Similar documents
Top-Down Network Design

ADVANCED NETWORK CONFIGURATION GUIDE

Feature Comparison. Windows Server 2008 R2 Hyper-V and Windows Server 2012 Hyper-V

50. DFN Betriebstagung

Troubleshooting and Maintaining Cisco IP Networks Volume 1

Cisco Nexus 1000V Switch for Microsoft Hyper-V

Open Source in Network Administration: the ntop Project

Introduction to MPIO, MCS, Trunking, and LACP

Performance Evaluation of VMXNET3 Virtual Network Device VMware vsphere 4 build

NETE-4635 Computer Network Analysis and Design. Designing a Network Topology. NETE Computer Network Analysis and Design Slide 1

Digi Certified Transport Technician Training Course (DCTT)

The Role of Virtual Routers In Carrier Networks

Cloud Based Application Architectures using Smart Computing

Intel DPDK Boosts Server Appliance Performance White Paper

PARALLELS SERVER BARE METAL 5.0 README

Windows Server on WAAS: Reduce Branch-Office Cost and Complexity with WAN Optimization and Secure, Reliable Local IT Services

Packet Capture in 10-Gigabit Ethernet Environments Using Contemporary Commodity Hardware

Novel Systems. Extensible Networks

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

OVERVIEW OF TYPICAL WINDOWS SERVER ROLES

Cisco Application Networking Manager Version 2.0

How To Use The Cisco Wide Area Application Services (Waas) Network Module

Stingray Traffic Manager Sizing Guide

Disaster Recovery Design Ehab Ashary University of Colorado at Colorado Springs

Using Multipathing Technology to Achieve a High Availability Solution

Deployment Guide. How to prepare your environment for an OnApp Cloud deployment.

Remote PC Guide Series - Volume 1

Purpose-Built Load Balancing The Advantages of Coyote Point Equalizer over Software-based Solutions

Achieving a High-Performance Virtual Network Infrastructure with PLUMgrid IO Visor & Mellanox ConnectX -3 Pro

Enabling NAT and Routing in DGW v2.0 June 6, 2012

Open Source Bandwidth Management: Introduction to Linux Traffic Control

alcatel-lucent vitalqip Appliance manager End-to-end, feature-rich, appliance-based DNS/DHCP and IP address management

Bandwidth Management and Optimization System Design (draft)

MCSE SYLLABUS. Exam : Managing and Maintaining a Microsoft Windows Server 2003:

Cisco Discovery 3: Introducing Routing and Switching in the Enterprise hours teaching time

Virtualization: an old concept in a new approach

An Oracle Technical White Paper November Oracle Solaris 11 Network Virtualization and Network Resource Management

Oracle SDN Performance Acceleration with Software-Defined Networking

Vyatta Network OS for Network Virtualization

Restricted Document. Pulsant Technical Specification

Performance of Software Switching

Gigabit Ethernet Design

Windows Server 2008 R2 Hyper-V Server and Windows Server 8 Beta Hyper-V

A Research Study on Packet Sniffing Tool TCPDUMP

VMWARE Introduction ESX Server Architecture and the design of Virtual Machines

Citrix XenDesktop Modular Reference Architecture Version 2.0. Prepared by: Worldwide Consulting Solutions

AND Recorder 5.4. Overview. Benefits. Datenblatt

Virtual Software Routers: A Performance and Migration Study

Mobility Task Force. Deliverable F. Inventory of web-based solution for inter-nren roaming

Chapter 1 Reading Organizer

Maximizing Hadoop Performance and Storage Capacity with AltraHD TM

Deploying F5 BIG-IP Virtual Editions in a Hyper-Converged Infrastructure

IP Networking. Overview. Networks Impact Daily Life. IP Networking - Part 1. How Networks Impact Daily Life. How Networks Impact Daily Life

W H I T E P A P E R. VMware Infrastructure Architecture Overview

Application-Centric WLAN. Rob Mellencamp

TRUFFLE Broadband Bonding Network Appliance. A Frequently Asked Question on. Link Bonding vs. Load Balancing

MOC 6435A Designing a Windows Server 2008 Network Infrastructure

An Oracle White Paper December Oracle Virtual Desktop Infrastructure: A Design Proposal for Hosted Virtual Desktops

Virtualization Technologies and Blackboard: The Future of Blackboard Software on Multi-Core Technologies

LinuxWorld Conference & Expo Server Farms and XML Web Services

White Paper. ThinRDP Load Balancing

Preparation Guide. How to prepare your environment for an OnApp Cloud v3.0 (beta) deployment.

