Brookhaven Science Associates, U.S. Department of Energy
Network Services
BNL USATLAS Tier 1 / Tier 2 Meeting
John Bigrow, December 14, 2005
BNL LHC Overview
• Preliminary Network and Security Architecture
• IP Address space allocations
• Performance Monitoring
Network Security Limitations
• Current firewall Architecture
– 6 virtual 1 Gb/Sec EtherChannel to backplane
– Rated total throughput of 5 Gb/Sec (EtherChannel overhead loss)
– Single 1 Gb/Sec flow / interface
Network Security Limitations (Continued)
• Current Router Architecture
– Single Access Control List (ACL) per interface: 1 inbound and 1 outbound
– Default behavior: implicit deny
– A single ACL can become unwieldy in a complex WAN environment
Network Security Limitations (Continued)
...
access-list 109 deny ip host 81.12.96.78 any
access-list 109 remark Block IPs per ticket 160,729 1 Month 12/8
access-list 109 deny ip host 219.105.44.115 any
access-list 109 deny ip host 217.199.177.208 any
access-list 109 deny ip host 202.108.13.91 any
access-list 109 deny ip host 210.219.231.2 any
access-list 109 remark ********************* Allow *************************
access-list 109 remark permit all before implicit deny
access-list 109 permit ip any any
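As an added example (not part of the slides), the ACL semantics the deck relies on, first match wins with an implicit deny at the end, in a small Python evaluator that also flags entries that can never match, such as a deny appended after "permit ip any any"; that kind of drift is what makes a single large ACL unwieldy. The sample ACL is constructed with RFC 5737 test addresses, not the addresses from the slide.

```python
import ipaddress
from collections import namedtuple

# Constructed sample in the style of the slide's ACL 109 (RFC 5737 test addresses).
SAMPLE_ACL = """\
access-list 109 remark Block IPs per ticket (constructed sample)
access-list 109 deny ip host 192.0.2.10 any
access-list 109 deny ip 198.51.100.0 0.0.0.255 any
access-list 109 remark permit all before implicit deny
access-list 109 permit ip any any
access-list 109 deny ip host 203.0.113.5 any
"""

# action is "permit" or "deny"; line keeps the original text for reporting
Entry = namedtuple("Entry", "action src dst line")

def _parse_addr(tokens):
    """Parse one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard masks are hostmasks, which ipaddress accepts after the '/'
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(text, number):
    """Ordered ACEs of numbered ACL `number`; remarks skipped, protocol assumed 'ip'."""
    entries = []
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 4 or t[:2] != ["access-list", str(number)] or t[2] == "remark":
            continue
        src, rest = _parse_addr(t[4:])
        dst, _ = _parse_addr(rest)
        entries.append(Entry(t[2], src, dst, raw.strip()))
    return entries

def evaluate(entries, src_ip, dst_ip):
    """First match wins; falling off the end is the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action
    return "deny"

def shadowed(entries):
    """Entries that can never match because an earlier entry already covers them."""
    return [e.line for i, e in enumerate(entries)
            if any(e.src.subnet_of(p.src) and e.dst.subnet_of(p.dst) for p in entries[:i])]
```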
BNL LHC OPN Conceptual Block Diagram (figure)
Components shown: LHC OPN private core intranetwork; BNL border router with optional dedicated LHC OPN FWSMs; LHC OPN T0-T1 lambda (Layer 2 tunnel); BNL LHC OPN primary distribution switches; ES Net / general Internet / Tier 2 reached over the BNL Internet / Tier 2 lambda (NYSERNET / Broadwing) using ES Net provisioned CIDR IP space; BNL LHC OPN disk cache / storage / analysis facilities (multi-homed); other Tier 1 sites; BNL campus network.
Link rates shown: 20 Gb/Sec on the LHC OPN paths, 1 Gb/Sec on the other links, with future 10 Gb/Sec upgrades.
Controls shown: an ACL at each boundary and a CIDR-restricted distribute list (ES Net only).
IP Address Allocation Tier 0 to Tier 1 (BNL - CERN)
• Requires routable IP Address space
• Direct BGP peering with CERN to / from BNL
• Limited route advertisements between T0 and T1
– For the LHC OPN circuit BNL will use 192.12.15.0/24
IP Address Allocation Tier 1 to Tier X (BNL - Internet)
• Requires routable IP Address space
• Direct BGP peering with ES Net from BNL
• Full Internet route advertisements
– ES Net CIDR IP Address Space
– For the Internet circuit BNL will use 198.124.220.0/24
– 3 additional class C networks available
IP Address Allocation Tier 1 to Tier X (Continued)
• DNS fully qualified domain hostname
• Accessible ONLY from ES Net – no other path to get to BNL for LHC / Atlas
Preliminary BNL 10/20 Gig-E LHC OPN, Initial Architecture (figure)
Shown: core switches CoreSW9 and SW7; hosts Mutt, Amon, Tefnut, Shu, Anubis, Nephthys, Isis and Osiris on the BNL LHC OPN; a direct Layer 2 interface to CERN (T0 - T1, 1 x 10G); an Internet peer with ES Net (1 x 10G); a gateway ACL on each of the two external links.
Future BNL LHC OPN Enhancements
• Dedicated Cisco Firewall Service Modules when available
– Eliminate router ACL functionality / maintenance
– Connection logging
– Each FWSM circuit will not impede the 10 Gb/Sec.
– Stateful FWSM redundancy
• IDS / IPS when available
Preliminary BNL 10/20 Gig-E LHC OPN, Enhanced Architecture (figure)
Shown: the same hosts, core switches (CoreSW9, SW7) and 1 x 10G links to CERN (T0 - T1) and ES Net as in the initial architecture, with a Cisco Systems IDS / IPS on each external link and a stateful link between the two sides.
Mon
• Browser-based IP service monitor
• Internet-centric WAN based monitor application
• Interrogates essential BNL network services
MonaLisa
• Java based SNMP monitoring tool
• External WAN based monitor
• Tracks BNL EtherChannel, OC-48, Firewall Service Module, 10 Gb/Sec. uplink to the BNL core
Summary
• Tier 2 traffic dependent on Internet connectivity
– Path to BNL via ES Net only
– Initial router ACL based access to BNL
– BNL provides DNS hostname for Internet resolution
Questions/Comments
???
BNL Points of Contact
Scott Bradley, Manager of Network Services
• 631.344.5745, [email protected]
John Bigrow, Senior Network Architect
• 631.344.2648, [email protected]