Building a small Data Centre

Similar documents
OVERLAYING VIRTUALIZED LAYER 2 NETWORKS OVER LAYER 3 NETWORKS

Introduction to Network Virtualization in IaaS Cloud. Akane Matsuo, Midokura Japan K.K. LinuxCon Japan 2013 May 31 st, 2013

Data Center Use Cases and Trends

Building Nameserver Clusters with Free Software

Measuring IP Network Routing Convergence. A new approach to the problem

MPLS WAN Explorer. Enterprise Network Management Visibility through the MPLS VPN Cloud

Data Center Infrastructure of the future. Alexei Agueev, Systems Engineer

Residential IPv6 IPv6 a t at S wisscom Swisscom a, n an overview overview Martin Gysi

HP Networking BGP and MPLS technology training

Stanford SDN-Based Private Cloud. Johan van Reijendam Stanford University

Core and Pod Data Center Design

Architecting Data Center Networks in the era of Big Data and Cloud

NVO3: Network Virtualization Problem Statement. Thomas Narten IETF 83 Paris March, 2012

Load balancing and traffic control in BGP

Implementing MPLS VPN in Provider's IP Backbone Luyuan Fang AT&T

Traffic Diversion Techniques for DDoS Mitigation using BGP Flowspec. Leonardo Serodio May 2013

How To Make A Network Secure

Network Technologies for Next-generation Data Centers

Introduction to MPLS-based VPNs

Campus IPv6 connection Campus IPv6 deployment

RFC 2547bis: BGP/MPLS VPN Fundamentals

datacenter networking

BGP as an IGP for Carrier/Enterprise Networks

IPv6 Fundamentals, Design, and Deployment

VXLAN Bridging & Routing

Fundamentals of Windows Server 2008 Network and Applications Infrastructure

WHITEPAPER. Bringing MPLS to Data Center Fabrics with Labeled BGP

How Routers Forward Packets

Data Center Network Virtualisation Standards. Matthew Bocci, Director of Technology & Standards, IP Division IETF NVO3 Co-chair

Experiences with BGP in Large Scale Data Centers: Teaching an old protocol new tricks

Disaster Recovery Design Ehab Ashary University of Colorado at Colorado Springs

SOFTWARE DEFINED NETWORKING: INDUSTRY INVOLVEMENT

For internal circulation of BSNLonly

Simplify Your Data Center Network to Improve Performance and Decrease Costs

Load balancing and traffic control in BGP

Implementing Cisco Service Provider Next-Generation Edge Network Services **Part of the CCNP Service Provider track**

Introducing Basic MPLS Concepts

MPLS Inter-AS VPNs. Configuration on Cisco Devices

Testing Software Defined Network (SDN) For Data Center and Cloud VERYX TECHNOLOGIES

IPv6 over IPv4/MPLS Networks: The 6PE approach

Brain-Slug: a BGP-Only SDN for Large-Scale Data-Centers

Introduction Inter-AS L3VPN

Network Configuration Example

Campus LAN at NKN Member Institutions

APNIC IPv6 Deployment

Palo Alto Networks. Security Models in the Software Defined Data Center

IPv6, Perspective from small to medium ISP

Network Architecture Validated designs utilizing MikroTik in the Data Center

VXLAN: Scaling Data Center Capacity. White Paper

Cisco Prime Network Services Controller. Sonali Kalje Sr. Product Manager Cloud and Virtualization, Cisco Systems

Network Virtualization for the Enterprise Data Center. Guido Appenzeller Open Networking Summit October 2011

Campus Network Best Practices: Core and Edge Networks

Address Scheme Planning for an ISP backbone Network

DD2491 p MPLS/BGP VPNs. Olof Hagsand KTH CSC

BFD. (Bidirectional Forwarding Detection) Does it work and is it worth it? Tom Scholl, AT&T Labs NANOG 45

Understanding Virtual Router and Virtual Systems

Building A Cheaper Peering Router. (Actually it s more about buying a cheaper router and applying some routing tricks)

Automating Network Security

Outline VLAN. Inter-VLAN communication. Layer-3 Switches. Spanning Tree Protocol Recap

Cisco Exam CCIE Service Provider Written Exam Version: 7.0 [ Total Questions: 107 ]

Why Is MPLS VPN Security Important?

