
UNM RESEARCH NETWORKS

Steve Perry

CCNP, CCDP, CCNP-V, CCNP-S, CCNP-SP, CCAI, CMNA, CNSS 4013

Director of Networks

Overview

• Why Research Specific Networks?

• Production Network/ScienceDMZ Design Basics

• ScienceDMZ Components

• UNM CCIIE Grant/Researchers Requirements

• UNM Design

Possibilities??

Design Considerations

1. Type of R&E traffic: TCP-based, microburst traffic that can quickly consume the entire available bandwidth

a. Subject to TCP global synchronization

2. TCP traffic needs deep buffers on ports when congestion occurs.

3. No commercially available security devices can sit in-path at line-rate processing speed

4. 100 Gbps backbone across continental US

5. The general rule of thumb is that you need 50ms of line-rate output queue buffer for a 10G port, so there should be around 60MB of buffer.
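The rule of thumb in item 5 is a bandwidth-delay product (50 ms of traffic at line rate). The following added example, not part of the slides, applies it across port speeds up to the 100G backbone mentioned in item 4 and flags ports whose dedicated buffer falls short; the switch and its 64 MB per-port buffer are constructed placeholders.

```python
# Added example, not from the slides: applies the deck's rule of thumb
# (50 ms of line-rate output-queue buffer per port) to a planned switch.
# The switch and its per-port buffer figure are constructed placeholders.

RULE_OF_THUMB_MS = 50.0  # the deck's figure; buffer = bandwidth x delay


def required_buffer_bytes(port_gbps: float, delay_ms: float = RULE_OF_THUMB_MS) -> int:
    """Bytes needed to hold `delay_ms` of traffic at line rate on a `port_gbps` port.

    1 Gbps for 1 ms is 1e6 bits, so 10 Gbps * 50 ms = 500 Mbit = 62.5 MB,
    which is the deck's "around 60MB" for a 10G port.
    """
    bits = port_gbps * delay_ms * 1e6
    return int(bits / 8)


def undersized_ports(port_gbps_by_name: dict, per_port_buffer_bytes: int,
                     delay_ms: float = RULE_OF_THUMB_MS) -> dict:
    """Return {port_name: (required_bytes, shortfall_bytes)} for every port whose
    dedicated buffer is smaller than the rule of thumb requires."""
    result = {}
    for name, gbps in port_gbps_by_name.items():
        need = required_buffer_bytes(gbps, delay_ms)
        if need > per_port_buffer_bytes:
            result[name] = (need, need - per_port_buffer_bytes)
    return result


if __name__ == "__main__":
    # Constructed: a hypothetical switch with 64 MB of buffer per port,
    # DTN-facing 10G ports and 40G/100G uplinks toward the WAN.
    ports = {"eth1/1 (DTN)": 10, "eth1/2 (DTN)": 10,
             "eth1/49 (uplink)": 40, "eth1/50 (WAN)": 100}
    for name, (need, short) in undersized_ports(ports, 64_000_000).items():
        print(f"{name}: needs {need / 1e6:.1f} MB, short by {short / 1e6:.1f} MB")
```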

Research Network: Science DMZ

• A network optimized for business is not designed for, or capable of, supporting data intensive science.

• Universities will always need to support security features that protect organizational financial and personnel data.

• Solution: create a separate data-intensive science network, external to the university enterprise network

• Design formalized by ESnet, based on the traditional network DMZ paradigm

Basic Science DMZ

• Science DMZ: (1) dedicated access to a high-performance WAN, (2) high-performance switching infrastructure (large buffer memory), (3) dedicated data transfer nodes

ScienceDMZ Components

• DTNs (Data Transfer Nodes; originator/responder)

  • High-capacity servers capable of wire-speed 10Gbps transfer

  • Globus GridFTP application tuned for large data transfers

• Large-buffer-capable switches to smooth TCP drops

  • Must have 60MB per port of buffer space

  • Must be SDN capable

• PerfSONAR measurement nodes at each location

• Bro IDS (IDS versus IPS, to minimize deep packet inspection)

• Open Daylight SDN Controller

• Supporting Staff

Managing by Measuring: perfSONAR

• Off campus / on campus

• Service tuning: dedicated perfSONAR

• Beyond UNM

• https://pas.net.internet2.edu/maddash-webui/

• http://ps-dashboard.es.net/

How To Secure it?

• Use Bro to monitor it out of line

  • IDS, not an IPS

  • Requires full understanding of Bro libraries and expertise in application stacks

• Router ACL or SDN policy on key switches for traffic engineering

• IPTables at the boxes

CC*IIE Grant

• NSF Grant awarded to UNM

• Collaborative amongst researchers/IT

• Initial funding to build out the basic network

• Smaller regional schools up for grants this year

• Hope to apply for additional grants as available

UNM Design

Summary

• Why Research Specific Networks?

• Production Network/ScienceDMZ Design Basics

• ScienceDMZ Components

• UNM CCIIE Grant/Researchers Requirements

• UNM Design

Questions???