Networking and High Availability

Radware s AppDirector and AppXcel An Application Delivery solution for applications developed over BEA s Weblogic

Router Architectures

Layer 3 Network + Dedicated Internet Connectivity

Designing Cisco Network Service Architectures ARCH v2.1; 5 Days, Instructor-led

IP Telephony Management

Monitoring high-speed networks using ntop. Luca Deri

Windows Server 2008 R2 Hyper V. Public FAQ

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Solution Recipe: Improve PC Security and Reliability with Intel Virtualization Technology

Load-Balancing Introduction (with examples...)

Fundamentals of Windows Server 2008 Network and Applications Infrastructure

Wireshark in a Multi-Core Environment Using Hardware Acceleration Presenter: Pete Sanders, Napatech Inc. Sharkfest 2009 Stanford University

Cisco Data Center Network Manager Release 5.1 (LAN)

VDI Solutions - Advantages of Virtual Desktop Infrastructure

Networking and High Availability

Virtualized Security: The Next Generation of Consolidation

Virtualised MikroTik

COS 318: Operating Systems. Virtual Machine Monitors

Introduction to Network Virtualization in IaaS Cloud. Akane Matsuo, Midokura Japan K.K. LinuxCon Japan 2013 May 31 st, 2013

Southwest Arkansas Telephone Cooperative Network Management Practices

The Lagopus SDN Software Switch. 3.1 SDN and OpenFlow. 3. Cloud Computing Technology

10 Gbit Hardware Packet Filtering Using Commodity Network Adapters. Luca Deri Joseph Gasparakis

Creating the Conceptual Design by Gathering and Analyzing Business and Technical Requirements

vcloud Air - Virtual Private Cloud OnDemand Networking Guide

REFERENCE ARCHITECTURES FOR MANUFACTURING

Network Management and Monitoring Software

Cloud Computing - Architecture, Applications and Advantages

Delivering Managed Services Using Next Generation Branch Architectures

MCITP MCITP: Enterprise Administrator on Windows Server 2008 (5 Modules)

Ten Things to Look for in an SDN Controller

Recommended IP Telephony Architecture

DB2 Connect for NT and the Microsoft Windows NT Load Balancing Service

Optimal Network Connectivity Reliable Network Access Flexible Network Management

Product Overview. UNIFIED COMPUTING Managed Hosting Compute Data Sheet

Zeus Extensible Traffic Manager in Virtualized Hosting Environments.

Scalable Internet Services and Load Balancing

Transcription:

A Distributed, Robust Network Architecture Built on an Ensemble of Open-Source Firewall-Routers Dr Simon A. Boggis <s.a.boggis@qmul.ac.uk> IT Services, Queen Mary, University of London JANET Networkshop 38, Manchester, 2010 S. A. Boggis (qmul.ac.uk) Distributed Open-Source Firewall-Routers JANET Networkshop 38 1 / 22

Outline 1 Introduction 2 Philosophy, Design and Implementation Philosophy Design Implementation 3 Critical Appraisal Performance Open-Source vs. Proprietary Software Firewall-Router: PC vs. Commercial Appliance Whole Solution: PC vs. Commercial Appliances 4 Conclusion S. A. Boggis (qmul.ac.uk) Distributed Open-Source Firewall-Routers JANET Networkshop 38 2 / 22

