ONE NET DCN Data Center Solution
V100R001C01

Technical Proposal

Issue 01
Date 2012-05-15

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2012. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: [email protected]

Issue 01 (2012-05-15) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. i

ONE NET DCN Data Center Solution Technical Proposal

Contents

1 Data Center Network Overview .... 1
1.1 Introduction to a Data Center .... 1
1.2 Services Transmitted on Data Center Networks .... 1
1.2.1 Data Service .... 2
1.2.2 Web Service .... 3
1.2.3 Computing Service .... 6
1.3 Overall Requirement for the DC Network .... 7
1.4 DC Network Solution .... 8
1.4.1 Design Principles of a DC Network .... 8
1.4.2 Solution Overview .... 9
1.5 Advantages of the DC Network Solution .... 10
2 Data Center Network Solution .... 13
2.1 Data Center Network Architecture .... 13
2.1.1 Overview .... 13
2.1.2 Data Center Logical Architecture .... 14
2.1.3 Physical Network Architecture .... 15
2.2 Core Zone Networking Planning .... 16
2.2.1 Physical Networking Planning .... 16
2.2.2 Physical Networking Planning in the Data Center Core Zone of Internet Enterprises .... 18
2.2.3 Reliability Planning .... 19
2.2.4 Security Planning .... 21
2.3 Server Zone Networking Planning .... 21
2.3.1 Physical Networking Planning .... 21
2.3.2 Channel Separating on Servers .... 23
2.3.3 Server FCoE Access Design .... 26
2.3.4 Reliability Planning .... 27
2.3.5 Traffic Model Planning .... 29
2.3.6 Security Planning .... 30
2.3.7 Service Load Balancing Planning .... 31
2.4 Storage Zone Networking Planning .... 36
2.4.1 Physical Networking Planning .... 36
2.4.2 Basic Planning for the Storage Zone .... 36
2.4.3 Reliability Planning .... 37
2.4.4 Security Planning .... 37
2.5 Interconnection Zone Networking Planning .... 38
2.5.1 Physical Networking Planning .... 38
2.5.2 Internet Access Zone .... 39
2.5.3 Extranet Zone .... 43
2.5.4 Intranet Zone .... 45
2.5.5 Branch Access Planning .... 46
2.5.6 Remote Access Planning .... 46
2.6 Management Zone Networking Planning .... 47
2.6.1 Physical Networking Planning .... 47
2.6.2 Reliability Planning .... 48
2.6.3 Security Planning .... 48
2.7 R&D and Test Zone Planning .... 49
2.7.1 Physical Network .... 49
2.7.2 Recommendation .... 50
2.8 VLAN Planning .... 50
2.8.1 VLAN Overview .... 50
2.8.2 Principles .... 50
2.8.3 Recommendation .... 51
2.9 IP Planning .... 51
2.9.1 IP Address Planning .... 51
2.9.2 DHCP Planning .... 52
2.9.3 DNS Planning .... 53
2.10 Route Planning .... 56
2.10.1 Routing Overview .... 56
2.10.2 IGP Design .... 57
2.10.3 BGP Design .... 58
2.11 VPN Planning .... 59
2.11.1 VPN Overview .... 59
2.11.2 Intranet VPN Service Isolation .... 59
2.12 QoS Planning .... 60
2.12.1 QoS Overview .... 60
2.12.2 QoS Planning Concerning Collaborative Computing .... 60
2.12.3 QoS Planning for Different Data Flows .... 62
3 Security Solution .... 63
3.1 Security Overview .... 63
3.2 Security Design .... 64
3.3 Security Network Structure .... 66
3.4 Firewall Deployment .... 68
3.5 Virtual Firewall .... 69
3.6 Traffic Cleaning .... 69
3.6.1 DPI .... 69
3.6.2 Layered Traffic Cleaning .... 70
3.6.3 Malformed Packet Attack Defense .... 71
3.6.4 Flood Type Attack Defense .... 71
3.6.5 Packet Type Attack Defense .... 72
4 Suggestions on Planning Multiple DCs .... 74
4.1 Inter-DC Connection .... 74
4.2 Network Architecture of Multiple DCs .... 75
4.3 Inter-DC Layer 2 Connection Planning .... 76
4.3.1 Inter-DC Layer 2 Connection .... 76
4.3.2 Fiber Interconnection Solution .... 77
4.3.3 VPLS Interconnection Solution .... 78
4.4 Inter-DC Layer 3 Interconnection Planning .... 79
4.4.1 Inter-DC Layer 3 Interconnection .... 79
4.4.2 L3VPN Interconnection Solution .... 79
4.4.3 Route Planning .... 80
4.4.4 BGP Design .... 80
4.5 Network Reliability Planning .... 82
4.5.1 Network Reliability Between Regional DCs and Global DCs .... 82
4.5.2 Network Reliability Between a Country/Region Branch and Regional DCs .... 83
4.6 Application Acceleration Planning .... 84
4.6.1 Application Acceleration Overview .... 84
4.6.2 Application Acceleration Technologies .... 85
4.6.3 Application Acceleration Design .... 86
4.7 Disaster Recovery Planning .... 87
4.7.1 Disaster Recovery Overview .... 87
4.7.2 Disaster Recovery Overview .... 90
4.7.3 Disaster Recovery Network Planning .... 94
4.7.4 Service Planning for Disaster Recovery .... 96
4.8 Service Distribution Planning .... 97
4.8.1 Service Distribution Overview .... 97
4.8.2 Service Distribution Planning .... 97
5 DC Network Maintenance Recommendations .... 100
5.1 Network Management .... 100
5.1.1 NMS Overview .... 100
5.1.2 Networking Mode .... 100
5.1.3 eSight Highlights .... 103
5.1.4 Network Routine Maintenance .... 104
5.1.5 Customization of Third-Party Devices .... 106
5.1.6 Software Upgrade and Patch Loading .... 106
5.1.7 Network Traffic Analysis .... 108
5.2 Troubleshooting .... 109
5.2.1 Troubleshooting Network Devices .... 109
5.2.2 Troubleshooting Servers .... 110
5.3 Network Expansion .... 111
5.3.1 Overview .... 111
5.3.2 Server Expansion .... 111
5.3.3 Device Expansion .... 112
5.3.4 Link Bandwidth Expansion .... 114
5.4 Disaster Emergency Maintenance .... 114
6 Recommended Products .... 115
6.1 S9300 Series Core Switches .... 115
6.1.1 Product Overview .... 115
6.1.2 Product Model .... 115
6.1.3 Product Characteristics .... 117
6.1.4 Specifications .... 118
6.2 S6700 Series Access Switches .... 120
6.2.1 Product Overview .... 120
6.2.2 Product Model .... 120
6.2.3 Product Characteristics .... 121
6.2.4 Main Specifications .... 123
6.3 S5700 Series Access Switches .... 127
6.3.1 Product Overview .... 127
6.3.2 Appearance .... 127
6.3.3 Product Characteristics .... 129
6.3.4 Product Specifications .... 132
6.4 E8000E-X Series Firewall .... 136
6.4.1 Product Overview .... 136
6.4.2 Product Model .... 137
6.4.3 Product Characteristics .... 138
6.4.4 Technical Specifications .... 140
6.5 E1000E-X Series Firewall .... 140
6.5.1 Product Overview .... 140
6.5.2 Product Model .... 141
6.5.3 Product Characteristics .... 141
6.5.4 Technical Specifications .... 142
6.6 OSN 1800 Compact Multi-Service Edge Optical Transport Platform .... 143
6.6.1 Product Overview .... 143
6.6.2 Product Characteristics .... 144
6.6.3 Technical Specifications .... 145
7 Data Center Success Stories .... 149
7.1 Data Center for Beijing Branch of Bank of China .... 149
7.2 Baidu Data Center .... 151
7.3 Huawei Data Center .... 152
7.4 Disaster Recovery System for Brazil Santander Bank .... 153
7.5 Disaster Recovery System for KPN in Netherlands .... 154
1 Data Center Network Overview

1.1 Introduction to a Data Center

Information is key to an enterprise's competitiveness. As network and communication technologies develop at an ever increasing rate, data centers (DCs) have become the core of the information an enterprise needs to do business. A well-designed data center improves the efficiency and development of an enterprise.

The DC of an enterprise is important because it hosts key service systems and is the center where the key data of the enterprise is managed. It controls user access, filters packets for security, processes service applications, computes information, and stores data for backup.

A DC consists of the following components:
- Equipment room
- Power supply system
- Network devices, including devices on the data network, computing network, and storage network
- Servers, including operating systems and application software
- Storage devices
- Security system
- Operation, administration, and maintenance (OAM) system

For enterprises, the trend is to integrate services and data in multiple DCs. This requires the enterprise network to provide a high level of performance and reliability. The Huawei DC network solution provides a high-performance, secure, and reliable network, which allows the DC to deliver high-quality services.

1.2 Services Transmitted on Data Center Networks

A DC deploys various service systems in a centralized mode to integrate them. This helps to analyze services, make decisions, and maximize the information production capability. A DC also provides web portals, which help to establish channels with customers and improve the enterprise's brand awareness, product promotion, and customer service. With the web portals, the enterprise can implement e-commerce and other Internet-based businesses.
In addition, a DC provides high-performance computing services, such as 3D rendering, medical research, gene analysis, and web search.

In an enterprise, a DC may provide all the preceding services concurrently. These services may be independent of each other or be integrated into a large service system. You must analyze the real situation when planning a network for the DC.

1.2.1 Data Service

Overview

The data service is the most basic service in a DC. Typical data services in an enterprise include file storage, mail service, and enterprise resource planning (ERP). The client/server (C/S) model is the basic service model.

Figure 1-1 Client/Server service model

The C/S model consists of the following two parts:
- Client (usually a PC). A client is deployed on a campus network or in an enterprise branch. SQL requests are sent from a fat client to the server, and SQL responses from the server are displayed in the application GUI.
- Server. A server is deployed in a DC and stores data in a dedicated storage device. As shown in Figure 1-1, a server used by the database is called the DB server, a server used by applications is called the App server, and data in the database is stored in a dedicated storage device (not shown in the figure).

The data service is processed as follows:
1. The client sends a request.
2. The server and the storage device receive and process the request.
3. The server sends a response to the client.

Network Requirements of the Data Service

The network requirements include:
- Traffic requirement
  Traffic is generated by requests and responses between the client and the server. Traffic is unbalanced and rises sharply during peak hours on special dates or periods. The network bandwidth must be planned to accommodate peak traffic, and certain bandwidth must be reserved for future growth and improvements.
  The number of clients and the number of concurrent services must also be considered in network bandwidth planning. The number of concurrent services is used to configure the bandwidth convergence ratio between network devices at different layers, because no network traffic is transmitted between servers.

  For example, the peak hour of each service falls on the closing date of a service or event, such as the closing date of production, a sale, or attendance services. If these closing dates fall on different dates, use the highest peak traffic rate of the three services as the network bandwidth peak. If the closing dates of these services fall on the same date, use the total peak traffic rate of the three services as the network bandwidth peak.

  The data service has no special requirements for delay as long as the user experience is met. In most cases, the response time of a database is less than 2 seconds. The forwarding delay of the DC network is less than 1 millisecond, a small proportion of the total response time. The forwarding delay of the WAN is about 300 milliseconds, and the time for processing data is tens of milliseconds. Some special services require short delays; for example, the stock exchange requires the network forwarding delay to be less than 5 milliseconds.

- Security requirement
  A DC is an integrated IT application environment where a large amount of data is stored. It requires the highest security in the IT system. In an enterprise, key services such as the financial service are transmitted as a data service and require high security. In addition to physical security measures, protection measures are also required on the network, including isolating different services and identifying and handling traffic attacks and virus attacks.
Services are isolated, enabling terminals to access only the servers of specified services.

• Reliability requirement
Reliability is required of the data service, and the requirement varies according to the service type (internal service or external service) on the network. The internal service system does not require high network reliability. A fault in part of a DC recovers within 20 to 30 minutes, and a fault in the entire DC recovers within 4 to 8 hours, during which services are provided from the backup DC. The external service system requires high network reliability. A fault in part of a DC recovers automatically or can be manually rectified within 10 minutes, while a fault in the entire DC recovers within 2 hours, during which services are provided from the disaster recovery center.

• Cloud-computing requirement
In most cases, service systems of the data service do not operate concurrently. To efficiently utilize server resources, deploy multiple virtual servers on a physical server to host different service systems. This is the easiest way to apply cloud computing. When deploying multiple virtual servers on a physical server, consider the bandwidth requirement of each service to prevent one service from occupying the bandwidth of other services on the same server.

In short, the network requirements of the data service are guaranteed bandwidth and security.

1.2.2 Web Service

Overview

As the Internet flourishes, the web service takes up a larger proportion of enterprise services. Two reasons account for the popularity of the web service in enterprises. The web service provides a convenient way for users to access information and perform e-commerce on the Internet. The web service also solves problems of the C/S model, such as the large workload of client software maintenance.
Figure 1-2 Web service model (web browser, web server, App server, DB server)

As shown in Figure 1-2, the web service model adds a web server and an App server to form a three-layer structure. Services are processed as follows:

1. The App server (App Server in Figure 1-2) processes services sent from the client on the web browser using HTML or HTTP.
2. The DB server and storage system provide DB services.
3. The web server displays information for users.

The three-layer structure enhances the flexibility of the service system. You can modify the service system on the web server, application server, or DB server. Users only need to refresh the web page on the web browser to view the modification.

Network Requirements of the Web Service

Unlike the data service, the web service requires a web server and an application server in the DC. Traffic is transmitted between the web and application servers, and between the application server and the DB server. The network requirements include:

• Traffic requirement
The web service traffic (such as requests and responses) is transmitted between the clients and servers, and also between the servers. The web service traffic, however, is unbalanced just like the data service traffic. You need to learn about the deployment modes before planning bandwidth. The web service can be deployed in layered and flattened modes, as shown in Figure 1-3 and Figure 1-4.
− To deploy a large number of web servers, application servers, and DB servers in a large DC, you can use the layered mode.
− To deploy a small number of servers in a small- or mid-scale DC, Huawei recommends the flattened deployment mode.
Figure 1-3 Layered deployment mode (separate iStack groups for the web, APP, and DB tiers)

Figure 1-4 Flattened deployment mode (one iStack for the web, APP, and DB servers)

In the layered deployment mode, bandwidth is planned for each layer. In the flattened deployment mode, traffic between servers is aggregated to one server and bandwidth is planned based on the total traffic volume. The traffic between clients and the DC is much smaller than that within the DC.

The web service traffic is transmitted through more servers and network devices than the data service traffic. Therefore, the web service requires a shorter network delay. The web service interaction process is different from the data service interaction process. The web server responds to the request from a client. The application server and DB server then process the request. Finally, the request information is displayed on web pages. Therefore, the delay of the web server's response to requests from clients must be short.

• Security requirement
In the web service mode, the client and DB server are isolated by the web server and application server. This enhances the security of the DB server and data. Traffic is transmitted among the web server, application server, and DB server hop by hop over the network channels, which is vulnerable to hop-by-hop attacks. Web services, especially services for Internet users, face more threats because:
− The attack sources are well organized and industrialized. Attacks may come from anywhere on the Internet.
− The service system is more complex. Security holes may exist in the operating system, web server, application server, and DB. A hole in one system may cause other systems to be compromised one by one.
− When internal users are accessing the Internet, they may be compromised by unauthorized users and used for attacks.

• Reliability requirement
In a three-layer structure, the web service is processed by servers at three layers together and interactions between servers are more frequent, so higher network reliability is required. The overall fault recovery time is not prolonged; however, the network reliability must improve so that the DC availability can remain unchanged in such a serial system. The error rate of the link between a switch and a server is 1 h/1000 h. In web service mode, a switch is connected to the web server, application server, and DB server, so three links are in series. Therefore, the link error rate is 1 − (1 − 1 h/1000 h)^3 ≈ 3 h/1000 h. If you want to keep the error rate of the entire service at 1 h/1000 h, reduce the per-link error rate to 20 min/1000 h.

In conclusion, the web service requires network bandwidth guarantee and security.

1.2.3 Computing Service

Overview

The computing service is a service requiring high computing performance, such as 3D rendering, medicine research, gene analysis, and web search. In the computing service mode, a large number of common servers work collaboratively as a cluster to process a computing task.

Network Requirements of the Computing Service

The computing service traffic is transmitted between servers, as shown in Figure 1-5.

Figure 1-5 Traffic of the computing service (server cluster: one APP server and many DB servers)

The application server distributes the computing service to a large number of DB servers, and the DB servers return the results to the application server.
The network requirements include:

• Instantaneous traffic buffering capability
The application server must have a scheduling mechanism to distribute services. Otherwise, the results sent from the DB servers arrive at the application server within a short time period, and the burst traffic rate exceeds the interface bandwidth on the application server. If the network cannot buffer the traffic, packets are lost and the application server cannot process all the services. This leads to more frequent interactions between the application server and DB servers and prolongs the overall processing time. Therefore, the network must be capable of buffering packets to eliminate packet loss.

• Non-blocking network
Different from the preceding cluster model, another cluster model requires servers to connect to each other. The service system needs to use the point-to-point communication mode, and any two servers may need to establish a connection and exchange services. Therefore, during network bandwidth planning, forwarding performance needs to be independent of device location; that is, a non-blocking network is required.

1.3 Overall Requirement for the DC Network

A DC has a large number of servers deployed and is not only the logical center of an enterprise network but also the source of services. Therefore, a DC should provide abundant bandwidth resources, secure and reliable devices, high-quality network management, and comprehensive value-added services. To create as much value as possible based on limited bandwidth when designing and constructing the DC network, focus on the following requirements:

Reliability

High reliability ensures successful operations of the DC. If the user experience on enterprise services (such as e-commerce or video services) deteriorates due to DC network faults, the
service expansion of an enterprise will be hindered, and users will not use the services, decreasing profits. Reliability is an important aspect when designing an enterprise DC network. The reliability design is achieved through redundant links, key devices, and key service modules.

Scalability

Each layer of the DC uses devices with a high port density to prepare for DC expansion. Devices on the Internet layer, intranet layer, core layer, and aggregation layer adopt a modular design so that the capacities of these devices can be expanded flexibly with the development of the DC network. The scalability of functions enables the DC to support value-added services. The DC provides functions such as load balancing, dynamic content replication, and VLAN to support value-added service expansion.

Manageability

A manageable network is the prerequisite for successful operation of the DC. The DC provides:

• Various optimized management information
• Complete QoS functions
• An integrated SLA management system
• The capability to manage devices of different vendors
• An independent background management platform for the DC and users to manage the networks

Security

As a concern of DC users, especially e-commerce users, security is a key factor during DC construction. DC security is ensured by security control for the physical space and the network. The DC provides an integrated security policy control system to ensure DC security.

1.4 DC Network Solution

1.4.1 Design Principles of a DC Network

The DC network design is based on the following principles:

• Modular architecture
The network is deployed in a modular architecture that can expand for service adjustment and development.

• High reliability
The network implements redundant backup of key devices and links. Highly reliable key devices are made up of hot-swappable boards and modules, and support redundancy of control modules and power supplies.
Network layers are reduced to simplify the network architecture and enhance networking reliability.

• Secure isolation
The DC network adopts effective security control policies that logically isolate data based on services and rights, and uses physical isolation methods to ensure the security of important service data. Services such as server-centered services, IP storage and backup services, and management services are isolated logically. The management network is isolated from other networks physically.

• Manageability and maintainability
The network is highly manageable. To facilitate maintenance, use integrated products with universal modules.

1.4.2 Solution Overview

As shown in Figure 1-6, to enhance the security, scalability, and maintainability of the network, the Huawei DC solution is divided into the service network, management network, and storage network.
Figure 1-6 Networking for the DC network solution (figure: campus, branches, carriers and Internet; WAN/MAN, DMZ and extranet zones; disaster recovery center; active DC with combined core layer, server iStacks, IP and FC storage zones, and DC management zone; legend)

• The service network consists of network access modules and server access modules.
• The management network consists of background management modules.
• The storage network consists of the storage system and the storage area network (SAN).

This technical proposal focuses on the service network and management network. Network access modules include routers, switches, firewalls, load balancers, and the unified threat management (UTM) system, which contains the firewall, intrusion detection/prevention system (IDS/IPS), antivirus, URL filtering, and SSL VPN. These modules provide a high-quality network infrastructure with density, availability, and security.
Server access modules are divided into different service zones based on the types and characteristics of the services provided to the user. The service zones are separated from each other logically or physically.

1.5 Advantages of the DC Network Solution

Using the cloud network as the core concept, the Huawei DC solution is sustainable and supports evolution, availability, pooling, and visualization. Customers can use these features to systematically cope with the challenges of the cloud-computing era.

Figure 1-7 Advantages of the DC network solution (figure: sustainable cloud network concept, cloud-computing service requirements, the advantages of evolution, availability, pooling and visualization, and the supporting switching, routing, transmission, management and security technologies and products)

• Evolution: ready for cloud computing and the virtual DC
• Availability: loop-free reliable (LFR) Ethernet for non-stop DCs
• Pooling: network resource pool for on-demand scheduling
• Visualization: intelligent and visualized NMS for unified IP&IT management
• Cloud network platform with a rate of 400 Gbit/s

Evolution

The core switches for the Huawei sustainable DC solution use the 10 Tbit/s non-blocking Clos (CLOS) architecture, which can be upgraded to 400 Gbit/s. These core switches support high-density 40*10GE service boards and 100GE
ports, and are fully capable of satisfying the capacity requirements of cloud-computing-based ultra-broadband DCs.

• Virtualization evolution
Huawei switches support virtual switching and policy detection defined in the IEEE 802.1Qbg VEPA standard. These functions dramatically improve the performance of virtual machines (VMs), provide a clear management model, and make traffic manageable and controllable. Huawei switches also support Intermediate System-to-Intermediate System (IS-IS)-based transparent routing bridge protocols such as IEEE 802.1aq and IETF TRILL. All these enhance network evolution capabilities and make it possible to seamlessly migrate VMs on a large scale.

• Desktop cloud fine-grained management
Huawei has introduced carrier-class BRAS deployment practices to desktop cloud DCs. These desktop cloud DCs support access and management of massive numbers of desktop cloud VMs and provide fine-grained bandwidth control and SLA-based hierarchical quality of service (HQoS) for VM users and services.

Availability

• End-to-end high-reliability architecture
The Huawei sustainable DC solution uses an end-to-end high-reliability architecture that achieves a 200 ms convergence time, ensuring business and service continuity for DCs. The LFR Ethernet technology is used to form a fast-convergence loop-free network, implementing Layer 2 switching from the aggregation layer to the access layer. Carrier-class bidirectional forwarding detection (BFD) and fast reroute (FRR) technologies are used for Layer 3 routing at the core layer and the upper layers. These technologies, together with equipment-level in-service software upgrade (ISSU) and redundant backup of key components, create a continuous DC.

• LFR Ethernet
Switches used in the Huawei sustainable DC solution use CSS+LAG+iStack technologies, which establish an LFR Ethernet network.
This network has a reliable physical-layer hard cluster, a convergence time of 200 ms, and a cluster bandwidth of 256 Gbit/s.

• Flattened no-packet-loss network
High-end switches used in the Huawei sustainable DC solution buffer data on 10GE/GE interfaces within 200 ms. The S12700 core switch and the S9300 switch (for EOR access) provide the following functions:
− Constitute a flattened network
− Implement end-to-end large-buffer deployment
− Bring low delay and prevent packet loss triggered by burst traffic for services such as distributed computing services

• IP+optical multi-level disaster recovery
The Huawei DC solution integrates optical transport devices and routers to provide a complete range of data- and service-level disaster recovery and backup capabilities. The optical transport network (OTN) devices provide 14 types of specialized storage interfaces, such as FC, FICON, and ESCON interfaces. These interfaces support real-time hardware backup between DCs and their disaster recovery centers. NE40E routers provide flexible network interconnections and an IP SAN between DCs.

Pooling

• On-demand resource scheduling
Multiple switches are virtualized into one logical switch using CSS and iStack technologies so that 100% of the network resources are shared. This is more efficient than switches using the conventional STP technology, where only 50% of the network resources are shared. A series of multi-instance technologies such as MPLS VPN and MCE ensure that resources in the network resource pool can be flexibly scheduled as required by services.

• Simplified network structure
One logical switch that is virtualized from multiple switches serves as one network element (NE) on the NMS. This simplifies the network architecture and reduces management and configuration workloads.
• Effective service isolation
Multi-instance technologies such as MPLS VPN and MCE ensure the isolation and security of DC services. In addition, access from multiple departments to DC servers can be controlled by flexibly configuring VPN access policies.

Visualization

• Unified IP&IT management
eSight, an intelligent NMS, can uniformly manage multiple devices and associated systems in DCs, such as network devices, servers, and enterprise application systems. It reduces costs and improves operation and maintenance efficiency. It provides open platforms that allow deep integration and wide collaboration with market-leading IT vendors such as IBM, HP, and Oracle. For details about Huawei OSS partners, visit http://www.huawei.com/partners/integrated_with_oss.do.

• Visualized topology management
eSight provides network topologies and service views, making service deployment and network configuration more visual and convenient.

• Graphical NetStream analysis
Switches and routers provide embedded NetStream boards or modules to monitor the distribution of DC services in real time. Using eSight, users can obtain graphical NetStream analysis reports and also easily make service plans.

2 Data Center Network Solution

2.1 Data Center Network Architecture

2.1.1 Overview

Traditional data center networks were constructed based on services, spaces, or buildings, and devices were deployed based on requirements. As a result, servers, storage devices, cabling, power supply, and cooling systems could not be correctly allocated or effectively controlled. This complicates service expansion. Currently, a data center network is partitioned into different zones based on services and security levels, and each zone is connected to the service core.
Inside a zone, the modular PoD design is used for network layout in accordance with the TIA-942 standard. Based on past experience in data center network construction, the TIA-942 standard imposes strict requirements for data center environment construction, standardizing data center network construction.

PoD Modularization

Point of Delivery (PoD) is a mature design concept and method. A PoD can be a modular, physical, or logical data center functional module. As required by enterprises, each PoD must include chassis, servers, network devices, and infrastructure. Modular deployment has the following advantages:

• Uses a scalable and flexible modular design, ensuring expansion based on service requirements and shortening the planning and deployment period.
• Improves investment efficiency and reduces the maintenance cost.
• Separates hot air from cold air, improving energy efficiency.

Zone Partition

• Definition of zone partition
Servers are added into different zones based on enterprise characteristics and scale, the relationship between service systems, and the requirements of security and management.

• Zone components
A zone has aggregation switches, firewalls, and load balancing devices. Each zone connects to the core switching device of a data center.

• Zone partition mode
A data center is often partitioned based on server type, preferentially considering cabling and infrastructure requirements, and is further partitioned based on service application layer and type. In practice, a data center is partitioned based on enterprise requirements using multiple modes.

2.1.2 Data Center Logical Architecture

Figure 2-1 shows the logical architecture of a DC.
Figure 2-1 Logical architecture of a DC (figure: access zone with Internet, intranet and extranet access zones and the DC connection zone; OAM zone with inband and outband management; basic service zone and DMZ; core switching; server zone, host zone and test zone PoDs; service zone and storage zone; external users, partners, Internet, branches and disaster recovery DCs over MAN, DWDM and WAN)

• Core network zone
This zone is the core of the DC network, and connects the inner server zone, enterprise intranet, partner enterprise network, disaster recovery center, and external user network.

• Server zone
Servers and application systems are deployed in this zone. Based on security and scalability, the server zone is divided into the production service zone, office service zone, testing service zone, the demilitarized zone (DMZ), and other service zones.

• Storage zone
Storage devices for the Fibre Channel (FC) SAN and IP SAN are deployed in this zone.

• Interconnection zone
In this zone, internal and external enterprise users are connected to the DC. Based on security and scalability, the interconnection zone is divided into the enterprise intranet, enterprise extranet, and the Internet.
− The intranet interconnects the headquarters and branches through the enterprise campus network and the wide area network (WAN).
− The enterprise extranet connects the partner enterprise network using the metropolitan area network (MAN) and WAN leased lines.
− The Internet allows public users, staff on business trips, and office users without a WAN network to access the Internet safely.
• Disaster recovery center interconnection zone
In this zone, disaster recovery centers in the same city are interconnected by transmission devices, and disaster recovery centers in different cities are interconnected by WAN leased lines.

• OAM zone
The network, server, application system, and storage devices are managed in this zone. The functions of the OAM zone include fault management, system configuration, device performance, and data security management.

2.1.3 Physical Network Architecture

Figure 2-2 Physical architecture of a DC (figure: Internet users, enterprise campus and branches, partner extranet and disaster recovery network reaching the active DC; link load balancers, firewalls and UTM; combined core layer (CSS) with load balancers, DNS, email and web servers; web, APP and DB server iStacks; control server and backup control zone; IP storage zone and FC switches)

In the modular data center architecture shown in Figure 2-2, the star topology with the core node as the root node is partitioned into five zones (core zone, server zone, storage zone, interconnection zone, and management zone), each of which expands independently.

• Core zone as the traffic hub
− The core zone employs core switches with a large capacity and high performance.
− High-density 10GE ports are deployed in this zone.

• Service zones and management zones
− Service zones can be extended independently.
− Server-centered networks for data, management, and storage can be extended independently.

• Interconnection zones
− The four interconnection zones can be extended independently.
− The disaster recovery interconnection network ensures that services can be smoothly migrated to other DCs.
• Storage zone
− Multiple access modes, Fibre Channel over Ethernet (FCoE), IP, and optical fiber, are supported.
− Multiple storage modes are supported.

• Disaster recovery zone
− Multiple disaster recovery modes are available, differentiating disaster recovery priorities.
− Multiple interconnection and disaster recovery modes are supported, ensuring uninterrupted services.

2.2 Core Zone Networking Planning

The core zone is the center of the whole DC network, and connects the server zone and the interconnection zone. The core zone transmits internal and external data traffic, and is the logical center for network reliability and security design.

2.2.1 Physical Networking Planning

The physical network connecting the core zone to the server zone is established in one of two ways: a Layer 3 design that deploys the core layer, aggregation layer, and access layer, or a flattened design that integrates the core layer with the aggregation layer.

Layer 3 Networking

Figure 2-3 shows the Layer 3 networking diagram. The core layer and the aggregation layer are separated in this networking. Each aggregation zone has security devices such as firewalls deployed.

Figure 2-3 Layer 3 networking (figure: egress layer, core layer CSS, convergence layer with firewall pairs, access layer iStacks; 10GE uplinks, GE server links and stack cables)

Flattened Networking

Figure 2-4 shows the flattened networking diagram. In the flattened networking, devices in the core zone and the aggregation zone are replaced by two large-capacity switches in a combined core zone. Security devices such as large-capacity firewalls are deployed in this zone. Huawei recommends the flattened networking, which simplifies the network topology and improves data transmission efficiency.
Figure 2-4 Flattened networking in the core zone

2.2.2 Physical Networking Planning in the Data Center Core Zone of Internet Enterprises

Internet enterprises mainly use computing services such as search, have a high volume of east-west traffic in the data center and a small oversubscription ratio, and have a limited number of service types. The two-layer flattened fat-tree architecture is used for networking. Two networking solutions, Layer 3 interconnection and TRILL interconnection, can be used for core interconnection.

Layer 3 Interconnection for a Flattened Network

This solution uses Layer 3 networking, in which a multi-plane fat-tree architecture is formed between the core and aggregation layers. This solution supports large-scale GE and 10GE server access. To implement this solution, a high-efficiency, balanced, and non-blocking network is required. This solution applies to applications and collaborative computing services in Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS) cloud computing environments, such as Hadoop, and provides a small traffic oversubscription ratio (1:1 to 2:1).

Figure 2-5 Layer 3 interconnection networking for a flattened network (OSPF or IS-IS Layer 3 routing across the planes)

This solution has the following characteristics:

• No more than three devices are required for communication between any two servers.
• IP routing-based ECMP supports 5-key hashing to implement flow-based load balancing, ensuring high link efficiency.
• Networks are scalable. A network can be extended to a maximum of 16 planes, and then the network hierarchy can be increased to further expand the network.

TRILL Interconnection for a Flattened Network

This solution uses the TRILL technology.
A non-blocking network is composed of the core layer and the aggregation/access layer, on which TRILL is deployed at the TOR edge to implement Layer 2 switching of data center services. This solution uses the TRILL and gateway cascading technologies and has the same networking as a traditional Layer 2 solution. The Huawei TRILL OAM scheme is used to provide a flattened network with the same convenient maintenance as an IP network. This solution applies to scenarios where large-scale Layer 2 networks need to be built, for example, enterprise networks on which a large number of resources need to be shared and a large number of virtual machines need to be migrated.

Figure 2-6 TRILL interconnection networking for a flattened network (figure: Layer 3 routing above a TRILL Layer 2 switching domain; nickname-to-MAC mapping; vSwitches carrying VM1, VM2 and VM3)

This solution has the following characteristics:

• Builds a large Layer 2 network, supports multi-path load balancing, and improves network efficiency.
• Supports resource sharing and virtual machine migration on the entire network.
• Uses the TRILL and gateway cascading technologies, saving additional gateways and reducing the network construction cost.

2.2.3 Reliability Planning

As shown in Figure 2-3 and Figure 2-4, redundancy of devices and links ensures the reliability of the DC network. If the access layer runs Layer 3 routing protocols and communicates with the core layer through Layer 3 routing, Bidirectional Forwarding Detection (BFD) and equal-cost paths are deployed to implement fast fault detection and switchover and improve the usage of redundant links. In most cases, Layer 3 routing protocols run at the core layer, which results in Layer 2 loops between the access layer and the core layer.
Figure 2-7 shows the design that protects the network against Layer 2 loops using the Spanning Tree Protocol (STP) and the Virtual Router Redundancy Protocol (VRRP).

Figure 2-7 STP networking (firewalls and load balancers attached to the core; a triangular loop between the access and core layers)

As shown in Figure 2-7, dotted lines represent links that are blocked by STP. This plan uses the standard STP protocol to integrate devices from multiple vendors into a hybrid network. The disadvantages of the plan are:
- Long convergence time
  The traditional STP technology makes the network converge slowly. It takes more than 10 seconds to restore services after a fault occurs. RSTP increases the convergence speed to some extent, but convergence still takes several seconds. A service interruption of several seconds lowers the user experience.
- Low link usage
  If the servers in a rack belong to the same VLAN, the bandwidth of one of the two uplinks cannot be used, so the bandwidth usage is only 50%. The Multiple Spanning Tree Protocol (MSTP) optimizes the bandwidth usage per VLAN but cannot solve the problem completely.
- Complex configuration that is difficult to maintain, and frequent faults on the network
  Every access switch or aggregation switch needs to run STP. When more access switches are added to the network, STP processing becomes more complicated, which reduces network reliability.

Loop-free networking with cluster and stacking is used to overcome these disadvantages.

Figure 2-8 Loop-free networking (CSS cluster with firewalls and load balancers at the core; iStack stacks joined by 10GE/GE stack cables at the access layer)

The combined core layer uses two framed switches as a cluster. The access layer uses box switches to form a stack system. Links between switches at the access layer and the combined core layer form an Eth-Trunk.
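The two load-sharing claims above, the 5-tuple hash of the Layer 3 ECMP design in section 2.2.2 and the 50% versus 100% uplink usage of STP versus Eth-Trunk, come down to the same mechanism: a deterministic hash of the flow's 5-tuple selects one active member link, so every packet of a flow follows one path and idle links only exist when a protocol has blocked them. The following simulation is an added example written for this page, not code from the proposal or from Huawei; the flows, link names and the round-robin-free modulo selection are constructed assumptions, and real switches use a vendor-specific hash rather than SHA-256.

```python
import hashlib
from collections import Counter
from typing import Iterable, NamedTuple, Sequence


class Flow(NamedTuple):
    """The 5-tuple that identifies a flow."""
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int


def five_tuple_hash(flow: Flow) -> int:
    """Deterministic hash of the 5-tuple. hashlib is used instead of the
    built-in hash(), which is salted per process and not reproducible."""
    key = "|".join(str(field) for field in flow).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big")


def select_member(flow: Flow, active_members: Sequence[str]) -> str:
    """Pick the ECMP path or Eth-Trunk member link for a flow. Every packet of
    the same flow maps to the same member, so a flow is never reordered."""
    if not active_members:
        raise ValueError("no active member links")
    return active_members[five_tuple_hash(flow) % len(active_members)]


def distribute(flows: Iterable[Flow], active_members: Sequence[str]) -> Counter:
    """Number of flows carried by each active member link."""
    return Counter(select_member(f, active_members) for f in flows)


def link_utilisation(counts: Counter, all_links: Sequence[str]) -> float:
    """Fraction of the physical links that carry at least one flow."""
    return sum(1 for link in all_links if counts[link] > 0) / len(all_links)


# Constructed sample traffic: 400 TCP flows from servers in 10.0.0.0/16 to
# application servers in 10.1.0.0/16, each with a distinct source port.
SAMPLE_FLOWS = [
    Flow(f"10.0.{i % 8}.{i % 250 + 1}", f"10.1.{(i * 7) % 8}.{(i * 3) % 250 + 1}",
         6, 40000 + i, 8080)
    for i in range(400)
]

UPLINKS = ["uplink-A", "uplink-B"]   # the two uplinks of an access switch (constructed names)


def stp_distribution() -> Counter:
    """STP blocks uplink-B, so every flow is forced onto uplink-A."""
    return distribute(SAMPLE_FLOWS, ["uplink-A"])


def trunk_distribution() -> Counter:
    """Loop-free Eth-Trunk: both uplinks are active members."""
    return distribute(SAMPLE_FLOWS, UPLINKS)


def fat_tree_distribution(planes: int = 16) -> Counter:
    """Layer 3 ECMP across up to 16 core planes, as in the fat-tree design."""
    return distribute(SAMPLE_FLOWS, [f"plane-{n}" for n in range(planes)])


if __name__ == "__main__":
    print("STP   :", dict(stp_distribution()),
          "utilisation", link_utilisation(stp_distribution(), UPLINKS))
    print("Trunk :", dict(trunk_distribution()),
          "utilisation", link_utilisation(trunk_distribution(), UPLINKS))
    print("ECMP16:", sorted(fat_tree_distribution().items()))
```

Two properties are worth checking when auditing such a design: the per-link split is statistical, so a few elephant flows can still load one member more than another, and modulo selection remaps many flows when a member fails, which is acceptable for stateless switching but matters for any stateful device (firewall, load balancer) sitting on one of the paths.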
The loop-free networking design has the following advantages:
- Simplified management and configuration
  The cluster and stacking networking reduces the number of managed nodes by more than half. In addition, it simplifies the network topology and configuration because it does not need complex protocols such as STP, Smart Link, and VRRP.
- Fast convergence
  The convergence time is less than 10 ms after a fault occurs, which significantly reduces the impact on services caused by link and node faults.
- High bandwidth usage
  Links form a trunk so that the bandwidth usage reaches 100%.
- Easy capacity expansion, saving investment
  When new services are provided, the enterprise can add devices directly to upgrade the network. The network capacity can be expanded without changing the network configuration, saving users' investments.

The loop-free networking improves the network reliability rate from 99.9% to 99.9999%. Downtime on a single link is reduced from 1 hour to 3.6 seconds per 1000 hours.

Framed switches are provided in the core zone to ensure network reliability in the following ways:
- The MPUs work in backup mode.
- The power supplies work in backup mode.
- Fans are modular, so a single-fan failure does not affect system running.
- All modules are hot swappable.
- The CPU defense function is configured.
- Complete alarm functions are provided.

2.2.4 Security Planning

Firewalls are provided in the core zone to ensure network security in the following ways:
- Restrict communication between server zones to isolate services.
- Restrict communication between the enterprise campus network and server zones to ensure access security between clients and servers.
- Restrict communication between the enterprise branch network and server zones to ensure access security between clients and servers.

2.3 Server Zone Networking Planning

2.3.1 Physical Networking Planning

Access switches are placed in server racks or in independent network cabinets to provide Layer 2 switching functions. Switches in server racks are top-of-rack (TOR) switches, and those in independent network cabinets are end-of-row (EOR) switches.

Figure 2-9 TOR/EOR networking diagram (servers connected through cabling panels to access switches, which connect to the aggregation switches)

The TOR access mode is applicable to high-density rack servers, and the EOR access mode is applicable to low-density cabinet servers, such as small servers. Table 2-1 shows the differences between the two modes.

Table 2-1 Differences between EOR and TOR access modes
Item            | TOR | EOR/MOR
Server type     | 1RU rack server | 1RU rack server, blade server, minicomputer
Server quantity | 15 to 30 servers | 8 to 12 servers
Scenario        | High-density server cabinet | Low-density server cabinet, server cabinet, and network cabinet
Cabling         | Simplified cabling between server cabinet and network cabinet | Complex cabling
Maintenance     | Complex management and maintenance because there are many access devices; simple cable maintenance and good scalability | Simple maintenance because there are a small number of access devices; complex cable maintenance

Servers access the network in the following ways:
- A large number of mid-range and low-end rack servers access the network through access switches.
- A small number of high-end servers are connected directly to core/aggregation switches to guarantee bandwidth.
- Blade servers without built-in switches access the network through access switches.
- Blade servers with built-in switches connect directly to core/aggregation switches to reduce the number of network layers and improve network performance.

Figure 2-10 Access modes for servers (CSS core; iStack access switches joined by 10GE and GE stack cables; mid-range and low-end rack servers, blade servers with and without built-in switches, and high-end servers with large switches)

2.3.2 Channel Separation on Servers

The processing capacity of a server CPU has improved significantly as processors have developed from a single core to 128 cores. Compared with the CPU, the I/O capacity is still limited, and I/O has become the bottleneck. To fully use the high-performance CPU, a server must work in multiple channels and use multiple network ports that are physically isolated.

Figure 2-11 Multiple channels on a server (foreground service network; in-band NMS; backup and IP storage network; out-of-band NMS; HBA to the SAN network)

Figure 2-11 shows multiple channels on a server. A server has four types of ports that are used to access the following networks:
- Service network
- Network management and keyboard, video, mouse (KVM) network
- SAN network
- Backup and IP storage network

A server working in multiple channels has the following advantages:
- Improves the I/O capacity.
- Separates the traffic of different services securely.
Figure 2-12 shows the logical networking architecture of multiple channels on a server.

Figure 2-12 Separated networks (DC backbone network; management network, one channel; service network, multiple channels; backup and IP storage network, one channel; FC storage network, one channel)

The server zone is divided into four physically isolated networks: the service, management, storage, and backup networks. The server accesses the different networks through separate network interface cards (NICs). Figure 2-13 shows the physical network topology.

Figure 2-13 Physical network topology

2.3.3 Server FCoE Access Design

In most cases, servers need to access multiple networks to provide service transmission, storage, and computing services, so management and cabling of the server zone are complex. As server input/output (I/O) technologies such as 10GE develop, server I/O performance is no longer a bottleneck. Therefore, integration of multiple access networks is a trend in server design.

Fiber Channel over Ethernet (FCoE) is a technology that integrates the FC storage network with the service network. FCoE transmits Fiber Channel (storage) traffic over Ethernet. FCoE requires a lossless 10GE network. In FCoE, converged network adapter (CNA) cards are installed on servers to allow the servers to access storage networks over Ethernet. Ethernet is made lossless using the Data Center Bridging (DCB) protocols. DCB includes the following key technologies:
- Priority-based Flow Control (PFC): allows high-priority services to preferentially use network bandwidth, ensuring no packet loss for storage services over integrated links.
- Enhanced Transmission Selection (ETS): guarantees a minimum bandwidth for each service class.

Figure 2-14 FCoE design (CE12800 switches as FCFs connected to the FC storage SANs; CE6800 TOR switches as FSBs; servers with CNAs; common Ethernet, FCoE, and FC links)

Figure 2-14 shows an FCoE solution:
- Servers connect to switches (TORs) through CNA network cards.
- TORs implement service isolation and forward FC traffic to the FC switches of the storage network.
- FIP snooping is configured on TORs to prevent unauthorized users from accessing the storage zone, which improves FCoE network security.
- With the dual-plane topology design of the storage network, servers connect to different TORs through dual network cards and finally to different fiber planes.

In the server zone, FCoE is used to integrate access services onto a storage network. FCoE access has the following advantages:
- Reduces the number of interface cards on servers, the number of cables and access devices, and the data center investment.
- Simplifies cabling in the server zone.
- Saves management and maintenance costs in the server zone.
- Reduces power consumption in the server zone.

2.3.4 Reliability Planning

Overall Reliability Planning

Server zone reliability includes the reliability of the network, devices, and servers.
- Loop-free cluster and stacking networking ensures network reliability.
- Access switches are stacked to ensure device reliability.
- Dual NICs ensure server reliability. The network driver binds multiple NICs into a virtual NIC, which has a single IP address for communicating with external devices. The server supports NIC teaming: if a NIC fails, the standby NIC uses the same MAC address. The two NICs work in active/standby mode or in load balancing mode to improve reliability.
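The NIC teaming behaviour described above, and the two requirements that the following subsections attach to it (the active/standby ports must be in the same VLAN so the gratuitous ARP can update the stack's MAC table, and load-balancing ports must be bundled so the shared MAC does not flap between ports), can be checked with a small model of the stacked access switch. The model below is an added example written for this page, not code from the proposal or from Huawei; the MAC addresses, port names (GE1/0/1 and GE2/0/1) and VLAN numbers are constructed, and the MAC table is simplified to source learning with no ageing.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    vlan: int


@dataclass
class AccessStack:
    """Two stacked access switches seen as one device with one MAC table,
    keyed by (VLAN, MAC). Physical ports may be bundled into an Eth-Trunk,
    in which case the table records the trunk, not the member port."""
    port_vlan: Dict[str, int]
    trunk_of: Dict[str, str] = field(default_factory=dict)
    mac_table: Dict[Tuple[int, str], str] = field(default_factory=dict)
    moves: int = 0   # times an existing entry changed port (MAC flapping)

    def receive(self, in_port: str, frame: Frame) -> bool:
        """Source-MAC learning; a VLAN mismatch drops the frame (returns False)."""
        if self.port_vlan[in_port] != frame.vlan:
            return False
        logical = self.trunk_of.get(in_port, in_port)
        key = (frame.vlan, frame.src_mac)
        if key in self.mac_table and self.mac_table[key] != logical:
            self.moves += 1
        self.mac_table[key] = logical
        return True

    def outbound_port(self, vlan: int, dst_mac: str) -> Optional[str]:
        """Port used to reach dst_mac in vlan (None means unknown, flood)."""
        return self.mac_table.get((vlan, dst_mac))


@dataclass
class TeamedServer:
    """Two NICs bound into one virtual NIC that shares one MAC address."""
    mac: str
    ports: Tuple[str, str]   # stack ports that NIC1 and NIC2 are cabled to
    vlan: int
    active: int = 0

    def send_from(self, stack: AccessStack, nic: int, dst_mac: str) -> bool:
        return stack.receive(self.ports[nic], Frame(self.mac, dst_mac, self.vlan))

    def fail_over(self, stack: AccessStack) -> bool:
        """Active NIC fails: switch to the standby NIC and announce the MAC
        from it with a gratuitous ARP (a broadcast frame from the new NIC)."""
        self.active = 1 - self.active
        return self.send_from(stack, self.active, BROADCAST)


SERVER_MAC = "00:00:5e:00:53:01"   # constructed; plays the role of MAC1/MAC2 in the figures
GATEWAY_MAC = "00:00:5e:00:53:fe"  # constructed core-layer gateway MAC
P1, P2 = "GE1/0/1", "GE2/0/1"      # constructed: one port on each stack member
VLAN = 10


def active_standby_failover(same_vlan: bool) -> Tuple[Optional[str], Optional[str]]:
    """Outbound port for the server MAC before and after failover. With both
    ports in the same VLAN the entry moves to the standby NIC's port; otherwise
    the gratuitous ARP is dropped and the stack keeps forwarding to the dead NIC."""
    stack = AccessStack(port_vlan={P1: VLAN, P2: VLAN if same_vlan else 20})
    server = TeamedServer(SERVER_MAC, (P1, P2), VLAN)
    server.send_from(stack, 0, GATEWAY_MAC)          # normal traffic from NIC1
    before = stack.outbound_port(VLAN, SERVER_MAC)
    server.fail_over(stack)
    after = stack.outbound_port(VLAN, SERVER_MAC)
    return before, after


def load_balancing_flaps(bundled: bool, frames: int = 8) -> int:
    """Both NICs transmit in turn. Without an Eth-Trunk the MAC entry flaps
    between the two ports on every frame; with the ports bundled it never moves."""
    trunk = {P1: "Eth-Trunk1", P2: "Eth-Trunk1"} if bundled else {}
    stack = AccessStack(port_vlan={P1: VLAN, P2: VLAN}, trunk_of=trunk)
    server = TeamedServer(SERVER_MAC, (P1, P2), VLAN)
    for i in range(frames):
        server.send_from(stack, i % 2, GATEWAY_MAC)
    return stack.moves


if __name__ == "__main__":
    print("same VLAN  :", active_standby_failover(True))
    print("mixed VLAN :", active_standby_failover(False))
    print("flaps, no trunk:", load_balancing_flaps(False), " with trunk:", load_balancing_flaps(True))
```

The mixed-VLAN case is the one to watch for in an audit: the failover looks successful from the server's side (the standby NIC is up and sent its announcement), but the stack still points the server's MAC at the failed port, so traffic is silently black-holed until the entry ages out.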
Dual NICs in Active/Standby Mode

The two NICs in active/standby mode have the same MAC address (such as MAC1 in Figure 2-15). When the active NIC fails, the server switches the traffic to the standby NIC and sends a gratuitous ARP packet from the standby NIC. Network devices must process gratuitous ARP packets properly to switch the traffic to the new path.

Figure 2-15 Networking for server reliability (cluster at the combined core layer; stack at the access layer; active/standby NICs NIC1 and NIC2 sharing MAC1; load-balancing NICs NIC1 and NIC2 sharing MAC2)

Figure 2-16 shows the change of the data transmission route. Data is transmitted along the green route using the active NIC. If the active NIC fails, the data transmission route changes from the green one to the purple one.

Figure 2-16 Change of the data transmission route using active and standby NICs (cluster at the combined core layer; stack at the access layer; active NIC NIC1 and standby NIC NIC2, both with MAC1)

When the access switch receives the gratuitous ARP packet, it changes the outbound interface for MAC1 to the link connected to the standby NIC. You need to add the two ports of the active and standby NICs to the same VLAN and bundle the links so that the outbound interface can be updated when a switchover occurs. Switches at the combined core layer do not detect route changes at the access layer when the gratuitous ARP packet is received, because they connect to the access switches through trunk links.

Dual NICs in Load Balancing Mode

The two NICs in load balancing mode have the same MAC address (such as MAC2 in Figure 2-17). Both NICs can transmit and receive data. To shield the switches from the MAC address flapping between ports, stack the access switches and bundle the links on the ports of the two NICs. Figure 2-17 shows the change in data transmission routes.
Data is transmitted along the green routes using both NICs. If a NIC fails, the data transmission routes change from the green ones to the purple ones.

Figure 2-17 Change in data transmission routes with load-balancing NICs (cluster at the combined core layer; stack at the access layer; NIC1 and NIC2 in load balancing mode, both with MAC2)

Switches at the combined core layer do not detect route changes at the access layer because they are connected to the access switches through trunk links. Therefore, data is still sent to the access switch on the left, forwarded to the switch on the right through the stacking link, and then forwarded to the server.

2.3.5 Traffic Model Planning

Traffic in a data center includes south-to-north traffic and east-to-west traffic.
- South-to-north traffic is the traffic exchanged between internal servers in a data center and external clients, which is also called client/server traffic. Client/server traffic consists of the data requests and responses exchanged between external clients and internal servers, as indicated by the blue curved line in Figure 2-18.
- East-to-west traffic is the traffic exchanged between internal servers in a data center, which is also called server/server traffic, as indicated by the purple curved line in Figure 2-18.

Figure 2-18 Traffic analysis within a data center (core layer, aggregation layer, access layer, and access devices)

The service traffic model determines the network deployment model used by a data center. The following uses the web service as an example. Generally, two deployment models are available: the hierarchical deployment model and the flat deployment model.
- In a large data center, there are many web, application, and database servers, which can be deployed in different zones. In this case, the hierarchical deployment model is recommended.
- The flat deployment model is recommended for a small- or medium-scale data center that has a small number of servers.

Figure 2-19 Service traffic model (fat client with an application GUI exchanging SQL requests and responses with an application server and a DB server; web browser reaching the web server, application server, and DB server over HTTP/HTTPS)

Figure 2-19 shows the traffic model in the web-APP-DB application mode. The traffic model determines the device model, because different devices meet different traffic performance requirements.
- Switches and routers perform Layer 2 and Layer 3 packet forwarding without dealing with connections or sessions. Their major traffic indicators are throughput, delay, and packet loss rate.
- Firewalls and load balancing devices deal with connections and sessions. Their major traffic indicators are the rate at which new connections are created and the total number of concurrent connections. Connections are categorized into short connections and long connections by duration.
  - A short connection often lasts several seconds, such as HTTP access. Short connections place requirements on a device's capability to process new connections.
  - A long connection often lasts more than 15 seconds, even several minutes, hours, or days, such as a Telnet connection, an FTP connection for a large file, or an online video connection. Long connections place requirements on a device's capability to process concurrent connections.

2.3.6 Security Planning

Planning Roadmap

The service zone faces risks of unauthorized access and intrusions from hackers. Security planning for the service zone includes the following items:
- Access control
  Access control includes restricting unauthorized access to internal servers and implementing service isolation.
  - You can configure ACLs on the access switches or firewalls connected to internal servers to restrict access to internal servers from unauthorized IP addresses.
  - You can configure ACLs or VLANs to isolate different services. You are also advised to use VLANs to isolate the web, application, and database servers of the same service.
- Transmission security
  Transmission security can be ensured using encryption technologies such as SSL VPN, or using ACLs.
- Management security
  To ensure management security, managing devices and managed devices use high-security communication protocols, such as SSH, IPSec, and SNMPv3.

Deployment Suggestions

Suggestions on security deployment in the server zone are as follows:
- Configure service isolation on aggregation devices.
  Configure VLANs on aggregation devices to isolate different services in the server zone, such as the web service and the application service. In addition, configure ACLs to restrict access from unauthorized IP addresses so as to prevent unauthorized access between different services.
- Deploy NetStream to analyze and manage traffic.
  Generally, you can use out-of-band management, configure dedicated NetStream cards to monitor the traffic to servers, and adjust security, management, or routing policies accordingly. This helps you learn the service requirements and keep the servers working properly.
- Deploy high-performance firewalls in bypass mode at the aggregation layer.
  - Firewalls can be chassis devices or firewall clusters.
  - Firewalls often work in Layer 3 mode and run IGPs.
  - Untrusted traffic is directed to the firewalls for policy control, whereas trusted traffic is forwarded directly by the switches.
  - A firewall can be virtualized into multiple firewalls, which are then assigned to different VPNs to protect different services.
- Deploy IPS for the core servers that process key services to defend against application-layer attacks.
- Use dual-system hot backup on firewalls and IPS devices.

2.3.7 Service Load Balancing Planning

Overview

Service load balancing is often implemented using server load balancing (SLB). SLB provides the load balancing service for a group of servers. Servers in a group are often deployed in the same data center and provide the same or similar services. SLB is the most popular networking model used by data centers. SLB extends the lifetime of servers by distributing traffic across multiple servers, reducing server hardware upgrade expenditure. In addition, SLB prevents service interruption caused by single-server failures, improving service availability.

According to the load balancing mode, SLB is classified into NAT mode and triangulation mode. NAT mode is further classified into destination NAT mode and client NAT mode.

Destination NAT Mode

In destination NAT (DNAT) mode, load balancing devices perform load balancing based on the destination IP address of access requests. In DNAT mode, the servers in a group share the same virtual server IP address (VSIP), and the destination address of all access requests is this VSIP. The load balancing device performs NAT to translate the VSIP in each access request to the actual IP address of a server, and then the access request is sent to that server.

Figure 2-20 DNAT load balancing (VSIP 202.16.3.1; client to LB: source Client IP/random port, destination VSIP/VSIP port; LB to server: source Client IP/random port, destination Server IP/server port; servers 172.16.0.1, 172.16.0.2, and 172.16.0.3 behind a switch)

Table 2-2 shows the load balancing process in DNAT mode.
Table 2-2 Load balancing process in DNAT mode
1. The client sends a service request packet. (Source IP: Client IP; Destination IP: VSIP)
2. The load balancing device distributes the service request packet to a server according to the load balancing algorithm and the DNAT technology. (Source IP: Client IP; Destination IP: Server IP)
3. The server receives and processes the request packet, and returns a response packet. (Source IP: Server IP; Destination IP: Client IP)
4. After receiving the response packet, the load balancing device translates the source IP address and forwards the packet. (Source IP: VSIP; Destination IP: Client IP)

In DNAT mode, the response packet returned by a server must pass through the load balancing device; otherwise, the client discards the response packet because the packet has an invalid source IP address. Because both request and response packets are forwarded by the load balancing device, a load balancing device with low throughput becomes a bottleneck in network performance.

Client NAT Mode

The client NAT mode and DNAT mode are similar in implementation: both translate the destination IP address of the access request sent by a client from the VSIP to the actual IP address of a server. Different from DNAT mode, client NAT mode also translates the source IP address. Therefore, the return traffic from a server must be forwarded by the load balancing device. The server does not need to have routes to the client, but must have routes to the load balancing device.
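The address rewriting in Table 2-2 and in the client NAT description above, and the third mode covered in the Triangulation Mode subsection that follows, can be traced packet by packet with the simulation below. It is an added example written for this page, not code from the proposal or from Huawei. The VSIP, server and LB addresses are the ones in Figures 2-20 and 2-21; the client address, the ports, the round-robin choice standing in for the load balancing algorithm and the MAC labels are constructed assumptions. It goes beyond the tables in one respect: it also shows why a DNAT reply that bypasses the load balancer is rejected by the client, and why a triangulation-mode server needs the VSIP on a loopback interface.

```python
from dataclasses import dataclass, replace
from itertools import count, cycle
from typing import Dict, Optional, Tuple

# Addresses taken from Figures 2-20 and 2-21
VSIP = "202.16.3.1"
LB_IP = "172.16.5.1"
SERVERS = ["172.16.0.1", "172.16.0.2", "172.16.0.3"]
CLIENT_IP, CLIENT_PORT, SERVICE_PORT = "198.51.100.7", 41000, 80   # constructed


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    dst_mac: str = "next-hop-mac"   # Layer 2 destination; only triangulation rewrites it


class LoadBalancer:
    def __init__(self, mode: str):
        if mode not in ("dnat", "client_nat", "triangulation"):
            raise ValueError(mode)
        self.mode = mode
        self._pick = cycle(SERVERS)        # round-robin stands in for the LB algorithm
        self._ports = count(20000)         # source ports the LB uses in client NAT mode
        self.last_server = ""
        # reverse-translation state: (server, reply dst ip, reply dst port) -> client
        self.sessions: Dict[Tuple[str, str, int], Tuple[str, int]] = {}

    def forward_request(self, pkt: Packet) -> Packet:
        """The packet as the chosen server receives it."""
        server = self.last_server = next(self._pick)
        if self.mode == "dnat":
            self.sessions[(server, pkt.src_ip, pkt.src_port)] = (pkt.src_ip, pkt.src_port)
            return replace(pkt, dst_ip=server)
        if self.mode == "client_nat":
            lb_port = next(self._ports)
            self.sessions[(server, LB_IP, lb_port)] = (pkt.src_ip, pkt.src_port)
            return replace(pkt, src_ip=LB_IP, src_port=lb_port, dst_ip=server)
        # triangulation: IP header untouched, only the destination MAC changes
        return replace(pkt, dst_mac=f"mac-of-{server}")

    def forward_response(self, pkt: Packet) -> Packet:
        """Reverse translation for a reply that came back through the LB."""
        client_ip, client_port = self.sessions[(pkt.src_ip, pkt.dst_ip, pkt.dst_port)]
        return replace(pkt, src_ip=VSIP, dst_ip=client_ip, dst_port=client_port)


def server_reply(req: Packet, server_ip: str, vsip_on_loopback: bool) -> Optional[Packet]:
    """The server answers only if the destination address is one it owns.
    In triangulation mode the request still carries the VSIP, so the server
    needs the VSIP configured on a loopback interface; otherwise it drops it."""
    owned = {server_ip} | ({VSIP} if vsip_on_loopback else set())
    if req.dst_ip not in owned:
        return None
    return Packet(req.dst_ip, req.src_ip, req.dst_port, req.src_port)


def run(mode: str, bypass_lb_on_return: bool = False) -> Tuple[Packet, Packet, bool]:
    """Returns (packet seen by the server, packet seen by the client, accepted).
    The client accepts a reply only if it comes from the VSIP and service port
    it sent to, which is why DNAT and client NAT replies must cross the LB."""
    lb = LoadBalancer(mode)
    request = Packet(CLIENT_IP, VSIP, CLIENT_PORT, SERVICE_PORT)
    to_server = lb.forward_request(request)
    reply = server_reply(to_server, lb.last_server, vsip_on_loopback=(mode == "triangulation"))
    if reply is None:
        raise RuntimeError("server dropped the request")
    if mode == "triangulation" or bypass_lb_on_return:
        to_client = reply                           # the switch forwards it directly
    else:
        to_client = lb.forward_response(reply)
    accepted = (to_client.src_ip, to_client.src_port, to_client.dst_ip,
                to_client.dst_port) == (VSIP, SERVICE_PORT, CLIENT_IP, CLIENT_PORT)
    return to_server, to_client, accepted


if __name__ == "__main__":
    for mode in ("dnat", "client_nat", "triangulation"):
        print(mode, *run(mode), sep="\n  ")
    print("dnat, reply bypassing the LB:", run("dnat", bypass_lb_on_return=True)[2])
```

Note that in client NAT mode the reply is addressed to the LB itself, so there is no way for it to bypass the load balancer; that is the property the text uses to relax the routing requirements on the servers.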
Figure 2-21 Load balancing in client NAT mode (VSIP 202.16.3.1; LB IP 172.16.5.1; client to LB: source Client IP/random port, destination VSIP/VSIP port; LB to server: source LB IP/random port, destination Server IP/server port; servers 172.16.0.1, 172.16.0.2, and 172.16.0.3 behind a switch)

Table 2-3 shows the load balancing process in client NAT mode.

Table 2-3 Load balancing process in client NAT mode
1. The client sends a service request packet. (Source IP: Client IP; Destination IP: VSIP)
2. The load balancing device distributes the service request packet to a server according to the load balancing algorithm and the client NAT technology. (Source IP: LB IP; Destination IP: Server IP)
3. The server receives and processes the request packet, and returns a response packet. (Source IP: Server IP; Destination IP: LB IP)
4. After receiving the response packet, the load balancing device translates the source and destination IP addresses and forwards the packet. (Source IP: VSIP; Destination IP: Client IP)

Triangulation Mode

In triangulation mode, the load balancing device only balances the access request traffic, whereas a switch directly forwards the return traffic, as shown in Figure 2-22.

Figure 2-22 Load balancing in triangulation mode (VSIP 202.16.3.1; LB IP 172.16.0.254; client to LB: source Client MAC/Client IP/random port, destination next-hop MAC/VSIP/VSIP port; LB to server: source LB MAC/Client IP, destination Server MAC/VSIP; the servers 172.16.0.1, 172.16.0.2, ... behind a switch, each also configured with the VSIP 202.16.3.1)

Table 2-4 shows the load balancing process in triangulation mode.

Table 2-4 Load balancing process in triangulation mode
1. The client sends a service request packet.
   Remarks: The source IP address is the IP address of the client, and the destination IP address is the VSIP.
2. The load balancing device obtains a server MAC address through ARP and distributes the service request packet to a server according to the load balancing algorithm.
   Remarks: The source IP address is the IP address of the client, the destination IP address is the VSIP, and the destination MAC address is the MAC address of the server.
3. The server receives and processes the request packet, and directly returns a response packet to the client without sending it to the load balancing device.
   Remarks: The source IP address is the VSIP, and the destination IP address is the IP address of the client.

In triangulation mode, the request and return traffic take different paths. The traffic path between the client and server is client --> LB --> server --> client, which forms a triangle. The return traffic from the server does not pass through the load balancing device, so the performance of the load balancing device does not become a network bottleneck. Triangulation mode is suited to the video on demand (VoD) service. On each server, in addition to configuring a private IP address on the same network segment as the load balancing device, you also need to configure a loopback interface carrying the VSIP. The configuration is therefore more complex.

SLB Deployment Suggestions

Figure 2-23 Deployment location (egress router, core layer, aggregation layer, server zone A, and server zone B)

A load balancing device is usually deployed in one of the following modes:
- The load balancing device is deployed on a core switch in bypass mode, allowing servers in all zones to share the load balancing function.
  In this networking, only the NAT load balancing mode can be used, which requires the round-trip traffic of the load balancing service to pass through the load balancing device. Therefore, high load balancing device performance is required. This mode suits a small- or medium-scale data center, or a data center that is entirely one Layer 2 network environment, in which a load balancing device is suitably deployed on a core switch.
- The load balancing device is deployed on an aggregation switch in bypass mode, allowing load balancing devices to be deployed per zone.
  Deploying load balancing devices per zone reduces the performance requirements on each device and provides higher reliability. Server gateways can be deployed on the aggregation switches or on the load balancing devices.
- The load balancing device is deployed at the access layer, which applies to scenarios where some services need complicated engines that are tightly coupled with the load balancing service. The load balancing devices dedicated to these services are maintained by the server administrators.

In scenarios requiring high reliability, you can also configure dual-node hot standby for load balancing devices in active/active or active/standby mode.

2.4 Storage Zone Networking Planning

2.4.1 Physical Networking Planning

The storage zone covers the IP storage network and the SAN storage network. The IP storage network carries the traffic of services whose data is saved on network attached storage (NAS).
The NAS carries:
- Data traffic generated between a specified application server and the NAS
- Large amounts of network traffic generated by virtualized services

Figure 2-24 Network architecture for the storage zone

2.4.2 Basic Planning for the Storage Zone

Basic planning for the storage zone is as follows:
- Small-scale switch zone: This zone is an isolated zone.
- Open application platform:
  - The open application platform has two arrays, and each array has two core switches to ensure availability.
  - Edge devices and core devices are connected to one another by multiple links to prevent traffic overload.
- Integrated storage zone: Devices are classified by service class in this zone.
- IP storage zone: The IP storage zone is separated from the other zones. Devices are deployed in this zone to compress the traffic transmitted in the Entire Fiber Channel Frame over IP (FCIP) channel and accelerate data transmission. Data is synchronized and saved through an IP/Multiprotocol Label Switching (MPLS) network. Virtualization speeds up data transmission between servers and storage devices.
- Management zone: Operators allocate and manage the storage network and storage resources in this zone.
- Disaster backup in the same city: The active DC and the disaster recovery center in the same city are connected through a dense wavelength division multiplexing (DWDM) network.

Use the following configuration to implement real-time or quasi-real-time data exchange between the active DC and the backup DC:
- Use the carrier's MPLS VPN or a virtual leased line based on the virtual private LAN service (VPLS) to transmit data traffic between servers on the IP storage networks of the active DC and backup DC.
- Use bare optical fibers or a DWDM network to transmit data between the SAN storage networks of the active DC and backup DC. This implements quasi-real-time data transmission at a high speed with a short delay.

Virtualization increases the data exchange between servers and storage devices, so switches must access the NAS storage network through 10G links.

2.4.3 Reliability Planning

The IP storage network uses loop-free networking with cluster and stacking to enhance reliability. For details on loop-free networking with cluster and stacking, see section 2.3 "Server Zone Networking Planning."

2.4.4 Security Planning

The SAN storage zones are isolated using SAN-specific isolation technology. To restrict network access, the IP storage network is divided into separate zones using VLAN or VPN technology.

2.5 Interconnection Zone Networking Planning

2.5.1 Physical Networking Planning

Figure 2-25 Networking in the interconnection zone

The interconnection zone is divided into the following connection zones based on access modes and services:
- Intranet zone: Intranet users access the DC through the WAN or the LAN.
- Internet zone: External users access the DC through the Internet.
- Extranet zone: Extranet users access the DC through the WAN or the LAN.

You can assign an isolated zone to the VPN users in the Internet zone.
2.5.2 Internet Access Zone
Figure 2-26 Networking in the Internet zone (figure: Internet users reach the DMZ (DNS, email, web and application servers on an iStack with LBs) through the LLB and UTM devices and the SSL VPN and IPSec VPN gateways; the combined core layer of the active DC carries the FW, CSS and LB)

Figure 2-26 shows the Internet zone devices, such as routers, link load balancers, and unified threat management (UTM) devices. The UTM devices must provide firewall and intrusion prevention system (IPS) functions.

Reliability Planning
The firewall and the IPS are important network devices located at the network egress. Their location and functions require high reliability. To ensure Internet zone reliability, deploy devices in pairs: routers, link load balancers, and UTM devices (including firewalls and the IPS). Each pair can be configured to work in load balancing mode or in active/standby mode. When one device fails, the other continues to work independently, minimizing the impact of the fault on services.

Security Planning
An Internet access zone is exposed to DDoS attacks, unauthorized service access, network intrusions, and abnormal traffic. To defend against these threats, first deploy devices that defend against DDoS attacks, then configure firewall security policies to block unauthorized service access, network intrusions, and abnormal traffic. Alternatively, deploy both an IPS and a firewall so that the IPS can instruct the firewall to take action once it detects an attack. The following deployment scheme is recommended:
- Deploy an anti-DDoS device at the Internet egress to filter out attack traffic.
  - Deploy the anti-DDoS device in bypass or inline mode.
  - When the anti-DDoS device is deployed in bypass mode, feed it traffic using port mirroring or optical splitters on an egress router.
  - Associate the IPS with a firewall and deploy a cleaning center to defend against DDoS attacks.
- Deploy two layers of firewalls in the Internet access zone.
  - Deploy both layers of firewalls in inline mode, and configure dual-node hot standby for each layer.
  - The first layer of firewalls isolates the Internet access zone from external networks and must have strong attack defense capabilities. These firewalls can be associated with anti-DDoS or IDS devices to filter out unauthorized traffic.
  - The second layer of firewalls isolates the Internet access zone from the data center service zone and must have high performance. In most cases, only traffic from the DMZ is allowed through these firewalls, preventing unauthorized access.
- Configure NAT on the firewalls. NAT translates an external IP address to an internal IP address so that an external user can access an internal server or other data center zones without learning the internal network structure of the data center.
- Deploy an IDS device behind a firewall. The IDS detects malicious code, attack behavior, and attacks in application data traffic. If the IDS detects an attack, it instructs a firewall to block it.
- Deploy VPN gateways to ensure secure access for mobile users.
  - You can deploy SSL VPN gateways and IPSec VPN gateways. IPSec VPN gateways suit site-to-site access, whereas SSL VPN gateways suit web-based client-to-site access.
  - You can deploy independent IPSec VPN and SSL VPN gateways, or use a firewall for unified access.

Load Balancing Planning
When a data center accesses the Internet through multiple ISPs, a link load balancing (LLB) device is often used to balance incoming and outgoing traffic.
Compared with route-based load balancing, LLB balances traffic without complex routing protocols, and it does so dynamically and intelligently. In addition to sharing links, LLB steers incoming and outgoing traffic to the optimal link according to the destination network, solving the poor service experience caused by slow interconnection between carriers. LLB can be implemented in the inbound and outbound directions:
- Outbound LLB: uses SmartNAT.
- Inbound LLB: uses SmartDNS.

Figure 2-27 Outbound load balancing (figure: the LLB, in front of the UTM and the DMZ zone, selects different egress links to ISP1 and ISP2 according to policy)

Table 2-5 Outbound load balancing process

Step | Description | Remarks
1 | An internal server in the data center sends a request packet, which passes through the LLB device. | -
2 | The LLB device selects the router connected to ISP2 as the egress gateway according to the configured load balancing algorithm, and uses SmartNAT to translate the internal IP address to an external IP address assigned by ISP2. | Multiple default gateway IP addresses can be configured on the LLB device to form a default gateway pool.
3 | The Internet server receives and processes the request packet and returns a response packet along the original path to the LLB device. | Because the source address of the outgoing traffic was translated to an ISP2 address, the return traffic also comes back along the original path.
4 | The LLB device receives the response packet, translates the external IP address back to the internal IP address, and forwards the packet to the internal server in the DMZ. | -
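The process in Table 2-5, as an added example written for this page and not code from the Huawei proposal or from any LLB product: a small model of an LLB that picks an egress ISP per flow, rewrites the source address to that ISP's public address (SmartNAT) and keeps the mapping so that the reply can be translated back. The ISP names, addresses, the static destination policy and the RTT-based selection rule are assumptions made for the example.

```python
"""Added example, not from the Huawei proposal: a minimal model of the
outbound link load balancing process in Table 2-5.  For each new flow the LLB
picks an egress ISP, rewrites the source address to that ISP's public address
(SmartNAT) and records the mapping, so that the reply, which the Internet
routes back to the same ISP, can be translated back to the internal server.
ISP names, addresses and the two selection rules below are assumptions."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class IspLink:
    name: str
    gateway: str      # egress router for this ISP (member of the default gateway pool)
    public_ip: str    # address SmartNAT uses for flows sent through this link
    rtt_ms: float     # measured link quality used for dynamic selection
    up: bool = True   # link health as seen by the LLB's probes


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class LinkLoadBalancer:
    links: list
    # static policy: destination network -> preferred ISP, e.g. the carrier that
    # hosts the destination, so traffic avoids the slow carrier interconnection
    static_routes: dict = field(default_factory=dict)
    # SmartNAT state: (public_ip, nat_port) -> (internal src, sport, ISP name)
    nat_table: dict = field(default_factory=dict)
    next_port: int = 20000

    def healthy_links(self):
        return [link for link in self.links if link.up]

    def select_link(self, dst):
        """Policy: static destination segment first, then best measured RTT."""
        healthy = self.healthy_links()
        if not healthy:
            raise RuntimeError("no healthy ISP link")
        addr = ipaddress.ip_address(dst)
        for net, isp in self.static_routes.items():
            if addr in ipaddress.ip_network(net):
                for link in healthy:
                    if link.name == isp:
                        return link
        return min(healthy, key=lambda link: link.rtt_ms)

    def outbound(self, pkt):
        """Step 2 of Table 2-5: choose the egress and translate the source."""
        link = self.select_link(pkt.dst)
        nat_port = self.next_port
        self.next_port += 1
        self.nat_table[(link.public_ip, nat_port)] = (pkt.src, pkt.sport, link.name)
        return Packet(link.public_ip, nat_port, pkt.dst, pkt.dport), link.gateway

    def inbound(self, pkt, arrived_on):
        """Step 4: reverse translation.  The reply must arrive on the ISP whose
        address it is sent to; anything else has no SmartNAT entry and is dropped."""
        entry = self.nat_table.get((pkt.dst, pkt.dport))
        if entry is None or entry[2] != arrived_on:
            return None
        src, sport, _ = entry
        return Packet(pkt.src, pkt.sport, src, sport)


def build_demo_llb():
    """Two constructed ISP links; 192.0.2.0/24 is pinned to ISP1 by policy."""
    return LinkLoadBalancer(
        links=[IspLink("ISP1", "203.0.113.1", "203.0.113.10", rtt_ms=30.0),
               IspLink("ISP2", "198.51.100.1", "198.51.100.10", rtt_ms=12.0)],
        static_routes={"192.0.2.0/24": "ISP1"},
    )


def demo():
    llb = build_demo_llb()
    req = Packet("10.0.3.20", 40000, "198.18.5.5", 443)    # DMZ server -> Internet
    out, gw = llb.outbound(req)                              # ISP2 wins on RTT
    reply = Packet(out.dst, out.dport, out.src, out.sport)   # Internet server answers
    back = llb.inbound(reply, arrived_on="ISP2")             # translated back
    stray = llb.inbound(reply, arrived_on="ISP1")            # wrong ISP: dropped
    return out, gw, back, stray


if __name__ == "__main__":
    print(demo())
```

The `inbound` check is the practical point of step 3 in the table: because the source address belongs to the chosen ISP, the reply can only come back through that ISP, and a flow that shows up on the other link has no translation state and is discarded rather than forwarded into the DMZ.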
Using an LLB device for outbound load balancing has the following advantages:
- An LLB device detects link availability and degradation to provide reliable WAN connections and dynamic load balancing.
- An LLB device finds the optimal link using multiple load balancing algorithms based on static IP address segments, response time, and link quality, and distributes user traffic to that link, ensuring high-quality connections for services.
- SmartNAT automatically translates the source address to the address of the ISP on the outbound path, keeping the return path consistent.

Figure 2-28 Inbound load balancing (figure: the PC's local DNS server queries the SmartDNS on the LLB, which maps abc.com to VIP1 on ISP1 and VIP2 on ISP2 in front of the UTM and the DMZ zone)

Table 2-6 Inbound load balancing process

Step | Description | Remarks
1 | A PC client initiates a request to access www.abc.com. | The PC sends a DNS request to its local DNS server.
2 | The local DNS server asks the LLB device for the IP address of www.abc.com. | Through recursive resolution, the local DNS server learns that the answer must be provided by the LLB device.
3 | The LLB device, acting as the DNS server, returns VIP2 to the local DNS server according to the load balancing policy (for example, nearest link). | -
4 | The local DNS server returns the resolution result (VIP2) for www.abc.com to the PC. | -
5 | The PC enters the DMZ from ISP1 using VIP2 to access the related server. | -
6 | The server returns response data, and the LLB device selects the outbound interface corresponding to the ISP router on which the request arrived, so that the response is returned through the same ISP. | -
SmartDNS binds public IP addresses from multiple ISPs and uses them to answer DNS requests from Internet users. An LLB device dynamically selects the optimal link using SmartDNS and the load balancing policy, so that external users reach internal resources over multiple links with dynamic load balancing of incoming traffic. The LLB device also monitors each link. When it detects a fault on an ISP link, it stops returning that ISP's IP address to users, ensuring 24/7 non-stop service.

2.5.3 Extranet Zone
Physical Networking
Figure 2-29 shows the networking in the extranet connection zone.

Figure 2-29 Networking in the extranet zone

Extranet users can access the extranet connection zone. This zone is an untrusted zone, similar to the demilitarized zone (DMZ), and is not connected to the inner DC. Extranet users can access only the extranet connection zone and the DMZ. Access control on the intranet must be strict.

Security Planning
The major threats to the extranet zone are unauthorized server access, viruses, and worms. To protect the extranet zone against these threats, deploy security functions as follows:
- Deploy two layers of firewalls in the extranet zone.
  - Deploy firewalls in front of the servers. Configure security policies such as ACLs for the servers to prevent unauthorized server access, and configure virus and worm defense.
  - Deploy firewalls behind the servers to isolate the intranet from the extranet.
  - Dual-firewall backup is recommended to ensure service reliability.
- Configure NAT on the first layer of firewalls to hide the internal network structure.
- Deploy an IDS device behind a firewall as required to detect application layer attacks.
- Deploy VPN gateways as required to allow partners to access the DC through the Internet. VPN gateways can be deployed independently or on a firewall.

2.5.4 Intranet Zone
Physical Networking
Intranet users access the DC through the WAN or the LAN, as shown in Figure 2-30.

Figure 2-30 Networking in the intranet zone (figure: corporate campus networks, a large enterprise branch network, small organizations and home networks reach the active DC and the disaster backup center over carrier VPNs, the Internet, the WAN and the MAN; the DC side shows the combined core layer with CSS, FW and LB)

This zone uses dual-homed routing with redundant routes and devices. Network connection reliability between enterprise branches is ensured through multiple backup egress links, route backup, and load balancing. QoS must be configured on WAN links to guarantee link and service quality.

Reliability Planning
Independent access devices, each with a backup device, are required to ensure device reliability.

Security Planning
The intranet is a trusted zone with low security risk; the main risks come from intranet users who access or store data without authorization. Data access between enterprise branch networks is restricted according to users' actual requirements. Configure VPNs on the routers to isolate services. Additionally, deploy firewalls and configure ACLs to block unauthorized access to the service zones, and enable virus and worm defense.
2.5.5 Branch Access Planning
Enterprise branches (such as external research institutions and representative offices) connect to the enterprise headquarters through a private network, an MPLS VPN, or the public network.

Private Network
Enterprise branches communicate with each other through a WAN built by the enterprise. This mode applies to large or ultra-large enterprises that have their own backbone networks.

MPLS VPN
An enterprise leases a carrier's MPLS VPN service (L2VPN or L3VPN) so that its branches can communicate with each other. This access mode is cost-effective and applies to enterprises that have branches but no self-built WAN.

Public Network
Branches communicate with headquarters over the Internet without leasing carrier VPN services. This access mode applies to small enterprises and SOHO users. Because the branches reach the enterprise campus network through the Internet, the data must be protected in transit. Point-to-point VPN tunnels are built between the branches and the enterprise campus network gateway to provide secure and reliable transmission.

For public network access, branches use GRE over IPSec. GRE is a generic tunneling protocol that encapsulates a wide variety of protocol packets inside IP tunnels and is well suited to carrying remote access traffic. GRE, however, provides only a simple key check and no data encryption. IPSec provides data encryption but cannot carry routing protocol packets on its own, which limits VPN scalability. Combining GRE with IPSec allows remote access data to be transmitted securely.
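What the "simple key check" of GRE amounts to on the wire, as an added example written for this page (not code from the Huawei proposal or from any router): a builder and parser for the GRE header of RFC 2784/2890. The optional 32-bit Key field is compared against the configured tunnel key by the receiving endpoint, but it and the encapsulated packet travel in cleartext, which is the reason the text wraps GRE inside IPSec. The sample inner packet and the key value are constructed for the example.

```python
"""Added example, not from the Huawei proposal: build and parse the GRE
header (RFC 2784 base header, RFC 2890 Key and Sequence fields) to show what
GRE's key "authentication" is: a cleartext 32-bit value compared by the
peer.  Neither the key nor the payload is encrypted, hence GRE over IPSec.
The sample payload and key used below are constructed for this example."""
import struct

GRE_FLAG_C = 0x8000   # checksum present
GRE_FLAG_K = 0x2000   # key present
GRE_FLAG_S = 0x1000   # sequence number present
PROTO_IPV4 = 0x0800


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum as used by the GRE checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, proto=PROTO_IPV4, key=None, seq=None, checksum=False) -> bytes:
    flags = 0
    opt = b""
    if key is not None:
        flags |= GRE_FLAG_K
        opt += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_S
        opt += struct.pack("!I", seq)
    base = struct.pack("!HH", flags | GRE_FLAG_C if checksum else flags, proto)
    if not checksum:
        return base + opt + payload
    # checksum covers the whole GRE header (checksum field zeroed) plus payload
    csum = ones_complement_checksum(base + b"\x00\x00\x00\x00" + opt + payload)
    return base + struct.pack("!HH", csum, 0) + opt + payload


def gre_decapsulate(packet: bytes, expected_key=None):
    """Parse a GRE packet; returns (proto, key, seq, payload).  Raises ValueError
    on a bad checksum or when the carried key differs from expected_key, which is
    the only check a GRE endpoint performs before accepting the inner packet."""
    flags, proto = struct.unpack("!HH", packet[:4])
    off = 4
    if flags & GRE_FLAG_C:
        (csum,) = struct.unpack("!H", packet[off:off + 2])
        zeroed = packet[:off] + b"\x00\x00\x00\x00" + packet[off + 4:]
        if ones_complement_checksum(zeroed) != csum:
            raise ValueError("bad GRE checksum")
        off += 4
    key = seq = None
    if flags & GRE_FLAG_K:
        (key,) = struct.unpack("!I", packet[off:off + 4])
        off += 4
    if flags & GRE_FLAG_S:
        (seq,) = struct.unpack("!I", packet[off:off + 4])
        off += 4
    if expected_key is not None and key != expected_key:
        raise ValueError("GRE key mismatch")
    return proto, key, seq, packet[off:]


def key_check_passes(packet: bytes, configured_key: int) -> bool:
    """Accept-or-drop decision of a tunnel endpoint with a configured key."""
    try:
        gre_decapsulate(packet, expected_key=configured_key)
        return True
    except ValueError:
        return False


# Constructed sample: a 20-byte IPv4 header stub as the inner packet.
SAMPLE_INNER = b"\x45\x00\x00\x14" + b"\x00" * 16
SAMPLE_KEY = 0xBEEF


def build_sample_packet() -> bytes:
    return gre_encapsulate(SAMPLE_INNER, key=SAMPLE_KEY, seq=7, checksum=True)


if __name__ == "__main__":
    pkt = build_sample_packet()
    # an on-path observer parses the same header without knowing any secret
    print("key visible on the wire: 0x%x" % gre_decapsulate(pkt)[1])
```

Parsing the packet with `expected_key=None` is exactly what an on-path observer can do: the key is recovered without any secret, so the key field identifies a tunnel but does not authenticate or protect it.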
2.5.6 Remote Access Planning
In public places such as hotels and airports, traveling staff or partners connect to the enterprise campus network through the public network (such as the Internet) to access internal resources of the campus network. This is called remote access. Because the public network is insecure, security is the major concern in remote access. Point-to-point VPN tunnels are built between the user terminals and the campus network gateway to ensure secure and reliable data transmission. Remote access uses the following VPN technologies.

L2TP over IPSec
L2TP is a VPN tunneling protocol that allows remote clients to use the public IP network to communicate with private enterprise network servers. L2TP provides user authentication but not data encryption. Combining L2TP with IPSec allows remote access data to be transmitted securely.

SSL VPN
SSL VPN is an HTTPS-based VPN technology that operates between the transport layer and the application layer. It uses the data encryption, user identity authentication, and message integrity mechanisms of the SSL protocol to establish secure connections between applications. SSL VPN is widely used for web-based remote access to enterprise intranets.

2.6 Management Zone Networking Planning
2.6.1 Physical Networking Planning
Overall requirements are:
- Out-of-band management
- Authorization-based access
- Security auditing

Figure 2-31 Management zone networking
Figure 2-31 shows the networking in the management zone.
The management network connects all devices through their management interfaces and KVM switches, and provides functions such as network management, data collection, and real-time surveillance. Only administrators can access the management network, which reaches the inner DC through isolation measures such as VPNs and firewalls. Administrators are granted rights to access only specified network devices.

Figure 2-32 KVM management network (figure: the front-end network, the public service zone (DNS, web proxy), the internal OA system, the ministry zones and the internal service zone hang off access and aggregation switches; a KVM switch, a KVM authentication server and a firewall sit in front of them, and a VPN router gives the remote access network and the network monitor their entry point)

Network management functions include:
- Network management: manages network devices such as switches, routers, and firewalls in terms of topology, configuration, assets, faults, performance, events, traffic, and reports.
- Traffic management: provides traffic monitoring, traffic threshold setting, protocol analysis, and web access behavior auditing. It works with the NetFlow analyzer to implement finer-grained and more convenient traffic analysis.
- Application management: monitors websites and manages systems and upper-layer applications such as databases, mail servers, web servers, application servers, and operating systems.

2.6.2 Reliability Planning
Reliability planning for the management zone is the same as for the server zone. The reliability solution is "CSS/iStack + Eth-Trunk." For details, see section 2.3.4 "Reliability Planning."
2.6.3 Security Planning
The management zone has the following security requirements:
- Prevention of unauthorized service access, shared account security, and operation auditing
- Effective security device management and quick security troubleshooting
- Elimination of information security silos, management of mass security logs, and comprehensive security trend analysis

Security planning for the management zone involves four aspects:
- Centralized authentication and authorization. Users must be authenticated and authorized before managing devices, and different users are allocated different management rights. The KVM authentication server grants access permissions according to each user's role, so that users can access only the specified devices.
- Only authorized users can access the management zone. Only administrators can access the management network, and they are allocated access permissions based on their roles so that they can access only the specified devices. ACL rules configured on the firewall prevent unauthorized IP addresses from reaching the management zone. Remote users are authenticated so that unauthorized users cannot enter the management zone.
- The management zone cannot access the data center service zone. Bastion hosts provide the single entrance to the management zone, centrally manage user accounts, and strictly control account rights. ACL rules configured on the firewall or VPNs prevent the management zone from accessing the service zone; only the bastion hosts, the NMS, and the SOC can access it.
- Unified security auditing. The SOC collects security logs and alarms to audit the security state of the data center and detects security issues and risks in real time.
The SOC and the bastion hosts provide security pre-alarms, security operation and maintenance, and security audit functions, and produce comprehensive and accurate security reports.

2.7 R&D and Test Zone Planning
2.7.1 Physical Network
The R&D and test zone is responsible for software development, software commissioning, simulation tests, function tests, and performance tests before production (for example, of ERP systems). Figure 2-33 shows the network structure of the R&D and test zone.

Figure 2-33 R&D and test zone structure

2.7.2 Recommendation
The security policy for this zone aims to prevent data in the zone from flowing into the production data center, whose services could be affected by the zone's high traffic volume. This zone can be separated from the other zones physically or by a firewall. By default, the firewall blocks all traffic; during tests, some service zones can be opened with minimum authorization. Layer 2 and Layer 3 networks can be deployed in the test zone, and various services are provided for simulation tests. Additionally, the LB and the firewall can be configured to test server performance under different service traffic volumes.

2.8 VLAN Planning
2.8.1 VLAN Overview
Devices on a LAN are logically grouped into segments regardless of their physical locations. VLANs isolate broadcast domains on a LAN, reduce broadcast storms, and enhance information security. As a network expands, a fault on one local segment can affect the entire network; VLANs confine such faults within one VLAN and improve network robustness.

2.8.2 Principles
Observe the following principles when configuring VLANs:
- Differentiate service VLANs, management VLANs, and interconnection VLANs.
- Add interfaces to different VLANs based on service zones.
- Add interfaces to different VLANs based on service types within the same service (such as web, application, and database).
- Allocate the VLANs of each zone consecutively to make proper use of VLAN resources.
- Reserve some VLANs for future expansion.

2.8.3 Recommendation
Figure 2-34 VLAN planning (figure: VLAN ranges per zone are core network 100–199, product service zone 200–399, office service zone 400–599, other service zones 600–799, DMZ service zone 800–999, enterprise intranet 2000–2199, enterprise extranet 2200–2299, Internet 2300–2399, disaster recovery center network 2400–2999, and management 3000–3999; the storage zone is shown without a range)

Configure VLAN ranges based on the different zones as shown in Figure 2-34:
- Core zone: 100–199
- Server zone: 200–999; reserved VLANs: 1000–1999
- Access network: 2000–2999
- Management network: 3000–3999

2.9 IP Planning
A few devices in the Internet connection zone use public IP addresses, but devices in the intranet use private IP addresses. Intranet IP addresses are easy to manage because the private address space is large; for example, 10.0.0.0/8 is a class A block.

2.9.1 IP Address Planning
Plan the system IP addresses so that they are:
- Unique: Hosts on an IP network must use different IP addresses. Assign different IP addresses to hosts even if MPLS VPN technology, which supports overlapping addresses, is used.
- Consecutive: Consecutive IP addresses facilitate route aggregation on a hierarchical network, which greatly reduces the number of routing entries and improves route calculation efficiency.
- Scalable: IP addresses must be reserved at each layer so that address continuity is preserved when the network expands.
- Meaningful: If IP addresses are planned properly, you can identify the device corresponding to an IP address from the address itself.

2.9.2 DHCP Planning
DHCP Usage Scenarios
DHCP applies to the following scenarios:
- On a large network, manual configuration takes a long time and makes centralized management of the entire network difficult.
- There are more hosts on the network than available IP addresses, so not every host can have a fixed IP address. Many hosts obtain IP addresses dynamically from the DHCP server, and the number of concurrent IP address requests is limited.
- Only a few hosts on the network require fixed IP addresses.

IP Address Allocation
IP address allocation policy
Different hosts require different IP address leases. For example, servers may need fixed IP addresses for a long time; some enterprise hosts may need dynamically allocated addresses for a long time; some clients may need only temporary addresses. To meet these requirements, the DHCP server provides the following allocation policies:
- Manual address allocation: An administrator allocates fixed IP addresses to a few specific hosts, such as the WWW server.
- Automatic address allocation: The DHCP server allocates fixed IP addresses to hosts that access the network for the first time. The hosts can use these addresses for a long time.
- Dynamic address allocation: The DHCP server leases IP addresses to clients. Clients must request new addresses when their leases expire. This policy is the most widely used.
IP address allocation sequence
The DHCP server allocates an IP address to a client in the following order:
- The IP address in the DHCP server's database that is statically bound to the client's MAC address
- The IP address previously allocated to the client, that is, the address in the Requested IP Address option of the DHCP DISCOVER packet sent by the client
- The first available IP address found when the DHCP server searches the address pool

If the address pool has no available IP address, the DHCP server searches the expired and conflicting IP addresses and allocates a valid one to the client. If all IP addresses are in use, an error is reported.

2.9.3 DNS Planning
DNS Server Roles
A domain name system (DNS) server plays one of the following roles in the DNS system:
- Master server: manages the DNS system and is used to add, modify, or delete domain names. Domain information changed on the master server is synchronized to the slave servers. One master server is deployed in the DNS system.
- Slave server: obtains domain name information from the master server. Multiple slave servers connected through hardware load balancers form a server cluster that provides DNS services. Two slave servers are deployed in the DNS system.
- Cache server: deployed on the slave servers to cache the results of intranet users' DNS requests and speed up network access.

IP Address of the DNS Server
IP addresses are allocated as follows:
- The master server uses a private IP address.
- Each slave server is allocated a private IP address and has a virtual IP address on the load balancer.
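The allocation order of section 2.9.2 (static MAC binding, then the client's previously held address, then the first free pool address, then reclaimed expired or conflicting addresses), as an added example written for this page rather than code from the proposal or from any DHCP server: a small pool model whose `allocate` method walks those four steps. The pool range, MAC addresses, lease time and the conflict-marking hook are constructed for the example; a production server would re-probe a reclaimed conflicting address before offering it.

```python
"""Added example, not from the Huawei proposal: the DHCP address allocation
sequence of section 2.9.2 as a small pool model.  Order: static MAC binding,
then the address the client asks for in the Requested IP Address option,
then the first never-leased pool address, then expired leases and finally
addresses previously marked as conflicting.  Pool range, MACs and lease
time below are constructed for this example."""
import ipaddress
import time


class DhcpPool:
    def __init__(self, network, static_bindings=None, lease_seconds=3600):
        net = ipaddress.ip_network(network)
        self.pool = [str(a) for a in net.hosts()]
        self.static = dict(static_bindings or {})   # mac -> fixed ip (manual allocation)
        self.reserved = set(self.static.values())   # never handed to other clients
        self.leases = {}                            # ip -> (mac, lease expiry)
        self.conflicts = set()                      # ips found in use by an unknown host
        self.lease_seconds = lease_seconds

    def mark_conflict(self, ip):
        """Address detected in use (e.g. by an ARP/ping probe): keep it out of step 3."""
        self.conflicts.add(ip)

    def _lease(self, ip, mac, now):
        self.leases[ip] = (mac, now + self.lease_seconds)
        return ip

    def _usable_for(self, ip, mac, now):
        """A requested address is honoured only if it is in the pool, not reserved
        or conflicting, and not currently leased to a different client."""
        if ip not in self.pool or ip in self.reserved or ip in self.conflicts:
            return False
        lease = self.leases.get(ip)
        return lease is None or lease[0] == mac or lease[1] <= now

    def allocate(self, mac, requested_ip=None, now=None):
        now = time.time() if now is None else now
        # 1. address statically bound to the client's MAC
        if mac in self.static:
            return self.static[mac]
        # 2. address the client held before (Requested IP Address option)
        if requested_ip is not None and self._usable_for(requested_ip, mac, now):
            return self._lease(requested_ip, mac, now)
        # 3. first never-leased address in the pool
        for ip in self.pool:
            if ip not in self.leases and ip not in self.reserved and ip not in self.conflicts:
                return self._lease(ip, mac, now)
        # 4. pool exhausted: reuse expired leases, then previously conflicting
        #    addresses (a real server re-probes these before offering them)
        for ip, (_, expiry) in list(self.leases.items()):
            if expiry <= now and ip not in self.conflicts:
                return self._lease(ip, mac, now)
        for ip in sorted(self.conflicts, key=ipaddress.ip_address):
            self.conflicts.discard(ip)
            return self._lease(ip, mac, now)
        return None   # everything in use: the server reports an error


if __name__ == "__main__":
    pool = DhcpPool("192.168.10.0/29", static_bindings={"aa:aa:aa:aa:aa:01": "192.168.10.1"})
    print(pool.allocate("aa:aa:aa:aa:aa:01"), pool.allocate("aa:aa:aa:aa:aa:02"))
```

The check in step 2 is the one worth noticing from a security angle: a client may ask for any address in option 50, so the server must verify that the address is free or already leased to the same MAC before honouring the request, otherwise one client can take over another's live lease.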
Internet domain names and IP addresses are deployed in the following ways:
- Configure NAT mapping on the firewall to translate the virtual IP address of the slave servers into a public IP address that Internet users use to reach the intranet DNS.
- Provide services to Internet users using the intelligent DNS on the load balancers.

Providing DNS Services for Internet Users Using the Slave Server
Figure 2-35 DNS deployment in the DC (figure: active DNS 10.0.3.10 and standby DNS 10.0.2.5; Internet users query the carrier's DNS server, which reaches the enterprise DNS through NAT (external: Internet IP address, internal: 10.0.3.10); the DNS virtual IP address 10.0.3.10 on the load balancer fronts the slave servers DNS1 (172.16.0.5) and DNS2 (172.16.0.6) in the DMZ, with the master DNS server at 10.0.2.5; intranet users on the corporate campus network query the same servers through the combined core layer)

The blue dotted line in Figure 2-35 shows how the slave servers provide DNS services for Internet users. The slave servers DNS1 and DNS2 share a virtual IP address on the load balancer and act as the primary DNS servers for Internet users and as slave DNS servers for intranet users. The master DNS server and the slave servers DNS1 and DNS2 are all deployed in the DMZ. DNS requests are handled as follows, with reliability built in:
1. Intranet users send DNS requests to the master DNS server, which communicates with the carrier's DNS server to resolve Internet domain names. If the master DNS server fails, the slave DNS servers take over.
2. Internet users send DNS requests to the carrier's DNS server to resolve the enterprise domain (for example, huawei.com); the carrier's DNS server relays further resolution (for example, of www.huawei.com) to the enterprise DNS servers.
3. DNS requests are evenly distributed between slave DNS1 and slave DNS2.
If slave DNS1 fails, all DNS requests are sent to slave DNS2. If both slave DNS servers fail, the master DNS server provides the service.

Providing Services for Internet Users Using the Intelligent DNS Server
Figure 2-36 shows how the intelligent DNS server provides DNS services for Internet users.

Figure 2-36 Intelligent DNS deployment (figure: same layout as Figure 2-35, with master DNS 10.0.3.10 and slave DNS 10.0.2.5; the DNS virtual IP address 10.0.3.10 is held on the LLB, which answers the Internet users' queries relayed by the carrier's DNS server, while the slave servers DNS1 (172.16.0.5) and DNS2 (172.16.0.6) and the master server (10.0.2.5) remain behind the load balancer)

Internet users send requests (for example, for www.huawei.com) to the carrier's DNS server. The carrier's DNS server identifies the domain (huawei.com) and forwards the request to the DNS server in the Huawei DC for resolution; the blue dotted line shows this process. The intelligent DNS server on the link load balancer receives the request and completes the resolution. It recognizes the user's source and resolves the domain name to different IP addresses: a China Netcom user receives the IP address on the Netcom link, and a China Telecom user receives the IP address on the Telecom link. Meanwhile, the intelligent DNS server monitors the quality of each carrier link. If a carrier's link is interrupted, it returns another carrier's IP address to ensure service continuity.
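The answer logic shared by the inbound SmartDNS of Table 2-6 and the intelligent DNS deployment above, as an added example written for this page (not code from the proposal or from any load balancer): an authoritative resolver that classifies the querying resolver by carrier prefix, returns that carrier's VIP while the link is up, falls back to another carrier's VIP when the LLB's link probe reports a failure, and round-robins for resolvers of unknown origin. The zone name, carrier prefixes, VIPs and the 30-second TTL are assumptions made for the example.

```python
"""Added example, not from the Huawei proposal: the SmartDNS / intelligent
DNS answer logic used for inbound load balancing (Table 2-6 and section
2.9.3).  The LLB is authoritative for the zone; it maps the querying
resolver's address to a carrier, returns that carrier's VIP while the link
is healthy and otherwise answers with another carrier's VIP.  Zone name,
carrier prefixes, VIPs and TTL are constructed for this example."""
import ipaddress
from itertools import cycle


class SmartDns:
    def __init__(self, zone, carrier_vips, carrier_prefixes, ttl=30):
        self.zone = zone                                   # e.g. "abc.com"
        self.vips = dict(carrier_vips)                     # carrier -> VIP on that carrier's link
        self.prefixes = [(ipaddress.ip_network(p), c) for p, c in carrier_prefixes]
        self.link_up = {c: True for c in self.vips}        # fed by the LLB's link probes
        self.ttl = ttl                                     # short TTL so a failover is not cached long
        self._rr = cycle(sorted(self.vips))                # fallback for unknown resolvers

    def set_link_state(self, carrier, up):
        """Link monitor result: a down link is no longer resolved to users."""
        self.link_up[carrier] = up

    def carrier_of(self, resolver_ip):
        addr = ipaddress.ip_address(resolver_ip)
        for net, carrier in self.prefixes:
            if addr in net:
                return carrier
        return None

    def healthy_carriers(self):
        return [c for c in sorted(self.vips) if self.link_up[c]]

    def answer(self, qname, resolver_ip):
        """Returns (vip, ttl), or None if the name is outside our zone or no link is up."""
        if not (qname == self.zone or qname.endswith("." + self.zone)):
            return None
        healthy = self.healthy_carriers()
        if not healthy:
            return None
        preferred = self.carrier_of(resolver_ip)
        if preferred in healthy:
            return self.vips[preferred], self.ttl      # same-carrier VIP: no slow interconnection
        if preferred is None:
            for c in self._rr:                        # unknown source: round-robin over healthy links
                if c in healthy:
                    return self.vips[c], self.ttl
        return self.vips[healthy[0]], self.ttl         # preferred link down: another carrier's VIP


def build_demo_dns():
    """Constructed zone with two carriers; documentation ranges stand in for carrier blocks."""
    return SmartDns("abc.com",
                    {"telecom": "203.0.113.10", "netcom": "198.51.100.10"},
                    [("203.0.113.0/24", "telecom"), ("198.51.100.0/24", "netcom")])


if __name__ == "__main__":
    dns = build_demo_dns()
    print(dns.answer("www.abc.com", "198.51.100.53"))
    dns.set_link_state("netcom", False)
    print(dns.answer("www.abc.com", "198.51.100.53"))
```

Two caveats a practitioner would add to the design: the source seen by the LLB is the carrier's recursive resolver, not the end user, so the carrier mapping only works when users use their own carrier's resolver; and failover is only as fast as the TTL that resolvers cached, so the TTL on these records is kept short on purpose.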
2.10 Route Planning
2.10.1 Routing Overview
Huawei recommends that the boundary between routing and switching be placed on the combined core layer switches, as shown in Figure 2-37.
- Layer 2 switching is used below the combined core layer.
- Layer 3 routing is used above the combined core layer.

Figure 2-37 Boundary between routing and switching (figure: OSPF runs between the Internet/WAN routers and the combined core layer (FW, LB, CSS as the L3 router); below the core, iStack L2 access switches carry the web, application and database servers in three variants: simplified multi-layer design, non-web-based application design, and expandable multi-layer design)

This design has the following advantages:
- Simple route configuration: Routes need to be configured only on the two combined core layer switches. Access switches perform only Layer 2 switching, which simplifies configuration, and their automatic configuration functions reduce the maintenance workload.
- Scalability: You can easily add servers to a core/aggregation switch. A new service server can be deployed in any rack, with an IP address contiguous with those of the existing service system. When a server is moved because of a service change, neither the server nor the network needs to be reconfigured, and the server can be used immediately after being installed in its new position. A large Layer 2 network is also required when next-generation virtual servers are moved without interrupting services.
2.10.2 IGP Design

To manage and maintain the network conveniently inside the data center, the OSPF dynamic routing protocol is recommended, ensuring network stability and fast convergence of routes. As shown in Figure 2-38, the yellow devices are the core switches located in the backbone area, area 0.

Figure 2-38 Router planning for DCs (figure not reproduced; it shows the corporate campus and enterprise branches, carriers 1 and 2, the Internet, the WAN and MAN, the active DC and the disaster backup center with their combined core layers, and the DNS, e-mail, Web, application, database, backup control, and IP storage areas)

2.10.3 BGP Design

External Border Gateway Protocol (EBGP) peering is established between the branch DC and the disaster recovery center using network access routers, which advertise routes to both centers. Figure 2-39 shows the network topology among the active DC, backup DC, branch DC, and disaster recovery center.

Figure 2-39 Active and standby path planning for DCs (figure not reproduced; it shows the branch center, disaster recovery center, active DC, and backup DC linked by product service links and disaster recovery data links, with the normal access route and alternative routes 1 to 3)

As shown in Figure 2-39, the active DC has four paths to reach the branch DC.
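The following added Python example, which is not configuration from the proposal, ranks these four paths the way section 2.10.3 derives their priorities: shorter EBGP AS-Path first, then lower MED. It also shows which path takes over when the direct link to the branch DC, or that link and the link to the backup DC, fails, and rejects any update whose AS-Path already contains the local AS. The AS numbers are constructed private ASNs and the MED values are chosen so that the result reproduces the order the section lists.

```python
"""Ranking the four active DC -> branch DC paths by EBGP AS-Path and MED.

Added example, not configuration from the proposal: the AS numbers are
constructed private ASNs and the MED values are chosen so that the selection
reproduces the priority order the section describes."""
from dataclasses import dataclass

# Assumed private ASNs for the four sites.
ACTIVE_DC, BACKUP_DC, DR_CENTER, BRANCH_DC = 65000, 65010, 65020, 65030


@dataclass(frozen=True)
class Path:
    name: str
    as_path: tuple  # AS_PATH as received by the active DC, nearest AS first
    med: int        # MED set by the advertising neighbour (lower is preferred)


# The four paths of Figure 2-39 as the active DC would receive them.
PATHS = [
    Path("alternative route 3", (BACKUP_DC, DR_CENTER, BRANCH_DC), 100),
    Path("alternative route 2", (DR_CENTER, BRANCH_DC), 200),
    Path("normal access route", (BRANCH_DC,), 100),
    Path("alternative route 1", (BACKUP_DC, BRANCH_DC), 100),
]


def accept_update(local_asn, as_path):
    """EBGP loop detection: a route whose AS_PATH already contains our own
    ASN must be rejected, or a misconfigured peer could create a loop."""
    return local_asn not in as_path


def path_key(path):
    """Decision order used here: shorter AS_PATH first, then lower MED.
    Assumption: MED is compared across neighbours in different ASes, which
    the router must be configured to do; by default BGP compares MED only
    among routes from the same neighbouring AS."""
    return (len(path.as_path), path.med)


def rank_paths(paths, local_asn=ACTIVE_DC):
    """Return path names from most to least preferred, dropping looped routes."""
    valid = [p for p in paths if accept_update(local_asn, p.as_path)]
    return [p.name for p in sorted(valid, key=path_key)]


def best_path(paths, failed_neighbors=frozenset(), local_asn=ACTIVE_DC):
    """Best path after the direct links to the given neighbour ASes fail.
    A path is unusable when its first hop is a failed neighbour."""
    live = [p for p in paths if p.as_path[0] not in failed_neighbors]
    ranked = rank_paths(live, local_asn)
    return ranked[0] if ranked else None


if __name__ == "__main__":
    print(rank_paths(PATHS))
    print(best_path(PATHS, failed_neighbors={BRANCH_DC}))
```

Alternative routes 1 and 2 have the same AS-Path length, so only the MED separates them; if the backup DC and the disaster recovery center advertised the same MED, the order between them would fall through to later BGP tie-breakers, which is why the design assigns the MED deliberately.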
The priorities of the four paths are as follows:
- Highest priority (normal access route): The active DC is connected to the branch DC directly.
- Second highest priority (alternative route 1): The active DC reaches the branch DC through the backup DC.
- Third highest priority (alternative route 2): The active DC reaches the branch DC through the disaster recovery center.
- Lowest priority (alternative route 3): The active DC reaches the branch DC through the backup DC and the disaster recovery center.

The priorities of the links are determined by the EBGP AS-Path and multi-exit discriminator (MED) attributes.

2.11 VPN Planning

2.11.1 VPN Overview

The VPNs in data centers are classified into L2TP VPN, IPSec VPN, SSL VPN, MPLS L3VPN, and MPLS L2VPN. L2TP VPN, IPSec VPN, and SSL VPN are used for remote or branch access. For details, see section 2.5.5 "Branch Access Planning." MPLS L3VPN and MPLS L2VPN are used for service isolation, access control, and security isolation. MPLS L3VPN is the most widely used.

2.11.2 Intranet VPN Service Isolation

As shown in Figure 2-40, users and servers are separated and grouped into different VPNs. By default, the routes for user class A, user class B, server class I, server class II, and server class III are isolated so that these users and servers cannot communicate with each other. A user VPN and a server VPN can import routes from each other based on the user and server control policy. The routes imported among user class A (VPN A), VPN I, and VPN III allow user class A to access the VPN I and VPN III servers.

Figure 2-40 Server isolation plan based on routes (figure not reproduced; it shows user class A in VPN A and user class B in VPN B on the corporate campus network, server classes I, II, and III in VPN I, VPN II, and VPN III on the DC network, and the route-import mode between them)

As shown in Figure 2-41, firewalls are used to accurately control the rights of server groups.
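As an added Python example, not Huawei configuration, the following models the two isolation layers of section 2.11.2 together: route import between VPNs decides whether a user class can reach a server class at all, and the firewall's deny-by-default rules from Figure 2-41 decide which user group may open sessions to which server group. The subnets, VPN names and group names are constructed; the effective_matrix helper is my own addition, included because reviewing the complete verdict matrix is how a rule set is checked before it is pushed to a firewall.

```python
"""Two-layer server isolation: VPN route import for coarse reachability,
then a deny-by-default firewall policy between user and server groups.

Added example, not Huawei configuration. The groups, subnets and VPN names
are constructed to mirror Figures 2-40 and 2-41; the permit rules are the
ones the firewall figure lists."""
import ipaddress

# Assumed: group -> (subnet, VPN the group lives in).
GROUPS = {
    "user-group-1":   ("10.10.1.0/24", "VPN-A"),     # user class A
    "user-group-2":   ("10.10.2.0/24", "VPN-A"),     # user class A
    "user-group-3":   ("10.20.1.0/24", "VPN-B"),     # user class B
    "server-group-1": ("172.16.1.0/24", "VPN-I"),    # server class I
    "server-group-2": ("172.16.2.0/24", "VPN-I"),    # server class I
    "server-group-3": ("172.16.3.0/24", "VPN-III"),  # server class III
}
SUBNETS = {name: ipaddress.ip_network(net) for name, (net, _) in GROUPS.items()}

# Route import between VPNs is mutual, so each pair is stored unordered.
# VPN-B imports nothing, so user class B reaches no server at all.
ROUTE_IMPORTS = {
    frozenset({"VPN-A", "VPN-I"}),
    frozenset({"VPN-A", "VPN-III"}),
}

# Firewall permit rules (initiator group, responder group). Anything not
# listed hits the implicit "deny all users or servers" rule. Return traffic
# of a permitted session is allowed by the firewall's session state, so only
# the initiating direction needs a rule.
PERMIT_RULES = [
    ("user-group-1", "server-group-1"),
    ("user-group-1", "server-group-2"),
    ("server-group-1", "server-group-2"),
]


def group_of(addr):
    """Map an address to its group, or None if it belongs to no known group."""
    ip = ipaddress.ip_address(addr)
    for name, net in SUBNETS.items():
        if ip in net:
            return name
    return None


def vpn_reachable(src_vpn, dst_vpn):
    """Is there a route from src_vpn to dst_vpn? Same VPN, or routes imported."""
    return src_vpn == dst_vpn or frozenset({src_vpn, dst_vpn}) in ROUTE_IMPORTS


def evaluate(src_addr, dst_addr, rules=PERMIT_RULES):
    """Return 'no-route', 'deny' or 'permit' for a new session src -> dst."""
    src, dst = group_of(src_addr), group_of(dst_addr)
    if src is None or dst is None:
        return "deny"  # unknown address: default deny
    if not vpn_reachable(GROUPS[src][1], GROUPS[dst][1]):
        return "no-route"  # isolated at the routing layer, never reaches the firewall
    return "permit" if (src, dst) in rules else "deny"


def effective_matrix(rules=PERMIT_RULES):
    """Full initiator x responder verdict matrix, useful for reviewing what a
    rule set really allows before it is pushed to the firewall."""
    hosts = {name: str(net.network_address + 10) for name, net in SUBNETS.items()}
    return {(s, d): evaluate(hosts[s], hosts[d], rules)
            for s in GROUPS for d in GROUPS if s != d}


if __name__ == "__main__":
    for pair, verdict in sorted(effective_matrix().items()):
        print(f"{pair[0]:>15} -> {pair[1]:<15} {verdict}")
```

Note the distinction the matrix makes visible: user group 1 can reach server group 3 at the routing layer (VPN A imports VPN III) but is still denied because no firewall rule permits it, whereas user class B never reaches the firewall at all.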
The security policy is configured based on the table of rights for the user groups and server groups. By default, the firewalls deny all users and servers. Users can access a server only after a security policy that permits the access is configured on the firewalls.

Figure 2-41 Server isolation plan based on firewalls (figure not reproduced; it shows user groups 1 and 2 of user class A reaching server groups 1 to N of server class I through a firewall whose policy is: deny all users or servers by default; permit user group 1 and server group 1; permit user group 1 and server group 2; permit server group 1 and server group 2)

2.12 QoS Planning

2.12.1 QoS Overview

The DC planning guarantees peak-traffic services, so no QoS processing is required for them. QoS planning, however, is needed for collaborative computing and multi-tenancy applications. Multi-tenancy applications use QoS to manage bandwidth and are not covered in the initial version; QoS planning for multi-tenancy applications can be complemented and optimized in subsequent operations.

2.12.2 QoS Planning Concerning Collaborative Computing

Collaborative computing is used when complicated calculations are involved, for example, the computing for search engines, petroleum exploration, and meteorology. In collaborative computing, multiple servers may send calculation results to one server at the same time. This causes a traffic burst, which can result in congestion on an outbound interface and packet loss.

Figure 2-42 Congestion on an outbound interface when multiple servers send data to one server (figure not reproduced)

As shown in Figure 2-42, servers send data to the yellow server and congestion occurs at the starred node.
Packets are lost if the queues on the nodes that forward data are insufficient. To solve the problem, install large-capacity line cards on the EOR switch and the core switch to buffer burst data and prevent packet loss.

Figure 2-43 Large-capacity line cards on the EOR switch and the core switch to prevent packet loss (figure not reproduced; it marks the positions where large-capacity line cards are deployed)

2.12.3 QoS Planning for Different Data Flows

Different data flows may have different priorities. When the traffic volume exceeds the bandwidth, the Diff-Serv model is required to forward the data flows with higher priorities first, preventing impact on key services. The access device, such as an access switch, marks priorities on service packets. Depending on the network type, 802.1p or DSCP priorities can be used. Voice and video services are marked high priority, and the data service is marked low priority. The devices on the backbone network, such as a core switch, schedule the data flows based on the priorities. The PQ or WFQ scheduling mode can be selected to ensure that the data flows with high priority are forwarded first, so quality of service is guaranteed.

3 Security Solution

3.1 Security Overview

Overview

A data center consists of multiple zones, for example, the interconnection zone, intranet zone, extranet zone, management zone, server zone, core zone, storage zone, and R&D and test zone. Users access some zones through the Internet. The Internet carries many security risks, so security issues have become a focus of organizations and enterprises.
A data center can use the following security measures:
- A strict management system, covering access permission, registration, and operation records
- Access authority control, for example, minimum authorization and service classification
- Security training and a strict security policy, which prevent or reduce accidents
- Complex passwords to prevent password theft

This chapter describes the network security solution.

Security Issues

Network security issues are classified into:
- Network attacks: DDoS attacks, scanning attacks, snooping attacks, and malformed packet attacks
- Vulnerability attacks: attacks aimed at vulnerabilities in the operating system, database, and web server
- Virus attacks: viruses threatening data center servers
- Internal attacks: for example, unauthorized permissions within the intranet and data interception

Security Risks

The data center manages all data of an enterprise, so it processes a large amount of data and is important for the enterprise. Therefore, the data center is prone to attacks. Protection measures must be taken for the data center based on zones. Every layer of a network, from the physical layer to the application layer, may bring security threats to the data center. Corresponding measures must be taken based on the security risk characteristics at each layer, including deep content protection, Layer 2-7 protection, access control, protocol stack protection, and Layer 2-4 protection. Figure 3-1 shows the security risks in each zone.

Figure 3-1 Security risks in each zone (figure not reproduced)

3.2 Security Design

Table 3-1 describes six security design principles for a data center.

Table 3-1 Security design principles for a data center
- Reliability and stability: Single-point failures should be prevented on security devices. The security devices and network must operate properly.
- Scalability: A modular structure is used to add and delete functions flexibly.
- Zone-based management: Different security policies are used for different zones to improve protection efficiency.
- Minimum authority: The security protection principle is "deny by default." Users are granted only the necessary access rights. Data integrity, security, and usability are ensured.
- Security management: Associated events are analyzed and the security status is evaluated, facilitating security policy adjustment.
- Operation and maintenance audit: Resource risks should be eliminated and the responsible party should be identifiable.

The following functions must be considered in the security design.

Table 3-2 Functions to be considered in security design
- Defense: To protect the data center against external attacks, zones with different priorities must be divided in the data center. Access control is required, and security tunnels can be set up for some services.
- Immunity: The data center is protected against internal attacks. To eliminate risks caused by internal terminals, the terminals must be authorized, and documents are managed and controlled.
- Manageability: The operation and maintenance terminals are authenticated and authorized. The operation and maintenance operations can be upgraded and security issues can be analyzed.

Table 3-3 lists the recommendations on security protection for each zone shown in Figure 3-1.

Table 3-3 Security protection recommendations for each zone

Intranet access zone
  Issues and risks: Unauthorized access
  Trust or not: Trust
  Recommended devices: Firewall
  Benefit: Prevent unauthorized access from internal users.

WAN access zone
  Issues and risks: Unauthorized access
  Trust or not: Trust
  Recommended devices: Firewall
  Benefit: Prevent unauthorized access from branches.

Internet access zone
  Issues and risks: DDoS attack from the Internet; unauthorized access; NAT; VPN access
  Trust or not: Not trust
  Recommended devices: Anti-DDoS; firewall; SSL VPN device
  Benefit: Defend against DDoS attacks, prevent unauthorized access, and ensure secure remote access.

Partner access zone
  Issues and risks: VPN access; unauthorized access
  Trust or not: Partially trust
  Recommended devices: Two layers of firewalls
  Benefit: Prevent unauthorized service access. Data center services can be accessed through the VPN.

Service server zone
  Issues and risks: Unauthorized access; hacker attacks
  Trust or not: Trust
  Recommended devices: Firewall; IPS device
  Benefit: Prevent unauthorized access and defend against hacker attacks.

Network management zone
  Issues and risks: Unauthorized access; lack of security issue management; lack of security device management; lack of operation and maintenance audit
  Trust or not: Trust
  Recommended devices: Firewall; SoC; security device management system; bastion host
  Benefit: Prevent unauthorized access and provide associated security event analysis, security device management, and audit.

3.3 Security Network Structure

Figure 3-2 shows the security network structure for a data center based on the security risks, security design principles, protection measures, and recommended products.
Figure 3-2 Security network structure (figure not reproduced; it shows partner, WAN, extranet DMZ, Internet, intranet, and campus access with front and background firewalls, Anti-DDoS devices, VPN gateways, IPS devices, key servers, and a network management zone with a bastion host and NMS/iSoC; legend: FW: Eudemon1000E/8000E; Anti-DDoS: Eudemon1000E-D/I; VPN gateway: SVN3000; IPS: NIP200/1000)

Because service characteristics differ, the actual data center structure may differ from the preceding figure. You can add or remove security devices based on the security threat types. For example, if the DMZ is small, an independent VPN gateway is not required and the firewall functions as the VPN gateway.

Different zones can be allocated different security levels, and protection and management policies are enforced based on those levels.
- High security level: branches, WAN, and campus network
- Middle security level: partner and traveling staff access zone
- Low security level: Internet access zone

For the security design in each zone, see chapter 2 "Data Center Network Solution."

3.4 Firewall Deployment

Firewalls can be deployed in inline mode or bypass mode depending on the physical network, as shown in Figure 3-3. If all traffic between the core layer and the aggregation layer needs to be filtered by the firewalls, the firewalls are connected in inline mode. If only some traffic needs to be filtered, the firewalls can be connected in bypass mode. In bypass mode, the selected traffic is steered to the firewalls and sent back to the switches.
Figure 3-3 Firewall connection modes (figure not reproduced)

Depending on the traffic processing mode, firewall deployment modes are classified into routing mode, transparent mode, and hybrid mode.
- Routing mode: Firewalls are connected to switches at Layer 3, and all interfaces need IP addresses. A firewall is equivalent to a router and forwards traffic based on the routing table.
- Transparent mode: Firewalls are connected to switches at Layer 2, and no interface needs an IP address. Users and routers are unaware of the firewalls.
- Hybrid mode: A firewall has both routing interfaces (with IP addresses) and transparent interfaces (without IP addresses).

When a firewall works in routing mode and the upstream and downstream devices are Layer 2 devices, the firewall can run VRRP. If the upstream and downstream devices are Layer 3 devices, the firewall can run OSPF. Firewalls can work in active/standby mode or load balancing mode. Transparent firewalls can also work in active/standby mode or load balancing mode.

3.5 Virtual Firewall

A firewall can be logically divided into multiple virtual firewalls, each of which provides security protection for one zone. A virtual firewall integrates a VPN instance, a security instance, and a configuration instance. It provides private routing, security, and configuration management services for its users.
- VPN instance: The VPN instance provides separate VPN routes for the users under each virtual firewall. These VPN routes are used to forward the packets received by that virtual firewall.
- Security instance: The security instance provides separate security services for the users under each virtual firewall. It contains private interfaces, zones, interzones, ACL rules, and NAT address pools. In addition, it provides security services such as address binding, blacklist, packet filtering, attack defense, ASPF, and NAT for the users under the virtual firewall.
- Configuration instance: The configuration instance provides separate configuration management services for the users under each virtual firewall. It allows users to log in to the correct virtual firewall to manage and maintain its private VPN routes and security instance.
- Virtual firewall administrator: To distinguish virtual firewalls from physical firewalls, the physical firewalls are called root firewalls. Each virtual firewall can be allocated its own administrator, security policy, and routes.
- Data forwarding in a virtual firewall: After a virtual firewall is created, a zone also needs to be created, and the interfaces of the virtual firewall must be added to the zone (or the default zone). Policies need to be configured to allow communication through the virtual firewall. The subnets connected to different virtual firewalls can belong to different network segments or the same network segment; that is, the IP addresses on virtual firewalls can overlap. The routes of virtual firewalls and root firewalls are separated, so static routes must be configured to allow communication between the root firewall and a virtual firewall.

3.6 Traffic Cleaning

3.6.1 DPI

DPI is the key technology for traffic cleaning. DPI uses deep packet inspection and protocol decoding technologies. It performs 1:1 analysis on network traffic and identifies Layer 4-7 packets. DPI can efficiently identify attack packets at the application layer. The DPI detection delay is short (1-2 minutes after an attack occurs) and the detection granularity is small (within 50 Mbit/s). In addition, DPI provides low-volume traffic detection based on the application layer. After detecting an attack, DPI creates an attack fingerprint for the attack packets, which instructs the traffic cleaning device to discard the attack packets.
Figure 3-4 DPI (figure not reproduced; it contrasts a traditional firewall and router working at Layers 1-4 with DPI performing Layer 4-7 deep detection up to the application layer)

3.6.2 Layered Traffic Cleaning

The Huawei DDoS cleaning solution uses layered traffic cleaning and fingerprint identification technology to prevent traffic attacks and application-layer attacks. Traffic is classified into normal and abnormal traffic based on its characteristics. In addition to flood and DoS attacks, DPI can identify UDP, CC, and botnet attacks. As shown in Figure 3-5, layered cleaning and fingerprint technologies are used: a fingerprint is generated after user traffic is inspected, and traffic matching the fingerprint is filtered out, so complex attack traffic can be removed and cleaned.

Figure 3-5 Layered traffic cleaning (figure not reproduced; its cleaning stages and the attacks handled at each are: static filtering of malformed packets aimed at protocol vulnerabilities (LAND, Fraggle, WinNuke, Ping of Death, TearDrop, and TCP flag attacks); special packet control (IP option, large ICMP, ICMP redirection, ICMP unreachable, and Tracert); dynamic statistics and characteristics identification (application traffic model baseline learning, virus identification, and TCP Flood, UDP Flood, ICMP Flood, DNS Query Flood, CC, HTTP Get Flood, and BGP attack defense); traffic shaping for specific packets and congestion avoidance; with a bypass for service traffic)

3.6.3 Malformed Packet Attack Defense

LAND attack defense: SYN packets whose source and destination addresses are the same, and SYN packets using the loopback address as the source address, are attack packets. These SYN packets are directly discarded.

Fraggle attack defense: Packets with attack characteristics are discarded and unnecessary services are disabled.

Ping of Death attack defense: ICMP echo request packets larger than 65535 bytes are attack packets. These packets are discarded and recorded in the log.

TearDrop attack defense: When a packet is longer than the MTU of the interface, the packet must be fragmented. The initial fragment is cached and the other fragments are checked.

WinNuke attack defense: Attack packets have destination port 139 and the URG bit set to 1. The attack packets are discarded.

TCP packet attack defense: Packets with attack characteristics are discarded.

IP spoofing attack defense: The source and destination addresses of incoming packets on all interfaces are checked. The device checks the source address against the routing table. Packets whose inbound interface differs from the optimal outbound interface toward the source are attack packets. The attack packets are discarded and recorded in the log.

3.6.4 Flood Type Attack Defense

Smurf attack defense: If the destination address of an ICMP echo request is a subnet broadcast address or subnet address, the packet is an attack packet. The attack packet is discarded and recorded in the log.

SYN Flood attack defense: When the forward and return paths of packets are the same, the firewall intercepts all connection requests as a TCP proxy. The firewall sets up a connection with the client as a server and with the server as a client. When both connections are set up successfully, the firewall relays packets between the client and server. When the forward and return paths of packets are different, the firewall verifies the packet source using the TCP reverse detection technique. If the source is valid, the firewall adds the source to the whitelist; otherwise, the firewall discards the packets.

TCP Flood attack defense: The firewall identifies traffic by learning a dynamic traffic baseline and fingerprint, and restricts traffic. This technology efficiently prevents flooding and protects transmission links. The firewall monitors connection status based on source IP addresses. If it detects an empty connection, it sends an RST packet to the server to end the connection. If there are a large number of empty connections, the firewall can temporarily block access from the source.

UDP Flood attack defense: The firewall learns the characteristics of UDP packets, quickly identifies attack traffic, and cleans the attack traffic without affecting service traffic.

ICMP Flood attack defense: The firewall identifies abnormal traffic based on fingerprint, rate, and number of connections. Thus the firewall can limit bandwidth for ICMP packets sent to a certain destination.

HTTP Get Flood attack defense: The firewall identifies and filters out attack packets based on credit, user behavior, and application-layer packet characteristics.

DNS Query Flood attack defense: The firewall provides the following functions:
- Creates a high-speed DNS cache and responds based on resolved IP addresses.
- Verifies packet sources and sets up a credit mechanism.
- Analyzes the behavior of DNS packets from each source.
- Limits the number of domain name resolution requests sent by each source per second.
- Limits bandwidth for a source that sends burst resolution requests at a long interval.
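The stateless checks in section 3.6.3 and the per-source limit in section 3.6.4 are simple enough to state as code. The following added Python example, which is not Huawei firewall code, implements the LAND, WinNuke, Ping of Death, Smurf, and IP-spoofing (reverse-path) checks plus a per-source DNS query rate limit, runs them over constructed sample packets, and writes a log entry only where the text says one is recorded. The routing table, interface names, and the 50-queries-per-second threshold are assumed values.

```python
"""Packet checks for the malformed-packet (3.6.3) and flood (3.6.4) defenses.

Added example, not Huawei firewall code. Packets are plain dicts constructed
inline; the interfaces, subnets and DNS query threshold are assumed values."""
import ipaddress
from collections import defaultdict

# Assumed firewall routing table: (prefix, interface), used for the
# IP-spoofing check and to know which subnets are protected.
ROUTES = [
    (ipaddress.ip_network("10.1.0.0/16"), "inside"),
    (ipaddress.ip_network("192.0.2.0/24"), "dmz"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]
PROTECTED_SUBNETS = [net for net, _ in ROUTES[:-1]]
DNS_QUERIES_PER_SEC = 50  # assumed per-source limit for DNS query flood defense


def best_interface(addr):
    """Longest-prefix match: the interface the firewall would use toward addr."""
    ip = ipaddress.ip_address(addr)
    return max((net.prefixlen, iface) for net, iface in ROUTES if ip in net)[1]


def is_subnet_or_broadcast(addr):
    """Smurf check: is addr the network or broadcast address of a protected subnet?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in (n.network_address, n.broadcast_address) for n in PROTECTED_SUBNETS)


class PacketInspector:
    def __init__(self):
        self.log = []
        self.dns_counts = defaultdict(int)  # (source, second) -> queries seen

    def _drop(self, reason, pkt, logged):
        if logged:
            self.log.append(f"drop {reason} src={pkt['src']} dst={pkt['dst']} in={pkt['in_iface']}")
        return ("drop", reason)

    def inspect(self, pkt, now=0):
        """Return ('forward', None) or ('drop', reason) for one packet."""
        src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        flags = pkt.get("flags", set())
        if pkt["proto"] == "tcp" and "SYN" in flags and (src == dst or src.is_loopback):
            return self._drop("land", pkt, logged=False)       # discarded, not logged
        if pkt["proto"] == "tcp" and pkt.get("dport") == 139 and "URG" in flags:
            return self._drop("winnuke", pkt, logged=False)
        if pkt["proto"] == "icmp" and pkt.get("type") == 8:       # echo request
            if pkt["length"] > 65535:
                return self._drop("ping-of-death", pkt, logged=True)
            if is_subnet_or_broadcast(pkt["dst"]):
                return self._drop("smurf", pkt, logged=True)
        # IP spoofing: the packet must arrive on the interface that routes
        # back to its source address (strict reverse-path check).
        if best_interface(pkt["src"]) != pkt["in_iface"]:
            return self._drop("ip-spoofing", pkt, logged=True)
        # DNS query flood: cap resolution requests per source per second.
        if pkt["proto"] == "udp" and pkt.get("dport") == 53:
            key = (pkt["src"], int(now))
            self.dns_counts[key] += 1
            if self.dns_counts[key] > DNS_QUERIES_PER_SEC:
                return self._drop("dns-query-flood", pkt, logged=True)
        return ("forward", None)


def demo():
    """Run constructed sample packets through the inspector."""
    insp = PacketInspector()
    tcp = {"proto": "tcp", "flags": {"SYN"}, "dport": 80, "in_iface": "outside", "length": 60}
    samples = [
        {**tcp, "src": "203.0.113.5", "dst": "192.0.2.10"},                                    # ordinary SYN
        {**tcp, "src": "192.0.2.10", "dst": "192.0.2.10", "in_iface": "dmz"},                 # LAND
        {**tcp, "src": "203.0.113.5", "dst": "192.0.2.10", "dport": 139, "flags": {"URG", "PSH"}},  # WinNuke
        {"proto": "icmp", "type": 8, "src": "203.0.113.5", "dst": "192.0.2.10", "in_iface": "outside", "length": 65600},
        {"proto": "icmp", "type": 8, "src": "203.0.113.5", "dst": "192.0.2.255", "in_iface": "outside", "length": 64},
        {**tcp, "src": "10.1.5.5", "dst": "192.0.2.10"},                                       # inside address arriving from outside
    ]
    verdicts = [insp.inspect(p)[1] or "forward" for p in samples]
    query = {"proto": "udp", "dport": 53, "src": "203.0.113.9", "dst": "192.0.2.53", "in_iface": "outside", "length": 80}
    dns_dropped = sum(insp.inspect(query, now=7.0)[0] == "drop" for _ in range(60))
    return {"verdicts": verdicts, "dns_dropped": dns_dropped, "log": insp.log}


if __name__ == "__main__":
    print(demo())
```

The reverse-path check is placed after the malformed-packet checks so that a LAND packet is reported as such rather than as spoofing; the order of checks is an assumption, since the text does not specify one. The per-second counter is the simplest form of the request limit in section 3.6.4; a production device would also age the counters and apply the credit mechanism the text mentions.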
3.6.5 Packet Type Attack Defense

ICMP redirect: If the ICMP redirect restriction function is enabled, the firewall discards ICMP redirect packets (type 5); otherwise, the firewall forwards the packets. When ICMP redirect packets are discarded, a log is recorded.

ICMP unreachable: If the ICMP unreachable restriction function is enabled, the firewall discards ICMP unreachable packets (type 3); otherwise, the firewall forwards the packets. When ICMP unreachable packets are discarded, a log is recorded.

IP source routing option: The firewall checks whether packets arriving at the router contain the IP source routing option. If so, the firewall discards the packets and records a log.

IP record route option: The firewall checks whether packets arriving at the router contain the IP record route option. If so, the firewall discards the packets and records a log.

Tracert: The firewall checks whether packets are ICMP timeout (type 11) or unreachable (type 3) packets. If so, the firewall discards or forwards the packets as configured. When tracert packets are discarded, a log is recorded.

4 Suggestions on Planning Multiple DCs

4.1 Inter-DC Connection

A DC transmits the key services of an enterprise and stores a large amount of service data. To ensure reliability, a DC needs to provide 24/7 non-stop services. A large enterprise may build multiple DCs in different places to meet the following requirements:
- Convenient expansion: If an enterprise has only one DC, the power supply, cooling, and space in the equipment room may be limited. Deploying multiple DCs solves these issues.
- Nearby access: Users can access local DCs to reduce the load on the active DC, conserve WAN bandwidth, and shorten service response time. Additionally, if the active DC is faulty, services in other DCs are not affected.
- Risk avoidance: Multiple DCs work in backup mode to avoid damage to the DC caused by human activities (such as war) or disasters (such as earthquakes), ensuring smooth operation of services.

When multiple DCs need to be deployed for an enterprise, the following types of physical connections are available:
- Self-built transmission system: The enterprise sets up its own transmission system using its own fibers (or fibers leased from the carrier). This method has a high cost but provides high reliability. It does not depend on the carrier's network, and the networks are easy to connect, manage, and control.
- Leasing the carrier's transmission resources: The DC network's WAN interfaces connect to the transmission device leased from the carrier. The enterprise leases transmission resources, such as a wavelength in the DWDM system, to connect the DCs. This method has a medium cost and provides high reliability. Network connection deployment, management, and control are implemented by the enterprise. However, this method partially depends on the carrier's transmission network.
- Leasing the carrier's VPN services: Data centers connect to the carrier's IP/MPLS network through WAN interfaces. The enterprise leases a VPN (MPLS L2VPN, MPLS L3VPN, or GRE VPN) from the carrier to connect the DCs. This method has a low cost but provides low reliability. It completely depends on the carrier's network. Network connection deployment, management, and control are implemented by the carrier.
The roadmap for building multiple DCs for an enterprise is as follows:
- Build a backup DC within 50 km of the enterprise's active DC in the same city, and copy service data in real time through a leased line or over a transmission device.
- In addition to copying service data, the backup DC carries some services migrated from the active DC, implementing active/active backup of the DCs.

Considering the devastation that natural disasters (such as earthquakes) cause to cities, an enterprise is recommended to build a disaster recovery center in another city more than 400 km away to provide a backup for the active and backup DCs, and to synchronize the data between the production center and the disaster recovery center within the same city in real time. This method minimizes damage to important data in the case of a disaster. The enterprise can use the backup data in the remote disaster recovery center to restore services.

4.2 Network Architecture of Multiple DCs

Figure 4-1 shows the network architecture of multiple DCs.

Figure 4-1 Network architecture of three centers in two areas (figure not reproduced; it shows the production center and the disaster recovery center in the same city joined by bare optical fiber and WDM with synchronous backup between their FC SAN arrays, and a remote disaster recovery center reached over IP/MPLS and WAN with asynchronous backup over IP and FC links)

As more services are deployed in the enterprise, the network architecture of three centers in two areas cannot meet the requirements of service development. The architecture of multiple centers with different levels has emerged to replace the original network architecture. If DCs with different levels are established in a region, the load on the global DCs is lessened, WAN bandwidth is saved, and the response time of regional services is shortened. In addition, if a fault occurs in a region, services in other regions are not affected.
Figure 4-2 shows the network architecture of multiple centers with different levels.

Figure 4-2 Network architecture of multiple centers with different levels (figure not reproduced; it shows a global center with its active center, disaster backup center in the same city, and remote disaster backup center, and regional centers for China, the Americas, Europe, the CIS, and Asia Pacific serving the countries in each region)

4.3 Inter-DC Layer 2 Connection Planning

4.3.1 Inter-DC Layer 2 Connection

Driven by IT technologies such as cloud computing, the server cluster technology that was initially used only in the high-end computing of military universities has been widely adopted in the data centers of enterprises. The server cluster technology uses cluster software to associate multiple servers on a network so that they become one logical server, and uses the scale-out method to improve computing capability. The high-performance computing cluster network gradually transitions to the Ethernet by means of technologies such as InfiniBand. The cluster software of most vendors (including HP, IBM, Microsoft, and Veritas) requires Layer 2 connection between servers. Servers in the cluster can be deployed in different data centers to implement inter-DC application system disaster recovery. The processes of the cluster software communicate (heartbeat and session synchronization) at the link layer. Therefore, servers in the cluster require Layer 2 connection. When a data center needs to be expanded or migrated, physical servers need to be migrated from one data center to another.
After the data center is expanded, the same service is often deployed in two data centers, requiring Layer 2 connectivity between them. During a server migration, only some of the servers in the cluster can be migrated to the new data center. To ensure service continuity, an inter-DC server cluster needs to be built, so building an inter-DC Layer 2 network makes smooth server migration possible. When establishing multiple data centers, determine how to extend the Layer 2 network between them.

There are a variety of methods to extend a Layer 2 network between data centers. The following describes two common solutions: the fiber interconnection solution and the VPLS interconnection solution.

4.3.2 Fiber Interconnection Solution

The fiber interconnection solution applies to data center interconnection within the same city, where data centers are less than 80 km apart. As shown in Figure 4-3, four data centers within the same city form an OTN ring. Two core switches connect to each other, implementing inter-DC Layer 2 connection.

Figure 4-3 Fiber interconnection design (figure: access and aggregation layers of the data centers connected over the OTN ring)

To ensure service reliability and link efficiency, the interconnected core switches must support the cluster switch system (CSS). Aggregation switches in the data centers use stacking/cluster technology and connect to the core switches through multiple links, which are bundled using a Link Aggregation Group (LAG).

The fiber interconnection solution has the following advantages:

- Implements end-to-end fault detection. The Ethernet and optical network use the OAM mechanism to ensure service reliability.
- Manages optical devices (OTNs) and switches in a unified manner, simplifying network management and maintenance.
- Uses OTN devices that support Fibre Channel (FC), Ethernet, and Fiber Connection (FICON), facilitating service expansion.
- Supports various service protection modes, implementing service switchover within 50 ms.

This solution is easy to deploy and provides high link bandwidth and low delay for communication between data centers. It applies to scenarios where high service quality is required and multiple data centers work in active/active mode. However, the solution requires a self-built transmission system and fiber resources, increasing networking costs.

4.3.3 VPLS Interconnection Solution

Virtual Private LAN Service (VPLS) is an L2VPN technology based on MPLS and Ethernet. VPLS connects multiple Ethernet LANs across a public network so that they function as a single LAN, as shown in Figure 4-4. Data centers interconnect at Layer 2 through VPLS. An enterprise can implement inter-DC Layer 2 connection by leasing the VPLS service from a carrier or by building its own IP/MPLS backbone network or VPLS network. The VPLS interconnection solution applies to most enterprises, supports long-distance Layer 2 communication, and requires low networking costs.

Figure 4-4 VPLS interconnection design (figure: access and aggregation layers of data center 1 and data center 2, each using CSS/iStack, attached to VSI A over LSP tunnels across the VPLS network)

As shown in Figure 4-4, data center egress routers function as PEs, and aggregation switches function as CEs that connect to the PEs.
PEs connect to each other through the carrier's VPLS or a WAN leased line (SDH/MSTP leased line). If a data center is large and has many aggregation areas, add core devices to aggregate these areas; the core devices then connect to the PEs through Eth-Trunks. This method aggregates multiple aggregation areas into a single VPLS site, simplifying VPLS deployment. If there are a variety of Layer 2 services between data centers, HQoS must be configured on the PEs to ensure QoS for key services.

4.4 Inter-DC Layer 3 Interconnection Planning

4.4.1 Inter-DC Layer 3 Interconnection

Deploying Layer 3 interconnection between multiple data centers is flexible and ensures service scalability, facilitating network expansion within data centers. Inter-DC Layer 3 connection can be implemented in multiple modes. The following describes the L3VPN interconnection solution, which provides flexible, secure, and reliable service deployment.

4.4.2 L3VPN Interconnection Solution

In the L3VPN interconnection solution, an enterprise can lease the MPLS L3VPN service of a carrier, or build an IP/MPLS backbone network and an L3VPN for interconnection. When an enterprise leases the carrier's MPLS L3VPN to implement inter-DC connection, the core switches in each DC function as CEs that connect to the carrier's PEs, and the carrier's PEs establish the MPLS L3VPN to implement inter-DC Layer 3 connection, as shown in Figure 4-5. When an enterprise builds its own IP/MPLS backbone network for Layer 3 interconnection, the egress routers in each DC function as PEs, and the core switches function as CEs that connect to the PEs; the PEs establish the MPLS L3VPN to implement inter-DC Layer 3 connection, as shown in Figure 4-6.

Figure 4-5 Inter-DC Layer 3 connection by leasing carrier's MPLS L3VPN
Figure 4-6 Inter-DC Layer 3 connection by building an IP/MPLS backbone network

There are various services between data centers, including storage, OA, production, and web services. Each service has different requirements for security level and service quality. The L3VPN technology can implement secure service isolation and work with HQoS to ensure service quality.

4.4.3 Route Planning

Generally, you only need to deploy an Interior Gateway Protocol (IGP) such as Open Shortest Path First (OSPF) or Intermediate System-to-Intermediate System (IS-IS) within a DC. For convenient management and maintenance, it is recommended that you use OSPF as the dynamic routing protocol to ensure network stability and fast route convergence. BGP is used to advertise routes between DCs. With powerful routing control capability and abundant routing policies, BGP is suited to interconnection between large networks.

4.4.4 BGP Design

After regional DCs and global DCs are interconnected, each DC is defined as an AS. The ASs advertise their routes using EBGP. As shown in Figure 4-7, the AS-Path and MED attributes are used to control and select routes with EBGP, enhancing link reliability.

Figure 4-7 BGP AS-Path route selection (figure: global active DC AS 1, global standby DC AS 2, and the regional active DC and regional standby DC as AS 3 and AS 4, joined by production service links and disaster recovery links; AS 3 receives route 10.1/16 with AS-Paths "1" (active path), "2 1" (standby path 2), "4 1" (standby path 1) and "4 2 1" (standby path 3))

EBGP prefers the route with the shortest AS-Path. As shown in Figure 4-7, AS 3 receives route 10.1/16 from AS 1, AS 2, and AS 4.
The AS-Paths of these routes are "1", "2 1", "4 1", and "4 2 1".

- The route advertised from AS 1 (AS-Path "1", active path) has the shortest AS-Path, so it has the highest priority and is selected.
- The route with AS-Path "4 2 1" (standby path 3) has the longest AS-Path, so it has the lowest priority.
- The routes with AS-Paths "2 1" (standby path 2) and "4 1" (standby path 1) have AS-Paths of the same length. The BGP MED attribute is needed to distinguish their priorities. As shown in Figure 4-8, the MED value of route 10.1/16 advertised from AS 4 is 100, smaller than that of the route advertised from AS 2 (200). Therefore, standby path 1 has a higher priority than standby path 2.

Figure 4-8 BGP MED route selection (figure: the same four ASs as in Figure 4-7, joined by production service links and disaster recovery data links; AS 3 receives 10.1/16 with MED 200 via AS 2 and MED 100 via AS 4; the active path and standby paths 1, 2 and 3 are marked)

BGP has powerful routing control and selection capabilities. By controlling the BGP AS-Path and MED attributes, you can effectively solve the route selection and link reliability problems of multiple DCs.

4.5 Network Reliability Planning

4.5.1 Network Reliability Between Regional DCs and Global DCs

The global active DC is connected to the global disaster recovery center using two independent links: a production service link and a disaster backup link. The two links are isolated to guarantee bandwidth. The regional active DC is connected to the regional disaster recovery center using two independent links: a production service link and a disaster backup link.
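As an added example that is not part of the Huawei proposal, the following Python script reproduces the selection that Section 4.4.4 describes and that Section 4.5.1 relies on: the receiving AS 3 of Figures 4-7 and 4-8 holds four candidate routes to 10.1/16, ranks them by AS-Path length and then by MED, and re-ranks them after EBGP sessions fail. The path labels and the MED values 100 and 200 are taken from the figures; the MED of 0 for the two routes the figures show without a MED, and the failure scenarios, are assumptions of the example. Note that standard BGP compares MED only between routes learned from the same neighbouring AS; comparing it across AS 2 and AS 4 as the section does requires enabling that explicitly on the router (compare-different-as-med on Huawei VRP, bgp always-compare-med on Cisco IOS).

```python
"""Added example: EBGP route ranking by AS-Path length, then MED (Figures 4-7 and 4-8)."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]   # AS numbers, nearest neighbour first
    med: int                   # lower is preferred; 0 where the figures show none (assumption)
    label: str                 # path name used in the figures


def rank_routes(routes: Iterable[Route]) -> List[Route]:
    """Most preferred first: a shorter AS-Path wins, a lower MED breaks ties.

    This is the part of the BGP decision process the section relies on; local
    preference, origin, IGP metric and router ID are not modelled. MED is compared
    across different neighbouring ASs here, which a real router does only when
    configured to (for example compare-different-as-med on Huawei VRP).
    """
    return sorted(routes, key=lambda r: (len(r.as_path), r.med))


# Constructed candidate set, as AS 3 receives it for 10.1/16 in the figures.
CANDIDATES: List[Route] = [
    Route("10.1.0.0/16", (1,), 0, "active path"),           # direct from AS 1
    Route("10.1.0.0/16", (2, 1), 200, "standby path 2"),    # via global standby DC, MED 200
    Route("10.1.0.0/16", (4, 1), 100, "standby path 1"),    # via regional standby DC, MED 100
    Route("10.1.0.0/16", (4, 2, 1), 0, "standby path 3"),   # via both standby DCs
]


def failover_order(routes: Iterable[Route] = CANDIDATES) -> List[str]:
    """Path labels in the order traffic falls back as better paths disappear."""
    return [r.label for r in rank_routes(routes)]


def best_after_link_failure(*failed_neighbours: int,
                            routes: Iterable[Route] = CANDIDATES) -> str:
    """Best path once the EBGP sessions to the given neighbouring ASs are down.

    A failed session withdraws every route learned through that neighbour,
    that is, every route whose AS-Path starts with that AS number.
    """
    remaining = [r for r in routes if r.as_path[0] not in failed_neighbours]
    if not remaining:
        raise RuntimeError("prefix unreachable: all neighbours down")
    return rank_routes(remaining)[0].label


if __name__ == "__main__":
    print("normal operation:", failover_order())
    print("session to AS 1 down:", best_after_link_failure(1))
    print("sessions to AS 1 and AS 4 down:", best_after_link_failure(1, 4))
```

The ranking matches the priorities listed in Section 4.5.1: the active path first, then standby path 1 (through the regional backup DC, preferred over standby path 2 only because of its lower MED), then standby path 2, and standby path 3 last. Remove the MED values and the two middle paths tie on AS-Path length, which is exactly the situation the MED setting in Figure 4-8 resolves.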
The regional active DC is connected to the global active DC, and the regional disaster recovery center is connected to the global disaster recovery center. Figure 4-9 shows the network topology between global DCs and regional DCs.

Figure 4-9 Plan for active and standby paths connecting DCs (figure: global active DC and global standby DC, regional active DC and regional standby DC, joined by production service links and disaster recovery links; the active path and standby paths 1, 2 and 3 are marked)

The four DCs are defined as four autonomous systems (ASs) that advertise routes using EBGP. As shown in Figure 4-9, the regional active DC has four paths to the global active DC, with the following priorities:

- Highest priority: active path. If the link is normal, the regional active DC is directly connected to the global active DC.
- Second highest priority: standby path 1. If the gateway or the outbound link of the regional active DC is faulty, the regional active DC reaches the global active DC through the regional backup DC.
- Third highest priority: standby path 2. If the access device of the global active DC is faulty, the regional active DC reaches the global active DC through the global disaster recovery center.
- Lowest priority: standby path 3. If the preceding faults occur concurrently, the regional active DC reaches the global active DC through the regional backup DC and then the global disaster recovery center.

The priorities of the links are determined by the EBGP AS-Path and MED attributes.

4.5.2 Network Reliability Between a Country/Region Branch and Regional DCs

A country/region branch is connected to the regional active/backup DCs using active/standby links from different carriers.
Figure 4-10 shows the network topology between a country/region branch and the regional centers.

Figure 4-10 Country/region branch's connection to regional DCs (figure: regional active DC and regional standby DC joined by a production service link and a disaster recovery link; the country/region branch has an active path, standby path 1 and standby path 2)

The active link of the country/region branch connects to the regional active DC, and the standby link to the regional backup DC. The regional active DC, the regional backup DC, and the country/region branch are defined as different ASs running EBGP.

- Active path. Generally, the country/region branch is directly connected to the regional active DC over the active access link.
- Standby path 1. If the active access link is faulty, the country/region branch reaches the regional active DC through the regional backup DC over the standby access link.
- Standby path 2. If the regional active DC is faulty, traffic is switched to standby path 2 at the application layer using the Domain Name System (DNS) mechanism.

4.6 Application Acceleration Planning

4.6.1 Application Acceleration Overview

When branch users, remote users, or partners access the data center, they connect to it through the WAN. The WAN has limited bandwidth, long delay, and low reliability. As a result, real-time services respond slowly, connections are unstable, and users' service experience is degraded. For example, in a desktop cloud service, if the data center is to provide the same user experience as a local PC, the system response period (from the moment a user performs an action to the moment the information is updated on the screen) must be within 41 ms. However, the average delay of global WANs is longer than 250 ms.
Such a long delay cannot meet the requirements of a seamless service experience.

There are two ways to improve user experience over WANs. The first is to improve WAN performance, for example by increasing bandwidth, optimizing the network topology, and performing QoS scheduling. However, this method is not suitable for most enterprises because they lease carriers' WANs. The other way is to deploy application acceleration systems at the two communicating ends (such as branches and the data center) and use WOA technology, as shown in Figure 4-11.

Figure 4-11 Application acceleration deployment

4.6.2 Application Acceleration Technologies

Insufficient bandwidth and long delay are the major problems of WANs. The possible causes of long delay include:

- Inefficient transport protocols, such as the TCP handshake and small sliding windows
- Inefficient application-layer protocols, such as repeated requests, interaction/waiting mechanisms, and small fragments

For example, to open a 5 MB Word document, the system needs to process 700 requests, including 550 read requests and 150 other requests. It takes 250 ms for the system to respond to one request, so the total response time exceeds 175 seconds, which is too long for users.

Application acceleration technology optimizes network performance in the aspects listed in Table 4-1.

Table 4-1 Application acceleration technologies on WANs

Technology | Description | Results
Data optimization | Compresses and caches data, and avoids retransmission to save bandwidth. | WAN bandwidth consumption is reduced by 60% to 95%.
Transmission optimization | Optimizes the TCP slow start mechanism, congestion management, ACK/retransmission mechanism, sliding window, TCP reuse, and SSL to speed up network transmission. | Applications are accelerated by up to 100 times.
Application optimization | Optimizes the interaction mechanisms of common applications such as CIFS, MAPI, NFS, HTTP, HTTPS, and FTP to improve protocol efficiency and application processing speed, using technologies such as local proxy, local response, data caching, and preview/pre-read/write. | The number of packet exchanges is reduced by up to 98%.
Management optimization | Implements transparent deployment, centralized management, and service virtualization of branches. | Fewer IT resources are used, and the infrastructure of branches is simplified.

4.6.3 Application Acceleration Design

Figure 4-12 shows the application acceleration system design.

Figure 4-12 Application acceleration design (figure: branch 1, a mobile user and a regional center reach the data center over the Internet and WAN, with WAN acceleration devices at the sites)

The application acceleration design covers the following:

- Establish connections between data centers and branches through a WAN.
- Deploy WAN acceleration devices in the data centers and branches. Deploy high-specification WAN acceleration devices in the data centers.
- Deploy WAN acceleration devices in the data centers in one of the following modes:
  - Connect WAN acceleration devices to core or aggregation switches in bypass mode.
  - Connect WAN acceleration devices to egress routers in bypass mode.
  - Deploy WAN acceleration devices behind egress routers in inline mode.
- Enable mobile users to use client software for application acceleration.

The application acceleration design has the following advantages:

- Reduces the investment in leasing WAN links and maximizes the return on investment.
- Reduces the dependence of application system deployment on networks.
- Improves application system availability and IT satisfaction.

4.7 Disaster Recovery Planning

4.7.1 Disaster Recovery Overview

The disaster recovery center is a computer network system established as a backup to the production center. When the production center stops working due to a disaster, the disaster recovery center takes over all or some of the services of the production center in a timely manner, which minimizes or avoids the losses caused by the disaster. In this way, the disaster recovery center provides comprehensive and high-quality services for enterprises.

Disaster recovery systems are classified into the following seven tiers according to the international standard Share 78, as shown in Table 4-2.

Table 4-2 Disaster recovery tiers defined in Share 78

Disaster Recovery Tier | Description
Tier 0 | No off-site data
Tier 1 | Pickup Truck Access Method (PTAM)
Tier 2 | PTAM + hot standby center
Tier 3 | Electronic Vaulting
Tier 4 | Active secondary center
Tier 5 | Two-Site Two-Phase Commit
Tier 6 | Zero Data Loss

Huawei classifies disaster recovery into three levels by data and service characteristics, as shown in Table 4-3.

Table 4-3 Huawei defined disaster recovery levels

Disaster Recovery Level | Description
Backup-level | Backup-level disaster recovery corresponds to tiers 0 to 2 in Share 78. A backup data center is set up in another city or place. It does not back up applications and data in real time. When an accident occurs, services are manually switched to the backup data center.
During backup, services may be interrupted.
Data-level | Data-level disaster recovery corresponds to tiers 3 to 5 in Share 78. A backup data center is set up in another city or place. It replicates key application data from the active data center in real time. When an accident occurs, the backup data center quickly takes over services, and services are not interrupted.
Application-level | Application-level disaster recovery corresponds to tier 6 in Share 78. A backup data center identical to the active data center is set up in another city or place. It is the backup for the active data center or works together with it. When an accident occurs, the backup data center quickly takes over services.

Figure 4-13 shows the service framework of data-level and application-level disaster recovery.

Figure 4-13 Disaster recovery service classification (figure: the production center and the disaster recovery center each stack a service system, application software, database system, volume management software, system software, storage controller and storage device; application-level disaster recovery is process switchover at the service system layer; data-level disaster recovery is remote database replication at the database layer, remote software mirroring at the volume management layer, and remote hardware replication between storage controllers)

Two technical metrics are used to measure disaster recovery:

- Recovery point objective (RPO): the acceptable amount of data loss
- Recovery time objective (RTO): the acceptable longest duration for which services are interrupted, in other words the shortest duration between the time when a disaster occurs and the time when services are restored

RPO measures data loss, while RTO measures service loss. RPO and RTO are not necessarily related.
RTO and RPO vary according to services and enterprises, and are calculated from service requirements after risk analysis and service impact analysis are performed. Table 4-4 lists the network requirements of the disaster recovery tiers. Disaster recovery tiers 6 and 7 have the same network requirements.

Table 4-4 Network requirements of disaster recovery tiers

Item | Tier 6 | Tier 5 | Tier 3-4 | Tier 2 | Tier 1
RTO | = 0 | ≤ 2 h | ≤ 4 h | > 4 h | > 48 h
RPO | = 0 | ≤ 15 min | ≤ 4 h | > 4 h | > 24 h
Data backup system | Highest | Higher | Medium | Low | Low
Backup infrastructure | Highest | Highest | Highest/medium | Low |
Backup network system | Highest | Highest | Highest/medium | Low |
Backup data system | Highest | Highest | Highest/low | Low |
Technical support | Highest | Higher | Higher/medium | |
Operation, maintenance, and management | Highest | Higher | Higher | Medium | Low
Disaster recovery plan | Highest | Highest | Highest | Highest | Highest
Network requirements:
  Application-level disaster recovery:
    - Construction of the disaster recovery center and data center
    - Backup of all services or key services
    - Remote disaster recovery over a distance of more than 1000 km
    - SAN connection, bandwidth, and delay
    - High reliability and routing performance
  Data-level disaster recovery:
    - The disaster recovery center only provides the storage system.
    - Service data backup
    - Disaster recovery in the same city or in different cities
  Low
Service requirements: remote real-time backup, no data loss, and seamless switching (Tier 6); real-time transmission (Tier 5); core data backup and data integrity (Tier 3-4); data backup in the same city or in different cities (Tier 2 and Tier 1)

4.7.2 Disaster Recovery Overview

In most cases, Huawei recommends that two DCs (active and backup) be built for remote disaster recovery.
Applications run on the computer system of the active DC, and data is stored on its storage system. When the active DC stops working due to a disaster such as a power outage, fire, or earthquake, traffic is switched over the network cables and PSTN lines connected to the backup DC, where the applications are restarted. The switchover takes a short time. This type of recovery ensures the continuity and integrity of data in both centers.

Traditional tape backup is performed at fixed points in time. If the system is corrupted, the data written between the latest backup and the disaster is lost and cannot be recovered. In this backup mode, the backup speed is slow and the backup process is not performed in real time, so it cannot meet the requirements for recovering large amounts of data, database continuity, and real-time performance. The mainstream disaster recovery solution is real-time backup. Real-time data recovery replicates updated data from the active DC to the backup DC through communication links, keeping the active and backup DCs synchronized. If the active DC cannot work properly, the backup DC takes over its services and maintains data integrity.

Layered Data Replication Technologies

Depending on the layer of the information system, different IT technologies can be used to synchronize or replicate data. The information system is divided into six layers:

- Mirror-based replication technology

  The core of this technology is to replicate production data remotely using the storage array's disk-array-to-disk-array data block replication, which ensures the security of the production data in a disaster. If a disaster occurs in the active DC, the data in the disaster recovery center can be used to establish an operating environment that provides IT support for services. The data in the disaster recovery center can also be used to recover the service system of the active DC so that services are restored quickly.
  Mirror replication between disk arrays does not occupy the system's CPU, memory, and I/O resources, and has little impact on the application system because it does not involve the host operating system. This is the most mature and widely used disaster recovery technology. However, it requires that the same type of storage devices from the same manufacturer be used in the production center and the disaster recovery center. The storage devices of mainstream manufacturers provide disk array-level mirror replication technology, such as EMC DMX SRDF, EMC CX MirrorView, IBM DS8000 MetroMirror, IBM DS8000 GlobalMirror, IBM DS4000 ERM, HP XP ContinuousAccess, and HDS USP TrueCopy.

- SAN-based replication technology

  This technology has emerged in recent years. On a SAN, a virtual storage management device is deployed in a direct or bypass manner, depending on the manufacturer. The SAN-based technology is applicable to heterogeneous storage devices and is transparent to the host. You can use this technology when disk arrays from many manufacturers exist in one DC, but it is immature and affects the background storage I/O speed. Products that currently provide this technology include IBM SVC, EMC Invista, and FalconStor IPStor.

- Volume manager-based replication technology

  This technology functions at the volume manager layer and mirrors or replicates disk volumes to implement disaster recovery. It does not require identical storage devices in the production center and the disaster recovery center, but it occupies system CPU resources and has a great impact on system performance, so its scalability and running performance are poor.
  Because this technology is host-based, unexpected unauthorized access to the protected data may occur, affecting system stability and security. Commonly used volume replication software includes Symantec Veritas Volume Replicator.

- File system-based replication technology

  This technology replicates data files from the production center to the disaster recovery center to implement data recovery. It functions in file-based storage systems, such as file servers, NAS devices, or file virtualization combinations. File-based replication is widely used for backing up data, for the following two reasons:

  - It is easy to deploy and supports standard protocols. In addition to its own replication functions, it can work with multiple driver technologies to provide more replication functions.
  - It provides enterprises with methods for using storage resources properly, sharing resources across media servers, and configuring storage capacity for media servers in a timely manner when the enterprises are running a block-based storage system.

- Database-based replication technology

  This logical replication technology supports heterogeneous storage and operating system platforms. After analyzing the redo logs of the production database, it generates universal or private SQL statements and transmits them to the backup database for application. The replication process does not involve the lower-layer storage. Replication is performed across platforms at high speed, but it occupies system resources, does not support some special data formats and data definition language (DDL) statements, and cannot guarantee data consistency when random data is generated in the service system. Common products that provide this technology include Oracle Data Guard, Oracle Streams, Quest SharePlex for Oracle, DSG RealSync for Oracle, and IBM DB2 HA/DR.
- Application system-based replication technology

  The application system must support transaction distribution when this technology is used. It uses transaction middleware to back up online transactions concurrently in the production center and the disaster recovery center, or to transmit updated data from the active DC to the backup DC, ensuring data consistency between the production center and the disaster recovery center. This technology requires low bandwidth, but existing applications can implement it only after they are modified.

Data Backup Mode

Data can be backed up at both the local and remote ends. Based on protection mechanisms at different levels, two data backup modes are available:

- Synchronous mode

  Before the next write operation is performed on the disks, the updated data of the last write operation must be replicated to both the local and remote volumes. The synchronous mode provides the highest protection level, but application performance is affected by the delay of data transmission between the local and remote arrays.

- Asynchronous mode

  Local volumes can continue with write operations even if the remote volumes have not been updated. Remote volumes are updated after a period of delay. This mode ensures high application performance, but data that has not been updated to the remote volumes is lost if a disaster occurs.

Based on the data backup design, four data backup modes are available:

- Cold standby

  In cold standby mode, the production system database is periodically backed up to the remote data center and to media such as tape. The backup data remains in an inactive state until a fault occurs.
  When the production database system becomes unavailable because of a fault, the backup data is activated. The timeliness of data backed up in cold standby mode depends on the latest database backup. The database cold standby period is long.

Figure 4-14 Cold standby mode (figure: the active DC with active storage on an FC/IP SAN, connected through wavelength division devices over DWDM to the disaster recovery center, where the storage is inactive)

- Warm standby

  The warm standby mode requires a backup database system. It is similar to the cold standby mode except that the data of the backup database can be used to restore services when the production database fails, so the data recovery time required by warm standby is much shorter than that required by cold standby. Warm standby is implemented by loading the logs of the production database into the backup database. The timeliness of data backed up in warm standby mode also depends on the latest database backup. The schematic diagram of warm standby is similar to that of cold standby.

- Hot standby

  The hot standby mode is the highest-level database backup mode. It requires a backup database that is in the same active state as the production database. In addition, the production database and the backup database are kept in synchronization, and all modifications to the production database are also made to the backup database. Implementing hot standby often requires complex hardware and software technologies, so data recovery in hot standby mode costs more than in cold standby or warm standby mode. Among the four data backup modes, hot standby provides the fastest data recovery, which is essential for some important service systems.
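As an added example that is not part of the Huawei document, the Python model below puts numbers on the trade-off stated under Data Backup Mode and on the RPO definition in Section 4.7.1: in synchronous mode a write is acknowledged only after the remote array has applied it, so the write latency seen by the application grows with the round-trip delay to the disaster recovery center; in asynchronous mode the write is acknowledged locally and the copy ships later, so the writes still in flight when the production site is lost are exactly the data loss that RPO bounds. The local commit time, write interval, moment of the disaster, and the one-way figure of about 5 µs per km of fibre used to turn distance into delay are assumptions of the example.

```python
"""Added example: synchronous vs asynchronous array replication and the resulting data loss."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FIBRE_DELAY_MS_PER_KM = 0.005   # roughly 5 us/km one-way in fibre (assumption)


@dataclass
class Volume:
    blocks: Dict[int, bytes] = field(default_factory=dict)
    applied_seq: int = 0            # sequence number of the newest write applied


@dataclass
class ReplicatedPair:
    """A production volume replicated to a disaster recovery volume over one link."""
    mode: str                       # "sync" or "async"
    link_delay_ms: float            # one-way delay, production -> disaster recovery
    local_write_ms: float = 1.0     # time for the local array to commit a write (assumption)
    local: Volume = field(default_factory=Volume)
    remote: Volume = field(default_factory=Volume)
    in_flight: List[Tuple[float, int, int, bytes]] = field(default_factory=list)
    seq: int = 0
    latencies_ms: List[float] = field(default_factory=list)

    def write(self, now_ms: float, block: int, data: bytes) -> float:
        """Apply a host write issued at now_ms and return the latency the host sees."""
        self.seq += 1
        self.local.blocks[block] = data
        self.local.applied_seq = self.seq
        if self.mode == "sync":
            # Acknowledge only after the remote array has applied the block: one full RTT.
            self.remote.blocks[block] = data
            self.remote.applied_seq = self.seq
            latency = self.local_write_ms + 2 * self.link_delay_ms
        elif self.mode == "async":
            # Acknowledge at once; the copy lands after the local commit plus one-way delay.
            arrival = now_ms + self.local_write_ms + self.link_delay_ms
            self.in_flight.append((arrival, self.seq, block, data))
            latency = self.local_write_ms
        else:
            raise ValueError(f"unknown mode {self.mode!r}")
        self.latencies_ms.append(latency)
        return latency

    def deliver_until(self, now_ms: float) -> None:
        """Apply queued asynchronous copies whose arrival time has passed."""
        pending = []
        for arrival, seq, block, data in sorted(self.in_flight):
            if arrival <= now_ms:
                self.remote.blocks[block] = data
                self.remote.applied_seq = seq
            else:
                pending.append((arrival, seq, block, data))
        self.in_flight = pending

    def lost_writes_if_disaster_at(self, now_ms: float) -> int:
        """Writes already acknowledged to hosts that the DR site never received."""
        self.deliver_until(now_ms)
        return self.local.applied_seq - self.remote.applied_seq


def simulate(mode: str, distance_km: float, n_writes: int = 10,
             interval_ms: float = 2.0, disaster_at_ms: float = 19.0) -> Dict[str, float]:
    """Issue evenly spaced writes, then lose the production site at disaster_at_ms."""
    pair = ReplicatedPair(mode, link_delay_ms=distance_km * FIBRE_DELAY_MS_PER_KM)
    for i in range(n_writes):
        pair.write(i * interval_ms, block=i, data=b"constructed sample block")
    return {
        "avg_write_latency_ms": sum(pair.latencies_ms) / len(pair.latencies_ms),
        "lost_writes": pair.lost_writes_if_disaster_at(disaster_at_ms),
    }


if __name__ == "__main__":
    for mode in ("sync", "async"):
        for km in (100, 1000):
            print(mode, f"{km} km:", simulate(mode, km))
```

With the constructed workload, synchronous replication over 100 km adds about 1 ms to every write and loses nothing, while the same mode over 1000 km costs roughly 11 ms per write; asynchronous replication keeps the 1 ms local latency at any distance but leaves one write unreplicated at 100 km and three at 1000 km when the site is lost. This is the distance boundary behind Table 4-5, which pairs synchronous backup with sites less than about 100 km apart and asynchronous backup with longer distances.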
Figure 4-15 Hot standby mode (active DC and disaster recovery center, each with active FC/IP SAN storage connected over DWDM wavelength division devices; Application 1 and Application 2 each appear as active in one center and as backup in the other, and each application has a unique IP address)

- Active/active mode
  When the active/active mode is used in the data center network architecture, two data centers serve users simultaneously. A data center often uses a multilayer application architecture consisting of the web layer, the application server layer, and the database layer, and implementing the active/active mode has different requirements at each of the three layers. At the web layer, services are stateless, so applications can connect to the web layer of either data center. At the application server layer, the active/active mode can be implemented for stateless applications. The databases in a cluster cannot be far from each other, because a long distance between them hinders database access and the implementation of synchronization policies. Therefore, it is difficult to implement the active/active mode at the database layer when the data centers are far apart.
Figure 4-16 Active/active mode (Internet via ISP A and ISP B; DNS server/global load balancer; active DC and disaster recovery center each running Application 1 and Application 2 on FC/IP SAN storage, interconnected by wavelength division devices over the data backup network)

Table 4-5 Comparisons between the four data backup modes

Data Backup Mode | Reliability Solution | Disaster Recovery | Data Backup Requirements | Data Backup Tier
Active/active | Load balancing | Automatic | Synchronous backup (< 100 km) | 6
Hot standby | Cluster | Automatic | Synchronous backup (100 km) | 5/6
Warm standby | Manual intervention | Manual | Asynchronous backup (> 100 km) | 4/5
Cold standby | Strong manual intervention | Manual | Asynchronous backup (> 100 km) | 1/2

4.7.3 Disaster Recovery Network Planning

According to the disaster recovery network design, two disaster recovery modes are available: intra-city real-time disaster recovery and inter-city backup disaster recovery, as shown in Figure 4-17.

Figure 4-17 Network planning for intra-city and inter-city disaster recovery (production center and production/disaster recovery center in the same city, each with a core layer, an access layer, servers, FC SAN storage and DWDM; remote disaster recovery center reached over the WAN with SDH and application acceleration)

Disaster Recovery in the Same City

In the metro disaster recovery solution, Huawei recommends that core service data be backed up in synchronous or asynchronous mode depending on the physical distance between the disaster recovery center and the production center.
On the FC SAN network, Wavelength Division Multiplexing/Synchronous Digital Hierarchy (WDM/SDH) technology can be used for remote backup, and mirror-based replication can be used to synchronize data in real time. If the distance between the disaster recovery center and the production center is within 100 km and the two centers are connected by optical fiber, some core service data can be backed up in synchronous mode and the rest in asynchronous mode, taking the transmission delay of the optical fiber signals into account. If the two centers are connected using IP data links, IP SAN-based protocols such as Fibre Channel over IP (FCIP), Internet Fibre Channel Protocol (iFCP), InfiniBand, and Internet Small Computer System Interface (iSCSI) can be used to transmit data; Huawei recommends the asynchronous mode in this case.

Remote Disaster Recovery

In the remote disaster recovery solution, data is backed up over leased lines or an asynchronous transfer mode (ATM) network. If users have sufficient capital, point-to-point leased lines together with WAN acceleration devices are recommended, which reduce the leased WAN bandwidth required and provide high-speed, efficient data backup at minimum cost. Data is backed up in asynchronous mode, which meets the bandwidth and transmission delay requirements of remote disaster recovery. If the amount of data exceeds the threshold of the disaster recovery center, the overflow data is backed up to a tape library or CD-ROM library using snapshot technology. Transmission delay exists between the remote disaster recovery center and the local production center and varies with the technologies adopted, the bandwidth, the distance, and the characteristics of the data flows. Software-based replication technologies can easily implement queuing and resumable transmission mechanisms, ensuring data consistency if a disaster occurs.
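The difference between the synchronous and asynchronous modes defined above (section 4.7.2) and the consistency guarantee of a queued, resumable replication link can be made concrete with a small simulation. The following Python model is an added example, not part of the Huawei proposal: the volumes, the block-write workload, the 2 ms link round trip and the partial delivery before the disaster are constructed values, and the fiber delay helper assumes a propagation speed of about 200 km per ms and ignores equipment latency.

```python
"""Synchronous vs. asynchronous replication from a production volume to a
remote DR volume.  Added example; workload and link delays are constructed."""
from collections import deque


def fiber_rtt_ms(distance_km):
    """Round-trip propagation delay over optical fiber, assuming roughly
    200 km per ms and ignoring array/switch latency (illustrative only)."""
    return 2 * distance_km / 200.0


class Volume:
    """A block volume that accepts writes only in sequence order."""

    def __init__(self):
        self.blocks = {}   # block id -> value
        self.seq = 0       # sequence number of the last applied write

    def apply(self, seq, block, value):
        if seq != self.seq + 1:
            raise ValueError(f"write {seq} out of order, expected {self.seq + 1}")
        self.blocks[block] = value
        self.seq = seq


class ReplicatedVolume:
    """Local (production) volume mirrored to a remote volume.

    mode="sync":  a write is acknowledged only after the remote volume holds
                  it, so the application waits one link round trip per write.
    mode="async": the write is acknowledged at once and queued; ship() later
                  delivers queued writes to the remote volume, oldest first.
    """

    def __init__(self, mode, link_rtt_ms):
        if mode not in ("sync", "async"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.link_rtt_ms = link_rtt_ms
        self.local = Volume()
        self.remote = Volume()
        self.log = []              # every write in order, for the consistency check
        self.pending = deque()     # async: writes not yet delivered to the remote end
        self.app_wait_ms = 0.0     # time the application spent waiting on the link

    def write(self, block, value):
        seq = self.local.seq + 1
        self.local.apply(seq, block, value)
        self.log.append((seq, block, value))
        if self.mode == "sync":
            self.remote.apply(seq, block, value)   # must land before the ack
            self.app_wait_ms += self.link_rtt_ms
        else:
            self.pending.append((seq, block, value))
        return seq

    def ship(self, max_writes=None):
        """Deliver up to max_writes queued writes in order.  Stopping early
        models a link interruption; the next ship() resumes where it stopped
        (the queuing and resumable transmission the text refers to)."""
        shipped = 0
        while self.pending and (max_writes is None or shipped < max_writes):
            seq, block, value = self.pending.popleft()
            self.remote.apply(seq, block, value)
            shipped += 1
        return shipped

    def disaster(self):
        """The production site is lost: queued writes never reach the remote end."""
        lost = len(self.pending)
        self.pending.clear()
        return lost

    def remote_is_consistent(self):
        """True if the remote volume equals the local volume as it was right
        after write number remote.seq, i.e. a crash-consistent point in time."""
        expected = {}
        for _seq, block, value in self.log[: self.remote.seq]:
            expected[block] = value
        return expected == self.remote.blocks


# Constructed workload: five block writes, two of them overwriting earlier blocks.
WORKLOAD = [(1, "a"), (2, "b"), (1, "a2"), (3, "c"), (2, "b2")]


def run_scenario(mode, link_rtt_ms=2.0, shipped_before_disaster=3):
    """Apply WORKLOAD, ship part of the async queue, then lose the production site."""
    rv = ReplicatedVolume(mode, link_rtt_ms)
    for block, value in WORKLOAD:
        rv.write(block, value)
    if mode == "async":
        rv.ship(shipped_before_disaster)
    lost = rv.disaster()
    return {
        "app_wait_ms": rv.app_wait_ms,
        "writes_lost": lost,
        "remote_seq": rv.remote.seq,
        "remote_consistent": rv.remote_is_consistent(),
    }


if __name__ == "__main__":
    for mode in ("sync", "async"):
        print(mode, run_scenario(mode))
```

In the synchronous run the application pays one round trip per write but nothing is lost; in the asynchronous run the application never waits, the two undelivered writes are lost (the recovery point objective of the link), yet the remote volume is still a consistent earlier state because writes are applied strictly in order. A replication engine that delivered writes out of order would fail the same consistency check.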
Compared with the synchronous mode, the asynchronous mode has lower requirements for bandwidth and distance. It only requires that all data be replicated from the local end to the remote end within a certain period of time, and it does not affect application system performance. If a disaster occurs in the local production center, however, some data will be missing at the remote end (if the transmission rate is low and the data has not been completely transmitted across the WAN); data consistency is not affected, just as when the local host is shut down abnormally.

4.7.4 Service Planning for Disaster Recovery

Based on real-time synchronization, automatic switchover and active/active load balancing can be implemented for services. As shown in Figure 4-18, intelligent DNS servers (global load balancers) monitor the status of web servers and local load balancers and return DNS resolution results based on that status. If a web server in the active DC fails, the local load balancer switches the services on that web server to the other web server in the same center. If the whole active DC fails, the global load balancer switches the services in that center to the disaster recovery center.

Figure 4-18 Automatic switchover and active/active load balancing implemented based on the active/backup intelligent DNS/GSLB (carrier DNS; an intelligent DNS (global load balancer), a local load balancer and web servers in the active DC and in the disaster recovery DC; steps 1 to 3 mark normal access, backup access, and monitoring of the status of servers and load balancers)
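The switchover logic described in this section, with the RTT-based matching entries that section 4.8.2 (Figure 4-19) describes for DNS-based GSLB, can be demonstrated with a short simulation. The following Python model is an added example, not code from the Huawei proposal or from any Huawei product: the two sites, the VIPs and server addresses (taken from the TEST-NET and private ranges), the local DNS address 192.0.2.53 and the RTT table are constructed, with the RTT values reusing the 150 ms and 300 ms figures the document gives.

```python
"""Intelligent DNS / GSLB switchover with a local load balancer per site.
Added example; sites, addresses and RTTs are constructed sample values."""


class Site:
    """One data center: a local load balancer (LLB) in front of web servers."""

    def __init__(self, name, vip, web_servers):
        self.name = name
        self.vip = vip                          # address the GSLB hands out
        self.web_servers = dict(web_servers)    # server ip -> health-check result
        self.llb_up = True
        self._next = 0

    def healthy(self):
        """The GSLB counts the site as usable only if the LLB answers and at
        least one web server passes its health check."""
        return self.llb_up and any(self.web_servers.values())

    def local_balance(self):
        """LLB: round-robin over the web servers that passed the health check,
        so a failed server is skipped without any DNS change."""
        alive = [ip for ip, ok in self.web_servers.items() if ok]
        if not alive:
            return None
        ip = alive[self._next % len(alive)]
        self._next += 1
        return ip


class GslbDns:
    """Intelligent DNS: answers queries for one hostname with the VIP of the
    healthy site that is closest (lowest RTT) to the requesting local DNS."""

    def __init__(self, hostname, sites, rtt_probe):
        self.hostname = hostname
        self.sites = sites
        self.rtt_probe = rtt_probe   # callable(site_name, ldns_ip) -> RTT in ms
        self.matching = {}           # (site_name, ldns_ip) -> RTT, the "matching entry"

    def resolve(self, hostname, ldns_ip):
        if hostname != self.hostname:
            return None              # not authoritative for this name
        alive = [s for s in self.sites if s.healthy()]
        if not alive:
            return None              # no site can serve; SERVFAIL in practice
        for site in alive:
            key = (site.name, ldns_ip)
            if key not in self.matching:         # probe once, then reuse the entry
                self.matching[key] = self.rtt_probe(site.name, ldns_ip)
        best = min(alive, key=lambda s: self.matching[(s.name, ldns_ip)])
        return best.vip


# Constructed RTTs from each site's GSLB device to the carrier's local DNS.
RTT_TABLE = {("active", "192.0.2.53"): 150, ("dr", "192.0.2.53"): 300}


def build_demo():
    active = Site("active", "203.0.113.10", {"10.1.0.11": True, "10.1.0.12": True})
    dr = Site("dr", "198.51.100.10", {"10.2.0.11": True})
    dns = GslbDns("www.abc.com", [active, dr],
                  lambda site, ldns: RTT_TABLE[(site, ldns)])
    return dns, active, dr


def scenario():
    """Walk through the situations in the text and record what the carrier's
    local DNS (192.0.2.53) is told and which server the LLB then picks."""
    dns, active, dr = build_demo()
    ldns = "192.0.2.53"
    result = {}
    # Normal operation: nearest healthy site, first web server.
    result["normal"] = (dns.resolve("www.abc.com", ldns), active.local_balance())
    # One web server in the active DC fails its health check: the LLB moves
    # traffic to the other server; the DNS answer does not change.
    active.web_servers["10.1.0.11"] = False
    result["server_failed"] = (dns.resolve("www.abc.com", ldns), active.local_balance())
    # The whole active DC fails (LLB unreachable): the GSLB answers with the DR VIP.
    active.llb_up = False
    result["dc_failed"] = (dns.resolve("www.abc.com", ldns), dr.local_balance())
    # Nothing healthy anywhere: the resolver gets no usable address.
    dr.llb_up = False
    result["all_failed"] = dns.resolve("www.abc.com", ldns)
    return result


if __name__ == "__main__":
    for step, outcome in scenario().items():
        print(f"{step:>14}: {outcome}")
```

Two practical points the model makes visible: a site whose load balancer is down is excluded even if its servers are fine, since the GSLB can only judge what it can probe; and the DNS-mode switchover takes effect only as cached answers at carrier resolvers expire, which is why Table 4-6 rates its switchover speed in minutes rather than seconds.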
The DNS service has a great impact on services in the DC, so disaster recovery for the DNS servers must also be taken into consideration. With multiple DCs, it is recommended that the slave DNS server be deployed in the active DC and the master DNS server in the backup DC. This guarantees that DNS services keep operating when the whole active DC fails.

In addition, the manual switchover mode can be used for disaster recovery. When the DC experiences a disaster, the network segment of the disaster recovery center can be opened manually so that users and branches connect to the disaster recovery center without performing any operations themselves.

The reachable route import mode can also be used. In most cases, the active DC advertises low-cost routes, whereas the backup DC advertises high-cost routes. When both the active and backup DCs are working properly, a user receives two host routes with different costs after sending a connection request and normally selects the lower-cost route, connecting to the active DC. When the active DC experiences a disaster, the user receives only the high-cost route from the backup DC, so the user can only connect to the backup DC over that route. Table 4-6 compares the three common switchover modes.

Table 4-6 Comparisons between service recovery modes

Service Recovery Mode | Applicable Disaster Recovery Mode | Switchover Speed | Required Device | Scalability (Multiple DCs)
Manual mode | Cold standby | Minutes | None | Low
DNS mode | Hot standby, active/active | Minutes | DNS server | High
Route convergence mode | Hot standby | Seconds | Load balancer | Medium

4.8 Service Distribution Planning

4.8.1 Service Distribution Overview

With the development and expansion of enterprises, the deployment mode of DCs evolves from the single-center mode to the three-center-in-two-area mode and the multiple-center mode.
Services are hosted in active DCs or regional DCs as required. Because of differences in user experience and service characteristics, services have different bandwidth and transmission delay requirements, so the related DCs are deployed in different modes. For example, office automation (OA) services such as Notes and Email are sensitive to transmission delay and require high bandwidth. Therefore, they are deployed in distributed mode, which reduces the bandwidth consumed on the leased lines between regional DCs and active DCs.

4.8.2 Service Distribution Planning

Services in DCs are deployed in centralized and distributed manner to meet operators' network requirements and increase user satisfaction. The following table lists the characteristics of some application services in DCs and recommends deployment modes for them.

Table 4-7 Centralized and distributed deployment modes of application services

Application Service | Architecture | Characteristics | Deployment Mode
OA services (such as Notes and Email) | C/S | Interactive operation: sensitive to delay. Large-amount-of-data operation: sensitive to bandwidth and delay | Distributed deployment: OA services are deployed in global active DCs and regional DCs in distributed mode.
Web service | B/S | Interactive operation: sensitive to delay. Large-amount-of-data operation: sensitive to bandwidth and delay | Centralized and distributed deployment: database servers and application servers are deployed in centralized mode; HTTP servers are deployed in distributed mode.
ERP | B/S | Sensitive to delay and error codes | Centralized deployment: ERP is deployed in global active DCs in centralized mode.
Video/VoIP | - | Sensitive to bandwidth and jitter | Centralized and distributed deployment: gatekeepers (GKs) are deployed in centralized mode; multipoint control units (MCUs) are deployed in distributed mode.
Interactive production services | - | Interactive operation and low bandwidth | Centralized deployment: interactive production services are deployed in DCs in centralized mode.

Centralized and distributed deployment modes are applicable to the services in Table 4-8.

Table 4-8 Services deployed in the centralized/distributed mode

Deployment Mode | Applicable To
Distributed deployment | Services distributed across regions; services limited to a region; services with heavy traffic and frequent interactions
Centralized deployment | Services with light traffic, such as services in the early development stage; services of great importance that require surveillance by headquarters

With global load balancing technology, distributed services serve the nearest enterprise users, back up each other's data across DCs in multiple locations, and balance load among multiple DCs. Currently, GSLB technologies are implemented based on DNS, application redirection, IP address spoofing (triangulation), and host route import. The last three implementations have many limitations or poor performance, and DNS-based GSLB is the current mainstream technology. Figure 4-19 shows the principle of DNS-based GSLB.

Figure 4-19 DNS-based GSLB

Step 1 A user needs to access http://www.abc.com and sends a DNS request for the IP address of www.abc.com to the local DNS server of the corresponding carrier.
Step 2 The local DNS server finds the primary and secondary DNS servers of abc.com by recursive resolution.
Step 3 The GSLB device that receives the DNS request checks whether it holds a best-matching entry for that local DNS server. If so, the GSLB device returns the best-matching server IP address to the local DNS server.
If not, the GSLB device instructs the other GSLB device to search for a best-matching entry for that local DNS server.
Step 4 The two GSLB devices probe the local DNS server separately. The GSLB device at the DR site measures an RTT of 300 ms to the local DNS server, whereas the GSLB device at the main site measures an RTT of 150 ms. Matching entries for the local DNS server are then generated on both GSLB devices.
Step 5 The GSLB device that received the local DNS request returns the corresponding server IP address to the local DNS server according to the matching entries for that local DNS server.
Step 6 After obtaining the server IP address, the local DNS server sends it to the user.
Step 7 The user accesses the website www.abc.com.
----End

5 DC Network Maintenance Recommendations

5.1 Network Management

5.1.1 NMS Overview

As the scale and complexity of DC networks grow, the DC network topology becomes complex. Obtaining network changes, operating status, and network resource information in time has become a major concern for DC network administrators.

Huawei eSight is a new-generation NMS targeting the enterprise campus and DC. It uniformly manages enterprise resources, services, and users. eSight manages all IT devices, IP devices, and third-party devices, intelligently analyzes network traffic and the roles of access users, and automatically adjusts network control policies to ensure enterprise network security. In addition, it provides a flexible and open platform on which enterprises can develop their own intelligent management systems.

In DC scenarios, Huawei eSight provides a variety of application and management functions:
- Manages various Huawei and non-Huawei devices.
- Manages all DC resources.
- Provides a unified visual view of the DC.
- Supports comprehensive fault monitoring.
- Performs fine-grained management of the equipment room.
- Monitors and manages DC network performance.
- Performs right-, area-, and time-based user management.

Using eSight, you can view and learn the network topology, configure system information, and manage network devices.

5.1.2 Networking Mode

Centralized Deployment

eSight works in browser/server (B/S) mode and allows multiple browsers to access it simultaneously.

Figure 5-1 Centralized deployment (eSight and the DSM in the management zone behind a firewall, accessed by the system administrator; core zone)

Hierarchical Deployment

eSight supports hierarchical management so that an enterprise headquarters can manage its branches. eSight allows you to add a lower-level NMS to the upper-level NMS and provides a link that opens the lower-level NMS page. When users click the lower-level NMS link, a new browser window opens and users reach the lower-level NMS page without logging in again.

Figure 5-2 eSight hierarchical management (core layer network and aggregation layer network managed by the eSight professional version; access layer network managed by the eSight standard version)

Integration with the OSS

eSight can integrate with the OSS. eSight reports network alarms using SNMP to work with the OSS alarm system.

Figure 5-3 eSight integrated with the OSS
5.1.3 eSight Highlights

Oriented towards enterprise networks, eSight can manage network devices, servers, and IT applications. A single eSight instance can manage devices from multiple vendors. eSight provides the information that operation and maintenance personnel require, which reduces their workload, and its various management functions and flexible maintenance measures make routine maintenance easy. eSight has the following advantages.

Lightweight and Componentized Architecture

The browser/server (B/S) structure, thin client, and componentized decoupling of functional modules allow eSight to meet the requirements of different enterprise network scenarios, providing management for a wide range of enterprise networks.

Device Adaptation Technology

The device adaptation technology loads different adaptation packages onto a stable eSight edition to manage various devices. This keeps the core functions stable while allowing quick adaptation to new device types and versions.

Multiple Editions

Different eSight editions are provided to meet the requirements of enterprises with different network scales: the low-end and mid-range network management requirements of small and medium enterprises and the high-end network management requirements of large enterprises.

Secondary Development Capability

Because there are a great number of enterprises, eSight AppBase must provide secondary development capability so that agents and partners can carry out secondary development and customization, satisfying the requirements of different customers in different scenarios. eSight AppBase must provide stable interfaces and mechanisms for easy integration with third-party systems.
Multi-service Management

eSight provides the following management functions: topology management, fault management, performance management, configuration management, and security management. In addition, eSight serves as a platform for other service management components that enhance the overall management functions. eSight provides instructions on the GUI on how to use its functions.

Through its WLAN service management, eSight helps customers quickly deploy wireless networks, providing integrated wired and wireless management for network devices and WLAN devices. This lays a foundation for routine network maintenance and network adjustment, considerably improving network management efficiency. BGP/MPLS VPN service management allows eSight to monitor and manage VPN services.

5.1.4 Network Routine Maintenance

Overview

Routine maintenance is complex and the workload is heavy. The following tasks are involved:
- Monitoring topology objects
- Monitoring network elements
- Configuring network elements
- Monitoring services
- Diagnosing faults
- Monitoring performance
- Checking resources
- Generating reports

Huawei eSight can quickly and accurately provide the information network administrators require, which significantly reduces their workload. eSight provides abundant management functions and various maintenance methods so that operators can carry out routine maintenance easily.

Managing Topologies

The eSight topology view displays a navigation tree on the left and the view on the right. The navigation tree shows the hierarchy of the network structure, while the view shows the hierarchical objects at their coordinates so that users can see the object deployment clearly and directly.
The eSight topology view provides the following functions:
- Adding, deleting, modifying, and querying subnets, network elements (NEs), links, and virtual NEs
- Moving elements on the topology
- Displaying the alarm status and tips
- Arranging NEs, viewing NE attributes, zooming NE icons in or out, and printing the topology view
- Providing shortcut access, such as shortcuts to the NE manager or to device alarms

Monitoring NEs

The homepage of the NE manager displays basic information about NE devices, top-N alarms, interface traffic, bandwidth usage, CPU usage, and memory usage in tables. Users can choose which of these performance tables to display.

Configuring NEs

eSight configures a single NE in the following ways:
- eSight configures interfaces and routes using the simple configuration frame.
- eSight configures a single NE using the smart configuration tool.
- eSight configures switches, access routers, and security devices using the web NMS.
- During new deployments and network maintenance, users need to configure services in batches for devices deployed in centralized mode. In this case, users are advised to use the smart configuration tool to configure services for multiple devices in batches, which significantly improves operation and maintenance efficiency.

Managing Alarms

eSight monitors exceptions on the network in real time and provides features such as the alarm panel, alarm browsing, alarm operations, alarm rule setting (alarm suppression rules and audio settings), and remote alarm notification rules. These help the network administrator take measures to restore network operation.
You can set remote alarm notification rules, alarm suppression rules, and audio alerts, helping administrators optimize network management.

Monitoring Services

eSight monitors services in real time and collects traffic statistics and other information by service type, which helps maintenance personnel monitor services.

Monitoring Network Performance

eSight can monitor the key performance indicators (KPIs) of a network and collect performance statistics. Users manage network performance on the eSight graphical user interfaces (GUIs) and can query the collected performance data in the performance monitoring view to learn the network performance within a specified period and predict how it will change.

Querying Resources and Managing Reports

eSight provides various resource reports and predefined reports and an easy-to-use report design function so that users can design reports based on industry features and OAM requirements.

Managing Configuration Files

eSight manages configuration files to help users quickly save files and log in to devices. In addition, eSight provides a tool that inspects devices periodically, lessening the workload of maintenance personnel.

Intelligent Configuration

The eSight smart configuration tool provides service configuration and profile-based and plan sheet-based batch configuration for Huawei NEs.

- Profile deployment
  A profile delivers the same service configuration to multiple NEs. You can configure a profile to deliver the service configuration to Huawei NEs in batches, or customize a profile to deliver the configuration using a configuration wizard and verify the commands.
- Plan sheet deployment
  A plan sheet delivers similar service configurations to multiple NEs. To use a plan sheet for batch configuration delivery, set the parameters in the exported plan sheet, import the parameters into the smart configuration tool, and deliver the configuration using a configuration wizard.

5.1.5 Customization of Third-Party Devices

Network devices in a DC come from different manufacturers and cannot be managed in a uniform, pre-integrated manner, so customization capabilities are required. If each vendor's network devices are managed by their own NMS, the maintenance cost is higher and the workload of maintenance personnel is heavier. Huawei eSight provides customization capabilities for users to manage third-party devices. Users can configure the following information to manage third-party devices as required:

- Configuring manufacturers
  eSight can configure the name and contact information of a manufacturer. The configured manufacturer information is used in the subsequent configuration of device models.
- Configuring device models
  eSight can configure the description, icon, and web link of a device model. The configured icon is displayed on the topology.
- Customizing alarms
  eSight can customize reported alarms. The customized alarms are parsed and displayed on the alarm management page.
- Customizing performance indicators
  eSight can customize the performance indicators of devices. The customized indicators are collected by the performance statistics task and displayed on the performance page.
- Customizing device panels
  eSight can customize the simulated images of subracks, boards, subcards, and ports. The customized panel displays the new simulated images.
- Customizing configuration files
  eSight can customize the commands used to back up, restore, or restart configuration files so that configuration files are backed up automatically.
- Customizing reports
  eSight can create report designs by modifying the predefined report design files.

5.1.6 Software Upgrade and Patch Loading

Overview

A DC has many network devices, so upgrading software or loading patches on these devices one by one is time consuming, and upgrade failures may occur due to human error. Huawei recommends that you upgrade software and load all patches remotely in one operation. This significantly lessens the workload of maintenance personnel and avoids failures caused by human error.

Upgrading Software

eSight provides a function to upgrade software remotely in one operation. Figure 5-4 shows the operation guide for upgrading devices. If an upgrade fails, eSight provides troubleshooting methods to ensure that devices return to normal status.

Figure 5-4 Software upgrade flowchart: Start -> Configure FTP/TFTP/SFTP servers (optional) -> Configure backup/load path (optional) -> Prepare application files -> Create and execute the upgrade task -> Query the execution result -> Is the upgrade successful? If no, troubleshoot the fault and retry; if yes, End

Loading Patches

eSight provides a function to load patches remotely in one operation. Figure 5-5 shows the operation flow for loading patches. eSight also provides a patch rollback function to restore an NE to its previous status.
Figure 5-5 Patch update flowchart: Start -> Load patches -> Activate patches -> Confirm (optional) -> End

5.1.7 Network Traffic Analysis

Port mirroring and NetStream are used to analyze network traffic.

Port Mirroring

Port mirroring, also called port scanning or port monitoring, is used on a network switch to send a copy of the network packets seen on one switch interface to a network connection on another switch interface. Port mirroring copies the data on all switch interfaces to one interface and is implemented by the switch. Because the data on all interfaces must be copied to the monitoring interface, the switch load increases and switch performance deteriorates. Port mirroring is often deployed on the egress switch; for example, it can be used to monitor employees' Internet connections.

NetStream

Because consecutive data packets can be aggregated, NetStream uses a cache mechanism to analyze packets. When NetStream is enabled on a router or switch interface, the router or switch analyzes the headers of received packets to obtain traffic information and aggregates the received packets into flows for analysis. NetStream occupies less bandwidth and collects complete data, and is often applied to large-scale enterprise networks, greatly reducing the switch load. Figure 5-6 shows the NetStream networking.

Figure 5-6 NetStream networking

5.2 Troubleshooting

The DC network system consists of network devices, links between devices, and servers. If the network system is faulty, you can locate the fault by checking the link status, device status, or server status, or by detecting virus attacks.
The upper-layer applications cannot work properly if any one of these components is faulty.

5.2.1 Troubleshooting Network Devices

Network devices may encounter the following faults:
- A device is down: the power indicator and other indicators on the device are off and no sound is generated.
- The CPU usage of a device is too high: the CPU usage is too high and related applications respond slowly when a user runs the monitoring software or logs in to the device.
- An error message is displayed: an error message appears on the server when a user views the log server or logs in to the device.
- An alarm is reported: the status indicator of the device is red, indicating that an alarm has been reported.

A Device Is Down

If a device is down, first check the power cable and the power supply in the equipment room. If the power cable is connected properly and the power supply is normal, call the device vendor or service provider for help immediately. If the hardware is faulty, ask the device vendor or service provider to replace the parts as soon as possible.

The CPU Usage of a Device Is Too High

Report the problem to the service provider immediately and help the technical support engineers locate the cause. In most cases, the problem is caused by a virus attack.

An Error Message Is Displayed

Send the error message to the service provider and track the troubleshooting progress. The service provider will provide the cause of the problem after analyzing the error message. If the device has a potential fault, prepare an emergency troubleshooting plan or replace the device.

An Alarm Is Reported

Send the alarm to the device vendor and service provider, and ask them to troubleshoot the fault or replace the parts.
5.2.2 Troubleshooting Servers

The servers related to the network system are the Dynamic Host Configuration Protocol (DHCP) server, the access control system (ACS) server, and the agent (proxy) server for the external network. Faults that often occur are as follows:
- Failure to obtain an IP address
- Failure to log in to a network device
- Failure to access the Internet through the agent server

Failure to Obtain an IP Address

To troubleshoot the fault, proceed as follows:
Step 1 Ping the DHCP server to check its connectivity.
Step 2 If the DHCP server is reachable, log in to the DHCP server to check whether the DHCP service is normal. If it is normal, check whether the DHCP requests are timing out because of a virus attack.
Step 3 If the DHCP server has failed, replace it with the backup server.
Step 4 Configure a static IP address manually on the computer so that it can access the network until the DHCP server recovers.
----End

Failure to Log In to the Network Device

Step 1 Ping the network device to check its connectivity.
Step 2 If the device is reachable, log in to the ACS server to check whether the ACS service is normal.
Step 3 If the ACS service is abnormal, log in to the network device through the console port, disable authentication, authorization, and accounting (AAA) authentication, and enable local authentication based on the built-in database.
----End

Failure to Access the Internet Through the Agent Server

Step 1 Check network connectivity by accessing other applications. Then ping the agent server to check its connectivity.
Step 2 If the agent server is reachable, log in to the agent server to check whether the agent service and the related system services are normal.
If any service is abnormal, restart the service or the agent server. Step 3 If the fault persists, check whether the key hardware (such as NIC) of the agent server is faulty. Step 4 If the hardware or system is faulty, replace the agent server with the backup agent server. Step 5 If there are no problems with the agent server, ping the DNS gateway and Internet service provider (ISP) gateway to check the Internet access. If the DNS gateway or ISP gateway cannot be pinged, contact the ISP to rectify the fault. Step 6 If the link provided by the ISP is faulty, access the Internet through the backup link. ----End 5.3 Network Expansion 5.3.1 Overview With increasing expansion of services and scale of a DC, an existing network capacity cannot meet the requirements of long-term development. Therefore, network expansion is important. A smooth expansion is essential to the network expansion because services are not affected during the expansion. The network expansion is implemented in three ways: z Server expansion z Device expansion z Link bandwidth expansion Use a proper expansion policy as required by expansion scenarios to expand the network capacity smoothly without affecting services. 5.3.2 Server Expansion Server expansion is implemented by expanding servers in an original area or creating servers in a new area. The expansion policies of each are different. Issue 01 (2012-05-15) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 
[Figure 5-7 Internal architecture of the DC: enterprise branch, enterprise intranet and enterprise access network (VLAN 2000 to 2199); collaborative unit, collaborative unit dedicated network and collaborative unit access network (VLAN 2200 to 2299); Internet and Internet access network (VLAN 2300 to 2399); remote disaster recovery center, disaster recovery network and disaster backup center access network (VLAN 2400 to 2499); management VLAN 3000 to 3999; external user; core network; production zone, office zone, DMZ zone, storage zone and other zones (VLAN 100 to 199, 200 to 399, 400 to 599, 600 to 799, and 800 to 999).]

- Expand servers in an original area: With the development of production services, servers in the production zone need to be expanded to meet service requirements. The servers must be expanded smoothly based on the previously planned VLANs and IP addresses, which ensures VLAN continuity, requires no change to the upstream router or firewall policy, facilitates network maintenance, and reduces the expansion workload.
- Create servers in a new area: If the demilitarized zone (DMZ) is a newly created area, you need to allocate VLANs and IP addresses and plan a router and firewall policy for this area. In this way, the existing services are expanded smoothly without being affected, and the new area is easy to maintain and manage.

5.3.3 Device Expansion

Figure 5-8 shows the common network architecture of a DC. Many ring networks exist at the access layer and aggregation layer. Once you add servers, you need to deploy routers at the access layer and connect them to the combined core layer, which makes the network more complex and requires a loop-prevention technology. Therefore, services on the existing network will be affected.

[Figure 5-8 Common network architecture of a DC: Internet and WAN connected to an OSPF aggregation/core layer, with 10GE links to the access layer and racks.]

To avoid affecting services while expanding, Huawei recommends cluster and stacking technologies in planning the network architecture of a DC, as shown in Figure 5-9. Cluster and stacking technologies remove the need for a loop prevention protocol, simplify the network architecture, and facilitate device expansion.

[Figure 5-9 Network architecture of a DC deployed in the cluster and stacking mode: Internet and WAN connected to a clustered OSPF aggregation/core layer, with 10GE trunks to the stacked access layer and racks.]

After the network is planned in the cluster and stacking mode, the network changes from a ring topology to a tree topology, which is easy to maintain. When you expand devices, you only need to add new devices to the stacking system to implement smooth expansion, which has no impact on the network architecture and does not add physical links at the combined core layer.

5.3.4 Link Bandwidth Expansion

With the development of services, link bandwidth requirements will increase and links may become a bottleneck. You can use high-performance, high-bandwidth boards (for example, replace a GE board with a 10GE board, or a 10GE board with a 40GE board) or use the link binding technology to implement smooth expansion without affecting network services.
5.4 Disaster Emergency Maintenance

Overview

Disaster emergency maintenance requires designers to consider, during the network design, how to take emergency maintenance measures, how to recover services, and how to minimize service losses if a disaster (such as an earthquake or fire) occurs at a DC.

Suggestions on Disaster Emergency Maintenance

The three-center-in-two-area solution has taken unexpected disasters into consideration. For details about how data is stored between the active center, backup center, and disaster recovery center and how services are switched if a disaster occurs, see 4 "Suggestions on Planning Multiple DCs."

6 Recommended Products

The data center solution is made up of the following products:

- Core switch: S9300 series core switches
- Access switch: S6700 series access switches
- Access switch: S5700 series access switches
- Firewall: E8000E-X/E1000E-X series firewalls
- Mini optical transport network (OTN): Optical OSN 1800

6.1 S9300 Series Core Switches

6.1.1 Product Overview

The Quidway S9300 (S9300 for short) is a carrier-class, next-generation high-performance core routing switch developed by Huawei. The S9300 has a large switching capacity and a high port density, and can forward Layer 2 to Layer 4 packets at wire speed. In addition, the S9300 provides powerful multicast functions, a comprehensive QoS guarantee, an effective security management mechanism, and high reliability to meet the requirements of VIP users for multi-service support, high reliability, large capacity, and modularity. This reduces costs in network construction and maintenance. The S9300 can be deployed at the core and aggregation layers of various types of campus networks. It can also be used as an aggregation switch on some large campus networks that require high performance and port density.

6.1.2 Product Model

The S9300 series switches include the following models:

Table 6-1 S9300 product models

S9303
- LPU: 3
- Switch fabric capacity: 1440 Gbit/s
- Backplane capacity: 3 Tbit/s
- Forwarding performance: 540 Mpps

S9306
- LPU: 6
- Switch fabric capacity: 2 Tbit/s
- Backplane capacity: 6 Tbit/s
- Forwarding capacity: 1320 Mpps

S9312
- LPU: 12
- Switch fabric capacity: 2 Tbit/s
- Backplane capacity: 12 Tbit/s
- Forwarding capacity: 1320 Mpps

Figure 6-1 The S9303
Figure 6-2 The S9306
Figure 6-3 The S9312

6.1.3 Product Characteristics

Advanced Architecture, High Performance, and Flexible Configuration

The S9300 adopts an advanced distributed architecture and the latest hardware forwarding engine technology. Services on all interfaces can be forwarded at wire speed, including IPv4 services, MPLS services, and Layer 2 forwarding services. The S9300 can apply ACLs while forwarding packets at wire speed. The hardware of the S9300 implements two-level packet replication to forward multicast packets at wire speed: the SFU replicates multicast packets to the LPU, and the forwarding engine of the LPU then replicates the multicast packets to the interfaces on the LPU.

The S9300 supports 2 Tbit/s switching capacity and various high-density boards to meet the requirements of core and aggregation layer devices for large capacity and high-density interfaces. It can meet users' increasing bandwidth requirements and protects users' investment to the greatest extent.

Comprehensive Security Measures

The S9300 supports Authentication, Authorization, and Accounting (AAA) and performs AAA for access users based on policies. In addition, the S9300 supports 802.1x, portal, guest VLAN, and dynamic user access authentication, so it can work well with network admission control (NAC) products from other mainstream manufacturers.

The S9300 supports routing protocol encryption, lawful interception, MAC address filtering, dynamic ARP detection, and ACLs to protect data for service providers and end users. Hardware-based packet filtering and sampling guarantee high performance and high scalability of the system.

The S9300 is an industry leader in integrated security solutions. It uses a two-level CPU protection mechanism, supports 1K CPU queues, and protects the CPU by separating the data plane and control plane. In addition, the S9300 defends against DoS attacks, prevents unauthorized access, and prevents control plane overloading.

High Reliability

Huawei's carrier-class high reliability design ensures that the S9300 is 99.999% reliable, which meets and exceeds carrier-class operation requirements. The S9300 provides redundant backup for key components, including MPUs, power supply units, and fans, all of which are hot swappable. Based on the distributed hardware forwarding architecture, the routing plane is separated from the switching plane to ensure service continuity.

The S9300 provides a 3.3 ms hardware-based Ethernet operation, administration, and maintenance (OAM) function, which can quickly detect and locate faults. By using Ethernet OAM and switchover technologies, the S9300 can provide millisecond-level protection for networks. Service traffic can be switched between active and standby components without rebooting the equipment.
The S9300 also supports in-service software upgrade (ISSU), further reducing service interruption.

The S9300 supports link aggregation as defined in IEEE 802.3ad, the IEEE 802.1s/w standards, and the Virtual Router Redundancy Protocol (VRRP). In addition, it supports various millisecond-level switchover technologies, such as Rapid Ring Protection Protocol (RRPP), Smart Link, IP fast reroute (FRR), traffic engineering (TE) FRR, and virtual private network (VPN) FRR. These features improve the reliability of data transmission.

6.1.4 Specifications

The following table lists the specifications of the S9300 series switches.

Table 6-2 Main specifications of the S9300 series switches

Backplane capacity (Tbit/s): S9303 1.2; S9306 2.4; S9312 4.8
Service slots: S9303 3; S9306 6; S9312 12
GE port density: S9303 144; S9306 288; S9312 576
10G port density: S9303 120; S9306 240; S9312 480

VLAN
- Access, trunk, and hybrid interfaces
- Default VLAN
- VLAN switching
- QinQ and enhanced selective QinQ

MAC address
- Automatic learning and aging of MAC addresses
- Static, dynamic, and blackhole MAC address entries
- Packet filtering based on source MAC addresses
- MAC address learning limitation based on interfaces and VLANs

STP
- STP, RSTP, and MSTP
- Bridge protocol data unit (BPDU) protection, root protection, and loop protection
- BPDU tunnels

IP routing
- IPv4 dynamic routing protocols, such as RIP, OSPF, IS-IS, and BGP
- IPv6 dynamic routing protocols, such as RIPng, OSPFv3, ISISv6, and BGPv4

Multicast
- IGMP snooping
- IGMP fast leave
- Multicast traffic control
- Multicast queries
- Suppression of multicast packets
- Multicast ACL

MPLS
- Basic MPLS functions
- MPLS OAM
- MPLS traffic engineering (TE)
- MPLS VPN, VLL, and VPLS

Clock
- Synchronous Ethernet clock
- IEEE 1588v2

QoS
- Traffic classification based on the Layer 2 protocol header, Layer 3 protocol, Layer 4 protocol, and 802.1p priority
- Actions such as ACL, CAR, remark, and schedule
- Queue scheduling styles such as PQ, WRR, DRR, PQ+WRR, and PQ+DRR
- Congestion avoidance mechanisms such as Weighted Random Early Detection (WRED) and tail drop
- Traffic shaping

Configuration and maintenance
- Terminal services such as Console, Telnet, and SSH
- Network management protocols such as SNMPv1/v2/v3
- Uploading and downloading of files using FTP and TFTP
- BootROM upgrade and remote online upgrade
- Hot patches
- User operation logs

Security and management
- 802.1x authentication and portal authentication
- RADIUS and HWTACACS authentication for login users
- Hierarchical protection for commands to prevent unauthorized users from accessing the device
- Protection against DoS attacks, TCP SYN flood attacks, UDP flood attacks, broadcast storms, and large-traffic attacks
- CPU channel protection
- Ping and traceroute
- RMON

Chassis dimensions (H x W x D): S9303 442 mm x 476 mm x 175 mm; S9306 442 mm x 476 mm x 441.7 mm; S9312 442 mm x 476 mm x 663.95 mm
Chassis weight (empty): S9303 < 22 kg; S9306 < 42 kg; S9312 < 70 kg
Working voltage: DC power supply –38.4 V to –72 V; AC power supply 90 V to 264 V
Typical power consumption: S9303 180 W; S9306 < 350 W; S9312 < 650 W
Power supply capability of the device (PoE not included): S9303 800 W; S9306 1600 W; S9312 1600 W

6.2 S6700 Series Access Switches

6.2.1 Product Overview

The Quidway S6700 (S6700) is a next-generation 10GE box-shaped switch developed by Huawei. The S6700 can serve as an access switch in the data center connecting 10GE servers, as an aggregation switch on a metropolitan area network (MAN), and as a core switch on a campus network. As one of the class-A switches in the industry, the S6700 provides a maximum of 24 or 48 10GE interfaces at wire speed, which enables high-density 10GE access and high-density 10GE aggregation on the campus network. The S6700 provides rich service features, a comprehensive security control policy, and various QoS mechanisms to meet the requirements for extensibility, reliability, manageability, and security of the data center.

6.2.2 Product Model

The S6700 series switches include two models:

- S6748-EI: provides 48 GE small form-factor pluggable (SFP)/10GE small form-factor pluggable plus (SFP+) ports, two slots for power supplies, and a USB port.
- S6724-EI: provides 24 GE SFP/10GE SFP+ ports, two slots for power supplies, and a USB port.

Figure 6-4 The S6748-EI
Figure 6-5 The S6724-EI

6.2.3 Product Characteristics

High-Density 10GE Flexible Access

With the increasing bandwidth required by clients, 10GE network interface cards on servers are widely used, and the switch in the data center must provide higher forwarding performance and 10GE interface extensibility. Compared with other similar switches in the industry, the S6700 box-shaped switch has the highest 10GE port density and largest switching capacity.
An S6700 can support packet forwarding at wire speed on a maximum of 48 10GE interfaces. The GE/10GE interfaces support flexible access and can automatically identify the type of an installed optical module. The S6700 can connect to the optical or electrical interfaces of GE servers. This protects users' investment and ensures flexible usage of the S6700. To meet the requirements for heavy traffic and non-blocking transmission, the S6700 provides large buffer capacity and uses advanced buffer scheduling mechanisms to maximize effective use of the buffer.

Comprehensive Security Measures

The S6700 provides various security measures. It can defend against denial of service (DoS) attacks, attacks on networks, and attacks on users. DoS attacks include SYN flood, Land, Smurf, and ICMP flood attacks. Attacks on networks refer to STP BPDU/root attacks. Attacks on users include bogus DHCP server attacks, man-in-the-middle attacks, IP/MAC spoofing attacks, DHCP request flood attacks, and DoS attacks that change the CHADDR field of packets.

The S6700 learns the MAC address, IP address, IP address lease, VLAN ID, and interface of each access user by establishing and maintaining a DHCP snooping binding table. The S6700 directly discards invalid packets, such as ARP spoofing packets and packets with bogus IP addresses, that do not match binding entries. In this manner, attackers are prevented from carrying out man-in-the-middle attacks using ARP packets on campus networks. The trusted interface feature of DHCP snooping ensures the validity of the DHCP server.

The S6700 supports strict learning of ARP entries to prevent ARP spoofing attackers from exhausting the ARP table, so that authorized users can still access the Internet. The S6700 supports IP source check to prevent DoS attacks caused by MAC address spoofing, IP address spoofing, and combined MAC/IP spoofing.
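The binding-table checks just described can be modelled in a few dozen lines. The following Python is an added illustration written for this page, not Huawei's implementation: it builds a DHCP snooping binding table only from server replies seen on a trusted port, drops IP and ARP packets from untrusted ports whose source does not match a live binding (IP source check and ARP inspection), and applies the per-interface MAC learning limit that this section also mentions. The port names, addresses, lease values and the Packet/Binding structures are assumptions made for the example.

```python
"""Added model of the access-layer defences described on this page: a DHCP
snooping binding table with a trusted server port, IP source check and ARP
inspection against that table, and a per-interface MAC learning limit.
Written for this page, not Huawei code; port names, addresses and the
packet/binding structures are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding entry: which MAC holds which IP, on which
    VLAN and port, and until when the lease is valid."""
    mac: str
    ip: str
    vlan: int
    interface: str
    lease_expiry: float   # seconds, same clock as the 'now' passed to the checks


@dataclass
class Packet:
    interface: str                    # ingress port
    vlan: int
    src_mac: str                      # Ethernet source
    src_ip: str = ""                  # IP source (IP packets)
    kind: str = "ip"                  # "ip" or "arp"
    sender_mac: Optional[str] = None  # ARP payload sender fields (ARP packets)
    sender_ip: Optional[str] = None


class AccessSwitch:
    """Untrusted ports face users; only trusted ports may carry DHCP server replies."""

    def __init__(self, trusted_ports: Set[str], mac_limit: int) -> None:
        self.trusted_ports = trusted_ports
        self.mac_limit = mac_limit                            # per-port learning limit
        self.bindings: Dict[Tuple[str, int], Binding] = {}    # (ip, vlan) -> entry
        self.mac_table: Dict[str, Set[str]] = {}              # port -> learned MACs
        self.log: List[str] = []

    def snoop_dhcp_ack(self, server_port: str, client_port: str, vlan: int,
                       mac: str, ip: str, lease: int, now: float) -> bool:
        """Learn a binding from a DHCP ACK. A reply arriving on an untrusted
        port comes from a bogus DHCP server and is dropped instead of learned."""
        if server_port not in self.trusted_ports:
            self.log.append(f"drop: DHCP server reply on untrusted port {server_port}")
            return False
        self.bindings[(ip, vlan)] = Binding(mac, ip, vlan, client_port, now + lease)
        return True

    def learn_mac(self, port: str, mac: str) -> bool:
        """MAC learning with a per-port limit: a new address beyond the limit
        is not learned, so bogus sources cannot exhaust the table."""
        macs = self.mac_table.setdefault(port, set())
        if mac in macs:
            return True
        if len(macs) >= self.mac_limit:
            self.log.append(f"drop: MAC learning limit {self.mac_limit} reached on {port}")
            return False
        macs.add(mac)
        return True

    def _matches_binding(self, pkt: Packet, ip: str, mac: str, now: float) -> bool:
        b = self.bindings.get((ip, pkt.vlan))
        return (b is not None and b.mac == mac
                and b.interface == pkt.interface and now < b.lease_expiry)

    def forward(self, pkt: Packet, now: float) -> bool:
        """Decide whether a user-port packet is forwarded: IP source check for
        IP packets, ARP inspection for ARP packets, both against the bindings."""
        if pkt.interface in self.trusted_ports:
            return True                       # checks apply to untrusted ports only
        if not self.learn_mac(pkt.interface, pkt.src_mac):
            return False
        if pkt.kind == "arp":
            ok = self._matches_binding(pkt, pkt.sender_ip or "", pkt.sender_mac or "", now)
            reason = "ARP sender IP/MAC does not match a binding"
        else:
            ok = self._matches_binding(pkt, pkt.src_ip, pkt.src_mac, now)
            reason = "IP/MAC source does not match a binding"
        if not ok:
            self.log.append(f"drop: {reason} on {pkt.interface} VLAN {pkt.vlan}")
        return ok


def demo() -> Dict[str, bool]:
    """Constructed scenario: one host obtains a lease, then spoofing attempts follow."""
    sw = AccessSwitch(trusted_ports={"XGE0/0/48"}, mac_limit=2)
    now = 1000.0
    sw.snoop_dhcp_ack("XGE0/0/48", "XGE0/0/1", 100, "00:11:22:33:44:55", "10.1.100.10", 3600, now)
    legit = Packet("XGE0/0/1", 100, "00:11:22:33:44:55", "10.1.100.10")
    # Another port claims the legitimate host's IP in an ARP reply.
    arp_spoof = Packet("XGE0/0/2", 100, "de:ad:be:ef:00:01", kind="arp",
                       sender_mac="de:ad:be:ef:00:01", sender_ip="10.1.100.10")
    # The legitimate host's port sends from an IP it was never leased.
    ip_spoof = Packet("XGE0/0/1", 100, "00:11:22:33:44:55", "10.1.100.99")
    return {
        "legit_forwarded": sw.forward(legit, now),
        "arp_spoof_dropped": not sw.forward(arp_spoof, now),
        "ip_spoof_dropped": not sw.forward(ip_spoof, now),
        "rogue_dhcp_dropped": not sw.snoop_dhcp_ack(
            "XGE0/0/2", "XGE0/0/3", 100, "de:ad:be:ef:00:02", "10.1.100.20", 3600, now),
        "expired_lease_dropped": not sw.forward(legit, now + 3600),
        # XGE0/0/2 already learned one MAC; a second fits, a third hits the limit.
        "mac_limit_enforced": sw.learn_mac("XGE0/0/2", "de:ad:be:ef:00:02")
                              and not sw.learn_mac("XGE0/0/2", "de:ad:be:ef:00:03"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The binding is keyed on (IP, VLAN) and every check also compares the ingress interface, so a binding learned on one port does not let another port borrow the address; lease expiry is enforced on every packet, which is why the switch must age its table as leases run out rather than only when a DHCP release is seen.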
Unicast reverse path forwarding (URPF) on the S6700 checks the reverse path of a packet to validate its source, which protects the network against the growing number of source address spoofing attacks.

The S6700 supports integrated MAC address authentication and 802.1x authentication. User information, such as the user name, IP address, MAC address, VLAN ID, access interface, and a flag indicating whether antivirus software is installed on the client, can be bound statically or dynamically, and policies (VLAN, QoS, and ACL) can be delivered dynamically.

The S6700 can limit the number of MAC addresses learned on an interface to prevent attackers from exhausting the MAC address table with bogus source MAC addresses. In this way, MAC addresses of authorized users can still be learned and flooding is prevented.

High Reliability

The S6700 supports dual power supplies for backup and can use an AC power supply and a DC power supply at the same time. Users can select a single power supply or dual power supplies to improve device reliability. The switch provides two built-in fans to improve operating stability and has a long mean time between failures (MTBF).

Enhancing STP, RSTP, and MSTP, the S6700 supports MSTP multi-process, which greatly increases the number of sub-ring instances. It supports enhanced Ethernet technologies such as Smart Link and RRPP to implement millisecond-level protective switchover, improving network reliability. Smart Link and RRPP both support multi-instance to implement load balancing among links, further improving bandwidth usage.

The S6700 supports enhanced trunk (E-Trunk). When a customer edge (CE) is dual-homed to a VPLS, VLL, or PWE3 network, an E-Trunk can be configured to protect the links between the CE and the provider edges (PEs) and to implement backup between PEs. E-Trunk implements link aggregation across devices, raising link reliability to device level.

The S6700 supports the Smart Ethernet Protection (SEP) protocol, a ring network protocol applied at the link layer of an Ethernet network. SEP is applicable to open ring networks and can be deployed on upper-layer aggregation devices to provide millisecond-level switchover without interrupting services. Huawei devices implement Ethernet link management using SEP. SEP features simplicity, high reliability, high switchover performance, convenient maintenance, and flexible topology, and enables users to conveniently manage and plan networks.

The S6700 supports VRRP to maintain communication continuity and reliability, ensuring a stable network. Multiple equal-cost routes can be configured on the S6700 to implement route redundancy. When the active uplink route is faulty, traffic is automatically switched to a backup route. This feature implements multi-level backup for uplink routes.

Rich QoS Capabilities

The S6700 can implement complex traffic classification based on information such as the 5-tuple, IP precedence, ToS, DSCP, IP protocol type, ICMP type, TCP source port, VLAN, the protocol type of an Ethernet frame, and CoS. The S6700 supports inbound and outbound ACLs. The S6700 supports flow-based two-rate three-color CAR. Each interface supports eight priority queues, multiple queue scheduling algorithms such as WRR, DRR, SP, WRR+SP, and DRR+SP, and the WRED congestion avoidance mechanism, which ensures the quality of network services such as voice, video, and data services.

High Extensibility

The S6700 supports long-distance intelligent stacking (iStack). A common interface can be configured as a stack interface at the CLI, enabling flexible interface usage.
Optical fibers can be used for stacking, greatly increasing the distance between stacked devices. Compared with a single device, intelligent stacking features powerful extensibility, reliability, and performance. When customers need to expand the device or replace a single faulty device, they can add new devices without interrupting services. Compared with chassis switches, the performance and port density of intelligent stacking are not restricted by the hardware architecture. Multiple stacked devices can be treated as one logical device, which simplifies network management and configuration.

Convenient Operation and Maintenance

The S6700 supports automatic configuration, plug-and-play, deployment from USB devices, and batch remote upgrade. Upgrade and delivery of the S6700 can be completed at one time, which simplifies management and maintenance and greatly reduces maintenance costs.

The S6700 supports diversified management and maintenance modes such as SNMPv1/v2/v3, CLI, web network management, Telnet, and Huawei Group Multicast Protocol (HGMP), which makes device management more flexible. In addition, the S6700 supports NTP, SSHv2.0, TACACS+, RMON, multiple log hosts, interface-based traffic statistics, and NQA, which helps to better deploy and adjust networks.

The S6700 supports the GARP VLAN Registration Protocol (GVRP). GVRP implements dynamic configuration of VLANs. In a complicated networking environment, GVRP can simplify VLAN configuration and reduce network communication faults caused by incorrect VLAN configuration. This reduces the manual configuration work of network managers and ensures correct VLAN configurations.

The S6700 supports MUX VLAN. The MUX VLAN function is used to isolate Layer 2 traffic between interfaces in a VLAN. Subordinate VLANs can communicate with the MUX VLAN but cannot communicate with each other. MUX VLAN is usually used on enterprise intranets. With this function, a user interface can communicate with a server interface but cannot communicate with other user interfaces. MUX VLAN prevents communication between network devices connected to some interfaces or interface groups but allows these devices to communicate with the default gateway. This function ensures resource sharing and secure communication in an enterprise.

The S6700 supports BFD and provides millisecond-level detection for protocols such as OSPF, IS-IS, VRRP, and PIM to improve network reliability. Complying with IEEE 802.3ah and 802.1ag, the S6700 supports point-to-point Ethernet fault management and can detect faults on user links. Ethernet OAM improves network management and maintenance capabilities on the Ethernet and ensures a stable network.

Rich IPv6 Features

The S6700 supports the IPv4/IPv6 dual protocol stack and can be smoothly upgraded. The S6700 hardware supports the IPv4/IPv6 protocol stack, IPv6 over IPv4 tunnels (including manual tunnels, 6to4 tunnels, and ISATAP tunnels), and Layer 3 wire-speed forwarding. Therefore, the S6700 can be deployed on IPv4 networks, IPv6 networks, and networks that run IPv4 and IPv6 simultaneously. This makes networking flexible and meets the requirements for the transition from IPv4 to IPv6.

The S6700 supports various IPv6 routing protocols, including RIPng and OSPFv3. It uses the IPv6 Neighbor Discovery Protocol (NDP) to manage packets exchanged between neighbors. It also provides the Path MTU Discovery (PMTU) mechanism to select a proper MTU on the path from the source to the destination, optimizing network resources and obtaining the maximum throughput.
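To make the MUX VLAN isolation rule from the Convenient Operation and Maintenance section above concrete, the following Python model is an added example for this page and is not Huawei code. It goes slightly beyond the text: besides the principal VLAN (gateway and server ports) and the isolated subordinate VLAN the text describes, it also models a group subordinate VLAN whose member ports may communicate with each other as well as with the principal VLAN. The port names, VLAN numbers and the role names are assumptions made for the example.

```python
"""Added model of MUX VLAN Layer 2 reachability, written for this page
(not Huawei code). Port names, VLAN numbers and role names are assumptions."""
from dataclasses import dataclass
from typing import Dict, List

PRINCIPAL = "principal"   # the MUX VLAN itself: gateway and server ports
SEPARATE = "separate"     # subordinate VLAN whose ports are isolated from each other
GROUP = "group"           # subordinate VLAN whose ports may talk to one another


@dataclass(frozen=True)
class Port:
    name: str
    role: str
    vlan: int


def validate(ports: List[Port], principal_vlan: int) -> None:
    """Reject configurations the rule cannot apply to: a principal port outside
    the principal VLAN, a subordinate port inside it, or one subordinate VLAN
    configured with both roles."""
    role_by_vlan: Dict[int, str] = {}
    for p in ports:
        if p.role not in (PRINCIPAL, SEPARATE, GROUP):
            raise ValueError(f"{p.name}: unknown role {p.role}")
        if (p.role == PRINCIPAL) != (p.vlan == principal_vlan):
            raise ValueError(f"{p.name}: VLAN {p.vlan} does not match role {p.role}")
        if role_by_vlan.setdefault(p.vlan, p.role) != p.role:
            raise ValueError(f"VLAN {p.vlan} is configured as both separate and group")


def is_valid(ports: List[Port], principal_vlan: int) -> bool:
    try:
        validate(ports, principal_vlan)
        return True
    except ValueError:
        return False


def can_forward(src: Port, dst: Port) -> bool:
    """Layer 2 reachability between two ports of one MUX VLAN."""
    if src.name == dst.name:
        return False   # a frame is never forwarded back out of its ingress port
    # The principal VLAN (gateway, servers) is reachable from every subordinate port.
    if PRINCIPAL in (src.role, dst.role):
        return True
    # Subordinate VLANs are isolated from each other.
    if src.vlan != dst.vlan:
        return False
    # Same subordinate VLAN: group ports talk freely, separate ports do not.
    return src.role == GROUP


def reachability(ports: List[Port], principal_vlan: int) -> Dict[str, List[str]]:
    """For each port, the sorted names of the ports its frames may reach."""
    validate(ports, principal_vlan)
    return {s.name: sorted(d.name for d in ports if can_forward(s, d)) for s in ports}


# Constructed enterprise intranet: gateway and file server in principal VLAN 100,
# two staff PCs in separate VLAN 101, two printers in group VLAN 102.
EXAMPLE_PORTS = [
    Port("gw", PRINCIPAL, 100), Port("srv", PRINCIPAL, 100),
    Port("pc1", SEPARATE, 101), Port("pc2", SEPARATE, 101),
    Port("prn1", GROUP, 102), Port("prn2", GROUP, 102),
]

if __name__ == "__main__":
    for port, peers in reachability(EXAMPLE_PORTS, 100).items():
        print(f"{port:5} -> {', '.join(peers)}")
```

Running the model shows the behaviour the text promises: pc1 reaches only gw and srv, never pc2, while both printers reach each other and the principal VLAN; the validation step catches the misconfiguration that most often undermines the isolation, a user port accidentally placed in the principal VLAN.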
6.2.4 Main Specifications Table 6-3 Main specifications of the S6700 series products Item S6724-EI S6748-EI Port description 24 GE SFP/10GE SFP+ ports 48 GE SFP/10GE SFP+ ports Issue 01 (2012-05-15) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 123 ONE NET DCN Data Center Solution Technical Proposal 6 Recommended Products Item S6724-EI S6748-EI Forwarding performance (PPS) 358 Mbit/s 715 Mbit/s Interface switching capacity (bit/s) 480 Gbit/s 960 Gbit/s MAC address table z Capacity of 128K MAC addresses z Automatic learning and aging of MAC addresses z Static, dynamic, and blackhole MAC address entries z Packet filtering based on source MAC addresses z 4K VLANs z Guest VLANs and voice VLANs z VLANs based on MAC addresses, protocols, IP subnets, policies, and interfaces. z 1:1 and N:1 VLAN switching z QinQ and selective QinQ z Static route, RIPv1, RIPv2, ECMP, and URPF z OSPF, IS-IS, and BGP z VRRP z Policy-based routing z Routing policy z Static route z RIPng z Manual tunnels z Six-to-four tunnels z ISTAP tunnels z Neighbor Discovery (ND) z PMTU z IPv6 Ping, IPv6 Tracert, and IPv6 Telnet z Six-to-four tunnels, ISATAP tunnels, and manually configured tunnels z ACLs based on the source IPv6 address, destination IPv6 address, Layer 4 interface, or protocol type z MLDv1/v2 snooping VLAN IPv4 route IPv6 route IPv6 features Issue 01 (2012-05-15) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 
124 ONE NET DCN Data Center Solution Technical Proposal 6 Recommended Products Item S6724-EI Multicast z Static Layer 2 multicast MAC address z MAC address-based multicast forwarding z IGMP snooping and IGMP fast leave z Multicast VLAN z MLD snooping z IGMP proxy z Controllable multicast z Interface-based multicast traffic statistics z IGMP v1/v2/v3 z PIM-SM, PIM-DM, and PIM-SSM z MSDP z Rate limit on packets sent and received by an interface z Packet redirection z Port-based traffic policing and two-rate and three-color CAR z Eight queues on each port z WRR, DRR, SP, WRR+SP, and DRR+SP queue scheduling algorithms z WRED z Re-marking of the 802.1p priority and DSCP priority of packets z Packet filtering on Layer 2 to Layer 4, filtering out invalid frames based on the source MAC address, destination MAC address, source IP address, destination IP address, port number, protocol, and VLAN ID z Queue-based rate limit and port-based traffic shaping z STP, RSTP, and MSTP z BPDU protection, root protection, and loop protection z RRPP topology and RRPP multi-instance z Smart Link tree topology, Smart Link multi-instance, and the millisecond-level protection z SEP z BFD for OSPF, IS-IS, VRRP, and PIM z Enhanced trunk (E-trunk) QoS/ACL Reliability Issue 01 (2012-05-15) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 
S6748-EI 125 ONE NET DCN Data Center Solution Technical Proposal 6 Recommended Products Item S6724-EI Security z Hierarchical user management and password protection z DoS attack defense, ARP attack defense, and ICMP attack defense z Binding of the IP address, MAC address, interface, and VLAN z Interface isolation, interface security, and sticky MAC addresses z Blackhole MAC addresses z Limit on the number of learned MAC addresses z IEEE 802.1x authentication and limit on the number of users on an interface z Multiple authentication methods including AAA, RADIUS, TACACS+, and NAC authentication z SSH v2.0 z Hypertext Transfer Protocol Secure (HTTPS) z CPU protection z Blacklist and whitelist z Stack function on service interfaces z MAC forced forwarding (MFF) z Virtual cable detection (VCT) z Ethernet OAM (IEEE 802.3ah and 802.1ag) z Local port mirroring, remote switched port analyzer (RSPAN) and the packet forwarding on observing ports z Remote configuration and maintenance using Telnet z SNMPv1/v2/v3 z RMON z Network management system (NMS) and web NMS z HGMP z System logs and multi-level alarms z GVRP z MUX VLAN z 802.3az Energy Efficient Ethernet (EEE) Working environment z Working temperature: 0°C to 45°C (long term); -5°C to 50°C (short term); relative humidity: 10% to 90% (non-condensing) Input voltage AC power supply Management and maintenance z Rated voltage: 100 V to 240 V, 50/60 Hz z Maximum voltage: 90 V to 264 V, 50/60 Hz Dimensions (H x W x D) 43.6 mm x 442 mm x 420 mm Power consumption 165 W Issue 01 (2012-05-15) S6748-EI Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 
237 W 126 ONE NET DCN Data Center Solution Technical Proposal 6 Recommended Products 6.3 S5700 Series Access Switches 6.3.1 Product Overview The Quidway S5700 (S5700) is a next-generation GE switch developed by Huawei to meet the requirements for high-bandwidth access and Ethernet multi-service aggregation, providing powerful Ethernet functions for carriers and enterprise customers. Based on the next-generation high-performance hardware and Huawei Versatile Routing Platform (VRP) software, the S5700 features large capacity and high-density GE interfaces, and provides 10 Gbit/s uplinks for customers. The S5700 can meet the requirements of multiple scenarios such as service aggregation on campus networks and enterprise networks, GE access to IDC, and the GE desktop access to the enterprise network. The S5700 is a box-shaped device with a chassis of 1 U high, providing a limited version (LI), a standard version (SI), an enhanced version (EI), and an advanced version (HI). LI provides various Layer 2 functions while SI supports Layer 2 functions and basic Layer 3 functions. EI supports all routing protocols and service features. In addition to the functions of EI, HI supports some advanced functions such as MPLS and hardware OAM. 6.3.2 Appearance The following table lists models of the S5700. Table 6-4 Models of S5700 Model S5706TP-LI S5724TP-SI S5724TP-PWR-SI S5748TP-SI Issue 01 (2012-05-15) Appearance Description z Four 10/100/1000Base-T ports z Two 1000 Mbit/s combo ports z AC power supply z 20 10/100/1000Base-T ports z Four 100/1000Base-X 1000M combo ports z AC/DC power supply z RPS 12 V power supply backup z USB port z 20 10/100/1000Base-T ports z Four 100/1000Base-X 1000M combo ports z Pluggable dual AC power supplies z PoE z USB port z 44 10/100/1000Base-T ports z Four 100/1000Base-X 1000M combo ports z AC/DC power supply z RPS 12 V power supply backup z USB port Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 
S5748TP-PWR-SI
- 44 10/100/1000Base-T ports
- Four 100/1000Base-X 1000M combo ports
- AC power supply
- PoE
- USB port

S5728C-SI
- 24 10/100/1000Base-T ports
- Four 100/1000Base-X 1000M combo ports
- Two 10GE XFP uplink ports, four 1000Base-X SFP uplink ports, two 10GE SFP+ uplink ports, or four 10GE SFP+ subcards
- Dual pluggable power supplies
- USB port

S5728C-PWR-SI
- 24 10/100/1000Base-T ports
- Four 100/1000Base-X 1000M combo ports
- Two 10GE XFP uplink ports, four 1000Base-X SFP uplink ports, two 10GE SFP+ uplink ports, or four 10GE SFP+ subcards
- Dual pluggable AC power supplies
- PoE
- USB port

S5752C-SI
- 48 10/100/1000Base-T ports
- Two 10GE XFP uplink ports, four 1000Base-X SFP uplink ports, two 10GE SFP+ uplink ports, or four 10GE SFP+ subcards
- Dual pluggable power supplies
- USB port

S5752C-PWR-SI
- 48 10/100/1000Base-T ports
- Two 10GE XFP uplink ports, four 1000Base-X SFP uplink ports, two 10GE SFP+ uplink ports, or four 10GE SFP+ subcards
- Dual pluggable AC power supplies
- PoE
- USB port

S5728C-EI
- 24 10/100/1000Base-T ports
- Two 10GE XFP uplink ports, four 1000Base-X SFP uplink ports, two 10GE SFP+ uplink ports, or four 10GE SFP+ subcards
- Dual pluggable power supplies
S5728C-PWR-EI
- 24 10/100/1000Base-T ports
- Two 10GE XFP uplink ports, four 1000Base-X SFP uplink ports, or two 10GE SFP+ subcards
- Dual pluggable AC power supplies
- PoE

S5728C-EI-24S
- 24 100/1000Base-X ports
- Four 10/100/1000Base-T GE combo ports, two 10GE XFP uplink ports, four 1000Base-X SFP uplink ports, two 10GE SFP+ uplink ports, or four 10GE SFP+ subcards
- Dual pluggable power supplies

S5752C-EI
- 48 10/100/1000Base-T ports
- Two 10GE XFP uplink ports, four 1000Base-X SFP uplink ports, two 10GE SFP+ uplink ports, or four 10GE SFP+ subcards
- Dual pluggable power supplies

S5752C-PWR-EI
- 48 10/100/1000Base-T ports
- Two 10GE XFP uplink ports, four 1000Base-X SFP uplink ports, or two 10GE SFP+ subcards
- Dual pluggable AC power supplies
- PoE

S5728C-HI
- 24 10/100/1000Base-T ports
- Four 1000Base-X SFP uplink ports, two 10GE SFP+ uplink ports, or four 10GE SFP+ subcards
- Dual pluggable power supplies

S5728C-HI-24S
- 24 100/1000Base-X ports
- Four 1000Base-X SFP uplink ports, two 10GE SFP+ uplink ports, or four 10GE SFP+ subcards
- Dual pluggable power supplies

6.3.3 Product Characteristics

High Extensibility

The S5700 supports intelligent stacking (iStack). Multiple S5700s automatically form one virtual switch after being connected by stacking cables. Compared with a single device, intelligent stacking offers greater extensibility, reliability, and performance. When customers need to expand capacity or replace a single faulty device, they can add new devices without interrupting services. Compared with chassis switches, the performance and port density of an intelligent stack are not restricted by the hardware architecture.
Multiple stacked devices can be managed as one logical device, which simplifies network management and configuration.

Powerful Service Support

The S5700 supports enhanced selective QinQ, which adds outer VLAN tags to packets without occupying ACL resources and meets the requirements for multi-service provisioning.

The S5700 supports IGMPv1/v2/v3, IGMP snooping, IGMP filter, IGMP fast leave, and IGMP proxy. It supports wire-speed multicast VLAN replication, multicast load balancing in an Eth-Trunk, and controllable multicast. These multicast features provide high-quality video services for users.

The S5700 supports multi-VPN-instance CE (MCE) to isolate users on different VPNs on one device, ensuring data security and saving the user's investment.

The S5700HI switches are cost-effective box-shaped MPLS switches. They support basic MPLS and VLL functions and can be used as high-quality access devices that provide leased line services for enterprises. The S5700HI helps customers build an MPLS edge network.

Multiple S5700 models support PoE and comply with the IEEE 802.3af and 802.3at (PoE+) standards. Over Ethernet, the S5700 can supply power to standard PDs such as IP phones, WLAN APs, and Bluetooth APs. Each interface provides 30 W of power. This reduces power cabling and management costs for terminal devices. The S5700 can also be configured to power PDs only at specified times.

High Reliability

The S5700 supports dual power supplies for backup and can use an AC power supply and a DC power supply at the same time. Users can choose a single power supply or dual power supplies to improve device reliability. The switch has three built-in fans to improve stability and has a long MTBF.

Enhancing STP, RSTP, and MSTP, the S5700 supports MSTP multi-process, which greatly increases the number of sub-ring instances.
It supports enhanced Ethernet technologies such as Smart Link and RRPP to implement millisecond-level protective switchover, improving network reliability. Smart Link and RRPP both support multi-instance to implement load balancing among links, further improving bandwidth usage.

The S5700 supports E-Trunk. When a CE is dual-homed to a VPLS, VLL, or PWE3 network, an E-Trunk can be configured to protect the links between the CEs and PEs and to implement backup between PEs. E-Trunk implements link aggregation across devices, raising link reliability to device level.

The S5700 supports SEP, a ring network protocol applied at the link layer of an Ethernet network. SEP is applicable to open ring networks and can be deployed on upper-layer aggregation devices to provide millisecond-level switchover without interrupting services. Huawei devices implement Ethernet link management using SEP. SEP features simplicity, high reliability, high switchover performance, convenient maintenance, and flexible topology, and it enables users to manage and plan networks conveniently.

The S5700 supports VRRP to keep communication continuous and reliable, ensuring a stable network. Multiple equal-cost routes can be configured on the S5700 to implement route redundancy. When the active uplink route fails, traffic is automatically switched to a backup route. This feature implements multi-level backup for uplink routes.

Rich Security Measures and QoS Policies

The S5700 provides various security measures. It can defend against DoS attacks, attacks on the network, and attacks on users. DoS attacks include SYN flood, Land, Smurf, and ICMP flood attacks. Attacks on the network refer to STP BPDU/root attacks.
Attacks on users include bogus DHCP server attacks, man-in-the-middle attacks, IP/MAC spoofing attacks, DHCP request flood attacks, and DoS attacks that change the CHADDR field of packets.

The S5700 learns the MAC address, IP address, IP address lease, VLAN ID, and access interface of each access user by establishing and maintaining a DHCP snooping binding table. It directly discards invalid packets, such as ARP spoofing packets and packets with bogus IP addresses, that do not match a binding entry. In this way, attackers are prevented from carrying out man-in-the-middle attacks with ARP packets on campus networks. The trusted interface feature of DHCP snooping ensures that only a legitimate DHCP server is used.

The S5700 supports strict learning of ARP entries to prevent ARP spoofing attackers from exhausting the ARP table, so that authorized users can still access the Internet. The S5700 supports IP source check to prevent DoS attacks based on MAC address spoofing, IP address spoofing, and combined MAC/IP spoofing. URPF on the S5700 checks the reverse path of a packet to validate its source address, which protects the network against the growing number of source address spoofing attacks.

The S5700 supports integrated MAC address authentication and 802.1x authentication. User information, such as the user name, IP address, MAC address, VLAN ID, access interface, and a flag indicating whether antivirus software is installed on the client, can be bound statically or dynamically, and policies (VLAN, QoS, and ACL) can be delivered dynamically.

The S5700 can limit the number of MAC addresses learned on an interface to prevent attackers from exhausting the MAC address table with bogus source MAC addresses. In this way, the MAC addresses of authorized users are still learned and flooding is prevented.
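The binding-table checks just described (trusted interface, DHCP snooping binding, ARP validation, IP source check, and the per-port MAC limit), modelled as an added Python example that is not Huawei code: interface names, MAC addresses, IP addresses and the integer lease clock are constructed sample values.

```python
"""Defender-side model of DHCP snooping binding checks (added example, not Huawei code).
All interfaces, MACs, IPs and clock values are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Binding:
    """One DHCP snooping binding entry: which MAC may use which IP, on which port/VLAN."""
    mac: str
    ip: str
    vlan: int
    interface: str
    lease_end: int  # constructed clock in seconds, not real time


@dataclass
class SnoopingSwitch:
    trusted: Set[str]                  # interfaces towards the legitimate DHCP server
    max_macs_per_port: int = 2         # limit on learned MAC addresses per interface
    bindings: Dict[Tuple[str, int], Binding] = field(default_factory=dict)   # (mac, vlan)
    pending: Dict[Tuple[str, int], str] = field(default_factory=dict)        # (mac, vlan) -> port
    log: List[str] = field(default_factory=list)

    def dhcp_request(self, interface: str, vlan: int, client_mac: str) -> bool:
        """Client DISCOVER/REQUEST seen on an access port: remember where it came from."""
        if interface in self.trusted:
            return True  # traffic from the server side is not snooped here
        in_use = {b.mac for b in self.bindings.values() if b.interface == interface}
        if client_mac not in in_use and len(in_use) >= self.max_macs_per_port:
            self.log.append(f"DROP request: MAC limit reached on {interface}")
            return False
        self.pending[(client_mac, vlan)] = interface
        return True

    def dhcp_ack(self, interface: str, vlan: int, client_mac: str,
                 client_ip: str, lease: int, now: int) -> bool:
        """Server OFFER/ACK: accepted only from a trusted interface, then bound."""
        if interface not in self.trusted:
            self.log.append(f"DROP bogus DHCP server reply on untrusted {interface}")
            return False
        client_if = self.pending.pop((client_mac, vlan), None)
        if client_if is None:
            self.log.append(f"DROP ACK for {client_mac}: no matching request")
            return False
        self.bindings[(client_mac, vlan)] = Binding(
            client_mac, client_ip, vlan, client_if, now + lease)
        return True

    def _bound(self, interface: str, vlan: int, mac: str, ip: str, now: int) -> bool:
        """A packet is valid only if a live binding matches MAC, IP, VLAN and port."""
        b = self.bindings.get((mac, vlan))
        if b is None or b.lease_end <= now:
            return False
        return b.ip == ip and b.interface == interface

    def check_arp(self, interface: str, vlan: int, sender_mac: str,
                  sender_ip: str, now: int) -> bool:
        """ARP check: sender MAC/IP must match a binding, so gratuitous ARP for
        another host's address (the man-in-the-middle case) is dropped."""
        if interface in self.trusted:
            return True
        ok = self._bound(interface, vlan, sender_mac, sender_ip, now)
        if not ok:
            self.log.append(f"DROP ARP {sender_ip} claimed by {sender_mac} on {interface}")
        return ok

    def check_ip_source(self, interface: str, vlan: int, src_mac: str,
                        src_ip: str, now: int) -> bool:
        """IP source check: the same binding lookup applied to IP data traffic."""
        if interface in self.trusted:
            return True
        ok = self._bound(interface, vlan, src_mac, src_ip, now)
        if not ok:
            self.log.append(f"DROP IP src {src_ip}/{src_mac} on {interface}")
        return ok


def demo() -> SnoopingSwitch:
    """Constructed scenario: uplink GE0/0/24 is trusted; one client on GE0/0/1
    obtains 10.0.10.5 in VLAN 10 with a 3600 s lease at clock 1000."""
    sw = SnoopingSwitch(trusted={"GE0/0/24"})
    sw.dhcp_request("GE0/0/1", 10, "00:11:22:33:44:55")
    sw.dhcp_ack("GE0/0/24", 10, "00:11:22:33:44:55", "10.0.10.5", lease=3600, now=1000)
    return sw
```

The `log` list collects the drop reasons, which is what a practitioner would export as a syslog or trap in a real deployment.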
The S5700 can implement complex traffic classification based on information such as the 5-tuple, IP precedence, ToS, DSCP, IP protocol type, ICMP type, TCP source port, VLAN, Ethernet frame protocol type, and CoS. The S6700 supports inbound and outbound ACLs. The S5700 supports flow-based two-rate three-color CAR. Each interface supports eight priority queues and multiple queue scheduling algorithms, such as WRR, DRR, SP, WRR+SP, and DRR+SP, which ensures the quality of network services such as voice, video, and data.

Convenient Operation and Maintenance

The S5700 supports automatic configuration, plug-and-play, deployment from USB devices, and batch remote upgrade. Upgrade and delivery of the S5700 can be completed in one operation, which simplifies management and maintenance and greatly reduces maintenance costs.

The S5700 supports diversified management and maintenance modes, such as SNMPv1/v2/v3, CLI, web network management, Telnet, and HGMP, which makes device management more flexible. In addition, the S5700 supports NTP, SSHv2.0, TACACS+, RMON, multiple log hosts, interface-based traffic statistics, and NQA, which help in deploying and adjusting networks.

The S5700 supports GVRP, which implements dynamic configuration of VLANs. In a complicated networking environment, GVRP simplifies VLAN configuration and reduces communication faults caused by incorrect VLAN configuration. This reduces manual configuration by network managers and ensures correct VLAN configuration.

The S5700 supports MUX VLAN. The MUX VLAN function isolates Layer 2 traffic between interfaces in a VLAN. Subordinate VLANs can communicate with the MUX VLAN but cannot communicate with each other. MUX VLAN is usually used on enterprise intranets.
With this function, a user interface can communicate with a server interface but cannot communicate with other user interfaces. MUX VLAN prevents communication between network devices connected to some interfaces or interface groups but allows these devices to communicate with the default gateway. This function ensures resource sharing and secure communication in an enterprise.

The S5700 supports BFD and provides millisecond-level detection for protocols such as OSPF, IS-IS, VRRP, and PIM to improve network reliability.

Complying with IEEE 802.3ah and 802.1ag, the S5700 supports point-to-point Ethernet fault management and can detect faults on user links. Ethernet OAM improves network management and maintenance capabilities on the Ethernet and ensures a stable network. The S5700HI and the S5706 provide a 3.3 ms hardware-based Ethernet OAM function and Y.1731, which can quickly detect and locate faults. By combining Ethernet OAM with switchover technologies, the S5700 can provide millisecond-level protection for networks.

Rich IPv6 Features

The S5700 supports the IPv4/IPv6 dual protocol stack and can be upgraded smoothly. The S5700 hardware supports the IPv4/IPv6 protocol stack, IPv6 over IPv4 tunnels (including manual tunnels, 6to4 tunnels, and ISATAP tunnels), and Layer 3 wire-speed forwarding. Therefore, the S5700 can be deployed on IPv4 networks, IPv6 networks, and networks that run IPv4 and IPv6 simultaneously. This makes networking flexible and meets the requirements for the transition from IPv4 to IPv6.

The S5700 supports various IPv6 routing protocols, including RIPng and OSPFv3. It uses the IPv6 NDP to manage packets exchanged between neighbors. It also provides the PMTU mechanism to select a proper MTU on the path from the source to the destination, optimizing network resources and obtaining the maximum throughput.
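The MUX VLAN forwarding rules described above (principal VLAN reachable by everyone, group members able to reach each other, separate members isolated even from each other), written as an added Python example that is not Huawei code; the VLAN numbers and port names are constructed.

```python
"""Layer 2 forwarding decision of a MUX VLAN (added example, not Huawei code).
VLAN numbers and port names below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

PRINCIPAL = "principal"   # servers and default gateway: reachable by every member
GROUP = "group"           # members of one group VLAN may talk to each other
SEPARATE = "separate"     # members are isolated even from each other


@dataclass(frozen=True)
class Port:
    name: str
    vlan: int


class MuxVlan:
    def __init__(self, principal: int, group_vlans: FrozenSet[int],
                 separate_vlans: FrozenSet[int]):
        if group_vlans & separate_vlans or principal in (group_vlans | separate_vlans):
            raise ValueError("a VLAN can play only one role in a MUX VLAN")
        self.roles: Dict[int, str] = {principal: PRINCIPAL}
        self.roles.update({v: GROUP for v in group_vlans})
        self.roles.update({v: SEPARATE for v in separate_vlans})

    def role(self, vlan: int) -> Optional[str]:
        return self.roles.get(vlan)

    def may_forward(self, src: Port, dst: Port) -> bool:
        """True if Layer 2 traffic from src may reach dst under MUX VLAN rules."""
        rs, rd = self.role(src.vlan), self.role(dst.vlan)
        if rs is None or rd is None:
            raise ValueError("port VLAN is not part of this MUX VLAN")
        if src == dst:
            return False  # same interface: nothing to forward
        if PRINCIPAL in (rs, rd):
            return True   # every member reaches the principal VLAN (servers, gateway)
        if rs == GROUP and src.vlan == dst.vlan:
            return True   # same group VLAN: members may communicate
        return False      # separate members, or different subordinate VLANs


def build_intranet() -> MuxVlan:
    """Constructed layout: servers in principal VLAN 100, one department in
    group VLAN 101, visitor ports in separate VLAN 102."""
    return MuxVlan(100, frozenset({101}), frozenset({102}))
```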
6.3.4 Product Specifications

Table 6-5 Main specifications of the S5700 series products (models: S5706TP-LI, S5700-SI, S5700-EI, S5700HI)

Extended slot
- S5706: no extended slot
- S5700TP: one stacking extended slot
- S5700C: two extended slots, one for subcards and one for stacking cards
- S5700HI: one extended slot for subcards

Forwarding performance (PPS)
- S5706: 9 Mbit/s
- S5724TP-SI/S5724TP-PWR-SI: 36 Mbit/s
- S5748TP-SI/S5748TP-PWR-SI: 72 Mbit/s
- S5728C-SI/S5728C-PWR-SI/S5728C-EI/S5728C-PWR-EI/S5728C-EI-24S/S57HI: 96 Mbit/s
- S5752C-SI/S5752C-PWR-SI/S5752C-EI/S5752C-PWR-EI: 132 Mbit/s

Interface switching capacity (bit/s)
- S5706: 12 Gbit/s
- S5724TP-SI/S5724TP-PWR-SI: 48 Gbit/s
- S5748TP-SI/S5748TP-PWR-SI: 96 Gbit/s
- S5728C-SI/S5728C-PWR-SI/S5728C-EI/S5728C-PWR-EI/S5728C-EI-24S/S57HI: 128 Gbit/s
- S5752C-SI/S5752C-PWR-SI/S5752C-EI/S5752C-PWR-EI: 176 Gbit/s

Backplane switching capacity: 256 Gbit/s

MAC address table
- LI/SI: 16K; EI/HI: 32K
- Automatic learning and aging of MAC addresses
- Static, dynamic, and blackhole MAC address entries
- Packet filtering based on source MAC addresses

VLAN
- 4K VLANs
- Guest VLANs and voice VLANs
- VLANs based on MAC addresses, protocols, IP subnets, policies, and interfaces
- 1:1 and N:1 VLAN switching
- QinQ and selective QinQ

MPLS features
- S5706TP-LI: not supported
- S5700-SI: not supported
- S5700HI: basic MPLS functions; MPLS VLL

IPv4 route
- S5706TP-LI: static route
- S5700-SI: static route, RIPv1, RIPv2, ECMP, and URPF
- S5700-EI: the same as the SI, plus OSPF, IS-IS, and BGP; VRRP; policy-based routing; routing policy
- S5700HI: the same as the EI

IPv6 route
- S5706TP-LI: static route
- S5700-SI: not supported
- S5700-EI: the same as the SI, plus RIPng; OSPFv3; manual tunnels; 6to4 tunnels; ISATAP tunnels
- S5700HI: the same as the EI

IPv6 features
- ND
- PMTU
- IPv6 Ping, IPv6 Tracert, and IPv6 Telnet
- 6to4 tunnels, ISATAP tunnels, and manually configured tunnels
- ACLs based on the source IPv6 address, destination IPv6 address, Layer 4 port, or protocol type

Multicast
- S5706TP-LI: MLDv1/v2 snooping; static Layer 2 multicast MAC addresses; MAC address-based multicast forwarding
- S5700-SI: IGMP snooping and IGMP fast leave
- S5700-EI: the same as the SI, plus IGMPv1/v2/v3; PIM-SM, PIM-DM, and PIM-SSM; multicast VLAN; MLD snooping; MSDP; IGMP proxy; controllable multicast; interface-based multicast traffic statistics
- S5700HI: the same as the EI

QoS/ACL
- Rate limit on packets sent and received by an interface
- Packet redirection
- Port-based traffic policing and two-rate three-color CAR
- Eight queues on each port
- WRR, DRR, SP, WRR+SP, and DRR+SP queue scheduling algorithms
- WRED (supported by the S5706 and the S5700HI)
- Re-marking of the 802.1p priority and DSCP priority of packets
- Packet filtering on Layer 2 to Layer 4, filtering out invalid frames based on the source MAC address, destination MAC address, source IP address, destination IP address, port number, protocol, and VLAN ID
- Queue-based rate limit and port-based traffic shaping

Reliability
- STP, RSTP, and MSTP
- BPDU protection, root protection, and loop protection
- RRPP topology and RRPP multi-instance
- Smart Link tree topology, Smart Link multi-instance, and millisecond-level protection
- SEP
- BFD for OSPF, BFD for IS-IS,
BFD for VRRP, and BFD for PIM (supported by the S5700EI/HI series)
- E-Trunk

Security
- Hierarchical user management and password protection
- DoS attack defense, ARP attack defense, and ICMP attack defense
- Binding of the IP address, MAC address, interface, and VLAN
- Interface isolation, interface security, and sticky MAC addresses
- Blackhole MAC addresses
- Limit on the number of learned MAC addresses
- IEEE 802.1x authentication and limit on the number of users on an interface
- Multiple authentication methods including AAA, RADIUS, TACACS+, and NAC authentication
- SSH v2.0
- CPU protection
- Blacklist and whitelist

OAM
- S5706TP-LI: hardware implementation; EFM OAM; CFM OAM; Y.1731 performance test with hardware-level delay and jitter detection
- S5700-SI: software implementation
- S5700-EI: software implementation
- S5700HI: hardware implementation; EFM OAM; CFM OAM; Y.1731 performance test with hardware-level delay and jitter detection

Management and maintenance
- Intelligent stacking (excluding the S5700HI and the S5706)
- MFF
- Virtual cable test
- Ethernet OAM (IEEE 802.3ah and 802.1ag)
- Local port mirroring, remote switched port analyzer (RSPAN), and packet forwarding on observing ports
- Remote configuration and maintenance using Telnet
- SNMPv1/v2/v3
- RMON
- Network management system (NMS) and web NMS
- HGMP
- System logs and multi-level alarms
- Dying gasp power-off alarm (supported only by the S5706)
- GVRP
- MUX VLAN
- HTTPS
- 802.3az EEE (supported only by the S5700HI and the S5706)

Working environment
- Working temperature: 0°C to 50°C (long term); –5°C to 55°C (short term)
- Relative humidity: 10% to 90% (non-condensing)

Input voltage
- AC power supply: rated voltage 100 V to 240 V, 50/60 Hz; maximum voltage 90 V to 264 V, 50/60 Hz
- DC power supply: rated voltage –48 V to –60 V; maximum voltage –36 V to –72 V
- Note: Models supporting PoE do not use DC power supplies.

Dimensions (H x W x D)
- S5706: 250 mm x 180 mm x 43.6 mm
- S5724TP-SI/S5724TP-PWR-SI/S57HI: 442 mm x 220 mm x 43.6 mm
- Others: 43.6 mm x 442 mm x 420 mm

Power consumption
- S5706: < 40 W
- S5724TP-SI: < 40 W
- S5724TP-PWR-SI: < 455 W
- S5748TP-SI: < 64 W
- S5748TP-PWR-SI: < 907 W
- S5728C-SI: < 56 W
- S5728C-PWR-SI: < 891 W
- S5752C-SI: < 78 W
- S5752C-PWR-SI: < 917 W
- S5728C-EI: < 60 W
- S5728C-PWR-EI: < 472 W
- S5728C-EI-24S: < 63 W
- S5752C-EI: < 88 W
- S5752C-PWR-EI: < 930 W
- S57HI: < 93 W

6.4 E8000E-X Series Firewall

6.4.1 Product Overview

The Eudemon8000E-X (E8000E-X for short) is a next-generation high-performance firewall applicable to carrier backbone networks, large-scale IDCs, and high-end industry users. The E8000E-X uses distributed multi-core processors and network processors together with a specialized modular security software platform to provide high performance and service flexibility, meeting the requirements for future high-end network security devices.

6.4.2 Product Model

The E8000E-X is available in the following models:
- E8000E-X3
- E8000E-X8
- E8000E-X16

The E8000E-X3 comes in AC and DC models.
Figure 6-6 E8000E-X appearance

Table 6-6 System configuration of E8000E-X models

Item | E8000E-X3 | E8000E-X8 | E8000E-X16
MPU CPU processing capability | Dominant frequency: 1 GHz | Dominant frequency: 1.5 GHz | Dominant frequency: 1.5 GHz
MPU BootROM capacity | 1 MB | 8 MB | 8 MB
MPU SDRAM capacity | 2 GB | 4 GB | 4 GB
MPU NVRAM capacity | 1 MB | 4 MB | 4 MB
CF card | 2 GB | 2 GB | 2 GB
MPU slot quantity | 2 | 2 | 2
SFU slot quantity | - | 1 | 4
LPU slot quantity | 3 | 8 | 16
Switching capacity | 1.08 Tbit/s | 1.44 Tbit/s | 2.56 Tbit/s
Port capacity | 40 Gbit/s | 120 Gbit/s | 240 Gbit/s
Maximum throughput supported by the SPU | 2 x 10 Gbit/s (all models)
Maximum port rate supported by the LPU | 4 x 10 Gbit/s (all models)

6.4.3 Product Characteristics

Industry No. 1 Performance, Coping with Surging Traffic

The E8000E-X provides industry-leading performance:
- 10-Gigabit line-speed forwarding and performance of up to 200 Gbit/s easily address the challenges brought by Web 2.0 and promote commercial use.
- With up to 80,000,000 concurrent connections and overall performance coordinated with connection quality, the E8000E-X supports Web 2.0 applications.
- With up to 5,000,000 new connections per second, the E8000E-X easily meets the challenges of bursts such as surging traffic in peak hours and DDoS attacks, ensuring a smooth network.

With the overall penetration of wireless services, the number of mobile subscribers grows rapidly. The concurrent access of numerous mobile subscribers imposes higher requirements on device performance. In addition, security problems in the transmission of wireless network information become increasingly pressing. VPN devices face the new challenge of providing stronger processing capability and larger capacity.
The E8000E-X provides the best VPN performance in the industry:
- Up to 320,000 concurrent VPN tunnels
- Up to 96 Gbps (3DES/DES) encryption performance

The E8000E-X supports IKEv2 and enhances user authentication, packet authentication, and NAT traversal. The E8000E-X removes potential risks of man-in-the-middle attacks and DDoS attacks and supports wireless authentication protocols such as EAP-SIM and EAP-AKA. In addition, the E8000E-X supports PKI/CA and can authorize and authenticate VPN access devices. All these features effectively safeguard wireless networks.

Distributed and Scalable Architecture, Improving the ROI

The E8000E-X uses a distributed and scalable architecture with independent service processing units (SPUs) and line interface processing units (LPUs), which can be configured as required. The E8000E-X scales flexibly, satisfying the demand of increasing service traffic and improving the ROI. The overall performance of the E8000E-X, including throughput, the number of concurrent connections, the number of connections established per second, and other indexes, increases linearly as the number of SPUs grows.

End-to-End Reliability, Ensuring Service Continuity

The E8000E-X provides a comprehensive end-to-end reliability solution. With high-end router-level reliability, the E8000E-X ensures service continuity:
- Device-level reliability
  - Dual Main Processing Unit (MPU) backup supports a smooth switchover between MPUs.
  - N+1 backup of Switch Fabric Units (SFUs) enables inter-board data exchange and load balancing.
  - Load balancing and hot backup can be performed among the SPUs of the E8000E-X. When an SPU is faulty, the system switches service traffic to other SPUs to ensure nonstop service transmission.
  - The E8000E-X has redundant components.
    In addition, the power modules and fan modules are hot-swappable.
- Network-level reliability
  - The E8000E-X supports dual-system hot backup in active/standby or load balancing mode based on the Huawei Redundancy Protocol (HRP). HRP backs up key configuration commands and session table status from the active device to the standby device so that services are switched over smoothly.
  - The E8000E-X can connect to dedicated external bypass devices. When the E8000E-X is faulty, network traffic is forwarded by the bypass device in a timely manner to ensure service continuity.
- Link-level reliability
  - The E8000E-X supports inter-board interface binding to load balance traffic, improving link availability and increasing bandwidth.
  - The E8000E-X supports Bidirectional Forwarding Detection (BFD) to detect network connectivity.

One-box Deployment, Lowering CAPEX

The E8000E-X supports the following SPUs:
- Firewall SPUs
- IPS SPUs
- Anti-DDoS SPUs, including DDoS detecting SPUs and DDoS cleaning SPUs

Various SPUs can be installed in the E8000E-X to enable integrated multi-service deployment. This enhances network security and reduces CAPEX.

The E8000E-X can be configured with different LPUs to provide various models, which are applied to different security solutions:
- Security protection solution: provides isolated network planes for carriers, large IDCs, and enterprises.
- CGN solution: provides a smooth and mature transition from IPv4 to IPv6 for carriers.
- ATIC solution: provides advanced anti-DDoS and flexible operation at the large-scale IDC and MAN egress.
6.4.4 Technical Specifications

Table 6-7 E8000E-X technical specifications

Item | E8000E-X3 | E8000E-X8 | E8000E-X16
Maximum throughput of each SPU | 20 Gbit/s | 20 Gbit/s | 20 Gbit/s
Maximum throughput of each LPU | 40 Gbit/s | 40 Gbit/s | 40 Gbit/s
Maximum-throughput configuration of the system | 1 x LPU + 2 x SPU | 3 x LPU + 5 x SPU | 6 x LPU + 10 x SPU
Maximum throughput of the system | 40 Gbit/s | 100 Gbit/s | 200 Gbit/s
Number of concurrent connections | 16,000,000 (8,000,000 x 2) | 40,000,000 (8,000,000 x 5) | 80,000,000 (8,000,000 x 10)
Number of new connections per second | 1,000,000 (500,000 x 2) | 2,500,000 (500,000 x 5) | 5,000,000 (500,000 x 10)
Maximum number of ACL rules | 128,000 | 128,000 | 128,000
Mean time between failures | 25 years | 25 years | 25 years

6.5 E1000E-X Series Firewall

6.5.1 Product Overview

The Eudemon1000E-X is a next-generation carrier-class firewall for large and medium-sized enterprises and carriers. It can be deployed at the borders of carrier, enterprise, government, finance, energy, and campus networks, meeting the requirements for Gigabit and 10-Gigabit firewalls.

The E1000E-X is deployed at the egress of the enterprise network to limit bandwidth, defend against hacker attacks and DDoS attacks, prevent internal users from accessing unauthorized websites, and provide a secure and reliable network.

6.5.2 Product Model

The E1000E-X is available in three models: E1000E-X3, E1000E-X5, and E1000E-X6. The E1000E-X3/X5 is 1 U high and supports FIC/DFIC card slots. The E1000E-X6 is 3 U high and supports FIC/DFIC and MIC/DMIC card slots.

Figure 6-7 E1000E-X series

6.5.3 Product Characteristics

Carrier-Class Reliability Design

The E1000E-X provides power supply backup, fan backup, link bypass, dual-system hot backup, and link backup, ensuring high reliability.

Advanced Performance

The E1000E-X uses a multi-core processor-based hardware architecture.
With its multithreaded processing design, the E1000E-X provides excellent forwarding performance.

High-Density Interfaces

In addition to multiple fixed interfaces, the E1000E-X supports interface cards for expansion, giving it a high interface density.

Excellent Networking Adaptability

The E1000E-X supports Layer 2 and Layer 3 networking, various routing protocols, and the virtual firewall function, so it adapts flexibly to different networks.

Diversified NAT Applications

The E1000E-X supports multiple NAT functions, such as source IP address-based NAT for Internet access through private IP addresses, NAT server, and NAT ALG, enabling mutual access between private and public networks.

Extensive Authentication and Access Control Modes

The E1000E-X provides multiple authentication and access control modes to manage access in a centralized manner.

Powerful Attack Defense Capability

The E1000E-X supports enhanced packet filtering, stateful inspection, a blacklist for filtering malicious hosts, IP-MAC address binding, and powerful attack defense capabilities.

Powerful GTP Protection Function

The E1000E-X provides a GTP solution together with GPRS Support Node (GSN) products to safeguard data transmission on the General Packet Radio Service (GPRS) network.

Secure VPN Applications

The E1000E-X supports multiple VPN technologies, including IPSec, L2TP, GRE, and SSL VPN, to provide secure communication tunnels for enterprises and users in different physical locations.

Effective Online Behavior Management

The E1000E-X uses Deep Packet Inspection (DPI) to perform in-depth inspection of packets, identify application-layer protocols, and control traffic of specific types.
The E1000E-X analyzes received packets, compares them with signatures in the knowledge base, classifies game, stock, P2P, IM, and VoIP traffic, and controls traffic of the different protocols accordingly.

Enhanced UTM Functions

Based on sophisticated application-layer analysis, the E1000E-X integrates application-layer attack defense functions, such as IPS, antivirus, and URL filtering, to deal with various network security threats.

Comprehensive QoS Mechanism

The E1000E-X supports multiple QoS mechanisms, such as traffic policing, traffic shaping, traffic re-marking, congestion avoidance, and congestion management, as well as IP address-based limits on connection number and bandwidth.

Integrated IPv4/IPv6 Solution

The E1000E-X supports multiple IPv6 over IPv4 and IPv4 over IPv6 tunnels, and diversified IPv6 routing protocols.

6.5.4 Technical Specifications

Table 6-8 E1000E-X technical specifications

Performance:
Item | E1000E-X3 | E1000E-X5 | E1000E-X6
Throughput | 6 Gbps | 10 Gbps | 15 Gbps
64-byte packet forwarding performance | 1.5 Gbps | 2 Gbps | 3 Gbps
IPSec VPN performance | 3 Gbps | 5 Gbps | 7 Gbps
Number of new connections established per second | 100,000/s | 150,000/s | 200,000/s
Maximum number of concurrent sessions | 2,000,000 | 3,000,000 | 4,000,000
Maximum number of security policies | 30,000 | 30,000 | 30,000
Maximum number of users | Unlimited | Unlimited | Unlimited

Expansion and I/O:
Item | E1000E-X3/X5 | E1000E-X6
Standard interfaces | 4*GE electrical + 4*GE combo | 4*GE electrical + 4*GE combo + 8*GE optical
Expansion slots | 2*FIC | 2*MIC + 6*FIC
Interface module type | 10GE/GE electrical/GE optical/BYPASS card (all models)

6.6 OSN 1800 Compact Multi-Service Edge Optical Transport Platform

6.6.1 Product Overview

The OptiX OSN 1800 Multi-Service Mini-WDM/OTN System (OptiX OSN 1800 for short) combines OTN and WDM features and enables operators to integrate multiple access transport networks into a single network for the energy, education, government, and large-scale enterprise industries. This solves many of the problems faced by access transport networks. It extends ITU-T G.709 OTN to rates from 10 M to 10 G.

The OSN 1800 reduces network construction and operation costs. PON over OTN solves the problem of high rents caused by the many FTTx sites and facilitates maintenance. It helps you to construct a network in which fewer nodes are used and nodes are managed in a centralized manner.

Figure 6-8 OptiX OSN 1800

6.6.2 Product Characteristics

Transmission of All Services over a Single Network

- Integrated service transmission and simplified networking
  All over WDM/OTN: The OptiX OSN 1800 encapsulates low-rate services (such as E1) and large-bandwidth services (such as 10G) into OTN frames for transmission. It applies to DSL, FTTx, and leased line services.
- Long-distance transmission with fewer nodes
  G.709 OTN is applied to the WDM system for the first time in the industry. The standard OTN interface supports the FEC function. After OTN technology is applied to the traditional CWDM system, transmission of up to 120 km (33 dB) is supported.
- Powerful service aggregation and integration, reducing the device quantity
  OSN 1800 supports 2xGE+2xFE, 2xGE+2xSTM-1, 4xGE, 8xGE, 4xAny, 8xAny, 8xEPON, and 4xGPON boards. All boards occupy only one slot. Boards at rates below 5 Gbit/s are configured with a protection mechanism that uses two interfaces to send traffic and the better of the two interfaces to receive traffic.

Lower Maintenance Cost and Operation Cost
- Simplified networking, reducing node expenses
  Multi-service, long-distance, and large-capacity transmission helps simplify the network structure. The service processing and switching equipment, network management system (NMS), and OSS are configured at the central node, while equipment with simplified transport functions is deployed in unattended equipment rooms. Such networking improves maintenance efficiency and reduces the maintenance workload.
- OTN ESC
  OSN 1800 supports the optical supervisory channel (OSC) and G.709 OTN ESC. Without any additional investment in the NMS, all SDH and WDM/OTN devices are managed and maintained uniformly. NMS information does not pass through the IP network, which keeps the management channel secure.
- Fan-free design, reducing maintenance
  Such a design improves reliability because there is no fan module to fail.

Energy Saving and Reduced Power Consumption
- Unified networking, reducing power consumption
  With multi-service transmission, OSN 1800 integrates multiple transport networks into one network. This greatly reduces power consumption across the entire network.
- Fewer nodes
  The All over WDM/OTN technology allows service devices deployed at a large site to connect to clients remotely, reducing intermediate nodes by 30% to 90%. This also reduces node construction and management expenses.
- Table-lamp-level low power consumption design
  A 1 U device with 2*GE interfaces at a single site consumes less than 25 W, which is less than the power consumption of a table lamp.

Smooth Upgrade, Protecting Investments
- OSN 1800 allows expansion from a single wavelength to 18-wavelength CWDM and 40-wavelength DWDM, meeting requirements for network capacity and protecting investments.
- Optical modules are hot swappable, reducing spare part expenses.

6.6.3 Technical Specifications

Chassis Specifications
The OptiX OSN 1800 series includes the OptiX OSN 1800 I chassis, the OptiX OSN 1800 II chassis, and the OptiX OSN 1800 OADM frame. The OptiX OSN 1800 can be equipped with different functional boards to implement wavelength conversion, multiplexing/demultiplexing, wavelength add/drop, and optical power amplification. The OptiX OSN 1800 OADM frame cannot be used independently; it serves only as an expansion frame of the OptiX OSN 1800 I or OptiX OSN 1800 II chassis to increase the number of wavelengths and implement low-cost networking.

- OptiX OSN 1800 I chassis

Table 6-9 Technical specifications of the OptiX OSN 1800 I DC chassis
- Dimensions (H x W x D): 44 mm x 442 mm x 220 mm
- Weight (empty chassis): 4.5 kg
- Maximum power consumption: 150 W
- Rated current: 3 A
- Working voltage: –48 V to –60 V DC

Table 6-10 Technical specifications of the OptiX OSN 1800 I AC chassis
- Dimensions (H x W x D): 44 mm x 442 mm x 220 mm
- Weight (empty chassis): 4.5 kg
- Typical power consumption: 100 W
- Rated current: 1 A
- Working voltage: 100 V to 240 V AC

- OptiX OSN 1800 II chassis

Table 6-11 Technical specifications of the OptiX OSN 1800 II DC chassis
- Dimensions (H x W x D): 88 mm x 442 mm x 220 mm
- Weight (empty chassis): 7 kg
- Maximum power consumption: 300 W
- Rated current: 6 A
- Working voltage: –48 V to –60 V DC

Table 6-12 Technical specifications of the OptiX OSN 1800 II AC chassis
- Dimensions (H x W x D): 88 mm x 442 mm x 220 mm
- Weight (empty chassis): 7 kg
- Typical power consumption: 200 W
- Rated current: 2.5 A
- Working voltage: 100 V to 240 V AC

- OptiX OSN 1800 OADM frame

Table 6-13 Technical specifications of the OptiX OSN 1800 OADM frame
- Dimensions (H x W x D): 44 mm x 442 mm x 220 mm
- Weight (empty chassis): 4.5 kg
- Maximum power consumption: <3.6 W
- Rated current: 0.3 A
- Working voltage: 12 V DC

Main Optical Path Specifications
The following describes the characteristics of the optical interfaces at points MPI-S or S' and MPI-R or R', as well as the main optical path parameters. The 16-wavelength system at rates of 2.5 Gbit/s and 10 Gbit/s supports 1x36 dB transmission.
Main optical path parameters of the DWDM system (G.652 fiber, single span with amplifier)
Values are given for the 2.5 Gbit/s channel-rate system / the 10 Gbit/s channel-rate system.

- Span of line: 7x22 dB / 6x22 dB
- Number of channels: 16 / 16
- Maximum bit rate of channel (Gbit/s): 2.5 / 10

Optical interface at points MPI-S and S'
- Channel output power (dBm): ≥1 / ≥1
- Maximum total output power (dBm): 17 / 17
- Maximum channel power difference at point MPI-S (dB): 8 / 8

Optical path (MPI-S to MPI-R)
- Maximum optical path penalty (dB): ≤2 / ≤2
- Line dispersion tolerance: 11200 ps/nm / 9600 ps/nm
- Maximum discrete reflectance (dB): -27 / -27

Optical interface at points MPI-R and R'
- Receiver sensitivity of each channel (dBm): -30 (2.5 Gbit/s APD), -21 (2.5 Gbit/s PIN) / -22 (10 Gbit/s APD), -16 (10 Gbit/s PIN)
- Minimum channel optical signal-to-noise ratio at point MPI-R (dB): 15 / 20
- Maximum channel power difference at point MPI-R (dB): 10 / 10

Table 6-14 Main optical path parameters of the CWDM system (G.652 fiber)
Values are given for the 2.5 Gbit/s / 5 Gbit/s / 10 Gbit/s channel-rate systems.

- Span of line: 1x27 dB / 1x21 dB / 1x16 dB
- Number of channels: 8 / 8 / 2
- Maximum bit rate of channel (Gbit/s): 2.5 / 5 / 10

Optical interface at points MPI-S and S'
- Channel output power (dBm): ≥2 / ≥1 / ≥1
- Maximum total output power (dBm): 14 / 14 / 6
- Maximum channel power difference at point MPI-S (dB): 5 / 5 / 5

Optical path (MPI-S to MPI-R)
- Maximum optical path penalty (dB): ≤2 / ≤2 / ≤2
- Line dispersion tolerance: 2000 ps/nm / 1400 ps/nm / 1200 ps/nm
- Maximum discrete reflectance (dB): -27 / -23 / -27

Optical interface at points MPI-R and R'
- Receiver sensitivity of each channel (dBm): -30 (2.5 Gbit/s APD), -21 (2.5 Gbit/s PIN) / -28 (5 Gbit/s APD) / -24 (10 Gbit/s APD)
- Maximum channel power difference at point MPI-R (dB): 5 / 5 / 5
7 Data Center Success Stories

7.1 Data Center for Beijing Branch of Bank of China

Project Description
Figure 7-1 Data center for Beijing Branch of Bank of China (figure labels: OSPF100 Area0; S9312-1 and S9312-2; S9303 edge switch groups 2A: two S9303s, 3A: four S9303s, 3C: four S9303s, 3D-1: two S9303s, 3D-3: two S9303s)

Requirements
- When data and services develop rapidly, network performance bottlenecks become a problem.
- The equipment room and rack space are insufficient.
- Power consumption and maintenance costs need to be reduced.

Solution
- Use an area-based design to transmit core NAS services.
- Use the best aggregation layer design: multiple S9300s construct a non-blocking cluster, simplifying networking and management.
- Use an energy saving design.

Customer Benefits
- High-performance devices meet requirements for switching a large amount of data.
- The aggregation layer design and energy saving design save rack resources and reduce power consumption by 30%.
- The non-blocking cluster implements carrier-class reliability and simplifies management.

7.2 Baidu Data Center

Project Description
Figure 7-2 Baidu data center

Requirements
- Service access increases and more than 100,000 servers are added every year. Servers perform calculations concurrently, requiring high reliability.
- Access and aggregation devices are required to provide high switching capacity and a high packet forwarding rate.

Solution
- The core and aggregation layers use S9300s and the access layer uses S5700s to construct a 10G line-speed data center network, meeting requirements for traffic bursts and peaks.
- The switches work with storage devices and servers to provide an end-to-end high-reliability solution.

Customer Benefits
- High-performance and large-capacity network devices meet requirements for switching a large amount of data.
- The data center network is highly reliable and energy saving with low delay, improving user experience and reducing the TCO.

7.3 Huawei Data Center

Project Description
Figure 7-3 Huawei data center

Requirements
- A large-scale data center is required, covering more than 100,000 employees, 250 branches around the world, 4000 services, and 2000 racks.
- R&D data must be protected.

Solution
- NE80E routers are used as core nodes. China and areas outside China use NE40 routers as aggregation nodes. Representative offices are connected using leased lines.
- MPLS VPN is used to isolate R&D and non-R&D services.
- The data center uses S9300 switches to forward services.

Customer Benefits
- The data center provides full support for core services such as ERP and ISC, and implements product management, financial management, sales management, and partner management.
- The data center is secure and reliable.

7.4 Disaster Recovery System for Brazil Santander Bank

Project Description
Figure 7-4 Disaster recovery system for Brazil Santander bank

Requirements
- Data and storage services require secure and reliable transmission.
- The system needs to be upgraded smoothly.

Solution
- Huawei OSN6800 is used to construct the SAN.
- Boards transmitting FC (FICON/ESCON) storage services and GE data services are provided.

Customer Benefits
- The network provides security for real-time data transmission.
- Flexible solutions meet requirements for capacity, services, and distances.
- The system can be upgraded by increasing the wavelength quantity.

7.5 Disaster Recovery System for KPN in the Netherlands

Project Description
Figure 7-5 Disaster recovery system for KPN in the Netherlands

Requirements
- Data and storage services require secure and reliable transmission.
- The system needs to be upgraded smoothly.

Solution
- Huawei large-capacity 10G WDM devices establish long-distance FC transmission.
- FC100/FC200/GE services are transmitted over a single wavelength.

Customer Benefits
- Core services are transmitted with high security and reliability.
- FC storage and IP services are transmitted uniformly, reducing the TCO.
- The system provides high-performance transmission and smooth upgrade.