
임강빈 ([email protected])


© 2008 Cisco Systems, Inc. All rights reserved. 1

Cisco Systems Korea

Table of Contents

SP Security


Driver for Service Delivery Data Center

[Figure: layered architecture diagram; labels recovered from the slide]

Application Layer: DC Infrastructure hosting the Service Delivery Data Centers (VoD / HDTV, Gaming, Comm, Web Services, Mobile Apps, IP Contact Center)

Service Control Layer: Service Exchange, an Open Framework for Enabling Triple Play On The Move (Data, Voice, Video, Mobility)

Secure Network Layer (Intelligent Networking): Customer Element, Access / Aggregation, Intelligent Edge, Multiservice Core, Transport

[Figure: SP & Core Network with Managed Service DC, VAS and Production IT; labels recovered from the slide]

Data centers (Internal IT DC, Enterprise #1 DC through Enterprise #N DC): Intrusion Detection, Server Load Balancing, Content Caching, Stateful Firewalls, Front-End Application Servers, Back-End Application Servers, High Density Multilayer LAN Switch, SAN Directors, Storage Arrays

SP & Core Network: Internet, Core Network (IP / MPLS), Aggregation Network (MPLS/IP), Distribution / Aggregation Nodes, Carrier Ethernet Aggregation, Residential BNG, Access Edge, Business MSE Node, Access Node, DSL Access Node, STP ETTX Access Rings, Business / Corporate Ethernet

[Table: comparison of SP data center types; most cell text was lost in extraction]

Columns: SP IT DC, VAS DC, Shared Services DC
Services: IPTV, Mobile / Broadband, B2C
Scale: < 1K+ vs. 1M
Top Priority: Security, HA, Time-to-market
Security: F/W (L2 / Virtual), DDoS, Video

SP Security Technology

Infrastructure Security
• IDC Out of Path
• Control-Plane Security
• Data-Plane Security

Service Layer Security
• DDoS Out of Path
• Anti-Spoofing
• App. Security

Data Center Security
• NETFLOW
• L3 ACL/VACL
• Virtualization
• Enhanced ACL (FPM)

Access-Layer Security
• L3 ACL/VACL
• DAI
• IPSG
• Enhanced ACL (FPM)
• Service Control
• Visibility in DC (NETFLOW, SCE)

SP Security Point

[Figure: ISP backbone diagram with numbered security points 1 to 5; labels recovered from the slide]

• Core / SP B/B: CoPP, MLS rate-limit; DDoS
• SP B/B and Aggregation: SCE, Netflow v9
• Aggregation: Virtualization
• Access: DAI/IPSG/ACL
• Multicast video path: NVoD IP-Mux Video Source, Decoders #1 to #4

SP - 6500 MLS Rate-Limiters

Hardware rate-limiters for traffic punted to the route processor (ICMP/ARP, routing protocol, FIB miss, CEF glean):

mls rate-limit multicast ipv4 fib-miss 10000 10
mls rate-limit unicast cef glean 1000 10

Rate-limiters for ICMP unreachable / ACL-drop and TTL-failure punts:

mls rate-limit unicast ip icmp unreachable acl-drop 500 10
mls rate-limit all ttl-failure 500 10

[Chart: MLS Policing during a DoS attack with TTL=1 unicast traffic; x-axis Traffic Rate (pps): 1000pps, 5000pps, 10000pps, 844590pps; y-axis CPU Utilization, 0 to 100; series: No Rate Limiter, 100pps TTL=1 rate limiter, ICMP Redirect / Unreachable]

SP - Control-Plane Protection

How CoPP works:

[Figure: control packets destined to open TCP/UDP ports on the CPU pass through the policer; labels recovered from the slide]

• Software Control Plane Policing (CoPP), configured with MQC
• HW Control Policing on DFC3 / PFC3, applied by traffic rate
• Traffic to CPU

SP - Netflow

• Monitoring (N x 10G, ...)
• IPTV Monitoring
• Solution: Network Planning, v9 Export, Security/Accounting/Billing

SP – Multicast Security

SP DDoS

[Figure: DDoS mitigation deployment; labels recovered from the slides]

• Detector (2G), Detector with Netflow
• Guard / Guard Farm
• ACE Redirection

SP – Virtualization

[Figure: As-Is vs. TO-BE SP DC design on Catalyst 6500; labels recovered from the slide: FWSM, CSM, ACE, TCP L7 Filter, VLANs for the WEB / APP / DB tiers]

SP – Nexus 7000 Virtualization

Virtual Device Context:
• Network Virtualization: separate VDCs, e.g. Production network and Lab network
• Device Consolidation: H/W resources and S/W configuration can be allocated flexibly
• Secure per-context management (Infosec, Network Ops)
• Isolation from S/W faults

Use Cases:
• Consolidating multiple services onto one device
• Easy addition of new services
• Resource allocation appropriate to the nature of each service (Core, Agg 1/2/3, System Resource Scaling)

SP – FPM

• Conventional ACL: IP/Port
• Header Pattern Enhanced ACL: FPM (Flexible Packet Matching)

CCO Application Signature TCDF (Traffic Classification Definition Files): www.cisco.com/cgi-Bin/tablebuild.pl/fpm

Data Center example:

! load the BitTorrent traffic classification definition file
Sup32-PISA(config)#load classification bootdisk:bittorrent.tcdf
! apply the FPM policy inbound on the VLAN interface
Sup32-PISA(config)#int vlan 611
Sup32-PISA(config-if)#service-policy type access-control input fpm_policy_template
! remove the policy from the interface
Sup32-PISA(config)#int vlan 611
Sup32-PISA(config-if)#no service-policy type access-control input fpm_policy_template

SP – Service Control Engine

[Figure: 10G SCE deployment; labels recovered from the slide]

• IPTV, P2P
• Dynamic Signature L7 Filter, Zero-Day L7 Filter
• Service / Control: IPTV, Business Application Bandwidth Guarantee
• IDC L4~L7 Visibility

SP – SCE Overview

• SCE: 2 x 1G
• SCE: 2 x 10G, 15G (S/W), 15Gbps deep packet engine, Aggregation Layer
• SCE on Cisco 7600 (2009. Q1): L2/L3 IP Forwarding I/F card(s), one or more SCP blades, one or more Application Blades

SUMMARY

Process Model Built for Revenue (Operational Process Model)

[Figure: process model; only the pillar names were recovered]

• Trust/Identity
• Visibility
• Correlation
• Device Management
• Isolation (virtual)
• Policy Enforcement

Strong control over the SP network, and securing visibility

SUMMARY: IP NGN Security

[Figure: the layered architecture from the Driver for Service Delivery Data Center slide, repeated: Application Layer (DC Infrastructure, Service Delivery Data Centers: VoD / HDTV, Gaming, Comm, Web Services, Mobile Apps, IP Contact Center); Service Control Layer (Service Exchange, Open Framework for Enabling Triple Play On The Move: Data, Voice, Video, Mobility); Secure Network Layer (Intelligent Networking: Customer Element, Access / Aggregation, Intelligent Edge, Multiservice Core, Transport)]

SECURITY: technology + solutions + processes