Queen Mary, University of London Research-focused higher education institution. Four main campuses in London. 21 academic departments. 15000 post- and undergraduate students. 3000 staff. <http://www.qmul.ac.uk> S. A. Boggis (qmul.ac.uk) Distributed Open-Source Firewall-Routers JANET Networkshop 38 3 / 22

Traffic (March 2010) Peak Internal Traffic 7Gbit/s 1.1M packet/s. Peak External Traffic 500Mbit/s in. 200Mbit/s out. 100k packet/s. S. A. Boggis (qmul.ac.uk) Distributed Open-Source Firewall-Routers JANET Networkshop 38 4 / 22

Philosophy IT Environment IT highly devolved to departments: Variable levels of provision and support. Diverse, heterogeneous clients and systems. College network was segmented and distributed: Many logical/administrative boundaries (ca. 350 IP networks). Logical units span physical locations. Desire to avoid constraining planners (+ 802.1x benefit). Requirements Avoid being forced into unwanted centralisation. Scalable, high-performance, robust, resilient and modest cost. S. A. Boggis (qmul.ac.uk) Distributed Open-Source Firewall-Routers JANET Networkshop 38 5 / 22

Factorised, Distributed Network Resilient layer 2 fabric: switches and links. Parallel layer 3 firewall/routers. S. A. Boggis (qmul.ac.uk) Distributed Open-Source Firewall-Routers JANET Networkshop 38 6 / 22

Distributed, Resilient Layer 2 Fabric Distributed Core switches distributed across sites. Workload distributed over multiple switches. High performance. Resilient Modular switches with internal redundancy. Resilient physical links with diverse routing. "Instant" link/node failover (IP telephony!). Distribution layer LACP trunks. S. A. Boggis (qmul.ac.uk) Distributed Open-Source Firewall-Routers JANET Networkshop 38 7 / 22

Distributed, Parallel Firewall-Routers Distributed No single points of failure. Workload division = problem isolation. Self-contained, independent and robust: graceful failure modes. Efficient: filter and traffic-shape near edge. More traffic on switches, but bandwidth cheap. Parallel High performance, low cost. Easy to scale - just add more. Resilience: multiple identical, redundant routers. S. A. Boggis (qmul.ac.uk) Distributed Open-Source Firewall-Routers JANET Networkshop 38 8 / 22

Layer 2 Fabric S. A. Boggis (qmul.ac.uk) Distributed Open-Source Firewall-Routers JANET Networkshop 38 9 / 22

Open-Source PC Firewall-Router Platform Commodity Hardware: Commodity 2U server class PCs. 8 Core 3GHz Intel CPU, 4GiB RAM. 4 x 1Gbit/s Intel E1000 NIC. Remote OOB management (IPMI). Redundant power supplies, fans, disks. Open-Source Operating System and Software: OS: Debian GNU/Linux 5.0 "Lenny". Quagga Routing Suite, Netfilter and iproute2. DJB DNS, ISC dhcpd, NTPv4 and apache. S. A. Boggis (qmul.ac.uk) Distributed Open-Source Firewall-Routers JANET Networkshop 38 10 / 22

An Open-Source PC Firewall-Router Self-contained, independent and robust. S. A. Boggis (qmul.ac.uk) Distributed Open-Source Firewall-Routers JANET Networkshop 38 11 / 22

Self-Contained Firewall-Router Services Full state-tracking firewall. Authoritative DNS, Robust Caching DNS: nearest answer, short-circuit delegation. DHCP, radvd or DHCPv6 (if you prefer). Traffic shaping (xmit), scheduling, policing (recv): Linux tc (HTB + SFQ). Monitoring & Logging: libpcap, state-tracking, ARP, IPv6 ND. Client Authentication, Abuse block/notify: Netfilter DNAT + ipt_recent and apache mod_rewrite. All of the above benefit from: Flexible central control/configuration mechanisms. S. A. Boggis (qmul.ac.uk) Distributed Open-Source Firewall-Routers JANET Networkshop 38 12 / 22

