1 / 46

Make Your Network Mobile

Make Your Network Mobile. Vorguvara Conference 5 th May 2011. Timo Lonka Systems Engineer. Agenda. Trends Driving Cloud. Identity awareness and identity management in networks . Extreme Networks Managed Hosting / Cloud Solutions. About the company. Extreme Networks Product Portfolio.

damon
Télécharger la présentation

Make Your Network Mobile

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Make YourNetwork Mobile

  2. Vorguvara Conference 5th May 2011 Timo Lonka Systems Engineer

  3. Agenda Trends Driving Cloud Identity awareness and identity management in networks Extreme Networks Managed Hosting / Cloud Solutions About the company

  4. Extreme Networks Product Portfolio Summit X480 8900-40G6X-Xm BlackDiamond X-series BlackDiamond 8900 Ridgeline Summit X670 S-10G2Xc E4G 200/400 NEBS-1 Certification Summit X460 BlackDiamond 8800 Summit X650 Summit WM VIM3-40G4X Single-Radio AP Adaptive AP Wall Plate AP Controller w/ AP ADSP Summit X450a BlackDiamond 8500 Summit X250e Summit X450e ReachNXT Summit X150 Summit X350 40G 10/100M 1G 10G 1/10/40G 10/40/100G Modular Fixed ExtremeXOS®

  5. A History of Award-Winning Innovation Layer 2/3 Ethernet Switching Ethernet Resiliency: EAPS On-switch Scripting Controls Price/Performance Leadership Modular OS: ExtremeXOS® Virtualization-Aware Network Ethernet Quality-of-Service Hierarchical QoS First 40 GbE Switch @ $1k/port 1990 2000 • 2010

  6. Resiliency in SoftwareExtremeXOS Modular Operating System An Extreme Networks® Innovation Modularity = High Availability Without modularity …. • If a process fails, OS has to be restarted. • If a patch or feature needs to be added, OS has to be restarted. With ExtremeXOS® modularity …. • Self-healing process restart • Dynamic software uploads One modular operating system • From 10/100M to 10G products ExtremeXOS • Shipping since December 2003 • Competitors started talking only in 2004 Configuration Management(CLI/SNMP/XML/Scripts) ExtremeXOS Application Modules sFlow SSH2 OSPF VRRP 802.1x STP EAPS ESRP ExtremeXOS Kernel-Loadable Modules ExtremeXOS Kernel Hardware Abstraction Layer Hardware ExtremeXOSModular Operating System

  7. Our Differentiator is ExtremeXOSWe Try Hard to Keep it SIMPLE 10.1 10.1 11.0 11.1 11.2 11.3 11.4 11.5 11.6 12.0 12.3 12.2 12.1 12.4 12.5 2003 • ExtremeXOS®: Simplifies your upgrade management with • Predictable release cycles • Same OS & release train across all Extreme Networks® product lines • Compare with other vendor • Release map from vendor website • 18 month releases • Every product has its own software • Non-modular software

  8. Summit ExtremeXOS Management Simplicity – Stacking and WebGUI • ExtremeXOS® Stacking • 10/100, 1G and 10G Summit series switches • Simple management for up to 8 switches • 40 Gbpsto 512Gbps high speed stacking interfaces with distributed L2/L3 switching and routing • Rapid Master Failover and Path Recovery • Hitless protocol failover support • Web GUI • Embedded Web server for Web-based management of all Summit series switches

  9. Hardware, Software & Network Resiliency With converged networks comes an increased need for always-on networking – that is, 100% network availability. This is important both for emergency purposes and to guarantee business continuity. This sort of reliability starts at the core of the network with highly available solutions and robust network designs that have millisecond failover and recovery times. – Current Analysis Hardware Resiliency Software Resiliency Modular Operating System Hitless Failover Process MonitoringGraceful restartCPU DoS Protection Passive BackplaneRedundant SwitchingRedundant ManagementRedundant PowerRedundant Fans BlackDiamond® 8810 Network Resiliency Summit®X460-24p Summit X460-48t EAPS – Sub 50ms Restoration

