v100r001c31 white paper - huawei/media/cnbg/downloads/product/it/en...opportunities and challenges...

IDC Solution V100R001C31

White Paper

Issue 01

Date 2013-07-30

HUAWEI TECHNOLOGIES CO., LTD.

Issue 01 (2013-07-30) Huawei Proprietary and Confidential

Copyright © Huawei Technologies Co., Ltd.

ii

Copyright © Huawei Technologies Co., Ltd. 2014. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.

All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and

the customer. All or part of the products, services and features described in this document may not

be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all

statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the

preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base

Bantian, Longgang

Shenzhen 518129

People's Republic of China

Website: http://enterprise.huawei.com

IDC Solution

White Paper About This Document



iii

About This Document

Purpose

This document describes services, architecture, and reference models of the Internet Data

Center (IDC) solution.

Intended Audience This document is intended for:

Technical support engineers

System engineers

Symbol Conventions The symbols that may be found in this document are defined as follows.

Symbol Description

DANGER indicates a hazard with a high level or medium

level of risk which, if not avoided, could result in death or serious injury.

WARNING indicates a hazard with a low level of risk which,

if not avoided, could result in minor or moderate injury.

CAUTION indicates a potentially hazardous situation that, if

not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results.

TIP indicates a tip that may help you solve a problem or save

time.

NOTE provides additional information to emphasize or

supplement important points of the main text.

IDC Solution

White Paper About This Document



iv

Change History

Changes between document issues are cumulative. The latest document issue contains all the

changes made in earlier issues.

Issue 01 (2013-07-30)

This issue is used for first office application (FOA).

IDC Solution

White Paper Contents



v

Contents

About This Document .............................................................................................................. iii

1 IDC Trend and Introduction ................................................................................................... 7

2 Customer Benefits .................................................................................................................... 9

3 IDC Services............................................................................................................................ 10

3.1 Cloud Host Service ...................................................................................................................................10

3.1.1 Overview .........................................................................................................................................10

3.1.2 Highlights ........................................................................................................................................10

3.1.3 Logical Architecture ........................................................................................................................ 11

3.1.4 Features ...........................................................................................................................................12

3.1.5 Operation Model ..............................................................................................................................16

3.2 VPC Service .............................................................................................................................................16

3.2.1 Introduction .....................................................................................................................................16

3.2.2 Highlights ........................................................................................................................................17

3.2.3 Logical Architecture ........................................................................................................................18

3.2.4 Technical Features ...........................................................................................................................19

3.2.5 Operation Model ..............................................................................................................................23

3.3 Massive Object Storage ............................................................................................................................23

3.3.1 Overview .........................................................................................................................................23

3.3.2 Highlights ........................................................................................................................................23

3.3.3 Operation Model ..............................................................................................................................26

3.4 Cloud Backup ...........................................................................................................................................26

3.4.1 Introduction .....................................................................................................................................26

3.4.2 Highlights ........................................................................................................................................26

3.4.3 Service Architecture .........................................................................................................................27

3.4.4 Operation Model ..............................................................................................................................27

4 IDC Architecture .................................................................................................................... 28

4.1 Computing and Storage Cloud-based Architecture .....................................................................................28

4.1.1 Cloud OS .........................................................................................................................................28

4.1.2 Server +SAN Storage (Traditional Architecture) ...............................................................................32

4.1.3 Server +FusionStorage Distributed Storage (Innovative Architecture) ...............................................37

4.1.4 Comparison Between SAN Storage and FusionStorage .....................................................................41

IDC Solution

White Paper Contents



vi

4.2 Network ...................................................................................................................................................42

4.2.1 Overview .........................................................................................................................................42

4.2.2 IDC Network Architecture ...............................................................................................................44

4.2.3 Area-Based Architecture Design .......................................................................................................45

4.2.4 Data Center Interconnection Architecture .........................................................................................48

4.2.5 Features ...........................................................................................................................................50

4.3 Security ....................................................................................................................................................53

4.3.1 Overview .........................................................................................................................................53

4.3.2 IDC Security Architecture ................................................................................................................54

4.3.3 IDC Security Layer Design ..............................................................................................................56

4.3.4 IDC Security Features ......................................................................................................................58

4.4 Management .............................................................................................................................................59

4.4.1 IDC Management Overview.............................................................................................................59

4.4.2 IDC Management Architecture .........................................................................................................61

4.4.3 Customer Benefits ...........................................................................................................................65

4.5 DR ...........................................................................................................................................................66

4.5.1 Overview .........................................................................................................................................66

4.5.2 Active/Active VIS DR Solution ........................................................................................................69

4.5.3 Array Replication-based DR Solution ...............................................................................................72

4.5.4 Comparisons Between DR Solutions ................................................................................................75

4.6 Backup .....................................................................................................................................................75

4.6.1 Overview .........................................................................................................................................75

4.6.2 VM-level Backup Solution ...............................................................................................................78

4.6.3 CommVault Cloud Backup Solution .................................................................................................80

4.6.4 Comparison Between Backup Solutions ...........................................................................................82

5 IDC Reference Models .......................................................................................................... 83

5.1 Reference Model for a FusionStorage Small-scale Scenario .......................................................................83

5.1.1 Networking......................................................................................................................................83

5.1.2 Device Configuration .......................................................................................................................84

5.2 Reference Model for a FusionStorage Large-scale Scenario .......................................................................87

5.2.1 Networking......................................................................................................................................87


5.3 Reference Model for the Rack Server + SAN Scenario ..............................................................................90

5.3.1 Networking......................................................................................................................................90


5.4 Reference Model for the Blade Server + SAN Scenario .............................................................................93

5.4.1 Networking......................................................................................................................................93


A Acronyms and Abbreviations .............................................................................................. 94

IDC Solution

White Paper 1 IDC Trend and Introduction



7

1 IDC Trend and Introduction

The IDC is a high-performance local area network (LAN) platform deployed in secure,

reliable, and professional equipment rooms. The platform has high-speed Internet access

bandwidth, implements professional operation and maintenance management, and provides

comprehensive operable applications for enterprises and individuals over the Internet. IDC

carriers can provide Internet-based IT platform services and various value-added services by

their owned or leased data centers for users such as enterprises, individuals, Internet service

providers (ISPs), and Internet content providers (ICPs). Data centers built by enterprises and

used for themselves are not IDCs.

IDC carriers have the following types:

Traditional telecom carriers: have backbone networks, Internet bandwidth, and

professional data equipment rooms.

IDC carriers that have their owned equipment rooms: They are generally traditional ISPs and ICPs who are familiar with applications.

IDC carriers that lease equipment rooms: They lease equipment rooms and bandwidth to build operable data centers.

Traditional IDC services include basic services (such as equipment room leasing, rack leasing,

hosting, and host leasing), resource leasing (such as public IP address leasing, bandwidth

leasing, and data storage services), and value-added services (such as data backup, bandwidth

management, traffic analysis, load balancing, and security services). Currently, traditional

IDC markets, especially in Europe and America, are to be saturated. Large-scale telecom

carriers continuously build data centers worldwide to strengthen global service capabilities

and balance data center deployment. Most of newly built data centers are cloud computing

data centers, providing Infrastructure as a Service (IaaS), platform as a service (PaaS), and

software as a service (SaaS).

With the development of the e-commerce, e-Government, Internet of Things (IoT), and

mobile Internet, the Internet industry has rich applications, the number of users and the access

volume of services are increasing, and big data processing in the background increases rapidly.

Big data has different features from traditional data. Big data analysis requires high

performance and real-time performance and has different requirements for software and

hardware architectures from traditional data analysis. Users have high requirements for

service access speed, real-time access performance, and value-added services, which are

opportunities and challenges for IDCs. Traditional IDCs face challenges on big data

processing performance and new value-added services, including network automation, rapid

application deployment, elastic resource utilization, and unified resource management.

To improve the traditional IDC architecture, cloud computing technologies are changing the

mode of the entire IT industry and provide opportunities for the comprehensive

IDC Solution

White Paper 1 IDC Trend and Introduction



8

transformation from the communications industry to the ICT industry. Cloud data centers use

virtualization technologies and high-performance infrastructures and implement unified

resource management and operation to provide on-demand services. The on-demand services

become a mainstream market trend.

IDC Solution

White Paper 2 Customer Benefits



9

2 Customer Benefits

The IDC is an Internet-based network. It provides operation and maintenance services for

devices that collect, store, process, and transfer data and provides services for external

networks. Traditional IDC services include basic services (such as equipment room leasing,

rack leasing, hosting, and host leasing), resource leasing (such as public IP address leasing,

bandwidth leasing, and data storage services), and value-added services (such as data backup,

bandwidth management, traffic analysis, load balancing, and security services). The IDC

brings the following values:

Brings more profits for carriers

IDC vendors provide IDC hardware, software, services, operation, and maintenance

capabilities for carriers. Then carriers provide related services for end users, such as

enterprises and the public, by these hardware, software, and services to gain profits. With

the development of IT technologies, especially cloud technologies, cloud-related services

become rich. IDCs become energy-saving and environmentally-friendly and can be easily managed and maintained.

Facilitates the IT transformation.

As the IDC develops, enterprises begin to assess architectures (including

high-performance computing, memory computing technologies, and large-scale

concurrent processing) and information management (especially information

management of analysis domains) policies to meet requirements of service departments.

They realize that the traditional IDC faces challenges: insufficient capital and planning

capabilities, high maintenance costs, difficult service expansion, and low efficiency.

Therefore, IT services brought by the IDC are the trend of IT-based enterprise development.

Allows the public to use and share massive data.

Nowadays, the public have high requirements for Internet information, such as

microblogs, WeChat, mobile office, telephone reading, electronic documents, online

music, online TVs, and online video. How to provide these services and ensure data

security is important. The IDC can meet the public's requirements for massive

information. The IDC not only provides rich services and massive data, but also ensures data privacy, integrity, and reliability.

IDC Solution

White Paper 3 IDC Services



10

3 IDC Services

Traditional IDC carriers primarily provide resource leasing services, such as the equipment

room leasing, rack leasing, hosting, host leasing, public IP address leasing, and bandwidth

leasing. These services are increasingly homogenous. Traditional IDC carriers face great

challenges in high electric power consumption, low resource utilization, and complex

application deployment.

Cloud computing technologies are used to improve the resource utilization of IDCs, facilitate

on-demand and rapid application deployment, and implement unified O&M and operation

management. The new services brought by cloud IDCs generate new streams of revenues for

IDC carriers and improve their profitability.

3.1 Cloud Host Service

3.1.1 Overview

Cloud host services brought by the IDC public cloud offer flexible, on-demand VMs based on

the Huawei virtual computing environment FusionSphere. Based on the service deployment,

users can lease VMs with different configurations and related value-added service features,

and run standard or customized image files on VMs.

Users have full control of leased cloud host resources, such as usage, monitoring, and

maintenance of basic cloud hosts and value-added features.

User data can be stored on cloud host instances. However, when cloud host instances are

damaged, user data will be lost. Users generally store user data on the Elastic Block Storage

(EBS) that is independent from cloud host instances and provides reliable and elastic block

storage services for cloud hosts. In addition, users can purchase cloud host instances or

backend as a service (BaaS) of the EBS to implement snapshot backup for key service data

volumes or cloud host instances.

3.1.2 Highlights

Elastic and on-demand resource allocation

Users are allowed to apply for resources as required, saving expenses.

Flexible, rapid, and automated service deployment

Multiple cloud host specifications for the CPU, memory, storage, and operating system (OS) are supported. Service provisioning and deployment are rapid.

IDC Solution




11

Full control

Users have full control of cloud hosts, such as logging in to VMs using virtual network

computing (VNC) and having administrator rights.

Real-time performance monitoring

Users can monitor performance, such as the CPU, memory, and disk utilization, disk input/output (I/O), and network I/O, in real time to learn about the service running status.

Data security

VM-level backup is implemented based on the disk snapshot function of cloud hosts.

Security

Network access among cloud hosts can be controlled by the virtual firewall (VFW) and

security group configuration. VPCs can be used to isolate networks. The IP Security

(IPsec) virtual private network (VPN) technology is used to connect cloud data centers to

enterprise IT centers.

Various value-added network services

Various value-added network services, such as elastic IP addresses and elastic load

balancer (ELB), are provided for users, and these services can be configured on the Internet Explorer page.

3.1.3 Logical Architecture

Mainstream application layers include the web server, application server, and database (DB)

server. Cloud host services include the VM instance installation and value-added services and

features.

Cloud hosts not only provide VMs for users, but also provide a VM-centric comprehensive

solution, including VM instances and value-added services and features, for user IT

application deployment based on the cloud IDC architecture. The following describes cloud

host features:

VM instance supporting various specifications

After IDC infrastructures are virtualized, a virtualization resource pool that can be

managed in unified manner is constructed. IDC carriers can implement unified O&M

and operation management for the resource pool (physical and virtual resources) by

using FusionManager. Users can flexibly apply for virtual computing and storage

resources based on their own service characteristics to create VM instances with different specifications.

Cloud host usage

Users have full control and usage rights of cloud hosts, such as starting, stopping, and

logging out of cloud hosts, modifying cloud host specifications, logging in to VMs using VNC for VM O&M, and monitoring cloud host performance on a specific page.

Elastic IP address

Public IP addresses can be flexibly bound to, unbound from, or reclaimed from cloud

hosts on the user portal. FusionManager automatically provisions the Network Address

Translation (NAT) configuration to firewalls, so that carriers' administrators are not

required to perform the NAT configuration on firewalls.

EBS volume

Users can create EBS volumes and attach these volumes to VM instances to provide

reliable and elastic block storage services. Even if VM instances are damaged, user data will not be lost.

Cloud host snapshot backup

IDC Solution




12

Snapshot backup can be performed for VM instances or volumes of the leased cloud

hosts. Users can configure and query backup policies and restoration tasks.

3.1.4 Features

Cloud Host Instance Supporting Various Specifications

Cloud OS software, consisting of virtualization platforms and cloud service platforms, is

deployed on IDCs. This software is used to virtualize IDC hardware resources (computing,

storage, and network resources) by using virtual computing, storage, and network

technologies and centrally manage virtual, service, and user resources.

Computing virtualization

Computing virtualization enables physical server resources to be virtualized into virtual

CPUs (vCPUs), memory, disks, I/O resources. A server can be divided into a few or many separated VMs. At the same time, VM isolation and high security is ensured.

Network virtualization

Network virtualization is a process wherein the physical network resources of a server

are virtualized into multiple logical resources. For example, a NIC of the server can be

virtualized into several or even hundreds of isolated virtual NICs. FusionCompute

supports intelligent NICs to implement multi-queue, virtual switching, high QoS, and

uplink aggregation functions. This improves the I/O performance of virtual NICs.

Storage virtualization

Storage virtualization enables storage devices to be converted to logical data storage. A

VM is stored as a set of files in a directory on the data storage. Data storage is a logical

container that is similar to a file system. It hides the features of each storage device and

forms a unified model to provide disks for VMs. The storage virtualization technology

helps the system manage virtual infrastructure storage resources with high resource

utilization and flexibility. Data storage supports the virtual image management system and network file system.

Users can select VMs with different specifications based on IT resource consumption. Logical

resources of VM instances include vCPUs, memory, system disks, data disks, and NICs. Table

3-1 lists the common instances.

Table 3-1 VM specifications

vCPU Memory (GB)

System Disk (GB)

Data Disk (GB) Network

Standard host: Suitable for most applications.

Low-end host 1 2 60 130 100 Mbit/s

Mid-range host 2 4 60 260 100 Mbit/s

High-end host 4 8 60 520 100 Mbit/s

Super large host 8 16 60 1040 1 Gbit/s

Host with large memory capacity: Suitable for high-throughput applications such as database and cache

applications.

Mid-range host 8 24 60 1040 1 Gbit/s

IDC Solution




13

vCPU Memory (GB)

System Disk (GB)

Data Disk (GB) Network

High-end host 16 48 60 2080 1 Gbit/s

Host with high computing performance: Suitable for computing-intensive applications.

High-end host 8 4 60 520 1 Gbit/s

Super large host 16 8 60 1040 1 Gbit/s

Cloud Host Usage

Users have full control and usage rights of leased cloud hosts. The basic usage rights include:

Logging in to VMs using VNC

Starting, stopping, and logging out of cloud hosts

Modifying cloud host specifications

Monitoring cloud hosts

O&M administrators log in to VMs using VNC to maintain and operate cloud hosts, such as

resolving problems during the remote server login, setting private IP addresses, and modifying

network configurations. IDC end users also require cloud host maintenance. In this case, the

VNC service needs to perform NAT conversion across the public network.

Users are allowed to maintain and operate cloud hosts, such as starting, stopping, and logging

out of cloud hosts, on the user portal.

Users can apply to online or offline modify cloud host specifications, including vCPUs,

memory, storage capacity, and the number of NICs, based on the service running status.

Cloud hosts do not support the cloud monitoring function by default. Only after users

subscribe the cloud monitoring service, the cloud monitoring function can be supported.

When cloud monitoring is enabled for a cloud host on the self-service portal, the operation

management system, that is, the Cloud Service Brokerage (CSB) sends monitoring messages

to the resource pool system (FusionManager). The resource pool system starts to obtain

monitoring data in real time from underlying virtualization platforms or network devices.

Then the operation management system regularly queries real-time monitoring data about

specific resources from the resource pool system. Monitoring data is displayed on the user

portal according to customers' habits. When the performance report of a resource needs to be

queried, the operation management system sends report querying information to the operation

and maintenance management (OMM) system. Then the OMM system queries performance

report data in specific time periods according to the resource ID and reflects these data to the

operation management system. These data is displayed on the user portal according to

customers' habits. Important cloud host indicators, such as the CPU, memory, and disk

utilization, disk I/O, network traffic.

Elastic IP Address

The elastic IP address refers to the public IP address that is bound to the first NIC of a VM.

The elastic IP address allows users to access a VM over the public network by using a fixed

address. An elastic IP address can be bound to only one VM at a time. The elastic IP address

bound to a VM will not be released or changed when the VM is stopped or migrated.

