Page 1: Cisco Systems Networkers
Page 3: DC Functional Layers
A Data Center Topology
(Diagram; layer labels recoverable from the figure: Intrusion Detection, SSL Offloading, Virtual Fabrics (VSANs), Storage Virtualization, Fabric Routing Services, Remote DMA Services, Clustering Services.)
11201_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved.
Page 5: Blueprints and Best Practices
The baseline of an architecture
CISCO BUSINESS READY DATA CENTER NETWORK ARCHITECTURE
INTELLIGENCE TO PROTECT, OPTIMIZE AND GROW
For more information about Cisco Data Center Networking solutions,
Page 6: The Data Center Network System Validation Roadmap
(Diagram; recoverable labels, grouped as on the slide:)
• Security: FWSM, IDS, CSA, Riverhead
• System Virtualization: Server Virtualization, Storage Virtualization, Segmentation
• Application Optimization: WAFS, Content Switching, SSL, AONS, CDN, caching
• Network Areas: Core and Edge layers, IP switching infrastructure, Service points, Storage switching infrastructure, Server farm topologies
• Infrastructure: Interoperability and transparency; HA, Convergence, Scalability
• Roadmap stages: Architecture Definition, Foundation Architecture, Service Virtualization, Integration
Page 8: Data Center Design
• External, Internal, Partner
• Inter- and Intra-Server Farm
• Risk Analysis: too much vs. too little
• Business Continuance and Disaster Recovery Policy
  Business Impact Assessment (BIA) per application
  How many Data Centers, how far apart
  Active/Active, Active/Standby, both
  Personnel support plan during outage
• Application and Service Level Agreements
  Application bandwidth and redundancy
  BIA prioritization between applications
  Layer 2 and Layer 3 server adjacency requirements
  NIC teaming
  Backup and management networks
Page 9: Today's Data Center
Integration of Many Systems and Services
(Diagram; recoverable labels: Application and Server Optimization, App Servers, IDS, WAN, Data Center Security, Distributed Data Centers.)
Page 10: Systems and Solutions
Switches; Server Load Balancing; Firewalls
• IGP and BGP Protocols
• RPVST+
• Monitoring Encrypted Traffic
• FC to IP Ethernet Gateways
• Failover and Load Balancing
• IP Services in FC switches
• DNS-Based Site Selection
• Route Health Injection
• IGP and BGP Site Selection
• NIC Teaming
• Reverse Proxy Caching
• PVLANs, Static ARP, Port Security, AAA, SSH, Root and BPDU Guard
• Clustering
• WCCP and SLB Redirection
• iSCSI, FC, NAS
• Content Prepositioning
• ARP Spoofing, DHCP Spoofing, VLAN Hopping
• Best Practices: Synchronous and Asynchronous replication; Intra-DC; FC over Campus and MAN
DC-1101
Page 12: Data Center Architecture
(Diagram; service devices shown: Load Balancer, Firewall, SSL Offloader, Cache, Network Analysis, IDS Sensor, GSS.)
Page 13: IP Infrastructure
Highly Available, Adaptable, Predictable, Deterministic and Service Ready
• Integration with the routed network: Intranet and Internet peering; DC isolation from external events
• Server farm topologies: Layer 2 adjacency requirements; Layer 3 boundary and service location; Multi-tier topologies; Scalability
• 1RU and Blade Servers
Page 14: Used in Hosting Services
Dedicated service devices
Greater service efficiency
Page 17: Server and Application Scalability
Improving and Guaranteeing Service Levels
Load balancing and Content Switching Technology
• Distribute traffic load
• HW alternative to clustering technologies
• Avoiding misbehaving apps/servers: app health checking
• Allows seamless scalability
• Enables any-window maintenance change control
Page 18: SSL Offloading
Scaling Application Layer Security
With SSL Offloader:
• Improves server scalability
• Enables L5+ load balancing and user session persistence via L4-7 switch integration
• Provides traffic inspection visibility hidden in SSL sessions
Without SSL Offloader:
• SSL processing within servers requires high-end servers to scale SSL capacity
• Hides L5+ info for intelligent load balancing and user management
• Managing SSL certificates on individual servers is a heavy operational burden
Page 19: Caching in the Data Center
Offloading Static Content Serving
• Done close to the server farm: Reverse proxy caching mode; Aggregation layer
• Offloading redirection alternatives: Web Cache Communication Protocol (WCCP); Content switch
Page 21: What Is Your State of Security Readiness?
Any Vulnerable Area Impacts the DC, if Exploited
• Attacks are getting more sophisticated, more frequent and more devastating
• Securing the Data Center requires COMPREHENSIVE and consistent use of all available SECURITY TOOLS, applied to the entire Data Center environment
Page 22: Data Center Edge
• Access Control Mechanisms: Routers, Switches (Ethernet, FC, IB); Services devices: Firewalls, SLB
• Protection of application traffic: Client-to-server interaction; Server-to-server interaction
• Protection of application resources: Server OS; Application software
• Protection of data entry points: DASD: server; NAS: NAS heads; SAN: disk subsystems
• Access Control Mechanisms: User identification
Page 23: The Security Toolkit
Systematic Approach to Secure Networked Resources
Page 24: Using the Security Features Throughout the Data Center
(Diagram; threat/control pairs recoverable from the figure:)
• STP Root Lock Down
• Switch ports: PVLANs, ARP inspection, broadcast suppression
• Prevent VLAN hopping: Tag all
• Traffic filtering
• Detection of unusual traffic/intruders: Network-based IDS
• Prevent viruses, worms and OS/app vulnerabilities: Host-based protection
• Prevent MAC flooding: Port security
• Prevent PC roaming: Disable unused ports
• Storage security: VSANs, iSCSI, FCIP
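Two of the switch-port controls listed above, ARP inspection and port security, as an added toy illustration (not Cisco's code and not a switch feature implementation): the binding table, port names, MAC limit and frames are constructed for the example.

```python
# Added example (not from the Cisco deck): toy versions of two switch-port checks
# named on the slide, ARP inspection and port security. Binding table, port names,
# MAC limit and sample frames are all constructed for illustration.
from collections import defaultdict

# Constructed DHCP-snooping style binding table: (vlan, ip) -> (mac, port)
BINDINGS = {
    (10, "10.1.10.11"): ("00:11:22:33:44:11", "Gi1/1"),
    (10, "10.1.10.12"): ("00:11:22:33:44:12", "Gi1/2"),
    (10, "10.1.10.1"):  ("00:11:22:33:44:01", "Gi1/24"),   # default gateway
}
TRUSTED_PORTS = {"Gi1/24"}   # uplink towards the gateway; not inspected
MAX_MACS_PER_PORT = 2        # constructed port-security limit per access port

def frame(port, vlan, ftype, src_mac, sender_ip=None, sender_mac=None):
    """Minimal frame record; an ARP sender MAC defaults to the frame's source MAC."""
    return {"port": port, "vlan": vlan, "type": ftype, "src_mac": src_mac,
            "sender_ip": sender_ip, "sender_mac": sender_mac or src_mac}

def arp_inspection(frames):
    """Flag ARP replies on untrusted ports whose (sender MAC, port) does not match
    the binding for the sender IP; this is what stops ARP spoofing of the gateway."""
    violations = []
    for f in frames:
        if f["type"] != "arp-reply" or f["port"] in TRUSTED_PORTS:
            continue
        if BINDINGS.get((f["vlan"], f["sender_ip"])) != (f["sender_mac"], f["port"]):
            violations.append((f["port"], f["sender_ip"], f["sender_mac"]))
    return violations

def port_security(frames):
    """Report untrusted ports sourcing more MACs than the limit: the symptom of
    MAC flooding, which port security answers by limiting learned addresses."""
    seen = defaultdict(set)
    for f in frames:
        if f["port"] not in TRUSTED_PORTS:
            seen[f["port"]].add(f["src_mac"])
    return sorted(p for p, macs in seen.items() if len(macs) > MAX_MACS_PER_PORT)

# Constructed sample traffic: a legitimate reply on Gi1/1, a reply on Gi1/2 that
# claims the gateway's IP, the real gateway on the trusted uplink, and five
# different source MACs on Gi1/3.
SAMPLE_FRAMES = [
    frame("Gi1/1", 10, "arp-reply", "00:11:22:33:44:11", "10.1.10.11"),
    frame("Gi1/2", 10, "arp-reply", "00:11:22:33:44:12", "10.1.10.1"),
    frame("Gi1/24", 10, "arp-reply", "00:11:22:33:44:01", "10.1.10.1"),
] + [frame("Gi1/3", 10, "ip", f"00:de:ad:be:ef:{i:02x}") for i in range(5)]
```

Running `arp_inspection(SAMPLE_FRAMES)` reports the Gi1/2 reply that claims the gateway address, and `port_security(SAMPLE_FRAMES)` reports Gi1/3.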
Page 26: Storage Area Networking
Increased Efficiency and Higher Availability
(Diagram: multiple server farms, each with its own campus core, consolidated into consolidated data centers.)
• Consolidation
• Lower Cost of Ownership
• Lower Cost of Operation
• Increase High Availability
• Increase Efficiency
• Disaster Recovery & Business Continuity
Page 27: Defining Availability from a Business View
Business Continuance Networking
BUSINESS CONTINUANCE: Ensuring business can recover and continue after failure or disaster: recovery of data and resumption of service.
Page 28: Multilayer Data Center Architecture
Resiliency on the Front End and Back End
(Diagram; recoverable labels:)
Front end: Internet connectivity, Switching, Load balancing, Multilayer LAN switch, Intrusion detection, Data caching
Application servers with iSCSI; iSCSI back-end servers
Back end: High-density multilayer SAN director, Enterprise-class storage arrays
The Resilient "Back End": Virtual SAN technology, Advanced diagnostics, Multi-protocol (iSCSI/FCIP), Extensive security, High-density SAN switching
Page 30: Distributed Data Center Design
• How many Data Centers do we need: one, two, or ...?
• How far apart should the Data Centers be?
• How much redundancy is enough?
• What data replication methods should be used?
• How should the Data Centers be interconnected: Optical, Ethernet VPN service, IP VPN service?
• What are your personnel support plans during an outage?
Page 31
(Diagram of two sites; recoverable labels: Storage Network, Front End Network, Web Servers, Remote disk-to-disk and disk-to-tape copy, Routing convergence, Load balancing.)
Page 32: Distributed Data Centers
Failover and Distribution Across Multiple Sites
• Each application can have a unique IP
• Site health is a reflection of local application and server health
• Failover can be done via DNS or Routing Protocols
Page 33: Site Selection Technology
Network-Based Application Availability
• DNS: traditional application identification by client
• RHI: application selection based on network information
• BGP: integration with Internet edge routing domains
• DNS (application aware) provides load distribution functions, but it is subject to the limitations of DNS caching, re-resolution of browsers and so forth; used for load distribution and proximity
• Routing (application unaware) overcomes the limitations of DNS caching
• BGP integrates application availability across IGP boundaries
Page 34: Global Site Selection
Choosing the Correct Site
Page 35: Route Health Injection
Server Health Aware Routing
(Diagram of two sites advertising the same VIP; numbered steps recoverable from the figure:)
1. CSM probes the server farm.
2. Message to the MSFC on the Cat6k if at least one server is active.
3. MSFC on the Cat6k adds the VIP and the VLAN ID to its routing table.
4. MSFC on the Cat6k advertises its routes via the routing protocol.
5. Far side router receives two routes to the VIP and chooses one for its routing table.
Far-side routing table entry shown on the slide:
O E2 20.18.30.200/32 [110/20] via 20.17.50.2, 1d18h, Serial1/0
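The RHI steps above and the DNS-caching limitation noted on the site selection slide, as an added simulation (not Cisco's code): the VIP is the one on the slide; site names, metrics, probe results and the DNS TTL are constructed.

```python
# Added example (not from the Cisco deck): a constructed simulation of the RHI steps,
# contrasted with a DNS answer that a resolver keeps until its TTL expires.
from dataclasses import dataclass, field

VIP = "20.18.30.200"   # the VIP in the slide's 'show ip route' line
DNS_TTL = 300          # constructed TTL (seconds) of the VIP's A record

@dataclass
class Site:
    name: str
    metric: int                                  # metric the site's MSFC advertises for VIP/32
    servers: dict = field(default_factory=dict)  # server name -> last CSM probe result

    def has_active_server(self) -> bool:
        """Steps 1-2: the CSM probes the farm and signals the MSFC only if a server is up."""
        return any(self.servers.values())

def injected_routes(sites) -> dict:
    """Steps 3-4: every site with an active server injects VIP/32 and advertises it."""
    return {s.name: s.metric for s in sites if s.has_active_server()}

def far_side_choice(routes) -> list:
    """Step 5: the far-side router keeps the lowest-metric route(s); [] means unreachable."""
    if not routes:
        return []
    best = min(routes.values())
    return sorted(name for name, m in routes.items() if m == best)

def dns_choice(cached_site, cached_at, now, healthy_sites) -> str:
    """DNS-based selection: the resolver reuses its cached answer until the TTL expires,
    so a dead site keeps receiving clients for up to DNS_TTL seconds."""
    if now - cached_at < DNS_TTL:
        return cached_site
    return healthy_sites[0] if healthy_sites else "no answer"

def compare(now) -> dict:
    """Constructed scenario: DC-A (metric 20) loses all servers at t=60 s; DC-B (metric 30)
    stays up; the client resolved the VIP to DC-A at t=0."""
    dc_a = Site("DC-A", 20, {"web1": True, "web2": True})
    dc_b = Site("DC-B", 30, {"web1": True})
    if now >= 60:
        dc_a.servers = {"web1": False, "web2": False}
    healthy = [s.name for s in (dc_a, dc_b) if s.has_active_server()]
    return {"vip": VIP,
            "routing": far_side_choice(injected_routes([dc_a, dc_b])),
            "dns": dns_choice("DC-A", 0, now, healthy)}
```

`compare(120)` shows routing already steering the VIP to DC-B while the cached DNS answer still points at DC-A; `compare(400)` shows DNS catching up only once the TTL has expired.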
Page 36: Network Convergence Time
Page 37: SAN Extension: Data Replication Operation
Replication Across Geographically Dispersed DCs
(Diagram labels: Host, Fabric, Local array, Remote array, Replicated.)
• Fibre Channel fabric extended between Data Centers
• Write I/Os replicated to remote array
• Replication managed by storage arrays
• Replication modes:
  Synchronous: all data written to local and remote arrays before the I/O is acknowledged to the host
  Asynchronous: write acknowledged after write to local array
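The two replication modes above, as an added model (not Cisco's code) that also ties in the distance point of the transport-alternatives slide: the write timings, link latency, workload and failure time are constructed, and the fibre propagation figure is the usual rule of thumb of about 5 microseconds per kilometre each way.

```python
# Added example (not from the Cisco deck): a constructed model of synchronous vs
# asynchronous array replication over a SAN extension link.

def fibre_rtt_ms(distance_km: float) -> float:
    """Round-trip light time in fibre (rule of thumb: ~5 microseconds per km each way)."""
    return round(distance_km * 2 * 0.005, 3)

def replicate(writes, mode, local_ms=0.5, link_rtt_ms=10.0, failure_at_ms=None):
    """Replay host writes through local and remote arrays.

    writes: list of (issue_time_ms, write_id); mode: 'sync' or 'async'.
    Returns (mean host-visible ack latency, ids acknowledged to the host but not
    yet on the remote array when the local site is lost at failure_at_ms).
    """
    if mode not in ("sync", "async"):
        raise ValueError("mode must be 'sync' or 'async'")
    latencies, exposed = [], []
    for issued, wid in writes:
        local_done = issued + local_ms             # committed on the local array
        remote_done = local_done + link_rtt_ms     # copy confirmed by the remote array
        # Synchronous: ack only after both arrays hold the data.
        # Asynchronous: ack as soon as the local array has it.
        ack_at = remote_done if mode == "sync" else local_done
        latencies.append(ack_at - issued)
        if failure_at_ms is not None and ack_at <= failure_at_ms < remote_done:
            exposed.append(wid)                    # host believes it is safe; remote lacks it
    return sum(latencies) / len(latencies), exposed

# Constructed workload: ten writes, one every 2 ms; local site lost at t = 15 ms.
WRITES = [(2.0 * i, f"w{i}") for i in range(10)]

def compare(failure_at_ms=15.0, link_rtt_ms=10.0):
    """Side by side: sync keeps the exposure at zero but pays the link RTT on every
    write (10 ms RTT is roughly 1000 km of fibre); async acks fast, but every write
    inside the last RTT is lost together with the local site."""
    return {mode: replicate(WRITES, mode, link_rtt_ms=link_rtt_ms,
                            failure_at_ms=failure_at_ms)
            for mode in ("sync", "async")}
```

`compare()` returns a 10.5 ms mean ack for sync with nothing exposed, and a 0.5 ms mean ack for async with writes w3 to w7 acknowledged but unreplicated at the failure.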
Page 38: SAN Extension
Transport Alternatives
Increasing distance: Data Center, Campus, Metro, Regional, National
Page 39: Data Center Management Framework
Multiple Vendors, Multiple Technologies
(Diagram axis labels: Consolidation; Application Deployment.)

Layer   | Fault Management           | Configuration Management        | Accounting Management     | Performance Management         | Security Management
SML/NML | Network Events/Correlation | Network Connection/Installation | Network Usage Correlation | Traffic Mgmt/Capacity Planning | Network Security Policy
EML     | NE Alarm/Fault             | NE Loading/...                  | NE Usage Data             | NE Trend                       | NE Security
NEL     | Failure Event Detection    | Configuration Enforcement       | Element Usage Generation  | Reporting                      | Detection/Access Control/IDS
Page 41: Today's Data Centers
• Protect with Business Resilience: Tighten security; Improve business continuance
• Optimize with Consolidation: Improve operational efficiency and resource utilization; Lower complexity and cost of ownership
• Grow towards Services-oriented Infrastructure: Align virtualized resources with business demands; Automate infrastructure to respond dynamically
Page 42: The Big Picture: The Cisco Data Center
(Diagram; recoverable labels: Firewall Services, Catalyst 6500, Server Farm, Topspin Server Fabric Switching, Enterprise NAS Storage, UNIX/Windows Servers, Blade Servers, Virtual Private Servers, Grid, Fabric #1, Fabric #2, Fabric #3.)