TBIZ2011 - Juniper. Next Generation Data Center

  1. NEXT GENERATION DATA CENTER
     October, 2011
  2. AGENDA
     • Cloud Computing and Cloud Infrastructures
     • DC infrastructure evolution
     • Security Requirements and Solution
     Copyright © 2010 Juniper Networks, Inc. www.juniper.net - INTERNAL ONLY
  3. THE CHALLENGE OF THE DATA CENTER
     [Figure: Experience, Economics]
  4. THE APPLICATIONS CHANGED
     [Figure: Client – Server Architecture vs. Service Oriented Architecture; Client, Servers A–D, DB]
     A fundamental change in data flows
  5. THE MULTI-TIER LEGACY NETWORK IS A BARRIER
     The challenge: multi-tier legacy network
     • Too slow
     • Unnecessary layers add hops and latency
     • Too complex
     • Too expensive
     • Up to 50% of the ports interconnect switches, not servers or storage
     • Up to 75% of traffic
     • Spanning Tree disables up to 50% of bandwidth
     [Figure: N/E/S/W axes; Complexity, Scale]
  6. THE TYRANNY OF TREES
     Location matters in a tree architecture
     [Figure: typical tree configuration; bubbles; optimal performance = one hop; VM]
  7. THE TYRANNY OF TREES
     Location matters in a tree architecture
     [Figure: typical tree configuration; appliances and VLANs; shadows; VM]
  8. COMPLEXITY – A FUNCTION OF DEVICES + INTERACTIONS
     Data Center Operational Complexity
     • Number of managed devices (each switch is autonomous): 7 managed devices
     • Number of potential interactions (shared protocols): 21 potential interactions
     • Interactions = N*(N-1)/2
     [Figure: N/S axis labels]
  9. COMPLEXITY – A FUNCTION OF DEVICES + INTERACTIONS
     Solve for the smallest N possible
     No. of Interactions = N*(N-1)/2, where N = No. of managed devices
     [Figure: Managed Devices (0–400) and Interactions (0–10,000) plotted against No. of Ports (0–6000); "Too Complex" region]
  10. CHALLENGES OF EFFICIENCY
      • Up to 50% of the ports interconnect switches, not servers or storage
      • Up to 50% of the bandwidth is disabled by spanning tree
      • Up to 30% of the network spend can be avoided
      • Eliminate $1B of annual spend world wide
      Too Expensive
  11. DATA CENTERS TODAY: 1GBE SERVERS
      • Up to 400 servers in 1 tier (EX4200 with Virtual Chassis)
      • Up to 9,000 servers in 2 tiers (EX4200 and EX8200 with Virtual Chassis)
      [Figure: Experience, Economics; MX Series, EX8216, SRX5800, EX4200 Virtual Chassis, STP, Servers, NAS, FC Storage, FC SAN]
  12. DATA CENTERS TODAY: MIXED 1GBE & 10GBE SERVERS
      Industry’s only X-platform Virtual Chassis
      • EX4200/EX4500: managed as a single switch
      [Figure: Experience, Economics; MX Series, EX8216, SRX5800, EX4200, EX4500, 10G Servers, NAS, FC Storage, FC SAN]
  13. OPEN SYSTEM ARCHITECTURE
      Operational Efficiency, Business Continuity, Agility
      • Third-Party Manageable: SNMP, Netconf/XML, Syslog
      • Standards-Based: Various RFCs, IEEE 802.1at, LLDP
      • Any Device: Access points, IP phones, Security camera
      • Any Place: Access, Aggregation, Core
      • Open to Innovation: Junos SDK
  14. EX SERIES: CAMPUS PRODUCTS
      [Figure: EX2200, EX2200-C, EX3200, EX3300, EX4200, EX4500, EX6200, EX8208, EX8216]
  15. EX SERIES FIXED PLATFORMS
      [Table: feature comparison of EX2200-C, EX2200, EX3200, EX3300, EX4200, EX4500. Port options: 12 port, 24/48 port and 28/48 port 10/100/1000BASE-T; 40 10GbE fiber ports, wirespeed. PoE/PoE+, Full Class 3 PoE. Power and cooling: fixed power supply and fans; field replaceable power and fans; modular power and cooling; redundant power and cooling; external RPS option; fan-less; small form factor; data center air flow. Uplinks: 4 port GbE SFP, 2 port 10GbE XFP, 4 port SFP/SFP+, flexible uplinks, line rate uplink options. Virtual Chassis: 6 member, 10 member, 128 Gbps backplane, mixed Virtual Chassis with EX4200. MacSec. OSPF, IP multicast in base license. Roadmap.]
  16. EX4200 LINE OF ETHERNET SWITCHES WITH VIRTUAL CHASSIS TECHNOLOGY
      24-48 port copper/fiber access switch
      • PoE+ model option
      • 4-port GbE (SFP) uplink
      • 2-port 10GbE (XFP) uplink
      • Dual-mode 4-port GbE/2-port 10GbE (SFP+)
      Fully redundant power and cooling
      • External RPS option
      Virtual Chassis technology
      • 128 Gbps virtual backplane
      • Manage up to 10 switches as a single device
      • Extend over 10GbE or GbE uplinks
      Full OSPF and IP Multicast in base license
      LCD window
      Roadmap
  17. EX4500 LINE OF 10GBE SWITCHES WITH VIRTUAL CHASSIS TECHNOLOGY
      2U 40-port 10GbE switch
      • Wire-rate performance on all ports
      • 14.88 Mpps per port on all 48 ports at all packet sizes
      • 8 SFP+ uplinks
      Virtual Chassis technology
      • 128 Gbps virtual backplane
      • Manage up to 10 as a single device
      • Extend over 10GbE or GbE uplinks
      • Virtual Chassis with EX4200
      Extensive Layer 2 and Layer 3 features
      • Routing protocols (OSPF)
      • VRRP
      Redundant power and cooling
      Large MAC and IPv4/IPv6 tables
      Roadmap
  18. EX8200 LINE OF MODULAR ETHERNET SWITCHES
      8/16-slot high-performance chassis
      • EX8208: 8 line cards; 960 Mpps
      • EX8216: 16 line cards; 1.92 Bpps
      • 100GbE ready
      • Fully redundant Routing Engines with N+1 redundant switch fabrics
      • Up to 256 wire-speed, non-blocking 10GbE ports in a rack
      • 320 Gbps capacity per line card
      Virtual Chassis technology
      • Two-member Virtual Chassis
      • External Routing Engine (XRE200) required
      Fully redundant power and cooling
      • Redundant, load-sharing PSUs (AC, DC)
      • Hot-swappable fan tray with redundant fans
      [Figure: line cards 48x1G-ES, 8x10G, 40x10G, 48x1G-POE, 48x1G-Fiber, 48x1G-Copper]
  19. SCALING THE DATA PLANE
      Data Plane
      1. All ports are directly connected to every other port
      2. A single “full lookup” at the ingress device
      3. Blazingly fast: always under 5us; 3.71us (short cables)
      QFabric is faster than any Ethernet chassis switch ever built
      [Figure: QF/Interconnect, QF/Node]
  20. FABRIC HARDWARE – QF/NODE
      QF/Node (QFX3500)
      • 1 RU high fixed configuration
      • 48 SFP+/36 SFP ports
      • 12 FC capable (2/4/8G) ports
      • 4 * 40G fabric uplink ports (can also operate in 10G mode)
      • Redundant AC power supply
      • Front to back air flow
      Will also operate as a Stand Alone Switch
      [Figure: front view (48 SFP+/36 SFP ports, 12 FC capable ports); rear view (4 QSFP+ ports)]
  21. RE-DESIGN SECURITY FOUNDATION
      The Dynamic Services Architecture scales performance, capacity and service density – World’s fastest firewall and IPS
      SRX Services Gateways
      • High-Speed Fabric Technology: expandable chassis; linear scalability; processing and I/O pools; industry’s top performance
      • Carrier-Class Reliability: separation of control and data planes; redundant everything; proven operating system
      • The power of one operating system, one release train
  22. SRX SERIES FOR THE DATA CENTER COMPARISON CHART
                             SRX3400        SRX3600        SRX5600        SRX5800
      Max FW Throughput      20 Gbps        30 Gbps        60 Gbps        150 Gbps
      Max VPN Throughput     6 Gbps         10 Gbps        15 Gbps        30 Gbps
      Max IPS Throughput     6 Gbps         10 Gbps        15 Gbps        30 Gbps
      Max PPS                4 Mpps         7 Mpps         10 Mpps        18 Mpps
      Max Sessions           2.25 million   2.25 million   9 million      10 million
      New & Sustained CPS    175,000        175,000        350,000        350,000
      Max I/O Ports          76 x GbE or    108 x GbE or   200 x GbE or   440 x GbE or
                             8 x 10GbE      12 x 10GbE     40 x 10GbE     88 x 10GbE
      Interfaces (SRX3400, SRX3600): 8 10/100/1000 + 4 SFP; 16 x SFP module; 2 x 10GbE module
      Interfaces (SRX5600, SRX5800): 40 x SFP; 4 x 10GbE XFP; 16 x TX/SFP FlexIOC; 4 x 10GbE XFP FlexIOC
  23. JUNOS SOFTWARE ENHANCEMENTS
      Low Impact Chassis Upgrades (new in Junos 9.6)
      • In-service software upgrades
      • Eliminate downtime when upgrading SRX
      • Single command to upgrade SRX clusters
      Performance and Density Improvements (new in Junos 10.0)
      • Session increase in SRX3000 and SRX5000 lines
      • SRX3000 line – 2.25 million sessions
      • SRX5600 – 9 million sessions
      • SRX5800 – 10 million
      AppSecure with AppDoS (new in Junos 10.0)
      • Identify and mitigate threats and attacks targeting applications
      • Multi-stage detection methods
      • Tracks application protocols, users and volumes
      [Figure labels: SECURE, RELIABLE]
  24. SRX5800: FRONT AND REAR VIEW
      Modular chassis
      – Vertical design
      – 12 expansion slots
      – Modules for flexible I/O and service processing
      – Junos software
      Massive Scale
      – Up to 350,000 new & sustained connections per second (CPS)
      – Up to 10 million sessions
      High performance
      – Up to 120 Gbps firewall
      – Up to 30 Gbps IPS
      – Up to 30 Gbps IPSec VPN
      High availability
      – Redundant management modules
      – Redundant switching fabrics
      – Redundant fans & power supplies
      – Modular Junos Software
      [Figure: SRX5800 front view (16 RU; control panel; upper fan tray; Switch Control Boards (SCBs); 40 x GbE I/O Card; Services Processing Card; 4 x 10GbE I/O Card; Management module; lower fan tray; air intake; expansion slots (fits any module)) and rear view (power supplies; FRU)]
  25. BREAK THE PERFORMANCE/INTEGRATION TRADEOFF
      Firewall
      • Limited services
      • Scalability via multiple appliances
      • Management and deployment challenges
      • Services via dedicated appliances
      • Management and deployment nightmare
      Junos
      • Services integration via Junos
      • Processing scalability via SPC
      • I/O scalability via IOC
      • Management and deployment simplicity
      [Figure: Performance vs. Service Integration; Router, Firewall, IPS, IPsec VPN, NAT]
  26. MARKET DRIVERS FOR VIRTUALIZATION
      • Virtualization server licenses grew 53% in 08 over prior year (IDC Server Virtualization Tracker, December 08)
      • Desktop virtualization software technologies are forecast to grow at a 33.6% compound annual growth rate through 2013 (Gartner Dataquest Insight, January 09)
      • 43% of enterprises with 500+ employees and 26% of SMBs with 100-499 employees are using server virtualization (Yankee, July 09)
      • Installed base grows 10x: VM penetration of installed workloads, YE 2008 (5.8M) to YE 2012 (58M)
  27. SECURITY IMPLICATIONS OF VIRTUAL SERVERS
      • Physical network: firewall/IPS inspects all traffic between servers
      • Virtual network: physical security is “blind” to traffic between virtual machines
      [Figure: VM1, VM2, VM3 on an ESX host hypervisor]
  28. APPROACHES TO SECURING VIRTUAL SERVERS: THREE METHODS
      1. VLAN Segmentation
         • Each VM in separate VLAN
         • Inter-VM communications must route through the firewall
         • Drawback: possibly complex VLAN networking
      2. Agent-based
         • Each VM has a software firewall
         • Drawback: significant performance implications; huge management overhead of maintaining software and signatures on 1000s of VMs
      3. Kernel-based Firewall
         • VMs can securely share VLANs
         • Inter-VM traffic always protected
         • High performance from implementing the firewall in the kernel
         • Micro-segmenting capabilities
      [Figure: VM1, VM2, VM3 on ESX hosts; hypervisor; FW agents; FW as kernel module]
  29. INTRODUCING THE ALTOR VF
      Hypervisor kernel stateful firewall
      Purpose-built virtual firewall
      • Secure Live-Migration (VMotion)
      • Security for each VM by VM ID
      • Fully stateful firewall
      VMware “VMsafe Certified”
      Tight integration with virtual platform management, e.g. VMware vCenter
      Fault-tolerant architecture
      [Figure: VM1, VM2, VM3 on ESX host with ALTOR VF; NSM, STRM, Network, Juniper Switch, Juniper SRX]
  30. INTEGRATION WITH JUNIPER DATA CENTER SECURITY
      Altor integration points
      • Altor Center policies: central policy management
      • Altor Virtual Firewall: firewall event syslogs; NetFlow for inter-VM traffic
      • Inter-VM traffic mirroring to IPS
      [Figure: VM1, VM2, VM3, ALTOR VM on VMware vSphere; STRM, NSM, Network, Juniper Switch, Juniper SRX with IPS]
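Slides 27 to 30 describe why a firewall in the hypervisor kernel sees traffic a physical firewall misses, and three properties of such a firewall: policy bound to the VM ID rather than to an address, fully stateful handling, and event syslogs for inter-VM traffic that a SIEM can consume. The following is an added illustration of that model, not Altor's or Juniper's code: the class and rule names, the constructed VM inventory, the three-VM scenario and the syslog-like event format are all assumptions made for this example.

```python
"""Toy model of a hypervisor-kernel stateful firewall that enforces policy by
VM ID rather than by IP address or VLAN.

Added example for this page; not Altor's or Juniper's code. The class and
rule names, the constructed VM inventory and the syslog-like event format are
assumptions made for the illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# (proto, src_ip, dst_ip, sport, dport) identifies one direction of a flow
FlowKey = Tuple[str, str, str, int, int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    src_vm: str   # VM ID, or "*" for any VM
    dst_vm: str
    proto: str
    dport: int
    action: str   # "permit" or "deny"


class VmFirewall:
    """Sits below the virtual switch, so VM-to-VM traffic on one host is
    inspected even when the VMs share a VLAN (slides 27 and 28)."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.vm_by_ip: Dict[str, str] = {}   # inventory from the platform manager
        self.sessions: Set[FlowKey] = set()  # forward keys of permitted flows
        self.events: List[str] = []          # syslog-style records for the SIEM

    def register(self, vm_id: str, ip: str) -> None:
        """Bind an address to a VM ID. A re-addressed or migrated VM keeps its
        ID, so its rules keep applying without a policy change."""
        self.vm_by_ip = {a: v for a, v in self.vm_by_ip.items() if v != vm_id}
        self.vm_by_ip[ip] = vm_id

    def _match(self, src_vm: str, dst_vm: str, pkt: Packet) -> Optional[Rule]:
        for r in self.rules:  # first match wins
            if (r.src_vm in ("*", src_vm) and r.dst_vm in ("*", dst_vm)
                    and r.proto == pkt.proto and r.dport == pkt.dport):
                return r
        return None

    def filter(self, pkt: Packet) -> str:
        fwd: FlowKey = (pkt.proto, pkt.src_ip, pkt.dst_ip, pkt.sport, pkt.dport)
        rev: FlowKey = (pkt.proto, pkt.dst_ip, pkt.src_ip, pkt.dport, pkt.sport)
        # Stateful fast path: either direction of an already-permitted session
        # passes without a rule lookup.
        if fwd in self.sessions or rev in self.sessions:
            return "permit"
        # New flow: policy is evaluated on VM IDs, not on addresses.
        src_vm = self.vm_by_ip.get(pkt.src_ip, "unknown")
        dst_vm = self.vm_by_ip.get(pkt.dst_ip, "unknown")
        rule = self._match(src_vm, dst_vm, pkt)
        action = rule.action if rule else "deny"   # default deny
        if action == "permit":
            self.sessions.add(fwd)
        self.events.append(
            f"vmfw: action={action} src_vm={src_vm} dst_vm={dst_vm} "
            f"proto={pkt.proto} src={pkt.src_ip}:{pkt.sport} "
            f"dst={pkt.dst_ip}:{pkt.dport}")
        return action


def denied_inter_vm_events(fw: VmFirewall) -> List[str]:
    """What a SIEM rule would pull from the forwarded syslog: denied flows
    whose endpoints are both known VMs, i.e. blocked lateral movement."""
    return [e for e in fw.events if "action=deny" in e and "unknown" not in e]


def demo() -> dict:
    """Constructed scenario: three VMs share one subnet/VLAN on one ESX host."""
    fw = VmFirewall([Rule("vm-web", "vm-db", "tcp", 3306, "permit")])
    fw.register("vm-web", "10.0.1.10")
    fw.register("vm-db", "10.0.1.20")
    fw.register("vm-other", "10.0.1.30")
    r = {}
    # web -> db on the permitted port: allowed, and a session is recorded
    r["web_to_db"] = fw.filter(Packet("10.0.1.10", "10.0.1.20", "tcp", 51000, 3306))
    # db -> web reply: no rule names db as a source, but session state allows it
    r["db_reply"] = fw.filter(Packet("10.0.1.20", "10.0.1.10", "tcp", 3306, 51000))
    # db -> web on a tuple with no matching session: denied
    r["db_unsolicited"] = fw.filter(Packet("10.0.1.20", "10.0.1.10", "tcp", 3306, 51001))
    # a third VM in the same VLAN reaching for the database: denied
    r["other_to_db"] = fw.filter(Packet("10.0.1.30", "10.0.1.20", "tcp", 52000, 3306))
    # the web VM is re-addressed; policy follows the VM ID, not the address
    fw.register("vm-web", "10.0.2.10")
    r["web_after_readdress"] = fw.filter(Packet("10.0.2.10", "10.0.1.20", "tcp", 53000, 3306))
    # an address no longer bound to any VM is denied even on the permitted port
    r["stale_ip"] = fw.filter(Packet("10.0.1.10", "10.0.1.20", "tcp", 54000, 3306))
    r["denied_lateral"] = len(denied_inter_vm_events(fw))
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two denied records that `denied_inter_vm_events` returns are the ones a physical firewall on the access switch would never have seen, because both endpoints live on the same host; forwarding them as syslog is what lets the SIEM in slide 30 alert on them.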