IDC Solution




14

An elastic IP address can be configured on the user portal. When a public IP address is bound

to a cloud host, FusionManager automatically configures the NAT mapping relationships

between the public IP address and the private IP address of the cloud host on firewalls. When

the public IP address is unbound from the cloud host, FusionManager automatically deletes

the NAT mapping relationships, and the public IP address is released for other cloud hosts.

Figure 3-1 Elastic IP address

EBS Volume

The Huawei elastic block storage (EBS) provides block storage for cloud host instances. EBS

volumes are independent from the storage devices of cloud host instances. User data is stored

in EBSs. If cloud host instances are damaged, user data is not affected. EBSs are suitable for

databases, file systems, or data raw devices. The EBS volume capacity ranges from 10 GB to

1 TB. EBS volumes can be attached to different cloud host instances and function as local

disks. One cloud host instance can be attached with multiple EBS volumes. One EBS volume

can only be attached to one cloud host instance at a time.

Figure 3-2 Logical architecture of the EBS

IDC Solution




15

Cloud Host Snapshot Backup

The VM snapshot backup service is available for the users who lease cloud hosts from carriers.

This service enables users to back up and restore leased VMs by using snapshots, ensuring

data security. Users can configure backup policies and restore VMs as required. Users can

enable the VM-level backup service in one-click mode without building other backup systems.

Figure 3-3 shows the logical architecture of VM-level snapshot backup.

Figure 3-3 Logical architecture of VM-level backup

Control data traffic

Backup data traffic

End users

VMs in enterprise B VMs in enterprise A

Local snapshot Snapshot backup

VMs in enterprise B VMs in enterprise A

Local snapshot Snapshot backup

Backup storage resource

OMM system

The logical architecture consists of the OMM system, FusionCompute, and HyperDP backup

module.

The OMM system provides a service management portal and an operation service portal. The

HyperDP cooperates with FusionCompute to back up VMs or specified VM volumes based on

specified policies. When VM data is lost or VMs are faulty, data can be restored by using

backups. Backup data is stored on the virtual disks attached to the HyperDP VM or the

peripheral storage devices of the NFS/CIFS shared file system.

The VM-level backup service enables users to configure the full backup policy, incremental

backup policy, backup cycle, backup period, and backup data expiration policy. Different

types of VMs can be configured with different backup policies.

Carriers' administrators can manage the VM snapshot backup service (such as user

management, service management, and charging and measuring management) over the

service management portal. End users can subscribe, unsubscribe, renew the VM snapshot

backup service, configure backup policies, back up and restore data, and query resource usage

over the operation service portal.

The HyperDP backup module implements data backup and restoration function. This module

automatically backs up data based on policies, stores and manages end users' backup data,

records detailed backup and restoration operations, and provides detailed resource usage and

IDC Solution




16

measuring information. Backup storage devices provide physical storage space for backup

data.

3.1.5 Operation Model

The cloud host service is charged at a flat monthly or yearly rate based on VM specifications.

The following cloud host features are charged:

Cloud host

Cloud hosts are charged at a flat monthly or yearly rate or by usage volume. The

charging period is an hour. This is a postpaid mode.

Cloud monitoring

Cloud monitoring services are charged at a flat monthly or yearly rate

Elastic IP address

Elastic IP addresses are charged at a flat monthly or yearly rate based on the quantity and

usage time of elastic IP addresses.

ELB

ELBs are charged at a flat monthly or yearly rate.

VFW

VFWs are charged at a flat monthly or yearly rate based on VFW specifications.

EBS volume

EBS volumes are charged at a flat monthly or yearly rate based on the EBS volume capacity.

VM snapshot backup

The cloud host VM snapshot backup service is charged based on the backup object size (GB) multiplied by hours. This is a postpaid mode.

3.2 VPC Service

3.2.1 Introduction

The VPC service is to create a private network in the public cloud. The private network can

communicate with user networks. Enterprises can apply for VPCs on the public cloud

platform. Enterprises can use independent IP addresses and spaces in VPCs, and are isolated

from other networks which are not in VPCs.

Enterprises can use VPN gateways to connect VPCs to the existing enterprise networks.

Virtual networks function as the sub-networks of the existing enterprise networks. VPCs

support webs, databases, emails, OA, CRM, and HR applications. The enterprise data can be

backed up to cloud hosts in VPCs.

VPNs are provided by carriers or created by customers themselves. Therefore, complex host

configuration is not required.

IDC Solution




17

Figure 3-4 Logical VPC architecture

Cloud data center

Core switch

VPN gatewayEnterprise A's employees on business trip

Enterprise A Enterprise B

As for enterprises, the private cloud uses the virtualization technology to isolate network and

computing resources because cloud resources can be accessed only by VPNs. The

virtualization layer on the cloud also uses the isolation technology to ensure that users can use

VMs exclusively. The private cloud simplifies deployment. A user can specify an internal IP

address for a VM and configure the subnet and routing table, seamlessly connecting the VM

to the enterprise intranet. The VM functions as if it were a local physical server. The VM

provides powerful computing performance, uses encrypted link channels for communication,

and is protected by firewall rules. In addition, the VM provides value-added services, such as

load balancing and multi-firewall security groups. Therefore, more optional services and

deployment modes are available for enterprise IT systems.

3.2.2 Highlights

Elastic Resource Expansion

The cloud computing has the capability to dynamically adjust resources. Each enterprise can

dynamically apply for VPC resources over the self-service portal. Each VPC is established

based on physical resources. As for users, they can obtain endless resources from the cloud.

Elastic resource expansion is suitable for rapidly developed enterprises and supports smooth

expansion from small-scale database to large-scale database.

Flexible Resource Management

Users can centrally manage the VMs added in VPCs over the self-service portal. Users have

permissions to monitor owned resources and query resource running status and active services.

Users can also customize resource adjustment methods and group resources. Resource online

and exit operations are performed on the unified VPC management portal, which is more convenient than the decentralized management mode of the traditional data center.

IDC Solution




18

Secure and Reliable Network

Enterprises' internal IT systems run on VPCs, and sensitive user data is transmitted over the

network. Therefore, secure and reliable networks are required to ensure data security. VPCs

use IPsec VPNs to access enterprises. Data link reliability is ensured and data transmission is

encrypted, which prevent user data from being intercepted.

3.2.3 Logical Architecture

Figure 3-5 shows the logical architecture of the VPC service.

Figure 3-5 Logical architecture of the VPC service

Public network connection

Platform management/service configuration connection

Physical connection

Enterprise IT administrator

Enterprise A

Enterprise user

Enterprise IT resource

Enterprise B

Carrier's bearer network

IDC administrator

IP SAN

VM service area

Virtualization platform

Virtualization platform

IDC operation and O&M server group

SSH, RDP, and VNC

SSH, RDP, and VNC

Enterprise IT administrator

Enterprise user

Enterprise IT resource

IP SAN

VM service area

The carrier's IDC provides a large resource pool, which includes computing resources, storage

resources, virtual networks, VFWs, and ELBs. Users obtain VPC resources from the resource

pool without concerning resource locations and methods for providing resources. Only the

unified OMM interface is visible to users.

Carriers' administrators use a unified management platform to manage physical and virtual

resources of the entire data center. Carriers' administrators approve users' applications for

VPC resources and handle routine operations and O&M affairs. Users subscribe and change

services over the self-service portal. Users can apply for services. After carriers'

administrators approve the application, services are automatically provisioned, and resources

are automatically created and allocated.

By using VPN tunnels, users connect to the VPCs that they have applied from the IDC. VPCs

become a part of enterprise IT resources. User data transmission is encrypted at the enterprise

IDC Solution




19

and IDC edges and is transparent to public networks. VPC IP addresses are assigned by users

and can be planned based on actual situations.

In the IDC, network isolation covers from access devices to edge egress devices. Therefore,

different tenants can use the same VPC IP address segment. Users do not worry about that IP

addresses in a carrier's data center conflict with each other.

3.2.4 Technical Features

VPC Service Usage

Users can apply for, renew, unsubscribe, and configure services over the OMM system user

portal. Operation administrators can manage VPC specifications over the management portal.

VPC specification management: Operation administrators log in to the CSB management

platform to manage VPC specifications. When VPC specifications are created, operation

administrators must set the maximum number of network and public network IP addresses,

network bandwidth, and priority. Networks include the direct network, routing network, and

intranet.

Service application: Users can customize VPC names and template types to apply for services.

After the application has been approved by carriers' administrators, resources are

automatically provisioned.

Service renewal: when services expire, services are frozen. In this case, users can renew

services.

Service unsubscription: If a user does not want to use a service, the user can unsubscribe from

the service to release resources.

Users configure IPsec VPN tunnels on VPC VFWs and enterprise edge network devices. All

enterprise data is transmitted through IPsec tunnels. After VPN tunnels have been enabled,

enterprises can plan or customize IP address segments for VPCs based on enterprise intranets.

The gateways of IP address segments are configured on VFWs.

ELB

Allows an ELB to be virtualized into multiple LBs, which provide load balancing for each

tenant separately. Tenants can customize load balancing policies, algorithms, listeners,

uploaded certificates, and weight. The ELB, a value-added feature for multi-cloud host

solutions, must be used along with cloud hosts. The VLB can automatically assign service

traffic of applications to multiple cloud hosts, check the health status of cloud hosts, and

automatically isolate abnormal cloud hosts. This ensures good performance, capacity

expansion, and stability of a server. In addition, the ELB enhances the threat prevention

capability of the server pool and ensures secure isolation of applications and servers.

IDC Solution




20

Figure 3-6 Logical architecture of the ELB

The key components in the logical architecture include the OMM system and F5 LBs or

software load balancers (SLBs).

The OMM system is the core software of public cloud data center. The OMM system is

responsible for data center operation, maintenance, monitoring, and resource pool

management and scheduling.

The unified portal module is used for users and carriers' administrators to access data center

services.

The operation management module is used to apply for, unsubscribe from, provision, cancel,

and delete services. By using this module, individual and enterprise users can apply for,

unsubscribe from, and configure services, and carriers' administrators can customize service

packages and provision services.

The resource pool management module connects to underlying hardware devices or software

to convert user requests and underlying functions and support correct configuration on related

devices or software.

F5 LBs support the load balancing function, providing the load balancing function for each

user separately. Requests sent by each user can be configured independently, and the

configuration is not conflicted because load balancing is isolated.

The resource pool management module connects to F5 LBs. The operation management

module sends user requests to the resource pool management module. The resource pool

management module converts user requests to functional instructions and sends functional

instructions to hardware devices or software for configuration. After configuration is

implemented on the hardware devices or software, the hardware devices or software returns a

value to the resource pool management module. Then the resource pool management module

returns a value to the operation management module, indicating that the service has been

configured.

F5 LBs provide command-line interfaces (CLIs) and application programming interfaces

(APIs). The resource pool management module can invoke these interfaces to provision F5

LB configuration to F5 LBs based on users' instructions.

IDC Solution




21

VFW

A physical firewall is virtualized into multiple VFWs. Each tenant can apply for one or

multiple VFWs. The functions of VFWs are the same as those of the physical firewall. The

tenant can customize the server gateway IP address, access control list (ACL), application

specific packet filter (ASPF), and names and number of security domains to meet different

requirements on security.

The VFW service is a value-added security service provided by carriers. The VFW offers

configurable and customized network firewall functions, which cover most of the functions of

common firewalls. The VFW also helps create a reliable security protection layer. This layer

protects users' cloud resources from external attacks and supports customized policies to

allow authorized users to access cloud resources. Users can apply VFWs by themselves. The

VFW can be deployed and enabled in several minutes.

Figure 3-7 Logical architecture o f the VFW

The key components in the logical architecture include the OMM, firewall, and virtualization

platform.

The OMM system is the core software of public cloud data center. The OMM system is

responsible for data center operation, maintenance, monitoring, and resource pool

management and scheduling.

The unified portal module is used for users and carriers' administrators to access data center

services.

The operation management module is used to apply for, unsubscribe from, provision, cancel,

and delete services. By using this module, individual and enterprise users can apply for,

unsubscribe from, and configure services, and carriers' administrators can customize service

packages and provision services.

The resource pool management module connects to underlying hardware devices or software

to convert user requests and underlying functions and support correct configuration on related

devices or software.

IDC Solution




22

The Huawei firewall supports the VFW function, providing a VFW for each user. VFWs can

be independently configured, and VFW configuration is not conflicted.

The resource pool management module connects to the Huawei firewall. The operation

management module sends user requests to the resource pool management module. The

resource pool management module converts user requests to functional instructions and sends

functional instructions to the Huawei firewall for configuration. After configuration is

implemented on the Huawei firewall, the Huawei firewall returns a value to the resource pool

management module. Then the resource pool management module returns a value to the

operation management module, indicating that the service has been configured.

The Huawei firewall provides the CLI. The resource pool management module can invoke the

CLI to provision VFW configuration based on users' instructions.

Security Group

The security group feature provides network isolation capabilities in the VPC.

You can add some IP addresses in the VPC to a security group, and set access rules for

different security groups. These IP addresses do not need to be consecutive, that is, the IP

addresses om a security group can belong to different segments.

Inter-security group access rules can be configured as follows:

Allow or forbid requests from another security group to access the security group

through specified protocols and interfaces.

Allow or forbid requests from a specified IP address segment to access the security group

through specified protocols and interfaces.

IP addresses in the same security group are not restricted for access.

In this way, refined control can be implemented for internal network security behavior in the

VPC, as shown in Figure 3-8.

Figure 3-8 Network security control

IDC Solution




23


Enterprise users subscribe VPCs over the self-service portal. Network resources are allocated

to enterprise users after carriers' administrators approve subscription. Enterprise users can add

subscribed cloud hosts to VPCs. Cloud hosts are paid per use. IPsec VPN tunnels are used to

connect cloud hosts in VPCs to internal enterprise IT systems. Enterprises only have

permissions to user physical resources, but do not own physical resources. When enterprises

unsubscribe services, resources are reclaimed for other VPCs.

The VPC service is free, and only the VFW, ELB, and security group features are charged.

3.3 Massive Object Storage

3.3.1 Overview

Designed based on Huawei cloud storage technologies, carrier service characteristics, and

Huawei rich experience, the massive object storage solution constructs a systematic, operable,

manageable, maintainable, compatible, and reliable service system.

By using the massive object storage service, carriers can offer storage resource pool

products with massive capacities for end users. The operation management platform CSB

provide a tenant GUI portal for creating and deleting buckets, managing UDSKEYs, and

uploading and downloading objects.

3.3.2 Highlights

Massive Cloud Storage

The Huawei-developed massive cloud storage service integrates the universal hardware

platform, advanced storage software, intelligent management system, and flexible service

software. The massive cloud storage service meets storage requirements of the massive and

increasing data and provides operable cloud storage solutions, satisfying requirements of

telecom carriers, government agencies, universities, large enterprises, industrial customers,

VPBs, and data center value-added services. It also supports TB-level, PB-level, and EB-level

capacity expansion. Users can expand storage capacity on demand, helping reduce costs.

Powerful Storage Management

The object storage service provides the following storage management functions:

Enables administrators to manage enterprise and individual tenants, and enables enterprise tenants to manage sub-tenants.

Manages storage capacities allocated to tenants and sub-tenants, tenant information, and

permissions to access paths.

Meets the SLA and provides independent physical or logical storage capacities for

leasing.

Stores data of different types, including images, videos, audio, and files.

IDC Solution




24

Transmission and Storage Security

The object storage service data security is ensured from the following perspectives:

Transmission security

Data transmission is encrypted and data is transmitted by using HTTPS, which ensure data transmission security.

Storage security

User data is segmented. Data segments are stored on different storage nodes and hard

disks by using the private storage protocol. As a result, attackers cannot obtain user data

by attacking only one storage node and hard disk. A faulty storage node and hard disk

can be discarded without data clearing. Key user authentication information, such as

passwords, are encrypted and stored in the Cookie. This prevents unauthorized users from obtaining user authentication information by analyzing Cookie content.

Access security

The object storage mechanism is used. Data is stored as objects in specified containers.

Containers are logically isolated and data cannot be accessed without authorization codes and signature keys, which ensure data access security.

Hierarchical group management mechanism is used to manage users. Operation permissions are granted to service users and system administrators to control operations.

Data persistency

The object storage service resource pool ensures service reliability with 99.999%

availability and 99.9999% persistency. Redundancy is used to protect the stored data.

One data object has multiple duplicates, which are allocated in different physical nodes. If one node is faulty, data can be rapidly restored from other nodes.

Unified Management

The object storage service provides the unified service management, storage service, resource

management, and system OMM.

Service management

The OMM system manages tenants in a unified manner. Tenants can access the OMM

system through browsers to use powerful storage management functions provided by the object storage service.

Resource management

The object storage service manages storage space integration and allocation.

System OMM

The object storage service supports OMM for performance, alarms, and events of the storage system.

Scalability

The object storage service scalability is described as follows:

Storage capability expansion

Storage nodes and hard disks can be added to the background storage system without

interrupting services. Therefore, the TB-level storage capacity can be expanded to the PB level or EB level.

Performance expansion

IDC Solution




25

The management node cluster can be expanded by adding management nodes. This

enhances concurrent access capabilities of the cloud storage service and accelerates data processing speed. Therefore, system performance is improved.

Fault Data Self-Recovery

The storage resource system that implements the object storage service adopts a powerful data

protection mechanism. Data is segmented and distributed on multiple storage nodes in

different cabinets. The multi-duplicate technology enables data to be automatically stored for

multiple copies. Copies of each data segment are stored on different storage nodes.

If a fault occurs and causes data inconsistency, the storage resource system uses its internal

self-check mechanism to check copies of data segments on different storage nodes and

discover the data fault. After discovering the fault, the storage resource system enables the

data recovery function to recover data at the background. Data is separately stored on multiple

storage nodes so that data recovery is performed on each storage node. That is, a small part of

data is recovered on each storage node. This enables the concurrent data recovery on all

storage nodes, avoiding performance bottlenecks caused by recovery of a large amount of

data on one node. Therefore, the impact on upper-layer services is minimized. Figure 3-9

shows the fault data self-recovery steps.

