H3C Data Center Solution
Foreword
A data center (DC) is an integrated IT application environment formed through data centralization: a center that provides diversified IT applications and handles data processing, network transmission, and storage. A DC enables unified management of IT infrastructure, services, and data, unified deployment of security policies, and unified O&M management. DCs remain the focus of IT construction for telecom operators and industry customers. Operators, large enterprises, government agencies, and businesses in the fields of financial securities, energy, electricity, transportation, education, manufacturing, power grids, and e-commerce have already built or are building their DCs. Thanks to DCs, IT information systems are integrated and managed in a unified way, raising internal operations and management efficiency and external service levels while reducing the TCO of IT construction.
H3C is dedicated to the research, development, production, and sales of IP technologies, products, and services. Apart from its full series of Ethernet switches and routers, H3C has grown steadily in network security, IP storage, IP monitoring, voice and videoconferencing, WLAN, SOHO, and software management systems. At present, H3C ranks first in China in market share for network products, among the top three in China for security products, and first in the Asia-Pacific region for IP storage products. H3C is a world leader in IP monitoring technology. From a network equipment supplier, H3C has established itself as an IToIP solution provider with multiple product lines.
H3C follows the development of the data center sector closely and continues to invest in the R&D of DC solutions. The H3C IToIP-based DC solutions, which combine network, security, IP storage, software management, and IP monitoring, effectively address the tough problems encountered in data center construction and have been widely deployed in DCs across all sectors. Based on its long-standing R&D and technological accumulation in the data communications field and on the history of DCs, H3C divides the development of DCs into the following levels:
• Basic DC network integration: In this stage, the primary focus of data center construction is to integrate the existing heterogeneous service systems, network resources, and IT resources based on service requirements and open-standard IP protocols. A basic DC network is divided into functional areas, follows network layers, and features hierarchical server access. With high availability (HA) technologies and sound network design, you can ensure the reliable running of data centers and guarantee service continuity.
• Application intelligence data center: Based on the open TCP/IP architecture, application intelligence enables the seamless deployment and upgrade of new services and applications on top of the basic DC architecture. This satisfies the changing requirements of users and ensures the sustainability and continuity of data center services. The security, optimization, and integration of diversified applications can be deployed seamlessly over the data center.
• Data center virtualization: The traditional DC model of isolated application islands scales poorly. The allocation of core resources does not match the development of service applications, leading to uneven resource utilization and rising operation costs. As a result, the existing investment is not used optimally, new services can hardly be deployed, the continuity of existing services cannot be guaranteed, and the data center faces security threats. By building a shared resource pool, virtualization manages, plans, and controls network, processing, and storage resources; simplifies management and maintenance; raises the utilization of device resources; optimizes service procedures; and lowers maintenance costs.
• Data center resource intelligence: With the intelligence management platform, you can manage, allocate, and schedule resources intelligently, and construct a highly intelligent, automated data center.
I. Basic Network Integration
1. Network Design
With the rapid development of services, the service applications and data of operators, firms, and industrial users are moving from scattered deployment toward integration. The deployment model of the IT facilities that carry these services is also changing dramatically. Simple interconnection can no longer satisfy the requirement for sustained service development once applications are integrated.
A network is the only universal entity that connects all DC IT components. Building solid network infrastructure guarantees the continuity, management, and O&M of data center services. User services are generally classified into several subsystems that depend on each other in terms of data sharing, service access, and data access control and isolation. Based on service relevance and related procedures, user services should be designed as separate modules on the principle of low coupling and high cohesion, to ensure system and data security, reliability, flexible scalability, and easy management.
The design of basic DC networks should follow the principle of area division, layered design, and hierarchical structure.
Area division
In area division, user services are divided into multiple service subsystems based on the relevance and management of the entire IT system. Each subsystem has independent core switches, servers, and security boundary devices, and the subsystems follow hierarchical access control policies. Rational logical area division and security area division are a prerequisite for a data center network.
Based on the characteristics of a company, the relevance of service systems, the access requirements of data flows, and the security control requirements, DC servers and service systems can be divided into the areas of intranet, extranet, and Internet. In each area, the service procedures can be further classified.
Intranet area
• An intranet area is generally an internal data center area that allows data access within a company. An intranet is not visible to external networks.
Extranet area
• An extranet area is a data center area that allows data access by partners. By constructing VPNs, users can access server farms while different businesses remain isolated.
Internet area
• An Internet area, also known as the DMZ, is a data center area provided by a company for access by Internet users. External users reach the Internet area through a public network. The Internet area usually consists of the server farm that hosts the company's portal website.
Layered design
Layered design is based on the principle of separating internal and external traffic flows. A DC network is divided into three layers: core, aggregation, and access. Traffic between a server and a service system mostly stays within a single functional area and does not need to enter the core layer; traffic between areas, however, must pass through the core layer. In this manner, you can easily configure access control policies on the aggregation switches of each area, relieve traffic pressure on the core layer, limit the scope of a fault, and rectify faults rapidly.
Core layer
• The core layer connects multiple interconnected DC aggregation modules and connects to the campus core area. The core layer must have powerful switching capability and strong adaptability to burst traffic. A large-scale DC core layer should be able to connect multiple aggregation modules through extension. Small and medium-scale DCs can share the campus core area. Currently, 10-Gbit/s interfaces are mostly in use. Four to eight 10-Gbit/s interfaces should be bundled to support high-performance applications.
Aggregation layer
• The aggregation layer provides server farms with high-bandwidth outbound interfaces. High-density GE or 10GE interfaces are required to connect the access layer. The aggregation layer also provides many slots for value-added service modules.
Access layer
• The access layer provides high-density GE or 10GE access. The ratio of total access bandwidth to upstream bandwidth can follow one of two modes: aggregation ratio or line rate. The 1 RU form factor allows flexible rack deployment. The access layer supports stacking, scales well, and supports dual upstream links in redundancy mode.
Mainstream practice in the industry is to deploy diversified security and application optimization services on the aggregation layer, for example by integrating firewall, load balancing, or application accelerator boards into the aggregation switch.
Hierarchical structure
The application access model has already transformed to the browser/server (B/S) model from the traditional client/server (C/S) model. The B/S model requires a three-tier server structure that can be classified into the following layers:
Web layer
• The Web layer provides the application front end, accepts customer requests, and returns the end results. It is the external interface of service systems and data. IIS and Apache servers work on the Web layer.
Application layer
• The application layer is responsible for data processing and service procedure integration. Common middleware technologies such as WebLogic and J2EE are implemented on the application layer.
Database layer
• The database layer is responsible for storing data for access and retrieval by service systems. MS SQL Server, Oracle 9i, and IBM DB2 work on the database layer.
Internally interconnected through the switching network, the three-tier server access model features hierarchical security protection, a distinct architecture, and convenient deployment. The three-tier interconnection has two models: horizontal and flat. The horizontal model has a distinct architecture and easy management, whereas the flat model saves investment.
Advantages of the H3C basic DC networks
Security
• The security relations between different network areas can be easily identified. You can then enforce security policies in each area separately without affecting other areas.
Scalability
• Built into different areas and levels as required, the H3C basic DC network boasts flexible service deployment. You can easily add a new server farm area without changing the original network structure.
High availability
accelerate the convergence time.
Easy management
• The distinct network structure facilitates routine O&M and fault location.
2. High Availability Solution
With increasingly intense market competition, customers depend more and more on information systems, and the requirements placed on those systems keep growing. To ensure an HA data center, providing 7 x 24 network services becomes the primary objective of network construction and the utmost concern in DC construction.
Network failures that lead to unavailable networks are classified into the following types:
• Uncontrollable factors, including natural disasters, wars, blackouts, and human sabotage
By constructing the "three centers at two locations" model, which consists of a production center, a local backup center, and a remote disaster tolerance center, together with rational overall planning and design, you can ensure the HA of a data center in the face of uncontrollable factors.
• Controllable factors, including device failures, link failures, network congestion, misoperations, and malicious attacks
H3C considers these factors in product design, and a full series of solutions covering the physical, link, IP, transport, and application layers is implemented to enhance network availability in an all-round manner.
  - Hardware redundancy: dual main control boards, hot-swappable boards, redundant power supply modules, and redundant fan modules
  - Redundant physical links such as Ethernet link aggregation
  - Ring technologies such as RPR and RRPP
  - Redundant Layer 2 paths such as MSTP and SmartLink
  - Redundant Layer 3 paths such as VRRP, ECMP, and fast convergence of dynamic routes
  - Fast fault detection technologies such as BFD
  - Non-blocking forwarding technologies such as GR
In addition to HA products, H3C also provides a complete HA data center solution. The solution covers HA server access, HA from the access layer to the aggregation layer, and an HA aggregation layer.
HA server access
It is also called multi-NIC server access. To ensure the HA of service access, a server is generally connected to its upstream device through multiple links, using two or more NICs. The NIC driver in the server bundles the two or more NICs into one virtual NIC. If one NIC fails, the other NIC takes over the MAC address. The two NICs share the same IP address and are located in the same broadcast domain, that is, the same subnet. There are many ways to connect a server to an access switch.
The network availability of the preceding connections increases from left to right. The fourth connection method is recommended. In this mode, a server is connected to two cabinet switches in fault tolerance mode. In addition, a VLAN trunk is configured on the switches to ensure highly reliable access of the server.
HA from the access layer to the aggregation layer
There are four methods to connect access devices to the aggregation layer: inverted U-shape, U-shape, triangle, and rectangular. These connection methods are all based on Layer 2 links. Take the rectangular connection as an example. The links between access devices, from access devices to aggregation devices, and between aggregation devices are all Layer 2 links. This forms rectangular Layer 2 links.
H3C recommends the triangle connection:
  - It supports redundant links and paths and has the shortest convergence time in case of failures.
  - A VLAN can extend across different switches on the aggregation layer, so servers can be deployed flexibly.
In practice, you can choose one of the following schemes as required:
  - H3C Intelligent Resilient Framework (IRF): The H3C IRF manages distributed devices and distributed routes, and aggregates links connecting different devices. In addition to improved network availability and reduced impact of single-point failures, the H3C IRF has the following features:
    - Largely enhances network performance through the distributed processing of Layer 2 and Layer 3 protocols.
    - Ensures effective configuration management by treating each group of devices as one logical fabric.
    - Facilitates easy upgrade by allowing the simultaneous software upgrade of all devices in a stack group.
    - Allows flexible management by supporting hot swapping of devices in all stack groups.
  - Adopt MSTP+VRRP to connect access devices to aggregation devices. This improves network availability and also shares the traffic load among links.
HA aggregation layer
  - Configure VRRP between aggregation switches.
  - Security and application optimization devices, with VRRP configured between them, can be built into or attached to aggregation switches. The attachment method is recommended: the devices are then not placed inline in the forwarding path, which eliminates the performance bottleneck. With the HRP protocol, you can back up the key configuration commands and session state between the master and the backup firewall devices. The HRP protocol is carried over VGMP packets. Through the specified load balancing algorithm, the packets to a server farm are balanced among the member servers. This maximizes the external service capacity of the server farm, improves the availability of servers, and enhances the processing performance of the server farm.
II. Application Intelligence
1. Model
Today, with the emergence of Web 2.0 applications such as Flickr, YouTube, blogs, wikis, and podcasts, the Internet is thriving again after the first bubble collapsed. The underlying hero of these new applications is Web technology. Web 1.0 standardized human-machine interactive interfaces, and Web 2.0 further standardizes the interaction of application data. Web 2.0 is built on XML protocols and a series of Web technologies. The most striking characteristic of the Web 2.0 era is that everyone can become a data provider. In the coming few years, the popularity of Web applications is bound to lead to the emergence of a new standard, that is, standard Web-based applications. In the OSI model, this corresponds to standard session and presentation layers. Once standardization is complete, applications become available on the network: standardized application functions are integrated into network devices. New services are pressing for new application intelligence networks.
Corporate services and data are moving from scattered deployment toward high centralization. The number of data centers is soaring and the attention paid to the significance of data centers is unparalleled. Application optimization, network security, and application security devices are deployed on a large scale. Application intelligence data centers that combine application security and optimization capabilities are becoming increasingly popular. In this context, multi-service aggregation switches have become an indispensable component of data center construction.
Application security includes:
• Authentication, authorization, and accounting at the application layer
• Encryption (SSL) and integrated PKI deployment at the application layer
• Firewall (HTTP/XML firewall, Security Assertion Markup Language (SAML)) at the application layer
• Protecting application contents against viruses and intrusion
Application optimization includes:
• Application load balancing
• Hardware-based application buffering, compression, and switching
• Application protocol optimization (HTTP/TCP)
The following figure shows the model of an application intelligence DC that combines application security and optimization.
2. Security
Apart from carrying the core services and confidential data of users, data centers also provide service interactions and data exchanges between internal and external customers and partners. The security of data centers must therefore be integrated with the service systems, and security policies should be easy to deploy on the network. One of the major concepts in the security construction of data centers is layered, hierarchical security: the security of an IT system consists of several levels and is divided into different security areas, supplementing the inherent security requirements of a data center.
Based on an in-depth analysis of IT security, H3C puts forward the status-based evolving security model that classifies the IT security into the following:
• Device security: rights management, virus protection, and data backup.
• Regional security: remote access, intrusion inspection, security convergence, and security cooperation.
• Deep security: disaster tolerance backup, deep defense, security auditing, and traffic analysis.
• Unified security: risk management, corporate internal control, unified planning, and unified management.
As security evolves through these stages, it trends toward application intelligence security. At any moment, information is in exactly one of the following states:
• Processing: the state in which information is created, modified, deleted, searched, or processed in depth.
• Communication: the state in which information is transmitted between different settings or within one setting.
• Storage: the state in which information is saved temporarily or permanently.
Security applications aim to protect data in these three states. The security state of information determines its security policy. For a data center, the security policies cover access control, patch management, attack defense, filtering defense, virus control, traffic control, and risk control.
Security areas
The basis of security policies lies in the logical division of services and of security areas. The advantages of security area division in data center services are as follows:
• Easy deployment of new functional areas
• Different security policies for different areas
• Independent expansion of each area if required
• Easy fault location and rapid recovery in case of failures
In accordance with this division concept, a data center is divided into different logical areas based on service types. Each area is deployed with its own security policy and trust model, so the data center becomes a hierarchy of security domains. In actual deployment, security policies are classified into:
• Boundary access control
• Deep intelligence defense
• Intelligent security management
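As an added example serving both the area division and three-tier access model of Section I and the security area policies above (not H3C's code or policy), the following encodes an area-based hierarchical access policy and audits a few constructed flow records against it, the kind of check used to confirm that each area's policy is actually enforced. The specific rules, user classes, and sample flows are assumptions.

```python
"""Auditing flow records against an area-based, hierarchical access policy.

The areas (intranet, extranet, Internet/DMZ) and tiers (Web, application,
database) are the ones described in the document; the concrete rules and the
sample flows are assumptions constructed for this example, not an H3C policy.
"""
from dataclasses import dataclass

TIER_NEXT = {"web": "app", "app": "db"}   # the only permitted downstream hop per tier

# Which areas each class of user may enter (assumed policy): employees reach
# all three, partners the extranet (over VPN) and the DMZ, the public only the
# DMZ. An intranet area is never visible from outside the company.
USER_ENTRY = {
    "employee": {"intranet", "extranet", "internet"},
    "partner": {"extranet", "internet"},
    "public": {"internet"},
}


@dataclass(frozen=True)
class Endpoint:
    zone: str   # an area name for servers, or a user class for clients
    tier: str   # "web", "app", "db", or "client"


@dataclass(frozen=True)
class Flow:
    src: Endpoint   # the side that initiates the connection
    dst: Endpoint
    dport: int


def check(flow):
    """Return (allowed, reason) for one connection attempt."""
    s, d = flow.src, flow.dst
    if s.tier == "client":
        # Users only ever enter through the Web tier of an area open to them.
        if d.tier != "web":
            return False, f"{s.zone} client may only reach the Web tier, not {d.tier}"
        if d.zone not in USER_ENTRY.get(s.zone, set()):
            return False, f"{s.zone} client may not enter the {d.zone} area"
        return True, f"{s.zone} client to {d.zone} Web tier"
    if d.tier == "client":
        return False, "servers do not initiate connections to clients"
    if s.zone != d.zone:
        # Inter-area traffic crosses the core and needs an explicit policy; none assumed here.
        return False, f"server traffic from {s.zone} to {d.zone} crosses areas without a policy"
    if TIER_NEXT.get(s.tier) != d.tier:
        return False, f"{s.tier} tier may not initiate connections to the {d.tier} tier"
    return True, f"{s.tier} -> {d.tier} inside {s.zone}"


def audit(flows):
    """Return the violating flows together with the reason each one was rejected."""
    violations = []
    for f in flows:
        ok, reason = check(f)
        if not ok:
            violations.append((f, reason))
    return violations


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    Flow(Endpoint("public", "client"), Endpoint("internet", "web"), 443),    # portal visit
    Flow(Endpoint("internet", "web"), Endpoint("internet", "app"), 8080),    # web -> app
    Flow(Endpoint("internet", "app"), Endpoint("internet", "db"), 1433),     # app -> db
    Flow(Endpoint("partner", "client"), Endpoint("extranet", "web"), 443),   # partner over VPN
    Flow(Endpoint("public", "client"), Endpoint("intranet", "web"), 80),     # intranet not externally visible
    Flow(Endpoint("internet", "web"), Endpoint("internet", "db"), 1521),     # skips the application tier
    Flow(Endpoint("internet", "db"), Endpoint("internet", "app"), 50000),    # wrong direction
    Flow(Endpoint("internet", "app"), Endpoint("intranet", "db"), 1433),     # crosses areas
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src.zone}/{flow.src.tier} -> "
              f"{flow.dst.zone}/{flow.dst.tier}:{flow.dport}: {reason}")
```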
1. Boundary access control
Boundary control, that is, access control of users to a data center, is the fundamental requirement of the data center. With the evolution of security status, security trends toward application intelligence security. H3C SecBlade II 10GE firewall modules, together with core and aggregation switches, are integrated with multiple services and exchange data directly through the switch backplane. The combined merits of high performance and reliability avoid the performance bottleneck and single point of failure of switches during in-service deployment. Compared with attaching a firewall to a data center, boundary control in this form features easy policy configuration, unchanged data forwarding paths, a clear traffic forwarding process, and easy deployment and maintenance.
2. Deep intelligence defense
Faced with endless DDoS attacks, Trojan horses, and hacker intrusions against a data center, traditional IDS products detect only some events and cannot provide real-time analysis and defense. The industry-leading H3C Intrusion Prevention System (IPS) is deployed on the key paths of a customer network in inline or bypass mode (so that the IPS can either block attacks directly or be configured with the Layer 2 return function). The IPS performs Layer 2 through Layer 7 deep analysis of the data flows on the key paths and accurately identifies, and in real time blocks or rate-limits, network attacks by hackers, worms, viruses, Trojan horses, DoS/DDoS, scanning, spyware, abnormal protocols, and phishing, as well as network abuse such as P2P, IM, and online games. In this manner, the H3C IPS protects the network applications, infrastructure, and performance of the customer's network. The H3C IPS series products also feature strong, practical bandwidth management and URL filtering functions, bringing customers high added value.
3. Intelligent security management
In addition to the operation of large numbers of network devices, service interactions between various servers and operating systems abound in a data center. Huge volumes of alarm, monitoring, SNMP, and WMI messages are also transmitted over the DC network. It is necessary to collect and manage security, network, system, and application events, and to convert and filter the raw data into actionable security intelligence through intelligent analysis. The H3C SecCenter solution manages the security and network products of up to 100 mainstream suppliers, generates more than 1000 reports automatically or on demand, monitors traffic and attacks in real time, correlates masses of events and threats, performs security auditing, and traces the origin of any fault.
In all, the H3C communications security goal is to provide service-oriented end-to-end security guarantee to clients, networks, DC servers, and storage systems.
3. Optimization
With the continuous development of the Internet and user services, Web applications have become the major data processing task of servers. HTTP transmits Web data between a server and a client, and TCP provides HTTP with reliable connections and error correction. Although an ideal transmission mechanism, TCP also has limitations: when used to transmit Web data, it consumes a large amount of server resources and degrades server performance, and the performance bottleneck of data centers becomes increasingly severe. To address such performance problems, traffic management products such as routers that perform deep inspection to identify and manage P2P traffic are introduced at the network layer to handle application optimization problems in data transmission. These products balance traffic load and aim to overcome the bottleneck in server access. They cannot, however, solve the performance problems at the application layer of a data center. In this context, H3C application optimization devices are introduced. The H3C devices use advanced connection management technologies to offload TCP and optimize end-to-end transmission at the transport layer, and handle SSL, compression, and encryption concurrently, greatly enhancing the performance of data access to data centers.
[Figure: eleven client request streams (GET A;GET B;GET C, GET A;GET B;GET D, GET C;GET D;GET E, and so on), each arriving on its own TCP session, in front of the server]
H3C SecPath ASE series are designed in hardware-based architectures (NP+FPGA) and support TCP optimization, contents compression, load balancing, and SSL acceleration through different built-in hardware modules to achieve application acceleration. The H3C ASE relieves data centers from the existing unbearable heavy load and forms an integrated solution with other products to accommodate the requirements of data centers. The following figure shows the application scenario of the H3C SecPath ASE.
The ASE integrates Web acceleration, SSL offloading and acceleration, compression, TCP optimization, load balancing, and anti-DDoS protection into one hardware platform, where each functional module runs on a dedicated hardware chip. These hardware-based acceleration technologies help businesses enhance application performance; the performance of a Web server can be improved by up to 10 times. In addition, the SecPath ASE provides highly available load balancing, rapid and highly intelligent Layer 4 through Layer 7 switching, fine-grained interaction control, and other features to guarantee the best protection for DC networks.
In a client and server model, the ASE assumes dual roles. For the client, the ASE is a server and for the server, the ASE is a client.
Toward the clients, the ASE handles and maintains all connections initiated by the clients. Toward the server, however, the ASE creates a few long-lived connections and uses these connections to transmit new data continuously.
The ASE uses various algorithms to determine when a new connection to the server should be set up or when an existing connection should be continued. The advantages of connection pooling brought by the ASE are as follows:
1) The ASE handles all connections from the clients, so the server is not required to set up or release connections.
2) After connection pooling, the server needs to process only a few TCP sessions.
3) The ASE shields the server from the various WAN accesses of clients, and shields the clients from the impact of server delay, clash, and packet loss.
4) The ASE sets up a few connections to the server and transmits a large volume of data over them, maximizing resource utilization. In addition, the ASE is in the same LAN as the server, which is like relocating the clients onto the server LAN, greatly reducing the delay from clients to the server.
The connection and request processing mechanism and the powerful processing capability of the ASE enable it to handle peak loads and protect the server against overload, so that the full potential of the server can be realized.
SecPath ASE single-arm deployment
In single-arm mode, you can attach the ASE to a network without changing the original deployment. Users who access the Web server are first directed to the ASE, and the ASE then sends the service requests to the back-end server.
This deployment does not change the network setting and greatly speeds up application operations while ensuring application reliability. It also reduces network maintenance tasks and lowers routine operation costs.
SecPath ASE online deployment
In this mode, the ASE is deployed in the front of the server farm to provide application acceleration and load balancing to users and to enhance the performance of network applications.
Diagram of the SecPath ASE online deployment
The ASE provides users with an application acceleration path, terminates the connections from remote users, and performs application acceleration and load balancing.
In online deployment mode, the SecPath ASE transparently forwards non-HTTP packets to ensure the normal operation of other services on the servers. Meanwhile, end users who access the Web server first have to go through the ASE. This protects the end servers from DDoS attacks because end users are never directly connected to the Web servers.
4. Load Balancing
As the heart of service networks, data centers are confronted with numerous challenges: scalability, flexibility, high performance, reliability, and security are all demanded of them. In particular, in the case of an abrupt increase in access requests, servers are still required to deliver applications to clients rapidly and steadily.
Without load balancing at a data center, the servers carry uneven traffic loads. When new service requests arrive, some already heavily loaded servers show degraded performance, have longer response times, and may even go down, while other servers carry light loads or remain idle for a long time. As a result, the overall performance of the data center is degraded, resource utilization drops, and the return on the overall investment is not guaranteed.
After load balancing is configured, the uneven task scheduling and unreasonable resource utilization of servers are addressed, and the performance and overall robustness of the service system are improved.
The SecBlade Load Balance (LB) service module, a model of high-performance load balancing devices, perfectly combines application optimization with network switching devices in an innovative manner. The model features plug-and-play and strong scalability, reduces management complexity, and lowers maintenance costs.
By identifying and differentiating various applications and monitoring the health and performance of servers and firewalls, the SecBlade LB uses auto-adaptive intelligent algorithms to distribute application requests evenly across devices. This greatly speeds up application access and provides businesses and operator networks with a cost-effective, high-performance load balancing solution.
Two links or link aggregation groups, one Layer 3 and one Layer 2, connect the LB to an aggregation switch. The server gateway points to the LB. For traffic that should be balanced, the aggregation layer sets the next hop of packets destined to the VSIP (virtual server IP) to the LB. The default route of the LB leads to the aggregation switch.
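As an added example (not H3C's or the SecBlade LB's own code), the following models the scheduling behaviour described in this section: a VSIP fronts a farm of real servers, health probes pull a server out of rotation after repeated failures and reinstate it after repeated successes, and new connections are distributed by weighted least-connections. The thresholds, the weighting rule, and the VSIP address are assumptions.

```python
"""Weighted least-connections scheduling with server health monitoring.

Assumed logic written for this example, modelled on the behaviour described
in the document; it is not H3C's implementation.
"""
from dataclasses import dataclass


@dataclass
class RealServer:
    name: str
    weight: int = 1      # relative capacity compared with the other members
    active: int = 0      # connections currently assigned to this server
    healthy: bool = True
    fails: int = 0       # consecutive failed health probes
    oks: int = 0         # consecutive successful probes while marked down
    served: int = 0      # total connections ever assigned


class VirtualServer:
    """One VSIP whose connections are spread over a farm of real servers."""

    FAIL_THRESHOLD = 3   # probes failed in a row before a server is pulled
    RISE_THRESHOLD = 2   # probes passed in a row before it is reinstated

    def __init__(self, vsip, servers):
        self.vsip = vsip
        self.servers = list(servers)

    def probe(self, results):
        """Apply one round of health-check results ({name: True/False}).
        Servers missing from the results are treated as having passed."""
        for s in self.servers:
            if results.get(s.name, True):
                s.fails = 0
                if not s.healthy:
                    s.oks += 1
                    if s.oks >= self.RISE_THRESHOLD:
                        s.healthy, s.oks = True, 0
            else:
                s.oks = 0
                s.fails += 1
                if s.fails >= self.FAIL_THRESHOLD:
                    s.healthy = False

    def pick(self):
        """Weighted least-connections: lowest active/weight among healthy servers."""
        candidates = [s for s in self.servers if s.healthy and s.weight > 0]
        if not candidates:
            return None
        return min(candidates, key=lambda s: (s.active / s.weight, s.name))

    def connect(self):
        """Assign a new client connection arriving at the VSIP to a real server."""
        s = self.pick()
        if s is None:
            raise RuntimeError(f"no healthy real server behind {self.vsip}")
        s.active += 1
        s.served += 1
        return s

    def release(self, s):
        s.active -= 1


def distribution(vs, n):
    """Open n connections without closing them and report how they were spread."""
    for _ in range(n):
        vs.connect()
    return {s.name: s.active for s in vs.servers}


if __name__ == "__main__":
    # Constructed farm: a documentation-range VSIP and three members of unequal capacity.
    farm = VirtualServer("198.51.100.10",
                         [RealServer("a", 3), RealServer("b", 2), RealServer("c", 1)])
    print(distribution(farm, 60))
    for _ in range(3):
        farm.probe({"c": False})   # three failed probes pull c out of rotation
    print([s.name for s in farm.servers if s.healthy])
```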
III. Virtualization
Thanks to continuous development of services, frequent upgrade of systems, increasing number of devices, and soaring energy consumption, data centers encounter a tough issue to match resource allocations with service development.
• Increased number of service systems: More network devices and servers are required. The running service systems change frequently and the shortage of resources and devices becomes increasingly acute.
• Mass devices and complex deployment: In the trend of high data centralization, the IT infrastructure inside a DC equipment room becomes huge. The number of devices to be added keeps increasing and the deployment complexity grows.
• Continually rising investment: The scale of IT infrastructure multiplies and drives up the hardware, software, and human resource costs of a data center.
• High O&M costs and energy consumption: The increased number of devices naturally leads to higher energy and O&M costs, which runs counter to the trend of green data centers. Energy consumption has already become a heavy economic burden in the O&M of a data center.
To lower the TCO, data centers should be integrated. This involves a series of tough problems.
• Security: security must be guaranteed when multiple services are integrated on the same set of devices.
• Rational resource allocation: different services have different requirements on DC resources, and rational resource allocation must be ensured for each service.
Virtualization addresses these problems by creating one logical entity for multiple physical entities or multiple logical entities for one physical entity. An entity can be a computing, storage, network, or application resource.
The essence of virtualization is isolation. Virtualization isolates different services and blocks their mutual access to meet the security requirements of services. It also isolates the resources of different services so that each service's demands on data center resources are met.
The H3C virtualization solution consists of three parts:
• Network virtualization
• Computing virtualization
• Storage virtualization
The combination of DC network virtualization and campus network virtualization links DC access with the authentication, security check, and dynamic authorization of end users. This ensures the security of and flexible access to a data center. The core switch at the data center serves as the PE of the campus area network VPN and the aggregation switch as the corresponding MCE. In this manner, the campus area virtualization is terminated at the data center. Configure VLANs on the access switch at the data center to logically isolate services. Each VLAN is recorded in the corresponding routing table of the MCE. In this manner, the data center virtualization is extended into the campus area virtualization through the access, aggregation, and core devices at the data center, forming an end-to-end network virtualization. The firewall at the data center supports virtualization and can be integrated onto or attached to the aggregation switch to assist network virtualization in the virtualization of data center resources.
DC network virtualization, client virtualization (EAD), and campus network virtualization form the end-to-end virtual access path of H3C networks.
H3C cooperates with VMware, the industry leader, to realize the virtualization of computing resources. H3C adopts the IV5000 series, which supports the dynamic expansion of physical disk space, to implement storage virtualization. In this manner, existing devices can be incorporated into the advanced storage virtualization system. This protects the existing investment of users, lowers the TCO, implements the dynamic expansion of storage capacity, and raises the Return on Investment (ROI).
The highlight of the H3C data center virtualization is the end-to-end virtualization of networks, computing, and storage.
IV. Storage
IP network standards have developed into information technology infrastructure standards. Driven by this irresistible force, standardization, enhanced performance, compactness, and easy availability have become the trend of IP storage. All network transport technologies built on IP provide wide application prospects for IP storage. With the combination of the increasingly sophisticated 10GE storage technology and the 10GE network transport technology, IP network-based storage technologies are predicted to dominate integrated data center storage.
The H3C full series IP storage products provide complete data center storage solutions.
[Figure: IP SAN storage solution with 10GE access to the servers, GE access to the servers, and the storage system.]
In this solution, the IP storage area network (SAN) is built upon 10GE Ethernet switches. The standard IP platform hosts a variety of servers with built-in Ethernet cards. These servers comply with unified standards and operate under the same management platform. 10GE products prevail, and IP SANs that adopt 10GE Ethernet technologies increase bandwidth and speed up service access. The shared storage of server farms in particular has high performance requirements. Driven by these changes, 10GE storage is bound to become the choice for the integrated storage of future data center servers.
2. Continuous Data Protection Solution
In this solution, the continuous data protection (CDP) technology is adopted. Data are protected on every change, and multiple copies of the data at different points in time are saved. The single-copy problem of the traditional one-time data mirroring or backup mode is thus eradicated. For businesses that have high requirements on service continuity, CDP reduces the time required for data recovery and guarantees continuous service operations. The near-line CDP solution allows a storage system to rapidly recover the sound state of data at a given point by marking time points in the system. The online CDP solution not only allows the rapid recovery of historical data but also avoids data loss or service interruption caused by the hardware failures of online storage devices.
3. Remote Data Backup and Recovery
Remote data backup lays the foundation for data disaster recovery. In the remote data backup and recovery solution, policy-driven incremental replication of key service data is performed over the IP network between the production center and the backup center. In case of an unexpected disaster at the production center, the data can be rapidly recovered from the remote backup center. In remote data replication, the block-based incremental backup technology replicates only the blocks changed since the previous replication. The backup data is then compressed before being transmitted. This effectively reduces the consumption of WAN resources.
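The block-based incremental replication with compression described above, as an added example in Python written for this page (it is not H3C's replication implementation): the sender keeps a per-block hash from the last replication, sends only blocks whose hash changed, compresses the payload before it crosses the WAN, and the backup-center side applies it in place. The block size, the wire format and the sample volumes are assumed and constructed for the example, and the example also handles a volume that grew or shrank between replications.

```python
"""Block-based incremental replication with compression. Added example,
not H3C's implementation: block size, wire format and sample volumes are
assumed and constructed."""
import hashlib
import struct
import zlib
from typing import List, Tuple

BLOCK_SIZE = 4096  # assumed fixed block size


def block_hashes(volume: bytes, block_size: int = BLOCK_SIZE) -> List[str]:
    """Fingerprint every block; the sender keeps these from the last replication."""
    return [hashlib.sha256(volume[i:i + block_size]).hexdigest()
            for i in range(0, len(volume), block_size)]


def changed_blocks(current: bytes, last_hashes: List[str],
                   block_size: int = BLOCK_SIZE) -> List[Tuple[int, bytes]]:
    """(index, data) for blocks whose hash differs from the last replication.
    Blocks past the old end of the volume (it grew) are always sent."""
    changes = []
    for i in range(0, len(current), block_size):
        idx, blk = i // block_size, current[i:i + block_size]
        if idx >= len(last_hashes) or hashlib.sha256(blk).hexdigest() != last_hashes[idx]:
            changes.append((idx, blk))
    return changes


def pack_changes(changes: List[Tuple[int, bytes]], new_len: int) -> bytes:
    """Serialize as [new_len:8][idx:4][len:4][data]* and compress before the WAN."""
    raw = bytearray(struct.pack(">Q", new_len))
    for idx, blk in changes:
        raw += struct.pack(">II", idx, len(blk)) + blk
    return zlib.compress(bytes(raw), 6)


def apply_changes(replica: bytes, payload: bytes,
                  block_size: int = BLOCK_SIZE) -> bytes:
    """Backup-center side: decompress and write the changed blocks in place."""
    raw = zlib.decompress(payload)
    (new_len,) = struct.unpack(">Q", raw[:8])
    buf = bytearray(replica)
    if len(buf) < new_len:                      # volume grew since the last copy
        buf.extend(b"\0" * (new_len - len(buf)))
    pos = 8
    while pos < len(raw):
        idx, ln = struct.unpack(">II", raw[pos:pos + 8])
        pos += 8
        buf[idx * block_size:idx * block_size + ln] = raw[pos:pos + ln]
        pos += ln
    return bytes(buf[:new_len])                 # truncate if the volume shrank


def replicate(previous: bytes, current: bytes) -> Tuple[bytes, int, int]:
    """One incremental cycle, assuming the replica equals `previous` after the
    last cycle. Returns (updated replica, bytes sent, full volume size)."""
    payload = pack_changes(changed_blocks(current, block_hashes(previous)), len(current))
    return apply_changes(previous, payload), len(payload), len(current)


def sample_volumes() -> Tuple[bytes, bytes]:
    """Constructed 256 KiB volume and a copy of it with two modified blocks."""
    v1 = b"".join(bytes([i % 251]) * BLOCK_SIZE for i in range(64))
    v2 = bytearray(v1)
    v2[5 * BLOCK_SIZE:5 * BLOCK_SIZE + 16] = b"ledger row 42 ok"
    v2[40 * BLOCK_SIZE] = 0xFF
    return v1, bytes(v2)


if __name__ == "__main__":
    v1, v2 = sample_volumes()
    replica, sent, full = replicate(v1, v2)
    print(f"replica matches: {replica == v2}; sent {sent} of {full} bytes")
```

In production the hash table would be persisted with the replica's generation number so that a sender and receiver that disagree about the last successful cycle fall back to a full copy rather than applying a delta to the wrong base.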
V. Disaster Tolerance
Along with huge benefits, high data centralization also brings high risks. How to handle and dissolve the risks brought by data centralization, how to guarantee data security in case of disasters, how to ensure service continuity, and how to maintain corporate reputation are all problems to be confronted. With increasingly high data centralization, the construction of a disaster tolerance system becomes an urgent task.
Data center disaster tolerance means the activities and procedures designed to restore the application systems in a data center from a faulty or collapsed state to normal operation. For that purpose, a disaster tolerance center should be constructed to take over service processing from the main data center in case of disasters.
A typical disaster tolerance system consists of basic infrastructure, data backup system, backup processing system, network communications system, and disaster recovery schemes. When designing a disaster tolerance system, you need to use qualitative disaster recovery capability indexes to measure the goal and level of disaster tolerance.
[Figure: disaster recovery timeline. Recovery point T0 is the last point of effective data status; the disaster occurs and the system is interrupted at T1; operation is recovered at T2. The interval from T0 to T1 is the data loss phase and the interval from T1 to T2 is the recovery time.]
Recovery Time Objective (RTO) refers to the time required by an information system to recover to operational status after a disaster. RTO is used to evaluate the service recovery capability of a disaster tolerance system.
Recovery Point Objective (RPO) indicates the maximum amount of data a service system may lose in a disaster. RPO is used to evaluate the data redundancy and backup capability of a disaster tolerance system.
RPO and RTO form qualitative disaster recovery objectives that in turn lead to different levels of disaster recovery. The following table shows the relations of disaster recovery capabilities and RTOs/RPOs in a certain industry.
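To show how the RTO and RPO definitions above are applied in practice, here is an added example in Python written for this page (not from H3C): it derives the achieved RTO and RPO of a recovery drill from the three timeline points in the figure (T0 last effective data, T1 disaster, T2 operation recovered), checks them against stated objectives, and checks whether a periodic-copy design can meet the RPO at all. Since the page's table of capability levels is not reproduced here, the objective values, schedules and timestamps are constructed.

```python
"""RTO/RPO evaluation for a disaster tolerance design and a recovery drill.
Added example, not from H3C; objectives, schedules and timestamps are
constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Objectives:
    rto: timedelta  # longest tolerated interruption of operation
    rpo: timedelta  # longest tolerated window of lost data


@dataclass(frozen=True)
class Drill:
    """Timeline points as in the figure: T0 last effective data,
    T1 disaster / system interruption, T2 operation recovered."""
    name: str
    t0_last_good_data: datetime
    t1_disaster: datetime
    t2_recovered: datetime


def objectives(rto_minutes: int, rpo_minutes: int) -> Objectives:
    return Objectives(timedelta(minutes=rto_minutes), timedelta(minutes=rpo_minutes))


def achieved_minutes(d: Drill) -> Dict[str, int]:
    """RTO = T2 - T1 (recovery time); RPO = T1 - T0 (data loss phase), in minutes."""
    rto = d.t2_recovered - d.t1_disaster
    rpo = d.t1_disaster - d.t0_last_good_data
    return {"rto": int(rto.total_seconds() // 60), "rpo": int(rpo.total_seconds() // 60)}


def evaluate(d: Drill, obj: Objectives) -> Dict[str, bool]:
    """Did the drill meet each objective?"""
    a = achieved_minutes(d)
    return {"rto_met": timedelta(minutes=a["rto"]) <= obj.rto,
            "rpo_met": timedelta(minutes=a["rpo"]) <= obj.rpo}


def design_rpo_bound_minutes(copy_interval_minutes: int, transfer_lag_minutes: int) -> int:
    """Worst-case data loss for periodic replication: the disaster strikes just
    before the next copy lands, so a whole interval plus the transfer lag is lost."""
    return copy_interval_minutes + transfer_lag_minutes


def design_meets_rpo(obj: Objectives, copy_interval_minutes: int, transfer_lag_minutes: int) -> bool:
    bound = design_rpo_bound_minutes(copy_interval_minutes, transfer_lag_minutes)
    return timedelta(minutes=bound) <= obj.rpo


def sample_drills() -> List[Drill]:
    """Two constructed drills: a warm standby takeover and a tape restore."""
    base = datetime(2024, 1, 1, 0, 0)
    return [
        Drill("warm standby", base + timedelta(hours=1),
              base + timedelta(hours=1, minutes=45), base + timedelta(hours=3, minutes=15)),
        Drill("tape restore", base,
              base + timedelta(hours=2, minutes=30), base + timedelta(hours=6)),
    ]


if __name__ == "__main__":
    obj = objectives(rto_minutes=120, rpo_minutes=60)   # constructed objectives
    for drill in sample_drills():
        print(drill.name, achieved_minutes(drill), evaluate(drill, obj))
    print("hourly copy, 5 min lag meets RPO:", design_meets_rpo(obj, 60, 5))
```

The design check is the one to run before a drill: an hourly copy with a five-minute transfer lag cannot satisfy a one-hour RPO no matter how well the drill goes, which is the kind of gap the capability-level table is meant to expose.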
The construction of a data backup center takes data disaster tolerance as the core and focuses on service continuity to ensure safe production and operations. The construction of data backup centers has three models: local backup center, remote backup center, and the three centers at two locations model. Data backup centers can be independently built, shared, or leased for the purpose of disaster tolerance. In terms of disaster tolerance, the three centers at two locations model represents the best practice to maximize data protection and service continuity in the case of severe regional disasters.
[Figure: the three centers at two locations model. A production center, a local data backup center, and a remote data backup center, each with its storage system, Ethernet switches, aggregation switches, core switches, and core routers, are interconnected with each other and with the branches.]
VI. Management
A data center supports both the service systems and the office IT services of a business. Sound management of the data center, the heart of the business, is therefore of great importance.
By referring to the traditional FCAPS management model that consists of fault, configuration, account/directory, performance, and security managements, H3C incorporates the server/network device management, data storage management, user management, and log auditing into the data center management scheme. The core of H3C data center schemes is the Intelligent Management Center (iMC).
As an important component in the integrated IToIP solution, iMC follows the open service-oriented architecture (SOA) design concept, implements fault alarms, configuration management, user management, network topology management, and behavior auditing, and addresses existing problems in network security, optimization, and operations.
Device management
Unified all-round management that covers topology, performance, fault, and configuration is required for network-wide servers and network devices.
network resources, users, and services, provides basic management of network resources, topology, failures, performance, users, and system security. Based on the B/S architecture, the platform can be integrated with other service modules to manage all H3C datacom products and the datacom devices of mainstream vendors such as Cisco and 3Com through MIBs.
The iMC supports the automatic discovery of network topologies, the unified topology view of all devices on a network, and the rapid navigation between views through the tree view navigation. The servers are managed through the KVM system.
Remote IP users connect to the remote monitoring server over TCP/IP for round-the-clock remote access. This enables administrators to rapidly and effectively modify and store services or data and troubleshoot failures on servers.
Unified data manager (UDM) solution
In addition to network device management, the iMC also provides unified management of all H3C storage and network products, covering all management processes after the hardware is deployed on a shared data backup network. The management extends to the complete processes of automatic discovery of network and storage devices, configuration of storage devices, alarm management on the data backup network, shared user management, shared service procedure management, automatic deployment of shared services, data backup monitoring, performance monitoring, and data backup adjustments.
Terminal access and user management
Security is a top priority in a data center. With the development of network technologies, new security threats constantly emerge. Viruses and worms plague networks with more severe effects over wider areas, leading to collapsed systems and paralyzed networks and resulting in huge losses for users. The security status of any terminal (mainly its anti-virus capability, patch level, and system security settings) has a direct impact on the security of the entire network.
Building on its SOA, the iMC coordinates user terminals and network services to perform terminal security checks, user authentication/AAA, dynamic access authorization, and user behavior auditing.
Resource intelligence
As a trend and one of the ultimate objectives of constantly evolving data centers, intelligent resource management aims to make the most of valuable data center resources through dynamic allocation for maximum output. Resource intelligence is a continuously self-improving process. With the emergence of new services and applications, the data center architecture always needs to adapt to new requirements, and the data center construction constantly improves and perfects itself.
Summary
The features of H3C data center solutions are:
High security, reliability, performance, multi-services, scalability, heterogeneous convergence, and intelligence management
As a carrier of core services, a data center is a systematic engineering project. The life cycles of analysis, design, construction, and O&M should be defined based on requirements analysis and service characteristics. In this manner, the data center construction realizes the objective of optimizing and integrating service procedures, improving operation efficiency, and enhancing competitiveness.
Appendix 1 H3C Data Center
Products
F1.1 Basic network platform: The H3C data center connects office users, computing resources, and storage resources through GE or 10GE Ethernet links. The architectural reliability (separation of the service network and management network, modular design), network reliability (network elements, links, and topology redundancy design), and device reliability (carrier-class devices, dual main control boards, and redundancy design of key parts) all contribute to a highly reliable network platform. In addition, the good scalability and modular design of products fully meet the scalability requirements of the data center architecture. WAN optimization devices are deployed to expand the WAN capacity, reduce the response time of applications and decrease protocol interactions. In addition, the priorities of applications are identified and the applications are controlled to ensure the minimum or maximum bandwidth for key applications and control or block non-key (rogue) applications.
Related products:
H3C S12500 routing switch, H3C S9500 routing switch, H3C S7500E/S7500 routing switch, H3C S5600 Ethernet switch, H3C S5500 Ethernet switch, and SECPATH ASE application optimization
F1.2 Network security: Based on the built-in BPDU guard, PVLAN, quintuple binding, and 802.1X integrated security features, H3C switches protect Layer 2 data. The firewalls protect data at the network layer, whereas the Intrusion Prevention System (IPS) provides deep data security protection at the application layer.
Based on the management platform of multi-service security access, the Comprehensive Access Management Server (CAMS) and H3C switches, routers, and VPN gateways can be deployed in the same networking to manage, authenticate, authorize, and charge the broadband, VPN, wireless, and IP telephony access of subscribers.
The SecCenter A1000 intelligent security management center can automatically collect and analyze the mass security events and logs on the entire network and then aggregate, store, and correlate the collected data. The device is compatible with devices of several vendors over a heterogeneous network and monitors the security status of an entire network in real time. Meanwhile, it can automatically generate convincing network security status and policy compliance auditing reports based on different requirements.
Related products:
H3C SecBlade I/II, IPS, ACG series, H3C SecPath series firewalls or VPN products, SecCenter, and H3C Endpoint Admission Defense (EAD)
F1.3 Data storage: stores and backs up centralized data. As a pioneer in IP storage, H3C uses an all-IP architecture to combine the storage network with the front-end network, building a homogeneous IT infrastructure. This architecture features flexibility, openness, sharing, high performance, and low cost.
Related products:
H3C Neocean IV5000 series products
F1.4 Data management: implements the virtualization management, resource debugging, and operation management of data. H3C data center solution allows the harmonious existence of IP storage and FC storage products of different vendors. This allocates resources for unified usage and eradicates the heterogeneity problem. In addition, the H3C data center solution has good scalability, reduces maintenance complexity, and lowers costs.
Related products:
H3C Neocean IV5100 virtualization data management product, H3C Neocean IV5200 virtualization data management product, and H3C DM data management platform
F1.5 Data backup and recovery: The objective of building a remote or local data backup center is to avoid the unrecoverable loss of original data due to low-probability events such as disasters. In this manner, important service data are protected in case of disasters and can be recovered within the set time to ensure service continuity. The rapid data recovery capability further enhances the corporate reputation, boosts the confidence of customers and potential customers, and gains an edge over competitors.
Related products:
H3C S9500 routing switch, H3C SR8800 service router, H3C Neocean IX5000 IP SAN storage products, H3C Neocean IX1000 IP SAN storage products, H3C Neocean IV5100 virtual data management products, H3C Neocean IV5200 virtual data management products, and H3C SecPath series firewalls/VPN products
Appendix 2 List of Key Users
• Shanghai data center of the Agricultural Bank of China
• Shanghai disaster recovery center of the Bank of China
• Server farm data center at the China Construction Bank headquarters
• Data center at Shandong Rural Credit Cooperatives
• Zibo Commercial Bank
• Local backup center at Huishang Bank
• Data center of Anbang Property & Casualty Insurance Company Ltd.
• Baidu data center
• Sohu data center
• NetEase data center
• IDC at Shanghai Zhangjiang High-Tech Park Development Co., Ltd.
• Southern data center of the Chengdu municipal government
• E-government data center of Nanshan District, Shenzhen
• Data center at Suzhou Branch of Huaxia Bank
• Data center at the Ministry of Personnel of the PRC
• Information sharing system at the Ministry of Science and Technology of the PRC
• The United Front Work Department of CCCPC
• State Administration for Industry & Commerce of the PRC