SDN PARTNER INTEGRATION: SANDVINE

MikroTik RouterOS Introduction to MPLS. Prague MUM Czech Republic 2009

MPLS-based Layer 3 VPNs

Broadband Network Architecture

Routing Security Server failure detection and recovery Protocol support Redundancy

Design, Implementation and Evolution of a DNS anycast resolving service in a country-wide ISP network

FLAG s IPv6 Implementation

Software Defined Network (SDN)

SOFTWARE DEFINED NETWORKS REALITY CHECK. DENOG5, Darmstadt, 14/11/2013 Carsten Michel

MPLS for ISPs PPPoE over VPLS. MPLS, VPLS, PPPoE

Introduction to Software Defined Networking (SDN) and how it will change the inside of your DataCentre

Hunting down a DDOS attack

Building VPNs. Nam-Kee Tan. With IPSec and MPLS. McGraw-Hill CCIE #4307 S&

Ethernet-based Software Defined Network (SDN) Cloud Computing Research Center for Mobile Applications (CCMA), ITRI 雲 端 運 算 行 動 應 用 研 究 中 心

Copyright 2008 Link Technologies,Inc. A Proud Vendor Member of the

IMPLEMENTING CISCO IP ROUTING V2.0 (ROUTE)

Visualizing Traffic on Network Topology

RA-MPLS VPN Services. Kapil Kumar Network Planning & Engineering Data. Kapil.Kumar@relianceinfo.com

Transitioning to BGP. ISP Workshops. Last updated 24 April 2013

IPv6 Practices on China Mobile IP Bearer Network

Interconnecting Cisco Networking Devices: Accelerated (CCNAX) 2.0(80 Hs) 1-Interconnecting Cisco Networking Devices Part 1 (40 Hs)

Provisioning Cable Services

Transform Your Business and Protect Your Cisco Nexus Investment While Adopting Cisco Application Centric Infrastructure

S ITGuru Exercise (3: Building the MPLS BGP VPN) Spring 2006

IPV6 FOR INTERNET SERVICE PROVIDERS STATE/LESSONS/STILL TO COME

What is SDN? And Why Should I Care? Jim Metzler Vice President Ashton Metzler & Associates

SEC , Cisco Systems, Inc. All rights reserved.

Computer Network Architectures and Multimedia. Guy Leduc. Chapter 2 MPLS networks. Chapter 2: MPLS

Cisco Discovery 3: Introducing Routing and Switching in the Enterprise hours teaching time

SDN CONTROLLER. Emil Gągała. PLNOG, , Kraków

What network engineers can learn from web developers when thinking SDN.

MPLS RSVP-TE Auto-Bandwidth: Practical Lessons Learned

OpenFlow and Software Defined Networking presented by Greg Ferro. Software Defined Networking (SDN)

Use Cases for the NPS the Revolutionary C-Programmable 7-Layer Network Processor. Sandeep Shah Director, Systems Architecture EZchip

Transcription:

Building a small Data Centre Cause we re not all Facebook, Google, Amazon, Microsoft Karl Brumund, Dyn RIPE71 1

Dyn what we do DNS, email, Internet Intelligence from where 28 sites, 100s of probes, clouds 4 core sites building regional core sites in EU and AP what this talk is about new core site network 2

First what not to do it was a learning experience 3

Design, version 1.0 Physical CLOS design redundancy lots of bandwidth looks good buy install configure firewall cluster spine what could go wrong? router spine ToRa Internet router spine ToRb load balancer spine servers Layer 2 only 1 rack shown MPLS 4

Design, version 1.0 Logical MPLS is great for everything let s use MPLS VPNs ToR switches are PEs 10G ToR switch with MPLS 10G ToR switch with 6VPE IPv6 wasn t a requirement. 5

reboot time let s start over this time lets engineer it 6

Define the Problem legacy DCs were good, but didn t scale Bandwidth, Redundancy, Security legacy servers & apps = more brownfield than green but we re not building DCs with 1000s of servers want it good, fast and cheap enough need 20 racks now, 200 tomorrow 7

Get Requirements good scalable and supportable by existing teams standard protocols; not proprietary fast cheap not too expensive fits us can t move everything to VMs or overlay today just works so I m not paged at 3am 8

Things we had to figure out 1. Routing actually make it work this time, including IPv6 2. Security let s do better 3. Service Mobility be able to move/upgrade instances easily 9

Design, version 2.0 Physical Internet see version 1.0 router router firewall cluster load balancers I can work with this spine spine spine spine Layer 3 No money to rebuy ToRa ToRb servers Layer 2 only 1 rack shown 10

Design, version 2.0 Logical we still like layer 3, don t want layer 2 service mobility? not everything on the Internet please need multiple routing tables VRF-lite/virtual-routers can work multiple IGP/BGP RIB/FIB scaling we re still not ready for an overlay network 11

