Presentation is loading. Please wait.

Presentation is loading. Please wait.

Brookhaven Science Associates U.S. Department of Energy 1 Network Services BNL USATLAS Tier 1 / Tier 2 Meeting John Bigrow December 14, 2005.

Published byAshlee Flynn Modified over 9 years ago

Similar presentations

Presentation on theme: "Brookhaven Science Associates U.S. Department of Energy 1 Network Services BNL USATLAS Tier 1 / Tier 2 Meeting John Bigrow December 14, 2005."— Presentation transcript:

1 Brookhaven Science Associates U.S. Department of Energy 1 Network Services BNL USATLAS Tier 1 / Tier 2 Meeting John Bigrow December 14, 2005

2 Brookhaven Science Associates U.S. Department of Energy 2 Network Services n BNL LHC Overview Preliminary Network and Security Architecture IP Address space allocations Performance Monitoring

3 Brookhaven Science Associates U.S. Department of Energy 3 n Network Security Limitations Current firewall Architecture –6 virtual 1 Gb/Sec EtherChannel to backplane –Rated total throughput of 5 Gb/Sec -EtherChannel Overhead Loss –Single 1 Gb/Sec flow / interface Network Services

4 Brookhaven Science Associates U.S. Department of Energy 4 n Network Security Limitations (Continued) Current Router Architecture –Single Access Control List (ACL) / interface -1 inbound and 1 outbound -Default behavior Implicit deny –A single ACL can become unwieldy in a complex WAN environment Network Services

5 Brookhaven Science Associates U.S. Department of Energy 5 n Network Security Limitations (Continued) Network Services …………. access-list 109 deny ip host 81.12.96.78 any access-list 109 remark Block IPs per ticket 160,729 1 Month 12/8 access-list 109 deny ip host 219.105.44.115 any access-list 109 deny ip host 217.199.177.208 any access-list 109 deny ip host 202.108.13.91 any access-list 109 deny ip host 210.219.231.2 any access-list 109 remark ********************* Allow ************************* access-list 109 remark permit all before implicit deny access-list 109 permit ip any any

6 Brookhaven Science Associates U.S. Department of Energy 6 Network Services

7 Brookhaven Science Associates U.S. Department of Energy 7 n IP Address Allocation Tier 0 to Tier 1 (BNL - CERN) Requires routable IP Address space Direct BGP peering with CERN to / from BNL Limited route advertisements between T0 and T1 –For the LHC OPN Circuit BNL will use 192.12.15.0/24 Network Services

8 Brookhaven Science Associates U.S. Department of Energy 8 n IP Address Allocation Tier 1 to Tier X (BNL - Internet) Requires routable IP Address space Direct BGP peering with ES Net from BNL Full Internet route advertisements –ES Net CIDR IP Address Space –For the Internet circuit BNL will use 198.124.220.0/24 –3 additional class C networks available Network Services

9 Brookhaven Science Associates U.S. Department of Energy 9 n IP Address Allocation Tier 1 to Tier X (Continued) DNS Fully Qualified Domain Hostname Accessible ONLY from ES Net –No other path to get to BNL for LHC / Atlas Network Services

10 Brookhaven Science Associates U.S. Department of Energy 10 Network Services

11 Brookhaven Science Associates U.S. Department of Energy 11 n Future BNL LHC OPN Enhancements Dedicated Cisco Firewall Service Modules when available –Eliminate router ACL Functionality / Maintenance –Connection Logging –Each FWSM circuit will not impede the 10 Gb/Sec. –Stateful FWSM redundancy IDS / IPS when available Network Services

12 Brookhaven Science Associates U.S. Department of Energy 12 Network Services

13 Brookhaven Science Associates U.S. Department of Energy 13 Network Services n Mon browser-based IP service monitor n Internet-centric WAN based monitor application n Interrogates essential BNL network services

14 Brookhaven Science Associates U.S. Department of Energy 14

15 Brookhaven Science Associates U.S. Department of Energy 15 Network Services n MonaLisa Java based SNMP monitoring tool n External WAN based monitor n Tracks BNL EtherChannel OC-48 n Firewall Service Module n 10 Gb/Sec. Uplink to the BNL core

16 Brookhaven Science Associates U.S. Department of Energy 16 Network Services

17 Brookhaven Science Associates U.S. Department of Energy 17 Network Services

18 Brookhaven Science Associates U.S. Department of Energy 18 n Summary Tier 2 traffic dependant on Internet connectivity –Path to BNL via ES Net only –Initial router ACL based access to BNL –BNL provides DNS hostname for Internet resolution Network Services

19 Brookhaven Science Associates U.S. Department of Energy 19 Questions/Comments ??? Network Services

20 Brookhaven Science Associates U.S. Department of Energy 20 BNL Points of Contact n Scott Bradley, Manager of Network Services 631.344.5745, bradley@bnl.gov n John Bigrow, Senior Network Architect 631.344.2648, big@bnl.gov Network Services

Download ppt "Brookhaven Science Associates U.S. Department of Energy 1 Network Services BNL USATLAS Tier 1 / Tier 2 Meeting John Bigrow December 14, 2005."