  10. Trends Driving Cloud

  11. The New Enterprise… A New Mobility Inflection in 2012 Smartphones > PCs Cloud Services ($B) 600 500 400 300 Global Unit Shipments (MM) Billions $ 200 100 0 2009 2010E 2011E 2012E 2013E Cloud Services Desktop PCs Notebook PCs (includes Netbooks) Smartphones Source: Katy Huberty, Ehud Gelblum, Morgan Stanley Research. Data and Estimates as of 9/10 Source: 415 Group and Tier 1 Research • Revenues from mobile apps, including from those designed for enterprise use, will experience a compound annual growth rate of 60 percent during the next four years. • By 2014 the market is expected to reach $35 billion. • This year mobile application downloads will top 10.9 billion. That will reach 76.9 billion over the next four years. Source: IDC

  12. Data Residing in the Cloud Expected to Grow Recent Network World End-User Survey Q. Approximately, how much of your organization’s data presently resides in the public, private and hybrid clouds, and will in 18 months? Source: Network World Cloud-Based Computing Research Study, November 2010 Source: State of the Network Survey 2010. Network World. August 2010.

  13. Extreme Networks® • Our Mission • Deliver networks optimized for the managed hosting and cloud data center that provide leading scale, openness and simplicity in a cost-effective architecture Scale to address the demands of the cloud Open Architecture to provide best of breed Mobile to enable dynamic resource allocation Automate to create zero-touch services 5 Phase strategy to move from physical to virtual to cloud

  14. Open – Enable Best-of-Breed Solutions Open Network Virtualization Open Source Cloud Architecture Open Enterprise Cloud Enterprise Cloud Consortium

  15. Data Center – Requirements

  16. Data Center Trends • The New Computer • Data center capacity, not server capacity, is the new metric • Consolidation • High Computational Density • Physical Location Consolidation • Green • Efficient Power Management • Virtualization • On Demand Provisioning • Hardware Independence / High Availability • Location Independence • Network / Storage Convergence

  17. Some Issues in a Virtualized Network

  18. Virtualization: A Networking Problem • The Dissolving Network Edge • Network boundary between edge switch and server has blurred • Switching at multiple levels • Virtual switch • Network switch • Switching in NIC cards • Distributed virtual switches • Co-existence of different virtual switch models a challenge

  19. Virtualization: A Networking Problem • The Departmental Divide • Who owns the networking configuration? • Server and network administrators traditionally distinct • Server administrators not skilled at network configuration • Dealing with inconsistencies in server and network configuration • Increased likelihood of errors • Troubleshooting, maintenance require direct coordination across groups • Shifting locus of control

  20. Virtualization: A Networking Problem • VM: Force-Fitting Dynamism onto a Static Network • VM Mobility requires network configuration to follow VMs • VLAN, QoS, ACLs, Rate Limiting tied to VM, not network port • Best practices are conflicting • Flat Layer 2 versus segmented • Requires coordination between server & network administrators • Automated and dynamic VM migration

  21. Network Mobility of Virtual Machines • Make the network “VM aware” • Hypervisor independent • “Zero-touch” network provisioning • Dynamic Virtual Port Profiles across the infrastructure

  22. VM Mobility Issues Today Network has Zero Visibility into VM Lifecycle Server Admin Initiate Virtual Machine Manager Network Admin Switch Port Config IP: 1.1.1.2 MAC: 00:0A QoS: QP7 ACL: Deny HTTP Switch Port Config None or Disabled Result: The VM moves to a destination switch port that is incorrectly configured to deliver network services to the specific VM When a virtual machine move occurs automatically or initiated by server admin, the network admin has NO visibility into VM location or when the movement occur NIC NIC VM1 IP: 1.1.1.2MAC: 00:0A Hypervisor Hypervisor