Figure 3-9 Fault data self-recovery

Data is stored as segments on storage nodes.

Concurrent data is recovered on the storage nodes.

The UDS creates data copies.

The UDS checks data copies of data segments.

Hardware is faulty.

Figure 3-10 shows the fault data self-recovery process.

Figure 3-10 Fault data self-recovery process

IDC Solution




26


Users can apply for the service online instantly after authorization.

The GUI portal allows users to create and delete buckets, manage UDSKEYs, and upload and

download objects.

3.4 Cloud Backup

3.4.1 Introduction

The cloud backup service provided by the IDC public cloud is to protect user data. Carriers

establish unified data protection platforms to implement the BaaS cloud backup service. This

allows end users to use the enterprise-level backup function as a service over the Internet.

After enabling the cloud backup service, end users can back up and restore data of files,

mainstream databases, and mainstream applications on OSs including Windows, SUSE Linux,

and Unix. Users can set backup policies and perform backup and restoration operations flexibly.

3.4.2 Highlights

Enterprise-level backup

The enterprise-level backup function allows data backup of mass files on OSs including

Windows, SUSE Linux, and Unix. This function enables users to back up and restore

data in databases such as Oracle, DB2, MS SQL, and MySQL databases, and data of applications such as SharePoint, Exchange, SAP, and Lotus Notes.

High security

Access streams and data streams of the backup service are transferred by using HTTPS

and encrypted by using the advanced encryption standard (AES) 256 algorithm, ensuring data security during transfer.

The backup system isolates multiple tenants. That is, each user can use the personal

username and password to log in to the backup system, and query and access only the

use's own resources and files.

Backup servers and media servers can be accessed only through the web console and

Proxy server for obtaining configuration and service data of the backup service. This prevents the backup system from being exposed to threads of public networks.

IDC Solution




27

3.4.3 Service Architecture

The cloud backup service of the current version supports only offline operation.

The backup system is the core of the cloud backup service implementation. The backup

system comprises backup management software, backup servers, and backup storage devices.

In this version, the Simpana backup software developed by Commvault is used. The Simpana

software adopts the following three-layer architecture:

Management server: CommServe

The CommServe:

− Manages data backup, archive, and restoration.

− Maintains CommCell configuration and storage data and controls licenses for tasks,

policies, user security, and modules. The CommServe controls only licenses and does not store backup data.

− Stores metabase catalogs.

The metabase stores metadata that describes backup data features and locations.

− Provides the centralized event controller that records all event logs and delivers notifications about keys events.

Media agent: MediaAgent

The MediaAgent transmits data between clients and storage media. Each MediaAgent

can communicate with one or multiple local or remote storage devices including storage

media.

The MediaAgent is independent from storage media and is compatible with storage

media of different types. Load balancing policies can be configured on the backup system to prevent each MediaAgent from heavy loads.

Web consoles and Proxy servers are deployed in the demilitarized zone (DMZ) in the data

center.

Web console server

The Web console provides a GUI for end users to configure backup policies, and view, back up, and restore data.

Proxy server

The Proxy server delivers backup data streams from external networks to the MediaAgent in the intra-network backup system.

Intelligent data agent: iDataAgent

The iDataAgent is a software module used to back up and restore data and supports

mainstream file systems and applications. A host on which the iDataAgent is installed is

called a client. Multiple iDataAgents can be installed on a client. The iDataAgent module

has multiple types including online backup modules, such as file systems, Oracle

databases, and SQL databases, and other function modules such as ProxyHost. If data of

different types exists on the client, data of each type requires an iDataAgent function module.


Currently, only the enterprise customers can apply for the service offline.

IDC Solution

White Paper 4 IDC Architecture



28

4 IDC Architecture

The IDC architecture provides comprehensive systems, including computing, network,

storage, security, cloud OS software, and management subsystems. Various IDC services are

provided based on this architecture.

4.1 Computing and Storage Cloud-based Architecture The computing and storage cloud-based architecture includes two parts, cloud OS as well as

computing and storage devices. The computing and storage devices can adopt traditional

architecture of server + SAN storage or innovative architecture of server + FusionStorage.

4.1.1 Cloud OS

Positioning

FusionCompute, Huawei cloud OS software, consists of the virtualization infrastructure

platform and cloud infrastructure service platform. It is responsible for hardware resource

virtualization and centralized management of virtual resources, service resources, and user

resources. FusionCompute uses virtualization technologies such as virtualization computing,

storage, and network technologies to virtualize computing, storage, and network resources,

and performs centralized management and scheduling of virtual resources over a unified

interface. This helps reduce operating expense (OPEX), ensure system security and reliability,

and construct a secure and energy-lit cloud data center.

IDC Solution




29

Figure 4-1 Solution components

Infrastructure virtualization

Desktop cloud

Cloud infrastructure service platform

Image management

DR and backup

Multiple tenants Elastic IP address

Service resource scheduling

Virtual resource interface

Virtualization infrastructure platform

Virtual resource scheduling

Availability Security Scalability

Virtualization computing Virtualization storage

Virtualization network

Infrastructure

Servers Storage devices Network devices Security devices

Cloud equipment room

Cabinet Power supply

Cabling Monitoring CoolingFire

extinguishing

Decoration Lightning protection and grounding

Technical Features Unified virtualization platform

FusionCompute uses virtualization management software to divide computing resources

into multiple resources that can be used by high-performance, operational, and

manageable VMs. FusionCompute provides the following features:

− Allocates VM resources on demand.

− Supports multiple OSs.

− Isolates VMs to ensure QoS.

Supports for various hardware platforms

FusionCompute can be deployed on various types of x86 servers and is compatible with

various types of storage devices.

Large cluster

A single logical computing cluster supports a maximum of 3000 VMs.

− When the VIMS system is used, a single shared domain supports a maximum of 32 physical servers.

IDC Solution




30

− When the FusionStorage system is used, a single shared domain supports a maximum

of 128 physical servers.

Automatic scheduling

FusionCompute allows users to define SLA policies, fault reporting criteria, and fault rectification policies.

− FusionCompute implements centralized IT resource scheduling, heat management, and power consumption management, reducing maintenance costs.

− FusionCompute automatically detects the load of servers or services and intelligently

schedules resources to achieve load balancing across servers and service systems, ensuring good user experience and optimal system response.

Cross-domain resource management

FusionCompute supports cross-domain resource management and implements centralized management of all resources.

− Distributed storage and cluster O&M: FusionCompute uses distributed storage and

cluster O&M technologies to consolidate devices on the physical layer and network

layer, provide upper-layer services with uniformly-managed storage, computing, and

network capabilities, and provide users with a network-based management system to implement unified scheduling of all resources.

− Rights- and domain-based management: FusionCompute provides comprehensive

rights- and domain-based management functions by area, role, or rights, so that users at different areas can be authorized to manage local resources.

− Cross-domain scheduling: VMs can be scheduled across domains over the layer-3 network by using elastic IP addresses.

Comprehensive OMM

FusionCompute provides various types of O&M tools to control and manage services, improving operation and maintenance efficiency. FusionCompute supports the following:

− Black box for rapid fault location: enables users to rapidly locate faults by obtaining

exception logs and program stacks. This reduces fault locating time.

− Automatic health status inspection: helps detect faults in a timely manner and present pre-warning reports. This facilitates VM operation and management.

− Web interface: FusionCompute provides a web interface, through which users can

monitor and manage all hardware resources, virtual resources, and service

provisioning.

Cloud security

FusionCompute adopts various security measures and policies and complies with local

information security laws and regulations to provide end-to-end protection for user access, management and maintenance, data, network, and virtualization.

Logical Architecture

FusionCompute consists of the virtualization infrastructure platform and cloud infrastructure

service platform. Figure 4-2 shows the logical architecture of FusionCompute.

IDC Solution




31

Figure 4-2 Logical architecture of FusionCompute



Table 4-1 lists logical modules of FusionCompute.

Table 4-1 Logical modules of FusionCompute

Module Function

Image storage

(IMGS)

Stores image files.

Image

management (IMGM)

Provides image data management, including registering, querying,

modifying, and deleting images.

Computing node

agent (CNA)

The CNA provides the following functions:

Implements the virtual computing function.

Manages the VMs running on the CNA.

Manages the computing, storage, and network resources of the CNA.

VRM The VRM provides the following functions:

Manages block storage resources in clusters.

Assigns private IP addresses to VMs using Dynamic Host Configuration Protocol (DHCP).

Manages nodes in the computing cluster and maps physical computing resources to virtual computing resources.

Manages network resources, such as IP addresses, virtual local area

networks (VLANs), security groups, and DHCP severs, in the cluster and assigns private IP addresses to non-VPC VMs.

Manages the lifecycle of VMs in the cluster and distributes and migrates VMs across CNAs.

IDC Solution




32

Module Function

Dynamically adjusts resources in the cluster.

Implements centralized management of virtual resources and user

data and provides elastic computing, storage, and IP address services.

Allows O&M personnel to remotely access FusionCompute from

the web user interface (WebUI) to perform resource monitoring and management and view resource statistics reports.


The virtualization infrastructure platform virtualizes physical resources, such as

computing, storage, and network resources, into virtual resources that can be centrally

managed, flexibly scheduled, and dynamically allocated. It is the key platform used for building cloud data centers.


The cloud infrastructure service platform encapsulates and manages virtual resources

provided by the virtualization infrastructure platform, helping carriers and enterprises to

build their data center O&M capabilities. The management function includes resource

management, image management, charging management, scheduling management, and user management.

4.1.2 Server +SAN Storage (Traditional Architecture)

Servers and SAN storage devices to be used as infrastructure servers can be selected

according to project requirements.

Server

Servers are classified into tower, rack, and blade servers by appearance. Rack and blade

servers are installed in the standard 19-inch cabinet.

Various rack servers are available for selection. As for computing capabilities, there are

1-socket to 8-socket rack servers.

The blade server adopts a new server structure. The peripheral networks, management

modules, PSUs, heat dissipation components are integrated into a unified chassis,

implementing integrated deployment for multiple servers. Compared with rack servers, blade

servers improve computing density, reduce server deployment time and space, and simplify

cabling. However, blade servers are poorer in hard disk and NIC expansion than rack servers

because multiple servers are deployed in the integrated manner.

Common servers consist of the blade server E6000 and the rack server RH2288 V2. Table 4-2

and Table 4-3 describe the specifications of the two types of servers.

Table 4-2 E6000 blade server

Component Sub-Componen

t Specifications

E6000H chassis Deployment

mode

8 U blade server

IDC Solution




33

Component Sub-Component

Specifications

Blade slot 10

I/O module Six GE, 10GE, or 8 Gbit/s FC I/O modules

Backplane High-speed passive backplanes can be used to support

the connections of the following modules:

Server blade

Ethernet or FC switch module

Management module

Power module

Fan module

System

management

Provides powerful management capabilities and

supports FE, Serial, and USB management ports.

Chassis management module (MM) and business

management controller (BMC) of a server blade are

connected by IPMB.

Supports two chassis management modules (or only

one standard chassis management module that

supports redundancy configuration) and the remote

KVM.

Power module A maximum of six 1600 W AC/DC or 1300

W DC/DC hot swapping power modules can be

configured. The N+N or N+1 redundancy, load balancing, and fault switchover are supported.

Note: The N+N redundancy is not supported when the HB640 V2 blade server is in full configuration.

Fan module Nine hot swapping fan modules can be configured and

the N+1 redundancy is supported.

BH620 V2

server blade

Processor Supports a maximum of two Intel® Xeon E5-2400

series processors.

Memory Supports a maximum of 12 DIMM slots.

Local storage Supports a maximum of four 2.5-inch SAS/SATA/SSD hot-swappable hard disks.

PCIe slot Supports two PCIe x8 Mezz interfaces.

BH621 V2 Processor Supports a maximum of two Intel® Xeon E5-2400

series processors.


Local storage Supports a maximum of two 2.5-inch

SAS/SATA/SSD hot-swappable hard disks.

IDC Solution




34

Component Sub-Component

Specifications


Supports one standard full-height half-length PCIe

slot.

BH622 V2 Processor Supports a maximum of two Intel® Xeon E5-2600

series processors.





BH640 V2 Processor Supports a maximum of four Intel® Xeon E5-4600

series processors.





Table 4-3 RH2288 V2 technical specifications

Component Specifications

Deployment

mode

2U rack server

Processor Supports a maximum of two Intel® Xeon E5-2600 series processors

Memory Supports a maximum of 24 DIMM slots

Local storage Supports three types of hard disk configurations:

Eight 2.5-inch SAS/SATA/SSD hard disks

Twelve 3.5-inch SAS/SATA hard disks and two 2.5-inch SAS/SATA

hard disks

Twenty-four 2.5-inch SAS/SATA/SSD hard disks and two 2.5-inch SAS/SATA hard disks

Mixed configuration of SAS/SATA/SSD hard disks is supported.

Network port Four integrated GE 1000BASE-T ports.

IDC Solution




35


PCIe slot A single processor (a riser card is required) supports the following:

One PCIe 3.0 x16 card of full height and full length

One PCIe 3.0 x8 card of full height and three fourths length

One non-standard PCIe slot for installing a RAID controller card

Dual processors (a riser card is required) support the following:

One PCIe 3.0 x16 card of full height and full length

One PCIe 3.0 x8 card of full height and three fourths length

Three half-height PCIe 3.0 x8 cards

One non-standard PCIe slot for installing a RAID controller card

Fan Four hot-swappable counter-rotating fans, allowing single-fan failures.

Power module Two redundant and hot-swappable 460 W/750 W/800 W AC PSUs and

800 W -48 V DC PSUs.

Storage

You can select FC SAN or IP SAN based on project requirements.

In consideration of costs and applications, the IP SAN is recommended for IDC services. The

reasons are as follows:

The IP SAN functions based on TCP/IP. IT personnel are familiar with TCP/IP, which

helps reduce maintenance costs.

The IP SAN adopts Ethernet switches, which are cost-effective. If the FC SAN is used,

HBA cards must be deployed on servers and FC storage switches are also required, which improve device and license costs.

The FC SAN transmission distance does not exceed 50 km, which is unsuitable for

integrating remote storage.

In consideration of performance and reliability, the FC SAN is recommended for key services.

The reasons are as follows:

The FC SAN transfers data based on the closed network of traffic control. The IP SAN

transfers data based on the CSMA/CD mechanism. Therefore, the FC SAN provides

higher transfer efficiency than the IP SAN.

The FC SAN uses the efficient fiber channel protocol. Most of FC SAN functions are

achieved by using hardware. For example, a server uses a dedicated HBA that provides

the ASIC chip to process data. Therefore, the FC SAN offers higher performance than

the IP SAN.

The common storage array includes mid-range storage such as OceanStor S5500T, S5600T,

S5800T, and S6800T as well as high-end storage such as OceanStor18500 and 18800. Table 4-1 describes the technical parameters of S5500T and 18500.

Table 4-4 S5500T


Cache capacity 8 GB/16 GB/32 GB

IDC Solution




36


Number of

controllers 2

Type of front

channel ports

8 Gbit/s FC, 1 Gbit/s iSCSI, 10 Gbit/s iSCSI (Toe), and 10 Gbit/s

FCoE

Type of rear channel

ports 6 Gbit/s SAS 2.0 wide port

Number of onboard

I/O ports 8 x 8 Gbit/s front FC port and 4 x SAS 2.0 rear SAS wide port

Maximum number

of I/O modules 2

Maximum number

of hard disk slots 528

Disk Type SAS, NL SAS, SATA, and SSD

RAID support 0, 1, 3, 5, 6, 10, 50

Supported number

of snapshots 1024

Supported number

of LUNs 4096

TurboModule Supported

Other software Hyperimage, HyperCopy, HyperClone, HyperMirror, HyperThin,

UltraPath, DiskGuard, and SmartCache

Table 4-5 OceanStor18500


Maximum cache

capacity 768 GB

Maximum number

of controllers 4

Maximum number

of front host ports 96

Maximum number

of hard disk slots 1584

Disk Type 2.5-inch SAS, 2.5-inch SSD, 3.5-inch SAS, 3.5-inch NL SAS, and 3.5-inch SSD

RAID support 5, 6, 10

Maximum number

of hosts 65536

IDC Solution




37


Supported number

of LUNs 65536

Other software HyperSnap, HyperClone, HyperCopy, HyperReplication, SmartThin,

SmartTier, SmartQos, and SmartVirtualization

4.1.3 Server +FusionStorage Distributed Storage (Innovative Architecture)

With the development of services, the integrated SAN storage array is facing a series of

problems and challenges:

Performance and data need more time to restore due to RAID mechanisms. According to

RAID implementation principle, in the same RAID group, the larger the number of disks

is, the higher the performance is. However, the error rate of multiple disks in the same

RAID group increases and reliability decreases, as the number of disks grows. Therefore, you are advised to deploy a maximum of 15 disks.

Using central accesses and management, heads can become the bottleneck. Mid-range

storage only has two controllers, controller A and controller B. when disks are excessive,

the storage controllers usually become the bottleneck of performance, and restrict the scalability of SAN storage.

To address the foregoing challenge, Huawei FusionStorage pools the local hard disks of the

x86 servers to provide block storage.

FusionStorage has the following characteristics:

Cutting-edge distributed architecture, deep convergence of computing and storage

− FusionStorage uses a distributed architecture, including distributed management

cluster, distributed hash-based routing algorithm, distributed and stateless engines,

distributed intelligent caching. The structure ensures that the SPOF does not occur in the system.

IDC Solution




38

Figure 4-3 FusionStorage distributed architecture

− FusionStorage is deployed on the servers that the local hard disks are attached to. The

local disks form a virtual resource pool to function as an external storage device, which integrates computing and storage devices.

High reliability

− To ensure data reliability, FusionStorage uses the multiple data copy mechanism

rather than the RAID technology. Before storing the data, FusionStorage fragments

the data and stores the data fragments on the cluster nodes based on specified rules.

