20050719-Force10-Montano
Download
Report
Transcript 20050719-Force10-Montano
Resiliency
Joint Techs Workshop
July 19, 2005 - Vancouver, BC
Debbie Montano
Dir. of Research & Education Alliances
[email protected]
1
Copyright 2005, Force10 Networks, Inc
Agenda
Who is Force10?
Resiliency:
–
–
–
–
–
Reliability
Stability
Security
Fault Tolerance
High Availability
2
Copyright 2005, Force10 Networks, Inc
What is Force10 about?
Innovation
Leadership
– ASICs, Back Plane, 3-CPU architecture, hot-lock ACLs, ...
Simplicity
Lowering TCO
– Easier network designs, predictable performance, hotswap of components, DOS resilient, hitless failover, one
software train …
Reliability
Peace of mind
– Distributed forwarding, fault isolation, ECC protected
memory, modular software design, separation of control
and data plane, automated testing, …
3
Copyright 2005, Force10 Networks, Inc
Supporting the Community
Internet2 Partner
– I2 HOPI project
Supporting SC|05
– Scinet and Bandwidth Challenge
– Supported SCxy for many years
Supporting iGrid and other events
Engaging with the Quilt (more soon)
Many R&E customers around the globe:
– universities, energy sciences labs, supercomputing
centers, research networks, exchanges, regional
optical networks, gigaPOPs, etc., etc.
4
Copyright 2005, Force10 Networks, Inc
Force10 Networks, Inc
Leaders in 10 GbE Switching & Routing
Founded in 1999, Privately Held
First to ship line-rate 10 GbE switching &
routing
Pioneered new switch/router architecture
providing best-in-class resiliency and
density, simplifying network topologies
Customer base spans academic/research,
data center, enterprise and service provider
Fastest growing 10 GbE vendor
April 2005: TeraScale E300 switch/router
named winner of the Networking
Infrastructure category for eWEEK's Fifth
Annual Excellence Awards program.
5
Copyright 2005, Force10 Networks, Inc
Force10 Participation
Internet2 HOPI Project
HOPI - Hybrid Optical
Packet Infrastructure
Fundamental Questions:
How will the core Internet
architecture evolve?
What should the next
generation Internet2
network infrastructure be?
Internet2 Corporate Partner &
HOPI project partner
Providing five E600
switch/routers, being deployed
in Los Angeles, DC, Chicago,
Seattle & New York
Examining a hybrid of
shared IP packet switching
and dynamically
provisioned optical lambdas
Modeling scaleable nextgeneration networks
6
Copyright 2005, Force10 Networks, Inc
Internet2 HOPI Project
7
Copyright 2005, Force10 Networks, Inc
Hybrid Optical Packet
Infrastructure (HOPI) Node
NLR 10 GigE
Lambda
NLR Optical
Terminal
NLR Optical
Terminal
OPTICAL
Force10 E600
Switch/Router
Regional
Optical
Network (RON)
Optical
Cross
Connect
Control
Measurement
Support
OOB
HOPI Node
PACKET
10 GigE Backbone
Abilene
Network
Abilene
Network
Abilene core router
GigaPOP
8
Copyright 2005, Force10 Networks, Inc
GigaPOP
Force10 Firsts…
First
Line-Rate
10 GbE
Mid-Size
System
Shipped
E600
First
Line-Rate
10 GbE
System
Shipped
E1200
First
Line-Rate
10 GbE
CompactSize
First
Public Zero System
Packet Loss Shipped
E300
Hitless
Failover
Demo
First
Line-Rate
336 GbE
Ports
Demo
Jan
9 2002
Apr
2002
Oct
2002
Copyright 2005, Force10 Networks, Inc
Nov
2003
Nov
2003
First
Line-Rate
672 GbE /
56 – 10
GbE Ports
First
48 GbE x
10 GbE
Purpose
Built
Data Center
Switch
April
2005
March
2005
Sept
2004
First
>1200 GbE
Ports
Per Chassis
TeraScale E-Series
Chassis-based 10 GbE Switch/Router Family
E1200
E600
E300
Capacity
1.68 Tbps,
1 Bpps
900 Gbps,
500 Mpps
400 Gbps,
196 Mpps
Size
21 Rack Units
2 Units/Rack
16 Rack Units