  23. Extreme Networks XNV Network Visibility into VM Lifecycle Server Admin Location-based VM awareness at the network level for efficient virtual machine mobility Query Initiate Virtual Machine Manager Network Admin VM info Switch Port Config Virtual Port Profile IP: 1.1.1.2 MAC: 00:0A QoS: QP7 ACL: Deny HTTP Switch Port Config Virtual Port Profile IP: 1.1.1.2 MAC: 00:0A QoS: QP7 ACL: Deny HTTP Switch Port Config IP: 1.1.1.2 MAC: 00:0A QoS: QP7 ACL: Deny HTTP Switch Port Config None or Disabled XNV™-enabled XNV-enabled Result: Both the VM and the Virtual Port Profile moves to the destination switch port. Network-level visibility into VM movement is achieved to deliver better SLA. • Ridgeline®: Through XML integration • Pull Inventory from virtual machine manager • Locate VMs on network switches • Show Inventory VM  Switch Port Mapping • Define Virtual Port Profile (VPP) • Assign (VPP) to VMs and Distribute • Respond to VM motion occurrences NIC NIC VM1 IP: 1.1.1.2MAC: 00:0A Hypervisor Hypervisor

  24. ExtremeXOS Automation • Ridgeline™ provisions across multiple Extreme Networks ® switches and integrates with hypervisor management • Tightly integrates with virtualization management platforms • XML based API • Centralized network-level inventory • Network-level insight and control of virtualization

  25. Simplifying the Network Topology • Virtualization has introduced complexity to the network • Additional 1 or 2 tiers of switching • Extreme Networks® Direct Attach™ architecture reduces network tiers • Fewer switches • Lower cost design • High performance • Reduced cabling • Reduced power

  26. Scale: Line Rate Performance of Large Environments Embedded Soft Switch (Today) • Large growth in VMs introduces switch functionality on server • Proliferation of switching infrastructure in network • Soft Switch (vSwitch) in server • Each vSwitch needs management Direct Attach™ (Future) • Can reduce management complexity • Can increase performance and security

  27. Direct Attach – Eliminate the vSwitch “Virtually” Reducing Network Tiers Data Center Core Minimal traffic provisioning (if any) is done at the vSwitch. vSwitch VM2 VM1 Today’s Inter-VM Switching

  28. Direct Attach – Eliminate the vSwitch “Virtually” Reducing Network Tiers Inter-VM traffic is transmitted and received on the same network physical port. VM2 CPU and network utilization severely impacted, due to DoS attack. CLEAR-Flow enabled to dynamically provision/block DoS traffic. VM2 CPU and network utilization reverts to healthy. Direct Attach™ Enabled Switch • Guest OS: Ubuntu • Active applications: • gnome-system-monitor for network and CPU utilization • hping to generate DoS attack targeted at VM2 • Guest OS: Ubuntu • Active applications: • gnome-system-monitor for network and CPU utilization • tcpdump to monitor attack traffic from VM1 VM2 VM2 VM1 Host: Fedora 12 Hypervisor: QEMU-KVM

  29. Extreme Networks® Scale to address the demands of the cloud Open Architecture to provide best of breed Mobile to enable dynamic resource allocation Automate to create zero-touch services 5 Phase strategy to move from physical to virtual to cloud

  30. Identity awareness and identity management

  31. Extreme Solutions for Extreme Challenges The Solution Extreme Networks®five phase strategy delivering mobile awareness, personalization and control, from the converged edge to the cloud. Built upon industry standards and openness with leading price-performance. Architecture eases role of IT, enables Quality of User Experience (QUE) and can increase business productivity.

  32. Islands of Awareness • Phase 2 • Recognize users and tailor network access for human users via Identity Manager • Recognize and tailor network access for devices via Universal Port and virtual machines via XNV (ExtremeXOSNetwork Virtualization) • High-performance via 40G, converged WLAN edge, DCB for storage convergence, and data center flattening with Direct Attach (VEPA) ExtremeXOS® Intelligence Layer Ridgeline™ Network Management User Intelligence Device Intelligence Personalization/ Customization Virtual Machine Intelligence Traffic Intelligence SDK Identity Management Universal Port Software Development Kit, Scripts Virtualization Manager Flow and Security Converged Ethernet Layer Summit® Switch Stack DCB 40G M-LAG IPv4/v6 XNV™ 10G 10G/40G Direct Attach™ EAPS Altitude™ AP Blade Servers with Hypervisor Edge Campus Core Data Center

  33. Vision Network-based Identity and Access Management Extending security provisioning of users and applications to the network for greater control