Similar presentations

Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
T1-NREN Luca dell’Agnello CCR, 21-Ottobre-2005. The problem Computing for LHC experiments –Multi tier model (MONARC) –LHC computing based on grid –Experiment.

T1-NREN Luca dell’Agnello CCR, 21-Ottobre The problem Computing for LHC experiments –Multi tier model (MONARC) –LHC computing based on grid –Experiment.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Introduction to IPv4 Introduction to Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Introduction to IPv4 Introduction to Networks.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
FNAL Site Perspective on LHCOPN & LHCONE Future Directions Phil DeMar (FNAL) February 10, 2014.

FNAL Site Perspective on LHCOPN & LHCONE Future Directions Phil DeMar (FNAL) February 10, 2014.
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.
Washington School District Computer Network System Threaded Case Study Jim, Jeff, Pete, Adam, Chris  100X LAN Growth  2X WAN Growth  1.0 Mbps to any.

Washington School District Computer Network System Threaded Case Study Jim, Jeff, Pete, Adam, Chris  100X LAN Growth  2X WAN Growth  1.0 Mbps to any.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Access Control Lists Accessing the WAN – Chapter 5.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Access Control Lists Accessing the WAN – Chapter 5.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 10 Access Control Lists CCNA2: Module 11.

WXES2106 Network Technology Semester /2005 Chapter 10 Access Control Lists CCNA2: Module 11.
Standard, Extended and Named ACL.  In this lesson, you will learn: ◦ Purpose of ACLs  Its application to an enterprise network ◦ How ACLs are used to.

Standard, Extended and Named ACL.  In this lesson, you will learn: ◦ Purpose of ACLs  Its application to an enterprise network ◦ How ACLs are used to.
Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.

Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.
1 © 2004 Cisco Systems, Inc. All rights reserved. CCNA 2 v3.1 Module 11 Access Control Lists (ACLs)

1 © 2004 Cisco Systems, Inc. All rights reserved. CCNA 2 v3.1 Module 11 Access Control Lists (ACLs)
Network Monitoring for Internet Traffic Engineering Jennifer Rexford AT&T Labs – Research Florham Park, NJ 07932

Network Monitoring for Internet Traffic Engineering Jennifer Rexford AT&T Labs – Research Florham Park, NJ 07932
CS335 Networking & Network Administration Tuesday April 27, 2010.

CS335 Networking & Network Administration Tuesday April 27, 2010.
CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control 172.16.3.0172.16.4.0 Non-172.16.0.0 e0e1 s0 172.16.4.13 server.

CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control Non e0e1 s server.
© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—7-1 Integrating Internet Access with MPLS VPNs Implementing Internet Access as a Separate VPN.

© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—7-1 Integrating Internet Access with MPLS VPNs Implementing Internet Access as a Separate VPN.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
NJEDge.Net Regional Meeting Jim Stankiewicz Network Operations October 20, 2006 Jim Stankiewicz Network Operations October 20, 2006.

NJEDge.Net Regional Meeting Jim Stankiewicz Network Operations October 20, 2006 Jim Stankiewicz Network Operations October 20, 2006.
Chapter 8 PIX Firewall. Adaptive Security Algorithm (ASA)  Used by Cisco PIX Firewall  Keeps track of connections originating from the protected inside.

Chapter 8 PIX Firewall. Adaptive Security Algorithm (ASA)  Used by Cisco PIX Firewall  Keeps track of connections originating from the protected inside.
Questionaire answers D. Petravick P. Demar FNAL. 7/14/05 DLP -- GDB2 FNAL/T1 issues In interpreting the T0/T1 document how do the T1s foresee to connect.

Questionaire answers D. Petravick P. Demar FNAL. 7/14/05 DLP -- GDB2 FNAL/T1 issues In interpreting the T0/T1 document how do the T1s foresee to connect.

Similar presentations

Ads by Google