BNL PDN Enhancements
Perimeter Load Balancers
- Scalable performance
- Fault tolerance
- Server maintainability
- User convenience
- Perimeter security
Cisco Content Sensitive Switches
- Dual Cisco units for fault tolerance
- Dual Cisco 4506 switches for proxies
- Rated at 40 GB/sec maximum throughput
- Virtualizes site perimeter services
- Extreme scalability and flexibility
- High availability and redundancy
Content Switches (cont.)
- ACL-based proxy service access (secure)
- Provides expandable pools of servers and services
- Transparent to end users
- A single IP address / DNS name for all servers in the service pool (Virtual IP)
- Load-balanced user access to proxies based on the Least Number of Connections algorithm
Content Switches (cont.)
- Proxies assigned RFC 1918 (private IP) space (additional isolation)
- Linear scalability
- Individual servers can be added to or removed from the service pool at will. This facilitates software upgrades, maintenance, and patch support for the actual servers.
CSS VIP Security
- Behavior similar to a PIX Firewall
- Outbound traffic permitted by default
- Inbound traffic subject to ACL (optional)
- Protects all pool services
- Internet scans show no or minimal services (only the advertised services)
Performance Overview
- Services virtualized and "pooled" together
- Approximately linear scalability / 28 for individual service pools
- 14 slaves max
- Separate management and load traffic paths
Proxy Services (Virtual IPs)
- SMTP
- HTTP
- SSH
- TELNET
- HTTP/Reverse
- FTP
- Others as we grow
Example (addresses and counters stripped from the captured output):

eth0.310  Link encap:Ethernet  HWaddr 00:03:47:DB:6D:6B
          inet addr:  Bcast:  Mask:
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:  errors:0 dropped:0 overruns:0 frame:0
          TX packets:  errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:  (86.9 MiB)  TX bytes:  (14.1 MiB)

Management Server Configuration
- IEEE 802.1q trunk format (LB monitor interface)
- Custom Linux kernel configuration parameters
- Subset of NIC cards: Intel EEPro 100 with Intel driver
- vconfig utility to create VLAN (IEEE 802.1q tag) interfaces
Performance Tests

Single test:
[SUM]  sec  15.2 GBytes  516 Mbits/sec

Pseudo double test (target address and parallel-stream count stripped from the capture):
smtpvip2:~# iperf -c n t 300 -P
Client connecting to , TCP port 5001
TCP window size: 64.0 KByte (default)
[ 5] local  port  connected with  port 5001
[ 6] local  port  connected with  port 5001
[ 7] local  port  connected with  port 5001
[ 8] local  port  connected with  port 5001
[ 9] local  port  connected with  port 5001
[ ID] Interval  Transfer     Bandwidth
[ 8]  sec  1.89 GBytes  54.2 Mbits/sec
[ 6]  sec  1.85 GBytes  53.0 Mbits/sec
[ 5]  sec  1.87 GBytes  53.6 Mbits/sec
[ 9]  sec  1.76 GBytes  50.3 Mbits/sec
[ 7]  sec  1.84 GBytes  52.7 Mbits/sec
[SUM]  sec  9.22 GBytes  264 Mbits/sec
[ ID] Interval  Transfer     Bandwidth
[ 7]  sec  1.78 GBytes  51.0 Mbits/sec
[ 9]  sec  1.86 GBytes  53.3 Mbits/sec
[ 5]  sec  2.00 GBytes  57.0 Mbits/sec
[ 8]  sec  1.68 GBytes  48.1 Mbits/sec
[ 6]  sec  1.82 GBytes  52.0 Mbits/sec
[SUM]  sec  9.14 GBytes  261 Mbits/sec
2 runs with a single machine in the VIP, 2 runs with 2 machines in the VIP

Confirmation from a different measuring tool:
netmon:~# nmap -P
Starting nmap 3.50 ( ) at :11 EDT
All 1659 scanned ports on csssm1 ( ) are: filtered
...
Interesting ports on smtpgateway ( ):
(The 1656 ports scanned but not shown below are in state: filtered)
PORT     STATE SERVICE
25/tcp   open  smtp
79/tcp   open  finger
113/tcp  open  auth

All 1659 scanned ports on httpgateway ( ) are: filtered

Interesting ports on cecache ( ):
(The 1655 ports scanned but not shown below are in state: filtered)
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
563/tcp  open  snews
8080/tcp open  http-proxy

All 1659 scanned ports on  are: filtered
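The scan above is the check that the VIP ACLs expose only the advertised services. The following added example (not from the original deck) parses nmap "normal" output of the kind shown and reports any open port that is not in a per-host allowlist; the hostnames, the 192.0.2.x addresses and the ADVERTISED policy are constructed for the example, not BNL's real values.

```python
import re

# Constructed sample in the nmap 3.50 normal-output format shown above,
# with placeholder addresses (not the real hosts).
SAMPLE_NMAP = """\
Interesting ports on smtpgateway (192.0.2.10):
PORT     STATE SERVICE
25/tcp   open  smtp
79/tcp   open  finger
113/tcp  open  auth

All 1659 scanned ports on httpgateway (192.0.2.11) are: filtered

Interesting ports on cecache (192.0.2.12):
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
563/tcp  open  snews
8080/tcp open  http-proxy
"""

# Hypothetical policy: the only ports the VIP ACLs are meant to admit.
ADVERTISED = {
    "smtpgateway": {25},
    "httpgateway": set(),          # nothing advertised, expect all filtered
    "cecache": {80, 443, 8080},
}

HOST_RE = re.compile(r"^(?:Interesting ports on|All \d+ scanned ports on) (\S+) ")
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+")


def parse_open_ports(text):
    """Map each host named in nmap normal output to its set of open ports."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:                       # both "Interesting ports on" and "All N scanned ports on" name a host
            current = m.group(1)
            hosts.setdefault(current, set())
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            hosts[current].add(int(m.group(1)))
    return hosts


def unexpected_exposure(scan, policy):
    """Return {host: ports} for open ports that the policy does not advertise."""
    findings = {}
    for host, open_ports in scan.items():
        extra = open_ports - policy.get(host, set())
        if extra:
            findings[host] = extra
    return findings
```

Running unexpected_exposure(parse_open_ports(SAMPLE_NMAP), ADVERTISED) on the constructed sample flags finger/auth on the SMTP gateway and snews on the cache, which is the kind of gap an ACL review would then close.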
Summary
- Cisco CSS provides a high-throughput, scalable solution for most BNL perimeter services
- Security enhancements are additional features
IPv6 Test Bed Deployment
- Campus network and host security
- Low cost
- Built from a "recycled" 7513 (free)
- Separate infrastructure
- IPv6 over 802.1q trunk encapsulation
- EUI-64 /64 subnets
- HTTP and FTP servers
- Next step: fix DNS, NAT-PT or dual stack