Figure 4-4 shows the multiple data copy mechanism that FusionStorage uses. For

partition P1 on disk 1 of server 1, its data copy is P1' on disk 2 of server 2. P1 and P1' are two data copies of the same data block.

− In a public cloud scenario, when three data copies are stored, the data availability reaches 99.9999% on FusionStorage.

Figure 4-4 Multiple data copy mechanism

− FusionStorage uses the tight consistency and replication technology to ensure data

consistency between data copies. If the data written into the system is divided into

multiple portions, the system also creates multiple copies for each data portion and

stores them in different disks. FusionStorage also ensures consistency between the copies of each data portion.

IDC Solution




39

− When failing to read data, FusionStorage determines the failure cause. If the failure is

resulted from a disk sector, FusionStorage reads the required data from other copies

and restores the data in the original copy. This ensures that the total number of data copies does not decrease.

High performance

− FusionStorage uses distributed stateless engines. Engines are deployed on each server

and no centric engine is deployed. The engines consume little CPU resources on each server and allow more IOPS.

− FusionStorage uses some memory of each server for read cache and non-volatile dual

in-line memory module (NVDIMM) for write cache. Caches are evenly distributed to

all nodes. The total cache size on all servers is greatly larger than that provided by

external storage devices. Even when using the large-capacity and low-cost SATA

disks, FusionStorage can still provide one to three times higher input/output performance and larger effective capacity.

− The DHT of FusionStorage ensures that the input/output operations performed by

upper-layer applications are evenly distributed on the hard disks of various servers and the load is globally balanced as follows:

Table 4-6 DHT routing algorithm that FusionStorage supports

− FusionStorage creates snapshots based on the distributed hash table (DHT)

technology. Creating snapshots does not have any adverse impact on the volumes.

For example, 24 GB space is required for constructing indexes in the memory for a

2-TB disk. You can determine whether any snapshot has been created for the disks in

a hash query operation. If a snapshot has been created, the hash query operation

enables you to determine the storage location of the snapshot. Therefore, the DHT

technology provides high query efficiency.

IDC Solution




40

Table 4-7 High-performance snapshots provided by FusionStorage

Rapid parallel data reconstruction upon failure

FusionStorage provides the powerful data protection mechanism. When storing data,

FusionStorage fragments the data and stores the fragments on multiple storage nodes

that may be installed in different cabinets. In addition, FusionStorage automatically

duplicates the data and the data fragments into multiple copies and also stores the

data and fragment copies on different storage nodes. When data becomes inconsistent

due to hardware failures, FusionStorage uses the internal check mechanism to

compare data fragment copies on different nodes and automatically detect the data

failure. After detecting a data error, FusionStorage uses a data restoration mechanism

to automatically restore data. The restoration mechanism allows FusionStorage to

simultaneously restore a minimal amount of data on different nodes because the data

copies are stored on different storage nodes. This mechanism prevents performance

deterioration caused by restoration of a large amount of data on a single node, and

therefore minimizes adverse impact on upper-layer services. Figure 4-8 shows the automatic data reconstruction process upon failure on FusionStorage.

Table 4-8 Data reconstruction process on FusionStorage

FusionStorage supports parallel and rapid fault troubleshooting and data reconstruction as follows:

IDC Solution




41

Data is fragmented in the resource pool. If a disk is faulty, these data fragments can

be automatically reconstructed by simultaneously restoring data copies in the resource pool efficiently.

Data can be distributed to different servers or different cabinets so that data can be obtained even when a server is faulty.

Load is automatically shared between existing nodes and new nodes. You do not need

to adjust application configuration to obtain larger capacity and higher performance.

Easy Expansion and Ultra-Large Capacity

− The DHT routing algorithm ensures rapid load balancing after capacity expansion and avoids migration of a large amount of data.

− When computing nodes are added, the storage capacity is added. After capacity expansion, computing and storage are still integrated.

− The bandwidth and cache are evenly distributed on each node and do not decrease with capacity expansion.

4.1.4 Comparison Between SAN Storage and FusionStorage

Table 4-9 Restriction of server + FusionStorage

Item Subitem SAN Storage FusionStorage

Specificat

ions

Maximum number

of servers in single

resource pool

32 (VIMS enabled) 128

Performan

ce

IOPS of the same

disk

8 K, read/write 3:7,

100% random

read/write IOPS:

14463.7

8 K, read/write 3:7,

100% random

read/write IOPS:

10701.8

8 K, read/write 3:7, 100%

random read/write IOPS: 8000

8 K, read/write 3:7, 100%

random read/write IOPS: 7364

Compatibi

lity

Server Decoupled

interaction, without

special limitations

Supports only RH2288H V2.

Virtualization Compatible when the

mapping virtualization

platform supports

standard SAN storage,

including

FusionStorage, Xen,

Vmware, and hyper-V;

Supports only FusionSphere.

IDC Solution




42

Item Subitem SAN Storage FusionStorage

Scalabilit

y

Capacity

expansion

A set of expansion

disk racks and

disks, without special limitations

No limitations on

adding multiple sets

of SAN storage

devices

Multiple FusionStorage

resource pools are not

supported.

Capacity expansion

requirements of single

FusionStorage resource

pool: the configuration of

the expanded SCNA nodes

must be the same as that of

current SCNA nodes in

number and specification;

Storage

migration

Storage migration Supports storage live

migration and

cross-cluster migration

Does not support migration

between FusionStorage pools

or migration between

FusionStorage and other SAN

Disaster

recovery

Disaster recovery

solution

Supports two disaster

recovery solutions:

active-active storage

and array replication

Without disaster recovery

solutions

4.2 Network

4.2.1 Overview

The data center network architecture, which carries all application data, is the core of the IT

architecture. A proper network design is important, which must support high network

performance, flexibility, and scalability. IDC network design should also consider rapid

deployment and flexibility to support new services. A flexible network architecture allows

new applications to be deployed in a short time.

The IDC network design adopts a time-tested layered mode which is a basis for data center

design. The layered mode is to ensure network scalability, performance, flexibility, elasticity,

and maintainability. In addition, the network is divided into different functional areas and

three logical planes: management, storage, and service planes. The Huawei IDC network has

the following characteristics:

Tenant isolation

Resources of different enterprise tenants are isolated in the data center. Tenants' network,

computing, and storage resources are isolated in an end-to-end (E2E) manner. Cloud data

center resources of different tenants are isolated by using technologies such as the VFW,

virtual routing and forwarding (VRF), and VLAN. Tenants can set network routes and

security policies, bind elastic IP addresses, and configure server gateways. IP addresses

of different tenants can overlap. Computing resources of each tenant exclusively occupy

the CPU and memory to achieve logical isolation between tenants. Computing resources

of different tenants do not affect each other. Storage resources are mapped to VMs of

each tenant by using logically isolated data volumes. Storage resources of the same

IDC Solution




43

tenant can access each other, while storage resources of different tenants cannot access

each other.

Large layer 2 network

The data center supports large layer 2 networking. The Transparent Interconnection of

Lots of Links (TRILL) protocol is used to construct a cost-effective, large-scale, and

unblocked large layer 2 network. The TRILL protocol supports high-efficiency

forwarding, fast convergence, easy deployment, and multi-tenancy technology and

effectively avoids loops. The TRILL-based network architecture can meet requirements of data center services in the cloud computing era.

Layer 2 interconnections among multiple data centers

A layer 2 network across multiple data centers is constructed at the external access layer

of different data center networks to meet requirements of scenarios such as server

clusters and VM dynamic migration. The virtual private LAN segment (VPLS)

technology allows different data centers to be in the same layer 2 network. Services can

be normally provisioned without modifying network properties when VMs are migrated

among data centers.

Network convergence

Date center network construction focuses on simple storage network deployment. Data

center networks tend to converge, and the fibre channel over Ethernet (FCoE) technology

makes network convergence possible. The FCoE technology is used to converge the

storage network and Ethernet.

Network virtualization

The data center infrastructure provides VFW, ELB, and switch virtualization

capabilities, which provide each tenant with firewall, load balancing, and switching

functions. Resources are isolated, and tenants can customize policies. The VFW provides

isolated security services for each tenant, and each tenant has a VFW. Each VFW

consists of private interfaces, security areas, security domains, ACL, and NAT address

pools and can provide private security services such as address binding, blacklists, NAT,

packet filtering, statistics, attack defense, and ASPF. An LB is virtualized into multiple

ELBs to support multi-tenancy. Tenants can customize the load balancing policy,

algorithm, weight, and associated servers. Tenants can manage and maintain ELBs by

themselves and view the running status of ELBs and resource utilization. Load balancing

resources of different tenants are isolated from each other. The switch virtualization

capability is provided by the cluster switch system (CSS). In the CSS, multiple switches

supporting clusters are connected to function as a switch. The CSS supports the following features:

− Simplified network topology

− Improved network performance

− Simple O&M and reduced operating expense (OPEX) in that the CSS is managed as

a switch.

− Single point of failure (SPOF) prevention

When a device in the CSS fails, other devices in the CSS can take over the control and forwarding services of the faulty device, preventing the SPOF.

− Loop-free networks

The CSS supports multi-chassis link aggregation which helps avoid loops. Complex

loop avoidance protocols such as Multiple Spanning Tree Protocol (MSTP) do not

need to be configured.

− High link bandwidth utilization

The bandwidth utilization of multi-chassis links is up to 100%.

IDC Solution




44

4.2.2 IDC Network Architecture

Figure 4-5 IDC network architecture

CSS

External area

Core layer

DDoS traffic cleaning

InternetMPLS

VPN

iStack

云 OS

Storage network

Storage resources

iStack

云 OS

Operation

management

iStack

云 OS

DMZMaintenance

management

iStack

云 OS

VES/CA system

management

iStack

云 OS

Service area

Server + SAN

Storage

cabinet

Setup

cabinet

Computing

cabinet

RH2288 RH2288 RH2288

Backup

cabinet

N8500

Server + Dsware

Ne

two

rk s

erv

ice

are

a FW

LB

VPN

IDS/IPS

FW

LB

VPN

IDS/IPS Ne

two

rk s

erv

ice

are

a

Access switch RouterAggregation switchCore switch LB FW/IPS

Server Storage device

GE link10GE link Stacking cable


Legend

VM FC switch UVP Virtualization system

VPN device IDS/IPS

The IDC adopts the flattened two-layer architecture design. The internal switching

architecture is simple and clear. The server +SAN storage architecture consists of the core

layer and access layer. In the server + FusionStorage architecture, however, servers provide

10GE ports to connect to the core layer switches.

The IDC is divided into five areas based on the network logical functions: external area, core

area, network service area, access area, and storage area.

The external area connects to the Internet and VPN network.

IDC Solution




45

The core area is the switching core of the data center and consists of high-performance

switches.

The network service area provides value-added services such as traffic statistics, the

intrusion detection system (IDS)/intrusion prevention system (IPS), firewalls, load balancing, and VPN.

The access area provides access for data center server nodes.

The storage area provides SAN access.

At the core layer, subrack switches are used to form a cluster, and multiple switches are

logically virtualized into a switch to implement device redundancy. Only one management IP

address is required to manage the devices.

The CSS + iStack + Eth-Trunk mode is used to construct a reliable loop-free layer 2 network.

At the core layer, the VRF technology is used to logically isolate network areas and service

areas at layer 3.

With the virtualization function, VFWs, ELBs, and virtual switches are provided to meet user

requirements on virtualization and isolation.

At the access layer, VLAN and 802.1Q technologies are used to implement layer 2 isolation.

Service areas have three security levels: high, medium, and low. The operation management

area and maintenance management area have a high security level, and the DMZ has a

medium security level.

Other service areas are assigned with security levels as required.

4.2.3 Area-Based Architecture Design

External Area

The external area connects the data center network to the Internet and dedicated networks.

Figure 4-6 shows the external area networking.

Figure 4-6 External area networking

External area


Internet MPLS

Optional

The external area connects to the Multiprotocol Label Switching (MPLS) bearer network,

Internet, and data communication network (DCN) through routers. The external area

IDC Solution




46

communicates with extranets by using the Border Gateway Protocol (BGP) or static routes

(static routes are used for enterprise access). Active and standby links are configured to

improve reliability. The external area connects to extranets through dual links, and each link

connects to a carrier's network to ensure reliability of external connections.

The anti-distributed denial of service (DDOS) device is used to prevent DDOS attacks. The

anti-DDoS device connects to routers in bypass mode. Routers are configured with port

mirroring to send traffic to the anti-DDoS device for analysis. Dynamic routes are configured

between routers and the anti-DDoS device to dynamically divert attack traffic. The anti-DDoS

device injects the normal traffic after cleaning to routers through policy-based routes, and

routers divert the normal traffic after cleaning to the data center through policy-based

routes, which ensure traffic security for the data center.

Firewalls in the external area are optional components. The firewalls are serially connected

and work in routing mode. The firewall provides four domains: untrusted, trusted, DMZ, and

management domains. Inter-domain policies are used to ensure access security. Open Shortest

Path First (OSPF) is configured between the firewall and the egress router to dynamically

learn routing entries advertised by the intranet.

Core Area

The core area is the switching core of the data center. Based on project requirements, two

high-performance switches are configured to ensure reliability and redundancy.

At the core layer, subrack switches are used to form a cluster, and multiple switches are

logically virtualized into a switch to implement device redundancy and facilitate

management. The core switch uses the VRF technology to logically isolate service networks.

The OSPF protocol is used between the core area and the external area, and between the

core area and the aggregation switch to advertise routes, ensuring that correct routes

between the core area and the intranet/extranet are quickly learned. This adapts to frequent service changes and dynamically updates routes in real time.

Downlink ports physically connect to access switches through aggregated 10GE fiber

links. A maximum of eight 10GE links can be bound. In this manner, high bandwidth is

provided. The maximum single-area uplink bandwidth reaches 80 Gbit/s. A trunk link is

configured to transport service VLAN communication. A loop-free high-efficiency layer 2 network is constructed, and different users and different services are logically isolated.

Network Service Area

Devices in the network service area connect to the core switch in bypass mode and provide

value-added network services and value-added network security services.

Figure 4-7 Network service area

Core layer

Ne

two

rk s

erv

ice

are

a

Ne

two

rk s

erv

ice

are

a

CSS

IDC Solution




47

The network service area houses the traffic analysis and statistics device Netstream, IDS/IPS, firewalls, LBs, and VPN devices.

Firewalls are used to isolate security domains and control access between security

domains. Firewalls support the VFW function to meet high security requirements of tenants.

LBs implement load balancing for users' applications. An LB can be virtualized into

ELBs. ELBs are logically isolated. Each tenant can use at least one ELB. Tenants' data

configurations are independent of each other.

VPN devices provide remote encrypted access for users to manage and maintain their

own data center resources.

Access Area

The access area houses network elements (NEs) that access the data center, such as servers.

There are two scenarios:

Server + SAN Storage

Rack servers connect to access switches, and blade servers access the data center through the

switching backplane in the chassis.

Two access switches are stacked and virtualized into one switch. Layer 2 isolation is

performed on service planes by VLANs. Different downlink ports are configured to

allow different VLANs to pass through. Uplink ports are configured in trunk mode to

allow all VLANs to pass through. Multiple physical ports are aggregated and connect upstream to the core switch.

When rack servers or blade servers are used in the service area, TOR switches or

switching backplanes in blade chassis are used respectively to provide the switching

capability. Each plane on the server adopts dual NICs, and each NIC corresponds to one

access switch, which improve the reliability of servers and networks. Two switches for

one server are in a pair and stacked. The switches connect upstream to the aggregation

switch through bound 10GE uplinks.

No gateway is configured for access switches. Each pair of access switches supports

4094 VLANs and communicates with the aggregation switch at layer 2. In this manner, a loop-free high-efficiency layer 2 network is constructed.

Server + FusionStorage

RH2288H rack servers are used. A server NIC egress provides two 10GE ports. In

small-capacity scenarios, servers directly connect to core switches without independent

access switches; in large-capacity scenarios, CE6850 switches are configured as access switches.

Each RH2288H server uses two 10GE load sharing uplink ports. The management,

service, and storage planes are separated by VLANs and support QoS reservation.

Storage Area

The storage area provides SAN access in the server + SAN storage scenario.

IDC Solution




48

Figure 4-8 Storage area

Storage aggregation network

IP SAN FC SAN

The storage network is an independent Fibre Channel (FC) or IP network, which

provides storage access. The storage area supports IP SAN devices, FC SAN devices,

and virtual intelligent storage (VIS) devices. The IP SAN device connects upstream to

the storage access IP switches through eight GE ports, and the FC SAN device connects

upstream to the storage access FC switches through four GE ports. Each set of links has

multiple hot backup links. The storage area adopts multipath design, providing high capacity and storage network reliability.

Storage aggregation switches are classified into IP switches and FC switches. The

aggregation switches connect upstream to the storage plane of each server and downstream to storage access switches.

Storage access switches are classified into IP switches and FC switches. IP switches

connect downstream to the IP SAN, and FC switches connect downstream to the FC SAN.

4.2.4 Data Center Interconnection Architecture

When IDC carriers provide public cloud services to Internet users, data centers that are

located in different places need to interconnect with each other. Besides, disaster recovery

(DR) for the IDC also involves data center interconnection. Figure 4-9 shows the data center

interconnection architecture.

IDC Solution




49

Figure 4-9 Data center interconnection architecture

DC 1 DC 2Layer 3 interconnection

Layer 2 service interconnection

Bare fiber interconnection

IP SAN/FC SAN IP SAN/FC SAN

Networks between data centers can be bare fiber networks, dedicated networks, leased

MPLS or IP networks, metropolitan bearer networks, Internet, or self-built wide area

networks (WANs).

Different interconnection technologies are used for different networks. For example, for

self-built WANs and bare fiber networks that support high scalability and flexibility,

a wide range of interconnection technologies can be selected. For leased MPLS or IP

networks, you are advised to lease VPN services (VPLS, MPLS L3VPN, and GRE VPN)

from carriers together with the MPLS or IP networks.

