrated security policy control system to ensure DC security.
1.4 DC Network Solution
1.4.1 Design Principles of a DC Network
The DC network design is based on the following principles:
• Modular architecture
The network is deployed in a modular architecture that can expand for service adjustment and development.
• High reliability
The network implements redundant backup of key devices and links. Highly reliable key devices are built from hot-swappable boards and modules and support redundant control modules and power supplies. Network layers are reduced to simplify the network architecture and enhance networking reliability.
• Secure isolation
The DC network adopts effective security control policies that logically isolate data based on services and rights, and uses physical isolation to protect important service data.
Services such as server-centered services, IP storage and backup services, and management services are isolated logically. The management network is isolated from other networks physically.
• Manageability and maintainability
The network is highly manageable. To facilitate maintenance, use integrated products with universal modules.
1.4.2 Solution Overview
As shown in Figure 1-6, to enhance the security, scalability, and maintainability of the network, the Huawei DC solution is divided into the service network, management network, and storage network.
Figure 1-6 Networking for the DC network solution
(Figure: the campus network and branches (campus core, buildings, residential network, large and small branches) reach the active DC network through carrier VPNs, the Internet, the WAN, and the MAN. The active DC has a combined core layer (CSS), firewalls and UTM, load balancers, DNS, and a DMZ/extranet zone with email, web, and APP servers. Server zones use iStack access switches in non-web application, simplified multi-layer, and expanded multi-layer designs, with control servers in a backup control zone. Storage is split into an IP storage zone and an FC storage zone (FC switches) linked to the disaster recovery center over SDH/WDM; the DC management zone is separate. Legend: core switch, aggregation switch, access switch, SDH device, AP, low-level and high-level routers, load balancing, firewall/IPS, server, storage device, GE link, 10GE link, WAN link, stacking line.)
• The service network consists of network access modules and server access modules.
• The management network consists of background management modules.
• The storage network consists of the storage system and the storage area network (SAN).
This technical proposal focuses on the service network and management network.
Network access modules include routers, switches, firewalls, load balancers, and a unified threat management (UTM) system that contains a firewall, intrusion detection/prevention system (IDS/IPS), antivirus, URL filtering, and SSL VPN. These modules provide a high-quality network infrastructure with high port density, availability, and security.
Server access modules are divided into different service zones based on the types and
characteristics of the services provided to the user. The service zones are separated from each
other logically or physically.
1.5 Advantages of the DC Network Solution
Using Cloud Network as the core concept, Huawei DC solution is sustainable and supports
evolution, availability, pooling, and visualization. Customers can use these features to
systematically cope with the challenges of the cloud-computing era.
Figure 1-7 Advantages of the DC network solution
(Figure: a sustainable cloud network built from cloud-computing service requirements (disaster recovery, virtualization, multi-tenant service, reliability, resource management) through advantages (evolution, availability, pooling, visualization), technologies (switching, routing, transmission, management, security), and products. Listed features: 400G cloud platform, BRAS fine-grained management, hardware-based virtualization switching, Layer 2 virtual network; loop-free reliable Ethernet, end-to-end large buffer, IP+optical multi-level disaster recovery; horizontal and vertical virtualization; unified IP and IT management, visualized topology management, graphic NetStream analysis.)
• Evolution: ready for cloud computing and virtual DC
• Availability: loop-free reliable (LFR) Ethernet for non-stop DCs
• Pooling: network resource pool for on-demand scheduling
• Visualization: intelligent and visualized NMS for unified IP&IT management
Evolution
• Cloud network platform with a rate of 400 Gbit/s
The core switches for Huawei's sustainable DC solution use a 10 Tbit/s non-blocking Clos switching architecture (a multistage non-blocking fabric) that can be upgraded to the 400 Gbit/s platform. These core switches support high-density 40-port 10GE service boards and 100GE ports, and are fully capable of satisfying the capacity requirements of cloud-computing-based ultra-broadband DCs.
• Virtualization evolution
Huawei switches support the virtual switching and policy detection defined in the IEEE 802.1Qbg VEPA standard. These functions dramatically improve the performance of virtual machines (VMs), provide a clear management model, and make traffic manageable and controllable. Huawei switches also support IS-IS-based Layer 2 multipath protocols such as IEEE 802.1aq Shortest Path Bridging (SPB) and IETF TRILL (RFC 6325). All of these enhance network evolution capabilities and make it possible to migrate VMs seamlessly on a large scale.
• Desktop cloud fine-grained management
Huawei has brought carrier-class BRAS deployment practices to desktop cloud DCs. These desktop cloud DCs support access and management of massive numbers of desktop cloud VMs, and provide fine-grained bandwidth control and SLA-based hierarchical quality of service (HQoS) for VM users and services.
Availability
• End-to-end high-reliability architecture
Huawei's sustainable DC solution uses an end-to-end high-reliability architecture that achieves a 200 ms convergence time, ensuring business and service continuity for DCs. LFR Ethernet technology forms a fast-convergence loop-free network for Layer 2 switching from the aggregation layer to the access layer. Carrier-class bidirectional forwarding detection (BFD) and fast reroute (FRR) are used for Layer 3 routing at the core layer and above. Together with equipment-level in-service software upgrade (ISSU) and redundant backup of key components, these technologies create a continuously available DC.
• LFR Ethernet
Switches in the solution use CSS+LAG+iStack technologies to establish an LFR Ethernet network with a reliable physical-layer hard cluster, a convergence time of 200 ms, and a cluster bandwidth of 256 Gbit/s.
• Flattened no-packet-loss network
High-end switches in the solution provide 200 ms of buffering on 10GE/GE interfaces. The S12700 core switch and the S9300 switch (for EOR access):
− Constitute a flattened network
− Implement end-to-end large-buffer deployment
− Bring low delay and prevent packet loss triggered by burst traffic for services such as distributed computing
• IP+optical multi-level disaster recovery
The Huawei DC solution integrates optical transport devices and routers to provide a complete range of data- and service-level disaster recovery and backup capabilities. The optical transport network (OTN) devices provide 14 types of specialized storage interfaces, such as FC, FICON, and ESCON, which support real-time hardware backup between DCs and their disaster recovery centers. NE40E routers provide flexible network interconnection and an IP SAN between DCs.
Pooling
• On-demand resource scheduling
Multiple switches are virtualized into one logical switch using CSS and iStack technologies so that 100% of the network resources are shared, compared with a conventional STP design in which only 50% of the network resources are usable because redundant links are blocked. Multi-instance technologies such as MPLS VPN and MCE ensure that resources in the network resource pool can be flexibly scheduled as required by services.
• Simplified network structure
One logical switch virtualized from multiple switches appears as one network element (NE) on the NMS. This simplifies the network architecture and reduces management and configuration workloads.
• Effective service isolation
Multi-instance technologies such as MPLS VPN and MCE ensure isolation and security of DC services. In addition, access from multiple departments to DC servers can be controlled by flexibly configuring VPN access policies.
Visualization
• Unified IP&IT management
eSight, an intelligent NMS, can uniformly manage multiple devices and associated systems in DCs, such as network devices, servers, and enterprise application systems. It reduces costs and improves operation and maintenance efficiency, and provides open platforms that allow deep integration and wide collaboration with market-leading IT vendors such as IBM, HP, and Oracle.
For details about Huawei OSS partners, visit http://www.huawei.com/partners/integrated_with_oss.do.
• Visualized topology management
eSight provides network topologies and service views, making service deployment and network configuration more visual and convenient.
• Graphical NetStream analysis
Switches and routers provide embedded NetStream boards or modules to monitor the distribution of DC services in real time. Using eSight, users can obtain graphical NetStream analysis reports and plan services more easily.
2 Data Center Network Solution
2.1 Data Center Network Architecture
2.1.1 Overview
Traditional data center networks were constructed based on services, spaces, or buildings, and
devices were deployed based on requirements. As a result, servers, storage devices, cabling,
power supply, and cooling systems cannot be correctly allocated or effectively controlled.
This complicates service expansion.
Currently, a data center network is partitioned into different zones based on services and
security levels, and each zone is connected to the service core. Inside a zone, the modular PoD
design is used for network layout in accordance with the TIA-942 standard. Based on past
experience in data center network construction, the TIA-942 standard imposes strict
requirements for data center environment construction, standardizing data center network
construction.
PoD Modularization
Point of Delivery (PoD) is a mature design concept and method. A PoD can be a modular, physical, or logical functional module of the data center. As required by enterprises, each PoD must include chassis, servers, network devices, and infrastructure.
Modular deployment has the following advantages:
• Uses a scalable and flexible modular design, enabling expansion based on service requirements and shortening the planning and deployment period.
• Improves investment efficiency and reduces maintenance cost.
• Separates hot air from cold air, improving energy efficiency.
Zone Partition
• Definition of zone partition
Servers are placed in different zones based on enterprise characteristics and scale, the relationships between service systems, and security and management requirements.
• Zone components
A zone has aggregation switches, firewalls, and load balancing devices. Each zone connects to the core switching device of the data center.
• Zone partition mode
A data center is often partitioned first by server type, giving priority to cabling and infrastructure requirements, and further partitioned by service application layer and type. In practice, a data center is partitioned according to enterprise requirements using a combination of these modes.
2.1.2 Data Center Logical Architecture
Figure 2-1 shows the logical architecture of a DC.
Figure 2-1 Logical architecture of a DC
(Figure: external users, partners, the Internet, branches, and disaster recovery/other DCs reach the DC through the MAN, DWDM, and WAN into an access zone made up of the DMZ, Internet access zone, intranet access zone, extranet access zone, and DC connection zone. A core switching layer connects the access zone to the service zone (server zone 1 to N PODs and host zone PODs), the test zone (test server zone and test host zone PODs), the storage zone, and the OAM zone (in-band and out-of-band management).)
• Core network zone
This zone is the core of the DC network and connects the inner server zone, enterprise intranet, partner enterprise network, disaster recovery center, and external user network.
• Server zone
Servers and application systems are deployed in this zone. Based on security and scalability, the server zone is divided into the production service zone, office service zone, testing service zone, the demilitarized zone (DMZ), and other service zones.
• Storage zone
Storage devices for the Fibre Channel (FC) SAN and IP SAN are deployed in this zone.
• Interconnection zone
In this zone, internal and external enterprise users are connected to the DC. Based on security and scalability, the interconnection zone is divided into the enterprise intranet, enterprise extranet, and the Internet.
− The intranet interconnects the headquarters and branches through the enterprise campus network and the wide area network (WAN).
− The enterprise extranet connects the partner enterprise network using the metropolitan area network (MAN) and WAN leased lines.
− The Internet allows public users, staff on business trips, and office users without WAN access to reach DC services safely.
• Disaster recovery center interconnection zone
In this zone, disaster recovery centers in the same city are interconnected by transmission devices, and disaster recovery centers in different cities are interconnected by WAN leased lines.
• OAM zone
The network, servers, application systems, and storage devices are managed in this zone. The functions of the OAM zone include fault management, system configuration, device performance, and data security management.
2.1.3 Physical Network Architecture
Figure 2-2 Physical architecture of a DC
(Figure: Internet users, the enterprise campus, enterprise branches, partner enterprises, and the disaster recovery center connect through the Internet, the enterprise intranet, the extranet, and the disaster recovery network, with link load balancing (LLB), firewalls, and UTM in front of the active DC. A combined core layer (CSS) with firewalls and load balancers serves DNS, email, web, and APP servers; iStack-connected web, APP, and DB server zones; control servers in a backup control zone; an IP storage zone; and FC switches.)
In the modular data center architecture shown in Figure 2-2, a star topology rooted at the core node is partitioned into five zones (core zone, server zone, storage zone, interconnection zone, and management zone), each of which expands independently.
• Core zone as the traffic hub
− The core zone employs core switches with a large capacity and high performance.
− High-density 10GE ports are deployed in this zone.
• Service zones and management zones
− Service zones can be extended independently.
− Server-centered networks for data, management, and storage can be extended independently.
• Interconnection zones
− The four interconnection zones can be extended independently.
− The disaster recovery interconnection network ensures that services can be smoothly migrated to other DCs.
• Storage zone
− Multiple access modes, Fibre Channel over Ethernet (FCoE), IP, and optical fiber, are supported.
− Multiple storage modes are supported.
• Disaster recovery zone
− Multiple disaster recovery modes are available, differentiating disaster recovery priorities.
− Multiple interconnection and disaster recovery modes are supported, ensuring uninterrupted services.
2.2 Core Zone Networking Planning
The core zone is the center of the whole DC network, and connects the server zone and the
interconnection zone. The core zone transmits internal and external data traffic, and becomes
the logical center for network reliability and security design.
2.2.1 Physical Networking Planning
The physical network connecting the core zone to the server zone can be built in two ways: a Layer 3 design with separate core, aggregation, and access layers, or a flattened design that integrates the core layer with the aggregation layer.
Layer 3 Networking
Figure 2-3 shows the Layer 3 networking diagram. The core layer and the aggregation layer
are separated in this networking. Each aggregation zone has security devices such as firewalls
deployed.
Figure 2-3 Layer 3 networking
(Figure: egress layer, core layer (CSS), convergence layer with firewalls, and access layer with iStack switches; 10GE links between layers, GE links to servers, and stack cables within each iStack.)
Flattened Networking
Figure 2-4 shows the flattened networking diagram. In the flattened networking, devices in
the core zone and the aggregation zone are replaced by two large-capacity switches in a
combined core zone. Security devices such as firewalls of large capacities are deployed in this
zone.
Huawei recommends the flattened networking, which simplifies the network topology and
improves data transmission efficiency.
Figure 2-4 Flattened networking in the core zone
2.2.2 Physical Networking Planning in the Data Center Core Zone
of Internet Enterprises
Internet enterprises mainly run computing services such as search, have a high volume of east-west traffic in the data center, and need a small oversubscription ratio. In addition, their service types are limited. The two-layer flattened fat-tree architecture is used for networking, and two solutions, Layer 3 interconnection and TRILL interconnection, can be used for core interconnection.
Layer 3 Interconnection for a Flattened Network
This solution uses Layer 3 networking, in which a multi-plane fat-tree architecture is formed between the core and aggregation layers. It supports large-scale GE and 10GE server access.
To implement this solution, an efficient, balanced, non-blocking network is required. The solution applies to applications and collaborative computing services in Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS) cloud computing environments, such as Hadoop, and provides a small traffic oversubscription ratio (1:1 to 2:1).
Figure 2-5 Layer 3 interconnection networking for a flattened network
(Figure: core and aggregation switches interconnected by L3 routing running OSPF or IS-IS, across multiple planes.)
This solution has the following characteristics:
• No more than three devices are traversed for communication between any two servers.
• IP routing-based ECMP uses a 5-tuple hash to implement flow-based load balancing, ensuring high link efficiency.
• Networks are scalable. A network can be extended to a maximum of 16 planes, after which the network hierarchy can be increased to expand it further.
TRILL Interconnection for a Flattened Network
This solution uses the TRILL technology. A non-blocking network is composed of the core layer and the aggregation/access layer, on which TRILL is deployed at the TOR edge to implement Layer 2 switching of data center services. This solution uses the TRILL and gateway cascading technologies and has the same networking as a traditional Layer 2 solution. The Huawei TRILL OAM scheme gives the flattened network the same convenient maintenance as an IP network.
This solution applies to scenarios where large-scale Layer 2 networks need to be built, for example, enterprise networks on which a large number of resources need to be shared and a large number of virtual machines need to be migrated.
Figure 2-6 TRILL interconnection networking for a flattened network
(Figure: Layer 3 routing at the core and Layer 2 TRILL switching by nickname and MAC below it; vSwitches hosting VM1, VM2 and VM3 with load balancing across paths)
This solution has the following characteristics:
• Builds a large Layer 2 network, supports multi-path load balancing, and improves network efficiency.
• Supports resource sharing and virtual machine migration across the entire network.
• Uses the TRILL and gateway cascading technologies, saving additional gateways and reducing the network construction cost.
2.2.3 Reliability Planning
As shown in Figure 2-3 and Figure 2-4, redundancy of devices and links ensures the reliability of the DC network.
If the access layer runs Layer 3 routing protocols and communicates with the core layer through Layer 3 routing, Bidirectional Forwarding Detection (BFD) and equal-cost paths are deployed to implement fast fault detection and switchover and to improve the usage of redundant links.
In most cases, Layer 3 routing protocols run only at the core layer, which results in Layer 2 loops between the access layer and the core layer. Figure 2-7 shows the design that protects the network against Layer 2 loops using the Spanning Tree Protocol (STP) and the Virtual Router Redundancy Protocol (VRRP).
Figure 2-7 STP networking
(Figure: FW and LB pairs at the core, with a triangular loop between the access and core switches)
As shown in Figure 2-7, dotted lines represent links that are blocked by STP. This plan uses the standard STP protocol, so devices from multiple vendors can be integrated into a hybrid network. The disadvantages of the plan are:
• Long convergence time
The traditional STP technology makes the network converge slowly. It takes more than 10 seconds to restore services after a fault occurs. RSTP increases the convergence speed to some extent, but the convergence still takes several seconds. A service interruption of several seconds lowers user experience.
• Low link usage
If servers in the same rack belong to the same VLAN, the bandwidth of one uplink cannot be used. In this case, the bandwidth usage is only 50%. The Multiple Spanning Tree Protocol (MSTP) optimizes the bandwidth usage based on VLANs, but it cannot solve the problem completely.
• Complex configuration that is difficult to maintain, and frequent faults on the network
Every access switch or aggregation switch needs to run the STP protocol. When more access switches are added to the network, the STP processing becomes more complicated, which reduces the network reliability.
Loop-free networking with cluster and stacking is used to overcome these disadvantages.
Figure 2-8 Loop-free networking
(Figure: a CSS cluster of two core switches with FW and LB pairs; access switches in iStack stacks joined by stack cables, with 10GE uplinks and GE server links)
The combined core layer uses two framed switches as a cluster. The access layer uses box
switches to form a stack system. Links between switches at the access layer and the combined
core layer form an Eth-Trunk.
The loop-free networking design has the following advantages:
• Simplified management and configuration
The cluster and stacking networking reduces the number of managed nodes by more than half. In addition, it simplifies the network topology and configuration because it does not need complex protocols such as STP, Smart Link, and VRRP.
• Fast convergence
The convergence time is less than 10 ms after a fault occurs, which significantly reduces the impact on services caused by faults on links and nodes.
• High bandwidth usage
Links form a trunk so that the bandwidth usage reaches 100%.
• Easy to expand the capacity, saving investment
When new services are provided, the enterprise can add devices directly to upgrade the network. The network capacity can be expanded without changing the network configuration, saving users' investments.
The loop-free networking improves the network reliability rate from 99.9% to 99.9999%. The downtime on a single link is reduced from 1 hour to 3.6 seconds per 1000 hours.
Framed switches are provided in the core zone to ensure network reliability in the following ways:
• The MPUs work in backup mode.
• The power supplies work in backup mode.
• Modular design of fans is provided, in which a single-fan failure does not affect system running.
• All modules are hot swappable.
• The CPU defense function is configured.
• Complete alarm functions are provided.
2.2.4 Security Planning
Firewalls are provided in the core zone to ensure network security in the following ways:
• Restrict communication between server zones to isolate services.
• Restrict the communication between the enterprise campus network and server zones to ensure access security between clients and servers.
• Restrict the communication between the enterprise branch network and server zones to ensure access security between clients and servers.
2.3 Server Zone Networking Planning
2.3.1 Physical Networking Planning
Access switches are placed in server racks or in independent network cabinets to provide
Layer 2 switching functions. Switches in server racks are top of rack (TOR) switches, and
those in independent network cabinets are end of row (EOR) switches.
Figure 2-9 TOR/EOR networking diagram
(Figure: servers connect through cabling panels to access switches, which connect through cabling panels to aggregation switches)
The TOR access mode is applicable to high-density rack servers, and the EOR access mode is
applicable to low-density cabinet servers, such as small servers. Table 2-1 shows the
differences between the two modes.
Table 2-1 Differences between EOR and TOR access modes
Item | TOR | EOR/MOR
Server type | 1RU rack server | 1RU rack server, blade server, minicomputer
Server quantity | 15 to 30 servers | 8 to 12 servers
Scenario | High-density server cabinet | Low-density server cabinet, server cabinet, and network cabinet
Cabling | Simplified cabling between server cabinet and network cabinet | Complex cabling
Maintenance | Complex management and maintenance because there are many access devices; simple cable maintenance and good scalability | Simple maintenance because there are a small number of access devices; complex cable maintenance
Servers access the network in the following ways:
• A large number of middle- and low-level rack servers access the network using access switches.
• A small number of high-level servers are connected directly to core/aggregation switches to ensure bandwidth.
• Blade servers without built-in switches access the network using access switches.
• Blade servers with built-in switches directly connect to core/aggregation switches to reduce the number of network layers and improve network performance.
Figure 2-10 Access modes for servers
(Figure: a CSS core; middle- and low-level rack servers and blade servers without built-in switches connect to iStack access switches over GE, and the stacks uplink over 10GE; blade servers with built-in switches, high-level servers and large switches connect directly to the core)
2.3.2 Channel Separating on Servers
The processing capacity of the server CPU has improved significantly as processors have developed from a single core to 128 cores. Compared with the CPU, the I/O capacity is still limited, and I/O has become the bottleneck in the network. To fully use the high-performance CPU, a server must work in multiple channels and use multiple network ports that are physically isolated.
Figure 2-11 Multiple channels on a server
(Figure: a server with ports to the foreground service network, the in-band NMS, the backup and IP storage network, the out-of-band NMS, and an HBA to the SAN network)
Figure 2-11 shows multiple channels on a server. A server has four types of ports that are used to access the following networks:
• Service network
• Network management and the keyboard video mouse (KVM) network
• SAN network
• Backup and IP storage network
A server working in multiple channels has the following advantages:
• Improves the IO capacity.
• Separates traffic of different services safely.
Figure 2-12 shows the logical networking architecture of multiple channels on a server.
Figure 2-12 Separated networks
(Figure: the DC backbone network; the management network, service network and FC storage network each use one channel, and the backup and IP storage network uses multiple channels)
The server zone is divided into four physically isolated networks: the service, management,
storage, and backup networks. The server accesses different networks using network interface
cards (NICs).
Figure 2-13 shows the physical network topology.
Figure 2-13 Physical network topology
2.3.3 Server FCoE Access Design
In most cases, servers need to access multiple networks to provide service transmission, storage, and computing services, so the management and cabling of the server zone are complex. As server input/output (I/O) technologies such as 10GE develop, server I/O performance is no longer a bottleneck. Therefore, integration of multiple access networks is a trend in server design. Fibre Channel over Ethernet (FCoE) is a technology that integrates the storage FC network with the service network.
FCoE transmits Fibre Channel (storage) traffic over Ethernet. FCoE requires a lossless 10GE network.
In FCoE, converged network adapter (CNA) cards are installed on servers to allow the servers to access storage networks over Ethernet. Ethernet is made lossless using the Data Center Bridging (DCB) protocols. DCB includes the following key technologies:
• Priority-based Flow Control (PFC): allows high-priority services to preferentially use network bandwidth, ensuring no packet loss for storage services over integrated links.
• Enhanced Transmission Selection (ETS): ensures minimum bandwidth for different services.
Figure 2-14 FCoE design
(Figure: CNA-equipped servers connect over FCoE links to CE6800 TORs acting as FSBs, which connect to CE12800 FCFs and on to dual FC storage SANs; common Ethernet, FCoE and FC links are distinguished)
Figure 2-14 shows an FCoE solution:
• Servers connect to switches (TORs) through CNA network cards.
• TORs implement service isolation and transmit FC services to FC switches and on to the storage network.
• FIP snooping is configured on TORs to prevent unauthorized users from accessing the storage zone, which improves FCoE network security.
• Using the dual-plane topology design of the storage network, servers connect to different TORs through dual network cards and finally connect to different fiber planes.
In the server zone, FCoE is used to integrate access services to a storage network. FCoE access has the following advantages:
• Reduces the number of interface cards on servers, the number of cables and access devices, and the data center investment.
• Simplifies cabling in the server zone.
• Saves management and maintenance costs in the server zone.
• Reduces power consumption in the server zone.
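The FIP snooping control the text places on the TORs, as an added example (not Huawei's implementation): the TOR, acting as an FSB, learns which (port, FCoE MAC) pairs completed a FIP fabric login accepted by the real FCF and forwards FCoE data frames only for those pairs. Port names, MAC addresses and the FIP operation labels are constructed for the example; the EtherTypes are the standard ones.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ETH_FIP = 0x8914    # FIP control frames (discovery, FLOGI, keepalive, logout)
ETH_FCOE = 0x8906   # FCoE data frames


@dataclass
class Frame:
    port: str                 # TOR ingress port
    src: str                  # source MAC
    dst: str                  # destination MAC
    ethertype: int
    fip_op: str = ""          # constructed FIP operation label for this example
    granted_mac: str = ""     # FPMA the FCF assigns in a FLOGI accept


@dataclass
class FipSnoopingSwitch:
    """TOR acting as an FCoE Initialization Protocol Snooping Bridge (FSB)."""
    fcf_mac: str
    fcf_port: str
    pending: Dict[str, str] = field(default_factory=dict)              # ENode MAC -> port
    sessions: Dict[Tuple[str, str], bool] = field(default_factory=dict)  # (port, FPMA)
    log: List[str] = field(default_factory=list)

    def handle(self, f: Frame) -> str:
        """Return 'forward' or 'drop' for one frame, updating the snooping state."""
        if f.ethertype == ETH_FIP:
            return self._fip(f)
        if f.ethertype == ETH_FCOE:
            return self._fcoe(f)
        return "forward"   # ordinary Ethernet is outside the FIP snooping filter

    def _fip(self, f: Frame) -> str:
        if f.fip_op == "FLOGI_REQ":
            # A server asks the FCF to log in; remember which port it came from.
            self.pending[f.src] = f.port
            return "forward"
        if f.fip_op == "FLOGI_ACC":
            # Only the real FCF, on the FCF-facing port, may grant a login.
            if f.port != self.fcf_port or f.src != self.fcf_mac:
                self.log.append(f"drop: FLOGI accept spoofed by {f.src} on {f.port}")
                return "drop"
            port = self.pending.pop(f.dst, None)
            if port is None:
                self.log.append(f"drop: FLOGI accept for unknown ENode {f.dst}")
                return "drop"
            self.sessions[(port, f.granted_mac)] = True
            return "forward"
        if f.fip_op == "LOGO":
            # Logout removes the permission for that port/MAC pair.
            self.sessions.pop((f.port, f.src), None)
            return "forward"
        return "forward"   # discovery, keepalive and other FIP operations

    def _fcoe(self, f: Frame) -> str:
        # Data frames pass only from a logged-in (port, FPMA) pair and only toward
        # the FCF; anything else is treated as unauthorized access to the storage zone.
        if (f.port, f.src) in self.sessions and f.dst == self.fcf_mac:
            return "forward"
        self.log.append(f"drop: FCoE frame from {f.src} on {f.port} without FIP login")
        return "drop"


def demo() -> Tuple[List[str], List[str]]:
    """Run constructed frames through the FSB; returns (verdicts, log)."""
    sw = FipSnoopingSwitch(fcf_mac="00:fc:f0:00:00:01", fcf_port="ge0/0/48")
    fcf, srv, other = sw.fcf_mac, "00:aa:00:00:00:01", "00:bb:00:00:00:02"
    fpma = "0e:fc:00:01:02:03"      # constructed FPMA granted to the server
    frames = [
        Frame("ge0/0/1", srv, fcf, ETH_FIP, "FLOGI_REQ"),
        Frame("ge0/0/48", fcf, srv, ETH_FIP, "FLOGI_ACC", fpma),
        Frame("ge0/0/1", fpma, fcf, ETH_FCOE),                     # legitimate storage I/O
        Frame("ge0/0/2", fpma, fcf, ETH_FCOE),                     # same FPMA, wrong port
        Frame("ge0/0/2", other, srv, ETH_FIP, "FLOGI_ACC", fpma),  # accept not from the FCF
        Frame("ge0/0/2", other, fcf, ETH_FCOE),                    # never logged in
        Frame("ge0/0/1", fpma, fcf, ETH_FIP, "LOGO"),
        Frame("ge0/0/1", fpma, fcf, ETH_FCOE),                     # after logout
    ]
    return [sw.handle(f) for f in frames], sw.log
```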
2.3.4 Reliability Planning
Overall Reliability Planning
Server zone reliability includes reliability of the network, devices, and servers.
• The loop-free cluster and stacking network ensures network reliability.
• Access switches are stacked to ensure device reliability.
• Dual NICs ensure server reliability.
The network driver binds multiple NICs into a virtual NIC. The virtual NIC has a unique IP address to communicate with external devices. The server supports NIC teaming: if a NIC fails, the standby NIC shares its MAC address. The two NICs working in active/standby mode or in load balancing mode improve reliability.
Dual NICs in Active/Standby Mode
The two NICs in active/standby mode have the same MAC address (such as MAC1 in Figure 2-15). When the active NIC fails, the server switches the traffic to the standby NIC and sends a gratuitous ARP packet from the standby NIC. Network devices must process gratuitous ARP packets properly to switch the traffic to the new path.
Figure 2-15 Networking for server reliability
(Figure: a cluster at the combined core layer and a stack at the access layer; the active/standby NIC1 and NIC2 share MAC1, and the load balancing mode NIC1 and NIC2 share MAC2)
Figure 2-16 shows the change of the data transmission route. Data is transmitted in the green
route using the active NIC. If the active NIC fails, the data transmission route is changed from
the green one to the purple one.
Figure 2-16 Change of the data transmission route using active and standby NICs
(Figure: active NIC1 and standby NIC2 sharing MAC1, connected to a stack at the access layer under the core cluster)
When the access switch receives a gratuitous ARP packet, it changes the outbound interface
matching MAC1 to the link connected to the standby NIC. You need to add the two ports of
active and standby NICs to the same VLAN and bundle the links so that the outbound
interface can be updated when a switchover occurs.
Switches at the combined core layer do not detect route changes at the access layer when
receiving gratuitous ARP packets because they connect to access switches through trunk links.
Dual NICs in Load Balancing Mode
The two NICs in load balancing mode have the same MAC address (such as MAC2 in Figure
2-17). Both NICs can transmit and receive data. To shield the flapping of the MAC address
between ports of switches, stack the access switches and bundle the links on ports of the
active and standby NICs.
Figure 2-17 shows the change in data transmission routes. Data is transmitted in the green
routes using both NICs. If an NIC fails, data transmission routes are changed from green ones
to purple ones.
Figure 2-17 Change in data transmission routes in load balancing NICs
(Figure: NIC1 and NIC2 in load balancing mode sharing MAC2, connected to a stack at the access layer under the core cluster)
Switches at the combined core layer do not detect route changes at the access layer because they are connected to access switches through trunk links. Therefore, data is still sent to the access switch on the left, forwarded to the switch on the right through the stacking link, and then forwarded to the server.
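The MAC-table behaviour behind both NIC modes above, as an added example (not Huawei code): a minimal learning switch models the iStack stack and the core cluster, with an Eth-Trunk recorded as one logical port. It shows the access stack re-learning MAC1 after the gratuitous ARP while the core, reached over a trunk, sees no change, and that bundling the two NIC ports stops MAC2 from flapping in load balancing mode. Port names and MAC addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MAC1 = "00:50:56:00:00:01"  # constructed; shared by NIC1 and NIC2 in active/standby mode
MAC2 = "00:50:56:00:00:02"  # constructed; shared by NIC1 and NIC2 in load balancing mode


@dataclass
class LearningSwitch:
    """A switch (or an iStack stack behaving as one switch) with a MAC table.
    Member ports listed in `trunks` are bundled into an Eth-Trunk, so the MAC
    table records the trunk rather than the physical port."""
    name: str
    trunks: Dict[str, str] = field(default_factory=dict)     # member port -> trunk
    mac_table: Dict[str, str] = field(default_factory=dict)  # MAC -> logical port
    moves: int = 0   # times a known MAC was re-learned on another logical port

    def logical_port(self, port: str) -> str:
        return self.trunks.get(port, port)

    def learn(self, src_mac: str, in_port: str) -> None:
        lp = self.logical_port(in_port)
        if src_mac in self.mac_table and self.mac_table[src_mac] != lp:
            self.moves += 1
        self.mac_table[src_mac] = lp

    def egress(self, dst_mac: str) -> Optional[str]:
        return self.mac_table.get(dst_mac)   # None means flood


def build_topology(bundle_nic_ports: bool) -> Tuple[LearningSwitch, LearningSwitch]:
    """Core cluster reached from the access stack over Eth-Trunk1; NIC1 sits on
    stack member A port 1 and NIC2 on member B port 1 (constructed port names)."""
    core = LearningSwitch("core", trunks={"c:1": "Eth-Trunk1", "c:2": "Eth-Trunk1"})
    stack = LearningSwitch("stack", trunks={"A:49": "Eth-Trunk1", "B:49": "Eth-Trunk1"})
    if bundle_nic_ports:
        stack.trunks.update({"A:1": "Eth-Trunk2", "B:1": "Eth-Trunk2"})
    return core, stack


def active_standby(bundle_nic_ports: bool) -> dict:
    """NIC1 (port A:1) is active; it fails and NIC2 (port B:1) sends a gratuitous ARP."""
    core, stack = build_topology(bundle_nic_ports)
    stack.learn(MAC1, "A:1")     # traffic from the active NIC
    core.learn(MAC1, "c:1")      # reaches the core over stack member A's uplink
    before = (stack.egress(MAC1), core.egress(MAC1))
    stack.learn(MAC1, "B:1")     # gratuitous ARP from the standby NIC
    core.learn(MAC1, "c:2")      # the same broadcast, now arriving via member B's uplink
    after = (stack.egress(MAC1), core.egress(MAC1))
    return {"before": before, "after": after,
            "stack_moves": stack.moves, "core_moves": core.moves}


def load_balancing(bundle_nic_ports: bool, frames: int = 6) -> dict:
    """Both NICs send with MAC2 on alternating ports; without a bundle the MAC flaps."""
    core, stack = build_topology(bundle_nic_ports)
    for i in range(frames):
        stack.learn(MAC2, "A:1" if i % 2 == 0 else "B:1")
        core.learn(MAC2, "c:1" if i % 2 == 0 else "c:2")
    return {"egress": stack.egress(MAC2),
            "stack_moves": stack.moves, "core_moves": core.moves}
```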
2.3.5 Traffic Model Planning
Traffic in a data center includes south-to-north traffic and east-to-west traffic.
• South-to-north traffic is the traffic exchanged between internal servers in a data center and external clients, which is also called client/server traffic. Client/server traffic is data requests and responses exchanged between external clients and internal servers, as indicated by the blue curved line in Figure 2-18.
• East-to-west traffic is the traffic exchanged between internal servers in a data center, which is also called server/server traffic, as indicated by the purple curved line in Figure 2-18.
Figure 2-18 Traffic analysis within a data center
(Figure: core layer, aggregation layer, access layer, and access devices, with the client/server and server/server traffic paths)
The service traffic model determines the network deployment model used by a data center.
The following uses the web service as an example. Generally, two deployment models are
available: hierarchical deployment model and flat deployment model.
• In a large data center, there are many web, application, and database servers, which can be deployed in different zones. In this case, the hierarchical deployment model is recommended.
• The flat deployment model is recommended for a small- or medium-scale data center that has a small number of servers.
Figure 2-19 Service traffic model
(Figure: a fat client with an App GUI exchanges SQL requests and responses with an App server and a DB server; a web browser uses HTTP or HTTPS to reach a web server, App server, and DB server)
Figure 2-19 shows the traffic model in web-App-DB application mode. The traffic model determines the device model, because different devices meet different traffic performance requirements.
• Switches and routers perform Layer 2 and Layer 3 packet forwarding, without dealing with connections or sessions. Major traffic indicators include the throughput, delay, and packet loss rate.
• Firewalls and load balancing devices deal with connections and sessions. Major traffic indicators include the rate at which new connections are created and the total number of concurrent connections. Connections are categorized into short connections and long connections by the connection duration.
− A short connection often lasts several seconds, such as HTTP access. Short connections stress a device's capability to process new connections.
− A long connection often lasts more than 15 seconds, even several minutes, hours, or days, such as a Telnet connection, an FTP connection for a large file, or an online video connection. Long connections stress a device's capability to process concurrent connections.
2.3.6 Security Planning
Planning Roadmap
The service zone faces risks of unauthorized access and intrusions from hackers. Security planning for the service zone includes the following items:
• Access control
Access control includes restricting unauthorized access to internal servers and implementing service isolation.
− You can configure ACLs on the access switches or firewalls connected to internal servers to restrict access to internal servers from unauthorized IP addresses.
− You can configure ACLs or VLANs to isolate different services. You are also advised to use VLANs to isolate the web, application, and database servers of the same service.
• Transmission security
Transmission security can be ensured using encryption technologies such as SSL VPN or ACLs.
• Management security
To ensure management security, managing devices and managed devices use high-security communication protocols, such as SSH, IPSec, and SNMPv3.
Deployment Suggestions
Suggestions on security deployment in the server zone are as follows:
• Configure service isolation on aggregation devices.
Configure VLANs on aggregation devices to isolate different services in the server zone, such as the web service and the application service. In addition, configure ACLs to restrict access from unauthorized IP addresses so as to prevent unauthorized access between different services.
• Deploy NetStream to analyze and manage traffic.
Generally, you can use the out-of-band management mode and configure dedicated NetStream cards to monitor the traffic to servers, and then adjust security, management, or routing policies accordingly. This helps you learn the service requirements and keep servers working properly.
• Deploy high-performance firewalls in bypass mode at the aggregation layer.
− Firewalls can be chassis devices or firewall clusters.
− Firewalls often work in Layer 3 mode and use IGPs.
− Untrusted traffic is directed to firewalls for policy control, whereas trusted traffic is directly forwarded by switches.
− A firewall can be virtualized into multiple firewalls, which are then assigned to different VPNs to protect different services.
• Deploy IPS on the core server that processes key services to defend against application layer attacks.
• Use dual-system hot backup on firewalls and IPS devices.
2.3.7 Service Load Balancing Planning
Overview
Service load balancing is often implemented using the server load balance (SLB) technology. SLB provides the load balancing service for servers in a group. Servers in a group are often deployed in the same data center and provide the same or similar services.
SLB is the most popular networking model used by the data center. SLB extends the lifetime of servers by distributing traffic across multiple servers, reducing server hardware upgrade expenditures. In addition, SLB prevents service interruption caused by single-server failures, improving service availability.
According to the load balancing mode, SLB is classified into the NAT mode and the triangulation mode. The NAT mode can be further classified into the destination NAT mode and the client NAT mode.
Destination NAT Mode
In destination NAT (DNAT) mode, load balancing devices perform load balancing based on
the destination IP address of access requests.
In DNAT mode, the servers in a group have the same virtual server IP address (VSIP), and the
destination address of all access requests is this VSIP. NAT needs to be performed on load
balancing devices to translate the VSIP in access requests to the actual IP address of a server,
and then access requests are sent to this server.
Figure 2-20 DNAT load balancing
(Figure: the client on the IP network sends packets with source Client IP/random port and destination VSIP 202.16.3.1/VIP port; the LB rewrites the destination to Server IP/server port and forwards through the switch to the servers 172.16.0.1, 172.16.0.2 and 172.16.0.3)
Table 2-2 shows the load balancing process in DNAT mode.
Table 2-2 Load balancing process in DNAT mode
Procedure | Description | Source IP Address | Destination IP Address
1 | The client sends a service request packet. | Client IP | VSIP
2 | The load balancing device distributes the service request packet to a server according to the load balancing algorithm and DNAT technology. | Client IP | Server IP
3 | The server receives and processes the request packet, and returns a response packet. | Server IP | Client IP
4 | After receiving the response packet, the load balancing device translates the source IP address and forwards the packet. | VSIP | Client IP
In DNAT mode, the response packet replied by a server must pass through a load balancing
device; otherwise, the client discards the response packet because the packet has an invalid
source IP address. Both the request and response packets need to be forwarded by the load
balancing device. When the load balancing device has low throughput, the throughput
becomes a bottleneck in network performance.
Client NAT Mode
The client NAT mode and DNAT mode are similar in implementation, which requires the
destination IP address of the access request sent by a client to be translated from a VSIP to an
actual IP address of a server.
Different from the DNAT mode, the client NAT mode also translates the source IP address.
Therefore, the return traffic from a server must be forwarded by a load balancing device. The
server does not need to have routes to the client, but must have routes to the load balancing
device.
Figure 2-21 Load balancing in client NAT mode
(Figure: the client sends packets from Client IP/random port to VSIP 202.16.3.1/VSIP port; the LB (IP 172.16.5.1) rewrites them to source LB IP/random port and destination Server IP/server port, then forwards through the switch to the servers 172.16.0.1, 172.16.0.2 and 172.16.0.3)
Table 2-3 shows the load balancing process in client NAT mode.
Table 2-3 Load balancing process in client NAT mode
Procedure | Description | Source IP Address | Destination IP Address
1 | The client sends a service request packet. | Client IP | VSIP
2 | The load balancing device distributes the service request packet to a server according to the load balancing algorithm and client NAT technology. | LB IP | Server IP
3 | The server receives and processes the request packet, and returns a response packet. | Server IP | LB IP
4 | After receiving the response packet, the load balancing device translates the source and destination IP addresses and forwards the packet. | VSIP | Client IP
Triangulation Mode
In triangulation mode, a load balancing device only balances access request traffic, whereas a
switch directly forwards return traffic, as shown in Figure 2-22.
Figure 2-22 Load balancing in triangulation mode
(Figure: the client sends packets with source Client MAC/Client IP/random port and destination next-hop MAC/VSIP 202.16.3.1/VIP port; the LB (IP 172.16.0.254) rewrites only the MAC addresses to source LB MAC and destination Server MAC and forwards through the switch; the servers behind the switch (172.16.0.1, 172.16.0.2, ...) each also carry VSIP 202.16.3.1)
Table 2-4 shows the load balancing process in triangulation mode.
Table 2-4 Load balancing process in triangulation mode
Procedure | Description | Remarks
1 | The client sends a service request packet. | The source IP address is the IP address of the client and the destination IP address is the VSIP.
2 | The load balancing device obtains a server MAC address through ARP and distributes the service request packet to a server according to the load balancing algorithm. | The source IP address is the IP address of the client, the destination IP address is the VSIP, and the destination MAC address is the MAC address of the server.
3 | The server receives and processes the request packet, and directly returns a response packet to the client, without sending it to the load balancing device. | The source IP address is the VSIP, and the destination IP address is the IP address of the client.
In triangulation mode, the request traffic and the return traffic take different paths. The path of the traffic between the client and server is client --> LB --> server --> client, which forms a triangle. The return traffic of the server does not pass through the load balancing device, so the load balancing device performance will not become a network bottleneck.
The triangulation mode applies to the video on demand (VoD) service. On each server, in addition to configuring a private IP address on the same network segment as the load balancing device, you still need to configure a loopback interface carrying the VSIP. The configuration is complex.
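The three SLB modes of Tables 2-2 to 2-4, as an added example (not Huawei code): a round-robin load balancer rewrites one request and its response per mode, using the VSIP, server and LB addresses from the figures, and the client check shows why a DNAT response that bypasses the load balancer is discarded while a triangulation response is accepted. The client address, MAC addresses and port numbers are constructed.

```python
import itertools
from dataclasses import dataclass, replace
from typing import Dict, Tuple

VSIP = "202.16.3.1"                 # virtual server IP from Figures 2-20 to 2-22
SERVERS = ["172.16.0.1", "172.16.0.2", "172.16.0.3"]
LB_IP = "172.16.5.1"                # LB address used in client NAT mode (Figure 2-21)
SERVER_MACS = {ip: f"00:1b:00:00:00:0{ip[-1]}" for ip in SERVERS}   # constructed
CLIENT_IP = "198.51.100.10"         # constructed client address
VSIP_PORT, SERVER_PORT = 80, 8080   # "VIP port" and "server port" (constructed values)


@dataclass(frozen=True)
class Pkt:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    dst_mac: str = ""   # only rewritten in triangulation mode


class LoadBalancer:
    """Round-robin SLB that rewrites packets according to the chosen mode."""

    def __init__(self, mode: str):
        self.mode = mode
        self.pick = itertools.cycle(SERVERS)
        self.sessions: Dict[int, Tuple[str, int]] = {}  # client NAT: LB port -> client
        self.next_port = 40000

    def request(self, p: Pkt) -> Pkt:
        server = next(self.pick)
        if self.mode == "dnat":
            # Table 2-2 step 2: only the destination is translated.
            return replace(p, dst_ip=server, dport=SERVER_PORT)
        if self.mode == "client_nat":
            # Table 2-3 step 2: the source becomes the LB, so the server replies to the LB.
            lb_port, self.next_port = self.next_port, self.next_port + 1
            self.sessions[lb_port] = (p.src_ip, p.sport)
            return replace(p, src_ip=LB_IP, sport=lb_port, dst_ip=server, dport=SERVER_PORT)
        if self.mode == "triangulation":
            # Table 2-4 step 2: IP header untouched, only the destination MAC changes.
            return replace(p, dst_mac=SERVER_MACS[server])
        raise ValueError(self.mode)

    def response(self, p: Pkt) -> Pkt:
        if self.mode == "dnat":
            # Table 2-2 step 4: restore the VSIP as the source.
            return replace(p, src_ip=VSIP, sport=VSIP_PORT)
        if self.mode == "client_nat":
            # Table 2-3 step 4: restore the VSIP source and the real client destination.
            client_ip, client_port = self.sessions[p.dport]
            return replace(p, src_ip=VSIP, sport=VSIP_PORT, dst_ip=client_ip, dport=client_port)
        raise ValueError("triangulation: return traffic never reaches the load balancer")


def server_reply(req: Pkt) -> Pkt:
    """A server answers from the address it was reached at; in triangulation mode
    that is the VSIP configured on its loopback interface."""
    return Pkt(src_ip=req.dst_ip, dst_ip=req.src_ip, sport=req.dport, dport=req.sport)


def client_accepts(sent: Pkt, got: Pkt) -> bool:
    """The client only matches a reply whose source is where it sent the request."""
    return (got.src_ip, got.sport, got.dst_ip, got.dport) == \
           (sent.dst_ip, sent.dport, sent.src_ip, sent.sport)


def run(mode: str, bypass_lb_on_return: bool = False) -> dict:
    """Walk one request/response through the LB in the given mode and return each hop."""
    lb = LoadBalancer(mode)
    sent = Pkt(CLIENT_IP, VSIP, 51234, VSIP_PORT)
    at_server = lb.request(sent)
    reply = server_reply(at_server)
    if mode == "triangulation" or bypass_lb_on_return:
        at_client = reply           # the switch forwards the reply straight to the client
    else:
        at_client = lb.response(reply)
    return {"at_server": at_server, "reply_from_server": reply,
            "at_client": at_client, "accepted": client_accepts(sent, at_client)}
```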
SLB Deployment Suggestions
Figure 2-23 Deployment location
(Figure: egress router, core layer, aggregation layer, and server zones A and B as candidate deployment locations)
A load balancing device is usually deployed in one of the following modes:
• The load balancing device is deployed on a core switch in bypass mode, allowing servers in all zones to share the load balancing function.
In this networking, only the NAT load balancing mode can be used, which requires the round-trip traffic of the load balancing service to pass through the load balancing device. Therefore, high load balancing device performance is required. This deployment suits a small- or medium-scale data center, or an entire data center that requires a Layer 2 network environment, where a load balancing device on a core switch is appropriate.
• The load balancing device is deployed on an aggregation switch in bypass mode, allowing load balancing devices to be deployed for each zone.
Deploying load balancing devices for each zone reduces the performance requirements on each device and provides higher reliability. Server gateways can be deployed on aggregation switches or load balancing devices.
• The load balancing device is deployed at the access layer, which applies to scenarios where some services need complicated engines that are closely associated with the load balancing service. The load balancing devices dedicated to these services are maintained by server administrators.
In scenarios requiring high reliability, you can also configure dual-node hot standby for load balancing devices in active/active or active/standby mode.
2.4 Storage Zone Networking Planning
2.4.1 Physical Networking Planning
The storage zone covers the IP storage network and the SAN storage network.
The IP storage network transmits traffic for services that are saved in the network attached
storage (NAS). The NAS transmits:
• Data traffic generated between a specified application server and the NAS
• Large amounts of network traffic generated for virtualized services
Figure 2-24 Network architecture for the storage zone
2.4.2 Basic Planning for the Storage Zone
Basic planning for the storage zone is as follows:
• Small-scale switch zone: This zone is an isolated zone.
• Open application platform:
− The open application platform has two arrays, and each array has two core switches to ensure availability.
− Edge devices and core devices are connected to one another by multiple links to prevent traffic overload.
• Integrated storage zone: Devices are classified based on service class in this zone.
• IP storage zone:
The IP storage zone is separated from other zones. Devices are deployed in this zone to compress traffic transmitted in the Fibre Channel over IP (FCIP) channel and accelerate data transmission. Data is synchronized and saved through an IP/Multiprotocol Label Switching (MPLS) network. Virtualization speeds up data transmission between servers and storage devices.
z
Management zone: Operators allocate and manage storage network and storage resources
in this zone.
z
Disaster backup in the same city:
The active DC and the disaster recovery center in the same city are connected through
the dense wavelength division multiplexing (DWDM) network.
Use the following configuration to implement real-time or quasi real-time data exchange
between the active DC and backup DC:
z
Use the carrier's MPLS VPN or virtual leased line based on the virtual private LAN
service (VPLS) to transmit data traffic between servers on the IP storage network in the
active DC and backup DC.
z
Use bare optical fibers or a DWDM network to transmit data between SAN storage
networks in the active DC and backup DC. This implements quasi real-time data
transmission at a high speed and a short delay.
Virtualization increases data exchange between servers and storage devices, so switches must
access the NAS storage network through a 10G link.
2.4.3 Reliability Planning
The IP storage network uses loop-free networking with cluster and stacking to enhance
reliability. For details on loop-free networking with cluster and stacking, see section 2.3
"Server Zone Networking Planning."
2.4.4 Security Planning
The SAN storage zones are isolated using dedicated SAN isolation technology.
To restrict network access, the IP storage network is divided into separate zones using VLAN or VPN technology.
2.5 Interconnection Zone Networking Planning
2.5.1 Physical Networking Planning
Figure 2-25 Networking in the interconnection zone
The interconnection zone is divided into the following connection zones based on access modes and services:
• Intranet zone: Intranet users access the DC through the WAN or the LAN.
• Internet zone: External users access the DC through the Internet.
• Extranet zone: Extranet users access the DC through the WAN or the LAN.
You can assign an isolated zone for the VPN users in the Internet zone.
2.5.2 Internet Access Zone
Figure 2-26 Networking in the Internet zone
(Diagram: Internet users reach the active DC through the LLB and UTM devices; behind them an iStack pair of LBs fronts the DMZ servers (DNS, email, web, APP) and the SSL VPN and IPSec VPN gateways; the DMZ connects to the combined core layer through FW, CSS and LB.)
Figure 2-26 shows the Internet zone devices, such as routers, link load balancers, and unified
threat management (UTM) devices. The UTM devices must provide firewall and intrusion
prevention system (IPS) functions.
Reliability Planning
The firewall and the IPS are important network devices, which are located at the network
egress. The location and functions of the firewall and the IPS require that they should provide
high reliability.
To ensure Internet zone reliability, deploy devices in pairs, such as routers, link load balancers,
and UTM devices (including firewalls and the IPS). These pairs of devices can be configured
to work in load balancing mode or active/standby mode. When one device fails, the other
device can work independently, minimizing the impact of a fault on services.
Security Planning
An Internet access zone is vulnerable to DDoS attacks, unauthorized service access, network
intrusions, and abnormal traffic attacks. To defend against these threats, first deploy devices to
defend against DDoS attacks and then configure firewall security policies to defend against
unauthorized service access, network intrusions, and abnormal traffic attacks. Alternatively,
deploy both the IPS and firewall so that the IPS can instruct the firewall to take actions once
the IPS detects attacks.
The following deployment scheme is recommended:
• Deploy an anti-DDoS device at the Internet egress to filter out attack traffic.
  − Deploy the anti-DDoS device in bypass or inline mode.
  − When the anti-DDoS device is deployed in bypass mode, import traffic using mirroring or optical splitters on an egress router.
  − Associate the IPS with a firewall and deploy the cleaning center to defend against DDoS attacks.
• Deploy two layers of firewalls in the Internet access zone.
  − Deploy both layers of firewalls in inline mode, and configure dual-node hot standby for each layer.
  − The first layer of firewalls isolates the Internet access zone from external networks and must have strong attack defense capabilities. These firewalls can be associated with anti-DDoS or IDS devices to filter out unauthorized traffic.
  − The second layer of firewalls isolates the Internet access zone from the data center service zone and must have high performance. In most cases, only traffic from the DMZ is allowed to pass through these firewalls, preventing unauthorized access.
• Configure the NAT function on firewalls.
  The NAT function translates an external IP address to an internal IP address so that an external user can access an internal server or other data center zones, while hiding the internal network structure of the data center.
• Deploy an IDS device within a firewall.
  The IDS device detects malicious code, attack behaviors, and attacks in application data traffic. If the IDS device detects an attack, it instructs a firewall to defend against it.
• Deploy VPN gateways to ensure secure access for mobile users.
  − You can deploy SSL VPN gateways and IPSec VPN gateways. IPSec VPN gateways apply to site-to-site access, whereas SSL VPN gateways apply to web-based client-to-site access.
  − You can deploy independent IPSec VPN and SSL VPN gateways or deploy a firewall for unified access.
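The two-layer firewall layout above can be checked as a policy model. The following is an added example, not part of the proposal or of any Huawei product: an outer layer that exposes only published DMZ services and hides the real server addresses behind destination NAT, and an inner layer that admits only flows sourced from the DMZ into the service zone. All addresses, ports and rules are constructed for illustration.

```python
"""Two-layer firewall policy for an Internet access zone (added example).

Outer layer: faces the Internet, permits only the published DMZ services,
then applies destination NAT so the real DMZ address is never exposed.
Inner layer: faces the service zone, default-denies everything that does
not originate in the DMZ. Addresses, ports and rules are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str                 # source prefix
    dst: str                 # destination prefix
    dport: Optional[int]     # None matches any destination port
    action: str              # "permit" or "deny"


class FirewallLayer:
    """First matching rule wins; anything unmatched is dropped (default deny)."""

    def __init__(self, name: str, rules: List[Rule]):
        self.name = name
        self.rules = rules

    def evaluate(self, src: str, dst: str, dport: int) -> str:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.rules:
            if (s in ipaddress.ip_network(r.src)
                    and d in ipaddress.ip_network(r.dst)
                    and (r.dport is None or r.dport == dport)):
                return r.action
        return "deny"


# Constructed addressing: published VIPs in 203.0.113.0/24 on the outside of
# the first layer, DMZ servers in 10.0.100.0/24, service zone in 10.0.20.0/24.
DMZ_NET = "10.0.100.0/24"
DNAT: Dict[str, str] = {
    "203.0.113.80": "10.0.100.80",   # web VIP -> DMZ web server
    "203.0.113.53": "10.0.100.53",   # DNS VIP -> DMZ DNS server
}

OUTER = FirewallLayer("internet-facing", [
    Rule("0.0.0.0/0", "203.0.113.80/32", 443, "permit"),
    Rule("0.0.0.0/0", "203.0.113.53/32", 53, "permit"),
])
INNER = FirewallLayer("service-zone-facing", [
    Rule(DMZ_NET, "10.0.20.0/24", 3306, "permit"),     # DMZ web tier -> database
])


def admit_from_internet(src: str, dst: str, dport: int) -> Tuple[str, Optional[str]]:
    """Outer layer: policy check, then DNAT to the hidden DMZ address."""
    if OUTER.evaluate(src, dst, dport) != "permit":
        return "deny", None
    return "permit", DNAT.get(dst)


def admit_to_service_zone(src: str, dst: str, dport: int) -> str:
    """Inner layer: only DMZ-sourced flows may reach the service zone."""
    if ipaddress.ip_address(src) not in ipaddress.ip_network(DMZ_NET):
        return "deny"          # not from the DMZ: dropped before any rule is read
    return INNER.evaluate(src, dst, dport)
```

An Internet client reaching the web VIP on 443 is permitted and translated to the DMZ web server; the same client aiming at an internal 10.0.20.x address, or at the VIP on an unpublished port, is denied at the first layer, and only the DMZ web tier may open the database port through the second layer.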
Load Balancing Planning
When a data center accesses the Internet through multiple ISPs, a link load balancing (LLB) device is often used to balance incoming and outgoing traffic across the links.
Compared with route-based load balancing, LLB does not require complex routing protocols and performs dynamic, intelligent load balancing. In addition to sharing the links, LLB distributes incoming and outgoing traffic to the optimal link according to the destination network, solving the problem of poor service experience caused by slow interconnection between carriers.
LLB can be implemented in the inbound and outbound directions:
• Outbound LLB: uses the SmartNAT technology.
• Inbound LLB: uses the SmartDNS technology.
Figure 2-27 Outbound load balancing
(Diagram: the LLB device, behind the UTM in the DMZ zone, selects different egress links towards ISP1 and ISP2 according to policy.)
Table 2-5 Outbound load balancing process
1. An internal server in the data center sends a request packet, which passes through the LLB device.
2. The LLB device selects the router connected to ISP2 as the egress gateway according to the configured load balancing algorithm, and uses SmartNAT to translate the internal IP address to an external IP address assigned by ISP2.
   Remarks: Multiple default gateway IP addresses can be configured on the LLB device to form a default gateway pool.
3. The Internet server receives and processes the request packet and returns a response packet along the original path to the LLB device.
   Remarks: Because the internal IP address of the outgoing traffic was translated to an external IP address, the return traffic also follows the original path.
4. The LLB device receives the response packet, translates the external IP address back to the internal IP address, and forwards the packet to the internal server in the DMZ.
Using an LLB device to implement outbound load balancing has the following advantages:
• An LLB device can detect link availability and attenuation to provide reliable WAN connections and dynamic load balancing.
• An LLB device can select the optimal link using multiple load balancing algorithms based on static IP address segments, response time, and link quality, and distribute user traffic to this link, ensuring high-quality connections for services.
• The SmartNAT technology automatically translates the source address to the ISP's address according to the outbound path, ensuring that the return path is consistent with the outbound path.
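The outbound process in Table 2-5 and the return-path consistency claimed above can be reproduced in a small model. This is an added example, not code from the proposal or from any Huawei LLB product: an LLB with two ISP uplinks that chooses the healthy link with the lowest measured response time, translates the source into that ISP's address block (SmartNAT-style), and accepts the reply only if it comes back on the link the session left through. All addresses, ports and link metrics are constructed.

```python
"""Outbound link load balancing with SmartNAT-style source translation.

Added example, not from the proposal. Per-session link selection among
healthy links by measured RTT, source NAT into the chosen ISP's block,
and a reverse translation that drops asymmetric or unknown replies.
All addresses and link metrics are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class IspLink:
    name: str
    gateway: str          # egress router towards this ISP (default gateway pool member)
    public_net: str       # public block assigned by this ISP
    rtt_ms: float         # latest probe result used by the selection algorithm
    up: bool = True


@dataclass
class NatEntry:
    internal_ip: str
    internal_port: int
    link: str


Session = Tuple[str, int, str, int]   # (public_ip, public_port, remote_ip, remote_port)


class OutboundLLB:
    def __init__(self, links: List[IspLink]):
        self.links: Dict[str, IspLink] = {l.name: l for l in links}
        self.nat: Dict[Session, NatEntry] = {}
        self._next_port = {l.name: 20000 for l in links}

    def select_link(self) -> IspLink:
        """Healthy links only; the lowest measured RTT wins."""
        healthy = [l for l in self.links.values() if l.up]
        if not healthy:
            raise RuntimeError("no ISP link available")
        return min(healthy, key=lambda l: l.rtt_ms)

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> dict:
        link = self.select_link()
        # SmartNAT: the source becomes an address from the chosen ISP's block,
        # so the Internet routes the reply back through that same ISP.
        public_ip = str(ipaddress.ip_network(link.public_net)[10])
        public_port = self._next_port[link.name]
        self._next_port[link.name] += 1
        self.nat[(public_ip, public_port, dst_ip, dst_port)] = NatEntry(src_ip, src_port, link.name)
        return {"link": link.name, "gateway": link.gateway,
                "src": (public_ip, public_port), "dst": (dst_ip, dst_port)}

    def inbound_reply(self, arriving_link: str, src_ip: str, src_port: int,
                      dst_ip: str, dst_port: int) -> Optional[dict]:
        """Reverse translation; unknown sessions and asymmetric returns are dropped."""
        entry = self.nat.get((dst_ip, dst_port, src_ip, src_port))
        if entry is None or entry.link != arriving_link:
            return None
        return {"src": (src_ip, src_port), "dst": (entry.internal_ip, entry.internal_port)}


def internet_return_link(llb: OutboundLLB, public_ip: str) -> Optional[str]:
    """Stand-in for Internet routing: a reply reaches the ISP that owns the prefix."""
    addr = ipaddress.ip_address(public_ip)
    for link in llb.links.values():
        if addr in ipaddress.ip_network(link.public_net):
            return link.name
    return None


def demo() -> dict:
    llb = OutboundLLB([IspLink("ISP1", "203.0.113.1", "203.0.113.0/24", rtt_ms=25.0),
                       IspLink("ISP2", "198.51.100.1", "198.51.100.0/24", rtt_ms=12.0)])
    out = llb.outbound("10.0.100.20", 40000, "192.0.2.80", 443)   # DMZ server -> Internet
    ret_link = internet_return_link(llb, out["src"][0])
    reply = llb.inbound_reply(ret_link, "192.0.2.80", 443, out["src"][0], out["src"][1])
    # The same reply arriving on the other ISP is not accepted.
    wrong = llb.inbound_reply("ISP1", "192.0.2.80", 443, out["src"][0], out["src"][1])
    llb.links["ISP2"].up = False                                  # link failure detected
    failover = llb.outbound("10.0.100.21", 40001, "192.0.2.80", 443)
    return {"out": out, "return_link": ret_link, "reply": reply,
            "wrong_link_reply": wrong, "failover": failover}
```

With ISP2 measuring the lower RTT, the first session leaves through ISP2 with a 198.51.100.x source, the reply is routed back to ISP2 and is reverse-translated to the DMZ server; once ISP2 is marked down, new sessions move to ISP1 and take an ISP1 source address.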
Figure 2-28 Inbound load balancing
(Diagram: the LLB device in the DMZ zone, behind the UTM, runs SmartDNS with the records abc.com <-> VIP1 and abc.com <-> VIP2; steps 1 to 6 of Table 2-6 run between the client, its local DNS server, ISP1, ISP2 and the DMZ servers at VIP1 and VIP2.)
Table 2-6 Inbound load balancing process
1. The PC client initiates a request to access www.abc.com.
   Remarks: The PC sends a DNS request to the local DNS server.
2. The local DNS server requests the IP address resolution result for www.abc.com from the LLB device.
   Remarks: Through recursive resolution, the local DNS server learns that the answer must be provided by the LLB device.
3. The LLB device provides the DNS service and returns VSIP2 to the local DNS server (nearest) according to the load balancing policy.
4. The local DNS server returns the resolution result (VSIP2) for www.abc.com to the PC.
5. The PC enters the DMZ from ISP1 using VSIP2 to access the related server.
6. The server returns response data, and the LLB device selects the outbound interface corresponding to the selected ISP router so that the response data is returned through the same ISP.
The SmartDNS technology binds public IP addresses from multiple ISPs and uses them to answer DNS requests from Internet users. An LLB device dynamically selects the optimal link using SmartDNS and the load balancing policy, so that external users reach internal resources over the best link; this implements multilink dynamic load balancing for incoming traffic.
Additionally, the LLB device monitors each link. When it detects a fault on an ISP link, it stops resolving names to that ISP's IP address, ensuring 24/7 non-stop service.
2.5.3 Extranet Zone
Physical Networking
Figure 2-29 shows the networking in the extranet connection zone.
Figure 2-29 Networking in the extranet zone
Extranet users can access the extranet connection zone. This zone is an untrusted zone, similar to the demilitarized zone (DMZ), and must not be connected to the inner DC. Extranet users can access only the extranet connection zone and the DMZ. Access control for the intranet must be strict.
Security Planning
The major threats to the extranet zone are unauthorized server access, virus attacks, and worm attacks. To protect the extranet zone against these threats, you are advised to deploy security functions as follows:
• Deploy two layers of firewalls in the extranet zone.
  − Deploy firewalls in front of the servers. Configure security policies such as ACLs for the servers to prevent unauthorized server access, and configure defense against virus and worm attacks.
  − Deploy firewalls behind the servers to isolate the intranet from the extranet.
  − Dual firewall backup is recommended to ensure service reliability.
• Configure NAT on the first layer of firewalls to hide the internal network structure.
• Deploy an IDS device within a firewall as required to detect application layer attacks.
• Deploy VPN gateways as required to allow partners to access through the Internet. VPN gateways can be deployed independently or on a firewall.
2.5.4 Intranet Zone
Physical Networking
Intranet users access the DC through the WAN or the LAN, as shown in Figure 2-30.
Figure 2-30 Networking in the intranet zone
(Diagram: corporate campus networks and enterprise branches, including building and core networks, a large enterprise branch network over the WAN, and family networks and small organizations over the Internet, reach the active DC and the disaster backup center through Carrier 1 and Carrier 2 VPNs and the MAN; the active DC terminates on the combined core layer with CSS, FW and LB.)
This zone uses dual-homed routes and redundancy backup of both routes and devices.
Reliable network connectivity between branches of an enterprise is ensured through backup of multiple egress links, route backup, and load balancing. QoS must be configured on the WAN links to guarantee link and service quality.
Reliability Planning
Independent access devices and two backup devices are required to ensure device reliability.
Security Planning
The intranet is a trusted zone with low security risk; the risk that remains comes mainly from intranet users who access or save data without authorization. Data access between enterprise branch networks is restricted according to users' actual requirements.
You are advised to configure VPNs on routers to implement service isolation. Additionally, you can deploy firewalls and configure ACLs to restrict unauthorized access to service zones, and enable defense against viruses and worms.
2.5.5 Branch Access Planning
Enterprise branches (such as external scientific research institutions and representative offices) connect to the enterprise headquarters through a private network, an MPLS VPN, or the public network. Branch access is therefore usually implemented in one of these three ways.
Private Network
Enterprise branches communicate with each other through the WAN constructed by the
enterprises. This mode is applicable to large or ultra-large enterprises that have their own
backbone networks.
MPLS VPN
An enterprise leases carriers' MPLS VPN services (L2VPN or L3VPN services) to enable
branches to communicate with each other. This access mode is cost-effective and applicable to
enterprises that have branches but no self-built WAN.
Public Network
Enterprises enable branches to communicate with the headquarters using the Internet without
leasing carriers' VPN services. This access mode is applicable to small enterprises and SOHO.
Because branches access the enterprise campus network through the Internet, data security
must be protected. Point-to-point VPNs are built between branches and the enterprise campus
network gateway to ensure secure and reliable data transmission using tunnels.
For public network access, branches use GRE over IPSec. GRE is a generic tunneling protocol that encapsulates a wide variety of protocol packets inside IP tunnels and is well suited to carrying remote access data. GRE, however, provides only simple password authentication and no data encryption. IPSec provides data encryption but cannot carry routing protocol packets, which limits VPN scalability. When GRE works together with IPSec, remote access data can be transmitted securely.
2.5.6 Remote Access Planning
In public places, such as hotels and airports, traveling staff or partners connect to the
enterprise campus network through the public network (such as the Internet) to access internal
resources of the campus network. This process is called remote access.
In remote access, traveling staff or partners access the enterprise campus network through the
public network, which is insecure. Therefore, a major concern in remote access is security.
Point-to-point VPNs are built between user terminals and the campus network gateway to
ensure secure and reliable data transmission using tunnels.
Remote access is implemented using the following VPN technologies.
L2TP over IPSec
L2TP is a VPN tunneling protocol that allows remote clients to use the public IP network to
securely communicate with private enterprise network servers. L2TP provides the user
authentication function but does not provide the data encryption function. If L2TP works with
IPSec, remote access data can be transmitted securely.
SSL VPN
SSL VPN is an HTTPS-based VPN technology that operates between the transport layer and
application layer. SSL VPN uses data encryption, user identity authentication, and message
integrity check mechanisms of the SSL protocol to establish secure connections for
communication between applications.
SSL VPN is widely used in web-based remote access to ensure secure access to enterprise
intranets.
2.6 Management Zone Networking Planning
2.6.1 Physical Networking Planning
Overall requirements are:
• Out-of-band management
• Authorization-based access
• Security auditing
Figure 2-31 Management zone networking
Figure 2-31 shows the networking in the management zone. The management network connects all devices through their management interfaces and the KVM switches, and provides functions such as network management, data collection, and real-time surveillance.
Only administrators can access the management network, which connects to the inner DC through isolation measures such as VPNs and firewalls. Administrators are granted rights to access only specified network devices.
Figure 2-32 KVM management network
(Diagram: a front-end network with the public service zone (DNS, web, proxy) and the internal service zone (internal OA system, ministry zones), each behind access switches; KVM switches connect to an aggregation switch, a KVM authentication server and a firewall; a VPN router provides VPN remote access and network monitoring.)
Network management functions include:
• Network management
  This module manages network devices such as switches, routers, and firewalls in terms of topology, configuration, assets, faults, performance, events, traffic, and reports.
• Traffic management
  This module provides functions such as traffic monitoring, traffic threshold setting, protocol analysis, and web access behavior audit. It works with the NetFlow analyzer to implement more refined and convenient traffic analysis.
• Application management
  This module monitors the website and manages systems and upper-level applications such as the database, mail server, web server, application server, and operating system, including website surveillance.
2.6.2 Reliability Planning
The reliability planning for management zone is the same as the reliability planning for server
zone. The reliability solution is "CSS/iStack + Eth-Trunk." For details, see section 2.3.4
"Reliability Planning."
2.6.3 Security Planning
The management zone has the following security requirements:
• Prevention of unauthorized service access, shared account security, and operation audit
• Effective security device management and quick security troubleshooting
• Elimination of information security silos, management of mass security logs, and comprehensive security trend analysis
Security planning for the management zone involves four aspects:
• Centralized authentication and authorization are required.
  When managing devices, users must be authenticated and authorized, and are allocated different management rights. The KVM authentication server grants users different access permissions according to their roles so that each user can access only the specified devices.
• Only authorized users can access the management zone.
  Only administrators can access the management network. Administrators are allocated different access permissions based on their roles so that they can access only the specified devices. The ACL rules configured on the firewall prevent unauthorized IP addresses from accessing the management zone. Remote users are authenticated so that unauthorized users cannot access the management zone.
• The management zone cannot access the data center service zone.
  Bastion hosts provide the single entrance to the management zone, centrally manage user accounts, and strictly control user account rights. The ACL rules configured on the firewall or VPNs prevent the management zone from accessing the service zone. Only the bastion hosts, the NMS, and the SoC can access the service zone.
• Unified security audit is required.
  The SoC collects security logs and alarms to audit the security environment of the data center and can detect security issues and risks in real time. The SoC and bastion hosts provide security pre-alarm, security operation and maintenance, and security audit functions, and produce comprehensive and accurate security reports.
2.7 R&D and Test Zone Planning
2.7.1 Physical Network
The R&D and test zone is responsible for software development, software commissioning, simulation tests, function tests, and performance tests before production (for example, of an ERP system). Figure 2-33 shows the network structure of the R&D and test zone.
Figure 2-33 R&D and test zone structure
2.7.2 Recommendation
The security policy for this zone aims to prevent data in the zone from flowing into the data center, because the high traffic volume may affect data center services.
This zone can be separated from other zones physically or by a firewall. By default, the firewall blocks all traffic; during testing, access to some service zones can be opened with the minimum necessary authorization.
In the test zone, Layer 2 and Layer 3 networks can be deployed and various services provided to perform simulation tests. Additionally, the LB and firewall can be configured to test server performance under different service traffic volumes.
2.8 VLAN Planning
2.8.1 VLAN Overview
A VLAN logically groups devices on a LAN into segments regardless of their physical locations. VLANs isolate broadcast domains on a LAN, reduce broadcast storms, and enhance information security. As a network expands, a fault on a local segment can affect the entire network; VLAN technology confines such faults within a VLAN and thereby enhances network robustness.
2.8.2 Principles
Observe the following principles when configuring VLANs:
• Differentiate service VLANs, management VLANs, and interconnection VLANs.
• Add interfaces to different VLANs based on service zones.
• Add interfaces to different VLANs based on the service tiers of the same service (such as web, application, and database).
• Allocate each VLAN range consecutively to make proper use of VLAN resources.
• Reserve some VLANs for future expansion.
2.8.3 Recommendation
Figure 2-34 VLAN planning
(Diagram: VLAN ranges per zone: core network 100–199; product service zone 200–399; office service zone 400–599; other service zones 600–799; DMZ service zone 800–999; storage zone; enterprise intranet (enterprise branches) 2000–2199; enterprise extranet (partner enterprises) 2200–2299; Internet (external users) 2300–2399; disaster recovery center network 2400–2999; management 3000–3999.)
Configure VLAN ranges for the different zones as shown in Figure 2-34:
• Core zone: 100–199
• Server zone: 200–999; reserved VLANs: 1000–1999
• Access network: 2000–2999
• Management network: 3000–3999
2.9 IP Planning
A few devices in the Internet connection zone use public IP addresses, but devices in the intranet use private IP addresses. IP addresses in the intranet are easy to manage because the private address space is large; for example, 10.0.0.0 is a class A address.
2.9.1 IP Address Planning
Plan so that the system IP addresses are:
• Unique
  Hosts on an IP network must use different IP addresses. Assign different IP addresses to hosts even if MPLS/VPN technology that supports overlapping IP addresses is used.
• Consecutive
  Consecutive IP addresses facilitate route aggregation on a hierarchical network, which greatly reduces the number of routing entries and improves route calculation efficiency.
• Scalable
  IP addresses need to be reserved at each layer so that address continuity is preserved when the network expands.
• Meaningful
  If IP addresses are planned properly, you can identify the device that corresponds to an IP address from the address itself.
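The consecutive, scalable and meaningful properties can be made concrete. The following is an added example, not part of the proposal: it carves one private supernet into consecutive per-zone blocks with the remainder reserved, shows that consecutive per-VLAN subnets collapse into a single aggregate route while scattered ones do not, and maps an address back to its zone. The supernet, zone names and prefix lengths are constructed; the VLAN ranges of Figure 2-34 are not reused here.

```python
"""Hierarchical, consecutive IP planning and its effect on route aggregation.

Added example, not from the proposal. Prefixes and zone names are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


def plan_zone_blocks(supernet: str, zones: List[str],
                     zone_prefixlen: int) -> Tuple[Dict[str, str], List[str]]:
    """Assign each zone the next consecutive block; leftover blocks stay reserved."""
    blocks = list(ipaddress.ip_network(supernet).subnets(new_prefix=zone_prefixlen))
    if len(zones) > len(blocks):
        raise ValueError("supernet too small for the number of zones")
    plan = {zone: str(blocks[i]) for i, zone in enumerate(zones)}
    reserved = [str(b) for b in blocks[len(zones):]]   # kept for future expansion
    return plan, reserved


def vlan_subnets(zone_block: str, count: int, subnet_prefixlen: int = 24) -> List[str]:
    """Consecutive per-VLAN subnets carved from one zone block."""
    subs = list(ipaddress.ip_network(zone_block).subnets(new_prefix=subnet_prefixlen))
    return [str(s) for s in subs[:count]]


def aggregate_routes(prefixes: List[str]) -> List[str]:
    """The routes the core must carry after summarisation."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def locate(ip: str, plan: Dict[str, str]) -> Optional[str]:
    """Which zone an address belongs to, read straight from the plan."""
    addr = ipaddress.ip_address(ip)
    for zone, block in plan.items():
        if addr in ipaddress.ip_network(block):
            return zone
    return None


# Constructed plan: a /16 server supernet, one /20 per zone, /24 per VLAN.
ZONES = ["core", "product", "office", "other", "dmz"]
PLAN, RESERVED = plan_zone_blocks("10.1.0.0/16", ZONES, 20)
```

Four consecutive /24 VLANs in the product block summarise to one /22 at the core, whereas four /24s scattered across the same block stay as four routing entries; an address such as 10.1.33.7 is recognised as belonging to the office zone from the plan alone.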
2.9.2 DHCP Planning
DHCP Usage Scenarios
DHCP is applicable to the following scenarios:
• On a large network, manual configuration takes a long time and makes centralized management of the entire network difficult.
• There are more hosts on the network than available IP addresses, so not every host can have a fixed IP address. Many hosts must obtain IP addresses dynamically from the DHCP server, and the number of concurrent IP address requests is limited.
• Only a few hosts on the network require fixed IP addresses.
IP Address Allocation
• IP address allocation policy
  Different hosts require different IP address leases. For example, servers may need fixed IP addresses for a long time; some enterprise hosts may need dynamically allocated IP addresses for a long time; some clients may need only temporary IP addresses.
  To meet these requirements, the DHCP server provides the following IP address allocation policies:
  − Manual address allocation: An administrator allocates fixed IP addresses to a few specific hosts, such as the WWW server.
  − Automatic address allocation: The DHCP server allocates fixed IP addresses to hosts that access the network for the first time. These IP addresses can be used by the hosts for a long time.
  − Dynamic address allocation: The DHCP server leases IP addresses to clients. The clients must apply for new IP addresses when the leases expire. This policy is the most widely used.
• IP address allocation sequence
  The DHCP server allocates an IP address to a client in the following sequence:
  − The IP address in the DHCP server's database that is statically bound to the MAC address of the client
  − The IP address that was allocated to the client before, that is, the IP address in the Requested IP Address option of the DHCP_DISCOVER packet sent by the client
  − The first available IP address found when the DHCP server searches the DHCP address pool
  If the DHCP address pool has no available IP address, the DHCP server searches the expired IP addresses and conflicting IP addresses, and then allocates a valid IP address to the client. If all IP addresses are in use, an error is reported.
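The allocation sequence just described, as an added example that is not part of the proposal and does not model any particular DHCP server: a minimal allocator that tries the static MAC binding, then the address the client names in the Requested IP Address option, then the first never-used pool address, and only then reclaims expired leases and conflicting addresses before reporting exhaustion. The pool, bindings, MAC addresses and clock values are constructed, and time is passed in explicitly so the behaviour is deterministic.

```python
"""DHCP address selection in the order the proposal lists (added example).

Constructed pool, bindings and clock; not a model of any real server.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Lease:
    mac: str
    expires_at: int      # seconds on the server's clock


class DhcpPool:
    def __init__(self, pool: List[str], static: Dict[str, str], lease_time: int = 3600):
        self.pool = pool                     # dynamic range, in search order
        self.static = static                 # mac -> fixed address (manual allocation)
        self.lease_time = lease_time
        self.leases: Dict[str, Lease] = {}   # ip -> current (possibly expired) lease
        self.conflicts: Set[str] = set()     # addresses a probe found in use by someone else

    def _grant(self, ip: str, mac: str, now: int, how: str) -> Tuple[str, str]:
        self.leases[ip] = Lease(mac, now + self.lease_time)
        self.conflicts.discard(ip)
        return ip, how

    def _assignable(self, ip: str, mac: str, now: int) -> bool:
        """Free, already held by this client, or expired, and not known to conflict."""
        if ip not in self.pool or ip in self.conflicts:
            return False
        lease = self.leases.get(ip)
        return lease is None or lease.mac == mac or lease.expires_at <= now

    def allocate(self, mac: str, now: int,
                 requested_ip: Optional[str] = None) -> Optional[Tuple[str, str]]:
        # 1. address statically bound to this MAC
        if mac in self.static:
            return self.static[mac], "static"
        # 2. address the client held before (Requested IP Address option)
        if requested_ip and self._assignable(requested_ip, mac, now):
            return self._grant(requested_ip, mac, now, "requested")
        # 3. first address in the pool that has never been handed out
        for ip in self.pool:
            if ip not in self.leases and ip not in self.conflicts:
                return self._grant(ip, mac, now, "free")
        # 4. pool exhausted: reclaim expired leases first, then conflicting addresses
        for ip in self.pool:
            lease = self.leases.get(ip)
            if lease is not None and lease.expires_at <= now:
                return self._grant(ip, mac, now, "expired")
        for ip in self.pool:
            if ip in self.conflicts:
                return self._grant(ip, mac, now, "conflict-reclaimed")
        return None   # every address is in use: the server reports an error


def mark_conflict(pool: DhcpPool, ip: str) -> None:
    """Record that a probe (for example a ping before the offer) found the address in use."""
    pool.conflicts.add(ip)
```

A client that re-requests its own address keeps it even while the lease is active; a client requesting an address leased to someone else falls through to the first free address; once the pool is full the server returns nothing until a lease expires, and the earliest expired address in pool order is reused first.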
2.9.3 DNS Planning
DNS Server Roles
A domain name system (DNS) server plays one of the following roles in the DNS system:
• Master server
  The master server manages the DNS system and is used to add, modify, or delete domain names. Domain information changed on the master server is synchronized to the slave servers. One master server is deployed in the DNS system.
• Slave server
  The slave server obtains the domain name information from the master server. Multiple slave servers are connected through hardware-based load balancers to form a server cluster that provides the DNS service. Two slave servers are deployed in the DNS system.
• Cache server
  The cache server is deployed on the slave server to cache the results of intranet users' DNS requests and speed up network access.
IP Address of the DNS Server
IP addresses are allocated as follows:
• The master server uses a private IP address.
• Each slave server is allocated a private IP address and has a virtual private address on the load balancer.
Internet domain names and IP addresses are deployed in the following ways:
• Configure NAT mapping on the firewall to translate the virtual IP address of the slave servers into a public IP address that Internet users use to reach the intranet DNS.
• Provide services for Internet users using the intelligent DNS on the load balancers.
Providing DNS Services for Internet Users Using the Slave Server
Figure 2-35 DNS deployment in the DC
(Diagram: intranet users on the corporate campus network query the active DNS 10.0.3.10, with 10.0.2.5 as standby DNS; Internet users query the carrier's DNS server, which reaches the enterprise DNS through NAT on the firewall, external Internet IP address to internal 10.0.3.10; in the DMZ behind the LLB and UTM, an iStack pair of LBs holds the DNS virtual IP address 10.0.3.10 in front of a server cluster of the slave servers DNS1 and DNS2 (addresses 172.16.0.5 and 172.16.0.6) and the master DNS server at 10.0.2.5; the DMZ connects to the active DC's combined core layer through FW, CSS and LB.)
The blue dotted line in Figure 2-35 shows how the slave servers are used to provide DNS services for Internet users.
The slave servers DNS1 and DNS2 use virtual IP addresses on the load balancer, and function as master DNS servers for Internet users and as slave DNS servers for intranet users.
The master DNS server and the slave servers DNS1 and DNS2 are all deployed in the DMZ.
DNS requests are handled as follows in this reliable design:
1. Intranet users send DNS requests to the master DNS server, which communicates with the carrier's DNS server to resolve Internet domain names. If the master DNS server is faulty, the slave DNS servers provide the service.
2. Internet users send DNS requests to the carrier's DNS server to resolve the enterprise domain name, such as Huawei.com, and the carrier's DNS server relays the further resolution of names such as www.huawei.com to the enterprise DNS server.
3. DNS requests are evenly distributed between the slave servers DNS1 and DNS2. If slave DNS1 is faulty, all DNS requests are sent to slave DNS2. If both slave DNS servers are faulty, the master DNS server provides the service.
Providing Services for Internet Users Using the Intelligent DNS Server
Figure 2-36 shows how the intelligent server is used to provide DNS services for Internet
users.
Figure 2-36 Intelligent DNS deployment
(Diagram: master DNS 10.0.3.10 and slave DNS 10.0.2.5; intranet users on the corporate campus network and Internet users via the carrier's DNS server send DNS queries towards the DMZ; the LLB in front of the UTM carries the DNS virtual IP address 10.0.3.10; behind it an iStack pair of LBs fronts the server cluster of the slave servers DNS1 and DNS2 (addresses 172.16.0.5 and 172.16.0.6) and the master DNS server at 10.0.2.5; the DMZ connects to the active DC's combined core layer through FW, CSS and LB.)
The Internet users send requests (such as www.huawei.com) to the carrier's DNS server to
query the domain name of Huawei. The carrier's DNS server identifies the information
(huawei.com), and sends the request to the DNS server in Huawei DC to resolve the domain
name. The blue dotted line displays this process.
The intelligent DNS server in the link load balancer receives the request, and finishes the
DNS resolution.
The intelligent DNS server recognizes user sources and resolves domain names to different IP
addresses. The DNS policy resolution server resolves the domain name to the related Netcom
IP address for a China Netcom user and the related Telecom IP address for a China Telecom
user.
Meanwhile, the intelligent DNS server monitors carrier link quality. If a carrier's link is
interrupted, the intelligent DNS server returns another carrier's IP address to ensure service
continuity.
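An added example, not code from the Huawei proposal or its LLB product, of the resolution logic described above: the resolver classifies the querying source by carrier prefix, answers with that carrier's address, and falls back to another carrier's address when the preferred carrier link is reported down. Carrier names, prefixes, the domain and the addresses are constructed sample values.

```python
"""Toy intelligent DNS with source-based answers and carrier-link failover.
Added example; not from the proposal. All prefixes and addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress


@dataclass
class CarrierLink:
    name: str
    client_prefixes: List[str]   # users that reach the DC over this carrier (constructed)
    healthy: bool = True         # set by the (external) link-quality monitor


class IntelligentDns:
    def __init__(self, links: List[CarrierLink], records: Dict[str, Dict[str, str]],
                 fallback_order: List[str]):
        self.links = {link.name: link for link in links}
        self.records = records              # domain -> {carrier -> answer IP}
        self.fallback_order = fallback_order

    def set_link_state(self, carrier: str, healthy: bool) -> None:
        """Called by the link monitor when a carrier link goes down or recovers."""
        self.links[carrier].healthy = healthy

    def carrier_of(self, client_ip: str) -> Optional[str]:
        """Identify the user's carrier from the source address (None if unknown)."""
        addr = ipaddress.ip_address(client_ip)
        for link in self.links.values():
            if any(addr in ipaddress.ip_network(p) for p in link.client_prefixes):
                return link.name
        return None

    def resolve(self, domain: str, client_ip: str) -> Optional[Tuple[str, str]]:
        """Return (carrier, answer IP): the querier's own carrier if its link is up,
        otherwise the first healthy carrier in fallback order; None if none is up."""
        answers = self.records.get(domain)
        if not answers:
            return None
        preferred = self.carrier_of(client_ip)
        order = ([preferred] if preferred else []) + \
            [c for c in self.fallback_order if c != preferred]
        for carrier in order:
            link = self.links.get(carrier)
            if link is not None and link.healthy and carrier in answers:
                return carrier, answers[carrier]
        return None  # every carrier link is down: nothing usable to answer with


def build_sample_dns() -> IntelligentDns:
    """Constructed deployment: two carriers, one domain with one answer per carrier."""
    links = [CarrierLink("Netcom", ["192.0.2.0/24"]),
             CarrierLink("Telecom", ["198.51.100.0/24"])]
    records = {"www.example.com": {"Netcom": "203.0.113.10", "Telecom": "203.0.113.20"}}
    return IntelligentDns(links, records, fallback_order=["Netcom", "Telecom"])
```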
2.10 Route Planning
2.10.1 Routing Overview
Huawei recommends that the boundary between routing and switching be located on the
combined core layer switches, as shown in Figure 2-37.
- Layer 2 switching is used at the layer below the combined core layer.
- Layer 3 routing is used at the layer above the combined core layer.
Figure 2-37 Boundary between routing and switching
[Figure: Internet and WAN reach the combined core layer (L3 routers with FW, LB, CSS) over OSPF; below it, L2 switches (iStack) serve the Web, APP and DB servers of the simplified multi-layer design, the non-Web-based application design and the expandable multi-layer design.]
This design has the following advantages:
- Simple route configuration
  Routes need to be configured only on the two combined core layer switches. Access switches perform only Layer 2 switching, which simplifies the configuration. Users can use the automatic configuration functions of access switches to reduce the maintenance workload.
- Scalability
  You can easily increase the number of servers on a core/aggregation switch. A new service server can be deployed in any rack, and its IP address is contiguous with the IP addresses of the original service system. When the position of a server changes due to a service change, the carrier does not need to reconfigure the servers and the network, and the servers can be used immediately after being installed in the new position. A large Layer 2 network is needed when next-generation virtual servers are used to move servers without interrupting services.
2.10.2 IGP Design
To manage and maintain the network conveniently inside the data center, the OSPF dynamic
routing protocol is recommended to ensure network stability and fast convergence of routes.
As shown in Figure 2-38, the yellow devices are core switches located in the backbone area,
area 0.
Figure 2-38 Router planning for DCs
[Figure: corporate campus and enterprise branch networks (building, core network, small organization, family network, large enterprise branch network) reach the active DC over carrier 1 (VPN), carrier 2 (Internet), MAN and WAN; the active DC contains the extranet/DMZ (LLB, FW, UTM, iStack, LB), the combined core layer (FW, CSS, LB) and the DNS, Email, Web, APP and DB servers of the simplified multi-layer, non-Web-based application and expandable multi-layer designs, plus a backup control area (control server) and an IP storage area; a disaster backup center with its own combined core layer is attached as backup.]
2.10.3 BGP Design
The external Border Gateway Protocol (EBGP) is established between the branch DC and
disaster recovery center using network access routers, which advertise routes to both centers.
Figure 2-39 shows the network topology among the active DC, backup DC, branch DC, and
disaster recovery center.
Figure 2-39 Active and standby path planning for DCs
[Figure: active DC, backup DC, branch center and disaster recovery center joined by product service links and disaster recovery data links; the normal access route and alternative routes 1, 2 and 3 from the active DC to the branch center are marked.]
As shown in Figure 2-39, the active DC has four paths to reach the branch DC. The priorities of the four paths are as follows:
- Highest priority (normal access route): The active DC is connected to the branch DC directly.
- Second highest priority (alternative route 1): The active DC reaches the branch DC through the backup DC.
- Third highest priority (alternative route 2): The active DC reaches the branch DC through the disaster recovery center.
- Lowest priority (alternative route 3): The active DC reaches the branch DC through the backup DC and the disaster recovery center.
The priorities of the links are determined by the EBGP AS-Path and multi-exit discriminator (MED) attributes.
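The following is an added example, not from the proposal, that applies only the two attributes named above (AS_PATH length, then MED) to the four paths of Figure 2-39 and walks through the failover order as links are withdrawn. The AS numbers are constructed placeholders, and the MED tie-break is a deliberate simplification noted in the code.

```python
"""Simplified BGP path preference over the four paths of Figure 2-39.
Added example; AS numbers are constructed placeholders, not from the proposal."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class BgpPath:
    name: str
    as_path: Tuple[int, ...]   # ASes traversed from the active DC to the branch DC
    med: int                   # multi-exit discriminator; lower is preferred


def path_key(p: BgpPath):
    """Shorter AS_PATH wins, then lower MED. Simplification: MED is compared across
    different neighbouring ASes here, which a real BGP speaker does only when it is
    explicitly configured to compare MEDs from different ASes."""
    return (len(p.as_path), p.med, p.name)


def rank_paths(paths: List[BgpPath]) -> List[BgpPath]:
    return sorted(paths, key=path_key)


def best_path(paths: List[BgpPath]) -> Optional[BgpPath]:
    ranked = rank_paths(paths)
    return ranked[0] if ranked else None


def withdraw(paths: List[BgpPath], *names: str) -> List[BgpPath]:
    """Candidate set after the named paths are withdrawn (link failure)."""
    return [p for p in paths if p.name not in names]


def failover_sequence(paths: List[BgpPath]) -> List[str]:
    """Order in which routes take over as each current best path fails in turn."""
    order, remaining = [], list(paths)
    while remaining:
        best = best_path(remaining)
        order.append(best.name)
        remaining = withdraw(remaining, best.name)
    return order


# Constructed AS numbers (placeholders).
AS_BACKUP_DC, AS_DR_CENTER, AS_BRANCH = 65001, 65002, 65003

# The four paths of Figure 2-39 as seen from the active DC. Alternative routes 1 and 2
# have equal AS_PATH length, so the MED decides between them (alternative route 1
# is given the lower MED so that it stays preferred, as the text requires).
FIGURE_2_39 = [
    BgpPath("normal access route", (AS_BRANCH,), med=0),
    BgpPath("alternative route 1", (AS_BACKUP_DC, AS_BRANCH), med=10),
    BgpPath("alternative route 2", (AS_DR_CENTER, AS_BRANCH), med=20),
    BgpPath("alternative route 3", (AS_BACKUP_DC, AS_DR_CENTER, AS_BRANCH), med=30),
]
```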
2.11 VPN Planning
2.11.1 VPN Overview
The VPNs in data centers are classified into L2TP VPN, IPSec VPN, SSL VPN, MPLS
L3VPN, and MPLS L2VPN.
L2TP VPN, IPSec VPN, and SSL VPN are used for remote or branch access. For details, see
section 2.5.5 "Branch Access Planning." MPLS L3VPN and MPLS L2VPN are used for
service isolation, access control, and security isolation. MPLS L3VPN is most widely used.
2.11.2 Intranet VPN Service Isolation
As shown in Figure 2-40, users and servers are separated and grouped into different VPNs. By default, the routes for user A, user B, server I, server II, and server III are isolated so that these users and servers cannot communicate with each other.
User VPNs and server VPNs can import routes from each other based on the user and server control policy. The routes imported among user A (VPN A), VPN I, and VPN III allow user A to access the VPN I and VPN III servers.
Figure 2-40 Server isolation plan based on routes
[Figure: corporate campus network with user class A (VPN A) and user class B (VPN B); DC network with server class I (VPN I), server class II (VPN II) and server class III (VPN III); the two sides exchange routes in route-imported mode.]
As shown in Figure 2-41, firewalls are used to control the access rights of server groups precisely. The security policy is configured based on the table of rights of the user groups and server groups. By default, the firewalls permit nothing (deny all users and servers). Users can access a server only after a security policy permitting that access is configured.
Figure 2-41 Server isolation plan based on firewalls
[Figure: user class A (user group 1, user group 2) and server class I (server group 1 to server group N) separated by a firewall carrying the following policy:]
Deny all users or servers
Permit user group 1 and server group 1
Permit user group 1 and server group 2
Permit server group 1 and server group 2
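An added example, not from the proposal, of the deny-by-default group policy of Figure 2-41 evaluated in code: addresses are mapped to user/server groups and a packet is permitted only when an explicit group-to-group rule exists. Group prefixes are constructed, and the rules are read as directional (the first-named group is the source), which is an assumption about the figure.

```python
"""Deny-by-default interzone policy between user groups and server groups.
Added example; group prefixes are constructed and rule direction is assumed."""
import ipaddress
from typing import Dict, List, Optional, Tuple


class GroupPolicy:
    def __init__(self, groups: Dict[str, List[str]]):
        # group name -> list of networks whose hosts belong to the group
        self.groups = {name: [ipaddress.ip_network(p) for p in prefixes]
                       for name, prefixes in groups.items()}
        self.permits: List[Tuple[str, str]] = []   # (source group, destination group)

    def permit(self, src_group: str, dst_group: str) -> None:
        """Add an explicit permit; everything not listed stays denied."""
        for g in (src_group, dst_group):
            if g not in self.groups:
                raise KeyError(f"unknown group {g!r}")
        self.permits.append((src_group, dst_group))

    def group_of(self, ip: str) -> Optional[str]:
        addr = ipaddress.ip_address(ip)
        for name, nets in self.groups.items():
            if any(addr in n for n in nets):
                return name
        return None

    def decide(self, src_ip: str, dst_ip: str) -> Tuple[str, str]:
        """Return ("permit"|"deny", reason). Unknown hosts are denied too."""
        src, dst = self.group_of(src_ip), self.group_of(dst_ip)
        if src is None or dst is None:
            return "deny", "address not in any known group (default deny)"
        if (src, dst) in self.permits:
            return "permit", f"rule: permit {src} -> {dst}"
        return "deny", f"no rule for {src} -> {dst} (default deny)"


def figure_2_41_policy() -> GroupPolicy:
    """The three permits of Figure 2-41 on constructed group prefixes."""
    policy = GroupPolicy({
        "user group 1": ["10.1.1.0/24"], "user group 2": ["10.1.2.0/24"],
        "server group 1": ["10.2.1.0/24"], "server group 2": ["10.2.2.0/24"],
    })
    policy.permit("user group 1", "server group 1")
    policy.permit("user group 1", "server group 2")
    policy.permit("server group 1", "server group 2")
    return policy
```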
2.12 QoS Planning
2.12.1 QoS Overview
The DC planning guarantees peak-traffic services, which requires no QoS processing. The
QoS planning, however, is needed in collaborative computing and Multi-Tenancy
applications.
Bandwidth management for multi-tenancy applications is not covered in the initial version. QoS planning for multi-tenancy applications can be supplemented and optimized in subsequent operations.
2.12.2 QoS Planning Concerning Collaborative Computing
Collaborative computing is used when complicated calculations are involved, for example in search engines, petroleum exploration, and meteorology. In collaborative computing, multiple servers may send calculation results to one server at the same time. The resulting traffic burst can cause congestion on an outbound interface and packet loss.
Figure 2-42 Congestion on an outbound interface when multiple servers send data to one server
[Figure: DC topology connected to the Internet and WAN; several servers send data to one server at the same time.]
As shown in Figure 2-42, servers send data to the yellow server and congestion occurs at the starred node. Packets are lost if the queues on the nodes that forward the data are not sufficient.
To solve the problem, install large-capacity line cards on the EOR switch and the core switch to buffer burst data and prevent packet loss.
Figure 2-43 Large-capacity line cards on the EOR switch and the core switch to prevent packet loss
[Figure: the same topology connected to the Internet and WAN, marking the positions where large-capacity line cards are deployed.]
2.12.3 QoS Planning for Different Data Flows
Different data flows may have different priorities. When traffic volume exceeds bandwidth,
the Diff-Serv model is required to forward the data flows with higher priorities. This prevents
impact on key services.
The access device, such as an access switch, marks priorities on service packets. Depending
on the network type, 802.1p or DSCP priorities can be used. The voice and video services are
marked high priority, and data service is marked low priority.
The devices on the backbone network, such as a core switch, schedule the data flows based on
the priorities. The PQ or WFQ scheduling mode can be selected to ensure that the data flows
with high priority are forwarded first. Thus quality of service is guaranteed.
3 Security Solution
3.1 Security Overview
Overview
A data center consists of multiple zones, for example, the interconnection zone, intranet zone,
extranet zone, management zone, server zone, core zone, storage zone, and R&D and test
zone. Users access some zones through the Internet. The Internet has a lot of security risks, so
security issues have become the focus of organizations and enterprises.
A data center can use the following security measures:
- Strict management system, such as access permission, registration, and operation record
- Access authority control, for example, minimum authorization and service classification
- Security training and strict security policy, which prevent or reduce accidents
- Complicated password to prevent password embezzling
This chapter describes the network security solution.
Security Issues
Network security issues are classified into:
- Network attacks: DDoS attacks, scanning attacks, snooping attacks, and malformed packet attacks
- Vulnerability attacks: attacks aimed at vulnerabilities in the operating system, database, and web server
- Virus attacks: viruses threatening data center servers
- Internal attacks: for example, unauthorized permission within the intranet and data interception
Security Risks
The data center manages all data of an enterprise, so it must process a large amount of data
and is important for an enterprise. Therefore, the data center is prone to attacks. Protection
measures must be taken for the data center based on zones.
All layers, from the physical layer to the application layer, on a network may bring security
threats to the data center. Corresponding measures must be taken based on the security risk
characteristics at each layer, including content deep protection, Layer 2-7 protection, access
control, protocol stack protection, and Layer 2-4 protection.
Figure 3-1 shows the security risks in each zone.
Figure 3-1 Security risks in each zone
3.2 Security Design
Table 3-1 describes six security design principles for data center.
Table 3-1 Security design principles for data center
Reliability and stability: Single-point failures should be prevented on security devices. The security devices and network must operate properly.
Scalability: The modular structure is used to add and delete functions flexibly.
Zone-based management: Different security policies are used for different zones to improve protection efficiency.
Minimum authority: The security protection principle is "deny by default." Users are granted only necessary access rights. Data integrity, security, and usability are ensured.
Security management: The associated events are analyzed and security status is evaluated, facilitating security policy adjustment.
Operation and maintenance audit: Resource risks should be eliminated and responsibility should be determined.
The following functions must be considered in security design.
Table 3-2 Functions to be considered in security design
Defense: To protect the data center against external attacks, zones with different priorities must be divided in the data center. Access control is required and security tunnels can be set up for some services.
Immunity: The data center is protected against internal attacks. To eliminate risks caused by internal terminals, the terminals must be authorized. The documents are managed and controlled.
Manageability: The operation and maintenance terminals are authenticated and authorized. The operation and maintenance operations can be upgraded and security issues can be analyzed.
Table 3-3 lists the recommendations on security protection for each zone shown in Figure 3-1.
Table 3-3 Security protection recommendations for each zone
(Columns: Zone; Issues and Risks; Trust or Not; Recommended Devices; Benefit)

Zone: Intranet access zone
Issues and risks: Unauthorized access
Trust or not: Trust
Recommended devices: Firewall
Benefit: Prevent unauthorized access from internal users.

Zone: WAN access zone
Issues and risks: Unauthorized access
Trust or not: Trust
Recommended devices: Firewall
Benefit: Prevent unauthorized access from branches.

Zone: Internet access zone
Issues and risks: DDoS attack on the Internet; unauthorized access, NAT; VPN access
Trust or not: Not trust
Recommended devices: Anti-DDoS; Firewall; SSL VPN device
Benefit: Defend against DDoS attacks, prevent unauthorized access, and ensure secure remote access.

Zone: Partner access zone
Issues and risks: VPN access; unauthorized access
Trust or not: Partially trust
Recommended devices: Two layers of firewalls
Benefit: Prevent unauthorized service access. Data center services can be accessed through the VPN.

Zone: Service server zone
Issues and risks: Unauthorized access; hacker
Trust or not: Trust
Recommended devices: Firewall; IPS device
Benefit: Prevent unauthorized access and defend against hacker attacks.

Zone: Network management zone
Issues and risks: Unauthorized access; lack of security issue management; lack of security device management; lack of operation and maintenance audit
Trust or not: Trust
Recommended devices: Firewall; SoC; security device management system; bastion host
Benefit: Prevent unauthorized access and provide associated security event analysis, security device management and audit.
3.3 Security Network Structure
Figure 3-2 shows the security network structure for a data center based on the security risks,
security design principles, protection measures, and recommended products.
Figure 3-2 Security network structure
[Figure: partner access, WAN access and Internet access pass through front FWs, Anti-DDoS devices and FW & VPN gateways into the extranet DMZ servers and background servers; the intranet/campus FW, intranet FWs and IPS devices protect key servers and servers; the network management zone holds the bastion host, NMS and iSoC.]
FW: Eudemon1000E/8000E; Anti-DDoS: Eudemon1000E-D/I; VPN gateway: SVN3000; IPS: NIP200/1000
Because service characteristics differ, the actual data center structure may differ from the preceding figure. You can add or remove security devices based on the types of security threat. For example, if the DMZ is small, an independent VPN gateway is not required, and the firewall functions as the VPN gateway.
Different zones can be allocated different security levels, and protection and management policies are enforced based on these levels.
- High security level: branches, WAN, and campus network
- Middle security level: partner and traveling staff access zone
- Low security level: Internet access zone
For security design in each zone, see chapter 2 "Data Center Network Solution."
3.4 Firewall Deployment
Firewalls can be deployed in inline mode and bypass mode based on physical networks, as
shown in Figure 3-3.
If all traffic between the core layer and aggregation layer needs to be filtered by the firewalls,
the firewalls are connected in inline mode. If only some traffic needs to be filtered, the
firewalls can be connected in bypass mode. In bypass mode, traffic is imported to the
firewalls and sent back to the switches.
Figure 3-3 Firewall connection modes
Depending on the traffic processing mode, firewall deployment modes are classified into routing mode, transparent mode, and hybrid mode.
- Routing mode: Firewalls are connected to switches at Layer 3, and all interfaces need IP addresses. A firewall is equivalent to a router and forwards traffic based on the routing table.
- Transparent mode: Firewalls are connected to switches at Layer 2, and no interface needs an IP address. Users and routers are unaware of the firewalls.
- Hybrid mode: A firewall has both routing interfaces (with IP addresses) and transparent interfaces (without IP addresses).
When a firewall works in routing mode and the upstream and downstream devices are Layer 2
devices, the firewall can run VRRP. If the upstream and downstream devices are Layer 3
devices, the firewall can run OSPF. Firewalls can work in active/standby mode or load
balancing mode.
Transparent firewalls can work in active/standby mode or load balancing mode.
3.5 Virtual Firewall
A firewall can be logically divided into multiple virtual firewalls, each of which provides security protection for one zone. A virtual firewall integrates a VPN instance, a security instance, and a configuration instance. It provides private routing service, security service, and configuration management service for users.
- VPN instance
  The VPN instance provides separated VPN routes for the users under each virtual firewall. These VPN routes are used to forward the packets received by each virtual firewall.
- Security instance
  The security instance provides separated security services for the users under each virtual firewall. The security instance contains private interfaces, zones, interzones, ACL rules, and NAT address pools. In addition, it provides security services such as address binding, blacklist, packet filtering, attack defense, ASPF, and NAT for the users under the virtual firewalls.
- Configuration instance
  The configuration instance provides separated configuration management services for the users under each virtual firewall. It allows users to log in to the correct virtual firewall to manage and maintain private VPN routes and security instances.
- Virtual firewall administrator
  To distinguish virtual firewalls from physical firewalls, the physical firewalls are called root firewalls. Each virtual firewall can be allocated an administrator, security policy, and routes.
- Data forwarding in virtual firewall
  After a virtual firewall is created, a zone also needs to be created. Additionally, the interfaces on the virtual firewall must be added to the zone (or the default zone). Policies need to be configured to implement communication on the virtual firewall.
  The subnets connected to different virtual firewalls can belong to different network segments or the same network segment. That is, the IP addresses on virtual firewalls can overlap. The routes of virtual firewalls and root firewalls are separated, so static routes must be configured to implement communication between the root firewall and a virtual firewall.
3.6 Traffic Cleaning
3.6.1 DPI
DPI is the key technology for traffic cleaning. DPI uses deep packet inspection and protocol decoding technologies. It performs 1:1 analysis on network traffic and identifies Layer 4-7 packets. DPI can efficiently identify attack packets at the application layer.
DPI detection delay is short (1-2 minutes after an attack occurs) and its detection granularity is fine (within 50 Mbit/s). In addition, DPI detects low-volume attack traffic based on application-layer analysis. After detecting an attack, DPI creates an attack fingerprint for the attack packets, which instructs the traffic cleaning device to discard them.
Figure 3-4 DPI
[Figure: protocol stack from the L1 physical layer (NIC), L2 link layer (router), L3 network layer (traditional firewall, OSs), L4 transport layer (TCP/IP, web server) to the L5-7 application layer (app, web app); DPI performs Layer 4-7 deep detection.]
3.6.2 Layered Traffic Cleaning
The Huawei DDoS cleaning solution uses layered traffic cleaning and fingerprint identification technology to prevent traffic attacks and application-layer attacks.
Traffic is classified into normal and abnormal traffic based on traffic characteristics. In addition to Flood and DoS attacks, DPI can identify UDP, CC, and botnet attacks.
As shown in Figure 3-5, layered cleaning and fingerprint technologies are used. A fingerprint is generated after user traffic is inspected, and the traffic matching the fingerprint is filtered out. In this way, complex attack traffic can be removed and the traffic cleaned.
Figure 3-5 Layered traffic cleaning
[Figure: attack and service traffic pass through successive stages: static filtering (malformed packet attacks aimed at protocol vulnerabilities: LAND, Fraggle, WinNuke, Ping of Death, TearDrop, TCP Flag); special packet control (IP option, large ICMP, ICMP redirection, ICMP unreachable, tracert); dynamic statistics and characteristics identification (app traffic model baseline learning, virus identification, TCP Flood, UDP Flood, ICMP Flood, DNS Query Flood, CC, HTTP Get Flood and BGP attack defense); traffic shaping for specific packets (traffic shaping, congestion avoidance); with a bypass path.]
3.6.3 Malformed Packet Attack Defense
LAND Attack Defense
The SYN packets of which the source and destination addresses are the same and the SYN
packets using the loopback address as source address are attack packets. These SYN packets
are directly discarded.
Fraggle Attack Defense
The packets with attack characteristics are discarded and unnecessary services are disabled.
Ping Of Death Attack Defense
The ICMP echo request packets with more than 65535 bytes are attack packets. These packets
are discarded and recorded in the log.
TearDrop Attack Defense
When a packet is longer than the MTU of the interface, the packet must be fragmented. The
initial fragment is cached and other fragments are checked.
WinNuke Attack Defense
The destination port number of attack packets is 139 and URG bit is set to 1. The attack
packets are discarded.
TCP Packet Attack Defense
The packets with attack characteristics are discarded.
IP Spoofing Attack Defense
The source and destination addresses of incoming packets on all interfaces are checked. The device looks up the source address in the routing table. A packet whose inbound interface differs from the optimal outbound interface toward its source address is an attack packet. The attack packets are discarded and recorded in the log.
3.6.4 Flood Type Attack Defense
Smurf Attack Defense
If the destination address of an ICMP echo request is a subnet broadcast address or subnet
address, the packet is an attack packet. The attack packet is discarded and recorded in the log.
SYN Flood Attack Defense
When the path and return path of packets are the same, the firewall intercepts all connection
requests as a TCP proxy. The firewall sets up a connection with the client as a server and with
the server as a client. When the two connections are set up successfully, the firewall
exchanges packets between the client and server. When the path and return path of packets are
different, the firewall verifies the packet source using the TCP reverse detection technique. If
the source is valid, the firewall adds the source to the whitelist; otherwise, the firewall
discards the packets.
TCP Flood Attack Defense
The firewall identifies traffic by learning dynamic traffic baseline and fingerprint, and
restricts traffic. This technology efficiently prevents flooding and protects transmission links.
The firewall monitors connection status based on source IP addresses. If it detects an empty
connection, it sends an RST packet to the server to end the connection. If there are a large
number of empty connections, the firewall can prevent access from the source temporarily.
UDP Flood Attack Defense
The firewall learns characteristics of UDP packets, quickly identifies attack traffic, and cleans
attack traffic without affecting service traffic.
ICMP Flood Attack Defense
The firewall identifies abnormal traffic based on fingerprint. It identifies abnormal traffic
based on rate and number of connections. Thus the firewall can limit bandwidth for ICMP
packets sent to a certain destination.
HTTP Get Flood Attack Defense
The firewall identifies and filters out attack packets based on credit, user behaviors, and
application-layer packet characteristics.
DNS Query Flood Attack Defense
The firewall provides the following functions:
- Creates a high-speed DNS cache and responds based on resolved IP addresses.
- Verifies packet sources and sets up a credit mechanism.
- Analyzes the behaviors of DNS packets from each source.
- Limits the number of domain name resolution requests sent by each source per second.
- Limits bandwidth for a source that sends burst resolution requests at a long interval.
3.6.5 Packet Type Attack Defense
ICMP Redirect
If ICMP redirect restriction function is enabled, the firewall discards ICMP redirect packets
(type 5); otherwise, the firewall forwards the packets. When discarding ICMP redirect packets,
a log is recorded.
ICMP Unreachable
If ICMP unreachable restriction function is enabled, the firewall discards ICMP unreachable
packets (type 3); otherwise, the firewall forwards the packets. When discarding ICMP
unreachable packets, a log is recorded.
IP Source Routing Option
The firewall checks whether packets arriving at the router contain the IP source routing option. If so, the firewall discards the packets and records a log.
IP Record Route Option
The firewall checks whether packets arriving at the router contain the IP record route option. If so, the firewall discards the packets and records a log.
Tracert
The firewall checks whether the packets are ICMP timeout (type 11) or unreachable (type 3)
packets. If so, the firewall discards or forwards the packets. When discarding tracert packets, a
log is recorded.
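An added example, not code from the proposal or from any Huawei firewall, that implements the per-packet drop rules of 3.6.3 (LAND, Ping of Death, WinNuke, IP spoofing by reverse-path lookup) and 3.6.5 (IP source-route and record-route options, ICMP redirect, ICMP unreachable, tracert) as a single screening function with a log. The packet fields, the routing table and the sample packets are constructed; the toggles for the optional ICMP checks mirror the "if the restriction function is enabled" wording above.

```python
"""Miniature packet screen for the malformed- and packet-type rules of 3.6.3/3.6.5.
Added example; field names, routing table and sample packets are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
import ipaddress


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    in_iface: str               # interface the packet arrived on
    total_len: int = 60         # IP total length after reassembly
    tcp_flags: Set[str] = field(default_factory=set)    # e.g. {"SYN", "URG"}
    dst_port: int = 0
    icmp_type: int = -1         # 8 echo request, 5 redirect, 3 unreachable, 11 time exceeded
    ip_options: Set[str] = field(default_factory=set)   # e.g. {"lsrr"}, {"ssrr"}, {"rr"}


@dataclass
class Screen:
    routes: Dict[str, str]      # prefix -> egress interface (constructed routing table)
    drop_icmp_redirect: bool = True
    drop_icmp_unreachable: bool = True
    drop_tracert: bool = True
    log: List[str] = field(default_factory=list)

    def best_egress(self, ip: str) -> Optional[str]:
        """Longest-prefix match: the interface this device would use to reach `ip`."""
        addr = ipaddress.ip_address(ip)
        best = None
        for prefix, iface in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def verdict(self, p: Packet) -> Tuple[str, Optional[str]]:
        """("drop", reason) for an attack packet, ("forward", None) otherwise; drops are logged."""
        reason = self._check(p)
        if reason:
            self.log.append(f"DROP {p.src}->{p.dst} via {p.in_iface}: {reason}")
            return "drop", reason
        return "forward", None

    def _check(self, p: Packet) -> Optional[str]:
        src = ipaddress.ip_address(p.src)
        # 3.6.3 LAND: SYN with source == destination, or a loopback source
        if p.proto == "tcp" and "SYN" in p.tcp_flags and (p.src == p.dst or src.is_loopback):
            return "LAND attack"
        # 3.6.3 Ping of Death: echo request larger than the maximum IP datagram
        if p.proto == "icmp" and p.icmp_type == 8 and p.total_len > 65535:
            return "Ping of Death"
        # 3.6.3 WinNuke: URG data to TCP port 139
        if p.proto == "tcp" and p.dst_port == 139 and "URG" in p.tcp_flags:
            return "WinNuke"
        # 3.6.5 IP options: loose/strict source routing and record route
        if p.ip_options & {"lsrr", "ssrr"}:
            return "IP source routing option"
        if "rr" in p.ip_options:
            return "IP record route option"
        # 3.6.5 optional ICMP restrictions (type 3 is also what a tracert reply uses,
        # so the unreachable check covers that part of the tracert rule)
        if p.proto == "icmp":
            if p.icmp_type == 5 and self.drop_icmp_redirect:
                return "ICMP redirect"
            if p.icmp_type == 3 and self.drop_icmp_unreachable:
                return "ICMP unreachable"
            if p.icmp_type == 11 and self.drop_tracert:
                return "tracert (ICMP time exceeded)"
        # 3.6.3 IP spoofing: the source must be reachable through the inbound interface.
        # A source with no route at all is let through here (loose check, an assumption).
        egress = self.best_egress(p.src)
        if egress is not None and egress != p.in_iface:
            return f"IP spoofing: source is reachable via {egress}, arrived on {p.in_iface}"
        return None


def sample_screen(**toggles) -> Screen:
    """Constructed two-interface device: 10.0.0.0/8 behind lan0, everything else via wan0."""
    return Screen(routes={"0.0.0.0/0": "wan0", "10.0.0.0/8": "lan0"}, **toggles)
```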
4 Suggestions on Planning Multiple DCs
4.1 Inter-DC Connection
A DC transmits key services of an enterprise and stores a large amount of service data. To
ensure reliability, a DC needs to provide 24/7 non-stop services. A large-sized enterprise may
build multiple DCs in different places to meet the following requirements:
- Convenient expansion
  If an enterprise has only one DC, the power supply, cooling, and space in the equipment room may be limited. Deploying multiple DCs can solve these issues.
- Nearby access
  Users can access local DCs to reduce loads on the active DC, conserve WAN bandwidth, and shorten service response time. Additionally, if the active DC is faulty, services in other DCs are not affected.
- Risk avoidance
  Multiple DCs work in backup mode to avoid damage to the DC caused by human activities (such as war) or disasters (such as earthquake), ensuring smooth operation of services.
When multiple DCs need to be deployed for an enterprise, the following types of physical
connections are available:
- Self-built transmission system
  The enterprise sets up its own transmission system using fibers (or leasing fibers from the carrier). This method requires high costs, but provides high reliability. It does not depend on the carrier's network. Networks are easy to connect, manage, and control.
- Leasing carrier's transmission resources
  The DC network's WAN interfaces connect to the transmission device leased from the carrier. The enterprise leases the transmission resources, such as a wave in the DWDM system, to connect the DCs. This method requires medium costs, and provides high reliability. Network connection deployment, management, and control are implemented by the enterprise. However, this method partially depends on the transmission network of the carrier.
- Leasing carrier's VPN services
  Data centers connect to the carrier's IP/MPLS network through WAN interfaces. The enterprise leases the VPN (MPLS L2VPN, MPLS L3VPN, or GRE VPN) from the carrier to connect the DCs. This method requires low costs, but provides low reliability. It completely depends on the carrier's network. Network connection deployment, management, and control are implemented by the carrier.
The roadmap for building multiple DCs for an enterprise is as follows:
- Build a backup DC within 50 km of the active DC of an enterprise in the same city to copy service data in real time through a leased line or on a transmission device.
- In addition to copying service data, the backup DC transmits some services migrated from the active DC, implementing the active/active backup of DCs.
Considering the devastation that natural disasters (such as earthquakes) can cause to a city, it is recommended that an enterprise build a disaster recovery center in another city more than 400 km away to provide a backup for the active and backup DCs, and synchronize the data from the production center and the same-city disaster recovery center to it in real time. This method minimizes damage to important data in the case of a disaster. The enterprise can use the backup data in the remote disaster recovery center to restore services.
4.2 Network Architecture of Multiple DCs
Figure 4-1 shows the network architecture of multiple DCs.
Figure 4-1 Network architecture of three centers in two areas
[Figure: production center and same-city disaster recovery center, each with a LAN and an FC SAN, connected over bare optical fiber and WDM; the production array and the same-city disaster recovery array are kept in synchronous backup; the remote disaster recovery center is reached over the IP/MPLS WAN, and its remote disaster recovery array receives asynchronous backup; IP links and FC links are drawn separately.]
As more services are deployed in the enterprise, the network architecture of three centers in
two areas cannot meet the requirements for service development. The architecture of multiple
centers with different levels has emerged to replace the original network architecture. If DCs
with different levels are established in a region, the load of global DCs is lessened, the WAN
bandwidth is saved, and the response time of regional services is shortened. In addition, if a
fault occurs in a region, services in other regions are not affected.
Figure 4-2 shows the network architecture of multiple centers with different levels.
Figure 4-2 Network architecture of multiple centers with different levels
[Figure: a global center (an active center and a disaster backup center in the same city, plus a remote disaster backup center; Beijing and Shanghai are labelled) above regional centers for China (provinces in China), America, Europe, CIS, and Asia Pacific; country labels shown include Brazil, Venezuela, Canada, America, Sweden, France, England, Bahrain, Turkey, Egypt, United Arab Emirates, Russia, South Africa, Nigeria, Japan, Malaysia, India, and Indonesia.]
4.3 Inter-DC Layer 2 Connection Planning
4.3.1 Inter-DC Layer 2 Connection
Driven by IT technologies such as cloud computing, the server cluster technology that was initially used only in high-end computing at military universities is now widely used in enterprise data centers. The server cluster technology uses cluster software to associate multiple servers on a network into one logical server, and uses the scale-out method to improve computing capability. High-performance computing cluster networks are gradually transitioning to Ethernet alongside technologies such as InfiniBand.
The cluster software of most vendors (including HP, IBM, Microsoft, and Veritas) requires
Layer 2 connection between servers. Servers in the cluster can be deployed in different data
centers to implement inter-DC application system disaster recovery. The processes of the
cluster software communicate (heartbeat and session synchronization) at the link layer.
Therefore, servers in the cluster require Layer 2 connection.
When a data center needs to be expanded or migrated, physical servers need to be migrated
from one data center to another data center. After the data center is expanded, the same
service is often deployed in two data centers, requiring Layer 2 connection between data
centers. During a server migration, only some servers in the cluster can be migrated to the
new data center. To ensure service continuity, an inter-DC server cluster needs to be built. In
this manner, building an inter-DC Layer 2 network can implement smooth server migration.
During the establishment of multiple data centers, determine how to expand a Layer 2
network between multiple data centers.
There are a variety of methods to expand a Layer 2 network between data centers. The
following describes two common solutions: fiber interconnection solution and VPLS
interconnection solution.
4.3.2 Fiber Interconnection Solution
The fiber interconnection solution applies to data center interconnection within the same city
where data centers are less than 80 km away from each other. As shown in Figure 4-3, four
data centers within the same city form an OTN ring. Two core switches connect to each other,
implementing inter-DC Layer 2 connection.
Figure 4-3 Fiber interconnection design
[Figure: access and aggregation layers in each data center, with the core switches of the four data centers connected over the OTN ring.]
To ensure service reliability and link efficiency, the connected core switches must support the
cluster switch system (CSS). Aggregation switches in data centers use the stacking/cluster
technology and connect to the core switches through multiple links. The multiple links are
bundled using Link Aggregation Group (LAG).
The fiber interconnection solution has the following advantages:
- Implements end-to-end fault detection. The Ethernet and optical network use the OAM mechanism to ensure service reliability.
- Manages optical devices (OTNs) and switches in a unified manner, simplifying network management and maintenance.
- Uses OTN devices that support Fibre Channel (FC), Ethernet, and fiber connection (FICON), facilitating service expansion.
- Supports various service protection modes, implementing service switchover within 50 ms.
This solution is easy to deploy and provides high link bandwidth and a low delay in communication between data centers. It applies to scenarios where high service quality is required and multiple data centers work in active/active mode. However, the solution requires a self-built transmission system and fiber resources, increasing networking costs.
4.3.3 VPLS Interconnection Solution
Virtual Private LAN Service (VPLS) is an L2VPN technology based on MPLS and Ethernet
technologies. VPLS connects multiple Ethernet LANs across a public network so that these
Ethernet LANs can function as a single LAN as shown in Figure 4-4.
Data centers perform Layer 2 interconnection through VPLS. An enterprise can implement
inter-DC Layer 2 connection by leasing the VPLS service from the carrier or by building an
IP/MPLS backbone network or a VPLS network. This VPLS interconnection solution applies
to most enterprises, supports long-distance Layer 2 communication, and requires low
networking costs.
Figure 4-4 VPLS interconnection design
[Figure: Data center 1 and Data center 2, each with access switches (iStack) and aggregation switches (CSS), attached to the VPLS network; both sites belong to VSI A and are joined by LSP tunnels across the VPLS network.]
As shown in Figure 4-4, data center egress routers function as PEs, and aggregation switches function as CEs that connect to the PEs. PEs connect to each other through the carrier's VPLS or a WAN leased line (SDH/MSTP leased line).
If a data center has a large scale and many aggregation areas, add core devices to aggregate
these aggregation areas. Core devices then connect to the PEs through Eth-Trunks. This
method can aggregate multiple aggregation areas into a single VPLS site, simplifying VPLS
deployment.
If there are a variety of Layer 2 services between data centers, HQoS must be configured on
the PEs to ensure QoS for key services.
4.4 Inter-DC Layer 3 Interconnection Planning
4.4.1 Inter-DC Layer 3 Interconnection
Deploying Layer 3 interconnection between multiple data centers is flexible and ensures
service scalability, facilitating network expansion within data centers. Inter-DC Layer 3
connection can be implemented in multiple modes. The following describes the L3VPN
interconnection solution, which provides flexible, secure, and reliable service deployment.
4.4.2 L3VPN Interconnection Solution
In the L3VPN interconnection solution, an enterprise can lease the MPLS L3VPN service of a
carrier or build an IP/MPLS backbone network and an L3VPN for interconnection.
When an enterprise leases the carrier's MPLS L3VPN to implement inter-DC connection, core
switches in each DC function as CEs to connect to carrier's PEs. Carrier's PEs establish the
MPLS L3VPN to implement inter-DC Layer 3 connection as shown in Figure 4-5.
When an enterprise builds an IP/MPLS backbone network to implement Layer 3
interconnection, egress routers in each DC function as PEs, and core switches function as CEs
to connect to the PEs. The PEs establish the MPLS L3VPN to implement inter-DC Layer 3
connection as shown in Figure 4-6.
Figure 4-5 Inter-DC Layer 3 connection by leasing carrier's MPLS L3VPN
Figure 4-6 Inter-DC Layer 3 connection by building an IP/MPLS backbone network
There are various services between data centers, including storage, OA, production, and web services. Each service has different requirements for security level and service quality. The L3VPN technology implements secure service isolation and works with HQoS to ensure service quality.
4.4.3 Route Planning
Generally, you only need to deploy Interior Gateway Protocols (IGPs) including Open
Shortest Path First (OSPF) and Intermediate System-to-Intermediate System (IS-IS) in the DC.
To manage and maintain the network conveniently, it is recommended that you use the OSPF
dynamic routing protocol to ensure network stability and fast convergence of routes. BGP is
used to advertise routes between DCs. With a powerful routing control capability and
abundant routing policies, BGP is applicable to interconnection between large networks.
4.4.4 BGP Design
After regional DCs and global DCs are interconnected, each DC is defined as an AS. ASs
advertise their routes using EBGP. As shown in Figure 4-7, the AS-Path and MED attributes
are used to control and select routes with EBGP, enhancing link reliability.
Figure 4-7 BGP AS-Path route selection
[Figure: global active DC (AS 1) and global standby DC (AS 2) connected by a production service link and a disaster recovery link; regional active DC (AS 3) and regional standby DC (AS 4) connected in the same way; AS 3 learns route 10.1/16 with AS-Path "1" over the active path, "2 1" over standby path 2, "4 1" over standby path 1, and "4 2 1" over standby path 3.]
EBGP prefers the route with the shortest AS-Path. As shown in Figure 4-7, AS 3 receives
information on route 10.1/16 from AS 1, AS 2, and AS 4. The AS-Paths of these routes are AS
1, AS 2 1, AS 4 1, and AS 4 2 1.
- The route advertised from AS 1 (active path) has the shortest AS-Path. Therefore, it has the highest priority and is selected.
- The route with AS-Path 4 2 1 (standby path 3) has the longest AS-Path. Therefore, it has the lowest priority.
- The routes with AS-Paths 2 1 (standby path 2) and 4 1 (standby path 1) have the same AS-Path length. The BGP MED attribute is needed to distinguish their priorities. As shown in Figure 4-8, the MED value of route 10.1/16 advertised from AS 4 is 100, smaller than that of the route advertised from AS 2. Therefore, standby path 1 has a higher priority than standby path 2.
Figure 4-8 BGP MED route selection
[Figure: the same four DCs as in Figure 4-7 (AS 1 global active DC, AS 2 global standby DC, AS 3 regional active DC, AS 4 regional standby DC) with production service links and disaster recovery data links; AS 3 receives 10.1/16 with MED 200 from AS 2 and MED 100 from AS 4; the active path and standby paths 1, 2, and 3 are marked.]
BGP has powerful routing control and selection capabilities. By controlling the BGP AS-Path
and MED attributes, you can effectively solve the route selection and link reliability problems
in multiple DCs.
4.5 Network Reliability Planning
4.5.1 Network Reliability Between Regional DCs and Global DCs
The global active DC is connected to the global disaster recovery center using two
independent links: a production service link and a disaster backup link. The two links are
isolated to guarantee bandwidth.
The regional active DC is connected to the regional disaster recovery center using two
independent links: a production service link and a disaster backup link. The regional active
DC is connected to the global active DC and the regional disaster recovery center is connected
to the global disaster recovery center.
Figure 4-9 shows the network topology between global DCs and regional DCs.
Figure 4-9 Plan for active and standby paths connecting DCs
[Figure: global active DC and global standby DC joined by a production service link and a disaster recovery link; regional active DC and regional standby DC joined likewise; from the regional active DC, the active path and standby paths 1, 2, and 3 to the global active DC are marked.]
Four DCs are defined as four autonomous systems (ASs). They advertise routes using EBGP.
As shown in Figure 4-9, the regional active DC has four paths to the global active DC.
Priorities of four paths are as follows:
- Highest priority: active path. If the link is normal, the regional active DC is directly connected to the global active DC.
- Second highest priority: standby path 1. If the gateway or the outbound link of the regional active DC is faulty, the regional active DC is connected to the global active DC through the regional backup DC.
- Third highest priority: standby path 2. If the access device of the global active DC is faulty, the regional active DC is connected to the global active DC through the global disaster recovery center.
- Lowest priority: standby path 3. If the preceding faults occur concurrently, the regional active DC is connected to the global active DC through the regional backup DC and then the global disaster recovery center.
The priorities of the links are determined by the EBGP AS-Path and MED attributes.
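The path ranking described in Section 4.4.4 (Figures 4-7 and 4-8) and the failover order of Section 4.5.1, worked through as an added example; this is not Huawei's code or the behaviour of any particular router, only a model of the two attributes the text relies on. It assumes the MED values of Figure 4-8 (100 from AS 4, 200 from AS 2), assumes a MED of 0 where the figures give none, and, because standard BGP compares MED only between routes from the same neighbouring AS, assumes that the receiving router is configured to always compare MED, which is what comparing the AS 2 and AS 4 routes requires. The failover sequence models a failed neighbour by withdrawing every route learned from it:

```python
"""Added example (not Huawei's code): rank the four EBGP paths of Figures 4-7/4-8
by AS-Path length, then MED, and walk through a failover order as in Section 4.5.1."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple      # AS numbers as received, nearest neighbour first, e.g. (4, 2, 1)
    med: int            # lower is preferred; 0 where the figure gives no value (assumption)
    label: str          # path name taken from the figure


def rank_routes(routes):
    """Best route first: fewer ASs in AS_PATH, then lower MED, then label for determinism.

    Comparing MED across routes from AS 2 and AS 4 (different neighbouring ASs)
    assumes the router's "always compare MED" behaviour is enabled.
    """
    return sorted(routes, key=lambda r: (len(r.as_path), r.med, r.label))


def best_route(routes):
    """The route that would be installed; an empty candidate list means no path at all."""
    if not routes:
        raise ValueError("no route to the prefix: destination unreachable")
    return rank_routes(routes)[0]


def withdraw(routes, neighbour_as):
    """Model a failed link to one neighbouring AS: every route learned via it disappears."""
    return [r for r in routes if r.as_path[0] != neighbour_as]


# Constructed inputs reproducing what AS 3 (the regional active DC) receives for 10.1/16.
# MED 100 from AS 4 and MED 200 from AS 2 come from Figure 4-8; the other MEDs are assumed 0.
CANDIDATES = [
    Route("10.1.0.0/16", (1,),      0,   "active path"),
    Route("10.1.0.0/16", (2, 1),    200, "standby path 2"),
    Route("10.1.0.0/16", (4, 1),    100, "standby path 1"),
    Route("10.1.0.0/16", (4, 2, 1), 0,   "standby path 3"),
]


def priority_order(routes=CANDIDATES):
    """Path labels from highest to lowest priority."""
    return [r.label for r in rank_routes(routes)]


def failover_sequence(routes=CANDIDATES):
    """Best path as neighbours fail one after another: first the direct link to AS 1,
    then the link to AS 4 (regional standby DC)."""
    sequence = [best_route(routes).label]
    routes = withdraw(routes, 1)
    sequence.append(best_route(routes).label)   # MED tie-break: AS 4 (100) beats AS 2 (200)
    routes = withdraw(routes, 4)
    sequence.append(best_route(routes).label)   # only the AS 2 route is left
    return sequence


if __name__ == "__main__":
    print(priority_order())
    print(failover_sequence())
```

The MED tie-break is the step worth checking in a real deployment: without the always-compare-MED setting, standby paths 1 and 2 would be decided by later steps of the router's selection process rather than by the MED values the figure shows.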
4.5.2 Network Reliability Between a Country/Region Branch and
Regional DCs
A country/region branch is connected to the regional active/backup DCs by using active/standby links from different carriers. Figure 4-10 shows the network topology between a country/region branch and regional centers.
Figure 4-10 Country/region branch's connection to regional DCs
[Figure: regional active DC and regional standby DC joined by a production service link and a disaster recovery link; the country/region branch reaches them over the active path, standby path 1, and standby path 2.]
The active link of the country/region branch is connected to the regional active DC and the
standby link to the regional backup DC. The regional active DC, regional backup DC, and
country/region branch are defined as different ASs by EBGP.
- Active path. Generally, the country/region branch is directly connected to the regional active DC using the active access link.
- Standby path 1. If the active access link is faulty, the country/region branch is connected to the regional active DC through the regional backup DC using the standby access link.
- Standby path 2. If the regional active DC is faulty, traffic is switched to standby path 2 at the application layer using the domain name system (DNS) mechanism.
4.6 Application Acceleration Planning
4.6.1 Application Acceleration Overview
When branch users, remote users, or partners access the data center, they are connected to the
data center through the WAN. The WAN has limited bandwidth, long delay, and low reliability.
As a result, there is a delay in responding to real-time services and connections are unstable.
Users' service experience is degraded.
For example, in the desktop cloud service, if the data center needs to provide the same user experience as a local PC, the system response period (from the time a user performs an action to the time the information is updated on the screen) must be within 41 ms. However, the average delay of global WANs is longer than 250 ms. Such a long delay cannot meet seamless service experience requirements.
To improve user experience over WANs, there are two ways. The first way is to improve
WAN performance, for example, increasing bandwidth, optimizing network topology, and
performing QoS scheduling. However, this method is not suitable for most enterprises
because they lease carriers' WANs.
Another way is to deploy application acceleration systems on the two communicating ends
(such as branches and data center) and use WOA technology as shown in Figure 4-11.
Figure 4-11 Application acceleration deployment
4.6.2 Application Acceleration Technologies
Insufficient bandwidth and long delay are major problems of WANs. The possible causes of
long delay include:
- Inefficient transport protocols, for example, the TCP handshake and a small sliding window
- Inefficient application layer protocols, for example, repeated requests, interaction/waiting mechanisms, and small fragments
For example, to open a 5 MB Word document, the system needs to process 700 requests,
including 550 read requests and 150 other requests. It takes 250 ms for the system to respond
to one request, so the total response time exceeds 175 seconds, which is too long for users.
Application acceleration technology optimizes network performance in the following aspects
listed in Table 4-1.
Table 4-1 Application acceleration technologies on WANs
Data optimization: Compresses and caches data, and avoids retransmission to save bandwidth. Result: WAN bandwidth consumption is reduced by 60% to 95%.
Transmission optimization: Optimizes the TCP slow start mechanism, congestion management mechanism, ACK/retransmission mechanism, sliding window, TCP reuse, and SSL to speed up network transmission. Result: Applications are accelerated by up to 100 times.
Application optimization: Optimizes the interaction mechanisms of common applications, such as CIFS, MAPI, NFS, HTTP, HTTPS, and FTP, to improve protocol efficiency and application processing speed. Technologies such as local proxy, local response, data caching, and preview/pre-read/write can be used. Result: The number of packet exchanges is reduced by up to 98%.
Management optimization: Implements transparent deployment, centralized management, and service virtualization of branches. Result: Fewer IT resources are used, and the branch infrastructure is simplified.
4.6.3 Application Acceleration Design
Figure 4-12 shows the application acceleration system design.
Figure 4-12 Application acceleration design
Branch1
Mobile user
Internet
Data center
Regional center
WAN acceleration device
The application acceleration design covers the following:
- Establish connections between data centers and branches through a WAN.
- Deploy WAN acceleration devices in the data centers and branches. Deploy high-specification WAN acceleration devices in the data centers.
- Deploy WAN acceleration devices in data centers. WAN acceleration devices can be deployed in the following modes:
  − Connect WAN acceleration devices to core or aggregation switches in bypass mode.
  − Connect WAN acceleration devices to egress routers in bypass mode.
  − Deploy WAN acceleration devices behind egress routers in inline mode.
- Enable mobile users to use the client software for application acceleration.
The application acceleration design has the following advantages:
- Reduces the investment in leasing WAN links and maximizes the return on investment.
- Reduces the dependence of application system deployment on networks.
- Improves application system availability and IT satisfaction.
4.7 Disaster Recovery Planning
4.7.1 Disaster Recovery Overview
The disaster recovery center is a computer network system established as a backup to the
production center. When the production center stops working due to a disaster, the disaster
recovery center takes over all or some of the services in the production center in a timely
manner, which minimizes or avoids losses caused by the disaster. Therefore, the disaster
recovery center can provide comprehensive and high-quality services for enterprises.
The disaster recovery system is classified into the following seven tiers according to the
international standard Share 78, as shown in Table 4-2.
Table 4-2 Disaster recovery tiers defined in Share 78
Tier 0: No off-site data
Tier 1: Pickup Truck Access Method (PTAM)
Tier 2: PTAM + hot standby center
Tier 3: Electronic Vaulting
Tier 4: Active secondary center
Tier 5: Two-Site Two-Phase Commit
Tier 6: Zero Data Loss
Huawei classifies disaster recovery into three levels by data and service characteristics as
shown in Table 4-3.
Table 4-3 Huawei defined disaster recovery levels
Backup-level: Backup-level disaster recovery corresponds to tiers 0 to 2 in Share 78. A backup data center is set up in another city or place. It does not back up applications and data in real time. When an accident occurs, services are manually switched to the backup data center. During backup, services may be interrupted.
Data-level: Data-level disaster recovery corresponds to tiers 3 to 5 in Share 78. A backup data center is set up in another city or place. It replicates key application data from the active data center in real time. When an accident occurs, the backup data center quickly takes over services. Services will not be interrupted.
Application-level: Application-level disaster recovery corresponds to tier 6 in Share 78. A backup data center identical to the active data center is set up in another city or place. It is the backup for the active data center or works together with the active data center. When an accident occurs, the backup data center quickly takes over services.
Figure 4-13 shows the service framework of data-level disaster recovery and application-level
disaster recovery.
Figure 4-13 Disaster recovery service classification
[Figure: the production center and disaster recovery center stacks are drawn side by side (service system, application software, database system, volume management software, system software, storage controller, storage device). Application-level disaster recovery covers process switchover at the service system layer and remote database replication at the database layer; data-level disaster recovery covers remote software mirroring at the volume management layer and remote hardware replication at the storage controller layer.]
Two technical specifications are used to measure disaster recovery:
- Recovery point objective (RPO): acceptable amount of data loss
- Recovery time objective (RTO): acceptable longest duration within which services are interrupted, that is, the shortest duration between the time when a disaster occurs and the time when services are restored
RPO measures data loss, while RTO measures service loss. RPO and RTO are not necessarily
related. RTO and RPO vary according to services and enterprises, and are calculated based on
service requirements after risk analysis and service influence analysis are performed.
Table 4-4 lists network requirements of disaster recovery tiers. Disaster recovery tiers 6 and 7
have the same network requirements.
Table 4-4 Network requirements of disaster recovery tiers
RTO: Tier 6 = 0; Tier 5 ≤ 2h; Tier 3-4 ≤ 4h; Tier 2 > 4h; Tier 1 > 48h
RPO: Tier 6 = 0; Tier 5 ≤ 15m; Tier 3-4 ≤ 4h; Tier 2 > 4h; Tier 1 > 24h
Data backup system: Tier 6 Highest; Tier 5 Higher; Tier 3-4 Medium; Tier 2 Low; Tier 1 Low
Backup infrastructure: Tier 6 Highest; Tier 5 Highest; Tier 3-4 Highest/medium; lower tiers Low
Backup network system: Tier 6 Highest; Tier 5 Highest; Tier 3-4 Highest/medium; lower tiers Low
Backup data system: Tier 6 Highest; Tier 5 Highest; Tier 3-4 Highest/low; lower tiers Low
Technical support: Tier 6 Highest; Tier 5 Higher; Tier 3-4 Higher/medium
Operation, maintenance, and management: Tier 6 Highest; Tier 5 Higher; Tier 3-4 Higher; Tier 2 Medium; Tier 1 Low
Disaster recovery plan: Highest for all tiers
Network requirements: Application-level disaster recovery requires construction of the disaster recovery center and data center; backup of all services or key services; remote disaster recovery at a distance of over 1000 km; SAN connection, bandwidth, and delay; and high reliability and routing performance. Data-level disaster recovery requires that the disaster recovery center only provides the storage system; service data backup; and disaster recovery in the same city or different cities. Lower tiers: Low
Service requirements: Tier 6 remote real-time backup, no data loss, seamless switching; Tier 5 real-time transmission; Tier 3-4 core data backup, data integrity; Tier 2 and Tier 1 data backup in the same city or different cities
4.7.2 Disaster Recovery Overview
In most cases, Huawei recommends that two DCs (active and backup) be built for remote
disaster recovery. Applications run on the computer system of the active DC and data is stored
on the storage system of the active DC. When the active DC stops working due to a disaster
such as power outage, fire or earthquake, traffic is switched to network cables and PSTN lines
connected to the backup DC where applications are restarted.
It takes a short time to finish the switchover. This type of recovery ensures the continuity and
integrity of data in both centers.
Traditional tape backup is performed at fixed points in time. If the system is corrupted, data written between the latest backup and the disaster is lost and cannot be recovered. In this backup mode, the backup speed is slow and backup is not performed in real time. Therefore, it cannot meet the requirements for recovering a large amount of data, database continuity, and real-time performance.
The mainstream disaster recovery solution is real-time backup. A real-time data recovery can
replicate updated data from the active DC to the backup DC through communications links,
ensuring synchronization between the active and backup DCs. If the active DC cannot work
properly, the backup DC takes over services of the active DC and maintains data integrity.
Layered Data Replication Technologies
Based on different layers in the information system, different IT technologies can be used to
synchronize or replicate data. The information system is divided into six layers:
z
Mirror-based replication technology
The core of this technology is to replicate production data remotely using the storage
array's disk-array-to-disk-array data block replication technology, which ensures the
security of the production data in a disaster. If a disaster occurs in the active DC, data in
the disaster recovery center can be used to establish an operating environment to provide
IT support for services. Data in the disaster recovery center can also be used to recover
the service system of the active DC to recover services quickly.
The mirror replication between disk arrays does not occupy the system CPU, memory,
and I/O resources, and has little impact on the application system because it does not
involve the host operating system. This is the most mature and widely used disaster
recovery technology. However, it requires that the same type of storage devices from the
same manufacturer be used in the production center and disaster recovery center.
Storage devices of mainstream manufacturers provide the disk array-level mirror
replication technology, such as EMC DMX SRDF, EMC CX MirrorView, IBM DS8000
MetroMirror, IBM DS8000 GlobalMirror, IBM DS4000 ERM, HP XP
ContinuousAccess, and HDS USP TrueCopy.
Issue 01 (2012-05-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
90
ONE NET DCN Data Center Solution
Technical Proposal
z
4 Suggestions on Planning Multiple DCs
SAN-based replication technology
This new technology has emerged in recent years. On a SAN network, a virtual storage
management device is deployed in a direct or bypass manner depending on
manufactures.
The SAN-based technology is applicable to heterogeneous storage devices and
transparent to the host. You can use this technology when disk arrays from many
manufactures exist in one DC, but it is immature and has an impact on the background
I/O storage speed
The products that provide this technology now include IBM SVC, EMC Invista, and
Falcon Ipstor.
z
Volume manager-based replication technology
This technology functions at the volume manager layer and it mirrors or replicates disk
volumes to implement disaster recovery. This technology does not require the same
storage devices on both production centers and disaster recovery centers, but it occupies
system CPU resources and has a great impact on the system performance. Therefore, it
has poor scalability and running performance. This technology is based on the host, so
unexpected unauthorized access to the protected data may occur, affecting system
stability and security.
Commonly used volume replication software includes Symantec Veritas Volume
Replicator.
z
File system-based replication technology
This technology replicates data files from the production center to the disaster recovery
center to implement data recovery. This technology functions in the file-based storage
systems, such as file servers, NAS, NAS devices, or file virtualization combinations.
The file-based replication technology is widely used for backing up data. The following
two reasons account for its popularity:
z
−
This technology is easy to deploy and supports standard protocols. In addition to its
own replication functions, it can work with multiple driver technologies to provide
more replication functions.
−
This technology provides enterprises with methods for using storage resources
properly, sharing resource across media servers, and configuring storage capacity for
media servers in a timely manner when the enterprises are running the block-based
storage system.
Database-based replication technology
This logical replication technology supports heterogeneous storage and operating system
platforms. After analyzing redo logs of the production database, this technology
generates universal or private SQL statements and transmits these statements to the
backup database for application.
The replication process does not involve the lower-layer storage. The replication is
performed across platforms at a high speed, but it occupies system resources, does not
support some special data formats and data description language (DDL) statements, and
cannot guarantee data consistency when random data is generated in the service system.
The common products that provide this technology include Oracle DataGuard, Oracle
Stream, Quest SharePlex for Oracle, DSG RealSync for Oracle, and IBM DB2 HA/DR.
- Application system-based replication technology
The application system must support transaction distribution when the application
system-based replication technology is used. This technology uses transaction
middleware to back up online transactions concurrently in the production center and
disaster recovery center, or to transmit updated data from the active DC to the backup
DC, ensuring data consistency between the production center and disaster recovery
center.
This technology requires low bandwidth, but existing applications can use it only after
they have been modified.
Data Backup Mode
Data can be backed up in both local and remote ends. Based on protection mechanisms of
different levels, two data backup modes are available.
- Synchronous mode
Before the next write operation is performed on disks, updated data in the last write
operation must be replicated to both local and remote volumes. The synchronous mode
provides the highest protection level, but application performance is affected due to the
time delay caused by data transmission between arrays in local and remote ends.
- Asynchronous mode
Local volumes can continue the write operation even if the remote volumes are not
updated. Remote volumes are updated after a period of delay. This mode ensures high
application performance, but data that is not updated to remote volumes will be lost if a
disaster occurs.
Based on the data backup design, four data backup modes are available:
- Cold standby
In cold standby mode, the production system database is periodically backed up to the
remote data center and medium such as tape. The backup data remains in inactive state
until a fault occurs. When the production database system becomes unavailable because
of a fault, the backup data is activated.
The timeliness of data backed up in cold standby mode depends on the latest database
backup. The database cold standby period is long.
Figure 4-14 Cold standby mode
[Figure: active DC and disaster recovery center, each with an FC/IP SAN and storage, connected through DWDM wavelength division devices; the active DC storage is active and the disaster recovery center storage is inactive]
- Warm standby
The warm standby mode requires a backup database system. The warm standby mode is
similar to the cold standby mode except that data of the backup database can be used to
restore services when the production database fails. Therefore, the data recovery time
required by warm standby is much shorter than that required by cold standby.
The warm standby mode is implemented by loading logs of the production database to
the backup database. The timeliness of data backed up in warm standby mode also
depends on the latest database backup. The schematic diagram of warm standby is
similar to that of cold standby.
- Hot standby
The hot standby mode is the highest-level database backup mode. The hot standby mode
requires a backup database that is in the same active state as the production database. In
addition, the production database and backup database are in synchronization state, and
all modifications to the production database are also made to the backup database.
Implementing the hot standby mode often requires complex hardware and software
technologies. Therefore, data recovery in hot standby mode requires higher costs than
that in cold standby or warm standby mode. Among the four data backup modes, the hot
standby mode provides fastest data recovery, which is essential to some important
service systems.
Figure 4-15 Hot standby mode
[Figure: active DC and disaster recovery center connected through DWDM wavelength division devices; Application 1 and Application 2 each have an active instance and a backup instance, and each application has a unique IP address; storage at both sites is active over FC/IP SAN]
- Active/active mode
When the active/active mode is used in the data center network architecture, two data
centers can serve users simultaneously. The data center often uses the multilayer
application architecture, including the web layer, application server layer, and database
layer. Implementing the active/active mode on each of the three layers has different
requirements.
At the web layer, services are not based on status; therefore, applications can connect to
the web layer of any data center. At the application server layer, the active/active mode
can be implemented on non-status-based applications. The databases in the cluster
cannot be far from each other. A long distance between the databases will hinder
database access and implementation of synchronization policies. Therefore, it is difficult
to implement the active/active mode at the database layer when data centers are far from
each other.
Figure 4-16 Active/active mode
[Figure: Internet users reach a DNS server/global load balancer through ISP A and ISP B and are distributed between the active DC and the disaster recovery center; Application 1 and Application 2 run in both data center networks; the FC/IP SAN storage at each site is linked through wavelength division devices over the data backup network]
Table 4-5 Comparisons between the four data backup modes
Data Backup Mode | Reliability Solution       | Disaster Recovery | Data Backup Requirements       | Data Backup Tier
Active/active    | Load balancing             | Automatic         | Synchronous backup (< 100 km)  | 6
Hot standby      | Cluster                    | Automatic         | Synchronous backup (100 km)    | 5/6
Warm standby     | Manual intervention        | Manual            | Asynchronous backup (> 100 km) | 4/5
Cold standby     | Strong manual intervention | Manual            | Asynchronous backup (> 100 km) | 1/2
4.7.3 Disaster Recovery Network Planning
According to the disaster recovery network design, two disaster recovery modes are available:
intra-city real-time disaster recovery and inter-city backup disaster recovery as shown in
Figure 4-17.
Figure 4-17 Networking planning for intra-city and inter-city disaster recovery
[Figure: a production center, a production/disaster recovery center in the same city, and a remote disaster recovery center, each with a core layer, an access layer, servers, an FC SAN, and storage; the two intra-city centers are linked through DWDM, and the remote center is reached over a WAN through SDH with application acceleration at both ends]
Disaster Recovery in the Same City
In the metro disaster recovery solution, Huawei recommends that core service data be backed
up in synchronous or asynchronous mode based on the physical distance between the disaster
recovery center and the production center.
On the FC SAN network, Wavelength Division Multiplexing/Synchronous Digital
Hierarchy (WDM/SDH) technology can be used for remote backup, and the
mirror-based replication technology can be used to synchronize data in real time.
If the distance between the disaster recovery center and the production center is within 100
km and the two centers are connected using optical fibers, some core service data can be backed
up in synchronous mode and the rest in asynchronous mode, taking into account the
transmission delay of optical fiber signals.
If the two centers are connected using IP data links, IP SAN-based communication protocols
such as Fibre Channel over IP (FCIP), Internet Fibre Channel Protocol (iFCP), InfiniBand, and
Internet Small Computer System Interface (iSCSI) can be used to transmit data. Huawei
recommends the asynchronous mode.
Remote Disaster Recovery
In the remote disaster recovery solution, data is backed up through leased lines and on the
asynchronous transfer mode (ATM) network.
If users have a sufficient budget, it is recommended that they use point-to-point leased lines
and WAN acceleration devices to reduce the leased WAN bandwidth, providing high-speed
and efficient data backup services at minimum cost.
Data is backed up in asynchronous mode, which meets the bandwidth and transmission
delay requirements of remote disaster recovery. If the amount of data exceeds the threshold in
the disaster recovery center, the overflow data is backed up to the tape library or CD-ROM
library using the snapshot technology.
Data transmission delay exists between the remote disaster recovery center and the local
production center and varies with the adopted technologies, bandwidth, distance, and
characteristics of data flows. Software-based replication technologies can easily
implement queuing and resumable transmission mechanisms, ensuring data consistency if a
disaster occurs.
Compared with the synchronous mode, the asynchronous mode has low requirements for
bandwidth and distance. It requires that all data can be replicated from the local end to the
remote end within a certain period of time, and it does not affect application system performance.
If a disaster occurs in the local production center, however, data that has not yet reached the
remote end is temporarily lost (if the transmission rate is low and the data has not been
transmitted completely over the WAN), but data consistency is not affected, similar to what
happens when the local host is abnormally shut down.
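The synchronous and asynchronous modes described under Data Backup Mode, and the asynchronous-mode loss behaviour described above, modelled as a small write-log simulation. This is an added example, not part of the Huawei proposal; the Volume/ReplicationPair names, the link delay and the write sequence are constructed.

```python
"""Synchronous vs asynchronous replication, modelled as a write log.

Added example, not Huawei code. In "sync" mode a write is acknowledged
only after the remote volume holds it; in "async" mode the application
continues and the write is shipped after a link delay. A disaster at the
production site shows what is lost and that the remote copy is still a
consistent prefix of the write sequence. All values are constructed.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Volume:
    writes: list = field(default_factory=list)   # ordered (seq, payload) log


@dataclass
class ReplicationPair:
    mode: str                 # "sync" or "async"
    link_delay_ms: int        # time to ship one write between the two arrays
    local: Volume = field(default_factory=Volume)
    remote: Volume = field(default_factory=Volume)
    pending: deque = field(default_factory=deque)   # async writes in flight
    clock_ms: int = 0
    app_wait_ms: int = 0      # total time the application was blocked

    def write(self, seq, payload):
        self.local.writes.append((seq, payload))
        if self.mode == "sync":
            # Acknowledge only once the remote array has the data: the
            # application pays the inter-array delay on every write.
            self.clock_ms += self.link_delay_ms
            self.app_wait_ms += self.link_delay_ms
            self.remote.writes.append((seq, payload))
        else:
            # Acknowledge immediately; the write arrives remotely later.
            self.pending.append((seq, payload, self.clock_ms + self.link_delay_ms))

    def advance(self, ms):
        """Let time pass and apply in-flight async writes that have arrived, in order."""
        self.clock_ms += ms
        while self.pending and self.pending[0][2] <= self.clock_ms:
            seq, payload, _ = self.pending.popleft()
            self.remote.writes.append((seq, payload))

    def disaster(self):
        """Production site lost: writes still in flight never arrive."""
        self.pending.clear()
        n_remote = len(self.remote.writes)
        return {
            "lost_writes": len(self.local.writes) - n_remote,
            # The remote volume must equal a prefix of the local log, which is
            # the same state a host leaves after an abrupt shutdown.
            "consistent": self.local.writes[:n_remote] == self.remote.writes,
            "app_wait_ms": self.app_wait_ms,
        }


def simulate(mode, link_delay_ms=2, n_writes=10, write_gap_ms=1):
    """Issue n_writes writes spaced write_gap_ms apart, then lose the production site."""
    pair = ReplicationPair(mode=mode, link_delay_ms=link_delay_ms)
    for seq in range(n_writes):
        pair.write(seq, f"block-{seq}")
        pair.advance(write_gap_ms)
    return pair.disaster()


if __name__ == "__main__":
    for mode, delay in (("sync", 2), ("async", 2), ("async", 5)):
        print(mode, f"{delay} ms link:", simulate(mode, link_delay_ms=delay))
```

Raising the link delay (a longer distance) leaves more writes in flight at the moment of the disaster, which is the recovery-point cost of the asynchronous mode; the synchronous mode loses nothing but charges that same delay to every application write.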
4.7.4 Service Planning for Disaster Recovery
Based on real-time synchronization, automatic switchover and active/active load balancing
can be implemented for services. As shown in Figure 4-18, intelligent DNS servers (global
load balancers) monitor the status of web servers and local load balancers, and provide DNS
resolution results based on the status.
If a web server fails in the active DC, the local load balancer switches services on this web
server to the other web server in the center. If the whole active DC fails, the global load
balancer switches services in the center to the disaster recovery center.
Figure 4-18 Automatic switchover and active/active load balancing implemented based on the
active/backup intelligent DNS/GSLB
[Figure: the carrier DNS (3) queries the intelligent DNS (global load balancer) in the active DC and in the disaster recovery DC; each DC has a local load balancer (2) in front of its web servers (1); the global load balancers monitor the status of the servers and local load balancers; normal access goes to the active DC and backup access to the disaster recovery DC]
The DNS service has a great impact on services in the DC, so disaster recovery for DNS
servers must be taken into consideration. In multiple DCs, it is recommended that you deploy
the slave DNS server in the active DC, and master DNS server in the backup DC. This
guarantees the proper operation of DNS services when the whole active DC fails.
In addition, the manual switchover mode can be used for disaster recovery. When the DC
experiences a disaster, the network segment of the disaster recovery center can be manually
opened so that users and branches can connect to the disaster recovery center without
performing any operations. The reachable route import mode can also be used. In most cases,
the active DC advertises low-cost routes, whereas the backup DC advertises high-cost routes.
When both the active and backup DCs are working properly, a user receives two host routes
with different costs after sending a connection request. Normally, the user selects the route
with a lower cost to connect to the active DC. When the active DC experiences a disaster, the
user can only receive a route with high cost from the backup DC, so the user can only connect
to the backup DC using this route.
Table 4-6 shows the comparisons between the three common switchover modes.
Table 4-6 Comparisons between service recovery modes
Service Recovery Mode  | Applicable Disaster Recovery Mode | Switchover Speed | Required Device | Scalability (Multiple DCs)
Manual mode            | Cold standby                      | Minutes          | None            | Low
DNS mode               | Hot standby, active/active        | Minutes          | DNS server      | High
Route convergence mode | Hot standby                       | Seconds          | Load balancer   | Medium
4.8 Service Distribution Planning
4.8.1 Service Distribution Overview
With the development and expansion of enterprises, the deployment mode of DCs evolves
from single-center mode to three-center-in-two-area mode and multiple-center mode. Services
are hosted in active DCs or regional DCs as required.
Based on user experience and service characteristics, services have different requirements for
bandwidth and transmission delay. Therefore, the related DCs are deployed in different modes.
For example, office automation (OA) services such as Notes and Email, are sensitive to
transmission delay and require high bandwidth. Therefore, they are deployed in distributed
mode, which reduces bandwidth on leased lines of regional DCs and active DCs.
4.8.2 Service Distribution Planning
Services in DCs are deployed in the centralized and distributed manner to meet operators'
network requirements and increase user satisfaction. The following table lists characteristics
of some application services in DCs and recommendations on their deployment modes.
Table 4-7 Centralized and distributed deployment modes of application services
Application Service | Architecture | Characteristics | Deployment Mode
OA services (such as Notes and Email) | C/S | Interactive operation: sensitive to delay; large-amount-of-data operation: sensitive to bandwidth and delay | Distributed deployment: OA services are deployed in global active DCs and regional DCs in the distributed mode.
Web service | B/S | Interactive operation: sensitive to delay; large-amount-of-data operation: sensitive to bandwidth and delay | Centralized and distributed deployment: database servers and application servers are deployed in centralized mode; HTTP servers are deployed in distributed mode.
ERP | B/S | Sensitive to delay and error codes | Centralized deployment: ERP is deployed in global active DCs in centralized mode.
Video/VoIP | - | Sensitive to bandwidth and jitter | Centralized and distributed deployment: gatekeepers (GKs) are deployed in centralized mode; multipoint control units (MCUs) are deployed in distributed mode.
Interactive production services | - | Interactive operation and low bandwidth | Centralized deployment: interactive production services are deployed in DCs in centralized mode.
Centralized and distributed deployment modes are applicable to the services in Table 4-8.
Table 4-8 Services deployed in the centralized/distributed mode
Deployment Mode        | Applicable To
Distributed deployment | - Services distributed in regions
                       | - Services limited within regions
                       | - Services with heavy traffic and frequent interactions
Centralized deployment | - Services with light traffic, such as services in the early development stage
                       | - Services of great importance and requiring surveillance by headquarters
With the global load balancing technology, distributed services serve enterprise users from
the nearest DC, back up data for each other across DCs in multiple locations, and perform load
balancing among multiple DCs.
Currently, GSLB technologies are implemented based on DNS, application redirection, IP
address spoofing (triangulation), and host route import. The last three implementation modes
have many limitations or poor performance, so DNS-based GSLB is the current mainstream
technology.
Figure 4-19 shows the principle of DNS-based GSLB.
Figure 4-19 DNS-based GSLB
Step 1 A user needs to access http://www.abc.com and sends a DNS request for the IP address of
www.abc.com to the corresponding carrier's local DNS server.
Step 2 The local DNS server finds the primary and secondary DNS servers of abc.com through
recursive resolution.
Step 3 The GSLB device that receives the DNS request checks whether it has a best-matching
entry for the local DNS server. If so, it returns the best-matching server IP address to the
local DNS server. If not, it instructs the other GSLB device to search for a best-matching
entry for the local DNS server as well.
Step 4 The two GSLB devices probe the local DNS server separately. The GSLB device at the DR
site measures an RTT of 300 ms to the local DNS server, whereas the GSLB device at the
main site measures an RTT of 150 ms. Matching entries for the local DNS server are then
generated on both GSLB devices.
Step 5 The GSLB device that receives the local DNS request returns the corresponding server IP
address to the local DNS server according to the matching entry for the local DNS server.
Step 6 After obtaining the server IP address, the local DNS server sends it to the user.
Step 7 The user accesses the website www.abc.com.
----End
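The Figure 4-19 walkthrough (Steps 3 to 5) together with the whole-DC failure case of Section 4.7.4, as an added example that is not Huawei's or the page's code. The site names, VIP and resolver addresses (documentation ranges), the RTT table, the entry TTL and the GslbDevice class are all assumptions constructed for the example.

```python
"""DNS-based GSLB answer selection, following Steps 3 to 5 of Figure 4-19.

Added example, not Huawei code. Each site has a GSLB device; the devices
share "matching entries" keyed by the querying local DNS server and built
from RTT probes. A per-site health flag models the whole-DC failure case
of Section 4.7.4. Site names, addresses, RTTs and the TTL are constructed
(documentation address ranges are used).
"""

SITES = {
    "main": {"vip": "198.51.100.10", "healthy": True},
    "dr":   {"vip": "203.0.113.10",  "healthy": True},
}

# Constructed probe results: RTT in ms from a site's GSLB device to a local DNS
# server. The values are the ones used in the Figure 4-19 walkthrough.
PROBE_RTT_MS = {
    ("main", "192.0.2.53"): 150,
    ("dr",   "192.0.2.53"): 300,
}

ENTRY_TTL_S = 600     # after this a matching entry is rebuilt from fresh probes


class GslbDevice:
    def __init__(self, site):
        self.site = site
        self.entries = {}   # local DNS IP -> (rtt_by_site, created_at)

    def probe_rtt(self, ldns_ip):
        # Stand-in for the real measurement toward the local DNS server.
        return PROBE_RTT_MS.get((self.site, ldns_ip))

    def build_entry(self, ldns_ip, peers, now):
        """Step 4: every GSLB device probes the local DNS server; the combined
        result is installed as the matching entry on all devices."""
        rtt_by_site = {}
        for dev in [self, *peers]:
            rtt = dev.probe_rtt(ldns_ip)
            if rtt is not None:
                rtt_by_site[dev.site] = rtt
        for dev in [self, *peers]:
            dev.entries[ldns_ip] = (rtt_by_site, now)
        return rtt_by_site

    def resolve(self, ldns_ip, peers, now):
        """Steps 3 and 5: answer from the matching entry (built on a miss or
        after expiry) with the lowest-RTT site that is currently healthy."""
        entry = self.entries.get(ldns_ip)
        if entry is None or now - entry[1] > ENTRY_TTL_S:
            rtt_by_site = self.build_entry(ldns_ip, peers, now)
        else:
            rtt_by_site = entry[0]
        candidates = {s: r for s, r in rtt_by_site.items() if SITES[s]["healthy"]}
        if not candidates:
            return None     # no site can serve; the resolver gets no answer
        return SITES[min(candidates, key=candidates.get)]["vip"]


def walkthrough():
    """Figure 4-19 flow, then the active-DC failure of Section 4.7.4."""
    main, dr = GslbDevice("main"), GslbDevice("dr")
    ldns = "192.0.2.53"      # the carrier's local DNS server (constructed)
    first = main.resolve(ldns, [dr], now=0)       # miss: probes run, main wins (150 ms)
    cached = dr.resolve(ldns, [main], now=60)     # DR device answers from the shared entry
    SITES["main"]["healthy"] = False              # whole active DC fails
    failover = dr.resolve(ldns, [main], now=120)  # DR VIP is handed out instead
    SITES["main"]["healthy"] = True
    return first, cached, failover


if __name__ == "__main__":
    print(walkthrough())
```

Clients keep using the cached answer until its DNS TTL expires, which is why Table 4-6 rates DNS-mode switchover in minutes rather than seconds.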
5 DC Network Maintenance Recommendations
5.1 Network Management
5.1.1 NMS Overview
As the scale and complexity of DC networks grow, the DC network topology becomes
complex. How to obtain network changes, operating status, and network resource
information in time has become a major concern for DC network administrators.
Huawei eSight is a new generation of NMS targeting the enterprise campus and DC. It can
uniformly manage enterprise resources, services, and users.
The eSight manages all IT devices, IP devices, and third-party devices, intelligently analyzes
network traffic and access users' roles, and automatically adjusts network control policies to
ensure enterprise network security. In addition, it provides a flexible and open platform on
which enterprises can develop their own intelligent management systems.
In DC scenarios, Huawei eSight provides a variety of application and management functions:
- Manages various Huawei and non-Huawei devices.
- Manages all DC resources.
- Provides a visual, unified DC view.
- Supports comprehensive fault monitoring.
- Performs fine-grained management of equipment rooms.
- Monitors and manages DC network performance.
- Performs right-, area-, and time-based user management.
Using eSight, you can view and understand the network topology, configure
system information, and manage network devices.
5.1.2 Networking Mode
Centralized Deployment
eSight works in browser/server (B/S) mode and allows multiple browsers to access
simultaneously.
Figure 5-1 Centralized deployment
[Figure: eSight and the DSM sit in the management zone, separated from the core zone by a firewall; the system administrator accesses eSight]
Hierarchical Deployment
eSight supports hierarchical management to allow an enterprise headquarters to manage
branches. eSight allows you to add a lower-level NMS to the upper-level NMS and provides
a link to open the lower-level NMS page. When users click the lower-level NMS link, a new
browser window opens. Users can open the lower-level NMS page without logging in to
it again.
Figure 5-2 eSight hierarchical management
[Figure: the core layer network and the aggregation layer network are managed by the eSight professional version; the access layer network is managed by the eSight standard version]
Integrated with the OSS
eSight can integrate with the OSS. eSight reports network alarms using SNMP to work with
the OSS alarm system.
Figure 5-3 eSight integrated with the OSS
5.1.3 eSight Highlights
Oriented towards enterprise networks, eSight can manage network devices, servers, and IT
applications. A single eSight can manage devices from multiple vendors. eSight provides
required information for operation and maintenance personnel, which reduces the workload of
the operation and maintenance personnel. eSight provides various management functions and
flexible maintenance measures, which makes it easy to perform routine maintenance. eSight
has the following advantages.
Lightweight and Componentized Architecture
The Browser/Server (B/S) structure, fit client, and componentized decoupling of functional
modules allow eSight to meet requirements in different enterprise network scenarios,
providing management for enterprise networks in a wide range.
Device Adaptation Technology
The device adaptation technology aims to load different adaptation packages on a stable
eSight edition to manage various devices. This ensures stability of core functions and
implements quick adaptation of new device types and versions.
Multiple Editions
Different eSight editions are provided for enterprises with different network scales, covering
both the low-end and mid-range network management requirements of small and medium
enterprises and the high-end network management requirements of large enterprises.
Secondary Development Capability
Because there are a great number of enterprises, eSight AppBase must provide secondary
development capability for agents or cooperators to conduct secondary development and
customization, satisfying requirements of different customers in different scenarios. eSight
AppBase must provide stable interfaces and mechanism for easily integrating with third-party
systems.
Multi-service Management
eSight provides the following management functions: topology management, fault
management, performance management, configuration management, and security
management. In addition, eSight functions as a platform for other service management
components to enhance overall management functions. eSight provides instructions on the
GUI on how to use its functions.
By using the WLAN service to manage hosts, eSight helps customers quickly deploy wireless
networks, providing integrated wired and wireless management for network devices and
WLAN devices. This lays a foundation for routine network maintenance and network
adjustment, considerably improving network management efficiency. BGP/MPLS VPN
service management allows eSight to monitor and manage VPN services.
5.1.4 Network Routine Maintenance
Overview
Routine maintenance is complex and the workload is heavy. The following tasks are involved
in maintenance:
- Monitoring topology objects
- Monitoring network elements
- Configuring network elements
- Monitoring services
- Diagnosing faults
- Monitoring performance
- Checking resources
- Generating reports
Huawei eSight can quickly and accurately provide required information for network
administrators, which significantly relieves their workload. The eSight provides abundant
management functions and various maintenance methods for operators to implement routine
maintenance easily.
Managing Topologies
The eSight topology view displays the navigation tree on the left and the view on the right.
The navigation tree displays the hierarchy of the network structure while the view displays
hierarchical objects in different coordinates so that users can learn about the object
deployment in a clear and direct way.
The eSight topology view provides the following functions:
- Adding, deleting, modifying, and querying subnets, network elements (NEs), links, and
virtual NEs
- Moving elements on the topology
- Displaying the alarm status and tips
- Arranging NEs, viewing NE attributes, zooming in or out on NE icons, and printing the
topology view
- Providing shortcut access interfaces, such as the shortcut to accessing the NE manager or
viewing device alarms
Monitoring NEs
The homepage of the NE manager displays basic information about NE devices, top N
alarms, interface traffic, bandwidth usage, CPU, and memory in tables. Users can determine
whether to display these performance tables as required.
Configuring NEs
The eSight configures a single NE in the following ways:
- The eSight configures interfaces and routes using the simple configuration frame.
- The eSight configures a single NE using the smart configuration tool.
- The eSight configures switches, access routers, and security devices using the web NMS.
- During new deployment and network maintenance, users need to configure services for
devices deployed in centralized mode in batches. In this case, Huawei recommends using
the smart configuration tool to configure services for multiple devices in batches,
which significantly improves operation and maintenance efficiency.
Managing Alarms
eSight monitors exceptions on the network in real time and provides measures such as the
alarm panel, alarm browsing, alarm operations, alarm rule setting (alarm suppression rule and
audio setting), and remote alarm notification rules. This helps the network administrator take
measures to recover network operation.
You can set remote alarm notification rules, alarm suppression rules, and audios, helping
administrators to optimize network management.
Monitoring Services
The eSight monitors services in real time and collects traffic statistics and other information
based on the service type, which helps the maintenance personnel to monitor services.
Monitoring Network Performance
The eSight can monitor the key performance indexes (KPIs) of a network and collects
performance statistics. Users can manage network performance on the eSight graphical user
interfaces (GUIs).
Users can query the collected performance data displayed in GUI in the performance
monitoring view to learn the network performance within a specified period and predict the
network performance change.
Querying Resources and Managing Reports
The eSight provides various resources and predefined reports and the easy-to-use report
design function so that users can design reports based on the industry features and OAM
requirements.
Managing Configuration Files
The eSight can manage configuration files to help users quickly save files and log in to the
device. In addition, the eSight provides a tool to inspect devices periodically, lessening the
workload of the maintenance personnel.
Intelligent Configuration
eSight smart configuration tool provides service configuration and profile-based and plan
sheet-based batch configuration for Huawei NEs.
- Profile deployment
A profile is used for delivering the same service configuration to multiple NEs. You can
configure a profile to batch deliver the service configuration to Huawei NEs, or
customize a profile to deliver the configuration using a configuration wizard and verify
the commands.
- Plan sheet deployment
A plan sheet is used for delivering similar service configuration to multiple NEs. To use
the plan sheet for batch configuration delivery, set parameters in the exported plan sheet,
export the parameters in the smart configuration tool, and deliver the configuration using
a configuration wizard.
5.1.5 Customization of Third-Party Devices
Network devices in a DC come from different manufacturers and cannot be managed in a
uniformly pre-integrated manner. Therefore, customization capabilities are required. If
each vendor's network devices are managed by their own NMS, the maintenance cost will be
higher and the workload of the maintenance personnel will be heavier.
Huawei eSight provides customization capabilities for users to manage third-party devices.
Users can configure the following information to manage third-party devices as required:
- Configuring manufacturers
The eSight can configure the name and contact information of a manufacturer. The
configured manufacturer information is used in the subsequent configuration of device
models.
- Configuring device models
The eSight can configure the description, icon, and web link for a device model. The
configured icon is displayed on the topology.
- Customizing alarms
The eSight can customize reported alarms. The customized alarms can be parsed and are
displayed on the alarm management page.
- Customizing performance indexes
The eSight can customize performance indexes of devices. The customized performance
indexes are collected by the performance statistics task and displayed on the performance
page.
- Customizing device panels
The eSight can customize the simulation images of subracks, boards, subcards, and ports.
The customized panel will display the new simulation images.
- Customizing configuration files
The eSight can customize commands to back up, restore, or restart configuration files so
that configuration files can be automatically backed up.
- Customizing reports
The eSight can make report designs by modifying predefined report design files.
5.1.6 Software Upgrade and Patch Loading
Overview
A DC has many network devices. Therefore, it is time consuming to upgrade software or load
patches on these devices one by one and upgrade failures may occur due to human factors.
Huawei recommends you upgrade software and load all patches remotely at one time. This
method significantly lessens the workload of maintenance personnel and avoids failures
caused by human factors.
Upgrading Software
The eSight provides a function to upgrade software remotely at one time. Figure 5-4 shows
the operation guide to upgrade devices. If the upgrade fails, the eSight provides
troubleshooting methods to ensure that devices run in normal status.
Figure 5-4 Software upgrade flowchart
[Flowchart: Start → Configure FTP/TFTP/SFTP servers (optional) → Configure backup/load path (optional) → Prepare application files → Create and execute the upgrade task → Query the execution result → Is the upgrade successful? If no, troubleshoot the fault; if yes, End]
Loading Patches
The eSight provides a function to load patches remotely at one time. Figure 5-5 shows the
operation flow to load patches. The eSight also provides the patch rollback function to restore
the NE to the previous status.
Figure 5-5 Patch update flowchart
[Flowchart: Start → Load patches → Activate patches → Confirm (optional) → End]
5.1.7 Network Traffic Analysis
Port mirroring and NetStream are used to analyze network traffic.
Port Mirroring
Port mirroring, also called port scanning or port monitoring, is used on a network switch to send a copy of the packets seen on one switch interface to a network connection on another switch interface. Port mirroring copies the data on all switch interfaces to one monitoring interface.
Port mirroring is implemented by the switch. Because the data on all interfaces must be copied to the monitoring interface, the load on the switch increases and switch performance deteriorates. Port mirroring is therefore often deployed only on the egress switch, for example, to monitor the Internet connections of employees.
NetStream
Because consecutive data packets can be aggregated, NetStream uses a cache mechanism to analyze packets. When NetStream is enabled on a router or switch interface, the device analyzes the headers of received packets to obtain traffic information and aggregates the received packets into flows for analysis.
NetStream occupies less bandwidth, collects complete data, and greatly reduces the load on the switch, so it is often applied to large-scale enterprise networks.
Figure 5-6 shows the NetStream networking.
Figure 5-6 NetStream networking
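The flow aggregation that the text describes for NetStream, as an added example in Python (not Huawei or eSight code): packet headers that share the same key fields are folded into one cache entry, and a flow is exported as one record when it goes idle, ages out, or the cache is flushed. The key fields, the timeouts, and the sample packets are assumptions constructed for illustration.

```python
"""Flow aggregation in the style the text describes for NetStream.
Added example, not Huawei code; key fields, timeouts and sample packets are
constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int, int, int]   # src IP, dst IP, src port, dst port, IP protocol


@dataclass
class FlowRecord:
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


class FlowCache:
    """Keeps one entry per active flow; expired entries become exported records."""

    def __init__(self, active_timeout: float = 30.0, inactive_timeout: float = 5.0) -> None:
        self.active_timeout = active_timeout      # maximum lifetime of a long-lived flow entry
        self.inactive_timeout = inactive_timeout  # idle time after which a flow is exported
        self.flows: Dict[FlowKey, FlowRecord] = {}
        self.exported: List[Tuple[FlowKey, FlowRecord]] = []

    def observe(self, hdr: dict) -> None:
        """Account one packet header; only the header is inspected, never the payload."""
        self.expire(hdr["ts"])
        key: FlowKey = (hdr["src"], hdr["dst"], hdr["sport"], hdr["dport"], hdr["proto"])
        rec = self.flows.get(key)
        if rec is None:
            rec = FlowRecord(first_seen=hdr["ts"], last_seen=hdr["ts"])
            self.flows[key] = rec
        rec.last_seen = hdr["ts"]
        rec.packets += 1
        rec.octets += hdr["length"]

    def expire(self, now: float) -> None:
        """Move idle or over-age flows from the cache to the export list."""
        for key in list(self.flows):
            rec = self.flows[key]
            if (now - rec.last_seen >= self.inactive_timeout
                    or now - rec.first_seen >= self.active_timeout):
                self.exported.append((key, self.flows.pop(key)))

    def flush(self) -> None:
        """Export everything still cached (for example at collector shutdown)."""
        for key in list(self.flows):
            self.exported.append((key, self.flows.pop(key)))


# Constructed sample: a short HTTPS exchange, one DNS query, then HTTPS resumes after an idle gap.
SAMPLE_PACKETS = [
    {"ts": 0.0, "src": "10.1.1.10", "dst": "10.2.2.20", "sport": 51000, "dport": 443, "proto": 6, "length": 1500},
    {"ts": 0.5, "src": "10.1.1.10", "dst": "10.2.2.20", "sport": 51000, "dport": 443, "proto": 6, "length": 1500},
    {"ts": 1.0, "src": "10.1.1.10", "dst": "10.9.9.9", "sport": 40000, "dport": 53, "proto": 17, "length": 80},
    {"ts": 1.1, "src": "10.1.1.10", "dst": "10.2.2.20", "sport": 51000, "dport": 443, "proto": 6, "length": 600},
    {"ts": 9.0, "src": "10.1.1.10", "dst": "10.2.2.20", "sport": 51000, "dport": 443, "proto": 6, "length": 1500},
]


def run_sample(packets=SAMPLE_PACKETS) -> List[Tuple[FlowKey, FlowRecord]]:
    """Return the flow records exported for the packet list (5 packets become 3 records)."""
    cache = FlowCache()
    for pkt in packets:
        cache.observe(pkt)
    cache.flush()
    return cache.exported


if __name__ == "__main__":
    for key, rec in run_sample():
        print(f"{key[0]}:{key[2]} -> {key[1]}:{key[3]} proto={key[4]} "
              f"pkts={rec.packets} bytes={rec.octets}")
```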
5.2 Troubleshooting
The DC network system consists of network devices, links between devices, and servers. If the network system is faulty, you can locate the fault by checking the link status, device status, or server status, or by checking for virus attacks. Upper-layer applications cannot work properly if any one of these components is faulty.
5.2.1 Troubleshooting Network Devices
Network devices may encounter the following faults:
• A device is down: The power indicator and other indicators on the device are off and the device makes no sound.
• The CPU usage of a device is too high: The CPU usage is too high and related applications respond slowly when a user runs the monitoring software or logs in to the device.
• An error message is displayed: An error message is displayed when a user views the log server or logs in to the device.
• An alarm is reported: The status indicator of the device is red, indicating that an alarm has been reported.
A Device Is Down
If a device is down, check the power cable and power supply in the equipment room first.
If the power cable is connected properly and the power supply is normal, call the device
vendor or service provider for help immediately. If the hardware is faulty, ask the device
vendor or service provider to replace parts as soon as possible.
The CPU Usage of a Device Is Too High
Report the problem to the service provider immediately and help the technical support engineers locate the cause. In most cases, the problem is caused by a virus attack.
An Error Message Is Displayed
Send the error message to the service provider and track the troubleshooting progress. The service provider will provide the cause of the problem after analyzing the error message. If the device has a potential fault, prepare an emergency troubleshooting plan or replace the device.
An Alarm Is Reported
Send the alarm to the device vendor and service provider, and ask them to troubleshoot the
fault or replace parts.
5.2.2 Troubleshooting Servers
The servers related to a network system are the Dynamic Host Configuration Protocol (DHCP) server, the access control system (ACS) server, and the agent server on the external network. The following faults often occur:
• Failure to obtain an IP address
• Failure to log in to a network device
• Failure to access the Internet through the agent server
Failure to Obtain an IP Address
To troubleshoot the fault, proceed as follows:
Step 1 Ping the DHCP server to check its connectivity.
Step 2 If the DHCP server is reachable, log in to the DHCP server and check whether the DHCP service is normal. If the service is normal, check whether DHCP requests are timing out because of a virus attack.
Step 3 If the DHCP server has failed, replace it with the backup server.
Step 4 Until the DHCP server recovers, configure a static IP address manually on the computer so that it can access the network.
----End
Failure to Log In to a Network Device
Step 1 Ping the network device to check its connectivity.
Step 2 If the device is connected properly, log in to the ACS server to check whether the ACS
service is normal.
Step 3 If the ACS service is abnormal, log in to the network device through the console port, disable
the authentication, authorization, and accounting (AAA) authentication, and enable the local
authentication based on the built-in database.
----End
Failure to Access the Internet Through the Agent Server
Step 1 Check the network connectivity by accessing other applications. Then, perform a ping
operation to check the connectivity of the agent server.
Step 2 If the agent server is connected correctly, log in to the agent server to check whether the agent
service and related system services are normal. If any service is abnormal, restart the service
or the agent server.
Step 3 If the fault persists, check whether the key hardware (such as NIC) of the agent server is
faulty.
Step 4 If the hardware or system is faulty, replace the agent server with the backup agent server.
Step 5 If there are no problems with the agent server, ping the DNS gateway and Internet service
provider (ISP) gateway to check the Internet access. If the DNS gateway or ISP gateway
cannot be pinged, contact the ISP to rectify the fault.
Step 6 If the link provided by the ISP is faulty, access the Internet through the backup link.
----End
5.3 Network Expansion
5.3.1 Overview
As services expand and the DC grows, the existing network capacity can no longer meet the requirements of long-term development, so network expansion is important. The expansion must be smooth, that is, services must not be affected while the network is being expanded.
The network is expanded in three ways:
• Server expansion
• Device expansion
• Link bandwidth expansion
Use the expansion policy appropriate to each expansion scenario to expand the network capacity smoothly without affecting services.
5.3.2 Server Expansion
Server expansion is implemented by expanding servers in an original area or creating servers
in a new area. The expansion policies of each are different.
Figure 5-7 Internal architecture of the DC (figure not reproduced; labels in the figure, in order: enterprise branch, enterprise intranet, enterprise access network (VLAN 2000 to 2199); collaborative unit, collaborative unit dedicated network, collaborative unit access network (VLAN 2200 to 2299); management VLAN 3000 to 3999; VLAN 200 to 399; disaster recovery network, Internet, disaster backup center access network (VLAN 2400 to 2499); Internet access network (VLAN 2300 to 2399); VLAN 100 to 199; core network; production zone; remote disaster recovery center; external user; office zone; other zones; VLAN 400 to 599; VLAN 600 to 799; DMZ zone; VLAN 800 to 999; storage zone)
• Expanding servers in an existing area
As production services develop, the servers in the production zone must be expanded to meet service requirements. The servers must be added smoothly based on the previously planned VLANs and IP addresses. This ensures VLAN continuity, requires no change to the upstream router or firewall policy, facilitates network maintenance, and reduces the expansion workload.
• Creating servers in a new area
If the demilitarized zone (DMZ) is a newly created area, you must allocate VLANs and IP addresses and plan the router and firewall policies for this area. In this way, existing services are expanded smoothly without being affected, and the new area is easy to maintain and manage.
5.3.3 Device Expansion
Figure 5-8 shows common network architecture of a DC. Many ring networks exist at the
access layer and aggregation layer. Once you add servers, you need to deploy routers at the
access layer and connect them to the combined core layer, which makes the network more
complex and requires a loop-prevention technology. Therefore, services on the existing
network will be affected.
Figure 5-8 Common network architecture of a DC (figure not reproduced; labels: Internet, WAN, 10GE, OSPF, aggregation/core layer, rack, access layer)
To avoid affecting services during expansion, Huawei recommends using cluster and stacking technologies when planning the network architecture of a DC, as shown in Figure 5-9. Cluster and stacking technologies remove the need for a loop prevention protocol, simplify the network architecture, and facilitate device expansion.
Figure 5-9 Network architecture of a DC deployed in the cluster and stacking mode (figure not reproduced; labels: Internet, WAN, 10GE, OSPF, aggregation/core layer, trunk, rack, access layer)
After the network is planned in the cluster and stacking mode, the network changes from a ring topology to a tree topology, which is easy to maintain. When you expand devices, you
only need to add new devices to the stacking system to implement smooth expansion, which
has no impact on the network architecture and does not add physical links at the combined
core layer.
5.3.4 Link Bandwidth Expansion
As services develop, link bandwidth requirements increase and links may become a bottleneck. You can use higher-performance, higher-bandwidth boards (for example, replace a GE board with a 10GE board, or a 10GE board with a 40GE board) or use link binding technology to expand link bandwidth smoothly without affecting network services.
5.4 Disaster Emergency Maintenance
Overview
Disaster emergency maintenance requires designers to consider, during the network design,
how to take emergency maintenance measures, how to recover services, and how to minimize
service losses if a disaster occurs (such as an earthquake or fire) at a DC.
Suggestions on Disaster Emergency Maintenance
The three-center-in-two-area solution takes unexpected disasters into consideration. For details about how data is stored across the active center, backup center, and disaster recovery center, and how services are switched if a disaster occurs, see chapter 4 "Suggestions on Planning Multiple DCs."
6 Recommended Products
The data center solution is made up of the following products:
• Core switch: S9300 series core switches
• Access switch: S6700 series access switches
• Access switch: S5700 series access switches
• Firewall: E8000E-X/E1000E-X series firewalls
• Mini optical transport network (OTN): Optical OSN 1800
6.1 S9300 Series Core Switches
6.1.1 Product Overview
The Quidway S9300 (S9300 for short) is a carrier-class, next-generation high-performance core routing switch developed by Huawei. The S9300 has a large switching capacity and a high port density, and can forward Layer 2 to Layer 4 packets at wire speed. In addition, the S9300 provides powerful multicast functions, comprehensive QoS guarantees, an effective security management mechanism, and high reliability to meet the requirements of VIP users for multiple services, high reliability, large capacity, and modularity. This reduces network construction and maintenance costs.
The S9300 can be deployed at the core and aggregation layers on various types of campus
networks. It can also be used as an aggregation switch on some large campus networks that
require high performance and port density.
6.1.2 Product Model
The S9300 series switches include the following models:
Table 6-1 S9300 product models
Product Model | Description
S9303 | LPUs: 3; switch fabric capacity: 1440 Gbit/s; backplane capacity: 3 Tbit/s; forwarding performance: 540 Mpps
S9306 | LPUs: 6; switch fabric capacity: 2 Tbit/s; backplane capacity: 6 Tbit/s; forwarding capacity: 1320 Mpps
S9312 | LPUs: 12; switch fabric capacity: 2 Tbit/s; backplane capacity: 12 Tbit/s; forwarding capacity: 1320 Mpps
Figure 6-1 The S9303
Figure 6-2 The S9306
Figure 6-3 The S9312
6.1.3 Product Characteristics
Advanced Architecture, High Performance, and Flexible Configuration
The S9300 adopts an advanced distributed architecture and the latest hardware forwarding engine technology. Services on all interfaces, including IPv4 services, MPLS services, and Layer 2 forwarding services, are forwarded at wire speed. The S9300 can apply ACLs while still forwarding packets at wire speed.
The S9300 hardware implements two-level packet replication to forward multicast packets at wire speed:
• The SFU replicates multicast packets to the LPU.
• The forwarding engine of the LPU then replicates the multicast packets to the interfaces on the LPU.
The S9300 supports a 2 Tbit/s switching capacity and various high-density boards to meet the requirements of core and aggregation layer devices for large capacity and high-density interfaces. It meets users' growing bandwidth requirements and protects their investment.
Comprehensive Security Measures
The S9300 supports Authentication, Authorization, and Accounting (AAA) and performs AAA for access users based on policies. In addition, the S9300 supports 802.1x, portal, guest VLAN, and dynamic user access authentication, so it can work with network admission control (NAC) products from other mainstream vendors.
The S9300 supports routing protocol encryption, lawful interception, MAC address filtering, dynamic ARP detection, and ACLs to protect the data of service providers and end users. Hardware-based packet filtering and sampling guarantee high performance and high scalability of the system.
The S9300 is an industry leader in integrated security solutions. It uses a 2-level CPU protection mechanism, supports 1K CPU queues, and protects the CPU by separating the data plane from the control plane. In addition, the S9300 defends against DoS attacks, prevents unauthorized access, and prevents control plane overloading.
High Reliability
Huawei's carrier-class high reliability design ensures that the S9300 is 99.999% reliable,
which meets and exceeds carrier-class operation requirements. The S9300 provides redundant
backup for key components, including MPUs, power supply units, and fans, all of which are
hot swappable. Based on distributed hardware forwarding architecture, the routing plane is
separated from the switching plane to ensure service continuity.
The S9300 provides 3.3 ms hardware-based Ethernet operation, administration, and
maintenance (OAM) function, which can quickly detect and locate faults. By using the
Ethernet OAM technology and switchover technologies, the S9300 can provide
millisecond-level protection for networks.
The service traffic can be switched between active and standby components without rebooting
the equipment. The S9300 also supports the in-service software upgrade (ISSU), further
reducing service interruption.
The S9300 supports the link aggregation defined in IEEE 802.3ad, the IEEE 802.1s/w
standard, and Virtual Router Redundancy Protocol (VRRP). In addition, it supports various
millisecond switchover technologies, such as Rapid Ring Protection Protocol (RRPP), Smart
Link, IP fast reroute (FRR), traffic engineering (TE) FRR, and virtual private network (VPN)
FRR. These features improve the reliability of data transmission.
6.1.4 Specifications
The following table lists the specifications of the S9300 series switches.
Table 6-2 Main specifications of the S9300 series switches
Specifications | S9303 | S9306 | S9312
Backplane capacity (Tbit/s) | 1.2 | 2.4 | 4.8
Service slots | 3 | 6 | 12
GE port density | 144 | 288 | 576
10G port density | 120 | 240 | 480
Chassis dimensions (H x W x D) | 442 mm x 476 mm x 175 mm | 442 mm x 476 mm x 441.7 mm | 442 mm x 476 mm x 663.95 mm
Chassis weight (empty) | < 22 kg | < 42 kg | < 70 kg
Working voltage | DC power supply: –38.4 V to –72 V; AC power supply: 90 V to 264 V (all models)
Typical power consumption | 180 W | < 350 W | < 650 W
Power supply capability of the device (PoE not included) | 800 W | 1600 W | 1600 W
The following features apply to all three models:
VLAN
• Access, trunk, and hybrid interfaces
• Default VLAN
• VLAN switching
• QinQ and enhanced selective QinQ
MAC address
• Automatic learning and aging of MAC addresses
• Static, dynamic, and blackhole MAC address entries
• Packet filtering based on source MAC addresses
• MAC address learning limitation based on interfaces and VLANs
STP
• STP, RSTP, and MSTP
• Bridge protocol data unit (BPDU) protection, root protection, and loop protection
• BPDU tunnels
IP routing
• IPv4 dynamic routing protocols such as RIP, OSPF, IS-IS, and BGP
• IPv6 dynamic routing protocols such as RIPng, OSPFv3, ISISv6, and BGPv4
Multicast
• IGMP snooping
• IGMP fast leave
• Multicast traffic control
• Multicast queries
• Suppression of multicast packets
• Multicast ACL
MPLS
• Basic MPLS functions
• MPLS OAM
• MPLS traffic engineering (TE)
• MPLS VPN, VLL, and VPLS
Clock
• Synchronous Ethernet clock
• IEEE 1588v2
QoS
• Traffic classification based on the Layer 2 protocol header, Layer 3 protocol, Layer 4 protocol, and 802.1p priority
• Actions such as ACL, CAR, remark, and schedule
• Queue scheduling modes such as PQ, WRR, DRR, PQ+WRR, and PQ+DRR
• Congestion avoidance mechanisms such as Weighted Random Early Detection (WRED) and tail drop
• Traffic shaping
Configuration and maintenance
• Terminal services such as Console, Telnet, and SSH
• Network management protocols such as SNMPv1/v2/v3
• Uploading and downloading of files using FTP and TFTP
• BootROM upgrade and remote online upgrade
• Hot patches
• User operation logs
Security and management
• 802.1x authentication and portal authentication
• RADIUS and HWTACACS authentication for login users
• Hierarchical protection for commands to prevent unauthorized users from accessing the device
• Protection against DoS attacks, TCP SYN flood attacks, UDP flood attacks, broadcast storms, and large-traffic attacks
• CPU channel protection
• Ping and traceroute
• RMON
6.2 S6700 Series Access Switches
6.2.1 Product Overview
The Quidway S6700 (S6700) is a next-generation 10GE box-shaped switch developed by Huawei. The S6700 can serve as an access switch for 10GE servers in a data center, as an aggregation switch on a metropolitan area network (MAN), or as a core switch on a campus network.
As one of the class-A switches in the industry, the S6700 provides up to 24 or 48 wire-speed 10GE interfaces, enabling high-density 10GE access and high-density 10GE aggregation on the campus network. The S6700 provides rich service features, a comprehensive security control policy, and various QoS mechanisms to meet the data center's requirements for extensibility, reliability, manageability, and security.
6.2.2 Product Model
The S6700 series switches include two models:
• S6748-EI: provides 48 GE small form-factor pluggable (SFP)/10GE small form-factor pluggable plus (SFP+) ports, two slots for power supplies, and a USB port.
• S6724-EI: provides 24 GE SFP/10GE SFP+ ports, two slots for power supplies, and a USB port.
Figure 6-4 The S6748-EI
Figure 6-5 The S6724-EI
6.2.3 Product Characteristics
High-Density 10GE Flexible Access
As clients require more bandwidth, 10GE network interface cards are widely used on servers, so the switches in a data center must provide higher forwarding performance and 10GE interface extensibility. Compared with similar box-shaped switches in the industry, the S6700 has the highest 10GE port density and the largest switching capacity. An S6700 supports wire-speed packet forwarding on up to 48 10GE interfaces.
The GE/10GE interfaces support flexible access and automatically identify the type of the installed optical module. The S6700 can also connect to the optical or electrical GE interfaces on servers, which protects the users' investment and allows the S6700 to be used flexibly.
To meet the requirements for heavy traffic and non-blocking transmission, the S6700 provides a large buffer and uses advanced buffer scheduling mechanisms to maximize the effective use of the buffer.
Comprehensive Security Measures
The S6700 provides various security measures. It can defend against Denial of Service (DoS) attacks, attacks on the network, and attacks on users. DoS attacks include SYN flood, Land, Smurf, and ICMP flood attacks. Attacks on the network include STP BPDU and root attacks. Attacks on users include bogus DHCP server attacks, man-in-the-middle attacks, IP/MAC spoofing attacks, DHCP request flood attacks, and DoS attacks that change the CHADDR field of DHCP packets.
The S6700 snoops the MAC address, IP address, IP address lease, VLAN ID, and access interface of each access user and records them in a DHCP snooping binding table. Packets that do not match a binding entry, such as ARP spoofing packets and packets with bogus IP addresses, are discarded directly. This prevents attackers from carrying out man-in-the-middle attacks with ARP packets on campus networks. The trusted interface feature of DHCP snooping ensures that DHCP server replies are accepted only from the legitimate DHCP server.
The S6700 supports strict ARP entry learning, which prevents ARP spoofing attackers from exhausting the ARP table so that authorized users can still access the Internet. The S6700 supports IP source check to prevent DoS attacks based on MAC address spoofing, IP address spoofing, and combined MAC/IP spoofing. Unicast reverse path forwarding (URPF) on the S6700 checks the reverse path of received packets to validate their source addresses, which protects the network against the growing number of source address spoofing attacks.
The S6700 supports combined MAC address authentication and 802.1x authentication. User information, such as the user name, IP address, MAC address, VLAN ID, access interface, and a flag indicating whether antivirus software is installed on the client, can be bound statically or dynamically, and policies (VLAN, QoS, and ACL) can be delivered dynamically.
The S6700 can limit the number of MAC addresses learned on an interface to prevent attackers from exhausting the MAC address table with bogus source MAC addresses. In this way, the MAC addresses of authorized users can still be learned and flooding is prevented.
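The DHCP snooping binding table, trusted interface, CHADDR check, ARP inspection, IP source check, and per-interface MAC learning limit described above, as an added Python example (not Huawei code): the binding is built from a snooped lease, and packets arriving on untrusted interfaces are dropped when they do not match it. Interface names, packet fields, and the sample traffic are constructed assumptions.

```python
"""DHCP snooping binding table with the checks the text attributes to the S6700.
Added example, not Huawei code: packet fields, interface names and the sample
traffic are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    lease_end: float  # absolute time at which the lease expires


class SnoopingSwitch:
    def __init__(self, trusted_ports: Set[str], mac_limit: int = 2) -> None:
        self.trusted = trusted_ports          # interfaces facing the legitimate DHCP server
        self.mac_limit = mac_limit            # MAC addresses an access interface may learn
        self.bindings: Dict[Tuple[str, int], Binding] = {}   # (mac, vlan) -> binding
        self.pending: Dict[Tuple[str, int], str] = {}        # (chaddr, vlan) -> client port
        self.mac_table: Dict[str, Set[str]] = {}             # port -> learned MACs
        self.drops: List[str] = []                           # reason for every dropped packet

    def learn_mac(self, port: str, mac: str) -> bool:
        """Per-interface MAC learning limit: bogus source MACs cannot exhaust the table."""
        learned = self.mac_table.setdefault(port, set())
        if mac in learned:
            return True
        if len(learned) >= self.mac_limit:
            self.drops.append(f"mac-limit port={port} mac={mac}")
            return False
        learned.add(mac)
        return True

    def on_dhcp(self, pkt: dict, now: float) -> bool:
        key = (pkt["chaddr"], pkt["vlan"])
        if pkt["msg"] in ("OFFER", "ACK"):
            # Server replies are accepted only from trusted interfaces (bogus DHCP server defence).
            if pkt["in_port"] not in self.trusted:
                self.drops.append(f"untrusted-dhcp-server port={pkt['in_port']}")
                return False
            if pkt["msg"] == "ACK" and key in self.pending:
                self.bindings[key] = Binding(pkt["chaddr"], pkt["yiaddr"], pkt["vlan"],
                                             self.pending.pop(key), now + pkt["lease"])
            return True
        # Client messages: the frame source MAC must equal CHADDR, which defeats
        # request floods that rotate CHADDR to drain the address pool.
        if pkt["src_mac"] != pkt["chaddr"]:
            self.drops.append(f"chaddr-mismatch port={pkt['in_port']}")
            return False
        self.pending[key] = pkt["in_port"]
        return True

    def _bound(self, mac: str, ip: str, vlan: int, port: str, now: float) -> bool:
        b = self.bindings.get((mac, vlan))
        return b is not None and b.ip == ip and b.port == port and b.lease_end > now

    def on_arp(self, pkt: dict, now: float) -> bool:
        """Dynamic ARP inspection: sender MAC/IP on an untrusted port must match a binding."""
        if pkt["in_port"] in self.trusted:
            return True
        if self._bound(pkt["sender_mac"], pkt["sender_ip"], pkt["vlan"], pkt["in_port"], now):
            return True
        self.drops.append(f"arp-spoof port={pkt['in_port']} ip={pkt['sender_ip']}")
        return False

    def on_ip(self, pkt: dict, now: float) -> bool:
        """IP source check: source MAC/IP on an untrusted port must match a binding."""
        if pkt["in_port"] in self.trusted:
            return True
        if self._bound(pkt["src_mac"], pkt["src_ip"], pkt["vlan"], pkt["in_port"], now):
            return True
        self.drops.append(f"ip-source-check port={pkt['in_port']} ip={pkt['src_ip']}")
        return False


def run_scenario() -> SnoopingSwitch:
    """Constructed traffic: one legitimate lease, then spoofing attempts from other ports."""
    sw = SnoopingSwitch(trusted_ports={"GE0/0/24"})   # uplink to the real DHCP server
    client, rogue = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"
    sw.on_dhcp({"msg": "REQUEST", "in_port": "GE0/0/1", "vlan": 10,
                "src_mac": client, "chaddr": client}, now=0.0)
    sw.on_dhcp({"msg": "OFFER", "in_port": "GE0/0/2", "vlan": 10, "src_mac": rogue,
                "chaddr": client, "yiaddr": "10.0.10.200"}, now=0.1)   # rogue server, dropped
    sw.on_dhcp({"msg": "ACK", "in_port": "GE0/0/24", "vlan": 10, "src_mac": "cc:cc:cc:00:00:24",
                "chaddr": client, "yiaddr": "10.0.10.5", "lease": 3600}, now=0.2)
    sw.on_arp({"in_port": "GE0/0/1", "vlan": 10, "sender_mac": client,
               "sender_ip": "10.0.10.5"}, now=1.0)                       # genuine, passes
    sw.on_arp({"in_port": "GE0/0/2", "vlan": 10, "sender_mac": client,
               "sender_ip": "10.0.10.5"}, now=1.1)                       # client identity on wrong port
    sw.on_ip({"in_port": "GE0/0/3", "vlan": 10, "src_mac": "dd:dd:dd:00:00:03",
              "src_ip": "10.0.10.5"}, now=1.2)                           # IP address spoofing
    sw.on_dhcp({"msg": "DISCOVER", "in_port": "GE0/0/2", "vlan": 10, "src_mac": rogue,
                "chaddr": "ee:ee:ee:00:00:99"}, now=1.3)                # CHADDR differs from frame
    for mac in ("11:11:11:00:00:01", "11:11:11:00:00:02", "11:11:11:00:00:03"):
        sw.learn_mac("GE0/0/3", mac)                                    # third MAC exceeds the limit
    return sw
```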
High Reliability
The S6700 supports dual power supplies for backup and can use an AC power supply and a DC power supply at the same time. Users can select a single power supply or dual power supplies to improve device reliability. The switch provides two built-in fans to improve operating stability and has a long mean time between failures (MTBF).
Enhancing STP, RSTP, and MSTP, the S6700 supports the MSTP multi-process that greatly
increases the number of sub-ring instances. It supports enhanced Ethernet technologies such
as Smart Link and RRPP to implement millisecond-level protective switchover, improving
network reliability. Smart Link and RRPP both support multi-instance to implement load
balancing among links, further improving bandwidth usage.
The S6700 supports enhanced trunk (E-Trunk). When a customer edge (CE) is dual-homed to a VPLS, VLL, or PWE3 network, an E-Trunk can be configured to protect the links between the CE and the provider edges (PEs) and to implement backup between the PEs. E-Trunk implements link aggregation across devices, raising link reliability to device level.
The S6700 supports Smart Ethernet Protection (SEP) protocol, a ring network protocol
applied to the link layer of an Ethernet network. SEP is applicable to open ring networks and
can be deployed on upper-layer aggregation devices to provide millisecond-level switchover
without interrupting services. Huawei devices have implemented Ethernet link management
using SEP. SEP features simplicity, high reliability, high switchover performance, convenient
maintenance, and flexible topology and enables users to conveniently manage and plan
networks.
The S6700 supports VRRP to keep the communication continuity and reliability, ensuring a
stable network. Multiple equal-cost routes can be configured on the S6700 to implement route
redundancy. When the active uplink route is faulty, traffic is automatically switched to a
backup route. This feature implements multi-level backup for uplink routes.
Rich QoS Capabilities
The S6700 can implement complex traffic classification based on information such as the
5-tuple, IP preference, ToS, DSCP, IP protocol type, ICMP type, TCP source port, VLAN, the
protocol type of an Ethernet frame, and CoS. The S6700 supports inbound and outbound
ACLs. The S6700 supports the flow-based two-rate and three-color CAR. Each interface
supports eight priority queues, multiple queue scheduling algorithms such as WRR, DRR, SP,
WRR+SP, and DRR+SP, and WRED congestion avoidance mechanism, which ensures the
quality of network services such as voice, video and data services.
High Extensibility
The S6700 supports intelligent stacking (iStack) over long distances. A common interface can be configured as a stack interface at the CLI, enabling flexible interface usage. Optical fibers can be used for stacking, greatly increasing the possible distance between stacked devices. Compared with a single device, an intelligent stack offers greater extensibility, reliability, and performance.
When customers need to expand the device or replace a single faulty device, they can add new
devices without interrupting services. Compared with chassis switches, the performance and
port density of intelligent stacking are not restricted by the hardware architecture. Multiple
stacked devices can be considered as a logical device, which simplifies the network
management and configuration.
Convenient Operation and Maintenance
The S6700 supports automatic configuration, plug-and-play, deployment from USB devices,
and batch remote upgrade. Upgrade and delivery of the S6700 can be completed at one time,
which simplifies management and maintenance. Maintenance costs are greatly reduced.
The S6700 supports diversified management and maintenance modes such as SNMPv1/v2/v3,
CLI, web network management, Telnet, and Huawei Group Multicast Protocol (HGMP),
which makes device management more flexible. In addition, the S6700 supports NTP,
SSHv2.0, TACACS+, RMON, multi-log host, interface-based traffic statistics, and NQA,
which helps to better deploy and adjust networks.
The S6700 supports the GARP VLAN Registration Protocol (GVRP). The GVRP technology
implements dynamic configuration of VLANs. In a complicated networking environment,
GVRP can simplify VLAN configuration and reduce network communication faults caused by
incorrect configuration of VLANs. This reduces the manual configurations of network
managers and ensures correct VLAN configurations.
The S6700 supports MUX VLAN. The MUX VLAN function is used to isolate Layer 2 traffic
between interfaces on a VLAN. Subordinate VLANs can communicate with the MUX VLAN
but cannot communicate with each other. MUX VLAN is usually used on enterprise intranets.
With this function, a user interface can communicate with a server interface but cannot
communicate with other user interfaces. MUX VLAN prevents communication between
network devices connected to some interfaces or interface groups but allows these devices to
communicate with the default gateway. This function ensures resource sharing and secure
communication in an enterprise.
The S6700 supports BFD and provides millisecond-level detection for protocols such as
OSPF, IS-IS, VRRP, and PIM to improve network reliability. Complying with IEEE 802.3ah
and 802.1ag, the S6700 supports point-to-point Ethernet fault management. It can detect faults
on user links. Ethernet OAM improves the network management and maintenance capabilities
on the Ethernet and ensures a stable network.
Rich IPv6 Features
The S6700 supports IPv4/IPv6 protocol stack and can be smoothly upgraded. The S6700
hardware supports the IPv4/IPv6 protocol stack, IPv6 over IPv4 tunnels (including manual
tunnels, 6to4 tunnels, and ISATAP tunnels), and Layer 3 wire-speed forwarding. Therefore,
the S6700 can be deployed on IPv4 networks, IPv6 networks, and networks that run IPv4 and
IPv6 simultaneously. This makes the networking flexible and meets the requirements for the
network transition from IPv4 to IPv6.
The S6700 supports various IPv6 routing protocols including RIPng and OSPFv3. It uses the
IPv6 Neighbor Discovery Protocol (NDP) to manage packets exchanged between neighbors.
It also provides the Path MTU Discovery (PMTU) mechanism to select a proper MTU on the
path from the source to the destination, optimizing network resources and obtaining the
maximum throughput.
6.2.4 Main Specifications
Table 6-3 Main specifications of the S6700 series products
(Unless a model is named, a value applies to both the S6724-EI and the S6748-EI.)

Port description
- S6724-EI: 24 GE SFP/10GE SFP+ ports
- S6748-EI: 48 GE SFP/10GE SFP+ ports
Forwarding performance (PPS)
- S6724-EI: 358 Mbit/s
- S6748-EI: 715 Mbit/s
Interface switching capacity (bit/s)
- S6724-EI: 480 Gbit/s
- S6748-EI: 960 Gbit/s
MAC address table
- Capacity of 128K MAC addresses
- Automatic learning and aging of MAC addresses
- Static, dynamic, and blackhole MAC address entries
- Packet filtering based on source MAC addresses
VLAN
- 4K VLANs
- Guest VLANs and voice VLANs
- VLANs based on MAC addresses, protocols, IP subnets, policies, and interfaces
- 1:1 and N:1 VLAN switching
- QinQ and selective QinQ
IPv4 route
- Static route, RIPv1, RIPv2, ECMP, and URPF
- OSPF, IS-IS, and BGP
- VRRP
- Policy-based routing
- Routing policy
IPv6 route
- Static route
- RIPng
- Manual tunnels
- 6to4 tunnels
- ISATAP tunnels
IPv6 features
- Neighbor Discovery (ND)
- PMTU
- IPv6 Ping, IPv6 Tracert, and IPv6 Telnet
- 6to4 tunnels, ISATAP tunnels, and manually configured tunnels
- ACLs based on the source IPv6 address, destination IPv6 address, Layer 4 interface, or protocol type
- MLDv1/v2 snooping
Multicast
- Static Layer 2 multicast MAC address
- MAC address-based multicast forwarding
- IGMP snooping and IGMP fast leave
- Multicast VLAN
- MLD snooping
- IGMP proxy
- Controllable multicast
- Interface-based multicast traffic statistics
- IGMP v1/v2/v3
- PIM-SM, PIM-DM, and PIM-SSM
- MSDP
QoS/ACL
- Rate limit on packets sent and received by an interface
- Packet redirection
- Port-based traffic policing and two-rate and three-color CAR
- Eight queues on each port
- WRR, DRR, SP, WRR+SP, and DRR+SP queue scheduling algorithms
- WRED
- Re-marking of the 802.1p priority and DSCP priority of packets
- Packet filtering on Layer 2 to Layer 4, filtering out invalid frames based on the source MAC address, destination MAC address, source IP address, destination IP address, port number, protocol, and VLAN ID
- Queue-based rate limit and port-based traffic shaping
Reliability
- STP, RSTP, and MSTP
- BPDU protection, root protection, and loop protection
- RRPP topology and RRPP multi-instance
- Smart Link tree topology, Smart Link multi-instance, and millisecond-level protection
- SEP
- BFD for OSPF, IS-IS, VRRP, and PIM
- Enhanced trunk (E-trunk)
Security
- Hierarchical user management and password protection
- DoS attack defense, ARP attack defense, and ICMP attack defense
- Binding of the IP address, MAC address, interface, and VLAN
- Interface isolation, interface security, and sticky MAC addresses
- Blackhole MAC addresses
- Limit on the number of learned MAC addresses
- IEEE 802.1x authentication and limit on the number of users on an interface
- Multiple authentication methods including AAA, RADIUS, TACACS+, and NAC authentication
- SSH v2.0
- Hypertext Transfer Protocol Secure (HTTPS)
- CPU protection
- Blacklist and whitelist
Management and maintenance
- Stack function on service interfaces
- MAC forced forwarding (MFF)
- Virtual cable detection (VCT)
- Ethernet OAM (IEEE 802.3ah and 802.1ag)
- Local port mirroring, remote switched port analyzer (RSPAN), and packet forwarding on observing ports
- Remote configuration and maintenance using Telnet
- SNMPv1/v2/v3
- RMON
- Network management system (NMS) and web NMS
- HGMP
- System logs and multi-level alarms
- GVRP
- MUX VLAN
- 802.3az Energy Efficient Ethernet (EEE)
Working environment
- Working temperature: 0°C to 45°C (long term); -5°C to 50°C (short term); relative humidity: 10% to 90% (non-condensing)
Input voltage (AC power supply)
- Rated voltage: 100 V to 240 V, 50/60 Hz
- Maximum voltage: 90 V to 264 V, 50/60 Hz
Dimensions (H x W x D)
- 43.6 mm x 442 mm x 420 mm
Power consumption
- S6724-EI: 165 W
- S6748-EI: 237 W
ONE NET DCN Data Center Solution
Technical Proposal
6 Recommended Products
6.3 S5700 Series Access Switches
6.3.1 Product Overview
The Quidway S5700 (S5700) is a next-generation GE switch developed by Huawei to meet
the requirements for high-bandwidth access and Ethernet multi-service aggregation, providing
powerful Ethernet functions for carriers and enterprise customers. Based on the
next-generation high-performance hardware and Huawei Versatile Routing Platform (VRP)
software, the S5700 features large capacity and high-density GE interfaces, and provides 10
Gbit/s uplinks for customers. The S5700 can meet the requirements of multiple scenarios such
as service aggregation on campus networks and enterprise networks, GE access to IDC, and
the GE desktop access to the enterprise network.
The S5700 is a box-shaped device with a chassis of 1 U high, providing a limited version (LI),
a standard version (SI), an enhanced version (EI), and an advanced version (HI). LI provides
various Layer 2 functions while SI supports Layer 2 functions and basic Layer 3 functions. EI
supports all routing protocols and service features. In addition to the functions of EI, HI
supports some advanced functions such as MPLS and hardware OAM.
6.3.2 Appearance
The following table lists models of the S5700.
Table 6-4 Models of S5700
(The Appearance column of the original table shows a product photo for each model; only the Model and Description columns are reproduced here.)

S5706TP-LI
- Four 10/100/1000Base-T ports
- Two 1000 Mbit/s combo ports
- AC power supply
S5724TP-SI
- 20 10/100/1000Base-T ports
- Four 100/1000Base-X 1000M combo ports
- AC/DC power supply
- RPS 12 V power supply backup
- USB port
S5724TP-PWR-SI
- 20 10/100/1000Base-T ports
- Four 100/1000Base-X 1000M combo ports
- Pluggable dual AC power supplies
- PoE
- USB port
S5748TP-SI
- 44 10/100/1000Base-T ports
- Four 100/1000Base-X 1000M combo ports
- AC/DC power supply
- RPS 12 V power supply backup
- USB port
S5748TP-PWR-SI
- 44 10/100/1000Base-T ports
- Four 100/1000Base-X 1000M combo ports
- AC power supply
- PoE
- USB port
S5728C-SI
- 24 10/100/1000Base-T ports
- Four 100/1000Base-X 1000M combo ports
- Two 10GE XFP uplink ports, four 1000Base-X SFP uplink ports, two 10GE SFP+ uplink ports, or four 10GE SFP+ subcards
- Dual pluggable power supplies
- USB port
S5728C-PWR-SI
- 24 10/100/1000Base-T ports
- Four 100/1000Base-X 1000M combo ports
- Two 10GE XFP uplink ports, four 1000Base-X SFP uplink ports, two 10GE SFP+ uplink ports, or four 10GE SFP+ subcards
- Dual pluggable AC power supplies
- PoE
- USB port
S5752C-SI
- 48 10/100/1000Base-T ports
- Two 10GE XFP uplink ports, four 1000Base-X SFP uplink ports, two 10GE SFP+ uplink ports, or four 10GE SFP+ subcards
- Dual pluggable power supplies
- USB port
S5752C-PWR-SI
- 48 10/100/1000Base-T ports
- Two 10GE XFP uplink ports, four 1000Base-X SFP uplink ports, two 10GE SFP+ uplink ports, or four 10GE SFP+ subcards
- Dual pluggable AC power supplies
- PoE
- USB port
S5728C-EI
- 24 10/100/1000Base-T ports
- Two 10GE XFP uplink ports, four 1000Base-X SFP uplink ports, two 10GE SFP+ uplink ports, or four 10GE SFP+ subcards
- Dual pluggable power supplies
S5728C-PWR-EI
- 24 10/100/1000Base-T ports
- Two 10GE XFP uplink ports, four 1000Base-X SFP uplink ports, or two 10GE SFP+ subcards
- Dual pluggable AC power supplies
- PoE
S5728C-EI-24S
- 24 100/1000Base-X ports
- Four 10/100/1000Base-T GE combo ports, two 10GE XFP uplink ports, four 1000Base-X SFP uplink ports, two 10GE SFP+ uplink ports, or four 10GE SFP+ subcards
- Dual pluggable power supplies
S5752C-EI
- 48 10/100/1000Base-T ports
- Two 10GE XFP uplink ports, four 1000Base-X SFP uplink ports, two 10GE SFP+ uplink ports, or four 10GE SFP+ subcards
- Dual pluggable power supplies
S5752C-PWR-EI
- 48 10/100/1000Base-T ports
- Two 10GE XFP uplink ports, four 1000Base-X SFP uplink ports, or two 10GE SFP+ subcards
- Dual pluggable AC power supplies
- PoE
S5728C-HI
- 24 10/100/1000Base-T ports
- Four 1000Base-X SFP uplink ports, two 10GE SFP+ uplink ports, or four 10GE SFP+ subcards
- Dual pluggable power supplies
S5728C-HI-24S
- 24 100/1000Base-X ports
- Four 1000Base-X SFP uplink ports, two 10GE SFP+ uplink ports, or four 10GE SFP+ subcards
- Dual pluggable power supplies
6.3.3 Product Characteristics
High Extensibility
The S5700 supports intelligent stacking (iStack). Multiple S5700s construct a virtual switch
automatically after being connected by stacking cables.
Compared with a single device, intelligent stacking features powerful extensibility, reliability,
and performance. When customers need to expand the device or replace a single faulty device,
they can add new devices without interrupting services. Compared with chassis switches, the
performance and port density of intelligent stacking are not restricted by the hardware
architecture. Multiple stacked devices can be considered as a logical device, which simplifies
the network management and configuration.
Powerful Service Support
The S5700 supports the enhanced selective QinQ to add outer VLAN tags to packets, without
occupying ACL resources, which meets requirements for multi-service provisioning.
The S5700 supports IGMPv1/v2/v3, IGMP snooping, IGMP filter, IGMP fast leave, and
IGMP proxy. It supports wire-speed multicast VLAN replication, multicast load balancing in
an Eth-Trunk, and controllable multicast. These multicast features provide high-quality video
services for users.
The S5700 supports multi-VPN-instance CE (MCE) to isolate users on different VPNs on a
device, ensuring the user's data security and saving the user's investments.
The S5700HI switches are cost-effective box-shaped MPLS switches. They support basic
MPLS and VLL functions and can be used as high-quality access devices to provide leased
line services for enterprises. The S5700HI can help customers to construct an MPLS edge
network.
The S5700 series includes multiple models that support PoE and comply with the IEEE 802.3af and
802.3at (PoE+) standards. Over the Ethernet cabling, the S5700 can supply power to standard PD
devices such as IP phones, WLAN APs, and Bluetooth APs. Each interface provides 30 W of
power. This reduces the power cable layout and management cost for terminal devices. The
S5700 can also be configured to provide power to PDs only at specified times, as required.
High Reliability
The S5700 supports dual power supplies for backup and can use an AC power supply and a
DC power supply at the same time. Users can select a single power supply or dual power
supplies to improve device reliability. The switch provides three built-in fans to improve
stability and has a long MTBF.
Enhancing STP, RSTP, and MSTP, the S5700 supports the MSTP multi-process that greatly
increases the number of sub-ring instances. It supports enhanced Ethernet technologies such
as Smart Link and RRPP to implement millisecond-level protective switchover, improving
network reliability. Smart Link and RRPP both support multi-instance to implement load
balancing among links, further improving bandwidth usage.
The S5700 supports E-Trunk. When a CE is dual homed to a VPLS, VLL, or PWE3 network,
an E-Trunk can be configured to protect the links between the CEs and PEs and implement
backup between PEs. The E-trunk can implement link aggregation across devices to upgrade
the link reliability to device level.
The S5700 supports SEP, a ring network protocol applied to the link layer of an Ethernet
network. SEP is applicable to open ring networks and can be deployed on upper-layer
aggregation devices to provide millisecond-level switchover without interrupting services.
Huawei devices have implemented Ethernet link management using SEP. SEP features
simplicity, high reliability, high switchover performance, convenient maintenance, and
flexible topology and enables users to manage and plan networks conveniently.
The S5700 supports VRRP to keep the communication continuity and reliability, ensuring a
stable network. Multiple equal-cost routes can be configured on the S5700 to implement route
redundancy. When the active uplink route is faulty, traffic is automatically switched to a
backup route. This feature implements multi-level backup for uplink routes.
Rich Security Measures and QoS Policies
The S5700 provides various security measures. It can defend against DoS attacks, attacks to
networks, and attacks to users. DoS attacks include SYN Flood attacks, Land attacks, Smurf
attacks, and ICMP Flood attacks. Attacks to networks refer to STP BPDU/root attacks.
Attacks to users include bogus DHCP server attacks, man-in-the-middle attacks, IP/MAC
spoofing attacks, DHCP request flood attacks, and DoS attacks by changing the CHADDR
field of packets.
The S5700 listens to information about the MAC or IP address of an access user, IP address
lease, VLAN ID, and interface by establishing and maintaining a DHCP snooping binding
table. The S5700 directly discards invalid packets such as ARP spoofing packets and packets
with bogus IP addresses that do not match binding entries. In this manner, hackers or attackers
are prevented from carrying out the man-in-the-middle attacks by using ARP packets on
campus networks. The trusted interface feature of DHCP snooping ensures the validity of the
DHCP server.
The S5700 supports strict learning of ARP entries to prevent ARP spoofing attackers from
exhausting ARP entries, so that authorized users can still access the Internet. The S5700 supports
IP source check to prevent DoS attacks caused by MAC address spoofing, IP address spoofing,
and combined MAC/IP spoofing. URPF provided by the S5700 checks the reverse path of a
packet to validate its source, which protects the network against the increasing number of
source address spoofing attacks.
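The binding-table logic described in the preceding paragraphs, written out as an added example (this is not Huawei code and does not model the S5700's actual implementation): DHCP server replies are accepted only on a trusted interface, each ACK creates a binding of MAC, IP, VLAN and client interface, and ARP and IP packets on user ports are checked against that binding. The interface names, MAC addresses, IP addresses and lease times are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding entry: MAC, IP, VLAN, access interface and lease expiry."""
    mac: str
    ip: str
    vlan: int
    interface: str
    expires: float


class DhcpSnoopingSwitch:
    """Model of a DHCP snooping binding table plus the ARP and IP source checks built on it.
    Interface names (GE0/0/x) are hypothetical."""

    def __init__(self, trusted_interfaces: Set[str]) -> None:
        self.trusted = set(trusted_interfaces)              # ports facing the legitimate DHCP server
        self.bindings: Dict[Tuple[int, str], Binding] = {}  # key: (vlan, client MAC)
        self.pending: Dict[Tuple[int, str], str] = {}       # (vlan, client MAC) -> port of its request

    def _valid(self, vlan: int, mac: str, ip: str, in_if: str, now: float) -> bool:
        b = self.bindings.get((vlan, mac))
        return b is not None and b.ip == ip and b.interface == in_if and b.expires > now

    def dhcp(self, msg: dict, now: float) -> str:
        """Snoop one DHCP message. Returns 'forward', 'bind' or 'drop'."""
        key = (msg["vlan"], msg["chaddr"])
        if msg["op"] in ("DISCOVER", "REQUEST"):
            if msg["in_if"] in self.trusted:
                return "forward"
            # On user ports CHADDR must equal the frame's source MAC; this blocks request
            # floods that vary CHADDR to exhaust the server's address pool.
            if msg["src_mac"] != msg["chaddr"]:
                return "drop"
            self.pending[key] = msg["in_if"]
            return "forward"
        if msg["op"] in ("OFFER", "ACK"):
            # Server replies are only accepted from trusted interfaces (bogus-server defence).
            if msg["in_if"] not in self.trusted:
                return "drop"
            if msg["op"] == "ACK" and key in self.pending:
                self.bindings[key] = Binding(msg["chaddr"], msg["yiaddr"], msg["vlan"],
                                             self.pending.pop(key), now + msg["lease"])
                return "bind"
            return "forward"
        return "forward"

    def arp(self, pkt: dict, now: float) -> bool:
        """ARP inspection: on user ports the sender MAC/IP must match a binding for that port and VLAN."""
        if pkt["in_if"] in self.trusted:
            return True
        return self._valid(pkt["vlan"], pkt["sender_mac"], pkt["sender_ip"], pkt["in_if"], now)

    def ip(self, pkt: dict, now: float) -> bool:
        """IP source check: the source MAC/IP of IP packets on user ports must match a binding."""
        if pkt["in_if"] in self.trusted:
            return True
        return self._valid(pkt["vlan"], pkt["src_mac"], pkt["src_ip"], pkt["in_if"], now)


def demo() -> Dict[str, object]:
    """Constructed traffic: one legitimate lease, one rogue server, ARP/IP spoofs, one expired lease."""
    sw = DhcpSnoopingSwitch(trusted_interfaces={"GE0/0/24"})  # uplink to the real DHCP server
    client = "aa:aa:aa:aa:aa:01"
    r: Dict[str, object] = {}
    r["discover"] = sw.dhcp({"op": "DISCOVER", "vlan": 10, "in_if": "GE0/0/1",
                             "src_mac": client, "chaddr": client}, now=0)
    # Request whose CHADDR differs from the source MAC (address-pool exhaustion attempt).
    r["forged_chaddr"] = sw.dhcp({"op": "REQUEST", "vlan": 10, "in_if": "GE0/0/2",
                                  "src_mac": "bb:bb:bb:bb:bb:02", "chaddr": "cc:cc:cc:cc:cc:03"}, now=0)
    # A DHCP server answering from a user port is ignored.
    r["rogue_ack"] = sw.dhcp({"op": "ACK", "vlan": 10, "in_if": "GE0/0/2",
                              "chaddr": client, "yiaddr": "10.0.0.99", "lease": 3600}, now=1)
    r["real_ack"] = sw.dhcp({"op": "ACK", "vlan": 10, "in_if": "GE0/0/24",
                             "chaddr": client, "yiaddr": "10.0.0.5", "lease": 3600}, now=1)
    r["arp_ok"] = sw.arp({"vlan": 10, "in_if": "GE0/0/1",
                          "sender_mac": client, "sender_ip": "10.0.0.5"}, now=2)
    # ARP claiming the gateway address from the client's MAC (man-in-the-middle attempt).
    r["arp_spoof_ip"] = sw.arp({"vlan": 10, "in_if": "GE0/0/1",
                                "sender_mac": client, "sender_ip": "10.0.0.1"}, now=2)
    # The client's binding replayed from a different access port.
    r["arp_spoof_port"] = sw.arp({"vlan": 10, "in_if": "GE0/0/3",
                                  "sender_mac": client, "sender_ip": "10.0.0.5"}, now=2)
    r["ip_ok"] = sw.ip({"vlan": 10, "in_if": "GE0/0/1", "src_mac": client, "src_ip": "10.0.0.5"}, now=2)
    r["ip_spoof"] = sw.ip({"vlan": 10, "in_if": "GE0/0/1", "src_mac": client, "src_ip": "10.0.0.77"}, now=2)
    r["ip_expired"] = sw.ip({"vlan": 10, "in_if": "GE0/0/1", "src_mac": client, "src_ip": "10.0.0.5"}, now=5000)
    return r
```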
The S5700 supports the integrated MAC address authentication and 802.1x authentication.
User information, such as the user name, IP address, MAC address, VLAN ID, access
interface, and a flag indicating whether antivirus software is installed on the client, can be
bound statically or dynamically, and policies (VLAN, QoS, and ACL) can be delivered
dynamically.
The S5700 can limit the number of MAC addresses learned on an interface to prevent
attackers from exhausting MAC address entries by using bogus source MAC addresses. In
this way, MAC addresses of authorized users can be learned and flooding is prevented.
The S5700 can implement complex traffic classification based on information such as the
5-tuple, IP precedence, ToS, DSCP, IP protocol type, ICMP type, TCP source port, VLAN, the
protocol type of an Ethernet frame, and CoS. The S5700 supports inbound and outbound
ACLs. The S5700 supports flow-based two-rate three-color CAR. Each interface
supports eight priority queues and multiple queue scheduling algorithms such as WRR, DRR,
SP, WRR+SP, and DRR+SP, which ensures the quality of network services such as voice,
video, and data services.
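The two-rate three-color CAR named above is the RFC 2698 marker. The following is an added example of that marker (not the S5700's implementation), with a constructed per-colour policy that forwards green packets, re-marks yellow ones to a higher drop precedence and drops red ones; the rates, burst sizes and packet sequence are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class TwoRateThreeColorMarker:
    """Colour-blind two-rate three-colour marker (RFC 2698).
    Rates are in bytes per second, burst sizes in bytes."""
    cir: float   # committed information rate
    cbs: float   # committed burst size
    pir: float   # peak information rate
    pbs: float   # peak burst size
    start: float = 0.0

    def __post_init__(self) -> None:
        if self.pir < self.cir or self.cbs <= 0 or self.pbs <= 0:
            raise ValueError("need pir >= cir and positive burst sizes")
        self.tc = self.cbs      # committed token bucket, initially full
        self.tp = self.pbs      # peak token bucket, initially full
        self.last = self.start  # time of the previous packet

    def _refill(self, now: float) -> None:
        if now < self.last:
            raise ValueError("packet timestamps must not go backwards")
        dt = now - self.last
        self.tc = min(self.cbs, self.tc + self.cir * dt)
        self.tp = min(self.pbs, self.tp + self.pir * dt)
        self.last = now

    def mark(self, size: int, now: float) -> str:
        """Return 'green', 'yellow' or 'red' for a packet of `size` bytes arriving at `now`."""
        self._refill(now)
        if self.tp < size:      # exceeds even the peak rate: red, no tokens consumed
            return "red"
        if self.tc < size:      # within peak but above committed rate: yellow
            self.tp -= size
            return "yellow"
        self.tp -= size         # within the committed rate: green
        self.tc -= size
        return "green"


# Constructed policing policy. DSCP 10/12 are AF11/AF12 (same class, higher drop
# precedence for yellow), matching the DSCP re-marking the text describes.
ACTIONS: Dict[str, Tuple[str, Optional[int]]] = {
    "green": ("forward", 10),
    "yellow": ("remark", 12),
    "red": ("drop", None),
}


def police(packets: Iterable[Tuple[float, int]], cir: float, cbs: float,
           pir: float, pbs: float) -> List[Tuple[str, str]]:
    """Run a (timestamp, size) sequence through one marker; returns (colour, action) per packet."""
    marker = TwoRateThreeColorMarker(cir, cbs, pir, pbs)
    out: List[Tuple[str, str]] = []
    for t, size in packets:
        colour = marker.mark(size, t)
        out.append((colour, ACTIONS[colour][0]))
    return out


# Constructed burst against CIR 1000 B/s (CBS 2000 B) and PIR 2000 B/s (PBS 3000 B):
# three packets at t=0 drain the buckets, one second later the committed bucket has
# refilled 1000 B and the peak bucket 2000 B.
SAMPLE = [(0.0, 1500), (0.0, 1000), (0.0, 1000), (1.0, 1500), (1.0, 1500)]
```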
Convenient Operation and Maintenance
The S5700 supports automatic configuration, plug-and-play, deployment from USB devices,
and batch remote upgrade. Upgrade and delivery of the S5700 can be completed at one time,
which simplifies management and maintenance. Maintenance costs are greatly reduced. The
S5700 supports diversified management and maintenance modes such as SNMPv1/v2/v3, CLI,
web network management, Telnet, and HGMP, which makes device management more
flexible. In addition, the S5700 supports NTP, SSHv2.0, TACACS+, RMON, multi-log host,
interface-based traffic statistics, and NQA, which helps to better deploy and adjust networks.
The S5700 supports GVRP. The GVRP technology implements dynamic configuration of
VLANs. In a complicated networking environment, GVRP can simplify VLAN configuration
and reduce network communication faults caused by incorrect configuration of VLANs. This
reduces the manual configurations of network managers and ensures correct VLAN
configurations.
The S5700 supports MUX VLAN. The MUX VLAN function is used to isolate Layer 2 traffic
between interfaces on a VLAN. Subordinate VLANs can communicate with the MUX VLAN
but cannot communicate with each other. MUX VLAN is usually used on enterprise intranets.
With this function, a user interface can communicate with a server interface but cannot
communicate with other user interfaces. MUX VLAN prevents communication between
network devices connected to some interfaces or interface groups but allows these devices to
communicate with the default gateway. This function ensures resource sharing and secure
communication in an enterprise.
The S5700 supports BFD and provides millisecond-level detection for protocols such as
OSPF, IS-IS, VRRP, and PIM to improve network reliability. Complying with IEEE 802.3ah
and 802.1ag, the S5700 supports point-to-point Ethernet fault management. It can detect faults
on user links. Ethernet OAM improves the network management and maintenance capabilities
on the Ethernet and ensures a stable network.
The S5700HI and the S5706 provide 3.3 ms hardware-based Ethernet OAM function and
Y.1731, which can quickly detect and locate faults. By using the Ethernet OAM technology
and switchover technologies, the S5700 can provide millisecond-level protection for
networks.
Rich IPv6 Features
The S5700 supports the IPv4/IPv6 protocol stack and can be upgraded smoothly. The S5700
hardware supports the IPv4/IPv6 protocol stack, IPv6 over IPv4 tunnels (including manual
tunnels, 6to4 tunnels, and ISATAP tunnels), and Layer 3 wire-speed forwarding. Therefore,
the S5700 can be deployed on IPv4 networks, IPv6 networks, and networks that
simultaneously run IPv4 and IPv6. This makes the networking flexible and meets the
requirements for the network transition from IPv4 to IPv6.
The S5700 supports various IPv6 routing protocols including RIPng and OSPFv3. It uses the
IPv6 NDP to manage packets exchanged between neighbors. It also provides the PMTU
mechanism to select a proper MTU on the path from the source to the destination, optimizing
network resources and obtaining the maximum throughput.
6.3.4 Product Specifications
Table 6-5 Main specifications of the S5700 series products
(Columns of the original table: S5706TP-LI, S5700-SI, S5700-EI, S5700HI. A value listed without a column applies to all four.)

Extended slot
- The S5706 has no extended slot.
- The S5700TP provides a stacking extended slot.
- The S5700C provides two extended slots. One supports subcards and the other supports stacking cards.
- The S5700HI provides an extended slot that supports subcards.
Forwarding performance (PPS)
- S5706: 9 Mbit/s
- S5724TP-SI/S5724TP-PWR-SI: 36 Mbit/s
- S5748TP-SI/S5748TP-PWR-SI: 72 Mbit/s
- S5728C-SI/S5728C-PWR-SI/S5728C-EI/S5728C-PWR-EI/S5728C-EI-24S/S57HI: 96 Mbit/s
- S5752C-SI/S5752C-PWR-SI/S5752C-EI/S5752C-PWR-EI: 132 Mbit/s
Interface switching capacity (bit/s)
- S5706: 12 Gbit/s
- S5724TP-SI/S5724TP-PWR-SI: 48 Gbit/s
- S5748TP-SI/S5748TP-PWR-SI: 96 Gbit/s
- S5728C-SI/S5728C-PWR-SI/S5728C-EI/S5728C-PWR-EI/S5728C-EI-24S/S57HI: 128 Gbit/s
- S5752C-SI/S5752C-PWR-SI/S5752C-EI/S5752C-PWR-EI: 176 Gbit/s
Backplane switching capacity
- 256 Gbit/s
MAC address table
- LI/SI: 16K; EI/HI: 32K
- Automatic learning and aging of MAC addresses
- Static, dynamic, and blackhole MAC address entries
- Packet filtering based on source MAC addresses
VLAN
- 4K VLANs
- Guest VLANs and voice VLANs
- VLANs based on MAC addresses, protocols, IP subnets, policies, and interfaces
- 1:1 and N:1 VLAN switching
- QinQ and selective QinQ
MPLS features
- S5706TP-LI: Not supported.
- S5700-SI: Not supported.
- S5700-EI: Not supported.
- S5700HI: Supports basic MPLS functions; supports MPLS VLL.
IPv4 route
- S5706TP-LI: Static route
- S5700-SI: Static route, RIPv1, RIPv2, ECMP, and URPF
- S5700-EI: The same as those of the SI, plus OSPF, IS-IS, and BGP; VRRP; policy-based routing; routing policy
- S5700HI: Same as those of the EI
IPv6 route
- S5706TP-LI: Static route
- S5700-SI: RIPng, OSPFv3, manual tunnels, 6to4 tunnels, and ISATAP tunnels
- S5700-EI: The same as those of the SI
- S5700HI: Same as those of the EI
IPv6 features
- ND
- PMTU
- IPv6 Ping, IPv6 Tracert, and IPv6 Telnet
- 6to4 tunnels, ISATAP tunnels, and manually configured tunnels
- ACLs based on the source IPv6 address, destination IPv6 address, Layer 4 interface, or protocol type
- MLDv1/v2 snooping
Multicast
- S5706TP-LI: Static Layer 2 multicast MAC address; MAC address-based multicast forwarding
- S5700-SI: IGMP snooping and IGMP fast leave; multicast VLAN; MLD snooping; IGMP proxy; controllable multicast; interface-based multicast traffic statistics
- S5700-EI: The same as those of the SI, plus IGMP v1/v2/v3; PIM-SM, PIM-DM, and PIM-SSM; MSDP
- S5700HI: Same as those of the EI
QoS/ACL
- Rate limit on packets sent and received by an interface
- Packet redirection
- Port-based traffic policing and two-rate and three-color CAR
- Eight queues on each port
- WRR, DRR, SP, WRR+SP, and DRR+SP queue scheduling algorithms
- WRED (supported by the S5706 and the S5700HI)
- Re-marking of the 802.1p priority and DSCP priority of packets
- Packet filtering on Layer 2 to Layer 4, filtering out invalid frames based on the source MAC address, destination MAC address, source IP address, destination IP address, port number, protocol, and VLAN ID
- Queue-based rate limit and port-based traffic shaping
Reliability
- STP, RSTP, and MSTP
- BPDU protection, root protection, and loop protection
- RRPP topology and RRPP multi-instance
- Smart Link tree topology, Smart Link multi-instance, and millisecond-level protection
- SEP
- BFD for OSPF, BFD for IS-IS, BFD for VRRP, and BFD for PIM (supported by the 5700EI/HI series)
- E-trunk
Security
- Hierarchical user management and password protection
- DoS attack defense, ARP attack defense, and ICMP attack defense
- Binding of the IP address, MAC address, interface, and VLAN
- Interface isolation, interface security, and sticky MAC addresses
- Blackhole MAC addresses
- Limit on the number of learned MAC addresses
- IEEE 802.1x authentication and limit on the number of users on an interface
- Multiple authentication methods including AAA, RADIUS, TACACS+, and NAC authentication
- SSH v2.0
- CPU protection
- Blacklist and whitelist
OAM
- S5706TP-LI: Hardware implementation; EFM OAM; CFM OAM; Y.1731 performance test supports hardware-level delay and jitter detection
- S5700-SI: Software implementation
- S5700-EI: Software implementation
- S5700HI: Hardware implementation; EFM OAM; CFM OAM; Y.1731 performance test supports hardware-level delay and jitter detection
Management and maintenance
- Intelligent stacking (excluding the S5700HI and the S5706)
- MFF
- Virtual cable test
- Ethernet OAM (IEEE 802.3ah and 802.1ag)
- Local port mirroring, remote switched port analyzer (RSPAN), and packet forwarding on observing ports
- Remote configuration and maintenance using Telnet
- SNMPv1/v2/v3
- RMON
- Network management system (NMS) and web NMS
- HGMP
- System logs and multi-level alarms
- Dying gasp power-off alarm (supported only by the S5706)
- GVRP
- MUX VLAN
- HTTPS
- 802.3az EEE (supported only by the S5700HI and the S5706)
Working environment
- Working temperature: 0°C to 50°C (long term); –5°C to 55°C (short term)
- Relative humidity: 10% to 90% (non-condensing)
Input voltage
AC power supply
- Rated voltage: 100 V to 240 V, 50/60 Hz
- Maximum voltage: 90 V to 264 V, 50/60 Hz
DC power supply
- Rated voltage range: –48 V to –60 V
- Maximum voltage: –36 V to –72 V
Note: Models supporting the PoE supply do not use DC power supplies.
Dimensions (H x W x D)
- S5706: 250 mm x 180 mm x 43.6 mm
- S5724TP-SI/S5724TP-PWR-SI/S57HI: 442 mm x 220 mm x 43.6 mm
- Others: 43.6 mm x 442 mm x 420 mm
Power consumption
- S5706TP-LI: S5706: < 40 W
- S5700-SI: S5724TP-SI: < 40 W; S5724TP-PWR-SI: < 455 W; S5748TP-SI: < 64 W; S5748TP-PWR-SI: < 907 W; S5728C-SI: < 56 W; S5728C-PWR-SI: < 891 W; S5752C-SI: < 78 W; S5752C-PWR-SI: < 917 W
- S5700-EI: S5728C-EI: < 60 W; S5728C-PWR-EI: < 472 W; S5728C-EI-24S: < 63 W; S5752C-EI: < 88 W; S5752C-PWR-EI: < 930 W
- S5700HI: S57HI: < 93 W
6.4 E8000E-X Series Firewall
6.4.1 Product Overview
Eudemon8000E-X (E8000E-X for short) is a next-generation high-performance firewall and
is applicable to carrier backbone networks, large-scale IDCs, and high-end industry users.
E8000E-X uses the distributed multi-core processor and network processor together with
specialized modular security software platform to provide high performance and service
flexibility, meeting requirements for future high-end network security devices.
6.4.2 Product Model
E8000E-X is available in the following models:
- E8000E-X3
- E8000E-X8
- E8000E-X16
E8000E-X3 contains AC and DC models.
Figure 6-6 E8000E-X appearance
Table 6-6 System configuration of E8000E-X models
(A value listed without a model applies to the E8000E-X3, E8000E-X8, and E8000E-X16 alike.)

MPU CPU processing capability
- E8000E-X3: dominant frequency 1 GHz
- E8000E-X8: dominant frequency 1.5 GHz
- E8000E-X16: dominant frequency 1.5 GHz
MPU BootROM capacity
- E8000E-X3: 1 MB
- E8000E-X8: 8 MB
- E8000E-X16: 8 MB
MPU SDRAM capacity
- E8000E-X3: 2 GB
- E8000E-X8: 4 GB
- E8000E-X16: 4 GB
MPU NVRAM capacity
- E8000E-X3: 1 MB
- E8000E-X8: 4 MB
- E8000E-X16: 4 MB
CF card
- 2 GB
MPU slot quantity
- 2
SFU slot quantity
- E8000E-X3: none
- E8000E-X8: 1
- E8000E-X16: 4
LPU slot quantity
- E8000E-X3: 3
- E8000E-X8: 8
- E8000E-X16: 16
Switching capacity
- E8000E-X3: 1.08 Tbit/s
- E8000E-X8: 1.44 Tbit/s
- E8000E-X16: 2.56 Tbit/s
Port capacity
- E8000E-X3: 40 Gbit/s
- E8000E-X8: 120 Gbit/s
- E8000E-X16: 240 Gbit/s
Maximum throughput supported by the SPU
- 2 x 10 Gbit/s
Maximum port rate supported by the LPU
- 4 x 10 Gbit/s
6.4.3 Product Characteristics
Industry No. 1 Performance, Coping with Surging Traffic
E8000E-X provides industry-leading performance:
- 10-Gigabit line-speed forwarding and a throughput of up to 200 Gbit/s easily address the challenges brought by Web 2.0 and promote commercial use.
- With up to 80,000,000 concurrent connections and overall performance coordinated with connection quality, E8000E-X supports Web 2.0 applications.
- With up to 5,000,000 new connections per second, E8000E-X easily meets the challenges of burst conditions such as surging traffic in rush hours and DDoS attacks, ensuring a smooth network.
With the overall penetration of wireless services, the number of mobile subscribers grows
rapidly. The concurrent access of numerous mobile subscribers imposes a higher requirement
for device performance. In addition, security problems in the transmission of wireless network
information become increasingly pressing. VPN devices are facing new challenges of stronger
processing capability and larger capacity. E8000E-X provides the best VPN performance in
the industry:
- Up to 320,000 concurrent VPN tunnels
- Up to 96 Gbps (3DES/DES) encryption performance
E8000E-X supports IKEv2 and enhances functions of user authentication, packet
authentication, and NAT traversal. E8000E-X removes potential risks of man-in-the-middle
attacks and DDoS attacks and supports wireless authentication protocols, such as EAP-SIM
and EAP-AKA. In addition, E8000E-X supports PKI/CA, and can authorize and authenticate
VPN access devices. All these features effectively safeguard wireless networks.
Distributed and Scalable Architecture, Improving the ROI
E8000E-X uses the distributed and scalable architecture with independent service processing
units (SPUs) and line interface processing units (LPUs), which can be configured as per
requirements. E8000E-X has flexible scalability, satisfying the demand of increasing service
traffic, and improving the ROI.
E8000E-X overall performance including the throughput, number of concurrent connections,
number of connections established per second, and other indexes increases linearly as the
number of SPUs grows.
End-to-End Reliability, Ensuring Service Continuity
E8000E-X provides comprehensive end-to-end reliability solution. With reliability of
high-end router level, E8000E-X ensures service continuity:
- Device-level reliability
  - Dual Main Processing Unit (MPU) backup supports a smooth switchover between MPUs.
  - N+1 backup of Switch Fabric Units (SFUs) enables inter-board data exchange and load balancing.
  - Load balancing and hot backup can be performed among the SPUs of E8000E-X. When an SPU is faulty, the system switches service traffic to other SPUs to ensure nonstop service transmission.
  - E8000E-X has redundant components. In addition, the power modules and fan modules are hot-swappable.
- Network-level reliability
  - E8000E-X supports dual-system hot backup in active/standby or load balancing mode based on the Huawei Redundancy Protocol (HRP). HRP backs up key configuration commands and session table status from the active device to the standby device so that services are switched smoothly.
  - E8000E-X can connect to dedicated external bypass devices. When E8000E-X is faulty, network traffic can be forwarded by the bypass device in a timely manner to ensure service continuity.
- Link-level reliability
  - E8000E-X supports inter-board interface binding to load balance traffic, improving link availability and increasing bandwidth.
  - E8000E-X supports Bidirectional Forwarding Detection (BFD) to detect network connectivity.
One-box Deployment, Lowering CAPEX
E8000E-X supports the following SPUs:
- Firewall SPUs
- IPS SPUs
- Anti-DDoS SPUs, including DDoS detecting SPUs and DDoS cleaning SPUs
Various SPUs can be installed on E8000E-X to enable integrated multi-service deployment.
This enhances network security and reduces the CAPEX.
E8000E-X can have different LPUs configured to provide various models, which are applied
to different security solutions:
- Security protection solution: provides isolated network planes for carriers, large IDCs, and enterprises.
- CGN solution: provides a smooth and mature transition solution from IPv4 to IPv6 for carriers.
- ATIC solution: provides an advanced anti-DDoS and flexible operation solution at the large-scale IDC and MAN egress.
6.4.4 Technical Specifications
Table 6-7 E8000E-X technical specifications
| Item | E8000E-X3 | E8000E-X8 | E8000E-X16 |
| Maximum throughput of each SPU | 20 Gbit/s | 20 Gbit/s | 20 Gbit/s |
| Maximum throughput of each LPU | 40 Gbit/s | 40 Gbit/s | 40 Gbit/s |
| Maximum-throughput configuration of the system | 1 x LPU + 2 x SPU | 3 x LPU + 5 x SPU | 6 x LPU + 10 x SPU |
| Maximum throughput of the system | 40 Gbit/s | 100 Gbit/s | 200 Gbit/s |
| Number of concurrent connections | 16,000,000 (8,000,000 x 2) | 40,000,000 (8,000,000 x 5) | 80,000,000 (8,000,000 x 10) |
| Number of new connections per second | 1,000,000 (500,000 x 2) | 2,500,000 (500,000 x 5) | 5,000,000 (500,000 x 10) |
| Maximum number of ACL rules | 128,000 | 128,000 | 128,000 |
| Mean time between failures | 25 years | 25 years | 25 years |
6.5 E1000E-X Series Firewall
6.5.1 Product Overview
Eudemon1000E-X is a next-generation carrier-class firewall for large and medium-sized
enterprises and carriers. It can be deployed at borders of carrier, enterprise, government,
finance, energy, and campus networks, suiting requirements for Gigabit and 10-Gigabit
firewalls.
E1000E-X is deployed at the egress of the enterprise network to limit the bandwidth, defend
against hacker attacks and DDoS attacks, prevent internal users from accessing unauthorized
websites, and provide a secure and reliable network.
6.5.2 Product Model
E1000E-X is available in three models: E1000E-X3, E1000E-X5, and E1000E-X6.
E1000E-X3/X5 is 1 U high and supports FIC/DFIC card slots. E1000E-X6 is 3 U high, and
supports FIC/DFIC and MIC/DMIC card slots.
Figure 6-7 E1000E-X series
6.5.3 Product Characteristics
Carrier-Class Reliability Design
E1000E-X provides power supply backup, fan backup, link bypass, and dual-system hot
backup and link backup, ensuring high reliability.
Advanced Performance
E1000E-X uses multi-core processor-based hardware architecture. With the multithreaded
processing design, E1000E-X provides excellent forwarding performance.
High-Density Interfaces
In addition to providing multiple fixed interfaces, E1000E-X supports interface cards for
expansion, featuring high interface density.
Excellent Networking Adaptability
E1000E-X supports Layer 2 and Layer 3 networking, various routing protocols, and the
virtual firewall function, which flexibly adapts to networks.
Diversified NAT Applications
E1000E-X supports multiple NAT functions, such as source IP address-based NAT for
Internet access through private IP addresses, NAT server, and NAT ALG, enabling mutual
access between private and public networks.
Extensive Authentication and Access Control Modes
E1000E-X provides multiple authentication and access control modes to manage access in a centralized manner.
Powerful Attack Defense Capability
E1000E-X supports enhanced packet filtering, stateful inspection, blacklist for filtering
malicious hosts, IP-MAC address binding, and powerful attack defense capabilities.
Powerful GTP Protection Function
E1000E-X provides a GTP solution with GPRS Support Node (GSN) products to safeguard
data transmission on the General Packet Radio Service (GPRS) network.
Secure VPN Applications
E1000E-X supports multiple VPN technologies, including IPSec, L2TP, GRE, and SSL VPN,
to provide secure communication tunnels for enterprises and users in different physical
locations.
Effective Online Behavior Management
E1000E-X uses Deep Packet Inspection (DPI) technology to inspect packets in depth, identify application-layer protocols, and control traffic of specific types. E1000E-X analyzes received packets, compares them with signatures in the knowledge base, classifies game, stock, P2P, IM, and VoIP traffic, and controls traffic of different protocols accordingly.
Enhanced UTM Functions
Based on the results of sophisticated application-layer analysis, E1000E-X integrates application-layer attack defense functions, such as IPS, antivirus, and URL filtering, to deal with various network security threats.
Comprehensive QoS Mechanism
E1000E-X supports multiple QoS mechanisms, such as traffic policing, traffic shaping, traffic
re-marking, congestion avoidance, and congestion management, as well as IP address-based
connection number and bandwidth limiting.
Integrated IPv4/IPv6 Solution
E1000E-X supports multiple IPv6 over IPv4 and IPv4 over IPv6 tunnels, and diversified IPv6
routing protocols.
6.5.4 Technical Specifications
Table 6-8 E1000E-X technical specifications
| Model | E1000E-X3 | E1000E-X5 | E1000E-X6 |
| Performance | | | |
| Throughput | 6 Gbps | 10 Gbps | 15 Gbps |
| 64-byte packet forwarding performance | 1.5 Gbps | 2 Gbps | 3 Gbps |
| IPSec VPN performance | 3 Gbps | 5 Gbps | 7 Gbps |
| Number of new connections established per second | 100,000/s | 150,000/s | 200,000/s |
| Maximum number of concurrent sessions | 2,000,000 | 3,000,000 | 4,000,000 |
| Maximum number of security policies | 30,000 | 30,000 | 30,000 |
| Maximum number of users | Unlimited | Unlimited | Unlimited |
| Expansion and I/O | | | |
| Standard interfaces | 4*GE electrical + 4*GE combo | 4*GE electrical + 4*GE combo | 4*GE electrical + 4*GE combo + 8*GE optical |
| Expansion slots | 2*FIC | 2*FIC | 2*MIC + 6*FIC |
| Interface module type | 10GE/GE electrical/GE optical/BYPASS card | 10GE/GE electrical/GE optical/BYPASS card | 10GE/GE electrical/GE optical/BYPASS card |
6.6 OSN 1800 Compact Multi-Service Edge Optical Transport Platform
6.6.1 Product Overview
The OptiX OSN 1800 Multi-Service Mini-WDM/OTN System (OptiX OSN 1800 for short)
combines the OTN and WDM features and enables operators to integrate multiple access
transport networks into a single network for energy, education, government, and large-scale
enterprise industries. This helps solve many problems faced by access transport networks. It
extends ITU-T G.709 OTN to 10 M to 10 G.
OSN 1800 reduces network construction and operation costs. PON over OTN solves the problem of high site rental costs caused by the large number of FTTx sites and facilitates maintenance. It helps you construct a network in which fewer nodes are used and nodes are managed in a centralized manner.
Figure 6-8 OptiX OSN 1800
6.6.2 Product Characteristics
Transmission of All Services over a Single Network
• Integrated service transmission and simplified networking
  All over WDM/OTN: The OptiX OSN 1800 encapsulates low-rate services (such as E1) and large-bandwidth services (such as 10G) into OTN frames for transmission. It applies to DSL, FTTx, and leased line services.
• Long-distance transmission with fewer nodes
  G.709 OTN is applied to the WDM system for the first time in the industry. The standard OTN interface supports the FEC function. After the OTN technology is applied to the traditional CWDM system, transmission up to 120 km (33 dB) is supported.
• Powerful service aggregation and integration, reducing the device quantity
  OSN 1800 supports 2xGE+2xFE, 2xGE+2xSTM-1, 4xGE, 8xGE, 4xAny, 8xAny, 8xEPON, and 4xGPON boards. All boards occupy only one slot. Boards at a rate of less than 5 Gbit/s are configured with a protection mechanism, which uses two interfaces to send traffic and selects one optimal interface to receive traffic.
Lower Maintenance Cost and Operation Cost
• Simplified networking, reducing node fees
  Multi-service, long-distance, and large-capacity transmission helps simplify the network structure. The service processing and switching equipment, network management system (NMS), and OSS system are configured at the central node. Equipment with simplified transport functions is deployed in unattended equipment rooms. Such networking improves maintenance efficiency and reduces the maintenance workload.
• OTN ESC
  OSN 1800 supports the optical supervisory channel (OSC) and G.709 OTN ESC. Without any additional investment in the NMS, all SDH and WDM/OTN devices are managed and maintained uniformly. NMS information does not pass through the IP network, which ensures security.
• Fan-free design, relieving maintenance
  Such a design improves reliability because fan module faults cannot occur.
Energy Saving and Reduced Power Consumption
• Unified networking, reducing power consumption
  With multi-service transmission, OSN 1800 integrates multiple transport networks into one network. This greatly reduces power consumption on the entire network.
• Fewer nodes
  The All over WDM/OTN technology allows service devices deployed at a large site to remotely connect to clients, reducing intermediate nodes by 30% to 90%. This also reduces node construction and management expenses.
• Low power consumption, comparable to a table lamp
  A 1 U device with 2*GE interfaces at a single site consumes less than 25 W, which is less than the power consumption of a table lamp.
Smooth Upgrade, Protecting Investments
• OSN 1800 allows expansion for single-wavelength, 18-wavelength CWDM, and 40-wavelength DWDM, meeting requirements for network capacity and protecting investments.
• Optical modules are hot swappable, reducing spare part expenses.
6.6.3 Technical Specifications
Chassis Specifications
The OptiX OSN 1800 series includes the OptiX OSN 1800 I chassis, the OptiX OSN 1800 II chassis, and the OptiX OSN 1800 OADM frame. OptiX OSN 1800 can be equipped with different functional boards to implement wavelength conversion, multiplexing/demultiplexing, wavelength add/drop, and optical power amplification.
The OptiX OSN 1800 OADM frame cannot be used independently; it can only be used as an expansion frame of the OptiX OSN 1800 I chassis or OptiX OSN 1800 II chassis to increase the number of wavelengths and implement low-cost networking.
• OptiX OSN 1800 I chassis
Table 6-9 Technical specifications of the OptiX OSN 1800 I DC chassis
| Item | Specifications |
| Dimensions (H x W x D) | 44 mm x 442 mm x 220 mm |
| Weight (empty chassis) | 4.5 kg |
| Maximum power consumption | 150 W |
| Rated current | 3 A |
| Working voltage | –48 V to –60 V DC |
Table 6-10 Technical specifications of the OptiX OSN 1800 I AC chassis
| Item | Specifications |
| Dimensions (H x W x D) | 44 mm x 442 mm x 220 mm |
| Weight (empty chassis) | 4.5 kg |
| Typical power consumption | 100 W |
| Rated current | 1 A |
| Working voltage | 100 V to 240 V AC |
• OptiX OSN 1800 II chassis
Table 6-11 Technical specifications of the OptiX OSN 1800 II DC chassis
| Item | Specifications |
| Dimensions (H x W x D) | 88 mm x 442 mm x 220 mm |
| Weight (empty chassis) | 7 kg |
| Maximum power consumption | 300 W |
| Rated current | 6 A |
| Working voltage | –48 V to –60 V DC |
Table 6-12 Technical specifications of the OptiX OSN 1800 II AC chassis
| Item | Specifications |
| Dimensions (H x W x D) | 88 mm x 442 mm x 220 mm |
| Weight (empty chassis) | 7 kg |
| Typical power consumption | 200 W |
| Rated current | 2.5 A |
| Working voltage | 100 V to 240 V AC |
• OptiX OSN 1800 OADM frame
Table 6-13 Technical specifications of the OptiX OSN 1800 OADM frame
| Item | Specifications |
| Dimensions (H x W x D) | 44 mm x 442 mm x 220 mm |
| Weight (empty chassis) | 4.5 kg |
| Maximum power consumption | <3.6 W |
| Rated current | 0.3 A |
| Working voltage | 12 V DC |
Main Optical Path Specifications
The following describes the characteristics of the optical interfaces at points MPI-S or S' and MPI-R or R', as well as the main optical path parameters.
The 16-wavelength system at a rate of 2.5 Gbit/s and 10 Gbit/s supports 1x36 dB
transmission.
Main optical path parameters of the DWDM system (G.652 fiber) (single span with the amplifier)
| Item | Unit | Performance Indicator (2.5 Gbit/s system) | Performance Indicator (10 Gbit/s system) |
| Span of line | - | 7x22 dB | 6x22 dB |
| Number of channels | - | 16 | 16 |
| Maximum bit rate of channel | Gbit/s | 2.5 | 10 |
| Optical interface at points MPI-S and S' | | | |
| Channel output power | dBm | ≥1 dBm | ≥1 dBm |
| Maximum total output power | dBm | 17 | 17 |
| Maximum channel power difference at point MPI-S | dB | 8 | 8 |
| Optical path (MPI-S - MPI-R) | | | |
| Maximum optical path penalty | dB | ≤2 | ≤2 |
| Line dispersion tolerance | - | 11200 ps/nm | 9600 ps/nm |
| Maximum discrete reflectance | dB | -27 | -27 |
| Optical interface at points MPI-R and R' | | | |
| Receiver sensitivity of each channel | dBm | -30 dBm (2.5 Gbit/s APD); -21 dBm (2.5 Gbit/s PIN) | -22 dBm (10 Gbit/s APD); -16 dBm (10 Gbit/s PIN) |
| Minimum channel optical signal-to-noise ratio at point MPI-R | dB | 15 | 20 |
| Maximum channel power difference at point MPI-R | dB | 10 | 10 |
Table 6-14 Main optical path parameters of the CWDM system (G.652 fiber)
| Item | Unit | Performance Indicator (2.5 Gbit/s system) | Performance Indicator (5 Gbit/s system) | Performance Indicator (10 Gbit/s system) |
| Span of line | - | 1x27 dB | 1x21 dB | 1x16 dB |
| Number of channels | - | 8 | 8 | 2 |
| Maximum bit rate of channel | Gbit/s | 2.5 | 5 | 10 |
| Optical interface at points MPI-S and S' | | | | |
| Channel output power | dBm | ≥2 dBm | ≥1 dBm | ≥1 dBm |
| Maximum total output power | dBm | 14 | 14 | 6 |
| Maximum channel power difference at point MPI-S | dB | 5 | 5 | 5 |
| Optical path (MPI-S - MPI-R) | | | | |
| Maximum optical path penalty | dB | ≤2 | ≤2 | ≤2 |
| Line dispersion tolerance | - | 2000 ps/nm | 1400 ps/nm | 1200 ps/nm |
| Maximum discrete reflectance | dB | -27 | -23 | -27 |
| Optical interface at points MPI-R and R' | | | | |
| Receiver sensitivity of each channel | dBm | -30 dBm (2.5 Gbit/s APD); -21 dBm (2.5 Gbit/s PIN) | -28 dBm (5 Gbit/s APD) | -24 dBm (10 Gbit/s APD) |
| Maximum channel power difference at point MPI-R | dB | 5 | 5 | 5 |
7 Data Center Success Stories
7.1 Data Center for Beijing Branch of Bank of China
Project Description
Figure 7-1 Data center for Beijing Branch of Bank of China
[Figure 7-1 diagram: Beijing data center for Bank of China. Core switches S9312-1 and S9312-2 in OSPF100 Area0; S9303 edge switches in areas 3D-3 (two), 3D-1 (two), 2A (two), 3A (four), and 3C (four).]
Requirements
• When data and services develop rapidly, network performance bottlenecks become a problem.
• The equipment room and rack space are insufficient.
• Power consumption and maintenance costs need to be reduced.
Solution
• Use an area-based design to transmit core NAS services.
• Use the best aggregation layer design. Multiple S9300s construct a non-blocking cluster, simplifying networking and management.
• Use an energy saving design.
Customer Benefits
• High-performance devices meet requirements for switching of a large amount of data.
• The aggregation layer design and energy saving design save rack resources and reduce power consumption by 30%.
• The non-blocking cluster implements carrier-class reliability and simplifies management.
7.2 Baidu Data Center
Project Description
Figure 7-2 Baidu data center
Requirements
• Service access increases and more than 100,000 servers are added every year. Servers perform calculation concurrently, requiring high reliability.
• Access and aggregation devices are required to provide high switching capacity and packet forwarding rate.
Solution
• The core and aggregation layers use S9300s and the access layer uses S5700s to construct a 10G line-speed data center network, meeting requirements for traffic bursts and peak bursts.
• The switches work with storage devices and servers to provide an end-to-end high-reliability solution.
Customer Benefits
• High-performance and large-capacity network devices meet requirements for switching of a large amount of data.
• The data center network is highly reliable and energy saving, with low delay, improving user experience and reducing the TCO.
7.3 Huawei Data Center
Project Description
Figure 7-3 Huawei data center
Requirements
• A large-scale data center is required, covering more than 100,000 employees, 250 branches around the world, 4000 services, and 2000 racks.
• R&D data must be protected.
Solution
• NE80E routers are used as core nodes. China and areas outside China use NE40 routers as aggregation nodes. Representative offices are connected using leased lines.
• MPLS VPN is used to isolate R&D and non-R&D services.
• The data center uses S9300 switches to forward services.
Customer Benefits
• The data center provides full support for core services such as ERP and ISC, and implements product management, financial management, sales management, and partner management.
• The data center is secure and reliable.
7.4 Disaster Recovery System for Brazil Santander Bank
Project Description
Figure 7-4 Disaster recovery system for Brazil Santander bank
Requirements
• Data and storage services require secure and reliable transmission.
• The system needs to be upgraded smoothly.
Solution
• Huawei OSN6800 is used to construct the SAN.
• Boards transmitting FC (FICON/ESCON) storage services and GE data services are provided.
Customer Benefits
• The network provides security for real-time data transmission.
• Flexible solutions meet requirements for the capacity, services, and distances.
• The system can be upgraded by increasing the wavelength quantity.
7.5 Disaster Recovery System for KPN in the Netherlands
Project Description
Figure 7-5 Disaster recovery system for KPN in the Netherlands
Requirements
• Data and storage services require secure and reliable transmission.
• The system needs to be upgraded smoothly.
Solution
• Huawei large-capacity 10G WDM devices establish a long-distance FC link.
• FC100/FC200/GE services are transmitted over a single wavelength.
Customer Benefits
• Core services are transmitted with high security and reliability.
• FC storage and IP services are transmitted uniformly, reducing the TCO.
• The system provides high-performance transmission and smooth upgrade.