Science DMZ
Download as PPTX, PDF1 like1,257 views
This document discusses the concept of a Science DMZ, which consists of three key components: 1) a dedicated "friction-free" network path with high-performance networking devices located near the site perimeter to facilitate science data transfer, 2) dedicated high-performance data transfer nodes optimized for data transfer tools, and 3) a performance measurement/test node. It contrasts this approach with the typical ad-hoc deployment of a data transfer node wherever space allows, which often fails to provide necessary performance. Details of an example Science DMZ deployment at Lawrence Berkeley National Laboratory are provided.
Science DMZ
- 1. Science DMZ DrAlan Buxey, Loughborough University, Campus network engineering workshop 19/10/2016 1
- 2. “Science DMZ” Or “exo-perimeter safe-harboured segmented network architecture facilitating science and research data transfer and access” JISC e2e event, 19th Oct 2016 Dr Alan Buxey Loughborough University
- 3. Science DMZ • An overview of the concept • In one slide! • Versus the typical ‘ad-hoc’ deployment • Deployment…and onwards....
- 4. Consists of three key components, all required: • “Friction free” network path – Highly capable network devices (wire-speed, deep queues) – Virtual circuit connectivity option – Security policy and enforcement specific to science workflows – Located at or near site perimeter if possible • Dedicated, high-performance Data Transfer Nodes (DTNs) – Hardware, operating system, libraries all optimized for transfer – Includes optimized data transfer tools such as Globus Online and GridFTP • Performance measurement/test node – perfSONAR Did we say *3* components? • Engagement with end users Details at http://fasterdata.es.net/science-dmz/ The Science DMZ* in 1 Slide * Science DMZ is a trademark of The Energy Sciences Network (ESnet)
- 5. Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science Ad Hoc DTN Deployment If present, perfSONAR is at the border • This is a good start • Need a second one next to the DTN Entire LAN path has to be sized for data flows Entire LAN path is part of any troubleshooting exercise This usually fails to provide the necessary performance. 15 – ESnet Science Engagement (engage@es.net) - 1/27/14 10GE10G Site Border Router WAN Buildingor Wiring Closet Switch/Router Perimeter Firewall Site/ Campus LAN Highperformance DataTransfer Node withhigh-speedstorage Globalsecuritypolicy mixesrulesforscience andbusinesstraffic DTNtrafficsubjecttofirewall limitations perfSONAR Testandmeasurement notalignedwithdata resourceplacement DTNtrafficsubjecttolimitationsof general-purposenetworking equipment/config Note:Siteborder routerandperimeter firewallareoftenthe samedevice Conflictingrequirements resultinperformance compromises This is often what gets tried first Data transfer node deployed where the owner has space • This is often the easiest thing to do at the time • Straightforward to turn on, hard to achieve performance
- 6. Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science A better approach: simple Science DMZ 10GE 10GE 10GE 10GE 10G Border Router WAN Science DMZ Switch/Router Enterprise Border Router/Firewall Site / Campus LAN High performance Data Transfer Node with high-speed storage Per-service security policy control points Clean, High-bandwidth WAN path Site / Campus access to Science DMZ resources perfSONAR perfSONAR perfSONAR
- 7. Familiar? • Presented at JISC e2e performance initiative event in 2015 • Presented at Networkshop 44 • Presented at TNC2016 Getting the concept and message out there
- 8. Who/what/where? • DTN / HPC • Have requirements for 10Gbit data transfer • Access/control now self-contained • SDN experiments • Out of the way, isolated from inside production • IPv6 experiments • ditto
- 9. Cost/benefits 10G firewalls (Palo Alto) – campus traffic already using that budget (e.g. students) “We need to transfer data….need 10Gbit...” $$$$$$ for bigger firewalls, ‘small change’ for suitable 10G (and higher!) switches
- 10. Start small, build the environment • Basic small L2/L3 switch e.g. catalyst 3750 • Route statically from the external • (then find out about buffers, QoS limitations etc ;-) ) • Measurement tools e.g. PerfSONAR • Be ready to see difference • Inside/outside (can use to e.g. verify firewall) • Engage with local community, propose idea • Trust!
- 11. Looks like… (Nexus 9372PX-E) Image during staging. 2x10G to border, 2x10G to HPC, 2x10G VCP, 1G keepalive/heartbeat (40G optics not in use at this stage), long loopy fibres due to flexibility ;-)
- 12. PerfSONAR MadDash (small nodes) IPv4 throughput IPv6 throughput
- 13. eduPERT A small amount of packet loss makes a HUGE difference in TCP performance
- 15. Inspiring Winners Since 1909 Thank you! Alan Buxey a.l.m.buxey@lboro.ac.uk
Editor's Notes
- #15: ACI (application centric infrastructure) Native VxLAN, netflow in ACI mode (next year)… NXOS supports Puppet, Chef, and Ansible, Python, POAP (power on autoprovisioning) etc etc 10/25 40/100 , using Cisco silicon "Superbowl” ASIC and not previous merchant silicon (was Broadcom Trident not Tomahawk)