Multiple interconnection networks can be used together. For example, data centers in the

same city interconnect with each other through bare fiber networks or self-built WANs,

data centers in different cities interconnect with each other through leased MPLS or IP

networks, and branch offices interconnect with each other through the Internet.

Table 4-10 lists suggestions about data center interconnections.

Table 4-10 Data center interconnection suggestions

Application Scenario

Service Deployment Suggestion

L2/L3 Network Solution

Feature/Advantage

Recommended Product

Intra-city fiber

interconnection

Services are

deployed in active/active mode.

L3 VPN

Pure Ethernet

VPLS/Virtual leased

line (VLL)

Low network delay,

sufficient bandwidth,

high reliability, and flexible deployment

OSN6800/S9700

Intra-city private

line interconnection

Some services are

deployed in active/active mode.

L3 VPN VPLS/VLL Flexible bandwidth,

and high reliability and security

NE40E/S9700

IDC Solution




50

Application Scenario

Service Deployment Suggestion

L2/L3 Network Solution

Feature/Advantage

Recommended Product

Remote private

line

interconnection

Some services are

deployed in

active/active mode.

L3 VPN

VPLS/VLL

Flexible bandwidth,

and high reliability

and security

NE40E/S9700

Remote MPLS

network interconnection

Services are

deployed in

active/standby mode.

L3 VPN

VPLS/VLL

Leased networks are

cost effective and

provide good isolation.

NE40E/S9700

Remote IP

network

interconnection

Services are

deployed in

active/standby mode.

L3 VPN over GRE

VPLS over GRE

Leased networks are

cost effective and

facilitate deployment and maintenance.

NE40E

Shared equipment

room in the same city

Services are locally

backed up.

MPLS L3 VPN Self-built WANs

feature flexibility and good isolation.

NE40E

Remote

shared DR center

The DR center

provides

remote DR for the production center.

MPLS L3 VPN Leased networks are

cost effective.

NE40E

4.2.5 Features

Tenant Isolation

The data center supports multi-tenancy management. IT administrators allocate dedicated

infrastructure resources for each tenant. Deploying public infrastructures shared by multiple

tenants in the data center improves resource utilization. Resources of different tenants must be

isolated in the date center to ensure E2E path isolation and meet tenants' security

requirements.

To support multiple tenants and provide the same dedicated infrastructures to tenants, the data

center reference architecture adopts the path isolation technology to logically divide the

infrastructure into several infrastructures shared by multiple virtual networks (tenants). Tenant

isolation relies on device virtualization and is implemented across layers.

Layer 3 isolation

At the core layer or aggregation layer, the VRF technology is used to isolate tenants at

layer 3. Each tenant is assigned with an independent routing and forwarding table. Data

stream exchange between tenants (from server to server) is not allowed, except that data

stream exchange is required and definite configuration is provided. IP addresses of different tenants can overlap.

Layer 2 isolation

VLAN IDs and 802.1Q tags are used to implement layer 2 isolation. Tenants can forward

data only within their own layer 2 networks.

Network service isolation

IDC Solution




51

Service modules of physical devices or network devices are virtualized to provide VFW

and ELB functions to each tenant. VFWs or ELBs do not affect each other. Tenants can customize policies. Different tenants can set the same policies.

Large Layer 2 Network

In the cloud computing era, the TRILL protocol is used to construct a large layer 2 network to

efficiently use data center resources.

The TRILL protocol applies the layer 3 link state routing technology to layer 2 networks. The

TRILL protocol uses the Intermediate System to Intermediate System (IS-IS) protocol as the

control protocol to meet large layer 2 networking requirements and provide solutions to data

center services.

The TRILL protocol has the following advantages:

High-efficiency forwarding

Each device with the TRILL protocol enabled on the network takes itself as the source

node and calculates the shortest path to other nodes by using the shortest path algorithm.

If multiple equal-cost links exist, load balancing is implemented when unicast routing

entries are generated. Compared with traditional layer 2 networks, the TRILL protocol

improves the data forwarding efficiency for data centers and throughput of data center networks.

Loop avoidance

The TRILL protocol can automatically construct a share-multicast distribution tree

(Share-MDT). The Share-MDT connects all nodes on a network to carry layer 2

unknown unicast, broadcast, or multicast data packets. In this way, no loop is formed.

When the network topology changes, data packets received at incorrect ports are

discarded by using the reverse path forwarding (RPF) technology to avoid loops. In

addition, the TRILL protocol packet header carries the Hop field, which helps minimize the impact of temporary loops and avoid loop storms.

Fast convergence

The TRILL protocol generates forwarding entries by using the IS-IS protocol, and the

Hop field in the TRILL protocol packet header allows temporary loops, so that fast convergence can be implemented when a node or link fails.

Easy deployment

TRILL configuration is simple. Many parameters such as Nickname and System ID can

be automatically generated. In addition, TRILL networks are layer 2 networks, which support plug and play (PnP) and ease-of-use features.

The TRILL data center network adopts the typical layer 2 networking mode, and the TRILL

protocol is enabled for all access switches, aggregation switches, and core switches on the

network. Figure 4-10 shows the TRILL data center network.

IDC Solution




52

Figure 4-10 TRILL data center network

Core layer

Aggregation layer

Access layer

Access switches can be TOR switches and End Of Rack (EOR) switches. Aggregation

switches and core switches are generally EOR switches. To ensure that data center services

are normally deployed, the TRILL protocol is required to implement high-efficiency data

forwarding between servers and between servers and Internet users.

Network Convergence

FCoE is a network convergence technology. It provides an I/O integration solution with the

FC storage protocol being the core to enable LAN and SAN networks to share network

resources. The FCoE technology is not to substitute for the traditional FC technology. Instead,

the FCoE technology extends FC at the Ethernet transport layer. In this way, Ethernet frames

can carry FC frames, in other words, FC frames are encapsulated into Ethernet frames so that

SAN data can be transmitted over the Ethernet.

The FCoE network has the following advantages:

Reduced total cost of ownership (TCO)

The LAN and SAN networks share network resources by using the FCoE

technology. Distributed resources are consolidated and efficiently used. Investment to

SAN infrastructures is reduced, the network is simplified, and network management and

maintenance costs are reduced. Converged Network Adapters (CNAs) are installed on

servers to reduce power and cooling costs of data centers.

Strong investment protection

The FCoE network can seamlessly communicate with the existing Ethernet and FC

infrastructures, which protects the existing FC SAN investment (such as investment to FC devices, tools, and management facilities).

Enhanced service flexibility

The FCoE technology allows all servers to share storage resources, which meets VM migration requirements and improve system flexibility and availability.

IDC Solution




53

Deploying FCoE at the access layer achieves server I/O integration and reduces cables

connecting servers to the network. CNAs on servers support FCoE and connect to access

switches. Then access switches connect to the LAN and SAN networks through Ethernet links, as shown in Figure 4-11.

Figure 4-11 LAN and SAN networking

Servers connect to access switches through FCoE NICs. All access switches support FCoE.

Then access switches connect to the SAN through the Ethernet, and data is transmitted

between access switches and SAN by using the FCoE protocol. FC switches or FCoE

switches can be deployed on the SAN, which connect downstream to storage devices,

reducing network lines.

4.3 Security

4.3.1 Overview

With the IT development, for example, as Web2.0, service oriented architecture (SOA), and

cloud computing technologies are emerging and mobile devices, remote access devices,

browsers, plug-ins of various applications, intelligent terminals, and cloud hosts come into

being, information security faces new challenges. Attacks from the intranet and extranet and

system vulnerability are major threats to information security. Based on IDC service

characteristics, we must consider whether security technologies and products meet IDC

security requirements, and how to use various software and hardware security products to

construct an IDC security solution to meet various IDC service security requirements.

The IDC functioning as an information hub contains servers, storage devices, network devices,

and applications. With the emergence of the cloud computing, new elements, such as

virtualization, are added in the IDC. Therefore, the IDC security solution must be

IDC Solution




54

designed with consideration of all IDC elements. Using traditional security technologies only

cannot ensure IDC security.

The Huawei IDC security architecture is designed based on the best practice in the industry

and Huawei's expertise and experience. The security architecture is designed to meet service

security, reliability, and data integrity requirements. The Huawei IDC security architecture

supports the following features:

Reliability

Security devices and key components in security systems adopt high-reliability design.

That is, dual-node hot backup is implemented to meet long-term running requirements of data center services.

Modularization

The Huawei IDC security architecture is designed based on eight modules: physical

security, network security, host security, application security, virtualization security, user

security, security management, and security services. A security architecture can be

quickly formed based on customer requirements to provide a customized security system.

E2E security

The Huawei IDC security solution provides E2E protection from user access, use, and

exit. Technologies such as the authentication technology based on dual factors, rights

control technology for privileged users, VPN, application protection technology, and

event auditing technology are used to control user access to IT resources, ensure data communication security and secure application access, and audit operations.

Low coupling

The Huawei IDC security architecture must provide protection for multiple layers, such

as the data layer and application layer. Therefore, the IDC security architecture involves

various security technologies, products, and management policies. The IDC security

architecture features low coupling. That is, various security technologies are not tightly

associated, security products provided by different vendors can be used and are not

limited to specific models, and security management policy formulation does not depend on specific security products.

Scalability

The Huawei IDC security architecture is a guiding framework. Users can implement

security construction based on the guiding framework and security requirements, which

protects investment while meeting security requirements.

Support for e-Government level 3 protection

The Huawei IDC security architecture is designed from aspects of physical security,

network security, host security, application security, data security, user management, and

security management to meet level 3 security protection requirements of e-Government.

The Huawei IDC security architecture is one of the best guiding frameworks for

constructing e-Government data centers. Virtualization security is also ensured by the Huawei IDC security architecture based on cloud computing characteristics.

4.3.2 IDC Security Architecture

According to the ideas of layered and in-depth defense, the Huawei IDC security architecture

is divided into physical device security, network security, host security, application security,

virtualization security, data security, user management, and security management layers. The

IDC security architecture meets different security requirements. Figure 4-12 shows the IDC

security architecture.

IDC Solution




55

Figure 4-12 Security architecture

Physical security

Network security

Firewall/UTM

Traffic cleaning

VPN access

Gatekeeper

Intrusion detection/Intrusion

prevention

Security domain division

Network antivirus

Network auditing

Application security

Server antivirus

Data volume encryption

Host system hardening

OS security hardening

Email security

Web page anti-tamper

Web application

firewall

Security services

Security integration

implementation service

Security assessment

service

Security optimization

service

Virtualization security

Cloud management application hardening

Hypervisor hardening

VM protection against malware

VM template security

hardening

VM isolation

User management

Data encryption

and key management

Document permission

management

Data deletion

Identification and access

management

Access management and auditing for privileged

users

Dual-factor authentication

Security management

Security policy

management

Security information and event

management

Vulnerability management

Data security

Host security

0 shows the Huawei IDC security integration design.

Figure 4-13 IDC security integration design

CSS

Web application

firewall

VPN

Core layer

iStack

VPN

Internet application (DMZ)

Government extranet

Firewall/Anti-DDoS/IPS

Firewall/Anti-DDoS/IPS

Internet

Router Router

UMAUMA

Web application

firewall

Antivirus gateway Antivirus

gateway

IDS/IPSIDS/IPS

CDPHDP

Backup system area

iStack

Application area

CSSWeb

application server

Core layer

Application area

UMAUMA

Web application

server

Antivirus gateway Antivirus

gateway

e-Government dedicated network

FirewallFirewall

Router Router


iStack

Desktop cloud

Gatekeeper

iStack

iStack

AGAG

FWFW

FWFW

FWFW

Private line


Internet

Firewall/Anti-DDoS/IPSFirewall/Anti-

DDoS/IPS

Government extranet

Router Router

Government extranet

FW/IPS

FW/IPS

DBAPP

Security control

iStack

Running management area

AG

UVP

Virtualization hardening

UVP UVP

UVP


UVP


UVP


Virus Agent

Virus Agent

Anti-tamper

Database encryption

Document management

Database auditing

Database auditing

Network auditing

Network auditing

iSOC

Vulnerability scanning

tool

Antivirus server

Host core security

hardening system

Dual-factor authentication system

Network service area

Network service area

Web page anti-tamper

system

Document security

management system

UVP

Host core security

hardening system

Network service

area

IDC

Network service

area

LB LB

Different security components are deployed on different network areas based on component

functions to ensure security. Government hosting has the highest security requirements, as

shown in Figure 4-13. The following describes the deployment of security components:

High-end firewalls and traffic cleaning devices are deployed on the network border.

IDC Solution




56

The components, such as the intrusion detection system (IDS)/intrusion prevention

system (IPS), Unified Maintenance Audit (UMA), VPN device, low-end firewall, and antivirus gateway, are deployed on the network service area in bypass mode.

The components, such as the Information Security Operations Center (iSOC),

vulnerability scanning tool, web page anti-tamper system, dual-factor authentication

system, antivirus server, host core security hardening system server, document security management system, are deployed on the running management area.

Antivirus software and host core security hardening system software are deployed on service hosts.

Auditing systems are deployed on aggregation switches of DB servers in bypass mode.

Web application firewalls are deployed on the Internet application area.

Service backup systems are deployed on the backup system area.

Security gatekeepers are deployed between core switches of government extranet and e-Government dedicated networks.

4.3.3 IDC Security Layer Design

Physical Security

The physical security is ensured by deploying the access control system, video surveillance

system, and environment surveillance system. The access control system allows only the

authorized personnel to enter the IDC. The video surveillance system and environment

surveillance system facilitate subsequent auditing. In addition, the following aspects must be

considered to further ensure physical security:

Anti-theft and anti-sabotage

Anti-lightning

Fire prevention

Waterproofing and moisture proof

Electrostatic discharging

Humidity control

Power supply protection

Electromagnetic shielding

Network Security

The firewall, IPS, SSL VPN, anti-DDoS, and data ferry technologies are used to protect

systems and communication data. These technologies prevent data from being damaged,

changed, or disclosed accidentally or intentionally. With these technologies, systems are

reliable, secure, and able to run continuously without service interruption.

Host Security

Client antivirus protection, HIPS protection, HIDS protection, VM security hardening are

used to prevent VMs from being threatened by intranet and extranet viruses, hackers, and

security vulnerability. This ensures VM security and enables user services to run stably in the

long term.

IDC Solution




57

Application Security

Mail security protection and web application security protection are used to protect key

applications, such as emails, web applications, and portal networks in the IDC, and prevent

data from being damaged, changed, or disclosed accidentally or intentionally.

Virtualization Security

The virtualization layer and cloud management application layer are hardened, and VMs are

isolated to prevent the virtualization environment from being threatened by viruses and

hackers. Even if one VM is attacked, other VMs are not affected.

Data Security

The remaining data destruction mechanism ensures the security of the data stored in the

storage of the cloud computing platform. User data stored on physical storage devices is

deleted so that the user data is not disclosed when the storage devices are leased to other users.

This helps dispel users' worries about data security of cloud services.

High-security encryption algorithms are used to encrypt data. This ensures data integrity and

data security.

Distributed file systems are used in the storage system. Data is segmented and distributed on

different cloud hard disks on storage nodes. Data cannot be restored by using a single hard

disk. When a hard disk is faulty, the hard disk can be discarded without data deletion.

User Management

A unified O&M access control solution is provided to control and manage accounts,

authentication, authorization, and auditing of IT resources (such as OSs of core services and

network devices). The unified security control and management center collects operation logs

to perform event association analysis and discover security risks in a timely manner. Logs and

related analysis results provide evidence for information security events.

Security Management

Security management involves the technologies, methods, and products that support security

policies and security management regulations. A unified security control and management

center collects IDC security logs to perform association analysis and discover security risks in

a timely manner. These security logs include firewall logs, intrusion detection logs, intrusion

prevention logs, traffic cleaning logs, VPN access logs, junk mail gateway logs, Hypervisor

logs, and auditing logs.

To protect services without interrupting services and affecting efficiency, obey the following

rules to configure security policies for IDC network devices, security devices, and security

software:

Minimum authorization rule

Service relativity rule

Policy maximization rule

Ensure that security policies are not exclusive with each other.

IDC Solution




58

Security Service

Security services not only include integration services, such as end-to-end IDC devices,

software installation, and software configuration, but also include professional security

assessment and optimization services. These services help users know about their existing and

potential security threats and take measures in a timely manner.

4.3.4 IDC Security Features

VFW

A firewall is logically divided into multiple VFWs to provide independent security insurance

for enterprises and maximize resource utilization of physical firewalls.

Figure 4-14 VFW

Enterprise A

Enterprise B

Each VFW is a complex of a VPN instance, security instance and configuration instance. It

can provide private routing services, security services, and configuration management

services for users.

VPN instance

The VPN instance provides isolated VPN routes that correspond to VFWs for VFW users.

These VPN routes support routing for packets received by VFWs.

Security instance

The security instance provides isolated security services that correspond to VFWs for

VFW users. These security instances consist of private interfaces, security areas, security

domains, ACL, and NAT address pools and can provide private security services such as

blacklists, package filtering, ASPF, and NAT.

Configuration instance

The configuration instance provides isolated configuration management services that

correspond to VFWs for VFW users. These configuration instances allow VFW users to

log in to their VFWs and manage and maintain preceding private VPN routers and security instances.

VM Isolation

VM isolation refers to the resource isolation of different VMs on the same physical machine.

VM isolation is a basic feature of virtualization applications. VM isolation includes the

isolation of CPUs, memory, internal networks, and disk I/O.

IDC Solution




59

Account Management, Authentication and Authorization

The Huawei Operation and Maintenance Management (OMM) System supports account

period management. A super administrator named admin is provided by default. Users can log

in to the system as user admin, create other accounts, and assign rights to these accounts.

The OMM System supports role management and role-based authorization. The OMM

System supports three types of roles: super administrator, O&M administrator, and

guest. Different roles are assigned with different rights.

Tailoring and Hardening of the Cloud Platform OS

The Huawei cloud platform OS is tailored and hardened, and is implemented security

configuration.

