BNL LHC Networking Overview: Services & Security Insights

Learn about the networking architecture supporting LHC operations at BNL, including IP allocation, security limitations, future enhancements, and monitoring tools. Contact Scott Bradley or John Bigrow for more information.


Presentation Transcript


  1. Network Services
  LHC OPN Networking at BNL
  Summer 2006 Internet2 Joint Techs
  John Bigrow, July 18, 2006

  2. Network Services
  • LHC Overview (very simple overview, I’m not a physicist)
  • LHC / ATLAS Experiments Overview (The What)
  • The Physics Architecture (The Why)
  • Preliminary Network and Security Architecture (The How)

  3. CERN Accelerator Ring Aerial View (image)

  5. ATLAS Experiment tiered computing model (diagram)
  • Online System: ~PByte/sec; <GBytes/sec into Tier 0
  • Tier 0 +1 (CERN): ~5M SI2K, >1 PB Disk, Tape Robot, Castor; DAQ, reconstruction, archive
  • Tier 1 (BNL: ~2M SI2K, 2PB Tape Robot; IN2P3 Center, INFN Center, RAL Center; HPSS): reconstruction, simulation, archive, mining and (large scale) analysis
  • Tier 2+ (Tier2 Centers): analysis, simulation
  • Tier 3+ (Institutes): interactive analysis
  • Tier 4: workstations, physics data cache
  • Link rates: ~10 Gbits/sec (Tier 0 to Tier 1), 2.5 Gbps / ~2.5 Gbps (Tier 2), 100 - 1000 Mbits/sec (Institutes)
  • CERN:Outside Resource Ratio ~1:2; Tier0:(Tier1):(Tier2) ~1:1:1

  6. Network Services
  The same host name for a dual-NIC dCache door resolves to different IP addresses depending on which DNS server is queried. (Diagram labels: 130.199.185.0, 130.199.48.0 … … 130.199.48.0)

  9. External connectivity (diagram labels): MAN LAN; CERN (?); NLR, ESnet, GEANT, etc.; Other connections; BNL internal; Other connections

  11. Network Security Limitations
  • Current firewall architecture
  • 6 virtual 1 Gb/Sec EtherChannel to Catalyst backplane
  • Rated total throughput of 5 Gb/Sec
  • EtherChannel overhead loss
  • Single 1 Gb/Sec flow / interface
  • New Cisco ACE blade might address these limitations

  12. Network Security Limitations (Continued)
  • Current router architecture
  • Single Access Control List (ACL) / interface
  • 1 inbound and 1 outbound per interface
  • Default behavior: implicit deny
  • Policy route map for traffic flow
  • A single ACL can become unwieldy in a complex WAN environment (what are the network prefixes, DHCP, NAT)
  • Manual changes to the route map for additional access

  13. BNL LHC Overview cont.
  • Networking resources
  • IP address space allocations / access
  • 10Gig interfaces / 20Gig EtherChannels
  • Performance monitoring

  14. IP Address Allocation Tier 0 to Tier 1 (BNL - CERN)
  • Requires routable IP address space
  • Direct dedicated access with CERN to / from BNL
  • Limited route advertisements between T0 and T1
  • For the LHC OPN circuit BNL will use 192.12.15.0/24
  • No direct T1 to T1 access through CERN at this time
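As an added illustration of the slide-12 point (one ordered ACL per interface, first match wins, implicit deny at the end, and hand-maintained lists that grow unwieldy), here is a small Python model of such an ACL that evaluates sample flows and flags entries shadowed by earlier ones; this is example code, not BNL's configuration. The BNL OPN prefix 192.12.15.0/24 and the 130.199.48.0 network come from the slides; the CERN prefix, the /24 mask on the internal network, the service port and the flows are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "ip" (any), "tcp" or "udp"
    src: str                # source prefix, CIDR
    dst: str                # destination prefix, CIDR
    dport: Optional[int] = None   # None means any destination port

    def matches(self, proto, src_ip, dst_ip, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))

def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """First matching entry decides; no match falls through to the implicit deny."""
    for idx, ace in enumerate(acl):
        if ace.matches(proto, src_ip, dst_ip, dport):
            return ace.action, idx
    return "deny", None          # the implicit deny at the end of every ACL

def shadowed_entries(acl):
    """Indices of entries that can never match because an earlier entry already
    covers their protocol, port and both prefixes; these pile up in hand-edited lists."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier.proto in ("ip", later.proto)
                    and earlier.dport in (None, later.dport)
                    and ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
                    and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))):
                out.append(j)
                break
    return out

CERN_OPN = "192.0.2.0/24"         # placeholder: CERN's T0 prefix is not on the slides
BNL_OPN = "192.12.15.0/24"        # slide 14: BNL's LHC OPN prefix
BNL_INTERNAL = "130.199.48.0/24"  # slide 6 network; /24 mask assumed
INBOUND_ACL = [                   # constructed example list for the OPN-facing interface
    Ace("permit", "tcp", CERN_OPN, BNL_OPN, 2811),   # one service port (constructed)
    Ace("deny", "ip", "0.0.0.0/0", BNL_INTERNAL),    # OPN traffic must not reach internal net
    Ace("permit", "ip", CERN_OPN, BNL_OPN),
    Ace("permit", "tcp", CERN_OPN, BNL_OPN, 2811),   # later duplicate: shadowed by entry 0
]
```

Running `shadowed_entries` over a real exported list is a cheap audit for the dead entries that accumulate when one ACL per interface is edited by hand.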

  15. BNL OPN to Tier 2 and others
  • Tier 2 and other traffic dependent on Internet connectivity
  • Path to BNL via all service providers (ESnet now; NYSERNET, Broadwing in the future ?)
  • Dedicated paths to other institutions welcome (you buy)

  17. Future BNL LHC OPN Enhancements
  • Dedicated Cisco Firewall Service Modules (ACE) when available
  • Eliminate router ACL functionality / maintenance
  • Connection logging
  • Each FWSM circuit will not impede the 10 Gb/Sec.
  • Stateful FWSM redundancy
  • IDS / IPS when available

  19. Mon
  • Browser-based IP service monitor
  • Internet-centric, WAN-based monitor application
  • Interrogates essential BNL network services

  20. MonaLisa
  • Java-based SNMP monitoring tool
  • External WAN-based monitor
  • Tracks BNL 10G/Sec. interfaces
  • Firewall Service Module
  • 20 Gb/Sec. uplinks to the BNL core

  23. Cacti
  • SNMP monitoring tool
  • Replacement for MRTG
  • Tracks most BNL core network interfaces
  • Firewall Service Module EtherChannel interfaces also

  29. Thanks (a few kind words to so many)
  Thanks to the many individuals and groups who have donated their time, code, and talents to make the Internet what it is today. Without their efforts, this infrastructure we take for granted would not exist. We owe many our gratitude.

  30. Questions/Comments ???

  31. BNL Points of Contact
  • Scott Bradley, Manager of Network Services: 631.344.5745, bradley@bnl.gov
  • John Bigrow, Senior Network Architect: 631.344.2648, big@bnl.gov