Document: Data Center Architecture pptx


Document information

Data Center Architecture Overview
Willie Yam
Data Center Lead, APAC
© 2005 Cisco Systems, Inc. All rights reserved. DC-1101 11201_05_2005_c2

Agenda
• Introduction
• Data Center Design Overview
• DC IP Infrastructure
• DC Application Optimization
• DC Security
• DC Storage Networking & Business Continuance
• Summary

DC Functional Layers … A Data Center Topology
Layers & Services Aggregation Edge Access Core Fabric Routing Services Data Replication Svcs Storage Virtualization Virtual Fabrics (VSANs) Content Caching SSL Offloading Firewall Services Intrusion Detection Server Balancing Server Virtualization V Remote DMA Services Virtual I/O Clustering Services Compute Fabric Services Network Analysis VPN Termination File Caching Core Fabric Gateway Services Fabric Gateway Services Storage / Tape Farms DOS Protection Server Clusters Server Farms

Physical Areas … A Data Center Topology
The Physical Facility…
• Flooring
• Racks
• HVAC and Electrical infrastructure
• Cabling
• Fire Suppression Systems
• Compute Equipment
• Network Equipment
Raised Flooring Ceiling Plenum HVAC Rack Rack Rack

Blueprints and Best Practices
The baseline of an architecture…

The Data Center Network System Validation Roadmap…
Foundation Architecture Service Integration Virtualization

Network DNA
• Aggregation, service and access layers
• Core and Edge layers
• Service points
• Server farm topologies
« ------ »
• HA, Convergence, Scalability Performance

Network Intelligence
• Service Integration
• Security: FWSM, IDS, CSA, Riverhead, Portego
• Application Optimization: WASF, Content Switching, SSL, AONS, CDN, caching
• Network Management
« ------ »
• Interop., transparency and Integration

Network Virtualization
• Virtual Infrastructure: Virtual Switching, Virtual Routing
• Virtual Services: Virtual Firewalls, Virtual Load balancers
• System Virtualization: Server Virtualization, Storage Virtualization
• Segmentation
« ------ »
• Logical Partitioning, Dynamic Provisioning & Self Adjusting

Architecture Definition
Network Areas
• IP switching Infrastructure
• Storage Switching Infrastructure
• Distributed Data Center Infrastructure
« ------ »
• Baseline Fundamental Functional Network Areas
• Mapping DC technology to customer requirements

DATA CENTER DESIGN OVERVIEW

Data Center Design Strategic Foundation
• Security Policy
  External, Internal, Partner
  Inter and Intra Server Farm
  Risk Analysis—too much vs. too little
• Business Continuance and Disaster Recovery Policy
  Business Impact Assessment (BIA) per application
  How many Data Centers, how far apart
  Active/Active, Active/Standby, both
  Personnel Support Plan during outage
• Application and Service Level Agreements
  Application bandwidth and redundancy
  BIA prioritization between applications
  Layer2 and Layer3 server adjacency requirements
  NIC Teaming and Backup and Management networks
Good Design Requires Defined Business Policies

Today’s Data Center
Integration of Many Systems and Services
N-Tier Applications DB Servers App Servers Web Servers Mainframe Operations IP Comm. Front End Network Application/Server Optimization Content Switch Cache Tape FC SAN RAID Storage Network NAS FC Switch VSANs Scalable Infrastructure DC Storage Networks Distributed Data Centers Application and Server Optimization Data Center Security Security Firewall IDS Resilient IP Metro Network DWDM/SONET/Ethernet FC Switch Secondary Data Center MAN/ Internet DR Data Center FC Switch WAN/ Internet