OS tailoring

This solution simplifies the cloud platform OS based on the rule of installing

systems with minimum configurations. Only required components are installed. The

quantity of OS software is substantially reduced. This lowers the possibility of systems from being attacked.

Security configuration

This solution implements the security settings for OSs on nodes by referring to the

Center for Internet Security (CIS) Linux benchmark. For example, insecure services are

disabled; account and password complexity policies, and permissions for files and directories are correctly configured.

Security patch management

Huawei implements a strict process for managing security patches and regularly releases

tested OS patch packages on the Huawei support website. O&M personnel regularly

download and install OS patches.

Protection Against Malicious VMs Protection against address spoofing

vSwitch (bridge) of the Hypervisor binds the IP address of each VM to the MAC address

of the VM, so that each VM can send packets only using the local address. This prevents VM IP address spoofing and address resolution protocol (ARP) address spoofing.

Protection against malicious sniffing

The vSwitch is only for switching but not for sharing. When packets of different VMs

are forwarded to the specified virtual port, a VM cannot receive packets of other VMs

even on the same physical host. This prevents malicious sniffing.

4.4 Management

4.4.1 IDC Management Overview

With the development of cloud computing and virtualization technologies, data center

management is transforming from IT infrastructure management to self-service management,

IT service automation, horizontally-expanded server management and storage and network

architecture management, and unified management.

To implement data center management transformation, the following must be performed:

IDC Solution




60

Reduce costs of physical servers and operating costs.

Shorten service rollout periods.

Integrate physical and virtual resources from different vendors and implement unified

resource management.

Enhance device utilization.

Restore faults of key applications and implement DR.

Simplify O&M and reduce management costs.

Reduce power consumption.

The next-generation data center adopts the virtualization technology, centrally manages

services, and supports dynamic resource allocation. The next-generation data center must

provide high-performance, reliable, adaptable, and secure resources to support enterprise

application migration from existing enterprise systems to the cloud. In addition, automatic

infrastructure management is required for the next-generation data center, ensuring that

infrastructures rapidly respond to business changes and IT costs are reduced.

To meet management requirements of the next-generation data center, the Huawei OMM

system data center management solution supports:

End-to-end self-service management

Unified operation and maintenance management

Automatic process orchestration, resource allocation, and application deployment

Unified management of multiple data centers

Heterogeneous management of multiple virtualization platforms

Integration service for various hardware and software

Maintenance management for servers, network devices, storage devices, databases, and middleware

Standard ITIL processes

3D visualized equipment room management and power consumption management

IDC Solution




61

4.4.2 IDC Management Architecture

Overall Architecture

Figure 4-15 ManageOne architecture

API API

Service

catalog

Order Management

Cloud service operation Service Maintenance

Service

Definition

User

management

Measurement

Event

management

Service

Request

Change

management

Configuration

management

Releasing

management

Capacity

management

Fault

management

Equipment

management

Performance

monitoring

ITOM

Computing

virtualizationFacilities

Local

management

layer

Global

management

layer

IP network

Computing

serverStorage device

Storage

virtualization

Network device

Network

virtualization

Data center 1

Automatic control

Resource management

Resource

scheduling

Resource

monitoring

HA

management

Computing

virtualization

Computing

serverStorage device

Storage

virtualization

Network device

Network

virtualization

Data center n

CMDBMaintenance center

Fault

management

Unified

monitoring

Performance

management

Resource

scheduling

Template

Management

Resource

Topology

Automatic control/deployment

Resource management

Resource

scheduling

Resource

monitoring

HA

management

Fault

management

Equipment

management

Performance

monitoring

ITOM

User portal Management portal

Template/Image

management

Template/Image

management

Service O&M Module

The service O&M module provides service assurance and management functions for the

cloud platform, ensuring resource availability and cloud service quality. The service O&M

module includes the cloud service O&M management process and CMDB.

The service maintenance module is an IT service management product based on the ITIL V3

concept. Functions in this project, such as service request, event management, change

management, release management, configuration management, and CMDB functions, can be

implemented by the service maintenance module.

Relationships between the service O&M module and other modules are as follows:

The service O&M module receives service requests, including resource deployment

requests, resource maintenance requests, and resource change requests, from the O&M center and processes the requests.

The O&M center converges alarm and performance information from each data center,

centrally monitors devices in each data center, and processes faults reported by each data

center. Alarms in the O&M center are generated into events in the service O&M module

based on specified rules, and then the events are processed based on the ITIL event management process.

Maintenance Center Module

Module Overview

The maintenance center module is oriented to data center maintenance scenarios. It connects

to different management systems and supports across-area management and multiple data

center scenarios.

IDC Solution




62

The maintenance center module is a unified maintenance management module in the

maintenance layer. It operates and maintains data center services based on scenarios, provides

visualized status, risk, and efficiency analysis capabilities, and proactively analyzes problems. The maintenance center module provides the following functions: comprehensive analysis

and manual operation. Comprehensive analysis includes alarm and performance analysis.

Manual operations include routine maintenance, manual entry of traditional data center asset

data, and traditional resource (equipment room space and cabinets) provisioning.

The maintenance center is also a unified maintenance management portal of the solution. As

a work platform of O&M personnel, the maintenance center not only provides its function

links on its home page, but also provides a unified portal and redirection links to access other

components.

Architecture

Figure 4-16 shows the architecture of the maintenance center module.

Figure 4-16 Maintenance center module architecture

Presentation layer

Intelligence layer

Basic layer

Platform

functions

Adaptation layer

OC adaptation container

Unified

object

databaseMODB

Internal service bus

Comprehensivealarm Event & Alarm

Comprehensivemonitoring

Status

&Topology

Maintenance

personnel

Interconnected systems

Operation

Center

Resource, alarm, performance

CMDB

Comprehensive performance

Performance

& Report

Search and analysis Data snapshot

& entry

Unified

portal

UserDB &

personalized

settings

NBI management

Network

monitoring

ITSM, AD, and

notification

server

Storage and

server

monitoring

Middleware

and database

monitoring

Virtual

resource pool

management

The maintenance center module adopts a flexible development platform and SOA.

Components in the maintenance center module are loosely coupled and work with each other

by transmitting messages. Components work like service providers or consumers. Interfaces

of each component comply with standards and can provide new functions flexibly. The

maintenance center module provides the following features:

Service bus: used for communication between internal modules. With the bus, modules

can be deployed on different computing nodes in distributed mode. The service bus

meets requirements of large systems. When two components are running on the same

node and the same process, a more efficient internal communication mode is automatically used.

Management object database (MODB): provides a unified object database at the

platform layer and ensures consistency between internal models and coordination of modules.

IDC Solution




63

Plug-in mechanism: By using the adaptation container and loading customized

adaptation packages, the maintenance center module can connect to new systems without

affecting running functions. Adaptation packages are provided as plug-in packages.

Plug-ins are parsed and executed in the container, ensuring stable internal logic

programs.

Functions

At the adaptation layer, the maintenance center module provides adaption capabilities to

connect to peripheral systems. After an adaptation package (containing scripts, the jar package

is used in some systems) is added, the maintenance center module can connect to new

management systems. The maintenance center module can connect to the following systems:

Network monitoring system

Storage and server monitoring system

Middleware and database monitoring system

Virtual resource pool management system

ITSM system

Existing LDAP system

Notification server (such as a mailbox or SMSGW).

By default, the maintenance center module can connect to some common systems, such as

HUAWEI eSight, HUAWEI FusionManager, CA Spectrum and Performance Center, and

other third-party management software.

The basic layer provides the following services and functions:

Centralized comprehensive monitoring services, allowing users to view resource status and topologies

Comprehensive alarm services, which collect alarm information from other systems and support alarm query in multiple dimensions

Comprehensive performance services, allowing users to view device performance

Report management Various O&M reports are provided, including predefined unified

O&M reports. Reports at each layer in the IT system are provided, including server

reports, virtualization reports, network reports, and database reports. In addition, report generation tasks can be flexibly scheduled.

The intelligence layer provides analysis functions.

Users can search for information in databases and system logs, and associated information is displayed by entry.

The presentation layer provides the following functions:

Provides a unified portal, from which users can go to other pages or other systems. The portal saves users' personalized setting and records users' usage habits.

Provides the northbound interfaces (NBIs) for adapting to various upper-layer

management systems. Information about resources, alarms, and performance is open to upper-layer systems, and users can query analysis results through the API.

Resource Pool Management Module

Module Overview

IDC Solution




64

This resource pool management module is dedicated for the local data center and can be

accessed by hardware devices from various vendors and virtual platforms. It dispatches

resources for the global resource management subsystem based on service level and resource

load by performing computing, storage, and network automation. It also provides local

templates and image management, monitors resources, and manages measurements.

Architecture

Figure 4-17 shows the architecture of the resource pool management module:

Figure 4-17 Architecture of resource pool management module

Orchestrator

VMPhysical

machine

Block

storageFirewall …

Measurement

management

Image

management

Document

management

Portal Open API

Network

automation

Storage

automation

Computing

automation

Global management layer

Managem

ent

layer

Access

layer

Auto

mation

layer

This J2EE frame-based resource pool management adopts classic three-layer B/S architecture. As regards to deployment, the resource pool management supports active/standby or cluster

deployment. The following functions are supported:

Manages multi-vendor hardware devices

Differences between hardware devices that are provided by various manufacturers are

masked off to achieve unified hardware management. A unified physical resource

management system is established to effectively manage physical resources of the cloud IDCs.

Manages virtualization platforms that are provided by various manufacturers

Virtualization platforms that are provided by various manufacturers, such as VMware

and HUAWEI FusionSphere, are managed in a unified manner.

Rapid service customizing

Graphic service processing is provided to facilitate service process customizing and

expanding for customers.

Functions

IDC Solution




65

The resource pool management module has three layers: access layer, management layer, and

automation layer. The following describes functions of each layer respectively:

Access layer: including Portal and Open API modules.

− Portal: Enables the unified management of the computing, storage, network resources

of the local data center and images, templates, and software packages of the VM,

provides various dashboards to display various customer-concerned management indicators of the data center.

− Open API: Provides RESTful, SOAP, and SDK API.

Management layer: including resource module, image management, measurement management.

− Resource management: Plans the resource pools of computing, storage, and network

based on network location, service level, and function, allocates resources based on

the requirements of the global management, manages the capacity and monitors the performance of the applied resources.

− Image management: Manages VM images and software package images. Images can

be imported or exported from the subsystem of the local resource management system and be quoted by the global resource management subsystem.

− Measurement management: Records events of resource application, changes, return,

and power-on/off to the measurement files and reports the events periodically to the

global resource management subsystem.

Automation layer: including Orchestrator and computing/storage/network automation

− Orchestrator: Resolves resource applications and configurations into the automatic

allocation commands of the computing/storage/network automation, and provides

graphic service processing to facilitate service process customizing and expanding for customers.

− Computing/storage/network automation: Manages physical machines, network

devices, storage devices, and virtual environment, detects and configure devices

automatically over device management ports, implements automatic virtual resource

application and configuration by dispatching the northbound ports in the virtual

environment. The automation module is Plugin-mechanism based, which facilitates the integration of servers, switches, storage devices, and virtual environments.

4.4.3 Customer Benefits

HUAWEI ManageOne solution is dedicated to the service operation and management of the

distributed cloud data center, which enjoys the following features and advantages:

Supports unified management for multiple data centers.

Implements the self-help resource and strategy applications of customers and supports various O&M modes.

HUAWEI ManageOne solution benefits our customers by the following advantages:

High resource usage rate and low cost

− The server usage rate is raised from 10% below to 50%.

− Resources can be shared across DCs and scheduled by strategy.

− DCs and devices can be reused.

Agile services

− The service rollout time is shortened from 30 days to 30 minutes.

High-reliability computing environment

IDC Solution




66

− High reliability of VMs is supported.

− Data and network security is ensured.

Innovative service mode

− Unified infrastructure and self-service resource management is available.

− Resource usage metering and review are supported.

− Idle data centers can be rented.

4.5 DR

The following DR solutions are based on arrays and are applicable to only the server + SAN

storage architecture.

4.5.1 Overview

DR is the capability to recover from a disaster. Two or more systems with the same functions

are deployed at different locations. They monitor the healthy status of each other and support

function switchover. If one system is unavailable due to an unexpected event, such as a fire,

flood, earthquake, or deliberate human damage, the whole application system falls over to

the DR system at a different location, which ensures continuous system running.

The DR system must provide comprehensive data protection and DR functions. When the

production center fails to run properly, these functions ensure data integrity and service

continuity and allow the DR center to replace the abnormal production center in a timely

manner to recover services and minimize losses.

Evaluation Indexes for DR Systems

Data loss amount and system recovery period are used as indexes for evaluating a DR system

in the industry. The recovery point objective (RPO) and recovery time objective (RTO) are

two industry-accepted standards.

RPO: indicates the requirement for time point. When a disaster occurs, the system and data

must be recovered to their original states at this time point. RPO refers to the maximum data

loss amount tolerated by the system. The smaller the tolerable data loss amount is, the smaller

the value of the RPO must be.

RTO: indicates the requirement for the recovery duration of an information system failure or

service function failure caused by a disaster. RTO refers to the maximum service interruption

duration tolerated by the system. The more urgent the system services are, the smaller the

value of the RTO must be.

The RPO is related to data loss, but the RTO is related to service loss. The RTO and RPO can

be determined only after risk analysis and service influence analysis are conducted based on

service requirements.

The International Share78 Standard classifies the DR system into seven grades, as shown in

Figure 4-18.

CAUTION

IDC Solution




67

Figure 4-18 DR system grades

Cost Remote DR center

Available backup center

Time-based backup

Tier 1: PTAMTier 2: PTAM + Hot standby site

Tier 3: Electronic vaulting

Tier 4: Batch/online database image or log transmission

Tier 5 Software-level, two-site, two-phase commit (integrity of exchange)

Tier 6: Near-zero or zero data loss and remote data mirroring

Tier 7: Near-zero or zero data loss, remote data mirroring, and automatic service switchover

The disaster recovery specifications for information systems classify DR into six levels.

Figure 4-19 DR levels

Disaster recovery specifications for information systems—GB/T 20988-2007

Media-level DR

Data-level DR

Application-level DR

DR Capability

LevelDescription Requisite

Level 1 Basic support

Standby premises support

Electronic transmission and

some device support

Electronic transmission and full device support

Real-time data transmission and full device support

Zero data loss and remote cluster

support

Level 2

Level 3

Level 4

Level 5

Level 6

· Full backup is performed at least once every week.

· Management regulations for media access, verification, and dump are formulated.

· Complete testing and drill are performed for disaster recovery plans.

· Data, communications lines, and network devices are transferred at preset time.

· Management regulations for standby premises are formulated.

· Agreements on emergent device and network supply are signed.

· Some data, communications lines, and network devices are configured.

· Electronic data transmission is performed several times per day.

· Full-time management personnel are assigned for standby premises.

· All required data, communications lines, and network devices are configured and get ready.

· 24/7 running is supported, and technical support and O&M management are available.

· Remote data replication is supported.

· Standby networks support automatic or central switchover capabilities.

· Data is remotely backed up in real time to achieve zero data loss.

· Applications support real-time seamless switchovers.

· Remote clustered systems support real-time monitoring and automatic switchovers.

More than 2 days

More than 24 hours

More than 12 hours

Several minutes to 2

days

Several minutes

Several hours to 2 days

1 to 7 days

1 to 7 days

Several hours to 1 day

Several hours to 1 day

0 to 30 minutes

0

RTO RPO

The higher DR grade requires more complicated technology and more investment and has

greater impact on service systems. Meanwhile, it is more difficult to perform scalability of

solutions and manage the DR function. Therefore, the DR solution of a data center is made by

IDC Solution




68

taking several factors into consideration, including service requirements, DR investment,

implementation difficulty, and management complexity.

DR Technologies

DR technologies include the database-based DR technology, host-based DR technology,

virtual gateway-based DR technology, and storage-based DR technology.

Database-based DR technology

The database-based DR technology sends the database logs to a different location and

synchronizes the data to the remote host to guarantee consistency between the local and

remote databases. This scheme has the minimum error rate by using the database

software to keep data consistency. Moreover, it has the highest switching speed.

However, this scheme is supported only by several database vendors with cutting-edge

technologies, such as Oracle's Dataguard and DB2's HADR.

Host-based DR technology

The volume replication software or third-party data replication software installed on

servers is used to capture the high-layer write I/O, and remote servers are connected by using Transmission Control Protocol (TCP) or IP networks to remotely replicate data.

With the host-based DR technology, the high-layer I/O is captured by the OS-level

processes. As a result, the host CPU and memory resources are consumed. The

mainstream software supports the local caching technology to reduce consumption of the

host CPU and memory resources. The main OS-level DR technology providers and their products are Veritas's VRR, FalconStor's CDP DR set, and Vision's Double-take HA.

Virtual gateway-based DR technology

A storage gateway is added to the SAN between front-end application servers and

back-end storage systems. The storage gateway is different from common network

gateways. Use the Huawei VIS gateway as an example. The Huawei VIS gateway

connects to servers at the front end and storage devices at the back end. The VIS gateway

serves as a policeman in the storage network and controls all I/Os. It supports local storage system applications as well as remote data replication.

The virtual DR technology features powerful functions. Data replication is performed by

storage gateways, so impact on host performance is minimized. In addition, virtual

storage gateways help consolidate front-end heterogeneous servers and back-end storage

devices of different brands.

Storage-based DR technology

The storage-based DR technology is implemented based on storage systems (such as disk

arrays and NAS). Value-added functions built in storage systems replicate data to the

remote end in synchronous or asynchronous mode over the IP, dense wavelength

division multiplexing (DWDM), or FC network. Devices of mainstream storage vendors support the storage-based DR technology.

Compared with the host-based DR technology, the storage-based DR technology

separates data from host applications, which minimizes impact on host running. In

addition, data is replicated by mirroring, and the high-speed cache is used to accelerate

I/O. Therefore, time point difference of data at two ends is small. Moreover, storage systems support error tolerance, which ensures running performance and data reliability.