3 Units/Rack
8 Rack Units
6 Units/Rack
Slots
14 Line Cards
7 Line Cards
6 Line Cards
Line
cards
10GE
1 GbE SFP
1 GbE 10/100/1000
10GE
1 GbE SFP
1 GbE 10/100/1000
10GE
1 GbE SFP
1 GbE 10/100/1000
10
Copyright 2005, Force10 Networks, Inc
TeraScale E-Series
Chassis-based 10 GbE Switch/Router Family
High-Density
GigE Ports
Line-Rate
GigE Ports
Line-Rate
10 GigE Ports
E1200
E600
E300
1260
630
288
672
336
132
56
28
12
Highest Density GigE and 10 GigE
11
Copyright 2005, Force10 Networks, Inc
Force10 S50 Switch
Designed for High Performance Data Centers
Performance & capacity to
scale
FRONT VIEW
– Switching capacity of
192 Gbps, 20% more than
competitive switches
– Stack up to eight S50s in a
virtual switch to
simplify management
REAR VIEW
Core-like resiliency
– Resiliency feature protects
against stack breaks
– Advanced link aggregation
features
12
Copyright 2005, Force10 Networks, Inc
AC Power
Supply inlet
2 Stacking
Ports
2x10GbE
Redundant
XFP Module
Power Supply
Connector Slot
Top 500: Force10 List June 2005
2005
Customer
2005
Customer
5
Barcelona Supercomputing Center (BSC)
108
SDSC TeraGrid
20
NCSA - Tungsten
129
UT SimCenter at Chattanooga
24
European Centre for Medium-Range Weather Forecasts
168
Grid Technology Research Center, AIST
25
European Centre for Medium-Range Weather Forecasts
135
Petroleum Geo Services (PGS)
38
NCSA Teragrid
200
SUNY at Buffalo
46
Grid Technology Research Center, AIST
203
Grid Technology Research Center, AIST
47
NCSA - Tungsten2
300
Veritas DGC
53
Brigham Young University - Marylou4
326
Cornell Theory Center
54
University of Oklahoma - Topdawg
449
University of Liverpool
58
Argonne National Labs
499
Doshisha University
63
San Diego Supercomputing Center
74
TACC / Texas Advanced Computing Center
94
Petroleum Geo Services (PGS)
13
Copyright 2005, Force10 Networks, Inc
• Force10 has 23 in the Top 500 list
• 5 more than last year
Top 500: Interconnect of Choice
Type
2004
2005
Ethernet
35.2%
42.4%
Myrinet
38.6%
28.2%
SP Switch
9.2%
9.0%
NUM Alink
3.4%
4.2%
Crossbar
4.6%
4.2%
3.4%
Proprietary
Infiniband
2.2%
3.2%
Quadrics
4.0%
2.6%
Other
2.8%
2.8%
-
14
• Ethernet is the only inter-connect technology that has made substantial gains
• Myrinet is down by over 10%
• Infiniband has negligible gains
Copyright 2005, Force10 Networks, Inc
Resiliency
What is it?
– Ability to recover readily, bounce back
– Fault Tolerant
– Self Healing
Why should you care?
–
–
–
–
Lots of things attack and stress your switches/routers
Some malicious & some not, many outside your control
Need your network to continue running smoothly
Reliability & Security
How does one achieve resiliency?
– Stay tuned…
15
Copyright 2005, Force10 Networks, Inc
Route Processor Module – 3 CPUs
16
Copyright 2005, Force10 Networks, Inc
RPM: 3 CPUs – Resiliency
Router Processor Module (RPM)
– Handles all route & control processing
– Optional Redundant RPM
3 independent CPUs per RPM
–
–
–
–
1 for: Switching (Layer 2) processes
1 for: Routing (Layer 3) processes
1 for: Local control & management
Process isolation with memory protection
Won’t have to reboot for:
– Spanning tree loops creating Layer 2 MAC address floods
– Route flaps
– Distributed Denial of Services (DDoS) attacks
17
Copyright 2005, Force10 Networks, Inc
Control Packet Rate Limiting
Denial of Service (DoS) attacks
– Malicious attack designed to bring network to its knees
– Flood system with useless traffic designed as control
plane packets
– Target control plane CPU – can overwhelm any CPU
– Problem worse with 10 GigE links – more traffic!