Systems and Solutions
Tactical Execution
Data Replication and SAN Extension SAN Topologies L3 and L2 Features Caching Server Farm Topologies Synchronous and Asynchronous FC Over Campus and MAN FCIP Over WAN Best Practices Intra-DC Inter-DC PVLANs, Static ARP, Port Security, MD5 Authentication AAA, SSH, Root and BPDU Guard, ARP Spoofing, DHCP Spoofing, VLAN Hopping Reverse Proxy Caching WCCP and SLB Redirection Content Prepositioning NIC Teaming Clustering iSCSI, FC, NAS, Failover and Load Balancing DNS Base Site Selection Route Health Injection IGP and BGP Site Selection FC to IP Ethernet Gateways IP Services in FC switches Network IDS Host IDS SSL Acceleration Mgmt Simplification Monitoring Encrypted Traffic Modular Stackable RPVST+ Site Selection iSCSI/FCIP Intrusion Detection/Protection SSL Offload Switching DWDM, SONET/SDH, CWDM GE and 10GE MetroE and IP WAN Services L2 and L3 VPN Service Director Class Switches Stackable Switches Firewalls ACL—RACLs, VACLs Server Load Balancing Switches Routers IGP and BGP Protocols DC Interconnectivity FC Switching Traffic Filtering Content Switching Routing Business Continuance Networking Storage Network Infrastructure DC Security Application Optimization IP Network Infrastructure

[...]

Distributed Data Center Design
• How many Data Centers do we need one, two, or…?
• How far apart should the Data Centers be?
• How much redundancy is enough?
• What data replication methods should be used?
• How should the Data Centers be interconnected; Optical, Ethernet VPN service, IP VPN Service…?
• What are your personnel support...

DATA CENTER Storage Networking & Business Continuance

Storage Area Networking
Increased Efficiency and Higher Availability
Consolidated Data Centers Multiple Server Farms w/ dedicated storage Campus Core Distributed Data Centers Campus Core Campus Core SAN Storage Area Network...

Recovery Architectures
Redundancy at Many Levels
Site Selection Internet Data Center 1 Storage Network Intranet N-Tier Applications Storage Network Front End Network Web Servers Data Center 2 N-Tier Applications Front End Network Web Servers Transaction Replication App Servers App Servers IP Layer 2/3 DB Servers IP Layer 2/3 DB Servers Database Replication...

... Convergence Server Load Balancing

Distributed Data Centers
Failover and Distribution Across Multiple Sites
Each Application can Have a Unique IP Address
ISPA Application 1 Active Application 2 Active Internet ISPB Corporate WAN Application 1 Active Application 2 Standby West Coast Remote Offices East Coast Remote Offices West Data Center East Data Center
• Traffic distribution is based on load and...

DATA CENTER Security

What Is Your State of Security Readiness?
Any Vulnerable Area Impacts the DC, if Exploited
Internet SP A SP B User Access Application Environments Intranet Network Infrastructure Data
• Attacks are getting: more sophisticated, more frequent and more devastating
• Securing the Data Center requires:...

DATA CENTER IP Infrastructure

Data Center Architecture
Intranet Core Internet Edge DC Aggregation Aggregation Layer Server Access Access Layer Load Balancer...

... much data can you afford to lose? How much does downtime cost per hour?
• Site Selection
  Accessing Multiple DCs
  Active/Active
  Active/Standby
• SAN Extension
  Distance and Bandwidth
  Synchronous and/or Asynchronous Replication
• Data Center Interconnect
  IP Transport
  Optical Transport
  L2 and/or L3 Adjacency

Distributed Data Center...

... consistent use of all available SECURITY TOOLS
Applied to the entire Data Center Environment

The Specifics… What’s Important in Each Area
User Access
• Protection of network entry points:
  Internet Edge
  Extranet Edge
  Data Center Edge
Application Environments
• Protection of application traffic:
  Client to server interaction
  Server to server interaction...

... Impacts
BUSINESS CONTINUANCE
Ensuring Business can Recover and Continue After Failure or Disaster: Recovery of Data and Resumption of Service
DISASTER RECOVERY
Mitigating the Impact of a Disaster

Multilayer Data Center Architecture
Resiliency on the Front End and Back End
INTERNET STATEFUL FIREWALLS HIGH DENSITY MULTILAYER LAN...

... Choosing the Correct Site
GSS Employee Customer/ Partner Internet or WAN Intranet FC SAN FC SAN FCIP FCIP Storage Network Primary RAID Data Center Storage Network RAID Secondary Data Center

Route Health Injection
Server Health Aware Routing
O E2 Routing Table Entry for Far Side Router 20.18.30.200/32 [110/20] via 20.17.50.2, 1d18h, ...

Date posted: 20/12/2013, 19:15