Huawei IDC DR Solutions

Based on different application scenarios and service requirements of the Huawei cloud

platform, the Huawei IDC solution provides the cloud platform active/active VIS DR solution and cloud platform array replication-based DR solution to support data center-level DR.

IDC Solution




69

Table 4-11 Cloud platform DR solutions

Solution Type Solution Function Cost

Active/Active D

R

Cloud platform

active/active VIS DR solution

Both the production and DR sites

can provide external services.

VMs can be migrated from one site to the other site.

The RPO is near zero, and the RTO is minute-level.

This solution is applicable to

only the server +SAN storage architecture.

High

Active/Standby

DR

Array

replication-based DR solution

The graphical DR management

UI is available.

The RPO is minute-level, and the RTO is less than 4 hours.

This solution is applicable to

only the server +SAN storage

architecture.

Medium

4.5.2 Active/Active VIS DR Solution

Solution Architecture

By using the active/active VIS DR solution, cloud platforms and storage arrays are deployed

on local and remote sites. VIS nodes from the same VIS cluster and hosts from the same

cluster are deployed on local and remote sites in active/active mode. By using the mirroring

technology of the VIS system, these VIS nodes provide storage access services for local and

remote sites simultaneously. Storage access services can be switched over seamlessly.

Automatic DR switchover is achieved by using the VM HA function.

IDC Solution




70

Figure 4-20 Active/active VIS DR solution architecture

Active-active VIS DR is based on the across-array mirroring replication function of VIS.

When new data is written from a host to the VIS6600T, the VIS6600T writes the data to

production volumes and mirrored volumes simultaneously. After data is written into the two

volumes successfully, the VIS6000 returns a success signal to the host. In the mirroring mode,

data in mirrored volumes must be the same as that in production volumes. Mirroring can be

deployed locally and remotely. Compared with other backup technologies, the mirroring

technology features better data protection.

The VIS6600Ts in two sites use the active-active cluster technology. Nodes generally work at

the same time and concurrently process service requests from hosts. Nodes back up each other.

When one or multiple nodes are faulty, other nodes automatically take over services of the

faulty node or nodes rapidly, ensuring service continuity. The VIS cluster is required to

provide large layer 2 networking for the VIS in the two sites.

In virtualization environments, virtualized management nodes (such as FusionManager, UHM,

and VRM) in active/standby mode are deployed in the two sites that have a far distance to

continuously support the VM functions such as HA and live migration. Heartbeat

communication between active nodes and standby nodes is required. Therefore, the large layer

2 networking and active/standby gateway redundancy mechanism are required. You can use

an aggregation switch or core switch as a gateway.

The VIS6600T cluster can balance services among multiple nodes for processing. The service

sharing mode is called load balancing. Load balancing fully utilizes resources and improves

system work efficiency and performance. Users can maximize benefits from the cluster

system investment. The division of the VIS cluster is determined by a LUN. A VIS quorum

disk is used to determine which VIS uses the LUN service.

IDC Solution




71

To prevent performance from being affected by high latency of remote storage mirroring, the

distance between the production site and the DR site must be less than 100 km, and the

single-trip network loopback latency between sites is equal to or less than 5 ms. Therefore,

storage planes in sites must use optical fibers to ensure better latency and meet actual

bandwidth requirements.

Solution Selection Restrictions and limitations

− This solution applies only to virtualized storage with big LUNs but does not applies

to virtualized storage with small LUNs.

− This solution depends on the mirroring and cluster capabilities of the VIS6600T with

big LUNs. The distance between the production site and the DR site must be less than 100 km.

− Considering the performance and compatibility, this solution uses only the FC SAN

other than the IP SAN. In addition, hosts connect to VIS devices through FC connections other than iSCSI connections.

− This solution can be used only between two data centers other than among multiple data centers.

Network bandwidth between the production site and the DR site

Bandwidth configuration suggestions are made for large layer 2 networking, FC storage links, and IP network connection between the two sites and the quorum disk.

− Large layer 2 networking: The two sites need large layer 2 networking to support

virtualization management and VIS cluster management. The large layer 2

networking transmits virtualization management data, live migration data, and VIS cluster management data.

Estimated bandwidth required by virtualization management data: 100 Mbit/s (peak

value)

Estimated bandwidth required by VIS cluster management data: 100 Mbit/s (peak value)

Bandwidth required by live migration of a VM: Bw = [(D+Mem/Tn) x C%]/RBw

Table 4-12 Factors that affect VM live migration bandwidth

Bw Specifies the network bandwidth (Mbit/s).

Tn Specifies the total migration time (s). The maximum time period of VM

migration is 20 minutes.

Mem Specifies the VM memory size (MB).

MU Specifies the actual memory usage. The value is generally 70%.

RBw Specifies the actual bandwidth usage. The value is generally 0.8.

D Specifies the memory change rate. The memory change rate is generally 2.5

MB/s for 1 GB memory.

C% Specifies the memory compression rate. The current value is 100% (no

compression).

IDC Solution




72

//Assume that it takes about 30 seconds for a VM with 2 GB memory to implement

live migration, 516 Mbit/s is required. The bandwidth is calculated as follows: [(2.5 x 2 + 2000 x 0.7/30) x 8 x 100%)/0.8 = 516 Mbit/s

You can refer to the preceding formula to calculate the bandwidth required by multiple VMs based on specifications. Live migration is rarely implemented.

− FC storage link

FC switches between the two sites must be connected.

FC storage bandwidth: Bw = (PIO x VM) x 8/RBW

Table 4-13 Factors affect FC storage bandwidth

Bw Specifies the network bandwidth (Mbit/s).

PIO Specifies the peak I/O data volume (MB/s) of a VM.

VM Specifies the number of VMs that need DR.

RBw Specifies the actual bandwidth usage. The value is generally 0.8.

//Assumes that the storage bandwidth of each VM is 10 Mbit/s, and the number of

VMs that need DR is 30, the total bandwidth of the FC link is 300 Mbit/s (30 x 10 Mbit/s).

− IP network connection between the two sites and the quorum disk

You are advised to use 1 Mbit/s bandwidth to support the IP network connection.

4.5.3 Array Replication-based DR Solution


The array replication-based DR solution implements remote data replication between the

production center and the DR center by using the remote replication function of the storage

system. In this solution, the UltraVR DR management software is used to synchronize cloud

platform management data between the production center and the DR center, and provide

the DR management function. When a disaster occurs in the production center, the DR center

uses the UltraVR to restore the Huawei cloud platform. This ensures the continuity of cloud

platform services in the production center.

IDC Solution




73

Figure 4-21 Array replication-based DR solution

In this solution, one cloud platform is deployed on the production center to provide a service

system platform for users, and another cloud platform is deployed on the DR center to provide

cloud DR protection. When a disaster occurs in the production center, the cloud platform and

related service systems of the production center are switched to the cloud platform of the DR

center, ensuring service availability.

Cloud platform management data is synchronized from the production center to the DR center

by using the UltraVR. The UltraVR can communicate with VRMs and the local IP SAN, and

forward messages between the production center and DR center by using message interfaces.

The UltraVR communicates with the VRM through Representational State Transfer

(REST) to obtain related information (such as VM information) and perform operations

(such as starting and stopping the VM by the VRM).

The UltraVR communicates with arrays through SMI-S or TLV to perform array-related

operations, for example, issue synchronization commands to arrays and run switchover commands.

The production center communicates with the DR center by using the UltraVR, such as

the DR configuration synchronization and association between the production center and

the DR center.

All VMs running on the production center cloud platform are stored on the production storage

resource pool. Remote VM DR is implemented by using remote replication technologies of

Huawei OceanStor T series storage. Some LUNs can be set to LUNs that require DR, and

some LUNs can be set to LUNs that do not require DR.

Remote replication is data mirroring based on the LUN level. The active LUN provides the

data access function, and the standby LUN copies data from the active LUN. When the active

LUN is faulty, the standby LUN can take over services from the active LUN. After the active

LUN recovers, services are switched over from the standby LUN to the active LUN. This

ensures user application continuity and data availability.

When the remote replication relationship is established between the active LUN in the

production center and the standby LUN in the DR center, an initial synchronization

process will start. That is, all data on the active LUN is copied to the standby LUN. Then

synchronous or asynchronous replication is implemented based on configuration.

Synchronous replication requires a short distance between two sites. Therefore, this solution adopts asynchronous replication.

IDC Solution




74

Asynchronous replication: A snapshot is created for the active and standby LUNs respectively

according to the specified interval (1 to 1440 minutes, within one day). The active LUN

snapshot ensures data consistency. The standby LUN snapshot is used to ensure availability

for the standby LUN data when exceptions occur during synchronization.

Solution Selection Restrictions and limitations

− This solution supports only the Huawei cloud platform but does not support heterogeneous platforms such as VMWare and XenServer.

− This solution supports only virtualized storage with big LUNs but does not support

virtualized storage with small LUNs. (A single set of Huawei Symantec IP SAN

supports only 256 groups of synchronous mirroring and 128 groups of asynchronous mirroring, which does not meet LUN requirements.)

− This solution does not support synchronous replication.

− This solution depends on the remote replication function of Huawei IP SAN. Because

Huawei IP SAN cannot update VM I/O cache data to disks during remote replication, it cannot be ensured that all VMs that need DR can be started.

− VM configuration data is synchronized by using UltraVR, and VM disk data is

replicated by the IP SAN in asynchronous mode, so the synchronization cycles of

VM configuration data and disk data are inconsistent. During DR switchover, VM

configuration data is updated, while VM disk data is rolled back to the previous snapshot. As a result, data is inconsistent.

Network bandwidth between the production site and the DR site

Network bandwidth for replication does not compromise host operating performance but

affects the RPO of the DR system. If the bandwidth allocated to the replication links of

the DR system is too low and data amount of the service system in the production center

is large, data on the production disk arrays cannot be replicated to the DR center in time.

If a disaster occurs in the production center, data may lose. On the contrary, sufficient

bandwidth can ensure that data in the production center is replicated to the DR center in time. This reduces the RPO.

You can calculate the required bandwidth as follows: Suppose in a replication DR system:

− The peak data write bandwidth of the host is BS.

− The average data write bandwidth of the host is BA.

− The network bandwidth between the DR center and production center is BI.

− The required RPO is T0.

− The network bandwidth is smaller than disk array read/write bandwidth and storage network bandwidth.

During time T, data amount in the production center with peak data write bandwidth D =

(BS – BI) x T. To meet the requirement of the RPO, D must be smaller than BI x T0. Therefore, (BS – BI) x T is smaller than BI x T0 or BI is greater than (BS x T)/(T + T0).

Recommended: BA < BI < BS

The data transfer amount is expressed in B/s and bandwidth is expressed in b/s. 10 b is equal to 1 B. For example, 2000 Mb/s is equal to 200 MB/s (2000 Mb/s/10).

If the IP replication bandwidth is R Mb/s, it is (R/10) MB/s. Because 20% to 30% bandwidth

loss exists during data transfer, the maximum data transfer bandwidth is (R/10) MB/s x 70%, or (0.7 x R/10) MB/s.

NOTE

IDC Solution




75

Calculate required network bandwidth based on site requirements.

4.5.4 Comparisons Between DR Solutions

Table 4-14 Comparisons between DR solutions

Solution Function Application Scenario

Cloud

platform

active/active

VIS DR

solution

Both the production and DR sites can

provide external services.

VMs can be migrated from one site to the other site.

The RPO is near zero, and the RTO is minute-level.

Two sites provide services

simultaneously.

VMs can be migrated across sites.

The RPO is second-level, and the RTO is minute-level.

Array

replication-b

ased DR solution

Provides a graphical DR management

page, simplifies management, and

facilitates operations.

The synchronization cycle of site data

can be set flexibly based on site

requirements and site network status.

The cycle will affect the RPO.

The RPO is minute-level, and the RTO

is less than 4 hours.

Active/standby DR is required

for the Huawei cloud platform.

Two sites do not provide services

simultaneously. The RPO is less

than 30 minutes, and the RTO is hour-level.

4.6 Backup

4.6.1 Overview

Data backup is used to protect data. Based on certain backup policies, application data is

duplicated and stored on preset storage media for data recovery when an online system fault

occurs.

Backup System Components Backup software

Excellent backup software can incorporate acceleration, automation, DR, and

consistency policies into a control platform to simplify processing, improve operation

speed, reduce storage costs, and simplify management. In addition, backup system

security, validity, stability, and scalability are ensured.

Backup network

Backup networks can be the SAN, LAN, MAN, WAN, and hybrid

SAN+/LAN/MAN/WAN. Backup networks provide data transfer channels and play a crucial part in data backup implementation.

Backup storage media

Backup storage media is used to carry data, which is classified into two types: physical

and virtual. Storage media must be reliable. Otherwise, data on the storage media will lose.

IDC Solution




76

Backup management

An excellent backup system must be equipped with qualified software and hardware. In

addition, backup policies and management plans must provide high availability. Backup

policies of a complex system must be configured based on application and service types. Qualified backup policies must be configured by consideration of various factors.

Backup Modes Full backup

A full backup backs up all data or applications at a certain time point. To implement this,

a tape is used to back up the entire system, including the system and all data in the

system.

Incremental backup

Incremental backup backs up only the files that have changed since the last full or incremental backup.

Differential backup

Differential backup backs up all files that have been changed (based on archive bit) since

the last full or incremental backup. Only the first full backup data and the last differential backup data are restored.

Synthetic backup

The synthetic backup data is created from a recent full backup and subsequent

incremental backups. During synthetic backup, original data is not involved, which

minimizes impact on the CPU of application servers. In addition, the new synthetic backup can be used to protect data, set new sites, and test systems.

Backup System Networking

Common backup system networking has two structures: LAN-based and LAN-free.

In the LAN-based structure, backup data is transmitted over the Ethernet. One or

multiple servers are configured as backup server(s) to manage policies or media

read/write of the backup system. A tape library is connected to the backup server. The

LAN-based structure helps reduce investment and supports tape library sharing and

centralized backup management. However, the LAN-based structure puts high pressure on network transmission.

The LAN-free backup system is built on the SAN. It adopts a new architecture where

tape libraries and disk arrays are independent fiber nodes. When multiple hosts share a

tape library, data streams are directly transmitted from disk arrays to the tape

library without traversing networks. In this way, no network bandwidth is occupied. The

LAN-free structure supports centralized data backup management, fast backup, and tape

library sharing, and puts little pressure on network transmission. However, the LAN-free

structure requires high investment.

Rules for Designing a Backup System

Data backup is used to ensure data restoration, eliminating the worries of the system operators

and users. The data backup solution varies according to application scenarios. Generally, a

complete backup system must meet the following requirements:

Stability

The main function of a backup system is to provide a data protection method. For this

reason, the stability and reliability of a backup system become the most important issues.

IDC Solution




77

The backup system must be compatible with the OS and must be able to quickly and

effectively restore data when a disaster occurs.

Comprehensiveness

In complex computer network environment, there may be various operating platforms

(such as UNIX, NetWare, Windows NT, and VMS) and various application systems,

such as Enterprise Resource Planning (ERP), databases, and clusterware systems.

Backup software that supports various OSs, databases, and typical applications is recommended.

Automation

Many systems have restrictions on backup start time and backup window due to

their work natures. Data backup can be performed at midnight when the service system

carries the least load. However, such midnight operation will increase burdens on the

system administrator. Therefore, the backup solution must be able to provide automatic

backup functions and automatically manage backup media equipment. During the

automatic backup process, the backup system must also provide logs and automatically

generate alarms when exceptions occur.

High performance

An increasing amount of data is generated and updated frequently to meet the increasing

service demand. If data backup cannot be complete during the off-hour, the data backup

performed during working hours affects system performance. This dilemma requires

taking the data backup speed into consideration when planning backups to ensure that data backup can be accomplished within the specified time period.

Effective maintenance for the service system

Data backup may affect service system performance. It is important to use effective

technical measures to prevent the server system, database system, and network system

from being affected by data backup. In addition, data that is restored by the backup

system must be valid and complete.

Simple operation

Data backup is used in different areas. Operators who perform data backup belong to

different levels. An intuitive and simple GUI is required to shorten operators' learning curve, reduce their working pressure, and facilitate data backup configuration.

Real time

Some key tasks require 24 hour uninterrupted operation. Some files of these tasks may

still open during data backup. In this case, measures are taken to check file size in real

time and perform event trace to ensure that all system files have been correctly backed up.

Huawei IDC Backup Solutions

Huawei provides the various backup solutions as described in Table 4-15 to meet different

requirements of application scenarios, application types, IT infrastructures, and investment

budgets.

Table 4-15 Huawei IDC backup solutions

Solution Type Solution Description

VM backup VM-level

backup This solution is based on a VM snapshot backup

system developed by Huawei based on the

virtualization platform. This solution can back up VM data and does not require any agent nor any backup

IDC Solution




78

Solution Type Solution Description

client on VMs.

File-level cloud

backup

CommVault

cloud backup

In this solution, the CommVault backup software is

used to construct a centralized backup system. Files,

mainstream databases, and applications on mainstream

OS platforms can be backed up. The backup function

serving as a service is provided for end users over the

Internet.

Traditional file

backup

NAS

file-level backup

This solution provides backup resources by sharing

directories.

Integration

backup

HDP backup The HDP3500E, a Huawei-developed software and

hardware integrated backup device, integrates

mainstream NBU backup software. The HDP3500E

has powerful and reliable backup functions and features flexible networking and easy configuration.

Traditional

backup

NBU backup In this solution, the NBU backup software is used to

construct a centralized backup system, which can

connect to physical tape libraries, NAS storage

devices, and virtual tape libraries to provide large-capacity backup storage media.

4.6.2 VM-level Backup Solution


A local backup system is set up to create snapshots for VMs by using the snapshot function of

the cloud platform and back up VM snapshots. The backup process does not affect VM

running. When VM data is lost or deleted mistakenly, the local backup system can be used to

restore VMs.

Figure 4-22 shows the VM-level backup architecture.

