320 likes | 332 Views
Learn about the networking architecture supporting LHC operations at BNL, including IP allocation, security limitations, future enhancements, and monitoring tools. Contact Scott Bradley or John Bigrow for more information.
E N D
Network Services LHC OPN Networking at BNL Summer 2006 Internet 2 Joint Techs John Bigrow July 18, 2006
Network Services • LHC Overview (very simple overview, I’m not a physicist) • LHC / Atlas Experiments Overview (The What) • The Physics Architecture (The Why) • Preliminary Network and Security Architecture (The How)
Network Services CERN Accelerator Ring Aerial View
Network Services Tier2 Center Tier2 Center Tier2 Center Tier2 Center Tier2 Center HPSS HPSS HPSS CERN:Outside Resource Ratio ~1:2Tier0:( Tier1):( Tier2) ~1:1:1 ~PByte/sec Online System <GBytes/sec ATLAS Experiment CERN ~5M SI2K >1 PB Disk Tape Robot Tier 0 +1 Castor ~10 Gbits/sec Tier 1 BNL: ~2M SI2K; 2PB Tape Robot IN2P3 Center INFN Center RAL Center HPSS 2.5 Gbps Tier 2 ~2.5 Gbps Tier 3 Tier 0: DAQ, reconstruction, archive Tier 1: Reconstruction, simulation, archive, mining and (large scale) analysis Tier 2+: Analysis, simulation Tier 3+: Interactive analysis Institute Institute Institute Institute 100 - 1000 Mbits/sec Physics data cache Tier 4 Workstations
Network Services The same host name for dual NIC dCache door is resolved to different IP addresses depending on which DNS is inquired. 130.199.185.0 130.199.48.0 … … 130.199.48.0
Network Services MAN LANCERN (?)NLRESnetGEANT, etc. Other connections BNL internal Other connections
Network Services • Network Security Limitations • Current firewall Architecture • 6 virtual 1 Gb/Sec EtherChannel to Catalyst backplane • Rated total throughput of 5 Gb/Sec • EtherChannel Overhead Loss • Single 1 Gb/Sec flow / interface • New Cisco ACE blade might address these limitations
Network Services • Network Security Limitations (Continued) • Current Router Architecture • Single Access Control List (ACL) / interface • 1 inbound and 1 outbound per interface • Default behavior Implicit deny • Policy route map for traffic flow • A single ACL can become unwieldy in a complex WAN environment (what are the network prefixes, DHCP, NAT) • Manual changes to the route map for additional access
Network Services • BNL LHC Overview cont. • Networking resources • IP Address space allocations / access • 10Gig interfaces / 20Gig Etherchannels • Performance Monitoring
Network Services • IP Address Allocation Tier 0 to Tier 1 (BNL - CERN) • Requires routable IP Address space • Direct dedicated access with CERN to / from BNL • Limited route advertisements between T0 and T1 • For the LHC OPN Circuit BNL will use 192.12.15.0/24 • No direct T1 to T1 access through CERN at this time
Network Services • BNL OPN to Tier 2 and others • Tier 2 and other traffic dependant on Internet connectivity • Path to BNL via all service providers (ES Net now, NYSERNET, Broadwing in the future ?) • Dedicated paths to other institutions welcome (you buy)
Network Services • Future BNL LHC OPN Enhancements • Dedicated Cisco Firewall Service Modules (ACE) when available • Eliminate router ACL Functionality / Maintenance • Connection Logging • Each FWSM circuit will not impede the 10 Gb/Sec. • Stateful FWSM redundancy • IDS / IPS when available
Network Services • Mon • browser-based IP service monitor • Internet-centric WAN based monitor application • Interrogates essential BNL network services
Network Services • MonaLisa • Java based SNMP monitoring tool • External WAN based monitor • Tracks BNL 10G/Sec. Interfaces • Firewall Service Module • 20 Gb/Sec. Uplinks to the BNL core
Network Services • Cacti • SNMP monitoring tool • Replacement for MRTG • Tracks most BNL core network interfaces • Firewall Service Module EtherChannel interfaces also
Network Services • Thanks (a few kind words to so many) • Thanks to the many individuals and groups who have donated their time, code, and talents to make the Internet what it is today. Without their efforts, this infrastructure we take for granted would not exist. We owe many our gratitude.
Questions/Comments Network Services ???
BNL Points of Contact Network Services • Scott Bradley, Manager of Network Services • 631.344.5745, bradley@bnl.gov • John Bigrow, Senior Network Architect • 631.344.2648, big@bnl.gov