Force10 Defense
–
–
–
–
Rate limit traffic to control plane CPUs
Queue & prioritize control plane messages
Throttle control plane when CPU utilization > 85%
With Access Control Lists (ACLs), can rate limit only
specific traffic types, e.g. ICMP.
– Ensure critical control messages get through
18
Copyright 2005, Force10 Networks, Inc
ACLs Applied to Control Packets
Access Control Lists
(ACLs)
– Extensive ACLs can be
applied to incoming
control packets
– Line Rate ACLs
– No additional Latency –
helps reduce overall route
table convergence time
Fine Tune Packet
Classification &
Control Mechanisms
19
Copyright 2005, Force10 Networks, Inc
Scalable Security
ACL Security
Filters Per
Chassis
Source
Force10 E1200 Switch/Router
1+ Million
Tolly Verified
Extreme BD 10K
128k
Extreme Web site
Force10 E600 Switch/Router
500+k
Based on Tolly
Foundry MG8 / 40G
40k
Foundry Web site
Cisco Catalyst Sup720 / 6509
288k
Cisco Web site
Force10 E300 Switch/Router
240+k
Based on Tolly
Product
Size
1 Rack
1/2 Rack
CRS-1 Core Router
Juniper T640 Core Router
1/3 Rack
1/6 Rack
20
Copyright 2005, Force10 Networks, Inc
Hot-Lock ACL Technology
TM
Must update Access Control Lists (ACLs)
frequently
– For comprehensive security
– To prevent newly discovered or pending attacks
If the ACL updates open the gates, intruders
with sophisticated port scanning technologies
can enter your network while the security
holes are open
Millions of packets could pass unchecked into
you network.
21
Copyright 2005, Force10 Networks, Inc
2-Step ACL Update
Competing vendors use 2-step ACL update procedure
– Creates security hole during the update
– Higher speed interfaces, greater the risk
22
Copyright 2005, Force10 Networks, Inc
1-Step ACL Update
Force10 uses 1-step ACL update
– Hot-Lock avoids removing ACL from the interface prior to
ACL modification action
– No security hole during ACL updates
– No disruption of traffic during ACL updates
23
Copyright 2005, Force10 Networks, Inc
Tolly Tested
Hitless Route Processor
Module (RPM) Failover
–
–
–
–
From working to redundant RPM
E1200, 56 x 10 GigE ports
Snake confirguration
Throughput tests at various
frame sizes (64, 1518 & 9252
bytes)
– Issued “redundant force-fail
RPM” 1 minute into tests
– Line Rate Throughput, Zero
Frame Loss, at any frame size
24
Copyright 2005, Force10 Networks, Inc
Hitless Technology
Claims Hitless Layer 2 and Layer 3 failover.
No public demo with line rate traffic and Zero packet loss
Claims Hitless Layer 2 and Layer 3 failover
No switch fabric redundancy. Switch fabric and
Management module combined in one card. Cannot
claim zero-packet loss for line rate all ports failover.
Claims Hitless Layer 2 and Layer 3 failover.
Reboots linecards during management card failover. No
switch fabric redundancy.
Hitless Layer 2 and Layer 3 failover
ZERO packet loss hitless failover of Route Processor
module demonstrated in a public show (SC2003) with
layer 2 and layer 3 (BGP, OSPF) traffic.
25
Copyright 2005, Force10 Networks, Inc
Tolly Tested
Hitless Switch Fabric Module (SFM) Failover
– Supports 100% of line-rate zero-loss throughput when tested across 56
10-Gigabit Ethernet ports during a Switch Fabric Module failover, while
passing over 1 Terabits per second of traffic.
– Recovers from link outages in less than 2 milliseconds with a single
Layer 2 flow, and less than 1 millisecond with 16 million Layer 3 flows,
both well below the failover time usually reserved for SONTET/SDH
links.
– Maintains all BGP, OSPF and Telnet sessions even when hammered by
a multiheaded Denial of Service attack.
– Relies upon QoS facilities to ensure voice, video and data traffic types
are handled according to policy parameters and with respect to latency
sensitivity.
26
Copyright 2005, Force10 Networks, Inc
Debbie Montano
Director of Research & Education Alliances
[email protected]
Thank You
www.force10networks.com
27
Copyright 2005, Force10 Networks, Inc