  34. Traditional IdAM Identity and Access Management (IdAM) provisioning at the application (i.e. resource) level Intellectual property data IP Manager: John Unknown Customer data Sales: Alice Unknown Financial resource systems Finance: Bob User Community ProtectedApplication / Data Center Application / Data Center Network Infrastructure

  35. Network-based IdAM Identity and Access Management (IdAM) provisioning at the network and application level with Extreme Networks Intellectual property data IP Manager: John • Increased Network Availability • Eliminate “noise” traffic and malicious activity within the infrastructure • Network and data access provisioned based on roles and identity • Audit network activity per user Unknown Customer data Sales: Alice Unknown Financial resource systems Finance: Bob User Community Protected Application / Data Center ProtectedNetwork Infrastructure Network Infrastructure

  36. Extreme Networks Embedded Security and Extensible Ecosystem Identity Reporting Embedded Security (e.g. DoS, IP Spoof, ARP, etc..) Role-based Enforcement EPICenter: Centralized Mgmt Platform Device Mgmt XOS 12.4 SIEM RADIUS Partner Solutions Extreme XOS Software Modules Identity Reporting IPS 3rd party interface (XML, SNMP, etc…) AD/LDAP Flow Analysis VPN DLP Role-based Mgmt Firewall UTM Extreme Switching Infrastructure

  37. Identity Management : Overview • Identity management brings user awareness to networks. • Network monitoring was based on IP addresses. • Network Admins get insight into user behavior on their networks. • Locate and track VoIP phone. (Phone<->IP<->switch port) • Network Security by port authentication. • Netlogin 802.1x, mac-based and captive portal. • Network Authorization by policy profiles (ex. UPM scripts). Identification Authentication Authorization Network Resources

  38. Introducing in XOS 12.4.1Identity Manager • Tracking of network users based on username (at the switch level) • Netlogin 802.1X Login ID • Netlogin Web-based ID • Netlogin MAC-radius • LLDP-based device identification (e.g. VoIP Phone) • Kerberos Snooping (Windows Active Directory Domain Login) • Transparent method of tracking users attached to the network • Reporting: Location tracking based on username/device name • Mapping of usernames to IP, MAC, Port, VLAN, NetBIOS Name, etc… • 24-hour Dashboard Reporting

  39. Extreme: An Identity-aware Network Internet Firewall IPS IPS Server Farm LDAP, AD, CRM, ERP Firewall Extreme EPICenter

  40. Extreme: An Identity-aware Network Internet Firewall IPS IPS Server Farm LDAP, AD, CRM, ERP Firewall Extreme EPICenter

  41. User Role-based Policy Once a user successfully authenticates, Extreme performs an LDAP query to the AD server for the user’s specific attribute. Based on response from AD and the attribute, Extreme switch places user into a specified “role”. Internet Firewall IPS IPS Server Farm LDAP, AD, CRM, ERP Firewall Extreme EPICenter

  42. User Role-based Policy “then” place user in the following defined “Role”. For example: Employee Role Sales Role Engineering Role Marketing Role Contractor Role Visitor Role User-Defined Role “if ” user matches a defined attribute value Active Directory Attributes City Comment Common Name Company Country Department Description Distinguished Name Email Address Employee ID Host Common Name Host Description Host Distinguished Name Host DNS Name Host Member of Host Operating System Host Operating System Service Pack Host Operating System Version Manager Member Of Phone Home Phone Home Other Postal Code State Street Address Telephone Number Title User Principle Name Radius Attributes Called Station Calling Station Filter ID Login IP Login Service Login TCP Port NAS Framed IP NAS Framed Netmask NAS ID NAS IP NAS Port NAS Port Type NAS Service Type Reply User Name

  43. User Role-based Policy User gets placed into a defined role, which will then “dynamically” inherit a set of policies configured for each specific role Contains Policy 1, 2, 3 Employee Role Contains Policy 4, 5 Sales Role Contains Policy 6, 7 Engineering Role Contains Policy 8, 9, 10 Marketing Role Contains Policy 11, 12, 13 Contractor Role Contains Policy 14, 15 Visitor Role User-Defined Role Contains Policy 16

  44. The Concept of Roles

  45. Make YourNetworkMobile

More Related