IDC Solution




79

Figure 4-22 VM-level backup architecture

FM

VRMVRM

CNACNA

HyperDPDisp

atcher

HyperDP

ProcessorCNACNA

HyperDP

Processor

Main StorageBackup Storage

Local Dir/NASMain Storage

Backup Storage

Local Dir/NAS

Backup control flow

Backup data flow

This solution uses the Huawei-developed HyperDP system. The HyperDP backup system

consists of the HyperDP backup server and backup storage medium.

The HyperDP backup server has components including Dispatcher and Processor. It is

recommended that the HyperDP backup server be deployed on VMs.

Dispatcher: schedules data backup and restoration tasks and manages HyperDP Processor.

Processor: manages backup and restoration tasks and backs up and restores VMs.

The HyperDP backup server role can be set to HyperDP Dispatcher and HyperDP Processor.

A backup domain has only one HyperDP Dispatcher for scheduling data backup and

restoration tasks and managing HyperDP Processor. A backup system has multiple HyperDP

Processors which are responsible for VM backup and restoration.

The local directory of the backup server or NAS shared storage can be used as backup storage

medium.

Local directory/NAS: The local directory refers to the storage of the backup server. The

additional storage space allocated to VMs when the backup server is deployed on VMs can be

used only by the backup server. NAS is shared storage which can be shared by multiple

backup servers.

VRM: provides VM snapshot interfaces and allows query of physical storage information of

virtual volumes.

Primary storage: creates snapshots for virtual volumes and obtains differential bitmaps and

backup data.

VM backup policies can be set on the HyperDP system. The time point for generating VM

snapshots, backup start time, and backup cycles can be set. Periodical full backup and

incremental backup are supported. Moreover, VMs can be restored to the specified time point.

Solution Selection

Restrictions and limitations:

IDC Solution




80

This solution supports VM-level backup only for cloud hosts on the Huawei cloud

platform. Backup for VMs on the VMware and Citrix platforms in not supported.

This solution provides backup based on VM snapshots. The VM snapshot feature has the following limitations which affect the VM snapshot-based backup:

− A VM supports at most 32 snapshots.

− VMs with shared volumes mounted do not support snapshots.

− Linked clone VMs do not support snapshots.

− VMs created by templates do not support snapshots.

The IP SAN with big LUNs supports only virtual storage-based VM backup and

restoration, but does not support block device-based VM backup and restoration. During

VM backup, related disk data and some configuration data of VMs are backed up, and

data on the VM memory and peripherals such as CD-ROMs and USBs is not backed up.

Backup data integrity depends on the function of creating consistent snapshots and

support for data integrity. FusionCompute V100R003C00 supports the function of

creating consistent snapshots only for Windows OSs that support virtual software switch

(VSS). (VMware and Citrix also have this limitation). The function of creating consistent

snapshots is dependent on the VSS capability of Windows OSs. This function reduces

the probability of blue screen of death (BSOD) for VMs that run on Windows OSs and

support VSS. However, it cannot exterminate BSOD nor ensure data integrity for Linux

OSs and Windows OSs that do not support VSS. When BSOD occurs on VMs and VMs

cannot be restored after being restarted, you are advised to use backup data at other time

points to restore the VMs.

4.6.3 CommVault Cloud Backup Solution


CommVault cloud backup solution uses CommVault Simpana backup management software

to create a centralized backup system locally, and end users install backup client software on

their computers. Files, mainstream databases, and mainstream application systems on users'

computers can be backed up and restored through the backup client.

CommVault Simpana software provides a centralized backup system management platform.

Simpana integrates backup and recovery module, archiving module, replication module,

resource module, and search module. This simplifies data lifecycle management. This ensures

rapid and reliable data backup and restoration.

A CommVault cloud backup system consists of the backup management software, backup

server, and backup storage device. The backup management software is the core of the entire

backup system. The current version adopts CommVault Simpana backup management

software.

The Simpana includes:

CommServe

The CommServe manages all operations of the data backup, archiving, and recovery. It is

also responsible for maintaining CommCell configuration and data storage information, managing all tasks, policies, user security and module licensing.

Only control information passes through the CommServe software module; not the data

itself. It also houses the meta database catalog. This database includes metadata about the

nature and location of the data that is stored. The centralized event manager logs all events, providing unified notification of important events.

MediaAgent

IDC Solution




81

The MediaAgent transfers data between the client computer(s) and the storage media.

Each MediaAgent communicates locally or remotely with one or more storage devices, which contain the storage media.

The MediaAgent software is designed to be storage-media independent. Therefore, it is capable of supporting a wide variety of storage models.

iDataAgent

A client system provides the resources necessary for an iDataAgent to access the data.

Clients can be either physical machines independent on the network or VMs in a

clustered environment. Data accessed from the client can reside on local disks or mounted file systems via a LAN or SAN.

Client systems must be accessible from the CommServe and supporting MediaAgent at

all times during backup and restoration operations. This connection is necessary to

exercise control over the operation and to update indexing and tracking data on these systems.

Figure 4-23 shows the CommVault backup solution architecture.

Figure 4-23 CommVault backup solution architecture

Data Center

Firewall

StorageDMZ area

Lessee 1

Lessee 2

Backup server

Media server

Backup agent

Backup data flow

Backup control flow

The CommServe and Media Agent are deployed on the data center intranet, and the Proxy

Server and Web Console Server are deployed on the DMZ for access from external users.

Backup data flow is transmitted to the Proxy Server first, and then transmitted to the backup

system in the intranet. The backup data flow is indicated by red dotted lines in the preceding

figure. The Web Console Server provides a web console GUI, and allows users to view, back

up, and restore data through the console GUI. The backup control flow is indicated by green

dotted lines in the preceding figure.

Tenants install backup agents locally and access the Web Console Server to perform

operations such as configuring backup policies. The Simpana backup system isolates tenants.

After tenants access the Simpana backup system, tenants can only view and perform

operations for their own resources.

IDC Solution




82

User backup data flow must be transmitted to the Proxy Server first, and then the Proxy

Server sends the data flow to the Media Agent. On the Simpana backup system, users can

configure load balancing policies to prevent heavy load of a Media Agent.

Solution Selection

Restrictions and limitations:

This solution does not support backup and restoration for the entire OS.

This solution does not support LAN-free and Server-free backup architectures.

4.6.4 Comparison Between Backup Solutions

Table 4-16 Comparison between backup solutions

Solution Type Solution Function Application Scenario

VM backup VM-level backup Supports system volume

backup.

Supports data backup and

restoration for a single VM.

It is not required to install backup agents on VMs.

1. Public clouds provide VM

backup services.

2. The VMs running on the

Huawei cloud platform are backed up centrally.

File-level cloud

backup

CommVault cloud

backup

Supports file data backup of

VMs and physical machines.

Supports the backup of

mainstream file systems,

databases, and applications.

The backup function serving

as a service is provided for

end users over the Internet,

and end users can customize

backup policies.

Public clouds provide data cloud

backup services.

IDC Solution

White Paper A Acronyms and Abbreviations



83

5 IDC Reference Models

5.1 Reference Model for a FusionStorage Small-scale Scenario

5.1.1 Networking

Figure 5-1 Networking in a FusionStorage small-scale scenario

Internet

Resource Pool

30*RH2288H V2

GE 10GE

O&M Network

CE6850

…….

GE

3328

FW E1000E-X5 FW E1000E-X5

Resource pool capabilities: 1268 vCPU, 2934 GB memory, 238.32 TB storage, and four cabinets

CSB/eSight

The reference model for a small-scale scenario supports a maximum of 30 servers to provide

1268 vCPU, 2934 GB memory, 238.32 TB storage, and offer cloud host and VPC services.

IDC Solution




84

In the small-scale scenario, the access layer and core layer are integrated to reduce the

network costs of small-scale projects.

A pair of E1000E-X5 firewalls is used to provide vFW service and other security features.

CSB and ManageOne hardware and software are configured to provide cloud host operation

and resource pool maintenance capabilities.

5.1.2 Device Configuration

Table 5-1 Device configuration in a FusionStorage small-scale scenario

Device

Classification Device

Type Configuration Quantity Remarks

Computing and

storage devices

RH2288

H server

MCNA:

CPU: E5-2695

Memory: 128 GB

Hard disk: two 600

GB SAS disks,

twelve 2 TB SATA

disks, and one 800 GB SSD card

RAID card: SR120

SAS/SATA RAID

card

NIC: two 10GE

NICs

2 Computing

storage resource pool

LCNA:

CPU: E5-2695

Memory: 128 GB

Hard disk: two 600

GB SAS disks,

twelve 2 TB SATA

disks, and one 800

GB SSD card

RAID card: SR120

SAS/SATA RAID card

NIC: two 10GE

NICs

3

IDC Solution




85

Device Classification

Device Type

Configuration Quantity Remarks

SCNA:

CPU: E5-2695

Memory: 128 GB

Hard disk: two 300

GB SAS disks,

twelve 2 TB SATA

disks, and one 800 GB SSD card

RAID card: SR120

SAS/SATA RAID card

NIC: two 10GE NICs

25

RH2288

server

CSB:

CPU: E5-2650

Memory: 128 GB

Hard disk: two 300 GB SAS disks

NIC: GE NIC

2 Deploys the

CSB database.

IPSAN

S5500T

Cache: 8 GB

Hard disk: five 600 GB SAS disks

1

RH2288

server

RH2288:

CPU: two E5-2640 CPUs

Memory: 32 GB

Hard disk: three 300

GB SAS disks (2.5)

LOM: four GE LOMs

NIC: one 4 x GE NIC

RAID card: SR320BC+BBU

PS: two 750 W PSs

1 Deploys the

eSight.

Network BMC

manage

ment

access switch

3328 4 Supports

server BMC

and other

device

management

access.

IDC Solution




86


Device Type


Manage

ment

access switch.

One S5328, which

provides two 10GE optical modules

2 Supports CSB

and eSight

service and storage access.

Core

switch

One CE6850, which

provides thirty 10GE

optical modules and

two 40GE optical modules

2

Firewall One E1000E-X5, which

provides two 10GE

optical modules

2

Virtualization

software

FusionS

phere

V100R003C10

platinum edition

60

Distributed

storage software

FusionSt

orage

Virtualization edition

(per TB), which

includes one-year

exclusive upgrade

service

720

O&M system

software

CSB V100R001C20 1

O&M

management software

Manage

One

OC 1

eSight 1

IDC Solution




87

5.2 Reference Model for a FusionStorage Large-scale Scenario

5.2.1 Networking

Figure 5-2 Networking in a FusionStorage large-scale scenario

Internet

40*RH2288H V2

GE 10GE

O&M Network

...

CSS

40*RH2288H V2

...

CSS

GE

40GE

10GE

FW E8000E-X8

10GE

FW E8000E-X8

CSS

CE6850 CE6850CE6850CE6850

CE12804

...

128*RH2288H V2

Resource pool capabilities: 5568 vCPU, 12984 GB memory, 1022.32 TB storage, and 15 cabinets

3328

The reference model for a large-scale scenario supports a maximum of 128 servers to provide

5568 vCPU, 12984 GB memory, 1022.32 TB storage, and offer cloud host and VPC services.

The large-scale scenario network consists of the access layer and core layer. The access

switches are a pair of CE6850s stacking to provide access for 48 servers and provide a pair of

40GE uplink ports to connect to the core switches. The core switches are a pair of CE12804s.

A pair of E8000E-X8 firewalls are used to provide vFW service and other security features.



IDC Solution




88


Table 5-2 Device configuration in a FusionStorage large-scale scenario


Device Type


Computing and

storage devices

RH2288

H server

MCNA:

CPU: E5-2695

Memory: 128 GB

Hard disk: two 600 GB

SAS disks, twelve 2 TB

SATA disks, and one 800 GB SSD card

RAID card: SR120 SAS/SATA RAID card

NIC: two 10GE NICs

2 Computing

storage resource pool

LCNA:

CPU: E5-2695

Memory: 128 GB





NIC: two 10GE NICs

3

SCNA:

CPU: E5-2695

Memory: 128 GB





NIC: two 10GE NICs

123

RH2288

server

CSB:

CPU: E5-2650

Memory: 128 GB


NIC: GE NIC

2 Deploys the

CSB database.

IDC Solution




89


Device Type


IPSAN

S5500T

Cache: 8 GB

Hard disk: five 600 GB

SAS disks

1

RH2288

server

RH2288:


Memory: 32 GB

Hard disk: three 300 GB

SAS disks (2.5)

LOM: four GE LOMs

NIC: one 4 x GE NIC

RAID card:

SR320BC+BBU

PS: two 750 W PSs

1 Deploys the

eSight.

Network Manage

ment

access switch.

3328 4 Supports server

BMC and other

device

management

access.

Access

switch

One CE6850, which

provides forty 10GE optical

modules and one 40GE optical modules

2

Core switch

One CE12804, which

provides one 24-port 40GE

optical interface board, four

40GE optical modules, and

one 48-port GE interface

board

2

Firewall One E1000E-X5,

which provides two LPUF40

interface boards, four 10GE

interface subcards, and one

80 G X8&X16 firework

service board

2

Virtualization

software

FusionS

phere

V100R003C10 platinum

edition

256

Distributed

storage software

FusionSt

orage

Virtualization edition (per

TB), which includes

one-year exclusive upgrade service

3072

O&M system

software

CSB V100R001C20 1

IDC Solution




90


Device Type


O&M

management software

Manage

One

OC 1

eSight 1

5.3 Reference Model for the Rack Server + SAN Scenario

5.3.1 Networking

Figure 5-3 Networking in the rack server + SAN scenario

Service GE 10GE

Resource pool capabilities: 366 vCPU, 1107 GB memory, 89.4 TB storage

Management GE Storage GE

…….

Internet

32*RH2288H V2

O&M Network

……

CSS

10GE

FW E8000E-X5

10GE

FW E8000E-X5

CSS

CE5850CE5850

CE6850

...

……

CSSCE5850CE5850

S5500T

The reference model for the RH2288 + SAN scenario supports a maximum of 32 servers to

provide 366 vCPU, 1107 GB memory, 89.4 TB storage, and offer cloud host and VPC

services.

IDC Solution




91

The RH2288 + SAN scenario network consists of the access layer and core layer. The access

layer supports the access of the management plane, server plane, and storage plane. These

three planes are isolated from one to another. The access layer uses a pair of CE6850 switches

to provide two 48GE accesses and a pair of 10GE ports to connect to the core layer. The core

layer uses a pair of CE6850 switches. Each CE6850 provides forty-eight 10GE ports to

support the uplink access and SAN access.





Table 5-3 Device configuration in the rack server + SAN scenario

Device

Classification Device

Type Configuration Quantity Remarks

Computing

resource

RH2288

H server

CPU: E5-2695

Memory: 128 GB


NIC: three double-port GE

NICs

32 Computing

resource pool

RH2288

server

CSB:

CPU: E5-2650

Memory: 128 GB


SAS disks

NIC: double-port GE NIC

2 Deploys the

CSB database.

RH2288

server

RH2288:


Memory: 32 GB

Hard disk: three 300 GB

SAS disks (2.5)

LOM: four GE LOMs

NIC: one 4 x GE NIC

RAID card:

SR320BC+BBU

PS: two 750 W PSs

1 Deploys the

eSight.

IDC Solution




92


Device Type


Storage

resource

OceanSt

or S5500T

Cache: 16 GB

Enclosure: one controller

enclosure and three disk enclosures

Hard disk: seventy-two 600 GB SAS disks

2 Provides

storage resources.

OceanSt

or S5500T

Cache: 16 GB

Enclosure: one controller

enclosure and two disk enclosures

Hard disk: seventy-two 600

GB SAS disks

6

Network Server

access switch

One 5850, which provides one

48GE port and two 10GE

optical ports and optical modules

8 Accesses

server

services,

management,

and storage.

Core

switch

One CE6850, which provides

twenty-four 10GE optical modules

2 Converges

services,

management, and storage.

Firewall E1000E-X5 2

Virtualization

software

FusionS

phere

V100R003C10 platinum

edition

64

O&M system

software

CSB V100R001C20 1

O&M

management

software

Manage

One

OC 1

eSight 1

IDC Solution




93

5.4 Reference Model for the Blade Server + SAN Scenario

5.4.1 Networking

Figure 5-4 Networking in the blade server + SAN scenario

10GE

Resource pool capabilities: 484 vCPU, 1180 GB memory, 117 TB storage

Management GE

…….

Internet

E9000 blade server

CH121 blade

2*E9000 enclosures

32*CH121 blades

O&M Network

10GE

FW E8000E-X5

10GE

FW E8000E-X5

CSS

CE6850

S5500T

E9000 blade server

CH121 blade

The reference model for the E9000 + SAN scenario supports a maximum of 32 servers to

provide 484 vCPU, 1180 GB memory, 117 TB storage, and offer cloud host and VPC

services.

Externally, the access layer and core layer in the E9000 + SAN scenario are integrated. The

switching modules of the server subracks support the access capability of server blades. The

core layer uses a pair of CE6850 switches to support the uplink access and the SAN access.





IDC Solution




94

A Acronyms and Abbreviations

ACL access control list

ASPF application specific packet filter

CIFS common Internet file system

CLI command-line interface

CSB Cloud Service Brokerage

CSS cluster switch system

DHCP Dynamic Host Configuration Protocol

DMZ demilitarized zone

EBS Elastic Block Storage

EIP elastic IP

ELB Elastic Load Balance

ICP Internet content provider

IDC Internet Data Center

ISM Integrated Storage Management

ISP Internet service provider

ISV independent software vendor

ITIL Information Technology Infrastructure Library

MPP Massively Parallel Processing

NAT Network Address Translation

NFS Network File System

RAID redundant array of independent disks

SAN storage area network

SAS serial attached SCSI

SATA Serial ATA

IDC Solution




95

SLA service level agreement

SSD solid-state drive

UDS Universal Distributed Storage

VFW virtual fire wall

VLAN virtual local area network

VM virtual machine

VNC Virtual Network Computing

VPC virtual private cloud

VPN virtual private network

VRF virtual routing and forwarding

v100r001c31 white paper - huawei/media/cnbg/downloads/product/it/en...opportunities and challenges...

Documents