How many routing tables? 1. Internet accessible (PUBLIC) 2. not Internet accessible (PRIVATE) 3. load-balanced servers (LB) 4. between sites (INTERSITE) 5. test, isolated from Production (QA) 6. CI pipeline common systems (COM_SYS) 12

Design, version 2.0 Logical lb PUBLIC vpn PUBLIC PRIVATE LB Internet edge (RR) PRIVATE LB spine COM_SYS INTERSITE remote sites PUBLIC PUBLIC PRIVATE PRIVATE ToRa/b remote sites LB COM_SYS INTERSITE LB COM_SYS INTERSITE PUBLIC PRIVATE LB COM_SYS server 13

ebgp or ibgp? ibgp (+IGP) works ok for us can use RRs to scale staff understand this model ebgp session count a concern multiple routing tables really cheap L3 spines (Design 1.0 reuse) ebgp might work as well, just didn t try it ref: NANOG55, Microsoft, Lapukhov.pdf 14

What IGP? OSPFv2/v3 or OSPFv3 or IS-IS we picked OSPFv2/v3 any choice would have worked draft-ietf-v6ops-design-choices-08 15

Route Exchange from one instance to another route-exchange can become confusing fast BGP communities make it manageable keep it as simple as possible mostly on spines for us 16

Routing Details pair of ToR switches = blackholing potential RR can only send 1 route to spine, picks ToRa breaks when spine - ToRa link is down BGP next-hop = per-rack lo0 on both ToRa/b spine NH =.1 :( spine NH =.3 :) ToRa lo0 =.1 ToRb lo0 =.2 ToRa lo0 =.1,.3 ToRb lo0 =.2,.3 17

Anycast ECMP ECMP for anycast IPs in multiple racks spines only get one best route from RRs would send all traffic to a single rack we really only have a few anycast routes put them into OSPF! :) instances announce ANYCAST community spine Rack 101 Rack 210 spine route table ibgp route from RR = Rack 101 only OSPF route = Rack 101, Rack 210 18

Security legacy design had ACLs and firewalls network security is clearly a problem so get rid of the problem No more security in the network 19

Security network moves packets, not filter them security directly on the instance (server or VM) service owner responsible for their own security blast radius limited to a single instance less network state iptables Instance 20

How we deploy security install base security when instance built ssh and monitoring, rest blocked service owners add the rules they need CI pipeline makes this easy automated audits and verification needed to educate and convince service owners many meetings over many months 21

Service Mobility Layer 3 means per rack IP subnets moving an instance means renumbering interfaces what if the IP(s) of the service didn t change? instances announce service IP(s) rack 101 10.0.101.0/24 server rack 210 10.0.210.0/24 server 22

Service IPs service IP(s) on dummy0 exabgp announces service IP(s) many applications work some can t bind outbound seemed like a really good idea didn t go as smooth as hoped TRAFFIC Network iptables Interface IP Instance Service IP(s) BGP 23

Network Deployment ToR switches fully automated trivial to add more as DC grows any manual changes are overwritten ref: NANOG63, Kipper, cvicente rest of network is semi-automated partially controlled by Kipper partially manual, but being automated 24

What We Learned - Design A design documented in advance is good. A design that can be implemented is better. Design it right, not just easy. Validate as much as you can before you deploy. Integrating legacy into new is hard. Integrating legacy cruft is harder. Everything is YMMV. 25

What We Learned - Network Cheap L3 switches are great beware limitations (RIB, FIB, TCAM, features) Multiple routing tables are a pain; a few is ok. Automation is your friend. Seriously. Do it! BGP communities make routing scalable and sane. There is no such thing as partially in production. Staff experience levels are really important. 26

What We Learned - Security Moving security to instances was the right decision. Commercial solutions to deploy and audit suck. IPv6 support is lacking. Hello vendors? We rolled our own because we had to. Many service owners don t know flows of their code. never had to care before; network managed it service owners now own their security 27

What We Learned - Users People don t like change. People really hate change if they have to do more. Need to be involved with dev squads to help them deploy properly into new network. Educating users on changes is as much work as building a network. a lot more 28

Summary Many different ways to build DCs and networks. This solution works for us. YMMV Our network moves bits to servers running apps delivering services. Our customers buy services. User, business, legacy >> network 29

Thank you kbrumund@dyn.com For more information on Dyn s services visit dyn.com INTERNET PERFORMANCE. DELIVERED. 30

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information