TBIZ2011 - Juniper. Next Generation Data Center
- 2. AGENDA
Cloud Computing and Cloud Infrastructures
DC infrastructure evolution
Security Requirements and Solution
2 Copyright © 2010 Juniper Networks, Inc. www.juniper.net - INTERNAL ONLY
- 3. THE CHALLENGE OF THE DATA CENTER
EXPERIENCE
ECONOMICS
- 4. THE APPLICATIONS CHANGED
Client – Server Architecture vs. Service Oriented Architecture
[Figure: a client–server architecture (clients talking to Servers A–D and a DB server) beside a service-oriented architecture (Servers A–D and the DB server calling one another)]
A fundamental change in data flows
- 5. THE MULTI-TIER LEGACY NETWORK IS A BARRIER
The challenge: too slow, too complex, too expensive
Multi-tier legacy network:
Unnecessary layers add hops and latency
Up to 50% of the ports interconnect switches, not servers or storage
Spanning Tree disables up to 50% of bandwidth
[Figure: compass (N/E/S/W) diagram with the labels "Up to 75% of traffic", "Complexity" and "Scale"]
- 6. THE TYRANNY OF TREES
Location matters in a tree architecture
[Figure: typical tree configuration; "Bubbles" – optimal performance, one hop, VM]
- 7. THE TYRANNY OF TREES
Location matters in a tree architecture
[Figure: typical tree configuration; "Shadows" – appliances and VLANs, VM]
- 8. COMPLEXITY – A FUNCTION OF DEVICES + INTERACTIONS
Data Center Operational Complexity
• Number of managed devices: each switch is autonomous (example: 7 managed devices)
• Number of potential interactions: shared protocols (example: 21 potential interactions)
Interactions = N*(N-1)/2 (with N = 7 managed devices this gives 21)
- 9. COMPLEXITY – A FUNCTION OF DEVICES + INTERACTIONS
Devices, interactions, too complex
Solve for the smallest N possible
No. of Interactions = N*(N-1)/2, where N = No. of managed devices
[Chart: managed devices (0–400) and interactions (0–10,000) against No. of Ports (0–6000), with the upper region labelled "Too Complex"]
- 10. CHALLENGES OF EFFICIENCY
Up to 50% of the ports interconnect switches, not servers or storage
Up to 50% of the bandwidth is disabled by spanning tree
Up to 30% of the network spend can be avoided
Eliminate $1B of annual spend worldwide
Too Expensive
- 11. DATA CENTERS TODAY: 1GBE SERVERS
Experience, Economics
Up to 400 servers in 1 tier (EX4200 with Virtual Chassis)
Up to 9,000 servers in 2 tiers (EX4200 and EX8200 with Virtual Chassis)
[Figure: MX Series core, EX8216 and SRX5800, EX4200 Virtual Chassis access tier with STP, servers, NAS, FC storage and FC SAN]
- 12. DATA CENTERS TODAY: MIXED 1GBE & 10GBE SERVERS
Experience, Economics
Industry’s only X-platform: EX4200/EX4500 managed as a single switch
[Figure: MX Series core, EX8216 and SRX5800, EX4200 and EX4500 access switches, 1G and 10G servers, NAS, FC storage and FC SAN]
- 13. OPEN SYSTEM ARCHITECTURE
Operational Efficiency, Business Continuity, Agility
Third-Party Manageable: SNMP, Netconf/XML, Syslog
Standards-Based: Various RFCs, IEEE 802.1at, LLDP
Any Device: Access points, IP phones, Security camera
Any Place: Access, Aggregation, Core
Open to Innovation: Junos SDK
- 14. EX SERIES: CAMPUS PRODUCTS
[Figure: product images of the EX Series campus switches: EX2200-C, EX2200, EX3200, EX3300, EX4200, EX4500, EX6200, EX8208, EX8216]
- 15. EX SERIES FIXED PLATFORMS
[Figure: feature comparison of the fixed platforms EX2200-C, EX2200, EX3200, EX3300, EX4200 and EX4500 (some items marked Roadmap); recovered feature labels, not assigned to individual models:]
12 port 10/100/1000BASE-T
24/48 port 10/100/1000BASE-T
40 10GbE fiber ports, wirespeed
PoE/PoE+; Full Class 3 PoE
Fan-less model option
Small form factor
Fixed power supply and fans
Modular power and cooling
Redundant power and cooling
Field replaceable power and fans
Data center air flow
4 SFP uplinks; 4 port GbE SFP uplink; 2 port 10GbE XFP uplink; 4 port SFP/SFP+ uplinks; Flexible uplinks
External RPS option
Line rate
6 member Virtual Chassis; 10 member Virtual Chassis; 128 Gbps Virtual Chassis backplane; Mixed Virtual Chassis with EX4200
MacSec
OSPF, IP multicast in base license
- 16. EX4200 LINE OF ETHERNET SWITCHES WITH VIRTUAL CHASSIS TECHNOLOGY
24-48 port copper/fiber access switch
PoE+ model option
4-port GbE (SFP) uplink
2-port 10GbE (XFP) uplink
Dual-mode 4-port GbE/2-port 10GbE (SFP+)
Fully redundant power and cooling
External RPS option
Virtual Chassis technology: 128 Gbps virtual backplane
Manage up to 10 switches as a single device
Extend over 10GbE or GbE uplinks
Full OSPF and IP Multicast in base license
LCD window
Roadmap
- 17. EX4500 LINE OF 10GBE SWITCHES WITH VIRTUAL CHASSIS TECHNOLOGY
2U 40-port 10GbE switch
Wire-rate performance on all ports: 14.88 Mpps per port on all 48 ports at all packet sizes
8 SFP+ uplinks
Virtual Chassis technology: 128 Gbps virtual backplane
Manage up to 10 as a single device
Extend over 10GbE or GbE uplinks
Virtual Chassis with EX4200
Extensive Layer 2 and Layer 3 features
Routing protocols (OSPF)
VRRP
Redundant power and cooling
Large MAC and IPv4/IPv6 tables
Roadmap
- 18. EX8200 LINE OF MODULAR ETHERNET SWITCHES
8/16-slot high-performance chassis
EX8208: 8 line cards; 960 Mpps
EX8216: 16 line cards; 1.92 Bpps
100GbE ready
Fully redundant Routing Engines with N+1 redundant switch fabrics
Up to 256 wire-speed, non-blocking 10GbE ports in a rack
320 Gbps capacity per line card
Virtual Chassis technology: two-member Virtual Chassis; External Routing Engine (XRE200) required
Fully redundant power and cooling
Redundant, load-sharing PSUs (AC, DC)
Hot-swappable fan tray with redundant fans
[Figure: line cards 48x1G-ES, 8x10G, 40x10G, 48x1G-POE, 48x1G-Fiber, 48x1G-Copper]
- 19. SCALING THE DATA PLANE
Data Plane
1. All ports are directly connected to every other port
2. A single “full lookup” at the ingress QF/Node device
3. Blazingly fast: always under 5us; 3.71us (short cables)
QFabric is faster than any Ethernet chassis switch ever built
[Figure: QF/Interconnect with attached QF/Nodes]
- 20. FABRIC HARDWARE – QF/NODE
QF/Node (QFX3500)
• 1 RU high fixed configuration
• 48 SFP+/36 SFP ports
• 12 FC capable (2/4/8G) ports
• 4 * 40G fabric uplink ports (can also operate in 10G mode)
• Redundant AC power supply
• Front to back air flow
Will also operate as a Stand Alone Switch
[Figure: front view showing 48 SFP+/36 SFP ports, 12 FC capable ports and 4 QSFP+ ports; rear view]
- 21. RE-DESIGN SECURITY FOUNDATION
The Dynamic Services Architecture scales performance, capacity and service density
– World’s fastest firewall and IPS
SRX Services Gateways
High-Speed Fabric Technology: expandable chassis; linear scalability; processing and I/O pools; industry’s top performance
Junos: the power of one operating system, one release train
Carrier-Class Reliability: separation of control and data planes; redundant everything; proven operating system
- 22. SRX SERIES FOR THE DATA CENTER
COMPARISON CHART
(Columns: SRX3400 | SRX3600 | SRX5600 | SRX5800)
Max FW Throughput: 20 Gbps | 30 Gbps | 60 Gbps | 150 Gbps
Max VPN Throughput: 6 Gbps | 10 Gbps | 15 Gbps | 30 Gbps
Max IPS Throughput: 6 Gbps | 10 Gbps | 15 Gbps | 30 Gbps
Max PPS: 4 Mpps | 7 Mpps | 10 Mpps | 18 Mpps
Max Sessions: 2.25 million | 2.25 million | 9 million | 10 million
New & Sustained CPS: 175,000 | 175,000 | 350,000 | 350,000
Interfaces: SRX3400 and SRX3600: 8 10/100/1000 + 4 SFP; 16 x SFP module; 2 x 10GbE module. SRX5600 and SRX5800: 40 x SFP; 4 x 10GbE XFP; 16 x TX/SFP FlexIOC; 4 x 10GbE XFP FlexIOC
Max I/O Ports: 76 x GbE or 8 x 10GbE | 108 x GbE or 12 x 10GbE | 200 x GbE or 40 x 10GbE | 440 x GbE or 88 x 10GbE
- 23. JUNOS SOFTWARE ENHANCEMENTS
In-service software upgrades / Low Impact Chassis Upgrades (new in Junos 9.6):
Eliminate downtime when upgrading SRX
Single command to upgrade SRX clusters
Performance and Density Improvements (new in Junos 10.0):
Session increase in SRX3000 and SRX5000 lines
SRX3000 line – 2.25 million sessions
SRX5600 – 9 million sessions
SRX5800 – 10 million sessions
AppSecure with AppDoS (new in Junos 10.0):
Identify and mitigate threats and attacks targeting applications
Multi-stage detection methods
Tracks application protocols, users and volumes
[Slide labels: SECURE, RELIABLE]
- 24. SRX5800: FRONT AND REAR VIEW
[Figure: SRX5800 front view with callouts Control Panel, Upper fan tray, Switch Control Boards (SCBs), 40 x GbE I/O Card, Services Processing Card, 4 x 10GbE I/O Card, Power supplies, FRU Management module, Lower fan tray, Air intake, Expansion slots (fits any module); rear view]
16 RU modular chassis
– Vertical design
– 12 expansion slots
– Modules for flexible I/O and service processing
– Junos software
Massive Scale
– Up to 350,000 new & sustained connections per second (CPS)
– Up to 10 million sessions
High performance
– Up to 120 Gbps firewall
– Up to 30 Gbps IPS
– Up to 30 Gbps IPSec VPN
High availability
– Redundant management modules
– Redundant switching fabrics
– Redundant fans & power supplies
– Modular Junos Software
- 25. BREAK THE PERFORMANCE/INTEGRATION TRADEOFF
[Chart: Performance against Service Integration (Router, Firewall, IPS, IPsec VPN, NAT)]
Firewall only, limited services: scalability via multiple appliances; management and deployment challenges
Services via dedicated appliances: management and deployment nightmare
SRX: services integration via Junos; processing scalability via SPC; I/O scalability via IOC; management and deployment simplicity
- 26. MARKET DRIVERS FOR VIRTUALIZATION
Virtualization server licenses grew 53% in '08 over prior year (IDC Server Virtualization Tracker, December 08)
Desktop virtualization software technologies are forecast to grow at a 33.6% compound annual growth rate through 2013 (Gartner Dataquest Insight, January 09)
43% of enterprises with 500+ employees and 26% of SMBs with 100-499 employees are using server virtualization (Yankee, July 09)
Installed base grows 10x: VM penetration of installed workloads, YE 2008 (5.8M) to YE 2012 (58M)
- 27. SECURITY IMPLICATIONS OF VIRTUAL SERVERS
PHYSICAL NETWORK: Firewall/IPS inspects all traffic between servers
VIRTUAL NETWORK: Physical security is “blind” to traffic between virtual machines
[Figure: VM1, VM2, VM3 on an ESX host above the hypervisor]
- 28. APPROACHES TO SECURING VIRTUAL SERVERS: THREE METHODS
1. VLAN Segmentation
Each VM in separate VLAN
Inter-VM communications must route through the firewall
Drawback: Possibly complex VLAN networking
2. Agent-based
Each VM has a software firewall
Drawback: Significant performance implications; huge management overhead of maintaining software and signatures on 1000s of VMs
3. Kernel-based Firewall
VMs can securely share VLANs
Inter-VM traffic always protected
High performance from implementing the firewall in the kernel
Micro-segmenting capabilities
[Figure: three ESX hosts, each with VM1, VM2, VM3 above the hypervisor; the agent-based host shows FW agents in each VM, the kernel-based host shows the FW as a kernel module]
- 29. INTRODUCING THE ALTOR VF
Hypervisor Kernel Stateful Firewall
Purpose-built virtual firewall
Secure Live-Migration (VMotion)
Security for each VM by VM ID
Fully stateful firewall
VMware “VMsafe Certified”
Tight integration with virtual platform management, e.g. VMware vCenter
Fault-tolerant architecture
[Figure: ESX host running VM1, VM2, VM3 with the ALTOR VF; network with Juniper Switch, Juniper SRX, NSM and STRM]
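The three slides above make one security claim: a firewall at the physical edge only sees traffic that crosses a VLAN boundary, so two VMs on the same VLAN talk to each other uninspected unless either every VM is put in its own VLAN (method 1) or policy is enforced in the hypervisor kernel and keyed by VM identity (method 3), where it also follows the VM through a live migration. The following Python model is an added illustration of that claim and is not Juniper or Altor code; the VM names, addresses, VLAN numbers, rules and the placement of the physical firewall at the Layer 3 boundary are all constructed assumptions for the example.

```python
"""Toy model of where inter-VM traffic is (or is not) inspected.

Added illustration, not Juniper or Altor code. VM names, addresses, VLANs and
rules are constructed. The physical firewall is assumed to sit at the Layer 3
boundary between VLANs; the kernel-based firewall is a policy engine keyed by
VM identity (vm_id) that the hypervisor evaluates for every flow.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class VM:
    vm_id: str   # stable identity from the virtual platform (constructed)
    ip: str
    vlan: int
    host: str    # ESX host the VM currently runs on


@dataclass(frozen=True)
class Flow:
    src: VM
    dst: VM
    port: int


@dataclass(frozen=True)
class AddressRule:
    """Rule as a physical firewall holds it: keyed by IP addresses."""
    src_ip: str
    dst_ip: str
    port: int
    action: str  # "allow" or "deny"


@dataclass(frozen=True)
class IdentityRule:
    """Rule as a hypervisor-kernel firewall holds it: keyed by VM identity."""
    src_vm: str
    dst_vm: str
    port: int
    action: str


def reaches_physical_firewall(flow: Flow) -> bool:
    """Only traffic crossing a VLAN boundary is routed through the edge firewall.
    Two VMs on one VLAN are switched at Layer 2 (inside the vSwitch when they
    share a host), so the physical firewall/IPS never sees that flow."""
    return flow.src.vlan != flow.dst.vlan


def physical_decision(flow: Flow, rules: list[AddressRule]) -> str:
    if not reaches_physical_firewall(flow):
        return "uninspected"          # the "blind" case from slide 27
    for r in rules:
        if (r.src_ip, r.dst_ip, r.port) == (flow.src.ip, flow.dst.ip, flow.port):
            return r.action
    return "deny"                     # default deny


def kernel_decision(flow: Flow, rules: list[IdentityRule]) -> str:
    """Evaluated for every flow regardless of VLAN or host placement."""
    for r in rules:
        if (r.src_vm, r.dst_vm, r.port) == (flow.src.vm_id, flow.dst.vm_id, flow.port):
            return r.action
    return "deny"


def uninspected(flows: list[Flow]) -> list[Flow]:
    """Audit helper: which inter-VM flows bypass the physical firewall entirely."""
    return [f for f in flows if not reaches_physical_firewall(f)]


def run_scenarios() -> dict[str, object]:
    # Constructed sample: web and db VMs sharing one host and one flat VLAN.
    web = VM("vm-web-01", "10.0.10.11", 10, "esx-a")
    db = VM("vm-db-01", "10.0.10.21", 10, "esx-a")
    addr_rules = [AddressRule("10.0.10.11", "10.0.10.21", 3306, "allow")]
    id_rules = [IdentityRule("vm-web-01", "vm-db-01", 3306, "allow")]
    out: dict[str, object] = {}

    mysql, ssh = Flow(web, db, 3306), Flow(web, db, 22)
    # Flat VLAN: the physical firewall sees neither flow; only the kernel firewall decides.
    out["flat/physical/ssh"] = physical_decision(ssh, addr_rules)
    out["flat/kernel/mysql"] = kernel_decision(mysql, id_rules)
    out["flat/kernel/ssh"] = kernel_decision(ssh, id_rules)
    out["uninspected_count"] = len(uninspected([mysql, ssh]))

    # Method 1 (VLAN segmentation): db moves to its own VLAN so traffic hairpins
    # through the physical firewall, at the cost of re-addressing and a new rule.
    db_seg = replace(db, ip="10.0.20.21", vlan=20)
    seg_rules = [AddressRule("10.0.10.11", "10.0.20.21", 3306, "allow")]
    out["segmented/physical/mysql"] = physical_decision(Flow(web, db_seg, 3306), seg_rules)
    out["segmented/physical/ssh"] = physical_decision(Flow(web, db_seg, 22), seg_rules)

    # Method 3 (kernel-based): after a live migration of db to another host the
    # identity-keyed policy is unchanged and still enforced.
    db_moved = replace(db, host="esx-b")
    out["vmotion/kernel/mysql"] = kernel_decision(Flow(web, db_moved, 3306), id_rules)
    out["vmotion/kernel/ssh"] = kernel_decision(Flow(web, db_moved, 22), id_rules)
    return out


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key:26} {value}")
```

The audit helper is the part a defender reuses: feeding it the inter-VM flows observed on a host (from the hypervisor or from NetFlow as on the integration slide) lists exactly which conversations the physical firewall and IPS never had a chance to inspect.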
- 30. INTEGRATION WITH JUNIPER DATA CENTER SECURITY
[Figure: ESX host running VM1, VM2, VM3 and the Altor VM, managed from Altor Center (Policies), connected through a Juniper Switch to a Juniper SRX with IPS, STRM and NSM]
Altor integration points:
Central Policy Management: Altor Center policies to the Altor Virtual Firewall (VMware vSphere)
Firewall Event Syslogs; Netflow for Inter-VM Traffic
Inter-VM Traffic Mirroring to IPS