Data Center Handbook (4): Design

Infrastructure

Topology diagram


Switching Path

L3 routing at aggregation layer

L2 switching at access layer

An L3 switch combines three functions:

RP, route processor: handles the routing protocols

SP, switch processor: handles the L2 protocols

ASIC, application-specific integrated circuit: dedicated hardware used to rewrite headers

There are several methods of traffic forwarding:

  • Process switching: goes through the IP input process; every packet is handled by the CPU, which searches the entire routing table, so this is the slowest method.
  • Fast switching: the route lookup result for the first packet is placed in a cache, and subsequent packets only need to be looked up in the cache.
  • CEF: the fastest method. It processes the routing table into a FIB (forwarding information base) that can be queried quickly, so the first packet and all following packets are looked up quickly, and the processing is done by dedicated ASIC hardware.

Use VLAN

VLANs provide effective Layer 2 isolation.

An L3 switch can allow different VLANs to communicate with each other through an L3 interface called an SVI (switched virtual interface): a virtual interface on the VLAN with no corresponding physical port, used only for communication between VLANs.


When a VLAN has no physical ports in it, its virtual interface is also set to down, so no more packets are routed to that VLAN; this behaviour is called Autostate.


Link Redundancy and Load Distribution

Fault tolerance and load distribution

Use EtherChannels to increase bandwidth: multiple links are bundled together and appear to STP as a single link (negotiated with LACP).

For L2 load distribution, we consider only the loop-free case.

HSRP, VRRP, and GLBP are the key protocols to provide redundancy when working with a static routing environment. HSRP is a Cisco proprietary protocol (RFC 2281, informational), VRRP is an Internet Engineering Task Force (IETF)–proposed standard (RFC 2338), and GLBP is a Cisco proprietary protocol.

With HSRP, only one of the two routers (the active router) is responsible for routing the servers’ traffic; the standby router assumes responsibility for the task when the active router fails.

Aggregation1 and Aggregation2 both have an interface on VLAN 10: 10.0.0.253 and 10.0.0.254.

Together, they provide the default gateway to the servers: 10.0.0.1.

Aggregation1 is the active HSRP router: when the server sends an ARP request for 10.0.0.1, Aggregation1 responds with the MAC address 0000.0c07.ac01, which is a virtual MAC (vMAC) address; the burned-in MAC address (BIA) for Aggregation1 is 0003.6c43.8c0a.

In case the interface of Aggregation1 on VLAN 10 is lost, Aggregation2 takes over 10.0.0.1 and the MAC address 0000.0c07.ac01.

HSRP Group

One VLAN segment can have multiple HSRP groups, which allows multiple virtual IP addresses to be used concurrently.

One single router interface can belong to multiple groups and be active for one group and standby for another one.

You assign half of the servers to use the HSRP IP address of group 1 (10.0.0.1) as the default gateway and the other half to use the HSRP IP address of group 2 (10.0.0.2).

VRRP is conceptually similar to HSRP.

In the presence of multiple routers on a VLAN segment, VRRP elects a router as master and the other routers as backup for a given virtual router (equivalent to an HSRP group).

VRRP has preemption enabled by default. You can use the command no vrrp group preempt to disable preemption.

The master router sends hello packets to the multicast IP address 224.0.0.18 (MAC 0100.5e00.0012) every 1 sec, and the backup detects the failure of the master after three hello packets are lost.

GLBP makes it possible for the peer routers providing redundancy to the servers to be active concurrently on the VLAN segment.

All ARP requests for the default gateway from the servers are directed to the virtual IP address (vIP) 10.0.0.1.

Only one of the routers is authorized to respond to the ARP request, the active virtual gateway (AVG).

This router answers to the ARP requests by performing a round-robin among a number of vMAC addresses (for example, two MACs).

Each vMAC address identifies a router in the GLBP group; for example, 0007.B400.0101 is the vMAC for Aggregation1 and 0007.B400.0102 is the vMAC for Aggregation2.

By answering with different vMACs to different servers, the AVG achieves load distribution: half of the servers use Aggregation1 as their default gateway, and the other half uses Aggregation2.

Each router is an active virtual forwarder (AVF) for a given virtual MAC. Aggregation1 is the AVF for 0007.B400.0101 and Aggregation2 is the AVF for 0007.B400.0102. Should Aggregation1 fail, Aggregation2 becomes the AVF for both vMACs.

L3 load distribution methods

The links between the aggregation switches and the core are typically Layer 3 links, and it is desirable to take advantage of the bandwidth provided by all these links.

OSPF allows four equal-cost routes by default, which you can extend to eight routes with the command maximum-path under the router ospf configuration.

EIGRP allows load balancing for four equal-cost routes by default. You can modify this parameter with the maximum-path command. Differently from OSPF, EIGRP can also load-balance unequal-cost routes if you use the variance command.

There are several ways of load-balancing across routes:

Per-packet: Each packet is treated independently, and the router round-robins the packets on all the available routes (equal-cost routes). Packets of one flow may arrive out of order.

Per-destination: Traffic destined to a specific host always takes the same next hop; packets from different clients for the same destination take the same next hop.

Per-source-and-destination: Load balancing on both the source IP address and the destination IP address allows better load distribution without breaking the packet sequence for a specific flow.

Process switching uses per-packet load balancing.

Fast switching uses per-destination load balancing.

CEF uses either per-packet or per-source-and-destination load balancing.

Flow-based MLS typically uses no load balancing by default. You can configure it to per-source-and-destination load balancing by changing the flowmask to source-destination.

CEF-based MLS typically uses per-source-and-destination load balancing (source and destination IP address) by default.
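An added example (not from the page) that models the three load-balancing modes above over two equal-cost paths and shows why per-packet balancing can reorder a flow while the two hash-based modes keep each flow on one next hop; the path names, latencies and addresses are constructed, and the CRC32 hash stands in for whatever hash the forwarding hardware uses.

```python
import zlib
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    seq: int  # position within its flow, used to detect reordering


def _hash_pick(key: str, paths: list[str]) -> str:
    """Deterministic choice among equal-cost paths from a hash of the key (CEF-style)."""
    return paths[zlib.crc32(key.encode()) % len(paths)]


class Router:
    """Next-hop selection over equal-cost routes in one of the page's three modes."""

    MODES = ("per-packet", "per-destination", "per-source-and-destination")

    def __init__(self, paths: list[str], mode: str) -> None:
        if mode not in self.MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.paths = paths
        self.mode = mode
        self._rr = count()  # round-robin counter for per-packet mode

    def next_hop(self, pkt: Packet) -> str:
        if self.mode == "per-packet":            # every packet independently, round-robin
            return self.paths[next(self._rr) % len(self.paths)]
        if self.mode == "per-destination":       # same destination -> same next hop
            return _hash_pick(pkt.dst, self.paths)
        return _hash_pick(f"{pkt.src}|{pkt.dst}", self.paths)  # per-source-and-destination


def paths_used_by_flow(router: Router, flow: list[Packet]) -> set[str]:
    """Next hops a single flow is spread across; more than one means it can reorder."""
    return {router.next_hop(p) for p in flow}


def arrival_order(router: Router, flow: list[Packet], latency: dict[str, int]) -> list[int]:
    """Send one packet per tick over the chosen path; return seq numbers in arrival order."""
    arrivals = [(tick + latency[router.next_hop(pkt)], pkt.seq) for tick, pkt in enumerate(flow)]
    return [seq for _, seq in sorted(arrivals)]


if __name__ == "__main__":
    # Constructed traffic: one 4-packet flow from a server to a client beyond the core.
    flow = [Packet("10.0.0.11", "192.0.2.80", i) for i in range(4)]
    lat = {"core1": 1, "core2": 3}  # unequal path delays make reordering visible
    for mode in Router.MODES:
        r = Router(["core1", "core2"], mode)
        print(mode, arrival_order(r, flow, lat))
    # per-packet -> [0, 2, 1, 3]; the two hash-based modes keep [0, 1, 2, 3]
```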

Dual-Attached Servers

Attach dual-NIC servers to a Layer 2 infrastructure for a loop-free design.

Security

Areas that need protection

Internet Edge

You can provide security at the Internet Edge using the following methods:

Deploying antispoofing filtering to prevent DoS attacks by limiting IP spoofing

RFC 1918 filtering:

RFC 1918 filtering makes sure that no packets using source IP addresses from the private address space are sent to or received from the Internet.

RFC 2827 filtering:

RFC 2827 filtering prevents the spoofing of the enterprise address space by blocking incoming packets with source IP addresses belonging to the public address space reserved for the enterprise’s public services.

Using uRPF, also to prevent DoS attacks by limiting IP spoofing

When uRPF is enabled, each packet is checked not only for its destination IP address but also against the routing table for its source IP address.

It verifies that there is a routing-table entry whose destination matches the source IP address of the packet and that the route is associated with the interface the packet came from.

ACL

Allow only access to and from the public services provided by the enterprise.

These filters permit the typical services used in a Data Center, such as DNS, HTTP, Simple Mail Transfer Protocol (SMTP), ICMP, and Network Time Protocol (NTP).

Implementing traffic rate limiting to reduce the effect of DoS and DDoS attacks

Traffic rate limiting consists of implementing queuing mechanisms that control the volume of traffic forwarded through a router.

The traffic is usually classified based on protocol, source and destination IP address, and port numbers.

Each defined traffic type is assigned a threshold, after which packets are processed at a lower priority or are simply discarded.

You can use traffic rate limiting to reduce the effects of DoS attacks and their large volumes of data.

Drawbacks:

  • Fixed thresholds
  • Legitimate packets often cannot be distinguished from DoS packets

Securing routing protocols to avoid trust exploitation and routing disruptions

When you use dynamic routing, you implement Border Gateway Protocol (BGP) between the ISP and the Internet Edge routers, and you deploy an Interior Gateway Protocol (IGP) such as Open Shortest Path First (OSPF) or Enhanced Interior Gateway Routing Protocol (EIGRP) to propagate routing information to the interior of the enterprise network.

Attackers may inject illegitimate routing updates.

Protocols such as BGP, OSPF, Intermediate System-to-Intermediate System (IS-IS), EIGRP, and Routing Information Protocol Version 2 (RIPv2) provide mechanisms to ensure that routing updates are valid and are received from legitimate routing peers. They achieve this goal by using route filters and neighbor router authentication.

Route filters are typically deployed at the ISP router to ensure that only the public networks assigned to the enterprise are externally advertised.

Internet Edge routers should use neighbor router authentication to ensure that routing updates are valid and are received only from legitimate peers.

1. The routers are configured with a shared secret key that is used to sign and validate each routing update.

2. Every time a router has to send a routing update, the routing update is processed with a hash function that uses the secret key to produce a digest.

3. The resulting digest is appended to the routing update. In this way, the routing update message contains the actual routing update plus its corresponding digest.

4. Once the message is sent, the receiving router processes the routing update with the same hash function and secret key.

5. The receiving router compares the result with the digest in the routing update message. A match means that the sender has signed the update using the same secret key and hashing algorithm and that the message has not changed while in transit.

Deploying stateful firewalls to prevent unauthorized access

The use of stateful firewalls has two main goals, protecting the Internet server farm and controlling the traffic between the Internet and the rest of the enterprise network.

Implementing intrusion detection to detect network reconnaissance activities and to identify threats and intruders

When you deploy the network-based sensor in a switched infrastructure, you must use features such as switch port analyzer (SPAN) or capture to forward traffic to the monitoring interface of the IDS sensor.

DNS signatures: Examples are 6050 - DNS HINFO Request, 6051 - DNS Zone Transfer, 6052 - DNS Zone Transfer from High Port, 6053 - DNS Request for All Records, 6054 - DNS Version Request, 6055 - DNS Inverse Query Buffer Overflow, and 6056 - DNS NXT Buffer Overflow.

HTTP signatures: Examples are 5188 - HTTP Tunneling, 5055 - HTTP Basic Authentication Overflow, 3200 - WWW Phf Attack, 3202 - WWW .url File Requested, 3203 - WWW .lnk File Requested, 3204 - WWW .bat File Requested, 3212 - WWW NPH-TEST-CGI Attack, and 3213 - WWW TEST-CGI Attack.

FTP signatures: Examples are 3150 - FTP Remote Command Execution, 3151 FTP SYST Command Attempt, 3152 - FTP CWD ~root, 3153 - FTP Improper Address Specified, 3154 - FTP Improper Port Specified, 3155 - FTP RETR Pipe Filename Command Execution, 3156 - FTP STOR Pipe Filename Command Execution, 3157 - FTP PASV Port Spoof, 3158 - FTP SITE EXEC Format String, 3159 - FTP PASS Suspicious Length, and 3160 - Cesar FTP Buffer Overflow.

E-mail signatures: Examples are 3100 - Smail Attack, 3101 - Sendmail Invalid Recipient, 3102 - Sendmail Invalid Sender, 3103 - Sendmail Reconnaissance, 3104 - Archaic Sendmail Attacks, 3105 - Sendmail Decode Alias, 3106 - Mail Spam, and 3107 - Majordomo Execute Attack.

Host-based IDSs specifically target host vulnerabilities, including the following:

  • Protection against e-mail worm attacks such as GONER or NIMDA
  • Protection against application hijacking using a dynamic link libraries (DLLs) control hook
  • Protection against downloading files using instant-messenger applications
  • Protection against known buffer-overflow attacks
  • Control of application execution in the system

Campus Core

Disable any unnecessary services and harden the configuration of the switches and routers that build the campus core.

The second recommendation is to secure the exchange of routing updates with routing-update authentication, route filters, and neighbor definitions.

Use secure protocols such as Secure Shell (SSH) and Simple Network Management Protocol Version 3 (SNMPv3), and avoid insecure protocols that do not protect usernames and passwords.

Intranet Server Farms

Management Isolation

Performance

Traffic Patterns

Internet Traffic Patterns

Several organizations carry out research in this area:

San Diego Supercomputer Center (SDSC) http://www.sdsc.edu/

The Cooperative Association for Internet Data Analysis (CAIDA) http://www.caida.org/

The National Laboratory for Applied Network Research, Measurement Network Analysis Group (NLANR) http://www.nlanr.net/

Wide-Area Internet Traffic Patterns and Characteristics

TCP averages 95 percent of bytes, 90 percent of packets, and at least 75 percent of flows on the link.

User Datagram Protocol (UDP) averages 5 percent of bytes, 10 percent of packets, and 20 percent of flows.

Web traffic makes up 75 percent of bytes, 70 percent of packets, and 75 percent of flows in the TCP category.

In addition to Web traffic, Domain Name System (DNS), Simple Mail Transfer Protocol (SMTP), FTP data, Network News Transfer Protocol (NNTP), and Telnet are identified as contributing a visible percentage.

DNS represents 18 percent of flows but only 3 percent of total packets and 1 percent of total bytes.

SMTP makes up 5 percent of bytes, 5 percent of packets, and 2 percent of flows.

FTP data produces 5 percent of bytes, 3 percent of packets, and less than 1 percent of flows.

NNTP contributes 2 percent of bytes and less than 1 percent of packets and flows.

Intranet Traffic Pattern

A good source of information for measuring the performance of IP networks is the paper "Measuring IP Network Performance" by Geoff Huston in the Internet Protocol Journal at http://www.cisco.com/warp/customer/759/ipj_6-1/ipj_6-1_measuring_ip_networks.html.

Common performance metrics

Throughput: The maximum rate at which none of the offered frames are dropped by the device.

Frame loss: Percentage of frames that should have been forwarded by a network device under steady state (constant) load that were not forwarded due to lack of resources.

Latency for store and forward devices: The time interval starting when the last bit of the input frame reaches the input port and ending when the first bit of the output frame is seen on the output port.

Latency for bit-forwarding devices: The time interval starting when the end of the first bit of the input frame reaches the input port and ending when the start of the first bit of the output frame is seen on the output port.

Connection processing rate: The maximum rate of new connections the device is able to process.

CC: The number of simultaneous connections the device is able to track and process.

Multilayer Switch Metrics

Throughput:

Throughput is measured in bits per second (BPS) or PPS. BPS gives the absolute throughput number, but PPS multiplied by the packet size

Multilayer switches process frames or packets.

You obtain the maximum throughput values using the maximum transmission unit (MTU) size.

Frame and Packet Loss:

Frame and packet loss shows the actual processing limits of the DUT (device under test) under a constant load.

Latency:

Latency generally increases as the depth of packet inspection increases.

Firewall Metrics

The DoS handling tests determine how the firewall deals with a high rate of TCP connection requests (SYN packets). This maximum rate indicates how well the firewall would fare under such an attack (a SYN flood attack).

HTTP transfer rate refers to how the firewall handles entire HTTP transactions that include the TCP connection request, the transfer of the objects associated with the URL in the request, and the final connection teardown.

HTTP transaction rate refers to the transaction rate per unit of time that the firewall is able to support.

Illegal traffic handling refers to the capability of the firewall to handle both legal and illegal traffic concurrently.

IP fragmentation handling refers to the capability of the firewall to process fragments that might require reassembly before a rule can be applied.

Load Balancer Performance Metrics

CPS describes how many new connection requests per second a load balancer can process.

The term processing implies the successful completion of the connection handshake and connection teardown.

CC refers to the number of simultaneous connections a load balancer can support.

PPS describes how many packets per second a load balancer can process.

A load balancer has the potential to add more latency than other devices because it can execute tasks deeper in the payload of packets.

At Layer 4, the load balancer must perform the following tasks:

  • 5-tuple lookup
  • Lookup of content policy information on TCP/IP headers
  • Rewrite of MAC header information
  • Rewrite of IP header information
  • Checksum calculations for TCP
  • Calculation and rewrite of other TCP/UDP header information

At Layer 5, the load balancer performs all Layer 4 tasks in addition to the following:

  • Spoofing TCP connections toward the client side
  • Lookup of content policy information on packet payload
  • Initiating new TCP connections with the server
  • Maintaining both client and server connection synchronization, which requires SEQ and checksum calculation, in addition to other header rewrite operations for both connections

Response time is loosely defined as the elapsed time between the end of an application layer request (the user presses the Enter key) and the end of the response (the data is displayed on the user's screen).

SSL Offloaders Performance Metrics

The CPS rate that you should measure for SSL offloaders is related to the number of SSL handshakes it can complete. This metric is often called transactions per second (TPS) or sessions per second.

Concurrent connections or rather concurrent SSL sessions are mostly related to long-lived sessions and therefore indicate the memory capacity to hold them.

As with load balancers, measuring PPS requires real traffic or at least real SSL connections.

Latency on an SSL offloader indicates the time it would take the device to process the data, which in this case is the SSL handshake and subsequent encryption/decryption of packets.

Testing Tools

First are the web load tools:

http://www.testingfaqs.org/t-load.html lists a number of tools.

http://www.softwareqatest.com/qatweb1.html lists a number of tools under the category of load and performance tools.

http://www.aptest.com/resources.html lists a number of testing tools under the category of web test tools.

The next list outlines specific testing tools:

HTTPLOAD from ACME offers a variety of tools for HTTP-related tests at http://www.acme.com/software/http_load/.

The Web Application Stress Tool from Microsoft is at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnw2kmag00/html/StressTool.asp.

WebStone from Mindcraft for benchmarking Web servers is at http://www.mindcraft.com/webstone/.

WebBench from Ziff Davis is at http://www.etestinglabs.com/benchmarks/webbench/webbench.asp.

SPECweb99 from Standard Performance Evaluation Corporation is at http://www.spec.org/osg/web99/.