Firewall-Router Management Installation System Interchangeable Hardware. Easy "canned" setups. Remote operation. Automatic - 5 minutes. Configuration System Shared, hierarchical. Autogeneration. Two-way sync. Versioned (subversion). S. A. Boggis (qmul.ac.uk) Distributed Open-Source Firewall-Routers JANET Networkshop 38 13 / 22

Implementation Overview S. A. Boggis (qmul.ac.uk) Distributed Open-Source Firewall-Routers JANET Networkshop 38 14 / 22

Firewall-Router Performance Intel E1000 NIC: in theory 800k packets/s, seen ca. 650k packet/s. NIC Interrupt Mitigation is Essential: Operating system support for intelligent interrupt handling. Transition from interrupt to polling operation as load increases. Linux kernel newer than 2.6.18. "New" API network driver to support autotuning. Linux System Configuration: Increase RX/TX ring buffers to maximum (256 4096). CPU affinity helps - dedicated CPU per NIC. S. A. Boggis (qmul.ac.uk) Distributed Open-Source Firewall-Routers JANET Networkshop 38 15 / 22

Open-Source vs. Proprietary Software Features Leading/bleeding-edge functionality: earlier (e.g. state-tracking). Usually wider, richer range of features. Excellent documentation and support: can talk to developers. Flexible and Adaptable Sophisticated, flexible control mechanisms. Interoperability: open-standards. Easy to modify to deal with changing requirements. Ability to fully investigate and fix problems yourself: Commercial big names can be unresponsive to small customers. Highly skilled staff required to take full advantage. S. A. Boggis (qmul.ac.uk) Distributed Open-Source Firewall-Routers JANET Networkshop 38 16 / 22

Firewall-Router: PC vs. Commercial Appliance Open-Source PC Firewall-Router Low-cost incremental upgrades ( 2k). Advanced facilities at low performance overhead. Network services self-contained on router. Sophisticated diagnosis capabilities. Frequent small updates (fewer than desktop system). Easy to automate. Commercial Appliance Upgrades in larger chunks ( 40k). Use of advanced facilities can degrade performance. Additional network service appliances required. Limited diagnosis capabilities. Infrequent, large updates. Harder to automate effectively. S. A. Boggis (qmul.ac.uk) Distributed Open-Source Firewall-Routers JANET Networkshop 38 17 / 22

Whole Solution: PC vs. Commercial Appliances Open-Source PC Firewall-Routers Modest cost: < 20k for 10 (non-resilient). Model matches distributed nature of network. Install/management system: economies of scale. Specialist skilled staff required. Can be harder to buy-in services: this is changing. Commercial Appliances Expensive: 160k for 4 routers (non-resilient) + support appliances. High unit-cost drives artificial centralisation. Discrete functions on multiple appliances (management?). Can be "run" by more general staff... + consultants. S. A. Boggis (qmul.ac.uk) Distributed Open-Source Firewall-Routers JANET Networkshop 38 18 / 22

Conclusion Open-source PC Firewall-Routers Good match for the nature of the network and requirements of a medium-large institution. Valuable flexibility and adaptability. Performance and resilience at modest cost. S. A. Boggis (qmul.ac.uk) Distributed Open-Source Firewall-Routers JANET Networkshop 38 19 / 22

Current and Future Developments Roll-out of automatic failover to Departments: VRRP / keepalived / CARP. BGP routing. Split multi-link trunking (IEEE 802.3ad): Servers and distribution-layer switches not dependent upon single uplink switch. S. A. Boggis (qmul.ac.uk) Distributed Open-Source Firewall-Routers JANET Networkshop 38 20 / 22

Acknowledgements IT Services Colleagues: John Cobb David Pick Tavinder Jandu Jeff Fern Jaspal Sura S. A. Boggis (qmul.ac.uk) Distributed Open-Source Firewall-Routers JANET Networkshop 38 21 / 22

Questions? S. A. Boggis (qmul.ac.uk) Distributed Open-Source Firewall-Routers JANET Networkshop 38 22 / 22

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information