Network Services. BNL USATLAS Tier 1 / Tier 2 Meeting, John Bigrow, December 14, 2005. Topics: BNL LHC Overview; Preliminary Network and Security Architecture; IP Address space allocations; Performance Monitoring.
Network Services
BNL USATLAS Tier 1 / Tier 2 Meeting
John Bigrow, December 14, 2005
Network Services
• BNL LHC Overview
• Preliminary Network and Security Architecture
• IP Address space allocations
• Performance Monitoring
Network Services
• Network Security Limitations
• Current firewall architecture
  • 6 virtual 1 Gb/sec EtherChannels to the backplane
  • Rated total throughput of 5 Gb/sec
  • EtherChannel overhead loss
  • Single 1 Gb/sec flow per interface
Network Services
• Network Security Limitations (continued)
• Current router architecture
  • Single Access Control List (ACL) per interface
  • 1 inbound and 1 outbound
  • Default behavior: implicit deny
  • A single ACL can become unwieldy in a complex WAN environment
Network Services
• Network Security Limitations (continued)
  …
  access-list 109 deny ip host 81.12.96.78 any
  access-list 109 remark Block IPs per ticket 160,729 1 Month 12/8
  access-list 109 deny ip host 219.105.44.115 any
  access-list 109 deny ip host 217.199.177.208 any
  access-list 109 deny ip host 202.108.13.91 any
  access-list 109 deny ip host 210.219.231.2 any
  access-list 109 remark ********************* Allow *************************
  access-list 109 remark permit all before implicit deny
  access-list 109 permit ip any any
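The maintenance problem behind the "a single ACL can become unwieldy" point, as an added example that is not part of the original slides: a small Python auditor for the numbered access-list syntax shown above, which flags entries that can never match because they sit after `permit ip any any` and host denies that appear more than once. The sample ACL is constructed here with RFC 5737 documentation addresses and a placeholder ticket number, not taken from the BNL router.

```python
"""Audit a Cisco-style numbered ACL excerpt for maintenance problems.

Added example: parses 'access-list N permit|deny|remark ...' lines, then
reports shadowed entries (after 'permit ip any any') and duplicate host denies.
"""
import re
from collections import Counter

ACL_LINE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<kind>permit|deny|remark)\s+(?P<rest>.*)$"
)

# Constructed sample: RFC 5737 documentation addresses, placeholder ticket id.
SAMPLE_ACL = """\
access-list 109 remark Block IPs per ticket TICKET-PLACEHOLDER 1 Month
access-list 109 deny ip host 192.0.2.10 any
access-list 109 deny ip host 198.51.100.7 any
access-list 109 deny ip host 192.0.2.10 any
access-list 109 remark permit all before implicit deny
access-list 109 permit ip any any
access-list 109 deny ip host 203.0.113.5 any
"""

def parse_acl(text):
    """Return (line_no, kind, tokens) for each permit/deny entry; remarks are skipped."""
    entries = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = ACL_LINE.match(line.strip())
        if m and m.group("kind") != "remark":
            entries.append((line_no, m.group("kind"), m.group("rest").split()))
    return entries

def audit_acl(text):
    """Summarise entry count, unreachable lines, duplicate host denies, and permit-all presence."""
    entries = parse_acl(text)
    shadowed, has_permit_all = [], False
    hosts = Counter()
    for line_no, kind, rest in entries:
        if has_permit_all:
            shadowed.append(line_no)  # anything after 'permit ip any any' never matches
        if kind == "permit" and rest == ["ip", "any", "any"]:
            has_permit_all = True
        if kind == "deny" and rest[:2] == ["ip", "host"]:
            hosts[rest[2]] += 1
    duplicates = sorted(h for h, n in hosts.items() if n > 1)
    return {"entries": len(entries), "shadowed_lines": shadowed,
            "duplicate_hosts": duplicates, "has_permit_all": has_permit_all}

if __name__ == "__main__":
    print(audit_acl(SAMPLE_ACL))
```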
Network Services
• IP Address Allocation: Tier 0 to Tier 1 (BNL - CERN)
  • Requires routable IP address space
  • Direct BGP peering with CERN to/from BNL
  • Limited route advertisements between T0 and T1
  • For the LHC OPN circuit BNL will use 192.12.15.0/24
Network Services
• IP Address Allocation: Tier 1 to Tier X (BNL - Internet)
  • Requires routable IP address space
  • Direct BGP peering with ESnet from BNL
  • Full Internet route advertisements
  • ESnet CIDR IP address space
  • For the Internet circuit BNL will use 198.124.220.0/24
  • 3 additional class C networks available
Network Services
• IP Address Allocation: Tier 1 to Tier X (continued)
  • DNS fully qualified domain hostname
  • Accessible ONLY from ESnet
  • No other path to get to BNL for LHC / ATLAS
Network Services
• Future BNL LHC OPN Enhancements
  • Dedicated Cisco Firewall Service Modules (FWSM) when available
  • Eliminate router ACL functionality / maintenance
  • Connection logging
  • Each FWSM circuit will not impede the 10 Gb/sec
  • Stateful FWSM redundancy
  • IDS / IPS when available
Network Services
• Mon
  • Browser-based IP service monitor
  • Internet-centric, WAN-based monitoring application
  • Interrogates essential BNL network services
Network Services
• MonaLisa
  • Java-based SNMP monitoring tool
  • External WAN-based monitor
  • Tracks BNL EtherChannel OC-48
  • Firewall Service Module
  • 10 Gb/sec uplink to the BNL core
Network Services
• Summary
  • Tier 2 traffic dependent on Internet connectivity
  • Path to BNL via ESnet only
  • Initial router ACL based access to BNL
  • BNL provides DNS hostname for Internet resolution
Network Services
Questions / Comments?
Network Services
BNL Points of Contact
• Scott Bradley, Manager of Network Services: 631.344.5745, bradley@bnl.gov
• John Bigrow, Senior Network Architect: 631.344.2648, big@bnl.gov